update: system update & refactor

# Breaking Changes
- sops location movod to "system/dev/<dev-name>/sops/sops-conf.nix"
- flake devices declaration changes
- whole flake update

system/dev/dn-server/common/default.nix

@@ -0,0 +1,14 @@
+{
+  imports = [
+    ../../../modules/presets/minimal.nix
+    ../../../modules/bluetooth.nix
+    ../../../modules/gc.nix
+    ../../../modules/stylix.nix
+    ../../../modules/postgresql.nix
+    ./backup.nix
+    ./boot.nix
+    ./hardware-configuration.nix
+    ./networking.nix
+    ./nvidia.nix
+  ];
+}

system/dev/dn-server/common/hardware-configuration.nix

@@ -4,7 +4,6 @@
 {
   config,
   lib,
-  pkgs,
   modulesPath,
   ...
 }:

system/dev/dn-server/common/networking.nix

@@ -2,18 +2,11 @@
 with lib;
 {
   networking = {
-    domain = "net.dn";
     networkmanager = {
       enable = true;
       insertNameservers = mkForce [ "127.0.0.1" ];
     };
     enableIPv6 = true;
-    firewall = {
-      enable = true;
-      allowedTCPPorts = [
-        443
-        80
-      ];
-    };
+    firewall.enable = true;
   };
 }

system/dev/dn-server/common/nvidia.nix

@@ -0,0 +1,9 @@
+{
+  imports = [
+    (import ../../../modules/nvidia.nix {
+      nvidia-mode = "offload";
+      intel-bus-id = "PCI:0:2:0";
+      nvidia-bus-id = "PCI:1:0:0";
+    })
+  ];
+}

system/dev/dn-server/default.nix

@@ -1,157 +1,33 @@
+{ hostname }:
 {
   pkgs,
   lib,
   inputs,
   system,
-  username,
   config,
   ...
 }:
 let
-  inherit (lib) optionalAttrs;
-  inherit (builtins) toString;
+  username = "danny";
 in
 {
+  systemConf = {
+    inherit hostname username;
+    domain = "net.dn";
+    hyprland.enable = false;
+  };
+
   imports = [
-    (import ../../modules/nvidia.nix {
-      nvidia-mode = "offload";
-      intel-bus-id = "PCI:0:2:0";
-      nvidia-bus-id = "PCI:1:0:0";
-    })
-    ./backup.nix
-    ./security.nix
-    ./sops-conf.nix
-    ./boot.nix
-    ./hardware-configuration.nix
-    ./networking.nix
-    ./services.nix
-    ./nginx.nix
-    ./step-ca.nix
-    ./atticd.nix
-    ../../modules/presets/minimal.nix
-    ../../modules/bluetooth.nix
-    ../../modules/gc.nix
-    ../../modules/mail-server
-    ../../modules/stylix.nix
-    (import ../../modules/paperless-ngx.nix {
-      domain = "paperless.net.dn";
-      passwordFile = config.sops.secrets."paperless/adminPassword".path;
-    })
-    (import ../../modules/prometheus.nix {
-      fqdn = "metrics.net.dn";
-      selfMonitor = true;
-      configureNginx = true;
-      scrapes = [
-        (optionalAttrs config.services.pdns-recursor.enable {
-          job_name = "powerdns_recursor";
-          static_configs = [
-            {
-              targets = [ "localhost:${toString config.services.pdns-recursor.api.port}" ];
-            }
-          ];
-        })
-      ];
-    })
-    (import ../../modules/actual {
-      fqdn = "actual.net.dn";
-    })
-    (import ../../modules/nextcloud.nix {
-      hostname = "nextcloud.net.dn";
-      adminpassFile = config.sops.secrets."nextcloud/adminPassword".path;
-      trusted = [ "nextcloud.daccc.info" ];
-    })
-    (import ../../modules/vaultwarden.nix {
-      domain = "bitwarden.net.dn";
-    })
-    (import ../../modules/grafana.nix {
-      domain = "grafana.net.dn";
-      passFile = config.sops.secrets."grafana/password".path;
-      smtpHost = config.mail-server.domain;
-      smtpDomain = config.mail-server.domain;
-      extraSettings = {
-        "auth.generic_oauth" =
-          let
-            OIDCBaseUrl = "https://keycloak.net.dn/realms/master/protocol/openid-connect";
-          in
-          {
-            enabled = true;
-            allow_sign_up = true;
-            client_id = "grafana";
-            client_secret = ''$__file{${config.sops.secrets."grafana/client_secret".path}}'';
-            scopes = "openid email profile offline_access roles";
-            email_attribute_path = "email";
-            login_attribute_path = "username";
-            name_attribute_path = "full_name";
-            auth_url = "${OIDCBaseUrl}/auth";
-            token_url = "${OIDCBaseUrl}/token";
-            api_url = "${OIDCBaseUrl}/userinfo";
-            role_attribute_path = "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'";
-          };
-      };
-    })
-    ../../modules/postgresql.nix
+    ./common
+    ./home
+    ./network
+    ./nix
+    ./security
+    ./services
+    ./sops
   ];
 
   environment.systemPackages = with pkgs; [
     openssl
   ];
-
-  mail-server = {
-    enable = true;
-    configureACME = true;
-    mailDir = "~/Maildir";
-    caFile = "" + ../../extra/ca.crt;
-    virtualMailDir = "/var/mail/vhosts";
-    domain = "net.dn";
-    rootAlias = "${username}";
-    networks = [
-      "127.0.0.0/8"
-      "10.0.0.0/24"
-    ];
-    virtual = ''
-      admin@net.dn ${username}@net.dn
-      postmaster@net.dn ${username}@net.dn
-    '';
-    openFirewall = true;
-    oauth = {
-      passwordFile = config.sops.secrets."oauth/password".path;
-    };
-    ldap = {
-      passwordFile = config.sops.secrets."ldap/password".path;
-      webEnv = config.sops.secrets."ldap/env".path;
-    };
-    rspamd = {
-      trainerSecret = config.sops.secrets."rspamd-trainer".path;
-    };
-  };
-
-  home-manager = {
-    users."${username}" = {
-      imports = [
-        ../../../home/user/config.nix
-        ../../../home/user/direnv.nix
-        ../../../home/user/environment.nix
-        ../../../home/user/nvf
-        ../../../home/user/shell.nix
-        ../../../home/user/tmux.nix
-        ../../../home/user/yazi.nix
-        {
-          home.packages = with pkgs; [
-            inputs.ghostty.packages.${system}.default
-            (python3.withPackages (
-              p: with p; [
-                pip
-              ]
-            ))
-          ];
-        }
-
-        # Git
-        (import ../../../home/user/git.nix {
-          inherit username;
-          email = "danny10132024@gmail.com";
-        })
-      ];
-    };
-  };
 }

system/dev/dn-server/home/default.nix

@@ -0,0 +1,34 @@
+{
+  inputs,
+  config,
+  pkgs,
+  ...
+}:
+let
+  inherit (config.systemConf) username;
+in
+{
+  home-manager = {
+    users."${username}" = {
+      imports = [
+        ../../../../home/user/config.nix
+        ../../../../home/user/direnv.nix
+        ../../../../home/user/environment.nix
+        ../../../../home/user/nvf
+        ../../../../home/user/shell.nix
+        ../../../../home/user/yazi.nix
+        {
+          home.packages = with pkgs; [
+            inputs.ghostty.packages.${system}.default
+          ];
+        }
+
+        # Git
+        (import ../../../../home/user/git.nix {
+          inherit username;
+          email = "danny10132024@gmail.com";
+        })
+      ];
+    };
+  };
+}

system/dev/dn-server/network/default.nix

@@ -0,0 +1,7 @@
+{
+  imports = [
+    ./nginx.nix
+    ./services.nix
+    ./step-ca.nix
+  ];
+}

system/dev/dn-server/network/services.nix

@@ -1,11 +1,10 @@
 {
   config,
   lib,
-  username,
   ...
 }:
 let
-  inherit username;
+  inherit (config.systemConf) username;
 
   ethInterface = "enp0s31f6";
   sshPorts = [ 30072 ];
@@ -319,6 +318,7 @@ in
         gpgsql-host=/var/run/postgresql
         gpgsql-dbname=pdns
         gpgsql-user=pdns
+        gpgsql-dnssec=yes
         webserver=yes
         webserver-port=8081
         local-port=5359
@@ -372,6 +372,9 @@ in
     };
   };
 
+  systemd.services.pdns-recursor.before = [ "acme-setup.service" ];
+  systemd.services.pdns.before = [ "acme-setup.service" ];
+
   users.users = {
     root.openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJSAOufpee7f8D8ONIIGU3qsN+8+DGO7BfZnEOTYqtQ5 danny@pre7780.dn"
@@ -386,7 +389,7 @@ in
 
   virtualisation = {
     oci-containers = {
-      backend = "podman";
+      backend = "docker";
       containers = {
         uptime-kuma = {
           extraOptions = [ "--network=host" ];

system/dev/dn-server/nix/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./atticd.nix
+  ];
+}

system/dev/dn-server/security/crowdsec.nix

@@ -0,0 +1,12 @@
+{ config, ... }:
+{
+  imports = [
+    (import ../../../modules/crowdsec.nix {
+      lapiCred = config.sops.secrets."crowdsec/lapi.yaml".path;
+      capiCred = config.sops.secrets."crowdsec/capi.yaml".path;
+      consoleToken = config.sops.secrets."crowdsec/consoleToken".path;
+      enableServer = true;
+      enablePrometheus = true;
+    })
+  ];
+}

system/dev/dn-server/security/default.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ./fail2ban.nix
+    ./crowdsec.nix
+  ];
+}

system/dev/dn-server/security/fail2ban.nix

@@ -1,9 +1,6 @@
-{
-  ...
-}:
 {
   imports = [
-    (import ../../modules/fail2ban.nix {
+    (import ../../../modules/fail2ban.nix {
       extraAllowList = [
         "10.0.0.0/24"
         "122.117.215.55"

system/dev/dn-server/services/actual-budget.nix

@@ -0,0 +1,7 @@
+{
+  imports = [
+    (import ../../../modules/actual {
+      fqdn = "actual.net.dn";
+    })
+  ];
+}

system/dev/dn-server/services/bitwarden.nix

@@ -0,0 +1,7 @@
+{
+  imports = [
+    (import ../../../modules/vaultwarden.nix {
+      domain = "bitwarden.net.dn";
+    })
+  ];
+}

system/dev/dn-server/services/default.nix

@@ -0,0 +1,11 @@
+{
+  imports = [
+    ./actual-budget.nix
+    ./bitwarden.nix
+    ./docmost.nix
+    ./mail-server.nix
+    ./nextcloud.nix
+    ./paperless-ngx.nix
+    ./metrics.nix
+  ];
+}

system/dev/dn-server/services/docmost.nix

@@ -0,0 +1,12 @@
+{ config, ... }:
+{
+  imports = [
+    (import ../../../modules/docmost.nix {
+      fqdn = "docmost.net.dn";
+      extraConf = {
+        MAIL_DRIVER = "smtp";
+      };
+      envFile = config.sops.secrets."docmost".path;
+    })
+  ];
+}

system/dev/dn-server/services/mail-server.nix

@@ -0,0 +1,58 @@
+{ config, ... }:
+let
+  inherit (config.systemConf) username;
+in
+{
+  mail-server =
+    let
+      domain = "net.dn";
+    in
+    {
+      inherit domain;
+
+      enable = true;
+      openFirewall = true;
+      configureNginx = true;
+      hostname = "mx1";
+      extraDomains = [
+        "mail.${domain}"
+      ];
+      caFile = "" + ../../../extra/ca.crt;
+      rootAlias = "${username}";
+      networks = [
+        "127.0.0.0/8"
+        "10.0.0.0/24"
+      ];
+      virtual = ''
+        admin@${domain} ${username}@${domain}
+        postmaster@${domain} ${username}@${domain}
+      '';
+      webmail = {
+        enable = true;
+        hostname = "mail.${domain}";
+      };
+      keycloak = {
+        dbSecretFile = config.sops.secrets."oauth/password".path;
+        adminAccountFile = config.sops.secrets."oauth/adminEnv".path;
+      };
+      ldap = {
+        filter = "(&(objectClass=inetOrgPerson)(objectClass=mailRoutingObject)(uid=%{user | username}))";
+        extraAuthConf = ''
+          auth_username_format = %{user | lower}
+          fields {
+            user = %{ldap:mail}
+            password = %{ldap:userPassword}
+          }
+        '';
+        secretFile = config.sops.secrets."ldap/password".path;
+        webSecretFile = config.sops.secrets."ldap/env".path;
+      };
+      rspamd = {
+        secretFile = config.sops.secrets."rspamd".path;
+        trainerSecretFile = config.sops.secrets."rspamd-trainer".path;
+      };
+      dovecot.oauth = {
+        enable = true;
+      };
+    };
+}

system/dev/dn-server/services/metrics.nix

@@ -0,0 +1,157 @@
+{
+  config,
+  lib,
+  helper,
+  pkgs,
+  ...
+}:
+let
+  inherit (helper.grafana) mkDashboard;
+  inherit (lib) optionalAttrs;
+  inherit (config.networking) hostName;
+
+  datasourceTemplate = [
+    {
+      current = {
+        text = "Prometheus";
+        value = "prometheus-dn-server";
+      };
+      label = "DS_PROMETHEUS";
+      name = "DS_PROMETHEUS";
+      options = [ ];
+      query = "prometheus";
+      refresh = 1;
+      regex = "";
+      type = "datasource";
+    }
+  ];
+
+  crowdsecSrc = fetchTarball {
+    url = "https://github.com/crowdsecurity/grafana-dashboards/archive/c89d8476b32ea76e924c488db7d0afd0306fc609.tar.gz";
+    sha256 = "sha256:1s7v03hzss22dkl3hw9qf0qc86qn98wx8x13rvy73wc5mgxv9wnk";
+  };
+
+  crowdsecDashboard = mkDashboard {
+    name = "crowdsec";
+    src = "${crowdsecSrc}/dashboards_v5";
+    templateList = datasourceTemplate;
+  };
+
+  pdnsRecursorSrc = pkgs.fetchurl {
+    name = "pdns-recursor-grafana-dashboard.json";
+    url = "https://grafana.com/api/dashboards/20448/revisions/3/download";
+    sha256 = "sha256-8lgo+A3dnFLanhGJWCKAo/iPYSMiove17xvMolgq9nI=";
+  };
+
+  pdnsRecursorDashboard = mkDashboard {
+    name = "pdns-recursor";
+    src = "${pdnsRecursorSrc}";
+    templateList = datasourceTemplate;
+    conf = {
+      dontUnpack = true;
+    };
+  };
+in
+{
+  imports = [
+    (import ../../../modules/prometheus.nix {
+      fqdn = "metrics.net.dn";
+      selfMonitor = true;
+      configureNginx = true;
+      scrapes = [
+        (optionalAttrs config.services.pdns-recursor.enable {
+          job_name = "powerdns_recursor";
+          static_configs = [
+            {
+              targets = [ "localhost:${toString config.services.pdns-recursor.api.port}" ];
+              labels = {
+                machine = "${hostName}";
+              };
+            }
+          ];
+          relabel_configs = [
+            {
+              source_labels = [ "__address__" ];
+              target_label = "instance";
+              regex = "(.*):[0-9]+";
+              replacement = "PDNS Recursor - \${1}";
+            }
+          ];
+        })
+        (optionalAttrs config.services.crowdsec.settings.general.prometheus.enabled {
+          job_name = "crowdsec";
+          static_configs = [
+            {
+              targets = [
+                "localhost:${toString config.services.crowdsec.settings.general.prometheus.listen_port}"
+              ];
+              labels = {
+                machine = "${hostName}";
+              };
+            }
+          ];
+          relabel_configs = [
+            {
+              source_labels = [ "__address__" ];
+              target_label = "instance";
+              regex = "(.*):[0-9]+";
+              replacement = "CrowdSec - \${1}";
+            }
+          ];
+        })
+      ];
+    })
+
+    (import ../../../modules/grafana.nix {
+      domain = "grafana.net.dn";
+      passFile = config.sops.secrets."grafana/password".path;
+      smtpHost = "${config.mail-server.hostname}.${config.mail-server.domain}:465";
+      smtpDomain = config.mail-server.domain;
+      extraSettings = {
+        "auth.generic_oauth" =
+          let
+            OIDCBaseUrl = "https://keycloak.net.dn/realms/master/protocol/openid-connect";
+          in
+          {
+            enabled = true;
+            allow_sign_up = true;
+            client_id = "grafana";
+            client_secret = ''$__file{${config.sops.secrets."grafana/client_secret".path}}'';
+            scopes = "openid email profile offline_access roles";
+            email_attribute_path = "email";
+            login_attribute_path = "username";
+            name_attribute_path = "username";
+            auth_url = "${OIDCBaseUrl}/auth";
+            token_url = "${OIDCBaseUrl}/token";
+            api_url = "${OIDCBaseUrl}/userinfo";
+            role_attribute_path = "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'";
+          };
+      };
+      extraConf = {
+        provision.datasources.settings = {
+          prune = true;
+          datasources = [
+            {
+              uid = "prometheus-dn-server";
+              name = "Prometheus";
+              url = "https://metrics.net.dn";
+              type = "prometheus";
+            }
+          ];
+        };
+        provision.dashboards.settings.providers = [
+          {
+            name = "CrowdSec";
+            type = "file";
+            options.path = "${crowdsecDashboard}";
+          }
+          {
+            name = "PDNSRecursor";
+            type = "file";
+            options.path = "${pdnsRecursorDashboard}";
+          }
+        ];
+      };
+    })
+  ];
+}

system/dev/dn-server/services/nextcloud.nix

@@ -0,0 +1,11 @@
+{ config, ... }:
+{
+  imports = [
+    (import ../../../modules/nextcloud.nix {
+      hostname = "nextcloud.net.dn";
+      adminpassFile = config.sops.secrets."nextcloud/adminPassword".path;
+      trusted-domains = [ "nextcloud.daccc.info" ];
+      trusted-proxies = [ "10.0.0.0/24" ];
+    })
+  ];
+}

system/dev/dn-server/services/paperless-ngx.nix

@@ -0,0 +1,9 @@
+{ config, ... }:
+{
+  imports = [
+    (import ../../../modules/paperless-ngx.nix {
+      domain = "paperless.net.dn";
+      passwordFile = config.sops.secrets."paperless/adminPassword".path;
+    })
+  ];
+}

system/dev/dn-server/sops-conf.nix

@@ -1,69 +0,0 @@
-{ config, lib, ... }:
-let
-  inherit (lib) mkIf;
-in
-{
-  sops = {
-    secrets = {
-      "wireguard/privateKey" = { };
-      "nextcloud/adminPassword" = { };
-      "step_ca/password" = { };
-      vaultwarden = { };
-      "oauth/password" = { };
-      "ldap/password" = lib.mkIf config.mail-server.enable {
-        mode = "0660";
-        owner = config.services.openldap.user;
-        group = config.services.openldap.group;
-      };
-      "ldap/env" = lib.mkIf config.mail-server.enable {
-        mode = "0660";
-        group = config.users.groups.docker.name;
-      };
-      "powerdns-admin/secret" = {
-        mode = "0660";
-        owner = "powerdnsadmin";
-        group = "powerdnsadmin";
-      };
-      "powerdns-admin/salt" = {
-        mode = "0660";
-        owner = "powerdnsadmin";
-        group = "powerdnsadmin";
-      };
-      powerdns = {
-        mode = "0660";
-        owner = "pdns";
-        group = "pdns";
-      };
-      rspamd-trainer = { };
-      "acme/env" = mkIf config.security.acme.acceptTerms {
-        mode = "0660";
-        owner = "acme";
-        group = "acme";
-      };
-      "postsrsd/secret" = mkIf config.services.postsrsd.enable {
-        mode = "0660";
-        owner = config.services.postsrsd.user;
-        group = config.services.postsrsd.group;
-      };
-      "grafana/password" = mkIf config.services.grafana.enable {
-        mode = "0660";
-        owner = "grafana";
-        group = "grafana";
-      };
-      "grafana/client_secret" = mkIf config.services.grafana.enable {
-        mode = "0660";
-        owner = "grafana";
-        group = "grafana";
-      };
-      "prometheus/powerdns/password" = mkIf config.services.prometheus.enable {
-        mode = "0660";
-        owner = "prometheus";
-        group = config.users.users.prometheus.group;
-      };
-      "paperless/adminPassword" = mkIf config.services.paperless.enable {
-        owner = config.services.paperless.user;
-      };
-      "atticd/secret" = mkIf config.services.atticd.enable { };
-    };
-  };
-}

system/dev/dn-server/sops/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./sops-conf.nix
+  ];
+}

system/dev/dn-server/sops/sops-conf.nix

@@ -0,0 +1,85 @@
+{ config, lib, ... }:
+let
+  inherit (lib) mkIf;
+in
+{
+  sops.secrets = {
+    "wireguard/privateKey" = { };
+    "nextcloud/adminPassword" = { };
+    "step_ca/password" = { };
+    vaultwarden = { };
+    "oauth/password" = { };
+    "oauth/adminEnv" = { };
+    "ldap/password" = lib.mkIf config.mail-server.enable {
+      mode = "0660";
+      owner = config.services.openldap.user;
+      group = config.services.openldap.group;
+    };
+    "ldap/env" = lib.mkIf config.mail-server.enable {
+      mode = "0660";
+      group = config.users.groups.docker.name;
+    };
+    "powerdns-admin/secret" = {
+      mode = "0660";
+      owner = "powerdnsadmin";
+      group = "powerdnsadmin";
+    };
+    "powerdns-admin/salt" = {
+      mode = "0660";
+      owner = "powerdnsadmin";
+      group = "powerdnsadmin";
+    };
+    powerdns = {
+      mode = "0660";
+      owner = "pdns";
+      group = "pdns";
+    };
+    rspamd-trainer = {
+    };
+    rspamd = mkIf config.services.rspamd.enable {
+      owner = config.services.rspamd.user;
+    };
+    "acme/env" = mkIf config.security.acme.acceptTerms {
+      mode = "0660";
+      owner = "acme";
+      group = "acme";
+    };
+    "postsrsd/secret" = mkIf config.services.postsrsd.enable {
+      mode = "0660";
+      owner = config.services.postsrsd.user;
+      group = config.services.postsrsd.group;
+    };
+    "grafana/password" = mkIf config.services.grafana.enable {
+      mode = "0660";
+      owner = "grafana";
+      group = "grafana";
+    };
+    "grafana/client_secret" = mkIf config.services.grafana.enable {
+      mode = "0660";
+      owner = "grafana";
+      group = "grafana";
+    };
+    "prometheus/powerdns/password" = mkIf config.services.prometheus.enable {
+      mode = "0660";
+      owner = "prometheus";
+      group = config.users.users.prometheus.group;
+    };
+    "paperless/adminPassword" = mkIf config.services.paperless.enable {
+      owner = config.services.paperless.user;
+    };
+    "atticd/secret" = mkIf config.services.atticd.enable { };
+    "docmost" = { };
+    "crowdsec/lapi.yaml" = mkIf config.services.crowdsec.enable {
+      owner = "crowdsec";
+      mode = "0600";
+    };
+    "crowdsec/capi.yaml" = mkIf config.services.crowdsec.enable {
+      owner = "crowdsec";
+      mode = "0600";
+    };
+    "crowdsec/consoleToken" = mkIf config.services.crowdsec.enable {
+      owner = "crowdsec";
+      mode = "0600";
+    };
+  };
+}