modules/services: update octodns, sillytavern, webserver, and workout-sync

This commit is contained in:
Joakim Repomaa
2026-02-09 15:11:13 +02:00
parent 8823354606
commit 6aa4abeead
4 changed files with 9 additions and 169 deletions


@@ -1,5 +1,6 @@
{
pkgs,
pkgs-unstable,
lib,
config,
...
@@ -47,7 +48,8 @@ let
};
default = { };
};
} // (types.ttlOptions 3600);
}
// (types.ttlOptions 3600);
};
aRecord = lib.types.submodule {
options = {
@@ -201,7 +203,7 @@ let
};
hetzner = {
class = "octodns_hetzner.HetznerProvider";
token = "env/HETZNER_API_KEY";
token = "env/HETZNER_API_TOKEN";
};
};
@@ -211,8 +213,8 @@ let
};
};
octodns = pkgs.octodns.withProviders (_: [
pkgs.octodns-providers.hetzner
octodns = pkgs-unstable.octodns.withProviders (_: [
pkgs-unstable.octodns-providers.hetzner
]);
in
{
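Review bot: The token lookup key changes from `env/HETZNER_API_KEY` to `env/HETZNER_API_TOKEN`, but the hunk does not show the unit, EnvironmentFile or secret template that exports that variable into the octodns process, so it is unclear whether the exporter side was renamed to match. As far as I recall octodns resolves `env/NAME` from the process environment only when it runs, so a stale exporter surfaces as an authentication failure at sync time rather than at build time; please point to the matching rename or add it to this commit. Moving `octodns` and `octodns-providers.hetzner` to `pkgs-unstable` also means the code handling the DNS API token now updates on a less-reviewed channel, which is worth a one-line comment such as `# tracks unstable: hetzner provider is newer there; bump deliberately` next to the `withProviders` call. The enclosing `let` block starts before and continues after this hunk.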


@@ -1,188 +1,27 @@
{
config,
lib,
pkgs-unstable,
...
}:
let
cfg = config.services.sillytavern;
fqdn = "${cfg.subdomain}.${config.networking.domain}";
defaultUser = "sillytavern";
defaultGroup = "sillytavern";
in
{
options.services.sillytavern = {
enable = lib.mkEnableOption "sillytavern";
subdomain = lib.mkOption {
type = lib.types.str;
default = "sillytavern";
};
user = lib.mkOption {
type = lib.types.str;
default = defaultUser;
description = ''
User account under which the web-application run.
'';
};
group = lib.mkOption {
type = lib.types.str;
default = defaultGroup;
description = ''
Group account under which the web-application run.
'';
};
package = lib.mkOption {
type = lib.types.package;
default = pkgs-unstable.sillytavern;
description = ''
SillyTavern package to use.
'';
};
configFile = lib.mkOption {
type = lib.types.path;
default = "${pkgs-unstable.sillytavern}/lib/node_modules/sillytavern/config.yaml";
defaultText = lib.literalExpression "\${pkgs.sillytavern}/lib/node_modules/sillytavern/config.yaml";
description = ''
Path to the SillyTavern configuration file.
'';
};
port = lib.mkOption {
type = lib.types.nullOr lib.types.port;
default = null;
example = 8045;
description = ''
Port on which SillyTavern will listen.
'';
};
listenAddressIPv4 = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
example = "127.0.0.1";
description = ''
Specific IPv4 address to listen to.
'';
};
listenAddressIPv6 = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
example = "::1";
description = ''
Specific IPv6 address to listen to.
'';
};
listen = lib.mkOption {
type = lib.types.nullOr lib.types.bool;
default = null;
example = true;
description = ''
Whether to listen on all network interfaces.
'';
};
whitelist = lib.mkOption {
type = lib.types.nullOr lib.types.bool;
default = null;
example = true;
description = ''
Enables whitelist mode.
'';
};
};
config = lib.mkIf cfg.enable {
systemd.services.sillytavern = {
description = "Silly Tavern";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
# required by sillytavern's extension manager
path = [ pkgs-unstable.git ];
environment.XDG_DATA_HOME = "%S";
serviceConfig = {
Type = "simple";
ExecStart =
let
f = x: name: lib.optional (x != null) "--${name}=${builtins.toString x}";
in
lib.concatStringsSep " " (
[
"${lib.getExe cfg.package}"
]
++ f cfg.port "port"
++ f cfg.listen "listen"
++ f cfg.listenAddressIPv4 "listenAddressIPv4"
++ f cfg.listenAddressIPv6 "listenAddressIPv6"
++ f cfg.whitelist "whitelist"
);
User = cfg.user;
Group = cfg.group;
Restart = "always";
StateDirectory = "SillyTavern";
BindPaths = [
"%S/SillyTavern/extensions:${cfg.package}/lib/node_modules/sillytavern/public/scripts/extensions/third-party"
];
# Security hardening
CapabilityBoundingSet = [ "" ];
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
};
};
users.users.${cfg.user} = lib.mkIf (cfg.user == defaultUser) {
description = "sillytavern service user";
isSystemUser = true;
inherit (cfg) group;
};
users.groups.${cfg.group} = lib.mkIf (cfg.group == defaultGroup) { };
systemd.tmpfiles.settings.sillytavern = {
"/var/lib/SillyTavern/data".d = {
mode = "0700";
inherit (cfg) user group;
};
"/var/lib/SillyTavern/extensions".d = {
mode = "0700";
inherit (cfg) user group;
};
"/var/lib/SillyTavern/config.yaml"."L+" = {
mode = "0600";
argument = cfg.configFile;
inherit (cfg) user group;
};
};
services.webserver = {
enable = lib.mkDefault true;
vHosts.${fqdn} = {
tailscaleAuth = true;
proxyBuffering = false;
locations."/" = {
proxyPort = cfg.port;
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
'';
};
locations."/".proxyPort = cfg.port;
};
};
};
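Review bot: The rendered view loses the +/- markers, but the diffstat (188 → 27 lines) indicates the systemd unit with its sandboxing (`CapabilityBoundingSet = [ "" ]`, `NoNewPrivileges = true`, `ProtectSystem = "strict"`, `ProtectHome = true`) and the 0600/0700 tmpfiles rules for `config.yaml`, `data` and `extensions` no longer live in this module, and nothing in the hunk shows where the service is now declared. If the unit now comes from an upstream module, please confirm it carries equivalent hardening and still keeps the listener off public interfaces, since the only access control visible here is the nginx vhost's `tailscaleAuth = true`, which does not protect a directly reachable `cfg.port`. The one-line `locations."/".proxyPort = cfg.port;` also appears to replace the block that set `proxy_set_header Upgrade $http_upgrade;` and `proxy_set_header Connection "upgrade";`; if SillyTavern still relies on WebSocket upgrades through nginx, keep that `extraConfig` alongside `proxyPort` or note in a comment why it is no longer needed.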


@@ -77,7 +77,6 @@ in
recommendedTlsSettings = true;
recommendedBrotliSettings = true;
recommendedGzipSettings = true;
recommendedZstdSettings = true;
recommendedOptimisation = true;
tailscaleAuth = {


@@ -9,7 +9,7 @@ let
cfg = config.services.workout-sync;
fqdn = "${cfg.subdomain}.${config.networking.domain}";
port = cfg.port;
workout-sync = inputs.workout-sync.packages.${pkgs.system}.default;
workout-sync = inputs.workout-sync.packages.${pkgs.stdenv.hostPlatform.system}.default;
in
{
options.services.workout-sync = {