mjallen/nix-config
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

cleanup

Browse Source
This commit is contained in:
mjallen18
2026-03-18 20:39:24 -05:00
parent 4a7b2f835e
commit 46b249560f
18 changed files with 142 additions and 917 deletions
Download Patch File Download Diff File Expand all files Collapse all files

150
lib/module/default.nix
View File

@@ -14,8 +14,6 @@ let
mkDefault
mkForce
;
base64Lib = import ../base64 { inherit inputs; };
in
rec {
@@ -26,7 +24,9 @@ rec {
mod: mod.systems or [ ] == [ ] || builtins.elem system (mod.systems or [ ])
) modules;
# Create a module with common options
# Create a NixOS module with standard options (enable, port, reverseProxy,
# firewall, user, postgresql, redis) and optional caller-supplied options and
# config. All config is gated behind `cfg.enable`.
mkModule =
{
name,
@@ -51,9 +51,6 @@ rec {
defaultConfig = {
# Caddy reverse proxy: when reverseProxy.enable = true, contribute this
# service's named-matcher block into the shared wildcard virtual host.
# The TLS block stays in the caddy module itself; all services merge
# their handle blocks into the same "*.${domain}" extraConfig via the
# lines type (which concatenates automatically).
services.caddy.virtualHosts."*.${cfg.reverseProxy.domain}" = lib.mkIf cfg.reverseProxy.enable {
extraConfig = ''
@${name} host ${fqdn}
@@ -79,20 +76,15 @@ rec {
groups.${name} = { };
};
systemd.services.${serviceName} = {
requires = [
"media-nas-main.mount"
# "openvpn-us.protonvpn.udp.service"
];
after = lib.mkForce [
"media-nas-main.mount"
# "openvpn-us.protonvpn.udp.service"
];
# serviceConfig = {
# NetworkNamespacePath = lib.mkIf cfg.enableVpn "/run/netns/vpn";
# # Consider also setting DNS *inside* the netns (see note below).
# };
};
# Ensure the service waits for the filesystem that hosts configDir and
# dataDir to be mounted before starting. RequiresMountsFor is the
# idiomatic systemd way to express this: if the paths live on the root
# filesystem the directive is silently ignored, so it is safe on every
# host — not just the NAS.
systemd.services.${serviceName}.unitConfig.RequiresMountsFor = [
cfg.configDir
cfg.dataDir
];
services = {
postgresql = lib.mkIf cfg.configureDb {
@@ -110,12 +102,6 @@ rec {
port = cfg.redis.port;
};
};
# systemd.tmpfiles.rules = [
# "d ${cfg.configDir} 0700 ${name} ${name} - -"
# # "d ${cfg.configDir}/server-files 0775 ${name} ${name} - -"
# # "d ${cfg.configDir}/user-files 0775 ${name} ${name} - -"
# ];
};
in
{ lib, ... }:
@@ -134,44 +120,42 @@ rec {
options = {
enable = lib.mkEnableOption description;
port = mkOpt types.int 80 "Port for ${name} to be hosted on";
port = mkOpt types.int 80 "Port for ${name} to listen on";
configDir = mkOpt types.str "/media/nas/main/appdata" "Path to the config dir";
configDir = mkOpt types.str "/var/lib/${name}" "Path to the config directory";
dataDir = mkOpt types.str "/media/nas/main" "Path to the data dir";
dataDir = mkOpt types.str "/var/lib/${name}/data" "Path to the data directory";
createUser = mkBoolOpt false "create a user for this module/service";
createUser = mkBoolOpt false "Create a dedicated system user for this service";
configureDb = mkBoolOpt false "Manage db for this service";
configureDb = mkBoolOpt false "Manage a PostgreSQL database for this service";
environmentFile = mkOpt types.str "" "Environment File";
environmentFile =
mkOpt (types.nullOr types.str) null
"Path to an environment file (EnvironmentFile=)";
puid = mkOpt types.str "911" "default user id";
puid = mkOpt types.str "911" "User ID for container-based services";
pgid = mkOpt types.str "1000" "default group id";
pgid = mkOpt types.str "100" "Group ID for container-based services";
timeZone = mkOpt types.str "America/Chicago" "default timezone";
timeZone = mkOpt types.str "UTC" "Timezone for container-based services";
listenAddress = mkOpt types.str "0.0.0.0" "Environment File";
listenAddress = mkOpt types.str "0.0.0.0" "Listen address";
openFirewall = mkBoolOpt true "Open the firewall";
enableVpn = mkBoolOpt true "Enable routing through VPN";
openFirewall = mkBoolOpt true "Open firewall ports for this service";
redis = {
enable = lib.mkEnableOption "enable redis";
port = mkOpt types.int 80 "Port for ${name} redis to be hosted on";
enable = lib.mkEnableOption "a dedicated Redis server for this service";
port = mkOpt types.int 6379 "Redis port for ${name}";
};
hashedPassword =
mkOpt (types.nullOr types.str)
"$y$j9T$EkPXmsmIMFFZ.WRrBYCxS1$P0kwo6e4.WM5DsqUcEqWC3MrZp5KfCjxffraMFZWu06"
"Hashed password for code-server authentication";
mkOpt (types.nullOr types.str) null
"Hashed password (e.g. for web-based authentication)";
extraEnvironment =
mkOpt (types.attrsOf types.str) { }
"Extra environment variables for code-server";
"Extra environment variables passed to the service";
reverseProxy = mkReverseProxyOpt name;
}
@@ -181,58 +165,15 @@ rec {
};
};
# container
mkContainer =
{
name,
localAddress ? "127.0.0.1",
ports ? [ 80 ],
bindMounts ? { },
config ? { },
}:
{ lib, ... }:
{
containers.${name} = {
inherit localAddress bindMounts;
config = config // {
networking = {
firewall = {
enable = true;
allowedTCPPorts = ports;
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
system.stateVersion = "23.11";
};
autoStart = lib.mkDefault true;
privateNetwork = lib.mkDefault true;
hostAddress = lib.mkDefault "10.0.1.3";
};
networking = {
nat.forwardPorts = map (port: {
destination = lib.mkDefault "${localAddress}:${toString port}";
sourcePort = lib.mkDefault port;
}) ports;
firewall = {
allowedTCPPorts = ports;
allowedUDPPorts = ports;
};
};
};
# Migrated mjallen utilities
# ---------------------------------------------------------------------------
# Option creation helpers
# ---------------------------------------------------------------------------
mkOpt =
type: default: description:
mkOption { inherit type default description; };
mkOpt' = type: default: mkOpt type default null;
mkOpt' = type: default: mkOpt type default "";
mkBoolOpt = mkOpt types.bool;
@@ -245,26 +186,28 @@ rec {
domain = mkOpt types.str "mjallen.dev" "Base domain for the reverse proxy";
# Override the upstream URL if the backend is not on localhost at cfg.port.
# Leave empty to use http://127.0.0.1:<port> automatically.
upstreamUrl =
mkOpt (types.nullOr types.str) null
"Override upstream URL (e.g. for services on a different host). Defaults to http://127.0.0.1:<port>.";
"Override upstream URL (e.g. for a service on a different host). Defaults to http://127.0.0.1:<port>.";
# Extra Caddyfile directives inserted inside the virtual host block.
extraCaddyConfig = mkOpt types.lines "" "Extra Caddyfile directives for this virtual host block";
extraCaddyConfig = mkOpt types.lines "" "Extra Caddyfile directives inside this virtual host block";
};
# Standard enable/disable patterns
# ---------------------------------------------------------------------------
# Convenience shorthands
# ---------------------------------------------------------------------------
enabled = {
enable = true;
};
disabled = {
enable = false;
};
# ---------------------------------------------------------------------------
# String utilities
# ---------------------------------------------------------------------------
capitalize =
s:
let
@@ -272,10 +215,16 @@ rec {
in
if len == 0 then "" else (toUpper (substring 0 1 s)) + (substring 1 len s);
# ---------------------------------------------------------------------------
# Boolean utilities
# ---------------------------------------------------------------------------
boolToNum = bool: if bool then 1 else 0;
# ---------------------------------------------------------------------------
# Attribute manipulation utilities
# ---------------------------------------------------------------------------
default-attrs = mapAttrs (_key: mkDefault);
force-attrs = mapAttrs (_key: mkForce);
@@ -284,4 +233,3 @@ rec {
nested-force-attrs = mapAttrs (_key: force-attrs);
}
// base64Lib