diff --git a/hosts/elaris/machine.nix b/hosts/elaris/machine.nix index 7a73a41..2c63c08 100644 --- a/hosts/elaris/machine.nix +++ b/hosts/elaris/machine.nix @@ -1,2 +1,2 @@ { -} \ No newline at end of file +} diff --git a/hosts/velarion/machine.nix b/hosts/velarion/machine.nix index 82485ec..d438145 100644 --- a/hosts/velarion/machine.nix +++ b/hosts/velarion/machine.nix @@ -1,11 +1,13 @@ -{dns, ...}: let +{ dns, ... }: +let domain = "ruject.fun"; database = { host = "127.0.0.1"; port = 5432; }; ipv4 = "94.156.112.0"; -in { +in +{ services.nginx.enable = true; machine = { gateway = "10.0.0.1"; @@ -29,7 +31,7 @@ in { "ns2" ]; - A = [ipv4]; + A = [ ipv4 ]; subdomains = rec { ns1 = host ipv4 null; @@ -52,10 +54,10 @@ in { }; TXT = [ - (with spf; strict ["a:mail.ruject.fun"]) + (with spf; strict [ "a:mail.ruject.fun" ]) ]; - MX = with mx; [(mx 10 "mail.ruject.fun.")]; + MX = with mx; [ (mx 10 "mail.ruject.fun.") ]; DMARC = [ { diff --git a/services/bind/firewall.nix b/services/bind/firewall.nix index 1196ffd..a661735 100644 --- a/services/bind/firewall.nix +++ b/services/bind/firewall.nix @@ -6,7 +6,8 @@ let cfg = config.machine.bind; in -with lib; mkIf cfg.enable { +with lib; +mkIf cfg.enable { networking.firewall = { allowedTCPPorts = [ cfg.port ]; allowedUDPPorts = [ cfg.port ]; diff --git a/services/bind/service.nix b/services/bind/service.nix index de504c1..5abbe6a 100644 --- a/services/bind/service.nix +++ b/services/bind/service.nix @@ -7,7 +7,8 @@ let cfg = config.machine.bind; in -with lib; mkIf cfg.enable { +with lib; +mkIf cfg.enable { services.bind = { enable = cfg.enable; listenOnPort = cfg.port; diff --git a/services/code-server/nginx.nix b/services/code-server/nginx.nix index 296d0ed..bb7d62d 100644 --- a/services/code-server/nginx.nix +++ b/services/code-server/nginx.nix @@ -6,7 +6,8 @@ let cfg = config.machine.code-server; in -with lib; mkIf cfg.enable { +with lib; +mkIf cfg.enable { services.nginx.virtualHosts = mkIf (cfg.domain != null) { ${cfg.domain} = { enableACME = true; diff --git a/services/code-server/options.nix b/services/code-server/options.nix index 66dfcbe..a8d788d 100644 --- a/services/code-server/options.nix +++ b/services/code-server/options.nix @@ -6,7 +6,8 @@ let cfg = config.machine.code-server; in -with lib; { +with lib; +{ options.machine.code-server = { enable = mkEnableOption "code-server"; port = mkOption { diff --git a/services/code-server/service.nix b/services/code-server/service.nix index 5671050..72db900 100644 --- a/services/code-server/service.nix +++ b/services/code-server/service.nix @@ -7,7 +7,8 @@ let cfg = config.machine.code-server; in -with lib; mkIf cfg.enable { +with lib; +mkIf cfg.enable { services.code-server = { enable = cfg.enable; port = cfg.port; diff --git a/services/coturn/firewall.nix b/services/coturn/firewall.nix index e9c410c..ec42adf 100644 --- a/services/coturn/firewall.nix +++ b/services/coturn/firewall.nix @@ -6,7 +6,8 @@ let cfg = config.machine.coturn; in -with lib; mkIf cfg.enable { +with lib; +mkIf cfg.enable { networking.firewall = { interfaces.enp2s0 = let diff --git a/services/coturn/service.nix b/services/coturn/service.nix index 712bd88..2ba2976 100644 --- a/services/coturn/service.nix +++ b/services/coturn/service.nix @@ -12,7 +12,8 @@ let realm ; in -with lib; mkIf enable { +with lib; +mkIf enable { services.coturn = rec { inherit realm enable; no-cli = true; diff --git a/services/forgejo/mail.nix b/services/forgejo/mail.nix index 9e0f5e6..65d0fda 100644 --- a/services/forgejo/mail.nix +++ b/services/forgejo/mail.nix @@ -9,7 +9,8 @@ let inherit (config.machine.forgejo) domain; address = "noreply@${domain}"; in -with lib; mkIf config.machine.mail.enable { +with lib; +mkIf config.machine.mail.enable { services.forgejo = { secrets = { mailer.PASSWD = sec."mail/servicePassword".path; diff --git a/services/forgejo/network.nix b/services/forgejo/network.nix index 546e966..4680a1d 100644 --- a/services/forgejo/network.nix +++ b/services/forgejo/network.nix @@ -10,19 +10,22 @@ let port ; in -with lib; mkIf enable { +with lib; +mkIf enable { networking.firewall = { allowedTCPPorts = [ port ]; }; - services.nginx.virtualHosts = with lib; mkIf (domain != null) { - "${domain}" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://[::1]:${toString port}"; - proxyWebsockets = true; + services.nginx.virtualHosts = + with lib; + mkIf (domain != null) { + "${domain}" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://[::1]:${toString port}"; + proxyWebsockets = true; + }; }; }; - }; } diff --git a/services/forgejo/runners.nix b/services/forgejo/runners.nix index 21e8acb..b060c09 100644 --- a/services/forgejo/runners.nix +++ b/services/forgejo/runners.nix @@ -9,7 +9,8 @@ let url = config.services.forgejo.settings.server.ROOT_URL; cfg = config.machine.forgejo; in -with lib; mkIf cfg.enableRunner { +with lib; +mkIf cfg.enableRunner { sops.secrets = { "forgejo/runnerToken" = { sopsFile = ./../../secrets/common.yaml; diff --git a/services/forgejo/tmpfiles.nix b/services/forgejo/tmpfiles.nix index dab1371..ad68293 100644 --- a/services/forgejo/tmpfiles.nix +++ b/services/forgejo/tmpfiles.nix @@ -7,7 +7,8 @@ let cfg = config.machine.forgejo; customDir = config.services.forgejo.customDir; in -with lib; mkIf cfg.enable { +with lib; +mkIf cfg.enable { systemd.tmpfiles.rules = [ "d '${customDir}/templates' - forgejo forgejo - -" "d '${customDir}/public' - forgejo forgejo - -" diff --git a/services/mail/rspamd.nix b/services/mail/rspamd.nix index 210f2d6..3779981 100644 --- a/services/mail/rspamd.nix +++ b/services/mail/rspamd.nix @@ -6,7 +6,8 @@ let inherit (config.machine.mail) enable; in -with lib; mkIf enable { +with lib; +mkIf enable { services.rspamd = { enable = true; overrides = { diff --git a/services/mail/tmpfiles.nix b/services/mail/tmpfiles.nix index b376e21..47e63b1 100644 --- a/services/mail/tmpfiles.nix +++ b/services/mail/tmpfiles.nix @@ -7,7 +7,8 @@ let inherit (config.machine.mail) enable; in -with lib; mkIf enable { +with lib; +mkIf enable { systemd.tmpfiles.rules = [ "C /var/dkim/default.private 0600 root root - - ${sec.dkim_default_private.path}" ]; diff --git a/services/minecraft-server/firewall.nix b/services/minecraft-server/firewall.nix index 8bb68f4..5d82c23 100644 --- a/services/minecraft-server/firewall.nix +++ b/services/minecraft-server/firewall.nix @@ -9,7 +9,8 @@ let port ; in -with lib; mkIf enable { +with lib; +mkIf enable { networking.firewall.allowedTCPPorts = [ port ]; diff --git a/services/minecraft-server/service.nix b/services/minecraft-server/service.nix index ffce921..533e4ff 100644 --- a/services/minecraft-server/service.nix +++ b/services/minecraft-server/service.nix @@ -10,7 +10,8 @@ let port ; in -with lib; mkIf enable { +with lib; +mkIf enable { services.minecraft-server = { inherit enable; dataDir = "/var/lib/minecraft"; diff --git a/services/mysql/firewall.nix b/services/mysql/firewall.nix index 2ef7ae1..38905b4 100644 --- a/services/mysql/firewall.nix +++ b/services/mysql/firewall.nix @@ -6,7 +6,8 @@ let cfg = config.machine.mysql; in -with lib; mkIf cfg.enable { +with lib; +mkIf cfg.enable { networking.firewall = { allowedTCPPorts = [ cfg.port ]; }; diff --git a/services/mysql/service.nix b/services/mysql/service.nix index 1a01be1..29ad84e 100644 --- a/services/mysql/service.nix +++ b/services/mysql/service.nix @@ -10,7 +10,8 @@ let enable ; in -with lib; mkIf enable { +with lib; +mkIf enable { services.mysql = { inherit enable; package = pkgs.mysql84; diff --git a/services/navidrome/service.nix b/services/navidrome/service.nix index be70885..a1b4c74 100644 --- a/services/navidrome/service.nix +++ b/services/navidrome/service.nix @@ -11,17 +11,20 @@ let folder ; in -with lib; mkIf enable { - services.nginx.virtualHosts = with lib; mkIf (domain != null) { - "${domain}" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://[::1]:${toString port}"; - proxyWebsockets = true; +with lib; +mkIf enable { + services.nginx.virtualHosts = + with lib; + mkIf (domain != null) { + "${domain}" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://[::1]:${toString port}"; + proxyWebsockets = true; + }; }; }; - }; services.navidrome = { inherit enable; diff --git a/services/networking/default.nix b/services/networking/default.nix index 9fc890e..e860eca 100644 --- a/services/networking/default.nix +++ b/services/networking/default.nix @@ -3,4 +3,4 @@ ./options.nix ./service.nix ]; -} \ No newline at end of file +} diff --git a/services/networking/service.nix b/services/networking/service.nix index cec7c64..716e25a 100644 --- a/services/networking/service.nix +++ b/services/networking/service.nix @@ -1,8 +1,14 @@ -{ config, lib, hostname, ... }: +{ + config, + lib, + hostname, + ... +}: let inherit (config.machine) ipv4 gateway; in -with lib; { +with lib; +{ networking = { hostName = hostname; networkmanager.enable = mkDefault true; diff --git a/services/nextcloud/database.nix b/services/nextcloud/database.nix index 86d9b71..a053d98 100644 --- a/services/nextcloud/database.nix +++ b/services/nextcloud/database.nix @@ -7,7 +7,8 @@ let pgsqlEnable = config.machine.postgresql.enable; cfg = config.machine.nextcloud; in -with lib; mkIf cfg.enable { +with lib; +mkIf cfg.enable { services.nextcloud.config = if pgsqlEnable then { @@ -20,13 +21,15 @@ with lib; mkIf cfg.enable { dbhost = "localhost"; }; - services.postgresql = with lib; mkIf pgsqlEnable { - ensureDatabases = [ "nextcloud" ]; - ensureUsers = [ - { - name = "nextcloud"; - ensureDBOwnership = true; - } - ]; - }; + services.postgresql = + with lib; + mkIf pgsqlEnable { + ensureDatabases = [ "nextcloud" ]; + ensureUsers = [ + { + name = "nextcloud"; + ensureDBOwnership = true; + } + ]; + }; } diff --git a/services/nextcloud/mail.nix b/services/nextcloud/mail.nix index 2c741f3..39822d9 100644 --- a/services/nextcloud/mail.nix +++ b/services/nextcloud/mail.nix @@ -11,7 +11,8 @@ let ; address = "noreply@${host}"; in -with lib; mkIf enable { +with lib; +mkIf enable { services.nextcloud = { settings = { mail_smtpmode = "smtp"; diff --git a/services/nextcloud/service.nix b/services/nextcloud/service.nix index e97a6b0..d9da422 100644 --- a/services/nextcloud/service.nix +++ b/services/nextcloud/service.nix @@ -8,7 +8,8 @@ let cfg = config.machine.nextcloud; in -with lib; mkIf cfg.enable { +with lib; +mkIf cfg.enable { services.nextcloud = { enable = cfg.enable; appstoreEnable = false; diff --git a/services/nginx/acme.nix b/services/nginx/acme.nix index 1b1f87b..360da9a 100644 --- a/services/nginx/acme.nix +++ b/services/nginx/acme.nix @@ -1,5 +1,6 @@ { lib, config, ... }: -with lib; mkIf (config.services.nginx.enable) { +with lib; +mkIf (config.services.nginx.enable) { security.acme = { acceptTerms = true; defaults = { diff --git a/services/nginx/firewall.nix b/services/nginx/firewall.nix index a8969c8..5c50605 100644 --- a/services/nginx/firewall.nix +++ b/services/nginx/firewall.nix @@ -6,7 +6,8 @@ let inherit (config.services.nginx) enable; in -with lib; mkIf enable { +with lib; +mkIf enable { networking.firewall.allowedTCPPorts = [ 80 443 diff --git a/services/postgresql/service.nix b/services/postgresql/service.nix index 72704ce..d396f39 100644 --- a/services/postgresql/service.nix +++ b/services/postgresql/service.nix @@ -10,7 +10,8 @@ let enable ; in -with lib; mkIf enable { +with lib; +mkIf enable { services.postgresql = { inherit enable; settings = { diff --git a/services/prometheus/service.nix b/services/prometheus/service.nix index 7810105..92cce37 100644 --- a/services/prometheus/service.nix +++ b/services/prometheus/service.nix @@ -9,7 +9,8 @@ let port ; in -with lib; mkIf enable { +with lib; +mkIf enable { services.prometheus = { inherit enable port; }; diff --git a/services/prosody/firewall.nix b/services/prosody/firewall.nix index ebd8cf2..df51a26 100644 --- a/services/prosody/firewall.nix +++ b/services/prosody/firewall.nix @@ -8,7 +8,8 @@ let enable ; in -with lib; mkIf enable { +with lib; +mkIf enable { networking.firewall = { allowedTCPPorts = [ # HTTP filer diff --git a/services/prosody/nginx.nix b/services/prosody/nginx.nix index 8445478..254b1e1 100644 --- a/services/prosody/nginx.nix +++ b/services/prosody/nginx.nix @@ -11,7 +11,8 @@ let localhost = "http://localhost:5280"; in -with lib; mkIf enable { +with lib; +mkIf enable { security.acme.certs."${domain}".extraDomainNames = [ "conference.${domain}" "upload.${domain}" @@ -19,36 +20,38 @@ with lib; mkIf enable { users.groups.acme.members = [ "prosody" ]; - services.nginx.virtualHosts = with lib; mkIf (domain != null) { - "${domain}".locations = { - "= /xmpp-websocket" = { - proxyPass = localhost; - proxyWebsockets = true; + services.nginx.virtualHosts = + with lib; + mkIf (domain != null) { + "${domain}".locations = { + "= /xmpp-websocket" = { + proxyPass = localhost; + proxyWebsockets = true; + }; + "= /http-bind".proxyPass = localhost; + "/push".proxyPass = localhost; + "= /.well-known/host-meta".proxyPass = localhost; + "= /.well-known/host-meta.json".proxyPass = localhost; + }; + "conference.${domain}" = { + http3 = true; + quic = true; + forceSSL = true; + kTLS = true; + useACMEHost = domain; + sslCertificate = "${config.security.acme.certs.${domain}.directory}/fullchain.pem"; + sslCertificateKey = "${config.security.acme.certs.${domain}.directory}/key.pem"; + locations."/".proxyPass = localhost; + }; + "upload.${domain}" = { + http3 = true; + quic = true; + forceSSL = true; + kTLS = true; + useACMEHost = domain; + sslCertificate = "${config.security.acme.certs.${domain}.directory}/fullchain.pem"; + sslCertificateKey = "${config.security.acme.certs.${domain}.directory}/key.pem"; + locations."/".proxyPass = localhost; }; - "= /http-bind".proxyPass = localhost; - "/push".proxyPass = localhost; - "= /.well-known/host-meta".proxyPass = localhost; - "= /.well-known/host-meta.json".proxyPass = localhost; }; - "conference.${domain}" = { - http3 = true; - quic = true; - forceSSL = true; - kTLS = true; - useACMEHost = domain; - sslCertificate = "${config.security.acme.certs.${domain}.directory}/fullchain.pem"; - sslCertificateKey = "${config.security.acme.certs.${domain}.directory}/key.pem"; - locations."/".proxyPass = localhost; - }; - "upload.${domain}" = { - http3 = true; - quic = true; - forceSSL = true; - kTLS = true; - useACMEHost = domain; - sslCertificate = "${config.security.acme.certs.${domain}.directory}/fullchain.pem"; - sslCertificateKey = "${config.security.acme.certs.${domain}.directory}/key.pem"; - locations."/".proxyPass = localhost; - }; - }; } diff --git a/services/prosody/service.nix b/services/prosody/service.nix index f9b30c2..585d968 100644 --- a/services/prosody/service.nix +++ b/services/prosody/service.nix @@ -12,7 +12,8 @@ let sslCertDir = config.security.acme.certs."${domain}".directory; in -with lib; mkIf enable { +with lib; +mkIf enable { services.prosody = { inherit enable; diff --git a/services/redis/service.nix b/services/redis/service.nix index 5dc40f7..fe16516 100644 --- a/services/redis/service.nix +++ b/services/redis/service.nix @@ -10,7 +10,8 @@ let enable ; in -with lib; mkIf enable { +with lib; +mkIf enable { sops.secrets = { "redis/password" = { }; }; diff --git a/services/roundcube/service.nix b/services/roundcube/service.nix index a302fcc..44b293b 100644 --- a/services/roundcube/service.nix +++ b/services/roundcube/service.nix @@ -10,7 +10,8 @@ let domain ; in -with lib; mkIf enable { +with lib; +mkIf enable { services.roundcube = { inherit enable; dicts = with pkgs.aspellDicts; [ diff --git a/services/synapse/database.nix b/services/synapse/database.nix index f353491..425e1ce 100644 --- a/services/synapse/database.nix +++ b/services/synapse/database.nix @@ -7,20 +7,25 @@ let pgsqlEnable = config.machine.postgresql.enable; inherit (config.machine.synapse) enable; in -with lib; mkIf enable { - services.postgresql = with lib; mkIf pgsqlEnable { - ensureUsers = [ - { - name = "matrix-synapse"; - ensureDBOwnership = true; - } - ]; - ensureDatabases = [ "matrix-synapse" ]; - }; +with lib; +mkIf enable { + services.postgresql = + with lib; + mkIf pgsqlEnable { + ensureUsers = [ + { + name = "matrix-synapse"; + ensureDBOwnership = true; + } + ]; + ensureDatabases = [ "matrix-synapse" ]; + }; services.matrix-synapse.settings.database = { name = if pgsqlEnable then "psycopg2" else "sqlite3"; - args = with lib; mkIf pgsqlEnable { - host = "/run/postgresql"; - }; + args = + with lib; + mkIf pgsqlEnable { + host = "/run/postgresql"; + }; }; } diff --git a/services/synapse/element.nix b/services/synapse/element.nix index f0999fa..36b2311 100644 --- a/services/synapse/element.nix +++ b/services/synapse/element.nix @@ -52,7 +52,8 @@ let }; }; in -with lib; mkIf enable { +with lib; +mkIf enable { services.nginx.virtualHosts.${domain} = { enableACME = true; forceSSL = true; diff --git a/services/synapse/mail.nix b/services/synapse/mail.nix index 8c7111b..fd27c07 100644 --- a/services/synapse/mail.nix +++ b/services/synapse/mail.nix @@ -11,7 +11,8 @@ let ; address = "noreply@${domain}"; in -with lib; mkIf (enable && config.machine.mail.enable) { +with lib; +mkIf (enable && config.machine.mail.enable) { services.matrix-synapse = { settings = { admin_contact = address; diff --git a/services/synapse/redis.nix b/services/synapse/redis.nix index 4845b76..7dedf20 100644 --- a/services/synapse/redis.nix +++ b/services/synapse/redis.nix @@ -7,7 +7,8 @@ let redisEnable = config.machine.redis.enable; inherit (config.machine.synapse) enable; in -with lib; mkIf (redisEnable && enable) { +with lib; +mkIf (redisEnable && enable) { services.redis.servers.matrix-synapse = { enable = true; }; diff --git a/services/synapse/secrets.nix b/services/synapse/secrets.nix index 73eb31a..cd3aa95 100644 --- a/services/synapse/secrets.nix +++ b/services/synapse/secrets.nix @@ -8,7 +8,8 @@ let enable ; in -with lib; mkIf enable { +with lib; +mkIf enable { sops.secrets = { "matrix/registrationSharedSecret" = { sopsFile = ./../../secrets/common.yaml; @@ -40,7 +41,9 @@ with lib; mkIf enable { smtp_pass: ${config.sops.placeholder."mail/servicePassword"} ''; }; - services.matrix-synapse.extraConfigFiles = with lib; mkIf config.machine.synapse.enable [ - config.sops.templates.matrix-synapse-config.path - ]; + services.matrix-synapse.extraConfigFiles = + with lib; + mkIf config.machine.synapse.enable [ + config.sops.templates.matrix-synapse-config.path + ]; } diff --git a/services/synapse/synapse.nix b/services/synapse/synapse.nix index 022ac61..acb5aa1 100644 --- a/services/synapse/synapse.nix +++ b/services/synapse/synapse.nix @@ -12,7 +12,8 @@ let metrics ; in -with lib; mkIf enable { +with lib; +mkIf enable { services.matrix-synapse = { inherit enable; enableRegistrationScript = true; diff --git a/services/synapse/turn.nix b/services/synapse/turn.nix index 556c996..a7ccdc1 100644 --- a/services/synapse/turn.nix +++ b/services/synapse/turn.nix @@ -6,7 +6,8 @@ let inherit (config.machine.coturn) enable; in -with lib; mkIf (enable && config.machine.coturn.enable) { +with lib; +mkIf (enable && config.machine.coturn.enable) { services.matrix-synapse.settings = with config.services.coturn; { turn_uris = [ "turn:${realm}:3478?transport=udp" diff --git a/services/uptime-kuma/service.nix b/services/uptime-kuma/service.nix index 3be7bde..e2dbde1 100644 --- a/services/uptime-kuma/service.nix +++ b/services/uptime-kuma/service.nix @@ -10,7 +10,8 @@ let port ; in -with lib; mkIf enable { +with lib; +mkIf enable { services.uptime-kuma = { inherit enable; settings = { @@ -18,16 +19,18 @@ with lib; mkIf enable { }; }; - services.nginx.virtualHosts = with lib; mkIf (domain != null) { - "${domain}" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString port}"; - proxyWebsockets = true; + services.nginx.virtualHosts = + with lib; + mkIf (domain != null) { + "${domain}" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString port}"; + proxyWebsockets = true; + }; }; }; - }; networking.firewall = { allowedTCPPorts = [ port ]; diff --git a/services/vaultwarden/service.nix b/services/vaultwarden/service.nix index e35d78e..c639755 100644 --- a/services/vaultwarden/service.nix +++ b/services/vaultwarden/service.nix @@ -10,34 +10,37 @@ let port ; in -with lib; mkIf enable { +with lib; +mkIf enable { networking.firewall = { allowedTCPPorts = [ port ]; }; - services.nginx.virtualHosts = with lib; mkIf (domain != null) { - "${domain}" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString port}"; - proxyWebsockets = true; + services.nginx.virtualHosts = + with lib; + mkIf (domain != null) { + "${domain}" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString port}"; + proxyWebsockets = true; + extraConfig = '' + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + ''; + }; + extraConfig = '' - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header Referrer-Policy same-origin; + add_header X-XSS-Protection "1; mode=block"; ''; }; - - extraConfig = '' - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - add_header Referrer-Policy same-origin; - add_header X-XSS-Protection "1; mode=block"; - ''; }; - }; services.vaultwarden = { inherit enable; diff --git a/services/xray-3x-ui/firewall.nix b/services/xray-3x-ui/firewall.nix index aef0dcc..4eaf332 100644 --- a/services/xray-3x-ui/firewall.nix +++ b/services/xray-3x-ui/firewall.nix @@ -9,7 +9,8 @@ let port ; in -with lib; mkIf enable { +with lib; +mkIf enable { networking.firewall.allowedTCPPorts = [ # Web panel port diff --git a/services/xray-3x-ui/nginx.nix b/services/xray-3x-ui/nginx.nix index 19c0c86..148196c 100644 --- a/services/xray-3x-ui/nginx.nix +++ b/services/xray-3x-ui/nginx.nix @@ -2,43 +2,50 @@ lib, config, ... -}: let - inherit - (config.machine.xray-3x-ui) +}: +let + inherit (config.machine.xray-3x-ui) enable port domain subscriptions ; -in { - services.nginx.virtualHosts = with lib; mkIf enable { - ${domain} = with lib; mkIf (domain != null) { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString port}"; - proxyWebsockets = true; - extraConfig = '' - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_redirect off; - ''; - }; +in +{ + services.nginx.virtualHosts = + with lib; + mkIf enable { + ${domain} = + with lib; + mkIf (domain != null) { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString port}"; + proxyWebsockets = true; + extraConfig = '' + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_redirect off; + ''; + }; + }; + ${subscriptions.domain} = + with lib; + mkIf (subscriptions.domain != null) { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:2096"; + proxyWebsockets = true; + extraConfig = '' + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_redirect off; + ''; + }; + }; }; - ${subscriptions.domain} = with lib; mkIf (subscriptions.domain != null) { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://127.0.0.1:2096"; - proxyWebsockets = true; - extraConfig = '' - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_redirect off; - ''; - }; - }; - }; } diff --git a/services/xray-3x-ui/options.nix b/services/xray-3x-ui/options.nix index e6aab90..b979e0e 100644 --- a/services/xray-3x-ui/options.nix +++ b/services/xray-3x-ui/options.nix @@ -30,4 +30,4 @@ with lib; description = "Directory to store 3x-ui data."; }; }; -} \ No newline at end of file +} diff --git a/services/xray-3x-ui/service.nix b/services/xray-3x-ui/service.nix index 175915a..9423843 100644 --- a/services/xray-3x-ui/service.nix +++ b/services/xray-3x-ui/service.nix @@ -1,6 +1,11 @@ # See https://github.com/sunmeplz/xray-3x-ui -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: with lib; @@ -11,8 +16,7 @@ let minGoVersion = "1.26.0"; xray-3x-ui = - assert assertMsg - (versionAtLeast pkgs.go.version minGoVersion) + assert assertMsg (versionAtLeast pkgs.go.version minGoVersion) "3x-ui requires Go >= ${minGoVersion}, but ${pkgs.go.version} is available"; pkgs.buildGoModule rec { @@ -28,7 +32,10 @@ let vendorHash = "sha256-M8YQTMfF/xZut4hxUcAfF2xGK625vwJNp4JS/zoXUCQ="; - ldflags = [ "-s" "-w" ]; + ldflags = [ + "-s" + "-w" + ]; meta = with lib; { description = "Xray panel supporting multi-protocol multi-user"; @@ -39,7 +46,8 @@ let }; }; -in { +in +{ # Service implementation config = mkIf cfg.enable { # User and group configuration @@ -85,8 +93,14 @@ in { Group = "xray-3x-ui"; StateDirectory = "3x-ui 3x-ui/bin 3x-ui/logs"; StateDirectoryMode = "0755"; - AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_NET_ADMIN" ]; - CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_NET_ADMIN" ]; + AmbientCapabilities = [ + "CAP_NET_BIND_SERVICE" + "CAP_NET_ADMIN" + ]; + CapabilityBoundingSet = [ + "CAP_NET_BIND_SERVICE" + "CAP_NET_ADMIN" + ]; }; };