This commit is contained in:
Lucy Hochkamp 2025-06-02 16:52:06 +02:00
parent d7ce4d6800
commit a62aae0d45
No known key found for this signature in database
7 changed files with 200 additions and 63 deletions


@ -207,6 +207,7 @@ in
]; ];
}; };
networking.firewall.interfaces."podman0".allowedTCPPorts = [ 9090 ];
virtualisation.oci-containers.containers.grafana = { virtualisation.oci-containers.containers.grafana = {
image = "grafana/grafana-oss:latest"; image = "grafana/grafana-oss:latest";
extraOptions = [ extraOptions = [
@ -219,11 +220,11 @@ in
[users] [users]
allow_sign_up = false allow_sign_up = false
auto_assign_org = true auto_assign_org = true
auto_assign_org_role = Editor auto_assign_org_role = Viewer
[auth.proxy] [auth.proxy]
enabled = true enabled = true
headers = Name:X-Authentik-Username Email:X-Authentik-Email Groups:X-Authentik-Groups headers = Name:X-Authentik-Username Email:X-Authentik-Email Role:X-Grafana-Role
header_name = X-Authentik-Username header_name = X-Authentik-Username
header_property = username header_property = username
auto_sign_up = true auto_sign_up = true
@ -258,6 +259,8 @@ in
"--network=podman" "--network=podman"
"--mount" "--mount"
"type=bind,source=/data/media,destination=/media,ro=true,relabel=private" "type=bind,source=/data/media,destination=/media,ro=true,relabel=private"
"-p"
"127.0.0.1:8096:8096"
]; ];
volumes = [ volumes = [
"jellyfin-config:/config" "jellyfin-config:/config"
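Review bot: The Grafana `[auth.proxy]` block now also trusts a `Role:X-Grafana-Role` header (L24) while `auto_sign_up = true` stays on, but no `whitelist` entry is visible, so any peer that can reach the Grafana container directly on the podman network — not only requests that passed Caddy's forward_auth — can assert a username and role just by setting those headers. If the proxy's address is stable, `whitelist = <caddy-address-placeholder>` under `[auth.proxy]` limits header trust to it; if Grafana is genuinely reachable only through Caddy, a comment on the container stating that assumption would record why the whitelist is absent. I'm inferring the network reachability from `--network=podman` usage elsewhere in this commit, so verify it. The Grafana config string continues outside the hunk.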


@ -1,34 +1,40 @@
{ config, inputs, pkgs, lib, ... }: {
config,
inputs,
pkgs,
lib,
...
}:
let let
pubkeys = import ../../data/pubkeys.nix; pubkeys = import ../../data/pubkeys.nix;
caddy-with-plugins = import ./custom-caddy.nix { inherit pkgs; }; caddy-with-plugins = import ./custom-caddy.nix { inherit pkgs; };
in in
{ {
imports = imports = [
[ ./hardware-configuration.nix
./hardware-configuration.nix
./containers.nix ./containers.nix
./backup.nix ./backup.nix
# ./plex.nix # ./plex.nix
./samba.nix ./samba.nix
./paperless.nix ./paperless.nix
./maubot.nix
../../nixos-modules/networking/tailscale.nix ../../nixos-modules/networking/tailscale.nix
../../nixos-modules/services/docker.nix ../../nixos-modules/services/docker.nix
../../nixos-modules/services/libvirt.nix ../../nixos-modules/services/libvirt.nix
../../nixos-modules/services/msmtp.nix ../../nixos-modules/services/msmtp.nix
# ../../nixos-modules/services/paperless.nix # ../../nixos-modules/services/paperless.nix
# ../../nixos-modules/services/photoprism.nix # ../../nixos-modules/services/photoprism.nix
../../nixos-modules/services/samba.nix ../../nixos-modules/services/samba.nix
../../nixos-modules/services/ssh.nix ../../nixos-modules/services/ssh.nix
../../nixos-modules/services/caddy ../../nixos-modules/services/caddy
../../nixos-modules/system/agenix.nix ../../nixos-modules/system/agenix.nix
../../nixos-modules/system/fs.nix ../../nixos-modules/system/fs.nix
../../nixos-modules/system/persist.nix ../../nixos-modules/system/persist.nix
../../nixos-modules/system/security.nix ../../nixos-modules/system/security.nix
../../nixos-modules/user ../../nixos-modules/user
]; ];
# Don't Use the systemd-boot EFI boot loader. # Don't Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
@ -51,7 +57,12 @@ in
}; };
networking.bridges."br0".interfaces = [ ]; networking.bridges."br0".interfaces = [ ];
networking.hostId = "7b4c2932"; networking.hostId = "7b4c2932";
networking.firewall.allowedTCPPorts = [ 9000 25565 80 443 ]; networking.firewall.allowedTCPPorts = [
9000
25565
80
443
];
networking.firewall.allowedUDPPorts = [ 443 ]; # http3 :3 networking.firewall.allowedUDPPorts = [ 443 ]; # http3 :3
boot.initrd.network = { boot.initrd.network = {
enable = true; enable = true;
@ -80,7 +91,11 @@ in
users.users.nia = { users.users.nia = {
createHome = true; createHome = true;
isNormalUser = true; isNormalUser = true;
extraGroups = [ "docker" "podman" "wheel" ]; extraGroups = [
"docker"
"podman"
"wheel"
];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDq+jk1Bi8/x0lYDiVi/iVnp9nEleocoQ+xHmlpDt9Qs" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDq+jk1Bi8/x0lYDiVi/iVnp9nEleocoQ+xHmlpDt9Qs"
]; ];
@ -101,7 +116,11 @@ in
group = "minecraft"; group = "minecraft";
}; };
users.groups.minecraft = { }; users.groups.minecraft = { };
environment.systemPackages = [ pkgs.jdk17 pkgs.borgbackup pkgs.beets ]; environment.systemPackages = [
pkgs.jdk17
pkgs.borgbackup
pkgs.beets
];
services.smartd = { services.smartd = {
enable = true; enable = true;
@ -129,18 +148,17 @@ in
# dyndns # dyndns
systemd.services."dyndns-refresh" = { systemd.services."dyndns-refresh" = {
script = '' script = ''
set -eu set -eu
export PATH=$PATH:${pkgs.curl}/bin:${pkgs.jq}/bin:${pkgs.iproute2}/bin export PATH=$PATH:${pkgs.curl}/bin:${pkgs.jq}/bin:${pkgs.iproute2}/bin
${pkgs.bash}/bin/bash ${config.age.secrets.ds9DynDns.path} ${pkgs.bash}/bin/bash ${config.age.secrets.ds9DynDns.path}
''; '';
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
User = "root"; User = "root";
};
startAt = "*:0/10";
}; };
startAt = "*:0/10";
};
# services.tailscaleAuth.enable = true; # services.tailscaleAuth.enable = true;
# services.tailscaleAuth.group = config.services.caddy.group; # services.tailscaleAuth.group = config.services.caddy.group;
@ -181,7 +199,7 @@ in
resolvers 10.88.0.1 # podman dns resolvers 10.88.0.1 # podman dns
} }
uri /outpost.goauthentik.io/auth/caddy uri /outpost.goauthentik.io/auth/caddy
copy_headers X-Authentik-Username X-Copyparty-Group X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version copy_headers X-Authentik-Username X-Copyparty-Group X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version X-Grafana-Role
} }
reverse_proxy {args[:]} { reverse_proxy {args[:]} {
transport http { transport http {
@ -195,6 +213,12 @@ in
acme_dns desec { acme_dns desec {
token "{$TOKEN}" token "{$TOKEN}"
} }
metrics {
per_host
}
servers {
trusted_proxies static 100.96.45.2/32 fd7a:115c:a1e0:ab12:4843:cd96:6260:2d02/128
}
''; '';
virtualHosts."*.hailsatan.eu ".logFormat = '' virtualHosts."*.hailsatan.eu ".logFormat = ''
output file ${config.services.caddy.logDir}/access-*hailsatan.eu_internet.log output file ${config.services.caddy.logDir}/access-*hailsatan.eu_internet.log
@ -203,8 +227,15 @@ in
import blockBots import blockBots
@jellyfin host j.hailsatan.eu @jellyfin host j.hailsatan.eu
handle @jellyfin { handle @jellyfin {
handle /metrics* {
abort
}
import podmanRedir http://jellyfin:8096 import podmanRedir http://jellyfin:8096
} }
@mautrix-signal host mautrix-signal.hailsatan.eu
handle @mautrix-signal {
import podmanRedir http://mautrix-signal:29328
}
@auth host auth.hailsatan.eu @auth host auth.hailsatan.eu
handle @auth { handle @auth {
import podmanRedir http://authentik-server:9000 import podmanRedir http://authentik-server:9000
@ -248,12 +279,18 @@ in
} }
@copyparty host c.hailsatan.eu @copyparty host c.hailsatan.eu
handle @copyparty { handle @copyparty {
@proxy {
header_regexp Cookie authentik_proxy_([a-zA-Z0-9])
}
handle @proxy {
import podmanRedirWithAuth http://copyparty:3923
}
handle /shr/* { handle /shr/* {
import podmanRedir http://copyparty:3923 import podmanRedir http://copyparty:3923
} }
@noauth { @noauth {
method GET OPTIONS HEAD method GET OPTIONS HEAD
path /noauth/* path_regexp ^\/(noauth(\/.*|)|[a-z.]+\.(css|js)|[1-9].png)$
} }
handle @noauth { handle @noauth {
import podmanRedir http://copyparty:3923 import podmanRedir http://copyparty:3923
@ -268,22 +305,73 @@ in
''; '';
}; };
home-manager.users.ragon = { pkgs, lib, inputs, config, ... }: { services.prometheus = {
imports = [ enable = true;
# ../../hm-modules/nvim exporters.node = {
../../hm-modules/helix enable = true;
# ../../hm-modules/zsh enabledCollectors = [ "systemd" ];
../../hm-modules/tmux };
# ../../hm-modules/xonsh scrapeConfigs = [
../../hm-modules/cli.nix
../../hm-modules/files.nix
];
# ragon.xonsh.enable = true;
programs.home-manager.enable = true; {
home.stateVersion = "23.11"; job_name = "jellyfin";
static_configs = [
{
targets = [
"127.0.0.1:8096"
];
}
];
}
{
job_name = "caddy";
static_configs = [
{
targets = [
"localhost:2019"
"picard.kangaroo-galaxy.ts.net:2019"
];
}
];
}
{
job_name = "node";
static_configs = [
{
targets = [
"localhost:${toString config.services.prometheus.exporters.node.port}"
"picard.kangaroo-galaxy.ts.net:${toString config.services.prometheus.exporters.node.port}"
];
}
];
}
];
}; };
home-manager.users.ragon =
{
pkgs,
lib,
inputs,
config,
...
}:
{
imports = [
# ../../hm-modules/nvim
../../hm-modules/helix
# ../../hm-modules/zsh
../../hm-modules/tmux
# ../../hm-modules/xonsh
../../hm-modules/cli.nix
../../hm-modules/files.nix
];
# ragon.xonsh.enable = true;
programs.home-manager.enable = true;
home.stateVersion = "23.11";
};
# begin kube # begin kube
# services.k3s = { # services.k3s = {
# enable = true; # enable = true;
@ -297,7 +385,16 @@ in
agenix.secrets."ds9DynDns" = { }; agenix.secrets."ds9DynDns" = { };
user.enable = true; user.enable = true;
persist.enable = true; persist.enable = true;
persist.extraDirectories = [ "/home/nia" "/var/lib/syncthing" "/var/lib/minecraft" "/var/lib/bzzt" "/var/lib/rancher" "/etc/rancher" "/root/.cache" ]; persist.extraDirectories = [
"/home/nia"
"/var/lib/syncthing"
"/var/lib/minecraft"
"/var/lib/bzzt"
"/var/lib/rancher"
"/etc/rancher"
"/root/.cache"
"/var/lib/${config.services.prometheus.stateDir}"
];
services = { services = {
caddy.enable = true; caddy.enable = true;
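Review bot: The new `@mautrix-signal` vhost (L163-L166) publishes the bridge's port 29328 through the plain `podmanRedir` snippet with no caller restriction, although the only legitimate client of an appservice listener is the homeserver. Since picard already forwards `*.hailsatan.eu` to ds9 over the tailnet and its address is in `trusted_proxies` (L149), adding `client_ip <homeserver-or-proxy-address>` next to `host` in the `@mautrix-signal` matcher would keep the endpoint reachable for the bridge's peers only; I'm inferring the homeserver's route from the picard hunk, so verify which source address actually arrives here. Separately, in the copyparty block (L174-L182) whether `handle @proxy` or `handle /shr/*` wins for a cookie-bearing request to `/shr/…` depends on Caddy's sorting of handle blocks, which is worth a one-line comment stating the intended precedence. The enclosing `virtualHosts` extraConfig string starts and ends outside the hunk.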

25
hosts/ds9/maubot.nix Normal file

@ -0,0 +1,25 @@
{
config,
pkgs,
lib,
...
}:
{
virtualisation.quadlet = {
containers = {
mautrix-signal = {
containerConfig.image = "dock.mau.dev/mautrix/signal:latest";
containerConfig.volumes = [
"mautrix-signal:/data"
];
# containerConfig.publishPorts = [
# "100.83.96.25:29328:29328"
# ];
containerConfig.networks = [
"podman"
"db-net"
];
};
};
};
}
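Review bot: `containerConfig.image = "dock.mau.dev/mautrix/signal:latest"` (L294) floats the bridge — whose `mautrix-signal` volume holds the linked Signal session and its Matrix tokens — on a mutable tag, so every pull can silently change the code handling that data, and none of the pinning the rest of this repo gets from nixpkgs applies here. Pinning to a release tag, or better a digest (`dock.mau.dev/mautrix/signal:<version>@sha256:<digest-placeholder>`), makes updates deliberate and reviewable. The file is named maubot.nix but defines only the mautrix-signal container; a one-line header comment (or a rename) would save the next reader a detour. A comment next to the commented-out `publishPorts` (L298-L300) saying the port is presumably reached via the Caddy vhost instead would also record why it is disabled.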


@ -68,6 +68,7 @@
systemd.services.caddy.serviceConfig.EnvironmentFile = config.age.secrets.desec.path; systemd.services.caddy.serviceConfig.EnvironmentFile = config.age.secrets.desec.path;
networking.firewall.allowedTCPPorts = [ 80 443 config.services.forgejo.settings.server.SSH_PORT 25 143 465 587 993 ]; networking.firewall.allowedTCPPorts = [ 80 443 config.services.forgejo.settings.server.SSH_PORT 25 143 465 587 993 ];
networking.firewall.allowedUDPPorts = [ 443 ]; networking.firewall.allowedUDPPorts = [ 443 ];
services.prometheus.exporters.node = { enable = true; enabledCollectors = [ "systemd" ]; };
services.caddy = { services.caddy = {
logFormat = "level INFO"; logFormat = "level INFO";
enable = true; enable = true;
@ -76,9 +77,17 @@
acme_dns desec { acme_dns desec {
token "{$TOKEN}" token "{$TOKEN}"
} }
admin :2019
metrics {
per_host
}
''; '';
virtualHosts."*.hailsatan.eu".extraConfig = '' virtualHosts."*.hailsatan.eu".extraConfig = ''
reverse_proxy https://j.hailsatan.eu reverse_proxy https://ds9.kangaroo-galaxy.ts.net {
transport http {
tls_server_name {host}
}
}
''; '';
virtualHosts."l621.net".extraConfig = '' virtualHosts."l621.net".extraConfig = ''
reverse_proxy http://127.0.0.1:8186 reverse_proxy http://127.0.0.1:8186
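Review bot: `admin :2019` (L324) binds Caddy's admin API — which accepts unauthenticated configuration changes, not just `/metrics` — on every interface of picard, and the firewall list on L314 only keeps it off the public ones; anything that can reach the host on the tailnet or a local bridge could reconfigure the proxy. Since the scraper is on the tailnet (ds9 targets `picard.kangaroo-galaxy.ts.net:2019`), bind it there explicitly, e.g. `admin <picard-tailscale-ip>:2019` with `origins`/`enforce_origin` set in the same block, or keep the admin endpoint on localhost and serve metrics from a dedicated `metrics` handler on a tailscale-bound site. The same consideration applies to the node exporter added on L316, which the hunk leaves on its default listen address. Whether tailscale0 is a trusted interface on picard isn't visible here; I'm inferring reachability from the scrape targets, and the global options block continues outside the hunk.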


@ -77,6 +77,9 @@ in
settings.database.args.database = "matrix-synapse-xynospace"; settings.database.args.database = "matrix-synapse-xynospace";
settings.database.args.host = hostAddress; settings.database.args.host = hostAddress;
settings.database.args.password = "synapse"; settings.database.args.password = "synapse";
settings.app_service_config_files = [
"/var/lib/signalbot.yaml"
];
settings.listeners = [ settings.listeners = [
{ {
port = 8008; port = 8008;
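Review bot: `settings.app_service_config_files = [ "/var/lib/signalbot.yaml" ]` (L345-L347) points Synapse at a registration file that carries the bridge's `as_token`/`hs_token`, yet nothing in this commit creates, deploys or permission-manages that file, unlike the other secrets in the repo that go through agenix (e.g. L263). If it is copied onto the host by hand, a comment such as `# placed out of band; must be owned by the synapse user, mode 0400` would at least document the gap, and managing it as an agenix secret would close it. The container's `config` block starts and ends outside the hunk.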


@ -1,4 +1,4 @@
{ pkgs, ... }: { pkgs, lib, ... }:
with pkgs; with pkgs;
@ -13,12 +13,12 @@ caddy.override {
nativeBuildInputs = [ nativeBuildInputs = [
cacert cacert
git
go go
]; ];
plugins = [ plugins = [
"github.com/caddy-dns/ionos@751e8e24162290ee74bea465ae733a2bf49551a6" "github.com/caddy-dns/desec@v1.0.1"
"github.com/caddy-dns/desec@822a6a2014b221e8fa589fbcfd0395abe9ee90f6"
]; ];
configurePhase = '' configurePhase = ''
@ -28,7 +28,7 @@ caddy.override {
''; '';
buildPhase = '' buildPhase = ''
${xcaddy}/bin/xcaddy build "${caddy.src.rev}" ${lib.concatMapStringsSep " " (plugin: "--with ${plugin}") plugins} ${xcaddy}/bin/xcaddy build "${lib.last (lib.splitString "/" caddy.src.rev)}" ${lib.concatMapStringsSep " " (plugin: "--with ${plugin}") plugins}
cd buildenv* cd buildenv*
go mod vendor go mod vendor
''; '';
@ -37,7 +37,7 @@ caddy.override {
cp -r --reflink=auto . $out cp -r --reflink=auto . $out
''; '';
outputHash = "sha256-Z2KQu4qayqaRudKfcxK4tLQ383//JZJ8q5vtX9/IX0I="; outputHash = "sha256-ZNimtuxtSz1mRZ9V0h/0jAyvwGb+OvfZSzHRaySTEWU=";
outputHashMode = "recursive"; outputHashMode = "recursive";
}; };
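Review bot: The desec plugin pin moved from a commit hash to the tag `@v1.0.1` (L364); a tag can be moved, so the `outputHash` on L378 is now the only thing fixing the exact source, which is acceptable because a moved tag fails the build instead of building different code, but that reasoning deserves a comment, e.g. `# tag is mutable; outputHash below pins the vendored result`. The `lib.last (lib.splitString "/" caddy.src.rev)` on L371 presumably strips a `refs/tags/`-style prefix from the nixpkgs rev; a short comment naming the input shape it expects would help, since a bare tag also passes through it unchanged. The derivation body continues outside the hunk.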


@ -7,7 +7,7 @@ in
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services.caddy = { services.caddy = {
enable = true; enable = true;
package = import ./custom-caddy.nix { inherit pkgs; }; package = import ./custom-caddy.nix { inherit lib; pkgs = pkgs.unstable; };
}; };
ragon.persist.extraDirectories = [ config.services.caddy.dataDir ]; ragon.persist.extraDirectories = [ config.services.caddy.dataDir ];
}; };
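Review bot: `pkgs = pkgs.unstable` (L388) makes the reverse proxy track the unstable channel, and `custom-caddy.nix` is a fixed-output derivation whose vendored result (and therefore its `outputHash`) depends on `caddy.src.rev`, so any caddy bump on unstable breaks this module's build until the hash is refreshed; a call-site comment like `# unstable caddy: refresh outputHash in custom-caddy.nix when caddy.src.rev changes` tells the next person what that failure means. Whether `pkgs.unstable` is an overlay attribute defined elsewhere isn't visible here.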