diff --git a/modules/containers.nix b/modules/containers.nix
index 00f6d89..c3fbca9 100644
--- a/modules/containers.nix
+++ b/modules/containers.nix
@@ -38,38 +38,10 @@
 ports = [ "127.0.0.1:9641:9641" ];
 volumes = [ "/vault/mqtt2prometheus/config.yaml:/config.yaml" ];
 };
- # CGM repository
- nightscout = {
- image =
- "nightscout/cgm-remote-monitor@sha256:ce522a9fe9b1373f576329e48349a622c8a9b6177c93dc2771152df36dd90876";
- environmentFiles = [ config.age.secrets.nightscout.path ];
- extraOptions = [ "--pod=cgm-repo" ];
- dependsOn = [ "mongodb" ];
- };
- # CGM repository database
- mongodb = {
- image =
- "mongo:4.4.9@sha256:0837a92d01bcc8c750a8d692ed4df33f0befd07ef261b23e7d9feda04bacd3eb";
- volumes = [ "/vault/mongodb:/data/db" ];
- extraOptions = [ "--pod=cgm-repo" ];
- };
 };
 };
 };
- # Allow networking between Cgm-Repo and MongoDB
- systemd.services.create-cgm-repo-pod = {
- serviceConfig.Type = "oneshot";
- wantedBy = [ "podman-mongodb.service" ];
- script = with pkgs; ''
- ${podman}/bin/podman pod exists cgm-repo || ${podman}/bin/podman pod create -n cgm-repo -p '127.0.0.1:1337:1337'
- '';
- };
- # Start services after ZFS mount
- systemd.services.podman-mongodb.unitConfig.RequiresMountsFor =
- [ /vault/mongodb ];
- systemd.services.podman-mqtt2prometheus.unitConfig.RequiresMountsFor =
- [ /vault/mqtt2prometheus ];
 systemd.services.podman-mqtt2prometheus.unitConfig.RequiresMountsFor = [ /vault/mqtt2prometheus ];
 }
diff --git a/modules/periodic.nix b/modules/periodic.nix
index a1418e4..a6470b2 100644
--- a/modules/periodic.nix
+++ b/modules/periodic.nix
@@ -1,10 +1,16 @@
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
 let
 stateDir = "/var/lib/dnscrypt-proxy";
 blocklist = "${stateDir}/blocklist.txt";
-in {
+in
+{
 # PostgreSQL daily backups
 services.postgresqlBackup = {
 enable = true;
@@ -18,7 +24,10 @@ in {
 systemd.services.download-dns-blocklist = {
 description = "Download hosts-blocklists";
 wantedBy = [ "default.target" ];
- path = with pkgs; [ curl coreutils ];
+ path = with pkgs; [
+ curl
+ coreutils
+ ];
 script = ''
 curl -L https://download.dnscrypt.info/blacklists/domains/mybase.txt -o ${blocklist}
 '';
diff --git a/modules/webstack.nix b/modules/webstack.nix
index ae2423c..5463d46 100644
--- a/modules/webstack.nix
+++ b/modules/webstack.nix
@@ -1,5 +1,11 @@
 # Web services configuration
-{ config, pkgs, lib, ... }: {
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+{
 # Reverse proxy configuration
 services.nginx = {
@@ -9,8 +15,7 @@
 recommendedProxySettings = true;
 recommendedOptimisation = true;
 clientMaxBodySize = "0";
- sslCiphers =
- "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
+ sslCiphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
 sslProtocols = "TLSv1.2 TLSv1.3";
 sslDhparam = "/var/lib/dhparams/nginx.pem";
 commonHttpConfig = ''
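Review bot: The rewritten `sslCiphers` line still ends in `!AES128`, which in OpenSSL cipher-string syntax permanently removes every AES-128 suite, so all the AES128 entries earlier in the same string (and the AES-128 half of `kEDH+AESGCM`) are dead and the effective TLS 1.2 list is the AES-256 suites only — which may or may not be the intent. Since the line is being rewritten anyway, either drop the AES128 entries or drop `!AES128`, and consider removing the CBC/SHA-1 entries (`ECDHE-RSA-AES256-SHA`, `ECDHE-ECDSA-AES256-SHA`, `DHE-RSA-AES256-SHA`, `DHE-DSS-AES256-SHA`) that this list keeps enabled alongside the AEAD suites. This string only governs TLS 1.2: with `sslProtocols = "TLSv1.2 TLSv1.3"` the TLS 1.3 suites are selected separately by nginx/OpenSSL and are unaffected by `ssl_ciphers`. A one-line comment above it such as `# TLS 1.2 suites only; !AES128 deliberately restricts to AES-256` would make the intent reviewable.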
@@ -36,10 +41,8 @@
 locations = {
 "/radicale/".return = "301 https://radicale.coolneng.duckdns.org";
 "/syncthing/".return = "301 https://sync.coolneng.duckdns.org";
- "/gitea/".extraConfig =
- "rewrite ^/gitea/(.*)$ https://git.coolneng.duckdns.org/$1 last;";
- "/miniflux/".extraConfig =
- "rewrite ^/miniflux/(.*)$ https://rss.coolneng.duckdns.org/$1 last;";
+ "/gitea/".extraConfig = "rewrite ^/gitea/(.*)$ https://git.coolneng.duckdns.org/$1 last;";
+ "/miniflux/".extraConfig = "rewrite ^/miniflux/(.*)$ https://rss.coolneng.duckdns.org/$1 last;";
 # Delegation for Matrix
 "/.well-known/" = {
 alias = "${../well-known}" + "/";
@@ -111,8 +114,7 @@
 ssl = true;
 }
 ];
- locations."~ ^(/_matrix|/_synapse/client)".proxyPass =
- "http://localhost:8008";
+ locations."~ ^(/_matrix|/_synapse/client)".proxyPass = "http://localhost:8008";
 };
 "element.coolneng.duckdns.org" = {
 useACMEHost = "coolneng.duckdns.org";
@@ -165,16 +167,6 @@
 proxyWebsockets = true;
 };
 };
- "nightscout.coolneng.duckdns.org" = {
- useACMEHost = "coolneng.duckdns.org";
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://localhost:1337";
- extraConfig = ''
- proxy_set_header X-Forwarded-For $remote_addr;
- '';
- };
- };
 };
 };
@@ -188,9 +180,9 @@
 webroot = "/var/lib/acme/acme-challenge";
 ocspMustStaple = true;
 };
- certs."coolneng.duckdns.org".extraDomainNames =
- lib.attrsets.mapAttrsToList (name: value: "${name}")
- config.services.nginx.virtualHosts;
+ certs."coolneng.duckdns.org".extraDomainNames = lib.attrsets.mapAttrsToList (
+ name: value: "${name}"
+ ) config.services.nginx.virtualHosts;
 };
 # Generate dhparams
diff --git a/scripts/motd.sh b/scripts/motd.sh
index bb2a38b..22e7311 100755
--- a/scripts/motd.sh
+++ b/scripts/motd.sh
@@ -37,7 +37,6 @@ services=(
 "podman-mqtt2prometheus.service"
 "prometheus.service"
 "grafana.service"
- "podman-nightscout.service"
 )
 for var in "${services[@]}"; do
diff --git a/secrets/nightscout.age b/secrets/nightscout.age
deleted file mode 100644
index 064638c..0000000
Binary files a/secrets/nightscout.age and /dev/null differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 6cafe5f..220ef45 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -1,7 +1,7 @@
 let
- zion =
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW";
-in {
+ zion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW";
+in
+{
 "wireguard.age".publicKeys = [ zion ];
 "syncthing.age".publicKeys = [ zion ];
 "msmtp.age".publicKeys = [ zion ];
@@ -14,7 +14,6 @@ in {
 "telegram.age".publicKeys = [ zion ];
 "mqtt-sender.age".publicKeys = [ zion ];
 "mqtt-receiver.age".publicKeys = [ zion ];
- "nightscout.age".publicKeys = [ zion ];
 "facebook.age".publicKeys = [ zion ];
 "signal.age".publicKeys = [ zion ];
 }