cy/nixos-config
cy/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

bring chunk here and some restructuring

Browse source
This commit is contained in:
cy 2024-12-13 21:54:49 -05:00
parent 7b9a097d6f
commit badd080f02
6 changed files with 365 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
nix/flake.nix
View file

@ -11,7 +11,10 @@
url = "github:nix-community/home-manager"; url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
# it's not really "master"
master.url = "github:NixOS/nixpkgs/2ab79c44f98391b6ee2edfb11f4c7a57ce1404b5"; master.url = "github:NixOS/nixpkgs/2ab79c44f98391b6ee2edfb11f4c7a57ce1404b5";
# this has the caddy module with environmentFile option
testpkgs.url = "github:NixOS/nixpkgs/248081c4729259c3add830d502779c5d04cbe074";
}; };
outputs = { outputs = {

7
nix/hosts/chunk/.sops.yaml Normal file
View file

@ -0,0 +1,7 @@
keys:
- &primary age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn
creation_rules:
- path_regex: secrets/secrets.yaml$
key_groups:
- age:
- *primary

295
nix/hosts/chunk/default.nix Normal file
View file

@ -0,0 +1,295 @@
{ config, lib, pkgs, inputs, ... }:
let
fake-gitea = pkgs.writeShellScriptBin "gitea" ''
ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" /usr/local/bin/gitea $@"
'';
in {
disabledModules = [ "services/web-servers/caddy/default.nix" ];
imports =
[
./hardware-configuration.nix
"${inputs.testpkgs}/nixos/modules/services/web-servers/caddy"
];
sops.defaultSopsFile = ./secrets.yaml;
sops.age.keyFile = "/root/.config/sops/age/keys.txt";
sops.secrets = {
"borg/crash" = { };
"ntfy" = { };
"rclone" = { };
"vaultwarden" = { };
"caddy" = { };
"hedgedoc" = { };
};
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
system.stateVersion = "24.05";
networking.hostName = "chunk";
networking.networkmanager.enable = true;
networking.nftables.enable = true;
networking.firewall = {
enable = true;
allowedTCPPorts = [ 22 80 443 ];
allowedUDPPorts = [ 443 ];
extraInputRules = ''
ip saddr 172.18.0.0/16 tcp dport 5432 accept
'';
};
networking.interfaces.ens18 = {
ipv6.addresses = [{
address = "2a0f:85c1:840:2bfb::1";
prefixLength = 64;
}];
};
networking.defaultGateway6 = {
address = "2a0f:85c1:840::1";
interface = "ens18";
};
time.timeZone = "America/Toronto";
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
useXkbConfig = true;
};
users.users.yt = {
isNormalUser = true;
extraGroups = [ "wheel" "networkmanager" "docker"];
openssh.authorizedKeys.keys =
[ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux" ];
packages = with pkgs; [
fzf
eza
zoxide
delta
lua-language-server
vim-language-server
python312Packages.python-lsp-server
nixd
gopls
bash-language-server
llvmPackages_19.clang-tools
rust-analyzer
yt-dlp
gnumake
hedgedoc
];
shell = pkgs.zsh;
};
users.users.root.openssh.authorizedKeys.keys =
[ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux" ];
programs.zsh.enable = true;
users.users.git = {
isNormalUser = true;
packages = [ fake-gitea ];
};
environment.systemPackages = with pkgs; [
vim
neovim
wget
curl
tree
python3Full
tmux
borgbackup
rclone
restic
htop
btop
file
sops
age
];
environment.variables = {
EDITOR = "nvim";
VISUAL = "nvim";
};
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
security.sudo.enable = true;
security.sudo.wheelNeedsPassword = false;
programs.gnupg.agent.enable = true;
programs.git.enable = true;
services.caddy = {
enable = true;
configFile = ../Caddyfile;
environmentFile = "/run/secrets/caddy";
logFormat = lib.mkForce "level INFO";
};
# systemd.services.caddy.serviceConfig = {
# EnvironmentFile = "/run/secrets/caddy";
# };
services.postgresql = {
enable = true;
settings.port = 5432;
package = pkgs.postgresql_17;
enableTCPIP = true;
ensureDatabases = [
"forgejo"
"freshrss"
"hedgedoc"
"linkwarden"
];
ensureUsers = [
{
name = "forgejo";
ensureDBOwnership = true;
}
{
name = "linkwarden";
ensureDBOwnership = true;
}
{
name = "freshrss";
ensureDBOwnership = true;
}
{
name = "hedgedoc";
ensureDBOwnership = true;
}
];
authentication = lib.mkForce ''
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
host all all 172.18.0.0/16 trust
'';
};
services.postgresqlBackup.enable = true;
virtualisation.docker.enable = true;
services.borgbackup.jobs = {
crashRsync = {
paths = [ "/root" "/home" "/var/backup" "/var/lib" "/var/log" "/opt" "/etc" "/vw-data" ];
exclude = [ "**/.cache" "**/node_modules" "**/cache" "**/Cache" "/var/lib/docker/overlay*" ];
repo = "de3911@de3911.rsync.net:borg/crash";
encryption = {
mode = "repokey-blake2";
passCommand = "cat /run/secrets/borg/crash";
};
environment = {
BORG_RSH = "ssh -i /home/yt/.ssh/id_ed25519";
BORG_REMOTE_PATH = "borg1";
};
compression = "auto,zstd";
startAt = "daily";
extraCreateArgs = [ "--stats" ];
# warnings are often not that serious
failOnWarnings = false;
postHook = ''
${pkgs.curl}/bin/curl -u $(cat /run/secrets/ntfy) -d "chunk: backup completed with exit code: $exitStatus
$(journalctl -u borgbackup-job-crashRsync.service|tail -n 5)" \
https://ntfy.cything.io/chunk
'';
};
};
nix.settings.experimental-features = [ "nix-command" "flakes" ];
services.vaultwarden = {
enable = true;
dbBackend = "postgresql";
environmentFile = "/run/secrets/vaultwarden";
config = {
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = "8081";
DATA_FOLDER = "/vw-data";
DATABASE_URL = "postgresql://vaultwarden:vaultwarden@127.0.0.1:5432/vaultwarden";
};
};
services.ntfy-sh = {
enable = true;
settings = {
listen-http = "127.0.0.1:8083";
base-url = "https://ntfy.cything.io";
upstream-base-url = "https://ntfy.sh";
auth-default-access = "deny-all";
behind-proxy = true;
};
};
systemd.services.immich-mount = {
enable = true;
description = "Mount the immich data remote";
after = [ "network-online.target" ];
requires = [ "network-online.target" ];
wantedBy = [ "default.target" ];
serviceConfig = {
Type = "notify";
ExecStartPre = "/usr/bin/env mkdir -p /mnt/photos";
ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --transfers=32 --dir-cache-time 720h --poll-interval 0 --vfs-cache-mode writes photos: /mnt/photos ";
ExecStop = "/bin/fusermount -u /mnt/photos";
EnvironmentFile = "/run/secrets/rclone";
};
};
systemd.services.nextcloud-mount = {
enable = true;
description = "Mount the nextcloud data remote";
after = [ "network-online.target" ];
requires = [ "network-online.target" ];
wantedBy = [ "default.target" ];
serviceConfig = {
Type = "notify";
ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --uid 33 --gid 0 --allow-other --file-perms 0770 --dir-perms 0770 --transfers=32 rsyncnet:nextcloud /mnt/nextcloud";
ExecStop = "/bin/fusermount -u /mnt/nextcloud";
EnvironmentFile = "/run/secrets/rclone";
};
};
programs.fuse.userAllowOther = true;
nix.optimise = {
automatic = true;
dates = [ "03:45" ];
};
nix.settings.auto-optimise-store = true;
services.hedgedoc = {
enable = true;
environmentFile = "/run/secrets/hedgedoc";
settings = {
db = {
username = "hedgedoc";
database = "hedgedoc";
host = "/run/postgresql";
dialect = "postgresql";
};
port = 8085;
domain = "pad.cything.io";
allowEmailRegister = false;
protocolUseSSL = true;
};
};
services.redlib = {
enable = true;
port = 8087;
address = "127.0.0.1";
settings = {
# settings are just env vars
REDLIB_ENABLE_RSS = "on";
REDLIB_ROBOTS_DISABLE_INDEXING = "on";
};
};
}

31
nix/hosts/chunk/hardware-configuration.nix Normal file
View file

@ -0,0 +1,31 @@
# Do not modify this file! It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/6fff5dd4-8d7a-43fa-85be-eec74ef2089e";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

29
nix/hosts/chunk/secrets.yaml Normal file
View file

@ -0,0 +1,29 @@
borg:
crash: ENC[AES256_GCM,data:vEeCjPi62gEy29F7HbUFOLTg9yLdppKL2w==,iv:4gYocu4xSFyoupzyQgfnzrxhFVDLAGeY3OnLiVZmwnE=,tag:p7JxbSeKYWHK/YJ8tx1hKA==,type:str]
anki:
cy: ENC[AES256_GCM,data:5XNv5jaC9/T6E/8KaQM=,iv:xneSmhtb+CTyTJFjeSe4Cdun/AT5x1fwqvPTtBaWWS8=,tag:Vw1JkIg+m62kCAMLM0z7/g==,type:str]
ntfy: ENC[AES256_GCM,data:IShnk2cH/oKUwHCEfA==,iv:bEshwLBbIdwg0CJhonaOZtTJkfHY70YSUwfcsAYB98E=,tag:tD3uWleBwxFlKHqQOOLE4w==,type:str]
rclone: ENC[AES256_GCM,data:IYxR45rQP0cQA84HMRSAJaBsmB/YArIEdWpD191omnKg1kfN0ShYKwEPsoe+,iv:cTn8Z/fxWmGW8iPS6DcrjUe0RUZXOi0D1LVnIxCLPSo=,tag:Ie8JWis40JN9mca4OjfInw==,type:str]
vaultwarden: ENC[AES256_GCM,data:fnl8hVezSu8g3tAXCwDUe9+wVjK7F8bC8qJJBj8Wq1BX6ygtjKNkf4wGAMo0XTb4Ukx1A+KwfJ2DlTWkDPo6ALxaIC/ZR4RYQJ3xE5rJ5QKkD+1Abebis5W1UXEEsiMRoo+vCz2GiU39NXY6/CjxM/gBhcBtyeUNtWcYalmOUQOLfd7GKPCElbA+BWKnjL1tl5DjWgACBvm5AozLoElVGiiMviz8V623NY1DkPQjJxl9ziU9Ncft4KS5rw0IIXmBj6QRF6+qOwz7TxcamDBIW2BWvDNmfPzQdl2cI4NwVWPiImcMedTQiH4m00oW5QBl0QM8F89N7CgOnA==,iv:hmAydcZd5LDPSQkekl5pD/i4Gr6GnR4BqYHXYR/mqHY=,tag:utwQNWPGSTvl1VRJr+89gw==,type:str]
caddy: ENC[AES256_GCM,data:iRTGzvJdWQbwxM2mEhQuw3tRC/HLCryOJOgdIb+HSQ2bxRqNNp32H82+Rx/CPwCPOvQN+gXjwHPlMuLX2KbmPLugx2pETgVPddVAe18sT4UtFQ5Ym/wM8dXqNXmhZ2hkxJUjPg3l1Aov75iNH9kD7rzivEiGb0ET09iYEmbtVqx8BVc8pw==,iv:nBziWIlTAlnmfbBJa/AnpmjirtLqbSSoyJVgw1w63t4=,tag:ZSrWE1b1AY7fX4WUYV0uag==,type:str]
hedgedoc: ENC[AES256_GCM,data:3DWGGXE3E4nay5NhbBkNcyDlv40G8KvhLbvu1Qba3zJLDeVtuBBF/ZjFCddUx+Sw83OLMsZBQMu3Y4Cq0rcqRT+YHnQzwboUY3xngNHgVMBGh9c8,iv:GuSYHMlM9eXf7AcArGXnISDNnfsAN38NxxVTO0/iwKM=,tag:0WKKUZS3WaYOCUFNw4HqFA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTkUySDA1ODMxWlF0MmpQ
N1ZzTGRjRVB4dnJmSXA3dzJIdmprMk5BN2dJCkxIVTlmOHAwOWNkRWt5UGUrUEFY
RVNSWml2M2JRT1BLaUhvd3N3QzZLT1UKLS0tIG1LbXJiSGwwYjVFRkNlcVQ0cDUx
R1lNZjFGelFvcXQ0enZTZ2pWRFZ2VVUKtGKbLyijIV1h0HFX7DMAkvXwdG70+pg/
sJ0PRcU6QGKz1NtVFdcXC1KQIqrv0XOGU26cRt8mji88JMzzgL7CHg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-09T01:58:21Z"
mac: ENC[AES256_GCM,data:AdpE5LsndQPbOpAHmUnmyyP8bpYtu4AC7OqH6s2ejwwVIqm134CSJ1e8IQj86nH+Qanex3yMEWoy+bb9kzi3WPbEZ9E0ez7iBJaRlZN7Qn6ZlIKVZJ3yJQm7TmaY0xxIM+hShGtRNFHbAKXlg0yiDvxNwPFvAxbkOI9tVyqLbHQ=,iv:3/RpDCfx3R+5orU2uDvN/21wJJUgWu2YJ1VVbyAkfqc=,tag:7hVkGdX0oP3YnQz91Iea3Q==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1

0
nix/.sops.yaml → nix/hosts/ytnix/.sops.yaml
View file