rename and fix

soraefir
2026-05-08 20:46:23 +02:00
parent 4d398d5596
commit df523c48e5
12 changed files with 21 additions and 42 deletions


@@ -4,7 +4,7 @@ let
builder = import ./builder.nix { inherit config lib serverCfg; }; builder = import ./builder.nix { inherit config lib serverCfg; };
enabledConfigs = lib.filterAttrs (name: c: c.enable) serverCfg.containers; enabledConfigs = lib.filterAttrs (name: c: c.enable) serverCfg.containers;
containerSetsList = lib.mapAttrsToList (name: containerCfg: containerSetsList = lib.mapAttrsToList (name: containerCfg:
let defs = import (./defs + "/${name}.nix") {inherit config pkgs lib containerCfg builder;}; let defs = import (./defs + "/${name}.nix") {inherit config pkgs lib containerCfg builder name;};
in{ in{
containers = lib.mapAttrs' (cName: cValue: containers = lib.mapAttrs' (cName: cValue:
lib.nameValuePair "${name}-${cName}" cValue lib.nameValuePair "${name}-${cName}" cValue


@@ -1,4 +1,4 @@
{ config, containerCfg, pkgs, lib, builder, ... }: { config, containerCfg, pkgs, lib, builder, name, ... }:
let let
version = "2026.2.2"; version = "2026.2.2";
serverCfg = config.syscfg.server; serverCfg = config.syscfg.server;
@@ -19,7 +19,7 @@ in {
image = "ghcr.io/goauthentik/server:${version}"; image = "ghcr.io/goauthentik/server:${version}";
port = containerCfg.port; port = containerCfg.port;
ip = containerCfg.ip; ip = containerCfg.ip;
secret = "authentik"; secret = name;
extraEnv = { extraEnv = {
"AUTHENTIK_REDIS__HOST" = builder.host; "AUTHENTIK_REDIS__HOST" = builder.host;
"AUTHENTIK_POSTGRESQL__HOST" = builder.host; "AUTHENTIK_POSTGRESQL__HOST" = builder.host;


@@ -1,4 +1,4 @@
{ config, containerCfg, pkgs, lib, builder, ... }: { config, containerCfg, pkgs, lib, builder, name, ... }:
let let
version = "latest"; version = "latest";
serverCfg = config.syscfg.server; serverCfg = config.syscfg.server;
@@ -9,7 +9,7 @@ in {
image = "collabora/code:${version}"; image = "collabora/code:${version}";
port = containerCfg.port; port = containerCfg.port;
ip = containerCfg.ip; ip = containerCfg.ip;
secret = "collabora"; secret = name;
extraEnv = { extraEnv = {
"aliasgroup1" = "https://${serverCfg.containers.nextcloud.subdomain}.${serverCfg.hostDomain}"; "aliasgroup1" = "https://${serverCfg.containers.nextcloud.subdomain}.${serverCfg.hostDomain}";
"server_name" = "${containerCfg.subdomain}.${serverCfg.hostDomain}"; "server_name" = "${containerCfg.subdomain}.${serverCfg.hostDomain}";


@@ -1,4 +1,4 @@
{ config, containerCfg, pkgs, lib, builder, ... }: { config, containerCfg, pkgs, lib, builder, name,... }:
let let
version = "latest"; version = "latest";
serverCfg = config.syscfg.server; serverCfg = config.syscfg.server;
@@ -20,7 +20,7 @@ in {
image = "etherpad/etherpad:${version}"; image = "etherpad/etherpad:${version}";
port = containerCfg.port; port = containerCfg.port;
ip = containerCfg.ip; ip = containerCfg.ip;
secret = "etherpad"; secret = name;
extraEnv = { extraEnv = {
NODE_ENV = "production"; NODE_ENV = "production";
TITLE = "Pad"; TITLE = "Pad";
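Review bot: The new header reads `{ config, containerCfg, pkgs, lib, builder, name,... }:` with no space after the last comma, unlike the authentik and collabora headers changed in the same commit; the nextcloud and traefik hunks carry the same spacing. A formatter pass (`nixpkgs-fmt` or `nixfmt`) over the defs directory would make all five headers identical: `{ config, containerCfg, pkgs, lib, builder, name, ... }:`.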


@@ -1,4 +1,4 @@
{ config, containerCfg, pkgs, lib, builder, ... }: { config, containerCfg, pkgs, lib, builder, name,... }:
let let
version = "27"; version = "27";
serverCfg = config.syscfg.server; serverCfg = config.syscfg.server;
@@ -20,7 +20,7 @@ in {
image = "nextcloud:${version}"; image = "nextcloud:${version}";
port = containerCfg.port; port = containerCfg.port;
ip = containerCfg.ip; ip = containerCfg.ip;
secret = "nextcloud"; secret = name;
extraEnv = { extraEnv = {
REDIS_HOST = builder.host; REDIS_HOST = builder.host;
POSTGRES_HOST = builder.host; POSTGRES_HOST = builder.host;


@@ -1,4 +1,4 @@
{ config, containerCfg, pkgs, lib, builder, ... }: { config, containerCfg, pkgs, lib, builder, name,... }:
let let
version = "2026.2.2"; version = "2026.2.2";
serverCfg = config.syscfg.server; serverCfg = config.syscfg.server;
@@ -19,8 +19,9 @@ in {
image = "traefik:${version}"; image = "traefik:${version}";
port = containerCfg.port; port = containerCfg.port;
ip = containerCfg.ip; ip = containerCfg.ip;
secret = name;
extraEnv = { extraEnv = {
"INFOMANIAK_ACCESS_TOKEN" = config.sops.secrets.INFOMANIAK_API_KEY.path; config.sops.secrets.INFOMANIAK_API_KEY.path
}; };
overrides = { overrides = {
cmd = [ cmd = [
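Review bot: `INFOMANIAK_ACCESS_TOKEN` is assigned `config.sops.secrets.INFOMANIAK_API_KEY.path`, which is the host-side path of the decrypted file rather than the token value; Traefik's lego-based DNS providers read the token from that variable directly, and file indirection is expressed through the `_FILE`-suffixed variant, so the binding should be `"INFOMANIAK_ACCESS_TOKEN_FILE" = config.sops.secrets.INFOMANIAK_API_KEY.path;`. The file also has to exist at that path inside the container, which the new `secret = name;` line may be meant to arrange through builder.nix — that wiring is outside this commit and worth confirming. The rendered new side of that line appears truncated to `config.sops.secrets.INFOMANIAK_API_KEY.path`; if the file really reads that way it is not a valid attribute binding, otherwise this is only a display artifact. The enclosing attribute set starts and ends outside the hunk.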


@@ -1,3 +1,3 @@
{ config, pkgs, lib, ... }:{ { config, pkgs, lib, ... }:{
imports = [ ./containers ./database ./nftables ./nginx ./openssh ./sops ]; imports = [ ./containers ./database ./nftables ./openssh ./sops ];
} }


@@ -1,7 +1,8 @@
{ config, lib, ... }: { config, lib, ... }:
let let
cfg = config.syscfg.server; cfg = config.syscfg.server;
in{ in {
config = mkIf (cfg.ipfw.enable) {
boot.kernel.sysctl = { boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1; "net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1; "net.ipv6.conf.all.forwarding" = 1;
@@ -9,7 +10,6 @@ in{
networking.nftables.enable = true; networking.nftables.enable = true;
networking.nftables.ruleset = '' networking.nftables.ruleset = ''
${if cfg.nftables.enable then ''
table inet nat { table inet nat {
chain prerouting { chain prerouting {
type nat hook prerouting priority dstnat; policy accept; type nat hook prerouting priority dstnat; policy accept;
@@ -28,13 +28,14 @@ in{
iifname "${srcInt}" tcp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort} iifname "${srcInt}" tcp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
iifname "${srcInt}" udp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort} iifname "${srcInt}" udp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
'' ''
) config.syscfg.server.nftables.ports} ) cfg.ipfw.ports}
} }
chain postrouting { chain postrouting {
type nat hook postrouting priority srcnat; policy accept; type nat hook postrouting priority srcnat; policy accept;
oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') config.syscfg.server.nftables.ifs} } masquerade oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') cfg.ipfw.ifs} } masquerade
}
} }
}'' else ""}
''; '';
};
} }
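Review bot: The new `config = mkIf (cfg.ipfw.enable) {` wrapper uses `mkIf` unqualified, but the module header `{ config, lib, ... }:` followed directly by `let … in {` brings no `with lib;` into scope, so evaluation should fail with an undefined `mkIf`; the guard being removed from the sops module in this same commit spells it `lib.mkIf`. Change the line to `config = lib.mkIf cfg.ipfw.enable {`. Wrapping the whole body also means the forwarding sysctls, `networking.nftables.enable` and the NAT ruleset now switch together on `cfg.ipfw.enable`, which is stricter than the old ruleset-only `${if cfg.nftables.enable …}` guard; if that is intended, a one-line comment above the wrapper stating it would help the next reader. The hunk counts for the last section do not line up with the rendered lines, so the exact old/new assignment of the closing braces is uncertain here.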


@@ -5,7 +5,6 @@ let
(lib.filterAttrs (name: cfg: cfg.db or cfg.sops or false) config.syscfg.server.containers); (lib.filterAttrs (name: cfg: cfg.db or cfg.sops or false) config.syscfg.server.containers);
allApps = lib.unique (listNames ++ containerNames); allApps = lib.unique (listNames ++ containerNames);
in{ in{
config = lib.mkIf (config.syscfg.server.sops) {
sops.secrets = { sops.secrets = {
INFOMANIAK_API_KEY = { sopsFile = ./server.yaml; }; INFOMANIAK_API_KEY = { sopsFile = ./server.yaml; };
} // (lib.genAttrs (map (name: "${lib.toUpper name}") allApps) (name: { } // (lib.genAttrs (map (name: "${lib.toUpper name}") allApps) (name: {
@@ -13,5 +12,4 @@ in{
mode = "0644"; mode = "0644";
sopsFile = ./server.yaml; sopsFile = ./server.yaml;
})); }));
};
} }
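Review bot: With the `lib.mkIf (config.syscfg.server.sops)` guard removed, `sops.secrets` — `INFOMANIAK_API_KEY` from `./server.yaml` plus one generated entry per `allApps` name — is declared on every host that imports this module, so a host without the matching decryption key or without those entries in `server.yaml` now fails at activation rather than being skipped. Because the declarations are unconditional, the `mode = "0644";` on the generated entries deserves a second look: it makes every decrypted secret readable by any local user, whereas the sops-nix default `0400`, or an explicit `owner`/`group` matching the consuming service, scopes it to the process that needs it. The enclosing `in{` attribute set starts outside the hunk.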


@@ -82,18 +82,9 @@ let
}; };
serverOpt = with lib; { serverOpt = with lib; {
hostDomain = mkOption { type = types.str; }; hostDomain = mkOption { type = types.str; };
shortName = mkOption { type = types.str; };
mailDomain = mkOption { type = types.str; }; mailDomain = mkOption { type = types.str; };
mailServer = mkOption { type = types.str; }; mailServer = mkOption { type = types.str; };
dbHost = mkOption {
type = types.str;
default = "localhost";
};
dbPort = mkOption {
type = types.str;
default = "3306";
};
configPath = mkOption { configPath = mkOption {
type = types.str; type = types.str;
default = "/media/config"; default = "/media/config";
@@ -117,10 +108,6 @@ let
}); });
default = {}; default = {};
}; };
sops = mkOption {
type = types.bool;
default = false;
};
openssh = mkOption { openssh = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
@@ -133,7 +120,7 @@ let
type = types.bool; type = types.bool;
default = false; default = false;
}; };
nftables = { ipfw = {
enable = mkOption { enable = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
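Review bot: None of the options in this hunk, including the renamed `ipfw` block, carry a `description`, so `nixos-option` and generated docs show nothing about what `ipfw.enable`, `ipfw.ifs` or `ipfw.ports` control; a one-liner such as `description = "Enable NAT port forwarding and masquerading via nftables.";` on `ipfw.enable` would cover the most important one. The name `ipfw` is also the name of FreeBSD's packet filter while this block still drives nftables, so a name describing the function (port forwarding / NAT) would avoid confusion. `ipfw.ifs` and `ipfw.ports` are defined outside the hunk, so their declarations could not be checked.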


@@ -29,7 +29,7 @@
openssh = true; openssh = true;
wireguard = true; wireguard = true;
web = true; web = true;
nftables = { ipfw = {
enable = true; enable = true;
ifs = ["ens3" "wg0" ]; ifs = ["ens3" "wg0" ];
ports = [ ports = [


@@ -21,17 +21,12 @@
server = { server = {
openssh = true; openssh = true;
web = true; web = true;
sops = true;
hostDomain = "test.helcel.net"; hostDomain = "test.helcel.net";
shortName = "testcel";
mailDomain = "test@helcel"; mailDomain = "test@helcel";
mailServer = "infomaniak.ch"; mailServer = "infomaniak.ch";
dbHost = "localhost";
containers = { containers = {
#cloud = {enable = true;};
authentik = { authentik = {
enable = true; enable = true;
db = true; db = true;
@@ -44,21 +39,18 @@
enable = true; enable = true;
db = true; db = true;
subdomain = "cloud"; subdomain = "cloud";
ip = "10.88.0.126";
port = 80; port = 80;
}; };
collabora = { collabora = {
enable = true; enable = true;
sops = true; sops = true;
subdomain = "office"; subdomain = "office";
ip = "10.88.0.127";
port = 9980; port = 9980;
}; };
etherpad = { etherpad = {
enable = true; enable = true;
db = true; db = true;
subdomain = "pad"; subdomain = "pad";
ip = "10.88.0.128";
port = 80; port = 80;
}; };
}; };
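Review bot: The `ip = "10.88.0.126";`, `"10.88.0.127"` and `"10.88.0.128"` lines are dropped from nextcloud, collabora and etherpad, but the container definitions changed in this same commit still read `ip = containerCfg.ip;`; unless the `containers.<name>.ip` option declares a default (its definition is outside this commit), those containers now fail to evaluate on a missing attribute, and if the default is `null` the builder receives `ip = null`. The DNAT rules in the nftables module take their destination addresses from `ipfw.ports`, so if any entry there pointed at these fixed addresses it should be updated together with this change. The `server = {` attribute set starts and ends outside the hunk.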