From 07333b454434a9eb596c113ffc9830f3026ecf35 Mon Sep 17 00:00:00 2001
From: cnst
Date: Tue, 14 Oct 2025 21:50:44 +0200
Subject: [PATCH] feat(refactor): ready for merge

---
 hosts/default.nix | 4 +--
 hosts/sobotka/server.nix | 15 ++++++++-
 hosts/sobotka/settings.nix | 4 +++
 lib/server/default.nix | 29 +++++++++++++---
 lib/server/serviceurl/default.nix | 23 -------------
 lib/server/serviceurl/serviceurl.nix | 11 -------
 modules/home/programs/hyprlock/default.nix | 4 +--
 modules/home/services/hyprpaper/default.nix | 4 +--
 modules/server/default.nix | 12 +++++--
 modules/server/infra/traefik/default.nix | 17 +++++-----
 modules/server/infra/unbound/default.nix | 28 +++++++++++-----
 modules/server/services/gitea/default.nix | 9 ++---
 .../services/homepage-dashboard/default.nix | 19 +++++++----
 modules/settings/accounts/default.nix | 31 +++++++++++++-----
 secrets/homepageEnvironment.age | Bin 574 -> 579 bytes
 15 files changed, 125 insertions(+), 85 deletions(-)
 delete mode 100644 lib/server/serviceurl/default.nix
 delete mode 100644 lib/server/serviceurl/serviceurl.nix

diff --git a/hosts/default.nix b/hosts/default.nix
index f9126462..0cad4d23 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -6,7 +6,7 @@
 ...
 }: {
 flake.nixosConfigurations = let
- cLib = import ../lib inputs.nixpkgs.lib;
+ # clib = import ../lib inputs.nixpkgs.lib;
 userConfig = "${self}/home";
 systemConfig = "${self}/system";
 hostConfig = "${self}/hosts";
@@ -22,7 +22,7 @@
 specialArgs = {
 inherit
- cLib
+ # clib
 inputs
 outputs
 self
diff --git a/hosts/sobotka/server.nix b/hosts/sobotka/server.nix
index 3cca1160..7b1fae3c 100644
--- a/hosts/sobotka/server.nix
+++ b/hosts/sobotka/server.nix
@@ -57,12 +57,14 @@
 services = {
 homepage-dashboard = {
 enable = true;
- subdomain = "";
+ subdomain = "dash";
+ exposure = "local";
 port = 8082;
 };
 n8n = {
 enable = true;
 subdomain = "n8n";
+ exposure = "local";
 port = 5678;
 homepage = {
 name = "n8n";
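Review bot: `clib` is commented out of both the `let` binding and the `specialArgs` `inherit` list in hosts/default.nix, yet the hyprlock and hyprpaper home modules in this same patch rename their argument to `clib` and still read `clib.theme.bgs`; unless that argument is supplied from somewhere outside the patch, those modules can no longer be evaluated. The `clib` that modules/server/default.nix now injects through `_module.args` is built from `lib/server` and exposes only `server`, so it would not satisfy `clib.theme.bgs` even if it reached the home modules. Either restore the binding, `clib = import ../lib inputs.nixpkgs.lib;` together with `clib` in the `inherit` list, or delete the two commented lines instead of leaving dead code in the argument set. The same point applies to the hyprlock and hyprpaper hunks below.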
@@ -74,6 +76,7 @@
 bazarr = {
 enable = true;
 subdomain = "bazarr";
+ exposure = "local";
 port = 6767;
 homepage = {
 name = "Bazarr";
@@ -85,6 +88,7 @@
 prowlarr = {
 enable = true;
 subdomain = "prowlarr";
+ exposure = "local";
 port = 9696;
 homepage = {
 name = "prowlarr";
@@ -96,6 +100,7 @@
 flaresolverr = {
 enable = true;
 subdomain = "flaresolverr";
+ exposure = "local";
 port = 8191;
 homepage = {
 name = "FlareSolverr";
@@ -107,6 +112,7 @@
 lidarr = {
 enable = true;
 subdomain = "lidarr";
+ exposure = "local";
 port = 8686;
 homepage = {
 name = "Lidarr";
@@ -118,6 +124,7 @@
 sonarr = {
 enable = true;
 subdomain = "sonarr";
+ exposure = "local";
 port = 8989;
 homepage = {
 name = "Sonarr";
@@ -129,6 +136,7 @@
 radarr = {
 enable = true;
 subdomain = "radarr";
+ exposure = "local";
 port = 7878;
 homepage = {
 name = "Radarr";
@@ -140,6 +148,7 @@
 jellyseerr = {
 enable = true;
 subdomain = "jellyseerr";
+ exposure = "local";
 port = 5055;
 homepage = {
 name = "Jellyseerr";
@@ -163,6 +172,7 @@
 uptime-kuma = {
 enable = true;
 subdomain = "uptime";
+ exposure = "local";
 port = 3001;
 homepage = {
 name = "Uptime Kuma";
@@ -218,6 +228,7 @@
 qbittorrent = {
 enable = true;
 subdomain = "qbt";
+ exposure = "local";
 port = 8080;
 homepage = {
 name = "qBittorrent";
@@ -229,6 +240,7 @@
 slskd = {
 enable = true;
 subdomain = "slskd";
+ exposure = "local";
 port = 5030;
 homepage = {
 name = "Soulseek";
@@ -240,6 +252,7 @@
 pihole = {
 enable = true;
 subdomain = "pihole";
+ exposure = "local";
 port = 8053;
 homepage = {
 name = "PiHole";
diff --git a/hosts/sobotka/settings.nix b/hosts/sobotka/settings.nix
index 3c42b75d..b200a2d1 100644
--- a/hosts/sobotka/settings.nix
+++ b/hosts/sobotka/settings.nix
@@ -4,6 +4,10 @@
 username = "cnst";
 mail = "adam@cnst.dev";
 sshUser = "sobotka";
+ domains = {
+ local = "cnix.dev";
+ public = "cnst.dev";
+ };
 };
 };
 }
diff --git a/lib/server/default.nix b/lib/server/default.nix
index 9d87bca6..2f3cc182 100644
--- a/lib/server/default.nix
+++ b/lib/server/default.nix
@@ -1,5 +1,26 @@
-{
- imports = [
- ./serviceurl
- ];
+{lib}: let
+ server = {
+ mkDomain = config: service: let
+ localDomain = config.settings.accounts.domains.local;
+ publicDomain = config.settings.accounts.domains.public;
+ tailscaleDomain = "ts.${publicDomain}";
+ in
+ if service.exposure == "tunnel"
+ then publicDomain
+ else if service.exposure == "tailscale"
+ then tailscaleDomain
+ else localDomain;
+
+ mkFullDomain = config: service: let
+ domain = server.mkDomain config service;
+ in "${service.subdomain}.${domain}";
+
+ mkHostDomain = config: service: let
+ domain = server.mkDomain config service;
+ in "${domain}";
+
+ mkSubDomain = config: service: "${service.subdomain}";
+ };
+in {
+ server = server;
 }
diff --git a/lib/server/serviceurl/default.nix b/lib/server/serviceurl/default.nix
deleted file mode 100644
index 2d11508f..00000000
--- a/lib/server/serviceurl/default.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{
- lib,
- config,
- ...
-}: let
- mkServiceUrl' = import ./serviceurl.nix {inherit config;};
-in {
- options.clib = {
- server = {
- mkServiceUrl = lib.mkOption {
- type = lib.types.function;
- readOnly = true;
- description = "Helper function to generate a service URL.";
- };
- };
- };
-
- config.clib = {
- server = {
- mkServiceUrl = mkServiceUrl';
- };
- };
-}
diff --git a/lib/server/serviceurl/serviceurl.nix b/lib/server/serviceurl/serviceurl.nix
deleted file mode 100644
index f3cdca7a..00000000
--- a/lib/server/serviceurl/serviceurl.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{config}: service: let
- mainDomain = config.server.networking.domain;
- tailscaleDomain = "ts.${mainDomain}";
-
- domain =
- if service.exposure == "tunnel"
- then mainDomain
- else if service.exposure == "tailscale"
- then tailscaleDomain
- else (service.domain or mainDomain);
-in "${service.subdomain}.${domain}"
diff --git a/modules/home/programs/hyprlock/default.nix b/modules/home/programs/hyprlock/default.nix
index 82ab96a5..5cc69813 100644
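Review bot: `mkDomain` treats every `service.exposure` value other than `"tunnel"` and `"tailscale"` as local, so a misspelt value such as `"tailscal"` silently publishes the service under the local domain instead of failing evaluation; since this field decides which domain a service is reachable on, an unknown value should be rejected, e.g. `else if service.exposure == "local" then localDomain else throw "mkDomain: unknown exposure '${toString service.exposure}' for ${service.subdomain}"`, or the option should be constrained to `lib.types.enum ["local" "tailscale" "tunnel"]` where it is declared (that declaration is not part of this patch). The interpolations in `mkHostDomain` and `mkSubDomain` are redundant: `in domain;` and `mkSubDomain = config: service: service.subdomain;` read the same. A short comment on `server` stating that these helpers expect `config.settings.accounts.domains.{local,public}` to be set for the host would help callers, since the accounts module in this patch gives those options placeholder defaults.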
--- a/modules/home/programs/hyprlock/default.nix
+++ b/modules/home/programs/hyprlock/default.nix
@@ -3,7 +3,7 @@
 pkgs,
 lib,
 osConfig,
- cLib,
+ clib,
 ...
 }: let
 inherit (lib) mkIf mkEnableOption;
@@ -13,7 +13,7 @@
 # hyprlockPkg = pkgs.hyprlock;
 # bg = osConfig.settings.theme.background;
- inherit (cLib.theme.bgs) resolve;
+ inherit (clib.theme.bgs) resolve;
 in {
 config = mkIf cfg.enable {
 programs.hyprlock = {
diff --git a/modules/home/services/hyprpaper/default.nix b/modules/home/services/hyprpaper/default.nix
index 2511e56d..dac6688c 100644
--- a/modules/home/services/hyprpaper/default.nix
+++ b/modules/home/services/hyprpaper/default.nix
@@ -3,7 +3,7 @@
 pkgs,
 inputs,
 osConfig,
- cLib,
+ clib,
 ...
 }: let
 inherit (lib) mkIf;
@@ -11,7 +11,7 @@
 cfg = osConfig.nixos.programs.hyprland;
 hyprpaperFlake = inputs.hyprpaper.packages.${pkgs.system}.default;
 bg = osConfig.settings.theme.background;
- bgs = cLib.theme.bgs;
+ bgs = clib.theme.bgs;
 monitorMappings = [
 {
diff --git a/modules/server/default.nix b/modules/server/default.nix
index b3514378..9b3ebf24 100644
--- a/modules/server/default.nix
+++ b/modules/server/default.nix
@@ -1,6 +1,14 @@
-{self, ...}: {
+{
+ self,
+ lib,
+ ...
+}: let
+ clib = import "${self}/lib/server" {inherit lib;};
+in {
 imports = [
- "${self}/lib/server"
+ {
+ _module.args.clib = clib;
+ }
 ./options.nix
 ./infra
 ./services
diff --git a/modules/server/infra/traefik/default.nix b/modules/server/infra/traefik/default.nix
index e487f4a8..5ced27bd 100644
--- a/modules/server/infra/traefik/default.nix
+++ b/modules/server/infra/traefik/default.nix
@@ -1,5 +1,6 @@
 {
 lib,
+ clib,
 config,
 pkgs,
 self,
@@ -29,21 +30,21 @@
 # }
 # ) (lib.filterAttrs (name: service: service.enable) services);
- generateRouters = services:
+ generateRouters = services: config:
 lib.mapAttrs' (
 name: service:
- lib.nameValuePair "${service.subdomain}" {
+ lib.nameValuePair name {
 entryPoints = ["websecure"];
- rule = "Host(`${config.clib.server.mkServiceUrl service}`)";
- service = service.subdomain;
+ # FIX 3: Use backticks for the Host rule and interpolation
+ rule = "Host(`${clib.server.mkFullDomain config service}`)";
+ service = name;
 tls.certResolver = "letsencrypt";
 }
 ) (lib.filterAttrs (_: s: s.enable) services);
- # Generates all Traefik backend services
 generateServices = services:
 lib.mapAttrs' (name: service:
- lib.nameValuePair "${service.subdomain}" {
+ lib.nameValuePair name {
 loadBalancer.servers = [{url = "http://localhost:${toString service.port}";}];
 }) (lib.filterAttrs (name: service: service.enable) services);
@@ -168,12 +169,10 @@ in {
 dynamicConfigOptions = {
 http = {
- # Generate the services from your central list
 services = generateServices srv.services;
- # Generate the routers and manually add the special 'api' router
 routers =
- (generateRouters srv.services)
+ (generateRouters srv.services config)
 // {
 api = {
 entryPoints = ["websecure"];
diff --git a/modules/server/infra/unbound/default.nix b/modules/server/infra/unbound/default.nix
index 8072cfbe..280e211c 100644
--- a/modules/server/infra/unbound/default.nix
+++ b/modules/server/infra/unbound/default.nix
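Review bot: `generateRouters = services: config:` takes `config` as a second parameter even though the module's own `config` argument is already in scope (it is in the argument set of the first hunk), and the only call site, at the end of the third hunk, passes that same `config`, so the parameter merely shadows it; `generateRouters = services:` with `(generateRouters srv.services)` restored at the call site is simpler and avoids the shadowing. The `# FIX 3: Use backticks for the Host rule and interpolation` line reads as a scratch note rather than documentation and should be dropped or rewritten to say why the rule is built that way, e.g. `# Traefik Host() matchers take backtick-quoted literals`. Keying routers and services by the attribute `name` rather than `service.subdomain` also changes the Traefik object names, which is fine as long as nothing else (middlewares, the `api` router) refers to the old subdomain-based names; that cannot be confirmed from these hunks. The `let` that holds `generateRouters` and `generateServices` starts before the second hunk.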
@@ -8,10 +8,22 @@
 cfg = config.server.infra.${unit};
 srv = config.server;
- generateLocalRecords = services:
- lib.mapAttrsToList (
- name: service: "local-data: \"${service.subdomain}.${srv.domain}. A ${srv.ip}\""
- ) (lib.filterAttrs (name: service: service.enable) services);
+ svcNames = lib.attrNames srv.services;
+
+ localARecords = builtins.concatLists (map (
+ name: let
+ s = srv.services.${name};
+ in
+ if s != null && s.enable && s.subdomain != null
+ then [''"${s.subdomain}.${srv.domain}. A ${srv.ip}"'']
+ else []
+ )
+ svcNames);
+
+ revParts = lib.lists.reverseList (lib.splitString "." srv.ip);
+ revName = lib.concatStringsSep "." revParts;
+
+ localPTRs = ["${revName}.in-addr.arpa. PTR traefik.${srv.domain}"];
 hostIp = hostname:
 if hostname == "ziggy"
@@ -104,10 +116,10 @@ in {
 "255.255.255.255/32"
 "2001:db8::/32"
 ];
- local-data = generateLocalRecords srv.services;
- local-data-ptr = [
- "local-data: \"traefik.${srv.domain}. A ${srv.ip}\""
- ];
+ local-data = localARecords;
+
+ # Example PTR entry: "14.88.168.192.in-addr.arpa. PTR traefik.cnix.dev."
+ # local-data-ptr = localPTRs;
 };
 };
 };
diff --git a/modules/server/services/gitea/default.nix b/modules/server/services/gitea/default.nix
index 91ed0eb1..63825bbf 100644
--- a/modules/server/services/gitea/default.nix
+++ b/modules/server/services/gitea/default.nix
@@ -12,16 +12,13 @@ in {
 age.secrets.giteaCloudflared.file = "${self}/secrets/giteaCloudflared.age";
 server.infra = {
- fail2ban.jails.unit = {
+ fail2ban.jails.${unit} = {
 serviceName = "${unit}";
- failRegex = ''
- .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).*
- from
- '';
+ failRegex = ''.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from '';
 };
 postgresql.databases = [
- {database = unit;}
+ {database = "gitea";}
 ];
 };
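Review bot: `localARecords` builds names from `srv.domain`, while the Traefik router rules in this same patch now come from `clib.server.mkFullDomain`, which reads `config.settings.accounts.domains.local`; if the two values ever differ, Unbound answers for `<sub>.<srv.domain>` but Traefik routes `<sub>.<domains.local>`, so the record name should be derived from the same helper or the two options asserted equal. The removed `local-data-ptr` entry carried the A record for `traefik.${srv.domain}`; with that block now commented out and `localARecords` covering only `srv.services`, nothing in these hunks answers `traefik.<domain>` any more, unless it is declared elsewhere. `localPTRs` is defined but unused, and its target `traefik.${srv.domain}` lacks the trailing dot that the example comment shows; if it is kept, use `localPTRs = ["${revName}.in-addr.arpa. PTR traefik.${srv.domain}."];`. The `let` block these bindings belong to starts before the first hunk.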
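Review bot: the rewritten `failRegex` in the gitea hunk still contains no `<HOST>` token, so fail2ban has nothing to extract the offending address from and the jail cannot ban anyone; the pattern ends in `from ` followed by nothing. It should read `failRegex = ''.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>'';`. Replacing `{database = unit;}` with `{database = "gitea";}` while `serviceName = "${unit}"` stays keyed on `unit` is inconsistent; presumably `unit` is `"gitea"` (its definition is outside the hunk), in which case the literal adds nothing and the original form is preferable.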
diff --git a/modules/server/services/homepage-dashboard/default.nix b/modules/server/services/homepage-dashboard/default.nix
index 30b230b9..0f78cad8 100644
--- a/modules/server/services/homepage-dashboard/default.nix
+++ b/modules/server/services/homepage-dashboard/default.nix
@@ -2,6 +2,7 @@
 config,
 lib,
 self,
+ clib,
 ...
 }: let
 unit = "homepage-dashboard";
@@ -90,9 +91,10 @@ in {
 "Downloads"
 "Services"
 ];
- allServices = srv.services;
+ getDomain = s: clib.server.mkHostDomain config s;
+
 homepageServicesFor = category:
 lib.filterAttrs (
@@ -108,12 +110,15 @@ in {
 "${cat}" = lib.lists.forEach (lib.attrsets.mapAttrsToList (name: _value: name) (homepageServicesFor cat))
- (x: {
- "${allServices.${x}.homepage.name}" = {
- icon = allServices.${x}.homepage.icon;
- description = allServices.${x}.homepage.description;
- href = "https://${allServices.${x}.url}";
- siteMonitor = "https://${allServices.${x}.url}";
+ (x: let
+ service = allServices.${x};
+ domain = getDomain service;
+ in {
+ "${service.homepage.name}" = {
+ icon = service.homepage.icon;
+ description = service.homepage.description;
+ href = "https://${domain}";
+ siteMonitor = "https://${domain}";
 };
 });
 })
diff --git a/modules/settings/accounts/default.nix b/modules/settings/accounts/default.nix
index 3602fe11..101351e9 100644
--- a/modules/settings/accounts/default.nix
+++ b/modules/settings/accounts/default.nix
@@ -2,8 +2,7 @@
 lib,
 config,
 ...
-}:
-let
+}: let
 inherit (lib) mkOption types;
 sshKeys = {
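Review bot: the second homepage-dashboard hunk removes `allServices = srv.services;`, but the third hunk still reads `service = allServices.${x};`, so unless `allServices` is defined outside these hunks the module fails to evaluate with an undefined variable; `service = srv.services.${x};` fixes it. `getDomain` calls `mkHostDomain`, which returns only the bare domain, so every tile's `href` and `siteMonitor` become `https://<domain>` instead of pointing at the service; `getDomain = s: clib.server.mkFullDomain config s;` yields the same host the Traefik router rule is generated from. Both hunks sit inside a `let` whose start is outside the hunk.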
@@ -16,14 +15,14 @@ let
 keyName = config.settings.accounts.sshUser or null;
 selectedKey =
- if keyName != null then
+ if keyName != null
+ then
 lib.attrByPath [
 keyName
- ] (builtins.abort "No SSH key defined for hostname/key '${toString keyName}'") sshKeys
- else
- builtins.abort "No accounts.sshUser provided, cannot select SSH key.";
-in
-{
+ ] (builtins.abort "No SSH key defined for hostname/key '${toString keyName}'")
+ sshKeys
+ else builtins.abort "No accounts.sshUser provided, cannot select SSH key.";
+in {
 options.settings.accounts = {
 username = mkOption {
 type = types.str;
@@ -46,5 +45,21 @@ in
 default = null;
 description = "Optional override for selecting an SSH key by name";
 };
+ domains = lib.mkOption {
+ type = lib.types.submodule {
+ options = {
+ local = lib.mkOption {
+ type = lib.types.str;
+ default = "127.0.0.1";
+ description = "The local domain of the host";
+ };
+ public = lib.mkOption {
+ type = lib.types.str;
+ default = "example.com";
+ description = "The public domain of the host";
+ };
+ };
+ };
+ };
 };
 }
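Review bot: in the third accounts hunk `domains.local` defaults to `"127.0.0.1"` and `domains.public` to `"example.com"`, so a host that forgets to set `settings.accounts.domains` evaluates cleanly and produces Traefik routers (with the `letsencrypt` resolver), Unbound records and homepage links for `<sub>.127.0.0.1` and `<sub>.example.com` rather than failing; neither is a name the operator controls. Dropping `default` on both options so that `lib.mkOption { type = lib.types.str; description = "..."; }` forces the value to be set, or using `lib.types.nullOr lib.types.str` with an assertion, turns the misconfiguration into an evaluation error. The `domains` option itself has no `description`, and the file already brings `mkOption` and `types` into scope via `inherit (lib)`, so `lib.mkOption`/`lib.types` here is inconsistent with the rest of the module.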
diff --git a/secrets/homepageEnvironment.age b/secrets/homepageEnvironment.age index f5a686db7263c4b9b979104621642e17b34f3e95..7d021e55a739cdb365e20d70e80cd34ab706f8f1 100644 GIT binary patch delta 507 zcmdnTa+qa;PJMBHs8gwru|bHZn_rbdaj{>qV|sB!nNx&Cm4|0)dR9n9L{xZLep+6r zFPD#bpiiV{US5Q^v7d)!PJm09QF2&fS+0w>t6P$zqiJPHL{en7Wr4P-Czr0BLUD11 zZfc5=si~o*f_G@7ubZPnpmx4*RjPiKdqs(}Wnh(Kuv?10QE6C2sk3W^c0h85kztsh zzN4vgMTmzZS7xcDwxf}LNl{j=c43i)Wt2&IZc1cecBN%zs*6);X|SJnqNz`Wxof%S z#E;_PRi$YrCaI<7Zh6inrG+6;u1Q%@Nfy42M&@qGmVO2SDP|@Hp826+A$cZTMak}o zKBoD_&dJVh>E)Is?s;XIRc0>1E=KykIl*38UX@M-UJ(HyxxOZo;~B;4^RkRQqN2yz6+1L$t!j<=`=zDli1tht&-Tc$FDK=*_x^9&#t#4wc&^g` delta 502 zcmX@ivX5ngPJKv-yJxOjRfS1XVu^o2P)2TKq*rE1Qbn+HX{twLR#1g^vRPcA!a$Uv5@fSyj2avx`?wu18UTbB?=Fg?72g z#E;_Pd4}2*Nv`Qh#bIV9uI_&M$vy^!*=|);UIhllAp!2j;aL$bt`^w^9uXE?E~fe^ zJ_cDyMkWDf<&i!X5gA!kQE7!CE~x?O89tr`UKPgfWs!cFCXRuV;~B;4bHYR23@r;i zQe4aewfzFTGBQHE-HR&y^TSQTJW49V-AZ#@gWN4M^_{c1!n{0#3ib7K0z9+QGK!t^ zjYnp4nQI_TYlRH`P`N1^^DCucrV2