cnst/cnix
1
0
Fork 0
Code Issues Pull Requests Activity

feat(refactor): WIP refactor server modules

Browse Source
This commit is contained in:
cnst
2025-10-12 21:07:30 +02:00
parent 57cb48a11c
commit d2bd385367
43 changed files with 1004 additions and 1414 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
modules/server/services/bazarr/default.nix Normal file
View File

@@ -0,0 +1,17 @@
{
config,
lib,
...
}: let
unit = "bazarr";
srv = config.server;
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
};
}

16
modules/server/services/flaresolverr/default.nix Normal file
View File

@@ -0,0 +1,16 @@
{
config,
lib,
...
}: let
unit = "flaresolverr";
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services = {
${unit} = {
enable = true;
};
};
};
}

108
modules/server/services/gitea/default.nix Normal file
View File

@@ -0,0 +1,108 @@
# "inspired" by @jtojnar <3
{
config,
lib,
self,
...
}: let
unit = "gitea";
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
age.secrets = {
giteaCloudflared.file = "${self}/secrets/giteaCloudflared.age";
};
server.infra = {
fail2ban = {
jails = {
gitea = {
serviceName = "gitea";
failRegex = ''.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>'';
};
};
};
};
services = {
cloudflared = {
enable = true;
tunnels.${cfg.cloudflared.tunnelId} = {
credentialsFile = cfg.cloudflared.credentialsFile;
default = "http_status:404";
ingress."${cfg.url}".service = "http://localhost:${toString cfg.port}";
};
};
${unit} = {
enable = true;
appName = "cnix code forge";
database = {
type = "postgres";
socket = "/run/postgresql";
name = "gitea";
user = "gitea";
createDatabase = false;
};
lfs = {
enable = true;
};
settings = {
cors = {
ENABLED = true;
SCHEME = "https";
ALLOW_DOMAIN = cfg.url;
};
log = {
MODE = "console";
};
mailer = {
ENABLED = false;
MAILER_TYPE = "sendmail";
FROM = "noreply+adam@cnst.dev";
SENDMAIL_PATH = "/run/wrappers/bin/sendmail";
};
picture = {
DISABLE_GRAVATAR = true;
};
repository = {
DEFAULT_BRANCH = "main";
DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true;
};
indexer = {
REPO_INDEXER_ENABLED = true;
};
oauth2_client = {
ENABLE_AUTO_REGISTRATION = true;
ACCOUNT_LINKING = "auto";
};
server = {
DOMAIN = cfg.url;
LANDING_PAGE = "explore";
HTTP_PORT = cfg.port;
ROOT_URL = "https://${cfg.url}/";
};
security = {
DISABLE_GIT_HOOKS = false;
};
service = {
DISABLE_REGISTRATION = true;
};
session = {
COOKIE_SECURE = true;
};
};
};
};
server.infra.postgresql.databases = [
{
database = "gitea";
}
];
};
}

182
modules/server/services/homepage-dashboard/default.nix Normal file
View File

@@ -0,0 +1,182 @@
{
config,
lib,
self,
...
}: let
unit = "homepage-dashboard";
cfg = config.server.services.homepage-dashboard;
srv = config.server;
in {
config = lib.mkIf cfg.enable {
age.secrets = {
homepageEnvironment = {
file = "${self}/secrets/homepageEnvironment.age";
};
};
services = {
glances.enable = true;
${unit} = {
enable = true;
environmentFile = config.age.secrets.homepageEnvironment.path;
settings = {
layout = [
{
Glances = {
header = false;
style = "row";
columns = 4;
};
}
{
Arr = {
header = true;
style = "column";
};
}
{
Downloads = {
header = true;
style = "column";
};
}
{
Media = {
header = true;
style = "column";
};
}
{
Services = {
header = true;
style = "column";
};
}
];
headerStyle = "clean";
statusStyle = "dot";
hideVersion = "true";
};
widgets = [
{
openmeteo = {
label = "Kalmar";
timezone = "Europe/Stockholm";
units = "metric";
cache = 5;
latitude = 56.707262;
longitude = 16.324541;
};
}
{
resources = {
label = "SYSTEM";
memory = true;
cpu = true;
uptime = false;
};
}
];
services = let
homepageCategories = [
"Arr"
"Media"
"Downloads"
"Services"
];
hl = config.server.services;
homepageServices = x: (lib.attrsets.filterAttrs (
_name: value: value ? homepage && value.homepage.category == x
)
srv.services);
in
lib.lists.forEach homepageCategories (cat: {
"${cat}" =
lib.lists.forEach (lib.attrsets.mapAttrsToList (name: _value: name) (homepageServices "${cat}"))
(x: {
"${hl.${x}.homepage.name}" = {
icon = hl.${x}.homepage.icon;
description = hl.${x}.homepage.description;
href = "https://${hl.${x}.url}";
siteMonitor = "https://${hl.${x}.url}";
};
});
})
++ [
{
Glances = let
port = toString config.services.glances.port;
in [
{
Info = {
widget = {
type = "glances";
url = "http://localhost:${port}";
metric = "info";
chart = false;
version = 4;
};
};
}
{
"CPU Temp" = {
widget = {
type = "glances";
url = "http://localhost:${port}";
metric = "sensor:Tctl";
chart = false;
version = 4;
};
};
}
{
"GPU Radeon" = {
widget = {
type = "glances";
url = "http://localhost:${port}";
metric = "sensor:junction";
chart = false;
version = 4;
};
};
}
{
"GPU Intel" = {
widget = {
type = "glances";
url = "http://localhost:${port}";
metric = "sensor:pkg";
chart = false;
version = 4;
};
};
}
{
Processes = {
widget = {
type = "glances";
url = "http://localhost:${port}";
metric = "process";
chart = false;
version = 4;
};
};
}
{
Network = {
widget = {
type = "glances";
url = "http://localhost:${port}";
metric = "network:enp6s0";
chart = false;
version = 4;
};
};
}
];
}
];
};
};
};
}

21
modules/server/services/jellyfin/default.nix Normal file
View File

@@ -0,0 +1,21 @@
{
config,
lib,
pkgs,
...
}: let
unit = "jellyfin";
cfg = config.server.services.${unit};
srv = config.server;
in {
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
environment.systemPackages = with pkgs; [
jellyfin-ffmpeg
];
};
}

15
modules/server/services/jellyseerr/default.nix Normal file
View File

@@ -0,0 +1,15 @@
{
config,
lib,
...
}: let
unit = "jellyseerr";
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
port = cfg.port;
};
};
}

17
modules/server/services/lidarr/default.nix Normal file
View File

@@ -0,0 +1,17 @@
{
config,
lib,
...
}: let
unit = "lidarr";
srv = config.server;
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
};
}

17
modules/server/services/n8n/default.nix Normal file
View File

@@ -0,0 +1,17 @@
{
config,
lib,
...
}: let
unit = "n8n";
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services = {
n8n = {
enable = true;
openFirewall = true;
};
};
};
}

105
modules/server/services/nextcloud/default.nix Normal file
View File

@@ -0,0 +1,105 @@
{
config,
pkgs,
lib,
self,
...
}: let
unit = "nextcloud";
cfg = config.server.services.${unit};
srv = config.server;
in {
config = lib.mkIf cfg.enable {
age.secrets = {
nextcloudAdminPass.file = "${self}/secrets/nextcloudAdminPass.age";
nextcloudCloudflared.file = "${self}/secrets/nextcloudCloudflared.age";
};
server.infra.fail2ban = lib.mkIf srv.infra.fail2ban.enable {
jails = {
nextcloud = {
serviceName = "${unit}";
_groupsre = ''(?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)'';
failRegex = ''
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Two-factor challenge failed:
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
'';
datePattern = '',?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"'';
};
};
};
services = {
${unit} = {
enable = true;
package = pkgs.nextcloud32;
hostName = "nextcloud";
configureRedis = true;
caching = {
redis = true;
};
phpOptions = {
"opcache.interned_strings_buffer" = "32";
};
maxUploadSize = "50G";
settings = {
maintenance_window_start = "1";
trusted_proxies = [
"127.0.0.1"
"::1"
];
trusted_domains = ["cloud.${srv.domain}"];
overwriteprotocol = "https";
enabledPreviewProviders = [
"OC\\Preview\\BMP"
"OC\\Preview\\GIF"
"OC\\Preview\\JPEG"
"OC\\Preview\\Krita"
"OC\\Preview\\MarkDown"
"OC\\Preview\\MP3"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\PNG"
"OC\\Preview\\TXT"
"OC\\Preview\\XBitmap"
"OC\\Preview\\HEIC"
];
};
config = {
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "/run/postgresql";
dbname = "nextcloud";
adminuser = "cnst";
adminpassFile = config.age.secrets.nextcloudAdminPass.path;
};
};
nginx = {
defaultListen = [
{
addr = "127.0.0.1";
port = 8182;
}
{
addr = "127.0.0.1";
port = 8482;
}
];
virtualHosts.nextcloud = {
forceSSL = false;
};
};
};
server.infra.postgresql.databases = [
{
database = "nextcloud";
}
];
systemd.services."nextcloud-setup" = {
requires = ["postgresql.service"];
after = ["postgresql.service"];
};
};
}

16
modules/server/services/prowlarr/default.nix Normal file
View File

@@ -0,0 +1,16 @@
{
config,
lib,
...
}: let
unit = "prowlarr";
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services = {
${unit} = {
enable = true;
};
};
};
}

17
modules/server/services/radarr/default.nix Normal file
View File

@@ -0,0 +1,17 @@
{
config,
lib,
...
}: let
unit = "radarr";
srv = config.server;
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
};
}

17
modules/server/services/sonarr/default.nix Normal file
View File

@@ -0,0 +1,17 @@
{
config,
lib,
...
}: let
unit = "sonarr";
srv = config.server;
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
};
}

16
modules/server/services/uptime-kuma/default.nix Normal file
View File

@@ -0,0 +1,16 @@
{
config,
lib,
...
}: let
unit = "uptime-kuma";
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services = {
${unit} = {
enable = true;
};
};
};
}

65
modules/server/services/vaultwarden/default.nix Normal file
View File

@@ -0,0 +1,65 @@
# from @fufexan & @notthebee
{
config,
lib,
self,
...
}: let
unit = "vaultwarden";
cfg = config.server.services.${unit};
www = config.server.infra.www;
in {
config = lib.mkIf cfg.enable {
age.secrets = {
vaultwardenCloudflared.file = "${self}/secrets/vaultwardenCloudflared.age";
vaultwardenEnvironment.file = "${self}/secrets/vaultwardenEnvironment.age";
};
server.infra = {
fail2ban = {
jails = {
vaultwarden = {
serviceName = "${unit}";
failRegex = ''^.*?Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$'';
};
};
};
};
services = {
cloudflared = {
enable = true;
tunnels.${cfg.cloudflared.tunnelId} = {
credentialsFile = cfg.cloudflared.credentialsFile;
default = "http_status:404";
ingress."${cfg.url}".service = "http://localhost:${toString cfg.port}";
};
};
vaultwarden = {
enable = true;
environmentFile = config.age.secrets.vaultwardenEnvironment.path;
backupDir = "/var/backup/vaultwarden";
config = {
DOMAIN = "https://vault.${www.url}";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = cfg.port;
IP_HEADER = "CF-Connecting-IP";
logLevel = "warn";
extendedLogging = true;
useSyslog = true;
invitationsAllowed = true;
showPasswordHint = false;
};
};
};
systemd.services.backup-vaultwarden.serviceConfig = {
User = "root";
Group = "root";
};
};
}