xyno/nix-configs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

initial(ish) commit

Browse source
This commit is contained in:
Philipp Hochkamp 2022-03-01 23:53:11 +01:00
commit b744693f0e
No known key found for this signature in database
GPG key ID: 3676AB4CB36E5641
88 changed files with 4925 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

62
nixos-modules/cli/default.nix Normal file
View file

@ -0,0 +1,62 @@
{ config, lib, pkgs, inputs, ... }:
with lib;
with lib.my;
let
cfg = config.ragon.cli;
ragon = config.ragon;
in
{
options.ragon.cli.enable = lib.mkEnableOption "Enables ragons CLI stuff";
options.ragon.cli.maximal = mkBoolOpt true;
config = lib.mkIf cfg.enable {
security.sudo.extraConfig = "Defaults lecture = never";
# root shell
users.extraUsers.root.shell = pkgs.zsh;
environment.shellAliases = {
v = "nvim";
vim = "nvim";
gpl = "git pull";
gp = "git push";
lg = "lazygit";
gc = "git commit -v";
kb = "git commit -m \"\$(curl -s http://whatthecommit.com/index.txt)\"";
gs = "git status -v";
gfc = "git fetch && git checkout";
gl = "git log --graph";
l = "exa -la --git";
la = "exa -la --git";
ls = "exa";
ll = "exa -l --git";
cat = "bat";
};
environment.variables = {
EDITOR = "nvim";
VISUAL = "nvim";
};
environment.systemPackages = with pkgs; [
nnn
bat
htop
exa
curl
fd
file
fzf
git
neofetch
tmux
ripgrep
pv
direnv # needed for lorri
unzip
tmux
aria2
yt-dlp
neovim
];
};
}

53
nixos-modules/cli/zsh/zsh.nix Normal file
View file

@ -0,0 +1,53 @@
{ inputs, config, lib, pkgs, ... }:
let
cfg = config.ragon.cli;
in
{
config = lib.mkIf cfg.enable {
ragon.user.persistent = {
extraDirectories = [
".config/zsh"
];
};
programs.zsh = {
enable = true;
histSize = 10000;
histFile = "$HOME/.config/zsh/history";
# autosuggestions.enable = true;
enableCompletion = true;
setOptions = [
"HIST_IGNORE_DUPS"
"SHARE_HISTORY"
"HIST_FCNTL_LOCK"
"AUTO_CD"
"AUTO_MENU"
];
# interactiveShellInit broke agkozak-zsh-prompt for some reaaaaaaaason
promptInit =
let
zshrc = builtins.readFile ./zshrc;
sources = [
"${inputs.agkozak-zsh-prompt}/agkozak-zsh-prompt.plugin.zsh"
"${pkgs.oh-my-zsh}/share/oh-my-zsh/plugins/git/git.plugin.zsh"
"${pkgs.oh-my-zsh}/share/oh-my-zsh/plugins/globalias/globalias.plugin.zsh"
"${inputs.zsh-vim-mode}/zsh-vim-mode.plugin.zsh"
"${inputs.zsh-syntax-highlighting}/zsh-syntax-highlighting.plugin.zsh"
"${inputs.zsh-completions}/zsh-completions.plugin.zsh"
];
source = map (x: "source " + x) sources;
plugins = builtins.concatStringsSep "\n" (source);
in
''
${zshrc}
${plugins}
'';
};
};
}

46
nixos-modules/cli/zsh/zshrc Normal file
View file

@ -0,0 +1,46 @@
AGKOZAK_MULTILINE=0
AGKOZAK_PROMPT_CHAR=( "%F{red}N%f")
autoload -Uz history-search-end
zle -N history-beginning-search-backward-end history-search-end
zle -N history-beginning-search-forward-end history-search-end
bindkey -M vicmd '^[[A' history-beginning-search-backward-end \
'^[OA' history-beginning-search-backward-end \
'^[[B' history-beginning-search-forward-end \
'^[OB' history-beginning-search-forward-end
bindkey -M viins '^[[A' history-beginning-search-backward-end \
'^[OA' history-beginning-search-backward-end \
'^[[B' history-beginning-search-forward-end \
'^[OB' history-beginning-search-forward-end
hash go 2>/dev/null && export PATH=$PATH:$(go env GOPATH)/bin
hash yarn 2>/dev/null && export PATH=$PATH:$HOME/.yarn/bin
hash direnv 2>/dev/null && eval "$(direnv hook zsh)" # needed for lorri
hash helm 2>/dev/null && . <(helm completion zsh)
hash kubectl 2>/dev/null && . <(kubectl completion zsh)
export NNN_ARCHIVE="\\.(7z|a|ace|alz|arc|arj|bz|bz2|cab|cpio|deb|gz|jar|lha|lz|lzh|lzma|lzo|rar|rpm|rz|t7z|tar|tbz|tbz2|tgz|tlz|txz|tZ|tzo|war|xpi|xz|Z|zip)$"
n ()
{
# Block nesting of nnn in subshells
if [ -n $NNNLVL ] && [ "${NNNLVL:-0}" -ge 1 ]; then
echo "nnn is already running"
return
fi
export NNN_TMPFILE="$HOME/.config/nnn/.lastd"
# Unmask ^Q (, ^V etc.) (if required, see `stty -a`) to Quit nnn
# stty start undef
# stty stop undef
# stty lwrap undef
# stty lnext undef
nnn -d "$@"
if [ -f "$NNN_TMPFILE" ]; then
. "$NNN_TMPFILE"
rm -f "$NNN_TMPFILE" > /dev/null
fi
}

24
nixos-modules/hardware/bluetooth.nix Normal file
View file

@ -0,0 +1,24 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.hardware.bluetooth;
in
{
options.ragon.hardware.bluetooth.enable = lib.mkEnableOption "Enables bluetooth stuff (tlp,...)";
config = lib.mkIf cfg.enable {
hardware.bluetooth.enable = true;
services.blueman.enable = true;
hardware.pulseaudio = {
extraModules = [ pkgs.pulseaudio-modules-bt ];
package = pkgs.pulseaudioFull;
};
ragon.gui.autostart = [
[ "${pkgs.blueberry}/bin/blueberry-tray" ]
];
environment.systemPackages = (if config.ragon.gui.enable then [ pkgs.blueberry ] else [ ]);
ragon.persist.extraDirectories = [
"/var/lib/bluetooth"
];
};
}

23
nixos-modules/hardware/laptop.nix Normal file
View file

@ -0,0 +1,23 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.hardware.laptop;
in
{
options.ragon.hardware.laptop.enable = lib.mkEnableOption "Enables laptop stuff (tlp,...)";
config = lib.mkIf cfg.enable {
services.tlp = {
enable = true;
settings = {
CPU_ENERGY_PERF_POLICY_ON_AC = "performance";
CPU_ENERGY_PERF_POLICY_ON_BAT = "poversave";
};
};
services.xserver.libinput = {
enable = true;
};
hardware.acpilight.enable = true;
services.thermald.enable = true;
ragon.gui.laptop = true;
ragon.hardware.bluetooth.enable = true; # laptops normally have BT
};
}

12
nixos-modules/hardware/nvidia.nix Normal file
View file

@ -0,0 +1,12 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.hardware.nvidia;
in
{
options.ragon.hardware.nvidia.enable = lib.mkEnableOption "Enables nvidia stuff (why didnt i buy amd?)";
config = lib.mkIf cfg.enable {
# nivea
services.xserver.videoDrivers = [ "nvidia" ];
};
}

36
nixos-modules/hardware/rpi3.nix Normal file
View file

@ -0,0 +1,36 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.hardware.rpi3;
in
{
options.ragon.hardware.rpi3.enable = lib.mkEnableOption "Enables rpi3 quirks";
config = lib.mkIf cfg.enable {
boot.loader.raspberryPi = {
enable = true;
version = 3;
};
boot.extraModprobeConfig = ''
options cfg80211 ieee80211_regdom="DE"
'';
hardware.firmware = [ pkgs.wireless-regdb ];
#boot.kernelPackages = pkgs.linux_rpi3;
nixpkgs.overlays = [
(self: super: {
firmwareLinuxNonfree = super.firmwareLinuxNonfree.overrideAttrs (old: {
version = "2020-12-18";
src = pkgs.fetchgit {
url =
"https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git";
rev = "b79d2396bc630bfd9b4058459d3e82d7c3428599";
sha256 = "1rb5b3fzxk5bi6kfqp76q1qszivi0v1kdz1cwj2llp5sd9ns03b5";
};
outputHash = "1p7vn2hfwca6w69jhw5zq70w44ji8mdnibm1z959aalax6ndy146";
});
})
];
networking.wireless.enable = true;
hardware.enableRedistributableFirmware = true;
networking.wireless.interfaces = [ "wlan0" ];
};
}

45
nixos-modules/networking/tailscale.nix Normal file
View file

@ -0,0 +1,45 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.services.tailscale;
in
{
options.ragon.services.tailscale.enable = lib.mkEnableOption "Enables tailscale";
config = lib.mkIf cfg.enable {
# enable the tailscale service
services.tailscale.enable = true;
ragon.agenix.secrets.tailscaleKey = {};
networking.firewall = {
# always allow traffic from your Tailscale network
trustedInterfaces = [ "tailscale0" ];
# allow the Tailscale UDP port through the firewall
allowedUDPPorts = [ config.services.tailscale.port ];
};
systemd.services.tailscale-autoconnect = {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = [ "network-pre.target" "tailscale.service" ];
wants = [ "network-pre.target" "tailscale.service" ];
wantedBy = [ "multi-user.target" ];
# set this service as a oneshot job
serviceConfig.Type = "oneshot";
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
key=$(<${config.age.secrets.tailscaleKey.path})
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up -authkey $key
'';
};
};
}

49
nixos-modules/services/bitwarden.nix Normal file
View file

@ -0,0 +1,49 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.services.bitwarden;
domain = config.ragon.services.nginx.domain;
in
{
options.ragon.services.bitwarden.enable = lib.mkEnableOption "Enables the vaultwarden BitWarden Server";
options.ragon.services.bitwarden.domainPrefix =
lib.mkOption {
type = lib.types.str;
default = "bw";
};
config = lib.mkIf cfg.enable {
services.vaultwarden = {
enable = true;
# backupDir = "/backups/vaultwarden";
config = {
domain = "https://${cfg.domainPrefix}.${domain}";
signupsAllowed = false;
rocketPort = 8222;
rocketAddress = "127.0.0.1";
databaseUrl = "postgresql://%2Frun%2Fpostgresql/vaultwarden";
webVaultEnabled = true;
};
dbBackend = "postgresql";
};
services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
locations."/".proxyPass = "http://${config.services.vaultwarden.config.rocketAddress}:${toString config.services.vaultwarden.config.rocketPort}";
};
services.postgresql = {
enable = true;
# Ensure the database, user, and permissions always exist
ensureDatabases = [ "vaultwarden" ];
ensureUsers = [
{
name = "vaultwarden";
ensurePermissions."DATABASE vaultwarden" = "ALL PRIVILEGES";
}
];
};
ragon.persist.extraDirectories = [
"/var/lib/vaultwarden"
];
};
}

60
nixos-modules/services/ddns.nix Normal file
View file

@ -0,0 +1,60 @@
{ config, lib, pkgs, ... }:
with lib;
with lib.my;
let
cfg = config.ragon.services.ddns;
domain = config.ragon.services.nginx.domain;
dataDir = "/var/lib/inadyn";
cacheDir = "/var/cache/inadyn";
in
{
options.ragon.services.ddns.enable = mkEnableOption "Enables CloudFlare DDNS to the domain specified in ragon.services.nginx.domain and all subdomains";
options.ragon.services.ddns.ipv4 = mkBoolOpt true;
options.ragon.services.ddns.ipv6 = mkBoolOpt true;
config = mkIf cfg.enable {
systemd.services.inadyn = {
description = "inadyn DDNS Client";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = rec {
Type = "simple";
ExecStart =
pkgs.writeScript "run-inadyn.sh" ''
#!${pkgs.bash}/bin/bash
export PATH=$PATH:${pkgs.bash}/bin/bash # idk if that helps
source ${config.age.secrets.cloudflareAcme.path}
cat >/run/${RuntimeDirectory}/inadyn.cfg <<EOF
period = 180
user-agent = Mozilla/5.0
allow-ipv6 = true
${optionalString cfg.ipv4 ''
# ipv4
provider cloudflare.com:1 {
checkip-server = ipv4.icanhazip.com
username = ${domain}
password = $CLOUDFLARE_DNS_API_TOKEN
hostname = ${domain}
}
''}
${optionalString cfg.ipv6 ''
# ipv6
provider cloudflare.com:2 {
checkip-server = ipv6.icanhazip.com
username = ${domain}
password = $CLOUDFLARE_DNS_API_TOKEN
hostname = ${domain}
}
''}
EOF
exec ${pkgs.inadyn}/bin/inadyn -n --cache-dir=${cacheDir} -f /run/${RuntimeDirectory}/inadyn.cfg
'';
RuntimeDirectory = StateDirectory;
StateDirectory = builtins.baseNameOf dataDir;
};
};
systemd.tmpfiles.rules = [
"d ${cacheDir} 1777 root root 10m"
];
ragon.agenix.secrets.cloudflareAcme = { };
};
}

16
nixos-modules/services/docker.nix Normal file
View file

@ -0,0 +1,16 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.services.docker;
in
{
options.ragon.services.docker.enable = lib.mkEnableOption "Enables docker";
config = lib.mkIf cfg.enable {
virtualisation.oci-containers.backend = "docker";
virtualisation.docker.enable = true;
ragon.user.extraGroups = [ "docker" "podman" ];
ragon.persist.extraDirectories = [
"/var/lib/docker"
"/var/cache/docker"
];
};
}

49
nixos-modules/services/gitlab.nix Normal file
View file

@ -0,0 +1,49 @@
{ config, lib, pkgs, ... }:
with lib;
with lib.my;
let
cfg = config.ragon.services.gitlab;
domain = config.ragon.services.nginx.domain;
in
{
options.ragon.services.gitlab.enable = mkEnableOption "Enables gitlab";
options.ragon.services.gitlab.domainPrefix =
mkOption {
type = lib.types.str;
default = "gitlab";
};
config = lib.mkIf cfg.enable {
services.gitlab = {
enable = true;
https = true;
initialRootPasswordFile = "${config.age.secrets.gitlabInitialRootPassword.path}";
port = 443;
host = "${cfg.domainPrefix}.${domain}";
secrets = {
dbFile = "${config.age.secrets.gitlabDBFile.path}";
jwsFile = "${config.age.secrets.gitlabJWSFile.path}";
otpFile = "${config.age.secrets.gitlabOTPFile.path}";
secretFile = "${config.age.secrets.gitlabSecretFile.path}";
};
};
ragon.agenix.secrets = foldl (a: b: a // b) { } (map (a: { ${a} = { owner = "gitlab"; }; }) [
"gitlabDBFile"
"gitlabInitialRootPassword"
"gitlabJWSFile"
"gitlabOTPFile"
"gitlabSecretFile"
]);
services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {
useACMEHost = "${domain}";
forceSSL = true;
locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
locations."/".extraConfig = "client_max_body_size 4G;";
};
ragon.persist.extraDirectories = [
"${config.services.postgresql.dataDir}"
"${config.services.gitlab.statePath}"
];
};
}

32
nixos-modules/services/grafana.nix Normal file
View file

@ -0,0 +1,32 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.services.grafana;
domain = config.ragon.services.nginx.domain;
in
{
options.ragon.services.grafana.enable = lib.mkEnableOption "Enables grafana";
options.ragon.services.grafana.domainPrefix =
lib.mkOption {
type = lib.types.str;
default = "grafana";
};
config = lib.mkIf cfg.enable {
services.grafana = {
enable = true;
domain = "${cfg.domainPrefix}.${domain}";
rootUrl = "https://${cfg.domainPrefix}.${domain}/";
};
services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {
useACMEHost = "${domain}";
addSSL = true;
locations = {
"/".proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
"/".proxyWebsockets = true;
};
};
ragon.persist.extraDirectories = [
"${config.services.grafana.dataDir}"
];
};
}

55
nixos-modules/services/hedgedoc.nix Normal file
View file

@ -0,0 +1,55 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.services.hedgedoc;
domain = config.ragon.services.nginx.domain;
in
{
options.ragon.services.hedgedoc.enable = lib.mkEnableOption "Enables the hedgedoc BitWarden Server";
options.ragon.services.hedgedoc.domainPrefix =
lib.mkOption {
type = lib.types.str;
default = "md";
};
config = lib.mkIf cfg.enable {
services.hedgedoc = {
enable = true;
environmentFile = "${config.age.secrets.hedgedocSecret.path}";
configuration = {
protocolUseSSL = true;
sessionSecret = "$SESSION_SECRET";
allowEmailRegister = false;
domain = "${cfg.domainPrefix}.${domain}";
db = {
dialect = "postgres";
host = "/run/postgresql";
database = "hedgedoc";
};
allowAnonymousEdits = false;
allowFreeURL = true;
};
};
ragon.agenix.secrets.hedgedocSecret.owner = "hedgedoc";
services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
locations."/".proxyWebsockets = true;
locations."/".proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.configuration.port}";
};
services.postgresql = {
enable = true;
# Ensure the database, user, and permissions always exist
ensureDatabases = [ "hedgedoc" ];
ensureUsers = [
{
name = "hedgedoc";
ensurePermissions."DATABASE hedgedoc" = "ALL PRIVILEGES";
}
];
};
ragon.persist.extraDirectories = [
"${config.services.hedgedoc.workDir}"
];
};
}

68
nixos-modules/services/jellyfin.nix Normal file
View file

@ -0,0 +1,68 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.services.jellyfin;
domain = config.ragon.services.nginx.domain;
in
{
options.ragon.services.jellyfin.enable = lib.mkEnableOption "Enables jellyfin";
options.ragon.services.jellyfin.domainPrefix =
lib.mkOption {
type = lib.types.str;
default = "j";
};
config = lib.mkIf cfg.enable {
services.jellyfin.enable = true;
services.jellyfin.openFirewall = true;
services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {
useACMEHost = "${domain}";
addSSL = true;
locations = {
"= /".extraConfig = "return 302 https://$host/web/;";
"/" = {
extraConfig = ''
proxy_pass http://127.0.0.1:8096;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
'';
};
"= /web/" = {
extraConfig = ''
proxy_pass http://127.0.0.1:8096/web/index.html;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
'';
};
"/socket" = {
extraConfig = ''
proxy_pass http://127.0.0.1:8096;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
'';
};
};
};
ragon.persist.extraDirectories = [
"/var/cache/jellyfin"
"/var/lib/jellyfin"
];
};
}

17
nixos-modules/services/libvirt.nix Normal file
View file

@ -0,0 +1,17 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.services.libvirt;
domain = config.ragon.services.nginx.domain;
in
{
options.ragon.services.libvirt.enable = lib.mkEnableOption "Enables libvirt and stuff";
config = lib.mkIf cfg.enable {
virtualisation.libvirtd = {
enable = true;
};
ragon.user.extraGroups = [ "kvm" "libvirtd" ];
ragon.persist.extraDirectories = [
"/var/lib/libvirt"
];
};
}

162
nixos-modules/services/monitoring.nix Normal file
View file

@ -0,0 +1,162 @@
{ config, lib, pkgs, ... }:
with lib;
with lib.my;
let
cfg = importTOML ../../data/monitoring.toml;
hostName = config.networking.hostName;
getHost = (y:
if (y == hostName)
then "127.0.0.1"
else
(
if (builtins.elem y (builtins.attrNames cfg.hostOverrides))
then cfg.hostOverrides.${y}
else "${y}.hailsatan.eu"
)
);
in
{
config = mkMerge ([
(mkIf (cfg.master.hostname == hostName) {
services.loki.enable = true;
networking.firewall.allowedTCPPorts = [ 3100 ];
services.loki.configFile = pkgs.writeText "loki.yml" ''
auth_enabled: false
server:
http_listen_port: 3100
grpc_listen_port: 9096
ingester:
wal:
enabled: true
dir: /tmp/wal
lifecycler:
address: 127.0.0.1
ring:
kvstore:
store: inmemory
replication_factor: 1
final_sleep: 0s
chunk_idle_period: 1h # Any chunk not receiving new logs in this time will be flushed
max_chunk_age: 1h # All chunks will be flushed when they hit this age, default is 1h
chunk_target_size: 1048576 # Loki will attempt to build chunks up to 1.5MB, flushing first if chunk_idle_period or max_chunk_age is reached first
chunk_retain_period: 30s # Must be greater than index read cache TTL if using an index cache (Default index read cache TTL is 5m)
max_transfer_retries: 0 # Chunk transfers disabled
schema_config:
configs:
- from: 2020-10-24
store: boltdb-shipper
object_store: filesystem
schema: v11
index:
prefix: index_
period: 24h
storage_config:
boltdb_shipper:
active_index_directory: /tmp/loki/boltdb-shipper-active
cache_location: /tmp/loki/boltdb-shipper-cache
cache_ttl: 24h # Can be increased for faster performance over longer query periods, uses more disk space
shared_store: filesystem
filesystem:
directory: /tmp/loki/chunks
compactor:
working_directory: /tmp/loki/boltdb-shipper-compactor
shared_store: filesystem
limits_config:
reject_old_samples: true
reject_old_samples_max_age: 168h
chunk_store_config:
max_look_back_period: 0s
table_manager:
retention_deletes_enabled: false
retention_period: 0s
ruler:
storage:
type: local
local:
directory: /tmp/loki/rules
rule_path: /tmp/loki/rules-temp
alertmanager_url: http://localhost:9093
ring:
kvstore:
store: inmemory
enable_api: true
'';
services.prometheus = {
enable = true;
scrapeConfigs = foldl (a: b: a ++ b) [ ] (map
(x: (map
(y: {
job_name = "${x}_${y}";
static_configs = [
{
targets = [
''${getHost y}:${toString config.services.prometheus.exporters.${x}.port}''
];
}
];
})
cfg.exporters.${x}.hosts))
(builtins.attrNames cfg.exporters));
};
ragon.persist.extraDirectories = [
"/var/lib/${config.services.prometheus.stateDir}"
"${config.services.loki.dataDir}"
];
})
{
# some global settings
services.prometheus.exporters.node.enabledCollectors = [ "systemd" ];
services.prometheus.exporters.dnsmasq.leasesPath = "/var/lib/dnsmasq/dnsmasq.leases";
services.prometheus.exporters.smartctl.user = "root";
services.prometheus.exporters.smokeping.hosts = [ "1.1.1.1" ];
services.nginx.statusPage = true;
}
(mkIf (builtins.elem hostName cfg.promtail.hosts) {
services.promtail = {
enable = true;
configuration = {
server.http_listen_port = 28183;
positions.filename = "/tmp/positions.yaml";
clients = [{ url = "http://${getHost cfg.master.hostname}:3100/loki/api/v1/push"; }];
scrape_configs = [
{
job_name = "journal";
journal = {
max_age = "12h";
labels = {
job = "systemd-journal";
host = hostName;
};
};
relabel_configs = [{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}];
}
];
};
};
})
] ++
(map
(x: {
services.prometheus.exporters.${x} = {
enable = (builtins.elem hostName cfg.exporters.${x}.hosts);
openFirewall = (hostName != cfg.master.hostname);
firewallFilter = if (hostName != cfg.master.hostname) then "-p tcp -s ${cfg.master.ip} -m tcp --dport ${toString config.services.prometheus.exporters.${x}.port}" else null;
};
})
(builtins.attrNames cfg.exporters))
);
}

38
nixos-modules/services/nginx.nix Normal file
View file

@ -0,0 +1,38 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.services.nginx;
in
{
options.ragon.services.nginx.enable = lib.mkEnableOption "Enables nginx";
options.ragon.services.nginx.domain =
lib.mkOption {
type = lib.types.str;
default = "hailsatan.eu";
};
config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
};
security.acme.defaults.email = "nixosacme@phochkamp.de";
security.acme.acceptTerms = true;
security.acme.certs."${cfg.domain}" = {
dnsProvider = "cloudflare";
dnsResolver = "1.1.1.1:53";
group = "nginx";
extraDomainNames = [
"*.${cfg.domain}"
];
credentialsFile = "${config.age.secrets.cloudflareAcme.path}";
};
ragon.agenix.secrets.cloudflareAcme = { group = "nginx"; mode = "0440"; };
ragon.persist.extraDirectories = [
"/var/lib/acme"
];
};
}

39
nixos-modules/services/paperless.nix Normal file
View file

@ -0,0 +1,39 @@
{ config, inputs, lib, pkgs, ... }:
with lib;
with lib.my;
let
cfg = config.ragon.services.paperless;
domain = config.ragon.services.nginx.domain;
in
{
options.ragon.services.paperless.enable = mkEnableOption "Enables paperless ng";
options.ragon.services.paperless.domainPrefix =
lib.mkOption {
type = lib.types.str;
default = "paperless";
};
config = mkIf cfg.enable {
services.paperless-ng = {
enable = true;
package = pkgs.paperless-ng.overrideAttrs (oldAttrs: rec { doCheck = false; doInstallCheck = false; });
mediaDir = mkDefault "/data/documents/paperless";
consumptionDir = mkDefault "/data/applications/paperless-consumption";
consumptionDirIsPublic = true;
passwordFile = "${config.age.secrets.paperlessAdminPW.path}";
extraConfig = {
PAPERLESS_OCR_LANGUAGE = "deu+eng";
};
};
ragon.agenix.secrets.paperlessAdminPW = { group = "${config.services.paperless-ng.user}"; mode = "0440"; };
services.nginx.clientMaxBodySize = "100m";
services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {
useACMEHost = "${domain}";
addSSL = true;
locations."/".proxyPass = "http://${config.services.paperless-ng.address}:${toString config.services.paperless-ng.port}";
locations."/".proxyWebsockets = true;
};
ragon.persist.extraDirectories = [
"${config.services.paperless-ng.dataDir}"
];
};
}

28
nixos-modules/services/samba.nix Normal file
View file

@ -0,0 +1,28 @@
{ config, lib, pkgs, ... }:
with lib;
with lib.my;
with builtins;
let
cfg = config.ragon.services.samba;
allowedIPs = cfg.allowedIPs;
cfgExports = cfg.exports;
in
{
options.ragon.services.samba.enable = mkEnableOption "Enables Samba";
options.ragon.services.samba.shares = mkOption {
type = lib.types.attrs;
default = {};
};
config = mkIf cfg.enable {
services.samba = {
enable = true;
shares = cfg.shares;
};
ragon.persist.extraDirectories = [
"/var/lib/samba"
];
networking.firewall.allowedTCPPorts = [ 139 445 ];
networking.firewall.allowedUDPPorts = [ 137 138 ];
};
}

12
nixos-modules/services/ssh.nix Normal file
View file

@ -0,0 +1,12 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.services.ssh;
in
{
options.ragon.services.ssh.enable = lib.mkEnableOption "Enables sshd";
config = lib.mkIf cfg.enable {
services.openssh.permitRootLogin = "no";
services.openssh.enable = true;
services.openssh.passwordAuthentication = false;
};
}

130
nixos-modules/services/synapse.nix Normal file
View file

@ -0,0 +1,130 @@
{ config, lib, pkgs, ... }:
with lib;
with lib.my;
let
cfg = config.ragon.services.synapse;
fqdn = cfg.fqdn;
serverName = cfg.serverName;
domain = config.ragon.services.nginx.domain;
in
{
options.ragon.services.synapse.enable = mkEnableOption "Enables synapse";
options.ragon.services.synapse.fqdn =
lib.mkOption {
type = lib.types.str;
default = "m.ragon.xyz";
};
options.ragon.services.synapse.enableElement = mkBoolOpt true; # TODO fix
options.ragon.services.synapse.elementFqdn =
lib.mkOption {
type = lib.types.str;
default = "e.ragon.xyz";
};
options.ragon.services.synapse.serverName =
lib.mkOption {
type = lib.types.str;
default = "ragon.xyz";
};
config = lib.mkIf cfg.enable {
services.matrix-synapse = {
enable = true;
server_name = serverName;
listeners = [
{
port = 8008;
bind_address = "::1";
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = [ "client" "federation" ];
compress = false;
}
];
}
];
};
services.postgresql = {
enable = true;
};
services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
services.nginx.virtualHosts = {
"${cfg.elementFqdn}" = {
useACMEHost = "${domain}";
forceSSL = true;
root = pkgs.element-web.override {
conf = {
default_server_config."m.homeserver" = {
"base_url" = "https://${fqdn}";
"server_name" = "${domain}";
};
default_theme = "dark";
jitsi.preferredDomain = "${config.ragon.services.jitsi.domainPrefix}.${domain}";
}; # TODO make this less shit
};
};
"${cfg.serverName}" = {
forceSSL = true;
useACMEHost = "${domain}";
locations."= /.well-known/matrix/server".extraConfig =
let
# use 443 instead of the default 8448 port to unite
# the client-server and server-server port for simplicity
server = { "m.server" = "${fqdn}:443"; };
in
''
add_header Content-Type application/json;
return 200 '${builtins.toJSON server}';
'';
locations."= /.well-known/matrix/client".extraConfig =
let
client = {
"m.homeserver" = { "base_url" = "https://${fqdn}"; };
"m.identity_server" = { "base_url" = "https://vector.im"; };
"im.vector.riot.jitsi" = { "preferredDomain" = "jitsi.${domain}"; };
};
# ACAO required to allow element-web on any URL to request this json file
in
''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
};
# Reverse proxy for Matrix client-server and server-server communication
"${fqdn}" = {
forceSSL = true;
useACMEHost = "${domain}";
# Or do a redirect instead of the 404, or whatever is appropriate for you.
# But do not put a Matrix Web client here! See the Element web section below.
locations."/".extraConfig = ''
return 404;
'';
# forward all Matrix API calls to the synapse Matrix homeserver
locations."/_matrix" = {
proxyPass = "http://[::1]:8008"; # without a trailing /
};
};
};
ragon.persist.extraDirectories = [
"${config.services.postgresql.dataDir}"
"${config.services.matrix-synapse.dataDir}"
];
};
}

22
nixos-modules/services/ts3.nix Normal file
View file

@ -0,0 +1,22 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.services.ts3;
in
{
options.ragon.services.ts3.enable = lib.mkEnableOption "Enables the Teamspeak 3 Server";
config = lib.mkIf cfg.enable {
services.teamspeak3 = {
enable = true;
};
networking.firewall.allowedTCPPorts = [
config.services.teamspeak3.queryPort
config.services.teamspeak3.fileTransferPort
];
networking.firewall.allowedUDPPorts = [
config.services.teamspeak3.defaultVoicePort
];
ragon.persist.extraDirectories = [
"${config.services.teamspeak3.dataDir}"
];
};
}

26
nixos-modules/services/unifi.nix Normal file
View file

@ -0,0 +1,26 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.services.unifi;
domain = config.ragon.services.nginx.domain;
in
{
options.ragon.services.unifi.enable = lib.mkEnableOption "Enables the unifi console";
options.ragon.services.unifi.domainPrefix =
lib.mkOption {
type = lib.types.str;
default = "unifi";
};
config = lib.mkIf cfg.enable {
services.unifi = {
enable = true;
};
services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
locations."/".proxyPass = "https://127.0.0.1:8443";
};
ragon.persist.extraDirectories = [
"/var/lib/unifi"
];
};
}

39
nixos-modules/system/agenix.nix Normal file
View file

@ -0,0 +1,39 @@
{ options, config, inputs, lib, pkgs, ... }:
with builtins;
with lib;
with lib.my;
let
inherit (inputs) agenix;
secretsDir = "${toString ../../secrets}";
secretsFile = "${secretsDir}/secrets.nix";
cfg = config.ragon.agenix;
in
{
imports = [ agenix.nixosModules.age ];
options.ragon.agenix = {
enable = mkBoolOpt true;
secrets = mkOption {
type = types.attrs;
default = { };
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ agenix.defaultPackage.${pkgs.system} ];
# Set passwords
users.users.root.passwordFile = config.age.secrets.rootPasswd.path;
age.identityPaths =
[
"/persistent/etc/ssh/ssh_host_ed25519_key"
];
age.secrets = mapAttrs (name: obj: ({ file = "${secretsDir}/${name}.age"; } // obj))
(cfg.secrets //
{
rootPasswd = { };
}
);
assertions = [
{ assertion = (pathExists secretsFile); message = "${secretsFile} does not exist"; }
];
};
}

92
nixos-modules/system/fs.nix Normal file
View file

@ -0,0 +1,92 @@
{ config, lib, pkgs, ... }:
with lib;
with lib.my;
let
cfg = config.ragon.system.fs;
nix = cfg.nix;
varlog = cfg.varlog;
persistent = cfg.persistent;
persistentSnapshot = cfg.persistentSnapshot;
arcSize = cfg.arcSize;
hostName = config.networking.hostName;
in
{
options.ragon.system.fs = {
enable = lib.mkEnableOption "Enables ragons fs stuff, (tmpfs,zfs,backups,...)";
mediadata = mkBoolOpt true;
swap = mkBoolOpt true;
persistentSnapshot = mkBoolOpt true;
nix = lib.mkOption {
type = lib.types.str;
default = "pool/nix";
};
varlog = lib.mkOption {
type = lib.types.str;
default = "pool/varlog";
};
persistent = lib.mkOption {
type = lib.types.str;
default = "pool/persist";
};
arcSize = lib.mkOption {
type = lib.types.int;
default = 2;
description = "Sets the ZFS Arc Size (in GB)";
};
};
config = lib.mkIf cfg.enable {
services.zfs.autoScrub.enable = true;
services.sanoid = {
enable = mkDefault persistentSnapshot;
} // (if persistentSnapshot then { datasets."${persistent}" = { }; } else { });
services.syncoid = {
user = "root";
group = "root";
sshKey = /persistent/root/.ssh/id_rsa;
enable = mkDefault true;
commonArgs = [
];
commands."${persistent}" = {
target = "ragon@ds9:rpool/content/local/backups/${hostName}"; # FIXME extra user
recvOptions = "x encryption";
};
};
boot.kernelParams = [ "zfs.zfs_arc_max=${toString (arcSize * 1024 * 1024 * 1024)}" ];
fileSystems."/" =
{
device = "none";
fsType = "tmpfs";
options = [ "size=8G" "defaults" "mode=755" ];
};
fileSystems."/nix" =
{
device = "${nix}";
fsType = "zfs";
neededForBoot = true;
};
fileSystems."/persistent" =
{
device = "${persistent}";
fsType = "zfs";
neededForBoot = true;
};
fileSystems."/var/log" =
{
device = "${varlog}";
fsType = "zfs";
};
fileSystems."/boot" =
{
device = mkDefault "/dev/disk/by-label/boot";
fsType = "vfat";
options = [ "noauto" "x-systemd.automount" ];
};
swapDevices = mkIf cfg.swap [
{ device = "/persistent/pagefile.sys"; }
];
};
}

34
nixos-modules/system/persist.nix Normal file
View file

@ -0,0 +1,34 @@
{ config, lib, pkgs, inputs, ... }:
let
cfg = config.ragon.persist;
in
{
options.ragon.persist.enable = lib.mkEnableOption "Enables persistence";
options.ragon.persist.extraFiles = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
options.ragon.persist.extraDirectories = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
config = lib.mkIf cfg.enable {
environment.persistence."/persistent" = {
directories = [
"/etc/nixos"
"/etc/NetworkManager/system-connections"
"/root/.ssh"
] ++ (lib.unique cfg.extraDirectories);
files = [
"/etc/machine-id"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
] ++ cfg.extraFiles;
};
};
}

27
nixos-modules/system/security.nix Normal file
View file

@ -0,0 +1,27 @@
{ config, lib, pkgs, ... }:
with lib;
with lib.my;
let
cfg = config.ragon.system.security;
in
{
options.ragon.system.security = {
enable = mkBoolOpt true;
};
config = mkIf cfg.enable {
security.sudo.execWheelOnly = true;
services.openssh = {
passwordAuthentication = false;
allowSFTP = false; # just use rsync, lol
kbdInteractiveAuthentication = false;
extraConfig = ''
AllowTcpForwarding yes
X11Forwarding no
AllowAgentForwarding no
AllowStreamLocalForwarding no
AuthenticationMethods publickey
'';
};
};
}

65
nixos-modules/user/default.nix Normal file
View file

@ -0,0 +1,65 @@
{ config, lib, pkgs, ... }:
let
cfg = config.ragon.user;
uid = cfg.uid;
username = cfg.username;
extraGroups = cfg.extraGroups;
extraAuthorizedKeys = cfg.extraAuthorizedKeys;
pubkeys = import ../../data/pubkeys.nix {};
in
{
options.ragon.user = {
enable = lib.mkEnableOption "Enables my user.";
uid = lib.mkOption {
type = lib.types.nullOr lib.types.int;
default = 1000;
};
username = lib.mkOption {
type = lib.types.str;
default = "ragon";
description = "My username for this system.";
};
extraGroups = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
extraAuthorizedKeys = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = "Additional authorized keys";
};
persistent = {
homeDir = lib.mkOption {
type = lib.types.str;
default = "/persistent/home/${username}";
description = "Location of persistent home files";
};
extraFiles = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
extraDirectories = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
};
};
config = lib.mkIf cfg.enable {
# Let ~/bin/ be in $PATH
environment.homeBinInPath = true;
# Define my user account
users.extraUsers.${username} = {
isNormalUser = true;
uid = uid;
extraGroups = [ "wheel" ] ++ extraGroups;
shell = pkgs.zsh;
openssh.authorizedKeys.keys = pubkeys.ragon.computers ++ extraAuthorizedKeys;
passwordFile = config.age.secrets.ragonPasswd.path;
};
ragon.agenix.secrets.ragonPasswd = { };
};
}