From 719b48e8a5fc2812c0e58252a65a72768f0c50cb Mon Sep 17 00:00:00 2001
From: Kopatz <7265381+Kropatz@users.noreply.github.com>
Date: Tue, 14 Nov 2023 14:19:29 +0100
Subject: [PATCH] extract some varaibles
---
 flake.nix | 18 ++++-----
 modules/adguard.nix | 36 +++++++++--------
 modules/netdata.nix | 7 +++-
 modules/nextcloud.nix | 38 +++++++++---------
 modules/paperless.nix | 8 +++-
 modules/wireguard.nix | 39 ++++++++++---------
 systems/server/configuration.nix | 1 +
 .../server/static-ip.nix | 11 ++++--
 systems/server/userdata.nix | 5 +++
 9 files changed, 96 insertions(+), 67 deletions(-)
 rename modules/static-ip-server.nix => systems/server/static-ip.nix (68%)
 create mode 100644 systems/server/userdata.nix
diff --git a/flake.nix b/flake.nix
index 68235f4..c9eb097 100644
--- a/flake.nix
+++ b/flake.nix
@@ -31,11 +31,13 @@ in {
 nixosConfigurations.server = nixpkgs.lib.nixosSystem {
 inherit system;
- modules = [
+ modules = [
+ ### User specific ###
 ./users/anon.nix
- ./modules/static-ip-server.nix
+ ### System sepecific ###
 ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
 ./systems/server/configuration.nix
+ ### Modules ###
 ./modules/hdd-spindown.nix
 ./modules/minecraft-server.nix
 ./modules/motd.nix
@@ -44,13 +46,9 @@
 ./modules/nix-settings.nix
 ./modules/adguard.nix
 ./modules/git.nix
- #./modules/vmware-guest.nix
 ./modules/github-runner.nix
 ./modules/synapse.nix
- ./modules/nextcloud.nix
- #./modules/coturn.nix
- ./modules/acme.nix
 ./modules/samba.nix
 ./modules/backup.nix
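Review bot: The second hunk removes `./modules/nextcloud.nix` (together with `./modules/acme.nix`) from the server module list, yet modules/nextcloud.nix is edited in this same commit to take `vars`; unless it is still imported from a line outside this hunk, that edit is never evaluated and any error in it stays invisible. If the removal is intentional, the commit message should say so, since the title only mentions extracting variables. Minor: the new section comment in the first hunk reads `### System sepecific ###`; `### System specific ###` is intended.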
@@ -63,12 +61,14 @@
 ./modules/paperless.nix
 ./modules/kavita.nix
 ./modules/netdata.nix
- #./modules/dyndns.nix i think ddclient is deprecated
- #./modules/home-assistant.nix idk dont like this
 home-manager.nixosModules.home-manager
 agenix.nixosModules.default
 ];
- specialArgs = { inherit inputs; };
+ specialArgs = {
+ ## Custom variables (e.g. ip, interface, etc)
+ vars = (import ./systems/server/userdata.nix);
+ inherit inputs ;
+ };
 };
 nixosConfigurations."nix-laptop" = nixpkgs.lib.nixosSystem {
 inherit system;
diff --git a/modules/adguard.nix b/modules/adguard.nix
index 77c79af..f5853d4 100644
--- a/modules/adguard.nix
+++ b/modules/adguard.nix
@@ -1,4 +1,8 @@
- {
+{ config, pkgs, inputs, vars, ... }:
+let
+ ip = vars.ipv4;
+in
+{
 networking.firewall.allowedTCPPorts = [ 53 ];
 networking.firewall.allowedUDPPorts = [ 53 ];
@@ -12,7 +16,7 @@
 }
 ];
 dns = {
- bind_hosts = [ "127.0.0.1" "192.168.0.6" ]; # "192.168.2.1" ];
+ bind_hosts = [ "127.0.0.1" "${ip}" ]; # "192.168.2.1" ];
 port = 53;
 protection_enabled = true;
 filtering_enabled = true;
@@ -26,33 +30,33 @@
 rewrites = [
 {
 "domain" = "kopatz.ddns.net";
- "answer" = "192.168.0.6";
+ "answer" = ip;
 }
 {
 "domain" = "server.home";
- "answer" = "192.168.0.6";
+ "answer" = ip;
 }
 {
 "domain" = "server.local";
- "answer" = "192.168.0.6";
+ "answer" = ip;
 }
- {
+ {
 "domain" = "adguard.local";
- "answer" = "192.168.0.6";
+ "answer" = ip;
+ }
+ {
+ "domain" = "nextcloud.local";
+ "answer" = ip;
+ }
+ {
+ "domain" = "turnserver.local";
+ "answer" = "192.168.2.1";
 }
- {
- "domain" = "nextcloud.local";
- "answer" = "192.168.0.6";
- }
- {
- "domain" = "turnserver.local";
- "answer" = "192.168.2.1";
- }
 {
 "domain" = "inverter.local";
 "answer" = "192.168.0.9";
 }
- ];
+ ];
 };
 querylog = {
 enabled = false;
diff --git a/modules/netdata.nix b/modules/netdata.nix
index ae34da7..eb363d5 100644
--- a/modules/netdata.nix
+++ b/modules/netdata.nix
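Review bot: `vars` is injected only into the `specialArgs` of `nixosConfigurations.server`, while the modules changed in this commit (adguard, netdata, nextcloud, paperless, wireguard, static-ip) now declare `vars` as a mandatory module argument; evaluating any of them from `nixosConfigurations."nix-laptop"` (which begins at the end of this hunk) or another host will fail with a missing-argument error unless that system supplies `vars` as well. A comment on the new line would make the contract explicit, e.g. `## Host-specific values read by ./modules/*; every nixosSystem importing those modules must pass vars`. Minor: `inherit inputs ;` carries a stray space before the semicolon.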
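Review bot: The `turnserver.local` rewrite keeps the literal `"answer" = "192.168.2.1";` although that address is exactly what userdata.nix now exposes as `wireguardIp`, so the DNS answer and the real WireGuard address can drift apart the next time userdata.nix changes. The `let` in the first adguard hunk binds only `ip = vars.ipv4;`; add `wireguardIp = vars.wireguardIp;` there and write `"answer" = wireguardIp;` here. The commented-out `# "192.168.2.1" ];` left on the `bind_hosts` line of the second hunk is the same literal and could either go or reference the variable. `config`, `pkgs` and `inputs` in the new module header are not used in any visible hunk.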
@@ -1,3 +1,8 @@
+{ vars, ... }:
+let
+ ip = vars.ipv4;
+ wireguardIp = vars.wireguardIp;
+in
 {
 networking.firewall.allowedTCPPorts = [ 19999 ];
 services.netdata = {
@@ -8,7 +13,7 @@
 [web]
 default port = 19999
- bind to = 192.168.0.6 192.168.2.1
+ bind to = ${ip} ${wireguardIp}
 allow connections from = localhost 192.168.0.* 192.168.2.*
 [db]
diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix
index 12c9b98..39b963f 100644
--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, inputs, ... }:
+{ config, pkgs, lib, inputs, vars, ... }:
+let
+ wireguardIp = vars.wireguardIp;
+in
 {
 age.secrets.nextcloud-cert = {
 file = ../secrets/nextcloud-cert.age;
@@ -26,15 +29,15 @@
 # Setup Nextcloud virtual host to listen on ports
 virtualHosts = {
 "nextcloud.local" = {
- serverAliases = [ "192.168.2.1" ];
+ serverAliases = [ wireguardIp ];
 ## Force HTTP redirect to HTTPS
 forceSSL = true;
- locations."~ ^\\/(?:index|remote|public|cron|core\\/ajax\\/update|status|ocs\\/v[12]|updater\\/.+|oc[s]-provider\\/.+|.+\\/richdocumentscode\\/proxy)\\.php(?:$|\\/)".extraConfig = ''
- client_max_body_size 5G;
- '';
- #sslTrustedCertificate = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
- sslCertificate = config.age.secrets.nextcloud-cert.path;
- sslCertificateKey = config.age.secrets.nextcloud-key.path;
+ locations."~ ^\\/(?:index|remote|public|cron|core\\/ajax\\/update|status|ocs\\/v[12]|updater\\/.+|oc[s]-provider\\/.+|.+\\/richdocumentscode\\/proxy)\\.php(?:$|\\/)".extraConfig = ''
+ client_max_body_size 5G;
+ '';
+ #sslTrustedCertificate = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+ sslCertificate = config.age.secrets.nextcloud-cert.path;
+ sslCertificateKey = config.age.secrets.nextcloud-key.path;
 ## LetsEncrypt
 #enableACME = true;
 };
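Review bot: `bind to = ${ip} ${wireguardIp}` now follows userdata.nix, but `allow connections from = localhost 192.168.0.* 192.168.2.*` on the very next line still hardcodes the subnets those two addresses happen to live in; if `vars.ipv4` or `vars.wireguardIp` is ever moved to another range the listener moves with it while the netdata ACL silently keeps the old one. Since `networking.firewall.allowedTCPPorts = [ 19999 ]` in the first hunk opens the port host-wide, that ACL is the only access control on the dashboard, so the two should be derived from the same values or at least tied together by a comment, e.g. `# keep in sync with vars.ipv4 / vars.wireguardIp subnets` on the allow line.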
@@ -49,26 +52,25 @@
 services.nextcloud = {
 enable = true;
 package = pkgs.nextcloud27;
- https = true;
+ https = true;
 hostName = "nextcloud.local";
 config.adminpassFile = config.age.secrets.nextcloud-admin.path;
- config.dbtype = "pgsql";
- database.createLocally = true;
- config.extraTrustedDomains = [ "192.168.2.1" ];
+ config.dbtype = "pgsql";
+ database.createLocally = true;
+ config.extraTrustedDomains = [ wireguardIp ];
 home = "/mnt/250ssd/nextcloud";
- extraApps = with config.services.nextcloud.package.packages.apps; {
- inherit keeweb onlyoffice calendar mail;
+ inherit keeweb onlyoffice calendar mail;
 spreed = pkgs.fetchNextcloudApp rec {
 url = "https://github.com/nextcloud-releases/spreed/releases/download/v17.1.1/spreed-v17.1.1.tar.gz";
 sha256 = "sha256-LaUG0maatc2YtWQjff7J54vadQ2RE4X6FcW8vFefBh8=";
 };
 };
- phpOptions = {
- upload_max_filesize = "5G";
- post_max_size = "5G";
- };
+ phpOptions = {
+ upload_max_filesize = "5G";
+ post_max_size = "5G";
+ };
 extraAppsEnable = true;
 extraOptions.enabledPreviewProviders = [
 "OC\\Preview\\BMP"
diff --git a/modules/paperless.nix b/modules/paperless.nix
index a8f7fdd..3e60830 100644
--- a/modules/paperless.nix
+++ b/modules/paperless.nix
@@ -1,4 +1,8 @@
-{ config, pkgs, lib, inputs, ... }:
+{ config, pkgs, lib, inputs, vars, ... }:
+let
+ ip = vars.ipv4;
+ wireguardIp = vars.wireguardIp;
+in
 {
 networking.firewall.allowedTCPPorts = [ 28981 ];
 age.secrets.paperless = {
@@ -10,7 +14,7 @@
 enable = true;
 port = 28981;
 passwordFile = config.age.secrets.paperless.path;
- address = "192.168.2.1";
+ address = wireguardIp;
 mediaDir = "/mnt/250ssd/paperless";
 };
 }
diff --git a/modules/wireguard.nix b/modules/wireguard.nix
index f616fd5..855525f 100644
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@@ -1,4 +1,7 @@
-{ config, pkgs, lib, inputs, ... }:
+{ config, pkgs, lib, inputs, vars, ... }:
+let
+ wireguardIp = vars.wireguardIp;
+in
 {
 age.secrets.wireguard-private = {
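Review bot: `extraApps = with config.services.nextcloud.package.packages.apps; {` is removed in this hunk and nothing re-adds it, so on the new side `inherit keeweb onlyoffice calendar mail;` and `spreed = …` sit directly inside `services.nextcloud`, the `};` after `spreed` now closes `services.nextcloud` itself, and `phpOptions`, `extraAppsEnable` and `extraOptions` land one level too high while `keeweb` and friends are no longer in scope. This reads like an accidental deletion during the re-indent (the 18 removed / 20 added lines of the diffstat are consistent with it), so restore `extraApps = with config.services.nextcloud.package.packages.apps; {` immediately before the `inherit` line; please confirm against the working tree in case this rendering dropped a line. Because flake.nix no longer lists modules/nextcloud.nix, a plain `nix flake check` of the server may not surface the error.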
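Review bot: In the first paperless hunk `ip = vars.ipv4;` is bound but never used; only `wireguardIp` is consumed (`address = wireguardIp;` in the second hunk), so the binding is dead and should be dropped to keep the `let` honest about what the module depends on. The same pattern of unused bindings and unused header arguments (`pkgs`, `lib`, `inputs`) appears in the wireguard and adguard headers added by this commit.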
@@ -15,70 +18,70 @@
 autostart = true;
 listenPort = 51820;
 address = [
- "192.168.2.1/24"
+ "${wireguardIp}/24"
 ];
 peers = [
 {
 allowedIPs = [ "192.168.2.2/32" ];
- persistentKeepalive = 25;
+ persistentKeepalive = 25;
 publicKey = "dUBPIEnAiHIZCMjqV0ya8qotN3UnMhlEVyGNQcR3gVI=";
 }
 {
 allowedIPs = [ "192.168.2.3/32" ];
- persistentKeepalive = 25;
+ persistentKeepalive = 25;
 publicKey = "Eg5ZS3zN05mJ/gct6wJlwVAHTlXpkhxFfUd7yscANV0=";
 }
- {
+ {
 allowedIPs = [ "192.168.2.4/32" ];
- persistentKeepalive = 25;
+ persistentKeepalive = 25;
 publicKey = "8Eigfs+k2k2WPaMn+SqDmlSHdMv+I+xcBr/2qhtpGzI=";
 }
- {
+ {
 allowedIPs = [ "192.168.2.20/32" ];
- persistentKeepalive = 25;
+ persistentKeepalive = 25;
 publicKey = "25u1RSfjsx3wb1DMeTm0pvUfUkG7zTjGaN+m0w6ZjCw=";
 }
- {
+ {
 allowedIPs = [ "192.168.2.21/32" ];
- persistentKeepalive = 25;
+ persistentKeepalive = 25;
 publicKey = "S+8F+yxSQvjjoU44LRYqRv1YulqmOKumUtYo/YIh7X8=";
 }
- {
+ {
 allowedIPs = [ "192.168.2.22/32" ];
- persistentKeepalive = 25;
+ persistentKeepalive = 25;
 publicKey = "/dIW7K49vB9HOghFeXvcY7wu2utQltuv6RfgCbxZwlk=";
 }
- {
+ {
 allowedIPs = [ "192.168.2.23/32" ];
- persistentKeepalive = 25;
+ persistentKeepalive = 25;
 publicKey = "89rjQXNcyCRUCihqfqcOnctWmhiNR8snpRFF6dyHAmk=";
 }
- {
+ {
 allowedIPs = [ "192.168.2.24/32" ];
- persistentKeepalive = 25;
+ persistentKeepalive = 25;
 publicKey = "adaWtboVz3UhpNBKFirs7slbU2+Y3GaV5yS2EoafwVU=";
 }
- {
+ {
 allowedIPs = [ "192.168.2.5/32" ];
- persistentKeepalive = 25;
+ persistentKeepalive = 25;
 publicKey = "g5uTlA1IciXgtSbECjhVis0dajRAc53Oa7Hz6dUI+0Q=";
 }
 ];
diff --git a/systems/server/configuration.nix b/systems/server/configuration.nix
index 613bb82..b892755 100644
--- a/systems/server/configuration.nix
+++ b/systems/server/configuration.nix
@@ -12,6 +12,7 @@ in{
 imports = [
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
+ ./static-ip.nix
 ];
 # Bootloader.
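Review bot: `"${wireguardIp}/24"` parameterises the server's tunnel address while the `/24` and all nine `allowedIPs = [ "192.168.2.N/32" ]` entries stay literal, so editing `wireguardIp` in userdata.nix can move the server out of the subnet its peers are routed in without any evaluation error. Either leave a comment on the address line, e.g. `# peers below must stay inside this /24; change together with vars.wireguardIp`, or put the tunnel prefix in userdata.nix and derive both sides from it. The `- {`/`+ {` and `persistentKeepalive` pairs in this hunk are whitespace-only rewrites that bury the single substantive change; a separate formatting commit would make this one reviewable.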
diff --git a/modules/static-ip-server.nix b/systems/server/static-ip.nix
similarity index 68%
rename from modules/static-ip-server.nix
rename to systems/server/static-ip.nix
index d9813fa..328f3c8 100644
--- a/modules/static-ip-server.nix
+++ b/systems/server/static-ip.nix
@@ -1,3 +1,8 @@
+{ config, vars, ...}:
+let
+ ip = vars.ipv4;
+ interface = vars.interface;
+in
 {
 networking = {
 defaultGateway = "192.168.0.1";
@@ -11,10 +16,10 @@
 "1.1.1.1"
 ];
 interfaces = {
- "enp0s31f6" = {
+ ${interface} = {
 name = "eth0";
- ipv4.addresses = [{
- address = "192.168.0.6";
+ ipv4.addresses = [{
+ address = ip;
 prefixLength = 24;
 }];
 };
diff --git a/systems/server/userdata.nix b/systems/server/userdata.nix
new file mode 100644
index 0000000..4d87e6f
--- /dev/null
+++ b/systems/server/userdata.nix
@@ -0,0 +1,5 @@
+{
+ interface = "enp0s31f6";
+ ipv4 = "192.168.0.6";
+ wireguardIp = "192.168.2.1";
+}
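Review bot: `${interface} = {` and `address = ip;` now come from userdata.nix, but `defaultGateway = "192.168.0.1"` (context in the first hunk) and `prefixLength = 24;` remain literals that must agree with `vars.ipv4`; a gateway outside the configured prefix produces an unreachable host at boot rather than an evaluation error. Either move `gateway` and `prefixLength` into userdata.nix next to `ipv4`, or state the invariant where it is checked by eye, e.g. `# vars.ipv4 must lie inside 192.168.0.0/24 (see defaultGateway)` above `ipv4.addresses`. `config` in the new header `{ config, vars, ...}:` is unused in the visible hunks, and the header's spacing differs from the other modules' `{ ..., vars, ... }:` form.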
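Review bot: userdata.nix is a bare attrset with no documentation, yet every key is read unconditionally by several modules through `specialArgs.vars`, so a reader editing one value has no way to see what it drives. A short header comment would carry that: `interface` is the NIC that static-ip.nix renames to `eth0`; `ipv4` is the static LAN address that also feeds the AdGuard `bind_hosts`/rewrites and the netdata `bind to` line; `wireguardIp` is the server's tunnel address reused as the Nextcloud alias/trusted domain and the paperless bind address. It would also be the right place to record that the netdata ACL, the WireGuard peer list and the gateway/prefix in static-ip.nix still hardcode the surrounding subnets.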