migrate from raffauflabs flake and drop dependency (#102)

* migrate from raffauflabs and drop dependency

* slateport/nginx: fix forĝejo url

flake.lock

@@ -568,26 +568,6 @@
         "type": "github"
       }
     },
-    "raffauflabs": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1724047987,
-        "narHash": "sha256-2be2gK4DRyPwLbddSQ5A9I9UjLM/tGrgdltrosE2AsU=",
-        "owner": "alyraffauf",
-        "repo": "raffauflabs",
-        "rev": "fd6bb8de83bb23f0724cf464fe6ac4a3f07ed831",
-        "type": "github"
-      },
-      "original": {
-        "owner": "alyraffauf",
-        "repo": "raffauflabs",
-        "type": "github"
-      }
-    },
     "root": {
       "inputs": {
         "agenix": "agenix",
@@ -599,7 +579,6 @@
         "nixpkgs": "nixpkgs",
         "nixpkgs-unstable": "nixpkgs-unstable",
         "nur": "nur",
-        "raffauflabs": "raffauflabs",
         "stylix": "stylix"
       }
     },

flake.nix

@@ -26,8 +26,8 @@
     };
 
     lanzaboote = {
-      url = "github:nix-community/lanzaboote/v0.4.1";
       inputs.nixpkgs.follows = "nixpkgs";
+      url = "github:nix-community/lanzaboote/v0.4.1";
     };
 
     nixhw = {
@@ -37,11 +37,6 @@
 
     nur.url = "github:nix-community/NUR";
 
-    raffauflabs = {
-      inputs.nixpkgs.follows = "nixpkgs";
-      url = "github:alyraffauf/raffauflabs";
-    };
-
     stylix = {
       inputs.nixpkgs.follows = "nixpkgs";
       url = "github:danth/stylix";

hosts/mauville/default.nix

@@ -6,19 +6,18 @@
   ...
 }: let
   archiveDirectory = "/mnt/Archive";
-  domain = "raffauflabs.com";
   mediaDirectory = "/mnt/Media";
 in {
   imports = [
     ./disko.nix
     ./home.nix
+    ./raffauflabs.nix
     ./secrets.nix
     ./stylix.nix
     self.inputs.nixhw.nixosModules.common-amd-cpu
     self.inputs.nixhw.nixosModules.common-amd-gpu
     self.inputs.nixhw.nixosModules.common-bluetooth
     self.inputs.nixhw.nixosModules.common-ssd
-    self.inputs.raffauflabs.nixosModules.raffauflabs
     self.nixosModules.common-auto-upgrade
     self.nixosModules.common-base
     self.nixosModules.common-locale
@@ -50,8 +49,6 @@ in {
   networking.hostName = "mauville";
 
   services = {
-    forgejo.settings.service.DISABLE_REGISTRATION = lib.mkForce true;
-
     samba = {
       enable = true;
       openFirewall = true;
@@ -94,20 +91,6 @@ in {
       enable = true;
       openFirewall = true;
     };
-
-    transmission = {
-      enable = true;
-      credentialsFile = config.age.secrets.transmission.path;
-      openFirewall = true;
-      openRPCPort = true;
-
-      settings = {
-        download-dir = mediaDirectory;
-        peer-port = 51413;
-        rpc-bind-address = "0.0.0.0";
-        rpc-port = 9091;
-      };
-    };
   };
 
   environment.variables.GDK_SCALE = "1.25";
@@ -153,39 +136,4 @@ in {
       };
     };
   };
-
-  raffauflabs = {
-    inherit domain;
-    enable = true;
-
-    containers.oci.freshRSS.enable = true;
-
-    services = {
-      audiobookshelf.enable = true;
-
-      ddclient = {
-        enable = true;
-        passwordFile = config.age.secrets.cloudflare.path;
-        protocol = "cloudflare";
-      };
-
-      forgejo.enable = true;
-
-      navidrome = {
-        enable = true;
-
-        lastfm = {
-          idFile = config.age.secrets.lastfmId.path;
-          secretFile = config.age.secrets.lastfmSecret.path;
-        };
-
-        spotify = {
-          idFile = config.age.secrets.spotifyId.path;
-          secretFile = config.age.secrets.spotifySecret.path;
-        };
-      };
-
-      plexMediaServer.enable = true;
-    };
-  };
 }

hosts/mauville/raffauflabs.nix

@@ -0,0 +1,147 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  audiobookshelf.port = 13378;
+  domain = "raffauflabs.com";
+  mediaDirectory = "/mnt/Media";
+  musicDirectory = "${mediaDirectory}/Music";
+
+  navidrome = {
+    port = 4533;
+
+    lastfm = {
+      idFile = config.age.secrets.lastfmId.path;
+      secretFile = config.age.secrets.lastfmSecret.path;
+    };
+
+    spotify = {
+      idFile = config.age.secrets.spotifyId.path;
+      secretFile = config.age.secrets.spotifySecret.path;
+    };
+  };
+
+  transmission = {
+    port = 9091;
+    bitTorrentPort = 5143;
+  };
+in {
+  services = {
+    audiobookshelf = {
+      enable = true;
+      port = audiobookshelf.port;
+    };
+
+    forgejo = {
+      enable = true;
+      lfs.enable = true;
+
+      settings = {
+        actions = {
+          ENABLED = true;
+          DEFAULT_ACTIONS_URL = "https://github.com";
+        };
+
+        cron = {
+          ENABLED = true;
+          RUN_AT_START = false;
+        };
+
+        DEFAULT.APP_NAME = "Forĝejo";
+
+        repository = {
+          DEFAULT_BRANCH = "master";
+          ENABLE_PUSH_CREATE_ORG = true;
+          ENABLE_PUSH_CREATE_USER = true;
+          PREFERRED_LICENSES = "GPL-3.0";
+        };
+
+        federation.ENABLED = true;
+        picture.ENABLE_FEDERATED_AVATAR = true;
+        security.PASSWORD_CHECK_PWN = true;
+
+        server = {
+          LANDING_PAGE = "explore";
+          ROOT_URL = "https://git.${domain}/";
+        };
+
+        service = {
+          ALLOW_ONLY_INTERNAL_REGISTRATION = true;
+          DISABLE_REGISTRATION = true;
+          ENABLE_NOTIFY_MAIL = true;
+        };
+
+        session.COOKIE_SECURE = true;
+
+        ui.DEFAULT_THEME = "forgejo-auto";
+        "ui.meta" = {
+          AUTHOR = "Forĝejo @ ${domain}";
+          DESCRIPTION = "Self-hosted git forge for projects + toys.";
+          KEYWORDS = "git,source code,forge,forĝejo,aly raffauf";
+        };
+      };
+    };
+
+    plex = {
+      enable = true;
+      openFirewall = true;
+    };
+
+    transmission = {
+      enable = true;
+      credentialsFile = config.age.secrets.transmission.path;
+      openFirewall = true;
+      openRPCPort = true;
+
+      settings = {
+        download-dir = mediaDirectory;
+        peer-port = transmission.bitTorrentPort;
+        rpc-bind-address = "0.0.0.0";
+        rpc-port = transmission.port;
+      };
+    };
+  };
+
+  systemd.services.navidrome.serviceConfig = let
+    navidromeConfig = builtins.toFile "navidrome.json" (lib.generators.toJSON {} {
+      Address = "0.0.0.0";
+      DefaultTheme = "Auto";
+      MusicFolder = musicDirectory;
+      Port = navidrome.port;
+      SubsonicArtistParticipations = true;
+      UIWelcomeMessage = "Welcome to Navidrome @ ${domain}";
+      "Spotify.ID" = "@spotifyClientId@";
+      "Spotify.Secret" = "@spotifyClientSecret@";
+      "LastFM.Enabled" = true;
+      "LastFM.ApiKey" = "@lastFMApiKey@";
+      "LastFM.Secret" = "@lastFMSecret@";
+      "LastFM.Language" = "en";
+    });
+
+    navidrome-secrets = pkgs.writeShellScript "navidrome-secrets" ''
+      lastFMApiKey=$(cat "${navidrome.lastfm.idFile}")
+      lastFMSecret=$(cat "${navidrome.lastfm.secretFile}")
+      spotifyClientId=$(cat "${navidrome.spotify.idFile}")
+      spotifyClientSecret=$(cat "${navidrome.spotify.secretFile}")
+      ${pkgs.gnused}/bin/sed -e "s/@lastFMApiKey@/$lastFMApiKey/" -e "s/@lastFMSecret@/$lastFMSecret/" \
+        -e "s/@spotifyClientId@/$spotifyClientId/" -e "s/@spotifyClientSecret@/$spotifyClientSecret/" \
+        ${navidromeConfig} > /var/lib/navidrome/navidrome.json
+    '';
+  in {
+    BindReadOnlyPaths = [
+      navidrome.lastfm.idFile
+      navidrome.lastfm.secretFile
+      navidrome.spotify.idFile
+      navidrome.spotify.secretFile
+      musicDirectory
+    ];
+
+    ExecStartPre = navidrome-secrets;
+    ExecStart = lib.mkForce ''
+      ${config.services.navidrome.package}/bin/navidrome --configfile /var/lib/navidrome/navidrome.json \
+        --datafolder /var/lib/navidrome/
+    '';
+  };
+}

hosts/slateport/default.nix

@@ -2,18 +2,16 @@
   config,
   self,
   ...
-}: let
+}: {
-  domain = "raffauflabs.com";
-in {
   imports = [
     ./disko.nix
     ./home.nix
+    ./raffauflabs.nix
     ./secrets.nix
     self.inputs.nixhw.nixosModules.common-intel-cpu
     self.inputs.nixhw.nixosModules.common-intel-gpu
     self.inputs.nixhw.nixosModules.common-bluetooth
     self.inputs.nixhw.nixosModules.common-ssd
-    self.inputs.raffauflabs.nixosModules.raffauflabs
     self.nixosModules.common-auto-upgrade
     self.nixosModules.common-base
     self.nixosModules.common-locale
@@ -36,14 +34,6 @@ in {
 
   hardware.enableAllFirmware = true;
   networking.hostName = "slateport";
-
-  services.k3s = {
-    enable = true;
-    clusterInit = true;
-    role = "server";
-    tokenFile = config.age.secrets.k3s.path;
-  };
-
   system.stateVersion = "24.05";
   zramSwap.memoryPercent = 100;
 
@@ -62,15 +52,4 @@ in {
       };
     };
   };
-
-  raffauflabs = {
-    inherit domain;
-    enable = true;
-
-    services.ddclient = {
-      enable = true;
-      passwordFile = config.age.secrets.cloudflare.path;
-      protocol = "cloudflare";
-    };
-  };
 }

hosts/slateport/raffauflabs.nix

@@ -0,0 +1,132 @@
+{config, ...}: let
+  ip = "192.168.0.103";
+  domain = "raffauflabs.com";
+in {
+  networking = {
+    firewall.allowedTCPPorts = [80 443];
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "alyraffauf@fastmail.com";
+  };
+
+  services = {
+    ddclient = {
+      enable = true;
+
+      domains = [
+        "bt.${domain}"
+        "git.${domain}"
+        "music.${domain}"
+        "plex.${domain}"
+        "podcasts.${domain}"
+        domain
+      ];
+
+      interval = "10min";
+      passwordFile = config.age.secrets.cloudflare.path;
+      protocol = "cloudflare";
+      ssl = true;
+      use = "web, web=dynamicdns.park-your-domain.com/getip, web-skip='Current IP Address: '";
+      username = "token";
+      zone = domain;
+    };
+
+    fail2ban = {
+      enable = true;
+      bantime = "1h";
+    };
+
+    k3s = {
+      enable = true;
+      clusterInit = true;
+      role = "server";
+      tokenFile = config.age.secrets.k3s.path;
+    };
+
+    nginx = {
+      enable = true;
+      recommendedGzipSettings = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+
+      virtualHosts = {
+        "bt.${domain}" = {
+          enableACME = true;
+          forceSSL = true;
+
+          locations."/" = {
+            proxyPass = "${ip}:${toString 9091}";
+            proxyWebsockets = true;
+
+            extraConfig = ''
+              proxy_buffering off;
+            '';
+          };
+        };
+
+        "git.${domain}" = {
+          enableACME = true;
+          forceSSL = true;
+
+          locations."/" = {
+            proxyPass = "http://${ip}:${toString 3000}";
+
+            extraConfig = ''
+              client_max_body_size 512M;
+            '';
+          };
+        };
+
+        "music.${domain}" = {
+          enableACME = true;
+          forceSSL = true;
+
+          locations."/" = {
+            proxyPass = "${ip}:${toString 4533}";
+            proxyWebsockets = true;
+
+            extraConfig = ''
+              proxy_buffering off;
+            '';
+          };
+        };
+
+        "plex.${domain}" = {
+          enableACME = true;
+          forceSSL = true;
+
+          locations."/" = {
+            proxyPass = "${ip}:32400";
+            proxyWebsockets = true;
+
+            extraConfig = ''
+              proxy_buffering off;
+            '';
+          };
+        };
+
+        "podcasts.${domain}" = {
+          enableACME = true;
+          forceSSL = true;
+
+          locations."/" = {
+            proxyPass = "${ip}:${toString 13378}";
+
+            extraConfig = ''
+              client_max_body_size 500M;
+              proxy_buffering off;
+              proxy_redirect                      http:// https://;
+              proxy_set_header Host               $host;
+              proxy_set_header X-Forwarded-Proto  $scheme;
+              proxy_set_header Connection         "upgrade";
+              proxy_set_header Upgrade            $http_upgrade;
+              proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
+            '';
+          };
+        };
+      };
+    };
+  };
+}