{ self, lib, config, dns, globals, confLib, ... }:
let
  # Service identity (port, user/group, domain, bind/proxy addresses and the
  # proxy node) is derived from the shared confLib generator so this module
  # is wired up like every other server module.
  inherit (confLib.gen { name = "microbin"; port = 8777; })
    servicePort serviceName serviceUser serviceGroup serviceDomain
    serviceAddress serviceProxy proxyAddress4 proxyAddress6;
  inherit (config.swarselsystems) sopsFile;

  cfg = config.services.${serviceName};

  # All three microbin secrets share one spec: decrypted from sopsFile, owned
  # by the service user, readable by owner and group only (0440).
  secretNames = [
    "microbin-admin-username"
    "microbin-admin-password"
    "microbin-uploader-password"
  ];
  secretSpec = {
    inherit sopsFile;
    owner = serviceUser;
    group = serviceGroup;
    mode = "0440";
  };
in
{
  options.swarselmodules.server.${serviceName} =
    lib.mkEnableOption "enable ${serviceName} on server";

  config = lib.mkIf config.swarselmodules.server.${serviceName} {
    # Public DNS: the service subdomain points at the proxy's addresses, not
    # at this host, so clients always go through nginx.
    swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords."${globals.services.${serviceName}.subDomain}" =
      dns.lib.combinators.host proxyAddress4 proxyAddress6;

    # Fixed system user/group; the sops-rendered files below are owned by it.
    users.groups.${serviceGroup} = { };
    users.users.${serviceUser} = {
      isSystemUser = true;
      group = serviceGroup;
    };

    sops.secrets = lib.genAttrs secretNames (_: secretSpec);

    # The secrets are rendered into a single env file (placeholders are
    # substituted at activation time) that the service reads as passwordFile.
    sops.templates."microbin-env" = {
      content = ''
        MICROBIN_ADMIN_USERNAME="${config.sops.placeholder.microbin-admin-username}"
        MICROBIN_ADMIN_PASSWORD="${config.sops.placeholder.microbin-admin-password}"
        MICROBIN_UPLOADER_PASSWORD="${config.sops.placeholder.microbin-uploader-password}"
      '';
      owner = serviceUser;
      group = serviceGroup;
      mode = "0440";
    };

    topology.self.services.${serviceName} = {
      name = lib.swarselsystems.toCapitalized serviceName;
      info = "https://${serviceDomain}";
      icon = "${self}/files/topology-images/${serviceName}.png";
    };

    globals.services.${serviceName} = {
      domain = serviceDomain;
      inherit proxyAddress4 proxyAddress6;
    };

    services.${serviceName} = {
      enable = true;
      # Credentials come only from the sops template path, never from
      # `settings`, so they are not part of the evaluated configuration.
      passwordFile = config.sops.templates.microbin-env.path;
      dataDir = "/var/lib/microbin";
      settings = {
        # NOTE(review): binding to 0.0.0.0 together with the
        # allowedTCPPorts entry below exposes the plain-HTTP upstream port
        # on every interface, not only to the nginx node that terminates
        # TLS; binding to serviceAddress or narrowing the firewall rule to
        # the proxy would keep the proxy the only entry point. Left as-is
        # because it may depend on what serviceAddress resolves to.
        MICROBIN_BIND = "0.0.0.0";
        MICROBIN_PORT = servicePort;
        MICROBIN_PUBLIC_PATH = "https://${serviceDomain}";
        MICROBIN_THREADS = 1;

        # Access model (see microbin's documentation for the exact meaning
        # of each flag; not restated here).
        MICROBIN_PRIVATE = true;
        MICROBIN_READONLY = true;
        MICROBIN_ENABLE_READONLY = true;
        MICROBIN_EDITABLE = true;
        MICROBIN_NO_LISTING = false;
        MICROBIN_LIST_SERVER = false;

        # Retention.
        MICROBIN_DEFAULT_EXPIRY = "1week";
        MICROBIN_GC_DAYS = 30;
        MICROBIN_ENABLE_BURN_AFTER = true;
        MICROBIN_ETERNAL_PASTA = true;

        # Uploads: the unencrypted limit must stay in step with
        # client_max_body_size in the nginx vhost below (both 1 GiB).
        MICROBIN_NO_FILE_UPLOAD = false;
        MICROBIN_MAX_FILE_SIZE_ENCRYPTED_MB = 256;
        MICROBIN_MAX_FILE_SIZE_UNENCRYPTED_MB = 1024;

        # UI.
        MICROBIN_TITLE = "~SwarselScratch~";
        MICROBIN_HIDE_LOGO = true;
        MICROBIN_HIDE_HEADER = true;
        MICROBIN_HIDE_FOOTER = true;
        MICROBIN_HIGHLIGHTSYNTAX = true;
        MICROBIN_SHOW_READ_STATS = true;
        MICROBIN_QR = true;

        # No update checks or telemetry from the service itself.
        MICROBIN_DISABLE_UPDATE_CHECKING = true;
        MICROBIN_DISABLE_TELEMETRY = true;
      };
    };

    # DynamicUser is forced off (mkForce overrides whatever the upstream
    # module sets) so the unit runs as the fixed user that owns the
    # sops-rendered env file; the other upstream sandboxing options are not
    # touched here.
    systemd.services.${serviceName}.serviceConfig = {
      DynamicUser = lib.mkForce false;
      User = serviceUser;
      Group = serviceGroup;
    };

    # Opens the upstream port host-wide; see the MICROBIN_BIND note above.
    networking.firewall.allowedTCPPorts = [ servicePort ];

    # Keep the data directory across reboots on impermanence hosts, private
    # to the service user.
    environment.persistence."/persist".directories =
      lib.mkIf config.swarselsystems.isImpermanence [
        { directory = cfg.dataDir; user = serviceUser; group = serviceGroup; mode = "0700"; }
      ];

    # Reverse proxy on the proxy node: ACME + forced TLS in front of the
    # plain-HTTP upstream.
    nodes.${serviceProxy}.services.nginx = {
      upstreams.${serviceName}.servers."${serviceAddress}:${toString servicePort}" = { };
      virtualHosts."${serviceDomain}" = {
        enableACME = true;
        forceSSL = true;
        acmeRoot = null;
        locations."/" = {
          proxyPass = "http://${serviceName}";
          extraConfig = ''
            client_max_body_size 1G;
          '';
        };
      };
    };
  };
}