全部修改完成
This commit is contained in:
parent
69cb43e6f5
commit
fd799befd3
131
flake.nix
131
flake.nix
@ -198,13 +198,12 @@
|
||||
};
|
||||
};
|
||||
firewall.trustedInterfaces = [ "virbr0" "waydroid0" ];
|
||||
acme = { enable = true; certs = [ "debug.mirism.one" ]; };
|
||||
acme = { enable = true; cert."debug.mirism.one" = {}; };
|
||||
frpClient =
|
||||
{
|
||||
enable = true;
|
||||
serverName = "frp.chn.moe";
|
||||
user = "pc";
|
||||
tcp.store = { localPort = 443; remotePort = 7676; };
|
||||
};
|
||||
nix-serve = { enable = true; hostname = "nix-store.chn.moe"; };
|
||||
smartd.enable = true;
|
||||
@ -283,7 +282,7 @@
|
||||
{
|
||||
map =
|
||||
{
|
||||
"nix-store.chn.moe" = { upstream = "internal.pc.chn.moe:443"; rewriteHttps = true; };
|
||||
"nix-store.chn.moe" = { upstream = "internal.pc.chn.moe"; rewriteHttps = true; };
|
||||
"anchor.fm" = { upstream = "anchor.fm:443"; rewriteHttps = true; };
|
||||
"podcasters.spotify.com" = { upstream = "podcasters.spotify.com:443"; rewriteHttps = true; };
|
||||
"xlog.chn.moe" = { upstream = "cname.xlog.app:443"; rewriteHttps = true; };
|
||||
@ -297,7 +296,7 @@
|
||||
value =
|
||||
{ upstream.address = "internal.vps7.chn.moe"; proxyProtocol = true; rewriteHttps = true; };
|
||||
})
|
||||
[ "xn--s8w913fdga" "misskey" "nextcloud" "photoprism" "synapse" "vaultwarden" ]));
|
||||
[ "xn--s8w913fdga" "misskey" "synapse" ]));
|
||||
};
|
||||
applications =
|
||||
{
|
||||
@ -358,10 +357,7 @@
|
||||
fontconfig.enable = true;
|
||||
sshd.enable = true;
|
||||
rsshub.enable = true;
|
||||
nginx =
|
||||
{
|
||||
transparentProxy.externalIp = [ "95.111.228.40" "192.168.82.2" ];
|
||||
};
|
||||
nginx.transparentProxy.externalIp = [ "95.111.228.40" "192.168.82.2" ];
|
||||
wallabag.enable = true;
|
||||
misskey.instances =
|
||||
{
|
||||
@ -483,125 +479,6 @@
|
||||
users.users = [ "root" "chn" "xll" "zem" "yjq" "yxy" ];
|
||||
};})
|
||||
];
|
||||
"xmupc1" =
|
||||
[
|
||||
(inputs: { config.nixos =
|
||||
{
|
||||
system =
|
||||
{
|
||||
fileSystems =
|
||||
{
|
||||
mount =
|
||||
{
|
||||
vfat."/dev/disk/by-uuid/3F57-0EBE" = "/boot/efi";
|
||||
btrfs =
|
||||
{
|
||||
"/dev/disk/by-uuid/02e426ec-cfa2-4a18-b3a5-57ef04d66614"."/" = "/boot";
|
||||
"/dev/mapper/root" = { "/nix" = "/nix"; "/nix/rootfs/current" = "/"; };
|
||||
};
|
||||
};
|
||||
decrypt.auto =
|
||||
{
|
||||
"/dev/disk/by-uuid/55fdd19f-0f1d-4c37-bd4e-6df44fc31f26" = { mapper = "root"; ssd = true; };
|
||||
"/dev/md/swap" = { mapper = "swap"; ssd = true; before = [ "root" ]; };
|
||||
};
|
||||
mdadm =
|
||||
"ARRAY /dev/md/swap metadata=1.2 name=pc:swap UUID=2b546b8d:e38007c8:02990dd1:df9e23a4";
|
||||
swap = [ "/dev/mapper/swap" ];
|
||||
resume = "/dev/mapper/swap";
|
||||
rollingRootfs = { device = "/dev/mapper/root"; path = "/nix/rootfs"; };
|
||||
};
|
||||
grub.installDevice = "efi";
|
||||
nixpkgs = { march = "znver3"; cudaSupport = true; };
|
||||
nix =
|
||||
{
|
||||
marches =
|
||||
[
|
||||
"znver3" "znver2"
|
||||
# PREFETCHW RDRND XSAVE XSAVEOPT PTWRITE SGX GFNI-SSE MOVDIRI MOVDIR64B CLDEMOTE WAITPKG LZCNT
|
||||
# PCONFIG SERIALIZE HRESET KL WIDEKL AVX-VNNI
|
||||
"alderlake"
|
||||
# SAHF FXSR XSAVE
|
||||
"sandybridge"
|
||||
# SAHF FXSR PREFETCHW RDRND
|
||||
"silvermont"
|
||||
];
|
||||
substituters = [ "https://cache.nixos.org/" "https://nix-store.chn.moe" ];
|
||||
};
|
||||
gui.enable = true;
|
||||
kernel.patches = [ "cjktty" "preempt" ];
|
||||
impermanence.enable = true;
|
||||
networking.hostname = "xmupc1";
|
||||
sops = { enable = true; keyPathPrefix = "/nix/persistent"; };
|
||||
};
|
||||
hardware =
|
||||
{
|
||||
cpus = [ "intel" ];
|
||||
gpus = [ "intel" "nvidia" ];
|
||||
bluetooth.enable = true;
|
||||
joystick.enable = true;
|
||||
printer.enable = true;
|
||||
sound.enable = true;
|
||||
prime =
|
||||
{ enable = true; mode = "offload"; busId = { intel = "PCI:0:2:0"; nvidia = "PCI:1:0:0"; };};
|
||||
};
|
||||
packages.packageSet = "workstation";
|
||||
virtualization =
|
||||
{
|
||||
docker.enable = true;
|
||||
kvmHost = { enable = true; gui = true; };
|
||||
};
|
||||
services =
|
||||
{
|
||||
snapper = { enable = true; configs.persistent = "/nix/persistent"; };
|
||||
fontconfig.enable = true;
|
||||
samba =
|
||||
{
|
||||
enable = true;
|
||||
hostsAllowed = "192.168. 127.";
|
||||
shares =
|
||||
{
|
||||
media.path = "/run/media/chn";
|
||||
home.path = "/home/chn";
|
||||
mnt.path = "/mnt";
|
||||
share.path = "/home/chn/share";
|
||||
};
|
||||
};
|
||||
sshd.enable = true;
|
||||
xrayClient =
|
||||
{
|
||||
enable = true;
|
||||
serverAddress = "74.211.99.69";
|
||||
serverName = "vps6.xserver.chn.moe";
|
||||
dns =
|
||||
{
|
||||
extraInterfaces = [ "docker0" ];
|
||||
hosts =
|
||||
{
|
||||
"mirism.one" = "216.24.188.24";
|
||||
"beta.mirism.one" = "216.24.188.24";
|
||||
"ng01.mirism.one" = "216.24.188.24";
|
||||
"debug.mirism.one" = "127.0.0.1";
|
||||
"initrd.vps6.chn.moe" = "74.211.99.69";
|
||||
"nix-store.chn.moe" = "127.0.0.1";
|
||||
};
|
||||
};
|
||||
};
|
||||
firewall.trustedInterfaces = [ "virbr0" ];
|
||||
frpClient =
|
||||
{
|
||||
enable = true;
|
||||
serverName = "frp.chn.moe";
|
||||
user = "xmupc1";
|
||||
tcp.store = { localPort = 443; remotePort = 7676; };
|
||||
};
|
||||
smartd.enable = true;
|
||||
nginx.transparentProxy.enable = false;
|
||||
postgresql.enable = true;
|
||||
};
|
||||
bugs = [ "xmunet" "firefox" "embree" ];
|
||||
};})
|
||||
];
|
||||
"yoga" =
|
||||
[
|
||||
(inputs: { config.nixos =
|
||||
|
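Review bot: The forwarding list to `internal.vps7.chn.moe` drops `"nextcloud"`, `"photoprism"` and `"vaultwarden"`, yet the modules for those three services are still edited rather than removed in this same commit, and nothing in the hunk records where their hostnames are routed now — whether they moved to this host and are picked up by the auto-added proxy-protocol listens, or are simply no longer reachable through the transparent proxy. A short comment above the list would make that reviewable instead of inferred, e.g. `# only services still hosted on vps7; nextcloud/photoprism/vaultwarden are served from <host>` with the real host filled in. In the same `map`, `"nix-store.chn.moe"` is the only entry whose bare-string upstream lost its `:443` while `"anchor.fm:443"` and its neighbours keep it; if the string form carries no implicit port this silently changes the target, so either keep `:443` or switch to the `upstream.address` form the vps7 entries use. The `map` attribute set and the enclosing host definitions start and end outside these hunks.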
@ -25,8 +25,11 @@ inputs:
|
||||
no-cli = true;
|
||||
};
|
||||
sops.secrets."coturn/auth-secret".owner = inputs.config.systemd.services.coturn.serviceConfig.User;
|
||||
nixos.services.acme = { enable = true; certs = [ coturn.hostname ]; };
|
||||
security.acme.certs.${coturn.hostname}.group = inputs.config.systemd.services.coturn.serviceConfig.Group;
|
||||
nixos.services.acme =
|
||||
{
|
||||
enable = true;
|
||||
cert.${coturn.hostname}.group = inputs.config.systemd.services.coturn.serviceConfig.Group;
|
||||
};
|
||||
networking.firewall = with inputs.config.services.coturn;
|
||||
{
|
||||
allowedUDPPorts = [ listening-port tls-listening-port ];
|
||||
|
@ -25,19 +25,14 @@ inputs:
|
||||
./photoprism.nix
|
||||
./nextcloud.nix
|
||||
./freshrss.nix
|
||||
./kmscon.nix
|
||||
./fontconfig.nix
|
||||
./nix-serve.nix
|
||||
];
|
||||
options.nixos.services = let inherit (inputs.lib) mkOption types; in
|
||||
{
|
||||
kmscon.enable = mkOption { type = types.bool; default = false; };
|
||||
fontconfig.enable = mkOption { type = types.bool; default = false; };
|
||||
firewall.trustedInterfaces = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
|
||||
nix-serve =
|
||||
{
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
hostname = mkOption { type = types.nonEmptyStr; };
|
||||
};
|
||||
smartd.enable = mkOption { type = types.bool; default = false; };
|
||||
fileshelter.enable = mkOption { type = types.bool; default = false; };
|
||||
wallabag.enable = mkOption { type = types.bool; default = false; };
|
||||
noisetorch.enable = mkOption { type = types.bool; default = inputs.config.nixos.system.gui.preferred; };
|
||||
};
|
||||
@ -49,49 +44,7 @@ inputs:
|
||||
inherit (builtins) map listToAttrs toString;
|
||||
in mkMerge
|
||||
[
|
||||
(
|
||||
mkIf services.kmscon.enable
|
||||
{
|
||||
services.kmscon =
|
||||
{
|
||||
enable = true;
|
||||
fonts = [{ name = "FiraCode Nerd Font Mono"; package = inputs.pkgs.nerdfonts; }];
|
||||
};
|
||||
}
|
||||
)
|
||||
(
|
||||
mkIf services.fontconfig.enable
|
||||
{
|
||||
fonts =
|
||||
{
|
||||
fontDir.enable = true;
|
||||
fonts = with inputs.pkgs;
|
||||
[ noto-fonts source-han-sans source-han-serif source-code-pro hack-font jetbrains-mono nerdfonts ];
|
||||
fontconfig.defaultFonts =
|
||||
{
|
||||
emoji = [ "Noto Color Emoji" ];
|
||||
monospace = [ "Noto Sans Mono CJK SC" "Sarasa Mono SC" "DejaVu Sans Mono"];
|
||||
sansSerif = [ "Noto Sans CJK SC" "Source Han Sans SC" "DejaVu Sans" ];
|
||||
serif = [ "Noto Serif CJK SC" "Source Han Serif SC" "DejaVu Serif" ];
|
||||
};
|
||||
};
|
||||
}
|
||||
)
|
||||
{ networking.firewall.trustedInterfaces = services.firewall.trustedInterfaces; }
|
||||
(
|
||||
mkIf services.nix-serve.enable
|
||||
{
|
||||
services.nix-serve =
|
||||
{
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
secretKeyFile = inputs.config.sops.secrets."store/signingKey".path;
|
||||
};
|
||||
sops.secrets."store/signingKey" = {};
|
||||
nixos.services.nginx.http.${services.nix-serve.hostname} =
|
||||
{ rewriteHttps = true; locations."/".proxy.upstream = "http://127.0.0.1:5000"; };
|
||||
}
|
||||
)
|
||||
(mkIf services.smartd.enable { services.smartd.enable = true; })
|
||||
(
|
||||
mkIf services.wallabag.enable
|
||||
@ -111,11 +64,6 @@ inputs:
|
||||
extraOptions = [ "--add-host=host.docker.internal:host-gateway" ];
|
||||
environmentFiles = [ inputs.config.sops.templates."wallabag/env".path ];
|
||||
};
|
||||
# systemd.services.docker-wallabag.serviceConfig =
|
||||
# {
|
||||
# User = "wallabag";
|
||||
# Group = "wallabag";
|
||||
# };
|
||||
sops =
|
||||
{
|
||||
templates."wallabag/env".content =
|
||||
@ -139,33 +87,7 @@ inputs:
|
||||
# SYMFONY__ENV__MAILER_DSN=smtp://bot%%40chn.moe@${placeholder."mail/bot-encoded"}:mail.chn.moe
|
||||
# SYMFONY__ENV__FROM_EMAIL=bot@chn.moe
|
||||
# SYMFONY__ENV__TWOFACTOR_SENDER=bot@chn.moe
|
||||
secrets =
|
||||
{
|
||||
"redis/wallabag".owner = inputs.config.users.users.redis-wallabag.name;
|
||||
"postgresql/wallabag" = {};
|
||||
"mail/bot-encoded" = {};
|
||||
};
|
||||
};
|
||||
services =
|
||||
{
|
||||
redis.servers.wallabag =
|
||||
{
|
||||
enable = true;
|
||||
bind = null;
|
||||
port = 8790;
|
||||
requirePassFile = inputs.config.sops.secrets."redis/wallabag".path;
|
||||
};
|
||||
postgresql =
|
||||
{
|
||||
ensureDatabases = [ "wallabag" ];
|
||||
ensureUsers =
|
||||
[{
|
||||
name = "wallabag";
|
||||
ensurePermissions."DATABASE \"wallabag\"" = "ALL PRIVILEGES";
|
||||
}];
|
||||
# ALTER DATABASE db_name OWNER TO new_owner_name
|
||||
# sudo docker exec -t wallabag /var/www/wallabag/bin/console wallabag:install --env=prod --no-interaction
|
||||
};
|
||||
secrets."mail/bot-encoded" = {};
|
||||
};
|
||||
nixos =
|
||||
{
|
||||
@ -174,21 +96,14 @@ inputs:
|
||||
nginx =
|
||||
{
|
||||
enable = true;
|
||||
http."wallabag.chn.moe" =
|
||||
{
|
||||
rewriteHttps = true;
|
||||
locations."/".proxy = { upstream = "http://127.0.0.1:4398"; setHeaders.Host = "wallabag.chn.moe"; };
|
||||
};
|
||||
https."wallabag.chn.moe".location."/".proxy.upstream = "http://127.0.0.1:4398";
|
||||
};
|
||||
postgresql.enable = true;
|
||||
postgresql = { enable = true; instances.wallabag = {}; };
|
||||
redis.instances.wallabag.port = 8790;
|
||||
};
|
||||
# TODO: root docker use config of rootless docker?
|
||||
virtualization.docker.enable = true;
|
||||
};
|
||||
# users =
|
||||
# {
|
||||
# users.wallabag = { isSystemUser = true; group = "wallabag"; autoSubUidGidRange = true; };
|
||||
# groups.wallabag = {};
|
||||
# };
|
||||
}
|
||||
)
|
||||
(mkIf services.noisetorch.enable { programs.noisetorch.enable = true; })
|
||||
|
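Review bot: The wallabag hunk replaces the explicit `services.redis.servers.wallabag` block — which had `bind = null` (listen on every interface) guarded by `requirePassFile` — with `redis.instances.wallabag.port = 8790;`, and the `redis/wallabag` and `postgresql/wallabag` secrets vanish from this file, so whether the new instance still binds beyond loopback and still requires a password is now decided in a module not shown here. The wallabag container reaches the host through `--add-host=host.docker.internal:host-gateway`, so the instance must be reachable from the docker bridge; it is worth confirming that the `redis.instances` module limits the bind to that bridge (or keeps `requirePass`) rather than inheriting an open `bind = null`, and a comment such as `# redis must be reachable from the wallabag container via host.docker.internal` would record why loopback alone is not enough. The surrounding `mkMerge` list and the wallabag `mkIf` body start and end outside these hunks.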
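--- /dev/null
+++ b/modules/services/fontconfig.nix
@@ -0,0 +1,27 @@
+inputs:
+{
+options.nixos.services.fontconfig = let inherit (inputs.lib) mkOption types; in
+{
+enable = mkOption { type = types.bool; default = false; };
+};
+config =
+let
+inherit (inputs.lib) mkIf;
+inherit (inputs.config.nixos.services) fontconfig;
+in mkIf fontconfig.enable
+{
+fonts =
+{
+fontDir.enable = true;
+fonts = with inputs.pkgs;
+[ noto-fonts source-han-sans source-han-serif source-code-pro hack-font jetbrains-mono nerdfonts ];
+fontconfig.defaultFonts =
+{
+emoji = [ "Noto Color Emoji" ];
+monospace = [ "Noto Sans Mono CJK SC" "Sarasa Mono SC" "DejaVu Sans Mono"];
+sansSerif = [ "Noto Sans CJK SC" "Source Han Sans SC" "DejaVu Sans" ];
+serif = [ "Noto Serif CJK SC" "Source Han Serif SC" "DejaVu Serif" ];
+};
+};
+};
+}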
@ -37,10 +37,9 @@ inputs:
|
||||
nixos.services =
|
||||
{
|
||||
mariadb = { enable = true; instances.freshrss = {}; };
|
||||
nginx.http.${freshrss.hostname} =
|
||||
nginx.https.${freshrss.hostname} =
|
||||
{
|
||||
rewriteHttps = true;
|
||||
locations =
|
||||
location =
|
||||
{
|
||||
"/".static =
|
||||
{
|
||||
|
@ -179,8 +179,11 @@ inputs:
|
||||
};
|
||||
secrets."frp/token" = {};
|
||||
};
|
||||
nixos.services.acme = { enable = true; certs = [ frpServer.serverName ]; };
|
||||
security.acme.certs.${frpServer.serverName}.group = "frp";
|
||||
nixos.services.acme =
|
||||
{
|
||||
enable = true;
|
||||
cert.${frpServer.serverName}.group = "frp";
|
||||
};
|
||||
users = { users.frp = { isSystemUser = true; group = "frp"; }; groups.frp = {}; };
|
||||
networking.firewall.allowedTCPPorts = [ 7000 ];
|
||||
}
|
||||
|
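--- /dev/null
+++ b/modules/services/kmscon.nix
@@ -0,0 +1,19 @@
+inputs:
+{
+options.nixos.services.kmscon = let inherit (inputs.lib) mkOption types; in
+{
+enable = mkOption { type = types.bool; default = false; };
+};
+config =
+let
+inherit (inputs.lib) mkIf;
+inherit (inputs.config.nixos.services) kmscon;
+in mkIf kmscon.enable
+{
+services.kmscon =
+{
+enable = true;
+fonts = [{ name = "FiraCode Nerd Font Mono"; package = inputs.pkgs.nerdfonts; }];
+};
+};
+}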
@ -169,13 +169,11 @@ inputs:
|
||||
name = hostname;
|
||||
value =
|
||||
{
|
||||
global.rewriteHttps = true;
|
||||
listen.main.proxyProtocol = true;
|
||||
locations."/".proxy =
|
||||
location."/".proxy =
|
||||
{
|
||||
upstream = "http://127.0.0.1:${toString port}";
|
||||
websocket = true;
|
||||
setHeaders.Host = hostname;
|
||||
};
|
||||
};
|
||||
})
|
||||
|
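Review bot: Two of the three explicit settings that this commit turns into defaults elsewhere in nginx.nix — `global.rewriteHttps = true`, `listen.main.proxyProtocol = true`, `setHeaders.Host = hostname` — are removed here alongside the `locations` → `location` rename, and the `-13/+11` header implies the third one stays; whichever survives now only restates a default (`rewriteHttps` and `proxyProtocol` default to true, `setHeaders.Host` defaults to the site name), while the nextcloud, photoprism and vaultwarden hunks appear to drop all three. Remove the remaining line for consistency, or mark it `# explicit on purpose` if it is meant to outlive a future default change. The `map` over instances and the `value` attribute set begin and end outside this hunk.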
@ -70,11 +70,7 @@ inputs:
|
||||
nginx =
|
||||
{
|
||||
enable = true;
|
||||
https.${nextcloud.hostname} =
|
||||
{
|
||||
global.rewriteHttps = true;
|
||||
listen.main.proxyProtocol = true;
|
||||
};
|
||||
https.${nextcloud.hostname} = {};
|
||||
};
|
||||
};
|
||||
sops =
|
||||
|
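Review bot: `https.${nextcloud.hostname} = {};` declares a site with neither a `location` nor a `global.root`, relying on the new defaults (`proxyProtocol` and `rewriteHttps` both true) and, presumably, on the nixpkgs nextcloud module populating the real virtualHost; that dependency is invisible at this line, and nginx.nix's own comment says a root should be given in `global` or per location, so a reader cannot tell whether the empty site is intentional. A comment would settle it, e.g. `# locations/root come from services.nextcloud's virtualHost; this entry only adds the listen/TLS defaults`. The enclosing `nginx` and `nixos.services` attribute sets start and end outside this hunk.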
@ -20,21 +20,17 @@ inputs:
|
||||
(instance: with instance.value;
|
||||
{
|
||||
name = hostname;
|
||||
value =
|
||||
{
|
||||
global.rewriteHttps = true;
|
||||
locations."/".static.root =
|
||||
if defaultServer == null then toString inputs.pkgs.element-web
|
||||
else toString (inputs.pkgs.element-web.override { conf =
|
||||
value.location."/".static.root =
|
||||
if defaultServer == null then toString inputs.pkgs.element-web
|
||||
else toString (inputs.pkgs.element-web.override { conf =
|
||||
{
|
||||
default_server_config."m.homeserver" =
|
||||
{
|
||||
default_server_config."m.homeserver" =
|
||||
{
|
||||
base_url = "https://${defaultServer}";
|
||||
server_name = defaultServer;
|
||||
};
|
||||
disable_guests = false;
|
||||
};});
|
||||
};
|
||||
base_url = "https://${defaultServer}";
|
||||
server_name = defaultServer;
|
||||
};
|
||||
disable_guests = false;
|
||||
};});
|
||||
})
|
||||
(attrsToList instances));
|
||||
};
|
||||
|
@ -14,15 +14,11 @@ inputs:
|
||||
inherit (builtins) map listToAttrs;
|
||||
in
|
||||
{
|
||||
nixos.services.nginx.http = listToAttrs (map
|
||||
(http: with http.value;
|
||||
nixos.services.nginx.https = listToAttrs (map
|
||||
(site: with site.value;
|
||||
{
|
||||
name = hostname;
|
||||
value =
|
||||
{
|
||||
rewriteHttps = true;
|
||||
locations."/".static.root = "${inputs.pkgs.synapse-admin}";
|
||||
};
|
||||
value.location."/".static.root = "${inputs.pkgs.synapse-admin}";
|
||||
})
|
||||
(attrsToList instances));
|
||||
};
|
||||
|
@ -44,9 +44,9 @@ inputs:
|
||||
];
|
||||
default = {};
|
||||
};
|
||||
proxyProtocol = mkOption { type = types.bool; default = false; };
|
||||
proxyProtocol = mkOption { type = types.bool; default = true; };
|
||||
addToTransparentProxy = mkOption { type = types.bool; default = true; };
|
||||
rewriteHttps = mkOption { type = types.bool; default = false; };
|
||||
rewriteHttps = mkOption { type = types.bool; default = true; };
|
||||
};})
|
||||
]);
|
||||
default = {};
|
||||
@ -54,14 +54,14 @@ inputs:
|
||||
};
|
||||
https = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule { options =
|
||||
type = types.attrsOf (types.submodule (siteSubmoduleInputs: { options =
|
||||
{
|
||||
global =
|
||||
{
|
||||
root = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
index = mkOption { type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr); default = null; };
|
||||
detectAuth = mkOption { type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr); default = null; };
|
||||
rewriteHttps = mkOption { type = types.bool; default = false; };
|
||||
rewriteHttps = mkOption { type = types.bool; default = true; };
|
||||
};
|
||||
listen = mkOption
|
||||
{
|
||||
@ -75,18 +75,14 @@ inputs:
|
||||
};});
|
||||
default.main = {};
|
||||
};
|
||||
locations = mkOption
|
||||
location = mkOption
|
||||
{
|
||||
type = types.attrsOf (types.submodule { options =
|
||||
let
|
||||
genericOptions =
|
||||
{
|
||||
# htpasswd -n username
|
||||
detectAuth = mkOption
|
||||
{
|
||||
type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr);
|
||||
default = null;
|
||||
};
|
||||
detectAuth = mkOption { type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr); default = null; };
|
||||
};
|
||||
in
|
||||
{
|
||||
@ -97,7 +93,11 @@ inputs:
|
||||
{
|
||||
upstream = mkOption { type = types.nonEmptyStr; };
|
||||
websocket = mkOption { type = types.bool; default = false; };
|
||||
setHeaders = mkOption { type = types.attrsOf types.str; default = {}; };
|
||||
setHeaders = mkOption
|
||||
{
|
||||
type = types.attrsOf types.str;
|
||||
default.Host = siteSubmoduleInputs.config._module.args.name;
|
||||
};
|
||||
# echo -n "username:password" | base64
|
||||
addAuth = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
};});
|
||||
@ -127,7 +127,7 @@ inputs:
|
||||
};});
|
||||
default = {};
|
||||
};
|
||||
};});
|
||||
};}));
|
||||
default = {};
|
||||
};
|
||||
http = mkOption
|
||||
@ -157,7 +157,7 @@ inputs:
|
||||
};
|
||||
config =
|
||||
let
|
||||
inherit (inputs.lib) mkMerge mkIf;
|
||||
inherit (inputs.lib) mkMerge mkIf mkDefault;
|
||||
inherit (inputs.lib.string) escapeURL;
|
||||
inherit (inputs.localLib) attrsToList;
|
||||
inherit (inputs.config.nixos.services) nginx;
|
||||
@ -406,7 +406,7 @@ inputs:
|
||||
(concatLists (map
|
||||
(site: (map
|
||||
(location: { inherit (location) value; name = "${site.name} ${location.name}"; })
|
||||
(attrsToList site.value.locations)))
|
||||
(attrsToList site.value.location)))
|
||||
(attrsToList nginx.https))))
|
||||
# root should be specified either in global or in each location
|
||||
++ (map
|
||||
@ -418,7 +418,7 @@ inputs:
|
||||
(concatLists (map
|
||||
(site: (map
|
||||
(location: { inherit (location) value; name = "${site.name} ${location.name}"; })
|
||||
(attrsToList site.value.locations)))
|
||||
(attrsToList site.value.location)))
|
||||
(filter (site: site.value.global.root == null) (attrsToList nginx.https)))))
|
||||
);
|
||||
services.nginx.virtualHosts = listToAttrs (map
|
||||
@ -500,7 +500,7 @@ inputs:
|
||||
else {}
|
||||
);
|
||||
})
|
||||
(attrsToList site.value.locations));
|
||||
(attrsToList site.value.location));
|
||||
};
|
||||
})
|
||||
(attrsToList nginx.https));
|
||||
@ -534,6 +534,7 @@ inputs:
|
||||
upstream.port = httpsPort + httpsPortShift.proxyProtocol
|
||||
+ (if site.value.http2 then httpsPortShift.http2 else 0);
|
||||
proxyProtocol = true;
|
||||
rewiteHttps = mkDefault false;
|
||||
};
|
||||
})
|
||||
(filter (listen: listen.value.proxyProtocol) listens));
|
||||
@ -564,7 +565,7 @@ inputs:
|
||||
httpsLocationTypes);
|
||||
addAuth = location.value.proxy.addAuth or null;
|
||||
})
|
||||
(attrsToList site.value.locations))
|
||||
(attrsToList site.value.location))
|
||||
(attrsToList nginx.https)))
|
||||
++ (map
|
||||
(site:
|
||||
|
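Review bot: `rewiteHttps = mkDefault false;` in the generated transparent-proxy entry is misspelled; the option declared earlier in this file is `rewriteHttps`, so a strict submodule will reject the unknown attribute, and a freeform one would silently leave every auto-added proxy-protocol entry at the new default `rewriteHttps = true`. The line should read `rewriteHttps = mkDefault false;`. Separately, `default.Host = siteSubmoduleInputs.config._module.args.name;` reaches through the internal `_module` attribute although the submodule function already receives the key as an argument, so `default.Host = siteSubmoduleInputs.name;` expresses the same default without depending on internals. These hunks are fragments of one large module whose option declarations and config begin and end outside this view.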
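--- /dev/null
+++ b/modules/services/nix-serve.nix
@@ -0,0 +1,29 @@
+inputs:
+{
+options.nixos.services.nix-serve = let inherit (inputs.lib) mkOption types; in
+{
+enable = mkOption { type = types.bool; default = false; };
+hostname = mkOption { type = types.nonEmptyStr; };
+};
+config =
+let
+inherit (inputs.lib) mkMerge mkIf;
+inherit (inputs.localLib) stripeTabs attrsToList;
+inherit (inputs.config.nixos.services) nix-serve;
+inherit (builtins) map listToAttrs toString;
+in mkIf nix-serve.enable
+{
+services.nix-serve =
+{
+enable = true;
+openFirewall = true;
+secretKeyFile = inputs.config.sops.secrets."store/signingKey".path;
+};
+sops.secrets."store/signingKey" = {};
+nixos.services.nginx =
+{
+enable = true;
+https.${nix-serve.hostname}.location."/".proxy.upstream = "http://127.0.0.1:5000";
+};
+};
+}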
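Review bot: `openFirewall = true;` opens nix-serve's own port on every interface while the same module already fronts it through `https.${nix-serve.hostname}` proxying to `http://127.0.0.1:5000`; if the cache is meant to be reached only via nginx, the direct port is a second, plain-HTTP path to the store listing that the TLS front does not cover, so drop `openFirewall = true;` and bind the daemon to loopback (nixpkgs' `bindAddress = "127.0.0.1";`, if that is the option in use here). The `let` block also inherits `mkMerge`, `stripeTabs`, `attrsToList`, `map`, `listToAttrs` and `toString`, none of which the body uses; trimming it to `inherit (inputs.lib) mkIf;` and `inherit (inputs.config.nixos.services) nix-serve;` keeps the new file honest. Whether the unit can read the root-owned sops secret at `store/signingKey` under the user it runs as is not visible here and is worth confirming on first deploy.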
@ -48,16 +48,10 @@ inputs:
|
||||
nginx =
|
||||
{
|
||||
enable = true;
|
||||
https.${photoprism.hostname} =
|
||||
https.${photoprism.hostname}.location."/".proxy =
|
||||
{
|
||||
global.rewriteHttps = true;
|
||||
listen.main.proxyProtocol = true;
|
||||
location."/".proxy =
|
||||
{
|
||||
upstream = "http://127.0.0.1:${toString photoprism.port}";
|
||||
websocket = true;
|
||||
setHeaders.Host = photoprism.hostname;
|
||||
};
|
||||
upstream = "http://127.0.0.1:${toString photoprism.port}";
|
||||
websocket = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -60,12 +60,7 @@ inputs:
|
||||
nginx =
|
||||
{
|
||||
enable = true;
|
||||
http.${rsshub.hostname} =
|
||||
{
|
||||
rewriteHttps = true;
|
||||
locations."/".proxy =
|
||||
{ upstream = "http://127.0.0.1:${toString rsshub.port}"; setHeaders.Host = rsshub.hostname; };
|
||||
};
|
||||
https.${rsshub.hostname}.location."/".proxy.upstream = "http://127.0.0.1:${toString rsshub.port}";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -104,13 +104,11 @@ inputs:
|
||||
enable = true;
|
||||
https.${synapse.hostname} =
|
||||
{
|
||||
global.rewriteHttps = true;
|
||||
listen.main.proxyProtocol = true;
|
||||
location."/".proxy =
|
||||
{
|
||||
upstream = "http://127.0.0.1:${toString synapse.port}";
|
||||
websocket = true;
|
||||
setHeaders.Host = synapse.hostname;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
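Review bot: `setHeaders.Host = synapse.hostname;` survives this hunk while `global.rewriteHttps = true` and `listen.main.proxyProtocol = true` are dropped as now-default, yet nginx.nix in this same commit also makes the site name the default `Host` header, so the remaining line merely restates a default; the vaultwarden and photoprism hunks drop the equivalent line. Remove it here for consistency, or keep it with `# explicit Host on purpose` if synapse should not follow the default. The `https.${synapse.hostname}` site and the enclosing `nginx` set start and end outside this hunk.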
@ -70,8 +70,6 @@ inputs:
|
||||
enable = true;
|
||||
https.${vaultwarden.hostname} =
|
||||
{
|
||||
global.rewriteHttps = true;
|
||||
listen.main.proxyProtocol = true;
|
||||
location = listToAttrs
|
||||
(
|
||||
(map
|
||||
@ -93,7 +91,6 @@ inputs:
|
||||
{
|
||||
upstream = "http://127.0.0.1:${toString vaultwarden.websocketPort}";
|
||||
websocket = true;
|
||||
setHeaders.Host = vaultwarden.hostname;
|
||||
};
|
||||
})
|
||||
[ "/notifications/hub" ])
|
||||
|
@ -512,10 +512,9 @@ inputs:
|
||||
users = { users.v2ray = { isSystemUser = true; group = "v2ray"; }; groups.v2ray = {}; };
|
||||
nixos.services =
|
||||
{
|
||||
acme = { enable = true; certs = [ xrayServer.serverName ]; };
|
||||
nginx.transparentProxy.map."${xrayServer.serverName}" = 4726;
|
||||
acme = { enable = true; cert.${xrayServer.serverName}.group = inputs.config.users.users.nginx.group; };
|
||||
nginx = { enable = true; transparentProxy.map."${xrayServer.serverName}" = 4726; };
|
||||
};
|
||||
security.acme.certs.${xrayServer.serverName}.group = inputs.config.users.users.nginx.group;
|
||||
}
|
||||
))
|
||||
];
|
||||
|
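Review bot: The certificate for `xrayServer.serverName` is handed to nginx's group while the only service user created in this hunk is `v2ray`; with nginx's transparent proxy forwarding the SNI to local port 4726, the TLS endpoint behind it is presumably xray itself, which would then need to read `key.pem` as `v2ray`, not as nginx. This was already the case before the commit, but since the hunk now rewrites the acme and nginx wiring it is the place to either add the user to that group (`users.users.v2ray.extraGroups = [ inputs.config.users.users.nginx.group ];`) or leave a comment explaining how xray obtains the key. The `users.users.v2ray` line is context, and the surrounding module body starts and ends outside the hunk.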
@ -6,7 +6,7 @@ inputs:
|
||||
port = mkOption { type = types.ints.unsigned; default = 3389; };
|
||||
hostname = mkOption
|
||||
{
|
||||
type = types.nullOr (types.oneOf [ types.nonEmptyStr (types.listOf types.nonEmptyStr) ]);
|
||||
type = types.nullOr (types.nonEmptyListOf types.nonEmptyStr);
|
||||
default = null;
|
||||
};
|
||||
};
|
||||
@ -29,14 +29,21 @@ inputs:
|
||||
mkIf (xrdp.hostname != null)
|
||||
(
|
||||
let
|
||||
mainDomain = if builtins.typeOf xrdp.hostname == "string" then xrdp.hostname
|
||||
else builtins.elemAt xrdp.hostname 0;
|
||||
mainDomain = builtins.elemAt xrdp.hostname 0;
|
||||
in
|
||||
{
|
||||
services.xrdp = let keydir = inputs.config.security.acme.certs.${mainDomain}.directory; in
|
||||
{ sslCert = "${keydir}/full.pem"; sslKey = "${keydir}/key.pem"; };
|
||||
nixos.services.acme = { enable = true; certs = [ xrdp.hostname ]; };
|
||||
security.acme.certs.${mainDomain}.group = inputs.config.systemd.services.xrdp.serviceConfig.Group;
|
||||
services.xrdp =
|
||||
let keydir = inputs.config.security.acme.certs.${mainDomain}.directory;
|
||||
in { sslCert = "${keydir}/full.pem"; sslKey = "${keydir}/key.pem"; };
|
||||
nixos.services.acme =
|
||||
{
|
||||
enable = true;
|
||||
cert.${mainDomain} =
|
||||
{
|
||||
domains = xrdp.hostname;
|
||||
group = inputs.config.systemd.services.xrdp.serviceConfig.Group;
|
||||
};
|
||||
};
|
||||
}
|
||||
)
|
||||
)
|
||||
|
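Review bot: `cert.${mainDomain} = { domains = xrdp.hostname; … }` passes the whole list, including `mainDomain` itself as its first element, as the certificate's domains; whether the acme wrapper treats `domains` as the full SAN list or as extra names in addition to the attribute key is not visible here, and in the latter case the main domain would be listed twice. Confirm the wrapper's meaning, and if it maps onto nixpkgs' `extraDomainNames` use `domains = builtins.tail xrdp.hostname;`. Narrowing `hostname` to `nullOr (nonEmptyListOf nonEmptyStr)` also turns every existing string-valued `xrdp.hostname` into an evaluation error, which is fine if no host sets it that way but deserves a line in the commit message. The `mkIf (xrdp.hostname != null)` expression's enclosing config starts outside the second hunk.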