pederbs/config
pederbs
/
config
1
1
Fork 0
Code Issues Pull Requests Releases Activity
config/profiles/nas/default.nix

1279 lines
43 KiB
Nix
Raw Normal View History

Initial commit
2022-10-17 22:40:48 +02:00
{ config, pkgs, ... }:
let
lib = pkgs.lib;
#webserver = "nginx" # httpd caddy lighttpd
domain = "${config.networking.hostName}.${config.networking.domain}";
mkDomain = subname: "${subname}.${domain}";
subdomains = lib.sort (x: y: x<y) ( # TODO: deduplicate <-
lib.flatten (
lib.mapAttrsToList
(k: v: [k] ++ v.serverAliases)
config.services.nginx.virtualHosts
)
);
in
with builtins; {
imports = [
./modules/webhook.nix
#./modules/kukkee.nix
<nixos-unstable/nixos/modules/services/misc/polaris.nix>
#/home/pbsds/repos/nixpkgs-polaris/nixos/modules/services/misc/polaris.nix
];
# ACME
# regenerate certs with:
# systemctl clean --what=state acme-noximilien.pbsds.net.service
security.acme.acceptTerms = true;
security.acme.defaults.email = "pbsds+acme@hotmail.com";
#security.acme.defaults.renewInterval = "daily";
#security.acme.defaults.reloadServices
# https://www.xf.is/2020/06/30/list-of-free-acme-ssl-providers/
#security.acme.defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; # STAGING
#security.acme.defaults.server = "https://api.buypass.com/acme/directory"; # no wildcards, rate limit: 20 domains/week, 5 duplicate certs / week
#security.acme.defaults.server = "https://api.test4.buypass.no/acme/directory"; # STAGING. no wildcards, rate limit: 20 domains/week, 5 duplicate certs / week
# DNS-based ACME:
# - https://go-acme.github.io/lego/dns/domeneshop/
# - https://nixos.org/manual/nixos/stable/index.html#module-security-acme-config-dns-with-vhosts
#security.acme.defaults.dnsProvider = "domeneshop";
#security.acme.defaults.credentialsFile = "/var/lib/secrets/domeneshop.key"; # TODO: this file must be made by hand, containing env variables.
services.nginx.enable = true;
# Website tunnel
# TODO: move to web profile?
services.nginx.virtualHosts.${domain} = {
forceSSL = true; # addSSL = true;
enableACME = true;
#acmeRoot = null; # use DNS
default = true;
serverAliases = map mkDomain [
"www"
#"*" # requires DNS ACME
];
# The alternative to ^ is: config.security.acme.certs."${acmeDomain}".extraDomainNames = [ (mkDomain "foo") ];
# TODO: 'nox' alias for everything
locations."/" = {
proxyPass = "http://pbuntu.pbsds.net";
proxyWebsockets = true;
};
};
#services.nginx.virtualHosts.${mkDomain "www"} = {
# addSSL = true;
# useACMEHost = acmeDomain; #enableACME = true;
# locations."/" = {
# proxyPass = "http://pbuntu.pbsds.net";
# proxyWebsockets = true;
# };
#};
# service index
# TODO: move to web profile?
services.nginx.virtualHosts.${mkDomain "index"} = {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
root = let
getName = domain: head (lib.splitString "." domain);
getDomain = domain: concatStringsSep "." (tail (lib.splitString "." domain));
custom = rec {
index = "This page";
links = "Linktree";
element = pkgs.element-web.meta.description;
refleksjon = "My dad is a cheapskate";
roroslyd = "My dad is a cheapskate";
www = "wwwwwwwwwwwwwww";
noximilien = www;
shlink = "Url shortener";
};
getDesc = domain: let
name = getName domain;
in if lib.hasAttr name custom
then custom.${name}
else if lib.hasAttr name pkgs.python3Packages
then pkgs.python3Packages.${name}.meta.description
else if lib.hasAttr name pkgs
then pkgs.${name}.meta.description
else if lib.hasAttrByPath [name "package"] config.services
then config.services.${name}.package.meta.description
else "";
mkRow = domain: ''<tr><td><a href="//${domain}">${getName domain}<span style=\"opacity: 0.65;\">.${getDomain domain}</span></a><td>${getDesc domain}'';
in pkgs.writeTextDir "index.html" ''
<!DOCTYPE html>
<table>
<tr><th>url<th>description
${lib.concatStringsSep "\n" (map mkRow subdomains)}
</table>
'';
};
# webdav
# Simple WebDAV server
services.webdav = {
enable = true;
# the webdav user uid:gid is fixed
settings = {
address = "127.0.0.1";
port = 9568;
prefix = "/";
scope = "/mnt/reidun/pub";
modify = false;
auth = true;
users = [
{
username = "zotero";
password = "{bcrypt}$2y$10$9zzZuwd2AvNZXb8WCG/bM..ibOroNnX0sN94UTAV.Jco9LnZ8Whs2";
#prefix = "/zotero/";
scope = "/mnt/reidun/Various/Zotero";
modify = true;
}
/** /
{
username = "guest";
password = "hunter2";
}
/**/
];
};
};
services.nginx.virtualHosts.${mkDomain "webdav"} = lib.mkIf config.services.webdav.enable {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.webdav.settings.port}";
#proxyWebsockets = true;
extraConfig = ''
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_redirect off;
client_max_body_size 2G;
'';
};
};
# Home assistant
services.home-assistant = {
#enable = true;
config = {
# https://www.home-assistant.io/integrations/default_config/
default_config = {};
# https://www.home-assistant.io/integrations/esphome/
#esphome = {};
# https://www.home-assistant.io/integrations/met/
#met = {};
};
};
# Flexget
# Multipurpose automation tool for all of your media
services.flexget = {
enable = true;
user = "flexget"; # The user under which to run flexget.
homeDir = "/var/lib/flexget";
interval = "30m";
config = ''
tasks:
shanaproject:
rss: 'https://www.shanaproject.com/feeds/secure/user/35853/J98B7OXAHO/'
accept_all: yes
no_entries_ok: yes
transmission:
host: 192.168.1.3
port: 9091
path: '/Reidun/shared/Downloads/shana project/'
username: pbsds
password: spismeg
'';
};
users.groups."${config.services.flexget.user}" = lib.mkIf config.services.flexget.enable { };
users.users."${config.services.flexget.user}" = lib.mkIf config.services.flexget.enable {
isSystemUser = true;
createHome = true;
home = config.services.flexget.homeDir;
group = "${config.services.flexget.user}";
};
# Graphana
# Gorgeous metric viz, dashboards & editors for Graphite, InfluxDB & OpenTSDB
services.grafana = rec {
#enable = true;
#addr = "127.0.0.1";
addr = "0.0.0.0";
port = 3000;
domain = mkDomain "grafana";
#rootUrl = "https://${domain}/grafana/"; # Not needed if it is `https://your.domain/`
};
services.nginx.virtualHosts."${config.services.grafana.domain}" = lib.mkIf config.services.grafana.enable {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
#locations."/grafana/" = {
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
proxyWebsockets = true;
};
};
# OwnCast
# self-hosted video live streaming solution
services.owncast = {
# the default /admin account is admin:abc123, don't enable if you don't intend to change it!
enable = true;
port = 3456; # default is 8080
rtmp-port = 1935; # remember to punch a TCP hole in the NAT
#listen = "0.0.0.0"; # default is "127.0.0.1"
openFirewall = true; # the rtmp port, and the http port if listen != "127.0.0.1"
};
services.nginx.virtualHosts.${mkDomain "owncast"} = lib.mkIf config.services.owncast.enable {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.owncast.port}";
proxyWebsockets = true;
};
};
# Cryptpad
# A collaborative office suite that is end-to-end encrypted and open-source.
services.cryptpad = {
#enable = true; # current node version used is marked insecure
# reference: https://github.com/xwiki-labs/cryptpad/blob/main/config/config.example.js
configFile = toFile "cryptpad-config.js" ''
module.exports = {
httpUnsafeOrigin: 'http://localhost:3457',
httpSafeOrigin: 'https://${mkDomain "cryptpad"}',
httpAddress: '127.0.0.1',
httpPort: 3457,
//adminKeys: [ // can be found on the settings page for registered users
// "[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]",
//],
// storage
//inactiveTime: 90, // days
//archiveRetentionTime: 15, // days
//accountRetentionTime: 365, // days, default is never
//maxUploadSize: 20 * 1024 * 1024, // bytes
//premiumUploadSize: 100 * 1024 * 1024, // bytes, (users with a plan in their customLimit)
filePath: './datastore/',
archivePath: './data/archive', // recovery in the event of accidental deletion
pinPath: './data/pins', // content stored indefinetly
taskPath: './data/tasks', // scheduled tasks
blockPath: './block', // users' authenticated blocks
blobPath: './blob', // uploaded encrypted blobs
blobStagingPath: './data/blobstage', // incomplete blobs
decreePath: './data/decrees', // undocumented
logPath: false, // logging of events, may be set to false
logToStdout: true,
logLevel: 'info', // silly, verbose, debug, feedback, info, warn, error
logFeedback: false, // data collection
verbose: false, // logging
installMethod: 'nixpkgs', // telemetry for devs
};
'';
};
services.nginx.virtualHosts.${mkDomain "cryptpad"} = lib.mkIf config.services.cryptpad.enable {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/" = {
proxyPass = "http://127.0.0.1:3457";
proxyWebsockets = true;
};
};
# Jellyfin
services.jellyfin = {
enable = true; # don't enable unless you intend to first-time-setup the admin user
# from https://jellyfin.org/docs/general/networking/index.html:
# - 8096/tcp is used by default for HTTP traffic. You can change this in the dashboard.
# - 8920/tcp is used by default for HTTPS traffic. You can change this in the dashboard.
# - 1900/udp is used for service auto-discovery. This is not configurable.
# - 7359/udp is also used for auto-discovery. This is not configurable.
openFirewall = false; # I do it manually below:
# TODO: configure initial collections and extensions
};
# firewall
networking.firewall = lib.mkIf config.service.jellyfin.enable {
# TODO: does this overwrite rules set by other stuff? should i use ++ ?
#allowedTCPPorts = [ 8096 8920 ];
allowedUDPPorts = [ 1900 7359 ]; # TODO: Only if behind a NAT?
};
services.nginx.virtualHosts.${mkDomain "jellyfin"} = lib.mkIf config.services.jellyfin.enable {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/" = {
proxyPass = "http://127.0.0.1:8096";
proxyWebsockets = true;
};
};
# Hardware acceleration
nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
};
hardware.opengl = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver
vaapiIntel
vaapiVdpau
libvdpau-va-gl
];
};
# Allow Jellyfin access to VAAPI
users.users.${config.services.jellyfin.user}.extraGroups = [ "video" "render" ];
systemd.services.jellyfin.serviceConfig.PrivateDevices = lib.mkForce false;
systemd.services.jellyfin.serviceConfig.DeviceAllow = lib.mkForce [ "/dev/dri/renderD128" ];
# Navidrome
# Music Server and Streamer compatible with Subsonic/Airsonic
services.navidrome = {
enable = true;
settings = {
# default hostname:port = "127.0.0.1:4533"
MusicFolder = "/mnt/reidun/Music/Albums";
#MusicFolder = pkgs.linkFarm "navidrome-music-library" [
# { name = "Albums"; path = "/mnt/reidun/Music/Albums"; }
# { name = "OST"; path = "/mnt/reidun/Music/OST"; }
# { name = "dojin.co"; path = "/mnt/reidun/Music/dojin.co"; }
# { name = "Touhou"; path = "/mnt/reidun/Music/Touhou"; }
# { name = "Kancolle"; path = "/mnt/reidun/Music/Kancolle"; }
# { name = "Vocaloid"; path = "/mnt/reidun/Music/Vocaloid"; }
#];
UIWelcomeMessage = "Spis meg";
DefaultTheme = "Spotify-ish";
};
};
services.nginx.virtualHosts.${mkDomain "navidrome"} = lib.mkIf config.services.navidrome.enable {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/" = {
proxyPass = "http://127.0.0.1:4533";
proxyWebsockets = true;
};
};
# Polaris
# Self-host your music collection, and access it from any computer and mobile device
services.polaris = {
enable = true;
#user = "pbsds";
#group = "users";
port = 7890;
package = pkgs.unstable.polaris; # instead of my overlay, TODO: move that overlay here
settings = {
settings.reindex_every_n_seconds = 7*24*60*60; # weekly, default is 1800, i.e. hourly
settings.album_art_pattern =
"([Cc]over|COVER|[Ff]older|FOLDER|[Ff]ront|FRONT)\.(jpeg|JPEG|jpg|JPG|png|PNG|bmp|BMP|gif|GIF)";
#"(?i)(cover|folder|front)\.(jpeg|jpg|png|bmp|gif)";
mount_dirs = [
{ source = "/mnt/reidun/Music/Albums"; name = "Albums"; }
{ source = "/mnt/reidun/Music/dojin.co"; name = "dojin.co"; }
{ source = "/mnt/reidun/Music/Vocaloid"; name = "Vocaloid"; }
{ source = "/mnt/reidun/Music/Touhou"; name = "Touhou"; }
{ source = "/mnt/reidun/Music/OST"; name = "OST"; }
{ source = "/mnt/reidun/Music/Kancolle"; name = "Kancolle"; }
{ source = "/mnt/reidun/Downloads/music"; name = "Downloads"; }
];
};
};
services.nginx.virtualHosts.${mkDomain "polaris"} = lib.mkIf config.services.polaris.enable {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.polaris.port}";
proxyWebsockets = true;
};
};
# Hydra
# Nix-based continuous build system
# https://github.com/NixOS/hydra
# https://nixos.wiki/wiki/Hydra
# sudo -u hydra hydra-create-user 'admin' --full-name '<NAME>' --email-address '<EMAIL>' --password-prompt --role admin
# https://blog.matejc.com/blogs/myblog/nixos-hydra-nginx
services.hydra = {
enable = true;
hydraURL = "https://${mkDomain "hydra"}";
#smtpHost = ;
listenHost = "localhost";
port = 4758;
notificationSender = "hydra@${domain}"; # Sender email address used for email notifications.
#buildMachinesFiles = [];
#useSubstitutes = true;
#debugServer = true;
#logo = /some/path.png;
#minimumDiskFree = 0; # Minimum disk space (GiB) determining if queue runner runs or not.
#minimumDiskFreeEvaluator = 0; # Minimum disk space (GiB) determining if evaluator runs or not.
};
services.nginx.virtualHosts.${mkDomain "hydra"} = lib.mkIf config.services.hydra.enable {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.hydra.port}";
proxyWebsockets = true;
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
add_header Front-End-Https on;
'';
};
};
# Sourcegraph
# Understand, fix, and automate across your codebase with this code intelligence platform
/** /
# First user regitration becomes admin
# data can be destryoed with `nixos-container destroy sourcegraph`
virtualisation.oci-containers.containers."sourcegraph" = {
autoStart = true;
#image = "sourcegraph/server:3.41.0";
#image = "sourcegraph/server:latest";
image = "sourcegraph/server:insiders";
environment = {};
ports = [
"127.0.0.1:7080:7080/tcp" # webui?
"127.0.0.1:3370:3370/tcp" # admin? (graphana and stuff)
];
volumes = [
"/var/lib/sourcegraph/config:/etc/sourcegraph"
"/var/lib/sourcegraph/data:/var/opt/sourcegraph"
];
};
systemd.services."create-sourcegraph-volume-dirs" = {
wantedBy = [ "${config.virtualisation.oci-containers.backend}-sourcegraph.service" ];
serviceConfig.Type = "oneshot";
script = ''
mkdir -p /var/lib/sourcegraph/config
mkdir -p /var/lib/sourcegraph/data
'';
};
services.nginx.virtualHosts.${mkDomain "sourcegraph"}
= lib.mkIf config.virtualisation.oci-containers.containers."sourcegraph".autoStart {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/" = {
proxyPass = "http://127.0.0.1:7080";
proxyWebsockets = true;
};
#locations."/graphana/" = {
# proxyPass = "http://127.0.0.1:3370";
# proxyWebsockets = true;
#};
};
/**/
# Shlink
# URL shortener with REST API and command line interface
# manage with https://app.shlink.io/
# TODO: self-host shlink web client? https://shlink.io/documentation/shlink-web-client/
/** /
# data can be destryoed with `nixos-container destroy shlink`
virtualisation.oci-containers.containers."shlink" = {
autoStart = true;
image = "shlinkio/shlink:stable";
# https://shlink.io/documentation/install-docker-image/
environment = {
"DEFAULT_DOMAIN" = mkDomain "shlink";
"IS_HTTPS_ENABLED" = "true";
"TIMEZONE" = "Europe/Oslo";
#"GEOLITE_LICENSE_KEY" = ; # https://shlink.io/documentation/geolite-license-key/
# TODO: use postgres? default is sqlite3?
};
ports = [
"127.0.0.1:5757:8080/tcp" # webui
];
volumes = [
"/var/lib/shlink/database.sqlite:/etc/shlink/data/database.sqlite"
# TODO: where is the sqlite file?
];
};
systemd.services."create-shlink-volume-dirs" = {
wantedBy = [ "${config.virtualisation.oci-containers.backend}-shlink.service" ];
serviceConfig.Type = "oneshot";
script = ''
mkdir -p /var/lib/shlink
touch /var/lib/shlink/database.sqlite
'';
};
services.nginx.virtualHosts.${mkDomain "shlink"}
= lib.mkIf config.virtualisation.oci-containers.containers."shlink".autoStart {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/" = {
proxyPass = "http://127.0.0.1:5757";
proxyWebsockets = true;
};
};
programs.bash.shellAliases = {
shlink = "docker exec -it shlink shlink";
};
/**/
# Resilio Sync
# Automatically sync files via secure, distributed technology
services.resilio = {
#enable = true;
#downloadLimit = 0;
#uploadLimit = 0;
#directoryRoot = "/media" # Default directory to add folders in the web UI.
#storagePath = "/var/lib/resilio-sync/"; # Where BitTorrent Sync will store it's database files
httpLogin = "";
httpPass = "";
deviceName = "${config.networking.hostName}";
#apiKey = ; # API key, which enables the developer API.
#httpListenPort = 9000;
#httpListenAddr = "[::1]";
enableWebUI = false; # default is false
};
services.nginx.virtualHosts.${mkDomain "resilio"} = let
cfg = config.services.resilio;
in lib.mkIf (cfg.enable && cfg.enableWebUI) {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/" = {
proxyPass = "http://127.0.0.1:${cfg.httpListenPort}";
proxyWebsockets = true;
};
};
# Webhook
# incoming webhook server that executes shell commands
/**/
services.webhook = {
enable = true;
#listenHost = "0.0.0.0"; # default is "127.0.0.1"
listenPort = 7777; # default is 8080
urlPrefix = "spismeg"; # default is "hooks"
#httpMethods = [ "GET" "POST" ]; # default is [ "POST" ]
settings = [
{
id = "webhook-id";
execute-command = pkgs.writeShellScript "webhook-handler.sh" ''
echo foobar;
'';
}
];
};
services.nginx.virtualHosts.${mkDomain "webhook"} = lib.mkIf config.services.webhook.enable {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.webhook.listenPort}";
proxyWebsockets = true;
};
};
/**/
# Gitea
# Git with a cup of tea
services.gitea = rec {
enable = true;
disableRegistration = true; # disable after initial deploy
#https://docs.gitea.io/en-us/config-cheat-sheet/
#settings = {
# "cron.sync_external_users" = {
# RUN_AT_START = true;
# SCHEDULE = "@every 24h";
# UPDATE_EXISTING = true;
# };
# mailer = {
# ENABLED = true;
# MAILER_TYPE = "sendmail";
# FROM = "do-not-reply@example.org";
# SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail";
# };
# other = {
# SHOW_FOOTER_VERSION = false;
# };
#};
#appName = "gitea: spis meg";
appName = "gitea: private instance";
domain = mkDomain "gitea";
#ssh.enable # default is true
rootUrl = "https://${domain}/";
#ssh.clonePort # default is 22
#log.level = "Debug"; # default is "Info"
#lfs.enable = true; # default is false
httpPort = 9675; # default is 3000
httpAddress = "127.0.0.1"; # default is "0.0.0.0"
#extraConfig
#database.type # default is "sqlite3"
cookieSecure = true; # default is false, only send cookies over https
#stateDir # default is "/var/lib/gitea"
#mailerPasswordFile # Path to a file containing the SMTP password
#repositoryRoot # default is "${config.services.gitea.stateDir}/repositories"
#log.rootPath # TODO: move?
#lfs.contentDir
#dump.enable # default is false
staticRootPath = pkgs.symlinkJoin {
name = "gitea-static-root-data";
paths = let
giteaModern = pkgs.fetchFromGitea { # https://codeberg.org/Freeplay/Gitea-Modern
domain = "codeberg.org";
owner = "Freeplay";
repo = "Gitea-Modern";
rev = "0c0a05e6f0496521c166402dd56441a714487fd8";
sha256 = "q14E5ni2BvpGsmGOHWQgbCqD4lBh4bFtBFtIyNfAf0Q=";
};
giteaEarlGray = pkgs.fetchFromGitHub { # https://github.com/acoolstraw/earl-grey
owner = "acoolstraw";
repo = "earl-grey";
rev = "a6ca3dd3b9e6b48f6e45032b2aa691c2f16dc9bc";
sha256 = "55Piafc7kQ5hybwHQczx36AP+kX1AtWugxERYNdmqWk=";
};
in [
config.services.gitea.package.data
(pkgs.linkFarm "gitea-custom-dir" [
{ name = "public/css/theme-gitea-modern.css"; path = "${giteaModern}/Gitea/theme-gitea-modern.css"; }
{ name = "public/css/theme-earl-grey.css"; path = "${giteaEarlGray}/theme-earl-grey.css"; }
])
];
};
settings = {
# https://docs.gitea.io/en-us/config-cheat-sheet/
ui.THEMES = "gitea,arc-green,earl-grey,gitea-modern";
ui.DEFAULT_THEME = "earl-grey";
};
};
services.nginx.virtualHosts.${mkDomain "gitea"} = lib.mkIf config.services.gitea.enable {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.gitea.httpPort}";
proxyWebsockets = true;
};
};
# TODO: mailcatcher
# TODO: configure stuff to send its shit here
# ntopng
# High-speed web-based traffic analysis and flow collection tool
# WARNING: default username and password is admin:admin
services.ntopng = {
enable = true; # also enables redis for persistent data storage
httpPort = 3987; # HTTP port of embedded web server
#interfaces = [ "any" ];
#extraConfig = ";
#redis.address = "";
#redis.createInstance = "ntopng";
};
services.nginx.virtualHosts.${mkDomain "ntopng"} = lib.mkIf config.services.ntopng.enable {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.ntopng.httpPort}";
proxyWebsockets = true;
};
};
# TODO: kukkee or rallly
# https://noted.lol/2-self-hosted-alternatives-to-doodle-meeting-scheduling/
#https://rallly.co/
# Kukkee
# Self-hosted Doodle alternative: a meeting poll tool
/** /
services.kukkee = {
#enable = true;
port = 5666;
baseUrl = "https://${mkDomain "kukkee"}";
#mongodb.enable = false;
};
services.nginx.virtualHosts.${mkDomain "kukkee"} = lib.mkIf config.services.kukkee.enable {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.kukkee.port}";
proxyWebsockets = true;
};
};
/**/
# Nitter
# Alternative Twitter front-end
services.nitter = {
enable = true;
package = pkgs.unstable.nitter;
#openFirewall
#config.base64Media = false; # Use base64 encoding for proxied media URLs.
server.title = "Pjitter";
server.address = "127.0.0.1";
server.hostname = mkDomain "nitter";
server.https = true; # Secure cookies
server.port = 4965;
#preferences.autoplayGifs = ; # default is true
#preferences.bidiSupport = ; # Support bidirectional text (makes clicking on tweets harder). default is false
#preferences.hideBanner = ; # Hide profile banner. default is false
#preferences.hidePins = ; # Hide pinned tweets. default is false
#preferences.hideReplies = ; # Hide tweet replies. default is false
#preferences.hideTweetStats = ; # Hide tweet stats (replies, retweets, likes). default is false
preferences.hlsPlayback = true; # Enable HLS video streaming (requires JavaScript). default is false
preferences.infiniteScroll = true; # Infinite scrolling (requires JavaScript, experimental!). default is false
#preferences.mp4Playback = ; # Enable MP4 video playback. default is true
#preferences.muteVideos = ; # Mute videos by default. default is false
#preferences.proxyVideos = ; # Proxy video streaming through the server (might be slow). default is true
preferences.replaceInstagram = "bibliogram.art"; # Replace Instagram links with links to this instance (blank to disable). default is ""
preferences.replaceTwitter = mkDomain "nitter"; # Replace Twitter links with links to this instance (blank to disable). default is ""
preferences.replaceYouTube = lib.mkIf config.services.invidious.enable (mkDomain "invidious"); # Replace YouTube links with links to this instance (blank to disable). default is ""
settings = lib.mkIf config.services.libreddit.enable {
Preferences.replaceReddit = (mkDomain "libreddit"); # Replace Reddit links with links to this instance (blank to disable). default is ""
};
#preferences.stickyProfile = ; # Make profile sidebar stick to top. default is true
preferences.theme = "Twitter Dark"; # Instance theme. default is "Nitter"
};
services.nginx.virtualHosts.${mkDomain "nitter"} = lib.mkIf config.services.nitter.enable {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.nitter.server.port}";
proxyWebsockets = true;
};
};
# Invidious
# An open source alternative front-end to YouTube
services.invidious = {
enable = true;
domain = mkDomain "invidious";
port = 4765;
settings = {
host_binding = "127.0.0.1";
external_port = 443;
https_only = true;
statistics_enabled = false; # api endpoint required for public instances
registration_enabled = false;
login_enabled = false;
#admins = ["pbsds"];
banner = "spis meg";
default_user_preferences = {
#feed_menu = ["Popular", "Trending", "Subscriptions", "Playlists"]
feed_menu = ["Trending" "Subscriptions" "Playlists"];
default_home = "Trending";
};
};
};
services.nginx.virtualHosts.${mkDomain "invidious"} = lib.mkIf config.services.invidious.enable {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.invidious.port}";
proxyWebsockets = true;
};
};
# Libreddit
# Private front-end for Reddit
services.libreddit = {
enable = true;
address = "127.0.0.1";
port = 4876;
};
systemd.services.libreddit.environment = lib.mkIf config.services.libreddit.enable {
# https://github.com/spikecodes/libreddit#change-default-settings=
# TODO: merge my module addition
LIBREDDIT_DEFAULT_THEME = "gold";
};
services.nginx.virtualHosts.${mkDomain "libreddit"} = lib.mkIf config.services.libreddit.enable {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.libreddit.port}";
proxyWebsockets = true;
};
};
# paperless-ngx
# A supercharged version of paperless: scan, index, and archive all of your physical documents
services.paperless = {
enable = true;
#package = pkgs.paperless-ngx;
#port = 28981;
#address = "localhost";
#passwordfile = null; # file contining the superuser 'admin' password, optionally set with `${datadir}/paperless-manage createsuperuser`
#datadir = "/var/lib/paperless";
#mediadir = "${datadir}/media";
#consumptiondir = "${datadir}/consume"; # Directory from which new documents are imported. (TODO: zotero)
#extraconfig = {};
#consumptiondirispublic = false; # Whether all users can write to the consumption dir
};
services.nginx.virtualHosts.${mkDomain "paperless"} = lib.mkIf config.services.paperless.enable {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.paperless.port}";
proxyWebsockets = true;
};
};
# Netdata
# Real-time performance monitoring tool
services.netdata = {
enable = true;
#python.enable = false; # default is true
#python.extraPackages = ps: [];
#config = { # https://github.com/netdata/netdata/blob/master/daemon/config/README.md
# hostname = "";
# port = 19999;
#};
#configDir = {};
#extraPluginPaths = [];
};
services.nginx.virtualHosts.${mkDomain "netdata"} = lib.mkIf config.services.netdata.enable {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/" = {
proxyPass = "http://127.0.0.1:19999";
proxyWebsockets = true;
};
};
# upterm
# Secure terminal-session sharing
services.uptermd = {
enable = false;
openFirewall = true;
#listenAddress # default is "[::]";
#port = 2222; # default is 2222, uses ssh
#extraFlags
#hostKey = null;
};
# thelunge
# The self-hosted Web IRC client
services.thelounge = {
# configure user accounts by using the 'thelounge' command, or by adding entries to /var/lib/thelounge/users
enable = true;
public = false;
port = 5876;
# theLoungePlugins.themes is view of nodePackages_latest.thelounge-theme-*
# theLoungePlugins.plugins is view of nodePackages_latest.thelounge-plugin-*
plugins = with pkgs.theLoungePlugins;
(with lib; attrValues (filterAttrs (name: _: name != "recurseForDerivations") themes))
++ [
#plugins.giphy
#plugins.shortcuts
plugins.closepms
];
extraConfig.theme = "One Dark";
extraConfig.fileUpload.enable = true;
extraConfig.fileUpload.baseUrl = "${mkDomain "thelounge"}";
};
services.nginx.virtualHosts.${mkDomain "thelounge"} = lib.mkIf config.services.thelounge.enable {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.thelounge.port}";
proxyWebsockets = true;
};
};
# Convos
# The simplest way to use IRC in your browser
services.convos = {
enable = false; # user registration is borken. new major version (7) in unstable.
reverseProxy = true;
listenAddress = "127.0.0.1";
listenPort = 44649;
};
services.nginx.virtualHosts.${mkDomain "convos"} = lib.mkIf config.services.convos.enable {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.convos.listenPort}";
proxyWebsockets = true;
extraConfig = ''
#proxy_redirect off;
client_max_body_size 0;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Request-Base "$scheme://$host/";
#proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header REMOTE-HOST $remote_addr;
'';
};
};
# Roundcube
# Open Source Webmail Software
services.roundcube = {
enable = true;
hostName = mkDomain "roundcube";
plugins = [
"archive"
"zipdownload"
"managesieve"
];
extraConfig = ''
$config['product_name'] = 'Spis meg';
$config['skin_logo'] = [
#'elastic:login' => 'https://links.pbsds.net/img/piuy_render.png',
#'elastic:*[small]' => 'https://links.pbsds.net/img/piuy_render.png',
'elastic:*' => 'https://links.pbsds.net/img/piuy_render.png',
#'elastic:*' => 'https://links.pbsds.net/img/nox.png',
];
#$config['blankpage_url'] = '/something.html' # TODO <-
$config['default_host'] = [
'tls://imap.fyrkat.no' => 'Fyrkat',
'tls://imap.pvv.ntnu.no' => 'PVV',
'tls://imap.nvg.ntnu.no' => 'NVG',
];
$config['smtp_server'] = [
'imap.fyrkat.no' => 'tls://smtp.fyrkat.no',
'imap.pvv.ntnu.no' => 'tls://smtp.pvv.ntnu.no',
'imap.nvg.ntnu.no' => 'tls://smtp.nvg.ntnu.no',
];
# plugins/managesieve/config.inc.php.dist
$config['managesieve_host'] = 'tls://%h';
'';
};
services.nginx.virtualHosts.${mkDomain "roundcube"} = lib.mkIf config.services.roundcube.enable {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/skins/elastic/images/logo.svg" = {
#alias = "/path/to/file";
#return = "302 https://links.pbsds.net/img/piuy_render.png";
return = "302 https://links.pbsds.net/img/nox.png";
};
};
# Galene
# Videoconferencing server that is easy to deploy, written in Go
services.galene = {
#enable = true;
insecure = true; # reverse proxy instead, but can i feed it the acme cert?
httpAddress = "127.0.0.1";
httpPort = 3975;
};
services.nginx.virtualHosts.${mkDomain "galene"} = lib.mkIf config.services.galene.enable {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.galene.httpPort}";
proxyWebsockets = true;
};
};
#networking.firewall = lib.mkIf config.service.jellyfin.enable {
# allowedTCPPorts = [ 1194 ];
# allowedUDPPorts = [ 1194 ]; # TODO: Only if behind a NAT?
#};
# Jitsi meet
services.jitsi-meet = {
#enable = true;
hostName = mkDomain "jitsi-meet";
config = {
# https://github.com/jitsi/jitsi-meet/blob/master/config.js
#enableWelcomePage = false;
defaultLang = "nb";
};
interfaceConfig = {
# https://github.com/jitsi/jitsi-meet/blob/master/interface_config.js"
APP_NAME = "Spis meg";
# SHOW_JITSI_WATERMARK = false;
# SHOW_WATERMARK_FOR_GUESTS = false;
};
jibri.enable = false; # record in a headless chrome instance
nginx.enable = true; # force ssl, acme, lots of routing rules
};
# Rocketchat
# A self-hosted discord/slack alternative
# TODO, docker exists, but no nixos module
# Mattermost
# Open-source, self-hosted Slack-alternative
services.mattermost = {
enable = true;
# will create and use a psql db
listenAddress = "[::1]:8065";
siteName = "Spis meg";
siteUrl = "https://${mkDomain "mattermost"}";
#mutableConfig = true; # default is false, if true, see also "preferNixConfig"
extraConfig = {
# https://docs.mattermost.com/configure/configuration-settings.html#reporting
# TODO: smtp
};
matterircd = {
#enable = true; # default is false
parameters = [
"-mmserver chat.example.com"
"-bind [::]:6667"
];
};
};
services.nginx.virtualHosts.${mkDomain "mattermost"} = lib.mkIf config.services.mattermost.enable {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/" = {
proxyPass = "http://${config.services.mattermost.listenAddress}";
proxyWebsockets = true;
};
};
# hedgedoc
# Realtime collaborative markdown notes on all platforms
services.hedgedoc = {
#enable = true; # FIXME: make it load
configuration.host = "127.0.0.1";
configuration.port = 44776;
configuration.db.dialect = "sqlite";
configuration.db.storage = "${config.services.hedgedoc.workDir}/db.hedgedoc.sqlite";
configuration.domain = mkDomain "hedgedoc";
configuration.allowAnonymous = true;
configuration.allowEmailRegister = false; # default is true
configuration.allowAnonymousEdits = false; # default is false
configuration.protocolUseSSL = true; # https prefix
configuration.useSSL = false; # nginx terminates ssl
#configuration.csp = {TODO}; # content security policy
#configuration.useCDN = true;
#configuration.debug = true;
# there are also a metric fuckton of integration services, like github, twitter, minio, mattermost, dropbox etc.
# there are also auth options, like ldap, saml and oauth2
};
services.nginx.virtualHosts.${mkDomain "hedgedoc"} = lib.mkIf config.services.hedgedoc.enable {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.configuration.port}";
proxyWebsockets = true;
# TODO: proxy headers:
# https://docs.hedgedoc.org/guides/reverse-proxy/
};
};
# Cinny
# Yet another Matrix client for the web
services.nginx.virtualHosts.${mkDomain "cinny"} = {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
root = pkgs.unstable.cinny.override {
conf = {
defaultHomeserver = 0;
homeserverList = [
"pvv.ntnu.no"
"matrix.org"
"dodsorf.as"
];
};
};
};
# Element-web
# A glossy Matrix collaboration client for the web
services.nginx.virtualHosts.${mkDomain "element"} = {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
root = pkgs.element-web.override {
conf = {
# https://github.com/vector-im/element-web/blob/develop/docs/config.md
# https://github.com/vector-im/element-web/blob/develop/config.sample.json
# https://github.com/vector-im/element-web/blob/develop/docs/labs.md
brand = "spis meg";
default_country_code = "NO";
default_server_config."m.homeserver" = {
server_name = "pvv.ntnu.no";
base_url = "https://matrix.pvv.ntnu.no";
};
roomDirectory.servers = [
"pvv.ntnu.no"
"matrix.org"
"nixos.org"
"agdersam.no"
"trygve.me"
"utwente.io"
];
disable_guests = true;
showLabsSettings = true;
features.feature_pinning = "labs";
features.feature_custom_status = "labs";
features.feature_custom_tags = "labs";
features.feature_state_counters = "labs";
features.feature_latex_maths = "labs";
setting_defaults.breadcrumbs = true;
UIFeature.urlPreviews = true;
UIFeature.shareQrCode = true;
UIFeature.registration = false;
};
};
};
# vaultwarden
# Unofficial Bitwarden compatible server written in Rust
services.vaultwarden = {
enable = true;
config = {
# https://github.com/dani-garcia/vaultwarden/blob/1.24.0/.env.template
# camelCase is converted to UPPER_SNAKE_CASE
domain = "https://${mkDomain "vaultwarden"}"; # port is supported
signupsAllowed = false;
# rocket is the http library
rocketAddress = "127.0.0.1";
rocketPort = 8222;
#rocketWorkers = 10;
rocketLog = "critical";
};
#dbBackend = "sqlite";
# backupDir = ""; # TODO
};
services.nginx.virtualHosts.${mkDomain "vaultwarden"} = lib.mkIf config.services.vaultwarden.enable {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}";
proxyWebsockets = true;
};
};
# matrix-synapse
/** /
services.matrix-synapse = {
enable = true;
settings = {
server_name = "pbsds.net"
public_baseurl = mkDomain "matrix";
url_preview_enabled = false;
max_upload_size = "100M";
trusted_key_servers = [
{server_name = "matrix.org";}
{server_name = "dodsorf.as";}
{server_name = "pvv.ntnu.no";}
];
listeners = [
{
bind_addresses = [
"127.0.0.1"
];
port = 8008;
resources = [
{
compress = true;
names = [
"client"
];
}
{
compress = false;
names = [
"federation"
];
}
];
tls = false;
type = "http";
x_forwarded = true;
}
];
};
};
services.nginx.virtualHosts.${mkDomain "matrix"} = lib.mkIf config.services.matrix-synapse.enable {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/_matrix" = {
proxyPass = "http://127.0.0.1:${toString (builtins.elemAt 0 config.services.matrix-synaps.listeners).port}";
#proxyWebsockets = true;
extraConfig = ''
client_max_body_size ${config.services.matrix-synaps.max_upload_size};
'';
};
locations."/_synapse/client" = {
proxyPass = "http://127.0.0.1:${toString (builtins.elemAt 0 config.services.matrix-synaps.listeners).port}/_synapse/client";
#proxyWebsockets = true;
};
};
/**/
}