chore: move caddy to common settings

xinyangli 2025-05-10 00:27:51 +08:00
parent e78f1fe200
commit 9b3e4038a9
No known key found for this signature in database
21 changed files with 69 additions and 6709 deletions


@ -176,11 +176,8 @@ in
reverse_proxy 127.0.0.1:30310
'';
networking.firewall.allowedTCPPorts = [
80
cfg.trojan.port
];
networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);
networking.firewall.allowedTCPPorts = [ cfg.trojan.port ];
networking.firewall.allowedUDPPorts = lib.range 6311 6314;
services.sing-box = {
enable = true;


@ -0,0 +1,56 @@
{
config,
pkgs,
lib,
...
}:
let
cfg = config.commonSettings.serverComponents;
in
{
options = {
commonSettings.serverComponents = {
enable = lib.mkEnableOption "Common components on servers";
};
};
config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [
80
443
];
services.caddy = {
enable = true;
package = pkgs.caddy.withPlugins {
plugins = [
"github.com/caddy-dns/cloudflare@v0.2.1"
];
hash = "sha256-saKJatiBZ4775IV2C5JLOmZ4BwHKFtRZan94aS5pO90=";
};
};
services.caddy.globalConfig = ''
servers {
metrics
}
admin unix//var/run/caddy/admin.sock {
origins 127.0.0.1 ${config.networking.hostName}.coho-tet.ts.net:2019
}
'';
systemd.services.caddy.serviceConfig = {
RuntimeDirectory = "caddy";
RuntimeDirectoryMode = "0700";
};
custom.monitoring = {
promtail.enable = true;
};
custom.prometheus.exporters = {
enable = true;
node.enable = true;
};
};
}
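Review bot: The admin endpoint on the `admin unix//var/run/caddy/admin.sock` line is a unix socket inside a `RuntimeDirectoryMode = "0700"` directory, yet `origins` also lists `${config.networking.hostName}.coho-tet.ts.net:2019`, which only matters if something forwards that tailnet TCP address to the socket — nothing in this file does, so either that entry is dead or the forwarder (and the trust decision behind it) should be declared and commented here. The `metrics` enabled under `servers` are, as far as I recall, served on that same admin API, so a scraper would have to run as the caddy user or be given access to the socket; the exporters enabled below are only `node`, so nothing in this module scrapes them. A short comment above `admin` would spare the next reader the guessing, e.g. `# admin API (and /metrics) is unix-socket only, 0700 to the caddy user; origins list the local and tailnet names clients may present`. Minor style point: `services.caddy` is assigned twice (the attrset with `enable`/`package` and then `services.caddy.globalConfig`); folding `globalConfig` into the first attrset reads cleaner.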


@ -7,6 +7,7 @@
./common-settings/proxy-server.nix
./common-settings/mainland.nix
./common-settings/network.nix
./common-settings/server.nix
./disk-partitions
./restic.nix
./monitor


@ -1,45 +0,0 @@
{
config,
pkgs,
lib,
...
}:
let
cfg = config.custom.forgejo-actions-runner;
settingsFormat = pkgs.formats.yaml { };
in
{
options = {
custom.forgejo-actions-runner = {
enable = lib.mkEnableOption "TPM supported ssh agent in go";
tokenFile = lib.mkOption { type = lib.types.path; };
settings = lib.mkOption {
type = lib.types.submodule {
freeformType = settingsFormat.type;
};
default = { };
};
};
};
config = lib.mkIf cfg.enable {
virtualisation.docker.enable = true;
services.gitea-actions-runner.package = pkgs.forgejo-actions-runner;
services.gitea-actions-runner.instances = {
"git.xinyang.life" = {
enable = true;
url = "https://git.xinyang.life";
tokenFile = cfg.tokenFile;
name = config.networking.hostName;
labels = [
"debian-latest:docker://node:18-bullseye"
"ubuntu-latest:docker://node:18-bullseye"
"nix:docker://xiny/nix-runner:2.21.0-pkgs-23.11"
];
settings = {
container.network = "host";
} // cfg.settings;
};
};
};
}


@ -1,81 +0,0 @@
{
config,
pkgs,
lib,
...
}:
with lib;
let
cfg = config.custom.kanidm-client;
in
{
options = {
custom.kanidm-client = {
enable = mkEnableOption "Kanidm client service";
asSSHAuth = mkOption {
type = types.submodule {
options = {
enable = mkEnableOption "Kanidm as system authentication source";
allowedGroups = mkOption {
type = types.listOf types.str;
example = [ "linux_users" ];
};
hardening = mkOption {
type = types.bool;
default = false;
};
};
};
};
sudoers = mkOption {
type = types.listOf types.str;
default = [ ];
};
uri = mkOption { type = types.str; };
};
};
config = mkIf cfg.enable {
services.kanidm = mkMerge [
(mkIf cfg.enable {
package = pkgs.kanidm_1_5;
enableClient = true;
clientSettings = {
uri = cfg.uri;
};
})
(mkIf cfg.asSSHAuth.enable {
enablePam = true;
unixSettings = {
pam_allowed_login_groups = cfg.asSSHAuth.allowedGroups;
default_shell = "/bin/sh";
};
})
];
services.openssh = mkIf cfg.asSSHAuth.enable {
enable = true;
authorizedKeysCommand = "/etc/ssh/auth %u";
authorizedKeysCommandUser = "kanidm-ssh-runner";
settings = mkIf cfg.asSSHAuth.enable {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = lib.mkForce "no";
};
};
environment.etc."ssh/auth" = mkIf cfg.asSSHAuth.enable {
mode = "0555";
text = ''
#!${pkgs.stdenv.shell}
${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys $1
'';
};
users.groups.wheel.members = cfg.sudoers;
users.groups.kanidm-ssh-runner = { };
users.users.kanidm-ssh-runner = {
isSystemUser = true;
group = "kanidm-ssh-runner";
};
};
}


@ -1,52 +0,0 @@
{
config,
pkgs,
lib,
...
}:
with lib;
let
cfg = config.custom.vaultwarden;
in
{
options = {
custom.vaultwarden = {
enable = mkEnableOption "vaultwarden server";
domain = mkOption {
type = types.str;
default = "bitwarden.example.com";
description = "Domain name of the vaultwarden server";
};
caddy = mkOption {
type = types.bool;
default = true;
description = "Enable Caddy as reverse proxy";
};
# TODO: mailserver support
};
};
config = mkIf cfg.enable {
services.vaultwarden = {
enable = true;
dbBackend = "sqlite";
config = {
DOMAIN = "https://${cfg.domain}";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8222;
ROCKET_LOG = "critical";
};
};
services.caddy = mkIf cfg.caddy {
enable = true;
virtualHosts."https://${cfg.domain}".extraConfig = ''
reverse_proxy ${config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT}
'';
};
};
}