remove lots of dead code and refactor

This commit is contained in:
cy 2025-03-03 15:26:01 -05:00
parent 471434366b
commit 7f7223d85f
Signed by: cy
SSH key fingerprint: SHA256:o/geVWV4om1QhUSkKvDQeW/eAihwnjyXkqMwrVdbuts
35 changed files with 227 additions and 1616 deletions


@ -1,29 +0,0 @@
{ ... }:
{
services.adguardhome = {
enable = true;
host = "127.0.0.1";
port = 8082;
settings = {
http.port = "8083";
users = [
{
name = "cy";
password = "$2y$10$BZy2zYJj5z4e8LZCq/GwuuhWUafL/MNFO.YcsAMmpDS.2krPxi7KC";
}
];
# do not listen eveywhere cause podman runs it's own DNS
dns.bind_hosts = [
"127.0.0.1"
"::1"
"31.59.129.225"
"2a0f:85c1:840:2bfb::1"
];
};
};
services.caddy.virtualHosts."dns.cything.io".extraConfig = ''
import common
reverse_proxy localhost:8082
'';
}


@ -1,33 +0,0 @@
{ config, ... }:
{
services.atticd = {
enable = true;
environmentFile = config.sops.secrets."attic/env".path;
settings = {
listen = "[::]:8090";
api-endpoint = "https://cache.cy7.sh/";
allowed-hosts = [ "cache.cy7.sh" ];
require-proof-of-possession = false;
compression.type = "zstd";
database.url = "postgresql:///atticd?host=/run/postgresql";
storage = {
type = "s3";
region = "auto";
bucket = "attic";
endpoint = "https://e3e97aac307d106a7becea43cef8fcbd.r2.cloudflarestorage.com";
};
garbage-collection = {
default-retention-period = "2 weeks";
};
};
};
services.caddy.virtualHosts."cache.cy7.sh".extraConfig = ''
import common
reverse_proxy localhost:8090
'';
}


@ -1,40 +0,0 @@
{
pkgs,
config,
...
}:
{
virtualisation.oci-containers.containers.conduit = {
image = "ghcr.io/girlbossceo/conduwuit:main";
autoStart = true;
ports = [ "127.0.0.1:8448:8448" ];
pull = "newer";
environment = {
CONDUWUIT_SERVER_NAME = "cything.io";
CONDUWUIT_DATABASE_PATH = "/var/lib/conduwuit";
CONDUWUIT_PORT = "8448";
CONDUWUIT_MAX_REQUEST_SIZE = "20000000"; # in bytes ~20MB
CONDUWUIT_ALLOW_REGISTRATION = "false";
CONDUWUIT_ALLOW_FEDERATION = "true";
CONDUWUIT_ALLOW_CHECK_FOR_UPDATES = "true";
CONDUWUIT_TRUSTED_SERVERS = ''["matrix.org"]'';
CONDUWUIT_ADDRESS = "0.0.0.0";
# CONDUIT_CONFIG = "";
};
volumes = [
"/opt/conduit/db:/var/lib/conduwuit/"
];
networks = [ "conduit-net" ];
};
systemd.services.create-conduit-net = {
serviceConfig.Type = "oneshot";
wantedBy = with config.virtualisation.oci-containers; [
"${backend}-conduit.service"
];
script = ''
${pkgs.podman}/bin/podman network exists conduit-net || \
${pkgs.podman}/bin/podman network create conduit-net
'';
};
}


@ -71,81 +71,74 @@
system.stateVersion = "24.05";
# network stuff
networking = {
hostName = "chunk";
networkmanager.enable = true;
firewall = {
enable = true;
allowedTCPPorts = [
22
80
443
];
allowedUDPPorts = [
443
53
853
];
extraCommands =
let
ethtool = lib.getExe pkgs.ethtool;
tc = lib.getExe' pkgs.iproute2 "tc";
in
''
# disable TCP segmentation offload (https://wiki.archlinux.org/title/Advanced_traffic_control#Prerequisites)
${ethtool} -K ens18 tso off
networking.hostName = "chunk";
networking.networkmanager.enable = true;
networking.firewall = {
enable = true;
allowedTCPPorts = [
22
80
443
53
853
];
allowedUDPPorts = [
443
53
853
];
extraCommands =
let
ethtool = lib.getExe pkgs.ethtool;
tc = lib.getExe' pkgs.iproute2 "tc";
in
''
# disable TCP segmentation offload (https://wiki.archlinux.org/title/Advanced_traffic_control#Prerequisites)
${ethtool} -K ens18 tso off
# clear existing rules
${tc} qdisc del dev ens18 root || true
# clear existing rules
${tc} qdisc del dev ens18 root || true
# create HTB hierarchy
${tc} qdisc add dev ens18 root handle 1: htb default 30
${tc} class add dev ens18 parent 1: classid 1:1 htb rate 100% ceil 100%
# tailscale
${tc} class add dev ens18 parent 1:1 classid 1:10 htb rate 30% ceil 100%
# caddy
${tc} class add dev ens18 parent 1:1 classid 1:20 htb rate 30% ceil 100%
# rest
${tc} class add dev ens18 parent 1:1 classid 1:30 htb rate 40% ceil 100%
# create HTB hierarchy
${tc} qdisc add dev ens18 root handle 1: htb default 30
${tc} class add dev ens18 parent 1: classid 1:1 htb rate 100% ceil 100%
# tailscale
${tc} class add dev ens18 parent 1:1 classid 1:10 htb rate 30% ceil 100%
# caddy
${tc} class add dev ens18 parent 1:1 classid 1:20 htb rate 30% ceil 100%
# rest
${tc} class add dev ens18 parent 1:1 classid 1:30 htb rate 40% ceil 100%
# mark traffic
iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/tailscaled.service" -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/caddy.service" -j MARK --set-mark 2
# mark traffic
iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/tailscaled.service" -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -m cgroup --path "system.slice/caddy.service" -j MARK --set-mark 2
# route marked packets
${tc} filter add dev ens18 parent 1: protocol ip prio 1 handle 1 fw flowid 1:10
${tc} filter add dev ens18 parent 1: protocol ip prio 1 handle 2 fw flowid 1:20
'';
};
networking.interfaces.ens18 = {
ipv6.addresses = [
{
address = "2a0f:85c1:840:2bfb::1";
prefixLength = 64;
}
];
ipv4.addresses = [
{
address = "31.59.129.225";
prefixLength = 24;
}
];
};
networking.defaultGateway6 = {
address = "2a0f:85c1:840::1";
interface = "ens18";
};
networking.defaultGateway = {
address = "31.59.129.1";
interface = "ens18";
};
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
useXkbConfig = true;
# route marked packets
${tc} filter add dev ens18 parent 1: protocol ip prio 1 handle 1 fw flowid 1:10
${tc} filter add dev ens18 parent 1: protocol ip prio 1 handle 2 fw flowid 1:20
'';
};
interfaces.ens18 = {
ipv6.addresses = [
{
address = "2a0f:85c1:840:2bfb::1";
prefixLength = 64;
}
];
ipv4.addresses = [
{
address = "31.59.129.225";
prefixLength = 24;
}
];
};
defaultGateway6 = {
address = "2a0f:85c1:840::1";
interface = "ens18";
};
defaultGateway = {
address = "31.59.129.1";
interface = "ens18";
};
};
users.users.yt = {
@ -179,7 +172,6 @@
tmux
file
sops
attic-server
];
environment.variables = {
@ -199,28 +191,9 @@
programs.git.enable = true;
my.caddy.enable = true;
services.caddy.virtualHosts."cy7.sh" = {
serverAliases = [ "www.cy7.sh" ];
extraConfig = ''
import common
redir https://cything.io temporary
'';
};
# container stuff
virtualisation.containers.enable = true;
virtualisation.podman = {
enable = true;
# create 'docker' alias for podman, to use as
# drop-in replacement
dockerCompat = true;
defaultNetwork.settings = {
dns_enabled = true;
ipv6_enabled = true;
};
};
virtualisation.oci-containers.backend = "podman";
environment.enableAllTerminfo = true;
my.containerization.enable = true;
my.roundcube.enable = true;
my.zipline.enable = true;
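Review bot: The new-side `allowedTCPPorts` in the first hunk now opens 53 and 853 on top of the UDP 53/853 that were already allowed, yet the only DNS listener visible in this commit, `services.adguardhome` (which bound `dns.bind_hosts` to the public 31.59.129.225 and 2a0f:85c1:840:2bfb::1), is deleted in the same commit. Unless another module not shown here now provides DNS on this host, these are public-facing ports with nothing behind them, and any resolver enabled later on those addresses would be reachable from the internet without a further firewall change. Drop 53 and 853 from both `allowedTCPPorts` and `allowedUDPPorts`, or keep them with a comment naming the service that needs them, e.g. `53 853 # <service placeholder> DNS/DoT`. The same hunk keeps `iptables -t mangle ...` unqualified in `extraCommands` while `tc` and `ethtool` are resolved through `lib.getExe`; that is pre-existing, but worth aligning. The enclosing configuration attribute set starts and ends outside the hunks.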


@ -1,15 +0,0 @@
{ ... }:
{
services.deluge = {
enable = true;
web = {
enable = true;
port = 8112;
};
};
services.caddy.virtualHosts."t.cy7.sh".extraConfig = ''
import common
reverse_proxy localhost:8112
'';
}


@ -1,35 +0,0 @@
{ config, ... }:
{
services.gitlab = {
enable = true;
https = true;
host = "git.cything.io";
user = "git"; # so that you can ssh with git@git.cything.io
group = "git";
port = 443; # this *not* the port gitlab will run on
puma.workers = 0; # https://docs.gitlab.com/omnibus/settings/memory_constrained_envs.html#optimize-puma
sidekiq.concurrency = 5;
databaseUsername = "git"; # needs to be same as user
initialRootEmail = "hi@cything.io";
initialRootPasswordFile = config.sops.secrets."gitlab/root".path;
secrets = {
secretFile = config.sops.secrets."gitlab/secret".path;
otpFile = config.sops.secrets."gitlab/otp".path;
jwsFile = config.sops.secrets."gitlab/jws".path;
dbFile = config.sops.secrets."gitlab/db".path;
};
backup = {
startAt = "daily";
# we already postgresqlbackup.service
skip = [ "db" ];
keepTime = 48; # hours
};
extraConfig = {
gitlab = {
# NOTE: default_syntax_highlighting_theme needs to be set in the application_settings table in the database
default_color_mode = 2;
};
prometheus.enabled = false;
};
};
}


@ -1,8 +0,0 @@
{ ... }:
{
services.jellyfin = {
enable = true;
dataDir = "/mnt/jellyfin";
configDir = "/var/lib/jellyfin/config";
};
}


@ -39,30 +39,46 @@
registry.nixpkgs.flake = inputs.nixpkgs;
};
i18n.defaultLocale = "en_US.UTF-8";
time.timeZone = "America/New_York";
networking = {
firewall.logRefusedConnections = false;
nameservers = [
# quad9
"2620:fe::fe"
"2620:fe::9"
"9.9.9.9"
"149.112.112.112"
# quad9 (unfiltered)
"2620:fe::10"
"2620:fe::fe:10"
"9.9.9.10"
"149.112.112.110"
];
timeServers = [
# https://github.com/jauderho/nts-servers
"ntp3.fau.de"
"ntppool1.time.nl"
"nts.netnod.se"
"ptbtime1.ptb.de"
"ohio.time.system76.com"
"time.txryan.com"
"time.dfm.dk"
"time.signorini.ch"
"stratum1.time.cifelli.xyz"
"nts.teambelgium.net"
"c.st1.ntp.br"
];
};
services.chrony = {
enable = true;
enableNTS = true;
enableMemoryLocking = true;
extraConfig = ''
# Expedited Forwarding
dscp 46
# disable command port
cmdport 0
# only allow NTS
authselectmode require
# update the clock only when at least 3 sources agree on the correct time
minsources 3
'';
};
# see journald.conf(5)
services.journald.extraConfig = "MaxRetentionSec=2d";
services.thermald.enable = true;
environment.enableAllTerminfo = true;
}
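Review bot: `firewall.logRefusedConnections = false;` inside the `networking` block (new side, as far as the page shows) silences the kernel log entry for every packet the firewall refuses, which removes the only host-level record of unexpected inbound connection attempts from the journal; with `services.journald.extraConfig = "MaxRetentionSec=2d"` already bounding retention, the default could be kept, or the reason recorded inline as `firewall.logRefusedConnections = false; # <reason placeholder>`. The `nameservers` list mixes Quad9's filtered (9.9.9.9, 2620:fe::fe) and unfiltered (9.9.9.10, 2620:fe::10) endpoints; depending on which resolver the host uses, an unfiltered server may be the one answering, so the malware-domain filtering is not guaranteed and the `# quad9 (unfiltered)` comment should say whether that is intended. The chrony settings (`authselectmode require`, `cmdport 0`, `minsources 3`) are consistent with the NTS-only server list. The enclosing module attribute set starts before the hunk.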


@ -1,41 +0,0 @@
{
acme_ca https://acme.zerossl.com/v2/DV90
acme_eab {
key_id {$EAB_KEY_ID}
mac_key {$EAB_MAC_KEY}
}
}
(common) {
encode zstd gzip
header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
}
cything.io {
import common
header /.well-known/matrix/* Content-Type application/json
header /.well-known/matrix/* Access-Control-Allow-Origin *
header /.well-known/matrix/* Access-Control-Allow-Methods GET,POST,PUT,DELETE,OPTIONS,PATCH,HEAD
header /.well-known/matrix/* Access-Control-Allow-Headers X-Requested-With,Content-Type,Authorization,Origin,Accept
route {
respond /.well-known/matrix/server {"m.server":"chat.cything.io:443"}
respond /.well-known/matrix/client {"m.server":{"base_url":"https://chat.cything.io"},"m.homeserver":{"base_url":"https://chat.cything.io"},"org.matrix.msc3575.proxy":{"url":"https://chat.cything.io"}}
redir https://cy7.sh/posts{uri} permanent
}
}
www.cything.io {
import common
redir https://cything.io{uri} permanent
}
ntfy.cything.io {
import common
reverse_proxy localhost:8083
}
status.cything.io {
import common
reverse_proxy localhost:3001
}


@ -1,13 +0,0 @@
{
config,
...
}:
{
my.backup = {
enable = true;
jobName = "titanRsync";
repo = "titan";
passFile = config.sops.secrets."borg/rsyncnet".path;
sshKeyFile = config.sops.secrets."rsyncnet/id_ed25519".path;
};
}


@ -1,98 +0,0 @@
{
modulesPath,
config,
lib,
pkgs,
...
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
(modulesPath + "/profiles/qemu-guest.nix")
../common.nix
./disk-config.nix
./hardware-configuration.nix
./ghost.nix
./ntfy.nix
./uptime-kuma.nix
./backup.nix
];
sops.age.keyFile = "/root/.config/sops/age/keys.txt";
sops.secrets = {
"caddy/env" = {
sopsFile = ../../secrets/services/caddy.yaml;
};
"services/ntfy" = {
sopsFile = ../../secrets/services/ntfy.yaml;
};
"borg/rsyncnet" = {
sopsFile = ../../secrets/borg/titan.yaml;
};
"rsyncnet/id_ed25519" = {
sopsFile = ../../secrets/zh5061/titan.yaml;
};
};
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
tmp.cleanOnBoot = true;
kernelPackages = pkgs.linuxPackages_latest;
};
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyn2+OoRN4nExti+vFQ1NHEZip0slAoCH9C5/FzvgZD yt@ytnix"
];
system.stateVersion = "24.05";
environment.systemPackages = with pkgs; [
curl
git
];
# network stuff
networking.hostName = "titan";
networking.networkmanager.enable = true;
networking.firewall = {
enable = true;
allowedTCPPorts = [
22
80
443
];
allowedUDPPorts = [
443
];
};
# container stuff
virtualisation.containers.enable = true;
virtualisation.podman = {
enable = true;
# create 'docker' alias for podman, to use as
# drop-in replacement
dockerCompat = true;
defaultNetwork.settings = {
dns_enabled = true;
ipv6_enabled = true;
};
};
virtualisation.oci-containers.backend = "podman";
services.caddy = {
enable = true;
configFile = ./Caddyfile;
environmentFile = config.sops.secrets."caddy/env".path;
logFormat = lib.mkForce "level INFO";
};
}


@ -1,33 +0,0 @@
{
disko.devices = {
disk = {
main = {
device = "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
ESP = {
type = "EF00";
size = "500M";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
root = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
};
}


@ -1,52 +0,0 @@
{
pkgs,
config,
...
}:
{
virtualisation.oci-containers.containers.ghost = {
image = "ghost:5-alpine";
autoStart = true;
ports = [ "127.0.0.1:8084:2368" ];
pull = "newer";
environment = {
database__client = "mysql";
database__connection__host = "ghost-db";
database__connection__user = "root";
database__connection__password = "example";
database__connection__database = "ghost";
url = "https://cything.io";
NODE_ENV = "production";
};
volumes = [
"/opt/ghost/data:/var/lib/ghost/content"
];
networks = [ "ghost-net" ];
dependsOn = [ "ghost-db" ];
};
virtualisation.oci-containers.containers.ghost-db = {
image = "mysql:8.0";
autoStart = true;
pull = "newer";
environment = {
MYSQL_ROOT_PASSWORD = "example";
};
volumes = [
"/opt/ghost/db:/var/lib/mysql"
];
networks = [ "ghost-net" ];
};
systemd.services.create-ghost-net = {
serviceConfig.Type = "oneshot";
wantedBy = with config.virtualisation.oci-containers; [
"${backend}-ghost.service"
"${backend}-ghost-db.service"
];
script = ''
${pkgs.podman}/bin/podman network exists ghost-net || \
${pkgs.podman}/bin/podman network create ghost-net
'';
};
}


@ -1,26 +0,0 @@
# Do not modify this file! It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
lib,
...
}:
{
imports = [ ];
boot.initrd.availableKernelModules = [ "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eth0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
virtualisation.hypervGuest.enable = true;
}


@ -1,13 +0,0 @@
{ ... }:
{
services.ntfy-sh = {
enable = true;
settings = {
listen-http = "127.0.0.1:8083";
base-url = "https://ntfy.cything.io";
upstream-base-url = "https://ntfy.sh";
auth-default-access = "deny-all";
behind-proxy = true;
};
};
}


@ -1,9 +0,0 @@
{ ... }:
{
# data stored at /var/lib/uptime-kuma/ but does not expose
# an option to change it
services.uptime-kuma = {
enable = true;
settings.PORT = "3001";
};
}


@ -37,10 +37,9 @@
loader = {
# lanzaboote replaces systemd-boot
systemd-boot.enable = lib.mkForce false;
efi.canTouchEfiVariables = false; # toggle when installing
efi.canTouchEfiVariables = true;
};
tmp.cleanOnBoot = true;
# upgrade after https://github.com/tomaspinho/rtl8821ce/issues/356 is fixed
kernelPackages = pkgs.linuxKernel.packages.linux_zen;
extraModulePackages = with config.boot.kernelPackages; [
rtl8821ce
@ -145,36 +144,25 @@
tmux
vim
wget
neovim
git
python3
wl-clipboard
# mako # sway config uses this
tree
kitty
borgbackup
brightnessctl
alsa-utils
nixd
bluetuith
libimobiledevice
pass-wayland
htop
file
dnsutils
q
age
compsize
wireguard-tools
traceroute
sops
restic
haskell-language-server
ghc
sbctl # secure boot
wine-wayland
wine64
solaar
gtk3
lm_sensors
sshfs
openssl
just
];
environment.sessionVariables = {
@ -196,11 +184,13 @@
};
};
fonts.packages = with pkgs; [
nerd-fonts.roboto-mono
ibm-plex
];
fonts.enableDefaultPackages = true;
fonts = {
packages = with pkgs; [
nerd-fonts.roboto-mono
ibm-plex
];
enableDefaultPackages = true;
};
hardware.enableAllFirmware = true;
hardware.bluetooth = {
@ -253,8 +243,9 @@
hardware.steam-hardware.enable = true;
services.logind = {
lidSwitch = "hibernate";
powerKey = "hibernate";
lidSwitch = "suspend";
powerKey = "poweroff";
suspendKey = "hibernate";
};
xdg.mime.defaultApplications = {
@ -263,31 +254,18 @@
"*/html" = "chromium-browser.desktop";
};
programs.thunar = {
enable = true;
plugins = with pkgs.xfce; [
thunar-archive-plugin
thunar-volman
];
};
# preference changes don't work in thunar without this
programs.xfconf.enable = true;
# mount, trash and stuff in thunar
services.gvfs.enable = true;
# thumbnails in thunar
services.tumbler.enable = true;
virtualisation = {
libvirtd.enable = true;
docker.enable = true;
};
programs.virt-manager.enable = true;
my.containerization.enable = true;
services.usbmuxd.enable = true;
programs.nix-ld.dev = {
enable = true;
# nix run github:thiagokokada/nix-alien#nix-alien-find-libs ./<binary>
libraries = with pkgs; [
# TODO: revisit what we actually need
mesa
extest
stdenv.cc.cc
@ -359,6 +337,7 @@
enable = true;
plugins = with pkgs.obs-studio-plugins; [
wlrobs
obs-pipewire-audio-capture
];
};
@ -382,12 +361,6 @@
SUBSYSTEM=="usb", SYSFS{idVendor}=="090c", SYSFS{idProduct}=="1000", ACTION=="add", GROUP="users", MODE="0664"
'';
programs.ssh = {
askPassword = "${pkgs.seahorse}/libexec/seahorse/ssh-askpass";
startAgent = true;
enableAskPassword = true;
};
services.desktopManager.plasma6 = {
enable = true;
enableQt5Integration = true;
@ -403,11 +376,6 @@
programs.kdeconnect.enable = true;
programs.dconf.enable = true;
programs.java = {
enable = true;
binfmt = true;
};
programs.ccache.enable = true;
nix.settings.extra-sandbox-paths = [ config.programs.ccache.cacheDir ];
}
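Review bot: In the `services.logind` hunk the lid action moves from `"hibernate"` to `"suspend"` on the new side, which keeps RAM powered and resident while the laptop is closed; if the root filesystem is encrypted (not visible on this page, but the host uses lanzaboote and secure boot), the disk-encryption keys stay in memory for as long as the lid is shut, whereas hibernate cleared them. `lidSwitch = "suspend-then-hibernate";` keeps the quick-resume behaviour while bounding that window, if the firmware supports it. `powerKey = "poweroff"` makes a single press shut the machine down immediately; a comment such as `# power key shuts down without confirmation; suspend key hibernates` would make the intent clear to the next reader. The `services.logind` attribute set is fully inside the hunk, but the enclosing configuration set starts and ends outside it.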