✨♻️ Migrate and refactor all v1 services, Add atticd service and cleanup

2025-10-31 13:50:04 +00:00 · 2025-05-25 19:09:33 +02:00 · 2025-05-25 19:09:33 +02:00 · e45cfc0fbc
commit e45cfc0fbc
parent 76489651f1
24 changed files with 592 additions and 20 deletions
--- a/modules/nixos/archetypes/server/default.nix
+++ b/modules/nixos/archetypes/server/default.nix
@ -0,0 +1,38 @@
+{
+  lib,
+  self,
+  config,
+  ...
+}: let
+  inherit (lib) mkEnableOption mkIf;
+  inherit (self) namespace;
+
+  cfg = config.${namespace}.archetypes.server;
+in {
+  options.${namespace}.archetypes.server = {
+    enable = mkEnableOption "the server archetype for your current system";
+  };
+
+  config = mkIf cfg.enable {
+    puzzlevision = {
+      system = {
+        nix = {
+          enable = true;
+          use-lix = true;
+        };
+        grub.enable = true;
+        networking.enable = true;
+        kernel.enable = true;
+        shell.enable = true;
+        locale.enable = true;
+      };
+
+      services = {
+        docker.enable = true;
+      };
+    };
+
+    # Enable SSH for remote login
+    services.openssh.enable = true;
+  };
+}
--- a/modules/nixos/services/atticd/default.nix
+++ b/modules/nixos/services/atticd/default.nix
@ -0,0 +1,53 @@
+{
+  lib,
+  self,
+  config,
+  ...
+}: let
+  inherit (lib) mkEnableOption mkIf;
+  inherit (self) namespace;
+
+  cfg = config.${namespace}.services.atticd;
+in {
+  options.${namespace}.services.atticd = {
+    enable = mkEnableOption "the attic service, a multi-tenant nix binary cache.";
+    sopsFile = mkOpt types.str null "The location of the sops secret file for the Atticd service.";
+    sopsFormat = mkOpt types.str null "The format of the sops secret file for the Atticd service.";
+    subdomain = mkOpt types.str "cache" "The subdomain, of the system domain, the service should be exposed on.";
+  };
+
+  config = mkIf cfg.enable {
+    config.sops.secrets."services/atticd" = {
+      sopsFile = cfg.sopsFile;
+      format = cfg.sopsFormat;
+    };
+
+    services.atticd = {
+      enable = true;
+
+      environmentFile = config.sops.secrets."services/atticd".path;
+
+      settings = {
+        listen = "[::]:3900";
+        jwt = {};
+
+        chunking = {
+          nar-size-threshold = 64 * 1024; # 64 KiB
+          min-size = 16 * 1024; # 16 KiB
+          avg-size = 64 * 1024; # 64 KiB
+          max-size = 256 * 1024; # 256 KiB
+        };
+      };
+    };
+
+    services.traefik.dynamicConfigOptions = {
+      http = {
+        services.atticd.loadBalancer.server.url = "http://localhost:3900";
+        routers.atticd = {
+          entrypoints = ["websecure"];
+          rule = "Host(`${cfg.subdomain}.${config.services.domain}`)";
+        };
+      };
+    };
+  };
+}
--- a/modules/nixos/services/default.nix
+++ b/modules/nixos/services/default.nix
@ -0,0 +1,13 @@
+{
+  lib,
+  self,
+  ...
+}: let
+  inherit (lib) types;
+  inherit (self) namespace;
+  inherit (self.lib) mkOpt;
+in {
+  options.${namespace}.services = {
+    domain = mkOpt types.str "thevoid.cafe" "The main system domain, used for exposing services.";
+  };
+}
--- a/modules/nixos/services/docker/default.nix
+++ b/modules/nixos/services/docker/default.nix
@ -15,6 +15,9 @@ in {

  config = mkIf cfg.enable {
    # Enable docker
-    virtualisation.docker.enable = true;
+    virtualisation = {
+      docker.enable = true;
+      oci-containers.backend = "docker";
+    };
  };
 }
--- a/modules/nixos/services/duckdns/default.nix
+++ b/modules/nixos/services/duckdns/default.nix
@ -0,0 +1,34 @@
+{
+  lib,
+  self,
+  config,
+  ...
+}: let
+  inherit (lib) mkEnableOption mkIf types;
+  inherit (self) namespace;
+  inherit (self.lib) mkOpt;
+
+  cfg = config.${namespace}.services.duckdns;
+in {
+  options.${namespace}.services.duckdns = {
+    enable = mkEnableOption "DuckDNS, the dynamic dns service. Will periodically refresh your IP.";
+    sopsFile = mkOpt types.str null "The location of the sops secret file for the DuckDNS service.";
+    sopsFormat = mkOpt types.str null "The format of the sops secret file for the DuckDNS service.";
+  };
+
+  config = mkIf cfg.enable {
+    sops.secrets.duckdns = {
+      sopsFile = cfg.sopsFile;
+      format = cfg.sopsFormat;
+    };
+
+    virtualisation.oci-containers.containers.duckdns = {
+      image = "lscr.io/linuxserver/duckdns:latest";
+      autoStart = true;
+      hostname = config.networking.hostname;
+      environmentFiles = [
+        config.sops.secrets.duckdns.path
+      ];
+    };
+  };
+}
--- a/modules/nixos/services/homepage/default.nix
+++ b/modules/nixos/services/homepage/default.nix
@ -0,0 +1,54 @@
+{
+  lib,
+  self,
+  config,
+  ...
+}: let
+  inherit (lib) mkEnableOption mkIf types;
+  inherit (self) namespace;
+  inherit (self.lib) mkOpt;
+
+  cfg = config.${namespace}.services.homepage;
+in {
+  options.${namespace}.services.homepage = {
+    enable = mkEnableOption "Homepage, an intuitive dashboard for your services.";
+    subdomain = mkOpt types.str "home" "The subdomain, of the system domain, the service should be exposed on.";
+    configDir = mkOpt types.str null "The config directory, which will be copied to the Homepage directory during compilation.";
+  };
+
+  config = mkIf cfg.enable {
+    systemd.tmpfiles.rules = [
+      "d /var/lib/containers/homepage 0700 root root -"
+      "d /var/lib/containers/homepage/config 0700 root root -"
+      "d /var/lib/containers/homepage/images 0700 root root -"
+    ];
+
+    # Copy files from homepageConfigDirectory to the target directory
+    system.activationScripts.homepage = ''
+      cp -r ${cfg.configDir}/* /var/lib/containers/homepage/
+    '';
+
+    virtualisation.oci-containers.containers.homepage = {
+      image = "ghcr.io/gethomepage/homepage:latest";
+      autoStart = true;
+      hostname = config.networking.hostname;
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.homepage.entrypoints" = "websecure";
+        "traefik.http.routers.homepage.rule" = "Host(`${cfg.subdomain}.${config.services.domain}`)";
+        "traefik.http.services.homepage.loadbalancer.server.port" = "3000";
+      };
+      volumes = [
+        "/var/lib/containers/homepage/config:/app/config:rw"
+        "/var/lib/containers/homepage/images:/app/public/images:rw"
+
+        # Optional, used for docker integration.
+        "/var/run/docker.sock:/var/run/docker.sock:ro"
+      ];
+      environment = {
+        "HOMEPAGE_ALLOWED_HOSTS" = "${cfg.subdomain}.${config.services.domain}";
+      };
+      extraOptions = ["--network=proxy"];
+    };
+  };
+}
--- a/modules/nixos/services/traefik/default.nix
+++ b/modules/nixos/services/traefik/default.nix
@ -0,0 +1,98 @@
+{
+  lib,
+  self,
+  config,
+  ...
+}: let
+  inherit (lib) mkEnableOption mkIf mkOption;
+  inherit (self) namespace;
+
+  cfg = config.${namespace}.services.traefik;
+in {
+  options.${namespace}.services.traefik = {
+    enable = mkEnableOption "the Traefik service.";
+    sopsFile = mkOpt types.str null "The location of the sops secret file for the Traefik service.";
+    sopsFormat = mkOpt types.str null "The format of the sops secret file for the Traefik service.";
+  };
+
+  config = mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = [80 8080 443]; # http, dashboard, https
+
+    sops.secrets."services/traefik" = {
+      sopsFile = cfg.sopsFile;
+      format = cfg.sopsFormat;
+    };
+
+    systemd.services.traefik = {
+      serviceConfig = {
+        EnvironmentFile = [config.sops.secrets."services/traefik".path];
+      };
+    };
+
+    services.traefik = {
+      enable = true;
+      group = "docker";
+
+      staticConfigOptions = {
+        log = {
+          level = "INFO";
+          filePath = "/var/lib/traefik/traefik.log";
+          noColor = false;
+          maxSize = 100;
+          compress = true;
+        };
+
+        api = {
+          dashboard = true;
+          insecure = true;
+        };
+
+        providers = {
+          docker = {
+            exposedByDefault = false;
+            network = "proxy";
+          };
+        };
+
+        certificatesResolvers = {
+          letsencrypt = {
+            acme = {
+              email = cfg.cloudflareEmail;
+              storage = "/var/lib/traefik/acme.json";
+              #caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"; # Uncomment this when testing stuff!
+              dnsChallenge = {
+                provider = "cloudflare";
+              };
+            };
+          };
+        };
+
+        entryPoints.web = {
+          address = ":80";
+          http.redirections.entryPoint = {
+            to = "websecure";
+            scheme = "https";
+            permanent = true;
+          };
+        };
+
+        entryPoints.websecure = {
+          address = ":443";
+          http.tls = {
+            certResolver = "letsencrypt";
+            domains = [
+              {
+                main = "thevoid.cafe";
+                sans = ["*.thevoid.cafe"];
+              }
+              {
+                main = "rhysbot.co.uk";
+                sans = ["*.rhysbot.co.uk"];
+              }
+            ];
+          };
+        };
+      };
+    };
+  };
+}
--- a/modules/nixos/services/vaultwarden/default.nix
+++ b/modules/nixos/services/vaultwarden/default.nix
@ -0,0 +1,49 @@
+{
+  lib,
+  self,
+  config,
+  ...
+}: let
+  inherit (lib) mkEnableOption mkIf types;
+  inherit (self) namespace;
+  inherit (self.lib) mkOpt;
+
+  cfg = config.${namespace}.services.vaultwarden;
+in {
+  options.${namespace}.services.vaultwarden = {
+    enable = mkEnableOption "Vaultwarden, a self-hostable password manager.";
+    sopsFile = mkOpt types.str null "The location of the sops secret file for the Vaultwarden service.";
+    sopsFormat = mkOpt types.str null "The format of the sops secret file for the Vaultwarden service.";
+    subdomain = mkOpt types.str "vault" "The subdomain, of the system domain, the service should be exposed on.";
+  };
+
+  config = mkIf cfg.enable {
+    sops.secrets."services/vaultwarden" = {
+      sopsFile = cfg.sopsFile;
+      format = cfg.sopsFormat;
+    };
+
+    # Ensure directories exist before OCI container is launched.
+    systemd.tmpfiles.rules = [
+      "d /var/lib/containers/vaultwarden/data 0700 root root -"
+    ];
+
+    virtualisation.oci-containers.containers.vaultwarden = {
+      image = "vaultwarden/server";
+      autoStart = true;
+      hostname = config.networking.hostname;
+      labels = {
+        "traefik.enable" = "true";
+        "traefik.http.routers.vaultwarden.entrypoints" = "websecure";
+        "traefik.http.routers.vaultwarden.rule" = "Host(`${cfg.subdomain}.${config.services.domain}`)";
+      };
+      volumes = [
+        "/var/lib/containers/vaultwarden/data:/data:rw"
+      ];
+      environmentFiles = [
+        config.sops.secrets."services/vaultwarden".path
+      ];
+      extraOptions = ["--network=proxy"];
+    };
+  };
+}