mirror of
https://gitlab.com/upRootNutrition/dotfiles.git
synced 2025-06-16 10:05:13 -05:00
feat: refactored abstractions
This commit is contained in:
Nick
parent
f3897c1e0c
commit
2e0ba5f89e
23 changed files with 324 additions and 310 deletions
|
|
@ -7,7 +7,6 @@
|
|||
"phone"
|
||||
"server"
|
||||
"tablet"
|
||||
"wildcard"
|
||||
];
|
||||
instanceNames = [
|
||||
"acme"
|
||||
|
|
@ -28,7 +27,8 @@
|
|||
"syncthing"
|
||||
"synology"
|
||||
"vaultwarden"
|
||||
"wiki-js"
|
||||
"web"
|
||||
"wiki"
|
||||
"writefreely"
|
||||
];
|
||||
userNames = [
|
||||
|
|
@ -78,9 +78,7 @@ in let
|
|||
sshKeys = listType;
|
||||
group = stringType;
|
||||
email = genOptions stringType "address";
|
||||
domain = genOptions stringType "url";
|
||||
dns = genOptions stringType "provider";
|
||||
git = genOptions stringType "path";
|
||||
paths = genOptions stringType "path";
|
||||
};
|
||||
};
|
||||
serviceSubmodule = lib.types.submodule {
|
||||
|
|
@ -104,6 +102,10 @@ in let
|
|||
subdomain = stringType;
|
||||
label = stringType;
|
||||
name = stringType;
|
||||
domains = genOptions stringType "url";
|
||||
dns = genOptions stringType "provider";
|
||||
localhost = genOptions stringType "address";
|
||||
email = genOptions stringType "address";
|
||||
sops = genOptions stringType "path";
|
||||
paths = genOptions stringType "path";
|
||||
ports = genOptions intType "port";
|
||||
|
|
|
|||
|
|
@ -166,16 +166,5 @@ in {
|
|||
address0 = "192.168.50.189";
|
||||
};
|
||||
};
|
||||
|
||||
# No particular system
|
||||
|
||||
wildcard = {
|
||||
ip = {
|
||||
address0 = "127.0.0.1"; # Local
|
||||
address1 = "0.0.0.0"; # All
|
||||
address2 = "192.168.50.1"; # Router
|
||||
address3 = "192.168.50.0"; # Router
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -51,6 +51,21 @@ let
|
|||
varLib = "/var/lib";
|
||||
in {
|
||||
instance = {
|
||||
web = {
|
||||
domains = {
|
||||
url0 = domain0;
|
||||
url1 = domain1;
|
||||
};
|
||||
dns = {
|
||||
provider0 = "namecheap";
|
||||
};
|
||||
localhost = {
|
||||
address0 = "127.0.0.1"; # Local
|
||||
address1 = "0.0.0.0"; # All
|
||||
address2 = "192.168.50.1"; # Router
|
||||
address3 = "192.168.50.0"; # Router
|
||||
};
|
||||
};
|
||||
acme = {
|
||||
label = acmeLabel;
|
||||
name = acmeName;
|
||||
|
|
@ -73,14 +88,17 @@ in {
|
|||
};
|
||||
};
|
||||
castopod = let
|
||||
castDomain = "podcast";
|
||||
castopodSubdomain = "podcast";
|
||||
in {
|
||||
label = castLabel;
|
||||
name = castName;
|
||||
email = {
|
||||
address0 = "noreply@${castopodSubdomain}.${domain1}";
|
||||
};
|
||||
sops = {
|
||||
path0 = "${sops}/${castName}";
|
||||
};
|
||||
subdomain = castDomain;
|
||||
subdomain = castopodSubdomain;
|
||||
paths = {
|
||||
path0 = "${servicePath}/${castLabel}";
|
||||
};
|
||||
|
|
@ -88,19 +106,22 @@ in {
|
|||
port0 = 8000;
|
||||
};
|
||||
ssl = {
|
||||
cert = "${sslPath}/${castDomain}.${domain1}/fullchain.pem";
|
||||
key = "${sslPath}/${castDomain}.${domain1}/key.pem";
|
||||
cert = "${sslPath}/${castopodSubdomain}.${domain1}/fullchain.pem";
|
||||
key = "${sslPath}/${castopodSubdomain}.${domain1}/key.pem";
|
||||
};
|
||||
};
|
||||
forgejo = let
|
||||
forgejoDomain = "source";
|
||||
forgejoSubdomain = "source";
|
||||
in {
|
||||
label = forgejoLabel;
|
||||
name = forgejoName;
|
||||
email = {
|
||||
address0 = "noreply@${forgejoSubdomain}.${domain1}";
|
||||
};
|
||||
sops = {
|
||||
path0 = "${sops}/${forgejoName}";
|
||||
};
|
||||
subdomain = forgejoDomain;
|
||||
subdomain = forgejoSubdomain;
|
||||
paths = {
|
||||
path0 = "${servicePath}/${forgejoLabel}";
|
||||
};
|
||||
|
|
@ -108,8 +129,8 @@ in {
|
|||
port0 = 3033;
|
||||
};
|
||||
ssl = {
|
||||
cert = "${sslPath}/${forgejoDomain}.${domain1}/fullchain.pem";
|
||||
key = "${sslPath}/${forgejoDomain}.${domain1}/key.pem";
|
||||
cert = "${sslPath}/${forgejoSubdomain}.${domain1}/fullchain.pem";
|
||||
key = "${sslPath}/${forgejoSubdomain}.${domain1}/key.pem";
|
||||
};
|
||||
};
|
||||
jellyfin = {
|
||||
|
|
@ -148,6 +169,9 @@ in {
|
|||
mastodon = {
|
||||
label = mastodonLabel;
|
||||
name = mastodonName;
|
||||
email = {
|
||||
address0 = "thenutrivore@${domain1}";
|
||||
};
|
||||
sops = {
|
||||
path0 = "${sops}/${mastodonName}";
|
||||
};
|
||||
|
|
@ -245,13 +269,18 @@ in {
|
|||
key = "${sslPath}/${owncastSubdomain}.${domain1}/key.pem";
|
||||
};
|
||||
};
|
||||
peertube = {
|
||||
peertube = let
|
||||
peertubeSubdomain = "video";
|
||||
in {
|
||||
label = peertubeLabel;
|
||||
name = peertubeName;
|
||||
email = {
|
||||
address0 = "noreply@${peertubeSubdomain}.${domain1}";
|
||||
};
|
||||
sops = {
|
||||
path0 = "${sops}/${peertubeName}";
|
||||
};
|
||||
subdomain = "video";
|
||||
subdomain = peertubeSubdomain;
|
||||
paths = {
|
||||
path0 = "${servicePath}/${peertubeLabel}";
|
||||
};
|
||||
|
|
@ -322,13 +351,18 @@ in {
|
|||
key = "${sslPath}/${syncthingName}.${domain0}/key.pem";
|
||||
};
|
||||
};
|
||||
vaultwarden = {
|
||||
vaultwarden = let
|
||||
vaultwardenSubdomain = vaultwardenName;
|
||||
in {
|
||||
label = vaultwardenLabel;
|
||||
name = vaultwardenName;
|
||||
email = {
|
||||
address0 = "noreply@${vaultwardenSubdomain}.${domain0}";
|
||||
};
|
||||
sops = {
|
||||
path0 = "${sops}/${vaultwardenName}";
|
||||
};
|
||||
subdomain = vaultwardenName;
|
||||
subdomain = vaultwardenSubdomain;
|
||||
paths = {
|
||||
path0 = "${servicePath}/${vaultwardenLabel}/BackupDir";
|
||||
};
|
||||
|
|
|
|||
|
|
@ -16,21 +16,9 @@ in {
|
|||
email = {
|
||||
address0 = "nickjhiebert@proton.me";
|
||||
address1 = "thenutrivore@proton.me";
|
||||
address2 = "thenutrivore@the-nutrivore.social";
|
||||
address3 = "noreply@vaultwarden.cloudbert.fun";
|
||||
address4 = "noreply@video.the-nutrivore.social";
|
||||
address5 = "noreply@source.the-nutrivore.social";
|
||||
address6 = "noreply@podcast.the-nutrivore.social";
|
||||
};
|
||||
domain = {
|
||||
url0 = "cloudbert.fun";
|
||||
url1 = "the-nutrivore.social";
|
||||
};
|
||||
git = {
|
||||
path0 = "/home/${user0}/Files/Projects";
|
||||
};
|
||||
dns = {
|
||||
provider0 = "namecheap";
|
||||
paths = {
|
||||
path0 = "/home/${user0}/Files/Projects"; # Git path
|
||||
};
|
||||
sshKeys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBF9TmImDoYDpsW5VMFbOcuK3aH4TWRtx/xGxT3yUtEN nick@desktop"
|
||||
|
|
|
|||
|
|
@ -1,39 +1,39 @@
|
|||
{flake, ...}: let
|
||||
inherit (flake.config.system.device) wildcard;
|
||||
inherit (flake.config.service.instance.ollama) paths ports name;
|
||||
localhost = wildcard.ip.address0;
|
||||
inherit (flake.config.service.instance) ollama web;
|
||||
service = ollama;
|
||||
localhost = web.localhost.address0;
|
||||
in {
|
||||
services = {
|
||||
ollama = {
|
||||
acceleration = false;
|
||||
enable = true;
|
||||
group = name;
|
||||
group = service.name;
|
||||
host = "http://${localhost}";
|
||||
models = paths.path1;
|
||||
user = name;
|
||||
models = service.paths.path1;
|
||||
user = service.name;
|
||||
};
|
||||
open-webui = {
|
||||
enable = true;
|
||||
host = localhost;
|
||||
port = ports.port0;
|
||||
port = service.ports.port0;
|
||||
environment = {
|
||||
ENABLE_OLLAMA_API = "True";
|
||||
ANONYMIZED_TELEMETRY = "False";
|
||||
DO_NOT_TRACK = "True";
|
||||
SCARF_NO_ANALYTICS = "True";
|
||||
OLLAMA_BASE_URL = "http://${localhost}:${toString ports.port1}";
|
||||
OLLAMA_BASE_URL = "http://${localhost}:${toString service.ports.port1}";
|
||||
WEBUI_AUTH = "True";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = ["Z ${paths.path1} 0755 ${name} ${name} -"];
|
||||
systemd.tmpfiles.rules = ["Z ${service.paths.path1} 0755 ${service.name} ${service.name} -"];
|
||||
|
||||
networking = {
|
||||
firewall = {
|
||||
allowedTCPPorts = [
|
||||
ports.port0
|
||||
ports.port1
|
||||
service.ports.port0
|
||||
service.ports.port1
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -4,17 +4,21 @@
|
|||
...
|
||||
}: let
|
||||
inherit (flake.config.people) user0;
|
||||
inherit (flake.config.people.user.${user0}) domain email dns;
|
||||
inherit (flake.config.service.instance.acme) paths;
|
||||
inherit (flake.config.people.user.${user0}) email;
|
||||
inherit (flake.config.service) instance;
|
||||
dnsConfig = {
|
||||
dnsProvider = dns.provider0;
|
||||
directory = paths.path0;
|
||||
environmentFile = config.sops.secrets."dns/namecheap".path;
|
||||
};
|
||||
|
||||
domain0 = instance.web.domains.url0;
|
||||
domain1 = instance.web.domains.url1;
|
||||
dns = instance.web.dns.provider0;
|
||||
|
||||
instanceName = service: (instance.${service}.subdomain);
|
||||
|
||||
dnsConfig = {
|
||||
dnsProvider = dns;
|
||||
directory = instance.acme.paths.path0;
|
||||
environmentFile = config.sops.secrets."dns/namecheap".path;
|
||||
};
|
||||
|
||||
domain0SubdomainNames = [
|
||||
"nextcloud"
|
||||
"jellyfin"
|
||||
|
|
@ -35,13 +39,13 @@
|
|||
"writefreely"
|
||||
];
|
||||
|
||||
domainRoot = [
|
||||
domain0
|
||||
domain1
|
||||
];
|
||||
|
||||
domain0Subdomains = map instanceName domain0SubdomainNames;
|
||||
domain1Subdomains = map instanceName domain1SubdomainNames;
|
||||
|
||||
domainRoot = [
|
||||
domain.url0
|
||||
domain.url1
|
||||
];
|
||||
in {
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
|
|
@ -51,12 +55,12 @@ in {
|
|||
};
|
||||
certs = builtins.listToAttrs (
|
||||
(map (prefix: {
|
||||
name = "${prefix}.${domain.url0}";
|
||||
name = "${prefix}.${domain0}";
|
||||
value = dnsConfig;
|
||||
})
|
||||
domain0Subdomains)
|
||||
++ (map (prefix: {
|
||||
name = "${prefix}.${domain.url1}";
|
||||
name = "${prefix}.${domain1}";
|
||||
value = dnsConfig;
|
||||
})
|
||||
domain1Subdomains)
|
||||
|
|
@ -71,7 +75,7 @@ in {
|
|||
sops = let
|
||||
sopsSecrets = ["pass"];
|
||||
sopsPath = secret: {
|
||||
path = "/var/lib/secrets/${instance.acme.name}/${dns.provider0}-${secret}";
|
||||
path = "/var/lib/secrets/${instance.acme.name}/${dns}-${secret}";
|
||||
owner = "root";
|
||||
mode = "600";
|
||||
};
|
||||
|
|
@ -79,7 +83,7 @@ in {
|
|||
secrets = builtins.listToAttrs (
|
||||
map
|
||||
(secret: {
|
||||
name = "dns/${dns.provider0}";
|
||||
name = "dns/${dns}";
|
||||
value = sopsPath secret;
|
||||
})
|
||||
sopsSecrets
|
||||
|
|
|
|||
|
|
@ -1,27 +1,29 @@
|
|||
{flake, ...}: let
|
||||
inherit (flake.config.people) user0;
|
||||
inherit (flake.config.people.user.${user0}) domain;
|
||||
inherit (flake.config.service.instance.caddy) ports;
|
||||
inherit (flake.config.service.instance) caddy web;
|
||||
|
||||
domain0 = web.domains.url0;
|
||||
|
||||
service = caddy;
|
||||
in {
|
||||
services.caddy = {
|
||||
enable = true;
|
||||
virtualHosts = {
|
||||
"${domain.url0}" = {
|
||||
"${domain0}" = {
|
||||
extraConfig = ''
|
||||
tls /var/lib/acme/${domain.url0}/fullchain.pem /var/lib/acme/${domain.url0}/key.pem
|
||||
tls /var/lib/acme/${domain0}/fullchain.pem /var/lib/acme/${domain0}/key.pem
|
||||
encode zstd gzip
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
users.users.caddy.extraGroups = ["acme" "nextcloud" "mastodon"];
|
||||
users.users.${service}.extraGroups = ["acme" "nextcloud" "mastodon"];
|
||||
|
||||
networking = {
|
||||
firewall = {
|
||||
allowedTCPPorts = [
|
||||
ports.port0
|
||||
ports.port1
|
||||
service.ports.port0
|
||||
service.ports.port1
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -3,20 +3,18 @@
|
|||
config,
|
||||
...
|
||||
}: let
|
||||
inherit (flake.config.people) user0;
|
||||
inherit (flake.config.people.user.${user0}) domain email;
|
||||
inherit (flake.config.system.device) server wildcard;
|
||||
inherit (flake.config.service.instance.castopod) paths ports subdomain name sops ssl;
|
||||
inherit (flake.config.service.instance) nginx;
|
||||
localhost = wildcard.ip.address0;
|
||||
host = "${subdomain}.${domain.url1}";
|
||||
inherit (flake.config.system.device) server;
|
||||
inherit (flake.config.service.instance) castopod nginx web;
|
||||
service = castopod;
|
||||
localhost = web.localhost.address0;
|
||||
host = "${service.subdomain}.${web.domains.url1}";
|
||||
in {
|
||||
services = {
|
||||
castopod = {
|
||||
enable = true;
|
||||
localDomain = host;
|
||||
configureNginx = false;
|
||||
environmentFile = config.sops.secrets."${name}-smtp".path;
|
||||
environmentFile = config.sops.secrets."${service.name}-smtp".path;
|
||||
maxUploadSize = "1024M";
|
||||
database = {
|
||||
createLocally = true;
|
||||
|
|
@ -31,7 +29,7 @@ in {
|
|||
"pm.start_servers" = "2";
|
||||
};
|
||||
settings = {
|
||||
"email.fromEmail" = email.address6;
|
||||
"email.fromEmail" = service.email.address0;
|
||||
"email.protocol" = "smtp";
|
||||
"email.SMTPHost" = localhost;
|
||||
"email.SMTPPort" = 587;
|
||||
|
|
@ -51,9 +49,9 @@ in {
|
|||
virtualHosts = {
|
||||
"${host}" = {
|
||||
extraConfig = ''
|
||||
reverse_proxy ${localhost}:${toString ports.port0}
|
||||
reverse_proxy ${localhost}:${toString service.ports.port0}
|
||||
|
||||
tls ${ssl.cert} ${ssl.key}
|
||||
tls ${service.ssl.cert} ${service.ssl.key}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
|
@ -63,37 +61,37 @@ in {
|
|||
sops = let
|
||||
sopsSecrets = ["smtp" "database"];
|
||||
sopsPath = secret: {
|
||||
path = "${sops.path0}/${name}-${secret}";
|
||||
owner = name;
|
||||
path = "${service.sops.path0}/${service.name}-${secret}";
|
||||
owner = service.name;
|
||||
mode = "600";
|
||||
};
|
||||
in {
|
||||
secrets = builtins.listToAttrs (
|
||||
map
|
||||
(secret: {
|
||||
name = "${name}-${secret}";
|
||||
name = "${service.name}-${secret}";
|
||||
value = sopsPath secret;
|
||||
})
|
||||
sopsSecrets
|
||||
);
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/${name}" = {
|
||||
device = paths.path0;
|
||||
fileSystems."/var/lib/${service.name}" = {
|
||||
device = service.paths.path0;
|
||||
fsType = "none";
|
||||
options = ["bind"];
|
||||
depends = [server.storage0.mount];
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"Z ${paths.path0} 755 ${name} ${name} -"
|
||||
"Z ${sops.path0} 755 ${name} ${name} -"
|
||||
"Z ${service.paths.path0} 755 ${service.name} ${service.name} -"
|
||||
"Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
|
||||
];
|
||||
|
||||
networking = {
|
||||
firewall = {
|
||||
allowedTCPPorts = [
|
||||
ports.port0
|
||||
service.ports.port0
|
||||
nginx.ports.port0
|
||||
];
|
||||
};
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@
|
|||
./owncast.nix
|
||||
./samba.nix
|
||||
./vaultwarden.nix
|
||||
./wiki.nix
|
||||
# ./wiki.nix
|
||||
|
||||
# These are all broken.
|
||||
|
||||
|
|
|
|||
|
|
@ -3,12 +3,11 @@
|
|||
config,
|
||||
...
|
||||
}: let
|
||||
inherit (flake.config.people) user0;
|
||||
inherit (flake.config.people.user.${user0}) domain email;
|
||||
inherit (flake.config.system.device) server wildcard;
|
||||
inherit (flake.config.service.instance.forgejo) paths ports name subdomain sops ssl;
|
||||
localhost = wildcard.ip.address0;
|
||||
host = "${subdomain}.${domain.url1}";
|
||||
inherit (flake.config.system.device) server;
|
||||
inherit (flake.config.service.instance) forgejo web;
|
||||
service = forgejo;
|
||||
localhost = web.localhost.address0;
|
||||
host = "${service.subdomain}.${web.domains.url1}";
|
||||
in {
|
||||
services = {
|
||||
forgejo = {
|
||||
|
|
@ -16,8 +15,8 @@ in {
|
|||
database.type = "postgres";
|
||||
lfs.enable = true;
|
||||
secrets = {
|
||||
mailer.PASSWD = config.sops.secrets."${name}-smtp".path;
|
||||
database.PASSWD = config.sops.secrets."${name}-database".path;
|
||||
mailer.PASSWD = config.sops.secrets."${service.name}-smtp".path;
|
||||
database.PASSWD = config.sops.secrets."${service.name}-database".path;
|
||||
};
|
||||
dump = {
|
||||
interval = "5:00";
|
||||
|
|
@ -29,7 +28,7 @@ in {
|
|||
server = {
|
||||
DOMAIN = host;
|
||||
ROOT_URL = "https://${host}/";
|
||||
HTTP_PORT = ports.port0;
|
||||
HTTP_PORT = service.ports.port0;
|
||||
};
|
||||
# If you need to start from scratch, don't forget to turn this off again
|
||||
service.DISABLE_REGISTRATION = false;
|
||||
|
|
@ -43,8 +42,8 @@ in {
|
|||
mailer = {
|
||||
ENABLED = true;
|
||||
SMTP_ADDR = "smtp.protonmail.ch";
|
||||
FROM = email.address5;
|
||||
USER = email.address5;
|
||||
FROM = service.email.address0;
|
||||
USER = service.email.address0;
|
||||
PROTOCOL = "smtp+starttls";
|
||||
SMTP_PORT = 587;
|
||||
SEND_AS_PLAIN_TEXT = true;
|
||||
|
|
@ -56,9 +55,9 @@ in {
|
|||
virtualHosts = {
|
||||
"${host}" = {
|
||||
extraConfig = ''
|
||||
reverse_proxy ${localhost}:${toString ports.port0}
|
||||
reverse_proxy ${localhost}:${toString service.ports.port0}
|
||||
|
||||
tls ${ssl.cert} ${ssl.key}
|
||||
tls ${service.ssl.cert} ${service.ssl.key}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
|
@ -67,39 +66,39 @@ in {
|
|||
sops = let
|
||||
sopsSecrets = ["smtp" "database"];
|
||||
sopsPath = secret: {
|
||||
path = "${sops.path0}/${name}-${secret}";
|
||||
owner = name;
|
||||
path = "${service.sops.path0}/${service.name}-${secret}";
|
||||
owner = service.name;
|
||||
mode = "600";
|
||||
};
|
||||
in {
|
||||
secrets = builtins.listToAttrs (
|
||||
map
|
||||
(secret: {
|
||||
name = "${name}-${secret}";
|
||||
name = "${service.name}-${secret}";
|
||||
value = sopsPath secret;
|
||||
})
|
||||
sopsSecrets
|
||||
);
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/${name}" = {
|
||||
device = paths.path0;
|
||||
fileSystems."/var/lib/${service.name}" = {
|
||||
device = service.paths.path0;
|
||||
fsType = "none";
|
||||
options = ["bind"];
|
||||
depends = [server.storage0.mount];
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"Z ${paths.path0} 755 ${name} ${name} -"
|
||||
"Z ${sops.path0} 755 ${name} ${name} -"
|
||||
"Z ${service.paths.path0} 755 ${service.name} ${service.name} -"
|
||||
"Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
|
||||
];
|
||||
|
||||
users.users.${name}.extraGroups = ["caddy" "postgres"];
|
||||
users.users.${service.name}.extraGroups = ["caddy" "postgres"];
|
||||
|
||||
networking = {
|
||||
firewall = {
|
||||
allowedTCPPorts = [
|
||||
ports.port0
|
||||
service.ports.port0
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -1,10 +1,10 @@
|
|||
{flake, ...}: let
|
||||
inherit (flake.config.people) user0;
|
||||
inherit (flake.config.people.user.${user0}) domain;
|
||||
inherit (flake.config.system.device) server wildcard;
|
||||
inherit (flake.config.service.instance.jellyfin) paths ports name subdomain ssl;
|
||||
localhost = wildcard.ip.address0;
|
||||
host = "${subdomain}.${domain.url0}";
|
||||
inherit (flake.config.system.device) server;
|
||||
inherit (flake.config.service.instance) jellyfin web;
|
||||
service = jellyfin;
|
||||
localhost = web.localhost.address0;
|
||||
host = "${service.subdomain}.${web.domains.url0}";
|
||||
in {
|
||||
services = {
|
||||
jellyfin = {
|
||||
|
|
@ -23,9 +23,9 @@ in {
|
|||
redir /.well-known/carddav /remote.php/dav/ 301
|
||||
redir /.well-known/caldav /remote.php/dav/ 301
|
||||
|
||||
reverse_proxy ${localhost}:${toString ports.port1}
|
||||
reverse_proxy ${localhost}:${toString service.ports.port1}
|
||||
|
||||
tls ${ssl.cert} ${ssl.key}
|
||||
tls ${service.ssl.cert} ${service.ssl.key}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
|
@ -39,29 +39,29 @@ in {
|
|||
depends = [server.storage0.mount];
|
||||
};
|
||||
in {
|
||||
"/var/lib/${name}" =
|
||||
"/var/lib/${service.name}" =
|
||||
{
|
||||
device = paths.path0;
|
||||
device = service.paths.path0;
|
||||
}
|
||||
// settings;
|
||||
"/var/cache/${name}" =
|
||||
"/var/cache/${service.name}" =
|
||||
{
|
||||
device = "${paths.path0}/cache";
|
||||
device = "${service.paths.path0}/cache";
|
||||
}
|
||||
// settings;
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"Z ${paths.path0} 0755 ${user0} ${name} -"
|
||||
"Z ${paths.path0}/cache 0755 ${user0} ${name} -"
|
||||
"Z ${service.paths.path0} 0755 ${user0} ${service.name} -"
|
||||
"Z ${service.paths.path0}/cache 0755 ${user0} ${service.name} -"
|
||||
];
|
||||
|
||||
networking = {
|
||||
firewall = {
|
||||
allowedTCPPorts = [
|
||||
ports.port0
|
||||
ports.port1
|
||||
ports.port2
|
||||
service.ports.port0
|
||||
service.ports.port1
|
||||
service.ports.port2
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -5,12 +5,11 @@
|
|||
lib,
|
||||
...
|
||||
}: let
|
||||
inherit (flake.config.people) user0;
|
||||
inherit (flake.config.people.user.${user0}) domain email;
|
||||
inherit (flake.config.system.device) server wildcard;
|
||||
inherit (flake.config.service.instance.mastodon) paths name sops ssl;
|
||||
host = domain.url1;
|
||||
localhost = wildcard.ip.address0;
|
||||
inherit (flake.config.system.device) server;
|
||||
inherit (flake.config.service.instance) mastodon web;
|
||||
service = mastodon;
|
||||
host = web.domains.url1;
|
||||
localhost = web.localhost.address0;
|
||||
in {
|
||||
# If you need to start fresh for some reason, run these to create the new Admin account:
|
||||
# sudo -u mastodon mastodon-tootctl accounts create nick --email=nick@localhost --confirmed --role=Owner
|
||||
|
|
@ -46,9 +45,9 @@ in {
|
|||
automaticMigrations = true;
|
||||
database = {
|
||||
createLocally = true;
|
||||
name = name;
|
||||
name = service.name;
|
||||
host = "/run/postgresql";
|
||||
user = name;
|
||||
user = service.name;
|
||||
passwordFile = config.sops.secrets.mastodon-database.path;
|
||||
};
|
||||
extraConfig = {
|
||||
|
|
@ -92,11 +91,11 @@ in {
|
|||
smtp = {
|
||||
authenticate = true;
|
||||
createLocally = false;
|
||||
fromAddress = "The Nutrivore <${email.address2}>";
|
||||
fromAddress = "The Nutrivore <${service.email.address0}>";
|
||||
host = "smtp.protonmail.ch";
|
||||
passwordFile = config.sops.secrets.mastodon-smtp.path;
|
||||
port = 587;
|
||||
user = email.address2;
|
||||
user = service.email.address0;
|
||||
};
|
||||
};
|
||||
caddy = {
|
||||
|
|
@ -121,7 +120,7 @@ in {
|
|||
reverse_proxy * unix//run/mastodon-web/web.socket
|
||||
}
|
||||
|
||||
tls ${ssl.cert} ${ssl.key}
|
||||
tls ${service.ssl.cert} ${service.ssl.key}
|
||||
|
||||
handle_errors {
|
||||
root * ${pkgs.mastodon}/public
|
||||
|
|
@ -149,34 +148,34 @@ in {
|
|||
sops = let
|
||||
sopsSecrets = ["smtp" "database" "redis"];
|
||||
sopsPath = secret: {
|
||||
path = "${sops.path0}/${name}-${secret}";
|
||||
owner = name;
|
||||
path = "${service.sops.path0}/${service.name}-${secret}";
|
||||
owner = service.name;
|
||||
mode = "600";
|
||||
};
|
||||
in {
|
||||
secrets = builtins.listToAttrs (
|
||||
map
|
||||
(secret: {
|
||||
name = "${name}-${secret}";
|
||||
name = "${service.name}-${secret}";
|
||||
value = sopsPath secret;
|
||||
})
|
||||
sopsSecrets
|
||||
);
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/${name}" = {
|
||||
device = paths.path0;
|
||||
fileSystems."/var/lib/${service.name}" = {
|
||||
device = service.paths.path0;
|
||||
fsType = "none";
|
||||
options = ["bind"];
|
||||
depends = [server.storage0.mount];
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"Z ${paths.path0} 0755 ${name} ${name} -"
|
||||
"Z ${sops.path0} 0755 ${name} ${name} -"
|
||||
"Z ${service.paths.path0} 0755 ${service.name} ${service.name} -"
|
||||
"Z ${service.sops.path0} 0755 ${service.name} ${service.name} -"
|
||||
];
|
||||
|
||||
users.users.${name}.extraGroups = ["postgres"];
|
||||
users.users.${service.name}.extraGroups = ["postgres"];
|
||||
|
||||
networking = {
|
||||
firewall = {
|
||||
|
|
|
|||
|
|
@ -4,7 +4,8 @@
|
|||
...
|
||||
}: let
|
||||
inherit (flake.config.system.device) server;
|
||||
inherit (flake.config.service.instance.minecraft) paths ports name sops;
|
||||
inherit (flake.config.service.instance) minecraft;
|
||||
service = minecraft;
|
||||
in {
|
||||
services = {
|
||||
minecraft-server = {
|
||||
|
|
@ -13,7 +14,7 @@ in {
|
|||
openFirewall = true;
|
||||
declarative = true;
|
||||
serverProperties = {
|
||||
"rcon.password" = config.sops.secrets."${name}-pass".path;
|
||||
"rcon.password" = config.sops.secrets."${service.name}-pass".path;
|
||||
allow-flight = false;
|
||||
allow-nether = true;
|
||||
difficulty = 2;
|
||||
|
|
@ -32,7 +33,7 @@ in {
|
|||
motd = "A cool Minecraft server powered by NixOS";
|
||||
online-mode = true;
|
||||
pvp = true;
|
||||
server-port = ports.port0;
|
||||
server-port = service.ports.port0;
|
||||
spawn-animals = true;
|
||||
spawn-monsters = true;
|
||||
spawn-npcs = true;
|
||||
|
|
@ -51,37 +52,37 @@ in {
|
|||
sops = let
|
||||
sopsSecrets = ["pass"];
|
||||
sopsPath = secret: {
|
||||
path = "${sops.path0}/${name}-${secret}";
|
||||
owner = name;
|
||||
path = "${service.sops.path0}/${service.name}-${secret}";
|
||||
owner = service.name;
|
||||
mode = "600";
|
||||
};
|
||||
in {
|
||||
secrets = builtins.listToAttrs (
|
||||
map
|
||||
(secret: {
|
||||
name = "${name}-${secret}";
|
||||
name = "${service.name}-${secret}";
|
||||
value = sopsPath secret;
|
||||
})
|
||||
sopsSecrets
|
||||
);
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/${name}" = {
|
||||
device = paths.path0;
|
||||
fileSystems."/var/lib/${service.name}" = {
|
||||
device = service.paths.path0;
|
||||
fsType = "none";
|
||||
options = ["bind"];
|
||||
depends = [server.storage0.mount];
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"Z ${paths.path0} 0755 ${name} ${name} -"
|
||||
"Z ${sops.path0} 0755 ${name} ${name} -"
|
||||
"Z ${service.paths.path0} 0755 ${service.name} ${service.name} -"
|
||||
"Z ${service.sops.path0} 0755 ${service.name} ${service.name} -"
|
||||
];
|
||||
|
||||
networking = {
|
||||
firewall = {
|
||||
allowedTCPPorts = [
|
||||
ports.port0
|
||||
service.ports.port0
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -5,11 +5,12 @@
|
|||
...
|
||||
}: let
|
||||
inherit (flake.config.people) user0;
|
||||
inherit (flake.config.people.user.${user0}) domain name;
|
||||
inherit (flake.config.system.device) server wildcard;
|
||||
inherit (flake.config.service.instance) nextcloud nginx;
|
||||
localhost = wildcard.ip.address0;
|
||||
host = "${nextcloud.subdomain}.${domain.url1}";
|
||||
inherit (flake.config.people.user.${user0}) name;
|
||||
inherit (flake.config.system.device) server;
|
||||
inherit (flake.config.service.instance) nextcloud nginx web;
|
||||
service = nextcloud;
|
||||
localhost = web.localhost.address0;
|
||||
host = "${service.subdomain}.${web.domains.url1}";
|
||||
in {
|
||||
services = {
|
||||
nextcloud = {
|
||||
|
|
@ -24,13 +25,13 @@ in {
|
|||
extraAppsEnable = true;
|
||||
extraApps = {
|
||||
inherit
|
||||
(config.services.nextcloud.package.packages.apps)
|
||||
(config.services.service.package.packages.apps)
|
||||
contacts
|
||||
calendar
|
||||
;
|
||||
};
|
||||
config = {
|
||||
adminpassFile = config.sops.secrets."${nextcloud.name}-pass".path;
|
||||
adminpassFile = config.sops.secrets."${service.name}-pass".path;
|
||||
adminuser = name;
|
||||
dbtype = "pgsql";
|
||||
};
|
||||
|
|
@ -54,7 +55,7 @@ in {
|
|||
enable = true;
|
||||
virtualHosts.${host}.listen = [
|
||||
{
|
||||
addr = wildcard.ip.address1;
|
||||
addr = web.localhost.address1;
|
||||
port = nginx.ports.port0;
|
||||
}
|
||||
];
|
||||
|
|
@ -66,7 +67,7 @@ in {
|
|||
extraConfig = ''
|
||||
reverse_proxy ${localhost}:${toString nginx.ports.port0}
|
||||
|
||||
tls ${nextcloud.ssl.cert} ${nextcloud.ssl.key}
|
||||
tls ${service.ssl.cert} ${service.ssl.key}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
|
@ -76,40 +77,40 @@ in {
|
|||
sops = let
|
||||
sopsSecrets = ["pass"];
|
||||
sopsPath = secret: {
|
||||
path = "${nextcloud.sops.path0}/${nextcloud.name}-${secret}";
|
||||
owner = nextcloud.name;
|
||||
path = "${service.sops.path0}/${service.name}-${secret}";
|
||||
owner = service.name;
|
||||
mode = "600";
|
||||
};
|
||||
in {
|
||||
secrets = builtins.listToAttrs (
|
||||
map
|
||||
(secret: {
|
||||
name = "${nextcloud.name}-${secret}";
|
||||
name = "${service.name}-${secret}";
|
||||
value = sopsPath secret;
|
||||
})
|
||||
sopsSecrets
|
||||
);
|
||||
};
|
||||
|
||||
# fileSystems."/var/lib/${nextcloud.name}" = {
|
||||
# device = nextcloud.paths.path0;
|
||||
# fsType = "none";
|
||||
# options = ["bind"];
|
||||
# depends = [server.storage0.mount];
|
||||
# };
|
||||
fileSystems."/var/lib/${service.name}" = {
|
||||
device = service.paths.path0;
|
||||
fsType = "none";
|
||||
options = ["bind"];
|
||||
depends = [server.storage0.mount];
|
||||
};
|
||||
|
||||
# systemd.tmpfiles.rules = [
|
||||
# "Z ${nextcloud.paths.path0} 750 ${nextcloud.name} ${nextcloud.name} -"
|
||||
# "Z ${nextcloud.sops.path0} 750 ${nextcloud.name} ${nextcloud.name} -"
|
||||
# ];
|
||||
systemd.tmpfiles.rules = [
|
||||
"Z ${service.paths.path0} 750 ${service.name} ${service.name} -"
|
||||
"Z ${service.sops.path0} 750 ${service.name} ${service.name} -"
|
||||
];
|
||||
|
||||
users.users.${nextcloud.name}.extraGroups = ["caddy" "nginx" "postgres"];
|
||||
users.users.${service.name}.extraGroups = ["caddy" "nginx" "postgres"];
|
||||
|
||||
networking = {
|
||||
firewall = {
|
||||
allowedTCPPorts = [
|
||||
nginx.ports.port0
|
||||
nextcloud.ports.port0
|
||||
service.ports.port0
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -1,31 +1,30 @@
|
|||
{flake, ...}: let
|
||||
inherit (flake.config.people) user0;
|
||||
inherit (flake.config.people.user.${user0}) domain;
|
||||
inherit (flake.config.system.device) server wildcard;
|
||||
inherit (flake.config.service.instance.ollama) paths ports subdomain name ssl;
|
||||
localhost = wildcard.ip.address0;
|
||||
host = "${subdomain}.${domain.url0}";
|
||||
inherit (flake.config.system.device) server;
|
||||
inherit (flake.config.service.instance) ollama web;
|
||||
service = ollama;
|
||||
localhost = web.localhost.address0;
|
||||
host = "${service.subdomain}.${web.domains.url0}";
|
||||
in {
|
||||
services = {
|
||||
ollama = {
|
||||
acceleration = false;
|
||||
enable = true;
|
||||
group = name;
|
||||
group = service.name;
|
||||
host = "http://${localhost}";
|
||||
port = ports.port1;
|
||||
user = name;
|
||||
port = service.ports.port1;
|
||||
user = service.name;
|
||||
};
|
||||
|
||||
open-webui = {
|
||||
enable = true;
|
||||
host = localhost;
|
||||
port = ports.port0;
|
||||
port = service.ports.port0;
|
||||
environment = {
|
||||
ENABLE_OLLAMA_API = "True";
|
||||
ANONYMIZED_TELEMETRY = "False";
|
||||
DO_NOT_TRACK = "True";
|
||||
SCARF_NO_ANALYTICS = "True";
|
||||
OLLAMA_BASE_URL = "http://${localhost}:${toString ports.port1}";
|
||||
OLLAMA_BASE_URL = "http://${localhost}:${toString service.ports.port1}";
|
||||
WEBUI_AUTH = "True";
|
||||
};
|
||||
};
|
||||
|
|
@ -34,29 +33,29 @@ in {
|
|||
virtualHosts = {
|
||||
${host} = {
|
||||
extraConfig = ''
|
||||
reverse_proxy ${localhost}:${toString ports.port0}
|
||||
reverse_proxy ${localhost}:${toString service.ports.port0}
|
||||
|
||||
tls ${ssl.cert} ${ssl.key}
|
||||
tls ${service.ssl.cert} ${service.ssl.key}
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/${name}" = {
|
||||
device = paths.path0;
|
||||
fileSystems."/var/lib/${service.name}" = {
|
||||
device = service.paths.path0;
|
||||
fsType = "none";
|
||||
options = ["bind"];
|
||||
depends = [server.storage0.mount];
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = ["Z ${paths.path0} 0755 ${name} ${name} -"];
|
||||
systemd.tmpfiles.rules = ["Z ${service.paths.path0} 0755 ${service.name} ${service.name} -"];
|
||||
|
||||
networking = {
|
||||
firewall = {
|
||||
allowedTCPPorts = [
|
||||
ports.port0
|
||||
ports.port1
|
||||
service.ports.port0
|
||||
service.ports.port1
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -1,25 +1,23 @@
|
|||
{flake, ...}: let
|
||||
inherit (flake.config.people) user0;
|
||||
inherit (flake.config.people.user.${user0}) domain;
|
||||
inherit (flake.config.system.device) wildcard;
|
||||
inherit (flake.config.service.instance.owncast) ports subdomain ssl;
|
||||
localhost = wildcard.ip.address1;
|
||||
host = "${subdomain}.${domain.url1}";
|
||||
inherit (flake.config.service.instance) owncast web;
|
||||
service = owncast;
|
||||
localhost = web.localhost.address1;
|
||||
host = "${service.subdomain}.${web.domains.url1}";
|
||||
in {
|
||||
services = {
|
||||
owncast = {
|
||||
enable = true;
|
||||
listen = localhost;
|
||||
port = ports.port0;
|
||||
port = service.ports.port0;
|
||||
openFirewall = true;
|
||||
};
|
||||
caddy = {
|
||||
virtualHosts = {
|
||||
"${host}" = {
|
||||
extraConfig = ''
|
||||
reverse_proxy ${localhost}:${toString ports.port0}
|
||||
reverse_proxy ${localhost}:${toString service.ports.port0}
|
||||
|
||||
tls ${ssl.cert} ${ssl.key}
|
||||
tls ${service.ssl.cert} ${service.ssl.key}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
|
@ -29,8 +27,8 @@ in {
|
|||
networking = {
|
||||
firewall = {
|
||||
allowedTCPPorts = [
|
||||
ports.port0
|
||||
ports.port1
|
||||
service.ports.port0
|
||||
service.ports.port1
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -4,24 +4,23 @@
|
|||
pkgs,
|
||||
...
|
||||
}: let
|
||||
inherit (flake.config.people) user0;
|
||||
inherit (flake.config.people.user.${user0}) domain email;
|
||||
inherit (flake.config.system.device) server wildcard;
|
||||
inherit (flake.config.service.instance) caddy peertube;
|
||||
localhost = wildcard.ip.address0;
|
||||
host = "${peertube.subdomain}.${domain.url1}";
|
||||
inherit (flake.config.system.device) server;
|
||||
inherit (flake.config.service.instance) caddy peertube web;
|
||||
service = peertube;
|
||||
localhost = web.localhost.address0;
|
||||
host = "${service.subdomain}.${web.domains.url1}";
|
||||
in {
|
||||
services = {
|
||||
peertube = {
|
||||
configureNginx = false;
|
||||
enable = true;
|
||||
enableWebHttps = true;
|
||||
group = peertube.name;
|
||||
group = service.name;
|
||||
listenWeb = caddy.ports.port1;
|
||||
listenHttp = peertube.ports.port0;
|
||||
listenHttp = service.ports.port0;
|
||||
localDomain = host;
|
||||
serviceEnvironmentFile = config.sops.secrets."${peertube.name}-root".path;
|
||||
user = peertube.name;
|
||||
serviceEnvironmentFile = config.sops.secrets."${service.name}-root".path;
|
||||
user = service.name;
|
||||
plugins = {
|
||||
enable = true;
|
||||
plugins = with pkgs; [
|
||||
|
|
@ -33,7 +32,7 @@ in {
|
|||
};
|
||||
|
||||
secrets = {
|
||||
secretsFile = config.sops.secrets."${peertube.name}-secret".path;
|
||||
secretsFile = config.sops.secrets."${service.name}-secret".path;
|
||||
};
|
||||
settings = {
|
||||
instance = {
|
||||
|
|
@ -45,25 +44,25 @@ in {
|
|||
smtp = {
|
||||
transport = "smtp";
|
||||
disable_starttls = false;
|
||||
from_address = email.address4;
|
||||
from_address = service.email.address0;
|
||||
hostname = "smtp.protonmail.ch";
|
||||
port = 587;
|
||||
username = email.address4;
|
||||
username = service.email.address0;
|
||||
tls = false;
|
||||
};
|
||||
};
|
||||
database = {
|
||||
createLocally = true;
|
||||
passwordFile = config.sops.secrets."${peertube.name}-database".path;
|
||||
passwordFile = config.sops.secrets."${service.name}-database".path;
|
||||
};
|
||||
redis = {
|
||||
enableUnixSocket = true;
|
||||
createLocally = true;
|
||||
passwordFile = config.sops.secrets."${peertube.name}-redis".path;
|
||||
passwordFile = config.sops.secrets."${service.name}-redis".path;
|
||||
};
|
||||
smtp = {
|
||||
createLocally = true;
|
||||
passwordFile = config.sops.secrets."${peertube.name}-smtp".path;
|
||||
passwordFile = config.sops.secrets."${service.name}-smtp".path;
|
||||
};
|
||||
};
|
||||
|
||||
|
|
@ -71,9 +70,9 @@ in {
|
|||
virtualHosts = {
|
||||
${host} = {
|
||||
extraConfig = ''
|
||||
reverse_proxy ${localhost}:${toString peertube.ports.port0}
|
||||
reverse_proxy ${localhost}:${toString service.ports.port0}
|
||||
|
||||
tls ${peertube.ssl.cert} ${peertube.ssl.key}
|
||||
tls ${service.ssl.cert} ${service.ssl.key}
|
||||
|
||||
'';
|
||||
};
|
||||
|
|
@ -84,43 +83,43 @@ in {
|
|||
sops = let
|
||||
sopsSecrets = ["smtp" "database" "redis" "root" "secret"];
|
||||
sopsPath = secret: {
|
||||
path = "${peertube.sops.path0}/${peertube.name}-${secret}-pass";
|
||||
owner = peertube.name;
|
||||
path = "${service.sops.path0}/${service.name}-${secret}-pass";
|
||||
owner = service.name;
|
||||
mode = "600";
|
||||
};
|
||||
in {
|
||||
secrets = builtins.listToAttrs (
|
||||
map
|
||||
(secret: {
|
||||
name = "${peertube.name}-${secret}";
|
||||
name = "${service.name}-${secret}";
|
||||
value = sopsPath secret;
|
||||
})
|
||||
sopsSecrets
|
||||
);
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/${peertube.name}" = {
|
||||
device = peertube.paths.path0;
|
||||
fileSystems."/var/lib/${service.name}" = {
|
||||
device = service.paths.path0;
|
||||
fsType = "none";
|
||||
options = ["bind"];
|
||||
depends = [server.storage0.mount];
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"Z ${peertube.paths.path0} 755 ${peertube.name} ${peertube.name} -"
|
||||
"Z ${peertube.sops.path0} 755 ${peertube.name} ${peertube.name} -"
|
||||
"Z ${service.paths.path0} 755 ${service.name} ${service.name} -"
|
||||
"Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
|
||||
];
|
||||
|
||||
users.users.${peertube.name}.extraGroups = ["nginx" "caddy"];
|
||||
users.users.${service.name}.extraGroups = ["nginx" "caddy"];
|
||||
|
||||
networking = {
|
||||
firewall = {
|
||||
allowedTCPPorts = [
|
||||
peertube.ports.port0
|
||||
peertube.ports.port1
|
||||
peertube.ports.port2
|
||||
peertube.ports.port3
|
||||
peertube.ports.port4
|
||||
service.ports.port0
|
||||
service.ports.port1
|
||||
service.ports.port2
|
||||
service.ports.port3
|
||||
service.ports.port4
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -1,11 +1,13 @@
|
|||
{flake, ...}: let
|
||||
inherit (flake.config.service.instance.postgresql) name paths ports;
|
||||
inherit (flake.config.system.device) server;
|
||||
inherit (flake.config.service.instance) postgresql;
|
||||
|
||||
service = postgresql;
|
||||
in {
|
||||
services = {
|
||||
postgresqlBackup = {
|
||||
enable = true;
|
||||
location = paths.path0;
|
||||
location = service.paths.path0;
|
||||
databases = ["mastodon" "nextcloud" "peertube" "forgejo" "wiki"];
|
||||
};
|
||||
postgresql = {
|
||||
|
|
@ -15,23 +17,23 @@ in {
|
|||
networking = {
|
||||
firewall = {
|
||||
allowedTCPPorts = [
|
||||
ports.port0
|
||||
service.ports.port0
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/postgresql" = {
|
||||
device = paths.path0;
|
||||
device = service.paths.path0;
|
||||
fsType = "none";
|
||||
options = ["bind"];
|
||||
depends = [server.storage0.mount];
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = ["Z ${paths.path0} 700 ${name} ${name} -"];
|
||||
systemd.tmpfiles.rules = ["Z ${service.paths.path0} 700 ${service.name} ${service.name} -"];
|
||||
|
||||
users.users.${name}.extraGroups = ["nextcloud" "mastodon" "forgejo"];
|
||||
users.users.${service.name}.extraGroups = ["nextcloud" "mastodon" "forgejo"];
|
||||
|
||||
system.activationScripts.postgresCommands = ''
|
||||
chown -R ${name}:${name} ${paths.path0}
|
||||
chown -R ${service.name}:${service.name} ${service.paths.path0}
|
||||
'';
|
||||
}
|
||||
|
|
|
|||
|
|
@ -4,6 +4,7 @@
|
|||
...
|
||||
}: let
|
||||
inherit (flake.config.service.instance) samba jellyfin;
|
||||
service = samba;
|
||||
in {
|
||||
# If you ever need to start fresh, you need to add yourself to the Samba users database:
|
||||
# sudo smbpasswd -a username
|
||||
|
|
@ -13,7 +14,7 @@ in {
|
|||
enable = true;
|
||||
openFirewall = true;
|
||||
settings = {
|
||||
${samba.paths.path1} = {
|
||||
${service.paths.path1} = {
|
||||
path = jellyfin.paths.path0;
|
||||
writable = "true";
|
||||
};
|
||||
|
|
@ -24,7 +25,7 @@ in {
|
|||
networking = {
|
||||
firewall = {
|
||||
allowedTCPPorts = [
|
||||
samba.ports.port0
|
||||
service.ports.port0
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -3,18 +3,16 @@
|
|||
config,
|
||||
...
|
||||
}: let
|
||||
inherit (flake.config.people) user0;
|
||||
inherit (flake.config.people.user.${user0}) domain email;
|
||||
inherit (flake.config.system.device) wildcard;
|
||||
inherit (flake.config.service.instance.vaultwarden) paths ports subdomain name sops ssl;
|
||||
localhost = wildcard.ip.address0;
|
||||
host = "${subdomain}.${domain.url0}";
|
||||
inherit (flake.config.service.instance) vaultwarden web;
|
||||
service = vaultwarden;
|
||||
localhost = web.localhost.address0;
|
||||
host = "${service.subdomain}.${web.domains.url0}";
|
||||
in {
|
||||
services = {
|
||||
vaultwarden = {
|
||||
backupDir = paths.path0;
|
||||
backupDir = service.paths.path0;
|
||||
enable = true;
|
||||
environmentFile = config.sops.secrets."${name}/env".path;
|
||||
environmentFile = config.sops.secrets."${service.name}/env".path;
|
||||
config = {
|
||||
# Domain Configuration
|
||||
DOMAIN = "https://${host}";
|
||||
|
|
@ -22,12 +20,12 @@ in {
|
|||
# Email Configuration
|
||||
SMTP_AUTH_MECHANISM = "Plain";
|
||||
SMTP_EMBED_IMAGES = true;
|
||||
SMTP_FROM = email.address3;
|
||||
SMTP_FROM = service.email.address0;
|
||||
SMTP_FROM_NAME = "Vaultwarden";
|
||||
SMTP_HOST = "smtp.protonmail.ch";
|
||||
SMTP_PORT = 587;
|
||||
SMTP_SECURITY = "starttls";
|
||||
SMTP_USERNAME = email.address3;
|
||||
SMTP_USERNAME = service.email.address0;
|
||||
|
||||
# Security Configuration
|
||||
DISABLE_ADMIN_TOKEN = false;
|
||||
|
|
@ -42,18 +40,18 @@ in {
|
|||
|
||||
# Rocket (Web Server) Settings
|
||||
ROCKET_ADDRESS = localhost;
|
||||
ROCKET_PORT = ports.port0;
|
||||
ROCKET_PORT = service.ports.port0;
|
||||
};
|
||||
};
|
||||
caddy = {
|
||||
virtualHosts = {
|
||||
"${host}" = {
|
||||
extraConfig = ''
|
||||
reverse_proxy ${localhost}:${toString ports.port0} {
|
||||
reverse_proxy ${localhost}:${toString service.ports.port0} {
|
||||
header_up X-Real-IP {remote_host}
|
||||
}
|
||||
|
||||
tls ${ssl.cert} ${ssl.key}
|
||||
tls ${service.ssl.cert} ${service.ssl.key}
|
||||
|
||||
encode zstd gzip
|
||||
'';
|
||||
|
|
@ -65,15 +63,15 @@ in {
|
|||
sops = let
|
||||
sopsSecrets = ["env"];
|
||||
sopsPath = secret: {
|
||||
path = "${sops.path0}/${name}-${secret}";
|
||||
owner = name;
|
||||
path = "${service.sops.path0}/${service.name}-${secret}";
|
||||
owner = service.name;
|
||||
mode = "600";
|
||||
};
|
||||
in {
|
||||
secrets = builtins.listToAttrs (
|
||||
map
|
||||
(secret: {
|
||||
name = "${name}/${secret}";
|
||||
name = "${service.name}/${secret}";
|
||||
value = sopsPath secret;
|
||||
})
|
||||
sopsSecrets
|
||||
|
|
@ -81,14 +79,14 @@ in {
|
|||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"Z ${paths.path0} 0755 ${name} ${name} -"
|
||||
"Z ${sops.path0} 755 ${name} ${name} -"
|
||||
"Z ${service.paths.path0} 0755 ${service.name} ${service.name} -"
|
||||
"Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
|
||||
];
|
||||
|
||||
networking = {
|
||||
firewall = {
|
||||
allowedTCPPorts = [
|
||||
ports.port0
|
||||
service.ports.port0
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -3,22 +3,21 @@
|
|||
config,
|
||||
...
|
||||
}: let
|
||||
inherit (flake.config.people) user0;
|
||||
inherit (flake.config.people.user.${user0}) domain;
|
||||
inherit (flake.config.system.device) server wildcard;
|
||||
inherit (flake.config.service.instance.wiki) paths ports subdomain ssl sops name;
|
||||
localhost = wildcard.ip.address0;
|
||||
host = "${subdomain}.${domain.url1}";
|
||||
inherit (flake.config.system.device) server;
|
||||
inherit (flake.config.service.instance) web wiki;
|
||||
service = wiki;
|
||||
localhost = web.localhost.address0;
|
||||
host = "${service.subdomain}.${web.domains.url1}";
|
||||
in {
|
||||
services = {
|
||||
wiki-js = {
|
||||
enable = true;
|
||||
environmentFile = config.sops.secrets."${name}-pass".path;
|
||||
environmentFile = config.sops.secrets."${service.name}-pass".path;
|
||||
settings = {
|
||||
port = ports.port0;
|
||||
port = service.ports.port0;
|
||||
bindIP = localhost;
|
||||
db = {
|
||||
db = name;
|
||||
db = service.name;
|
||||
type = "postgres";
|
||||
host = host;
|
||||
};
|
||||
|
|
@ -29,19 +28,19 @@ in {
|
|||
virtualHosts = {
|
||||
"${host}" = {
|
||||
extraConfig = ''
|
||||
reverse_proxy ${localhost}:${toString ports.port0}
|
||||
reverse_proxy ${localhost}:${toString service.ports.port0}
|
||||
|
||||
tls ${ssl.cert} ${ssl.key}
|
||||
tls ${service.ssl.cert} ${service.ssl.key}
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
postgresql = {
|
||||
ensureDatabases = [name];
|
||||
ensureDatabases = [service.name];
|
||||
ensureUsers = [
|
||||
{
|
||||
name = name;
|
||||
name = service.name;
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
];
|
||||
|
|
@ -51,7 +50,7 @@ in {
|
|||
sops = let
|
||||
sopsSecrets = ["pass"];
|
||||
sopsPath = secret: {
|
||||
path = "${sops.path0}/${name}-${secret}";
|
||||
path = "${service.sops.path0}/${service.name}-${secret}";
|
||||
owner = "root";
|
||||
mode = "600";
|
||||
};
|
||||
|
|
@ -59,30 +58,30 @@ in {
|
|||
secrets = builtins.listToAttrs (
|
||||
map
|
||||
(secret: {
|
||||
name = "${name}-${secret}";
|
||||
name = "${service.name}-${secret}";
|
||||
value = sopsPath secret;
|
||||
})
|
||||
sopsSecrets
|
||||
);
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/${name}" = {
|
||||
device = paths.path0;
|
||||
fileSystems."/var/lib/${service.name}" = {
|
||||
device = service.paths.path0;
|
||||
fsType = "none";
|
||||
options = ["bind"];
|
||||
depends = [server.storage0.mount];
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"Z ${paths.path0} 755 ${name} ${name} -"
|
||||
"Z ${sops.path0} 755 ${name} ${name} -"
|
||||
"Z ${service.paths.path0} 755 ${service.name} ${service.name} -"
|
||||
"Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
|
||||
];
|
||||
|
||||
networking = {
|
||||
firewall = {
|
||||
allowedTCPPorts = [
|
||||
ports.port0
|
||||
ports.port1
|
||||
service.ports.port0
|
||||
service.ports.port1
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -1,7 +1,8 @@
|
|||
{flake, ...}: let
|
||||
inherit (flake.config.system.device) nas phone tablet wildcard;
|
||||
inherit (flake.config.service.instance.syncthing) ports;
|
||||
localhost = wildcard.ip.address0;
|
||||
inherit (flake.config.system.device) nas phone tablet;
|
||||
inherit (flake.config.service.instance) syncthing web;
|
||||
service = syncthing;
|
||||
localhost = web.localhost.address0;
|
||||
in {
|
||||
services = {
|
||||
syncthing = {
|
||||
|
|
@ -10,14 +11,14 @@ in {
|
|||
overrideFolders = false;
|
||||
openDefaultPorts = true;
|
||||
systemService = true;
|
||||
guiAddress = "${localhost}:${toString ports.port0}";
|
||||
guiAddress = "${localhost}:${toString service.ports.port0}";
|
||||
settings = {
|
||||
devices = {
|
||||
${nas.name} = {
|
||||
autoAcceptFolders = true;
|
||||
name = nas.name;
|
||||
addresses = [
|
||||
"tcp://${nas.ip.address0}:${toString ports.port2}"
|
||||
"tcp://${nas.ip.address0}:${toString service.ports.port2}"
|
||||
];
|
||||
id = nas.sync;
|
||||
};
|
||||
|
|
@ -25,7 +26,7 @@ in {
|
|||
autoAcceptFolders = true;
|
||||
name = phone.name;
|
||||
addresses = [
|
||||
"tcp://${phone.ip.address0}:${toString ports.port2}"
|
||||
"tcp://${phone.ip.address0}:${toString service.ports.port2}"
|
||||
];
|
||||
id = phone.sync;
|
||||
};
|
||||
|
|
@ -33,7 +34,7 @@ in {
|
|||
autoAcceptFolders = true;
|
||||
name = tablet.name;
|
||||
addresses = [
|
||||
"tcp://${tablet.ip.address0}:${toString ports.port2}"
|
||||
"tcp://${tablet.ip.address0}:${toString service.ports.port2}"
|
||||
];
|
||||
id = tablet.sync;
|
||||
};
|
||||
|
|
@ -45,9 +46,9 @@ in {
|
|||
networking = {
|
||||
firewall = {
|
||||
allowedTCPPorts = [
|
||||
ports.port0
|
||||
ports.port1
|
||||
ports.port2
|
||||
service.ports.port0
|
||||
service.ports.port1
|
||||
service.ports.port2
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
...
|
||||
}: let
|
||||
inherit (flake.config.people) user0;
|
||||
inherit (flake.config.people.user.${user0}) name git;
|
||||
inherit (flake.config.people.user.${user0}) name paths;
|
||||
|
||||
hostname = config.networking.hostName;
|
||||
in {
|
||||
|
|
@ -90,7 +90,7 @@ in {
|
|||
];
|
||||
in {
|
||||
rules =
|
||||
["d ${git.path0} 0755 ${user0} users -"]
|
||||
["d ${paths.path0} 0755 ${user0} users -"]
|
||||
++ (map (path: "d /home/${user0}/${path} 0755 ${user0} users -") directoriesAddedToHome)
|
||||
++ (map (path: "R /home/${user0}/${path} 0755 ${user0} users - -") directoriesRemovedFromHome);
|
||||
};
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue