diff --git a/hosts/nixos/porthos/secrets/pyload/credentials.age b/hosts/nixos/porthos/secrets/pyload/credentials.age new file mode 100644 index 0000000..089f962 --- /dev/null +++ b/hosts/nixos/porthos/secrets/pyload/credentials.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 cKojmg nJbOfp0/wmFOZLzcWjoGB7wEB8e56aO1NntSmn5KomU +/Vio4Z/t7IPJrdzdwUPidVH3wrouSkwRzNHP0T4z3x0 +-> ssh-ed25519 jPowng QXg/xqs7/VfkYQg3X77w4i53q64bL9oYeTxqb9NVhiQ +sMHIXlmrIxtIr+s0X4lBqev/PPd3AKD5P7AP5K4NeJg +--- gzTn+6+aa4Ptic1lsvSt+r3IEBysHrvMMIyONogMDF0 +ˮUE_ a -bindurl www.google.com F hint -Jbc #search div:not(.action-menu) > a +bindurl www.google.com f hint -Jc #search a +bindurl www.google.com F hint -Jbc #search a " Only hint search results on DuckDuckGo bindurl ^https://duckduckgo.com f hint -Jc [data-testid="result-title-a"] diff --git a/modules/home/x/keyboard/default.nix b/modules/home/keyboard/default.nix similarity index 50% rename from modules/home/x/keyboard/default.nix rename to modules/home/keyboard/default.nix index 40af800..2216a08 100644 --- a/modules/home/x/keyboard/default.nix +++ b/modules/home/keyboard/default.nix @@ -1,8 +1,12 @@ { config, lib, ... }: let - cfg = config.my.home.x; + cfg = config.my.home.keyboard; in { + options.my.home.keyboard = with lib; { + enable = my.mkDisableOption "keyboard configuration"; + }; + config = lib.mkIf cfg.enable { home.keyboard = { layout = "fr"; diff --git a/modules/home/mpv/default.nix b/modules/home/mpv/default.nix index 9aef379..931c252 100644 --- a/modules/home/mpv/default.nix +++ b/modules/home/mpv/default.nix @@ -13,6 +13,7 @@ in scripts = [ pkgs.mpvScripts.mpris # Allow controlling using media keys + pkgs.mpvScripts.uosc # Nicer UI ]; }; }; diff --git a/modules/home/wm/i3bar/default.nix b/modules/home/wm/i3bar/default.nix index 5dbb505..5ae0e7d 100644 --- a/modules/home/wm/i3bar/default.nix +++ b/modules/home/wm/i3bar/default.nix 
@@ -74,7 +74,7 @@ in ) { block = "net"; - format = " $icon{| $ssid|} $ip{| $signal_strength|} "; + format = " $icon{| $ssid|}{| $ip|}{| $signal_strength|} "; } { block = "backlight"; diff --git a/modules/home/x/default.nix b/modules/home/x/default.nix index 0312bc4..c320e52 100644 --- a/modules/home/x/default.nix +++ b/modules/home/x/default.nix @@ -3,10 +3,6 @@ let cfg = config.my.home.x; in { - imports = [ - ./keyboard - ]; - options.my.home.x = with lib; { enable = mkEnableOption "X server configuration"; }; diff --git a/modules/nixos/services/blog/default.nix b/modules/nixos/services/blog/default.nix index 4b646c3..3e68df2 100644 --- a/modules/nixos/services/blog/default.nix +++ b/modules/nixos/services/blog/default.nix @@ -5,11 +5,10 @@ let domain = config.networking.domain; makeHostInfo = subdomain: { - inherit subdomain; root = "/var/www/${subdomain}"; }; - hostsInfo = map makeHostInfo [ "cv" "dev" "key" ]; + hostsInfo = lib.flip lib.genAttrs makeHostInfo [ "cv" "dev" "key" ]; in { options.my.services.blog = { diff --git a/modules/nixos/services/calibre-web/default.nix b/modules/nixos/services/calibre-web/default.nix index 858851c..b7bf9df 100644 --- a/modules/nixos/services/calibre-web/default.nix +++ b/modules/nixos/services/calibre-web/default.nix @@ -40,12 +40,11 @@ in # Set-up media group users.groups.media = { }; - my.services.nginx.virtualHosts = [ - { - subdomain = "library"; + my.services.nginx.virtualHosts = { + library = { inherit (cfg) port; - } - ]; + }; + }; my.services.backup = { paths = [ diff --git a/modules/nixos/services/default.nix b/modules/nixos/services/default.nix index b27570d..cb06808 100644 --- a/modules/nixos/services/default.nix +++ b/modules/nixos/services/default.nix @@ -26,6 +26,7 @@ ./podgrab ./postgresql ./postgresql-backup + ./pyload ./quassel ./rss-bridge ./sabnzbd diff --git a/modules/nixos/services/drone/server/default.nix b/modules/nixos/services/drone/server/default.nix index d651f85..a3a1e49 100644 
--- a/modules/nixos/services/drone/server/default.nix +++ b/modules/nixos/services/drone/server/default.nix @@ -45,11 +45,10 @@ in }]; }; - my.services.nginx.virtualHosts = [ - { - subdomain = "drone"; + my.services.nginx.virtualHosts = { + drone = { inherit (cfg) port; - } - ]; + }; + }; }; } diff --git a/modules/nixos/services/flood/default.nix b/modules/nixos/services/flood/default.nix index ff5d941..155e73d 100644 --- a/modules/nixos/services/flood/default.nix +++ b/modules/nixos/services/flood/default.nix @@ -40,11 +40,10 @@ in }; }; - my.services.nginx.virtualHosts = [ - { - subdomain = "flood"; + my.services.nginx.virtualHosts = { + flood = { inherit (cfg) port; - } - ]; + }; + }; }; } diff --git a/modules/nixos/services/gitea/default.nix b/modules/nixos/services/gitea/default.nix index 00ba941..4a8a3bb 100644 --- a/modules/nixos/services/gitea/default.nix +++ b/modules/nixos/services/gitea/default.nix @@ -116,18 +116,16 @@ in }; users.groups.git = { }; - my.services.nginx.virtualHosts = [ + my.services.nginx.virtualHosts = { # Proxy to Gitea - { - subdomain = "git"; + git = { inherit (cfg) port; - } + }; # Redirect `gitea.` to actual forge subdomain - { - subdomain = "gitea"; + gitea = { redirect = config.services.gitea.settings.server.ROOT_URL; - } - ]; + }; + }; my.services.backup = { paths = [ diff --git a/modules/nixos/services/indexers/default.nix b/modules/nixos/services/indexers/default.nix index fb06a0b..8a42345 100644 --- a/modules/nixos/services/indexers/default.nix +++ b/modules/nixos/services/indexers/default.nix @@ -28,12 +28,11 @@ in }; }; - my.services.nginx.virtualHosts = [ - { - subdomain = "jackett"; + my.services.nginx.virtualHosts = { + jackett = { port = jackettPort; - } - ]; + }; + }; }) (lib.mkIf cfg.nzbhydra.enable { 
@@ -41,12 +40,11 @@ in enable = true; }; - my.services.nginx.virtualHosts = [ - { - subdomain = "nzbhydra"; + my.services.nginx.virtualHosts = { + nzbhydra = { port = nzbhydraPort; - } - ]; + }; + }; }) (lib.mkIf cfg.prowlarr.enable { @@ -54,12 +52,11 @@ in enable = true; }; - my.services.nginx.virtualHosts = [ - { - subdomain = "prowlarr"; + my.services.nginx.virtualHosts = { + prowlarr = { port = prowlarrPort; - } - ]; + }; + }; services.fail2ban.jails = { prowlarr = '' diff --git a/modules/nixos/services/jellyfin/default.nix b/modules/nixos/services/jellyfin/default.nix index 2fcf51e..9efe11e 100644 --- a/modules/nixos/services/jellyfin/default.nix +++ b/modules/nixos/services/jellyfin/default.nix @@ -17,9 +17,8 @@ in # Set-up media group users.groups.media = { }; - my.services.nginx.virtualHosts = [ - { - subdomain = "jellyfin"; + my.services.nginx.virtualHosts = { + jellyfin = { port = 8096; extraConfig = { locations."/" = { @@ -33,7 +32,7 @@ in proxyWebsockets = true; }; }; - } - ]; + }; + }; }; } diff --git a/modules/nixos/services/lohr/default.nix b/modules/nixos/services/lohr/default.nix index 245567c..dd4eea8 100644 --- a/modules/nixos/services/lohr/default.nix +++ b/modules/nixos/services/lohr/default.nix @@ -98,11 +98,10 @@ in }; users.groups.lohr = { }; - my.services.nginx.virtualHosts = [ - { - subdomain = "lohr"; + my.services.nginx.virtualHosts = { + lohr = { inherit (cfg) port; - } - ]; + }; + }; }; } diff --git a/modules/nixos/services/matrix/default.nix b/modules/nixos/services/matrix/default.nix index 52b60c5..bd2a017 100644 --- a/modules/nixos/services/matrix/default.nix +++ b/modules/nixos/services/matrix/default.nix @@ -117,10 +117,9 @@ in }; }; - my.services.nginx.virtualHosts = [ + my.services.nginx.virtualHosts = { # Element Web app deployment - { - subdomain = "chat"; + chat = { root = pkgs.element-web.override { conf = { default_server_config = { 
@@ -145,22 +144,19 @@ in }; }; }; - } + }; # Dummy VHosts for port collision detection - { - subdomain = "matrix-federation"; + matrix-federation = { port = federationPort.private; - } - { - subdomain = "matrix-client"; + }; + matrix-client = { port = clientPort.private; - } + }; # Sliding sync - { - subdomain = "matrix-sync"; + matrix-sync = { inherit (cfg.slidingSync) port; - } - ]; + }; + }; # Those are too complicated to use my wrapper... services.nginx.virtualHosts = { diff --git a/modules/nixos/services/miniflux/default.nix b/modules/nixos/services/miniflux/default.nix index 6d9ffc8..5104c8b 100644 --- a/modules/nixos/services/miniflux/default.nix +++ b/modules/nixos/services/miniflux/default.nix @@ -43,11 +43,10 @@ in }; }; - my.services.nginx.virtualHosts = [ - { - subdomain = "reader"; + my.services.nginx.virtualHosts = { + reader = { inherit (cfg) port; - } - ]; + }; + }; }; } diff --git a/modules/nixos/services/monitoring/default.nix b/modules/nixos/services/monitoring/default.nix index 829bfe0..49919c1 100644 --- a/modules/nixos/services/monitoring/default.nix +++ b/modules/nixos/services/monitoring/default.nix @@ -125,11 +125,10 @@ in ]; }; - my.services.nginx.virtualHosts = [ - { - subdomain = "monitoring"; + my.services.nginx.virtualHosts = { + monitoring = { inherit (cfg.grafana) port; - } - ]; + }; + }; }; } diff --git a/modules/nixos/services/navidrome/default.nix b/modules/nixos/services/navidrome/default.nix index 6c001fd..944a97a 100644 --- a/modules/nixos/services/navidrome/default.nix +++ b/modules/nixos/services/navidrome/default.nix @@ -47,11 +47,10 @@ in }; }; - my.services.nginx.virtualHosts = [ - { - subdomain = "music"; + my.services.nginx.virtualHosts = { + music = { inherit (cfg) port; - } - ]; + }; + }; }; } diff --git a/modules/nixos/services/nginx/default.nix b/modules/nixos/services/nginx/default.nix index 6ca2e42..7980ad9 100644 --- a/modules/nixos/services/nginx/default.nix +++ b/modules/nixos/services/nginx/default.nix 
@@ -5,10 +5,11 @@ let domain = config.networking.domain; - virtualHostOption = with lib; types.submodule { + virtualHostOption = with lib; types.submodule ({ name, ... }: { options = { subdomain = mkOption { type = types.str; + default = name; example = "dev"; description = '' Which subdomain, under config.networking.domain, to use @@ -72,7 +73,7 @@ let ''; }; }; - }; + }); in { imports = [ @@ -97,20 +98,18 @@ in }; virtualHosts = mkOption { - type = types.listOf virtualHostOption; - default = [ ]; + type = types.attrsOf virtualHostOption; + default = { }; example = litteralExample '' - [ - { - subdomain = "gitea"; + { + gitea = { + subdomain = "git"; port = 8080; - } - { - subdomain = "dev"; + }; + dev = { root = "/var/www/dev"; - } - { - subdomain = "jellyfin"; + }; + jellyfin = { port = 8096; extraConfig = { locations."/socket" = { @@ -118,8 +117,8 @@ in proxyWebsockets = true; }; }; - } - ] + }; + } ''; description = '' List of virtual hosts to set-up using default settings. @@ -190,7 +189,7 @@ in config = lib.mkIf cfg.enable { assertions = [ ] - ++ (lib.flip builtins.map cfg.virtualHosts ({ subdomain, ... } @ args: + ++ (lib.flip lib.mapAttrsToList cfg.virtualHosts (_: { subdomain, ... } @ args: let conflicts = [ "port" "root" "socket" "redirect" ]; optionsNotNull = builtins.map (v: args.${v} != null) conflicts; @@ -209,7 +208,7 @@ in ports = lib.my.mapFilter (v: v != null) ({ port, ... }: port) - cfg.virtualHosts; + (lib.attrValues cfg.virtualHosts); portCounts = lib.my.countValues ports; nonUniquesCounts = lib.filterAttrs (_: v: v != 1) portCounts; nonUniques = builtins.attrNames nonUniquesCounts; @@ -221,7 +220,7 @@ in map mkAssertion nonUniques ) ++ ( let - subs = map ({ subdomain, ... }: subdomain) cfg.virtualHosts; + subs = lib.mapAttrsToList (_: { subdomain, ... }: subdomain) cfg.virtualHosts; subsCounts = lib.my.countValues subs; nonUniquesCounts = lib.filterAttrs (_: v: v != 1) subsCounts; nonUniques = builtins.attrNames nonUniquesCounts; 
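Review bot: The `virtualHosts` description kept as context under the rewritten example still reads `List of virtual hosts to set-up using default settings.`, although the option type is now `types.attrsOf virtualHostOption`. I would reword it along the lines of `Attribute set of virtual hosts to set-up using default settings; the attribute name is used as the subdomain unless subdomain is set explicitly.`, because `default = name` makes the key itself meaningful to callers. Two different keys can still be given the same `subdomain`, so the duplicate check built from `lib.mapAttrsToList (_: { subdomain, ... }: subdomain)` appears to be the only guard against two services claiming one hostname; a one-line comment there saying so would stop it being removed as redundant.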
@@ -325,7 +324,7 @@ in ]) ); in - lib.my.genAttrs' cfg.virtualHosts mkVHost; + lib.my.genAttrs' (lib.attrValues cfg.virtualHosts) mkVHost; sso = { enable = true; @@ -403,12 +402,11 @@ in }; }; - my.services.nginx.virtualHosts = [ - { - subdomain = "login"; + my.services.nginx.virtualHosts = { + ${cfg.sso.subdomain} = { inherit (cfg.sso) port; - } - ]; + }; + }; networking.firewall.allowedTCPPorts = [ 80 443 ]; diff --git a/modules/nixos/services/nix-cache/default.nix b/modules/nixos/services/nix-cache/default.nix index b3bdbf3..1ce3161 100644 --- a/modules/nixos/services/nix-cache/default.nix +++ b/modules/nixos/services/nix-cache/default.nix @@ -43,11 +43,10 @@ in signKeyPath = cfg.secretKeyFile; }; - my.services.nginx.virtualHosts = [ - { - subdomain = "cache"; + my.services.nginx.virtualHosts = { + cache = { inherit (cfg) port; - } - ]; + }; + }; }; } diff --git a/modules/nixos/services/paperless/default.nix b/modules/nixos/services/paperless/default.nix index 90f6b0c..c40e895 100644 --- a/modules/nixos/services/paperless/default.nix +++ b/modules/nixos/services/paperless/default.nix @@ -143,9 +143,8 @@ in extraGroups = [ "media" ]; }; - my.services.nginx.virtualHosts = [ - { - subdomain = "paperless"; + my.services.nginx.virtualHosts = { + paperless = { inherit (cfg) port; sso = { enable = true; @@ -155,8 +154,8 @@ in extraConfig = { locations."/".proxyWebsockets = true; }; - } - ]; + }; + }; my.services.backup = { paths = [ diff --git a/modules/nixos/services/pirate/default.nix b/modules/nixos/services/pirate/default.nix index 59f9794..e500b54 100644 --- a/modules/nixos/services/pirate/default.nix +++ b/modules/nixos/services/pirate/default.nix @@ -21,12 +21,11 @@ let }; mkRedirection = service: { - my.services.nginx.virtualHosts = [ - { - subdomain = service; + my.services.nginx.virtualHosts = { + ${service} = { port = ports.${service}; - } - ]; + }; + }; }; mkFail2Ban = service: lib.mkIf cfg.${service}.enable { 
diff --git a/modules/nixos/services/podgrab/default.nix b/modules/nixos/services/podgrab/default.nix index 9793d60..5ceebb6 100644 --- a/modules/nixos/services/podgrab/default.nix +++ b/modules/nixos/services/podgrab/default.nix @@ -31,11 +31,10 @@ in inherit (cfg) passwordFile port; }; - my.services.nginx.virtualHosts = [ - { - subdomain = "podgrab"; + my.services.nginx.virtualHosts = { + podgrab = { inherit (cfg) port; - } - ]; + }; + }; }; } diff --git a/modules/nixos/services/pyload/default.nix b/modules/nixos/services/pyload/default.nix new file mode 100644 index 0000000..e6a978f --- /dev/null +++ b/modules/nixos/services/pyload/default.nix @@ -0,0 +1,66 @@ +{ config, lib, ... }: +let + cfg = config.my.services.pyload; +in +{ + imports = [ + ./nixos.nix + ]; + + options.my.services.pyload = with lib; { + enable = mkEnableOption "pyload download manager"; + + credentialsFile = mkOption { + type = types.path; + example = "/run/secrets/pyload-credentials.env"; + description = "pyload credentials"; + }; + + downloadDirectory = mkOption { + type = types.str; + default = "/data/downloads"; + example = "/var/lib/pyload/download"; + description = "Download directory"; + }; + + port = mkOption { + type = types.port; + default = 9093; + example = 8080; + description = "Internal port for webui"; + }; + }; + + config = lib.mkIf cfg.enable { + services.pyload = { + enable = true; + + # Listening on `localhost` leads to 502 with the reverse proxy... + listenAddress = "127.0.0.1"; + + inherit (cfg) + credentialsFile + downloadDirectory + port + ; + }; + + # User media group when downloading files + systemd. services. pyload = { + serviceConfig = { + Group = lib.mkForce "media"; + }; + }; + + # Set-up media group + users.groups.media = { }; + + my.services.nginx.virtualHosts = { + pyload = { + inherit (cfg) port; + }; + }; + + # FIXME: fail2ban + }; +} 
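Review bot: The new `pyload` virtual host in `modules/nixos/services/pyload/default.nix` is published with only `inherit (cfg) port;`, and the trailing `# FIXME: fail2ban` confirms that nothing throttles login attempts against the web UI yet. Until a jail exists, consider gating the vhost the way the paperless module on this page does, by adding `sso = { enable = true; };` inside `pyload = { ... }` (check first that this does not break clients that need the pyload API). Separately, `credentialsFile` is typed `types.path`; a Nix path literal passed here would presumably be copied into the world-readable store when the unit is rendered, so `types.str`, or a description stating that it must be a runtime path like the `/run/secrets/...` example, would be safer. The comment `# User media group when downloading files` presumably means `# Use media group when downloading files`.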
diff --git a/modules/nixos/services/pyload/nixos.nix b/modules/nixos/services/pyload/nixos.nix
new file mode 100644
index 0000000..5ce7d7c
--- /dev/null
+++ b/modules/nixos/services/pyload/nixos.nix
@@ -0,0 +1,144 @@
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.services.pyload;
+
+ stateDir = "/var/lib/pyload";
+ userDir = "${stateDir}/config";
+in
+{
+ options = with lib; {
+ services.pyload = {
+ enable = mkEnableOption "pyload download manager";
+
+ package = mkPackageOption pkgs "pyload-ng" { };
+
+ listenAddress = mkOption {
+ type = types.str;
+ default = "localhost";
+ example = "0.0.0.0";
+ description = "Address to listen on for the web UI.";
+ };
+
+ port = mkOption {
+ type = types.port;
+ default = 8000;
+ example = 9876;
+ description = "Port to listen on for the web UI.";
+ };
+
+ downloadDirectory = mkOption {
+ type = types.path;
+ default = "${stateDir}/downloads";
+ example = "/mnt/downloads";
+ description = "Directory to store downloads";
+ };
+
+ credentialsFile = mkOption {
+ type = with types; nullOr path;
+ default = null;
+ example = "/run/secrets/pyload-credentials.env";
+ description = ''
+ File containing PYLOAD_DEFAULT_USERNAME and PYLOAD_DEFAULT_PASSWORD
+ in the format of an EnvironmentFile=, as described by systemd.exec(5).
+
+ If not given, they default to the username/password combo of
+ pyload/pyload.
+ '';
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.tmpfiles.rules = [
+ "d ${cfg.downloadDirectory}"
+ ];
+
+ systemd.services.pyload = {
+ description = "pyload service";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+
+ # NOTE: unlike what the documentation says, it looks like `HOME` is not
+ # defined with this service definition...
+ # Since pyload tries to do the equivalent of `cd ~`, it needs to be able
+ # to resolve $HOME, which fails when `RootDirectory` is set.
+ # FIXME: check if `SetLoginEnvironment` fixes this issue in version 255
+ environment = {
+ HOME = stateDir;
+ PYLOAD__WEBUI__HOST = cfg.listenAddress;
+ PYLOAD__WEBUI__PORT = builtins.toString cfg.port;
+ };
+
+ serviceConfig = {
+ # FIXME: use getExe
+ ExecStart = "${lib.getExe' cfg.package "pyload"} ${lib.escapeShellArgs [
+ "--userdir" userDir
+ "--storagedir" cfg.downloadDirectory
+ ]}";
+
+ User = "pyload";
+ Group = "pyload";
+ DynamicUser = true;
+
+ EnvironmentFile = lib.optional (cfg.credentialsFile != null) cfg.credentialsFile;
+
+ StateDirectory = "pyload";
+ WorkingDirectory = stateDir;
+ RuntimeDirectory = "pyload";
+ RuntimeDirectoryMode = "0700";
+ RootDirectory = "/run/pyload";
+ BindReadOnlyPaths = [
+ builtins.storeDir # Needed to run the python interpreter
+ ];
+ BindPaths = [
+ cfg.downloadDirectory
+ ];
+
+ # Hardening options
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ];
+ UMask = "0002";
+ CapabilityBoundingSet = [
+ "~CAP_BLOCK_SUSPEND"
+ "~CAP_BPF"
+ "~CAP_CHOWN"
+ "~CAP_IPC_LOCK"
+ "~CAP_KILL"
+ "~CAP_LEASE"
+ "~CAP_LINUX_IMMUTABLE"
+ "~CAP_NET_ADMIN"
+ "~CAP_SYS_ADMIN"
+ "~CAP_SYS_BOOT"
+ "~CAP_SYS_CHROOT"
+ "~CAP_SYS_NICE"
+ "~CAP_SYS_PACCT"
+ "~CAP_SYS_PTRACE"
+ "~CAP_SYS_RESOURCE"
+ "~CAP_SYS_TTY_CONFIG"
+ ];
+ };
+ };
+ };
+}
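Review bot: `credentialsFile` defaults to `null`, and its own description says the account then falls back to `pyload`/`pyload`, so enabling `services.pyload` without a file starts a web UI protected by publicly documented credentials; the `os.getenv(..., APPID)` fallback in `declarative-default-user.patch` is the other half of the same behaviour. The module should make that state visible at evaluation time, for example by adding `warnings = lib.optional (cfg.credentialsFile == null) "services.pyload: credentialsFile is unset, the default pyload/pyload login is active";` inside the `config` block, or by turning it into an assertion whenever `listenAddress` is not a loopback address. The `example = "0.0.0.0"` on `listenAddress` would also benefit from a sentence in its description saying the UI should stay behind a reverse proxy. The tmpfiles rule `"d ${cfg.downloadDirectory}"` gives no mode or owner, so whether the `DynamicUser` can write to a freshly created directory should be confirmed.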
diff --git a/modules/nixos/services/sabnzbd/default.nix b/modules/nixos/services/sabnzbd/default.nix index 7ab145f..9e0d9c3 100644 --- a/modules/nixos/services/sabnzbd/default.nix +++ b/modules/nixos/services/sabnzbd/default.nix @@ -18,12 +18,11 @@ in # Set-up media group users.groups.media = { }; - my.services.nginx.virtualHosts = [ - { - subdomain = "sabnzbd"; + my.services.nginx.virtualHosts = { + sabnzbd = { inherit port; - } - ]; + }; + }; services.fail2ban.jails = { sabnzbd = '' diff --git a/modules/nixos/services/tandoor-recipes/default.nix b/modules/nixos/services/tandoor-recipes/default.nix index 541e198..f5dc2db 100644 --- a/modules/nixos/services/tandoor-recipes/default.nix +++ b/modules/nixos/services/tandoor-recipes/default.nix @@ -70,11 +70,10 @@ in ]; }; - my.services.nginx.virtualHosts = [ - { - subdomain = "recipes"; + my.services.nginx.virtualHosts = { + recipes = { inherit (cfg) port; - } - ]; + }; + }; }; } diff --git a/modules/nixos/services/transmission/default.nix b/modules/nixos/services/transmission/default.nix index 28df477..aeb88b7 100644 --- a/modules/nixos/services/transmission/default.nix +++ b/modules/nixos/services/transmission/default.nix @@ -80,12 +80,11 @@ in # Default transmission webui, I prefer combustion but its development # seems to have stalled - my.services.nginx.virtualHosts = [ - { - subdomain = "transmission"; + my.services.nginx.virtualHosts = { + transmission = { inherit (cfg) port; - } - ]; + }; + }; networking.firewall = { allowedTCPPorts = [ cfg.peerPort ]; diff --git a/modules/nixos/services/vikunja/default.nix b/modules/nixos/services/vikunja/default.nix index 8c051b0..9767d00 100644 --- a/modules/nixos/services/vikunja/default.nix +++ b/modules/nixos/services/vikunja/default.nix 
@@ -59,9 +59,8 @@ in }; # This is a weird setup - my.services.nginx.virtualHosts = [ - { - inherit subdomain; + my.services.nginx.virtualHosts = { + ${subdomain} = { # Serve the root for the web-ui root = config.services.vikunja.package-frontend; @@ -80,8 +79,8 @@ in }; }; }; - } - ]; + }; + }; systemd.services.vikunja-api = { serviceConfig = { diff --git a/modules/nixos/services/woodpecker/server/default.nix b/modules/nixos/services/woodpecker/server/default.nix index cebbc9b..f02a5c5 100644 --- a/modules/nixos/services/woodpecker/server/default.nix +++ b/modules/nixos/services/woodpecker/server/default.nix @@ -52,16 +52,14 @@ in }]; }; - my.services.nginx.virtualHosts = [ - { - subdomain = "woodpecker"; + my.services.nginx.virtualHosts = { + woodpecker = { inherit (cfg) port; - } + }; # I might want to be able to RPC from other hosts in the future - { - subdomain = "woodpecker-rpc"; + woodpecker-rpc = { port = cfg.rpcPort; - } - ]; + }; + }; }; } diff --git a/overlays/pyload-declarative-user-management/declarative-config.patch b/overlays/pyload-declarative-user-management/declarative-config.patch new file mode 100644 index 0000000..42f89ee --- /dev/null +++ b/overlays/pyload-declarative-user-management/declarative-config.patch @@ -0,0 +1,18 @@ +diff --git a/src/pyload/core/__init__.py b/src/pyload/core/__init__.py +index 4324fc700..5d915a85e 100644 +--- a/src/pyload/core/__init__.py ++++ b/src/pyload/core/__init__.py +@@ -128,6 +128,13 @@ class Core: + else: + self._debug = max(0, int(debug)) + ++ # Allow setting any option declaratively, for the NixOS module ++ for env, value in os.environ.items(): ++ if not env.startswith("PYLOAD__"): ++ continue ++ section, opt = env.removeprefix("PYLOAD__").lower().split("__") ++ self.config.set(section, opt, value) ++ + # If no argument set, read storage dir from config file, + # otherwise save setting to config dir + if storagedir is None: 
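Review bot: In `declarative-config.patch`, `section, opt = env.removeprefix("PYLOAD__").lower().split("__")` raises `ValueError` for any variable that does not contain exactly one further `__` (a hypothetical `PYLOAD__DEBUG`, or an option name that itself contains a double underscore), which aborts `Core.__init__` during startup. Using `section, sep, opt = env.removeprefix("PYLOAD__").lower().partition("__")` followed by `if not sep or not opt: continue` keeps a stray variable from taking the service down. The loop also passes every `PYLOAD__*` variable in the environment, including anything placed in the credentials `EnvironmentFile`, to `self.config.set` as a raw string; whether `config.set` rejects unknown sections, converts types, or persists the value to the on-disk config is not visible here and should be confirmed and noted in the comment above the loop. Only part of `Core.__init__` is shown in the inner hunk.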
diff --git a/overlays/pyload-declarative-user-management/declarative-default-user.patch b/overlays/pyload-declarative-user-management/declarative-default-user.patch
new file mode 100644
index 0000000..3c3e6f4
--- /dev/null
+++ b/overlays/pyload-declarative-user-management/declarative-default-user.patch
@@ -0,0 +1,15 @@
+diff --git a/src/pyload/core/__init__.py b/src/pyload/core/__init__.py
+index 4324fc700..f7fcd66ec 100644
+--- a/src/pyload/core/__init__.py
++++ b/src/pyload/core/__init__.py
+@@ -46,8 +46,8 @@ class Exit(Exception):
+ # improve external scripts
+ class Core:
+ LOCALE_DOMAIN = APPID
+- DEFAULT_USERNAME = APPID
+- DEFAULT_PASSWORD = APPID
++ DEFAULT_USERNAME = os.getenv("PYLOAD_DEFAULT_USERNAME", APPID)
++ DEFAULT_PASSWORD = os.getenv("PYLOAD_DEFAULT_PASSWORD", APPID)
+ DEFAULT_DATADIR = os.path.join(
+ os.getenv("APPDATA") or USERHOMEDIR, "pyLoad" if os.name == "nt" else ".pyload"
+ )
diff --git a/overlays/pyload-declarative-user-management/default.nix b/overlays/pyload-declarative-user-management/default.nix
new file mode 100644
index 0000000..475f126
--- /dev/null
+++ b/overlays/pyload-declarative-user-management/default.nix
@@ -0,0 +1,4 @@
+self: _super:
+{
+ pyload-ng = self.callPackage ./package.nix { };
+}
diff --git a/overlays/pyload-declarative-user-management/package.nix b/overlays/pyload-declarative-user-management/package.nix
new file mode 100644
index 0000000..4daa125
--- /dev/null
+++ b/overlays/pyload-declarative-user-management/package.nix
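Review bot: In `declarative-default-user.patch` the password is read with `os.getenv("PYLOAD_DEFAULT_PASSWORD", APPID)` in the `Core` class body, so it is captured once at import time and remains in the process environment, where any child process pyload starts will inherit it. Passing the secret through systemd's `LoadCredential=` and reading the file at the point where the default user is created would keep it out of the environment, at the cost of a somewhat larger patch. It also looks as if these constants only seed the initial account: if pyload creates the default user only when its database has none, changing the secret later will not rotate the password, which is worth confirming and stating in the module's `credentialsFile` description. Only the top of the `Core` class is visible in the inner hunk.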
@@ -0,0 +1,60 @@ +{ lib, fetchPypi, python3 }: + +python3.pkgs.buildPythonApplication rec { + version = "0.5.0b3.dev75"; + pname = "pyload-ng"; + pyproject = true; + + src = fetchPypi { + inherit pname version; + hash = "sha256-1lPIKkZESonDaVCnac0iUu/gCqXVDBhNZrk5S0eC6F0="; + }; + + patches = [ + # Makes it possible to change the default username/password in the module + ./declarative-default-user.patch + ./declarative-config.patch + ]; + + postPatch = '' + # relax version bounds + sed -i 's/\([A-z0-9]*\)~=.*$/\1/' setup.cfg + # not sure what Flask-Session2 is but flask-session works just fine + sed -i '/Flask-Session2/d' setup.cfg + ''; + + propagatedBuildInputs = with python3.pkgs; [ + bitmath + certifi + cheroot + cryptography + filetype + flask + flask-babel + flask-caching + flask-compress + flask-session + flask-themes2 + js2py + pycurl + semver + setuptools + ]; + + passthru.optional-dependencies = { + plugins = with python3.pkgs; [ + beautifulsoup4 # for some plugins + colorlog # colorful console logging + pillow # for some CAPTCHA plugin + send2trash # send some files to trash instead of deleting them + slixmpp # XMPP plugin + ]; + }; + + meta = with lib; { + description = "Free and open-source download manager with support for 1-click-hosting sites"; + homepage = "https://github.com/pyload/pyload"; + license = licenses.agpl3Plus; + maintainers = with maintainers; [ ruby0b ]; + }; +} diff --git a/pkgs/default.nix b/pkgs/default.nix index f5036fe..6b7fce1 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -14,8 +14,6 @@ pkgs.lib.makeScope pkgs.newScope (pkgs: { drone-rsync = pkgs.callPackage ./drone-rsync { }; - drone-scp = pkgs.callPackage ./drone-scp { }; - i3-get-window-criteria = pkgs.callPackage ./i3-get-window-criteria { }; lohr = pkgs.callPackage ./lohr { }; 
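Review bot: The `postPatch` step in `package.nix` strips every `~=` bound from `setup.cfg` and deletes `Flask-Session2`, justified only by the comment `not sure what Flask-Session2 is but flask-session works just fine`. Since that dependency presumably backs the web UI's session handling, the comment should record what was actually verified with the substitute (login, logout, session expiry) instead of leaving it as a guess. The character class in `sed -i 's/\([A-z0-9]*\)~=.*$/\1/'` also covers the punctuation that sits between `Z` and `a`; `[A-Za-z0-9]` states the intent. `meta.maintainers` still lists `ruby0b`, apparently carried over from the upstream expression, which is misleading for a locally patched overlay.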
@@ -30,9 +28,5 @@ pkgs.lib.makeScope pkgs.newScope (pkgs: { unbound-zones-adblock = pkgs.callPackage ./unbound-zones-adblock { }; - unified-hosts-lists = pkgs.callPackage ./unified-hosts-lists { }; - - wifi-qr = pkgs.callPackage ./wifi-qr { }; - zsh-done = pkgs.callPackage ./zsh-done { }; }) diff --git a/pkgs/drone-scp/default.nix b/pkgs/drone-scp/default.nix deleted file mode 100644 index 7437b06..0000000 --- a/pkgs/drone-scp/default.nix +++ /dev/null @@ -1,25 +0,0 @@ -{ lib, buildGoModule, fetchFromGitHub }: -buildGoModule rec { - pname = "drone-scp"; - version = "1.6.3"; - - src = fetchFromGitHub { - owner = "appleboy"; - repo = "drone-scp"; - rev = "v${version}"; - hash = "sha256-ELjPqoRR4O6gmc/PgthQuSXuSTQNzBZoAUT80zVVbV0="; - }; - - vendorHash = "sha256-/c103hTJ/Qdz2KTkdl/ACvAaSSTKcl1DQY3+Us6OxaI="; - - doCheck = false; # Needs a specific user... - - meta = with lib; { - description = '' - Copy files and artifacts via SSH using a binary, docker or Drone CI - ''; - homepage = "https://github.com/appleboy/drone-scp"; - license = licenses.mit; - mainProgram = "drone-scp"; - }; -} diff --git a/pkgs/unbound-zones-adblock/default.nix b/pkgs/unbound-zones-adblock/default.nix index b8392ae..642ac41 100644 --- a/pkgs/unbound-zones-adblock/default.nix +++ b/pkgs/unbound-zones-adblock/default.nix @@ -1,9 +1,9 @@ -{ lib, gawk, stdenvNoCC, unified-hosts-lists }: +{ lib, gawk, stdenvNoCC, stevenblack-blocklist }: stdenvNoCC.mkDerivation { name = "unbound-zones-adblock"; - version = unified-hosts-lists.version; + version = stevenblack-blocklist.rev; - src = unified-hosts-lists; + src = stevenblack-blocklist; dontUnpack = true; 
@@ -18,9 +18,11 @@ stdenvNoCC.mkDerivation { ]; in '' - mkdir -p $out - for file in $src/*; do - ${gawkCmd} $file | tr '[:upper:]' '[:lower:]' | sort -u > $out/$(basename $file) + shopt -s globstar + for file in $src/**/hosts; do + outFile="$out/''${file#$src}" + mkdir -p "$(dirname "$outFile")" + ${gawkCmd} $file | tr '[:upper:]' '[:lower:]' | sort -u > "$outFile" done ''; diff --git a/pkgs/unified-hosts-lists/default.nix b/pkgs/unified-hosts-lists/default.nix deleted file mode 100644 index 6a71fdf..0000000 --- a/pkgs/unified-hosts-lists/default.nix +++ /dev/null @@ -1,34 +0,0 @@ -{ lib, fetchFromGitHub, stdenvNoCC }: -stdenvNoCC.mkDerivation rec { - pname = "unified-hosts-lists"; - version = "3.14.37"; - - src = fetchFromGitHub { - owner = "StevenBlack"; - repo = "hosts"; - rev = version; - hash = "sha256-HoNX57lCoIr36B/7HMuazWSWeAPPfWY1oZf6dXnxYIE="; - }; - - dontUnpack = true; - - installPhase = '' - mkdir -p $out - cp -r $src/hosts $out - for file in $src/alternates/*/hosts; do - cp $file $out/$(basename $(dirname $file)) - done - ''; - - meta = with lib; { - description = "Unified host lists"; - longDescription = '' - Consolidating and extending hosts files from several well-curated sources. - Optionally pick extensions for porn, social media, and other categories. - ''; - homepage = "https://github.com/StevenBlack/hosts"; - license = licenses.mit; - maintainers = with maintainers; [ ambroisie ]; - platforms = platforms.all; - }; -} diff --git a/pkgs/wifi-qr/default.nix b/pkgs/wifi-qr/default.nix deleted file mode 100644 index 88164e5..0000000 --- a/pkgs/wifi-qr/default.nix +++ /dev/null 
@@ -1,81 +0,0 @@ -{ lib -, fetchFromGitHub -, gnome -, installShellFiles -, makeWrapper -, networkmanager -, qrencode -, stdenvNoCC -, xdg-utils -, zbar -}: -stdenvNoCC.mkDerivation rec { - pname = "wifi-qr"; - version = "unstable-2023-04-19"; - - outputs = [ "out" "man" ]; - - src = fetchFromGitHub { - owner = "kokoye2007"; - repo = "wifi-qr"; - rev = "b81d4a44257252f07e745464879aa5618ae3d434"; - hash = "sha256-oGTAr+raJGpK4PV4GdBxX8fIUE8gcbXw7W0SvQJAee0="; - }; - - nativeBuildInputs = [ - installShellFiles - makeWrapper - ]; - - dontBuild = true; - - dontConfigure = true; - - postPatch = '' - substituteInPlace wifi-qr.desktop \ - --replace "Exec=sh -c 'wifi-qr g'" "Exec=$out/bin/wifi-qr g" \ - --replace "Exec=sh -c 'wifi-qr q'" "Exec=$out/bin/wifi-qr q" \ - --replace "Exec=sh -c 'wifi-qr p'" "Exec=$out/bin/wifi-qr p" \ - --replace "Exec=sh -c 'wifi-qr c'" "Exec=$out/bin/wifi-qr c" \ - --replace "Icon=wifi-qr.svg" "Icon=wifi-qr" - ''; - - installPhase = '' - runHook preInstall - - install -Dm755 wifi-qr $out/bin/wifi-qr - - install -Dm644 wifi-qr.desktop $out/share/applications/wifi-qr.desktop - install -Dm644 wifi-qr.svg $out/share/icons/hicolor/scalable/apps/wifi-qr.svg - - installManPage wifi-qr.1 - - runHook postInstall - ''; - - wrapperPath = lib.makeBinPath [ - gnome.zenity - networkmanager - qrencode - xdg-utils - zbar - ]; - - fixupPhase = '' - runHook preFixup - - patchShebangs $out/bin/wifi-qr - wrapProgram $out/bin/wifi-qr --suffix PATH : "${wrapperPath}" - - runHook postFixup - ''; - - meta = with lib; { - description = "WiFi password sharing via QR codes"; - homepage = "https://github.com/kokoye2007/wifi-qr"; - license = with licenses; [ gpl3Plus ]; - mainProgram = "wifi-qr"; - maintainers = with maintainers; [ ambroisie ]; - platforms = platforms.linux; - }; -}