port magic

flake.lock

@@ -647,11 +647,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1740880178,
-        "narHash": "sha256-NBPrFkKsTB/C8L6JDeC6p5Dxek/NMtcCRWYkafsyL38=",
+        "lastModified": 1740960270,
+        "narHash": "sha256-JsNqwyqD2I/5h0KJ5ntrvULJpFgJdJb9jHNFucCLXJw=",
         "owner": "Gerg-L",
         "repo": "nvim-flake",
-        "rev": "b7488d039a8c63b7015c67f026da0564ae54b833",
+        "rev": "57f3e79cf0330cb4db3c1c612307dddd84c05a42",
         "type": "github"
       },
       "original": {

nixosConfigurations/gerg-desktop/services/forgejo.nix

@@ -1,5 +1,9 @@
 { config }:
+let
+  link = config.local.links.forgejo;
+in
 {
+  local.links.forgejo = { };
   users = {
     groups.${config.services.forgejo.group} = { };
     users = {
@@ -10,7 +14,6 @@
         openssh.authorizedKeys.keys = [ config.local.keys.gerg_gerg-desktop ];
       };
 
-      ${config.services.nginx.user}.extraGroups = [ config.services.forgejo.group ];
     };
   };
   services.forgejo = {
@@ -22,9 +25,8 @@
         DOMAIN = "git.gerg-l.com";
         ROOT_URL = "https://git.gerg-l.com/";
         LANDING_PAGE = "/explore/repos";
-        HTTP_ADDR = "/run/forgejo/forgejo.sock";
-        PROTOCOL = "http+unix";
-        UNIX_SOCKET_PERMISSION = "660";
+        HTTP_ADDR = link.ipv4;
+        HTTP_PORT = link.port;
       };
       ui.DEFAULT_THEME = "forgejo-dark";
       service.DISABLE_REGISTRATION = true;
@@ -35,6 +37,5 @@
     };
   };
 
-  local.nginx.proxyVhosts."git.gerg-l.com" =
-    "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}";
+  local.nginx.proxyVhosts."git.gerg-l.com" = link.url;
 }

nixosConfigurations/gerg-desktop/services/immich.nix

@@ -1,11 +1,11 @@
 { config, ... }:
 let
   cfg = config.services.immich;
+  link = config.local.links.immich;
 in
 {
-  systemd.tmpfiles.rules =
-
-    [ "d ${cfg.mediaLocation} - ${cfg.user} ${cfg.group} - -" ];
+  local.links.immich = { };
+  systemd.tmpfiles.rules = [ "d ${cfg.mediaLocation} - ${cfg.user} ${cfg.group} - -" ];
 
   users.users.${cfg.user}.extraGroups = [ "postgres" ];
   services.immich = {
@@ -18,9 +18,9 @@ in
     mediaLocation = "/persist/services/immich";
     machine-learning.enable = true;
     settings = null;
-    port = 2283;
-    host = "0.0.0.0";
+    inherit (link) port;
+    host = link.ipv4;
   };
 
-  local.nginx.proxyVhosts."photos.gerg-l.com" = "http://localhost:${toString cfg.port}";
+  local.nginx.proxyVhosts."photos.gerg-l.com" = link.url;
 }

nixosConfigurations/gerg-desktop/services/miniflux.nix

@@ -1,15 +1,19 @@
 {
   config,
-  lib,
 }:
+let
+  link = config.local.links.miniflux;
+in
 {
+  local.links.miniflux = { };
+
   sops.secrets.minifluxenv = { };
 
   services.miniflux = {
     enable = true;
     config = {
       BASE_URL = "https://flux.gerg-l.com";
-      LISTEN_ADDR = "/run/miniflux/miniflux.sock";
+      LISTEN_ADDR = link.tuple;
     };
     adminCredentialsFile = config.sops.secrets.minifluxenv.path;
     createDatabaseLocally = true;
@@ -28,11 +32,5 @@
     };
   };
 
-  systemd.services.miniflux.serviceConfig = {
-    RuntimeDirectoryMode = lib.mkForce "0770";
-    DynamicUser = lib.mkForce false;
-  };
-
-  local.nginx.proxyVhosts."flux.gerg-l.com" =
-    "http://unix:${config.services.miniflux.config.LISTEN_ADDR}";
+  local.nginx.proxyVhosts."flux.gerg-l.com" = link.url;
 }

nixosConfigurations/gerg-desktop/services/nix-serve.nix

@@ -1,28 +1,22 @@
 {
   config,
   pkgs,
-  lib,
 }:
+let
+  link = config.local.links.nix-serve;
+in
 {
-  sops.secrets.store_key.owner = "nix-serve";
+  local.links.nix-serve = { };
+
+  sops.secrets.store_key = { };
 
   users = {
-    groups = {
-      builder = { };
-      nix-serve = { };
-    };
-    users = {
-      ${config.services.nginx.user}.extraGroups = [ "nix-serve" ];
-      builder = {
-        isSystemUser = true;
-        openssh.authorizedKeys.keys = [ config.local.keys.root_media-laptop ];
-        group = "builder";
-        shell = pkgs.bashInteractive;
-      };
-      nix-serve = {
-        isSystemUser = true;
-        group = "nix-serve";
-      };
+    groups.builder = { };
+    users.builder = {
+      isSystemUser = true;
+      openssh.authorizedKeys.keys = [ config.local.keys.root_media-laptop ];
+      group = "builder";
+      shell = pkgs.bashInteractive;
     };
   };
 
@@ -38,37 +32,18 @@
 
   nix.settings = {
     trusted-users = [ "builder" ];
-    allowed-users = [ "nix-serve" ];
     keep-outputs = true;
     keep-derivations = true;
     secret-key-files = config.sops.secrets.store_key.path;
   };
 
-  systemd.services.nix-serve = {
-    description = "nix-serve binary cache server";
-    after = [ "network.target" ];
-    wantedBy = [ "multi-user.target" ];
-
-    path = [
-      config.nix.package
-      pkgs.bzip2
-    ];
-
-    serviceConfig = {
-      ExecStart = "${lib.getExe pkgs.nix-serve-ng} --socket /run/nix-serve/nix-serve.sock";
-      Restart = "always";
-      RestartSec = "5s";
-      User = "nix-serve";
-      Group = "nix-serve";
-      RuntimeDirectory = "nix-serve";
-      UMask = "0117";
-    };
-
-    environment = {
-      NIX_REMOTE = "daemon";
-      NIX_SECRET_KEY_FILE = config.sops.secrets.store_key.path;
-    };
-
+  services.nix-serve = {
+    enable = true;
+    inherit (link) port;
+    package = pkgs.nix-serve-ng;
+    bindAddress = link.ipv4;
+    secretKeyFile = config.sops.secrets.store_key.path;
   };
-  local.nginx.proxyVhosts."cache.gerg-l.com" = "http://unix:/run/nix-serve/nix-serve.sock";
+
+  local.nginx.proxyVhosts."cache.gerg-l.com" = link.url;
 }

nixosConfigurations/gerg-desktop/services/searxng.nix

@@ -1,5 +1,10 @@
 { config, pkgs }:
+let
+  link = config.local.links.searx;
+in
 {
+  local.links.searx = { };
+
   sops.secrets.searxngenv = { };
   users.users.${config.services.nginx.user}.extraGroups = [ "searx" ];
   services.searx = {
@@ -7,8 +12,7 @@
     package = pkgs.searxng;
     runInUwsgi = true;
     uwsgiConfig = {
-      socket = "/run/searx/searx.sock";
-      chmod-socket = "660";
+      http = link.tuple;
       disable-logging = true;
     };
     environmentFile = config.sops.secrets.searxngenv.path;
@@ -37,7 +41,7 @@
   };
 
   local.nginx.defaultVhosts."search.gerg-l.com" = {
-    locations."/".extraConfig = "uwsgi_pass unix:${config.services.searx.uwsgiConfig.socket};";
+    locations."/".proxyPass = link.url;
     extraConfig = "access_log off;";
   };
 }

nixosModules/nix.nix

@@ -59,7 +59,6 @@
       #
       #allow-import-from-derivation = false;
       trusted-users = [ "root" ];
-      allowed-users = [ "@wheel" ];
       use-xdg-base-directories = true;
       auto-allocate-uids = true;
     };

nixosModules/portMagic.nix

@@ -0,0 +1,94 @@
+{ lib, ... }:
+{
+  options.local.links = lib.mkOption {
+    type = lib.types.attrsOf (
+      lib.types.submodule (
+        {
+          config,
+          name,
+          ...
+        }:
+
+        let
+          portHash = lib.flip lib.pipe [
+            (builtins.hashString "md5")
+            (builtins.substring 0 7)
+            (hash: (fromTOML "v=0x${hash}").v)
+            (lib.flip lib.mod config.reservedPorts.amount)
+            (builtins.add config.reservedPorts.start)
+          ];
+        in
+
+        {
+          options = {
+            ipv4 = lib.mkOption {
+              type = lib.types.str;
+              default = "127.0.0.1";
+              description = "The IPv4 address.";
+            };
+            hostname = lib.mkOption {
+              type = lib.types.str;
+              description = "The hostname.";
+            };
+
+            port = lib.mkOption {
+              type = lib.types.int;
+              description = "The TCP or UDP port.";
+            };
+            portStr = lib.mkOption {
+              type = lib.types.str;
+              description = "The TCP or UDP port, as a string.";
+            };
+            reservedPorts = {
+              amount = lib.mkOption {
+                type = lib.types.int;
+                default = 10000;
+                description = "Amount of ports to reserve at most.";
+              };
+              start = lib.mkOption {
+                type = lib.types.int;
+                default = 30000;
+                description = "Starting point for reserved ports.";
+              };
+            };
+
+            protocol = lib.mkOption {
+              type = lib.types.str;
+              default = "http";
+              description = "The protocol in URL scheme name format.";
+            };
+            path = lib.mkOption {
+              type = lib.types.nullOr lib.types.path;
+              default = null;
+              description = "The resource path.";
+            };
+            url = lib.mkOption {
+              type = lib.types.str;
+              description = "The URL.";
+            };
+            tuple = lib.mkOption {
+              type = lib.types.str;
+              description = "The hostname:port tuple.";
+            };
+            extra = lib.mkOption {
+              type = lib.types.attrs;
+              description = "Arbitrary extra data.";
+            };
+          };
+          config = lib.mkIf true {
+            hostname = lib.mkDefault config.ipv4;
+            port = lib.mkDefault (portHash "${config.hostname}:${name}");
+            portStr = toString config.port;
+            tuple = "${config.hostname}:${config.portStr}";
+            url = "${config.protocol}://${config.hostname}:${config.portStr}${
+              if config.path == null then "" else config.path
+            }";
+          };
+        }
+      )
+
+    );
+    description = "Port Magic links.";
+    default = { };
+  };
+}