From badd080f02b653eb745cfce48fb6f7b5cb848e62 Mon Sep 17 00:00:00 2001
From: cy
Date: Fri, 13 Dec 2024 21:54:49 -0500
Subject: [PATCH] bring chunk here and some restructuring

---
 nix/flake.nix | 3 +
 nix/hosts/chunk/.sops.yaml | 7 +
 nix/hosts/chunk/default.nix | 295 +++++++++++++++++++++
 nix/hosts/chunk/hardware-configuration.nix | 31 +++
 nix/hosts/chunk/secrets.yaml | 29 ++
 nix/{ => hosts/ytnix}/.sops.yaml | 0
 6 files changed, 365 insertions(+)
 create mode 100644 nix/hosts/chunk/.sops.yaml
 create mode 100644 nix/hosts/chunk/default.nix
 create mode 100644 nix/hosts/chunk/hardware-configuration.nix
 create mode 100644 nix/hosts/chunk/secrets.yaml
 rename nix/{ => hosts/ytnix}/.sops.yaml (100%)

diff --git a/nix/flake.nix b/nix/flake.nix
index bcb4472..1f14581 100644
--- a/nix/flake.nix
+++ b/nix/flake.nix
@@ -11,7 +11,10 @@
 url = "github:nix-community/home-manager";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ # it's not really "master"
 master.url = "github:NixOS/nixpkgs/2ab79c44f98391b6ee2edfb11f4c7a57ce1404b5";
+ # this has the caddy module with environmentFile option
+ testpkgs.url = "github:NixOS/nixpkgs/248081c4729259c3add830d502779c5d04cbe074";
 };
 outputs = {
diff --git a/nix/hosts/chunk/.sops.yaml b/nix/hosts/chunk/.sops.yaml
new file mode 100644
index 0000000..462edd7
--- /dev/null
+++ b/nix/hosts/chunk/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+ - &primary age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn
+creation_rules:
+ - path_regex: secrets/secrets.yaml$
+ key_groups:
+ - age:
+ - *primary
diff --git a/nix/hosts/chunk/default.nix b/nix/hosts/chunk/default.nix
new file mode 100644
index 0000000..5db700b
--- /dev/null
+++ b/nix/hosts/chunk/default.nix
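Review bot: Neither pinned nixpkgs input in the `inputs` block says when its pin can be retired; `# it's not really "master"` tells the reader what the input is not, and the `testpkgs` comment names the reason but not the exit condition. Suggest `# TODO: drop once the main nixpkgs input carries services.caddy.environmentFile` above `testpkgs.url`, and on `master.url` a comment naming the package or module the pin was chosen for. This matters because chunk/default.nix disables the stock caddy module and imports the one from `testpkgs`, so the two revisions are coupled and a future bump of one without the other is easy to miss.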
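Review bot: `path_regex: secrets/secrets.yaml$` cannot match the secrets file this commit adds next to it, `nix/hosts/chunk/secrets.yaml`, because that path has no `secrets/` directory component, so the creation rule never applies and a new or re-keyed secrets file in this directory would get no recipients (the existing file keeps the recipients embedded in its own sops metadata). Use `path_regex: secrets\.yaml$` if the file is meant to live beside this config, or add a comment if a different layout is planned. The rule may have been carried over from `nix/.sops.yaml`, which this commit renames to `nix/hosts/ytnix/.sops.yaml`.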
@@ -0,0 +1,295 @@
+{ config, lib, pkgs, inputs, ... }:
+
+let
+ fake-gitea = pkgs.writeShellScriptBin "gitea" ''
+ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" /usr/local/bin/gitea $@"
+ '';
+
+in {
+ disabledModules = [ "services/web-servers/caddy/default.nix" ];
+ imports =
+ [
+ ./hardware-configuration.nix
+ "${inputs.testpkgs}/nixos/modules/services/web-servers/caddy"
+ ];
+
+ sops.defaultSopsFile = ./secrets.yaml;
+ sops.age.keyFile = "/root/.config/sops/age/keys.txt";
+ sops.secrets = {
+ "borg/crash" = { };
+ "ntfy" = { };
+ "rclone" = { };
+ "vaultwarden" = { };
+ "caddy" = { };
+ "hedgedoc" = { };
+ };
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.device = "/dev/vda";
+
+ system.stateVersion = "24.05";
+
+ networking.hostName = "chunk";
+ networking.networkmanager.enable = true;
+ networking.nftables.enable = true;
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [ 22 80 443 ];
+ allowedUDPPorts = [ 443 ];
+ extraInputRules = ''
+ ip saddr 172.18.0.0/16 tcp dport 5432 accept
+ '';
+ };
+ networking.interfaces.ens18 = {
+ ipv6.addresses = [{
+ address = "2a0f:85c1:840:2bfb::1";
+ prefixLength = 64;
+ }];
+ };
+ networking.defaultGateway6 = {
+ address = "2a0f:85c1:840::1";
+ interface = "ens18";
+ };
+
+ time.timeZone = "America/Toronto";
+
+ i18n.defaultLocale = "en_US.UTF-8";
+ console = {
+ font = "Lat2-Terminus16";
+ useXkbConfig = true;
+ };
+
+ users.users.yt = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" "networkmanager" "docker"];
+ openssh.authorizedKeys.keys =
+ [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux" ];
+ packages = with pkgs; [
+ fzf
+ eza
+ zoxide
+ delta
+ lua-language-server
+ vim-language-server
+ python312Packages.python-lsp-server
+ nixd
+ gopls
+ bash-language-server
+ llvmPackages_19.clang-tools
+ rust-analyzer
+ yt-dlp
+ gnumake
+ hedgedoc
+ ];
+ shell = pkgs.zsh;
+ };
+
+ users.users.root.openssh.authorizedKeys.keys =
+ [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux" ];
+ programs.zsh.enable = true;
+
+ users.users.git = {
+ isNormalUser = true;
+ packages = [ fake-gitea ];
+ };
+
+ environment.systemPackages = with pkgs; [
+ vim
+ neovim
+ wget
+ curl
+ tree
+ python3Full
+ tmux
+ borgbackup
+ rclone
+ restic
+ htop
+ btop
+ file
+ sops
+ age
+ ];
+
+ environment.variables = {
+ EDITOR = "nvim";
+ VISUAL = "nvim";
+ };
+
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ };
+
+ security.sudo.enable = true;
+ security.sudo.wheelNeedsPassword = false;
+
+ programs.gnupg.agent.enable = true;
+ programs.git.enable = true;
+
+ services.caddy = {
+ enable = true;
+ configFile = ../Caddyfile;
+ environmentFile = "/run/secrets/caddy";
+ logFormat = lib.mkForce "level INFO";
+ };
+ # systemd.services.caddy.serviceConfig = {
+ # EnvironmentFile = "/run/secrets/caddy";
+ # };
+
+ services.postgresql = {
+ enable = true;
+ settings.port = 5432;
+ package = pkgs.postgresql_17;
+ enableTCPIP = true;
+ ensureDatabases = [
+ "forgejo"
+ "freshrss"
+ "hedgedoc"
+ "linkwarden"
+ ];
+ ensureUsers = [
+ {
+ name = "forgejo";
+ ensureDBOwnership = true;
+ }
+ {
+ name = "linkwarden";
+ ensureDBOwnership = true;
+ }
+ {
+ name = "freshrss";
+ ensureDBOwnership = true;
+ }
+ {
+ name = "hedgedoc";
+ ensureDBOwnership = true;
+ }
+ ];
+ authentication = lib.mkForce ''
+ local all all trust
+ host all all 127.0.0.1/32 trust
+ host all all ::1/128 trust
+ host all all 172.18.0.0/16 trust
+ '';
+ };
+ services.postgresqlBackup.enable = true;
+
+ virtualisation.docker.enable = true;
+
+ services.borgbackup.jobs = {
+ crashRsync = {
+ paths = [ "/root" "/home" "/var/backup" "/var/lib" "/var/log" "/opt" "/etc" "/vw-data" ];
+ exclude = [ "**/.cache" "**/node_modules" "**/cache" "**/Cache" "/var/lib/docker/overlay*" ];
+ repo = "de3911@de3911.rsync.net:borg/crash";
+ encryption = {
+ mode = "repokey-blake2";
+ passCommand = "cat /run/secrets/borg/crash";
+ };
+ environment = {
+ BORG_RSH = "ssh -i /home/yt/.ssh/id_ed25519";
+ BORG_REMOTE_PATH = "borg1";
+ };
+ compression = "auto,zstd";
+ startAt = "daily";
+ extraCreateArgs = [ "--stats" ];
+ # warnings are often not that serious
+ failOnWarnings = false;
+ postHook = ''
+ ${pkgs.curl}/bin/curl -u $(cat /run/secrets/ntfy) -d "chunk: backup completed with exit code: $exitStatus
+ $(journalctl -u borgbackup-job-crashRsync.service|tail -n 5)" \
+ https://ntfy.cything.io/chunk
+ '';
+ };
+ };
+
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+ services.vaultwarden = {
+ enable = true;
+ dbBackend = "postgresql";
+ environmentFile = "/run/secrets/vaultwarden";
+ config = {
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = "8081";
+ DATA_FOLDER = "/vw-data";
+ DATABASE_URL = "postgresql://vaultwarden:vaultwarden@127.0.0.1:5432/vaultwarden";
+ };
+ };
+
+ services.ntfy-sh = {
+ enable = true;
+ settings = {
+ listen-http = "127.0.0.1:8083";
+ base-url = "https://ntfy.cything.io";
+ upstream-base-url = "https://ntfy.sh";
+ auth-default-access = "deny-all";
+ behind-proxy = true;
+ };
+ };
+
+ systemd.services.immich-mount = {
+ enable = true;
+ description = "Mount the immich data remote";
+ after = [ "network-online.target" ];
+ requires = [ "network-online.target" ];
+ wantedBy = [ "default.target" ];
+ serviceConfig = {
+ Type = "notify";
+ ExecStartPre = "/usr/bin/env mkdir -p /mnt/photos";
+ ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --transfers=32 --dir-cache-time 720h --poll-interval 0 --vfs-cache-mode writes photos: /mnt/photos ";
+ ExecStop = "/bin/fusermount -u /mnt/photos";
+ EnvironmentFile = "/run/secrets/rclone";
+ };
+ };
+
+ systemd.services.nextcloud-mount = {
+ enable = true;
+ description = "Mount the nextcloud data remote";
+ after = [ "network-online.target" ];
+ requires = [ "network-online.target" ];
+ wantedBy = [ "default.target" ];
+ serviceConfig = {
+ Type = "notify";
+ ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --uid 33 --gid 0 --allow-other --file-perms 0770 --dir-perms 0770 --transfers=32 rsyncnet:nextcloud /mnt/nextcloud";
+ ExecStop = "/bin/fusermount -u /mnt/nextcloud";
+ EnvironmentFile = "/run/secrets/rclone";
+ };
+ };
+
+ programs.fuse.userAllowOther = true;
+
+ nix.optimise = {
+ automatic = true;
+ dates = [ "03:45" ];
+ };
+ nix.settings.auto-optimise-store = true;
+
+ services.hedgedoc = {
+ enable = true;
+ environmentFile = "/run/secrets/hedgedoc";
+ settings = {
+ db = {
+ username = "hedgedoc";
+ database = "hedgedoc";
+ host = "/run/postgresql";
+ dialect = "postgresql";
+ };
+ port = 8085;
+ domain = "pad.cything.io";
+ allowEmailRegister = false;
+ protocolUseSSL = true;
+ };
+ };
+
+ services.redlib = {
+ enable = true;
+ port = 8087;
+ address = "127.0.0.1";
+ settings = {
+ # settings are just env vars
+ REDLIB_ENABLE_RSS = "on";
+ REDLIB_ROBOTS_DISABLE_INDEXING = "on";
+ };
+ };
+}
+
diff --git a/nix/hosts/chunk/hardware-configuration.nix b/nix/hosts/chunk/hardware-configuration.nix
new file mode 100644
index 0000000..acdf1e3
--- /dev/null
+++ b/nix/hosts/chunk/hardware-configuration.nix
@@ -0,0 +1,31 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/6fff5dd4-8d7a-43fa-85be-eec74ef2089e";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/nix/hosts/chunk/secrets.yaml b/nix/hosts/chunk/secrets.yaml
new file mode 100644
index 0000000..26642e7
--- /dev/null
+++ b/nix/hosts/chunk/secrets.yaml
@@ -0,0 +1,29 @@
+borg:
+ crash: ENC[AES256_GCM,data:vEeCjPi62gEy29F7HbUFOLTg9yLdppKL2w==,iv:4gYocu4xSFyoupzyQgfnzrxhFVDLAGeY3OnLiVZmwnE=,tag:p7JxbSeKYWHK/YJ8tx1hKA==,type:str]
+anki:
+ cy: ENC[AES256_GCM,data:5XNv5jaC9/T6E/8KaQM=,iv:xneSmhtb+CTyTJFjeSe4Cdun/AT5x1fwqvPTtBaWWS8=,tag:Vw1JkIg+m62kCAMLM0z7/g==,type:str]
+ntfy: ENC[AES256_GCM,data:IShnk2cH/oKUwHCEfA==,iv:bEshwLBbIdwg0CJhonaOZtTJkfHY70YSUwfcsAYB98E=,tag:tD3uWleBwxFlKHqQOOLE4w==,type:str]
+rclone: ENC[AES256_GCM,data:IYxR45rQP0cQA84HMRSAJaBsmB/YArIEdWpD191omnKg1kfN0ShYKwEPsoe+,iv:cTn8Z/fxWmGW8iPS6DcrjUe0RUZXOi0D1LVnIxCLPSo=,tag:Ie8JWis40JN9mca4OjfInw==,type:str]
+vaultwarden: ENC[AES256_GCM,data:fnl8hVezSu8g3tAXCwDUe9+wVjK7F8bC8qJJBj8Wq1BX6ygtjKNkf4wGAMo0XTb4Ukx1A+KwfJ2DlTWkDPo6ALxaIC/ZR4RYQJ3xE5rJ5QKkD+1Abebis5W1UXEEsiMRoo+vCz2GiU39NXY6/CjxM/gBhcBtyeUNtWcYalmOUQOLfd7GKPCElbA+BWKnjL1tl5DjWgACBvm5AozLoElVGiiMviz8V623NY1DkPQjJxl9ziU9Ncft4KS5rw0IIXmBj6QRF6+qOwz7TxcamDBIW2BWvDNmfPzQdl2cI4NwVWPiImcMedTQiH4m00oW5QBl0QM8F89N7CgOnA==,iv:hmAydcZd5LDPSQkekl5pD/i4Gr6GnR4BqYHXYR/mqHY=,tag:utwQNWPGSTvl1VRJr+89gw==,type:str]
+caddy: ENC[AES256_GCM,data:iRTGzvJdWQbwxM2mEhQuw3tRC/HLCryOJOgdIb+HSQ2bxRqNNp32H82+Rx/CPwCPOvQN+gXjwHPlMuLX2KbmPLugx2pETgVPddVAe18sT4UtFQ5Ym/wM8dXqNXmhZ2hkxJUjPg3l1Aov75iNH9kD7rzivEiGb0ET09iYEmbtVqx8BVc8pw==,iv:nBziWIlTAlnmfbBJa/AnpmjirtLqbSSoyJVgw1w63t4=,tag:ZSrWE1b1AY7fX4WUYV0uag==,type:str]
+hedgedoc: ENC[AES256_GCM,data:3DWGGXE3E4nay5NhbBkNcyDlv40G8KvhLbvu1Qba3zJLDeVtuBBF/ZjFCddUx+Sw83OLMsZBQMu3Y4Cq0rcqRT+YHnQzwboUY3xngNHgVMBGh9c8,iv:GuSYHMlM9eXf7AcArGXnISDNnfsAN38NxxVTO0/iwKM=,tag:0WKKUZS3WaYOCUFNw4HqFA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTkUySDA1ODMxWlF0MmpQ
+ N1ZzTGRjRVB4dnJmSXA3dzJIdmprMk5BN2dJCkxIVTlmOHAwOWNkRWt5UGUrUEFY
+ RVNSWml2M2JRT1BLaUhvd3N3QzZLT1UKLS0tIG1LbXJiSGwwYjVFRkNlcVQ0cDUx
+ R1lNZjFGelFvcXQ0enZTZ2pWRFZ2VVUKtGKbLyijIV1h0HFX7DMAkvXwdG70+pg/
+ sJ0PRcU6QGKz1NtVFdcXC1KQIqrv0XOGU26cRt8mji88JMzzgL7CHg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-12-09T01:58:21Z"
+ mac: ENC[AES256_GCM,data:AdpE5LsndQPbOpAHmUnmyyP8bpYtu4AC7OqH6s2ejwwVIqm134CSJ1e8IQj86nH+Qanex3yMEWoy+bb9kzi3WPbEZ9E0ez7iBJaRlZN7Qn6ZlIKVZJ3yJQm7TmaY0xxIM+hShGtRNFHbAKXlg0yiDvxNwPFvAxbkOI9tVyqLbHQ=,iv:3/RpDCfx3R+5orU2uDvN/21wJJUgWu2YJ1VVbyAkfqc=,tag:7hVkGdX0oP3YnQz91Iea3Q==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.1
diff --git a/nix/.sops.yaml b/nix/hosts/ytnix/.sops.yaml
similarity index 100%
rename from nix/.sops.yaml
rename to nix/hosts/ytnix/.sops.yaml