Format project using nixfmt rfc candidate.

This commit is contained in:
Kevin Baensch 2024-11-20 20:32:38 +01:00
parent 1f63817684
commit a9f7fe416f
Signed by: derped
GPG key ID: C0F1D326C7626543
91 changed files with 1347 additions and 1000 deletions


@ -7,13 +7,14 @@
...
}:
with builtins;
with lib; let
with lib;
let
cfg = config.machine;
in
mkIf (elem "acme" cfg.services) {
security.acme = {
# see https://letsencrypt.org/repository/
acceptTerms = true;
defaults.email = "${(elemAt cfg.mailAccounts 0).name}@${cfg.domain}";
};
}
mkIf (elem "acme" cfg.services) {
security.acme = {
# see https://letsencrypt.org/repository/
acceptTerms = true;
defaults.email = "${(elemAt cfg.mailAccounts 0).name}@${cfg.domain}";
};
}


@ -8,29 +8,30 @@
...
}:
with builtins;
with lib; let
with lib;
let
cfg = config.machine;
in
mkIf (elem "bind" cfg.services) {
services.bind = {
enable = true;
listenOn = ["127.0.0.1"];
forwarders = [
# Cloudflare CDN
"1.1.1.1"
"1.0.0.1"
#CCC DNS
"204.152.184.76"
"159.203.38.175"
"207.148.83.241"
];
# TODO: add DNSSEC
extraOptions = ''
dnssec-validation auto;
mkIf (elem "bind" cfg.services) {
services.bind = {
enable = true;
listenOn = [ "127.0.0.1" ];
forwarders = [
# Cloudflare CDN
"1.1.1.1"
"1.0.0.1"
#CCC DNS
"204.152.184.76"
"159.203.38.175"
"207.148.83.241"
];
# TODO: add DNSSEC
extraOptions = ''
dnssec-validation auto;
recursion yes;
allow-recursion { 127.0.0.1; };
version none;
'';
};
}
recursion yes;
allow-recursion { 127.0.0.1; };
version none;
'';
};
}


@ -4,21 +4,21 @@
...
}:
with lib;
mkIf (elem "containers" config.machine.services) {
containers.CDServer = {
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.11";
config = {
imports = [
../machines/CDServer/options.nix
./default.nix
../config/default.nix
../pkgs/nixpkgs.nix
../pkgs/pkgsets.nix
];
services.nixosManual.showManual = false;
services.ntp.enable = false;
};
mkIf (elem "containers" config.machine.services) {
containers.CDServer = {
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.11";
config = {
imports = [
../machines/CDServer/options.nix
./default.nix
../config/default.nix
../pkgs/nixpkgs.nix
../pkgs/pkgsets.nix
];
services.nixosManual.showManual = false;
services.ntp.enable = false;
};
}
};
}


@ -5,11 +5,16 @@
...
}:
with lib;
mkIf (elem "cups" config.machine.services) {
services.printing = {
enable = true;
browsed.enable = false;
startWhenNeeded = true;
drivers = with pkgs; [gutenprint hplip splix samsung-unified-linux-driver];
};
}
mkIf (elem "cups" config.machine.services) {
services.printing = {
enable = true;
browsed.enable = false;
startWhenNeeded = true;
drivers = with pkgs; [
gutenprint
hplip
splix
samsung-unified-linux-driver
];
};
}


@ -5,68 +5,69 @@
pkgs,
...
}:
with lib; let
with lib;
let
cfg = config.machine;
desktopFiles = fn.lst {
p = toString ./desktop;
b = true;
};
in
{
imports = desktopFiles;
}
// mkIf (elem "desktop" cfg.services) {
xdg.portal = {
{
imports = desktopFiles;
}
// mkIf (elem "desktop" cfg.services) {
xdg.portal = {
enable = true;
wlr.enable = true;
extraPortals = with pkgs; [
xdg-desktop-portal-gtk
xdg-desktop-portal-gnome
];
};
services = {
gvfs.enable = true;
libinput = {
enable = true;
wlr.enable = true;
extraPortals = with pkgs; [
xdg-desktop-portal-gtk
xdg-desktop-portal-gnome
];
touchpad = {
tapping = true;
disableWhileTyping = false;
naturalScrolling = false;
horizontalScrolling = true;
};
};
services = {
gvfs.enable = true;
libinput = {
enable = true;
touchpad = {
tapping = true;
disableWhileTyping = false;
naturalScrolling = false;
horizontalScrolling = true;
};
};
};
programs = {
dconf.enable = true;
regreet = {
enable = true;
settings = {
GTK = {
application_prefer_dark_theme = true;
theme_name = lib.mkForce "Kanagawa-BL";
};
};
programs = {
dconf.enable = true;
regreet = {
enable = true;
settings = {
GTK = {
application_prefer_dark_theme = true;
theme_name = lib.mkForce "Kanagawa-BL";
};
};
};
};
environment = {
systemPackages = with pkgs; [kanagawa];
etc."xdg/gtk-2.0/gtkrc".text = ''
gtk-key-theme-name = "Kanagawa-BL"
'';
etc."xdg/gtk-3.0/settings.ini".text = ''
[Settings]
gtk-key-theme-name = Kanagawa-BL
'';
# Set keyboard layout for regreet cage
# see man cage or:
# https://man.archlinux.org/man/cage.1.en#ENVIRONMENT
variables.XKB_DEFAULT_LAYOUT = "de";
};
# Allow users in the video group to change the display brightness
services.udev.extraRules = ''
ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video /sys/class/backlight/%k/brightness"
ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chmod 664 /sys/class/backlight/%k/brightness"
environment = {
systemPackages = with pkgs; [ kanagawa ];
etc."xdg/gtk-2.0/gtkrc".text = ''
gtk-key-theme-name = "Kanagawa-BL"
'';
}
etc."xdg/gtk-3.0/settings.ini".text = ''
[Settings]
gtk-key-theme-name = Kanagawa-BL
'';
# Set keyboard layout for regreet cage
# see man cage or:
# https://man.archlinux.org/man/cage.1.en#ENVIRONMENT
variables.XKB_DEFAULT_LAYOUT = "de";
};
# Allow users in the video group to change the display brightness
services.udev.extraRules = ''
ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video /sys/class/backlight/%k/brightness"
ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chmod 664 /sys/class/backlight/%k/brightness"
'';
}


@ -5,20 +5,24 @@
...
}:
with lib;
mkIf (elem "desktop::i3" config.machine.services) {
services.xserver = {
mkIf (elem "desktop::i3" config.machine.services) {
services.xserver = {
enable = true;
windowManager.i3 = {
enable = true;
windowManager.i3 = {
enable = true;
configFile = import ../../config/etc/i3/config.nix {inherit pkgs;};
extraPackages = with pkgs; [
dmenu
file
i3lock
i3status
xdg-user-dirs
];
};
configFile = import ../../config/etc/i3/config.nix { inherit pkgs; };
extraPackages = with pkgs; [
dmenu
file
i3lock
i3status
xdg-user-dirs
];
};
machine.pkgsets.python3.pkgs = with pkgs.python3Packages; [py3status pytz tzlocal];
}
};
machine.pkgsets.python3.pkgs = with pkgs.python3Packages; [
py3status
pytz
tzlocal
];
}


@ -5,47 +5,47 @@
...
}:
with lib;
mkIf (elem "desktop::sway" config.machine.services) {
programs.sway = {
enable = true;
package = pkgs.sway.override {
enableXWayland = true;
};
extraPackages = with pkgs; [
file
gnome.adwaita-icon-theme
grim
gsettings-desktop-schemas
gtk3
i3status
kanagawa
light
mako
qt5.qtwayland
rofi-wayland
slurp
swayidle
swaylock
wf-recorder
wl-clipboard
];
wrapperFeatures = {
base = true;
gtk = true;
};
extraSessionCommands = ''
export GDK_BACKEND=wayland
export CLUTTER_BACKEND=wayland
export SDL_VIDEODRIVER=wayland
# needs qt5.qtwayland in systemPackages
export QT_QPA_PLATFORM=wayland-egl
export QT_WAYLAND_FORCE_DPI=physical
export QT_WAYLAND_DISABLE_WINDOWDECORATION="1"
# Fix for some Java AWT applications (e.g. Android Studio),
# use this if they aren't displayed properly:
export _JAVA_AWT_WM_NONREPARENTING=1
# Chromium (based) applications
export NIXOS_OZONE_WL=1
'';
mkIf (elem "desktop::sway" config.machine.services) {
programs.sway = {
enable = true;
package = pkgs.sway.override {
enableXWayland = true;
};
}
extraPackages = with pkgs; [
file
gnome.adwaita-icon-theme
grim
gsettings-desktop-schemas
gtk3
i3status
kanagawa
light
mako
qt5.qtwayland
rofi-wayland
slurp
swayidle
swaylock
wf-recorder
wl-clipboard
];
wrapperFeatures = {
base = true;
gtk = true;
};
extraSessionCommands = ''
export GDK_BACKEND=wayland
export CLUTTER_BACKEND=wayland
export SDL_VIDEODRIVER=wayland
# needs qt5.qtwayland in systemPackages
export QT_QPA_PLATFORM=wayland-egl
export QT_WAYLAND_FORCE_DPI=physical
export QT_WAYLAND_DISABLE_WINDOWDECORATION="1"
# Fix for some Java AWT applications (e.g. Android Studio),
# use this if they aren't displayed properly:
export _JAVA_AWT_WM_NONREPARENTING=1
# Chromium (based) applications
export NIXOS_OZONE_WL=1
'';
};
}


@ -6,11 +6,15 @@
}:
# Note: add privileged users to docker group for access
with lib;
mkIf ((elem "docker" config.machine.services) && !(elem "podman" config.machine.services)) {
virtualisation.docker = {
enable = true;
# Disable live restore as it tends to delay/block system shutdown
liveRestore = false;
};
environment.systemPackages = with pkgs; [docker-compose docker-machine cntr];
}
mkIf ((elem "docker" config.machine.services) && !(elem "podman" config.machine.services)) {
virtualisation.docker = {
enable = true;
# Disable live restore as it tends to delay/block system shutdown
liveRestore = false;
};
environment.systemPackages = with pkgs; [
docker-compose
docker-machine
cntr
];
}


@ -3,102 +3,103 @@
lib,
...
}:
with lib; let
with lib;
let
cfg = config.machine;
active = name: (elem name cfg.services);
in
mkIf (elem "fail2ban" cfg.services) {
services.fail2ban = {
enable = true;
jails = {
DEFAULT = ''
bantime = 3600
blocktype = DROP
logpath = /var/log/auth.log
'';
mkIf (elem "fail2ban" cfg.services) {
services.fail2ban = {
enable = true;
jails = {
DEFAULT = ''
bantime = 3600
blocktype = DROP
logpath = /var/log/auth.log
'';
ssh = ''
enabled = ${boolToString (active "openssh")}
filter = sshd
maxretry = 4
action = iptables[name=SSH, port=ssh, protocol=tcp]
'';
sshd-ddos = ''
enabled = ${boolToString (active "openssh")}
filter = sshd-ddos
maxretry = 4
action = iptables[name=ssh, port=ssh, protocol=tcp]
'';
ssh = ''
enabled = ${boolToString (active "openssh")}
filter = sshd
maxretry = 4
action = iptables[name=SSH, port=ssh, protocol=tcp]
'';
sshd-ddos = ''
enabled = ${boolToString (active "openssh")}
filter = sshd-ddos
maxretry = 4
action = iptables[name=ssh, port=ssh, protocol=tcp]
'';
postfix = ''
enabled = ${boolToString (active "mailserver")}
filter = postfix
maxretry = 3
action = iptables[name=postfix, port=smtp, protocol=tcp]
'';
postfix-sasl = ''
enabled = ${boolToString (active "mailserver")}
filter = postfix-sasl
port = postfix,imap3,imaps,pop3,pop3s
maxretry = 3
action = iptables[name=postfix, port=smtp, protocol=tcp]
'';
postfix-ddos = ''
enabled = ${boolToString (active "mailserver")}
filter = postfix-ddos
maxretry = 3
action = iptables[name=postfix, port=submission, protocol=tcp]
bantime = 7200
'';
postfix = ''
enabled = ${boolToString (active "mailserver")}
filter = postfix
maxretry = 3
action = iptables[name=postfix, port=smtp, protocol=tcp]
'';
postfix-sasl = ''
enabled = ${boolToString (active "mailserver")}
filter = postfix-sasl
port = postfix,imap3,imaps,pop3,pop3s
maxretry = 3
action = iptables[name=postfix, port=smtp, protocol=tcp]
'';
postfix-ddos = ''
enabled = ${boolToString (active "mailserver")}
filter = postfix-ddos
maxretry = 3
action = iptables[name=postfix, port=submission, protocol=tcp]
bantime = 7200
'';
nginx-req-limit = ''
enabled = ${boolToString (active "nginx")}
filter = nginx-req-limit
maxretry = 10
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
findtime = 600
bantime = 7200
'';
};
};
environment.etc."fail2ban/filter.d/sshd-ddos.conf" = {
enable = active "openssh";
text = ''
[Definition]
failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$
ignoreregex =
nginx-req-limit = ''
enabled = ${boolToString (active "nginx")}
filter = nginx-req-limit
maxretry = 10
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
findtime = 600
bantime = 7200
'';
};
};
environment.etc."fail2ban/filter.d/postfix-sasl.conf" = {
enable = active "mailserver";
text = ''
# Fail2Ban filter for postfix authentication failures
[INCLUDES]
before = common.conf
[Definition]
daemon = postfix/smtpd
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
'';
};
environment.etc."fail2ban/filter.d/sshd-ddos.conf" = {
enable = active "openssh";
text = ''
[Definition]
failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$
ignoreregex =
'';
};
environment.etc."fail2ban/filter.d/postfix-ddos.conf" = {
enable = active "mailserver";
text = ''
[Definition]
failregex = lost connection after EHLO from \S+\[<HOST>\]
'';
};
environment.etc."fail2ban/filter.d/postfix-sasl.conf" = {
enable = active "mailserver";
text = ''
# Fail2Ban filter for postfix authentication failures
[INCLUDES]
before = common.conf
[Definition]
daemon = postfix/smtpd
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
'';
};
environment.etc."fail2ban/filter.d/nginx-req-limit.conf" = {
enable = active "nginx";
text = ''
[Definition]
failregex = limiting requests, excess:.* by zone.*client: <HOST>
'';
};
environment.etc."fail2ban/filter.d/postfix-ddos.conf" = {
enable = active "mailserver";
text = ''
[Definition]
failregex = lost connection after EHLO from \S+\[<HOST>\]
'';
};
# Limit stack size to reduce memory usage
systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024;
}
environment.etc."fail2ban/filter.d/nginx-req-limit.conf" = {
enable = active "nginx";
text = ''
[Definition]
failregex = limiting requests, excess:.* by zone.*client: <HOST>
'';
};
# Limit stack size to reduce memory usage
systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024;
}


@ -4,12 +4,14 @@
...
}:
with lib;
mkIf (elem "forgejo" config.machine.services) {
services = {
forgejo = let
mkIf (elem "forgejo" config.machine.services) {
services = {
forgejo =
let
cfg = config.machine;
inherit ((findFirst (s: s.service == "forgejo") cfg cfg.vHosts)) domain;
in {
in
{
enable = true;
user = "git";
database = {
@ -44,16 +46,16 @@ with lib;
};
};
};
};
sops.secrets."services/forgejo/dbPass" = {
owner = "git";
group = "forgejo";
};
users.users.git = {
description = "Forgejo Service";
isNormalUser = true;
home = config.services.forgejo.stateDir;
createHome = false;
useDefaultShell = true;
};
}
};
sops.secrets."services/forgejo/dbPass" = {
owner = "git";
group = "forgejo";
};
users.users.git = {
description = "Forgejo Service";
isNormalUser = true;
home = config.services.forgejo.stateDir;
createHome = false;
useDefaultShell = true;
};
}


@ -4,8 +4,9 @@
...
}:
with lib;
mkIf (elem "fprintd" config.machine.services) {
security.pam.services = let
mkIf (elem "fprintd" config.machine.services) {
security.pam.services =
let
unlock = [
"sudo"
"i3lock"
@ -13,12 +14,16 @@ with lib;
"lightdm"
];
in
listToAttrs (forEach unlock (n: {
listToAttrs (
forEach unlock (n: {
name = n;
value = {fprintAuth = true;};
}));
value = {
fprintAuth = true;
};
})
);
services.fprintd = {
enable = true;
};
}
services.fprintd = {
enable = true;
};
}


@ -9,24 +9,32 @@
# https://qfpl.io/posts/nix/starting-simple-hydra/
# also for reference a well written hydra config:
# https://github.com/NixOS/nixos-org-configurations/blob/master/delft/hydra.nix
with lib; let
with lib;
let
cacheDir = "/var/cache/hydra";
in
mkIf (elem "hydra" config.machine.services) {
# also take a look at ../conf/nix.nix
nix.buildMachines = [
{
hostName = "localhost";
system = "x86_64-linux";
supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"];
maxJobs = 8;
}
];
mkIf (elem "hydra" config.machine.services) {
# also take a look at ../conf/nix.nix
nix.buildMachines = [
{
hostName = "localhost";
system = "x86_64-linux";
supportedFeatures = [
"kvm"
"nixos-test"
"big-parallel"
"benchmark"
];
maxJobs = 8;
}
];
services = let
services =
let
cfg = config.machine;
inherit ((findFirst (s: s.service == "hydra") cfg cfg.vHosts)) domain;
in {
in
{
hydra = {
enable = true;
hydraURL = domain; # externally visible URL
@ -42,7 +50,9 @@ in
# hydra.conf: binary_cache_secret_key_file is deprecated and ignored. use store_uri=...?secret-key= instead
extraConfig = ''
max_output_size = 4294967296
store_uri = file://${cacheDir}?secret-key=${config.sops.secrets."services.hydra.secretKey".path}&write-nar-listing=1&ls-compression=br&log-compression=br
store_uri = file://${cacheDir}?secret-key=${
config.sops.secrets."services.hydra.secretKey".path
}&write-nar-listing=1&ls-compression=br&log-compression=br
# add ?local-nar-cache= to set nar cache location
server_store_uri = https://cache.${cfg.domain}
binary_cache_public_uri https://cache.${cfg.domain}
@ -62,10 +72,10 @@ in
'';
};
};
systemd.services.nix-serve.serviceConfig.User = mkForce "hydra";
systemd.services.nix-serve.environment.NIX_STORE_DIR = cacheDir;
sops.secrets."services/hydra/secretKey" = {
owner = "hydra";
group = "hydra";
};
}
systemd.services.nix-serve.serviceConfig.User = mkForce "hydra";
systemd.services.nix-serve.environment.NIX_STORE_DIR = cacheDir;
sops.secrets."services/hydra/secretKey" = {
owner = "hydra";
group = "hydra";
};
}


@ -6,32 +6,40 @@
...
}:
with lib;
{
imports = [
mailserver.nixosModules.mailserver
];
}
// mkIf (elem "mailserver" config.machine.services) {
mailserver = let
{
imports = [
mailserver.nixosModules.mailserver
];
}
// mkIf (elem "mailserver" config.machine.services) {
mailserver =
let
cfg = config.machine;
inherit (cfg) domain;
fdomain = (findFirst (s: s.service == "mail") cfg cfg.vHosts).domain;
mkFqdnAlias = name: ["${name}@${domain}" "${name}@${fdomain}"];
mkFqdnAlias = name: [
"${name}@${domain}"
"${name}@${fdomain}"
];
mkExDomAlias = name: (map (exDom: "${name}@${exDom}") cfg.extraDomains);
mkUser = user: rec {
name = "${user.name}@${domain}";
value = {
hashedPasswordFile = config.sops.secrets."users/${user.name}/mail".path;
aliases =
["${user.name}@${fdomain}"]
[ "${user.name}@${fdomain}" ]
++ (flatten (map mkFqdnAlias user.aliases))
++ (flatten (map mkExDomAlias ([user.name] ++ user.aliases)));
++ (flatten (map mkExDomAlias ([ user.name ] ++ user.aliases)));
};
};
in rec {
in
rec {
enable = true;
fqdn = fdomain;
domains = [fdomain domain] ++ cfg.extraDomains;
domains = [
fdomain
domain
] ++ cfg.extraDomains;
loginAccounts = listToAttrs (map mkUser cfg.mailAccounts);
# Use Let's Encrypt certificates. Note that this needs to set up a stripped
@ -55,9 +63,5 @@ with lib;
# 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty)
virusScanning = false;
};
sops.secrets =
fn.sopsHelper
(user: "users/${user.name}/mail")
config.machine.mailAccounts
{};
}
sops.secrets = fn.sopsHelper (user: "users/${user.name}/mail") config.machine.mailAccounts { };
}


@ -5,9 +5,9 @@
...
}:
with lib;
mkIf (elem "mariaDB" config.machine.services) {
services.mysql = rec {
enable = true;
package = pkgs.mariadb;
};
}
mkIf (elem "mariaDB" config.machine.services) {
services.mysql = rec {
enable = true;
package = pkgs.mariadb;
};
}


@ -4,6 +4,6 @@
...
}:
with lib;
mkIf (elem "mullvad" config.machine.services) {
services.mullvad-vpn.enable = true;
}
mkIf (elem "mullvad" config.machine.services) {
services.mullvad-vpn.enable = true;
}


@ -6,11 +6,13 @@
...
}:
with lib;
mkIf (elem "nextcloud" config.machine.services) {
services = let
mkIf (elem "nextcloud" config.machine.services) {
services =
let
cfg = config.machine;
inherit ((findFirst (s: s.service == "nextcloud") cfg cfg.vHosts)) domain;
in {
in
{
nextcloud = {
enable = true;
home = "/var/lib/nextcloud";
@ -54,12 +56,14 @@ with lib;
'';
};
};
sops.secrets =
fn.sopsHelper
(name: "services/nextcloud/${name}")
["adminPass" "dbPass"]
sops.secrets =
fn.sopsHelper (name: "services/nextcloud/${name}")
[
"adminPass"
"dbPass"
]
{
owner = "nextcloud";
group = "nextcloud";
};
}
}


@ -15,28 +15,35 @@
}:
with lib;
with builtins;
mkIf (elem "nginx" config.machine.services) {
services.nginx = let
vHostConfigs = listToAttrs (map
(name: {
name = replaceStrings [".nix"] [""] name;
value = import (./. + (toPath "/nginx_vHosts/${name}")) {inherit options config lib pkgs;};
})
(attrNames (readDir ./nginx_vHosts)));
mkIf (elem "nginx" config.machine.services) {
services.nginx =
let
vHostConfigs = listToAttrs (
map (name: {
name = replaceStrings [ ".nix" ] [ "" ] name;
value = import (./. + (toPath "/nginx_vHosts/${name}")) {
inherit
options
config
lib
pkgs
;
};
}) (attrNames (readDir ./nginx_vHosts))
);
mkVHost = vHost: {
name = vHost.domain;
value =
{
enableACME = true;
forceSSL = true;
acmeRoot = "/var/lib/acme/acme-challenge";
}
// vHostConfigs."${vHost.service}";
value = {
enableACME = true;
forceSSL = true;
acmeRoot = "/var/lib/acme/acme-challenge";
} // vHostConfigs."${vHost.service}";
};
vHosts = listToAttrs (map mkVHost config.machine.vHosts);
in {
in
{
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
@ -56,4 +63,4 @@ with builtins;
'';
virtualHosts = vHosts;
};
}
}


@ -4,10 +4,10 @@
...
}:
with lib;
{
vHost =
if config.services.nix-serve.enable
then {
{
vHost =
if config.services.nix-serve.enable then
{
extraConfig = ''
location / {
proxy_pass http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port};
@ -18,6 +18,7 @@ with lib;
}
'';
}
else {};
}
.vHost
else
{ };
}
.vHost


@ -4,10 +4,10 @@
...
}:
with lib;
{
vHost =
if config.services.forgejo.enable
then {
{
vHost =
if config.services.forgejo.enable then
{
root = "${config.services.forgejo.stateDir}/public";
extraConfig = ''
location / {
@ -28,6 +28,7 @@ with lib;
}
'';
}
else {};
}
.vHost
else
{ };
}
.vHost


@ -4,10 +4,10 @@
...
}:
with lib;
{
vHost =
if config.services.hydra.enable
then {
{
vHost =
if config.services.hydra.enable then
{
extraConfig = ''
location / {
proxy_pass http://${config.services.hydra.listenHost}:${toString config.services.hydra.port};
@ -18,6 +18,7 @@ with lib;
}
'';
}
else {};
}
.vHost
else
{ };
}
.vHost


@ -4,14 +4,15 @@
...
}:
with lib;
{
vHost =
if config.mailserver.enable
then {
{
vHost =
if config.mailserver.enable then
{
serverName = config.mailserver.fqdn;
enableACME = true;
forceSSL = true;
}
else {};
}
.vHost
else
{ };
}
.vHost


@ -6,13 +6,13 @@
...
}:
with lib;
if config.services.nextcloud.enable
then
{
vHost = {
enableACME = config.services.nextcloud.https;
forceSSL = config.services.nextcloud.https;
};
}
.vHost
else {}
if config.services.nextcloud.enable then
{
vHost = {
enableACME = config.services.nextcloud.https;
forceSSL = config.services.nextcloud.https;
};
}
.vHost
else
{ }


@ -4,9 +4,9 @@
...
}:
with lib;
{
vHost = {
root = "/var/www";
};
}
.vHost
{
vHost = {
root = "/var/www";
};
}
.vHost


@ -6,10 +6,11 @@
with lib;
let
tandoor = config.services.tandoor-recipes;
in {
vHost =
if tandoor.enable
then {
in
{
vHost =
if tandoor.enable then
{
extraConfig = ''
location /media/ {
alias ${tandoor.extraConfig.MEDIA_ROOT};
@ -24,6 +25,7 @@ in {
}
'';
}
else {};
}
.vHost
else
{ };
}
.vHost


@ -8,35 +8,38 @@
# https://infosec.mozilla.org/guidelines/openssh.html
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
with lib;
mkIf (elem "openssh" config.machine.services) {
services.openssh = {
enable = true;
settings.KexAlgorithms = ["curve25519-sha256@libssh.org"];
sftpFlags = ["-f AUTHPRIV" "-l INFO"];
startWhenNeeded = false;
settings = {
KbdInteractiveAuthentication = false;
PasswordAuthentication = false;
PermitRootLogin = "no";
};
extraConfig = let
mkIf (elem "openssh" config.machine.services) {
services.openssh = {
enable = true;
settings.KexAlgorithms = [ "curve25519-sha256@libssh.org" ];
sftpFlags = [
"-f AUTHPRIV"
"-l INFO"
];
startWhenNeeded = false;
settings = {
KbdInteractiveAuthentication = false;
PasswordAuthentication = false;
PermitRootLogin = "no";
};
extraConfig =
let
users =
concatMapStrings (user: "${user.name} ") config.machine.administrators
+ (optionalString config.services.forgejo.enable (config.services.forgejo.user + " "));
in ''
in
''
UsePAM no
AllowUsers ${users}
LogLevel VERBOSE
'';
};
# Add public keys to /etc/ssh/authorized_keys.d
# This replaces users.users.*.openssh.authorizedKeys.*
sops.secrets =
fn.sopsHelper
(user: "users/${user.name}/publicKey")
config.machine.administrators
};
# Add public keys to /etc/ssh/authorized_keys.d
# This replaces users.users.*.openssh.authorizedKeys.*
sops.secrets =
fn.sopsHelper (user: "users/${user.name}/publicKey") config.machine.administrators
(user: {
path = "/etc/ssh/authorized_keys.d/${user.name}";
mode = "444";
});
}
}


@ -4,19 +4,25 @@
pkgs,
...
}:
with lib; let
with lib;
let
withDocker = elem "docker" config.machine.services;
in
mkIf (elem "podman" config.machine.services) {
virtualisation.podman = {
enable = true;
dockerSocket.enable = withDocker;
dockerCompat = withDocker;
defaultNetwork = {
settings.dns_enabled = true;
};
mkIf (elem "podman" config.machine.services) {
virtualisation.podman = {
enable = true;
dockerSocket.enable = withDocker;
dockerCompat = withDocker;
defaultNetwork = {
settings.dns_enabled = true;
};
environment.systemPackages =
(with pkgs; [podman-compose cntr img skopeo])
++ (optional withDocker pkgs.docker-compose);
}
};
environment.systemPackages =
(with pkgs; [
podman-compose
cntr
img
skopeo
])
++ (optional withDocker pkgs.docker-compose);
}


@ -5,12 +5,12 @@
...
}:
with lib;
mkIf (elem "tandoor" config.machine.services) {
services.tandoor-recipes = {
enable = true;
extraConfig = {
# Set explicitly so it can be referenced by web-server
MEDIA_ROOT = "/var/lib/tandoor-recipes/media/";
};
mkIf (elem "tandoor" config.machine.services) {
services.tandoor-recipes = {
enable = true;
extraConfig = {
# Set explicitly so it can be referenced by web-server
MEDIA_ROOT = "/var/lib/tandoor-recipes/media/";
};
}
};
}


@ -5,6 +5,6 @@
...
}:
with lib;
mkIf (elem "udev" config.machine.services) {
hardware.steam-hardware.enable = true;
}
mkIf (elem "udev" config.machine.services) {
hardware.steam-hardware.enable = true;
}