Services: add tailscale, kuma, vw and forgejo to Theia

2025-06-08 03:43:02 -04:00 · 2025-01-26 23:22:46 +02:00 · 2025-01-26 23:22:46 +02:00 · 057582d665
commit 057582d665
parent dcd2d8adab
10 changed files with 168 additions and 5 deletions
--- a/modules/nixos/networking/default.nix
+++ b/modules/nixos/networking/default.nix
@ -6,6 +6,7 @@
  inherit (lib.modules) mkDefault mkForce;
 in {
  imports = [
+    ./tailscale.nix
  ];

  networking = {
@ -15,5 +16,13 @@ in {
    useNetworkd = mkForce true;

    usePredictableInterfaceNames = mkDefault true;
+
+    nameservers = [
+      "1.1.1.1"
+      "1.0.0.1"
+      "9.9.9.9"
+    ];
+
+    enableIPv6 = true;
  };
 }
--- a/modules/nixos/networking/tailscale.nix
+++ b/modules/nixos/networking/tailscale.nix
@ -0,0 +1,33 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}: let
+  inherit (lib.modules) mkIf mkDefault;
+  inherit (lib.options) mkEnableOption;
+  inherit (config.services) tailscale;
+
+  sys = config.olympus.system.networking;
+  cfg = sys.tailscale;
+in {
+  options.olympus.system.networking.tailscale = {
+    enable = mkEnableOption "Tailscale";
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [pkgs.tailscale];
+
+    networking.firewall = {
+      # always allow traffic from your Tailscale network
+      trustedInterfaces = ["${tailscale.interfaceName}"];
+      checkReversePath = "loose";
+    };
+
+    services.tailscale = {
+      enable = true;
+      openFirewall = true;
+      useRoutingFeatures = mkDefault "server";
+    };
+  };
+}
--- a/modules/nixos/services/hosted/forgejo.nix
+++ b/modules/nixos/services/hosted/forgejo.nix
@ -121,7 +121,7 @@ in {

      caddy.virtualHosts.${cfg.domain} = {
        extraConfig = ''
-          reverse_proxy localhost:3000
+          reverse_proxy localhost:${toString cfg.port}
        '';
      };
    };
--- a/modules/nixos/services/hosted/uptime-kuma.nix
+++ b/modules/nixos/services/hosted/uptime-kuma.nix
@ -24,7 +24,7 @@ in {

    services.caddy.virtualHosts.${cfg.domain} = {
      extraConfig = ''
-        reverse_proxy localhost:${cfg.port}
+        reverse_proxy localhost:${toString cfg.port}
      '';
    };
  };
--- a/modules/nixos/services/hosted/vaultwarden.nix
+++ b/modules/nixos/services/hosted/vaultwarden.nix
@ -1 +1,54 @@
-{}
+{
+  lib,
+  config,
+  ...
+}: let
+  inherit (lib) template;
+  inherit (lib.modules) mkIf;
+  inherit (lib.services) mkServiceOption;
+  inherit (lib.secrets) mkSecret;
+
+  rdomain = config.networking.domain;
+  cfg = config.olympus.services.vaultwarden;
+in {
+  options.olympus.services.vaultwarden = mkServiceOption "vaultwarden" {
+    port = 8222;
+    domain = "vault.${rdomain}";
+  };
+
+  config = mkIf cfg.enable {
+    age.secrets.vaultwarden-env = mkSecret {
+      file = "vaultwarden-env";
+      owner = "vaultwarden";
+      group = "vaultwarden";
+    };
+
+    services = {
+      vaultwarden = {
+        enable = true;
+        environmentFile = config.age.secrets.vaultwarden-env.path;
+
+        config = {
+          DOMAIN = "https://${cfg.domain}";
+          ROCKET_ADDRESS = cfg.host;
+          ROCKET_PORT = cfg.port;
+          extendedLogging = true;
+          invitationsAllowed = true;
+          useSyslog = true;
+          logLevel = "warn";
+          showPasswordHint = false;
+          SIGNUPS_ALLOWED = false;
+          signupsAllowed = false;
+          signupsDomainsWhitelist = "${rdomain}";
+          dataDir = "/var/lib/vaultwarden";
+        };
+      };
+
+      caddy.virtualHosts.${cfg.domain} = {
+        extraConfig = ''
+          reverse_proxy localhost:${toString cfg.port}
+        '';
+      };
+    };
+  };
+}