


chn
eb5e634125 services.httpua: 整理 2024-03-24 10:23:24 +08:00
chn
06763b5920 services.fz-new-order: 整理 2024-03-24 10:23:24 +08:00
chn
50b79be223 整理coturn acme 2024-03-24 10:23:24 +08:00
11 changed files with 183 additions and 213 deletions


@ -64,7 +64,7 @@ inputs:
main.enable = true;
};
};
coturn.enable = true;
coturn = {};
httpua.enable = true;
mirism.enable = true;
fail2ban.enable = true;


@ -58,7 +58,7 @@ inputs:
freshrss.enable = true;
send.enable = true;
huginn.enable = true;
fz-new-order.enable = true;
fz-new-order = {};
nginx.applications = { kkmeeting.enable = true; webdav.instances."webdav.chn.moe" = {}; };
httpapi.enable = true;
gitea.enable = true;


@ -1,46 +1,43 @@
inputs:
{
options.nixos.services.acme = let inherit (inputs.lib) mkOption types; in
options.nixos.services.acme = let inherit (inputs.lib) mkOption types; in mkOption
{
enable = mkOption { type = types.bool; default = false; };
cert = mkOption
type = types.nullOr (types.submodule { options =
{
type = types.attrsOf (types.submodule (submoduleInputs: { options =
cert = mkOption
{
domains = mkOption
{ type = types.nonEmptyListOf types.nonEmptyStr; default = [ submoduleInputs.config._module.args.name ]; };
group = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
};}));
default = {};
};
};
config =
let
inherit (inputs.lib) mkIf;
inherit (inputs.config.nixos.services) acme;
inherit (builtins) map listToAttrs;
inherit (inputs.localLib) attrsToList;
in mkIf acme.enable
{
security.acme =
{
acceptTerms = true;
defaults.email = "chn@chn.moe";
certs = listToAttrs (map
(cert:
{
name = builtins.elemAt cert.value.domains 0;
value =
{
dnsResolver = "8.8.8.8";
dnsProvider = "cloudflare";
credentialsFile = inputs.config.sops.secrets."acme/cloudflare.ini".path;
extraDomainNames = builtins.tail cert.value.domains;
group = mkIf (cert.value.group != null) cert.value.group;
};
})
(attrsToList acme.cert));
type = types.attrsOf (types.submodule (submoduleInputs: { options =
{
domains = mkOption
{ type = types.nonEmptyListOf types.nonEmptyStr; default = [ submoduleInputs.config._module.args.name ]; };
group = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
};}));
default = {};
};
sops.secrets."acme/cloudflare.ini" = {};
};});
default = null;
};
config = let inherit (inputs.config.nixos.services) acme; in inputs.lib.mkIf (acme != null)
{
security.acme =
{
acceptTerms = true;
defaults.email = "chn@chn.moe";
certs = builtins.listToAttrs (builtins.map
(cert:
{
name = builtins.elemAt cert.value.domains 0;
value =
{
dnsResolver = "8.8.8.8";
dnsProvider = "cloudflare";
credentialsFile = inputs.config.sops.secrets."acme/cloudflare.ini".path;
extraDomainNames = builtins.tail cert.value.domains;
group = inputs.lib.mkIf (cert.value.group != null) cert.value.group;
};
})
(inputs.lib.localLib.attrsToList acme.cert));
};
sops.secrets."acme/cloudflare.ini" = {};
};
}
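Review bot: `inputs.lib.localLib.attrsToList` at the tail of the new `certs = ...` expression replaces the old `inputs.localLib.attrsToList`; unless `lib` is extended with a `localLib` attribute somewhere not visible here, evaluation will fail with a missing-attribute error as soon as any module declares a cert, so this should read `inputs.localLib.attrsToList` (or the removed `inherit (inputs.localLib) attrsToList;` be restored). Separately, the generated `security.acme.certs` entry is keyed by `builtins.elemAt cert.value.domains 0` rather than by the `cert` attribute name, so consumers such as the coturn and xrdp modules that look up `security.acme.certs.${name}.directory` only work when the first domain equals the attribute name. A comment on the `certs` line stating that invariant, e.g. `# attr name must equal domains[0]: consumers look the cert directory up by attr name`, would save the next reader a surprise. The `dnsResolver`/`dnsProvider`/`credentialsFile` settings are carried over unchanged from the old side.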


@ -1,37 +1,32 @@
inputs:
{
options.nixos.services.coturn = let inherit (inputs.lib) mkOption types; in
options.nixos.services.coturn = let inherit (inputs.lib) mkOption types; in mkOption
{
enable = mkOption { type = types.bool; default = false; };
hostname = mkOption { type = types.str; default = "coturn.chn.moe"; };
type = types.nullOr (types.submodule { options =
{
hostname = mkOption { type = types.str; default = "coturn.chn.moe"; };
};});
default = null;
};
config = let inherit (inputs.config.nixos.services) coturn; in inputs.lib.mkIf (coturn != null)
{
services.coturn = let keydir = inputs.config.security.acme.certs.${coturn.hostname}.directory; in
{
enable = true;
use-auth-secret = true;
static-auth-secret-file = inputs.config.sops.secrets."coturn/auth-secret".path;
realm = coturn.hostname;
cert = "${keydir}/full.pem";
pkey = "${keydir}/key.pem";
no-cli = true;
};
sops.secrets."coturn/auth-secret".owner = inputs.config.systemd.services.coturn.serviceConfig.User;
nixos.services.acme.cert.${coturn.hostname}.group = inputs.config.systemd.services.coturn.serviceConfig.Group;
networking.firewall = with inputs.config.services.coturn;
{
allowedUDPPorts = [ listening-port tls-listening-port ];
allowedTCPPorts = [ listening-port tls-listening-port ];
allowedUDPPortRanges = [{ from = min-port; to = max-port; }];
};
};
config =
let
inherit (inputs.config.nixos.services) coturn;
inherit (inputs.lib) mkIf;
in mkIf coturn.enable
{
services.coturn = let keydir = inputs.config.security.acme.certs.${coturn.hostname}.directory; in
{
enable = true;
use-auth-secret = true;
static-auth-secret-file = inputs.config.sops.secrets."coturn/auth-secret".path;
realm = coturn.hostname;
cert = "${keydir}/full.pem";
pkey = "${keydir}/key.pem";
no-cli = true;
};
sops.secrets."coturn/auth-secret".owner = inputs.config.systemd.services.coturn.serviceConfig.User;
nixos.services.acme =
{
enable = true;
cert.${coturn.hostname}.group = inputs.config.systemd.services.coturn.serviceConfig.Group;
};
networking.firewall = with inputs.config.services.coturn;
{
allowedUDPPorts = [ listening-port tls-listening-port ];
allowedTCPPorts = [ listening-port tls-listening-port ];
allowedUDPPortRanges = [ { from = min-port; to = max-port; } ];
};
};
}
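Review bot: `hostname` is typed `types.str` at the top of the new submodule, which admits the empty string, while the equivalent option in the httpua module uses `types.nonEmptyStr`; since the value is used as the TURN `realm` and as the key and default domain of `nixos.services.acme.cert.${coturn.hostname}`, an empty value would only surface as a confusing failure inside the acme module rather than here. Tightening it to `hostname = mkOption { type = types.nonEmptyStr; default = "coturn.chn.moe"; };` fails fast at the right place. The `networking.firewall` block opens the full `min-port..max-port` UDP relay range plus both listener ports on TCP and UDP, which is expected for TURN, but a short comment such as `# relay range must be reachable by peers; access is gated by static-auth-secret` would document why that exposure is intentional.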


@ -190,7 +190,7 @@ inputs:
};
secrets."frp/token" = {};
};
nixos.services.acme = { enable = true; cert.${frpServer.serverName}.group = "frp"; };
nixos.services.acme.cert.${frpServer.serverName}.group = "frp";
users =
{
users.frp = { uid = inputs.config.nixos.user.uid.frp; group = "frp"; isSystemUser = true; };


@ -1,115 +1,106 @@
inputs:
{
options.nixos.services.fz-new-order = let inherit (inputs.lib) mkOption types; in
options.nixos.services.fz-new-order = let inherit (inputs.lib) mkOption types; in mkOption
{
enable = mkOption { type = types.bool; default = false; };
type = types.nullOr (types.submodule {});
default = null;
};
config =
let
inherit (inputs.config.nixos.services) fz-new-order;
inherit (inputs.localLib) attrsToList;
inherit (inputs.lib) mkIf;
inherit (builtins) map listToAttrs toString concatLists;
in mkIf fz-new-order.enable
config = let inherit (inputs.config.nixos.services) fz-new-order; in inputs.lib.mkIf (fz-new-order != null)
{
users =
{
users =
users.fz-new-order =
{
users.fz-new-order =
{
uid = inputs.config.nixos.user.uid.fz-new-order;
group = "fz-new-order";
home = "/var/lib/fz-new-order";
createHome = true;
isSystemUser = true;
};
groups.fz-new-order.gid = inputs.config.nixos.user.gid.fz-new-order;
};
systemd =
{
timers.fz-new-order =
{
wantedBy = [ "timers.target" ];
timerConfig =
{
OnBootSec = "10m";
OnUnitActiveSec = "10m";
Unit = "fz-new-order.service";
};
};
services.fz-new-order = rec
{
description = "fz-new-order";
after = [ "network.target" ];
requires = after;
serviceConfig =
{
User = inputs.config.users.users."fz-new-order".name;
Group = inputs.config.users.users."fz-new-order".group;
WorkingDirectory = "/var/lib/fz-new-order";
ExecStart =
let
src = inputs.pkgs.substituteAll
{
src = ./main.cpp;
config_file = inputs.config.sops.templates."fz-new-order/config.json".path;
};
binary = inputs.pkgs.stdenv.mkDerivation
{
name = "fz-new-order";
inherit src;
buildInputs = with inputs.pkgs; [ jsoncpp.dev cereal fmt httplib ];
dontUnpack = true;
buildPhase =
''
runHook preBuild
g++ -std=c++20 -O2 -o fz-new-order ${src} -ljsoncpp -lfmt
runHook postBuild
'';
installPhase =
''
runHook preInstall
mkdir -p $out/bin
cp fz-new-order $out/bin/fz-new-order
runHook postInstall
'';
};
in "${binary}/bin/fz-new-order";
};
};
tmpfiles.rules =
[
"d /var/lib/fz-new-order 0700 fz-new-order fz-new-order"
"Z /var/lib/fz-new-order - fz-new-order fz-new-order"
];
};
sops = let userNum = 6; configNum = 2; in
{
templates."fz-new-order/config.json" =
{
owner = inputs.config.users.users."fz-new-order".name;
group = inputs.config.users.users."fz-new-order".group;
content = let placeholder = inputs.config.sops.placeholder; in builtins.toJSON
{
manager = placeholder."fz-new-order/manager";
token = placeholder."fz-new-order/token";
uids = map (j: placeholder."fz-new-order/uids/user${toString j}") (builtins.genList (n: n) userNum);
config = map
(i: listToAttrs (map
(attrName: { name = attrName; value = placeholder."fz-new-order/config${toString i}/${attrName}"; })
[ "username" "password" "comment" ]))
(builtins.genList (n: n) configNum);
};
};
secrets =
{ "fz-new-order/manager" = {}; "fz-new-order/token" = {}; }
// (listToAttrs (map
(i: { name = "fz-new-order/uids/user${toString i}"; value = {}; })
(builtins.genList (n: n) userNum)))
// (listToAttrs (concatLists (map
(i: map
(attrName: { name = "fz-new-order/config${toString i}/${attrName}"; value = {}; })
[ "username" "password" "comment" ])
(builtins.genList (n: n) configNum))));
uid = inputs.config.nixos.user.uid.fz-new-order;
group = "fz-new-order";
home = "/var/lib/fz-new-order";
createHome = true;
isSystemUser = true;
};
groups.fz-new-order.gid = inputs.config.nixos.user.gid.fz-new-order;
};
systemd =
{
timers.fz-new-order =
{
wantedBy = [ "timers.target" ];
timerConfig = { OnBootSec = "10m"; OnUnitActiveSec = "10m"; Unit = "fz-new-order.service"; };
};
services.fz-new-order = rec
{
description = "fz-new-order";
after = [ "network.target" ];
requires = after;
serviceConfig =
{
User = inputs.config.users.users."fz-new-order".name;
Group = inputs.config.users.users."fz-new-order".group;
WorkingDirectory = "/var/lib/fz-new-order";
ExecStart =
let
src = inputs.pkgs.substituteAll
{
src = ./main.cpp;
config_file = inputs.config.sops.templates."fz-new-order/config.json".path;
};
binary = inputs.pkgs.stdenv.mkDerivation
{
name = "fz-new-order";
inherit src;
buildInputs = with inputs.pkgs; [ jsoncpp.dev cereal fmt httplib ];
dontUnpack = true;
buildPhase =
''
runHook preBuild
g++ -std=c++20 -O2 -o fz-new-order ${src} -ljsoncpp -lfmt
runHook postBuild
'';
installPhase =
''
runHook preInstall
mkdir -p $out/bin
cp fz-new-order $out/bin/fz-new-order
runHook postInstall
'';
};
in "${binary}/bin/fz-new-order";
};
};
tmpfiles.rules =
[
"d /var/lib/fz-new-order 0700 fz-new-order fz-new-order"
"Z /var/lib/fz-new-order - fz-new-order fz-new-order"
];
};
sops = let userNum = 6; configNum = 2; in
{
templates."fz-new-order/config.json" =
{
owner = inputs.config.users.users."fz-new-order".name;
group = inputs.config.users.users."fz-new-order".group;
content = let placeholder = inputs.config.sops.placeholder; in builtins.toJSON
{
manager = placeholder."fz-new-order/manager";
token = placeholder."fz-new-order/token";
uids = builtins.map (j: placeholder."fz-new-order/uids/user${builtins.toString j}")
(builtins.genList (n: n) userNum);
config = builtins.map
(i: builtins.listToAttrs (builtins.map
(attrName: { name = attrName; value = placeholder."fz-new-order/config${toString i}/${attrName}"; })
[ "username" "password" "comment" ]))
(builtins.genList (n: n) configNum);
};
};
secrets =
{ "fz-new-order/manager" = {}; "fz-new-order/token" = {}; }
// (builtins.listToAttrs (builtins.map
(i: { name = "fz-new-order/uids/user${toString i}"; value = {}; })
(builtins.genList (n: n) userNum)))
// (builtins.listToAttrs (builtins.concatLists (builtins.map
(i: builtins.map
(attrName: { name = "fz-new-order/config${builtins.toString i}/${attrName}"; value = {}; })
[ "username" "password" "comment" ])
(builtins.genList (n: n) configNum))));
};
};
}
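Review bot: The `serviceConfig` of `systemd.services.fz-new-order` on the new side (the `User`/`Group`/`WorkingDirectory`/`ExecStart` block) runs what is evidently a network client (it builds against httplib and orders after `network.target`) every 10 minutes with a sops-rendered config holding `username`/`password` pairs and a `token`, yet applies no systemd sandboxing. Adding at least `NoNewPrivileges = true; PrivateTmp = true; ProtectSystem = "strict"; ReadWritePaths = [ "/var/lib/fz-new-order" ];` next to `WorkingDirectory` would confine the unit to its state directory; `main.cpp` is not visible here, so confirm the program writes nowhere else before turning on `ProtectSystem`. Separately, the tidy is uneven: `builtins.toString` is used for the `uids` placeholders and the `config` secret names, but the bare `toString` remains in the `config` template map and the `uids` secrets list; both evaluate since `toString` is a global builtin, but one form should be used throughout.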


@ -1,25 +1,20 @@
inputs:
{
options.nixos.services.httpua = let inherit (inputs.lib) mkOption types; in
options.nixos.services.httpua = let inherit (inputs.lib) mkOption types; in mkOption
{
enable = mkOption { type = types.bool; default = false; };
hostname = mkOption { type = types.nonEmptyStr; default = "ua.chn.moe"; };
};
config =
let
inherit (inputs.config.nixos.services) httpua;
inherit (inputs.lib) mkIf;
inherit (builtins) toString;
in mkIf httpua.enable
type = types.nullOr (types.submodule { options =
{
nixos.services =
{
phpfpm.instances.httpua = {};
nginx.http.${httpua.hostname}.php =
{
root = toString ./.;
fastcgiPass = inputs.config.nixos.services.phpfpm.instances.httpua.fastcgi;
};
};
hostname = mkOption { type = types.nonEmptyStr; default = "ua.chn.moe"; };
};});
default = null;
};
config = let inherit (inputs.config.nixos.services) httpua; in inputs.lib.mkIf (httpua != null)
{
nixos.services =
{
phpfpm.instances.httpua = {};
nginx.http.${httpua.hostname}.php =
{ root = "${./.}"; fastcgiPass = inputs.config.nixos.services.phpfpm.instances.httpua.fastcgi; };
};
};
}
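Review bot: `root = "${./.}"` on the last line of the new `config` serves the module's own directory as the nginx document root, so `default.nix` (this file) and anything else committed alongside the PHP sources is published under `ua.chn.moe` unless the `nixos.services.nginx.http.*.php` module, which is not visible here, filters non-PHP paths. Pointing the root at a subdirectory holding only the web files, e.g. `root = "${./www}";`, or at a small derivation that copies just the `.php` files, limits what is exposed. The old side had the equivalent `toString ./.`, so this is pre-existing rather than introduced by the tidy, but the rewrite is the right moment to fix it.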


@ -56,7 +56,7 @@ inputs:
})
[ "entry." "" ]);
};
acme = { enable = true; cert = { "ng01.mirism.one".group = "mirism"; "beta.mirism.one".group = "mirism"; }; };
acme.cert = { "ng01.mirism.one".group = "mirism"; "beta.mirism.one".group = "mirism"; };
};
environment.etc = listToAttrs (concatLists (map
(instance:


@ -670,13 +670,9 @@ inputs:
(site: { inherit (site) name; value.rewriteHttps = {}; })
(filter (site: site.value.global.rewriteHttps) sites));
};
acme =
{
enable = true;
cert = listToAttrs (map
(site: { inherit (site) name; value.group = inputs.config.services.nginx.group; })
sites);
};
acme.cert = listToAttrs (map
(site: { inherit (site) name; value.group = inputs.config.services.nginx.group; })
sites);
};
sops =
let


@ -514,7 +514,7 @@ inputs:
};
nixos.services =
{
acme = { enable = true; cert.${xray.server.serverName}.group = inputs.config.users.users.nginx.group; };
acme.cert.${xray.server.serverName}.group = inputs.config.users.users.nginx.group;
nginx =
{
enable = true;


@ -56,12 +56,8 @@ inputs:
services.xrdp =
let keydir = inputs.config.security.acme.certs.${mainDomain}.directory;
in { sslCert = "${keydir}/full.pem"; sslKey = "${keydir}/key.pem"; };
nixos.services.acme =
{
enable = true;
cert.${mainDomain} =
{ domains = xrdp.hostname; group = inputs.config.systemd.services.xrdp.serviceConfig.Group; };
};
nixos.services.acme.cert.${mainDomain} =
{ domains = xrdp.hostname; group = inputs.config.systemd.services.xrdp.serviceConfig.Group; };
}
)
)
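Review bot: `domains = xrdp.hostname` in the new `nixos.services.acme.cert.${mainDomain}` entry is only consistent with the `security.acme.certs.${mainDomain}.directory` lookup above it if the first element of `xrdp.hostname` is `mainDomain`, because the acme module keys the generated cert by `elemAt domains 0`, not by the `cert` attribute name. Neither `mainDomain` nor `xrdp.hostname` is defined inside this hunk, so the invariant may already hold; if it does, a comment such as `# mainDomain must be the first entry of xrdp.hostname: acme keys certs by domains[0]` makes the coupling explicit, otherwise the `keydir` lookup should use `builtins.head xrdp.hostname` instead of `mainDomain`. The enclosing function starts outside the hunk.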