| author | DanConwayDev <DanConwayDev@protonmail.com> | 2026-01-10 21:55:28 +0000 |
|---|---|---|
| committer | DanConwayDev <DanConwayDev@protonmail.com> | 2026-01-10 21:55:28 +0000 |
| commit | 8536be07962ee6b23ecca0f1c084db11a3c104e0 (patch) | |
| tree | eb53898684353527958a6ff3ae16c5cd19df8c56 /nix/example-configuration.nix | |
| parent | a9ff76e7e294fb54ae3a6876bca3e30ac6a5bdef (diff) | |
feat: add NixOS module for deployment
- Create nix/module.nix with comprehensive systemd service
- Support both relayOwnerNsecFile and relayOwnerNsec options
- Auto-generate nsec if neither specified
- Add security hardening (NoNewPrivileges, ProtectSystem, etc.)
- Expose as nixosModules.default and nixosModules.ngit-grasp
- Include example configuration in nix/example-configuration.nix
- Add outputHashes for nostr git dependency
Diffstat (limited to 'nix/example-configuration.nix')
| -rw-r--r-- | nix/example-configuration.nix | 60 |
1 files changed, 60 insertions, 0 deletions
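diff --git a/nix/example-configuration.nix b/nix/example-configuration.nix
new file mode 100644
index 0000000..a00d970
--- /dev/null
+++ b/nix/example-configuration.nix
@@ -0,0 +1,60 @@
+# Example NixOS configuration using ngit-grasp module
+#
+# Usage:
+# 1. Add to your server's flake.nix inputs:
+# inputs.ngit-grasp.url = "github:DanConwayDev/ngit-grasp";
+#
+# 2. Import the module in your configuration:
+# imports = [ inputs.ngit-grasp.nixosModules.default ];
+#
+# 3. Configure the service (example below)
+
+{ inputs, ... }:
+
+{
+imports = [ inputs.ngit-grasp.nixosModules.default ];
+
+services.ngit-grasp = {
+enable = true;
+domain = "ngit.danconwaydev.com";
+
+# Network
+bindAddress = "127.0.0.1";
+port = 8082; # Same port as current ngit-relay for Caddy compatibility
+
+# Storage (reuse existing persistent path pattern)
+dataDir = "/persistent/ngit-danconwaydev-com-ngit-grasp";
+
+# Identity
+relayName = "DanConwayDev's ngit-grasp";
+relayDescription = "personal instance of ngit-grasp, a Rust GRASP implementation with proactive sync";
+
+# Option 1: Use nsec file (recommended - more secure)
+relayOwnerNsecFile = "/persistent/ngit-danconwaydev-com-ngit-grasp/relay-owner.nsec";
+
+# Option 2: Inline nsec (less secure, ends up in nix store)
+# relayOwnerNsec = "nsec1...";
+
+# Option 3: Auto-generate (default if neither above is set)
+# ngit-grasp will create .relay-owner.nsec in dataDir automatically
+
+# Sync
+syncBootstrapRelayUrl = "wss://relay.ngit.dev";
+
+# Metrics
+metricsEnabled = true;
+
+# Logging
+logLevel = "info"; # Options: trace, debug, info, warn, error
+};
+
+# Caddy reverse proxy (unchanged from current setup)
+services.caddy.virtualHosts."ngit.danconwaydev.com" = {
+extraConfig = ''
+reverse_proxy 127.0.0.1:8082 {
+header_down X-Real-IP {http.request.remote}
+header_down X-Forwarded-For {http.request.remote}
+}
+'';
+};
+}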
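Review bot: The two `header_down` lines in the Caddy `reverse_proxy` block set `X-Real-IP` and `X-Forwarded-For` on the response returned to the client, not on the request forwarded to ngit-grasp, so the service on 127.0.0.1:8082 never receives the client address from them and the proxy's view of the peer is echoed back in response headers. Whether ngit-grasp reads either header is not visible here, but if per-client logging or rate limiting is intended, the line should be `header_up X-Real-IP {http.request.remote.host}` (the `.host` form omits the port), and the `X-Forwarded-For` line can be dropped because Caddy's `reverse_proxy` already sets that header on the upstream request by default. Separately, since this file is meant to be copied, the Option 2 comment could be more explicit about the exposure, e.g. `# Option 2: Inline nsec (avoid: the value is copied into the world-readable /nix/store)`.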