chore: move caddy to common settings

chore: use deploy-next branch for test builds
2025-05-10 00:27:51 +08:00 · 2025-05-09 13:53:02 +08:00
22 changed files with 77 additions and 6709 deletions
--- a/garnix.yaml
+++ b/garnix.yaml
@ -7,6 +7,14 @@ builds:
      - nixosConfigurations.agate
      - nixosConfigurations.baryte
    branch: deploy
+  - include:
+      - nixosConfigurations.*
+    exclude:
+      - nixosConfigurations.osmium
+      - nixosConfigurations.raspite
+      - nixosConfigurations.agate
+      - nixosConfigurations.baryte
+    branch: deploy-next
  - include:
      - nixosConfigurations.biotite
    branch: testing-biotite
--- a/gfw.txt
+++ b/gfw.txt
--- a/machines/baryte/default.nix
+++ b/machines/baryte/default.nix
@ -10,6 +10,7 @@
    commonSettings = {
      auth.enable = true;
      network.localdns.enable = true;
+      serverComponents.enable = true;
    };

    services.openssh.enable = true;
--- a/machines/biotite/services/synapse.nix
+++ b/machines/biotite/services/synapse.nix
@ -120,8 +120,4 @@ in
      reverse_proxy /_synapse/client/* 127.0.0.1:${toString port-synapse}
    '';
  };
-
-  networking.firewall.allowedTCPPorts = [
-    443
-  ];
 }
--- a/machines/calcite/configuration.nix
+++ b/machines/calcite/configuration.nix
@ -316,10 +316,6 @@ in
    ];
  };

-  custom.prometheus = {
-    exporters.node.enable = true;
-  };
-
  services.ollama = {
    enable = true;
    acceleration = "cuda";
--- a/machines/dolomite/common.nix
+++ b/machines/dolomite/common.nix
@ -36,6 +36,7 @@
    commonSettings = {
      auth.enable = true;
      comin.enable = true;
+      serverComponents.enable = true;
      proxyServer = {
        enable = true;
        users = [
--- a/machines/minimal/default.nix
+++ b/machines/minimal/default.nix
@ -1,25 +0,0 @@
-{
-  lib,
-  ...
-}:
-
-{
-  imports = [
-    ./hardware-configuration.nix
-  ];
-
-  boot.initrd.availableKernelModules =
-    [
-    ];
-
-  swapDevices = [ ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}
--- a/machines/raspite/configuration.nix
+++ b/machines/raspite/configuration.nix
@ -23,6 +23,8 @@
    })
  ];

+  networking.firewall.allowedTCPPorts = [ 8443 ];
+
  environment.systemPackages = with pkgs; [
    git
    libraspberrypi
--- a/machines/raspite/services/hass.nix
+++ b/machines/raspite/services/hass.nix
@ -223,10 +223,7 @@
    };
  };

-  networking.firewall.allowedTCPPorts = [ 8443 ];
-
  services.caddy = {
-    enable = true;
    virtualHosts = {
      "raspite.coho-tet.ts.net".extraConfig = ''
        reverse_proxy ${config.services.home-assistant.config.http.server_host}:${toString config.services.home-assistant.config.http.server_port}
--- a/machines/thorite/default.nix
+++ b/machines/thorite/default.nix
@ -26,16 +26,10 @@
      address = [ "23.165.200.99/24" ];
    };

-    networking.firewall.allowedTCPPorts = [
-      80
-      443
-    ];
-
-    services.caddy.enable = true;
-
    commonSettings = {
      auth.enable = true;
      comin.enable = true;
+      serverComponents.enable = true;
    };

    nixpkgs.system = "x86_64-linux";
--- a/machines/weilite/default.nix
+++ b/machines/weilite/default.nix
@ -32,6 +32,7 @@
      };
      comin.enable = true;
      network.localdns.enable = true;
+      serverComponents.enable = true;
    };

    boot = {
--- a/machines/weilite/services/caddy.nix
+++ b/machines/weilite/services/caddy.nix
@ -35,13 +35,6 @@
      }";
    in
    {
-      enable = true;
-      package = pkgs.caddy.withPlugins {
-        plugins = [
-          "github.com/caddy-dns/cloudflare@v0.2.1"
-        ];
-        hash = "sha256-saKJatiBZ4775IV2C5JLOmZ4BwHKFtRZan94aS5pO90=";
-      };
      virtualHosts."derper00.namely.icu:8443".extraConfig = ''
        ${acmeCF}
        reverse_proxy 127.0.0.1:${toString config.services.tailscale.derper.port}
@ -52,10 +45,7 @@
      '';
    };

-  networking.firewall.allowedTCPPorts = [
-    8000
-    8443
-  ];
+  networking.firewall.allowedTCPPorts = [ 8443 ];

  systemd.services.caddy = {
    serviceConfig = {
--- a/machines/weilite/services/jellyfin.nix
+++ b/machines/weilite/services/jellyfin.nix
@ -19,7 +19,7 @@ in
  services.caddy.virtualHosts."https://weilite.coho-tet.ts.net:8920".extraConfig = ''
    reverse_proxy 127.0.0.1:8096
  '';
-  networking.firewall.allowedTCPPorts = [ 8920 ]; # allow on lan
+
  users.users.jellyfin.extraGroups = [ "render" ];
  users.groups.media.members = [ cfg.user ];
 }
--- a/machines/weilite/services/ocis.nix
+++ b/machines/weilite/services/ocis.nix
@ -27,7 +27,6 @@
    # environmentFile = config.sops.secrets."ocis/env".path;
  };

-  networking.firewall.allowedTCPPorts = [ 8443 ];
  services.caddy.virtualHosts."${config.services.ocis.url}".extraConfig = ''
    reverse_proxy ${config.services.ocis.address}:${toString config.services.ocis.port}
  '';
--- a/machines/weilite/services/restic.nix
+++ b/machines/weilite/services/restic.nix
@ -38,8 +38,6 @@ in
    (mkPrune "xin" "thorite")
  ];

-  networking.firewall.allowedTCPPorts = [ 8443 ];
-
  services.caddy.virtualHosts."https://backup.xinyang.life:8443".extraConfig = ''
    tls {
      dns dnspod {env.DNSPOD_API_TOKEN}
--- a/machines/weilite/services/transmission.nix
+++ b/machines/weilite/services/transmission.nix
@ -73,6 +73,8 @@ in
      watch-dir-enabled = false;
    };
  };
+
+  networking.firewall.allowedTCPPorts = [ 9091 ];
  services.caddy.virtualHosts."https://weilite.coho-tet.ts.net:9091".extraConfig = ''
    reverse_proxy 127.0.0.1:${toString cfg.settings.rpc-port}
  '';
@ -93,6 +95,5 @@ in
    };
  };

-  networking.firewall.allowedTCPPorts = [ 9091 ]; # allow on lan
  users.groups.media.members = [ cfg.user ];
 }
--- a/modules/nixos/common-settings/proxy-server.nix
+++ b/modules/nixos/common-settings/proxy-server.nix
@ -176,11 +176,8 @@ in
        reverse_proxy 127.0.0.1:30310
      '';

-      networking.firewall.allowedTCPPorts = [
-        80
-        cfg.trojan.port
-      ];
-      networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);
+      networking.firewall.allowedTCPPorts = [ cfg.trojan.port ];
+      networking.firewall.allowedUDPPorts = lib.range 6311 6314;

      services.sing-box = {
        enable = true;
--- a/modules/nixos/common-settings/server.nix
+++ b/modules/nixos/common-settings/server.nix
@ -0,0 +1,56 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  cfg = config.commonSettings.serverComponents;
+in
+{
+  options = {
+    commonSettings.serverComponents = {
+      enable = lib.mkEnableOption "Common components on servers";
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = [
+      80
+      443
+    ];
+
+    services.caddy = {
+      enable = true;
+      package = pkgs.caddy.withPlugins {
+        plugins = [
+          "github.com/caddy-dns/cloudflare@v0.2.1"
+        ];
+        hash = "sha256-saKJatiBZ4775IV2C5JLOmZ4BwHKFtRZan94aS5pO90=";
+      };
+    };
+
+    services.caddy.globalConfig = ''
+      servers {
+        metrics
+      }
+
+      admin unix//var/run/caddy/admin.sock {
+        origins 127.0.0.1 ${config.networking.hostName}.coho-tet.ts.net:2019
+      }
+    '';
+
+    systemd.services.caddy.serviceConfig = {
+      RuntimeDirectory = "caddy";
+      RuntimeDirectoryMode = "0700";
+    };
+
+    custom.monitoring = {
+      promtail.enable = true;
+    };
+
+    custom.prometheus.exporters = {
+      enable = true;
+      node.enable = true;
+    };
+  };
+}
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@ -7,6 +7,7 @@
    ./common-settings/proxy-server.nix
    ./common-settings/mainland.nix
    ./common-settings/network.nix
+    ./common-settings/server.nix
    ./disk-partitions
    ./restic.nix
    ./monitor
--- a/modules/nixos/forgejo-actions-runner.nix
+++ b/modules/nixos/forgejo-actions-runner.nix
@ -1,45 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-let
-  cfg = config.custom.forgejo-actions-runner;
-  settingsFormat = pkgs.formats.yaml { };
-in
-{
-  options = {
-    custom.forgejo-actions-runner = {
-      enable = lib.mkEnableOption "TPM supported ssh agent in go";
-      tokenFile = lib.mkOption { type = lib.types.path; };
-      settings = lib.mkOption {
-        type = lib.types.submodule {
-          freeformType = settingsFormat.type;
-        };
-
-        default = { };
-      };
-    };
-  };
-  config = lib.mkIf cfg.enable {
-    virtualisation.docker.enable = true;
-    services.gitea-actions-runner.package = pkgs.forgejo-actions-runner;
-    services.gitea-actions-runner.instances = {
-      "git.xinyang.life" = {
-        enable = true;
-        url = "https://git.xinyang.life";
-        tokenFile = cfg.tokenFile;
-        name = config.networking.hostName;
-        labels = [
-          "debian-latest:docker://node:18-bullseye"
-          "ubuntu-latest:docker://node:18-bullseye"
-          "nix:docker://xiny/nix-runner:2.21.0-pkgs-23.11"
-        ];
-        settings = {
-          container.network = "host";
-        } // cfg.settings;
-      };
-    };
-  };
-}
--- a/modules/nixos/kanidm-client.nix
+++ b/modules/nixos/kanidm-client.nix
@ -1,81 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-with lib;
-
-let
-  cfg = config.custom.kanidm-client;
-in
-{
-  options = {
-    custom.kanidm-client = {
-      enable = mkEnableOption "Kanidm client service";
-      asSSHAuth = mkOption {
-        type = types.submodule {
-          options = {
-            enable = mkEnableOption "Kanidm as system authentication source";
-            allowedGroups = mkOption {
-              type = types.listOf types.str;
-              example = [ "linux_users" ];
-            };
-            hardening = mkOption {
-              type = types.bool;
-              default = false;
-            };
-          };
-        };
-      };
-      sudoers = mkOption {
-        type = types.listOf types.str;
-        default = [ ];
-      };
-      uri = mkOption { type = types.str; };
-    };
-  };
-  config = mkIf cfg.enable {
-    services.kanidm = mkMerge [
-      (mkIf cfg.enable {
-        package = pkgs.kanidm_1_5;
-        enableClient = true;
-        clientSettings = {
-          uri = cfg.uri;
-        };
-      })
-      (mkIf cfg.asSSHAuth.enable {
-        enablePam = true;
-        unixSettings = {
-          pam_allowed_login_groups = cfg.asSSHAuth.allowedGroups;
-          default_shell = "/bin/sh";
-        };
-      })
-    ];
-    services.openssh = mkIf cfg.asSSHAuth.enable {
-      enable = true;
-      authorizedKeysCommand = "/etc/ssh/auth %u";
-      authorizedKeysCommandUser = "kanidm-ssh-runner";
-      settings = mkIf cfg.asSSHAuth.enable {
-        PasswordAuthentication = false;
-        KbdInteractiveAuthentication = false;
-        PermitRootLogin = lib.mkForce "no";
-      };
-    };
-
-    environment.etc."ssh/auth" = mkIf cfg.asSSHAuth.enable {
-      mode = "0555";
-      text = ''
-        #!${pkgs.stdenv.shell}
-        ${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys $1
-      '';
-    };
-    users.groups.wheel.members = cfg.sudoers;
-    users.groups.kanidm-ssh-runner = { };
-    users.users.kanidm-ssh-runner = {
-      isSystemUser = true;
-      group = "kanidm-ssh-runner";
-    };
-
-  };
-}
--- a/modules/nixos/vaultwarden.nix
+++ b/modules/nixos/vaultwarden.nix
@ -1,52 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-
-with lib;
-
-let
-  cfg = config.custom.vaultwarden;
-in
-{
-  options = {
-    custom.vaultwarden = {
-      enable = mkEnableOption "vaultwarden server";
-      domain = mkOption {
-        type = types.str;
-        default = "bitwarden.example.com";
-        description = "Domain name of the vaultwarden server";
-      };
-      caddy = mkOption {
-        type = types.bool;
-        default = true;
-        description = "Enable Caddy as reverse proxy";
-      };
-      # TODO: mailserver support
-    };
-  };
-  config = mkIf cfg.enable {
-    services.vaultwarden = {
-      enable = true;
-      dbBackend = "sqlite";
-      config = {
-        DOMAIN = "https://${cfg.domain}";
-        SIGNUPS_ALLOWED = false;
-
-        ROCKET_ADDRESS = "127.0.0.1";
-        ROCKET_PORT = 8222;
-
-        ROCKET_LOG = "critical";
-      };
-    };
-    services.caddy = mkIf cfg.caddy {
-      enable = true;
-
-      virtualHosts."https://${cfg.domain}".extraConfig = ''
-        reverse_proxy ${config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT}
-      '';
-    };
-  };
-}
Author	SHA1	Message	Date
xinyangli	9b3e4038a9	chore: move caddy to common settings	2025-05-10 00:27:51 +08:00
xinyangli	e78f1fe200	chore: use deploy-next branch for test builds	2025-05-09 13:53:02 +08:00