upRootNutrition/dotfiles
1
0
Fork 0
mirror of https://gitlab.com/upRootNutrition/dotfiles.git synced 2025-06-16 10:05:13 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

refactor: cleaned up nixos and home dirs

Browse source
This commit is contained in:
Nick 2025-02-06 14:27:52 -06:00
parent 824a91d405
commit e596e1c1b3
582 changed files with 2 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

91
modules/nixos/services/acme/default.nix Executable file
View file

@ -0,0 +1,91 @@
{
config,
flake,
...
}:
let
inherit (flake.config.people)
user0
;
inherit (flake.config.people.users.${user0})
email
;
inherit (flake.config.services)
instances
;
domain0 = instances.web.domains.url0;
domain1 = instances.web.domains.url1;
domain3 = instances.web.domains.url3;
dns = instances.web.dns.provider0;
instanceName = service: (instances.${service}.subdomain);
dnsConfig = {
dnsProvider = dns;
directory = instances.acme.paths.path0;
environmentFile = config.sops.secrets."dns/namecheap".path;
};
in
{
security.acme = {
acceptTerms = true;
defaults = {
email = email.address0;
server = "https://acme-v02.api.letsencrypt.org/directory";
};
certs = builtins.listToAttrs (
(map
(service: {
name = "${instanceName service}.${domain0}";
value = dnsConfig;
})
[
"jellyfin"
"minecraft"
"ollama"
"syncthing"
"vaultwarden"
]
)
++ (map
(service: {
name = "${instanceName service}.${domain3}";
value = dnsConfig;
})
[
"peertube"
"forgejo"
"mastodon"
]
)
++ (map
(name: {
name = name;
value = dnsConfig;
})
[
domain0
domain1
domain3
]
)
);
};
sops =
let
sopsSecrets = [
"pass"
];
sopsPath = secret: {
path = "/var/lib/secrets/${instances.acme.name}/${dns}-${secret}";
owner = "root";
mode = "600";
};
in
{
secrets = builtins.listToAttrs (
map (secret: {
name = "dns/${dns}";
value = sopsPath secret;
}) sopsSecrets
);
};
}

39
modules/nixos/services/caddy/default.nix Executable file
View file

@ -0,0 +1,39 @@
{ flake, ... }:
let
inherit (flake.config.services.instances)
caddy
web
;
domain0 = web.domains.url0;
service = caddy;
in
{
services.caddy = {
enable = true;
virtualHosts = {
"${domain0}" = {
extraConfig = ''
tls /var/lib/acme/${domain0}/fullchain.pem /var/lib/acme/${domain0}/key.pem
encode zstd gzip
'';
};
};
};
users.users.${service.name}.extraGroups = [
"acme"
"nextcloud"
"mastodon"
];
networking = {
firewall = {
allowedTCPPorts = [
service.ports.port0
service.ports.port1
];
};
};
}

10
modules/nixos/services/default.nix Executable file
View file

@ -0,0 +1,10 @@
let
content = builtins.readDir ./.;
dirContent = builtins.filter (n: content.${n} == "directory") (builtins.attrNames content);
importList = map (name: ./. + "/${name}") dirContent;
in
{
imports = importList;
}

120
modules/nixos/services/forgejo/default.nix Executable file
View file

@ -0,0 +1,120 @@
{
flake,
config,
...
}:
let
inherit (flake.config.machines.devices)
server
;
inherit (flake.config.services.instances) smtp forgejo web;
service = forgejo;
localhost = web.localhost.address0;
host = "${service.subdomain}.${web.domains.url3}";
in
{
services = {
forgejo = {
enable = true;
database.type = "postgres";
lfs.enable = true;
secrets = {
mailer.PASSWD = config.sops.secrets."${service.name}-smtp".path;
database.PASSWD = config.sops.secrets."${service.name}-database".path;
};
dump = {
interval = "5:00";
type = "zip";
file = "forgejo-backup";
enable = true;
};
settings = {
server = {
DOMAIN = host;
ROOT_URL = "https://${host}/";
HTTP_PORT = service.ports.port0;
};
# If you need to start from scratch, don't forget to turn this off again
service.DISABLE_REGISTRATION = true;
actions = {
ENABLED = true;
DEFAULT_ACTIONS_URL = "github";
};
mirror = {
ENABLED = true;
};
mailer = {
ENABLED = true;
SMTP_ADDR = smtp.hostname;
FROM = service.email.address0;
USER = service.email.address0;
PROTOCOL = "smtp+starttls";
SMTP_PORT = smtp.ports.port0;
SEND_AS_PLAIN_TEXT = true;
USE_CLIENT_CERT = false;
};
};
};
caddy = {
virtualHosts = {
"${host}" = {
extraConfig = ''
reverse_proxy ${localhost}:${toString service.ports.port0}
tls ${service.ssl.cert} ${service.ssl.key}
'';
};
};
};
};
sops =
let
sopsPath = secret: {
path = "${service.sops.path0}/${service.name}-${secret}";
owner = service.name;
mode = "600";
};
in
{
secrets = builtins.listToAttrs (
map
(secret: {
name = "${service.name}-${secret}";
value = sopsPath secret;
})
[
"smtp"
"database"
]
);
};
fileSystems."/var/lib/${service.name}" = {
device = service.paths.path0;
fsType = "none";
options = [
"bind"
];
depends = [
server.storage0.mount
];
};
systemd.tmpfiles.rules = [
"Z ${service.paths.path0} 755 ${service.name} ${service.name} -"
"Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
];
users.users.${service.name}.extraGroups = [
"caddy"
"postgres"
];
networking = {
firewall = {
allowedTCPPorts = [
service.ports.port0
];
};
};
}

72
modules/nixos/services/hLedger/default.nix Executable file
View file

@ -0,0 +1,72 @@
{
flake,
pkgs,
...
}:
let
inherit (flake.config.machines.devices)
server
;
inherit (flake.config.services.instances)
hledger
web
;
service = hledger;
localhost = web.localhost.address0;
in
{
services = {
hledger-web = {
enable = true;
host = localhost;
# baseUrl = "https://${host}";
stateDir = service.paths.path0;
port = service.ports.port0;
journalFiles = [
".hledger.journal"
];
allow = "edit";
};
};
environment = {
systemPackages = builtins.attrValues {
inherit (pkgs)
hledger
hledger-ui
;
};
};
users = {
users.${service.name} = {
isSystemUser = true;
group = service.name;
home = service.paths.path0;
};
groups.${service.name} = { };
};
fileSystems."/var/lib/${service.name}" = {
device = service.paths.path0;
fsType = "none";
options = [
"bind"
];
depends = [
server.storage0.mount
];
};
systemd.tmpfiles.rules = [
"Z ${service.paths.path0} 0755 ${service.name} ${service.name} -"
];
networking = {
firewall = {
allowedTCPPorts = [
service.ports.port0
];
};
};
}

79
modules/nixos/services/jellyfin/default.nix Executable file
View file

@ -0,0 +1,79 @@
{ flake, ... }:
let
inherit (flake.config.people)
user0
;
inherit (flake.config.machines.devices)
server
;
inherit (flake.config.services.instances)
jellyfin
web
;
service = jellyfin;
localhost = web.localhost.address0;
host = "${service.subdomain}.${web.domains.url0}";
in
{
services = {
jellyfin = {
enable = true;
openFirewall = true;
user = user0;
};
jellyseerr = {
openFirewall = true;
enable = true;
};
caddy = {
virtualHosts = {
"${host}" = {
extraConfig = ''
redir /.well-known/carddav /remote.php/dav/ 301
redir /.well-known/caldav /remote.php/dav/ 301
reverse_proxy ${localhost}:${toString service.ports.port1}
tls ${service.ssl.cert} ${service.ssl.key}
'';
};
};
};
};
fileSystems =
let
settings = {
fsType = "none";
options = [
"bind"
];
depends = [
server.storage0.mount
];
};
in
{
"/var/lib/${service.name}" = {
device = service.paths.path0;
} // settings;
"/var/cache/${service.name}" = {
device = "${service.paths.path0}/cache";
} // settings;
};
systemd.tmpfiles.rules = [
"Z ${service.paths.path0} 0755 ${user0} ${service.name} -"
"Z ${service.paths.path0}/cache 0755 ${user0} ${service.name} -"
];
networking = {
firewall = {
allowedTCPPorts = [
service.ports.port0
service.ports.port1
service.ports.port2
];
};
};
}

3
modules/nixos/services/logrotate/default.nix Executable file
View file

@ -0,0 +1,3 @@
{
services.logrotate.enable = true;
}

34
modules/nixos/services/mastodon/config/chars.patch Executable file
View file

@ -0,0 +1,34 @@
diff --git a/app/javascript/mastodon/features/compose/components/compose_form.jsx b/app/javascript/mastodon/features/compose/components/compose_form.jsx
index 9222b2dc8..962310a28 100644
--- a/app/javascript/mastodon/features/compose/components/compose_form.jsx
+++ b/app/javascript/mastodon/features/compose/components/compose_form.jsx
@@ -100,7 +100,7 @@ class ComposeForm extends ImmutablePureComponent {
const fulltext = this.getFulltextForCharacterCounting();
const isOnlyWhitespace = fulltext.length !== 0 && fulltext.trim().length === 0;
- return !(isSubmitting || isUploading || isChangingUpload || length(fulltext) > 500 || (isOnlyWhitespace && !anyMedia));
+ return !(isSubmitting || isUploading || isChangingUpload || length(fulltext) > 5000 || (isOnlyWhitespace && !anyMedia));
};
handleSubmit = (e) => {
@@ -297,7 +297,7 @@ class ComposeForm extends ImmutablePureComponent {
</div>
<div className='character-counter__wrapper'>
- <CharacterCounter max={500} text={this.getFulltextForCharacterCounting()} />
+ <CharacterCounter max={5000} text={this.getFulltextForCharacterCounting()} />
</div>
</div>
</div>
diff --git a/app/validators/status_length_validator.rb b/app/validators/status_length_validator.rb
index dc841ded3..9cb1ec94b 100644
--- a/app/validators/status_length_validator.rb
+++ b/app/validators/status_length_validator.rb
@@ -1,7 +1,7 @@
# frozen_string_literal: true
class StatusLengthValidator < ActiveModel::Validator
- MAX_CHARS = 500
+ MAX_CHARS = 5000
URL_PLACEHOLDER_CHARS = 23
URL_PLACEHOLDER = 'x' * 23

5500
modules/nixos/services/mastodon/config/twitter.txt Executable file
View file

File diff suppressed because one or more lines are too long

214
modules/nixos/services/mastodon/default.nix Executable file
View file

@ -0,0 +1,214 @@
{
flake,
config,
pkgs,
lib,
...
}:
let
inherit (flake.config.machines.devices)
server
;
inherit (flake.config.services.instances) smtp mastodon web;
service = mastodon;
host = "${mastodon.subdomain}.${web.domains.url3}";
localhost = web.localhost.address0;
in
{
# If you need to start fresh for some reason, run these to create the new Admin account:
# sudo -u mastodon mastodon-tootctl accounts create nick --email=nick@localhost --confirmed --role=Owner
# sudo -u mastodon mastodon-tootctl accounts approve nick
# If you fuck up and lose the password, use this:
# sudo mastodon-tootctl accounts modify --reset-password nick
# If you really fuck up and name yourself wrong, use this shit
# sudo mastodon-tootctl accounts modify username --remove-role
# nixpkgs.overlays = [
# (
# final: prev: {
# mastodon = prev.mastodon.overrideAttrs (oldAttrs: {
# postPatch =
# (oldAttrs.postPatch or "")
# + ''
# patch -p1 < ${./chars.patch}
# '';
# });
# }
# )
# ];
services = {
mastodon = {
enable = true;
localDomain = host;
secretKeyBaseFile = "/var/lib/mastodon/secrets/secret-key-base";
streamingProcesses = 7;
trustedProxy = localhost;
automaticMigrations = true;
database = {
createLocally = true;
name = service.name;
host = "/run/postgresql";
user = service.name;
passwordFile = config.sops.secrets.mastodon-database.path;
};
extraConfig = {
SINGLE_USER_MODE = "true";
SMTP_AUTH_METHOD = "plain";
SMTP_DELIVERY_METHOD = "smtp";
SMTP_ENABLE_STARTTLS_AUTO = "true";
SMTP_SSL = "false";
};
mediaAutoRemove = {
enable = true;
olderThanDays = 14;
};
redis = {
createLocally = true;
enableUnixSocket = true;
};
sidekiqThreads = 25;
sidekiqProcesses = {
all = {
jobClasses = [
];
threads = null;
};
default = {
jobClasses = [
"default"
];
threads = 5;
};
ingress = {
jobClasses = [
"ingress"
];
threads = 5;
};
push-pull = {
jobClasses = [
"push"
"pull"
];
threads = 5;
};
mailers = {
jobClasses = [
"mailers"
];
threads = 5;
};
};
smtp = {
authenticate = true;
createLocally = false;
fromAddress = "upRootNutrition <${service.email.address0}>";
host = smtp.hostname;
passwordFile = config.sops.secrets.mastodon-smtp.path;
port = smtp.ports.port0;
user = service.email.address0;
};
};
caddy = {
virtualHosts = {
"${host}" = {
extraConfig = ''
handle_path /system/* {
file_server * {
root /var/lib/mastodon/public-system
}
}
handle /api/v1/streaming/* {
reverse_proxy unix//run/mastodon-streaming/streaming.socket
}
route * {
file_server * {
root ${pkgs.mastodon}/public
pass_thru
}
reverse_proxy * unix//run/mastodon-web/web.socket
}
tls ${service.ssl.cert} ${service.ssl.key}
handle_errors {
root * ${pkgs.mastodon}/public
rewrite 500.html
file_server
}
encode gzip
header /* {
Strict-Transport-Security "max-age=31536000;"
}
header /emoji/* Cache-Control "public, max-age=31536000, immutable"
header /packs/* Cache-Control "public, max-age=31536000, immutable"
header /system/accounts/avatars/* Cache-Control "public, max-age=31536000, immutable"
header /system/media_attachments/files/* Cache-Control "public, max-age=31536000, immutable"
'';
};
};
};
};
systemd.services.caddy.serviceConfig.ReadWriteDirectories = lib.mkForce [
"/var/lib/caddy"
"/run/mastodon-web"
];
sops =
let
sopsPath = secret: {
path = "${service.sops.path0}/${service.name}-${secret}";
owner = service.name;
mode = "600";
};
in
{
secrets = builtins.listToAttrs (
map
(secret: {
name = "${service.name}-${secret}";
value = sopsPath secret;
})
[
"smtp"
"database"
"redis"
]
);
};
fileSystems."/var/lib/${service.name}" = {
device = service.paths.path0;
fsType = "none";
options = [
"bind"
];
depends = [
server.storage0.mount
];
};
systemd.tmpfiles.rules = [
"Z ${service.paths.path0} 0755 ${service.name} ${service.name} -"
"Z ${service.sops.path0} 0755 ${service.name} ${service.name} -"
];
users.users.${service.name}.extraGroups = [
"postgres"
];
networking = {
firewall = {
allowedTCPPorts = [
];
};
};
}

102
modules/nixos/services/minecraft/default.nix Executable file
View file

@ -0,0 +1,102 @@
{
config,
flake,
...
}:
let
inherit (flake.config.machines.devices)
server
;
inherit (flake.config.services.instances)
minecraft
;
service = minecraft;
in
{
services = {
minecraft-server = {
enable = true;
eula = true;
openFirewall = true;
declarative = true;
serverProperties = {
"rcon.password" = config.sops.secrets."${service.name}-pass".path;
allow-flight = false;
allow-nether = true;
difficulty = 2;
enable-command-block = false;
enable-rcon = true;
enable-status = true;
force-gamemode = true;
gamemode = 0;
generate-structures = true;
hardcore = false;
hide-online-players = false;
level-name = "Brix on Nix";
level-seed = "9064150133272194";
max-players = 10;
max-world-size = 64000000;
motd = "A cool Minecraft server powered by NixOS";
online-mode = true;
pvp = true;
server-port = service.ports.port0;
spawn-animals = true;
spawn-monsters = true;
spawn-npcs = true;
spawn-protection = 16;
view-dtstance = 32;
white-list = true;
};
whitelist = {
Hefty_Chungus = "b75a9816-d408-4c54-b226-385b59ea1cb3";
Hefty_Chungus_Jr = "c3bf8cac-e953-4ea4-ae5f-7acb92a51a85";
EclipseMoon01 = "adef4af7-d8c6-4627-b492-e990ea1bb993";
Fallaryn = "d8baa117-ab58-4b07-92a5-48fb1978eb49";
};
};
};
sops =
let
sopsPath = secret: {
path = "${service.sops.path0}/${service.name}-${secret}";
owner = service.name;
mode = "600";
};
in
{
secrets = builtins.listToAttrs (
map
(secret: {
name = "${service.name}-${secret}";
value = sopsPath secret;
})
[
"pass"
]
);
};
fileSystems."/var/lib/${service.name}" = {
device = service.paths.path0;
fsType = "none";
options = [
"bind"
];
depends = [
server.storage0.mount
];
};
systemd.tmpfiles.rules = [
"Z ${service.paths.path0} 0755 ${service.name} ${service.name} -"
"Z ${service.sops.path0} 0755 ${service.name} ${service.name} -"
];
networking = {
firewall = {
allowedTCPPorts = [
service.ports.port0
];
};
};
}

6
modules/nixos/services/mullvad/default.nix Executable file
View file

@ -0,0 +1,6 @@
{
services.mullvad-vpn = {
enable = true;
enableExcludeWrapper = false;
};
}

139
modules/nixos/services/nextcloud/default.nix Executable file
View file

@ -0,0 +1,139 @@
{
flake,
config,
pkgs,
...
}:
let
inherit (flake.config.people)
user0
;
inherit (flake.config.people.users.${user0})
name
;
inherit (flake.config.machines.devices)
server
;
inherit (flake.config.services.instances)
nextcloud
nginx
web
;
service = nextcloud;
localhost = web.localhost.address0;
host = "${service.subdomain}.${web.domains.url1}";
in
{
services = {
nextcloud = {
appstoreEnable = true;
autoUpdateApps.enable = true;
configureRedis = true;
enable = true;
hostName = host;
https = true;
package = pkgs.nextcloud30;
phpOptions."opcache.interned_strings_buffer" = "24";
extraAppsEnable = true;
extraApps = {
inherit (config.services.service.package.packages.apps)
contacts
calendar
;
};
config = {
adminpassFile = config.sops.secrets."${service.name}-pass".path;
adminuser = name;
dbtype = "pgsql";
};
database = {
createLocally = true;
};
settings = {
default_phone_region = "CA";
log_type = "file";
mail_sendmailmode = "pipe";
mail_smtpmode = "sendmail";
maintenance_window_start = 4;
overwriteprotocol = "https";
trusted_proxies = [
localhost
];
};
};
nginx = {
enable = true;
virtualHosts.${host}.listen = [
{
addr = web.localhost.address1;
port = nginx.ports.port0;
}
];
};
caddy = {
virtualHosts = {
"${host}" = {
extraConfig = ''
reverse_proxy ${localhost}:${toString nginx.ports.port0}
tls ${service.ssl.cert} ${service.ssl.key}
'';
};
};
};
};
sops =
let
sopsPath = secret: {
path = "${service.sops.path0}/${service.name}-${secret}";
owner = service.name;
mode = "600";
};
in
{
secrets = builtins.listToAttrs (
map
(secret: {
name = "${service.name}-${secret}";
value = sopsPath secret;
})
[
"pass"
]
);
};
fileSystems."/var/lib/${service.name}" = {
device = service.paths.path0;
fsType = "none";
options = [
"bind"
];
depends = [
server.storage0.mount
];
};
systemd.tmpfiles.rules = [
"Z ${service.paths.path0} 750 ${service.name} ${service.name} -"
"Z ${service.sops.path0} 750 ${service.name} ${service.name} -"
];
users.users.${service.name}.extraGroups = [
"caddy"
"nginx"
"postgres"
];
networking = {
firewall = {
allowedTCPPorts = [
nginx.ports.port0
service.ports.port0
];
};
};
}

117
modules/nixos/services/ollama/default.nix Executable file
View file

@ -0,0 +1,117 @@
{
flake,
config,
pkgs,
...
}:
let
inherit (flake.config.machines.devices)
desktop
server
;
inherit (flake.config.services.instances)
ollama
web
;
service = ollama;
localhost = web.localhost.address0;
hostname = config.networking.hostName;
host = "${service.subdomain}.${web.domains.url0}";
caddyLogic =
if hostname == server.name then
{
caddy = {
virtualHosts = {
${host} = {
extraConfig = ''
reverse_proxy ${localhost}:${toString service.ports.port0}
tls ${service.ssl.cert} ${service.ssl.key}
'';
};
};
};
}
else
{ };
mountLogic =
if hostname == server.name then
{
"/var/lib/${service.name}" = {
device = service.paths.path0;
fsType = "none";
options = [
"bind"
];
depends = [
server.storage0.mount
];
};
}
else
{ };
in
{
services = {
ollama =
{
enable = true;
group = service.name;
host = "http://${localhost}";
user = service.name;
}
// (
if hostname == desktop.name then
{
acceleration = "rocm";
package = pkgs.ollama.override {
config = {
rocmSupport = true;
cudaSupport = false;
};
};
}
else
{
port = service.ports.port1;
acceleration = false;
models = service.paths.path1;
}
);
open-webui = {
enable = true;
host = localhost;
port = service.ports.port0;
environment = {
ENABLE_OLLAMA_API = "True";
ANONYMIZED_TELEMETRY = "False";
DO_NOT_TRACK = "True";
SCARF_NO_ANALYTICS = "True";
OLLAMA_BASE_URL = "http://${localhost}:${toString service.ports.port1}";
WEBUI_AUTH = "True";
};
};
} // caddyLogic;
systemd.tmpfiles.rules = [
(
if hostname == desktop.name then
"Z ${service.paths.path1} 0777 ${service.name} ${service.name} -"
else
"Z ${service.paths.path0} 0755 ${service.name} ${service.name} -"
)
];
networking = {
firewall = {
allowedTCPPorts = [
# 8080
service.ports.port0
service.ports.port1
];
};
};
fileSystems = mountLogic;
}

43
modules/nixos/services/owncast/default.nix Executable file
View file

@ -0,0 +1,43 @@
{ flake, ... }:
let
inherit (flake.config.services.instances)
owncast
web
;
service = owncast;
localhost = web.localhost.address1;
host = "${service.subdomain}.${web.domains.url1}";
in
{
services = {
owncast = {
enable = true;
listen = localhost;
port = service.ports.port0;
openFirewall = true;
};
caddy = {
virtualHosts = {
"${host}" = {
extraConfig = ''
reverse_proxy ${localhost}:${toString service.ports.port0}
tls ${service.ssl.cert} ${service.ssl.key}
'';
};
};
};
};
networking = {
firewall = {
allowedTCPPorts = [
service.ports.port0
service.ports.port1
];
};
};
# OBS Server rtmp://192.168.50.140:1935/live
}

151
modules/nixos/services/peertube/default.nix Executable file
View file

@ -0,0 +1,151 @@
{
flake,
config,
pkgs,
...
}:
let
inherit (flake.config.machines.devices)
server
;
inherit (flake.config.services.instances)
caddy
peertube
smtp
web
;
service = peertube;
localhost = web.localhost.address0;
host = "${service.subdomain}.${web.domains.url3}";
in
{
services = {
peertube = {
configureNginx = false;
enable = true;
enableWebHttps = true;
group = service.name;
listenWeb = caddy.ports.port1;
listenHttp = service.ports.port0;
localDomain = host;
serviceEnvironmentFile = config.sops.secrets."${service.name}-root".path;
user = service.name;
plugins = {
enable = true;
plugins = builtins.attrValues {
inherit (pkgs)
peertube-plugin-livechat
peertube-plugin-matomo
peertube-plugin-transcoding-custom-quality
peertube-theme-dark
;
};
};
secrets = {
secretsFile = config.sops.secrets."${service.name}-secret".path;
};
settings = {
instance = {
name = "upRootNutrition";
};
log = {
level = "debug";
};
smtp = {
transport = "smtp";
disable_starttls = false;
from_address = service.email.address0;
hostname = smtp.hostname;
port = smtp.ports.port0;
username = service.email.address0;
tls = false;
};
};
database = {
createLocally = true;
passwordFile = config.sops.secrets."${service.name}-database".path;
};
redis = {
enableUnixSocket = true;
createLocally = true;
passwordFile = config.sops.secrets."${service.name}-redis".path;
};
smtp = {
createLocally = true;
passwordFile = config.sops.secrets."${service.name}-smtp".path;
};
};
caddy = {
virtualHosts = {
${host} = {
extraConfig = ''
reverse_proxy ${localhost}:${toString service.ports.port0}
tls ${service.ssl.cert} ${service.ssl.key}
'';
};
};
};
};
sops =
let
sopsPath = secret: {
path = "${service.sops.path0}/${service.name}-${secret}-pass";
owner = service.name;
mode = "600";
};
in
{
secrets = builtins.listToAttrs (
map
(secret: {
name = "${service.name}-${secret}";
value = sopsPath secret;
})
[
"smtp"
"database"
"redis"
"root"
"secret"
]
);
};
fileSystems."/var/lib/${service.name}" = {
device = service.paths.path0;
fsType = "none";
options = [
"bind"
];
depends = [
server.storage0.mount
];
};
systemd.tmpfiles.rules = [
"Z ${service.paths.path0} 755 ${service.name} ${service.name} -"
"Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
];
users.users.${service.name}.extraGroups = [
"nginx"
"caddy"
];
networking = {
firewall = {
allowedTCPPorts = [
service.ports.port0
service.ports.port1
service.ports.port2
service.ports.port3
service.ports.port4
];
};
};
}

60
modules/nixos/services/postgresql/default.nix Executable file
View file

@ -0,0 +1,60 @@
{ flake, ... }:
let
inherit (flake.config.machines.devices)
server
;
inherit (flake.config.services.instances)
postgresql
;
service = postgresql;
in
{
services = {
postgresqlBackup = {
enable = true;
location = service.paths.path0;
databases = [
"mastodon"
"nextcloud"
"peertube"
"forgejo"
];
};
postgresql = {
enable = true;
};
};
networking = {
firewall = {
allowedTCPPorts = [
service.ports.port0
];
};
};
fileSystems."/var/lib/postgresql" = {
device = service.paths.path0;
fsType = "none";
options = [
"bind"
];
depends = [
server.storage0.mount
];
};
systemd.tmpfiles.rules = [
"Z ${service.paths.path0} 700 ${service.name} ${service.name} -"
];
users.users.${service.name}.extraGroups = [
"nextcloud"
"mastodon"
"forgejo"
];
system.activationScripts.postgresCommands = ''
chown -R ${service.name}:${service.name} ${service.paths.path0}
'';
}

37
modules/nixos/services/samba/default.nix Executable file
View file

@ -0,0 +1,37 @@
{
pkgs,
flake,
...
}:
let
inherit (flake.config.services.instances)
samba
jellyfin
;
service = samba;
in
{
# If you ever need to start fresh, you need to add yourself to the Samba users database:
# sudo smbpasswd -a username
services = {
samba = {
package = pkgs.samba4Full;
enable = true;
openFirewall = true;
settings = {
${service.paths.path1} = {
path = jellyfin.paths.path0;
writable = "true";
};
};
};
};
networking = {
firewall = {
allowedTCPPorts = [
service.ports.port0
];
};
};
}

64
modules/nixos/services/syncthing/default.nix Executable file
View file

@ -0,0 +1,64 @@
{ flake, ... }:
let
inherit (flake.config.machines.devices)
synology
phone
tablet
;
inherit (flake.config.services.instances)
syncthing
web
;
service = syncthing;
localhost = web.localhost.address0;
in
{
services = {
syncthing = {
enable = true;
overrideDevices = false;
overrideFolders = false;
openDefaultPorts = true;
systemService = true;
guiAddress = "${localhost}:${toString service.ports.port0}";
settings = {
devices = {
${synology.name} = {
autoAcceptFolders = true;
name = synology.name;
addresses = [
"tcp://${synology.ip.address0}:${toString service.ports.port2}"
];
id = synology.sync.address0;
};
${phone.name} = {
autoAcceptFolders = true;
name = phone.name;
addresses = [
"tcp://${phone.ip.address0}:${toString service.ports.port2}"
];
id = phone.sync.address0;
};
${tablet.name} = {
autoAcceptFolders = true;
name = tablet.name;
addresses = [
"tcp://${tablet.ip.address0}:${toString service.ports.port2}"
];
id = tablet.sync.address0;
};
};
};
};
};
networking = {
firewall = {
allowedTCPPorts = [
service.ports.port0
service.ports.port1
service.ports.port2
];
};
};
}

98
modules/nixos/services/vaultwarden/default.nix Executable file
View file

@ -0,0 +1,98 @@
{
flake,
config,
...
}:
let
inherit (flake.config.services.instances) smtp vaultwarden web;
service = vaultwarden;
localhost = web.localhost.address0;
host = "${service.subdomain}.${web.domains.url0}";
in
{
services = {
vaultwarden = {
backupDir = service.paths.path0;
enable = true;
environmentFile = config.sops.secrets."${service.name}/env".path;
config = {
# Domain Configuration
DOMAIN = "https://${host}";
# Email Configuration
SMTP_AUTH_MECHANISM = "Plain";
SMTP_EMBED_IMAGES = true;
SMTP_FROM = service.email.address0;
SMTP_FROM_NAME = service.label;
SMTP_HOST = smtp.hostname;
SMTP_PORT = smtp.ports.port0;
SMTP_SECURITY = "starttls";
SMTP_USERNAME = service.email.address0;
# Security Configuration
DISABLE_ADMIN_TOKEN = false;
# Event and Backup Management
EVENTS_DAYS_RETAIN = 90;
# User Features
SENDS_ALLOWED = true;
SIGNUPS_VERIFY = true;
WEB_VAULT_ENABLED = true;
# Rocket (Web Server) Settings
ROCKET_ADDRESS = localhost;
ROCKET_PORT = service.ports.port0;
};
};
caddy = {
virtualHosts = {
"${host}" = {
extraConfig = ''
reverse_proxy ${localhost}:${toString service.ports.port0} {
header_up X-Real-IP {remote_host}
}
tls ${service.ssl.cert} ${service.ssl.key}
encode zstd gzip
'';
};
};
};
};
sops =
let
sopsPath = secret: {
path = "${service.sops.path0}/${service.name}-${secret}";
owner = service.name;
mode = "600";
};
in
{
secrets = builtins.listToAttrs (
map
(secret: {
name = "${service.name}/${secret}";
value = sopsPath secret;
})
[
"env"
]
);
};
systemd.tmpfiles.rules = [
"Z ${service.paths.path0} 0755 ${service.name} ${service.name} -"
"Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
];
networking = {
firewall = {
allowedTCPPorts = [
service.ports.port0
];
};
};
}

33
modules/nixos/services/website/default.nix Executable file
View file

@ -0,0 +1,33 @@
{ flake, ... }:
let
inherit (flake.config.services.instances)
upRootNutrition
web
;
service = upRootNutrition;
host = web.domains.url3;
in
{
services = {
caddy = {
virtualHosts = {
"${host}" = {
extraConfig = ''
root * ${service.paths.path0}
file_server
encode gzip
try_files {path} /index.html
tls ${service.ssl.cert} ${service.ssl.key}
'';
};
};
};
};
systemd.tmpfiles.rules = [
"Z ${service.paths.path0} 755 caddy caddy -"
];
}