diff --git a/README.md b/README.md index f0227a8..825bc9b 100755 --- a/README.md +++ b/README.md @@ -6,6 +6,10 @@ nix flake config! this is just used on my personal server at the moment this flake is built for a multi-user experience per host, enforced by [`modules/users.nix`](./modules/users.nix), and found in the `default.nix` file for each host. +## secrets + +run `rg /etc/secrets/` to see where you need to add secret files when deploying on new systems + ## todo - find a better way to do cloudflare ips diff --git a/default.nix b/default.nix index 2505a00..b0dcf7f 100755 --- a/default.nix +++ b/default.nix @@ -8,6 +8,7 @@ in { imports = [ inputs.home-manager.nixosModules.home-manager + inputs.amdl.nixosModules.default inputs.vscode-server.nixosModules.default ] ++ (mapModulesRec' (toString ./modules) import); diff --git a/flake.lock b/flake.lock old mode 100755 new mode 100644 index 1901fe1..6acf82f --- a/flake.lock +++ b/flake.lock @@ -1,8 +1,27 @@ { "nodes": { + "amdl": { + "inputs": { + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1747635452, + "narHash": "sha256-h2cyRLeBwIhtjkkrmDUkPYpY4i3CwkWh7D1M5U9TblY=", + "ref": "refs/heads/main", + "rev": "1c247a133f1d023ed85b56f8fc3fa161837861bb", + "revCount": 12, + "type": "git", + "url": "https://git.reidlab.pink/reidlab/amdl.git" + }, + "original": { + "type": "git", + "url": "https://git.reidlab.pink/reidlab/amdl.git" + } + }, "flake-utils": { "inputs": { - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1681202837, 
@@ -54,6 +73,22 @@ } }, "nixpkgs": { + "locked": { + "lastModified": 1739866667, + "narHash": "sha256-EO1ygNKZlsAC9avfcwHkKGMsmipUk1Uc0TbrEZpkn64=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "73cf49b8ad837ade2de76f87eb53fc85ed5d4680", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { "locked": { "lastModified": 1742422364, "narHash": "sha256-mNqIplmEohk5jRkqYqG19GA8MbQ/D4gQSK0Mu4LvfRQ=", @@ -69,7 +104,7 @@ "type": "github" } }, - "nixpkgs_2": { + "nixpkgs_3": { "locked": { "lastModified": 1682134069, "narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=", @@ -85,13 +120,29 @@ }, "root": { "inputs": { + "amdl": "amdl", "hardware": "hardware", "home-manager": "home-manager", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "vscode-server": "vscode-server" } }, "systems": { + "locked": { + "lastModified": 1689347949, + "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", + "owner": "nix-systems", + "repo": "default-linux", + "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default-linux", + "type": "github" + } + }, + "systems_2": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", @@ -109,7 +160,7 @@ "vscode-server": { "inputs": { "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_3" }, "locked": { "lastModified": 1729422940, diff --git a/flake.nix b/flake.nix index fc5a260..ee33fb5 100755 --- a/flake.nix +++ b/flake.nix @@ -9,6 +9,8 @@ hardware.url = "github:nixos/nixos-hardware"; + amdl.url = "git+https://git.reidlab.pink/reidlab/amdl.git"; + vscode-server.url = "github:nix-community/nixos-vscode-server"; }; 
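Review bot: The new `amdl` input does not follow the flake's own nixpkgs, so the lock now carries a second nixpkgs tree: in the flake.lock hunks the `amdl` node points at its own `nixpkgs` rev while the root input moves to `nixpkgs_2`, which means two nixpkgs evaluations and a second copy of every transitive dependency to track and patch. Adding `amdl.inputs.nixpkgs.follows = "nixpkgs";` next to the url keeps one nixpkgs for the whole system; confirm that `amdl` accepts the override, since its flake.nix is not visible here. The `git+https://...` url carries no `ref` or `rev`; the lock pins the revision today, so this only matters for `nix flake update`, which will silently take whatever `main` points at. The `inputs` block this hunk edits begins outside the hunk.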
@@ -21,7 +23,7 @@ import pkgs { inherit system; config.allowUnfree = true; - config.allowAliases = false; + config.allowAliases = true; overlays = extraOverlays ++ (lib.attrValues self.overlays); }; pkgs = mkPkgs nixpkgs [ self.overlays.default ]; diff --git a/hosts/nixos-server-reid/webapps/default.nix b/hosts/nixos-server-reid/webapps/default.nix index 336a23f..56beee5 100755 --- a/hosts/nixos-server-reid/webapps/default.nix +++ b/hosts/nixos-server-reid/webapps/default.nix @@ -30,6 +30,11 @@ in { enable = true; domain = "grafana.reidlab.pink"; }; + + amdl = { + enable = true; + domain = "amdl.reidlab.pink"; + }; }; }; @@ -40,6 +45,7 @@ in { add_header Access-Control-Allow-Origin "*"; ''; # TODO: we should perhaps add something to help with this in staticSites? + # just seems a little redundant if we get more pages like this extraConfig = '' error_page 404 /404.html; ''; diff --git a/modules/services/amdl.nix b/modules/services/amdl.nix new file mode 100644 index 0000000..0640c2d --- /dev/null +++ b/modules/services/amdl.nix @@ -0,0 +1,39 @@ +{ config, lib, pkgs, options, ... }: + +with lib; +let + cfg = config.modules.services.amdl; +in { + options.modules.services.amdl = { + enable = mkEnableOption "enable amdl, an apple music download server"; + port = mkOption { + type = types.int; + default = 3001; + }; + domain = mkOption { + type = types.str; + default = "amdl.reidlab.pink"; + }; + }; + + config = mkIf cfg.enable { + services.amdl = { + enable = true; + + stateDir = "/var/lib/${cfg.domain}"; + env = { + MEDIA_USER_TOKEN = builtins.readFile /etc/secrets/amdl/media_user_token; + WIDEVINE_CLIENT_ID = builtins.readFile /etc/secrets/amdl/widevine_client_id; + WIDEVINE_PRIVATE_KEY = builtins.readFile /etc/secrets/amdl/widevine_private_key; + }; + }; + + services.nginx.virtualHosts."${cfg.domain}" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://127.0.0.1:${cfg.port}"; + }; + }; + }; +} 
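Review bot: `config.allowAliases = true;` reverses a setting that was presumably left off on purpose so that evaluation fails on deprecated package names, and the hunk gives no reason for flipping it. If it is needed because the new `amdl` input references an aliased nixpkgs attribute, say so in a comment, e.g. `# amdl still uses an aliased nixpkgs attribute; revert to false once fixed upstream`, so the next reader knows when it can go back. The `mkPkgs` definition this line belongs to begins outside the hunk.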
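Review bot: `builtins.readFile /etc/secrets/amdl/...` reads the three credentials at evaluation time, so their contents land in whatever `services.amdl.env` renders to (a unit file or environment file) in `/nix/store`, which is world-readable on the host and travels with the closure to any machine it is copied to. Keep the values out of evaluation: hand the service the path and let it be read at runtime (`EnvironmentFile=` / `LoadCredential=` on the unit, or a file-based option if the upstream `amdl` module offers one — its options are not visible here), with the files owned by the service user and mode 0400. `readFile` also keeps the trailing newline, which a header-based token check may reject. Separately, `proxyPass = "http://127.0.0.1:${cfg.port}"` interpolates an `int`, which Nix rejects with "cannot coerce an integer to a string"; it needs `toString cfg.port`, and the same line in the last forgejo.nix hunk has the same defect. The `port` option is never passed to `services.amdl` either, so nginx reaches 3001 only if that happens to be the upstream module's default.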
diff --git a/modules/services/forgejo.nix b/modules/services/forgejo.nix
index c93bcee..eb58a95 100755
--- a/modules/services/forgejo.nix
+++ b/modules/services/forgejo.nix
@@ -6,6 +6,10 @@ let
 in {
 options.modules.services.forgejo = {
 enable = mkEnableOption "enable forgejo, a lightweight git server";
+ port = mkOption {
+ type = types.int;
+ default = 3000;
+ };
 domain = mkOption {
 type = types.str;
 default = "git.reidlab.pink";
@@ -26,6 +30,7 @@ in {
 INSTALL_LOCK = true;
 PASSWORD_HASH_ALGO = "argon2";
 PASSWORD_CHECK_PWN = true;
+ REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128";
 };
 "ui.meta" = {
 AUTHOR = "reidlab";
@@ -33,7 +38,8 @@ in {
 };
 "server" = {
 DOMAIN = cfg.domain;
- PROTOCOL = "http+unix";
+ PROTOCOL = "http";
+ HTTP_PORT = cfg.port;
 ROOT_URL = "https://${cfg.domain}/";
 };
 "repository" = {
@@ -60,7 +66,7 @@ in {
 forceSSL = true;
 enableACME = true;
 locations."/" = {
- proxyPass = "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}";
+ proxyPass = "http://127.0.0.1:${cfg.port}";
 extraConfig = ''
 client_max_body_size 512M;
 '';
diff --git a/modules/services/metrics.nix b/modules/services/metrics.nix
index 5926e0a..3575655 100644
--- a/modules/services/metrics.nix
+++ b/modules/services/metrics.nix
@@ -16,15 +16,15 @@ in {
 };
 grafanaPort = mkOption {
 type = types.int;
- default = 3000;
+ default = 2000;
 };
 promtailPort = mkOption {
 type = types.int;
- default = 3001;
+ default = 2001;
 };
 lokiPort = mkOption {
 type = types.int;
- default = 3002;
+ default = 2002;
 };
 prometheusPort = mkOption {
 type = types.int;
diff --git a/modules/services/mysql.nix b/modules/services/mysql.nix
index 87fbe9e..79e77ca 100644
--- a/modules/services/mysql.nix
+++ b/modules/services/mysql.nix
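Review bot: The new `port` option is declared as `types.int`, which accepts negative values and anything above 65535; `types.port` exists for exactly this and fails evaluation on an out-of-range value. Use `type = types.port;` here, and likewise for the `port` option in the new amdl.nix and the `port`/`sslPort` options in nginx-conf.nix, which are declared the same way. The pre-existing `*Port` options in metrics.nix use `types.int` too, so this matches the file's history, but it is cheap to fix while these lines are being touched.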
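Review bot: Switching `PROTOCOL` from `http+unix` to `http` without setting `HTTP_ADDR` leaves the bind address to the nixpkgs forgejo module's default, which I believe is `0.0.0.0`; if so, Forgejo is now reachable directly on port 3000 from every interface, bypassing nginx and the `REVERSE_PROXY_TRUSTED_PROXIES` allowlist added in the previous hunk. Add `HTTP_ADDR = "127.0.0.1";` next to `HTTP_PORT = cfg.port;` (or a firewall rule) so only the local proxy can reach it, and confirm the module default against the nixpkgs revision in the lock. The unix socket gave that isolation for free, so a one-line comment on why the listener moved to TCP would help the next reader.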
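Review bot: The three defaults move from 3000-3002 to 2000-2002 with no stated reason; this looks like it dodges the forgejo (3000) and amdl (3001) listeners introduced elsewhere in this commit, but nothing in the file records that. A comment above `grafanaPort`, e.g. `# 3000-3002 are taken by forgejo and amdl (modules/services/{forgejo,amdl}.nix)`, would keep the next service from reusing them. Changing the defaults also moves the listening ports of existing deployments on upgrade, so anything that reached these services by port directly needs updating.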
@@ -5,10 +5,7 @@ let cfg = config.modules.services.mysql; in { options.modules.services.mysql = { - enable = mkOption { - type = types.bool; - default = false; - }; + enable = mkEnableOption "enable mysql, a relational database management system"; }; config = mkIf cfg.enable { diff --git a/modules/services/nginx-conf.nix b/modules/services/nginx-conf.nix index 4653da2..5cc9bbf 100755 --- a/modules/services/nginx-conf.nix +++ b/modules/services/nginx-conf.nix @@ -6,6 +6,14 @@ let in { options.modules.services.nginx-config = { enable = mkEnableOption "enable and configure nginx, a high performance web server"; + port = mkOption { + type = types.int; + default = 80; + }; + sslPort = mkOption { + type = types.int; + default = 443; + }; }; config = mkIf cfg.enable { @@ -19,6 +27,9 @@ in { services.nginx = { enable = true; + defaultHTTPListenPort = cfg.port; + defaultSSLListenPort = cfg.sslPort; + recommendedTlsSettings = true; recommendedOptimisation = true; recommendedGzipSettings = true; diff --git a/packages/.gitkeep b/packages/.gitkeep old mode 100755 new mode 100644
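Review bot: `mkEnableOption` prefixes its argument with "Whether to enable ", so `mkEnableOption "enable mysql, ..."` renders as "Whether to enable enable mysql, a relational database management system." in the generated option docs. Drop the leading verb: `enable = mkEnableOption "mysql, a relational database management system";`. The new amdl.nix option (`mkEnableOption "enable amdl, ..."`) and the existing forgejo and nginx-config descriptions visible in this diff have the same doubled "enable".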
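Review bot: `defaultHTTPListenPort = cfg.port;` makes the plain-HTTP listener configurable, but the `enableACME` virtual hosts in forgejo.nix and amdl.nix depend on the http-01 challenge being reachable on port 80 from the internet; if `port` is ever set to something else, certificate issuance will fail unless traffic is forwarded to the new port. A note on the `port` option, e.g. `# ACME http-01 still needs port 80 reachable; forward it if this is changed`, would record that constraint. The `services.nginx` block this hunk edits begins outside the hunk.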