RuJect/nixos-infra
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: RuJect:caa6948199f28a9901feee89cc5037b6ae9c38e8
Branches Tags
RuJect:main
...
compare: RuJect:793eeb316167ef73aedb730cfce5c332e1ebe7ea
Branches Tags
RuJect:main

2 commits
caa6948199 ... 793eeb3161

Author SHA1 Message Date
Rustam Efimov
793eeb3161
feat(users/rus07tam): enable openclaw gateway via systemd
Some checks failed
Nix CI / build (push) Failing after 3m36s
Details
2026-04-01 09:56:24 +03:00
Rustam Efimov
e2bd4444d2
chore: apply nix fmt 2026-04-01 09:54:15 +03:00
48 changed files with 275 additions and 187 deletions
Download patch file Download diff file Expand all files Collapse all files

2
hosts/elaris/machine.nix
View file

@ -1,2 +1,2 @@
{ {
} }

12
hosts/velarion/machine.nix
View file

@ -1,11 +1,13 @@
{dns, ...}: let { dns, ... }:
let
domain = "ruject.fun"; domain = "ruject.fun";
database = { database = {
host = "127.0.0.1"; host = "127.0.0.1";
port = 5432; port = 5432;
}; };
ipv4 = "94.156.112.0"; ipv4 = "94.156.112.0";
in { in
{
services.nginx.enable = true; services.nginx.enable = true;
machine = { machine = {
gateway = "10.0.0.1"; gateway = "10.0.0.1";
@ -29,7 +31,7 @@ in {
"ns2" "ns2"
]; ];
A = [ipv4]; A = [ ipv4 ];
subdomains = rec { subdomains = rec {
ns1 = host ipv4 null; ns1 = host ipv4 null;
@ -52,10 +54,10 @@ in {
}; };
TXT = [ TXT = [
(with spf; strict ["a:mail.ruject.fun"]) (with spf; strict [ "a:mail.ruject.fun" ])
]; ];
MX = with mx; [(mx 10 "mail.ruject.fun.")]; MX = with mx; [ (mx 10 "mail.ruject.fun.") ];
DMARC = [ DMARC = [
{ {

3
services/bind/firewall.nix
View file

@ -6,7 +6,8 @@
let let
cfg = config.machine.bind; cfg = config.machine.bind;
in in
with lib; mkIf cfg.enable { with lib;
mkIf cfg.enable {
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ cfg.port ]; allowedTCPPorts = [ cfg.port ];
allowedUDPPorts = [ cfg.port ]; allowedUDPPorts = [ cfg.port ];

3
services/bind/service.nix
View file

@ -7,7 +7,8 @@
let let
cfg = config.machine.bind; cfg = config.machine.bind;
in in
with lib; mkIf cfg.enable { with lib;
mkIf cfg.enable {
services.bind = { services.bind = {
enable = cfg.enable; enable = cfg.enable;
listenOnPort = cfg.port; listenOnPort = cfg.port;

3
services/code-server/nginx.nix
View file

@ -6,7 +6,8 @@
let let
cfg = config.machine.code-server; cfg = config.machine.code-server;
in in
with lib; mkIf cfg.enable { with lib;
mkIf cfg.enable {
services.nginx.virtualHosts = mkIf (cfg.domain != null) { services.nginx.virtualHosts = mkIf (cfg.domain != null) {
${cfg.domain} = { ${cfg.domain} = {
enableACME = true; enableACME = true;

3
services/code-server/options.nix
View file

@ -6,7 +6,8 @@
let let
cfg = config.machine.code-server; cfg = config.machine.code-server;
in in
with lib; { with lib;
{
options.machine.code-server = { options.machine.code-server = {
enable = mkEnableOption "code-server"; enable = mkEnableOption "code-server";
port = mkOption { port = mkOption {

3
services/code-server/service.nix
View file

@ -7,7 +7,8 @@
let let
cfg = config.machine.code-server; cfg = config.machine.code-server;
in in
with lib; mkIf cfg.enable { with lib;
mkIf cfg.enable {
services.code-server = { services.code-server = {
enable = cfg.enable; enable = cfg.enable;
port = cfg.port; port = cfg.port;

3
services/coturn/firewall.nix
View file

@ -6,7 +6,8 @@
let let
cfg = config.machine.coturn; cfg = config.machine.coturn;
in in
with lib; mkIf cfg.enable { with lib;
mkIf cfg.enable {
networking.firewall = { networking.firewall = {
interfaces.enp2s0 = interfaces.enp2s0 =
let let

3
services/coturn/service.nix
View file

@ -12,7 +12,8 @@ let
realm realm
; ;
in in
with lib; mkIf enable { with lib;
mkIf enable {
services.coturn = rec { services.coturn = rec {
inherit realm enable; inherit realm enable;
no-cli = true; no-cli = true;

3
services/forgejo/mail.nix
View file

@ -9,7 +9,8 @@ let
inherit (config.machine.forgejo) domain; inherit (config.machine.forgejo) domain;
address = "noreply@${domain}"; address = "noreply@${domain}";
in in
with lib; mkIf config.machine.mail.enable { with lib;
mkIf config.machine.mail.enable {
services.forgejo = { services.forgejo = {
secrets = { secrets = {
mailer.PASSWD = sec."mail/servicePassword".path; mailer.PASSWD = sec."mail/servicePassword".path;

21
services/forgejo/network.nix
View file

@ -10,19 +10,22 @@ let
port port
; ;
in in
with lib; mkIf enable { with lib;
mkIf enable {
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ port ]; allowedTCPPorts = [ port ];
}; };
services.nginx.virtualHosts = with lib; mkIf (domain != null) { services.nginx.virtualHosts =
"${domain}" = { with lib;
forceSSL = true; mkIf (domain != null) {
enableACME = true; "${domain}" = {
locations."/" = { forceSSL = true;
proxyPass = "http://[::1]:${toString port}"; enableACME = true;
proxyWebsockets = true; locations."/" = {
proxyPass = "http://[::1]:${toString port}";
proxyWebsockets = true;
};
}; };
}; };
};
} }

3
services/forgejo/runners.nix
View file

@ -9,7 +9,8 @@ let
url = config.services.forgejo.settings.server.ROOT_URL; url = config.services.forgejo.settings.server.ROOT_URL;
cfg = config.machine.forgejo; cfg = config.machine.forgejo;
in in
with lib; mkIf cfg.enableRunner { with lib;
mkIf cfg.enableRunner {
sops.secrets = { sops.secrets = {
"forgejo/runnerToken" = { "forgejo/runnerToken" = {
sopsFile = ./../../secrets/common.yaml; sopsFile = ./../../secrets/common.yaml;

3
services/forgejo/tmpfiles.nix
View file

@ -7,7 +7,8 @@ let
cfg = config.machine.forgejo; cfg = config.machine.forgejo;
customDir = config.services.forgejo.customDir; customDir = config.services.forgejo.customDir;
in in
with lib; mkIf cfg.enable { with lib;
mkIf cfg.enable {
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '${customDir}/templates' - forgejo forgejo - -" "d '${customDir}/templates' - forgejo forgejo - -"
"d '${customDir}/public' - forgejo forgejo - -" "d '${customDir}/public' - forgejo forgejo - -"

3
services/mail/rspamd.nix
View file

@ -6,7 +6,8 @@
let let
inherit (config.machine.mail) enable; inherit (config.machine.mail) enable;
in in
with lib; mkIf enable { with lib;
mkIf enable {
services.rspamd = { services.rspamd = {
enable = true; enable = true;
overrides = { overrides = {

3
services/mail/tmpfiles.nix
View file

@ -7,7 +7,8 @@
let let
inherit (config.machine.mail) enable; inherit (config.machine.mail) enable;
in in
with lib; mkIf enable { with lib;
mkIf enable {
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"C /var/dkim/default.private 0600 root root - - ${sec.dkim_default_private.path}" "C /var/dkim/default.private 0600 root root - - ${sec.dkim_default_private.path}"
]; ];

3
services/minecraft-server/firewall.nix
View file

@ -9,7 +9,8 @@ let
port port
; ;
in in
with lib; mkIf enable { with lib;
mkIf enable {
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
port port
]; ];

3
services/minecraft-server/service.nix
View file

@ -10,7 +10,8 @@ let
port port
; ;
in in
with lib; mkIf enable { with lib;
mkIf enable {
services.minecraft-server = { services.minecraft-server = {
inherit enable; inherit enable;
dataDir = "/var/lib/minecraft"; dataDir = "/var/lib/minecraft";

3
services/mysql/firewall.nix
View file

@ -6,7 +6,8 @@
let let
cfg = config.machine.mysql; cfg = config.machine.mysql;
in in
with lib; mkIf cfg.enable { with lib;
mkIf cfg.enable {
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ cfg.port ]; allowedTCPPorts = [ cfg.port ];
}; };

3
services/mysql/service.nix
View file

@ -10,7 +10,8 @@ let
enable enable
; ;
in in
with lib; mkIf enable { with lib;
mkIf enable {
services.mysql = { services.mysql = {
inherit enable; inherit enable;
package = pkgs.mysql84; package = pkgs.mysql84;

21
services/navidrome/service.nix
View file

@ -11,17 +11,20 @@ let
folder folder
; ;
in in
with lib; mkIf enable { with lib;
services.nginx.virtualHosts = with lib; mkIf (domain != null) { mkIf enable {
"${domain}" = { services.nginx.virtualHosts =
forceSSL = true; with lib;
enableACME = true; mkIf (domain != null) {
locations."/" = { "${domain}" = {
proxyPass = "http://[::1]:${toString port}"; forceSSL = true;
proxyWebsockets = true; enableACME = true;
locations."/" = {
proxyPass = "http://[::1]:${toString port}";
proxyWebsockets = true;
};
}; };
}; };
};
services.navidrome = { services.navidrome = {
inherit enable; inherit enable;

2
services/networking/default.nix
View file

@ -3,4 +3,4 @@
./options.nix ./options.nix
./service.nix ./service.nix
]; ];
} }

10
services/networking/service.nix
View file

@ -1,8 +1,14 @@
{ config, lib, hostname, ... }: {
config,
lib,
hostname,
...
}:
let let
inherit (config.machine) ipv4 gateway; inherit (config.machine) ipv4 gateway;
in in
with lib; { with lib;
{
networking = { networking = {
hostName = hostname; hostName = hostname;
networkmanager.enable = mkDefault true; networkmanager.enable = mkDefault true;

23
services/nextcloud/database.nix
View file

@ -7,7 +7,8 @@ let
pgsqlEnable = config.machine.postgresql.enable; pgsqlEnable = config.machine.postgresql.enable;
cfg = config.machine.nextcloud; cfg = config.machine.nextcloud;
in in
with lib; mkIf cfg.enable { with lib;
mkIf cfg.enable {
services.nextcloud.config = services.nextcloud.config =
if pgsqlEnable then if pgsqlEnable then
{ {
@ -20,13 +21,15 @@ with lib; mkIf cfg.enable {
dbhost = "localhost"; dbhost = "localhost";
}; };
services.postgresql = with lib; mkIf pgsqlEnable { services.postgresql =
ensureDatabases = [ "nextcloud" ]; with lib;
ensureUsers = [ mkIf pgsqlEnable {
{ ensureDatabases = [ "nextcloud" ];
name = "nextcloud"; ensureUsers = [
ensureDBOwnership = true; {
} name = "nextcloud";
]; ensureDBOwnership = true;
}; }
];
};
} }

3
services/nextcloud/mail.nix
View file

@ -11,7 +11,8 @@ let
; ;
address = "noreply@${host}"; address = "noreply@${host}";
in in
with lib; mkIf enable { with lib;
mkIf enable {
services.nextcloud = { services.nextcloud = {
settings = { settings = {
mail_smtpmode = "smtp"; mail_smtpmode = "smtp";

3
services/nextcloud/service.nix
View file

@ -8,7 +8,8 @@
let let
cfg = config.machine.nextcloud; cfg = config.machine.nextcloud;
in in
with lib; mkIf cfg.enable { with lib;
mkIf cfg.enable {
services.nextcloud = { services.nextcloud = {
enable = cfg.enable; enable = cfg.enable;
appstoreEnable = false; appstoreEnable = false;

3
services/nginx/acme.nix
View file

@ -1,5 +1,6 @@
{ lib, config, ... }: { lib, config, ... }:
with lib; mkIf (config.services.nginx.enable) { with lib;
mkIf (config.services.nginx.enable) {
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults = { defaults = {

3
services/nginx/firewall.nix
View file

@ -6,7 +6,8 @@
let let
inherit (config.services.nginx) enable; inherit (config.services.nginx) enable;
in in
with lib; mkIf enable { with lib;
mkIf enable {
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
80 80
443 443

3
services/postgresql/service.nix
View file

@ -10,7 +10,8 @@ let
enable enable
; ;
in in
with lib; mkIf enable { with lib;
mkIf enable {
services.postgresql = { services.postgresql = {
inherit enable; inherit enable;
settings = { settings = {

3
services/prometheus/service.nix
View file

@ -9,7 +9,8 @@ let
port port
; ;
in in
with lib; mkIf enable { with lib;
mkIf enable {
services.prometheus = { services.prometheus = {
inherit enable port; inherit enable port;
}; };

3
services/prosody/firewall.nix
View file

@ -8,7 +8,8 @@ let
enable enable
; ;
in in
with lib; mkIf enable { with lib;
mkIf enable {
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
# HTTP filer # HTTP filer

65
services/prosody/nginx.nix
View file

@ -11,7 +11,8 @@ let
localhost = "http://localhost:5280"; localhost = "http://localhost:5280";
in in
with lib; mkIf enable { with lib;
mkIf enable {
security.acme.certs."${domain}".extraDomainNames = [ security.acme.certs."${domain}".extraDomainNames = [
"conference.${domain}" "conference.${domain}"
"upload.${domain}" "upload.${domain}"
@ -19,36 +20,38 @@ with lib; mkIf enable {
users.groups.acme.members = [ users.groups.acme.members = [
"prosody" "prosody"
]; ];
services.nginx.virtualHosts = with lib; mkIf (domain != null) { services.nginx.virtualHosts =
"${domain}".locations = { with lib;
"= /xmpp-websocket" = { mkIf (domain != null) {
proxyPass = localhost; "${domain}".locations = {
proxyWebsockets = true; "= /xmpp-websocket" = {
proxyPass = localhost;
proxyWebsockets = true;
};
"= /http-bind".proxyPass = localhost;
"/push".proxyPass = localhost;
"= /.well-known/host-meta".proxyPass = localhost;
"= /.well-known/host-meta.json".proxyPass = localhost;
};
"conference.${domain}" = {
http3 = true;
quic = true;
forceSSL = true;
kTLS = true;
useACMEHost = domain;
sslCertificate = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
sslCertificateKey = "${config.security.acme.certs.${domain}.directory}/key.pem";
locations."/".proxyPass = localhost;
};
"upload.${domain}" = {
http3 = true;
quic = true;
forceSSL = true;
kTLS = true;
useACMEHost = domain;
sslCertificate = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
sslCertificateKey = "${config.security.acme.certs.${domain}.directory}/key.pem";
locations."/".proxyPass = localhost;
}; };
"= /http-bind".proxyPass = localhost;
"/push".proxyPass = localhost;
"= /.well-known/host-meta".proxyPass = localhost;
"= /.well-known/host-meta.json".proxyPass = localhost;
}; };
"conference.${domain}" = {
http3 = true;
quic = true;
forceSSL = true;
kTLS = true;
useACMEHost = domain;
sslCertificate = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
sslCertificateKey = "${config.security.acme.certs.${domain}.directory}/key.pem";
locations."/".proxyPass = localhost;
};
"upload.${domain}" = {
http3 = true;
quic = true;
forceSSL = true;
kTLS = true;
useACMEHost = domain;
sslCertificate = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
sslCertificateKey = "${config.security.acme.certs.${domain}.directory}/key.pem";
locations."/".proxyPass = localhost;
};
};
} }

3
services/prosody/service.nix
View file

@ -12,7 +12,8 @@ let
sslCertDir = config.security.acme.certs."${domain}".directory; sslCertDir = config.security.acme.certs."${domain}".directory;
in in
with lib; mkIf enable { with lib;
mkIf enable {
services.prosody = { services.prosody = {
inherit enable; inherit enable;

3
services/redis/service.nix
View file

@ -10,7 +10,8 @@ let
enable enable
; ;
in in
with lib; mkIf enable { with lib;
mkIf enable {
sops.secrets = { sops.secrets = {
"redis/password" = { }; "redis/password" = { };
}; };

3
services/roundcube/service.nix
View file

@ -10,7 +10,8 @@ let
domain domain
; ;
in in
with lib; mkIf enable { with lib;
mkIf enable {
services.roundcube = { services.roundcube = {
inherit enable; inherit enable;
dicts = with pkgs.aspellDicts; [ dicts = with pkgs.aspellDicts; [

31
services/synapse/database.nix
View file

@ -7,20 +7,25 @@ let
pgsqlEnable = config.machine.postgresql.enable; pgsqlEnable = config.machine.postgresql.enable;
inherit (config.machine.synapse) enable; inherit (config.machine.synapse) enable;
in in
with lib; mkIf enable { with lib;
services.postgresql = with lib; mkIf pgsqlEnable { mkIf enable {
ensureUsers = [ services.postgresql =
{ with lib;
name = "matrix-synapse"; mkIf pgsqlEnable {
ensureDBOwnership = true; ensureUsers = [
} {
]; name = "matrix-synapse";
ensureDatabases = [ "matrix-synapse" ]; ensureDBOwnership = true;
}; }
];
ensureDatabases = [ "matrix-synapse" ];
};
services.matrix-synapse.settings.database = { services.matrix-synapse.settings.database = {
name = if pgsqlEnable then "psycopg2" else "sqlite3"; name = if pgsqlEnable then "psycopg2" else "sqlite3";
args = with lib; mkIf pgsqlEnable { args =
host = "/run/postgresql"; with lib;
}; mkIf pgsqlEnable {
host = "/run/postgresql";
};
}; };
} }

3
services/synapse/element.nix
View file

@ -52,7 +52,8 @@ let
}; };
}; };
in in
with lib; mkIf enable { with lib;
mkIf enable {
services.nginx.virtualHosts.${domain} = { services.nginx.virtualHosts.${domain} = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;

3
services/synapse/mail.nix
View file

@ -11,7 +11,8 @@ let
; ;
address = "noreply@${domain}"; address = "noreply@${domain}";
in in
with lib; mkIf (enable && config.machine.mail.enable) { with lib;
mkIf (enable && config.machine.mail.enable) {
services.matrix-synapse = { services.matrix-synapse = {
settings = { settings = {
admin_contact = address; admin_contact = address;

3
services/synapse/redis.nix
View file

@ -7,7 +7,8 @@ let
redisEnable = config.machine.redis.enable; redisEnable = config.machine.redis.enable;
inherit (config.machine.synapse) enable; inherit (config.machine.synapse) enable;
in in
with lib; mkIf (redisEnable && enable) { with lib;
mkIf (redisEnable && enable) {
services.redis.servers.matrix-synapse = { services.redis.servers.matrix-synapse = {
enable = true; enable = true;
}; };

11
services/synapse/secrets.nix
View file

@ -8,7 +8,8 @@ let
enable enable
; ;
in in
with lib; mkIf enable { with lib;
mkIf enable {
sops.secrets = { sops.secrets = {
"matrix/registrationSharedSecret" = { "matrix/registrationSharedSecret" = {
sopsFile = ./../../secrets/common.yaml; sopsFile = ./../../secrets/common.yaml;
@ -40,7 +41,9 @@ with lib; mkIf enable {
smtp_pass: ${config.sops.placeholder."mail/servicePassword"} smtp_pass: ${config.sops.placeholder."mail/servicePassword"}
''; '';
}; };
services.matrix-synapse.extraConfigFiles = with lib; mkIf config.machine.synapse.enable [ services.matrix-synapse.extraConfigFiles =
config.sops.templates.matrix-synapse-config.path with lib;
]; mkIf config.machine.synapse.enable [
config.sops.templates.matrix-synapse-config.path
];
} }

3
services/synapse/synapse.nix
View file

@ -12,7 +12,8 @@ let
metrics metrics
; ;
in in
with lib; mkIf enable { with lib;
mkIf enable {
services.matrix-synapse = { services.matrix-synapse = {
inherit enable; inherit enable;
enableRegistrationScript = true; enableRegistrationScript = true;

3
services/synapse/turn.nix
View file

@ -6,7 +6,8 @@
let let
inherit (config.machine.coturn) enable; inherit (config.machine.coturn) enable;
in in
with lib; mkIf (enable && config.machine.coturn.enable) { with lib;
mkIf (enable && config.machine.coturn.enable) {
services.matrix-synapse.settings = with config.services.coturn; { services.matrix-synapse.settings = with config.services.coturn; {
turn_uris = [ turn_uris = [
"turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=udp"

21
services/uptime-kuma/service.nix
View file

@ -10,7 +10,8 @@ let
port port
; ;
in in
with lib; mkIf enable { with lib;
mkIf enable {
services.uptime-kuma = { services.uptime-kuma = {
inherit enable; inherit enable;
settings = { settings = {
@ -18,16 +19,18 @@ with lib; mkIf enable {
}; };
}; };
services.nginx.virtualHosts = with lib; mkIf (domain != null) { services.nginx.virtualHosts =
"${domain}" = { with lib;
forceSSL = true; mkIf (domain != null) {
enableACME = true; "${domain}" = {
locations."/" = { forceSSL = true;
proxyPass = "http://127.0.0.1:${toString port}"; enableACME = true;
proxyWebsockets = true; locations."/" = {
proxyPass = "http://127.0.0.1:${toString port}";
proxyWebsockets = true;
};
}; };
}; };
};
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ port ]; allowedTCPPorts = [ port ];

43
services/vaultwarden/service.nix
View file

@ -10,34 +10,37 @@ let
port port
; ;
in in
with lib; mkIf enable { with lib;
mkIf enable {
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ port ]; allowedTCPPorts = [ port ];
}; };
services.nginx.virtualHosts = with lib; mkIf (domain != null) { services.nginx.virtualHosts =
"${domain}" = { with lib;
forceSSL = true; mkIf (domain != null) {
enableACME = true; "${domain}" = {
locations."/" = { forceSSL = true;
proxyPass = "http://127.0.0.1:${toString port}"; enableACME = true;
proxyWebsockets = true; locations."/" = {
proxyPass = "http://127.0.0.1:${toString port}";
proxyWebsockets = true;
extraConfig = ''
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
'';
};
extraConfig = '' extraConfig = ''
proxy_set_header X-Real-IP $remote_addr; add_header X-Frame-Options DENY;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; add_header X-Content-Type-Options nosniff;
proxy_set_header X-Forwarded-Proto $scheme; add_header Referrer-Policy same-origin;
proxy_set_header X-Forwarded-Host $host; add_header X-XSS-Protection "1; mode=block";
''; '';
}; };
extraConfig = ''
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy same-origin;
add_header X-XSS-Protection "1; mode=block";
'';
}; };
};
services.vaultwarden = { services.vaultwarden = {
inherit enable; inherit enable;

3
services/xray-3x-ui/firewall.nix
View file

@ -9,7 +9,8 @@ let
port port
; ;
in in
with lib; mkIf enable { with lib;
mkIf enable {
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
# Web panel # Web panel
port port

73
services/xray-3x-ui/nginx.nix
View file

@ -2,43 +2,50 @@
lib, lib,
config, config,
... ...
}: let }:
inherit let
(config.machine.xray-3x-ui) inherit (config.machine.xray-3x-ui)
enable enable
port port
domain domain
subscriptions subscriptions
; ;
in { in
services.nginx.virtualHosts = with lib; mkIf enable { {
${domain} = with lib; mkIf (domain != null) { services.nginx.virtualHosts =
enableACME = true; with lib;
forceSSL = true; mkIf enable {
locations."/" = { ${domain} =
proxyPass = "http://127.0.0.1:${toString port}"; with lib;
proxyWebsockets = true; mkIf (domain != null) {
extraConfig = '' enableACME = true;
proxy_set_header X-Real-IP $remote_addr; forceSSL = true;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; locations."/" = {
proxy_set_header X-Forwarded-Proto $scheme; proxyPass = "http://127.0.0.1:${toString port}";
proxy_redirect off; proxyWebsockets = true;
''; extraConfig = ''
}; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
'';
};
};
${subscriptions.domain} =
with lib;
mkIf (subscriptions.domain != null) {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:2096";
proxyWebsockets = true;
extraConfig = ''
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
'';
};
};
}; };
${subscriptions.domain} = with lib; mkIf (subscriptions.domain != null) {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:2096";
proxyWebsockets = true;
extraConfig = ''
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
'';
};
};
};
} }

2
services/xray-3x-ui/options.nix
View file

@ -30,4 +30,4 @@ with lib;
description = "Directory to store 3x-ui data."; description = "Directory to store 3x-ui data.";
}; };
}; };
} }

28
services/xray-3x-ui/service.nix
View file

@ -1,6 +1,11 @@
# See https://github.com/sunmeplz/xray-3x-ui # See https://github.com/sunmeplz/xray-3x-ui
{ config, lib, pkgs, ... }: {
config,
lib,
pkgs,
...
}:
with lib; with lib;
@ -11,8 +16,7 @@ let
minGoVersion = "1.26.0"; minGoVersion = "1.26.0";
xray-3x-ui = xray-3x-ui =
assert assertMsg assert assertMsg (versionAtLeast pkgs.go.version minGoVersion)
(versionAtLeast pkgs.go.version minGoVersion)
"3x-ui requires Go >= ${minGoVersion}, but ${pkgs.go.version} is available"; "3x-ui requires Go >= ${minGoVersion}, but ${pkgs.go.version} is available";
pkgs.buildGoModule rec { pkgs.buildGoModule rec {
@ -28,7 +32,10 @@ let
vendorHash = "sha256-M8YQTMfF/xZut4hxUcAfF2xGK625vwJNp4JS/zoXUCQ="; vendorHash = "sha256-M8YQTMfF/xZut4hxUcAfF2xGK625vwJNp4JS/zoXUCQ=";
ldflags = [ "-s" "-w" ]; ldflags = [
"-s"
"-w"
];
meta = with lib; { meta = with lib; {
description = "Xray panel supporting multi-protocol multi-user"; description = "Xray panel supporting multi-protocol multi-user";
@ -39,7 +46,8 @@ let
}; };
}; };
in { in
{
# Service implementation # Service implementation
config = mkIf cfg.enable { config = mkIf cfg.enable {
# User and group configuration # User and group configuration
@ -85,8 +93,14 @@ in {
Group = "xray-3x-ui"; Group = "xray-3x-ui";
StateDirectory = "3x-ui 3x-ui/bin 3x-ui/logs"; StateDirectory = "3x-ui 3x-ui/bin 3x-ui/logs";
StateDirectoryMode = "0755"; StateDirectoryMode = "0755";
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_NET_ADMIN" ]; AmbientCapabilities = [
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_NET_ADMIN" ]; "CAP_NET_BIND_SERVICE"
"CAP_NET_ADMIN"
];
CapabilityBoundingSet = [
"CAP_NET_BIND_SERVICE"
"CAP_NET_ADMIN"
];
}; };
}; };

1
users/rus07tam/modules/openclaw/service.nix
View file

@ -7,6 +7,7 @@
programs.openclaw = { programs.openclaw = {
enable = true; enable = true;
installApp = false; installApp = false;
systemd.enable = true;
bundledPlugins = { bundledPlugins = {
summarize.enable = true; summarize.enable = true;