about summary refs log tree commit diff
path: root/modules/nixos
diff options
context:
space:
mode:
authorAzat Bahawi <azat@bahawi.net>2023-11-12 17:50:43 +0300
committerAzat Bahawi <azat@bahawi.net>2023-11-12 17:50:43 +0300
commit011c1632f3762e1bc1ecfdee9d9f3b3f44be74e5 (patch)
treee9d7d5955f25f82cdb671f1c44da663d2d839485 /modules/nixos
parent2023-11-09 (diff)
2023-11-12
Diffstat (limited to '')
-rw-r--r--modules/nixos/alertmanager.nix5
-rw-r--r--modules/nixos/games/lutris.nix4
-rw-r--r--modules/nixos/git/default.nix6
-rw-r--r--modules/nixos/gotify.nix3
-rw-r--r--modules/nixos/grafana.nix3
-rw-r--r--modules/nixos/ipfs.nix5
-rw-r--r--modules/nixos/jackett.nix3
-rw-r--r--modules/nixos/lidarr.nix3
-rw-r--r--modules/nixos/loki.nix3
-rw-r--r--modules/nixos/nginx.nix17
-rw-r--r--modules/nixos/ntfy.nix3
-rw-r--r--modules/nixos/plausible.nix198
-rw-r--r--modules/nixos/prometheus.nix3
-rw-r--r--modules/nixos/radarr.nix3
-rw-r--r--modules/nixos/radicale.nix3
-rw-r--r--modules/nixos/rss-bridge.nix3
-rw-r--r--modules/nixos/rtorrent.nix8
-rw-r--r--modules/nixos/searx.nix3
-rw-r--r--modules/nixos/sonarr.nix3
-rw-r--r--modules/nixos/syncthing.nix3
-rw-r--r--modules/nixos/victoriametrics.nix3
21 files changed, 159 insertions, 126 deletions
diff --git a/modules/nixos/alertmanager.nix b/modules/nixos/alertmanager.nix
index c8f0bf2..acbf7df 100644
--- a/modules/nixos/alertmanager.nix
+++ b/modules/nixos/alertmanager.nix
@@ -2,6 +2,7 @@
   config,
   inputs,
   lib,
+  libNginx,
   ...
 }:
 with lib; let
@@ -28,12 +29,12 @@ in {
   config = mkIf cfg.enable {
     nixfiles.modules = {
       ntfy.enable = true;
-      nginx = with cfg; {
+      nginx = {
         enable = true;
         upstreams.alertmanager.servers."127.0.0.1:${toString cfg.port}" = {};
         virtualHosts.${cfg.domain} = {
           locations."/".proxyPass = "http://alertmanager";
-          extraConfig = nginxInternalOnly;
+          extraConfig = libNginx.config.internalOnly;
         };
       };
     };
diff --git a/modules/nixos/games/lutris.nix b/modules/nixos/games/lutris.nix
index ad1e43e..feaeefa 100644
--- a/modules/nixos/games/lutris.nix
+++ b/modules/nixos/games/lutris.nix
@@ -17,7 +17,9 @@ in {
     };
 
     hm.home.packages = with pkgs; [
-      lutris
+      (lutris.override {
+        extraPkgs = _: [wine];
+      })
       vkBasalt
       winetricks
     ];
diff --git a/modules/nixos/git/default.nix b/modules/nixos/git/default.nix
index 4268f82..67cc07b 100644
--- a/modules/nixos/git/default.nix
+++ b/modules/nixos/git/default.nix
@@ -1,5 +1,7 @@
 {
   config,
+  libNginx,
+  libPlausible,
   lib,
   pkgs,
   ...
@@ -73,9 +75,9 @@ in {
             fastcgi_param QUERY_STRING $args;
             fastcgi_param HTTP_HOST $server_name;
 
-            ${nginxAppendHead [
+            ${libNginx.config.appendHead [
               ''<meta name="go-import" content="$host$uri git https://$host$uri">''
-              (htmlPlausibleScript {inherit (cfg.server) domain;})
+              (libPlausible.htmlPlausibleScript {inherit (cfg.server) domain;})
             ]}
           '';
           "~* ^.+(cgit.css|robots.txt)$".extraConfig = ''
diff --git a/modules/nixos/gotify.nix b/modules/nixos/gotify.nix
index db47bb4..41e1956 100644
--- a/modules/nixos/gotify.nix
+++ b/modules/nixos/gotify.nix
@@ -1,6 +1,7 @@
 {
   config,
   lib,
+  libNginx,
   ...
 }:
 with lib; let
@@ -29,7 +30,7 @@ in {
               proxyPass = "http://gotify";
               proxyWebsockets = true;
             };
-            extraConfig = nginxInternalOnly;
+            extraConfig = libNginx.config.internalOnly;
           };
         };
         postgresql = {
diff --git a/modules/nixos/grafana.nix b/modules/nixos/grafana.nix
index c191e38..ae79d17 100644
--- a/modules/nixos/grafana.nix
+++ b/modules/nixos/grafana.nix
@@ -1,5 +1,6 @@
 {
   config,
+  libNginx,
   inputs,
   lib,
   ...
@@ -56,7 +57,7 @@ in {
               proxyPass = "http://grafana";
               proxyWebsockets = true;
             };
-            extraConfig = nginxInternalOnly;
+            extraConfig = libNginx.config.internalOnly;
           };
         };
         postgresql = {
diff --git a/modules/nixos/ipfs.nix b/modules/nixos/ipfs.nix
index 43ddb70..bf93a3c 100644
--- a/modules/nixos/ipfs.nix
+++ b/modules/nixos/ipfs.nix
@@ -1,5 +1,6 @@
 {
   config,
+  libNginx,
   lib,
   this,
   ...
@@ -129,7 +130,7 @@ in {
         virtualHosts = {
           ${cfg.domain} = {
             locations."/".proxyPass = "http://kubo_gateway";
-            extraConfig = nginxInternalOnly;
+            extraConfig = libNginx.config.internalOnly;
           };
           "api.${cfg.domain}" = {
             locations = {
@@ -138,7 +139,7 @@ in {
                 optionalString config.nixfiles.modules.acme.enable "s"
               }://api.${cfg.domain}/webui";
             };
-            extraConfig = nginxInternalOnly;
+            extraConfig = libNginx.config.internalOnly;
           };
         };
       };
diff --git a/modules/nixos/jackett.nix b/modules/nixos/jackett.nix
index f8e45ba..772e0e9 100644
--- a/modules/nixos/jackett.nix
+++ b/modules/nixos/jackett.nix
@@ -1,6 +1,7 @@
 {
   config,
   lib,
+  libNginx,
   ...
 }:
 with lib; let
@@ -24,7 +25,7 @@ in {
       upstreams.jackett.servers."127.0.0.1:9117" = {};
       virtualHosts.${cfg.domain} = {
         locations."/".proxyPass = "http://jackett";
-        extraConfig = nginxInternalOnly;
+        extraConfig = libNginx.config.internalOnly;
       };
     };
 
diff --git a/modules/nixos/lidarr.nix b/modules/nixos/lidarr.nix
index ffa0735..b0c833c 100644
--- a/modules/nixos/lidarr.nix
+++ b/modules/nixos/lidarr.nix
@@ -1,6 +1,7 @@
 {
   config,
   lib,
+  libNginx,
   ...
 }:
 with lib; let
@@ -24,7 +25,7 @@ in {
       upstreams.lidarr.servers."127.0.0.1:8686" = {};
       virtualHosts.${cfg.domain} = {
         locations."/".proxyPass = "http://lidarr";
-        extraConfig = nginxInternalOnly;
+        extraConfig = libNginx.config.internalOnly;
       };
     };
 
diff --git a/modules/nixos/loki.nix b/modules/nixos/loki.nix
index 90a051c..c5194e1 100644
--- a/modules/nixos/loki.nix
+++ b/modules/nixos/loki.nix
@@ -1,5 +1,6 @@
 {
   config,
+  libNginx,
   lib,
   pkgs,
   ...
@@ -31,7 +32,7 @@ in {
       upstreams.loki.servers."127.0.0.1:${toString cfg.port}" = {};
       virtualHosts.${domain} = {
         locations."/".proxyPass = "http://loki";
-        extraConfig = nginxInternalOnly;
+        extraConfig = libNginx.config.internalOnly;
       };
     };
 
diff --git a/modules/nixos/nginx.nix b/modules/nixos/nginx.nix
index 9ca6936..05c6a06 100644
--- a/modules/nixos/nginx.nix
+++ b/modules/nixos/nginx.nix
@@ -25,6 +25,23 @@ in {
   };
 
   config = mkIf cfg.enable {
+    _module.args.libNginx.config = {
+      internalOnly = ''
+        if ($internal != 1) {
+          return 403;
+        }
+        access_log off;
+      '';
+      appendHead = text: ''
+        sub_filter '</head>' '${lib.concatStrings text}</head>';
+        sub_filter_once on;
+      '';
+      noProxyBuffering = ''
+        proxy_buffering off;
+        proxy_cache off;
+      '';
+    };
+
     services = {
       nginx = {
         enable = true;
diff --git a/modules/nixos/ntfy.nix b/modules/nixos/ntfy.nix
index 1682b7e..037f84a 100644
--- a/modules/nixos/ntfy.nix
+++ b/modules/nixos/ntfy.nix
@@ -1,6 +1,7 @@
 {
   config,
   lib,
+  libNginx,
   this,
   ...
 }:
@@ -55,7 +56,7 @@ in {
             deny all;
           '';
         };
-        extraConfig = nginxInternalOnly;
+        extraConfig = libNginx.config.internalOnly;
       };
     };
 
diff --git a/modules/nixos/plausible.nix b/modules/nixos/plausible.nix
index 6553462..91bdff9 100644
--- a/modules/nixos/plausible.nix
+++ b/modules/nixos/plausible.nix
@@ -6,126 +6,124 @@
 }:
 with lib; let
   cfg = config.nixfiles.modules.plausible;
-in {
-  options.nixfiles.modules.plausible = {
-    enable = mkEnableOption "Plausible Analytics";
+in
+  {
+    options.nixfiles.modules.plausible = {
+      enable = mkEnableOption "Plausible Analytics";
 
-    port = mkOption {
-      description = "Port.";
-      type = with types; port;
-      default = 8000;
-    };
+      port = mkOption {
+        description = "Port.";
+        type = with types; port;
+        default = 8000;
+      };
 
-    domain = mkOption {
-      description = "Domain name sans protocol scheme.";
-      type = with types; nullOr str;
-      default = "plausible.${config.networking.domain}";
+      domain = mkOption {
+        description = "Domain name sans protocol scheme.";
+        type = with types; nullOr str;
+        default = "plausible.${config.networking.domain}";
+      };
     };
-  };
 
-  config = let
-    db = "plausible";
-  in
-    mkIf cfg.enable {
-      secrets = {
-        plausible-key = {
-          file = "${inputs.self}/secrets/plausible-key";
-          mode = "0444"; # The user is dynamic so the file must be world-readable.
+    config = let
+      db = "plausible";
+    in
+      mkIf cfg.enable {
+        _module.args.libPlausible = {
+          htmlPlausibleScript = {
+            domain ? "$host",
+            src ? "https://${cfg.domain}/js/script.js",
+          }: ''<script defer data-domain="${domain}" src="${src}"></script>'';
         };
-        plausible-admin-password = {
-          file = "${inputs.self}/secrets/plausible-admin-password";
-          mode = "0444"; # The user is dynamic so the file must be world-readable.
-        };
-        plausible-smtp-password = {
-          file = "${inputs.self}/secrets/smtp-password";
-          mode = "0444"; # The user is dynamic so the file must be world-readable.
-        };
-        plausible-release-cookie = {
-          file = "${inputs.self}/secrets/plausible-release-cookie";
-          mode = "0444"; # The user is dynamic so the file must be world-readable.
+
+        secrets = {
+          plausible-key.file = "${inputs.self}/secrets/plausible-key";
+          plausible-admin-password.file = "${inputs.self}/secrets/plausible-admin-password";
+          plausible-smtp-password.file = "${inputs.self}/secrets/smtp-password";
         };
-      };
 
-      nixfiles.modules = {
-        nginx = {
-          enable = true;
-          upstreams.plausible.servers."127.0.0.1:${toString cfg.port}" = {};
-          virtualHosts.${cfg.domain}.locations."/" = {
-            proxyPass = "http://plausible";
-            proxyWebsockets = true;
+        nixfiles.modules = {
+          nginx = {
+            enable = true;
+            upstreams.plausible.servers."127.0.0.1:${toString cfg.port}" = {};
+            virtualHosts.${cfg.domain}.locations."/" = {
+              proxyPass = "http://plausible";
+              proxyWebsockets = true;
+            };
+          };
+          postgresql = {
+            enable = true;
+            extraPostStart = [
+              ''
+                $PSQL "${db}" -tAc 'GRANT ALL ON SCHEMA "public" TO "${db}"'
+                $PSQL "${db}" -tAc 'CREATE EXTENSION IF NOT EXISTS citext'
+              ''
+            ];
           };
+          clickhouse.enable = true;
         };
-        postgresql = {
-          enable = true;
-          extraPostStart = [
-            ''
-              $PSQL "${db}" -tAc 'GRANT ALL ON SCHEMA "public" TO "${db}"'
-              $PSQL "${db}" -tAc 'CREATE EXTENSION IF NOT EXISTS citext'
-            ''
+
+        services.postgresql = {
+          ensureDatabases = [db];
+          ensureUsers = [
+            {
+              name = db;
+              ensurePermissions."DATABASE \"${db}\"" = "ALL";
+            }
           ];
         };
-        clickhouse.enable = true;
-      };
 
-      services.postgresql = {
-        ensureDatabases = [db];
-        ensureUsers = [
-          {
-            name = db;
-            ensurePermissions."DATABASE \"${db}\"" = "ALL";
-          }
-        ];
-      };
-
-      services.plausible = {
-        enable = true;
+        services.plausible = {
+          enable = true;
 
-        adminUser = {
-          name = "admin";
-          email = "admin@${my.domain.shire}";
-          passwordFile = config.secrets.plausible-admin-password.path;
-          activate = false;
-        };
+          adminUser = {
+            name = "admin";
+            email = "admin@${my.domain.shire}";
+            passwordFile = config.secrets.plausible-admin-password.path;
+            activate = false;
+          };
 
-        mail = {
-          email = "admin+plausible@${my.domain.shire}";
-          smtp = {
-            hostAddr = my.domain.shire;
-            hostPort = 465;
-            enableSSL = true;
-            user = "azahi@${my.domain.shire}";
-            passwordFile = config.secrets.plausible-smtp-password.path;
+          mail = {
+            email = "admin+plausible@${my.domain.shire}";
+            smtp = {
+              hostAddr = my.domain.shire;
+              hostPort = 465;
+              enableSSL = true;
+              user = "azahi@${my.domain.shire}";
+              passwordFile = config.secrets.plausible-smtp-password.path;
+            };
           };
-        };
 
-        database = {
-          clickhouse = {
-            setup = false;
-            url = "http://127.0.0.1:8123/default";
+          database = {
+            clickhouse = {
+              setup = false;
+              url = "http://127.0.0.1:8123/default";
+            };
+
+            postgres = {
+              setup = true;
+              dbname = db;
+            };
           };
 
-          postgres = {
-            setup = true;
-            dbname = db;
+          server = {
+            baseUrl = "https://${cfg.domain}";
+            disableRegistration = true;
+            listenAddress = "127.0.0.1";
+            inherit (cfg) port;
+            secretKeybaseFile = config.secrets.plausible-key.path;
           };
         };
 
-        server = {
-          baseUrl = "https://${cfg.domain}";
-          disableRegistration = true;
-          inherit (cfg) port;
-          secretKeybaseFile = config.secrets.plausible-key.path;
+        systemd.services.plausible = rec {
+          after = [
+            "postgresql.service"
+            "clickhouse.service"
+          ];
+          requires = after;
         };
-
-        releaseCookiePath = config.secrets.plausible-release-cookie.path;
       };
-
-      systemd.services.plausible = rec {
-        after = [
-          "postgresql.service"
-          "clickhouse.service"
-        ];
-        requires = after;
-      };
-    };
-}
+  }
+  // lib.moduleFromRef
+  "services/web-apps/plausible.nix"
+  "nh2:plausible-listen-address-no-distributed-erlang"
+  "080c1rdz99xj8y876cw1p3zxmmaqq75jhrpf9f5z1da8v7yvs078"
diff --git a/modules/nixos/prometheus.nix b/modules/nixos/prometheus.nix
index 6de294f..5e61e73 100644
--- a/modules/nixos/prometheus.nix
+++ b/modules/nixos/prometheus.nix
@@ -1,5 +1,6 @@
 {
   config,
+  libNginx,
   lib,
   ...
 }:
@@ -28,7 +29,7 @@ in {
       upstreams.prometheus.servers."127.0.0.1:${toString cfg.port}" = {};
       virtualHosts.${domain} = {
         locations."/".proxyPass = "http://prometheus";
-        extraConfig = nginxInternalOnly;
+        extraConfig = libNginx.config.internalOnly;
       };
     };
 
diff --git a/modules/nixos/radarr.nix b/modules/nixos/radarr.nix
index 1551934..72abfac 100644
--- a/modules/nixos/radarr.nix
+++ b/modules/nixos/radarr.nix
@@ -1,6 +1,7 @@
 {
   config,
   lib,
+  libNginx,
   ...
 }:
 with lib; let
@@ -24,7 +25,7 @@ in {
       upstreams.radarr.servers."127.0.0.1:7878" = {};
       virtualHosts.${cfg.domain} = {
         locations."/".proxyPass = "http://radarr";
-        extraConfig = nginxInternalOnly;
+        extraConfig = libNginx.config.internalOnly;
       };
     };
 
diff --git a/modules/nixos/radicale.nix b/modules/nixos/radicale.nix
index d072899..3c6a230 100644
--- a/modules/nixos/radicale.nix
+++ b/modules/nixos/radicale.nix
@@ -1,4 +1,5 @@
 {
+  libNginx,
   config,
   inputs,
   lib,
@@ -34,7 +35,7 @@ in {
         upstreams.radicale.servers."127.0.0.1:${toString port}" = {};
         virtualHosts.${cfg.domain} = {
           locations."/".proxyPass = "http://radicale";
-          extraConfig = nginxInternalOnly;
+          extraConfig = libNginx.config.internalOnly;
         };
       };
 
diff --git a/modules/nixos/rss-bridge.nix b/modules/nixos/rss-bridge.nix
index 1fcaac8..486f2bf 100644
--- a/modules/nixos/rss-bridge.nix
+++ b/modules/nixos/rss-bridge.nix
@@ -1,6 +1,7 @@
 {
   config,
   lib,
+  libNginx,
   ...
 }:
 with lib; let
@@ -21,7 +22,7 @@ in {
 
     nixfiles.modules.nginx = {
       enable = true;
-      virtualHosts.${cfg.domain}.extraConfig = nginxInternalOnly;
+      virtualHosts.${cfg.domain}.extraConfig = libNginx.config.internalOnly;
     };
 
     services.rss-bridge = {
diff --git a/modules/nixos/rtorrent.nix b/modules/nixos/rtorrent.nix
index a4cade7..5d2dba5 100644
--- a/modules/nixos/rtorrent.nix
+++ b/modules/nixos/rtorrent.nix
@@ -1,6 +1,7 @@
 {
   config,
   lib,
+  libNginx,
   pkgs,
   ...
 }:
@@ -225,13 +226,10 @@ in {
                 "/".tryFiles = "$uri /index.html";
                 "/api" = {
                   proxyPass = "http://flood";
-                  extraConfig = ''
-                    proxy_buffering off;
-                    proxy_cache off;
-                  '';
+                  extraConfig = libNginx.config.noProxyBuffering;
                 };
               };
-              extraConfig = nginxInternalOnly;
+              extraConfig = libNginx.config.internalOnly;
             };
           };
 
diff --git a/modules/nixos/searx.nix b/modules/nixos/searx.nix
index 9462d5d..5c37f58 100644
--- a/modules/nixos/searx.nix
+++ b/modules/nixos/searx.nix
@@ -2,6 +2,7 @@
   config,
   inputs,
   lib,
+  libNginx,
   ...
 }:
 with lib; let
@@ -35,7 +36,7 @@ in {
       upstreams.searx.servers."127.0.0.1:${toString cfg.port}" = {};
       virtualHosts.${cfg.domain} = {
         locations."/".proxyPass = "http://searx";
-        extraConfig = nginxInternalOnly;
+        extraConfig = libNginx.config.internalOnly;
       };
     };
 
diff --git a/modules/nixos/sonarr.nix b/modules/nixos/sonarr.nix
index 2d2feb9..5cd8931 100644
--- a/modules/nixos/sonarr.nix
+++ b/modules/nixos/sonarr.nix
@@ -1,6 +1,7 @@
 {
   config,
   lib,
+  libNginx,
   ...
 }:
 with lib; let
@@ -24,7 +25,7 @@ in {
       upstreams.sonarr.servers."127.0.0.1:8989" = {};
       virtualHosts.${cfg.domain} = {
         locations."/".proxyPass = "http://sonarr";
-        extraConfig = nginxInternalOnly;
+        extraConfig = libNginx.config.internalOnly;
       };
     };
 
diff --git a/modules/nixos/syncthing.nix b/modules/nixos/syncthing.nix
index 8815f98..755e2db 100644
--- a/modules/nixos/syncthing.nix
+++ b/modules/nixos/syncthing.nix
@@ -1,5 +1,6 @@
 {
   config,
+  libNginx,
   inputs,
   lib,
   this,
@@ -137,7 +138,7 @@ in {
         upstreams.syncthing.servers.${config.services.syncthing.guiAddress} = {};
         virtualHosts.${cfg.domain} = {
           locations."/".proxyPass = "http://syncthing";
-          extraConfig = nginxInternalOnly;
+          extraConfig = libNginx.config.internalOnly;
         };
       };
     })
diff --git a/modules/nixos/victoriametrics.nix b/modules/nixos/victoriametrics.nix
index 509ee17..89d3ddb 100644
--- a/modules/nixos/victoriametrics.nix
+++ b/modules/nixos/victoriametrics.nix
@@ -1,5 +1,6 @@
 {
   config,
+  libNginx,
   lib,
   ...
 }:
@@ -28,7 +29,7 @@ in {
       upstreams.victoriametrics.servers."127.0.0.1:${toString cfg.port}" = {};
       virtualHosts.${domain} = {
         locations."/".proxyPass = "http://victoriametrics";
-        extraConfig = nginxInternalOnly;
+        extraConfig = libNginx.config.internalOnly;
       };
     };
 

Consider giving Nix/NixOS a try! <3