From 0a5754541bb01e96021ca7ee74f1256a8ee68bc4 Mon Sep 17 00:00:00 2001 From: tdback Date: Sat, 21 Dec 2024 15:32:13 -0500 Subject: initial commit to self-hosted git --- modules/services/blocky/default.nix | 93 ++++++++++++++++++++++++++++++++++ modules/services/cgit/default.nix | 28 ++++++++++ modules/services/fediverse/default.nix | 26 ++++++++++ modules/services/immich/default.nix | 18 +++++++ modules/services/proxy/default.nix | 9 ++++ modules/services/searx/default.nix | 33 ++++++++++++ modules/services/sftpgo/default.nix | 21 ++++++++ modules/services/ssh/default.nix | 17 +++++++ modules/services/web/default.nix | 10 ++++ 9 files changed, 255 insertions(+) create mode 100644 modules/services/blocky/default.nix create mode 100644 modules/services/cgit/default.nix create mode 100644 modules/services/fediverse/default.nix create mode 100644 modules/services/immich/default.nix create mode 100644 modules/services/proxy/default.nix create mode 100644 modules/services/searx/default.nix create mode 100644 modules/services/sftpgo/default.nix create mode 100644 modules/services/ssh/default.nix create mode 100644 modules/services/web/default.nix (limited to 'modules/services') diff --git a/modules/services/blocky/default.nix b/modules/services/blocky/default.nix new file mode 100644 index 0000000..ca58f4f --- /dev/null +++ b/modules/services/blocky/default.nix @@ -0,0 +1,93 @@ +{ pkgs, ... }: +{ + services.blocky = { + enable = true; + package = pkgs.blocky; + settings = { + upstreams = { + init.strategy = "fast"; + groups.default = [ + "9.9.9.9" + "149.112.112.112" + ]; + }; + bootstrapDns = [{ + upstream = "https://dns.quad9.net/dns-query"; + ips = [ "9.9.9.9" ]; + }]; + ports = { + dns = 53; + tls = 853; + https = 443; + }; + blocking = { + denylists = { + ads = [ + "https://adaway.org/hosts.txt" + "https://v.firebog.net/hosts/AdguardDNS.txt" + "https://v.firebog.net/hosts/Admiral.txt" + "https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt" + "https://v.firebog.net/hosts/Easylist.txt" + "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext" + "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts" + "https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts" + ]; + malicious = [ + "https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt" + "https://v.firebog.net/hosts/Prigent-Crypto.txt" + "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts" + "https://phishing.army/download/phishing_army_blocklist_extended.txt" + "https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt" + "https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt" + "https://raw.githubusercontent.com/AssoEchap/stalkerware-indicators/master/generated/hosts" + "https://urlhaus.abuse.ch/downloads/hostfile/" + "https://v.firebog.net/hosts/Prigent-Malware.txt" + ]; + other = [ + "https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser" + ]; + suspicious = [ + "https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt" + "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts" + "https://v.firebog.net/hosts/static/w3kbl.txt" + "https://raw.githubusercontent.com/matomo-org/referrer-spam-blacklist/master/spammers.txt" + "https://someonewhocares.org/hosts/zero/hosts" + "https://raw.githubusercontent.com/VeleSila/yhosts/master/hosts" + "https://winhelp2002.mvps.org/hosts.txt" + "https://v.firebog.net/hosts/neohostsbasic.txt" + "https://raw.githubusercontent.com/RooneyMcNibNug/pihole-stuff/master/SNAFU.txt" + "https://paulgb.github.io/BarbBlock/blacklists/hosts-file.txt" + ]; + tracking-telemetry = [ + "https://v.firebog.net/hosts/Easyprivacy.txt" + "https://v.firebog.net/hosts/Prigent-Ads.txt" + "https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts" + "https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt" + "https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt" + "https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt" + "https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/android-tracking.txt" + "https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV.txt" + "https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/AmazonFireTV.txt" + "https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt" + ]; + }; + clientGroupsBlock.default = [ + "ads" + "malicious" + "other" + "suspicious" + "tracking-telemetry" + ]; + loading = { + concurrency = 16; + strategy = "failOnError"; + }; + }; + }; + }; + + networking.firewall = { + allowedTCPPorts = [ 53 443 853 ]; + allowedUDPPorts = [ 53 ]; + }; +} diff --git a/modules/services/cgit/default.nix b/modules/services/cgit/default.nix new file mode 100644 index 0000000..5309e6f --- /dev/null +++ b/modules/services/cgit/default.nix @@ -0,0 +1,28 @@ +{ inputs, lib, pkgs, ... }: +let + scanPath = "/tank/git"; + domain = "git.tdback.net"; +in +{ + imports = lib.lists.singleton "${inputs.self}/modules/customs/cgit"; + + services.cgit = { + enable = true; + package = pkgs.cgit; + scanPath = scanPath; + virtualHost = domain; + authorizedKeys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEzLpTEoej7P04KoNzokQ9IOnNZiKyi2+YQ8yU5WSKCb" + ]; + settings = { + root-title = domain; + root-desc = "tdback's git repositories"; + enable-index-links = 1; + enable-index-owner = 0; + enable-commit-graph = 1; + enable-log-filecount = 1; + enable-log-linecount = 1; + readme = ":README.md"; + }; + }; +} diff --git a/modules/services/fediverse/default.nix b/modules/services/fediverse/default.nix new file mode 100644 index 0000000..0c3c696 --- /dev/null +++ b/modules/services/fediverse/default.nix @@ -0,0 +1,26 @@ +{ pkgs, ... }: +let + domain = "social.tdback.net"; + port = 8080; +in +{ + services.gotosocial = { + enable = true; + package = pkgs.unstable.gotosocial; + settings = { + application-name = "gotosocial"; + host = "${domain}"; + protocol = "https"; + bind-address = "localhost"; + port = port; + db-type = "sqlite"; + db-address = "/var/lib/gotosocial/database.sqlite"; + storage-local-base-path = "/var/lib/gotosocial/storage"; + }; + }; + + services.caddy.virtualHosts.${domain}.extraConfig = '' + encode zstd gzip + reverse_proxy http://localhost:${builtins.toString port} + ''; +} diff --git a/modules/services/immich/default.nix b/modules/services/immich/default.nix new file mode 100644 index 0000000..e33dd97 --- /dev/null +++ b/modules/services/immich/default.nix @@ -0,0 +1,18 @@ +{ pkgs, ... }: +{ + services.immich = { + enable = true; + package = pkgs.immich; + host = "localhost"; + port = 2283; + mediaLocation = "/lagoon/media/immich"; + environment = { + IMMICH_LOG_LEVEL = "log"; + }; + }; + + services.caddy.virtualHosts."photographs.brownbread.net".extraConfig = '' + encode zstd gzip + reverse_proxy http://localhost:2283 + ''; +} diff --git a/modules/services/proxy/default.nix b/modules/services/proxy/default.nix new file mode 100644 index 0000000..e11beab --- /dev/null +++ b/modules/services/proxy/default.nix @@ -0,0 +1,9 @@ +{ pkgs, ... }: +{ + services.caddy = { + enable = true; + package = pkgs.caddy; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; +} diff --git a/modules/services/searx/default.nix b/modules/services/searx/default.nix new file mode 100644 index 0000000..2b4a9d8 --- /dev/null +++ b/modules/services/searx/default.nix @@ -0,0 +1,33 @@ +{ pkgs, ... }: +let + port = 8888; +in +{ + services.searx = { + enable = true; + package = pkgs.searxng; + environmentFile = "/var/lib/searx/env"; + settings = { + general = { + debug = false; + instance_name = "searx"; + }; + search = { + safe_search = 1; + autocomplete = "duckduckgo"; + autocomplete_min = 4; + default_lang = "en-US"; + }; + server = { + port = port; + bind_address = "0.0.0.0"; + secret_key = "@SEARX_SECRET_KEY@"; + public_instance = false; + image_proxy = true; + }; + ui.static_use_hash = true; + }; + }; + + networking.firewall.allowedTCPPorts = [ port ]; +} diff --git a/modules/services/sftpgo/default.nix b/modules/services/sftpgo/default.nix new file mode 100644 index 0000000..27318b2 --- /dev/null +++ b/modules/services/sftpgo/default.nix @@ -0,0 +1,21 @@ +{ config, pkgs, ... }: +{ + services.sftpgo = { + enable = true; + package = pkgs.sftpgo; + settings = { + httpd.bindings = [{ + port = 8080; + address = "0.0.0.0"; + enable_web_client = true; + enable_web_admin = true; + }]; + }; + }; + + services.caddy.virtualHosts."${config.networking.hostName}.brownbread.net".extraConfig = '' + root * /web/client + encode zstd gzip + reverse_proxy http://localhost:8080 + ''; +} diff --git a/modules/services/ssh/default.nix b/modules/services/ssh/default.nix new file mode 100644 index 0000000..ec8f188 --- /dev/null +++ b/modules/services/ssh/default.nix @@ -0,0 +1,17 @@ +{ lib, ... }: +let + ports = lib.lists.singleton 2222; +in +{ + services.openssh = { + enable = lib.mkDefault true; + ports = ports; + openFirewall = true; + startWhenNeeded = true; + settings = { + AllowUsers = [ "tdback" ]; + PermitRootLogin = "no"; + PasswordAuthentication = lib.mkDefault false; + }; + }; +} diff --git a/modules/services/web/default.nix b/modules/services/web/default.nix new file mode 100644 index 0000000..b6a45af --- /dev/null +++ b/modules/services/web/default.nix @@ -0,0 +1,10 @@ +{ ... }: +{ + services.caddy.virtualHosts = { + "tdback.net".extraConfig = '' + root * /var/www/tdback.net/ + encode zstd gzip + file_server + ''; + }; +} -- cgit v1.2.3