From c7c87ec8b259c49b52ac0c88979e3336d82a50ec Mon Sep 17 00:00:00 2001 From: Gerg-L Date: Sun, 2 Mar 2025 22:49:05 -0500 Subject: [PATCH] port magic --- flake.lock | 6 +- .../gerg-desktop/services/forgejo.nix | 13 +-- .../gerg-desktop/services/immich.nix | 12 +-- .../gerg-desktop/services/miniflux.nix | 16 ++-- .../gerg-desktop/services/nix-serve.nix | 65 ++++--------- .../gerg-desktop/services/searxng.nix | 10 +- nixosModules/nix.nix | 1 - nixosModules/portMagic.nix | 94 +++++++++++++++++++ 8 files changed, 144 insertions(+), 73 deletions(-) create mode 100644 nixosModules/portMagic.nix diff --git a/flake.lock b/flake.lock index 76a2227..8fa97e8 100644 --- a/flake.lock +++ b/flake.lock @@ -647,11 +647,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1740880178, - "narHash": "sha256-NBPrFkKsTB/C8L6JDeC6p5Dxek/NMtcCRWYkafsyL38=", + "lastModified": 1740960270, + "narHash": "sha256-JsNqwyqD2I/5h0KJ5ntrvULJpFgJdJb9jHNFucCLXJw=", "owner": "Gerg-L", "repo": "nvim-flake", - "rev": "b7488d039a8c63b7015c67f026da0564ae54b833", + "rev": "57f3e79cf0330cb4db3c1c612307dddd84c05a42", "type": "github" }, "original": { diff --git a/nixosConfigurations/gerg-desktop/services/forgejo.nix b/nixosConfigurations/gerg-desktop/services/forgejo.nix index 5595c58..aa21d13 100644 --- a/nixosConfigurations/gerg-desktop/services/forgejo.nix +++ b/nixosConfigurations/gerg-desktop/services/forgejo.nix @@ -1,5 +1,9 @@ { config }: +let + link = config.local.links.forgejo; +in { + local.links.forgejo = { }; users = { groups.${config.services.forgejo.group} = { }; users = { @@ -10,7 +14,6 @@ openssh.authorizedKeys.keys = [ config.local.keys.gerg_gerg-desktop ]; }; - ${config.services.nginx.user}.extraGroups = [ config.services.forgejo.group ]; }; }; services.forgejo = { 
@@ -22,9 +25,8 @@ DOMAIN = "git.gerg-l.com"; ROOT_URL = "https://git.gerg-l.com/"; LANDING_PAGE = "/explore/repos"; - HTTP_ADDR = "/run/forgejo/forgejo.sock"; - PROTOCOL = "http+unix"; - UNIX_SOCKET_PERMISSION = "660"; + HTTP_ADDR = link.ipv4; + HTTP_PORT = link.port; }; ui.DEFAULT_THEME = "forgejo-dark"; service.DISABLE_REGISTRATION = true; @@ -35,6 +37,5 @@ }; }; - local.nginx.proxyVhosts."git.gerg-l.com" = - "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}"; + local.nginx.proxyVhosts."git.gerg-l.com" = link.url; } diff --git a/nixosConfigurations/gerg-desktop/services/immich.nix b/nixosConfigurations/gerg-desktop/services/immich.nix index 62b9719..dca391f 100644 --- a/nixosConfigurations/gerg-desktop/services/immich.nix +++ b/nixosConfigurations/gerg-desktop/services/immich.nix @@ -1,11 +1,11 @@ { config, ... }: let cfg = config.services.immich; + link = config.local.links.immich; in { - systemd.tmpfiles.rules = - - [ "d ${cfg.mediaLocation} - ${cfg.user} ${cfg.group} - -" ]; + local.links.immich = { }; + systemd.tmpfiles.rules = [ "d ${cfg.mediaLocation} - ${cfg.user} ${cfg.group} - -" ]; users.users.${cfg.user}.extraGroups = [ "postgres" ]; services.immich = { @@ -18,9 +18,9 @@ in mediaLocation = "/persist/services/immich"; machine-learning.enable = true; settings = null; - port = 2283; - host = "0.0.0.0"; + inherit (link) port; + host = link.ipv4; }; - local.nginx.proxyVhosts."photos.gerg-l.com" = "http://localhost:${toString cfg.port}"; + local.nginx.proxyVhosts."photos.gerg-l.com" = link.url; } diff --git a/nixosConfigurations/gerg-desktop/services/miniflux.nix b/nixosConfigurations/gerg-desktop/services/miniflux.nix index aaa50d9..c9351f9 100644 --- a/nixosConfigurations/gerg-desktop/services/miniflux.nix +++ b/nixosConfigurations/gerg-desktop/services/miniflux.nix 
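Review bot: `HTTP_ADDR = link.ipv4` together with the removed `http+unix` lines trades a unix socket guarded by `UNIX_SOCKET_PERMISSION = "660"` for a loopback TCP listener, so any local process can now reach forgejo directly rather than only members of the forgejo group (and nginx through its membership); the same weakening applies to miniflux's `LISTEN_ADDR = link.tuple`, searxng's uwsgi `http = link.tuple` and `services.nix-serve.bindAddress` later in this patch. On a single-user desktop that may be acceptable, but it is silent relative to the old socket permission, so I would record it once, e.g. above `local.links.forgejo = { };` in the first hunk: `# backends listen on loopback TCP (portMagic); unlike the old 660 unix sockets, any local user can reach them directly`. `HTTP_PORT = link.port` passes an int, which the forgejo module's `settings` type should accept, and dropping `PROTOCOL` relies on forgejo's default being plain `http` — which is what `link.url` assumes — presumably right, but worth confirming. The `settings.server` attrset this hunk edits begins outside the hunk.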
@@ -1,15 +1,19 @@ { config, - lib, }: +let + link = config.local.links.miniflux; +in { + local.links.miniflux = { }; + sops.secrets.minifluxenv = { }; services.miniflux = { enable = true; config = { BASE_URL = "https://flux.gerg-l.com"; - LISTEN_ADDR = "/run/miniflux/miniflux.sock"; + LISTEN_ADDR = link.tuple; }; adminCredentialsFile = config.sops.secrets.minifluxenv.path; createDatabaseLocally = true; @@ -28,11 +32,5 @@ }; }; - systemd.services.miniflux.serviceConfig = { - RuntimeDirectoryMode = lib.mkForce "0770"; - DynamicUser = lib.mkForce false; - }; - - local.nginx.proxyVhosts."flux.gerg-l.com" = - "http://unix:${config.services.miniflux.config.LISTEN_ADDR}"; + local.nginx.proxyVhosts."flux.gerg-l.com" = link.url; } diff --git a/nixosConfigurations/gerg-desktop/services/nix-serve.nix b/nixosConfigurations/gerg-desktop/services/nix-serve.nix index 4b6eff1..ea45303 100644 --- a/nixosConfigurations/gerg-desktop/services/nix-serve.nix +++ b/nixosConfigurations/gerg-desktop/services/nix-serve.nix @@ -1,28 +1,22 @@ { config, pkgs, - lib, }: +let + link = config.local.links.nix-serve; +in { - sops.secrets.store_key.owner = "nix-serve"; + local.links.nix-serve = { }; + + sops.secrets.store_key = { }; users = { - groups = { - builder = { }; - nix-serve = { }; - }; - users = { - ${config.services.nginx.user}.extraGroups = [ "nix-serve" ]; - builder = { - isSystemUser = true; - openssh.authorizedKeys.keys = [ config.local.keys.root_media-laptop ]; - group = "builder"; - shell = pkgs.bashInteractive; - }; - nix-serve = { - isSystemUser = true; - group = "nix-serve"; - }; + groups.builder = { }; + users.builder = { + isSystemUser = true; + openssh.authorizedKeys.keys = [ config.local.keys.root_media-laptop ]; + group = "builder"; + shell = pkgs.bashInteractive; }; }; 
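Review bot: `sops.secrets.store_key = { };` drops `owner = "nix-serve"`, so the decrypted signing key is now root-owned with sops-nix's default mode, while the `services.nix-serve` unit configured in the next hunk runs as an unprivileged user; this only works if that unit passes `secretKeyFile` to the process through systemd credentials (`LoadCredential`) rather than opening the path itself. The NixOS module appears to do so, but that depends on the nixpkgs revision pinned in flake.lock, so confirm it and add `# root-owned on purpose: the nix-serve unit receives the key via LoadCredential` above the secret so the next reader does not "fix" the owner back. Dropping the static `nix-serve` user and group is consistent with that module's dynamic user, and removing `${config.services.nginx.user}.extraGroups = [ "nix-serve" ]` is correct now that there is no socket to share.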
@@ -38,37 +32,18 @@ nix.settings = { trusted-users = [ "builder" ]; - allowed-users = [ "nix-serve" ]; keep-outputs = true; keep-derivations = true; secret-key-files = config.sops.secrets.store_key.path; }; - systemd.services.nix-serve = { - description = "nix-serve binary cache server"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - - path = [ - config.nix.package - pkgs.bzip2 - ]; - - serviceConfig = { - ExecStart = "${lib.getExe pkgs.nix-serve-ng} --socket /run/nix-serve/nix-serve.sock"; - Restart = "always"; - RestartSec = "5s"; - User = "nix-serve"; - Group = "nix-serve"; - RuntimeDirectory = "nix-serve"; - UMask = "0117"; - }; - - environment = { - NIX_REMOTE = "daemon"; - NIX_SECRET_KEY_FILE = config.sops.secrets.store_key.path; - }; - + services.nix-serve = { + enable = true; + inherit (link) port; + package = pkgs.nix-serve-ng; + bindAddress = link.ipv4; + secretKeyFile = config.sops.secrets.store_key.path; }; - local.nginx.proxyVhosts."cache.gerg-l.com" = "http://unix:/run/nix-serve/nix-serve.sock"; + + local.nginx.proxyVhosts."cache.gerg-l.com" = link.url; } diff --git a/nixosConfigurations/gerg-desktop/services/searxng.nix b/nixosConfigurations/gerg-desktop/services/searxng.nix index 4fcc4c2..a84806a 100644 --- a/nixosConfigurations/gerg-desktop/services/searxng.nix +++ b/nixosConfigurations/gerg-desktop/services/searxng.nix @@ -1,5 +1,10 @@ { config, pkgs }: +let + link = config.local.links.searx; +in { + local.links.searx = { }; + sops.secrets.searxngenv = { }; users.users.${config.services.nginx.user}.extraGroups = [ "searx" ]; services.searx = { @@ -7,8 +12,7 @@ package = pkgs.searxng; runInUwsgi = true; uwsgiConfig = { - socket = "/run/searx/searx.sock"; - chmod-socket = "660"; + http = link.tuple; disable-logging = true; }; environmentFile = config.sops.secrets.searxngenv.path; 
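Review bot: Removing `allowed-users = [ "nix-serve" ]` here and `allowed-users = [ "@wheel" ]` in nixosModules/nix.nix (the last hunk of this patch) leaves `nix.settings.allowed-users` at Nix's default of `*`, so every local account can now talk to the Nix daemon where previously only wheel members and the nix-serve user could. If the reason is that the NixOS `services.nix-serve` unit now runs as a dynamic user, the narrower fix is to keep the `@wheel` entry in nix.nix and list the unit's service user here (verify the `User=` the unit sets; `allowed-users = [ "nix-serve" ];` is the likely value), since dynamic users should still resolve by name through nss-systemd. `bindAddress = link.ipv4` also drops the `UMask = "0117"` restriction the old socket had; for a read-only binary cache on loopback that is probably fine, but it deserves a one-line comment stating that any local user may query the cache.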
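Review bot: `users.users.${config.services.nginx.user}.extraGroups = [ "searx" ];` is now a stale privilege: with `http = link.tuple` in the next hunk uwsgi listens on loopback TCP instead of `/run/searx/searx.sock`, so nginx no longer needs membership in the searx group (forgejo.nix and nix-serve.nix drop the matching lines in this same patch). Remove the line; there is no reason for the web server to keep group-level access to the searx user's files. The removed `chmod-socket = "660"` also means the loopback-TCP weakening noted for forgejo applies here too.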
@@ -37,7 +41,7 @@ }; local.nginx.defaultVhosts."search.gerg-l.com" = { - locations."/".extraConfig = "uwsgi_pass unix:${config.services.searx.uwsgiConfig.socket};"; + locations."/".proxyPass = link.url; extraConfig = "access_log off;"; }; } diff --git a/nixosModules/nix.nix b/nixosModules/nix.nix index b1ec9d4..3a46f85 100644 --- a/nixosModules/nix.nix +++ b/nixosModules/nix.nix @@ -59,7 +59,6 @@ # #allow-import-from-derivation = false; trusted-users = [ "root" ]; - allowed-users = [ "@wheel" ]; use-xdg-base-directories = true; auto-allocate-uids = true; }; diff --git a/nixosModules/portMagic.nix b/nixosModules/portMagic.nix new file mode 100644 index 0000000..4ea5c80 --- /dev/null +++ b/nixosModules/portMagic.nix 
@@ -0,0 +1,94 @@
+{ lib, ... }:
+{
+ options.local.links = lib.mkOption {
+ type = lib.types.attrsOf (
+ lib.types.submodule (
+ {
+ config,
+ name,
+ ...
+ }:
+
+ let
+ portHash = lib.flip lib.pipe [
+ (builtins.hashString "md5")
+ (builtins.substring 0 7)
+ (hash: (fromTOML "v=0x${hash}").v)
+ (lib.flip lib.mod config.reservedPorts.amount)
+ (builtins.add config.reservedPorts.start)
+ ];
+ in
+
+ {
+ options = {
+ ipv4 = lib.mkOption {
+ type = lib.types.str;
+ default = "127.0.0.1";
+ description = "The IPv4 address.";
+ };
+ hostname = lib.mkOption {
+ type = lib.types.str;
+ description = "The hostname.";
+ };
+
+ port = lib.mkOption {
+ type = lib.types.int;
+ description = "The TCP or UDP port.";
+ };
+ portStr = lib.mkOption {
+ type = lib.types.str;
+ description = "The TCP or UDP port, as a string.";
+ };
+ reservedPorts = {
+ amount = lib.mkOption {
+ type = lib.types.int;
+ default = 10000;
+ description = "Amount of ports to reserve at most.";
+ };
+ start = lib.mkOption {
+ type = lib.types.int;
+ default = 30000;
+ description = "Starting point for reserved ports.";
+ };
+ };
+
+ protocol = lib.mkOption {
+ type = lib.types.str;
+ default = "http";
+ description = "The protocol in URL scheme name format.";
+ };
+ path = lib.mkOption {
+ type = lib.types.nullOr lib.types.path;
+ default = null;
+ description = "The resource path.";
+ };
+ url = lib.mkOption {
+ type = lib.types.str;
+ description = "The URL.";
+ };
+ tuple = lib.mkOption {
+ type = lib.types.str;
+ description = "The hostname:port tuple.";
+ };
+ extra = lib.mkOption {
+ type = lib.types.attrs;
+ description = "Arbitrary extra data.";
+ };
+ };
+ config = lib.mkIf true {
+ hostname = lib.mkDefault config.ipv4;
+ port = lib.mkDefault (portHash "${config.hostname}:${name}");
+ portStr = toString config.port;
+ tuple = "${config.hostname}:${config.portStr}";
+ url = "${config.protocol}://${config.hostname}:${config.portStr}${
+ if config.path == null then "" else config.path
+ }";
+ };
+ }
+ )
+
+ );
+ description = "Port Magic links.";
+ default = { };
+ };
+}
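Review bot: Two links whose `"${config.hostname}:${name}"` strings hash into the same slot of the `reservedPorts.amount` window receive the same `port`, and nothing in this module detects it — the second service simply fails to bind at runtime, and with the default `ipv4` every link shares one address so the hostname does not disambiguate. An `assertions` entry at the module level that compares the list of `tuple` values against its `lib.unique` form turns the collision into an evaluation error (the module then needs `config` in its argument set); see the sketch below. Separately, the default window 30000–39999 overlaps the kernel's default ephemeral range (32768–60999 on typical Linux), so an outgoing connection can occasionally hold a derived port when the service starts; reserving the window with `boot.kernel.sysctl."net.ipv4.ip_local_reserved_ports"` or lowering `reservedPorts.start` avoids that. `lib.mkIf true { … }` on the submodule config is a no-op and can be dropped, and `path` typed as `lib.types.path` means a path literal would be copied to the store and its store path interpolated into `url`, so `lib.types.str` is probably the intended type.
```nix
{ config, lib, ... }:
{
  # … unchanged: options.local.links = lib.mkOption { … }; …

  config.assertions =
    let
      tuples = lib.mapAttrsToList (_: link: link.tuple) config.local.links;
    in
    [
      {
        assertion = builtins.length (lib.unique tuples) == builtins.length tuples;
        message = "local.links: two links resolve to the same hostname:port tuple";
      }
    ];
}
```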