diff --git a/nixos/boxes/bolty/default.nix b/nixos/boxes/bolty/default.nix
index 769e47e6..32806c59 100644
--- a/nixos/boxes/bolty/default.nix
+++ b/nixos/boxes/bolty/default.nix
@@ -3,11 +3,13 @@
 ../cli.nix
 ./bolty-boot.nix
 ./home-assistant.nix
+ ./influxdb.nix
 ./matrix-server.nix
 ./nix-store-server.nix
 ./print-server.nix
 ./real-hardware.nix
 ./restic-server.nix
+ ./tailscale-cert.nix
 ./woodpecker-agent.nix
 ];
 boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
diff --git a/nixos/boxes/bolty/influxdb.nix b/nixos/boxes/bolty/influxdb.nix
new file mode 100644
index 00000000..55022728
--- /dev/null
+++ b/nixos/boxes/bolty/influxdb.nix
@@ -0,0 +1,42 @@
+{ config, pkgs, inputs, lib, ... }:
+let
+ fqdn = "bolty.raptor-carp.ts.net";
+ port = 8086;
+ path = "/data/influxdb";
+ certPath = "${path}/cert.pem";
+ keyPath = "${path}/key.pem";
+in {
+ networking.firewall.allowedTCPPorts = [ port ];
+
+ systemd.services.influxdb2-prep = {
+ script = ''
+ mkdir -p ${path}
+ cp -rv /var/lib/tailscale-certs/cert.pem ${certPath}
+ cp -rv /var/lib/tailscale-certs/key.pem ${keyPath}
+ chown -Rv influxdb2:influxdb2 ${path}
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ ReloadPropagatedFrom = "tailscale-cert.service";
+ };
+ before = [ "influxdb2.service" ];
+ wantedBy = [ "multi-user.target" ];
+ after = [
+ "network.target"
+ "network-online.target"
+ "tailscaled.service"
+ "tailscale-cert.service"
+ ];
+ wants = [ "tailscale-cert.service" ];
+ };
+
+ services.influxdb2 = {
+ enable = true;
+ settings = {
+ http-bind-address = "${fqdn}:${toString port}";
+ tls-cert = "${certPath}";
+ tls-key = "${keyPath}";
+ };
+ };
+
+}
diff --git a/nixos/boxes/bolty/tailscale-cert.nix b/nixos/boxes/bolty/tailscale-cert.nix
new file mode 100644
index 00000000..3e1b3204
--- /dev/null
+++ b/nixos/boxes/bolty/tailscale-cert.nix
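Review bot: `networking.firewall.allowedTCPPorts = [ port ];` opens 8086 on every interface, while the listener is clearly meant to be tailnet-only (`http-bind-address` is the ts.net name); scoping it with `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ port ];` keeps the port closed on the LAN even if the bind address ever resolves differently or falls back. The prep script copies key.pem with `cp -rv` and then runs `chown -Rv influxdb2:influxdb2 ${path}`, so the private key's mode is whatever cp and root's umask produce and the whole of /data/influxdb is re-owned on every boot; `install -m 0600 -o influxdb2 -g influxdb2 /var/lib/tailscale-certs/key.pem ${keyPath}` (and `-m 0644` for cert.pem) sets the mode explicitly and lets the recursive chown go. `ReloadPropagatedFrom` on a oneshot unit with no ExecReload= appears to have no effect here, so after the weekly renewal the copy under /data/influxdb presumably stays stale until the next boot — a `systemd.paths` unit watching /var/lib/tailscale-certs/cert.pem that starts influxdb2-prep and then restarts influxdb2 would close that gap; worth confirming how the renewal is expected to reach influxdb.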
@@ -0,0 +1,61 @@
+{ config, pkgs, inputs, lib, ... }:
+let
+ fqdn = "bolty.raptor-carp.ts.net";
+ basePath = "/var/lib/tailscale-certs";
+ keyPath = "${basePath}/key.pem";
+ certPath = "${basePath}/cert.pem";
+in {
+ imports = [ ];
+ services.nginx.virtualHosts."${fqdn}" = {
+ sslCertificateKey = keyPath;
+ sslCertificate = certPath;
+ };
+
+ systemd.services.tailscale-cert-make-path = {
+ script = ''
+ mkdir -p ${basePath}
+ '';
+ serviceConfig = { Type = "oneshot"; };
+ before = [ "tailscale-cert.service" ];
+ wantedBy = [ "multi-user.target" ];
+ };
+
+ systemd.services.tailscale-cert = {
+ after = [ "network.target" "network-online.target" "tailscaled.service" ];
+ wants = [ "tailscaled.service" ];
+ wantedBy = [ "multi-user.target" ];
+
+ path = with pkgs; [ tailscale ];
+
+ serviceConfig = {
+ Type = "oneshot";
+ UMask = 22;
+ StateDirectoryMode = 750;
+ ProtectSystem = "strict";
+ ReadWritePaths = [ "${basePath}" ];
+ PrivateTmp = true;
+ WorkingDirectory = "${basePath}";
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ ProtectClock = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ StateDirectory = [ "${basePath}" ];
+ };
+
+ script = ''
+ tailscale cert --cert-file ${certPath} --key-file ${keyPath} ${fqdn}
+ '';
+ };
+
+ systemd.timers.tailscale-renew = {
+ wantedBy = [ "timers.target" ];
+ description = "Renew tailscale server cert";
+ timerConfig = {
+ OnCalendar = "weekly";
+ Unit = "tailscale-cert.service";
+ Persistent = "yes";
+ RandomizedDelaySec = "24h";
+ };
+ };
+}
diff --git a/nixos/boxes/vpsfree1/mastodon.nix b/nixos/boxes/vpsfree1/mastodon.nix
index ff8333ad..2799e802 100644
--- a/nixos/boxes/vpsfree1/mastodon.nix
+++ b/nixos/boxes/vpsfree1/mastodon.nix
@@ -78,11 +78,7 @@ in {
 chmod -R g+r ${publicPath}
 chmod -R u+rwX ${publicPath}
 '';
- serviceConfig = {
- Type = "oneshot";
- ProtectSystem = "strict";
- ReadWritePaths = path;
- };
+ serviceConfig = { Type = "oneshot"; };
 before = [ "container@mastodon.service" ];
 };
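Review bot: `StateDirectory = [ "${basePath}" ];` hands systemd the absolute path /var/lib/tailscale-certs, but StateDirectory= is documented as a name relative to /var/lib, so the assignment is expected to be rejected and `StateDirectoryMode = 750` never takes effect on the directory holding the private key; `StateDirectory = "tailscale-certs";` is the intended form, and since systemd then creates the directory itself the separate tailscale-cert-make-path unit becomes redundant (`ReadWritePaths` can stay as a belt-and-braces for ProtectSystem=strict). Nothing reloads nginx after `tailscale cert` rewrites cert.pem/key.pem, so the vhost presumably keeps serving the old certificate until nginx is next restarted; adding `systemctl reload nginx.service` after the `tailscale cert` line in the script (or as an `ExecStartPost`) covers the weekly renewal. The key's file mode is whatever `tailscale cert` writes under `UMask = 22` — presumably 0600, but worth confirming since nginx only needs it readable by root. As a point of style, NixOS convention writes these as octal strings, `UMask = "0022"; StateDirectoryMode = "0750";`, which reads less ambiguously than bare decimal-looking integers.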