Recreated options

Jurn Wubben 2025-08-29 11:05:27 +02:00
parent 0b839e082a
commit fc8178ed80
22 changed files with 325 additions and 205 deletions


@ -3,13 +3,15 @@
lib,
...
}: let
cfg = config.niksos.server;
inherit (config.services.caddy) enable;
inherit (lib) mkIf;
in {
services.caddy = {
enable = cfg;
email = "jurnwubben@gmail.com";
enableReload = false;
};
config = mkIf enable {
services.caddy = {
email = "jurnwubben@gmail.com";
enableReload = false;
};
networking.firewall.allowedTCPPorts = lib.mkIf cfg [80 443];
networking.firewall.allowedTCPPorts = [80 443];
};
}
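Review bot: `cfg = config.niksos.server;` (the unchanged line just above the new `inherit` lines) is dead on the new side: the firewall rule and the caddy settings are now gated by `mkIf enable`, and since this commit turns `options.niksos.server` into an attribute set the binding is no longer a boolean either, so a future `mkIf cfg` would fail at evaluation rather than do what its name suggests. Drop the line so it cannot be reused that way. `networking.firewall.allowedTCPPorts = [80 443];` is otherwise fine, as it only applies while one of the service modules sets `services.caddy.enable`. The module's argument list starts above the hunk.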


@ -1,16 +1,24 @@
{lib, ...}: {
{lib, ...}: let
inherit (lib) mkOption types;
in {
imports = [
# ./matrix.nix
./bot.nix
# ./temp.nix
./jsw-bot.nix
./caddy.nix
./derekBot.nix
./derek-bot.nix
./forgejo.nix
./immich.nix
./index
./mail.nix
./nextcloud.nix
./temp.nix
./zitadel.nix
];
options.niksos.server = lib.mkEnableOption "server servcies (such as caddy)."; #TODO: per service option.
options.niksos.server = {
baseDomain = mkOption {
type = types.lines;
description = "Set's the apex domain for the webservices. Do not include 'https' or a slash at the end. Just 'example.com'.";
example = "example.com";
};
};
}
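Review bot: `type = types.lines;` on `baseDomain` is the wrong option type for a hostname: `lines` is a multi-line string type whose definitions are merged by joining them with newlines, so two host files both setting `baseDomain` would silently yield a value with an embedded newline that then ends up as a Caddy virtual-host name and as the Matrix/Zitadel external domain, instead of the conflicting-definitions error one wants; `type = types.str;` (or `types.nonEmptyStr`) gives that error. The same applies to `subDomain` in the new `lib/webOptions.nix` file further down (`subDomain = mkOption { type = types.lines; ...`). The description also reads `Set's the apex domain` — `Sets the apex domain`.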


@ -4,26 +4,26 @@
lib,
...
}: let
cfg = config.niksos.server;
userGroup = "bread-dcbot";
name = "derek-bot";
cfg = config.niksos.server.${name}.enable;
userGroup = name;
gitRepo = "https://github.com/The-Breadening/Breadener";
bash = lib.getExe pkgs.bash;
inherit (lib) getExe mkEnableOption mkIf;
bash = getExe pkgs.bash;
varLib = "/var/lib/";
mainDir =
varLib
+ (
if !cfg
then ""
else userGroup
)
+ "/";
programDir = mainDir + "program";
denoDir = mainDir + "deno";
tokenDir = mainDir + "Breadener-token";
mainDir = "${varLib}${userGroup}";
programDir = "${mainDir}/program";
denoDir = "${mainDir}/deno";
tokenDir = "${mainDir}/Breadener-token";
path = builtins.concatStringsSep ":" (map (x: "${x}/bin/") [pkgs.coreutils pkgs.deno pkgs.git]);
in {
config = lib.mkIf config.niksos.server {
options.niksos.server.${name}.enable = mkEnableOption name;
config = mkIf cfg {
systemd.services.${userGroup} = {
enable = true;
after = ["network.target"];
@ -39,7 +39,7 @@ in {
export PATH=${path}
cd "${mainDir}"
chown -R ${userGroup}:${userGroup} ${mainDir}* || echo
chown -R ${userGroup}:${userGroup} ${mainDir}/* || echo
rm -rf "${tokenDir}" || echo
mkdir -p "${denoDir}" "${tokenDir}"
@ -48,7 +48,7 @@ in {
if [ ! -d "${programDir}" ]; then
git clone "${gitRepo}" "${programDir}"
fi
chmod -R 750 ${mainDir}* || echo
chmod -R 750 ${mainDir}/* || echo
cd "${programDir}"
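Review bot: Renaming `userGroup` from `"bread-dcbot"` to `name` (`"derek-bot"`) also moves `mainDir` from `/var/lib/bread-dcbot` to `/var/lib/derek-bot`, and nothing in the hunk migrates the existing program checkout, deno cache or `Breadener-token` directory, so on an already-deployed host the service re-clones into the new path and the old directory stays behind with its old ownership. If the rename is intended, a one-off move (or at least a note in the commit message) is needed. The `|| echo` after the `chown -R` and `chmod -R` lines hides any failure during that transition, so wrong ownership on the token directory would not appear in the unit's journal; `|| true` says the same thing without printing an empty line, but a failing `chown` here is probably worth surfacing. The pre-start script continues outside the hunk.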


@ -3,17 +3,24 @@
lib,
...
}: let
DOMAIN = "git.jsw.tf";
name = "forgejo";
cfg = import ./lib/extractWebOptions.nix {inherit config name;};
DOMAIN = cfg.domain;
in {
options = import ./lib/webOptions.nix {inherit config lib name;};
config =
lib.mkIf config.niksos.server
lib.mkIf cfg.enable
{
services.caddy.virtualHosts.${DOMAIN}.extraConfig = ''
request_body {
max_size 512M
}
reverse_proxy unix/${config.services.forgejo.settings.server.HTTP_ADDR}
'';
services.caddy = {
enable = true;
virtualHosts.${DOMAIN}.extraConfig = ''
request_body {
max_size 512M
}
reverse_proxy unix/${config.services.forgejo.settings.server.HTTP_ADDR}
'';
};
services.forgejo = {
enable = true;
@ -52,12 +59,13 @@ in {
DEFAULT_ACTIONS_URL = "github";
};
mailer = {
#FIXME: Only enable if stalwart is enabled by default.
ENABLED = true;
SUBJECT_PREFIX = "JSWGit";
PROTOCOL = "smtps";
SMTP_ADDR = "mail.jsw.tf"; #FIXME: replace with config... to stalwart setting once using stalwart nixos module.
SMTP_ADDR = "mail.${cfg.baseDomain}"; #FIXME: replace with config... to stalwart setting once using stalwart nixos module.
SMTP_PORT = 465;
FROM = "git@jsw.tf";
FROM = "git@${cfg.baseDomain}";
USER = "git";
PASSWD_URI = "file:${config.age.secrets.forgejo-mailpass.path}";
};
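Review bot: `SMTP_ADDR = "mail.${cfg.baseDomain}";` hard-codes the `mail` label, while the mail server's own host name is now derived from `niksos.server.stalwart.subDomain` through the same `webOptions`/`extractWebOptions` helpers; if that option is set to anything else, the `smtps` connection on port 465 goes to a name that neither resolves nor matches the server's certificate. Deriving it the same way, e.g. `SMTP_ADDR = (import ./lib/extractWebOptions.nix {inherit config; name = "stalwart";}).domain;`, keeps the two in sync, and the existing FIXME about only enabling the mailer when stalwart is enabled still stands. The `services.forgejo` block continues outside the hunk.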


@ -4,23 +4,29 @@
pkgs,
...
}: let
name = "immich";
inherit (lib) mkIf mkForce mkDefault;
cfg = config.niksos.server;
cfg = import ./lib/extractWebOptions.nix {inherit config name;};
oidcSubstitute = "*@#OPENIDCLIENTSECRET#@*";
config-dir = "/run/immich-conf";
url = "photos.jsw.tf";
httpsUrl = "https://" + url;
httpsUrl = "https://" + cfg.domain;
in {
config =
mkIf cfg
{
users.users.${config.services.immich.user}.extraGroups = ["video" "render"];
services.caddy.virtualHosts.${url}.extraConfig = ''
reverse_proxy localhost:9002
'';
options = import ./lib/webOptions.nix {inherit config lib name;};
services.immich = mkIf cfg {
config =
mkIf cfg.enable
{
services.caddy = {
enable = true;
virtualHosts.${cfg.domain}.extraConfig = ''
reverse_proxy localhost:9002
'';
};
users.users.${config.services.immich.user}.extraGroups = ["video" "render"];
services.immich = {
enable = true;
port = 9002;


@ -2,13 +2,19 @@
config,
lib,
...
}: {
services.caddy.virtualHosts."jsw.tf" = lib.mkIf config.niksos.server {
extraConfig = ''
header Content-Type text/html
respond <<HTML
${builtins.readFile ./index.html}
HTML 200
'';
}: let
name = "site";
cfg = import ../lib/extractWebOptions.nix {inherit config name;};
in {
options = import ../lib/webOptions.nix {inherit config lib name;};
config = lib.mkIf cfg.enable {
services.caddy.virtualHosts.${cfg.domain} = {
extraConfig = ''
header Content-Type text/html
respond <<HTML
${builtins.readFile ./index.html}
HTML 200
'';
};
};
}


@ -5,8 +5,13 @@
inputs,
...
}: let
deno = lib.getExe pkgs.deno;
bash = lib.getExe pkgs.bash;
name = "jsw-bot";
cfg = import ./lib/extractWebOptions.nix {inherit config name;};
inherit (lib) getExe mkIf optional;
inherit (config.niksos.server) nextcloud;
bash = getExe pkgs.bash;
mainDir = "/var/lib/dcbot/";
programDir = mainDir + "program";
@ -15,10 +20,14 @@
path = builtins.concatStringsSep ":" (map (x: "${x}/bin/") [pkgs.coreutils pkgs.typst pkgs.deno]);
in {
config = lib.mkIf config.niksos.server {
systemd.services.dcbot = {
options = import ./lib/webOptions.nix {
inherit config lib name;
};
config = mkIf cfg.enable {
systemd.services.${name} = {
enable = true;
after = ["network.target"];
after = ["network.target"]; #FIXME: doesn't start after network.
wantedBy = ["default.target"];
description = "Jsw's slaafje, discord bot.";
@ -33,35 +42,37 @@ in {
cd "${mainDir}"
mkdir -p "${programDir}" "${dataDir}" "${denoDir}"
chown -R dcbot:dcbot ${mainDir}* || echo
chown -R ${name}:${name} ${mainDir}* || echo
chmod -R 750 ${mainDir}* || echo
cp --no-preserve=mode,ownership -r ${inputs.dcbot}/* "${programDir}/"
rm "${dataDir}/.env" || echo
ln -s "${config.age.secrets.dcbot.path}" "${dataDir}/.env"
ln -s "${config.age.secrets.jsw-bot.path}" "${dataDir}/.env"
cd "${programDir}"
DENO_DIR=${denoDir} deno i
'';
serviceConfig = {
StateDirectory = "dcbot";
StateDirectory = name;
ExecStart = "${bash} -c 'cd ${dataDir} && deno run -A ${programDir}/src/main.ts'";
User = "dcbot";
Group = "dcbot";
User = name;
Group = name;
Restart = "always";
};
};
services.caddy.virtualHosts."dc.jsw.tf" = {
serverAliases = ["www.dc.jsw.tf"];
extraConfig = ''
reverse_proxy :9001
'';
services.caddy = {
enable = true;
virtualHosts.${cfg.domain} = {
extraConfig = ''
reverse_proxy :9001
'';
};
};
users.groups."dcbot" = {
members = ["nextcloud"]; #TODO: if config.niksos.server.nextcloud
members = optional nextcloud.enable "nextcloud"; #TODO: if config.niksos.server.nextcloud
#NOTE: for nextcloud mounted folder
};
users.users."dcbot" = {
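Review bot: The unit now runs as `User = name;`/`Group = name;` (`jsw-bot`) and the pre-start script `chown`s to `${name}:${name}`, but the only account declared on the visible lines is still `users.groups."dcbot"` / `users.users."dcbot"` (unchanged context at the end of the hunk), so unless the user block is renamed outside this hunk the service fails to start with an unknown user, and the preceding `chown` failure is hidden by `|| echo`. `StateDirectory = name;` likewise makes systemd create `/var/lib/jsw-bot`, while `mainDir` is still `"/var/lib/dcbot/"` (unchanged above), so the script keeps writing to a directory that is neither the state directory nor owned by the new user. Either keep `dcbot` for user, group, state directory and `mainDir`, or rename all four together (`mainDir = "/var/lib/${name}/";`). The `users.users` definition continues outside the hunk.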


@ -0,0 +1,18 @@
{
config,
name,
}: let
inherit (config.niksos) server;
inherit (server) baseDomain;
cfg = server.${name};
subDomain =
if cfg.subDomain == ""
then ""
else "${cfg.subDomain}.";
in
{
domain = "${subDomain}.${baseDomain}";
inherit baseDomain;
}
// cfg
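Review bot: `domain = "${subDomain}.${baseDomain}";` yields a malformed host name in both branches: `subDomain` is already either `""` or `"${cfg.subDomain}."` with the trailing dot added in the `else` branch above, so the result is `.example.com` for the apex site and `git..example.com` for a subdomain — and every module in this commit feeds this value into `services.caddy.virtualHosts`, Matrix `server_name`, Nextcloud `hostName` and Zitadel `ExternalDomain`. Drop the extra dot: `domain = "${subDomain}${baseDomain}";`. Separately, `// cfg` lets a per-service option named `domain` or `baseDomain` silently override the computed values; that is harmless today because `webOptions.nix` only declares `enable` and `subDomain`, but a comment such as `# service options win over the computed domain; keep webOptions free of a "domain" option` would protect it.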


@ -0,0 +1,16 @@
{
config,
lib,
name,
}: let
inherit (lib) mkEnableOption mkOption types;
in {
niksos.server.${name} = {
enable = mkEnableOption name;
subDomain = mkOption {
type = types.lines;
description = "What subdomain to use for ${name}";
example = name;
};
};
}
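Review bot: `subDomain` has no `default`, so every enabled service must define `niksos.server.<name>.subDomain` explicitly before `cfg.domain` can be evaluated, including the apex `site` module, for which the only meaningful value is `""`. Since `extractWebOptions.nix` already treats `""` as "no subdomain", a default would make the option usable out of the box: `default = name;` matches the `example` and gives each service `<name>.<baseDomain>`, with the site module setting its own `subDomain` to `""` (e.g. via `lib.mkDefault`). Whether every service should really be exposed on a subdomain by default is a design choice; the note is about avoiding an "option used but not defined" evaluation error rather than the particular value.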


@ -2,10 +2,15 @@
config,
lib,
...
}: {
}: let
name = "stalwart";
cfg = import ./lib/extractWebOptions.nix {inherit config name;};
in {
#FIXME: revert when stopped using docker for stalwart. https://github.com/NixOS/nixpkgs/issues/416091 (look at older commits for previous code.)
config = lib.mkIf config.niksos.server {
options = import ./lib/webOptions.nix {inherit lib config name;};
config = lib.mkIf cfg.enable {
virtualisation.oci-containers.containers.stalwart = {
image = "docker.io/stalwartlabs/stalwart:latest";
labels = {
@ -22,8 +27,11 @@
465
];
services.caddy.virtualHosts."mail.jsw.tf".extraConfig = ''
reverse_proxy http://127.0.0.1:9003
'';
services.caddy = {
enable = true;
virtualHosts.${cfg.domain}.extraConfig = ''
reverse_proxy http://127.0.0.1:9003
'';
};
};
}


@ -3,36 +3,37 @@
lib,
...
}: let
database = {
connection_string = "postgres:///dendrite?host=/run/postgresql";
max_open_conns = 97;
max_idle_conns = 5;
conn_max_lifetime = -1;
};
host = "matrix.jsw.tf";
name = "matrix";
cfg = import ./lib/extractWebOptions.nix {inherit config name;};
in {
config = lib.mkIf config.niksos.server {
options = import ./lib/webOptions.nix {inherit config lib name;};
config = lib.mkIf cfg.enable {
services = {
matrix-continuwuity = {
enable = true;
group = "caddy"; # Permissions for socket
#FIXME: caddy should be part of matrix group, not other way around
settings.global = {
unix_socket_path = "/run/continuwuity/continuwuity.sock";
server_name = host;
server_name = cfg.domain;
allow_registration = true;
registration_token_file = config.age.secrets.matrix-registration.path;
new_user_displayname_suffix = "";
};
};
caddy.virtualHosts = {
${host}.extraConfig = ''
header /.well-known/matrix/* Content-Type application/json
header /.well-known/matrix/* Access-Control-Allow-Origin *
respond /.well-known/matrix/server `{"m.server": "${host}:443"}`
respond /.well-known/matrix/client `{"m.homeserver": {"base_url": "https://${host}"}}`
reverse_proxy /_matrix/* unix//run/continuwuity/continuwuity.sock
'';
caddy = {
enable = true;
virtualHosts = {
${cfg.domain}.extraConfig = ''
header /.well-known/matrix/* Content-Type application/json
header /.well-known/matrix/* Access-Control-Allow-Origin *
respond /.well-known/matrix/server `{"m.server": "${cfg.domain}:443"}`
respond /.well-known/matrix/client `{"m.homeserver": {"base_url": "https://${cfg.domain}"}}`
reverse_proxy /_matrix/* unix//run/continuwuity/continuwuity.sock
'';
};
};
};
};
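Review bot: `server_name = cfg.domain;` now ties the Matrix `server_name` to the `baseDomain`/`subDomain` options; for a homeserver that already holds data this value must never change (it is part of every user and room ID), so a later edit to either option would break federation and all existing accounts rather than merely move the virtual host, while the old hard-coded `host` made that accidental change less likely. A comment on that line, e.g. `# server_name is permanent once the homeserver has data; changing baseDomain/subDomain later is a breaking change`, would make the coupling explicit. The module is still commented out in `default.nix`'s imports (`# ./matrix.nix`), so this does not affect the current deployment.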


@ -4,18 +4,24 @@
lib,
...
}: let
inherit (config.niksos) server;
host = "cloud.jsw.tf";
nginxRoot = config.services.nginx.virtualHosts.${host}.root;
name = "nextcloud";
cfg = import ./lib/extractWebOptions.nix {inherit config name;};
inherit (cfg) enable domain;
nginxRoot = config.services.nginx.virtualHosts.${domain}.root;
fpmSocket = config.services.phpfpm.pools.nextcloud.socket;
imaginaryPort = 9004;
in {
config = lib.mkIf server {
options = import ./lib/webOptions.nix {inherit config lib name;};
config = lib.mkIf enable {
users.groups.nextcloud.members = ["nextcloud" "caddy"];
services = {
nextcloud = {
enable = true;
hostName = host;
hostName = domain;
# Need to manually increment with every major upgrade.
package = pkgs.nextcloud31;
@ -77,12 +83,12 @@ in {
dbtype = "pgsql";
};
};
imaginary = {
enable = true;
port = imaginaryPort;
address = "localhost";
settings.returnSize = true;
};
# imaginary = { #FIXME: doesn't start.
# enable = true;
# port = imaginaryPort;
# address = "localhost";
# settings.returnSize = true;
# };
nginx.enable = lib.mkForce false;
phpfpm.pools.nextcloud.settings = let
@ -91,58 +97,62 @@ in {
"listen.owner" = user;
"listen.group" = group;
};
caddy.virtualHosts."${host}".extraConfig = ''
encode zstd gzip
root * ${nginxRoot}
caddy = {
enable = true;
virtualHosts.${domain}.extraConfig = ''
encode zstd gzip
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
redir /.well-known/* /index.php{uri} 301
redir /remote/* /remote.php{uri} 301
root * ${nginxRoot}
header {
Strict-Transport-Security max-age=31536000
Permissions-Policy interest-cohort=()
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
Referrer-Policy no-referrer
X-XSS-Protection "1; mode=block"
X-Permitted-Cross-Domain-Policies none
X-Robots-Tag "noindex, nofollow"
-X-Powered-By
}
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
redir /.well-known/* /index.php{uri} 301
redir /remote/* /remote.php{uri} 301
php_fastcgi unix/${fpmSocket} {
root ${nginxRoot}
env front_controller_active true
env modHeadersAvailable true
}
header {
Strict-Transport-Security max-age=31536000
Permissions-Policy interest-cohort=()
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
Referrer-Policy no-referrer
X-XSS-Protection "1; mode=block"
X-Permitted-Cross-Domain-Policies none
X-Robots-Tag "noindex, nofollow"
-X-Powered-By
}
@forbidden {
path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
path /.* /autotest* /occ* /issue* /indie* /db_* /console*
not path /.well-known/*
}
error @forbidden 404
php_fastcgi unix/${fpmSocket} {
root ${nginxRoot}
env front_controller_active true
env modHeadersAvailable true
}
@immutable {
path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
query v=*
}
header @immutable Cache-Control "max-age=15778463, immutable"
@forbidden {
path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
path /.* /autotest* /occ* /issue* /indie* /db_* /console*
not path /.well-known/*
}
error @forbidden 404
@static {
path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
not query v=*
}
header @static Cache-Control "max-age=15778463"
@immutable {
path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
query v=*
}
header @immutable Cache-Control "max-age=15778463, immutable"
@woff2 path *.woff2
header @woff2 Cache-Control "max-age=604800"
@static {
path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
not query v=*
}
header @static Cache-Control "max-age=15778463"
file_server
'';
@woff2 path *.woff2
header @woff2 Cache-Control "max-age=604800"
file_server
'';
};
};
};
}
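Review bot: With the `imaginary` service commented out, `imaginaryPort = 9004;` (unchanged context above) is a dead binding, and any Nextcloud preview setting that pointed at `localhost:9004` — outside this hunk, if one exists — would now target nothing; either comment out the binding alongside the FIXME'd block or drop both. The reordering inside the Caddy `extraConfig` should be behaviour-neutral, since Caddy sorts directives by its own built-in order rather than by position, so the `@forbidden` matcher and `error @forbidden 404` still take effect ahead of `php_fastcgi` and `file_server` as before; a one-line comment in the block saying that the order is cosmetic would stop the next reader from re-checking it.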


@ -1,14 +1,15 @@
#WARNING: deprecated
{
config,
pkgs,
lib,
inputs,
...
}: {
config = lib.mkIf config.niksos.server {
# NOTE: allows me to spin up temporarily services.
services.caddy.virtualHosts."temp.jsw.tf".extraConfig = ''
reverse_proxy :8000
'';
};
# config,
# pkgs,
# lib,
# inputs,
# ...
# }: {
# config = lib.mkIf config.niksos.server {
# # NOTE: allows me to spin up temporarily services.
# services.caddy.virtualHosts."temp.jsw.tf".extraConfig = ''
# reverse_proxy :8000
# '';
# };
}


@ -3,15 +3,22 @@
lib,
...
}: let
ExternalDomain = "z.jsw.tf";
name = "zitadel";
cfg = import ./lib/extractWebOptions.nix {inherit config name;};
Port = 9000;
in {
options = import ./lib/webOptions.nix {inherit config lib name;};
config =
lib.mkIf config.niksos.server
lib.mkIf cfg.enable
{
services.caddy.virtualHosts.${ExternalDomain}.extraConfig = ''
reverse_proxy localhost:${builtins.toString Port}
'';
services.caddy = {
enable = true;
virtualHosts.${cfg.domain}.extraConfig = ''
reverse_proxy localhost:${builtins.toString Port}
'';
};
# services.zitadel = {
# enable = true;
@ -32,8 +39,10 @@ in {
enable = true;
masterKeyFile = config.age.secrets.zitadel-key.path;
settings = {
inherit Port ExternalDomain;
inherit Port;
ExternalDomain = cfg.domain;
ExternalPort = 443;
Database.postgres = {
Host = "/var/run/postgresql/";
Port = 5432;
@ -53,9 +62,9 @@ in {
steps.FirstInstance = {
InstanceName = "jsw";
Org = {
Name = "jsw";
Name = "jsw-admin";
Human = {
UserName = "jsw@jsw.tf";
UserName = "jsw-admin@jsw.tf";
FirstName = "Jurn";
LastName = "Wubben";
Email.Verified = true;
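Review bot: `UserName = "jsw-admin@jsw.tf";` keeps a hard-coded `jsw.tf` while `ExternalDomain` in the same `settings` tree is now `cfg.domain`; if the instance is meant to follow `baseDomain`, `UserName = "jsw-admin@${cfg.baseDomain}";` keeps the two consistent. Also note that `FirstInstance` values (the org `Name`, the `Human.UserName`) are, as the key suggests, applied when the instance is first created, so the rename from `jsw` to `jsw-admin` likely has no effect on an already-initialised database — worth confirming against the Zitadel documentation before relying on it. The `settings` block continues outside the hunk.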