cry/flake
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

super massive rewrite

Browse source
This commit is contained in:
do butterflies cry? 2026-02-09 01:51:30 +10:00
parent a2192c9341
commit 1de15c45f2
19 changed files with 746 additions and 1000 deletions
Download patch file Download diff file Expand all files Collapse all files

5
hosts/butterfly/services/default.nix Normal file
View file

@ -0,0 +1,5 @@
{...}: {
imports = [
./nginx.nix
];
}

150
hosts/butterfly/services/forgejo.nix Normal file
View file

@ -0,0 +1,150 @@
{...}: {
# more options here: https://mynixos.com/nixpkgs/options/services.forgejo
# TODO: set a favicon https://forgejo.org/docs/next/contributor/customization/#changing-the-logo
# (might need me to override settings in the nixpkg)
# TODO: create a custom theme for forgejo (modify the source files most likely)
services.forgejo = {
enable = true;
# enable support for Git Large File Storage
lfs.enable = true;
database = {
type = "sqlite3"; # postgres
host = "127.0.0.1";
port = "3306"; # 5432 if postgres
};
# settings are written directly to the `app.ini` config file
# refer to: https://forgejo.org/docs/latest/admin/config-cheat-sheet/
settings = {
server = {
# ENABLE_ACME = true;
# ACME_EMAIL = "eclarkboman@gmail.com"; # change this to "me@imbored.dev"
DOMAIN = "dobutterfliescry.net"; # should this be "imbored.dev"?
ROOT_URL = "https://forge.dobutterfliescry.net"; # full public URL of the Forgejo server
# address and port to listen on
HTTP_ADDR = "127.0.0.1";
HTTP_PORT = 3000;
PROTOCOL = "http"; # http internally, reverse proxy uses https externally
START_SSH_SERVER = true;
DISABLE_SSH = false;
SSH_PORT = 2222;
};
DEFAULT = {
APP_NAME = "tearforge";
APP_SLOGIN = "but cozy";
APP_DISPLAY_NAME_FORMAT = "{APP_NAME} ::{APP_SLOGAN}::";
};
repository = {
DEFAULT_PRIVATE = "private"; # last, private, public
# repo/org created on push to non-existent
ENABLE_PUSH_CREATE_USER = true;
ENABLE_PUSH_CREATE_ORG = false;
DEFAULT_PUSH_CREATE_PRIVATE = true;
MAX_CREATION_LIMIT = -1;
};
"repository.upload" = {
# max per-file size in MB
FILE_MAX_SIZE = 50;
# max number of files per upload
MAX_FILES = 5;
};
badges = let
# flat, flat-square, plastic, for-the-badge, social
style = "for-the-badge";
in {
ENABLED = true;
GENERATOR_URL_TEMPLATE = "https://img.shields.io/badge/{{.label}}-{{.text}}-{{.color}}?style=${style}";
};
ui = {
DEFAULT_THEME = "forgejo-dark";
THEMES = "forgejo-auto,forgejo-light,forgejo-dark";
};
"ui.meta" = {
AUTHOR = "Emile Clark-Boman - emileclarkb";
DESCRIPTION = "This is my personal self-hosted git forge, where I keep and maintain personal projects! PS do butterflies cry when they're sad?";
KEYWORDS = "emile,clark,boman,clarkboman,emileclarkb,git,forge,forgejo,self-hosted,dobutterfliescry,butterfly,butterflies";
};
markdown = {
ENABLE_HARD_LINE_BREAK_IN_COMMENTS = true;
ENABLE_MATH = true;
};
admin = {
DEFAULT_EMAIL_NOTIFICATIONS = "enabled";
SEND_NOTIFICATION_EMAIL_ON_NEW_USER = true;
};
security = {
# Controls access to the installation page.
# When set to “true”, the installation page is not accessible.
#INSTALL_LOCK = false;
PASSWORD_HASH_ALGO = "argon2"; # ARGON2 BEST ALGO FR!! (default: argon2$2$65536$8$50)
MIN_PASSWORD_LENGTH = 12;
PASSWORD_COMPLEXITY = "lower,upper,digit,spec";
PASSWORD_CHECK_PWN = true;
};
service = {
DISABLE_REGISTRATION = true; # toggle for new users
#DEFAULT_USER_IS_RESTRICTED = true;
# Forbid login with third-party services (ie github)
ALLOW_ONLY_INTERNAL_REGISTRATION = true;
ENABLE_CAPTCHA = true;
REQUIRE_CAPTCHA_FOR_LOGIN = true;
REQUIRE_EXTERNAL_REGISTRATION_CAPTCHA = true;
LOGIN_REMEMBER_DAYS = 365;
ENABLE_NOTIFY_MAIL = true;
};
"service.explore" = {
REQUIRE_SIGNIN_VIEW = false;
DISABLE_USERS_PAGE = false;
DISABLE_ORGANIZATIONS_PAGE = false;
DISABLE_CODE_PAGE = false;
};
cache = {
ADAPTER = "twoqueue";
HOST = "{\"size\":100, \"recent_ratio\":0.25, \"ghost_ratio\":0.5}";
ITEM_TTL = "16h";
};
# TODO: fill this in once my mail server is configured
# email.incoming = { ... };
# optional
# TODO: fill this in once my mail server is configured
mailer = {
ENABLED = false;
SMTP_ADDR = "mail.dobutterfliescry.net";
FROM = "iforgor@dobutterfliescry.net";
USER = "iforgor@dobutterfliescry.net";
};
log = {
MODE = "file";
LEVEL = "Info"; # "Trace", "Debug", "Info", "Warn", "Error", "Critical"
ENABLE_SSH_LOG = true;
};
cron = {
ENABLED = true;
RUN_AT_START = false;
};
other = {
SHOW_FOOTER_VERSION = true;
SHOW_FOOTER_TEMPLATE_LOAD_TIME = true;
SHOW_FOOTER_POWERED_BY = true;
ENABLE_SITEMAP = true;
ENABLE_FEED = true;
};
};
};
}

38
hosts/butterfly/services/mailserver.nix Normal file
View file

@ -0,0 +1,38 @@
{
config,
pkgs,
...
}: {
imports = [
(builtins.fetchTarball {
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-25.05/nixos-mailserver-nixos-25.05.tar.gz";
sha256 = "0jpp086m839dz6xh6kw5r8iq0cm4nd691zixzy6z11c4z2vf8v85";
})
];
# simple-nixos-mailserver
# DOCS: https://nixos-mailserver.readthedocs.io/en/latest
mailserver = {
enable = true;
# stateVersion = 3;
# Manually open the firewall instead
openFirewall = false;
virusScanning = false; # expensive memory usage
fqdn = "mail.imbored.dev";
domains = ["imbored.dev"];
# NOTE: generate hashes with `mkpasswd -sm bcrypt`
loginAccounts = {
"me@imbored.dev" = {
aliases = ["emile@imbored.dev"];
hashedPasswordFile = let
CWD = builtins.getEnv "PWD";
# XXX: TODO: use a secrets manager!
in "${CWD}/secrets/passwd/me";
};
};
certificateScheme = "acme-nginx";
};
}

65
hosts/butterfly/services/minecraft-server.nix Normal file
View file

@ -0,0 +1,65 @@
{
pkgs,
upkgs,
...
}: {
services.minecraft-server = {
enable = true;
package = upkgs.minecraft-server; # use latest version only!
declarative = true;
eula = true;
openFirewall = false; # do this manually instead
whitelist = {
"SECRET1" = "";
"SECRET2" = "";
};
# REF: https://minecraft.wiki/w/Server.properties#Java_Edition
serverProperties = {
server-ip = "195.114.14.69"; # listen on all addresses if unset
server-port = 45000; # connection port
"query.port" = 45000; # share game info/advertising information
user-native-transport = true; # Linux packet RX/TX optimizations
# Users Connections
enforce-secure-profile = true;
online-mode = true; # don't allow unlicensed minecraft accounts to join
prevent-proxy-connections = false;
rate-limit = 0;
# Server Functionality
enable-status = true; # where the server appears as "online"
hide-online-players = false;
log-ips = true;
pause-when-empty-seconds = 60; # pause server when no player online for x seconds
view-distance = 10; # range: 3-32
simulation-distance = 10; # range: 3-32
# Players
motd = "M&M's Cozycraft Realm <3";
max-players = 2;
white-list = true;
idle-player-timeout = 0; # never kick idle players
# Gameplay
gamemode = "survival";
force-gamemode = true;
difficulty = "normal";
hardcore = false;
pvp = true;
allow-cheats = true;
# World
level-name = "M&M's Cozycraft"; # world name
# level-seed = "" # random seed if unset
level-type = "minecraft:normal"; # world generation preset
generate-structures = true;
spawn-monsters = true;
spawn-protection = 0;
};
jvmOpts = "-Xms2046M -Xmx2046M -XX:+UseG1GC -XX:ParallelGCThreads=2 -XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=10";
};
}

83
hosts/butterfly/services/nginx.nix Normal file
View file

@ -0,0 +1,83 @@
{
inputs,
pkgs,
...
}: {
nixpkgs.overlays = [
(self: super: {
# in wake of CVE-2022-3602/CVE-2022-3786
nginxStable = super.nginxStable.override {openssl = pkgs.libressl;};
})
inputs.dobutterfliescry-net.overlays.default
];
# simple nginx instance to host static construction page
# TODO: I want sshd and forgejo's ssh server to both be bound to port 22
# So change sshd to listen on a different address/port (ie 2222 or 127.0.0.3:22, etc)
# and change forgejo to use 127.0.0.2:22 (use port 22, ONLY change loopback address)
services.nginx = {
enable = true;
# XXX: TODO: this should auto use the nginxStable overlay no?
# in wake of CVE-2022-3602/CVE-2022-3786
# package = pkgs.nginxStable.override {openssl = pkgs.libressl;};
recommendedGzipSettings = true;
recommendedZstdSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# streamConfig = ''
# server {
# listen 127.0.0.1:53 udp reuseport;
# proxy_timeout 20s;
# proxy_pass 192.168.0.1:53535;
# }
# '';
virtualHosts = let
localhost = "http://127.0.0.1";
std = {
# TODO: should I run over QUIC+HTTP3? (experimental)
# quic = true;
# http3 = true;
enableACME = true;
# kTLS = true; # offload TLS to the linux kernel
};
vault =
{
forceSSL = true;
locations."/".proxyPass = "${localhost}:8222";
}
// std;
forge =
{
forceSSL = true;
extraConfig = ''
client_max_body_size 512M;
'';
locations."/".proxyPass = "${localhost}:3000";
}
// std;
in {
"dobutterfliescry.net" =
{
default = true;
addSSL = true; # not strictly enforced <3
# root = "/var/www/cry";
root = "${pkgs.dobutterfliescry-net}/www";
# extraConfig = ''
# error_page 404 /custom_404.html;
# '';
}
// std;
# Route "vault" subdomain to vaultwarden
"vault.imbored.dev" = vault;
# Route "forge" subdomain to forgejo
# TODO: use `forgejo.settings.server.ENABLE_ACME` instead?
# "tearforge.net" = forge;
"forge.dobutterfliescry.net" = forge;
};
};
}

25
hosts/butterfly/services/vaultwarden.nix Normal file
View file

@ -0,0 +1,25 @@
{...}: {
services.vaultwarden = {
enable = true;
dbBackend = "sqlite";
# backupDir = "/var/backup/vaultwarden"; # disable with null
# https://mynixos.com/nixpkgs/option/services.vaultwarden.config
config = {
# internal address and port to listen on
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8222;
# hostname to listen for
DOMAIN = "https://vault.imbored.dev";
# signup policy
SIGNUPS_ALLOWED = false;
SIGNUPS_VERIFY = true;
INVITATIONS_ALLOWED = true;
};
# https://mynixos.com/nixpkgs/option/services.vaultwarden.environmentFile
environmentFile = "/var/lib/vaultwarden/vaultwarden.env";
};
}