
refactor(greatyamada): Change port definitions format

This commit is contained in:
Avery 2025-07-22 12:30:44 +02:00
parent f71272abe5
commit 0e6432592d
Signed by: Avery
GPG key ID: B684FD451B692E04
12 changed files with 64 additions and 60 deletions


@ -1,21 +1,30 @@
{ {
tcp = { tcp = {
minecraft = 13914; adguardhome = {
minecraft-fabric-prod-bluemap = 8100; dns = 53;
http = 3001;
}; };
adguardhome-dns = 53; forgejo = 3000;
adguardhome-http = 3001; jellyfin = 8096;
adguardhome-dhcp-udp = 67;
forgejo-http = 3000;
jellyfin-http = 8096;
koito = 4110; koito = 4110;
navidrome-https = 4533; minecraft = {
nginx-https = 443; fabric_prod = {
ntfy-http = 2586; server = 13914;
bluemap = 8100;
};
};
nginx = 443;
pgadmin = 5050; pgadmin = 5050;
postgresql = 5432; postgresql = 5432;
radicale-http = 5232; radicale = 5232;
searxng = 8888; searxng = 8888;
wireguard = 51820;
vaultwarden = 8222; vaultwarden = 8222;
};
udp = {
adguardhome = {
dns = 53;
dhcp = 67;
};
wireguard = 51820;
};
} }
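Review bot: The new nested layout mixes naming conventions: `fabric_prod` carries an underscore while every other key on the new side is a plain word, and the consumers changed in this same commit spell that key both `fabric_prod` and `fabric-prod`; in Nix a mismatch is not a typo warning but a missing-attribute failure at evaluation time. Pick one convention (the old flat names used hyphens) and state it at the top of the file, e.g. `# Keys are service names; a nested attrset groups several listeners of one service. When a service uses both transports (adguardhome.dns) the tcp and udp values must be kept equal.` Note that `adguardhome.dns = 53` is now declared twice, once under `tcp` and once under `udp`, with nothing tying the two together.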


@ -1,27 +1,26 @@
{ ... }: { ... }:
let let
portDefinitions = import ./_port-definitions.nix; ports = import ./_port-definitions.nix;
nginxLocalServiceConfig = import ./nginx-local-config.nix; nginxLocalServiceConfig = import ./nginx-local-config.nix;
in { in {
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ portDefinitions.adguardhome-dns ]; allowedTCPPorts = with ports.tcp.adguardhome; [ dns ];
allowedUDPPorts = allowedUDPPorts = with ports.udp.adguardhome; [ dns dhcp ];
[ portDefinitions.adguardhome-dns portDefinitions.adguardhome-dhcp-udp ];
}; };
services = { services = {
adguardhome = { adguardhome = {
enable = true; enable = true;
allowDHCP = true; allowDHCP = true;
mutableSettings = true; mutableSettings = true;
port = portDefinitions.adguardhome-http; port = ports.tcp.adguardhome.http;
settings = { settings = {
http = { http = {
address = "127.0.0.1:${toString portDefinitions.adguardhome-http}"; address = "127.0.0.1:${toString ports.tcp.adguardhome.http}";
session_ttl = "720h"; session_ttl = "720h";
}; };
dns = { dns = {
bind_hosts = [ "10.0.0.1" ]; bind_hosts = [ "10.0.0.1" ];
port = portDefinitions.adguardhome-dns; port = ports.tcp.adguardhome.dns;
anonymize_client_ip = false; anonymize_client_ip = false;
ratelimit = 0; ratelimit = 0;
upstream_dns = [ "https://dns10.quad9.net/dns-query" ]; upstream_dns = [ "https://dns10.quad9.net/dns-query" ];
@ -267,7 +266,7 @@ in {
nginx.virtualHosts."dns.rcia.dev" = { nginx.virtualHosts."dns.rcia.dev" = {
forceSSL = true; forceSSL = true;
locations."/".proxyPass = locations."/".proxyPass =
"http://127.0.0.1:${toString portDefinitions.adguardhome-http}"; "http://127.0.0.1:${toString ports.tcp.adguardhome.http}";
extraConfig = nginxLocalServiceConfig; extraConfig = nginxLocalServiceConfig;
useACMEHost = "rcia.dev"; useACMEHost = "rcia.dev";
}; };
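Review bot: The DNS listener is now configured from `ports.tcp.adguardhome.dns` (`dns.port` in the settings block) while the UDP firewall opening uses `ports.udp.adguardhome.dns`; these are two independent values that merely happen to both be 53, so changing one would leave the firewall open on a UDP port AdGuard no longer listens on, or close the one it does. Tie them together at the top of the module body: `assert ports.tcp.adguardhome.dns == ports.udp.adguardhome.dns;` (or read both firewall entries from one attribute). It is also worth a comment next to `allowedTCPPorts`/`allowedUDPPorts` that these open 53 and 67 on every interface, whereas `bind_hosts = [ "10.0.0.1" ]` only restricts the DNS socket; `networking.firewall.interfaces.<if>.allowedUDPPorts` would scope the opening to the LAN interface, assuming that is the intent.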


@ -1,6 +1,6 @@
{ pkgs, lib, ... }: { pkgs, lib, ... }:
let let
portDefinitions = import ./_port-definitions.nix; ports = import ./_port-definitions.nix;
arrayToSecrets = elements: arrayToSecrets = elements:
builtins.listToAttrs (map (key: { builtins.listToAttrs (map (key: {
name = "forgejo/${key}"; name = "forgejo/${key}";
@ -13,7 +13,7 @@ in {
package = pkgs.forgejo; package = pkgs.forgejo;
database = { database = {
type = "postgres"; type = "postgres";
port = portDefinitions.postgresql; port = ports.tcp.postgresql;
passwordFile = "/run/secrets/forgejo/database_password"; passwordFile = "/run/secrets/forgejo/database_password";
}; };
secrets = { secrets = {
@ -30,7 +30,7 @@ in {
server = { server = {
DOMAIN = "git.rcia.dev"; DOMAIN = "git.rcia.dev";
ROOT_URL = "https://git.rcia.dev"; ROOT_URL = "https://git.rcia.dev";
HTTP_PORT = portDefinitions.forgejo-http; HTTP_PORT = ports.tcp.forgejo;
DISABLE_SSH = true; DISABLE_SSH = true;
LFS_START_SERVER = true; LFS_START_SERVER = true;
}; };
@ -43,7 +43,7 @@ in {
}; };
nginx.virtualHosts."git.rcia.dev" = { nginx.virtualHosts."git.rcia.dev" = {
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString portDefinitions.forgejo-http}"; proxyPass = "http://127.0.0.1:${toString ports.tcp.forgejo}";
}; };
forceSSL = true; forceSSL = true;
useACMEHost = "rcia.dev"; useACMEHost = "rcia.dev";


@ -1,11 +1,11 @@
{ ... }: { ... }:
let portDefinitions = import ./_port-definitions.nix; let ports = import ./_port-definitions.nix;
in { in {
services = { services = {
jellyfin.enable = true; jellyfin.enable = true;
nginx.virtualHosts."jellyfin.rcia.dev" = { nginx.virtualHosts."jellyfin.rcia.dev" = {
locations."/".proxyPass = locations."/".proxyPass =
"http://127.0.0.1:${toString portDefinitions.jellyfin-http}"; "http://127.0.0.1:${toString ports.tcp.jellyfin}";
forceSSL = true; forceSSL = true;
useACMEHost = "rcia.dev"; useACMEHost = "rcia.dev";
}; };


@ -1,7 +1,5 @@
{ pkgs, lib, config, ... }: { pkgs, lib, config, ... }:
let let ports = import ./_port-definitions.nix;
portDefinitions = import ./_port-definitions.nix;
nginxLocalConfig = import ./nginx-local-config.nix;
in { in {
virtualisation.oci-containers.containers."koito" = { virtualisation.oci-containers.containers."koito" = {
image = "gabehf/koito:latest"; image = "gabehf/koito:latest";
@ -12,7 +10,7 @@ in {
}; };
environmentFiles = [ config.sops.templates."koito.env".path ]; environmentFiles = [ config.sops.templates."koito.env".path ];
volumes = [ "/mnt/hdd-01/koito:/etc/koito:rw" ]; volumes = [ "/mnt/hdd-01/koito:/etc/koito:rw" ];
ports = [ "${toString portDefinitions.koito}:4110/tcp" ]; ports = [ "${toString ports.tcp.koito}:4110/tcp" ];
log-driver = "journald"; log-driver = "journald";
extraOptions = [ "--network-alias=koito" "--network=koito_default" ]; extraOptions = [ "--network-alias=koito" "--network=koito_default" ];
}; };
@ -25,8 +23,7 @@ in {
}; };
services.nginx.virtualHosts."koito.rcia.dev" = { services.nginx.virtualHosts."koito.rcia.dev" = {
locations."/".proxyPass = locations."/".proxyPass = "http://localhost:${toString ports.tcp.koito}";
"http://localhost:${toString portDefinitions.koito}";
forceSSL = true; forceSSL = true;
useACMEHost = "rcia.dev"; useACMEHost = "rcia.dev";
}; };
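Review bot: The published port `ports = [ "${toString ports.tcp.koito}:4110/tcp" ];` carries no host address, so the container is reachable on every interface and not only through the `koito.rcia.dev` vhost below it; if the oci-containers backend is Docker (not visible in this hunk), its published-port rules are inserted ahead of the NixOS firewall chains, so `networking.firewall` would not cover it either. Bind it to loopback, which is all the proxy needs: `ports = [ "127.0.0.1:${toString ports.tcp.koito}:4110/tcp" ];`. The `proxyPass` already targets `localhost`, so nothing else has to change.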


@ -25,7 +25,8 @@ let
}) players; }) players;
in { in {
environment.systemPackages = with pkgs; [ mcrcon ]; environment.systemPackages = with pkgs; [ mcrcon ];
networking.firewall.allowedTCPPorts = with ports.tcp; [ minecraft ]; networking.firewall.allowedTCPPorts = with ports.tcp.minecraft;
[ fabric_prod.server ];
nixpkgs.overlays = [ inputs.nix-minecraft.overlay ]; nixpkgs.overlays = [ inputs.nix-minecraft.overlay ];
services = { services = {
minecraft-servers = { minecraft-servers = {
@ -60,7 +61,7 @@ in {
pause-when-empty-seconds = 60; pause-when-empty-seconds = 60;
pvp = true; pvp = true;
"rcon.password" = "@MINECRAFT_RCON_PASSWORD@"; "rcon.password" = "@MINECRAFT_RCON_PASSWORD@";
server-port = ports.tcp.minecraft; server-port = ports.tcp.minecraft.fabric_prod.server;
simulation-distance = 10; simulation-distance = 10;
spawn-protection = 0; spawn-protection = 0;
view-distance = 10; view-distance = 10;
@ -176,7 +177,7 @@ in {
}; };
"~* ^/fabric_prod/(maps/[^/\\s]*/live/.*)" = { "~* ^/fabric_prod/(maps/[^/\\s]*/live/.*)" = {
proxyPass = "http://127.0.0.1:${ proxyPass = "http://127.0.0.1:${
toString ports.tcp.minecraft-fabric-prod-bluemap toString ports.tcp.minecraft.fabric-prod.bluemap
}/$1"; }/$1";
extraConfig = '' extraConfig = ''
error_page 502 504 = @server-offline; error_page 502 504 = @server-offline;
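Review bot: The bluemap `proxyPass` in the last hunk reads `ports.tcp.minecraft.fabric-prod.bluemap`, but the definitions file in this commit names the attribute `fabric_prod`, and the firewall line earlier in this file uses `fabric_prod.server`; Nix treats `fabric-prod` as a different attribute, so evaluating this nginx virtualHost fails with a missing-attribute error and the host configuration does not build. Change it to `toString ports.tcp.minecraft.fabric_prod.bluemap`. The enclosing `services.nginx` block and the module's `let` start and end outside this hunk.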


@ -1,6 +1,6 @@
{ ... }: { ... }:
let let
_portDefinitions = import ./_port-definitions.nix; ports = import ./_port-definitions.nix;
nginxLocalConfig = import ./nginx-local-config.nix; nginxLocalConfig = import ./nginx-local-config.nix;
in { in {
services = { services = {
@ -9,11 +9,11 @@ in {
initialEmail = "avery@localhost"; initialEmail = "avery@localhost";
initialPasswordFile = "/dev/null"; initialPasswordFile = "/dev/null";
minimumPasswordLength = 0; minimumPasswordLength = 0;
port = _portDefinitions.pgadmin; port = ports.tcp.pgadmin;
}; };
nginx.virtualHosts."pgadmin.rcia.dev" = { nginx.virtualHosts."pgadmin.rcia.dev" = {
locations."/".proxyPass = locations."/".proxyPass =
"http://localhost:${toString _portDefinitions.pgadmin}"; "http://localhost:${toString ports.tcp.pgadmin}";
forceSSL = true; forceSSL = true;
useACMEHost = "rcia.dev"; useACMEHost = "rcia.dev";
extraConfig = nginxLocalConfig; extraConfig = nginxLocalConfig;


@ -1,5 +1,5 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
let portDefinitions = import ./_port-definitions.nix; let ports = import ./_port-definitions.nix;
in { in {
services.postgresql = { services.postgresql = {
enable = true; enable = true;
@ -7,7 +7,7 @@ in {
enableTCPIP = true; enableTCPIP = true;
dataDir = dataDir =
"/mnt/ssd-01/postgresql/${config.services.postgresql.package.psqlSchema}"; "/mnt/ssd-01/postgresql/${config.services.postgresql.package.psqlSchema}";
settings.port = portDefinitions.postgresql; settings.port = ports.tcp.postgresql;
authentication = pkgs.lib.mkOverride 10 '' authentication = pkgs.lib.mkOverride 10 ''
local all all trust local all all trust
host all all 127.0.0.1/32 trust host all all 127.0.0.1/32 trust


@ -1,14 +1,13 @@
{ ... }: { ... }:
let let
nginxLocalServiceConfig = import ./nginx-local-config.nix; nginxLocalServiceConfig = import ./nginx-local-config.nix;
portDefinitions = import ./_port-definitions.nix; ports = import ./_port-definitions.nix;
in { in {
services = { services = {
radicale = { radicale = {
enable = true; enable = true;
settings = { settings = {
server.hosts = server.hosts = [ "127.0.0.1:${toString ports.tcp.radicale}" ];
[ "127.0.0.1:${toString portDefinitions.radicale-http}" ];
auth = { auth = {
type = "htpasswd"; type = "htpasswd";
htpasswd_filename = "/var/lib/radicale/users"; htpasswd_filename = "/var/lib/radicale/users";
@ -18,8 +17,7 @@ in {
}; };
nginx.virtualHosts."radicale.rcia.dev" = { nginx.virtualHosts."radicale.rcia.dev" = {
locations."/" = { locations."/" = {
proxyPass = proxyPass = "http://127.0.0.1:${toString ports.tcp.radicale}";
"http://127.0.0.1:${toString portDefinitions.radicale-http}";
}; };
forceSSL = true; forceSSL = true;
useACMEHost = "rcia.dev"; useACMEHost = "rcia.dev";


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
let let
portDefinitions = import ./_port-definitions.nix; ports = import ./_port-definitions.nix;
nginxLocalServiceConfig = import ./nginx-local-config.nix; nginxLocalServiceConfig = import ./nginx-local-config.nix;
in { in {
services = { services = {
@ -12,13 +12,13 @@ in {
# runInUwsgi = true; # runInUwsgi = true;
# uwsgiConfig = { # uwsgiConfig = {
# socket = "/run/searx/searxng.sock"; # socket = "/run/searx/searxng.sock";
# http = ":${toString portDefinitions.searxng}"; # http = ":${toString ports.searxng}";
# chmod-socket = "660"; # chmod-socket = "660";
# }; # };
settings = { settings = {
base_url = "https://searxng.rcia.dev"; base_url = "https://searxng.rcia.dev";
bind_address = "127.0.0.1"; bind_address = "127.0.0.1";
port = portDefinitions.searxng; port = ports.tcp.searxng;
public_instance = false; public_instance = false;
limiter = false; limiter = false;
}; };
@ -26,7 +26,7 @@ in {
}; };
nginx.virtualHosts."searxng.rcia.dev" = { nginx.virtualHosts."searxng.rcia.dev" = {
locations."/".proxyPass = locations."/".proxyPass =
"http://127.0.0.1:${toString portDefinitions.searxng}"; "http://127.0.0.1:${toString ports.tcp.searxng}";
extraConfig = nginxLocalServiceConfig; extraConfig = nginxLocalServiceConfig;
forceSSL = true; forceSSL = true;
useACMEHost = "rcia.dev"; useACMEHost = "rcia.dev";
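Review bot: The commented-out uwsgi example was renamed to `# http = ":${toString ports.searxng}";` but not moved to the new nesting; the attribute is `ports.tcp.searxng`, so re-enabling the block as written would fail at evaluation. Unlike the live `bind_address = "127.0.0.1"`, uwsgi's bare `":port"` form listens on every interface, so if the example is kept it should read `# http = "127.0.0.1:${toString ports.tcp.searxng}";` so that a future switch to uwsgi does not quietly expose the backend beside the nginx proxy.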


@ -1,6 +1,6 @@
{ config, ... }: { config, ... }:
let let
portDefinitions = import ./_port-definitions.nix; ports = import ./_port-definitions.nix;
nginxLocalServiceConfig = import ./nginx-local-config.nix; nginxLocalServiceConfig = import ./nginx-local-config.nix;
in { in {
services = { services = {
@ -10,7 +10,7 @@ in {
config = { config = {
domain = "https://vaultwarden.rcia.dev"; domain = "https://vaultwarden.rcia.dev";
rocketAddress = "127.0.0.1"; rocketAddress = "127.0.0.1";
rocketPort = portDefinitions.vaultwarden; rocketPort = ports.tcp.vaultwarden;
showPasswordHint = false; showPasswordHint = false;
signupsAllowed = false; signupsAllowed = false;
}; };
@ -18,7 +18,7 @@ in {
}; };
nginx.virtualHosts."vaultwarden.rcia.dev" = { nginx.virtualHosts."vaultwarden.rcia.dev" = {
locations."/".proxyPass = locations."/".proxyPass =
"http://localhost:${toString portDefinitions.vaultwarden}"; "http://localhost:${toString ports.tcp.vaultwarden}";
forceSSL = true; forceSSL = true;
useACMEHost = "rcia.dev"; useACMEHost = "rcia.dev";
extraConfig = nginxLocalServiceConfig; extraConfig = nginxLocalServiceConfig;


@ -1,5 +1,5 @@
{ pkgs, ... }: { pkgs, ... }:
let portDefinitions = import ./_port-definitions.nix; let ports = import ./_port-definitions.nix;
in { in {
networking = { networking = {
nat = { nat = {
@ -7,12 +7,12 @@ in {
externalInterface = "enp5s0"; externalInterface = "enp5s0";
internalInterfaces = [ "wg0" ]; internalInterfaces = [ "wg0" ];
}; };
firewall.allowedUDPPorts = [ portDefinitions.wireguard ]; firewall.allowedUDPPorts = with ports.udp; [ wireguard ];
wireguard = { wireguard = {
enable = true; enable = true;
interfaces.wg0 = { interfaces.wg0 = {
ips = [ "10.10.0.1/24" ]; ips = [ "10.10.0.1/24" ];
listenPort = portDefinitions.wireguard; listenPort = ports.udp.wireguard;
peers = [{ peers = [{
allowedIPs = [ "10.10.0.2/32" ]; allowedIPs = [ "10.10.0.2/32" ];
name = "Pixel9a"; name = "Pixel9a";