nix-configs/old-conf/hosts/picard/default.nix
Lucy Hochkamp 83de52d5db Add 'old-conf/' from commit '62a64a79a8'
git-subtree-dir: old-conf
git-subtree-mainline: 4667974392
git-subtree-split: 62a64a79a8
2025-11-21 13:33:06 +01:00


# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{
inputs,
config,
pkgs,
lib,
...
}:
{
imports = [
  # Include the results of the hardware scan.
  ./hardware-configuration.nix
  # Host-local service definitions that live next to this file.
  ./xynospace-matrix.nix
  ./plausible.nix
  ./obsidianshare.nix
  ./mail.nix
  ./gotosocial.nix
  ./ntfy.nix
  # ./ts-ovpn.nix
  # Shared system modules: persistence (tmpfs root), agenix secrets, filesystems, security.
  ../../nixos-modules/system/persist.nix
  ../../nixos-modules/system/agenix.nix
  ../../nixos-modules/system/fs.nix
  ../../nixos-modules/system/security.nix
  # Shared service modules; each one is switched on further down under `ragon.services`.
  ../../nixos-modules/services/ssh.nix
  ../../nixos-modules/services/msmtp.nix
  ../../nixos-modules/services/caddy
  ../../nixos-modules/services/bitwarden.nix
  ../../nixos-modules/networking/tailscale.nix
  # ../../nixos-modules/services/authelia.nix
  ../../nixos-modules/services/hedgedoc.nix
  ../../nixos-modules/services/ts3.nix
  ../../nixos-modules/user
];
# No manpages or NixOS manual on this host.
documentation = {
  enable = false;
  nixos.enable = false;
  man.enable = false;
};
# Legacy GRUB on the first disk; systemd-boot is explicitly switched off.
boot.loader = {
  grub = {
    enable = true;
    device = "/dev/sda";
  };
  systemd-boot.enable = false;
};
# Syncthing runs under the interactive account "ragon" (group "users")
# instead of the module's dedicated service user.
services.syncthing = {
  enable = true;
  user = "ragon";
  group = "users";
};
# Static IPv6 address on ens3.
networking.interfaces.ens3.ipv6.addresses = [
  {
    address = "2a03:4000:6:8120::1";
    prefixLength = 64;
  }
];
# NOTE(review): the gateway is attached to "enp0s3" while the address above
# lives on "ens3". These look like two naming schemes for the same NIC —
# confirm which name the kernel actually uses; if "enp0s3" does not exist the
# v6 default route is never installed.
networking.defaultGateway6 = {
  address = "fe80::1";
  interface = "enp0s3";
};
networking.nameservers = [
  "1.1.1.1"
  "8.8.8.8"
];
# networking.interfaces.eno1.useDHCP = true;
networking.hostId = "7c21236a";
# Immutable users due to tmpfs: every account (and its password hash) must be
# declared in configuration, nothing created at run time survives.
users.mutableUsers = false;
# PostgreSQL 17 with JIT enabled.
services.postgresql.package = pkgs.postgresql_17_jit;
services.postgresql.settings.shared_buffers = "4GB";
services.postgresql.settings.work_mem = "64MB";
# Caddy gets the deSEC API token (TOKEN, see `acme_dns desec` below) from the
# agenix-managed environment file, so the secret never enters the Nix store.
systemd.services.caddy.serviceConfig = {
  EnvironmentFile = config.age.secrets.desec.path;
};
networking.firewall = {
  # 80/443: Caddy. 25/143/465/587/993: the mail stack (presumably mail.nix).
  # SSH_PORT is whatever Forgejo advertises for git-over-SSH; with no
  # START_SSH_SERVER set here it is presumably the system sshd port.
  allowedTCPPorts = [
    80
    443
    config.services.forgejo.settings.server.SSH_PORT
    25
    143
    465
    587
    993
  ];
  # UDP 443, presumably for HTTP/3.
  allowedUDPPorts = [ 443 ];
};
# Exporter ports are not in allowedTCPPorts above, so they are only reachable
# on interfaces the firewall trusts.
services.prometheus.exporters = {
  node = {
    enable = true;
    enabledCollectors = [ "systemd" ];
  };
  postgres = {
    enable = true;
    # Connects as the local postgres superuser rather than a dedicated
    # read-only role.
    runAsLocalSuperUser = true;
  };
};
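services.caddy =
  let
    # Upstreams shared by several vhosts; one definition instead of the
    # copy-pasted addresses the original carried.
    plausible = "http://127.0.0.1:${toString config.services.plausible.server.port}";
    synapse = "http://192.168.100.11:8008";
    # Matrix discovery documents served from xyno.space.
    fqdn = "matrix.xyno.space";
    wkServer = {
      "m.server" = "${fqdn}:443";
    };
    wkClient = {
      "m.homeserver" = {
        "base_url" = "https://${fqdn}";
      };
      "m.identity_server" = {
        "base_url" = "https://vector.im";
      };
      # "org.matrix.msc3575.proxy" = { "url" = "https://slidingsync.ragon.xyz"; };
    };
  in
  {
    enable = true;
    logFormat = "level INFO";
    # NOTE(review): `admin :2019` binds the unauthenticated admin API on every
    # address, not only loopback (Caddy's default). The firewall does not open
    # 2019, but anything on an interface the firewall trusts (containers,
    # tailnet) can reconfigure Caddy through it. Prefer `admin localhost:2019`
    # unless /metrics genuinely has to be scraped from another host.
    globalConfig = ''
      email ssl@xyno.systems
      acme_ca https://acme-v02.api.letsencrypt.org/directory # hard coded so zerossl doesn't get used
      acme_dns desec {
        token "{$TOKEN}"
      }
      admin :2019
      metrics {
        per_host
      }
    '';
    virtualHosts = {
      # Wildcard cert via DNS-01; everything is proxied over the tailnet to ds9,
      # with SNI set to the requested host so ds9 can pick its certificate.
      "*.hailsatan.eu".extraConfig = ''
        tls ssl@xyno.systems {
          propagation_delay 1m
          ca https://acme-v02.api.letsencrypt.org/directory # hard coded so zerossl doesn't get used
          dns desec {
            token "{$TOKEN}"
          }
        }
        reverse_proxy https://ds9.kangaroo-galaxy.ts.net {
          transport http {
            tls_server_name {host}
          }
        }
      '';
      "l621.net".extraConfig = ''
        reverse_proxy http://127.0.0.1:8186
      '';
      # Static site plus Matrix discovery. The odd .js path is the Plausible
      # tracker served first-party; CORS "*" on the client document is what
      # Matrix web clients need to read it.
      "xyno.space".extraConfig = ''
        encode zstd gzip
        handle /.well-known/matrix/server {
          header Content-Type application/json
          respond `${builtins.toJSON wkServer}` 200
        }
        handle /.well-known/matrix/client {
          header Content-Type application/json
          header Access-Control-Allow-Origin "*"
          respond `${builtins.toJSON wkClient}` 200
        }
        handle /gyakapyukawfyuokfgwtyutf.js {
          rewrite * /js/plausible.outbound-links.js
          reverse_proxy ${plausible}
        }
        handle /api/event {
          reverse_proxy ${plausible}
        }
        redir /post/nix-darwin-introduction /posts/nix-darwin-introduction/ 301
        redir /post/nixos-utm-rosetta /posts/nixos-utm-rosetta/ 301
        redir /post/nix-store-nfs /posts/nix-store-nfs/ 301
        redir /post/parcel-quicktemplate /posts/parcel-quicktemplate/ 301
        redir /posts.rss /atom.xml 301
        redir /posts.atom /atom.xml 301
        root * /srv/www/xynospace
        file_server
      '';
      # Only the listed Synapse paths are proxied (/_synapse/client, not
      # /_synapse/admin); any other host under *.xyno.space is aborted.
      "*.xyno.space".extraConfig = ''
        @stats host stats.xyno.space
        handle @stats {
          reverse_proxy ${plausible}
        }
        @matrix host matrix.xyno.space
        handle @matrix {
          handle /_matrix/* {
            reverse_proxy ${synapse}
          }
          handle /notifications {
            reverse_proxy ${synapse}
          }
          handle /_synapse/client/* {
            reverse_proxy ${synapse}
          }
          handle /health {
            reverse_proxy ${synapse}
          }
        }
        handle {
          abort
        }
      '';
      # Per-host dispatch for the xyno.systems services; unknown hosts are
      # aborted. The "lost" cookie is a plain flag, no secret is stored in it.
      "*.xyno.systems".extraConfig = ''
        @lost host lost.xyno.systems
        handle @lost {
          handle /register {
            header ?Set-Cookie lost-registered=true
            respond registered 200
          }
          @lost-registered {
            header Cookie *lost-registered=true*
          }
          handle @lost-registered {
            redir https://snipe-it.hailsatan.eu/hardware{uri}
          }
          handle {
            redir https://xyno.space/contact?utm-source=lost&utm-content={uri}
          }
        }
        @md host md.xyno.systems
        handle @md {
          reverse_proxy http://[::1]:${toString config.services.hedgedoc.settings.port}
        }
        # @sso host sso.xyno.systems
        # handle @sso {
        # reverse_proxy http://127.0.0.1:9091
        # }
        @git host git.xyno.systems
        handle @git {
          reverse_proxy http://127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}
        }
        @notes host notes.xyno.systems
        handle @notes {
          reverse_proxy http://127.0.0.1:8086
        }
        @ntfy host ntfy.xyno.systems
        handle @ntfy {
          reverse_proxy http://127.0.0.1:15992
        }
        @bw host bw.xyno.systems
        handle @bw {
          reverse_proxy http://${config.services.vaultwarden.config.rocketAddress}:${toString config.services.vaultwarden.config.rocketPort}
        }
        handle {
          abort
        }
      '';
      "xyno.systems".extraConfig = ''
        redir https://xyno.space{uri}
      '';
      # Fixed: the inline page previously closed with </head> instead of </html>.
      "robotgirl.cloud".extraConfig = ''
        handle / {
          header Content-Type text/html
          header Access-Control-Allow-Origin "*"
          respond `<!DOCTYPE html><html><head><title>beep</title></head><body>
          <h2>
          beep :3
          </h2>
          <p>
          all the robots are on <a href="https://catgirl.cloud">catgirl.cloud</a> mew :3
          </p>
          </body></html>` 200
        }
      '';
    };
  };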
# Forgejo behind Caddy (git.xyno.systems, see the *.xyno.systems vhost).
# It binds loopback only; the reverse proxy is the sole public entry point.
services.forgejo = {
  enable = true;
  lfs.enable = true;
  settings = {
    global.APP_NAME = "xyno.systems git";
    server = {
      DOMAIN = "git.xyno.systems";
      ROOT_URL = "https://git.xyno.systems/";
      HTTP_HOST = "127.0.0.1";
      HTTP_PORT = 3031;
    };
    # Session cookie is HTTPS-only, matching the https ROOT_URL.
    session.COOKIE_SECURE = true;
    # Registration is open only through an external identity provider; the
    # local sign-up form is hidden.
    service = {
      DISABLE_REGISTRATION = false;
      ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
      SHOW_REGISTRATION_BUTTON = false;
    };
    openid = {
      ENABLE_OPENID_SIGNIN = false;
      ENABLE_OPENID_SIGNUP = true;
      # NOTE(review): with OpenID sign-in switched off, confirm that OpenID
      # sign-up is actually reachable — otherwise this whitelist is inert.
      WHITELISTED_URIS = "auth.hailsatan.eu";
    };
  };
};
# Secrets handled by the agenix module; consumers reference them through
# config.age.secrets.<name>.path (Caddy env file, borgmatic key material).
ragon.agenix.secrets = {
  desec = { };
  picardResticPassword = { };
  picardResticSSHKey = { };
  picardResticHealthCheckUrl = { };
  picardSlidingSyncSecret = { };
  gatebridgeHostKeys = { };
};
# A "root" superuser role, presumably so root-run tooling (the borgmatic
# pg_dumpall below) can connect over local peer auth without a password.
services.postgresql.ensureUsers = [
  { name = "root"; ensureClauses.superuser = true; }
];
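services.borgmatic =
  let
    # One monitoring ping per phase. The ping URL is itself a secret, so it is
    # read at run time instead of being baked into the store. `-fsS` (was
    # `-fss`): stay quiet on success but still print curl's error on failure.
    ping = suffix: "${pkgs.curl}/bin/curl -fsS -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.picardResticHealthCheckUrl.path})${suffix}";
    # Dump with the same major version the server runs (postgresql_17_jit is
    # set above). `pkgs.postgresql` is the default major, and pg_dumpall refuses
    # to talk to a server newer than itself.
    pg = config.services.postgresql.package;
  in
  {
    enable = true;
    configurations."picard-ds9" = {
      source_directories = [ "/persistent" ];
      # NOTE(review): the gatebridge target is reached as root; a dedicated
      # backup account with a restricted/append-only key would limit what a
      # compromised picard could do to existing backups.
      repositories = [
        {
          label = "ds9";
          path = "ssh://picardbackup@ds9/backups/picard/borgmatic";
        }
        {
          label = "gatebridge";
          path = "ssh://root@gatebridge/media/backup/picard";
        }
      ];
      exclude_if_present = [ ".nobackup" ];
      # Repository passphrase comes from the agenix secret, never the command line.
      encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.age.secrets.picardResticPassword.path}";
      compression = "auto,zstd,10";
      # Remote host keys are pinned through a dedicated known_hosts file and a
      # dedicated identity, so the job runs non-interactively without TOFU.
      ssh_command = "ssh -o GlobalKnownHostsFile=${config.age.secrets.gatebridgeHostKeys.path} -i ${config.age.secrets.picardResticSSHKey.path}";
      retention = {
        keep_daily = 7;
        keep_weekly = 4;
        keep_monthly = 12;
        keep_yearly = 10;
      };
      # NOTE(review): if the /start ping fails after its retries the before hook
      # exits non-zero, which presumably makes borgmatic skip the backup —
      # decide whether an outage of the monitoring endpoint should block backups.
      before_actions = [ (ping "/start") ];
      after_actions = [ (ping "") ];
      on_error = [ (ping "/fail") ];
      postgresql_databases = [
        {
          name = "all";
          pg_dump_command = "${pg}/bin/pg_dumpall";
          # NOTE(review): pg_dumpall emits plain SQL, which pg_restore does not
          # read; verify that a restore of "all" actually goes through psql.
          pg_restore_command = "${pg}/bin/pg_restore";
        }
      ];
    };
  };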
# Build ZFS with mail support so zed can send pool event notifications
# (presumably through the msmtp module enabled further down).
nixpkgs.overlays = [
  (final: prev: {
    zfs = prev.zfs.override { enableMail = true; };
  })
];
# services.xynoblog.enable = true;
# services.lolpizza2.enable = true;
# Mosh for SSH sessions; note the module opens its UDP port range in the
# firewall by default.
programs.mosh = {
  enable = true;
};
# Home-manager profile for the primary user: shared tmux/cli/files modules only.
home-manager.users.ragon =
  { pkgs, lib, inputs, config, ... }:
  {
    imports = [
      # ../../hm-modules/nvim
      # ../../hm-modules/zsh
      ../../hm-modules/tmux
      ../../hm-modules/cli.nix
      ../../hm-modules/files.nix
    ];
    programs.home-manager = {
      enable = true;
    };
    # Pinned; bump only after reading the release notes for the new version.
    home.stateVersion = "23.11";
  };
ragon = {
  user.enable = true;
  # Directories that must survive the tmpfs root: containers, web roots,
  # Caddy's data dir (certificates), Syncthing, Postgres and the Forgejo tree.
  persist = {
    enable = true;
    extraDirectories = [
      "/var/lib/nixos-containers"
      "/srv/www"
      config.services.caddy.dataDir
      "/var/lib/syncthing"
      # "/var/lib/${config.services.xynoblog.stateDirectory}"
      "/var/lib/postgresql"
      config.services.forgejo.stateDir
    ];
  };
  # Switches for the shared service modules imported at the top of the file.
  services = {
    caddy.enable = true;
    ssh.enable = true;
    msmtp.enable = true;
    bitwarden.enable = true;
    tailscale.enable = true;
    hedgedoc.enable = true;
    # authelia.enable = true;
    ts3.enable = true;
  };
};
}