
javalsai ed9ec1aecf nixos/security: add acme through dns challenge
few side refactors of this:
- no more `dns.domain`, it all must rely on `fqdn`, prevents
  inconsistencies.
- also added a specific host `tuxcord-acmetest` that uses the key zone
  for `nix.tuxcord.net` to test certificate pulling.
2026-05-03 23:12:09 +02:00
javalsai 4f248dc3cb docs: document installation, secrets and setup steps
2026-05-03 13:38:03 -04:00
javalsai 054b293a69 nixos/services: make dns configuration easier 2026-05-03 13:38:03 -04:00
javalsai dda41aca4f nixos/service: add dns (bind named server) 2026-05-03 13:38:03 -04:00
javalsai 9586a83d3d nixos/programs: add bind utils 2026-05-03 13:38:03 -04:00
javalsai 97fbec56b1 nixos/services: add gitea server
2026-05-03 13:38:03 -04:00
javalsai 7ff5fb0da2 nixos/services: add nginx base configuration 2026-05-03 13:38:03 -04:00
9 changed files with 67 additions and 335 deletions
+6 -5
@@ -1,11 +1,12 @@
{ config, ... }:
let
inherit (config.networking) fqdn;
in
{
acme = {
enable = true;
rfc2136.nameserver = "tuxcord.net";
};
acme.enable = true;
acme.rfc2136.nameserver = "tuxcord.net";
dns.enable = true;
networking.fqdn = "nix.tuxcord.net";
time.timeZone = "Europe/Madrid";
}
+3 -5
@@ -1,16 +1,14 @@
{ config, ... }:
{
imports = [
./hardware.nix
./storage.nix
];
acme = {
enable = true;
useSelfDns = true;
};
acme.enable = true;
acme.useSelfDns = true;
dns.enable = true;
networking.fqdn = "tuxcord.net";
time.timeZone = "Canada/Eastern";
}
-1
@@ -1,6 +1,5 @@
{
acme.enable = false;
dns.enable = true;
networking.fqdn = "tuxcord.test";
}
+4 -6
@@ -5,8 +5,6 @@
...
}:
let
cfg = config.acme;
inherit (lib)
mkIf
mkEnableOption
@@ -15,6 +13,8 @@ let
;
inherit (config.networking) fqdn;
cfg = config.acme;
in
{
# we'll only support rfc2136 based challenges
@@ -71,9 +71,7 @@ in
certs."${fqdn}" = {
dnsProvider = "rfc2136";
environmentFile =
with cfg.rfc2136;
builtins.toFile "dns-01-challenge.cfg" ''
environmentFile = with cfg.rfc2136; builtins.toFile "dns-01-challenge.cfg" ''
RFC2136_NAMESERVER=${nameserver}
RFC2136_TSIG_FILE="${key}"
'';
@@ -82,7 +80,7 @@ in
"${fqdn}"
];
inherit (config.services.nginx) group;
group = config.services.nginx.group;
};
};
};
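Review bot: `builtins.toFile "dns-01-challenge.cfg"` on the `environmentFile =` line writes that file into the Nix store, which is world-readable on the host, so it may only ever carry the TSIG key *path* in `RFC2136_TSIG_FILE`, never the key material itself. The visible lines respect that, but nothing documents the constraint and a later change to how `cfg.rfc2136.key` is populated could silently break it; I would add `# toFile lands in the world-readable Nix store: only the TSIG key *path* belongs here, never the secret` directly above `environmentFile`. It is also worth confirming that the file named by `key` is readable by the ACME service user, since the resulting certificate is only shared with `config.services.nginx.group`. The attribute set holding `certs."${fqdn}"` starts before this hunk.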
+18 -21
@@ -1,21 +1,8 @@
{
config,
lib,
self,
...
}:
{ config, lib, ... }:
let
cfg = config.dns;
inherit (lib)
mkEnableOption
mkIf
strings
;
inherit (config.networking) fqdn;
agenixDnsDir = "${self}/agenix/dns/${fqdn}";
agenixDnsDir = ../../agenix/dns + "/${fqdn}";
agenixKeys = builtins.attrNames (builtins.readDir agenixDnsDir);
keys = map (
@@ -25,17 +12,24 @@ let
subdomain = name: "subdomain ${name}";
zoneDomain =
if strings.hasSuffix ".key.age" filename then
strings.removeSuffix ".key.age" filename
if lib.strings.hasSuffix ".key.age" filename then
lib.strings.removeSuffix ".key.age" filename
else
throw "$(unknown) is not a `.key.age` file";
in
{
inherit (config.age.secrets."dns/$(unknown)") path;
name = zoneDomain;
path = config.age.secrets."dns/$(unknown)".path;
type = if zoneDomain == fqdn then zonesub else subdomain;
}
) agenixKeys;
cfg = config.dns;
inherit (lib)
mkEnableOption
mkOption
mkIf
;
in
{
options.dns = {
@@ -68,7 +62,8 @@ in
extraConfig = builtins.concatStringsSep "\n" (map (key: "include \"${key.path}\";") keys);
zones."${fqdn}" = {
zones = {
"${fqdn}" = {
# grant "tuxcord.net" zonesub ANY;
extraConfig = ''
update-policy {
@@ -81,6 +76,10 @@ in
master = true;
};
};
};
networking.firewall.allowedTCPPorts = [ config.services.bind.listenOnPort ];
networking.firewall.allowedUDPPorts = [ config.services.bind.listenOnPort ];
environment.persistence."/persist" = {
directories = [
@@ -91,7 +90,5 @@ in
}
];
};
networking.firewall.allowedUDPPorts = [ config.services.bind.listenOnPort ];
};
}
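Review bot: The `update-policy {` block in the `"${fqdn}"` zone is introduced right below the comment `# grant "tuxcord.net" zonesub ANY;`, and the actual grant lines fall outside this hunk; if they mirror the comment, the ACME key may rewrite every record type in the zone rather than only the `_acme-challenge` TXT record it needs. Consider narrowing it to `grant "<key-name>" zonesub TXT;` (or a name-scoped grant on `_acme-challenge.${fqdn}`) so a leaked TSIG key cannot redirect A or MX records. The same section opens `config.services.bind.listenOnPort` on both TCP and UDP, which is expected for an authoritative server but only safe if recursion stays closed to outside clients; I believe the NixOS `services.bind` defaults restrict that via `cacheNetworks`, but this module's `config` block is not visible here, so it is worth confirming. The `$(unknown)` text on the `throw`, `inherit` and `path` lines of the `keys` mapping looks like a rendering artifact of a `${...}` interpolation rather than source, but that should be checked against the real file.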
+13 -21
@@ -1,40 +1,32 @@
{ config, ... }:
{ config, lib, ... }:
let
inherit (config.networking) fqdn;
acmeEnabled = config.acme.enable;
isHTTPS = config.acme.enable;
in
{
services.gitea = {
enable = true;
appName = "TuxCord Gitea";
appName = "Tuxcord's Gitea";
database.type = "mysql";
lfs.enable = true;
settings = {
server = {
DOMAIN = fqdn;
ROOT_URL = "${if acmeEnabled then "https" else "http"}://${fqdn}/";
HTTP_PORT = 3000;
};
settings.server.DOMAIN = fqdn;
settings.server.ROOT_URL = "${if isHTTPS then "https" else "http"}://${fqdn}/";
settings.server.HTTP_PORT = 3000;
service = {
DISABLE_REGISTRATION = true;
REQUIRE_SIGNIN_VIEW = false;
};
settings.service.DISABLE_REGISTRATION = true;
settings.service.REQUIRE_SIGNIN_VIEW = false;
repository = {
ENABLE_PUSH_CREATE_USER = true;
ENABLE_PUSH_CREATE_ORG = true;
DEFAULT_BRANCH = "main";
};
settings.repository.ENABLE_PUSH_CREATE_USER = true;
settings.repository.ENABLE_PUSH_CREATE_ORG = true;
settings.repository.DEFAULT_BRANCH = "main";
# ui.DEFAULT_THEME = "...";
# settings.ui.DEFAULT_THEME = "...";
# TODO: once we have email setup this would be nice
mailer.ENABLED = true;
};
settings.mailer.ENABLED = true;
};
}
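Review bot: `HTTP_PORT = 3000` (present in both the nested `server = { ... }` form and the dotted `settings.server.HTTP_PORT` form) sets the listening port but not `HTTP_ADDR`, and Gitea's default is to bind all interfaces, so the instance is reachable directly on port 3000 on any interface the firewall leaves open, bypassing the nginx vhost and its TLS. Since nginx is the intended front door, I would add `settings.server.HTTP_ADDR = "127.0.0.1";` next to `HTTP_PORT` (the nginx module's `mkProxy` call already targets this port). Separately, the `# TODO: once we have email setup this would be nice` comment sits directly above `mailer.ENABLED = true`, so either the comment is stale or the mailer is switched on before any SMTP settings exist; one of the two should change.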
+9 -9
@@ -1,15 +1,15 @@
{ config, ... }:
{ config, lib, ... }:
let
inherit (config.networking) fqdn;
mkVhost =
attrs:
let
acmeEnabled = config.acme.enable;
isAcme = config.acme.enable;
in
{
forceSSL = acmeEnabled;
useACMEHost = if acmeEnabled then fqdn else null;
forceSSL = isAcme;
useACMEHost = if isAcme then fqdn else null;
}
// attrs;
@@ -18,6 +18,11 @@ let
};
in
{
networking.firewall.allowedTCPPorts = [
80
443
];
services.nginx = {
enable = true;
@@ -37,9 +42,4 @@ in
locations."/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
};
};
networking.firewall.allowedTCPPorts = [
80
443
];
}
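Review bot: Inside `mkVhost` the `let acmeEnabled = config.acme.enable; in` (or `isAcme`) binding does not depend on `attrs`, so it is re-bound for every vhost and reads more naturally hoisted into the outer `let` next to `inherit (config.networking) fqdn;`, leaving the function body as the bare attribute set `// attrs`. A related point: `networking.firewall.allowedTCPPorts = [ 80 443 ]` opens 443 unconditionally while `forceSSL` and `useACMEHost` only take effect when `config.acme.enable` is true, so on a host without ACME 443 is open with nothing listening; harmless, but `[ 80 ] ++ lib.optional config.acme.enable 443` (where `lib` is in scope) would keep the firewall consistent with the vhost settings. The `mkProxy` helper and the rest of `services.nginx` lie between the hunks shown here.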
-249
@@ -1,249 +0,0 @@
/*
This file is provided under the MIT licence:
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the Software), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
# Generated by npins. Do not modify; will be overwritten regularly
let
# Backwards-compatibly make something that previously didn't take any arguments take some
# The function must return an attrset, and will unfortunately be eagerly evaluated
# Same thing, but it catches eval errors on the default argument so that one may still call it with other arguments
mkFunctor =
fn:
let
e = builtins.tryEval (fn { });
in
(if e.success then e.value else { error = fn { }; }) // { __functor = _self: fn; };
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
range =
first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1);
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
concatStrings = builtins.concatStringsSep "";
# If the environment variable NPINS_OVERRIDE_${name} is set, then use
# the path directly as opposed to the fetched source.
# (Taken from Niv for compatibility)
mayOverride =
name: path:
let
envVarName = "NPINS_OVERRIDE_${saneName}";
saneName = stringAsChars (c: if (builtins.match "[a-zA-Z0-9]" c) == null then "_" else c) name;
ersatz = builtins.getEnv envVarName;
in
if ersatz == "" then
path
else
# this turns the string into an actual Nix path (for both absolute and
# relative paths)
builtins.trace "Overriding path of \"${name}\" with \"${ersatz}\" due to set \"${envVarName}\"" (
if builtins.substring 0 1 ersatz == "/" then
/. + ersatz
else
/. + builtins.getEnv "PWD" + "/${ersatz}"
);
mkSource =
name: spec:
{
pkgs ? null,
}:
assert spec ? type;
let
# Unify across builtin and pkgs fetchers.
# `fetchGit` requires a wrapper because of slight API differences.
fetchers =
if pkgs == null then
{
inherit (builtins) fetchTarball fetchurl;
# For some fucking reason, fetchGit has a different signature than the other builtin fetchers …
fetchGit = args: (builtins.fetchGit args).outPath;
}
else
{
fetchTarball =
{
url,
sha256,
}:
pkgs.fetchzip {
inherit url sha256;
extension = "tar";
};
inherit (pkgs) fetchurl;
fetchGit =
{
url,
submodules,
rev,
name,
narHash,
}:
pkgs.fetchgit {
inherit url rev name;
fetchSubmodules = submodules;
hash = narHash;
};
};
# Dispatch to the correct code path based on the type
path =
if spec.type == "Git" then
mkGitSource fetchers spec
else if spec.type == "GitRelease" then
mkGitSource fetchers spec
else if spec.type == "PyPi" then
mkPyPiSource fetchers spec
else if spec.type == "Channel" then
mkChannelSource fetchers spec
else if spec.type == "Tarball" then
mkTarballSource fetchers spec
else if spec.type == "Container" then
mkContainerSource pkgs spec
else
builtins.throw "Unknown source type ${spec.type}";
in
spec // { outPath = mayOverride name path; };
mkGitSource =
{
fetchTarball,
fetchGit,
...
}:
{
repository,
revision,
url ? null,
submodules,
hash,
...
}:
assert repository ? type;
# At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
# In the latter case, there we will always be an url to the tarball
if url != null && !submodules then
fetchTarball {
inherit url;
sha256 = hash;
}
else
let
url =
if repository.type == "Git" then
repository.url
else if repository.type == "GitHub" then
"https://github.com/${repository.owner}/${repository.repo}.git"
else if repository.type == "GitLab" then
"${repository.server}/${repository.repo_path}.git"
else if repository.type == "Forgejo" then
"${repository.server}/${repository.owner}/${repository.repo}.git"
else
throw "Unrecognized repository type ${repository.type}";
urlToName =
url: rev:
let
matched = builtins.match "^.*/([^/]*)(\\.git)?$" url;
short = builtins.substring 0 7 rev;
appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else "";
in
"${if matched == null then "source" else builtins.head matched}${appendShort}";
name = urlToName url revision;
in
fetchGit {
rev = revision;
narHash = hash;
inherit name submodules url;
};
mkPyPiSource =
{ fetchurl, ... }:
{
url,
hash,
...
}:
fetchurl {
inherit url;
sha256 = hash;
};
mkChannelSource =
{ fetchTarball, ... }:
{
url,
hash,
...
}:
fetchTarball {
inherit url;
sha256 = hash;
};
mkTarballSource =
{ fetchTarball, ... }:
{
url,
locked_url ? url,
hash,
...
}:
fetchTarball {
url = locked_url;
sha256 = hash;
};
mkContainerSource =
pkgs:
{
image_name,
image_tag,
image_digest,
...
}:
if pkgs == null then
builtins.throw "container sources require passing in a Nixpkgs value: https://github.com/andir/npins/blob/master/README.md#using-the-nixpkgs-fetchers"
else
pkgs.dockerTools.pullImage {
imageName = image_name;
imageDigest = image_digest;
finalImageTag = image_tag;
};
in
mkFunctor (
{
input ? ./sources.json,
}:
let
data =
if builtins.isPath input then
# while `readFile` will throw an error anyways if the path doesn't exist,
# we still need to check beforehand because *our* error can be caught but not the one from the builtin
# *piegames sighs*
if builtins.pathExists input then
builtins.fromJSON (builtins.readFile input)
else
throw "Input path ${toString input} does not exist"
else if builtins.isAttrs input then
input
else
throw "Unsupported input type ${builtins.typeOf input}, must be a path or an attrset";
version = data.version;
in
if version == 7 then
builtins.mapAttrs (name: spec: mkFunctor (mkSource name spec)) data.pins
else
throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
)
-4
@@ -1,4 +0,0 @@
{
"pins": {},
"version": 7
}