commit a63200ac47b172ec9794eb2408571af207e20e22 parent 0e24b91218d7ff21cb3fac75274526a76da6c1dd Author: mtmn <miro@haravara.org> Date: Fri, 8 May 2026 10:03:21 +0200 feat: move secrets from modules; external flakes Diffstat:
32 files changed, 249 insertions(+), 271 deletions(-)
diff --git a/flake.lock b/flake.lock @@ -24,6 +24,28 @@ "type": "github" } }, + "bandeno": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "dir": "bandeno", + "lastModified": 1778231695, + "narHash": "sha256-UmyVAeBN5AuV0DRgA4HPp82Z/QcBiApxJmxD0xV1Ye0=", + "owner": "~mtmn", + "repo": "tools", + "rev": "81051135e22e2ae489da68862e5ac81276f4f77b", + "type": "sourcehut" + }, + "original": { + "dir": "bandeno", + "owner": "~mtmn", + "repo": "tools", + "type": "sourcehut" + } + }, "corpus": { "inputs": { "elm2nix": "elm2nix", @@ -327,6 +349,7 @@ }, "root": { "inputs": { + "bandeno": "bandeno", "corpus": "corpus", "deploy-rs": "deploy-rs", "disko": "disko", @@ -334,7 +357,7 @@ "nix-index-database": "nix-index-database", "nixpkgs": "nixpkgs_3", "ragenix": "ragenix", - "tools": "tools" + "shirts": "shirts" } }, "rust-overlay": { @@ -358,6 +381,28 @@ "type": "github" } }, + "shirts": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "dir": "shirts", + "lastModified": 1778231695, + "narHash": "sha256-UmyVAeBN5AuV0DRgA4HPp82Z/QcBiApxJmxD0xV1Ye0=", + "owner": "~mtmn", + "repo": "tools", + "rev": "81051135e22e2ae489da68862e5ac81276f4f77b", + "type": "sourcehut" + }, + "original": { + "dir": "shirts", + "owner": "~mtmn", + "repo": "tools", + "type": "sourcehut" + } + }, "systems": { "locked": { "lastModified": 1681028828, @@ -418,22 +463,6 @@ "type": "github" } }, - "tools": { - "flake": false, - "locked": { - "lastModified": 1778100744, - "narHash": "sha256-WoHhMIJ7ULwuj/lbg6C3OFNnOS+FvNgZ4AxL5QwN/H4=", - "owner": "~mtmn", - "repo": "tools", - "rev": "6a80f27249491b742ac6de34e2e6823eb2b45fcc", - "type": "sourcehut" - }, - "original": { - "owner": "~mtmn", - "repo": "tools", - "type": "sourcehut" - } - }, "utils": { "inputs": { "systems": "systems_2" diff --git a/flake.nix b/flake.nix @@ -29,9 +29,14 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - tools = { - url = "sourcehut:~mtmn/tools"; - flake = false; + bandeno = { + url = "sourcehut:~mtmn/tools?dir=bandeno"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + shirts = { + url = "sourcehut:~mtmn/tools?dir=shirts"; + inputs.nixpkgs.follows = "nixpkgs"; }; corpus = { @@ -136,19 +141,22 @@ (builtins.readDir ./modules/services)) // { base = import ./modules/nixos/base.nix; + haravara = import ./lib/haravara.nix; }; deploy = { nodes = deployNodes; }; - devShells = lib.genAttrs ["x86_64-linux" "aarch64-darwin"] (system: { - default = nixpkgs.legacyPackages.${system}.mkShell { + devShells = lib.genAttrs ["x86_64-linux" "aarch64-darwin"] (system: let + pkgs = nixpkgs.legacyPackages.${system}; + in { + default = pkgs.mkShell { packages = [ home-manager.packages.${system}.home-manager - nixpkgs.legacyPackages.${system}.nh - nixpkgs.legacyPackages.${system}.nvd + pkgs.nh + pkgs.nvd ] ++ lib.optionals (system == "x86_64-linux") [ deploy-rs.packages.${system}.deploy-rs diff --git a/home.nix b/home.nix @@ -33,6 +33,7 @@ builtins.elem (lib.getName pkg) [ "obsidian" "xnviewmp" + "claude-code" ]; nix = { diff --git a/hosts/nixaran/configuration.nix b/hosts/nixaran/configuration.nix Binary files differ. diff --git a/hosts/void/default.nix b/hosts/void/default.nix @@ -169,6 +169,7 @@ codex gitingest opencode + claude-code ]; other = [ diff --git a/lib/haravara.nix b/lib/haravara.nix @@ -0,0 +1,19 @@ +{lib, ...}: { + _module.args.haravara = { + authLabelOption = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + description = "Caddy auth snippet label to import (null = no auth)"; + }; + + mkAuthImport = authLabel: + lib.optionalString (authLabel != null) "import ${ + if authLabel == "default" + then "auth" + else "auth_${authLabel}" + }"; + + stripSubdomain = domain: + lib.concatStringsSep "." (lib.drop 1 (lib.splitString "." domain)); + }; +} diff --git a/modules/mixins/dotfiles/config/newsraft/feeds b/modules/mixins/dotfiles/config/newsraft/feeds @@ -391,7 +391,6 @@ https://www.youtube.com/feeds/videos.xml?channel_id=UCAMu6Dso0ENoNm3sKpQsy0g Nir https://www.youtube.com/feeds/videos.xml?channel_id=UCyb_ckNk0RIVBz1vW8wNo2Q kimylamp https://www.youtube.com/feeds/videos.xml?channel_id=UCz-yrxeZYIYdpEZgHGvIydA Nic Barker https://www.youtube.com/feeds/videos.xml?channel_id=UCGKEMK3s-ZPbjVOIuAV8clQ CoreDumped -https://www.youtube.com/feeds/videos.xml?channel_id=UC-mTIBh__DzAqW495JHXy5A The Coding Gopher https://www.youtube.com/feeds/videos.xml?channel_id=UCqSSszY8L-Qfn4HKAllnxVg leddoo https://www.youtube.com/feeds/videos.xml?channel_id=UCSju5G2aFaWMqn-_0YBtq5A Stand-up Maths https://www.youtube.com/feeds/videos.xml?channel_id=UCaSCt8s_4nfkRglWCvNSDrg CodeAesthetic diff --git a/modules/services/bandeno.nix b/modules/services/bandeno.nix @@ -3,19 +3,12 @@ lib, pkgs, inputs, + haravara, ... }: let cfg = config.services.haravara.bandeno; - bandeno-src = pkgs.stdenv.mkDerivation { - pname = "bandeno-src"; - version = "0.0.1"; - src = "${inputs.tools}/bandeno"; - installPhase = '' - mkdir -p $out - cp -r . $out/ - ''; - }; + bandeno-src = inputs.bandeno.packages.${pkgs.system}.default; in { options.services.haravara.bandeno = { enable = lib.mkEnableOption "Bandeno - Deno application"; @@ -70,7 +63,7 @@ in { reverse_proxy 127.0.0.1:${toString cfg.port} } handle { - redir https://${lib.concatStringsSep "." (lib.drop 1 (lib.splitString "." cfg.domain))} + redir https://${haravara.stripSubdomain cfg.domain} } ''; }; diff --git a/modules/services/bazel-cache.nix b/modules/services/bazel-cache.nix @@ -2,6 +2,7 @@ config, lib, pkgs, + haravara, ... }: let cfg = config.services.haravara.bazel-cache; @@ -62,12 +63,14 @@ in { users.groups.bazel-remote = {}; services.caddy.virtualHosts."${cfg.domain}".extraConfig = '' - reverse_proxy ${cfg.listenAddress}:${toString cfg.port} + basic_auth { + ${cfg.basicAuthUser} ${cfg.basicAuthHash} + } + handle / { + redir https://${haravara.stripSubdomain cfg.domain} + } handle { - basic_auth { - ${cfg.basicAuthUser} ${cfg.basicAuthHash} - } - redir / https://${lib.concatStringsSep "." (lib.drop 1 (lib.splitString "." cfg.domain))} + reverse_proxy ${cfg.listenAddress}:${toString cfg.port} } ''; }; diff --git a/modules/services/cinny.nix b/modules/services/cinny.nix @@ -2,6 +2,7 @@ config, lib, pkgs, + haravara, ... }: let cfg = config.services.haravara.cinny; @@ -11,20 +12,12 @@ in { domain = lib.mkOption { type = lib.types.str; }; - authLabel = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - description = "The auth snippet to import"; - }; + authLabel = haravara.authLabelOption; }; config = lib.mkIf cfg.enable { services.caddy.virtualHosts."${cfg.domain}".extraConfig = '' - ${lib.optionalString (cfg.authLabel != null) "import ${ - if cfg.authLabel == "default" - then "auth" - else "auth_${cfg.authLabel}" - }"} + ${haravara.mkAuthImport cfg.authLabel} root * ${pkgs.cinny} file_server ''; diff --git a/modules/services/corpus.nix b/modules/services/corpus.nix @@ -33,16 +33,11 @@ in { secretFile = lib.mkOption { type = lib.types.path; - default = ../../secrets/corpus.age; + description = "Path to the Corpus environment file (decrypted secret)"; }; }; config = lib.mkIf cfg.enable { - age.secrets.corpus = { - file = cfg.secretFile; - owner = "corpus"; - }; - systemd.services.corpus = { description = "Corpus - listening history frontend"; wantedBy = ["multi-user.target"]; @@ -57,7 +52,7 @@ in { serviceConfig = { ExecStart = "${inputs.corpus.packages.${pkgs.stdenv.hostPlatform.system}.default}/bin/corpus-server"; - EnvironmentFile = config.age.secrets.corpus.path; + EnvironmentFile = cfg.secretFile; Restart = "always"; User = "corpus"; Group = "corpus"; diff --git a/modules/services/couchdb.nix b/modules/services/couchdb.nix @@ -1,6 +1,7 @@ { config, lib, + haravara, ... }: let cfg = config.services.haravara.couchdb; @@ -17,16 +18,10 @@ in { publicDomain = lib.mkOption { type = lib.types.str; }; - authLabel = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - description = "The auth snippet to import"; - }; + authLabel = haravara.authLabelOption; }; config = lib.mkIf cfg.enable { - age.secrets.couchdb-admin-pass.file = ../../secrets/couchdb-admin-pass.age; - services = { couchdb = { enable = true; @@ -50,11 +45,7 @@ in { caddy.virtualHosts = lib.mkIf (cfg.publicDomain != null) { "${cfg.publicDomain}".extraConfig = '' handle /_utils* { - ${lib.optionalString (cfg.authLabel != null) "import ${ - if cfg.authLabel == "default" - then "auth" - else "auth_${cfg.authLabel}" - }"} + ${haravara.mkAuthImport cfg.authLabel} reverse_proxy localhost:5984 } handle { diff --git a/modules/services/dex.nix b/modules/services/dex.nix @@ -30,11 +30,13 @@ in { type = lib.types.attrsOf lib.types.str; default = {}; }; + clientSecretFile = lib.mkOption { + type = lib.types.path; + description = "Path to the Dex OIDC client secret file"; + }; }; config = lib.mkIf cfg.enable { - age.secrets.dex-client-secret.file = ../../secrets/dex-client-secret.age; - services.dex = { enable = true; settings = @@ -55,7 +57,7 @@ in { id = "caddy-proxy"; inherit (cfg) redirectURIs; name = "Caddy Auth Proxy"; - secretFile = config.age.secrets.dex-client-secret.path; + secretFile = cfg.clientSecretFile; } ]; diff --git a/modules/services/filestash.nix b/modules/services/filestash.nix Binary files differ. diff --git a/modules/services/forgejo.nix b/modules/services/forgejo.nix @@ -2,6 +2,7 @@ config, lib, pkgs, + haravara, ... }: let cfg = config.services.haravara.forgejo; @@ -51,7 +52,7 @@ in { }; server = { DOMAIN = cfg.domain; - SSH_DOMAIN = lib.concatStringsSep "." (lib.drop 1 (lib.splitString "." cfg.domain)); + SSH_DOMAIN = haravara.stripSubdomain cfg.domain; ROOT_URL = "https://${cfg.domain}/"; HTTP_PORT = cfg.httpPort; HTTP_ADDR = "127.0.0.1"; diff --git a/modules/services/gamja.nix b/modules/services/gamja.nix @@ -2,6 +2,7 @@ config, lib, pkgs, + haravara, ... }: let cfg = config.services.haravara.gamja; @@ -16,20 +17,12 @@ in { default = null; description = "WebSocket URL of the soju bouncer (e.g. wss://bouncer.example.org)"; }; - authLabel = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - description = "The auth snippet to import"; - }; + authLabel = haravara.authLabelOption; }; config = lib.mkIf cfg.enable { services.caddy.virtualHosts."${cfg.domain}".extraConfig = '' - ${lib.optionalString (cfg.authLabel != null) "import ${ - if cfg.authLabel == "default" - then "auth" - else "auth_${cfg.authLabel}" - }"} + ${haravara.mkAuthImport cfg.authLabel} root * ${ if cfg.serverUrl != null then pkgs.gamja.override {gamjaConfig = {server.url = cfg.serverUrl;};} diff --git a/modules/services/harmonia.nix b/modules/services/harmonia.nix @@ -1,6 +1,7 @@ { config, lib, + haravara, ... }: let cfg = config.services.haravara.harmonia; @@ -11,11 +12,7 @@ in { type = lib.types.str; description = "Domain name for the Harmonia cache"; }; - authLabel = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - description = "The auth snippet to import"; - }; + authLabel = haravara.authLabelOption; signKeyPaths = lib.mkOption { type = lib.types.listOf lib.types.path; default = []; @@ -56,7 +53,7 @@ in { config = lib.mkIf cfg.enable { services.harmonia.cache = { - enable = false; + enable = true; inherit (cfg) signKeyPaths; settings = { bind = "127.0.0.1:${toString cfg.port}"; diff --git a/modules/services/headscale.nix b/modules/services/headscale.nix @@ -40,7 +40,7 @@ in { grpc_allow_insecure = true; dns = { magic_dns = true; - base_domain = "$(cfg.magicDnsDomain)"; + base_domain = "${cfg.magicDnsDomain}"; nameservers.global = [ "1.1.1.1" "8.8.8.8" diff --git a/modules/services/miniflux.nix b/modules/services/miniflux.nix @@ -10,11 +10,13 @@ in { domain = lib.mkOption { type = lib.types.str; }; + credentialsFile = lib.mkOption { + type = lib.types.path; + description = "Path to file containing Miniflux admin credentials"; + }; }; config = lib.mkIf cfg.enable { - age.secrets.miniflux-secrets.file = ../../secrets/miniflux-secrets.age; - services.miniflux = { enable = true; config = { @@ -22,7 +24,7 @@ in { RUN_MIGRATIONS = 1; CREATE_ADMIN = 0; }; - adminCredentialsFile = config.age.secrets.miniflux-secrets.path; + adminCredentialsFile = cfg.credentialsFile; }; services.caddy.virtualHosts."${cfg.domain}".extraConfig = '' diff --git a/modules/services/monitoring.nix b/modules/services/monitoring.nix @@ -2,15 +2,12 @@ config, lib, pkgs, + haravara, ... }: let cfg = config.services.haravara.monitoring; - authSnippet = lib.optionalString (cfg.authLabel != null) "import ${ - if cfg.authLabel == "default" - then "auth" - else "auth_${cfg.authLabel}" - }"; + authSnippet = haravara.mkAuthImport cfg.authLabel; fetchDashboard = { name, @@ -77,10 +74,10 @@ in { victoriaDomain = lib.mkOption { type = lib.types.str; }; - authLabel = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - description = "The auth snippet to import"; + authLabel = haravara.authLabelOption; + grafanaSecretKeyFile = lib.mkOption { + type = lib.types.path; + description = "Path to Grafana secret key file"; }; alertmanager = { @@ -136,11 +133,6 @@ in { extraGroups = ["storage-users"]; }; - age.secrets.grafana-secret-key = { - file = ../../secrets/grafana-secret-key.age; - owner = "grafana"; - }; - systemd = { services = { vmalert = lib.mkIf cfg.vmalert.enable { @@ -381,7 +373,7 @@ in { http_port = 3001; }; security = { - secret_key = "$__file{${config.age.secrets.grafana-secret-key.path}}"; + secret_key = "$__file{${cfg.grafanaSecretKeyFile}}"; }; }; provision = { diff --git a/modules/services/oauth2-proxy.nix b/modules/services/oauth2-proxy.nix @@ -18,20 +18,25 @@ in { oidcIssuer = lib.mkOption { type = lib.types.str; }; + clientSecretFile = lib.mkOption { + type = lib.types.path; + description = "Path to the OAuth2 Proxy client secret file"; + }; + cookieSecretFile = lib.mkOption { + type = lib.types.path; + description = "Path to the OAuth2 Proxy cookie secret file"; + }; }; config = lib.mkIf cfg.enable { - age.secrets.oauth2-proxy-client-secret.file = ../../secrets/oauth2-proxy-client-secret.age; - age.secrets.oauth2-proxy-cookie-secret.file = ../../secrets/oauth2-proxy-cookie-secret.age; - services.oauth2-proxy = { enable = true; provider = "oidc"; clientID = "caddy-proxy"; - clientSecretFile = config.age.secrets.oauth2-proxy-client-secret.path; + inherit (cfg) clientSecretFile; cookie = { name = "_oauth2_proxy"; - secretFile = config.age.secrets.oauth2-proxy-cookie-secret.path; + secretFile = cfg.cookieSecretFile; domain = lib.concatStringsSep "," cfg.cookieDomains; expire = "24h"; refresh = "0h"; diff --git a/modules/services/radicale.nix b/modules/services/radicale.nix @@ -11,21 +11,20 @@ in { domain = lib.mkOption { type = lib.types.str; }; + htpasswdFile = lib.mkOption { + type = lib.types.path; + description = "Path to htpasswd file for Radicale auth"; + }; }; config = lib.mkIf cfg.enable { - age.secrets.radicale-htpasswd = { - file = ../../secrets/radicale-htpasswd.age; - owner = "radicale"; - }; - services.radicale = { enable = true; settings = { server.hosts = ["127.0.0.1:${toString port}"]; auth = { type = "htpasswd"; - htpasswd_filename = config.age.secrets.radicale-htpasswd.path; + htpasswd_filename = cfg.htpasswdFile; htpasswd_encryption = "bcrypt"; }; storage.filesystem_folder = "/var/lib/radicale/collections"; diff --git a/modules/services/redlib.nix b/modules/services/redlib.nix @@ -1,6 +1,7 @@ { config, lib, + haravara, ... }: let cfg = config.services.haravara.redlib; @@ -14,11 +15,7 @@ in { domain = lib.mkOption { type = lib.types.str; }; - authLabel = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - description = "The auth snippet to import"; - }; + authLabel = haravara.authLabelOption; }; config = lib.mkIf cfg.enable { @@ -36,11 +33,7 @@ in { }; services.caddy.virtualHosts."${cfg.domain}".extraConfig = '' - ${lib.optionalString (cfg.authLabel != null) "import ${ - if cfg.authLabel == "default" - then "auth" - else "auth_${cfg.authLabel}" - }"} + ${haravara.mkAuthImport cfg.authLabel} reverse_proxy 127.0.0.1:${toString cfg.port} ''; }; diff --git a/modules/services/searxng.nix b/modules/services/searxng.nix @@ -2,6 +2,7 @@ config, lib, pkgs, + haravara, ... }: let cfg = config.services.haravara.searxng; @@ -11,21 +12,14 @@ in { domain = lib.mkOption { type = lib.types.str; }; - authLabel = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - description = "The auth snippet to import"; - }; + authLabel = haravara.authLabelOption; secretKeyFile = lib.mkOption { type = lib.types.path; - default = config.age.secrets.searx-secret-key.path; description = "Path to file containing SEARX_SECRET_KEY"; }; }; config = lib.mkIf cfg.enable { - age.secrets.searx-secret-key.file = ../../secrets/searx-secret-key.age; - services.searx = { enable = true; package = pkgs.searxng; @@ -45,11 +39,7 @@ in { }; services.caddy.virtualHosts."${cfg.domain}".extraConfig = '' - ${lib.optionalString (cfg.authLabel != null) "import ${ - if cfg.authLabel == "default" - then "auth" - else "auth_${cfg.authLabel}" - }"} + ${haravara.mkAuthImport cfg.authLabel} reverse_proxy 127.0.0.1:8899 ''; }; diff --git a/modules/services/seaweedfs.nix b/modules/services/seaweedfs.nix @@ -2,6 +2,7 @@ config, lib, pkgs, + haravara, ... }: let cfg = config.services.haravara.seaweedfs; @@ -105,7 +106,7 @@ in { name = domain; value.extraConfig = '' reverse_proxy 127.0.0.1:8333 - redir / https://${lib.concatStringsSep "." (lib.drop 1 (lib.splitString "." domain))} + redir / https://${haravara.stripSubdomain domain} ''; }) cfg.domains); diff --git a/modules/services/shirt-linkener.nix b/modules/services/shirt-linkener.nix @@ -1,107 +0,0 @@ -{ - config, - lib, - pkgs, - inputs, - ... -}: let - cfg = config.services.haravara.shirt-linkener; - - shirt-linkener = pkgs.beamPackages.mixRelease { - pname = "shortener"; - version = "0.0.1"; - src = "${inputs.tools}/shirt_linkener"; - - nativeBuildInputs = [pkgs.beamPackages.elixir_1_18]; - - MIX_HOME = "nix-mix"; - HEX_HOME = "nix-hex"; - ELIXIR_MAKE_CACHE_DIR = "nix-elixir-make"; - - mixFodDeps = pkgs.beamPackages.fetchMixDeps { - pname = "shortener-deps"; - version = "0.0.1"; - src = "${inputs.tools}/shirt_linkener"; - sha256 = "sha256-U/tNP3s7b4bBUrQx5l4VtDHpV9DsWj6zBYj8jsM4Acw="; - }; - }; -in { - options.services.haravara.shirt-linkener = { - enable = lib.mkEnableOption "link shortener that beams up"; - - port = lib.mkOption { - type = lib.types.port; - default = 8721; - }; - - host = lib.mkOption { - type = lib.types.str; - default = "127.0.0.1"; - }; - - baseUrl = lib.mkOption { - type = lib.types.str; - }; - - authTokenFile = lib.mkOption { - type = lib.types.path; - }; - - domain = lib.mkOption { - type = lib.types.str; - }; - }; - - config = lib.mkIf cfg.enable { - systemd.services.shirt-linkener = { - description = "Shirt Linkener URL Shortener"; - wantedBy = ["multi-user.target"]; - after = ["network.target"]; - - environment = { - PORT = toString cfg.port; - HOST = cfg.host; - ERL_EPMD_ADDRESS = "127.0.0.1"; - BASE_URL = cfg.baseUrl; - DB_PATH = "/var/lib/shirt-linkener/shortener.db"; - RELEASE_COOKIE = "shirt-linkener-cookie"; - RELEASE_NODE = "shirt-linkener@localhost"; - RELEASE_TMP = "/var/lib/shirt-linkener/tmp"; - ERL_AFLAGS = "-kernel inet_dist_use_interface '{127,0,0,1}'"; - }; - - serviceConfig = { - Type = "simple"; - LoadCredential = "auth_token:${toString cfg.authTokenFile}"; - ExecStart = pkgs.writeShellScript "shirt-linkener-start" '' - export AUTH_TOKEN=$(cat "$CREDENTIALS_DIRECTORY/auth_token") - exec ${shirt-linkener}/bin/shortener start - ''; - ExecStop = "${shirt-linkener}/bin/shortener stop"; - Restart = "always"; - RestartSec = "5s"; - User = "shirt-linkener"; - Group = "shirt-linkener"; - StateDirectory = "shirt-linkener"; - WorkingDirectory = "/var/lib/shirt-linkener"; - RuntimeDirectory = "shirt-linkener"; - SuccessExitStatus = [0 143]; - KillMode = "mixed"; - LimitNOFILE = 65535; - }; - }; - - users.users.shirt-linkener = { - isSystemUser = true; - group = "shirt-linkener"; - }; - users.groups.shirt-linkener = {}; - - services.caddy.virtualHosts = { - "${cfg.domain}".extraConfig = '' - reverse_proxy 127.0.0.1:${toString cfg.port} - redir / https://${lib.concatStringsSep "." (lib.drop 1 (lib.splitString "." cfg.domain))} - ''; - }; - }; -} diff --git a/modules/services/shirts.nix b/modules/services/shirts.nix @@ -0,0 +1,91 @@ +{ + config, + lib, + pkgs, + inputs, + haravara, + ... +}: let + cfg = config.services.haravara.shirts; + + shirts = inputs.shirts.packages.${pkgs.system}.default; +in { + options.services.haravara.shirts = { + enable = lib.mkEnableOption "link shortener that beams up"; + + port = lib.mkOption { + type = lib.types.port; + default = 8721; + }; + + host = lib.mkOption { + type = lib.types.str; + default = "127.0.0.1"; + }; + + baseUrl = lib.mkOption { + type = lib.types.str; + }; + + authTokenFile = lib.mkOption { + type = lib.types.path; + }; + + domain = lib.mkOption { + type = lib.types.str; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services.shirts = { + description = "Shirts URL Shortener"; + wantedBy = ["multi-user.target"]; + after = ["network.target"]; + + environment = { + PORT = toString cfg.port; + HOST = cfg.host; + ERL_EPMD_ADDRESS = "127.0.0.1"; + BASE_URL = cfg.baseUrl; + DB_PATH = "/var/lib/shirts/shortener.db"; + RELEASE_COOKIE = "shirts-cookie"; + RELEASE_NODE = "shirts@localhost"; + RELEASE_TMP = "/var/lib/shirts/tmp"; + ERL_AFLAGS = "-kernel inet_dist_use_interface '{127,0,0,1}'"; + }; + + serviceConfig = { + Type = "simple"; + LoadCredential = "auth_token:${toString cfg.authTokenFile}"; + ExecStart = pkgs.writeShellScript "shirts-start" '' + export AUTH_TOKEN=$(cat "$CREDENTIALS_DIRECTORY/auth_token") + exec ${shirts}/bin/shortener start + ''; + ExecStop = "${shirts}/bin/shortener stop"; + Restart = "always"; + RestartSec = "5s"; + User = "shirts"; + Group = "shirts"; + StateDirectory = "shirts"; + WorkingDirectory = "/var/lib/shirts"; + RuntimeDirectory = "shirts"; + SuccessExitStatus = [0 143]; + KillMode = "mixed"; + LimitNOFILE = 65535; + }; + }; + + users.users.shirts = { + isSystemUser = true; + group = "shirts"; + }; + users.groups.shirts = {}; + + services.caddy.virtualHosts = { + "${cfg.domain}".extraConfig = '' + reverse_proxy 127.0.0.1:${toString cfg.port} + redir / https://${haravara.stripSubdomain cfg.domain} + ''; + }; + }; +} diff --git a/modules/services/soju.nix b/modules/services/soju.nix @@ -2,6 +2,7 @@ config, lib, pkgs, + haravara, ... }: let cfg = config.services.haravara.soju; @@ -54,11 +55,7 @@ in { description = "Internal port for the soju WebSocket listener"; }; - authLabel = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - description = "The auth snippet to import in Caddy"; - }; + authLabel = haravara.authLabelOption; listen = lib.mkOption { type = lib.types.listOf lib.types.str; @@ -186,13 +183,9 @@ in { }; services.caddy.virtualHosts."${cfg.domain}".extraConfig = lib.mkOrder 500 '' - ${lib.optionalString (cfg.authLabel != null) "import ${ - if cfg.authLabel == "default" - then "auth" - else "auth_${cfg.authLabel}" - }"} + ${haravara.mkAuthImport cfg.authLabel} reverse_proxy 127.0.0.1:${toString cfg.port} - redir / https://${lib.concatStringsSep "." (lib.drop 1 (lib.splitString "." cfg.domain))} + redir / https://${haravara.stripSubdomain cfg.domain} ''; }; } diff --git a/modules/services/storage-box.nix b/modules/services/storage-box.nix @@ -21,7 +21,6 @@ in { passwordFile = lib.mkOption { type = lib.types.path; - default = config.age.secrets.storage-box-pass.path; description = "Path to a file containing CIFS credentials (formatted as username=... and password=...)"; }; @@ -53,8 +52,6 @@ in { }; config = lib.mkIf cfg.enable { - age.secrets.storage-box-pass.file = ../../secrets/storage-box-pass.age; - environment.systemPackages = [pkgs.cifs-utils]; systemd.tmpfiles.rules = lib.concatLists [ diff --git a/modules/services/syncthing.nix b/modules/services/syncthing.nix @@ -2,6 +2,7 @@ config, lib, pkgs, + haravara, ... }: let cfg = config.services.haravara.syncthing; @@ -24,11 +25,7 @@ in { description = "Domain for the Syncthing web GUI"; }; - authLabel = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - description = "Caddy auth snippet label"; - }; + authLabel = haravara.authLabelOption; guiPort = lib.mkOption { type = lib.types.nullOr lib.types.str; @@ -96,7 +93,7 @@ in { }; services.caddy.virtualHosts."${cfg.domain}".extraConfig = '' - ${lib.optionalString (cfg.authLabel != null) "import auth_${cfg.authLabel}"} + ${haravara.mkAuthImport cfg.authLabel} reverse_proxy 127.0.0.1:${toString cfg.guiPort} { header_up Host 127.0.0.1:${toString cfg.guiPort} } diff --git a/secrets.nix b/secrets.nix @@ -19,6 +19,6 @@ in { "secrets/corpus.age".publicKeys = allKeys; "secrets/smtp-alerts-password.age".publicKeys = allKeys; "secrets/radicale-htpasswd.age".publicKeys = allKeys; - "secrets/shirt-linkener-auth-token.age".publicKeys = allKeys; + "secrets/shirts-auth-token.age".publicKeys = allKeys; "secrets/syncthing-s3-credentials.age".publicKeys = allKeys; } diff --git a/secrets/shirt-linkener-auth-token.age b/secrets/shirts-auth-token.age Binary files differ.