chris/sneeuwvlok
chris/sneeuwvlok
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

started migration to snowfall

Browse source
This commit is contained in:
Chris Kruining 2025-07-23 10:03:10 +02:00
parent 091438d802
commit 5ba5d55108
No known key found for this signature in database
GPG key ID: EB894A3560CCCAD2
100 changed files with 49 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

225
_modules/system/services/auth/authelia.nix Normal file
View file

@ -0,0 +1,225 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mkIf mkEnableOption;
user = "authelia-testing";
cfg = config.modules.services.auth.authelia;
in
{
options.modules.services.auth.authelia = {
enable = mkEnableOption "Authelia";
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [
authelia
];
services.authelia.instances.testing = {
enable = true;
secrets = {
storageEncryptionKeyFile = "/etc/authelia/testing/storageEncryptionKeyFile";
jwtSecretFile = "/etc/authelia/testing/jwtSecretFile";
sessionSecretFile = "/etc/authelia/testing/sessionSecrets";
};
settings = {
theme = "auto";
server = {
address = "tcp://127.0.0.1:9091";
};
# administration = {
# enable = true;
# enable_ui = true;
# address = "tcp://127.0.0.1:9092";
# users = [ "chris" ];
# groups = [ "admin" ];
# };
log = {
level = "info";
format = "json";
};
authentication_backend.file.path = "/etc/authelia/testing/users_database.yml";
access_control = {
default_policy = "deny";
rules = [
{
domain = ["auth.kruining.eu"];
policy = "bypass";
}
{
domain = ["*.kruining.eu"];
policy = "one_factor";
}
];
};
session = {
name = "authelia_testing_session";
expiration = "12h";
inactivity = "45m";
remember_me = "1m";
# redis.host = "/run/redis-authelia-testing/redis.sock";
cookies = [
{
domain = "kruining.eu";
authelia_url = "https://auth.kruining.eu";
default_redirection_url = "https://media.kruining.eu";
name = "authelia_session";
}
];
};
regulation = {
max_retries = 300;
find_time = "5m";
ban_time = "15m";
};
storage = {
local.path = "/var/lib/authelia-testing/db.sqlite3";
};
notifier = {
disable_startup_check = false;
filesystem.filename = "/var/lib/authelia-testing/notifications.txt";
};
identity_providers.oidc = {
jwks = [
{
# Authelia wants at least one private RSA key (why not just allow ecdsa is beyond me)
key = "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCrkJ2iCcGbZwr9\ntWGiQLzL1OV7WoC8OpRIvtVusyJ6YQGkcB9F3PV+wjzBCojIibjMpWci6vq7sZQp\nnttRsXIBRxyhUoWcg1X8zR2ebFPMqPkfQEYhCPxts/5iaVwESt+77RAeaoJu6Va4\n6ugCHUsujMDGNhXNHWNn1euXT/jnTID8zT2eff8XYItK/vAJgv9ZbDDcamZFqNAK\nWBLGQZGO5GGCDtp99yFlGgG8zhaYpqw/eC/DhRr/O0N0PkQBRsD0mJ5aWCeVIVKB\nP/W35L23XFlgupOcWpZ4Bf7ivjxfakBHq/yYcvq60a9LjwLW+QXyvdvWe7jdV+Bp\nON9VlJ1PAgMBAAECggEANT8o7UWB5S1R5/QHXUgiUFC++E3abpDvvLQdocHPDZRV\n4ic6TYCKYND/8hnG4hZ8WGdtXxT2xJIUneZDw1MDQwpDBH6MIUtRwKgYbTbJu1cm\nGmDkYxRa4+FdLkXs3Rgv4C9vNUFxQeMBm1qsrxtQXh4pJlta4NIiK/Pkro2Pfplp\nyKb5E7HhusHiLqezcPhErYnYQmLPtmInqfQnBAsGehiY6ZL3TMIGTo1FDrIEhu9q\nz31WaK8NuNd/bUqiEdFIVtNt3cSOfqCrtC20LwTIYiv/tDz0ahFOCA42vHSdkz35\nnO1dEkP2YCimTHbw9KwHmzkYL6Q2jd89L8/oCe2dYQKBgQDRz2pvfJjdb4FXLRH/\n/iEsDseRu2z2fg7SBNMloTV/dQGpvBgsEZDWlJw7NyIm2rlZ0kkae9QfLECJeT6A\nZuXnOuUDNUBE5/nj2DBC34gHotpErcJBTlKmr/KfILnh1uDVwLizYNQ6KZ6s3EK8\nSvLXNbEDrJ3HkQbs6OPtZsEVawKBgQDRVcCf+8wxdK1AF474F1E9zAvN8i5+6xIW\nb+YUDuueCzJf8h3wU9Chf/ItEtknw1CHQFNOmLodtQJgGzGDG0R6xmQnfUQIsky1\nO3HDs4xlCggfq9AWm+RKr5r3T34CiJfA4ZUq6i2FKNkdQREArJWcC4cjRItZvGj6\nKJ5ZRDBsrQKBgCnD9lYXIX8DEWY/LJQfDI9uqb+S5c/zrBOWrkmRW8rxidE2BkHP\nhVuR3b/T69J8O+VrfO3utH04G+jB3/VDhoSPLsOCuDZ/TzlR8dl+EeAjRPvi8wZ5\nBu7zm4KdyyLv2XXzlVDv949UdafHeOluqgS5RXGLzSTK8+v5OFYr3EfdAoGAJIP4\n3e9mZxobPprdbZljqov1Yy9jvO/0b8WFNOqFX0REvUfWwR1dv046SHKJPs5rNaya\n25L4pEX27BzSPjR7dY812U2YmIvBpbuA1Mp1Kwrc7+lgmxEGeaC4P3u2V2rMTfEL\nvDitSBUgCmJXPO7eCiJYqGZEiJq9FSYQuTGT4OECgYEAjR+dtmZkcszRo77XdXDo\nRFMlx47R5Xk4R2+faYneCkNJ/MqZdeQ3CxcfQFQHpNJb+1kacXusRDvlm2/777fj\nCOLxaxY6akOEG6dkgmWHzzm9JpmZ63g0I9k+C3zbyQnFyNRQmNW2gGCVwekRmAz+\n/a98+6ip2LRkTQYhZ064rfc=\n-----END PRIVATE KEY-----";
}
];
clients = [
{
client_id = "jellyfin";
client_name = "Jellyfin";
# af0WDhM6DILapBO.8Puu8IR1tyXLPqQNUoROgx4A8JWVIxRno4IhvXCMaN1zveuJzw1yw2h3
client_secret = "$pbkdf2-sha512$310000$9C/krTomC0MUJ2QosHwEKA$43H4gm6yaz.fU5eZsN/KxPDuL/S4jPjaNOcAKyU/uz7IVNDSQo71XQ3sqKZITZ/FLYTN5kxTlVUhEMB9Orlh1g";
token_endpoint_auth_method = "client_secret_post";
public = false;
require_pkce = true;
pkce_challenge_method = "S256";
authorization_policy = "one_factor";
userinfo_signed_response_alg = "none";
consent_mode = "implicit";
scopes = [ "openid" "profile" "groups" ];
redirect_uris = [ "https://jellyfin.kruining.eu/sso/OID/redirect/authelia" ];
}
{
client_id = "streamarr";
client_name = "Streamarr";
# ZPuiW2gpVV6MGXIJFk5P3EeSW8V_ICgqduF.hJVCKkrnVmRqIQXRk0o~HSA8ZdCf8joA4m_F
client_secret = "$pbkdf2-sha512$310000$CzZjvJT75bz5z7MjwxsEtg$JtOiIgaY5/HcLLxJgyX4zvsQV9jIoow0e4JdlFsk/LWRDOJ0kc.PzstlYfw7QERTXtJILoWsDqPzmvpneK5Leg";
public = false;
require_pkce = true;
pkce_challenge_method = "S256";
token_endpoint_auth_method = "client_secret_post";
authorization_policy = "one_factor";
userinfo_signed_response_alg = "none";
consent_mode = "implicit";
scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ];
redirect_uris = [ "http://localhost:3000/api/auth/oauth2/callback/authelia" ];
}
];
};
};
};
systemd = {
tmpfiles.rules = [
"d /var/lib/authelia-testing 400 ${user} ${user} -"
];
};
# These should not be set from nix but through other means to not leak the secret!
# This is purely for testing purposes!
environment.etc = {
"authelia/testing/storageEncryptionKeyFile" = {
mode = "0400";
user = user;
text = "you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this";
};
"authelia/testing/jwtSecretFile" = {
mode = "0400";
user = user;
text = "a_very_important_secret";
};
"authelia/testing/sessionSecrets" = {
mode = "0400";
user = user;
text = "some_session_secrets";
};
"authelia/testing/users_database.yml" = {
mode = "0400";
user = user;
text = ''
users:
chris:
disabled: false
displayname: Chris Kruining
password: $argon2id$v=19$m=65536,t=3,p=4$xl+ILZXFedOXb0Vb/Pao0Q$jfTun8xPYLQNcsjZCcyCeXMzxHAQWOtR7+4BJ+VS6n4
email: 'chris@kruining.eu'
picture: 'https://avatars.githubusercontent.com/u/5786905?v=4'
groups:
- jellyfin-admins
- jellyfin-users
- admin
- dev
jacqueline:
disabled: false
displayname: Jacqueline Bevers
password: $argon2id$v=19$m=65536,t=3,p=4$XgN8yEJV+syAE5yeos3HsA$SlN+j/lJfxJ5VxLu2CdrwowlCiWQNNGhIrSyDpohq18
groups:
- jellyfin-users
martijn:
disabled: false
displayname: Martijn Kruining
password: $argon2id$v=19$m=65536,t=3,p=4$XgN8yEJV+syAE5yeos3HsA$SlN+j/lJfxJ5VxLu2CdrwowlCiWQNNGhIrSyDpohq18
groups:
- jellyfin-users
andrea:
disabled: false
displayname: Andrea Kruining
password: $argon2id$v=19$m=65536,t=3,p=4$XgN8yEJV+syAE5yeos3HsA$SlN+j/lJfxJ5VxLu2CdrwowlCiWQNNGhIrSyDpohq18
groups:
- jellyfin-users
'';
};
};
services.caddy = {
enable = true;
virtualHosts = {
"auth.kruining.eu".extraConfig = ''
reverse_proxy http://127.0.0.1:9091
'';
};
extraConfig = ''
(auth) {
forward_auth http://127.0.0.1:9091 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
}
'';
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
};
}

86
_modules/system/services/auth/zitadel.nix Normal file
View file

@ -0,0 +1,86 @@
{ config, options, lib, pkgs, ... }:
let
inherit (lib) mkIf mkEnableOption;
cfg = config.modules.services.auth.zitadel;
db_name = "zitadel";
db_user = "zitadel";
in
{
options.modules.services.auth.zitadel = {
enable = mkEnableOption "Zitadel";
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [
zitadel
];
services = {
zitadel = {
enable = true;
openFirewall = true;
masterKeyFile = config.sops.secrets."zitadel/masterKey".path;
tlsMode = "external";
settings = {
Port = 9092;
Database = {
Host = "/run/postgresql";
# Zitadel will report error if port is not set
Port = 5432;
Database = db_name;
User.Username = db_user;
};
};
steps = {
TestInstance = {
InstanceName = "Zitadel test";
Org = {
Name = "Kruining.eu";
Human = {
UserName = "admin";
Password = "kaas";
};
};
};
};
};
postgresql = {
enable = true;
ensureDatabases = [ db_name ];
ensureUsers = [
{
name = db_user;
ensureDBOwnership = true;
}
];
};
caddy = {
enable = true;
virtualHosts = {
"auth-z.kruining.eu".extraConfig = ''
reverse_proxy h2c://127.0.0.1:9092
'';
};
# extraConfig = ''
# (auth) {
# forward_auth h2c://127.0.0.1:9092 {
# uri /api/authz/forward-auth
# copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
# }
# }
# '';
};
};
# Secrets
sops.secrets."zitadel/masterKey" = {
owner = "zitadel";
group = "zitadel";
restartUnits = [ "zitadel.service" ];
};
};
}

4
_modules/system/services/default.nix Normal file
View file

@ -0,0 +1,4 @@
{ ... }:
{
options.modules.services = {};
}

168
_modules/system/services/games/minecraft.nix Normal file
View file

@ -0,0 +1,168 @@
{ inputs, config, lib, pkgs, ... }:
let
inherit (lib.modules) mkIf;
in
{
imports = [
inputs.nix-minecraft.nixosModules.minecraft-servers
];
options.modules.services.games.minecraft = let
inherit (lib.options) mkEnableOption;
in {
enable = mkEnableOption "Minecraft";
};
config = mkIf config.modules.services.games.minecraft.enable {
user.users."minecraft" = {
isSystemUser = true;
group = "minecraft";
};
services = {
minecraft-servers = {
enable = true;
eula = true;
openFirewall = true;
user = "minecraft";
dataDir = "/var/lib/minecraft";
managementSystem = {
tmux.enable = false;
systemd-socket.enable = true;
};
servers = let
whitelist = {
ChrisPBacon = "e6128495-075b-44a9-87f6-8d844d5ea0e4";
satanjr616 = "1718f9d5-df1d-4aac-b10c-3229a0f1e8b2";
Ono95 = "010e7652-6d5d-4f9e-af89-438c8fe694ca";
JackLeLumber = "41910a94-8c8e-4528-a8ca-a2d7043f069d";
DarkyLink = "6faddb7f-12a9-4aac-bc08-dd6db892a380";
Archonite86 = "b5ab594d-de1c-4453-ba32-9107452be51b";
NotACultist86 = "44ac3f7c-0e18-4234-bb04-11a0652cdaeb";
};
ops = [
{
uuid = "e6128495-075b-44a9-87f6-8d844d5ea0e4";
name = "ChrisPBacon";
level = 4;
bypassesPlayerLimit = false;
}
{
uuid = "6faddb7f-12a9-4aac-bc08-dd6db892a380";
name = "DarkyLink";
level = 4;
bypassesPlayerLimit = false;
}
];
jvmOpts = "-Xms2048M -Xmx2048M -XX:+UseG1GC";
in {
vanilla = {
enable = true;
autoStart = true;
restart = "always";
inherit whitelist;
inherit jvmOpts;
package = pkgs.fabricServers.fabric-1_21_4.override { loaderVersion = "0.16.10"; };
serverProperties = {
gamemode = "survival";
difficulty = 3;
motd = "Chris' vanilla server";
white-list = true;
simulation-distance = 10;
server-port = 25501;
level-name = "world";
allow-flight = true;
enable-command-block = true;
enforce-whitelist = true;
spawn-protection = 0;
};
files."ops.json" = {
value = ops;
};
symlinks = let
inherit (builtins) attrValues;
inherit (pkgs) linkFarmFromDrvs fetchurl;
in {
mods = linkFarmFromDrvs "mods" (attrValues {
FabricApi = fetchurl { url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/ZNwYCTsk/fabric-api-0.118.0%2B1.21.4.jar"; sha512 = "1e0d31b6663dc2c7be648f3a5a9cf7b698b9a0fd0f7ae16d1d3f32d943d7c5205ff63a4f81b0c4e94a8997482cce026b7ca486e99d9ce35ac069aeb29b02a30d"; };
Terralith = fetchurl { url = "https://cdn.modrinth.com/data/8oi3bsk5/versions/MuJMtPGQ/Terralith_1.21.x_v2.5.8.jar"; sha512 = "f862ed5435ce4c11a97d2ea5c40eee9f817c908f3223b5fd3e3fff0562a55111d7429dc73a2f1ca0b1af7b1ff6fa0470ed6efebb5de13336c40bb70fb357dd60"; };
# DistantHorizons = fetchurl { url = "https://cdn.modrinth.com/data/uCdwusMi/versions/jptcCdp2/DistantHorizons-2.2.1-a-1.20.4-forge-fabric.jar"; sha512 = "47368d91099d0b5f364339a69f4e425f8fb1e3a7c3250a8b649da76135e68a22f1a76b191c87e15a5cdc0a1d36bc57f2fa825490d96711d09d96807be97d575d"; };
});
};
};
tekxit = let
inherit (pkgs) fetchzip;
src = fetchzip {
url = "https://tekxit.b-cdn.net/downloads/tekxit4/12.0.0Tekxit4Server.zip";
hash = "sha256-4NqeMGOpji/gMH8XX8RemkBAOB9ID/i1S3/xXgD23to=";
stripRoot = true;
};
in {
enable = true;
autoStart = true;
restart = "no";
inherit whitelist;
inherit jvmOpts;
package = pkgs.fabricServers.fabric-1_19_2.override { loaderVersion = "0.16.9"; };
serverProperties = {
gamemode = "survival";
difficulty = 3;
motd = "Chris' vanilla server";
white-list = true;
simulation-distance = 10;
server-port = 25502;
level-name = "world";
allow-flight = true;
enable-command-block = true;
enforce-whitelist = true;
spawn-protection = 0;
};
files = let
inherit (builtins) readDir;
inherit (lib) concatMapAttrs;
readDirRec = src: dir: fn:
concatMapAttrs (name: type: if type == "directory"
then (readDirRec src "${dir}/${name}" fn)
else { "${dir}/${name}" = (fn "${dir}/${name}"); }
) (readDir "${src}/${dir}");
copyDir = dir: readDirRec src dir (x: "${src}/${x}");
in {
"ops.json" = {
value = ops;
};
}
// (copyDir "config");
symlinks = let
inherit (builtins) attrNames readDir map;
inherit (pkgs) linkFarm fetchzip;
linkFarmFromDir = name: dir: linkFarm name (map (x: { name = x; path = "${src}/${dir}/${x}"; }) (attrNames (readDir "${src}/${dir}")));
in {
Deftu = linkFarmFromDir "tekxit-deftu" "Deftu";
TKXAddons = linkFarmFromDir "tekxit-TKXAddons" "TKXAddons";
mods = linkFarmFromDir "tekxit-mods" "mods";
scripts = linkFarmFromDir "tekxit-scripts" "scripts";
};
};
};
};
};
};
}

25
_modules/system/services/games/palworld.nix Normal file
View file

@ -0,0 +1,25 @@
{ config, options, lib, pkgs, ... }:
let
inherit (lib.modules) mkIf;
in
{
options.modules.services.games.palworld = let
inherit (lib.options) mkEnableOption;
in {
enable = mkEnableOption "Palworld";
};
config = mkIf config.modules.services.games.palworld.enable {
# kaas = (pkgs.mkSteamServer rec {
# name = "Palworld";
# src = pkgs.fetchSteam {
# inherit name;
# appId = "2394010";
# hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
# };
#
# sartCmd = "PalServer.sh";
# hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
# });
};
}

167
_modules/system/services/media.nix Normal file
View file

@ -0,0 +1,167 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mkIf;
user = "media";
group = "media";
directory = "/var/media";
in
{
options.modules.services.media = let
inherit (lib.options) mkEnableOption;
in {
enable = mkEnableOption "Media tools";
};
imports = let
extras = fetchTarball {
url = "https://github.com/onny/nixos-nextcloud-testumgebung/archive/fa6f062830b4bc3cedb9694c1dbf01d5fdf775ac.tar.gz";
sha256 = "0gzd0276b8da3ykapgqks2zhsqdv4jjvbv97dsxg0hgrhb74z0fs";
};
in [
"${extras}/nextcloud-extras.nix"
];
config = mkIf config.modules.services.media.enable {
environment.systemPackages = with pkgs; [
podman-tui
jellyfin
jellyfin-web
jellyfin-ffmpeg
jellyseerr
mediainfo
id3v2
yt-dlp
];
# need to permit these outdated packages until servarr finally upgrades at some point...
permittedInsecurePackages = [
"dotnet-sdk-6.0.428"
"aspnetcore-runtime-6.0.36"
];
users = {
users.${user} = {
isSystemUser = true;
group = group;
};
groups.${group} = {};
};
systemd.tmpfiles.rules = [
"d '${directory}/series' 0700 ${user} ${group} - -"
"d '${directory}/movies' 0700 ${user} ${group} - -"
"d '${directory}/music' 0700 ${user} ${group} - -"
"d '${directory}/qbittorrent' 0700 ${user} ${group} - -"
"d '${directory}/sabnzbd' 0700 ${user} ${group} - -"
"d '${directory}/reiverr/config' 0700 ${user} ${group} - -"
"d '${directory}/downloads/incomplete' 0700 ${user} ${group} - -"
"d '${directory}/downloads/done' 0700 ${user} ${group} - -"
];
services = let
serviceConf = {
enable = true;
openFirewall = true;
user = user;
group = group;
};
in {
jellyfin = serviceConf;
radarr = serviceConf;
sonarr = serviceConf;
bazarr = serviceConf;
lidarr = serviceConf;
lanraragi = {
enable = true;
port = 6969;
};
jellyseerr = {
enable = true;
openFirewall = true;
};
prowlarr = {
enable = true;
openFirewall = true;
};
qbittorrent = {
enable = true;
openFirewall = true;
dataDir = "${directory}/qbittorrent";
port = 5000;
user = user;
group = group;
};
sabnzbd = {
enable = true;
openFirewall = true;
configFile = "${directory}/sabnzbd/config.ini";
user = user;
group = group;
};
caddy = {
enable = true;
virtualHosts = {
"media.kruining.eu".extraConfig = ''
import auth
reverse_proxy http://127.0.0.1:9494
'';
"jellyfin.kruining.eu".extraConfig = ''
reverse_proxy http://127.0.0.1:8096
'';
# "series.kruining.eu".extraConfig = ''
# reverse_proxy http://127.0.0.1:8989
# '';
# "movies.kruining.eu".extraConfig = ''
# reverse_proxy http://127.0.0.1:7878
# '';
# "indexer.kruining.eu".extraConfig = ''
# reverse_proxy http://127.0.0.1:9696
# '';
# "torrents.kruining.eu".extraConfig = ''
# reverse_proxy http://127.0.0.1:5000
# '';
# "usenet.kruining.eu".extraConfig = ''
# reverse_proxy http://127.0.0.1:8080
# '';
};
};
};
networking.firewall.allowedTCPPorts = [ 80 443 6969 ];
modules.virtualisation.podman.enable = true;
virtualisation = {
oci-containers = {
backend = "podman";
containers = {
flaresolverr = {
image = "flaresolverr/flaresolverr";
autoStart = true;
ports = [ "127.0.0.1:8191:8191" ];
};
reiverr = {
image = "ghcr.io/aleksilassila/reiverr:v2.2.0";
autoStart = true;
ports = [ "127.0.0.1:9494:9494" ];
volumes = [ "${directory}/reiverr/config:/config" ];
};
};
};
};
systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL";
};
}

79
_modules/system/services/nextcloud.nix Normal file
View file

@ -0,0 +1,79 @@
{ config, lib, pkgs, ... }:
let
inherit (lib.options) mkEnableOption;
inherit (lib.modules) mkIf;
user = "nextcloud";
group = "nextcloud";
in
{
options.modules.services.nextcloud = {
enable = mkEnableOption "Nextcloud";
};
config = mkIf config.modules.services.nextcloud.enable {
users = {
users.${user} = {
isSystemUser = true;
group = group;
};
groups.${group} = {};
};
home-manager.users.${user}.home = {
stateVersion = config.system.stateVersion;
file.".netrc".text = ''
login root
password KaasIsAwesome!
'';
};
services.nextcloud = {
enable = true;
webserver = "caddy";
package = pkgs.nextcloud31;
hostName = "localhost";
config = {
adminpassFile = "/var/lib/nextcloud/admin-pass";
dbtype = "sqlite";
};
};
# systemd.user = {
# services.nextcloud-autosync = {
# Unit = {
# Description = "Automatic nextcloud sync";
# After = "network-online.target";
# };
# WantedBy = [ "multi-user.target" ];
# Service = {
# Type = "simple";
# ExecStart = "${pkgs.nextcloud-client}/bin/nextcloudcmd -h -n --path /var/media/music https://cloud.kruining.eu";
# TimeoutStopSec = "180";
# KillMode = "process";
# KillSignal = "SIGINT";
# };
# };
# timers.nextcloud-autosync = {
# Unit.Description = "Automatic nextcloud sync";
# Timer.OnBootSec = "5min";
# Timer.OnUnitActiveSec = "60min";
# Install.WantedBy = [ "multi-user.target" "timers.target" ];
# };
# startServices = true;
# };
services.caddy = {
enable = true;
virtualHosts."cloud.kruining.eu".extraConfig = ''
php_fastcgi unix//run/phpfpm/nextcloud.sock {
env front_controller_active true
}
'';
};
};
}

29
_modules/system/services/security.nix Normal file
View file

@ -0,0 +1,29 @@
{ config, lib, pkgs, ... }:
let
inherit (lib.options) mkEnableOption;
inherit (lib.modules) mkIf;
cfg = config.modules.services.security;
in
{
options.modules.services.security = {
enable = mkEnableOption "Security service(s): Vaultwarden";
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [
vaultwarden
vaultwarden-postgresql
];
services.vaultwarden = {
enable = true;
dbBackend = "postgresql";
config = {
SIGNUPS_ALLOWED = false;
DOMAIN = "https://passwords.kruining.eu";
};
};
};
}