inputs:
{
# Service sub-modules bundled by this file, wrapped by localLib.mkModules
# (defined outside this file).  Options used further down but not declared
# here -- nixos.services.nginx.httpProxy, nixos.services.postgresql.enable --
# must come from these files.  ./docker.nix is commented out while the
# wallabag entry still sets nixos.virtualization.docker.enable, so that
# option presumably lives in another module -- verify.
imports = inputs.localLib.mkModules
[
  ./postgresql.nix
  ./redis.nix
  ./rsshub.nix
  ./misskey.nix
  ./nginx.nix
  ./meilisearch.nix
  ./xray.nix
  # ./docker.nix
];
options.nixos.services =
  let
    inherit (inputs.lib) mkOption types;
    # Every opt-in switch below is the same declaration: a bool that stays
    # off until a host sets it.
    offByDefault = mkOption { type = types.bool; default = false; };
  in {
    impermanence = {
      enable = offByDefault;
      # Roots of the datasets that environment.persistence (in config below)
      # binds into the running system.
      persistence = mkOption { type = types.nonEmptyStr; default = "/nix/persistent"; };
      root = mkOption { type = types.nonEmptyStr; default = "/nix/rootfs/current"; };
      # Optional extra root; when non-null the database directories go there.
      nodatacow = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
    };
    snapper = {
      enable = offByDefault;
      # snapper config name -> btrfs subvolume path
      configs = mkOption { type = types.attrsOf types.nonEmptyStr; default = {}; };
    };
    kmscon.enable = offByDefault;
    fontconfig.enable = offByDefault;
    sops = {
      enable = offByDefault;
      # Prefix put in front of the /etc/ssh host key paths handed to sops.
      keyPathPrefix = mkOption { type = types.str; default = ""; };
    };
    samba = {
      enable = offByDefault;
      wsdd = offByDefault;
      # `private` keeps the firewall closed for samba.
      private = offByDefault;
      # Written verbatim into smb.conf `hosts allow`; the default admits
      # loopback (127.*) only.
      hostsAllowed = mkOption { type = types.str; default = "127."; };
      shares = mkOption {
        type = types.attrsOf (types.submodule {
          options = {
            # Falls back to the share name when left null.
            comment = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
            path = mkOption { type = types.nonEmptyStr; };
          };
        });
        default = {};
      };
    };
    sshd.enable = offByDefault;
    firewall.trustedInterfaces = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
    acme = {
      enable = offByDefault;
      # Domain names to obtain certificates for.
      certs = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
    };
    frpClient = {
      enable = offByDefault;
      serverName = mkOption { type = types.nonEmptyStr; };
      user = mkOption { type = types.nonEmptyStr; };
      # One tcp proxy per attribute name.  `entry` is the submodule's own
      # argument set (named so it does not shadow the module's `inputs`);
      # its `config` is the proxy being declared, not the host configuration.
      tcp = mkOption {
        type = types.attrsOf (types.submodule (entry: {
          options = {
            localIp = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
            # NOTE(review): types.port would additionally reject values above 65535.
            localPort = mkOption { type = types.ints.unsigned; };
            # Declared, but not read by the frpc template in this file.
            remoteIp = mkOption { type = types.nonEmptyStr; default = "127.0.0.1"; };
            # Same port on both ends unless overridden.
            remotePort = mkOption { type = types.ints.unsigned; default = entry.config.localPort; };
          };
        }));
        default = {};
      };
    };
    frpServer = {
      enable = offByDefault;
      serverName = mkOption { type = types.nonEmptyStr; };
    };
    nix-serve = {
      enable = offByDefault;
      hostname = mkOption { type = types.nonEmptyStr; };
    };
    smartd.enable = offByDefault;
    # No entry in this file's config acts on this switch.
    fileshelter.enable = offByDefault;
    wallabag.enable = offByDefault;
  };
# Implementations of the options above, one mkMerge entry per service, each
# guarded by its own enable switch.  Entries are not fully independent: the
# frpServer entry turns on this module's own acme switch for its certificate.
config =
let
  inherit (inputs.lib) mkMerge mkIf;
  inherit (inputs.localLib) stripeTabs attrsToList;
  inherit (inputs.config.nixos) services;
  # `toString` is inherited here but is only referenced fully qualified
  # (builtins.toString) in this file.
  inherit (builtins) map listToAttrs toString;
in mkMerge
[
(mkIf services.impermanence.enable {
  environment.persistence =
    let
      imp = services.impermanence;
      # sddm's state is kept on the rootfs dataset only when sddm is in use.
      rootExtras = inputs.lib.optional inputs.config.services.xserver.displayManager.sddm.enable
        { directory = "/var/lib/sddm"; user = "sddm"; group = "sddm"; mode = "0700"; };
      # The database directories are moved onto the optional nodatacow dataset.
      # NOTE(review): /var/lib is also persisted from the main dataset, so these
      # are nested mounts; presumably impermanence orders them -- verify.
      nodatacowEntry = inputs.lib.optionalAttrs (imp.nodatacow != null) {
        ${imp.nodatacow} = {
          hideMounts = true;
          directories = [ "/var/lib/postgresql" "/var/lib/meilisearch" ];
        };
      };
    in {
      ${imp.persistence} = {
        hideMounts = true;
        directories = [
          "/etc/NetworkManager/system-connections"
          "/home"
          "/root"
          "/var/db"
          "/var/lib"
          "/var/log"
          "/var/spool"
        ];
        # Host identity: the ssh host keys (private halves included) are kept
        # on the persistent dataset so fingerprints survive a reboot.
        files = [
          "/etc/machine-id"
          "/etc/ssh/ssh_host_ed25519_key.pub"
          "/etc/ssh/ssh_host_ed25519_key"
          "/etc/ssh/ssh_host_rsa_key.pub"
          "/etc/ssh/ssh_host_rsa_key"
        ];
      };
      ${imp.root} = {
        hideMounts = true;
        directories = rootExtras;
      };
    } // nodatacowEntry;
})
(mkIf services.snapper.enable {
  services.snapper.configs =
    let
      # Timeline policy shared by every config; only the subvolume differs.
      timeline = {
        TIMELINE_CREATE = true;
        TIMELINE_CLEANUP = true;
        TIMELINE_MIN_AGE = 1800;
        TIMELINE_LIMIT_HOURLY = "10";
        TIMELINE_LIMIT_DAILY = "7";
        TIMELINE_LIMIT_WEEKLY = "1";
        TIMELINE_LIMIT_MONTHLY = "0";
        TIMELINE_LIMIT_YEARLY = "0";
      };
      toConfig = entry: {
        inherit (entry) name;
        value = timeline // { SUBVOLUME = entry.value; };
      };
    in listToAttrs (map toConfig (attrsToList services.snapper.configs));
  # Local patch (./snapper.patch, not shown here) applied on top of the
  # packaged snapper.
  nixpkgs.config.packageOverrides = pkgs: {
    snapper = pkgs.snapper.overrideAttrs (prev: {
      patches = (prev.patches or []) ++ [ ./snapper.patch ];
    });
  };
})
(mkIf services.kmscon.enable {
  # kmscon replaces the kernel console; one font entry only.
  services.kmscon.enable = true;
  services.kmscon.fonts = [ { name = "FiraCode Nerd Font Mono"; package = inputs.pkgs.nerdfonts; } ];
})
(mkIf services.fontconfig.enable {
  fonts.fontDir.enable = true;
  # Packages are referenced explicitly instead of through `with pkgs` so the
  # names cannot be shadowed by anything in scope.
  fonts.packages =
    let p = inputs.pkgs; in [
      p.noto-fonts p.source-han-sans p.source-han-serif p.source-code-pro
      p.hack-font p.jetbrains-mono p.nerdfonts
    ];
  # CJK (SC) first, DejaVu as the final fallback.
  fonts.fontconfig.defaultFonts = {
    emoji = [ "Noto Color Emoji" ];
    monospace = [ "Noto Sans Mono CJK SC" "Sarasa Mono SC" "DejaVu Sans Mono" ];
    sansSerif = [ "Noto Sans CJK SC" "Source Han Sans SC" "DejaVu Sans" ];
    serif = [ "Noto Serif CJK SC" "Source Han Serif SC" "DejaVu Serif" ];
  };
})
(mkIf services.sops.enable {
  sops =
    let
      hostKey = name: "${services.sops.keyPathPrefix}/etc/ssh/${name}";
    in {
      # One secrets file per host, selected by hostname.
      defaultSopsFile = ../../secrets/${inputs.config.networking.hostName}.yaml;
      # sops runs before impermanence has set up /etc/ssh, so the host keys
      # are addressed by their absolute pre-mount path; keyPathPrefix supplies
      # that prefix (presumably the persistence root).
      age.sshKeyPaths = [ (hostKey "ssh_host_ed25519_key") ];
      gnupg.sshKeyPaths = [ (hostKey "ssh_host_rsa_key") ];
    };
})
(mkIf services.samba.enable {
  # make shares visible for windows 10 clients
  services.samba-wsdd.enable = services.samba.wsdd;
  services.samba =
    let
      # Settings common to every exported share; all shares are writeable.
      shareDefaults = {
        browseable = true;
        writeable = true;
        "create mask" = "664";
        "force create mode" = "644";
        "directory mask" = "2755";
        "force directory mode" = "2755";
      };
      toShare = entry: {
        inherit (entry) name;
        value = shareDefaults // {
          comment = if entry.value.comment == null then entry.name else entry.value.comment;
          path = entry.value.path;
        };
      };
    in {
      enable = true;
      # `private` keeps the firewall closed; reachability is then governed by
      # `hosts allow` below (default "127.", loopback only).
      openFirewall = !services.samba.private;
      securityType = "user";
      extraConfig = stripeTabs ''
        workgroup = WORKGROUP
        server string = Samba Server
        server role = standalone server
        hosts allow = ${services.samba.hostsAllowed}
        dns proxy = no
      '';
      # obey pam restrictions = yes
      # encrypt passwords = no
      shares = listToAttrs (map toShare (attrsToList services.samba.shares));
    };
})
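(mkIf services.sshd.enable {
  services.openssh = {
    enable = true;
    settings = {
      # NOTE(review): X11 forwarding is granted to every authenticated client;
      # it is a convenience setting, not a hardening one.
      X11Forwarding = true;
      # Interpolating the path (instead of builtins.toString) copies ca.pub
      # into the store with a tracked reference, so the CA file is part of
      # the system closure and cannot be garbage-collected from under sshd
      # or be absent on a remotely built system.
      TrustedUserCAKeys = "${./ca.pub}";
      # Key (or CA-signed certificate) logins only: both the current and the
      # deprecated spelling of the keyboard-interactive switch are off.
      ChallengeResponseAuthentication = false;
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      # PAM still runs for account/session handling; it is not an
      # authentication method with the settings above.
      UsePAM = true;
    };
  };
})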
# Unconditional entry: an empty list is a no-op.
{ networking.firewall = { inherit (services.firewall) trustedInterfaces; }; }
(mkIf services.acme.enable {
  security.acme = {
    acceptTerms = true;
    defaults.email = "chn@chn.moe";
    # Every listed name gets the same Cloudflare DNS setup; the API
    # credentials come from sops and are never written into the store.
    certs = inputs.lib.genAttrs services.acme.certs (_: {
      dnsResolver = "8.8.8.8";
      dnsProvider = "cloudflare";
      credentialsFile = inputs.config.sops.secrets."acme/cloudflare.ini".path;
    });
  };
  sops.secrets."acme/cloudflare.ini" = {};
})
(mkIf services.frpClient.enable {
  systemd.services.frpc =
    let
      bin = "${inputs.pkgs.frp}/bin/frpc";
      ini = inputs.config.sops.templates."frpc.ini";
    in {
      description = "Frp Client Service";
      after = [ "network.target" ];
      serviceConfig = {
        Type = "simple";
        # Unprivileged service account declared below; the rendered ini is
        # owned by the same account so only it can read the token.
        User = "frp";
        Restart = "always";
        RestartSec = "5s";
        ExecStart = "${bin} -c ${ini.path}";
        LimitNOFILE = 1048576;
      };
      wantedBy = [ "multi-user.target" ];
      # A re-rendered template restarts the client.
      restartTriggers = [ ini.file ];
    };
  sops =
    let
      common = {
        server_addr = services.frpClient.serverName;
        server_port = 7000;
        # Shared secret with the server, filled in by sops from the secret
        # declared below.
        token = inputs.config.sops.placeholder."frp/token";
        user = services.frpClient.user;
        tls_enable = true;
      };
      # One [name] section per tcp entry; the option's remoteIp is not used.
      proxy = entry: {
        inherit (entry) name;
        value = {
          type = "tcp";
          local_ip = entry.value.localIp;
          local_port = entry.value.localPort;
          remote_port = entry.value.remotePort;
          use_compression = true;
        };
      };
      proxies = listToAttrs (map proxy (attrsToList services.frpClient.tcp));
    in {
      templates."frpc.ini" = {
        owner = inputs.config.users.users.frp.name;
        group = inputs.config.users.users.frp.group;
        content = inputs.lib.generators.toINI {} ({ inherit common; } // proxies);
      };
      secrets."frp/token" = {};
    };
  users = { users.frp = { isSystemUser = true; group = "frp"; }; groups.frp = {}; };
})
(mkIf services.frpServer.enable {
  systemd.services.frps =
    let
      bin = "${inputs.pkgs.frp}/bin/frps";
      ini = inputs.config.sops.templates."frps.ini";
    in {
      description = "Frp Server Service";
      after = [ "network.target" ];
      serviceConfig = {
        Type = "simple";
        User = "frp";
        Restart = "on-failure";
        RestartSec = "5s";
        ExecStart = "${bin} -c ${ini.path}";
        LimitNOFILE = 1048576;
      };
      wantedBy = [ "multi-user.target" ];
      restartTriggers = [ ini.file ];
    };
  sops =
    let
      certDir = inputs.config.security.acme.certs.${services.frpServer.serverName}.directory;
    in {
      templates."frps.ini" = {
        owner = inputs.config.users.users.frp.name;
        group = inputs.config.users.users.frp.group;
        content = inputs.lib.generators.toINI {} {
          common = {
            bind_port = 7000;
            # NOTE(review): only TCP 7000 is opened in the firewall below, so this
            # UDP listener is reachable from loopback and trusted interfaces only;
            # if clients are expected on the UDP transport, allowedUDPPorts needs
            # 7000 as well -- confirm which is intended.
            bind_udp_port = 7000;
            token = inputs.config.sops.placeholder."frp/token";
            # Certificate from the acme entry; the cert's group is set to frp
            # below so the service account can read key.pem.
            tls_cert_file = "${certDir}/full.pem";
            tls_key_file = "${certDir}/key.pem";
            # Refuse clients that do not speak TLS.
            tls_only = true;
            user_conn_timeout = 30;
          };
        };
      };
      secrets."frp/token" = {};
    };
  # The server certificate is obtained through this module's own acme entry.
  nixos.services.acme = { enable = true; certs = [ services.frpServer.serverName ]; };
  security.acme.certs.${services.frpServer.serverName}.group = "frp";
  users = { users.frp = { isSystemUser = true; group = "frp"; }; groups.frp = {}; };
  networking.firewall.allowedTCPPorts = [ 7000 ];
})
(mkIf services.nix-serve.enable {
  services.nix-serve =
    let signingKey = inputs.config.sops.secrets."store/signingKey"; in {
      enable = true;
      # NOTE(review): this opens the daemon's own port (5000, see the upstream
      # below) in the firewall in addition to the nginx vhost that proxies to
      # 127.0.0.1:5000; if every client is meant to go through nginx this can
      # be false, with bindAddress set to 127.0.0.1 -- confirm.
      openFirewall = true;
      # Signs the served paths; the private key never enters the store.
      secretKeyFile = signingKey.path;
    };
  sops.secrets."store/signingKey" = {};
  # Hostname (and presumably TLS) handling is delegated to the nginx module.
  nixos.services.nginx.httpProxy.${services.nix-serve.hostname}.upstream = "http://127.0.0.1:5000";
})
# Plain pass-through to the NixOS smartd service.
(mkIf services.smartd.enable { services.smartd = { enable = true; }; })
(mkIf services.wallabag.enable {
  virtualisation.oci-containers.containers.wallabag = {
    image = "wallabag/wallabag:2.6.2";
    # The image is pinned by digest and pre-fetched, so a retagged upstream
    # image cannot change what runs here.
    imageFile = inputs.pkgs.dockerTools.pullImage {
      imageName = "wallabag/wallabag";
      imageDigest = "sha256:241e5c71f674ee3f383f428e8a10525cbd226d04af58a40ce9363ed47e0f1de9";
      sha256 = "0zflrhgg502w3np7kqmxij8v44y491ar2qbk7qw981fysia5ix09";
      finalImageName = "wallabag/wallabag";
      finalImageTag = "2.6.2";
    };
    # Published on loopback only; the nginx vhost below is the public entry.
    ports = [ "127.0.0.1:4398:80/tcp" ];
    # Lets the container reach postgres and redis on the host.
    extraOptions = [ "--add-host=host.docker.internal:host-gateway" ];
    # Database and redis passwords arrive through a sops-rendered env file,
    # never through the Nix store.
    environmentFiles = [ inputs.config.sops.templates."wallabag/env".path ];
  };
  # systemd.services.docker-wallabag.serviceConfig =
  # {
  #   User = "wallabag";
  #   Group = "wallabag";
  # };
  sops = {
    templates."wallabag/env".content =
      let placeholder = inputs.config.sops.placeholder; in stripeTabs ''
        SYMFONY__ENV__DATABASE_DRIVER=pdo_pgsql
        SYMFONY__ENV__DATABASE_HOST=host.docker.internal
        SYMFONY__ENV__DATABASE_PORT=5432
        SYMFONY__ENV__DATABASE_NAME=wallabag
        SYMFONY__ENV__DATABASE_USER=wallabag
        SYMFONY__ENV__DATABASE_PASSWORD=${placeholder."postgresql/wallabag"}
        SYMFONY__ENV__REDIS_HOST=host.docker.internal
        SYMFONY__ENV__REDIS_PORT=8790
        SYMFONY__ENV__REDIS_PASSWORD=${placeholder."redis/wallabag"}
        SYMFONY__ENV__SERVER_NAME=wallabag.chn.moe
        SYMFONY__ENV__DOMAIN_NAME=https://wallabag.chn.moe
        SYMFONY__ENV__TWOFACTOR_AUTH=false
      '';
    # SYMFONY__ENV__MAILER_DSN=smtp://bot%%40chn.moe@${placeholder."mail/bot-encoded"}:mail.chn.moe
    # SYMFONY__ENV__FROM_EMAIL=bot@chn.moe
    # SYMFONY__ENV__TWOFACTOR_SENDER=bot@chn.moe
    secrets = {
      # Readable by the redis instance that consumes it as requirePassFile.
      "redis/wallabag".owner = inputs.config.users.users.redis-wallabag.name;
      "postgresql/wallabag" = {};
      # Declared for the mailer settings that are still commented out above.
      "mail/bot-encoded" = {};
    };
  };
  services = {
    redis.servers.wallabag = {
      enable = true;
      # NOTE(review): null means every interface in the NixOS redis module; it
      # is needed for the container's host-gateway route, so the password file
      # is the only access control. Nothing in this entry opens 8790 in the
      # firewall.
      bind = null;
      port = 8790;
      requirePassFile = inputs.config.sops.secrets."redis/wallabag".path;
    };
    postgresql = {
      ensureDatabases = [ "wallabag" ];
      ensureUsers = [ { name = "wallabag"; ensurePermissions."DATABASE \"wallabag\"" = "ALL PRIVILEGES"; } ];
      # ALTER DATABASE db_name OWNER TO new_owner_name
      # sudo docker exec -t wallabag /var/www/wallabag/bin/console wallabag:install --env=prod --no-interaction
    };
  };
  nixos = {
    services = {
      nginx = {
        enable = true;
        httpProxy."wallabag.chn.moe" = {
          upstream = "http://127.0.0.1:4398";
          setHeaders.Host = "wallabag.chn.moe";
        };
      };
      postgresql.enable = true;
    };
    virtualization.docker.enable = true;
  };
  # users =
  # {
  #   users.wallabag = { isSystemUser = true; group = "wallabag"; autoSubUidGidRange = true; };
  #   groups.wallabag = {};
  # };
})
];
}