

5 commits

Author SHA1 Message Date
0e8db874a2 Use nixpkgs apps in nextcloud
2024-12-06 19:30:08 +02:00
2fb1a1bec8 Update headscale configuration 2024-12-06 19:30:08 +02:00
52bc3cc708 Upgrade all stateVersions 2024-12-06 19:30:08 +02:00
88d5e65b66 Update dnsmasq and hostapd config 2024-12-06 19:30:08 +02:00
9ac8c89417 Require postgres version to be configured manually 2024-12-06 17:39:33 +02:00
20 changed files with 731 additions and 692 deletions


@ -15,7 +15,7 @@
id = "100.64.0.0";
prefixLength = 10;
};
domain = "vpn.qo.is";
domain = "vpn.net.qo.is";
hosts = { };
};


@ -13,7 +13,7 @@
owner = name;
};
qois.postgresql.enable = true;
services.postgresql.enable = true;
qois.backup-client.includePaths = [ config.services.nextcloud.home ];
services.nextcloud = {
@ -30,6 +30,24 @@
dbtype = "pgsql";
};
appstoreEnable = false;
extraApps = {
inherit (config.services.nextcloud.package.passthru.packages.apps)
calendar
contacts
deck
groupfolders
maps
memories
music
news
notes
notify_push
tasks
twofactor_webauthn
;
};
phpOptions = {
"opcache.interned_strings_buffer" = "23";
};
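Review bot: `notify_push` is listed under `extraApps` but nothing in this hunk enables `services.nextcloud.notify_push`, which runs the push daemon that app talks to; if it is not enabled elsewhere in the file, the app gets installed while the client-push feature stays inactive. If that is intended, a comment such as `# notify_push app only; the push daemon is enabled per host` next to the entry would save the next reader a search. The `services.nextcloud` attrset is opened in the first hunk and closes outside the section.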


@ -17,5 +17,5 @@
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
system.stateVersion = "24.11"; # Did you read the comment?
}


@ -24,5 +24,5 @@
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "24.05"; # Did you read the comment?
system.stateVersion = "24.11"; # Did you read the comment?
}


@ -52,11 +52,10 @@ in
imports = [ ../../../defaults/webserver ];
qois.postgresql.enable = true;
# Note: Attic cache availability is "best effort", so no artifacts are backed up.
services.postgresql = {
enable = true;
ensureDatabases = [ "atticd" ];
ensureUsers = [
{


@ -7,4 +7,5 @@
];
qois.git-ci-runner.enable = true;
qois.postgresql.package = pkgs.postgresql_15;
}


@ -22,5 +22,5 @@
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.11"; # Did you read the comment?
system.stateVersion = "24.11"; # Did you read the comment?
}


@ -6,7 +6,7 @@ in
imports = [ ../../../defaults/nextcloud ];
qois.postgresql.enable = true;
services.postgresql.enable = true;
services.nextcloud = {
hostName = host;


@ -2,4 +2,6 @@
{
imports = [ ./cloud.nix ];
qois.postgresql.package = pkgs.postgresql_14;
}


@ -46,5 +46,5 @@
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.05"; # Did you read the comment?
system.stateVersion = "24.11"; # Did you read the comment?
}


@ -6,4 +6,5 @@
qois.vault.enable = true;
qois.git.enable = true;
qois.static-page.enable = true;
qois.postgresql.package = pkgs.postgresql_15;
}


@ -21,5 +21,5 @@
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.11"; # Did you read the comment?
system.stateVersion = "24.11"; # Did you read the comment?
}


@ -25,5 +25,5 @@
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
system.stateVersion = "24.11"; # Did you read the comment?
}


@ -20,5 +20,5 @@
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "23.05"; # Did you read the comment?
system.stateVersion = "24.11"; # Did you read the comment?
}


@ -11,15 +11,15 @@ in
with lib;
{
options.qois.postgresql = {
enable = mkEnableOption ''Enable postgresql services with defaults'';
# Note: this module is auto-enabled if postgres is used.
package = mkPackageOption pkgs "postgresql" {
example = "postgresql_15";
default = null;
};
};
config = mkIf cfg.enable {
services.postgresql.enable = true;
config = mkIf config.services.postgresql.enable {
services.postgresql.package = cfg.package;
services.postgresqlBackup.enable = true;
qois.backup-client.includePaths = [ config.services.postgresqlBackup.location ];
};
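Review bot: With `config = mkIf config.services.postgresql.enable {`, the option declared at `enable = mkEnableOption ''Enable postgresql services with defaults'';` is no longer read anywhere in the hunk, so a host that still sets `qois.postgresql.enable = true` evaluates cleanly but gets no PostgreSQL at all — a silent no-op where the old module would have enabled the service. Since every host in this compare drops that line, consider deleting the option and adding `(lib.mkRemovedOptionModule [ "qois" "postgresql" "enable" ] "Defaults now apply whenever services.postgresql.enable is set.")` to the module's `imports` so stale references fail at evaluation time instead. Separately, `default = null;` under mkPackageOption means the option has no default, so enabling postgres without setting `qois.postgresql.package` aborts evaluation; that matches the commit message but deserves a comment on the line, e.g. `# No default on purpose: the major version must be pinned per host so a stateVersion bump cannot switch the cluster version.` The module's `let` header and the end of the attrset lie outside the hunk.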


@ -21,7 +21,7 @@ with lib;
};
config = mkIf cfg.enable {
qois.postgresql.enable = true;
services.postgresql.enable = true;
services.forgejo = {
enable = true;


@ -16,6 +16,11 @@ in
options.qois.vpn-server = {
enable = mkEnableOption "Enable vpn server services";
domain = mkOption {
description = "Domain for the VPN admin server";
type = types.str;
default = "vpn.qo.is";
};
dnsRecords = mkOption {
description = "DNS records to add to Hosts";
type = with types; attrsOf str;
@ -36,8 +41,8 @@ in
with config.services.headscale.settings;
(
[
db_path
private_key_path
database.sqlite.path
derp.server.private_key_path
noise.private_key_path
]
++ derp.paths
@ -56,22 +61,22 @@ in
in
{
enable = true;
address = vnet.backplane.hosts.cyprianspitz.v4.ip;
address = vnet.backplane.hosts.cyprianspitz.v4.ip; # TODO: This entails that the backplane interface is up.
port = 46084;
settings = {
server_url = "https://${vpnNet.domain}:443";
server_url = "https://${cfg.domain}:443";
tls_letsencrypt_challenge_type = "TLS-ALPN-01";
tls_letsencrypt_hostname = vpnNet.domain;
dns_config = {
nameservers = [ vnet.backplane.hosts.calanda.v4.ip ];
domains = [
vpnNet.domain
dns = {
base_domain = vpnNet.domain;
magic_dns = true;
nameservers.global = [ vnet.backplane.hosts.calanda.v4.ip ];
search_domains = [
# vpnNet.domain # First by default with magic_dns
vnet.backplane.domain
];
magic_dns = true;
base_domain = vpnNet.domain;
extra_records = pipe cfg.dnsRecords [
attrsToList
(map (val: val // { type = "A"; }))
@ -80,56 +85,64 @@ in
ip_prefixes = [ vpnNetPrefix ];
acl_policy_path = pkgs.writeTextFile {
name = "acls";
text = builtins.toJSON {
hosts = {
"clients" = vpnNetPrefix;
};
groups = {
"group:wheel" = cfg.wheelUsers;
};
tagOwners = {
"tag:srv" = [ "srv" ]; # srv tag ist owned by srv user
};
autoApprovers = {
exitNode = [
"tag:srv"
"group:wheel"
];
routes = {
${backplaneNetPrefix} = [ "tag:srv" ];
policy =
let
# Note: headscale has limited acl support currently. This might change in the future.
aclPolicy = {
hosts = {
"clients" = vpnNetPrefix;
};
};
acls = [
# Allow all communication from and to srv tagged hosts
{
action = "accept";
src = [
groups = {
"group:wheel" = cfg.wheelUsers;
};
tagOwners = {
"tag:srv" = [ "srv" ]; # srv tag ist owned by srv user
};
autoApprovers = {
exitNode = [
"tag:srv"
"srv"
"group:wheel"
];
dst = [ "*:*" ];
}
{
action = "accept";
src = [ "*" ];
dst = [
"tag:srv:*"
"srv:*"
];
}
routes = {
${backplaneNetPrefix} = [ "tag:srv" ];
};
};
# Allow access to all connected hosts for wheels
{
action = "accept";
src = [ "group:wheel" ];
dst = [ "*:*" ];
}
];
acls = [
# Allow all communication from and to srv tagged hosts
{
action = "accept";
src = [
"tag:srv"
"srv"
];
dst = [ "*:*" ];
}
{
action = "accept";
src = [ "*" ];
dst = [
"tag:srv:*"
"srv:*"
];
}
# Allow access to all connected hosts for wheels
{
action = "accept";
src = [ "group:wheel" ];
dst = [ "*:*" ];
}
];
};
in
{
mode = "file";
path = pkgs.writeTextFile {
name = "acls";
text = builtins.toJSON aclPolicy;
};
};
};
};
};
});
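Review bot: `server_url = "https://${cfg.domain}:443";` now derives from the new `qois.vpn-server.domain` option, but `tls_letsencrypt_hostname = vpnNet.domain;` two lines below and `base_domain = vpnNet.domain;` in the `dns` block still read the network definition. Whenever the two differ — and the first file in this compare appears to change the VPN network's domain to `vpn.net.qo.is` while the new option defaults to `vpn.qo.is` — headscale would obtain a certificate for one name while telling clients to connect to the other, so TLS would fail for every client. Derive all three from a single source, e.g. `tls_letsencrypt_hostname = cfg.domain;` and `default = vpnNet.domain;` for the option, or document why they are meant to diverge. The `TODO` on the `address =` line is also worth turning into an explicit dependency (e.g. an `after`/`bindsTo` on the backplane interface unit) rather than a note, since a service that binds to an absent address fails at boot. The headscale attrset opens before the hunk shown here.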



@ -63,6 +63,7 @@ in
enable = wle24GhzEnabled;
radios.${cfg.wleInterface24Ghz} = {
channel = 6;
wifi4.enable = true;
wifi4.capabilities = [
"HT40-"


@ -48,8 +48,6 @@ with lib;
};
};
qois.postgresql.enable = true;
qois.backup-client.includePaths = [ config.services.vaultwarden.config.DATA_FOLDER ];
services.postgresql =
@ -57,6 +55,7 @@ with lib;
name = config.users.users.vaultwarden.name;
in
{
enable = true;
ensureUsers = [
{
inherit name;