upRootNutrition/dotfiles
1
0
Fork 0
mirror of https://gitlab.com/upRootNutrition/dotfiles.git synced 2025-06-16 18:15:13 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: init

Browse source
This commit is contained in:
Nick 2024-10-06 15:25:05 -05:00
commit c19ea940bd
320 changed files with 23845 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

86
nixos/modules/services/acme.nix Executable file
View file

@ -0,0 +1,86 @@
{
config,
flake,
...
}: let
inherit (flake.config.people) user0;
inherit (flake.config.people.user.${user0}) domain email dns;
inherit (flake.config.service.instance.acme) paths;
inherit (flake.config.service) instance;
dnsConfig = {
dnsProvider = dns.provider0;
directory = paths.path0;
environmentFile = config.sops.secrets."dns/namecheap".path;
};
instanceName = service: (instance.${service}.subdomain);
domain0Services = [
"nextcloud"
"jellyfin"
"minecraft"
"ollama"
"syncthing"
"vaultwarden"
];
domain1Services = [
"nextcloud"
"castopod"
"forgejo"
"matrix"
"peertube"
"writefreely"
];
domain0Sub = map instanceName domain0Services;
domain1Sub = map instanceName domain1Services;
domainRoot = [
domain.url0
domain.url1
];
in {
security.acme = {
acceptTerms = true;
defaults = {
email = email.address0;
server = "https://acme-v02.api.letsencrypt.org/directory";
};
certs = builtins.listToAttrs (
(map (prefix: {
name = "${prefix}.${domain.url0}";
value = dnsConfig;
})
domain0Sub)
++ (map (prefix: {
name = "${prefix}.${domain.url1}";
value = dnsConfig;
})
domain1Sub)
++ (map (name: {
name = name;
value = dnsConfig;
})
domainRoot)
);
};
sops = let
sopsSecrets = ["pass"];
sopsPath = secret: {
path = "/var/lib/secrets/${instance.acme.name}/${dns.provider0}-${secret}";
owner = "root";
mode = "600";
};
in {
secrets = builtins.listToAttrs (
map
(secret: {
name = "dns/${dns.provider0}";
value = sopsPath secret;
})
sopsSecrets
);
};
}

28
nixos/modules/services/caddy.nix Executable file
View file

@ -0,0 +1,28 @@
{flake, ...}: let
inherit (flake.config.people) user0;
inherit (flake.config.people.user.${user0}) domain;
inherit (flake.config.service.instance.caddy) ports;
in {
services.caddy = {
enable = true;
virtualHosts = {
"${domain.url0}" = {
extraConfig = ''
tls /var/lib/acme/${domain.url0}/fullchain.pem /var/lib/acme/${domain.url0}/key.pem
encode zstd gzip
'';
};
};
};
users.users.caddy.extraGroups = ["acme" "nextcloud" "mastodon"];
networking = {
firewall = {
allowedTCPPorts = [
ports.port0
ports.port1
];
};
};
}

102
nixos/modules/services/castopod.nix Executable file
View file

@ -0,0 +1,102 @@
{
flake,
config,
...
}: let
inherit (flake.config.people) user0;
inherit (flake.config.people.user.${user0}) domain email;
inherit (flake.config.system.device) server wildcard;
inherit (flake.config.service.instance.castopod) paths ports subdomain name sops ssl;
inherit (flake.config.service.instance) nginx;
localhost = wildcard.ip.address0;
host = "${subdomain}.${domain.url1}";
in {
services = {
castopod = {
enable = true;
localDomain = host;
configureNginx = false;
environmentFile = config.sops.secrets."${name}-smtp".path;
maxUploadSize = "1024M";
database = {
createLocally = true;
# passwordFile = config.sops.secrets."${name}-database".path;
};
poolSettings = {
pm = "dynamic";
"pm.max_children" = "32";
"pm.max_requests" = "500";
"pm.max_spare_servers" = "4";
"pm.min_spare_servers" = "2";
"pm.start_servers" = "2";
};
settings = {
"email.fromEmail" = email.address6;
"email.protocol" = "smtp";
"email.SMTPHost" = localhost;
"email.SMTPPort" = 587;
"email.SMTPUser" = "smtp.protonmail.ch";
};
};
nginx = {
enable = true;
virtualHosts = {
"${host}" = {
};
};
};
caddy = {
virtualHosts = {
"${host}" = {
extraConfig = ''
reverse_proxy ${localhost}:${toString ports.port0}
tls ${ssl.cert} ${ssl.key}
'';
};
};
};
};
sops = let
sopsSecrets = ["smtp" "database"];
sopsPath = secret: {
path = "${sops.path0}/${name}-${secret}";
owner = name;
mode = "600";
};
in {
secrets = builtins.listToAttrs (
map
(secret: {
name = "${name}-${secret}";
value = sopsPath secret;
})
sopsSecrets
);
};
fileSystems."/var/lib/${name}" = {
device = paths.path0;
fsType = "none";
options = ["bind"];
depends = [server.storage0.mount];
};
systemd.tmpfiles.rules = [
"Z ${paths.path0} 755 ${name} ${name} -"
"Z ${sops.path0} 755 ${name} ${name} -"
];
networking = {
firewall = {
allowedTCPPorts = [
ports.port0
nginx.ports.port0
];
};
};
users.groups.nginx = {};
}

31
nixos/modules/services/default.nix Executable file
View file

@ -0,0 +1,31 @@
{
imports = [
# Folders
./mastodon
# Files
./acme.nix
./caddy.nix
./jellyfin.nix
./logrotate.nix
./minecraft.nix
./ollama.nix
./peertube.nix
./postgresql.nix
./samba.nix
./vaultwarden.nix
# These are all broken.
# ./forgejo.nix
# Partial Nginx configs make it nearly impossible to use alongside Caddy. 👇
# ./castopod.nix
# The reverse proxy works, but something is cucked.
# Maybe the port, or some configuration thing. It's unclear.
# Might actually have to wait for the package to get uncucked. 👇
# ./nextcloud.nix
];
}

106
nixos/modules/services/forgejo.nix Executable file
View file

@ -0,0 +1,106 @@
{
flake,
config,
...
}: let
inherit (flake.config.people) user0;
inherit (flake.config.people.user.${user0}) domain email;
inherit (flake.config.system.device) server wildcard;
inherit (flake.config.service.instance.forgejo) paths ports name subdomain sops ssl;
localhost = wildcard.ip.address0;
host = "${subdomain}.${domain.url1}";
in {
services = {
forgejo = {
enable = true;
database.type = "postgres";
lfs.enable = true;
secrets = {
mailer.PASSWD = config.sops.secrets."${name}-smtp".path;
database.PASSWD = config.sops.secrets."${name}-database".path;
};
dump = {
interval = "5:00";
type = "zip";
file = "forgejo-backup";
enable = true;
};
settings = {
server = {
DOMAIN = host;
ROOT_URL = "https://${host}/";
HTTP_PORT = ports.port0;
};
# If you need to start from scratch, don't forget to turn this off again
service.DISABLE_REGISTRATION = false;
actions = {
ENABLED = true;
DEFAULT_ACTIONS_URL = "github";
};
mirror = {
ENABLED = true;
};
mailer = {
ENABLED = true;
SMTP_ADDR = "smtp.protonmail.ch";
FROM = email.address5;
USER = email.address5;
PROTOCOL = "smtp+starttls";
SMTP_PORT = 587;
SEND_AS_PLAIN_TEXT = true;
USE_CLIENT_CERT = false;
};
};
};
caddy = {
virtualHosts = {
"${host}" = {
extraConfig = ''
reverse_proxy ${localhost}:${toString ports.port0}
tls ${ssl.cert} ${ssl.key}
'';
};
};
};
};
sops = let
sopsSecrets = ["smtp" "database"];
sopsPath = secret: {
path = "${sops.path0}/${name}-${secret}";
owner = name;
mode = "600";
};
in {
secrets = builtins.listToAttrs (
map
(secret: {
name = "${name}-${secret}";
value = sopsPath secret;
})
sopsSecrets
);
};
fileSystems."/var/lib/${name}" = {
device = paths.path0;
fsType = "none";
options = ["bind"];
depends = [server.storage0.mount];
};
systemd.tmpfiles.rules = [
"Z ${paths.path0} 755 ${name} ${name} -"
"Z ${sops.path0} 755 ${name} ${name} -"
];
users.users.${name}.extraGroups = ["caddy" "postgres"];
networking = {
firewall = {
allowedTCPPorts = [
ports.port0
];
};
};
}

68
nixos/modules/services/jellyfin.nix Executable file
View file

@ -0,0 +1,68 @@
{flake, ...}: let
inherit (flake.config.people) user0;
inherit (flake.config.people.user.${user0}) domain;
inherit (flake.config.system.device) server wildcard;
inherit (flake.config.service.instance.jellyfin) paths ports name subdomain ssl;
localhost = wildcard.ip.address0;
host = "${subdomain}.${domain.url0}";
in {
services = {
jellyfin = {
enable = true;
openFirewall = true;
user = user0;
};
jellyseerr = {
openFirewall = true;
enable = true;
};
caddy = {
virtualHosts = {
"${host}" = {
extraConfig = ''
redir /.well-known/carddav /remote.php/dav/ 301
redir /.well-known/caldav /remote.php/dav/ 301
reverse_proxy ${localhost}:${toString ports.port1}
tls ${ssl.cert} ${ssl.key}
'';
};
};
};
};
fileSystems = let
settings = {
fsType = "none";
options = ["bind"];
depends = [server.storage0.mount];
};
in {
"/var/lib/${name}" =
{
device = paths.path0;
}
// settings;
"/var/cache/${name}" =
{
device = "${paths.path0}/cache";
}
// settings;
};
systemd.tmpfiles.rules = [
"Z ${paths.path0} 0755 ${user0} ${name} -"
"Z ${paths.path0}/cache 0755 ${user0} ${name} -"
];
networking = {
firewall = {
allowedTCPPorts = [
ports.port0
ports.port1
ports.port2
];
};
};
}

3
nixos/modules/services/logrotate.nix Executable file
View file

@ -0,0 +1,3 @@
{
services.logrotate.enable = true;
}

34
nixos/modules/services/mastodon/chars.patch Executable file
View file

@ -0,0 +1,34 @@
diff --git a/app/javascript/mastodon/features/compose/components/compose_form.jsx b/app/javascript/mastodon/features/compose/components/compose_form.jsx
index 9222b2dc8..962310a28 100644
--- a/app/javascript/mastodon/features/compose/components/compose_form.jsx
+++ b/app/javascript/mastodon/features/compose/components/compose_form.jsx
@@ -100,7 +100,7 @@ class ComposeForm extends ImmutablePureComponent {
const fulltext = this.getFulltextForCharacterCounting();
const isOnlyWhitespace = fulltext.length !== 0 && fulltext.trim().length === 0;
- return !(isSubmitting || isUploading || isChangingUpload || length(fulltext) > 500 || (isOnlyWhitespace && !anyMedia));
+ return !(isSubmitting || isUploading || isChangingUpload || length(fulltext) > 5000 || (isOnlyWhitespace && !anyMedia));
};
handleSubmit = (e) => {
@@ -297,7 +297,7 @@ class ComposeForm extends ImmutablePureComponent {
</div>
<div className='character-counter__wrapper'>
- <CharacterCounter max={500} text={this.getFulltextForCharacterCounting()} />
+ <CharacterCounter max={5000} text={this.getFulltextForCharacterCounting()} />
</div>
</div>
</div>
diff --git a/app/validators/status_length_validator.rb b/app/validators/status_length_validator.rb
index dc841ded3..9cb1ec94b 100644
--- a/app/validators/status_length_validator.rb
+++ b/app/validators/status_length_validator.rb
@@ -1,7 +1,7 @@
# frozen_string_literal: true
class StatusLengthValidator < ActiveModel::Validator
- MAX_CHARS = 500
+ MAX_CHARS = 5000
URL_PLACEHOLDER_CHARS = 23
URL_PLACEHOLDER = 'x' * 23

186
nixos/modules/services/mastodon/default.nix Executable file
View file

@ -0,0 +1,186 @@
{
flake,
config,
pkgs,
lib,
...
}: let
inherit (flake.config.people) user0;
inherit (flake.config.people.user.${user0}) domain email;
inherit (flake.config.system.device) server wildcard;
inherit (flake.config.service.instance.mastodon) paths name sops ssl;
host = domain.url1;
localhost = wildcard.ip.address0;
in {
# If you need to start fresh for some reason, run these to create the new Admin account:
# sudo -u mastodon mastodon-tootctl accounts create nick --email=nick@localhost --confirmed --role=Owner
# sudo -u mastodon mastodon-tootctl accounts approve nick
# If you fuck up and lose the password, use this:
# sudo mastodon-tootctl accounts modify --reset-password nick
# If you really fuck up and name yourself wrong, use this shit
# sudo mastodon-tootctl accounts modify username --remove-role
nixpkgs.overlays = [
(
final: prev: {
mastodon = prev.mastodon.overrideAttrs (oldAttrs: {
postPatch =
(oldAttrs.postPatch or "")
+ ''
patch -p1 < ${./chars.patch}
'';
});
}
)
];
services = {
mastodon = {
enable = true;
localDomain = host;
secretKeyBaseFile = "/var/lib/mastodon/secrets/secret-key-base";
streamingProcesses = 7;
trustedProxy = localhost;
automaticMigrations = true;
database = {
createLocally = true;
name = name;
host = "/run/postgresql";
user = name;
passwordFile = config.sops.secrets.mastodon-database.path;
};
extraConfig = {
SINGLE_USER_MODE = "true";
SMTP_AUTH_METHOD = "plain";
SMTP_DELIVERY_METHOD = "smtp";
SMTP_ENABLE_STARTTLS_AUTO = "true";
SMTP_SSL = "false";
};
mediaAutoRemove = {
enable = true;
olderThanDays = 14;
};
redis = {
createLocally = true;
enableUnixSocket = true;
};
sidekiqThreads = 25;
sidekiqProcesses = {
all = {
jobClasses = [];
threads = null;
};
default = {
jobClasses = ["default"];
threads = 5;
};
ingress = {
jobClasses = ["ingress"];
threads = 5;
};
push-pull = {
jobClasses = ["push" "pull"];
threads = 5;
};
mailers = {
jobClasses = ["mailers"];
threads = 5;
};
};
smtp = {
authenticate = true;
createLocally = false;
fromAddress = "The Nutrivore <${email.address2}>";
host = "smtp.protonmail.ch";
passwordFile = config.sops.secrets.mastodon-smtp.path;
port = 587;
user = email.address2;
};
};
caddy = {
virtualHosts = {
"${host}" = {
extraConfig = ''
handle_path /system/* {
file_server * {
root /var/lib/mastodon/public-system
}
}
handle /api/v1/streaming/* {
reverse_proxy unix//run/mastodon-streaming/streaming.socket
}
route * {
file_server * {
root ${pkgs.mastodon}/public
pass_thru
}
reverse_proxy * unix//run/mastodon-web/web.socket
}
tls ${ssl.cert} ${ssl.key}
handle_errors {
root * ${pkgs.mastodon}/public
rewrite 500.html
file_server
}
encode gzip
header /* {
Strict-Transport-Security "max-age=31536000;"
}
header /emoji/* Cache-Control "public, max-age=31536000, immutable"
header /packs/* Cache-Control "public, max-age=31536000, immutable"
header /system/accounts/avatars/* Cache-Control "public, max-age=31536000, immutable"
header /system/media_attachments/files/* Cache-Control "public, max-age=31536000, immutable"
'';
};
};
};
};
systemd.services.caddy.serviceConfig.ReadWriteDirectories = lib.mkForce ["/var/lib/caddy" "/run/mastodon-web"];
sops = let
sopsSecrets = ["smtp" "database" "redis"];
sopsPath = secret: {
path = "${sops.path0}/${name}-${secret}";
owner = name;
mode = "600";
};
in {
secrets = builtins.listToAttrs (
map
(secret: {
name = "${name}-${secret}";
value = sopsPath secret;
})
sopsSecrets
);
};
fileSystems."/var/lib/${name}" = {
device = paths.path0;
fsType = "none";
options = ["bind"];
depends = [server.storage0.mount];
};
systemd.tmpfiles.rules = [
"Z ${paths.path0} 0755 ${name} ${name} -"
"Z ${sops.path0} 0755 ${name} ${name} -"
];
users.users.${name}.extraGroups = ["postgres"];
networking = {
firewall = {
allowedTCPPorts = [];
};
};
}

5422
nixos/modules/services/mastodon/twitter.txt Executable file
View file

File diff suppressed because one or more lines are too long

88
nixos/modules/services/minecraft.nix Executable file
View file

@ -0,0 +1,88 @@
{
config,
flake,
...
}: let
inherit (flake.config.system.device) server;
inherit (flake.config.service.instance.minecraft) paths ports name sops;
in {
services = {
minecraft-server = {
enable = true;
eula = true;
openFirewall = true;
declarative = true;
serverProperties = {
"rcon.password" = config.sops.secrets."${name}-pass".path;
allow-flight = false;
allow-nether = true;
difficulty = 2;
enable-command-block = false;
enable-rcon = true;
enable-status = true;
force-gamemode = true;
gamemode = 0;
generate-structures = true;
hardcore = false;
hide-online-players = false;
level-name = "Brix on Nix";
level-seed = "9064150133272194";
max-players = 10;
max-world-size = 64000000;
motd = "A cool Minecraft server powered by NixOS";
online-mode = true;
pvp = true;
server-port = ports.port0;
spawn-animals = true;
spawn-monsters = true;
spawn-npcs = true;
spawn-protection = 16;
view-dtstance = 32;
white-list = true;
};
whitelist = {
Hefty_Chungus = "b75a9816-d408-4c54-b226-385b59ea1cb3";
Hefty_Chungus_Jr = "c3bf8cac-e953-4ea4-ae5f-7acb92a51a85";
EclipseMoon01 = "adef4af7-d8c6-4627-b492-e990ea1bb993";
Fallaryn = "d8baa117-ab58-4b07-92a5-48fb1978eb49";
};
};
};
sops = let
sopsSecrets = ["pass"];
sopsPath = secret: {
path = "${sops.path0}/${name}-${secret}";
owner = name;
mode = "600";
};
in {
secrets = builtins.listToAttrs (
map
(secret: {
name = "${name}-${secret}";
value = sopsPath secret;
})
sopsSecrets
);
};
fileSystems."/var/lib/${name}" = {
device = paths.path0;
fsType = "none";
options = ["bind"];
depends = [server.storage0.mount];
};
systemd.tmpfiles.rules = [
"Z ${paths.path0} 0755 ${name} ${name} -"
"Z ${sops.path0} 0755 ${name} ${name} -"
];
networking = {
firewall = {
allowedTCPPorts = [
ports.port0
];
};
};
}

125
nixos/modules/services/nextcloud.nix Executable file
View file

@ -0,0 +1,125 @@
{
flake,
config,
pkgs,
...
}: let
inherit (flake.config.people) user0;
inherit (flake.config.people.user.${user0}) domain;
inherit (flake.config.system.device) server wildcard;
inherit (flake.config.service.instance) nextcloud nginx;
localhost = wildcard.ip.address0;
host = "${nextcloud.name}.${domain.url0}";
in {
imports = [
"${fetchTarball {
url = "https://github.com/onny/nixos-nextcloud-testumgebung/archive/fa6f062830b4bc3cedb9694c1dbf01d5fdf775ac.tar.gz";
sha256 = "0gzd0276b8da3ykapgqks2zhsqdv4jjvbv97dsxg0hgrhb74z0fs";
}}/nextcloud-extras.nix"
];
services = {
nextcloud = {
appstoreEnable = true;
autoUpdateApps.enable = true;
configureRedis = true;
enable = true;
hostName = host;
https = true;
webserver = "caddy";
package = pkgs.nextcloud29;
phpOptions."opcache.interned_strings_buffer" = "24";
extraAppsEnable = true;
extraApps = {
inherit
(config.services.nextcloud.package.packages.apps)
calendar
;
};
config = {
adminpassFile = config.sops.secrets."${nextcloud.name}-pass".path;
dbtype = "pgsql";
};
database = {
createLocally = true;
};
settings = {
default_phone_region = "CA";
log_type = "file";
mail_sendmailmode = "pipe";
mail_smtpmode = "sendmail";
maintenance_window_start = 4;
overwriteprotocol = "https";
enabledPreviewProviders = [
"OC\\Preview\\BMP"
"OC\\Preview\\GIF"
"OC\\Preview\\JPEG"
"OC\\Preview\\Krita"
"OC\\Preview\\MarkDown"
"OC\\Preview\\MP3"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\PNG"
"OC\\Preview\\TXT"
"OC\\Preview\\XBitmap"
"OC\\Preview\\HEIC"
];
trusted_proxies = [
localhost
];
};
};
caddy = {
virtualHosts = {
"https://${host}" = {
extraConfig = ''
reverse_proxy ${localhost}:${toString nextcloud.ports.port0}
tls ${nextcloud.ssl.cert} ${nextcloud.ssl.key}
'';
};
};
};
};
sops = let
sopsSecrets = ["pass"];
sopsPath = secret: {
path = "${nextcloud.sops.path0}/${nextcloud.name}-${secret}";
owner = nextcloud.name;
mode = "600";
};
in {
secrets = builtins.listToAttrs (
map
(secret: {
name = "${nextcloud.name}-${secret}";
value = sopsPath secret;
})
sopsSecrets
);
};
fileSystems."/var/lib/${nextcloud.name}" = {
device = nextcloud.paths.path0;
fsType = "none";
options = ["bind"];
depends = [server.storage0.mount];
};
systemd.tmpfiles.rules = [
"Z ${nextcloud.paths.path0} 750 ${nextcloud.name} ${nextcloud.name} -"
"Z ${nextcloud.sops.path0} 750 ${nextcloud.name} ${nextcloud.name} -"
];
users.users.${nextcloud.name}.extraGroups = ["caddy" "nginx" "postgres"];
networking = {
firewall = {
allowedTCPPorts = [
nginx.ports.port0
nextcloud.ports.port0
];
};
};
}

63
nixos/modules/services/ollama.nix Executable file
View file

@ -0,0 +1,63 @@
{flake, ...}: let
inherit (flake.config.people) user0;
inherit (flake.config.people.user.${user0}) domain;
inherit (flake.config.system.device) server wildcard;
inherit (flake.config.service.instance.ollama) paths ports subdomain name ssl;
localhost = wildcard.ip.address0;
host = "${subdomain}.${domain.url0}";
in {
services = {
ollama = {
acceleration = false;
enable = true;
group = name;
host = "http://${localhost}";
port = ports.port1;
user = name;
};
open-webui = {
enable = true;
host = localhost;
port = ports.port0;
environment = {
ENABLE_OLLAMA_API = "True";
ANONYMIZED_TELEMETRY = "False";
DO_NOT_TRACK = "True";
SCARF_NO_ANALYTICS = "True";
OLLAMA_BASE_URL = "http://${localhost}:${toString ports.port1}";
WEBUI_AUTH = "True";
};
};
caddy = {
virtualHosts = {
${host} = {
extraConfig = ''
reverse_proxy ${localhost}:${toString ports.port0}
tls ${ssl.cert} ${ssl.key}
'';
};
};
};
};
fileSystems."/var/lib/${name}" = {
device = paths.path0;
fsType = "none";
options = ["bind"];
depends = [server.storage0.mount];
};
systemd.tmpfiles.rules = ["Z ${paths.path0} 0755 ${name} ${name} -"];
networking = {
firewall = {
allowedTCPPorts = [
ports.port0
ports.port1
];
};
};
}

127
nixos/modules/services/peertube.nix Executable file
View file

@ -0,0 +1,127 @@
{
flake,
config,
pkgs,
...
}: let
inherit (flake.config.people) user0;
inherit (flake.config.people.user.${user0}) domain email;
inherit (flake.config.system.device) server wildcard;
inherit (flake.config.service.instance) caddy peertube;
localhost = wildcard.ip.address0;
host = "${peertube.subdomain}.${domain.url1}";
in {
services = {
peertube = {
configureNginx = false;
enable = true;
enableWebHttps = true;
group = peertube.name;
listenWeb = caddy.ports.port1;
listenHttp = peertube.ports.port0;
localDomain = host;
serviceEnvironmentFile = config.sops.secrets."${peertube.name}-root".path;
user = peertube.name;
plugins = {
enable = true;
plugins = with pkgs; [
peertube-plugin-livechat
peertube-plugin-matomo
peertube-plugin-transcoding-custom-quality
peertube-theme-dark
];
};
secrets = {
secretsFile = config.sops.secrets."${peertube.name}-secret".path;
};
settings = {
instance = {
name = "The Nutrivore";
};
log = {
level = "debug";
};
smtp = {
transport = "smtp";
disable_starttls = false;
from_address = email.address4;
hostname = "smtp.protonmail.ch";
port = 587;
username = email.address4;
tls = false;
};
};
database = {
createLocally = true;
passwordFile = config.sops.secrets."${peertube.name}-database".path;
};
redis = {
enableUnixSocket = true;
createLocally = true;
passwordFile = config.sops.secrets."${peertube.name}-redis".path;
};
smtp = {
createLocally = true;
passwordFile = config.sops.secrets."${peertube.name}-smtp".path;
};
};
caddy = {
virtualHosts = {
${host} = {
extraConfig = ''
reverse_proxy ${localhost}:${toString peertube.ports.port0}
tls ${peertube.ssl.cert} ${peertube.ssl.key}
'';
};
};
};
};
sops = let
sopsSecrets = ["smtp" "database" "redis" "root" "secret"];
sopsPath = secret: {
path = "${peertube.sops.path0}/${peertube.name}-${secret}-pass";
owner = peertube.name;
mode = "600";
};
in {
secrets = builtins.listToAttrs (
map
(secret: {
name = "${peertube.name}-${secret}";
value = sopsPath secret;
})
sopsSecrets
);
};
fileSystems."/var/lib/${peertube.name}" = {
device = peertube.paths.path0;
fsType = "none";
options = ["bind"];
depends = [server.storage0.mount];
};
systemd.tmpfiles.rules = [
"Z ${peertube.paths.path0} 755 ${peertube.name} ${peertube.name} -"
"Z ${peertube.sops.path0} 755 ${peertube.name} ${peertube.name} -"
];
users.users.${peertube.name}.extraGroups = ["nginx" "caddy"];
networking = {
firewall = {
allowedTCPPorts = [
peertube.ports.port0
peertube.ports.port1
peertube.ports.port2
peertube.ports.port3
peertube.ports.port4
];
};
};
}

37
nixos/modules/services/postgresql.nix Executable file
View file

@ -0,0 +1,37 @@
{flake, ...}: let
inherit (flake.config.service.instance.postgresql) name paths ports;
inherit (flake.config.system.device) server;
in {
services = {
postgresqlBackup = {
enable = true;
location = paths.path0;
databases = ["mastodon" "nextcloud" "peertube" "forgejo"];
};
postgresql = {
enable = true;
};
};
networking = {
firewall = {
allowedTCPPorts = [
ports.port0
];
};
};
fileSystems."/var/lib/postgresql" = {
device = paths.path0;
fsType = "none";
options = ["bind"];
depends = [server.storage0.mount];
};
systemd.tmpfiles.rules = ["Z ${paths.path0} 700 ${name} ${name} -"];
users.users.${name}.extraGroups = ["nextcloud" "mastodon" "forgejo"];
system.activationScripts.postgresCommands = ''
chown -R ${name}:${name} ${paths.path0}
'';
}

31
nixos/modules/services/samba.nix Executable file
View file

@ -0,0 +1,31 @@
{
pkgs,
flake,
...
}: let
inherit (flake.config.service.instance) samba jellyfin;
in {
# If you ever need to start fresh, you need to add yourself to the Samba users database:
# sudo smbpasswd -a username
services = {
samba = {
package = pkgs.samba4Full;
enable = true;
openFirewall = true;
settings = {
media = {
path = jellyfin.paths.path0;
writable = "true";
};
};
};
};
networking = {
firewall = {
allowedTCPPorts = [
samba.ports.port0
];
};
};
}

95
nixos/modules/services/vaultwarden.nix Executable file
View file

@ -0,0 +1,95 @@
{
flake,
config,
...
}: let
inherit (flake.config.people) user0;
inherit (flake.config.people.user.${user0}) domain email;
inherit (flake.config.system.device) wildcard;
inherit (flake.config.service.instance.vaultwarden) paths ports subdomain name sops ssl;
localhost = wildcard.ip.address0;
host = "${subdomain}.${domain.url0}";
in {
services = {
vaultwarden = {
backupDir = paths.path0;
enable = true;
environmentFile = config.sops.secrets."${name}/env".path;
config = {
# Domain Configuration
DOMAIN = "https://${host}";
# Email Configuration
SMTP_AUTH_MECHANISM = "Plain";
SMTP_EMBED_IMAGES = true;
SMTP_FROM = email.address3;
SMTP_FROM_NAME = "Vaultwarden";
SMTP_HOST = "smtp.protonmail.ch";
SMTP_PORT = 587;
SMTP_SECURITY = "starttls";
SMTP_USERNAME = email.address3;
# Security Configuration
DISABLE_ADMIN_TOKEN = false;
# Event and Backup Management
EVENTS_DAYS_RETAIN = 90;
# User Features
SENDS_ALLOWED = true;
SIGNUPS_VERIFY = true;
WEB_VAULT_ENABLED = true;
# Rocket (Web Server) Settings
ROCKET_ADDRESS = localhost;
ROCKET_PORT = ports.port0;
};
};
caddy = {
virtualHosts = {
"${host}" = {
extraConfig = ''
reverse_proxy ${localhost}:${toString ports.port0} {
header_up X-Real-IP {remote_host}
}
tls ${ssl.cert} ${ssl.key}
encode zstd gzip
'';
};
};
};
};
sops = let
sopsSecrets = ["env"];
sopsPath = secret: {
path = "${sops.path0}/${name}-${secret}";
owner = name;
mode = "600";
};
in {
secrets = builtins.listToAttrs (
map
(secret: {
name = "${name}/${secret}";
value = sopsPath secret;
})
sopsSecrets
);
};
systemd.tmpfiles.rules = [
"Z ${paths.path0} 0755 ${name} ${name} -"
"Z ${sops.path0} 755 ${name} ${name} -"
];
networking = {
firewall = {
allowedTCPPorts = [
ports.port0
];
};
};
}