chore: move caddy to common settings

machines/baryte/default.nix

@@ -10,6 +10,7 @@
     commonSettings = {
       auth.enable = true;
       network.localdns.enable = true;
+      serverComponents.enable = true;
     };
 
     services.openssh.enable = true;

machines/biotite/services/synapse.nix

@@ -120,8 +120,4 @@ in
       reverse_proxy /_synapse/client/* 127.0.0.1:${toString port-synapse}
     '';
   };
-
-  networking.firewall.allowedTCPPorts = [
-    443
-  ];
 }

machines/calcite/configuration.nix

@@ -316,10 +316,6 @@ in
     ];
   };
 
-  custom.prometheus = {
-    exporters.node.enable = true;
-  };
-
   services.ollama = {
     enable = true;
     acceleration = "cuda";

machines/dolomite/common.nix

@@ -36,6 +36,7 @@
     commonSettings = {
       auth.enable = true;
       comin.enable = true;
+      serverComponents.enable = true;
       proxyServer = {
         enable = true;
         users = [

machines/minimal/default.nix

@@ -1,25 +0,0 @@
-{
-  lib,
-  ...
-}:
-
-{
-  imports = [
-    ./hardware-configuration.nix
-  ];
-
-  boot.initrd.availableKernelModules =
-    [
-    ];
-
-  swapDevices = [ ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}

machines/raspite/configuration.nix

@@ -23,6 +23,8 @@
     })
   ];
 
+  networking.firewall.allowedTCPPorts = [ 8443 ];
+
   environment.systemPackages = with pkgs; [
     git
     libraspberrypi

machines/raspite/services/hass.nix

@@ -223,10 +223,7 @@
     };
   };
 
-  networking.firewall.allowedTCPPorts = [ 8443 ];
-
   services.caddy = {
-    enable = true;
     virtualHosts = {
       "raspite.coho-tet.ts.net".extraConfig = ''
         reverse_proxy ${config.services.home-assistant.config.http.server_host}:${toString config.services.home-assistant.config.http.server_port}

machines/thorite/default.nix

@@ -26,16 +26,10 @@
       address = [ "23.165.200.99/24" ];
     };
 
-    networking.firewall.allowedTCPPorts = [
-      80
-      443
-    ];
-
-    services.caddy.enable = true;
-
     commonSettings = {
       auth.enable = true;
       comin.enable = true;
+      serverComponents.enable = true;
     };
 
     nixpkgs.system = "x86_64-linux";

machines/weilite/default.nix

@@ -32,6 +32,7 @@
       };
       comin.enable = true;
       network.localdns.enable = true;
+      serverComponents.enable = true;
     };
 
     boot = {

machines/weilite/services/caddy.nix

@@ -35,13 +35,6 @@
       }";
     in
     {
-      enable = true;
-      package = pkgs.caddy.withPlugins {
-        plugins = [
-          "github.com/caddy-dns/cloudflare@v0.2.1"
-        ];
-        hash = "sha256-saKJatiBZ4775IV2C5JLOmZ4BwHKFtRZan94aS5pO90=";
-      };
       virtualHosts."derper00.namely.icu:8443".extraConfig = ''
         ${acmeCF}
         reverse_proxy 127.0.0.1:${toString config.services.tailscale.derper.port}
@@ -52,10 +45,7 @@
       '';
     };
 
-  networking.firewall.allowedTCPPorts = [
+  networking.firewall.allowedTCPPorts = [ 8443 ];
-    8000
-    8443
-  ];
 
   systemd.services.caddy = {
     serviceConfig = {

machines/weilite/services/jellyfin.nix

@@ -19,7 +19,7 @@ in
   services.caddy.virtualHosts."https://weilite.coho-tet.ts.net:8920".extraConfig = ''
     reverse_proxy 127.0.0.1:8096
   '';
-  networking.firewall.allowedTCPPorts = [ 8920 ]; # allow on lan
+
   users.users.jellyfin.extraGroups = [ "render" ];
   users.groups.media.members = [ cfg.user ];
 }

machines/weilite/services/ocis.nix

@@ -27,7 +27,6 @@
     # environmentFile = config.sops.secrets."ocis/env".path;
   };
 
-  networking.firewall.allowedTCPPorts = [ 8443 ];
   services.caddy.virtualHosts."${config.services.ocis.url}".extraConfig = ''
     reverse_proxy ${config.services.ocis.address}:${toString config.services.ocis.port}
   '';

machines/weilite/services/restic.nix

@@ -38,8 +38,6 @@ in
     (mkPrune "xin" "thorite")
   ];
 
-  networking.firewall.allowedTCPPorts = [ 8443 ];
-
   services.caddy.virtualHosts."https://backup.xinyang.life:8443".extraConfig = ''
     tls {
       dns dnspod {env.DNSPOD_API_TOKEN}

machines/weilite/services/transmission.nix

@@ -73,6 +73,8 @@ in
       watch-dir-enabled = false;
     };
   };
+
+  networking.firewall.allowedTCPPorts = [ 9091 ];
   services.caddy.virtualHosts."https://weilite.coho-tet.ts.net:9091".extraConfig = ''
     reverse_proxy 127.0.0.1:${toString cfg.settings.rpc-port}
   '';
@@ -93,6 +95,5 @@ in
     };
   };
 
-  networking.firewall.allowedTCPPorts = [ 9091 ]; # allow on lan
   users.groups.media.members = [ cfg.user ];
 }

modules/nixos/common-settings/proxy-server.nix

@@ -176,11 +176,8 @@ in
         reverse_proxy 127.0.0.1:30310
       '';
 
-      networking.firewall.allowedTCPPorts = [
+      networking.firewall.allowedTCPPorts = [ cfg.trojan.port ];
-        80
+      networking.firewall.allowedUDPPorts = lib.range 6311 6314;
-        cfg.trojan.port
-      ];
-      networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);
 
       services.sing-box = {
         enable = true;

modules/nixos/common-settings/server.nix

@@ -0,0 +1,56 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  cfg = config.commonSettings.serverComponents;
+in
+{
+  options = {
+    commonSettings.serverComponents = {
+      enable = lib.mkEnableOption "Common components on servers";
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = [
+      80
+      443
+    ];
+
+    services.caddy = {
+      enable = true;
+      package = pkgs.caddy.withPlugins {
+        plugins = [
+          "github.com/caddy-dns/cloudflare@v0.2.1"
+        ];
+        hash = "sha256-saKJatiBZ4775IV2C5JLOmZ4BwHKFtRZan94aS5pO90=";
+      };
+    };
+
+    services.caddy.globalConfig = ''
+      servers {
+        metrics
+      }
+
+      admin unix//var/run/caddy/admin.sock {
+        origins 127.0.0.1 ${config.networking.hostName}.coho-tet.ts.net:2019
+      }
+    '';
+
+    systemd.services.caddy.serviceConfig = {
+      RuntimeDirectory = "caddy";
+      RuntimeDirectoryMode = "0700";
+    };
+
+    custom.monitoring = {
+      promtail.enable = true;
+    };
+
+    custom.prometheus.exporters = {
+      enable = true;
+      node.enable = true;
+    };
+  };
+}

modules/nixos/default.nix

@@ -7,6 +7,7 @@
     ./common-settings/proxy-server.nix
     ./common-settings/mainland.nix
     ./common-settings/network.nix
+    ./common-settings/server.nix
     ./disk-partitions
     ./restic.nix
     ./monitor

modules/nixos/forgejo-actions-runner.nix

@@ -1,45 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-let
-  cfg = config.custom.forgejo-actions-runner;
-  settingsFormat = pkgs.formats.yaml { };
-in
-{
-  options = {
-    custom.forgejo-actions-runner = {
-      enable = lib.mkEnableOption "TPM supported ssh agent in go";
-      tokenFile = lib.mkOption { type = lib.types.path; };
-      settings = lib.mkOption {
-        type = lib.types.submodule {
-          freeformType = settingsFormat.type;
-        };
-
-        default = { };
-      };
-    };
-  };
-  config = lib.mkIf cfg.enable {
-    virtualisation.docker.enable = true;
-    services.gitea-actions-runner.package = pkgs.forgejo-actions-runner;
-    services.gitea-actions-runner.instances = {
-      "git.xinyang.life" = {
-        enable = true;
-        url = "https://git.xinyang.life";
-        tokenFile = cfg.tokenFile;
-        name = config.networking.hostName;
-        labels = [
-          "debian-latest:docker://node:18-bullseye"
-          "ubuntu-latest:docker://node:18-bullseye"
-          "nix:docker://xiny/nix-runner:2.21.0-pkgs-23.11"
-        ];
-        settings = {
-          container.network = "host";
-        } // cfg.settings;
-      };
-    };
-  };
-}

modules/nixos/kanidm-client.nix

@@ -1,81 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-with lib;
-
-let
-  cfg = config.custom.kanidm-client;
-in
-{
-  options = {
-    custom.kanidm-client = {
-      enable = mkEnableOption "Kanidm client service";
-      asSSHAuth = mkOption {
-        type = types.submodule {
-          options = {
-            enable = mkEnableOption "Kanidm as system authentication source";
-            allowedGroups = mkOption {
-              type = types.listOf types.str;
-              example = [ "linux_users" ];
-            };
-            hardening = mkOption {
-              type = types.bool;
-              default = false;
-            };
-          };
-        };
-      };
-      sudoers = mkOption {
-        type = types.listOf types.str;
-        default = [ ];
-      };
-      uri = mkOption { type = types.str; };
-    };
-  };
-  config = mkIf cfg.enable {
-    services.kanidm = mkMerge [
-      (mkIf cfg.enable {
-        package = pkgs.kanidm_1_5;
-        enableClient = true;
-        clientSettings = {
-          uri = cfg.uri;
-        };
-      })
-      (mkIf cfg.asSSHAuth.enable {
-        enablePam = true;
-        unixSettings = {
-          pam_allowed_login_groups = cfg.asSSHAuth.allowedGroups;
-          default_shell = "/bin/sh";
-        };
-      })
-    ];
-    services.openssh = mkIf cfg.asSSHAuth.enable {
-      enable = true;
-      authorizedKeysCommand = "/etc/ssh/auth %u";
-      authorizedKeysCommandUser = "kanidm-ssh-runner";
-      settings = mkIf cfg.asSSHAuth.enable {
-        PasswordAuthentication = false;
-        KbdInteractiveAuthentication = false;
-        PermitRootLogin = lib.mkForce "no";
-      };
-    };
-
-    environment.etc."ssh/auth" = mkIf cfg.asSSHAuth.enable {
-      mode = "0555";
-      text = ''
-        #!${pkgs.stdenv.shell}
-        ${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys $1
-      '';
-    };
-    users.groups.wheel.members = cfg.sudoers;
-    users.groups.kanidm-ssh-runner = { };
-    users.users.kanidm-ssh-runner = {
-      isSystemUser = true;
-      group = "kanidm-ssh-runner";
-    };
-
-  };
-}

modules/nixos/vaultwarden.nix

@@ -1,52 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-
-with lib;
-
-let
-  cfg = config.custom.vaultwarden;
-in
-{
-  options = {
-    custom.vaultwarden = {
-      enable = mkEnableOption "vaultwarden server";
-      domain = mkOption {
-        type = types.str;
-        default = "bitwarden.example.com";
-        description = "Domain name of the vaultwarden server";
-      };
-      caddy = mkOption {
-        type = types.bool;
-        default = true;
-        description = "Enable Caddy as reverse proxy";
-      };
-      # TODO: mailserver support
-    };
-  };
-  config = mkIf cfg.enable {
-    services.vaultwarden = {
-      enable = true;
-      dbBackend = "sqlite";
-      config = {
-        DOMAIN = "https://${cfg.domain}";
-        SIGNUPS_ALLOWED = false;
-
-        ROCKET_ADDRESS = "127.0.0.1";
-        ROCKET_PORT = 8222;
-
-        ROCKET_LOG = "critical";
-      };
-    };
-    services.caddy = mkIf cfg.caddy {
-      enable = true;
-
-      virtualHosts."https://${cfg.domain}".extraConfig = ''
-        reverse_proxy ${config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT}
-      '';
-    };
-  };
-}