Compare commits

..

1 commit

Author SHA1 Message Date
Tristan Daniël Maat aef71f548a
WIP: authelia: Add SSO 2024-06-14 01:01:39 +02:00
40 changed files with 1167 additions and 1064 deletions

View file

@ -1,11 +0,0 @@
# Run this command to always ignore formatting commits in `git blame`
# git config blame.ignoreRevsFile .git-blame-ignore-revs
# Switch to nixfmt formatting
04f7a7ef1d38906163afc9cddfa8ce2b0ebf3b45
# Switch to nixpkgs-fmt formatting
fd138d45e6a2cad89fead6e9f246ba282070d6b7
# Switch to alejandra formatting
046a88905ddfa7f9edc3291c310dbb985dee34f9

View file

@ -5,8 +5,7 @@
modulesPath, modulesPath,
flake-inputs, flake-inputs,
... ...
}: }: {
{
imports = [ imports = [
flake-inputs.disko.nixosModules.disko flake-inputs.disko.nixosModules.disko
flake-inputs.sops-nix.nixosModules.sops flake-inputs.sops-nix.nixosModules.sops
@ -16,6 +15,7 @@
(import ../modules) (import ../modules)
./services/afvalcalendar.nix ./services/afvalcalendar.nix
./services/auth.nix
./services/backups.nix ./services/backups.nix
./services/battery-manager.nix ./services/battery-manager.nix
./services/conduit.nix ./services/conduit.nix
@ -26,7 +26,7 @@
./services/nextcloud.nix ./services/nextcloud.nix
./services/webserver.nix ./services/webserver.nix
./services/wireguard.nix ./services/wireguard.nix
# ./services/starbound.nix -- Not currently used ./services/starbound.nix
./services/postgres.nix ./services/postgres.nix
./nginx.nix ./nginx.nix
./sops.nix ./sops.nix
@ -51,12 +51,12 @@
settings.trusted-users = ["@wheel"]; settings.trusted-users = ["@wheel"];
}; };
nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) ["steam-original" "steam-runtime" "steam-run" "steamcmd"];
# Optimization for minecraft servers, see: # Optimization for minecraft servers, see:
# https://bugs.mojang.com/browse/MC-183518 # https://bugs.mojang.com/browse/MC-183518
boot.kernelParams = [ boot.kernelParams = ["highres=off" "nohz=off"];
"highres=off"
"nohz=off"
];
networking = { networking = {
usePredictableInterfaceNames = false; usePredictableInterfaceNames = false;

View file

@ -25,7 +25,9 @@
}; };
} }
# IPv6 # IPv6
{ addressConfig.Address = "2a01:4f8:10b:3c85::2/64"; } {
addressConfig.Address = "2a01:4f8:10b:3c85::2/64";
}
]; ];
networkConfig = { networkConfig = {

View file

@ -1,6 +1,5 @@
{ {
disko.devices.disk = disko.devices.disk = let
let
bootPartition = { bootPartition = {
size = "1M"; size = "1M";
type = "EF02"; type = "EF02";
@ -19,12 +18,8 @@
}; };
}; };
mountOptions = [ mountOptions = ["compress=zstd" "noatime"];
"compress=zstd" in {
"noatime"
];
in
{
sda = { sda = {
type = "disk"; type = "disk";
device = "/dev/sda"; device = "/dev/sda";
@ -57,15 +52,7 @@
type = "btrfs"; type = "btrfs";
# Hack to get multi-device btrfs going # Hack to get multi-device btrfs going
# See https://github.com/nix-community/disko/issues/99 # See https://github.com/nix-community/disko/issues/99
extraArgs = [ extraArgs = ["-d" "raid1" "-m" "raid1" "--runtime-features" "quota" "/dev/sda3"];
"-d"
"raid1"
"-m"
"raid1"
"--runtime-features"
"quota"
"/dev/sda3"
];
subvolumes = { subvolumes = {
"/volume" = {}; "/volume" = {};
"/volume/root" = { "/volume/root" = {

View file

@ -1,5 +1,4 @@
{ lib, ... }: {lib, ...}: {
{
users.users.tlater.password = "insecure"; users.users.tlater.password = "insecure";
# Disable graphical tty so -curses works # Disable graphical tty so -curses works

View file

@ -1,5 +1,8 @@
{ config, lib, ... }:
{ {
config,
lib,
...
}: {
services.nginx = { services.nginx = {
enable = true; enable = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
@ -24,8 +27,7 @@
# Override the default, just keep fewer logs # Override the default, just keep fewer logs
nginx.rotate = 6; nginx.rotate = 6;
} }
// lib.mapAttrs' ( // lib.mapAttrs' (virtualHost: _:
virtualHost: _:
lib.nameValuePair "/var/log/nginx/${virtualHost}/access.log" { lib.nameValuePair "/var/log/nginx/${virtualHost}/access.log" {
frequency = "daily"; frequency = "daily";
rotate = 2; rotate = 2;
@ -33,14 +35,16 @@
delaycompress = true; delaycompress = true;
su = "${config.services.nginx.user} ${config.services.nginx.group}"; su = "${config.services.nginx.user} ${config.services.nginx.group}";
postrotate = "[ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`"; postrotate = "[ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`";
} })
) config.services.nginx.virtualHosts; config.services.nginx.virtualHosts;
systemd.tmpfiles.rules = lib.mapAttrsToList ( systemd.tmpfiles.rules =
lib.mapAttrsToList (
virtualHost: _: virtualHost: _:
# #
"d /var/log/nginx/${virtualHost} 0750 ${config.services.nginx.user} ${config.services.nginx.group}" "d /var/log/nginx/${virtualHost} 0750 ${config.services.nginx.user} ${config.services.nginx.group}"
) config.services.nginx.virtualHosts; )
config.services.nginx.virtualHosts;
security.acme = { security.acme = {
defaults.email = "tm@tlater.net"; defaults.email = "tm@tlater.net";
@ -56,8 +60,8 @@
services.backups.acme = { services.backups.acme = {
user = "acme"; user = "acme";
paths = lib.mapAttrsToList ( paths =
virtualHost: _: "/var/lib/acme/${virtualHost}" lib.mapAttrsToList (virtualHost: _: "/var/lib/acme/${virtualHost}")
) config.services.nginx.virtualHosts; config.services.nginx.virtualHosts;
}; };
} }

View file

@ -1,5 +1,8 @@
{ pkgs, config, ... }:
{ {
pkgs,
config,
...
}: {
systemd.services.afvalcalendar = { systemd.services.afvalcalendar = {
description = "Enschede afvalcalendar -> ical converter"; description = "Enschede afvalcalendar -> ical converter";
wantedBy = ["multi-user.target"]; wantedBy = ["multi-user.target"];
@ -23,23 +26,16 @@
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectKernelLogs = true; ProtectKernelLogs = true;
ProtectControlGroups = true; ProtectControlGroups = true;
RestrictAddressFamilies = [ RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
"AF_UNIX"
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true; RestrictNamespaces = true;
LockPersonality = true; LockPersonality = true;
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = [ SystemCallFilter = ["@system-service" "~@privileged @resources @setuid @keyring"];
"@system-service"
"~@privileged @resources @setuid @keyring"
];
Umask = 2; Umask = 0002;
SupplementaryGroups = "afvalcalendar-hosting"; SupplementaryGroups = "afvalcalendar-hosting";
ReadWritePaths = "/srv/afvalcalendar"; ReadWritePaths = "/srv/afvalcalendar";

View file

@ -0,0 +1,95 @@
{
pkgs,
config,
...
}: let
user = config.services.authelia.instances.main.user;
domain = "auth.${config.services.nginx.domain}";
in {
services.authelia.instances.main = {
enable = true;
settings = {
theme = "auto";
access_control.default_policy = "one_factor";
authentication_backend = {
password_reset.disable = true;
file.path = "/var/lib/authelia-main/users.yml";
};
notifier.filesystem.filename = "/var/lib/authelia-main/notification.txt";
session = {
domain = config.services.nginx.domain;
redis.host = config.services.redis.servers.authelia.unixSocket;
};
storage.postgres = {
host = "/run/postgresql";
port = 5432;
database = user;
username = user;
password = "unnecessary";
};
};
secrets = {
storageEncryptionKeyFile = config.sops.secrets."authelia/storageEncryptionKey".path; # Database
sessionSecretFile = config.sops.secrets."authelia/sessionSecret".path; # Redis
jwtSecretFile = config.sops.secrets."authelia/jwtSecret".path;
};
};
systemd.services.authelia-main.after = ["postgresql.service"];
services.nginx = {
# TODO(tlater): Possibly remove on next authelia release
additionalModules = with pkgs.nginxModules; [
develkit
set-misc
];
virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
enableHSTS = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:9091";
recommendedProxySettings = false;
enableAutheliaProxy = true;
};
"/api/verify" = {
proxyPass = "http://127.0.0.1:9091";
recommendedProxySettings = false;
};
};
};
};
services.redis.servers.authelia = {
inherit user;
enable = true;
};
sops.secrets = {
"authelia/storageEncryptionKey" = {
owner = user;
group = user;
};
"authelia/sessionSecret" = {
owner = user;
group = user;
};
"authelia/jwtSecret" = {
owner = user;
group = user;
};
};
}

View file

@ -3,33 +3,27 @@
pkgs, pkgs,
lib, lib,
... ...
}: }: let
let
inherit (lib) types optional singleton; inherit (lib) types optional singleton;
mkShutdownScript = mkShutdownScript = service:
service:
pkgs.writeShellScript "backup-${service}-shutdown" '' pkgs.writeShellScript "backup-${service}-shutdown" ''
if systemctl is-active --quiet '${service}'; then if systemctl is-active --quiet '${service}'; then
touch '/tmp/${service}-was-active' touch '/tmp/${service}-was-active'
systemctl stop '${service}' systemctl stop '${service}'
fi fi
''; '';
mkRestartScript = mkRestartScript = service:
service:
pkgs.writeShellScript "backup-${service}-restart" '' pkgs.writeShellScript "backup-${service}-restart" ''
if [ -f '/tmp/${service}-was-active' ]; then if [ -f '/tmp/${service}-was-active' ]; then
rm '/tmp/${service}-was-active' rm '/tmp/${service}-was-active'
systemctl start '${service}' systemctl start '${service}'
fi fi
''; '';
writeScript = writeScript = name: packages: text:
name: packages: text: lib.getExe (pkgs.writeShellApplication {
lib.getExe (
pkgs.writeShellApplication {
inherit name text; inherit name text;
runtimeInputs = packages; runtimeInputs = packages;
} });
);
# *NOT* a TOML file, for some reason quotes are interpreted # *NOT* a TOML file, for some reason quotes are interpreted
# *literally # *literally
@ -48,17 +42,17 @@ let
RESTIC_REPOSITORY = "rclone:storagebox:backups"; RESTIC_REPOSITORY = "rclone:storagebox:backups";
RCLONE_CONFIG = rcloneConfig; RCLONE_CONFIG = rcloneConfig;
}; };
in in {
{
options = { options = {
services.backups = lib.mkOption { services.backups = lib.mkOption {
description = lib.mdDoc '' description = lib.mdDoc ''
Configure restic backups with a specific tag. Configure restic backups with a specific tag.
''; '';
type = types.attrsOf ( type = types.attrsOf (types.submodule ({
types.submodule ( config,
{ config, name, ... }: name,
{ ...
}: {
options = { options = {
user = lib.mkOption { user = lib.mkOption {
type = types.str; type = types.str;
@ -133,9 +127,7 @@ in
''; '';
}; };
}; };
} }));
)
);
}; };
}; };
@ -172,13 +164,14 @@ in
}; };
}; };
} }
// lib.mapAttrs' ( // lib.mapAttrs' (name: backup:
name: backup:
lib.nameValuePair "backup-${name}" { lib.nameValuePair "backup-${name}" {
# Don't want to restart mid-backup # Don't want to restart mid-backup
restartIfChanged = false; restartIfChanged = false;
environment = resticEnv // { environment =
resticEnv
// {
RESTIC_CACHE_DIR = "%C/backup-${name}"; RESTIC_CACHE_DIR = "%C/backup-${name}";
}; };
@ -203,37 +196,25 @@ in
PrivateTmp = true; PrivateTmp = true;
ExecStart = [ ExecStart = [
(lib.concatStringsSep " " ( (lib.concatStringsSep " " (["${pkgs.restic}/bin/restic" "backup" "--tag" name] ++ backup.paths))
[
"${pkgs.restic}/bin/restic"
"backup"
"--tag"
name
]
++ backup.paths
))
]; ];
ExecStartPre = ExecStartPre =
map (service: "+${mkShutdownScript service}") backup.pauseServices map (service: "+${mkShutdownScript service}") backup.pauseServices
++ singleton ( ++ singleton (writeScript "backup-${name}-repo-init" [] ''
writeScript "backup-${name}-repo-init" [ ] ''
restic snapshots || restic init restic snapshots || restic init
'' '')
) ++ optional (backup.preparation.text != null)
++ optional (backup.preparation.text != null) ( (writeScript "backup-${name}-prepare" backup.preparation.packages backup.preparation.text);
writeScript "backup-${name}-prepare" backup.preparation.packages backup.preparation.text
);
# TODO(tlater): Add repo pruning/checking # TODO(tlater): Add repo pruning/checking
ExecStopPost = ExecStopPost =
map (service: "+${mkRestartScript service}") backup.pauseServices map (service: "+${mkRestartScript service}") backup.pauseServices
++ optional (backup.cleanup.text != null) ( ++ optional (backup.cleanup.text != null)
writeScript "backup-${name}-cleanup" backup.cleanup.packages backup.cleanup.text (writeScript "backup-${name}-cleanup" backup.cleanup.packages backup.cleanup.text);
);
}; };
} })
) config.services.backups; config.services.backups;
systemd.timers = systemd.timers =
{ {
@ -245,8 +226,7 @@ in
# of the backup jobs. # of the backup jobs.
}; };
} }
// lib.mapAttrs' ( // lib.mapAttrs' (name: backup:
name: backup:
lib.nameValuePair "backup-${name}" { lib.nameValuePair "backup-${name}" {
wantedBy = ["timers.target"]; wantedBy = ["timers.target"];
timerConfig = { timerConfig = {
@ -255,8 +235,8 @@ in
FixedRandomDelay = true; FixedRandomDelay = true;
Persistent = true; Persistent = true;
}; };
} })
) config.services.backups; config.services.backups;
users = { users = {
# This user is only used to own the ssh key, because apparently # This user is only used to own the ssh key, because apparently

View file

@ -1,6 +1,11 @@
{ config, flake-inputs, ... }:
{ {
imports = [ flake-inputs.sonnenshift.nixosModules.default ]; config,
flake-inputs,
...
}: {
imports = [
flake-inputs.sonnenshift.nixosModules.default
];
services.batteryManager = { services.batteryManager = {
enable = true; enable = true;

View file

@ -3,15 +3,13 @@
config, config,
lib, lib,
... ...
}: }: let
let
inherit (lib.strings) concatMapStringsSep; inherit (lib.strings) concatMapStringsSep;
cfg = config.services.matrix-conduit; cfg = config.services.matrix-conduit;
domain = "matrix.${config.services.nginx.domain}"; domain = "matrix.${config.services.nginx.domain}";
turn-realm = "turn.${config.services.nginx.domain}"; turn-realm = "turn.${config.services.nginx.domain}";
in in {
{
services.matrix-conduit = { services.matrix-conduit = {
enable = true; enable = true;
settings.global = { settings.global = {
@ -19,19 +17,10 @@ in
server_name = domain; server_name = domain;
database_backend = "rocksdb"; database_backend = "rocksdb";
# Set up delegation: https://docs.conduit.rs/delegation.html#automatic-recommended turn_uris = let
# This is primarily to make sliding sync work
well_known = {
client = "https://${domain}";
server = "${domain}:443";
};
turn_uris =
let
address = "${config.services.coturn.realm}:${toString config.services.coturn.listening-port}"; address = "${config.services.coturn.realm}:${toString config.services.coturn.listening-port}";
tls-address = "${config.services.coturn.realm}:${toString config.services.coturn.tls-listening-port}"; tls-address = "${config.services.coturn.realm}:${toString config.services.coturn.tls-listening-port}";
in in [
[
"turn:${address}?transport=udp" "turn:${address}?transport=udp"
"turn:${address}?transport=tcp" "turn:${address}?transport=tcp"
"turns:${tls-address}?transport=udp" "turns:${tls-address}?transport=udp"
@ -40,11 +29,9 @@ in
}; };
}; };
systemd.services.heisenbridge = systemd.services.heisenbridge = let
let
replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret"; replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
registrationFile = builtins.toFile "heisenbridge-registration.yaml" ( registrationFile = builtins.toFile "heisenbridge-registration.yaml" (builtins.toJSON {
builtins.toJSON {
id = "heisenbridge"; id = "heisenbridge";
url = "http://127.0.0.1:9898"; url = "http://127.0.0.1:9898";
as_token = "@AS_TOKEN@"; as_token = "@AS_TOKEN@";
@ -65,8 +52,7 @@ in
aliases = []; aliases = [];
rooms = []; rooms = [];
}; };
} });
);
# TODO(tlater): Starting with systemd 253 it will become possible # TODO(tlater): Starting with systemd 253 it will become possible
# to do the credential setup as part of ExecStartPre/preStart # to do the credential setup as part of ExecStartPre/preStart
@ -87,8 +73,7 @@ in
--owner @tlater:matrix.tlater.net \ --owner @tlater:matrix.tlater.net \
'http://localhost:${toString cfg.settings.global.port}' 'http://localhost:${toString cfg.settings.global.port}'
''; '';
in in {
{
description = "Matrix<->IRC bridge"; description = "Matrix<->IRC bridge";
wantedBy = ["multi-user.target"]; wantedBy = ["multi-user.target"];
after = ["conduit.service"]; after = ["conduit.service"];
@ -117,7 +102,7 @@ in
RestrictRealtime = true; RestrictRealtime = true;
ProtectProc = "invisible"; ProtectProc = "invisible";
ProcSubset = "pid"; ProcSubset = "pid";
UMask = 77; UMask = 0077;
# For the identd port # For the identd port
# CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"]; # CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"];
@ -137,7 +122,9 @@ in
use-auth-secret = true; use-auth-secret = true;
static-auth-secret-file = config.sops.secrets."turn/secret".path; static-auth-secret-file = config.sops.secrets."turn/secret".path;
realm = turn-realm; realm = turn-realm;
relay-ips = [ "116.202.158.55" ]; relay-ips = [
"116.202.158.55"
];
# SSL config # SSL config
# #
@ -238,15 +225,28 @@ in
proxy_buffering off; proxy_buffering off;
''; '';
}; };
"/.well-known/matrix" = {
proxyPass = "http://${cfg.settings.global.address}:${toString cfg.settings.global.port}"; # Add Element X support
# TODO(tlater): Remove when no longer required: https://github.com/vector-im/element-x-android/issues/1085
"=/.well-known/matrix/client" = {
alias = pkgs.writeText "well-known-matrix-client" (builtins.toJSON {
"m.homeserver".base_url = "https://${domain}";
"org.matrix.msc3575.proxy".url = "https://${domain}";
});
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin "*";
'';
}; };
}; };
}; };
services.backups.conduit = { services.backups.conduit = {
user = "root"; user = "root";
paths = [ "/var/lib/private/matrix-conduit/" ]; paths = [
"/var/lib/private/matrix-conduit/"
];
# Other services store their data in conduit, so no other services # Other services store their data in conduit, so no other services
# need to be shut down currently. # need to be shut down currently.
pauseServices = ["conduit.service"]; pauseServices = ["conduit.service"];

View file

@ -1,5 +1,4 @@
{ pkgs, ... }: {pkgs, ...}: {
{
services.fail2ban = { services.fail2ban = {
enable = true; enable = true;
extraPackages = [pkgs.ipset]; extraPackages = [pkgs.ipset];

View file

@ -2,13 +2,10 @@
lib, lib,
config, config,
flake-inputs, flake-inputs,
pkgs,
... ...
}: }: let
let
domain = "foundryvtt.${config.services.nginx.domain}"; domain = "foundryvtt.${config.services.nginx.domain}";
in in {
{
imports = [flake-inputs.foundryvtt.nixosModules.foundryvtt]; imports = [flake-inputs.foundryvtt.nixosModules.foundryvtt];
services.foundryvtt = { services.foundryvtt = {
@ -17,18 +14,15 @@ in
minifyStaticFiles = true; minifyStaticFiles = true;
proxySSL = true; proxySSL = true;
proxyPort = 443; proxyPort = 443;
package = flake-inputs.foundryvtt.packages.${pkgs.system}.foundryvtt_11;
}; };
# Want to start it manually when I need it, not have it constantly # Want to start it manually when I need it, not have it constantly
# running # running
systemd.services.foundryvtt.wantedBy = lib.mkForce []; systemd.services.foundryvtt.wantedBy = lib.mkForce [];
services.nginx.virtualHosts."${domain}" = services.nginx.virtualHosts."${domain}" = let
let
inherit (config.services.foundryvtt) port; inherit (config.services.foundryvtt) port;
in in {
{
forceSSL = true; forceSSL = true;
useACMEHost = "tlater.net"; useACMEHost = "tlater.net";
enableHSTS = true; enableHSTS = true;
@ -41,7 +35,9 @@ in
services.backups.foundryvtt = { services.backups.foundryvtt = {
user = "foundryvtt"; user = "foundryvtt";
paths = [ config.services.foundryvtt.dataDir ]; paths = [
config.services.foundryvtt.dataDir
];
pauseServices = ["foundryvtt.service"]; pauseServices = ["foundryvtt.service"];
}; };
} }

View file

@ -3,11 +3,9 @@
config, config,
lib, lib,
... ...
}: }: let
let
domain = "gitea.${config.services.nginx.domain}"; domain = "gitea.${config.services.nginx.domain}";
in in {
{
services.forgejo = { services.forgejo = {
enable = true; enable = true;
database.type = "postgres"; database.type = "postgres";
@ -29,21 +27,19 @@ in
}; };
}; };
systemd.services.forgejo.serviceConfig.ExecStartPre = systemd.services.forgejo.serviceConfig.ExecStartPre = let
let
replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret"; replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
secretPath = config.sops.secrets."forgejo/metrics-token".path; secretPath = config.sops.secrets."forgejo/metrics-token".path;
runConfig = "${config.services.forgejo.customDir}/conf/app.ini"; runConfig = "${config.services.forgejo.customDir}/conf/app.ini";
in in [
[ "+${replaceSecretBin} '#metricstoken#' '${secretPath}' '${runConfig}'" ]; "+${replaceSecretBin} '#metricstoken#' '${secretPath}' '${runConfig}'"
];
# Set up SSL # Set up SSL
services.nginx.virtualHosts."${domain}" = services.nginx.virtualHosts."${domain}" = let
let
httpAddress = config.services.forgejo.settings.server.HTTP_ADDR; httpAddress = config.services.forgejo.settings.server.HTTP_ADDR;
httpPort = config.services.forgejo.settings.server.HTTP_PORT; httpPort = config.services.forgejo.settings.server.HTTP_PORT;
in in {
{
forceSSL = true; forceSSL = true;
useACMEHost = "tlater.net"; useACMEHost = "tlater.net";
enableHSTS = true; enableHSTS = true;

View file

@ -3,25 +3,23 @@
pkgs, pkgs,
lib, lib,
... ...
}: }: let
let
yaml = pkgs.formats.yaml {}; yaml = pkgs.formats.yaml {};
in in {
{
services.prometheus = { services.prometheus = {
exporters = { exporters = {
# Periodically check domain registration status # Periodically check domain registration status
domain = { domain = {
enable = true; enable = true;
listenAddress = "127.0.0.1"; listenAddress = "127.0.0.1";
extraFlags = extraFlags = let
let
conf.domains = [ conf.domains = [
"tlater.net" "tlater.net"
"tlater.com" "tlater.com"
]; ];
in in [
[ "--config=${yaml.generate "domains.yml" conf}" ]; "--config=${yaml.generate "domains.yml" conf}"
];
}; };
# System statistics # System statistics
@ -50,7 +48,8 @@ in
listenAddress = "127.0.0.1"; listenAddress = "127.0.0.1";
group = "nginx"; group = "nginx";
settings.namespaces = lib.mapAttrsToList (name: virtualHost: { settings.namespaces =
lib.mapAttrsToList (name: virtualHost: {
inherit name; inherit name;
metrics_override.prefix = "nginxlog"; metrics_override.prefix = "nginxlog";
namespace_label = "vhost"; namespace_label = "vhost";
@ -63,28 +62,25 @@ in
''uht="$upstream_header_time" urt="$upstream_response_time"'' ''uht="$upstream_header_time" urt="$upstream_response_time"''
]; ];
source.files = [ "/var/log/nginx/${name}/access.log" ]; source.files = [
}) config.services.nginx.virtualHosts; "/var/log/nginx/${name}/access.log"
];
})
config.services.nginx.virtualHosts;
}; };
}; };
extraExporters = { extraExporters = {
fail2ban = fail2ban = let
let
cfg = config.services.prometheus.extraExporters.fail2ban; cfg = config.services.prometheus.extraExporters.fail2ban;
in in {
{
port = 9191; port = 9191;
serviceOpts = { serviceOpts = {
after = ["fail2ban.service"]; after = ["fail2ban.service"];
requires = ["fail2ban.service"]; requires = ["fail2ban.service"];
serviceConfig = { serviceConfig = {
Group = "fail2ban"; Group = "fail2ban";
RestrictAddressFamilies = [ RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
"AF_UNIX"
"AF_INET"
"AF_INET6"
];
ExecStart = lib.concatStringsSep " " [ ExecStart = lib.concatStringsSep " " [
"${pkgs.local.prometheus-fail2ban-exporter}/bin/fail2ban-prometheus-exporter" "${pkgs.local.prometheus-fail2ban-exporter}/bin/fail2ban-prometheus-exporter"
"--collector.f2b.socket=/var/run/fail2ban/fail2ban.sock" "--collector.f2b.socket=/var/run/fail2ban/fail2ban.sock"

View file

@ -1,8 +1,6 @@
{ config, ... }: {config, ...}: let
let
domain = "metrics.${config.services.nginx.domain}"; domain = "metrics.${config.services.nginx.domain}";
in in {
{
services.grafana = { services.grafana = {
enable = true; enable = true;
settings = { settings = {
@ -42,12 +40,7 @@ in
forceSSL = true; forceSSL = true;
useACMEHost = "tlater.net"; useACMEHost = "tlater.net";
enableHSTS = true; enableHSTS = true;
locations = { enableAuthorization = true;
"/".proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}"; locations."/".proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
"/api/live" = {
proxyWebsockets = true;
proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
};
};
}; };
} }

View file

@ -3,17 +3,14 @@
config, config,
lib, lib,
... ...
}: }: let
let
inherit (lib) types mkOption mkDefault; inherit (lib) types mkOption mkDefault;
yaml = pkgs.formats.yaml {}; yaml = pkgs.formats.yaml {};
in in {
{
options = { options = {
services.prometheus = { services.prometheus = {
extraExporters = mkOption { extraExporters = mkOption {
type = types.attrsOf ( type = types.attrsOf (types.submodule {
types.submodule {
options = { options = {
port = mkOption { port = mkOption {
type = types.int; type = types.int;
@ -29,16 +26,16 @@ in
description = "An attrset to be merged with the exporter's systemd service."; description = "An attrset to be merged with the exporter's systemd service.";
}; };
}; };
} });
);
}; };
}; };
services.victoriametrics.scrapeConfigs = mkOption { services.victoriametrics.scrapeConfigs = mkOption {
type = types.attrsOf ( type = types.attrsOf (types.submodule ({
types.submodule ( name,
{ name, self, ... }: self,
{ ...
}: {
options = { options = {
job_name = mkOption { job_name = mkOption {
type = types.str; type = types.str;
@ -65,8 +62,7 @@ in
static_configs = mkOption { static_configs = mkOption {
default = []; default = [];
type = types.listOf ( type = types.listOf (types.submodule {
types.submodule {
options = { options = {
targets = mkOption { targets = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
@ -84,22 +80,17 @@ in
default = {}; default = {};
}; };
}; };
} });
);
}; };
}; };
} }));
)
);
}; };
}; };
config = { config = {
systemd.services = lib.mkMerge [ systemd.services = lib.mkMerge [
(lib.mapAttrs' ( (lib.mapAttrs' (name: exporter:
name: exporter: lib.nameValuePair "prometheus-${name}-exporter" (lib.mkMerge [
lib.nameValuePair "prometheus-${name}-exporter" (
lib.mkMerge [
{ {
# Shamelessly copied from upstream because the upstream # Shamelessly copied from upstream because the upstream
# module is an intractable mess # module is an intractable mess
@ -125,10 +116,7 @@ in
serviceConfig.ProtectKernelTunables = true; serviceConfig.ProtectKernelTunables = true;
serviceConfig.ProtectSystem = mkDefault "strict"; serviceConfig.ProtectSystem = mkDefault "strict";
serviceConfig.RemoveIPC = true; serviceConfig.RemoveIPC = true;
serviceConfig.RestrictAddressFamilies = [ serviceConfig.RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
"AF_INET"
"AF_INET6"
];
serviceConfig.RestrictNamespaces = true; serviceConfig.RestrictNamespaces = true;
serviceConfig.RestrictRealtime = true; serviceConfig.RestrictRealtime = true;
serviceConfig.RestrictSUIDSGID = true; serviceConfig.RestrictSUIDSGID = true;
@ -136,35 +124,29 @@ in
serviceConfig.UMask = "0077"; serviceConfig.UMask = "0077";
} }
exporter.serviceOpts exporter.serviceOpts
] ]))
) config.services.prometheus.extraExporters)
) config.services.prometheus.extraExporters)
{ {
vmagent-scrape-exporters = vmagent-scrape-exporters = let
let
listenAddress = config.services.victoriametrics.listenAddress; listenAddress = config.services.victoriametrics.listenAddress;
vmAddr = (lib.optionalString (lib.hasPrefix ":" listenAddress) "127.0.0.1") + listenAddress; vmAddr = (lib.optionalString (lib.hasPrefix ":" listenAddress) "127.0.0.1") + listenAddress;
promscrape = yaml.generate "prometheus.yml" { promscrape = yaml.generate "prometheus.yml" {
scrape_configs = lib.mapAttrsToList ( scrape_configs = lib.mapAttrsToList (_: scrape:
_: scrape:
lib.recursiveUpdate { lib.recursiveUpdate {
inherit (scrape) job_name; inherit (scrape) job_name;
static_configs = static_configs =
scrape.static_configs scrape.static_configs
++ lib.optional (scrape.targets != []) {targets = scrape.targets;}; ++ lib.optional (scrape.targets != []) {targets = scrape.targets;};
} scrape.extraSettings }
) config.services.victoriametrics.scrapeConfigs; scrape.extraSettings)
config.services.victoriametrics.scrapeConfigs;
}; };
in in {
{
enable = true; enable = true;
path = [pkgs.victoriametrics]; path = [pkgs.victoriametrics];
wantedBy = ["multi-user.target"]; wantedBy = ["multi-user.target"];
after = [ after = ["network.target" "victoriametrics.service"];
"network.target"
"victoriametrics.service"
];
serviceConfig = { serviceConfig = {
ExecStart = [ ExecStart = [
(lib.concatStringsSep " " [ (lib.concatStringsSep " " [
@ -193,10 +175,7 @@ in
ProtectKernelTunables = true; ProtectKernelTunables = true;
ProtectSystem = "strict"; ProtectSystem = "strict";
RemoveIPC = true; RemoveIPC = true;
RestrictAddressFamilies = [ RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
"AF_INET"
"AF_INET6"
];
RestrictNamespaces = true; RestrictNamespaces = true;
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
@ -209,17 +188,17 @@ in
users.groups.metrics = {}; users.groups.metrics = {};
services.victoriametrics.scrapeConfigs = services.victoriametrics.scrapeConfigs = let
let allExporters =
allExporters = lib.mapAttrs (name: exporter: { inherit (exporter) listenAddress port; }) ( lib.mapAttrs (name: exporter: {
(lib.filterAttrs ( inherit (exporter) listenAddress port;
_: exporter: builtins.isAttrs exporter && exporter.enable }) ((lib.filterAttrs (_: exporter: builtins.isAttrs exporter && exporter.enable)
) config.services.prometheus.exporters) config.services.prometheus.exporters)
// config.services.prometheus.extraExporters // config.services.prometheus.extraExporters);
);
in in
lib.mapAttrs (_: exporter: { lib.mapAttrs (_: exporter: {
targets = ["${exporter.listenAddress}:${toString exporter.port}"]; targets = ["${exporter.listenAddress}:${toString exporter.port}"];
}) allExporters; })
allExporters;
}; };
} }

View file

@ -1,8 +1,9 @@
{ config, ... }: {config, ...}: {
{
config.services.victoriametrics = { config.services.victoriametrics = {
enable = true; enable = true;
extraOptions = [ "-storage.minFreeDiskSpaceBytes=5GB" ]; extraOptions = [
"-storage.minFreeDiskSpaceBytes=5GB"
];
scrapeConfigs = { scrapeConfigs = {
forgejo = { forgejo = {

View file

@ -1,35 +1,18 @@
{ {
pkgs, pkgs,
config, config,
lib,
... ...
}: }: let
let
# Update pending on rewrite of nextcloud news, though there is an # Update pending on rewrite of nextcloud news, though there is an
# alpha to switch to if it becomes necessary: # alpha to switch to if it becomes necessary:
# https://github.com/nextcloud/news/issues/2610 # https://github.com/nextcloud/news/issues/2610
nextcloud = pkgs.nextcloud28; nextcloud = pkgs.nextcloud27;
hostName = "nextcloud.${config.services.nginx.domain}"; hostName = "nextcloud.${config.services.nginx.domain}";
in in {
{
services.nextcloud = { services.nextcloud = {
inherit hostName; inherit hostName;
package = nextcloud; package = nextcloud;
phpPackage = lib.mkForce (
pkgs.php.override {
packageOverrides = final: prev: {
extensions = prev.extensions // {
pgsql = prev.extensions.pgsql.overrideAttrs (old: {
configureFlags = [ "--with-pgsql=${config.services.postgresql.package}" ];
});
pdo_pgsql = prev.extensions.pdo_pgsql.overrideAttrs (old: {
configureFlags = [ "--with-pdo-pgsql=${config.services.postgresql.package}" ];
});
};
};
}
);
enable = true; enable = true;
maxUploadSize = "2G"; maxUploadSize = "2G";
https = true; https = true;
@ -54,14 +37,7 @@ in
}; };
extraApps = { extraApps = {
inherit (pkgs.local) inherit (pkgs.local) bookmarks calendar contacts cookbook news notes;
bookmarks
calendar
contacts
cookbook
news
notes
;
}; };
}; };

View file

@ -1,5 +1,8 @@
{ pkgs, ... }:
{ {
config,
pkgs,
...
}: {
services.postgresql = { services.postgresql = {
package = pkgs.postgresql_14; package = pkgs.postgresql_14;
enable = true; enable = true;
@ -25,11 +28,16 @@
name = "nextcloud"; name = "nextcloud";
ensureDBOwnership = true; ensureDBOwnership = true;
} }
{
name = config.services.authelia.instances.main.user;
ensureDBOwnership = true;
}
]; ];
ensureDatabases = [ ensureDatabases = [
"grafana" "grafana"
"nextcloud" "nextcloud"
config.services.authelia.instances.main.user
]; ];
}; };
} }

View file

@ -1,8 +1,10 @@
{ pkgs, lib, ... }:
let
inherit (lib) concatStringsSep;
in
{ {
pkgs,
lib,
...
}: let
inherit (lib) concatStringsSep;
in {
# Sadly, steam-run requires some X libs # Sadly, steam-run requires some X libs
environment.noXlibs = false; environment.noXlibs = false;
@ -111,7 +113,9 @@ in
services.backups.starbound = { services.backups.starbound = {
user = "root"; user = "root";
paths = [ "/var/lib/private/starbound/storage/universe/" ]; paths = [
"/var/lib/private/starbound/storage/universe/"
];
pauseServices = ["starbound.service"]; pauseServices = ["starbound.service"];
}; };
} }

View file

@ -1,8 +1,6 @@
{ config, ... }: {config, ...}: let
let
domain = config.services.nginx.domain; domain = config.services.nginx.domain;
in in {
{
services.tlaternet-webserver = { services.tlaternet-webserver = {
enable = true; enable = true;
listen = { listen = {
@ -12,11 +10,9 @@ in
}; };
# Set up SSL # Set up SSL
services.nginx.virtualHosts."${domain}" = services.nginx.virtualHosts."${domain}" = let
let
inherit (config.services.tlaternet-webserver.listen) addr port; inherit (config.services.tlaternet-webserver.listen) addr port;
in in {
{
serverAliases = ["www.${domain}"]; serverAliases = ["www.${domain}"];
forceSSL = true; forceSSL = true;

View file

@ -1,5 +1,4 @@
{ config, ... }: {config, ...}: {
{
# iptables needs to permit forwarding from wg0 to wg0 # iptables needs to permit forwarding from wg0 to wg0
networking.firewall.extraCommands = '' networking.firewall.extraCommands = ''
iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT

View file

@ -7,11 +7,11 @@
"utils": "utils" "utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1718194053, "lastModified": 1711973905,
"narHash": "sha256-FaGrf7qwZ99ehPJCAwgvNY5sLCqQ3GDiE/6uLhxxwSY=", "narHash": "sha256-UFKME/N1pbUtn+2Aqnk+agUt8CekbpuqwzljivfIme8=",
"owner": "serokell", "owner": "serokell",
"repo": "deploy-rs", "repo": "deploy-rs",
"rev": "3867348fa92bc892eba5d9ddb2d7a97b9e127a8a", "rev": "88b3059b020da69cbe16526b8d639bd5e0b51c8b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -27,11 +27,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1723685519, "lastModified": 1714103775,
"narHash": "sha256-GkXQIoZmW2zCPp1YFtAYGg/xHNyFH/Mgm79lcs81rq0=", "narHash": "sha256-kcBiIrmqzt3bNTr2GMBfAyA+on8BEKO1iKzzDFQZkjI=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "276a0d055a720691912c6a34abb724e395c8e38a", "rev": "285e26465a0bae510897ca04da26ce6307c652b4",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -47,11 +47,11 @@
"pyproject-nix": "pyproject-nix" "pyproject-nix": "pyproject-nix"
}, },
"locked": { "locked": {
"lastModified": 1719685993, "lastModified": 1702457430,
"narHash": "sha256-04gy1icwnGO3ZXF6r96yBm/C0PNPzeLxA/8xzzq0dBI=", "narHash": "sha256-8NQiXtYCOiC7XFayy6GPGDudCBrPROry3mfWjpdVj5g=",
"owner": "nix-community", "owner": "nix-community",
"repo": "dream2nix", "repo": "dream2nix",
"rev": "1b5e01219a32324c8f6889fe1f4db933ec7932f6", "rev": "262198033e23e9ee832f0cc8133d38f07598f555",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -69,11 +69,11 @@
"rust-analyzer-src": "rust-analyzer-src" "rust-analyzer-src": "rust-analyzer-src"
}, },
"locked": { "locked": {
"lastModified": 1719815435, "lastModified": 1704003651,
"narHash": "sha256-K2xFp142onP35jcx7li10xUxNVEVRWjAdY8DSuR7Naw=", "narHash": "sha256-bA3d4E1CX5G7TVbKwJOm9jZfVOGOPp6u5CKEUzNsE8E=",
"owner": "nix-community", "owner": "nix-community",
"repo": "fenix", "repo": "fenix",
"rev": "ebfe2c639111d7e82972a12711206afaeeda2450", "rev": "c6d82e087ac96f24b90c5787a17e29a72566c2b4",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -157,11 +157,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1722661736, "lastModified": 1712623723,
"narHash": "sha256-0lujsK40JV/2PlqCjhZMGpHKL4vDKzJcnkFJYnG1WZA=", "narHash": "sha256-jPD5+M+QPyMRk52zfFMIeHdv7yXYJ/yNGqwS0PhYF+E=",
"owner": "reckenrode", "owner": "reckenrode",
"repo": "nix-foundryvtt", "repo": "nix-foundryvtt",
"rev": "699a175398410688214615a9d977354e9ef98d2d", "rev": "6025615b431170558c3c13f16b549fc0126425e1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -210,59 +210,59 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1721524707, "lastModified": 1713638189,
"narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=", "narHash": "sha256-q7APLfB6FmmSMI1Su5ihW9IwntBsk2hWNXh8XtSdSIk=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "556533a23879fc7e5f98dd2e0b31a6911a213171", "rev": "74574c38577914733b4f7a775dd77d24245081dd",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "release-24.05", "ref": "release-23.11",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1723957280, "lastModified": 1714253743,
"narHash": "sha256-J08Yqf2IJ73y7myI69qEKsQ048ibweG6FeJeCxbIdB4=", "narHash": "sha256-mdTQw2XlariysyScCv2tTE45QSU9v/ezLcHJ22f0Nxc=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "abcef4da4ebb72240bddc370a27263627e64877f", "rev": "58a1abdbae3217ca6b702f03d3b35125d88a2994",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nixos",
"ref": "nixos-unstable-small", "ref": "nixos-unstable",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1723920526, "lastModified": 1718208800,
"narHash": "sha256-USs6A60raDKZ/8BEpqja1XjZIsRzADX+NtWKH6wIxIw=", "narHash": "sha256-US1tAChvPxT52RV8GksWZS415tTS7PV42KTc2PNDBmc=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "1cbd3d585263dc620c483e138d352a39b9f0e3ec", "rev": "cc54fb41d13736e92229c21627ea4f22199fee6b",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nixos",
"ref": "nixos-24.05-small", "ref": "nixos-24.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs_3": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1719468428, "lastModified": 1702272962,
"narHash": "sha256-vN5xJAZ4UGREEglh3lfbbkIj+MPEYMuqewMn4atZFaQ=", "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "1e3deb3d8a86a870d925760db1a5adecc64d329d", "rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -281,11 +281,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1718252448, "lastModified": 1713333471,
"narHash": "sha256-xZZBdKqe1ByITzvx65pVgGQ5jeb73MybjgrcfI84lEo=", "narHash": "sha256-sIVQKOXzruxtTYiBRHZa8UQH+CSIa9K5MZlY6vavYfA=",
"owner": "berberman", "owner": "berberman",
"repo": "nvfetcher", "repo": "nvfetcher",
"rev": "fa7609950023462c6f91c425de7610c0bb6b86ba", "rev": "2a824322dc6a755ffda83a13b948d42304521e4d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -375,11 +375,11 @@
"rust-analyzer-src": { "rust-analyzer-src": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1719760370, "lastModified": 1703965384,
"narHash": "sha256-fsxAuW6RxKZYjAP3biUC6C4vaYFhDfWv8lp1Tmx3ZCY=", "narHash": "sha256-3iyouqkBvhh/E48TkBlt4JmmcIEyfQwY7pokKBx9WNg=",
"owner": "rust-lang", "owner": "rust-lang",
"repo": "rust-analyzer", "repo": "rust-analyzer",
"rev": "ea7fdada6a0940b239ddbde2048a4d7dac1efe1e", "rev": "e872f5085cf5b0e44558442365c1c033d486eff2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -442,11 +442,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1723501126, "lastModified": 1713892811,
"narHash": "sha256-N9IcHgj/p1+2Pvk8P4Zc1bfrMwld5PcosVA0nL6IGdE=", "narHash": "sha256-uIGmA2xq41vVFETCF1WW4fFWFT2tqBln+aXnWrvjGRE=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "be0eec2d27563590194a9206f551a6f73d52fa34", "rev": "f1b0adc27265274e3b0c9b872a8f476a098679bd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -523,11 +523,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1719851829, "lastModified": 1704840002,
"narHash": "sha256-M5miiIbiwP4uArTyeIr/RKA857rP14AEJUe11AZsKAc=", "narHash": "sha256-ik2LeuRjcnRXwBLoRSOyGEMXscE+coO8G79IFhZhdJk=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "4a099f27a27f4107ceb14969e2158eaabebcf1d4", "rev": "d14f50c8dcc8ab30a5e5fa907b392ac0df6c7b52",
"revCount": 74, "revCount": 73,
"type": "git", "type": "git",
"url": "https://gitea.tlater.net/tlaternet/tlaternet.git" "url": "https://gitea.tlater.net/tlaternet/tlaternet.git"
}, },

View file

@ -2,8 +2,8 @@
description = "tlater.net host configuration"; description = "tlater.net host configuration";
inputs = { inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05-small"; nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
disko = { disko = {
url = "github:nix-community/disko"; url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@ -32,30 +32,17 @@
}; };
}; };
outputs = outputs = {
{
self, self,
nixpkgs, nixpkgs,
sops-nix, sops-nix,
nvfetcher, nvfetcher,
deploy-rs, deploy-rs,
... ...
}@inputs: } @ inputs: let
let
system = "x86_64-linux"; system = "x86_64-linux";
pkgs = nixpkgs.legacyPackages.${system}; pkgs = nixpkgs.legacyPackages.${system};
in {
vm = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs.flake-inputs = inputs;
modules = [
./configuration
./configuration/hardware-specific/vm.nix
];
};
in
{
################## ##################
# Configurations # # Configurations #
################## ##################
@ -85,12 +72,7 @@
}; };
sshUser = "tlater"; sshUser = "tlater";
sshOpts = [ sshOpts = ["-p" "2222" "-o" "ForwardAgent=yes"];
"-p"
"2222"
"-o"
"ForwardAgent=yes"
];
}; };
}; };
@ -99,12 +81,6 @@
######### #########
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib; checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
###########################
# Garbage collection root #
###########################
packages.${system}.default = vm.config.system.build.vm;
################### ###################
# Utility scripts # # Utility scripts #
################### ###################
@ -113,36 +89,45 @@
run-vm = { run-vm = {
type = "app"; type = "app";
program = program = let
let vm = nixpkgs.lib.nixosSystem {
inherit system;
specialArgs.flake-inputs = inputs;
modules = [
./configuration
./configuration/hardware-specific/vm.nix
];
};
in in
(pkgs.writeShellScript "" '' (pkgs.writeShellScript "" ''
${vm.config.system.build.vm.outPath}/bin/run-testvm-vm ${vm.config.system.build.vm.outPath}/bin/run-testvm-vm
'').outPath; '')
.outPath;
}; };
update-pkgs = { update-pkgs = {
type = "app"; type = "app";
program = program = let
let
nvfetcher-bin = "${nvfetcher.packages.${system}.default}/bin/nvfetcher"; nvfetcher-bin = "${nvfetcher.packages.${system}.default}/bin/nvfetcher";
in in
(pkgs.writeShellScript "update-pkgs" '' (pkgs.writeShellScript "update-pkgs" ''
cd "$(git rev-parse --show-toplevel)/pkgs" cd "$(git rev-parse --show-toplevel)/pkgs"
${nvfetcher-bin} -o _sources_pkgs -c nvfetcher.toml ${nvfetcher-bin} -o _sources_pkgs -c nvfetcher.toml
'').outPath; '')
.outPath;
}; };
update-nextcloud-apps = { update-nextcloud-apps = {
type = "app"; type = "app";
program = program = let
let
nvfetcher-bin = "${nvfetcher.packages.${system}.default}/bin/nvfetcher"; nvfetcher-bin = "${nvfetcher.packages.${system}.default}/bin/nvfetcher";
in in
(pkgs.writeShellScript "update-nextcloud-apps" '' (pkgs.writeShellScript "update-nextcloud-apps" ''
cd "$(git rev-parse --show-toplevel)/pkgs" cd "$(git rev-parse --show-toplevel)/pkgs"
${nvfetcher-bin} -o _sources_nextcloud -c nextcloud-apps.toml ${nvfetcher-bin} -o _sources_nextcloud -c nextcloud-apps.toml
'').outPath; '')
.outPath;
}; };
}; };
@ -150,18 +135,15 @@
# Development environment # # Development environment #
########################### ###########################
devShells.${system}.default = nixpkgs.legacyPackages.${system}.mkShell { devShells.${system}.default = nixpkgs.legacyPackages.${system}.mkShell {
sopsPGPKeyDirs = [ sopsPGPKeyDirs = ["./keys/hosts/" "./keys/users/"];
"./keys/hosts/" nativeBuildInputs = [
"./keys/users/" sops-nix.packages.${system}.sops-import-keys-hook
]; ];
nativeBuildInputs = [ sops-nix.packages.${system}.sops-import-keys-hook ];
packages = with pkgs; [ packages = with pkgs; [
sops-nix.packages.${system}.sops-init-gpg-key sops-nix.packages.${system}.sops-init-gpg-key
deploy-rs.packages.${system}.default deploy-rs.packages.${system}.default
nixpkgs-fmt
cargo cargo
clippy clippy
rustc rustc

View file

@ -1,4 +1,6 @@
hetzner-api: ENC[AES256_GCM,data:OsUfo86AzcBe/OELkfB5brEfsZ4gkbeehxwIVUBwQgE=,iv:Bt/cjlZ6oZEVUOQjWMDL7/mfL3HWLFAw1tEGeLMgeKg=,tag:TMU2XiHlMgP4aes10mIQYQ==,type:str] authelia:
storageEncryptionKey: ENC[AES256_GCM,data:OUCC+6Gcr6U7Mub1+DaIyswTV6da1wd1u0WGEm4wpJ8L0mi7WSpEmVjH79YyRhp7AmiZhdFFDXFeEYthBb2AZl+xoS9gqs6rWyfU4ezaCbXBiS/dIhsA5foPg13wq5A33qJWtPTy7DJEgqHaIonnaBuVJIBwH3wzPTHc3bDvBo4=,iv:intiZzngz5cMTtjEI9rTKMW0Xv3KB3ZEgtYN3amwKCE=,tag:AKxfbeZlPs54esHCsVnNCg==,type:str]
sessionSecret: ENC[AES256_GCM,data:GEMWhBltOIOs0g9FsWk3OQGs6dMcbwz3ZuhlyBFYROylsIZb4xTXWLgNwIpHwQukQU3TgvIxbCW/fGRWiALPanE2koSVAHNx0UU0hj1mVNRFQGK4H3EL10tPp7l4PofrcdeCbLPrOwM/xLOuPt+52sKlcbL2Awz5/MmpUVpCKXc=,iv:kWX2ptOpTgW3obBgri0MvVv6gCEPR3o77sldOXFQeks=,tag:je4pqLcEOhuBTQkoZHYNCw==,type:str]
battery-manager: battery-manager:
email: ENC[AES256_GCM,data:rYLUACXR/n+bLBmZ,iv:sUBEkh2+7qGjHZ5R23e/hoCiyTA7GTL4bJvXmxjZ5Sw=,tag:fdPMllaQQfRgX0WZKIre4g==,type:str] email: ENC[AES256_GCM,data:rYLUACXR/n+bLBmZ,iv:sUBEkh2+7qGjHZ5R23e/hoCiyTA7GTL4bJvXmxjZ5Sw=,tag:fdPMllaQQfRgX0WZKIre4g==,type:str]
password: ENC[AES256_GCM,data:7cokZa6Q6ahSeiFPz+cV,iv:vz405P0IcG9FsAQXlY7mi78GuushQUKJm2irG6buGzc=,tag:JLHG2jTkJDGbinAq9dXRsQ==,type:str] password: ENC[AES256_GCM,data:7cokZa6Q6ahSeiFPz+cV,iv:vz405P0IcG9FsAQXlY7mi78GuushQUKJm2irG6buGzc=,tag:JLHG2jTkJDGbinAq9dXRsQ==,type:str]
@ -32,8 +34,8 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age: []
lastmodified: "2024-04-15T23:13:18Z" lastmodified: "2024-04-11T23:38:56Z"
mac: ENC[AES256_GCM,data:3/v+WgSWJ+VcBSBe1Wkis3z+tMmSjbKzLFqBB8xugc6DvgQG8J+1HRrPucLnpNNtEdmpyoTa72U6fPm6JnyUsuj5pLEghLprOJkqQNdRI06fllhw+9d3e3twx6D4oIIsVH6/io4ElXrGsGQTsfNbYhgn+987wa3WP5N25fBac3U=,iv:FL3tzPutOMN6IPkQfXIu/JOZT+OzUSqpMSQrUeXZQHE=,tag:jL1BTsYTA9XjrsjFszxZhA==,type:str] mac: ENC[AES256_GCM,data:GjIB0EbWsh4o+QoFSyIXgGYnNhRlvfSmue1LyTt6oUlIjNgODhdIB8px8LnRo0rmm/f1YHbDq2MFOxlgdm3PTNaqm/MoKyW3r/wuAeWADsYayQszLNxyhTMXcjWtfm6zCRIuc/+YyM44pXRfVrOZRAin9B6pmJZsRJwBAZpogbU=,iv:r/ZQZvrP0E9dOW5fhBH2I21Z0uv2e3njdEGmadxEALg=,tag:iZvbGTvRJFo80n8aoKSSmQ==,type:str]
pgp: pgp:
- created_at: "2024-03-18T04:02:00Z" - created_at: "2024-03-18T04:02:00Z"
enc: |- enc: |-

View file

@ -1,4 +1,7 @@
hetzner-api: ENC[AES256_GCM,data:1Zjp003j60g=,iv:+vDcyiqYm4A9CMIrW4oGZKdZiczatBcvfL4qYYhKwCg=,tag:Xeu8JuRm+b+5RO+wFR2M8w==,type:str] authelia:
storageEncryptionKey: ENC[AES256_GCM,data:8X6Zvq7ct1MkMH+lc5kTTHXOo6rGyhSzc3aWxGRA5tnBet+TGcENo0RYTYmactsPGVpTIUGGplaG7B7dqRPhkdDHhbCCZCm2nLaYjpVJ241DrpUNKHn8lvg/bMxUQ/Dvw76ByYuWN6bREr3XRaBztBSPzld8zTSYx71I0CKY7vk=,iv:cJSwfuVWO39qqKCGt2Mvw7pN8+hD6kRH9v4c/u4hLuk=,tag:YhdlXuX2ETxjb443RI8MsA==,type:str]
sessionSecret: ENC[AES256_GCM,data:dnoWmc4HND62w3jMXL+akncAEb61c/I70DgRytx55Wxcn4rMiswp6zCkRdsP4CkouTQ1lyAcQrubp5I8M9Kyow/KBMYz9dPkr4+2xJ9w0SEmAVhyPe2DFvYos3x0Uvx5S0B3o1mXoXqbg78e4w5yEIbALiJT8VPGrWK8Cl4nVPo=,iv:FHDXUW2DWUmEZzWUYkYduogdVOtvMlRH4/fVg05cZaI=,tag:u282WQnHpBsZGYJH7mFFKA==,type:str]
jwtSecret: ENC[AES256_GCM,data:0M3AyoMp+orrljl5NsxmthzrHMmu0REcz7+9fpFKbwwqV6KqlpgGddjYZIsTpHEWEq9zhZ2YWLJkMxKdDgROVHUFZGKut28JPSAjjY+1V0wxNBnfSCnxEv5BUw2+cCxcpCwYQyNfRK6SotTt8aqpxvda4oRXpzxV6SW7ogDjc6E=,iv:D57SynZkW2JuFyX6bpZYkxpR2KtkOmKaySg1Bxim0r8=,tag:JCPGZaumdHrtgcH16A7b+g==,type:str]
battery-manager: battery-manager:
email: ENC[AES256_GCM,data:LM/EGzWHfVQ=,iv:jFaoUQuUfuGoOyj/GFpdI8TerH/c8D9fjvio+IEt2Tc=,tag:IWLiN011JEnHRLIXWQgfmA==,type:str] email: ENC[AES256_GCM,data:LM/EGzWHfVQ=,iv:jFaoUQuUfuGoOyj/GFpdI8TerH/c8D9fjvio+IEt2Tc=,tag:IWLiN011JEnHRLIXWQgfmA==,type:str]
password: ENC[AES256_GCM,data:SUxjqS7SJHM=,iv:LvdKk88S+nSImh6/ZezbFGLCUBu1Lpdu+neF2xyHdBg=,tag:rcMyZuW4FVNbcbz00wQKBg==,type:str] password: ENC[AES256_GCM,data:SUxjqS7SJHM=,iv:LvdKk88S+nSImh6/ZezbFGLCUBu1Lpdu+neF2xyHdBg=,tag:rcMyZuW4FVNbcbz00wQKBg==,type:str]
@ -32,8 +35,8 @@ sops:
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age: []
lastmodified: "2024-04-15T23:13:27Z" lastmodified: "2024-04-12T01:00:31Z"
mac: ENC[AES256_GCM,data:JhEVrKF2Jsqpdztcr3g5lMrgEFeLXfBRQTwQJ6PmLSNyDORcTU09TJPNWTPDnR5okDrvIU/wlzi5DZ8A0ebNhrKf6l0tNFBT9LSvQFHU5SBxqY/m8uEJKSrEC4IL5lugOOISDka2KSvYXVCXrumMHE5FnmOS/CgOZaZk6LUjPYA=,iv:ygygnSedcTo2Vsc56s2qrz1qkWchvSgvoiMTebRxQQ8=,tag:vf6z8rxsXmqzwpDy9Avifw==,type:str] mac: ENC[AES256_GCM,data:fVnMwfvGi7vtP1Fg4NLrhGvLF2PcIgZPOcwk4Ssm4iw5iSj0K1npOX3pd5BWzyszqchfYYRHY99GllAump0bZmprVAld9rf70B2HZIVvowBPuUXfc9Cz/5q0z+s8bQ5vCdElW1Bh7h8W/POePdc8cFGAyBS4i1ZVNheIDOHdDjI=,iv:Bi6rekXOx3/dwwPRryF3CoAoQi3D06ABysRF1oBeG5A=,tag:0TCra+AkhBDczj4uvAzKMw==,type:str]
pgp: pgp:
- created_at: "2023-12-29T15:25:27Z" - created_at: "2023-12-29T15:25:27Z"
enc: | enc: |

View file

@ -1 +1,5 @@
{ imports = [ ./nginxExtensions.nix ]; } {
imports = [
./nginxExtensions.nix
];
}

View file

@ -3,20 +3,80 @@
pkgs, pkgs,
lib, lib,
... ...
}: }: {
{
options = { options = {
services.nginx.domain = lib.mkOption { services.nginx.domain = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "The base domain name to append to virtual domain names"; description = "The base domain name to append to virtual domain names";
}; };
services.nginx.virtualHosts = services.nginx.virtualHosts = let
let autheliaDomain = "auth.${config.services.nginx.domain}";
extraVirtualHostOptions = extraLocationOptions = {config, ...}: {
{ name, config, ... }:
{
options = { options = {
enableAutheliaProxy = lib.mkEnableOption "Enable recommended authelia proxy settings";
enableAuthorization = lib.mkEnableOption "Enable authorization via authelia";
};
config = {
recommendedProxySettings = lib.mkIf config.enableAutheliaProxy false;
extraConfig = lib.concatStringsSep "\n" [
(lib.optionalString config.enableAutheliaProxy ''
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-URI $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Connection "";
client_body_buffer_size 128k;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;
'')
(lib.optionalString config.enableAuthorization ''
auth_request /authelia;
set_escape_uri $target_url $scheme://$http_host$request_uri;
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Email $email;
proxy_set_header Remote-Name $name;
error_page 401 =302 https://${autheliaDomain}/?rd=$target_url;
'')
];
};
};
extraVirtualHostOptions = {
name,
config,
...
}: {
options = {
enableAuthorization = lib.mkEnableOption "Enable authorization via authelia";
enableHSTS = lib.mkEnableOption "Enable HSTS"; enableHSTS = lib.mkEnableOption "Enable HSTS";
addAccessLog = lib.mkOption { addAccessLog = lib.mkOption {
@ -26,6 +86,10 @@
Add special logging to `/var/log/nginx/''${serverName}` Add special logging to `/var/log/nginx/''${serverName}`
''; '';
}; };
locations = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule extraLocationOptions);
};
}; };
config = { config = {
@ -37,23 +101,58 @@
access_log /var/log/nginx/${name}/access.log upstream_time; access_log /var/log/nginx/${name}/access.log upstream_time;
'') '')
]; ];
locations = lib.mkIf config.enableAuthorization {
"/".enableAuthorization = true;
"/authelia" = {
proxyPass = "http://127.0.0.1:9091/api/verify";
recommendedProxySettings = false;
extraConfig = ''
internal;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Forwarded-Method $request_method;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Content-Length "";
proxy_set_header Connection "";
proxy_pass_request_body off;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 4 32k;
client_body_buffer_size 128k;
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
'';
};
};
}; };
}; };
in in
lib.mkOption { type = lib.types.attrsOf (lib.types.submodule extraVirtualHostOptions); }; lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule extraVirtualHostOptions);
};
}; };
config = { config = {
# Don't attempt to run acme if the domain name is not tlater.net # Don't attempt to run acme if the domain name is not tlater.net
systemd.services = systemd.services = let
let
confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]''; confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]'';
in in
lib.mapAttrs' ( lib.mapAttrs' (cert: _:
cert: _:
lib.nameValuePair "acme-${cert}" { lib.nameValuePair "acme-${cert}" {
serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' ''; serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' '';
} })
) config.security.acme.certs; config.security.acme.certs;
}; };
} }

View file

@ -7,11 +7,11 @@
"passthru": null, "passthru": null,
"pinned": false, "pinned": false,
"src": { "src": {
"sha256": "sha256-V4zZsAwPn8QiCXEDqOgNFHaXqMOcHMpMbJ1Oz3Db0pc=", "sha256": "sha256-JXNQNnWXoii71QhtKktuEBEIqzmONVetULBhpSjM9xo=",
"type": "tarball", "type": "tarball",
"url": "https://github.com/nextcloud/bookmarks/releases/download/v14.2.4/bookmarks-14.2.4.tar.gz" "url": "https://github.com/nextcloud/bookmarks/releases/download/v13.1.3/bookmarks-13.1.3.tar.gz"
}, },
"version": "14.2.4" "version": "13.1.3"
}, },
"calendar": { "calendar": {
"cargoLocks": null, "cargoLocks": null,
@ -21,11 +21,11 @@
"passthru": null, "passthru": null,
"pinned": false, "pinned": false,
"src": { "src": {
"sha256": "sha256-sipXeyOL4OhENz7V2beFeSYBAoFZdCWtqftIy0lsqEY=", "sha256": "sha256-hZfjWAMi/0qs5xMMgOlcoSXG6kcZ2aeDaez+NqSZFKI=",
"type": "tarball", "type": "tarball",
"url": "https://github.com/nextcloud-releases/calendar/releases/download/v4.7.15/calendar-v4.7.15.tar.gz" "url": "https://github.com/nextcloud-releases/calendar/releases/download/v4.6.7/calendar-v4.6.7.tar.gz"
}, },
"version": "v4.7.15" "version": "v4.6.7"
}, },
"contacts": { "contacts": {
"cargoLocks": null, "cargoLocks": null,
@ -49,11 +49,11 @@
"passthru": null, "passthru": null,
"pinned": false, "pinned": false,
"src": { "src": {
"sha256": "sha256-a8ekMnEzudHGiqHF53jPtgsVTOTc2QLuPg6YtTw5h68=", "sha256": "sha256-TE/w8SgyIPaGl5wZUAsG234nxoPj25QoRPF3zjbMoRk=",
"type": "tarball", "type": "tarball",
"url": "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.11.1/Cookbook-0.11.1.tar.gz" "url": "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.10.5/Cookbook-0.10.5.tar.gz"
}, },
"version": "0.11.1" "version": "0.10.5"
}, },
"news": { "news": {
"cargoLocks": null, "cargoLocks": null,
@ -63,11 +63,11 @@
"passthru": null, "passthru": null,
"pinned": false, "pinned": false,
"src": { "src": {
"sha256": "sha256-AhTZGQCLeNgsRBF5w3+Lf9JtNN4D1QncB5t+odU+XUc=", "sha256": "sha256-cfJkKRNSz15L4E3w1tnEb+t4MrVwVzb8lb6vCOA4cK4=",
"type": "tarball", "type": "tarball",
"url": "https://github.com/nextcloud/news/releases/download/25.0.0-alpha8/news.tar.gz" "url": "https://github.com/nextcloud/news/releases/download/24.0.0/news.tar.gz"
}, },
"version": "25.0.0-alpha8" "version": "24.0.0"
}, },
"notes": { "notes": {
"cargoLocks": null, "cargoLocks": null,
@ -77,10 +77,10 @@
"passthru": null, "passthru": null,
"pinned": false, "pinned": false,
"src": { "src": {
"sha256": "sha256-A3QNWGWeC2OcZngMrh9NpYbU5qp5x9xiDcRfB9cRXBo=", "sha256": "sha256-ydpxatwuZUz7XIgK8FMklZlxNQklpsP8Uqpxvt3iK0k=",
"type": "tarball", "type": "tarball",
"url": "https://github.com/nextcloud-releases/notes/releases/download/v4.10.1/notes-v4.10.1.tar.gz" "url": "https://github.com/nextcloud/notes/releases/download/v4.10.0/notes.tar.gz"
}, },
"version": "v4.10.1" "version": "v4.10.0"
} }
} }

View file

@ -3,18 +3,18 @@
{ {
bookmarks = { bookmarks = {
pname = "bookmarks"; pname = "bookmarks";
version = "14.2.4"; version = "13.1.3";
src = fetchTarball { src = fetchTarball {
url = "https://github.com/nextcloud/bookmarks/releases/download/v14.2.4/bookmarks-14.2.4.tar.gz"; url = "https://github.com/nextcloud/bookmarks/releases/download/v13.1.3/bookmarks-13.1.3.tar.gz";
sha256 = "sha256-V4zZsAwPn8QiCXEDqOgNFHaXqMOcHMpMbJ1Oz3Db0pc="; sha256 = "sha256-JXNQNnWXoii71QhtKktuEBEIqzmONVetULBhpSjM9xo=";
}; };
}; };
calendar = { calendar = {
pname = "calendar"; pname = "calendar";
version = "v4.7.15"; version = "v4.6.7";
src = fetchTarball { src = fetchTarball {
url = "https://github.com/nextcloud-releases/calendar/releases/download/v4.7.15/calendar-v4.7.15.tar.gz"; url = "https://github.com/nextcloud-releases/calendar/releases/download/v4.6.7/calendar-v4.6.7.tar.gz";
sha256 = "sha256-sipXeyOL4OhENz7V2beFeSYBAoFZdCWtqftIy0lsqEY="; sha256 = "sha256-hZfjWAMi/0qs5xMMgOlcoSXG6kcZ2aeDaez+NqSZFKI=";
}; };
}; };
contacts = { contacts = {
@ -27,26 +27,26 @@
}; };
cookbook = { cookbook = {
pname = "cookbook"; pname = "cookbook";
version = "0.11.1"; version = "0.10.5";
src = fetchTarball { src = fetchTarball {
url = "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.11.1/Cookbook-0.11.1.tar.gz"; url = "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.10.5/Cookbook-0.10.5.tar.gz";
sha256 = "sha256-a8ekMnEzudHGiqHF53jPtgsVTOTc2QLuPg6YtTw5h68="; sha256 = "sha256-TE/w8SgyIPaGl5wZUAsG234nxoPj25QoRPF3zjbMoRk=";
}; };
}; };
news = { news = {
pname = "news"; pname = "news";
version = "25.0.0-alpha8"; version = "24.0.0";
src = fetchTarball { src = fetchTarball {
url = "https://github.com/nextcloud/news/releases/download/25.0.0-alpha8/news.tar.gz"; url = "https://github.com/nextcloud/news/releases/download/24.0.0/news.tar.gz";
sha256 = "sha256-AhTZGQCLeNgsRBF5w3+Lf9JtNN4D1QncB5t+odU+XUc="; sha256 = "sha256-cfJkKRNSz15L4E3w1tnEb+t4MrVwVzb8lb6vCOA4cK4=";
}; };
}; };
notes = { notes = {
pname = "notes"; pname = "notes";
version = "v4.10.1"; version = "v4.10.0";
src = fetchTarball { src = fetchTarball {
url = "https://github.com/nextcloud-releases/notes/releases/download/v4.10.1/notes-v4.10.1.tar.gz"; url = "https://github.com/nextcloud/notes/releases/download/v4.10.0/notes.tar.gz";
sha256 = "sha256-A3QNWGWeC2OcZngMrh9NpYbU5qp5x9xiDcRfB9cRXBo="; sha256 = "sha256-ydpxatwuZUz7XIgK8FMklZlxNQklpsP8Uqpxvt3iK0k=";
}; };
}; };
} }

View file

@ -13,7 +13,6 @@
"name": null, "name": null,
"rev": "v0.10.1", "rev": "v0.10.1",
"sha256": "sha256-zGEhDy3uXIbvx4agSA8Mx7bRtiZZtoDZGbNbHc9L+yI=", "sha256": "sha256-zGEhDy3uXIbvx4agSA8Mx7bRtiZZtoDZGbNbHc9L+yI=",
"sparseCheckout": [],
"type": "git", "type": "git",
"url": "https://gitlab.com/hectorjsmith/fail2ban-prometheus-exporter" "url": "https://gitlab.com/hectorjsmith/fail2ban-prometheus-exporter"
}, },

View file

@ -10,7 +10,6 @@
fetchSubmodules = false; fetchSubmodules = false;
deepClone = false; deepClone = false;
leaveDotGit = false; leaveDotGit = false;
sparseCheckout = [ ];
sha256 = "sha256-zGEhDy3uXIbvx4agSA8Mx7bRtiZZtoDZGbNbHc9L+yI="; sha256 = "sha256-zGEhDy3uXIbvx4agSA8Mx7bRtiZZtoDZGbNbHc9L+yI=";
}; };
}; };

View file

@ -1,12 +1,20 @@
{ pkgs, rustPlatform, ... }: {
pkgs,
rustPlatform,
...
}:
rustPlatform.buildRustPackage { rustPlatform.buildRustPackage {
pname = "afvalcalendar"; pname = "afvalcalendar";
version = "0.1.0"; version = "0.1.0";
src = ./.; src = ./.;
nativeBuildInputs = with pkgs; [ pkg-config ]; nativeBuildInputs = with pkgs; [
pkg-config
];
buildInputs = with pkgs; [ openssl ]; buildInputs = with pkgs; [
openssl
];
cargoHash = "sha256-JXx6aUKdKbUTBCwlBw5i1hZy8ofCfSrhLCwFzqdA8cI="; cargoHash = "sha256-JXx6aUKdKbUTBCwlBw5i1hZy8ofCfSrhLCwFzqdA8cI=";
} }

View file

@ -1,5 +1,7 @@
{ pkgs, lib }: {
let pkgs,
lib,
}: let
inherit (builtins) fromJSON mapAttrs readFile; inherit (builtins) fromJSON mapAttrs readFile;
inherit (pkgs) callPackage; inherit (pkgs) callPackage;
in in

View file

@ -1,5 +1,7 @@
{ fetchNextcloudApp, lib }: {
source: fetchNextcloudApp,
lib,
}: source:
fetchNextcloudApp { fetchNextcloudApp {
url = source.src.url; url = source.src.url;
sha256 = source.src.sha256; sha256 = source.src.sha256;

View file

@ -1,10 +1,12 @@
[bookmarks] [bookmarks]
src.github = "nextcloud/bookmarks" # src.github = "nextcloud/bookmarks"
src.prefix = "v" src.prefix = "v"
src.manual = "v13.1.3"
fetch.tarball = "https://github.com/nextcloud/bookmarks/releases/download/v$ver/bookmarks-$ver.tar.gz" fetch.tarball = "https://github.com/nextcloud/bookmarks/releases/download/v$ver/bookmarks-$ver.tar.gz"
[calendar] [calendar]
src.github = "nextcloud-releases/calendar" # src.github = "nextcloud-releases/calendar"
src.manual = "v4.6.7"
fetch.tarball = "https://github.com/nextcloud-releases/calendar/releases/download/$ver/calendar-$ver.tar.gz" fetch.tarball = "https://github.com/nextcloud-releases/calendar/releases/download/$ver/calendar-$ver.tar.gz"
[contacts] [contacts]
@ -13,16 +15,17 @@ src.manual = "v5.5.3"
fetch.tarball = "https://github.com/nextcloud-releases/contacts/releases/download/$ver/contacts-$ver.tar.gz" fetch.tarball = "https://github.com/nextcloud-releases/contacts/releases/download/$ver/contacts-$ver.tar.gz"
[cookbook] [cookbook]
src.github = "christianlupus-nextcloud/cookbook-releases" # src.github = "christianlupus-nextcloud/cookbook-releases"
src.prefix = "v" src.prefix = "v"
src.manual = "0.10.5"
fetch.tarball = "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v$ver/Cookbook-$ver.tar.gz" fetch.tarball = "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v$ver/Cookbook-$ver.tar.gz"
[news] [news]
# Update manually until angular rewrite is done
# src.github = "nextcloud/news" # src.github = "nextcloud/news"
src.manual = "25.0.0-alpha8" # Update to 25 when angular rewrite is done/the alpha when I need to switch to nextcloud 28+
src.manual = "24.0.0"
fetch.tarball = "https://github.com/nextcloud/news/releases/download/$ver/news.tar.gz" fetch.tarball = "https://github.com/nextcloud/news/releases/download/$ver/news.tar.gz"
[notes] [notes]
src.github = "nextcloud-releases/notes" src.github = "nextcloud/notes"
fetch.tarball = "https://github.com/nextcloud-releases/notes/releases/download/$ver/notes-$ver.tar.gz" fetch.tarball = "https://github.com/nextcloud/notes/releases/download/$ver/notes.tar.gz"

View file

@ -1,4 +1,7 @@
{ buildGoModule, sources }: {
buildGoModule,
sources,
}:
buildGoModule { buildGoModule {
inherit (sources.prometheus-fail2ban-exporter) pname src version; inherit (sources.prometheus-fail2ban-exporter) pname src version;
vendorHash = "sha256-5o8p5p0U/c0WAIV5dACnWA3ThzSh2tt5LIFMb59i9GY="; vendorHash = "sha256-5o8p5p0U/c0WAIV5dACnWA3ThzSh2tt5LIFMb59i9GY=";

View file

@ -5,17 +5,14 @@
patchelf, patchelf,
steamPackages, steamPackages,
replace-secret, replace-secret,
}: }: let
let
# Use the directory in which starbound is installed so steamcmd # Use the directory in which starbound is installed so steamcmd
# doesn't have to be reinstalled constantly (we're using DynamicUser # doesn't have to be reinstalled constantly (we're using DynamicUser
# with StateDirectory to persist this). # with StateDirectory to persist this).
steamcmd = steamPackages.steamcmd.override { steamRoot = "/var/lib/starbound/.steamcmd"; }; steamcmd = steamPackages.steamcmd.override {
wrapperPath = lib.makeBinPath [ steamRoot = "/var/lib/starbound/.steamcmd";
patchelf };
steamcmd wrapperPath = lib.makeBinPath [patchelf steamcmd replace-secret];
replace-secret
];
in in
stdenv.mkDerivation { stdenv.mkDerivation {
name = "starbound-update-script"; name = "starbound-update-script";