Move services to ponyo

common/hosts.nix

@@ -16,7 +16,7 @@ in {
       publicKey = system.liza;
     };
     ponyo = {
-      hostNames = [ "ponyo" "ponyo.neet.dev" "ponyo.zt.neet.dev" ];
+      hostNames = [ "ponyo" "ponyo.neet.dev" "ponyo.zt.neet.dev" "git.neet.dev" ];
       publicKey = system.ponyo;
     };
     ponyo-unlock = {

machines/liza/configuration.nix

@@ -24,129 +24,6 @@
 
   networking.interfaces.enp1s0.useDHCP = true;
 
-  services.gitea = {
-    enable = true;
-    hostname = "git.neet.dev";
-    disableRegistration = true;
-  };
-
-  services.peertube = {
-    enable = true;
-    localDomain = "tube.neet.space";
-    listenHttp = 9000;
-    listenWeb = 443;
-    enableWebHttps = true;
-    # dataDirs
-    serviceEnvironmentFile = "/run/agenix/peertube-init";
-    # settings
-    database = {
-      createLocally = true;
-      passwordFile = "/run/agenix/peertube-db-pw";
-    };
-    redis = {
-      createLocally = true;
-      passwordFile = "/run/agenix/peertube-redis-pw";
-    };
-    smtp = {
-      createLocally = false;
-      passwordFile = "/run/agenix/peertube-smtp";
-    };
-  };
-  services.nginx.virtualHosts."tube.neet.space" = {
-    enableACME = true;
-    forceSSL = true;
-    locations."/" = {
-      proxyPass = "http://localhost:${toString config.services.peertube.listenHttp}";
-      proxyWebsockets = true;
-    };
-  };
-  age.secrets.peertube-init.file = ../../secrets/peertube-init.age;
-  age.secrets.peertube-db-pw.file = ../../secrets/peertube-db-pw.age;
-  age.secrets.peertube-redis-pw.file = ../../secrets/peertube-redis-pw.age;
-  age.secrets.peertube-smtp.file = ../../secrets/peertube-smtp.age;
-  networking.firewall.allowedTCPPorts = [ 1935 ];
-
-  services.searx = {
-    enable = true;
-    environmentFile = "/run/agenix/searx";
-    settings = {
-      server.port = 43254;
-      server.secret_key = "@SEARX_SECRET_KEY@";
-      engines = [ {
-        name = "wolframalpha";
-        shortcut = "wa";
-        api_key = "@WOLFRAM_API_KEY@";
-        engine = "wolframalpha_api";
-      } ];
-    };
-  };
-  services.nginx.virtualHosts."search.neet.space" = {
-    enableACME = true;
-    forceSSL = true;
-    locations."/" = {
-      proxyPass = "http://localhost:${toString config.services.searx.settings.server.port}";
-    };
-  };
-  age.secrets.searx.file = ../../secrets/searx.age;
-
-  # wrap radio in a VPN
-  containers.vpn = mkVpnContainer pkgs "/dev/null" {
-    services.radio = {
-      enable = true;
-      host = "radio.neet.space";
-    };
-  };
-  # containers cannot unlock their own secrets right now. unlock it here
-  age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
-
-  services.drastikbot = {
-    enable = true;
-    wolframAppIdFile = "/run/agenix/wolframalpha";
-  };
-  age.secrets.wolframalpha = {
-    file = ../../secrets/wolframalpha.age;
-    owner = config.services.drastikbot.user;
-  };
-
-  # icecast endpoint + website
-  services.nginx.virtualHosts."radio.neet.space" = {
-    enableACME = true;
-    forceSSL = true;
-    locations = {
-      "/stream.mp3" = {
-        proxyPass = "http://vpn.containers:8001/stream.mp3";
-        extraConfig = ''
-          add_header Access-Control-Allow-Origin *;
-        '';
-      };
-      "/".root = config.inputs.radio-web;
-    };
-  };
-
-  services.matrix = {
-    enable = true;
-    host = "neet.space";
-    enable_registration = false;
-    element-web = {
-      enable = true;
-      host = "chat.neet.space";
-    };
-    jitsi-meet = {
-      enable = true;
-      host = "meet.neet.space";
-    };
-    turn = {
-      host = "turn.neet.space";
-      secret = "a8369a0e96922abf72494bb888c85831b";
-    };
-  };
-
-  services.nginx.virtualHosts."tmp.neet.dev" = {
-    enableACME = true;
-    forceSSL = true;
-    root = "/var/www/tmp";
-  };
-
   mailserver = {
     enable = true;
     fqdn = "mail.neet.dev";
@@ -204,26 +81,6 @@
     forceSSL = true;
   };
 
-  # iodine DNS-based vpn
-  services.iodine.server = {
-    enable = true;
-    ip = "192.168.99.1";
-    domain = "tun.neet.dev";
-    passwordFile = "/run/agenix/iodine";
-  };
-  age.secrets.iodine.file = ../../secrets/iodine.age;
-  networking.firewall.allowedUDPPorts = [ 53 ];
-
-  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-  networking.nat.enable = true;
-  networking.nat.internalInterfaces = [
-    "dns0" # iodine
-    "ve-vpn" # vpn container
-  ];
-  networking.nat.externalInterface = "enp1s0";
-
-  services.postgresql.package = pkgs.postgresql_11;
-
   security.acme.acceptTerms = true;
   security.acme.email = "zuckerberg@neet.dev";
 }

machines/ponyo/configuration.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, mkVpnContainer, ... }:
 
 {
   imports =[
@@ -22,6 +22,12 @@
 
   services.zerotierone.enable = true;
 
+  services.gitea = {
+    enable = true;
+    hostname = "git.neet.dev";
+    disableRegistration = true;
+  };
+
   services.thelounge = {
     enable = true;
     port = 9000;
@@ -39,6 +45,100 @@
     domain = "voice.neet.space";
   };
 
+  services.drastikbot = {
+    enable = true;
+    wolframAppIdFile = "/run/agenix/wolframalpha";
+  };
+  age.secrets.wolframalpha = {
+    file = ../../secrets/wolframalpha.age;
+    owner = config.services.drastikbot.user;
+  };
+
+  # wrap radio in a VPN
+  containers.vpn = mkVpnContainer pkgs "/dev/null" {
+    services.radio = {
+      enable = true;
+      host = "radio.neet.space";
+    };
+  };
+  # containers cannot unlock their own secrets right now. unlock it here
+  age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
+
+  # icecast endpoint + website
+  services.nginx.virtualHosts."radio.neet.space" = {
+    enableACME = true;
+    forceSSL = true;
+    locations = {
+      "/stream.mp3" = {
+        proxyPass = "http://vpn.containers:8001/stream.mp3";
+        extraConfig = ''
+          add_header Access-Control-Allow-Origin *;
+        '';
+      };
+      "/".root = config.inputs.radio-web;
+    };
+  };
+
+  services.matrix = {
+    enable = true;
+    host = "neet.space";
+    enable_registration = false;
+    element-web = {
+      enable = true;
+      host = "chat.neet.space";
+    };
+    jitsi-meet = {
+      enable = true;
+      host = "meet.neet.space";
+    };
+    turn = {
+      host = "turn.neet.space";
+      secret = "a8369a0e96922abf72494bb888c85831b";
+    };
+  };
+  services.postgresql.package = pkgs.postgresql_11;
+
+  services.searx = {
+    enable = true;
+    environmentFile = "/run/agenix/searx";
+    settings = {
+      server.port = 43254;
+      server.secret_key = "@SEARX_SECRET_KEY@";
+      engines = [ {
+        name = "wolframalpha";
+        shortcut = "wa";
+        api_key = "@WOLFRAM_API_KEY@";
+        engine = "wolframalpha_api";
+      } ];
+    };
+  };
+  services.nginx.virtualHosts."search.neet.space" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://localhost:${toString config.services.searx.settings.server.port}";
+    };
+  };
+  age.secrets.searx.file = ../../secrets/searx.age;
+
+  # iodine DNS-based vpn
+  services.iodine.server = {
+    enable = true;
+    ip = "192.168.99.1";
+    domain = "tun.neet.dev";
+    passwordFile = "/run/agenix/iodine";
+  };
+  age.secrets.iodine.file = ../../secrets/iodine.age;
+  networking.firewall.allowedUDPPorts = [ 53 ];
+
+  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+  networking.nat.enable = true;
+  networking.nat.internalInterfaces = [
+    "dns0" # iodine
+    "ve-vpn" # vpn container
+  ];
+  networking.nat.externalInterface = "ens3";
+
   services.nginx.enable = true;
   services.nginx.virtualHosts."jellyfin.neet.cloud" = {
     enableACME = true;
@@ -54,6 +154,12 @@
     locations."/".proxyPass = "http://s0.zt.neet.dev:4533";
   };
 
+  services.nginx.virtualHosts."tmp.neet.dev" = {
+    enableACME = true;
+    forceSSL = true;
+    root = "/var/www/tmp";
+  };
+
   security.acme.acceptTerms = true;
   security.acme.email = "zuckerberg@neet.dev";
 }