
commit a21e9b28c005725aac9586e746c6b48b57720249
parent a5287a70ac143b797712ac42cbad60af75b169cd
Author: Katja (zaphyra) <git@ctu.cx>
Date: Sat, 24 May 2025 15:09:41 +0200

config/nixos/modules/websites: add `dav.zaphyra.eu` (and enable on host `morio`)
3 files changed, 81 insertions(+), 2 deletions(-)
A
config/nixos/modules/websites/dav.zaphyra.eu.nix
|
76
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
M
hosts/morio/default.nix
|
1
+
M
secrets/morio.yaml
|
6
++++--
diff --git a/config/nixos/modules/websites/dav.zaphyra.eu.nix b/config/nixos/modules/websites/dav.zaphyra.eu.nix
@@ -0,0 +1,76 @@
+{
+  povSelf,
+  hostConfig,
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+let
+  inherit (lib) types;
+  cfg = lib.getAttrFromPath povSelf config;
+
+in
+{
+
+  options = {
+    enable = {
+      type = types.bool;
+      default = false;
+    };
+    domain = {
+      type = types.str;
+      default = "zaphyra.eu";
+    };
+    subdomain = {
+      type = types.str;
+      default = "dav";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    dns.zones."${cfg.domain}".subdomains."${cfg.subdomain}".CNAME = [ "${config.networking.fqdn}." ];
+
+    sops.secrets = {
+      "resticPasswords/radicale" = { };
+      radicaleUsers = {
+        owner = "radicale";
+      };
+    };
+
+    modules.services.resticBackup.paths = {
+      radicale = {
+        enable = true;
+        user = "radicale";
+        passwordFile = config.sops.secrets."resticPasswords/radicale".path;
+        paths = [ config.services.radicale.settings.storage.filesystem_folder ];
+      };
+    };
+
+    services = {
+      radicale = {
+        enable = true;
+        settings = {
+          server.hosts = [ "[::1]:5232" ];
+          web.type = "internal";
+          storage.filesystem_folder = "/var/lib/radicale";
+          headers.Access-Control-Allow-Origin = "*";
+          auth.type = "htpasswd";
+          auth.htpasswd_filename = config.sops.secrets.radicaleUsers.path;
+          auth.htpasswd_encryption = "plain";
+        };
+      };
+      nginx = {
+        enable = true;
+        virtualHosts."${cfg.subdomain}.${cfg.domain}" = {
+          useACMEHost = "${config.networking.fqdn}";
+          forceSSL = true;
+          kTLS = true;
+          locations."/".proxyPass = "http://[::1]:5232/";
+        };
+      };
+    };
+  };
+
+}
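Review bot: `auth.htpasswd_encryption = "plain"` in the radicale settings means the file decrypted from the `radicaleUsers` secret holds every user's password in clear text on the host, so any process or backup that can read that path recovers directly usable credentials. Radicale can verify hashed htpasswd entries, so I would regenerate the file with bcrypt hashes and set `auth.htpasswd_encryption = "bcrypt";` (this assumes the bcrypt dependency is available to the packaged Radicale, which the diff does not show). Separately, `headers.Access-Control-Allow-Origin = "*"` tells browsers that scripts from any origin may read responses from this CalDAV/CardDAV endpoint. Unless a browser-based client hosted on another origin needs it, drop the header or set it to that one origin, and add a comment naming the client.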
diff --git a/hosts/morio/default.nix b/hosts/morio/default.nix
@@ -80,6 +80,7 @@
 
           "git.zaphyra.eu".enable = true;
           "bikemap.zaphyra.eu".enable = true;
+          "dav.zaphyra.eu".enable = true;
         };
 
         users.katja.enable = true;
diff --git a/secrets/morio.yaml b/secrets/morio.yaml
@@ -4,7 +4,9 @@ mailPasswords:
 resticPasswords:
     gitolite: ENC[AES256_GCM,data:g28//NtKEYL+Dh0+Ws73ZKySl1L0avxqNXVn5lKaj1U=,iv:mGQ7pYjeMEGTCS1l6H/h043M2oAhgMOAlUHkgDir03E=,tag:E/ps0EZmlMEm+ziWzXzQPQ==,type:str]
     mail: ENC[AES256_GCM,data:wag5v/l0kQrhStO9P3ibtRtkReslszu4IfTEL8Ls4Pc=,iv:QCSveMAylefSBeb8Eaw6Av+1cA6lAvhtv1jNT8QUvIM=,tag:Y+HKURnEXPxKUSvGwaJAjA==,type:str]
+    radicale: ENC[AES256_GCM,data:GsAXncF4JRHaNe0Tkv6PucJpwFFu9cfHo3INIBjc24I=,iv:XVvx9UOGIcC94uh3LnwOFs6g8Zy2YHjodCp0RNWcFrQ=,tag:ekUjoM/fbsmST2KDPNf/VA==,type:str]
 knotKeys: ENC[AES256_GCM,data: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,iv:+5NBUUC1QhPjN+6E8nWhzd2SNuH9mLbhsFwDTm8Hy+U=,tag:RtSO5Rmb0wNR9ovtpwJIIg==,type:str]
+radicaleUsers: ENC[AES256_GCM,data:kH5XW/Gr2xMJWm68unKtZ+L19S74gOf1YXw5QtPcBnp8jJrQsc3mHX5GPOJafuNa23Tnt9BHTFmuO3e5bEzhBcVm8GdoMR/Wz4B0y0W5,iv:Frc4ukXwdWZuWNgauLUyz4ErFKFUvoYoTMN9eZNWAGg=,tag:PLVaetT3syVGR4Ox3AYhUA==,type:str]
 sops:
     kms: []
     gcp_kms: []

@@ -20,8 +22,8 @@ sops:
             bDRhUEtDdmlZa0ZENFhSVnNqVjFCR1UKEIkSg3tKFkwlnNXFFqCBtdZBGz1bEmWl
             wghkTtqTl++759zZAAmjdnFFQWs/AoCZ5g/GUidz6HHcFdxMpGVmiA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-24T10:37:35Z"
-    mac: ENC[AES256_GCM,data:JFnHKkVxPLkouEQBOlzmSMj0plONSonX5QFflualxJbjusCW8AZmURz/hUZ+10qveTDoLhZ6iL05m0gRYsfrLITvQ1RJH+mGSIoQngiK41j4bTFo9lt2Ih3voQdK+UYYGz4BakbPiLWu4+tTuP/zwc3Enp6dZCuNcuAmKA1AYts=,iv:TnHe4f67zUBIbz81q7amyQ43tzYU91hMfvYHwzR0dn0=,tag:x+AzafjgKW+0CR+ub0BwOg==,type:str]
+    lastmodified: "2025-05-24T12:56:49Z"
+    mac: ENC[AES256_GCM,data:OkOahTYk7bSyJqXJh3WDON5RCNp7vyzkU1joni/gmBs9iz0SPu4dIOnip0Vuosf1OERnFVpI8/jW/kUG5J+EJ9U1AmB8ygs2eR1XLTPNTZcV2JRwS1p9GZ3EU/1FY6xBv50RxkLVf9cu/aDBjPEXUleN+3c7DQ6X02NVe9YO0Zo=,iv:yQ8KcIOFPgCLeFAo8z3YKoH6Og8hxWxu0aljSi8J4xA=,tag:GxM0Nm/HzC8kjourFZ7+Zg==,type:str]
     pgp:
         - created_at: "2025-05-21T08:09:28Z"
           enc: |-