

No commits in common. "793eeb316167ef73aedb730cfce5c332e1ebe7ea" and "caa6948199f28a9901feee89cc5037b6ae9c38e8" have entirely different histories.

48 changed files with 187 additions and 275 deletions


@ -1,13 +1,11 @@
{ dns, ... }: {dns, ...}: let
let
domain = "ruject.fun"; domain = "ruject.fun";
database = { database = {
host = "127.0.0.1"; host = "127.0.0.1";
port = 5432; port = 5432;
}; };
ipv4 = "94.156.112.0"; ipv4 = "94.156.112.0";
in in {
{
services.nginx.enable = true; services.nginx.enable = true;
machine = { machine = {
gateway = "10.0.0.1"; gateway = "10.0.0.1";
@ -31,7 +29,7 @@ in
"ns2" "ns2"
]; ];
A = [ ipv4 ]; A = [ipv4];
subdomains = rec { subdomains = rec {
ns1 = host ipv4 null; ns1 = host ipv4 null;
@ -54,10 +52,10 @@ in
}; };
TXT = [ TXT = [
(with spf; strict [ "a:mail.ruject.fun" ]) (with spf; strict ["a:mail.ruject.fun"])
]; ];
MX = with mx; [ (mx 10 "mail.ruject.fun.") ]; MX = with mx; [(mx 10 "mail.ruject.fun.")];
DMARC = [ DMARC = [
{ {


@ -6,8 +6,7 @@
let let
cfg = config.machine.bind; cfg = config.machine.bind;
in in
with lib; with lib; mkIf cfg.enable {
mkIf cfg.enable {
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ cfg.port ]; allowedTCPPorts = [ cfg.port ];
allowedUDPPorts = [ cfg.port ]; allowedUDPPorts = [ cfg.port ];


@ -7,8 +7,7 @@
let let
cfg = config.machine.bind; cfg = config.machine.bind;
in in
with lib; with lib; mkIf cfg.enable {
mkIf cfg.enable {
services.bind = { services.bind = {
enable = cfg.enable; enable = cfg.enable;
listenOnPort = cfg.port; listenOnPort = cfg.port;


@ -6,8 +6,7 @@
let let
cfg = config.machine.code-server; cfg = config.machine.code-server;
in in
with lib; with lib; mkIf cfg.enable {
mkIf cfg.enable {
services.nginx.virtualHosts = mkIf (cfg.domain != null) { services.nginx.virtualHosts = mkIf (cfg.domain != null) {
${cfg.domain} = { ${cfg.domain} = {
enableACME = true; enableACME = true;


@ -6,8 +6,7 @@
let let
cfg = config.machine.code-server; cfg = config.machine.code-server;
in in
with lib; with lib; {
{
options.machine.code-server = { options.machine.code-server = {
enable = mkEnableOption "code-server"; enable = mkEnableOption "code-server";
port = mkOption { port = mkOption {


@ -7,8 +7,7 @@
let let
cfg = config.machine.code-server; cfg = config.machine.code-server;
in in
with lib; with lib; mkIf cfg.enable {
mkIf cfg.enable {
services.code-server = { services.code-server = {
enable = cfg.enable; enable = cfg.enable;
port = cfg.port; port = cfg.port;


@ -6,8 +6,7 @@
let let
cfg = config.machine.coturn; cfg = config.machine.coturn;
in in
with lib; with lib; mkIf cfg.enable {
mkIf cfg.enable {
networking.firewall = { networking.firewall = {
interfaces.enp2s0 = interfaces.enp2s0 =
let let


@ -12,8 +12,7 @@ let
realm realm
; ;
in in
with lib; with lib; mkIf enable {
mkIf enable {
services.coturn = rec { services.coturn = rec {
inherit realm enable; inherit realm enable;
no-cli = true; no-cli = true;


@ -9,8 +9,7 @@ let
inherit (config.machine.forgejo) domain; inherit (config.machine.forgejo) domain;
address = "noreply@${domain}"; address = "noreply@${domain}";
in in
with lib; with lib; mkIf config.machine.mail.enable {
mkIf config.machine.mail.enable {
services.forgejo = { services.forgejo = {
secrets = { secrets = {
mailer.PASSWD = sec."mail/servicePassword".path; mailer.PASSWD = sec."mail/servicePassword".path;


@ -10,15 +10,12 @@ let
port port
; ;
in in
with lib; with lib; mkIf enable {
mkIf enable {
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ port ]; allowedTCPPorts = [ port ];
}; };
services.nginx.virtualHosts = services.nginx.virtualHosts = with lib; mkIf (domain != null) {
with lib;
mkIf (domain != null) {
"${domain}" = { "${domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;


@ -9,8 +9,7 @@ let
url = config.services.forgejo.settings.server.ROOT_URL; url = config.services.forgejo.settings.server.ROOT_URL;
cfg = config.machine.forgejo; cfg = config.machine.forgejo;
in in
with lib; with lib; mkIf cfg.enableRunner {
mkIf cfg.enableRunner {
sops.secrets = { sops.secrets = {
"forgejo/runnerToken" = { "forgejo/runnerToken" = {
sopsFile = ./../../secrets/common.yaml; sopsFile = ./../../secrets/common.yaml;


@ -7,8 +7,7 @@ let
cfg = config.machine.forgejo; cfg = config.machine.forgejo;
customDir = config.services.forgejo.customDir; customDir = config.services.forgejo.customDir;
in in
with lib; with lib; mkIf cfg.enable {
mkIf cfg.enable {
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '${customDir}/templates' - forgejo forgejo - -" "d '${customDir}/templates' - forgejo forgejo - -"
"d '${customDir}/public' - forgejo forgejo - -" "d '${customDir}/public' - forgejo forgejo - -"


@ -6,8 +6,7 @@
let let
inherit (config.machine.mail) enable; inherit (config.machine.mail) enable;
in in
with lib; with lib; mkIf enable {
mkIf enable {
services.rspamd = { services.rspamd = {
enable = true; enable = true;
overrides = { overrides = {


@ -7,8 +7,7 @@
let let
inherit (config.machine.mail) enable; inherit (config.machine.mail) enable;
in in
with lib; with lib; mkIf enable {
mkIf enable {
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"C /var/dkim/default.private 0600 root root - - ${sec.dkim_default_private.path}" "C /var/dkim/default.private 0600 root root - - ${sec.dkim_default_private.path}"
]; ];


@ -9,8 +9,7 @@ let
port port
; ;
in in
with lib; with lib; mkIf enable {
mkIf enable {
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
port port
]; ];


@ -10,8 +10,7 @@ let
port port
; ;
in in
with lib; with lib; mkIf enable {
mkIf enable {
services.minecraft-server = { services.minecraft-server = {
inherit enable; inherit enable;
dataDir = "/var/lib/minecraft"; dataDir = "/var/lib/minecraft";


@ -6,8 +6,7 @@
let let
cfg = config.machine.mysql; cfg = config.machine.mysql;
in in
with lib; with lib; mkIf cfg.enable {
mkIf cfg.enable {
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ cfg.port ]; allowedTCPPorts = [ cfg.port ];
}; };


@ -10,8 +10,7 @@ let
enable enable
; ;
in in
with lib; with lib; mkIf enable {
mkIf enable {
services.mysql = { services.mysql = {
inherit enable; inherit enable;
package = pkgs.mysql84; package = pkgs.mysql84;


@ -11,11 +11,8 @@ let
folder folder
; ;
in in
with lib; with lib; mkIf enable {
mkIf enable { services.nginx.virtualHosts = with lib; mkIf (domain != null) {
services.nginx.virtualHosts =
with lib;
mkIf (domain != null) {
"${domain}" = { "${domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;


@ -1,14 +1,8 @@
{ { config, lib, hostname, ... }:
config,
lib,
hostname,
...
}:
let let
inherit (config.machine) ipv4 gateway; inherit (config.machine) ipv4 gateway;
in in
with lib; with lib; {
{
networking = { networking = {
hostName = hostname; hostName = hostname;
networkmanager.enable = mkDefault true; networkmanager.enable = mkDefault true;


@ -7,8 +7,7 @@ let
pgsqlEnable = config.machine.postgresql.enable; pgsqlEnable = config.machine.postgresql.enable;
cfg = config.machine.nextcloud; cfg = config.machine.nextcloud;
in in
with lib; with lib; mkIf cfg.enable {
mkIf cfg.enable {
services.nextcloud.config = services.nextcloud.config =
if pgsqlEnable then if pgsqlEnable then
{ {
@ -21,9 +20,7 @@ mkIf cfg.enable {
dbhost = "localhost"; dbhost = "localhost";
}; };
services.postgresql = services.postgresql = with lib; mkIf pgsqlEnable {
with lib;
mkIf pgsqlEnable {
ensureDatabases = [ "nextcloud" ]; ensureDatabases = [ "nextcloud" ];
ensureUsers = [ ensureUsers = [
{ {


@ -11,8 +11,7 @@ let
; ;
address = "noreply@${host}"; address = "noreply@${host}";
in in
with lib; with lib; mkIf enable {
mkIf enable {
services.nextcloud = { services.nextcloud = {
settings = { settings = {
mail_smtpmode = "smtp"; mail_smtpmode = "smtp";


@ -8,8 +8,7 @@
let let
cfg = config.machine.nextcloud; cfg = config.machine.nextcloud;
in in
with lib; with lib; mkIf cfg.enable {
mkIf cfg.enable {
services.nextcloud = { services.nextcloud = {
enable = cfg.enable; enable = cfg.enable;
appstoreEnable = false; appstoreEnable = false;


@ -1,6 +1,5 @@
{ lib, config, ... }: { lib, config, ... }:
with lib; with lib; mkIf (config.services.nginx.enable) {
mkIf (config.services.nginx.enable) {
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults = { defaults = {


@ -6,8 +6,7 @@
let let
inherit (config.services.nginx) enable; inherit (config.services.nginx) enable;
in in
with lib; with lib; mkIf enable {
mkIf enable {
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
80 80
443 443


@ -10,8 +10,7 @@ let
enable enable
; ;
in in
with lib; with lib; mkIf enable {
mkIf enable {
services.postgresql = { services.postgresql = {
inherit enable; inherit enable;
settings = { settings = {


@ -9,8 +9,7 @@ let
port port
; ;
in in
with lib; with lib; mkIf enable {
mkIf enable {
services.prometheus = { services.prometheus = {
inherit enable port; inherit enable port;
}; };


@ -8,8 +8,7 @@ let
enable enable
; ;
in in
with lib; with lib; mkIf enable {
mkIf enable {
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
# HTTP filer # HTTP filer


@ -11,8 +11,7 @@ let
localhost = "http://localhost:5280"; localhost = "http://localhost:5280";
in in
with lib; with lib; mkIf enable {
mkIf enable {
security.acme.certs."${domain}".extraDomainNames = [ security.acme.certs."${domain}".extraDomainNames = [
"conference.${domain}" "conference.${domain}"
"upload.${domain}" "upload.${domain}"
@ -20,9 +19,7 @@ mkIf enable {
users.groups.acme.members = [ users.groups.acme.members = [
"prosody" "prosody"
]; ];
services.nginx.virtualHosts = services.nginx.virtualHosts = with lib; mkIf (domain != null) {
with lib;
mkIf (domain != null) {
"${domain}".locations = { "${domain}".locations = {
"= /xmpp-websocket" = { "= /xmpp-websocket" = {
proxyPass = localhost; proxyPass = localhost;


@ -12,8 +12,7 @@ let
sslCertDir = config.security.acme.certs."${domain}".directory; sslCertDir = config.security.acme.certs."${domain}".directory;
in in
with lib; with lib; mkIf enable {
mkIf enable {
services.prosody = { services.prosody = {
inherit enable; inherit enable;


@ -10,8 +10,7 @@ let
enable enable
; ;
in in
with lib; with lib; mkIf enable {
mkIf enable {
sops.secrets = { sops.secrets = {
"redis/password" = { }; "redis/password" = { };
}; };


@ -10,8 +10,7 @@ let
domain domain
; ;
in in
with lib; with lib; mkIf enable {
mkIf enable {
services.roundcube = { services.roundcube = {
inherit enable; inherit enable;
dicts = with pkgs.aspellDicts; [ dicts = with pkgs.aspellDicts; [


@ -7,11 +7,8 @@ let
pgsqlEnable = config.machine.postgresql.enable; pgsqlEnable = config.machine.postgresql.enable;
inherit (config.machine.synapse) enable; inherit (config.machine.synapse) enable;
in in
with lib; with lib; mkIf enable {
mkIf enable { services.postgresql = with lib; mkIf pgsqlEnable {
services.postgresql =
with lib;
mkIf pgsqlEnable {
ensureUsers = [ ensureUsers = [
{ {
name = "matrix-synapse"; name = "matrix-synapse";
@ -22,9 +19,7 @@ mkIf enable {
}; };
services.matrix-synapse.settings.database = { services.matrix-synapse.settings.database = {
name = if pgsqlEnable then "psycopg2" else "sqlite3"; name = if pgsqlEnable then "psycopg2" else "sqlite3";
args = args = with lib; mkIf pgsqlEnable {
with lib;
mkIf pgsqlEnable {
host = "/run/postgresql"; host = "/run/postgresql";
}; };
}; };


@ -52,8 +52,7 @@ let
}; };
}; };
in in
with lib; with lib; mkIf enable {
mkIf enable {
services.nginx.virtualHosts.${domain} = { services.nginx.virtualHosts.${domain} = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;


@ -11,8 +11,7 @@ let
; ;
address = "noreply@${domain}"; address = "noreply@${domain}";
in in
with lib; with lib; mkIf (enable && config.machine.mail.enable) {
mkIf (enable && config.machine.mail.enable) {
services.matrix-synapse = { services.matrix-synapse = {
settings = { settings = {
admin_contact = address; admin_contact = address;


@ -7,8 +7,7 @@ let
redisEnable = config.machine.redis.enable; redisEnable = config.machine.redis.enable;
inherit (config.machine.synapse) enable; inherit (config.machine.synapse) enable;
in in
with lib; with lib; mkIf (redisEnable && enable) {
mkIf (redisEnable && enable) {
services.redis.servers.matrix-synapse = { services.redis.servers.matrix-synapse = {
enable = true; enable = true;
}; };


@ -8,8 +8,7 @@ let
enable enable
; ;
in in
with lib; with lib; mkIf enable {
mkIf enable {
sops.secrets = { sops.secrets = {
"matrix/registrationSharedSecret" = { "matrix/registrationSharedSecret" = {
sopsFile = ./../../secrets/common.yaml; sopsFile = ./../../secrets/common.yaml;
@ -41,9 +40,7 @@ mkIf enable {
smtp_pass: ${config.sops.placeholder."mail/servicePassword"} smtp_pass: ${config.sops.placeholder."mail/servicePassword"}
''; '';
}; };
services.matrix-synapse.extraConfigFiles = services.matrix-synapse.extraConfigFiles = with lib; mkIf config.machine.synapse.enable [
with lib;
mkIf config.machine.synapse.enable [
config.sops.templates.matrix-synapse-config.path config.sops.templates.matrix-synapse-config.path
]; ];
} }


@ -12,8 +12,7 @@ let
metrics metrics
; ;
in in
with lib; with lib; mkIf enable {
mkIf enable {
services.matrix-synapse = { services.matrix-synapse = {
inherit enable; inherit enable;
enableRegistrationScript = true; enableRegistrationScript = true;


@ -6,8 +6,7 @@
let let
inherit (config.machine.coturn) enable; inherit (config.machine.coturn) enable;
in in
with lib; with lib; mkIf (enable && config.machine.coturn.enable) {
mkIf (enable && config.machine.coturn.enable) {
services.matrix-synapse.settings = with config.services.coturn; { services.matrix-synapse.settings = with config.services.coturn; {
turn_uris = [ turn_uris = [
"turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=udp"


@ -10,8 +10,7 @@ let
port port
; ;
in in
with lib; with lib; mkIf enable {
mkIf enable {
services.uptime-kuma = { services.uptime-kuma = {
inherit enable; inherit enable;
settings = { settings = {
@ -19,9 +18,7 @@ mkIf enable {
}; };
}; };
services.nginx.virtualHosts = services.nginx.virtualHosts = with lib; mkIf (domain != null) {
with lib;
mkIf (domain != null) {
"${domain}" = { "${domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;


@ -10,15 +10,12 @@ let
port port
; ;
in in
with lib; with lib; mkIf enable {
mkIf enable {
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ port ]; allowedTCPPorts = [ port ];
}; };
services.nginx.virtualHosts = services.nginx.virtualHosts = with lib; mkIf (domain != null) {
with lib;
mkIf (domain != null) {
"${domain}" = { "${domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;


@ -9,8 +9,7 @@ let
port port
; ;
in in
with lib; with lib; mkIf enable {
mkIf enable {
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
# Web panel # Web panel
port port


@ -2,22 +2,17 @@
lib, lib,
config, config,
... ...
}: }: let
let inherit
inherit (config.machine.xray-3x-ui) (config.machine.xray-3x-ui)
enable enable
port port
domain domain
subscriptions subscriptions
; ;
in in {
{ services.nginx.virtualHosts = with lib; mkIf enable {
services.nginx.virtualHosts = ${domain} = with lib; mkIf (domain != null) {
with lib;
mkIf enable {
${domain} =
with lib;
mkIf (domain != null) {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
@ -31,9 +26,7 @@ in
''; '';
}; };
}; };
${subscriptions.domain} = ${subscriptions.domain} = with lib; mkIf (subscriptions.domain != null) {
with lib;
mkIf (subscriptions.domain != null) {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {


@ -1,11 +1,6 @@
# See https://github.com/sunmeplz/xray-3x-ui # See https://github.com/sunmeplz/xray-3x-ui
{ { config, lib, pkgs, ... }:
config,
lib,
pkgs,
...
}:
with lib; with lib;
@ -16,7 +11,8 @@ let
minGoVersion = "1.26.0"; minGoVersion = "1.26.0";
xray-3x-ui = xray-3x-ui =
assert assertMsg (versionAtLeast pkgs.go.version minGoVersion) assert assertMsg
(versionAtLeast pkgs.go.version minGoVersion)
"3x-ui requires Go >= ${minGoVersion}, but ${pkgs.go.version} is available"; "3x-ui requires Go >= ${minGoVersion}, but ${pkgs.go.version} is available";
pkgs.buildGoModule rec { pkgs.buildGoModule rec {
@ -32,10 +28,7 @@ let
vendorHash = "sha256-M8YQTMfF/xZut4hxUcAfF2xGK625vwJNp4JS/zoXUCQ="; vendorHash = "sha256-M8YQTMfF/xZut4hxUcAfF2xGK625vwJNp4JS/zoXUCQ=";
ldflags = [ ldflags = [ "-s" "-w" ];
"-s"
"-w"
];
meta = with lib; { meta = with lib; {
description = "Xray panel supporting multi-protocol multi-user"; description = "Xray panel supporting multi-protocol multi-user";
@ -46,8 +39,7 @@ let
}; };
}; };
in in {
{
# Service implementation # Service implementation
config = mkIf cfg.enable { config = mkIf cfg.enable {
# User and group configuration # User and group configuration
@ -93,14 +85,8 @@ in
Group = "xray-3x-ui"; Group = "xray-3x-ui";
StateDirectory = "3x-ui 3x-ui/bin 3x-ui/logs"; StateDirectory = "3x-ui 3x-ui/bin 3x-ui/logs";
StateDirectoryMode = "0755"; StateDirectoryMode = "0755";
AmbientCapabilities = [ AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_NET_ADMIN" ];
"CAP_NET_BIND_SERVICE" CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_NET_ADMIN" ];
"CAP_NET_ADMIN"
];
CapabilityBoundingSet = [
"CAP_NET_BIND_SERVICE"
"CAP_NET_ADMIN"
];
}; };
}; };


@ -7,7 +7,6 @@
programs.openclaw = { programs.openclaw = {
enable = true; enable = true;
installApp = false; installApp = false;
systemd.enable = true;
bundledPlugins = { bundledPlugins = {
summarize.enable = true; summarize.enable = true;