From 51a67d039fefdf08f9fc45b84e842783cff918b4 Mon Sep 17 00:00:00 2001 From: Emile Clark-Boman Date: Thu, 29 Jan 2026 14:39:15 +1000 Subject: [PATCH 1/7] add nix-unit --- hosts/lolcathost/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/lolcathost/default.nix b/hosts/lolcathost/default.nix index 1c9c270..f3c5943 100755 --- a/hosts/lolcathost/default.nix +++ b/hosts/lolcathost/default.nix @@ -321,6 +321,7 @@ in { nixd # lsp for nix nix-prefetch-git nix-index + nix-unit deploy-rs # Python From ba1a3fe07e3af0c56527b1f8123371e2cd4519d3 Mon Sep 17 00:00:00 2001 From: Emile Clark-Boman Date: Thu, 29 Jan 2026 14:39:59 +1000 Subject: [PATCH 2/7] helix module remove redudancy --- homes/modules/editor/helix.nix | 117 ++++++++++++++++++++------------- hosts/lolcathost/default.nix | 8 +-- hosts/myputer/default.nix | 15 ----- 3 files changed, 74 insertions(+), 66 deletions(-) diff --git a/homes/modules/editor/helix.nix b/homes/modules/editor/helix.nix index 30dad17..81f7959 100755 --- a/homes/modules/editor/helix.nix +++ b/homes/modules/editor/helix.nix @@ -1,5 +1,55 @@ -{pkgs, ...}: { - # read https://docs.helix-editor.com/editor.html +{ + pkgs, + pkgs-unstable, + ... +}: let + lsps = let + mkLsp = pkg: path: {inherit pkg path;}; + in { + bash-language-server = + mkLsp + pkgs.bash-language-server + "/bin/bash-language-server"; + + clangd = + mkLsp + pkgs.clang-tools + "/bin/clangd"; + + haskell-language-server = + mkLsp + pkgs.haskell-language-server + "/bin/haskell-language-server-wrapper"; + + # TODO: once upgraded past Nix-24.07 this line won't be necessary (I think) + # helix will support nixd by default + # SOURCE: https://github.com/nix-community/nixd/blob/main/nixd/docs/editor-setup.md#Helix + nixd = + mkLsp + pkgs.nixd + "/bin/nixd"; + + OmniSharp = + mkLsp + pkgs.omnisharp-roslyn + "/bin/OmniSharp"; + + rust-analyzer = + mkLsp + pkgs.rust-analyzer + "/bin/rust-analyzer"; + + ty = + mkLsp + pkgs.ty + "/bin/ty"; + }; +in { + environment.systemPackages = + lsps + |> map (lsp: lsp.pkg); + + # REF: https://docs.helix-editor.com/editor.html programs.helix = { enable = true; settings = { @@ -128,11 +178,12 @@ }; auto-format = false; # my python is beautiful ^_^ rulers = [80]; + language-servers = ["ty"]; } { name = "c"; file-types = ["c" "h"]; # use .hpp for C++ - auto-format = false; + auto-format = true; formatter.command = "${pkgs.clang-tools}/bin/clang-format"; language-servers = ["clangd"]; } @@ -152,49 +203,27 @@ formatter.command = "${pkgs.rustfmt}/bin/rustfmt"; language-servers = ["rust-analyzer"]; } - # { - # name = "c-sharp"; - # source = "source.cs"; - # file-types = ["cs"]; - # indent = { - # tab-width = 4; - # unit = " "; - # }; - # block-comment-tokens = { - # start = "/*"; - # end = "*/"; - # }; - # # auto-format = false; - # # formatter.command = "${pkgs.omnisharp-roslyn}/bin/OmniSharp"; - # # language-servers = ["OmniSharp"]; - # } + { + name = "c-sharp"; + source = "source.cs"; + file-types = ["cs"]; + indent = { + tab-width = 4; + unit = " "; + }; + block-comment-tokens = { + start = "/*"; + end = "*/"; + }; + # auto-format = false; + # formatter.command = "${pkgs.omnisharp-roslyn}/bin/OmniSharp"; + # language-servers = ["OmniSharp"]; + } ]; - language-server = { - # use nixd as default nix lsp (I haven't tried nil yet) - # NOTE: nixd will be supported by default after nix 24.07 - # SOURCE: https://github.com/nix-community/nixd/blob/main/nixd/docs/editor-setup.md#Helix - nixd = { - command = "${pkgs.nixd}/bin/nixd"; - }; - # clangd for C - clangd = { - command = "${pkgs.clang-tools}/bin/clangd"; - }; - - haskell-language-server = { - command = "${pkgs.haskell-language-server}/bin/haskell-language-server-wrapper"; - }; - - rust-analyzer = { - command = "${pkgs.rust-analyzer}/bin/rust-analyzer"; - }; - - # C# language services - OmniSharp = { - command = "${pkgs.omnisharp-roslyn}/bin/OmniSharp"; - }; - }; + language-server = + lsps + |> builtins.mapAttrs (_: lsp: "${lsp.pkg}${lsp.path}"); }; }; } diff --git a/hosts/lolcathost/default.nix b/hosts/lolcathost/default.nix index f3c5943..4119d78 100755 --- a/hosts/lolcathost/default.nix +++ b/hosts/lolcathost/default.nix @@ -296,13 +296,12 @@ in { # C Family gcc clang - clang-tools + # Rust cargo rustc rustfmt - rust-analyzer # Go go # Nim @@ -311,14 +310,9 @@ in { # Haskell ghc ghcid - haskell-language-server ormolu # Nix - # TODO: once upgraded past Nix-24.07 this line won't be necessary (I think) - # helix will support nixd by default - # SOURCE: https://github.com/nix-community/nixd/blob/main/nixd/docs/editor-setup.md#Helix - nixd # lsp for nix nix-prefetch-git nix-index nix-unit diff --git a/hosts/myputer/default.nix b/hosts/myputer/default.nix index aecd7ce..60098b1 100755 --- a/hosts/myputer/default.nix +++ b/hosts/myputer/default.nix @@ -307,19 +307,9 @@ in { # Haskell ghc ghcid - haskell-language-server ormolu # Java - # jdk17 - # (jre8.overrideAttrs - # (oldAttrs: { - # enableJavaFX = true; - # })) - # (jdk8.overrideAttrs - # (oldAttrs: { - # enableJavaFX = true; - # })) visualvm # Python @@ -357,11 +347,6 @@ in { tesseract # for my work with Agribit - # TODO: once upgraded past Nix-24.07 this line won't be necessary (I think) - # helix will support nixd by default - # SOURCE: https://github.com/nix-community/nixd/blob/main/nixd/docs/editor-setup.md#Helix - # nixd # lsp for nix # DEBUG - # Pretty necessary git git-filter-repo From 3a5e6dcbed3d815992af5b9621b73ef85d2024e2 Mon Sep 17 00:00:00 2001 From: Emile Clark-Boman Date: Thu, 29 Jan 2026 14:40:18 +1000 Subject: [PATCH 3/7] ./deploy use --intend-to-add on call to `git add` --- deploy | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/deploy b/deploy index 911d054..08b95d0 100755 --- a/deploy +++ b/deploy @@ -19,7 +19,8 @@ collect_garbage () { rebuild_flake () { # make sure all changes are visible to nixos - git add . --verbose + # (--intent-to-add tracks files but DOES NOT stage them) + git add . --intent-to-add --verbose local FLAGS= if [ "$1" = "reinstall-bootloader" ]; then FLAGS="--install-bootloader" From 7d4353bffeb5740f4b76aef1b1222d6a8bcc84d1 Mon Sep 17 00:00:00 2001 From: Emile Clark-Boman Date: Sat, 31 Jan 2026 08:36:10 +1000 Subject: [PATCH 4/7] major buff to the helix module --- homes/modules/editor/helix.nix | 59 ++++++++++++++++++---------------- 1 file changed, 32 insertions(+), 27 deletions(-) diff --git a/homes/modules/editor/helix.nix b/homes/modules/editor/helix.nix index 81f7959..3d831c1 100755 --- a/homes/modules/editor/helix.nix +++ b/homes/modules/editor/helix.nix @@ -3,50 +3,56 @@ pkgs-unstable, ... }: let - lsps = let - mkLsp = pkg: path: {inherit pkg path;}; - in { + lsps = { bash-language-server = - mkLsp - pkgs.bash-language-server - "/bin/bash-language-server"; + { + pkg = pkgs.bash-language-server; + cmd = "bash-language-server"; + }; clangd = - mkLsp - pkgs.clang-tools - "/bin/clangd"; + { + pkg = pkgs.clang-tools; + cmd = "clangd"; + }; haskell-language-server = - mkLsp - pkgs.haskell-language-server - "/bin/haskell-language-server-wrapper"; + { + pkg = pkgs.haskell-language-server; + cmd = "haskell-language-server-wrapper"; + }; # TODO: once upgraded past Nix-24.07 this line won't be necessary (I think) # helix will support nixd by default # SOURCE: https://github.com/nix-community/nixd/blob/main/nixd/docs/editor-setup.md#Helix nixd = - mkLsp - pkgs.nixd - "/bin/nixd"; + { + pkg = pkgs.nixd; + cmd = "nixd"; + }; OmniSharp = - mkLsp - pkgs.omnisharp-roslyn - "/bin/OmniSharp"; + { + pkg = pkgs.omnisharp-roslyn; + cmd = "OmniSharp"; + }; rust-analyzer = - mkLsp - pkgs.rust-analyzer - "/bin/rust-analyzer"; + { + pkg = pkgs.rust-analyzer; + cmd = "rust-analyzer"; + }; ty = - mkLsp - pkgs.ty - "/bin/ty"; + { + pkg = pkgs-unstable.ty; + cmd = "ty"; + }; }; in { - environment.systemPackages = + home.packages = lsps + |> builtins.attrValues |> map (lsp: lsp.pkg); # REF: https://docs.helix-editor.com/editor.html @@ -205,7 +211,6 @@ in { } { name = "c-sharp"; - source = "source.cs"; file-types = ["cs"]; indent = { tab-width = 4; @@ -223,7 +228,7 @@ in { language-server = lsps - |> builtins.mapAttrs (_: lsp: "${lsp.pkg}${lsp.path}"); + |> builtins.mapAttrs (_: lsp: { command = "${lsp.pkg}/bin/${lsp.cmd}"; }); }; }; } From 6b6ce26c66e849096d5f06d828151216ad926184 Mon Sep 17 00:00:00 2001 From: Emile Clark-Boman Date: Sat, 31 Jan 2026 08:36:33 +1000 Subject: [PATCH 5/7] move hyrule services to services/ --- hosts/hyrule/{ => services}/mailserver.nix | 1 + hosts/hyrule/{ => services}/minecraft-server.nix | 0 2 files changed, 1 insertion(+) rename hosts/hyrule/{ => services}/mailserver.nix (95%) rename hosts/hyrule/{ => services}/minecraft-server.nix (100%) diff --git a/hosts/hyrule/mailserver.nix b/hosts/hyrule/services/mailserver.nix similarity index 95% rename from hosts/hyrule/mailserver.nix rename to hosts/hyrule/services/mailserver.nix index 49274f2..cd2adfc 100644 --- a/hosts/hyrule/mailserver.nix +++ b/hosts/hyrule/services/mailserver.nix @@ -28,6 +28,7 @@ aliases = ["emile@imbored.dev"]; hashedPasswordFile = let CWD = builtins.getEnv "PWD"; + # XXX: TODO: use a secrets manager! in "${CWD}/secrets/passwd/me"; }; }; diff --git a/hosts/hyrule/minecraft-server.nix b/hosts/hyrule/services/minecraft-server.nix similarity index 100% rename from hosts/hyrule/minecraft-server.nix rename to hosts/hyrule/services/minecraft-server.nix From 83e9a001db75d37742612958c27407294c527fab Mon Sep 17 00:00:00 2001 From: Emile Clark-Boman Date: Sat, 31 Jan 2026 08:37:39 +1000 Subject: [PATCH 6/7] hyrule use bashistrans.nix --- hosts/hyrule/default.nix | 29 ++--------------------------- hosts/modules/bashistrans.nix | 32 ++++++++++++++++++-------------- 2 files changed, 20 insertions(+), 41 deletions(-) diff --git a/hosts/hyrule/default.nix b/hosts/hyrule/default.nix index 72cf59f..c87d1ba 100755 --- a/hosts/hyrule/default.nix +++ b/hosts/hyrule/default.nix @@ -1,8 +1,6 @@ { pkgs, pkgs-unstable, - inputs, - lib, ... }: let home-manager = builtins.fetchTarball { @@ -20,6 +18,7 @@ in { #../modules/server/nginx.nix #../modules/server/ssh.nix #../modules/server/fail2ban.nix + ../modules/bashistrans.nix ]; nix.settings = { @@ -33,15 +32,6 @@ in { ]; }; - # nixpkgs.config.allowUnfreePredicate = let - # whitelist = map lib.getName [ - # "minecraft-server" - # pkgs.minecraft-server - # pkgs-unstable.minecraft-server - # ]; - # in - # pkg: builtins.elem (lib.getName pkg) whitelist; - time.timeZone = "Australia/Brisbane"; i18n.defaultLocale = "en_US.UTF-8"; @@ -480,6 +470,7 @@ in { }; }; }; + security = { # accept Lets Encrypt's security policy (for nginx) acme = { @@ -507,21 +498,5 @@ in { helix ]; - programs = { - fish.enable = true; - - bash = { - completion.enable = true; - - interactiveShellInit = '' - if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]] - then - shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION="" - exec ${pkgs.fish}/bin/fish $LOGIN_OPTION - fi - ''; - }; - }; - system.stateVersion = "24.11"; # DO NOT MODIFY } diff --git a/hosts/modules/bashistrans.nix b/hosts/modules/bashistrans.nix index d3b285c..e9d74ae 100644 --- a/hosts/modules/bashistrans.nix +++ b/hosts/modules/bashistrans.nix @@ -2,22 +2,26 @@ # I want to use fish as my login shell but it always goes terrible # cause it isn't POSIX compliant, so instead Bash is my login and # will just exec fish (^-^) - programs.bash = { - blesh.enable = false; # ble.sh replacement for GNU readline - completion.enable = true; + programs = { + fish.enable = true; - interactiveShellInit = '' - # help bash transition into a beautiful fish! - if [[ -z $CRY_BASH_IS_TRANS ]] - then - if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]] + bash = { + blesh.enable = false; # ble.sh replacement for GNU readline + completion.enable = true; + + interactiveShellInit = '' + # help bash transition into a beautiful fish! + if [[ -z $CRY_BASH_IS_TRANS ]] then - shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION="" - exec ${pkgs.fish}/bin/fish $LOGIN_OPTION + if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]] + then + shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION="" + exec ${pkgs.fish}/bin/fish $LOGIN_OPTION + fi fi - fi - # bash is trans now! (no more transitioning required) - export CRY_BASH_IS_TRANS=true - ''; + # bash is trans now! (no more transitioning required) + export CRY_BASH_IS_TRANS=true + ''; + }; }; } From 56af3c8919a817ea06f3613ef692f7a03567a93a Mon Sep 17 00:00:00 2001 From: Emile Clark-Boman Date: Sat, 31 Jan 2026 08:38:36 +1000 Subject: [PATCH 7/7] split hyrule config --- hosts/hyrule/default.nix | 324 +------------------------- hosts/hyrule/services/forgejo.nix | 150 ++++++++++++ hosts/hyrule/services/nginx.nix | 99 ++++++++ hosts/hyrule/services/vaultwarden.nix | 25 ++ 4 files changed, 278 insertions(+), 320 deletions(-) create mode 100644 hosts/hyrule/services/forgejo.nix create mode 100644 hosts/hyrule/services/nginx.nix create mode 100644 hosts/hyrule/services/vaultwarden.nix diff --git a/hosts/hyrule/default.nix b/hosts/hyrule/default.nix index c87d1ba..837fc4d 100755 --- a/hosts/hyrule/default.nix +++ b/hosts/hyrule/default.nix @@ -12,12 +12,12 @@ in { ./hardware-configuration.nix (import "${home-manager}/nixos") + ./services/forgejo.nix + ./services/vaultwarden.nix + ./services/nginx.nix # ./mailserver.nix # TEMP: location # ./minecraft-server.nix # TEMP: location - #../modules/server/nginx.nix - #../modules/server/ssh.nix - #../modules/server/fail2ban.nix ../modules/bashistrans.nix ]; @@ -82,30 +82,6 @@ in { ]; }; - # wireguard.interfaces = { - # wg0 = { - # ips = ["10.10.10.4/24"]; # my IP and the subnet (keyword: "AND") - # listenPort = 54231; - # - # privateKeyFile = "/root/wg_agrivpn_hyrule"; - # - # peers = [ - # { - # # peer's public key - # publicKey = "iZ4aqYjbT8O8tfUHEuV+yWLtdoQbdBb6Nt0M4usMSiY="; - # - # # choose which traffic to forward - # allowedIPs = ["10.0.51.0/24" "10.10.10.0/24"]; - # - # # TODO: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577 - # endpoint = "150.242.34.33:54231"; - # - # # send keepalives every 25 seconds. Important to keep NAT tables alive. - # persistentKeepalive = 25; - # } - # ]; - # }; - # }; wg-quick.interfaces = { wg0 = { address = [ @@ -140,7 +116,7 @@ in { extraGroups = ["wheel"]; shell = pkgs.bash; openssh.authorizedKeys.keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCsUZY45rgezi+8iROdcR5vPeacJ2fbMjlDijfUrH9hRX2FzCsg/4e3aFKhi2seZMmyTfbstxmDrrH8paUS5TibFgLFBGNngaF3CTjg85i5pm25Hr4IVo31oziBnTWaG6j3buYKtz5e1qSPzXywinJR+5+FCUJU7Fxa+EWTZcOX4wYgArSj4q73rZmvk5N0X44Mudt4nvpD2chvxygsdTzD6ph92qCuaJ/AbfmOoC7b/xvOaOVydUfgDLpHi9VZbd3akvvKxRfW6ZklldgXEzPXKMuastN0mwcBxvIb5G1Vkj8jtSVtKPc5psZ9/NWA5l38xH4qZ6z7eib6thtEMdtcKmTZEEWDADjqTea5Gj61c1n18cr6f3Tff+0bn/cxsl4Y0esi+aDeuCXYiIYNmeKBx0ttDNIxpk4J5Fdh6Xs+AZif5lnJErtu8TPy2aC0bc9wehTjMyvilTHfyerOD1ZJXhN2XwRVDGN7t7leAJZISJlPjqTDcw3Vfvzte/5JqS+FR+hbpG4uz2ix8kUa20u5YF2oSdGl8+zsdozVsdQm10Iv9WSXBV7t4m+oyodgtfzydBpmXq7aBXudCiEKw+7TC7F+1a4YFrVrCNXKFgKUpd1MiVLl7DIbzm5U9MD2BB3Fy7BPCzr3tW6/ExOhhpBWY+HnzVGQfkNr7dRcqfipKw== ae@imbored.dev" + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCsUZY45rgezi+8iROdcR5vPeacJ2fbMjlDijfUrH9hRX2FzCsg/4e3aFKhi2seZMmyTfbstxmDrrH8paUS5TibFgLFBGNngaF3CTjg85i5pm25Hr4IVo31oziBnTWaG6j3buYKtz5e1qSPzXywinJR+5+FCUJU7Fxa+EWTZcOX4wYgArSj4q73rZmvk5N0X44Mudt4nvpD2chvxygsdTzD6ph92qCuaJ/AbfmOoC7b/xvOaOVydUfgDLpHi9VZbd3akvvKxRfW6ZklldgXEzPXKMuastN0mwcBxvIb5G1Vkj8jtSVtKPc5psZ9/NWA5l38xH4qZ6z7eib6thtEMdtcKmTZEEWDADjqTea5Gj61c1n18cr6f3Tff+0bn/cxsl4Y0esi+aDeuCXYiIYNmeKBx0ttDNIxpk4J5Fdh6Xs+AZif5lnJErtu8TPy2aC0bc9wehTjMyvilTHfyerOD1ZJXhN2XwRVDGN7t7leAJZISJlPjqTDcw3Vfvzte/5JqS+FR+hbpG4uz2ix8kUa20u5YF2oSdGl8+zsdozVsdQm10Iv9WSXBV7t4m+oyodgtfzydBpmXq7aBXudCiEKw+7TC7F+1a4YFrVrCNXKFgKUpd1MiVLl7DIbzm5U9MD2BB3Fy7BPCzr3tW6/ExOhhpBWY+HnzVGQfkNr7dRcqfipKw== ae@dobutterfliescry.net" ]; }; @@ -166,70 +142,6 @@ in { }; services = { - # simple nginx instance to host static construction page - # TODO: I want sshd and forgejo's ssh server to both be bound to port 22 - # So change sshd to listen on a different address/port (ie 2222 or 127.0.0.3:22, etc) - # and change forgejo to use 127.0.0.2:22 (use port 22, ONLY change loopback address) - nginx = { - enable = true; - # in wake of CVE-2022-3602/CVE-2022-3786 - package = pkgs.nginxStable.override {openssl = pkgs.libressl;}; - - recommendedGzipSettings = true; - recommendedZstdSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - - # streamConfig = '' - # server { - # listen 127.0.0.1:53 udp reuseport; - # proxy_timeout 20s; - # proxy_pass 192.168.0.1:53535; - # } - # ''; - - virtualHosts = let - localhost = "http://127.0.0.1"; - std = { - # TODO: should I run over QUIC+HTTP3? (experimental) - # quic = true; - # http3 = true; - enableACME = true; - # kTLS = true; # offload TLS to the linux kernel - }; - in { - "imbored.dev" = - { - default = true; - addSSL = true; # not strictly enforced <3 - root = "/var/www/imbored"; - # extraConfig = '' - # error_page 404 /custom_404.html; - # ''; - } - // std; - # Route "vault" subdomain to vaultwarden - "vault.imbored.dev" = - { - forceSSL = true; - locations."/".proxyPass = "${localhost}:8222"; - } - // std; - # Route "forge" subdomain to forgejo - # TODO: use `forgejo.settings.server.ENABLE_ACME` instead? - "forge.imbored.dev" = - { - forceSSL = true; - extraConfig = '' - client_max_body_size 512M; - ''; - locations."/".proxyPass = "${localhost}:3000"; - } - // std; - }; - }; - openssh = { enable = true; ports = [22]; @@ -241,234 +153,6 @@ in { X11Forwarding = false; }; }; - - vaultwarden = { - enable = true; - dbBackend = "sqlite"; - - # backupDir = "/var/backup/vaultwarden"; # disable with null - - # https://mynixos.com/nixpkgs/option/services.vaultwarden.config - config = { - # internal address and port to listen on - ROCKET_ADDRESS = "127.0.0.1"; - ROCKET_PORT = 8222; - - # hostname to listen for - DOMAIN = "https://vault.imbored.dev"; - - # signup policy - SIGNUPS_ALLOWED = false; - SIGNUPS_VERIFY = true; - INVITATIONS_ALLOWED = true; - }; - # https://mynixos.com/nixpkgs/option/services.vaultwarden.environmentFile - environmentFile = "/var/lib/vaultwarden/vaultwarden.env"; - }; - - # stalwart-mail = let - # domain = "imbored.dev"; - # in { - # enable = false; # true; - # # openFirewall = true; # im doing this manually rn - # settings = { - # certificate."${domain}" = { - # cert = "file://${certs.${domain}.cert}"; - # private-key = "file://${certs.${domain}.key}"; - # }; - # server = { - # hostname = domain; - # tls = { - # certificate = "${domain}"; - # enable = true; - # implicit = false; - # }; - # listener = { - # "smtp-submission" = { - # bind = ["127.0.0.1:587"]; - # protocol = "smtp"; - # }; - # "imap" = { - # bind = ["127.0.0.1:143"]; - # protocol = "imap"; - # }; - # }; - # }; - # session = { - # rcpt.directory = "in-memory"; - # auth = { - # mechanisms = ["PLAIN"]; - # directory = "in-memory"; - # }; - # }; - # jmap.directory = "in-memory"; - # queue.outbound.next-hop = ["local"]; - # directory."in-memory" = { - # type = "memory"; - # users = [ - # { - # name = "me"; - # secret = "foobar"; - # email = ["me@${domain}"]; - # } - # { - # name = "Emile"; - # secret = "foobar"; - # email = ["emile@${domain}"]; - # } - # ]; - # }; - # }; - # }; - - # more options here: https://mynixos.com/nixpkgs/options/services.forgejo - # TODO: set a favicon https://forgejo.org/docs/next/contributor/customization/#changing-the-logo - # (might need me to override settings in the nixpkg) - # TODO: create a custom theme for forgejo (modify the source files most likely) - forgejo = { - enable = true; - # enable support for Git Large File Storage - lfs.enable = true; - database = { - type = "sqlite3"; # postgres - host = "127.0.0.1"; - port = "3306"; # 5432 if postgres - }; - # settings are written directly to the `app.ini` config file - # refer to: https://forgejo.org/docs/latest/admin/config-cheat-sheet/ - settings = { - server = { - # ENABLE_ACME = true; - # ACME_EMAIL = "eclarkboman@gmail.com"; # change this to "me@imbored.dev" - DOMAIN = "forge.imbored.dev"; # should this be "imbored.dev"? - ROOT_URL = "https://forge.imbored.dev"; # full public URL of the Forgejo server - # address and port to listen on - HTTP_ADDR = "127.0.0.1"; - HTTP_PORT = 3000; - PROTOCOL = "http"; # http internally, reverse proxy uses https externally - - START_SSH_SERVER = true; - DISABLE_SSH = false; - SSH_PORT = 2222; - }; - - DEFAULT = { - APP_NAME = "tearforge"; - APP_SLOGIN = "but cozy"; - APP_DISPLAY_NAME_FORMAT = "{APP_NAME} ::{APP_SLOGAN}::"; - }; - - repository = { - DEFAULT_PRIVATE = "private"; # last, private, public - # repo/org created on push to non-existent - ENABLE_PUSH_CREATE_USER = true; - ENABLE_PUSH_CREATE_ORG = false; - DEFAULT_PUSH_CREATE_PRIVATE = true; - MAX_CREATION_LIMIT = -1; - }; - - "repository.upload" = { - # max per-file size in MB - FILE_MAX_SIZE = 50; - # max number of files per upload - MAX_FILES = 5; - }; - - badges = let - # flat, flat-square, plastic, for-the-badge, social - style = "for-the-badge"; - in { - ENABLED = true; - GENERATOR_URL_TEMPLATE = "https://img.shields.io/badge/{{.label}}-{{.text}}-{{.color}}?style=${style}"; - }; - - ui = { - DEFAULT_THEME = "forgejo-dark"; - THEMES = "forgejo-auto,forgejo-light,forgejo-dark"; - }; - "ui.meta" = { - AUTHOR = "Emile Clark-Boman - emileclarkb"; - DESCRIPTION = "This is my personal self-hosted git forge, where I keep and maintain personal projects! PS do butterflies cry when they're sad?"; - KEYWORDS = "emile,clark,boman,clarkboman,emileclarkb,git,forge,forgejo,self-hosted,dobutterfliescry,butterfly,butterflies"; - }; - - markdown = { - ENABLE_HARD_LINE_BREAK_IN_COMMENTS = true; - ENABLE_MATH = true; - }; - - admin = { - DEFAULT_EMAIL_NOTIFICATIONS = "enabled"; - SEND_NOTIFICATION_EMAIL_ON_NEW_USER = true; - }; - - security = { - # Controls access to the installation page. - # When set to “true”, the installation page is not accessible. - #INSTALL_LOCK = false; - - PASSWORD_HASH_ALGO = "argon2"; # ARGON2 BEST ALGO FR!! (default: argon2$2$65536$8$50) - MIN_PASSWORD_LENGTH = 12; - PASSWORD_COMPLEXITY = "lower,upper,digit,spec"; - PASSWORD_CHECK_PWN = true; - }; - - service = { - DISABLE_REGISTRATION = true; # toggle for new users - #DEFAULT_USER_IS_RESTRICTED = true; - # Forbid login with third-party services (ie github) - ALLOW_ONLY_INTERNAL_REGISTRATION = true; - ENABLE_CAPTCHA = true; - REQUIRE_CAPTCHA_FOR_LOGIN = true; - REQUIRE_EXTERNAL_REGISTRATION_CAPTCHA = true; - LOGIN_REMEMBER_DAYS = 365; - ENABLE_NOTIFY_MAIL = true; - }; - "service.explore" = { - REQUIRE_SIGNIN_VIEW = false; - DISABLE_USERS_PAGE = false; - DISABLE_ORGANIZATIONS_PAGE = false; - DISABLE_CODE_PAGE = false; - }; - - cache = { - ADAPTER = "twoqueue"; - HOST = "{\"size\":100, \"recent_ratio\":0.25, \"ghost_ratio\":0.5}"; - ITEM_TTL = "16h"; - }; - - # TODO: fill this in once my mail server is configured - # email.incoming = { ... }; - - # optional - # TODO: fill this in once my mail server is configured - mailer = { - ENABLED = false; - SMTP_ADDR = "mail.imbored.dev"; - FROM = "noreply@imbored.dev"; - USER = "noreply@imbored.dev"; - }; - - log = { - MODE = "file"; - LEVEL = "Info"; # "Trace", "Debug", "Info", "Warn", "Error", "Critical" - ENABLE_SSH_LOG = true; - }; - - cron = { - ENABLED = true; - RUN_AT_START = false; - }; - - other = { - SHOW_FOOTER_VERSION = true; - SHOW_FOOTER_TEMPLATE_LOAD_TIME = true; - SHOW_FOOTER_POWERED_BY = true; - ENABLE_SITEMAP = true; - ENABLE_FEED = true; - }; - }; - }; }; security = { diff --git a/hosts/hyrule/services/forgejo.nix b/hosts/hyrule/services/forgejo.nix new file mode 100644 index 0000000..f228116 --- /dev/null +++ b/hosts/hyrule/services/forgejo.nix @@ -0,0 +1,150 @@ +{...}: { + # more options here: https://mynixos.com/nixpkgs/options/services.forgejo + # TODO: set a favicon https://forgejo.org/docs/next/contributor/customization/#changing-the-logo + # (might need me to override settings in the nixpkg) + # TODO: create a custom theme for forgejo (modify the source files most likely) + services.forgejo = { + enable = true; + # enable support for Git Large File Storage + lfs.enable = true; + database = { + type = "sqlite3"; # postgres + host = "127.0.0.1"; + port = "3306"; # 5432 if postgres + }; + # settings are written directly to the `app.ini` config file + # refer to: https://forgejo.org/docs/latest/admin/config-cheat-sheet/ + settings = { + server = { + # ENABLE_ACME = true; + # ACME_EMAIL = "eclarkboman@gmail.com"; # change this to "me@imbored.dev" + DOMAIN = "forge.imbored.dev"; # should this be "imbored.dev"? + ROOT_URL = "https://forge.imbored.dev"; # full public URL of the Forgejo server + # address and port to listen on + HTTP_ADDR = "127.0.0.1"; + HTTP_PORT = 3000; + PROTOCOL = "http"; # http internally, reverse proxy uses https externally + + START_SSH_SERVER = true; + DISABLE_SSH = false; + SSH_PORT = 2222; + }; + + DEFAULT = { + APP_NAME = "tearforge"; + APP_SLOGIN = "but cozy"; + APP_DISPLAY_NAME_FORMAT = "{APP_NAME} ::{APP_SLOGAN}::"; + }; + + repository = { + DEFAULT_PRIVATE = "private"; # last, private, public + # repo/org created on push to non-existent + ENABLE_PUSH_CREATE_USER = true; + ENABLE_PUSH_CREATE_ORG = false; + DEFAULT_PUSH_CREATE_PRIVATE = true; + MAX_CREATION_LIMIT = -1; + }; + + "repository.upload" = { + # max per-file size in MB + FILE_MAX_SIZE = 50; + # max number of files per upload + MAX_FILES = 5; + }; + + badges = let + # flat, flat-square, plastic, for-the-badge, social + style = "for-the-badge"; + in { + ENABLED = true; + GENERATOR_URL_TEMPLATE = "https://img.shields.io/badge/{{.label}}-{{.text}}-{{.color}}?style=${style}"; + }; + + ui = { + DEFAULT_THEME = "forgejo-dark"; + THEMES = "forgejo-auto,forgejo-light,forgejo-dark"; + }; + "ui.meta" = { + AUTHOR = "Emile Clark-Boman - emileclarkb"; + DESCRIPTION = "This is my personal self-hosted git forge, where I keep and maintain personal projects! PS do butterflies cry when they're sad?"; + KEYWORDS = "emile,clark,boman,clarkboman,emileclarkb,git,forge,forgejo,self-hosted,dobutterfliescry,butterfly,butterflies"; + }; + + markdown = { + ENABLE_HARD_LINE_BREAK_IN_COMMENTS = true; + ENABLE_MATH = true; + }; + + admin = { + DEFAULT_EMAIL_NOTIFICATIONS = "enabled"; + SEND_NOTIFICATION_EMAIL_ON_NEW_USER = true; + }; + + security = { + # Controls access to the installation page. + # When set to “true”, the installation page is not accessible. + #INSTALL_LOCK = false; + + PASSWORD_HASH_ALGO = "argon2"; # ARGON2 BEST ALGO FR!! (default: argon2$2$65536$8$50) + MIN_PASSWORD_LENGTH = 12; + PASSWORD_COMPLEXITY = "lower,upper,digit,spec"; + PASSWORD_CHECK_PWN = true; + }; + + service = { + DISABLE_REGISTRATION = true; # toggle for new users + #DEFAULT_USER_IS_RESTRICTED = true; + # Forbid login with third-party services (ie github) + ALLOW_ONLY_INTERNAL_REGISTRATION = true; + ENABLE_CAPTCHA = true; + REQUIRE_CAPTCHA_FOR_LOGIN = true; + REQUIRE_EXTERNAL_REGISTRATION_CAPTCHA = true; + LOGIN_REMEMBER_DAYS = 365; + ENABLE_NOTIFY_MAIL = true; + }; + "service.explore" = { + REQUIRE_SIGNIN_VIEW = false; + DISABLE_USERS_PAGE = false; + DISABLE_ORGANIZATIONS_PAGE = false; + DISABLE_CODE_PAGE = false; + }; + + cache = { + ADAPTER = "twoqueue"; + HOST = "{\"size\":100, \"recent_ratio\":0.25, \"ghost_ratio\":0.5}"; + ITEM_TTL = "16h"; + }; + + # TODO: fill this in once my mail server is configured + # email.incoming = { ... }; + + # optional + # TODO: fill this in once my mail server is configured + mailer = { + ENABLED = false; + SMTP_ADDR = "mail.dobutterfliescry.net"; + FROM = "iforgor@dobutterfliescry.net"; + USER = "iforgor@dobutterfliescry.net"; + }; + + log = { + MODE = "file"; + LEVEL = "Info"; # "Trace", "Debug", "Info", "Warn", "Error", "Critical" + ENABLE_SSH_LOG = true; + }; + + cron = { + ENABLED = true; + RUN_AT_START = false; + }; + + other = { + SHOW_FOOTER_VERSION = true; + SHOW_FOOTER_TEMPLATE_LOAD_TIME = true; + SHOW_FOOTER_POWERED_BY = true; + ENABLE_SITEMAP = true; + ENABLE_FEED = true; + }; + }; + }; +} diff --git a/hosts/hyrule/services/nginx.nix b/hosts/hyrule/services/nginx.nix new file mode 100644 index 0000000..d719841 --- /dev/null +++ b/hosts/hyrule/services/nginx.nix @@ -0,0 +1,99 @@ +{pkgs, ...}: { + nixpkgs.overlays = [ + (self: super: { + # in wake of CVE-2022-3602/CVE-2022-3786 + nginxStable = super.nginxStable.override {openssl = pkgs.libressl;}; + }) + ]; + + # simple nginx instance to host static construction page + # TODO: I want sshd and forgejo's ssh server to both be bound to port 22 + # So change sshd to listen on a different address/port (ie 2222 or 127.0.0.3:22, etc) + # and change forgejo to use 127.0.0.2:22 (use port 22, ONLY change loopback address) + services.nginx = { + enable = true; + # XXX: TODO: this should auto use the nginxStable overlay no? + # in wake of CVE-2022-3602/CVE-2022-3786 + # package = pkgs.nginxStable.override {openssl = pkgs.libressl;}; + + recommendedGzipSettings = true; + recommendedZstdSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + # streamConfig = '' + # server { + # listen 127.0.0.1:53 udp reuseport; + # proxy_timeout 20s; + # proxy_pass 192.168.0.1:53535; + # } + # ''; + + virtualHosts = let + localhost = "http://127.0.0.1"; + std = { + # TODO: should I run over QUIC+HTTP3? (experimental) + # quic = true; + # http3 = true; + enableACME = true; + # kTLS = true; # offload TLS to the linux kernel + }; + website = + { + default = true; + addSSL = true; # not strictly enforced <3 + root = "/var/www/imbored"; + # extraConfig = '' + # error_page 404 /custom_404.html; + # ''; + } + // std; + + vault = + { + forceSSL = true; + locations."/".proxyPass = "${localhost}:8222"; + } + // std; + forge = + { + forceSSL = true; + extraConfig = '' + client_max_body_size 512M; + ''; + locations."/".proxyPass = "${localhost}:3000"; + } + // std; + in { + # XXX: TODO: imbored.dev and dobutterfliescry.net can't + # XXX: TODO: be active at the same time??? why?? + # "imbored.dev" = + # { + # default = true; + # addSSL = true; # not strictly enforced <3 + # root = "/var/www/imbored"; + # # extraConfig = '' + # # error_page 404 /custom_404.html; + # # ''; + # } + # // std; + "dobutterfliescry.net" = + { + default = true; + addSSL = true; # not strictly enforced <3 + root = "/var/www/cry"; + # extraConfig = '' + # error_page 404 /custom_404.html; + # ''; + } + // std; + # Route "vault" subdomain to vaultwarden + "vault.imbored.dev" = vault; + # Route "forge" subdomain to forgejo + # TODO: use `forgejo.settings.server.ENABLE_ACME` instead? + "forge.imbored.dev" = forge; + # "forge.dobutterfliescry.net" = forge; + }; + }; +} diff --git a/hosts/hyrule/services/vaultwarden.nix b/hosts/hyrule/services/vaultwarden.nix new file mode 100644 index 0000000..6cde9ab --- /dev/null +++ b/hosts/hyrule/services/vaultwarden.nix @@ -0,0 +1,25 @@ +{...}: { + services.vaultwarden = { + enable = true; + dbBackend = "sqlite"; + + # backupDir = "/var/backup/vaultwarden"; # disable with null + + # https://mynixos.com/nixpkgs/option/services.vaultwarden.config + config = { + # internal address and port to listen on + ROCKET_ADDRESS = "127.0.0.1"; + ROCKET_PORT = 8222; + + # hostname to listen for + DOMAIN = "https://vault.imbored.dev"; + + # signup policy + SIGNUPS_ALLOWED = false; + SIGNUPS_VERIFY = true; + INVITATIONS_ALLOWED = true; + }; + # https://mynixos.com/nixpkgs/option/services.vaultwarden.environmentFile + environmentFile = "/var/lib/vaultwarden/vaultwarden.env"; + }; +}