mjallen18
2025-09-09 21:43:09 -05:00
parent fc4096d5d9
commit efbbfde6f5
8 changed files with 113 additions and 153 deletions


@@ -102,13 +102,16 @@ let
bindMounts = bindMounts; bindMounts = bindMounts;
config = actualConfig; config = actualConfig;
}) { inherit lib; }; }) { inherit lib; };
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable { fullConfig = {
${namespace}.services.traefik = lib.mkIf cfg.reverseProxy.enable { ${namespace}.services.traefik = lib.mkIf cfg.reverseProxy.enable {
reverseProxies = [ reverseProxyConfig ]; reverseProxies = [ reverseProxyConfig ];
}; };
} // actualContainer; } // actualContainer;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable fullConfig;
} }
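Review bot: `fullConfig = { ${namespace}.services.traefik = …; } // actualContainer;` composes the two halves with the Nix `//` operator, which is a shallow right-biased attribute update rather than a module merge: if `actualContainer` ever carries a `${namespace}` attribute, the Traefik reverse-proxy registration on the left is silently replaced without any evaluation error, and the `lib.mkIf` nested inside it only survives because the keys happen to be disjoint today. `config = mkIf cfg.enable (lib.mkMerge [ { ${namespace}.services.traefik = lib.mkIf cfg.reverseProxy.enable { reverseProxies = [ reverseProxyConfig ]; }; } actualContainer ]);` produces the same configuration now and keeps merging correctly when either side grows. The same `//` composition is introduced in the Gitea module of this commit as `giteaConfig = { … } // containerConfig;`. The enclosing `let` starts before this hunk, so the shape of what mkContainer returns is not visible here.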


@@ -7,139 +7,109 @@
with lib; with lib;
let let
cfg = config.${namespace}.services.gitea; cfg = config.${namespace}.services.gitea;
hostAddress = "10.0.1.3";
# localAddress = "10.0.4.18";
# httpPort = 3000;
# sshPort = 2222;
rootUrl = "https://gitea.mjallen.dev/"; rootUrl = "https://gitea.mjallen.dev/";
# stateDir = "/media/nas/main/nix-app-data/gitea";
dataDir = "/var/lib/gitea"; dataDir = "/var/lib/gitea";
secretsDir = "/run/secrets/jallen-nas/gitea"; secretsDir = "/run/secrets/jallen-nas/gitea";
mailerPasswordFile = config.sops.secrets."jallen-nas/gitea/mail-key".path; mailerPasswordFile = config.sops.secrets."jallen-nas/gitea/mail-key".path;
metricsTokenFile = config.sops.secrets."jallen-nas/gitea/metrics-key".path; metricsTokenFile = config.sops.secrets."jallen-nas/gitea/metrics-key".path;
serviceConfig =
{ lib, ... }:
{
services.gitea = {
enable = true;
stateDir = dataDir;
mailerPasswordFile = mailerPasswordFile;
metricsTokenFile = metricsTokenFile;
settings = {
server = {
DOMAIN = "jallen-nas";
HTTP_ADDR = "0.0.0.0";
HTTP_PORT = cfg.httpPort;
PROTOCOL = "http";
ROOT_URL = rootUrl;
START_SSH_SERVER = true;
SSH_PORT = cfg.sshPort;
};
service = {
REGISTER_EMAIL_CONFIRM = false;
ENABLE_CAPTCHA = false;
DISABLE_REGISTRATION = true;
ENABLE_OPENID_SIGNIN = false;
ENABLE_LDAP_SIGNIN = false;
ENABLE_SSH_SIGNIN = true;
ENABLE_BUILTIN_SSH_SERVER = true;
ENABLE_REVERSE_PROXY_AUTHENTICATION = true;
};
};
};
users.users.gitea = {
extraGroups = [ "keys" ];
};
networking = {
firewall = {
enable = true;
allowedTCPPorts = [
cfg.httpPort
cfg.sshPort
];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
# Create and set permissions for required directories
system.activationScripts.gitea-dirs = ''
mkdir -p /var/lib/gitea
chown -R gitea:gitea /var/lib/gitea
chmod -R 775 /var/lib/gitea
mkdir -p /run/secrets/jallen-nas
chown -R gitea:gitea /run/secrets/jallen-nas
chmod -R 775 /run/secrets/jallen-nas
'';
services.resolved.enable = true;
system.stateVersion = "23.11";
};
bindMounts = {
${dataDir} = {
hostPath = cfg.dataDir;
isReadOnly = false;
};
secrets = {
hostPath = secretsDir;
isReadOnly = true;
mountPoint = secretsDir;
};
};
# Create reverse proxy configuration using mkReverseProxy
reverseProxyConfig = lib.${namespace}.mkReverseProxy {
name = "gitea";
subdomain = cfg.reverseProxy.subdomain;
url = "http://${cfg.localAddress}:${toString cfg.httpPort}";
middlewares = cfg.reverseProxy.middlewares;
};
containerConfig = (lib.${namespace}.mkContainer {
name = "gitea";
localAddress = cfg.localAddress;
port = cfg.httpPort;
bindMounts = bindMounts;
config = serviceConfig;
}) { inherit lib; };
giteaConfig = {
${namespace}.services.traefik = lib.mkIf cfg.reverseProxy.enable {
reverseProxies = [ reverseProxyConfig ];
};
} // containerConfig;
in in
{ {
imports = [ ./options.nix ]; imports = [ ./options.nix ];
config = mkIf cfg.enable { config = mkIf cfg.enable giteaConfig;
containers.gitea = {
autoStart = true;
privateNetwork = true;
hostAddress = hostAddress;
localAddress = cfg.localAddress;
bindMounts = {
${dataDir} = {
hostPath = cfg.dataDir;
isReadOnly = false;
};
secrets = {
hostPath = secretsDir;
isReadOnly = true;
mountPoint = secretsDir;
};
};
config =
{ lib, ... }:
{
services.gitea = {
enable = true;
stateDir = dataDir;
mailerPasswordFile = mailerPasswordFile;
metricsTokenFile = metricsTokenFile;
settings = {
server = {
DOMAIN = "jallen-nas";
HTTP_ADDR = "0.0.0.0";
HTTP_PORT = cfg.httpPort;
PROTOCOL = "http";
ROOT_URL = rootUrl;
START_SSH_SERVER = true;
SSH_PORT = cfg.sshPort;
};
service = {
REGISTER_EMAIL_CONFIRM = false;
ENABLE_CAPTCHA = false;
DISABLE_REGISTRATION = true;
ENABLE_OPENID_SIGNIN = false;
ENABLE_LDAP_SIGNIN = false;
ENABLE_SSH_SIGNIN = true;
ENABLE_BUILTIN_SSH_SERVER = true;
ENABLE_REVERSE_PROXY_AUTHENTICATION = true;
};
};
};
users.users.gitea = {
extraGroups = [ "keys" ];
};
networking = {
firewall = {
enable = true;
allowedTCPPorts = [
cfg.httpPort
cfg.sshPort
];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
# Create and set permissions for required directories
system.activationScripts.gitea-dirs = ''
mkdir -p /var/lib/gitea
chown -R gitea:gitea /var/lib/gitea
chmod -R 775 /var/lib/gitea
mkdir -p /run/secrets/jallen-nas
chown -R gitea:gitea /run/secrets/jallen-nas
chmod -R 775 /run/secrets/jallen-nas
'';
services.resolved.enable = true;
system.stateVersion = "23.11";
};
};
services.traefik.dynamicConfigOptions = lib.mkIf cfg.reverseProxy.enable {
services.gitea.loadBalancer.servers = [
{
url = "http://${cfg.localAddress}:${toString cfg.httpPort}";
}
];
routers.gitea = {
entryPoints = [ "websecure" ];
rule = "Host(`${cfg.reverseProxy.host}`)";
service = "gitea";
middlewares = cfg.reverseProxy.middlewares;
tls.certResolver = "letsencrypt";
};
};
networking = {
nat = {
forwardPorts = [
{
destination = "${cfg.localAddress}:${toString cfg.httpPort}";
sourcePort = cfg.httpPort;
}
{
destination = "${cfg.localAddress}:${toString cfg.sshPort}";
sourcePort = cfg.sshPort;
}
];
};
firewall = {
allowedTCPPorts = [
cfg.httpPort
cfg.sshPort
];
allowedUDPPorts = [
cfg.httpPort
cfg.sshPort
];
};
};
};
} }
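Review bot: The activation script carried onto the new side, `chmod -R 775 /var/lib/gitea` and `chmod -R 775 /run/secrets/jallen-nas`, makes every file under the Gitea state directory (which typically holds app.ini and, for a SQLite setup, the database) and under the secrets tree world-readable inside the container, which is far wider than a service-private state dir or a secrets mount should be; `chmod -R o-rwx` (directories 750, files 640) or leaving ownership handling to the gitea module is the defensive choice. The secrets bind mount is declared `isReadOnly = true`, so the recursive chown/chmod descending into `/run/secrets/jallen-nas/gitea` fails on the read-only mount in any case, which makes those two lines either dead or a source of activation errors and they should be dropped. `ENABLE_REVERSE_PROXY_AUTHENTICATION = true` combined with `HTTP_ADDR = "0.0.0.0"` and `allowedTCPPorts = [ cfg.httpPort cfg.sshPort ]` means the proxy-auth header is accepted on a port that is reachable by more than Traefik, so confirm that `security.REVERSE_PROXY_TRUSTED_PROXIES` is restricted to the Traefik host so the header is honoured only from it. The host-side `networking.nat.forwardPorts` entry for `cfg.sshPort` was removed and only `port = cfg.httpPort` is passed to mkContainer, so unless mkContainer forwards the SSH port itself (not visible here), the built-in SSH server on `SSH_PORT = cfg.sshPort` is no longer reachable from outside the host.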


@@ -24,19 +24,6 @@ with lib;
default = ""; default = "";
}; };
reverseProxy = { reverseProxy = lib.${namespace}.mkReverseProxyOpt;
enable = mkOption {
type = types.bool;
default = false;
};
host = mkOption {
type = types.str;
default = "";
};
middlewares = mkOption {
type = with types; listOf str;
default = [ ];
};
};
}; };
} }


@@ -20,9 +20,9 @@ let
nextcloudPortExtHttps = 9943; nextcloudPortExtHttps = 9943;
onlyofficePortExt = 9943; onlyofficePortExt = 9943;
nextcloudPhotos = pkgs.${namespace}.photos; nextcloudPhotos = pkgs.${namespace}.nextcloud-app-photos;
nextcloudPdfViewer = pkgs.${namespace}.pdfviewer; nextcloudPdfViewer = pkgs.${namespace}.nextcloud-app-pdfviewer;
nextcloudAssist = pkgs.${namespace}.assistant; nextcloudAssist = pkgs.${namespace}.nextcloud-app-assistant;
in in
{ {
imports = [ ./options.nix ]; imports = [ ./options.nix ];


@@ -3,7 +3,7 @@
... ...
}: }:
fetchNextcloudApp { fetchNextcloudApp {
name = "assistant"; name = "nextcloud-app-assistant";
sha256 = "sha256-kW2rbgfhCg4RHp/RW+L1vuoyVXOp5r4Mc1VdI0g5cXA="; sha256 = "sha256-kW2rbgfhCg4RHp/RW+L1vuoyVXOp5r4Mc1VdI0g5cXA=";
url = "https://github.com/nextcloud/assistant/archive/refs/tags/v2.8.0.tar.gz"; url = "https://github.com/nextcloud/assistant/archive/refs/tags/v2.8.0.tar.gz";
license = "agpl3Only"; license = "agpl3Only";


@@ -3,7 +3,7 @@
... ...
}: }:
fetchNextcloudApp { fetchNextcloudApp {
name = "files_pdfviewer"; name = "nextcloud-app-files_pdfviewer";
sha256 = "sha256-TeNOzRczeXK15DURrZ5al0cvXhRj7+y1VA4axPROvD4="; sha256 = "sha256-TeNOzRczeXK15DURrZ5al0cvXhRj7+y1VA4axPROvD4=";
url = "https://github.com/nextcloud/files_pdfviewer/archive/refs/tags/v31.0.8.tar.gz"; url = "https://github.com/nextcloud/files_pdfviewer/archive/refs/tags/v31.0.8.tar.gz";
license = "agpl3Only"; license = "agpl3Only";


@@ -3,7 +3,7 @@
... ...
}: }:
fetchNextcloudApp { fetchNextcloudApp {
name = "photos"; name = "nextcloud-app-photos";
sha256 = "sha256-F2hh/0RlLG2zcEatfd4fejRV0i2hMkwONM4P7nhdh18="; sha256 = "sha256-F2hh/0RlLG2zcEatfd4fejRV0i2hMkwONM4P7nhdh18=";
url = "https://github.com/nextcloud/photos/archive/refs/tags/v31.0.8.tar.gz"; url = "https://github.com/nextcloud/photos/archive/refs/tags/v31.0.8.tar.gz";
license = "agpl3Only"; license = "agpl3Only";


@@ -79,7 +79,7 @@
dataDir = "/media/nas/main/nix-app-data/gitea"; dataDir = "/media/nas/main/nix-app-data/gitea";
reverseProxy = { reverseProxy = {
enable = true; enable = true;
host = "gitea.mjallen.dev"; subdomain = "gitea";
middlewares = [ middlewares = [
"crowdsec" "crowdsec"
"whitelist-geoblock" "whitelist-geoblock"
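Review bot: `subdomain = "gitea";` now selects the Traefik router host through mkReverseProxy, while the Gitea module changed in this same commit still hard-codes `rootUrl = "https://gitea.mjallen.dev/";` for ROOT_URL, so the URL Gitea advertises and the host Traefik routes are derived independently and will drift silently if the subdomain or the base domain is ever changed. If mkReverseProxy exposes the composed host or the base domain, it would be safer to build rootUrl from `cfg.reverseProxy.subdomain` inside the module; failing that, a comment in options.nix stating that the two must agree is the minimum. The enclosing attribute set continues past this hunk.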