aylac.top / nixcfg-own-knot
forked from aylac.top/nixcfg
this repo has no description
fork atom

put all public services in containers. the postgresql databases might've gotten less secure tho because now there's no passwords for them i couldn't figure out how...

aylac.top cbc906eb 3d5ddf59

options
unified split
Changed files
+226 -141
flake.lock
modules
nixos
profiles
backups
default.nix
services
default.nix
forgejo
default.nix
glance
default.nix
miniflux
default.nix
ntfy
default.nix
pds
default.nix
postgresql
default.nix
+3 -3
flake.lock 
···

       
1054

       
1054

       
 

       
    "secrets": {


     

       
1055

       
1055

       
 

       
      "flake": false,


     

       
1056

       
1056

       
 

       
      "locked": {


     

       
1057

       

       
-

       
        "lastModified": 1756147116,


     

       
1058

       

       
-

       
        "narHash": "sha256-g5F0PnFqq+8VNIoYhxtl+Xokwfw2ErNUUoCyu+dMDdo=",


     

       

       
1057

       
+

       
        "lastModified": 1756518813,


     

       

       
1058

       
+

       
        "narHash": "sha256-tuhglLbJSQzfWeOYYMnbx4XhwFQp8cF1GdtmznPiKTQ=",


     

       
1059

       
1059

       
 

       
        "owner": "ayla6",


     

       
1060

       
1060

       
 

       
        "repo": "secrets",


     

       
1061

       

       
-

       
        "rev": "ef47bc3a658c30bf331035e1380384edcca4f46f",


     

       

       
1061

       
+

       
        "rev": "646cbc68c306569c502e78a31be22e6c2919b5ae",


     

       
1062

       
1062

       
 

       
        "type": "github"


     

       
1063

       
1063

       
 

       
      },


     

       
1064

       
1064

       
 

       
      "original": {
+18 -9
modules/nixos/profiles/backups/default.nix 
···

       
79

       
79

       
 

       
        repo = repoKey;


     

       
80

       
80

       
 

       
        service = service.name;


     

       
81

       
81

       
 

       
      };


     

       
82

       

       
-

       
      systemdService = service.name;


     

       
83

       

       
-

       
      backupMode = service.backupMode or "stop"; # "stop", "notify", "none"


     

       

       
82

       
+

       
      systemdService =


     

       

       
83

       
+

       
        if service.containerised or false


     

       

       
84

       
+

       
        then "container@" + service.name


     

       

       
85

       
+

       
        else service.name;


     

       

       
86

       
+

       
      backupMode = service.backupMode or "stop"; # "stop", "notify", "quiet"


     

       
84

       
87

       
 

       



     

       
85

       
88

       
 

       
      commands =


     

       
86

       
89

       
 

       
        if backupMode == "stop"


     
···

       
139

       
142

       
 

       
        paths = [config.services.couchdb.databaseDir];


     

       
140

       
143

       
 

       
      }


     

       
141

       
144

       
 

       
      {


     

       

       
145

       
+

       
        # damn this is ugly


     

       
142

       
146

       
 

       
        name = "forgejo";


     

       
143

       

       
-

       
        enable = config.services.forgejo.enable && config.services.forgejo.settings.storage.STORAGE_TYPE != "minio";


     

       
144

       

       
-

       
        paths = [config.services.forgejo.stateDir];


     

       

       
147

       
+

       
        containerised = true;


     

       

       
148

       
+

       
        inherit (config.containers.forgejo.config.services.forgejo) enable;


     

       

       
149

       
+

       
        paths = ["/var/lib/nixos-containers/forgejo${config.containers.forgejo.config.services.forgejo.stateDir}"];


     

       
145

       
150

       
 

       
        backupMode = "none";


     

       
146

       
151

       
 

       
      }


     

       
147

       
152

       
 

       
      # {


     
···

       
172

       
177

       
 

       
        paths = [config.services.ombi.dataDir];


     

       
173

       
178

       
 

       
      }


     

       
174

       
179

       
 

       
      {


     

       

       
180

       
+

       
        # damn this is ugly


     

       
175

       
181

       
 

       
        name = "pds";


     

       
176

       

       
-

       
        inherit (config.services.bluesky-pds) enable;


     

       
177

       

       
-

       
        paths = [config.services.bluesky-pds.settings.PDS_DATA_DIRECTORY];


     

       

       
182

       
+

       
        containerised = true;


     

       

       
183

       
+

       
        inherit (config.containers.pds.config.services.bluesky-pds) enable;


     

       

       
184

       
+

       
        paths = ["/var/lib/nixos-containers/pds${config.containers.pds.config.services.bluesky-pds.settings.PDS_DATA_DIRECTORY}"];


     

       
178

       
185

       
 

       
      }


     

       
179

       
186

       
 

       
      {


     

       
180

       
187

       
 

       
        name = "plex";


     
···

       
185

       
192

       
 

       
        };


     

       
186

       
193

       
 

       
      }


     

       
187

       
194

       
 

       
      {


     

       

       
195

       
+

       
        # damn this is ugly


     

       
188

       
196

       
 

       
        name = "postgresql";


     

       
189

       

       
-

       
        inherit (config.services.postgresql) enable;


     

       
190

       

       
-

       
        paths = [config.services.postgresql.dataDir];


     

       
191

       

       
-

       
        backupMode = "none";


     

       

       
197

       
+

       
        containerised = true;


     

       

       
198

       
+

       
        inherit (config.containers.postgresql.config.services.postgresql) enable;


     

       

       
199

       
+

       
        paths = ["/var/lib/nixos-containers/postgresql${config.containers.postgresql.config.services.postgresql.dataDir}"];


     

       

       
200

       
+

       
        backupMode = "quiet";


     

       
192

       
201

       
 

       
      }


     

       
193

       
202

       
 

       
      {


     

       
194

       
203

       
 

       
        name = "prowlarr";
+1
modules/nixos/services/default.nix 
···

       
20

       
20

       
 

       
    ./nitter


     

       
21

       
21

       
 

       
    ./ntfy


     

       
22

       
22

       
 

       
    ./pds


     

       

       
23

       
+

       
    ./postgresql


     

       
23

       
24

       
 

       
    ./qbittorrent


     

       
24

       
25

       
 

       
    ./radicale


     

       
25

       
26

       
 

       
    ./redlib
+93 -89
modules/nixos/services/forgejo/default.nix 
···

       

       
1

       
+

       
# damn this is really messy


     

       
1

       
2

       
 

       
{


     

       
2

       
3

       
 

       
  config,


     

       
3

       
4

       
 

       
  lib,


     

       
4

       
5

       
 

       
  pkgs,


     

       
5

       

       
-

       
  self,


     

       
6

       
6

       
 

       
  ...


     

       
7

       
7

       
 

       
}: let


     

       
8

       
8

       
 

       
  name = "forgejo";


     
···

       
11

       
11

       
 

       
  network = config.mySnippets.aylac-top;


     

       
12

       
12

       
 

       
  service = network.networkMap.${name};


     

       
13

       
13

       
 

       
in {


     

       
14

       

       
-

       
  options.myNixOS.services.forgejo = {


     

       

       
14

       
+

       
  options.myNixOS.services.${name} = {


     

       
15

       
15

       
 

       
    enable = lib.mkEnableOption "forgejo git forge";


     

       
16

       
16

       
 

       



     

       
17

       
17

       
 

       
    db = lib.mkOption {


     
···

       
29

       
29

       
 

       
  };


     

       
30

       
30

       
 

       



     

       
31

       
31

       
 

       
  config = lib.mkIf cfg.enable {


     

       
32

       

       
-

       
    age.secrets.forgejo.file = "${self.inputs.secrets}/postgres/forgejo.age";


     

       

       
32

       
+

       
    services.cloudflared.tunnels."${network.cloudflareTunnel}".ingress = lib.mkIf cfg.autoProxy {


     

       

       
33

       
+

       
      "${service.vHost}" = "http://${service.hostName}:${toString service.port}";


     

       

       
34

       
+

       
    };


     

       
33

       
35

       
 

       



     

       
34

       

       
-

       
    services = {


     

       
35

       

       
-

       
      cloudflared.tunnels."${network.cloudflareTunnel}".ingress = lib.mkIf cfg.autoProxy {


     

       
36

       

       
-

       
        "${service.vHost}" = "http://${service.hostName}:${toString service.port}";


     

       
37

       

       
-

       
      };


     

       

       
36

       
+

       
    myNixOS.services.postgresql = lib.mkIf (cfg.db == "postgresql") {


     

       

       
37

       
+

       
      enable = true;


     

       

       
38

       
+

       
      databases = ["forgejo"];


     

       

       
39

       
+

       
    };


     

       
38

       
40

       
 

       



     

       
39

       

       
-

       
      postgresql = lib.mkIf (cfg.db


     

       
40

       

       
-

       
        == "postgresql") {


     

       
41

       

       
-

       
        enable = true;


     

       
42

       

       
-

       
        package = pkgs.postgresql_16;


     

       
43

       

       
-

       
        ensureDatabases = ["forgejo"];


     

       

       
41

       
+

       
    containers.forgejo = {


     

       

       
42

       
+

       
      autoStart = true;


     

       
44

       
43

       
 

       



     

       
45

       

       
-

       
        ensureUsers = [


     

       
46

       

       
-

       
          {


     

       
47

       

       
-

       
            name = "forgejo";


     

       
48

       

       
-

       
            ensureDBOwnership = true;


     

       
49

       

       
-

       
          }


     

       
50

       

       
-

       
        ];


     

       
51

       

       
-

       
      };


     

       

       
44

       
+

       
      config = {


     

       

       
45

       
+

       
        services = {


     

       

       
46

       
+

       
          postgresql.enable = lib.mkForce false;


     

       
52

       
47

       
 

       



     

       
53

       

       
-

       
      forgejo = {


     

       
54

       

       
-

       
        enable = true;


     

       

       
48

       
+

       
          forgejo = {


     

       

       
49

       
+

       
            enable = true;


     

       
55

       
50

       
 

       



     

       
56

       

       
-

       
        database = lib.mkIf (cfg.db


     

       
57

       

       
-

       
          == "postgresql") {


     

       
58

       

       
-

       
          createDatabase = true;


     

       
59

       

       
-

       
          host = "127.0.0.1";


     

       
60

       

       
-

       
          name = "forgejo";


     

       
61

       

       
-

       
          passwordFile = config.age.secrets.forgejo.path;


     

       
62

       

       
-

       
          type = "postgres";


     

       
63

       

       
-

       
          user = "forgejo";


     

       
64

       

       
-

       
        };


     

       

       
51

       
+

       
            database = lib.mkIf (cfg.db


     

       

       
52

       
+

       
              == "postgresql") {


     

       

       
53

       
+

       
              host = "127.0.0.1";


     

       

       
54

       
+

       
              name = "forgejo";


     

       

       
55

       
+

       
              type = "postgres";


     

       

       
56

       
+

       
              user = "forgejo";


     

       

       
57

       
+

       
              socket = null;


     

       

       
58

       
+

       
            };


     

       
65

       
59

       
 

       



     

       
66

       

       
-

       
        lfs.enable = true;


     

       
67

       

       
-

       
        package = pkgs.forgejo;


     

       

       
60

       
+

       
            lfs.enable = true;


     

       

       
61

       
+

       
            package = pkgs.forgejo;


     

       
68

       
62

       
 

       



     

       
69

       

       
-

       
        settings = {


     

       
70

       

       
-

       
          actions = {


     

       
71

       

       
-

       
            ARTIFACT_RETENTION_DAYS = 15;


     

       
72

       

       
-

       
            DEFAULT_ACTIONS_URL = "https://github.com";


     

       
73

       

       
-

       
            ENABLED = false;


     

       
74

       

       
-

       
          };


     

       

       
63

       
+

       
            settings = {


     

       

       
64

       
+

       
              actions = {


     

       

       
65

       
+

       
                ARTIFACT_RETENTION_DAYS = 15;


     

       

       
66

       
+

       
                DEFAULT_ACTIONS_URL = "https://github.com";


     

       

       
67

       
+

       
                ENABLED = false;


     

       

       
68

       
+

       
              };


     

       
75

       
69

       
 

       



     

       
76

       

       
-

       
          cron = {


     

       
77

       

       
-

       
            ENABLED = true;


     

       
78

       

       
-

       
            RUN_AT_START = false;


     

       
79

       

       
-

       
          };


     

       

       
70

       
+

       
              cron = {


     

       

       
71

       
+

       
                ENABLED = true;


     

       

       
72

       
+

       
                RUN_AT_START = false;


     

       

       
73

       
+

       
              };


     

       
80

       
74

       
 

       



     

       
81

       

       
-

       
          DEFAULT.APP_NAME = "git.aylac.top";


     

       
82

       

       
-

       
          federation.ENABLED = true;


     

       
83

       

       
-

       
          indexer.REPO_INDEXER_ENABLED = true;


     

       

       
75

       
+

       
              DEFAULT.APP_NAME = "git.aylac.top";


     

       

       
76

       
+

       
              federation.ENABLED = true;


     

       

       
77

       
+

       
              indexer.REPO_INDEXER_ENABLED = true;


     

       
84

       
78

       
 

       



     

       
85

       

       
-

       
          log = {


     

       
86

       

       
-

       
            ENABLE_SSH_LOG = true;


     

       
87

       

       
-

       
            LEVEL = "Debug";


     

       
88

       

       
-

       
          };


     

       

       
79

       
+

       
              log = {


     

       

       
80

       
+

       
                ENABLE_SSH_LOG = true;


     

       

       
81

       
+

       
                LEVEL = "Debug";


     

       

       
82

       
+

       
              };


     

       
89

       
83

       
 

       



     

       
90

       

       
-

       
          mailer = {


     

       
91

       

       
-

       
            ENABLED = false;


     

       
92

       

       
-

       
          };


     

       

       
84

       
+

       
              mailer = {


     

       

       
85

       
+

       
                ENABLED = false;


     

       

       
86

       
+

       
              };


     

       
93

       
87

       
 

       



     

       
94

       

       
-

       
          migrations = {


     

       
95

       

       
-

       
            ALLOW_LOCALNETWORKS = true;


     

       
96

       

       
-

       
          };


     

       

       
88

       
+

       
              migrations = {


     

       

       
89

       
+

       
                ALLOW_LOCALNETWORKS = true;


     

       

       
90

       
+

       
              };


     

       
97

       
91

       
 

       



     

       
98

       

       
-

       
          picture = {


     

       
99

       

       
-

       
            AVATAR_MAX_FILE_SIZE = 5242880;


     

       
100

       

       
-

       
            ENABLE_FEDERATED_AVATAR = true;


     

       
101

       

       
-

       
          };


     

       

       
92

       
+

       
              picture = {


     

       

       
93

       
+

       
                AVATAR_MAX_FILE_SIZE = 5242880;


     

       

       
94

       
+

       
                ENABLE_FEDERATED_AVATAR = true;


     

       

       
95

       
+

       
              };


     

       
102

       
96

       
 

       



     

       
103

       

       
-

       
          repository = {


     

       
104

       

       
-

       
            DEFAULT_BRANCH = "main";


     

       
105

       

       
-

       
            ENABLE_PUSH_CREATE_ORG = true;


     

       
106

       

       
-

       
            ENABLE_PUSH_CREATE_USER = true;


     

       
107

       

       
-

       
            PREFERRED_LICENSES = "GPL-3.0";


     

       
108

       

       
-

       
          };


     

       

       
97

       
+

       
              repository = {


     

       

       
98

       
+

       
                DEFAULT_BRANCH = "main";


     

       

       
99

       
+

       
                ENABLE_PUSH_CREATE_ORG = true;


     

       

       
100

       
+

       
                ENABLE_PUSH_CREATE_USER = true;


     

       

       
101

       
+

       
                PREFERRED_LICENSES = "GPL-3.0";


     

       

       
102

       
+

       
              };


     

       
109

       
103

       
 

       



     

       
110

       

       
-

       
          security.PASSWORD_CHECK_PWN = true;


     

       

       
104

       
+

       
              security.PASSWORD_CHECK_PWN = true;


     

       
111

       
105

       
 

       



     

       
112

       

       
-

       
          server = {


     

       
113

       

       
-

       
            DOMAIN = service.vHost;


     

       
114

       

       
-

       
            HTTP_PORT = service.port;


     

       
115

       

       
-

       
            LANDING_PAGE = "explore";


     

       
116

       

       
-

       
            LFS_START_SERVER = true;


     

       
117

       

       
-

       
            ROOT_URL = "https://${service.vHost}/";


     

       
118

       

       
-

       
            DISABLE_SSH = true;


     

       
119

       

       
-

       
          };


     

       

       
106

       
+

       
              server = {


     

       

       
107

       
+

       
                DOMAIN = service.vHost;


     

       

       
108

       
+

       
                HTTP_PORT = service.port;


     

       

       
109

       
+

       
                LANDING_PAGE = "explore";


     

       

       
110

       
+

       
                LFS_START_SERVER = true;


     

       

       
111

       
+

       
                ROOT_URL = "https://${service.vHost}/";


     

       

       
112

       
+

       
                DISABLE_SSH = true;


     

       

       
113

       
+

       
              };


     

       
120

       
114

       
 

       



     

       
121

       

       
-

       
          service = {


     

       
122

       

       
-

       
            ALLOW_ONLY_INTERNAL_REGISTRATION = true;


     

       
123

       

       
-

       
            DISABLE_REGISTRATION = true;


     

       
124

       

       
-

       
            ENABLE_NOTIFY_MAIL = true;


     

       
125

       

       
-

       
          };


     

       

       
115

       
+

       
              service = {


     

       

       
116

       
+

       
                ALLOW_ONLY_INTERNAL_REGISTRATION = true;


     

       

       
117

       
+

       
                DISABLE_REGISTRATION = true;


     

       

       
118

       
+

       
                ENABLE_NOTIFY_MAIL = true;


     

       

       
119

       
+

       
              };


     

       
126

       
120

       
 

       



     

       
127

       

       
-

       
          session.COOKIE_SECURE = true;


     

       

       
121

       
+

       
              session.COOKIE_SECURE = true;


     

       
128

       
122

       
 

       



     

       
129

       

       
-

       
          storage = {


     

       
130

       

       
-

       
            STORAGE_TYPE = "local";


     

       
131

       

       
-

       
            PATH = "/var/lib/forgejo/data";


     

       
132

       

       
-

       
          };


     

       

       
123

       
+

       
              storage = {


     

       

       
124

       
+

       
                STORAGE_TYPE = "local";


     

       

       
125

       
+

       
                PATH = "/var/lib/forgejo/data";


     

       

       
126

       
+

       
              };


     

       
133

       
127

       
 

       



     

       
134

       

       
-

       
          ui.DEFAULT_THEME = "forgejo-auto";


     

       

       
128

       
+

       
              ui.DEFAULT_THEME = "forgejo-auto";


     

       
135

       
129

       
 

       



     

       
136

       

       
-

       
          "ui.meta" = {


     

       
137

       

       
-

       
            AUTHOR = "Ayla";


     

       
138

       

       
-

       
            DESCRIPTION = "i can't set up ssh via cloudflare tunnels!";


     

       
139

       

       
-

       
            KEYWORDS = "git,source code,forge,forĝejo,aylac";


     

       

       
130

       
+

       
              "ui.meta" = {


     

       

       
131

       
+

       
                AUTHOR = "Ayla";


     

       

       
132

       
+

       
                DESCRIPTION = "i can't set up ssh via cloudflare tunnels!";


     

       

       
133

       
+

       
                KEYWORDS = "git,source code,forge,forgejo,aylac";


     

       

       
134

       
+

       
              };


     

       

       
135

       
+

       
            };


     

       
140

       
136

       
 

       
          };


     

       
141

       
137

       
 

       
        };


     

       

       
138

       
+

       



     

       

       
139

       
+

       
        systemd.services.forgejo = lib.mkIf (cfg.db


     

       

       
140

       
+

       
          == "postgresql") {


     

       

       
141

       
+

       
          after = lib.mkForce ["network.target" "forgejo-secrets.service"];


     

       

       
142

       
+

       
          requires = lib.mkForce ["forgejo-secrets.service"];


     

       

       
143

       
+

       
        };


     

       

       
144

       
+

       



     

       

       
145

       
+

       
        system.stateVersion = "25.11";


     

       
142

       
146

       
 

       
      };


     

       
143

       
147

       
 

       
    };


     

       
144

       
148

       
 

       
  };
+2 -2
modules/nixos/services/glance/default.nix 
···

       
80

       
80

       
 

       
                      sites = [


     

       
81

       
81

       
 

       
                        {


     

       
82

       
82

       
 

       
                          title = "Vaultwarden";


     

       
83

       

       
-

       
                          url = "https://${aylac-top.networkMap.vaultwarden.vHost}/";


     

       
84

       

       
-

       
                          check-url = "http://${aylac-top.networkMap.vaultwarden.hostName}:${toString aylac-top.networkMap.vaultwarden.port}/";


     

       

       
83

       
+

       
                          url = "https://${tailnet.networkMap.vaultwarden.vHost}/";


     

       

       
84

       
+

       
                          check-url = "http://${tailnet.networkMap.vaultwarden.hostName}:${toString tailnet.networkMap.vaultwarden.port}/";


     

       
85

       
85

       
 

       
                          icon = "di:vaultwarden";


     

       
86

       
86

       
 

       
                        }


     

       
87

       
87

       
 

       
                        {
+11 -2
modules/nixos/services/miniflux/default.nix 
···

       
21

       
21

       
 

       
  };


     

       
22

       
22

       
 

       



     

       
23

       
23

       
 

       
  config = lib.mkIf cfg.enable {


     

       
24

       

       
-

       
    age.secrets.miniflux.file = "${self.inputs.secrets}/miniflux.age";


     

       

       
24

       
+

       
    age.secrets = {


     

       

       
25

       
+

       
      miniflux.file = "${self.inputs.secrets}/miniflux.age";


     

       

       
26

       
+

       
      postgresMiniflux.file = "${self.inputs.secrets}/postgres/miniflux.age";


     

       

       
27

       
+

       
    };


     

       

       
28

       
+

       



     

       

       
29

       
+

       
    myNixOS.services.postgresql = {


     

       

       
30

       
+

       
      enable = true;


     

       

       
31

       
+

       
      databases = ["miniflux"];


     

       

       
32

       
+

       
    };


     

       
25

       
33

       
 

       



     

       
26

       
34

       
 

       
    services = {


     

       
27

       
35

       
 

       
      caddy.virtualHosts."${service.vHost}".extraConfig = lib.mkIf cfg.autoProxy ''


     
···

       
33

       
41

       
 

       
      miniflux = {


     

       
34

       
42

       
 

       
        enable = true;


     

       
35

       
43

       
 

       
        adminCredentialsFile = config.age.secrets.miniflux.path;


     

       

       
44

       
+

       
        createDatabaseLocally = false;


     

       
36

       
45

       
 

       
        config = {


     

       
37

       
46

       
 

       
          BATCH_SIZE = 100;


     

       
38

       
47

       
 

       
          CLEANUP_FREQUENCY_HOURS = 48;


     

       
39

       
48

       
 

       
          LISTEN_ADDR = "${service.hostName}:${toString service.port}";


     

       
40

       
49

       
 

       
          BASE_URL = "https://${service.vHost}";


     

       
41

       

       
-

       
          WEBAUTHN = 1;


     

       

       
50

       
+

       
          DATABASE_URL = ''user=miniflux dbname=miniflux sslmode=disable'';


     

       
42

       
51

       
 

       
        };


     

       
43

       
52

       
 

       
      };


     

       
44

       
53

       
 

       
    };
+33 -28
modules/nixos/services/ntfy/default.nix 
···

       
20

       
20

       
 

       
  };


     

       
21

       
21

       
 

       



     

       
22

       
22

       
 

       
  config = lib.mkIf cfg.enable {


     

       
23

       

       
-

       
    services = {


     

       
24

       

       
-

       
      cloudflared.tunnels."${network.cloudflareTunnel}".ingress = lib.mkIf cfg.autoProxy {


     

       
25

       

       
-

       
        "${service.vHost}" = "http://${service.hostName}:${toString service.port}";


     

       
26

       

       
-

       
      };


     

       

       
23

       
+

       
    services.cloudflared.tunnels."${network.cloudflareTunnel}".ingress = lib.mkIf cfg.autoProxy {


     

       

       
24

       
+

       
      "${service.vHost}" = "http://${service.hostName}:${toString service.port}";


     

       

       
25

       
+

       
    };


     

       
27

       
26

       
 

       



     

       
28

       

       
-

       
      ntfy-sh = {


     

       
29

       

       
-

       
        enable = true;


     

       
30

       

       
-

       
        user = "ntfy";


     

       
31

       

       
-

       
        group = "ntfy";


     

       
32

       

       
-

       
        settings = {


     

       
33

       

       
-

       
          listen-http = ":${toString service.port}";


     

       
34

       

       
-

       
          base-url = "https://${service.vHost}";


     

       
35

       

       
-

       
          cache-duration = "30d";


     

       
36

       

       
-

       
          cache-startup-queries = ''


     

       
37

       

       
-

       
            pragma journal_mode = WAL;


     

       
38

       

       
-

       
            pragma synchronous = normal;


     

       
39

       

       
-

       
            pragma temp_store = memory;


     

       
40

       

       
-

       
          '';


     

       
41

       

       
-

       
          behind-proxy = true;


     

       
42

       

       
-

       
          auth-default-access = "deny-all";


     

       
43

       

       
-

       
          auth-users = [


     

       
44

       

       
-

       
            "ayla:$2a$10$hh05DMOuVQ3Zf67Rn8VUl.HYUop/.90V04IhNPmOsSYh9FSHCbL1K:admin"


     

       
45

       

       
-

       
            "auto:$2a$10$w7EDB/6orrpM9JVBqu4jHeBKvXliA4jvRI7Nd.fn.Fo4rGTHD50ju:user"


     

       
46

       

       
-

       
          ];


     

       
47

       

       
-

       
          auth-access = [


     

       
48

       

       
-

       
            "everyone:up*:wo"


     

       
49

       

       
-

       
            "auto:*:wo"


     

       
50

       

       
-

       
            "everyone:message-to-ayla:wo"


     

       
51

       

       
-

       
          ];


     

       

       
27

       
+

       
    containers.ntfy = {


     

       

       
28

       
+

       
      autoStart = true;


     

       

       
29

       
+

       
      config = {


     

       

       
30

       
+

       
        services.ntfy-sh = {


     

       

       
31

       
+

       
          enable = true;


     

       

       
32

       
+

       
          user = "ntfy";


     

       

       
33

       
+

       
          group = "ntfy";


     

       

       
34

       
+

       
          settings = {


     

       

       
35

       
+

       
            listen-http = ":${toString service.port}";


     

       

       
36

       
+

       
            base-url = "https://${service.vHost}";


     

       

       
37

       
+

       
            cache-duration = "30d";


     

       

       
38

       
+

       
            cache-startup-queries = ''


     

       

       
39

       
+

       
              pragma journal_mode = WAL;


     

       

       
40

       
+

       
              pragma synchronous = normal;


     

       

       
41

       
+

       
              pragma temp_store = memory;


     

       

       
42

       
+

       
            '';


     

       

       
43

       
+

       
            behind-proxy = true;


     

       

       
44

       
+

       
            auth-default-access = "deny-all";


     

       

       
45

       
+

       
            auth-users = [


     

       

       
46

       
+

       
              "ayla:$2a$10$hh05DMOuVQ3Zf67Rn8VUl.HYUop/.90V04IhNPmOsSYh9FSHCbL1K:admin"


     

       

       
47

       
+

       
              "auto:$2a$10$w7EDB/6orrpM9JVBqu4jHeBKvXliA4jvRI7Nd.fn.Fo4rGTHD50ju:user"


     

       

       
48

       
+

       
            ];


     

       

       
49

       
+

       
            auth-access = [


     

       

       
50

       
+

       
              "everyone:up*:wo"


     

       

       
51

       
+

       
              "auto:*:wo"


     

       

       
52

       
+

       
              "everyone:message-to-ayla:wo"


     

       

       
53

       
+

       
            ];


     

       

       
54

       
+

       
          };


     

       
52

       
55

       
 

       
        };


     

       

       
56

       
+

       



     

       

       
57

       
+

       
        system.stateVersion = "25.11";


     

       
53

       
58

       
 

       
      };


     

       
54

       
59

       
 

       
    };


     

       
55

       
60

       
 

       
  };
+16 -8
modules/nixos/services/pds/default.nix 
···

       
51

       
51

       
 

       
          reverse_proxy ${service.hostName}:${toString service.port}


     

       
52

       
52

       
 

       
        }


     

       
53

       
53

       
 

       
      '';


     

       

       
54

       
+

       
    };


     

       
54

       
55

       
 

       



     

       
55

       

       
-

       
      bluesky-pds = {


     

       
56

       

       
-

       
        enable = true;


     

       
57

       

       
-

       
        environmentFiles = [config.age.secrets.pds.path];


     

       
58

       

       
-

       
        pdsadmin.enable = true;


     

       
59

       

       
-

       
        settings = {


     

       
60

       

       
-

       
          PDS_HOSTNAME = service.vHost;


     

       
61

       

       
-

       
          # PDS_BSKY_APP_VIEW_URL = "https://bsky.zeppelin.social";


     

       
62

       

       
-

       
          # PDS_BSKY_APP_VIEW_DID = "did:web:bsky.zeppelin.social";


     

       

       
56

       
+

       
    containers.pds = {


     

       

       
57

       
+

       
      autoStart = true;


     

       

       
58

       
+

       
      bindMounts."${config.age.secrets.pds.path}".isReadOnly = true;


     

       

       
59

       
+

       
      config = {


     

       

       
60

       
+

       
        services.bluesky-pds = {


     

       

       
61

       
+

       
          enable = true;


     

       

       
62

       
+

       
          environmentFiles = [config.age.secrets.pds.path];


     

       

       
63

       
+

       
          pdsadmin.enable = true;


     

       

       
64

       
+

       
          settings = {


     

       

       
65

       
+

       
            PDS_HOSTNAME = service.vHost;


     

       

       
66

       
+

       
            # PDS_BSKY_APP_VIEW_URL = "https://bsky.zeppelin.social";


     

       

       
67

       
+

       
            # PDS_BSKY_APP_VIEW_DID = "did:web:bsky.zeppelin.social";


     

       

       
68

       
+

       
          };


     

       
63

       
69

       
 

       
        };


     

       

       
70

       
+

       



     

       

       
71

       
+

       
        system.stateVersion = "25.11";


     

       
64

       
72

       
 

       
      };


     

       
65

       
73

       
 

       
    };


     

       
66

       
74

       
 

       
  };
+49
modules/nixos/services/postgresql/default.nix 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  lib,


     

       

       
3

       
+

       
  config,


     

       

       
4

       
+

       
  pkgs,


     

       

       
5

       
+

       
  self,


     

       

       
6

       
+

       
  ...


     

       

       
7

       
+

       
}: let


     

       

       
8

       
+

       
  name = "postgresql";


     

       

       
9

       
+

       
  cfg = config.myNixOS.services.${name};


     

       

       
10

       
+

       
in {


     

       

       
11

       
+

       
  options.myNixOS.services.${name} = {


     

       

       
12

       
+

       
    enable = lib.mkEnableOption "${name} server";


     

       

       
13

       
+

       
    databases = lib.mkOption {


     

       

       
14

       
+

       
      type = lib.types.listOf lib.types.str;


     

       

       
15

       
+

       
      default = {};


     

       

       
16

       
+

       
      description = "PostgreSQL databases.";


     

       

       
17

       
+

       
    };


     

       

       
18

       
+

       
  };


     

       

       
19

       
+

       



     

       

       
20

       
+

       
  config.containers.postgresql = lib.mkIf cfg.enable {


     

       

       
21

       
+

       
    autoStart = true;


     

       

       
22

       
+

       
    config = {


     

       

       
23

       
+

       
      imports = [self.nixosModules.locale-en-gb];


     

       

       
24

       
+

       



     

       

       
25

       
+

       
      services.postgresql = {


     

       

       
26

       
+

       
        enable = true;


     

       

       
27

       
+

       
        enableTCPIP = true;


     

       

       
28

       
+

       
        package = pkgs.postgresql_16;


     

       

       
29

       
+

       



     

       

       
30

       
+

       
        ensureDatabases = cfg.databases;


     

       

       
31

       
+

       
        ensureUsers =


     

       

       
32

       
+

       
          lib.map (dbName: {


     

       

       
33

       
+

       
            name = dbName;


     

       

       
34

       
+

       
            ensureDBOwnership = true;


     

       

       
35

       
+

       
          })


     

       

       
36

       
+

       
          cfg.databases;


     

       

       
37

       
+

       



     

       

       
38

       
+

       
        authentication = lib.concatStringsSep "\n" (


     

       

       
39

       
+

       
          lib.map (dbName: ''


     

       

       
40

       
+

       
            host ${dbName} ${dbName} samehost trust


     

       

       
41

       
+

       
          '')


     

       

       
42

       
+

       
          cfg.databases


     

       

       
43

       
+

       
        );


     

       

       
44

       
+

       
      };


     

       

       
45

       
+

       



     

       

       
46

       
+

       
      system.stateVersion = "25.11";


     

       

       
47

       
+

       
    };


     

       

       
48

       
+

       
  };


     

       

       
49

       
+

       
}