Compare commits
3 Commits
2356bbb83b
...
eb5e634125
Author | SHA1 | Date | |
---|---|---|---|
eb5e634125 | |||
06763b5920 | |||
50b79be223 |
@ -64,7 +64,7 @@ inputs:
|
||||
main.enable = true;
|
||||
};
|
||||
};
|
||||
coturn.enable = true;
|
||||
coturn = {};
|
||||
httpua.enable = true;
|
||||
mirism.enable = true;
|
||||
fail2ban.enable = true;
|
||||
|
@ -58,7 +58,7 @@ inputs:
|
||||
freshrss.enable = true;
|
||||
send.enable = true;
|
||||
huginn.enable = true;
|
||||
fz-new-order.enable = true;
|
||||
fz-new-order = {};
|
||||
nginx.applications = { kkmeeting.enable = true; webdav.instances."webdav.chn.moe" = {}; };
|
||||
httpapi.enable = true;
|
||||
gitea.enable = true;
|
||||
|
@ -1,46 +1,43 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.services.acme = let inherit (inputs.lib) mkOption types; in
|
||||
options.nixos.services.acme = let inherit (inputs.lib) mkOption types; in mkOption
|
||||
{
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
cert = mkOption
|
||||
type = types.nullOr (types.submodule { options =
|
||||
{
|
||||
type = types.attrsOf (types.submodule (submoduleInputs: { options =
|
||||
cert = mkOption
|
||||
{
|
||||
domains = mkOption
|
||||
{ type = types.nonEmptyListOf types.nonEmptyStr; default = [ submoduleInputs.config._module.args.name ]; };
|
||||
group = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
};}));
|
||||
default = {};
|
||||
};
|
||||
};
|
||||
config =
|
||||
let
|
||||
inherit (inputs.lib) mkIf;
|
||||
inherit (inputs.config.nixos.services) acme;
|
||||
inherit (builtins) map listToAttrs;
|
||||
inherit (inputs.localLib) attrsToList;
|
||||
in mkIf acme.enable
|
||||
{
|
||||
security.acme =
|
||||
{
|
||||
acceptTerms = true;
|
||||
defaults.email = "chn@chn.moe";
|
||||
certs = listToAttrs (map
|
||||
(cert:
|
||||
{
|
||||
name = builtins.elemAt cert.value.domains 0;
|
||||
value =
|
||||
{
|
||||
dnsResolver = "8.8.8.8";
|
||||
dnsProvider = "cloudflare";
|
||||
credentialsFile = inputs.config.sops.secrets."acme/cloudflare.ini".path;
|
||||
extraDomainNames = builtins.tail cert.value.domains;
|
||||
group = mkIf (cert.value.group != null) cert.value.group;
|
||||
};
|
||||
})
|
||||
(attrsToList acme.cert));
|
||||
type = types.attrsOf (types.submodule (submoduleInputs: { options =
|
||||
{
|
||||
domains = mkOption
|
||||
{ type = types.nonEmptyListOf types.nonEmptyStr; default = [ submoduleInputs.config._module.args.name ]; };
|
||||
group = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
|
||||
};}));
|
||||
default = {};
|
||||
};
|
||||
sops.secrets."acme/cloudflare.ini" = {};
|
||||
};});
|
||||
default = null;
|
||||
};
|
||||
config = let inherit (inputs.config.nixos.services) acme; in inputs.lib.mkIf (acme != null)
|
||||
{
|
||||
security.acme =
|
||||
{
|
||||
acceptTerms = true;
|
||||
defaults.email = "chn@chn.moe";
|
||||
certs = builtins.listToAttrs (builtins.map
|
||||
(cert:
|
||||
{
|
||||
name = builtins.elemAt cert.value.domains 0;
|
||||
value =
|
||||
{
|
||||
dnsResolver = "8.8.8.8";
|
||||
dnsProvider = "cloudflare";
|
||||
credentialsFile = inputs.config.sops.secrets."acme/cloudflare.ini".path;
|
||||
extraDomainNames = builtins.tail cert.value.domains;
|
||||
group = inputs.lib.mkIf (cert.value.group != null) cert.value.group;
|
||||
};
|
||||
})
|
||||
(inputs.lib.localLib.attrsToList acme.cert));
|
||||
};
|
||||
sops.secrets."acme/cloudflare.ini" = {};
|
||||
};
|
||||
}
|
||||
|
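Review bot: The `certs = builtins.listToAttrs (builtins.map …` expression keys each certificate by the first entry of `domains`, not by the attribute name under `nixos.services.acme.cert`, and `listToAttrs` keeps only the first of two entries with the same name. Two `cert` entries whose `domains` lists start with the same host (or one whose attribute key differs from its first domain, as the xrdp usage in this commit appears to do) therefore collide silently: the later entry's `group` is dropped, and a consumer that reads `security.acme.certs.${key}.directory` by its own key either fails to evaluate or picks up a certificate whose `group` gives a different service access to the private key. Keying by the attribute name while keeping the first domain as the certificate's CN, `name = cert.name;` plus `domain = builtins.elemAt cert.value.domains 0;` inside `value`, keeps lookups and group assignments unambiguous (presumably `attrsToList` yields `{ name, value }` pairs, since `cert.value` is already used here); at minimum an assertion that `builtins.elemAt cert.value.domains 0 == cert.name` would turn the silent merge into an evaluation error.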
@ -1,37 +1,32 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.services.coturn = let inherit (inputs.lib) mkOption types; in
|
||||
options.nixos.services.coturn = let inherit (inputs.lib) mkOption types; in mkOption
|
||||
{
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
hostname = mkOption { type = types.str; default = "coturn.chn.moe"; };
|
||||
type = types.nullOr (types.submodule { options =
|
||||
{
|
||||
hostname = mkOption { type = types.str; default = "coturn.chn.moe"; };
|
||||
};});
|
||||
default = null;
|
||||
};
|
||||
config = let inherit (inputs.config.nixos.services) coturn; in inputs.lib.mkIf (coturn != null)
|
||||
{
|
||||
services.coturn = let keydir = inputs.config.security.acme.certs.${coturn.hostname}.directory; in
|
||||
{
|
||||
enable = true;
|
||||
use-auth-secret = true;
|
||||
static-auth-secret-file = inputs.config.sops.secrets."coturn/auth-secret".path;
|
||||
realm = coturn.hostname;
|
||||
cert = "${keydir}/full.pem";
|
||||
pkey = "${keydir}/key.pem";
|
||||
no-cli = true;
|
||||
};
|
||||
sops.secrets."coturn/auth-secret".owner = inputs.config.systemd.services.coturn.serviceConfig.User;
|
||||
nixos.services.acme.cert.${coturn.hostname}.group = inputs.config.systemd.services.coturn.serviceConfig.Group;
|
||||
networking.firewall = with inputs.config.services.coturn;
|
||||
{
|
||||
allowedUDPPorts = [ listening-port tls-listening-port ];
|
||||
allowedTCPPorts = [ listening-port tls-listening-port ];
|
||||
allowedUDPPortRanges = [{ from = min-port; to = max-port; }];
|
||||
};
|
||||
};
|
||||
config =
|
||||
let
|
||||
inherit (inputs.config.nixos.services) coturn;
|
||||
inherit (inputs.lib) mkIf;
|
||||
in mkIf coturn.enable
|
||||
{
|
||||
services.coturn = let keydir = inputs.config.security.acme.certs.${coturn.hostname}.directory; in
|
||||
{
|
||||
enable = true;
|
||||
use-auth-secret = true;
|
||||
static-auth-secret-file = inputs.config.sops.secrets."coturn/auth-secret".path;
|
||||
realm = coturn.hostname;
|
||||
cert = "${keydir}/full.pem";
|
||||
pkey = "${keydir}/key.pem";
|
||||
no-cli = true;
|
||||
};
|
||||
sops.secrets."coturn/auth-secret".owner = inputs.config.systemd.services.coturn.serviceConfig.User;
|
||||
nixos.services.acme =
|
||||
{
|
||||
enable = true;
|
||||
cert.${coturn.hostname}.group = inputs.config.systemd.services.coturn.serviceConfig.Group;
|
||||
};
|
||||
networking.firewall = with inputs.config.services.coturn;
|
||||
{
|
||||
allowedUDPPorts = [ listening-port tls-listening-port ];
|
||||
allowedTCPPorts = [ listening-port tls-listening-port ];
|
||||
allowedUDPPortRanges = [ { from = min-port; to = max-port; } ];
|
||||
};
|
||||
};
|
||||
}
|
||||
|
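Review bot: The relay is reachable on the public listening ports opened in `networking.firewall`, but nothing in `services.coturn` restricts which peers the server will relay to, and coturn does not deny private, loopback or link-local peer addresses by default; anyone holding the shared static auth secret can use the relay to reach hosts on this machine's internal networks. If the `services.coturn` module in use provides `extraConfig` (it does in recent nixpkgs), the usual hardening is a `denied-peer-ip` list plus `no-multicast-peers`, with the IPv6 equivalents added if `relay-ips` includes v6 addresses. The rest of the block (cert paths from the ACME directory, `no-cli`, the secret-file ownership) looks fine as written.

```nix
services.coturn = let keydir = inputs.config.security.acme.certs.${coturn.hostname}.directory; in
{
  # … unchanged: enable, use-auth-secret, static-auth-secret-file, realm, cert, pkey, no-cli …
  extraConfig =
    ''
      no-multicast-peers
      denied-peer-ip=10.0.0.0-10.255.255.255
      denied-peer-ip=172.16.0.0-172.31.255.255
      denied-peer-ip=192.168.0.0-192.168.255.255
      denied-peer-ip=127.0.0.0-127.255.255.255
      denied-peer-ip=169.254.0.0-169.254.255.255
    '';
};
```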
@ -190,7 +190,7 @@ inputs:
|
||||
};
|
||||
secrets."frp/token" = {};
|
||||
};
|
||||
nixos.services.acme = { enable = true; cert.${frpServer.serverName}.group = "frp"; };
|
||||
nixos.services.acme.cert.${frpServer.serverName}.group = "frp";
|
||||
users =
|
||||
{
|
||||
users.frp = { uid = inputs.config.nixos.user.uid.frp; group = "frp"; isSystemUser = true; };
|
||||
|
@ -1,115 +1,106 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.services.fz-new-order = let inherit (inputs.lib) mkOption types; in
|
||||
options.nixos.services.fz-new-order = let inherit (inputs.lib) mkOption types; in mkOption
|
||||
{
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
type = types.nullOr (types.submodule {});
|
||||
default = null;
|
||||
};
|
||||
config =
|
||||
let
|
||||
inherit (inputs.config.nixos.services) fz-new-order;
|
||||
inherit (inputs.localLib) attrsToList;
|
||||
inherit (inputs.lib) mkIf;
|
||||
inherit (builtins) map listToAttrs toString concatLists;
|
||||
in mkIf fz-new-order.enable
|
||||
config = let inherit (inputs.config.nixos.services) fz-new-order; in inputs.lib.mkIf (fz-new-order != null)
|
||||
{
|
||||
users =
|
||||
{
|
||||
users =
|
||||
users.fz-new-order =
|
||||
{
|
||||
users.fz-new-order =
|
||||
{
|
||||
uid = inputs.config.nixos.user.uid.fz-new-order;
|
||||
group = "fz-new-order";
|
||||
home = "/var/lib/fz-new-order";
|
||||
createHome = true;
|
||||
isSystemUser = true;
|
||||
};
|
||||
groups.fz-new-order.gid = inputs.config.nixos.user.gid.fz-new-order;
|
||||
};
|
||||
systemd =
|
||||
{
|
||||
timers.fz-new-order =
|
||||
{
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig =
|
||||
{
|
||||
OnBootSec = "10m";
|
||||
OnUnitActiveSec = "10m";
|
||||
Unit = "fz-new-order.service";
|
||||
};
|
||||
};
|
||||
services.fz-new-order = rec
|
||||
{
|
||||
description = "fz-new-order";
|
||||
after = [ "network.target" ];
|
||||
requires = after;
|
||||
serviceConfig =
|
||||
{
|
||||
User = inputs.config.users.users."fz-new-order".name;
|
||||
Group = inputs.config.users.users."fz-new-order".group;
|
||||
WorkingDirectory = "/var/lib/fz-new-order";
|
||||
ExecStart =
|
||||
let
|
||||
src = inputs.pkgs.substituteAll
|
||||
{
|
||||
src = ./main.cpp;
|
||||
config_file = inputs.config.sops.templates."fz-new-order/config.json".path;
|
||||
};
|
||||
binary = inputs.pkgs.stdenv.mkDerivation
|
||||
{
|
||||
name = "fz-new-order";
|
||||
inherit src;
|
||||
buildInputs = with inputs.pkgs; [ jsoncpp.dev cereal fmt httplib ];
|
||||
dontUnpack = true;
|
||||
buildPhase =
|
||||
''
|
||||
runHook preBuild
|
||||
g++ -std=c++20 -O2 -o fz-new-order ${src} -ljsoncpp -lfmt
|
||||
runHook postBuild
|
||||
'';
|
||||
installPhase =
|
||||
''
|
||||
runHook preInstall
|
||||
mkdir -p $out/bin
|
||||
cp fz-new-order $out/bin/fz-new-order
|
||||
runHook postInstall
|
||||
'';
|
||||
};
|
||||
in "${binary}/bin/fz-new-order";
|
||||
};
|
||||
};
|
||||
tmpfiles.rules =
|
||||
[
|
||||
"d /var/lib/fz-new-order 0700 fz-new-order fz-new-order"
|
||||
"Z /var/lib/fz-new-order - fz-new-order fz-new-order"
|
||||
];
|
||||
};
|
||||
sops = let userNum = 6; configNum = 2; in
|
||||
{
|
||||
templates."fz-new-order/config.json" =
|
||||
{
|
||||
owner = inputs.config.users.users."fz-new-order".name;
|
||||
group = inputs.config.users.users."fz-new-order".group;
|
||||
content = let placeholder = inputs.config.sops.placeholder; in builtins.toJSON
|
||||
{
|
||||
manager = placeholder."fz-new-order/manager";
|
||||
token = placeholder."fz-new-order/token";
|
||||
uids = map (j: placeholder."fz-new-order/uids/user${toString j}") (builtins.genList (n: n) userNum);
|
||||
config = map
|
||||
(i: listToAttrs (map
|
||||
(attrName: { name = attrName; value = placeholder."fz-new-order/config${toString i}/${attrName}"; })
|
||||
[ "username" "password" "comment" ]))
|
||||
(builtins.genList (n: n) configNum);
|
||||
};
|
||||
};
|
||||
secrets =
|
||||
{ "fz-new-order/manager" = {}; "fz-new-order/token" = {}; }
|
||||
// (listToAttrs (map
|
||||
(i: { name = "fz-new-order/uids/user${toString i}"; value = {}; })
|
||||
(builtins.genList (n: n) userNum)))
|
||||
// (listToAttrs (concatLists (map
|
||||
(i: map
|
||||
(attrName: { name = "fz-new-order/config${toString i}/${attrName}"; value = {}; })
|
||||
[ "username" "password" "comment" ])
|
||||
(builtins.genList (n: n) configNum))));
|
||||
uid = inputs.config.nixos.user.uid.fz-new-order;
|
||||
group = "fz-new-order";
|
||||
home = "/var/lib/fz-new-order";
|
||||
createHome = true;
|
||||
isSystemUser = true;
|
||||
};
|
||||
groups.fz-new-order.gid = inputs.config.nixos.user.gid.fz-new-order;
|
||||
};
|
||||
systemd =
|
||||
{
|
||||
timers.fz-new-order =
|
||||
{
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig = { OnBootSec = "10m"; OnUnitActiveSec = "10m"; Unit = "fz-new-order.service"; };
|
||||
};
|
||||
services.fz-new-order = rec
|
||||
{
|
||||
description = "fz-new-order";
|
||||
after = [ "network.target" ];
|
||||
requires = after;
|
||||
serviceConfig =
|
||||
{
|
||||
User = inputs.config.users.users."fz-new-order".name;
|
||||
Group = inputs.config.users.users."fz-new-order".group;
|
||||
WorkingDirectory = "/var/lib/fz-new-order";
|
||||
ExecStart =
|
||||
let
|
||||
src = inputs.pkgs.substituteAll
|
||||
{
|
||||
src = ./main.cpp;
|
||||
config_file = inputs.config.sops.templates."fz-new-order/config.json".path;
|
||||
};
|
||||
binary = inputs.pkgs.stdenv.mkDerivation
|
||||
{
|
||||
name = "fz-new-order";
|
||||
inherit src;
|
||||
buildInputs = with inputs.pkgs; [ jsoncpp.dev cereal fmt httplib ];
|
||||
dontUnpack = true;
|
||||
buildPhase =
|
||||
''
|
||||
runHook preBuild
|
||||
g++ -std=c++20 -O2 -o fz-new-order ${src} -ljsoncpp -lfmt
|
||||
runHook postBuild
|
||||
'';
|
||||
installPhase =
|
||||
''
|
||||
runHook preInstall
|
||||
mkdir -p $out/bin
|
||||
cp fz-new-order $out/bin/fz-new-order
|
||||
runHook postInstall
|
||||
'';
|
||||
};
|
||||
in "${binary}/bin/fz-new-order";
|
||||
};
|
||||
};
|
||||
tmpfiles.rules =
|
||||
[
|
||||
"d /var/lib/fz-new-order 0700 fz-new-order fz-new-order"
|
||||
"Z /var/lib/fz-new-order - fz-new-order fz-new-order"
|
||||
];
|
||||
};
|
||||
sops = let userNum = 6; configNum = 2; in
|
||||
{
|
||||
templates."fz-new-order/config.json" =
|
||||
{
|
||||
owner = inputs.config.users.users."fz-new-order".name;
|
||||
group = inputs.config.users.users."fz-new-order".group;
|
||||
content = let placeholder = inputs.config.sops.placeholder; in builtins.toJSON
|
||||
{
|
||||
manager = placeholder."fz-new-order/manager";
|
||||
token = placeholder."fz-new-order/token";
|
||||
uids = builtins.map (j: placeholder."fz-new-order/uids/user${builtins.toString j}")
|
||||
(builtins.genList (n: n) userNum);
|
||||
config = builtins.map
|
||||
(i: builtins.listToAttrs (builtins.map
|
||||
(attrName: { name = attrName; value = placeholder."fz-new-order/config${toString i}/${attrName}"; })
|
||||
[ "username" "password" "comment" ]))
|
||||
(builtins.genList (n: n) configNum);
|
||||
};
|
||||
};
|
||||
secrets =
|
||||
{ "fz-new-order/manager" = {}; "fz-new-order/token" = {}; }
|
||||
// (builtins.listToAttrs (builtins.map
|
||||
(i: { name = "fz-new-order/uids/user${toString i}"; value = {}; })
|
||||
(builtins.genList (n: n) userNum)))
|
||||
// (builtins.listToAttrs (builtins.concatLists (builtins.map
|
||||
(i: builtins.map
|
||||
(attrName: { name = "fz-new-order/config${builtins.toString i}/${attrName}"; value = {}; })
|
||||
[ "username" "password" "comment" ])
|
||||
(builtins.genList (n: n) configNum))));
|
||||
};
|
||||
};
|
||||
}
|
||||
|
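Review bot: `serviceConfig` for `services.fz-new-order` sets only `User`, `Group`, `WorkingDirectory` and `ExecStart`, so a process that holds a manager token and plaintext account passwords (rendered into `fz-new-order/config.json`) and talks to the network runs with a full view of the filesystem and the ability to gain privileges. Since the unit already has a dedicated user and a single writable state directory, the standard systemd sandboxing directives can be added without changing behaviour; the rendered sops template lives under `/run`, which stays readable under `ProtectSystem = "strict"`. Confirm the binary needs no other writable path and that name resolution works with `AF_UNIX` allowed (needed for nscd / the resolver socket).

```nix
serviceConfig =
{
  # … unchanged: User, Group, WorkingDirectory, ExecStart …
  NoNewPrivileges = true;
  PrivateTmp = true;
  PrivateDevices = true;
  ProtectSystem = "strict";
  ProtectHome = true;
  ReadWritePaths = [ "/var/lib/fz-new-order" ];
  RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
};
```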
@ -1,25 +1,20 @@
|
||||
inputs:
|
||||
{
|
||||
options.nixos.services.httpua = let inherit (inputs.lib) mkOption types; in
|
||||
options.nixos.services.httpua = let inherit (inputs.lib) mkOption types; in mkOption
|
||||
{
|
||||
enable = mkOption { type = types.bool; default = false; };
|
||||
hostname = mkOption { type = types.nonEmptyStr; default = "ua.chn.moe"; };
|
||||
};
|
||||
config =
|
||||
let
|
||||
inherit (inputs.config.nixos.services) httpua;
|
||||
inherit (inputs.lib) mkIf;
|
||||
inherit (builtins) toString;
|
||||
in mkIf httpua.enable
|
||||
type = types.nullOr (types.submodule { options =
|
||||
{
|
||||
nixos.services =
|
||||
{
|
||||
phpfpm.instances.httpua = {};
|
||||
nginx.http.${httpua.hostname}.php =
|
||||
{
|
||||
root = toString ./.;
|
||||
fastcgiPass = inputs.config.nixos.services.phpfpm.instances.httpua.fastcgi;
|
||||
};
|
||||
};
|
||||
hostname = mkOption { type = types.nonEmptyStr; default = "ua.chn.moe"; };
|
||||
};});
|
||||
default = null;
|
||||
};
|
||||
config = let inherit (inputs.config.nixos.services) httpua; in inputs.lib.mkIf (httpua != null)
|
||||
{
|
||||
nixos.services =
|
||||
{
|
||||
phpfpm.instances.httpua = {};
|
||||
nginx.http.${httpua.hostname}.php =
|
||||
{ root = "${./.}"; fastcgiPass = inputs.config.nixos.services.phpfpm.instances.httpua.fastcgi; };
|
||||
};
|
||||
};
|
||||
}
|
||||
|
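Review bot: `root = "${./.}"` makes the nginx document root the entire directory containing this module, so every file next to it, including this `default.nix` (hostnames, module layout) and anything else committed there, becomes a downloadable path under `ua.chn.moe` unless the `nginx.http.<host>.php` application restricts what it serves, which is not visible from this hunk. Keeping the web-facing PHP and static files in a dedicated subdirectory and pointing the root there, e.g. `root = "${./www}";`, or building the root with a filtered `builtins.path { path = ./.; filter = …; }` that excludes `*.nix`, limits exposure to the files that are meant to be served. The previous `toString ./.` had the same property, so this is not introduced by the commit, but the rewrite is a good moment to fix it.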
@ -56,7 +56,7 @@ inputs:
|
||||
})
|
||||
[ "entry." "" ]);
|
||||
};
|
||||
acme = { enable = true; cert = { "ng01.mirism.one".group = "mirism"; "beta.mirism.one".group = "mirism"; }; };
|
||||
acme.cert = { "ng01.mirism.one".group = "mirism"; "beta.mirism.one".group = "mirism"; };
|
||||
};
|
||||
environment.etc = listToAttrs (concatLists (map
|
||||
(instance:
|
||||
|
@ -670,13 +670,9 @@ inputs:
|
||||
(site: { inherit (site) name; value.rewriteHttps = {}; })
|
||||
(filter (site: site.value.global.rewriteHttps) sites));
|
||||
};
|
||||
acme =
|
||||
{
|
||||
enable = true;
|
||||
cert = listToAttrs (map
|
||||
(site: { inherit (site) name; value.group = inputs.config.services.nginx.group; })
|
||||
sites);
|
||||
};
|
||||
acme.cert = listToAttrs (map
|
||||
(site: { inherit (site) name; value.group = inputs.config.services.nginx.group; })
|
||||
sites);
|
||||
};
|
||||
sops =
|
||||
let
|
||||
|
@ -514,7 +514,7 @@ inputs:
|
||||
};
|
||||
nixos.services =
|
||||
{
|
||||
acme = { enable = true; cert.${xray.server.serverName}.group = inputs.config.users.users.nginx.group; };
|
||||
acme.cert.${xray.server.serverName}.group = inputs.config.users.users.nginx.group;
|
||||
nginx =
|
||||
{
|
||||
enable = true;
|
||||
|
@ -56,12 +56,8 @@ inputs:
|
||||
services.xrdp =
|
||||
let keydir = inputs.config.security.acme.certs.${mainDomain}.directory;
|
||||
in { sslCert = "${keydir}/full.pem"; sslKey = "${keydir}/key.pem"; };
|
||||
nixos.services.acme =
|
||||
{
|
||||
enable = true;
|
||||
cert.${mainDomain} =
|
||||
{ domains = xrdp.hostname; group = inputs.config.systemd.services.xrdp.serviceConfig.Group; };
|
||||
};
|
||||
nixos.services.acme.cert.${mainDomain} =
|
||||
{ domains = xrdp.hostname; group = inputs.config.systemd.services.xrdp.serviceConfig.Group; };
|
||||
}
|
||||
)
|
||||
)
|
||||
|
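Review bot: `nixos.services.acme.cert.${mainDomain} = { domains = xrdp.hostname; … }` registers the certificate under the key `mainDomain`, but the acme module in this same commit names the resulting `security.acme.certs` entry after the first element of `domains`, while `services.xrdp` two lines above reads `security.acme.certs.${mainDomain}.directory`. Unless `xrdp.hostname` is a list whose first element is `mainDomain` (the `domains` option is a `nonEmptyListOf`, so a string here would already fail to evaluate), the lookup either fails or resolves to a different certificate whose private key is then shared with the xrdp group. Making the relationship explicit, `domains = [ mainDomain ] ++ xrdp.hostname;` (or keying the entry by the hostname and using that same key in `services.xrdp`), removes the dependency on list order. The enclosing `let … in` expression starts before this hunk.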