tux/nix-config
1
0
Fork 0
mirror of https://github.com/tuxdotrs/nix-config.git synced 2026-05-07 02:16:33 +05:30
Code Issues Actions Packages Projects Releases Wiki Activity

start fresh rewrite

Browse Source
This commit is contained in:
tux
2026-05-02 14:47:06 +05:30
parent 31d65fafa8
commit a62346367f
208 changed files with 0 additions and 10017 deletions
Download Patch File Download Diff File Expand all files Collapse all files

70
modules/nixos/desktop/awesome/default.nix
View File

@@ -1,70 +0,0 @@
{
lib,
pkgs,
...
}: {
services = {
displayManager = {
defaultSession = "none+awesome";
ly = {
enable = true;
settings = {
session_log = "null";
};
};
};
xserver = {
enable = true;
windowManager.awesome = {
enable = true;
luaModules = lib.attrValues {
inherit
(pkgs.luajitPackages)
lgi
ldbus
luadbi-mysql
luaposix
dkjson
;
};
};
};
acpid.enable = true;
picom.enable = true;
upower.enable = true;
blueman.enable = true;
};
programs.dconf.enable = true;
environment.systemPackages = with pkgs; [
luajit
acpi
linuxKernel.packages.linux_zen.acpi_call
lxappearance
inotify-tools
polkit_gnome
xdotool
xclip
xbacklight
gpick
alsa-utils
pavucontrol
brightnessctl
libnotify
feh
maim
mpdris2
python311Packages.mutagen
xdg-utils
playerctl
pulsemixer
easyeffects
procps
sct
slop
sddm-sugar-dark
];
}

55
modules/nixos/desktop/default.nix
View File

@@ -1,55 +0,0 @@
{pkgs, ...}: {
services = {
displayManager = {
defaultSession = "none+awesome";
ly = {
enable = true;
settings = {
session_log = "null";
};
};
};
acpid.enable = true;
picom.enable = true;
upower.enable = true;
blueman.enable = true;
};
programs.dconf.enable = true;
xdg.mime = {
enable = true;
defaultApplications = {
"application/pdf" = ["brave-browser.desktop"];
"text/html" = ["brave-browser.desktop"];
"x-scheme-handler/http" = ["brave-browser.desktop"];
"x-scheme-handler/https" = ["brave-browser.desktop"];
"x-scheme-handler/about" = ["brave-browser.desktop"];
"x-scheme-handler/unknown" = ["brave-browser.desktop"];
};
};
environment.systemPackages = with pkgs; [
acpi
linuxKernel.packages.linux_zen.acpi_call
inotify-tools
polkit_gnome
xdotool
xclip
xbacklight
gpick
alsa-utils
pavucontrol
brightnessctl
libnotify
feh
maim
mpdris2
xdg-utils
playerctl
pulsemixer
easyeffects
procps
];
}

28
modules/nixos/desktop/hyprland/default.nix
View File

@@ -1,28 +0,0 @@
{pkgs, ...}: {
programs.hyprland = {
enable = true;
package = pkgs.hyprland-git.hyprland;
portalPackage = pkgs.hyprland-git.xdg-desktop-portal-hyprland;
};
environment.systemPackages = [
(pkgs.writeShellScriptBin "mirror-display" ''
hyprctl keyword monitor "eDP-1,2560x1440@90,0x0,1" \
&& hyprctl keyword monitor "HDMI-A-1,preferred,0x0,1,mirror,eDP-1" \
&& ags quit \
&& ${pkgs.tpanel}/bin/tpanel &
'')
(pkgs.writeShellScriptBin "extend-display" ''
hyprctl keyword monitor "eDP-1,2560x1440@90,0x0,1" \
&& hyprctl keyword monitor "HDMI-A-1,preferred,0x-1440,1" \
&& ags quit \
&& ${pkgs.tpanel}/bin/tpanel &
'')
(pkgs.writeShellScriptBin "dock-display" ''
hyprctl keyword monitor "eDP-1,disable" \
&& hyprctl keyword monitor "HDMI-A-1,preferred,0x0,1" \
&& ags quit \
&& ${pkgs.tpanel}/bin/tpanel &
'')
];
}

26
modules/nixos/desktop/mango/default.nix
View File

@@ -1,26 +0,0 @@
{
inputs,
pkgs,
lib,
...
}: {
imports = [
inputs.mango.nixosModules.mango
];
programs.mango.enable = true;
xdg.portal = {
enable = lib.mkDefault true;
extraPortals = with pkgs; [
hyprland-git.xdg-desktop-portal-hyprland
xdg-desktop-portal-wlr
xdg-desktop-portal-gtk
];
config.mango = {
default = lib.mkForce ["hyprland" "gtk"];
"org.freedesktop.impl.portal.ScreenCast" = lib.mkForce ["hyprland"];
"org.freedesktop.impl.portal.ScreenShot" = lib.mkForce ["hyprland"];
};
};
}

112
modules/nixos/distrobox.nix
View File

@@ -1,112 +0,0 @@
{
config,
pkgs,
lib,
...
}:
with lib; let
cfg = config.tux.packages.distrobox;
in {
options.tux.packages.distrobox = {
enable = mkEnableOption "Enable DistroBox";
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [
distrobox
(writeShellScriptBin "dbox-create" ''
#!/usr/bin/env bash
# 1. Initialize variables
IMAGE=""
NAME=""
# Array to hold optional arguments (like volumes)
declare -a EXTRA_ARGS
# 2. Parse arguments
while [[ $# -gt 0 ]]; do
case $1 in
-i|--image)
IMAGE="$2"
shift 2
;;
-n|--name)
NAME="$2"
shift 2
;;
-p|--profile)
echo ":: Profile mode enabled: Mounting Nix store and user profiles (Read-Only)"
# Add volume flags to the array
EXTRA_ARGS+=( "--volume" "/nix/store:/nix/store:ro" )
EXTRA_ARGS+=( "--volume" "/etc/profiles/per-user:/etc/profiles/per-user:ro" )
EXTRA_ARGS+=( "--volume" "/etc/static/profiles/per-user:/etc/static/profiles/per-user:ro" )
shift 1
;;
*)
echo "Unknown option $1"
exit 1
;;
esac
done
if [ -z "$IMAGE" ] || [ -z "$NAME" ]; then
echo "Usage: dbox-create -i <image> -n <name> [-p]"
exit 1
fi
# 3. Define the custom home path
CUSTOM_HOME="$HOME/Distrobox/$NAME"
echo "------------------------------------------------"
echo "Creating Distrobox: $NAME"
echo "Location: $CUSTOM_HOME"
echo "------------------------------------------------"
# 4. Run Distrobox Create
# We expand "''${EXTRA_ARGS[@]}" to properly pass the volume arguments
${pkgs.distrobox}/bin/distrobox create \
--image "$IMAGE" \
--name "$NAME" \
--home "$CUSTOM_HOME" \
"''${EXTRA_ARGS[@]}"
# Check exit code
if [ $? -ne 0 ]; then
echo "Error: Distrobox creation failed."
exit 1
fi
# 5. Post-Creation: Symlink Config Files
echo "--> Linking configurations to $NAME..."
# Helper function to symlink
link_config() {
SRC="$1"
DEST="$2"
DEST_DIR=$(dirname "$DEST")
# Create parent directory if it doesn't exist
mkdir -p "$DEST_DIR"
if [ -e "$SRC" ]; then
# ln -sf: symbolic link, force overwrite
ln -sf "$SRC" "$DEST"
echo " [LINK] $DEST -> $SRC"
else
echo " [SKIP] $SRC not found on host"
fi
}
# Create Symlinks
link_config "$HOME/.zshrc" "$CUSTOM_HOME/.zshrc"
link_config "$HOME/.zshenv" "$CUSTOM_HOME/.zshenv"
link_config "$HOME/.config/fastfetch" "$CUSTOM_HOME/.config/fastfetch"
link_config "$HOME/.config/starship.toml" "$CUSTOM_HOME/.config/starship.toml"
echo "--> Done! Enter via: distrobox enter $NAME"
'')
];
};
}

32
modules/nixos/fail2ban.nix
View File

@@ -1,32 +0,0 @@
{config, ...}: let
isFirewallEnabled = config.networking.firewall.enable;
in {
services.fail2ban = {
enable = isFirewallEnabled;
maxretry = 5;
banaction = "iptables-multiport[blocktype=DROP]";
ignoreIP = [
"127.0.0.0/8"
"10.0.0.0/8"
"192.168.0.0/16"
];
bantime = "24h";
bantime-increment = {
enable = true;
rndtime = "12m";
overalljails = true;
multipliers = "4 8 16 32 64 128 256 512 1024 2048";
maxtime = "192h";
};
jails = {
sshd.settings = {
enabled = true;
port = toString config.services.openssh.ports;
mode = "aggressive";
filter = "sshd";
};
};
};
}

69
modules/nixos/networking/ssh.nix
View File

@@ -1,69 +0,0 @@
{
config,
lib,
...
}:
with lib; let
cfg = config.tux.services.openssh;
# Sops needs acess to the keys before the persist dirs are even mounted; so
# just persisting the keys won't work, we must point at /persist
hasOptinPersistence = config.environment.persistence."/persist".enable;
in {
options.tux.services.openssh = {
enable = mkEnableOption "Enable OpenSSH server";
ports = mkOption {
type = types.listOf types.port;
default = [22];
description = ''
Specifies on which ports the SSH daemon listens.
'';
};
};
config = mkIf cfg.enable {
services.openssh = {
enable = true;
startWhenNeeded = true;
allowSFTP = true;
ports = cfg.ports;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
AuthenticationMethods = "publickey";
PubkeyAuthentication = "yes";
ChallengeResponseAuthentication = "no";
UsePAM = false;
UseDns = false;
X11Forwarding = false;
KexAlgorithms = [
"curve25519-sha256"
"curve25519-sha256@libssh.org"
"diffie-hellman-group16-sha512"
"diffie-hellman-group18-sha512"
"sntrup761x25519-sha512@openssh.com"
"diffie-hellman-group-exchange-sha256"
"mlkem768x25519-sha256"
"sntrup761x25519-sha512"
];
Macs = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
];
ClientAliveCountMax = 5;
ClientAliveInterval = 60;
};
hostKeys = [
{
path = "${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
];
};
};
}

7
modules/nixos/obs-studio.nix
View File

@@ -1,7 +0,0 @@
{pkgs, ...}: {
programs.obs-studio = {
enable = true;
enableVirtualCamera = true;
plugins = with pkgs.obs-studio-plugins; [obs-vaapi wlrobs obs-source-record];
};
}

8
modules/nixos/selfhosted/adguard.nix
View File

@@ -1,8 +0,0 @@
{...}: {
services = {
adguardhome = {
enable = true;
openFirewall = true;
};
};
}

61
modules/nixos/selfhosted/containers/aiostreams.nix
View File

@@ -1,61 +0,0 @@
{
config,
lib,
...
}:
with lib; let
cfg = config.tux.containers.aiostreams;
in {
options.tux.containers.aiostreams = {
enable = mkEnableOption "Enable AIOStreams";
port = mkOption {
type = types.int;
default = 3000;
};
dataDir = mkOption {
type = types.path;
default = "/var/lib/aiostreams";
description = "Directory to store persistent AIOStreams data";
};
environment = mkOption {
type = with types; attrsOf str;
default = {};
};
environmentFiles = mkOption {
type = with types; listOf path;
default = [];
};
};
config = mkIf cfg.enable {
virtualisation.oci-containers.containers.aiostreams = {
autoStart = true;
image = "ghcr.io/viren070/aiostreams:latest";
ports = [
"${toString cfg.port}:3000"
];
environment = cfg.environment;
environmentFiles = cfg.environmentFiles;
volumes = [
"${cfg.dataDir}:/app/data"
];
};
services.nginx.virtualHosts = {
"${cfg.environment.ADDON_ID}" = {
forceSSL = true;
useACMEHost = "tux.rs";
locations = {
"/" = {
proxyPass = "http://localhost:${toString cfg.port}";
};
};
};
};
};
}

61
modules/nixos/selfhosted/containers/cs2.nix
View File

@@ -1,61 +0,0 @@
{config, ...}: {
virtualisation.oci-containers.containers.cs2-server = {
image = "joedwards32/cs2";
environmentFiles = [
config.sops.secrets."cs2_secrets/SRCDS_TOKEN".path
config.sops.secrets."cs2_secrets/CS2_RCONPW".path
config.sops.secrets."cs2_secrets/CS2_PW".path
];
environment = {
# Server configuration
STEAMAPPVALIDATE = "0";
CS2_SERVERNAME = "tux's CS-2 Server";
CS2_CHEATS = "0";
CS2_PORT = "27015";
CS2_SERVER_HIBERNATE = "1";
CS2_RCON_PORT = "";
CS2_LAN = "0";
CS2_MAXPLAYERS = "10";
CS2_ADDITIONAL_ARGS = "";
CS2_CFG_URL = "";
# Game modes
CS2_GAMEALIAS = "competitive";
CS2_GAMETYPE = "0";
CS2_GAMEMODE = "1";
CS2_MAPGROUP = "mg_active";
CS2_STARTMAP = "de_mirage";
# Workshop Maps
CS2_HOST_WORKSHOP_COLLECTION = "";
CS2_HOST_WORKSHOP_MAP = "";
# Bots
CS2_BOT_DIFFICULTY = "3";
CS2_BOT_QUOTA = "";
CS2_BOT_QUOTA_MODE = "";
# TV
TV_AUTORECORD = "0";
TV_ENABLE = "0";
TV_PORT = "27020";
TV_PW = "changeme";
TV_RELAY_PW = "changeme";
TV_MAXRATE = "0";
TV_DELAY = "0";
# Logs
CS2_LOG = "on";
CS2_LOG_MONEY = "0";
CS2_LOG_DETAIL = "0";
CS2_LOG_ITEMS = "0";
};
volumes = [
"cs2:/home/steam/cs2-dedicated"
];
ports = [
"27015:27015/tcp"
"27015:27015/udp"
"27020:27020/udp"
];
extraOptions = [
"--interactive"
];
};
}

86
modules/nixos/selfhosted/cyber-tux.nix
View File

@@ -1,86 +0,0 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.tux.services.cyber-tux;
in {
options.tux.services.cyber-tux = {
enable = mkEnableOption "Enable CyberTux Discord bot";
user = mkOption {
type = types.str;
default = "cyber-tux";
description = "User under which the CyberTux service runs.";
};
group = mkOption {
type = types.str;
default = "cyber-tux";
description = "Group under which the CyberTux service runs.";
};
environmentFile = mkOption {
type = types.path;
description = "Environment file containing DISCORD_TOKEN";
};
};
config = mkIf cfg.enable {
systemd.services = {
cyber-tux = {
description = "A discord bot for my server";
after = ["network.target"];
wantedBy = ["multi-user.target"];
serviceConfig = {
Type = "simple";
User = "cyber-tux";
Group = "cyber-tux";
EnvironmentFile = cfg.environmentFile;
ExecStart = getExe pkgs.cyber-tux;
Restart = "always";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateIPC = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RestrictNamespaces = "uts ipc pid user cgroup";
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = ["@system-service"];
UMask = "0077";
};
};
};
# Ensure the user and group exist
users.users = mkIf (cfg.user == "cyber-tux") {
${cfg.user} = {
isSystemUser = true;
group = cfg.group;
description = "CyberTux service user";
home = "/var/lib/cyber-tux";
createHome = true;
};
};
users.groups = mkIf (cfg.group == "cyber-tux") {
${cfg.group} = {};
};
};
}

29
modules/nixos/selfhosted/gitea.nix
View File

@@ -1,29 +0,0 @@
{lib, ...}: {
services = {
gitea = {
enable = true;
settings = {
service.DISABLE_REGISTRATION = true;
server = {
DOMAIN = "git.tux.rs";
ROOT_URL = "https://git.tux.rs";
};
};
};
nginx = {
enable = lib.mkForce true;
virtualHosts = {
"git.tux.rs" = {
forceSSL = true;
useACMEHost = "tux.rs";
locations = {
"/" = {
proxyPass = "http://localhost:3000";
};
};
};
};
};
};
}

43
modules/nixos/selfhosted/glance/default.nix
View File

@@ -1,43 +0,0 @@
{
username,
lib,
config,
...
}: let
home = import ./home.nix;
in {
services = {
glance = {
enable = true;
openFirewall = true;
settings = {
server = {
host = "0.0.0.0";
port = 5678;
};
branding = {
custom-footer = "<p><a href='https://tux.rs'>${username}</a></p>";
};
pages = [
home.page
];
};
};
nginx = {
enable = lib.mkForce true;
virtualHosts = {
"home.tux.rs" = {
forceSSL = true;
useACMEHost = "tux.rs";
locations = {
"/" = {
proxyPass = "http://${config.services.glance.settings.server.host}:${toString config.services.glance.settings.server.port}";
proxyWebsockets = true;
};
};
};
};
};
};
}

86
modules/nixos/selfhosted/glance/home.nix
View File

@@ -1,86 +0,0 @@
{
page = {
name = "Dashboard - tux";
width = "slim";
hide-desktop-navigation = true;
center-vertically = true;
columns = [
{
size = "full";
widgets = [
{
type = "search";
autofocus = true;
}
{
type = "markets";
markets = [
{
symbol = "BTC-USD";
name = "Bitcoin";
chart-link = "https://www.tradingview.com/chart/?symbol=INDEX:BTCUSD";
}
{
symbol = "ETH-USD";
name = "Ethereum";
chart-link = "https://www.tradingview.com/chart/?symbol=INDEX:ETHUSD";
}
{
symbol = "SOL-USD";
name = "Solana";
chart-link = "https://www.tradingview.com/chart/?symbol=INDEX:SOLUSD";
}
];
}
{
type = "monitor";
cache = "1m";
title = "Services";
sites = [
{
title = "Gitea";
url = "https://git.tux.rs";
icon = "si:gitea";
}
{
title = "Vaultwarden";
url = "https://bw.tux.rs";
icon = "si:vaultwarden";
}
{
title = "Ntfy";
url = "https://ntfy.tux.rs";
icon = "si:ntfy";
}
{
title = "Grafana";
url = "https://grafana.tux.rs";
icon = "si:grafana";
}
{
title = "SearXNG";
url = "https://sx.tux.rs";
icon = "si:searxng";
}
{
title = "Wakapi";
url = "https://wakapi.tux.rs";
icon = "si:wakatime";
}
];
}
{
type = "reddit";
subreddit = "selfhosted";
style = "horizontal-cards";
}
{
type = "reddit";
subreddit = "homelab";
style = "horizontal-cards";
}
];
}
];
};
}

65
modules/nixos/selfhosted/headscale.nix
View File

@@ -1,65 +0,0 @@
{
config,
pkgs,
lib,
email,
...
}: {
security = {
acme = {
defaults.email = "${email}";
acceptTerms = true;
};
};
services = {
headscale = {
enable = true;
port = 8080;
address = "0.0.0.0";
settings = {
dns = {
base_domain = "hs.tux.rs";
search_domains = ["tux.rs"];
magic_dns = true;
nameservers.global = [
"9.9.9.9"
];
};
# server_url = "https://hs.tux.rs:443";
metrics_listen_addr = "0.0.0.0:8095";
logtail = {
enabled = false;
};
log = {
level = "warn";
};
ip_prefixes = [
"100.64.0.0/10"
"fd7a:115c:a1e0::/48"
];
};
};
nginx = {
enable = lib.mkForce true;
virtualHosts = {
"hs.tux.rs" = {
forceSSL = true;
useACMEHost = "tux.rs";
locations = {
"/" = {
proxyPass = "http://localhost:${toString config.services.headscale.port}";
proxyWebsockets = true;
};
"/metrics" = {
proxyPass = "http://${config.services.headscale.settings.metrics_listen_addr}/metrics";
};
};
};
};
};
};
environment.systemPackages = with pkgs; [headscale];
}

24
modules/nixos/selfhosted/kasmweb.nix
View File

@@ -1,24 +0,0 @@
{lib, ...}: {
services = {
kasmweb = {
enable = true;
listenPort = 8843;
};
nginx = {
enable = lib.mkForce true;
virtualHosts = {
"kasm.tux.rs" = {
forceSSL = true;
useACMEHost = "tux.rs";
locations = {
"/" = {
proxyPass = "https://127.0.0.1:8843";
proxyWebsockets = true;
};
};
};
};
};
};
}

45
modules/nixos/selfhosted/monitoring/grafana.nix
View File

@@ -1,45 +0,0 @@
{
lib,
username,
email,
...
}: {
services = {
grafana = {
enable = true;
settings = {
server.http_port = 8888;
security = {
admin_user = "${username}";
admin_email = "${email}";
};
};
};
nginx = {
enable = lib.mkForce true;
virtualHosts = {
"grafana.tux.rs" = {
forceSSL = true;
useACMEHost = "tux.rs";
locations = {
"/" = {
proxyPass = "http://localhost:8888";
proxyWebsockets = true;
};
"/api/live/" = {
proxyPass = "http://localhost:8888";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
'';
};
};
};
};
};
};
}

77
modules/nixos/selfhosted/monitoring/loki.nix
View File

@@ -1,77 +0,0 @@
{lib, ...}: {
services = {
loki = {
enable = true;
configuration = {
auth_enabled = false;
server = {
http_listen_port = 3100;
};
common = {
ring = {
instance_addr = "127.0.0.1";
kvstore = {
store = "inmemory";
};
};
replication_factor = 1;
path_prefix = "/tmp/loki";
};
schema_config = {
configs = [
{
from = "2020-05-15";
store = "tsdb";
object_store = "filesystem";
schema = "v13";
index = {
prefix = "index_";
period = "24h";
};
}
];
};
storage_config = {
filesystem = {
directory = "/tmp/loki/chunks";
};
};
};
};
nginx = {
enable = lib.mkForce true;
virtualHosts = {
"loki.tux.rs" = {
forceSSL = true;
useACMEHost = "tux.rs";
locations = {
"/" = {
proxyPass = "http://localhost:3100";
extraConfig = ''
proxy_http_version 1.1;
proxy_read_timeout 1800s;
proxy_connect_timeout 1600s;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Connection "Keep-Alive";
proxy_set_header Proxy-Connection "Keep-Alive";
proxy_redirect off;
'';
};
"/ready" = {
proxyPass = "http://localhost:3100";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Connection "Keep-Alive";
proxy_set_header Proxy-Connection "Keep-Alive";
proxy_redirect off;
'';
};
};
};
};
};
};
}

55
modules/nixos/selfhosted/monitoring/promtail.nix
View File

@@ -1,55 +0,0 @@
{lib, ...}: {
services = {
promtail = {
enable = true;
configuration = {
server = {
http_listen_port = 9080;
grpc_listen_port = 0;
};
positions = {
filename = "/var/lib/promtail/positions.yaml";
};
clients = [
{
url = "https://loki.tux.rs/loki/api/v1/push";
}
];
scrape_configs = [
{
job_name = "journal";
journal = {
max_age = "12h";
labels = {
job = "systemd-journal";
};
};
relabel_configs = [
{
source_labels = [
"__journal__systemd_unit"
];
target_label = "unit";
}
];
}
];
};
};
nginx = {
enable = lib.mkForce true;
virtualHosts = {
"promtail.tux.rs" = {
forceSSL = true;
useACMEHost = "tux.rs";
locations = {
"/" = {
proxyPass = "http://localhost:9080";
};
};
};
};
};
};
}

50
modules/nixos/selfhosted/nextcloud.nix
View File

@@ -1,50 +0,0 @@
{
config,
pkgs,
lib,
username,
...
}: {
services = {
nginx = {
enable = lib.mkForce true;
virtualHosts = {
"cloud.tux.rs" = {
forceSSL = true;
useACMEHost = "tux.rs";
};
};
};
nextcloud = {
enable = true;
hostName = "cloud.tux.rs";
package = pkgs.nextcloud32;
database.createLocally = true;
configureRedis = true;
maxUploadSize = "16G";
https = true;
autoUpdateApps.enable = true;
extraAppsEnable = true;
extraApps = with config.services.nextcloud.package.packages.apps; {
inherit mail spreed;
};
config = {
dbtype = "sqlite";
adminuser = "${username}";
adminpassFile = config.sops.secrets.nextcloud_password.path;
};
settings = {
overwriteProtocol = "https";
default_phone_region = "IN";
};
};
};
environment.systemPackages = with pkgs; [
nextcloud32
];
}

28
modules/nixos/selfhosted/ntfy-sh.nix
View File

@@ -1,28 +0,0 @@
{lib, ...}: {
services = {
ntfy-sh = {
enable = true;
settings = {
listen-http = ":7070";
base-url = "https://ntfy.tux.rs";
behind-proxy = true;
};
};
nginx = {
enable = lib.mkForce true;
virtualHosts = {
"ntfy.tux.rs" = {
forceSSL = true;
useACMEHost = "tux.rs";
locations = {
"/" = {
proxyPass = "http://localhost:7070";
proxyWebsockets = true;
};
};
};
};
};
};
}

35
modules/nixos/selfhosted/open-webui.nix
View File

@@ -1,35 +0,0 @@
{
lib,
config,
...
}: {
services = {
open-webui = {
enable = true;
openFirewall = true;
host = "0.0.0.0";
port = 1111;
environment = {
WEBUI_URL = "https://chat.tux.rs";
ENABLE_OLLAMA_API = "True";
OLLAMA_BASE_URL = "http://pc:11434";
};
};
nginx = {
enable = lib.mkForce true;
virtualHosts = {
"chat.tux.rs" = {
forceSSL = true;
useACMEHost = "tux.rs";
locations = {
"/" = {
proxyPass = "http://${config.services.open-webui.host}:${toString config.services.open-webui.port}";
proxyWebsockets = true;
};
};
};
};
};
};
}

39
modules/nixos/selfhosted/plausible.nix
View File

@@ -1,39 +0,0 @@
{
config,
lib,
...
}: {
services = {
plausible = {
enable = true;
server = {
baseUrl = "https://plausible.tux.rs";
port = 2100;
disableRegistration = true;
secretKeybaseFile = config.sops.secrets.plausible_key.path;
};
database.postgres = {
dbname = "plausible";
socket = "/run/postgresql";
};
};
nginx = {
enable = lib.mkForce true;
virtualHosts = {
"plausible.tux.rs" = {
forceSSL = true;
useACMEHost = "tux.rs";
locations = {
"/" = {
proxyPass = "http://localhost:2100";
proxyWebsockets = true;
};
};
};
};
};
};
}

97
modules/nixos/selfhosted/postgresql.nix
View File

@@ -1,97 +0,0 @@
{
lib,
pkgs,
...
}: {
services.postgresql = {
enable = true;
package = pkgs.postgresql_16;
ensureDatabases = [
"plausible"
"wakapi"
];
ensureUsers = [
{
name = "postgres";
ensureClauses = {
superuser = true;
login = true;
createrole = true;
createdb = true;
replication = true;
};
}
{
name = "plausible";
ensureDBOwnership = true;
}
{
name = "wakapi";
ensureDBOwnership = true;
}
];
checkConfig = true;
enableTCPIP = false;
settings = {
max_connections = 100;
superuser_reserved_connections = 3;
shared_buffers = "1024 MB";
work_mem = "32 MB";
maintenance_work_mem = "320 MB";
huge_pages = "off";
effective_cache_size = "3 GB";
effective_io_concurrency = 100;
random_page_cost = 1.25;
shared_preload_libraries = "pg_stat_statements";
track_io_timing = "on";
track_functions = "pl";
wal_level = "replica";
max_wal_senders = 0;
synchronous_commit = "on";
checkpoint_timeout = "15 min";
checkpoint_completion_target = 0.9;
max_wal_size = "1024 MB";
min_wal_size = "512 MB";
wal_compression = "on";
wal_buffers = -1;
wal_writer_delay = "200ms";
wal_writer_flush_after = "1MB";
bgwriter_delay = "200ms";
bgwriter_lru_maxpages = 100;
bgwriter_lru_multiplier = 2.0;
bgwriter_flush_after = 0;
max_worker_processes = 3;
max_parallel_workers_per_gather = 2;
max_parallel_maintenance_workers = 2;
max_parallel_workers = 3;
parallel_leader_participation = "on";
enable_partitionwise_join = "on";
enable_partitionwise_aggregate = "on";
jit = "on";
jit_above_cost = 100000;
jit_inline_above_cost = 150000;
jit_optimize_above_cost = 500000;
log_min_duration_statement = 100;
"auto_explain.log_min_duration" = 100;
log_connections = true;
log_statement = "all";
logging_collector = true;
log_disconnections = true;
log_destination = lib.mkForce "syslog";
};
};
}

9
modules/nixos/selfhosted/rustdesk-server.nix
View File

@@ -1,9 +0,0 @@
{...}: {
services = {
rustdesk-server = {
enable = true;
openFirewall = true;
signal.relayHosts = ["156.67.105.203"];
};
};
}

43
modules/nixos/selfhosted/searx.nix
View File

@@ -1,43 +0,0 @@
{
pkgs,
lib,
config,
...
}: {
services = {
searx = {
enable = true;
package = pkgs.searxng;
environmentFile = config.sops.secrets.searx_secret_key.path;
settings = {
general = {
instance_name = "SearXNG";
};
server = {
bind_address = "0.0.0.0";
port = 3415;
base_url = "https://sx.tux.rs";
secret_key = "@secret_key@";
};
search = {
autocomplete = "google";
};
};
};
nginx = {
enable = lib.mkForce true;
virtualHosts = {
"sx.tux.rs" = {
forceSSL = true;
useACMEHost = "tux.rs";
locations = {
"/" = {
proxyPass = "http://localhost:3415";
};
};
};
};
};
};
}

33
modules/nixos/selfhosted/send.nix
View File

@@ -1,33 +0,0 @@
{
lib,
config,
...
}: {
services = {
send = {
enable = true;
port = 1443;
environment = {
DEFAULT_DOWNLOADS = 5;
DETECT_BASE_URL = true;
};
};
nginx = {
enable = lib.mkForce true;
virtualHosts = {
"share.tux.rs" = {
forceSSL = true;
useACMEHost = "tux.rs";
locations = {
"/" = {
proxyPass = "http://${config.services.send.host}:${toString config.services.send.port}";
proxyWebsockets = true;
};
};
};
};
};
};
}

28
modules/nixos/selfhosted/silver-bullet.nix
View File

@@ -1,28 +0,0 @@
{
lib,
config,
...
}: {
services = {
silverbullet = {
enable = true;
listenPort = 9876;
envFile = config.sops.secrets.silver_bullet.path;
};
nginx = {
enable = lib.mkForce true;
virtualHosts = {
"notes.tux.rs" = {
forceSSL = true;
useACMEHost = "tux.rs";
locations = {
"/" = {
proxyPass = "http://localhost:9876";
};
};
};
};
};
};
}

102
modules/nixos/selfhosted/tfolio.nix
View File

@@ -1,102 +0,0 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.tux.services.tfolio;
in {
options.tux.services.tfolio = {
enable = mkEnableOption "Enable tfolio";
host = mkOption {
type = lib.types.str;
default = "0.0.0.0";
description = "IP address or hostname on which the tfolio service will listen.";
};
port = mkOption {
type = lib.types.port;
default = 22;
description = "Port number on which the tfolio service will listen.";
};
dataDir = mkOption {
type = lib.types.str;
default = "/var/lib/tfolio/";
description = "Directory where tfolio will store its data files.";
};
user = mkOption {
type = types.str;
default = "tfolio";
description = "User under which the tfolio service runs.";
};
group = mkOption {
type = types.str;
default = "tfolio";
description = "Group under which the tfolio service runs.";
};
};
config = mkIf cfg.enable {
systemd.services = {
tfolio = {
description = "my portfolio in a ssh session";
after = ["network.target"];
wantedBy = ["multi-user.target"];
serviceConfig = {
Type = "simple";
User = cfg.user;
Group = cfg.group;
ExecStart = "${getExe pkgs.tfolio} -l ${cfg.host} -p ${toString cfg.port} -d ${cfg.dataDir}";
Restart = "always";
StateDirectory = "tfolio";
# Allow binding to privileged ports
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateIPC = true;
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = "read-only";
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "full";
RestrictNamespaces = "uts ipc pid user cgroup";
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = ["@system-service"];
UMask = "0077";
};
};
};
# Ensure the user and group exist
users.users = mkIf (cfg.user == "tfolio") {
${cfg.user} = {
isSystemUser = true;
group = cfg.group;
description = "tfolio service user";
home = "/var/lib/tfolio";
createHome = true;
};
};
users.groups = mkIf (cfg.group == "tfolio") {
${cfg.group} = {};
};
};
}

32
modules/nixos/selfhosted/umami.nix
View File

@@ -1,32 +0,0 @@
{
lib,
config,
...
}: {
services = {
umami = {
enable = true;
settings = {
APP_SECRET_FILE = config.sops.secrets.umami.path;
PORT = 4645;
};
createPostgresqlDatabase = true;
};
nginx = {
enable = lib.mkForce true;
virtualHosts = {
"umami.tux.rs" = {
forceSSL = true;
useACMEHost = "tux.rs";
locations = {
"/" = {
proxyPass = "http://localhost:${toString config.services.umami.settings.PORT}";
proxyWebsockets = true;
};
};
};
};
};
};
}

60
modules/nixos/selfhosted/upstream-proxy.nix
View File

@@ -1,60 +0,0 @@
{
lib,
config,
pkgs,
...
}: let
cfg = config.tux.services.nginxStreamProxy;
upstreamServerType = lib.types.submodule ({config, ...}: {
options = {
address = lib.mkOption {
type = lib.types.str;
description = "IP address or hostname of the upstream server";
};
port = lib.mkOption {
type = lib.types.port;
default = 9999;
description = "Port number of the upstream server";
};
listenPort = lib.mkOption {
type = lib.types.port;
default = config.port;
defaultText = lib.literalExpression "port";
description = "Local port to listen for incoming connections (defaults to port)";
};
};
});
in {
options.tux.services.nginxStreamProxy = {
enable = lib.mkEnableOption "Enable nginx TCP stream proxy";
upstreamServers = lib.mkOption {
type = lib.types.listOf upstreamServerType;
default = [
{
address = "0.0.0.0";
port = 9999;
}
];
description = "List of upstream servers to proxy to, each with its own listen port";
};
};
config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = map (server: server.listenPort) cfg.upstreamServers;
services.nginx = {
enable = lib.mkForce true;
package = pkgs.nginx.override {withStream = true;};
streamConfig =
lib.concatMapStringsSep "\n" (server: ''
server {
listen ${toString server.listenPort};
proxy_pass ${server.address}:${toString server.port};
}
'')
cfg.upstreamServers;
};
};
}

22
modules/nixos/selfhosted/uptime-kuma.nix
View File

@@ -1,22 +0,0 @@
{lib, ...}: {
services = {
uptime-kuma = {
enable = true;
};
nginx = {
enable = lib.mkForce true;
virtualHosts = {
"uptime.tux.rs" = {
forceSSL = true;
useACMEHost = "tux.rs";
locations = {
"/" = {
proxyPass = "http://localhost:3001";
};
};
};
};
};
};
}

29
modules/nixos/selfhosted/vaultwarden.nix
View File

@@ -1,29 +0,0 @@
{lib, ...}: {
services = {
vaultwarden = {
enable = true;
config = {
domain = "https://bw.tux.rs";
enableWebsocket = true;
signupsAllowed = true;
disableIconDownload = true;
};
};
nginx = {
enable = lib.mkForce true;
virtualHosts = {
"bw.tux.rs" = {
forceSSL = true;
useACMEHost = "tux.rs";
locations = {
"/" = {
proxyPass = "http://localhost:8000";
proxyWebsockets = true;
};
};
};
};
};
};
}

50
modules/nixos/selfhosted/wakapi.nix
View File

@@ -1,50 +0,0 @@
{
lib,
config,
...
}: {
services = {
wakapi = {
enable = true;
passwordSaltFile = config.sops.secrets.wakapi_salt.path;
database.createLocally = true;
settings = {
app.avatar_url_template = "https://www.gravatar.com/avatar/{email_hash}.png";
server = {
port = 15999;
public_url = "https://wakapi.tux.rs";
};
db = {
dialect = "postgres";
host = "/run/postgresql";
port = 5432;
name = "wakapi";
user = "wakapi";
};
security = {
allow_signup = false;
disable_frontpage = true;
};
};
};
nginx = {
enable = lib.mkForce true;
virtualHosts = {
"wakapi.tux.rs" = {
forceSSL = true;
useACMEHost = "tux.rs";
locations = {
"/" = {
proxyPass = "http://localhost:15999";
proxyWebsockets = true;
};
};
};
};
};
};
}

7
modules/nixos/steam.nix
View File

@@ -1,7 +0,0 @@
{...}: {
programs.steam = {
enable = true;
};
hardware.graphics.enable32Bit = true;
}

7
modules/nixos/virtualisation/default.nix
View File

@@ -1,7 +0,0 @@
{
imports = [
./docker.nix
./waydroid.nix
./qemu.nix
];
}

14
modules/nixos/virtualisation/docker.nix
View File

@@ -1,14 +0,0 @@
{
username,
pkgs,
...
}: {
virtualisation = {
oci-containers.backend = "docker";
docker.enable = true;
};
environment.systemPackages = with pkgs; [lazydocker];
users.users.${username}.extraGroups = ["docker"];
}

22
modules/nixos/virtualisation/qemu.nix
View File

@@ -1,22 +0,0 @@
{
pkgs,
username,
...
}: {
virtualisation = {
libvirtd = {
enable = true;
qemu = {
swtpm.enable = true;
};
};
spiceUSBRedirection.enable = true;
};
users.users.${username}.extraGroups = ["libvirtd"];
environment.systemPackages = with pkgs; [
virt-manager
virt-viewer
];
}

5
modules/nixos/virtualisation/waydroid.nix
View File

@@ -1,5 +0,0 @@
{...}: {
virtualisation = {
waydroid.enable = true;
};
}