Diffstat (limited to 'modules/nixos/server')
-rw-r--r--modules/nixos/server/default.nix1
-rw-r--r--modules/nixos/server/host-user.nix40
-rw-r--r--modules/nixos/server/mixins/acme.nix23
-rw-r--r--modules/nixos/server/mixins/cloudflared.nix29
4 files changed, 72 insertions, 21 deletions
diff --git a/modules/nixos/server/default.nix b/modules/nixos/server/default.nix
index 83ec0a8..1c23124 100644
--- a/modules/nixos/server/default.nix
+++ b/modules/nixos/server/default.nix
@@ -12,6 +12,7 @@ in {
};
imports = [
+ ./host-user.nix
./mixins
];
diff --git a/modules/nixos/server/host-user.nix b/modules/nixos/server/host-user.nix
new file mode 100644
index 0000000..5aa1ce5
--- /dev/null
+++ b/modules/nixos/server/host-user.nix
@@ -0,0 +1,40 @@
+{
+ config,
+ lib,
+ secretsDir,
+ ...
+}: let
+ cfg = config.server.hostUser;
+ inherit (config.networking) hostName;
+in {
+ options.server.hostUser = {
+ enable = lib.mkEnableOption "${hostName} user configuration" // {default = config.server.enable;};
+
+ manageSecrets =
+ lib.mkEnableOption "automatic secrets management"
+ // {
+ default = config.traits.secrets.enable;
+ };
+ };
+
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ {
+ users.users.${hostName} = {
+ isNormalUser = true;
+ extraGroups = ["wheel"];
+ };
+ }
+
+ (lib.mkIf cfg.manageSecrets {
+ age.secrets = {
+ userPassword.file = secretsDir + "/userPassword.age";
+ };
+
+ users.users.${hostName} = {
+ hashedPasswordFile = config.age.secrets.userPassword.path;
+ };
+ })
+ ]
+ );
+}
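Review bot: The `${hostName}` account is added to `wheel` unconditionally (`extraGroups = ["wheel"];`) but only receives a `hashedPasswordFile` when `cfg.manageSecrets` is true, so with `manageSecrets = false` this module creates a sudo-capable user with no password and supplies no SSH keys; whether that account is usable or just a dormant privileged entry depends on configuration outside this file. Make the coupling explicit on the option, e.g. `manageSecrets` described as `"automatic secrets management (sets the ${hostName} user's password from userPassword.age; without it the wheel user is created with no credentials)"`, or add an assertion that `manageSecrets` holds whenever `enable` does. The agenix entry relies on module defaults for owner and mode, which suits a password hash consumed by root at activation; a one-line comment such as `# consumed by root during activation; agenix default owner/mode is intended` would stop a later maintainer from "fixing" it to the user. The secret path `secretsDir + "/userPassword.age"` is not host-specific, so presumably every host sharing `secretsDir` shares one password hash — confirm that is intended.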
diff --git a/modules/nixos/server/mixins/acme.nix b/modules/nixos/server/mixins/acme.nix
index 60703e6..0e4a6d6 100644
--- a/modules/nixos/server/mixins/acme.nix
+++ b/modules/nixos/server/mixins/acme.nix
@@ -23,23 +23,26 @@ in {
{
security.acme = {
acceptTerms = true;
- defaults =
- {
- email = "[email protected]";
- }
- // lib.optionalAttrs cfg.useDns {
- dnsProvider = "cloudflare";
- }
- // lib.optionalAttrs cfg.manageSecrets {
- credentialsFile = config.age.secrets.cloudflareApiKey.path;
- };
+ defaults = {
+ email = "[email protected]";
+ };
};
}
+ (lib.mkIf cfg.useDns {
+ security.acme.defaults = {
+ dnsProvider = "cloudflare";
+ };
+ })
+
(lib.mkIf cfg.manageSecrets {
age.secrets = {
cloudflareApiKey.file = secretsDir + "/cloudflareApiKey.age";
};
+
+ security.acme.defaults = {
+ credentialsFile = config.age.secrets.cloudflareApiKey.path;
+ };
})
]
);
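Review bot: `credentialsFile` now points at `cloudflareApiKey.age` whenever `manageSecrets` is true, and the name suggests a Cloudflare Global API Key; lego's cloudflare provider also accepts a zone-scoped token via `CLOUDFLARE_DNS_API_TOKEN`, which bounds the damage if this environment file leaks, so confirm which variable the file carries and record it next to the declaration, e.g. `# EnvironmentFile for lego; prefer CLOUDFLARE_DNS_API_TOKEN scoped to Zone:DNS:Edit over the global API key`. The secret is also declared without `owner`/`group`, unlike the cloudflared secret in this same commit — correct only if the acme module reads the file as root, which should be checked against the pinned NixOS version rather than assumed. Setting `credentialsFile` while `useDns` is false is inert but misleading; gating the block on `cfg.useDns && cfg.manageSecrets` would state the intent. The enclosing `config = lib.mkIf ... (lib.mkMerge [` starts before this hunk.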
diff --git a/modules/nixos/server/mixins/cloudflared.nix b/modules/nixos/server/mixins/cloudflared.nix
index 5f75a35..26c0714 100644
--- a/modules/nixos/server/mixins/cloudflared.nix
+++ b/modules/nixos/server/mixins/cloudflared.nix
@@ -9,6 +9,15 @@
in {
options.server.mixins.cloudflared = {
enable = lib.mkEnableOption "cloudflared mixin";
+ tunnelName = lib.mkOption {
+ type = lib.types.str;
+ default = "${config.networking.hostName}-nginx";
+ example = lib.literalExpression "my-tunnel";
+ description = lib.mdDoc ''
+ Name of the default tunnel being created
+ '';
+ };
+
manageSecrets =
lib.mkEnableOption "automatic secrets management"
// {
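Review bot: `example = lib.literalExpression "my-tunnel"` renders the bare text `my-tunnel` as a Nix expression in the generated option docs, which is not valid Nix for a `types.str` value; since the example is a plain string, use `example = "my-tunnel";` (or `lib.literalExpression ''"my-tunnel"''` if the wrapper is wanted). The description could also say what the name is used for: `Name of the cloudflared tunnel this mixin creates; defaults to "<hostName>-nginx".` — and, if the credentials file is issued per tunnel as the later hunk suggests, that the name must match the tunnel those credentials belong to (an inference from this diff; confirm before writing it). `lib.mdDoc` is deprecated in recent nixpkgs where descriptions are Markdown by default, so drop it if the pinned nixpkgs warns. The `manageSecrets` option continues past the end of this hunk.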
@@ -21,18 +30,12 @@ in {
{
services.cloudflared = {
enable = true;
- tunnels = {
- "${config.networking.hostName}-nginx" =
- {
- default = "http_status:404";
+ tunnels.${cfg.tunnelName} = {
+ default = "http_status:404";
- ingress = lib.genAttrs (builtins.attrNames nginx.virtualHosts) (
- _: {service = "http://localhost:${toString nginx.defaultHTTPListenPort}";}
- );
- }
- // lib.optionalAttrs cfg.manageSecrets {
- credentialsFile = config.age.secrets.cloudflaredCreds.path;
- };
+ ingress = lib.genAttrs (builtins.attrNames nginx.virtualHosts) (
+ _: {service = "http://localhost:${toString nginx.defaultHTTPListenPort}";}
+ );
};
};
}
@@ -44,6 +47,10 @@ in {
owner = "cloudflared";
group = "cloudflared";
};
+
+ services.cloudflared.tunnels.${cfg.tunnelName} = {
+ credentialsFile = config.age.secrets.cloudflaredCreds.path;
+ };
})
]
);
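Review bot: The tunnel's `credentialsFile` is only set under `cfg.manageSecrets`, and nothing else in this diff supplies it; if the cloudflared module treats `tunnels.<name>.credentialsFile` as required (I recall it has no default — verify against the pinned nixpkgs), enabling the mixin with `manageSecrets = false` fails evaluation unless the caller sets it themselves. That was already true with the previous `optionalAttrs` form, but the new standalone `mkIf` block is the right place to say so: `# without manageSecrets the caller must set services.cloudflared.tunnels.${cfg.tunnelName}.credentialsFile themselves`. The enclosing `mkIf cfg.manageSecrets` block and the surrounding `mkMerge` list start before this hunk.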