upRootNutrition/dotfiles
1
0
Fork 0
mirror of https://gitlab.com/upRootNutrition/dotfiles.git synced 2025-06-16 10:05:13 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: refactored abstractions

Browse source
This commit is contained in:
Nick 2024-10-19 18:22:29 -05:00
parent f3897c1e0c
commit 2e0ba5f89e
23 changed files with 324 additions and 310 deletions
Download patch file Download diff file Expand all files Collapse all files

12
config/default.nix
View file

@ -7,7 +7,6 @@
"phone" "phone"
"server" "server"
"tablet" "tablet"
"wildcard"
]; ];
instanceNames = [ instanceNames = [
"acme" "acme"
@ -28,7 +27,8 @@
"syncthing" "syncthing"
"synology" "synology"
"vaultwarden" "vaultwarden"
"wiki-js" "web"
"wiki"
"writefreely" "writefreely"
]; ];
userNames = [ userNames = [
@ -78,9 +78,7 @@ in let
sshKeys = listType; sshKeys = listType;
group = stringType; group = stringType;
email = genOptions stringType "address"; email = genOptions stringType "address";
domain = genOptions stringType "url"; paths = genOptions stringType "path";
dns = genOptions stringType "provider";
git = genOptions stringType "path";
}; };
}; };
serviceSubmodule = lib.types.submodule { serviceSubmodule = lib.types.submodule {
@ -104,6 +102,10 @@ in let
subdomain = stringType; subdomain = stringType;
label = stringType; label = stringType;
name = stringType; name = stringType;
domains = genOptions stringType "url";
dns = genOptions stringType "provider";
localhost = genOptions stringType "address";
email = genOptions stringType "address";
sops = genOptions stringType "path"; sops = genOptions stringType "path";
paths = genOptions stringType "path"; paths = genOptions stringType "path";
ports = genOptions intType "port"; ports = genOptions intType "port";

11
config/device.nix
View file

@ -166,16 +166,5 @@ in {
address0 = "192.168.50.189"; address0 = "192.168.50.189";
}; };
}; };
# No particular system
wildcard = {
ip = {
address0 = "127.0.0.1"; # Local
address1 = "0.0.0.0"; # All
address2 = "192.168.50.1"; # Router
address3 = "192.168.50.0"; # Router
};
};
}; };
} }

58
config/instance.nix
View file

@ -51,6 +51,21 @@ let
varLib = "/var/lib"; varLib = "/var/lib";
in { in {
instance = { instance = {
web = {
domains = {
url0 = domain0;
url1 = domain1;
};
dns = {
provider0 = "namecheap";
};
localhost = {
address0 = "127.0.0.1"; # Local
address1 = "0.0.0.0"; # All
address2 = "192.168.50.1"; # Router
address3 = "192.168.50.0"; # Router
};
};
acme = { acme = {
label = acmeLabel; label = acmeLabel;
name = acmeName; name = acmeName;
@ -73,14 +88,17 @@ in {
}; };
}; };
castopod = let castopod = let
castDomain = "podcast"; castopodSubdomain = "podcast";
in { in {
label = castLabel; label = castLabel;
name = castName; name = castName;
email = {
address0 = "noreply@${castopodSubdomain}.${domain1}";
};
sops = { sops = {
path0 = "${sops}/${castName}"; path0 = "${sops}/${castName}";
}; };
subdomain = castDomain; subdomain = castopodSubdomain;
paths = { paths = {
path0 = "${servicePath}/${castLabel}"; path0 = "${servicePath}/${castLabel}";
}; };
@ -88,19 +106,22 @@ in {
port0 = 8000; port0 = 8000;
}; };
ssl = { ssl = {
cert = "${sslPath}/${castDomain}.${domain1}/fullchain.pem"; cert = "${sslPath}/${castopodSubdomain}.${domain1}/fullchain.pem";
key = "${sslPath}/${castDomain}.${domain1}/key.pem"; key = "${sslPath}/${castopodSubdomain}.${domain1}/key.pem";
}; };
}; };
forgejo = let forgejo = let
forgejoDomain = "source"; forgejoSubdomain = "source";
in { in {
label = forgejoLabel; label = forgejoLabel;
name = forgejoName; name = forgejoName;
email = {
address0 = "noreply@${forgejoSubdomain}.${domain1}";
};
sops = { sops = {
path0 = "${sops}/${forgejoName}"; path0 = "${sops}/${forgejoName}";
}; };
subdomain = forgejoDomain; subdomain = forgejoSubdomain;
paths = { paths = {
path0 = "${servicePath}/${forgejoLabel}"; path0 = "${servicePath}/${forgejoLabel}";
}; };
@ -108,8 +129,8 @@ in {
port0 = 3033; port0 = 3033;
}; };
ssl = { ssl = {
cert = "${sslPath}/${forgejoDomain}.${domain1}/fullchain.pem"; cert = "${sslPath}/${forgejoSubdomain}.${domain1}/fullchain.pem";
key = "${sslPath}/${forgejoDomain}.${domain1}/key.pem"; key = "${sslPath}/${forgejoSubdomain}.${domain1}/key.pem";
}; };
}; };
jellyfin = { jellyfin = {
@ -148,6 +169,9 @@ in {
mastodon = { mastodon = {
label = mastodonLabel; label = mastodonLabel;
name = mastodonName; name = mastodonName;
email = {
address0 = "thenutrivore@${domain1}";
};
sops = { sops = {
path0 = "${sops}/${mastodonName}"; path0 = "${sops}/${mastodonName}";
}; };
@ -245,13 +269,18 @@ in {
key = "${sslPath}/${owncastSubdomain}.${domain1}/key.pem"; key = "${sslPath}/${owncastSubdomain}.${domain1}/key.pem";
}; };
}; };
peertube = { peertube = let
peertubeSubdomain = "video";
in {
label = peertubeLabel; label = peertubeLabel;
name = peertubeName; name = peertubeName;
email = {
address0 = "noreply@${peertubeSubdomain}.${domain1}";
};
sops = { sops = {
path0 = "${sops}/${peertubeName}"; path0 = "${sops}/${peertubeName}";
}; };
subdomain = "video"; subdomain = peertubeSubdomain;
paths = { paths = {
path0 = "${servicePath}/${peertubeLabel}"; path0 = "${servicePath}/${peertubeLabel}";
}; };
@ -322,13 +351,18 @@ in {
key = "${sslPath}/${syncthingName}.${domain0}/key.pem"; key = "${sslPath}/${syncthingName}.${domain0}/key.pem";
}; };
}; };
vaultwarden = { vaultwarden = let
vaultwardenSubdomain = vaultwardenName;
in {
label = vaultwardenLabel; label = vaultwardenLabel;
name = vaultwardenName; name = vaultwardenName;
email = {
address0 = "noreply@${vaultwardenSubdomain}.${domain0}";
};
sops = { sops = {
path0 = "${sops}/${vaultwardenName}"; path0 = "${sops}/${vaultwardenName}";
}; };
subdomain = vaultwardenName; subdomain = vaultwardenSubdomain;
paths = { paths = {
path0 = "${servicePath}/${vaultwardenLabel}/BackupDir"; path0 = "${servicePath}/${vaultwardenLabel}/BackupDir";
}; };

16
config/user.nix
View file

@ -16,21 +16,9 @@ in {
email = { email = {
address0 = "nickjhiebert@proton.me"; address0 = "nickjhiebert@proton.me";
address1 = "thenutrivore@proton.me"; address1 = "thenutrivore@proton.me";
address2 = "thenutrivore@the-nutrivore.social";
address3 = "noreply@vaultwarden.cloudbert.fun";
address4 = "noreply@video.the-nutrivore.social";
address5 = "noreply@source.the-nutrivore.social";
address6 = "noreply@podcast.the-nutrivore.social";
}; };
domain = { paths = {
url0 = "cloudbert.fun"; path0 = "/home/${user0}/Files/Projects"; # Git path
url1 = "the-nutrivore.social";
};
git = {
path0 = "/home/${user0}/Files/Projects";
};
dns = {
provider0 = "namecheap";
}; };
sshKeys = [ sshKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBF9TmImDoYDpsW5VMFbOcuK3aH4TWRtx/xGxT3yUtEN nick@desktop" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBF9TmImDoYDpsW5VMFbOcuK3aH4TWRtx/xGxT3yUtEN nick@desktop"

22
nixos/modules/ollama.nix
View file

@ -1,39 +1,39 @@
{flake, ...}: let {flake, ...}: let
inherit (flake.config.system.device) wildcard; inherit (flake.config.service.instance) ollama web;
inherit (flake.config.service.instance.ollama) paths ports name; service = ollama;
localhost = wildcard.ip.address0; localhost = web.localhost.address0;
in { in {
services = { services = {
ollama = { ollama = {
acceleration = false; acceleration = false;
enable = true; enable = true;
group = name; group = service.name;
host = "http://${localhost}"; host = "http://${localhost}";
models = paths.path1; models = service.paths.path1;
user = name; user = service.name;
}; };
open-webui = { open-webui = {
enable = true; enable = true;
host = localhost; host = localhost;
port = ports.port0; port = service.ports.port0;
environment = { environment = {
ENABLE_OLLAMA_API = "True"; ENABLE_OLLAMA_API = "True";
ANONYMIZED_TELEMETRY = "False"; ANONYMIZED_TELEMETRY = "False";
DO_NOT_TRACK = "True"; DO_NOT_TRACK = "True";
SCARF_NO_ANALYTICS = "True"; SCARF_NO_ANALYTICS = "True";
OLLAMA_BASE_URL = "http://${localhost}:${toString ports.port1}"; OLLAMA_BASE_URL = "http://${localhost}:${toString service.ports.port1}";
WEBUI_AUTH = "True"; WEBUI_AUTH = "True";
}; };
}; };
}; };
systemd.tmpfiles.rules = ["Z ${paths.path1} 0755 ${name} ${name} -"]; systemd.tmpfiles.rules = ["Z ${service.paths.path1} 0755 ${service.name} ${service.name} -"];
networking = { networking = {
firewall = { firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
ports.port0 service.ports.port0
ports.port1 service.ports.port1
]; ];
}; };
}; };

36
nixos/modules/services/acme.nix
View file

@ -4,17 +4,21 @@
... ...
}: let }: let
inherit (flake.config.people) user0; inherit (flake.config.people) user0;
inherit (flake.config.people.user.${user0}) domain email dns; inherit (flake.config.people.user.${user0}) email;
inherit (flake.config.service.instance.acme) paths;
inherit (flake.config.service) instance; inherit (flake.config.service) instance;
dnsConfig = {
dnsProvider = dns.provider0; domain0 = instance.web.domains.url0;
directory = paths.path0; domain1 = instance.web.domains.url1;
environmentFile = config.sops.secrets."dns/namecheap".path; dns = instance.web.dns.provider0;
};
instanceName = service: (instance.${service}.subdomain); instanceName = service: (instance.${service}.subdomain);
dnsConfig = {
dnsProvider = dns;
directory = instance.acme.paths.path0;
environmentFile = config.sops.secrets."dns/namecheap".path;
};
domain0SubdomainNames = [ domain0SubdomainNames = [
"nextcloud" "nextcloud"
"jellyfin" "jellyfin"
@ -35,13 +39,13 @@
"writefreely" "writefreely"
]; ];
domainRoot = [
domain0
domain1
];
domain0Subdomains = map instanceName domain0SubdomainNames; domain0Subdomains = map instanceName domain0SubdomainNames;
domain1Subdomains = map instanceName domain1SubdomainNames; domain1Subdomains = map instanceName domain1SubdomainNames;
domainRoot = [
domain.url0
domain.url1
];
in { in {
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
@ -51,12 +55,12 @@ in {
}; };
certs = builtins.listToAttrs ( certs = builtins.listToAttrs (
(map (prefix: { (map (prefix: {
name = "${prefix}.${domain.url0}"; name = "${prefix}.${domain0}";
value = dnsConfig; value = dnsConfig;
}) })
domain0Subdomains) domain0Subdomains)
++ (map (prefix: { ++ (map (prefix: {
name = "${prefix}.${domain.url1}"; name = "${prefix}.${domain1}";
value = dnsConfig; value = dnsConfig;
}) })
domain1Subdomains) domain1Subdomains)
@ -71,7 +75,7 @@ in {
sops = let sops = let
sopsSecrets = ["pass"]; sopsSecrets = ["pass"];
sopsPath = secret: { sopsPath = secret: {
path = "/var/lib/secrets/${instance.acme.name}/${dns.provider0}-${secret}"; path = "/var/lib/secrets/${instance.acme.name}/${dns}-${secret}";
owner = "root"; owner = "root";
mode = "600"; mode = "600";
}; };
@ -79,7 +83,7 @@ in {
secrets = builtins.listToAttrs ( secrets = builtins.listToAttrs (
map map
(secret: { (secret: {
name = "dns/${dns.provider0}"; name = "dns/${dns}";
value = sopsPath secret; value = sopsPath secret;
}) })
sopsSecrets sopsSecrets

18
nixos/modules/services/caddy.nix
View file

@ -1,27 +1,29 @@
{flake, ...}: let {flake, ...}: let
inherit (flake.config.people) user0; inherit (flake.config.service.instance) caddy web;
inherit (flake.config.people.user.${user0}) domain;
inherit (flake.config.service.instance.caddy) ports; domain0 = web.domains.url0;
service = caddy;
in { in {
services.caddy = { services.caddy = {
enable = true; enable = true;
virtualHosts = { virtualHosts = {
"${domain.url0}" = { "${domain0}" = {
extraConfig = '' extraConfig = ''
tls /var/lib/acme/${domain.url0}/fullchain.pem /var/lib/acme/${domain.url0}/key.pem tls /var/lib/acme/${domain0}/fullchain.pem /var/lib/acme/${domain0}/key.pem
encode zstd gzip encode zstd gzip
''; '';
}; };
}; };
}; };
users.users.caddy.extraGroups = ["acme" "nextcloud" "mastodon"]; users.users.${service}.extraGroups = ["acme" "nextcloud" "mastodon"];
networking = { networking = {
firewall = { firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
ports.port0 service.ports.port0
ports.port1 service.ports.port1
]; ];
}; };
}; };

36
nixos/modules/services/castopod.nix
View file

@ -3,20 +3,18 @@
config, config,
... ...
}: let }: let
inherit (flake.config.people) user0; inherit (flake.config.system.device) server;
inherit (flake.config.people.user.${user0}) domain email; inherit (flake.config.service.instance) castopod nginx web;
inherit (flake.config.system.device) server wildcard; service = castopod;
inherit (flake.config.service.instance.castopod) paths ports subdomain name sops ssl; localhost = web.localhost.address0;
inherit (flake.config.service.instance) nginx; host = "${service.subdomain}.${web.domains.url1}";
localhost = wildcard.ip.address0;
host = "${subdomain}.${domain.url1}";
in { in {
services = { services = {
castopod = { castopod = {
enable = true; enable = true;
localDomain = host; localDomain = host;
configureNginx = false; configureNginx = false;
environmentFile = config.sops.secrets."${name}-smtp".path; environmentFile = config.sops.secrets."${service.name}-smtp".path;
maxUploadSize = "1024M"; maxUploadSize = "1024M";
database = { database = {
createLocally = true; createLocally = true;
@ -31,7 +29,7 @@ in {
"pm.start_servers" = "2"; "pm.start_servers" = "2";
}; };
settings = { settings = {
"email.fromEmail" = email.address6; "email.fromEmail" = service.email.address0;
"email.protocol" = "smtp"; "email.protocol" = "smtp";
"email.SMTPHost" = localhost; "email.SMTPHost" = localhost;
"email.SMTPPort" = 587; "email.SMTPPort" = 587;
@ -51,9 +49,9 @@ in {
virtualHosts = { virtualHosts = {
"${host}" = { "${host}" = {
extraConfig = '' extraConfig = ''
reverse_proxy ${localhost}:${toString ports.port0} reverse_proxy ${localhost}:${toString service.ports.port0}
tls ${ssl.cert} ${ssl.key} tls ${service.ssl.cert} ${service.ssl.key}
''; '';
}; };
}; };
@ -63,37 +61,37 @@ in {
sops = let sops = let
sopsSecrets = ["smtp" "database"]; sopsSecrets = ["smtp" "database"];
sopsPath = secret: { sopsPath = secret: {
path = "${sops.path0}/${name}-${secret}"; path = "${service.sops.path0}/${service.name}-${secret}";
owner = name; owner = service.name;
mode = "600"; mode = "600";
}; };
in { in {
secrets = builtins.listToAttrs ( secrets = builtins.listToAttrs (
map map
(secret: { (secret: {
name = "${name}-${secret}"; name = "${service.name}-${secret}";
value = sopsPath secret; value = sopsPath secret;
}) })
sopsSecrets sopsSecrets
); );
}; };
fileSystems."/var/lib/${name}" = { fileSystems."/var/lib/${service.name}" = {
device = paths.path0; device = service.paths.path0;
fsType = "none"; fsType = "none";
options = ["bind"]; options = ["bind"];
depends = [server.storage0.mount]; depends = [server.storage0.mount];
}; };
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"Z ${paths.path0} 755 ${name} ${name} -" "Z ${service.paths.path0} 755 ${service.name} ${service.name} -"
"Z ${sops.path0} 755 ${name} ${name} -" "Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
]; ];
networking = { networking = {
firewall = { firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
ports.port0 service.ports.port0
nginx.ports.port0 nginx.ports.port0
]; ];
}; };

2
nixos/modules/services/default.nix
View file

@ -14,7 +14,7 @@
./owncast.nix ./owncast.nix
./samba.nix ./samba.nix
./vaultwarden.nix ./vaultwarden.nix
./wiki.nix # ./wiki.nix
# These are all broken. # These are all broken.

43
nixos/modules/services/forgejo.nix
View file

@ -3,12 +3,11 @@
config, config,
... ...
}: let }: let
inherit (flake.config.people) user0; inherit (flake.config.system.device) server;
inherit (flake.config.people.user.${user0}) domain email; inherit (flake.config.service.instance) forgejo web;
inherit (flake.config.system.device) server wildcard; service = forgejo;
inherit (flake.config.service.instance.forgejo) paths ports name subdomain sops ssl; localhost = web.localhost.address0;
localhost = wildcard.ip.address0; host = "${service.subdomain}.${web.domains.url1}";
host = "${subdomain}.${domain.url1}";
in { in {
services = { services = {
forgejo = { forgejo = {
@ -16,8 +15,8 @@ in {
database.type = "postgres"; database.type = "postgres";
lfs.enable = true; lfs.enable = true;
secrets = { secrets = {
mailer.PASSWD = config.sops.secrets."${name}-smtp".path; mailer.PASSWD = config.sops.secrets."${service.name}-smtp".path;
database.PASSWD = config.sops.secrets."${name}-database".path; database.PASSWD = config.sops.secrets."${service.name}-database".path;
}; };
dump = { dump = {
interval = "5:00"; interval = "5:00";
@ -29,7 +28,7 @@ in {
server = { server = {
DOMAIN = host; DOMAIN = host;
ROOT_URL = "https://${host}/"; ROOT_URL = "https://${host}/";
HTTP_PORT = ports.port0; HTTP_PORT = service.ports.port0;
}; };
# If you need to start from scratch, don't forget to turn this off again # If you need to start from scratch, don't forget to turn this off again
service.DISABLE_REGISTRATION = false; service.DISABLE_REGISTRATION = false;
@ -43,8 +42,8 @@ in {
mailer = { mailer = {
ENABLED = true; ENABLED = true;
SMTP_ADDR = "smtp.protonmail.ch"; SMTP_ADDR = "smtp.protonmail.ch";
FROM = email.address5; FROM = service.email.address0;
USER = email.address5; USER = service.email.address0;
PROTOCOL = "smtp+starttls"; PROTOCOL = "smtp+starttls";
SMTP_PORT = 587; SMTP_PORT = 587;
SEND_AS_PLAIN_TEXT = true; SEND_AS_PLAIN_TEXT = true;
@ -56,9 +55,9 @@ in {
virtualHosts = { virtualHosts = {
"${host}" = { "${host}" = {
extraConfig = '' extraConfig = ''
reverse_proxy ${localhost}:${toString ports.port0} reverse_proxy ${localhost}:${toString service.ports.port0}
tls ${ssl.cert} ${ssl.key} tls ${service.ssl.cert} ${service.ssl.key}
''; '';
}; };
}; };
@ -67,39 +66,39 @@ in {
sops = let sops = let
sopsSecrets = ["smtp" "database"]; sopsSecrets = ["smtp" "database"];
sopsPath = secret: { sopsPath = secret: {
path = "${sops.path0}/${name}-${secret}"; path = "${service.sops.path0}/${service.name}-${secret}";
owner = name; owner = service.name;
mode = "600"; mode = "600";
}; };
in { in {
secrets = builtins.listToAttrs ( secrets = builtins.listToAttrs (
map map
(secret: { (secret: {
name = "${name}-${secret}"; name = "${service.name}-${secret}";
value = sopsPath secret; value = sopsPath secret;
}) })
sopsSecrets sopsSecrets
); );
}; };
fileSystems."/var/lib/${name}" = { fileSystems."/var/lib/${service.name}" = {
device = paths.path0; device = service.paths.path0;
fsType = "none"; fsType = "none";
options = ["bind"]; options = ["bind"];
depends = [server.storage0.mount]; depends = [server.storage0.mount];
}; };
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"Z ${paths.path0} 755 ${name} ${name} -" "Z ${service.paths.path0} 755 ${service.name} ${service.name} -"
"Z ${sops.path0} 755 ${name} ${name} -" "Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
]; ];
users.users.${name}.extraGroups = ["caddy" "postgres"]; users.users.${service.name}.extraGroups = ["caddy" "postgres"];
networking = { networking = {
firewall = { firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
ports.port0 service.ports.port0
]; ];
}; };
}; };

32
nixos/modules/services/jellyfin.nix
View file

@ -1,10 +1,10 @@
{flake, ...}: let {flake, ...}: let
inherit (flake.config.people) user0; inherit (flake.config.people) user0;
inherit (flake.config.people.user.${user0}) domain; inherit (flake.config.system.device) server;
inherit (flake.config.system.device) server wildcard; inherit (flake.config.service.instance) jellyfin web;
inherit (flake.config.service.instance.jellyfin) paths ports name subdomain ssl; service = jellyfin;
localhost = wildcard.ip.address0; localhost = web.localhost.address0;
host = "${subdomain}.${domain.url0}"; host = "${service.subdomain}.${web.domains.url0}";
in { in {
services = { services = {
jellyfin = { jellyfin = {
@ -23,9 +23,9 @@ in {
redir /.well-known/carddav /remote.php/dav/ 301 redir /.well-known/carddav /remote.php/dav/ 301
redir /.well-known/caldav /remote.php/dav/ 301 redir /.well-known/caldav /remote.php/dav/ 301
reverse_proxy ${localhost}:${toString ports.port1} reverse_proxy ${localhost}:${toString service.ports.port1}
tls ${ssl.cert} ${ssl.key} tls ${service.ssl.cert} ${service.ssl.key}
''; '';
}; };
}; };
@ -39,29 +39,29 @@ in {
depends = [server.storage0.mount]; depends = [server.storage0.mount];
}; };
in { in {
"/var/lib/${name}" = "/var/lib/${service.name}" =
{ {
device = paths.path0; device = service.paths.path0;
} }
// settings; // settings;
"/var/cache/${name}" = "/var/cache/${service.name}" =
{ {
device = "${paths.path0}/cache"; device = "${service.paths.path0}/cache";
} }
// settings; // settings;
}; };
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"Z ${paths.path0} 0755 ${user0} ${name} -" "Z ${service.paths.path0} 0755 ${user0} ${service.name} -"
"Z ${paths.path0}/cache 0755 ${user0} ${name} -" "Z ${service.paths.path0}/cache 0755 ${user0} ${service.name} -"
]; ];
networking = { networking = {
firewall = { firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
ports.port0 service.ports.port0
ports.port1 service.ports.port1
ports.port2 service.ports.port2
]; ];
}; };
}; };

37
nixos/modules/services/mastodon/default.nix
View file

@ -5,12 +5,11 @@
lib, lib,
... ...
}: let }: let
inherit (flake.config.people) user0; inherit (flake.config.system.device) server;
inherit (flake.config.people.user.${user0}) domain email; inherit (flake.config.service.instance) mastodon web;
inherit (flake.config.system.device) server wildcard; service = mastodon;
inherit (flake.config.service.instance.mastodon) paths name sops ssl; host = web.domains.url1;
host = domain.url1; localhost = web.localhost.address0;
localhost = wildcard.ip.address0;
in { in {
# If you need to start fresh for some reason, run these to create the new Admin account: # If you need to start fresh for some reason, run these to create the new Admin account:
# sudo -u mastodon mastodon-tootctl accounts create nick --email=nick@localhost --confirmed --role=Owner # sudo -u mastodon mastodon-tootctl accounts create nick --email=nick@localhost --confirmed --role=Owner
@ -46,9 +45,9 @@ in {
automaticMigrations = true; automaticMigrations = true;
database = { database = {
createLocally = true; createLocally = true;
name = name; name = service.name;
host = "/run/postgresql"; host = "/run/postgresql";
user = name; user = service.name;
passwordFile = config.sops.secrets.mastodon-database.path; passwordFile = config.sops.secrets.mastodon-database.path;
}; };
extraConfig = { extraConfig = {
@ -92,11 +91,11 @@ in {
smtp = { smtp = {
authenticate = true; authenticate = true;
createLocally = false; createLocally = false;
fromAddress = "The Nutrivore <${email.address2}>"; fromAddress = "The Nutrivore <${service.email.address0}>";
host = "smtp.protonmail.ch"; host = "smtp.protonmail.ch";
passwordFile = config.sops.secrets.mastodon-smtp.path; passwordFile = config.sops.secrets.mastodon-smtp.path;
port = 587; port = 587;
user = email.address2; user = service.email.address0;
}; };
}; };
caddy = { caddy = {
@ -121,7 +120,7 @@ in {
reverse_proxy * unix//run/mastodon-web/web.socket reverse_proxy * unix//run/mastodon-web/web.socket
} }
tls ${ssl.cert} ${ssl.key} tls ${service.ssl.cert} ${service.ssl.key}
handle_errors { handle_errors {
root * ${pkgs.mastodon}/public root * ${pkgs.mastodon}/public
@ -149,34 +148,34 @@ in {
sops = let sops = let
sopsSecrets = ["smtp" "database" "redis"]; sopsSecrets = ["smtp" "database" "redis"];
sopsPath = secret: { sopsPath = secret: {
path = "${sops.path0}/${name}-${secret}"; path = "${service.sops.path0}/${service.name}-${secret}";
owner = name; owner = service.name;
mode = "600"; mode = "600";
}; };
in { in {
secrets = builtins.listToAttrs ( secrets = builtins.listToAttrs (
map map
(secret: { (secret: {
name = "${name}-${secret}"; name = "${service.name}-${secret}";
value = sopsPath secret; value = sopsPath secret;
}) })
sopsSecrets sopsSecrets
); );
}; };
fileSystems."/var/lib/${name}" = { fileSystems."/var/lib/${service.name}" = {
device = paths.path0; device = service.paths.path0;
fsType = "none"; fsType = "none";
options = ["bind"]; options = ["bind"];
depends = [server.storage0.mount]; depends = [server.storage0.mount];
}; };
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"Z ${paths.path0} 0755 ${name} ${name} -" "Z ${service.paths.path0} 0755 ${service.name} ${service.name} -"
"Z ${sops.path0} 0755 ${name} ${name} -" "Z ${service.sops.path0} 0755 ${service.name} ${service.name} -"
]; ];
users.users.${name}.extraGroups = ["postgres"]; users.users.${service.name}.extraGroups = ["postgres"];
networking = { networking = {
firewall = { firewall = {

23
nixos/modules/services/minecraft.nix
View file

@ -4,7 +4,8 @@
... ...
}: let }: let
inherit (flake.config.system.device) server; inherit (flake.config.system.device) server;
inherit (flake.config.service.instance.minecraft) paths ports name sops; inherit (flake.config.service.instance) minecraft;
service = minecraft;
in { in {
services = { services = {
minecraft-server = { minecraft-server = {
@ -13,7 +14,7 @@ in {
openFirewall = true; openFirewall = true;
declarative = true; declarative = true;
serverProperties = { serverProperties = {
"rcon.password" = config.sops.secrets."${name}-pass".path; "rcon.password" = config.sops.secrets."${service.name}-pass".path;
allow-flight = false; allow-flight = false;
allow-nether = true; allow-nether = true;
difficulty = 2; difficulty = 2;
@ -32,7 +33,7 @@ in {
motd = "A cool Minecraft server powered by NixOS"; motd = "A cool Minecraft server powered by NixOS";
online-mode = true; online-mode = true;
pvp = true; pvp = true;
server-port = ports.port0; server-port = service.ports.port0;
spawn-animals = true; spawn-animals = true;
spawn-monsters = true; spawn-monsters = true;
spawn-npcs = true; spawn-npcs = true;
@ -51,37 +52,37 @@ in {
sops = let sops = let
sopsSecrets = ["pass"]; sopsSecrets = ["pass"];
sopsPath = secret: { sopsPath = secret: {
path = "${sops.path0}/${name}-${secret}"; path = "${service.sops.path0}/${service.name}-${secret}";
owner = name; owner = service.name;
mode = "600"; mode = "600";
}; };
in { in {
secrets = builtins.listToAttrs ( secrets = builtins.listToAttrs (
map map
(secret: { (secret: {
name = "${name}-${secret}"; name = "${service.name}-${secret}";
value = sopsPath secret; value = sopsPath secret;
}) })
sopsSecrets sopsSecrets
); );
}; };
fileSystems."/var/lib/${name}" = { fileSystems."/var/lib/${service.name}" = {
device = paths.path0; device = service.paths.path0;
fsType = "none"; fsType = "none";
options = ["bind"]; options = ["bind"];
depends = [server.storage0.mount]; depends = [server.storage0.mount];
}; };
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"Z ${paths.path0} 0755 ${name} ${name} -" "Z ${service.paths.path0} 0755 ${service.name} ${service.name} -"
"Z ${sops.path0} 0755 ${name} ${name} -" "Z ${service.sops.path0} 0755 ${service.name} ${service.name} -"
]; ];
networking = { networking = {
firewall = { firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
ports.port0 service.ports.port0
]; ];
}; };
}; };

49
nixos/modules/services/nextcloud.nix
View file

@ -5,11 +5,12 @@
... ...
}: let }: let
inherit (flake.config.people) user0; inherit (flake.config.people) user0;
inherit (flake.config.people.user.${user0}) domain name; inherit (flake.config.people.user.${user0}) name;
inherit (flake.config.system.device) server wildcard; inherit (flake.config.system.device) server;
inherit (flake.config.service.instance) nextcloud nginx; inherit (flake.config.service.instance) nextcloud nginx web;
localhost = wildcard.ip.address0; service = nextcloud;
host = "${nextcloud.subdomain}.${domain.url1}"; localhost = web.localhost.address0;
host = "${service.subdomain}.${web.domains.url1}";
in { in {
services = { services = {
nextcloud = { nextcloud = {
@ -24,13 +25,13 @@ in {
extraAppsEnable = true; extraAppsEnable = true;
extraApps = { extraApps = {
inherit inherit
(config.services.nextcloud.package.packages.apps) (config.services.service.package.packages.apps)
contacts contacts
calendar calendar
; ;
}; };
config = { config = {
adminpassFile = config.sops.secrets."${nextcloud.name}-pass".path; adminpassFile = config.sops.secrets."${service.name}-pass".path;
adminuser = name; adminuser = name;
dbtype = "pgsql"; dbtype = "pgsql";
}; };
@ -54,7 +55,7 @@ in {
enable = true; enable = true;
virtualHosts.${host}.listen = [ virtualHosts.${host}.listen = [
{ {
addr = wildcard.ip.address1; addr = web.localhost.address1;
port = nginx.ports.port0; port = nginx.ports.port0;
} }
]; ];
@ -66,7 +67,7 @@ in {
extraConfig = '' extraConfig = ''
reverse_proxy ${localhost}:${toString nginx.ports.port0} reverse_proxy ${localhost}:${toString nginx.ports.port0}
tls ${nextcloud.ssl.cert} ${nextcloud.ssl.key} tls ${service.ssl.cert} ${service.ssl.key}
''; '';
}; };
}; };
@ -76,40 +77,40 @@ in {
sops = let sops = let
sopsSecrets = ["pass"]; sopsSecrets = ["pass"];
sopsPath = secret: { sopsPath = secret: {
path = "${nextcloud.sops.path0}/${nextcloud.name}-${secret}"; path = "${service.sops.path0}/${service.name}-${secret}";
owner = nextcloud.name; owner = service.name;
mode = "600"; mode = "600";
}; };
in { in {
secrets = builtins.listToAttrs ( secrets = builtins.listToAttrs (
map map
(secret: { (secret: {
name = "${nextcloud.name}-${secret}"; name = "${service.name}-${secret}";
value = sopsPath secret; value = sopsPath secret;
}) })
sopsSecrets sopsSecrets
); );
}; };
# fileSystems."/var/lib/${nextcloud.name}" = { fileSystems."/var/lib/${service.name}" = {
# device = nextcloud.paths.path0; device = service.paths.path0;
# fsType = "none"; fsType = "none";
# options = ["bind"]; options = ["bind"];
# depends = [server.storage0.mount]; depends = [server.storage0.mount];
# }; };
# systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
# "Z ${nextcloud.paths.path0} 750 ${nextcloud.name} ${nextcloud.name} -" "Z ${service.paths.path0} 750 ${service.name} ${service.name} -"
# "Z ${nextcloud.sops.path0} 750 ${nextcloud.name} ${nextcloud.name} -" "Z ${service.sops.path0} 750 ${service.name} ${service.name} -"
# ]; ];
users.users.${nextcloud.name}.extraGroups = ["caddy" "nginx" "postgres"]; users.users.${service.name}.extraGroups = ["caddy" "nginx" "postgres"];
networking = { networking = {
firewall = { firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
nginx.ports.port0 nginx.ports.port0
nextcloud.ports.port0 service.ports.port0
]; ];
}; };
}; };

35
nixos/modules/services/ollama.nix
View file

@ -1,31 +1,30 @@
{flake, ...}: let {flake, ...}: let
inherit (flake.config.people) user0; inherit (flake.config.system.device) server;
inherit (flake.config.people.user.${user0}) domain; inherit (flake.config.service.instance) ollama web;
inherit (flake.config.system.device) server wildcard; service = ollama;
inherit (flake.config.service.instance.ollama) paths ports subdomain name ssl; localhost = web.localhost.address0;
localhost = wildcard.ip.address0; host = "${service.subdomain}.${web.domains.url0}";
host = "${subdomain}.${domain.url0}";
in { in {
services = { services = {
ollama = { ollama = {
acceleration = false; acceleration = false;
enable = true; enable = true;
group = name; group = service.name;
host = "http://${localhost}"; host = "http://${localhost}";
port = ports.port1; port = service.ports.port1;
user = name; user = service.name;
}; };
open-webui = { open-webui = {
enable = true; enable = true;
host = localhost; host = localhost;
port = ports.port0; port = service.ports.port0;
environment = { environment = {
ENABLE_OLLAMA_API = "True"; ENABLE_OLLAMA_API = "True";
ANONYMIZED_TELEMETRY = "False"; ANONYMIZED_TELEMETRY = "False";
DO_NOT_TRACK = "True"; DO_NOT_TRACK = "True";
SCARF_NO_ANALYTICS = "True"; SCARF_NO_ANALYTICS = "True";
OLLAMA_BASE_URL = "http://${localhost}:${toString ports.port1}"; OLLAMA_BASE_URL = "http://${localhost}:${toString service.ports.port1}";
WEBUI_AUTH = "True"; WEBUI_AUTH = "True";
}; };
}; };
@ -34,29 +33,29 @@ in {
virtualHosts = { virtualHosts = {
${host} = { ${host} = {
extraConfig = '' extraConfig = ''
reverse_proxy ${localhost}:${toString ports.port0} reverse_proxy ${localhost}:${toString service.ports.port0}
tls ${ssl.cert} ${ssl.key} tls ${service.ssl.cert} ${service.ssl.key}
''; '';
}; };
}; };
}; };
}; };
fileSystems."/var/lib/${name}" = { fileSystems."/var/lib/${service.name}" = {
device = paths.path0; device = service.paths.path0;
fsType = "none"; fsType = "none";
options = ["bind"]; options = ["bind"];
depends = [server.storage0.mount]; depends = [server.storage0.mount];
}; };
systemd.tmpfiles.rules = ["Z ${paths.path0} 0755 ${name} ${name} -"]; systemd.tmpfiles.rules = ["Z ${service.paths.path0} 0755 ${service.name} ${service.name} -"];
networking = { networking = {
firewall = { firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
ports.port0 service.ports.port0
ports.port1 service.ports.port1
]; ];
}; };
}; };

20
nixos/modules/services/owncast.nix
View file

@ -1,25 +1,23 @@
{flake, ...}: let {flake, ...}: let
inherit (flake.config.people) user0; inherit (flake.config.service.instance) owncast web;
inherit (flake.config.people.user.${user0}) domain; service = owncast;
inherit (flake.config.system.device) wildcard; localhost = web.localhost.address1;
inherit (flake.config.service.instance.owncast) ports subdomain ssl; host = "${service.subdomain}.${web.domains.url1}";
localhost = wildcard.ip.address1;
host = "${subdomain}.${domain.url1}";
in { in {
services = { services = {
owncast = { owncast = {
enable = true; enable = true;
listen = localhost; listen = localhost;
port = ports.port0; port = service.ports.port0;
openFirewall = true; openFirewall = true;
}; };
caddy = { caddy = {
virtualHosts = { virtualHosts = {
"${host}" = { "${host}" = {
extraConfig = '' extraConfig = ''
reverse_proxy ${localhost}:${toString ports.port0} reverse_proxy ${localhost}:${toString service.ports.port0}
tls ${ssl.cert} ${ssl.key} tls ${service.ssl.cert} ${service.ssl.key}
''; '';
}; };
}; };
@ -29,8 +27,8 @@ in {
networking = { networking = {
firewall = { firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
ports.port0 service.ports.port0
ports.port1 service.ports.port1
]; ];
}; };
}; };

61
nixos/modules/services/peertube.nix
View file

@ -4,24 +4,23 @@
pkgs, pkgs,
... ...
}: let }: let
inherit (flake.config.people) user0; inherit (flake.config.system.device) server;
inherit (flake.config.people.user.${user0}) domain email; inherit (flake.config.service.instance) caddy peertube web;
inherit (flake.config.system.device) server wildcard; service = peertube;
inherit (flake.config.service.instance) caddy peertube; localhost = web.localhost.address0;
localhost = wildcard.ip.address0; host = "${service.subdomain}.${web.domains.url1}";
host = "${peertube.subdomain}.${domain.url1}";
in { in {
services = { services = {
peertube = { peertube = {
configureNginx = false; configureNginx = false;
enable = true; enable = true;
enableWebHttps = true; enableWebHttps = true;
group = peertube.name; group = service.name;
listenWeb = caddy.ports.port1; listenWeb = caddy.ports.port1;
listenHttp = peertube.ports.port0; listenHttp = service.ports.port0;
localDomain = host; localDomain = host;
serviceEnvironmentFile = config.sops.secrets."${peertube.name}-root".path; serviceEnvironmentFile = config.sops.secrets."${service.name}-root".path;
user = peertube.name; user = service.name;
plugins = { plugins = {
enable = true; enable = true;
plugins = with pkgs; [ plugins = with pkgs; [
@ -33,7 +32,7 @@ in {
}; };
secrets = { secrets = {
secretsFile = config.sops.secrets."${peertube.name}-secret".path; secretsFile = config.sops.secrets."${service.name}-secret".path;
}; };
settings = { settings = {
instance = { instance = {
@ -45,25 +44,25 @@ in {
smtp = { smtp = {
transport = "smtp"; transport = "smtp";
disable_starttls = false; disable_starttls = false;
from_address = email.address4; from_address = service.email.address0;
hostname = "smtp.protonmail.ch"; hostname = "smtp.protonmail.ch";
port = 587; port = 587;
username = email.address4; username = service.email.address0;
tls = false; tls = false;
}; };
}; };
database = { database = {
createLocally = true; createLocally = true;
passwordFile = config.sops.secrets."${peertube.name}-database".path; passwordFile = config.sops.secrets."${service.name}-database".path;
}; };
redis = { redis = {
enableUnixSocket = true; enableUnixSocket = true;
createLocally = true; createLocally = true;
passwordFile = config.sops.secrets."${peertube.name}-redis".path; passwordFile = config.sops.secrets."${service.name}-redis".path;
}; };
smtp = { smtp = {
createLocally = true; createLocally = true;
passwordFile = config.sops.secrets."${peertube.name}-smtp".path; passwordFile = config.sops.secrets."${service.name}-smtp".path;
}; };
}; };
@ -71,9 +70,9 @@ in {
virtualHosts = { virtualHosts = {
${host} = { ${host} = {
extraConfig = '' extraConfig = ''
reverse_proxy ${localhost}:${toString peertube.ports.port0} reverse_proxy ${localhost}:${toString service.ports.port0}
tls ${peertube.ssl.cert} ${peertube.ssl.key} tls ${service.ssl.cert} ${service.ssl.key}
''; '';
}; };
@ -84,43 +83,43 @@ in {
sops = let sops = let
sopsSecrets = ["smtp" "database" "redis" "root" "secret"]; sopsSecrets = ["smtp" "database" "redis" "root" "secret"];
sopsPath = secret: { sopsPath = secret: {
path = "${peertube.sops.path0}/${peertube.name}-${secret}-pass"; path = "${service.sops.path0}/${service.name}-${secret}-pass";
owner = peertube.name; owner = service.name;
mode = "600"; mode = "600";
}; };
in { in {
secrets = builtins.listToAttrs ( secrets = builtins.listToAttrs (
map map
(secret: { (secret: {
name = "${peertube.name}-${secret}"; name = "${service.name}-${secret}";
value = sopsPath secret; value = sopsPath secret;
}) })
sopsSecrets sopsSecrets
); );
}; };
fileSystems."/var/lib/${peertube.name}" = { fileSystems."/var/lib/${service.name}" = {
device = peertube.paths.path0; device = service.paths.path0;
fsType = "none"; fsType = "none";
options = ["bind"]; options = ["bind"];
depends = [server.storage0.mount]; depends = [server.storage0.mount];
}; };
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"Z ${peertube.paths.path0} 755 ${peertube.name} ${peertube.name} -" "Z ${service.paths.path0} 755 ${service.name} ${service.name} -"
"Z ${peertube.sops.path0} 755 ${peertube.name} ${peertube.name} -" "Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
]; ];
users.users.${peertube.name}.extraGroups = ["nginx" "caddy"]; users.users.${service.name}.extraGroups = ["nginx" "caddy"];
networking = { networking = {
firewall = { firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
peertube.ports.port0 service.ports.port0
peertube.ports.port1 service.ports.port1
peertube.ports.port2 service.ports.port2
peertube.ports.port3 service.ports.port3
peertube.ports.port4 service.ports.port4
]; ];
}; };
}; };

16
nixos/modules/services/postgresql.nix
View file

@ -1,11 +1,13 @@
{flake, ...}: let {flake, ...}: let
inherit (flake.config.service.instance.postgresql) name paths ports;
inherit (flake.config.system.device) server; inherit (flake.config.system.device) server;
inherit (flake.config.service.instance) postgresql;
service = postgresql;
in { in {
services = { services = {
postgresqlBackup = { postgresqlBackup = {
enable = true; enable = true;
location = paths.path0; location = service.paths.path0;
databases = ["mastodon" "nextcloud" "peertube" "forgejo" "wiki"]; databases = ["mastodon" "nextcloud" "peertube" "forgejo" "wiki"];
}; };
postgresql = { postgresql = {
@ -15,23 +17,23 @@ in {
networking = { networking = {
firewall = { firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
ports.port0 service.ports.port0
]; ];
}; };
}; };
fileSystems."/var/lib/postgresql" = { fileSystems."/var/lib/postgresql" = {
device = paths.path0; device = service.paths.path0;
fsType = "none"; fsType = "none";
options = ["bind"]; options = ["bind"];
depends = [server.storage0.mount]; depends = [server.storage0.mount];
}; };
systemd.tmpfiles.rules = ["Z ${paths.path0} 700 ${name} ${name} -"]; systemd.tmpfiles.rules = ["Z ${service.paths.path0} 700 ${service.name} ${service.name} -"];
users.users.${name}.extraGroups = ["nextcloud" "mastodon" "forgejo"]; users.users.${service.name}.extraGroups = ["nextcloud" "mastodon" "forgejo"];
system.activationScripts.postgresCommands = '' system.activationScripts.postgresCommands = ''
chown -R ${name}:${name} ${paths.path0} chown -R ${service.name}:${service.name} ${service.paths.path0}
''; '';
} }

5
nixos/modules/services/samba.nix
View file

@ -4,6 +4,7 @@
... ...
}: let }: let
inherit (flake.config.service.instance) samba jellyfin; inherit (flake.config.service.instance) samba jellyfin;
service = samba;
in { in {
# If you ever need to start fresh, you need to add yourself to the Samba users database: # If you ever need to start fresh, you need to add yourself to the Samba users database:
# sudo smbpasswd -a username # sudo smbpasswd -a username
@ -13,7 +14,7 @@ in {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
settings = { settings = {
${samba.paths.path1} = { ${service.paths.path1} = {
path = jellyfin.paths.path0; path = jellyfin.paths.path0;
writable = "true"; writable = "true";
}; };
@ -24,7 +25,7 @@ in {
networking = { networking = {
firewall = { firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
samba.ports.port0 service.ports.port0
]; ];
}; };
}; };

36
nixos/modules/services/vaultwarden.nix
View file

@ -3,18 +3,16 @@
config, config,
... ...
}: let }: let
inherit (flake.config.people) user0; inherit (flake.config.service.instance) vaultwarden web;
inherit (flake.config.people.user.${user0}) domain email; service = vaultwarden;
inherit (flake.config.system.device) wildcard; localhost = web.localhost.address0;
inherit (flake.config.service.instance.vaultwarden) paths ports subdomain name sops ssl; host = "${service.subdomain}.${web.domains.url0}";
localhost = wildcard.ip.address0;
host = "${subdomain}.${domain.url0}";
in { in {
services = { services = {
vaultwarden = { vaultwarden = {
backupDir = paths.path0; backupDir = service.paths.path0;
enable = true; enable = true;
environmentFile = config.sops.secrets."${name}/env".path; environmentFile = config.sops.secrets."${service.name}/env".path;
config = { config = {
# Domain Configuration # Domain Configuration
DOMAIN = "https://${host}"; DOMAIN = "https://${host}";
@ -22,12 +20,12 @@ in {
# Email Configuration # Email Configuration
SMTP_AUTH_MECHANISM = "Plain"; SMTP_AUTH_MECHANISM = "Plain";
SMTP_EMBED_IMAGES = true; SMTP_EMBED_IMAGES = true;
SMTP_FROM = email.address3; SMTP_FROM = service.email.address0;
SMTP_FROM_NAME = "Vaultwarden"; SMTP_FROM_NAME = "Vaultwarden";
SMTP_HOST = "smtp.protonmail.ch"; SMTP_HOST = "smtp.protonmail.ch";
SMTP_PORT = 587; SMTP_PORT = 587;
SMTP_SECURITY = "starttls"; SMTP_SECURITY = "starttls";
SMTP_USERNAME = email.address3; SMTP_USERNAME = service.email.address0;
# Security Configuration # Security Configuration
DISABLE_ADMIN_TOKEN = false; DISABLE_ADMIN_TOKEN = false;
@ -42,18 +40,18 @@ in {
# Rocket (Web Server) Settings # Rocket (Web Server) Settings
ROCKET_ADDRESS = localhost; ROCKET_ADDRESS = localhost;
ROCKET_PORT = ports.port0; ROCKET_PORT = service.ports.port0;
}; };
}; };
caddy = { caddy = {
virtualHosts = { virtualHosts = {
"${host}" = { "${host}" = {
extraConfig = '' extraConfig = ''
reverse_proxy ${localhost}:${toString ports.port0} { reverse_proxy ${localhost}:${toString service.ports.port0} {
header_up X-Real-IP {remote_host} header_up X-Real-IP {remote_host}
} }
tls ${ssl.cert} ${ssl.key} tls ${service.ssl.cert} ${service.ssl.key}
encode zstd gzip encode zstd gzip
''; '';
@ -65,15 +63,15 @@ in {
sops = let sops = let
sopsSecrets = ["env"]; sopsSecrets = ["env"];
sopsPath = secret: { sopsPath = secret: {
path = "${sops.path0}/${name}-${secret}"; path = "${service.sops.path0}/${service.name}-${secret}";
owner = name; owner = service.name;
mode = "600"; mode = "600";
}; };
in { in {
secrets = builtins.listToAttrs ( secrets = builtins.listToAttrs (
map map
(secret: { (secret: {
name = "${name}/${secret}"; name = "${service.name}/${secret}";
value = sopsPath secret; value = sopsPath secret;
}) })
sopsSecrets sopsSecrets
@ -81,14 +79,14 @@ in {
}; };
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"Z ${paths.path0} 0755 ${name} ${name} -" "Z ${service.paths.path0} 0755 ${service.name} ${service.name} -"
"Z ${sops.path0} 755 ${name} ${name} -" "Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
]; ];
networking = { networking = {
firewall = { firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
ports.port0 service.ports.port0
]; ];
}; };
}; };

41
nixos/modules/services/wiki.nix
View file

@ -3,22 +3,21 @@
config, config,
... ...
}: let }: let
inherit (flake.config.people) user0; inherit (flake.config.system.device) server;
inherit (flake.config.people.user.${user0}) domain; inherit (flake.config.service.instance) web wiki;
inherit (flake.config.system.device) server wildcard; service = wiki;
inherit (flake.config.service.instance.wiki) paths ports subdomain ssl sops name; localhost = web.localhost.address0;
localhost = wildcard.ip.address0; host = "${service.subdomain}.${web.domains.url1}";
host = "${subdomain}.${domain.url1}";
in { in {
services = { services = {
wiki-js = { wiki-js = {
enable = true; enable = true;
environmentFile = config.sops.secrets."${name}-pass".path; environmentFile = config.sops.secrets."${service.name}-pass".path;
settings = { settings = {
port = ports.port0; port = service.ports.port0;
bindIP = localhost; bindIP = localhost;
db = { db = {
db = name; db = service.name;
type = "postgres"; type = "postgres";
host = host; host = host;
}; };
@ -29,19 +28,19 @@ in {
virtualHosts = { virtualHosts = {
"${host}" = { "${host}" = {
extraConfig = '' extraConfig = ''
reverse_proxy ${localhost}:${toString ports.port0} reverse_proxy ${localhost}:${toString service.ports.port0}
tls ${ssl.cert} ${ssl.key} tls ${service.ssl.cert} ${service.ssl.key}
''; '';
}; };
}; };
}; };
postgresql = { postgresql = {
ensureDatabases = [name]; ensureDatabases = [service.name];
ensureUsers = [ ensureUsers = [
{ {
name = name; name = service.name;
ensureDBOwnership = true; ensureDBOwnership = true;
} }
]; ];
@ -51,7 +50,7 @@ in {
sops = let sops = let
sopsSecrets = ["pass"]; sopsSecrets = ["pass"];
sopsPath = secret: { sopsPath = secret: {
path = "${sops.path0}/${name}-${secret}"; path = "${service.sops.path0}/${service.name}-${secret}";
owner = "root"; owner = "root";
mode = "600"; mode = "600";
}; };
@ -59,30 +58,30 @@ in {
secrets = builtins.listToAttrs ( secrets = builtins.listToAttrs (
map map
(secret: { (secret: {
name = "${name}-${secret}"; name = "${service.name}-${secret}";
value = sopsPath secret; value = sopsPath secret;
}) })
sopsSecrets sopsSecrets
); );
}; };
fileSystems."/var/lib/${name}" = { fileSystems."/var/lib/${service.name}" = {
device = paths.path0; device = service.paths.path0;
fsType = "none"; fsType = "none";
options = ["bind"]; options = ["bind"];
depends = [server.storage0.mount]; depends = [server.storage0.mount];
}; };
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"Z ${paths.path0} 755 ${name} ${name} -" "Z ${service.paths.path0} 755 ${service.name} ${service.name} -"
"Z ${sops.path0} 755 ${name} ${name} -" "Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
]; ];
networking = { networking = {
firewall = { firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
ports.port0 service.ports.port0
ports.port1 service.ports.port1
]; ];
}; };
}; };

21
nixos/modules/syncthing.nix
View file

@ -1,7 +1,8 @@
{flake, ...}: let {flake, ...}: let
inherit (flake.config.system.device) nas phone tablet wildcard; inherit (flake.config.system.device) nas phone tablet;
inherit (flake.config.service.instance.syncthing) ports; inherit (flake.config.service.instance) syncthing web;
localhost = wildcard.ip.address0; service = syncthing;
localhost = web.localhost.address0;
in { in {
services = { services = {
syncthing = { syncthing = {
@ -10,14 +11,14 @@ in {
overrideFolders = false; overrideFolders = false;
openDefaultPorts = true; openDefaultPorts = true;
systemService = true; systemService = true;
guiAddress = "${localhost}:${toString ports.port0}"; guiAddress = "${localhost}:${toString service.ports.port0}";
settings = { settings = {
devices = { devices = {
${nas.name} = { ${nas.name} = {
autoAcceptFolders = true; autoAcceptFolders = true;
name = nas.name; name = nas.name;
addresses = [ addresses = [
"tcp://${nas.ip.address0}:${toString ports.port2}" "tcp://${nas.ip.address0}:${toString service.ports.port2}"
]; ];
id = nas.sync; id = nas.sync;
}; };
@ -25,7 +26,7 @@ in {
autoAcceptFolders = true; autoAcceptFolders = true;
name = phone.name; name = phone.name;
addresses = [ addresses = [
"tcp://${phone.ip.address0}:${toString ports.port2}" "tcp://${phone.ip.address0}:${toString service.ports.port2}"
]; ];
id = phone.sync; id = phone.sync;
}; };
@ -33,7 +34,7 @@ in {
autoAcceptFolders = true; autoAcceptFolders = true;
name = tablet.name; name = tablet.name;
addresses = [ addresses = [
"tcp://${tablet.ip.address0}:${toString ports.port2}" "tcp://${tablet.ip.address0}:${toString service.ports.port2}"
]; ];
id = tablet.sync; id = tablet.sync;
}; };
@ -45,9 +46,9 @@ in {
networking = { networking = {
firewall = { firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
ports.port0 service.ports.port0
ports.port1 service.ports.port1
ports.port2 service.ports.port2
]; ];
}; };
}; };

4
profiles/user0/default.nix
View file

@ -5,7 +5,7 @@
... ...
}: let }: let
inherit (flake.config.people) user0; inherit (flake.config.people) user0;
inherit (flake.config.people.user.${user0}) name git; inherit (flake.config.people.user.${user0}) name paths;
hostname = config.networking.hostName; hostname = config.networking.hostName;
in { in {
@ -90,7 +90,7 @@ in {
]; ];
in { in {
rules = rules =
["d ${git.path0} 0755 ${user0} users -"] ["d ${paths.path0} 0755 ${user0} users -"]
++ (map (path: "d /home/${user0}/${path} 0755 ${user0} users -") directoriesAddedToHome) ++ (map (path: "d /home/${user0}/${path} 0755 ${user0} users -") directoriesAddedToHome)
++ (map (path: "R /home/${user0}/${path} 0755 ${user0} users - -") directoriesRemovedFromHome); ++ (map (path: "R /home/${user0}/${path} 0755 ${user0} users - -") directoriesRemovedFromHome);
}; };