nyancat/flake
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

tyo0: file structure

Browse source
This commit is contained in:
Guanran Wang 2024-08-11 18:13:36 +08:00
parent 6f27a20e7a
commit c91c32d01c
Signed by: nyancat
GPG key ID: 91F97D9ED12639CF
9 changed files with 150 additions and 126 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

135
hosts/lightsail-tokyo/default.nix
View file

@ -1,6 +1,5 @@
{ {
lib, lib,
config,
modulesPath, modulesPath,
pkgs, pkgs,
... ...
@ -9,6 +8,15 @@
"${modulesPath}/virtualisation/amazon-image.nix" "${modulesPath}/virtualisation/amazon-image.nix"
../../nixos/profiles/server ../../nixos/profiles/server
./anti-feature.nix ./anti-feature.nix
./services/forgejo.nix
./services/hysteria.nix
./services/keycloak.nix
./services/miniflux.nix
./services/murmur.nix
./services/ntfy.nix
./services/pixivfe.nix
./services/searx.nix
]; ];
time.timeZone = "Asia/Tokyo"; time.timeZone = "Asia/Tokyo";
@ -86,55 +94,6 @@
}; };
}; };
services.hysteria = {
enable = true;
settings = {
auth = {
type = "userpass";
userpass = {
_secret = "/run/credentials/hysteria.service/auth";
quote = false;
};
};
masquerade = {
type = "proxy";
proxy.url = "https://ny4.dev/";
};
tls = {
cert = "/run/credentials/hysteria.service/cert";
key = "/run/credentials/hysteria.service/key";
};
};
};
systemd.services."hysteria".serviceConfig.LoadCredential = [
# FIXME: remove hardcoded path
"auth:${config.sops.secrets."hysteria/auth".path}"
"cert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.crt"
"key:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.key"
];
# `journalctl -u murmur.service | grep Password`
services.murmur = {
enable = true;
openFirewall = true;
bandwidth = 256 * 1024; # 256 Kbit/s
};
services.searx = {
enable = true;
package = pkgs.searxng;
environmentFile = config.sops.secrets."searx/environment".path;
settings = {
general.contact_url = "mailto:guanran928@outlook.com";
search.autocomplete = "google";
server = {
port = 8100;
secret_key = "@SEARX_SECRET@";
};
};
};
services.wastebin = { services.wastebin = {
enable = true; enable = true;
settings.WASTEBIN_ADDRESS_PORT = "127.0.0.1:8200"; settings.WASTEBIN_ADDRESS_PORT = "127.0.0.1:8200";
@ -145,82 +104,6 @@
settings.PORT = "8300"; settings.PORT = "8300";
}; };
services.ntfy-sh = {
enable = true;
settings = {
base-url = "https://ntfy.ny4.dev";
listen-http = "";
listen-unix = "/run/ntfy-sh/ntfy.sock";
listen-unix-mode = 511; # 0777
behind-proxy = true;
};
};
systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = ["ntfy-sh"];
services.pixivfe = {
enable = true;
EnvironmentFile = config.sops.secrets."pixivfe/environment".path;
settings = {
PIXIVFE_UNIXSOCKET = "/run/pixivfe/pixiv.sock";
PIXIVFE_IMAGEPROXY = "https://i.pixiv.re";
};
};
systemd.services.pixivfe.serviceConfig = {
RuntimeDirectory = ["pixivfe"];
ExecStartPost = pkgs.writeShellScript "pixivfe-unixsocket" ''
${pkgs.coreutils}/bin/sleep 5
${pkgs.coreutils}/bin/chmod 777 /run/pixivfe/pixiv.sock
'';
};
services.keycloak = {
enable = true;
settings = {
cache = "local";
hostname = "id.ny4.dev";
http-host = "127.0.0.1";
http-port = 8800;
proxy = "edge";
# proxy-headers = "xforwarded"; # FIXME: Key material not provided to setup HTTPS.
};
database.passwordFile = toString (pkgs.writeText "password" "keycloak");
};
services.forgejo = {
enable = true;
package = pkgs.forgejo;
database.type = "postgres";
settings = {
server = {
DOMAIN = "git.ny4.dev";
PROTOCOL = "http+unix";
ROOT_URL = "https://git.ny4.dev/";
SSH_DOMAIN = "tyo0.ny4.dev";
};
service = {
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
};
};
};
services.miniflux = {
enable = true;
adminCredentialsFile = config.sops.secrets."miniflux/environment".path;
config = {
LISTEN_ADDR = "127.0.0.1:9300";
BASE_URL = "https://rss.ny4.dev";
OAUTH2_PROVIDER = "oidc";
OAUTH2_CLIENT_ID = "miniflux";
# OAUTH2_CLIENT_SECRET = "replace_me"; # EnvironmentFile
OAUTH2_REDIRECT_URL = "https://rss.ny4.dev/oauth2/oidc/callback";
OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://id.ny4.dev/realms/ny4";
};
};
services.redlib = { services.redlib = {
enable = true; enable = true;
address = "127.0.0.1"; address = "127.0.0.1";

19
hosts/lightsail-tokyo/services/forgejo.nix Normal file
View file

@ -0,0 +1,19 @@
{pkgs, ...}: {
services.forgejo = {
enable = true;
package = pkgs.forgejo;
database.type = "postgres";
settings = {
server = {
DOMAIN = "git.ny4.dev";
PROTOCOL = "http+unix";
ROOT_URL = "https://git.ny4.dev/";
SSH_DOMAIN = "tyo0.ny4.dev";
};
service = {
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
};
};
};
}

29
hosts/lightsail-tokyo/services/hysteria.nix Normal file
View file

@ -0,0 +1,29 @@
{config, ...}: {
services.hysteria = {
enable = true;
settings = {
auth = {
type = "userpass";
userpass = {
_secret = "/run/credentials/hysteria.service/auth";
quote = false;
};
};
masquerade = {
type = "proxy";
proxy.url = "https://ny4.dev/";
};
tls = {
cert = "/run/credentials/hysteria.service/cert";
key = "/run/credentials/hysteria.service/key";
};
};
};
systemd.services."hysteria".serviceConfig.LoadCredential = [
# FIXME: remove hardcoded path
"auth:${config.sops.secrets."hysteria/auth".path}"
"cert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.crt"
"key:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.key"
];
}

14
hosts/lightsail-tokyo/services/keycloak.nix Normal file
View file

@ -0,0 +1,14 @@
{pkgs, ...}: {
services.keycloak = {
enable = true;
settings = {
cache = "local";
hostname = "id.ny4.dev";
http-host = "127.0.0.1";
http-port = 8800;
proxy = "edge";
# proxy-headers = "xforwarded"; # FIXME: Key material not provided to setup HTTPS.
};
database.passwordFile = toString (pkgs.writeText "password" "keycloak");
};
}

16
hosts/lightsail-tokyo/services/miniflux.nix Normal file
View file

@ -0,0 +1,16 @@
{config, ...}: {
services.miniflux = {
enable = true;
adminCredentialsFile = config.sops.secrets."miniflux/environment".path;
config = {
LISTEN_ADDR = "127.0.0.1:9300";
BASE_URL = "https://rss.ny4.dev";
OAUTH2_PROVIDER = "oidc";
OAUTH2_CLIENT_ID = "miniflux";
# OAUTH2_CLIENT_SECRET = "replace_me"; # EnvironmentFile
OAUTH2_REDIRECT_URL = "https://rss.ny4.dev/oauth2/oidc/callback";
OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://id.ny4.dev/realms/ny4";
};
};
}

8
hosts/lightsail-tokyo/services/murmur.nix Normal file
View file

@ -0,0 +1,8 @@
{
# `journalctl -u murmur.service | grep Password`
services.murmur = {
enable = true;
openFirewall = true;
bandwidth = 256 * 1024; # 256 Kbit/s
};
}

14
hosts/lightsail-tokyo/services/ntfy.nix Normal file
View file

@ -0,0 +1,14 @@
{
services.ntfy-sh = {
enable = true;
settings = {
base-url = "https://ntfy.ny4.dev";
listen-http = "";
listen-unix = "/run/ntfy-sh/ntfy.sock";
listen-unix-mode = 511; # 0777
behind-proxy = true;
};
};
systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = ["ntfy-sh"];
}

22
hosts/lightsail-tokyo/services/pixivfe.nix Normal file
View file

@ -0,0 +1,22 @@
{
pkgs,
config,
...
}: {
services.pixivfe = {
enable = true;
EnvironmentFile = config.sops.secrets."pixivfe/environment".path;
settings = {
PIXIVFE_UNIXSOCKET = "/run/pixivfe/pixiv.sock";
PIXIVFE_IMAGEPROXY = "https://i.pixiv.re";
};
};
systemd.services.pixivfe.serviceConfig = {
RuntimeDirectory = ["pixivfe"];
ExecStartPost = pkgs.writeShellScript "pixivfe-unixsocket" ''
${pkgs.coreutils}/bin/sleep 5
${pkgs.coreutils}/bin/chmod 777 /run/pixivfe/pixiv.sock
'';
};
}

19
hosts/lightsail-tokyo/services/searx.nix Normal file
View file

@ -0,0 +1,19 @@
{
pkgs,
config,
...
}: {
services.searx = {
enable = true;
package = pkgs.searxng;
environmentFile = config.sops.secrets."searx/environment".path;
settings = {
general.contact_url = "mailto:guanran928@outlook.com";
search.autocomplete = "google";
server = {
port = 8100;
secret_key = "@SEARX_SECRET@";
};
};
};
}