format all

Kopatz
2025-10-30 21:59:31 +01:00
parent b1dda4d037
commit 8a78e618bb
188 changed files with 3526 additions and 1825 deletions


@@ -1,4 +1,10 @@
{ config, pkgs, lib, inputs, ... }:
{
config,
pkgs,
lib,
inputs,
...
}:
with lib;
let
cfg = config.custom.services.acme;


@@ -1,7 +1,15 @@
{ config, pkgs, lib, inputs, ... }:
{
config,
pkgs,
lib,
inputs,
...
}:
with lib;
let cfg = config.custom.services.adam-site;
in {
let
cfg = config.custom.services.adam-site;
in
{
options.custom.services.adam-site = {
enable = mkEnableOption "Enables adams website";
};
@@ -9,7 +17,10 @@ in {
systemd.services.adam-site = {
description = "Adams Website";
wants = [ "network-online.target" ];
after = [ "network.target" "network-online.target" ];
after = [
"network.target"
"network-online.target"
];
wantedBy = [ "multi-user.target" ];
preStart = ''
if [ ! -d "$STATE_DIRECTORY/data" ]; then


@@ -1,8 +1,16 @@
{ config, pkgs, inputs, lib, ... }:
let cfg = config.custom.services.adguard;
ip = cfg.ip;
wireguardIp = config.custom.services.wireguard.ip;
in {
{
config,
pkgs,
inputs,
lib,
...
}:
let
cfg = config.custom.services.adguard;
ip = cfg.ip;
wireguardIp = config.custom.services.wireguard.ip;
in
{
options.custom.services.adguard = {
enable = lib.mkEnableOption "Enables adguard";
ip = lib.mkOption {
@@ -27,94 +35,96 @@ in {
};
rewrites = lib.mkOption {
type = lib.types.listOf (lib.types.attrsOf lib.types.str);
default = [ {
"domain" = "kopatz.ddns.net";
"answer" = ip;
}
{
"domain" = "kopatz.dev";
"answer" = ip;
}
{
"domain" = "kavita.kopatz.dev";
"answer" = ip;
}
{
"domain" = "kop.oasch.net";
"answer" = ip;
}
{
"domain" = "kop.bobin.at";
"answer" = ip;
}
{
"domain" = "kavita-kopatz.duckdns.org";
"answer" = ip;
}
{
"domain" = "server.home";
"answer" = ip;
}
{
"domain" = "server.home.arpa";
"answer" = ip;
}
{
"domain" = "adguard.home.arpa";
"answer" = ip;
}
{
"domain" = "nextcloud.home.arpa";
"answer" = ip;
}
{
"domain" = "kavita.home.arpa";
"answer" = ip;
}
{
"domain" = "grafana.home.arpa";
"answer" = ip;
}
{
"domain" = "yt.home.arpa";
"answer" = ip;
}
{
"domain" = "nextcloud.home.arpa";
"answer" = wireguardIp;
}
{
"domain" = "kavita.home.arpa";
"answer" = wireguardIp;
}
{
"domain" = "yt.home.arpa";
"answer" = wireguardIp;
}
{
"domain" = "turnserver.home.arpa";
"answer" = wireguardIp;
}
{
"domain" = "powerline.home.arpa";
"answer" = "192.168.0.2";
}
{
"domain" = "3neo.home.arpa";
"answer" = "192.168.0.4";
}
{
"domain" = "alcatel.home.arpa";
"answer" = "192.168.0.5";
}
{
"domain" = "extender.home.arpa";
"answer" = "192.168.0.8";
}
{
"domain" = "inverter.home.arpa";
"answer" = "192.168.0.9";
}];
default = [
{
"domain" = "kopatz.ddns.net";
"answer" = ip;
}
{
"domain" = "kopatz.dev";
"answer" = ip;
}
{
"domain" = "kavita.kopatz.dev";
"answer" = ip;
}
{
"domain" = "kop.oasch.net";
"answer" = ip;
}
{
"domain" = "kop.bobin.at";
"answer" = ip;
}
{
"domain" = "kavita-kopatz.duckdns.org";
"answer" = ip;
}
{
"domain" = "server.home";
"answer" = ip;
}
{
"domain" = "server.home.arpa";
"answer" = ip;
}
{
"domain" = "adguard.home.arpa";
"answer" = ip;
}
{
"domain" = "nextcloud.home.arpa";
"answer" = ip;
}
{
"domain" = "kavita.home.arpa";
"answer" = ip;
}
{
"domain" = "grafana.home.arpa";
"answer" = ip;
}
{
"domain" = "yt.home.arpa";
"answer" = ip;
}
{
"domain" = "nextcloud.home.arpa";
"answer" = wireguardIp;
}
{
"domain" = "kavita.home.arpa";
"answer" = wireguardIp;
}
{
"domain" = "yt.home.arpa";
"answer" = wireguardIp;
}
{
"domain" = "turnserver.home.arpa";
"answer" = wireguardIp;
}
{
"domain" = "powerline.home.arpa";
"answer" = "192.168.0.2";
}
{
"domain" = "3neo.home.arpa";
"answer" = "192.168.0.4";
}
{
"domain" = "alcatel.home.arpa";
"answer" = "192.168.0.5";
}
{
"domain" = "extender.home.arpa";
"answer" = "192.168.0.8";
}
{
"domain" = "inverter.home.arpa";
"answer" = "192.168.0.9";
}
];
description = "list of domains to rewrite to this server's ip";
};
};
@@ -134,33 +144,40 @@ in {
forceSSL = cfg.useHttps;
enableACME = cfg.useHttps;
locations."/" = {
proxyPass =
"http://127.0.0.1:${toString config.services.adguardhome.port}";
proxyPass = "http://127.0.0.1:${toString config.services.adguardhome.port}";
proxyWebsockets = true;
};
};
systemd.services.adguardhome = {
after = [ "nginx.service" "step-ca.service" ];
after = [
"nginx.service"
"step-ca.service"
];
};
services.adguardhome = {
enable = true;
settings = {
schema_version = 28;
users = [{
name = "admin";
password =
"$2y$15$iPzjmUJPTwWUOsDp46GOPO/LYor/jDJjndwy2QlPddaKSD4QXvq9W";
}];
users = [
{
name = "admin";
password = "$2y$15$iPzjmUJPTwWUOsDp46GOPO/LYor/jDJjndwy2QlPddaKSD4QXvq9W";
}
];
dns = {
bind_hosts = [ "127.0.0.1" ip ] ++ lib.lists.optionals config.custom.services.wireguard.enable [ wireguardIp ];
bind_hosts = [
"127.0.0.1"
ip
]
++ lib.lists.optionals config.custom.services.wireguard.enable [ wireguardIp ];
port = 53;
protection_enabled = true;
filtering_enabled = true;
upstream_dns = [
#"https://dns10.quad9.net/dns-query" slow
#"https://dns10.quad9.net/dns-query" slow
"quic://dns.adguard-dns.com"
#"tls://noads.libredns.gr" slow
#"tls://noads.libredns.gr" slow
"https://noads.joindns4.eu/dns-query"
"tls://getdnsapi.net"
];
@@ -170,19 +187,19 @@ in {
];
use_http3_upstreams = true;
};
querylog = { enabled = false; };
querylog = {
enabled = false;
};
filters = [
{
enabled = true;
url =
"https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt";
url = "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt";
name = "adguard dns list";
id = 1;
}
{
enabled = true;
url =
"https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt";
url = "https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt";
name = "adguard block list";
id = 2;
}
@@ -199,12 +216,16 @@ in {
enabled = true;
url = pkgs.writeText "adguard-whitelist.txt" ''
@@|pool.supportxmr.com^
'';
'';
name = "adguard whitelist";
}
];
dhcp = { enabled = false; };
tls = { enabled = false; };
dhcp = {
enabled = false;
};
tls = {
enabled = false;
};
filtering = {
rewrites = cfg.rewrites;
};
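Review bot: The admin credential `password = "$2y$15$iPzjmUJPTwWUOsDp46GOPO/LYor/jDJjndwy2QlPddaKSD4QXvq9W"` inside `services.adguardhome.settings` ends up in a file in the world-readable Nix store (and is published with this repository), so anyone with local read access or repo access can mount an offline guess on it; the cost factor 15 makes that slow but not infeasible, and the user name `admin` is fixed as well. The radicale block in this same commit shows the pattern that avoids this — it reads its htpasswd from `config.age.secrets.radicale-users.path` — while nothing here keeps the hash out of the store. If the adguardhome module offers no secret-file option, consider substituting the hash from an age secret at service start (a `preStart` that patches the generated config, if that is how the module writes it) or at minimum treat this hash as public and rotate the password. The `services.adguardhome` attribute set continues past the end of this hunk.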


@@ -1,6 +1,14 @@
{ config, pkgs, lib, inputs, ... }:
let cfg = config.custom.services.caldav;
in {
{
config,
pkgs,
lib,
inputs,
...
}:
let
cfg = config.custom.services.caldav;
in
{
options.custom.services.caldav = {
enable = lib.mkEnableOption "Enables caldav server";
};
@@ -12,14 +20,18 @@ in {
services.radicale = {
enable = true;
settings = {
server = { hosts = [ "127.0.0.1:5232" ]; };
server = {
hosts = [ "127.0.0.1:5232" ];
};
#server = { hosts = [ "192.168.0.11:5232" ]; };
auth = {
type = "htpasswd";
htpasswd_filename = config.age.secrets.radicale-users.path;
htpasswd_encryption = "bcrypt";
};
storage = { filesystem_folder = "/var/lib/radicale/collections"; };
storage = {
filesystem_folder = "/var/lib/radicale/collections";
};
};
};
custom.misc.backup = lib.mkIf config.custom.misc.backup.enable {
@@ -32,18 +44,19 @@ in {
let
radicale =
if lib.versionOlder lib.version "25.05" then
(builtins.elemAt
config.services.radicale.settings.storage.filesystem_folder 0)
(builtins.elemAt config.services.radicale.settings.storage.filesystem_folder 0)
else
config.services.radicale.settings.storage.filesystem_folder;
# not reproducible
working =
"${radicale}/collection-root/kopatz/b6d2c446-8109-714a-397f-1f35d3136639";
working = "${radicale}/collection-root/kopatz/b6d2c446-8109-714a-397f-1f35d3136639";
in
{
description = "Download fh calendar";
wants = [ "network-online.target" ];
after = [ "network.target" "network-online.target" ];
after = [
"network.target"
"network-online.target"
];
wantedBy = [ "multi-user.target" ];
startAt = "*-*-* 06:00:00";


@@ -1,4 +1,10 @@
{ config, pkgs, lib, inputs, ... }:
{
config,
pkgs,
lib,
inputs,
...
}:
{
age.secrets.coturn-secret = {
file = ../../secrets/coturn-secret.age;
@@ -6,10 +12,14 @@
group = "turnserver";
};
networking.firewall.allowedUDPPortRanges = [{ from = 49000; to = 50000; }];
networking.firewall.allowedUDPPorts = [ 3478 ]; #5349 ];
networking.firewall.allowedTCPPorts = [ 3478 ]; #5349 ];
networking.firewall.allowedUDPPortRanges = [
{
from = 49000;
to = 50000;
}
];
networking.firewall.allowedUDPPorts = [ 3478 ]; # 5349 ];
networking.firewall.allowedTCPPorts = [ 3478 ]; # 5349 ];
services.coturn = {
enable = true;
@@ -68,6 +78,6 @@
# serviceConfig = {
# User = lib.mkForce "root";
# Group = lib.mkForce "root";
# };
# };
# };
}


@@ -1,4 +1,10 @@
{ config, pkgs, lib, ... }: {
{
config,
pkgs,
lib,
...
}:
{
age.secrets.cloudflare-api = {
file = ../../secrets/cloudflare-api.age;
};


@@ -1,7 +1,15 @@
{ config, pkgs, lib, inputs, ... }:
{
config,
pkgs,
lib,
inputs,
...
}:
with lib;
let cfg = config.custom.services.dnsmasq;
in {
let
cfg = config.custom.services.dnsmasq;
in
{
options.custom.services.dnsmasq = {
enable = mkEnableOption "Enables dnsmaq service";
server = mkOption { type = types.listOf types.string; };
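Review bot: `types.string` in `server = mkOption { type = types.listOf types.string; };` is the deprecated nixpkgs type that emits an evaluation warning; the replacement is `types.str`, which is what the other modules touched by this commit already use. The option also carries no `description` and no `default`, so it must be set whenever the module is enabled. Change it to `server = mkOption { type = types.listOf types.str; description = "Upstream servers handed to dnsmasq"; };` — the wording is a guess from the name, adjust it to what the option actually feeds. The `options.custom.services.dnsmasq` set continues past the end of this hunk.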


@@ -1,4 +1,10 @@
{ config, pkgs, lib, inputs, ... }:
{
config,
pkgs,
lib,
inputs,
...
}:
{
age.secrets.duckdns = {
file = ../../secrets/duckdns.age;
@@ -9,7 +15,7 @@
domains = [ "kavita-kopatz" ];
};
systemd.services.duckdns = {
wantedBy = lib.mkForce [];
startAt = lib.mkForce "daily";
wantedBy = lib.mkForce [ ];
startAt = lib.mkForce "daily";
};
}


@@ -1,4 +1,10 @@
{ config, pkgs, lib, inputs, ... }:
{
config,
pkgs,
lib,
inputs,
...
}:
with lib;
let
cfg = config.custom.services.ente;


@@ -1,4 +1,10 @@
{ config, pkgs, lib, inputs, ... }:
{
config,
pkgs,
lib,
inputs,
...
}:
with lib;
let
cfg = config.custom.services.fileshelter;
@@ -45,4 +51,3 @@ in
};
};
}


@@ -1,5 +1,10 @@
# valheim.nix
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
let
join = builtins.concatStringsSep " ";
in
@@ -12,7 +17,7 @@ in
];
};
networking.firewall.allowedUDPPorts = [ 8211 ]; #5349 ];
networking.firewall.allowedUDPPorts = [ 8211 ]; # 5349 ];
users.users.palworld = {
isSystemUser = true;
# Valheim puts save data in the home directory.


@@ -1,4 +1,10 @@
{ config, pkgs, lib, inputs, ... }:
{
config,
pkgs,
lib,
inputs,
...
}:
let
cfg = config.custom.services.terraria;
in


@@ -1,6 +1,14 @@
{ config, pkgs, lib, inputs, ... }:
let cfg = config.custom.services.github-runner;
in {
{
config,
pkgs,
lib,
inputs,
...
}:
let
cfg = config.custom.services.github-runner;
in
{
options.custom.services.github-runner = {
enable = lib.mkEnableOption "Enables github-runner service.";
};
@@ -34,11 +42,16 @@ in {
url = "https://github.com/oberprofis";
user = "github-actions-runner";
workDir = "/github-actions-runner";
extraPackages = with pkgs; [ rsync nodePackages.pnpm nodejs ];
extraPackages = with pkgs; [
rsync
nodePackages.pnpm
nodejs
];
serviceOverrides = {
BindPaths = [ "/github-actions-runner" ]
++ lib.optional config.custom.services.kavita.enable
config.custom.services.kavita.dir;
BindPaths = [
"/github-actions-runner"
]
++ lib.optional config.custom.services.kavita.enable config.custom.services.kavita.dir;
UMask = "022";
};
};
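Review bot: The runner is registered at organisation scope (`url = "https://github.com/oberprofis"`) while `BindPaths` maps the whole `config.custom.services.kavita.dir` into its sandbox writable, so any workflow in any repository of that organisation (and, depending on the org's fork-PR settings, code from outside contributors) can execute on this host and modify the Kavita data directory. Self-hosted runners give no isolation between jobs, so either register per repository or place this runner in a runner group restricted to the repository that deploys Kavita, and bind only the subdirectory the workflow needs, e.g. `++ lib.optional config.custom.services.kavita.enable "${config.custom.services.kavita.dir}/github";` — the kavita module in this same commit creates a `github` subdirectory owned by `github-actions-runner` for exactly this purpose, presumably under the same base path. `UMask = "022"` additionally makes every file a job creates world-readable; `"027"` keeps group read for `kavita` and drops the rest. The runner definition this `serviceOverrides` belongs to starts before the hunk.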


@@ -1,6 +1,14 @@
{ config, pkgs, lib, inputs, ... }:
let cfg = config.custom.services.gitolite;
in {
{
config,
pkgs,
lib,
inputs,
...
}:
let
cfg = config.custom.services.gitolite;
in
{
options.custom.services.gitolite = {
enable = lib.mkEnableOption "Enables ente";
};


@@ -1,4 +1,9 @@
{ pkgs, config, lib, ... }:
{
pkgs,
config,
lib,
...
}:
let
useHttps = config.services.step-ca.enable;
fqdn = "grafana.home.arpa";
@@ -28,27 +33,28 @@ in
provision.alerting.policies.path = ./grafana/notification-policies.yml;
provision.alerting.templates.path = ./grafana/alerts.yml;
provision.datasources.settings = {
datasources =
[
{
name = "DS_PROMETHEUS";
url = "http://127.0.0.1:${toString config.services.prometheus.port}";
type = "prometheus";
isDefault = true;
# This has to match the prometheus scrape interval, otherwise the $__rate_interval variable wont work.
jsonData.timeInterval = "60s";
}
{
name = "loki";
url = "http://localhost:3100";
type = "loki";
}
];
datasources = [
{
name = "DS_PROMETHEUS";
url = "http://127.0.0.1:${toString config.services.prometheus.port}";
type = "prometheus";
isDefault = true;
# This has to match the prometheus scrape interval, otherwise the $__rate_interval variable wont work.
jsonData.timeInterval = "60s";
}
{
name = "loki";
url = "http://localhost:3100";
type = "loki";
}
];
};
provision.dashboards.settings.providers = [{
name = "provisioned-dashboards";
options.path = ./grafana/dashboards;
}];
provision.dashboards.settings.providers = [
{
name = "provisioned-dashboards";
options.path = ./grafana/dashboards;
}
];
};
systemd.services.grafana = {
@@ -100,15 +106,16 @@ in
scrapeConfigs = [
{
job_name = "scrapema";
static_configs = [{
targets = [
"127.0.0.1:${toString config.services.prometheus.exporters.node.port}"
] ++
(lib.optional config.services.cadvisor.enable "${config.services.cadvisor.listenAddress}:${toString config.services.cadvisor.port}") ++
(lib.optional config.services.prometheus.exporters.nginx.enable "127.0.0.1:${toString config.services.prometheus.exporters.nginx.port}") ++
(lib.optional config.services.prometheus.exporters.nginxlog.enable "127.0.0.1:${toString config.services.prometheus.exporters.nginxlog.port}")
;
}];
static_configs = [
{
targets = [
"127.0.0.1:${toString config.services.prometheus.exporters.node.port}"
]
++ (lib.optional config.services.cadvisor.enable "${config.services.cadvisor.listenAddress}:${toString config.services.cadvisor.port}")
++ (lib.optional config.services.prometheus.exporters.nginx.enable "127.0.0.1:${toString config.services.prometheus.exporters.nginx.port}")
++ (lib.optional config.services.prometheus.exporters.nginxlog.enable "127.0.0.1:${toString config.services.prometheus.exporters.nginxlog.port}");
}
];
}
];
};
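Review bot: The loki datasource hard-codes `url = "http://localhost:3100"` while the prometheus entry directly above derives its address from the module, `"http://127.0.0.1:${toString config.services.prometheus.port}"`; `localhost` may resolve to `::1` first and the literal port will silently drift if Loki's listener is ever changed. For consistency with the sibling entry use the loopback literal and, if the Loki listen port is defined in this file, read it from there, e.g. `url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}";`, otherwise at least `url = "http://127.0.0.1:3100";`. The `services.grafana` set and the `scrapeConfigs` list both continue past the hunk.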


@@ -1,7 +1,15 @@
{ config, pkgs, lib, inputs, ... }:
{
config,
pkgs,
lib,
inputs,
...
}:
with lib;
let cfg = config.custom.services.kavita;
in {
let
cfg = config.custom.services.kavita;
in
{
options.custom.services.kavita = {
enable = mkEnableOption "Enables kavita";
https = mkOption {
@@ -33,13 +41,15 @@ in {
lib.mkIf cfg.enable {
# not needed with nginx networking.firewall.allowedTCPPorts = [ 5000 ];
systemd.tmpfiles.rules = [
(if githubRunnerEnabled then
"d ${baseDir} 0750 kavita github-actions-runner -"
else
"d ${baseDir} 0770 kavita kavita -")
(
if githubRunnerEnabled then
"d ${baseDir} 0750 kavita github-actions-runner -"
else
"d ${baseDir} 0770 kavita kavita -"
)
"d ${baseDir}/manga 0770 kavita kavita -"
] ++ lib.optional githubRunnerEnabled
"d ${baseDir}/github 0770 github-actions-runner kavita -";
]
++ lib.optional githubRunnerEnabled "d ${baseDir}/github 0770 github-actions-runner kavita -";
age.secrets.kavita = mkIf (!cfg.isTest) {
file = ../../secrets/kavita.age;
@@ -52,9 +62,15 @@ in {
user = "kavita";
package =
let
backend = pkgs.kavita-old.backend.overrideAttrs
(old: { patches = old.patches ++ [ ./kavita-patches-chapter-parsing.diff ./kavita-page-size.diff ]; });
kavitaPatched = pkgs.kavita-old.overrideAttrs (old: { backend = backend; });
backend = pkgs.kavita-old.backend.overrideAttrs (old: {
patches = old.patches ++ [
./kavita-patches-chapter-parsing.diff
./kavita-page-size.diff
];
});
kavitaPatched = pkgs.kavita-old.overrideAttrs (old: {
backend = backend;
});
in
kavitaPatched;
settings = {
@@ -65,8 +81,7 @@ in {
dataDir = baseDir;
tokenKeyFile =
if cfg.isTest then
(builtins.toFile "test"
"wWKNeGUslGILrUUp8Dnn4xyYnivZWBb8uqjKg3ALyCs7reV5v3CtE/E2b6i0Mwz1Xw1p9a0wcduRDNoa8Yh8kQ==")
(builtins.toFile "test" "wWKNeGUslGILrUUp8Dnn4xyYnivZWBb8uqjKg3ALyCs7reV5v3CtE/E2b6i0Mwz1Xw1p9a0wcduRDNoa8Yh8kQ==")
else
config.age.secrets.kavita.path;
};


@@ -1,7 +1,14 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
with lib;
let cfg = config.custom.services.kop-fileshare;
in {
let
cfg = config.custom.services.kop-fileshare;
in
{
options = {
custom.services.kop-fileshare = {
enable = mkEnableOption "Enable the file upload server";
@@ -34,7 +41,10 @@ in {
systemd.services.kop-fileshare = {
description = "File Upload Server";
wants = [ "network-online.target" ];
after = [ "network.target" "network-online.target" ];
after = [
"network.target"
"network-online.target"
];
wantedBy = [ "multi-user.target" ];
serviceConfig = {


@@ -1,7 +1,15 @@
{ config, pkgs, lib, inputs, ... }:
{
config,
pkgs,
lib,
inputs,
...
}:
with lib;
let cfg = config.custom.services.kop-monitor;
in {
let
cfg = config.custom.services.kop-monitor;
in
{
options.custom.services.kop-monitor = {
enable = mkEnableOption "Enables monitor";
};
@@ -13,7 +21,10 @@ in {
systemd.services.kop-monitor = {
description = "Kop Monitor";
wants = [ "network-online.target" ];
after = [ "network.target" "network-online.target" ];
after = [
"network.target"
"network-online.target"
];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";


@@ -1,4 +1,9 @@
{ pkgs, config, lib, ... }:
{
pkgs,
config,
lib,
...
}:
# idk, dont need this
with lib;
let


@@ -1,4 +1,11 @@
{ config, pkgs, lib, inputs, vars, ... }:
{
config,
pkgs,
lib,
inputs,
vars,
...
}:
let
wireguardIp = vars.wireguardIp;
fqdn = "nextcloud.home.arpa";
@@ -46,7 +53,10 @@ in
config.adminpassFile = config.age.secrets.nextcloud-admin.path;
config.dbtype = "pgsql";
database.createLocally = true;
settings.trusted_domains = [ wireguardIp "nextcloud.home.arpa" ];
settings.trusted_domains = [
wireguardIp
"nextcloud.home.arpa"
];
home = "/mnt/250ssd/nextcloud";
extraApps = with config.services.nextcloud.package.packages.apps; {
inherit onlyoffice calendar mail;


@@ -1,7 +1,15 @@
{ config, pkgs, lib, inputs, ... }:
{
config,
pkgs,
lib,
inputs,
...
}:
with lib;
let cfg = config.custom.services.nginx;
in {
let
cfg = config.custom.services.nginx;
in
{
options.custom.services.nginx = {
enable = mkEnableOption "Enables nginx";
https = mkOption {
@@ -11,8 +19,14 @@ in {
};
};
config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 80 443 ];
networking.firewall.allowedTCPPorts = [
80
443
];
networking.firewall.allowedUDPPorts = [
80
443
];
age.secrets.stash-auth = {
file = ../../secrets/stash-auth.age;
@@ -34,8 +48,7 @@ in {
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
statusPage =
lib.mkIf config.services.prometheus.exporters.nginx.enable true;
statusPage = lib.mkIf config.services.prometheus.exporters.nginx.enable true;
# Only allow PFS-enabled ciphers with AES256
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
@@ -101,7 +114,10 @@ in {
'';
proxyPass = "http://localhost:5232/";
};
"/socket.io" = { proxyPass = "http://localhost:9955"; proxyWebsockets = true; };
"/socket.io" = {
proxyPass = "http://localhost:9955";
proxyWebsockets = true;
};
"/comms/" = {
extraConfig = ''
more_set_headers "Permissions-Policy: geolocation=(), microphone=(self), camera=(self)";
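Review bot: `networking.firewall.allowedUDPPorts = [ 80 443 ]` opens two UDP ports nginx does not listen on as configured here: nothing speaks UDP on 80, and UDP 443 only matters for HTTP/3, which this hunk does not enable (no `enableQuic` or per-vhost `quic` setting is visible). Unless QUIC is turned on elsewhere, drop the rule, `networking.firewall.allowedUDPPorts = [ ];`, or gate it on the QUIC option so the exposed surface follows the actual listener. Separately, `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"` replaces the list from `recommendedTlsSettings` and still admits the CBC suites (ECDHE-RSA-AES256-SHA384, DHE-RSA-AES256-SHA256 and their SHA-1 variants); if the intent per the comment is AES-256 with PFS, restrict to AEAD, `sslCiphers = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384";` (TLS 1.3 suites are unaffected by this directive). The `config = lib.mkIf cfg.enable` block continues past this hunk.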


@@ -1,4 +1,5 @@
{ config, ... }: {
{ config, ... }:
{
age.secrets.binary-cache = {
file = ../../secrets/binary-cache.age;


@@ -1,6 +1,14 @@
{ config, pkgs, lib, inputs, ... }:
let cfg = config.custom.services.opensnitch;
in {
{
config,
pkgs,
lib,
inputs,
...
}:
let
cfg = config.custom.services.opensnitch;
in
{
options.custom.services.opensnitch = {
enable = lib.mkEnableOption "Enables opensnitch";
};


@@ -1,4 +1,11 @@
{ config, pkgs, lib, inputs, vars, ... }:
{
config,
pkgs,
lib,
inputs,
vars,
...
}:
let
ip = vars.ipv4;
wireguardIp = vars.wireguardIp;


@@ -1,6 +1,14 @@
{ config, pkgs, lib, inputs, ... }:
let cfg = config.custom.services.plausible;
in {
{
config,
pkgs,
lib,
inputs,
...
}:
let
cfg = config.custom.services.plausible;
in
{
options.custom.services.plausible = {
enable = lib.mkEnableOption "Enables plausible";
};


@@ -1,4 +1,10 @@
{ config, pkgs, lib, vars, ... }:
{
config,
pkgs,
lib,
vars,
...
}:
let
wm = vars.wm;
in


@@ -1,4 +1,11 @@
{ config, pkgs, inputs, system, lib, ... }:
{
config,
pkgs,
inputs,
system,
lib,
...
}:
let
notifyScript = pkgs.writeScript "smartd-notify.sh" ''
#!${pkgs.runtimeShell}
@@ -25,7 +32,7 @@ in
};
config = lib.mkIf cfg.enable {
age.secrets.webhook-smartd = {
file = ../../secrets/webhook.age; #File contains WEBHOOK_URL="https://discord.com/api/webhooks/..."
file = ../../secrets/webhook.age; # File contains WEBHOOK_URL="https://discord.com/api/webhooks/..."
owner = "root";
group = "root";
mode = "400";
@@ -39,8 +46,7 @@ in
wall.enable = false;
mail.enable = false;
};
defaults.autodetected =
"-a -o on -s (S/../.././02|L/../../7/04) -m <nomailer> -M exec ${notifyScript} -M test";
defaults.autodetected = "-a -o on -s (S/../.././02|L/../../7/04) -m <nomailer> -M exec ${notifyScript} -M test";
};
};
}


@@ -1,34 +1,37 @@
{ pkgs, lib, config, ... }:
{
pkgs,
lib,
config,
...
}:
let
root_ca =
''
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
'';
intermediate_ca =
''
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
'';
root_ca = ''
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
'';
intermediate_ca = ''
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
'';
in
{
@@ -50,7 +53,12 @@ in
port = 8443;
intermediatePasswordFile = config.age.secrets.step-ca-pw.path;
settings = {
dnsNames = [ "localhost" "127.0.0.1" "*.home.arpa" "192.168.0.10" ];
dnsNames = [
"localhost"
"127.0.0.1"
"*.home.arpa"
"192.168.0.10"
];
root = pkgs.writeTextFile {
name = "root.ca";
text = root_ca;


@@ -1,4 +1,9 @@
{ pkgs, lib, config, ... }:
{
pkgs,
lib,
config,
...
}:
let
fqdn = "${config.networking.domain}";
baseUrl = "https://${fqdn}";
@@ -12,7 +17,10 @@ let
in
{
networking.domain = "kopatz.ddns.net";
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedTCPPorts = [
80
443
];
services.postgresql.enable = true;
services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
@@ -84,10 +92,15 @@ in
type = "http";
tls = false;
x_forwarded = true;
resources = [{
names = [ "client" "federation" ];
compress = true;
}];
resources = [
{
names = [
"client"
"federation"
];
compress = true;
}
];
}
];
};
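Review bot: The listener keeps `tls = false` together with `x_forwarded = true`, which is only safe when it is bound to loopback so that the `X-Forwarded-For` header Synapse trusts can come solely from the local nginx; `bind_addresses` is not visible in this hunk, so confirm it is `[ "127.0.0.1" ]` (or `"::1"`) and not a LAN address. If it is reachable from the network, clients can hit the unencrypted port directly and spoof their source address in rate limiting and audit logs. Consider documenting the assumption inline, `# plain HTTP: must stay loopback-only, nginx terminates TLS and sets X-Forwarded-For`. The `listeners` list this entry belongs to starts before the hunk.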


@@ -1,6 +1,14 @@
{ config, pkgs, lib, inputs, ... }:
let cfg = config.custom.services.syncthing;
in {
{
config,
pkgs,
lib,
inputs,
...
}:
let
cfg = config.custom.services.syncthing;
in
{
options.custom.services.syncthing = {
enable = lib.mkEnableOption "Enables syncthing";
basePath = lib.mkOption {
@@ -10,8 +18,7 @@ in {
};
};
config = lib.mkIf cfg.enable {
systemd.tmpfiles.rules =
[ "d ${cfg.basePath} 0700 ${config.mainUser.name} users -" ];
systemd.tmpfiles.rules = [ "d ${cfg.basePath} 0700 ${config.mainUser.name} users -" ];
# check device id: syncthing cli --gui-address=/synced/gui-socket --gui-apikey=<key> show system
environment.systemPackages = with pkgs; [ syncthing ];
@@ -33,61 +40,92 @@ in {
devices = {
kop-pc = {
id =
"DZKIUS7-WCGTYEV-4OKVSZU-MIVL2NC-N45AKZL-ABT3VN2-I7RXUMF-RF4CYAU";
id = "DZKIUS7-WCGTYEV-4OKVSZU-MIVL2NC-N45AKZL-ABT3VN2-I7RXUMF-RF4CYAU";
addresses = [ "tcp://192.168.0.11" ];
};
server = {
id =
"FK3DW4B-6Y7C25O-IDBSOMV-GOUSWZW-KQR7ELS-QUKS4UR-AFZXLZE-67QJXAX";
addresses = [ "tcp://192.168.0.10" "tcp://192.168.2.1" ];
id = "FK3DW4B-6Y7C25O-IDBSOMV-GOUSWZW-KQR7ELS-QUKS4UR-AFZXLZE-67QJXAX";
addresses = [
"tcp://192.168.0.10"
"tcp://192.168.2.1"
];
};
laptop = {
id =
"ACLM2MY-G6TK6QH-NEVVG3R-6QGXWYI-GHGA2FJ-SI6DFZJ-JWKWAOA-DPMEEQO";
addresses = [ "tcp://192.168.2.22" "tcp://192.168.0.166" ];
id = "ACLM2MY-G6TK6QH-NEVVG3R-6QGXWYI-GHGA2FJ-SI6DFZJ-JWKWAOA-DPMEEQO";
addresses = [
"tcp://192.168.2.22"
"tcp://192.168.0.166"
];
};
phone = {
id =
"JKZGIMH-4YWAMUN-SQZBKFY-BVLEFP4-NBNZP2T-R2LSLSN-RVSL7BH-3AFIFAB";
addresses = [ "tcp://192.168.0.15" "tcp://192.168.2.20" ];
id = "JKZGIMH-4YWAMUN-SQZBKFY-BVLEFP4-NBNZP2T-R2LSLSN-RVSL7BH-3AFIFAB";
addresses = [
"tcp://192.168.0.15"
"tcp://192.168.2.20"
];
};
};
folders."default" = {
id = "default";
path = "${cfg.basePath}/default";
devices =
[ "kop-pc" "server" "laptop" "phone" ];
devices = [
"kop-pc"
"server"
"laptop"
"phone"
];
ignorePerms = false;
};
folders."books" = {
id = "books";
path = "${cfg.basePath}/books";
devices = [ "kop-pc" "server" "laptop" ];
devices = [
"kop-pc"
"server"
"laptop"
];
};
folders."fh" = {
id = "fh";
path = "${cfg.basePath}/fh";
devices = [ "kop-pc" "server" "laptop" ];
devices = [
"kop-pc"
"server"
"laptop"
];
};
folders."work_drive" = {
id = "work_drive";
path = "${cfg.basePath}/work_drive";
devices = [ "kop-pc" "server" "laptop" ];
devices = [
"kop-pc"
"server"
"laptop"
];
};
folders."no_backup" = {
id = "no_backup";
path = "${cfg.basePath}/no_backup";
devices = [ "kop-pc" "server" "laptop" ];
devices = [
"kop-pc"
"server"
"laptop"
];
};
};
};
networking.firewall.allowedTCPPorts = [ 8384 22000 ];
networking.firewall.allowedUDPPorts = [ 22000 21027 ];
networking.firewall.allowedTCPPorts = [
8384
22000
];
networking.firewall.allowedUDPPorts = [
22000
21027
];
};
}
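Review bot: `allowedTCPPorts = [ 8384 22000 ]` opens the Syncthing GUI/REST API port on every interface, while the comment near the top of this section (`--gui-address=/synced/gui-socket`) suggests the GUI is reached over a unix socket, so the rule either exposes the admin API to the LAN or is dead weight. Either way 8384 should not be in the host firewall unless the GUI is deliberately bound to a non-loopback address and protected by a password and TLS; keep only the sync port, `networking.firewall.allowedTCPPorts = [ 22000 ];`, and if remote GUI access is wanted scope it to the VPN with `networking.firewall.interfaces.wg0.allowedTCPPorts = [ 8384 ];` (wg0 is the interface the wireguard module in this commit creates). The `guiAddress` setting itself is not visible in this hunk, so confirm which case applies.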


@@ -1,4 +1,10 @@
{ config, pkgs, lib, inputs, ... }:
{
config,
pkgs,
lib,
inputs,
...
}:
{
age.secrets.wireguard-client = {
@@ -35,7 +41,10 @@
address = [ "192.168.2.22/24" ];
peers = [
{
allowedIPs = [ "192.168.2.0/24" "192.168.0.0/24" ];
allowedIPs = [
"192.168.2.0/24"
"192.168.0.0/24"
];
#allowedIPs = [ "0.0.0.0/0" ];
endpoint = "kopatz.dev:51820";
publicKey = "vyHNUy97R1cvqEvElznPpFQtoqm7WUHnT96UP6Dquwc=";


@@ -1,4 +1,10 @@
{ config, pkgs, lib, inputs, ... }:
{
config,
pkgs,
lib,
inputs,
...
}:
with lib;
let
cfg = config.custom.services.wireguard;
@@ -37,14 +43,14 @@ in
networking.nat.internalInterfaces = [ "wg0" ];
networking.firewall.allowedUDPPorts = [ 51820 ];
#[Interface]
#PrivateKey = <your private key here>
#Address = 192.168.2.20/24
#[Peer]
#PublicKey = vyHNUy97R1cvqEvElznPpFQtoqm7WUHnT96UP6Dquwc=
#AllowedIPs = 192.168.2.0/24
#Endpoint = kopatz.dev:51820
#PersistentKeepalive = 25
#[Interface]
#PrivateKey = <your private key here>
#Address = 192.168.2.20/24
#[Peer]
#PublicKey = vyHNUy97R1cvqEvElznPpFQtoqm7WUHnT96UP6Dquwc=
#AllowedIPs = 192.168.2.0/24
#Endpoint = kopatz.dev:51820
#PersistentKeepalive = 25
networking.wg-quick.interfaces = {
wg0 = {
autostart = true;