全部修改完成

This commit is contained in:
陈浩南 2023-11-09 22:19:37 +08:00
parent 69cb43e6f5
commit fd799befd3
19 changed files with 152 additions and 303 deletions

131
flake.nix

@ -198,13 +198,12 @@
};
};
firewall.trustedInterfaces = [ "virbr0" "waydroid0" ];
acme = { enable = true; certs = [ "debug.mirism.one" ]; };
acme = { enable = true; cert."debug.mirism.one" = {}; };
frpClient =
{
enable = true;
serverName = "frp.chn.moe";
user = "pc";
tcp.store = { localPort = 443; remotePort = 7676; };
};
nix-serve = { enable = true; hostname = "nix-store.chn.moe"; };
smartd.enable = true;
@ -283,7 +282,7 @@
{
map =
{
"nix-store.chn.moe" = { upstream = "internal.pc.chn.moe:443"; rewriteHttps = true; };
"nix-store.chn.moe" = { upstream = "internal.pc.chn.moe"; rewriteHttps = true; };
"anchor.fm" = { upstream = "anchor.fm:443"; rewriteHttps = true; };
"podcasters.spotify.com" = { upstream = "podcasters.spotify.com:443"; rewriteHttps = true; };
"xlog.chn.moe" = { upstream = "cname.xlog.app:443"; rewriteHttps = true; };
@ -297,7 +296,7 @@
value =
{ upstream.address = "internal.vps7.chn.moe"; proxyProtocol = true; rewriteHttps = true; };
})
[ "xn--s8w913fdga" "misskey" "nextcloud" "photoprism" "synapse" "vaultwarden" ]));
[ "xn--s8w913fdga" "misskey" "synapse" ]));
};
applications =
{
@ -358,10 +357,7 @@
fontconfig.enable = true;
sshd.enable = true;
rsshub.enable = true;
nginx =
{
transparentProxy.externalIp = [ "95.111.228.40" "192.168.82.2" ];
};
nginx.transparentProxy.externalIp = [ "95.111.228.40" "192.168.82.2" ];
wallabag.enable = true;
misskey.instances =
{
@ -483,125 +479,6 @@
users.users = [ "root" "chn" "xll" "zem" "yjq" "yxy" ];
};})
];
"xmupc1" =
[
(inputs: { config.nixos =
{
system =
{
fileSystems =
{
mount =
{
vfat."/dev/disk/by-uuid/3F57-0EBE" = "/boot/efi";
btrfs =
{
"/dev/disk/by-uuid/02e426ec-cfa2-4a18-b3a5-57ef04d66614"."/" = "/boot";
"/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
};
};
decrypt.auto =
{
"/dev/disk/by-uuid/55fdd19f-0f1d-4c37-bd4e-6df44fc31f26" = { mapper = "root"; ssd = true; };
"/dev/md/swap" = { mapper = "swap"; ssd = true; before = [ "root" ]; };
};
mdadm =
"ARRAY /dev/md/swap metadata=1.2 name=pc:swap UUID=2b546b8d:e38007c8:02990dd1:df9e23a4";
swap = [ "/dev/mapper/swap" ];
resume = "/dev/mapper/swap";
rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
};
grub.installDevice = "efi";
nixpkgs = { march = "znver3"; cudaSupport = true; };
nix =
{
marches =
[
"znver3" "znver2"
# PREFETCHW RDRND XSAVE XSAVEOPT PTWRITE SGX GFNI-SSE MOVDIRI MOVDIR64B CLDEMOTE WAITPKG LZCNT
# PCONFIG SERIALIZE HRESET KL WIDEKL AVX-VNNI
"alderlake"
# SAHF FXSR XSAVE
"sandybridge"
# SAHF FXSR PREFETCHW RDRND
"silvermont"
];
substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
};
gui.enable = true;
kernel.patches = [ "cjktty" "preempt" ];
impermanence.enable = true;
networking.hostname = "xmupc1";
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
};
hardware =
{
cpus = [ "intel" ];
gpus = [ "intel" "nvidia" ];
bluetooth.enable = true;
joystick.enable = true;
printer.enable = true;
sound.enable = true;
prime =
{ enable = true; mode = "offload"; busId = { intel = "PCI:0:2:0"; nvidia = "PCI:1:0:0"; };};
};
packages.packageSet = "workstation";
virtualization =
{
docker.enable = true;
kvmHost = { enable = true; gui = true; };
};
services =
{
snapper = { enable = true; configs.persistent = "/nix/persistent"; };
fontconfig.enable = true;
samba =
{
enable = true;
hostsAllowed = "192.168. 127.";
shares =
{
media.path = "/run/media/chn";
home.path = "/home/chn";
mnt.path = "/mnt";
share.path = "/home/chn/share";
};
};
sshd.enable = true;
xrayClient =
{
enable = true;
serverAddress = "74.211.99.69";
serverName = "vps6.xserver.chn.moe";
dns =
{
extraInterfaces = [ "docker0" ];
hosts =
{
"mirism.one" = "216.24.188.24";
"beta.mirism.one" = "216.24.188.24";
"ng01.mirism.one" = "216.24.188.24";
"debug.mirism.one" = "127.0.0.1";
"initrd.vps6.chn.moe" = "74.211.99.69";
"nix-store.chn.moe" = "127.0.0.1";
};
};
};
firewall.trustedInterfaces = [ "virbr0" ];
frpClient =
{
enable = true;
serverName = "frp.chn.moe";
user = "xmupc1";
tcp.store = { localPort = 443; remotePort = 7676; };
};
smartd.enable = true;
nginx.transparentProxy.enable = false;
postgresql.enable = true;
};
bugs = [ "xmunet" "firefox" "embree" ];
};})
];
"yoga" =
[
(inputs: { config.nixos =
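Review bot: In the `@ -283,7 +282,7 @@` hunk the rewritten entry `"nix-store.chn.moe" = { upstream = "internal.pc.chn.moe"; rewriteHttps = true; };` is the only string-form `upstream` in this map without a port, while the neighbouring `anchor.fm`, `podcasters.spotify.com` and `xlog.chn.moe` entries keep `:443` and the entries a few lines below use the structured `upstream.address = …` form. If the transparentProxy module derives a port for a port-less string (as the `upstream.port = httpsPort + httpsPortShift.proxyProtocol …` logic in nginx.nix suggests it may for the structured form), this is fine; otherwise the store proxy now points at a host with no port. Either way, using the structured form, `upstream.address = "internal.pc.chn.moe";`, would make the intent explicit and consistent with the `internal.vps7.chn.moe` entries. The enclosing `map` attrset starts and ends outside the hunk.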


@ -25,8 +25,11 @@ inputs:
no-cli = true;
};
sops.secrets."coturn/auth-secret".owner = inputs.config.systemd.services.coturn.serviceConfig.User;
nixos.services.acme = { enable = true; certs = [ coturn.hostname ]; };
security.acme.certs.${coturn.hostname}.group = inputs.config.systemd.services.coturn.serviceConfig.Group;
nixos.services.acme =
{
enable = true;
cert.${coturn.hostname}.group = inputs.config.systemd.services.coturn.serviceConfig.Group;
};
networking.firewall = with inputs.config.services.coturn;
{
allowedUDPPorts = [ listening-port tls-listening-port ];


@ -25,19 +25,14 @@ inputs:
./photoprism.nix
./nextcloud.nix
./freshrss.nix
./kmscon.nix
./fontconfig.nix
./nix-serve.nix
];
options.nixos.services = let inherit (inputs.lib) mkOption types; in
{
kmscon.enable = mkOption { type = types.bool; default = false; };
fontconfig.enable = mkOption { type = types.bool; default = false; };
firewall.trustedInterfaces = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
nix-serve =
{
enable = mkOption { type = types.bool; default = false; };
hostname = mkOption { type = types.nonEmptyStr; };
};
smartd.enable = mkOption { type = types.bool; default = false; };
fileshelter.enable = mkOption { type = types.bool; default = false; };
wallabag.enable = mkOption { type = types.bool; default = false; };
noisetorch.enable = mkOption { type = types.bool; default = inputs.config.nixos.system.gui.preferred; };
};
@ -49,49 +44,7 @@ inputs:
inherit (builtins) map listToAttrs toString;
in mkMerge
[
(
mkIf services.kmscon.enable
{
services.kmscon =
{
enable = true;
fonts = [{ name = "FiraCode Nerd Font Mono"; package = inputs.pkgs.nerdfonts; }];
};
}
)
(
mkIf services.fontconfig.enable
{
fonts =
{
fontDir.enable = true;
fonts = with inputs.pkgs;
[ noto-fonts source-han-sans source-han-serif source-code-pro hack-font jetbrains-mono nerdfonts ];
fontconfig.defaultFonts =
{
emoji = [ "Noto Color Emoji" ];
monospace = [ "Noto Sans Mono CJK SC" "Sarasa Mono SC" "DejaVu Sans Mono"];
sansSerif = [ "Noto Sans CJK SC" "Source Han Sans SC" "DejaVu Sans" ];
serif = [ "Noto Serif CJK SC" "Source Han Serif SC" "DejaVu Serif" ];
};
};
}
)
{ networking.firewall.trustedInterfaces = services.firewall.trustedInterfaces; }
(
mkIf services.nix-serve.enable
{
services.nix-serve =
{
enable = true;
openFirewall = true;
secretKeyFile = inputs.config.sops.secrets."store/signingKey".path;
};
sops.secrets."store/signingKey" = {};
nixos.services.nginx.http.${services.nix-serve.hostname} =
{ rewriteHttps = true; locations."/".proxy.upstream = "http://127.0.0.1:5000"; };
}
)
(mkIf services.smartd.enable { services.smartd.enable = true; })
(
mkIf services.wallabag.enable
@ -111,11 +64,6 @@ inputs:
extraOptions = [ "--add-host=host.docker.internal:host-gateway" ];
environmentFiles = [ inputs.config.sops.templates."wallabag/env".path ];
};
# systemd.services.docker-wallabag.serviceConfig =
# {
# User = "wallabag";
# Group = "wallabag";
# };
sops =
{
templates."wallabag/env".content =
@ -139,33 +87,7 @@ inputs:
# SYMFONY__ENV__MAILER_DSN=smtp://bot%%40chn.moe@${placeholder."mail/bot-encoded"}:mail.chn.moe
# SYMFONY__ENV__FROM_EMAIL=bot@chn.moe
# SYMFONY__ENV__TWOFACTOR_SENDER=bot@chn.moe
secrets =
{
"redis/wallabag".owner = inputs.config.users.users.redis-wallabag.name;
"postgresql/wallabag" = {};
"mail/bot-encoded" = {};
};
};
services =
{
redis.servers.wallabag =
{
enable = true;
bind = null;
port = 8790;
requirePassFile = inputs.config.sops.secrets."redis/wallabag".path;
};
postgresql =
{
ensureDatabases = [ "wallabag" ];
ensureUsers =
[{
name = "wallabag";
ensurePermissions."DATABASE \"wallabag\"" = "ALL PRIVILEGES";
}];
# ALTER DATABASE db_name OWNER TO new_owner_name
# sudo docker exec -t wallabag /var/www/wallabag/bin/console wallabag:install --env=prod --no-interaction
};
secrets."mail/bot-encoded" = {};
};
nixos =
{
@ -174,21 +96,14 @@ inputs:
nginx =
{
enable = true;
http."wallabag.chn.moe" =
{
rewriteHttps = true;
locations."/".proxy = { upstream = "http://127.0.0.1:4398"; setHeaders.Host = "wallabag.chn.moe"; };
};
https."wallabag.chn.moe".location."/".proxy.upstream = "http://127.0.0.1:4398";
};
postgresql.enable = true;
postgresql = { enable = true; instances.wallabag = {}; };
redis.instances.wallabag.port = 8790;
};
# TODO: root docker use config of rootless docker?
virtualization.docker.enable = true;
};
# users =
# {
# users.wallabag = { isSystemUser = true; group = "wallabag"; autoSubUidGidRange = true; };
# groups.wallabag = {};
# };
}
)
(mkIf services.noisetorch.enable { programs.noisetorch.enable = true; })
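Review bot: The wallabag block in the `@ -139,33 +87,7 @@` hunk replaces an explicit redis definition that carried `bind = null` (all interfaces) together with `requirePassFile = inputs.config.sops.secrets."redis/wallabag".path` by the single line `redis.instances.wallabag.port = 8790;`, and nothing visible in the new side re-establishes a password or a bind address. Because the wallabag container reaches the host through `--add-host=host.docker.internal:host-gateway`, this redis has to listen on a non-loopback address, so the `redis.instances` module should be confirmed to enforce `requirePass` and, ideally, to bind only to the docker bridge rather than every interface. The same hunk drops the `"redis/wallabag"` and `"postgresql/wallabag"` sops secrets while keeping `"mail/bot-encoded"`; if the `templates."wallabag/env".content` that begins in the previous hunk and runs outside it still references those placeholders, evaluation will fail, so either the template or the new instance modules must now provide them. The enclosing `mkIf services.wallabag.enable` expression starts outside the hunk.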


@ -0,0 +1,27 @@
inputs:
{
options.nixos.services.fontconfig = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
};
config =
let
inherit (inputs.lib) mkIf;
inherit (inputs.config.nixos.services) fontconfig;
in mkIf fontconfig.enable
{
fonts =
{
fontDir.enable = true;
fonts = with inputs.pkgs;
[ noto-fonts source-han-sans source-han-serif source-code-pro hack-font jetbrains-mono nerdfonts ];
fontconfig.defaultFonts =
{
emoji = [ "Noto Color Emoji" ];
monospace = [ "Noto Sans Mono CJK SC" "Sarasa Mono SC" "DejaVu Sans Mono"];
sansSerif = [ "Noto Sans CJK SC" "Source Han Sans SC" "DejaVu Sans" ];
serif = [ "Noto Serif CJK SC" "Source Han Serif SC" "DejaVu Serif" ];
};
};
};
}


@ -37,10 +37,9 @@ inputs:
nixos.services =
{
mariadb = { enable = true; instances.freshrss = {}; };
nginx.http.${freshrss.hostname} =
nginx.https.${freshrss.hostname} =
{
rewriteHttps = true;
locations =
location =
{
"/".static =
{


@ -179,8 +179,11 @@ inputs:
};
secrets."frp/token" = {};
};
nixos.services.acme = { enable = true; certs = [ frpServer.serverName ]; };
security.acme.certs.${frpServer.serverName}.group = "frp";
nixos.services.acme =
{
enable = true;
cert.${frpServer.serverName}.group = "frp";
};
users = { users.frp = { isSystemUser = true; group = "frp"; }; groups.frp = {}; };
networking.firewall.allowedTCPPorts = [ 7000 ];
}


@ -0,0 +1,19 @@
inputs:
{
options.nixos.services.kmscon = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
};
config =
let
inherit (inputs.lib) mkIf;
inherit (inputs.config.nixos.services) kmscon;
in mkIf kmscon.enable
{
services.kmscon =
{
enable = true;
fonts = [{ name = "FiraCode Nerd Font Mono"; package = inputs.pkgs.nerdfonts; }];
};
};
}


@ -169,13 +169,11 @@ inputs:
name = hostname;
value =
{
global.rewriteHttps = true;
listen.main.proxyProtocol = true;
locations."/".proxy =
location."/".proxy =
{
upstream = "http://127.0.0.1:${toString port}";
websocket = true;
setHeaders.Host = hostname;
};
};
})


@ -70,11 +70,7 @@ inputs:
nginx =
{
enable = true;
https.${nextcloud.hostname} =
{
global.rewriteHttps = true;
listen.main.proxyProtocol = true;
};
https.${nextcloud.hostname} = {};
};
};
sops =


@ -20,21 +20,17 @@ inputs:
(instance: with instance.value;
{
name = hostname;
value =
{
global.rewriteHttps = true;
locations."/".static.root =
if defaultServer == null then toString inputs.pkgs.element-web
else toString (inputs.pkgs.element-web.override { conf =
value.location."/".static.root =
if defaultServer == null then toString inputs.pkgs.element-web
else toString (inputs.pkgs.element-web.override { conf =
{
default_server_config."m.homeserver" =
{
default_server_config."m.homeserver" =
{
base_url = "https://${defaultServer}";
server_name = defaultServer;
};
disable_guests = false;
};});
};
base_url = "https://${defaultServer}";
server_name = defaultServer;
};
disable_guests = false;
};});
})
(attrsToList instances));
};


@ -14,15 +14,11 @@ inputs:
inherit (builtins) map listToAttrs;
in
{
nixos.services.nginx.http = listToAttrs (map
(http: with http.value;
nixos.services.nginx.https = listToAttrs (map
(site: with site.value;
{
name = hostname;
value =
{
rewriteHttps = true;
locations."/".static.root = "${inputs.pkgs.synapse-admin}";
};
value.location."/".static.root = "${inputs.pkgs.synapse-admin}";
})
(attrsToList instances));
};


@ -44,9 +44,9 @@ inputs:
];
default = {};
};
proxyProtocol = mkOption { type = types.bool; default = false; };
proxyProtocol = mkOption { type = types.bool; default = true; };
addToTransparentProxy = mkOption { type = types.bool; default = true; };
rewriteHttps = mkOption { type = types.bool; default = false; };
rewriteHttps = mkOption { type = types.bool; default = true; };
};})
]);
default = {};
@ -54,14 +54,14 @@ inputs:
};
https = mkOption
{
type = types.attrsOf (types.submodule { options =
type = types.attrsOf (types.submodule (siteSubmoduleInputs: { options =
{
global =
{
root = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
index = mkOption { type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr); default = null; };
detectAuth = mkOption { type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr); default = null; };
rewriteHttps = mkOption { type = types.bool; default = false; };
rewriteHttps = mkOption { type = types.bool; default = true; };
};
listen = mkOption
{
@ -75,18 +75,14 @@ inputs:
};});
default.main = {};
};
locations = mkOption
location = mkOption
{
type = types.attrsOf (types.submodule { options =
let
genericOptions =
{
# htpasswd -n username
detectAuth = mkOption
{
type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr);
default = null;
};
detectAuth = mkOption { type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr); default = null; };
};
in
{
@ -97,7 +93,11 @@ inputs:
{
upstream = mkOption { type = types.nonEmptyStr; };
websocket = mkOption { type = types.bool; default = false; };
setHeaders = mkOption { type = types.attrsOf types.str; default = {}; };
setHeaders = mkOption
{
type = types.attrsOf types.str;
default.Host = siteSubmoduleInputs.config._module.args.name;
};
# echo -n "username:password" | base64
addAuth = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
};});
@ -127,7 +127,7 @@ inputs:
};});
default = {};
};
};});
};}));
default = {};
};
http = mkOption
@ -157,7 +157,7 @@ inputs:
};
config =
let
inherit (inputs.lib) mkMerge mkIf;
inherit (inputs.lib) mkMerge mkIf mkDefault;
inherit (inputs.lib.string) escapeURL;
inherit (inputs.localLib) attrsToList;
inherit (inputs.config.nixos.services) nginx;
@ -406,7 +406,7 @@ inputs:
(concatLists (map
(site: (map
(location: { inherit (location) value; name = "${site.name} ${location.name}"; })
(attrsToList site.value.locations)))
(attrsToList site.value.location)))
(attrsToList nginx.https))))
# root should be specified either in global or in each location
++ (map
@ -418,7 +418,7 @@ inputs:
(concatLists (map
(site: (map
(location: { inherit (location) value; name = "${site.name} ${location.name}"; })
(attrsToList site.value.locations)))
(attrsToList site.value.location)))
(filter (site: site.value.global.root == null) (attrsToList nginx.https)))))
);
services.nginx.virtualHosts = listToAttrs (map
@ -500,7 +500,7 @@ inputs:
else {}
);
})
(attrsToList site.value.locations));
(attrsToList site.value.location));
};
})
(attrsToList nginx.https));
@ -534,6 +534,7 @@ inputs:
upstream.port = httpsPort + httpsPortShift.proxyProtocol
+ (if site.value.http2 then httpsPortShift.http2 else 0);
proxyProtocol = true;
rewiteHttps = mkDefault false;
};
})
(filter (listen: listen.value.proxyProtocol) listens));
@ -564,7 +565,7 @@ inputs:
httpsLocationTypes);
addAuth = location.value.proxy.addAuth or null;
})
(attrsToList site.value.locations))
(attrsToList site.value.location))
(attrsToList nginx.https)))
++ (map
(site:
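Review bot: `rewiteHttps = mkDefault false;` in the `@ -534,6 +534,7 @@` hunk misspells the option name; it should read `rewriteHttps = mkDefault false;`. Since the same commit flips the defaults of `proxyProtocol` and `rewriteHttps` to `true` in the `@ -44,9 +44,9 @@` and `@ -54,14 +54,14 @@` hunks, the entry built here either keeps `rewriteHttps = true` if the misspelled attribute is silently ignored, or fails evaluation as an undeclared option if it lands in a typed submodule — in both cases the intent of the added line is lost. The expression that builds this entry starts and ends outside the hunk, so which of the two outcomes applies cannot be confirmed from here.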


@ -0,0 +1,29 @@
inputs:
{
options.nixos.services.nix-serve = let inherit (inputs.lib) mkOption types; in
{
enable = mkOption { type = types.bool; default = false; };
hostname = mkOption { type = types.nonEmptyStr; };
};
config =
let
inherit (inputs.lib) mkMerge mkIf;
inherit (inputs.localLib) stripeTabs attrsToList;
inherit (inputs.config.nixos.services) nix-serve;
inherit (builtins) map listToAttrs toString;
in mkIf nix-serve.enable
{
services.nix-serve =
{
enable = true;
openFirewall = true;
secretKeyFile = inputs.config.sops.secrets."store/signingKey".path;
};
sops.secrets."store/signingKey" = {};
nixos.services.nginx =
{
enable = true;
https.${nix-serve.hostname}.location."/".proxy.upstream = "http://127.0.0.1:5000";
};
};
}
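Review bot: `openFirewall = true;` in the new `nix-serve.nix` opens nix-serve's listener on every interface, although the only client path this file sets up is the TLS virtual host `https.${nix-serve.hostname}` proxying to `http://127.0.0.1:5000` two lines below; unless another host relies on the raw port, `openFirewall = false;` keeps the plain-HTTP endpoint off the network while the nginx site keeps working. Separately, the `let` block inherits `mkMerge`, `stripeTabs`, `attrsToList`, `map`, `listToAttrs` and `toString`, none of which the body uses — leftovers from the old `default.nix` that can be reduced to `inherit (inputs.lib) mkIf;` and `inherit (inputs.config.nixos.services) nix-serve;`.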


@ -48,16 +48,10 @@ inputs:
nginx =
{
enable = true;
https.${photoprism.hostname} =
https.${photoprism.hostname}.location."/".proxy =
{
global.rewriteHttps = true;
listen.main.proxyProtocol = true;
location."/".proxy =
{
upstream = "http://127.0.0.1:${toString photoprism.port}";
websocket = true;
setHeaders.Host = photoprism.hostname;
};
upstream = "http://127.0.0.1:${toString photoprism.port}";
websocket = true;
};
};
};


@ -60,12 +60,7 @@ inputs:
nginx =
{
enable = true;
http.${rsshub.hostname} =
{
rewriteHttps = true;
locations."/".proxy =
{ upstream = "http://127.0.0.1:${toString rsshub.port}"; setHeaders.Host = rsshub.hostname; };
};
https.${rsshub.hostname}.location."/".proxy.upstream = "http://127.0.0.1:${toString rsshub.port}";
};
};
};


@ -104,13 +104,11 @@ inputs:
enable = true;
https.${synapse.hostname} =
{
global.rewriteHttps = true;
listen.main.proxyProtocol = true;
location."/".proxy =
{
upstream = "http://127.0.0.1:${toString synapse.port}";
websocket = true;
setHeaders.Host = synapse.hostname;
};
};
};


@ -70,8 +70,6 @@ inputs:
enable = true;
https.${vaultwarden.hostname} =
{
global.rewriteHttps = true;
listen.main.proxyProtocol = true;
location = listToAttrs
(
(map
@ -93,7 +91,6 @@ inputs:
{
upstream = "http://127.0.0.1:${toString vaultwarden.websocketPort}";
websocket = true;
setHeaders.Host = vaultwarden.hostname;
};
})
[ "/notifications/hub" ])


@ -512,10 +512,9 @@ inputs:
users = { users.v2ray = { isSystemUser = true; group = "v2ray"; }; groups.v2ray = {}; };
nixos.services =
{
acme = { enable = true; certs = [ xrayServer.serverName ]; };
nginx.transparentProxy.map."${xrayServer.serverName}" = 4726;
acme = { enable = true; cert.${xrayServer.serverName}.group = inputs.config.users.users.nginx.group; };
nginx = { enable = true; transparentProxy.map."${xrayServer.serverName}" = 4726; };
};
security.acme.certs.${xrayServer.serverName}.group = inputs.config.users.users.nginx.group;
}
))
];


@ -6,7 +6,7 @@ inputs:
port = mkOption { type = types.ints.unsigned; default = 3389; };
hostname = mkOption
{
type = types.nullOr (types.oneOf [ types.nonEmptyStr (types.listOf types.nonEmptyStr) ]);
type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr);
default = null;
};
};
@ -29,14 +29,21 @@ inputs:
mkIf (xrdp.hostname != null)
(
let
mainDomain = if builtins.typeOf xrdp.hostname == "string" then xrdp.hostname
else builtins.elemAt xrdp.hostname 0;
mainDomain = builtins.elemAt xrdp.hostname 0;
in
{
services.xrdp = let keydir = inputs.config.security.acme.certs.${mainDomain}.directory; in
{ sslCert = "${keydir}/full.pem"; sslKey = "${keydir}/key.pem"; };
nixos.services.acme = { enable = true; certs = [ xrdp.hostname ]; };
security.acme.certs.${mainDomain}.group = inputs.config.systemd.services.xrdp.serviceConfig.Group;
services.xrdp =
let keydir = inputs.config.security.acme.certs.${mainDomain}.directory;
in { sslCert = "${keydir}/full.pem"; sslKey = "${keydir}/key.pem"; };
nixos.services.acme =
{
enable = true;
cert.${mainDomain} =
{
domains = xrdp.hostname;
group = inputs.config.systemd.services.xrdp.serviceConfig.Group;
};
};
}
)
)