tyo0: file structure
This commit is contained in:
parent
6f27a20e7a
commit
c91c32d01c
9 changed files with 150 additions and 126 deletions
|
@ -1,6 +1,5 @@
|
||||||
{
|
{
|
||||||
lib,
|
lib,
|
||||||
config,
|
|
||||||
modulesPath,
|
modulesPath,
|
||||||
pkgs,
|
pkgs,
|
||||||
...
|
...
|
||||||
|
@ -9,6 +8,15 @@
|
||||||
"${modulesPath}/virtualisation/amazon-image.nix"
|
"${modulesPath}/virtualisation/amazon-image.nix"
|
||||||
../../nixos/profiles/server
|
../../nixos/profiles/server
|
||||||
./anti-feature.nix
|
./anti-feature.nix
|
||||||
|
|
||||||
|
./services/forgejo.nix
|
||||||
|
./services/hysteria.nix
|
||||||
|
./services/keycloak.nix
|
||||||
|
./services/miniflux.nix
|
||||||
|
./services/murmur.nix
|
||||||
|
./services/ntfy.nix
|
||||||
|
./services/pixivfe.nix
|
||||||
|
./services/searx.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
time.timeZone = "Asia/Tokyo";
|
time.timeZone = "Asia/Tokyo";
|
||||||
|
@ -86,55 +94,6 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.hysteria = {
|
|
||||||
enable = true;
|
|
||||||
settings = {
|
|
||||||
auth = {
|
|
||||||
type = "userpass";
|
|
||||||
userpass = {
|
|
||||||
_secret = "/run/credentials/hysteria.service/auth";
|
|
||||||
quote = false;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
masquerade = {
|
|
||||||
type = "proxy";
|
|
||||||
proxy.url = "https://ny4.dev/";
|
|
||||||
};
|
|
||||||
tls = {
|
|
||||||
cert = "/run/credentials/hysteria.service/cert";
|
|
||||||
key = "/run/credentials/hysteria.service/key";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services."hysteria".serviceConfig.LoadCredential = [
|
|
||||||
# FIXME: remove hardcoded path
|
|
||||||
"auth:${config.sops.secrets."hysteria/auth".path}"
|
|
||||||
"cert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.crt"
|
|
||||||
"key:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.key"
|
|
||||||
];
|
|
||||||
|
|
||||||
# `journalctl -u murmur.service | grep Password`
|
|
||||||
services.murmur = {
|
|
||||||
enable = true;
|
|
||||||
openFirewall = true;
|
|
||||||
bandwidth = 256 * 1024; # 256 Kbit/s
|
|
||||||
};
|
|
||||||
|
|
||||||
services.searx = {
|
|
||||||
enable = true;
|
|
||||||
package = pkgs.searxng;
|
|
||||||
environmentFile = config.sops.secrets."searx/environment".path;
|
|
||||||
settings = {
|
|
||||||
general.contact_url = "mailto:guanran928@outlook.com";
|
|
||||||
search.autocomplete = "google";
|
|
||||||
server = {
|
|
||||||
port = 8100;
|
|
||||||
secret_key = "@SEARX_SECRET@";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.wastebin = {
|
services.wastebin = {
|
||||||
enable = true;
|
enable = true;
|
||||||
settings.WASTEBIN_ADDRESS_PORT = "127.0.0.1:8200";
|
settings.WASTEBIN_ADDRESS_PORT = "127.0.0.1:8200";
|
||||||
|
@ -145,82 +104,6 @@
|
||||||
settings.PORT = "8300";
|
settings.PORT = "8300";
|
||||||
};
|
};
|
||||||
|
|
||||||
services.ntfy-sh = {
|
|
||||||
enable = true;
|
|
||||||
settings = {
|
|
||||||
base-url = "https://ntfy.ny4.dev";
|
|
||||||
listen-http = "";
|
|
||||||
listen-unix = "/run/ntfy-sh/ntfy.sock";
|
|
||||||
listen-unix-mode = 511; # 0777
|
|
||||||
behind-proxy = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = ["ntfy-sh"];
|
|
||||||
|
|
||||||
services.pixivfe = {
|
|
||||||
enable = true;
|
|
||||||
EnvironmentFile = config.sops.secrets."pixivfe/environment".path;
|
|
||||||
settings = {
|
|
||||||
PIXIVFE_UNIXSOCKET = "/run/pixivfe/pixiv.sock";
|
|
||||||
PIXIVFE_IMAGEPROXY = "https://i.pixiv.re";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.pixivfe.serviceConfig = {
|
|
||||||
RuntimeDirectory = ["pixivfe"];
|
|
||||||
ExecStartPost = pkgs.writeShellScript "pixivfe-unixsocket" ''
|
|
||||||
${pkgs.coreutils}/bin/sleep 5
|
|
||||||
${pkgs.coreutils}/bin/chmod 777 /run/pixivfe/pixiv.sock
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
services.keycloak = {
|
|
||||||
enable = true;
|
|
||||||
settings = {
|
|
||||||
cache = "local";
|
|
||||||
hostname = "id.ny4.dev";
|
|
||||||
http-host = "127.0.0.1";
|
|
||||||
http-port = 8800;
|
|
||||||
proxy = "edge";
|
|
||||||
# proxy-headers = "xforwarded"; # FIXME: Key material not provided to setup HTTPS.
|
|
||||||
};
|
|
||||||
database.passwordFile = toString (pkgs.writeText "password" "keycloak");
|
|
||||||
};
|
|
||||||
|
|
||||||
services.forgejo = {
|
|
||||||
enable = true;
|
|
||||||
package = pkgs.forgejo;
|
|
||||||
database.type = "postgres";
|
|
||||||
settings = {
|
|
||||||
server = {
|
|
||||||
DOMAIN = "git.ny4.dev";
|
|
||||||
PROTOCOL = "http+unix";
|
|
||||||
ROOT_URL = "https://git.ny4.dev/";
|
|
||||||
SSH_DOMAIN = "tyo0.ny4.dev";
|
|
||||||
};
|
|
||||||
|
|
||||||
service = {
|
|
||||||
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.miniflux = {
|
|
||||||
enable = true;
|
|
||||||
adminCredentialsFile = config.sops.secrets."miniflux/environment".path;
|
|
||||||
config = {
|
|
||||||
LISTEN_ADDR = "127.0.0.1:9300";
|
|
||||||
BASE_URL = "https://rss.ny4.dev";
|
|
||||||
|
|
||||||
OAUTH2_PROVIDER = "oidc";
|
|
||||||
OAUTH2_CLIENT_ID = "miniflux";
|
|
||||||
# OAUTH2_CLIENT_SECRET = "replace_me"; # EnvironmentFile
|
|
||||||
OAUTH2_REDIRECT_URL = "https://rss.ny4.dev/oauth2/oidc/callback";
|
|
||||||
OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://id.ny4.dev/realms/ny4";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.redlib = {
|
services.redlib = {
|
||||||
enable = true;
|
enable = true;
|
||||||
address = "127.0.0.1";
|
address = "127.0.0.1";
|
||||||
|
|
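--- a/hosts/lightsail-tokyo/services/forgejo.nix
+++ b/hosts/lightsail-tokyo/services/forgejo.nix
@@ -0,0 +1,19 @@
+{pkgs, ...}: {
+services.forgejo = {
+enable = true;
+package = pkgs.forgejo;
+database.type = "postgres";
+settings = {
+server = {
+DOMAIN = "git.ny4.dev";
+PROTOCOL = "http+unix";
+ROOT_URL = "https://git.ny4.dev/";
+SSH_DOMAIN = "tyo0.ny4.dev";
+};
+
+service = {
+ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+};
+};
+};
+}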
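Review bot: `ALLOW_ONLY_EXTERNAL_REGISTRATION = true` is set without saying which external authentication source is meant or where it is configured, so a reader of this file cannot tell whether self-registration is effectively closed or routed through an IdP. Suggest a comment above the `service` block along the lines of `# Self-registration disabled; accounts only via an external auth source (presumably the Keycloak instance in keycloak.nix, configured in the Forgejo admin UI) — confirm`. The `PROTOCOL = "http+unix"` choice similarly deserves one line noting that the listener is a unix socket fronted by the reverse proxy, since nothing here binds a TCP port.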
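--- a/hosts/lightsail-tokyo/services/hysteria.nix
+++ b/hosts/lightsail-tokyo/services/hysteria.nix
@@ -0,0 +1,29 @@
+{config, ...}: {
+services.hysteria = {
+enable = true;
+settings = {
+auth = {
+type = "userpass";
+userpass = {
+_secret = "/run/credentials/hysteria.service/auth";
+quote = false;
+};
+};
+masquerade = {
+type = "proxy";
+proxy.url = "https://ny4.dev/";
+};
+tls = {
+cert = "/run/credentials/hysteria.service/cert";
+key = "/run/credentials/hysteria.service/key";
+};
+};
+};
+
+systemd.services."hysteria".serviceConfig.LoadCredential = [
+# FIXME: remove hardcoded path
+"auth:${config.sops.secrets."hysteria/auth".path}"
+"cert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.crt"
+"key:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.key"
+];
+}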
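Review bot: The `cert:` and `key:` entries in `LoadCredential` point into Caddy's ACME storage under `/var/lib/caddy`, and systemd copies credentials into `/run/credentials/hysteria.service` only when the unit starts, so once Caddy renews the certificate hysteria keeps serving the old one until it is restarted. The carried-over `# FIXME: remove hardcoded path` does not mention this consequence; suggest it read `# FIXME: hardcoded Caddy storage path; LoadCredential snapshots the files at start, so hysteria must be restarted after each renewal`. Tying a restart to whatever renewal hook the Caddy setup offers would close the gap, but that lives outside this file. The `_secret` / `quote = false` pair also deserves a one-line comment stating what the module substitutes there — from this hunk alone it is not clear whether the file contents are inserted verbatim or as a quoted string.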
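--- a/hosts/lightsail-tokyo/services/keycloak.nix
+++ b/hosts/lightsail-tokyo/services/keycloak.nix
@@ -0,0 +1,14 @@
+{pkgs, ...}: {
+services.keycloak = {
+enable = true;
+settings = {
+cache = "local";
+hostname = "id.ny4.dev";
+http-host = "127.0.0.1";
+http-port = 8800;
+proxy = "edge";
+# proxy-headers = "xforwarded"; # FIXME: Key material not provided to setup HTTPS.
+};
+database.passwordFile = toString (pkgs.writeText "password" "keycloak");
+};
+}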
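Review bot: `database.passwordFile = toString (pkgs.writeText "password" "keycloak");` writes the database password into the world-readable Nix store, so any local account (or anything that can read `/nix/store`) learns it, while the rest of this host keeps secrets in sops (`config.sops.secrets.…path` in miniflux.nix, searx.nix and hysteria.nix). Suggest `database.passwordFile = config.sops.secrets."<keycloak-db-password>".path;` with `<keycloak-db-password>` a sops entry still to be created, and adding `config` to the argument set, which currently only takes `{pkgs, ...}`. The blast radius is limited to local access since `http-host = "127.0.0.1"` and the database is local, but a fixed literal password is still the weakest link here. Separately, `proxy = "edge"` appears to be the legacy proxy setting that the commented-out `proxy-headers` replaces; a comment naming the Keycloak version this targets would make the FIXME actionable.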
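--- a/hosts/lightsail-tokyo/services/miniflux.nix
+++ b/hosts/lightsail-tokyo/services/miniflux.nix
@@ -0,0 +1,16 @@
+{config, ...}: {
+services.miniflux = {
+enable = true;
+adminCredentialsFile = config.sops.secrets."miniflux/environment".path;
+config = {
+LISTEN_ADDR = "127.0.0.1:9300";
+BASE_URL = "https://rss.ny4.dev";
+
+OAUTH2_PROVIDER = "oidc";
+OAUTH2_CLIENT_ID = "miniflux";
+# OAUTH2_CLIENT_SECRET = "replace_me"; # EnvironmentFile
+OAUTH2_REDIRECT_URL = "https://rss.ny4.dev/oauth2/oidc/callback";
+OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://id.ny4.dev/realms/ny4";
+};
+};
+}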
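Review bot: The comment `# OAUTH2_CLIENT_SECRET = "replace_me"; # EnvironmentFile` does not say which file supplies the secret; the only file referenced in this module is `adminCredentialsFile`, which the NixOS module presumably loads as the unit's EnvironmentFile. Suggest replacing it with `# OAUTH2_CLIENT_SECRET lives in adminCredentialsFile (sops), loaded by the module as EnvironmentFile — never inline it here, values in \`config\` end up in the Nix store` so the next reader knows where to look and why. If the module does not in fact expose that file to the process environment, the client secret is not being set at all and OIDC login would fail at the token exchange; worth confirming against the module.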
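--- a/hosts/lightsail-tokyo/services/murmur.nix
+++ b/hosts/lightsail-tokyo/services/murmur.nix
@@ -0,0 +1,8 @@
+{
+# `journalctl -u murmur.service | grep Password`
+services.murmur = {
+enable = true;
+openFirewall = true;
+bandwidth = 256 * 1024; # 256 Kbit/s
+};
+}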
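Review bot: The comment `# \`journalctl -u murmur.service | grep Password\`` tells the reader how to retrieve the generated SuperUser password but not that it then sits in the journal for anyone with journal read access for as long as the log is retained. Suggest expanding it to `# murmur prints the initial SuperUser password to the journal on first start; change it after first login so the logged value is no longer valid`. `openFirewall = true` is the expected choice for a voice server, but a one-line comment saying the Mumble port is intentionally public keeps a future reader from "locking it down" in a later cleanup.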
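--- a/hosts/lightsail-tokyo/services/ntfy.nix
+++ b/hosts/lightsail-tokyo/services/ntfy.nix
@@ -0,0 +1,14 @@
+{
+services.ntfy-sh = {
+enable = true;
+settings = {
+base-url = "https://ntfy.ny4.dev";
+listen-http = "";
+listen-unix = "/run/ntfy-sh/ntfy.sock";
+listen-unix-mode = 511; # 0777
+behind-proxy = true;
+};
+};
+
+systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = ["ntfy-sh"];
+}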
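Review bot: `listen-unix-mode = 511; # 0777` makes the ntfy socket writable by every local user, so anything on the host can talk to ntfy directly, and because `behind-proxy = true` tells ntfy to take the visitor address from the forwarded header, a local client can present any address it likes and sidestep the per-visitor rate limits that the proxy path enforces. Only the reverse proxy needs access; suggest `listen-unix-mode = 432; # 0660` and putting the proxy's service user into the socket owner's group, e.g. `systemd.services.caddy.serviceConfig.SupplementaryGroups = ["ntfy-sh"];` (the proxy is inferred to be Caddy from the certificate paths in default.nix and the group from the module's default user — confirm both). A comment on why the TCP listener is disabled via `listen-http = ""` in favour of the socket would round out the file.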
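--- a/hosts/lightsail-tokyo/services/pixivfe.nix
+++ b/hosts/lightsail-tokyo/services/pixivfe.nix
@@ -0,0 +1,22 @@
+{
+pkgs,
+config,
+...
+}: {
+services.pixivfe = {
+enable = true;
+EnvironmentFile = config.sops.secrets."pixivfe/environment".path;
+settings = {
+PIXIVFE_UNIXSOCKET = "/run/pixivfe/pixiv.sock";
+PIXIVFE_IMAGEPROXY = "https://i.pixiv.re";
+};
+};
+
+systemd.services.pixivfe.serviceConfig = {
+RuntimeDirectory = ["pixivfe"];
+ExecStartPost = pkgs.writeShellScript "pixivfe-unixsocket" ''
+${pkgs.coreutils}/bin/sleep 5
+${pkgs.coreutils}/bin/chmod 777 /run/pixivfe/pixiv.sock
+'';
+};
+}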
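Review bot: The `ExecStartPost` script sleeps a fixed 5 seconds and then runs `chmod 777` on `/run/pixivfe/pixiv.sock`, which is both racy and over-permissive: if pixivfe takes longer than 5 s to bind, `chmod` fails on a missing path and a failing ExecStartPost fails the unit, and when it does succeed the socket becomes writable by every local user rather than only the reverse proxy. Suggest dropping the script and letting the socket inherit its mode from the unit's umask, e.g. `UMask = "0117";` inside `systemd.services.pixivfe.serviceConfig` (a bound AF_UNIX socket then comes out 0660), with the proxy's service user added to the pixivfe service's group via SupplementaryGroups; the group name depends on how the module sets User/DynamicUser, which is not visible in this hunk. With that in place the timing coupling to startup disappears along with the `sleep`.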
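--- a/hosts/lightsail-tokyo/services/searx.nix
+++ b/hosts/lightsail-tokyo/services/searx.nix
@@ -0,0 +1,19 @@
+{
+pkgs,
+config,
+...
+}: {
+services.searx = {
+enable = true;
+package = pkgs.searxng;
+environmentFile = config.sops.secrets."searx/environment".path;
+settings = {
+general.contact_url = "mailto:guanran928@outlook.com";
+search.autocomplete = "google";
+server = {
+port = 8100;
+secret_key = "@SEARX_SECRET@";
+};
+};
+};
+}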
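Review bot: `server.port = 8100` is pinned but `server.bind_address` is not, so the listen address rests on the module default, whereas every other listener in this commit spells out `127.0.0.1` (`http-host` in keycloak.nix, `LISTEN_ADDR` in miniflux.nix, `address` for redlib in default.nix). Suggest adding `bind_address = "127.0.0.1";` beside `port` so the intent — reachable only through the reverse proxy — survives a change in the module default; whether the default is loopback today I cannot confirm from the hunk. `secret_key = "@SEARX_SECRET@"` appears to be the module's runtime-substitution placeholder filled from `environmentFile`, which keeps the secret out of the store; a one-line comment saying so would stop someone later "fixing" it into a literal.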