convert to proper module layout

This commit is contained in:
Noah Masur
2022-12-21 14:18:03 -07:00
parent bf1d2f1e9e
commit d040077d3a
95 changed files with 1196 additions and 895 deletions


@ -1,21 +1,22 @@
{ config, pkgs, lib, ... }: {
imports = [ ./secrets.nix ];
options = {
backupS3 = {
backup.s3 = {
endpoint = lib.mkOption {
type = lib.types.str;
description = "S3 endpoint for backups";
default = null;
};
bucket = lib.mkOption {
type = lib.types.str;
description = "S3 bucket for backups";
default = null;
};
accessKeyId = lib.mkOption {
type = lib.types.str;
description = "S3 access key ID for backups";
default = null;
};
};
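Review bot: `default = null` on options typed `lib.types.str` (endpoint, bucket and accessKeyId here) is rejected by the module system as soon as the option is read, because `str` does not accept null, so the default cannot act as an "unset" sentinel. Declare them as `type = lib.types.nullOr lib.types.str;` so a null default is legal and `!= null` checks elsewhere work. The same str/null pairing appears in the hostname options of calibre, gitea, jellyfin, n8n, nextcloud, prometheus, transmission and vaultwarden in this commit. The options attrset continues outside the hunk.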


@ -1,18 +1,20 @@
{ config, pkgs, lib, ... }: {
options = {
caddyRoutes = lib.mkOption {
caddy.enable = lib.mkEnableOption "Caddy reverse proxy.";
caddy.routes = lib.mkOption {
type = lib.types.listOf lib.types.attrs;
description = "Caddy JSON routes for http servers";
default = [ ];
};
caddyBlocks = lib.mkOption {
caddy.blocks = lib.mkOption {
type = lib.types.listOf lib.types.attrs;
description = "Caddy JSON error blocks for http servers";
default = [ ];
};
};
config = {
config = lib.mkIf (config.caddy.enable && config.caddy.routes != [ ]) {
services.caddy = {
enable = true;
@ -20,8 +22,8 @@
configFile = pkgs.writeText "Caddyfile" (builtins.toJSON {
apps.http.servers.main = {
listen = [ ":443" ];
routes = config.caddyRoutes;
errors.routes = config.caddyBlocks;
routes = config.caddy.routes;
errors.routes = config.caddy.blocks;
};
});
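Review bot: the Caddy config is now gated on `config.caddy.enable`, but none of the service modules in this commit that populate `caddy.routes` (calibre, gitea, jellyfin, n8n, nextcloud, prometheus) or `caddy.blocks` (cloudflare) set `caddy.enable = true`, so unless a host sets it elsewhere those routes and the Cloudflare source-IP block are silently unused. Either have each such module also set `caddy.enable = lib.mkDefault true;` inside its mkIf, or drop the enable term and gate on `config.caddy.routes != [ ]` alone so the proxy comes up whenever a service asks for a route. The services.caddy block continues outside the hunk.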


@ -1,15 +1,14 @@
{ config, pkgs, lib, ... }: {
imports = [ ./caddy.nix ./backups.nix ];
options = {
bookServer = lib.mkOption {
type = lib.types.str;
description = "Hostname for Calibre library";
default = null;
};
};
config = {
config = lib.mkIf config.bookServer != null {
services.calibre-web = {
enable = true;
@ -31,7 +30,7 @@
})
];
caddyRoutes = [{
caddy.routes = [{
match = [{ host = [ config.bookServer ]; }];
handle = [{
handler = "reverse_proxy";
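Review bot: `config = lib.mkIf config.bookServer != null {` does not parse as intended: function application binds tighter than `!=` in Nix, so this reads as `(lib.mkIf config.bookServer) != (null { ... })` and evaluation fails instead of gating the module. Write it as `config = lib.mkIf (config.bookServer != null) {`, the form transmission.nix in this commit already uses. The same unparenthesised condition appears in gitea, jellyfin, n8n, nextcloud, prometheus and vaultwarden. The config attrset continues past the hunk.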


@ -1,6 +1,6 @@
# This module is necessary for hosts that are serving through Cloudflare.
{ ... }:
{ config, lib, ... }:
let
@ -36,12 +36,12 @@ let
in {
imports = [ ./caddy.nix ];
options.cloudflare.enable = lib.mkEnableOption "Use Cloudflare.";
config = {
config = lib.mkIf config.cloudflare.enable {
# Forces Caddy to error if coming from a non-Cloudflare IP
caddyBlocks = [{
caddy.blocks = [{
match = [{ not = [{ remote_ip.ranges = cloudflareIpRanges; }]; }];
handle = [{
handler = "static_response";
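Review bot: the comment above `caddy.blocks` says this forces Caddy to error for non-Cloudflare sources, but caddy.nix in this commit places `caddy.blocks` under `errors.routes`, and Caddy runs error routes only after a primary route has already produced an error, so as far as I can tell this static_response does not reject a direct (non-Cloudflare) request that a reverse_proxy route serves successfully. If the intent is to drop such traffic, the `not remote_ip` matcher belongs in a regular route ordered before the reverse_proxy routes, or the firewall should restrict :443 to the Cloudflare ranges; worth confirming against Caddy's JSON `errors` semantics. The block continues outside the hunk.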


@ -0,0 +1,25 @@
{ ... }: {
imports = [
./backups.nix
./caddy.nix
./calibre.nix
./cloudflare.nix
./gitea.nix
./gnupg.nix
./honeypot.nix
./jellyfin.nix
./keybase.nix
./mullvad.nix
./n8n.nix
./netdata.nix
./nextcloud.nix
./prometheus.nix
./secrets.nix
./sshd.nix
./transmission.nix
./vaultwarden.nix
./wireguard.nix
];
}


@ -4,18 +4,17 @@ let giteaPath = "/var/lib/gitea"; # Default service directory
in {
imports = [ ./caddy.nix ./backups.nix ];
options = {
giteaServer = lib.mkOption {
description = "Hostname for Gitea.";
type = lib.types.str;
default = null;
};
};
config = {
config = lib.mkIf config.giteaServer != null {
services.gitea = {
enable = true;
httpPort = 3001;
@ -47,7 +46,7 @@ in {
networking.firewall.allowedTCPPorts = [ 122 ];
caddyRoutes = [{
caddy.routes = [{
match = [{ host = [ config.giteaServer ]; }];
handle = [{
handler = "reverse_proxy";


@ -1,6 +1,8 @@
{ config, pkgs, lib, ... }: {
home-manager.users.${config.user} = {
options.gpg.enable = lib.mkEnableOption "GnuPG encryption.";
home-manager.users.${config.user} = lib.mkIf config.gpg.enable {
programs.gpg.enable = true;
services.gpg-agent = {
enable = true;
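Review bot: declaring `options.gpg.enable` next to a bare top-level `home-manager.users.${config.user}` attribute is rejected by the module system: once a module has an `options` or `config` attribute, every other attribute must live under `config` (the "unsupported attribute" error). Move the definition to `config.home-manager.users.${config.user} = lib.mkIf config.gpg.enable { … };` or wrap it as `config = lib.mkIf config.gpg.enable { home-manager.users.${config.user} = { … }; };`. honeypot.nix in this commit has the same mix, `options.honeypot.enable` beside a top-level `networking.firewall`. The attrset continues outside the hunk.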


@ -1,4 +1,4 @@
{ lib, pkgs, ... }:
{ config, lib, pkgs, ... }:
# Currently has some issues that don't make this viable.
@ -38,7 +38,9 @@ let
in {
networking.firewall = {
options.honeypot.enable = lib.mkEnableOption "Honeypot fail2ban system.";
networking.firewall = lib.mkIf config.honeypot.enable {
extraPackages = [ pkgs.ipset ];
# allowedTCPPorts = portsToBlock;


@ -4,14 +4,15 @@
streamServer = lib.mkOption {
type = lib.types.str;
description = "Hostname for Jellyfin library";
default = null;
};
};
config = {
config = lib.mkIf config.streamServer != null {
services.jellyfin.enable = true;
caddyRoutes = [{
caddy.routes = [{
match = [{ host = [ config.streamServer ]; }];
handle = [{
handler = "reverse_proxy";


@ -1,28 +1,34 @@
{ config, pkgs, lib, ... }: {
services.keybase.enable = true;
services.kbfs = {
enable = true;
# enableRedirector = true;
mountPoint = "/run/user/1000/keybase/kbfs";
};
security.wrappers.keybase-redirector = {
setuid = true;
owner = "root";
group = "root";
source = "${pkgs.kbfs}/bin/redirector";
};
options.keybase.enable = lib.mkEnableOption "Keybase.";
home-manager.users.${config.user} = {
home.packages = [ (lib.mkIf config.gui.enable pkgs.keybase-gui) ];
home.file = let
ignorePatterns = ''
keybase/
kbfs/'';
in {
".rgignore".text = ignorePatterns;
".fdignore".text = ignorePatterns;
config = lib.mkIf config.keybase.enable {
services.keybase.enable = true;
services.kbfs = {
enable = true;
# enableRedirector = true;
mountPoint = "/run/user/1000/keybase/kbfs";
};
security.wrappers.keybase-redirector = {
setuid = true;
owner = "root";
group = "root";
source = "${pkgs.kbfs}/bin/redirector";
};
home-manager.users.${config.user} = {
home.packages = [ (lib.mkIf config.gui.enable pkgs.keybase-gui) ];
home.file = let
ignorePatterns = ''
keybase/
kbfs/'';
in {
".rgignore".text = ignorePatterns;
".fdignore".text = ignorePatterns;
};
};
};
}
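Review bot: `mountPoint = "/run/user/1000/keybase/kbfs"` hard-codes UID 1000 while the rest of the block addresses the user as `config.user`; if that account does not have uid 1000 the KBFS mount lands in another user's runtime directory or in none. If the uid is declared under `users.users`, deriving the path keeps them in step, e.g. `mountPoint = "/run/user/${toString config.users.users.${config.user}.uid}/keybase/kbfs";` — confirm the uid is actually set there before relying on it. Gating the setuid-root `keybase-redirector` wrapper behind `keybase.enable` is a real reduction of the default privileged surface, so that part of the change is welcome.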


@ -1,6 +1,12 @@
{ pkgs, ... }: {
{ config, pkgs, lib, ... }: {
services.mullvad-vpn.enable = true;
environment.systemPackages = [ pkgs.mullvad-vpn ];
options.mullvad.enable = lib.mkEnableOption "Mullvad VPN.";
config = lib.mkIf config.mullvad.enable {
services.mullvad-vpn.enable = true;
environment.systemPackages = [ pkgs.mullvad-vpn ];
};
}


@ -1,21 +1,33 @@
{ ... }: {
{ config, pkgs, lib, ... }: {
services.n8n = {
enable = true;
settings = {
n8n = {
listenAddress = "127.0.0.1";
port = 5678;
};
options = {
n8nServer = lib.mkOption {
type = lib.types.str;
description = "Hostname for n8n automation";
default = null;
};
};
caddyRoutes = [{
match = [{ host = [ config.n8nServer ]; }];
handle = [{
handler = "reverse_proxy";
upstreams = [{ dial = "localhost:5678"; }];
config = lib.mkIf config.n8nServer != null {
services.n8n = {
enable = true;
settings = {
n8n = {
listenAddress = "127.0.0.1";
port = 5678;
};
};
};
caddy.routes = [{
match = [{ host = [ config.n8nServer ]; }];
handle = [{
handler = "reverse_proxy";
upstreams = [{ dial = "localhost:5678"; }];
}];
}];
}];
};
}


@ -1,6 +1,8 @@
{ config, pkgs, lib, ... }: {
config = {
options.netdata.enable = lib.mkEnableOption "Netdata metrics.";
config = lib.mkIf config.netdata.enable {
services.netdata = {
enable = true;


@ -1,17 +1,16 @@
{ config, pkgs, lib, ... }: {
imports = [ ./caddy.nix ./secrets.nix ./backups.nix ];
options = {
nextcloudServer = lib.mkOption {
type = lib.types.str;
description = "Hostname for Nextcloud";
default = null;
};
};
config = {
config = lib.mkIf config.nextcloudServer != null {
services.nextcloud = {
enable = true;
@ -32,7 +31,7 @@
}];
# Point Caddy to Nginx
caddyRoutes = [{
caddy.routes = [{
match = [{ host = [ config.nextcloudServer ]; }];
handle = [{
handler = "reverse_proxy";


@ -3,9 +3,10 @@
options.metricsServer = lib.mkOption {
type = lib.types.str;
description = "Hostname of the Grafana server.";
default = null;
};
config = {
config = lib.mkIf config.metricsServer != null {
services.grafana.enable = true;
@ -21,7 +22,7 @@
}];
};
caddyRoutes = [{
caddy.routes = [{
match = [{ host = [ config.metricsServer ]; }];
handle = [{
handler = "reverse_proxy";


@ -47,7 +47,7 @@
};
config = {
config = lib.mkIf (pkgs.stdenv.isLinux && !config.wsl.enable) {
# Create a default directory to place secrets


@ -12,7 +12,7 @@
};
};
config = {
config = lib.mkIf (pkgs.stdenv.isLinux && !config.wsl.enable) {
services.openssh = {
enable = true;
ports = [ 22 ];


@ -1,11 +1,10 @@
{ config, pkgs, lib, ... }: {
imports = [ ./wireguard.nix ./secrets.nix ];
options = {
transmissionServer = lib.mkOption {
type = lib.types.str;
description = "Hostname for Transmission";
default = null;
};
};
@ -13,7 +12,7 @@
namespace = config.networking.wireguard.interfaces.wg0.interfaceNamespace;
vpnIp = lib.strings.removeSuffix "/32"
(builtins.head config.networking.wireguard.interfaces.wg0.ips);
in {
in lib.mkIf (config.wireguard.enable && config.transmissionServer != null) {
# Setup transmission
services.transmission = {


@ -4,18 +4,17 @@ let vaultwardenPath = "/var/lib/bitwarden_rs"; # Default service directory
in {
imports = [ ./caddy.nix ./secrets.nix ./backups.nix ];
options = {
vaultwardenServer = lib.mkOption {
description = "Hostname for Vaultwarden.";
type = lib.types.str;
default = null;
};
};
config = {
config = lib.mkIf config.vaultwardenServer != null {
services.vaultwarden = {
enable = true;
config = {


@ -1,8 +1,8 @@
{ config, pkgs, lib, ... }: {
imports = [ ./secrets.nix ];
options.wireguard.enable = lib.mkEnableOption "Wireguard VPN setup.";
config = {
config = lib.mkIf (pkgs.stdenv.isLinux && config.wireguard.enable) {
networking.wireguard = {
enable = true;