Rebase to flake parts #11

2026-05-29 00:08:10 -03:00
parent 6978396646
commit 9a4ed1b04b
11 changed files with 232 additions and 16 deletions
@@ -0,0 +1,26 @@
# Cloudflare dynamic DNS via NixOS (kissgyorgy/cloudflare-dyndns).
{ config, ... }:
let
secretFilePath = ../secrets.yaml;
in
{
sops.secrets."cloudflare-ddns/api-token".sopsFile = secretFilePath;
services.cloudflare-dyndns = {
enable = true;
apiTokenFile = config.sops.secrets."cloudflare-ddns/api-token".path;
domains = [
"chiasson.cloud"
"chiassoncloud.services"
"swiftshare.cloud"
"blackfry.day"
"yestur.day"
"rp-own.life"
"xn--1iu.cc"
];
proxied = true;
ipv4 = true;
ipv6 = false;
# Default: *:0/5 (every 5 minutes).
};
}
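Review bot: The module does not record which permissions the token behind `cloudflare-ddns/api-token` needs, although that one credential is used for all seven zones in `domains`. A comment above `apiTokenFile`, for example `# API token scoped to Zone:Read + DNS:Edit on the zones listed below; not the global API key`, would let a reader check the credential against least privilege. The trailing `# Default: *:0/5 (every 5 minutes).` comment is attached to no option, so it should name the setting it describes.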
@@ -0,0 +1,47 @@
{ lib, ... }:
{
services.gitea = {
enable = true;
# Migrated sqlite DB and repos; do not provision a fresh database.
database = {
type = "sqlite3";
createDatabase = false;
};
settings = {
server = {
DOMAIN = "git.chiasson.cloud";
HTTP_PORT = 3002;
ROOT_URL = "https://git.chiasson.cloud/";
# Clone URLs and LAN git@… -p 222 (was Docker host 222 → container 22).
# Port 222 is <1024 (privileged); systemd must grant CAP_NET_BIND_SERVICE below.
SSH_PORT = 222;
START_SSH_SERVER = true;
SSH_LISTEN_HOST = "0.0.0.0";
SSH_LISTEN_PORT = 222;
};
service.DISABLE_REGISTRATION = false;
};
};
# First boot after migration runs DB migrate + hook regen; default WatchdogSec=30 kills
# gitea while storage/actions init is still running. Type=notify also fails if startup
# is slow; PrivateUsers breaks access to migrated files owned by the real gitea uid.
# Port 222 is privileged (<1024); Docker mapped host 222→container 22 as root.
systemd.services.gitea.serviceConfig = {
Type = lib.mkForce "simple";
PrivateUsers = lib.mkForce false;
NoNewPrivileges = lib.mkForce false;
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
CapabilityBoundingSet = lib.mkForce [ "CAP_NET_BIND_SERVICE" ];
TimeoutStartSec = lib.mkForce "20min";
WatchdogSec = lib.mkForce 0;
};
networking.firewall.allowedTCPPorts = [
3002
222
];
}
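Review bot: `NoNewPrivileges = lib.mkForce false;` is not explained by the comment above the `serviceConfig` override and should not be needed for the port-222 bind, because capabilities granted through `AmbientCapabilities` survive exec with no_new_privs set; I would drop that line and keep the module default. `service.DISABLE_REGISTRATION = false;` combined with `ROOT_URL = "https://git.chiasson.cloud/"` leaves sign-up open to anyone who can reach the instance, so `service.DISABLE_REGISTRATION = true;` is the safer setting for a migrated instance unless open sign-up is intended. `allowedTCPPorts` also opens 3002 directly, which looks unnecessary if a reverse proxy on this host terminates TLS (no proxy is visible in this hunk). The `Type`, `WatchdogSec` and `TimeoutStartSec` overrides are described as first-boot workarounds, so a comment such as `# TODO: remove these overrides after the first successful start` would keep them from becoming permanent.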
@@ -0,0 +1,56 @@
{ config, ... }:
let
secretFilePath = ../secrets.yaml;
in
{
sops.secrets."personal-website/database-password".sopsFile = secretFilePath;
sops.secrets."personal-website/auth-secret".sopsFile = secretFilePath;
sops.secrets."personal-website/oauth-discord-client-secret".sopsFile = secretFilePath;
sops.templates."personal-website-postgres.env" = {
content = ''
POSTGRES_PASSWORD=${config.sops.placeholder."personal-website/database-password"}
POSTGRES_USER=chiassoncloud
POSTGRES_DB=chiassoncloud
'';
};
sops.templates."personal-website.env" = {
content = ''
DATABASE_URL=postgresql://chiassoncloud:${config.sops.placeholder."personal-website/database-password"}@personal-website-db:5432/chiassoncloud
AUTH_SECRET=${config.sops.placeholder."personal-website/auth-secret"}
AUTH_DISCORD_SECRET=${config.sops.placeholder."personal-website/oauth-discord-client-secret"}
'';
};
services.personalWebsite = {
enable = true;
app = {
image = "ghcr.io/olivierchiasson/personal-website:main";
ghcr = {
username = "olivierchiasson";
passwordFile = config.sops.secrets."swiftshare/ghcr-token".path;
};
port = 3001;
authUrl = "https://chiasson.cloud";
publicUrl = "https://chiasson.cloud";
disableTelemetry = true;
environmentFiles = [ config.sops.templates."personal-website.env".path ];
};
database = {
user = "chiassoncloud";
name = "chiassoncloud";
environmentFiles = [ config.sops.templates."personal-website-postgres.env".path ];
};
auth.discord.clientId = "1400660345068191855";
umami = {
websiteId = "3b2f29d3-11b8-4a3b-bc76-bda3f27926d1";
scriptUrl = "https://analytics.chiasson.cloud/script.js";
};
};
}
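Review bot: `image = "ghcr.io/olivierchiasson/personal-website:main";` tracks a mutable tag, so whatever is pushed to `main` next runs with the database password, `AUTH_SECRET` and the Discord client secret in its environment. If the module passes the string through to the container runtime, pinning by digest (`image = "ghcr.io/olivierchiasson/personal-website@sha256:<digest>";`) makes the deployed content reviewable in the repository. `passwordFile` reads `swiftshare/ghcr-token`, which this file does not declare, so the module depends on another one defining it and shares a single registry credential across services; declaring a `personal-website/ghcr-token` secret alongside the other three would keep it self-contained. The password is also interpolated raw into `DATABASE_URL`, so it is worth a comment that it must not contain URL-reserved characters.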