Add 'old-conf/' from commit '62a64a79a8'

git-subtree-dir: old-conf git-subtree-mainline: 4667974392 git-subtree-split: 62a64a79a8
2025-11-21 13:33:06 +01:00 · 2025-11-21 13:33:06 +01:00 · 83de52d5db
commit 83de52d5db
parent 4667974392 62a64a79a8
195 changed files with 13408 additions and 0 deletions
--- a/old-conf/nixos-modules/services/authelia.nix
+++ b/old-conf/nixos-modules/services/authelia.nix
@ -0,0 +1,76 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.ragon.services.authelia;
+  instanceName = "main";
+  stateDir = "/var/lib/authelia-${instanceName}";
+in
+{
+  options.ragon.services.authelia.enable = lib.mkEnableOption "Enables the authelia SSO Server";
+  options.ragon.services.authelia.domain =
+    lib.mkOption {
+      type = lib.types.str;
+      default = "sso.xyno.systems";
+    };
+  config = lib.mkIf cfg.enable {
+
+    ragon.agenix.secrets.autheliaStorageEncryption = { owner = "authelia-main"; };
+    ragon.agenix.secrets.autheliaSessionSecret = { owner = "authelia-main"; };
+    ragon.agenix.secrets.autheliaOidcIssuerPrivateKey = { owner = "authelia-main"; };
+    ragon.agenix.secrets.autheliaOidcHmacSecret = { owner = "authelia-main"; };
+    ragon.agenix.secrets.autheliaJwtSecret = { owner = "authelia-main"; };
+    ragon.agenix.secrets.autheliaEmail = { owner = "authelia-main"; };
+    services.authelia.instances.${instanceName} = {
+      enable = true;
+      secrets = {
+        storageEncryptionKeyFile = config.age.secrets.autheliaStorageEncryption.path;
+        sessionSecretFile = config.age.secrets.autheliaSessionSecret.path;
+        oidcIssuerPrivateKeyFile = config.age.secrets.autheliaOidcIssuerPrivateKey.path;
+        oidcHmacSecretFile = config.age.secrets.autheliaOidcHmacSecret.path;
+        jwtSecretFile = config.age.secrets.autheliaJwtSecret.path;
+      };
+      settingsFiles = [
+        config.age.secrets.autheliaEmail.path
+      ];
+      settings = {
+        theme = "auto";
+        default_2fa_method = "webauthn";
+        access_control = {
+          default_policy = "one_factor";
+        };
+        authentication_backend = {
+          file = {
+            path = "${stateDir}/users.yml";
+          };
+        };
+        session = {
+          domain = cfg.domain;
+        };
+        storage = {
+          postgres = {
+            host = "/run/postgresql";
+            port = "5432";
+            database = "authelia";
+            username = "authelia-main";
+            password = "dosentmatter";
+          };
+        };
+
+      };
+    };
+    services.postgresql = {
+      enable = true;
+
+      # Ensure the database, user, and permissions always exist
+      ensureDatabases = [ "authelia" ];
+      ensureUsers = [
+        {
+          name = "authelia-main";
+          #ensureDBOwnership = true;
+        }
+      ];
+    };
+    ragon.persist.extraDirectories = [
+      "${stateDir}"
+    ];
+  };
+}
--- a/old-conf/nixos-modules/services/bitwarden.nix
+++ b/old-conf/nixos-modules/services/bitwarden.nix
@ -0,0 +1,44 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.ragon.services.bitwarden;
+in
+{
+  options.ragon.services.bitwarden.enable = lib.mkEnableOption "Enables the vaultwarden BitWarden Server";
+  options.ragon.services.bitwarden.domain =
+    lib.mkOption {
+      type = lib.types.str;
+      default = "bw.xyno.systems";
+    };
+  config = lib.mkIf cfg.enable {
+    services.vaultwarden = {
+      enable = true;
+      package = pkgs.unstable.vaultwarden;
+      #backupDir = "/persistent/backups/vaultwarden";
+      config = {
+        domain = "https://${cfg.domain}";
+        signupsAllowed = true;
+        rocketPort = 8222;
+        rocketAddress = "127.0.0.1";
+        databaseUrl = "postgresql://%2Frun%2Fpostgresql/vaultwarden";
+        webVaultEnabled = true;
+      };
+      dbBackend = "postgresql";
+
+    };
+    services.postgresql = {
+      enable = true;
+
+      # Ensure the database, user, and permissions always exist
+      ensureDatabases = [ "vaultwarden" ];
+      ensureUsers = [
+        {
+          name = "vaultwarden";
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+    ragon.persist.extraDirectories = [
+      "/var/lib/bitwarden_rs"
+    ];
+  };
+}
--- a/old-conf/nixos-modules/services/caddy/custom-caddy.nix
+++ b/old-conf/nixos-modules/services/caddy/custom-caddy.nix
@ -0,0 +1,48 @@
+{ pkgs, lib, ... }:
+
+with pkgs;
+
+caddy.override {
+  buildGo125Module = args: buildGo125Module (args // {
+    src = stdenv.mkDerivation rec {
+      pname = "caddy-using-xcaddy-${xcaddy.version}";
+      inherit (caddy) version;
+
+      dontUnpack = true;
+      dontFixup = true;
+
+      nativeBuildInputs = [
+        cacert
+        git
+        go
+      ];
+
+      plugins = [
+        "github.com/caddy-dns/desec@v1.0.1"
+      ];
+
+      configurePhase = ''
+        export GOCACHE=$TMPDIR/go-cache
+        export GOPATH="$TMPDIR/go"
+        export XCADDY_SKIP_BUILD=1
+      '';
+
+      buildPhase = ''
+        ${xcaddy}/bin/xcaddy build "${lib.last (lib.splitString "/" caddy.src.rev)}" ${lib.concatMapStringsSep " " (plugin: "--with ${plugin}") plugins}
+        cd buildenv*
+        go mod vendor
+      '';
+
+      installPhase = ''
+        cp -r --reflink=auto . $out
+      '';
+
+      outputHash = "sha256-a2GeG7TYBnCz30jBKQmmQz8Y3vutRpa+tboaahJ5xeQ=";
+      outputHashMode = "recursive";
+    };
+
+    subPackages = [ "." ];
+    ldflags = [ "-s" "-w" ]; ## don't include version info twice
+    vendorHash = null;
+  });
+}
--- a/old-conf/nixos-modules/services/caddy/default.nix
+++ b/old-conf/nixos-modules/services/caddy/default.nix
@ -0,0 +1,14 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.ragon.services.caddy;
+in
+{
+  options.ragon.services.caddy.enable = lib.mkEnableOption "enables the caddy webserver";
+  config = lib.mkIf cfg.enable {
+    services.caddy = {
+      enable = true;
+      package = import ./custom-caddy.nix { inherit lib; pkgs = pkgs.unstable; };
+    };
+    ragon.persist.extraDirectories = [ config.services.caddy.dataDir ];
+  };
+}
--- a/old-conf/nixos-modules/services/docker.nix
+++ b/old-conf/nixos-modules/services/docker.nix
@ -0,0 +1,18 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.ragon.services.docker;
+in
+{
+  options.ragon.services.docker.enable = lib.mkEnableOption "Enables docker";
+  config = lib.mkIf cfg.enable {
+    virtualisation.oci-containers.backend = "podman";
+    virtualisation.podman.enable = true;
+    virtualisation.podman.dockerCompat = true;
+    virtualisation.podman.defaultNetwork.settings.dns_enabled = true;
+    ragon.user.extraGroups = [ "docker" "podman" ];
+    ragon.persist.extraDirectories = [
+      "/var/lib/docker"
+      "/var/cache/docker"
+    ];
+  };
+}
--- a/old-conf/nixos-modules/services/hedgedoc.nix
+++ b/old-conf/nixos-modules/services/hedgedoc.nix
@ -0,0 +1,66 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.ragon.services.hedgedoc;
+in
+{
+  options.ragon.services.hedgedoc.enable = lib.mkEnableOption "Enables the hedgedoc BitWarden Server";
+  options.ragon.services.hedgedoc.domain =
+    lib.mkOption {
+      type = lib.types.str;
+      default = "md.xyno.systems";
+    };
+  config = lib.mkIf cfg.enable {
+    # ragon.agenix.secrets.autheliaHedgedoc = { owner = "authelia-main"; };
+    # services.authelia.instances.main.settingsFiles = [
+    #   config.age.secrets.autheliaHedgedoc.path
+    # ];
+    services.hedgedoc = {
+      enable = true;
+      environmentFile = "${config.age.secrets.hedgedocSecret.path}";
+      settings = {
+        protocolUseSSL = true;
+        sessionSecret = "$SESSION_SECRET";
+        allowAnonymous = false;
+        allowAnonymousEdits = false;
+        allowFreeURL = true;
+        email = false;
+        oauth2 = {
+          providerName = "authentik";
+          clientID = "$CLIENT_ID";
+          clientSecret = "$CLIENT_SECRET";
+          scope = "openid email profile";
+          userProfileURL = "https://auth.hailsatan.eu/application/o/userinfo/";
+          tokenURL = "https://auth.hailsatan.eu/application/o/token/";
+          authorizationURL = "https://auth.hailsatan.eu/application/o/authorize/";
+          userProfileUsernameAttr = "preferred_username";
+          userProfileDisplayNameAttr = "name";
+          userProfileEmailAttr = "email";
+        };
+        domain = "${cfg.domain}";
+        db = {
+          dialect = "postgres";
+          host = "/run/postgresql";
+          database = "hedgedoc";
+        };
+      };
+
+    };
+    ragon.agenix.secrets.hedgedocSecret.owner = "hedgedoc";
+    services.postgresql = {
+
+      enable = true;
+
+      # Ensure the database, user, and permissions always exist
+      ensureDatabases = [ "hedgedoc" ];
+      ensureUsers = [
+        {
+          name = "hedgedoc";
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+    ragon.persist.extraDirectories = [
+      "/var/lib/hedgedoc"
+    ];
+  };
+}
--- a/old-conf/nixos-modules/services/libvirt.nix
+++ b/old-conf/nixos-modules/services/libvirt.nix
@ -0,0 +1,18 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.ragon.services.libvirt;
+  domain = config.ragon.services.nginx.domain;
+in
+{
+  options.ragon.services.libvirt.enable = lib.mkEnableOption "Enables libvirt and stuff";
+  config = lib.mkIf cfg.enable {
+    virtualisation.libvirtd = {
+      enable = true;
+    };
+    ragon.user.extraGroups = [ "kvm" "libvirtd" ];
+    security.polkit.enable = true;
+    ragon.persist.extraDirectories = [
+      "/var/lib/libvirt"
+    ];
+  };
+}
--- a/old-conf/nixos-modules/services/msmtp.nix
+++ b/old-conf/nixos-modules/services/msmtp.nix
@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.ragon.services.msmtp;
+in
+{
+  options.ragon.services.msmtp.enable = lib.mkEnableOption "Enables msmtp";
+  config = lib.mkIf cfg.enable {
+    programs.msmtp = {
+      enable = true;
+    };
+    environment.etc."msmtprc".enable = false;
+    ragon.agenix.secrets.msmtprc = {
+      path = "/etc/msmtprc";
+      mode = "0644";
+    };
+    ragon.agenix.secrets.aliases = {
+      path = "/etc/aliases";
+      mode = "0644";
+    };
+  };
+}
--- a/old-conf/nixos-modules/services/paperless.nix
+++ b/old-conf/nixos-modules/services/paperless.nix
@ -0,0 +1,32 @@
+{ config, inputs, lib, pkgs, ... }:
+with lib;
+with lib.my;
+let
+  cfg = config.ragon.services.paperless;
+  domain = config.ragon.services.nginx.domain;
+in
+{
+  options.ragon.services.paperless.enable = mkEnableOption "Enables paperless ng";
+  options.ragon.services.paperless.location =
+    lib.mkOption {
+      type = lib.types.str;
+      default = "http://${config.services.paperless.address}:${toString config.services.paperless.port}";
+    };
+  config = mkIf cfg.enable {
+    services.paperless = {
+      enable = true;
+      mediaDir = mkDefault "/data/documents/paperless";
+      consumptionDir = "/data/applications/paperless-consumption";
+      consumptionDirIsPublic = true;
+      passwordFile = "${config.age.secrets.paperlessAdminPW.path}";
+      extraConfig = {
+        PAPERLESS_OCR_LANGUAGE = "deu+eng";
+        PAPERLESS_TIME_ZONE = config.time.timeZone;
+      };
+    };
+    ragon.agenix.secrets.paperlessAdminPW = { group = "${config.services.paperless.user}"; mode = "0440"; };
+    ragon.persist.extraDirectories = [
+      "${config.services.paperless.dataDir}"
+    ];
+  };
+}
--- a/old-conf/nixos-modules/services/photoprism.nix
+++ b/old-conf/nixos-modules/services/photoprism.nix
@ -0,0 +1,38 @@
+{ config, lib, pkgs, ... }:
+with lib;
+with lib.my;
+let
+  cfg = config.ragon.services.photoprism;
+  domain = config.ragon.services.nginx.domain;
+in
+{
+  options.ragon.services.photoprism.enable = mkEnableOption "Enables the hedgedoc BitWarden Server";
+  options.ragon.services.photoprism.location =
+    lib.mkOption {
+      type = lib.types.str;
+      default = "http://127.0.0.1:${toString config.ragon.services.photoprism.port}";
+    };
+  options.ragon.services.photoprism.port =
+    mkOption {
+      type = lib.types.str;
+      default = "28452";
+    };
+  config = lib.mkIf cfg.enable {
+    virtualisation.oci-containers.containers.photoprism = {
+      ports = [ "127.0.0.1:${cfg.port}:2342" ];
+      image = "photoprism/photoprism:latest";
+      environmentFiles = [ config.age.secrets.photoprismEnv.path ];
+      workdir = "/photoprism"; # upstream says so
+      user = "1000:100";
+      volumes = [
+        "/data/pictures:/photoprism/originals"
+        "/data/applications/photoprismimport:/photoprism/import"
+        "/var/lib/photoprism:/photoprism/storage"
+      ];
+    };
+    ragon.agenix.secrets.photoprismEnv.owner = "root";
+    ragon.persist.extraDirectories = [
+      "/var/lib/photoprism"
+    ];
+  };
+}
--- a/old-conf/nixos-modules/services/samba.nix
+++ b/old-conf/nixos-modules/services/samba.nix
@ -0,0 +1,28 @@
+{ config, lib, pkgs, ... }:
+with lib;
+with lib.my;
+with builtins;
+let
+  cfg = config.ragon.services.samba;
+  allowedIPs = cfg.allowedIPs;
+  cfgExports = cfg.exports;
+in
+{
+  options.ragon.services.samba.enable = mkEnableOption "Enables Samba";
+  options.ragon.services.samba.shares = mkOption {
+    type = lib.types.attrs;
+    default = { };
+  };
+  config = mkIf cfg.enable {
+    services.samba = {
+      enable = true;
+      shares = cfg.shares;
+    };
+    ragon.persist.extraDirectories = [
+      "/var/lib/samba"
+    ];
+
+    networking.firewall.allowedTCPPorts = [ 139 445 ];
+    networking.firewall.allowedUDPPorts = [ 137 138 ];
+  };
+}
--- a/old-conf/nixos-modules/services/ssh.nix
+++ b/old-conf/nixos-modules/services/ssh.nix
@ -0,0 +1,14 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.ragon.services.ssh;
+  pubkeys = import ../../data/pubkeys.nix;
+in
+{
+  options.ragon.services.ssh.enable = lib.mkEnableOption "Enables sshd";
+  config = lib.mkIf cfg.enable {
+    services.openssh.settings.PermitRootLogin = "without-password";
+    services.openssh.enable = true;
+    services.openssh.settings.PasswordAuthentication = false;
+    users.users.root.openssh.authorizedKeys.keys = pubkeys.ragon.user;
+  };
+}
--- a/old-conf/nixos-modules/services/tailscale-openvpn.nix
+++ b/old-conf/nixos-modules/services/tailscale-openvpn.nix
@ -0,0 +1,85 @@
+{ options, config, lib, pkgs, ... }:
+with lib;
+{
+  options.ragon.services.tailscale-openvpn = {
+    enable = mkEnableOption "Tailscale OpenVPN Bridge";
+    config = mkOption {
+      type = types.attrsOf types.str;
+    };
+    tsAuthKey = mkOption { type = types.str; };
+    script = mkOption { type = types.str; };
+  };
+  config =
+    let
+      cfg = config.ragon.services.tailscale-openvpn;
+      bridgeExt = "br-ovpn-ext";
+      container = server: "ovpn-${server}";
+      bridge = server: "br-ovpn-${server}";
+    in
+    mkIf cfg.enable
+      {
+        networking.bridges = {
+          ${bridgeExt}.interfaces = [ ];
+        };
+        networking.interfaces = {
+          ${bridgeExt}.ipv4.addresses = [{ address = "192.168.129.1"; prefixLength = 24; }];
+        };
+
+        networking.nat = {
+          enable = true;
+          internalInterfaces = [ bridgeExt ];
+        };
+
+
+        systemd.services = {
+          "container@".after = [ "network.target" ];
+        } // (mapAttrs'
+          (server: _: nameValuePair ("container@${container server}") ({ requires = [ "network-addresses-${bridgeExt}.service" ]; }))
+          cfg.config
+        );
+        containers = builtins.listToAttrs (imap0
+          (i: name: nameValuePair name
+            {
+              autoStart = true;
+              ephemeral = true;
+              enableTun = true;
+              privateNetwork = true;
+              hostBridge = bridgeExt;
+              localAddress = "192.168.129.${toString (i + 2)}/24";
+              bindMounts = {
+                "/host/run" = { hostPath = "/run"; isReadOnly = true; };
+                "/run/agenix.d" = { hostPath = "/run/agenix.d"; isReadOnly = true; };
+              };
+              config = {
+                networking.nameservers = [ "9.9.9.9" ];
+                systemd.services.ovpnScript = {
+                  wantedBy = ["multi-user.target"];
+                  script = ''${pkgs.bash}/bin/bash /host${cfg.script}'';
+                  unitConfig.Type = "oneshot";
+                  requiredBy = [ "tailscaled.service" "openvpn-ovpn.service"];
+                  path = [ pkgs.dig pkgs.iproute2 ];
+                };
+                services.openvpn.servers.ovpn = {
+                  config = ''
+                    config /host${cfg.config.${name}}
+                  '';
+                  up = "echo nameserver $nameserver | ${pkgs.openresolv}/sbin/resolvconf -m 0 -a $dev";
+                  down = "${pkgs.openresolv}/sbin/resolvconf -d $dev";
+                };
+                services.tailscale = {
+                  enable = true;
+                  useRoutingFeatures = "server";
+                  extraUpFlags = [ "--advertise-exit-node" ];
+                  authKeyFile = "/host${cfg.tsAuthKey}";
+                  openFirewall = true;
+                };
+                system.stateVersion = "23.11";
+              };
+
+            })
+          (builtins.attrNames cfg.config));
+
+
+
+      };
+}
--- a/old-conf/nixos-modules/services/ts3.nix
+++ b/old-conf/nixos-modules/services/ts3.nix
@ -0,0 +1,22 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.ragon.services.ts3;
+in
+{
+  options.ragon.services.ts3.enable = lib.mkEnableOption "Enables the Teamspeak 3 Server";
+  config = lib.mkIf cfg.enable {
+    services.teamspeak3 = {
+      enable = true;
+    };
+    networking.firewall.allowedTCPPorts = [
+      config.services.teamspeak3.queryPort
+      config.services.teamspeak3.fileTransferPort
+    ];
+    networking.firewall.allowedUDPPorts = [
+      config.services.teamspeak3.defaultVoicePort
+    ];
+    ragon.persist.extraDirectories = [
+      "${config.services.teamspeak3.dataDir}"
+    ];
+  };
+}