diff options
author | Azat Bahawi <azat@bahawi.net> | 2023-11-12 17:50:43 +0300 |
---|---|---|
committer | Azat Bahawi <azat@bahawi.net> | 2023-11-12 17:50:43 +0300 |
commit | 011c1632f3762e1bc1ecfdee9d9f3b3f44be74e5 (patch) | |
tree | e9d7d5955f25f82cdb671f1c44da663d2d839485 /modules/nixos | |
parent | 2023-11-09 (diff) |
2023-11-12
Diffstat (limited to 'modules/nixos')
-rw-r--r-- | modules/nixos/alertmanager.nix | 5 | ||||
-rw-r--r-- | modules/nixos/games/lutris.nix | 4 | ||||
-rw-r--r-- | modules/nixos/git/default.nix | 6 | ||||
-rw-r--r-- | modules/nixos/gotify.nix | 3 | ||||
-rw-r--r-- | modules/nixos/grafana.nix | 3 | ||||
-rw-r--r-- | modules/nixos/ipfs.nix | 5 | ||||
-rw-r--r-- | modules/nixos/jackett.nix | 3 | ||||
-rw-r--r-- | modules/nixos/lidarr.nix | 3 | ||||
-rw-r--r-- | modules/nixos/loki.nix | 3 | ||||
-rw-r--r-- | modules/nixos/nginx.nix | 17 | ||||
-rw-r--r-- | modules/nixos/ntfy.nix | 3 | ||||
-rw-r--r-- | modules/nixos/plausible.nix | 198 | ||||
-rw-r--r-- | modules/nixos/prometheus.nix | 3 | ||||
-rw-r--r-- | modules/nixos/radarr.nix | 3 | ||||
-rw-r--r-- | modules/nixos/radicale.nix | 3 | ||||
-rw-r--r-- | modules/nixos/rss-bridge.nix | 3 | ||||
-rw-r--r-- | modules/nixos/rtorrent.nix | 8 | ||||
-rw-r--r-- | modules/nixos/searx.nix | 3 | ||||
-rw-r--r-- | modules/nixos/sonarr.nix | 3 | ||||
-rw-r--r-- | modules/nixos/syncthing.nix | 3 | ||||
-rw-r--r-- | modules/nixos/victoriametrics.nix | 3 |
21 files changed, 159 insertions, 126 deletions
diff --git a/modules/nixos/alertmanager.nix b/modules/nixos/alertmanager.nix index c8f0bf2..acbf7df 100644 --- a/modules/nixos/alertmanager.nix +++ b/modules/nixos/alertmanager.nix @@ -2,6 +2,7 @@ config, inputs, lib, + libNginx, ... }: with lib; let @@ -28,12 +29,12 @@ in { config = mkIf cfg.enable { nixfiles.modules = { ntfy.enable = true; - nginx = with cfg; { + nginx = { enable = true; upstreams.alertmanager.servers."127.0.0.1:${toString cfg.port}" = {}; virtualHosts.${cfg.domain} = { locations."/".proxyPass = "http://alertmanager"; - extraConfig = nginxInternalOnly; + extraConfig = libNginx.config.internalOnly; }; }; }; diff --git a/modules/nixos/games/lutris.nix b/modules/nixos/games/lutris.nix index ad1e43e..feaeefa 100644 --- a/modules/nixos/games/lutris.nix +++ b/modules/nixos/games/lutris.nix @@ -17,7 +17,9 @@ in { }; hm.home.packages = with pkgs; [ - lutris + (lutris.override { + extraPkgs = _: [wine]; + }) vkBasalt winetricks ]; diff --git a/modules/nixos/git/default.nix b/modules/nixos/git/default.nix index 4268f82..67cc07b 100644 --- a/modules/nixos/git/default.nix +++ b/modules/nixos/git/default.nix @@ -1,5 +1,7 @@ { config, + libNginx, + libPlausible, lib, pkgs, ... @@ -73,9 +75,9 @@ in { fastcgi_param QUERY_STRING $args; fastcgi_param HTTP_HOST $server_name; - ${nginxAppendHead [ + ${libNginx.config.appendHead [ ''<meta name="go-import" content="$host$uri git https://$host$uri">'' - (htmlPlausibleScript {inherit (cfg.server) domain;}) + (libPlausible.htmlPlausibleScript {inherit (cfg.server) domain;}) ]} ''; "~* ^.+(cgit.css|robots.txt)$".extraConfig = '' diff --git a/modules/nixos/gotify.nix b/modules/nixos/gotify.nix index db47bb4..41e1956 100644 --- a/modules/nixos/gotify.nix +++ b/modules/nixos/gotify.nix @@ -1,6 +1,7 @@ { config, lib, + libNginx, ... }: with lib; let @@ -29,7 +30,7 @@ in { proxyPass = "http://gotify"; proxyWebsockets = true; }; - extraConfig = nginxInternalOnly; + extraConfig = libNginx.config.internalOnly; }; }; postgresql = { diff --git a/modules/nixos/grafana.nix b/modules/nixos/grafana.nix index c191e38..ae79d17 100644 --- a/modules/nixos/grafana.nix +++ b/modules/nixos/grafana.nix @@ -1,5 +1,6 @@ { config, + libNginx, inputs, lib, ... @@ -56,7 +57,7 @@ in { proxyPass = "http://grafana"; proxyWebsockets = true; }; - extraConfig = nginxInternalOnly; + extraConfig = libNginx.config.internalOnly; }; }; postgresql = { diff --git a/modules/nixos/ipfs.nix b/modules/nixos/ipfs.nix index 43ddb70..bf93a3c 100644 --- a/modules/nixos/ipfs.nix +++ b/modules/nixos/ipfs.nix @@ -1,5 +1,6 @@ { config, + libNginx, lib, this, ... @@ -129,7 +130,7 @@ in { virtualHosts = { ${cfg.domain} = { locations."/".proxyPass = "http://kubo_gateway"; - extraConfig = nginxInternalOnly; + extraConfig = libNginx.config.internalOnly; }; "api.${cfg.domain}" = { locations = { @@ -138,7 +139,7 @@ in { optionalString config.nixfiles.modules.acme.enable "s" }://api.${cfg.domain}/webui"; }; - extraConfig = nginxInternalOnly; + extraConfig = libNginx.config.internalOnly; }; }; }; diff --git a/modules/nixos/jackett.nix b/modules/nixos/jackett.nix index f8e45ba..772e0e9 100644 --- a/modules/nixos/jackett.nix +++ b/modules/nixos/jackett.nix @@ -1,6 +1,7 @@ { config, lib, + libNginx, ... }: with lib; let @@ -24,7 +25,7 @@ in { upstreams.jackett.servers."127.0.0.1:9117" = {}; virtualHosts.${cfg.domain} = { locations."/".proxyPass = "http://jackett"; - extraConfig = nginxInternalOnly; + extraConfig = libNginx.config.internalOnly; }; }; diff --git a/modules/nixos/lidarr.nix b/modules/nixos/lidarr.nix index ffa0735..b0c833c 100644 --- a/modules/nixos/lidarr.nix +++ b/modules/nixos/lidarr.nix @@ -1,6 +1,7 @@ { config, lib, + libNginx, ... }: with lib; let @@ -24,7 +25,7 @@ in { upstreams.lidarr.servers."127.0.0.1:8686" = {}; virtualHosts.${cfg.domain} = { locations."/".proxyPass = "http://lidarr"; - extraConfig = nginxInternalOnly; + extraConfig = libNginx.config.internalOnly; }; }; diff --git a/modules/nixos/loki.nix b/modules/nixos/loki.nix index 90a051c..c5194e1 100644 --- a/modules/nixos/loki.nix +++ b/modules/nixos/loki.nix @@ -1,5 +1,6 @@ { config, + libNginx, lib, pkgs, ... @@ -31,7 +32,7 @@ in { upstreams.loki.servers."127.0.0.1:${toString cfg.port}" = {}; virtualHosts.${domain} = { locations."/".proxyPass = "http://loki"; - extraConfig = nginxInternalOnly; + extraConfig = libNginx.config.internalOnly; }; }; diff --git a/modules/nixos/nginx.nix b/modules/nixos/nginx.nix index 9ca6936..05c6a06 100644 --- a/modules/nixos/nginx.nix +++ b/modules/nixos/nginx.nix @@ -25,6 +25,23 @@ in { }; config = mkIf cfg.enable { + _module.args.libNginx.config = { + internalOnly = '' + if ($internal != 1) { + return 403; + } + access_log off; + ''; + appendHead = text: '' + sub_filter '</head>' '${lib.concatStrings text}</head>'; + sub_filter_once on; + ''; + noProxyBuffering = '' + proxy_buffering off; + proxy_cache off; + ''; + }; + services = { nginx = { enable = true; diff --git a/modules/nixos/ntfy.nix b/modules/nixos/ntfy.nix index 1682b7e..037f84a 100644 --- a/modules/nixos/ntfy.nix +++ b/modules/nixos/ntfy.nix @@ -1,6 +1,7 @@ { config, lib, + libNginx, this, ... }: @@ -55,7 +56,7 @@ in { deny all; ''; }; - extraConfig = nginxInternalOnly; + extraConfig = libNginx.config.internalOnly; }; }; diff --git a/modules/nixos/plausible.nix b/modules/nixos/plausible.nix index 6553462..91bdff9 100644 --- a/modules/nixos/plausible.nix +++ b/modules/nixos/plausible.nix @@ -6,126 +6,124 @@ }: with lib; let cfg = config.nixfiles.modules.plausible; -in { - options.nixfiles.modules.plausible = { - enable = mkEnableOption "Plausible Analytics"; +in + { + options.nixfiles.modules.plausible = { + enable = mkEnableOption "Plausible Analytics"; - port = mkOption { - description = "Port."; - type = with types; port; - default = 8000; - }; + port = mkOption { + description = "Port."; + type = with types; port; + default = 8000; + }; - domain = mkOption { - description = "Domain name sans protocol scheme."; - type = with types; nullOr str; - default = "plausible.${config.networking.domain}"; + domain = mkOption { + description = "Domain name sans protocol scheme."; + type = with types; nullOr str; + default = "plausible.${config.networking.domain}"; + }; }; - }; - config = let - db = "plausible"; - in - mkIf cfg.enable { - secrets = { - plausible-key = { - file = "${inputs.self}/secrets/plausible-key"; - mode = "0444"; # The user is dynamic so the file must be world-readable. + config = let + db = "plausible"; + in + mkIf cfg.enable { + _module.args.libPlausible = { + htmlPlausibleScript = { + domain ? "$host", + src ? "https://${cfg.domain}/js/script.js", + }: ''<script defer data-domain="${domain}" src="${src}"></script>''; }; - plausible-admin-password = { - file = "${inputs.self}/secrets/plausible-admin-password"; - mode = "0444"; # The user is dynamic so the file must be world-readable. - }; - plausible-smtp-password = { - file = "${inputs.self}/secrets/smtp-password"; - mode = "0444"; # The user is dynamic so the file must be world-readable. - }; - plausible-release-cookie = { - file = "${inputs.self}/secrets/plausible-release-cookie"; - mode = "0444"; # The user is dynamic so the file must be world-readable. + + secrets = { + plausible-key.file = "${inputs.self}/secrets/plausible-key"; + plausible-admin-password.file = "${inputs.self}/secrets/plausible-admin-password"; + plausible-smtp-password.file = "${inputs.self}/secrets/smtp-password"; }; - }; - nixfiles.modules = { - nginx = { - enable = true; - upstreams.plausible.servers."127.0.0.1:${toString cfg.port}" = {}; - virtualHosts.${cfg.domain}.locations."/" = { - proxyPass = "http://plausible"; - proxyWebsockets = true; + nixfiles.modules = { + nginx = { + enable = true; + upstreams.plausible.servers."127.0.0.1:${toString cfg.port}" = {}; + virtualHosts.${cfg.domain}.locations."/" = { + proxyPass = "http://plausible"; + proxyWebsockets = true; + }; + }; + postgresql = { + enable = true; + extraPostStart = [ + '' + $PSQL "${db}" -tAc 'GRANT ALL ON SCHEMA "public" TO "${db}"' + $PSQL "${db}" -tAc 'CREATE EXTENSION IF NOT EXISTS citext' + '' + ]; }; + clickhouse.enable = true; }; - postgresql = { - enable = true; - extraPostStart = [ - '' - $PSQL "${db}" -tAc 'GRANT ALL ON SCHEMA "public" TO "${db}"' - $PSQL "${db}" -tAc 'CREATE EXTENSION IF NOT EXISTS citext' - '' + + services.postgresql = { + ensureDatabases = [db]; + ensureUsers = [ + { + name = db; + ensurePermissions."DATABASE \"${db}\"" = "ALL"; + } ]; }; - clickhouse.enable = true; - }; - services.postgresql = { - ensureDatabases = [db]; - ensureUsers = [ - { - name = db; - ensurePermissions."DATABASE \"${db}\"" = "ALL"; - } - ]; - }; - - services.plausible = { - enable = true; + services.plausible = { + enable = true; - adminUser = { - name = "admin"; - email = "admin@${my.domain.shire}"; - passwordFile = config.secrets.plausible-admin-password.path; - activate = false; - }; + adminUser = { + name = "admin"; + email = "admin@${my.domain.shire}"; + passwordFile = config.secrets.plausible-admin-password.path; + activate = false; + }; - mail = { - email = "admin+plausible@${my.domain.shire}"; - smtp = { - hostAddr = my.domain.shire; - hostPort = 465; - enableSSL = true; - user = "azahi@${my.domain.shire}"; - passwordFile = config.secrets.plausible-smtp-password.path; + mail = { + email = "admin+plausible@${my.domain.shire}"; + smtp = { + hostAddr = my.domain.shire; + hostPort = 465; + enableSSL = true; + user = "azahi@${my.domain.shire}"; + passwordFile = config.secrets.plausible-smtp-password.path; + }; }; - }; - database = { - clickhouse = { - setup = false; - url = "http://127.0.0.1:8123/default"; + database = { + clickhouse = { + setup = false; + url = "http://127.0.0.1:8123/default"; + }; + + postgres = { + setup = true; + dbname = db; + }; }; - postgres = { - setup = true; - dbname = db; + server = { + baseUrl = "https://${cfg.domain}"; + disableRegistration = true; + listenAddress = "127.0.0.1"; + inherit (cfg) port; + secretKeybaseFile = config.secrets.plausible-key.path; }; }; - server = { - baseUrl = "https://${cfg.domain}"; - disableRegistration = true; - inherit (cfg) port; - secretKeybaseFile = config.secrets.plausible-key.path; + systemd.services.plausible = rec { + after = [ + "postgresql.service" + "clickhouse.service" + ]; + requires = after; }; - - releaseCookiePath = config.secrets.plausible-release-cookie.path; }; - - systemd.services.plausible = rec { - after = [ - "postgresql.service" - "clickhouse.service" - ]; - requires = after; - }; - }; -} + } + // lib.moduleFromRef + "services/web-apps/plausible.nix" + "nh2:plausible-listen-address-no-distributed-erlang" + "080c1rdz99xj8y876cw1p3zxmmaqq75jhrpf9f5z1da8v7yvs078" diff --git a/modules/nixos/prometheus.nix b/modules/nixos/prometheus.nix index 6de294f..5e61e73 100644 --- a/modules/nixos/prometheus.nix +++ b/modules/nixos/prometheus.nix @@ -1,5 +1,6 @@ { config, + libNginx, lib, ... }: @@ -28,7 +29,7 @@ in { upstreams.prometheus.servers."127.0.0.1:${toString cfg.port}" = {}; virtualHosts.${domain} = { locations."/".proxyPass = "http://prometheus"; - extraConfig = nginxInternalOnly; + extraConfig = libNginx.config.internalOnly; }; }; diff --git a/modules/nixos/radarr.nix b/modules/nixos/radarr.nix index 1551934..72abfac 100644 --- a/modules/nixos/radarr.nix +++ b/modules/nixos/radarr.nix @@ -1,6 +1,7 @@ { config, lib, + libNginx, ... }: with lib; let @@ -24,7 +25,7 @@ in { upstreams.radarr.servers."127.0.0.1:7878" = {}; virtualHosts.${cfg.domain} = { locations."/".proxyPass = "http://radarr"; - extraConfig = nginxInternalOnly; + extraConfig = libNginx.config.internalOnly; }; }; diff --git a/modules/nixos/radicale.nix b/modules/nixos/radicale.nix index d072899..3c6a230 100644 --- a/modules/nixos/radicale.nix +++ b/modules/nixos/radicale.nix @@ -1,4 +1,5 @@ { + libNginx, config, inputs, lib, @@ -34,7 +35,7 @@ in { upstreams.radicale.servers."127.0.0.1:${toString port}" = {}; virtualHosts.${cfg.domain} = { locations."/".proxyPass = "http://radicale"; - extraConfig = nginxInternalOnly; + extraConfig = libNginx.config.internalOnly; }; }; diff --git a/modules/nixos/rss-bridge.nix b/modules/nixos/rss-bridge.nix index 1fcaac8..486f2bf 100644 --- a/modules/nixos/rss-bridge.nix +++ b/modules/nixos/rss-bridge.nix @@ -1,6 +1,7 @@ { config, lib, + libNginx, ... }: with lib; let @@ -21,7 +22,7 @@ in { nixfiles.modules.nginx = { enable = true; - virtualHosts.${cfg.domain}.extraConfig = nginxInternalOnly; + virtualHosts.${cfg.domain}.extraConfig = libNginx.config.internalOnly; }; services.rss-bridge = { diff --git a/modules/nixos/rtorrent.nix b/modules/nixos/rtorrent.nix index a4cade7..5d2dba5 100644 --- a/modules/nixos/rtorrent.nix +++ b/modules/nixos/rtorrent.nix @@ -1,6 +1,7 @@ { config, lib, + libNginx, pkgs, ... }: @@ -225,13 +226,10 @@ in { "/".tryFiles = "$uri /index.html"; "/api" = { proxyPass = "http://flood"; - extraConfig = '' - proxy_buffering off; - proxy_cache off; - ''; + extraConfig = libNginx.config.noProxyBuffering; }; }; - extraConfig = nginxInternalOnly; + extraConfig = libNginx.config.internalOnly; }; }; diff --git a/modules/nixos/searx.nix b/modules/nixos/searx.nix index 9462d5d..5c37f58 100644 --- a/modules/nixos/searx.nix +++ b/modules/nixos/searx.nix @@ -2,6 +2,7 @@ config, inputs, lib, + libNginx, ... }: with lib; let @@ -35,7 +36,7 @@ in { upstreams.searx.servers."127.0.0.1:${toString cfg.port}" = {}; virtualHosts.${cfg.domain} = { locations."/".proxyPass = "http://searx"; - extraConfig = nginxInternalOnly; + extraConfig = libNginx.config.internalOnly; }; }; diff --git a/modules/nixos/sonarr.nix b/modules/nixos/sonarr.nix index 2d2feb9..5cd8931 100644 --- a/modules/nixos/sonarr.nix +++ b/modules/nixos/sonarr.nix @@ -1,6 +1,7 @@ { config, lib, + libNginx, ... }: with lib; let @@ -24,7 +25,7 @@ in { upstreams.sonarr.servers."127.0.0.1:8989" = {}; virtualHosts.${cfg.domain} = { locations."/".proxyPass = "http://sonarr"; - extraConfig = nginxInternalOnly; + extraConfig = libNginx.config.internalOnly; }; }; diff --git a/modules/nixos/syncthing.nix b/modules/nixos/syncthing.nix index 8815f98..755e2db 100644 --- a/modules/nixos/syncthing.nix +++ b/modules/nixos/syncthing.nix @@ -1,5 +1,6 @@ { config, + libNginx, inputs, lib, this, @@ -137,7 +138,7 @@ in { upstreams.syncthing.servers.${config.services.syncthing.guiAddress} = {}; virtualHosts.${cfg.domain} = { locations."/".proxyPass = "http://syncthing"; - extraConfig = nginxInternalOnly; + extraConfig = libNginx.config.internalOnly; }; }; }) diff --git a/modules/nixos/victoriametrics.nix b/modules/nixos/victoriametrics.nix index 509ee17..89d3ddb 100644 --- a/modules/nixos/victoriametrics.nix +++ b/modules/nixos/victoriametrics.nix @@ -1,5 +1,6 @@ { config, + libNginx, lib, ... }: @@ -28,7 +29,7 @@ in { upstreams.victoriametrics.servers."127.0.0.1:${toString cfg.port}" = {}; virtualHosts.${domain} = { locations."/".proxyPass = "http://victoriametrics"; - extraConfig = nginxInternalOnly; + extraConfig = libNginx.config.internalOnly; }; }; |