moved all services out of nixos containers

fixed a lot as well
2025-12-10 08:53:56 -05:00 · 2023-09-18 22:38:12 -04:00 · 2023-09-18 22:38:12 -04:00 · 66ee1bb541
commit 66ee1bb541
parent 4fd4b0ad74
10 changed files with 247 additions and 266 deletions
--- a/hosts/gerg-desktop/services/gitea.nix
+++ b/hosts/gerg-desktop/services/gitea.nix
@ -0,0 +1,34 @@
+_: {config, ...}: {
+  sops.secrets.sql_gitea = {
+    owner = config.services.gitea.user;
+    inherit (config.services.gitea) group;
+  };
+  users.users = {
+    ${config.services.gitea.user}.openssh.authorizedKeys.keys = [config.local.keys.gerg_gerg-desktop];
+    ${config.services.nginx.user}.extraGroups = [config.services.gitea.group];
+  };
+  services = {
+    gitea = {
+      enable = true;
+      stateDir = "/persist/services/gitea";
+      appName = "Powered by NixOS";
+      settings = {
+        server = {
+          DOMAIN = "git.gerg-l.com";
+          ROOT_URL = "https://git.gerg-l.com/";
+          LANDING_PAGE = "/explore/repos";
+          HTTP_ADDR = "/run/gitea/gitea.sock";
+          PROTOCOL = "http+unix";
+          UNIX_SOCKET_PERMISSION = "660";
+        };
+        ui.DEFAULT_THEME = "arc-green";
+        service.DISABLE_REGISTRATION = true;
+      };
+      database = {
+        type = "postgres";
+        passwordFile = config.sops.secrets.sql_gitea.path;
+      };
+    };
+  };
+  _file = ./gitea.nix;
+}
--- a/hosts/gerg-desktop/services/minecraft.nix
+++ b/hosts/gerg-desktop/services/minecraft.nix
@ -0,0 +1,101 @@
+{self, ...}: {
+  pkgs,
+  lib,
+  ...
+}: {
+  # I manually switch this sometimes
+  config = lib.mkIf false {
+    networking.firewall.allowedTCPPorts = [25565];
+
+    system.stateVersion = "unstable";
+    users.users.minecraft = {
+      description = "Minecraft server service user";
+      home = "/persist/minecraft";
+      createHome = true;
+      isSystemUser = true;
+      group = "minecraft";
+    };
+    users.groups.minecraft = {};
+
+    systemd.sockets.minecraft-server = {
+      bindsTo = ["minecraft-server.service"];
+      socketConfig = {
+        ListenFIFO = "/run/minecraft-server.stdin";
+        SocketMode = "0660";
+        SocketUser = "minecraft";
+        SocketGroup = "minecraft";
+        RemoveOnStop = true;
+        FlushPending = true;
+      };
+    };
+
+    systemd.services.minecraft-server = {
+      enable = true;
+      description = "Minecraft Server Service";
+      wantedBy = ["multi-user.target"];
+      requires = ["minecraft-server.socket"];
+      after = ["network.target" "minecraft-server.socket"];
+      path = [self.packages.${pkgs.system}.papermc];
+      script = ''
+        minecraft-server \
+          -Xms8G \
+          -Xmx8G \
+          -XX:+UseG1GC \
+          -XX:+ParallelRefProcEnabled \
+          -XX:MaxGCPauseMillis=200 \
+          -XX:+UnlockExperimentalVMOptions \
+          -XX:+DisableExplicitGC \
+          -XX:+AlwaysPreTouch \
+          -XX:G1NewSizePercent=30 \
+          -XX:G1MaxNewSizePercent=40 \
+          -XX:G1HeapRegionSize=8M \
+          -XX:G1ReservePercent=20 \
+          -XX:G1HeapWastePercent=5 \
+          -XX:G1MixedGCCountTarget=4 \
+          -XX:InitiatingHeapOccupancyPercent=15 \
+          -XX:G1MixedGCLiveThresholdPercent=90 \
+          -XX:G1RSetUpdatingPauseTimePercent=5 \
+          -XX:SurvivorRatio=32 \
+          -XX:+PerfDisableSharedMem \
+          -XX:MaxTenuringThreshold=1 \
+          -Dusing.aikars.flags=https://mcflags.emc.gs-Daikars.new.flags=true \
+      '';
+
+      serviceConfig = {
+        Restart = "always";
+        User = "minecraft";
+        WorkingDirectory = "/minecraft";
+
+        StandardInput = "socket";
+        StandardOutput = "journal";
+        StandardError = "journal";
+
+        # Hardening
+        CapabilityBoundingSet = [""];
+        DeviceAllow = [""];
+        LockPersonality = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        UMask = "0077";
+      };
+      preStart = ''
+        echo "eula=true" > eula.txt
+      '';
+    };
+  };
+  _file = ./minecraft.nix;
+}
--- a/hosts/gerg-desktop/services/nextcloud.nix
+++ b/hosts/gerg-desktop/services/nextcloud.nix
@ -0,0 +1,40 @@
+_: {
+  pkgs,
+  config,
+  ...
+}: {
+  sops.secrets = {
+    sql_nextcloud = {
+      owner = "nextcloud";
+      group = "nextcloud";
+    };
+    nextcloud = {
+      owner = "nextcloud";
+      group = "nextcloud";
+    };
+  };
+  systemd.tmpfiles.rules = [
+    "d /persist/services/nextcloud - nextcloud nextcloud - -"
+  ];
+  services.nextcloud = {
+    enable = true;
+    package = pkgs.nextcloud27;
+    datadir = "/persist/services/nextcloud";
+    hostName = "next.gerg-l.com";
+    autoUpdateApps.enable = false;
+    enableBrokenCiphersForSSE = false;
+    config = {
+      dbtype = "pgsql";
+      dbhost = "/run/postgresql";
+      dbpassFile = config.sops.secrets.sql_nextcloud.path;
+      adminpassFile = config.sops.secrets.sql_nextcloud.path;
+      adminuser = "admin-root";
+      defaultPhoneRegion = "US";
+    };
+  };
+  systemd.services."nextcloud-setup" = {
+    requires = ["postgresql.service"];
+    after = ["postgresql.service"];
+  };
+  _file = ./nextcloud.nix;
+}
--- a/hosts/gerg-desktop/services/nginx.nix
+++ b/hosts/gerg-desktop/services/nginx.nix
@ -0,0 +1,54 @@
+_: {
+  config,
+  lib,
+  ...
+}: {
+  sops.secrets =
+    lib.genAttrs [
+      "nixfu_ssl_cert"
+      "nixfu_ssl_key"
+      "gerg_ssl_key"
+      "gerg_ssl_cert"
+    ]
+    (_: {
+      owner = config.services.nginx.user;
+      inherit (config.services.nginx) group;
+    });
+
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    virtualHosts = {
+      "nix-fu.com" = {
+        forceSSL = true;
+        sslCertificate = config.sops.secrets.nixfu_ssl_cert.path;
+        sslCertificateKey = config.sops.secrets.nixfu_ssl_key.path;
+        serverAliases = ["www.nix-fu.com"];
+        globalRedirect = "github.com/Gerg-L";
+      };
+      "search.gerg-l.com" = {
+        forceSSL = true;
+        sslCertificate = config.sops.secrets.gerg_ssl_cert.path;
+        sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
+        locations."/".extraConfig = "uwsgi_pass unix:${config.services.searx.uwsgiConfig.socket};";
+        extraConfig = "access_log off;";
+      };
+      "git.gerg-l.com" = {
+        forceSSL = true;
+        sslCertificate = config.sops.secrets.gerg_ssl_cert.path;
+        sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
+        locations."/".proxyPass = "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}";
+      };
+      "next.gerg-l.com" = {
+        forceSSL = true;
+        sslCertificate = config.sops.secrets.gerg_ssl_cert.path;
+        sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
+      };
+    };
+  };
+  networking.firewall.allowedTCPPorts = [80 443];
+  _file = ./nginx.nix;
+}
--- a/hosts/gerg-desktop/services/parrot.nix
+++ b/hosts/gerg-desktop/services/parrot.nix
@ -0,0 +1,21 @@
+_: {
+  pkgs,
+  config,
+  lib,
+  ...
+}: {
+  sops.secrets.discordenv = {};
+  systemd.services.parrot = {
+    enable = true;
+    wantedBy = ["multi-user.target"];
+    wants = ["network-online.target"];
+    after = ["network-online.target"];
+    script = lib.getExe pkgs.parrot;
+    serviceConfig = {
+      EnvironmentFile = config.sops.secrets.discordenv.path;
+      Restart = "on-failure";
+      RestartSec = "30s";
+    };
+  };
+  _file = ./parrot.nix;
+}
--- a/hosts/gerg-desktop/services/postgresql.nix
+++ b/hosts/gerg-desktop/services/postgresql.nix
@ -0,0 +1,24 @@
+_: {
+  config,
+  pkgs,
+  ...
+}: {
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_13;
+    dataDir = "/persist/services/postgresql";
+    ensureDatabases = [config.services.nextcloud.config.dbname];
+    ensureUsers = [
+      {
+        name = config.services.nextcloud.config.dbuser;
+        ensurePermissions."DATABASE ${config.services.nextcloud.config.dbname}" = "ALL PRIVILEGES";
+      }
+      {
+        name = config.services.gitea.database.user;
+
+        ensurePermissions."DATABASE ${config.services.gitea.database.name}" = "ALL PRIVILEGES";
+      }
+    ];
+  };
+  _file = ./postgresql.nix;
+}
--- a/hosts/gerg-desktop/services/searxng.nix
+++ b/hosts/gerg-desktop/services/searxng.nix
@ -0,0 +1,50 @@
+_: {
+  config,
+  pkgs,
+  ...
+}: {
+  sops.secrets.searxngenv = {
+    owner = "searx";
+    group = "searx";
+  };
+  users.users.${config.services.nginx.user}.extraGroups = ["searx"];
+  services.searx = {
+    enable = true;
+    package = pkgs.searxng;
+    #Later
+    /*
+    redisCreateLocally = true;
+    limiterSettings = {};
+    */
+    runInUwsgi = true;
+    uwsgiConfig = {
+      socket = "/run/searx/searx.sock";
+      chmod-socket = "660";
+      disable-logging = true;
+    };
+    environmentFile = config.sops.secrets.searxngenv.path;
+    settings = {
+      general.instance_name = "Gerg search";
+      server = {
+        secret_key = "@SEARXNG_SECRET@";
+        base_url = "https://search.gerg-l.com";
+      };
+      search.formats = [
+        "html"
+        "json"
+      ];
+      engines = [
+        {
+          name = "bing";
+          disabled = true;
+        }
+        {
+          name = "brave";
+          disabled = true;
+        }
+      ];
+      ui.theme_args.simple_style = "dark";
+    };
+  };
+  _file = ./searxng.nix;
+}