xyno/nix-configs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add 'old-conf/' from commit '62a64a79a8'

Browse source 
git-subtree-dir: old-conf
git-subtree-mainline: 4667974392
git-subtree-split: 62a64a79a8
This commit is contained in:
Lucy Hochkamp 2025-11-21 13:33:06 +01:00
commit 83de52d5db
195 changed files with 13408 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

400
old-conf/hosts/picard/default.nix Normal file
View file

@ -0,0 +1,400 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{
inputs,
config,
pkgs,
lib,
...
}:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
./xynospace-matrix.nix
./plausible.nix
./obsidianshare.nix
./mail.nix
./gotosocial.nix
./ntfy.nix
# ./ts-ovpn.nix
../../nixos-modules/system/persist.nix
../../nixos-modules/system/agenix.nix
../../nixos-modules/system/fs.nix
../../nixos-modules/system/security.nix
../../nixos-modules/services/ssh.nix
../../nixos-modules/services/msmtp.nix
../../nixos-modules/services/caddy
../../nixos-modules/services/bitwarden.nix
../../nixos-modules/networking/tailscale.nix
# ../../nixos-modules/services/authelia.nix
../../nixos-modules/services/hedgedoc.nix
../../nixos-modules/services/ts3.nix
../../nixos-modules/user
];
documentation.enable = false;
documentation.nixos.enable = false;
documentation.man.enable = false;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
boot.loader.systemd-boot.enable = false;
services.syncthing.enable = true;
services.syncthing.group = "users";
services.syncthing.user = "ragon";
networking.interfaces."ens3" = {
ipv6 = {
addresses = [
{
address = "2a03:4000:6:8120::1";
prefixLength = 64;
}
];
};
};
networking.defaultGateway6 = {
address = "fe80::1";
interface = "enp0s3";
};
networking.nameservers = [
"1.1.1.1"
"8.8.8.8"
];
# networking.interfaces.eno1.useDHCP = true;
networking.hostId = "7c21236a";
# Immutable users due to tmpfs
users.mutableUsers = false;
services.postgresql.package = pkgs.postgresql_17_jit;
services.postgresql.settings = {
shared_buffers = "4GB";
work_mem = "64MB";
};
systemd.services.caddy.serviceConfig.EnvironmentFile = config.age.secrets.desec.path;
networking.firewall.allowedTCPPorts = [
80
443
config.services.forgejo.settings.server.SSH_PORT
25
143
465
587
993
];
networking.firewall.allowedUDPPorts = [ 443 ];
services.prometheus.exporters.node = {
enable = true;
enabledCollectors = [ "systemd" ];
};
services.prometheus.exporters.postgres = {
enable = true;
runAsLocalSuperUser = true;
};
services.caddy = {
logFormat = "level INFO";
enable = true;
globalConfig = ''
email ssl@xyno.systems
acme_ca https://acme-v02.api.letsencrypt.org/directory # hard coded so zerossl doesn't get used
acme_dns desec {
token "{$TOKEN}"
}
admin :2019
metrics {
per_host
}
'';
virtualHosts."*.hailsatan.eu".extraConfig = ''
tls ssl@xyno.systems {
propagation_delay 1m
ca https://acme-v02.api.letsencrypt.org/directory # hard coded so zerossl doesn't get used
dns desec {
token "{$TOKEN}"
}
}
reverse_proxy https://ds9.kangaroo-galaxy.ts.net {
transport http {
tls_server_name {host}
}
}
'';
virtualHosts."l621.net".extraConfig = ''
reverse_proxy http://127.0.0.1:8186
'';
virtualHosts."xyno.space".extraConfig =
let
fqdn = "matrix.xyno.space";
wkServer = {
"m.server" = "${fqdn}:443";
};
wkClient = {
"m.homeserver" = {
"base_url" = "https://${fqdn}";
};
"m.identity_server" = {
"base_url" = "https://vector.im";
};
# "org.matrix.msc3575.proxy" = { "url" = "https://slidingsync.ragon.xyz"; };
};
in
''
encode zstd gzip
handle /.well-known/matrix/server {
header Content-Type application/json
respond `${builtins.toJSON wkServer}` 200
}
handle /.well-known/matrix/client {
header Content-Type application/json
header Access-Control-Allow-Origin "*"
respond `${builtins.toJSON wkClient}` 200
}
handle /gyakapyukawfyuokfgwtyutf.js {
rewrite * /js/plausible.outbound-links.js
reverse_proxy http://127.0.0.1:${toString config.services.plausible.server.port}
}
handle /api/event {
reverse_proxy http://127.0.0.1:${toString config.services.plausible.server.port}
}
redir /post/nix-darwin-introduction /posts/nix-darwin-introduction/ 301
redir /post/nixos-utm-rosetta /posts/nixos-utm-rosetta/ 301
redir /post/nix-store-nfs /posts/nix-store-nfs/ 301
redir /post/parcel-quicktemplate /posts/parcel-quicktemplate/ 301
redir /posts.rss /atom.xml 301
redir /posts.atom /atom.xml 301
root * /srv/www/xynospace
file_server
'';
virtualHosts."*.xyno.space".extraConfig = ''
@stats host stats.xyno.space
handle @stats {
reverse_proxy http://127.0.0.1:${toString config.services.plausible.server.port}
}
@matrix host matrix.xyno.space
handle @matrix {
handle /_matrix/* {
reverse_proxy http://192.168.100.11:8008
}
handle /notifications {
reverse_proxy http://192.168.100.11:8008
}
handle /_synapse/client/* {
reverse_proxy http://192.168.100.11:8008
}
handle /health {
reverse_proxy http://192.168.100.11:8008
}
}
handle {
abort
}
'';
virtualHosts."*.xyno.systems".extraConfig = ''
@lost host lost.xyno.systems
handle @lost {
handle /register {
header ?Set-Cookie lost-registered=true
respond registered 200
}
@lost-registered {
header Cookie *lost-registered=true*
}
handle @lost-registered {
redir https://snipe-it.hailsatan.eu/hardware{uri}
}
handle {
redir https://xyno.space/contact?utm-source=lost&utm-content={uri}
}
}
@md host md.xyno.systems
handle @md {
reverse_proxy http://[::1]:${toString config.services.hedgedoc.settings.port}
}
# @sso host sso.xyno.systems
# handle @sso {
# reverse_proxy http://127.0.0.1:9091
# }
@git host git.xyno.systems
handle @git {
reverse_proxy http://127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}
}
@notes host notes.xyno.systems
handle @notes {
reverse_proxy http://127.0.0.1:8086
}
@ntfy host ntfy.xyno.systems
handle @ntfy {
reverse_proxy http://127.0.0.1:15992
}
@bw host bw.xyno.systems
handle @bw {
reverse_proxy http://${config.services.vaultwarden.config.rocketAddress}:${toString config.services.vaultwarden.config.rocketPort}
}
handle {
abort
}
'';
virtualHosts."xyno.systems".extraConfig = ''
redir https://xyno.space{uri}
'';
virtualHosts."robotgirl.cloud".extraConfig = ''
handle / {
header Content-Type text/html
header Access-Control-Allow-Origin "*"
respond `<!DOCTYPE html><html><head><title>beep</title></head><body>
<h2>
beep :3
</h2>
<p>
all the robots are on <a href="https://catgirl.cloud">catgirl.cloud</a> mew :3
</p>
</body></head>` 200
}
'';
};
services.forgejo = {
enable = true;
lfs.enable = true;
settings = {
global.APP_NAME = "xyno.systems git";
session.COOKIE_SECURE = true;
server.DOMAIN = "git.xyno.systems";
server.ROOT_URL = "https://git.xyno.systems/";
server.HTTP_PORT = 3031;
server.HTTP_HOST = "127.0.0.1";
service.DISABLE_REGISTRATION = false;
service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
service.SHOW_REGISTRATION_BUTTON = false;
openid = {
ENABLE_OPENID_SIGNIN = false;
ENABLE_OPENID_SIGNUP = true;
WHITELISTED_URIS = "auth.hailsatan.eu";
};
};
};
ragon.agenix.secrets."desec" = { };
ragon.agenix.secrets."picardResticPassword" = { };
ragon.agenix.secrets."picardResticSSHKey" = { };
ragon.agenix.secrets."picardResticHealthCheckUrl" = { };
ragon.agenix.secrets."picardSlidingSyncSecret" = { };
ragon.agenix.secrets."gatebridgeHostKeys" = { };
services.postgresql.ensureUsers = [
{
name = "root";
ensureClauses.superuser = true;
}
];
services.borgmatic = {
enable = true;
configurations."picard-ds9" = {
source_directories = [ "/persistent" ];
repositories = [
{
label = "ds9";
path = "ssh://picardbackup@ds9/backups/picard/borgmatic";
}
{
label = "gatebridge";
path = "ssh://root@gatebridge/media/backup/picard";
}
];
exclude_if_present = [ ".nobackup" ];
encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets.picardResticPassword.path}";
compression = "auto,zstd,10";
ssh_command = "ssh -o GlobalKnownHostsFile=${config.age.secrets.gatebridgeHostKeys.path} -i ${config.age.secrets.picardResticSSHKey.path}";
retention = {
keep_daily = 7;
keep_weekly = 4;
keep_monthly = 12;
keep_yearly = 10;
};
before_actions = [
"${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.picardResticHealthCheckUrl.path})/start"
];
after_actions = [
"${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.picardResticHealthCheckUrl.path})"
];
on_error = [
"${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.picardResticHealthCheckUrl.path})/fail"
];
postgresql_databases = [
{
name = "all";
pg_dump_command = "${pkgs.postgresql}/bin/pg_dumpall";
pg_restore_command = "${pkgs.postgresql}/bin/pg_restore";
}
];
};
};
nixpkgs.overlays = [
(self: super: {
zfs = super.zfs.override { enableMail = true; };
})
];
# services.xynoblog.enable = true;
# services.lolpizza2.enable = true;
programs.mosh.enable = true;
home-manager.users.ragon =
{
pkgs,
lib,
inputs,
config,
...
}:
{
imports = [
# ../../hm-modules/nvim
# ../../hm-modules/zsh
../../hm-modules/tmux
../../hm-modules/cli.nix
../../hm-modules/files.nix
];
programs.home-manager.enable = true;
home.stateVersion = "23.11";
};
ragon = {
user.enable = true;
persist.enable = true;
persist.extraDirectories = [
"/var/lib/nixos-containers"
"/srv/www"
config.services.caddy.dataDir
"/var/lib/syncthing"
# "/var/lib/${config.services.xynoblog.stateDirectory}"
"/var/lib/postgresql"
config.services.forgejo.stateDir
];
services = {
caddy.enable = true;
ssh.enable = true;
msmtp.enable = true;
bitwarden.enable = true;
tailscale.enable = true;
hedgedoc.enable = true;
# authelia.enable = true;
ts3.enable = true;
};
};
}