From 961a5c06c2a07870e846238be5365ad1c44dcaba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?= <cynerd@email.cz>
Date: Wed, 18 Jan 2023 14:33:05 +0100
Subject: nixos/lipwig: extend functionality

---
 nixos/machine/lipwig.nix    | 110 ++++++++++++++++++++++++++++++++++++++++----
 nixos/modules/syncthing.nix |   4 +-
 2 files changed, 103 insertions(+), 11 deletions(-)

(limited to 'nixos')

diff --git a/nixos/machine/lipwig.nix b/nixos/machine/lipwig.nix
index 0ebf894..b109065 100644
--- a/nixos/machine/lipwig.nix
+++ b/nixos/machine/lipwig.nix
@@ -8,10 +8,10 @@ with lib; {
   config = {
     cynerd = {
       syncthing = {
-        #enable = true;
+        enable = false;
         baseDir = "/nas";
       };
-      openvpn.personal = true;
+      openvpn.oldpersonal = true;
     };
 
     fileSystems."/nas" = {
@@ -19,9 +19,51 @@ with lib; {
       fsType = "nfs";
     };
 
+    # Web ######################################################################
+    services.nginx = {
+      enable = true;
+      virtualHosts = {
+        "cynerd.cz" = {
+          forceSSL = true;
+          enableACME = true;
+          serverAliases = [
+            "grafana.cynerd.cz"
+          ];
+          locations."/" = {
+            root = ../../web;
+          };
+        };
+        "git.cynerd.cz" = {
+          forceSSL = true;
+          useACMEHost = "cynerd.cz";
+          locations."/".extraConfig = ''
+            fastcgi_param DOCUMENT_ROOT ${pkgs.cgit}/cgit/;
+            fastcgi_param SCRIPT_NAME cgit;
+            fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
+          '';
+        };
+        "grafana.cynerd.cz" = {
+          forceSSL = true;
+          useACMEHost = "cynerd.cz";
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}/";
+            proxyWebsockets = true;
+          };
+        };
+      };
+    };
+    services.fcgiwrap = {
+      enable = true;
+      group = config.services.nginx.group;
+    };
+    security.acme = {
+      acceptTerms = true;
+      defaults.email = "cynerd+acme@email.cz";
+    };
+
     # Git ######################################################################
     services.gitolite = {
-      enable = false;
+      enable = true;
       user = "git";
       group = "git";
       dataDir = "/var/lib/git";
@@ -33,16 +75,56 @@ with lib; {
       group = "gitdaemon";
       basePath = "/var/lib/git/repositories";
     };
+    environment.etc."cgitrc".text = ''
+      root-title=Cynerd's git repository
+      root-desc=All my projects (at least those released to public)
+      logo=${../../web/wolf.svg}
+      virtual-root=/
+
+      # Allow download of tar.gz, tar.bz2 and zip-files
+      snapshots=tar.gz tar.bz2 zip
+      ## List of common mimetypes
+      mimetype.gif=image/gif
+      mimetype.html=text/html
+      mimetype.jpg=image/jpeg
+      mimetype.jpeg=image/jpeg
+      mimetype.pdf=application/pdf
+      mimetype.png=image/png
+      mimetype.svg=image/svg+xml
+
+      source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
+      about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
+
+      readme=:README.md
+      readme=:README.adoc
+
+      enable-index-owner=0
+      enable-index-links=1
+      enable-http-clone=1
+      clone-url=https://git.cynerd.cz/$CGIT_REPO_URL git://cynerd.cz/$CGIT_REPO_URL.git git@cynerd.cz:$CGIT_REPO_URL
+      enable-commit-graph=1
+      branch-sort=age
+
+      remove-suffix=1
+      enable-git-config=1
+      project-list=/var/lib/git/projects.list
+      scan-path=/var/lib/git/repositories/
+    '';
 
     # CalDAV and CardDAV #######################################################
     services.radicale = {
       enable = true;
+      rights.cynerd = {
+        user = "cynerd";
+        collection = ".*";
+        permission = "rw";
+      };
       settings = {
         server = {
           hosts = ["0.0.0.0:5232" "[::]:5232"];
           ssl = true;
-          certificate = "/run/secrets/radicale/radicale.crt";
-          key = "/run/secrets/radicale/radicale.key";
+          certificate = "/run/secrets/radicale.crt";
+          key = "/run/secrets/radicale.key";
         };
         encoding = {
           request = "utf-8";
@@ -50,17 +132,27 @@ with lib; {
         };
         auth = {
           type = "htpasswd";
-          htpasswd_filename = "/run/secrets/radicale/users";
+          htpasswd_filename = "${config.personal-secrets}/unencrypted/radicale.users";
           htpasswd_encryption = "bcrypt";
           delay = 1;
         };
         storage = {
           filesystem_folder = "/var/lib/radicale/";
         };
-        web = {
-          type = "none";
-        };
+        web.type = "none";
       };
     };
+
+    # Old Syncthing ############################################################
+    services.syncthing = {
+      enable = true;
+      openDefaultPorts = true;
+
+      overrideDevices = false;
+      overrideFolders = false;
+
+      dataDir = "/nas";
+      configDir = "/nas/.syncthing";
+    };
   };
 }
diff --git a/nixos/modules/syncthing.nix b/nixos/modules/syncthing.nix
index db8b6a8..716e5a3 100644
--- a/nixos/modules/syncthing.nix
+++ b/nixos/modules/syncthing.nix
@@ -51,8 +51,8 @@ in {
     services.syncthing = {
       enable = any (n: n == hostName) allDevices;
       user = mkDefault "cynerd";
-      key = "/run/secrets/syncthing/key.pem";
-      cert = "/run/secrets/syncthing/cert.pem";
+      key = "/run/secrets/syncthing.key.pem";
+      cert = "/run/secrets/syncthing.cert.pem";
 
       openDefaultPorts = true;
 
-- 
cgit v1.2.3