2
2
mirror of https://git.feal.no/felixalb/nixos-config.git synced 2024-12-22 04:07:28 +01:00

Move more services to defiant. Remove sarek.

This commit is contained in:
Felix Albrigtsen 2023-12-25 01:37:05 +01:00 committed by Felix Albrigtsen
parent b19fd41233
commit 5d10f85c18
17 changed files with 212 additions and 277 deletions

View File

@ -2,7 +2,6 @@ keys:
- &user_felixalb_old age1n6j9umxfn5ekvmsrqngdhux0y994yh72sd5xdt6sxec86k4dyu9shsgjkw
- &user_felixalb age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
- &host_voyager age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu
- &host_sarek age1yjc08ykd5d687p9tmn6mpsna3azryreuuz6akj2p0dtft9xqq5lsuamljk
- &host_defiant age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64
creation_rules:
@ -26,10 +25,3 @@ creation_rules:
- age:
- *host_defiant
- *user_felixalb
- path_regex: secrets/sarek/[^/]+\.yaml$
key_groups:
- age:
- *host_sarek
- *user_felixalb_old
- *user_felixalb

View File

@ -92,24 +92,6 @@
}
];
};
sarek = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
inherit inputs;
};
modules = [
# Overlays-module makes "pkgs.unstable" available in configuration.nix
({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
./hosts/sarek/configuration.nix
sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager {
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users."felixalb" = import ./hosts/sarek/home.nix;
}
];
};
redshirt = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {

View File

@ -10,6 +10,9 @@
./services/postgresql.nix
./services/nginx.nix
./services/matrix-synapse.nix
./services/flame.nix
./services/hedgedoc.nix
./services/pihole.nix
];
networking = {

View File

@ -4,26 +4,29 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/45ceae6b-cf6d-42d6-9694-d14c1d42b49f";
fsType = "ext4";
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/45ceae6b-cf6d-42d6-9694-d14c1d42b49f";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/DDDC-5C0C";
fsType = "vfat";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/DDDC-5C0C";
fsType = "vfat";
};
swapDevices = [ ];
swapDevices = [ {
device = "/swapfile";
size = 8*1024;
} ];
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;

View File

@ -0,0 +1,22 @@
{ config, pkgs, lib, ... }:
let
domain = "flame.home.feal.no";
host = "127.0.1.2";
port = "5005";
in {
# Flame - Homelab dashboard/linktree
virtualisation.oci-containers.containers = {
flame = {
image = "pawelmalak/flame";
ports = [ "${host}:${port}:5005" ];
volumes = [
"/var/lib/flame/data:/app/data/"
];
};
};
services.nginx.virtualHosts."${domain}" = {
locations."/".proxyPass = "http://${host}:${port}";
};
}

View File

@ -0,0 +1,117 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.hedgedoc.settings;
domain = "md.feal.no";
port = 3300;
host = "127.0.1.2";
authServerUrl = "https://auth.feal.no";
in {
# Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
sops.secrets."hedgedoc/env" = {
restartUnits = [ "hedgedoc.service" ];
};
services.hedgedoc = {
enable = true;
environmentFile = config.sops.secrets."hedgedoc/env".path;
settings = {
inherit domain port host;
protocolUseSSL = true;
sessionSecret = "$CMD_SESSION_SECRET";
allowFreeURL = true;
allowAnonymous = false;
allowAnonymousEdits = true; # Allow anonymous edits with the "freely" permission
# dbURL = "postgres://hedgedoc@localhost/hedgedoc";
db = {
username = "hedgedoc";
database = "hedgedoc";
host = "/run/postgresql";
dialect = "postgresql";
};
email = false;
oauth2 = {
baseURL = "${authServerUrl}/oauth2";
tokenURL = "${authServerUrl}/oauth2/token";
authorizationURL = "${authServerUrl}/ui/oauth2";
userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";
clientID = "hedgedoc";
clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
scope = "openid email profile";
userProfileUsernameAttr = "name";
userProfileEmailAttr = "email";
userProfileDisplayNameAttr = "displayname";
providerName = "KaniDM";
};
};
};
systemd.services.hedgedoc = {
requires = [
"postgresql.service"
# "kanidm.service"
];
serviceConfig = let
workDir = "/var/lib/hedgedoc";
in {
WorkingDirectory = lib.mkForce workDir;
StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];
# Better safe than sorry :)
CapabilityBoundingSet = "";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
ReadWritePaths = [ workDir ];
RemoveIPC = true;
RestrictSUIDSGID = true;
UMask = "0007";
RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
SystemCallArchitectures = "native";
# SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
};
};
services.postgresql = {
ensureDatabases = [ "hedgedoc" ];
ensureUsers = [{
name = "hedgedoc";
ensureDBOwnership = true;
}];
};
services.nginx.virtualHosts."${domain}" = {
listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; }
{ addr = "192.168.10.175"; port = 43080; ssl = false; }
];
enableACME = true;
forceSSL = true;
locations = {
"/" = {
proxyPass = "http://${host}:${toString port}";
};
"/socket.io" = {
proxyPass = "http://${host}:${toString port}";
proxyWebsockets = true;
};
};
};
}

View File

@ -12,7 +12,7 @@
defaultListen = [
{
addr = "192.168.10.175";
port = "80";
port = 80;
ssl = false;
}
];
@ -27,4 +27,22 @@
acceptTerms = true;
defaults.email = "felix@albrigtsen.it";
};
# Publicly exposed services:
services.nginx.virtualHosts = let
publicProxy = upstream: {
listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; }
{ addr = "192.168.10.175"; port = 43080; ssl = false; }
];
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "${upstream}";
};
in {
"jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/";
# "wiki.wackattack.eu" = publicProxy "http://pascal.wackattack.home.feal.no/";
};
}

View File

@ -0,0 +1,30 @@
{ config, pkgs, lib, ... }:
let
domain = "pihole.home.feal.no";
dnsHost = "192.168.10.175";
webuiListen = "127.0.1.2:5053";
in {
# Flame - Homelab dashboard/linktree
virtualisation.oci-containers.containers = {
pihole = {
image = "pihole/pihole";
ports = [
"${dnsHost}:53:53/tcp"
"${dnsHost}:53:53/udp"
"${webuiListen}:80"
];
environment.TZ = "Europe/Oslo";
volumes = [
"/var/lib/pihole/etc:/etc/pihole"
"/var/lib/pihole/dnsmasq:/etc/dnsmasq.d"
];
};
};
services.nginx.virtualHosts."${domain}" = {
locations."/".proxyPass = "http://${webuiListen}";
};
}

View File

@ -6,12 +6,11 @@
};
services.postgresqlBackup = {
enable = true;
# enable = true;
location = "/data/backup/postgresql/";
startAt = "*-*-* 03:15:00";
backupAll = true;
};
environment.systemPackages = [ config.services.postgresql.package ];
}

View File

@ -1,54 +0,0 @@
{ config, pkgs, lib, modulesPath, ... }:
{
imports =
[
(modulesPath + "/virtualisation/proxmox-lxc.nix")
../../base.nix
../../common/metrics-exporters.nix
./services/flame.nix
./services/hedgedoc.nix
./services/nginx.nix
./services/postgresql.nix
];
# Boot and console is handled by proxmoxLXC.
boot.loader.systemd-boot.enable = lib.mkForce false; # Enabled in base.nix, forced off here.
# Override proxmox networking
proxmoxLXC.manageNetwork = true;
networking = {
hostName = "sarek";
defaultGateway = "192.168.10.1";
interfaces."eth0".ipv4 = {
addresses = [
{ address = "192.168.10.181"; prefixLength = 24; }
];
};
hostId = "15dd36bc";
};
sops.defaultSopsFile = ../../secrets/sarek/sarek.yaml;
virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker";
# Undo https://github.com/NixOS/nixpkgs/commit/59e37267556eb917146ca3110ab7c96905b9ffbd to work on unprivileged LXC containers
system.activationScripts.var = lib.mkForce ''
# Various log/runtime directories.
mkdir -p /var/tmp
chmod 1777 /var/tmp
# Empty, immutable home directory of many system accounts.
mkdir -p /var/empty
# Make sure it's really empty
${pkgs.e2fsprogs}/bin/chattr -f -i /var/empty || true
find /var/empty -mindepth 1 -delete
chmod 0555 /var/empty
chown root:root /var/empty
${pkgs.e2fsprogs}/bin/chattr -f +i /var/empty || true
'';
systemd.tmpfiles.rules = lib.mkForce [];
system.stateVersion = "23.05";
}

View File

@ -1,20 +0,0 @@
{ pkgs, lib, ... }:
{
home.packages = with pkgs; [
bat
bottom
ncdu
neofetch
nix-index
];
imports = [
./../../home/base.nix
];
programs = {
zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
};
home.stateVersion = "23.05";
}

View File

@ -1,24 +0,0 @@
{ config, pkgs, lib, ... }:
let
domain = "flame.home.feal.no";
host = "127.0.1.2";
port = "5005";
in {
# Flame - Homelab dashboard/linktree
virtualisation.oci-containers.containers = {
flame = {
image = "pawelmalak/flame";
ports = [ "${host}:${port}:5005" ];
volumes = [
"/var/lib/flame/data:/app/data/"
];
};
};
services.nginx.virtualHosts."${domain}" = {
locations."/" = {
proxyPass = "http://${host}:${port}";
};
};
}

View File

@ -1,94 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.hedgedoc.settings;
domain = "md.feal.no";
port = 3300;
host = "0.0.0.0";
authServerUrl = "https://auth.feal.no";
in {
# Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
sops.secrets."hedgedoc/env" = {
restartUnits = [ "hedgedoc.service" ];
};
services.hedgedoc = {
enable = true;
environmentFile = config.sops.secrets."hedgedoc/env".path;
settings = {
inherit domain port host;
protocolUseSSL = true;
sessionSecret = "$CMD_SESSION_SECRET";
allowFreeURL = true;
allowAnonymous = false;
allowAnonymousEdits = true; # Allow anonymous edits with the "freely" permission
dbURL = "postgres://hedgedoc:@localhost/hedgedoc";
email = false;
oauth2 = {
baseURL = "${authServerUrl}/oauth2";
tokenURL = "${authServerUrl}/oauth2/token";
authorizationURL = "${authServerUrl}/ui/oauth2";
userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";
clientID = "hedgedoc";
clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
scope = "openid email profile";
userProfileUsernameAttr = "name";
userProfileEmailAttr = "email";
userProfileDisplayNameAttr = "displayname";
providerName = "KaniDM";
};
};
};
systemd.services.hedgedoc = {
requires = [
"postgresql.service"
# "kanidm.service"
];
serviceConfig = let
workDir = "/var/lib/hedgedoc";
in {
WorkingDirectory = lib.mkForce workDir;
StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];
# Better safe than sorry :)
CapabilityBoundingSet = "";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
ReadWritePaths = [ workDir ];
RemoveIPC = true;
RestrictSUIDSGID = true;
UMask = "0007";
RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
SystemCallArchitectures = "native";
# SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
};
};
networking.firewall.allowedTCPPorts = [ port ];
services.postgresql = {
ensureDatabases = [ "hedgedoc" ];
ensureUsers = [{
name = "hedgedoc";
ensureDBOwnership = true;
}];
};
}

View File

@ -1,19 +0,0 @@
{ config, values, ... }:
{
services.nginx = {
enable = true;
enableReload = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
/* security.acme = { */
/* acceptTerms = true; */
/* email = "felix@albrigtsen.it"; */
/* }; */
}

View File

@ -1,22 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.postgresql = {
enable = true;
enableTCPIP = true; # Expose on the network
authentication = pkgs.lib.mkOverride 10 ''
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
'';
};
services.postgresqlBackup = {
enable = true;
location = "/backup/postgresql/";
startAt = "*-*-* 03:15:00";
backupAll = true;
};
environment.systemPackages = [ config.services.postgresql.package ];
}

View File

@ -34,7 +34,7 @@
sshKey = "/var/root/.ssh/nix-builder";
}
{
hostName = "sarek.home.feal.no";
hostName = "defiant.home.feal.no";
system = "x86_64-linux";
maxJobs = 6;

View File

@ -1,6 +1,8 @@
matrix:
synapse:
registrationsecret: ENC[AES256_GCM,data:6gRW6t080VSyNRAmIrMqXL/oj7dj0JbcQekG3lac7zcdvJbgkUaqEGoWdrym2XiEOSLBOVMthnpLdalC2wcyJdmxB7xMNsYS4RfjR3PMKIo1Ap7JSmuKBl3eeaOalHk=,iv:dZl4/qFMoqEbSwL4JF/sjG21e6DuKVxbXwrGHkxfW4U=,tag:LWdCcmUUeTO4YAHkHOSJuw==,type:str]
hedgedoc:
env: ENC[AES256_GCM,data:7UU8MNo3AEpG1L0lpbfow4mGsIj7qMgtldCxv2T8rimintl1PN+avb2yxXz2P+1MqxNhacYYfBn5AkVqUJvAvo/HaQmsu+M1iFuMG6vEQuMGZZ1bjcslKxjVFWe9Rxzb9O33jqielsBiUmkP7f0MoGzfdyncpRuGjge+ADL7YXdRdH2zyDLW0txM3P593MQYiGo9wzwb7ZpycX4NsuE=,iv:4QE4RwD6c7KQS/w15YP/P2u7iOTWd36/YhpA2Jtdu0U=,tag:QBvO3q5C9TK0oSeso367/Q==,type:str]
sops:
kms: []
gcp_kms: []
@ -25,8 +27,8 @@ sops:
RXcvQU1JYnl0bUtocTZuNkRxcGQwR2MKnyAYtF2y7XBmNuIYi6RzqEJEPPg7B22A
fQVeDfIhiNSVva784KTU+y4TU1UPxumriRrLRFPF3h42ZEq2zQAgrQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-24T17:26:56Z"
mac: ENC[AES256_GCM,data:lj6GLwoKmDyZ7Gs7X4LOl531jHXn/yiollTFtKNTRfXKoayg40edWuyZR4eQBUWyjmznWeWSB7DT4L82S5DX6NNEqzBFMBlPFrz6DLDfWW/nMdmHW3l7tPxydm8BbmVi1kvp6W7JnHeA3dTaHyMaq5mwwPxhui64joN7964ABWA=,iv:TeESIqgS4ml7cYERq8+NItIjU+HLuxhXdzGMErcSrjg=,tag:fCIHhf77O6SjY9KjHVdrYw==,type:str]
lastmodified: "2023-12-24T23:15:29Z"
mac: ENC[AES256_GCM,data:h+omoqeN7ssm7lfF/kdUCX7umQwWtTeph2C9tJQEAP7naL+Sm5WgXl/6PYHjjDSJ8X56tQgNdA2F5P5xIwTEfi6ip0Xbqy9vL+TfqjRhaT897O9W3Gka0zKTIkLFH2klgv3FXRd1CybxfyZpuz8Gpyy/tHZMcdIbEt+snlAII/A=,iv:+MgU7SfErnTMc63liEr8SmJLAthlbG8kU/xY6fUC7jU=,tag:I56xwXpVOF38QelGqW0XPg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1