diff --git a/hosts/lightsail-tokyo/default.nix b/hosts/lightsail-tokyo/default.nix
index e48682f..579dede 100644
--- a/hosts/lightsail-tokyo/default.nix
+++ b/hosts/lightsail-tokyo/default.nix
@@ -1,6 +1,5 @@
 {
 lib,
- config,
 modulesPath,
 pkgs,
 ...
@@ -9,6 +8,15 @@
 "${modulesPath}/virtualisation/amazon-image.nix"
 ../../nixos/profiles/server
 ./anti-feature.nix
+
+ ./services/forgejo.nix
+ ./services/hysteria.nix
+ ./services/keycloak.nix
+ ./services/miniflux.nix
+ ./services/murmur.nix
+ ./services/ntfy.nix
+ ./services/pixivfe.nix
+ ./services/searx.nix
 ];
 
 time.timeZone = "Asia/Tokyo";
@@ -86,55 +94,6 @@
 };
 };
 
- services.hysteria = {
- enable = true;
- settings = {
- auth = {
- type = "userpass";
- userpass = {
- _secret = "/run/credentials/hysteria.service/auth";
- quote = false;
- };
- };
- masquerade = {
- type = "proxy";
- proxy.url = "https://ny4.dev/";
- };
- tls = {
- cert = "/run/credentials/hysteria.service/cert";
- key = "/run/credentials/hysteria.service/key";
- };
- };
- };
-
- systemd.services."hysteria".serviceConfig.LoadCredential = [
- # FIXME: remove hardcoded path
- "auth:${config.sops.secrets."hysteria/auth".path}"
- "cert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.crt"
- "key:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.key"
- ];
-
- # `journalctl -u murmur.service | grep Password`
- services.murmur = {
- enable = true;
- openFirewall = true;
- bandwidth = 256 * 1024; # 256 Kbit/s
- };
-
- services.searx = {
- enable = true;
- package = pkgs.searxng;
- environmentFile = config.sops.secrets."searx/environment".path;
- settings = {
- general.contact_url = "mailto:guanran928@outlook.com";
- search.autocomplete = "google";
- server = {
- port = 8100;
- secret_key = "@SEARX_SECRET@";
- };
- };
- };
-
 services.wastebin = {
 enable = true;
 settings.WASTEBIN_ADDRESS_PORT = "127.0.0.1:8200";
@@ -145,82 +104,6 @@
 settings.PORT = "8300";
 };
 
- services.ntfy-sh = {
- enable = true;
- settings = {
- base-url = "https://ntfy.ny4.dev";
- listen-http = "";
- listen-unix = "/run/ntfy-sh/ntfy.sock";
- listen-unix-mode = 511; # 0777
- behind-proxy = true;
- };
- };
-
- systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = ["ntfy-sh"];
-
- services.pixivfe = {
- enable = true;
- EnvironmentFile = config.sops.secrets."pixivfe/environment".path;
- settings = {
- PIXIVFE_UNIXSOCKET = "/run/pixivfe/pixiv.sock";
- PIXIVFE_IMAGEPROXY = "https://i.pixiv.re";
- };
- };
-
- systemd.services.pixivfe.serviceConfig = {
- RuntimeDirectory = ["pixivfe"];
- ExecStartPost = pkgs.writeShellScript "pixivfe-unixsocket" ''
- ${pkgs.coreutils}/bin/sleep 5
- ${pkgs.coreutils}/bin/chmod 777 /run/pixivfe/pixiv.sock
- '';
- };
-
- services.keycloak = {
- enable = true;
- settings = {
- cache = "local";
- hostname = "id.ny4.dev";
- http-host = "127.0.0.1";
- http-port = 8800;
- proxy = "edge";
- # proxy-headers = "xforwarded"; # FIXME: Key material not provided to setup HTTPS.
- };
- database.passwordFile = toString (pkgs.writeText "password" "keycloak");
- };
-
- services.forgejo = {
- enable = true;
- package = pkgs.forgejo;
- database.type = "postgres";
- settings = {
- server = {
- DOMAIN = "git.ny4.dev";
- PROTOCOL = "http+unix";
- ROOT_URL = "https://git.ny4.dev/";
- SSH_DOMAIN = "tyo0.ny4.dev";
- };
-
- service = {
- ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
- };
- };
- };
-
- services.miniflux = {
- enable = true;
- adminCredentialsFile = config.sops.secrets."miniflux/environment".path;
- config = {
- LISTEN_ADDR = "127.0.0.1:9300";
- BASE_URL = "https://rss.ny4.dev";
-
- OAUTH2_PROVIDER = "oidc";
- OAUTH2_CLIENT_ID = "miniflux";
- # OAUTH2_CLIENT_SECRET = "replace_me"; # EnvironmentFile
- OAUTH2_REDIRECT_URL = "https://rss.ny4.dev/oauth2/oidc/callback";
- OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://id.ny4.dev/realms/ny4";
- };
- };
-
 services.redlib = {
 enable = true;
 address = "127.0.0.1";
diff --git a/hosts/lightsail-tokyo/services/forgejo.nix b/hosts/lightsail-tokyo/services/forgejo.nix
new file mode 100644
index 0000000..22b5067
--- /dev/null
+++ b/hosts/lightsail-tokyo/services/forgejo.nix
@@ -0,0 +1,19 @@
+{pkgs, ...}: {
+ services.forgejo = {
+ enable = true;
+ package = pkgs.forgejo;
+ database.type = "postgres";
+ settings = {
+ server = {
+ DOMAIN = "git.ny4.dev";
+ PROTOCOL = "http+unix";
+ ROOT_URL = "https://git.ny4.dev/";
+ SSH_DOMAIN = "tyo0.ny4.dev";
+ };
+
+ service = {
+ ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+ };
+ };
+ };
+}
diff --git a/hosts/lightsail-tokyo/services/hysteria.nix b/hosts/lightsail-tokyo/services/hysteria.nix
new file mode 100644
index 0000000..7b70978
--- /dev/null
+++ b/hosts/lightsail-tokyo/services/hysteria.nix
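Review bot: `ALLOW_ONLY_EXTERNAL_REGISTRATION = true` in forgejo.nix only works together with an OAuth2/OIDC authentication source that is declared nowhere in this file, so a reader cannot tell what the external provider is, where it is configured, or that local sign-up is intentionally unreachable. Presumably it is the Keycloak realm used by the sibling miniflux module and is set up in the Forgejo admin UI; a comment above the `service` block should say so, e.g. `# Accounts are created only through the external OIDC source (configured in the admin UI, not here); local registration stays off.` The `SSH_DOMAIN = "tyo0.ny4.dev"` differing from `DOMAIN` also deserves a one-line comment noting that git-over-SSH goes to the host's own sshd rather than through the `git.ny4.dev` reverse proxy.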
@@ -0,0 +1,29 @@
+{config, ...}: {
+ services.hysteria = {
+ enable = true;
+ settings = {
+ auth = {
+ type = "userpass";
+ userpass = {
+ _secret = "/run/credentials/hysteria.service/auth";
+ quote = false;
+ };
+ };
+ masquerade = {
+ type = "proxy";
+ proxy.url = "https://ny4.dev/";
+ };
+ tls = {
+ cert = "/run/credentials/hysteria.service/cert";
+ key = "/run/credentials/hysteria.service/key";
+ };
+ };
+ };
+
+ systemd.services."hysteria".serviceConfig.LoadCredential = [
+ # FIXME: remove hardcoded path
+ "auth:${config.sops.secrets."hysteria/auth".path}"
+ "cert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.crt"
+ "key:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.key"
+ ];
+}
diff --git a/hosts/lightsail-tokyo/services/keycloak.nix b/hosts/lightsail-tokyo/services/keycloak.nix
new file mode 100644
index 0000000..f0c4046
--- /dev/null
+++ b/hosts/lightsail-tokyo/services/keycloak.nix
@@ -0,0 +1,14 @@
+{pkgs, ...}: {
+ services.keycloak = {
+ enable = true;
+ settings = {
+ cache = "local";
+ hostname = "id.ny4.dev";
+ http-host = "127.0.0.1";
+ http-port = 8800;
+ proxy = "edge";
+ # proxy-headers = "xforwarded"; # FIXME: Key material not provided to setup HTTPS.
+ };
+ database.passwordFile = toString (pkgs.writeText "password" "keycloak");
+ };
+}
diff --git a/hosts/lightsail-tokyo/services/miniflux.nix b/hosts/lightsail-tokyo/services/miniflux.nix
new file mode 100644
index 0000000..6b28b7a
--- /dev/null
+++ b/hosts/lightsail-tokyo/services/miniflux.nix
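Review bot: The `cert` and `key` entries in `LoadCredential` are copied into `/run/credentials/hysteria.service/` once, when the unit starts, so a Let's Encrypt renewal performed by Caddy never reaches hysteria until something restarts it and the QUIC listener will eventually present an expired certificate. The existing `FIXME` only covers the hard-coded path, not this staleness; Caddy renews well before expiry, so the window is long but it is not zero. Assuming Caddy rewrites the `.crt` in place on renewal, a path unit that restarts hysteria when the file changes closes the gap (this needs `config`, which is already in scope, but not `pkgs`); alternatively a daily timer restarting the unit is cruder but does not depend on how Caddy writes the file.
```nix
  # … unchanged: services.hysteria and LoadCredential …

  # LoadCredential snapshots cert/key at start; restart when Caddy renews.
  systemd.paths.hysteria-cert = {
    wantedBy = ["multi-user.target"];
    pathConfig.PathChanged = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.crt";
  };
  systemd.services.hysteria-cert.serviceConfig = {
    Type = "oneshot";
    ExecStart = "${config.systemd.package}/bin/systemctl restart hysteria.service";
  };
```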
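Review bot: `database.passwordFile = toString (pkgs.writeText "password" "keycloak")` puts the Keycloak database password into the world-readable Nix store and into this repository as a literal, unlike every other service in the change, which reads its secrets from sops. With the NixOS module's default of a locally created PostgreSQL reachable over TCP on localhost, any local user or compromised co-located service can log in as the identity provider's database role, and the identity provider is the trust root for miniflux (and presumably forgejo) sign-in. The fix is two lines: take `config` in the module arguments and use `database.passwordFile = config.sops.secrets."keycloak/db-password".path;` with a matching sops entry. On the `# FIXME` for `proxy-headers`: the "Key material not provided" error is, as far as I recall, Keycloak refusing to start its HTTPS listener because `proxy-headers` does not imply HTTP-only the way `proxy = "edge"` does; adding `http-enabled = true;` next to `proxy-headers = "xforwarded";` is the documented combination, but verify against the Keycloak version in use before dropping the deprecated `proxy` setting.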
@@ -0,0 +1,16 @@
+{config, ...}: {
+ services.miniflux = {
+ enable = true;
+ adminCredentialsFile = config.sops.secrets."miniflux/environment".path;
+ config = {
+ LISTEN_ADDR = "127.0.0.1:9300";
+ BASE_URL = "https://rss.ny4.dev";
+
+ OAUTH2_PROVIDER = "oidc";
+ OAUTH2_CLIENT_ID = "miniflux";
+ # OAUTH2_CLIENT_SECRET = "replace_me"; # EnvironmentFile
+ OAUTH2_REDIRECT_URL = "https://rss.ny4.dev/oauth2/oidc/callback";
+ OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://id.ny4.dev/realms/ny4";
+ };
+ };
+}
diff --git a/hosts/lightsail-tokyo/services/murmur.nix b/hosts/lightsail-tokyo/services/murmur.nix
new file mode 100644
index 0000000..ddb86aa
--- /dev/null
+++ b/hosts/lightsail-tokyo/services/murmur.nix
@@ -0,0 +1,8 @@
+{
+ # `journalctl -u murmur.service | grep Password`
+ services.murmur = {
+ enable = true;
+ openFirewall = true;
+ bandwidth = 256 * 1024; # 256 Kbit/s
+ };
+}
diff --git a/hosts/lightsail-tokyo/services/ntfy.nix b/hosts/lightsail-tokyo/services/ntfy.nix
new file mode 100644
index 0000000..ce6902e
--- /dev/null
+++ b/hosts/lightsail-tokyo/services/ntfy.nix
@@ -0,0 +1,14 @@
+{
+ services.ntfy-sh = {
+ enable = true;
+ settings = {
+ base-url = "https://ntfy.ny4.dev";
+ listen-http = "";
+ listen-unix = "/run/ntfy-sh/ntfy.sock";
+ listen-unix-mode = 511; # 0777
+ behind-proxy = true;
+ };
+ };
+
+ systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = ["ntfy-sh"];
+}
diff --git a/hosts/lightsail-tokyo/services/pixivfe.nix b/hosts/lightsail-tokyo/services/pixivfe.nix
new file mode 100644
index 0000000..34568de
--- /dev/null
+++ b/hosts/lightsail-tokyo/services/pixivfe.nix
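Review bot: The comment `# OAUTH2_CLIENT_SECRET = "replace_me"; # EnvironmentFile` in miniflux.nix is too terse to tell a maintainer where the secret actually lives: there is no `EnvironmentFile` option in this file, only `adminCredentialsFile`, and the reader has to know that the NixOS miniflux module (as far as I recall) passes that file to systemd as `EnvironmentFile`, so a key named `OAUTH2_CLIENT_SECRET` placed in the sops-managed `miniflux/environment` file is what completes the OIDC client. Spell that out, e.g. `# OAUTH2_CLIENT_SECRET is read from adminCredentialsFile (sops "miniflux/environment"), which the module loads as the unit's EnvironmentFile; never put it here.` It is also worth one line noting that `OAUTH2_USER_CREATION` is left unset on purpose, if it is, since without it an OIDC login only succeeds for accounts that already exist in miniflux.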
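Review bot: `openFirewall = true` in murmur.nix opens the Mumble port to the internet while no server `password` is configured, so anyone who finds the host can join; the only secret in play is the SuperUser password, which the comment tells you to fish out of the journal. If a public server is intended, the comment should say so and also say that the logged password is a one-time bootstrap, e.g. `# Public server (no join password). Murmur prints the generated SuperUser password once at first start; retrieve it with the command below and change it afterwards.` If it is not intended, set `password` (the module has a `password` option, and I believe a substitution mechanism for keeping it out of the store; check before relying on it) so the listener is not open to the world.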
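Review bot: `listen-unix-mode = 511; # 0777` in ntfy.nix makes the ntfy socket connectable by every local user, not just the Caddy reverse proxy, and with `behind-proxy = true` a direct local connection can supply its own `X-Forwarded-For` and so sidestep the per-visitor rate limits keyed on it. The socket only needs to be reachable by the proxy: `listen-unix-mode = 432; # 0660` plus group membership for the caddy user is the narrower setting, provided the module runs ntfy under a static user/group rather than `DynamicUser` (I cannot tell from this file; if it is dynamic, set `User`/`Group` explicitly first). Also note in a comment that the octal is spelled as decimal `511`/`432` because the ntfy option takes an integer, since the existing `# 0777` hint is the only thing that makes the value readable.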
@@ -0,0 +1,22 @@
+{
+ pkgs,
+ config,
+ ...
+}: {
+ services.pixivfe = {
+ enable = true;
+ EnvironmentFile = config.sops.secrets."pixivfe/environment".path;
+ settings = {
+ PIXIVFE_UNIXSOCKET = "/run/pixivfe/pixiv.sock";
+ PIXIVFE_IMAGEPROXY = "https://i.pixiv.re";
+ };
+ };
+
+ systemd.services.pixivfe.serviceConfig = {
+ RuntimeDirectory = ["pixivfe"];
+ ExecStartPost = pkgs.writeShellScript "pixivfe-unixsocket" ''
+ ${pkgs.coreutils}/bin/sleep 5
+ ${pkgs.coreutils}/bin/chmod 777 /run/pixivfe/pixiv.sock
+ '';
+ };
+}
diff --git a/hosts/lightsail-tokyo/services/searx.nix b/hosts/lightsail-tokyo/services/searx.nix
new file mode 100644
index 0000000..49c565a
--- /dev/null
+++ b/hosts/lightsail-tokyo/services/searx.nix
@@ -0,0 +1,19 @@
+{
+ pkgs,
+ config,
+ ...
+}: {
+ services.searx = {
+ enable = true;
+ package = pkgs.searxng;
+ environmentFile = config.sops.secrets."searx/environment".path;
+ settings = {
+ general.contact_url = "mailto:guanran928@outlook.com";
+ search.autocomplete = "google";
+ server = {
+ port = 8100;
+ secret_key = "@SEARX_SECRET@";
+ };
+ };
+ };
+}
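Review bot: The `ExecStartPost` script in pixivfe.nix races the daemon: it sleeps a fixed 5 seconds and then runs `chmod 777` on the socket, so on a slow start (first boot, host under load) the socket does not exist yet, `chmod` fails, and because `ExecStartPost` failure fails the unit, pixivfe is taken down by its own fix-up script; on a fast start it wastes 5 seconds of downtime. The mode is also wider than needed, since `777` hands the socket to every local user although only the reverse proxy should talk to it, and the execute bits mean nothing on a socket. A bounded poll for the socket, followed by the narrowest mode the proxy needs, removes the race; if the module supports a static group for the service, `660` with the caddy user in that group is the right end state, otherwise `666` at least drops the misleading execute bits.
```nix
    ExecStartPost = pkgs.writeShellScript "pixivfe-unixsocket" ''
      # Poll (up to ~10 s) instead of a blind sleep: a slow start would
      # otherwise make chmod fail and take the whole unit down with it.
      for _ in $(${pkgs.coreutils}/bin/seq 1 50); do
        [ -S /run/pixivfe/pixiv.sock ] && break
        ${pkgs.coreutils}/bin/sleep 0.2
      done
      # TODO: narrow to 660 + group once the proxy user is in pixivfe's group.
      ${pkgs.coreutils}/bin/chmod 666 /run/pixivfe/pixiv.sock
    '';
```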
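Review bot: `secret_key = "@SEARX_SECRET@"` in searx.nix looks like a placeholder that was never filled in, and nothing in the file explains that it is a deliberate substitution token: the value is only safe because the NixOS searx module (as far as I recall) rewrites `@VAR@` markers in the rendered settings from `environmentFile` at service start, so the real key stays in the sops-managed file rather than the Nix store. A comment on that line, e.g. `# Placeholder: substituted from SEARX_SECRET in environmentFile at startup; never put the real key here.`, saves the next reader from "fixing" it with a literal. Separately, `search.autocomplete = "google"` sends every keystroke of every user to Google, which is a privacy trade-off worth one line of justification on a self-hosted metasearch instance.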