anotherhadi/nixy
1
Fork 0
mirror of https://github.com/anotherhadi/nixy.git synced 2026-05-20 05:12:34 +02:00
Code Issues Packages Projects Releases Wiki Activity

Nix fmt

Browse Source 
Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
This commit is contained in:
Hadi
2026-05-04 20:40:09 +02:00
parent e805c868a7
commit d71c9d8169
61 changed files with 672 additions and 343 deletions
Download Patch File Download Diff File Expand all files Collapse all files
server-modules/arr.nix
+4 -1
View File
@@ -49,7 +49,10 @@ in {
};
};
users.users.jellyfin.extraGroups = ["video" "render"];
users.users.jellyfin.extraGroups = [
"video"
"render"
];
services.cloudflared.tunnels."${config.var.tunnelId}".ingress = {
"media.${config.var.domain}" = "http://localhost:8096";
server-modules/awesome-wallpapers.nix
+15 -7
View File
@@ -1,19 +1,27 @@
{ config, inputs, lib, ... }:
let
inherit (import ./mk-container.nix { inherit lib config; }) mkContainer;
in
{
config,
inputs,
lib,
...
}: let
inherit (import ./mk-container.nix {inherit lib config;}) mkContainer;
in {
imports = [
(mkContainer {
name = "wallpapers";
hostIp = "10.233.4.1";
containerIp = "10.233.4.2";
nixosConfig = { pkgs, ... }: {
nixosConfig = {pkgs, ...}: {
services.nginx = {
enable = true;
virtualHosts."wallpapers" = {
root = "${inputs.awesome-wallpapers.packages.${pkgs.system}.default}/share/awesome-wallpapers";
listen = [{ addr = "0.0.0.0"; port = 8080; }];
listen = [
{
addr = "0.0.0.0";
port = 8080;
}
];
locations."/" = {
tryFiles = "$uri $uri/ /index.html";
};
@@ -23,7 +31,7 @@ in
'';
};
};
networking.firewall.allowedTCPPorts = [ 8080 ];
networking.firewall.allowedTCPPorts = [8080];
system.stateVersion = "24.05";
};
})
server-modules/blog.nix
+4 -1
View File
@@ -51,7 +51,10 @@ in {
};
};
};
networking.firewall.allowedTCPPorts = [8080 8081];
networking.firewall.allowedTCPPorts = [
8080
8081
];
system.stateVersion = "24.05";
};
})
server-modules/cyberchef.nix
+14 -7
View File
@@ -1,22 +1,29 @@
{ config, lib, ... }:
let
inherit (import ./mk-container.nix { inherit lib config; }) mkContainer;
in
{
config,
lib,
...
}: let
inherit (import ./mk-container.nix {inherit lib config;}) mkContainer;
in {
imports = [
(mkContainer {
name = "cyberchef";
hostIp = "10.233.5.1";
containerIp = "10.233.5.2";
nixosConfig = { pkgs, ... }: {
nixosConfig = {pkgs, ...}: {
services.nginx = {
enable = true;
virtualHosts."cyberchef" = {
root = "${pkgs.cyberchef}/share/cyberchef";
listen = [{ addr = "0.0.0.0"; port = 8080; }];
listen = [
{
addr = "0.0.0.0";
port = 8080;
}
];
};
};
networking.firewall.allowedTCPPorts = [ 8080 ];
networking.firewall.allowedTCPPorts = [8080];
system.stateVersion = "24.05";
};
})
server-modules/default-creds.nix
+11 -8
View File
@@ -1,21 +1,24 @@
{ config, inputs, lib, ... }:
let
inherit (import ./mk-container.nix { inherit lib config; }) mkContainer;
domain = config.var.domain;
in
{
config,
inputs,
lib,
...
}: let
inherit (import ./mk-container.nix {inherit lib config;}) mkContainer;
domain = config.var.domain;
in {
imports = [
(mkContainer {
name = "def-creds";
hostIp = "10.233.6.1";
containerIp = "10.233.6.2";
nixosConfig = { ... }: {
imports = [ inputs.default-creds.nixosModules.default ];
nixosConfig = {...}: {
imports = [inputs.default-creds.nixosModules.default];
services.default-creds = {
enable = true;
port = 8087;
};
networking.firewall.allowedTCPPorts = [ 8087 ];
networking.firewall.allowedTCPPorts = [8087];
systemd.services.default-creds.environment = {
HOST = lib.mkForce "0.0.0.0";
PUBLIC_UMAMI_URL = "https://umami.${domain}";
server-modules/gitea.nix
+17 -12
View File
@@ -1,14 +1,17 @@
{ config, pkgs, lib, ... }:
let
inherit (import ./mk-container.nix { inherit lib config; }) mkContainer;
{
config,
pkgs,
lib,
...
}: let
inherit (import ./mk-container.nix {inherit lib config;}) mkContainer;
domain = config.var.domain;
catppuccin-gitea = pkgs.fetchzip {
url = "https://github.com/catppuccin/gitea/releases/download/v1.0.2/catppuccin-gitea.tar.gz";
sha256 = "sha256-rZHLORwLUfIFcB6K9yhrzr+UwdPNQVSadsw6rg8Q7gs=";
stripRoot = false;
};
in
{
in {
imports = [
(mkContainer {
name = "gitea";
@@ -19,17 +22,19 @@ in
hostPath = "/var/lib/gitea";
isReadOnly = false;
};
nixosConfig = { lib, ... }: {
nixosConfig = {lib, ...}: {
users.users.gitea.uid = lib.mkForce 978;
users.groups.gitea.gid = lib.mkForce 968;
services.postgresql = {
enable = true;
ensureDatabases = [ "gitea" ];
ensureUsers = [{
name = "gitea";
ensureDBOwnership = true;
}];
ensureDatabases = ["gitea"];
ensureUsers = [
{
name = "gitea";
ensureDBOwnership = true;
}
];
};
services.gitea = {
@@ -69,7 +74,7 @@ in
ln -sfn ${catppuccin-gitea} /var/lib/gitea/custom/public/assets/css
'';
networking.firewall.allowedTCPPorts = [ 3002 ];
networking.firewall.allowedTCPPorts = [3002];
system.stateVersion = "24.05";
};
})
server-modules/glance/default.nix
+93 -39
View File
@@ -1,41 +1,87 @@
{ config, lib, ... }:
let
inherit (import ../mk-container.nix { inherit lib config; }) mkContainer;
{
config,
lib,
...
}: let
inherit (import ../mk-container.nix {inherit lib config;}) mkContainer;
domain = config.var.domain;
hostIp = "10.233.12.1";
# Convert 6-char hex color to "H S L" string for glance (integers, no % sign)
hexToGlanceHsl = hex:
let
h = lib.toLower hex;
d = c:
if c == "a" then 10 else if c == "b" then 11 else if c == "c" then 12
else if c == "d" then 13 else if c == "e" then 14 else if c == "f" then 15
else lib.toInt c;
byte = pos: d (builtins.substring pos 1 h) * 16 + d (builtins.substring (pos + 1) 1 h);
ri = byte 0; gi = byte 2; bi = byte 4;
r = ri * 1.0 / 255.0;
g = gi * 1.0 / 255.0;
b = bi * 1.0 / 255.0;
mx = if r >= g && r >= b then "r" else if g >= b then "g" else "b";
mn = if r <= g && r <= b then "r" else if g <= b then "g" else "b";
cmax = if mx == "r" then r else if mx == "g" then g else b;
cmin = if mn == "r" then r else if mn == "g" then g else b;
delta = cmax - cmin;
l = (cmax + cmin) / 2.0;
s = if delta < 0.0001 then 0.0
else if l <= 0.5 then delta / (cmax + cmin)
else delta / (2.0 - cmax - cmin);
hue =
if delta < 0.0001 then 0.0
else if mx == "r" then let raw = 60.0 * (g - b) / delta; in if raw < 0.0 then raw + 360.0 else raw
else if mx == "g" then 60.0 * ((b - r) / delta + 2.0)
else 60.0 * ((r - g) / delta + 4.0);
in "${toString (builtins.floor (hue + 0.5))} ${toString (builtins.floor (s * 100.0 + 0.5))} ${toString (builtins.floor (l * 100.0 + 0.5))}";
hexToGlanceHsl = hex: let
h = lib.toLower hex;
d = c:
if c == "a"
then 10
else if c == "b"
then 11
else if c == "c"
then 12
else if c == "d"
then 13
else if c == "e"
then 14
else if c == "f"
then 15
else lib.toInt c;
byte = pos: d (builtins.substring pos 1 h) * 16 + d (builtins.substring (pos + 1) 1 h);
ri = byte 0;
gi = byte 2;
bi = byte 4;
r = ri * 1.0 / 255.0;
g = gi * 1.0 / 255.0;
b = bi * 1.0 / 255.0;
mx =
if r >= g && r >= b
then "r"
else if g >= b
then "g"
else "b";
mn =
if r <= g && r <= b
then "r"
else if g <= b
then "g"
else "b";
cmax =
if mx == "r"
then r
else if mx == "g"
then g
else b;
cmin =
if mn == "r"
then r
else if mn == "g"
then g
else b;
delta = cmax - cmin;
l = (cmax + cmin) / 2.0;
s =
if delta < 0.0001
then 0.0
else if l <= 0.5
then delta / (cmax + cmin)
else delta / (2.0 - cmax - cmin);
hue =
if delta < 0.0001
then 0.0
else if mx == "r"
then let
raw = 60.0 * (g - b) / delta;
in
if raw < 0.0
then raw + 360.0
else raw
else if mx == "g"
then 60.0 * ((b - r) / delta + 2.0)
else 60.0 * ((r - g) / delta + 4.0);
in "${toString (builtins.floor (hue + 0.5))} ${toString (builtins.floor (s * 100.0 + 0.5))} ${
toString (builtins.floor (l * 100.0 + 0.5))
}";
c = config.stylix.base16Scheme;
in
{
in {
# 0444 so the glance user inside the container can read the bind-mounted file
sops.secrets.adguard-pwd.mode = "0444";
@@ -49,10 +95,13 @@ in
hostPath = config.sops.secrets.adguard-pwd.path;
isReadOnly = true;
};
nixosConfig = { lib, ... }: {
nixosConfig = {lib, ...}: {
_module.args.domain = domain;
_module.args.adguardUrl = "http://${hostIp}:3000";
imports = [ ./home.nix ./server.nix ];
imports = [
./home.nix
./server.nix
];
services.glance = {
enable = true;
@@ -64,9 +113,9 @@ in
theme = {
light = false;
background-color = hexToGlanceHsl c.base00; # background
primary-color = hexToGlanceHsl c.base0D; # accent (iris/purple)
positive-color = hexToGlanceHsl c.base0B; # positive (pine/teal)
negative-color = hexToGlanceHsl c.base08; # negative (love/rose)
primary-color = hexToGlanceHsl c.base0D; # accent (iris/purple)
positive-color = hexToGlanceHsl c.base0B; # positive (pine/teal)
negative-color = hexToGlanceHsl c.base08; # negative (love/rose)
};
};
};
@@ -77,7 +126,12 @@ in
proxy_cache_path /var/cache/nginx/glance levels=1:2 keys_zone=glance:1m inactive=30m max_size=100m;
'';
virtualHosts."glance" = {
listen = [{ addr = "0.0.0.0"; port = 8080; }];
listen = [
{
addr = "0.0.0.0";
port = 8080;
}
];
locations."/" = {
proxyPass = "http://127.0.0.1:5678";
extraConfig = ''
@@ -90,7 +144,7 @@ in
};
};
networking.firewall.allowedTCPPorts = [ 8080 ];
networking.firewall.allowedTCPPorts = [8080];
system.stateVersion = "24.05";
};
})
server-modules/glance/home.nix
+1 -1
View File
@@ -1,4 +1,4 @@
{ domain, ... }: {
{domain, ...}: {
services.glance.settings.pages = [
{
name = "Home";
server-modules/mazanoke.nix
+39 -32
View File
@@ -1,43 +1,50 @@
{ config, lib, ... }:
let
inherit (import ./mk-container.nix { inherit lib config; }) mkContainer;
in
{
config,
lib,
...
}: let
inherit (import ./mk-container.nix {inherit lib config;}) mkContainer;
in {
imports = [
(mkContainer {
name = "mazanoke";
hostIp = "10.233.7.1";
containerIp = "10.233.7.2";
nixosConfig = { pkgs, ... }:
let
version = "1.1.5";
mazanoke-pkg = pkgs.stdenv.mkDerivation {
inherit version;
pname = "mazanoke";
src = pkgs.fetchFromGitHub {
owner = "civilblur";
repo = "mazanoke";
rev = "v${version}";
hash = "sha256-B/AF4diMNxN94BzpZP/C+K8kNj9q+4SDKWa/qd4LrVU=";
};
installPhase = ''
mkdir -p $out/share/mazanoke
cp -r ./index.html ./favicon.ico ./manifest.json ./service-worker.js ./assets $out/share/mazanoke/
'';
nixosConfig = {pkgs, ...}: let
version = "1.1.5";
mazanoke-pkg = pkgs.stdenv.mkDerivation {
inherit version;
pname = "mazanoke";
src = pkgs.fetchFromGitHub {
owner = "civilblur";
repo = "mazanoke";
rev = "v${version}";
hash = "sha256-B/AF4diMNxN94BzpZP/C+K8kNj9q+4SDKWa/qd4LrVU=";
};
in
{
services.nginx = {
enable = true;
virtualHosts."mazanoke" = {
root = "${mazanoke-pkg}/share/mazanoke";
listen = [{ addr = "0.0.0.0"; port = 8080; }];
locations."/" = { index = "index.html"; };
};
};
networking.firewall.allowedTCPPorts = [ 8080 ];
system.stateVersion = "24.05";
installPhase = ''
mkdir -p $out/share/mazanoke
cp -r ./index.html ./favicon.ico ./manifest.json ./service-worker.js ./assets $out/share/mazanoke/
'';
};
in {
services.nginx = {
enable = true;
virtualHosts."mazanoke" = {
root = "${mazanoke-pkg}/share/mazanoke";
listen = [
{
addr = "0.0.0.0";
port = 8080;
}
];
locations."/" = {
index = "index.html";
};
};
};
networking.firewall.allowedTCPPorts = [8080];
system.stateVersion = "24.05";
};
})
];
server-modules/mealie.nix
+8 -6
View File
@@ -1,20 +1,22 @@
{ config, lib, ... }:
let
inherit (import ./mk-container.nix { inherit lib config; }) mkContainer;
in
{
config,
lib,
...
}: let
inherit (import ./mk-container.nix {inherit lib config;}) mkContainer;
in {
imports = [
(mkContainer {
name = "mealie";
hostIp = "10.233.8.1";
containerIp = "10.233.8.2";
internet = true;
nixosConfig = { ... }: {
nixosConfig = {...}: {
services.mealie = {
enable = true;
port = 8080;
};
networking.firewall.allowedTCPPorts = [ 8080 ];
networking.firewall.allowedTCPPorts = [8080];
system.stateVersion = "24.05";
};
})
server-modules/mk-container.nix
+62 -58
View File
@@ -1,5 +1,7 @@
{ lib, config }:
{
lib,
config,
}:
# Returns a NixOS module (attrset), to be used in `imports`.
#
# Options:
@@ -7,62 +9,64 @@
# externalInterface - WAN interface for NAT, required when internet = true
# bindMounts - host paths to mount into the container (see containers.<name>.bindMounts)
# config - NixOS module for the container
let
nginxHardening = { config, ... }: lib.mkIf config.services.nginx.enable {
services.nginx.serverTokens = false;
};
in
{
mkContainer =
{
name,
hostIp,
containerIp,
internet ? false,
externalInterface ? config.var.networkInterface,
bindMounts ? {},
nixosConfig,
}:
assert lib.assertMsg
(lib.stringLength "ve-${name}" <= 15)
"mkContainer: interface name 've-${name}' is ${toString (lib.stringLength "ve-${name}")} chars, max is 15";
{
containers.${name} = {
autoStart = true;
privateNetwork = true;
hostAddress = hostIp;
localAddress = containerIp;
inherit bindMounts;
config = { ... }: {
imports = [ nixosConfig nginxHardening ];
networking.nameservers = lib.mkIf internet [ "1.1.1.1" "1.0.0.1" ];
nginxHardening = {config, ...}:
lib.mkIf config.services.nginx.enable {
services.nginx.serverTokens = false;
};
in {
mkContainer = {
name,
hostIp,
containerIp,
internet ? false,
externalInterface ? config.var.networkInterface,
bindMounts ? {},
nixosConfig,
}:
assert lib.assertMsg (lib.stringLength "ve-${name}" <= 15)
"mkContainer: interface name 've-${name}' is ${toString (lib.stringLength "ve-${name}")} chars, max is 15";
{
containers.${name} = {
autoStart = true;
privateNetwork = true;
hostAddress = hostIp;
localAddress = containerIp;
inherit bindMounts;
config = {...}: {
imports = [
nixosConfig
nginxHardening
];
networking.nameservers = lib.mkIf internet [
"1.1.1.1"
"1.0.0.1"
];
};
};
};
}
// (lib.optionalAttrs internet {
boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkDefault true;
networking.nat = {
enable = true;
externalInterface = externalInterface;
internalInterfaces = [ "ve-${name}" ];
};
# CONTAINER-FWD (defined by another module) blocks all forwarding by default.
# Insert rules in FORWARD before it: allow return traffic, block LAN, allow internet.
networking.firewall.extraCommands = ''
iptables -I FORWARD 1 -s ${containerIp} -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD 1 -s ${containerIp} -d 192.168.0.0/16 -j DROP
iptables -I FORWARD 1 -s ${containerIp} -d 172.16.0.0/12 -j DROP
iptables -I FORWARD 1 -s ${containerIp} -d 10.0.0.0/8 -j DROP
iptables -I FORWARD 1 -d ${containerIp} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
'';
networking.firewall.extraStopCommands = ''
iptables -D FORWARD -s ${containerIp} -m conntrack --ctstate NEW -j ACCEPT 2>/dev/null || true
iptables -D FORWARD -s ${containerIp} -d 192.168.0.0/16 -j DROP 2>/dev/null || true
iptables -D FORWARD -s ${containerIp} -d 172.16.0.0/12 -j DROP 2>/dev/null || true
iptables -D FORWARD -s ${containerIp} -d 10.0.0.0/8 -j DROP 2>/dev/null || true
iptables -D FORWARD -d ${containerIp} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
'';
});
}
// (lib.optionalAttrs internet {
boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkDefault true;
networking.nat = {
enable = true;
externalInterface = externalInterface;
internalInterfaces = ["ve-${name}"];
};
# CONTAINER-FWD (defined by another module) blocks all forwarding by default.
# Insert rules in FORWARD before it: allow return traffic, block LAN, allow internet.
networking.firewall.extraCommands = ''
iptables -I FORWARD 1 -s ${containerIp} -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD 1 -s ${containerIp} -d 192.168.0.0/16 -j DROP
iptables -I FORWARD 1 -s ${containerIp} -d 172.16.0.0/12 -j DROP
iptables -I FORWARD 1 -s ${containerIp} -d 10.0.0.0/8 -j DROP
iptables -I FORWARD 1 -d ${containerIp} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
'';
networking.firewall.extraStopCommands = ''
iptables -D FORWARD -s ${containerIp} -m conntrack --ctstate NEW -j ACCEPT 2>/dev/null || true
iptables -D FORWARD -s ${containerIp} -d 192.168.0.0/16 -j DROP 2>/dev/null || true
iptables -D FORWARD -s ${containerIp} -d 172.16.0.0/12 -j DROP 2>/dev/null || true
iptables -D FORWARD -s ${containerIp} -d 10.0.0.0/8 -j DROP 2>/dev/null || true
iptables -D FORWARD -d ${containerIp} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
'';
});
}
server-modules/ssh.nix
+8 -2
View File
@@ -17,8 +17,14 @@ in {
AllowTcpForwarding = false;
ClientAliveInterval = 300;
ClientAliveCountMax = 2;
KexAlgorithms = ["curve25519-sha256" "curve25519-sha256@libssh.org"];
Ciphers = ["chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com"];
KexAlgorithms = [
"curve25519-sha256"
"curve25519-sha256@libssh.org"
];
Ciphers = [
"chacha20-poly1305@openssh.com"
"aes256-gcm@openssh.com"
];
};
};
server-modules/stirling-pdf.nix
+8 -6
View File
@@ -1,19 +1,21 @@
{ config, lib, ... }:
let
inherit (import ./mk-container.nix { inherit lib config; }) mkContainer;
in
{
config,
lib,
...
}: let
inherit (import ./mk-container.nix {inherit lib config;}) mkContainer;
in {
imports = [
(mkContainer {
name = "stirling-pdf";
hostIp = "10.233.9.1";
containerIp = "10.233.9.2";
nixosConfig = { ... }: {
nixosConfig = {...}: {
services.stirling-pdf = {
enable = true;
environment."SERVER_PORT" = "8080";
};
networking.firewall.allowedTCPPorts = [ 8080 ];
networking.firewall.allowedTCPPorts = [8080];
system.stateVersion = "24.05";
};
})
server-modules/umami.nix
+8 -6
View File
@@ -1,8 +1,10 @@
{ config, lib, ... }:
let
inherit (import ./mk-container.nix { inherit lib config; }) mkContainer;
in
{
config,
lib,
...
}: let
inherit (import ./mk-container.nix {inherit lib config;}) mkContainer;
in {
sops.secrets.umami-secret.mode = "0400";
imports = [
@@ -14,7 +16,7 @@ in
hostPath = config.sops.secrets.umami-secret.path;
isReadOnly = true;
};
nixosConfig = { ... }: {
nixosConfig = {...}: {
services.umami = {
enable = true;
settings = {
@@ -27,7 +29,7 @@ in
};
# PrivateUsers breaks systemd-creds inside nspawn containers (nested user namespaces)
systemd.services.umami.serviceConfig.PrivateUsers = lib.mkForce false;
networking.firewall.allowedTCPPorts = [ 8080 ];
networking.firewall.allowedTCPPorts = [8080];
system.stateVersion = "24.05";
};
})