feat: refactor the modules/servers directory.

2026-01-19 21:36:24 +01:00 · 2026-01-19 21:36:24 +01:00 · 8b754d3a7e
commit 8b754d3a7e
parent 4e783c052b
69 changed files with 61 additions and 62 deletions
--- a/modules/servers/per-server/thor/default.nix
+++ b/modules/servers/per-server/thor/default.nix
@ -0,0 +1,15 @@
+{...}: let
+  servicesDir = ./services;
+  serviceFiles =
+    builtins.filter
+    (name: builtins.match "^.*\\.nix$" name != null)
+    (builtins.attrNames (builtins.readDir servicesDir));
+  hostModules = map (fn: import "${servicesDir}/${fn}") serviceFiles;
+in {
+  imports =
+    [
+      ../../common
+      ./secrets.nix
+    ]
+    ++ hostModules;
+}
--- a/modules/servers/per-server/thor/secrets.nix
+++ b/modules/servers/per-server/thor/secrets.nix
@ -0,0 +1,18 @@
+{
+  age = {
+    secrets = {
+      forgejo-db = {
+        file = ../../../../secrets/forgejo-db.age;
+      };
+      plausible = {
+        file = ../../../../secrets/plausible.age;
+      };
+      conduit = {
+        file = ../../../../secrets/conduit.age;
+      };
+      lemmy-env = {
+        file = ../../../../secrets/lemmy.env.age;
+      };
+    };
+  };
+}
--- a/modules/servers/per-server/thor/services/changedetection-io.nix
+++ b/modules/servers/per-server/thor/services/changedetection-io.nix
@ -0,0 +1,30 @@
+{...}: {
+  services.changedetection-io = {
+    enable = true;
+    playwrightSupport = true;
+    baseURL = "https://changedetection.cronyakatsuki.xyz";
+    behindProxy = true;
+  };
+
+  services.traefik.dynamicConfigOptions.http = {
+    services.changedetection.loadBalancer.servers = [
+      {
+        url = "http://localhost:5000";
+      }
+    ];
+
+    routers.changedetection = {
+      rule = "Host(`changedetection.cronyakatsuki.xyz`)";
+      tls = {
+        certResolver = "porkbun";
+      };
+      service = "changedetection";
+      entrypoints = "websecure";
+    };
+  };
+
+  services.restic.backups = {
+    local.paths = ["/var/lib/changedetection-io"];
+    server.paths = ["/var/lib/changedetection-io"];
+  };
+}
--- a/modules/servers/per-server/thor/services/conduit.nix
+++ b/modules/servers/per-server/thor/services/conduit.nix
@ -0,0 +1,39 @@
+{config, ...}: {
+  services.matrix-conduit = {
+    enable = true;
+    settings = {
+      global = {
+        server_name = "cronyakatsuki.xyz";
+        database_backend = "rocksdb";
+        allow_registration = true;
+        allow_check_for_updates = true;
+      };
+    };
+  };
+
+  systemd.services.conduit.serviceConfig = {
+    EnvironmentFile = ["${config.age.secrets.conduit.path}"];
+  };
+
+  services.traefik.dynamicConfigOptions.http = {
+    services.conduit.loadBalancer.servers = [
+      {
+        url = "http://localhost:6167";
+      }
+    ];
+
+    routers.conduit = {
+      rule = "Host(`matrix.cronyakatsuki.xyz`)";
+      tls = {
+        certResolver = "porkbun";
+      };
+      service = "conduit";
+      entrypoints = "websecure";
+    };
+  };
+
+  services.restic.backups = {
+    local.paths = ["/var/lib/matrix-conduit"];
+    server.paths = ["/var/lib/matrix-conduit"];
+  };
+}
--- a/modules/servers/per-server/thor/services/forgejo.nix
+++ b/modules/servers/per-server/thor/services/forgejo.nix
@ -0,0 +1,51 @@
+{config, ...}: {
+  services.forgejo = {
+    enable = true;
+    settings = {
+      session = {
+        COOKIE_SECURE = true;
+      };
+      service = {
+        REGISTER_MANUAL_CONFIRM = true;
+        ENABLE_CAPTCHA = true;
+        REQUIRE_CAPTCHA_FOR_LOGIN = true;
+      };
+      server = {
+        ROOT_URL = "https://git.cronyakatsuki.xyz";
+        HTTP_ADDR = "127.0.0.1";
+      };
+    };
+    database = {
+      passwordFile = "${config.age.secrets.forgejo-db.path}";
+    };
+  };
+
+  services.traefik.dynamicConfigOptions.http = {
+    services.forgejo.loadBalancer.servers = [
+      {
+        url = "http://localhost:3000";
+      }
+    ];
+
+    routers.forgejo = {
+      rule = "Host(`git.cronyakatsuki.xyz`)";
+      tls = {
+        certResolver = "porkbun";
+      };
+      service = "forgejo";
+      entrypoints = "websecure";
+    };
+  };
+
+  services.openssh = {
+    authorizedKeysFiles = ["/var/lib/%u/.ssh/authorized_keys"];
+    settings = {
+      AllowUsers = ["forgejo"];
+    };
+  };
+
+  services.restic.backups = {
+    local.paths = ["/var/lib/forgejo"];
+    server.paths = ["/var/lib/forgejo"];
+  };
+}
--- a/modules/servers/per-server/thor/services/lemmy.nix
+++ b/modules/servers/per-server/thor/services/lemmy.nix
@ -0,0 +1,241 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}: {
+  # Enable container name DNS for all Podman networks.
+  networking.firewall.interfaces = let
+    matchAll =
+      if !config.networking.nftables.enable
+      then "podman+"
+      else "podman*";
+  in {
+    "${matchAll}".allowedUDPPorts = [53];
+  };
+
+  # Containers
+  virtualisation.oci-containers.containers."lemmy-backend" = {
+    image = "dessalines/lemmy:0.19.13";
+    environmentFiles = [
+      "/run/agenix/lemmy-env"
+    ];
+    volumes = [
+      "/var/lib/lemmy/lemmy.hjson:/config/config.hjson:rw,Z"
+    ];
+    dependsOn = [
+      "lemmy-db"
+      "lemmy-pictrs"
+    ];
+    log-driver = "journald";
+    extraOptions = [
+      "--hostname=lemmy"
+      "--network-alias=lemmy"
+      "--network=lemmy_default"
+    ];
+  };
+  systemd.services."podman-lemmy-backend" = {
+    serviceConfig = {
+      Restart = lib.mkOverride 90 "always";
+    };
+    after = [
+      "podman-network-lemmy_default.service"
+    ];
+    requires = [
+      "podman-network-lemmy_default.service"
+    ];
+    partOf = [
+      "podman-compose-lemmy-root.target"
+    ];
+    wantedBy = [
+      "podman-compose-lemmy-root.target"
+    ];
+  };
+  virtualisation.oci-containers.containers."lemmy-db" = {
+    image = "docker.io/postgres:16-alpine";
+    environmentFiles = [
+      "/run/agenix/lemmy-env"
+    ];
+    volumes = [
+      "/var/lib/lemmy/volumes/postgres:/var/lib/postgresql/data:rw,Z"
+    ];
+    log-driver = "journald";
+    extraOptions = [
+      "--hostname=postgres-lemmy"
+      "--network-alias=postgres"
+      "--network=lemmy_default"
+    ];
+  };
+  systemd.services."podman-lemmy-db" = {
+    serviceConfig = {
+      Restart = lib.mkOverride 90 "always";
+    };
+    after = [
+      "podman-network-lemmy_default.service"
+    ];
+    requires = [
+      "podman-network-lemmy_default.service"
+    ];
+    partOf = [
+      "podman-compose-lemmy-root.target"
+    ];
+    wantedBy = [
+      "podman-compose-lemmy-root.target"
+    ];
+  };
+  virtualisation.oci-containers.containers."lemmy-pictrs" = {
+    image = "docker.io/asonix/pictrs:0.5";
+    environmentFiles = [
+      "/run/agenix/lemmy-env"
+    ];
+    volumes = [
+      "/var/lib/lemmy/volumes/pictrs:/mnt:rw,Z"
+    ];
+    user = "991:991";
+    log-driver = "journald";
+    extraOptions = [
+      "--hostname=pictrs"
+      "--memory=723517440b"
+      "--network-alias=pictrs"
+      "--network=lemmy_default"
+    ];
+  };
+  systemd.services."podman-lemmy-pictrs" = {
+    serviceConfig = {
+      Restart = lib.mkOverride 90 "always";
+    };
+    after = [
+      "podman-network-lemmy_default.service"
+    ];
+    requires = [
+      "podman-network-lemmy_default.service"
+    ];
+    partOf = [
+      "podman-compose-lemmy-root.target"
+    ];
+    wantedBy = [
+      "podman-compose-lemmy-root.target"
+    ];
+  };
+  virtualisation.oci-containers.containers."lemmy-proxy" = {
+    image = "nginx:1-alpine";
+    environmentFiles = [
+      "/run/agenix/lemmy-env"
+    ];
+    volumes = [
+      "/var/lib/lemmy/nginx_internal.conf:/etc/nginx/nginx.conf:ro,Z"
+      "/var/lib/lemmy/proxy_params:/etc/nginx/proxy_params:ro,Z"
+    ];
+    ports = [
+      "127.0.0.1:1236:8536/tcp"
+    ];
+    dependsOn = [
+      "lemmy-pictrs"
+      "lemmy-ui"
+    ];
+    log-driver = "journald";
+    extraOptions = [
+      "--network-alias=proxy"
+      "--network=lemmy_default"
+    ];
+  };
+  systemd.services."podman-lemmy-proxy" = {
+    serviceConfig = {
+      Restart = lib.mkOverride 90 "always";
+    };
+    after = [
+      "podman-network-lemmy_default.service"
+    ];
+    requires = [
+      "podman-network-lemmy_default.service"
+    ];
+    partOf = [
+      "podman-compose-lemmy-root.target"
+    ];
+    wantedBy = [
+      "podman-compose-lemmy-root.target"
+    ];
+  };
+  virtualisation.oci-containers.containers."lemmy-ui" = {
+    image = "dessalines/lemmy-ui:0.19.13";
+    environmentFiles = [
+      "/run/agenix/lemmy-env"
+    ];
+    volumes = [
+      "/var/lib/lemmy/volumes/lemmy-ui/extra_themes:/app/extra_themes:rw"
+    ];
+    dependsOn = [
+      "lemmy-backend"
+      "lemmy-pictrs"
+    ];
+    log-driver = "journald";
+    extraOptions = [
+      "--network-alias=lemmy-ui"
+      "--network=lemmy_default"
+    ];
+  };
+  systemd.services."podman-lemmy-ui" = {
+    serviceConfig = {
+      Restart = lib.mkOverride 90 "always";
+    };
+    after = [
+      "podman-network-lemmy_default.service"
+    ];
+    requires = [
+      "podman-network-lemmy_default.service"
+    ];
+    partOf = [
+      "podman-compose-lemmy-root.target"
+    ];
+    wantedBy = [
+      "podman-compose-lemmy-root.target"
+    ];
+  };
+
+  # Networks
+  systemd.services."podman-network-lemmy_default" = {
+    path = [pkgs.podman];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStop = "podman network rm -f lemmy_default";
+    };
+    script = ''
+      podman network inspect lemmy_default || podman network create lemmy_default
+    '';
+    partOf = ["podman-compose-lemmy-root.target"];
+    wantedBy = ["podman-compose-lemmy-root.target"];
+  };
+
+  # Root service
+  # When started, this will automatically create all resources and start
+  # the containers. When stopped, this will teardown all resources.
+  systemd.targets."podman-compose-lemmy-root" = {
+    unitConfig = {
+      Description = "Root target generated by compose2nix.";
+    };
+    wantedBy = ["multi-user.target"];
+  };
+
+  services.traefik.dynamicConfigOptions.http = {
+    services.lemmy.loadBalancer.servers = [
+      {
+        url = "http://localhost:1236";
+      }
+    ];
+
+    routers.lemmy = {
+      rule = "Host(`lemmy.cronyakatsuki.xyz`)";
+      tls = {
+        certResolver = "porkbun";
+      };
+      service = "lemmy";
+      entrypoints = "websecure";
+    };
+  };
+
+  services.restic.backups = {
+    local.paths = ["/var/lib/lemmy"];
+    server.paths = ["/var/lib/lemmy"];
+  };
+}
--- a/modules/servers/per-server/thor/services/plausible.nix
+++ b/modules/servers/per-server/thor/services/plausible.nix
@ -0,0 +1,31 @@
+{config, ...}: {
+  services.plausible = {
+    enable = true;
+    server = {
+      baseUrl = "https://plausible.cronyakatsuki.xyz";
+      secretKeybaseFile = "${config.age.secrets.plausible.path}";
+    };
+  };
+
+  services.traefik.dynamicConfigOptions.http = {
+    services.plausible.loadBalancer.servers = [
+      {
+        url = "http://localhost:8000";
+      }
+    ];
+
+    routers.plausible = {
+      rule = "Host(`plausible.cronyakatsuki.xyz`)";
+      tls = {
+        certResolver = "porkbun";
+      };
+      service = "plausible";
+      entrypoints = "websecure";
+    };
+  };
+
+  services.restic.backups = {
+    local.paths = ["/var/lib/plausible"];
+    server.paths = ["/var/lib/plausible"];
+  };
+}