initial commit

hosts/rx4/services/alditalk-extender.nix

@@ -0,0 +1,43 @@
+{
+  outputs,
+  config,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    outputs.nixosModules.alditalk-extender
+  ];
+
+  services.alditalk-extender = {
+    enable = true;
+    package = pkgs.local.alditalk-true-unlimited;
+    envFile = config.sops.templates.alditalk-extender.path;
+  };
+
+  sops.secrets = {
+    "alditalk/username" = {
+      owner = "alditalk";
+      group = "alditalk";
+      mode = "0400";
+    };
+    "alditalk/password" = {
+      owner = "alditalk";
+      group = "alditalk";
+      mode = "0400";
+    };
+  };
+
+  sops.templates = {
+    alditalk-extender = {
+      owner = "alditalk";
+      group = "alditalk";
+      mode = "0400";
+      content = ''
+        USERNAME=${config.sops.placeholder."alditalk/username"}
+        PASSWORD=${config.sops.placeholder."alditalk/password"}
+      '';
+    };
+  };
+}

hosts/rx4/services/default.nix

@@ -0,0 +1,31 @@
+{
+  inputs,
+  outputs,
+  ...
+}:
+
+{
+  imports = [
+    inputs.synix.nixosModules.openssh
+    inputs.clients.nixosModules.syncthing
+
+    outputs.nixosModules.tailscale
+
+    ./forgejo.nix
+    ./miniflux.nix
+    ./netdata.nix
+    ./nginx.nix
+    ./open-webui-oci.nix
+    ./print-server.nix
+    ./rss-bridge.nix
+    # ./webdav.nix # FIXME
+
+    # ./alditalk-extender.nix # FIXME
+  ];
+
+  # bootstrap
+  # services.syncthing.enable = true;
+  # services.syncthing.guiAddress = "0.0.0.0:8384";
+
+  services.transmission.enable = true;
+}

hosts/rx4/services/forgejo.nix

@@ -0,0 +1,29 @@
+{
+  outputs,
+  config,
+  ...
+}:
+
+{
+  imports = [
+    outputs.nixosModules.forgejo
+    outputs.nixosModules.forgejo-runner
+  ];
+
+  services.forgejo = {
+    enable = true;
+  };
+
+  services.forgejo-runner = {
+    enable = true;
+    url = config.services.forgejo.settings.server.ROOT_URL;
+    tokenFile = config.sops.templates."forgejo-runner/token".path;
+  };
+
+  sops = {
+    secrets."forgejo-runner/token" = { };
+    templates."forgejo-runner/token".content = ''
+      TOKEN=${config.sops.placeholder."forgejo-runner/token"}
+    '';
+  };
+}

hosts/rx4/services/miniflux.nix

@@ -0,0 +1,13 @@
+{ inputs, constants, ... }:
+
+{
+  imports = [ inputs.synix.nixosModules.miniflux ];
+
+  services.miniflux = {
+    enable = true;
+    config = {
+      ADMIN_USERNAME = "sid";
+      PORT = constants.services.miniflux.port;
+    };
+  };
+}

hosts/rx4/services/netdata.nix

@@ -0,0 +1,54 @@
+{
+  config,
+  constants,
+  ...
+}:
+
+{
+  services.netdata = {
+    enable = true;
+    config.global = {
+      "debug log" = "syslog";
+      "access log" = "syslog";
+      "error log" = "syslog";
+    };
+    configDir = {
+      "stream.conf" = config.sops.templates."netdata/stream.conf".path;
+    };
+  };
+
+  sops =
+    let
+      owner = config.services.netdata.user;
+      group = config.services.netdata.group;
+      mode = "0400";
+      restartUnits = [ "netdata.service" ];
+    in
+    {
+      # generate with `uuidgen`
+      secrets."netdata/stream/rx4/uuid" = {
+        inherit
+          owner
+          group
+          mode
+          restartUnits
+          ;
+      };
+
+      templates."netdata/stream.conf" = {
+        inherit
+          owner
+          group
+          mode
+          restartUnits
+          ;
+        # child node
+        content = ''
+          [stream]
+          enabled = yes
+          destination = ${constants.hosts.sid.ip}:${builtins.toString constants.services.netdata.port}
+          api key = ${config.sops.placeholder."netdata/stream/rx4/uuid"}
+        '';
+      };
+    };
+}

hosts/rx4/services/nginx.nix

@@ -0,0 +1,37 @@
+{
+  inputs,
+  constants,
+  config,
+  ...
+}:
+
+let
+  cfg = config.services.nginx;
+in
+{
+  imports = [
+    inputs.synix.nixosModules.nginx
+  ];
+
+  systemd.tmpfiles.rules = [
+    "d /var/www 0755 gitea-runner ${cfg.group} -"
+  ];
+
+  systemd.services.gitea-runner-default.serviceConfig = {
+    ReadWritePaths = [ "/var/www" ];
+  };
+
+  services.nginx = {
+    enable = true;
+    openFirewall = false;
+    forceSSL = false;
+
+    virtualHosts = {
+      "${constants.services.docs.fqdn}" = {
+        locations."/" = {
+          root = "/var/www/doc";
+        };
+      };
+    };
+  };
+}

hosts/rx4/services/open-webui-oci.nix

@@ -0,0 +1,30 @@
+{
+  inputs,
+  constants,
+  config,
+  ...
+}:
+
+{
+  imports = [ inputs.synix.nixosModules.open-webui-oci ];
+
+  services.open-webui-oci = {
+    enable = true;
+    externalUrl = "https://" + constants.services.open-webui-oci.fqdn;
+    port = 8083;
+    # environmentFile = config.sops.templates."open-webui-oci/environment".path;
+    # environment = {
+    #   AUDIO_STT_ENGINE = "openai";
+    #   AUDIO_TTS_ENGINE = "openai";
+    # };
+  };
+
+  # sops = {
+  #   secrets."open-webui-oci/stt-api-key" = { };
+  #   secrets."open-webui-oci/tts-api-key" = { };
+  #   templates."open-webui-oci/environment".content = ''
+  #     AUDIO_STT_OPENAI_API_KEY=${config.sops.placeholder."open-webui-oci/stt-api-key"}
+  #     AUDIO_TTS_OPENAI_API_KEY=${config.sops.placeholder."open-webui-oci/tts-api-key"}
+  #   '';
+  # };
+}

hosts/rx4/services/print-server.nix

@@ -0,0 +1,12 @@
+{
+  inputs,
+  ...
+}:
+
+{
+  imports = [
+    inputs.synix.nixosModules.print-server
+  ];
+
+  services.print-server.enable = true;
+}

hosts/rx4/services/rss-bridge.nix

@@ -0,0 +1,14 @@
+{ inputs, constants, ... }:
+
+{
+  imports = [ inputs.synix.nixosModules.rss-bridge ];
+
+  services.rss-bridge = {
+    enable = true;
+    reverseProxy = {
+      enable = true;
+      subdomain = constants.services.rss-bridge.subdomain;
+      forceSSL = false;
+    };
+  };
+}

hosts/rx4/services/webdav.nix

@@ -0,0 +1,86 @@
+{ constants, config, ... }:
+
+# FIXME: floccus throws error: NetworkError when attempting to fetch resource.
+
+let
+  cfg = config.services.webdav;
+
+  inherit (constants.services.webdav) fqdn port;
+in
+{
+  services.webdav = {
+    enable = true;
+    environmentFile = config.sops.templates."webdav/env-file".path;
+
+    settings = {
+      inherit port;
+      address = "127.0.0.1";
+      prefix = "/";
+      directory = "/srv/webdav";
+      users = [
+        {
+          username = "{env}WEBDAV_USER";
+          password = "{env}WEBDAV_PASS";
+          permissions = "CRUD";
+        }
+      ];
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "d ${cfg.settings.directory} 0750 ${cfg.user} ${cfg.group} -"
+  ];
+
+  networking.firewall.allowedTCPPorts = [ port ];
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."${fqdn}" = {
+      listen = [
+        {
+          addr = "0.0.0.0";
+          inherit port;
+        }
+      ];
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString port}";
+        extraConfig = ''
+          add_header 'Access-Control-Allow-Origin' '*' always;
+          add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, PROPFIND, OPTIONS' always;
+          add_header 'Access-Control-Allow-Headers' 'Authorization,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Depth' always;
+
+          if ($request_method = 'OPTIONS') {
+              add_header 'Access-Control-Allow-Origin' '*';
+              add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, PROPFIND, OPTIONS';
+              add_header 'Access-Control-Allow-Headers' 'Authorization,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Depth';
+              return 204;
+          }
+        '';
+      };
+    };
+  };
+
+  sops =
+    let
+      owner = cfg.user;
+      group = cfg.group;
+      mode = "0400";
+    in
+    {
+      secrets = {
+        "webdav/user" = {
+          inherit owner group mode;
+        };
+        "webdav/pass" = {
+          inherit owner group mode;
+        };
+      };
+      templates."webdav/env-file" = {
+        inherit owner group mode;
+        content = ''
+          WEBDAV_USER=${config.sops.placeholder."webdav/user"}
+          WEBDAV_PASS=${config.sops.placeholder."webdav/pass"}
+        '';
+      };
+    };
+}