feat: split flake into multiple hosts and add homelab config

2025-06-06 22:28:42 -05:00 · 2025-06-06 22:28:42 -05:00 · ebe58addaa
commit ebe58addaa
parent cd07c91676
19 changed files with 539 additions and 40 deletions
--- a/hosts/lithium/services/caddy.nix
+++ b/hosts/lithium/services/caddy.nix
@ -0,0 +1,41 @@
+{ config, pkgs, ... }:
+{
+  sops.secrets.caddy_env = {
+    sopsFile = ../secrets/caddy.env;
+    format = "dotenv";
+    mode = "0440";
+    owner = config.services.caddy.user;
+    group = config.services.caddy.group;
+    restartUnits = [ "caddy.service" ];
+  };
+  services.caddy = {
+    enable = true;
+    package = pkgs.caddy.withPlugins {
+      # NOTE: Occasionally specify @latest and update the new versions, and the result hash.
+      plugins = [
+        "github.com/mholt/caddy-dynamicdns@v0.0.0-20250430031602-b846b9e8fb83"
+        "github.com/caddy-dns/cloudflare@v0.2.1"
+      ];
+
+      # NOTE: Built on 6/4/2025
+      hash = "sha256-swskhAr7yFJX+qy0FR54nqJarTOojwhV2Mbk7+fyS0I=";
+    };
+    # NOTE: Use Staging CA while testing, check `systemctl status caddy`
+    # to see if everything is working.
+    # acmeCA = "https://acme-staging-v02.api.letsencrypt.org/directory";
+
+    # TODO: Add Metrics with Prometheus & Grafana
+    environmentFile = config.sops.secrets.caddy_env.path;
+    globalConfig = ''
+      # acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+      dynamic_dns {
+        provider cloudflare {env.CLOUDFLARE_API_TOKEN}
+        domains {
+          ${config.networking.domain} @
+        }
+        dynamic_domains
+      }
+    '';
+  };
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
--- a/hosts/lithium/services/jellyfin.nix
+++ b/hosts/lithium/services/jellyfin.nix
@ -0,0 +1,20 @@
+{ config, pkgs, ... }:
+let
+  svcDomain = "tv.${config.networking.domain}";
+in
+{
+  services.caddy.virtualHosts."${svcDomain}".extraConfig = ''
+    reverse_proxy :8096
+  '';
+  services.jellyfin = {
+    enable = true;
+    # NOTE: Keeping this open for now, for internal network use.
+    # ports 8096 for http and 8920 for https
+    openFirewall = true;
+  };
+  environment.systemPackages = [
+    pkgs.jellyfin
+    pkgs.jellyfin-web
+    pkgs.jellyfin-ffmpeg
+  ];
+}
--- a/hosts/lithium/services/kanidm.nix
+++ b/hosts/lithium/services/kanidm.nix
@ -0,0 +1,126 @@
+{ config, pkgs, lib, ... }:
+let
+  svcDomain = "id.${config.networking.domain}";
+  caddyCertsRoot = "${config.services.caddy.dataDir}/.local/share/caddy/certificates";
+  caddyCertsDir = "${caddyCertsRoot}/acme-v02.api.letsencrypt.org-directory";
+  certsDir = "/var/lib/kanidm/certs";
+in
+{
+  # Example of yoinking certs from caddy:
+  # https://github.com/marcusramberg/nix-config/blob/e558914dd3705150511c5ef76278fc50bb4604f3/nixos/kanidm.nix#L3
+
+  # TODO: If possible, consider specifying the cert location here instead of the following kludge.
+  services.caddy.virtualHosts."${svcDomain}".extraConfig = ''
+    reverse_proxy :8443 {
+      transport http {
+        tls_server_name ${svcDomain}
+      }
+    }
+  '';
+
+  # NOTE: Attempted kludge due to caddy generating (and therefore owning the certs)
+  systemd.tmpfiles.rules = [
+    "d ${certsDir} 0750 kanidm caddy -"
+    "C ${certsDir}/cert.pem - kanidm - - ${caddyCertsDir}/${svcDomain}/${svcDomain}.crt"
+    "C ${certsDir}/key.key  - kanidm - - ${caddyCertsDir}/${svcDomain}/${svcDomain}.key"
+  ];
+  systemd.services.kanidm = {
+    after = [ "systemd-tmpfiles-setup.service" ];
+    requires = [ "caddy.service" "systemd-tmpfiles-setup.service" ];
+  };
+  users.users.kanidm.extraGroups = [
+    "caddy"
+  ];
+
+  sops.secrets = {
+    "kanidm/admin-password" = {
+      group = "kanidm";
+      mode = "440";
+    };
+    "kanidm/idm-admin-password" = {
+      group = "kanidm";
+      mode = "440";
+    };
+  };
+
+  services.kanidm = {
+    package = pkgs.kanidmWithSecretProvisioning;
+    enableServer = true;
+    serverSettings = {
+      # NOTE: Required to start the server: https://kanidm.github.io/kanidm/stable/server_configuration.html
+      # domain, origin, tls_chain, tls_key
+      domain = svcDomain;
+      origin = "https://${svcDomain}";
+      tls_chain = "${certsDir}/cert.pem";
+      tls_key = "${certsDir}/key.key";
+
+      # NOTE: Optional Settings
+      ldapbindaddress = "127.0.0.1:3636";  # For Jellyfin LDAP integration.
+
+      # trust_x_forwarded_for = true;
+    };
+
+    enableClient = true;
+    clientSettings.uri = config.services.kanidm.serverSettings.origin;
+
+    # NOTE: POSIX accounts bound to LDAP assume 'anonymous' permissions.
+    # https://kanidm.github.io/kanidm/stable/integrations/pam_and_nsswitch.html
+    enablePam = true;
+    unixSettings = {
+      pam_allowed_login_groups = [
+        "unix.admins"
+      ];
+      home_attr = "uuid";
+      home_alias = "name";
+    };
+
+    # NOTE: There are manual steps required as root to allow a user to set
+    # their own credentials, or to confiugre an account as posix. As-is this
+    # module doesn't support provisioning a complete user /w credentials.
+    # Adding an account to `idm_high_privilege` prevents an account from being
+    # tampered with by any other admin accounts.
+    # https://kanidm.github.io/kanidm/stable/accounts/authentication_and_credentials.html#onboarding-a-new-person--resetting-credentials
+    provision = {
+      enable = true;
+      autoRemove = false;
+      adminPasswordFile = config.sops.secrets."kanidm/admin-password".path;
+      idmAdminPasswordFile = config.sops.secrets."kanidm/idm-admin-password".path;
+
+      # NOTE: Basically all this can do is pair up a uuid with a collection of
+      # groups, and you still need to manually issue a reset token so that the
+      # user can create a Passekey and/or Password /w MFA.
+      persons = {
+        # https://kanidm.github.io/kanidm/stable/accounts/authentication_and_credentials.html#resetting-person-account-credentials
+        zenware = {
+          displayName = "zenware";
+          groups = [
+            "unix.admins"
+            "git.users"
+            "git.admins"
+            "tv.users"
+          ];
+        };
+      };
+      groups = {
+        "unix.admins" = {};
+        "git.users" = {};
+        "git.admins" = {};
+        "tv.users" = {};
+        "tv.admins" = {};
+      };
+    };
+  };
+
+  # NOTE: Allow Kanidm auth over SSH
+  services.openssh.settings = {
+    UsePAM = true;
+    PubkeyAuthentication = true;
+    PasswordAuthentication = true;
+    AuthorizedKeysCommand = "${
+      lib.getExe' config.services.kanidm.package
+      "kanidm_ssh_authorizedkeys"
+    } %u";
+    AuthorizedKeysCommandUser = "nobody";
+  };
+
+}
--- a/hosts/lithium/services/uptime-kuma.nix
+++ b/hosts/lithium/services/uptime-kuma.nix
@ -0,0 +1,18 @@
+{ config, pkgs, ... }:
+let
+  svcDomain = "status.${config.networking.domain}";
+  svcPort = config.services.uptime-kuma.settings.PORT;
+in
+{
+  services.caddy.virtualHosts."${svcDomain}".extraConfig = ''
+    reverse_proxy :${svcPort}
+  '';
+  # NOTE: Currently requires some web-interface configuration
+  # User must set up an admin account, monitors, and status pages manually.
+  services.uptime-kuma = {
+    enable = true;
+    # NOTE: NixOS Attributes here resolve into these ENV vars:
+    # https://github.com/louislam/uptime-kuma/wiki/Environment-Variables
+    # settings = {};
+  };
+}