Move more services to defiant. Remove sarek.

hosts/defiant/services/flame.nix

@@ -0,0 +1,22 @@
+{ config, pkgs, lib, ... }:
+let
+  domain = "flame.home.feal.no";
+  host = "127.0.1.2";
+  port = "5005";
+in {
+  # Flame - Homelab dashboard/linktree
+  virtualisation.oci-containers.containers = {
+    flame = {
+      image = "pawelmalak/flame";
+      ports = [ "${host}:${port}:5005" ];
+      volumes = [
+        "/var/lib/flame/data:/app/data/"
+      ];
+    };
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    locations."/".proxyPass = "http://${host}:${port}";
+  };
+}
+

hosts/defiant/services/hedgedoc.nix

@@ -0,0 +1,117 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.hedgedoc.settings;
+  domain = "md.feal.no";
+  port = 3300;
+  host = "127.0.1.2";
+  authServerUrl = "https://auth.feal.no";
+in {
+  # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
+  sops.secrets."hedgedoc/env" = {
+    restartUnits = [ "hedgedoc.service" ];
+  };
+
+  services.hedgedoc = {
+    enable = true;
+    environmentFile = config.sops.secrets."hedgedoc/env".path;
+    settings = {
+      inherit domain port host;
+      protocolUseSSL = true;
+      sessionSecret = "$CMD_SESSION_SECRET";
+
+      allowFreeURL = true;
+      allowAnonymous = false;
+      allowAnonymousEdits = true; # Allow anonymous edits with the "freely" permission
+
+      # dbURL = "postgres://hedgedoc@localhost/hedgedoc";
+      db = {
+        username = "hedgedoc";
+        database = "hedgedoc";
+        host = "/run/postgresql";
+        dialect = "postgresql";
+      };
+
+      email = false;
+      oauth2 = {
+        baseURL = "${authServerUrl}/oauth2";
+        tokenURL = "${authServerUrl}/oauth2/token";
+        authorizationURL = "${authServerUrl}/ui/oauth2";
+        userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";
+
+        clientID = "hedgedoc";
+        clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
+        scope = "openid email profile";
+        userProfileUsernameAttr = "name";
+        userProfileEmailAttr = "email";
+        userProfileDisplayNameAttr = "displayname";
+
+        providerName = "KaniDM";
+      };
+    };
+  };
+
+  systemd.services.hedgedoc = {
+    requires = [
+      "postgresql.service"
+      # "kanidm.service"
+    ];
+    serviceConfig = let
+      workDir = "/var/lib/hedgedoc";
+    in {
+      WorkingDirectory = lib.mkForce workDir;
+      StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];
+
+      # Better safe than sorry :)
+      CapabilityBoundingSet = "";
+      LockPersonality = true;
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      PrivateMounts = true;
+      PrivateTmp = true;
+      PrivateUsers = true;
+      ProtectClock = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProtectSystem = "strict";
+      ReadWritePaths = [ workDir ];
+      RemoveIPC = true;
+      RestrictSUIDSGID = true;
+      UMask = "0007";
+      RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
+      SystemCallArchitectures = "native";
+      # SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
+    };
+  };
+
+  services.postgresql = {
+    ensureDatabases = [ "hedgedoc" ];
+    ensureUsers = [{
+      name = "hedgedoc";
+      ensureDBOwnership = true;
+    }];
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    listen = [
+      { addr = "192.168.10.175"; port = 43443; ssl = true; }
+      { addr = "192.168.10.175"; port = 43080; ssl = false; }
+    ];
+
+    enableACME = true;
+    forceSSL = true;
+
+    locations = {
+      "/" = {
+        proxyPass = "http://${host}:${toString port}";
+      };
+      "/socket.io" = {
+        proxyPass = "http://${host}:${toString port}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+}

hosts/defiant/services/nginx.nix

@@ -12,7 +12,7 @@
     defaultListen = [
       {
         addr = "192.168.10.175";
-        port = "80";
+        port = 80;
         ssl = false;
       }
     ];
@@ -27,4 +27,22 @@
     acceptTerms = true;
     defaults.email = "felix@albrigtsen.it";
   };
+
+  # Publicly exposed services:
+
+  services.nginx.virtualHosts = let
+    publicProxy = upstream: {
+      listen = [
+        { addr = "192.168.10.175"; port = 43443; ssl = true; }
+        { addr = "192.168.10.175"; port = 43080; ssl = false; }
+      ];
+      enableACME = true;
+      forceSSL = true;
+
+      locations."/".proxyPass = "${upstream}";
+    };
+  in {
+    "jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/";
+    # "wiki.wackattack.eu" = publicProxy "http://pascal.wackattack.home.feal.no/";
+  };
 }

hosts/defiant/services/pihole.nix

@@ -0,0 +1,30 @@
+{ config, pkgs, lib, ... }:
+let
+  domain = "pihole.home.feal.no";
+  dnsHost = "192.168.10.175";
+  webuiListen = "127.0.1.2:5053";
+in {
+  # Flame - Homelab dashboard/linktree
+  virtualisation.oci-containers.containers = {
+    pihole = {
+      image = "pihole/pihole";
+      ports = [
+        "${dnsHost}:53:53/tcp"
+        "${dnsHost}:53:53/udp"
+        "${webuiListen}:80"
+      ];
+
+      environment.TZ = "Europe/Oslo";
+
+      volumes = [
+        "/var/lib/pihole/etc:/etc/pihole"
+        "/var/lib/pihole/dnsmasq:/etc/dnsmasq.d"
+      ];
+    };
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    locations."/".proxyPass = "http://${webuiListen}";
+  };
+}
+

hosts/defiant/services/postgresql.nix

@@ -6,12 +6,11 @@
   };
 
   services.postgresqlBackup = {
-    enable = true;
+    # enable = true;
     location = "/data/backup/postgresql/";
     startAt = "*-*-* 03:15:00";
     backupAll = true;
   };
 
-
   environment.systemPackages = [ config.services.postgresql.package ];
 }