tux/nixos-config
1
0
Fork 0
mirror of https://github.com/tuxdotrs/nixos-config.git synced 2025-07-07 02:06:34 +05:30
Code Issues Actions Packages Projects Releases Wiki Activity

refactor: categorised apps

Browse Source
This commit is contained in:
tux
2025-02-22 15:53:55 +05:30
parent e295b7039f
commit f4bd3b9b77
27 changed files with 22 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
modules/nixos/selfhosted/adguard.nix Normal file
View File

@ -0,0 +1,8 @@
{...}: {
services = {
adguardhome = {
enable = true;
openFirewall = true;
};
};
}

61
modules/nixos/selfhosted/containers/cs2.nix Normal file
View File

@ -0,0 +1,61 @@
{config, ...}: {
virtualisation.oci-containers.containers.cs2-server = {
image = "joedwards32/cs2";
environmentFiles = [
config.sops.secrets."cs2_secrets/SRCDS_TOKEN".path
config.sops.secrets."cs2_secrets/CS2_RCONPW".path
config.sops.secrets."cs2_secrets/CS2_PW".path
];
environment = {
# Server configuration
STEAMAPPVALIDATE = "0";
CS2_SERVERNAME = "tux's CS-2 Server";
CS2_CHEATS = "0";
CS2_PORT = "27015";
CS2_SERVER_HIBERNATE = "1";
CS2_RCON_PORT = "";
CS2_LAN = "0";
CS2_MAXPLAYERS = "10";
CS2_ADDITIONAL_ARGS = "";
CS2_CFG_URL = "";
# Game modes
CS2_GAMEALIAS = "competitive";
CS2_GAMETYPE = "0";
CS2_GAMEMODE = "1";
CS2_MAPGROUP = "mg_active";
CS2_STARTMAP = "de_mirage";
# Workshop Maps
CS2_HOST_WORKSHOP_COLLECTION = "";
CS2_HOST_WORKSHOP_MAP = "";
# Bots
CS2_BOT_DIFFICULTY = "3";
CS2_BOT_QUOTA = "";
CS2_BOT_QUOTA_MODE = "";
# TV
TV_AUTORECORD = "0";
TV_ENABLE = "0";
TV_PORT = "27020";
TV_PW = "changeme";
TV_RELAY_PW = "changeme";
TV_MAXRATE = "0";
TV_DELAY = "0";
# Logs
CS2_LOG = "on";
CS2_LOG_MONEY = "0";
CS2_LOG_DETAIL = "0";
CS2_LOG_ITEMS = "0";
};
volumes = [
"cs2:/home/steam/cs2-dedicated"
];
ports = [
"27015:27015/tcp"
"27015:27015/udp"
"27020:27020/udp"
];
extraOptions = [
"--interactive"
];
};
}

86
modules/nixos/selfhosted/cyber-tux.nix Normal file
View File

@ -0,0 +1,86 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.tux.services.cyber-tux;
in {
options.tux.services.cyber-tux = {
enable = mkEnableOption "Enable CyberTux Discord bot";
user = mkOption {
type = types.str;
default = "cyber-tux";
description = "User under which the CyberTux service runs.";
};
group = mkOption {
type = types.str;
default = "cyber-tux";
description = "Group under which the CyberTux service runs.";
};
environmentFile = mkOption {
type = types.path;
description = "Environment file containing DISCORD_TOKEN";
};
};
config = mkIf cfg.enable {
systemd.services = {
cyber-tux = {
description = "A discord bot for my server";
after = ["network.target"];
wantedBy = ["multi-user.target"];
serviceConfig = {
Type = "simple";
User = "cyber-tux";
Group = "cyber-tux";
EnvironmentFile = cfg.environmentFile;
ExecStart = getExe pkgs.cyber-tux;
Restart = "always";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateIPC = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RestrictNamespaces = "uts ipc pid user cgroup";
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = ["@system-service"];
UMask = "0077";
};
};
};
# Ensure the user and group exist
users.users = mkIf (cfg.user == "cyber-tux") {
${cfg.user} = {
isSystemUser = true;
group = cfg.group;
description = "CyberTux service user";
home = "/var/lib/cyber-tux";
createHome = true;
};
};
users.groups = mkIf (cfg.group == "cyber-tux") {
${cfg.group} = {};
};
};
}

29
modules/nixos/selfhosted/gitea.nix Normal file
View File

@ -0,0 +1,29 @@
{lib, ...}: {
services = {
gitea = {
enable = true;
settings = {
service.DISABLE_REGISTRATION = true;
server = {
DOMAIN = "git.tux.rs";
ROOT_URL = "https://git.tux.rs";
};
};
};
nginx = {
enable = lib.mkForce true;
virtualHosts = {
"git.tux.rs" = {
forceSSL = true;
useACMEHost = "tux.rs";
locations = {
"/" = {
proxyPass = "http://localhost:3000";
};
};
};
};
};
};
}

65
modules/nixos/selfhosted/headscale.nix Normal file
View File

@ -0,0 +1,65 @@
{
config,
pkgs,
lib,
email,
...
}: {
security = {
acme = {
defaults.email = "${email}";
acceptTerms = true;
};
};
services = {
headscale = {
enable = true;
port = 8080;
address = "0.0.0.0";
settings = {
dns = {
base_domain = "hs.tux.rs";
search_domains = ["tux.rs"];
magic_dns = true;
nameservers.global = [
"9.9.9.9"
];
};
# server_url = "https://hs.tux.rs:443";
metrics_listen_addr = "0.0.0.0:8095";
logtail = {
enabled = false;
};
log = {
level = "warn";
};
ip_prefixes = [
"100.64.0.0/10"
"fd7a:115c:a1e0::/48"
];
};
};
nginx = {
enable = lib.mkForce true;
virtualHosts = {
"hs.tux.rs" = {
forceSSL = true;
useACMEHost = "tux.rs";
locations = {
"/" = {
proxyPass = "http://localhost:${toString config.services.headscale.port}";
proxyWebsockets = true;
};
"/metrics" = {
proxyPass = "http://${config.services.headscale.settings.metrics_listen_addr}/metrics";
};
};
};
};
};
};
environment.systemPackages = with pkgs; [headscale];
}

45
modules/nixos/selfhosted/monitoring/grafana.nix Normal file
View File

@ -0,0 +1,45 @@
{
lib,
username,
email,
...
}: {
services = {
grafana = {
enable = true;
settings = {
server.http_port = 8888;
security = {
admin_user = "${username}";
admin_email = "${email}";
};
};
};
nginx = {
enable = lib.mkForce true;
virtualHosts = {
"grafana.tux.rs" = {
forceSSL = true;
useACMEHost = "tux.rs";
locations = {
"/" = {
proxyPass = "http://localhost:8888";
proxyWebsockets = true;
};
"/api/live/" = {
proxyPass = "http://localhost:8888";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
'';
};
};
};
};
};
};
}

77
modules/nixos/selfhosted/monitoring/loki.nix Normal file
View File

@ -0,0 +1,77 @@
{lib, ...}: {
services = {
loki = {
enable = true;
configuration = {
auth_enabled = false;
server = {
http_listen_port = 3100;
};
common = {
ring = {
instance_addr = "127.0.0.1";
kvstore = {
store = "inmemory";
};
};
replication_factor = 1;
path_prefix = "/tmp/loki";
};
schema_config = {
configs = [
{
from = "2020-05-15";
store = "tsdb";
object_store = "filesystem";
schema = "v13";
index = {
prefix = "index_";
period = "24h";
};
}
];
};
storage_config = {
filesystem = {
directory = "/tmp/loki/chunks";
};
};
};
};
nginx = {
enable = lib.mkForce true;
virtualHosts = {
"loki.tux.rs" = {
forceSSL = true;
useACMEHost = "tux.rs";
locations = {
"/" = {
proxyPass = "http://localhost:3100";
extraConfig = ''
proxy_http_version 1.1;
proxy_read_timeout 1800s;
proxy_connect_timeout 1600s;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Connection "Keep-Alive";
proxy_set_header Proxy-Connection "Keep-Alive";
proxy_redirect off;
'';
};
"/ready" = {
proxyPass = "http://localhost:3100";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Connection "Keep-Alive";
proxy_set_header Proxy-Connection "Keep-Alive";
proxy_redirect off;
'';
};
};
};
};
};
};
}

55
modules/nixos/selfhosted/monitoring/promtail.nix Normal file
View File

@ -0,0 +1,55 @@
{lib, ...}: {
services = {
promtail = {
enable = true;
configuration = {
server = {
http_listen_port = 9080;
grpc_listen_port = 0;
};
positions = {
filename = "/var/lib/promtail/positions.yaml";
};
clients = [
{
url = "https://loki.tux.rs/loki/api/v1/push";
}
];
scrape_configs = [
{
job_name = "journal";
journal = {
max_age = "12h";
labels = {
job = "systemd-journal";
};
};
relabel_configs = [
{
source_labels = [
"__journal__systemd_unit"
];
target_label = "unit";
}
];
}
];
};
};
nginx = {
enable = lib.mkForce true;
virtualHosts = {
"promtail.tux.rs" = {
forceSSL = true;
useACMEHost = "tux.rs";
locations = {
"/" = {
proxyPass = "http://localhost:9080";
};
};
};
};
};
};
}

48
modules/nixos/selfhosted/nextcloud.nix Normal file
View File

@ -0,0 +1,48 @@
{
config,
pkgs,
lib,
username,
...
}: {
services = {
nginx = {
enable = lib.mkForce true;
virtualHosts = {
"cloud.tux.rs" = {
forceSSL = true;
useACMEHost = "tux.rs";
};
};
};
nextcloud = {
enable = true;
hostName = "cloud.tux.rs";
package = pkgs.nextcloud30;
database.createLocally = true;
configureRedis = true;
maxUploadSize = "16G";
https = true;
autoUpdateApps.enable = true;
extraAppsEnable = true;
extraApps = with config.services.nextcloud.package.packages.apps; {
inherit mail spreed;
};
config = {
dbtype = "sqlite";
adminuser = "${username}";
adminpassFile = config.sops.secrets.nextcloud_password.path;
};
settings = {
overwriteProtocol = "https";
default_phone_region = "IN";
};
};
};
environment.systemPackages = with pkgs; [nextcloud30];
}

28
modules/nixos/selfhosted/ntfy-sh.nix Normal file
View File

@ -0,0 +1,28 @@
{lib, ...}: {
services = {
ntfy-sh = {
enable = true;
settings = {
listen-http = ":7070";
base-url = "https://ntfy.tux.rs";
behind-proxy = true;
};
};
nginx = {
enable = lib.mkForce true;
virtualHosts = {
"ntfy.tux.rs" = {
forceSSL = true;
useACMEHost = "tux.rs";
locations = {
"/" = {
proxyPass = "http://localhost:7070";
proxyWebsockets = true;
};
};
};
};
};
};
}

11
modules/nixos/selfhosted/open-webui.nix Normal file
View File

@ -0,0 +1,11 @@
{...}: {
services.open-webui = {
enable = true;
openFirewall = true;
host = "0.0.0.0";
environment = {
ENABLE_OLLAMA_API = "True";
OLLAMA_BASE_URL = "http://pc:11434";
};
};
}

39
modules/nixos/selfhosted/plausible.nix Normal file
View File

@ -0,0 +1,39 @@
{
config,
lib,
...
}: {
services = {
plausible = {
enable = true;
server = {
baseUrl = "https://plausible.tux.rs";
port = 2100;
disableRegistration = true;
secretKeybaseFile = config.sops.secrets.plausible_key.path;
};
database.postgres = {
dbname = "plausible";
socket = "/run/postgresql";
};
};
nginx = {
enable = lib.mkForce true;
virtualHosts = {
"plausible.tux.rs" = {
forceSSL = true;
useACMEHost = "tux.rs";
locations = {
"/" = {
proxyPass = "http://localhost:2100";
proxyWebsockets = true;
};
};
};
};
};
};
}

97
modules/nixos/selfhosted/postgresql.nix Normal file
View File

@ -0,0 +1,97 @@
{
lib,
pkgs,
...
}: {
services.postgresql = {
enable = true;
package = pkgs.postgresql_16;
ensureDatabases = [
"plausible"
"wakapi"
];
ensureUsers = [
{
name = "postgres";
ensureClauses = {
superuser = true;
login = true;
createrole = true;
createdb = true;
replication = true;
};
}
{
name = "plausible";
ensureDBOwnership = true;
}
{
name = "wakapi";
ensureDBOwnership = true;
}
];
checkConfig = true;
enableTCPIP = false;
settings = {
max_connections = 100;
superuser_reserved_connections = 3;
shared_buffers = "1024 MB";
work_mem = "32 MB";
maintenance_work_mem = "320 MB";
huge_pages = "off";
effective_cache_size = "3 GB";
effective_io_concurrency = 100;
random_page_cost = 1.25;
shared_preload_libraries = "pg_stat_statements";
track_io_timing = "on";
track_functions = "pl";
wal_level = "replica";
max_wal_senders = 0;
synchronous_commit = "on";
checkpoint_timeout = "15 min";
checkpoint_completion_target = 0.9;
max_wal_size = "1024 MB";
min_wal_size = "512 MB";
wal_compression = "on";
wal_buffers = -1;
wal_writer_delay = "200ms";
wal_writer_flush_after = "1MB";
bgwriter_delay = "200ms";
bgwriter_lru_maxpages = 100;
bgwriter_lru_multiplier = 2.0;
bgwriter_flush_after = 0;
max_worker_processes = 3;
max_parallel_workers_per_gather = 2;
max_parallel_maintenance_workers = 2;
max_parallel_workers = 3;
parallel_leader_participation = "on";
enable_partitionwise_join = "on";
enable_partitionwise_aggregate = "on";
jit = "on";
jit_above_cost = 100000;
jit_inline_above_cost = 150000;
jit_optimize_above_cost = 500000;
log_min_duration_statement = 100;
"auto_explain.log_min_duration" = 100;
log_connections = true;
log_statement = "all";
logging_collector = true;
log_disconnections = true;
log_destination = lib.mkForce "syslog";
};
};
}

9
modules/nixos/selfhosted/rustdesk-server.nix Normal file
View File

@ -0,0 +1,9 @@
{...}: {
services = {
rustdesk-server = {
enable = true;
openFirewall = true;
signal.relayHosts = ["156.67.105.203"];
};
};
}

43
modules/nixos/selfhosted/searx.nix Normal file
View File

@ -0,0 +1,43 @@
{
pkgs,
lib,
config,
...
}: {
services = {
searx = {
enable = true;
package = pkgs.searxng;
environmentFile = config.sops.secrets.searx_secret_key.path;
settings = {
general = {
instance_name = "SearXNG";
};
server = {
bind_address = "0.0.0.0";
port = 3415;
base_url = "https://sx.tux.rs";
secret_key = "@secret_key@";
};
search = {
autocomplete = "google";
};
};
};
nginx = {
enable = lib.mkForce true;
virtualHosts = {
"sx.tux.rs" = {
forceSSL = true;
useACMEHost = "tux.rs";
locations = {
"/" = {
proxyPass = "http://localhost:3415";
};
};
};
};
};
};
}

28
modules/nixos/selfhosted/silver-bullet.nix Normal file
View File

@ -0,0 +1,28 @@
{
lib,
config,
...
}: {
services = {
silverbullet = {
enable = true;
listenPort = 9876;
envFile = config.sops.secrets.silver_bullet.path;
};
nginx = {
enable = lib.mkForce true;
virtualHosts = {
"notes.tux.rs" = {
forceSSL = true;
useACMEHost = "tux.rs";
locations = {
"/" = {
proxyPass = "http://localhost:9876";
};
};
};
};
};
};
}

102
modules/nixos/selfhosted/tfolio.nix Normal file
View File

@ -0,0 +1,102 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.tux.services.tfolio;
in {
options.tux.services.tfolio = {
enable = mkEnableOption "Enable tfolio";
host = mkOption {
type = lib.types.str;
default = "0.0.0.0";
description = "IP address or hostname on which the tfolio service will listen.";
};
port = mkOption {
type = lib.types.port;
default = 22;
description = "Port number on which the tfolio service will listen.";
};
dataDir = mkOption {
type = lib.types.str;
default = "/var/lib/tfolio/";
description = "Directory where tfolio will store its data files.";
};
user = mkOption {
type = types.str;
default = "tfolio";
description = "User under which the tfolio service runs.";
};
group = mkOption {
type = types.str;
default = "tfolio";
description = "Group under which the tfolio service runs.";
};
};
config = mkIf cfg.enable {
systemd.services = {
tfolio = {
description = "my portfolio in a ssh session";
after = ["network.target"];
wantedBy = ["multi-user.target"];
serviceConfig = {
Type = "simple";
User = cfg.user;
Group = cfg.group;
ExecStart = "${getExe pkgs.tfolio} -l ${cfg.host} -p ${toString cfg.port} -d ${cfg.dataDir}";
Restart = "always";
StateDirectory = "tfolio";
# Allow binding to privileged ports
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateIPC = true;
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = "read-only";
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "full";
RestrictNamespaces = "uts ipc pid user cgroup";
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = ["@system-service"];
UMask = "0077";
};
};
};
# Ensure the user and group exist
users.users = mkIf (cfg.user == "tfolio") {
${cfg.user} = {
isSystemUser = true;
group = cfg.group;
description = "tfolio service user";
home = "/var/lib/tfolio";
createHome = true;
};
};
users.groups = mkIf (cfg.group == "tfolio") {
${cfg.group} = {};
};
};
}

60
modules/nixos/selfhosted/upstream-proxy.nix Normal file
View File

@ -0,0 +1,60 @@
{
lib,
config,
pkgs,
...
}: let
cfg = config.tux.services.nginxStreamProxy;
upstreamServerType = lib.types.submodule ({config, ...}: {
options = {
address = lib.mkOption {
type = lib.types.str;
description = "IP address or hostname of the upstream server";
};
port = lib.mkOption {
type = lib.types.port;
default = 9999;
description = "Port number of the upstream server";
};
listenPort = lib.mkOption {
type = lib.types.port;
default = config.port;
defaultText = lib.literalExpression "port";
description = "Local port to listen for incoming connections (defaults to port)";
};
};
});
in {
options.tux.services.nginxStreamProxy = {
enable = lib.mkEnableOption "Enable nginx TCP stream proxy";
upstreamServers = lib.mkOption {
type = lib.types.listOf upstreamServerType;
default = [
{
address = "0.0.0.0";
port = 9999;
}
];
description = "List of upstream servers to proxy to, each with its own listen port";
};
};
config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = map (server: server.listenPort) cfg.upstreamServers;
services.nginx = {
enable = lib.mkForce true;
package = pkgs.nginx.override {withStream = true;};
streamConfig =
lib.concatMapStringsSep "\n" (server: ''
server {
listen ${toString server.listenPort};
proxy_pass ${server.address}:${toString server.port};
}
'')
cfg.upstreamServers;
};
};
}

22
modules/nixos/selfhosted/uptime-kuma.nix Normal file
View File

@ -0,0 +1,22 @@
{lib, ...}: {
services = {
uptime-kuma = {
enable = true;
};
nginx = {
enable = lib.mkForce true;
virtualHosts = {
"uptime.tux.rs" = {
forceSSL = true;
useACMEHost = "tux.rs";
locations = {
"/" = {
proxyPass = "http://localhost:3001";
};
};
};
};
};
};
}

29
modules/nixos/selfhosted/vaultwarden.nix Normal file
View File

@ -0,0 +1,29 @@
{lib, ...}: {
services = {
vaultwarden = {
enable = true;
config = {
domain = "https://bw.tux.rs";
enableWebsocket = true;
signupsAllowed = true;
disableIconDownload = true;
};
};
nginx = {
enable = lib.mkForce true;
virtualHosts = {
"bw.tux.rs" = {
forceSSL = true;
useACMEHost = "tux.rs";
locations = {
"/" = {
proxyPass = "http://localhost:8000";
proxyWebsockets = true;
};
};
};
};
};
};
}

50
modules/nixos/selfhosted/wakapi.nix Normal file
View File

@ -0,0 +1,50 @@
{
lib,
config,
...
}: {
services = {
wakapi = {
enable = true;
passwordSaltFile = config.sops.secrets.wakapi_salt.path;
database.createLocally = true;
settings = {
app.avatar_url_template = "https://www.gravatar.com/avatar/{email_hash}.png";
server = {
port = 15999;
public_url = "https://wakapi.tux.rs";
};
db = {
dialect = "postgres";
host = "/run/postgresql";
port = 5432;
name = "wakapi";
user = "wakapi";
};
security = {
allow_signup = false;
disable_frontpage = true;
};
};
};
nginx = {
enable = lib.mkForce true;
virtualHosts = {
"wakapi.tux.rs" = {
forceSSL = true;
useACMEHost = "tux.rs";
locations = {
"/" = {
proxyPass = "http://localhost:15999";
proxyWebsockets = true;
};
};
};
};
};
};
}