diff --git a/home/yt/foot.nix b/home/foot.nix similarity index 100% rename from home/yt/foot.nix rename to home/foot.nix diff --git a/home/yt/tmux.nix b/home/tmux.nix similarity index 100% rename from home/yt/tmux.nix rename to home/tmux.nix diff --git a/home/yt/common.nix b/home/yt/common.nix index 59e386c..cd904e6 100644 --- a/home/yt/common.nix +++ b/home/yt/common.nix @@ -1,7 +1,7 @@ {...}: { imports = [ - ./tmux.nix - ./zsh + ../tmux.nix + ../zsh ]; home.sessionVariables = { diff --git a/home/yt/ytnix.nix b/home/yt/ytnix.nix index f605fcb..f15bf6f 100644 --- a/home/yt/ytnix.nix +++ b/home/yt/ytnix.nix @@ -8,7 +8,7 @@ }: { imports = [ ./common.nix - ./foot.nix + ../foot.nix ]; home = { username = "yt"; diff --git a/home/yt/zsh/default.nix b/home/zsh/default.nix similarity index 100% rename from home/yt/zsh/default.nix rename to home/zsh/default.nix diff --git a/home/yt/zsh/p10k.zsh b/home/zsh/p10k.zsh similarity index 100% rename from home/yt/zsh/p10k.zsh rename to home/zsh/p10k.zsh diff --git a/hosts/chunk/adguard.nix b/hosts/chunk/adguard.nix new file mode 100644 index 0000000..3223a9f --- /dev/null +++ b/hosts/chunk/adguard.nix @@ -0,0 +1,16 @@ +{...}: { + services.adguardhome = { + enable = true; + host = "127.0.0.1"; + port = 8082; + settings = { + http.port = "8083"; + users = [ + { + name = "cy"; + password = "$2y$10$BZy2zYJj5z4e8LZCq/GwuuhWUafL/MNFO.YcsAMmpDS.2krPxi7KC"; + } + ]; + }; + }; +} diff --git a/hosts/chunk/borg.nix b/hosts/chunk/borg.nix new file mode 100644 index 0000000..e06d83e --- /dev/null +++ b/hosts/chunk/borg.nix 
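Review bot: `http.port = "8083"` in the new adguard.nix points at the same loopback port that ntfy.nix binds with `listen-http = "127.0.0.1:8083"`, and it also disagrees with the `port = 8082` set two lines above it; if the module honours the settings key, whichever service starts second fails to bind. AdGuardHome's documented key is `http.address` rather than `http.port`, so the inner setting may instead be ignored and `port = 8082` is what takes effect — confirm against the generated AdGuardHome.yaml and delete the line that is not in use, then fix ntfy.nix if the collision is real. The hunk also commits the admin bcrypt hash in `password = ...`; every other service in this change reads credentials from `/run/secrets`, so consider supplying `users` from the secrets store too, since a committed hash can be guessed offline at leisure.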
@@ -0,0 +1,27 @@ +{pkgs, ...}: { + services.borgbackup.jobs = { + crashRsync = { + paths = ["/root" "/home" "/var/backup" "/var/lib" "/var/log" "/opt" "/etc" "/vw-data"]; + exclude = ["**/.cache" "**/node_modules" "**/cache" "**/Cache" "/var/lib/docker/overlay*"]; + repo = "de3911@de3911.rsync.net:borg/crash"; + encryption = { + mode = "repokey-blake2"; + passCommand = "cat /run/secrets/borg/crash"; + }; + environment = { + BORG_RSH = "ssh -i /home/yt/.ssh/id_ed25519"; + BORG_REMOTE_PATH = "borg1"; + }; + compression = "auto,zstd"; + startAt = "daily"; + extraCreateArgs = ["--stats"]; + # warnings are often not that serious + failOnWarnings = false; + postHook = '' + ${pkgs.curl}/bin/curl -u $(cat /run/secrets/ntfy) -d "chunk: backup completed with exit code: $exitStatus + $(journalctl -u borgbackup-job-crashRsync.service|tail -n 5)" \ + https://ntfy.cything.io/chunk + ''; + }; + }; +} diff --git a/hosts/chunk/default.nix b/hosts/chunk/default.nix index 77de3f2..60ad714 100644 --- a/hosts/chunk/default.nix +++ b/hosts/chunk/default.nix @@ -10,6 +10,18 @@ ./hardware-configuration.nix "${inputs.testpkgs}/nixos/modules/services/web-servers/caddy" ../common.nix + ./gitlab.nix + ./borg.nix + ./rclone.nix + ./postgres.nix + ./wireguard.nix + ./adguard.nix + ./hedgedoc.nix + ./miniflux.nix + ./ntfy.nix + ./redlib.nix + ./vaultwarden.nix + ./wireguard.nix ]; sops.defaultSopsFile = ./secrets.yaml; @@ -52,6 +64,8 @@ system.stateVersion = "24.05"; + # network stuff + networking.hostName = "chunk"; networking.networkmanager.enable = true; networking.firewall = { 
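Review bot: The postHook passes the ntfy credential on curl's command line, `curl -u $(cat /run/secrets/ntfy)`, which makes it readable by any local user through the process list for the duration of the request. Let curl read it from a file instead, e.g. `${pkgs.curl}/bin/curl --netrc-file /run/secrets/ntfy-netrc` (a constructed name; the secret would be stored in netrc format) or `-K` with a curlrc-style secret. The message body also ships the last five journal lines of the job off-host; that is fine for `--stats` output, but a one-line comment saying that the journal tail is intentionally sent to ntfy would document the choice. Separately, `BORG_RSH = "ssh -i /home/yt/.ssh/id_ed25519"` ties a root-run service to a key in a user's home directory, which is also inside the `/home` path being backed up; a key under `/run/secrets` would match how the rest of this host handles secrets.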
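Review bot: `./wireguard.nix` is added twice to the `imports` list in default.nix (the fifth and the last new entry). The module system keys modules by their path, so the duplicate is most likely deduplicated rather than evaluated twice, but it reads as a paste error and should be dropped. Sorting the added entries alphabetically would make such repeats obvious at a glance.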
@@ -127,222 +141,6 @@ environmentFile = "/run/secrets/caddy"; logFormat = lib.mkForce "level INFO"; }; - # systemd.services.caddy.serviceConfig = { - # EnvironmentFile = "/run/secrets/caddy"; - # }; - - services.postgresql = { - enable = true; - settings.port = 5432; - package = pkgs.postgresql_17; - enableTCPIP = true; - ensureDatabases = [ - "hedgedoc" - ]; - authentication = lib.mkForce '' - local all all trust - host all all 127.0.0.1/32 trust - host all all ::1/128 trust - host all all 172.18.0.0/16 trust - ''; - }; - services.postgresqlBackup.enable = true; virtualisation.docker.enable = true; - - services.borgbackup.jobs = { - crashRsync = { - paths = ["/root" "/home" "/var/backup" "/var/lib" "/var/log" "/opt" "/etc" "/vw-data"]; - exclude = ["**/.cache" "**/node_modules" "**/cache" "**/Cache" "/var/lib/docker/overlay*"]; - repo = "de3911@de3911.rsync.net:borg/crash"; - encryption = { - mode = "repokey-blake2"; - passCommand = "cat /run/secrets/borg/crash"; - }; - environment = { - BORG_RSH = "ssh -i /home/yt/.ssh/id_ed25519"; - BORG_REMOTE_PATH = "borg1"; - }; - compression = "auto,zstd"; - startAt = "daily"; - extraCreateArgs = ["--stats"]; - # warnings are often not that serious - failOnWarnings = false; - postHook = '' - ${pkgs.curl}/bin/curl -u $(cat /run/secrets/ntfy) -d "chunk: backup completed with exit code: $exitStatus - $(journalctl -u borgbackup-job-crashRsync.service|tail -n 5)" \ - https://ntfy.cything.io/chunk - ''; - }; - }; - - services.vaultwarden = { - enable = true; - dbBackend = "postgresql"; - environmentFile = "/run/secrets/vaultwarden"; - config = { - ROCKET_ADDRESS = "127.0.0.1"; - ROCKET_PORT = "8081"; - DATA_FOLDER = "/vw-data"; - DATABASE_URL = "postgresql://vaultwarden:vaultwarden@127.0.0.1:5432/vaultwarden"; - }; - }; - - services.ntfy-sh = { - enable = true; - settings = { - listen-http = "127.0.0.1:8083"; - base-url = "https://ntfy.cything.io"; - upstream-base-url = "https://ntfy.sh"; - auth-default-access = "deny-all"; - 
behind-proxy = true; - }; - }; - - systemd.services.immich-mount = { - enable = true; - description = "Mount the immich data remote"; - after = ["network-online.target"]; - requires = ["network-online.target"]; - wantedBy = ["default.target"]; - serviceConfig = { - Type = "notify"; - ExecStartPre = "/usr/bin/env mkdir -p /mnt/photos"; - ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --transfers=32 --dir-cache-time 720h --poll-interval 0 --vfs-cache-mode writes photos: /mnt/photos "; - ExecStop = "/bin/fusermount -u /mnt/photos"; - EnvironmentFile = "/run/secrets/rclone"; - }; - }; - - systemd.services.nextcloud-mount = { - enable = true; - description = "Mount the nextcloud data remote"; - after = ["network-online.target"]; - requires = ["network-online.target"]; - wantedBy = ["default.target"]; - serviceConfig = { - Type = "notify"; - ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --uid 33 --gid 0 --allow-other --file-perms 0770 --dir-perms 0770 --transfers=32 rsyncnet:nextcloud /mnt/nextcloud"; - ExecStop = "/bin/fusermount -u /mnt/nextcloud"; - EnvironmentFile = "/run/secrets/rclone"; - }; - }; - - programs.fuse.userAllowOther = true; - - services.hedgedoc = { - enable = true; - environmentFile = "/run/secrets/hedgedoc"; - settings = { - db = { - username = "hedgedoc"; - database = "hedgedoc"; - host = "/run/postgresql"; - dialect = "postgresql"; - }; - port = 8085; - domain = "pad.cything.io"; - allowEmailRegister = false; - protocolUseSSL = true; - }; - }; - - services.redlib = { - enable = true; - port = 8087; - address = "127.0.0.1"; - settings = { - # settings are just env vars - REDLIB_ENABLE_RSS = "on"; - REDLIB_ROBOTS_DISABLE_INDEXING = "on"; - }; - }; - - # wireguard stuff - networking.nat = { - enable = true; - enableIPv6 = true; - externalInterface = "ens18"; - internalInterfaces = ["wg0"]; - }; - - networking.wg-quick.interfaces.wg0 = { - address = ["10.0.0.1/24" 
"fdc9:281f:04d7:9ee9::1/64"]; - listenPort = 51820; - privateKeyFile = "/run/secrets/wireguard/private"; - postUp = '' - ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT - ${pkgs.iptables}/bin/iptables -A FORWARD -o wg0 -j ACCEPT - ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE - ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT - ${pkgs.iptables}/bin/ip6tables -A FORWARD -o wg0 -j ACCEPT - ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -o ens18 -j MASQUERADE - ''; - preDown = '' - ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT - ${pkgs.iptables}/bin/iptables -D FORWARD -o wg0 -j ACCEPT - ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE - ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT - ${pkgs.iptables}/bin/ip6tables -D FORWARD -o wg0 -j ACCEPT - ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -o ens18 -j MASQUERADE - ''; - peers = [ - { - publicKey = "qUhWoTPVC7jJdDEJLYY92OeiwPkaf8I5pv5kkMcSW3g="; - allowedIPs = ["10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128"]; - presharedKeyFile = "/run/secrets/wireguard/psk"; - } - { - publicKey = "JIGi60wzLw717Cim1dSFoLCdJz5rePa5AIFfuisJI0k="; - allowedIPs = ["10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128"]; - presharedKeyFile = "/run/secrets/wireguard/pskphone"; - } - ]; - }; - - # adguard - services.adguardhome = { - enable = true; - host = "127.0.0.1"; - port = 8082; - settings = { - http.port = "8083"; - users = [ - { - name = "cy"; - password = "$2y$10$BZy2zYJj5z4e8LZCq/GwuuhWUafL/MNFO.YcsAMmpDS.2krPxi7KC"; - } - ]; - }; - }; - - services.miniflux = { - enable = true; - adminCredentialsFile = "/run/secrets/miniflux"; - config = { - PORT = 8080; - BASE_URL = "https://rss.cything.io"; - FORCE_REFRESH_INTERVAL = 0; - }; - }; - - services.gitlab = { - enable = true; - https = true; - host = "git.cything.io"; - user = "git"; # so that you can ssh with git@git.cything.io - group = "git"; - port = 443; # this *not* the port gitlab 
will run on - puma.workers = 0; # https://docs.gitlab.com/omnibus/settings/memory_constrained_envs.html#optimize-puma - sidekiq.concurrency = 10; - databaseUsername = "git"; # needs to be same as user - initialRootEmail = "hi@cything.io"; - initialRootPasswordFile = "/run/secrets/gitlab/root"; - secrets = { - secretFile = "/run/secrets/gitlab/secret"; - otpFile = "/run/secrets/gitlab/otp"; - jwsFile = "/run/secrets/gitlab/jws"; - dbFile = "/run/secrets/gitlab/db"; - }; - }; } diff --git a/hosts/chunk/gitlab.nix b/hosts/chunk/gitlab.nix new file mode 100644 index 0000000..7ce1425 --- /dev/null +++ b/hosts/chunk/gitlab.nix @@ -0,0 +1,21 @@ +{...}: { + services.gitlab = { + enable = true; + https = true; + host = "git.cything.io"; + user = "git"; # so that you can ssh with git@git.cything.io + group = "git"; + port = 443; # this *not* the port gitlab will run on + puma.workers = 0; # https://docs.gitlab.com/omnibus/settings/memory_constrained_envs.html#optimize-puma + sidekiq.concurrency = 10; + databaseUsername = "git"; # needs to be same as user + initialRootEmail = "hi@cything.io"; + initialRootPasswordFile = "/run/secrets/gitlab/root"; + secrets = { + secretFile = "/run/secrets/gitlab/secret"; + otpFile = "/run/secrets/gitlab/otp"; + jwsFile = "/run/secrets/gitlab/jws"; + dbFile = "/run/secrets/gitlab/db"; + }; + }; +} diff --git a/hosts/chunk/hedgedoc.nix b/hosts/chunk/hedgedoc.nix new file mode 100644 index 0000000..6aed82b --- /dev/null +++ b/hosts/chunk/hedgedoc.nix @@ -0,0 +1,18 @@ +{...}: { + services.hedgedoc = { + enable = true; + environmentFile = "/run/secrets/hedgedoc"; + settings = { + db = { + username = "hedgedoc"; + database = "hedgedoc"; + host = "/run/postgresql"; + dialect = "postgresql"; + }; + port = 8085; + domain = "pad.cything.io"; + allowEmailRegister = false; + protocolUseSSL = true; + }; + }; +} diff --git a/hosts/chunk/miniflux.nix b/hosts/chunk/miniflux.nix new file mode 100644 index 0000000..fff4967 --- /dev/null 
+++ b/hosts/chunk/miniflux.nix @@ -0,0 +1,11 @@ +{...}: { + services.miniflux = { + enable = true; + adminCredentialsFile = "/run/secrets/miniflux"; + config = { + PORT = 8080; + BASE_URL = "https://rss.cything.io"; + FORCE_REFRESH_INTERVAL = 0; # don't rate limit me + }; + }; +} diff --git a/hosts/chunk/ntfy.nix b/hosts/chunk/ntfy.nix new file mode 100644 index 0000000..0d26d6b --- /dev/null +++ b/hosts/chunk/ntfy.nix @@ -0,0 +1,12 @@ +{...}: { + services.ntfy-sh = { + enable = true; + settings = { + listen-http = "127.0.0.1:8083"; + base-url = "https://ntfy.cything.io"; + upstream-base-url = "https://ntfy.sh"; + auth-default-access = "deny-all"; + behind-proxy = true; + }; + }; +} diff --git a/hosts/chunk/postgres.nix b/hosts/chunk/postgres.nix new file mode 100644 index 0000000..e600243 --- /dev/null +++ b/hosts/chunk/postgres.nix @@ -0,0 +1,22 @@ +{ + pkgs, + lib, + ... +}: { + services.postgresql = { + enable = true; + settings.port = 5432; + package = pkgs.postgresql_17; + enableTCPIP = true; + ensureDatabases = [ + "hedgedoc" + ]; + authentication = lib.mkForce '' + local all all trust + host all all 127.0.0.1/32 trust + host all all ::1/128 trust + host all all 172.18.0.0/16 trust + ''; + }; + services.postgresqlBackup.enable = true; +} diff --git a/hosts/chunk/rclone.nix b/hosts/chunk/rclone.nix new file mode 100644 index 0000000..0e4e84d --- /dev/null +++ b/hosts/chunk/rclone.nix 
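Review bot: The `authentication` block in postgres.nix grants `trust` to every role from the Unix socket, from loopback and from `172.18.0.0/16`, so with `enableTCPIP = true` any local process — and any container on the Docker-managed network that range belongs to, given `virtualisation.docker.enable = true` in default.nix — can connect as the database superuser without a password. The file was moved verbatim, but now that it stands alone it is the place to tighten it: `local all all peer` for socket clients (hedgedoc connects via `/run/postgresql`), `host all all 127.0.0.1/32 scram-sha-256` and the same for `::1/128` and the docker range, with `ensureUsers`/`ensureDatabases` creating one role per service. A comment above the `lib.mkForce` naming the client that needs the 172.18.0.0/16 line would also help, since nothing in this change references that range.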
@@ -0,0 +1,31 @@ +{pkgs, ...}: { + systemd.services.immich-mount = { + enable = true; + description = "Mount the immich data remote"; + after = ["network-online.target"]; + requires = ["network-online.target"]; + wantedBy = ["default.target"]; + serviceConfig = { + Type = "notify"; + ExecStartPre = "/usr/bin/env mkdir -p /mnt/photos"; + ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --transfers=32 --dir-cache-time 720h --poll-interval 0 --vfs-cache-mode writes photos: /mnt/photos "; + ExecStop = "/bin/fusermount -u /mnt/photos"; + EnvironmentFile = "/run/secrets/rclone"; + }; + }; + + systemd.services.nextcloud-mount = { + enable = true; + description = "Mount the nextcloud data remote"; + after = ["network-online.target"]; + requires = ["network-online.target"]; + wantedBy = ["default.target"]; + serviceConfig = { + Type = "notify"; + ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --uid 33 --gid 0 --allow-other --file-perms 0770 --dir-perms 0770 --transfers=32 rsyncnet:nextcloud /mnt/nextcloud"; + ExecStop = "/bin/fusermount -u /mnt/nextcloud"; + EnvironmentFile = "/run/secrets/rclone"; + }; + }; + programs.fuse.userAllowOther = true; +} diff --git a/hosts/chunk/redlib.nix b/hosts/chunk/redlib.nix new file mode 100644 index 0000000..74821ed --- /dev/null +++ b/hosts/chunk/redlib.nix @@ -0,0 +1,12 @@ +{...}: { + services.redlib = { + enable = true; + port = 8087; + address = "127.0.0.1"; + settings = { + # settings are just env vars + REDLIB_ENABLE_RSS = "on"; + REDLIB_ROBOTS_DISABLE_INDEXING = "on"; + }; + }; +} diff --git a/hosts/chunk/vaultwarden.nix b/hosts/chunk/vaultwarden.nix new file mode 100644 index 0000000..581ca88 --- /dev/null +++ b/hosts/chunk/vaultwarden.nix 
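Review bot: `ExecStop = "/bin/fusermount -u /mnt/photos"` (and the same line for `/mnt/nextcloud`) uses an absolute path that NixOS does not normally provide; the setuid wrapper lives at `/run/wrappers/bin/fusermount`, so the unmount step is likely to fail and leave a stale mount on stop — confirm on the host, since the file was moved unchanged and may have been working by other means. Use `/run/wrappers/bin/fusermount -u ...` or `${pkgs.fuse}/bin/fusermount -u ...` in both units. The two units are also inconsistent: immich-mount has `ExecStartPre = "/usr/bin/env mkdir -p /mnt/photos"` while nextcloud-mount has no equivalent for `/mnt/nextcloud`. Both run as root but read `--config /home/yt/.config/rclone/rclone.conf`, so the remote credentials live in a user's home rather than under `/run/secrets` with the rest of the host's secrets; a comment stating that this is deliberate, or moving the config, would clear that up.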
@@ -0,0 +1,13 @@ +{...}: { + services.vaultwarden = { + enable = true; + dbBackend = "postgresql"; + environmentFile = "/run/secrets/vaultwarden"; + config = { + ROCKET_ADDRESS = "127.0.0.1"; + ROCKET_PORT = "8081"; + DATA_FOLDER = "/vw-data"; + DATABASE_URL = "postgresql://vaultwarden:vaultwarden@127.0.0.1:5432/vaultwarden"; + }; + }; +} diff --git a/hosts/chunk/wireguard.nix b/hosts/chunk/wireguard.nix new file mode 100644 index 0000000..cfb8f7c --- /dev/null +++ b/hosts/chunk/wireguard.nix 
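Review bot: `DATABASE_URL = "postgresql://vaultwarden:vaultwarden@127.0.0.1:5432/vaultwarden"` embeds the database password in the repository while the file already has `environmentFile = "/run/secrets/vaultwarden"`, where the same variable could be set. Today the literal is moot because postgres.nix configures `trust` for 127.0.0.1, but as soon as that is tightened to password authentication it becomes the real credential. The NixOS module exports `config` as environment variables and loads `environmentFile` alongside them, so `DATABASE_URL` can move into the secret file with a comment in `config` noting where it now comes from. The `vaultwarden` database is also absent from postgres.nix's `ensureDatabases`, so a note on how that database and role are provisioned would help the next reader.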
@@ -0,0 +1,42 @@ +{pkgs, ...}: { + networking.nat = { + enable = true; + enableIPv6 = true; + externalInterface = "ens18"; + internalInterfaces = ["wg0"]; + }; + + networking.wg-quick.interfaces.wg0 = { + address = ["10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64"]; + listenPort = 51820; + privateKeyFile = "/run/secrets/wireguard/private"; + postUp = '' + ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/iptables -A FORWARD -o wg0 -j ACCEPT + ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE + ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/ip6tables -A FORWARD -o wg0 -j ACCEPT + ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -o ens18 -j MASQUERADE + ''; + preDown = '' + ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/iptables -D FORWARD -o wg0 -j ACCEPT + ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE + ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT + ${pkgs.iptables}/bin/ip6tables -D FORWARD -o wg0 -j ACCEPT + ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -o ens18 -j MASQUERADE + ''; + peers = [ + { + publicKey = "qUhWoTPVC7jJdDEJLYY92OeiwPkaf8I5pv5kkMcSW3g="; + allowedIPs = ["10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128"]; + presharedKeyFile = "/run/secrets/wireguard/psk"; + } + { + publicKey = "JIGi60wzLw717Cim1dSFoLCdJz5rePa5AIFfuisJI0k="; + allowedIPs = ["10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128"]; + presharedKeyFile = "/run/secrets/wireguard/pskphone"; + } + ]; + }; +}
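Review bot: The `postUp`/`preDown` iptables rules overlap with what `networking.nat` already installs for `internalInterfaces = ["wg0"]` and `externalInterface = "ens18"` — the MASQUERADE rule on ens18 is certainly duplicated (for IPv6 too with `enableIPv6 = true`), and whether the FORWARD lines are needed depends on the firewall's forward policy, which is not visible here. Keep one mechanism: either drop the hooks and rely on the NAT module, or drop `networking.nat` and add a comment saying why hand-written rules are required; as written the same rule may exist twice and a `-D` in preDown that finds nothing to delete may make wg-quick report the teardown as failed. Nothing in this file or in the visible part of default.nix opens UDP `51820` in the firewall — if that lives in the cut-off `networking.firewall` block, a comment next to `listenPort` pointing to it would help, otherwise `networking.firewall.allowedUDPPorts = [51820];` belongs here.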