better services

This commit is contained in:
Gerg-L 2025-03-05 22:32:40 -05:00
parent 29b35ab058
commit 518ab13797
Signed by: gerg-l
SSH key fingerprint: SHA256:FPYDHIkvMocr4wdmZXpgpJjsb2Tw6rASs2ISPbOb0KI
10 changed files with 189 additions and 123 deletions


@ -3,19 +3,13 @@ let
link = config.local.links.forgejo;
in
{
sops.secrets.forgejo.owner = config.services.forgejo.user;
local.links.forgejo = { };
users = {
groups.${config.services.forgejo.group} = { };
users = {
${config.services.forgejo.user} = {
isSystemUser = true;
inherit (config.services.forgejo) group;
extraGroups = [ "postgres" ];
openssh.authorizedKeys.keys = [ config.local.keys.gerg_gerg-desktop ];
};
};
};
users.users.${config.services.forgejo.user}.openssh.authorizedKeys.keys = [
config.local.keys.gerg_gerg-desktop
];
services.forgejo = {
enable = true;
stateDir = "/persist/services/forgejo";
@ -25,16 +19,25 @@ in
DOMAIN = "git.gerg-l.com";
ROOT_URL = "https://git.gerg-l.com/";
LANDING_PAGE = "/explore/repos";
PROTOCOL = link.protocol;
HTTP_ADDR = link.ipv4;
HTTP_PORT = link.port;
};
ui.DEFAULT_THEME = "forgejo-dark";
service.DISABLE_REGISTRATION = true;
database.LOG_SQL = false;
};
database = {
type = "postgres";
createDatabase = true;
};
database =
let
dbLink = config.local.links.postgresql;
in
{
type = "postgres";
createDatabase = true;
inherit (dbLink) port;
host = dbLink.hostname;
passwordFile = config.sops.secrets.forgejo.path;
};
};
local.nginx.proxyVhosts."git.gerg-l.com" = link.url;


@ -1,25 +1,33 @@
{ config, ... }:
{ config }:
let
cfg = config.services.immich;
link = config.local.links.immich;
in
{
sops.secrets.immich.owner = cfg.user;
local.links.immich = { };
systemd.tmpfiles.rules = [ "d ${cfg.mediaLocation} - ${cfg.user} ${cfg.group} - -" ];
users.users.${cfg.user}.extraGroups = [ "postgres" ];
services.immich = {
enable = true;
openFirewall = true;
database = {
enable = true;
createDB = true;
};
#secretsFile = config.sops.secrets.immich.path;
database =
let
dbLink = config.local.links.postgresql;
in
{
enable = true;
createDB = true;
inherit (dbLink) port;
#host = dbLink.hostname;
};
mediaLocation = "/persist/services/immich";
machine-learning.enable = true;
settings = null;
inherit (link) port;
host = link.ipv4;
host = link.hostname;
};
local.nginx.proxyVhosts."photos.gerg-l.com" = link.url;


@ -1,4 +1,5 @@
{
lib,
config,
}:
let
@ -14,23 +15,15 @@ in
config = {
BASE_URL = "https://flux.gerg-l.com";
LISTEN_ADDR = link.tuple;
DATABASE_URL =
let
dbLink = config.local.links.postgresql;
in
lib.mkForce "user=miniflux host=${dbLink.hostname} port=${dbLink.portStr} dbname=miniflux sslmode=disable";
};
adminCredentialsFile = config.sops.secrets.minifluxenv.path;
createDatabaseLocally = true;
};
users = {
groups.miniflux.gid = 377;
users = {
miniflux = {
group = "miniflux";
extraGroups = [ "postgres" ];
isSystemUser = true;
uid = 377;
};
${config.services.nginx.user}.extraGroups = [ "miniflux" ];
};
};
local.nginx.proxyVhosts."flux.gerg-l.com" = link.url;
}


@ -9,70 +9,71 @@
};
};
config = {
local.nginx.defaultVhosts = builtins.mapAttrs (_: v: {
locations."/".proxyPass = v;
}) config.local.nginx.proxyVhosts;
config =
let
cfg = config.services.nginx;
in
{
local.nginx.defaultVhosts = builtins.mapAttrs (_: v: {
locations."/".proxyPass = v;
}) config.local.nginx.proxyVhosts;
sops.secrets = {
gerg_ssl_key.owner = config.services.nginx.user;
gerg_ssl_cert.owner = config.services.nginx.user;
};
security.acme = {
acceptTerms = true;
certs."gerg-l.com" = {
email = "GregLeyda@proton.me";
webroot = "/var/lib/acme/acme-challenge";
extraDomainNames = builtins.attrNames config.local.nginx.defaultVhosts;
sops.secrets = {
gerg_ssl_key.owner = cfg.user;
gerg_ssl_cert.owner = cfg.user;
};
};
fileSystems."/var/lib/acme" = {
device = "/persist/services/acme";
fsType = "none";
options = [ "bind" ];
depends = [
"/persist"
"/var"
security.acme = {
acceptTerms = true;
certs."gerg-l.com" = {
email = "GregLeyda@proton.me";
inherit (cfg) group;
webroot = "/var/lib/acme/acme-challenge";
extraDomainNames = builtins.attrNames config.local.nginx.defaultVhosts;
};
};
systemd.mounts = [
{
what = "/persist/services/acme";
where = "/var/lib/acme";
type = "none";
options = "bind";
}
];
services.nginx = {
enable = true;
recommendedZstdSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# For immich
clientMaxBodySize = "50000M";
proxyTimeout = "600s";
virtualHosts =
builtins.mapAttrs
(
_: v:
{
forceSSL = true;
useACMEHost = "gerg-l.com";
}
// v
)
(
config.local.nginx.defaultVhosts
// {
"_" = {
default = true;
locations."/".return = "404";
};
}
);
};
networking.firewall.allowedTCPPorts = [
80
443
];
};
users.users.${config.services.nginx.user}.extraGroups = [ "acme" ];
services.nginx = {
enable = true;
recommendedZstdSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# For immich
clientMaxBodySize = "50000M";
proxyTimeout = "600s";
virtualHosts =
builtins.mapAttrs
(
_: v:
{
forceSSL = true;
useACMEHost = "gerg-l.com";
}
// v
)
(
config.local.nginx.defaultVhosts
// {
"_" = {
default = true;
locations."/".return = "404";
};
}
);
};
networking.firewall.allowedTCPPorts = [
80
443
];
};
}
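Review bot: The `systemd.mounts` entry that replaces `fileSystems."/var/lib/acme"` has no `wantedBy`/`requiredBy`, so unless another unit pulls in `var-lib-acme.mount` it is never activated at boot, and the ACME account key and issued certificate private keys land on the root filesystem instead of `/persist/services/acme` — on an ephemeral root, as the `/persist` layout suggests, they would be regenerated each boot and count against the CA's issuance limits. Add `wantedBy = [ "multi-user.target" ];` to the entry, and consider `requires`/`after` on the `/persist` mount to keep the ordering the old `depends` list expressed. The same `systemd.mounts` shape appears at the end of the lavalink `default.nix` hunk, which is cut off at the edge of this page.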


@ -1,9 +1,22 @@
{ pkgs }:
{
lib,
pkgs,
config,
}:
let
link = config.local.links.postgresql;
in
{
local.links.postgresql.port = 5432;
services.postgresql = {
enable = true;
package = pkgs.postgresql_16;
dataDir = "/persist/services/postgresql";
settings.unix_socket_permissions = "0770";
settings = {
inherit (link) port;
listen_addresses = lib.mkForce link.ipv4;
#unix_socket_directories = "";
};
};
}


@ -22,10 +22,13 @@ in
secret_key = "@SEARXNG_SECRET@";
base_url = "https://search.gerg-l.com";
};
search.formats = [
"html"
"json"
];
search = {
default_lang = "en";
formats = [
"html"
"json"
];
};
engines = [
{
name = "bing";


@ -7,6 +7,7 @@
address = link.ipv4;
};
lavalink = {
pluginsDir = lavalinkPlugins;
plugins = [
{
dependency = "dev.lavalink.youtube:youtube-plugin:1.11.5";
@ -74,7 +75,6 @@
metrics.prometheus.enabled = false;
plugins = {
pluginsDir = lavalinkPlugins;
youtube = {
allowDirectPlaylistIds = true;
allowDirectVideoIds = true;


@ -90,7 +90,7 @@
mongodb_name = "vocard";
mongodb_url = ferretLink.url;
nodes.DEFAULT = {
host = link.ipv4;
host = link.hostname;
identifier = "DEFAULT";
password = p."vocard/password";
inherit (link) port;


@ -17,6 +17,7 @@ in
sops = {
secrets =
{
ferretdb = { };
lavalink = {
sopsFile = ./secrets.yaml;
restartUnits = [
@ -88,19 +89,15 @@ in
];
serviceConfig = {
ExecStart =
let
configFile = pkgs.writeText "application.yml" (
builtins.toJSON (
import ./_application.nix {
inherit link;
inherit (self'.packages) lavalinkPlugins;
}
)
);
in
"${lib.getExe self'.packages.lavalink} --spring.config.location='file:${configFile}'";
ExecStart = lib.getExe self'.packages.lavalink;
WorkingDirectory = lib.pipe ./_application.nix [
(lib.flip import {
inherit link;
inherit (self'.packages) lavalinkPlugins;
})
builtins.toJSON
(pkgs.writeTextDir "application.yml")
];
DynamicUser = true;
EnvironmentFile = config.sops.secrets.lavalink.path;
Restart = "on-failure";
@ -109,9 +106,54 @@ in
};
};
services.ferretdb = {
enable = true;
settings.FERRETDB_LISTEN_ADDR = ferretLink.tuple;
services.postgresql = {
ensureDatabases = [ "ferretdb" ];
ensureUsers = [
{
name = "ferretdb";
ensureDBOwnership = true;
}
];
};
systemd.services.ferretdb = {
description = "FerretDB";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment = {
FERRETDB_HANDLER = "pg";
FERRETDB_LISTEN_ADDR = ferretLink.tuple;
};
serviceConfig = {
ExecStart =
let
dbLink = config.local.links.postgresql;
in
"${lib.getExe pkgs.ferretdb} --debug-addr='-' --telemetry='disable' --postgresql-url=\"postgres:///ferretdb?user=ferretdb&host=${dbLink.hostname}&port=${dbLink.portStr}&passfile=\${CREDENTIALS_DIRECTORY}/password\"";
Type = "simple";
StateDirectory = "ferretdb";
WorkingDirectory = "%S/ferretdb";
LoadCredential = "password:${config.sops.secrets.ferretdb.path}";
Restart = "on-failure";
ProtectHome = true;
ProtectSystem = "strict";
PrivateTmp = true;
PrivateDevices = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
NoNewPrivileges = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
PrivateMounts = true;
DynamicUser = true;
};
};
systemd.mounts = [