about summary refs log tree commit diff
path: root/modules
diff options
context:
space:
mode:
authorAzat Bahawi <azat@bahawi.net>2022-09-12 14:03:31 +0300
committerAzat Bahawi <azat@bahawi.net>2022-09-12 14:03:31 +0300
commit5b01fa945b2122b82da4be33203e4cf753951b7c (patch)
treef0693b31788e717d9ab1781cf19e2403727755df /modules
parent2022-09-11 (diff)
2022-09-12
Diffstat (limited to 'modules')
-rw-r--r--modules/nixfiles/monitoring/default.nix80
-rw-r--r--modules/nixfiles/openssh.nix102
-rw-r--r--modules/nixfiles/profiles/headful.nix65
-rw-r--r--modules/nixfiles/rtorrent.nix2
-rw-r--r--modules/nixfiles/syncthing.nix50
-rw-r--r--modules/nixfiles/wireguard.nix18
6 files changed, 231 insertions, 86 deletions
diff --git a/modules/nixfiles/monitoring/default.nix b/modules/nixfiles/monitoring/default.nix
index 9758cff..c439614 100644
--- a/modules/nixfiles/monitoring/default.nix
+++ b/modules/nixfiles/monitoring/default.nix
@@ -64,12 +64,80 @@ in {
 
       loki.configuration.ruler.alertmanager_url = "https://${config.nixfiles.modules.alertmanager.domain}";
 
-      prometheus.alertmanagers = [
-        {
-          scheme = "https";
-          static_configs = [{targets = [config.nixfiles.modules.alertmanager.domain];}];
-        }
-      ];
+      prometheus = {
+        scrapeConfigs = with my.configurations;
+        with config.services.prometheus.exporters; [
+          {
+            job_name = "endlessh-go";
+            static_configs = [
+              {
+                targets = with config.services.endlessh-go.prometheus; [
+                  "${manwe.hostname}:${toString port}"
+                  "${varda.hostname}:${toString port}"
+                  "${yavanna.hostname}:${toString port}"
+                ];
+              }
+            ];
+          }
+          {
+            job_name = "nginx";
+            static_configs = [
+              {
+                targets = with nginx; [
+                  "${manwe.hostname}:${toString port}"
+                  "${varda.hostname}:${toString port}"
+                  "${yavanna.hostname}:${toString port}"
+                ];
+              }
+            ];
+          }
+          {
+            job_name = "node";
+            static_configs = [
+              {
+                targets = with node; [
+                  "${manwe.hostname}:${toString port}"
+                  "${varda.hostname}:${toString port}"
+                  "${yavanna.hostname}:${toString port}"
+                ];
+              }
+            ];
+          }
+          {
+            job_name = "postgres";
+            static_configs = [
+              {
+                targets = with postgres; ["${manwe.hostname}:${toString port}"];
+              }
+            ];
+          }
+          {
+            job_name = "unbound";
+            static_configs = [
+              {
+                targets = with unbound; ["${manwe.hostname}:${toString port}"];
+              }
+            ];
+          }
+          {
+            job_name = "wireguard";
+            static_configs = [
+              {
+                targets = with wireguard; ["${manwe.hostname}:${toString port}"];
+              }
+            ];
+          }
+        ];
+
+        alertmanagers = [
+          {
+            scheme = "https";
+            static_configs = [
+              {targets = [config.nixfiles.modules.alertmanager.domain];}
+            ];
+          }
+        ];
+      };
     };
   };
 }
diff --git a/modules/nixfiles/openssh.nix b/modules/nixfiles/openssh.nix
index 3a526d7..2bae2da 100644
--- a/modules/nixfiles/openssh.nix
+++ b/modules/nixfiles/openssh.nix
@@ -12,41 +12,73 @@ in {
     server.enable = mkEnableOption "OpenSSH server";
   };
 
-  config = mkMerge [
-    (mkIf cfg.client.enable {
-      hm = {
-        home.packages = with pkgs; [mosh sshfs];
-
-        programs.ssh = {
-          enable = true;
-          controlMaster = "auto";
-          controlPersist = "24H";
-          hashKnownHosts = true;
-          serverAliveCountMax = 30;
-          serverAliveInterval = 60;
-        };
-      };
-    })
-    (mkIf cfg.server.enable {
-      programs.mosh.enable = true;
-
-      services = let
-        port = 22022;
-      in {
-        openssh = {
-          enable = true;
-          ports = [port];
-          logLevel = "VERBOSE";
-          permitRootLogin = "no";
-          passwordAuthentication = false;
+  config = let
+    port = 22022; # Port 22 should be occupied by endlessh.
+  in
+    mkMerge [
+      (mkIf cfg.client.enable {
+        hm = {
+          home.packages = with pkgs; [mosh sshfs];
+
+          programs.ssh = {
+            enable = true;
+
+            hashKnownHosts = true;
+
+            controlMaster = "auto";
+            controlPersist = "24H";
+
+            serverAliveCountMax = 30;
+            serverAliveInterval = 60;
+
+            matchBlocks = let
+              mkBlock = name: {
+                hostname ? name,
+                port ? 22,
+                user ? my.username,
+                identityFile ? "${config.my.home}/.ssh/id_ed25519",
+                extraAttrs ? {},
+              }:
+                nameValuePair name ({inherit hostname port user identityFile;}
+                  // extraAttrs);
+
+              internalServers =
+                mapAttrs' mkBlock
+                (mapAttrs (name: _: {
+                    hostname = "${name}.${my.domain.shire}";
+                    inherit port;
+                  }) (filterAttrs (_: attr:
+                    hasAttr "wireguard" attr
+                    && attr.isHeadless)
+                  my.configurations));
+            in
+              internalServers
+              // (mapAttrs' mkBlock {
+                # Custom blocks go here.
+                #
+                # example.hostname = "129.168.70.80";
+              });
+          };
         };
+      })
+      (mkIf cfg.server.enable {
+        programs.mosh.enable = true;
 
-        fail2ban.jails.sshd = ''
-          enabled = true
-          mode = aggressive
-          port = ${toString port}
-        '';
-      };
-    })
-  ];
+        services = {
+          openssh = {
+            enable = true;
+            ports = [port];
+            logLevel = "VERBOSE"; # Required by fail2ban.
+            permitRootLogin = "no";
+            passwordAuthentication = false;
+          };
+
+          fail2ban.jails.sshd = ''
+            enabled = true
+            mode = aggressive
+            port = ${toString port}
+          '';
+        };
+      })
+    ];
 }
diff --git a/modules/nixfiles/profiles/headful.nix b/modules/nixfiles/profiles/headful.nix
index 9fd7386..d8fc208 100644
--- a/modules/nixfiles/profiles/headful.nix
+++ b/modules/nixfiles/profiles/headful.nix
@@ -40,7 +40,70 @@ in {
       xmonad.enable = mkDefault false;
     };
 
-    hm.home.packages = with pkgs; [convmv dos2unix];
+    hm = {
+      home.packages = with pkgs; [
+        calibre
+        convmv
+        dos2unix
+        kotatogram-desktop
+        nheko
+        tor-browser
+      ];
+
+      accounts.email = {
+        maildirBasePath = "${config.my.home}/mail";
+
+        accounts = let
+          mkAccount = attrs:
+            mkMerge [
+              {
+                mbsync = {
+                  enable = true;
+                  create = "both";
+                  expunge = "both";
+                  patterns = ["*"];
+                };
+                msmtp.enable = true;
+                mu.enable = true;
+              }
+              attrs
+            ];
+
+          pass = path: "${pkgs.pass}/bin/pass show ${path}";
+        in {
+          shire = mkAccount {
+            address = my.email;
+            gpg = {
+              inherit (my.pgp) key;
+              signByDefault = true;
+              encryptByDefault = false;
+            };
+
+            primary = true;
+
+            imap.host = "shire.me";
+            smtp.host = "shire.me";
+            userName = "azahi@shire.me";
+            passwordCommand = pass "email/shire.me/azahi";
+          };
+
+          yahoo = mkAccount {
+            address = "a.gondor@yahoo.com";
+
+            imap.host = "imap.yahoo.com";
+            smtp.host = "smtp.yahoo.com";
+            userName = "a.gondor@yahoo.com";
+            passwordCommand = pass "email/yahoo.com/a.gondor";
+          };
+        };
+      };
+
+      programs = {
+        mbsync.enable = true;
+        msmtp.enable = true;
+        mu.enable = true;
+      };
+    };
 
     # There are (arguably) not a lot of reasons to keep mitigations enabled for
     # on machine that is not web-facing. First of all, to completely mitigate
diff --git a/modules/nixfiles/rtorrent.nix b/modules/nixfiles/rtorrent.nix
index a91e83d..121f1ca 100644
--- a/modules/nixfiles/rtorrent.nix
+++ b/modules/nixfiles/rtorrent.nix
@@ -11,7 +11,7 @@ in {
     enable = mkEnableOption "rTorrent";
 
     flood = {
-      enable = mkEnableOption "Flood";
+      enable = mkEnableOption "Flood" // {default = cfg.enable;};
 
       domain = mkOption {
         description = "Domain name sans protocol scheme.";
diff --git a/modules/nixfiles/syncthing.nix b/modules/nixfiles/syncthing.nix
index 6e6e629..31286fa 100644
--- a/modules/nixfiles/syncthing.nix
+++ b/modules/nixfiles/syncthing.nix
@@ -1,5 +1,6 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   this,
@@ -16,34 +17,23 @@ in {
       type = with types; str;
       default = "syncthing.${config.networking.fqdn}";
     };
-
-    # TODO Set this automatically shire on the hostname.
-    cert = mkOption {
-      description = "Path to the cert file.";
-      type = with types; nullOr string;
-      default = null;
-    };
-
-    # TODO Set this automatically shire on the hostname.
-    key = mkOption {
-      description = "Path to the key file.";
-      type = with types; nullOr string;
-      default = null;
-    };
   };
 
   config = mkIf cfg.enable (mkMerge [
     {
-      assertions = [
-        {
-          assertion = cfg.cert != null;
-          message = "Cert file needs to be specified.";
-        }
-        {
-          assertion = cfg.key != null;
-          message = "Key file needs to be specified.";
-        }
-      ];
+      secrets = {
+        "syncthing-cert-${this.hostname}" = with config.services.syncthing; {
+          file = "${inputs.self}/secrets/syncthing-cert-${this.hostname}";
+          owner = user;
+          inherit group;
+        };
+
+        "syncthing-key-${this.hostname}" = with config.services.syncthing; {
+          file = "${inputs.self}/secrets/syncthing-key-${this.hostname}";
+          owner = user;
+          inherit group;
+        };
+      };
 
       services.syncthing = {
         enable = true;
@@ -55,7 +45,8 @@ in {
 
         guiAddress = "127.0.0.1:8384";
 
-        inherit (cfg) key cert;
+        cert = config.secrets."syncthing-cert-${this.hostname}".path;
+        key = config.secrets."syncthing-key-${this.hostname}".path;
 
         overrideDevices = true;
         devices = mapAttrs (name: attr:
@@ -94,9 +85,8 @@ in {
               versioning = trashcan;
             };
             pass = {
-              path =
-                config.hm.programs.password-store.settings.PASSWORD_STORE_DIR;
-              devices = all;
+              path = config.hm.programs.password-store.settings.PASSWORD_STORE_DIR;
+              devices = notOther;
               versioning = trashcan;
             };
             org = {
@@ -114,8 +104,8 @@ in {
               devices = notOther;
               versioning = trashcan;
             };
-            vidya = {
-              path = "${documents}/vidya";
+            books = {
+              path = "${documents}/books";
               devices = notOther;
               versioning = trashcan;
             };
diff --git a/modules/nixfiles/wireguard.nix b/modules/nixfiles/wireguard.nix
index c4fca1e..f98b4e3 100644
--- a/modules/nixfiles/wireguard.nix
+++ b/modules/nixfiles/wireguard.nix
@@ -1,5 +1,6 @@
 {
   config,
+  inputs,
   lib,
   pkgs,
   this,
@@ -9,13 +10,6 @@ with lib; let
   cfg = config.nixfiles.modules.wireguard;
 in {
   options.nixfiles.modules.wireguard = {
-    # TODO Set this automatically shire on the hostname.
-    privateKeyFile = mkOption {
-      description = "Path to the private key file.";
-      type = with types; nullOr string;
-      default = null;
-    };
-
     client = {
       enable = mkEnableOption "WireGuard client";
 
@@ -98,10 +92,6 @@ in {
     {
       assertions = [
         {
-          assertion = cfg.privateKeyFile != null;
-          message = "Key file must be specified.";
-        }
-        {
           assertion = config.security.sudo.enable;
           message = "Sudo is not enabled.";
         }
@@ -113,12 +103,14 @@ in {
     }
     // mkMerge [
       (mkIf (cfg.client.enable || cfg.server.enable) {
+        secrets."wireguard-private-key-${this.hostname}".file = "${inputs.self}/secrets/wireguard-private-key-${this.hostname}";
+
         networking.firewall.trustedInterfaces = [cfg.interface];
       })
       (mkIf cfg.client.enable {
         networking.wg-quick.interfaces.${cfg.interface} = mkMerge [
           (with this.wireguard; {
-            inherit (cfg) privateKeyFile;
+            privateKeyFile = config.secrets."wireguard-private-key-${this.hostname}".path;
             address = ["${ipv4.address}/16" "${ipv6.address}/16"];
           })
           (with cfg.server; {
@@ -173,7 +165,7 @@ in {
           wireguard = {
             enable = true;
             interfaces.${cfg.interface} = with cfg.server; {
-              inherit (cfg) privateKeyFile;
+              privateKeyFile = config.secrets."wireguard-private-key-${this.hostname}".path;
               ips = ["${ipv4.address}/16" "${ipv6.address}/16"];
               listenPort = port;
               inherit peers;

Consider giving Nix/NixOS a try! <3