dachxy/nix-conf
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

update: system update & refactor

Browse source 
# Breaking Changes
- sops location movod to "system/dev/<dev-name>/sops/sops-conf.nix"
- flake devices declaration changes
- whole flake update
This commit is contained in:
danny 2025-10-14 16:49:03 +08:00
parent 321f740af0
commit 6a71b601f5
116 changed files with 2576 additions and 3634 deletions
Download patch file Download diff file Expand all files Collapse all files

99
system/modules/crowdsec.nix Normal file
View file

@ -0,0 +1,99 @@
{
lapiCred,
capiCred,
consoleToken,
trusted_ips ? [ ],
extraAcq ? [ ],
extraJournal ? [ ],
enableServer ? false,
enablePrometheus ? true,
}:
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) mkDefault mkIf;
mkJournalFilter = service: {
journalctl_filter = [
"_SYSTEMD_UNIT=${service}"
];
labels = {
type = "syslog";
};
source = "journalctl";
};
# ==== Default Services ==== #
services = map (x: mkJournalFilter x) [
"sshd.service"
];
extraServices = map (x: mkJournalFilter x) extraJournal;
in
{
services.postgresql = {
enable = mkDefault true;
ensureDatabases = [ config.services.crowdsec.user ];
ensureUsers = [
{
name = config.services.crowdsec.user;
ensureDBOwnership = true;
}
];
};
services.crowdsec = {
enable = true;
settings.general = {
prometheus = {
enabled = enablePrometheus;
};
db_config = {
type = "postgresql";
db_name = config.services.crowdsec.user;
db_path = "/var/run/postgresql";
user = config.services.crowdsec.user;
sslmode = "disable";
flush.max_items = 5000;
flush.max_age = "7d";
};
api.client = {
insecure_skip_verify = false;
};
api.server = mkIf enableServer {
enable = true;
listen_uri = "127.0.0.1:31005";
trusted_ips = [
"127.0.0.1"
"10.0.0.0/24"
"::1"
]
++ trusted_ips;
};
};
settings = {
lapi.credentialsFile = lapiCred;
capi.credentialsFile = capiCred;
console.tokenFile = consoleToken;
};
localConfig = {
acquisitions = services ++ extraServices ++ extraAcq;
};
hub = {
scenarios = [
"crowdsecurity/ssh-bf"
"crowdsecurity/ssh-generic-test"
"crowdsecurity/http-generic-test"
];
postOverflows = [ "crowdsecurity/auditd-nix-wrappers-whitelist-process" ];
parsers = [ "crowdsecurity/sshd-logs" ];
collections = [ "crowdsecurity/linux" ];
appSecRules = [ "crowdsecurity/base-config" ];
appSecConfigs = [ "crowdsecurity/appsec-default" ];
};
autoUpdateService = true;
};
}

4
system/modules/davinci-resolve.nix
View file

@ -1,6 +1,6 @@
{
pkgs,
username,
config,
...
}:
let
@ -13,7 +13,7 @@ in
scriptBin
];
home-manager.users."${username}" = {
home-manager.users."${config.systemConf.username}" = {
xdg.desktopEntries."davindi-resolve" = {
name = "Davinci Resolve";
genericName = "Video Editor";

86
system/modules/docmost.nix Normal file
View file

@ -0,0 +1,86 @@
{
fqdn ? null,
port ? 32000,
https ? true,
openFirewall ? false,
extraConf ? { },
envFile ? null,
}:
{
lib,
config,
...
}:
let
inherit (lib) optionalString mkIf;
in
{
networking.firewall.allowedTCPPorts = mkIf openFirewall [
port
];
services.redis.servers."docmost" = {
enable = true;
port = 32001;
};
services.postgresql = {
ensureDatabases = [ "docmost" ];
ensureUsers = [
{
name = "docmost";
ensureDBOwnership = true;
}
];
};
virtualisation.oci-containers = {
backend = lib.mkDefault "docker";
containers = {
docmost = {
image = "docmost/docmost:latest";
environment = (
{
PORT = "${toString port}";
APP_URL = "${
if (fqdn != null) then
"${if https then "https" else "http"}://${fqdn}"
else
"http://localhost:${toString port}"
}";
DATABASE_URL = "postgresql://docmost@docmost?schema=public&host=/var/run/postgresql";
REDIS_URL = "redis://localhost:${toString config.services.redis.servers.docmost.port}";
}
// extraConf
);
extraOptions = [
"--network=host"
"${optionalString (envFile != null) "--env-file=${envFile}"}"
];
volumes = [
"/var/run/postgresql:/var/run/postgresql"
"docmost:/app/data/storage"
];
};
};
};
services.nginx = {
enable = lib.mkDefault true;
enableReload = lib.mkDefault true;
recommendedGzipSettings = lib.mkDefault true;
recommendedOptimisation = lib.mkDefault true;
recommendedTlsSettings = lib.mkDefault true;
recommendedProxySettings = lib.mkDefault true;
virtualHosts = lib.mkIf (fqdn != null) {
"${fqdn}" = {
enableACME = lib.mkIf https true;
forceSSL = lib.mkIf https true;
locations."/" = {
proxyPass = "http://localhost:${toString port}";
proxyWebsockets = true;
};
};
};
};
}

22
system/modules/grafana.nix
View file

@ -4,12 +4,23 @@
smtpDomain,
domain,
extraSettings ? { },
extraConf ? { },
}:
{ config, ... }:
let
email = "grafana@${smtpDomain}";
in
{
services.postgresql = {
ensureDatabases = [ "grafana" ];
ensureUsers = [
{
name = "grafana";
ensureDBOwnership = true;
}
];
};
services.grafana = {
enable = true;
settings = (
@ -31,11 +42,20 @@ in
security = {
admin_email = email;
admin_password = "$__file{${passFile}}";
secret_key = "$__file{${passFile}}";
};
database = {
type = "postgres";
user = "grafana";
name = "grafana";
host = "/var/run/postgresql";
};
}
// extraSettings
);
};
}
// extraConf;
services.nginx.virtualHosts."${domain}" = {
enableACME = true;

46
system/modules/hyprland.nix
View file

@ -1,17 +1,24 @@
{
pkgs,
config,
inputs,
lib,
...
}:
let
inherit (lib) mkIf;
hyprlandEnabled = config.programs.hyprland.enable;
in
{
programs.hyprland = {
enable = true;
enable = config.systemConf.hyprland.enable;
withUWSM = false;
package = inputs.hyprland.packages."${pkgs.system}".hyprland;
portalPackage = inputs.hyprland.packages.${pkgs.system}.xdg-desktop-portal-hyprland;
};
xdg.portal = {
xdg.portal = mkIf hyprlandEnabled {
enable = true;
xdgOpenUsePortal = true;
extraPortals = [
@ -19,29 +26,32 @@
];
};
environment.sessionVariables = {
environment.sessionVariables = mkIf hyprlandEnabled {
NIXOS_OZONE_WL = "1";
WLR_NO_HARDWARE_CURSORS = "1";
};
environment.systemPackages = with pkgs; [
pyprland
hyprsunset
hyprpicker
hyprshot
kitty
environment.systemPackages = mkIf hyprlandEnabled (
with pkgs;
[
pyprland
hyprsunset
hyprpicker
hyprshot
kitty
qt5.qtwayland
qt6.qtwayland
wlogout
wl-clipboard
# qt5.qtwayland
# qt6.qtwayland
wlogout
wl-clipboard
# Util
grim
slurp
];
# Util
grim
slurp
]
);
nix = {
nix = mkIf hyprlandEnabled {
settings = {
substituters = [ "https://hyprland.cachix.org" ];
trusted-public-keys = [

163
system/modules/mail-server/default.nix
View file

@ -1,163 +0,0 @@
{
config,
lib,
...
}:
with lib;
{
options.mail-server = {
enable = mkEnableOption "mail-server";
configureACME = mkEnableOption "Enable auto configuration of ACME" // {
default = false;
};
caFile = mkOption {
type = types.path;
default = config.security.pki.caBundle;
description = ''
Extra CA certification to trust;
'';
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = ''
This option results in following configuration:
networking.firewall.allowedTCPPorts = [
25 # SMTP
465 # SMTPS
587 # STARTTLS
143 # IMAP STARTTLS
993 # IMAPS
110 # POP3 STARTTLS
995 # POP3S
];
'';
};
rootAlias = mkOption {
type = with types; uniq str;
default = "";
description = "Root alias";
example = ''
<your username>
'';
};
virtual = mkOption {
type = lib.types.lines;
default = "";
description = ''
Entries for the virtual alias map, cf. man-page {manpage}`virtual(5)`.
'';
};
extraAliases = mkOption {
type = with types; str;
default = "";
description = "Extra aliases";
example = ''
something: root
gender: root
'';
};
mailDir = mkOption {
type = with types; uniq str;
description = "Path to store local mails";
default = "~/Maildir";
example = "~/Maildir";
};
virtualMailDir = mkOption {
type = with types; path;
description = "Path to store virtual mails";
default = "/var/mail/vhosts";
example = "/var/mail/vmails";
};
uid = mkOption {
type = with types; int;
default = 5000;
description = "UID for \"vmail\"";
};
gid = mkOption {
type = with types; int;
default = 5000;
description = "GID for \"vmail\"";
};
domain = mkOption {
type = with types; uniq str;
default = config.networking.fqdn;
description = "Domain name used for mail server";
};
origin = mkOption {
type = with types; uniq str;
default = "";
description = "Origin to use in outgoing e-mail. Leave blank to use hostname.";
};
destination = mkOption {
type = with types; listOf str;
default = [ ];
description = "Postfix destination";
};
networks = mkOption {
type = with types; listOf str;
default = [ ];
description = "Postfix networks";
};
oauth = {
username = mkOption {
type = with types; uniq str;
default = "keycloak";
description = "Keycloak username";
};
passwordFile = mkOption {
type = with types; path;
description = "Path to the keycloak password file";
example = "/run/secrets/keycloak/password";
};
};
ldap = {
passwordFile = mkOption {
type = with types; path;
description = "Path to the openldap password file";
example = "/run/secrets/ldap/password";
};
webEnv = mkOption {
type = with types; path;
description = "Path to phpLDAPadmin env file";
example = "/run/secrets/ldap/env";
};
};
rspamd = {
trainerSecret = mkOption {
type = with types; path;
description = "Path to rspamd trainer secret";
example = "/run/secrets/rspamd-trainer/secret";
};
port = mkOption {
type = with types; int;
default = 11334;
description = "Port for rspamd webUI";
};
};
};
imports = [
./server.nix
];
}

616
system/modules/mail-server/server.nix
View file

@ -1,616 +0,0 @@
{
config,
lib,
pkgs,
...
}:
with lib;
let
cfg = config.mail-server;
dcList = strings.splitString "." cfg.domain;
ldapDomain = strings.concatStringsSep "," (lists.forEach dcList (dc: "dc=" + dc));
dovecotSecretPath = "/run/dovecot-secret";
authBaseConf = pkgs.writeText "dovecot-auth.conf.ext" ''
passdb ldap {
auth_username_format = %{user | lower}
ldap_bind = no
ldap_filter = (&(objectClass=inetOrgPerson)(uid=%{user | username}))
use_worker = no
fields {
user = %{ldap:mail}
password = %{ldap:userPassword}
}
}
ldap_auth_dn = cn=admin,${ldapDomain}
ldap_auth_dn_password = $LDAP_PASSWORD
ldap_uris = ldap://localhost
ldap_base = ${ldapDomain}
'';
authConf = "${dovecotSecretPath}/dovecot-auth.conf.ext";
dovecotDomain = config.services.postfix.settings.main.myhostname;
in
{
config = mkIf cfg.enable {
security.acme.certs = mkIf cfg.configureACME {
"${config.services.postfix.settings.main.myhostname}" = {
dnsProvider = null;
webroot = "/var/lib/acme/acme-challenge";
postRun = ''
systemctl restart postfix.service
systemctl restart dovecot.service
'';
};
"${cfg.domain}" = {
dnsProvider = null;
webroot = "/var/lib/acme/acme-challenge";
};
};
# ===== opendkim ===== #
services.opendkim = {
enable = true;
domains = "csl:${cfg.domain}";
selector = "mail";
};
# ===== Postfix ===== #
environment.sessionVariables = {
MAILDIR = cfg.mailDir;
};
systemd.services.postfix = {
requires = [
"acme-finished-${config.services.postfix.settings.main.myhostname}.target"
];
serviceConfig.LoadCredential =
let
certDir =
config.security.acme.certs."${config.services.postfix.settings.main.myhostname}".directory;
in
[
"cert.pem:${certDir}/cert.pem"
"key.pem:${certDir}/key.pem"
];
};
services.postfix = {
enable = true;
virtual = cfg.virtual;
enableSubmissions = true;
settings.main =
let
credsDir = "/run/credentials/postfix.service";
certDir = "${credsDir}/cert.pem";
keyDir = "${credsDir}/key.pem";
in
{
myhostname = "mail.${cfg.domain}";
mynetworks = cfg.networks;
mydestination = cfg.destination;
myorigin = if cfg.origin == "" then cfg.domain else cfg.origin;
relayhost = [ "0.0.0.0:465" ];
smtpd_tls_security_level = "encrypt";
smtpd_client_restrictions = "permit_mynetworks, permit_sasl_authenticated, reject";
smtpd_relay_restrictions = "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination";
milter_macro_daemon_name = "ORIGINATING";
virtual_uid_maps = [
"static:${toString cfg.uid}"
];
virtual_gid_maps = [
"static:${toString cfg.gid}"
];
virtual_mailbox_domains = [ cfg.domain ];
virtual_transport = "lmtp:unix:private/dovecot-lmtp";
smtpd_sasl_type = "dovecot";
smtpd_sasl_path = "private/auth";
smtpd_sasl_auth_enable = "yes";
tls_random_source = "dev:/dev/urandom";
smtp_tls_security_level = "may";
smtp_tls_chain_files = [
keyDir
certDir
];
smtpd_tls_chain_files = [
keyDir
certDir
];
home_mailbox = cfg.mailDir;
}
// optionalAttrs config.services.opendkim.enable (
let
opendkimSocket = strings.removePrefix "local:" config.services.opendkim.socket;
in
{
smtpd_milters = [ "unix:${opendkimSocket}" ];
non_smtpd_milters = [ "unix:${opendkimSocket}" ];
milter_default_action = "accept";
}
);
rootAlias = cfg.rootAlias;
postmasterAlias = "root";
extraAliases = ''
mailer-daemon: postmaster
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
''
+ cfg.extraAliases;
};
services.rspamd = {
enable = true;
postfix.enable = true;
workers = {
normal = {
includes = [ "$CONFDIR/worker-normal.inc" ];
bindSockets = [
{
socket = "/run/rspamd/rspamd.sock";
mode = "0660";
owner = "${config.services.rspamd.user}";
group = "${config.services.rspamd.group}";
}
];
};
controller = {
includes = [ "$CONFDIR/worker-controller.inc" ];
bindSockets = [ "127.0.0.1:${toString cfg.rspamd.port}" ];
extraConfig = ''
password=$2$w3asngzxwp3hoa67gimtrgmdxzmpq1n1$knfe5cyb1f769zro4rsi3j8ipc1p7ewh3u4cz63ngidmpjs8955y
'';
};
};
};
# ===== rspamd trainer ===== #
services.rspamd-trainer = {
enable = true;
settings = {
HOST = dovecotDomain;
USERNAME = "spam@${cfg.domain}";
INBOXPREFIX = "INBOX.";
};
secrets = [
cfg.rspamd.trainerSecret
];
};
systemd.services.rspamd-trainer = lib.mkIf config.services.rspamd-trainer.enable {
after = [
"postfix.service"
"dovecot.service"
"rspamd-trainer-pre.service"
];
requires = [ "rspamd-trainer-pre.service" ];
};
# ===== Create Mailbox for rspamd trainer ===== #
systemd.services.rspamd-trainer-pre = lib.mkIf config.services.rspamd-trainer.enable {
serviceConfig = {
ExecStart =
let
script = pkgs.writeShellScript "rspamd-trainer-pre.sh" ''
set -euo pipefail
username=${config.services.rspamd-trainer.settings.USERNAME}
domain="${cfg.domain}"
mailbox_list=("report_spam" "report_ham" "report_spam_reply")
for mailbox in ''\${mailbox_list[@]}; do
echo "Creating $mailbox..."
${pkgs.dovecot}/bin/doveadm mailbox create -u "$username@$domain" "INBOX.$mailbox" 2>/dev/null || true
done
'';
in
"${pkgs.bash}/bin/bash ${script}";
Type = "oneshot";
};
};
# ===== Dovecot ===== #
systemd.services.dovecot = {
requires = [ "acme-finished-${dovecotDomain}.target" ];
serviceConfig = {
RuntimeDirectory = [ "dovecot-secret" ];
RuntimeDirectoryMode = "0640";
ExecStartPre = [
''${pkgs.busybox.out}/bin/mkdir -p ${cfg.virtualMailDir}''
''${pkgs.busybox.out}/bin/chown -R vmail:vmail ${cfg.virtualMailDir}''
''${pkgs.busybox.out}/bin/chmod 770 ${cfg.virtualMailDir}''
''${pkgs.bash}/bin/bash -c "LDAP_PASSWORD=$(cat ${cfg.ldap.passwordFile}) ${pkgs.gettext.out}/bin/envsubst < ${authBaseConf} > ${authConf}"''
''${pkgs.busybox.out}/bin/chown ${config.services.dovecot.user}:${config.services.dovecot.group} ${authConf}''
''${pkgs.busybox.out}/bin/chmod 660 ${authConf}''
];
LoadCredential =
let
certDir = config.security.acme.certs."${dovecotDomain}".directory;
in
[
"cert.pem:${certDir}/cert.pem"
"key.pem:${certDir}/key.pem"
];
};
};
services.dovecot =
let
credsDir = "/run/credentials/dovecot.service";
certDir = "${credsDir}/cert.pem";
keyDir = "${credsDir}/key.pem";
in
{
enable = true;
enablePAM = false;
enableImap = true;
enablePop3 = true;
enableLmtp = true;
enableHealthCheck = true;
mailLocation = lib.mkDefault "${cfg.mailDir}";
mailUser = "vmail";
mailGroup = "vmail";
sslServerKey = keyDir;
sslServerCert = certDir;
mailboxes = {
Junk = {
specialUse = "Junk";
auto = "subscribe";
};
Drafts = {
specialUse = "Drafts";
auto = "subscribe";
};
Archive = {
specialUse = "Archive";
auto = "subscribe";
};
Sent = {
specialUse = "Sent";
auto = "subscribe";
};
};
extraConfig = ''
# authentication debug logging
log_path = /dev/stderr
log_debug = (category=auth-client) OR (event=auth_client_passdb_lookup_started)
auth_mechanisms = plain login
ssl = required
service auth {
unix_listener ${config.services.postfix.settings.main.queue_directory}/private/auth {
mode = 0660
user = ${config.services.postfix.user}
group = ${config.services.postfix.group}
type = postfix
}
}
service lmtp {
unix_listener ${config.services.postfix.settings.main.queue_directory}/private/dovecot-lmtp {
mode = 0660
user = ${config.services.postfix.user}
group = ${config.services.postfix.group}
type = postfix
}
}
userdb static {
fields {
uid = ${toString cfg.uid}
gid = ${toString cfg.gid}
home = ${cfg.virtualMailDir}/%{user | domain}/%{user | username}
}
}
lda_mailbox_autosubscribe = yes
lda_mailbox_autocreate = yes
!include ${authConf}
'';
};
systemd.services.dovecot-healthcheck = mkIf config.services.dovecot.enableHealthCheck (
let
pythonServer =
pkgs.writeScript "dovecot-healthcheck"
# python
''
#!${pkgs.python3}/bin/python3
import socket
from http.server import BaseHTTPRequestHandler, HTTPServer
DOVECOT_HOST = '127.0.0.1'
DOVECOT_PORT = ${toString config.services.dovecot.healthCheckPort}
class HealthCheckHandler(BaseHTTPRequestHandler):
def do_GET(self):
if self.path != '/ping':
self.send_response(404)
self.end_headers()
return
try:
with socket.create_connection((DOVECOT_HOST, DOVECOT_PORT), timeout=5) as sock:
sock.sendall(b"PING\n")
data = sock.recv(1024).strip()
except Exception as e:
self.send_response(500)
self.end_headers()
self.wfile.write(b"Error connecting to healthcheck service")
return
if data == b"PONG":
self.send_response(200)
self.send_header("Content-Type", "text/plain")
self.end_headers()
self.wfile.write(b"PONG")
else:
self.send_response(500)
self.end_headers()
self.wfile.write(b"Unexpected response")
if __name__ == '__main__':
server = HTTPServer(('0.0.0.0', 5002), HealthCheckHandler)
print("HTTP healthcheck proxy running on port 5002")
server.serve_forever()
'';
in
{
requires = [ "dovecot.service" ];
wantedBy = [ "multi-user.target" ];
after = [ "dovecot.service" ];
serviceConfig = {
Type = "simple";
ExecStart = pythonServer;
};
}
);
# ===== Firewall ===== #
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [
80 # HTTP
443 # HTTPS
25 # SMTP
465 # SMTPS
587 # STARTTLS
143 # IMAP STARTTLS
993 # IMAPS
110 # POP3 STARTTLS
995 # POP3S
389 # LDAP
];
services.postgresql = {
enable = true;
ensureDatabases = [ "keycloak" ];
ensureUsers = [
{
name = "keycloak";
ensureDBOwnership = true;
}
];
};
# ===== OAuth keycloak ===== #
services.keycloak = {
enable = true;
database = {
type = "postgresql";
host = "localhost";
name = "keycloak";
createLocally = false;
passwordFile = cfg.oauth.passwordFile;
};
settings = {
hostname = "keycloak.${cfg.domain}";
proxy-headers = "xforwarded";
http-port = 38080;
http-enabled = true;
health-enabled = true;
http-management-port = 38081;
truststore-paths = cfg.caFile;
};
};
# ==== LDAP ===== #
services.openldap = {
enable = true;
urlList = [ "ldap:///" ];
settings = {
attrs = {
olcLogLevel = "conns config";
};
children = {
"cn=schema".includes = [
"${pkgs.openldap}/etc/schema/core.ldif"
"${pkgs.openldap}/etc/schema/cosine.ldif"
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
];
"olcDatabase={1}mdb" = {
attrs = {
objectClass = [
"olcDatabaseConfig"
"olcMdbConfig"
];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = ldapDomain;
olcRootDN = "cn=admin,${ldapDomain}";
olcRootPW.path = cfg.ldap.passwordFile;
olcAccess = [
''
{0}to attrs=userPassword
by dn.exact="cn=admin,${ldapDomain}" read
by dn.exact="uid=admin@${cfg.domain},ou=people,${ldapDomain}" write
by self write
by anonymous auth
by * none
''
''
{1}to *
by dn.exact="uid=admin@${cfg.domain},ou=people,${ldapDomain}" write
by * read
''
];
};
children = {
"olcOverlay={2}ppolicy".attrs = {
objectClass = [
"olcOverlayConfig"
"olcPPolicyConfig"
"top"
];
olcOverlay = "{2}ppolicy";
olcPPolicyHashCleartext = "TRUE";
};
"olcOverlay={3}memberof".attrs = {
objectClass = [
"olcOverlayConfig"
"olcMemberOf"
"top"
];
olcOverlay = "{3}memberof";
olcMemberOfRefInt = "TRUE";
olcMemberOfDangling = "ignore";
olcMemberOfGroupOC = "groupOfNames";
olcMemberOfMemberAD = "member";
olcMemberOfMemberOfAD = "memberOf";
};
"olcOverlay={4}refint".attrs = {
objectClass = [
"olcOverlayConfig"
"olcRefintConfig"
"top"
];
olcOverlay = "{4}refint";
olcRefintAttribute = "memberof member manager owner";
};
};
};
};
};
};
# ==== postsrsd ==== #
services.postsrsd = {
enable = true;
configurePostfix = true;
secretsFile = config.sops.secrets."postsrsd/secret".path;
settings = {
srs-domain = cfg.domain;
domains = [ cfg.domain ];
};
};
virtualisation = {
docker = {
enable = true;
rootless = {
enable = true;
setSocketVariable = true;
};
};
oci-containers = {
backend = "podman";
containers = {
phpLDAPadmin = {
extraOptions = [ "--network=host" ];
image = "phpldapadmin/phpldapadmin";
volumes = [
"/var/lib/pla/logs:/app/storage/logs"
"/var/lib/pla/sessions:/app/storage/framework/sessions"
];
environment = {
APP_URL = "https://ldap.${cfg.domain}";
ASSET_URL = "https://ldap.${cfg.domain}";
APP_TIMEZONE = "Asia/Taipei";
LDAP_HOST = "127.0.0.1";
SERVER_NAME = ":8080";
LDAP_LOGIN_OBJECTCLASS = "inetOrgPerson";
LDAP_BASE_DN = "${ldapDomain}";
LDAP_LOGIN_ATTR = "dn";
LDAP_LOGIN_ATTR_DESC = "Username";
};
environmentFiles = [
cfg.ldap.webEnv
];
};
};
};
};
# ===== Virtual Mail User ===== #
users.groups.vmail = {
gid = cfg.gid;
};
users.users.vmail = {
uid = cfg.uid;
group = "vmail";
};
services.nginx = {
enable = mkDefault true;
recommendedGzipSettings = mkDefault true;
recommendedOptimisation = mkDefault true;
recommendedTlsSettings = mkDefault true;
recommendedProxySettings = mkDefault true;
virtualHosts = {
"${config.services.postfix.settings.main.myhostname}" = {
enableACME = true;
forceSSL = true;
locations."/dovecot/ping".proxyPass = "http://localhost:${toString 5002}/ping";
};
"ldap.${cfg.domain}" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:${toString 8080}/";
};
"rspamd.${cfg.domain}" = mkIf config.services.rspamd.enable {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:${toString cfg.rspamd.port}/";
};
"${config.services.keycloak.settings.hostname}" = mkIf config.services.keycloak.enable {
enableACME = true;
forceSSL = true;
locations."/".proxyPass =
"http://localhost:${toString config.services.keycloak.settings.http-port}";
locations."/health".proxyPass =
"http://localhost:${toString config.services.keycloak.settings.http-management-port}/health";
};
};
};
};
}

32
system/modules/nextcloud.nix
View file

@ -2,11 +2,10 @@
hostname,
adminpassFile,
datadir ? null,
dataBackupPath ? null,
dbBackupPath ? null,
https ? true,
configureACME ? true,
trusted ? [ ],
trusted-domains ? [ ],
trusted-proxies ? [ ],
}:
{
config,
@ -17,9 +16,7 @@
let
inherit (lib) mkIf;
enableBackup = dataBackupPath != null || dbBackupPath != null;
nextcloudPkg = pkgs.nextcloud31.overrideAttrs (oldAttr: rec {
nextcloudPkg = pkgs.nextcloud32.overrideAttrs (oldAttr: rec {
caBundle = config.security.pki.caBundle;
postPatch = ''
cp ${caBundle} resources/config/ca-bundle.crt
@ -30,8 +27,8 @@ in
imports = [
"${
fetchTarball {
url = "https://github.com/onny/nixos-nextcloud-testumgebung/archive/fa6f062830b4bc3cedb9694c1dbf01d5fdf775ac.tar.gz";
sha256 = "0gzd0276b8da3ykapgqks2zhsqdv4jjvbv97dsxg0hgrhb74z0fs";
url = "https://github.com/onny/nixos-nextcloud-testumgebung/archive/c3fdbf165814d403a8f8e81ff8e15adcbe7eadd0.tar.gz";
sha256 = "sha256:19w6m1k4a0f48k1mnvdjkvcc8cnrlqg65kvyqzhxpkp5dbph9nzg";
}
}/nextcloud-extras.nix"
];
@ -54,7 +51,7 @@ in
package = nextcloudPkg;
configureRedis = true;
hostName = hostname;
https = if https then true else false;
https = https;
datadir = lib.mkIf (datadir != null) datadir;
phpExtraExtensions =
all: with all; [
@ -65,19 +62,13 @@ in
inherit (config.services.nextcloud.package.packages.apps)
contacts
calendar
tasks
whiteboard
user_oidc
;
camerarawpreviews = pkgs.fetchNextcloudApp {
url = "https://github.com/ariselseng/camerarawpreviews/releases/download/v0.8.7/camerarawpreviews_nextcloud.tar.gz";
sha256 = "sha256-aiMUSJQVbr3xlJkqOaE3cNhdZu3CnPEIWTNVOoG4HSo=";
license = "agpl3Plus";
};
user_oidc = pkgs.fetchNextcloudApp {
url = "https://github.com/nextcloud-releases/user_oidc/releases/download/v7.2.0/user_oidc-v7.2.0.tar.gz";
sha256 = "sha256-nXDWfRP9n9eH+JGg1a++kD5uLMsXh5BHAaTAOgLI9W4=";
url = "https://github.com/ariselseng/camerarawpreviews/releases/download/v0.8.8/camerarawpreviews_nextcloud.tar.gz";
sha256 = "sha256-Pnjm38hn90oV3l4cPAnQ+oeO6x57iyqkm80jZGqDo1I=";
license = "agpl3Plus";
};
};
@ -92,8 +83,8 @@ in
settings = {
allow_local_remote_servers = true;
log_type = "syslog";
trusted_proxies = trusted;
trusted_domains = trusted;
trusted_proxies = trusted-proxies;
trusted_domains = trusted-domains;
enabledPreviewProviders = [
"OC\\Preview\\BMP"
"OC\\Preview\\GIF"
@ -120,5 +111,4 @@ in
environment.systemPackages = with pkgs; [
exiftool
];
}

11
system/modules/packages.nix
View file

@ -1,4 +1,10 @@
{pkgs, ...}: {
{
pkgs,
inputs,
system,
...
}:
{
environment.systemPackages = with pkgs; [
file
@ -46,5 +52,8 @@
# Media
vlc
# Search nixpkgs util
inputs.nix-search-tv.packages.${system}.default
];
}

2
system/modules/presets/basic.nix
View file

@ -7,11 +7,11 @@
../bluetooth.nix
../display-manager.nix
../flatpak.nix
../hyprland.nix
../obs-studio.nix
../plymouth.nix
../polkit.nix
../security.nix
../hyprland.nix
];
programs.gdk-pixbuf.modulePackages = [ pkgs.librsvg ];

7
system/modules/programs.nix
View file

@ -36,7 +36,12 @@
dconf.enable = true;
zsh.enable = true;
mtr.enable = true;
fish.enable = true;
fish = {
enable = true;
shellAliases = {
"ns" = "nix-search-tv print | fzf --preview 'nix-search-tv preview {}' --scheme history";
};
};
# Set fish as default shell but not login shell
bash = {

6
system/modules/services.nix
View file

@ -1,10 +1,12 @@
{
lib,
pkgs,
username,
config,
...
}:
let
inherit (config.systemConf) username;
in
{
networking = {
firewall = {

2
system/modules/sops-nix.nix
View file

@ -1,6 +1,6 @@
{ config, ... }:
let
defaultSopsFile = ../.. + "/system/dev/${config.networking.hostName}/secret.yaml";
defaultSopsFile = ../.. + "/system/dev/${config.networking.hostName}/sops/secret.yaml";
ageKeyFile = "/var/lib/sops-nix/key.txt";
in
{

13
system/modules/stalwart.nix
View file

@ -3,7 +3,6 @@
dbPassFile,
dkimKey,
ldapConf,
oidcConf,
domain ? null,
acmeConf ? null,
enableNginx ? true,
@ -102,17 +101,6 @@ in
};
acme."letsencrypt" = mkIf (acmeConf != null) acmeConf;
session.auth = {
mechanisms = "[plain login oauthbearer]";
directory = mkCondition "listener != 'smtp'" "'ldap'" false;
require = mkCondition "listener != 'smtp'" true false;
};
session.rcpt = {
relay = mkCondition "!is_empty(authenticated_as)" true false;
directory = "'*'";
};
directory = {
"in-memory" = {
type = "memory";
@ -129,7 +117,6 @@ in
imap.lookup.domains = [
domain
];
"oidc" = oidcConf;
};
authentication.fallback-admin = {
user = "admin";

5
system/modules/stylix.nix
View file

@ -1,18 +1,17 @@
{
pkgs,
config,
username,
inputs,
...
}:
let
inherit (config.systemConf) username;
caskaydia = {
name = "CaskaydiaCove Nerd Font Mono";
package = pkgs.nerd-fonts.caskaydia-cove;
};
sf-pro-display-bold = pkgs.callPackage ../../pkgs/fonts/sf-pro-display-bold { };
# dfkai-sb = pkgs.callPackage ../../pkgs/fonts/dfkai-sb { src = inputs.kaiu-font; };
in
{
stylix = {

5
system/modules/users.nix
View file

@ -1,10 +1,11 @@
{
pkgs,
config,
username,
...
}:
let
inherit (config.systemConf) username;
in
{
users.users.${username} = {
isNormalUser = true;

7
system/modules/virtualization.nix
View file

@ -4,13 +4,6 @@
{
virtualisation = {
docker.enable = true;
# Run container as systemd service
oci-containers = {
backend = "podman";
containers = { };
};
spiceUSBRedirection.enable = true;
};
}