xyno/nix-configs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

some slight changes

Browse source
This commit is contained in:
Lucy Hochkamp 2024-03-17 09:07:28 +01:00
parent be17bb97d2
commit ff468ca2d7
No known key found for this signature in database
70 changed files with 245 additions and 2131 deletions
Download patch file Download diff file Expand all files Collapse all files

45
nixos-modules/cli/default.nix
View file

@ -13,50 +13,5 @@ in
# root shell
users.extraUsers.root.shell = pkgs.zsh;
environment.shellAliases = {
v = "nvim";
vim = "nvim";
gpl = "git pull";
gp = "git push";
lg = "lazygit";
gc = "git commit -v";
kb = "git commit -m \"\$(curl -s http://whatthecommit.com/index.txt)\"";
gs = "git status -v";
gfc = "git fetch && git checkout";
gl = "git log --graph";
l = "eza -la --git";
la = "eza -la --git";
ls = "eza";
ll = "eza -l --git";
cat = "bat";
};
environment.variables = {
EDITOR = "nvim";
VISUAL = "nvim";
};
environment.systemPackages = with pkgs; [
nnn
bat
htop
eza
curl
fd
file
fzf
git
neofetch
tmux
ripgrep
pv
direnv # needed for lorri
unzip
tmux
aria2
yt-dlp
neovim
];
};
}

53
nixos-modules/cli/zsh/zsh.nix
View file

@ -1,53 +0,0 @@
{ inputs, config, lib, pkgs, ... }:
let
cfg = config.ragon.cli;
in
{
config = lib.mkIf cfg.enable {
ragon.user.persistent = {
extraDirectories = [
".config/zsh"
];
};
programs.zsh = {
enable = true;
histSize = 10000;
histFile = "$HOME/.config/zsh/history";
# autosuggestions.enable = true;
enableCompletion = true;
setOptions = [
"HIST_IGNORE_DUPS"
"SHARE_HISTORY"
"HIST_FCNTL_LOCK"
"AUTO_CD"
"AUTO_MENU"
];
# interactiveShellInit broke agkozak-zsh-prompt for some reaaaaaaaason
promptInit =
let
zshrc = builtins.readFile ./zshrc;
sources = [
"${inputs.agkozak-zsh-prompt}/agkozak-zsh-prompt.plugin.zsh"
"${pkgs.oh-my-zsh}/share/oh-my-zsh/plugins/git/git.plugin.zsh"
"${pkgs.oh-my-zsh}/share/oh-my-zsh/plugins/globalias/globalias.plugin.zsh"
"${inputs.zsh-vim-mode}/zsh-vim-mode.plugin.zsh"
"${inputs.zsh-syntax-highlighting}/zsh-syntax-highlighting.plugin.zsh"
"${inputs.zsh-completions}/zsh-completions.plugin.zsh"
];
source = map (x: "source " + x) sources;
plugins = builtins.concatStringsSep "\n" (source);
in
''
${zshrc}
${plugins}
'';
};
};
}

46
nixos-modules/cli/zsh/zshrc
View file

@ -1,46 +0,0 @@
AGKOZAK_MULTILINE=0
AGKOZAK_PROMPT_CHAR=( "%F{red}N%f")
autoload -Uz history-search-end
zle -N history-beginning-search-backward-end history-search-end
zle -N history-beginning-search-forward-end history-search-end
bindkey -M vicmd '^[[A' history-beginning-search-backward-end \
'^[OA' history-beginning-search-backward-end \
'^[[B' history-beginning-search-forward-end \
'^[OB' history-beginning-search-forward-end
bindkey -M viins '^[[A' history-beginning-search-backward-end \
'^[OA' history-beginning-search-backward-end \
'^[[B' history-beginning-search-forward-end \
'^[OB' history-beginning-search-forward-end
hash go 2>/dev/null && export PATH=$PATH:$(go env GOPATH)/bin
hash yarn 2>/dev/null && export PATH=$PATH:$HOME/.yarn/bin
hash direnv 2>/dev/null && eval "$(direnv hook zsh)" # needed for lorri
hash helm 2>/dev/null && . <(helm completion zsh)
hash kubectl 2>/dev/null && . <(kubectl completion zsh)
export NNN_ARCHIVE="\\.(7z|a|ace|alz|arc|arj|bz|bz2|cab|cpio|deb|gz|jar|lha|lz|lzh|lzma|lzo|rar|rpm|rz|t7z|tar|tbz|tbz2|tgz|tlz|txz|tZ|tzo|war|xpi|xz|Z|zip)$"
n ()
{
# Block nesting of nnn in subshells
if [ -n $NNNLVL ] && [ "${NNNLVL:-0}" -ge 1 ]; then
echo "nnn is already running"
return
fi
export NNN_TMPFILE="$HOME/.config/nnn/.lastd"
# Unmask ^Q (, ^V etc.) (if required, see `stty -a`) to Quit nnn
# stty start undef
# stty stop undef
# stty lwrap undef
# stty lnext undef
nnn -d "$@"
if [ -f "$NNN_TMPFILE" ]; then
. "$NNN_TMPFILE"
rm -f "$NNN_TMPFILE" > /dev/null
fi
}

20
nixos-modules/hardware/bluetooth.nix
View file

@ -1,20 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.hardware.bluetooth;
in
{
options.ragon.hardware.bluetooth.enable = lib.mkEnableOption "Enables bluetooth stuff (tlp,...)";
config = lib.mkIf cfg.enable {
hardware.bluetooth.enable = true;
services.blueman.enable = true;
hardware.pulseaudio = {
extraModules = [ pkgs.pulseaudio-modules-bt ];
package = pkgs.pulseaudioFull;
};
ragon.persist.extraDirectories = [
"/var/lib/bluetooth"
];
};
}

53
nixos-modules/hardware/hifiberry-dac.nix
View file

@ -1,53 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.hardware.hifiberry-dac;
in
{
options.ragon.hardware.hifiberry-dac.enable = lib.mkEnableOption "Enables hifiberry dac";
config = lib.mkIf cfg.enable {
hardware.deviceTree = {
overlays = [
# Equivalent to: https://github.com/raspberrypi/linux/blob/rpi-5.10.y/arch/arm/boot/dts/overlays/hifiberry-dac-overlay.dts
{
name = "hifiberry-dac-overlay";
dtsText = ''
// Definitions for HiFiBerry DAC
/dts-v1/;
/plugin/;
/ {
compatible = "brcm,bcm2835";
fragment@0 {
target = <&i2s>;
__overlay__ {
status = "okay";
};
};
fragment@1 {
target-path = "/";
__overlay__ {
pcm5102a-codec {
#sound-dai-cells = <0>;
compatible = "ti,pcm5102a";
status = "okay";
};
};
};
fragment@2 {
target = <&sound>;
__overlay__ {
compatible = "hifiberry,hifiberry-dac";
i2s-controller = <&i2s>;
status = "okay";
};
};
};
'';
}
];
};
};
}

22
nixos-modules/hardware/laptop.nix
View file

@ -1,22 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.hardware.laptop;
in
{
options.ragon.hardware.laptop.enable = lib.mkEnableOption "Enables laptop stuff (tlp,...)";
config = lib.mkIf cfg.enable {
services.tlp = {
enable = true;
settings = {
CPU_ENERGY_PERF_POLICY_ON_AC = "performance";
CPU_ENERGY_PERF_POLICY_ON_BAT = "poversave";
};
};
services.xserver.libinput = {
enable = true;
};
hardware.acpilight.enable = true;
services.thermald.enable = true;
ragon.hardware.bluetooth.enable = true; # laptops normally have BT
};
}

12
nixos-modules/hardware/nvidia.nix
View file

@ -1,12 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.hardware.nvidia;
in
{
options.ragon.hardware.nvidia.enable = lib.mkEnableOption "Enables nvidia stuff (why didnt i buy amd?)";
config = lib.mkIf cfg.enable {
# nivea
services.xserver.videoDrivers = [ "nvidia" ];
};
}

60
nixos-modules/services/ddns.nix
View file

@ -1,60 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
with lib.my;
let
cfg = config.ragon.services.ddns;
domain = config.ragon.services.nginx.domain;
dataDir = "/var/lib/inadyn";
cacheDir = "/var/cache/inadyn";
in
{
options.ragon.services.ddns.enable = mkEnableOption "Enables CloudFlare DDNS to the domain specified in ragon.services.nginx.domain and all subdomains";
options.ragon.services.ddns.ipv4 = mkBoolOpt true;
options.ragon.services.ddns.ipv6 = mkBoolOpt true;
config = mkIf cfg.enable {
systemd.services.inadyn = {
description = "inadyn DDNS Client";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = rec {
Type = "simple";
ExecStart =
pkgs.writeScript "run-inadyn.sh" ''
#!${pkgs.bash}/bin/bash
export PATH=$PATH:${pkgs.bash}/bin/bash # idk if that helps
source ${config.age.secrets.cloudflareAcme.path}
cat >/run/${RuntimeDirectory}/inadyn.cfg <<EOF
period = 180
user-agent = Mozilla/5.0
allow-ipv6 = true
${optionalString cfg.ipv4 ''
# ipv4
provider cloudflare.com:1 {
checkip-server = ipv4.icanhazip.com
username = ${domain}
password = $CLOUDFLARE_DNS_API_TOKEN
hostname = ${domain}
}
''}
${optionalString cfg.ipv6 ''
# ipv6
provider cloudflare.com:2 {
checkip-server = ipv6.icanhazip.com
username = ${domain}
password = $CLOUDFLARE_DNS_API_TOKEN
hostname = ${domain}
}
''}
EOF
exec ${pkgs.inadyn}/bin/inadyn -n --cache-dir=${cacheDir} -f /run/${RuntimeDirectory}/inadyn.cfg
'';
RuntimeDirectory = StateDirectory;
StateDirectory = builtins.baseNameOf dataDir;
};
};
systemd.tmpfiles.rules = [
"d ${cacheDir} 1777 root root 10m"
];
ragon.agenix.secrets.cloudflareAcme = { };
};
}

49
nixos-modules/services/gitlab.nix
View file

@ -1,49 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
with lib.my;
let
cfg = config.ragon.services.gitlab;
domain = config.ragon.services.nginx.domain;
in
{
options.ragon.services.gitlab.enable = mkEnableOption "Enables gitlab";
options.ragon.services.gitlab.domainPrefix =
mkOption {
type = lib.types.str;
default = "gitlab";
};
config = lib.mkIf cfg.enable {
services.gitlab = {
enable = true;
https = true;
initialRootPasswordFile = "${config.age.secrets.gitlabInitialRootPassword.path}";
port = 443;
host = "${cfg.domainPrefix}.${domain}";
secrets = {
dbFile = "${config.age.secrets.gitlabDBFile.path}";
jwsFile = "${config.age.secrets.gitlabJWSFile.path}";
otpFile = "${config.age.secrets.gitlabOTPFile.path}";
secretFile = "${config.age.secrets.gitlabSecretFile.path}";
};
};
ragon.agenix.secrets = foldl (a: b: a // b) { } (map (a: { ${a} = { owner = "gitlab"; }; }) [
"gitlabDBFile"
"gitlabInitialRootPassword"
"gitlabJWSFile"
"gitlabOTPFile"
"gitlabSecretFile"
]);
services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {
useACMEHost = "${domain}";
forceSSL = true;
locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
locations."/".extraConfig = "client_max_body_size 4G;";
};
ragon.persist.extraDirectories = [
"${config.services.postgresql.dataDir}"
"${config.services.gitlab.statePath}"
];
};
}

32
nixos-modules/services/grafana.nix
View file

@ -1,32 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.services.grafana;
domain = config.ragon.services.nginx.domain;
in
{
options.ragon.services.grafana.enable = lib.mkEnableOption "Enables grafana";
options.ragon.services.grafana.domainPrefix =
lib.mkOption {
type = lib.types.str;
default = "grafana";
};
config = lib.mkIf cfg.enable {
services.grafana = {
enable = true;
settings.server.domain = "${cfg.domainPrefix}.${domain}";
settings.server.root_url = "https://${cfg.domainPrefix}.${domain}/";
};
services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {
useACMEHost = "${domain}";
addSSL = true;
locations = {
"/".proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
"/".proxyWebsockets = true;
};
};
ragon.persist.extraDirectories = [
"${config.services.grafana.dataDir}"
];
};
}

68
nixos-modules/services/jellyfin.nix
View file

@ -1,68 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.services.jellyfin;
domain = config.ragon.services.nginx.domain;
in
{
options.ragon.services.jellyfin.enable = lib.mkEnableOption "Enables jellyfin";
options.ragon.services.jellyfin.domainPrefix =
lib.mkOption {
type = lib.types.str;
default = "j";
};
config = lib.mkIf cfg.enable {
services.jellyfin.enable = true;
services.jellyfin.openFirewall = true;
services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {
useACMEHost = "${domain}";
addSSL = true;
locations = {
"= /".extraConfig = "return 302 https://$host/web/;";
"/" = {
extraConfig = ''
proxy_pass http://127.0.0.1:8096;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
'';
};
"= /web/" = {
extraConfig = ''
proxy_pass http://127.0.0.1:8096/web/index.html;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
'';
};
"/socket" = {
extraConfig = ''
proxy_pass http://127.0.0.1:8096;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
'';
};
};
};
ragon.persist.extraDirectories = [
"/var/cache/jellyfin"
"/var/lib/jellyfin"
];
};
}

168
nixos-modules/services/monitoring.nix
View file

@ -1,168 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
with lib.my;
let
cfg = importTOML ../../data/monitoring.toml;
hostName = config.networking.hostName;
getHost = (y:
if (y == hostName)
then "127.0.0.1"
else
(
if (builtins.elem y (builtins.attrNames cfg.hostOverrides))
then cfg.hostOverrides.${y}
else y
)
);
in
{
config = mkMerge ([
(mkIf (cfg.master.hostname == hostName) {
services.loki.enable = true;
services.loki.configFile = pkgs.writeText "loki.yml" ''
ingester:
chunk_target_size: 5242880
auth_enabled: false
server:
http_listen_port: 3100
grpc_listen_port: 9096
common:
ring:
instance_addr: 127.0.0.1
kvstore:
store: inmemory
replication_factor: 1
path_prefix: /tmp/loki
schema_config:
configs:
- from: 2020-05-15
store: boltdb-shipper
object_store: filesystem
schema: v11
index:
prefix: index_
period: 24h
ruler:
alertmanager_url: http://localhost:9093
analytics:
reporting_enabled: false
'';
services.prometheus = {
# alertmanager.enable = true;
enable = true;
scrapeConfigs = foldl (a: b: a ++ b) [ ] (map
(x: (map
(y: {
job_name = "${x}_${y}";
static_configs = [
{
targets = [
''${getHost y}:${toString config.services.prometheus.exporters.${x}.port}''
];
}
];
})
cfg.exporters.${x}.hosts))
(builtins.attrNames cfg.exporters));
};
ragon.persist.extraDirectories = [
"/var/lib/${config.services.prometheus.stateDir}"
"${config.services.loki.dataDir}"
];
})
{
# some global settings
services.prometheus.exporters.node.enabledCollectors = [ "systemd" ];
services.prometheus.exporters.smokeping.hosts = [ "1.1.1.1" ];
}
(mkIf (builtins.elem hostName cfg.promtail.hosts) {
systemd.services.promtail.serviceConfig.SupplementaryGroups = lib.optional config.services.nginx.enable [ "nginx" ];
systemd.services.promtail.serviceConfig.ReadWritePaths = [ "/var/log/nginx" ];
services.promtail = {
enable = true;
configuration = {
server.http_listen_port = 28183;
positions.filename = "/tmp/positions.yaml";
clients = [{ url = "http://${cfg.master.ip}:3100/loki/api/v1/push"; }];
scrape_configs = [
{
job_name = "journal";
journal = {
max_age = "12h";
labels = {
job = "systemd-journal";
host = hostName;
};
};
relabel_configs = [{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}];
}
] ++ lib.optionals false [
{
job_name = "nginx";
static_configs = [
{
targets = [ "localhost" ];
labels = {
job = "nginx";
__path__ = "/var/log/nginx/access.log";
host = hostName;
};
}
];
pipeline_stages = [
{
regex = {
expression = ''(?P<remote_addr>.+) - - \[(?P<time_local>.+)\] "(?P<method>.+) (?P<url>.+) (HTTP\/(?P<version>\d.\d))" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) (["](?P<http_referer>(\-)|(.+))["]) (["](?P<http_user_agent>.+)["])'';
};
}
{
labels = {
remote_addr = null;
time_local = null;
method = null;
url = null;
status = null;
body_bytes_sent = null;
http_referer = null;
http_user_agent = null;
};
}
{
timestamp = {
source = "time_local";
format = "02/Jan/2006:15:04:05 -0700";
};
}
{
drop = {
source = "url";
expression = ''/(_matrix|.well-known|notifications|api|identity).*'';
};
}
];
}
];
};
};
})
] ++
(map
(x: {
services.prometheus.exporters.${x} = {
enable = (builtins.elem hostName cfg.exporters.${x}.hosts);
#openFirewall = (hostName != cfg.master.hostname);
#firewallFilter = if (hostName != cfg.master.hostname) then "-p tcp -s ${cfg.master.ip} -m tcp --dport ${toString config.services.prometheus.exporters.${x}.port}" else null;
};
})
(builtins.attrNames cfg.exporters))
);
}

56
nixos-modules/services/nginx.nix
View file

@ -1,56 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.services.nginx;
in
{
options.ragon.services.nginx.enable = lib.mkEnableOption "Enables nginx";
options.ragon.services.nginx.domain =
lib.mkOption {
type = lib.types.str;
default = "hailsatan.eu";
};
options.ragon.services.nginx.domains =
lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
clientMaxBodySize = "500m";
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
};
security.acme.defaults.email = "nixosacme@phochkamp.de";
security.acme.acceptTerms = true;
security.acme.certs."${cfg.domain}" = {
dnsProvider = "ionos";
dnsResolver = "1.1.1.1:53";
group = "nginx";
extraDomainNames = [
"*.${cfg.domain}"
];
credentialsFile = "${config.age.secrets.cloudflareAcme.path}";
};
services.nginx.virtualHosts."_" = {
useACMEHost = "${cfg.domain}";
addSSL = true;
locations = {
"/" = {
extraConfig = ''
return 404;
'';
};
};
};
ragon.agenix.secrets.cloudflareAcme = { group = "nginx"; mode = "0440"; };
ragon.persist.extraDirectories = [
"/var/lib/acme"
];
};
}

11
nixos-modules/services/paperless.nix
View file

@ -7,10 +7,10 @@ let
in
{
options.ragon.services.paperless.enable = mkEnableOption "Enables paperless ng";
options.ragon.services.paperless.domainPrefix =
options.ragon.services.paperless.location =
lib.mkOption {
type = lib.types.str;
default = "paperless";
default = "http://${config.services.paperless.address}:${toString config.services.paperless.port}";
};
config = mkIf cfg.enable {
services.paperless = {
@ -25,13 +25,6 @@ in
};
};
ragon.agenix.secrets.paperlessAdminPW = { group = "${config.services.paperless.user}"; mode = "0440"; };
services.nginx.clientMaxBodySize = "100m";
services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {
useACMEHost = "${domain}";
addSSL = true;
locations."/".proxyPass = "http://${config.services.paperless.address}:${toString config.services.paperless.port}";
locations."/".proxyWebsockets = true;
};
ragon.persist.extraDirectories = [
"${config.services.paperless.dataDir}"
];

12
nixos-modules/services/photoprism.nix
View file

@ -7,10 +7,10 @@ let
in
{
options.ragon.services.photoprism.enable = mkEnableOption "Enables the hedgedoc BitWarden Server";
options.ragon.services.photoprism.domainPrefix =
mkOption {
options.ragon.services.photoprism.location =
lib.mkOption {
type = lib.types.str;
default = "photos";
default = "http://127.0.0.1:${toString config.ragon.services.photoprism.port}";
};
options.ragon.services.photoprism.port =
mkOption {
@ -31,12 +31,6 @@ in
];
};
ragon.agenix.secrets.photoprismEnv.owner = "root";
services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
locations."/".proxyWebsockets = true;
locations."/".proxyPass = "http://127.0.0.1:${cfg.port}";
};
ragon.persist.extraDirectories = [
"/var/lib/photoprism"
];

68
nixos-modules/services/tailscale-to-vpn.nix
View file

@ -1,68 +0,0 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.ragon.tailscaleToVpn;
ovpnConfigPath = cfg.ovpnConfigPath;
stateVer = config.system.stateVersion;
in
{
options.ragon.tailscaleToVpn = {
enable = mkEnableOption "tailscale-to-vpn. you need to enable nat to ve-+ able to use this";
ovpnConfigPath = mkOption {
type = types.str;
default = "/etc/openvpn/client.conf";
description = "full path to the OpenVPN client configuration file, is expected to be in /run";
};
};
config = mkIf cfg.enable {
networking.bridges.br-ovpn-ts = {
interfaces = [ ];
};
containers.TSTVPN-openvpn = {
ephemeral = true;
enableTun = true;
interfaces = [ "br-ovpn-ts" ];
localAddress = "192.168.102.11";
hostAddress = "192.168.102.10";
config = { config, pkgs, ... }: {
system.stateVersion = stateVer;
networking.interfaces.br-ovpn-ts = {
ipv4.addresses = [ "192.168.101.1/24" ];
};
services.openvpn.servers.bridge = {
config = ''
config /host${ovpnConfigPath}
dev ovpn-bridge
dev-type tun
'';
};
networking.nat = {
externalInterface = "ovpn-bridge";
internalInterfaces = [ "br-ovpn-ts" ];
};
};
privateNetwork = true;
bindMounts = {
"/host/run" = { hostPath = "/run"; isReadOnly = true; };
"/run/agenix.d" = { hostPath = "/run/agenix.d"; isReadOnly = true; };
};
};
containers.TSTVPN-tailscale = {
enableTun = true;
hostBridge = "br-ovpn-ts";
localAddress = "192.168.101.2/24";
privateNetwork = true;
config = { config, pkgs, ... }: {
system.stateVersion = stateVer;
services.tailscale = {
enable = true;
useRoutingFeatures = "both";
};
};
};
};
}

28
nixos-modules/services/unifi.nix
View file

@ -1,28 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.services.unifi;
domain = config.ragon.services.nginx.domain;
in
{
options.ragon.services.unifi.enable = lib.mkEnableOption "Enables the unifi console";
options.ragon.services.unifi.domainPrefix =
lib.mkOption {
type = lib.types.str;
default = "unifi";
};
config = lib.mkIf cfg.enable {
services.unifi = {
enable = true;
openFirewall = true;
};
services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
locations."/".proxyPass = "https://127.0.0.1:8443";
locations."/".proxyWebsockets = true;
};
ragon.persist.extraDirectories = [
"/var/lib/unifi"
];
};
}