Initial commit

hosts/cryodev-main/services/default.nix

@@ -0,0 +1,13 @@
+{
+  imports = [
+    ./forgejo.nix
+    ./headplane.nix
+    ./headscale.nix
+    ./mailserver.nix
+    ./netdata.nix
+    ./nginx.nix
+    ./openssh.nix
+    ./sops.nix
+    ./tailscale.nix
+  ];
+}

hosts/cryodev-main/services/forgejo.nix

@@ -0,0 +1,51 @@
+{
+  config,
+  pkgs,
+  outputs,
+  constants,
+  ...
+}:
+
+{
+  imports = [
+    outputs.nixosModules.forgejo
+    outputs.nixosModules.forgejo-runner
+  ];
+
+  services.forgejo = {
+    enable = true;
+    settings = {
+      server = {
+        DOMAIN = constants.services.forgejo.fqdn;
+        ROOT_URL = "https://${constants.services.forgejo.fqdn}/";
+        HTTP_PORT = constants.services.forgejo.port;
+      };
+      service = {
+        DISABLE_REGISTRATION = true;
+      };
+      mailer = {
+        ENABLED = true;
+        FROM = "forgejo@${constants.domain}";
+        SMTP_ADDR = constants.services.mail.fqdn;
+        SMTP_PORT = constants.services.mail.port;
+        USER = "forgejo@${constants.domain}";
+      };
+    };
+    sops = true; # Enable sops integration for secrets
+  };
+
+  services.forgejo-runner = {
+    enable = true;
+    url = "https://${constants.services.forgejo.fqdn}";
+    # Token needs to be set up via sops/secrets
+    sops = true;
+  };
+
+  services.nginx.virtualHosts."${constants.services.forgejo.fqdn}" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${toString constants.services.forgejo.port}";
+    };
+  };
+}

hosts/cryodev-main/services/headplane.nix

@@ -0,0 +1,35 @@
+{
+  config,
+  pkgs,
+  outputs,
+  constants,
+  ...
+}:
+
+{
+  imports = [
+    outputs.nixosModules.headplane
+  ];
+
+  services.headplane = {
+    enable = true;
+    port = constants.services.headplane.port;
+    headscale = {
+      url = "http://127.0.0.1:${toString constants.services.headscale.port}";
+      public_url = "https://${constants.services.headscale.fqdn}";
+    };
+    # Secrets for headplane need to be configured via sops
+    sops.secrets = {
+      "headplane/cookie_secret" = { };
+      "headplane/agent_pre_authkey" = { };
+    };
+  };
+
+  services.nginx.virtualHosts."${constants.services.headplane.fqdn}" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${toString constants.services.headplane.port}";
+    };
+  };
+}

hosts/cryodev-main/services/headscale.nix

@@ -0,0 +1,32 @@
+{
+  config,
+  pkgs,
+  outputs,
+  constants,
+  ...
+}:
+
+{
+  imports = [
+    outputs.nixosModules.headscale
+  ];
+
+  services.headscale = {
+    enable = true;
+    address = "127.0.0.1";
+    port = constants.services.headscale.port;
+    settings = {
+      server_url = "https://${constants.services.headscale.fqdn}";
+      dns_config.base_domain = constants.domain;
+    };
+  };
+
+  services.nginx.virtualHosts."${constants.services.headscale.fqdn}" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${toString constants.services.headscale.port}";
+      proxyWebsockets = true;
+    };
+  };
+}

hosts/cryodev-main/services/mailserver.nix

@@ -0,0 +1,27 @@
+{
+  config,
+  pkgs,
+  outputs,
+  constants,
+  ...
+}:
+
+{
+  imports = [
+    outputs.nixosModules.mailserver
+  ];
+
+  mailserver = {
+    enable = true;
+    fqdn = constants.services.mail.fqdn;
+    domains = [ constants.domain ];
+    accounts = {
+      forgejo = { };
+      admin = {
+        aliases = [ "postmaster" ];
+      };
+    };
+    certificateScheme = "acme-nginx";
+    sops = true;
+  };
+}

hosts/cryodev-main/services/netdata.nix

@@ -0,0 +1,34 @@
+{
+  config,
+  pkgs,
+  constants,
+  ...
+}:
+
+{
+  services.netdata = {
+    enable = true;
+    package = pkgs.netdata.override {
+      withCloudUi = true;
+    };
+    config = {
+      global = {
+        "debug log" = "syslog";
+        "access log" = "syslog";
+        "error log" = "syslog";
+        "bind to" = "127.0.0.1";
+      };
+    };
+  };
+
+  services.nginx.virtualHosts."${constants.services.netdata.fqdn}" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${toString constants.services.netdata.port}";
+      proxyWebsockets = true;
+      # Basic Auth can be added here if desired, or restrict by IP
+      # extraConfig = "allow 100.64.0.0/10; deny all;"; # Example for Tailscale only
+    };
+  };
+}

hosts/cryodev-main/services/nginx.nix

@@ -0,0 +1,22 @@
+{
+  inputs,
+  outputs,
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ outputs.nixosModules.nginx ];
+
+  services.nginx = {
+    enable = true;
+    forceSSL = true; # Force SSL for all vhosts by default if configured to use this option
+    openFirewall = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+  };
+}

hosts/cryodev-main/services/openssh.nix

@@ -0,0 +1,12 @@
+{
+  outputs,
+  ...
+}:
+
+{
+  imports = [
+    outputs.nixosModules.openssh
+  ];
+
+  services.openssh.enable = true;
+}

hosts/cryodev-main/services/sops.nix

@@ -0,0 +1,21 @@
+{
+  config,
+  pkgs,
+  outputs,
+  ...
+}:
+
+{
+  imports = [
+    outputs.nixosModules.sops
+  ];
+
+  sops = {
+    defaultSopsFile = ../secrets.yaml;
+    # age.keyFile is not set, sops-nix defaults to using /etc/ssh/ssh_host_ed25519_key
+    secrets = {
+      "forgejo-runner/token" = { };
+      "tailscale/auth-key" = { };
+    };
+  };
+}

hosts/cryodev-main/services/tailscale.nix

@@ -0,0 +1,23 @@
+{
+  config,
+  pkgs,
+  outputs,
+  constants,
+  ...
+}:
+
+{
+  imports = [
+    outputs.nixosModules.tailscale
+  ];
+
+  services.tailscale = {
+    enable = true;
+    # Connect to our own headscale instance
+    loginServer = "https://${constants.services.headscale.fqdn}";
+    # Allow SSH access over Tailscale
+    enableSSH = true;
+    # Use MagicDNS names
+    acceptDNS = true;
+  };
+}