upRootNutrition/dotfiles
1
0
Fork 0
mirror of https://gitlab.com/upRootNutrition/dotfiles.git synced 2025-06-17 10:35:13 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: reformated services

Browse source
This commit is contained in:
Nick 2024-11-23 20:04:38 -06:00
parent c28066d2d3
commit d73b50cb7b
19 changed files with 5 additions and 198 deletions
Download patch file Download diff file Expand all files Collapse all files

84
nixos/modules/services/config/acme.nix Executable file
View file

@ -0,0 +1,84 @@
{
config,
flake,
...
}: let
inherit (flake.config.people.users.user0) email;
inherit (flake.config.services) instances;
domain0 = instances.web.domains.url0;
domain1 = instances.web.domains.url1;
dns = instances.web.dns.provider0;
instanceName = service: (instances.${service}.subdomain);
dnsConfig = {
dnsProvider = dns;
directory = instances.acme.paths.path0;
environmentFile = config.sops.secrets."dns/namecheap".path;
};
in {
security.acme = {
acceptTerms = true;
defaults = {
email = email.address0;
server = "https://acme-v02.api.letsencrypt.org/directory";
};
certs = builtins.listToAttrs (
(map (prefix: {
name = "${prefix}.${domain0}";
value = dnsConfig;
})
map
instanceName [
"nextcloud"
"jellyfin"
"minecraft"
"ollama"
"syncthing"
"vaultwarden"
])
++ (map (prefix: {
name = "${prefix}.${domain1}";
value = dnsConfig;
})
map
instanceName [
"wiki"
"nextcloud"
"castopod"
"forgejo"
"matrix"
"owncast"
"peertube"
"writefreely"
])
++ (map (name: {
name = name;
value = dnsConfig;
})
[
domain0
domain1
])
);
};
sops = let
sopsSecrets = ["pass"];
sopsPath = secret: {
path = "/var/lib/secrets/${instances.acme.name}/${dns}-${secret}";
owner = "root";
mode = "600";
};
in {
secrets = builtins.listToAttrs (
map
(secret: {
name = "dns/${dns}";
value = sopsPath secret;
})
sopsSecrets
);
};
}

30
nixos/modules/services/config/caddy.nix Executable file
View file

@ -0,0 +1,30 @@
{flake, ...}: let
inherit (flake.config.services.instances) caddy web;
domain0 = web.domains.url0;
service = caddy;
in {
services.caddy = {
enable = true;
virtualHosts = {
"${domain0}" = {
extraConfig = ''
tls /var/lib/acme/${domain0}/fullchain.pem /var/lib/acme/${domain0}/key.pem
encode zstd gzip
'';
};
};
};
users.users.${service.name}.extraGroups = ["acme" "nextcloud" "mastodon"];
networking = {
firewall = {
allowedTCPPorts = [
service.ports.port0
service.ports.port1
];
};
};
}

107
nixos/modules/services/config/forgejo.nix Executable file
View file

@ -0,0 +1,107 @@
{
flake,
config,
...
}: let
inherit (flake.config.machines.devices) server;
inherit (flake.config.services.instances) forgejo web;
service = forgejo;
localhost = web.localhost.address0;
host = "${service.subdomain}.${web.domains.url1}";
in {
services = {
forgejo = {
enable = true;
database.type = "postgres";
lfs.enable = true;
secrets = {
mailer.PASSWD = config.sops.secrets."${service.name}-smtp".path;
database.PASSWD = config.sops.secrets."${service.name}-database".path;
};
dump = {
interval = "5:00";
type = "zip";
file = "forgejo-backup";
enable = true;
};
settings = {
server = {
DOMAIN = host;
ROOT_URL = "https://${host}/";
HTTP_PORT = service.ports.port0;
};
# If you need to start from scratch, don't forget to turn this off again
service.DISABLE_REGISTRATION = false;
actions = {
ENABLED = true;
DEFAULT_ACTIONS_URL = "github";
};
mirror = {
ENABLED = true;
};
mailer = {
ENABLED = true;
SMTP_ADDR = "smtp.protonmail.ch";
FROM = service.email.address0;
USER = service.email.address0;
PROTOCOL = "smtp+starttls";
SMTP_PORT = 587;
SEND_AS_PLAIN_TEXT = true;
USE_CLIENT_CERT = false;
};
};
};
caddy = {
virtualHosts = {
"${host}" = {
extraConfig = ''
reverse_proxy ${localhost}:${toString service.ports.port0}
tls ${service.ssl.cert} ${service.ssl.key}
'';
};
};
};
};
sops = let
sopsPath = secret: {
path = "${service.sops.path0}/${service.name}-${secret}";
owner = service.name;
mode = "600";
};
in {
secrets = builtins.listToAttrs (
map
(secret: {
name = "${service.name}-${secret}";
value = sopsPath secret;
})
[
"smtp"
"database"
]
);
};
fileSystems."/var/lib/${service.name}" = {
device = service.paths.path0;
fsType = "none";
options = ["bind"];
depends = [server.storage0.mount];
};
systemd.tmpfiles.rules = [
"Z ${service.paths.path0} 755 ${service.name} ${service.name} -"
"Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
];
users.users.${service.name}.extraGroups = ["caddy" "postgres"];
networking = {
firewall = {
allowedTCPPorts = [
service.ports.port0
];
};
};
}

68
nixos/modules/services/config/jellyfin.nix Executable file
View file

@ -0,0 +1,68 @@
{flake, ...}: let
inherit (flake.config.people) user0;
inherit (flake.config.machines.devices) server;
inherit (flake.config.services.instances) jellyfin web;
service = jellyfin;
localhost = web.localhost.address0;
host = "${service.subdomain}.${web.domains.url0}";
in {
services = {
jellyfin = {
enable = true;
openFirewall = true;
user = user0;
};
jellyseerr = {
openFirewall = true;
enable = true;
};
caddy = {
virtualHosts = {
"${host}" = {
extraConfig = ''
redir /.well-known/carddav /remote.php/dav/ 301
redir /.well-known/caldav /remote.php/dav/ 301
reverse_proxy ${localhost}:${toString service.ports.port1}
tls ${service.ssl.cert} ${service.ssl.key}
'';
};
};
};
};
fileSystems = let
settings = {
fsType = "none";
options = ["bind"];
depends = [server.storage0.mount];
};
in {
"/var/lib/${service.name}" =
{
device = service.paths.path0;
}
// settings;
"/var/cache/${service.name}" =
{
device = "${service.paths.path0}/cache";
}
// settings;
};
systemd.tmpfiles.rules = [
"Z ${service.paths.path0} 0755 ${user0} ${service.name} -"
"Z ${service.paths.path0}/cache 0755 ${user0} ${service.name} -"
];
networking = {
firewall = {
allowedTCPPorts = [
service.ports.port0
service.ports.port1
service.ports.port2
];
};
};
}

3
nixos/modules/services/config/logrotate.nix Executable file
View file

@ -0,0 +1,3 @@
{
services.logrotate.enable = true;
}

34
nixos/modules/services/config/mastodon/chars.patch Executable file
View file

@ -0,0 +1,34 @@
diff --git a/app/javascript/mastodon/features/compose/components/compose_form.jsx b/app/javascript/mastodon/features/compose/components/compose_form.jsx
index 9222b2dc8..962310a28 100644
--- a/app/javascript/mastodon/features/compose/components/compose_form.jsx
+++ b/app/javascript/mastodon/features/compose/components/compose_form.jsx
@@ -100,7 +100,7 @@ class ComposeForm extends ImmutablePureComponent {
const fulltext = this.getFulltextForCharacterCounting();
const isOnlyWhitespace = fulltext.length !== 0 && fulltext.trim().length === 0;
- return !(isSubmitting || isUploading || isChangingUpload || length(fulltext) > 500 || (isOnlyWhitespace && !anyMedia));
+ return !(isSubmitting || isUploading || isChangingUpload || length(fulltext) > 5000 || (isOnlyWhitespace && !anyMedia));
};
handleSubmit = (e) => {
@@ -297,7 +297,7 @@ class ComposeForm extends ImmutablePureComponent {
</div>
<div className='character-counter__wrapper'>
- <CharacterCounter max={500} text={this.getFulltextForCharacterCounting()} />
+ <CharacterCounter max={5000} text={this.getFulltextForCharacterCounting()} />
</div>
</div>
</div>
diff --git a/app/validators/status_length_validator.rb b/app/validators/status_length_validator.rb
index dc841ded3..9cb1ec94b 100644
--- a/app/validators/status_length_validator.rb
+++ b/app/validators/status_length_validator.rb
@@ -1,7 +1,7 @@
# frozen_string_literal: true
class StatusLengthValidator < ActiveModel::Validator
- MAX_CHARS = 500
+ MAX_CHARS = 5000
URL_PLACEHOLDER_CHARS = 23
URL_PLACEHOLDER = 'x' * 23

188
nixos/modules/services/config/mastodon/default.nix Executable file
View file

@ -0,0 +1,188 @@
{
flake,
config,
pkgs,
lib,
...
}: let
inherit (flake.config.machines.devices) server;
inherit (flake.config.services.instances) mastodon web;
service = mastodon;
host = web.domains.url1;
localhost = web.localhost.address0;
in {
# If you need to start fresh for some reason, run these to create the new Admin account:
# sudo -u mastodon mastodon-tootctl accounts create nick --email=nick@localhost --confirmed --role=Owner
# sudo -u mastodon mastodon-tootctl accounts approve nick
# If you fuck up and lose the password, use this:
# sudo mastodon-tootctl accounts modify --reset-password nick
# If you really fuck up and name yourself wrong, use this shit
# sudo mastodon-tootctl accounts modify username --remove-role
nixpkgs.overlays = [
(
final: prev: {
mastodon = prev.mastodon.overrideAttrs (oldAttrs: {
postPatch =
(oldAttrs.postPatch or "")
+ ''
patch -p1 < ${./chars.patch}
'';
});
}
)
];
services = {
mastodon = {
enable = true;
localDomain = host;
secretKeyBaseFile = "/var/lib/mastodon/secrets/secret-key-base";
streamingProcesses = 7;
trustedProxy = localhost;
automaticMigrations = true;
database = {
createLocally = true;
name = service.name;
host = "/run/postgresql";
user = service.name;
passwordFile = config.sops.secrets.mastodon-database.path;
};
extraConfig = {
SINGLE_USER_MODE = "true";
SMTP_AUTH_METHOD = "plain";
SMTP_DELIVERY_METHOD = "smtp";
SMTP_ENABLE_STARTTLS_AUTO = "true";
SMTP_SSL = "false";
};
mediaAutoRemove = {
enable = true;
olderThanDays = 14;
};
redis = {
createLocally = true;
enableUnixSocket = true;
};
sidekiqThreads = 25;
sidekiqProcesses = {
all = {
jobClasses = [];
threads = null;
};
default = {
jobClasses = ["default"];
threads = 5;
};
ingress = {
jobClasses = ["ingress"];
threads = 5;
};
push-pull = {
jobClasses = ["push" "pull"];
threads = 5;
};
mailers = {
jobClasses = ["mailers"];
threads = 5;
};
};
smtp = {
authenticate = true;
createLocally = false;
fromAddress = "The Nutrivore <${service.email.address0}>";
host = "smtp.protonmail.ch";
passwordFile = config.sops.secrets.mastodon-smtp.path;
port = 587;
user = service.email.address0;
};
};
caddy = {
virtualHosts = {
"${host}" = {
extraConfig = ''
handle_path /system/* {
file_server * {
root /var/lib/mastodon/public-system
}
}
handle /api/v1/streaming/* {
reverse_proxy unix//run/mastodon-streaming/streaming.socket
}
route * {
file_server * {
root ${pkgs.mastodon}/public
pass_thru
}
reverse_proxy * unix//run/mastodon-web/web.socket
}
tls ${service.ssl.cert} ${service.ssl.key}
handle_errors {
root * ${pkgs.mastodon}/public
rewrite 500.html
file_server
}
encode gzip
header /* {
Strict-Transport-Security "max-age=31536000;"
}
header /emoji/* Cache-Control "public, max-age=31536000, immutable"
header /packs/* Cache-Control "public, max-age=31536000, immutable"
header /system/accounts/avatars/* Cache-Control "public, max-age=31536000, immutable"
header /system/media_attachments/files/* Cache-Control "public, max-age=31536000, immutable"
'';
};
};
};
};
systemd.services.caddy.serviceConfig.ReadWriteDirectories = lib.mkForce ["/var/lib/caddy" "/run/mastodon-web"];
sops = let
sopsPath = secret: {
path = "${service.sops.path0}/${service.name}-${secret}";
owner = service.name;
mode = "600";
};
in {
secrets = builtins.listToAttrs (
map
(secret: {
name = "${service.name}-${secret}";
value = sopsPath secret;
})
[
"smtp"
"database"
"redis"
]
);
};
fileSystems."/var/lib/${service.name}" = {
device = service.paths.path0;
fsType = "none";
options = ["bind"];
depends = [server.storage0.mount];
};
systemd.tmpfiles.rules = [
"Z ${service.paths.path0} 0755 ${service.name} ${service.name} -"
"Z ${service.sops.path0} 0755 ${service.name} ${service.name} -"
];
users.users.${service.name}.extraGroups = ["postgres"];
networking = {
firewall = {
allowedTCPPorts = [];
};
};
}

5422
nixos/modules/services/config/mastodon/twitter.txt Executable file
View file

File diff suppressed because one or more lines are too long

90
nixos/modules/services/config/minecraft.nix Executable file
View file

@ -0,0 +1,90 @@
{
config,
flake,
...
}: let
inherit (flake.config.machines.devices) server;
inherit (flake.config.services.instances) minecraft;
service = minecraft;
in {
services = {
minecraft-server = {
enable = true;
eula = true;
openFirewall = true;
declarative = true;
serverProperties = {
"rcon.password" = config.sops.secrets."${service.name}-pass".path;
allow-flight = false;
allow-nether = true;
difficulty = 2;
enable-command-block = false;
enable-rcon = true;
enable-status = true;
force-gamemode = true;
gamemode = 0;
generate-structures = true;
hardcore = false;
hide-online-players = false;
level-name = "Brix on Nix";
level-seed = "9064150133272194";
max-players = 10;
max-world-size = 64000000;
motd = "A cool Minecraft server powered by NixOS";
online-mode = true;
pvp = true;
server-port = service.ports.port0;
spawn-animals = true;
spawn-monsters = true;
spawn-npcs = true;
spawn-protection = 16;
view-dtstance = 32;
white-list = true;
};
whitelist = {
Hefty_Chungus = "b75a9816-d408-4c54-b226-385b59ea1cb3";
Hefty_Chungus_Jr = "c3bf8cac-e953-4ea4-ae5f-7acb92a51a85";
EclipseMoon01 = "adef4af7-d8c6-4627-b492-e990ea1bb993";
Fallaryn = "d8baa117-ab58-4b07-92a5-48fb1978eb49";
};
};
};
sops = let
sopsPath = secret: {
path = "${service.sops.path0}/${service.name}-${secret}";
owner = service.name;
mode = "600";
};
in {
secrets = builtins.listToAttrs (
map
(secret: {
name = "${service.name}-${secret}";
value = sopsPath secret;
})
[
"pass"
]
);
};
fileSystems."/var/lib/${service.name}" = {
device = service.paths.path0;
fsType = "none";
options = ["bind"];
depends = [server.storage0.mount];
};
systemd.tmpfiles.rules = [
"Z ${service.paths.path0} 0755 ${service.name} ${service.name} -"
"Z ${service.sops.path0} 0755 ${service.name} ${service.name} -"
];
networking = {
firewall = {
allowedTCPPorts = [
service.ports.port0
];
};
};
}

118
nixos/modules/services/config/nextcloud.nix Executable file
View file

@ -0,0 +1,118 @@
{
flake,
config,
pkgs,
...
}: let
inherit (flake.config.people) user0;
inherit (flake.config.people.users.${user0}) name;
inherit (flake.config.machines.devices) server;
inherit (flake.config.services.instances) nextcloud nginx web;
service = nextcloud;
localhost = web.localhost.address0;
host = "${service.subdomain}.${web.domains.url1}";
in {
services = {
nextcloud = {
appstoreEnable = true;
autoUpdateApps.enable = true;
configureRedis = true;
enable = true;
hostName = host;
https = true;
package = pkgs.nextcloud30;
phpOptions."opcache.interned_strings_buffer" = "24";
extraAppsEnable = true;
extraApps = {
inherit
(config.services.service.package.packages.apps)
contacts
calendar
;
};
config = {
adminpassFile = config.sops.secrets."${service.name}-pass".path;
adminuser = name;
dbtype = "pgsql";
};
database = {
createLocally = true;
};
settings = {
default_phone_region = "CA";
log_type = "file";
mail_sendmailmode = "pipe";
mail_smtpmode = "sendmail";
maintenance_window_start = 4;
overwriteprotocol = "https";
trusted_proxies = [
localhost
];
};
};
nginx = {
enable = true;
virtualHosts.${host}.listen = [
{
addr = web.localhost.address1;
port = nginx.ports.port0;
}
];
};
caddy = {
virtualHosts = {
"${host}" = {
extraConfig = ''
reverse_proxy ${localhost}:${toString nginx.ports.port0}
tls ${service.ssl.cert} ${service.ssl.key}
'';
};
};
};
};
sops = let
sopsPath = secret: {
path = "${service.sops.path0}/${service.name}-${secret}";
owner = service.name;
mode = "600";
};
in {
secrets = builtins.listToAttrs (
map
(secret: {
name = "${service.name}-${secret}";
value = sopsPath secret;
})
[
"pass"
]
);
};
fileSystems."/var/lib/${service.name}" = {
device = service.paths.path0;
fsType = "none";
options = ["bind"];
depends = [server.storage0.mount];
};
systemd.tmpfiles.rules = [
"Z ${service.paths.path0} 750 ${service.name} ${service.name} -"
"Z ${service.sops.path0} 750 ${service.name} ${service.name} -"
];
users.users.${service.name}.extraGroups = ["caddy" "nginx" "postgres"];
networking = {
firewall = {
allowedTCPPorts = [
nginx.ports.port0
service.ports.port0
];
};
};
}

62
nixos/modules/services/config/ollama.nix Executable file
View file

@ -0,0 +1,62 @@
{flake, ...}: let
inherit (flake.config.machines.devices) server;
inherit (flake.config.services.instances) ollama web;
service = ollama;
localhost = web.localhost.address0;
host = "${service.subdomain}.${web.domains.url0}";
in {
services = {
ollama = {
acceleration = false;
enable = true;
group = service.name;
host = "http://${localhost}";
port = service.ports.port1;
user = service.name;
};
open-webui = {
enable = true;
host = localhost;
port = service.ports.port0;
environment = {
ENABLE_OLLAMA_API = "True";
ANONYMIZED_TELEMETRY = "False";
DO_NOT_TRACK = "True";
SCARF_NO_ANALYTICS = "True";
OLLAMA_BASE_URL = "http://${localhost}:${toString service.ports.port1}";
WEBUI_AUTH = "True";
};
};
caddy = {
virtualHosts = {
${host} = {
extraConfig = ''
reverse_proxy ${localhost}:${toString service.ports.port0}
tls ${service.ssl.cert} ${service.ssl.key}
'';
};
};
};
};
fileSystems."/var/lib/${service.name}" = {
device = service.paths.path0;
fsType = "none";
options = ["bind"];
depends = [server.storage0.mount];
};
systemd.tmpfiles.rules = ["Z ${service.paths.path0} 0755 ${service.name} ${service.name} -"];
networking = {
firewall = {
allowedTCPPorts = [
service.ports.port0
service.ports.port1
];
};
};
}

38
nixos/modules/services/config/owncast.nix Executable file
View file

@ -0,0 +1,38 @@
{flake, ...}: let
inherit (flake.config.services.instances) owncast web;
service = owncast;
localhost = web.localhost.address1;
host = "${service.subdomain}.${web.domains.url1}";
in {
services = {
owncast = {
enable = true;
listen = localhost;
port = service.ports.port0;
openFirewall = true;
};
caddy = {
virtualHosts = {
"${host}" = {
extraConfig = ''
reverse_proxy ${localhost}:${toString service.ports.port0}
tls ${service.ssl.cert} ${service.ssl.key}
'';
};
};
};
};
networking = {
firewall = {
allowedTCPPorts = [
service.ports.port0
service.ports.port1
];
};
};
# OBS Server rtmp://192.168.50.140:1935/live
}

134
nixos/modules/services/config/peertube.nix Executable file
View file

@ -0,0 +1,134 @@
{
flake,
config,
pkgs,
...
}: let
inherit (flake.config.machines.devices) server;
inherit (flake.config.services.instances) caddy peertube web;
service = peertube;
localhost = web.localhost.address0;
host = "${service.subdomain}.${web.domains.url1}";
in {
services = {
peertube = {
configureNginx = false;
enable = true;
enableWebHttps = true;
group = service.name;
listenWeb = caddy.ports.port1;
listenHttp = service.ports.port0;
localDomain = host;
serviceEnvironmentFile = config.sops.secrets."${service.name}-root".path;
user = service.name;
plugins = {
enable = true;
plugins = builtins.attrValues {
inherit
(pkgs)
peertube-plugin-livechat
peertube-plugin-matomo
peertube-plugin-transcoding-custom-quality
peertube-theme-dark
;
};
};
secrets = {
secretsFile = config.sops.secrets."${service.name}-secret".path;
};
settings = {
instance = {
name = "The Nutrivore";
};
log = {
level = "debug";
};
smtp = {
transport = "smtp";
disable_starttls = false;
from_address = service.email.address0;
hostname = "smtp.protonmail.ch";
port = 587;
username = service.email.address0;
tls = false;
};
};
database = {
createLocally = true;
passwordFile = config.sops.secrets."${service.name}-database".path;
};
redis = {
enableUnixSocket = true;
createLocally = true;
passwordFile = config.sops.secrets."${service.name}-redis".path;
};
smtp = {
createLocally = true;
passwordFile = config.sops.secrets."${service.name}-smtp".path;
};
};
caddy = {
virtualHosts = {
${host} = {
extraConfig = ''
reverse_proxy ${localhost}:${toString service.ports.port0}
tls ${service.ssl.cert} ${service.ssl.key}
'';
};
};
};
};
sops = let
sopsPath = secret: {
path = "${service.sops.path0}/${service.name}-${secret}-pass";
owner = service.name;
mode = "600";
};
in {
secrets = builtins.listToAttrs (
map
(secret: {
name = "${service.name}-${secret}";
value = sopsPath secret;
})
[
"smtp"
"database"
"redis"
"root"
"secret"
]
);
};
fileSystems."/var/lib/${service.name}" = {
device = service.paths.path0;
fsType = "none";
options = ["bind"];
depends = [server.storage0.mount];
};
systemd.tmpfiles.rules = [
"Z ${service.paths.path0} 755 ${service.name} ${service.name} -"
"Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
];
users.users.${service.name}.extraGroups = ["nginx" "caddy"];
networking = {
firewall = {
allowedTCPPorts = [
service.ports.port0
service.ports.port1
service.ports.port2
service.ports.port3
service.ports.port4
];
};
};
}

39
nixos/modules/services/config/postgresql.nix Executable file
View file

@ -0,0 +1,39 @@
{flake, ...}: let
inherit (flake.config.machines.devices) server;
inherit (flake.config.services.instances) postgresql;
service = postgresql;
in {
services = {
postgresqlBackup = {
enable = true;
location = service.paths.path0;
databases = ["mastodon" "nextcloud" "peertube" "forgejo" "wiki"];
};
postgresql = {
enable = true;
};
};
networking = {
firewall = {
allowedTCPPorts = [
service.ports.port0
];
};
};
fileSystems."/var/lib/postgresql" = {
device = service.paths.path0;
fsType = "none";
options = ["bind"];
depends = [server.storage0.mount];
};
systemd.tmpfiles.rules = ["Z ${service.paths.path0} 700 ${service.name} ${service.name} -"];
users.users.${service.name}.extraGroups = ["nextcloud" "mastodon" "forgejo"];
system.activationScripts.postgresCommands = ''
chown -R ${service.name}:${service.name} ${service.paths.path0}
'';
}

32
nixos/modules/services/config/samba.nix Executable file
View file

@ -0,0 +1,32 @@
{
pkgs,
flake,
...
}: let
inherit (flake.config.services.instances) samba jellyfin;
service = samba;
in {
# If you ever need to start fresh, you need to add yourself to the Samba users database:
# sudo smbpasswd -a username
services = {
samba = {
package = pkgs.samba4Full;
enable = true;
openFirewall = true;
settings = {
${service.paths.path1} = {
path = jellyfin.paths.path0;
writable = "true";
};
};
};
};
networking = {
firewall = {
allowedTCPPorts = [
service.ports.port0
];
};
};
}

94
nixos/modules/services/config/vaultwarden.nix Executable file
View file

@ -0,0 +1,94 @@
{
flake,
config,
...
}: let
inherit (flake.config.services.instances) vaultwarden web;
service = vaultwarden;
localhost = web.localhost.address0;
host = "${service.subdomain}.${web.domains.url0}";
in {
services = {
vaultwarden = {
backupDir = service.paths.path0;
enable = true;
environmentFile = config.sops.secrets."${service.name}/env".path;
config = {
# Domain Configuration
DOMAIN = "https://${host}";
# Email Configuration
SMTP_AUTH_MECHANISM = "Plain";
SMTP_EMBED_IMAGES = true;
SMTP_FROM = service.email.address0;
SMTP_FROM_NAME = "Vaultwarden";
SMTP_HOST = "smtp.protonmail.ch";
SMTP_PORT = 587;
SMTP_SECURITY = "starttls";
SMTP_USERNAME = service.email.address0;
# Security Configuration
DISABLE_ADMIN_TOKEN = false;
# Event and Backup Management
EVENTS_DAYS_RETAIN = 90;
# User Features
SENDS_ALLOWED = true;
SIGNUPS_VERIFY = true;
WEB_VAULT_ENABLED = true;
# Rocket (Web Server) Settings
ROCKET_ADDRESS = localhost;
ROCKET_PORT = service.ports.port0;
};
};
caddy = {
virtualHosts = {
"${host}" = {
extraConfig = ''
reverse_proxy ${localhost}:${toString service.ports.port0} {
header_up X-Real-IP {remote_host}
}
tls ${service.ssl.cert} ${service.ssl.key}
encode zstd gzip
'';
};
};
};
};
sops = let
sopsPath = secret: {
path = "${service.sops.path0}/${service.name}-${secret}";
owner = service.name;
mode = "600";
};
in {
secrets = builtins.listToAttrs (
map
(secret: {
name = "${service.name}/${secret}";
value = sopsPath secret;
})
[
"env"
]
);
};
systemd.tmpfiles.rules = [
"Z ${service.paths.path0} 0755 ${service.name} ${service.name} -"
"Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
];
networking = {
firewall = {
allowedTCPPorts = [
service.ports.port0
];
};
};
}