diff --git a/hosts/elaris/machine.nix b/hosts/elaris/machine.nix
index 2c63c08..7a73a41 100644
--- a/hosts/elaris/machine.nix
+++ b/hosts/elaris/machine.nix
@@ -1,2 +1,2 @@
 {
-}
+}
\ No newline at end of file
diff --git a/hosts/velarion/machine.nix b/hosts/velarion/machine.nix
index d438145..82485ec 100644
--- a/hosts/velarion/machine.nix
+++ b/hosts/velarion/machine.nix
@@ -1,13 +1,11 @@
-{ dns, ... }:
-let
+{dns, ...}: let
 domain = "ruject.fun";
 database = {
 host = "127.0.0.1";
 port = 5432;
 };
 ipv4 = "94.156.112.0";
-in
-{
+in {
 services.nginx.enable = true;
 machine = {
 gateway = "10.0.0.1";
@@ -31,7 +29,7 @@ in
 "ns2"
 ];
- A = [ ipv4 ];
+ A = [ipv4];
 subdomains = rec {
 ns1 = host ipv4 null;
@@ -54,10 +52,10 @@ in
 };
 TXT = [
- (with spf; strict [ "a:mail.ruject.fun" ])
+ (with spf; strict ["a:mail.ruject.fun"])
 ];
- MX = with mx; [ (mx 10 "mail.ruject.fun.") ];
+ MX = with mx; [(mx 10 "mail.ruject.fun.")];
 DMARC = [
 {
diff --git a/services/bind/firewall.nix b/services/bind/firewall.nix
index a661735..1196ffd 100644
--- a/services/bind/firewall.nix
+++ b/services/bind/firewall.nix
@@ -6,8 +6,7 @@ let
 cfg = config.machine.bind;
 in
-with lib;
-mkIf cfg.enable {
+with lib; mkIf cfg.enable {
 networking.firewall = {
 allowedTCPPorts = [ cfg.port ];
 allowedUDPPorts = [ cfg.port ];
diff --git a/services/bind/service.nix b/services/bind/service.nix
index 5abbe6a..de504c1 100644
--- a/services/bind/service.nix
+++ b/services/bind/service.nix
@@ -7,8 +7,7 @@ let
 cfg = config.machine.bind;
 in
-with lib;
-mkIf cfg.enable {
+with lib; mkIf cfg.enable {
 services.bind = {
 enable = cfg.enable;
 listenOnPort = cfg.port;
diff --git a/services/code-server/nginx.nix b/services/code-server/nginx.nix
index bb7d62d..296d0ed 100644
--- a/services/code-server/nginx.nix
+++ b/services/code-server/nginx.nix
@@ -6,8 +6,7 @@ let
 cfg = config.machine.code-server;
 in
-with lib;
-mkIf cfg.enable {
+with lib; mkIf cfg.enable {
 services.nginx.virtualHosts = mkIf (cfg.domain != null) {
 ${cfg.domain} = {
 enableACME = true;
diff --git a/services/code-server/options.nix b/services/code-server/options.nix
index a8d788d..66dfcbe 100644
--- a/services/code-server/options.nix
+++ b/services/code-server/options.nix
@@ -6,8 +6,7 @@ let
 cfg = config.machine.code-server;
 in
-with lib;
-{
+with lib; {
 options.machine.code-server = {
 enable = mkEnableOption "code-server";
 port = mkOption {
diff --git a/services/code-server/service.nix b/services/code-server/service.nix
index 72db900..5671050 100644
--- a/services/code-server/service.nix
+++ b/services/code-server/service.nix
@@ -7,8 +7,7 @@ let
 cfg = config.machine.code-server;
 in
-with lib;
-mkIf cfg.enable {
+with lib; mkIf cfg.enable {
 services.code-server = {
 enable = cfg.enable;
 port = cfg.port;
diff --git a/services/coturn/firewall.nix b/services/coturn/firewall.nix
index ec42adf..e9c410c 100644
--- a/services/coturn/firewall.nix
+++ b/services/coturn/firewall.nix
@@ -6,8 +6,7 @@ let
 cfg = config.machine.coturn;
 in
-with lib;
-mkIf cfg.enable {
+with lib; mkIf cfg.enable {
 networking.firewall = {
 interfaces.enp2s0 =
 let
diff --git a/services/coturn/service.nix b/services/coturn/service.nix
index 2ba2976..712bd88 100644
--- a/services/coturn/service.nix
+++ b/services/coturn/service.nix
@@ -12,8 +12,7 @@ let
 realm
 ;
 in
-with lib;
-mkIf enable {
+with lib; mkIf enable {
 services.coturn = rec {
 inherit realm enable;
 no-cli = true;
diff --git a/services/forgejo/mail.nix b/services/forgejo/mail.nix
index 65d0fda..9e0f5e6 100644
--- a/services/forgejo/mail.nix
+++ b/services/forgejo/mail.nix
@@ -9,8 +9,7 @@ let
 inherit (config.machine.forgejo) domain;
 address = "noreply@${domain}";
 in
-with lib;
-mkIf config.machine.mail.enable {
+with lib; mkIf config.machine.mail.enable {
 services.forgejo = {
 secrets = {
 mailer.PASSWD = sec."mail/servicePassword".path;
diff --git a/services/forgejo/network.nix b/services/forgejo/network.nix
index 4680a1d..546e966 100644
--- a/services/forgejo/network.nix
+++ b/services/forgejo/network.nix
@@ -10,22 +10,19 @@ let
 port
 ;
 in
-with lib;
-mkIf enable {
+with lib; mkIf enable {
 networking.firewall = {
 allowedTCPPorts = [ port ];
 };
 
- services.nginx.virtualHosts =
- with lib;
- mkIf (domain != null) {
- "${domain}" = {
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- proxyPass = "http://[::1]:${toString port}";
- proxyWebsockets = true;
- };
+ services.nginx.virtualHosts = with lib; mkIf (domain != null) {
+ "${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://[::1]:${toString port}";
+ proxyWebsockets = true;
 };
 };
+ };
 }
diff --git a/services/forgejo/runners.nix b/services/forgejo/runners.nix
index b060c09..21e8acb 100644
--- a/services/forgejo/runners.nix
+++ b/services/forgejo/runners.nix
@@ -9,8 +9,7 @@ let
 url = config.services.forgejo.settings.server.ROOT_URL;
 cfg = config.machine.forgejo;
 in
-with lib;
-mkIf cfg.enableRunner {
+with lib; mkIf cfg.enableRunner {
 sops.secrets = {
 "forgejo/runnerToken" = {
 sopsFile = ./../../secrets/common.yaml;
diff --git a/services/forgejo/tmpfiles.nix b/services/forgejo/tmpfiles.nix
index ad68293..dab1371 100644
--- a/services/forgejo/tmpfiles.nix
+++ b/services/forgejo/tmpfiles.nix
@@ -7,8 +7,7 @@ let
 cfg = config.machine.forgejo;
 customDir = config.services.forgejo.customDir;
 in
-with lib;
-mkIf cfg.enable {
+with lib; mkIf cfg.enable {
 systemd.tmpfiles.rules = [
 "d '${customDir}/templates' - forgejo forgejo - -"
 "d '${customDir}/public' - forgejo forgejo - -"
diff --git a/services/mail/rspamd.nix b/services/mail/rspamd.nix
index 3779981..210f2d6 100644
--- a/services/mail/rspamd.nix
+++ b/services/mail/rspamd.nix
@@ -6,8 +6,7 @@ let
 inherit (config.machine.mail) enable;
 in
-with lib;
-mkIf enable {
+with lib; mkIf enable {
 services.rspamd = {
 enable = true;
 overrides = {
diff --git a/services/mail/tmpfiles.nix b/services/mail/tmpfiles.nix
index 47e63b1..b376e21 100644
--- a/services/mail/tmpfiles.nix
+++ b/services/mail/tmpfiles.nix
@@ -7,8 +7,7 @@ let
 inherit (config.machine.mail) enable;
 in
-with lib;
-mkIf enable {
+with lib; mkIf enable {
 systemd.tmpfiles.rules = [
 "C /var/dkim/default.private 0600 root root - - ${sec.dkim_default_private.path}"
 ];
diff --git a/services/minecraft-server/firewall.nix b/services/minecraft-server/firewall.nix
index 5d82c23..8bb68f4 100644
--- a/services/minecraft-server/firewall.nix
+++ b/services/minecraft-server/firewall.nix
@@ -9,8 +9,7 @@ let
 port
 ;
 in
-with lib;
-mkIf enable {
+with lib; mkIf enable {
 networking.firewall.allowedTCPPorts = [ port ];
diff --git a/services/minecraft-server/service.nix b/services/minecraft-server/service.nix
index 533e4ff..ffce921 100644
--- a/services/minecraft-server/service.nix
+++ b/services/minecraft-server/service.nix
@@ -10,8 +10,7 @@ let
 port
 ;
 in
-with lib;
-mkIf enable {
+with lib; mkIf enable {
 services.minecraft-server = {
 inherit enable;
 dataDir = "/var/lib/minecraft";
diff --git a/services/mysql/firewall.nix b/services/mysql/firewall.nix
index 38905b4..2ef7ae1 100644
--- a/services/mysql/firewall.nix
+++ b/services/mysql/firewall.nix
@@ -6,8 +6,7 @@ let
 cfg = config.machine.mysql;
 in
-with lib;
-mkIf cfg.enable {
+with lib; mkIf cfg.enable {
 networking.firewall = {
 allowedTCPPorts = [ cfg.port ];
 };
diff --git a/services/mysql/service.nix b/services/mysql/service.nix
index 29ad84e..1a01be1 100644
--- a/services/mysql/service.nix
+++ b/services/mysql/service.nix
@@ -10,8 +10,7 @@ let
 enable
 ;
 in
-with lib;
-mkIf enable {
+with lib; mkIf enable {
 services.mysql = {
 inherit enable;
 package = pkgs.mysql84;
diff --git a/services/navidrome/service.nix b/services/navidrome/service.nix
index a1b4c74..be70885 100644
--- a/services/navidrome/service.nix
+++ b/services/navidrome/service.nix
@@ -11,20 +11,17 @@ let
 folder
 ;
 in
-with lib;
-mkIf enable {
- services.nginx.virtualHosts =
- with lib;
- mkIf (domain != null) {
- "${domain}" = {
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- proxyPass = "http://[::1]:${toString port}";
- proxyWebsockets = true;
- };
+with lib; mkIf enable {
+ services.nginx.virtualHosts = with lib; mkIf (domain != null) {
+ "${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://[::1]:${toString port}";
+ proxyWebsockets = true;
 };
 };
+ };
 
 services.navidrome = {
 inherit enable;
diff --git a/services/networking/default.nix b/services/networking/default.nix
index e860eca..9fc890e 100644
--- a/services/networking/default.nix
+++ b/services/networking/default.nix
@@ -3,4 +3,4 @@
 ./options.nix
 ./service.nix
 ];
-}
+}
\ No newline at end of file
diff --git a/services/networking/service.nix b/services/networking/service.nix
index 716e25a..cec7c64 100644
--- a/services/networking/service.nix
+++ b/services/networking/service.nix
@@ -1,14 +1,8 @@
-{
- config,
- lib,
- hostname,
- ...
-}:
+{ config, lib, hostname, ... }:
 let
 inherit (config.machine) ipv4 gateway;
 in
-with lib;
-{
+with lib; {
 networking = {
 hostName = hostname;
 networkmanager.enable = mkDefault true;
diff --git a/services/nextcloud/database.nix b/services/nextcloud/database.nix
index a053d98..86d9b71 100644
--- a/services/nextcloud/database.nix
+++ b/services/nextcloud/database.nix
@@ -7,8 +7,7 @@ let
 pgsqlEnable = config.machine.postgresql.enable;
 cfg = config.machine.nextcloud;
 in
-with lib;
-mkIf cfg.enable {
+with lib; mkIf cfg.enable {
 services.nextcloud.config =
 if pgsqlEnable then
 {
@@ -21,15 +20,13 @@ mkIf cfg.enable {
 dbhost = "localhost";
 };
 
- services.postgresql =
- with lib;
- mkIf pgsqlEnable {
- ensureDatabases = [ "nextcloud" ];
- ensureUsers = [
- {
- name = "nextcloud";
- ensureDBOwnership = true;
- }
- ];
- };
+ services.postgresql = with lib; mkIf pgsqlEnable {
+ ensureDatabases = [ "nextcloud" ];
+ ensureUsers = [
+ {
+ name = "nextcloud";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
 }
diff --git a/services/nextcloud/mail.nix b/services/nextcloud/mail.nix
index 39822d9..2c741f3 100644
--- a/services/nextcloud/mail.nix
+++ b/services/nextcloud/mail.nix
@@ -11,8 +11,7 @@ let
 ;
 address = "noreply@${host}";
 in
-with lib;
-mkIf enable {
+with lib; mkIf enable {
 services.nextcloud = {
 settings = {
 mail_smtpmode = "smtp";
diff --git a/services/nextcloud/service.nix b/services/nextcloud/service.nix
index d9da422..e97a6b0 100644
--- a/services/nextcloud/service.nix
+++ b/services/nextcloud/service.nix
@@ -8,8 +8,7 @@ let
 cfg = config.machine.nextcloud;
 in
-with lib;
-mkIf cfg.enable {
+with lib; mkIf cfg.enable {
 services.nextcloud = {
 enable = cfg.enable;
 appstoreEnable = false;
diff --git a/services/nginx/acme.nix b/services/nginx/acme.nix
index 360da9a..1b1f87b 100644
--- a/services/nginx/acme.nix
+++ b/services/nginx/acme.nix
@@ -1,6 +1,5 @@
 { lib, config, ... }:
-with lib;
-mkIf (config.services.nginx.enable) {
+with lib; mkIf (config.services.nginx.enable) {
 security.acme = {
 acceptTerms = true;
 defaults = {
diff --git a/services/nginx/firewall.nix b/services/nginx/firewall.nix
index 5c50605..a8969c8 100644
--- a/services/nginx/firewall.nix
+++ b/services/nginx/firewall.nix
@@ -6,8 +6,7 @@ let
 inherit (config.services.nginx) enable;
 in
-with lib;
-mkIf enable {
+with lib; mkIf enable {
 networking.firewall.allowedTCPPorts = [
 80
 443
diff --git a/services/postgresql/service.nix b/services/postgresql/service.nix
index d396f39..72704ce 100644
--- a/services/postgresql/service.nix
+++ b/services/postgresql/service.nix
@@ -10,8 +10,7 @@ let
 enable
 ;
 in
-with lib;
-mkIf enable {
+with lib; mkIf enable {
 services.postgresql = {
 inherit enable;
 settings = {
diff --git a/services/prometheus/service.nix b/services/prometheus/service.nix
index 92cce37..7810105 100644
--- a/services/prometheus/service.nix
+++ b/services/prometheus/service.nix
@@ -9,8 +9,7 @@ let
 port
 ;
 in
-with lib;
-mkIf enable {
+with lib; mkIf enable {
 services.prometheus = {
 inherit enable port;
 };
diff --git a/services/prosody/firewall.nix b/services/prosody/firewall.nix
index df51a26..ebd8cf2 100644
--- a/services/prosody/firewall.nix
+++ b/services/prosody/firewall.nix
@@ -8,8 +8,7 @@ let
 enable
 ;
 in
-with lib;
-mkIf enable {
+with lib; mkIf enable {
 networking.firewall = {
 allowedTCPPorts = [
 # HTTP filer
diff --git a/services/prosody/nginx.nix b/services/prosody/nginx.nix
index 254b1e1..8445478 100644
--- a/services/prosody/nginx.nix
+++ b/services/prosody/nginx.nix
@@ -11,8 +11,7 @@ let
 localhost = "http://localhost:5280";
 in
-with lib;
-mkIf enable {
+with lib; mkIf enable {
 security.acme.certs."${domain}".extraDomainNames = [
 "conference.${domain}"
 "upload.${domain}"
@@ -20,38 +19,36 @@ mkIf enable {
 
 users.groups.acme.members = [ "prosody" ];
 
- services.nginx.virtualHosts =
- with lib;
- mkIf (domain != null) {
- "${domain}".locations = {
- "= /xmpp-websocket" = {
- proxyPass = localhost;
- proxyWebsockets = true;
- };
- "= /http-bind".proxyPass = localhost;
- "/push".proxyPass = localhost;
- "= /.well-known/host-meta".proxyPass = localhost;
- "= /.well-known/host-meta.json".proxyPass = localhost;
- };
- "conference.${domain}" = {
- http3 = true;
- quic = true;
- forceSSL = true;
- kTLS = true;
- useACMEHost = domain;
- sslCertificate = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
- sslCertificateKey = "${config.security.acme.certs.${domain}.directory}/key.pem";
- locations."/".proxyPass = localhost;
- };
- "upload.${domain}" = {
- http3 = true;
- quic = true;
- forceSSL = true;
- kTLS = true;
- useACMEHost = domain;
- sslCertificate = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
- sslCertificateKey = "${config.security.acme.certs.${domain}.directory}/key.pem";
- locations."/".proxyPass = localhost;
+ services.nginx.virtualHosts = with lib; mkIf (domain != null) {
+ "${domain}".locations = {
+ "= /xmpp-websocket" = {
+ proxyPass = localhost;
+ proxyWebsockets = true;
 };
+ "= /http-bind".proxyPass = localhost;
+ "/push".proxyPass = localhost;
+ "= /.well-known/host-meta".proxyPass = localhost;
+ "= /.well-known/host-meta.json".proxyPass = localhost;
 };
+ "conference.${domain}" = {
+ http3 = true;
+ quic = true;
+ forceSSL = true;
+ kTLS = true;
+ useACMEHost = domain;
+ sslCertificate = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
+ sslCertificateKey = "${config.security.acme.certs.${domain}.directory}/key.pem";
+ locations."/".proxyPass = localhost;
+ };
+ "upload.${domain}" = {
+ http3 = true;
+ quic = true;
+ forceSSL = true;
+ kTLS = true;
+ useACMEHost = domain;
+ sslCertificate = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
+ sslCertificateKey = "${config.security.acme.certs.${domain}.directory}/key.pem";
+ locations."/".proxyPass = localhost;
+ };
+ };
 }
diff --git a/services/prosody/service.nix b/services/prosody/service.nix
index 585d968..f9b30c2 100644
--- a/services/prosody/service.nix
+++ b/services/prosody/service.nix
@@ -12,8 +12,7 @@ let
 sslCertDir = config.security.acme.certs."${domain}".directory;
 in
-with lib;
-mkIf enable {
+with lib; mkIf enable {
 services.prosody = {
 inherit enable;
diff --git a/services/redis/service.nix b/services/redis/service.nix
index fe16516..5dc40f7 100644
--- a/services/redis/service.nix
+++ b/services/redis/service.nix
@@ -10,8 +10,7 @@ let
 enable
 ;
 in
-with lib;
-mkIf enable {
+with lib; mkIf enable {
 sops.secrets = {
 "redis/password" = { };
 };
diff --git a/services/roundcube/service.nix b/services/roundcube/service.nix
index 44b293b..a302fcc 100644
--- a/services/roundcube/service.nix
+++ b/services/roundcube/service.nix
@@ -10,8 +10,7 @@ let
 domain
 ;
 in
-with lib;
-mkIf enable {
+with lib; mkIf enable {
 services.roundcube = {
 inherit enable;
 dicts = with pkgs.aspellDicts; [
diff --git a/services/synapse/database.nix b/services/synapse/database.nix
index 425e1ce..f353491 100644
--- a/services/synapse/database.nix
+++ b/services/synapse/database.nix
@@ -7,25 +7,20 @@ let
 pgsqlEnable = config.machine.postgresql.enable;
 inherit (config.machine.synapse) enable;
 in
-with lib;
-mkIf enable {
- services.postgresql =
- with lib;
- mkIf pgsqlEnable {
- ensureUsers = [
- {
- name = "matrix-synapse";
- ensureDBOwnership = true;
- }
- ];
- ensureDatabases = [ "matrix-synapse" ];
- };
+with lib; mkIf enable {
+ services.postgresql = with lib; mkIf pgsqlEnable {
+ ensureUsers = [
+ {
+ name = "matrix-synapse";
+ ensureDBOwnership = true;
+ }
+ ];
+ ensureDatabases = [ "matrix-synapse" ];
+ };
 services.matrix-synapse.settings.database = {
 name = if pgsqlEnable then "psycopg2" else "sqlite3";
- args =
- with lib;
- mkIf pgsqlEnable {
- host = "/run/postgresql";
- };
+ args = with lib; mkIf pgsqlEnable {
+ host = "/run/postgresql";
+ };
 };
 }
diff --git a/services/synapse/element.nix b/services/synapse/element.nix
index 36b2311..f0999fa 100644
--- a/services/synapse/element.nix
+++ b/services/synapse/element.nix
@@ -52,8 +52,7 @@ let
 };
 };
 in
-with lib;
-mkIf enable {
+with lib; mkIf enable {
 services.nginx.virtualHosts.${domain} = {
 enableACME = true;
 forceSSL = true;
diff --git a/services/synapse/mail.nix b/services/synapse/mail.nix
index fd27c07..8c7111b 100644
--- a/services/synapse/mail.nix
+++ b/services/synapse/mail.nix
@@ -11,8 +11,7 @@ let
 ;
 address = "noreply@${domain}";
 in
-with lib;
-mkIf (enable && config.machine.mail.enable) {
+with lib; mkIf (enable && config.machine.mail.enable) {
 services.matrix-synapse = {
 settings = {
 admin_contact = address;
diff --git a/services/synapse/redis.nix b/services/synapse/redis.nix
index 7dedf20..4845b76 100644
--- a/services/synapse/redis.nix
+++ b/services/synapse/redis.nix
@@ -7,8 +7,7 @@ let
 redisEnable = config.machine.redis.enable;
 inherit (config.machine.synapse) enable;
 in
-with lib;
-mkIf (redisEnable && enable) {
+with lib; mkIf (redisEnable && enable) {
 services.redis.servers.matrix-synapse = {
 enable = true;
 };
diff --git a/services/synapse/secrets.nix b/services/synapse/secrets.nix
index cd3aa95..73eb31a 100644
--- a/services/synapse/secrets.nix
+++ b/services/synapse/secrets.nix
@@ -8,8 +8,7 @@ let
 enable
 ;
 in
-with lib;
-mkIf enable {
+with lib; mkIf enable {
 sops.secrets = {
 "matrix/registrationSharedSecret" = {
 sopsFile = ./../../secrets/common.yaml;
@@ -41,9 +40,7 @@ mkIf enable {
 smtp_pass: ${config.sops.placeholder."mail/servicePassword"}
 '';
 };
- services.matrix-synapse.extraConfigFiles =
- with lib;
- mkIf config.machine.synapse.enable [
- config.sops.templates.matrix-synapse-config.path
- ];
+ services.matrix-synapse.extraConfigFiles = with lib; mkIf config.machine.synapse.enable [
+ config.sops.templates.matrix-synapse-config.path
+ ];
 }
diff --git a/services/synapse/synapse.nix b/services/synapse/synapse.nix
index acb5aa1..022ac61 100644
--- a/services/synapse/synapse.nix
+++ b/services/synapse/synapse.nix
@@ -12,8 +12,7 @@ let
 metrics
 ;
 in
-with lib;
-mkIf enable {
+with lib; mkIf enable {
 services.matrix-synapse = {
 inherit enable;
 enableRegistrationScript = true;
diff --git a/services/synapse/turn.nix b/services/synapse/turn.nix
index a7ccdc1..556c996 100644
--- a/services/synapse/turn.nix
+++ b/services/synapse/turn.nix
@@ -6,8 +6,7 @@ let
 inherit (config.machine.coturn) enable;
 in
-with lib;
-mkIf (enable && config.machine.coturn.enable) {
+with lib; mkIf (enable && config.machine.coturn.enable) {
 services.matrix-synapse.settings = with config.services.coturn; {
 turn_uris = [
 "turn:${realm}:3478?transport=udp"
diff --git a/services/uptime-kuma/service.nix b/services/uptime-kuma/service.nix
index e2dbde1..3be7bde 100644
--- a/services/uptime-kuma/service.nix
+++ b/services/uptime-kuma/service.nix
@@ -10,8 +10,7 @@ let
 port
 ;
 in
-with lib;
-mkIf enable {
+with lib; mkIf enable {
 services.uptime-kuma = {
 inherit enable;
 settings = {
@@ -19,18 +18,16 @@ mkIf enable {
 };
 };
 
- services.nginx.virtualHosts =
- with lib;
- mkIf (domain != null) {
- "${domain}" = {
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:${toString port}";
- proxyWebsockets = true;
- };
+ services.nginx.virtualHosts = with lib; mkIf (domain != null) {
+ "${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString port}";
+ proxyWebsockets = true;
 };
 };
+ };
 
 networking.firewall = {
 allowedTCPPorts = [ port ];
diff --git a/services/vaultwarden/service.nix b/services/vaultwarden/service.nix
index c639755..e35d78e 100644
--- a/services/vaultwarden/service.nix
+++ b/services/vaultwarden/service.nix
@@ -10,37 +10,34 @@ let
 port
 ;
 in
-with lib;
-mkIf enable {
+with lib; mkIf enable {
 networking.firewall = {
 allowedTCPPorts = [ port ];
 };
 
- services.nginx.virtualHosts =
- with lib;
- mkIf (domain != null) {
- "${domain}" = {
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:${toString port}";
- proxyWebsockets = true;
- extraConfig = ''
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Host $host;
- '';
- };
-
+ services.nginx.virtualHosts = with lib; mkIf (domain != null) {
+ "${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString port}";
+ proxyWebsockets = true;
 extraConfig = ''
- add_header X-Frame-Options DENY;
- add_header X-Content-Type-Options nosniff;
- add_header Referrer-Policy same-origin;
- add_header X-XSS-Protection "1; mode=block";
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
 '';
 };
+
+ extraConfig = ''
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header Referrer-Policy same-origin;
+ add_header X-XSS-Protection "1; mode=block";
+ '';
 };
+ };
 
 services.vaultwarden = {
 inherit enable;
diff --git a/services/xray-3x-ui/firewall.nix b/services/xray-3x-ui/firewall.nix
index 4eaf332..aef0dcc 100644
--- a/services/xray-3x-ui/firewall.nix
+++ b/services/xray-3x-ui/firewall.nix
@@ -9,8 +9,7 @@ let
 port
 ;
 in
-with lib;
-mkIf enable {
+with lib; mkIf enable {
 networking.firewall.allowedTCPPorts = [
 # Web panel port
diff --git a/services/xray-3x-ui/nginx.nix b/services/xray-3x-ui/nginx.nix
index 148196c..19c0c86 100644
--- a/services/xray-3x-ui/nginx.nix
+++ b/services/xray-3x-ui/nginx.nix
@@ -2,50 +2,43 @@
 lib,
 config,
 ...
-}:
-let
- inherit (config.machine.xray-3x-ui)
+}: let
+ inherit
+ (config.machine.xray-3x-ui)
 enable
 port
 domain
 subscriptions
 ;
-in
-{
- services.nginx.virtualHosts =
- with lib;
- mkIf enable {
- ${domain} =
- with lib;
- mkIf (domain != null) {
- enableACME = true;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:${toString port}";
- proxyWebsockets = true;
- extraConfig = ''
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_redirect off;
- '';
- };
- };
- ${subscriptions.domain} =
- with lib;
- mkIf (subscriptions.domain != null) {
- enableACME = true;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:2096";
- proxyWebsockets = true;
- extraConfig = ''
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_redirect off;
- '';
- };
- };
+in {
+ services.nginx.virtualHosts = with lib; mkIf enable {
+ ${domain} = with lib; mkIf (domain != null) {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString port}";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_redirect off;
+ '';
+ };
 };
+ ${subscriptions.domain} = with lib; mkIf (subscriptions.domain != null) {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:2096";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_redirect off;
+ '';
+ };
+ };
+ };
 }
diff --git a/services/xray-3x-ui/options.nix b/services/xray-3x-ui/options.nix
index b979e0e..e6aab90 100644
--- a/services/xray-3x-ui/options.nix
+++ b/services/xray-3x-ui/options.nix
@@ -30,4 +30,4 @@ with lib;
 description = "Directory to store 3x-ui data.";
 };
 };
-}
+}
\ No newline at end of file
diff --git a/services/xray-3x-ui/service.nix b/services/xray-3x-ui/service.nix
index 9423843..175915a 100644
--- a/services/xray-3x-ui/service.nix
+++ b/services/xray-3x-ui/service.nix
@@ -1,11 +1,6 @@
 # See https://github.com/sunmeplz/xray-3x-ui
 
-{
- config,
- lib,
- pkgs,
- ...
-}:
+{ config, lib, pkgs, ... }:
 
 with lib;
 
@@ -16,7 +11,8 @@ let
 minGoVersion = "1.26.0";
 
 xray-3x-ui =
- assert assertMsg (versionAtLeast pkgs.go.version minGoVersion)
+ assert assertMsg
+ (versionAtLeast pkgs.go.version minGoVersion)
 "3x-ui requires Go >= ${minGoVersion}, but ${pkgs.go.version} is available";
 pkgs.buildGoModule rec {
@@ -32,10 +28,7 @@ let
 
 vendorHash = "sha256-M8YQTMfF/xZut4hxUcAfF2xGK625vwJNp4JS/zoXUCQ=";
 
- ldflags = [
- "-s"
- "-w"
- ];
+ ldflags = [ "-s" "-w" ];
 
 meta = with lib; {
 description = "Xray panel supporting multi-protocol multi-user";
@@ -46,8 +39,7 @@ let
 };
 };
 
-in
-{
+in {
 # Service implementation
 config = mkIf cfg.enable {
 # User and group configuration
@@ -93,14 +85,8 @@ in
 Group = "xray-3x-ui";
 StateDirectory = "3x-ui 3x-ui/bin 3x-ui/logs";
 StateDirectoryMode = "0755";
- AmbientCapabilities = [
- "CAP_NET_BIND_SERVICE"
- "CAP_NET_ADMIN"
- ];
- CapabilityBoundingSet = [
- "CAP_NET_BIND_SERVICE"
- "CAP_NET_ADMIN"
- ];
+ AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_NET_ADMIN" ];
+ CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_NET_ADMIN" ];
 };
 };
 
diff --git a/users/rus07tam/modules/openclaw/service.nix b/users/rus07tam/modules/openclaw/service.nix
index 5337230..f818086 100644
--- a/users/rus07tam/modules/openclaw/service.nix
+++ b/users/rus07tam/modules/openclaw/service.nix
@@ -7,7 +7,6 @@
 programs.openclaw = {
 enable = true;
 installApp = false;
- systemd.enable = true;
 bundledPlugins = {
 summarize.enable = true;