swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2025-12-06 09:07:21 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: add globals system

Browse source
This commit is contained in:
Leon Schwarzäugl 2025-06-29 22:43:04 +02:00
parent 6cac368378
commit 2aa5e0095c
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
31 changed files with 833 additions and 528 deletions
Download patch file Download diff file Expand all files Collapse all files

467
SwarselSystems.org
View file

@ -155,21 +155,123 @@ In =outputs = inputs@ [...]=, the =inputs@= makes it so that all inputs are auto
}: }:
let let
<<flakelet>> <<flakelet>>
in
inputs.flake-parts.lib.mkFlake { inherit inputs; } {
imports = [
./nix/globals.nix
];
flake = { config, ... }:
let
<<flakelet>>
linuxUser = "swarsel";
macUser = "leon.schwarzaeugl";
mkFullHost = host: type: {
${host} =
let
systemFunc = if (type == "nixos") then lib.nixosSystem else inputs.nix-darwin.lib.darwinSystem;
in
systemFunc {
specialArgs = { inherit inputs outputs lib self; inherit (config) globals; };
modules = [
{
node.name = host;
node.secretsDir = ./hosts/${type}/${host}/secrets;
}
# put inports here that are for all hosts
inputs.disko.nixosModules.disko
inputs.sops-nix.nixosModules.sops
inputs.impermanence.nixosModules.impermanence
inputs.lanzaboote.nixosModules.lanzaboote
inputs.fw-fanctrl.nixosModules.default
"${self}/hosts/${type}/${host}"
{
_module.args.primaryUser = linuxUser;
}
] ++
(if (host == "iso") then [
inputs.nix-topology.nixosModules.default
] else
([
# put nixos imports here that are for all servers and normal hosts
inputs.nix-topology.nixosModules.default
"${self}/modules/${type}/common"
inputs.stylix.nixosModules.stylix
inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm
] ++ (if (type == "nixos") then [
inputs.home-manager.nixosModules.home-manager
"${self}/profiles/nixos"
"${self}/modules/nixos/server"
"${self}/modules/nixos/optional"
{
home-manager.users."${linuxUser}".imports = [
# put home-manager imports here that are for all normal hosts
"${self}/modules/home/common"
"${self}/modules/home/server"
"${self}/modules/home/optional"
"${self}/profiles/home"
];
}
] else [
# put nixos imports here that are for darwin hosts
"${self}/modules/darwin/nixos/common"
"${self}/profiles/darwin"
inputs.home-manager.darwinModules.home-manager
{
home-manager.users."${macUser}".imports = [
# put home-manager imports here that are for darwin hosts
"${self}/modules/darwin/home"
"${self}/modules/home/server"
"${self}/modules/home/optional"
"${self}/profiles/home"
];
}
])
));
};
};
mkHalfHost = host: type: pkgs: {
${host} =
let
systemFunc = if (type == "home") then inputs.home-manager.lib.homeManagerConfiguration else inputs.nix-on-droid.lib.nixOnDroidConfiguration;
in
systemFunc
{
inherit pkgs;
extraSpecialArgs = { inherit inputs outputs lib self; };
modules = [ "${self}/hosts/${type}/${host}" ];
};
};
mkFullHostConfigs = hosts: type: lib.foldl (acc: set: acc // set) { } (lib.map (host: mkFullHost host type) hosts);
mkHalfHostConfigs = hosts: type: pkgs: lib.foldl (acc: set: acc // set) { } (lib.map (host: mkHalfHost host type pkgs) hosts);
in in
{ {
<<flakeoutputgeneral>> <<flakeoutputgeneral>>
nixosConfigurations = nixosConfigurations = mkFullHostConfigs (lib.swarselsystems.readHosts "nixos") "nixos";
<<flakenixosconf>> homeConfigurations = mkHalfHostConfigs (lib.swarselsystems.readHosts "home") "home" lib.swarselsystems.pkgsFor.x86_64-linux;
homeConfigurations = darwinConfigurations = mkFullHostConfigs (lib.swarselsystems.readHosts "darwin") "darwin";
<<flakehomeconf>> nixOnDroidConfigurations = mkHalfHostConfigs (lib.swarselsystems.readHosts "android") "android" lib.swarselsystems.pkgsFor.aarch64-linux;
darwinConfigurations =
<<flakedarwinconf>>
nixOnDroidConfigurations =
<<flakedroidconf>>
topology = topology = lib.swarselsystems.forEachSystem (pkgs: import inputs.nix-topology {
<<topologyconf>> inherit pkgs;
modules = [
"${self}/topology"
{ inherit (self) nixosConfigurations; }
];
});
nodes = config.nixosConfigurations;
};
systems = [
"x86_64-linux"
"aarch64-linux"
];
}; };
} }
#+end_src #+end_src
@ -304,6 +406,7 @@ When setting this option normally, the password would normally be written world-
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
nix-topology.url = "github:oddlama/nix-topology"; nix-topology.url = "github:oddlama/nix-topology";
flake-parts.url = "github:hercules-ci/flake-parts";
#+end_src #+end_src
** let ** let
:PROPERTIES: :PROPERTIES:
@ -497,7 +600,6 @@ Note: The preceding =nixosConfigurations= is found in [[#h:aee5ec75-7ca6-40d8-b6
#+begin_src nix :tangle no :noweb-ref flakenixosconf #+begin_src nix :tangle no :noweb-ref flakenixosconf
lib.swarselsystems.mkFullHostConfigs (lib.swarselsystems.readHosts "nixos") "nixos";
#+end_src #+end_src
** darwinConfigurations ** darwinConfigurations
:PROPERTIES: :PROPERTIES:
@ -510,7 +612,6 @@ Note: The preceding =darwinConfigurations= is found in [[#h:aee5ec75-7ca6-40d8-b
=3a272b1 feat!: dynamically create hosts=, and the deprecated system definitions removed in =7457109 main chore: remove deprecated static host config=. See those commits for a state with a simpler config. =3a272b1 feat!: dynamically create hosts=, and the deprecated system definitions removed in =7457109 main chore: remove deprecated static host config=. See those commits for a state with a simpler config.
#+begin_src nix :tangle no :noweb-ref flakedarwinconf #+begin_src nix :tangle no :noweb-ref flakedarwinconf
lib.swarselsystems.mkFullHostConfigs (lib.swarselsystems.readHosts "darwin") "darwin";
#+end_src #+end_src
** homeConfigurations ** homeConfigurations
@ -530,7 +631,6 @@ In contrast, this defines home-manager systems, which I only have one of, that s
# ]; # ];
# }; # };
lib.swarselsystems.mkHalfHostConfigs (lib.swarselsystems.readHosts "home") "home" lib.swarselsystems.pkgsFor.x86_64-linux;
#+end_src #+end_src
** nixOnDroidConfigurations ** nixOnDroidConfigurations
@ -549,7 +649,6 @@ Nix on Android also demands an own flake output, which is provided here.
# ]; # ];
# }; # };
lib.swarselsystems.mkHalfHostConfigs (lib.swarselsystems.readHosts "android") "android" lib.swarselsystems.pkgsFor.aarch64-linux;
#+end_src #+end_src
@ -561,13 +660,6 @@ Nix on Android also demands an own flake output, which is provided here.
#+begin_src nix :tangle no :noweb-ref topologyconf #+begin_src nix :tangle no :noweb-ref topologyconf
lib.swarselsystems.forEachSystem (pkgs: import inputs.nix-topology {
inherit pkgs;
modules = [
"${self}/topology"
{ inherit (self) nixosConfigurations; }
];
});
#+end_src #+end_src
@ -2133,6 +2225,9 @@ Also, an initial bash history is provided to allow for a very quick local deploy
"${self}/modules/nixos/common/topology.nix" "${self}/modules/nixos/common/topology.nix"
"${self}/modules/home/common/sharedsetup.nix" "${self}/modules/home/common/sharedsetup.nix"
"${self}/modules/nixos/common/globals.nix"
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
{ {
home-manager.users."${primaryUser}".imports = [ home-manager.users."${primaryUser}".imports = [
@ -5092,11 +5187,7 @@ The interesting part is in the start:
TODO TODO
#+begin_src nix :tangle lib/default.nix #+begin_src nix :tangle lib/default.nix
{ self, lib, systems, inputs, outputs, ... }: { self, lib, systems, inputs, ... }:
let
linuxUser = "swarsel";
macUser = "leon.schwarzaeugl";
in
{ {
mkIfElseList = p: yes: no: lib.mkMerge [ mkIfElseList = p: yes: no: lib.mkMerge [
@ -5141,88 +5232,6 @@ TODO
forEachSystem = f: lib.genAttrs (import systems) (system: f lib.swarselsystems.pkgsFor.${system}); forEachSystem = f: lib.genAttrs (import systems) (system: f lib.swarselsystems.pkgsFor.${system});
mkFullHost = host: type: {
${host} =
let
systemFunc = if (type == "nixos") then lib.nixosSystem else inputs.nix-darwin.lib.darwinSystem;
in
systemFunc {
specialArgs = { inherit inputs outputs lib self; };
modules = [
{
node.name = host;
node.secretsDir = ../hosts/${type}/${host}/secrets;
}
# put inports here that are for all hosts
inputs.disko.nixosModules.disko
inputs.sops-nix.nixosModules.sops
inputs.impermanence.nixosModules.impermanence
inputs.lanzaboote.nixosModules.lanzaboote
inputs.fw-fanctrl.nixosModules.default
"${self}/hosts/${type}/${host}"
{
_module.args.primaryUser = linuxUser;
}
] ++
(if (host == "iso") then [
inputs.nix-topology.nixosModules.default
] else
([
# put nixos imports here that are for all servers and normal hosts
inputs.nix-topology.nixosModules.default
"${self}/modules/${type}/common"
inputs.stylix.nixosModules.stylix
inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm
] ++ (if (type == "nixos") then [
inputs.home-manager.nixosModules.home-manager
"${self}/profiles/nixos"
"${self}/modules/nixos/server"
"${self}/modules/nixos/optional"
{
home-manager.users."${linuxUser}".imports = [
# put home-manager imports here that are for all normal hosts
"${self}/modules/home/common"
"${self}/modules/home/server"
"${self}/modules/home/optional"
"${self}/profiles/home"
];
}
] else [
# put nixos imports here that are for darwin hosts
"${self}/modules/darwin/nixos/common"
"${self}/profiles/darwin"
inputs.home-manager.darwinModules.home-manager
{
home-manager.users."${macUser}".imports = [
# put home-manager imports here that are for darwin hosts
"${self}/modules/darwin/home"
"${self}/modules/home/server"
"${self}/modules/home/optional"
"${self}/profiles/home"
];
}
])
));
};
};
mkHalfHost = host: type: pkgs: {
${host} =
let
systemFunc = if (type == "home") then inputs.home-manager.lib.homeManagerConfiguration else inputs.nix-on-droid.lib.nixOnDroidConfiguration;
in
systemFunc
{
inherit pkgs;
extraSpecialArgs = { inherit inputs outputs lib self; };
modules = [ "${self}/hosts/${type}/${host}" ];
};
};
mkFullHostConfigs = hosts: type: lib.foldl (acc: set: acc // set) { } (lib.map (host: lib.swarselsystems.mkFullHost host type) hosts);
mkHalfHostConfigs = hosts: type: pkgs: lib.foldl (acc: set: acc // set) { } (lib.map (host: lib.swarselsystems.mkHalfHost host type pkgs) hosts);
readHosts = type: lib.attrNames (builtins.readDir "${self}/hosts/${type}"); readHosts = type: lib.attrNames (builtins.readDir "${self}/hosts/${type}");
readNix = type: lib.filter (name: name != "default.nix") (lib.attrNames (builtins.readDir "${self}/${type}")); readNix = type: lib.filter (name: name != "default.nix") (lib.attrNames (builtins.readDir "${self}/${type}"));
@ -5533,6 +5542,60 @@ in
}; };
} }
#+end_src
**** Globals
#+begin_src nix :tangle nix/globals.nix
{ inputs, ... }:
{
flake =
{
config,
lib,
...
}:
{
globals =
let
globalsSystem = lib.evalModules {
prefix = [ "globals" ];
specialArgs = {
inherit lib;
inherit inputs;
inherit (config) nodes;
};
modules = [
../modules/nixos/common/globals.nix
(
{ lib, ... }:
{
globals = lib.mkMerge (
lib.concatLists (
lib.flip lib.mapAttrsToList config.nodes (
name: cfg:
builtins.addErrorContext "while aggregating globals from nixosConfigurations.${name} into flake-level globals:" cfg.config._globalsDefs
)
)
);
}
)
];
};
in
{
# Make sure the keys of this attrset are trivially evaluatable to avoid infinite recursion,
# therefore we inherit relevant attributes from the config.
inherit (globalsSystem.config.globals)
domains
services
macs
myuser
root
;
};
};
}
#+end_src #+end_src
** NixOS ** NixOS
:PROPERTIES: :PROPERTIES:
@ -5604,38 +5667,6 @@ I usually use =mutableUsers = false= in my NixOS configuration. However, on a ne
isImpermanence = lib.mkEnableOption "use impermanence on this system"; isImpermanence = lib.mkEnableOption "use impermanence on this system";
isSecureBoot = lib.mkEnableOption "use secure boot on this system"; isSecureBoot = lib.mkEnableOption "use secure boot on this system";
}; };
globals = lib.mkOption {
default = { };
type = lib.types.submodule {
options = {
services = lib.mkOption {
type = lib.types.attrsOf (
lib.types.submodule {
options = {
domain = lib.mkOption {
type = lib.types.str;
description = "Domain that the service runs under";
};
};
}
);
};
domains = {
main = lib.mkOption {
type = lib.types.str;
description = "My main domain.";
};
};
};
};
};
# _globalsDefs = lib.mkOption {
# type = lib.types.unspecified;
# default = options.globals.definitions;
# readOnly = true;
# internal = true;
# };
}; };
} }
#+end_src #+end_src
@ -5810,6 +5841,86 @@ A breakdown of the flags being set:
} }
#+end_src #+end_src
**** Global options
#+begin_src nix :tangle modules/nixos/common/globals.nix
{ lib, options, ... }:
let
inherit (lib)
mkOption
types
;
in
{
options = {
globals = mkOption {
default = { };
type = types.submodule {
options = {
root = {
hashedPassword = mkOption {
type = types.str;
description = "My root user's password hash.";
};
};
myuser = {
name = mkOption {
type = types.str;
description = "My unix username.";
};
hashedPassword = mkOption {
type = types.str;
description = "My unix password hash.";
};
};
services = mkOption {
type = types.attrsOf (
types.submodule {
options = {
domain = mkOption {
type = types.str;
description = "The domain under which this service can be reached";
};
};
}
);
};
domains = {
me = mkOption {
type = types.str;
description = "My main domain.";
};
personal = mkOption {
type = types.str;
description = "My personal domain.";
};
};
macs = mkOption {
default = { };
type = types.attrsOf types.str;
description = "Known MAC addresses for external devices.";
};
};
};
};
_globalsDefs = mkOption {
type = types.unspecified;
default = options.globals.definitions;
readOnly = true;
internal = true;
};
};
}
#+end_src
**** System Packages **** System Packages
:PROPERTIES: :PROPERTIES:
:CUSTOM_ID: h:0e7e8bea-ec58-499c-9731-09dddfc39532 :CUSTOM_ID: h:0e7e8bea-ec58-499c-9731-09dddfc39532
@ -7910,7 +8021,7 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
let let
serviceName = "kavita"; serviceName = "kavita";
serviceUser = "kavita"; serviceUser = "kavita";
serviceDomain = "scroll.swarsel.win"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
servicePort = 8080; servicePort = 8080;
in in
{ {
@ -7933,6 +8044,7 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
info = "https://${serviceDomain}"; info = "https://${serviceDomain}";
icon = "${self}/topology/images/kavita.png"; icon = "${self}/topology/images/kavita.png";
}; };
globals.services.${serviceName}.domain = serviceDomain;
services.kavita = { services.kavita = {
enable = true; enable = true;
@ -8002,7 +8114,8 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
]; ];
}; };
topology.self.services.jellyfin.info = "https://${serviceDomain}"; topology.self.services.${serviceName}.info = "https://${serviceDomain}";
globals.services.${serviceName}.domain = serviceDomain;
services.jellyfin = { services.jellyfin = {
enable = true; enable = true;
@ -8085,6 +8198,8 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
networking.firewall.allowedTCPPorts = [ 4040 ]; networking.firewall.allowedTCPPorts = [ 4040 ];
globals.services.${serviceName}.domain = serviceDomain;
services.navidrome = { services.navidrome = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
@ -8444,6 +8559,8 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
}; };
}; };
globals.services.${serviceName}.domain = matrixDomain;
services = { services = {
postgresql = { postgresql = {
enable = true; enable = true;
@ -8728,6 +8845,9 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
}; };
}; };
globals.services.${serviceName}.domain = serviceDomain;
services = { services = {
nextcloud = { nextcloud = {
enable = true; enable = true;
@ -8785,7 +8905,7 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
:END: :END:
#+begin_src nix :tangle modules/nixos/server/immich.nix #+begin_src nix :tangle modules/nixos/server/immich.nix
{ lib, config, ... }: { lib, config, globals, ... }:
let let
serviceDomain = "shots.swarsel.win"; serviceDomain = "shots.swarsel.win";
servicePort = 3001; servicePort = 3001;
@ -8800,7 +8920,8 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
extraGroups = [ "video" "render" "users" ]; extraGroups = [ "video" "render" "users" ];
}; };
topology.self.services.immich.info = "https://${serviceDomain}"; topology.self.services.${serviceName}.info = "https://${serviceDomain}";
globals.services.${serviceName}.domain = serviceDomain;
services.immich = { services.immich = {
enable = true; enable = true;
@ -8891,6 +9012,8 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml=
networking.firewall.allowedTCPPorts = [ servicePort ]; networking.firewall.allowedTCPPorts = [ servicePort ];
globals.services.${serviceName}.domain = serviceDomain;
services = { services = {
paperless = { paperless = {
enable = true; enable = true;
@ -9085,6 +9208,8 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml=
prowlarr.info = "https://${serviceDomain}/prowlarr"; prowlarr.info = "https://${serviceDomain}/prowlarr";
}; };
globals.services.transmission.domain = serviceDomain;
services = { services = {
radarr = { radarr = {
enable = true; enable = true;
@ -9206,6 +9331,8 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml=
networking.firewall.allowedTCPPorts = [ servicePort ]; networking.firewall.allowedTCPPorts = [ servicePort ];
globals.services.${serviceName}.domain = serviceDomain;
services.syncthing = { services.syncthing = {
enable = true; enable = true;
user = serviceUser; user = serviceUser;
@ -9420,6 +9547,7 @@ This section exposes several metrics that I use to check the health of my server
networking.firewall.allowedTCPPorts = [ servicePort prometheusPort ]; networking.firewall.allowedTCPPorts = [ servicePort prometheusPort ];
topology.self.services.prometheus.info = "https://${serviceDomain}/${prometheusWebRoot}"; topology.self.services.prometheus.info = "https://${serviceDomain}/${prometheusWebRoot}";
globals.services.${moduleName}.domain = serviceDomain;
services = { services = {
grafana = { grafana = {
@ -9746,12 +9874,14 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with
# }; # };
}; };
topology.self.services.freshrss = { topology.self.services.${serviceName} = {
name = "FreshRSS"; name = "FreshRSS";
info = "https://${serviceDomain}"; info = "https://${serviceDomain}";
icon = "${self}/topology/images/freshrss.png"; icon = "${self}/topology/images/freshrss.png";
}; };
globals.services.${serviceName}.domain = serviceDomain;
services.freshrss = { services.freshrss = {
enable = true; enable = true;
virtualHost = serviceDomain; virtualHost = serviceDomain;
@ -9829,6 +9959,8 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with
kanidm-forgejo-client = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; kanidm-forgejo-client = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
}; };
globals.services.${serviceName}.domain = serviceDomain;
services.forgejo = { services.forgejo = {
enable = true; enable = true;
user = serviceUser; user = serviceUser;
@ -9976,11 +10108,13 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with
sops.secrets.swarsel = { owner = "root"; }; sops.secrets.swarsel = { owner = "root"; };
topology.self.services.anki = { topology.self.services.${serviceName} = {
name = lib.mkForce "Anki Sync Server"; name = lib.mkForce "Anki Sync Server";
info = "https://${serviceDomain}"; info = "https://${serviceDomain}";
}; };
globals.services.${serviceName}.domain = serviceDomain;
services.anki-sync-server = { services.anki-sync-server = {
enable = true; enable = true;
port = servicePort; port = servicePort;
@ -10036,7 +10170,7 @@ A stupid (but simple) way to get the =originUrl= is to simply set any URL there
To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clientID>/.well-known/oauth-authorization-server, e.g. https://sso.swarsel.win/oauth2/openid/nextcloud/.well-known/oauth-authorization-server, with clienID being the client name as specified in kanidm. To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clientID>/.well-known/oauth-authorization-server, e.g. https://sso.swarsel.win/oauth2/openid/nextcloud/.well-known/oauth-authorization-server, with clienID being the client name as specified in kanidm.
#+begin_src nix :tangle modules/nixos/server/kanidm.nix #+begin_src nix :tangle modules/nixos/server/kanidm.nix
{ self, lib, pkgs, config, ... }: { self, lib, pkgs, config, globals, ... }:
let let
certsSopsFile = self + /secrets/certs/secrets.yaml; certsSopsFile = self + /secrets/certs/secrets.yaml;
serviceDomain = "sso.swarsel.win"; serviceDomain = "sso.swarsel.win";
@ -10044,7 +10178,7 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
serviceUser = "kanidm"; serviceUser = "kanidm";
serviceGroup = serviceUser; serviceGroup = serviceUser;
serviceName = "kanidm"; serviceName = "kanidm";
oauth2ProxyDomain = "soauth.swarsel.win"; oauth2ProxyDomain = globals.services.oauth2Proxy.domain;
in in
{ {
options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server"; options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
@ -10075,6 +10209,8 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
networking.firewall.allowedTCPPorts = [ servicePort ]; networking.firewall.allowedTCPPorts = [ servicePort ];
globals.services.${serviceName}.domain = serviceDomain;
services = { services = {
kanidm = { kanidm = {
package = pkgs.kanidmWithSecretProvisioning; package = pkgs.kanidmWithSecretProvisioning;
@ -10289,9 +10425,9 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
#+begin_src nix :tangle modules/nixos/server/oauth2-proxy.nix #+begin_src nix :tangle modules/nixos/server/oauth2-proxy.nix
{ lib, config, ... }: { lib, config, globals, ... }:
let let
kanidmDomain = "sso.swarsel.win"; kanidmDomain = globals.services.kanidm.domain;
oauth2ProxyDomain = "soauth.swarsel.win"; oauth2ProxyDomain = "soauth.swarsel.win";
oauth2ProxyPort = 3004; oauth2ProxyPort = 3004;
in in
@ -10428,6 +10564,8 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
networking.firewall.allowedTCPPorts = [ oauth2ProxyPort ]; networking.firewall.allowedTCPPorts = [ oauth2ProxyPort ];
globals.services.oauth2Proxy.domain = oauth2ProxyDomain;
services = { services = {
oauth2-proxy = { oauth2-proxy = {
enable = true; enable = true;
@ -10515,7 +10653,7 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
{ self, lib, config, ... }: { self, lib, config, ... }:
let let
cfg = config.services.firefly-iii; cfg = config.services.firefly-iii;
fireflyDomain = "stonks.swarsel.win"; serviceDomain = "stonks.swarsel.win";
fireflyUser = "firefly-iii"; fireflyUser = "firefly-iii";
serviceName = "firefly"; serviceName = "firefly";
in in
@ -10536,9 +10674,10 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
topology.self.services.firefly-iii = { topology.self.services.firefly-iii = {
name = "Firefly-III"; name = "Firefly-III";
info = "https://${fireflyDomain}"; info = "https://${serviceDomain}";
icon = "${self}/topology/images/firefly-iii.png"; icon = "${self}/topology/images/firefly-iii.png";
}; };
globals.services.${serviceName}.domain = serviceDomain;
services = { services = {
firefly-iii = { firefly-iii = {
@ -10548,7 +10687,7 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
dataDir = "/Vault/data/firefly-iii"; dataDir = "/Vault/data/firefly-iii";
settings = { settings = {
TZ = config.repo.secrets.common.location.timezone; TZ = config.repo.secrets.common.location.timezone;
APP_URL = "https://${fireflyDomain}"; APP_URL = "https://${serviceDomain}";
APP_KEY_FILE = config.sops.secrets.firefly-iii-app-key.path; APP_KEY_FILE = config.sops.secrets.firefly-iii-app-key.path;
APP_ENV = "local"; APP_ENV = "local";
DB_CONNECTION = "sqlite"; DB_CONNECTION = "sqlite";
@ -10559,12 +10698,12 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
# AUTHENTICATION_GUARD_EMAIL = "X-Email"; # AUTHENTICATION_GUARD_EMAIL = "X-Email";
}; };
enableNginx = true; enableNginx = true;
virtualHost = fireflyDomain; virtualHost = serviceDomain;
}; };
nginx = { nginx = {
virtualHosts = { virtualHosts = {
"${fireflyDomain}" = { "${serviceDomain}" = {
locations = { locations = {
"/api" = { "/api" = {
setOauth2Headers = false; setOauth2Headers = false;
@ -10589,7 +10728,7 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
}; };
}; };
virtualHosts = { virtualHosts = {
"${fireflyDomain}" = { "${serviceDomain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
acmeRoot = null; acmeRoot = null;
@ -10645,6 +10784,7 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
info = "https://${serviceDomain}"; info = "https://${serviceDomain}";
icon = "${self}/topology/images/koillection.png"; icon = "${self}/topology/images/koillection.png";
}; };
globals.services.${serviceName}.domain = serviceDomain;
virtualisation.oci-containers.containers = { virtualisation.oci-containers.containers = {
koillection = { koillection = {
@ -10757,7 +10897,8 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server"; options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" { config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
topology.self.services.atuin.info = "https://${serviceDomain}"; topology.self.services.${serviceName}.info = "https://${serviceDomain}";
globals.services.${serviceName}.domain = serviceDomain;
services.atuin = { services.atuin = {
enable = true; enable = true;
@ -10834,7 +10975,8 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
}; };
}; };
topology.self.services.radicale.info = "https://${serviceDomain}"; topology.self.services.${serviceName}.info = "https://${serviceDomain}";
globals.services.${serviceName}.domain = serviceDomain;
services.radicale = { services.radicale = {
enable = true; enable = true;
@ -10950,7 +11092,8 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
}; };
}; };
topology.self.services.croc.info = "https://${serviceDomain}"; topology.self.services.${serviceName}.info = "https://${serviceDomain}";
globals.services.${serviceName}.domain = serviceDomain;
services.croc = { services.croc = {
enable = true; enable = true;
@ -11029,7 +11172,8 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
}; };
}; };
topology.self.services."${serviceName}".info = "https://${serviceDomain}"; topology.self.services.${serviceName}.info = "https://${serviceDomain}";
globals.services.${serviceName}.domain = serviceDomain;
services."${serviceName}" = { services."${serviceName}" = {
enable = true; enable = true;
@ -11167,6 +11311,9 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
{ directory = "/var/lib/containers"; } { directory = "/var/lib/containers"; }
]; ];
topology.self.services.${serviceName}.info = "https://${serviceDomain}";
globals.services.${serviceName}.domain = serviceDomain;
services.nginx = { services.nginx = {
upstreams = { upstreams = {
"${serviceName}" = { "${serviceName}" = {

50
flake.lock generated
View file

@ -270,6 +270,24 @@
} }
}, },
"flake-parts": { "flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1749398372,
"narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
"lanzaboote", "lanzaboote",
@ -290,9 +308,9 @@
"type": "github" "type": "github"
} }
}, },
"flake-parts_2": { "flake-parts_3": {
"inputs": { "inputs": {
"nixpkgs-lib": "nixpkgs-lib" "nixpkgs-lib": "nixpkgs-lib_2"
}, },
"locked": { "locked": {
"lastModified": 1719994518, "lastModified": 1719994518,
@ -307,7 +325,7 @@
"type": "indirect" "type": "indirect"
} }
}, },
"flake-parts_3": { "flake-parts_4": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
"nur", "nur",
@ -328,7 +346,7 @@
"type": "github" "type": "github"
} }
}, },
"flake-parts_4": { "flake-parts_5": {
"inputs": { "inputs": {
"nixpkgs-lib": [ "nixpkgs-lib": [
"stylix", "stylix",
@ -649,7 +667,7 @@
"inputs": { "inputs": {
"crane": "crane", "crane": "crane",
"flake-compat": "flake-compat_2", "flake-compat": "flake-compat_2",
"flake-parts": "flake-parts", "flake-parts": "flake-parts_2",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"pre-commit-hooks-nix": "pre-commit-hooks-nix", "pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay" "rust-overlay": "rust-overlay"
@ -973,6 +991,21 @@
} }
}, },
"nixpkgs-lib": { "nixpkgs-lib": {
"locked": {
"lastModified": 1748740939,
"narHash": "sha256-rQaysilft1aVMwF14xIdGS3sj1yHlI6oKQNBRTF40cc=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "656a64127e9d791a334452c6b6606d17539476e2",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixpkgs-lib_2": {
"locked": { "locked": {
"lastModified": 1719876945, "lastModified": 1719876945,
"narHash": "sha256-Fm2rDDs86sHy0/1jxTOKB1118Q0O3Uc7EC0iXvXKpbI=", "narHash": "sha256-Fm2rDDs86sHy0/1jxTOKB1118Q0O3Uc7EC0iXvXKpbI=",
@ -1247,7 +1280,7 @@
}, },
"nswitch-rcm-nix": { "nswitch-rcm-nix": {
"inputs": { "inputs": {
"flake-parts": "flake-parts_2", "flake-parts": "flake-parts_3",
"nixpkgs": "nixpkgs_6" "nixpkgs": "nixpkgs_6"
}, },
"locked": { "locked": {
@ -1266,7 +1299,7 @@
}, },
"nur": { "nur": {
"inputs": { "inputs": {
"flake-parts": "flake-parts_3", "flake-parts": "flake-parts_4",
"nixpkgs": "nixpkgs_7", "nixpkgs": "nixpkgs_7",
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
}, },
@ -1389,6 +1422,7 @@
"inputs": { "inputs": {
"disko": "disko", "disko": "disko",
"emacs-overlay": "emacs-overlay", "emacs-overlay": "emacs-overlay",
"flake-parts": "flake-parts",
"fw-fanctrl": "fw-fanctrl", "fw-fanctrl": "fw-fanctrl",
"home-manager": "home-manager", "home-manager": "home-manager",
"impermanence": "impermanence", "impermanence": "impermanence",
@ -1501,7 +1535,7 @@
"base16-vim": "base16-vim", "base16-vim": "base16-vim",
"firefox-gnome-theme": "firefox-gnome-theme", "firefox-gnome-theme": "firefox-gnome-theme",
"flake-compat": "flake-compat_6", "flake-compat": "flake-compat_6",
"flake-parts": "flake-parts_4", "flake-parts": "flake-parts_5",
"git-hooks": "git-hooks", "git-hooks": "git-hooks",
"gnome-shell": "gnome-shell", "gnome-shell": "gnome-shell",
"home-manager": "home-manager_3", "home-manager": "home-manager_3",

138
flake.nix
View file

@ -83,6 +83,7 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
nix-topology.url = "github:oddlama/nix-topology"; nix-topology.url = "github:oddlama/nix-topology";
flake-parts.url = "github:hercules-ci/flake-parts";
}; };
outputs = outputs =
inputs@{ self inputs@{ self
@ -96,6 +97,103 @@
inherit (self) outputs; inherit (self) outputs;
lib = (nixpkgs.lib // home-manager.lib).extend (_: _: { swarselsystems = import ./lib { inherit self lib inputs outputs systems; }; }); lib = (nixpkgs.lib // home-manager.lib).extend (_: _: { swarselsystems = import ./lib { inherit self lib inputs outputs systems; }; });
in
inputs.flake-parts.lib.mkFlake { inherit inputs; } {
imports = [
./nix/globals.nix
];
flake = { config, ... }:
let
inherit (self) outputs;
lib = (nixpkgs.lib // home-manager.lib).extend (_: _: { swarselsystems = import ./lib { inherit self lib inputs outputs systems; }; });
linuxUser = "swarsel";
macUser = "leon.schwarzaeugl";
mkFullHost = host: type: {
${host} =
let
systemFunc = if (type == "nixos") then lib.nixosSystem else inputs.nix-darwin.lib.darwinSystem;
in
systemFunc {
specialArgs = { inherit inputs outputs lib self; inherit (config) globals; };
modules = [
{
node.name = host;
node.secretsDir = ./hosts/${type}/${host}/secrets;
}
# put inports here that are for all hosts
inputs.disko.nixosModules.disko
inputs.sops-nix.nixosModules.sops
inputs.impermanence.nixosModules.impermanence
inputs.lanzaboote.nixosModules.lanzaboote
inputs.fw-fanctrl.nixosModules.default
"${self}/hosts/${type}/${host}"
{
_module.args.primaryUser = linuxUser;
}
] ++
(if (host == "iso") then [
inputs.nix-topology.nixosModules.default
] else
([
# put nixos imports here that are for all servers and normal hosts
inputs.nix-topology.nixosModules.default
"${self}/modules/${type}/common"
inputs.stylix.nixosModules.stylix
inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm
] ++ (if (type == "nixos") then [
inputs.home-manager.nixosModules.home-manager
"${self}/profiles/nixos"
"${self}/modules/nixos/server"
"${self}/modules/nixos/optional"
{
home-manager.users."${linuxUser}".imports = [
# put home-manager imports here that are for all normal hosts
"${self}/modules/home/common"
"${self}/modules/home/server"
"${self}/modules/home/optional"
"${self}/profiles/home"
];
}
] else [
# put nixos imports here that are for darwin hosts
"${self}/modules/darwin/nixos/common"
"${self}/profiles/darwin"
inputs.home-manager.darwinModules.home-manager
{
home-manager.users."${macUser}".imports = [
# put home-manager imports here that are for darwin hosts
"${self}/modules/darwin/home"
"${self}/modules/home/server"
"${self}/modules/home/optional"
"${self}/profiles/home"
];
}
])
));
};
};
mkHalfHost = host: type: pkgs: {
${host} =
let
systemFunc = if (type == "home") then inputs.home-manager.lib.homeManagerConfiguration else inputs.nix-on-droid.lib.nixOnDroidConfiguration;
in
systemFunc
{
inherit pkgs;
extraSpecialArgs = { inherit inputs outputs lib self; };
modules = [ "${self}/hosts/${type}/${host}" ];
};
};
mkFullHostConfigs = hosts: type: lib.foldl (acc: set: acc // set) { } (lib.map (host: mkFullHost host type) hosts);
mkHalfHostConfigs = hosts: type: pkgs: lib.foldl (acc: set: acc // set) { } (lib.map (host: mkHalfHost host type pkgs) hosts);
in in
{ {
inherit lib; inherit lib;
@ -168,36 +266,12 @@
diskoConfigurations.default = import .templates/hosts/nixos/disk-config.nix; diskoConfigurations.default = import .templates/hosts/nixos/disk-config.nix;
nixosConfigurations = nixosConfigurations = mkFullHostConfigs (lib.swarselsystems.readHosts "nixos") "nixos";
lib.swarselsystems.mkFullHostConfigs (lib.swarselsystems.readHosts "nixos") "nixos"; homeConfigurations = mkHalfHostConfigs (lib.swarselsystems.readHosts "home") "home" lib.swarselsystems.pkgsFor.x86_64-linux;
homeConfigurations = darwinConfigurations = mkFullHostConfigs (lib.swarselsystems.readHosts "darwin") "darwin";
nixOnDroidConfigurations = mkHalfHostConfigs (lib.swarselsystems.readHosts "android") "android" lib.swarselsystems.pkgsFor.aarch64-linux;
# "swarsel@home-manager" = inputs.home-manager.lib.homeManagerConfiguration { topology = lib.swarselsystems.forEachSystem (pkgs: import inputs.nix-topology {
# pkgs = lib.swarselsystems.pkgsFor.x86_64-linux;
# extraSpecialArgs = { inherit inputs outputs; };
# modules = homeModules ++ mixedModules ++ [
# ./hosts/home-manager
# ];
# };
lib.swarselsystems.mkHalfHostConfigs (lib.swarselsystems.readHosts "home") "home" lib.swarselsystems.pkgsFor.x86_64-linux;
darwinConfigurations =
lib.swarselsystems.mkFullHostConfigs (lib.swarselsystems.readHosts "darwin") "darwin";
nixOnDroidConfigurations =
# magicant = inputs.nix-on-droid.lib.nixOnDroidConfiguration {
# pkgs = lib.swarselsystems.pkgsFor.aarch64-linux;
# modules = [
# ./hosts/magicant
# ];
# };
lib.swarselsystems.mkHalfHostConfigs (lib.swarselsystems.readHosts "android") "android" lib.swarselsystems.pkgsFor.aarch64-linux;
topology =
lib.swarselsystems.forEachSystem (pkgs: import inputs.nix-topology {
inherit pkgs; inherit pkgs;
modules = [ modules = [
"${self}/topology" "${self}/topology"
@ -205,5 +279,11 @@
]; ];
}); });
nodes = config.nixosConfigurations;
};
systems = [
"x86_64-linux"
"aarch64-linux"
];
}; };
} }

3
hosts/nixos/iso/default.nix
View file

@ -13,6 +13,9 @@ in
"${self}/modules/nixos/common/topology.nix" "${self}/modules/nixos/common/topology.nix"
"${self}/modules/home/common/sharedsetup.nix" "${self}/modules/home/common/sharedsetup.nix"
"${self}/modules/nixos/common/globals.nix"
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
{ {
home-manager.users."${primaryUser}".imports = [ home-manager.users."${primaryUser}".imports = [

88
lib/default.nix
View file

@ -1,8 +1,4 @@
{ self, lib, systems, inputs, outputs, ... }: { self, lib, systems, inputs, ... }:
let
linuxUser = "swarsel";
macUser = "leon.schwarzaeugl";
in
{ {
mkIfElseList = p: yes: no: lib.mkMerge [ mkIfElseList = p: yes: no: lib.mkMerge [
@ -47,88 +43,6 @@ in
forEachSystem = f: lib.genAttrs (import systems) (system: f lib.swarselsystems.pkgsFor.${system}); forEachSystem = f: lib.genAttrs (import systems) (system: f lib.swarselsystems.pkgsFor.${system});
mkFullHost = host: type: {
${host} =
let
systemFunc = if (type == "nixos") then lib.nixosSystem else inputs.nix-darwin.lib.darwinSystem;
in
systemFunc {
specialArgs = { inherit inputs outputs lib self; };
modules = [
{
node.name = host;
node.secretsDir = ../hosts/${type}/${host}/secrets;
}
# put inports here that are for all hosts
inputs.disko.nixosModules.disko
inputs.sops-nix.nixosModules.sops
inputs.impermanence.nixosModules.impermanence
inputs.lanzaboote.nixosModules.lanzaboote
inputs.fw-fanctrl.nixosModules.default
"${self}/hosts/${type}/${host}"
{
_module.args.primaryUser = linuxUser;
}
] ++
(if (host == "iso") then [
inputs.nix-topology.nixosModules.default
] else
([
# put nixos imports here that are for all servers and normal hosts
inputs.nix-topology.nixosModules.default
"${self}/modules/${type}/common"
inputs.stylix.nixosModules.stylix
inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm
] ++ (if (type == "nixos") then [
inputs.home-manager.nixosModules.home-manager
"${self}/profiles/nixos"
"${self}/modules/nixos/server"
"${self}/modules/nixos/optional"
{
home-manager.users."${linuxUser}".imports = [
# put home-manager imports here that are for all normal hosts
"${self}/modules/home/common"
"${self}/modules/home/server"
"${self}/modules/home/optional"
"${self}/profiles/home"
];
}
] else [
# put nixos imports here that are for darwin hosts
"${self}/modules/darwin/nixos/common"
"${self}/profiles/darwin"
inputs.home-manager.darwinModules.home-manager
{
home-manager.users."${macUser}".imports = [
# put home-manager imports here that are for darwin hosts
"${self}/modules/darwin/home"
"${self}/modules/home/server"
"${self}/modules/home/optional"
"${self}/profiles/home"
];
}
])
));
};
};
mkHalfHost = host: type: pkgs: {
${host} =
let
systemFunc = if (type == "home") then inputs.home-manager.lib.homeManagerConfiguration else inputs.nix-on-droid.lib.nixOnDroidConfiguration;
in
systemFunc
{
inherit pkgs;
extraSpecialArgs = { inherit inputs outputs lib self; };
modules = [ "${self}/hosts/${type}/${host}" ];
};
};
mkFullHostConfigs = hosts: type: lib.foldl (acc: set: acc // set) { } (lib.map (host: lib.swarselsystems.mkFullHost host type) hosts);
mkHalfHostConfigs = hosts: type: pkgs: lib.foldl (acc: set: acc // set) { } (lib.map (host: lib.swarselsystems.mkHalfHost host type pkgs) hosts);
readHosts = type: lib.attrNames (builtins.readDir "${self}/hosts/${type}"); readHosts = type: lib.attrNames (builtins.readDir "${self}/hosts/${type}");
readNix = type: lib.filter (name: name != "default.nix") (lib.attrNames (builtins.readDir "${self}/${type}")); readNix = type: lib.filter (name: name != "default.nix") (lib.attrNames (builtins.readDir "${self}/${type}"));

75
modules/nixos/common/globals.nix Normal file
View file

@ -0,0 +1,75 @@
{ lib, options, ... }:
let
inherit (lib)
mkOption
types
;
in
{
options = {
globals = mkOption {
default = { };
type = types.submodule {
options = {
root = {
hashedPassword = mkOption {
type = types.str;
description = "My root user's password hash.";
};
};
myuser = {
name = mkOption {
type = types.str;
description = "My unix username.";
};
hashedPassword = mkOption {
type = types.str;
description = "My unix password hash.";
};
};
services = mkOption {
type = types.attrsOf (
types.submodule {
options = {
domain = mkOption {
type = types.str;
description = "The domain under which this service can be reached";
};
};
}
);
};
domains = {
me = mkOption {
type = types.str;
description = "My main domain.";
};
personal = mkOption {
type = types.str;
description = "My personal domain.";
};
};
macs = mkOption {
default = { };
type = types.attrsOf types.str;
description = "Known MAC addresses for external devices.";
};
};
};
};
_globalsDefs = mkOption {
type = types.unspecified;
default = options.globals.definitions;
readOnly = true;
internal = true;
};
};
}

32
modules/nixos/common/sharedsetup.nix
View file

@ -24,37 +24,5 @@
isImpermanence = lib.mkEnableOption "use impermanence on this system"; isImpermanence = lib.mkEnableOption "use impermanence on this system";
isSecureBoot = lib.mkEnableOption "use secure boot on this system"; isSecureBoot = lib.mkEnableOption "use secure boot on this system";
}; };
globals = lib.mkOption {
default = { };
type = lib.types.submodule {
options = {
services = lib.mkOption {
type = lib.types.attrsOf (
lib.types.submodule {
options = {
domain = lib.mkOption {
type = lib.types.str;
description = "Domain that the service runs under";
};
};
}
);
};
domains = {
main = lib.mkOption {
type = lib.types.str;
description = "My main domain.";
};
};
};
};
};
# _globalsDefs = lib.mkOption {
# type = lib.types.unspecified;
# default = options.globals.definitions;
# readOnly = true;
# internal = true;
# };
}; };
} }

4
modules/nixos/server/ankisync.nix
View file

@ -12,11 +12,13 @@ in
sops.secrets.swarsel = { owner = "root"; }; sops.secrets.swarsel = { owner = "root"; };
topology.self.services.anki = { topology.self.services.${serviceName} = {
name = lib.mkForce "Anki Sync Server"; name = lib.mkForce "Anki Sync Server";
info = "https://${serviceDomain}"; info = "https://${serviceDomain}";
}; };
globals.services.${serviceName}.domain = serviceDomain;
services.anki-sync-server = { services.anki-sync-server = {
enable = true; enable = true;
port = servicePort; port = servicePort;

3
modules/nixos/server/atuin.nix
View file

@ -8,7 +8,8 @@ in
options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server"; options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" { config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
topology.self.services.atuin.info = "https://${serviceDomain}"; topology.self.services.${serviceName}.info = "https://${serviceDomain}";
globals.services.${serviceName}.domain = serviceDomain;
services.atuin = { services.atuin = {
enable = true; enable = true;

3
modules/nixos/server/croc.nix
View file

@ -30,7 +30,8 @@ in
}; };
}; };
topology.self.services.croc.info = "https://${serviceDomain}"; topology.self.services.${serviceName}.info = "https://${serviceDomain}";
globals.services.${serviceName}.domain = serviceDomain;
services.croc = { services.croc = {
enable = true; enable = true;

13
modules/nixos/server/firefly-iii.nix
View file

@ -1,7 +1,7 @@
{ self, lib, config, ... }: { self, lib, config, ... }:
let let
cfg = config.services.firefly-iii; cfg = config.services.firefly-iii;
fireflyDomain = "stonks.swarsel.win"; serviceDomain = "stonks.swarsel.win";
fireflyUser = "firefly-iii"; fireflyUser = "firefly-iii";
serviceName = "firefly"; serviceName = "firefly";
in in
@ -22,9 +22,10 @@ in
topology.self.services.firefly-iii = { topology.self.services.firefly-iii = {
name = "Firefly-III"; name = "Firefly-III";
info = "https://${fireflyDomain}"; info = "https://${serviceDomain}";
icon = "${self}/topology/images/firefly-iii.png"; icon = "${self}/topology/images/firefly-iii.png";
}; };
globals.services.${serviceName}.domain = serviceDomain;
services = { services = {
firefly-iii = { firefly-iii = {
@ -34,7 +35,7 @@ in
dataDir = "/Vault/data/firefly-iii"; dataDir = "/Vault/data/firefly-iii";
settings = { settings = {
TZ = config.repo.secrets.common.location.timezone; TZ = config.repo.secrets.common.location.timezone;
APP_URL = "https://${fireflyDomain}"; APP_URL = "https://${serviceDomain}";
APP_KEY_FILE = config.sops.secrets.firefly-iii-app-key.path; APP_KEY_FILE = config.sops.secrets.firefly-iii-app-key.path;
APP_ENV = "local"; APP_ENV = "local";
DB_CONNECTION = "sqlite"; DB_CONNECTION = "sqlite";
@ -45,12 +46,12 @@ in
# AUTHENTICATION_GUARD_EMAIL = "X-Email"; # AUTHENTICATION_GUARD_EMAIL = "X-Email";
}; };
enableNginx = true; enableNginx = true;
virtualHost = fireflyDomain; virtualHost = serviceDomain;
}; };
nginx = { nginx = {
virtualHosts = { virtualHosts = {
"${fireflyDomain}" = { "${serviceDomain}" = {
locations = { locations = {
"/api" = { "/api" = {
setOauth2Headers = false; setOauth2Headers = false;
@ -75,7 +76,7 @@ in
}; };
}; };
virtualHosts = { virtualHosts = {
"${fireflyDomain}" = { "${serviceDomain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
acmeRoot = null; acmeRoot = null;

2
modules/nixos/server/forgejo.nix
View file

@ -23,6 +23,8 @@ in
kanidm-forgejo-client = { owner = serviceUser; group = serviceGroup; mode = "0440"; }; kanidm-forgejo-client = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
}; };
globals.services.${serviceName}.domain = serviceDomain;
services.forgejo = { services.forgejo = {
enable = true; enable = true;
user = serviceUser; user = serviceUser;

4
modules/nixos/server/freshrss.nix
View file

@ -44,12 +44,14 @@ in
# }; # };
}; };
topology.self.services.freshrss = { topology.self.services.${serviceName} = {
name = "FreshRSS"; name = "FreshRSS";
info = "https://${serviceDomain}"; info = "https://${serviceDomain}";
icon = "${self}/topology/images/freshrss.png"; icon = "${self}/topology/images/freshrss.png";
}; };
globals.services.${serviceName}.domain = serviceDomain;
services.freshrss = { services.freshrss = {
enable = true; enable = true;
virtualHost = serviceDomain; virtualHost = serviceDomain;

5
modules/nixos/server/immich.nix
View file

@ -1,4 +1,4 @@
{ lib, config, ... }: { lib, config, globals, ... }:
let let
serviceDomain = "shots.swarsel.win"; serviceDomain = "shots.swarsel.win";
servicePort = 3001; servicePort = 3001;
@ -13,7 +13,8 @@ in
extraGroups = [ "video" "render" "users" ]; extraGroups = [ "video" "render" "users" ];
}; };
topology.self.services.immich.info = "https://${serviceDomain}"; topology.self.services.${serviceName}.info = "https://${serviceDomain}";
globals.services.${serviceName}.domain = serviceDomain;
services.immich = { services.immich = {
enable = true; enable = true;

3
modules/nixos/server/jellyfin.nix
View file

@ -24,7 +24,8 @@ in
]; ];
}; };
topology.self.services.jellyfin.info = "https://${serviceDomain}"; topology.self.services.${serviceName}.info = "https://${serviceDomain}";
globals.services.${serviceName}.domain = serviceDomain;
services.jellyfin = { services.jellyfin = {
enable = true; enable = true;

6
modules/nixos/server/kanidm.nix
View file

@ -1,4 +1,4 @@
{ self, lib, pkgs, config, ... }: { self, lib, pkgs, config, globals, ... }:
let let
certsSopsFile = self + /secrets/certs/secrets.yaml; certsSopsFile = self + /secrets/certs/secrets.yaml;
serviceDomain = "sso.swarsel.win"; serviceDomain = "sso.swarsel.win";
@ -6,7 +6,7 @@ let
serviceUser = "kanidm"; serviceUser = "kanidm";
serviceGroup = serviceUser; serviceGroup = serviceUser;
serviceName = "kanidm"; serviceName = "kanidm";
oauth2ProxyDomain = "soauth.swarsel.win"; oauth2ProxyDomain = globals.services.oauth2Proxy.domain;
in in
{ {
options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server"; options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
@ -37,6 +37,8 @@ in
networking.firewall.allowedTCPPorts = [ servicePort ]; networking.firewall.allowedTCPPorts = [ servicePort ];
globals.services.${serviceName}.domain = serviceDomain;
services = { services = {
kanidm = { kanidm = {
package = pkgs.kanidmWithSecretProvisioning; package = pkgs.kanidmWithSecretProvisioning;

3
modules/nixos/server/kavita.nix
View file

@ -2,7 +2,7 @@
let let
serviceName = "kavita"; serviceName = "kavita";
serviceUser = "kavita"; serviceUser = "kavita";
serviceDomain = "scroll.swarsel.win"; serviceDomain = config.repo.secrets.common.services.domains.${serviceName};
servicePort = 8080; servicePort = 8080;
in in
{ {
@ -25,6 +25,7 @@ in
info = "https://${serviceDomain}"; info = "https://${serviceDomain}";
icon = "${self}/topology/images/kavita.png"; icon = "${self}/topology/images/kavita.png";
}; };
globals.services.${serviceName}.domain = serviceDomain;
services.kavita = { services.kavita = {
enable = true; enable = true;

1
modules/nixos/server/koillection.nix
View file

@ -23,6 +23,7 @@ in
info = "https://${serviceDomain}"; info = "https://${serviceDomain}";
icon = "${self}/topology/images/koillection.png"; icon = "${self}/topology/images/koillection.png";
}; };
globals.services.${serviceName}.domain = serviceDomain;
virtualisation.oci-containers.containers = { virtualisation.oci-containers.containers = {
koillection = { koillection = {

2
modules/nixos/server/matrix.nix
View file

@ -87,6 +87,8 @@ in
}; };
}; };
globals.services.${serviceName}.domain = matrixDomain;
services = { services = {
postgresql = { postgresql = {
enable = true; enable = true;

3
modules/nixos/server/microbin.nix
View file

@ -42,7 +42,8 @@ in
}; };
}; };
topology.self.services."${serviceName}".info = "https://${serviceDomain}"; topology.self.services.${serviceName}.info = "https://${serviceDomain}";
globals.services.${serviceName}.domain = serviceDomain;
services."${serviceName}" = { services."${serviceName}" = {
enable = true; enable = true;

1
modules/nixos/server/monitoring.nix
View file

@ -35,6 +35,7 @@ in
networking.firewall.allowedTCPPorts = [ servicePort prometheusPort ]; networking.firewall.allowedTCPPorts = [ servicePort prometheusPort ];
topology.self.services.prometheus.info = "https://${serviceDomain}/${prometheusWebRoot}"; topology.self.services.prometheus.info = "https://${serviceDomain}/${prometheusWebRoot}";
globals.services.${moduleName}.domain = serviceDomain;
services = { services = {
grafana = { grafana = {

2
modules/nixos/server/navidrome.nix
View file

@ -38,6 +38,8 @@ in
networking.firewall.allowedTCPPorts = [ 4040 ]; networking.firewall.allowedTCPPorts = [ 4040 ];
globals.services.${serviceName}.domain = serviceDomain;
services.navidrome = { services.navidrome = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;

3
modules/nixos/server/nextcloud.nix
View file

@ -22,6 +22,9 @@ in
}; };
}; };
globals.services.${serviceName}.domain = serviceDomain;
services = { services = {
nextcloud = { nextcloud = {
enable = true; enable = true;

6
modules/nixos/server/oauth2-proxy.nix
View file

@ -1,6 +1,6 @@
{ lib, config, ... }: { lib, config, globals, ... }:
let let
kanidmDomain = "sso.swarsel.win"; kanidmDomain = globals.services.kanidm.domain;
oauth2ProxyDomain = "soauth.swarsel.win"; oauth2ProxyDomain = "soauth.swarsel.win";
oauth2ProxyPort = 3004; oauth2ProxyPort = 3004;
in in
@ -137,6 +137,8 @@ in
networking.firewall.allowedTCPPorts = [ oauth2ProxyPort ]; networking.firewall.allowedTCPPorts = [ oauth2ProxyPort ];
globals.services.oauth2Proxy.domain = oauth2ProxyDomain;
services = { services = {
oauth2-proxy = { oauth2-proxy = {
enable = true; enable = true;

2
modules/nixos/server/paperless.nix
View file

@ -25,6 +25,8 @@ in
networking.firewall.allowedTCPPorts = [ servicePort ]; networking.firewall.allowedTCPPorts = [ servicePort ];
globals.services.${serviceName}.domain = serviceDomain;
services = { services = {
paperless = { paperless = {
enable = true; enable = true;

3
modules/nixos/server/radicale.nix
View file

@ -29,7 +29,8 @@ in
}; };
}; };
topology.self.services.radicale.info = "https://${serviceDomain}"; topology.self.services.${serviceName}.info = "https://${serviceDomain}";
globals.services.${serviceName}.domain = serviceDomain;
services.radicale = { services.radicale = {
enable = true; enable = true;

3
modules/nixos/server/shlink.nix
View file

@ -48,6 +48,9 @@ in
{ directory = "/var/lib/containers"; } { directory = "/var/lib/containers"; }
]; ];
topology.self.services.${serviceName}.info = "https://${serviceDomain}";
globals.services.${serviceName}.domain = serviceDomain;
services.nginx = { services.nginx = {
upstreams = { upstreams = {
"${serviceName}" = { "${serviceName}" = {

2
modules/nixos/server/syncthing.nix
View file

@ -21,6 +21,8 @@ in
networking.firewall.allowedTCPPorts = [ servicePort ]; networking.firewall.allowedTCPPorts = [ servicePort ];
globals.services.${serviceName}.domain = serviceDomain;
services.syncthing = { services.syncthing = {
enable = true; enable = true;
user = serviceUser; user = serviceUser;

2
modules/nixos/server/transmission.nix
View file

@ -85,6 +85,8 @@ in
prowlarr.info = "https://${serviceDomain}/prowlarr"; prowlarr.info = "https://${serviceDomain}/prowlarr";
}; };
globals.services.transmission.domain = serviceDomain;
services = { services = {
radarr = { radarr = {
enable = true; enable = true;

48
nix/globals.nix Normal file
View file

@ -0,0 +1,48 @@
{ inputs, ... }:
{
flake =
{ config
, lib
, ...
}:
{
globals =
let
globalsSystem = lib.evalModules {
prefix = [ "globals" ];
specialArgs = {
inherit lib;
inherit inputs;
inherit (config) nodes;
};
modules = [
../modules/nixos/common/globals.nix
(
{ lib, ... }:
{
globals = lib.mkMerge (
lib.concatLists (
lib.flip lib.mapAttrsToList config.nodes (
name: cfg:
builtins.addErrorContext "while aggregating globals from nixosConfigurations.${name} into flake-level globals:" cfg.config._globalsDefs
)
)
);
}
)
];
};
in
{
# Make sure the keys of this attrset are trivially evaluatable to avoid infinite recursion,
# therefore we inherit relevant attributes from the config.
inherit (globalsSystem.config.globals)
domains
services
macs
myuser
root
;
};
};
}

6
secrets/repo/pii.nix.enc
View file

@ -1,5 +1,5 @@
{ {
"data": "ENC[AES256_GCM,data:+CYlqWYF5RJ8/uzhGEG5uA638DmLc9vCMwRBiBZVFkUzb7Ja+jAZ5GVy6Sxw5SwqJsmZEdqKdGCV2TzTO1vcDBixJlwQlCQcwFDdi3W7ZokzEMdOP03vgx5qgd3kwwe0fEuBS7byragm6rt4Vg3bkBa4uwq1cnQEjKmGa69UTaG0FScKHBeFkEHLBUwIPgH0H52JRQurd8eCF1MPYKNTulpta8pDFb/OuM11zjdNfxJaoqtTN7I0PvS/RHTTuLtuNOi3vv8rJ+PeR3xj3B6mgBwWAews7MdlyfTrgOMd9BWFgnRrWBK4WcPa9gfOgEF4A1jkrh7l23lRo1xpWZFYhGEOl/zVQn6KsPwKtS8VU1e7gLi8EOSUMMkBPyAMfGu0SpRDUwISU0joVzeEvOZ5CrteB683qUYf16jWWfAx1v/7/gr2H01UGOpUsc/z4CPv5jeYzr2mBEa76wSBqSm9KjDS4uea6bHMFvLyVGDwg+ljzM+L5sAMEOoBSY2Pojb3lZuOwve6NI9R6aRRoKbuhLyHgcIH6dk1Dc9+scvrOeDMbzp2oppqLfW2uiG6mTcfvE5leJxQeeUV23LXhZsCkK2+UU5JfVj9JWLp6EBZWZdpTjOHDrMUdPBJtXvrirUu4W1s3Ny36o05d0esav4m+qEhwJEO3iDSAMRzQMFGdZhQOKgAgqCXyg3wUh47qdx54SMeyyLhQIHkz9AmeCeYmALnOxGrUrNGfnytNvPOA41qlmwD4e4yLeiwAowuWnVfw7GC5UGU9O5/B42VWN4WdsNgY6SdjBaRUaotil/UuDVISTczcwI3+NWqLtC5,iv:WmrLJN951DRaXKDVi7KHURWRRRusPisETUy+BH5U6/s=,tag:u36D+o4sA94D5W7CmjAizw==,type:str]", "data": "ENC[AES256_GCM,data:K6Exxoz4dyUuVSvS0BQOyjCQ7iuicPUJbDYhWtX350/9tOhu9XorVNmI1ezfFEmY8iAdxVy/E3QEEQcO+XjJVEVGKoX8NtAWSMUkRJT/S2MLG0nNt3kcsIhoya3S5SDiblMIA+S/yFJOmsyykgLUynYgR9QL5URdGj2utoSi9+WYvUsbxrlmcxIqk443huoq4AeZp5X+HVSIhq0rby0/Uc62ox6jz4S9CwSNTOc41xI6UNRz96xppqcAhru7NjZxomtbI9LaDBMVVRe+k5GrKCTyjqp7JCaeN19Sba/k7Uh+4VOVokNEEL0cYNIZXh8eBBxT3ogQhAfOZXfp+lWKf1bAZvVFBrXI4cSGjNUDcbYCIa1gv+rdaVMju29ZNBp+Hx9p4WjJz6zFAbC+tjmH6wBjGNz8Zeqn5Mmm755yPgdvsVAW4ZZfB49T6qOjkDnNSltoHw0n49qTVS7AmQRSQvzPERyAte3IyftQ0bIGALE27h5oB6ls7X9EXUPyNqaT1G0trnrq5D8L4C3xqYJB3KriHA7PNfpKyOVM50ryACyuF2QRHeWfBnFu78hQbMg4lWYXnVggZQdeFDaHZUeYpJCmeyehmSl88+v8f6hjV0aDPlYh8Yv7lfJokGyffMNq0ShmT2/FBPu+9iAvk/apcE8KFdlct5qtkRaOeXp2iwnHWr2bYg/JQ4D4/xePvqBfV22Qd2MarA1qW7ggVJNCbKcOSJzwbEjPGjBjkH6crfO4LD/SYmVMgSoSGojdyLc7hsAFoUtdhzfknV6vVF7h0TTIIEVIEYt0HJGIfMk3PQ4Z+4O7PSwZXxctT8d7GvuWA45QMO+Ok3pRxqNmWUxEHrJF75l+lZMnSrtjdR1r+vNPnwJxHOgn/2h0sYYvqGVVZdHapxdi+V6za0f/,iv:xXAjuNpqXRuReAH6dlunrbPgspj2/+VtCV3p+xjtOi0=,tag:m//iBHvmYmWw4vtgojbpFw==,type:str]",
"sops": { "sops": {
"age": [ "age": [
{ {
@ -27,8 +27,8 @@
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtU240VjVRZmJ5TGsrclJF\nRXRLbTRCZURtR0Z3d2E2eDNNeGRDODlXVEY4CllTeVFYbDJQWlRSS1RFLzAxSnlM\nZi9NU1c3cWo3YWRLcUJ2U2ZFWFBBVEEKLS0tIGtmZU9qSWdBT3RDeStaaFFDSWtk\ndkUzZXJwZUl4LzVxYXdidmxXRnNnclUKyAMZqCKSY/RQvTR4bbjLaPnGKwdBcHXc\nvtiVSrLdIdzMa6id/J07TJH5UesUmcp0wjU41MDa4aMBLy+cXhuBHA==\n-----END AGE ENCRYPTED FILE-----\n" "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtU240VjVRZmJ5TGsrclJF\nRXRLbTRCZURtR0Z3d2E2eDNNeGRDODlXVEY4CllTeVFYbDJQWlRSS1RFLzAxSnlM\nZi9NU1c3cWo3YWRLcUJ2U2ZFWFBBVEEKLS0tIGtmZU9qSWdBT3RDeStaaFFDSWtk\ndkUzZXJwZUl4LzVxYXdidmxXRnNnclUKyAMZqCKSY/RQvTR4bbjLaPnGKwdBcHXc\nvtiVSrLdIdzMa6id/J07TJH5UesUmcp0wjU41MDa4aMBLy+cXhuBHA==\n-----END AGE ENCRYPTED FILE-----\n"
} }
], ],
"lastmodified": "2025-06-14T20:56:55Z", "lastmodified": "2025-07-01T10:27:51Z",
"mac": "ENC[AES256_GCM,data:03b5V3zO7mmoP050rrgBaZqR7ik3eioW3PJt0dKab85zOaOXwyq22Ps7vftRV6tQ5S83dSXsAnXvYmdUQ3F3h0Z4zqHB680r1uJG24kJLik+9Pl1a8SwQFB0/yWCaXfKqCZhXIoektl83oBaoWFoCpTuOtYmdoF3rt2mVounIHM=,iv:vAzVQRgQyIMUbwWCG/r4n/QXP/67QN7B651tIzU4TpU=,tag:zcgKO/8g1VmhXHfU7XyeYA==,type:str]", "mac": "ENC[AES256_GCM,data:RyksomYlwuQTcCfmZqmxMMoanvIzu4FcJ+xlUjbBu9Kb/OU5cp8PJXdA78jY/58GOu9s3fkSD1wFewFrPTwtO8xry4Fvw8smr2wttvDS4c6nJ/9lg3Vab147JCEszqHLxghGV48tChvB2zfhpVy1LoF4y+vixMPIrlTFAw+ICzg=,iv:0LzxSmi8kCweETwQw9+UDpudZvJiTaT9UMLfmi990gQ=,tag:vl2y2f3G+Xn1fWwgkE7NfQ==,type:str]",
"pgp": [ "pgp": [
{ {
"created_at": "2025-06-13T20:13:06Z", "created_at": "2025-06-13T20:13:06Z",