xyno/nix-configs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

initial(ish) commit

Browse source
This commit is contained in:
Philipp Hochkamp 2022-03-01 23:53:11 +01:00
commit b744693f0e
No known key found for this signature in database
GPG key ID: 3676AB4CB36E5641
88 changed files with 4925 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

49
nixos-modules/services/bitwarden.nix Normal file
View file

@ -0,0 +1,49 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.services.bitwarden;
domain = config.ragon.services.nginx.domain;
in
{
options.ragon.services.bitwarden.enable = lib.mkEnableOption "Enables the vaultwarden BitWarden Server";
options.ragon.services.bitwarden.domainPrefix =
lib.mkOption {
type = lib.types.str;
default = "bw";
};
config = lib.mkIf cfg.enable {
services.vaultwarden = {
enable = true;
# backupDir = "/backups/vaultwarden";
config = {
domain = "https://${cfg.domainPrefix}.${domain}";
signupsAllowed = false;
rocketPort = 8222;
rocketAddress = "127.0.0.1";
databaseUrl = "postgresql://%2Frun%2Fpostgresql/vaultwarden";
webVaultEnabled = true;
};
dbBackend = "postgresql";
};
services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
locations."/".proxyPass = "http://${config.services.vaultwarden.config.rocketAddress}:${toString config.services.vaultwarden.config.rocketPort}";
};
services.postgresql = {
enable = true;
# Ensure the database, user, and permissions always exist
ensureDatabases = [ "vaultwarden" ];
ensureUsers = [
{
name = "vaultwarden";
ensurePermissions."DATABASE vaultwarden" = "ALL PRIVILEGES";
}
];
};
ragon.persist.extraDirectories = [
"/var/lib/vaultwarden"
];
};
}

60
nixos-modules/services/ddns.nix Normal file
View file

@ -0,0 +1,60 @@
{ config, lib, pkgs, ... }:
with lib;
with lib.my;
let
cfg = config.ragon.services.ddns;
domain = config.ragon.services.nginx.domain;
dataDir = "/var/lib/inadyn";
cacheDir = "/var/cache/inadyn";
in
{
options.ragon.services.ddns.enable = mkEnableOption "Enables CloudFlare DDNS to the domain specified in ragon.services.nginx.domain and all subdomains";
options.ragon.services.ddns.ipv4 = mkBoolOpt true;
options.ragon.services.ddns.ipv6 = mkBoolOpt true;
config = mkIf cfg.enable {
systemd.services.inadyn = {
description = "inadyn DDNS Client";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = rec {
Type = "simple";
ExecStart =
pkgs.writeScript "run-inadyn.sh" ''
#!${pkgs.bash}/bin/bash
export PATH=$PATH:${pkgs.bash}/bin/bash # idk if that helps
source ${config.age.secrets.cloudflareAcme.path}
cat >/run/${RuntimeDirectory}/inadyn.cfg <<EOF
period = 180
user-agent = Mozilla/5.0
allow-ipv6 = true
${optionalString cfg.ipv4 ''
# ipv4
provider cloudflare.com:1 {
checkip-server = ipv4.icanhazip.com
username = ${domain}
password = $CLOUDFLARE_DNS_API_TOKEN
hostname = ${domain}
}
''}
${optionalString cfg.ipv6 ''
# ipv6
provider cloudflare.com:2 {
checkip-server = ipv6.icanhazip.com
username = ${domain}
password = $CLOUDFLARE_DNS_API_TOKEN
hostname = ${domain}
}
''}
EOF
exec ${pkgs.inadyn}/bin/inadyn -n --cache-dir=${cacheDir} -f /run/${RuntimeDirectory}/inadyn.cfg
'';
RuntimeDirectory = StateDirectory;
StateDirectory = builtins.baseNameOf dataDir;
};
};
systemd.tmpfiles.rules = [
"d ${cacheDir} 1777 root root 10m"
];
ragon.agenix.secrets.cloudflareAcme = { };
};
}

16
nixos-modules/services/docker.nix Normal file
View file

@ -0,0 +1,16 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.services.docker;
in
{
options.ragon.services.docker.enable = lib.mkEnableOption "Enables docker";
config = lib.mkIf cfg.enable {
virtualisation.oci-containers.backend = "docker";
virtualisation.docker.enable = true;
ragon.user.extraGroups = [ "docker" "podman" ];
ragon.persist.extraDirectories = [
"/var/lib/docker"
"/var/cache/docker"
];
};
}

49
nixos-modules/services/gitlab.nix Normal file
View file

@ -0,0 +1,49 @@
{ config, lib, pkgs, ... }:
with lib;
with lib.my;
let
cfg = config.ragon.services.gitlab;
domain = config.ragon.services.nginx.domain;
in
{
options.ragon.services.gitlab.enable = mkEnableOption "Enables gitlab";
options.ragon.services.gitlab.domainPrefix =
mkOption {
type = lib.types.str;
default = "gitlab";
};
config = lib.mkIf cfg.enable {
services.gitlab = {
enable = true;
https = true;
initialRootPasswordFile = "${config.age.secrets.gitlabInitialRootPassword.path}";
port = 443;
host = "${cfg.domainPrefix}.${domain}";
secrets = {
dbFile = "${config.age.secrets.gitlabDBFile.path}";
jwsFile = "${config.age.secrets.gitlabJWSFile.path}";
otpFile = "${config.age.secrets.gitlabOTPFile.path}";
secretFile = "${config.age.secrets.gitlabSecretFile.path}";
};
};
ragon.agenix.secrets = foldl (a: b: a // b) { } (map (a: { ${a} = { owner = "gitlab"; }; }) [
"gitlabDBFile"
"gitlabInitialRootPassword"
"gitlabJWSFile"
"gitlabOTPFile"
"gitlabSecretFile"
]);
services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {
useACMEHost = "${domain}";
forceSSL = true;
locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
locations."/".extraConfig = "client_max_body_size 4G;";
};
ragon.persist.extraDirectories = [
"${config.services.postgresql.dataDir}"
"${config.services.gitlab.statePath}"
];
};
}

32
nixos-modules/services/grafana.nix Normal file
View file

@ -0,0 +1,32 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.services.grafana;
domain = config.ragon.services.nginx.domain;
in
{
options.ragon.services.grafana.enable = lib.mkEnableOption "Enables grafana";
options.ragon.services.grafana.domainPrefix =
lib.mkOption {
type = lib.types.str;
default = "grafana";
};
config = lib.mkIf cfg.enable {
services.grafana = {
enable = true;
domain = "${cfg.domainPrefix}.${domain}";
rootUrl = "https://${cfg.domainPrefix}.${domain}/";
};
services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {
useACMEHost = "${domain}";
addSSL = true;
locations = {
"/".proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
"/".proxyWebsockets = true;
};
};
ragon.persist.extraDirectories = [
"${config.services.grafana.dataDir}"
];
};
}

55
nixos-modules/services/hedgedoc.nix Normal file
View file

@ -0,0 +1,55 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.services.hedgedoc;
domain = config.ragon.services.nginx.domain;
in
{
options.ragon.services.hedgedoc.enable = lib.mkEnableOption "Enables the hedgedoc BitWarden Server";
options.ragon.services.hedgedoc.domainPrefix =
lib.mkOption {
type = lib.types.str;
default = "md";
};
config = lib.mkIf cfg.enable {
services.hedgedoc = {
enable = true;
environmentFile = "${config.age.secrets.hedgedocSecret.path}";
configuration = {
protocolUseSSL = true;
sessionSecret = "$SESSION_SECRET";
allowEmailRegister = false;
domain = "${cfg.domainPrefix}.${domain}";
db = {
dialect = "postgres";
host = "/run/postgresql";
database = "hedgedoc";
};
allowAnonymousEdits = false;
allowFreeURL = true;
};
};
ragon.agenix.secrets.hedgedocSecret.owner = "hedgedoc";
services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
locations."/".proxyWebsockets = true;
locations."/".proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.configuration.port}";
};
services.postgresql = {
enable = true;
# Ensure the database, user, and permissions always exist
ensureDatabases = [ "hedgedoc" ];
ensureUsers = [
{
name = "hedgedoc";
ensurePermissions."DATABASE hedgedoc" = "ALL PRIVILEGES";
}
];
};
ragon.persist.extraDirectories = [
"${config.services.hedgedoc.workDir}"
];
};
}

68
nixos-modules/services/jellyfin.nix Normal file
View file

@ -0,0 +1,68 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.services.jellyfin;
domain = config.ragon.services.nginx.domain;
in
{
options.ragon.services.jellyfin.enable = lib.mkEnableOption "Enables jellyfin";
options.ragon.services.jellyfin.domainPrefix =
lib.mkOption {
type = lib.types.str;
default = "j";
};
config = lib.mkIf cfg.enable {
services.jellyfin.enable = true;
services.jellyfin.openFirewall = true;
services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {
useACMEHost = "${domain}";
addSSL = true;
locations = {
"= /".extraConfig = "return 302 https://$host/web/;";
"/" = {
extraConfig = ''
proxy_pass http://127.0.0.1:8096;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
'';
};
"= /web/" = {
extraConfig = ''
proxy_pass http://127.0.0.1:8096/web/index.html;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
'';
};
"/socket" = {
extraConfig = ''
proxy_pass http://127.0.0.1:8096;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
'';
};
};
};
ragon.persist.extraDirectories = [
"/var/cache/jellyfin"
"/var/lib/jellyfin"
];
};
}

17
nixos-modules/services/libvirt.nix Normal file
View file

@ -0,0 +1,17 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.services.libvirt;
domain = config.ragon.services.nginx.domain;
in
{
options.ragon.services.libvirt.enable = lib.mkEnableOption "Enables libvirt and stuff";
config = lib.mkIf cfg.enable {
virtualisation.libvirtd = {
enable = true;
};
ragon.user.extraGroups = [ "kvm" "libvirtd" ];
ragon.persist.extraDirectories = [
"/var/lib/libvirt"
];
};
}

162
nixos-modules/services/monitoring.nix Normal file
View file

@ -0,0 +1,162 @@
{ config, lib, pkgs, ... }:
with lib;
with lib.my;
let
cfg = importTOML ../../data/monitoring.toml;
hostName = config.networking.hostName;
getHost = (y:
if (y == hostName)
then "127.0.0.1"
else
(
if (builtins.elem y (builtins.attrNames cfg.hostOverrides))
then cfg.hostOverrides.${y}
else "${y}.hailsatan.eu"
)
);
in
{
config = mkMerge ([
(mkIf (cfg.master.hostname == hostName) {
services.loki.enable = true;
networking.firewall.allowedTCPPorts = [ 3100 ];
services.loki.configFile = pkgs.writeText "loki.yml" ''
auth_enabled: false
server:
http_listen_port: 3100
grpc_listen_port: 9096
ingester:
wal:
enabled: true
dir: /tmp/wal
lifecycler:
address: 127.0.0.1
ring:
kvstore:
store: inmemory
replication_factor: 1
final_sleep: 0s
chunk_idle_period: 1h # Any chunk not receiving new logs in this time will be flushed
max_chunk_age: 1h # All chunks will be flushed when they hit this age, default is 1h
chunk_target_size: 1048576 # Loki will attempt to build chunks up to 1.5MB, flushing first if chunk_idle_period or max_chunk_age is reached first
chunk_retain_period: 30s # Must be greater than index read cache TTL if using an index cache (Default index read cache TTL is 5m)
max_transfer_retries: 0 # Chunk transfers disabled
schema_config:
configs:
- from: 2020-10-24
store: boltdb-shipper
object_store: filesystem
schema: v11
index:
prefix: index_
period: 24h
storage_config:
boltdb_shipper:
active_index_directory: /tmp/loki/boltdb-shipper-active
cache_location: /tmp/loki/boltdb-shipper-cache
cache_ttl: 24h # Can be increased for faster performance over longer query periods, uses more disk space
shared_store: filesystem
filesystem:
directory: /tmp/loki/chunks
compactor:
working_directory: /tmp/loki/boltdb-shipper-compactor
shared_store: filesystem
limits_config:
reject_old_samples: true
reject_old_samples_max_age: 168h
chunk_store_config:
max_look_back_period: 0s
table_manager:
retention_deletes_enabled: false
retention_period: 0s
ruler:
storage:
type: local
local:
directory: /tmp/loki/rules
rule_path: /tmp/loki/rules-temp
alertmanager_url: http://localhost:9093
ring:
kvstore:
store: inmemory
enable_api: true
'';
services.prometheus = {
enable = true;
scrapeConfigs = foldl (a: b: a ++ b) [ ] (map
(x: (map
(y: {
job_name = "${x}_${y}";
static_configs = [
{
targets = [
''${getHost y}:${toString config.services.prometheus.exporters.${x}.port}''
];
}
];
})
cfg.exporters.${x}.hosts))
(builtins.attrNames cfg.exporters));
};
ragon.persist.extraDirectories = [
"/var/lib/${config.services.prometheus.stateDir}"
"${config.services.loki.dataDir}"
];
})
{
# some global settings
services.prometheus.exporters.node.enabledCollectors = [ "systemd" ];
services.prometheus.exporters.dnsmasq.leasesPath = "/var/lib/dnsmasq/dnsmasq.leases";
services.prometheus.exporters.smartctl.user = "root";
services.prometheus.exporters.smokeping.hosts = [ "1.1.1.1" ];
services.nginx.statusPage = true;
}
(mkIf (builtins.elem hostName cfg.promtail.hosts) {
services.promtail = {
enable = true;
configuration = {
server.http_listen_port = 28183;
positions.filename = "/tmp/positions.yaml";
clients = [{ url = "http://${getHost cfg.master.hostname}:3100/loki/api/v1/push"; }];
scrape_configs = [
{
job_name = "journal";
journal = {
max_age = "12h";
labels = {
job = "systemd-journal";
host = hostName;
};
};
relabel_configs = [{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}];
}
];
};
};
})
] ++
(map
(x: {
services.prometheus.exporters.${x} = {
enable = (builtins.elem hostName cfg.exporters.${x}.hosts);
openFirewall = (hostName != cfg.master.hostname);
firewallFilter = if (hostName != cfg.master.hostname) then "-p tcp -s ${cfg.master.ip} -m tcp --dport ${toString config.services.prometheus.exporters.${x}.port}" else null;
};
})
(builtins.attrNames cfg.exporters))
);
}

38
nixos-modules/services/nginx.nix Normal file
View file

@ -0,0 +1,38 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.services.nginx;
in
{
options.ragon.services.nginx.enable = lib.mkEnableOption "Enables nginx";
options.ragon.services.nginx.domain =
lib.mkOption {
type = lib.types.str;
default = "hailsatan.eu";
};
config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
};
security.acme.defaults.email = "nixosacme@phochkamp.de";
security.acme.acceptTerms = true;
security.acme.certs."${cfg.domain}" = {
dnsProvider = "cloudflare";
dnsResolver = "1.1.1.1:53";
group = "nginx";
extraDomainNames = [
"*.${cfg.domain}"
];
credentialsFile = "${config.age.secrets.cloudflareAcme.path}";
};
ragon.agenix.secrets.cloudflareAcme = { group = "nginx"; mode = "0440"; };
ragon.persist.extraDirectories = [
"/var/lib/acme"
];
};
}

39
nixos-modules/services/paperless.nix Normal file
View file

@ -0,0 +1,39 @@
{ config, inputs, lib, pkgs, ... }:
with lib;
with lib.my;
let
cfg = config.ragon.services.paperless;
domain = config.ragon.services.nginx.domain;
in
{
options.ragon.services.paperless.enable = mkEnableOption "Enables paperless ng";
options.ragon.services.paperless.domainPrefix =
lib.mkOption {
type = lib.types.str;
default = "paperless";
};
config = mkIf cfg.enable {
services.paperless-ng = {
enable = true;
package = pkgs.paperless-ng.overrideAttrs (oldAttrs: rec { doCheck = false; doInstallCheck = false; });
mediaDir = mkDefault "/data/documents/paperless";
consumptionDir = mkDefault "/data/applications/paperless-consumption";
consumptionDirIsPublic = true;
passwordFile = "${config.age.secrets.paperlessAdminPW.path}";
extraConfig = {
PAPERLESS_OCR_LANGUAGE = "deu+eng";
};
};
ragon.agenix.secrets.paperlessAdminPW = { group = "${config.services.paperless-ng.user}"; mode = "0440"; };
services.nginx.clientMaxBodySize = "100m";
services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {
useACMEHost = "${domain}";
addSSL = true;
locations."/".proxyPass = "http://${config.services.paperless-ng.address}:${toString config.services.paperless-ng.port}";
locations."/".proxyWebsockets = true;
};
ragon.persist.extraDirectories = [
"${config.services.paperless-ng.dataDir}"
];
};
}

28
nixos-modules/services/samba.nix Normal file
View file

@ -0,0 +1,28 @@
{ config, lib, pkgs, ... }:
with lib;
with lib.my;
with builtins;
let
cfg = config.ragon.services.samba;
allowedIPs = cfg.allowedIPs;
cfgExports = cfg.exports;
in
{
options.ragon.services.samba.enable = mkEnableOption "Enables Samba";
options.ragon.services.samba.shares = mkOption {
type = lib.types.attrs;
default = {};
};
config = mkIf cfg.enable {
services.samba = {
enable = true;
shares = cfg.shares;
};
ragon.persist.extraDirectories = [
"/var/lib/samba"
];
networking.firewall.allowedTCPPorts = [ 139 445 ];
networking.firewall.allowedUDPPorts = [ 137 138 ];
};
}

12
nixos-modules/services/ssh.nix Normal file
View file

@ -0,0 +1,12 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.services.ssh;
in
{
options.ragon.services.ssh.enable = lib.mkEnableOption "Enables sshd";
config = lib.mkIf cfg.enable {
services.openssh.permitRootLogin = "no";
services.openssh.enable = true;
services.openssh.passwordAuthentication = false;
};
}

130
nixos-modules/services/synapse.nix Normal file
View file

@ -0,0 +1,130 @@
{ config, lib, pkgs, ... }:
with lib;
with lib.my;
let
cfg = config.ragon.services.synapse;
fqdn = cfg.fqdn;
serverName = cfg.serverName;
domain = config.ragon.services.nginx.domain;
in
{
options.ragon.services.synapse.enable = mkEnableOption "Enables synapse";
options.ragon.services.synapse.fqdn =
lib.mkOption {
type = lib.types.str;
default = "m.ragon.xyz";
};
options.ragon.services.synapse.enableElement = mkBoolOpt true; # TODO fix
options.ragon.services.synapse.elementFqdn =
lib.mkOption {
type = lib.types.str;
default = "e.ragon.xyz";
};
options.ragon.services.synapse.serverName =
lib.mkOption {
type = lib.types.str;
default = "ragon.xyz";
};
config = lib.mkIf cfg.enable {
services.matrix-synapse = {
enable = true;
server_name = serverName;
listeners = [
{
port = 8008;
bind_address = "::1";
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = [ "client" "federation" ];
compress = false;
}
];
}
];
};
services.postgresql = {
enable = true;
};
services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
services.nginx.virtualHosts = {
"${cfg.elementFqdn}" = {
useACMEHost = "${domain}";
forceSSL = true;
root = pkgs.element-web.override {
conf = {
default_server_config."m.homeserver" = {
"base_url" = "https://${fqdn}";
"server_name" = "${domain}";
};
default_theme = "dark";
jitsi.preferredDomain = "${config.ragon.services.jitsi.domainPrefix}.${domain}";
}; # TODO make this less shit
};
};
"${cfg.serverName}" = {
forceSSL = true;
useACMEHost = "${domain}";
locations."= /.well-known/matrix/server".extraConfig =
let
# use 443 instead of the default 8448 port to unite
# the client-server and server-server port for simplicity
server = { "m.server" = "${fqdn}:443"; };
in
''
add_header Content-Type application/json;
return 200 '${builtins.toJSON server}';
'';
locations."= /.well-known/matrix/client".extraConfig =
let
client = {
"m.homeserver" = { "base_url" = "https://${fqdn}"; };
"m.identity_server" = { "base_url" = "https://vector.im"; };
"im.vector.riot.jitsi" = { "preferredDomain" = "jitsi.${domain}"; };
};
# ACAO required to allow element-web on any URL to request this json file
in
''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
};
# Reverse proxy for Matrix client-server and server-server communication
"${fqdn}" = {
forceSSL = true;
useACMEHost = "${domain}";
# Or do a redirect instead of the 404, or whatever is appropriate for you.
# But do not put a Matrix Web client here! See the Element web section below.
locations."/".extraConfig = ''
return 404;
'';
# forward all Matrix API calls to the synapse Matrix homeserver
locations."/_matrix" = {
proxyPass = "http://[::1]:8008"; # without a trailing /
};
};
};
ragon.persist.extraDirectories = [
"${config.services.postgresql.dataDir}"
"${config.services.matrix-synapse.dataDir}"
];
};
}

22
nixos-modules/services/ts3.nix Normal file
View file

@ -0,0 +1,22 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.services.ts3;
in
{
options.ragon.services.ts3.enable = lib.mkEnableOption "Enables the Teamspeak 3 Server";
config = lib.mkIf cfg.enable {
services.teamspeak3 = {
enable = true;
};
networking.firewall.allowedTCPPorts = [
config.services.teamspeak3.queryPort
config.services.teamspeak3.fileTransferPort
];
networking.firewall.allowedUDPPorts = [
config.services.teamspeak3.defaultVoicePort
];
ragon.persist.extraDirectories = [
"${config.services.teamspeak3.dataDir}"
];
};
}

26
nixos-modules/services/unifi.nix Normal file
View file

@ -0,0 +1,26 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.services.unifi;
domain = config.ragon.services.nginx.domain;
in
{
options.ragon.services.unifi.enable = lib.mkEnableOption "Enables the unifi console";
options.ragon.services.unifi.domainPrefix =
lib.mkOption {
type = lib.types.str;
default = "unifi";
};
config = lib.mkIf cfg.enable {
services.unifi = {
enable = true;
};
services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
locations."/".proxyPass = "https://127.0.0.1:8443";
};
ragon.persist.extraDirectories = [
"/var/lib/unifi"
];
};
}