teml

modules/nixos/services/collabora/default.nix

@@ -5,58 +5,50 @@
   ...
 }:
 let
-  inherit (lib.${namespace}) mkOpt mkReverseProxyOpt;
+  name = "collabora";
-  cfg = config.${namespace}.services.collabora;
+  cfg = config.${namespace}.services.${name};
-
   jwtSecretFile = config.sops.secrets."jallen-nas/onlyoffice-key".path;
-in
-{
-  options.${namespace}.services.collabora = with lib; {
-    enable = lib.mkEnableOption "";
 
-    port = mkOpt types.int 9980 "Port for opencloud to be hosted on";
+  collaboraConfig = lib.${namespace}.mkModule {
+    inherit config name;
+    description = "collabora code server";
+    options = { };
+    moduleConfig = {
+      services.collabora-online = {
+        enable = true;
+        port = cfg.port;
+        settings = {
+          # Rely on reverse proxy for SSL
+          ssl = {
+            enable = false;
+            termination = true;
+          };
 
-    configPath = mkOpt types.str "/media/nas/main/nix-app-data/collabora" "Path to the data dir";
+          # Listen on loopback interface only, and accept requests from ::1
+          net = {
+            listen = cfg.listenAddress;
+            post_allow.host = [
+              "cloud.mjallen.dev"
+              "office.mjallen.dev"
+              "10.0.1.3"
+              "10.0.1.0/24"
+            ];
+            frame_ancestors = "cloud.mjallen.dev";
+          };
 
-    puid = mkOpt types.str "911" "puid";
+          # Restrict loading documents from WOPI Host
+          storage.wopi = {
+            "@allow" = true;
+            host = ["cloud.mjallen.dev"];
+          };
 
-    pgid = mkOpt types.str "1000" "pgid";
+          # Set FQDN of server
-
+          server_name = "office.mjallen.dev";
-    timeZone = mkOpt types.str "America/Chicago" "container tz";
-  };
-
-  config = lib.mkIf cfg.enable {
-    services.collabora-online = {
-      enable = true;
-      port = cfg.port;
-      settings = {
-        # Rely on reverse proxy for SSL
-        ssl = {
-          enable = false;
-          termination = true;
         };
-
-        # Listen on loopback interface only, and accept requests from ::1
-        net = {
-          listen = "0.0.0.0";
-          post_allow.host = [
-            "cloud.mjallen.dev"
-            "office.mjallen.dev"
-            "10.0.1.3"
-            "10.0.1.0/24"
-          ];
-          frame_ancestors = "cloud.mjallen.dev";
-        };
-
-        # Restrict loading documents from WOPI Host
-        storage.wopi = {
-          "@allow" = true;
-          host = ["cloud.mjallen.dev"];
-        };
-
-        # Set FQDN of server
-        server_name = "office.mjallen.dev";
       };
     };
   };
+in
+{
+  imports = [ collaboraConfig ];
 }

modules/nixos/services/crowdsec/default.nix

@@ -5,115 +5,124 @@
   ...
 }:
 let
-  cfg = config.${namespace}.services.crowdsec;
+  inherit (lib.${namespace}) mkOpt;
-in
+  name = "crowdsec";
-{
+  cfg = config.${namespace}.services.${name};
-  imports = [ ./options.nix ];
-  config = lib.mkIf cfg.enable {
 
-    services = {
+  crowdsecConfig = lib.${namespace}.mkModule {
-      crowdsec = {
+    inherit config name;
-        enable = true;
+    description = "crowdsec";
-        openFirewall = true;
+    options = with lib; {
-        hub = {
+      apiKey = mkOpt types.str "" "API key for crowdsec bouncer";
-          appSecConfigs = [
+    };
-            "crowdsecurity/appsec-default"
+    moduleConfig = {
-          ];
+      services = {
-          appSecRules = [
+        crowdsec = {
-            "crowdsecurity/base-config"
+          enable = true;
-          ];
+          openFirewall = cfg.openFirewall;
-          collections = [
+          hub = {
-            "crowdsecurity/http-cve"
+            appSecConfigs = [
-            "crowdsecurity/http-dos"
+              "crowdsecurity/appsec-default"
-            "crowdsecurity/linux"
+            ];
-            "crowdsecurity/nextcloud"
+            appSecRules = [
-            "crowdsecurity/pgsql"
+              "crowdsecurity/base-config"
-            "crowdsecurity/smb"
+            ];
-            "crowdsecurity/sshd"
+            collections = [
-            "crowdsecurity/traefik"
+              "crowdsecurity/http-cve"
-            "firix/authentik"
+              "crowdsecurity/http-dos"
-          ];
+              "crowdsecurity/linux"
-          parsers = [
+              "crowdsecurity/nextcloud"
-            "crowdsecurity/actual-budget-whitelist"
+              "crowdsecurity/pgsql"
-            "crowdsecurity/jellyfin-whitelist"
+              "crowdsecurity/smb"
-            "crowdsecurity/jellyseerr-whitelist"
+              "crowdsecurity/sshd"
-            "crowdsecurity/nextcloud-logs"
+              "crowdsecurity/traefik"
-            "crowdsecurity/nextcloud-whitelist"
+              "firix/authentik"
-            "crowdsecurity/pgsql-logs"
+            ];
-            "crowdsecurity/smb-logs"
+            parsers = [
-            "crowdsecurity/sshd-logs"
+              "crowdsecurity/actual-budget-whitelist"
-            "crowdsecurity/sshd-success-logs"
+              "crowdsecurity/jellyfin-whitelist"
-            "crowdsecurity/syslog-logs"
+              "crowdsecurity/jellyseerr-whitelist"
-          ];
+              "crowdsecurity/nextcloud-logs"
-          postOverflows = [
+              "crowdsecurity/nextcloud-whitelist"
-            "crowdsecurity/auditd-nix-wrappers-whitelist-process"
+              "crowdsecurity/pgsql-logs"
-          ];
+              "crowdsecurity/smb-logs"
-          scenarios = [
+              "crowdsecurity/sshd-logs"
-            "crowdsecurity/ssh-bf"
+              "crowdsecurity/sshd-success-logs"
-          ];
+              "crowdsecurity/syslog-logs"
-        };
+            ];
-        localConfig = {
+            postOverflows = [
-          acquisitions = [
+              "crowdsecurity/auditd-nix-wrappers-whitelist-process"
-            {
+            ];
-              journalctl_filter = [
+            scenarios = [
-                "_SYSTEMD_UNIT=authentik.service"
+              "crowdsecurity/ssh-bf"
-              ];
+            ];
-              labels = {
+          };
-                type = "syslog";
+          localConfig = {
-              };
+            acquisitions = [
-              source = "journalctl";
+              {
-            }
+                journalctl_filter = [
-            {
+                  "_SYSTEMD_UNIT=authentik.service"
-              journalctl_filter = [
+                ];
-                "_SYSTEMD_UNIT=postgresql.service"
+                labels = {
-              ];
+                  type = "syslog";
-              labels = {
+                };
-                type = "syslog";
+                source = "journalctl";
-              };
+              }
-              source = "journalctl";
+              {
-            }
+                journalctl_filter = [
-            {
+                  "_SYSTEMD_UNIT=postgresql.service"
-              journalctl_filter = [
+                ];
-                "_SYSTEMD_UNIT=smbd.service"
+                labels = {
-              ];
+                  type = "syslog";
-              labels = {
+                };
-                type = "syslog";
+                source = "journalctl";
-              };
+              }
-              source = "journalctl";
+              {
-            }
+                journalctl_filter = [
-            {
+                  "_SYSTEMD_UNIT=smbd.service"
-              journalctl_filter = [
+                ];
-                "_SYSTEMD_UNIT=sshd.service"
+                labels = {
-              ];
+                  type = "syslog";
-              labels = {
+                };
-                type = "syslog";
+                source = "journalctl";
-              };
+              }
-              source = "journalctl";
+              {
-            }
+                journalctl_filter = [
-            {
+                  "_SYSTEMD_UNIT=sshd.service"
-              journalctl_filter = [
+                ];
-                "_SYSTEMD_UNIT=traefik.service"
+                labels = {
-              ];
+                  type = "syslog";
-              labels = {
+                };
-                type = "syslog";
+                source = "journalctl";
-              };
+              }
-              source = "journalctl";
+              {
-            }
+                journalctl_filter = [
-          ];
+                  "_SYSTEMD_UNIT=traefik.service"
-        };
+                ];
-        settings = {
+                labels = {
-          general.api = {
+                  type = "syslog";
-            server = {
+                };
-              enable = true;
+                source = "journalctl";
-              listen_uri = "${cfg.apiAddress}:${toString cfg.port}";
+              }
-            };
+            ];
-            client = {
+          };
-              credentials_path = lib.mkForce "/media/nas/main/nix-app-data/crowdsec/client.yaml";
+          settings = {
-            };
+            general.api = {
+              server = {
+                enable = true;
+                listen_uri = "${cfg.listenAddress}:${toString cfg.port}";
+              };
+              client = {
+                credentials_path = lib.mkForce "/media/nas/main/nix-app-data/crowdsec/client.yaml";
+              };
+            };
+            capi.credentialsFile = lib.mkDefault "/media/nas/main/nix-app-data/crowdsec/capi.yaml";
           };
-          capi.credentialsFile = lib.mkDefault "/media/nas/main/nix-app-data/crowdsec/capi.yaml";
         };
       };
     };
   };
+in
+{
+  imports = [ crowdsecConfig ];
 }

overlays/redis/default.nix

@@ -3,4 +3,10 @@ final: _prev: {
   redis = final.valkey;
   uv = final.stable.uv;
   onnxruntime = final.stable.onnxruntime;
+  firefox = final.stable.firefox;
+  orca-slicer = final.stable.orca-slicer;
+  kde-connect = final.stable.kde-connect;
+  kdeconnect-kde = final.stable.kdeconnect-kde;
+  webkit-gtk = final.stable.webkit-gtk;
+  qtwebengine = final.stable.qtwebengine;
 }