_module.args bad

Peder Bergebakken Sundt 2025-03-20 13:30:55 +01:00
parent efb5d45317
commit da3f97b80d
47 changed files with 288 additions and 148 deletions

@ -1,111 +1,119 @@
{ config, pkgs, lib, ... }:
let
mkDomain = subname: "${subname}.${config.networking.fqdn}";
inherit (config.pbsds.nginx) mkDomain allSubdomains;
in
{
# TODO: make these into nixos options with readonly=true
_module.args.mkDomain = mkDomain;
_module.args.allSubdomains = lib.pipe config.services.nginx.virtualHosts [
#(lib.mapAttrsToList (domain: vhost: [ domain ] ++ vhost.serverAliases))
(lib.mapAttrsToList (domain: vhost: [ domain ]))
lib.flatten
(builtins.filter (domain: domain != "" && domain != "_"))
(lib.sort (x: y: x<y))
];
security.acme.acceptTerms = true;
security.acme.defaults.email = "pbsds+acme@hotmail.com"; # TODO: parametrize per host
#security.acme.defaults.renewInterval = "daily";
#security.acme.defaults.reloadServices
# https://www.xf.is/2020/06/30/list-of-free-acme-ssl-providers/
#security.acme.defaults.server = "https://acme-v02.api.letsencrypt.org/directory" # default
#security.acme.defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; # STAGING
#security.acme.defaults.server = "https://api.buypass.com/acme/directory"; # no wildcards, rate limit: 20 domains/week, 5 duplicate certs / week
#security.acme.defaults.server = "https://api.test4.buypass.no/acme/directory"; # STAGING. no wildcards, rate limit: 20 domains/week, 5 duplicate certs / week
# DNS-based ACME:
# - https://go-acme.github.io/lego/dns/domeneshop/
# - https://nixos.org/manual/nixos/stable/index.html#module-security-acme-config-dns-with-vhosts
#security.acme.defaults.dnsProvider = "domeneshop";
#security.acme.defaults.credentialsFile = "/var/lib/secrets/domeneshop.key"; # TODO: this file must be made by hand, containing env variables.
services.nginx.enable = true;
networking.firewall.allowedTCPPorts = [ 80 443 ];
# TODO:
#services.nginx.commonHttpConfig = ''
# proxy_hide_header X-Frame-Options;
#'';
# TODO: Somehow distribute and add this to all location."/".extraConfig
#default = {
# #useACMEHost = config.networking.fqdn;
# forceSSL = true; # addSSL = true;
# enableACME = true; #useACMEHost = acmeDomain;
#}
# TODO: Somehow distribute and add this to all location."/".extraConfig
#commonProxySettings = ''
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Forwarded-Host $host;
# proxy_set_header X-Forwarded-Server $host;
#'';
services.nginx.recommendedGzipSettings = true;
services.nginx.recommendedOptimisation = true;
services.nginx.recommendedProxySettings = true;
services.nginx.recommendedTlsSettings = true;
# nginx return 444 for all nonexistent virtualhosts
services.nginx.virtualHosts."_" = {
addSSL = true;
sslCertificate = "${pkgs.path}/nixos/tests/common/acme/server/acme.test.cert.pem";
sslCertificateKey = "${pkgs.path}/nixos/tests/common/acme/server/acme.test.key.pem";
extraConfig = "return 444;";
options.pbsds.nginx.mkDomain = lib.mkOption {
visible = false; internal = true; readOnly = true;
default = subname: "${subname}.${config.networking.fqdn}";
};
/** /
services.nginx.virtualHosts."" = {
default = true;
forceSSL = false;
enableACME = false;
root = pkgs.writeTextDir "index.html" ''
<!DOCTYPE html>
no
'';
};
/**/
# Website tunnel
# TODO: remove
/** /
services.nginx.virtualHosts.${config.networking.fqdn} = {
forceSSL = true; # addSSL = true;
enableACME = true;
#acmeRoot = null; # use DNS
default = true;
serverAliases = map mkDomain [
"www"
#"*" # requires DNS ACME
options.pbsds.nginx.allSubdomains = lib.mkOption {
visible = false; internal = true; readOnly = true;
default = lib.pipe config.services.nginx.virtualHosts [
#(lib.mapAttrsToList (domain: vhost: [ domain ] ++ vhost.serverAliases))
(lib.mapAttrsToList (domain: vhost: [ domain ]))
lib.flatten
(builtins.filter (domain: domain != "" && domain != "_"))
(lib.sort (x: y: x<y))
];
# The alternative to ^ is: config.security.acme.certs."${acmeDomain}".extraDomainNames = [ (mkDomain "foo") ];
# TODO: 'nox' alias for everything
locations."/" = {
proxyPass = "http://pbuntu.pbsds.net";
proxyWebsockets = true;
};
};
#services.nginx.virtualHosts.${mkDomain "www"} = {
# addSSL = true;
# useACMEHost = acmeDomain; #enableACME = true;
# locations."/" = {
# proxyPass = "http://pbuntu.pbsds.net";
# proxyWebsockets = true;
# };
#};
/**/
config = {
security.acme.acceptTerms = true;
security.acme.defaults.email = "pbsds+acme@hotmail.com"; # TODO: parametrize per host
#security.acme.defaults.renewInterval = "daily";
#security.acme.defaults.reloadServices
# https://www.xf.is/2020/06/30/list-of-free-acme-ssl-providers/
#security.acme.defaults.server = "https://acme-v02.api.letsencrypt.org/directory" # default
#security.acme.defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; # STAGING
#security.acme.defaults.server = "https://api.buypass.com/acme/directory"; # no wildcards, rate limit: 20 domains/week, 5 duplicate certs / week
#security.acme.defaults.server = "https://api.test4.buypass.no/acme/directory"; # STAGING. no wildcards, rate limit: 20 domains/week, 5 duplicate certs / week
# DNS-based ACME:
# - https://go-acme.github.io/lego/dns/domeneshop/
# - https://nixos.org/manual/nixos/stable/index.html#module-security-acme-config-dns-with-vhosts
#security.acme.defaults.dnsProvider = "domeneshop";
#security.acme.defaults.credentialsFile = "/var/lib/secrets/domeneshop.key"; # TODO: this file must be made by hand, containing env variables.
services.nginx.enable = true;
networking.firewall.allowedTCPPorts = [ 80 443 ];
# TODO:
#services.nginx.commonHttpConfig = ''
# proxy_hide_header X-Frame-Options;
#'';
# TODO: Somehow distribute and add this to all location."/".extraConfig
#default = {
# #useACMEHost = config.networking.fqdn;
# forceSSL = true; # addSSL = true;
# enableACME = true; #useACMEHost = acmeDomain;
#}
# TODO: Somehow distribute and add this to all location."/".extraConfig
#commonProxySettings = ''
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Forwarded-Host $host;
# proxy_set_header X-Forwarded-Server $host;
#'';
services.nginx.recommendedGzipSettings = true;
services.nginx.recommendedOptimisation = true;
services.nginx.recommendedProxySettings = true;
services.nginx.recommendedTlsSettings = true;
# nginx return 444 for all nonexistent virtualhosts
services.nginx.virtualHosts."_" = {
addSSL = true;
sslCertificate = "${pkgs.path}/nixos/tests/common/acme/server/acme.test.cert.pem";
sslCertificateKey = "${pkgs.path}/nixos/tests/common/acme/server/acme.test.key.pem";
extraConfig = "return 444;";
};
/** /
services.nginx.virtualHosts."" = {
default = true;
forceSSL = false;
enableACME = false;
root = pkgs.writeTextDir "index.html" ''
<!DOCTYPE html>
no
'';
};
/**/
# Website tunnel
# TODO: remove
/** /
services.nginx.virtualHosts.${config.networking.fqdn} = {
forceSSL = true; # addSSL = true;
enableACME = true;
#acmeRoot = null; # use DNS
default = true;
serverAliases = map mkDomain [
"www"
#"*" # requires DNS ACME
];
# The alternative to ^ is: config.security.acme.certs."${acmeDomain}".extraDomainNames = [ (mkDomain "foo") ];
# TODO: 'nox' alias for everything
locations."/" = {
proxyPass = "http://pbuntu.pbsds.net";
proxyWebsockets = true;
};
};
#services.nginx.virtualHosts.${mkDomain "www"} = {
# addSSL = true;
# useACMEHost = acmeDomain; #enableACME = true;
# locations."/" = {
# proxyPass = "http://pbuntu.pbsds.net";
# proxyWebsockets = true;
# };
#};
/**/
};
}
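Review bot: The two new declarations `options.pbsds.nginx.mkDomain` and `options.pbsds.nginx.allSubdomains` carry no `type`, so nothing states or checks that the first is a function from a subdomain label to a string and the second a list of strings, which is exactly the contract every module that now does `inherit (config.pbsds.nginx) mkDomain;` depends on. I would add `type = lib.types.functionTo lib.types.str;` to the first and `type = lib.types.listOf lib.types.str;` to the second, and give each a one-line `description` even though they are `internal`, e.g. `description = "Prefix a subdomain label onto networking.fqdn; read-only.";` for mkDomain. The `allSubdomains` default also leaves `serverAliases` out (the `mapAttrsToList` variant that would include them is commented out), which its description should say so consumers of the list do not assume aliases are covered. The per-file `inherit (config.pbsds.nginx) …` hunks below are fine as long as this module is imported wherever those modules are, which I cannot confirm from the page.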

@ -1,6 +1,8 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
cfg = config.services.docs-to-host;
# https://pagefind.app/docs/ui-usage/

@ -1,5 +1,7 @@
{ config, pkgs, lib, mkDomain, allSubdomains, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain allSubdomains;
# TODO: support fully qualified urls as well
# `null` means filter
customDescriptions = rec {

@ -1,4 +1,8 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
# attic - multi-tenant nix binary cache
# https://docs.attic.rs/tutorial.html

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# CensorDodge
# A lightweight and customisable web proxy

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
lib.mkIf pkgs.unstable.cinny.meta.available # no CVE's thank you

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# Convos
# The simplest way to use IRC in your browser

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# Cryptpad

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# Element-web
# A glossy Matrix collaboration client for the web

@ -3,7 +3,7 @@ let
cfg = config.services.flexget;
in
# TODO: run in VM mode if we run transmission in the same VM
# TODO: run in build-vm mode if we run transmission in the same machine
lib.mkIf (!config.virtualisation.isVmVariant)
{

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# Galene
# Videoconferencing server that is easy to deploy, written in Go

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# Gitea
# Git with a cup of tea

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# Graphana
# Gorgeous metric viz, dashboards & editors for Graphite, InfluxDB & OpenTSDB

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# hedgedoc
# Realtime collaborative markdown notes on all platforms

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# home-assistant

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# Hydra
# Nix-based continuous build system

@ -1,4 +1,7 @@
{ config, pkgs, lib, inputs, mkDomain, ... }:
{ config, pkgs, lib, inputs, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# Invidious
# An open source alternative front-end to YouTube

@ -1,4 +1,7 @@
{ config, pkgs, lib, inputs, mkDomain, ... }:
{ config, pkgs, lib, inputs, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
# don't mount if local VM
lib.mkIf (!config.virtualisation.isVmVariant)

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# Jitsi meet

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# Kukkee
# Self-hosted Doodle alternative: a meeting poll tool

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# matrix-synapse
/**/

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# Mattermost
# Open-source, self-hosted Slack-alternative

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
# don't mount if local VM
lib.mkIf (!config.virtualisation.isVmVariant)

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# Netdata
# Real-time performance monitoring tool

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# Nitter
# Alternative Twitter front-end

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# ntopng
# High-speed web-based traffic analysis and flow collection tool

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# OpenSpeedtTest
# Pure HTML5 Network Performance Estimation Tool

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# OwnCast

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# paperless-ngx
# A supercharged version of paperless: scan, index, and archive all of your physical documents

@ -1,4 +1,7 @@
{ config, pkgs, lib, inputs, mkDomain, ... }:
{ config, pkgs, lib, inputs, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
# don't mount if local VM
lib.mkIf (!config.virtualisation.isVmVariant)

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# Polaris
# Self-host your music collection, and access it from any computer and mobile device

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# redlib, previously libreddit
# Private front-end for Reddit

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
# don't mount if local VM
lib.mkIf (!config.virtualisation.isVmVariant)

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# Roundcube
# Open Source Webmail Software

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# Shlink
# URL shortener with REST API and command line interface

@ -1,7 +1,8 @@
# adapted from https://github.com/samrose/dotfiles-1/blob/8887ca3b01edecd83c2e95f01e42885ce26f76c5/nixos/eve/modules/snappymail.nix#L55
{ pkgs, config, lib, mkDomain, ... }:
{ pkgs, config, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
maxUploadSize = "256M";
toKeyValue = lib.generators.toKeyValue {
mkKeyValue = lib.generators.mkKeyValueDefault {} " = ";

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# Sourcegraph
# Understand, fix, and automate across your codebase with this code intelligence platform

@ -1,6 +1,9 @@
{ config, lib, mkDomain, inputs, ... }:
{ config, lib, inputs, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
myStickerPicker = inputs.maunium-stickerpicker-nix.createStickerPicker {
#homeserver = "https://matrix.pvv.ntnu.no";
#userId = "@stickerbot:my.matrix.server";

@ -1,4 +1,7 @@
{ config, pkgs, lib, inputs, mkDomain, ... }:
{ config, pkgs, lib, inputs, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# plex admin web ui

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# thelunge
# The self-hosted Web IRC client

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# trivial gradios

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# vaultwarden
# Unofficial Bitwarden compatible server written in Rust

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# webdav

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
services.nginx.virtualHosts."kuklef.se" = {
forceSSL = true; # addSSL = true;

@ -1,4 +1,7 @@
{ config, pkgs, lib, mkDomain, ... }:
{ config, pkgs, lib, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# links.pbsds.net

@ -1,4 +1,7 @@
{ config, pkgs, lib, inputs, mkDomain, ... }:
{ config, pkgs, lib, inputs, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# refleksjon.no

@ -1,4 +1,7 @@
{ config, pkgs, lib, inputs, mkDomain, ... }:
{ config, pkgs, lib, inputs, ... }:
let
inherit (config.pbsds.nginx) mkDomain;
in
{
# roroslyd.no