treewide reformat

This commit is contained in:
Gerg-L 2023-09-23 21:55:56 -04:00
parent de7683556e
commit fc21bf9436
Signed by: gerg-l
SSH key fingerprint: SHA256:FPYDHIkvMocr4wdmZXpgpJjsb2Tw6rASs2ISPbOb0KI
42 changed files with 1012 additions and 876 deletions


@ -1,10 +1,12 @@
_: {config, ...}: {
_:
{ config, ... }:
{
users.users = {
${config.services.gitea.user} = {
openssh.authorizedKeys.keys = [config.local.keys.gerg_gerg-desktop];
extraGroups = ["postgres"];
openssh.authorizedKeys.keys = [ config.local.keys.gerg_gerg-desktop ];
extraGroups = [ "postgres" ];
};
${config.services.nginx.user}.extraGroups = [config.services.gitea.group];
${config.services.nginx.user}.extraGroups = [ config.services.gitea.group ];
};
services.gitea = {
enable = true;


@ -1,11 +1,9 @@
{self, ...}: {
pkgs,
lib,
...
}: {
{ self, ... }:
{ pkgs, lib, ... }:
{
# I manually switch this sometimes
config = lib.mkIf false {
networking.firewall.allowedTCPPorts = [25565];
networking.firewall.allowedTCPPorts = [ 25565 ];
users.users.minecraft = {
description = "Minecraft server service user";
@ -14,10 +12,10 @@
isSystemUser = true;
group = "minecraft";
};
users.groups.minecraft = {};
users.groups.minecraft = { };
systemd.sockets.minecraft-server = {
bindsTo = ["minecraft-server.service"];
bindsTo = [ "minecraft-server.service" ];
socketConfig = {
ListenFIFO = "/run/minecraft-server.stdin";
SocketMode = "0660";
@ -31,10 +29,13 @@
systemd.services.minecraft-server = {
enable = true;
description = "Minecraft Server Service";
wantedBy = ["multi-user.target"];
requires = ["minecraft-server.socket"];
after = ["network.target" "minecraft-server.socket"];
path = [self.packages.${pkgs.system}.papermc];
wantedBy = [ "multi-user.target" ];
requires = [ "minecraft-server.socket" ];
after = [
"network.target"
"minecraft-server.socket"
];
path = [ self.packages.${pkgs.system}.papermc ];
script = ''
minecraft-server \
-Xms8G \
@ -70,8 +71,8 @@
StandardError = "journal";
# Hardening
CapabilityBoundingSet = [""];
DeviceAllow = [""];
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
LockPersonality = true;
PrivateDevices = true;
PrivateTmp = true;
@ -84,7 +85,10 @@
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;


@ -1,17 +1,23 @@
_: {
_:
{
config,
lib,
pkgs,
...
}: {
}:
{
sops.secrets.minifluxenv.owner = "miniflux";
systemd.services = {
miniflux = {
description = "Miniflux service";
wantedBy = ["multi-user.target"];
requires = ["miniflux-dbsetup.service"];
after = ["network.target" "postgresql.service" "miniflux-dbsetup.service"];
wantedBy = [ "multi-user.target" ];
requires = [ "miniflux-dbsetup.service" ];
after = [
"network.target"
"postgresql.service"
"miniflux-dbsetup.service"
];
script = lib.getExe' pkgs.miniflux "miniflux";
serviceConfig = {
@ -20,8 +26,8 @@ _: {
RuntimeDirectoryMode = "0770";
EnvironmentFile = config.sops.secrets.minifluxenv.path;
# Hardening
CapabilityBoundingSet = [""];
DeviceAllow = [""];
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
PrivateDevices = true;
@ -35,12 +41,19 @@ _: {
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = ["@system-service" "~@privileged"];
SystemCallFilter = [
"@system-service"
"~@privileged"
];
UMask = "0077";
};
@ -54,10 +67,15 @@ _: {
};
miniflux-dbsetup = {
description = "Miniflux database setup";
requires = ["postgresql.service"];
after = ["network.target" "postgresql.service"];
requires = [ "postgresql.service" ];
after = [
"network.target"
"postgresql.service"
];
script = ''
${lib.getExe' config.services.postgresql.package "psql"} "miniflux" -c "CREATE EXTENSION IF NOT EXISTS hstore"
${
lib.getExe' config.services.postgresql.package "psql"
} "miniflux" -c "CREATE EXTENSION IF NOT EXISTS hstore"
'';
serviceConfig = {
Type = "oneshot";
@ -72,11 +90,11 @@ _: {
users = {
miniflux = {
group = "miniflux";
extraGroups = ["postgres"];
extraGroups = [ "postgres" ];
isSystemUser = true;
uid = 377;
};
${config.services.nginx.user}.extraGroups = ["miniflux"];
${config.services.nginx.user}.extraGroups = [ "miniflux" ];
};
};
}


@ -1,11 +1,9 @@
_: {
pkgs,
config,
...
}: {
_:
{ pkgs, config, ... }:
{
sops.secrets.nextcloud.owner = "nextcloud";
users.users.nextcloud.extraGroups = ["postgres"];
users.users.nextcloud.extraGroups = [ "postgres" ];
services.nextcloud = {
enable = true;


@ -1,19 +1,20 @@
_: {
config,
lib,
...
}: {
_:
{ config, lib, ... }:
{
sops.secrets =
lib.genAttrs [
"nixfu_ssl_cert"
"nixfu_ssl_key"
"gerg_ssl_key"
"gerg_ssl_cert"
]
(_: {
owner = config.services.nginx.user;
inherit (config.services.nginx) group;
});
lib.genAttrs
[
"nixfu_ssl_cert"
"nixfu_ssl_key"
"gerg_ssl_key"
"gerg_ssl_cert"
]
(
_: {
owner = config.services.nginx.user;
inherit (config.services.nginx) group;
}
);
services.nginx = {
enable = true;
@ -33,7 +34,7 @@ _: {
forceSSL = true;
sslCertificate = config.sops.secrets.nixfu_ssl_cert.path;
sslCertificateKey = config.sops.secrets.nixfu_ssl_key.path;
serverAliases = ["www.nix-fu.com"];
serverAliases = [ "www.nix-fu.com" ];
globalRedirect = "github.com/Gerg-L";
};
"search.gerg-l.com" = {
@ -62,6 +63,9 @@ _: {
};
};
};
networking.firewall.allowedTCPPorts = [80 443];
networking.firewall.allowedTCPPorts = [
80
443
];
_file = ./nginx.nix;
}


@ -1,15 +1,17 @@
_: {
_:
{
pkgs,
config,
lib,
...
}: {
sops.secrets.discordenv = {};
}:
{
sops.secrets.discordenv = { };
systemd.services.parrot = {
enable = true;
wantedBy = ["multi-user.target"];
wants = ["network-online.target"];
after = ["network-online.target"];
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
script = lib.getExe pkgs.parrot;
serviceConfig = {
EnvironmentFile = config.sops.secrets.discordenv.path;


@ -1,8 +1,6 @@
_: {
config,
pkgs,
...
}: {
_:
{ config, pkgs, ... }:
{
services.postgresql = {
enable = true;
package = pkgs.postgresql_13;
@ -12,12 +10,10 @@ _: {
"miniflux"
config.services.gitea.database.user
];
ensureUsers = [
{
name = "miniflux";
ensurePermissions."DATABASE miniflux" = "ALL PRIVILEGES";
}
];
ensureUsers = [ {
name = "miniflux";
ensurePermissions."DATABASE miniflux" = "ALL PRIVILEGES";
} ];
settings.unix_socket_permissions = "0770";
};


@ -1,20 +1,17 @@
_: {
config,
pkgs,
...
}: {
_:
{ config, pkgs, ... }:
{
sops.secrets.searxngenv = {
owner = "searx";
group = "searx";
};
users.users.${config.services.nginx.user}.extraGroups = ["searx"];
users.users.${config.services.nginx.user}.extraGroups = [ "searx" ];
services.searx = {
enable = true;
package = pkgs.searxng;
#Later
/*
redisCreateLocally = true;
limiterSettings = {};
/* redisCreateLocally = true;
limiterSettings = {};
*/
runInUwsgi = true;
uwsgiConfig = {