diff --git a/modules/nixos/services/actual/default.nix b/modules/nixos/services/actual/default.nix
index 325eae0..e363480 100644
--- a/modules/nixos/services/actual/default.nix
+++ b/modules/nixos/services/actual/default.nix
@@ -102,13 +102,16 @@ let bindMounts = bindMounts; config = actualConfig; }) { inherit lib; }; -in -{ - imports = [ ./options.nix ]; - - config = mkIf cfg.enable { + + fullConfig = { ${namespace}.services.traefik = lib.mkIf cfg.reverseProxy.enable { reverseProxies = [ reverseProxyConfig ]; }; } // actualContainer; +in +{ + imports = [ ./options.nix ]; + + config = mkIf cfg.enable fullConfig; } +
diff --git a/modules/nixos/services/gitea/default.nix b/modules/nixos/services/gitea/default.nix
index 1da8610..78bc6eb 100644
--- a/modules/nixos/services/gitea/default.nix
+++ b/modules/nixos/services/gitea/default.nix
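Review bot: The merged attribute set is named `fullConfig` here but `giteaConfig` in the parallel rewrite of gitea/default.nix, while the inner container body is `actualConfig` here and `serviceConfig` there, so the two modules now read with swapped naming conventions. Pick one pair (e.g. `serviceConfig` for the container body and `fullConfig` for the merged set) and use it in both files; `actualConfig` is defined above this hunk, so that half of the rename falls outside the shown lines. The hunk also appends a trailing blank line after the closing `}`, which most Nix formatters will strip again.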
@@ -7,139 +7,109 @@ with lib; let cfg = config.${namespace}.services.gitea; - hostAddress = "10.0.1.3"; - # localAddress = "10.0.4.18"; - # httpPort = 3000; - # sshPort = 2222; rootUrl = "https://gitea.mjallen.dev/"; - # stateDir = "/media/nas/main/nix-app-data/gitea"; dataDir = "/var/lib/gitea"; secretsDir = "/run/secrets/jallen-nas/gitea"; mailerPasswordFile = config.sops.secrets."jallen-nas/gitea/mail-key".path; metricsTokenFile = config.sops.secrets."jallen-nas/gitea/metrics-key".path; + + serviceConfig = + { lib, ... }: + { + services.gitea = { + enable = true; + stateDir = dataDir; + mailerPasswordFile = mailerPasswordFile; + metricsTokenFile = metricsTokenFile; + settings = { + server = { + DOMAIN = "jallen-nas"; + HTTP_ADDR = "0.0.0.0"; + HTTP_PORT = cfg.httpPort; + PROTOCOL = "http"; + ROOT_URL = rootUrl; + START_SSH_SERVER = true; + SSH_PORT = cfg.sshPort; + }; + service = { + REGISTER_EMAIL_CONFIRM = false; + ENABLE_CAPTCHA = false; + DISABLE_REGISTRATION = true; + ENABLE_OPENID_SIGNIN = false; + ENABLE_LDAP_SIGNIN = false; + ENABLE_SSH_SIGNIN = true; + ENABLE_BUILTIN_SSH_SERVER = true; + ENABLE_REVERSE_PROXY_AUTHENTICATION = true; + }; + }; + }; + + users.users.gitea = { + extraGroups = [ "keys" ]; + }; + + networking = { + firewall = { + enable = true; + allowedTCPPorts = [ + cfg.httpPort + cfg.sshPort + ]; + }; + # Use systemd-resolved inside the container + # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 + useHostResolvConf = lib.mkForce false; + }; + + # Create and set permissions for required directories + system.activationScripts.gitea-dirs = '' + mkdir -p /var/lib/gitea + chown -R gitea:gitea /var/lib/gitea + chmod -R 775 /var/lib/gitea + mkdir -p /run/secrets/jallen-nas + chown -R gitea:gitea /run/secrets/jallen-nas + chmod -R 775 /run/secrets/jallen-nas + ''; + + services.resolved.enable = true; + system.stateVersion = "23.11"; + }; + + bindMounts = { + ${dataDir} = { + hostPath = cfg.dataDir; + isReadOnly = false; + }; + 
secrets = { + hostPath = secretsDir; + isReadOnly = true; + mountPoint = secretsDir; + }; + }; + + # Create reverse proxy configuration using mkReverseProxy + reverseProxyConfig = lib.${namespace}.mkReverseProxy { + name = "gitea"; + subdomain = cfg.reverseProxy.subdomain; + url = "http://${cfg.localAddress}:${toString cfg.httpPort}"; + middlewares = cfg.reverseProxy.middlewares; + }; + + containerConfig = (lib.${namespace}.mkContainer { + name = "gitea"; + localAddress = cfg.localAddress; + port = cfg.httpPort; + bindMounts = bindMounts; + config = serviceConfig; + }) { inherit lib; }; + + giteaConfig = { + ${namespace}.services.traefik = lib.mkIf cfg.reverseProxy.enable { + reverseProxies = [ reverseProxyConfig ]; + }; + } // containerConfig; in { imports = [ ./options.nix ]; - config = mkIf cfg.enable { - containers.gitea = { - autoStart = true; - privateNetwork = true; - hostAddress = hostAddress; - localAddress = cfg.localAddress; - - bindMounts = { - ${dataDir} = { - hostPath = cfg.dataDir; - isReadOnly = false; - }; - secrets = { - hostPath = secretsDir; - isReadOnly = true; - mountPoint = secretsDir; - }; - }; - - config = - { lib, ... 
}: - { - services.gitea = { - enable = true; - stateDir = dataDir; - mailerPasswordFile = mailerPasswordFile; - metricsTokenFile = metricsTokenFile; - settings = { - server = { - DOMAIN = "jallen-nas"; - HTTP_ADDR = "0.0.0.0"; - HTTP_PORT = cfg.httpPort; - PROTOCOL = "http"; - ROOT_URL = rootUrl; - START_SSH_SERVER = true; - SSH_PORT = cfg.sshPort; - }; - service = { - REGISTER_EMAIL_CONFIRM = false; - ENABLE_CAPTCHA = false; - DISABLE_REGISTRATION = true; - ENABLE_OPENID_SIGNIN = false; - ENABLE_LDAP_SIGNIN = false; - ENABLE_SSH_SIGNIN = true; - ENABLE_BUILTIN_SSH_SERVER = true; - ENABLE_REVERSE_PROXY_AUTHENTICATION = true; - }; - }; - }; - - users.users.gitea = { - extraGroups = [ "keys" ]; - }; - - networking = { - firewall = { - enable = true; - allowedTCPPorts = [ - cfg.httpPort - cfg.sshPort - ]; - }; - # Use systemd-resolved inside the container - # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 - useHostResolvConf = lib.mkForce false; - }; - - # Create and set permissions for required directories - system.activationScripts.gitea-dirs = '' - mkdir -p /var/lib/gitea - chown -R gitea:gitea /var/lib/gitea - chmod -R 775 /var/lib/gitea - mkdir -p /run/secrets/jallen-nas - chown -R gitea:gitea /run/secrets/jallen-nas - chmod -R 775 /run/secrets/jallen-nas - ''; - - services.resolved.enable = true; - system.stateVersion = "23.11"; - }; - }; - - services.traefik.dynamicConfigOptions = lib.mkIf cfg.reverseProxy.enable { - services.gitea.loadBalancer.servers = [ - { - url = "http://${cfg.localAddress}:${toString cfg.httpPort}"; - } - ]; - routers.gitea = { - entryPoints = [ "websecure" ]; - rule = "Host(`${cfg.reverseProxy.host}`)"; - service = "gitea"; - middlewares = cfg.reverseProxy.middlewares; - tls.certResolver = "letsencrypt"; - }; - }; - - networking = { - nat = { - forwardPorts = [ - { - destination = "${cfg.localAddress}:${toString cfg.httpPort}"; - sourcePort = cfg.httpPort; - } - { - destination = "${cfg.localAddress}:${toString 
cfg.sshPort}"; - sourcePort = cfg.sshPort; - } - ]; - }; - firewall = { - allowedTCPPorts = [ - cfg.httpPort - cfg.sshPort - ]; - allowedUDPPorts = [ - cfg.httpPort - cfg.sshPort - ]; - }; - }; - }; + config = mkIf cfg.enable giteaConfig; }
diff --git a/modules/nixos/services/gitea/options.nix b/modules/nixos/services/gitea/options.nix
index af34b09..685af55 100644
--- a/modules/nixos/services/gitea/options.nix
+++ b/modules/nixos/services/gitea/options.nix
@@ -24,19 +24,6 @@ with lib; default = ""; }; - reverseProxy = { - enable = mkOption { - type = types.bool; - default = false; - }; - host = mkOption { - type = types.str; - default = ""; - }; - middlewares = mkOption { - type = with types; listOf str; - default = [ ]; - }; - }; + reverseProxy = lib.${namespace}.mkReverseProxyOpt; }; }
diff --git a/modules/nixos/services/nextcloud/default.nix b/modules/nixos/services/nextcloud/default.nix
index a26ea28..7baa306 100755
--- a/modules/nixos/services/nextcloud/default.nix
+++ b/modules/nixos/services/nextcloud/default.nix
@@ -20,9 +20,9 @@ let nextcloudPortExtHttps = 9943; onlyofficePortExt = 9943; - nextcloudPhotos = pkgs.${namespace}.photos; - nextcloudPdfViewer = pkgs.${namespace}.pdfviewer; - nextcloudAssist = pkgs.${namespace}.assistant; + nextcloudPhotos = pkgs.${namespace}.nextcloud-app-photos; + nextcloudPdfViewer = pkgs.${namespace}.nextcloud-app-pdfviewer; + nextcloudAssist = pkgs.${namespace}.nextcloud-app-assistant; in { imports = [ ./options.nix ];
diff --git a/packages/nextcloud/assistant/default.nix b/packages/nextcloud/nextcloud-app-assistant/default.nix
similarity index 86%
rename from packages/nextcloud/assistant/default.nix
rename to packages/nextcloud/nextcloud-app-assistant/default.nix
index edf1849..72aa41b 100644
--- a/packages/nextcloud/assistant/default.nix
+++ b/packages/nextcloud/nextcloud-app-assistant/default.nix
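Review bot: `containerConfig` hands mkContainer only `port = cfg.httpPort`, while the removed host-side `networking.nat.forwardPorts` block also forwarded `cfg.sshPort`; unless mkContainer (defined outside this diff) forwards a second port on its own, the built-in SSH server enabled by `START_SSH_SERVER = true` on `SSH_PORT = cfg.sshPort` is no longer reachable from outside the container after this change. Separately, the activation script carried into `serviceConfig` runs `chown -R` and `chmod -R 775` over `/run/secrets/jallen-nas`, whose `gitea` subtree is the `secrets` bind mount declared with `isReadOnly = true`; on that mount the commands can only fail, and anywhere they did succeed they would leave the mailer password and metrics token (presumably the sops paths under `secretsDir`) readable by every user in the container. I would drop the three `/run/secrets` lines from `gitea-dirs` and set owner and a restrictive mode on the host where the sops secrets are declared, keeping the script to the `/var/lib/gitea` directories it actually needs to create.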
@@ -3,7 +3,7 @@ ... }: fetchNextcloudApp { - name = "assistant"; + name = "nextcloud-app-assistant"; sha256 = "sha256-kW2rbgfhCg4RHp/RW+L1vuoyVXOp5r4Mc1VdI0g5cXA="; url = "https://github.com/nextcloud/assistant/archive/refs/tags/v2.8.0.tar.gz"; license = "agpl3Only";
diff --git a/packages/nextcloud/pdfviewer/default.nix b/packages/nextcloud/nextcloud-app-pdfviewer/default.nix
similarity index 84%
rename from packages/nextcloud/pdfviewer/default.nix
rename to packages/nextcloud/nextcloud-app-pdfviewer/default.nix
index cd1bcf0..99bc520 100644
--- a/packages/nextcloud/pdfviewer/default.nix
+++ b/packages/nextcloud/nextcloud-app-pdfviewer/default.nix
@@ -3,7 +3,7 @@ ... }: fetchNextcloudApp { - name = "files_pdfviewer"; + name = "nextcloud-app-files_pdfviewer"; sha256 = "sha256-TeNOzRczeXK15DURrZ5al0cvXhRj7+y1VA4axPROvD4="; url = "https://github.com/nextcloud/files_pdfviewer/archive/refs/tags/v31.0.8.tar.gz"; license = "agpl3Only";
diff --git a/packages/nextcloud/photos/default.nix b/packages/nextcloud/nextcloud-app-photos/default.nix
similarity index 87%
rename from packages/nextcloud/photos/default.nix
rename to packages/nextcloud/nextcloud-app-photos/default.nix
index 34d8121..32c4ac4 100644
--- a/packages/nextcloud/photos/default.nix
+++ b/packages/nextcloud/nextcloud-app-photos/default.nix
@@ -3,7 +3,7 @@ ... }: fetchNextcloudApp { - name = "photos"; + name = "nextcloud-app-photos"; sha256 = "sha256-F2hh/0RlLG2zcEatfd4fejRV0i2hMkwONM4P7nhdh18="; url = "https://github.com/nextcloud/photos/archive/refs/tags/v31.0.8.tar.gz"; license = "agpl3Only";
diff --git a/systems/x86_64-linux/jallen-nas/apps.nix b/systems/x86_64-linux/jallen-nas/apps.nix
index af1fd64..687e09e 100755
--- a/systems/x86_64-linux/jallen-nas/apps.nix
+++ b/systems/x86_64-linux/jallen-nas/apps.nix
@@ -79,7 +79,7 @@ dataDir = "/media/nas/main/nix-app-data/gitea"; reverseProxy = { enable = true; - host = "gitea.mjallen.dev"; + subdomain = "gitea"; middlewares = [ "crowdsec" "whitelist-geoblock"