Initial commit

This commit is contained in:
2022-03-07 16:01:52 +01:00
commit 1f105ac9d1
71 changed files with 6231 additions and 0 deletions


@@ -0,0 +1,284 @@
{ pkgs, config, ... }: let
# FIXME: lib should be imported directly as a module argument.
inherit (pkgs) lib;
# TODO: Split this file
in {
imports = [
./hardware-configuration.nix
../../pluggables/tools/programming.nix
];
systemd.targets = {
sleep.enable = false;
suspend.enable = false;
hibernate.enable = false;
hybrid-sleep.enable = false;
};
boot.loader = {
efi.canTouchEfiVariables = false;
grub = {
enable = true;
device = "/dev/sda";
version = 2;
};
};
time.timeZone = "Europe/Oslo";
networking = {
hostName = "Eisei";
networkmanager.enable = true;
useDHCP = false;
interfaces = {
eno1.useDHCP = true;
wlo1.useDHCP = true;
};
# firewall = {
# enable = false;
# allowedTCPPorts = [ ... ];
# allowedUDPPorts = [ ... ];
# };
};
i18n = {
defaultLocale = "en_US.UTF-8";
inputMethod = {
enabled = "fcitx";
fcitx.engines = with pkgs.fcitx-engines; [ mozc ];
};
# inputMethod = {
# enabled = "fcitx5";
# fcitx5.addons = with pkgs; [
# fcitx5-mozc
# fcitx5-gtk
# ];
# };
};
console = {
font = "Lat2-Terminus16";
keyMap = "us";
};
services = {
openssh.enable = true;
gnome.gnome-keyring.enable = true;
printing.enable = true;
dbus = {
enable = true;
packages = with pkgs; [
gcr
gnome3.dconf
];
};
cron = {
enable = true;
systemCronJobs = [
# "*/5 * * * * root date >> /tmp/cron.log"
];
};
xserver = {
enable = true;
layout = "us";
xkbOptions = "caps:escape";
libinput = {
enable = true;
touchpad.disableWhileTyping = true;
};
windowManager.xmonad = {
enable = true;
enableContribAndExtras = true;
};
};
};
sound.enable = true;
hardware.pulseaudio.enable = true;
hardware.bluetooth.enable = true;
nixpkgs.config = {
allowUnfree = true;
};
nix = {
distributedBuilds = true;
package = pkgs.nixFlakes;
binaryCaches = [
"https://cache.nixos.org/"
];
extraOptions = ''
experimental-features = nix-command flakes
builders-use-substitutes = true
'';
buildMachines = [
{
hostName = "Tsuki";
system = "x86_64-linux";
maxJobs = 1;
speedFactor = 3;
supportedFeatures = [
"nixos-test"
"benchmark"
"big-paralell"
"kvm"
];
mandatoryFeatures = [];
}
];
};
users.users.h7x4 = {
isNormalUser = true;
extraGroups = [
"wheel"
"networkmanager"
"docker"
"disk"
"audio"
"video"
"libvirtd"
"input"
];
shell = pkgs.zsh;
};
environment = {
variables = {
EDITOR = "nvim";
VISUAL = "nvim";
};
systemPackages = with pkgs; [
wget
haskellPackages.xmobar
];
shells = with pkgs; [
bashInteractive
zsh
dash
];
etc = {
# TODO: move this out of etc, and reference it directly in sudo config.
sudoLecture = {
target = "sudo.lecture";
text = lib.termColors.front.red "Be careful or something, idk...\n";
};
currentSystemPackages = {
target = "current-system-packages";
text = let
inherit (lib.strings) concatStringsSep;
inherit (lib.lists) sort;
inherit (lib.trivial) lessThan;
packages = map (p: "${p.name}") config.environment.systemPackages;
sortedUnique = sort lessThan (lib.unique packages);
in concatStringsSep "\n" sortedUnique;
};
};
};
fonts = {
enableDefaultFonts = true;
fonts = with pkgs; [
cm_unicode
dejavu_fonts
fira-code
fira-code-symbols
powerline-fonts
iosevka
symbola
corefonts
ipaexfont
ipafont
liberation_ttf
migmix
noto-fonts
noto-fonts-cjk
noto-fonts-emoji
open-sans
source-han-sans
source-sans
ubuntu_font_family
victor-mono
(nerdfonts.override { fonts = [ "FiraCode" "DroidSansMono" ]; })
];
fontconfig = {
defaultFonts = {
serif = [ "Droid Sans Serif" "Ubuntu" ];
sansSerif = [ "Droid Sans" "Ubuntu" ];
monospace = [ "Fira Code" "Ubuntu" ];
emoji = [ "Noto Sans Emoji" ];
};
};
};
programs = {
dconf.enable = true;
git.enable = true;
light.enable = true;
npm.enable = true;
tmux.enable = true;
neovim = {
enable = true;
defaultEditor = true;
viAlias = true;
vimAlias = true;
configure = {
packages.myVimPackage = with pkgs.vimPlugins; {
start = [
direnv-vim
vim-nix
vim-polyglot
];
opt = [
vim-monokai
];
};
customRC = ''
set number relativenumber
set undofile
set undodir=~/.cache/vim/undodir
packadd! vim-monokai
colorscheme monokai
'';
};
};
gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
};
security.sudo.extraConfig = ''
Defaults lecture = always
Defaults lecture_file = /etc/${config.environment.etc.sudoLecture.target}
'';
virtualisation = {
docker.enable = true;
libvirtd.enable = true;
};
system.stateVersion = "21.11";
}
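Review bot: `services.openssh.enable = true;` on this host ships with the module defaults, which at this stateVersion still allow password logins and root login, while the Tsuki configuration in this same commit hardens the same service with `passwordAuthentication = false;` and `permitRootLogin = "no";`. The two hosts should agree; the Eisei block can take the same three-line attrset in place of the one-liner. The `docker` group membership for `h7x4` is root-equivalent on that machine, which is presumably intended but is worth a one-line comment next to the group list so it is not copied around blindly.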


@@ -0,0 +1,37 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/59d56b94-29f0-45be-81cc-16050c712902";
fsType = "ext4";
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/e66ad6d8-28d5-4411-8289-5ec47d60858b";
fsType = "ext4";
};
fileSystems."/home/h7x4/Dropbox" =
{ device = "/dev/disk/by-uuid/b6b244ab-fdb2-4d90-8a38-b21b0932027b";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/62738962-4764-4136-bdd3-348de09400d0"; }
];
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -0,0 +1,237 @@
{ config, lib, pkgs, ... }:
{
imports =
[
./hardware-configuration.nix
../../pluggables/tools/programming.nix
./services/nginx.nix
# ./services/dokuwiki.nix
# ./services/gitlab
./services/gitea.nix
./services/jitsi.nix
# ./services/openldap.nix
./services/plex.nix
./services/hydra.nix
./services/matrix.nix
# ./services/libvirt.nix
./services/grafana.nix
# ./services/calibre.nix
./services/openvpn.nix
# ./services/samba.nix
./services/searx.nix
# ./services/syncthing.nix
];
systemd.targets = {
sleep.enable = false;
suspend.enable = false;
hibernate.enable = false;
hybrid-sleep.enable = false;
};
nix.package = pkgs.nixFlakes;
nix.extraOptions = ''
experimental-features = nix-command flakes
'';
# security.pam.services.login.unixAuth = true;
boot.loader = {
grub = {
enable = true;
version = 2;
efiSupport = true;
fsIdentifier = "label";
device = "nodev";
efiInstallAsRemovable = true;
};
# efi.efiSysMountPoint = "/boot/efi";
# efi.canTouchEfiVariables = true;
};
time.timeZone = "Europe/Oslo";
networking = {
hostName = "Tsuki";
networkmanager.enable = true;
useDHCP = false;
interfaces.ens18.useDHCP = true;
nameservers = [
"1.1.1.1"
"8.8.8.8"
];
firewall.enable=true;
};
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "us";
};
services = {
openssh = {
enable = true;
passwordAuthentication = false;
challengeResponseAuthentication = false;
permitRootLogin = "no";
};
printing.enable = true;
cron = {
enable = true;
systemCronJobs = [
# "*/5 * * * * root date >> /tmp/cron.log"
];
};
};
users.groups.media = {};
users.users = {
h7x4 = {
isNormalUser = true;
extraGroups = [
"wheel"
"networkmanager"
"docker"
"disk"
"libvirtd"
"input"
];
shell = pkgs.zsh;
};
media = {
isSystemUser = true;
group = "media";
};
};
environment = {
variables = {
EDITOR = "nvim";
VISUAL = "nvim";
};
systemPackages = with pkgs; [
wget
];
shells = with pkgs; [
bashInteractive
zsh
dash
];
etc = {
sudoLecture = {
target = "sudo.lecture";
text = "Be careful or something, idk...\n";
};
"resolv.conf" = with lib; with pkgs; {
source = writeText "resolv.conf" ''
${concatStringsSep "\n" (map (ns: "nameserver ${ns}") config.networking.nameservers)}
options edns0
'';
};
currentSystemPackages = {
target = "current-system-packages";
text = let
inherit (lib.strings) concatStringsSep;
inherit (lib.lists) sort;
inherit (lib.trivial) lessThan;
packages = map (p: "${p.name}") config.environment.systemPackages;
sortedUnique = sort lessThan (lib.unique packages);
in concatStringsSep "\n" sortedUnique;
};
};
};
fonts = {
enableDefaultFonts = true;
fonts = with pkgs; [
cm_unicode
dejavu_fonts
fira-code
fira-code-symbols
powerline-fonts
iosevka
symbola
corefonts
ipaexfont
ipafont
liberation_ttf
migmix
noto-fonts
noto-fonts-cjk
noto-fonts-emoji
open-sans
source-han-sans
source-sans
ubuntu_font_family
victor-mono
(nerdfonts.override { fonts = [ "FiraCode" "DroidSansMono" ]; })
];
fontconfig = {
defaultFonts = {
serif = [ "Droid Sans Serif" "Ubuntu" ];
sansSerif = [ "Droid Sans" "Ubuntu" ];
monospace = [ "Fira Code" "Ubuntu" ];
emoji = [ "Noto Sans Emoji" ];
};
};
};
programs = {
git.enable = true;
npm.enable = true;
tmux.enable = true;
neovim = {
enable = true;
defaultEditor = true;
viAlias = true;
vimAlias = true;
configure = {
packages.myVimPackage = with pkgs.vimPlugins; {
start = [
direnv-vim
vim-nix
vim-polyglot
];
opt = [
vim-monokai
];
};
customRC = ''
set number relativenumber
set undofile
set undodir=~/.cache/vim/undodir
packadd! vim-monokai
colorscheme monokai
'';
};
};
};
security.sudo.extraConfig = ''
Defaults lecture = always
Defaults lecture_file = /etc/${config.environment.etc.sudoLecture.target}
'';
virtualisation = {
docker.enable = true;
libvirtd.enable = true;
};
system.stateVersion = "21.11";
}
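Review bot: The `"resolv.conf"` entry uses nested `with lib; with pkgs;`, which leaves it unclear where `concatStringsSep` and `writeText` resolve from (`pkgs` also carries a `lib` attribute); `inherit (lib) concatStringsSep; inherit (pkgs) writeText;` in a `let` says it explicitly. Separately, `networkmanager.enable = true;` normally hands `/etc/resolv.conf` to NetworkManager/resolvconf, so a manual `environment.etc."resolv.conf"` definition may collide with or be ignored by that machinery — worth confirming on the host rather than assuming the hard-coded `1.1.1.1`/`8.8.8.8` list is what ends up in effect. Minor style: `firewall.enable=true;` is the only assignment in the file without spaces around `=`.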


@@ -0,0 +1,36 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/54b9fd58-0df5-410c-ab87-766860967653";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/0A60-2885";
fsType = "vfat";
};
fileSystems."/data" =
{ device = "/dev/disk/by-uuid/87354b26-4f7f-4b94-96fd-4bbeb834a03b";
fsType = "btrfs";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/92a1a33f-89a8-45de-a45e-6c303172cd7f"; }
];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -0,0 +1,12 @@
{ ... }:
{
services.calibre-server = {
# user = ""
# group = ""
enable = true;
# libraries = [
# /etc/abc
# ];
# libraryDir = ????
};
}


@@ -0,0 +1,9 @@
{ ... }:
{
services.dokuwiki.sites = {
# TODO: research?
wiki = {
enable = false;
};
};
}


@@ -0,0 +1,62 @@
{config, pkgs, lib, secrets, ...}:
{
security.pam.services."gitea".unixAuth = true;
users.users.git = {
description = "Gitea service";
home = config.services.gitea.stateDir;
useDefaultShell = true;
group = "gitea";
isSystemUser = true;
uid = config.ids.uids.git;
};
services.gitea = {
enable = true;
user = "git";
appName = "Git Gud";
cookieSecure = true;
rootUrl = "https://git.nani.wtf/";
domain = "git.nani.wtf";
# # TODO: move to secrets
httpPort = secrets.ports.gitea;
disableRegistration = true;
database = {
user = "git";
};
settings = {
server = {
BUILTIN_SSH_SERVER_USER="git";
};
ui.DEFAULT_THEME = "arc-green";
indexer.REPO_INDEXER_ENABLED = true;
mailer = {
ENABLED = true;
FROM = "gitea@nani.wtf";
};
# markup = let
# docutils = pkgs.python37.withPackages (ps: with ps; [
# docutils # Provides rendering of ReStructured Text files
# pygments # Provides syntax highlighting
# ]);
# in {
# restructuredtext = {
# ENABLED = true;
# FILE_EXTENSIONS = ".rst";
# RENDER_COMMAND = "${docutils}/bin/rst2html.py";
# IS_INPUT_FILE = false;
# };
# asciidoc = {
# ENABLED = true;
# FILE_EXTENSIONS = ".adoc,.asciidoc";
# RENDER_COMMAND = "${pkgs.asciidoctor}/bin/asciidoctor -e -a leveloffset=-1 --out-file=- -";
# IS_INPUT_FILE = false;
# };
# };
};
};
}
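Review bot: `security.pam.services."gitea".unixAuth = true;` lets the Gitea process authenticate against local system accounts, but nothing else in this file configures a PAM authentication source, so the line either needs a comment stating why it is there (e.g. `# required for Gitea's PAM authentication source; remove if only local/DB users are used`) or should be dropped until that source is added. The `# # TODO: move to secrets` above `httpPort` is stale, since the value already comes from `secrets.ports.gitea`. The mailer block sets `ENABLED = true` and `FROM` but no host/protocol, which presumably relies on defaults; a short comment naming the intended relay would help the next reader.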


@@ -0,0 +1,94 @@
{ pkgs, lib, config, secrets, ... }:
let
gitlab-port = secrets.ports.gitlab;
gitlab-host = "gitlab.nani.wtf";
# TODO: this should optimally be extracted out to nix-secrets completely.
gitlab-keydir = secrets.hosts.${config.networking.hostName}.keydir + "/gitlab";
in
{
# TODO: Set up gitlab-runner
# imports = [ ./runner.nix ];
services.gitlab = {
enable = false;
host = gitlab-host;
port = gitlab-port + 1;
user = "gitlab";
group = "gitlab";
databaseUsername = "gitlab";
statePath = "${secrets.hosts.${config.networking.hostName}.dataStatePath}/gitlab";
# A file containing the initial password of the root gitlab-account.
# This file should be readable to the user defined in `services.gitlab.user`,
# optimally having only read write permissions for that user.
initialRootPasswordFile = secrets.keys.gitlab.root_password;
secrets = { inherit (secrets.keys.gitlab) secretFile dbFile otpFile jwsFile; };
# TODO: Activate GitLabs Prometheus service
# extraGitlabRb = ''
# prometheus['enabled'] = true
# prometheus['server_address'] = '0.0.0.0:10392'
# '';
smtp = {
tls = true;
# address = gitlab-host;
port = gitlab-port + 2;
};
# TODO: Set up registry
# registry = {
# enable = true;
# # host = gitlab-host;
# port = gitlab-port + 3;
# externalPort = gitlab-port + 3;
# certFile = /var/cert.pem;
# keyFile = /var/key.pem;
# };
pagesExtraArgs = [
"-gitlab-server" "http://${gitlab-host}"
"-listen-proxy" "127.0.0.1:${toString (gitlab-port + 4)}"
"-log-format" "text"
];
# https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/misc/gitlab.nix
# https://gitlab.com/gitlab-org/gitlab/blob/master/config/gitlab.yml.example
extraConfig = {
# gitlab = {};
gravatar.enabled = false;
# TODO: Fix pages API connection
# pages = {
# enabled = true;
# host = gitlab-host;
# secret_file = "${toString gitlab-keydir}/pages_secret";
# local_store.enabled = true;
# };
};
};
# TODO: Set up registry
# services.dockerRegistry = {
# enable = true;
# };
# TODO: Connect plantuml to gitlab
services.plantuml-server = {
enable = true;
listenPort = gitlab-port + 5;
};
# TODO: Make module for kroki, and connect to gitlab
# services.kroki = {
#
# };
}
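Review bot: `gitlab-keydir` is bound in the `let` but only referenced from commented-out code, so it is dead as committed; either drop it or keep it next to the pages TODO it belongs to. `services.plantuml-server` is enabled unconditionally even though `services.gitlab.enable = false;` and the TODO says it is not yet connected, which leaves an unused listener running on `gitlab-port + 5`; tying it to the same flag (`enable = config.services.gitlab.enable;`) keeps the two in step. The note above `initialRootPasswordFile` reads "only read write permissions"; it presumably means read-only for that user.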


@@ -0,0 +1,25 @@
#!/usr/bin/env bash
if [ "$EUID" -ne 0 ]; then
echo "Please run as root"
exit 1
fi
KEYDIR='/var/keys/gitlab'
umask u=rwx,g=,o=
mkdir -p $KEYDIR
chmod 755 '/var/keys'
for FILE in secretFile dbFile otpFile pages_secret; do
tr -dc A-Za-z0-9 < /dev/random | head -c 128 > $KEYDIR/$FILE
done
nix-shell -p openssl --run "openssl genrsa 2048 > $KEYDIR/jwsFile"
chmod 600 $KEYDIR/jwsFile
read -s -p "Root password: " ROOTPASS
echo $ROOTPASS > $KEYDIR/root_password
chown -R git:git $KEYDIR
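Review bot: The final `chown -R git:git $KEYDIR` hands the GitLab key directory to the `git` user, but the gitlab.nix in this same commit runs GitLab as `user = "gitlab"; group = "gitlab";` and its own comment says the root password file must be readable by `services.gitlab.user`; `git` is the Gitea service account on this host, so unless that is deliberate the owner should be `gitlab:gitlab`. The password capture is also fragile: `read -s -p` without `-r` eats backslashes and unquoted `echo $ROOTPASS` word-splits and glob-expands the secret, so use `read -rs` and `printf '%s\n' "$ROOTPASS"`. There is no `set -eu`, so a failed `mkdir` or `openssl` still lets the script continue and chown a half-populated directory. `/dev/random` may block on older kernels; `/dev/urandom` is the usual choice here and is no weaker on current systems.
```shell
#!/usr/bin/env bash
set -eu
# … unchanged: root check, KEYDIR, umask, mkdir/chmod, random-secret loop, jwsFile generation …
read -rs -p "Root password: " ROOTPASS
printf '%s\n' "$ROOTPASS" > "$KEYDIR/root_password"
# owner must match services.gitlab.user/group (gitlab.nix), not Gitea's "git" account
chown -R gitlab:gitlab "$KEYDIR"
```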


@@ -0,0 +1,51 @@
{ ... }:
{
# See https://nixos.wiki/wiki/Gitlab_runner
# boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1
# virtualisation.docker.enable = true;
# services.gitlab-runner = {
# enable = true;
# services= {
# # runner for building in docker via host's nix-daemon
# # nix store will be readable in runner, might be insecure
# nix = with lib;{
# # File should contain at least these two variables:
# # `CI_SERVER_URL`
# # `REGISTRATION_TOKEN`
# registrationConfigFile = toString ./path/to/ci-env; # 2
# dockerImage = "alpine";
# dockerVolumes = [
# "/nix/store:/nix/store:ro"
# "/nix/var/nix/db:/nix/var/nix/db:ro"
# "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
# ];
# dockerDisableCache = true;
# preBuildScript = pkgs.writeScript "setup-container" ''
# mkdir -p -m 0755 /nix/var/log/nix/drvs
# mkdir -p -m 0755 /nix/var/nix/gcroots
# mkdir -p -m 0755 /nix/var/nix/profiles
# mkdir -p -m 0755 /nix/var/nix/temproots
# mkdir -p -m 0755 /nix/var/nix/userpool
# mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
# mkdir -p -m 1777 /nix/var/nix/profiles/per-user
# mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
# mkdir -p -m 0700 "$HOME/.nix-defexpr"
# . ${pkgs.nix}/etc/profile.d/nix.sh
# ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-20.09 nixpkgs # 3
# ${pkgs.nix}/bin/nix-channel --update nixpkgs
# ${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [ nix cacert git openssh ])}
# '';
# environmentVariables = {
# ENV = "/etc/profile";
# USER = "root";
# NIX_REMOTE = "daemon";
# PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
# NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
# };
# tagList = [ "nix" ];
# };
# };
# };
}


@@ -0,0 +1,76 @@
{ config, lib, secrets, ... }:
{
services.grafana = {
enable = true;
domain = "log.nani.wtf";
port = secrets.ports.grafana;
addr = "0.0.0.0";
};
# services.influxdb = {
# enable = true;
# dataDir = "/data/var/influxdb";
# extraConfig = {
# udp = {
# enabled = true;
# bind-address = "0.0.0.0:8089";
# database = "proxmox";
# batch-size = 1000;
# batch-timeout = "1s";
# };
# };
# };
services.prometheus = {
enable = true;
port = secrets.ports.prometheus;
scrapeConfigs = [
{
job_name = "synapse";
scrape_interval = "15s";
metrics_path = "/_synapse/metrics";
static_configs = [
{
targets = [ "localhost:${toString secrets.ports.matrix.listener}" ];
}
];
}
{
job_name = "minecraft";
# scrape_interval = "15s";
# metrics_path = "/_synapse/metrics";
static_configs = [
{
targets = [ "${secrets.ips.crafty}:${toString secrets.ports.prometheus-crafty}" ];
labels = {
server_name = "my-minecraft-server";
};
}
];
}
];
exporters = {
jitsi.enable = true;
nginx.enable = true;
nginxlog.enable = true;
systemd.enable = true;
# postgres.enable = true;
};
# globalConfig = {
# };
};
# services.loki = {
# enable = true;
# configFile = ./loki-local-config.yaml;
# config = {
# };
# };
}
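Review bot: `addr = "0.0.0.0";` binds Grafana on every interface, yet the nginx.nix in this commit only exposes it through the `log` vhost, which proxies `http://localhost:…` behind a client-certificate check; a direct bind on all interfaces sidesteps that gate for anything that can reach the port, and only the host firewall stands in the way. Since the proxy talks to localhost, `addr = "127.0.0.1";` is sufficient. Prometheus has the same shape (no `listenAddress` set, module default is all interfaces) and is not proxied at all; `listenAddress = "127.0.0.1";` would keep it local unless remote scraping is intended.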


@@ -0,0 +1,9 @@
{ secrets, ... }:
{
services.hydra = {
enable = true;
hydraURL = "http://hydra.nani.wtf";
notificationSender = "hydra@nani.wtf";
port = secrets.ports.hydra;
};
}
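Review bot: `hydraURL = "http://hydra.nani.wtf";` uses plain http, but the nginx.nix in this commit serves `hydra` with `forceSSL = true`, so links and redirects Hydra generates will point at a scheme that immediately redirects; it should be `https://hydra.nani.wtf`. The service is only reached through that reverse proxy (`http://localhost:${s ports.hydra}`), so `listenHost = "localhost";` would stop the Hydra port from also being bound on external interfaces.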


@@ -0,0 +1,16 @@
{ ... }:
{
services.jitsi-meet = {
enable = true;
hostName = "jitsi.nani.wtf";
config = {
enableWelcomePage = false;
prejoinPageEnabled = true;
defaultLang = "en";
};
interfaceConfig = {
SHOW_JITSI_WATERMARK = false;
SHOW_WATERMARK_FOR_GUESTS = false;
};
};
}



@@ -0,0 +1,134 @@
{config, pkgs, lib, secrets, ...}: {
# configure synapse to point users to coturn
services.matrix-synapse = {
enable = true;
turn_uris = let
inherit (config.services.coturn) realm;
p = toString secrets.ports.matrix.default;
in ["turn:${realm}:${p}?transport=udp" "turn:${realm}:${p}?transport=tcp"];
turn_shared_secret = config.services.coturn.static-auth-secret;
turn_user_lifetime = "1h";
server_name = "nani.wtf";
public_baseurl = "https://matrix.nani.wtf";
enable_metrics = true;
listeners = [
{
port = secrets.ports.matrix.listener;
bind_address = "::1";
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = [ "client" "federation" "metrics" ];
compress = false;
}
];
}
];
enable_registration = false;
# password_config.enabled = lib.mkForce false;
dataDir = "/data/var/matrix";
database_type = "psycopg2";
database_args = {
password = "synapse";
};
# redis.enabled = true;
# settings = {
# };
};
services.redis.enable = true;
# enable coturn
services.coturn = rec {
enable = true;
no-cli = true;
no-tcp-relay = true;
min-port = secrets.ports.matrix.min;
max-port = secrets.ports.matrix.max;
use-auth-secret = true;
static-auth-secret = secrets.keys.matrix.static-auth-secret;
realm = "turn.nani.wtf";
cert = "${secrets.keys.certificates.server.crt}";
pkey = "${secrets.keys.certificates.server.key}";
extraConfig = ''
# for debugging
verbose
# ban private IP ranges
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
denied-peer-ip=::1
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
'';
};
services.postgresql = {
enable = true;
## postgresql user and db name remains in the
## service.matrix-synapse.database_args setting which
## by default is matrix-synapse
initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
};
# open the firewall
networking.firewall = {
interfaces.enp2s0 = let
range = with config.services.coturn; [ {
from = secrets.ports.matrix.min;
to = secrets.ports.matrix.max;
} ];
in
{
allowedUDPPortRanges = range;
allowedUDPPorts = [ secrets.ports.matrix.default ];
allowedTCPPortRanges = range;
allowedTCPPorts = [ secrets.ports.matrix.default ];
};
};
# get a certificate
# security.acme.certs.${config.services.coturn.realm} = {
# /* insert here the right configuration to obtain a certificate */
# postRun = "systemctl restart coturn.service";
# group = "turnserver";
# };
}
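Review bot: `networking.firewall.interfaces.enp2s0` opens the TURN ports on an interface this host does not appear to have: the Tsuki configuration in the same commit declares only `interfaces.ens18`, so as written coturn's relay range and listener stay closed and calls relying on TURN will fail. Unless `enp2s0` exists and is simply not managed here, the key should be `ens18` (or the rules placed on the top-level `networking.firewall` if interface scoping is not needed). The `with config.services.coturn;` in the `range` binding is unused, since the bounds come from `secrets.ports.matrix`. The database password `synapse` appears both in `database_args` and in the `initialScript` literal, so it is written into the world-readable Nix store; the rest of this file already draws secrets from `secrets`, and the synapse module's `extraConfigFiles` exists to keep such values out of the store.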


@@ -0,0 +1,64 @@
{ pkgs, lib, ... }:
# See https://github.com/InfinityGhost/nixos-workstation/blob/master/minecraft-server.nix
let
allocatedMemory = "4096M";
in {
services.minecraft-server = let
version = "1.18.1";
spigot = pkgs.minecraft-server.overrideAttrs (old: {
src = pkgs.fetchurl {
url = "https://hub.spigotmc.org/jenkins/job/BuildTools/141/artifact/target/BuildTools.jar";
sha1 = "?";
};
buildPhase = ''
cat > minecraft-server << EOF
#!${pkgs.bash}/bin/sh
exec ${pkgs.adoptopenjdk-jre-hotspot-bin-17}/bin/java \$@ -jar $out/bin/spigot-${version}.jar nogui
java -jar $src --rev ${version}
'';
installPhase = ''
mkdir -p $out/bin $out/lib/minecraft
cp -v spigot-${version}.jar $out/lib/minecraft
cp -v minecraft-server $out/bin
chmod +x $out/bin/minecraft-server
'';
});
in {
enable = true;
eula = true;
package = pkgs.spigot;
declarative = true;
dataDir = "/home/h7x4/minecraft";
openFirewall = true;
jvmOpts = lib.concatStringsSep " " [
"-Xmx${allocatedMemory}"
"-Xms${allocatedMemory}"
"-XX:+UseG1GC"
"-XX:ParallelGCThreads=2"
"-XX:MinHeapFreeRatio=5"
"-XX:MaxHeapFreeRatio=10"
];
serverProperties = {
motd = "NixOS Minecraft Server";
server-port = 25565;
difficulty = 2;
gamemode = 0;
max-players = 5;
white-list = false;
enable-rcon = false;
allow-flight = true;
};
# whitelist = {};
};
}
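Review bot: `package = pkgs.spigot;` will fail evaluation, because `spigot` is a `let` binding in this file and not an attribute of `pkgs`; it should read `package = spigot;`. In `buildPhase` the heredoc opened by `cat > minecraft-server << EOF` is never closed, so the `java -jar $src --rev ${version}` line becomes part of the wrapper script instead of running BuildTools, and the wrapper's `exec` points at `$out/bin/spigot-${version}.jar` while `installPhase` copies the jar to `$out/lib/minecraft`. Adding an `EOF` line after the `exec` and changing the path to `$out/lib/minecraft/spigot-${version}.jar` fixes both; `sha1 = "?"` is a placeholder that will also fail the fetch until filled in.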


@@ -0,0 +1,143 @@
{ pkgs, config, secrets, ... }:
let
# TODO: fix lib
lib = pkgs.lib;
inherit (secrets) ips ports;
s = toString;
in
{
security.acme = {
email = "h7x4abk3g@protonmail.com";
acceptTerms = true;
};
services.nginx = let
generateServerAliases =
domains: subdomains:
lib.lists.flatten (map (s: map (d: "${s}.${d}") domains) subdomains);
in {
enable = true;
statusPage = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = let
inherit (lib.attrsets) nameValuePair listToAttrs recursiveUpdate;
inherit (lib.lists) head drop;
inherit (secrets) domains keys;
makeHost =
subdomains: extraSettings:
nameValuePair "${head subdomains}.${head domains}" (recursiveUpdate {
serverAliases = drop 1 (generateServerAliases domains subdomains);
forceSSL = true;
sslCertificate = keys.certificates.server.crt;
sslCertificateKey = keys.certificates.server.key;
} extraSettings);
makeACMEHost =
subdomains: extraSettings:
nameValuePair "${head subdomains}.${head domains}" (recursiveUpdate {
serverAliases = drop 1 (generateServerAliases domains subdomains);
enableACME = true;
forceSSL = true;
} extraSettings);
makeClientCertHost =
subdomains: extraSettings:
nameValuePair "${head subdomains}.${head domains}" (recursiveUpdate {
serverAliases = drop 1 (generateServerAliases domains subdomains);
enableACME = true;
forceSSL = true;
extraConfig = ''
ssl_client_certificate ${secrets.keys.certificates.CA.crt};
ssl_verify_client optional;
'';
locations."/".extraConfig = ''
if ($ssl_client_verify != SUCCESS) {
return 403;
}
'';
} extraSettings);
makeProxy =
subdomains: url: extraSettings:
makeHost subdomains (recursiveUpdate { locations."/".proxyPass = url; } extraSettings);
makeACMEProxy =
subdomains: url: extraSettings:
makeACMEHost subdomains (recursiveUpdate { locations."/".proxyPass = url; } extraSettings);
makeClientCertProxy =
subdomains: url: extraSettings:
makeClientCertHost subdomains (recursiveUpdate { locations."/".proxyPass = url; } extraSettings);
in (listToAttrs [
# (makeACMEProxy ["gitlab"] "http://unix:/run/gitlab/gitlab-workhorse.socket" {})
(makeACMEProxy ["plex"] "http://localhost:${s ports.plex}" {})
(makeACMEHost ["www"] { root = "/data/www"; })
(makeACMEProxy ["matrix"] "http://localhost:${s ports.matrix.listener}" {})
(makeACMEProxy ["git"] "http://localhost:${s ports.gitea}" {})
(makeClientCertHost ["cache"] { root = "/var/lib/nix-cache"; })
(makeClientCertProxy ["px1"] "https://${ips.px1}:${s ports.proxmox}" {
locations."/".proxyWebsockets = true;
})
(makeClientCertProxy ["idrac"] "https://${ips.idrac}" {})
(makeClientCertProxy ["searx"] "http://localhost:${s ports.searx}" {})
(makeACMEProxy ["dyn"] "http://${ips.crafty}:${s ports.dynmap}" {
basicAuthFile = keys.htpasswds.default;
})
(makeClientCertProxy ["log"] "http://localhost:${s ports.grafana}" {
locations."/".proxyWebsockets = true;
})
# (makeProxy ["wiki"] "" {})
# (makeHost ["vpn"] "" {})
(makeClientCertProxy ["hydra"] "http://localhost:${s ports.hydra}" {})
# (makePassProxy ["sync" "drive"] "" {})
# (makePassProxy ["music" "mpd"] "" {})
]) // {
${config.services.jitsi-meet.hostName} = {
enableACME = true;
forceSSL = true;
};
};
upstreams = {};
streamConfig = ''
upstream minecraft {
server ${ips.crafty}:${s ports.minecraft};
}
server {
listen 0.0.0.0:${s ports.minecraft};
listen [::0]:${s ports.minecraft};
proxy_pass minecraft;
}
'';
# upstream openvpn {
# server localhost:${s ports.openvpn};
# }
# server {
# listen 0.0.0.0:${s ports.openvpn};
# listen [::0]:${s ports.openvpn};
# proxy_pass openvpn;
# }
};
networking.firewall.allowedTCPPorts = [
80
443
# secrets.ports.openvpn
ports.minecraft
];
}
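Review bot: In `makeClientCertHost` the client-certificate gate lives in `locations."/".extraConfig`, and `recursiveUpdate` replaces string leaves, so any caller that passes its own `locations."/".extraConfig` (or adds further locations) silently loses the `return 403` and serves the backend to unauthenticated clients. Moving `if ($ssl_client_verify != SUCCESS) { return 403; }` into the server-level `extraConfig` next to `ssl_client_certificate` applies it to every location and cannot be overridden by the per-host settings. `generateServerAliases` reuses `s` as a lambda parameter, shadowing the file-level `s = toString` alias; a name like `sub` avoids the confusion.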


@@ -0,0 +1,74 @@
{ pkgs, ... }:
{
services.openldap = {
enable = true;
# dataDir = "/data/var/openldap";
urlList = [ "ldap:///" "ldapi:///" ]; # Add ldaps to this list to listen with SSL (requires configured certificates)
# suffix = "dc=nixos,dc=org";
# rootdn = "cn=admin,dc=nixos,dc=org";
# rootpwFile = "/var/keys/ldap/rootpw";
# See https://www.openldap.org/doc/admin24/slapdconfig.html
# extraDatabaseConfig = ''
# access to dn.base="dc=nixos,dc=org" by * read
# # Add your own ACLs here…
# # Drop everything that wasn't handled by previous ACLs:
# access to * by * none
# index objectClass eq
# index uid eq
# index mail sub
# # Accelerates replication if you use it
# index entryCSN eq
# index entryUUID eq
# '';
settings = {
attrs.olcLogLevel = [ "stats" ];
children = {
"cn=schema".includes = [
"${pkgs.openldap}/etc/schema/core.ldif"
"${pkgs.openldap}/etc/schema/cosine.ldif"
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
];
"olcDatabase={-1}frontend" = {
attrs = {
objectClass = "olcDatabaseConfig";
olcDatabase = "{-1}frontend";
olcAccess = [ "{0}to * by dn.exact=uidNumber=0+gidNumber=0,cn=peercred,cn=external,cn=auth manage stop by * none stop" ];
};
};
"olcDatabase={0}config" = {
attrs = {
objectClass = "olcDatabaseConfig";
olcDatabase = "{0}config";
olcAccess = [ "{0}to * by * none break" ];
};
};
"olcDatabase={1}mdb" = {
attrs = {
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
olcDatabase = "{1}mdb";
olcDbDirectory = "/data/var/openldap/db";
olcDbIndex = [
"objectClass eq"
"cn pres,eq"
"uid pres,eq"
"sn pres,eq,subany"
];
olcSuffix = "dc=example,dc=com";
olcAccess = [ "{0}to * by * read break" ];
};
};
};
};
# Setting this causes OpenLDAP to drop the entire database on startup and write the contents of
# of this LDIF string into the database. This ensures that only nix-managed content is found in the
# database. Note that if a lot of entries are created in conjunction with a lot of indexes, this might hurt
# startup performance.
# Also, you can set `readonly on` in `extraDatabaseConfig` to ensure nobody writes data that will be
# lost.
# declarativeContents = "…";
};
}
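Review bot: The mdb database ACL `olcAccess = [ "{0}to * by * read break" ]` grants anonymous read on every attribute, which includes `userPassword` hashes once accounts exist; the usual first rule is `"{0}to attrs=userPassword by self write by anonymous auth by * none"` with the broader read rule after it. `olcSuffix = "dc=example,dc=com";` is still the placeholder suffix and does not match the commented `dc=nixos,dc=org` above it, so the two should be reconciled before this file is imported. The `urlList` comment notes that `ldaps:///` is absent, so anything binding with a password over `ldap:///` from another host would do so in clear; fine for the `ldapi` local case, worth a note if remote clients are planned.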


@@ -0,0 +1,53 @@
{ config, pkgs, secrets, ... }:
let
inherit (secrets) ips ports;
in {
services = {
openvpn.servers = let
inherit (secrets.keys.certificates) openvpn CA server;
inherit (secrets.openvpn) ip-range;
in {
tsuki = {
config = ''
dev tap
server-bridge ${ips.tsuki} 255.255.255.0 ${ip-range.start} ${ip-range.end}
local 0.0.0.0
port ${toString ports.openvpn}
user nobody
group nogroup
comp-lzo no
push 'comp-lzo no'
persist-key
persist-tun
keepalive 10 120
topology subnet
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"
dh none
ecdh-curve prime256v1
tls-crypt ${openvpn.tls-crypt}
ca ${CA.crt}
cert ${server.crt}
key ${server.key}
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
status /var/openvpn/status.log
verb 3
'';
autoStart = false;
updateResolvConf = true;
};
};
};
networking.firewall = {
allowedUDPPorts = [ ports.openvpn ];
allowedTCPPorts = [ ports.openvpn ];
};
# networking.bridges.br0.interfaces = [ "tap0" "ens18" ];
}
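Review bot: `allowedTCPPorts = [ ports.openvpn ];` opens a TCP port the server never listens on, since the config sets no `proto` and OpenVPN defaults to UDP; drop it, or add `proto tcp` if the commented nginx stream proxy for openvpn is the plan. `updateResolvConf = true;` installs the update-resolv-conf up/down hooks, which are meant for a client instance; on a server config it presumably does nothing useful and should be removed or explained. `status /var/openvpn/status.log` assumes that directory exists, which nothing here creates.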


@@ -0,0 +1,21 @@
{ secrets, ... }:
{
services.plex = {
enable = true;
openFirewall = true;
dataDir = "/data/var/plex";
};
# TODO: make default directories.
services.samba.shares.plex = {
path = "/data/media";
browseable = "yes";
"read only" = "no";
"guest ok" = "no";
"create mode" = 0664;
"directory mode" = 2775;
comment = "Movies, Series and other stuff for Plex";
};
networking.firewall.allowedTCPPorts = [ secrets.ports.plex ];
}
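Review bot: `services.samba.shares.plex` is defined here and again in the samba.nix added by this commit (`path`, `browseable`, `"guest ok"`, `comment` all set in both), so importing both files would produce conflicting-definition errors; pick one owner for the share. `"create mode" = 0664;` and `"directory mode" = 2775;` are decimal Nix integers, not octal — Samba happens to parse the rendered `664`/`2775` as octal, so it works by coincidence; writing them as strings (`"0664"`, `"2775"`) makes the intent explicit. With `openFirewall = true` already set on the plex module, the extra `allowedTCPPorts = [ secrets.ports.plex ]` is presumably redundant.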


@@ -0,0 +1,23 @@
{}:
{
services.samba = {
enable = true;
extraConfig = ''
'';
shares = {
plex = {
path = "/data/media";
"read only" = false;
browseable = "yes";
"guest ok" = "no";
comment = "Pictures, music, videos, etc.";
};
# home = {
# };
};
};
}
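Review bot: The module header `{}:` declares a function that accepts no arguments, but the module system calls every module with `config`, `lib`, `pkgs` and friends, so this file fails evaluation with an "unexpected argument" error as soon as it is imported; it needs `{ ... }:` like the other modules in this commit. `"read only" = false;` here versus `"read only" = "no";` in plex.nix for the same share is an inconsistency worth settling, and the empty `extraConfig = '' '';` can be removed.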


@@ -0,0 +1,61 @@
{ secrets, ... }:
{
# TODO: Make secret keys.
services.searx = {
enable = true;
settings = {
general = {
debug = false;
instance_name = "Searx";
};
server = {
port = secrets.ports.searx;
bind_address = "0.0.0.0";
secret_key = secrets.keys.searx.key;
};
ui = {
default_theme = "oscar";
theme_args.oscar_style = "logicodev-dark";
};
engines = [
# {
# name = "YouTube";
# shortcut = "yt";
# engine = "youtube_api";
# }
{
name = "fdroid";
engine = "fdroid";
}
{
name = "github";
engine = "github";
}
{
name = "ebay";
engine = "ebay";
}
# {
# name = "bandcamp";
# engine = "bandcamp";
# }
{
name = "arch_linux_wiki";
shortcut = "aw";
engine = "archlinux";
}
];
};
# runInUwsgi = true;
# uwsgiConfig = {
# disable-logging = false;
# http = ":11000";
# socket = "/run/searx/searx.sock";
# };
};
}
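Review bot: `bind_address = "0.0.0.0";` exposes searx on every interface, while the nginx.nix in this commit reaches it via `http://localhost:${s ports.searx}` behind a client-certificate vhost; binding to all interfaces means any host that can reach the port bypasses that check, with only the firewall in between. `bind_address = "127.0.0.1";` is enough for the proxy. `secret_key = secrets.keys.searx.key;` is rendered into the generated settings file in the Nix store; the module's `environmentFile` is the supported way to keep that value out of the store, which is presumably what the `# TODO: Make secret keys.` is about.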
