Diffstat (limited to 'modules')
-rw-r--r-- | modules/darwin/default.nix | 3 | ||||
-rw-r--r-- | modules/nixos/cloudflare-proxy/default.nix | 109 | ||||
-rw-r--r-- | modules/nixos/default.nix | 19 | ||||
-rw-r--r-- | modules/nixos/disable-screen/default.nix | 61 | ||||
-rw-r--r-- | modules/nixos/duksebot/default.nix | 72 | ||||
-rw-r--r-- | modules/nixos/forsvarsarper/default.nix | 65 | ||||
-rw-r--r-- | modules/nixos/forsvarsarper/script.py | 28 | ||||
-rw-r--r-- | modules/nixos/git.linus.onl/about.html | 5 | ||||
-rw-r--r-- | modules/nixos/git.linus.onl/default.nix | 95 | ||||
-rw-r--r-- | modules/nixos/graphics/default.nix | 37 | ||||
-rw-r--r-- | modules/nixos/hellohtml.linus.onl/default.nix | 60 | ||||
-rw-r--r-- | modules/nixos/linus.onl/default.nix | 100 | ||||
-rw-r--r-- | modules/nixos/nofitications.linus.onl/default.nix | 34 |
13 files changed, 3 insertions, 685 deletions
diff --git a/modules/darwin/default.nix b/modules/darwin/default.nix
index 48f0511..832940f 100644
--- a/modules/darwin/default.nix
+++ b/modules/darwin/default.nix
@@ -1,4 +1,3 @@
 {
- general.still-awake = import ./still-awake;
- personal = {};
+ still-awake = import ./still-awake;
 }
diff --git a/modules/nixos/cloudflare-proxy/default.nix b/modules/nixos/cloudflare-proxy/default.nix
deleted file mode 100644
index 657722d..0000000
--- a/modules/nixos/cloudflare-proxy/default.nix
+++ /dev/null
@@ -1,109 +0,0 @@
-# This module adds some extra configuration useful when running behid a Cloudflare Proxy.
-#
-{
- config,
- lib,
- pkgs,
- ...
-}: let
- inherit (lib.options) mkEnableOption mkOption;
- inherit (lib.modules) mkIf;
- inherit (lib.types) listOf nonEmptyStr port;
-
- # TODO: What happens when these get out of date??? Huh??? You little pissbaby
- fileToList = x: lib.strings.splitString "\n" (builtins.readFile x);
- cfipv4 = fileToList (pkgs.fetchurl {
- url = "https://www.cloudflare.com/ips-v4";
- hash = "sha256-8Cxtg7wBqwroV3Fg4DbXAMdFU1m84FTfiE5dfZ5Onns=";
- });
- cfipv6 = fileToList (pkgs.fetchurl {
- url = "https://www.cloudflare.com/ips-v6";
- hash = "sha256-np054+g7rQDE3sr9U8Y/piAp89ldto3pN9K+KCNMoKk=";
- });
-
- cfg = config.modules.cloudflare-proxy;
-in {
- options.modules.cloudflare-proxy = {
- enable = mkEnableOption "Cloudflare proxy IP extraction for NGINX";
-
- firewall = {
- IPv4Whitelist = mkOption {
- description = "List of IPv4 addresses (or ranges) added to the whitelist.";
- type = listOf nonEmptyStr;
- default = [];
- };
-
- IPv6Whitelist = mkOption {
- description = "List of IPv6 addresses (or ranges) added to the whitelist.";
- type = listOf nonEmptyStr;
- default = [];
- };
- };
- };
-
- config = mkIf cfg.enable {
- # Teach NGINX how to extract the proxied IP from proxied requests.
- #
- # See: https://nixos.wiki/wiki/Nginx#Using_realIP_when_behind_CloudFlare_or_other_CDN
- services.nginx.commonHttpConfig = let
- realIpsFromList = lib.strings.concatMapStringsSep "\n" (x: "set_real_ip_from ${x};");
- in ''
- ${realIpsFromList cfipv4}
- ${realIpsFromList cfipv6}
- real_ip_header CF-Connecting-IP;
- '';
-
- # Block non-Cloudflare IP addresses.
- networking.firewall = let
- chain = "cloudflare-whitelist";
- in {
- extraCommands = let
- allow-interface = lib.strings.concatMapStringsSep "\n" (i: ''ip46tables --append ${chain} --in-interface ${i} --jump RETURN'');
- allow-ip = cmd: lib.strings.concatMapStringsSep "\n" (r: ''${cmd} --append ${chain} --source ${r} --jump RETURN'');
- in ''
- # Flush the old firewall rules. This behavior mirrors the default firewall service.
- # See: https://github.com/NixOS/nixpkgs/blob/ac911bf685eecc17c2df5b21bdf32678b9f88c92/nixos/modules/services/networking/firewall-iptables.nix#L59-L66
- # TEMP: Removed 2>/dev/null
- ip46tables --delete INPUT --protocol tcp --destination-port 80 --syn --jump ${chain} || true
- ip46tables --delete INPUT --protocol tcp --destination-port 443 --syn --jump ${chain} || true
- ip46tables --flush ${chain} || true
- ip46tables --delete-chain ${chain} || true
-
- # Create a chain that only allows whitelisted IPs through.
- ip46tables --new-chain ${chain}
-
- # Allow trusted interfaces through.
- ${allow-interface config.networking.firewall.trustedInterfaces}
-
- # Allow local whitelisted IPs through
- ${allow-ip "iptables" cfg.firewall.IPv4Whitelist}
- ${allow-ip "ip6tables" cfg.firewall.IPv6Whitelist}
-
- # Allow Cloudflare's IP ranges through.
- ${allow-ip "iptables" cfipv4}
- ${allow-ip "ip6tables" cfipv6}
-
- # Everything else is dropped.
- #
- # TODO: I would like to use `nixos-fw-log-refuse` here, but I keep
- # running into weird issues when reloading the firewall.
- # Something about the table not being deleted properly.
- ip46tables --append ${chain} --jump DROP
-
- # Inject our chain as the first check in INPUT (before nixos-fw).
- # We want to capture any new incomming TCP connections.
- ip46tables --insert INPUT 1 --protocol tcp --destination-port 80 --syn --jump ${chain}
- ip46tables --insert INPUT 1 --protocol tcp --destination-port 443 --syn --jump ${chain}
- '';
- extraStopCommands = ''
- # Clean up added rulesets (${chain}). This mirrors the behavior of the
- # default firewall at the time of writing.
- #
- # See: https://github.com/NixOS/nixpkgs/blob/ac911bf685eecc17c2df5b21bdf32678b9f88c92/nixos/modules/services/networking/firewall-iptables.nix#L218-L219
- # TEMP: Removed 2>/dev/null
- ip46tables --delete INPUT --protocol tcp --destination-port 80 --syn --jump ${chain} || true
- ip46tables --delete INPUT --protocol tcp --destination-port 443 --syn --jump ${chain} || true
- '';
- };
- };
-}
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 1393627..b813155 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -1,19 +1,4 @@
 {
- # These components are
- general = {
- on-demand-minecraft = import ./on-demand-minecraft;
- cloudflare-proxy = import ./cloudflare-proxy;
- disable-screen = import ./disable-screen;
- hellohtml = import ./hellohtml;
- };
-
- personal = {
- duksebot = import ./duksebot;
- graphics = import ./graphics;
- "linus.onl" = import ./linus.onl;
- "notifications.linus.onl" = import ./nofitications.linus.onl;
- "git.linus.onl" = import ./git.linus.onl;
- "hellohtml.linus.onl" = import ./hellohtml.linus.onl;
- forsvarsarper = import ./forsvarsarper;
- };
+ on-demand-minecraft = import ./on-demand-minecraft;
+ hellohtml = import ./hellohtml;
 }
diff --git a/modules/nixos/disable-screen/default.nix b/modules/nixos/disable-screen/default.nix
deleted file mode 100644
index 638437a..0000000
--- a/modules/nixos/disable-screen/default.nix
+++ /dev/null
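Review bot: Dropping `cloudflare-proxy` from the module set in modules/nixos/default.nix removes the only place that set `real_ip_header CF-Connecting-IP` with `set_real_ip_from` limited to Cloudflare's published ranges and inserted the iptables chain restricting new connections on ports 80/443 to those ranges, while `hellohtml` stays and its deleted `hellohtml.linus.onl` vhost documented working in tandem with Cloudflare Proxy settings. If any host still fronts the remaining services with Cloudflare, NGINX will now see and log the edge addresses instead of the client's, and direct-to-origin connections are no longer filtered; I can't tell from this diff whether such a host exists. A host still setting `modules.cloudflare-proxy.enable` will fail evaluation on the undefined option, which is at least a loud signal. Since the `general`/`personal` nesting disappears without explanation, a header such as `# Reusable NixOS modules, one attribute per subdirectory.` would help readers of the flat attrset.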
@@ -1,61 +0,0 @@
-# This file defines some configuration options which disable the screen. This
-# is only relevant because this host is an old laptop running as a server.
-{
- lib,
- config,
- ...
-}: let
- inherit (lib) mkEnableOption mkOption mkIf types;
-
- cfg = config.services.disable-screen;
-in {
- options.services.disable-screen = {
- enable = mkEnableOption "disable screen";
-
- device-path = mkOption {
- description = "Path to the device in the `/sys` file system.";
- type = types.str;
- example = "/sys/class/backlight/intel_backlight";
- };
-
- device-unit = mkOption {
- description = "The systemd device unit that corresponds to the device speciefied in `device-path`.";
- type = types.str;
- example = "sys-devices-pci...-intel_backligt.device";
- };
- };
-
- config = mkIf cfg.enable {
- # Disable sleep on lid close.
- services.logind = let
- lidSwitchAction = "ignore";
- in {
- lidSwitchExternalPower = lidSwitchAction;
- lidSwitchDocked = lidSwitchAction;
- lidSwitch = lidSwitchAction;
- };
-
- # Don't store screen brightness between boots. We always want to turn off the
- # screen.
- #
- # See: https://wiki.archlinux.org/title/backlight#Save_and_restore_functionality
- # See: https://github.com/NixOS/nixpkgs/blob/990398921f677615c0732d704857484b84c6c888/nixos/modules/system/boot/systemd.nix#L97-L101
- systemd.suppressedSystemUnits = ["[email protected]"];
-
- # FIXME: Figure out how to enable screen when on-device debugging is necessary.
- # Create a new service which turns off the display on boot.
- #
- # See: https://nixos.wiki/wiki/Backlight#.2Fsys.2Fclass.2Fbacklight.2F...
- # See: https://superuser.com/questions/851846/how-to-write-a-systemd-service-that-depends-on-a-device-being-present
- systemd.services.disable-screen = {
- requires = [cfg.device-unit];
- after = [cfg.device-unit];
- wantedBy = [cfg.device-unit];
-
- serviceConfig.Type = "oneshot";
- script = ''
- tee ${cfg.device-path}/brightness <<<0
- '';
- };
- };
-}
diff --git a/modules/nixos/duksebot/default.nix b/modules/nixos/duksebot/default.nix
deleted file mode 100644
index 4c10cd8..0000000
--- a/modules/nixos/duksebot/default.nix
+++ /dev/null
@@ -1,72 +0,0 @@
-# This module defines an on-demand minecraft server service which turns off the
-# server when it's not being used.
-{
- config,
- lib,
- pkgs,
- modulesPath,
- ...
-}: let
- inherit (lib) mkIf mkOption mkEnableOption types;
-
- cfg = config.services.duksebot;
-in {
- options.services.duksebot = {
- enable = mkEnableOption "duksebot daily reminder";
-
- package = mkOption {
- description = "What package to use";
- default = pkgs.duksebot;
- type = types.package;
- };
- };
-
- config = mkIf cfg.enable {
- # Create a user to run the server under.
- users.users.duksebot = {
- description = "Runs daily dukse reminder";
- group = "duksebot";
- isSystemUser = true;
- home = "/srv/duksebot";
- createHome = true;
- };
- users.groups.duksebot = {};
-
- age.secrets.duksebot-env = {
- file = ../../../secrets/duksebot.env.age;
- owner = config.users.users.duksebot.name;
- group = config.users.users.duksebot.group;
- mode = "0440";
- };
-
- # Create a service which simply runs script. This will be invoked by our timer.
- systemd.services.duksebot = {
- serviceConfig = {
- # We only want to run this once every time the timer triggers it.
- Type = "oneshot";
- # Run as the user we created above.
- User = "duksebot";
- Group = "duksebot";
- WorkingDirectory = config.users.users.duksebot.home;
- };
- script = ''
- # Load the secret environment variables.
- export $(grep -v '^#' ${config.age.secrets.duksebot-env.path} | xargs)
- # Kick off.
- exec "${cfg.package}"/bin/duksebot
- '';
- };
-
- # Create a timer to activate our oneshot service.
- systemd.timers.duksebot = {
- wantedBy = ["timers.target"];
- partOf = ["duksebot.service"];
- after = ["network-online.target"];
- wants = ["network-online.target"];
- timerConfig = {
- OnCalendar = "*-*-* 7:00:00";
- Unit = "duksebot.service";
- };
- };
- };
-}
diff --git a/modules/nixos/forsvarsarper/default.nix b/modules/nixos/forsvarsarper/default.nix
deleted file mode 100644
index 7052f04..0000000
--- a/modules/nixos/forsvarsarper/default.nix
+++ /dev/null
@@ -1,65 +0,0 @@
-# This module defines an on-demand minecraft server service which turns off the
-# server when it's not being used.
-{
- config,
- lib,
- pkgs,
- ...
-}: let
- inherit (lib) mkIf mkEnableOption;
-
- cfg = config.services.forsvarsarper;
-in {
- options.services.forsvarsarper.enable = mkEnableOption "daily scan for tests";
-
- config = mkIf cfg.enable {
- # Create a user to run the server under.
- users.users.forsvarsarper = {
- description = "Runs daily scan for tests";
- group = "forsvarsarper";
- isSystemUser = true;
- home = "/srv/forsvarsarper";
- createHome = true;
- };
- users.groups.forsvarsarper = {};
-
- age.secrets.forsvarsarper-env = {
- file = ../../../secrets/forsvarsarper.env.age;
- owner = config.users.users.forsvarsarper.name;
- group = config.users.users.forsvarsarper.group;
- mode = "0440";
- };
-
- # Create a service which simply runs script. This will be invoked by our timer.
- systemd.services.forsvarsarper = {
- serviceConfig = {
- # We only want to run this once every time the timer triggers it.
- Type = "oneshot";
- # Run as the user we created above.
- User = "forsvarsarper";
- Group = "forsvarsarper";
- WorkingDirectory = config.users.users.forsvarsarper.home;
- };
- script = let
- python3' = pkgs.python3.withPackages (ps: [ps.requests]);
- in ''
- # Load the secret environment variables.
- export $(grep -v '^#' ${config.age.secrets.forsvarsarper-env.path} | xargs)
- # Kick off.
- exec ${python3'}/bin/python3 ${./script.py}
- '';
- };
-
- # Create a timer to activate our oneshot service.
- systemd.timers.forsvarsarper = {
- wantedBy = ["timers.target"];
- partOf = ["forsvarsarper.service"];
- after = ["network-online.target"];
- wants = ["network-online.target"];
- timerConfig = {
- OnCalendar = "*-*-* 8:00:00";
- Unit = "forsvarsarper.service";
- };
- };
- };
-}
diff --git a/modules/nixos/forsvarsarper/script.py b/modules/nixos/forsvarsarper/script.py
deleted file mode 100644
index 7f12508..0000000
--- a/modules/nixos/forsvarsarper/script.py
+++ /dev/null
@@ -1,28 +0,0 @@
-import requests
-import os
-
-URL = "https://karriere.forsvaret.dk/varnepligt/varnepligten/cybervarnepligt/"
-TARGET_PHRASE = "Der er på nuværende tidspunkt ikke planlagt nogen afprøvninger."
-
-try:
- response = requests.get(URL);
- print(f"Forespørgsel til {URL} gav status {response.status_code}")
-except:
- message = "nejj den er ødelagt"
-else:
- if TARGET_PHRASE in response.text:
- message = "der er stadig ikke planlagt nogle afprøvninger"
- else:
- message = "noget har ændret sig på siden!!"
- print(response.text)
-
-token = os.getenv("TOKEN")
-data = {
- "title": "forsvaret status",
- "message": message,
- "url": URL,
-}
-response = requests.post(f"https://notifications.linus.onl/api/send-notification/{token}", json=data)
-print(f"Forespørgsel til at sende notifikation gav status {response.status_code}")
-response.raise_for_status()
-
diff --git a/modules/nixos/git.linus.onl/about.html b/modules/nixos/git.linus.onl/about.html
deleted file mode 100644
index 2d18ca4..0000000
--- a/modules/nixos/git.linus.onl/about.html
+++ /dev/null
@@ -1,5 +0,0 @@
-<p>Welcome! This is where i keep my public repositories.</p>
-<br>
-<br>
-<p>idk.</p>
-<p>what do i say here?</p>
diff --git a/modules/nixos/git.linus.onl/default.nix b/modules/nixos/git.linus.onl/default.nix
deleted file mode 100644
index 88e4f6f..0000000
--- a/modules/nixos/git.linus.onl/default.nix
+++ /dev/null
@@ -1,95 +0,0 @@
-{
- lib,
- config,
- pkgs,
- options,
- metadata,
- ...
-}: let
- inherit (lib) mkEnableOption mkOption types mkIf;
-
- git-shell = "${pkgs.gitMinimal}/bin/git-shell";
-
- cfg = config.modules."git.linus.onl";
-in {
- options.modules."git.linus.onl" = {
- enable = mkEnableOption "git.linus.onl static site";
-
- useACME = mkEnableOption "built-in HTTPS stuff";
-
- location = mkOption {
- description = "Where repositories will be stored.";
- type = types.path;
- default = "/srv/git";
- };
- };
-
- config = mkIf cfg.enable {
- # Create a user which
- # See: https://git-scm.com/book/en/v2/Git-on-the-Server-Setting-Up-the-Server
- users.users.git = {
- description = "Git server user";
- isSystemUser = true;
- group = "git";
-
- # FIXME: Is serving the home-directory of a user (indirectly through CGit) a bad idea?
- home = cfg.location;
- createHome = false;
-
- # Restrict this user to Git-related activities.
- # See: https://git-scm.com/docs/git-shell
- shell = git-shell;
-
- # List of users who can ssh into this server and write to stuff. We add
- # some restrictions on what users can do on the server. This works in
- # tandem with the custom shell.
- openssh.authorizedKeys.keys =
- map (key: "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ${key}")
- [
- metadata.hosts.muhammed.sshPubKey
- ];
- };
- users.groups.git = {};
-
- environment.shells = [git-shell];
-
- # Create repo directory. It must be readable to NGINX.
- # See: https://git.zx2c4.com/cgit/about/faq#why-doesnt-cgit-findshow-my-repo
- system.activationScripts.create-cgit-scan-path = mkIf (cfg.location == options.modules."git.linus.onl".location.default) ''
- mkdir -p ${cfg.location}
- chown ${toString config.users.users.git.name} ${cfg.location}
- chgrp ${toString config.users.groups.git.name} ${cfg.location}
- chmod 755 ${cfg.location}
- '';
-
- # Public git viewer.
- services.cgit."git.linus.onl" = {
- enable = true;
- scanPath = cfg.location;
- settings = {
- root-title = "Linus' public projects";
- root-desc = "hello yes this is the git server";
- root-readme = toString ./about.html;
- };
- extraConfig = ''
- readme=:README.md
- readme=:README.rst
- readme=:README.text
- readme=:README.txt
- readme=:readme.md
- readme=:readme.rst
- readme=:readme.text
- readme=:readme.txt
- '';
- };
-
- # Register domain name.
- services.cloudflare-dyndns.domains = ["git.linus.onl"];
-
- # The CGit service creates the virtual host, but it does not enable ACME.
- services.nginx.virtualHosts."git.linus.onl" = {
- enableACME = cfg.useACME;
- forceSSL = cfg.useACME;
- };
- };
-}
diff --git a/modules/nixos/graphics/default.nix b/modules/nixos/graphics/default.nix
deleted file mode 100644
index f54d043..0000000
--- a/modules/nixos/graphics/default.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-# This module configures a basic graphical environment. I use this sometimes for
-# ahmed when muhammed is being repaired.
-{
- config,
- lib,
- pkgs,
- ...
-}: let
- inherit (lib) mkEnableOption mkIf;
-
- cfg = config.modules.graphics;
-in {
- options.modules.graphics.enable = mkEnableOption "basic graphical environment";
-
- config = mkIf cfg.enable {
- services.xserver.enable = true;
-
- # Match console keyboard layout but swap capslock and escape.
- # TODO: Create a custom keymap with esc/capslock swap so console can use it.
- services.xserver.layout = config.console.keyMap;
- services.xserver.xkbOptions = "caps:swapescape";
-
- # Enable touchpad support.
- services.xserver.libinput.enable = true;
-
- services.xserver.windowManager.dwm.enable = true;
-
- # Enable sound.
- sound.enable = true;
- hardware.pulseaudio.enable = true;
-
- environment.systemPackages = with pkgs; [
- st # suckless terminal - dwm is pretty sucky without this
- dmenu # application launcher
- ];
- };
-}
diff --git a/modules/nixos/hellohtml.linus.onl/default.nix b/modules/nixos/hellohtml.linus.onl/default.nix
deleted file mode 100644
index feb56ba..0000000
--- a/modules/nixos/hellohtml.linus.onl/default.nix
+++ /dev/null
@@ -1,60 +0,0 @@
-{
- lib,
- config,
- ...
-}: let
- inherit (lib) mkEnableOption mkIf;
-
- cfg = config.modules."hellohtml.linus.onl";
-in {
- options.modules."hellohtml.linus.onl" = {
- enable = mkEnableOption "hellohtml.linus.onl site";
-
- useACME = mkEnableOption "built-in HTTPS stuff";
- };
-
- config = mkIf cfg.enable {
- # Start service listening on socket /tmp/hellohtml.sock
- services.hellohtml = {
- enable = true;
- };
-
- # Register domain name.
- services.cloudflare-dyndns.domains = ["hellohtml.linus.onl"];
-
- # Use NGINX as reverse proxy.
- services.nginx.virtualHosts."hellohtml.linus.onl" = {
- enableACME = cfg.useACME;
- forceSSL = cfg.useACME;
- locations."/" = rec {
- proxyPass = "http://localhost:8538";
- # Disable settings that might mess with the text/event-stream response of the /listen/:id endpoint.
- # NOTE: These settings work in tanden with Cloudflare Proxy settings descibed here:
- # https://blog.devops.dev/implementing-server-sent-events-with-fastapi-nginx-and-cloudflare-10ede1dffc18
- extraConfig = ''
- location /listen/ {
- # Have to duplicate this here, as this directive is not inherited.
- # See: https://blog.martinfjordvald.com/understanding-the-nginx-configuration-inheritance-model/
- # See: https://serverfault.com/q/1082562
- proxy_pass ${proxyPass};
- # Disable connection header.
- # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Connection
- # See: https://www.nginx.com/blog/avoiding-top-10-nginx-configuration-mistakes/#no-keepalives
- proxy_set_header Connection \'\';
- # Disable buffering. This is crucial for SSE to ensure that
- # messages are sent immediately without waiting for a buffer to
- # fill.
- proxy_buffering off;
- # Disable caching to ensure that all messages are sent and received
- # in real-time without being cached by the proxy.
- proxy_cache off;
- # Set a long timeout for reading from the proxy to prevent the
- # connection from timing out. You may need to adjust this value
- # based on your specific requirements.
- proxy_read_timeout 86400;
- }
- '';
- };
- };
- };
-}
diff --git a/modules/nixos/linus.onl/default.nix b/modules/nixos/linus.onl/default.nix
deleted file mode 100644
index 52703fe..0000000
--- a/modules/nixos/linus.onl/default.nix
+++ /dev/null
@@ -1,100 +0,0 @@
-{
- pkgs,
- lib,
- config,
- ...
-}: let
- inherit (lib) mkEnableOption mkOption types mkIf optional;
-
- domain = "linus.onl";
-
- cfg = config.modules."${domain}";
-in {
- options.modules."${domain}" = {
- enable = mkEnableOption "${domain} static site";
-
- useACME = mkEnableOption "built-in HTTPS stuff";
- };
-
- config = mkIf cfg.enable {
- # Create a user to run the build script under.
- users.users."${domain}-builder" = {
- description = "builds ${domain}";
- group = "${domain}-builder";
- isSystemUser = true;
- };
- users.groups."${domain}-builder" = {};
-
- # Create the output directory.
- system.activationScripts."${domain}-create-www" = lib.stringAfter ["var"] ''
- mkdir -p /var/www/${domain}
- chown ${domain}-builder /var/www/${domain}
- chgrp ${domain}-builder /var/www/${domain}
- chmod 0755 /var/www/${domain}
- '';
-
- # Create a systemd service which rebuild the site regularly.
- #
- # This can't be done using Nix because the site relies on the git build and
- # there are some inherent difficulties with including .git/ in the
- # inputSource for derivations.
- #
- # See: https://github.com/NixOS/nix/issues/6900
- # See: https://github.com/NixOS/nixpkgs/issues/8567
- #
- # TODO: Integrate rebuilding with GitHub webhooks to rebuild on push.
- systemd.services."${domain}-source" = {
- description = "generate https://${domain} source";
-
- serviceConfig = {
- Type = "oneshot";
- User = "${domain}-builder";
- Group = "${domain}-builder";
- };
- startAt = "*-*-* *:00/5:00";
-
- path = with pkgs; [
- git
- rsync
- coreutils-full
- tcl-8_5
- gnumake
- ];
- environment.TCLLIBPATH = "$TCLLIBPATH ${pkgs.tcl-cmark}/lib/tclcmark1.0";
- script = ''
- set -ex
- tmpdir="$(mktemp -d -t linus.onl-source.XXXXXXXXXXXX)"
- cd "$tmpdir"
- trap 'rm -rf $tmpdir' EXIT
- # TODO: Only do minimal possible cloning
- git clone https://github.com/linnnus/${domain} .
- make _build
- rsync --archive --delete _build/ /var/www/${domain}
- '';
-
- # TODO: Harden service
-
- # Network must be online for us to check.
- after = ["network-online.target"];
- requires = ["network-online.target"];
-
- # We must generate some files for NGINX to serve, so this should be run
- # before NGINX.
- before = ["nginx.service"];
- wantedBy = ["nginx.service"];
- };
-
- # Register domain name with ddns.
- services.cloudflare-dyndns.domains = [domain];
-
- # Register virtual host.
- services.nginx = {
- virtualHosts."${domain}" = {
- # NOTE: 'forceSSL' will cause an infite loop, if the cloudflare proxy does NOT connect over HTTPS.
- enableACME = cfg.useACME;
- forceSSL = cfg.useACME;
- root = "/var/www/${domain}";
- };
- };
- };
-}
diff --git a/modules/nixos/nofitications.linus.onl/default.nix b/modules/nixos/nofitications.linus.onl/default.nix
deleted file mode 100644
index c050ef4..0000000
--- a/modules/nixos/nofitications.linus.onl/default.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-{
- lib,
- config,
- ...
-}: let
- inherit (lib) mkEnableOption mkIf;
-
- cfg = config.modules."notifications.linus.onl";
-in {
- options.modules."notifications.linus.onl" = {
- enable = mkEnableOption "notifications.linus.onl static site";
-
- useACME = mkEnableOption "built-in HTTPS stuff";
- };
-
- config = mkIf cfg.enable {
- services.push-notification-api = {
- enable = true;
- };
-
- # Register domain name.
- services.cloudflare-dyndns.domains = ["notifications.linus.onl"];
-
- # Use NGINX as reverse proxy.
- services.nginx.virtualHosts."notifications.linus.onl" = {
- enableACME = cfg.useACME;
- forceSSL = cfg.useACME;
- locations."/" = {
- recommendedProxySettings = true;
- proxyPass = "http://unix:/run/push-notification-api.sock";
- };
- };
- };
-}
|