Compare commits
10 Commits
e3211a77f5
...
ebbb7538fc
Author | SHA1 | Date |
---|---|---|
Azalea Gardenia | ebbb7538fc | |
Jill | f428081a8c | |
Jill | 749bbcd236 | |
Jill | c2837a6ac0 | |
Jill | bee47b8402 | |
Jill | 0107a38b56 | |
Jill | 4bf1b580ce | |
Jill | a8cfb4188c | |
Jill | 50dd0ef901 | |
Jill | 7c36864787 |
92
flake.lock
92
flake.lock
|
@ -68,11 +68,11 @@
|
|||
"nixpkgs-stable": "nixpkgs-stable"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1697137147,
|
||||
"narHash": "sha256-s1KYOB3t5TVxQJDlrM699O9Hx7iY/St2UG3SuKnVa4g=",
|
||||
"lastModified": 1700793713,
|
||||
"narHash": "sha256-Y1TUGNWmp8Pm83OnpVI+QAerdltEV1gupl2fVPcSJ0E=",
|
||||
"owner": "nix-community",
|
||||
"repo": "emacs-overlay",
|
||||
"rev": "bd5c5e9a9b460a275df97c7226f573cd88cb27ef",
|
||||
"rev": "cc8840b8c004b94164b38d003581cba25bb44c99",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -195,11 +195,11 @@
|
|||
"nixpkgs": "nixpkgs_4"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1695108154,
|
||||
"narHash": "sha256-gSg7UTVtls2yO9lKtP0yb66XBHT1Fx5qZSZbGMpSn2c=",
|
||||
"lastModified": 1700392168,
|
||||
"narHash": "sha256-v5LprEFx3u4+1vmds9K0/i7sHjT0IYGs7u9v54iz/OA=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "07682fff75d41f18327a871088d20af2710d4744",
|
||||
"rev": "28535c3a34d79071f2ccb68671971ce0c0984d7e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -218,11 +218,11 @@
|
|||
"xdph": "xdph"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1697127995,
|
||||
"narHash": "sha256-da9pd4ZTs4JzSgjj0sriX3e97vsZ9LcP3ciZq4An2EY=",
|
||||
"lastModified": 1700739112,
|
||||
"narHash": "sha256-lsJWWR8JjIWku1AcMrHa7wO4UILytsFRgkFY7T9yRGQ=",
|
||||
"owner": "hyprwm",
|
||||
"repo": "Hyprland",
|
||||
"rev": "e4bcd2e2da3136fb55886c4f02dd4a01099e687b",
|
||||
"rev": "e40e486f61f2643578b9977b86f408799dbc75fd",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -261,11 +261,11 @@
|
|||
"nixpkgs": "nixpkgs_6"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1696724955,
|
||||
"narHash": "sha256-7CczVKotC1RJuSyJMxgzUP11Y1txku9JAga5eFxpA+4=",
|
||||
"lastModified": 1699969928,
|
||||
"narHash": "sha256-c3ZGon18Cm37iTIe86nLkeNkVj16DvEvzvs6UqbvAd4=",
|
||||
"owner": "hyprwm",
|
||||
"repo": "hyprpaper",
|
||||
"rev": "72735ae6352085ef842f6ed496889115afd76ce4",
|
||||
"rev": "38e18b70777be4e8af45698b8c7bdbf3a04387a0",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -279,11 +279,11 @@
|
|||
"nixpkgs": "nixpkgs_7"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1697019850,
|
||||
"narHash": "sha256-o5YxKQjs2SGMCt7I7U+CFleAVzXjoXAWRicMNATQQ94=",
|
||||
"lastModified": 1698684516,
|
||||
"narHash": "sha256-x+6yy526dR75HBmTJvbrzN+sXINVL26yN5TY75Dgpwk=",
|
||||
"owner": "hyprwm",
|
||||
"repo": "hyprpicker",
|
||||
"rev": "94010d6b9afae7d9dfde910cf18b81d148374426",
|
||||
"rev": "b6130e3901ed5c6d423f168705929e555608d870",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -299,11 +299,11 @@
|
|||
"nixpkgs": "nixpkgs_8"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1697073334,
|
||||
"narHash": "sha256-2O5lBt+2phbcecD7ELxu0oG4cDL9f1IwHi7GBBcJ+Gs=",
|
||||
"lastModified": 1700788664,
|
||||
"narHash": "sha256-Z7LTeRl8kGkpnIzwdhvbXpH9+nBil5LWHzc3HSjOE0w=",
|
||||
"owner": "Infinidoge",
|
||||
"repo": "nix-minecraft",
|
||||
"rev": "ed52ace2bc71d751e273e4638b0719131cce5c79",
|
||||
"rev": "c26a7e6671d0f327116b15e3d68827fb6b2a14e2",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -314,11 +314,11 @@
|
|||
},
|
||||
"nixos-hardware": {
|
||||
"locked": {
|
||||
"lastModified": 1697100850,
|
||||
"narHash": "sha256-qSAzJVzNRIo+r3kBjL8TcpJctcgcHlnZyqdzpWgtg0M=",
|
||||
"lastModified": 1700559156,
|
||||
"narHash": "sha256-gL4epO/qf+wo30JjC3g+b5Bs8UrpxzkhNBBsUYxpw2g=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixos-hardware",
|
||||
"rev": "fb6af288f6cf0f00d3af60cf9d5110433b954565",
|
||||
"rev": "c3abafb01cd7045dba522af29b625bd1e170c2fb",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -345,11 +345,11 @@
|
|||
},
|
||||
"nixpkgs-stable": {
|
||||
"locked": {
|
||||
"lastModified": 1696983906,
|
||||
"narHash": "sha256-L7GyeErguS7Pg4h8nK0wGlcUTbfUMDu+HMf1UcyP72k=",
|
||||
"lastModified": 1700678569,
|
||||
"narHash": "sha256-2Ki+2UvOidxEb3xB4ADqlbPQ2BZOF4uZMR094O8or2I=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "bd1cde45c77891214131cbbea5b1203e485a9d51",
|
||||
"rev": "8f1180704ac35baded1a74164365ac7cdfba6f38",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -361,11 +361,11 @@
|
|||
},
|
||||
"nixpkgs-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1696879762,
|
||||
"narHash": "sha256-Ud6bH4DMcYHUDKavNMxAhcIpDGgHMyL/yaDEAVSImQY=",
|
||||
"lastModified": 1700612854,
|
||||
"narHash": "sha256-yrQ8osMD+vDLGFX7pcwsY/Qr5PUd6OmDMYJZzZi0+zc=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "f99e5f03cc0aa231ab5950a15ed02afec45ed51a",
|
||||
"rev": "19cbff58383a4ae384dea4d1d0c823d72b49d614",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -406,11 +406,11 @@
|
|||
},
|
||||
"nixpkgs_3": {
|
||||
"locked": {
|
||||
"lastModified": 1696879762,
|
||||
"narHash": "sha256-Ud6bH4DMcYHUDKavNMxAhcIpDGgHMyL/yaDEAVSImQY=",
|
||||
"lastModified": 1700612854,
|
||||
"narHash": "sha256-yrQ8osMD+vDLGFX7pcwsY/Qr5PUd6OmDMYJZzZi0+zc=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "f99e5f03cc0aa231ab5950a15ed02afec45ed51a",
|
||||
"rev": "19cbff58383a4ae384dea4d1d0c823d72b49d614",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -438,11 +438,11 @@
|
|||
},
|
||||
"nixpkgs_5": {
|
||||
"locked": {
|
||||
"lastModified": 1694767346,
|
||||
"narHash": "sha256-5uH27SiVFUwsTsqC5rs3kS7pBoNhtoy9QfTP9BmknGk=",
|
||||
"lastModified": 1698134075,
|
||||
"narHash": "sha256-foCD+nuKzfh49bIoiCBur4+Fx1nozo+4C/6k8BYk4sg=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "ace5093e36ab1e95cb9463863491bee90d5a4183",
|
||||
"rev": "8efd5d1e283604f75a808a20e6cde0ef313d07d4",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -486,11 +486,11 @@
|
|||
},
|
||||
"nixpkgs_8": {
|
||||
"locked": {
|
||||
"lastModified": 1683408522,
|
||||
"narHash": "sha256-9kcPh6Uxo17a3kK3XCHhcWiV1Yu1kYj22RHiymUhMkU=",
|
||||
"lastModified": 1698318101,
|
||||
"narHash": "sha256-gUihHt3yPD7bVqg+k/UVHgngyaJ3DMEBchbymBMvK1E=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "897876e4c484f1e8f92009fd11b7d988a121a4e7",
|
||||
"rev": "63678e9f3d3afecfeafa0acead6239cdb447574c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -502,11 +502,11 @@
|
|||
},
|
||||
"nixpkgs_9": {
|
||||
"locked": {
|
||||
"lastModified": 1696983906,
|
||||
"narHash": "sha256-L7GyeErguS7Pg4h8nK0wGlcUTbfUMDu+HMf1UcyP72k=",
|
||||
"lastModified": 1700678569,
|
||||
"narHash": "sha256-2Ki+2UvOidxEb3xB4ADqlbPQ2BZOF4uZMR094O8or2I=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "bd1cde45c77891214131cbbea5b1203e485a9d51",
|
||||
"rev": "8f1180704ac35baded1a74164365ac7cdfba6f38",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -629,18 +629,18 @@
|
|||
"flake": false,
|
||||
"locked": {
|
||||
"host": "gitlab.freedesktop.org",
|
||||
"lastModified": 1696410538,
|
||||
"narHash": "sha256-ecDhdYLXWHsxMv+EWG36mCNDvzRbu9qfjH7dLxL7aGM=",
|
||||
"lastModified": 1699292815,
|
||||
"narHash": "sha256-HXu98PyBMKEWLqiTb8viuLDznud/SdkdJsx5A5CWx7I=",
|
||||
"owner": "wlroots",
|
||||
"repo": "wlroots",
|
||||
"rev": "3406c1b17a4a7e6d4e2a7d9c1176affa72bce1bc",
|
||||
"rev": "5de9e1a99d6642c2d09d589aa37ff0a8945dcee1",
|
||||
"type": "gitlab"
|
||||
},
|
||||
"original": {
|
||||
"host": "gitlab.freedesktop.org",
|
||||
"owner": "wlroots",
|
||||
"repo": "wlroots",
|
||||
"rev": "3406c1b17a4a7e6d4e2a7d9c1176affa72bce1bc",
|
||||
"rev": "5de9e1a99d6642c2d09d589aa37ff0a8945dcee1",
|
||||
"type": "gitlab"
|
||||
}
|
||||
},
|
||||
|
@ -660,11 +660,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1694628480,
|
||||
"narHash": "sha256-Qg9hstRw0pvjGu5hStkr2UX1D73RYcQ9Ns/KnZMIm9w=",
|
||||
"lastModified": 1697981233,
|
||||
"narHash": "sha256-y8q4XUwx+gVK7i2eLjfR32lVo7TYvEslyzrmzYEaPZU=",
|
||||
"owner": "hyprwm",
|
||||
"repo": "xdg-desktop-portal-hyprland",
|
||||
"rev": "8f45a6435069b9e24ebd3160eda736d7a391cbf2",
|
||||
"rev": "22e7a65ff9633e1dedfa5317fdffc49f68de2ff2",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
|
@ -174,6 +174,11 @@ in {
|
|||
dataDir = "/var/lib/terraria";
|
||||
};
|
||||
|
||||
nextcloud = {
|
||||
enable = true;
|
||||
domain = "nextcloud.dark-firepit.cloud";
|
||||
};
|
||||
|
||||
jmusicbot = let
|
||||
baseOptions = {
|
||||
owner = 276416332894044160;
|
||||
|
@ -189,6 +194,7 @@ in {
|
|||
|
||||
npimages = true;
|
||||
stayinchannel = true;
|
||||
updatealerts = false;
|
||||
|
||||
aliases = {
|
||||
nowplaying = [ "np" "current" ];
|
||||
|
@ -277,8 +283,8 @@ in {
|
|||
|
||||
firewall.allowPing = true;
|
||||
# minecraft proximity voice chat
|
||||
firewall.allowedTCPPorts = [ 24454 24464 25567 25577 4499 21025 ];
|
||||
firewall.allowedUDPPorts = [ 24454 24464 25567 25577 4499 21025 ];
|
||||
firewall.allowedTCPPorts = [ 24454 24464 25567 25577 4499 21025 21027 ];
|
||||
firewall.allowedUDPPorts = [ 24454 24464 25567 25577 4499 21025 21027 ];
|
||||
};
|
||||
|
||||
# environment.etc."dhcpcd.duid".text = "d0:50:99:d4:04:68:d0:50:99:d4:04:68";
|
||||
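Review bot: Port `21027` is added to both `firewall.allowedTCPPorts` and `firewall.allowedUDPPorts` under a comment that only explains the Minecraft proximity voice chat entry, so the list now carries seven ports with no record of which service owns each one or why each needs both protocols. Rather than mirroring every port on both lists, annotate the new entry and open only the protocol it actually uses, e.g. a line above it such as `# 21027: <service placeholder> (TCP or UDP — confirm before opening both)`; the same applies to the existing `4499` and `21025` entries. The enclosing attribute set (presumably `networking`) starts outside the hunk.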
|
|
|
@ -76,6 +76,7 @@ in {
|
|||
"mayf.pink".dataDir = "/var/www/mayf.pink";
|
||||
"mayf.pink".php = true;
|
||||
"mayf.pink".phpHandlePathing = true;
|
||||
"star.yugoslavia.best".dataDir = "/var/www/star.yugoslavia.best";
|
||||
#"wint0r.zone".dataDir = "/var/www/wint0r.zone";
|
||||
#"puzzle.wint0r.zone".dataDir = "/var/www/puzzle.wint0r.zone";
|
||||
"femboy.industries".dataDir = "/var/www/femboy.industries";
|
||||
|
@ -111,21 +112,6 @@ in {
|
|||
# domain = "dev-firepit.oat.zone";
|
||||
# port = 4444;
|
||||
#};
|
||||
|
||||
/*
|
||||
ghost = {
|
||||
enable = true;
|
||||
domain = "blog.oat.zone";
|
||||
port = 1357;
|
||||
};
|
||||
*/
|
||||
|
||||
isso = {
|
||||
enable = true;
|
||||
port = 1995;
|
||||
domain = "comments.oat.zone";
|
||||
target = "blog.oat.zone";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -166,16 +152,26 @@ in {
|
|||
proxyPass = "http://127.0.0.1:3436/";
|
||||
};
|
||||
};
|
||||
|
||||
# https://www.edwinwenink.xyz/posts/47-tilde_server/
|
||||
# todo: fix this
|
||||
"dark-firepit.cloud" = {
|
||||
locations."~ ^/~([^/\\s]+?)(/[^\\s]*)?$".extraConfig = ''
|
||||
add_header X-debug-message "/home/$1/www$2" always;
|
||||
alias /home/$1/www$2;
|
||||
index index.html index.htm;
|
||||
autoindex on;
|
||||
'';
|
||||
# todo: move to flake
|
||||
"jillo.oat.zone" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:15385/";
|
||||
};
|
||||
};
|
||||
"drawdog.oat.zone" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:33363/";
|
||||
extraConfig = ''
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
proxy_set_header Host $host;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
#"git.oat.zone" = {
|
||||
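Review bot: The new `drawdog.oat.zone` location hand-writes the WebSocket upgrade headers and pins `proxy_set_header Connection "Upgrade"` for every request, including plain HTTP ones, whereas the NixOS nginx module's `proxyWebsockets = true;` emits the same `proxy_http_version 1.1` and `Upgrade` lines together with the `$connection_upgrade` map, so non-upgrade requests are forwarded with `Connection close` instead of a bogus upgrade. Replace that location's `extraConfig` block with `proxyWebsockets = true;`, keeping only the `Host` header if `recommendedProxySettings` is not enabled elsewhere in the file. The new `jillo.oat.zone` location sets no proxy headers at all, so unless `recommendedProxySettings` is on in a part of the file outside this hunk, the backend on port 15385 will see `127.0.0.1` as every client's address. The enclosing `services.nginx.virtualHosts` set begins and ends outside the hunk.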
|
|
|
@ -2,101 +2,107 @@
|
|||
|
||||
with lib;
|
||||
let
|
||||
cfg = config.modules.services.dendrite;
|
||||
fullDomain = "matrix." + cfg.hostDomain;
|
||||
cfg = config.modules.services.dendrite;
|
||||
fullDomain = "${cfg.prefix}.${cfg.hostDomain}";
|
||||
maxUploadMegabytes = 600;
|
||||
in {
|
||||
options.modules.services.dendrite = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
};
|
||||
options.modules.services.dendrite = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
};
|
||||
|
||||
hostDomain = mkOption {
|
||||
type = types.str;
|
||||
default = null;
|
||||
};
|
||||
hostDomain = mkOption {
|
||||
type = types.str;
|
||||
default = null;
|
||||
};
|
||||
|
||||
port = mkOption {
|
||||
type = types.port;
|
||||
default = 8008;
|
||||
};
|
||||
};
|
||||
prefix = mkOption {
|
||||
type = types.str;
|
||||
default = "matrix";
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
assertions = [
|
||||
{ assertion = cfg.hostDomain != null;
|
||||
description = "@config.modules.services.dendrite.hostDomain@ must not equal null";
|
||||
}
|
||||
];
|
||||
port = mkOption {
|
||||
type = types.port;
|
||||
default = 8008;
|
||||
};
|
||||
};
|
||||
|
||||
services.dendrite = {
|
||||
enable = true;
|
||||
httpPort = cfg.port;
|
||||
# httpsPort = cfg.port;
|
||||
tlsCert = "/var/lib/dendrite_keys/server.cert";
|
||||
tlsKey = "/var/lib/dendrite_keys/server.key";
|
||||
loadCredential = [ "private_key:/var/lib/dendrite_keys/private/private_key.pem" ];
|
||||
environmentFile = "/var/lib/dendrite_keys/registration_secret";
|
||||
settings = {
|
||||
global = {
|
||||
server_name = cfg.hostDomain;
|
||||
private_key = "/var/lib/dendrite_keys/private/private_key.pem";
|
||||
presence = {
|
||||
enable_inbound = true;
|
||||
enable_outbound = true;
|
||||
};
|
||||
};
|
||||
client_api = {
|
||||
registration_shared_secret = "$REGISTRATION_SHARED_SECRET";
|
||||
};
|
||||
media_api = {
|
||||
max_file_size_bytes = maxUploadMegabytes;
|
||||
dynamic_thumbnails = true;
|
||||
};
|
||||
};
|
||||
config = mkIf cfg.enable {
|
||||
assertions = [
|
||||
{ assertion = cfg.hostDomain != null;
|
||||
description = "@config.modules.services.dendrite.hostDomain@ must not equal null";
|
||||
}
|
||||
];
|
||||
|
||||
};
|
||||
services.dendrite = {
|
||||
enable = true;
|
||||
httpPort = cfg.port;
|
||||
# httpsPort = cfg.port;
|
||||
tlsCert = "/var/lib/dendrite_keys/server.crt";
|
||||
tlsKey = "/var/lib/dendrite_keys/server.key";
|
||||
loadCredential = [ "private_key:/var/lib/dendrite_keys/private/private_key.pem" ];
|
||||
environmentFile = "/var/lib/dendrite_keys/registration_secret";
|
||||
settings = {
|
||||
global = {
|
||||
server_name = cfg.hostDomain;
|
||||
private_key = "/var/lib/dendrite_keys/private/private_key.pem";
|
||||
presence = {
|
||||
enable_inbound = true;
|
||||
enable_outbound = true;
|
||||
};
|
||||
};
|
||||
client_api = {
|
||||
registration_shared_secret = "$REGISTRATION_SHARED_SECRET";
|
||||
};
|
||||
media_api = {
|
||||
max_file_size_bytes = maxUploadMegabytes;
|
||||
dynamic_thumbnails = true;
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."${fullDomain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
};
|
||||
|
||||
listen = [
|
||||
{ addr = "0.0.0.0";
|
||||
port = 443;
|
||||
ssl = true;
|
||||
}
|
||||
{ addr = "[::]";
|
||||
port = 443;
|
||||
ssl = true;
|
||||
}
|
||||
];
|
||||
services.nginx.virtualHosts."${fullDomain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
|
||||
locations."/_matrix".proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
#listen = [
|
||||
# { addr = "0.0.0.0";
|
||||
# port = 443;
|
||||
# ssl = true;
|
||||
# }
|
||||
# { addr = "[::]";
|
||||
# port = 443;
|
||||
# ssl = true;
|
||||
# }
|
||||
#];
|
||||
|
||||
extraConfig = ''
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-RealIP $remote_addr;
|
||||
proxy_read_timeout 600;
|
||||
client_max_body_size ${toString maxUploadMegabytes}M;
|
||||
'';
|
||||
};
|
||||
locations."/_matrix".proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
#locations."/_matrix".proxyPass = "https://localhost:${toString cfg.port}";
|
||||
|
||||
services.nginx.virtualHosts."${cfg.hostDomain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
extraConfig = ''
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-RealIP $remote_addr;
|
||||
proxy_read_timeout 600;
|
||||
client_max_body_size ${toString maxUploadMegabytes}M;
|
||||
'';
|
||||
};
|
||||
|
||||
locations."/.well-known/matrix/server".return = "200 '{ \"m.server\": \"${fullDomain}:443\"}'";
|
||||
services.nginx.virtualHosts."${cfg.hostDomain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
|
||||
# locations."/.well-known/matrix/client".return = "200 '{ \"m.homserver\": { \"base_url\": \"https://${cfg.hostDomain}\"} }'";
|
||||
locations."/.well-known/matrix/client".extraConfig = ''
|
||||
add_header Access-Control-Allow-Origin '*';
|
||||
return 200 '{ \"m.homserver\": { \"base_url\": \"https://${cfg.hostDomain}\"} }';
|
||||
'';
|
||||
};
|
||||
locations."/.well-known/matrix/server".return = "200 '{ \"m.server\": \"${fullDomain}:443\"}'";
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
networking.firewall.allowedUDPPorts = [ 80 443 ];
|
||||
};
|
||||
# locations."/.well-known/matrix/client".return = "200 '{ \"m.homserver\": { \"base_url\": \"https://${cfg.hostDomain}\"} }'";
|
||||
locations."/.well-known/matrix/client".extraConfig = ''
|
||||
add_header Access-Control-Allow-Origin '*';
|
||||
return 200 '{ \"m.homeserver\": { \"base_url\": \"https://${fullDomain}\"} }';
|
||||
'';
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
networking.firewall.allowedUDPPorts = [ 80 443 ];
|
||||
};
|
||||
}
|
||||
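Review bot: The new `/.well-known/matrix/client` location returns its JSON body via `return 200 '…'` without setting a content type, so nginx serves it with whatever `default_type` is in effect rather than `application/json`; the `/.well-known/matrix/server` location has the same gap. Add `default_type application/json;` to the `extraConfig` next to the `add_header Access-Control-Allow-Origin '*';` line, and move the server location to the same `extraConfig` form so both carry it. Separately, `loadCredential` copies the signing key into the service's credentials directory, but `settings.global.private_key` still points at `/var/lib/dendrite_keys/private/private_key.pem`, so the credential is loaded and then ignored; I believe the intended form is `private_key = "$CREDENTIALS_DIRECTORY/private_key";`, which also lets the on-disk file stay readable by root only — worth confirming against the NixOS dendrite module docs. The `proxy_set_header X-RealIP $remote_addr;` lines in both vhosts look like a typo for the conventional `X-Real-IP` header name.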
|
|
|
@ -1,158 +0,0 @@
|
|||
{ pkgs, lib, config, options, ... }:
|
||||
|
||||
with lib;
|
||||
let
|
||||
cfg = config.modules.services.ghost;
|
||||
# user used to run the Ghost service
|
||||
userName = builtins.replaceStrings [ "." ] [ "_" ] cfg.domain;
|
||||
in {
|
||||
options.modules.services.ghost = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
};
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
default = pkgs._.ghost;
|
||||
};
|
||||
domain = mkOption {
|
||||
type = types.str;
|
||||
default = "blog.oat.zone";
|
||||
};
|
||||
port = mkOption {
|
||||
type = types.int;
|
||||
default = 1357;
|
||||
};
|
||||
dataDir = mkOption {
|
||||
type = types.str;
|
||||
default = "/var/lib/${userName}";
|
||||
};
|
||||
};
|
||||
|
||||
config = let
|
||||
# directory used to save the blog content
|
||||
dataDir = cfg.dataDir;
|
||||
# script that sets up the Ghost content directory
|
||||
setupScript = pkgs.writeScript "${cfg.domain}-setup.sh" ''
|
||||
#! ${pkgs.stdenv.shell} -e
|
||||
chmod g+s "${dataDir}"
|
||||
[[ ! -d "${dataDir}/content" ]] && cp -r "${cfg.package}/content" "${dataDir}/content"
|
||||
chown -R "${userName}":"${userName}" "${dataDir}/content"
|
||||
chmod -R +w "${dataDir}/content"
|
||||
ln -f -s "/etc/${cfg.domain}.json" "${dataDir}/config.production.json"
|
||||
[[ -d "${dataDir}/current" ]] && rm "${dataDir}/current"
|
||||
ln -f -s "${cfg.package}/current" "${dataDir}/current"
|
||||
[[ -d "${dataDir}/content/themes/casper" ]] && rm "${dataDir}/content/themes/casper"
|
||||
ln -f -s "${cfg.package}/current/content/themes/casper" "${dataDir}/content/themes/casper"
|
||||
'';
|
||||
in lib.mkIf cfg.enable {
|
||||
# Creates the user and group
|
||||
users.users.${userName} = {
|
||||
isSystemUser = true;
|
||||
group = userName;
|
||||
createHome = true;
|
||||
home = dataDir;
|
||||
};
|
||||
users.groups.${userName} = { };
|
||||
|
||||
# Creates the Ghost config
|
||||
environment.etc."${cfg.domain}.json".text = ''
|
||||
{
|
||||
"url": "https://${cfg.domain}",
|
||||
"server": {
|
||||
"port": ${toString cfg.port},
|
||||
"host": "0.0.0.0"
|
||||
},
|
||||
"database": {
|
||||
"client": "mysql",
|
||||
"connection": {
|
||||
"host": "localhost",
|
||||
"user": "${userName}",
|
||||
"database": "${userName}",
|
||||
"password": "",
|
||||
"socketPath": "/run/mysqld/mysqld.sock"
|
||||
}
|
||||
},
|
||||
"mail": {
|
||||
"transport": "sendmail"
|
||||
},
|
||||
"logging": {
|
||||
"transports": ["stdout"]
|
||||
},
|
||||
"paths": {
|
||||
"contentPath": "${dataDir}/content"
|
||||
}
|
||||
}
|
||||
'';
|
||||
|
||||
# Sets up the Systemd service
|
||||
systemd.services."${cfg.domain}" = {
|
||||
enable = true;
|
||||
description = "${cfg.domain} ghost blog";
|
||||
restartIfChanged = true;
|
||||
restartTriggers =
|
||||
[ cfg.package config.environment.etc."${cfg.domain}.json".source ];
|
||||
requires = [ "mysql.service" ];
|
||||
after = [ "mysql.service" ];
|
||||
path = [ pkgs.nodejs pkgs.vips ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
User = userName;
|
||||
Group = userName;
|
||||
WorkingDirectory = dataDir;
|
||||
# Executes the setup script before start
|
||||
ExecStartPre = setupScript;
|
||||
# Runs Ghost with node
|
||||
ExecStart = "${pkgs.nodejs}/bin/node current/index.js";
|
||||
# Sandboxes the Systemd service
|
||||
AmbientCapabilities = [ ];
|
||||
CapabilityBoundingSet = [ ];
|
||||
KeyringMode = "private";
|
||||
LockPersonality = true;
|
||||
NoNewPrivileges = true;
|
||||
PrivateDevices = true;
|
||||
PrivateMounts = true;
|
||||
PrivateTmp = true;
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectSystem = "full";
|
||||
RemoveIPC = true;
|
||||
RestrictAddressFamilies = [ ];
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
};
|
||||
environment = { NODE_ENV = "production"; };
|
||||
};
|
||||
|
||||
# Sets up the blog virtual host on NGINX
|
||||
services.nginx.virtualHosts.${cfg.domain} = {
|
||||
# Sets up Lets Encrypt SSL certificates for the blog
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = { proxyPass = "http://127.0.0.1:${toString cfg.port}"; };
|
||||
extraConfig = ''
|
||||
charset UTF-8;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=2592000; includeSubDomains" always;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin";
|
||||
add_header X-Frame-Options "SAMEORIGIN";
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
'';
|
||||
};
|
||||
|
||||
# Sets up MySQL database and user for Ghost
|
||||
services.mysql = {
|
||||
ensureDatabases = [ userName ];
|
||||
ensureUsers = [{
|
||||
name = userName;
|
||||
ensurePermissions = { "${userName}.*" = "ALL PRIVILEGES"; };
|
||||
}];
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,82 +0,0 @@
|
|||
{ config, lib, pkgs, options, ... }:
|
||||
|
||||
with lib;
|
||||
let
|
||||
cfg = config.modules.services.isso;
|
||||
in {
|
||||
options.modules.services.isso = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
};
|
||||
domain = mkOption {
|
||||
type = types.str;
|
||||
default = "comments.oat.zone";
|
||||
};
|
||||
target = mkOption {
|
||||
type = types.str;
|
||||
default = "blog.oat.zone";
|
||||
};
|
||||
port = mkOption {
|
||||
type = types.port;
|
||||
default = 1550;
|
||||
};
|
||||
dataDir = mkOption {
|
||||
type = types.str;
|
||||
default = "/var/lib/isso";
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
services = {
|
||||
isso = {
|
||||
enable = true;
|
||||
settings = {
|
||||
general = {
|
||||
dbpath = "${cfg.dataDir}/comments.db";
|
||||
host = "https://${cfg.target}";
|
||||
latest-enabled = true;
|
||||
};
|
||||
server = {
|
||||
listen = "http://localhost:${toString cfg.port}";
|
||||
samesite = "Lax";
|
||||
public-endpoint = "https://${cfg.domain}";
|
||||
};
|
||||
guard = {
|
||||
enabled = true;
|
||||
require-author = true;
|
||||
ratelimit = 4;
|
||||
};
|
||||
admin = {
|
||||
enabled = true;
|
||||
password = removeSuffix "\n" (builtins.readFile /etc/isso_admin_pass);
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
nginx.enable = true;
|
||||
nginx.virtualHosts."${cfg.domain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://localhost:${toString cfg.port}";
|
||||
extraConfig = ''
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.isso.serviceConfig = {
|
||||
preStart = ''
|
||||
umask u=rwx,g=rwx,o=rx
|
||||
mkdir -p ${cfg.dataDir}
|
||||
cd ${cfg.dataDir}
|
||||
${pkgs.coreutils}/bin/chown -R isso:isso .
|
||||
${pkgs.coreutils}/bin/chmod -R 775 .
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
|
@ -12,7 +12,7 @@ in {
|
|||
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
default = pkgs.nextcloud24;
|
||||
default = pkgs.nextcloud27;
|
||||
};
|
||||
|
||||
domain = mkOption {
|
||||
|
@ -28,10 +28,16 @@ in {
|
|||
}
|
||||
];
|
||||
|
||||
# vomit inducing
|
||||
# nixpkgs.config.permittedInsecurePackages = [
|
||||
# "openssl-1.1.1w"
|
||||
# ];
|
||||
|
||||
services.nextcloud = {
|
||||
enable = true;
|
||||
package = cfg.package;
|
||||
hostName = cfg.domain;
|
||||
enableBrokenCiphersForSSE = false;
|
||||
config = {
|
||||
dbtype = "pgsql";
|
||||
dbuser = "nextcloud";
|
||||
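Review bot: The commented-out `nixpkgs.config.permittedInsecurePackages = [ "openssl-1.1.1w" ]` block is dead configuration that, if ever uncommented, re-enables an end-of-life OpenSSL for the whole system; since the switch to `pkgs.nextcloud27` is presumably what removed the need for it, drop the block (and the `# vomit inducing` line) rather than keep it one uncomment away. Moving the default straight from `nextcloud24` to `nextcloud27` also skips two major releases; as far as I know Nextcloud's updater only supports stepping one major version at a time, so an existing instance at 24 should be upgraded through 25 and 26 first — worth confirming before this default reaches a host with data. A one-line comment recording that constraint next to `default = pkgs.nextcloud27;`, e.g. `# Nextcloud majors must be upgraded one at a time; do not skip versions when bumping this`, would save the next bump from the same question.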
|
|
|
@ -1,9 +0,0 @@
|
|||
source "$stdenv"/setup
|
||||
|
||||
export HOME=$(mktemp -d)
|
||||
|
||||
npm install --loglevel=info --logs-max=0 "ghost-cli@$ghostCliVersion"
|
||||
|
||||
mkdir --parents "$out"/
|
||||
node_modules/ghost-cli/bin/ghost install "$version" --db=sqlite3 \
|
||||
--no-enable --no-prompt --no-stack --no-setup --no-start --dir "$out"
|
|
@ -1,11 +0,0 @@
|
|||
{ pkgs }:
|
||||
|
||||
let
|
||||
pname = "ghost";
|
||||
version = "5.33.2";
|
||||
in pkgs.stdenv.mkDerivation {
|
||||
inherit pname version;
|
||||
buildInputs = with pkgs; [ nodejs yarn vips ];
|
||||
ghostCliVersion = "1.24.0";
|
||||
builder = ./builder.sh;
|
||||
}
|