feat: simplify configuration

This commit is contained in:
Guz
2025-09-13 11:28:42 -03:00
parent c05c137e90
commit 40b0e0af69
41 changed files with 265 additions and 3685 deletions


@@ -1,61 +0,0 @@
{
config,
lib,
...
}: let
cfg = config.services.adguardhome;
in {
imports = [];
options.services.adguardhome = with lib;
with lib.types; {
dns.filters = mkOption {
type = attrsOf (submodule ({lib, ...}: {
options = {
name = mkOption {
type = nullOr str;
default = null;
};
url = mkOption {
type = str;
};
enabled = mkOption {
type = bool;
default = true;
};
};
}));
default = {};
};
dns.rewrites = mkOption {
type = attrsOf str;
default = {};
};
};
config = with lib;
mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [53];
networking.firewall.allowedUDPPorts = [53 51820];
services.adguardhome = {
settings = {
filtering.rewrites = builtins.attrValues (builtins.mapAttrs
(from: to: {
domain = from;
answer = to;
})
cfg.dns.rewrites);
filters = attrValues (mapAttrs
(id: list: {
name =
if isNull list.name
then id
else list.name;
ID = id;
url = list.url;
enabled = list.enabled;
})
cfg.dns.filters);
};
};
};
}


@@ -1,155 +0,0 @@
{
config,
lib,
pkgs-unstable,
...
}: let
cfg = config.services.anubis;
in {
options.services.anubis = with lib; {
enable = mkEnableOption "Enable anubis systemd services";
user = mkOption {
type = with types; str;
default = "anubis";
};
group = mkOption {
type = with types; str;
default = cfg.user;
};
package = mkOption {
type = with types; package;
default = pkgs-unstable.callPackage ./derivation.nix {}; # it uses Golang 1.24.1
};
instances = mkOption {
type = with types;
attrsOf (submodule ({
config,
lib,
...
}: {
options = with lib; {
user = mkOption {
type = with types; str;
default = cfg.user;
};
group = mkOption {
type = with types; str;
default = cfg.group;
};
bind = mkOption {
type = with types; str;
default = ":8923";
};
bindNetwork = mkOption {
type = with types; (enum ["tcp" "tcp4" "tcp6" "unix" "unixpacket"]);
default = "tcp";
};
cookieDomain = mkOption {
type = with types; str;
default = "";
};
cookiePartitioned = mkOption {
type = with types; bool;
default = false;
};
difficulty = mkOption {
type = with types; ints.unsigned;
default = 5;
};
ed25519PrivateKeyHex = mkOption {
type = with types; str;
default = "";
};
ed25519PrivateKeyHexFile = mkOption {
type = with types; (either str path);
default = "";
};
metricsBind = mkOption {
type = with types; str;
default = ":9090";
};
metricsBindNetwork = mkOption {
type = with types; (enum ["tcp" "tcp4" "tcp6" "unix" "unixpacket"]);
default = "tcp";
};
socketMode = mkOption {
type = with types; nullOr ints.unsigned;
default = null;
};
policyFName = mkOption {
type = with types; str;
default = "";
};
serveRobotsTxt = mkOption {
type = with types; bool;
default = false;
};
target = mkOption {
type = with types; str;
default = "http://localhost:3923";
};
useRemoteAddress = mkOption {
type = with types; bool;
default = false;
};
};
}));
default = {};
};
};
config = lib.mkIf cfg.enable {
systemd.services = with lib;
with lib.attrsets;
mapAttrs' (n: v:
nameValuePair "anubis-${n}" {
after = ["network.target"];
wantedBy = ["multi-user.target"];
environment = {
BIND = toString v.bind;
BIND_NETWORK = toString v.bindNetwork;
COOKIE_DOMAIN = toString v.cookieDomain;
COOKIE_PARTITIONED = toString v.cookiePartitioned;
DIFFICULTY = toString v.difficulty;
ED25519_PRIVATE_KEY_HEX = toString v.ed25519PrivateKeyHex;
ED25519_PRIVATE_KEY_HEX_FILE = toString v.ed25519PrivateKeyHexFile;
METRICS_BIND = toString v.metricsBind;
METRICS_BIND_NETWORK = toString v.metricsBindNetwork;
SOCKET_MODE = mkIf (!isNull v.socketMode) (toString v.socketMode);
POLICY_FNAME = toString v.policyFName;
SERVE_ROBOTS_TXT = toString v.serveRobotsTxt;
TARGET = toString v.target;
USE_REMOTE_ADDRESS = toString v.useRemoteAddress;
};
serviceConfig = {
Type = "simple";
User = v.user;
Group = v.user;
ExecStart = "${escapeShellArg (getExe cfg.package)}";
Restart = "on-success";
};
})
cfg.instances;
users.users = with lib.attrsets;
(mapAttrs' (n: v:
nameValuePair (v.user) {
isSystemUser = true;
group = v.group;
})
cfg.instances)
// {
"${cfg.user}" = {
isSystemUser = true;
group = cfg.group;
};
};
users.groups = with lib.attrsets;
(mapAttrs' (n: v:
nameValuePair (v.user) {})
cfg.instances)
// {
"${cfg.group}" = {};
};
};
}


@@ -1,25 +0,0 @@
{
buildGoModule,
fetchFromGitHub,
...
}:
buildGoModule {
name = "Anubis";
pname = "anubis";
version = "1.15.2";
src = fetchFromGitHub {
owner = "TecharoHQ";
repo = "anubis";
rev = "35e0a8179a70678708ceb90c9a285940f99b9774";
hash = "sha256-5OqpmuRTrM+hseIhR2sTb+K01Co6X+Rhb6mN+U54NAI=";
};
vendorHash = "sha256-Rcra5cu7zxGm2LhL2x9Kd3j/uQaEb8OOh/j5Rhh8S1k=";
doCheck = false;
meta = {
mainProgram = "anubis";
};
}


@@ -1,11 +0,0 @@
{...}: {
imports = [
./adguardhome.nix
./anubis
./forgejo
./locales.nix
./medama.nix
./nh
./tailscale.nix
];
}


@@ -154,23 +154,23 @@ in {
virtualisation.docker.enable = mkIf cfg.actions.enable (mkDefault true);
virtualisation.oci-containers.backend = mkIf cfg.actions.enable (mkDefault "docker");
services.gitea-actions-runner = mkIf cfg.actions.enable {
package =
if config.services.gitea.enable
then pkgs.gitea-actions-runner
else pkgs.forgejo-actions-runner;
instances."forgejo${toString cfg.settings.server.HTTP_PORT}" = {
enable = mkDefault true;
token = mkDefault cfg.actions.token;
name = mkDefault "${cfg.settings.DEFAULT.APP_NAME} - Actions";
url = cfg.actions.url;
labels = mkDefault cfg.actions.labels;
settings = {
runner = {
insecure = true;
};
};
};
};
# services.gitea-actions-runner = mkIf cfg.actions.enable {
# package =
# if config.services.gitea.enable
# then pkgs.gitea-actions-runner
# else pkgs.forgejo-actions-runner;
# instances."forgejo${toString cfg.settings.server.HTTP_PORT}" = {
# enable = mkDefault true;
# token = mkDefault cfg.actions.token;
# name = mkDefault "${cfg.settings.DEFAULT.APP_NAME} - Actions";
# url = cfg.actions.url;
# labels = mkDefault cfg.actions.labels;
# settings = {
# runner = {
# insecure = true;
# };
# };
# };
# };
};
}
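Review bot: The `services.gitea-actions-runner` definition survives as an 18-line commented-out copy next to the live one, and since the `+`/`-` markers are lost on this rendered page I cannot tell from the hunk which side is new. If the commented-out copy is the new state, it should be deleted outright (history keeps it) or left as a real option gated on `cfg.actions.enable`, which the surviving `mkIf cfg.actions.enable` on the `virtualisation.docker.enable` line already provides; commented-out Nix cannot be evaluated and drifts silently. If the block is instead being re-enabled, the `settings.runner.insecure = true;` line deserves a comment stating why the runner talks to the instance without TLS verification, e.g. `# insecure: runner reaches the instance over plain HTTP on the local network`. The enclosing `config` attribute set begins above this hunk.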


@@ -1,64 +0,0 @@
{
config,
lib,
...
}: let
cfg = config.profiles.locale;
in {
imports = [];
options.profiles.locale = with lib;
with lib.types; {
enable = mkEnableOption "";
locale = mkOption {
type = str;
default = "en_US.UTF-8";
};
extraLocales = mkOption {
type = attrsOf str;
default = rec {
LC_ADDRESS = "pt_BR.UTF-8";
LC_IDENTIFICATION = LC_ADDRESS;
LC_MEASUREMENT = LC_ADDRESS;
LC_MONETARY = LC_ADDRESS;
LC_NAME = LC_ADDRESS;
LC_NUMERIC = LC_ADDRESS;
LC_PAPER = LC_ADDRESS;
LC_TELEPHONE = LC_ADDRESS;
LC_TIME = LC_ADDRESS;
};
};
keymap.layout = mkOption {
type = str;
default = "br";
};
keymap.variant = mkOption {
type = str;
default = "";
};
keymap.console = mkOption {
type = str;
default = "br-abnt2";
};
timeZone = mkOption {
type = str;
default = "America/Sao_Paulo";
};
};
config = {
i18n = {
defaultLocale = cfg.locale;
extraLocaleSettings = cfg.extraLocales;
};
services.xserver = {
xkb.layout = cfg.keymap.layout;
xkb.variant = cfg.keymap.variant;
};
console.keyMap = cfg.keymap.console;
time = {
timeZone = cfg.timeZone;
};
};
}


@@ -1,26 +0,0 @@
{
config,
lib,
pkgs,
...
}: let
cfg = config.programs.nh;
wrapper = pkgs.writeShellScriptBin "nh" ''
function alejandra() { ${pkgs.alejandra}/bin/alejandra "$@"; }
function git() { ${pkgs.git}/bin/git "$@"; }
function lazygit() { ${pkgs.lazygit}/bin/lazygit "$@"; }
function nh() { ${pkgs.nh}/bin/nh "$@"; }
function shellharden() { ${pkgs.shellharden}/bin/shellharden "$@"; }
FLAKE_DIR=${toString cfg.flake}
${builtins.readFile ./wrapper.sh}
'';
in {
options.programs.nh = with lib; with lib.types; {};
config = with lib;
mkIf cfg.enable {
programs.nh.package = wrapper;
# programs.nh.clean.enable = mkDefault true;
};
}


@@ -1,154 +0,0 @@
function set_colors() {
COLOR_CYAN='\033[0;35m'
COLOR_RED='\033[0;31m'
COLOR_YELLOW='\033[1;33m'
COLOR_NC='\033[0m'
}
function set_labels() {
set_colors
function echo_info() {
if [ -t 1 ]; then
echo -e "${COLOR_CYAN}INFO:${COLOR_NC} $@";
else
echo -e "INFO: $@";
fi
}
function echo_warn() {
if [ -t 1 ]; then
echo -e "${COLOR_YELLOW}WARN:${COLOR_NC} $@";
else
echo -e "WARN: $@";
fi
}
function echo_error() {
if [ -t 1 ]; then
echo -e "${COLOR_RED}ERRO:${COLOR_NC} $@";
else
echo -e "ERRO: $@";
fi
}
}
set_labels
function decrypt_lesser_secrets() {
set -e
pushd "$FLAKE_DIR" > /dev/null
for f in ./secrets/*.lesser.*; do
local filename="$(basename -- "$f")"
local extension="${filename##*.}"
local filename="${filename%.*}"
local subextenstion="${filename##*.}"
if [[ "$subextenstion" == "decrypted" ]]; then
echo_warn "$PREFIX - File already decrypted! file=$f"
else
echo_info "$PREFIX - Decrypting lesser secret file. file=$f"
sops --output "./secrets/$filename.decrypted.$extension" -d "$f"
fi
done
echo_info "$PREFIX - Adding decrypted secret files"
git add ./secrets/*.decrypted.*
popd > /dev/null
}
function remove_decrypted_secrets() {
set -e
pushd "$FLAKE_DIR" > /dev/null
echo_info "$PREFIX - Removing descrypted files"
for f in "$FLAKE_DIR"/secrets/*.decrypted.*; do
echo_info "$PREFIX - Removing descrypted files. file=$f"
git reset "$f"
rm "$f"
done
popd > /dev/null
}
function format_files() {
set -e
pushd "$FLAKE_DIR" > /dev/null
echo_info "$PREFIX - Formatting *.nix files"
alejandra . &>/dev/null \
|| (alejandra . ; \
echo_error - "$PREFIX - Failed to format files" \
&& exit 1)
echo_info "$PREFIX - Formatting *.sh files"
find "$FLAKE_DIR" -type f -name "*.sh" -execdir shellharden --replace {} \;
popd > /dev/null
}
function build_os() {
set -e
pushd "$FLAKE_DIR" > /dev/null
echo_info "$PREFIX - Building NixOS"
nh os switch "$@" "$FLAKE_DIR" \
|| (echo_error "$PREFIX - Failed to build NixOS" \
&& remove_decrypted_secrets \
&& exit 1)
popd > /dev/null
}
case "$1" in
"os")
case "$2" in
"switch")
PREFIX="nh os switch"
decrypt_lesser_secrets
format_files
shift 2
build_os "$@"
remove_decrypted_secrets
;;
*) echo_error "\"$2\" subcommand does not exist"
;;
esac
;;
"edit")
pushd "$FLAKE_DIR" > /dev/null
"$EDITOR" .
popd > /dev/null
;;
"sync")
pushd "$FLAKE_DIR" > /dev/null
lazygit
popd > /dev/null
;;
"secrets")
PREFIX="nh secrets"
case "$2" in
"-d"|"--decrypt") decrypt_lesser_secrets
;;
"-r"|"--remove") remove_decrypted_secrets
;;
esac
;;
"format")
pushd "$FLAKE_DIR" > /dev/null
format_files
popd > /dev/null
;;
"--")
shift 1
nh "$@"
;;
*) echo_error "\"$1\" command does not exist"
;;
esac


@@ -1,47 +0,0 @@
{
config,
lib,
...
}: let
cfg = config.services.tailscale;
in {
imports = [];
options.services.tailscale = with lib;
with lib.types; {
exitNode = mkOption {
type = bool;
default = false;
};
};
config = with lib;
mkIf cfg.enable {
services.tailscale = {
extraUpFlags = [
(
if cfg.exitNode
then "--advertise-exit-node"
else null
)
(
if cfg.exitNode
then "--exit-node"
else null
)
];
useRoutingFeatures = mkDefault (
if cfg.exitNode
then "server"
else "client"
);
};
systemd.services."tailscaled" = mkIf config.services.caddy.enable (mkDefault {
serviceConfig = {
Environment = ["TS_PERMIT_CERT_UID=caddy"];
};
});
boot.kernel.sysctl."net.ipv4.ip_forward" = mkIf cfg.exitNode (mkDefault 1);
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = mkIf cfg.exitNode (mkDefault 1);
};
}