xyno/nix-configs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

initial(ish) commit

Browse source
This commit is contained in:
Philipp Hochkamp 2022-03-01 23:53:11 +01:00
commit b744693f0e
No known key found for this signature in database
GPG key ID: 3676AB4CB36E5641
88 changed files with 4925 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

213
hosts/ds9/default.nix Normal file
View file

@ -0,0 +1,213 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, inputs, pkgs, lib, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
];
# Don't Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
services.syncthing.enable = true;
services.syncthing.user = "ragon";
security.sudo.wheelNeedsPassword = false;
networking.useDHCP = true;
networking.bridges."br0".interfaces = [ ];
networking.hostId = "7b4c2932";
boot.binfmt.emulatedSystems = [ "aarch64-linux" "armv7l-linux" ];
boot.initrd.network = {
enable = true;
postCommands = ''
zpool import rpool
echo "zfs load-key -a; killall zfs" >> /root/.profile
'';
ssh = {
enable = true;
port = 2222;
hostKeys = [
"/persistent/etc/nixos/secrets/initrd/ssh_host_rsa_key"
"/persistent/etc/nixos/secrets/initrd/ssh_host_ed25519_key"
];
authorizedKeys = pkgs.pubkeys.ragon.computers;
};
};
# services.restic.backups."ds9" = {
# rcloneConfigFile = "/run/secrets/ds9rcloneConfig";
# passwordFile = "/run/secrets/ds9resticPassword";
# pruneOpts = [
# "--keep-daily 7"
# "--keep-weekly 5"
# "--keep-monthly 12"
# "--keep-yearly 75"
# ];
# initialize = true;
# repository = "rclone:ds9:/ds9";
# paths = [
# "/data"
# "/persistent/var/lib"
# ];
# };
ragon.agenix.secrets."ds9rcloneConfig" = { };
ragon.agenix.secrets."ds9resticPassword" = { };
# Enable Scanning
hardware.sane.enable = true;
hardware.sane.extraBackends = [ pkgs.sane-airscan ];
services.avahi.enable = true;
services.avahi.nssmdns = true;
services.avahi.publish.enable = true;
services.avahi.extraServiceFiles.smb = ''
<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">%h</name>
<service>
<type>_smb._tcp</type>
<port>445</port>
<host-name>ds9.hailsatan.eu</host-name>
</service>
<service>
<type>_device-info._tcp</type>
<port>0</port>
<txt-record>model=MacPro7,1@ECOLOR=226,226,224</txt-record>
</service>
<service>
<type>_adisk._tcp</type>
<txt-record>sys=waMa=0,adVF=0x100</txt-record>
<txt-record>dk0=adVN=TimeMachine,adVF=0x82</txt-record>
<host-name>ds9.hailsatan.eu</host-name>
</service>
</service-group>
'';
# Webhook service to trigger scanning the ADF from HomeAssistant
systemd.services.scanhook = {
description = "webhook go server to trigger scanning";
documentation = [ "https://github.com/adnanh/webhook" ];
wantedBy = [ "multi-user.target" ];
path = with pkgs; [ bash ];
serviceConfig = {
TemporaryFileSystem = "/:ro";
BindReadOnlyPaths = [
"/nix/store"
"-/etc/resolv.conf"
"-/etc/nsswitch.conf"
"-/etc/hosts"
"-/etc/localtime"
];
BindPaths = [
"/data/applications/paperless-consumption"
];
LockPersonality = true;
NoNewPrivileges = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectHome = true;
ProtectControlGroups = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
DynamicUser = true;
ExecStart =
let
scanScript = pkgs.writeScript "plscan.sh" ''
#!/usr/bin/env bash
export PATH=${lib.makeBinPath [ pkgs.strace pkgs.gnugrep pkgs.coreutils pkgs.sane-backends pkgs.sane-airscan pkgs.imagemagick ]}
export LD_LIBRARY_PATH=${config.environment.sessionVariables.LD_LIBRARY_PATH} # Adds SANE Libraries to the ld library path of this script
set -x
date="''$(date --iso-8601=seconds)"
filename="Scan ''$date.pdf"
tmpdir="''$(mktemp -d)"
pushd "''$tmpdir"
scanimage --batch=out%d.jpg --format=jpeg --mode Gray -d "airscan:e0:Canon MB5100 series" --source "ADF Duplex" --resolution 300
for i in $(ls out*.jpg | grep 'out.*[24680]\.jpg'); do convert $i -rotate 180 $i; done # rotate even stuff
convert out*.jpg /data/applications/paperless-consumption/"''$filename"
chmod 666 /data/applications/paperless-consumption/"''$filename"
popd
rm -r "''$tmpdir"
'';
hooksFile = pkgs.writeText "webhook.json" (builtins.toJSON [
{
id = "scan-webhook";
execute-command = "${scanScript}";
}
]);
in
"${pkgs.webhook}/bin/webhook -hooks ${hooksFile} -verbose";
};
};
networking.firewall.allowedTCPPorts = [ 9000 ];
# Immutable users due to tmpfs
users.mutableUsers = false;
services.samba.extraConfig = ''
min protocol = SMB3
vfs objects = acl_xattr catia fruit streams_xattr
fruit:nfs_aces = no
inherit permissions = yes
fruit:posix_rename = yes
fruit:model = MacPro7,1@ECOLOR=226,226,224
fruit:veto_appledouble = no
fruit:wipe_intentionally_left_blank_rfork = yes
fruit:delete_empty_adfiles = yes
fruit:metadata = stream
'';
ragon = {
cli.enable = true;
user.enable = true;
home-manager.enable = true;
persist.enable = true;
persist.extraDirectories = [ "/var/lib/syncthing" ];
services = {
samba.enable = true;
samba.shares = {
TimeMachine = {
path = "/backups/DaedalusTimeMachine";
comment = "DaedalusTimeMachine";
"write list" = "@wheel";
"fruit:time machine" = "yes";
"fruit:time machine max size" = "2050G";
"vfs objects" = "acl_xattr fruit streams_xattr";
"inherit acls" = "yes";
};
data = {
path = "/data";
comment = "some data for the people";
"write list" = "@wheel";
};
};
docker.enable = true;
ssh.enable = true;
nginx.enable = true;
jellyfin.enable = true;
tailscale.enable = true;
grafana.enable = true;
libvirt.enable = true;
paperless.enable = true;
unifi.enable = true;
};
};
}

52
hosts/ds9/hardware-configuration.nix Normal file
View file

@ -0,0 +1,52 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ "${modulesPath}/installer/scan/not-detected.nix" ];
boot.initrd.availableKernelModules = [ "r8169" "ahci" "vfio-pci" "xhci_pci" "ehci_pci" "nvme" "usbhid" "sd_mod" "sr_mod" ];
boot.kernelModules = [ "kvm-amd" ];
nix.maxJobs = lib.mkDefault 12;
powerManagement.cpuFreqGovernor = "performance";
services.zfs.autoScrub.enable = true;
ragon.system.fs = {
enable = true;
mediadata = false;
swap = false;
persistentSnapshot = false;
nix = "rpool/content/local/nix";
varlog = "rpool/content/local/journal";
persistent = "rpool/content/safe/persist";
arcSize = 8;
};
services.syncoid.enable = false; # TODO setup offsite backups
services.sanoid.datasets."rpool/content/safe".recursive = true;
services.sanoid.datasets."rpool/content/local/backups" = { };
services.sanoid.enable = true;
swapDevices = [ { device = "/dev/disk/by-id/nvme-eui.000000000000000100a075202c247839-part1"; randomEncryption = true; } ];
fileSystems."/boot".device = "/dev/disk/by-uuid/149F-23AA";
fileSystems."/data" = {
device = "rpool/content/safe/data";
fsType = "zfs";
};
fileSystems."/data/media" = {
device = "rpool/content/safe/data/media";
fsType = "zfs";
};
fileSystems."/backups" = {
device = "rpool/content/local/backups";
fsType = "zfs";
};
fileSystems."/data/media/nzbr" = {
device = "10.0.1.2:/storage/media";
fsType = "nfs";
options = [ "x-systemd.automount" "noauto" ];
};
}