some slight changes

This commit is contained in:
Lucy Hochkamp 2024-03-17 09:07:28 +01:00
parent be17bb97d2
commit ff468ca2d7
No known key found for this signature in database
70 changed files with 245 additions and 2131 deletions


@ -1,155 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ inputs, config, pkgs, lib, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
];
documentation.enable = false;
documentation.nixos.enable = false;
documentation.man.enable = false;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
boot.loader.systemd-boot.enable = false;
networking.interfaces."ens3" = {
ipv6 = {
addresses = [
{
address = "2a00:6800:3:744::1";
prefixLength = 64;
}
];
};
ipv4 = {
addresses = [
{
address = "195.90.211.163";
prefixLength = 22;
}
];
};
};
networking.defaultGateway6 = { address = "2a00:6800:3::1"; interface = "ens3"; };
networking.defaultGateway = { address = "195.90.208.1"; interface = "ens3"; };
networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
networking.useDHCP = false;
# networking.interfaces.eno1.useDHCP = true;
networking.hostId = "7c28236a";
# Immutable users due to tmpfs
users.mutableUsers = false;
services.postgresql.package = pkgs.postgresql_13;
services.grafana = {
enable = true;
settings.server = {
domain = "beliskner.kangaroo-galaxy.ts.net";
root_url = "https://beliskner.kangaroo-galaxy.ts.net/";
};
};
services.grafana.settings = {
analytics.reporting_enabled = false;
users = {
allow_sign_up = false;
};
#auth.proxy = ''
# enabled = true
# header_name = "X-Webauth-User"
# header_property = "username"
# auto_sign_up = true
# allow_sign_up = true
# whitelist = "127.0.0.1, ::1"
#'';
};
ragon.agenix.secrets."prometheusBlackboxConfig.yaml" = { owner = "prometheus"; };
services.prometheus.scrapeConfigs = [{
job_name = "blackbox";
file_sd_configs = [{
files = [
config.age.secrets."prometheusBlackboxConfig.yaml".path
];
}];
}];
services.prometheus.checkConfig = false;
services.prometheus.exporters.blackbox = {
enable = true;
configFile = pkgs.writeText "blackboxexporter" ''
modules:
dns:
prober: dns
http_2xx:
prober: http
timeout: 5s
http:
method: GET
preferred_ip_protocol: "ip4" # defaults to "ip6"
'';
};
services.caddy = {
enable = true;
virtualHosts = {
"beliskner.kangaroo-galaxy.ts.net" = {
extraConfig = ''
#forward_auth unix//run/tailscale/tailscaled.sock {
# uri /auth
# header_up Remote-Addr {remote_host}
# header_up Remote-Port {remote_port}
# header_up Original-URI {uri}
# copy_headers {
# Tailscale-User>X-Webauth-User
# Tailscale-Name>X-Webauth-Name
# Tailscale-Login>X-Webauth-Login
# Tailscale-Tailnet>X-Webauth-Tailnet
# Tailscale-Profile-Picture>X-Webauth-Profile-Picture
# }
#}
reverse_proxy {
to http://localhost:${toString config.services.grafana.settings.server.http_port}
flush_interval -1
transport http {
keepalive 310s
compression off
}
}
'';
};
};
};
networking.firewall.trustedInterfaces = [ "lo" "tailscale0" ];
services.tailscale = {
enable = true;
permitCertUid = "caddy";
};
age.identityPaths = lib.mkForce [ "/nix/persistent/etc/ssh/ssh_host_ed25519_key" ];
ragon = {
cli.enable = false;
user.enable = false;
tailscaleToVpn.enable = true;
persist.enable = true;
persist.baseDir = "/nix/persistent";
persist.extraDirectories = [
"/var/lib/tailscale"
"/var/lib/caddy"
"/var/log"
];
services = {
ssh.enable = true;
};
};
}


@ -1,85 +0,0 @@
{ ... }: {
disko.devices = {
disk = {
vda = {
type = "disk";
device = "/dev/vda";
content = {
type = "table";
format = "gpt";
partitions = [
{
name = "boot";
start = "0";
end = "1M";
part-type = "primary";
flags = [ "bios_grub" ];
}
{
name = "esp";
start = "1MiB";
end = "265MiB";
part-type = "primary";
bootable = true;
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [
"defaults"
];
};
}
{
name = "luks";
start = "265MiB";
end = "100%";
part-type = "primary";
content = {
type = "luks";
name = "crypted";
extraOpenArgs = [ "--allow-discards" ];
# if you want to use the key for interactive login be sure there is no trailing newline
# for example use `echo -n "password" > /tmp/secret.key`
keyFile = "/tmp/secret.key";
content = {
type = "lvm_pv";
vg = "pool";
};
};
}
];
};
};
};
lvm_vg = {
pool = {
type = "lvm_vg";
lvs = {
nix = {
size = "100%FREE";
content = {
type = "filesystem";
format = "xfs";
mountpoint = "/nix";
mountOptions = [
"defaults"
];
};
};
};
};
};
nodev = {
"/" = {
fsType = "tmpfs";
mountOptions = [
"size=2G"
"defaults"
"mode=755"
];
};
};
};
}


@ -1,27 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, inputs, ... }:
let
pubkeys = import ../../data/pubkeys.nix;
in
{
imports = [ "${modulesPath}/profiles/qemu-guest.nix" inputs.disko.nixosModules.disko ./disk-config.nix ];
#boot.initrd.luks.devices."crypted".device = "/dev/vda2";
boot.initrd = {
network = {
enable = true;
ssh = {
enable = true;
port = 2222;
hostKeys = [
"/nix/persistent/etc/nixos/secrets/initrd/ssh_host_rsa_key"
"/nix/persistent/etc/nixos/secrets/initrd/ssh_host_ed25519_key"
];
authorizedKeys = pubkeys.ragon.user;
};
};
};
powerManagement.cpuFreqGovernor = "performance";
}


@ -63,65 +63,72 @@ with lib.my;
environment.pathsToLink = [ "/share/fish" ];
ragon.services.borgmatic =
let
tmMountPath = "/tmp/timeMachineSnapshotForBorg";
in
{
enable = false;
configurations."daedalus-ds9" = {
source_directories = [
# tmMountPath
"/Users/ragon"
];
exclude_if_present = [ ".nobackup" ];
repositories = [
{ path = "ssh://ragon@ds9/backups/daedalus/borgmatic"; label = "ds9"; }
{ path = "ssh://root@gatebridge/media/backup/daedalus"; label = "gatebridge"; }
];
encryption_passcommand = pkgs.writeShellScript "getBorgmaticPw" ''security find-generic-password -a daedalus -s borgmaticKey -g 2>&1 | grep -E 'password' | sed 's/^.*"\(.*\)"$/\1/g' '';
compression = "auto,zstd,10";
#ssh_command = "ssh -o GlobalKnownHostsFile=${config.age.secrets.gatebridgeHostKeys.path} -i ${config.age.secrets.picardResticSSHKey.path}";
keep_hourly = 24;
keep_daily = 7;
keep_weekly = 4;
keep_monthly = 12;
keep_yearly = 10;
# before_backup = [
# (pkgs.writeShellScript
# "apfsSnapshot"
# ''
# tmutil localsnapshot
# SNAPSHOT=$(tmutil listlocalsnapshots / | grep TimeMachine | tail -n 1)
# mkdir -p "${tmMountPath}"
# mount_apfs -s $SNAPSHOT /System/Volumes/Data "${tmMountPath}"
# '')
# ];
# after_backup = [
# (pkgs.writeShellScript
# "apfsSnapshotUnmount"
# ''
# diskutil unmount "${tmMountPath}"
# SNAPSHOT=$(tmutil listlocalsnapshots / | grep TimeMachine | tail -n 1)
# tmutil deletelocalsnapshots $(echo $SNAPSHOT | sed 's/com\.apple\.TimeMachine\.\(.*\)\.local/\1/g')
# '')
# ];
# on_error = [
#
# (pkgs.writeShellScript
# "apfsSnapshotUnmountError"
# ''
# diskutil unmount "${tmMountPath}"
# '')
# ];
};
#ragon.services.borgmatic =
# let
# tmMountPath = "/tmp/timeMachineSnapshotForBorg";
# in
# {
# enable = false;
# configurations."daedalus-ds9" = {
# source_directories = [
# # tmMountPath
# "/Users/ragon"
# ];
# exclude_if_present = [ ".nobackup" ];
# repositories = [
# { path = "ssh://ragon@ds9/backups/daedalus/borgmatic"; label = "ds9"; }
# { path = "ssh://root@gatebridge/media/backup/daedalus"; label = "gatebridge"; }
# ];
# encryption_passcommand = pkgs.writeShellScript "getBorgmaticPw" ''security find-generic-password -a daedalus -s borgmaticKey -g 2>&1 | grep -E 'password' | sed 's/^.*"\(.*\)"$/\1/g' '';
# compression = "auto,zstd,10";
# #ssh_command = "ssh -o GlobalKnownHostsFile=${config.age.secrets.gatebridgeHostKeys.path} -i ${config.age.secrets.picardResticSSHKey.path}";
# keep_hourly = 24;
# keep_daily = 7;
# keep_weekly = 4;
# keep_monthly = 12;
# keep_yearly = 10;
# # before_backup = [
# # (pkgs.writeShellScript
# # "apfsSnapshot"
# # ''
# # tmutil localsnapshot
# # SNAPSHOT=$(tmutil listlocalsnapshots / | grep TimeMachine | tail -n 1)
# # mkdir -p "${tmMountPath}"
# # mount_apfs -s $SNAPSHOT /System/Volumes/Data "${tmMountPath}"
# # '')
# # ];
# # after_backup = [
# # (pkgs.writeShellScript
# # "apfsSnapshotUnmount"
# # ''
# # diskutil unmount "${tmMountPath}"
# # SNAPSHOT=$(tmutil listlocalsnapshots / | grep TimeMachine | tail -n 1)
# # tmutil deletelocalsnapshots $(echo $SNAPSHOT | sed 's/com\.apple\.TimeMachine\.\(.*\)\.local/\1/g')
# # '')
# # ];
# # on_error = [
# #
# # (pkgs.writeShellScript
# # "apfsSnapshotUnmountError"
# # ''
# # diskutil unmount "${tmMountPath}"
# # '')
# # ];
# };
};
# };
programs.gnupg.agent.enable = lib.mkForce false;
home-manager.users.xyno = { pkgs, lib, inputs, config, ... }:
{
ragon.nvim.maximal = true;
imports = [
../../hm-modules/nvim
../../hm-modules/tmux
../../hm-modules/vscode
../../hm-modules/xonsh
../../cli.nix
../../files.nix
];
ragon.nvim.maximal = false;
home.file.".hammerspoon/init.lua".source =
let
@ -134,7 +141,6 @@ with lib.my;
src = ./hammerspoon.lua; inherit notmuchMails;
};
home.file.".hammerspoon/Spoons/MiroWindowsManager.spoon".source = "${inputs.miro}/MiroWindowsManager.spoon";
home.file.".finicky.js".source = ./finicky.js;
ragon.vscode.enable = true;
ragon.xonsh.enable = true;
@ -150,8 +156,6 @@ with lib.my;
EDITOR = "nvim";
VISUAL = "nvim";
COLORTERM = "truecolor"; # emacs tty fix
PATH = "$PATH:$HOME/go/bin:$HOME/development/flutter/bin:/Applications/Android Studio.app/Contents/bin/:/Applications/Docker.app/Contents/Resources/bin:/Applications/Android Studio.app/Contents/jre/Contents/Home/bin";
# JAVA_HOME = "/Applications/Android Studio.app/Contents/jre/Contents/Home/";
};
home.packages = with pkgs; [
mosh
@ -164,38 +168,8 @@ with lib.my;
pandoc
micromamba
#unstable.qutebrowser
#unstable.python311Packages.adblock
];
# home.activation = {
# aliasApplications =
# let
# apps = pkgs.buildEnv {
# name = "home-manager-applications";
# paths = config.home.packages;
# pathsToLink = "/Applications";
# };
# in
# lib.hm.dag.entryAfter [ "writeBoundary" ] ''
# # Install MacOS applications to the user environment.
# HM_APPS="$HOME/Applications/Home Manager Apps"
# # Reset current state
# [ -e "$HM_APPS" ] && $DRY_RUN_CMD rm -r "$HM_APPS"
# $DRY_RUN_CMD mkdir -p "$HM_APPS"
# # .app dirs need to be actual directories for Finder to detect them as Apps.
# # The files inside them can be symlinks though.
# $DRY_RUN_CMD cp --recursive --symbolic-link --no-preserve=mode -H ${apps}/Applications/* "$HM_APPS" || true # can fail if no apps exist
# # Modes need to be stripped because otherwise the dirs wouldn't have +w,
# # preventing us from deleting them again
# # In the env of Apps we build, the .apps are symlinks. We pass all of them as
# # arguments to cp and make it dereference those using -H
# '';
# };
};
}
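Review bot: The `ragon.services.borgmatic` block for this host is replaced by a 52-line commented-out copy of itself, although it was already switched off with `enable = false`; the repository history keeps the old configuration, so the copy can be deleted and a single pointer left in its place, e.g. `# borgmatic for this host was removed in ff468ca2d7; see git history to restore`. The bare `};` directly above `# };` looks like a leftover closing brace — if it is on the new side it closes nothing and the file will not parse, which is worth confirming since the +/- markers are not visible here. The two `ragon.nvim.maximal` assignments (`= true` before `imports`, `= false` after it) cannot both be on the new side, as Nix rejects a duplicate attribute; please confirm which one is meant to survive. The enclosing `home-manager.users.xyno` module and the surrounding attrset start before this hunk.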


@ -1,22 +0,0 @@
module.exports = {
defaultBrowser: "/Applications/Arc.app",
handlers: [
{
match: /^https?:\/\/gitlab\.com\/.*$/,
browser: "Vivaldi.app"
},
{
match: /^https?:\/\/.*\.atlassian\.com\/.*$/,
browser: "Vivaldi.app"
},
{
match: 'localhost:44422',
browser: "Vivaldi.app"
},
{
match: 'localhost:7104',
browser: "Vivaldi.app"
}
]
}


@ -1,64 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, inputs, pkgs, lib, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
];
# Don't Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# Immutable users due to tmpfs
users.mutableUsers = false;
users.users."nzbr" = {
extraGroups = [ "wheel" ];
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIkFgHr6OMwsnGhdG4TwKdthlJC/B9ELqZfrmJ9Sf7qk"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIkNP8Lo20fw3Ysq3B64Iep9WyVKWxdv5KJOZRLmAaaM"
];
};
services.openssh.forwardX11 = true;
services.rpcbind.enable = true;
boot.supportedFilesystems = [ "nfs" "nfs4" ];
environment.systemPackages = [ pkgs.nfs-utils pkgs.virt-manager pkgs.firefox pkgs.kitty inputs.nixpkgs.legacyPackages.x86_64-linux.hello ];
services.tailscale.enable = true;
nix.settings.extra-platforms = [ "x86_64-linux" ];
nix.settings.extra-sandbox-paths = [ "/tmp/rosetta" "/run/binfmt" ];
boot.binfmt.registrations."rosetta" = {
interpreter = "/tmp/rosetta/rosetta";
fixBinary = true;
wrapInterpreterInShell = false;
matchCredentials = true;
magicOrExtension = ''\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x3e\x00'';
mask = ''\xff\xff\xff\xff\xff\xfe\xfe\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff'';
};
services.qemuGuest.enable = true;
services.xserver.desktopManager.xfce.enable = true;
services.xserver.desktopManager.xfce.enableScreensaver = false;
services.xserver.enable = true;
services.spice-vdagentd.enable = true;
programs.gnome-terminal.enable = true;
services.gvfs.enable = true;
ragon = {
cli.enable = true;
user.enable = true;
system.security.enable = false;
services = {
docker.enable = true;
ssh.enable = true;
};
};
}


@ -1,41 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
fileSystems."/tmp/rosetta" = {
device = "rosetta";
fsType = "virtiofs";
};
imports = [ ];
boot.initrd.availableKernelModules = [ "virtio_pci" "xhci_pci" "usb_storage" "usbhid" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "/dev/disk/by-uuid/cd9a98fe-0ba3-401d-a2e0-4332faf279dd";
fsType = "btrfs";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/7A8E-EF98";
fsType = "vfat";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/f322c2e1-2aec-4a21-bf76-f01022d07f10"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}

hosts/ds9/backup.nix Normal file

@ -0,0 +1,42 @@
{ pkgs, lib, ... }: {
ragon.agenix.secrets."ds9OffsiteBackupSSH" = { };
ragon.agenix.secrets."ds9SyncoidHealthCheckUrl" = { };
ragon.agenix.secrets."gatebridgeHostKeys" = { };
ragon.agenix.secrets."borgmaticEncryptionKey" = { };
# Backup Target
users.users.picardbackup = {
createHome = false;
group = "users";
uid = 993;
home = "/backups/picard";
shell = "/run/current-system/sw/bin/bash";
isSystemUser = true;
openssh.authorizedKeys.keys = [
''command="${pkgs.borgbackup}/bin/borg serve --restrict-to-path /backups/picard/",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvCF8KGgpF9O8Q7k+JXqZ5eMeEeTaMhCIk/2ZFOzXL0''
];
};
services.borgmatic = {
enable = true;
configurations."ds9-offsite" = {
source_directories = [ "/backups" "/data" "/persistent" ];
repositories = [{ label = "gatebridge"; path = "ssh://root@gatebridge/media/backup/ds9"; }];
exclude_if_present = [ ".nobackup" ];
#upload_rate_limit = "4000";
encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets.borgmaticEncryptionKey.path}";
compression = "auto,zstd,10";
ssh_command = "ssh -o GlobalKnownHostsFile=${config.age.secrets.gatebridgeHostKeys.path} -i ${config.age.secrets.ds9OffsiteBackupSSH.path}";
before_actions = [ "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.ds9SyncoidHealthCheckUrl.path})/start" ];
after_actions = [ "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.ds9SyncoidHealthCheckUrl.path})" ];
on_error = [ "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.ds9SyncoidHealthCheckUrl.path})/fail" ];
retention = {
keep_daily = 7;
keep_weekly = 4;
keep_monthly = 12;
keep_yearly = 10;
};
};
};
}
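Review bot: `config` is referenced in `encryption_passcommand`, `ssh_command`, `before_actions`, `after_actions` and `on_error` (`config.age.secrets.*.path`), but the module header only binds `{ pkgs, lib, ... }`, so evaluating this new file should fail with an undefined-variable error; change the first line to `{ config, pkgs, lib, ... }: {`. `lib` is not used anywhere in the file and can be dropped from the pattern at the same time. The `command="… borg serve --restrict-to-path /backups/picard/",restrict` prefix on the picardbackup key is the right shape for a key that may only push backups into its own repository path; a comment recording that intent, e.g. `# forced command + restrict: this key can only run borg serve against /backups/picard`, would keep a later cleanup from turning it into a plain login key.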


@ -0,0 +1,47 @@
{ pkgs, ... }:
with pkgs;
caddy.override {
buildGoModule = args: buildGoModule (args // {
src = stdenv.mkDerivation rec {
pname = "caddy-using-xcaddy-${xcaddy.version}";
inherit (caddy) version;
dontUnpack = true;
dontFixup = true;
nativeBuildInputs = [
cacert
go
];
plugins = [
"github.com/caddy-dns/ionos@751e8e24162290ee74bea465ae733a2bf49551a6"
];
configurePhase = ''
export GOCACHE=$TMPDIR/go-cache
export GOPATH="$TMPDIR/go"
export XCADDY_SKIP_BUILD=1
'';
buildPhase = ''
${xcaddy}/bin/xcaddy build "${caddy.src.rev}" ${lib.concatMapStringsSep " " (plugin: "--with ${plugin}") plugins}
cd buildenv*
go mod vendor
'';
installPhase = ''
cp -r --reflink=auto . $out
'';
outputHash = "sha256-QsGrtpBJ9b2Nn3i5mUHYA60481ceTJDeCRl0qL6OWlE=";
outputHashMode = "recursive";
};
subPackages = [ "." ];
ldflags = [ "-s" "-w" ]; ## don't include version info twice
vendorHash = null;
});
}
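Review bot: `outputHash` turns the xcaddy source derivation into a fixed-output derivation, so a later change to `caddy.version`, the `caddy.src.rev` passed to xcaddy, or the commit pin in `plugins` will silently keep reusing the previously built store path until the hash is updated as well; a comment next to it is worth adding, e.g. `# fixed-output: bump outputHash whenever caddy.version or a plugin pin changes, otherwise the stale vendored tree is reused`. Pinning the ionos plugin to a full commit rather than a moving tag is good supply-chain hygiene; noting the corresponding upstream tag or date in a comment would make the pin reviewable. `vendorHash = null` is only correct because `go mod vendor` runs inside the hashed source derivation — saying so in a comment, e.g. `# vendoring is done (and hashed) in src above`, explains the otherwise alarming null.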


@ -1,16 +1,29 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, inputs, pkgs, lib, ... }:
let
pubkeys = import ../../data/pubkeys.nix;
caddy-with-plugins = import ./custom-caddy.nix { inherit pkgs; };
in
{
imports =
[
# Include the results of the hardware scan.
./backup.nix
./plex.nix
./hardware-configuration.nix
../../nixos-modules/networking/tailscale.nix
../../nixos-modules/services/docker.nix
../../nixos-modules/services/libvirt.nix
../../nixos-modules/services/msmtp.nix
../../nixos-modules/services/paperless.nix
../../nixos-modules/services/photoprism.nix
../../nixos-modules/services/samba.nix
../../nixos-modules/services/ssh.nix
../../nixos-modules/system/agenix.nix
../../nixos-modules/system/fs.nix
../../nixos-modules/system/persist.nix
../../nixos-modules/system/security.nix
../../nixos-modules/user
];
# Don't Use the systemd-boot EFI boot loader.
@ -25,84 +38,13 @@ in
services.syncthing.enable = true;
services.syncthing.user = "ragon";
ragon.agenix.secrets."ds9OffsiteBackupSSH" = { };
ragon.agenix.secrets."ds9SyncoidHealthCheckUrl" = { };
ragon.agenix.secrets."gatebridgeHostKeys" = { };
ragon.agenix.secrets."borgmaticEncryptionKey" = { };
# services.syncoid =
# let
# datasets = {
# backups = "rpool/content/local/backups";
# data = "rpool/content/safe/data";
# ds9persist2 = "spool/safe/persist";
# hassosvm2 = "spool/safe/vms/hassos";
# };
# in
# lib.mkMerge (
# [{
# localSourceAllow = [
# "hold"
# "send"
# "snapshot"
# "destroy"
# "mount"
# ];
# enable = true;
# interval = "*-*-* 2:15:00";
# commonArgs = [ "--sshoption" "GlobalKnownHostsFile=${config.age.secrets.gatebridgeHostKeys.path}" ];
# sshKey = lib.mkForce "${config.age.secrets.ds9OffsiteBackupSSH.path}";
# }] ++
# (builtins.attrValues
# (builtins.mapAttrs (n: v: { commands.${n} = { target = "root@gatebridge:backup/${n}"; source = v; sendOptions = "w"; }; }) (datasets))
# )
# );
# systemd.services."syncoid-ds9persist2" = {
# # ExecStartPost commands are only run if the ExecStart command succeeded
# # serviceConfig.ExecStartPost = pkgs.writeShellScript "backupSuccessful" ''
# # ${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(cat ${config.age.secrets.ds9SyncoidHealthCheckUrl.path})
# # '';
# unitConfig.OnFailure = "backupFailure.service";
# };
# systemd.services.backupFailure = {
# enable = true;
# script = "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(cat ${config.age.secrets.ds9SyncoidHealthCheckUrl.path})/fail";
# };
services.borgmatic = {
enable = true;
configurations."ds9-offsite" = {
source_directories = [ "/backups" "/data" "/persistent" ];
repositories = [{ label = "gatebridge"; path = "ssh://root@gatebridge/media/backup/ds9"; }];
exclude_if_present = [ ".nobackup" ];
#upload_rate_limit = "4000";
encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets.borgmaticEncryptionKey.path}";
compression = "auto,zstd,10";
ssh_command = "ssh -o GlobalKnownHostsFile=${config.age.secrets.gatebridgeHostKeys.path} -i ${config.age.secrets.ds9OffsiteBackupSSH.path}";
before_actions = [ "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.ds9SyncoidHealthCheckUrl.path})/start" ];
after_actions = [ "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.ds9SyncoidHealthCheckUrl.path})" ];
on_error = [ "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.ds9SyncoidHealthCheckUrl.path})/fail" ];
# postgresql_databases = [{ name = "all"; pg_dump_command = "${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dumpall"; pg_restore_command = "${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_restore"; }];
retention = {
keep_daily = 7;
keep_weekly = 4;
keep_monthly = 12;
keep_yearly = 10;
};
};
};
programs.mosh.enable = true;
security.sudo.wheelNeedsPassword = false;
networking.useDHCP = true;
networking.bridges."br0".interfaces = [ ];
networking.hostId = "7b4c2932";
networking.firewall.allowedTCPPorts = [ 9000 25565 ];
boot.binfmt.emulatedSystems = [ "aarch64-linux" "armv7l-linux" ];
services.nginx.defaultListenAddresses = [ "100.83.96.25" ];
services.nginx.clientMaxBodySize = lib.mkForce "8g";
services.nginx.virtualHosts."_".
listenAddresses = [ "0.0.0.0" "[::0]" ];
boot.initrd.network = {
enable = true;
postCommands = ''
@ -124,25 +66,6 @@ in
};
boot.kernel.sysctl."fs.inotify.max_user_instances" = 512;
services.openssh.sftpServerExecutable = "internal-sftp";
# Backup Target
users.users.picardbackup = {
createHome = false;
group = "users";
uid = 993;
home = "/backups/picard";
shell = "/run/current-system/sw/bin/bash";
isSystemUser = true;
openssh.authorizedKeys.keys = [
''command="${pkgs.borgbackup}/bin/borg serve --restrict-to-path /backups/picard/",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvCF8KGgpF9O8Q7k+JXqZ5eMeEeTaMhCIk/2ZFOzXL0''
];
};
# Enable Scanning
hardware.sane.enable = true;
hardware.sane.extraBackends = [ pkgs.sane-airscan ];
services.avahi.enable = true;
services.avahi.nssmdns = true;
services.avahi.publish.enable = true;
@ -169,70 +92,6 @@ in
</service>
</service-group>
'';
# Webhook service to trigger scanning the ADF from HomeAssistant
#systemd.services.scanhook = {
# description = "webhook go server to trigger scanning";
# documentation = [ "https://github.com/adnanh/webhook" ];
# wantedBy = [ "multi-user.target" ];
# path = with pkgs; [ bash ];
# serviceConfig = {
# TemporaryFileSystem = "/:ro";
# BindReadOnlyPaths = [
# "/nix/store"
# "-/etc/resolv.conf"
# "-/etc/nsswitch.conf"
# "-/etc/hosts"
# "-/etc/localtime"
# ];
# BindPaths = [
# "/data/applications/paperless-consumption"
# ];
# LockPersonality = true;
# NoNewPrivileges = true;
# PrivateMounts = true;
# PrivateTmp = true;
# PrivateUsers = true;
# ProcSubset = "pid";
# ProtectHome = true;
# ProtectControlGroups = true;
# ProtectKernelLogs = true;
# ProtectKernelModules = true;
# ProtectKernelTunables = true;
# ProtectProc = "invisible";
# RestrictNamespaces = true;
# RestrictRealtime = true;
# RestrictSUIDSGID = true;
# DynamicUser = true;
# ExecStart =
# let
# scanScript = pkgs.writeScript "plscan.sh" ''
# #!/usr/bin/env bash
# export PATH=${lib.makeBinPath [ pkgs.strace pkgs.gnugrep pkgs.coreutils pkgs.sane-backends pkgs.sane-airscan pkgs.imagemagick ]}
# export LD_LIBRARY_PATH=${config.environment.sessionVariables.LD_LIBRARY_PATH} # Adds SANE Libraries to the ld library path of this script
# set -x
# date="''$(date --iso-8601=seconds)"
# filename="Scan ''$date.pdf"
# tmpdir="''$(mktemp -d)"
# pushd "''$tmpdir"
# scanimage --batch=out%d.jpg --format=jpeg --mode Gray -d "airscan:e0:Canon MB5100 series" --source "ADF Duplex" --resolution 300
# for i in $(ls out*.jpg | grep 'out.*[24680]\.jpg'); do convert $i -rotate 180 $i; done # rotate even stuff
# convert out*.jpg /data/applications/paperless-consumption/"''$filename"
# chmod 666 /data/applications/paperless-consumption/"''$filename"
# popd
# rm -r "''$tmpdir"
# '';
# hooksFile = pkgs.writeText "webhook.json" (builtins.toJSON [
# {
# id = "scan-webhook";
# execute-command = "${scanScript}";
# }
# ]);
# in
# "${pkgs.webhook}/bin/webhook -hooks ${hooksFile} -verbose";
# };
#};
networking.firewall.allowedTCPPorts = [ 9000 25565 ];
# Immutable users due to tmpfs
users.mutableUsers = false;
@ -272,7 +131,7 @@ in
services.smartd = {
enable = true;
extraOptions = [ "--interval=7200" ];
#notifications.test = true;
notifications.test = true;
};
nixpkgs.overlays = [
(self: super: {
@ -286,54 +145,54 @@ in
ZED_EMAIL_OPTS = "@ADDRESS@";
ZED_NOTIFY_INTERVAL_SECS = 7200;
#ZED_NOTIFY_VERBOSE = true;
ZED_NOTIFY_VERBOSE = true;
ZED_USE_ENCLOSURE_LEDS = false;
ZED_SCRUB_AFTER_RESILVER = true;
};
services.plex = {
systemd.services.caddy.serviceConfig.EnvironmentFile = config.age.secrets.ionos.path;
services.caddy = {
enable = true;
openFirewall = true;
user = "ragon";
group = "users";
package = caddy-with-plugins;
globalConfig = ''
acme_dns ionos {
api_token "{$IONOS_API_KEY}"
}
'';
virtualHosts."*.hailsatan.eu".extraConfig = ''
@paperless host paperless.hailsatan.eu
handle @paperless {
reverse_proxy ${config.ragon.services.paperless.location}
}
@photos host photos.hailsatan.eu
handle @photos {
reverse_proxy ${config.ragon.services.photoprism.location}
}
@bzzt-api host bzzt-api.hailsatan.eu
handle @bzzt-api {
reverse_proxy http://127.0.0.1:5001
}
@bzzt-lcg host bzzt-lcg.hailsatan.eu
handle @bzzt-lcg {
reverse_proxy http://127.0.0.1:5003
}
@bzzt host bzzt.hailsatan.eu
handle @bzzt {
reverse_proxy http://127.0.0.1:5002
}
'';
};
services.nginx.virtualHosts."bzzt-api.hailsatan.eu" = {
useACMEHost = "hailsatan.eu";
listenAddresses = [ "10.0.0.2" "100.83.96.25" ];
addSSL = true;
locations = {
"/".proxyPass = "http://127.0.0.1:5001";
"/".proxyWebsockets = true;
};
};
services.nginx.virtualHosts."bzzt-lcg.hailsatan.eu" = {
useACMEHost = "hailsatan.eu";
addSSL = true;
listenAddresses = [ "10.0.0.2" "100.83.96.25" ];
locations = {
"/".proxyPass = "http://127.0.0.1:5003";
"/".proxyWebsockets = true;
};
};
services.nginx.virtualHosts."bzzt.hailsatan.eu" = {
useACMEHost = "hailsatan.eu";
forceSSL = true;
locations = {
"/".proxyPass = "http://127.0.0.1:5002";
"/".proxyWebsockets = true;
};
};
virtualisation.docker.enable = true;
ragon = {
agenix.secrets."ionos" = { };
cli.enable = true;
user.enable = true;
persist.enable = true;
persist.extraDirectories = [ "/var/lib/syncthing" config.services.plex.dataDir "/var/lib/minecraft" "/var/lib/bzzt" ];
services = {
docker.enable = true;
samba.enable = true;
samba.shares = {
TimeMachine = {
@ -356,7 +215,6 @@ in
};
docker.enable = true;
ssh.enable = true;
nginx.enable = true;
msmtp.enable = true;
photoprism.enable = true;
tailscale.enable = true;
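Review bot: The new `services.caddy` block runs the proxy as the interactive account `ragon`/`users` instead of the module's dedicated `caddy` user, so a flaw in Caddy or the ionos plugin gets that user's access to the Plex, Syncthing and backup data on this host; unless file ownership requires it, drop the `user = "ragon";` and `group = "users";` lines and keep the default service user (the `EnvironmentFile` secret is read by systemd before privileges drop, so it does not need to be owned by the service user). The replaced nginx vhosts bound `bzzt-api` and `bzzt-lcg` to `10.0.0.2` and `100.83.96.25` only, while the caddy `*.hailsatan.eu` site has no `bind` directive, so those backends now answer on every address Caddy listens on — if that widening is not intended, add `bind 10.0.0.2 100.83.96.25` to the site block. With the plex lines moved out, `openFirewall = true;` now reads as part of the caddy block; please check that `services.caddy` actually declares that option, since it was previously plex's. If the root filesystem is tmpfs, as the `users.mutableUsers` comment suggests, Caddy's ACME account and certificates under `/var/lib/caddy` should also be listed in `ragon.persist.extraDirectories` (the beliskner configuration removed in this commit did that), or certificates are re-issued on every boot.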

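--- a/hosts/ds9/plex.nix
+++ b/hosts/ds9/plex.nix
@@ -0,0 +1,9 @@
+{ config, pkgs, lib, inputs, ... }: {
+ragon.persist.extraDirectories = [ config.services.plex.dataDir ];
+services.plex = {
+enable = true;
+openFirewall = true;
+user = "ragon";
+group = "users";
+};
+}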


@ -1,41 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ inputs, config, pkgs, lib, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
];
documentation.enable = false;
documentation.nixos.enable = false;
documentation.man.enable = false;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
security.polkit.enable = true; # needed for libvirtd
services.glusterfs.enable = true;
environment.systemPackages = [ pkgs.python3 ];
virtualisation.libvirtd = {
enable = true;
qemu.swtpm.enable = true;
};
# Immutable users due to tmpfs
users.mutableUsers = false;
programs.mosh.enable = true;
ragon = {
services = {
ssh.enable = true;
};
};
}


@ -1,43 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "/dev/disk/by-uuid/1687e097-8b1f-45bb-9b6c-1ccea8ba05e5";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/B52A-633F";
fsType = "vfat";
};
fileSystems."/gluster" =
{
device = "/dev/disk/by-uuid/09b6577c-af50-4fab-abe5-9d89fb85cad7";
fsType = "xfs";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/e71527bd-1461-46cd-88aa-a168c429d44b"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
#networking.useDHCP = lib.mkDefault true;
networking.interfaces.enp5s0.useDHCP = lib.mkDefault true;
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -1,60 +0,0 @@
{ config, inputs, pkgs, lib, ... }:
{
imports = [
"${inputs.nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
"${inputs.nixos-hardware}/raspberry-pi/4/default.nix"
];
nixpkgs.overlays = [
(final: super: {
makeModulesClosure = x:
super.makeModulesClosure (x // { allowMissing = true; });
})
];
boot.loader.systemd-boot.enable = false;
boot.kernelPackages = pkgs.linuxPackages_rpi4;
# networking.usePredictableInterfaceNames = false;
documentation.enable = false;
documentation.nixos.enable = false;
nix = {
autoOptimiseStore = true;
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 30d";
};
# Free up to 1GiB whenever there is less than 100MiB left.
extraOptions = ''
min-free = ${toString (100 * 1024 * 1024)}
max-free = ${toString (1024 * 1024 * 1024)}
'';
};
powerManagement.cpuFreqGovernor = "ondemand";
# Assuming this is installed on top of the disk image.
fileSystems = {
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
options = [ "noatime" ];
};
};
ragon.services.ssh.enable = true;
ragon.services.tailscale.enable = true;
networking.useDHCP = true;
services.mjpg-streamer.enable = true;
services.mjpg-streamer.inputPlugin = "input_uvc.so -d /dev/video0 -r 1280x720 -f 15 -u";
services.octoprint = {
enable = true;
plugins = plugins: with plugins; [ telegram ];
};
security.sudo.wheelNeedsPassword = false;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIkFgHr6OMwsnGhdG4TwKdthlJC/B9ELqZfrmJ9Sf7qk"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH8RjUQ6DDDDgsVbqq+6zz1q6cBkus/BLUGa9JoWsqB4"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIkNP8Lo20fw3Ysq3B64Iep9WyVKWxdv5KJOZRLmAaaM"
];
networking.firewall.allowedTCPPorts = [ 5000 5050 ];
}


@ -1,35 +0,0 @@
{ config, pkgs, lib, ... }:
{
users.users.calcom = {
group = "calcom";
shell = "${pkgs.bash}/bin/bash";
uid = 592;
};
users.groups.calcom = {
gid = config.users.users.calcom.uid;
};
virtualisation.oci-containers.containers."calcom" = {
image = "calcom/cal.com:latest";
ports = [ "127.0.0.1:3469:3000" ];
user = "${toString config.users.users.calcom.uid}:${toString config.users.groups.calcom.gid}";
volumes = [
"/run/postgresql:/run/postgresql"
];
environmentFiles = [ config.age.secrets.picardCalCom.path ];
environment = {
DATABASE_URL = "postgresql://calcom:calcom@/run/postgresql";
NEXT_PUBLIC_WEBAPP_URL = "https://cal.xyno.systems";
CALCOM_TELEMETRY_DISABLED = 1;
};
};
services.postgresql = {
ensureDatabases = [ "calcom" ];
ensureUsers = [
{
name = "calcom";
ensureDBOwnership = true;
}
];
};
}