feat: modularize hydrogen's services

hosts/hydrogen/configuration.nix

@@ -1,9 +1,10 @@
-{ modulesPath, pkgs, lib, name, config, ... }:
+{ modulesPath, pkgs, lib, name, ... }: {
-
-{
   imports =
-    lib.optional (builtins.pathExists ./do-userdata.nix) ./do-userdata.nix
+    lib.optional (builtins.pathExists ./do-userdata.nix) ./do-userdata.nix ++ [
-    ++ [ (modulesPath + "/virtualisation/digital-ocean-config.nix") ];
+      (modulesPath + "/virtualisation/digital-ocean-config.nix")
+
+      ./services
+    ];
 
   networking = {
     hostName = name;
@@ -14,12 +15,6 @@
         80 # http
         443 # https
       ];
-      allowedUDPPorts = [
-        5553 # wireguard
-      ];
-      interfaces."wg0".allowedUDPPorts = [
-        53 # dns
-      ];
     };
   };
 
@@ -29,113 +24,6 @@
   };
 
   networking.nat.enable = true;
-  networking.nat.internalInterfaces = [ "wg0" ];
-  networking.wireguard.interfaces = {
-    wg0 = {
-      ips = [ "10.0.0.1/24" ];
-      listenPort = 5553;
-      privateKeyFile = "/root/wg-private";
-      peers = [
-        { # pixel
-          publicKey = "HS2q+PpPPwxqT1jCD7D4puqr4ZyaXV5TostavlYWBx0=";
-          allowedIPs = [ "10.0.0.2/32" ];
-        }
-        { # neodymium
-          publicKey = "IFeRvelEilNRLkhWgFKL9HrJ9XYsm+r4yvv23CigETk=";
-          allowedIPs = [ "10.0.0.3/32" ];
-        }
-      ];
-    };
-  };
-
-  services.blocky = {
-    enable = true;
-    settings = {
-      upstream.default = [ "208.67.222.222" "208.67.220.220" ];
-      clientLookup.clients = {
-        hydrogen = [ "10.0.0.1" "127.0.0.1" ];
-        pixel5 = [ "10.0.0.2" ];
-        neodymium = [ "10.0.0.3" ];
-      };
-      blocking = {
-        refreshPeriod = "24h";
-        clientGroupsBlock.default =
-          [ "firebog-tick" "firebog-nocross" "regex" ];
-        blackLists = {
-          firebog-tick = [
-            # https://v.firebog.net/hosts/lists.php?type=tick
-            "https://adaway.org/hosts.txt"
-            "https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt"
-            "https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt"
-            "https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt"
-            "https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"
-            "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext"
-            "https://phishing.army/download/phishing_army_blocklist_extended.txt"
-            "https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt"
-            "https://raw.githubusercontent.com/AssoEchap/stalkerware-indicators/master/generated/hosts"
-            "https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts"
-            "https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt"
-            "https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt"
-            "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts"
-            "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts"
-            "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts"
-            "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts"
-            "https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt"
-            "https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt"
-            "https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt"
-            "https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt"
-            "https://urlhaus.abuse.ch/downloads/hostfile/"
-            "https://v.firebog.net/hosts/AdguardDNS.txt"
-            "https://v.firebog.net/hosts/Admiral.txt"
-            "https://v.firebog.net/hosts/Easylist.txt"
-            "https://v.firebog.net/hosts/Easyprivacy.txt"
-            "https://v.firebog.net/hosts/Prigent-Ads.txt"
-            "https://v.firebog.net/hosts/Prigent-Crypto.txt"
-            "https://v.firebog.net/hosts/RPiList-Malware.txt"
-            "https://v.firebog.net/hosts/RPiList-Phishing.txt"
-            "https://v.firebog.net/hosts/static/w3kbl.txt"
-            "https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser"
-          ];
-          firebog-nocross = [
-            # https://v.firebog.net/hosts/lists.php?type=nocross
-            "https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt"
-            "https://malware-filter.gitlab.io/malware-filter/phishing-filter-hosts.txt"
-            "https://paulgb.github.io/BarbBlock/blacklists/hosts-file.txt"
-            "https://raw.githubusercontent.com/jdlingyu/ad-wars/master/hosts"
-            "https://raw.githubusercontent.com/matomo-org/referrer-spam-blacklist/master/spammers.txt"
-            "https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/AmazonFireTV.txt"
-            "https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/android-tracking.txt"
-            "https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV.txt"
-            "https://raw.githubusercontent.com/RooneyMcNibNug/pihole-stuff/master/SNAFU.txt"
-            "https://raw.githubusercontent.com/VeleSila/yhosts/master/hosts"
-            "https://someonewhocares.org/hosts/zero/hosts"
-            "https://v.firebog.net/hosts/neohostsbasic.txt"
-            "https://v.firebog.net/hosts/Prigent-Malware.txt"
-            "https://winhelp2002.mvps.org/hosts.txt"
-            "https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt"
-          ];
-          regex = [''
-            # https://github.com/mmotti/pihole-regex/blob/master/regex.list
-            /^ad([sxv]?[0-9]*|system)[_.-]([^.[:space:]]+\\.){1,}|[_.-]ad([sxv]?[0-9]*|system)[_.-]/
-            /^(.+[_.-])?adse?rv(er?|ice)?s?[0-9]*[_.-]/
-            /^(.+[_.-])?telemetry[_.-]/
-            /^adim(age|g)s?[0-9]*[_.-]/
-            /^adtrack(er|ing)?[0-9]*[_.-]/
-            /^advert(s|is(ing|ements?))?[0-9]*[_.-]/
-            /^aff(iliat(es?|ion))?[_.-]/
-            /^analytics?[_.-]/
-            /^banners?[_.-]/
-            /^beacons?[0-9]*[_.-]/
-            /^count(ers?)?[0-9]*[_.-]/
-            /^mads\\./
-            /^pixels?[-.]/
-            /^stat(s|istics)?[0-9]*[_.-]/
-            /.*\\.g[0-9]+\\..*/
-          ''];
-        };
-      };
-    };
-  };
 
   users.mutableUsers = false;
   users.users.root.openssh.authorizedKeys.keys = [
@@ -144,42 +32,6 @@
 
   environment.systemPackages = with pkgs; [ htop ];
 
-  age.secrets.gitea = {
-    file = ../../secrets/gitea.age;
-    owner = "gitea";
-    group = "gitea";
-  };
-  age.identityPaths = [ "/root/.ssh/id_ed25519" ];
-
-  services.gitea = {
-    enable = true;
-    domain = "git.fainsin.bzh";
-    rootUrl = "https://git.fainsin.bzh";
-    lfs.enable = true;
-    database = {
-      type = "postgres";
-      passwordFile = config.age.secrets.gitea.path;
-    };
-    settings = {
-      service = {
-        "DEFAULT_KEEP_EMAIL_PRIVATE" = true;
-        "DISABLE_REGISTRATION" = true;
-      };
-      server = { "LANDING_PAGE" = "explore"; };
-      indexer = {
-        "REPO_INDEXER_ENABLED" = true;
-        "REPO_INDEXER_PATH" = "indexers/repos.bleve";
-        "UPDATE_BUFFER_LEN" = 20;
-        "MAX_FILE_SIZE" = 1048576;
-        "REPO_INDEXER_EXCLUDE" = "node_modules/**";
-      };
-      session = {
-        "PROVIDER" = "db";
-        "COOKIE_SECURE" = true;
-      };
-    };
-  };
-
   services.nginx = {
     enable = true;
 
@@ -188,13 +40,6 @@
     recommendedGzipSettings = true;
     recommendedProxySettings = true;
 
-    commonHttpConfig = ''
-      log_format vhosts '$host $remote_addr - $remote_user [$time_local] '
-                        '$request $status $body_bytes_sent $http_referer '
-                        '$http_user_agent $http_x_forwarded_for';
-      access_log  /var/log/nginx/access.log vhosts;
-    '';
-
     virtualHosts = {
       "fainsin.bzh" = {
         enableACME = true;
@@ -207,14 +52,6 @@
         forceSSL = true;
         root = "/srv/www/";
       };
-      "git.fainsin.bzh" = {
-        enableACME = true;
-        forceSSL = true;
-        locations."/" = {
-          proxyPass = "http://localhost:3000/";
-          proxyWebsockets = true;
-        };
-      };
       default = {
         default = true;
         locations."/".return = ''301 "$scheme://fainsin.bzh" '';

hosts/hydrogen/services/blocky/default.nix

@@ -0,0 +1,103 @@
+{ ... }: {
+  networking = {
+    firewall = {
+      # allow dns queries trough wireguard
+      interfaces."wg0".allowedUDPPorts = [
+        53 # dns default port
+      ];
+    };
+  };
+
+  services.blocky = {
+    enable = true;
+    settings = {
+      upstream.default = [ "208.67.222.222" "208.67.220.220" ];
+
+      clientLookup.clients = {
+        hydrogen = [ "10.0.0.1" "127.0.0.1" ];
+        pixel5 = [ "10.0.0.2" ];
+        neodymium = [ "10.0.0.3" ];
+      };
+
+      blocking = {
+        refreshPeriod = "24h";
+        clientGroupsBlock.default =
+          [ "firebog-tick" "firebog-nocross" "regex" ];
+        blackLists = {
+          firebog-tick = [
+            # https://v.firebog.net/hosts/lists.php?type=tick
+            "https://adaway.org/hosts.txt"
+            "https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt"
+            "https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt"
+            "https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt"
+            "https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"
+            "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext"
+            "https://phishing.army/download/phishing_army_blocklist_extended.txt"
+            "https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt"
+            "https://raw.githubusercontent.com/AssoEchap/stalkerware-indicators/master/generated/hosts"
+            "https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts"
+            "https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt"
+            "https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt"
+            "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts"
+            "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts"
+            "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts"
+            "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts"
+            "https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt"
+            "https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt"
+            "https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt"
+            "https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt"
+            "https://urlhaus.abuse.ch/downloads/hostfile/"
+            "https://v.firebog.net/hosts/AdguardDNS.txt"
+            "https://v.firebog.net/hosts/Admiral.txt"
+            "https://v.firebog.net/hosts/Easylist.txt"
+            "https://v.firebog.net/hosts/Easyprivacy.txt"
+            "https://v.firebog.net/hosts/Prigent-Ads.txt"
+            "https://v.firebog.net/hosts/Prigent-Crypto.txt"
+            "https://v.firebog.net/hosts/RPiList-Malware.txt"
+            "https://v.firebog.net/hosts/RPiList-Phishing.txt"
+            "https://v.firebog.net/hosts/static/w3kbl.txt"
+            "https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser"
+          ];
+          firebog-nocross = [
+            # https://v.firebog.net/hosts/lists.php?type=nocross
+            "https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt"
+            "https://malware-filter.gitlab.io/malware-filter/phishing-filter-hosts.txt"
+            "https://paulgb.github.io/BarbBlock/blacklists/hosts-file.txt"
+            "https://raw.githubusercontent.com/jdlingyu/ad-wars/master/hosts"
+            "https://raw.githubusercontent.com/matomo-org/referrer-spam-blacklist/master/spammers.txt"
+            "https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/AmazonFireTV.txt"
+            "https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/android-tracking.txt"
+            "https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV.txt"
+            "https://raw.githubusercontent.com/RooneyMcNibNug/pihole-stuff/master/SNAFU.txt"
+            "https://raw.githubusercontent.com/VeleSila/yhosts/master/hosts"
+            "https://someonewhocares.org/hosts/zero/hosts"
+            "https://v.firebog.net/hosts/neohostsbasic.txt"
+            "https://v.firebog.net/hosts/Prigent-Malware.txt"
+            "https://winhelp2002.mvps.org/hosts.txt"
+            "https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt"
+          ];
+          regex = [
+            # https://github.com/mmotti/pihole-regex/blob/master/regex.list
+            ''
+              /^ad([sxv]?[0-9]*|system)[_.-]([^.[:space:]]+\\.){1,}|[_.-]ad([sxv]?[0-9]*|system)[_.-]/
+              /^(.+[_.-])?adse?rv(er?|ice)?s?[0-9]*[_.-]/
+              /^(.+[_.-])?telemetry[_.-]/
+              /^adim(age|g)s?[0-9]*[_.-]/
+              /^adtrack(er|ing)?[0-9]*[_.-]/
+              /^advert(s|is(ing|ements?))?[0-9]*[_.-]/
+              /^aff(iliat(es?|ion))?[_.-]/
+              /^analytics?[_.-]/
+              /^banners?[_.-]/
+              /^beacons?[0-9]*[_.-]/
+              /^count(ers?)?[0-9]*[_.-]/
+              /^mads\\./
+              /^pixels?[-.]/
+              /^stat(s|istics)?[0-9]*[_.-]/
+              /.*\\.g[0-9]+\\..*/
+            ''
+          ];
+        };
+      };
+    };
+  };
+}

hosts/hydrogen/services/default.nix

@@ -0,0 +1 @@
+{ imports = [ ./gitea ./blocky ./wireguard ]; }

hosts/hydrogen/services/gitea/default.nix

@@ -0,0 +1,46 @@
+{ config, ... }: {
+  age.secrets.gitea = {
+    file = ../../../../secrets/gitea.age;
+    owner = "gitea";
+    group = "gitea";
+  };
+  age.identityPaths = [ "/root/.ssh/id_ed25519" ];
+
+  services.gitea = {
+    enable = true;
+    domain = "git.fainsin.bzh";
+    rootUrl = "https://git.fainsin.bzh";
+    lfs.enable = true;
+    database = {
+      type = "postgres";
+      passwordFile = config.age.secrets.gitea.path;
+    };
+    settings = {
+      service = {
+        "DEFAULT_KEEP_EMAIL_PRIVATE" = true;
+        "DISABLE_REGISTRATION" = true;
+      };
+      server = { "LANDING_PAGE" = "explore"; };
+      indexer = {
+        "REPO_INDEXER_ENABLED" = true;
+        "REPO_INDEXER_PATH" = "indexers/repos.bleve";
+        "UPDATE_BUFFER_LEN" = 20;
+        "MAX_FILE_SIZE" = 1048576;
+        "REPO_INDEXER_EXCLUDE" = "node_modules/**";
+      };
+      session = {
+        "PROVIDER" = "db";
+        "COOKIE_SECURE" = true;
+      };
+    };
+  };
+
+  services.nginx.virtualHosts."git.fainsin.bzh" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://localhost:3000/";
+      proxyWebsockets = true;
+    };
+  };
+}

hosts/hydrogen/services/wireguard/default.nix

@@ -0,0 +1,29 @@
+{ ... }: {
+  networking = {
+    firewall = {
+      allowedUDPPorts = [
+        5553 # default wireguard port
+      ];
+    };
+
+    nat.internalInterfaces = [ "wg0" ];
+
+    wireguard.interfaces = {
+      wg0 = {
+        ips = [ "10.0.0.1/24" ];
+        listenPort = 5553;
+        privateKeyFile = "/root/wg-private";
+        peers = [
+          { # pixel
+            publicKey = "HS2q+PpPPwxqT1jCD7D4puqr4ZyaXV5TostavlYWBx0=";
+            allowedIPs = [ "10.0.0.2/32" ];
+          }
+          { # neodymium
+            publicKey = "IFeRvelEilNRLkhWgFKL9HrJ9XYsm+r4yvv23CigETk=";
+            allowedIPs = [ "10.0.0.3/32" ];
+          }
+        ];
+      };
+    };
+  };
+}