Lithospherical/nix-config
1
0
Fork 0
forked from jan-leila/nix-config
Code Pull requests Activity

moved service config out of host namespace

Browse source
This commit is contained in:
Leyla Becker 2025-03-22 13:27:04 -05:00
parent c7938c3fe7
commit 597c25b49d
7 changed files with 98 additions and 125 deletions
Download patch file Download diff file Expand all files Collapse all files

1
README.md
View file

@ -51,7 +51,6 @@ nix multi user, multi system, configuration with `sops` secret management, `home
- syncthing folder passwords
- nfs export should be backed by the same values for server and client
- move fail2ban configs out of fail2ban.nix and into configs for their respective services
- move extra custom configuration for services out of host config and instead extend services
## New Features
- offline access for nfs mounts (overlay with rsync might be a good option here? https://www.spinics.net/lists/linux-unionfs/msg07105.html note about nfs4 and overlay fs)
- samba mounts

45
configurations/nixos/defiant/configuration.nix
View file

@ -48,9 +48,6 @@
];
};
};
fail2ban = {
enable = true;
};
network_storage = {
enable = true;
directories = [
@ -74,7 +71,7 @@
folder = "media";
user = "jellyfin";
group = "jellyfin_media";
bind = config.host.jellyfin.media_directory;
bind = config.services.jellyfin.media_directory;
}
];
nfs = {
@ -94,19 +91,6 @@
};
};
};
jellyfin = {
enable = true;
subdomain = "media";
extraSubdomains = ["jellyfin"];
};
forgejo = {
enable = true;
subdomain = "git";
};
searx = {
enable = true;
subdomain = "search";
};
home-assistant = {
enable = false;
subdomain = "home";
@ -114,10 +98,6 @@
adguardhome = {
enable = false;
};
immich = {
enable = true;
subdomain = "photos";
};
sync = {
enable = true;
folders = {
@ -187,6 +167,29 @@
"--accept-dns=false"
];
};
fail2ban.enable = true;
jellyfin = {
enable = true;
subdomain = "media";
extraSubdomains = ["jellyfin"];
};
immich = {
enable = true;
subdomain = "photos";
};
forgejo = {
enable = true;
subdomain = "git";
};
searx = {
enable = true;
subdomain = "search";
};
};
# disable computer sleeping

9
modules/nixos-modules/server/fail2ban.nix
View file

@ -7,11 +7,7 @@
dataFolder = "/var/lib/fail2ban";
dataFile = "fail2ban.sqlite3";
in {
options.host.fail2ban = {
enable = lib.mkEnableOption "should fail 2 ban be enabled on this server";
};
config = lib.mkIf config.host.fail2ban.enable (lib.mkMerge [
config = lib.mkIf config.services.fail2ban.enable (lib.mkMerge [
{
environment.etc = {
"fail2ban/filter.d/nginx.local".text = lib.mkIf config.services.nginx.enable (
@ -37,7 +33,6 @@ in {
};
services.fail2ban = {
enable = true;
maxretry = 5;
ignoreIP = [
# Whitelist local networks
@ -90,8 +85,6 @@ in {
];
environment.persistence."/persist/system/root" = {
enable = true;
hideMounts = true;
directories = [
{
directory = dataFolder;

54
modules/nixos-modules/server/forgejo.nix
View file

@ -9,8 +9,7 @@
db_user = "forgejo";
sshPort = 22222;
in {
options.host.forgejo = {
enable = lib.mkEnableOption "should forgejo be enabled on this computer";
options.services.forgejo = {
subdomain = lib.mkOption {
type = lib.types.str;
description = "subdomain of base domain that forgejo will be hosted at";
@ -18,10 +17,10 @@ in {
};
};
config = lib.mkIf config.host.forgejo.enable (lib.mkMerge [
config = lib.mkIf config.services.forgejo.enable (lib.mkMerge [
{
host = {
reverse_proxy.subdomains.${config.host.forgejo.subdomain} = {
reverse_proxy.subdomains.${config.services.forgejo.subdomain} = {
target = "http://localhost:${toString forgejoPort}";
};
postgres = {
@ -34,32 +33,29 @@ in {
};
};
services = {
forgejo = {
enable = true;
database = {
type = "postgres";
socket = "/run/postgresql";
services.forgejo = {
database = {
type = "postgres";
socket = "/run/postgresql";
};
lfs.enable = true;
settings = {
server = {
DOMAIN = "${config.services.forgejo.subdomain}.${config.host.reverse_proxy.hostname}";
HTTP_PORT = forgejoPort;
START_SSH_SERVER = true;
SSH_LISTEN_PORT = sshPort;
SSH_PORT = 22;
BUILTIN_SSH_SERVER_USER = config.users.users.git.name;
ROOT_URL = "https://git.jan-leila.com";
};
lfs.enable = true;
settings = {
server = {
DOMAIN = "${config.host.forgejo.subdomain}.${config.host.reverse_proxy.hostname}";
HTTP_PORT = forgejoPort;
START_SSH_SERVER = true;
SSH_LISTEN_PORT = sshPort;
SSH_PORT = 22;
BUILTIN_SSH_SERVER_USER = config.users.users.git.name;
ROOT_URL = "https://git.jan-leila.com";
};
service = {
DISABLE_REGISTRATION = true;
};
database = {
DB_TYPE = "postgres";
NAME = db_user;
USER = db_user;
};
service = {
DISABLE_REGISTRATION = true;
};
database = {
DB_TYPE = "postgres";
NAME = db_user;
USER = db_user;
};
};
};

15
modules/nixos-modules/server/immich.nix
View file

@ -6,8 +6,7 @@
}: let
mediaLocation = "/var/lib/immich";
in {
options.host.immich = {
enable = lib.mkEnableOption "should immich be enabled on this computer";
options.services.immich = {
subdomain = lib.mkOption {
type = lib.types.str;
description = "subdomain of base domain that immich will be hosted at";
@ -15,10 +14,10 @@ in {
};
};
config = lib.mkIf config.host.immich.enable (lib.mkMerge [
config = lib.mkIf config.services.immich.enable (lib.mkMerge [
{
host = {
reverse_proxy.subdomains.${config.host.immich.subdomain} = {
reverse_proxy.subdomains.${config.services.immich.subdomain} = {
target = "http://localhost:${toString config.services.immich.port}";
websockets.enable = true;
@ -45,12 +44,6 @@ in {
};
};
services.immich = {
enable = true;
port = 2283;
# redis.enable = false;
};
networking.firewall.interfaces.${config.services.tailscale.interfaceName} = {
allowedUDPPorts = [
config.services.immich.port
@ -89,8 +82,6 @@ in {
}
];
environment.persistence."/persist/system/root" = {
enable = true;
hideMounts = true;
directories = [
{
directory = mediaLocation;

15
modules/nixos-modules/server/jellyfin.nix
View file

@ -8,8 +8,7 @@
jellyfin_data_directory = "/var/lib/jellyfin";
jellyfin_cache_directory = "/var/cache/jellyfin";
in {
options.host.jellyfin = {
enable = lib.mkEnableOption "should jellyfin be enabled on this computer";
options.services.jellyfin = {
subdomain = lib.mkOption {
type = lib.types.str;
description = "subdomain of base domain that jellyfin will be hosted at";
@ -27,16 +26,14 @@ in {
};
};
config = lib.mkIf config.host.jellyfin.enable (
config = lib.mkIf config.services.jellyfin.enable (
lib.mkMerge [
{
services.jellyfin.enable = true;
host.reverse_proxy.subdomains.jellyfin = {
target = "http://localhost:${toString jellyfinPort}";
subdomain = config.host.jellyfin.subdomain;
extraSubdomains = config.host.jellyfin.extraSubdomains;
subdomain = config.services.jellyfin.subdomain;
extraSubdomains = config.services.jellyfin.extraSubdomains;
forwardHeaders.enable = true;
@ -107,8 +104,6 @@ in {
environment.persistence = {
"/persist/system/root" = {
enable = true;
hideMounts = true;
directories = [
{
directory = jellyfin_data_directory;
@ -128,7 +123,7 @@ in {
hideMounts = true;
directories = [
{
directory = config.host.jellyfin.media_directory;
directory = config.services.jellyfin.media_directory;
user = "jellyfin";
group = "jellyfin_media";
mode = "1770";

84
modules/nixos-modules/server/searx.nix
View file

@ -4,8 +4,7 @@
inputs,
...
}: {
options.host.searx = {
enable = lib.mkEnableOption "should searx be enabled on this computer";
options.services.searx = {
subdomain = lib.mkOption {
type = lib.types.str;
description = "subdomain of base domain that searx will be hosted at";
@ -13,7 +12,7 @@
};
};
config = lib.mkIf config.host.searx.enable {
config = lib.mkIf config.services.searx.enable {
sops.secrets = {
"services/searx" = {
sopsFile = "${inputs.secrets}/defiant-services.yaml";
@ -21,56 +20,53 @@
};
host = {
reverse_proxy.subdomains.searx = {
subdomain = config.host.searx.subdomain;
subdomain = config.services.searx.subdomain;
target = "http://localhost:${toString config.services.searx.settings.server.port}";
};
};
services = {
searx = {
enable = true;
environmentFile = config.sops.secrets."services/searx".path;
services.searx = {
environmentFile = config.sops.secrets."services/searx".path;
# Rate limiting
limiterSettings = {
real_ip = {
x_for = 1;
ipv4_prefix = 32;
ipv6_prefix = 56;
};
botdetection = {
ip_limit = {
filter_link_local = true;
link_token = true;
};
};
# Rate limiting
limiterSettings = {
real_ip = {
x_for = 1;
ipv4_prefix = 32;
ipv6_prefix = 56;
};
settings = {
server = {
port = 8083;
secret_key = "@SEARXNG_SECRET@";
botdetection = {
ip_limit = {
filter_link_local = true;
link_token = true;
};
# Search engine settings
search = {
safe_search = 2;
autocomplete_min = 2;
autocomplete = "duckduckgo";
};
# Enabled plugins
enabled_plugins = [
"Basic Calculator"
"Hash plugin"
"Tor check plugin"
"Open Access DOI rewrite"
"Hostnames plugin"
"Unit converter plugin"
"Tracker URL remover"
];
};
};
settings = {
server = {
port = 8083;
secret_key = "@SEARXNG_SECRET@";
};
# Search engine settings
search = {
safe_search = 2;
autocomplete_min = 2;
autocomplete = "duckduckgo";
};
# Enabled plugins
enabled_plugins = [
"Basic Calculator"
"Hash plugin"
"Tor check plugin"
"Open Access DOI rewrite"
"Hostnames plugin"
"Unit converter plugin"
"Tracker URL remover"
];
};
};
};
}