faukah/nichts
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

added stuff

Browse source
This commit is contained in:
vali 2024-04-09 23:11:33 +02:00
commit 236b8c2a6b
907 changed files with 70990 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

7
nyx/modules/options/system/activation.nix Normal file
View file

@ -0,0 +1,7 @@
{lib, ...}: let
inherit (lib) mkEnableOption;
in {
options.modules.system.activation = {
diffGenerations = mkEnableOption "diff view between rebuilds";
};
}

133
nyx/modules/options/system/boot.nix Normal file
View file

@ -0,0 +1,133 @@
{
config,
lib,
pkgs,
...
}: let
inherit (lib) literalExpression mkEnableOption mkOption types;
cfg = config.modules.system.boot;
in {
# pre-boot and bootloader configurations
options.modules.system.boot = {
enableKernelTweaks = mkEnableOption "security and performance related kernel parameters";
recommendedLoaderConfig = mkEnableOption "tweaks for common bootloader configs per my liking";
loadRecommendedModules = mkEnableOption "kernel modules that accommodate for most use cases";
tmpOnTmpfs =
mkEnableOption ''
`/tmp` living on tmpfs. false means it will be cleared manually on each reboot
This option defaults to `true` if the host provides patches to the kernel package in
`boot.kernelPatches`
''
// {default = config.boot.kernelPatches == [];};
secureBoot = mkEnableOption ''
secure-boot with the necessary packages. Requires systemd-boot to be disabled
'';
silentBoot =
mkEnableOption ''
almost entirely silent boot process through `quiet` kernel parameter
''
// {default = config.modules.system.boot.plymouth.enable;};
initrd = {
enableTweaks = mkEnableOption "quality of life tweaks for the initrd stage";
optimizeCompressor = mkEnableOption ''
initrd compression algorithm optimizations for size.
Enabling this option will force initrd to use zstd (default) with
level 19 and -T0 (STDIN). This will reduce the initrd size greatly
at the cost of compression speed.
Not recommended for low-end hardware.
'';
};
kernel = mkOption {
type = with types; nullOr raw;
default = pkgs.linuxPackages_latest;
example = literalExpression "pkgs.linuxPackages_latest";
description = "The kernel to use for the system.";
};
extraModprobeConfig = mkOption {
type = types.str;
default = ''options hid_apple fnmode=1'';
description = "Extra modprobe config that will be passed to system modprobe config.";
};
extraKernelParams = mkOption {
type = with types; listOf str;
default = [];
description = "Extra kernel parameters to be added to the kernel command line.";
};
extraModulePackages = mkOption {
type = with types; listOf package;
default = [];
example = literalExpression ''with config.boot.kernelPackages; [acpi_call]'';
description = "Extra kernel modules to be loaded.";
};
loader = mkOption {
type = types.enum ["none" "grub" "systemd-boot"];
default = "none";
description = "The bootloader that should be used for the device.";
};
grub = {
device = mkOption {
type = with types; nullOr str;
default = "nodev";
description = "The device to install the bootloader to.";
};
};
plymouth = {
enable = mkEnableOption "Plymouth boot splash";
withThemes = mkEnableOption ''
Whether or not themes from https://github.com/adi1090x/plymouth-themes
should be enabled and configured
'';
pack = mkOption {
type = types.enum [1 2 3 4];
default = 3;
description = "The pack number for the theme to be selected from.";
};
theme = mkOption {
type = types.str;
default = "hud_3";
description = "The theme name from the selected theme pack";
};
};
memtest = {
enable = mkEnableOption "memtest86+";
package = mkOption {
type = types.package;
default = pkgs.memtest86plus;
description = "The memtest package to use.";
};
};
};
config = {
assertions = [
{
assertion = cfg.kernel != null;
message = ''
Your system does not specify a kernel package. This is intended behaviour
and is to avoid specifying default kernels that are not compatible with
active hardware.
To supress this error, you must set `config.modules.system.boot.kernel`
to a valid kernel package.
'';
}
];
};
}

45
nyx/modules/options/system/containers.nix Normal file
View file

@ -0,0 +1,45 @@
{
config,
lib,
...
}: let
inherit (lib) mkEnableOption mkOption types literalExpression;
cfg = config.modules.system.containers;
in {
options.modules.system.containers = {
enable = mkEnableOption "systemd-nspawn containers";
availableContainers = mkOption {
type = with types; listOf str;
default = ["alpha" "beta" "gamma"];
readOnly = true;
internal = true;
description = ''
Containers that are made available to the host system, and can freely be enabled using
the {option}`enabledContainers` option.
Do keep in mind that nspawn-containers not yet provide host isolation, and elevated privileges
inside the container can be used to escape the container and gain access to the host system.
Only enable containers that you know are properly sandboxed.
'';
};
enabledContainers = mkOption {
type = with types; listOf (enum cfg.availableContainers);
default = [];
example = literalExpression ''["alpha" "beta"]'';
description = ''
A list of enabled containers selected from the list of available containers.
Enabling a container may not always mean it will start automatically, and must
done so with care.
Container Specialization:
- alpha: Sandboxed playground for testing software, networking and builds.
- beta: Minimal container for running an ephemeral PostgreSQL database.
'';
};
};
}

128
nyx/modules/options/system/default.nix Normal file
View file

@ -0,0 +1,128 @@
{
config,
lib,
...
}: let
inherit (lib) optionals mkEnableOption mkOption types;
in {
imports = [
# configuration options for nixos activation scripts
./activation.nix
# boot/impermanence mounts
./boot.nix
./impermanence.nix
# network and overall hardening
./networking
./security.nix
./encryption.nix
# emulation and virtualization
./emulation.nix
./virtualization.nix
# package and program related options
./services
./programs
# systemd-nspawn containers
./containers.nix
];
config = {
warnings =
(optionals (config.modules.system.fs == []) [
''
You have not added any filesystems to be supported by your system. You may end up with an unbootable system!
Consider setting {option}`config.modules.system.fs` in your configuration
''
])
++ (optionals (config.modules.system.users == []) [
''
You have not added any users to be supported by your system. You may end up with an unbootable system!
Consider setting {option}`config.modules.system.users` in your configuration
''
]);
};
options.modules.system = {
mainUser = mkOption {
type = types.enum config.modules.system.users;
default = builtins.elemAt config.modules.system.users 0;
description = ''
The username of the main user for your system.
In case of a multiple systems, this will be the user with priority in ordered lists and enabled options.
'';
};
users = mkOption {
type = with types; listOf str;
default = ["notashelf"];
description = "A list of home-manager users on the system.";
};
autoLogin = mkOption {
type = types.bool;
default = false;
description = ''
Whether to enable passwordless login. This is generally useful on systems with
FDE (Full Disk Encryption) enabled. It is a security risk for systems without FDE.
'';
};
fs = mkOption {
type = with types; listOf str;
default = ["vfat" "ext4" "btrfs"]; # TODO: zfs, ntfs
description = ''
A list of filesystems available supported by the system
it will enable services based on what strings are found in the list.
It would be a good idea to keep vfat and ext4 so you can mount common external storage.
'';
};
yubikeySupport = {
enable = mkEnableOption "yubikey support";
deviceType = mkOption {
type = with types; nullOr (enum ["NFC5" "nano"]);
default = null;
description = "A list of device models to enable Yubikey support for";
};
};
sound = {
enable = mkEnableOption "sound related programs and audio-dependent programs";
};
video = {
enable = mkEnableOption "video drivers and programs that require a graphical user interface";
};
bluetooth = {
enable = mkEnableOption "bluetooth modules, drivers and configuration program(s)";
};
# should the device enable printing module and try to load common printer modules
# you might need to add more drivers to the printing module for your printer to work
printing = {
enable = mkEnableOption "printing";
extraDrivers = mkOption {
type = with types; listOf str;
default = [];
description = "A list of extra drivers to enable for printing";
};
"3d" = {
enable = mkEnableOption "3D printing suite";
extraPrograms = mkOption {
type = with types; listOf package;
default = [];
description = "A list of extra programs to enable for 3D printing";
};
};
};
};
}

29
nyx/modules/options/system/emulation.nix Normal file
View file

@ -0,0 +1,29 @@
{
pkgs,
lib,
...
}: let
inherit (lib) mkEnableOption mkOption types;
in {
options.modules.system.emulation = {
# should we enable emulation for additional architechtures?
# enabling this option will make it so that you can build for, e.g.
# aarch64 on x86_&4 and vice verse - not recommended on weaker machines
enable = mkEnableOption ''
emulation of additional arcitechtures via binfmt. Enabling this option will make it so that the system can build for
addiitonal systems such as aarc64 on x86_64 and vice versa.
'';
systems = mkOption {
type = with types; listOf str;
# default = ["x86_64-linux" "aarch64-linux" "i686-linux"];
default = builtins.filter (system: system != pkgs.system) ["aarch64-linux" "i686-linux"];
description = ''
Systems that will be emulated by the host system.
If overriding the default, you must make sure that the list of systems does not contain the same system as the host
in order to avoid an unbootable machine.
'';
};
};
}

57
nyx/modules/options/system/encryption.nix Normal file
View file

@ -0,0 +1,57 @@
{
config,
lib,
...
}: let
inherit (lib) mkEnableOption mkOption types mkIf;
in {
config = mkIf config.modules.system.encryption.enable {
warnings =
if config.modules.system.encryption.device == ""
then [
''
You have enabled LUKS encryption, but have not selected a device, you may not be able to decrypt your disk on boot.
''
]
else [];
};
options.modules.system.encryption = {
enable = mkEnableOption "LUKS encryption";
device = mkOption {
type = types.str; # this should actually be a list
default = "";
description = ''
The LUKS label for the device that will be decrypted on boot.
Currently does not support multiple devices at once.
'';
};
keyFile = mkOption {
type = with types; nullOr str;
default = null;
description = ''
The path to the keyfile that will be used to decrypt the device.
Needs to be an absolute path, and the file must exist. Set to `null`
to disable.
'';
};
keySize = mkOption {
type = types.int;
default = 4096;
description = ''
The size of the keyfile in bytes.
'';
};
fallbackToPassword = mkOption {
type = types.bool;
default = !config.boot.initrd.systemd.enable;
description = ''
Whether or not to fallback to password authentication if the keyfile
is not present.
'';
};
};
}

87
nyx/modules/options/system/impermanence.nix Normal file
View file

@ -0,0 +1,87 @@
{
config,
lib,
...
}: let
inherit (lib) mkEnableOption mkOption literalExpression;
cfg = config.modules.system.impermanence;
in {
options.modules.system.impermanence = {
enable = mkOption {
default = cfg.root.enable || cfg.home.enable;
readOnly = true;
description = ''
Internal option for deciding if Impermanence module is enabled
based on the values of `modules.system.impermanence.root.enable`
and `modules.system.impermanence.home.enable`.
'';
};
root = {
enable = mkEnableOption ''
the Impermanence module for persisting important state directories.
By default, Impermanence will not touch user's $HOME, which is not
ephemeral unlike root.
'';
extraFiles = mkOption {
default = [];
example = literalExpression ''["/etc/nix/id_rsa"]'';
description = ''
Additional files in the root to link to persistent storage.
'';
};
extraDirectories = mkOption {
default = [];
example = literalExpression ''["/var/lib/libvirt"]'';
description = ''
Additional directories in the root to link to persistent
storage.
'';
};
};
home = {
enable = mkEnableOption ''
the Impermanence module for persisting important state directories.
This option will also make user's home ephemeral, on top of the root subvolume
'';
mountDotfiles = mkOption {
default = true;
description = ''
Whether the repository with my configuration flake should be bound to a location
in $HOME after a rebuild. It will symlink ''${self} to ~/.config/nyx where I
usually put my configuration files
'';
};
extraFiles = mkOption {
default = [];
example = literalExpression ''
[
".gnupg/pubring.kbx"
".gnupg/sshcontrol"
".gnupg/trustdb.gpg"
".gnupg/random_seed"
]
'';
description = ''
Additional files in the home directory to link to persistent
storage.
'';
};
extraDirectories = mkOption {
default = [];
example = literalExpression ''[".config/gsconnect"]'';
description = ''
Additional directories in the home directory to link to
persistent storage.
'';
};
};
};
}

36
nyx/modules/options/system/networking/default.nix Normal file
View file

@ -0,0 +1,36 @@
{lib, ...}: let
inherit (lib) mkEnableOption mkOption types;
in {
imports = [
./nftables.nix
./tailscale.nix
];
options.modules.system.networking = {
nftables.enable = mkEnableOption "nftables firewall";
tarpit.enable = mkEnableOption "endlessh-go tarpit";
optimizeTcp = mkEnableOption "TCP optimizations";
wireless = {
allowImperative = mkEnableOption ''
imperative networking via wpa_cli.
Enabling this option will make it so that users in the wheel group will
be able to manage networking via wpa_cli.
'';
backend = mkOption {
type = types.enum ["iwd" "wpa_supplicant"];
default = "wpa_supplicant";
description = ''
Backend that will be used for wireless connections using either
`networking.wireless` or `networking.networkmanager.wifi.backend`
Defaults to wpa_supplicant until iwd is stable.
'';
};
};
# TODO: optionally use encrypted DNS
# encryptDns = mkOption {};
};
}

82
nyx/modules/options/system/networking/nftables.nix Normal file
View file

@ -0,0 +1,82 @@
{lib, ...}: let
inherit (lib) mkTable mkPrerouteChain mkForwardChain mkOutputChain mkInputChain mkPostrouteChain mkIngressChain;
in {
options.networking.nftables.rules = {
# man nft(8)
netdev = mkTable "netdev address family netfilter table" {
filter.ingress = mkIngressChain "netdev";
};
bridge = mkTable "bridge address family netfilter table" {
filter = {
prerouting = mkPrerouteChain "bridge";
input = mkInputChain "bridge";
forward = mkForwardChain "bridge";
output = mkOutputChain "bridge";
postrouting = mkPostrouteChain "bridge";
};
};
inet = mkTable "internet (IPv4/IPv6) address family netfilter table" {
filter = {
prerouting = mkPrerouteChain "inet";
input = mkInputChain "inet";
forward = mkForwardChain "inet";
output = mkOutputChain "inet";
postrouting = mkPostrouteChain "inet";
};
nat = {
prerouting = mkPrerouteChain "inet";
input = mkInputChain "inet";
output = mkOutputChain "inet";
postrouting = mkPostrouteChain "inet";
};
};
arp = mkTable "ARP (IPv4) address family netfilter table" {
filter = {
input = mkInputChain "arp";
output = mkOutputChain "arp";
};
};
ip = mkTable "internet (IPv4) address family netfilter table" {
filter = {
prerouting = mkPrerouteChain "ip";
input = mkInputChain "ip";
forward = mkForwardChain "ip";
output = mkOutputChain "ip";
postrouting = mkPostrouteChain "ip";
};
nat = {
prerouting = mkPrerouteChain "ip";
input = mkInputChain "ip";
output = mkOutputChain "ip";
postrouting = mkPostrouteChain "ip";
};
route.output = mkForwardChain "ip";
};
ip6 = mkTable "internet (IPv6) address family netfilter table" {
filter = {
prerouting = mkPrerouteChain "ip6";
input = mkInputChain "ip6";
forward = mkForwardChain "ip6";
output = mkOutputChain "ip6";
postrouting = mkPostrouteChain "ip6";
};
nat = {
prerouting = mkPrerouteChain "ip6";
input = mkInputChain "ip6";
output = mkOutputChain "ip6";
postrouting = mkPostrouteChain "ip6";
};
route.output = mkForwardChain "ip6";
};
};
}

76
nyx/modules/options/system/networking/tailscale.nix Normal file
View file

@ -0,0 +1,76 @@
{
config,
lib,
...
}: let
inherit (lib) mkEnableOption mkOption types;
sys = config.modules.system;
cfg = sys.networking.tailscale;
in {
options.modules.system.networking.tailscale = {
enable = mkEnableOption "Tailscale VPN";
autoLogin = mkEnableOption ''
systemd-service for bootstrapping a Tailscale connection automatically
'';
endpoint = mkOption {
type = types.str;
default = "https://hs.notashelf.dev";
description = ''
The URL of the Tailscale control server to use. In case you
would like to use a self-hosted Headscale server, such as
the default value, you may change this value accordingly.
'';
};
operator = mkOption {
type = types.str;
default = sys.mainUser;
description = ''
The name of the Tailscale operator to use. This is used to
avoid using sudo in command-line operations and if set, will
run the auto-authentication service as the specified user.
'';
};
flags = {
default = mkOption {
type = with types; listOf str;
default = ["--ssh"];
description = ''
A list of command-line flags that will be passed to the Tailscale
daemon automatically when it is started, using
{option}`config.services.tailscale.extraUpFlags`
If `isServer` is set to true, the server-specific values will be
appended to the list defined in this option.
'';
};
};
isClient = mkOption {
type = types.bool;
default = cfg.enable;
example = true;
description = ''
Whether the target host should utilize Tailscale client features";
This option is mutually exlusive with {option}`tailscale.isServer`
as they both configure Taiscale, but with different flags
'';
};
isServer = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
Whether the target host should utilize Tailscale server features.
This option is mutually exlusive with {option}`tailscale.isClient`
as they both configure Taiscale, but with different flags
'';
};
};
}

94
nyx/modules/options/system/programs/default.nix Normal file
View file

@ -0,0 +1,94 @@
{lib, ...}: let
inherit (lib) mkEnableOption mkOption types;
in {
imports = [
./gaming.nix
];
options.modules.system.programs = {
gui.enable = mkEnableOption "GUI package sets" // {default = true;};
cli.enable = mkEnableOption "CLI package sets" // {default = true;};
dev.enable = mkEnableOption "development related package sets";
libreoffice.enable = mkEnableOption "LibreOffice suite";
discord.enable = mkEnableOption "Discord messenger";
element.enable = mkEnableOption "Element Matrix client";
obs.enable = mkEnableOption "OBS Studio";
spotify.enable = mkEnableOption "Spotify music player";
thunderbird.enable = mkEnableOption "Thunderbird mail client";
vscode.enable = mkEnableOption "Visual Studio Code";
steam.enable = mkEnableOption "Steam game client";
kdeconnect.enable = mkEnableOption "KDE Connect utility";
webcord.enable = mkEnableOption "Webcord Discord client";
zathura.enable = mkEnableOption "Zathura document viewer";
nextcloud.enable = mkEnableOption "Nextcloud sync client";
rnnoise.enable = mkEnableOption "RNNoise noise suppression plugin";
noisetorch.enable = mkEnableOption "NoiseTorch noise suppression plugin";
chromium = {
enable = mkEnableOption "Chromium browser";
ungoogle = mkOption {
type = types.bool;
default = true;
description = "Enable ungoogled-chromium features";
};
};
firefox = {
enable = mkEnableOption "Firefox browser";
schizofox.enable = mkOption {
type = types.bool;
default = true;
description = "Enable Schizofox Firefox Tweaks";
};
};
editors = {
neovim.enable = mkEnableOption "Neovim text editor";
helix.enable = mkEnableOption "Helix text editor";
};
terminals = {
kitty.enable = mkEnableOption "Kitty terminal emulator";
wezterm.enable = mkEnableOption "WezTerm terminal emulator";
foot.enable = mkEnableOption "Foot terminal emulator";
};
git = {
signingKey = mkOption {
type = types.str;
default = "";
description = "The default gpg key used for signing commits";
};
};
# default program options
default = {
# what program should be used as the default terminal
terminal = mkOption {
type = types.enum ["foot" "kitty" "wezterm"];
default = "kitty";
};
fileManager = mkOption {
type = types.enum ["thunar" "dolphin" "nemo"];
default = "dolphin";
};
browser = mkOption {
type = types.enum ["firefox" "librewolf" "chromium"];
default = "firefox";
};
editor = mkOption {
type = types.enum ["neovim" "helix" "emacs"];
default = "neovim";
};
launcher = mkOption {
type = types.enum ["rofi" "wofi" "anyrun"];
default = "rofi";
};
};
};
}

24
nyx/modules/options/system/programs/gaming.nix Normal file
View file

@ -0,0 +1,24 @@
{
config,
lib,
...
}: let
inherit (lib.options) mkEnableOption;
inherit (config) modules;
prg = modules.system.programs;
in {
options.modules.system.programs.gaming = {
enable = mkEnableOption ''
packages, services and warappers required for the device to be gaming-ready.
Setting this option to true will also enable certain other options with
the option to disable them explicitly.
'';
steam.enable = mkEnableOption "Steam client" // {default = prg.gaming.enable;};
gamemode.enable = mkEnableOption "Feral-Interactive's Gamemode with userspace optimizations" // {default = prg.gaming.enable;};
gamescope.enable = mkEnableOption "Gamescope compositing manager" // {default = prg.gaming.enable;};
mangohud.enable = mkEnableOption "MangoHud overlay" // {default = prg.gaming.enable;};
};
}

138
nyx/modules/options/system/security.nix Normal file
View file

@ -0,0 +1,138 @@
{
pkgs,
lib,
...
}: let
inherit (lib) mkOption mkEnableOption types;
in {
options.modules.system.security = {
fixWebcam = mkEnableOption "the purposefully disabled webcam by un-blacklisting the related kernel module.";
fprint.enable = mkEnableOption "Fingerprint reader service";
tor.enable = mkEnableOption "Tor daemon";
usbguard.enable = mkEnableOption "USBGuard service for blocking unauthorized USB devices";
lockModules = mkEnableOption ''
kernel module locking to prevent kernel modules that are not specified in the config from being loaded
This is a highly breaking option, and will break many things including virtualization
and firewall if the required modules are not explicitly loaded in your kernel configuration.
'';
mitigations = {
disable = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
Whether to disable spectre and meltdown mitigations in the kernel. This is rather a sandbox
option than something you should consider on a production/mission critical system. Unless
you know what *exactly* you are doing, do not enable this.
'';
};
acceptRisk = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
You are either really stupid, or very knowledable. In either case,
this must be explicitly true in order to ensure users know what they are doing
when they disable security mitigations.
'';
};
};
selinux = {
enable = mkEnableOption "system SELinux support + kernel patches";
state = mkOption {
type = with types; enum ["enforcing" "permissive" "disabled"];
default = "enforcing";
description = ''
SELinux state to boot with. The default is enforcing.
'';
};
type = mkOption {
type = with types; enum ["targeted" "minimum" "mls"];
default = "targeted";
description = ''
SELinux policy type to boot with. The default is targeted.
'';
};
};
auditd = {
enable = mkEnableOption "the audit daemon.";
autoPrune = {
enable = mkEnableOption "auto-pruning of old audit logs.";
size = mkOption {
type = types.int;
default = 524288000; # roughly 500 megabytes
description = "The maximum size of the audit log in bytes. The default is 500MBs";
};
dates = mkOption {
type = types.str;
default = "daily";
example = "weekly";
description = "How often cleaning is triggered. Passed to systemd.time";
};
};
};
clamav = {
enable = mkEnableOption "ClamAV daemon.";
daemon = {
settings = mkOption {
type = with types; attrsOf (oneOf [bool int str (listOf str)]);
default = {
LogFile = "/var/log/clamd.log";
LogTime = true;
DetectPUA = true;
VirusEvent = lib.escapeShellArgs [
"${pkgs.libnotify}/bin/notify-send"
"--"
"ClamAV Virus Scan"
"Found virus: %v"
];
};
description = ''
ClamAV configuration. Refer to <https://linux.die.net/man/5/clamd.conf>,
for details on supported values.
'';
};
};
updater = {
enable = mkEnableOption "ClamAV freshclam updater";
frequency = mkOption {
type = types.int;
default = 12;
description = ''
Number of database checks per day.
'';
};
interval = mkOption {
type = types.str;
default = "hourly";
description = ''
How often freshclam is invoked. See systemd.time(7) for more
information about the format.
'';
};
settings = mkOption {
type = with types; attrsOf (oneOf [bool int str (listOf str)]);
default = {};
description = ''
freshclam configuration. Refer to <https://linux.die.net/man/5/freshclam.conf>,
for details on supported values.
'';
};
};
};
};
}

21
nyx/modules/options/system/services/bincache.nix Normal file
View file

@ -0,0 +1,21 @@
{lib, ...}: let
inherit (lib) mkModule;
in {
options.modules.system.services = {
# binary cache backends
bincache = {
harmonia = mkModule {
name = "Harmonia";
type = "binary cache";
host = "[::]";
port = 5000;
};
atticd = mkModule {
name = "Atticd";
type = "binary cache";
port = 8100;
};
};
};
}

38
nyx/modules/options/system/services/databases.nix Normal file
View file

@ -0,0 +1,38 @@
{lib, ...}: let
inherit (lib) mkModule;
in {
options.modules.system.services = {
# database backends
database = {
mysql = mkModule {
name = "MySQL";
type = "database";
port = 3306;
};
mongodb = mkModule {
name = "MongoDB";
type = "database";
port = 27017;
};
redis = mkModule {
name = "Redis";
type = "database";
port = 6379;
};
postgresql = mkModule {
name = "PostgreSQL";
type = "database";
port = 5432;
};
garage = mkModule {
name = "Garage";
type = "S3 storage";
port = 5432;
};
};
};
}

79
nyx/modules/options/system/services/default.nix Normal file
View file

@ -0,0 +1,79 @@
{lib, ...}: let
inherit (lib) mkEnableOption mkModule;
in {
imports = [
./bincache.nix
./databases.nix
./monitoring.nix
./networking.nix
./social.nix
];
options.modules.system = {
services = {
mailserver.enable = mkEnableOption "nixos-mailserver service";
mkm.enable = mkEnableOption "mkm-ticketing service";
nextcloud = mkModule {
name = "Nextcloud";
type = "cloud storage";
};
nginx = mkModule {
name = "Nginx";
type = "webserver";
};
vaultwarden = mkModule {
name = "Vaultwarden";
type = "password manager";
port = 8222;
host = "127.0.0.1";
};
forgejo = mkModule {
name = "Forgejo";
type = "forge";
port = 7000;
};
quassel = mkModule {
name = "Quassel";
type = "IRC";
port = 4242;
};
jellyfin = mkModule {
name = "Jellyfin";
type = "media";
port = 8096;
};
searxng = mkModule {
name = "Searxng";
type = "meta search engine";
port = 8888;
};
miniflux = mkModule {
name = "Miniflux";
type = "RSS reader";
};
reposilite = mkModule {
name = "Reposilite";
port = 8084;
};
elasticsearch = mkModule {
name = "Elasticsearch";
port = 9200;
};
kanidm = mkModule {
name = "Kanidm";
port = 8443;
};
};
};
}

26
nyx/modules/options/system/services/monitoring.nix Normal file
View file

@ -0,0 +1,26 @@
{
config,
lib,
...
}: let
inherit (lib) mkEnableOption;
sys = config.modules.system;
cfg = sys.services;
# mkEnableOption is the same as mkEnableOption but with the default value being equal to cfg.monitoring.enable
mkEnableOption' = desc: mkEnableOption "${desc}" // {default = cfg.monitoring.enable;};
in {
options.modules.system.services = {
# monitoring tools
# TODO: how do I mkModule those? they feature multiple host-specific parts
# that need to be adressed
monitoring = {
enable = mkEnableOption "system monitoring stack";
prometheus.enable = mkEnableOption' "Prometheus monitoring service";
grafana.enable = mkEnableOption' "Grafana monitoring service";
loki.enable = mkEnableOption' "Loki monitoring service";
uptime-kuma.enable = mkEnableOption' "Uptime Kuma monitoring service";
};
};
}

25
nyx/modules/options/system/services/networking.nix Normal file
View file

@ -0,0 +1,25 @@
{lib, ...}: let
inherit (lib) mkEnableOption mkModule;
inherit (lib.types) str;
in {
options.modules.system.services = {
# networking
networking = {
wireguard.enable = mkEnableOption "Wireguard service";
headscale = mkModule {
name = "Headscale";
type = "networking";
port = 8085;
/*
extraOptions = {
domain = mkOption {
type = str;
example = "headscale.example.com";
description = "The domain name to use for headscale";
};
};
*/
};
};
};
}

18
nyx/modules/options/system/services/social.nix Normal file
View file

@ -0,0 +1,18 @@
{lib, ...}: let
inherit (lib) mkModule;
in {
options.modules.system.services = {
# self-hosted/decentralized social networks
social = {
mastodon = mkModule {
name = "Mastodon";
type = "social";
};
matrix = mkModule {
name = "Matrix";
type = "social";
port = 8008;
};
};
};
}

13
nyx/modules/options/system/virtualization.nix Normal file
View file

@ -0,0 +1,13 @@
{lib, ...}: let
inherit (lib) mkEnableOption;
in {
options.modules.system.virtualization = {
enable = mkEnableOption "virtualization";
libvirt = {enable = mkEnableOption "libvirt";};
docker = {enable = mkEnableOption "docker";};
podman = {enable = mkEnableOption "podman";};
qemu = {enable = mkEnableOption "qemu";};
waydroid = {enable = mkEnableOption "waydroid";};
distrobox = {enable = mkEnableOption "distrobox";};
};
}