Compare commits

..

3 commits

Author SHA1 Message Date
6b375fea91
massicot,fix: fix missing module 2024-09-14 16:49:22 +08:00
5104c5943e
massicot,fix: switch to fix drive 2024-09-14 16:33:01 +08:00
37f59db944
fix after bump version 2024-09-05 09:29:54 +08:00
40 changed files with 907 additions and 720 deletions

View file

@ -116,11 +116,11 @@
}, },
"catppuccin": { "catppuccin": {
"locked": { "locked": {
"lastModified": 1724156255, "lastModified": 1725509983,
"narHash": "sha256-rpUCeS/QZwQdJmDrvCm0hRi8bFvQNQKAnIMK5ZDBfpM=", "narHash": "sha256-NHCgHVqumPraFJnLrkanoLDuhOoUHUvRhvp/RIHJR+A=",
"owner": "catppuccin", "owner": "catppuccin",
"repo": "nix", "repo": "nix",
"rev": "8886a68edadb1d93c7101337f995ffce4b410ff2", "rev": "45745fe5960acaefef2b60f3455bcac6a0ca6bc9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -433,11 +433,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1723986931, "lastModified": 1725694918,
"narHash": "sha256-Fy+KEvDQ+Hc8lJAV3t6leXhZJ2ncU5/esxkgt3b8DEY=", "narHash": "sha256-+HsjshXpqNiJHLaJaK0JnIicJ/a1NquKcfn4YZ3ILgg=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "2598861031b78aadb4da7269df7ca9ddfc3e1671", "rev": "aaebdea769a5c10f1c6e50ebdf5924c1a13f0cda",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -476,11 +476,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1715930644, "lastModified": 1726036828,
"narHash": "sha256-W9pyM3/vePxrffHtzlJI6lDS3seANQ+Nqp+i58O46LI=", "narHash": "sha256-ZQHbpyti0jcAKnwQY1lwmooecLmSG6wX1JakQ/eZNeM=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "e3ad5108f54177e6520535768ddbf1e6af54b59d", "rev": "8a1671642826633586d12ac3158e463c7a50a112",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -498,11 +498,11 @@
"nixvim": "nixvim" "nixvim": "nixvim"
}, },
"locked": { "locked": {
"lastModified": 1724306750, "lastModified": 1725247757,
"narHash": "sha256-mT8DXzj0zHfGJ+zuxFAnqnk+0bDEFgEk7TvEk59WbWQ=", "narHash": "sha256-M++z1VvmSo18FRVI02mdF2210bCYn+t25Zgflrdn9Tc=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "81990813485a580d69853d8429e3b8aece7f66a6", "rev": "7e0140a6a9eff2ab3292d8269bc99efeb3581835",
"revCount": 11, "revCount": 14,
"type": "git", "type": "git",
"url": "https://git.xinyang.life/xin/nixvim" "url": "https://git.xinyang.life/xin/nixvim"
}, },
@ -540,11 +540,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1723950649, "lastModified": 1725161148,
"narHash": "sha256-dHMkGjwwCGj0c2MKyCjRXVBXq2Sz3TWbbM23AS7/5Hc=", "narHash": "sha256-WfAHq3Ag3vLNFfWxKHjFBFdPI6JIideWFJod9mx1eoo=",
"owner": "Mic92", "owner": "Mic92",
"repo": "nix-index-database", "repo": "nix-index-database",
"rev": "392828aafbed62a6ea6ccab13728df2e67481805", "rev": "32058e9138248874773630c846563b1a78ee7a5b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -564,11 +564,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1724117347, "lastModified": 1725672853,
"narHash": "sha256-/nfm6P0owPtCRjT8ktq/8OChtg2HpkrvNaDJGm9N1Lk=", "narHash": "sha256-z1O6dzCJ27OZpF680tZL0mQphQETdg4DTryvhFOpZyA=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-vscode-extensions", "repo": "nix-vscode-extensions",
"rev": "2ef60116ef361d988317cbe52a09acfeda7d3416", "rev": "efd33fc8e5a149dd48d86ca6003b51ab3ce4ae21",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -579,11 +579,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1724067415, "lastModified": 1725477728,
"narHash": "sha256-WJBAEFXAtA41RMpK8mvw0cQ62CJkNMBtzcEeNIJV7b0=", "narHash": "sha256-ahej1VRqKmWbG7gewty+GlrSBEeGY/J2Zy8Nt8+3fdg=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "b09c46430ffcf18d575acf5c339b38ac4e1db5d2", "rev": "880be1ab837e1e9fe0449dae41ac4d034694d4ce",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -623,11 +623,11 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1723938990, "lastModified": 1725407940,
"narHash": "sha256-9tUadhnZQbWIiYVXH8ncfGXGvkNq3Hag4RCBEMUk7MI=", "narHash": "sha256-tiN5Rlg/jiY0tyky+soJZoRzLKbPyIdlQ77xVgREDNM=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "c42fcfbdfeae23e68fc520f9182dde9f38ad1890", "rev": "6f6c45b5134a8ee2e465164811e451dcb5ad86e3",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -655,11 +655,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1724160083, "lastModified": 1726296585,
"narHash": "sha256-ROiCJNYSbjO45ajyTfRxp+aqvX+R1M3xwlWOLtfD0iw=", "narHash": "sha256-inm7AIEqfgF4wXkhWB2M5IfmdITSF90xpeDDSU3DfNc=",
"owner": "xinyangli", "owner": "xinyangli",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "885d5117645517b70eb3922acfbb83226fc77dbb", "rev": "8539edfb09c674994303141378df4ab33cd765ad",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -671,11 +671,11 @@
}, },
"nixpkgs_3": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1714912032, "lastModified": 1726042813,
"narHash": "sha256-clkcOIkg8G4xuJh+1onLG4HPMpbtzdLv4rHxFzgsH9c=", "narHash": "sha256-LnNKCCxnwgF+575y0pxUdlGZBO/ru1CtGHIqQVfvjlA=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "ee4a6e0f566fe5ec79968c57a9c2c3c25f2cf41d", "rev": "159be5db480d1df880a0135ca0bfed84c2f88353",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -713,11 +713,11 @@
}, },
"nur": { "nur": {
"locked": { "locked": {
"lastModified": 1724159175, "lastModified": 1725687722,
"narHash": "sha256-3z9wRL+h+gTVFtecCUGrRaW6nvPPAtBCIDE9KAmZj7c=", "narHash": "sha256-LPv282y5okYk8ebiBsEbDXy2WykwdBPpAthjKSmTfNI=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NUR", "repo": "NUR",
"rev": "0b86d5643d99e3982471f0d79e553871c6f35396", "rev": "ff7f8143f33751c4f37caec678ed1eb63006c0d3",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -774,11 +774,11 @@
"nixpkgs-stable": "nixpkgs-stable_2" "nixpkgs-stable": "nixpkgs-stable_2"
}, },
"locked": { "locked": {
"lastModified": 1723501126, "lastModified": 1725540166,
"narHash": "sha256-N9IcHgj/p1+2Pvk8P4Zc1bfrMwld5PcosVA0nL6IGdE=", "narHash": "sha256-htc9rsTMSAY5ek+DB3tpntdD/es0eam2hJgO92bWSys=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "be0eec2d27563590194a9206f551a6f73d52fa34", "rev": "d9d781523a1463965cd1e1333a306e70d9feff07",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -804,15 +804,15 @@
"systems": "systems_3" "systems": "systems_3"
}, },
"locked": { "locked": {
"lastModified": 1724444244, "lastModified": 1725416430,
"narHash": "sha256-fH1lyJvJjUhZ8xMlmiI18EZNzodDSe74rFuwlZDL0aQ=", "narHash": "sha256-DkF49DlcaZHV9v3m5ctQnC9qNqsEdfNhwjQArx5Q+Zw=",
"owner": "danth", "owner": "xinyangli",
"repo": "stylix", "repo": "stylix",
"rev": "d042af478ce87e188139480922a3085218194106", "rev": "7aad490478518af03367dabfb5811b3f87ea93a1",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "danth", "owner": "xinyangli",
"repo": "stylix", "repo": "stylix",
"type": "github" "type": "github"
} }

View file

@ -49,8 +49,15 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
catppuccin.url = "github:catppuccin/nix"; catppuccin = {
stylix.url = "github:danth/stylix"; url = "github:catppuccin/nix";
};
stylix = {
url = "github:xinyangli/stylix";
# inputs.nixpkgs.follows = "nixpkgs";
# inputs.home-manager.follows = "home-manager";
};
}; };
outputs = outputs =
@ -76,7 +83,7 @@
]; ];
}; };
deploymentModule = { deploymentModule = {
deployment.targetUser = "xin"; deployment.targetUser = "root";
}; };
sharedColmenaModules = [ sharedColmenaModules = [
self.nixosModules.default self.nixosModules.default
@ -107,14 +114,29 @@
} }
]; ];
}; };
mkHomeConfiguration = user: host: {
name = user;
value = home-manager.lib.homeManagerConfiguration {
pkgs = import nixpkgs { system = "x86_64-linux"; };
modules = [
(import ./home).${user}.${host}
overlayModule
] ++ sharedHmModules;
extraSpecialArgs = {
inherit inputs;
};
};
};
mkNixos = mkNixos =
{ {
system,
modules, modules,
specialArgs ? { }, specialArgs ? { },
}: }:
nixpkgs.lib.nixosSystem { nixpkgs.lib.nixosSystem {
inherit system;
specialArgs = specialArgs // { specialArgs = specialArgs // {
inherit inputs; inherit inputs system;
}; };
modules = [ modules = [
self.nixosModules.default self.nixosModules.default
@ -132,9 +154,11 @@
}; };
homeManagerModules = import ./modules/home-manager; homeManagerModules = import ./modules/home-manager;
homeConfigurations = builtins.listToAttrs [ (mkHomeConfiguration "xin" "calcite") ];
colmenaHive = inputs.colmena.lib.makeHive { colmenaHive = inputs.colmena.lib.makeHive {
meta = { meta = {
nixpkgs = import nixpkgs { localSystem = "x86_64-linux"; }; nixpkgs = import nixpkgs { system = "x86_64-linux"; };
specialArgs = { specialArgs = {
inherit inputs; inherit inputs;
}; };
@ -146,13 +170,17 @@
deployment.targetHost = "49.13.13.122"; deployment.targetHost = "49.13.13.122";
deployment.buildOnTarget = true; deployment.buildOnTarget = true;
imports = [ machines/massicot ] ++ sharedColmenaModules; imports = [
{ nixpkgs.system = "aarch64-linux"; }
machines/massicot
] ++ sharedColmenaModules;
}; };
tok-00 = tok-00 =
{ ... }: { ... }:
{ {
imports = [ machines/dolomite ] ++ sharedColmenaModules; imports = [ machines/dolomite ] ++ sharedColmenaModules;
nixpkgs.system = "x86_64-linux";
networking.hostName = "tok-00"; networking.hostName = "tok-00";
system.stateVersion = "23.11"; system.stateVersion = "23.11";
deployment = { deployment = {
@ -166,6 +194,7 @@
{ ... }: { ... }:
{ {
imports = [ machines/dolomite ] ++ sharedColmenaModules; imports = [ machines/dolomite ] ++ sharedColmenaModules;
nixpkgs.system = "x86_64-linux";
networking.hostName = "la-00"; networking.hostName = "la-00";
system.stateVersion = "21.05"; system.stateVersion = "21.05";
deployment = { deployment = {
@ -182,6 +211,7 @@
targetHost = "raspite.local"; targetHost = "raspite.local";
buildOnTarget = false; buildOnTarget = false;
}; };
nixpkgs.system = "aarch64-linux";
imports = [ imports = [
"${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix" "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
nixos-hardware.nixosModules.raspberry-pi-4 nixos-hardware.nixosModules.raspberry-pi-4
@ -198,28 +228,26 @@
targetPort = 22; targetPort = 22;
buildOnTarget = false; buildOnTarget = false;
}; };
nixpkgs.system = "x86_64-linux";
}; };
}; };
nixosConfigurations = {
calcite = mkNixos {
system = "x86_64-linux";
modules = [
nixos-hardware.nixosModules.asus-zephyrus-ga401
machines/calcite/configuration.nix
(mkHome "xin" "calcite")
];
};
} // self.colmenaHive.nodes;
} }
// flake-utils.lib.eachDefaultSystem ( // flake-utils.lib.eachDefaultSystem (
system: system:
let let
pkgs = import nixpkgs { localSystem = system; }; pkgs = nixpkgs.legacyPackages.${system};
mkHomeConfiguration = user: host: {
name = user;
value = home-manager.lib.homeManagerConfiguration {
inherit pkgs;
modules = [
(import ./home).${user}.${host}
overlayModule
] ++ sharedHmModules;
extraSpecialArgs = {
inherit inputs;
};
};
};
in in
{ {
devShells = { devShells = {
@ -238,18 +266,7 @@
packages = { packages = {
nixvim = my-nixvim.packages.${system}.default; nixvim = my-nixvim.packages.${system}.default;
nixosConfigurations = {
calcite = mkNixos {
modules = [
nixos-hardware.nixosModules.asus-zephyrus-ga401
machines/calcite/configuration.nix
(mkHome "xin" "calcite")
];
}; };
} // self.colmenaHive.nodes;
};
homeConfigurations = builtins.listToAttrs [ (mkHomeConfiguration "xin" "calcite") ];
} }
); );
} }

View file

@ -1,11 +0,0 @@
builds:
exclude: []
include:
- '*.x86_64-linux.*'
- defaultPackage.x86_64-linux
- devShell.x86_64-linux
- homeConfigurations.*
- darwinConfigurations.*
- nixosConfigurations.*
- nixosConfigurations.aarch64-linux.calcite
- homeConfigurations.aarch64-linux.xin

View file

@ -27,7 +27,7 @@
}; };
home.packages = with pkgs; [ home.packages = with pkgs; [
thunderbird # betterbird
remmina remmina
]; ];

View file

@ -215,7 +215,7 @@
gnomeExtensions.pano gnomeExtensions.pano
gnome-tweaks gnome-tweaks
gnome-themes-extra gnome-themes-extra
gnome.gnome-remote-desktop gnome-remote-desktop
bibata-cursors bibata-cursors
gthumb gthumb
oculante oculante
@ -357,4 +357,12 @@
}; };
services.nixseparatedebuginfod.enable = true; services.nixseparatedebuginfod.enable = true;
services.bloop = {
install = true;
extraOptions = [
"-J-Xmx2G"
"-J-XX:MaxInlineLevel=20"
"-J-XX:+UseParallelGC"
];
};
} }

View file

@ -19,8 +19,16 @@
"usbhid" "usbhid"
]; ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.initrd.luks.devices.cryptroot = {
boot.initrd = {
systemd.enable = true; # initrd uses systemd
luks = {
fido2Support = false; # because systemd
devices.cryptroot = {
device = "/dev/disk/by-uuid/5a51f623-6fbd-4843-9f83-c895067e8e7d"; device = "/dev/disk/by-uuid/5a51f623-6fbd-4843-9f83-c895067e8e7d";
crypttabExtraOpts = [ "fido2-device=auto" ]; # cryptenroll
};
};
}; };
boot.kernelModules = [ "kvm-amd" ]; boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
@ -69,5 +77,6 @@
hardware.nvidia = { hardware.nvidia = {
powerManagement.enable = true; powerManagement.enable = true;
dynamicBoost.enable = lib.mkForce false; dynamicBoost.enable = lib.mkForce false;
open = true;
}; };
} }

View file

@ -16,7 +16,6 @@ in
}; };
config = lib.mkIf cfg { config = lib.mkIf cfg {
nixpkgs.hostPlatform = "x86_64-linux";
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [
"ata_piix" "ata_piix"
"xhci_pci" "xhci_pci"
@ -46,5 +45,7 @@ in
networking.useDHCP = false; networking.useDHCP = false;
networking.interfaces.ens18.useDHCP = true; networking.interfaces.ens18.useDHCP = true;
networking.interfaces.ens19.useDHCP = true; networking.interfaces.ens19.useDHCP = true;
services.sing-box.settings.dns.strategy = "ipv4_only";
}; };
} }

View file

@ -25,8 +25,6 @@ in
}; };
config = mkIf config.isLightsail { config = mkIf config.isLightsail {
nixpkgs.hostPlatform = "x86_64-linux";
boot.loader.grub.device = "/dev/nvme0n1"; boot.loader.grub.device = "/dev/nvme0n1";
# from nixpkgs amazon-image.nix # from nixpkgs amazon-image.nix

View file

@ -11,6 +11,7 @@
inputs.sops-nix.nixosModules.sops inputs.sops-nix.nixosModules.sops
./hardware-configuration.nix ./hardware-configuration.nix
./networking.nix ./networking.nix
./services.nix
./services ./services
]; ];
@ -50,13 +51,13 @@
efiSupport = true; efiSupport = true;
configurationLimit = 5; configurationLimit = 5;
}; };
#
fileSystems."/mnt/storage" = { # fileSystems."/mnt/storage" = {
device = "//u380335-sub1.your-storagebox.de/u380335-sub1"; # device = "//u380335-sub1.your-storagebox.de/u380335-sub1";
fsType = "cifs"; # fsType = "cifs";
options = [ "credentials=${config.sops.secrets.storage_box_mount.path}" ]; # options = [ "credentials=${config.sops.secrets.storage_box_mount.path}" ];
}; # };
#
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
cifs-utils cifs-utils
git git

View file

@ -16,8 +16,17 @@
]; ];
boot.initrd.kernelModules = [ "nvme" ]; boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { fileSystems."/" = {
device = "/dev/sda1"; device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_35068215-part1";
fsType = "ext4"; fsType = "ext4";
}; };
nixpkgs.hostPlatform = "aarch64-linux";
fileSystems."/mnt/storage" = {
device = "/dev/disk/by-id/scsi-0HC_Volume_101302395";
fsType = "btrfs";
options = [
"subvol=storage"
"compress=zstd"
"noatime"
];
};
} }

View file

@ -0,0 +1,217 @@
{ config, lib, ... }:
{
sops.secrets = {
"kanidm/ocis_android_secret" = {
owner = "kanidm";
};
};
systemd.services.kanidm.serviceConfig = {
BindReadOnlyPaths = [
config.sops.secrets."kanidm/ocis_android_secret".path
];
};
services.kanidm.provision = {
enable = true;
autoRemove = true;
groups = {
forgejo-access = {
members = [ "xin" ];
};
forgejo-admin = {
members = [ "xin" ];
};
gts-users = {
members = [ "xin" ];
};
ocis-users = {
members = [ "xin" ];
};
linux_users = {
members = [ "xin" ];
};
hedgedoc-users = {
members = [ "xin" ];
};
immich-users = {
members = [
"xin"
"zhuo"
"ycm"
];
};
grafana-superadmins = {
members = [ "xin" ];
};
grafana-admins = {
members = [ "xin" ];
};
grafana-editors = {
members = [ "xin" ];
};
grafana-users = {
members = [ "xin" ];
};
miniflux-users = {
members = [ "xin" ];
};
idm_people_self_mail_write = {
members = [ ];
};
};
persons = {
xin = {
displayName = "Xinyang Li";
mailAddresses = [ "lixinyang411@gmail.com" ];
};
zhuo = {
displayName = "Zhuo";
mailAddresses = [ "13681104320@163.com" ];
};
ycm = {
displayName = "Chunming";
mailAddresses = [ "chunmingyou@gmail.com" ];
};
};
systems.oauth2 = {
forgejo = {
displayName = "ForgeJo";
originUrl = "https://git.xinyang.life/";
originLanding = "https://git.xinyang.life/user/oauth2/kandim";
allowInsecureClientDisablePkce = true;
scopeMaps = {
forgejo-access = [
"openid"
"email"
"profile"
"groups"
];
};
claimMaps = {
forgejo_role = {
joinType = "array";
valuesByGroup = {
forgejo-access = [ "Access" ];
forgejo-admin = [ "Admin" ];
};
};
};
};
gts = {
displayName = "GoToSocial";
originUrl = "https://xinyang.life/";
originLanding = "https://xinyang.life/";
allowInsecureClientDisablePkce = true;
scopeMaps = {
gts-users = [
"openid"
"email"
"profile"
"groups"
];
};
};
owncloud = {
displayName = "ownCloud";
originUrl = "https://drive.xinyang.life:8443/";
originLanding = "https://drive.xinyang.life:8443/";
public = true;
preferShortUsername = true;
scopeMaps = {
ocis-users = [
"openid"
"email"
"profile"
];
};
};
owncloud-android = {
displayName = "ownCloud Apps";
originLanding = "https://drive.xinyang.life:8443/";
originUrl = [
"http://localhost/"
"http://127.0.0.1/"
"oc://android.owncloud.com"
];
basicSecretFile = config.sops.secrets."kanidm/ocis_android_secret".path;
preferShortUsername = true;
scopeMaps = {
ocis-users = [
"openid"
"email"
"profile"
"offline_access"
];
};
};
hedgedoc = {
displayName = "HedgeDoc";
originUrl = "https://docs.xinyang.life/";
originLanding = "https://docs.xinyang.life/auth/oauth2";
allowInsecureClientDisablePkce = true;
scopeMaps = {
hedgedoc-users = [
"openid"
"email"
"profile"
];
};
};
immich = {
displayName = "Immich";
originUrl = [
"https://immich.xinyang.life:8000/api/oauth/mobile-redirect/"
"https://immich.xinyang.life:8000/auth/login/"
"https://immich.xinyang.life:8000/user-settings/"
];
originLanding = "https://immich.xinyang.life:8000/auth/login?autoLaunch=0";
allowInsecureClientDisablePkce = true;
scopeMaps = {
immich-users = [
"openid"
"email"
"profile"
];
};
};
miniflux = {
displayName = "Miniflux";
originUrl = "https://rss.xinyang.life/";
originLanding = "https://rss.xinyang.life/";
scopeMaps = {
miniflux-users = [
"openid"
"email"
"profile"
];
};
};
grafana = {
displayName = "Grafana";
originUrl = "https://grafana.xinyang.life/";
originLanding = "https://grafana.xinyang.life/";
scopeMaps = {
grafana-users = [
"openid"
"email"
"profile"
"groups"
];
};
claimMaps = {
grafana_role = {
joinType = "array";
valuesByGroup = {
grafana-superadmins = [ "GrafanaAdmin" ];
grafana-admins = [ "Admin" ];
grafana-editors = [ "Editor" ];
};
};
};
};
};
};
}

View file

@ -1,19 +1,12 @@
{ pkgs, ... }: { pkgs, ... }:
{ {
networking = { networking.useNetworkd = true;
interfaces = { systemd.network.networks."10-wan" = {
eth0.useDHCP = true; matchConfig.MACAddress = "96:00:02:68:7d:2d";
eth0.ipv6.addresses = [ networkConfig.DHCP = "ipv4";
{ networkConfig.Gateway = "fe80::1";
address = "2a01:4f8:c17:345f::1"; address = [
prefixLength = 64; "2a01:4f8:c17:345f::3/64"
}
]; ];
}; };
defaultGateway6 = {
address = "fe80::1";
interface = "eth0";
};
nameservers = [ ];
};
} }

View file

@ -1,11 +1,17 @@
storage_box_mount: ENC[AES256_GCM,data:9lOAL3tkfB0pN4/cuM4SX0xoMrW0UUEzTN8spw3MQ3BWrfsRc3Stsce3puXz1sRf,iv:7Q9wzpBgQ3tqcfy0n/c6Ya84Kg60nhR/e2H0pVntWsY=,tag:9a0xvNBGQpCvhxgmV3hrww==,type:str] storage_box_mount: ENC[AES256_GCM,data:9lOAL3tkfB0pN4/cuM4SX0xoMrW0UUEzTN8spw3MQ3BWrfsRc3Stsce3puXz1sRf,iv:7Q9wzpBgQ3tqcfy0n/c6Ya84Kg60nhR/e2H0pVntWsY=,tag:9a0xvNBGQpCvhxgmV3hrww==,type:str]
gts_env: ENC[AES256_GCM,data:StggMdJPevrDbrVDrBDETdQYnSOaTESkgSqpGKrSHXhS21nyCE5ya7/X4l0GVTXoGCyfWG7vK+PDW22mJxpYcj2CBaVUYDu/,iv:2fqWDaWAWxTXdG7w5HU6jBcappFEByNtYs0Jd6PaYnA=,tag:KGhrMemao6g4FkEAZmmacg==,type:str] gts_env: ENC[AES256_GCM,data:StggMdJPevrDbrVDrBDETdQYnSOaTESkgSqpGKrSHXhS21nyCE5ya7/X4l0GVTXoGCyfWG7vK+PDW22mJxpYcj2CBaVUYDu/,iv:2fqWDaWAWxTXdG7w5HU6jBcappFEByNtYs0Jd6PaYnA=,tag:KGhrMemao6g4FkEAZmmacg==,type:str]
hedgedoc_env: ENC[AES256_GCM,data:zwAA+zKSJT0tZyYArCaa1lfL0y8DNHDp/thS11DrVxNvjmk38o0ydsKArfZKzFYye+qNBzz1B4sPCdW4cFgQUNgbM+n9AvoMB8CssdmQ+sALKmozA5aEV23q+khZSGlHocP6WA==,iv:SgZruOS1nanK64Ex1dvgoD1HzbGbNa4DFSBuVoaNgEc=,tag:R+I8m1AloDCXs5PdpEpS0w==,type:str] hedgedoc_env: ENC[AES256_GCM,data:+rjEctM6IJUpn7WcAnBS9TkQi2lCq4wKPxbaOApffH0tFyu56SpECrLpmM749I7th3N+UGb0pLM7+Ywr7fbuuMfUuIWom6Y+CKYw4yMlgjzTaaNqBmstvMxLaPnmA01G9ie1rQ==,iv:YBIyQQ6xiUyxSnR5epE5hV9OqETLKC5CFTEaRJdErGU=,tag:77kHYQ2i2APVyadhMhmvWA==,type:str]
grafana_oauth_secret: ENC[AES256_GCM,data:43+EBnN912eK/08MdJokWPxi2Lxn/D4hSHPhNmHOk9awWQ7ut/el0vaAa+Epqnui3le2p4VuotQT6XlIuDLrixIomrc6Qw5HERAEdZmbrGvDlrrNhw==,iv:Pfn8rL0LtG3hym9EdSZRjaPLMlWlut/nt2FEtRWnULo=,tag:moDWqF3aBbnO4aG0Cysfcw==,type:str] grafana_oauth_secret: ENC[AES256_GCM,data:43+EBnN912eK/08MdJokWPxi2Lxn/D4hSHPhNmHOk9awWQ7ut/el0vaAa+Epqnui3le2p4VuotQT6XlIuDLrixIomrc6Qw5HERAEdZmbrGvDlrrNhw==,iv:Pfn8rL0LtG3hym9EdSZRjaPLMlWlut/nt2FEtRWnULo=,tag:moDWqF3aBbnO4aG0Cysfcw==,type:str]
miniflux: miniflux:
oauth2_secret: ENC[AES256_GCM,data:jcZR9E9jXNKfkAoGgBI19qQeaz26R6qiAWjP4XrftHSCQV974tjJl+fiU8Xgi0bViA==,iv:/aY0bL/oAAHBhohy3FHB/UEDYryw7A7JOKvEbLtDHJg=,tag:Fn/6NurNkRphXySR+y9S9Q==,type:str] oauth2_secret: ENC[AES256_GCM,data:jcZR9E9jXNKfkAoGgBI19qQeaz26R6qiAWjP4XrftHSCQV974tjJl+fiU8Xgi0bViA==,iv:/aY0bL/oAAHBhohy3FHB/UEDYryw7A7JOKvEbLtDHJg=,tag:Fn/6NurNkRphXySR+y9S9Q==,type:str]
forgejo: forgejo:
env: ENC[AES256_GCM,data:TMeguXfanISeyvsay9SBqm3SSGKpp5nCkqhHblf0QHNzHWGQKwpORmWfOtVfgOh9qdDqq8wYBpXznmbvixjV,iv:IR/rMoAIvZCw9FURmau4+g8c3pvI9BRs7v1NJ5ia4jI=,tag:kjwf6RN5HN8I2sUhDcr4UQ==,type:str] env: ENC[AES256_GCM,data:TMeguXfanISeyvsay9SBqm3SSGKpp5nCkqhHblf0QHNzHWGQKwpORmWfOtVfgOh9qdDqq8wYBpXznmbvixjV,iv:IR/rMoAIvZCw9FURmau4+g8c3pvI9BRs7v1NJ5ia4jI=,tag:kjwf6RN5HN8I2sUhDcr4UQ==,type:str]
restic:
repo: ENC[AES256_GCM,data:/vybkTU7LMWSlco9W2pJouU9wm4okXClSHXQMCA6SGIHWp4Ppl6C+jS4sNJALc6ntKzcEHyWO/R3JPjQKjZNH4YtrnNQp/ZY9g==,iv:gAvp6blg5JuBKzLw6YSgM1Uc24Aesov3ttCRXZXBvJw=,tag:pvH1y6BFOl7jIn/qQejUbQ==,type:str]
password: ENC[AES256_GCM,data:5eIIBtGtBFwcAQ+ZwTYOtg==,iv:3GEM8Imu0i1aTwwSspvz2EzwJOXUC/b15hzkFFuZ+YY=,tag:wscba+nMtshldgUtcEKnOw==,type:str]
kanidm:
ocis_android_secret: ENC[AES256_GCM,data:vuEIvBEhIME+C/s3xoskddtf5nogC9nPq+HUyyAl3u9nvH3bTzUkfE/1wolaCLeeupnD3pDokdRyKzjEmoZACQ==,iv:cmx/0i23p1uEI0oAiWdcvGRq4+075+VuAMkFSfXzfso=,tag:yVnqz16L5kyW9vAVng53pA==,type:str]
ocis_desktop_secret: ENC[AES256_GCM,data:WTfUQzTB9An9p9xof2nuIkD5mYzMaisS62Cv86zX05rkB/wXmTnZiY7ztUoN9OmhGoPgeZg0+d+Jo6bV1hoqlw==,iv:V4iqtYIOcyDXIijcD0IXqpaSs2rxyWiOSZGer/BFSe4=,tag:1nCU1KmWQcY5ZXjlzhxaQQ==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -30,8 +36,8 @@ sops:
dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i
V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g== V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-21T05:54:31Z" lastmodified: "2024-09-14T05:48:04Z"
mac: ENC[AES256_GCM,data:oNBabsDRuHjMBXynr8ytCLmv5NPyA0mRUcPJfFZjjAb9ZbGP+pquwJT3S0l2yo4Nsd0YQP8X1pGS3PEv9v+N538bxmMJJCERR7iZ5U5G4h0AvKi+UkjkveDdhPWBXhC1O+Up7reT/LLzOiZ1WUHCYRQfcb9R1RL3G2NpeYuOShk=,iv:FLmtKyZjZuGDnMjOgJdoIU9EXLQSZavs8f4q2C+Sxbk=,tag:sGoJNppCTYxZ2u2l0eMHgg==,type:str] mac: ENC[AES256_GCM,data:zdGdvk2pMaZYUsTI9XsSUpgtWrNmZNPg7KoV0zAt19h7Qccu3OGTSfXD+rhhhxhhWgBohGIhDVAVQcORnAw1Y/ykgqxERCANuzoBvvR1eKfPcRNiCEr2dmUAybDF7B2MWKlJ5Fsnpk/caK717Fe8XdAJDuplFwmMWi2c1c61/NQ=,iv:KPQTGzFQH+CQmLeXBzMSbU4lVH0/Wc6CeTp6w/pMMOY=,tag:UVA+sQwQa2bpy2/woBgAkQ==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.0 version: 3.9.0

View file

@ -0,0 +1,303 @@
{
config,
pkgs,
lib,
...
}:
let
kanidm_listen_port = 5324;
in
{
imports = [
./kanidm-provision.nix
];
networking.firewall.allowedTCPPorts = [
80
443
2222
8448
];
networking.firewall.allowedUDPPorts = [
80
443
8448
];
custom.vaultwarden = {
enable = true;
domain = "vaultwarden.xinyang.life";
};
custom.hedgedoc = {
enable = true;
caddy = true;
domain = "docs.xinyang.life";
mediaPath = "/mnt/storage/hedgedoc";
oidc = {
enable = true;
baseURL = "https://auth.xinyang.life/oauth2/openid/hedgedoc";
authorizationURL = "https://auth.xinyang.life/ui/oauth2";
tokenURL = "https://auth.xinyang.life/oauth2/token";
userProfileURL = "https://auth.xinyang.life/oauth2/openid/hedgedoc/userinfo";
};
environmentFile = config.sops.secrets.hedgedoc_env.path;
};
custom.prometheus = {
enable = true;
exporters.blackbox.enable = true;
exporters.miniflux.enable = true;
};
security.acme = {
acceptTerms = true;
certs."auth.xinyang.life" = {
email = "lixinyang411@gmail.com";
listenHTTP = "127.0.0.1:1360";
group = "kanidm";
};
};
services.ntfy-sh = {
enable = true;
group = "caddy";
settings = {
listen-unix = "/var/run/ntfy-sh/ntfy.sock";
listen-unix-mode = 432; # octal 0660
base-url = "https://ntfy.xinyang.life";
};
};
systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = "ntfy-sh";
services.kanidm = {
package = pkgs.kanidm.withSecretProvisioning;
enableServer = true;
serverSettings = {
domain = "auth.xinyang.life";
origin = "https://auth.xinyang.life";
bindaddress = "[::]:${toString kanidm_listen_port}";
tls_key = ''${config.security.acme.certs."auth.xinyang.life".directory}/key.pem'';
tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem'';
online_backup.versions = 7;
# db_path = "/var/lib/kanidm/kanidm.db";
};
};
custom.miniflux = {
enable = true;
environment = {
LOG_LEVEL = "debug";
LISTEN_ADDR = "127.0.0.1:58173";
BASE_URL = "https://rss.xinyang.life/";
OAUTH2_PROVIDER = "oidc";
OAUTH2_CLIENT_ID = "miniflux";
OAUTH2_REDIRECT_URL = "https://rss.xinyang.life/oauth2/oidc/callback";
OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.xinyang.life/oauth2/openid/miniflux";
OAUTH2_USER_CREATION = 1;
};
oauth2SecretFile = config.sops.secrets."miniflux/oauth2_secret".path;
};
services.matrix-conduit = {
enable = true;
# package = inputs.conduit.packages.${pkgs.system}.default;
package = pkgs.matrix-conduit;
settings.global = {
server_name = "xinyang.life";
port = 6167;
# database_path = "/var/lib/matrix-conduit/";
max_concurrent_requests = 100;
log = "info";
database_backend = "rocksdb";
allow_registration = false;
well_known = {
client = "https://msg.xinyang.life";
server = "msg.xinyang.life:443";
};
};
};
users.users.conduit = {
isSystemUser = true;
group = "conduit";
};
users.groups.conduit = { };
services.gotosocial = {
enable = true;
settings = {
log-level = "debug";
host = "xinyang.life";
letsencrypt-enabled = false;
bind-address = "localhost";
instance-expose-public-timeline = true;
oidc-enabled = true;
oidc-idp-name = "Kanidm";
oidc-issuer = "https://auth.xinyang.life/oauth2/openid/gts";
oidc-client-id = "gts";
oidc-link-existing = true;
storage-local-base-path = "/mnt/storage/gotosocial/storage";
};
environmentFile = config.sops.secrets.gts_env.path;
};
services.forgejo = {
enable = true;
# Use cutting edge instead of lts
package = pkgs.forgejo;
repositoryRoot = "/mnt/storage/forgejo/repositories";
lfs = {
enable = true;
contentDir = "/mnt/storage/forgejo/lfs";
};
settings = {
service.DISABLE_REGISTRATION = true;
server = {
ROOT_URL = "https://git.xinyang.life/";
START_SSH_SERVER = false;
SSH_USER = config.services.forgejo.user;
SSH_DOMAIN = "ssh.xinyang.life";
SSH_PORT = 22;
LFS_MAX_FILE_SIZE = 10737418240;
LANDING_PAGE = "/explore/repos";
};
repository = {
ENABLE_PUSH_CREATE_USER = true;
};
service = {
ENABLE_BASIC_AUTHENTICATION = false;
};
oauth2 = {
ENABLED = false; # Disable forgejo as oauth2 provider
};
oauth2_client = {
ACCOUNT_LINKING = "auto";
USERNAME = "email";
ENABLE_AUTO_REGISTRATION = true;
UPDATE_AVATAR = false;
OPENID_CONNECT_SCOPES = "openid profile email groups";
};
other = {
SHOW_FOOTER_VERSION = false;
};
};
};
systemd.services.forgejo = {
serviceConfig = {
EnvironmentFile = config.sops.secrets."forgejo/env".path;
ExecStartPost = ''
${lib.getExe config.services.forgejo.package} admin auth update-oauth \
--id 1 \
--name kanidm \
--provider openidConnect \
--key forgejo \
--secret $CLIENT_SECRET \
--icon-url https://auth.xinyang.life/pkg/img/favicon.png \
--group-claim-name forgejo_role --admin-group Admin
'';
};
};
services.grafana = {
enable = true;
settings = {
server = {
http_addr = "127.0.0.1";
http_port = 3003;
root_url = "https://grafana.xinyang.life";
domain = "grafana.xinyang.life";
};
"auth.generic_oauth" = {
enabled = true;
name = "Kanidm";
client_id = "grafana";
scopes = "openid,profile,email,groups";
auth_url = "https://auth.xinyang.life/ui/oauth2";
token_url = "https://auth.xinyang.life/oauth2/token";
api_url = "https://auth.xinyang.life/oauth2/openid/grafana/userinfo";
use_pkce = true;
use_refresh_token = true;
allow_sign_up = true;
login_attribute_path = "preferred_username";
groups_attribute_path = "groups";
role_attribute_path = "contains(grafana_role[*], 'GrafanaAdmin') && 'GrafanaAdmin' || contains(grafana_role[*], 'Admin') && 'Admin' || contains(grafana_role[*], 'Editor') && 'Editor' || 'Viewer'";
allow_assign_grafana_admin = true;
auto_login = true;
};
"auth" = {
disable_login_form = true;
};
};
};
systemd.services.grafana.serviceConfig.EnvironmentFile =
config.sops.secrets.grafana_oauth_secret.path;
users.users.git = {
isSystemUser = true;
useDefaultShell = true;
group = "git";
extraGroups = [ "forgejo" ];
};
users.groups.git = { };
users.users = {
${config.services.caddy.user}.extraGroups = [ config.services.ntfy-sh.group ];
};
services.caddy = {
enable = true;
virtualHosts."xinyang.life:443".extraConfig = ''
tls internal
encode zstd gzip
reverse_proxy /.well-known/matrix/* localhost:6167
reverse_proxy * http://localhost:8080 {
flush_interval -1
}
'';
virtualHosts."https://msg.xinyang.life:443".extraConfig = ''
reverse_proxy /_matrix/* localhost:6167
'';
virtualHosts."https://git.xinyang.life:443".extraConfig = ''
reverse_proxy http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT}
'';
virtualHosts."http://auth.xinyang.life:80".extraConfig = ''
reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
'';
virtualHosts."https://auth.xinyang.life".extraConfig = ''
reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {
header_up Host {upstream_hostport}
header_down Access-Control-Allow-Origin "*"
transport http {
tls_server_name ${config.services.kanidm.serverSettings.domain}
}
}
'';
virtualHosts."https://rss.xinyang.life".extraConfig = ''
reverse_proxy ${config.custom.miniflux.environment.LISTEN_ADDR}
'';
virtualHosts."https://ntfy.xinyang.life".extraConfig = ''
reverse_proxy unix/${config.services.ntfy-sh.settings.listen-unix}
@httpget {
protocol http
method GET
path_regexp ^/([-_a-z0-9]{0,64}$|docs/|static/)
}
redir @httpget https://{host}{uri}
'';
virtualHosts."https://grafana.xinyang.life".extraConfig =
let
grafanaSettings = config.services.grafana.settings.server;
in
''
reverse_proxy http://${grafanaSettings.http_addr}:${toString grafanaSettings.http_port}
'';
};
}

View file

@ -1,46 +0,0 @@
{ pkgs, lib, ... }:
let
inherit (lib) mkForce;
in
{
config = {
custom.cifs-mounts = [ "conduit" ];
services.matrix-conduit = {
enable = true;
# package = inputs.conduit.packages.${pkgs.system}.default;
package = pkgs.matrix-conduit;
settings.global = {
server_name = "xinyang.life";
port = 6167;
# database_path = "/var/lib/matrix-conduit/";
max_concurrent_requests = 100;
log = "info";
database_backend = "rocksdb";
allow_registration = false;
well_known = {
client = "https://msg.xinyang.life";
server = "msg.xinyang.life:443";
};
};
};
systemd.services.conduit = {
serviceConfig = {
DynamicUser = mkForce false;
};
};
users.users.conduit = {
group = "conduit";
isSystemUser = true;
};
users.groups.conduit = { };
services.caddy.enable = true;
services.caddy.virtualHosts."https://msg.xinyang.life:443".extraConfig = ''
reverse_proxy /_matrix/* localhost:6167
'';
};
}

View file

@ -1,22 +1,5 @@
{ {
imports = [ imports = [
./conduit.nix ./restic.nix
./forgejo.nix
./gotosocial.nix
./grafana.nix
./hedgedoc.nix
./kanidm
./miniflux.nix
./ntfy.nix
./storagebox.nix
./vaultwarden.nix
]; ];
config = {
custom.prometheus = {
enable = true;
exporters.blackbox.enable = true;
exporters.miniflux.enable = true;
};
};
} }

View file

@ -1,84 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) getExe;
in
{
config = {
custom.cifs-mounts = [ "forgejo" ];
services.forgejo = {
enable = true;
# Use cutting edge instead of lts
package = pkgs.forgejo;
repositoryRoot = "/mnt/storage/forgejo/repositories";
lfs = {
enable = true;
contentDir = "/mnt/storage/forgejo/lfs";
};
settings = {
service.DISABLE_REGISTRATION = true;
server = {
ROOT_URL = "https://git.xinyang.life/";
START_SSH_SERVER = false;
SSH_USER = config.services.forgejo.user;
SSH_DOMAIN = "ssh.xinyang.life";
SSH_PORT = 22;
LFS_MAX_FILE_SIZE = 10737418240;
LANDING_PAGE = "/explore/repos";
};
repository = {
ENABLE_PUSH_CREATE_USER = true;
};
service = {
ENABLE_BASIC_AUTHENTICATION = false;
};
oauth2 = {
ENABLED = false; # Disable forgejo as oauth2 provider
};
oauth2_client = {
ACCOUNT_LINKING = "auto";
USERNAME = "email";
ENABLE_AUTO_REGISTRATION = true;
UPDATE_AVATAR = false;
OPENID_CONNECT_SCOPES = "openid profile email groups";
};
other = {
SHOW_FOOTER_VERSION = false;
};
};
};
systemd.services.forgejo = {
serviceConfig = {
EnvironmentFile = config.sops.secrets."forgejo/env".path;
ExecStartPost = ''
${getExe config.services.forgejo.package} admin auth update-oauth \
--id 1 \
--name kanidm \
--provider openidConnect \
--key forgejo \
--secret $CLIENT_SECRET \
--icon-url https://auth.xinyang.life/pkg/img/favicon.png \
--group-claim-name forgejo_role --admin-group Admin
'';
};
};
users.users.git = {
isSystemUser = true;
useDefaultShell = true;
group = "git";
extraGroups = [ "forgejo" ];
};
users.groups.git = { };
services.caddy.enable = true;
services.caddy.virtualHosts."https://git.xinyang.life:443".extraConfig = ''
reverse_proxy http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT}
'';
};
}

View file

@ -1,33 +0,0 @@
{ config, ... }:
{
config = {
custom.cifs-mounts = [ "gotosocial" ];
services.gotosocial = {
enable = true;
settings = {
log-level = "debug";
host = "xinyang.life";
letsencrypt-enabled = false;
bind-address = "localhost";
instance-expose-public-timeline = true;
oidc-enabled = true;
oidc-idp-name = "Kanidm";
oidc-issuer = "https://auth.xinyang.life/oauth2/openid/gts";
oidc-client-id = "gts";
oidc-link-existing = true;
storage-local-base-path = "/mnt/storage/gotosocial/storage";
};
environmentFile = config.sops.secrets.gts_env.path;
};
services.caddy.enable = true;
services.caddy.virtualHosts."xinyang.life:443".extraConfig = ''
tls internal
encode zstd gzip
reverse_proxy /.well-known/matrix/* localhost:6167
reverse_proxy * http://localhost:8080 {
flush_interval -1
}
'';
};
}

View file

@ -1,47 +0,0 @@
{ config, ... }:
{
config = {
services.grafana = {
enable = true;
settings = {
server = {
http_addr = "127.0.0.1";
http_port = 3003;
root_url = "https://grafana.xinyang.life";
domain = "grafana.xinyang.life";
};
"auth.generic_oauth" = {
enabled = true;
name = "Kanidm";
client_id = "grafana";
scopes = "openid,profile,email,groups";
auth_url = "https://auth.xinyang.life/ui/oauth2";
token_url = "https://auth.xinyang.life/oauth2/token";
api_url = "https://auth.xinyang.life/oauth2/openid/grafana/userinfo";
use_pkce = true;
use_refresh_token = true;
allow_sign_up = true;
login_attribute_path = "preferred_username";
groups_attribute_path = "groups";
role_attribute_path = "contains(grafana_role[*], 'GrafanaAdmin') && 'GrafanaAdmin' || contains(grafana_role[*], 'Admin') && 'Admin' || contains(grafana_role[*], 'Editor') && 'Editor' || 'Viewer'";
allow_assign_grafana_admin = true;
auto_login = true;
};
"auth" = {
disable_login_form = true;
};
};
};
systemd.services.grafana.serviceConfig.EnvironmentFile =
config.sops.secrets.grafana_oauth_secret.path;
services.caddy.virtualHosts."https://grafana.xinyang.life".extraConfig =
let
grafanaSettings = config.services.grafana.settings.server;
in
''
reverse_proxy http://${grafanaSettings.http_addr}:${toString grafanaSettings.http_port}
'';
};
}

View file

@ -1,20 +0,0 @@
{ config, ... }:
{
config = {
custom.cifs-mounts = [ "hedgedoc" ];
custom.hedgedoc = {
enable = true;
caddy = true;
domain = "docs.xinyang.life";
mediaPath = "/mnt/storage/hedgedoc";
oidc = {
enable = true;
baseURL = "https://auth.xinyang.life/oauth2/openid/hedgedoc";
authorizationURL = "https://auth.xinyang.life/ui/oauth2";
tokenURL = "https://auth.xinyang.life/oauth2/token";
userProfileURL = "https://auth.xinyang.life/oauth2/openid/hedgedoc/userinfo";
};
environmentFile = config.sops.secrets.hedgedoc_env.path;
};
};
}

View file

@ -1,52 +0,0 @@
{ config, pkgs, ... }:
let
kanidm_listen_port = 5324;
in
{
config = {
services.caddy = {
virtualHosts."http://auth.xinyang.life:80".extraConfig = ''
reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
'';
virtualHosts."https://auth.xinyang.life".extraConfig = ''
reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {
header_up Host {upstream_hostport}
header_down Access-Control-Allow-Origin "*"
transport http {
tls_server_name ${config.services.kanidm.serverSettings.domain}
}
}
'';
};
services.kanidm = {
package = pkgs.kanidm.withSecretProvisioning;
enableServer = true;
serverSettings = {
domain = "auth.xinyang.life";
origin = "https://auth.xinyang.life";
bindaddress = "[::]:${toString kanidm_listen_port}";
tls_key = ''${config.security.acme.certs."auth.xinyang.life".directory}/key.pem'';
tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem'';
online_backup.versions = 7;
# db_path = "/var/lib/kanidm/kanidm.db";
};
provision = import ./kanidm-provision.nix;
};
networking.firewall.allowedTCPPorts = [
80
443
];
security.acme = {
acceptTerms = true;
certs."auth.xinyang.life" = {
email = "lixinyang411@gmail.com";
listenHTTP = "127.0.0.1:1360";
group = "kanidm";
};
};
};
}

View file

@ -1,178 +0,0 @@
{
enable = true;
autoRemove = true;
groups = {
forgejo-access = {
members = [ "xin" ];
};
forgejo-admin = {
members = [ "xin" ];
};
gts-users = {
members = [ "xin" ];
};
ocis-users = {
members = [ "xin" ];
};
linux_users = {
members = [ "xin" ];
};
hedgedoc-users = {
members = [ "xin" ];
};
immich-users = {
members = [
"xin"
"zhuo"
"ycm"
];
};
grafana-superadmins = {
members = [ "xin" ];
};
grafana-admins = {
members = [ "xin" ];
};
grafana-editors = {
members = [ "xin" ];
};
grafana-users = {
members = [ "xin" ];
};
miniflux-users = {
members = [ "xin" ];
};
idm_people_self_mail_write = {
members = [ ];
};
};
persons = {
xin = {
displayName = "Xinyang Li";
mailAddresses = [ "lixinyang411@gmail.com" ];
};
zhuo = {
displayName = "Zhuo";
mailAddresses = [ "13681104320@163.com" ];
};
ycm = {
displayName = "Chunming";
mailAddresses = [ "chunmingyou@gmail.com" ];
};
};
systems.oauth2 = {
forgejo = {
displayName = "ForgeJo";
originUrl = "https://git.xinyang.life/";
originLanding = "https://git.xinyang.life/user/oauth2/kandim";
allowInsecureClientDisablePkce = true;
scopeMaps = {
forgejo-access = [
"openid"
"email"
"profile"
"groups"
];
};
claimMaps = {
forgejo_role = {
joinType = "array";
valuesByGroup = {
forgejo-access = [ "Access" ];
forgejo-admin = [ "Admin" ];
};
};
};
};
gts = {
displayName = "GoToSocial";
originUrl = "https://xinyang.life/";
originLanding = "https://xinyang.life/";
allowInsecureClientDisablePkce = true;
scopeMaps = {
gts-users = [
"openid"
"email"
"profile"
"groups"
];
};
};
owncloud = {
displayName = "ownCloud";
originUrl = "https://home.xinyang.life:9201/";
originLanding = "https://home.xinyang.life:9201/";
public = true;
scopeMaps = {
ocis-users = [
"openid"
"email"
"profile"
];
};
};
hedgedoc = {
displayName = "HedgeDoc";
originUrl = "https://docs.xinyang.life/";
originLanding = "https://docs.xinyang.life/auth/oauth2";
allowInsecureClientDisablePkce = true;
scopeMaps = {
hedgedoc-users = [
"openid"
"email"
"profile"
];
};
};
immich-mobile = {
displayName = "Immich";
originUrl = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
originLanding = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
allowInsecureClientDisablePkce = true;
scopeMaps = {
immich-users = [
"openid"
"email"
"profile"
];
};
};
miniflux = {
displayName = "Miniflux";
originUrl = "https://rss.xinyang.life/";
originLanding = "https://rss.xinyang.life/";
scopeMaps = {
miniflux-users = [
"openid"
"email"
"profile"
];
};
};
grafana = {
displayName = "Grafana";
originUrl = "https://grafana.xinyang.life/";
originLanding = "https://grafana.xinyang.life/";
scopeMaps = {
grafana-users = [
"openid"
"email"
"profile"
"groups"
];
};
claimMaps = {
grafana_role = {
joinType = "array";
valuesByGroup = {
grafana-superadmins = [ "GrafanaAdmin" ];
grafana-admins = [ "Admin" ];
grafana-editors = [ "Editor" ];
};
};
};
};
};
}

View file

@ -1,26 +0,0 @@
{ config, ... }:
{
config = {
custom.miniflux = {
enable = true;
environment = {
LOG_LEVEL = "debug";
LISTEN_ADDR = "127.0.0.1:58173";
BASE_URL = "https://rss.xinyang.life/";
OAUTH2_PROVIDER = "oidc";
OAUTH2_CLIENT_ID = "miniflux";
OAUTH2_REDIRECT_URL = "https://rss.xinyang.life/oauth2/oidc/callback";
OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.xinyang.life/oauth2/openid/miniflux";
OAUTH2_USER_CREATION = 1;
};
oauth2SecretFile = config.sops.secrets."miniflux/oauth2_secret".path;
};
services.caddy = {
enable = true;
virtualHosts."https://rss.xinyang.life".extraConfig = ''
reverse_proxy ${config.custom.miniflux.environment.LISTEN_ADDR}
'';
};
};
}

View file

@ -1,29 +0,0 @@
{ config, ... }:
{
config = {
services.ntfy-sh = {
enable = true;
group = "caddy";
settings = {
listen-unix = "/var/run/ntfy-sh/ntfy.sock";
listen-unix-mode = 432; # octal 0660
base-url = "https://ntfy.xinyang.life";
};
};
systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = "ntfy-sh";
users.users = {
${config.services.caddy.user}.extraGroups = [ config.services.ntfy-sh.group ];
};
services.caddy.virtualHosts."https://ntfy.xinyang.life".extraConfig = ''
reverse_proxy unix/${config.services.ntfy-sh.settings.listen-unix}
@httpget {
protocol http
method GET
path_regexp ^/([-_a-z0-9]{0,64}$|docs/|static/)
}
redir @httpget https://{host}{uri}
'';
};
}

View file

@ -0,0 +1,51 @@
{
config,
lib,
pkgs,
...
}:
let
sqliteBackup = path: ''
mkdir -p /backup${path}
${lib.getExe pkgs.sqlite} ${path} "vacuum into '/var/backup${path}'"
'';
in
{
sops.secrets = {
"restic/repo" = {
sopsFile = ../secrets.yaml;
};
"restic/password" = {
sopsFile = ../secrets.yaml;
};
};
custom.restic = {
enable = true;
repositoryFile = config.sops.secrets."restic/repo".path;
passwordFile = config.sops.secrets."restic/password".path;
paths = [
"/var/backup"
"/mnt/storage"
];
};
services.postgresqlBackup = {
enable = true;
compression = "zstd";
compressionLevel = 9;
location = "/var/backup/postgresql";
};
services.restic.backups.${config.networking.hostName} = {
backupPrepareCommand = builtins.concatStringsSep "\n" [
(sqliteBackup "/var/lib/hedgedoc/db.sqlite")
(sqliteBackup "/var/lib/bitwarden_rs/db.sqlite3")
(sqliteBackup "/var/lib/gotosocial/database.sqlite")
(sqliteBackup "/var/lib/kanidm/kanidm.db")
];
extraBackupArgs = [
"--limit-upload=1024"
];
};
}

View file

@ -1,25 +0,0 @@
{ config, lib, ... }:
let
inherit (lib) mkDefault mkOption types;
cfg = config.custom;
in
{
options = {
custom.cifs-mounts = mkOption { type = with types; (listOf str); };
};
config = {
services.cachefilesd.enable = true;
systemd.mounts = map (share: {
what = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}";
where = "/mnt/storage/${share}";
type = "cifs";
options = mkDefault "rw,uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},_netdev,fsc";
before = [ "${share}.service" ];
after = [ "cachefilesd.service" ];
wantedBy = [ "${share}.service" ];
}) cfg.cifs-mounts;
};
}

View file

@ -1,8 +0,0 @@
{
config = {
custom.vaultwarden = {
enable = true;
domain = "vaultwarden.xinyang.life";
};
};
}

View file

@ -17,8 +17,6 @@
}) })
]; ];
nixpkgs.hostPlatform = "aarch64-linux";
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
git git
libraspberrypi libraspberrypi

View file

@ -2,17 +2,15 @@
inputs, inputs,
config, config,
pkgs, pkgs,
lib,
modulesPath, modulesPath,
... ...
}: }:
with lib;
{ {
imports = [ imports = [
inputs.sops-nix.nixosModules.sops inputs.sops-nix.nixosModules.sops
(modulesPath + "/profiles/qemu-guest.nix") (modulesPath + "/profiles/qemu-guest.nix")
./services
]; ];
config = { config = {
@ -50,6 +48,10 @@ with lib;
owner = "caddy"; owner = "caddy";
mode = "400"; mode = "400";
}; };
"immich/oauth_client_secret" = {
owner = "immich";
mode = "400";
};
}; };
}; };
@ -89,6 +91,31 @@ with lib;
environment = { environment = {
IMMICH_MACHINE_LEARNING_ENABLED = "false"; IMMICH_MACHINE_LEARNING_ENABLED = "false";
}; };
database.enable = true;
};
custom.immich.jsonSettings = {
oauth = {
enabled = true;
issuerUrl = "https://auth.xinyang.life/oauth2/openid/immich/";
clientId = "immich";
clientSecret = {
_secret = config.sops.secrets."immich/oauth_client_secret".path;
};
scope = "openid email profile";
signingAlgorithm = "ES256";
storageLabelClaim = "email";
buttonText = "Login with Kanidm";
autoLaunch = true;
mobileOverrideEnabled = true;
mobileRedirectUri = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
};
passwordLogin = {
enabled = false;
};
newVersionCheck = {
enabled = false;
};
}; };
services.dae = { services.dae = {

View file

@ -1,4 +1,6 @@
cloudflare_dns_token: ENC[AES256_GCM,data:m4euSkxxJmiMk9UPyeni/hwpl1W9A4MM0ssg71eOBsX4fFyG39NJeKbNTddW7omBx3gKJtnrRuDdOj5wpg==,iv:eRVzsGwz8hWC42jM+VeSUWCS9Gi8VGSY8Fyh+En0jEI=,tag:NNE8VeNQ8kp9KyziVokyuQ==,type:str] cloudflare_dns_token: ENC[AES256_GCM,data:m4euSkxxJmiMk9UPyeni/hwpl1W9A4MM0ssg71eOBsX4fFyG39NJeKbNTddW7omBx3gKJtnrRuDdOj5wpg==,iv:eRVzsGwz8hWC42jM+VeSUWCS9Gi8VGSY8Fyh+En0jEI=,tag:NNE8VeNQ8kp9KyziVokyuQ==,type:str]
immich:
oauth_client_secret: ENC[AES256_GCM,data:EFs2hPjGMj0idwY3oQVIDTOIWkdwoAoAVjDQE9Z2eAKzUDH3grmYpYE+33V8d/Ux,iv:A9cjwFr/ZqltG62/N8MQ1LhdDbSIVVAqIPVB492zYJw=,tag:VTTtE697BZTVsI32UF53/w==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -23,8 +25,8 @@ sops:
V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV
RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw== RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-29T09:05:41Z" lastmodified: "2024-09-07T14:56:37Z"
mac: ENC[AES256_GCM,data:4RX5WtJnI4R2OAKNljo8IhBNTR+PSSFsT4rE0mjS4pEdWyJilAgLwcVU0DEDp7thHeT+YyjDQ9d3z1aeGALlJ3sV57azu4F9/KXixvZMKJtmFRsC74OTSBzFfnA4W9MjOTn95L+RQOJ/3UH1FAZ7UHAe3Os98kNW98D/Nv4S9us=,iv:En7RNovlF1yRURu9fGHRgWvsr3FzpeLtrKELtqkJUb8=,tag:4eVlLsraN17rBbAL7xOHnQ==,type:str] mac: ENC[AES256_GCM,data:PvMTvWumdW8W3Qj8WG4VBug8TzM+g9vQBdJNMr2rHxhFLgBp9lNOsVJkyDASnse+RVx9EKesRYni6t43XB2F7Y6nsv6PA7m9GYm08ELFXxYOLUjjrUSPzI6PhEk2eUbJ/MO/ojcntVRcbw1pmLUhq2Dj4mpl4Po6w4OyutKNNOg=,iv:eX/IiUn44Ecv5uTEQ5urUpWuuq+dr7ElVpZF24QpRxQ=,tag:3WcjZ/SP/Jd4JVkORBvkWg==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.0 version: 3.9.0

View file

@ -0,0 +1,6 @@
{
imports = [
./ocis.nix
./restic.nix
];
}

View file

@ -0,0 +1,36 @@
{ config, pkgs, ... }:
{
sops = {
secrets = {
"ocis/env" = {
sopsFile = ../secrets.yaml;
};
};
};
services.ocis = {
enable = true;
package = pkgs.ocis-bin;
stateDir = "/var/lib/ocis";
url = "https://drive.xinyang.life:8443";
address = "127.0.0.1";
port = 9200;
environment = {
OCIS_INSECURE = "false";
OCIS_LOG_LEVEL = "trace";
OCIS_LOG_PRETTY = "true";
# For reverse proxy. Disable tls.
OCIS_PROXY_TLS = "false";
WEB_OIDC_CLIENT_ID = "owncloud";
WEB_OIDC_ISSUER = "https://auth.xinyang.life/oauth2/openid/owncloud";
OCIS_EXCLUDE_RUN_SERVICES = "idp";
PROXY_OIDC_REWRITE_WELLKNOWN = "true";
};
};
networking.allowedTCPPorts = [ 8443 ];
services.caddy.virtualHosts."${config.services.ocis.url}".extraConfig = ''
reverse_proxy ${config.services.ocis.address}:${config.services.ocis.address}
'';
}

View file

@ -0,0 +1,18 @@
{ config, ... }:
{
services.restic.server = {
enable = true;
dataDir = "/var/lib/restic";
listenAddress = "127.0.0.1:19573";
privateRepos = "true";
extraFlags = [
"--append-only"
];
};
networking.allowedTCPPorts = [ 8443 ];
services.caddy.virtualHosts."https://backup.xinyang.life:8443".extraConfig = ''
reverse_proxy ${config.services.restic.server.listenAddress}
'';
}

View file

@ -19,7 +19,7 @@ in
enable = mkEnableOption "Git ssh signing"; enable = mkEnableOption "Git ssh signing";
keyFile = mkOption { keyFile = mkOption {
type = types.str; type = types.str;
default = "~/.ssh/id_ecdsa.pub"; default = "~/.ssh/id_ed25519_sk.pub";
}; };
}; };
}; };

View file

@ -36,8 +36,7 @@ let
sourceRoot = "extension"; sourceRoot = "extension";
})) }))
twxs.cmake twxs.cmake
ms-vscode.cpptools ] ++ (with pkgs.vscode-extensions; [ ms-vscode.cpptools ]);
];
settings = { settings = {
"cmake.configureOnEdit" = false; "cmake.configureOnEdit" = false;
"cmake.showOptionsMovedNotification" = false; "cmake.showOptionsMovedNotification" = false;

View file

@ -13,5 +13,6 @@
./forgejo-actions-runner.nix ./forgejo-actions-runner.nix
./oidc-agent.nix ./oidc-agent.nix
./miniflux.nix ./miniflux.nix
./immich.nix
]; ];
} }

60
modules/nixos/immich.nix Normal file
View file

@ -0,0 +1,60 @@
{
config,
lib,
pkgs,
utils,
...
}:
let
cfg = config.custom.immich;
upstreamCfg = config.services.immich;
settingsFormat = pkgs.formats.json { };
user = config.systemd.services.immich-server.serviceConfig.User;
group = config.systemd.services.immich-server.serviceConfig.Group;
in
{
options = {
custom.immich.jsonSettings = lib.mkOption {
type = lib.types.submodule {
freeformType = settingsFormat.type;
};
default = { };
};
};
config = {
/*
LoadCredential happens before preStart. We need to ensure the
configuration file exist, otherwise LoadCredential will fail.
*/
systemd.tmpfiles.settings = lib.mkIf upstreamCfg.enable {
"10-etc-immich" = {
"/etc/immich" = {
d = {
inherit user group;
mode = "0700";
};
};
"/etc/immich/config.json" = {
"f+" = {
inherit user group;
mode = "0600";
};
};
};
};
systemd.services.immich-server = {
preStart = ''
umask 0077
${utils.genJqSecretsReplacementSnippet cfg.jsonSettings "/etc/immich/config.json"}
'';
serviceConfig = {
LoadCredential = "config:/etc/immich/config.json";
Environment = "IMMICH_CONFIG_FILE=%d/config";
};
};
# https://github.com/NixOS/nixpkgs/pull/324127/files#r1723763510
services.immich.redis.host = "/run/redis-immich/redis.sock";
};
}

View file

@ -1,6 +1,6 @@
# TODO: https://github.com/lilyinstarlight/foosteros/blob/dfe1ab3eb68bfebfaa709482d52fa04ebdde81c8/config/restic.nix#L23 <- this is better
{ {
config, config,
pkgs,
lib, lib,
... ...
}: }:
@ -11,6 +11,14 @@ in
options = { options = {
custom.restic = { custom.restic = {
enable = lib.mkEnableOption "restic"; enable = lib.mkEnableOption "restic";
paths = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [
"/home"
"/var/lib"
];
};
prune = lib.mkEnableOption "auto prune remote restic repo";
repositoryFile = lib.mkOption { repositoryFile = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = ""; default = "";
@ -22,14 +30,10 @@ in
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services.restic.backups = { services.restic.backups.${config.networking.hostName} = lib.mkMerge [
remotebackup = { {
repositoryFile = cfg.repositoryFile; repositoryFile = cfg.repositoryFile;
passwordFile = cfg.passwordFile; passwordFile = cfg.passwordFile;
paths = [
"/home"
"/var/lib"
];
exclude = [ exclude = [
"/home/*/.cache" "/home/*/.cache"
"/home/*/.cargo" "/home/*/.cargo"
@ -40,13 +44,24 @@ in
OnCalendar = "00:05"; OnCalendar = "00:05";
RandomizedDelaySec = "5h"; RandomizedDelaySec = "5h";
}; };
pruneOpts = [ pruneOpts = lib.mkIf cfg.prune [
"--keep-daily 7" "--keep-daily 7"
"--keep-weekly 5" "--keep-weekly 5"
"--keep-monthly 12" "--keep-monthly 12"
"--keep-yearly 75" "--keep-yearly 75"
]; ];
}; paths = lib.mkDefault cfg.paths;
}; initialize = true;
}
(lib.mkIf (config.fileSystems."/".fsType == "btrfs") {
backupPrepareCommand = ''
btrfs subvolume snapshot -r / backup
'';
backupCleanupCommand = ''
btrfs subvolume delete /backup
'';
paths = map (p: "/backup" + p) cfg.paths;
})
];
}; };
} }

View file

@ -30,24 +30,11 @@ in
stylix.autoEnable = false; stylix.autoEnable = false;
stylix.homeManagerIntegration.autoImport = true; stylix.homeManagerIntegration.autoImport = true;
stylix.homeManagerIntegration.followSystem = true; stylix.homeManagerIntegration.followSystem = true;
stylix.fonts = {
monospace = {
name = "JetBrainsMono Nerd Font";
package = pkgs.nerdfonts.override { fonts = [ "JetBrainsMono" ]; };
};
serif = {
name = "Noto Serif CJK SC";
package = pkgs.noto-fonts;
};
sansSerif = {
name = "Noto Sans CJK SC";
package = pkgs.noto-fonts;
};
};
stylix.targets = { stylix.targets = {
console.enable = true; console.enable = true;
gnome.enable = if config.services.xserver.desktopManager.gnome.enable then true else false; # gnome.enable = if config.services.xserver.desktopManager.gnome.enable then true else false;
gnome.enable = false;
gtk.enable = true; gtk.enable = true;
}; };
}; };

View file

@ -43,6 +43,7 @@ in
}; };
services.caddy = mkIf cfg.caddy { services.caddy = mkIf cfg.caddy {
enable = true; enable = true;
virtualHosts."https://${cfg.domain}".extraConfig = '' virtualHosts."https://${cfg.domain}".extraConfig = ''
reverse_proxy ${config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT} reverse_proxy ${config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT}
''; '';