cy/nixos-config
cy/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

massive restructuring

Browse source
This commit is contained in:
cy 2024-12-15 02:44:50 -05:00
parent c1b64baea7
commit d4c962fee7
18 changed files with 242 additions and 219 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

0
home/yt/foot.nix → home/foot.nix
View file

0
home/yt/tmux.nix → home/tmux.nix
View file

4
home/yt/common.nix
View file

@ -1,7 +1,7 @@
{...}: { {...}: {
imports = [ imports = [
./tmux.nix ../tmux.nix
./zsh ../zsh
]; ];
home.sessionVariables = { home.sessionVariables = {

2
home/yt/ytnix.nix
View file

@ -8,7 +8,7 @@
}: { }: {
imports = [ imports = [
./common.nix ./common.nix
./foot.nix ../foot.nix
]; ];
home = { home = {
username = "yt"; username = "yt";

0
home/yt/zsh/default.nix → home/zsh/default.nix
View file

0
home/yt/zsh/p10k.zsh → home/zsh/p10k.zsh
View file

16
hosts/chunk/adguard.nix Normal file
View file

@ -0,0 +1,16 @@
{...}: {
services.adguardhome = {
enable = true;
host = "127.0.0.1";
port = 8082;
settings = {
http.port = "8083";
users = [
{
name = "cy";
password = "$2y$10$BZy2zYJj5z4e8LZCq/GwuuhWUafL/MNFO.YcsAMmpDS.2krPxi7KC";
}
];
};
};
}

27
hosts/chunk/borg.nix Normal file
View file

@ -0,0 +1,27 @@
{pkgs, ...}: {
services.borgbackup.jobs = {
crashRsync = {
paths = ["/root" "/home" "/var/backup" "/var/lib" "/var/log" "/opt" "/etc" "/vw-data"];
exclude = ["**/.cache" "**/node_modules" "**/cache" "**/Cache" "/var/lib/docker/overlay*"];
repo = "de3911@de3911.rsync.net:borg/crash";
encryption = {
mode = "repokey-blake2";
passCommand = "cat /run/secrets/borg/crash";
};
environment = {
BORG_RSH = "ssh -i /home/yt/.ssh/id_ed25519";
BORG_REMOTE_PATH = "borg1";
};
compression = "auto,zstd";
startAt = "daily";
extraCreateArgs = ["--stats"];
# warnings are often not that serious
failOnWarnings = false;
postHook = ''
${pkgs.curl}/bin/curl -u $(cat /run/secrets/ntfy) -d "chunk: backup completed with exit code: $exitStatus
$(journalctl -u borgbackup-job-crashRsync.service|tail -n 5)" \
https://ntfy.cything.io/chunk
'';
};
};
}

230
hosts/chunk/default.nix
View file

@ -10,6 +10,18 @@
./hardware-configuration.nix ./hardware-configuration.nix
"${inputs.testpkgs}/nixos/modules/services/web-servers/caddy" "${inputs.testpkgs}/nixos/modules/services/web-servers/caddy"
../common.nix ../common.nix
./gitlab.nix
./borg.nix
./rclone.nix
./postgres.nix
./wireguard.nix
./adguard.nix
./hedgedoc.nix
./miniflux.nix
./ntfy.nix
./redlib.nix
./vaultwarden.nix
./wireguard.nix
]; ];
sops.defaultSopsFile = ./secrets.yaml; sops.defaultSopsFile = ./secrets.yaml;
@ -52,6 +64,8 @@
system.stateVersion = "24.05"; system.stateVersion = "24.05";
# network stuff
networking.hostName = "chunk"; networking.hostName = "chunk";
networking.networkmanager.enable = true; networking.networkmanager.enable = true;
networking.firewall = { networking.firewall = {
@ -127,222 +141,6 @@
environmentFile = "/run/secrets/caddy"; environmentFile = "/run/secrets/caddy";
logFormat = lib.mkForce "level INFO"; logFormat = lib.mkForce "level INFO";
}; };
# systemd.services.caddy.serviceConfig = {
# EnvironmentFile = "/run/secrets/caddy";
# };
services.postgresql = {
enable = true;
settings.port = 5432;
package = pkgs.postgresql_17;
enableTCPIP = true;
ensureDatabases = [
"hedgedoc"
];
authentication = lib.mkForce ''
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
host all all 172.18.0.0/16 trust
'';
};
services.postgresqlBackup.enable = true;
virtualisation.docker.enable = true; virtualisation.docker.enable = true;
services.borgbackup.jobs = {
crashRsync = {
paths = ["/root" "/home" "/var/backup" "/var/lib" "/var/log" "/opt" "/etc" "/vw-data"];
exclude = ["**/.cache" "**/node_modules" "**/cache" "**/Cache" "/var/lib/docker/overlay*"];
repo = "de3911@de3911.rsync.net:borg/crash";
encryption = {
mode = "repokey-blake2";
passCommand = "cat /run/secrets/borg/crash";
};
environment = {
BORG_RSH = "ssh -i /home/yt/.ssh/id_ed25519";
BORG_REMOTE_PATH = "borg1";
};
compression = "auto,zstd";
startAt = "daily";
extraCreateArgs = ["--stats"];
# warnings are often not that serious
failOnWarnings = false;
postHook = ''
${pkgs.curl}/bin/curl -u $(cat /run/secrets/ntfy) -d "chunk: backup completed with exit code: $exitStatus
$(journalctl -u borgbackup-job-crashRsync.service|tail -n 5)" \
https://ntfy.cything.io/chunk
'';
};
};
services.vaultwarden = {
enable = true;
dbBackend = "postgresql";
environmentFile = "/run/secrets/vaultwarden";
config = {
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = "8081";
DATA_FOLDER = "/vw-data";
DATABASE_URL = "postgresql://vaultwarden:vaultwarden@127.0.0.1:5432/vaultwarden";
};
};
services.ntfy-sh = {
enable = true;
settings = {
listen-http = "127.0.0.1:8083";
base-url = "https://ntfy.cything.io";
upstream-base-url = "https://ntfy.sh";
auth-default-access = "deny-all";
behind-proxy = true;
};
};
systemd.services.immich-mount = {
enable = true;
description = "Mount the immich data remote";
after = ["network-online.target"];
requires = ["network-online.target"];
wantedBy = ["default.target"];
serviceConfig = {
Type = "notify";
ExecStartPre = "/usr/bin/env mkdir -p /mnt/photos";
ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --transfers=32 --dir-cache-time 720h --poll-interval 0 --vfs-cache-mode writes photos: /mnt/photos ";
ExecStop = "/bin/fusermount -u /mnt/photos";
EnvironmentFile = "/run/secrets/rclone";
};
};
systemd.services.nextcloud-mount = {
enable = true;
description = "Mount the nextcloud data remote";
after = ["network-online.target"];
requires = ["network-online.target"];
wantedBy = ["default.target"];
serviceConfig = {
Type = "notify";
ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --uid 33 --gid 0 --allow-other --file-perms 0770 --dir-perms 0770 --transfers=32 rsyncnet:nextcloud /mnt/nextcloud";
ExecStop = "/bin/fusermount -u /mnt/nextcloud";
EnvironmentFile = "/run/secrets/rclone";
};
};
programs.fuse.userAllowOther = true;
services.hedgedoc = {
enable = true;
environmentFile = "/run/secrets/hedgedoc";
settings = {
db = {
username = "hedgedoc";
database = "hedgedoc";
host = "/run/postgresql";
dialect = "postgresql";
};
port = 8085;
domain = "pad.cything.io";
allowEmailRegister = false;
protocolUseSSL = true;
};
};
services.redlib = {
enable = true;
port = 8087;
address = "127.0.0.1";
settings = {
# settings are just env vars
REDLIB_ENABLE_RSS = "on";
REDLIB_ROBOTS_DISABLE_INDEXING = "on";
};
};
# wireguard stuff
networking.nat = {
enable = true;
enableIPv6 = true;
externalInterface = "ens18";
internalInterfaces = ["wg0"];
};
networking.wg-quick.interfaces.wg0 = {
address = ["10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64"];
listenPort = 51820;
privateKeyFile = "/run/secrets/wireguard/private";
postUp = ''
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -A FORWARD -o wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE
${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -A FORWARD -o wg0 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -o ens18 -j MASQUERADE
'';
preDown = ''
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -D FORWARD -o wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE
${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -D FORWARD -o wg0 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -o ens18 -j MASQUERADE
'';
peers = [
{
publicKey = "qUhWoTPVC7jJdDEJLYY92OeiwPkaf8I5pv5kkMcSW3g=";
allowedIPs = ["10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128"];
presharedKeyFile = "/run/secrets/wireguard/psk";
}
{
publicKey = "JIGi60wzLw717Cim1dSFoLCdJz5rePa5AIFfuisJI0k=";
allowedIPs = ["10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128"];
presharedKeyFile = "/run/secrets/wireguard/pskphone";
}
];
};
# adguard
services.adguardhome = {
enable = true;
host = "127.0.0.1";
port = 8082;
settings = {
http.port = "8083";
users = [
{
name = "cy";
password = "$2y$10$BZy2zYJj5z4e8LZCq/GwuuhWUafL/MNFO.YcsAMmpDS.2krPxi7KC";
}
];
};
};
services.miniflux = {
enable = true;
adminCredentialsFile = "/run/secrets/miniflux";
config = {
PORT = 8080;
BASE_URL = "https://rss.cything.io";
FORCE_REFRESH_INTERVAL = 0;
};
};
services.gitlab = {
enable = true;
https = true;
host = "git.cything.io";
user = "git"; # so that you can ssh with git@git.cything.io
group = "git";
port = 443; # this *not* the port gitlab will run on
puma.workers = 0; # https://docs.gitlab.com/omnibus/settings/memory_constrained_envs.html#optimize-puma
sidekiq.concurrency = 10;
databaseUsername = "git"; # needs to be same as user
initialRootEmail = "hi@cything.io";
initialRootPasswordFile = "/run/secrets/gitlab/root";
secrets = {
secretFile = "/run/secrets/gitlab/secret";
otpFile = "/run/secrets/gitlab/otp";
jwsFile = "/run/secrets/gitlab/jws";
dbFile = "/run/secrets/gitlab/db";
};
};
} }

21
hosts/chunk/gitlab.nix Normal file
View file

@ -0,0 +1,21 @@
{...}: {
services.gitlab = {
enable = true;
https = true;
host = "git.cything.io";
user = "git"; # so that you can ssh with git@git.cything.io
group = "git";
port = 443; # this *not* the port gitlab will run on
puma.workers = 0; # https://docs.gitlab.com/omnibus/settings/memory_constrained_envs.html#optimize-puma
sidekiq.concurrency = 10;
databaseUsername = "git"; # needs to be same as user
initialRootEmail = "hi@cything.io";
initialRootPasswordFile = "/run/secrets/gitlab/root";
secrets = {
secretFile = "/run/secrets/gitlab/secret";
otpFile = "/run/secrets/gitlab/otp";
jwsFile = "/run/secrets/gitlab/jws";
dbFile = "/run/secrets/gitlab/db";
};
};
}

18
hosts/chunk/hedgedoc.nix Normal file
View file

@ -0,0 +1,18 @@
{...}: {
services.hedgedoc = {
enable = true;
environmentFile = "/run/secrets/hedgedoc";
settings = {
db = {
username = "hedgedoc";
database = "hedgedoc";
host = "/run/postgresql";
dialect = "postgresql";
};
port = 8085;
domain = "pad.cything.io";
allowEmailRegister = false;
protocolUseSSL = true;
};
};
}

11
hosts/chunk/miniflux.nix Normal file
View file

@ -0,0 +1,11 @@
{...}: {
services.miniflux = {
enable = true;
adminCredentialsFile = "/run/secrets/miniflux";
config = {
PORT = 8080;
BASE_URL = "https://rss.cything.io";
FORCE_REFRESH_INTERVAL = 0; # don't rate limit me
};
};
}

12
hosts/chunk/ntfy.nix Normal file
View file

@ -0,0 +1,12 @@
{...}: {
services.ntfy-sh = {
enable = true;
settings = {
listen-http = "127.0.0.1:8083";
base-url = "https://ntfy.cything.io";
upstream-base-url = "https://ntfy.sh";
auth-default-access = "deny-all";
behind-proxy = true;
};
};
}

22
hosts/chunk/postgres.nix Normal file
View file

@ -0,0 +1,22 @@
{
pkgs,
lib,
...
}: {
services.postgresql = {
enable = true;
settings.port = 5432;
package = pkgs.postgresql_17;
enableTCPIP = true;
ensureDatabases = [
"hedgedoc"
];
authentication = lib.mkForce ''
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
host all all 172.18.0.0/16 trust
'';
};
services.postgresqlBackup.enable = true;
}

31
hosts/chunk/rclone.nix Normal file
View file

@ -0,0 +1,31 @@
{pkgs, ...}: {
systemd.services.immich-mount = {
enable = true;
description = "Mount the immich data remote";
after = ["network-online.target"];
requires = ["network-online.target"];
wantedBy = ["default.target"];
serviceConfig = {
Type = "notify";
ExecStartPre = "/usr/bin/env mkdir -p /mnt/photos";
ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --transfers=32 --dir-cache-time 720h --poll-interval 0 --vfs-cache-mode writes photos: /mnt/photos ";
ExecStop = "/bin/fusermount -u /mnt/photos";
EnvironmentFile = "/run/secrets/rclone";
};
};
systemd.services.nextcloud-mount = {
enable = true;
description = "Mount the nextcloud data remote";
after = ["network-online.target"];
requires = ["network-online.target"];
wantedBy = ["default.target"];
serviceConfig = {
Type = "notify";
ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --uid 33 --gid 0 --allow-other --file-perms 0770 --dir-perms 0770 --transfers=32 rsyncnet:nextcloud /mnt/nextcloud";
ExecStop = "/bin/fusermount -u /mnt/nextcloud";
EnvironmentFile = "/run/secrets/rclone";
};
};
programs.fuse.userAllowOther = true;
}

12
hosts/chunk/redlib.nix Normal file
View file

@ -0,0 +1,12 @@
{...}: {
services.redlib = {
enable = true;
port = 8087;
address = "127.0.0.1";
settings = {
# settings are just env vars
REDLIB_ENABLE_RSS = "on";
REDLIB_ROBOTS_DISABLE_INDEXING = "on";
};
};
}

13
hosts/chunk/vaultwarden.nix Normal file
View file

@ -0,0 +1,13 @@
{...}: {
services.vaultwarden = {
enable = true;
dbBackend = "postgresql";
environmentFile = "/run/secrets/vaultwarden";
config = {
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = "8081";
DATA_FOLDER = "/vw-data";
DATABASE_URL = "postgresql://vaultwarden:vaultwarden@127.0.0.1:5432/vaultwarden";
};
};
}

42
hosts/chunk/wireguard.nix Normal file
View file

@ -0,0 +1,42 @@
{pkgs, ...}: {
networking.nat = {
enable = true;
enableIPv6 = true;
externalInterface = "ens18";
internalInterfaces = ["wg0"];
};
networking.wg-quick.interfaces.wg0 = {
address = ["10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64"];
listenPort = 51820;
privateKeyFile = "/run/secrets/wireguard/private";
postUp = ''
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -A FORWARD -o wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE
${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -A FORWARD -o wg0 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -o ens18 -j MASQUERADE
'';
preDown = ''
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -D FORWARD -o wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE
${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -D FORWARD -o wg0 -j ACCEPT
${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -o ens18 -j MASQUERADE
'';
peers = [
{
publicKey = "qUhWoTPVC7jJdDEJLYY92OeiwPkaf8I5pv5kkMcSW3g=";
allowedIPs = ["10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128"];
presharedKeyFile = "/run/secrets/wireguard/psk";
}
{
publicKey = "JIGi60wzLw717Cim1dSFoLCdJz5rePa5AIFfuisJI0k=";
allowedIPs = ["10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128"];
presharedKeyFile = "/run/secrets/wireguard/pskphone";
}
];
};
}