cy/nixos-config
cy/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

rm dotbot; move everything to home manager

Browse source
This commit is contained in:
cy 2024-12-15 02:14:00 -05:00
parent cedd2c1983
commit c1b64baea7
39 changed files with 7 additions and 37 deletions
Download patch file Download diff file Expand all files Collapse all files

348
hosts/chunk/default.nix Normal file
View file

@ -0,0 +1,348 @@
{
config,
lib,
pkgs,
inputs,
...
}: {
disabledModules = ["services/web-servers/caddy/default.nix"];
imports = [
./hardware-configuration.nix
"${inputs.testpkgs}/nixos/modules/services/web-servers/caddy"
../common.nix
];
sops.defaultSopsFile = ./secrets.yaml;
sops.age.keyFile = "/root/.config/sops/age/keys.txt";
sops.secrets = {
"borg/crash" = {};
"ntfy" = {};
"rclone" = {};
"vaultwarden" = {};
"caddy" = {};
"hedgedoc" = {};
"wireguard/private" = {};
"wireguard/psk" = {};
"wireguard/pskphone" = {};
"miniflux" = {};
"gitlab/root" = {
owner = config.users.users.git.name;
group = config.users.users.git.group;
};
"gitlab/secret" = {
owner = config.users.users.git.name;
group = config.users.users.git.group;
};
"gitlab/jws" = {
owner = config.users.users.git.name;
group = config.users.users.git.group;
};
"gitlab/db" = {
owner = config.users.users.git.name;
group = config.users.users.git.group;
};
"gitlab/otp" = {
owner = config.users.users.git.name;
group = config.users.users.git.group;
};
};
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
system.stateVersion = "24.05";
networking.hostName = "chunk";
networking.networkmanager.enable = true;
networking.firewall = {
enable = true;
allowedTCPPorts = [22 80 443 53 853];
allowedUDPPorts = [443 51820 53 853]; # 51820 is wireguard
trustedInterfaces = ["wg0" "br-2a019a56bbcc"]; # the second one is docker, idk if this changes
};
networking.interfaces.ens18 = {
ipv6.addresses = [
{
address = "2a0f:85c1:840:2bfb::1";
prefixLength = 64;
}
];
};
networking.defaultGateway6 = {
address = "2a0f:85c1:840::1";
interface = "ens18";
};
networking.nameservers = ["127.0.0.1" "::1"];
time.timeZone = "America/Toronto";
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
useXkbConfig = true;
};
users.users.yt = {
isNormalUser = true;
extraGroups = ["wheel" "networkmanager" "docker"];
openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux"];
shell = pkgs.zsh;
};
programs.zsh.enable = true;
users.users.root.openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux"];
environment.systemPackages = with pkgs; [
vim
wget
curl
tree
python3Full
tmux
borgbackup
rclone
file
sops
age
];
environment.variables = {
EDITOR = "nvim";
VISUAL = "nvim";
};
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
security.sudo.enable = true;
security.sudo.wheelNeedsPassword = false;
programs.gnupg.agent.enable = true;
programs.git.enable = true;
services.caddy = {
enable = true;
configFile = ./Caddyfile;
environmentFile = "/run/secrets/caddy";
logFormat = lib.mkForce "level INFO";
};
# systemd.services.caddy.serviceConfig = {
# EnvironmentFile = "/run/secrets/caddy";
# };
services.postgresql = {
enable = true;
settings.port = 5432;
package = pkgs.postgresql_17;
enableTCPIP = true;
ensureDatabases = [
"hedgedoc"
];
authentication = lib.mkForce ''
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
host all all 172.18.0.0/16 trust
'';
};
services.postgresqlBackup.enable = true;
virtualisation.docker.enable = true;
services.borgbackup.jobs = {
crashRsync = {
paths = ["/root" "/home" "/var/backup" "/var/lib" "/var/log" "/opt" "/etc" "/vw-data"];
exclude = ["**/.cache" "**/node_modules" "**/cache" "**/Cache" "/var/lib/docker/overlay*"];
repo = "de3911@de3911.rsync.net:borg/crash";
encryption = {
mode = "repokey-blake2";
passCommand = "cat /run/secrets/borg/crash";
};
environment = {
BORG_RSH = "ssh -i /home/yt/.ssh/id_ed25519";
BORG_REMOTE_PATH = "borg1";
};
compression = "auto,zstd";
startAt = "daily";
extraCreateArgs = ["--stats"];
# warnings are often not that serious
failOnWarnings = false;
postHook = ''
${pkgs.curl}/bin/curl -u $(cat /run/secrets/ntfy) -d "chunk: backup completed with exit code: $exitStatus
$(journalctl -u borgbackup-job-crashRsync.service|tail -n 5)" \
https://ntfy.cything.io/chunk
'';
};
};
services.vaultwarden = {
enable = true;
dbBackend = "postgresql";
environmentFile = "/run/secrets/vaultwarden";
config = {
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = "8081";
DATA_FOLDER = "/vw-data";
DATABASE_URL = "postgresql://vaultwarden:vaultwarden@127.0.0.1:5432/vaultwarden";
};
};
services.ntfy-sh = {
enable = true;
settings = {
listen-http = "127.0.0.1:8083";
base-url = "https://ntfy.cything.io";
upstream-base-url = "https://ntfy.sh";
auth-default-access = "deny-all";
behind-proxy = true;
};
};
systemd.services.immich-mount = {
enable = true;
description = "Mount the immich data remote";
after = ["network-online.target"];
requires = ["network-online.target"];
wantedBy = ["default.target"];
serviceConfig = {
Type = "notify";
ExecStartPre = "/usr/bin/env mkdir -p /mnt/photos";
ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --transfers=32 --dir-cache-time 720h --poll-interval 0 --vfs-cache-mode writes photos: /mnt/photos ";
ExecStop = "/bin/fusermount -u /mnt/photos";
EnvironmentFile = "/run/secrets/rclone";
};
};
systemd.services.nextcloud-mount = {
enable = true;
description = "Mount the nextcloud data remote";
after = ["network-online.target"];
requires = ["network-online.target"];
wantedBy = ["default.target"];
serviceConfig = {
Type = "notify";
ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --uid 33 --gid 0 --allow-other --file-perms 0770 --dir-perms 0770 --transfers=32 rsyncnet:nextcloud /mnt/nextcloud";
ExecStop = "/bin/fusermount -u /mnt/nextcloud";
EnvironmentFile = "/run/secrets/rclone";
};
};
programs.fuse.userAllowOther = true;
services.hedgedoc = {
enable = true;
environmentFile = "/run/secrets/hedgedoc";
settings = {
db = {
username = "hedgedoc";
database = "hedgedoc";
host = "/run/postgresql";
dialect = "postgresql";
};
port = 8085;
domain = "pad.cything.io";
allowEmailRegister = false;
protocolUseSSL = true;
};
};
services.redlib = {
enable = true;
port = 8087;
address = "127.0.0.1";
settings = {
# settings are just env vars
REDLIB_ENABLE_RSS = "on";
REDLIB_ROBOTS_DISABLE_INDEXING = "on";
};
};
# wireguard stuff
networking.nat = {
enable = true;
enableIPv6 = true;
externalInterface = "ens18";
internalInterfaces = ["wg0"];
};
networking.wg-quick.interfaces.wg0 = {
address = ["10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64"];
listenPort = 51820;
privateKeyFile = "/run/secrets/wireguard/private";
postUp = ''
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -A FORWARD -o wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE
${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -A FORWARD -o wg0 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -o ens18 -j MASQUERADE
'';
preDown = ''
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -D FORWARD -o wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE
${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -D FORWARD -o wg0 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -o ens18 -j MASQUERADE
'';
peers = [
{
publicKey = "qUhWoTPVC7jJdDEJLYY92OeiwPkaf8I5pv5kkMcSW3g=";
allowedIPs = ["10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128"];
presharedKeyFile = "/run/secrets/wireguard/psk";
}
{
publicKey = "JIGi60wzLw717Cim1dSFoLCdJz5rePa5AIFfuisJI0k=";
allowedIPs = ["10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128"];
presharedKeyFile = "/run/secrets/wireguard/pskphone";
}
];
};
# adguard
services.adguardhome = {
enable = true;
host = "127.0.0.1";
port = 8082;
settings = {
http.port = "8083";
users = [
{
name = "cy";
password = "$2y$10$BZy2zYJj5z4e8LZCq/GwuuhWUafL/MNFO.YcsAMmpDS.2krPxi7KC";
}
];
};
};
services.miniflux = {
enable = true;
adminCredentialsFile = "/run/secrets/miniflux";
config = {
PORT = 8080;
BASE_URL = "https://rss.cything.io";
FORCE_REFRESH_INTERVAL = 0;
};
};
services.gitlab = {
enable = true;
https = true;
host = "git.cything.io";
user = "git"; # so that you can ssh with git@git.cything.io
group = "git";
port = 443; # this *not* the port gitlab will run on
puma.workers = 0; # https://docs.gitlab.com/omnibus/settings/memory_constrained_envs.html#optimize-puma
sidekiq.concurrency = 10;
databaseUsername = "git"; # needs to be same as user
initialRootEmail = "hi@cything.io";
initialRootPasswordFile = "/run/secrets/gitlab/root";
secrets = {
secretFile = "/run/secrets/gitlab/secret";
otpFile = "/run/secrets/gitlab/otp";
jwsFile = "/run/secrets/gitlab/jws";
dbFile = "/run/secrets/gitlab/db";
};
};
}