muon/flake
1
0
Fork 0
mirror of https://codeberg.org/muon/home.git synced 2026-03-08 03:25:16 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add embedded syntax hl

Browse source
This commit is contained in:
muon 2025-12-26 10:48:31 +00:00
parent 5bdf9e3a2c
commit fc14a394aa
5 changed files with 284 additions and 250 deletions
Download patch file Download diff file Expand all files Collapse all files

2
README.md
View file

@ -25,7 +25,7 @@ sudo cp {/mnt,/mnt/persist}/etc/machine-id
## Erasure ## Erasure
```nix ```nix
boot.initrd.postResumeCommands = lib.mkAfter '' boot.initrd.postResumeCommands = lib.mkAfter /* bash */ ''
mkdir /btrfs_tmp mkdir /btrfs_tmp
mount /dev/mapper/crypted /btrfs_tmp mount /dev/mapper/crypted /btrfs_tmp
if [[ -e /btrfs_tmp/root ]]; then if [[ -e /btrfs_tmp/root ]]; then

8
modules/home/desktop/development.nix
View file

@ -12,7 +12,9 @@
programs.nyxt = { programs.nyxt = {
enable = false; enable = false;
config = '' config =
# lisp
''
(in-package #:nyxt-user) (in-package #:nyxt-user)
(defvar *my-search-engines* (defvar *my-search-engines*
@ -73,7 +75,9 @@
hm = "https://home-manager-options.extranix.com/?release=master&query={}"; hm = "https://home-manager-options.extranix.com/?release=master&query={}";
}; };
extraConfig = '' extraConfig =
# py
''
host = c.content.blocking.hosts.lists.append host = c.content.blocking.hosts.lists.append
host("https://www.github.developerdan.com/hosts/lists/facebook-extended.txt") host("https://www.github.developerdan.com/hosts/lists/facebook-extended.txt")

16
modules/nixos/impermanence.nix
View file

@ -1,14 +1,22 @@
{ pkgs, lib, config, ... }: {
pkgs,
lib,
config,
...
}:
with lib; { with lib; {
options.mods.impermanence.enable = mkEnableOption "enables impermanence"; options.mods.impermanence.enable = mkEnableOption "enables impermanence";
config = mkIf config.mods.impermanence.enable { config = mkIf config.mods.impermanence.enable {
environment.persistence."/persist" = { environment.persistence."/persist" = {
directories = [ "/var/lib/nixos" "/var/lib/systemd/coredump" ]; directories = ["/var/lib/nixos" "/var/lib/systemd/coredump"];
files = [ "/var/lib/sops-nix/key.txt" "/etc/machine-id" ]; files = ["/var/lib/sops-nix/key.txt" "/etc/machine-id"];
}; };
boot.initrd.postResumeCommands = lib.mkAfter '' boot.initrd.postResumeCommands =
lib.mkAfter # sh
''
mkdir /btrfs_tmp mkdir /btrfs_tmp
mount /dev/mapper/crypted /btrfs_tmp mount /dev/mapper/crypted /btrfs_tmp
if [[ -e /btrfs_tmp/root ]]; then if [[ -e /btrfs_tmp/root ]]; then

71
modules/nixos/server/grav/service.nix
View file

@ -1,10 +1,20 @@
{ config, lib, pkgs, ... }: {
config,
let lib,
pkgs,
inherit (lib) ...
generators mapAttrs mkDefault mkEnableOption mkIf mkPackageOption mkOption }: let
types; inherit
(lib)
generators
mapAttrs
mkDefault
mkEnableOption
mkIf
mkPackageOption
mkOption
types
;
cfg = config.mods.services.grav; cfg = config.mods.services.grav;
@ -12,9 +22,9 @@ let
poolName = "grav"; poolName = "grav";
pkgs_grav = pkgs.callPackage ./package.nix { }; pkgs_grav = pkgs.callPackage ./package.nix {};
servedRoot = pkgs.runCommand "grav-served-root" { } '' servedRoot = pkgs.runCommand "grav-served-root" {} ''
cp --reflink=auto --no-preserve=mode -r ${pkgs_grav} $out cp --reflink=auto --no-preserve=mode -r ${pkgs_grav} $out
for p in assets images user system/config; do for p in assets images user system/config; do
@ -22,10 +32,8 @@ let
ln -sf /var/lib/grav/$p $out/$p ln -sf /var/lib/grav/$p $out/$p
done done
''; '';
# systemSettingsYaml = # systemSettingsYaml =
# yamlFormat.generate "grav-settings.yaml" cfg.systemSettings; # yamlFormat.generate "grav-settings.yaml" cfg.systemSettings;
in { in {
options.mods.services.grav = { options.mods.services.grav = {
enable = mkEnableOption "grav"; enable = mkEnableOption "grav";
@ -70,7 +78,7 @@ in {
default = 3000; default = 3000;
}; };
phpPackage = mkPackageOption pkgs "php" { }; phpPackage = mkPackageOption pkgs "php" {};
maxUploadSize = mkOption { maxUploadSize = mkOption {
type = types.str; type = types.str;
@ -97,7 +105,10 @@ in {
group = "grav"; group = "grav";
phpPackage = cfg.phpPackage.buildEnv { phpPackage = cfg.phpPackage.buildEnv {
extensions = { all, enabled }: extensions = {
all,
enabled,
}:
with all; [ with all; [
apcu apcu
ctype ctype
@ -115,8 +126,9 @@ in {
zip zip
]; ];
extraConfig = generators.toKeyValue { extraConfig =
mkKeyValue = generators.mkKeyValueDefault { } " = "; generators.toKeyValue {
mkKeyValue = generators.mkKeyValueDefault {} " = ";
} { } {
output_buffering = "0"; output_buffering = "0";
short_open_tag = "Off"; short_open_tag = "Off";
@ -169,10 +181,12 @@ in {
${cfg.virtualHost} = { ${cfg.virtualHost} = {
root = "${servedRoot}"; root = "${servedRoot}";
listen = [{ listen = [
{
addr = cfg.addr; addr = cfg.addr;
port = cfg.port; port = cfg.port;
}]; }
];
locations = { locations = {
"= /robots.txt" = { "= /robots.txt" = {
@ -202,8 +216,7 @@ in {
}; };
# deny running scripts inside core system folders # deny running scripts inside core system folders
"~* /(system|vendor)/.*\\.(txt|xml|md|html|htm|shtml|shtm|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$" = "~* /(system|vendor)/.*\\.(txt|xml|md|html|htm|shtml|shtm|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$" = {
{
priority = 300; priority = 300;
extraConfig = '' extraConfig = ''
return 403; return 403;
@ -211,8 +224,7 @@ in {
}; };
# deny running scripts inside user folder # deny running scripts inside user folder
"~* /user/.*\\.(txt|md|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$" = "~* /user/.*\\.(txt|md|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$" = {
{
priority = 300; priority = 300;
extraConfig = '' extraConfig = ''
return 403; return 403;
@ -220,8 +232,7 @@ in {
}; };
# deny access to specific files in the root folder # deny access to specific files in the root folder
"~ /(LICENSE\\.txt|composer\\.lock|composer\\.json|nginx\\.conf|web\\.config|htaccess\\.txt|\\.htaccess)" = "~ /(LICENSE\\.txt|composer\\.lock|composer\\.json|nginx\\.conf|web\\.config|htaccess\\.txt|\\.htaccess)" = {
{
priority = 300; priority = 300;
extraConfig = '' extraConfig = ''
return 403; return 403;
@ -245,7 +256,9 @@ in {
}; };
}; };
extraConfig = '' extraConfig =
# sh
''
index index.php index.html /index.php$request_uri; index index.php index.html /index.php$request_uri;
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "1; mode=block";
@ -268,8 +281,10 @@ in {
}; };
}; };
systemd.tmpfiles.rules = let datadir = "/var/lib/grav"; systemd.tmpfiles.rules = let
in map (dir: "d '${dir}' 0750 grav grav - -") [ datadir = "/var/lib/grav";
in
map (dir: "d '${dir}' 0750 grav grav - -") [
"/var/cache/grav" "/var/cache/grav"
"${datadir}/assets" "${datadir}/assets"
"${datadir}/backup" "${datadir}/backup"
@ -287,7 +302,7 @@ in {
systemd.services = { systemd.services = {
"phpfpm-${poolName}" = mkIf (cfg.pool == "${poolName}") { "phpfpm-${poolName}" = mkIf (cfg.pool == "${poolName}") {
# restartTriggers = [ servedRoot systemSettingsYaml ]; # restartTriggers = [ servedRoot systemSettingsYaml ];
restartTriggers = [ servedRoot ]; restartTriggers = [servedRoot];
serviceConfig = { serviceConfig = {
ExecStartPre = pkgs.writeShellScript "grav-pre-start" '' ExecStartPre = pkgs.writeShellScript "grav-pre-start" ''
@ -329,6 +344,6 @@ in {
group = "grav"; group = "grav";
}; };
users.groups.grav = { members = [ config.services.nginx.user ]; }; users.groups.grav = {members = [config.services.nginx.user];};
}; };
} }

31
modules/nixos/server/nginx.nix
View file

@ -1,9 +1,12 @@
{ pkgs, lib, config, ... }: {
let pkgs,
lib,
config,
...
}: let
cfg = config.mods.server.nginx; cfg = config.mods.server.nginx;
in
in with lib; { with lib; {
options.mods.server.nginx = { options.mods.server.nginx = {
enable = mkEnableOption { enable = mkEnableOption {
default = false; default = false;
@ -22,14 +25,14 @@ in with lib; {
ports = mkOption { ports = mkOption {
type = types.attrsOf (types.ints.u16); type = types.attrsOf (types.ints.u16);
default = { }; default = {};
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
# ACME won't be able to authenticate your domain # ACME won't be able to authenticate your domain
# if ports 80 & 443 aren't open in your firewall. # if ports 80 & 443 aren't open in your firewall.
networking.firewall = { allowedTCPPorts = [ 443 80 ]; }; networking.firewall = {allowedTCPPorts = [443 80];};
security.acme.defaults.email = "acme@muon.host"; security.acme.defaults.email = "acme@muon.host";
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
@ -44,7 +47,9 @@ in with lib; {
# Only allow PFS-enabled ciphers with AES256 # Only allow PFS-enabled ciphers with AES256
# sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; # sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
appendHttpConfig = '' appendHttpConfig =
# sh
''
# Add HSTS header with preloading to HTTPS requests. # Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged # Adding this header to HTTP requests is discouraged
# map $scheme $hsts_header { # map $scheme $hsts_header {
@ -96,10 +101,12 @@ in with lib; {
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
in mapAttrs' (name: port: in
nameValuePair ("${name}.${cfg.domain}") mapAttrs' (name: port:
nameValuePair "${name}.${cfg.domain}"
# (proxy port // { default = true; })) cfg.ports; # (proxy port // { default = true; })) cfg.ports;
(proxy port)) cfg.ports; (proxy port))
cfg.ports;
}; };
}; };
} }