♻️ consolidate nix configs

2024-09-02 10:47:02 -04:00
parent 49884d40e5
commit 06ddc96680
49 changed files with 26 additions and 26 deletions


@ -0,0 +1,99 @@
{ config, pkgs, ... }:
let
inherit (config.services) akkoma;
inherit (config.sops) secrets;
inherit ((pkgs.formats.elixirConf { }).lib) mkRaw;
in
{
services = {
akkoma = {
enable = true;
config = {
":pleroma" = {
":instance" = {
name = "walkah.social";
email = "walkah@walkah.net";
notify_email = "walkah@walkah.net";
description = "James Walker's personal Akkoma instance";
registrations_open = false;
invites_enabled = true;
federating = true;
federation_incoming_replies_max_depth = null;
allow_relay = true;
safe_dm_mentions = true;
external_user_synchronization = true;
cleanup_attachments = true;
};
":media_proxy" = {
enabled = false;
redirect_on_failure = true;
};
"Pleroma.Repo" = {
adapter = mkRaw "Ecto.Adapters.Postgres";
socket_dir = "/run/postgresql";
username = config.services.akkoma.user;
database = "akkoma";
prepare = mkRaw ":named";
parameters.plan_cache_mode = "force_custom_plan";
};
"Pleroma.Web.Endpoint" = {
secret_key_base = { _secret = secrets.akkoma-secret-key-base.path; };
signing_salt = { _secret = secrets.akkoma-signing-salt.path; };
live_view.signing_salt = { _secret = secrets.akkoma-signing-salt.path; };
url = {
host = "walkah.social";
scheme = "https";
port = 443;
};
http = {
ip = "127.0.0.1";
port = 4000;
};
};
};
":web_push_encryption" = {
":vapid_details" = {
private_key = { _secret = secrets.akkoma-vapid-private-key.path; };
public_key = { _secret = secrets.akkoma-vapid-public-key.path; };
};
};
":joken" = {
":default_signer" = { _secret = secrets.akkoma-joken-signer.path; };
};
};
nginx = null; # doing this manually
};
postgresql = {
enable = true;
};
postgresqlBackup = {
enable = true;
databases = [ "akkoma" ];
};
};
sops = {
secrets = {
akkoma-secret-key-base = {
owner = akkoma.user;
};
akkoma-signing-salt = {
owner = akkoma.user;
};
akkoma-vapid-private-key = {
owner = akkoma.user;
};
akkoma-vapid-public-key = {
owner = akkoma.user;
};
akkoma-joken-signer = {
owner = akkoma.user;
};
};
};
}
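Review bot: `username = config.services.akkoma.user;` in the `Pleroma.Repo` block spells out the full path even though `akkoma` is already inherited from `config.services` at the top of the file and the sops block below uses `akkoma.user`; `username = akkoma.user;` keeps the two consistent. The `nginx = null; # doing this manually` line would also read better if the comment said where the vhost is declared, e.g. `# vhost lives in the separate nginx module for this host`, since nothing in this file points the reader there.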


@ -0,0 +1,16 @@
_:
{
services.nginx = {
enable = true;
virtualHosts = {
"walkah.social" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:4000";
proxyWebsockets = true;
};
};
};
};
}


@ -0,0 +1,39 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
dogdns
htop
inetutils
vim
];
nix = {
extraOptions = ''
experimental-features = nix-command flakes
'';
gc = {
automatic = true;
};
settings = {
substituters = [
"https://walkah.cachix.org"
"https://cache.garnix.io"
];
trusted-public-keys = [
"walkah.cachix.org-1:D8cO78JoJC6UPV1ZMgd1V5znpk3jNUERGIeAKN15hxo="
"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
];
};
};
programs = {
zsh = {
enable = true;
promptInit = "";
};
};
}
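Review bot: `experimental-features` is written through `nix.extraOptions` as raw nix.conf text while the substituter settings a few lines below go through `nix.settings`; `nix.settings.experimental-features = [ "nix-command" "flakes" ];` keeps everything in one typed place and lets the module system merge it with settings from other modules instead of concatenating strings. The same applies to `extra-platforms` in the darwin module and `builders-use-substitutes` in the builders module, which can become `nix.settings.extra-platforms = [ "x86_64-darwin" "aarch64-darwin" ];` and `nix.settings.builders-use-substitutes = true;` respectively.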


@ -0,0 +1,57 @@
{ pkgs, dotfiles, ... }: {
imports = [ ./common.nix ];
nix = {
configureBuildUsers = true;
extraOptions = ''
extra-platforms = x86_64-darwin aarch64-darwin
'';
gc = {
interval = {
Hour = 3;
Minute = 16;
Weekday = 6;
};
options = "--delete-older-than 30d";
};
settings = {
trusted-users = [ "root" "@admin" ];
};
};
environment.etc = {
"sudoers.d/walkah".text = ''
walkah ALL = (ALL) NOPASSWD: ALL
'';
};
homebrew = {
enable = true;
brewPrefix = "/opt/homebrew/bin";
global = {
brewfile = true;
lockfiles = false;
};
onActivation = {
autoUpdate = true;
cleanup = "zap";
upgrade = true;
};
};
home-manager = {
useGlobalPkgs = true;
useUserPackages = true;
users.walkah = import "${dotfiles}/home.nix";
};
users.users.walkah = {
home = "/Users/walkah";
shell = pkgs.zsh;
};
system.stateVersion = 4;
}
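Review bot: The `sudoers.d/walkah` entry grants `NOPASSWD: ALL`, so the interactive account is root-equivalent with no authentication step, and any process running as walkah can escalate silently. If the purpose is unattended rebuilds, narrowing it to that command, e.g. `walkah ALL = (ALL) NOPASSWD: /run/current-system/sw/bin/darwin-rebuild`, keeps everything else behind a password. `trusted-users = [ "root" "@admin" ]` is the same kind of grant on the Nix daemon side (trusted users can inject arbitrary store paths); both lines deserve a one-line `#` comment stating that this is a single-user machine and the grant is intentional.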


@ -0,0 +1,37 @@
{ config, ... }: {
imports = [ ./common.nix ../monitoring ];
nix = {
gc = {
persistent = true;
dates = "weekly";
options = "--delete-older-than 30d";
};
settings = {
auto-optimise-store = true;
trusted-users = [ "root" "walkah" ];
};
};
programs = {
mosh.enable = true;
};
services = {
openssh.enable = true;
tailscale.enable = true;
};
system = {
autoUpgrade = {
enable = true;
flake = "github:walkah/athens#${config.networking.hostName}";
dates = "daily";
randomizedDelaySec = "5m";
};
stateVersion = "23.05";
};
}
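Review bot: `openssh.enable = true;` takes the NixOS defaults, which to my knowledge still leave `PasswordAuthentication` on, so every host built from this module accepts password logins on whichever interfaces sshd binds; `openssh = { enable = true; settings.PasswordAuthentication = false; settings.KbdInteractiveAuthentication = false; };` restricts it to keys, which fits the tailscale-based access this file sets up. `system.autoUpgrade` fetches `github:walkah/athens#<host>` daily, so whoever can push to that repository can reconfigure every host; that is inherent to the design, but a comment on the `flake` line naming the repository as the trust root would help the next reader.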


@ -0,0 +1,30 @@
_: {
nix = {
distributedBuilds = true;
buildMachines = [
{
hostName = "plato";
systems = [ "x86_64-linux" "aarch64-linux" ];
maxJobs = 6;
supportedFeatures = [ "benchmark" "big-parallel" "kvm" ];
}
];
extraOptions = ''
builders-use-substitutes = true
'';
linux-builder = {
enable = true;
ephemeral = true;
maxJobs = 4;
speedFactor = 2;
config = {
virtualisation = {
darwin-builder = {
memorySize = 8 * 1024;
};
cores = 4;
};
};
};
};
}


@ -0,0 +1,5 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [ code-server ];
}


@ -0,0 +1,17 @@
_:
{
services.nginx = {
enable = true;
virtualHosts = {
"walkah.codes" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://100.66.26.116:8080";
proxyWebsockets = true;
};
};
};
};
}


@ -0,0 +1,45 @@
{ config, lib, ... }:
with lib;
let cfg = config.walkah.coredns;
in
{
options.walkah.coredns = {
enable = mkEnableOption "";
addr = mkOption {
type = types.str;
default = "0.0.0.0";
example = "192.168.6.1";
};
};
config = mkIf cfg.enable {
services.coredns = {
enable = true;
config = ''
. {
bind 127.0.0.1
bind ${cfg.addr}
prometheus ${cfg.addr}:9153
log
errors
cache
dnssec
forward . tls://1.1.1.1 tls://1.0.0.1 {
tls_servername cloudflare-dns.com
}
}
walkah.lab {
bind ${cfg.addr}
file ${./walkah.lab.zone}
}
'';
};
networking = {
nameservers = [ "127.0.0.1" ];
search = [ "walkah.lab" ];
};
};
}
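Review bot: `mkEnableOption ""` and the `addr` option carry no description, so generated option docs show an empty string for this module; `enable = mkEnableOption "the walkah.lab CoreDNS resolver";` and a `description = "Address the resolver and its Prometheus endpoint bind to";` on `addr` fix that. Because `addr` defaults to `0.0.0.0`, both the recursive resolver and `prometheus ${cfg.addr}:9153` listen on every interface; the NixOS firewall is what keeps that from being an open resolver, which is worth a comment on the `default` line, and `prometheus 127.0.0.1:9153` (or the tailscale address) would stop the metrics endpoint from following the resolver onto every interface.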


@ -0,0 +1,19 @@
$ORIGIN walkah.lab.
@ 3600 IN SOA plato.walkah.lab. walkah.walkah.net. (
2023091000 ; serial
7200 ; refresh (2 hours)
3600 ; retry (1 hour)
1209600 ; expire (2 weeks)
3600 ; minimum (1 hour)
)
socrates IN A 100.103.57.96
plato IN A 100.111.208.75
; aristotle
agent IN A 100.95.167.126
form IN A 100.87.220.71
matter IN A 100.126.255.109
purpose IN A 100.74.59.80
parthenon IN A 100.106.65.39
epicurus IN A 100.66.26.116


@ -0,0 +1,39 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
# Cloud
awscli2
google-cloud-sdk
doppler
# Git / CI
drone-cli
mr
tea
# NodeJS
bun
nodejs
pnpm
# Golang
go
# k8s
chart-testing
k9s
kind
kubectl
kubernetes-helm
# Nix
cachix
nixd
nixf
nixpkgs-fmt
# My stuff
workon
];
}


@ -0,0 +1,46 @@
{ pkgs, config, ... }: {
sops.secrets.drone = {
owner = "drone";
};
services = {
postgresql = {
ensureDatabases = [ "drone" ];
ensureUsers = [
{
name = "drone";
ensureDBOwnership = true;
}
];
};
postgresqlBackup.databases = [ "drone" ];
};
systemd.services.drone = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
EnvironmentFile = [
config.sops.secrets.drone.path
];
Environment = [
"DRONE_GITEA_SERVER=https://walkah.dev"
"DRONE_DATABASE_DATASOURCE=postgres:///drone?host=/run/postgresql"
"DRONE_DATABASE_DRIVER=postgres"
"DRONE_SERVER_HOST=https://drone.walkah.dev"
"DRONE_SERVER_PORT=:3030"
"DRONE_SERVER_PROTO=https"
"DRONE_USER_CREATE=username:walkah,admin:true"
];
ExecStart = "${pkgs.drone}/bin/drone-server";
User = "drone";
Group = "drone";
};
};
users.users.drone = {
isSystemUser = true;
createHome = true;
group = "drone";
};
users.groups.drone = { };
}
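Review bot: `DRONE_SERVER_HOST=https://drone.walkah.dev` includes the scheme, but Drone documents `DRONE_SERVER_HOST` as a bare hostname with `DRONE_SERVER_PROTO` (set two lines below) supplying the scheme; as written, generated webhook and OAuth callback URLs may come out as `https://https://drone.walkah.dev`, so this should read `"DRONE_SERVER_HOST=drone.walkah.dev"`. The unit also runs with `User = "drone"` but no sandboxing directives, unlike the exec runner in the same commit which uses `confinement`; `ProtectSystem = "strict"; ProtectHome = true;` would be a cheap start if the server keeps no local state outside postgres, which is worth confirming before adding them.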


@ -0,0 +1,17 @@
_:
{
services.nginx = {
enable = true;
virtualHosts = {
"drone.walkah.dev" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://100.111.208.75:3030";
proxyWebsockets = true;
};
};
};
};
}


@ -0,0 +1,22 @@
{ pkgs, config, ... }: {
systemd.services.drone-runner-docker = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Environment = [
];
EnvironmentFile = [
config.sops.secrets.drone.path
];
ExecStart = "${pkgs.drone-runner-docker}/bin/drone-runner-docker";
User = "drone-runner-docker";
Group = "drone-runner-docker";
};
};
users.users.drone-runner-docker = {
isSystemUser = true;
group = "drone-runner-docker";
extraGroups = [ "docker" ];
};
users.groups.drone-runner-docker = { };
}
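Review bot: `extraGroups = [ "docker" ]` makes the runner account root-equivalent on the host, so every pipeline step this runner executes is effectively root regardless of the `User`/`Group` lines above it; that is the usual cost of the docker runner, but it should be stated next to the line, e.g. `# docker group is root-equivalent here: only trusted repositories may target this runner`. The empty `Environment = [ ];` list is dead configuration and can be dropped; the exec runner in the same commit shows the intended shape when there is something to set.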


@ -0,0 +1,65 @@
{ pkgs, config, ... }:
{
nix.settings.allowed-users = [ "drone-runner-exec" ];
systemd.services.drone-runner-exec = {
wantedBy = [ "multi-user.target" ];
# might break deployment
restartIfChanged = false;
confinement.enable = true;
confinement.packages = [
pkgs.git
pkgs.gnutar
pkgs.bash
pkgs.nix
pkgs.gzip
];
path = [
pkgs.git
pkgs.gnutar
pkgs.bash
pkgs.nix
pkgs.gzip
];
serviceConfig = {
Environment = [
"DRONE_RUNNER_CAPACITY=10"
"CLIENT_DRONE_RPC_HOST=127.0.0.1:3030"
"NIX_REMOTE=daemon"
"PAGER=cat"
];
BindPaths = [
"/nix/var/nix/daemon-socket/socket"
"/run/nscd/socket"
"/var/lib/drone"
];
BindReadOnlyPaths = [
"/etc/passwd:/etc/passwd"
"/etc/group:/etc/group"
"/nix/var/nix/profiles/system/etc/nix:/etc/nix"
"${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt"
"${config.environment.etc."ssh/ssh_known_hosts".source}:/etc/ssh/ssh_known_hosts"
"${
builtins.toFile "ssh_config" ''
Host eve.thalheim.io
ForwardAgent yes
''
}:/etc/ssh/ssh_config"
"/etc/machine-id"
# channels are dynamic paths in the nix store, therefore we need to bind mount the whole thing
"/nix/"
];
EnvironmentFile = [
config.sops.secrets.drone.path
];
ExecStart = "${pkgs.drone-runner-exec}/bin/drone-runner-exec";
User = "drone-runner-exec";
Group = "drone-runner-exec";
};
};
users.users.drone-runner-exec = {
isSystemUser = true;
group = "drone-runner-exec";
};
users.groups.drone-runner-exec = { };
}
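Review bot: The generated `ssh_config` bound at `/etc/ssh/ssh_config` turns on `ForwardAgent yes` for `eve.thalheim.io`, a host that appears nowhere else in this tree and looks inherited from the upstream configuration this module was adapted from; agent forwarding lets that remote host use any key loaded in the runner's agent, so the stanza should be removed or pointed at a host this infrastructure actually deploys to. `nix.settings.allowed-users = [ "drone-runner-exec" ]` also replaces the NixOS default of `[ "*" ]`, so on this host only `trusted-users` and the runner can talk to the daemon at all — probably intended, but a comment such as `# replaces the "*" default: only trusted-users and the runner may use the daemon` would save other accounts a surprise.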


@ -0,0 +1,57 @@
{ config, ... }:
let cfg = config.services.gitea;
in
{
users.users.git = {
description = "Gitea Service";
home = cfg.stateDir;
useDefaultShell = true;
group = "git";
isSystemUser = true;
};
users.groups.git = { };
services = {
gitea = {
enable = true;
user = "git";
appName = "walkah forge";
lfs.enable = true;
settings = {
log = { LEVEL = "Error"; };
other = { SHOW_FOOTER_VERSION = false; };
repository = { DEFAULT_BRANCH = "main"; };
server = {
DOMAIN = "walkah.dev";
HTTP_ADDR = "0.0.0.0";
HTTP_PORT = 8003;
ROOT_URL = "https://walkah.dev/";
SSH_DOMAIN = "git.walkah.dev";
};
service = { DISABLE_REGISTRATION = true; };
session = { COOKIE_SECURE = true; };
};
dump.enable = false;
database = {
createDatabase = false;
type = "postgres";
name = "gitea";
socket = "/run/postgresql";
user = "git";
};
};
postgresql = {
ensureDatabases = [ "gitea" ];
ensureUsers = [
{
name = "git";
}
];
};
postgresqlBackup.databases = [ "gitea" ];
};
}
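Review bot: `ensureUsers` creates the `git` role but nothing here gives it access to the `gitea` database: `createDatabase = false` means the gitea module does no grants, and unlike the drone module in this commit there is no `ensureDBOwnership = true;`. That option requires the database and role names to match, which `gitea`/`git` do not, so either the database would have to be renamed or ownership is being granted out of band — whichever it is, a comment on `createDatabase = false;` should say so. `HTTP_ADDR = "0.0.0.0"` binds the web UI on every interface while nginx only needs the tailscale address; binding to that address or to loopback keeps it off the others.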


@ -0,0 +1,20 @@
_:
{
services.nginx = {
enable = true;
virtualHosts = {
"walkah.dev" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://100.111.208.75:8003";
proxyWebsockets = true;
extraConfig = ''
client_max_body_size 0;
'';
};
};
};
};
}


@ -0,0 +1,17 @@
_:
{
services.nginx = {
enable = true;
virtualHosts = {
"hass.nerdhaus.ca" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://100.72.37.46:8123";
proxyWebsockets = true;
};
};
};
};
}

nix/modules/ipfs/badbits.deny Normal file



@ -0,0 +1,36 @@
{ config, ... }:
{
imports = [
./default.nix
../../services/ipfs-cluster.nix
];
services = {
kubo = {
enable = true;
settings = {
Discovery = { MDNS = { Enabled = true; }; };
Swarm = {
AddrFilters = null;
ConnMgr = {
Type = "basic";
LowWater = 25;
HighWater = 50;
GracePeriod = "1m0s";
};
};
};
};
ipfs-cluster = {
enable = true;
consensus = "crdt";
secretFile = config.sops.secrets.ipfs-cluster-secret.path;
};
};
sops.secrets.ipfs-cluster-secret = {
owner = "ipfs";
};
}


@ -0,0 +1,25 @@
_:
{
services = {
kubo = {
enable = true;
settings = {
Addresses = {
Announce = [ ];
API = "/ip4/0.0.0.0/tcp/5001";
Gateway = "/ip4/0.0.0.0/tcp/8080";
NoAnnounce = [ ];
Swarm = [
"/ip4/0.0.0.0/tcp/4001"
"/ip6/::/tcp/4001"
"/ip4/0.0.0.0/udp/4001/quic"
"/ip6/::/udp/4001/quic"
];
};
API = { HTTPHeaders = { Access-Control-Allow-Origin = [ "*" ]; }; };
Routing = { Type = "dht"; };
};
};
};
}
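Review bot: `API = "/ip4/0.0.0.0/tcp/5001"` together with `Access-Control-Allow-Origin = [ "*" ]` exposes the unauthenticated Kubo RPC API — which can pin and unpin content, rewrite the node config and export keys — on every interface, and the wildcard origin lets any web page opened by a browser on a reachable network call it; Kubo's own documentation says the RPC API must not be reachable beyond localhost. Bind it to loopback, `API = "/ip4/127.0.0.1/tcp/5001";`, and drop the wildcard origin or list the specific origins that need it. The cluster and server modules that import this file inherit the setting, so fixing it here covers all of them.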


@ -0,0 +1,67 @@
{ pkgs, ... }:
let
peers = [
{
ID = "12D3KooWMQSgdfa4tUrDhkFx4zP3ZpgT1ryj9KH5RGUae62Vsc7y";
Addrs = [ "/ip4/100.95.167.126/tcp/4001" ];
}
{
ID = "12D3KooWMqSiDukubKNKrK7J4PaF3mfNnZFVAd3Lh7qj3Y3e5bcN";
Addrs = [ "/ip4/100.87.220.71/tcp/4001" ];
}
{
ID = "12D3KooWGmNRyqP969QbyP8NLVRZNK2i6yCcP6N6N2r2DCG4H34v";
Addrs = [ "/ip4/100.126.255.109/tcp/4001" ];
}
{
ID = "12D3KooWFkR8nsG5pzffoAfMzmwBcSakXxnogVa6inRxUbpfN5ua";
Addrs = [ "/ip4/100.74.59.80/tcp/4001" ];
}
];
in
{
imports = [ ./default.nix ];
environment.systemPackages = with pkgs; [ ipfs-migrator ];
environment.etc = {
"ipfs/denylists/badbits.deny".source = ./badbits.deny;
};
networking.firewall = {
allowedTCPPorts = [ 4001 ];
allowedUDPPorts = [ 4001 ];
};
services = {
kubo = {
enable = true;
settings = {
Discovery = { MDNS = { Enabled = false; }; };
Peering = { Peers = peers; };
Swarm = { AddrFilters = null; };
};
};
nginx = {
# IPFS Gateway
virtualHosts."walkah.cloud" = {
forceSSL = true;
enableACME = true;
locations."/" = { proxyPass = "http://127.0.0.1:8080"; };
};
# Hosted Sites
virtualHosts."walkah.net" = {
forceSSL = true;
enableACME = true;
locations."/" = { proxyPass = "http://127.0.0.1:8080"; };
serverAliases = [
"www.walkah.net"
];
};
};
};
}
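Review bot: The `walkah.net` vhost proxies `/` straight to the gateway, so with Kubo's default public-gateway handling `https://walkah.net/ipfs/<cid>` serves arbitrary content under the site's origin rather than only its DNSLink root, a phishing and abuse vector that `badbits.deny` only partly covers. If only the DNSLink site is wanted, `Gateway.PublicGateways."walkah.net" = { Paths = [ ]; UseSubdomains = false; };` in the kubo settings limits that hostname to its DNSLink root as far as I read the Kubo docs. `Swarm.AddrFilters = null` also removes Kubo's default private-range filters; a comment saying why, presumably so the `100.x` tailnet peers listed in `peers` are dialable, would keep it from being "fixed" later.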


@ -0,0 +1,67 @@
{ config, pkgs, ... }:
{
environment.systemPackages = with pkgs; [
matrix-synapse-tools.synadm
];
services = {
postgresql = {
enable = true;
initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse";
CREATE DATABASE "matrix" WITH OWNER "matrix-synapse"
TEMPLATE template0
ENCODING 'UTF8'
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
};
postgresqlBackup.databases = [ "matrix" "matrix-syncv3" ];
matrix-synapse = {
enable = true;
settings = {
server_name = "walkah.chat";
public_baseurl = "https://matrix.walkah.chat";
enable_metrics = true;
enable_registration = false;
database = {
name = "psycopg2";
args = { database = "matrix"; };
};
listeners = [{
bind_addresses = [
"0.0.0.0"
];
port = 8008;
type = "http";
tls = false;
x_forwarded = true;
resources = [{
compress = false;
names = [ "client" "federation" ];
}];
}];
};
extraConfigFiles = [
config.sops.secrets.matrix-registration-secret.path
];
};
matrix-sliding-sync = {
enable = true;
settings = {
SYNCV3_SERVER = "https://matrix.walkah.chat";
SYNCV3_BINDADDR = "0.0.0.0:8088";
};
environmentFile = config.sops.secrets.matrix-sliding-sync-secret.path;
};
};
sops.secrets.matrix-registration-secret = {
owner = "matrix-synapse";
};
sops.secrets.matrix-sliding-sync-secret = { };
}
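Review bot: The Synapse listener binds `0.0.0.0:8008` with `x_forwarded = true`, so any client that can reach 8008 directly rather than through the nginx host at 100.111.208.75 can supply its own `X-Forwarded-For` and spoof the address Synapse uses for rate limiting and audit logging; binding `bind_addresses` to the host's tailscale address, or to loopback if nginx moves local, closes that, and `SYNCV3_BINDADDR = "0.0.0.0:8088"` has the same shape. `postgresqlBackup.databases` also lists `matrix-syncv3`, but nothing in this module creates that database, so it presumably comes from the sliding-sync service or its environment file — a comment on that line would say which.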


@ -0,0 +1,48 @@
{ pkgs, ... }:
{
services.nginx = {
enable = true;
virtualHosts = {
"matrix.walkah.chat" = {
forceSSL = true;
enableACME = true;
locations."/" = { proxyPass = "http://100.111.208.75:8008"; };
};
"syncv3.walkah.chat" = {
forceSSL = true;
enableACME = true;
locations."/" = { proxyPass = "http://100.111.208.75:8088"; };
};
"walkah.chat" = {
forceSSL = true;
enableACME = true;
locations = {
"= /.well-known/matrix/server".extraConfig =
let server = { "m.server" = "matrix.walkah.chat:443"; };
in
''
default_type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON server}';
'';
"= /.well-known/matrix/client".extraConfig =
let
client = {
"m.homeserver" = { "base_url" = "https://matrix.walkah.chat"; };
"org.matrix.msc3575.proxy" = { "url" = "https://syncv3.walkah.chat"; };
};
in
''
default_type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
"/" = { root = pkgs.element-web; };
};
};
};
};
}


@ -0,0 +1,26 @@
_: {
services.minecraft-server = {
enable = true;
eula = true;
declarative = true;
# see here for more info: https://minecraft.gamepedia.com/Server.properties#server.properties
serverProperties = {
server-port = 25565;
enable-query = true;
gamemode = "survival";
motd = "Vanilla Survival";
max-players = 20;
white-list = true;
};
# Grab UUIDs from https://mcuuid.net/
whitelist = {
walkahj = "7209094c-b3ef-4c89-b8cd-0aef7c1d57a6";
puffpuffpassion = "72e0d040-fa54-47e8-a6e7-162fdaa0cac5";
rafadoodle = "9a7c860e-e269-4c38-b2f7-ca5533c27e98";
camylamb = "c9fcbfa1-89da-4cf9-97fe-b9e5290a4eb4";
};
};
}


@ -0,0 +1,32 @@
_:
let
dest_ip = "100.111.208.75";
dest_port = 25565;
in
{
networking = {
firewall = {
enable = true;
allowedTCPPorts = [ dest_port ];
};
nat = {
enable = true;
internalInterfaces = [ "tailscale0" ];
externalInterface = "eth0";
forwardPorts = [
{
sourcePort = dest_port;
proto = "tcp";
destination = "${dest_ip}:${toString dest_port}";
}
];
};
};
services = {
tailscale = {
useRoutingFeatures = "server";
extraUpFlags = [ "--stateful-filtering=false" ];
};
};
}
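Review bot: `extraUpFlags = [ "--stateful-filtering=false" ]` relaxes Tailscale's stateful packet filter on this node with no comment, and `useRoutingFeatures = "server"` is equally unexplained; a reader has to guess that both exist so the NAT rule can hand public port 25565 traffic onto the tailnet. A why-comment on the flag, e.g. `# NAT-forwarded packets are not replies to a tailnet flow, so the stateful filter would drop them (presumably needed since tailscale 1.66)`, records the reason and makes it obvious when the flag can be removed.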


@ -0,0 +1,17 @@
_:
{
services = {
prometheus = {
enable = true;
port = 9090;
exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" ];
port = 9100;
};
};
};
};
}
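Review bot: `prometheus` is enabled with no `scrapeConfigs`, so unless another module adds them this server scrapes nothing, not even the node exporter declared a few lines below; `scrapeConfigs = [{ job_name = "node"; static_configs = [{ targets = [ "127.0.0.1:9100" ]; }]; }];` wires the two together. Both services take the default `listenAddress` of `0.0.0.0`; `listenAddress = "127.0.0.1";` on the exporter (and on prometheus if only this host needs it) keeps unauthenticated metrics off the other interfaces instead of relying on the firewall alone.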


@ -0,0 +1,44 @@
{ pkgs, config, ... }: {
services = {
postgresql = {
enable = true;
package = pkgs.postgresql_14;
};
postgresqlBackup = {
enable = true;
};
};
# Postgres upgrades: https://nixos.org/manual/nixos/stable/index.html#module-services-postgres-upgrading
environment.systemPackages = [
(
let
# XXX specify the postgresql package you'd like to upgrade to.
# Do not forget to list the extensions you need.
newPostgres = pkgs.postgresql_15;
in
pkgs.writeScriptBin "upgrade-pg-cluster" ''
set -eux
# XXX it's perhaps advisable to stop all services that depend on postgresql
systemctl stop postgresql
export NEWDATA="/var/lib/postgresql/${newPostgres.psqlSchema}"
export NEWBIN="${newPostgres}/bin"
export OLDDATA="${config.services.postgresql.dataDir}"
export OLDBIN="${config.services.postgresql.package}/bin"
install -d -m 0700 -o postgres -g postgres "$NEWDATA"
cd "$NEWDATA"
sudo -u postgres $NEWBIN/initdb -D "$NEWDATA"
sudo -u postgres $NEWBIN/pg_upgrade \
--old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \
--old-bindir $OLDBIN --new-bindir $NEWBIN \
"$@"
''
)
];
}
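Review bot: `package = pkgs.postgresql_14;` on the service and `newPostgres = pkgs.postgresql_15;` in the upgrade script are two unrelated constants that must be kept in step by hand: after `upgrade-pg-cluster` has run, the service still starts 14 against the old data directory until someone edits the first line. A comment on the `package` line, `# bump to match newPostgres in the upgrade script once upgrade-pg-cluster has been run`, makes that dependency explicit. In the script `$NEWBIN` and `$OLDBIN` are expanded unquoted while the data directories are quoted; store paths contain no spaces so it is harmless, but quoting them too keeps the style uniform.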


@ -0,0 +1,6 @@
{ sops-nix, ... }:
{
imports = [ sops-nix.nixosModules.sops ];
sops.defaultSopsFile = ../../secrets/secrets.yaml;
}


@ -0,0 +1,51 @@
{ config, ... }:
{
services.traefik = {
enable = true;
group = "docker";
environmentFiles = [
config.sops.secrets.traefik.path
];
staticConfigOptions = {
api = {
dashboard = true;
insecure = true;
};
certificatesResolvers = {
myresolver = {
acme = {
email = "walkah@walkah.net";
storage = "/var/lib/traefik/acme.json";
dnsChallenge = {
provider = "cloudflare";
};
};
};
};
entryPoints = {
web = {
address = ":80";
http = {
redirections = {
entryPoint = {
to = "websecure";
scheme = "https";
};
};
};
};
websecure = {
address = ":443";
};
};
providers = {
docker = { };
};
};
};
sops.secrets.traefik = {
owner = "traefik";
};
}
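Review bot: `api.insecure = true` serves the Traefik API and dashboard unauthenticated on its default port 8080, and since the process runs with `group = "docker"` it already holds root-equivalent docker-socket access, so anything that reaches that port can enumerate every router and backend; the NixOS firewall is the only thing keeping it private. Set `insecure = false;` and, if the dashboard is wanted, expose it through a router with an auth middleware. The docker provider also defaults to `exposedByDefault = true`, meaning every container on the host gets a router unless labelled otherwise; `docker = { exposedByDefault = false; };` makes exposure opt-in per container.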