initial commit to self-hosted git

9 files changed, 255 insertions, 0 deletions

diff --git a/modules/services/blocky/default.nix b/modules/services/blocky/default.nix
new file mode 100644
index 0000000..ca58f4f
--- /dev/null
+++ b/modules/services/blocky/default.nix
@@ -0,0 +1,93 @@
+{ pkgs, ... }:
+{
+  services.blocky = {
+    enable = true;
+    package = pkgs.blocky;
+    settings = {
+      upstreams = {
+        init.strategy = "fast";
+        groups.default = [
+          "9.9.9.9"
+          "149.112.112.112"
+        ];
+      };
+      bootstrapDns = [{
+        upstream = "https://dns.quad9.net/dns-query";
+        ips = [ "9.9.9.9" ];
+      }];
+      ports = {
+        dns = 53;
+        tls = 853;
+        https = 443;
+      };
+      blocking = {
+        denylists = {
+          ads = [
+            "https://adaway.org/hosts.txt"
+            "https://v.firebog.net/hosts/AdguardDNS.txt"
+            "https://v.firebog.net/hosts/Admiral.txt"
+            "https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt"
+            "https://v.firebog.net/hosts/Easylist.txt"
+            "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext"
+            "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts"
+            "https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts"
+          ];
+          malicious = [
+            "https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"
+            "https://v.firebog.net/hosts/Prigent-Crypto.txt"
+            "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts"
+            "https://phishing.army/download/phishing_army_blocklist_extended.txt"
+            "https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt"
+            "https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt"
+            "https://raw.githubusercontent.com/AssoEchap/stalkerware-indicators/master/generated/hosts"
+            "https://urlhaus.abuse.ch/downloads/hostfile/"
+            "https://v.firebog.net/hosts/Prigent-Malware.txt"
+          ];
+          other = [
+            "https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser"
+          ];
+          suspicious = [
+            "https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt"
+            "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts"
+            "https://v.firebog.net/hosts/static/w3kbl.txt"
+            "https://raw.githubusercontent.com/matomo-org/referrer-spam-blacklist/master/spammers.txt"
+            "https://someonewhocares.org/hosts/zero/hosts"
+            "https://raw.githubusercontent.com/VeleSila/yhosts/master/hosts"
+            "https://winhelp2002.mvps.org/hosts.txt"
+            "https://v.firebog.net/hosts/neohostsbasic.txt"
+            "https://raw.githubusercontent.com/RooneyMcNibNug/pihole-stuff/master/SNAFU.txt"
+            "https://paulgb.github.io/BarbBlock/blacklists/hosts-file.txt"
+          ];
+          tracking-telemetry = [
+            "https://v.firebog.net/hosts/Easyprivacy.txt"
+            "https://v.firebog.net/hosts/Prigent-Ads.txt"
+            "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts"
+            "https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt"
+            "https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt"
+            "https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt"
+            "https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/android-tracking.txt"
+            "https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV.txt"
+            "https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/AmazonFireTV.txt"
+            "https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt"
+          ];
+        };
+        clientGroupsBlock.default = [
+          "ads"
+          "malicious"
+          "other"
+          "suspicious"
+          "tracking-telemetry"
+        ];
+        loading = {
+          concurrency = 16;
+          strategy = "failOnError";
+        };
+      };
+    };
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [ 53 443 853 ];
+    allowedUDPPorts = [ 53 ];
+  };
+}
diff --git a/modules/services/cgit/default.nix b/modules/services/cgit/default.nix
new file mode 100644
index 0000000..5309e6f
--- /dev/null
+++ b/modules/services/cgit/default.nix
@@ -0,0 +1,28 @@
+{ inputs, lib, pkgs, ... }:
+let
+  scanPath = "/tank/git";
+  domain = "git.tdback.net";
+in
+{
+  imports = lib.lists.singleton "${inputs.self}/modules/customs/cgit";
+
+  services.cgit = {
+    enable = true;
+    package = pkgs.cgit;
+    scanPath = scanPath;
+    virtualHost = domain;
+    authorizedKeys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEzLpTEoej7P04KoNzokQ9IOnNZiKyi2+YQ8yU5WSKCb"
+    ];
+    settings = {
+      root-title = domain;
+      root-desc = "tdback's git repositories";
+      enable-index-links = 1;
+      enable-index-owner = 0;
+      enable-commit-graph = 1;
+      enable-log-filecount = 1;
+      enable-log-linecount = 1;
+      readme = ":README.md";
+    };
+  };
+}
diff --git a/modules/services/fediverse/default.nix b/modules/services/fediverse/default.nix
new file mode 100644
index 0000000..0c3c696
--- /dev/null
+++ b/modules/services/fediverse/default.nix
@@ -0,0 +1,26 @@
+{ pkgs, ... }:
+let
+  domain = "social.tdback.net";
+  port = 8080;
+in
+{
+  services.gotosocial = {
+    enable = true;
+    package = pkgs.unstable.gotosocial;
+    settings = {
+      application-name = "gotosocial";
+      host = "${domain}";
+      protocol = "https";
+      bind-address = "localhost";
+      port = port;
+      db-type = "sqlite";
+      db-address = "/var/lib/gotosocial/database.sqlite";
+      storage-local-base-path = "/var/lib/gotosocial/storage";
+    };
+  };
+
+  services.caddy.virtualHosts.${domain}.extraConfig = ''
+    encode zstd gzip
+    reverse_proxy http://localhost:${builtins.toString port}
+  '';
+}
diff --git a/modules/services/immich/default.nix b/modules/services/immich/default.nix
new file mode 100644
index 0000000..e33dd97
--- /dev/null
+++ b/modules/services/immich/default.nix
@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+{
+  services.immich = {
+    enable = true;
+    package = pkgs.immich;
+    host = "localhost";
+    port = 2283;
+    mediaLocation = "/lagoon/media/immich";
+    environment = {
+      IMMICH_LOG_LEVEL = "log";
+    };
+  };
+
+  services.caddy.virtualHosts."photographs.brownbread.net".extraConfig = ''
+    encode zstd gzip
+    reverse_proxy http://localhost:2283
+  '';
+}
diff --git a/modules/services/proxy/default.nix b/modules/services/proxy/default.nix
new file mode 100644
index 0000000..e11beab
--- /dev/null
+++ b/modules/services/proxy/default.nix
@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+{
+  services.caddy = {
+    enable = true;
+    package = pkgs.caddy;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
diff --git a/modules/services/searx/default.nix b/modules/services/searx/default.nix
new file mode 100644
index 0000000..2b4a9d8
--- /dev/null
+++ b/modules/services/searx/default.nix
@@ -0,0 +1,33 @@
+{ pkgs, ... }:
+let
+  port = 8888;
+in
+{
+  services.searx = {
+    enable = true;
+    package = pkgs.searxng;
+    environmentFile = "/var/lib/searx/env";
+    settings = {
+      general = {
+        debug = false;
+        instance_name = "searx";
+      };
+      search = {
+        safe_search = 1;
+        autocomplete = "duckduckgo";
+        autocomplete_min = 4;
+        default_lang = "en-US";
+      };
+      server = {
+        port = port;
+        bind_address = "0.0.0.0";
+        secret_key = "@SEARX_SECRET_KEY@";
+        public_instance = false;
+        image_proxy = true;
+      };
+      ui.static_use_hash = true;
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ port ];
+}
diff --git a/modules/services/sftpgo/default.nix b/modules/services/sftpgo/default.nix
new file mode 100644
index 0000000..27318b2
--- /dev/null
+++ b/modules/services/sftpgo/default.nix
@@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+{
+  services.sftpgo = {
+    enable = true;
+    package = pkgs.sftpgo;
+    settings = {
+      httpd.bindings = [{
+        port = 8080;
+        address = "0.0.0.0";
+        enable_web_client = true;
+        enable_web_admin = true;
+      }];
+    };
+  };
+
+  services.caddy.virtualHosts."${config.networking.hostName}.brownbread.net".extraConfig = ''
+    root * /web/client
+    encode zstd gzip
+    reverse_proxy http://localhost:8080
+  '';
+}
diff --git a/modules/services/ssh/default.nix b/modules/services/ssh/default.nix
new file mode 100644
index 0000000..ec8f188
--- /dev/null
+++ b/modules/services/ssh/default.nix
@@ -0,0 +1,17 @@
+{ lib, ... }:
+let
+  ports = lib.lists.singleton 2222;
+in
+{
+  services.openssh = {
+    enable = lib.mkDefault true;
+    ports = ports;
+    openFirewall = true;
+    startWhenNeeded = true;
+    settings = {
+      AllowUsers = [ "tdback" ];
+      PermitRootLogin = "no";
+      PasswordAuthentication = lib.mkDefault false;
+    };
+  };
+}
diff --git a/modules/services/web/default.nix b/modules/services/web/default.nix
new file mode 100644
index 0000000..b6a45af
--- /dev/null
+++ b/modules/services/web/default.nix
@@ -0,0 +1,10 @@
+{ ... }:
+{
+  services.caddy.virtualHosts = {
+    "tdback.net".extraConfig = ''
+      root * /var/www/tdback.net/
+      encode zstd gzip
+      file_server
+    '';
+  };
+}