gerg-l/nixos
1
0
Fork 0
mirror of https://github.com/Gerg-L/nixos.git synced 2025-12-10 00:43:56 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

better services

Browse source
This commit is contained in:
Gerg-L 2025-03-05 22:32:40 -05:00
parent 29b35ab058
commit 518ab13797
Signed by: gerg-l
SSH key fingerprint: SHA256:FPYDHIkvMocr4wdmZXpgpJjsb2Tw6rASs2ISPbOb0KI
10 changed files with 189 additions and 123 deletions
Download patch file Download diff file Expand all files Collapse all files

9
nixosConfigurations/gerg-desktop/secrets.yaml
View file

@ -1,7 +1,10 @@
ferretdb: ENC[AES256_GCM,data:T+aeEtgiM4D+a7MOumE69UNMFjKYKASexSl5/r2HC2fSg93qlISwXRPuSXp6RidyWQE/HJWh3RdPzkbIkBtTmcyxF78gk/LlHsMbrCdSBHF9/hPd4N1AuKquZi8PvyDE6e0RjmUjZxn1PkzDdqWB7bWtYLFyZO7T8WaReouyZObFCG1hI00oT/s=,iv:6xwdMS/JPzVThT3rJmF7/MPs6oEoUwdwYhvyGC1mCrQ=,tag:wxBfckBmo+JM6me+PKcjfw==,type:str]
forgejo: ENC[AES256_GCM,data:gNpOxeXlkYIqIFTqQvFg3pr/b1P5CEVbKDDXhmNnsp6PpdLDKjdRsMobEAOHsSuqdRUpuRsLolAlMUayHyQZ5pLtATXhxLN9TZtucn52eKqVdYx4spbSbbPdHHRznEze55MZuNmMPH9Y3tk+uzIQgzOpHohRs8+/lI3dS8F2dfqg,iv:vIGaWyDRFoR5csdIwsLoHyr3LmA7qyOGshivdvYFy5c=,tag:hif0XGaLQRzhDFVDQLTDBQ==,type:str]
immich: ENC[AES256_GCM,data:P5sMIZ0qaXDvmJ9h1pm+w53FtjMFZcaHXFCqpqldEZ9umVRqidaie5C2c/5SMPpiNWxpFMksvzfA8CQrZVgFEo7kqbg/xU4KeZMEhAqC8tWku0Zi3c452479PARzRvN/e1v24KSzFA5X0zztDNRxMFpjIAURNhQ7ZxKaP/ItP/MW9rzukP3Ow5homThawjk=,iv:dvTLTyh1Cbcmmcq87yvGDffe43Q/Grp7lz36zI5Yd1A=,tag:fLgVTUyQqULiodM4MVfAlQ==,type:str]
cloudflare: ENC[AES256_GCM,data:RZ+Smjn1nvnkxYAF56fEcBsFvO3YY+FWJ8wb0c72sxQleRjy9tVp7yDr9gRfUg3G,iv:mGaFxKFLrIouNhyqq/nBKaKub1WfekcCeHVLASQpBCs=,tag:xKl5EHR9g7d4pJkt49BLyw==,type:str] cloudflare: ENC[AES256_GCM,data:RZ+Smjn1nvnkxYAF56fEcBsFvO3YY+FWJ8wb0c72sxQleRjy9tVp7yDr9gRfUg3G,iv:mGaFxKFLrIouNhyqq/nBKaKub1WfekcCeHVLASQpBCs=,tag:xKl5EHR9g7d4pJkt49BLyw==,type:str]
reboot_token: ENC[AES256_GCM,data:/3QP30OUZsFaagj9Ljde1jz5nxZA6jp6/B6pmlponepRy3uZJ2jlaYQ3EBDiv5L413ecfWePAeWlX07eZ08JIRdoO5Ky52LM1+nPHMJFXzQ0h2onz4RVQAM=,iv:qiRk93LM7+3QmW27ItoWYGo7PLlu/hpprcPdnOaCBdw=,tag:X9kEov2FOrsIqkkStLegPw==,type:str] reboot_token: ENC[AES256_GCM,data:/3QP30OUZsFaagj9Ljde1jz5nxZA6jp6/B6pmlponepRy3uZJ2jlaYQ3EBDiv5L413ecfWePAeWlX07eZ08JIRdoO5Ky52LM1+nPHMJFXzQ0h2onz4RVQAM=,iv:qiRk93LM7+3QmW27ItoWYGo7PLlu/hpprcPdnOaCBdw=,tag:X9kEov2FOrsIqkkStLegPw==,type:str]
searxngenv: ENC[AES256_GCM,data:HtH4KxXWoQEJp88Bgfhfj5Y4Up+inHu8mnVtay64XvCRpVKHF/kceC3XwT9C3IdXpQ==,iv:iXK8hOFoEnM5wFUZhC8IOdHzPhwPDHtTL8MmS5FSlns=,tag:TZHTB7ia5Qq2f2fETJOpEA==,type:str] searxngenv: ENC[AES256_GCM,data:HtH4KxXWoQEJp88Bgfhfj5Y4Up+inHu8mnVtay64XvCRpVKHF/kceC3XwT9C3IdXpQ==,iv:iXK8hOFoEnM5wFUZhC8IOdHzPhwPDHtTL8MmS5FSlns=,tag:TZHTB7ia5Qq2f2fETJOpEA==,type:str]
minifluxenv: ENC[AES256_GCM,data:wgz6sxSbbjXrgBAak0Q0TlvG78+JHPpiPtcbqGo9HpSF3qY78edECCDB3qqIaynxdhI4,iv:mbsr+OG8fE5MggmC+TNkLmhhDNGvJo+uelNRo/rMLoo=,tag:xN+FbNHZIVCruQh23aMt5g==,type:str] minifluxenv: ENC[AES256_GCM,data:xn1x68dE0+/wP627w7zbm+lCvOKfKkPahjlLN+4zg/zoTGbIrstb40HFLTt8opCMgW3OmCPIY45DjT49W29m8SipJwOjWvqbm5iGhI3KYgE/jzpjLnFiNLdigGeZ0aBf5OiN/ef82B+qkjlOcO3x0CWFSONLRsDqa0KJR/eHWFCsqdxJxUd9KpJ47TiPb4y7mvnfJebrg3IPxxABrImeg2d5a2RjDIueFdWyJLJol9JTJDPpTLFm0OEG6Xbr2G2sQQ==,iv:mXdcFtbLGTu3aOCJ/m/axA9bnHNqzPsQFuLv5Bj1Dkw=,tag:255hftEAi2CPsr5gwXs1zQ==,type:str]
gerg: ENC[AES256_GCM,data:iSwWGIIxQenCPMd/Tith/eagjVINn0mgrO99IG85cP4UXtut6GF2R57XDMeD7SU18vW1ULod/lYuTo0SmmrkmX+wlDWgm4cODw==,iv:fHTcn4ZmjSqLC8jQkuualRbp+RwvgblS1ic6WPb2WEY=,tag:rkDuXhvleKekv3bVpdNNuw==,type:str] gerg: ENC[AES256_GCM,data:iSwWGIIxQenCPMd/Tith/eagjVINn0mgrO99IG85cP4UXtut6GF2R57XDMeD7SU18vW1ULod/lYuTo0SmmrkmX+wlDWgm4cODw==,iv:fHTcn4ZmjSqLC8jQkuualRbp+RwvgblS1ic6WPb2WEY=,tag:rkDuXhvleKekv3bVpdNNuw==,type:str]
store_key: ENC[AES256_GCM,data:2XioKwoH0V5QuedXl4w2IFrT2qOQWF0kbchYTMhyL9BaUqYHhXQi4buvKUVbBQ8AnzD1GJT3ZRy1S13CxEkdQvXE0IY0iX5nkTJtI3VgpiF64wfvZqcLQGaaNTCg+AEDP304KtIZZiao,iv:PV0bORWHoRDM8HvFwOI2sl7QjfD9G0VXSZ9RrPBUsyM=,tag:caVnOow466eBT/5bqYU0Iw==,type:str] store_key: ENC[AES256_GCM,data:2XioKwoH0V5QuedXl4w2IFrT2qOQWF0kbchYTMhyL9BaUqYHhXQi4buvKUVbBQ8AnzD1GJT3ZRy1S13CxEkdQvXE0IY0iX5nkTJtI3VgpiF64wfvZqcLQGaaNTCg+AEDP304KtIZZiao,iv:PV0bORWHoRDM8HvFwOI2sl7QjfD9G0VXSZ9RrPBUsyM=,tag:caVnOow466eBT/5bqYU0Iw==,type:str]
github_token: ENC[AES256_GCM,data:LijyCmMkfaCmh3rVKB96GHd7eM5Qbj9Jea1UZbQGgf67rof1uS+XML+3hmC6lOf6iOeJQtg12fC3ODHnzGuiC+dd1VbIkL5xRR7VBpFF2g6q5ixz9On/IRP74lX7SexCbcOx6YHi6eU6FX6fXe8wWhM87RYZcuiaEw==,iv:GWpI5Q2svJCz28wPVwTPq/+aLN7bWFz4gHNm3Qe6YFI=,tag:1KO9shVI0m2DSomDAuGnsQ==,type:str] github_token: ENC[AES256_GCM,data:LijyCmMkfaCmh3rVKB96GHd7eM5Qbj9Jea1UZbQGgf67rof1uS+XML+3hmC6lOf6iOeJQtg12fC3ODHnzGuiC+dd1VbIkL5xRR7VBpFF2g6q5ixz9On/IRP74lX7SexCbcOx6YHi6eU6FX6fXe8wWhM87RYZcuiaEw==,iv:GWpI5Q2svJCz28wPVwTPq/+aLN7bWFz4gHNm3Qe6YFI=,tag:1KO9shVI0m2DSomDAuGnsQ==,type:str]
@ -22,8 +25,8 @@ sops:
dGhDRXRTWE9xSGtxQU80RVpuL1A5MkEKxAxC/wDkq+6hM8eXkWd/RBDNIUtGYnPy dGhDRXRTWE9xSGtxQU80RVpuL1A5MkEKxAxC/wDkq+6hM8eXkWd/RBDNIUtGYnPy
MvVxB6dkj+S11oRcMpdFqiM9jSzz/gYecB2tfuDgj+UX/VAzSkvPxA== MvVxB6dkj+S11oRcMpdFqiM9jSzz/gYecB2tfuDgj+UX/VAzSkvPxA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-02-26T23:23:36Z" lastmodified: "2025-03-06T03:09:11Z"
mac: ENC[AES256_GCM,data:rUuzMNzXf2rgmT7t4eNXnVDtA4izwbc+8wvMztu5gvymJNBGf2B+uvFzEZMqMA+gmdqwX4B51K2oTYe7GU3EAgjp+7709hy4Dzs0vILebJn6ijO3AVHLEWLE7ia0cao6wAzKv6qtlyvAb1TvyTgtJpM+LCsuOkEItPJxoEDGlzc=,iv:rYlkNXaz/mk7WBYm27y/+eqJAThZ/pcjW6bMuTjTIZ4=,tag:end6/klu3sW9PuTIbWxZmw==,type:str] mac: ENC[AES256_GCM,data:3EeCTjNO74bwoa9mi2Da5jigmjwQC+IZO9eJS8V5ujuIz2suB1Q9xl7AUBk8JT5oqCvuVJZ4QuOjtSUp00h2f4cvuq0/VQWurb7RBDG956iT0v6Js+3s4sgZ6mTaD0W3IXYpQkoCLKA0EdfZpqayBAK8ToUYCJhCaNBLl7eUZBw=,iv:heJUcxMbJCmEq14woFFXGEfx2xlID0ZeDxtBK8kXWOE=,tag:jNahdAVH9IoIs63H3yW0AA==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.4 version: 3.9.4

27
nixosConfigurations/gerg-desktop/services/forgejo.nix
View file

@ -3,19 +3,13 @@ let
link = config.local.links.forgejo; link = config.local.links.forgejo;
in in
{ {
sops.secrets.forgejo.owner = config.services.forgejo.user;
local.links.forgejo = { }; local.links.forgejo = { };
users = {
groups.${config.services.forgejo.group} = { };
users = {
${config.services.forgejo.user} = {
isSystemUser = true;
inherit (config.services.forgejo) group;
extraGroups = [ "postgres" ];
openssh.authorizedKeys.keys = [ config.local.keys.gerg_gerg-desktop ];
};
}; users.users.${config.services.forgejo.user}.openssh.authorizedKeys.keys = [
}; config.local.keys.gerg_gerg-desktop
];
services.forgejo = { services.forgejo = {
enable = true; enable = true;
stateDir = "/persist/services/forgejo"; stateDir = "/persist/services/forgejo";
@ -25,15 +19,24 @@ in
DOMAIN = "git.gerg-l.com"; DOMAIN = "git.gerg-l.com";
ROOT_URL = "https://git.gerg-l.com/"; ROOT_URL = "https://git.gerg-l.com/";
LANDING_PAGE = "/explore/repos"; LANDING_PAGE = "/explore/repos";
PROTOCOL = link.protocol;
HTTP_ADDR = link.ipv4; HTTP_ADDR = link.ipv4;
HTTP_PORT = link.port; HTTP_PORT = link.port;
}; };
ui.DEFAULT_THEME = "forgejo-dark"; ui.DEFAULT_THEME = "forgejo-dark";
service.DISABLE_REGISTRATION = true; service.DISABLE_REGISTRATION = true;
database.LOG_SQL = false;
}; };
database = { database =
let
dbLink = config.local.links.postgresql;
in
{
type = "postgres"; type = "postgres";
createDatabase = true; createDatabase = true;
inherit (dbLink) port;
host = dbLink.hostname;
passwordFile = config.sops.secrets.forgejo.path;
}; };
}; };

16
nixosConfigurations/gerg-desktop/services/immich.nix
View file

@ -1,25 +1,33 @@
{ config, ... }: { config }:
let let
cfg = config.services.immich; cfg = config.services.immich;
link = config.local.links.immich; link = config.local.links.immich;
in in
{ {
sops.secrets.immich.owner = cfg.user;
local.links.immich = { }; local.links.immich = { };
systemd.tmpfiles.rules = [ "d ${cfg.mediaLocation} - ${cfg.user} ${cfg.group} - -" ]; systemd.tmpfiles.rules = [ "d ${cfg.mediaLocation} - ${cfg.user} ${cfg.group} - -" ];
users.users.${cfg.user}.extraGroups = [ "postgres" ];
services.immich = { services.immich = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
database = { #secretsFile = config.sops.secrets.immich.path;
database =
let
dbLink = config.local.links.postgresql;
in
{
enable = true; enable = true;
createDB = true; createDB = true;
inherit (dbLink) port;
#host = dbLink.hostname;
}; };
mediaLocation = "/persist/services/immich"; mediaLocation = "/persist/services/immich";
machine-learning.enable = true; machine-learning.enable = true;
settings = null; settings = null;
inherit (link) port; inherit (link) port;
host = link.ipv4; host = link.hostname;
}; };
local.nginx.proxyVhosts."photos.gerg-l.com" = link.url; local.nginx.proxyVhosts."photos.gerg-l.com" = link.url;

19
nixosConfigurations/gerg-desktop/services/miniflux.nix
View file

@ -1,4 +1,5 @@
{ {
lib,
config, config,
}: }:
let let
@ -14,23 +15,15 @@ in
config = { config = {
BASE_URL = "https://flux.gerg-l.com"; BASE_URL = "https://flux.gerg-l.com";
LISTEN_ADDR = link.tuple; LISTEN_ADDR = link.tuple;
DATABASE_URL =
let
dbLink = config.local.links.postgresql;
in
lib.mkForce "user=miniflux host=${dbLink.hostname} port=${dbLink.portStr} dbname=miniflux sslmode=disable";
}; };
adminCredentialsFile = config.sops.secrets.minifluxenv.path; adminCredentialsFile = config.sops.secrets.minifluxenv.path;
createDatabaseLocally = true; createDatabaseLocally = true;
}; };
users = {
groups.miniflux.gid = 377;
users = {
miniflux = {
group = "miniflux";
extraGroups = [ "postgres" ];
isSystemUser = true;
uid = 377;
};
${config.services.nginx.user}.extraGroups = [ "miniflux" ];
};
};
local.nginx.proxyVhosts."flux.gerg-l.com" = link.url; local.nginx.proxyVhosts."flux.gerg-l.com" = link.url;
} }

29
nixosConfigurations/gerg-desktop/services/nginx.nix
View file

@ -9,41 +9,42 @@
}; };
}; };
config = { config =
let
cfg = config.services.nginx;
in
{
local.nginx.defaultVhosts = builtins.mapAttrs (_: v: { local.nginx.defaultVhosts = builtins.mapAttrs (_: v: {
locations."/".proxyPass = v; locations."/".proxyPass = v;
}) config.local.nginx.proxyVhosts; }) config.local.nginx.proxyVhosts;
sops.secrets = { sops.secrets = {
gerg_ssl_key.owner = config.services.nginx.user; gerg_ssl_key.owner = cfg.user;
gerg_ssl_cert.owner = config.services.nginx.user; gerg_ssl_cert.owner = cfg.user;
}; };
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
certs."gerg-l.com" = { certs."gerg-l.com" = {
email = "GregLeyda@proton.me"; email = "GregLeyda@proton.me";
inherit (cfg) group;
webroot = "/var/lib/acme/acme-challenge"; webroot = "/var/lib/acme/acme-challenge";
extraDomainNames = builtins.attrNames config.local.nginx.defaultVhosts; extraDomainNames = builtins.attrNames config.local.nginx.defaultVhosts;
}; };
}; };
fileSystems."/var/lib/acme" = { systemd.mounts = [
device = "/persist/services/acme"; {
fsType = "none"; what = "/persist/services/acme";
options = [ "bind" ]; where = "/var/lib/acme";
depends = [ type = "none";
"/persist" options = "bind";
"/var" }
]; ];
};
users.users.${config.services.nginx.user}.extraGroups = [ "acme" ];
services.nginx = { services.nginx = {
enable = true; enable = true;
recommendedZstdSettings = true; recommendedZstdSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedProxySettings = true; recommendedProxySettings = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;

17
nixosConfigurations/gerg-desktop/services/postgresql.nix
View file

@ -1,9 +1,22 @@
{ pkgs }:
{ {
lib,
pkgs,
config,
}:
let
link = config.local.links.postgresql;
in
{
local.links.postgresql.port = 5432;
services.postgresql = { services.postgresql = {
enable = true; enable = true;
package = pkgs.postgresql_16; package = pkgs.postgresql_16;
dataDir = "/persist/services/postgresql"; dataDir = "/persist/services/postgresql";
settings.unix_socket_permissions = "0770"; settings = {
inherit (link) port;
listen_addresses = lib.mkForce link.ipv4;
#unix_socket_directories = "";
};
}; };
} }

5
nixosConfigurations/gerg-desktop/services/searxng.nix
View file

@ -22,10 +22,13 @@ in
secret_key = "@SEARXNG_SECRET@"; secret_key = "@SEARXNG_SECRET@";
base_url = "https://search.gerg-l.com"; base_url = "https://search.gerg-l.com";
}; };
search.formats = [ search = {
default_lang = "en";
formats = [
"html" "html"
"json" "json"
]; ];
};
engines = [ engines = [
{ {
name = "bing"; name = "bing";

2
nixosConfigurations/gerg-desktop/services/vocard/_application.nix
View file

@ -7,6 +7,7 @@
address = link.ipv4; address = link.ipv4;
}; };
lavalink = { lavalink = {
pluginsDir = lavalinkPlugins;
plugins = [ plugins = [
{ {
dependency = "dev.lavalink.youtube:youtube-plugin:1.11.5"; dependency = "dev.lavalink.youtube:youtube-plugin:1.11.5";
@ -74,7 +75,6 @@
metrics.prometheus.enabled = false; metrics.prometheus.enabled = false;
plugins = { plugins = {
pluginsDir = lavalinkPlugins;
youtube = { youtube = {
allowDirectPlaylistIds = true; allowDirectPlaylistIds = true;
allowDirectVideoIds = true; allowDirectVideoIds = true;

2
nixosConfigurations/gerg-desktop/services/vocard/_settings.nix
View file

@ -90,7 +90,7 @@
mongodb_name = "vocard"; mongodb_name = "vocard";
mongodb_url = ferretLink.url; mongodb_url = ferretLink.url;
nodes.DEFAULT = { nodes.DEFAULT = {
host = link.ipv4; host = link.hostname;
identifier = "DEFAULT"; identifier = "DEFAULT";
password = p."vocard/password"; password = p."vocard/password";
inherit (link) port; inherit (link) port;

70
nixosConfigurations/gerg-desktop/services/vocard/vocard.nix
View file

@ -17,6 +17,7 @@ in
sops = { sops = {
secrets = secrets =
{ {
ferretdb = { };
lavalink = { lavalink = {
sopsFile = ./secrets.yaml; sopsFile = ./secrets.yaml;
restartUnits = [ restartUnits = [
@ -88,19 +89,15 @@ in
]; ];
serviceConfig = { serviceConfig = {
ExecStart = ExecStart = lib.getExe self'.packages.lavalink;
let WorkingDirectory = lib.pipe ./_application.nix [
configFile = pkgs.writeText "application.yml" ( (lib.flip import {
builtins.toJSON (
import ./_application.nix {
inherit link; inherit link;
inherit (self'.packages) lavalinkPlugins; inherit (self'.packages) lavalinkPlugins;
} })
) builtins.toJSON
); (pkgs.writeTextDir "application.yml")
in ];
"${lib.getExe self'.packages.lavalink} --spring.config.location='file:${configFile}'";
DynamicUser = true; DynamicUser = true;
EnvironmentFile = config.sops.secrets.lavalink.path; EnvironmentFile = config.sops.secrets.lavalink.path;
Restart = "on-failure"; Restart = "on-failure";
@ -109,9 +106,54 @@ in
}; };
}; };
services.ferretdb = { services.postgresql = {
enable = true; ensureDatabases = [ "ferretdb" ];
settings.FERRETDB_LISTEN_ADDR = ferretLink.tuple; ensureUsers = [
{
name = "ferretdb";
ensureDBOwnership = true;
}
];
};
systemd.services.ferretdb = {
description = "FerretDB";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment = {
FERRETDB_HANDLER = "pg";
FERRETDB_LISTEN_ADDR = ferretLink.tuple;
};
serviceConfig = {
ExecStart =
let
dbLink = config.local.links.postgresql;
in
"${lib.getExe pkgs.ferretdb} --debug-addr='-' --telemetry='disable' --postgresql-url=\"postgres:///ferretdb?user=ferretdb&host=${dbLink.hostname}&port=${dbLink.portStr}&passfile=\${CREDENTIALS_DIRECTORY}/password\"";
Type = "simple";
StateDirectory = "ferretdb";
WorkingDirectory = "%S/ferretdb";
LoadCredential = "password:${config.sops.secrets.ferretdb.path}";
Restart = "on-failure";
ProtectHome = true;
ProtectSystem = "strict";
PrivateTmp = true;
PrivateDevices = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
NoNewPrivileges = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
PrivateMounts = true;
DynamicUser = true;
};
}; };
systemd.mounts = [ systemd.mounts = [