kiri/lux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Jelle Spreeuwenberg
2026-04-17 00:27:22 +02:00
commit 9af07bedff
80 changed files with 5389 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
modules/features/services/actual.nix Normal file
View File

@@ -0,0 +1,22 @@
{ den, ... }:
{
lux.services._.actual = den.lib.perHost (
{ host, ... }:
{
nixos =
{ config, ... }:
{
services.actual = {
enable = true;
openFirewall = false;
settings = {
port = 3000;
hostname = "127.0.0.1";
};
};
services.caddy.virtualHosts."finance.${host.serviceDomain}".extraConfig =
"reverse_proxy :${toString config.services.actual.settings.port}";
};
}
);
}

10
modules/features/services/caddy.nix Normal file
View File

@@ -0,0 +1,10 @@
{ den, ... }:
{
lux.services._.caddy = den.lib.perHost ({ host }: {
nixos.services.caddy = {
enable = true;
email = "mail@jelles.net";
openFirewall = true;
};
});
}

20
modules/features/services/deluge.nix Normal file
View File

@@ -0,0 +1,20 @@
{
lux.deluge = {
nixos =
{ config, ... }:
{
sops.secrets.deluge-auth-file = { };
services.deluge = {
enable = true;
# For some reason passwords never match??
declarative = false;
};
};
homeManager =
{ pkgs, ... }:
{
home.packages = [ pkgs.deluge ];
};
};
}

36
modules/features/services/gitea.nix Normal file
View File

@@ -0,0 +1,36 @@
{ den, ... }:
{
lux.services._.gitea = den.lib.perHost (
{ host }:
{
nixos =
{ config, ... }:
{
services.gitea = {
enable = true;
settings = {
server = {
DOMAIN = "git.${host.serviceDomain}";
ROOT_URL = "https://git.${host.serviceDomain}/";
HTTP_PORT = 3001;
HTTP_ADDR = "127.0.0.1";
START_SSH_SERVER = false;
SSH_PORT = 22;
};
service = {
DISABLE_REGISTRATION = true;
};
};
};
services.openssh.settings.AllowUsers = [ "gitea" ];
services.caddy.virtualHosts."git.${host.serviceDomain}".extraConfig =
"reverse_proxy :${toString config.services.gitea.settings.server.HTTP_PORT}";
};
}
);
}

80
modules/features/services/openssh.nix Normal file
View File

@@ -0,0 +1,80 @@
{ den, lib, ... }:
let
hostConfig =
{ host }:
{
nixos =
{ config, ... }:
{
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
AllowUsers = lib.attrNames host.users;
};
};
users.users = lib.mapAttrs (_: user: {
openssh.authorizedKeys.keys = user.authorizedSshKeys;
}) host.users;
assertions = lib.optionals host.requiresSshRecovery (
let
missingUsers = lib.filter (userName: !(builtins.hasAttr userName host.users)) host.sshRecoveryUsers;
usersWithoutKeys = lib.filter (
userName:
(builtins.hasAttr userName host.users) && host.users.${userName}.authorizedSshKeys == [ ]
) host.sshRecoveryUsers;
in
[
{
assertion = config.services.openssh.enable;
message = "Hosts with requiresSshRecovery must enable OpenSSH.";
}
{
assertion = config.services.openssh.settings.PasswordAuthentication == false;
message = "Hosts with requiresSshRecovery must disable SSH password authentication.";
}
{
assertion =
let
rootLogin = config.services.openssh.settings.PermitRootLogin;
in
rootLogin == false || rootLogin == "no";
message = "Hosts with requiresSshRecovery must disable SSH root login.";
}
{
assertion = host.sshRecoveryUsers != [ ];
message = "Hosts with requiresSshRecovery must declare at least one sshRecoveryUser.";
}
{
assertion = missingUsers == [ ];
message =
"All sshRecoveryUsers must exist on the host. Missing: "
+ lib.concatStringsSep ", " missingUsers;
}
{
assertion = usersWithoutKeys == [ ];
message =
"All sshRecoveryUsers must have plain authorizedSshKeys. Missing keys for: "
+ lib.concatStringsSep ", " usersWithoutKeys;
}
{
assertion = host.sopsHostSshKeyPath != null;
message = "Hosts with requiresSshRecovery must set sopsHostSshKeyPath.";
}
{
assertion = config.services.openssh.openFirewall || lib.elem 22 config.networking.firewall.allowedTCPPorts;
message = "Hosts with requiresSshRecovery must expose SSH through the firewall.";
}
]
);
};
};
in
{
lux.services._.openssh = den.lib.parametric.exactly {
includes = [ hostConfig ];
};
}

13
modules/features/services/qbittorrent.nix Normal file
View File

@@ -0,0 +1,13 @@
{ ... }:
{
lux.qbittorrent = {
nixos = {
services.qbittorrent = {
enable = true;
openFirewall = true;
torrentingPort = 43864;
webuiPort = 8123;
};
};
};
}

33
modules/features/services/radicale.nix Normal file
View File

@@ -0,0 +1,33 @@
{ den, ... }:
{
lux.services._.radicale = den.lib.perHost (
{ host }:
{
nixos =
{ config, ... }:
{
services.radicale = {
enable = true;
settings = {
server.hosts = [ "127.0.0.1:5232" ];
auth = {
type = "htpasswd";
htpasswd_filename = "/var/lib/radicale/users";
htpasswd_encryption = "bcrypt";
};
storage.filesystem_folder = "/var/lib/radicale/collections";
};
};
services.caddy.virtualHosts."radicale.${host.serviceDomain}".extraConfig = ''
reverse_proxy :5232 {
header_up X-Script-Name /
header_up X-Forwarded-For {remote}
header_up X-Remote-User {http.auth.user.id}
}'';
};
}
);
}

20
modules/features/services/vaultwarden.nix Normal file
View File

@@ -0,0 +1,20 @@
{ den, ... }:
{
lux.services._.vaultwarden = den.lib.perHost ({ host }: {
nixos = { config, ... }: {
services.vaultwarden = {
enable = true;
backupDir = "/var/backup/vaultwarden";
config = {
DOMAIN = "https://vault.${host.serviceDomain}";
SIGNUPS_ALLOWED = false;
ROCKET_PORT = 8100;
ROCKET_LOG = "critical";
};
};
services.caddy.virtualHosts."vault.${host.serviceDomain}".extraConfig =
"reverse_proxy :${toString config.services.vaultwarden.config.ROCKET_PORT}";
};
});
}