peperunas/nixos
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Removed old mods

Browse Source
This commit is contained in:
Giulio De Pasquale 2025-08-11 18:17:39 +01:00
parent 0e263ee06b
commit 8e51146132
9 changed files with 0 additions and 402 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
hosts/architect/calibre.nix
View File

@ -1,39 +0,0 @@
{ config, lib, ... }:
let
domain = "books.giugl.io";
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in
{
services = {
calibre-web = {
enable = true;
group = "media";
options = {
enableBookConversion = true;
enableBookUploading = true;
};
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8083";
extraConfig = ''
client_max_body_size 500M;
'' + auth_block { access_role = "calibre"; };
};
};
};
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
users.groups.media.members = [ "calibre-web" ];
}

1
hosts/architect/default.nix
View File

@ -19,7 +19,6 @@ in
./tailscale.nix ./tailscale.nix
./sunshine.nix ./sunshine.nix
./postgres.nix ./postgres.nix
./netdata.nix
./searx.nix ./searx.nix
]; ];

82
hosts/architect/librephotos.nix
View File

@ -1,82 +0,0 @@
{ config, lib, ... }:
let
domain = "photos.giugl.io";
backendPort = 8001;
frontendPort = 3000;
in
{
architect.vhost.${domain} = {
dnsInterfaces = [ "tailscale" ];
locations."/" = {
host = "172.17.0.1";
port = frontendPort;
# allowLan = true;
# allow = [ config.architect.networks."tailscale".net ];
};
locations."~ ^/(api|media)/" = {
host = "172.17.0.1";
port = backendPort;
# allowLan = true;
# allow = [ config.architect.networks."tailscale".net ];
};
locations."/ws" = {
host = "172.17.0.1";
port = backendPort;
proxyWebsockets = true;
# allowLan = true;
# allow = [ config.architect.networks."tailscale".net ];
};
};
services.redis.servers."librephotos" = {
enable = true;
port = 1233;
bind = "172.17.0.1";
extraParams = [ "--protected-mode no" ];
};
virtualisation.oci-containers = {
containers = {
librephotos-front = {
image = "reallibrephotos/librephotos-frontend:latest";
autoStart = true;
ports = [
"172.17.0.1:${toString frontendPort}:${toString frontendPort}"
];
};
librephotos-back = {
image = "reallibrephotos/librephotos:latest";
autoStart = true;
ports = [
"172.17.0.1:${toString backendPort}:${toString backendPort}"
];
environment = {
SECRET_KEY = "LOLOL";
BACKEND_HOST = domain;
ADMIN_EMAIL = "me@giugl.io";
ADMIN_USERNAME = "giulio";
ADMIN_PASSWORD = "giulio";
ALLOWED_HOSTS = domain;
DB_BACKEND = "mysql";
DB_NAME = "librephotos";
DB_USER = "librephotos";
DB_PASS = "librephotos";
DB_HOST = "172.17.0.1";
DB_PORT = toString config.services.mysql.settings.mysqld.port;
REDIS_HOST = "172.17.0.1";
REDIS_PORT = toString config.services.redis.servers."librephotos".port;
MAPBOX_API_KEY = "SOME_KEY";
WEB_CONCURRENCY = "24";
DEBUG = "0";
};
};
};
};
}

26
hosts/architect/netdata.nix
View File

@ -1,26 +0,0 @@
{ config, pkgs, ... }:
let
domain = "monitor.giugl.io";
in
{
services.netdata = {
enable = true;
package = pkgs.unstablePkgs.netdata;
config = {
db.mode = "dbengine";
};
};
architect.vhost.${domain} = with config.architect.networks; {
dnsInterfaces = [ "tailscale" "lan" ];
locations."/" = {
port = 19999;
allowLan = true;
allow = [
tailscale.net
];
};
};
}

50
hosts/architect/openid.nix
View File

@ -1,50 +0,0 @@
{ lib }:
{
openresty_oidc_block =
{ access_role ? "", whitelisted_ips ? [ ] }: ''
'';
# access_by_lua_block {
# local opts = {
# discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
# client_id = "nginx",
# client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8",
# logout_path = "/logout",
# redirect_after_logout_uri = "/",
# redirect_uri = "/redirect_uri",
# keepalive = "yes",
# accept_none_alg = true,
# revoke_tokens_on_logout = true,
# -- access token valid for a day
# access_token_expires_in = 86400
# }
# ${lib.optionalString (whitelisted_ips != []) ''
# local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}
# if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
# return
# end
# ''}
# -- call introspect for OAuth 2.0 Bearer Access Token validation
# local res, err = require("resty.openidc").authenticate(opts)
# if err then
# ngx.status = 403
# ngx.say(err)
# ngx.exit(ngx.HTTP_FORBIDDEN)
# end
# ${lib.optionalString (access_role != "") ''
# if not check_role(res, "${access_role}") then
# ngx.status = 401
# ngx.header.content_type = 'text/html';
# ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
# ngx.exit(ngx.HTTP_UNAUTHORIZED)
# end
# ''}
# }
# '';
}

37
hosts/architect/photoprism.nix
View File

@ -1,37 +0,0 @@
{ config, pkgs, lib, ... }:
let
domain = "photos.giugl.io";
in
{
services.photoprism = {
enable = true;
package = pkgs.unstablePkgs.photoprism;
originalsPath = "/var/lib/private/photoprism/originals";
address = "0.0.0.0";
settings = {
PHOTOPRISM_DEFAULT_LOCALE = "en";
PHOTOPRISM_DATABASE_DRIVER = "mysql";
PHOTOPRISM_DATABASE_NAME = "photoprism";
PHOTOPRISM_DATABASE_SERVER = "/run/mysqld/mysqld.sock";
PHOTOPRISM_DATABASE_USER = "photoprism";
PHOTOPRISM_SITE_URL = "https://${domain}";
PHOTOPRISM_SITE_TITLE = "PePrism";
PHOTOPRISM_FFMPEG_ENCODER = "nvidia";
PHOTOPRISM_INIT = "tensorflow";
NVIDIA_VISIBLE_DEVICES = "all";
NVIDIA_DRIVER_CAPABILITIES = "compute,video,utility";
PHOTOPRISM_FFMPEG_BIN = "${pkgs.ffmpeg}/bin/ffmpeg";
};
};
architect.vhost.${domain} = {
dnsInterfaces = [ "tailscale" "lan" ];
locations."/" = {
port = config.services.photoprism.port;
allowLan = true;
allow = [ config.architect.networks."tailscale".net ];
proxyWebsockets = true;
};
};
}

55
hosts/architect/prosody.nix
View File

@ -1,55 +0,0 @@
{ lib, config, ... }:
let
domain = "xmpp.giugl.io";
conference_domain = "conference.${domain}";
upload_domain = "uploads.${domain}";
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in
{
architect.firewall = {
openTCP = [ 5222 5269 ];
};
services = {
prosody = {
enable = true;
virtualHosts.${domain} = {
inherit domain;
enabled = true;
ssl.key = "${config.security.acme.certs.${domain}.directory}/key.pem";
ssl.cert =
"${config.security.acme.certs.${domain}.directory}/fullchain.pem";
};
muc = [{ domain = conference_domain; }];
uploadHttp = { domain = upload_domain; };
admins = [ "giulio@${domain}" ];
#httpInterfaces = [ "wg0" ];
#httpsInterfaces = [ "wg0" ];
};
nginx.virtualHosts = {
"${domain}" = {
enableACME = true;
forceSSL = true;
};
# "${conference_domain}".enableACME = true;
# "${upload_domain}".enableACME = true;
};
};
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
users.groups = {
acme.members = [ "prosody" ];
nginx.members = [ "prosody" ];
};
}

48
hosts/architect/runas.nix
View File

@ -1,48 +0,0 @@
{ config, pkgs, lib, ... }:
let
domain = "runas.rocks";
runas_root = "/var/lib/runas.rocks/dist";
service_name = "runas.rocks-pull";
mkStartScript = name: pkgs.writeShellScript "${name}.sh" ''
set -euo pipefail
cd ${runas_root}
git pull origin main --rebase
'';
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in
{
services.nginx.virtualHosts.${domain} = {
enableACME = true;
forceSSL = true;
locations."/".root = runas_root;
locations."/.git" = { return = "404"; };
};
systemd = {
services.${service_name} = {
path = [ pkgs.git ];
enable = true;
serviceConfig = {
Type = "oneshot";
ExecStart = mkStartScript "${service_name}";
};
};
timers.${service_name} = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "hourly";
Unit = "${service_name}.service";
};
};
};
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
}

64
hosts/architect/teslamate.nix
View File

@ -1,64 +0,0 @@
{ config, ... }:
let
domain = "tesla.giugl.io";
teslamatePort = 11234;
grafanaPort = 11334;
allowLan = true;
allowWAN = false;
in
{
age.secrets.teslamate = {
file = ../../secrets/teslamate.age;
owner = "teslamate";
};
architect.vhost.${domain} = with config.architect.networks; {
dnsInterfaces = [ "lan" "tailscale" ];
locations = {
"/" = {
inherit allowLan allowWAN;
port = teslamatePort;
proxyWebsockets = true;
allow = [
tailscale.net
];
};
"/live/websocket" = {
inherit allowLan allowWAN;
port = teslamatePort;
proxyWebsockets = true;
allow = [
tailscale.net
];
};
"/grafana" = {
inherit allowLan allowWAN;
port = grafanaPort;
proxyWebsockets = true;
allow = [
tailscale.net
];
};
};
};
services.teslamate = {
enable = true;
port = teslamatePort;
listenAddress = "127.0.0.1";
secretsFile = config.age.secrets.teslamate.path;
virtualHost = domain;
postgres.enable_server = true;
grafana = {
enable = true;
port = grafanaPort;
listenAddress = "127.0.0.1";
urlPath = "/grafana";
};
mqtt = {
enable = true;
};
};
}