From 518ab13797314de2de4b6f7a36aaeb03e33fb511 Mon Sep 17 00:00:00 2001 From: Gerg-L Date: Wed, 5 Mar 2025 22:32:40 -0500 Subject: [PATCH] better services --- nixosConfigurations/gerg-desktop/secrets.yaml | 9 +- .../gerg-desktop/services/forgejo.nix | 33 ++--- .../gerg-desktop/services/immich.nix | 22 +++- .../gerg-desktop/services/miniflux.nix | 19 +-- .../gerg-desktop/services/nginx.nix | 123 +++++++++--------- .../gerg-desktop/services/postgresql.nix | 17 ++- .../gerg-desktop/services/searxng.nix | 11 +- .../services/vocard/_application.nix | 2 +- .../services/vocard/_settings.nix | 2 +- .../gerg-desktop/services/vocard/vocard.nix | 74 ++++++++--- 10 files changed, 189 insertions(+), 123 deletions(-) diff --git a/nixosConfigurations/gerg-desktop/secrets.yaml b/nixosConfigurations/gerg-desktop/secrets.yaml index 489f244..8473701 100644 --- a/nixosConfigurations/gerg-desktop/secrets.yaml +++ b/nixosConfigurations/gerg-desktop/secrets.yaml 
@@ -1,7 +1,10 @@ +ferretdb: ENC[AES256_GCM,data:T+aeEtgiM4D+a7MOumE69UNMFjKYKASexSl5/r2HC2fSg93qlISwXRPuSXp6RidyWQE/HJWh3RdPzkbIkBtTmcyxF78gk/LlHsMbrCdSBHF9/hPd4N1AuKquZi8PvyDE6e0RjmUjZxn1PkzDdqWB7bWtYLFyZO7T8WaReouyZObFCG1hI00oT/s=,iv:6xwdMS/JPzVThT3rJmF7/MPs6oEoUwdwYhvyGC1mCrQ=,tag:wxBfckBmo+JM6me+PKcjfw==,type:str] +forgejo: ENC[AES256_GCM,data:gNpOxeXlkYIqIFTqQvFg3pr/b1P5CEVbKDDXhmNnsp6PpdLDKjdRsMobEAOHsSuqdRUpuRsLolAlMUayHyQZ5pLtATXhxLN9TZtucn52eKqVdYx4spbSbbPdHHRznEze55MZuNmMPH9Y3tk+uzIQgzOpHohRs8+/lI3dS8F2dfqg,iv:vIGaWyDRFoR5csdIwsLoHyr3LmA7qyOGshivdvYFy5c=,tag:hif0XGaLQRzhDFVDQLTDBQ==,type:str] +immich: ENC[AES256_GCM,data:P5sMIZ0qaXDvmJ9h1pm+w53FtjMFZcaHXFCqpqldEZ9umVRqidaie5C2c/5SMPpiNWxpFMksvzfA8CQrZVgFEo7kqbg/xU4KeZMEhAqC8tWku0Zi3c452479PARzRvN/e1v24KSzFA5X0zztDNRxMFpjIAURNhQ7ZxKaP/ItP/MW9rzukP3Ow5homThawjk=,iv:dvTLTyh1Cbcmmcq87yvGDffe43Q/Grp7lz36zI5Yd1A=,tag:fLgVTUyQqULiodM4MVfAlQ==,type:str] cloudflare: ENC[AES256_GCM,data:RZ+Smjn1nvnkxYAF56fEcBsFvO3YY+FWJ8wb0c72sxQleRjy9tVp7yDr9gRfUg3G,iv:mGaFxKFLrIouNhyqq/nBKaKub1WfekcCeHVLASQpBCs=,tag:xKl5EHR9g7d4pJkt49BLyw==,type:str] reboot_token: ENC[AES256_GCM,data:/3QP30OUZsFaagj9Ljde1jz5nxZA6jp6/B6pmlponepRy3uZJ2jlaYQ3EBDiv5L413ecfWePAeWlX07eZ08JIRdoO5Ky52LM1+nPHMJFXzQ0h2onz4RVQAM=,iv:qiRk93LM7+3QmW27ItoWYGo7PLlu/hpprcPdnOaCBdw=,tag:X9kEov2FOrsIqkkStLegPw==,type:str] searxngenv: ENC[AES256_GCM,data:HtH4KxXWoQEJp88Bgfhfj5Y4Up+inHu8mnVtay64XvCRpVKHF/kceC3XwT9C3IdXpQ==,iv:iXK8hOFoEnM5wFUZhC8IOdHzPhwPDHtTL8MmS5FSlns=,tag:TZHTB7ia5Qq2f2fETJOpEA==,type:str] -minifluxenv: ENC[AES256_GCM,data:wgz6sxSbbjXrgBAak0Q0TlvG78+JHPpiPtcbqGo9HpSF3qY78edECCDB3qqIaynxdhI4,iv:mbsr+OG8fE5MggmC+TNkLmhhDNGvJo+uelNRo/rMLoo=,tag:xN+FbNHZIVCruQh23aMt5g==,type:str] +minifluxenv: 
ENC[AES256_GCM,data:xn1x68dE0+/wP627w7zbm+lCvOKfKkPahjlLN+4zg/zoTGbIrstb40HFLTt8opCMgW3OmCPIY45DjT49W29m8SipJwOjWvqbm5iGhI3KYgE/jzpjLnFiNLdigGeZ0aBf5OiN/ef82B+qkjlOcO3x0CWFSONLRsDqa0KJR/eHWFCsqdxJxUd9KpJ47TiPb4y7mvnfJebrg3IPxxABrImeg2d5a2RjDIueFdWyJLJol9JTJDPpTLFm0OEG6Xbr2G2sQQ==,iv:mXdcFtbLGTu3aOCJ/m/axA9bnHNqzPsQFuLv5Bj1Dkw=,tag:255hftEAi2CPsr5gwXs1zQ==,type:str] gerg: ENC[AES256_GCM,data:iSwWGIIxQenCPMd/Tith/eagjVINn0mgrO99IG85cP4UXtut6GF2R57XDMeD7SU18vW1ULod/lYuTo0SmmrkmX+wlDWgm4cODw==,iv:fHTcn4ZmjSqLC8jQkuualRbp+RwvgblS1ic6WPb2WEY=,tag:rkDuXhvleKekv3bVpdNNuw==,type:str] store_key: ENC[AES256_GCM,data:2XioKwoH0V5QuedXl4w2IFrT2qOQWF0kbchYTMhyL9BaUqYHhXQi4buvKUVbBQ8AnzD1GJT3ZRy1S13CxEkdQvXE0IY0iX5nkTJtI3VgpiF64wfvZqcLQGaaNTCg+AEDP304KtIZZiao,iv:PV0bORWHoRDM8HvFwOI2sl7QjfD9G0VXSZ9RrPBUsyM=,tag:caVnOow466eBT/5bqYU0Iw==,type:str] github_token: ENC[AES256_GCM,data:LijyCmMkfaCmh3rVKB96GHd7eM5Qbj9Jea1UZbQGgf67rof1uS+XML+3hmC6lOf6iOeJQtg12fC3ODHnzGuiC+dd1VbIkL5xRR7VBpFF2g6q5ixz9On/IRP74lX7SexCbcOx6YHi6eU6FX6fXe8wWhM87RYZcuiaEw==,iv:GWpI5Q2svJCz28wPVwTPq/+aLN7bWFz4gHNm3Qe6YFI=,tag:1KO9shVI0m2DSomDAuGnsQ==,type:str] 
@@ -22,8 +25,8 @@ sops: dGhDRXRTWE9xSGtxQU80RVpuL1A5MkEKxAxC/wDkq+6hM8eXkWd/RBDNIUtGYnPy MvVxB6dkj+S11oRcMpdFqiM9jSzz/gYecB2tfuDgj+UX/VAzSkvPxA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-02-26T23:23:36Z" - mac: ENC[AES256_GCM,data:rUuzMNzXf2rgmT7t4eNXnVDtA4izwbc+8wvMztu5gvymJNBGf2B+uvFzEZMqMA+gmdqwX4B51K2oTYe7GU3EAgjp+7709hy4Dzs0vILebJn6ijO3AVHLEWLE7ia0cao6wAzKv6qtlyvAb1TvyTgtJpM+LCsuOkEItPJxoEDGlzc=,iv:rYlkNXaz/mk7WBYm27y/+eqJAThZ/pcjW6bMuTjTIZ4=,tag:end6/klu3sW9PuTIbWxZmw==,type:str] + lastmodified: "2025-03-06T03:09:11Z" + mac: ENC[AES256_GCM,data:3EeCTjNO74bwoa9mi2Da5jigmjwQC+IZO9eJS8V5ujuIz2suB1Q9xl7AUBk8JT5oqCvuVJZ4QuOjtSUp00h2f4cvuq0/VQWurb7RBDG956iT0v6Js+3s4sgZ6mTaD0W3IXYpQkoCLKA0EdfZpqayBAK8ToUYCJhCaNBLl7eUZBw=,iv:heJUcxMbJCmEq14woFFXGEfx2xlID0ZeDxtBK8kXWOE=,tag:jNahdAVH9IoIs63H3yW0AA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.4 diff --git a/nixosConfigurations/gerg-desktop/services/forgejo.nix b/nixosConfigurations/gerg-desktop/services/forgejo.nix index aa21d13..461390a 100644 --- a/nixosConfigurations/gerg-desktop/services/forgejo.nix +++ b/nixosConfigurations/gerg-desktop/services/forgejo.nix @@ -3,19 +3,13 @@ let link = config.local.links.forgejo; in { + sops.secrets.forgejo.owner = config.services.forgejo.user; local.links.forgejo = { }; - users = { - groups.${config.services.forgejo.group} = { }; - users = { - ${config.services.forgejo.user} = { - isSystemUser = true; - inherit (config.services.forgejo) group; - extraGroups = [ "postgres" ]; - openssh.authorizedKeys.keys = [ config.local.keys.gerg_gerg-desktop ]; - }; - }; - }; + users.users.${config.services.forgejo.user}.openssh.authorizedKeys.keys = [ + config.local.keys.gerg_gerg-desktop + ]; + services.forgejo = { enable = true; stateDir = "/persist/services/forgejo"; 
@@ -25,16 +19,25 @@ in DOMAIN = "git.gerg-l.com"; ROOT_URL = "https://git.gerg-l.com/"; LANDING_PAGE = "/explore/repos"; + PROTOCOL = link.protocol; HTTP_ADDR = link.ipv4; HTTP_PORT = link.port; }; ui.DEFAULT_THEME = "forgejo-dark"; service.DISABLE_REGISTRATION = true; + database.LOG_SQL = false; }; - database = { - type = "postgres"; - createDatabase = true; - }; + database = + let + dbLink = config.local.links.postgresql; + in + { + type = "postgres"; + createDatabase = true; + inherit (dbLink) port; + host = dbLink.hostname; + passwordFile = config.sops.secrets.forgejo.path; + }; }; local.nginx.proxyVhosts."git.gerg-l.com" = link.url; diff --git a/nixosConfigurations/gerg-desktop/services/immich.nix b/nixosConfigurations/gerg-desktop/services/immich.nix index dca391f..cd0b090 100644 --- a/nixosConfigurations/gerg-desktop/services/immich.nix +++ b/nixosConfigurations/gerg-desktop/services/immich.nix @@ -1,25 +1,33 @@ -{ config, ... }: +{ config }: let cfg = config.services.immich; link = config.local.links.immich; in { + sops.secrets.immich.owner = cfg.user; + local.links.immich = { }; systemd.tmpfiles.rules = [ "d ${cfg.mediaLocation} - ${cfg.user} ${cfg.group} - -" ]; - users.users.${cfg.user}.extraGroups = [ "postgres" ]; services.immich = { enable = true; openFirewall = true; - database = { - enable = true; - createDB = true; - }; + #secretsFile = config.sops.secrets.immich.path; + database = + let + dbLink = config.local.links.postgresql; + in + { + enable = true; + createDB = true; + inherit (dbLink) port; + #host = dbLink.hostname; + }; mediaLocation = "/persist/services/immich"; machine-learning.enable = true; settings = null; inherit (link) port; - host = link.ipv4; + host = link.hostname; }; local.nginx.proxyVhosts."photos.gerg-l.com" = link.url; diff --git a/nixosConfigurations/gerg-desktop/services/miniflux.nix b/nixosConfigurations/gerg-desktop/services/miniflux.nix index c9351f9..42f8c4b 100644 
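Review bot: The new `passwordFile` only helps if the `forgejo` role actually has that password, and `createDatabase = true` provisions the role through the module's ensureUsers path, which (as far as I recall) creates it without one; nothing in this diff runs an `ALTER ROLE forgejo PASSWORD …`, so unless that happens elsewhere the first TCP connect fails at password auth. A one-shot `postStart` on `postgresql.service` that reads the same sops file and applies the password would close the gap, or the socket path with peer auth could be kept, which needs no secret at all. `PROTOCOL = link.protocol` also deserves a glance: if the link is ever declared `https`, Forgejo will look for `CERT_FILE`/`KEY_FILE` that are not set here. The `services.forgejo` attrset continues past the end of this hunk.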
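Review bot: `sops.secrets.immich.owner = cfg.user` provisions a credential that nothing consumes, because both `#secretsFile = …` and `#host = dbLink.hostname;` are commented out; immich therefore still reaches PostgreSQL the way the module defaults to (the local socket, I believe), and the `port` override only changes which socket file name is looked up. Either drop the secret declaration until `secretsFile` is switched on, or enable both lines together — decrypting an unused credential into `/run/secrets` just widens the footprint for no gain. Worth a comment on the commented lines saying why they are parked, e.g. `# TCP + password path disabled until the immich role has a password set`. Separately, `openFirewall = true` with `host = link.hostname` keeps the immich port reachable outside the nginx vhost, which this commit does not change.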
--- a/nixosConfigurations/gerg-desktop/services/miniflux.nix +++ b/nixosConfigurations/gerg-desktop/services/miniflux.nix @@ -1,4 +1,5 @@ { + lib, config, }: let @@ -14,23 +15,15 @@ in config = { BASE_URL = "https://flux.gerg-l.com"; LISTEN_ADDR = link.tuple; + DATABASE_URL = + let + dbLink = config.local.links.postgresql; + in + lib.mkForce "user=miniflux host=${dbLink.hostname} port=${dbLink.portStr} dbname=miniflux sslmode=disable"; }; adminCredentialsFile = config.sops.secrets.minifluxenv.path; createDatabaseLocally = true; }; - users = { - groups.miniflux.gid = 377; - users = { - miniflux = { - group = "miniflux"; - extraGroups = [ "postgres" ]; - isSystemUser = true; - uid = 377; - }; - ${config.services.nginx.user}.extraGroups = [ "miniflux" ]; - }; - }; - local.nginx.proxyVhosts."flux.gerg-l.com" = link.url; } diff --git a/nixosConfigurations/gerg-desktop/services/nginx.nix b/nixosConfigurations/gerg-desktop/services/nginx.nix index 7df0f54..0b07b48 100644 --- a/nixosConfigurations/gerg-desktop/services/nginx.nix +++ b/nixosConfigurations/gerg-desktop/services/nginx.nix 
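Review bot: The forced `DATABASE_URL` connects over TCP as `miniflux` with no password and `sslmode=disable`, while `createDatabaseLocally = true` provisions the role for peer auth on the socket; this string can only authenticate if `pg_hba` trusts that host or a password arrives some other way. If the enlarged `minifluxenv` secret now carries a `DATABASE_URL` with a password, it wins over this value (EnvironmentFile= overrides Environment=) and the `lib.mkForce` line is a credential-less fallback that should be removed so a misconfiguration fails loudly; if it does not, the credential is simply missing. Keeping it in the EnvironmentFile is the right place in any case, since `config` entries end up in the unit environment and are readable via `systemctl show`, as far as I recall the module. Dropping the nginx user from the `miniflux` group is fine now that the socket is not shared.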
@@ -9,70 +9,71 @@ }; }; - config = { - local.nginx.defaultVhosts = builtins.mapAttrs (_: v: { - locations."/".proxyPass = v; - }) config.local.nginx.proxyVhosts; + config = + let + cfg = config.services.nginx; + in + { + local.nginx.defaultVhosts = builtins.mapAttrs (_: v: { + locations."/".proxyPass = v; + }) config.local.nginx.proxyVhosts; - sops.secrets = { - gerg_ssl_key.owner = config.services.nginx.user; - gerg_ssl_cert.owner = config.services.nginx.user; - }; - - security.acme = { - acceptTerms = true; - certs."gerg-l.com" = { - email = "GregLeyda@proton.me"; - webroot = "/var/lib/acme/acme-challenge"; - extraDomainNames = builtins.attrNames config.local.nginx.defaultVhosts; + sops.secrets = { + gerg_ssl_key.owner = cfg.user; + gerg_ssl_cert.owner = cfg.user; }; - }; - fileSystems."/var/lib/acme" = { - device = "/persist/services/acme"; - fsType = "none"; - options = [ "bind" ]; - depends = [ - "/persist" - "/var" + security.acme = { + acceptTerms = true; + certs."gerg-l.com" = { + email = "GregLeyda@proton.me"; + inherit (cfg) group; + webroot = "/var/lib/acme/acme-challenge"; + extraDomainNames = builtins.attrNames config.local.nginx.defaultVhosts; + }; + }; + + systemd.mounts = [ + { + what = "/persist/services/acme"; + where = "/var/lib/acme"; + type = "none"; + options = "bind"; + } + ]; + + services.nginx = { + enable = true; + recommendedZstdSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + # For immich + clientMaxBodySize = "50000M"; + proxyTimeout = "600s"; + virtualHosts = + builtins.mapAttrs + ( + _: v: + { + forceSSL = true; + useACMEHost = "gerg-l.com"; + } + // v + ) + ( + config.local.nginx.defaultVhosts + // { + "_" = { + default = true; + locations."/".return = "404"; + }; + } + ); + }; + networking.firewall.allowedTCPPorts = [ + 80 + 443 ]; }; - - users.users.${config.services.nginx.user}.extraGroups = [ "acme" ]; - - services.nginx = { - enable = true; - 
recommendedZstdSettings = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - # For immich - clientMaxBodySize = "50000M"; - proxyTimeout = "600s"; - virtualHosts = - builtins.mapAttrs - ( - _: v: - { - forceSSL = true; - useACMEHost = "gerg-l.com"; - } - // v - ) - ( - config.local.nginx.defaultVhosts - // { - "_" = { - default = true; - locations."/".return = "404"; - }; - } - ); - }; - networking.firewall.allowedTCPPorts = [ - 80 - 443 - ]; - }; } diff --git a/nixosConfigurations/gerg-desktop/services/postgresql.nix b/nixosConfigurations/gerg-desktop/services/postgresql.nix index f8509dd..aa2fa04 100644 --- a/nixosConfigurations/gerg-desktop/services/postgresql.nix +++ b/nixosConfigurations/gerg-desktop/services/postgresql.nix @@ -1,9 +1,22 @@ -{ pkgs }: { + lib, + pkgs, + config, +}: +let + link = config.local.links.postgresql; +in +{ + local.links.postgresql.port = 5432; + services.postgresql = { enable = true; package = pkgs.postgresql_16; dataDir = "/persist/services/postgresql"; - settings.unix_socket_permissions = "0770"; + settings = { + inherit (link) port; + listen_addresses = lib.mkForce link.ipv4; + #unix_socket_directories = ""; + }; }; } diff --git a/nixosConfigurations/gerg-desktop/services/searxng.nix b/nixosConfigurations/gerg-desktop/services/searxng.nix index a84806a..46a2c3a 100644 --- a/nixosConfigurations/gerg-desktop/services/searxng.nix +++ b/nixosConfigurations/gerg-desktop/services/searxng.nix @@ -22,10 +22,13 @@ in secret_key = "@SEARXNG_SECRET@"; base_url = "https://search.gerg-l.com"; }; - search.formats = [ - "html" - "json" - ]; + search = { + default_lang = "en"; + formats = [ + "html" + "json" + ]; + }; engines = [ { name = "bing"; diff --git a/nixosConfigurations/gerg-desktop/services/vocard/_application.nix b/nixosConfigurations/gerg-desktop/services/vocard/_application.nix index 728264b..1f05617 100644 
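Review bot: The `systemd.mounts` entry that replaces the `fileSystems` bind mount has no `wantedBy`, and NixOS does not put `systemd.mounts` units into any target on its own (the `fileSystems` option did, via local-fs.target); unless the acme or nginx units pull it in through an implicit `RequiresMountsFor=`, `/var/lib/acme` may stay unmounted at boot and ACME state, private key included, would land on the non-persistent root. Add `wantedBy = [ "multi-user.target" ];` to the mount, and ideally `before`/`requiredBy` on the acme and nginx units so ordering is explicit rather than incidental. `recommendedGzipSettings` is dropped while `recommendedZstdSettings` stays; if the motivation was compression of proxied authenticated pages over TLS (BREACH-style leakage), zstd has the same exposure and should go with it, otherwise a one-line comment on why gzip was removed would help the next reader.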
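Review bot: Forcing `listen_addresses` to `link.ipv4` moves clients onto TCP, but the diff sets no `services.postgresql.authentication`, so host connections fall back to the NixOS default `pg_hba.conf` (md5 for 127.0.0.1/::1 only, as I recall); if `link.ipv4` is anything but loopback the listener is reachable and no hba line matches, and if it is loopback the password hashing is md5. Set `settings.password_encryption = "scram-sha-256";` plus an explicit `authentication = "host all all ${link.ipv4}/32 scram-sha-256";` and keep the port out of `allowedTCPPorts`. Removing `unix_socket_permissions = "0770"` returns the socket to the world-connectable default (peer auth still gates it), which is consistent with dropping the `postgres` extraGroups elsewhere in this patch, but the parked `#unix_socket_directories = ""` line should either go or carry a reason.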
--- a/nixosConfigurations/gerg-desktop/services/vocard/_application.nix +++ b/nixosConfigurations/gerg-desktop/services/vocard/_application.nix @@ -7,6 +7,7 @@ address = link.ipv4; }; lavalink = { + pluginsDir = lavalinkPlugins; plugins = [ { dependency = "dev.lavalink.youtube:youtube-plugin:1.11.5"; @@ -74,7 +75,6 @@ metrics.prometheus.enabled = false; plugins = { - pluginsDir = lavalinkPlugins; youtube = { allowDirectPlaylistIds = true; allowDirectVideoIds = true; diff --git a/nixosConfigurations/gerg-desktop/services/vocard/_settings.nix b/nixosConfigurations/gerg-desktop/services/vocard/_settings.nix index 501057e..e0c73d6 100644 --- a/nixosConfigurations/gerg-desktop/services/vocard/_settings.nix +++ b/nixosConfigurations/gerg-desktop/services/vocard/_settings.nix @@ -90,7 +90,7 @@ mongodb_name = "vocard"; mongodb_url = ferretLink.url; nodes.DEFAULT = { - host = link.ipv4; + host = link.hostname; identifier = "DEFAULT"; password = p."vocard/password"; inherit (link) port; diff --git a/nixosConfigurations/gerg-desktop/services/vocard/vocard.nix b/nixosConfigurations/gerg-desktop/services/vocard/vocard.nix index c225408..8b65174 100644 --- a/nixosConfigurations/gerg-desktop/services/vocard/vocard.nix +++ b/nixosConfigurations/gerg-desktop/services/vocard/vocard.nix @@ -17,6 +17,7 @@ in sops = { secrets = { + ferretdb = { }; lavalink = { sopsFile = ./secrets.yaml; restartUnits = [ 
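Review bot: The new `ferretdb = { };` secret has no `restartUnits`, unlike the neighbouring `lavalink` entry, so rotating the password in sops will not restart the consumer and FerretDB keeps running on the old credential until something else bounces it; `ferretdb.restartUnits = [ "ferretdb.service" ];` keeps the two declarations consistent. Note also that this entry falls back to the host-level `secrets.yaml` (where the diff adds the key) while `lavalink` points at `./secrets.yaml` next to the module — worth a comment so the split is deliberate rather than surprising. The `sops.secrets` attrset continues past the end of this hunk.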
@@ -88,19 +89,15 @@ in ]; serviceConfig = { - ExecStart = - let - configFile = pkgs.writeText "application.yml" ( - builtins.toJSON ( - import ./_application.nix { - inherit link; - inherit (self'.packages) lavalinkPlugins; - } - ) - ); - in - - "${lib.getExe self'.packages.lavalink} --spring.config.location='file:${configFile}'"; + ExecStart = lib.getExe self'.packages.lavalink; + WorkingDirectory = lib.pipe ./_application.nix [ + (lib.flip import { + inherit link; + inherit (self'.packages) lavalinkPlugins; + }) + builtins.toJSON + (pkgs.writeTextDir "application.yml") + ]; DynamicUser = true; EnvironmentFile = config.sops.secrets.lavalink.path; Restart = "on-failure"; 
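Review bot: Using the `writeTextDir` store path as `WorkingDirectory` leaves configuration discovery to Spring's implicit `./application.yml` lookup where the removed `--spring.config.location=file:…` was explicit, and it makes the CWD read-only, so anything Lavalink writes relative to it (for instance `./logs` if `_application.nix` sets `logging.file.path`) fails under `DynamicUser`. Keeping the explicit flag and a writable state dir reads as `StateDirectory = "lavalink";`, `WorkingDirectory = "%S/lavalink";` and `ExecStart = "${lib.getExe self'.packages.lavalink} --spring.config.location=file:${configDir}/application.yml";` with `configDir` bound in a `let`. Either way the rendered YAML is world-readable in `/nix/store`, so it must not contain the Lavalink server password; the `EnvironmentFile` line suggests it already comes from the environment, which is the right place. The `serviceConfig` attrset continues past the end of this hunk.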
@@ -109,9 +106,54 @@ in }; }; - services.ferretdb = { - enable = true; - settings.FERRETDB_LISTEN_ADDR = ferretLink.tuple; + services.postgresql = { + ensureDatabases = [ "ferretdb" ]; + ensureUsers = [ + { + name = "ferretdb"; + ensureDBOwnership = true; + } + ]; + }; + + systemd.services.ferretdb = { + description = "FerretDB"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + environment = { + FERRETDB_HANDLER = "pg"; + FERRETDB_LISTEN_ADDR = ferretLink.tuple; + }; + + serviceConfig = { + ExecStart = + let + dbLink = config.local.links.postgresql; + in + "${lib.getExe pkgs.ferretdb} --debug-addr='-' --telemetry='disable' --postgresql-url=\"postgres:///ferretdb?user=ferretdb&host=${dbLink.hostname}&port=${dbLink.portStr}&passfile=\${CREDENTIALS_DIRECTORY}/password\""; + Type = "simple"; + StateDirectory = "ferretdb"; + WorkingDirectory = "%S/ferretdb"; + LoadCredential = "password:${config.sops.secrets.ferretdb.path}"; + Restart = "on-failure"; + ProtectHome = true; + ProtectSystem = "strict"; + PrivateTmp = true; + PrivateDevices = true; + ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + NoNewPrivileges = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + RemoveIPC = true; + PrivateMounts = true; + DynamicUser = true; + }; }; systemd.mounts = [
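Review bot: The hand-rolled `ferretdb` unit orders only `after = [ "network.target" ]` and neither orders after nor requires `postgresql.service`, so at boot it can start before PostgreSQL is listening and burn through `Restart = "on-failure"` cycles; the module it replaces handled that ordering. The `passfile=` parameter in `--postgresql-url` is parsed as a `.pgpass` file (`hostname:port:database:username:password`), not a bare secret, so the `ferretdb` sops value has to be in that format with a host field matching `dbLink.hostname` or `*` — if it currently holds just the password the lookup silently finds nothing. As with the other services in this patch, `ensureUsers` creates the role without a password, so the one in the passfile has to be applied to the role somewhere for the TCP connect to work. The sandboxing is already good; the block below adds the ordering plus the usual remaining knobs (no capabilities, address-family and syscall restrictions, a tight umask for the state directory).
```nix
systemd.services.ferretdb = {
  description = "FerretDB";
  after = [ "network.target" "postgresql.service" ];
  requires = [ "postgresql.service" ];
  wantedBy = [ "multi-user.target" ];
  # … unchanged: environment, ExecStart, StateDirectory, LoadCredential, Protect*/Private*, DynamicUser …
  serviceConfig = {
    # … unchanged …
    CapabilityBoundingSet = "";
    RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
    RestrictNamespaces = true;
    LockPersonality = true;
    SystemCallArchitectures = "native";
    SystemCallFilter = [ "@system-service" "~@privileged" ];
    ProtectProc = "invisible";
    UMask = "0077";
  };
};
```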