refactor: move from den based to flake-parts based

2026-04-21 00:59:54 +02:00
parent d2ab961c48
commit 5bed1336c0
71 changed files with 1832 additions and 2472 deletions
+13 -18
@@ -1,22 +1,17 @@
{ den, ... }:
{
lux.services._.actual = den.lib.perHost (
{ host, ... }:
flake.modules.nixos.actual =
{ config, ... }:
{
nixos =
{ config, ... }:
{
services.actual = {
enable = true;
openFirewall = false;
settings = {
port = 3000;
hostname = "127.0.0.1";
};
};
services.caddy.virtualHosts."finance.${host.serviceDomain}".extraConfig =
"reverse_proxy :${toString config.services.actual.settings.port}";
services.actual = {
enable = true;
openFirewall = false;
settings = {
port = 3000;
hostname = "127.0.0.1";
};
}
);
};
services.caddy.virtualHosts."finance.jelles.net".extraConfig =
"reverse_proxy :${toString config.services.actual.settings.port}";
};
}
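Review bot: The vhost name is now the literal `finance.jelles.net`, and the gitea, radicale and vaultwarden modules in this same commit each repeat their own hard-coded `jelles.net`, where the den version derived it from `host.serviceDomain`. Four copies of the domain will drift the first time one host needs a different one; a single shared value the modules read (a `flake.lib.serviceDomain` or a small option) keeps the Caddy vhosts and the `DOMAIN`/`ROOT_URL` settings in gitea and vaultwarden consistent. If dropping the per-host parametrisation is deliberate for now, say so where it is lost, e.g. `# TODO: domain was host.serviceDomain under den; re-parametrise once hosts carry it again`.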
+3 -4
@@ -1,10 +1,9 @@
{ den, ... }:
{
lux.services._.caddy = den.lib.perHost ({ host }: {
nixos.services.caddy = {
flake.modules.nixos.caddy = {
services.caddy = {
enable = true;
email = "mail@jelles.net";
openFirewall = true;
};
});
};
}
+14 -16
@@ -1,20 +1,18 @@
{
lux.deluge = {
nixos =
{ config, ... }:
{
sops.secrets.deluge-auth-file = { };
flake.modules.nixos.delugeService =
{ ... }:
{
sops.secrets.deluge-auth-file = { };
services.deluge = {
enable = true;
# For some reason passwords never match??
declarative = false;
};
services.deluge = {
enable = true;
declarative = false;
};
homeManager =
{ pkgs, ... }:
{
home.packages = [ pkgs.deluge ];
};
};
};
flake.modules.homeManager.delugeClient =
{ pkgs, ... }:
{
home.packages = [ pkgs.deluge ];
};
}
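Review bot: `sops.secrets.deluge-auth-file = { };` is still declared, but with `declarative = false` nothing in `delugeService` consumes it, so as far as this page shows the secret is decrypted onto the host with no reader (the den module had the same gap). Either wire it up — take `config` in the module args, then `declarative = true;` and `authFile = config.sops.secrets.deluge-auth-file.path;` — or drop the secret until the mismatch is understood. The explanatory comment `# For some reason passwords never match??` was lost in the move; keep the reason next to `declarative = false`, e.g. `# declarative auth is off: the passwords from deluge-auth-file never matched, see that secret`, so the next reader does not flip it back on blind.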
+20 -28
@@ -1,36 +1,28 @@
{ den, ... }:
{
lux.services._.gitea = den.lib.perHost (
{ host }:
flake.modules.nixos.gitea =
{ config, ... }:
{
nixos =
{ config, ... }:
{
services.gitea = {
enable = true;
services.gitea = {
enable = true;
settings = {
server = {
DOMAIN = "git.${host.serviceDomain}";
ROOT_URL = "https://git.${host.serviceDomain}/";
HTTP_PORT = 3001;
HTTP_ADDR = "127.0.0.1";
settings = {
server = {
DOMAIN = "git.jelles.net";
ROOT_URL = "https://git.jelles.net/";
HTTP_PORT = 3001;
HTTP_ADDR = "127.0.0.1";
START_SSH_SERVER = false;
SSH_PORT = 22;
};
service = {
DISABLE_REGISTRATION = true;
};
};
START_SSH_SERVER = false;
SSH_PORT = 22;
};
services.openssh.settings.AllowUsers = [ "gitea" ];
services.caddy.virtualHosts."git.${host.serviceDomain}".extraConfig =
"reverse_proxy :${toString config.services.gitea.settings.server.HTTP_PORT}";
service.DISABLE_REGISTRATION = true;
};
}
);
};
services.openssh.settings.AllowUsers = [ "gitea" ];
services.caddy.virtualHosts."git.jelles.net".extraConfig =
"reverse_proxy :${toString config.services.gitea.settings.server.HTTP_PORT}";
};
}
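Review bot: `services.openssh.settings.AllowUsers = [ "gitea" ];` needs a comment saying why it is here: the openssh module in this same commit builds `AllowUsers` from `isNormalUser` accounts, which excludes the `gitea` system user, and with `START_SSH_SERVER = false` and `SSH_PORT = 22` git-over-SSH goes through the system sshd, so without this line every `git@git.jelles.net` push would be refused. NixOS merges the two list definitions into their union, which is the intended result but is not obvious from either file alone. Suggested comment: `# gitea is a system user, so the openssh module's isNormalUser-based AllowUsers misses it; git-over-SSH uses the system sshd (START_SSH_SERVER = false)`.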
+26 -78
@@ -1,80 +1,28 @@
{ den, lib, ... }:
let
hostConfig =
{ host }:
{
nixos =
{ config, ... }:
{
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
AllowUsers = lib.attrNames host.users;
};
};
users.users = lib.mapAttrs (_: user: {
openssh.authorizedKeys.keys = user.authorizedSshKeys;
}) host.users;
assertions = lib.optionals host.requiresSshRecovery (
let
missingUsers = lib.filter (userName: !(builtins.hasAttr userName host.users)) host.sshRecoveryUsers;
usersWithoutKeys = lib.filter (
userName:
(builtins.hasAttr userName host.users) && host.users.${userName}.authorizedSshKeys == [ ]
) host.sshRecoveryUsers;
in
[
{
assertion = config.services.openssh.enable;
message = "Hosts with requiresSshRecovery must enable OpenSSH.";
}
{
assertion = config.services.openssh.settings.PasswordAuthentication == false;
message = "Hosts with requiresSshRecovery must disable SSH password authentication.";
}
{
assertion =
let
rootLogin = config.services.openssh.settings.PermitRootLogin;
in
rootLogin == false || rootLogin == "no";
message = "Hosts with requiresSshRecovery must disable SSH root login.";
}
{
assertion = host.sshRecoveryUsers != [ ];
message = "Hosts with requiresSshRecovery must declare at least one sshRecoveryUser.";
}
{
assertion = missingUsers == [ ];
message =
"All sshRecoveryUsers must exist on the host. Missing: "
+ lib.concatStringsSep ", " missingUsers;
}
{
assertion = usersWithoutKeys == [ ];
message =
"All sshRecoveryUsers must have plain authorizedSshKeys. Missing keys for: "
+ lib.concatStringsSep ", " usersWithoutKeys;
}
{
assertion = host.sopsHostSshKeyPath != null;
message = "Hosts with requiresSshRecovery must set sopsHostSshKeyPath.";
}
{
assertion = config.services.openssh.openFirewall || lib.elem 22 config.networking.firewall.allowedTCPPorts;
message = "Hosts with requiresSshRecovery must expose SSH through the firewall.";
}
]
);
};
};
in
{ ... }:
{
lux.services._.openssh = den.lib.parametric.exactly {
includes = [ hostConfig ];
};
flake.modules.nixos.openssh =
{
config,
lib,
host ? {
isServer = false;
},
...
}:
let
hostUserNames = builtins.attrNames (
lib.filterAttrs (_: user: user.isNormalUser or false) config.users.users
);
in
{
services.openssh = {
enable = true;
openFirewall = host.isServer;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
AllowUsers = hostUserNames;
};
};
};
}
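Review bot: The assertions that stopped a host from being deployed unreachable — at least one allowed user with a key, root login and password auth off, sshd let through the firewall — are gone, and `AllowUsers` is now every `isNormalUser` account whether or not it has an authorized key. With `PasswordAuthentication = false` a host whose users have no keys is silently locked out, and the `host ? { isServer = false; }` default means a module evaluated without `host` in its arguments quietly closes the firewall to SSH instead of failing. The `users.users.*.openssh.authorizedKeys.keys` wiring from `authorizedSshKeys` also no longer lives here; unless it moved to one of the other 71 files, nothing on this page provisions keys at all. I would keep a minimal lockout guard in the module, since `lib` and `config` are already in scope.
```nix
    let
      hostUserNames = builtins.attrNames (
        lib.filterAttrs (_: user: user.isNormalUser or false) config.users.users
      );
      # Users that can actually log in once password auth is off.
      usersWithKeys = lib.filter (
        u: (config.users.users.${u}.openssh.authorizedKeys.keys or [ ]) != [ ]
      ) hostUserNames;
    in
    {
      # … unchanged: services.openssh block …
      assertions = [
        {
          assertion = hostUserNames != [ ];
          message = "openssh: no normal users on this host; AllowUsers would be empty.";
        }
        {
          assertion = usersWithKeys != [ ];
          message = "openssh: PasswordAuthentication is off and no allowed user has an authorized key; the host would be unreachable over SSH.";
        }
      ];
    }
```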
+6 -8
@@ -1,13 +1,11 @@
{ ... }:
{
lux.qbittorrent = {
nixos = {
services.qbittorrent = {
enable = true;
openFirewall = true;
torrentingPort = 43864;
webuiPort = 8123;
};
flake.modules.nixos.qbittorrent = {
services.qbittorrent = {
enable = true;
openFirewall = true;
torrentingPort = 43864;
webuiPort = 8123;
};
};
}
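Review bot: `webuiPort = 8123` gets neither a Caddy vhost nor an explicit loopback bind, unlike the other services in this commit (actual, gitea and radicale all bind to `127.0.0.1` behind Caddy), and `openFirewall = true` sits right next to it. Whether the WebUI is reachable from the network depends on what the nixpkgs module opens — as far as I recall it opens only `torrentingPort`, so the WebUI would stay behind the default-closed firewall, but that is an assumption worth pinning rather than relying on. Add `# WebUI on 8123 is deliberately not exposed: openFirewall only opens torrentingPort` (and, if the module offers a WebUI bind-address setting, set it to loopback) so the intent survives the next nixpkgs bump.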
+20 -26
@@ -1,33 +1,27 @@
{ den, ... }:
{
lux.services._.radicale = den.lib.perHost (
{ host }:
flake.modules.nixos.radicale =
{ ... }:
{
nixos =
{ config, ... }:
{
services.radicale = {
enable = true;
settings = {
server.hosts = [ "127.0.0.1:5232" ];
services.radicale = {
enable = true;
settings = {
server.hosts = [ "127.0.0.1:5232" ];
auth = {
type = "htpasswd";
htpasswd_filename = "/var/lib/radicale/users";
htpasswd_encryption = "bcrypt";
};
storage.filesystem_folder = "/var/lib/radicale/collections";
};
auth = {
type = "htpasswd";
htpasswd_filename = "/var/lib/radicale/users";
htpasswd_encryption = "bcrypt";
};
services.caddy.virtualHosts."radicale.${host.serviceDomain}".extraConfig = ''
reverse_proxy :5232 {
header_up X-Script-Name /
header_up X-Forwarded-For {remote}
header_up X-Remote-User {http.auth.user.id}
}'';
storage.filesystem_folder = "/var/lib/radicale/collections";
};
}
);
};
services.caddy.virtualHosts."radicale.jelles.net".extraConfig = ''
reverse_proxy :5232 {
header_up X-Script-Name /
header_up X-Forwarded-For {remote}
header_up X-Remote-User {http.auth.user.id}
}'';
};
}
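Review bot: `header_up X-Remote-User {http.auth.user.id}` is dead configuration in this vhost: Radicale is set to `auth.type = "htpasswd"`, so it never reads that header, and no Caddy authentication directive precedes the `reverse_proxy`, so the placeholder is empty anyway. Drop the line, or if Caddy-side auth is the plan, annotate it `# only meaningful with auth.type = "http_x_remote_user" and a basic_auth in front of the proxy`. `header_up X-Forwarded-For {remote}` looks redundant as well — Caddy's reverse_proxy already forwards the client IP, and `{remote}` is the address with port as far as I recall Caddy's placeholders, so Radicale would log `ip:port`; confirm against the Caddy version deployed before removing it.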
+5 -6
@@ -1,20 +1,19 @@
{ den, ... }:
{
lux.services._.vaultwarden = den.lib.perHost ({ host }: {
nixos = { config, ... }: {
flake.modules.nixos.vaultwarden =
{ config, ... }:
{
services.vaultwarden = {
enable = true;
backupDir = "/var/backup/vaultwarden";
config = {
DOMAIN = "https://vault.${host.serviceDomain}";
DOMAIN = "https://vault.jelles.net";
SIGNUPS_ALLOWED = false;
ROCKET_PORT = 8100;
ROCKET_LOG = "critical";
};
};
services.caddy.virtualHosts."vault.${host.serviceDomain}".extraConfig =
services.caddy.virtualHosts."vault.jelles.net".extraConfig =
"reverse_proxy :${toString config.services.vaultwarden.config.ROCKET_PORT}";
};
});
}
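Review bot: `ROCKET_ADDRESS` is not set, so Vaultwarden keeps its documented default of listening on all interfaces on `ROCKET_PORT = 8100`, while every other service in this commit binds explicitly to loopback (actual `hostname = "127.0.0.1"`, gitea `HTTP_ADDR = "127.0.0.1"`, radicale `127.0.0.1:5232`). Caddy only ever talks to `:8100` on localhost, so add `ROCKET_ADDRESS = "127.0.0.1";` beside `ROCKET_PORT` and stop relying on the host firewall alone to keep the unauthenticated-by-TLS backend off the network; the default-of-all-interfaces claim is from Vaultwarden's config documentation, confirm against the deployed version. `SIGNUPS_ALLOWED = false` and the explicit `DOMAIN` are the right settings to carry over.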