kopatz/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

format

Browse Source
This commit is contained in:
Kopatz
2025-03-18 16:27:20 +01:00
parent 923ab37209
commit cc32af7b80
131 changed files with 2383 additions and 2224 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
modules/services/adam-site.nix
View File

@@ -1,4 +1,3 @@
{ config, pkgs, lib, inputs, ... }:
with lib;
let cfg = config.custom.services.adam-site;

284
modules/services/adguard.nix
View File

@@ -19,157 +19,159 @@ in {
description = "use https for the adguard instance";
};
};
config = let
ip = cfg.ip;
wireguardIp = config.custom.services.wireguard.ip;
in lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [ 53 ];
networking.firewall.allowedUDPPorts = [ 53 ];
config =
let
ip = cfg.ip;
wireguardIp = config.custom.services.wireguard.ip;
in
lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [ 53 ];
networking.firewall.allowedUDPPorts = [ 53 ];
security.acme.certs."${cfg.fqdn}".server =
"https://127.0.0.1:8443/acme/kop-acme/directory";
# nginx reverse proxy
services.nginx.virtualHosts.${cfg.fqdn} = {
forceSSL = cfg.useHttps;
enableACME = cfg.useHttps;
quic = cfg.useHttps;
http3 = cfg.useHttps;
locations."/" = {
proxyPass =
"http://127.0.0.1:${toString config.services.adguardhome.port}";
proxyWebsockets = true;
};
};
systemd.services.adguardhome = {
after = [ "nginx.service" "step-ca.service" ];
};
services.adguardhome = {
enable = true;
settings = {
schema_version = 28;
users = [{
name = "admin";
password =
"$2y$15$iPzjmUJPTwWUOsDp46GOPO/LYor/jDJjndwy2QlPddaKSD4QXvq9W";
}];
dns = {
bind_hosts = [ "127.0.0.1" ip ] ++ lib.lists.optionals config.custom.services.wireguard.enable [ wireguardIp ];
port = 53;
protection_enabled = true;
filtering_enabled = true;
upstream_dns = [
"https://dns10.quad9.net/dns-query"
"https://dns.adguard-dns.com/dns-query"
];
use_http3_upstreams = true;
security.acme.certs."${cfg.fqdn}".server =
"https://127.0.0.1:8443/acme/kop-acme/directory";
# nginx reverse proxy
services.nginx.virtualHosts.${cfg.fqdn} = {
forceSSL = cfg.useHttps;
enableACME = cfg.useHttps;
quic = cfg.useHttps;
http3 = cfg.useHttps;
locations."/" = {
proxyPass =
"http://127.0.0.1:${toString config.services.adguardhome.port}";
proxyWebsockets = true;
};
querylog = { enabled = false; };
filters = [
{
enabled = true;
url =
"https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt";
name = "adguard dns list";
id = 1;
}
{
enabled = true;
url =
"https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt";
name = "adguard block list";
id = 2;
}
{
enabled = true;
url = "https://dbl.oisd.nl/";
name = "big block list";
id = 3;
}
];
dhcp = { enabled = false; };
tls = { enabled = false; };
filtering = {
rewrites = [
};
systemd.services.adguardhome = {
after = [ "nginx.service" "step-ca.service" ];
};
services.adguardhome = {
enable = true;
settings = {
schema_version = 28;
users = [{
name = "admin";
password =
"$2y$15$iPzjmUJPTwWUOsDp46GOPO/LYor/jDJjndwy2QlPddaKSD4QXvq9W";
}];
dns = {
bind_hosts = [ "127.0.0.1" ip ] ++ lib.lists.optionals config.custom.services.wireguard.enable [ wireguardIp ];
port = 53;
protection_enabled = true;
filtering_enabled = true;
upstream_dns = [
"https://dns10.quad9.net/dns-query"
"https://dns.adguard-dns.com/dns-query"
];
use_http3_upstreams = true;
};
querylog = { enabled = false; };
filters = [
{
"domain" = "kopatz.ddns.net";
"answer" = ip;
enabled = true;
url =
"https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt";
name = "adguard dns list";
id = 1;
}
{
"domain" = "kop.oasch.net";
"answer" = ip;
enabled = true;
url =
"https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt";
name = "adguard block list";
id = 2;
}
{
"domain" = "kavita-kopatz.duckdns.org";
"answer" = ip;
enabled = true;
url = "https://dbl.oisd.nl/";
name = "big block list";
id = 3;
}
{
"domain" = "server.home";
"answer" = ip;
}
{
"domain" = "server.home.arpa";
"answer" = ip;
}
{
"domain" = "adguard.home.arpa";
"answer" = ip;
}
{
"domain" = "nextcloud.home.arpa";
"answer" = ip;
}
{
"domain" = "kavita.home.arpa";
"answer" = ip;
}
{
"domain" = "grafana.home.arpa";
"answer" = ip;
}
{
"domain" = "yt.home.arpa";
"answer" = ip;
}
{
"domain" = "nextcloud.home.arpa";
"answer" = wireguardIp;
}
{
"domain" = "kavita.home.arpa";
"answer" = wireguardIp;
}
{
"domain" = "yt.home.arpa";
"answer" = wireguardIp;
}
{
"domain" = "turnserver.home.arpa";
"answer" = wireguardIp;
}
{
"domain" = "powerline.home.arpa";
"answer" = "192.168.0.2";
}
{
"domain" = "3neo.home.arpa";
"answer" = "192.168.0.4";
}
{
"domain" = "alcatel.home.arpa";
"answer" = "192.168.0.5";
}
{
"domain" = "extender.home.arpa";
"answer" = "192.168.0.8";
}
{
"domain" = "inverter.home.arpa";
"answer" = "192.168.0.9";
}
];
dhcp = { enabled = false; };
tls = { enabled = false; };
filtering = {
rewrites = [
{
"domain" = "kopatz.ddns.net";
"answer" = ip;
}
{
"domain" = "kop.oasch.net";
"answer" = ip;
}
{
"domain" = "kavita-kopatz.duckdns.org";
"answer" = ip;
}
{
"domain" = "server.home";
"answer" = ip;
}
{
"domain" = "server.home.arpa";
"answer" = ip;
}
{
"domain" = "adguard.home.arpa";
"answer" = ip;
}
{
"domain" = "nextcloud.home.arpa";
"answer" = ip;
}
{
"domain" = "kavita.home.arpa";
"answer" = ip;
}
{
"domain" = "grafana.home.arpa";
"answer" = ip;
}
{
"domain" = "yt.home.arpa";
"answer" = ip;
}
{
"domain" = "nextcloud.home.arpa";
"answer" = wireguardIp;
}
{
"domain" = "kavita.home.arpa";
"answer" = wireguardIp;
}
{
"domain" = "yt.home.arpa";
"answer" = wireguardIp;
}
{
"domain" = "turnserver.home.arpa";
"answer" = wireguardIp;
}
{
"domain" = "powerline.home.arpa";
"answer" = "192.168.0.2";
}
{
"domain" = "3neo.home.arpa";
"answer" = "192.168.0.4";
}
{
"domain" = "alcatel.home.arpa";
"answer" = "192.168.0.5";
}
{
"domain" = "extender.home.arpa";
"answer" = "192.168.0.8";
}
{
"domain" = "inverter.home.arpa";
"answer" = "192.168.0.9";
}
];
};
};
};
};
};
}

77
modules/services/caldav.nix
View File

@@ -28,44 +28,47 @@ in {
large = [ "/var/lib/radicale/" ];
};
systemd.services.kop-fhcalendar = let
radicale = if lib.versionOlder lib.version "25.05" then
(builtins.elemAt
config.services.radicale.settings.storage.filesystem_folder 0)
else
config.services.radicale.settings.storage.filesystem_folder;
# not reproducible
working =
"${radicale}/collection-root/kopatz/b6d2c446-8109-714a-397f-1f35d3136639";
in {
description = "Download fh calendar";
wants = [ "network-online.target" ];
after = [ "network.target" "network-online.target" ];
wantedBy = [ "multi-user.target" ];
startAt = "*-*-* 06:00:00";
systemd.services.kop-fhcalendar =
let
radicale =
if lib.versionOlder lib.version "25.05" then
(builtins.elemAt
config.services.radicale.settings.storage.filesystem_folder 0)
else
config.services.radicale.settings.storage.filesystem_folder;
# not reproducible
working =
"${radicale}/collection-root/kopatz/b6d2c446-8109-714a-397f-1f35d3136639";
in
{
description = "Download fh calendar";
wants = [ "network-online.target" ];
after = [ "network.target" "network-online.target" ];
wantedBy = [ "multi-user.target" ];
startAt = "*-*-* 06:00:00";
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.kop-fhcalendar}/bin/kop-fhcalendar";
WorkingDirectory = working;
BindPaths = [ working ];
User = "radicale";
Restart = "on-failure";
RestartSec = "5s";
PrivateMounts = lib.mkDefault true;
PrivateTmp = lib.mkDefault true;
PrivateUsers = lib.mkDefault true;
ProtectClock = lib.mkDefault true;
ProtectControlGroups = lib.mkDefault true;
ProtectHome = lib.mkDefault true;
ProtectHostname = lib.mkDefault true;
ProtectKernelLogs = lib.mkDefault true;
ProtectKernelModules = lib.mkDefault true;
ProtectKernelTunables = lib.mkDefault true;
ProtectSystem = lib.mkDefault "strict";
# Needs network access
PrivateNetwork = lib.mkDefault false;
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.kop-fhcalendar}/bin/kop-fhcalendar";
WorkingDirectory = working;
BindPaths = [ working ];
User = "radicale";
Restart = "on-failure";
RestartSec = "5s";
PrivateMounts = lib.mkDefault true;
PrivateTmp = lib.mkDefault true;
PrivateUsers = lib.mkDefault true;
ProtectClock = lib.mkDefault true;
ProtectControlGroups = lib.mkDefault true;
ProtectHome = lib.mkDefault true;
ProtectHostname = lib.mkDefault true;
ProtectKernelLogs = lib.mkDefault true;
ProtectKernelModules = lib.mkDefault true;
ProtectKernelTunables = lib.mkDefault true;
ProtectSystem = lib.mkDefault "strict";
# Needs network access
PrivateNetwork = lib.mkDefault false;
};
};
};
};
}

26
modules/services/coturn.nix
View File

@@ -1,12 +1,12 @@
{ config, pkgs, lib, inputs, ... }:
{
age.secrets.coturn-secret = {
file = ../../secrets/coturn-secret.age;
owner = "turnserver";
group = "turnserver";
};
age.secrets.coturn-secret = {
file = ../../secrets/coturn-secret.age;
owner = "turnserver";
group = "turnserver";
};
networking.firewall.allowedUDPPortRanges = [ { from = 49000; to=50000; } ];
networking.firewall.allowedUDPPortRanges = [{ from = 49000; to = 50000; }];
networking.firewall.allowedUDPPorts = [ 3478 ]; #5349 ];
networking.firewall.allowedTCPPorts = [ 3478 ]; #5349 ];
@@ -21,10 +21,10 @@
use-auth-secret = true;
static-auth-secret-file = config.age.secrets.coturn-secret.path;
relay-ips = [
"192.168.2.1"
"192.168.2.1"
];
listening-ips = [
"192.168.2.1"
"192.168.2.1"
];
realm = "kopatz.ddns.net";
#cert = "${config.security.acme.certs."kopatz.ddns.net".directory}/full.pem";
@@ -65,9 +65,9 @@
};
#systemd.services.coturn = {
# serviceConfig = {
# User = lib.mkForce "root";
# Group = lib.mkForce "root";
# };
# };
# serviceConfig = {
# User = lib.mkForce "root";
# Group = lib.mkForce "root";
# };
# };
}

2
modules/services/default.nix
View File

@@ -1,4 +1,4 @@
{ pkgs, config, ...}:
{ pkgs, config, ... }:
{
imports = [
./acme.nix

16
modules/services/dyndns.nix
View File

@@ -1,12 +1,12 @@
{ config, pkgs, lib, inputs, ... }:
{
age.secrets.duckdns = {
file = ../../secrets/duckdns.age;
};
services.ddclient = {
enable = true;
protocol = "duckdns";
passwordFile = config.age.secrets.duckdns.path;
domains = ["wachbirn.duckdns.org"];
age.secrets.duckdns = {
file = ../../secrets/duckdns.age;
};
services.ddclient = {
enable = true;
protocol = "duckdns";
passwordFile = config.age.secrets.duckdns.path;
domains = [ "wachbirn.duckdns.org" ];
};
}

14
modules/services/fileshelter.nix
View File

@@ -13,17 +13,17 @@ in
};
config = lib.mkIf cfg.enable {
users.users.fileshelter = {
isSystemUser = true;
uid = cfg.uid;
group = "fileshelter";
isSystemUser = true;
uid = cfg.uid;
group = "fileshelter";
};
users.groups.fileshelter = {};
users.groups.fileshelter = { };
age.secrets.fileshelter-conf = {
file = ../../secrets/fileshelter-conf.age;
owner = "fileshelter";
file = ../../secrets/fileshelter-conf.age;
owner = "fileshelter";
};
systemd.tmpfiles.rules = [
"d /data/fileshelter 0770 fileshelter fileshelter -"
"d /data/fileshelter 0770 fileshelter fileshelter -"
];
custom.misc.docker.enable = true;
virtualisation.oci-containers.backend = "docker";

2
modules/services/games/default.nix
View File

@@ -1,4 +1,4 @@
{ pkgs, config, ...}:
{ pkgs, config, ... }:
{
imports = [
./terraria.nix

102
modules/services/games/palworld.nix
View File

@@ -1,59 +1,61 @@
# valheim.nix
{config, pkgs, lib, ...}: let
{ config, pkgs, lib, ... }:
let
join = builtins.concatStringsSep " ";
in {
in
{
services.cron = {
enable = true;
systemCronJobs = [
"0 6 * * * root systemctl restart palworld"
];
};
services.cron = {
enable = true;
systemCronJobs = [
"0 6 * * * root systemctl restart palworld"
];
};
networking.firewall.allowedUDPPorts = [ 8211 ]; #5349 ];
users.users.palworld = {
isSystemUser = true;
# Valheim puts save data in the home directory.
home = "/var/lib/palworld";
createHome = true;
homeMode = "750";
group = "palworld";
};
networking.firewall.allowedUDPPorts = [ 8211 ]; #5349 ];
users.users.palworld = {
isSystemUser = true;
# Valheim puts save data in the home directory.
home = "/var/lib/palworld";
createHome = true;
homeMode = "750";
group = "palworld";
};
users.groups.palworld = {};
users.groups.palworld = { };
systemd.services.palworld = {
wantedBy = [ "multi-user.target" ];
systemd.services.palworld = {
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
serviceConfig = {
ExecStartPre = join [
"${pkgs.steamcmd}/bin/steamcmd"
"+force_install_dir /var/lib/palworld"
"+login anonymous"
"+app_update 2394010"
"+quit"
"&& mkdir -p /var/lib/palworld/.steam/sdk64"
"&& cp /var/lib/palworld/linux64/steamclient.so /var/lib/palworld/.steam/sdk64/."
];
ExecStart = join [
"${pkgs.steam-run}/bin/steam-run /var/lib/palworld/Pal/Binaries/Linux/PalServer-Linux-Test Pal"
"-useperfthreads"
"-NoAsyncLoadingThread"
"-UseMultithreadForDS"
];
Nice = "-5";
PrivateTmp = true;
Restart = "on-failure";
User = "palworld";
WorkingDirectory = "~";
};
environment = {
# linux64 directory is required by Valheim.
LD_LIBRARY_PATH = "/var/lib/palworld/linux64:${pkgs.glibc}/lib";
SteamAppId = "2394010";
};
};
serviceConfig = {
ExecStartPre = join [
"${pkgs.steamcmd}/bin/steamcmd"
"+force_install_dir /var/lib/palworld"
"+login anonymous"
"+app_update 2394010"
"+quit"
"&& mkdir -p /var/lib/palworld/.steam/sdk64"
"&& cp /var/lib/palworld/linux64/steamclient.so /var/lib/palworld/.steam/sdk64/."
];
ExecStart = join [
"${pkgs.steam-run}/bin/steam-run /var/lib/palworld/Pal/Binaries/Linux/PalServer-Linux-Test Pal"
"-useperfthreads"
"-NoAsyncLoadingThread"
"-UseMultithreadForDS"
];
Nice = "-5";
PrivateTmp = true;
Restart = "on-failure";
User = "palworld";
WorkingDirectory = "~";
};
environment = {
# linux64 directory is required by Valheim.
LD_LIBRARY_PATH = "/var/lib/palworld/linux64:${pkgs.glibc}/lib";
SteamAppId = "2394010";
};
};
}

54
modules/services/grafana.nix
View File

@@ -1,4 +1,4 @@
{pkgs, config, lib, ...}:
{ pkgs, config, lib, ... }:
let
useHttps = config.services.step-ca.enable;
fqdn = "grafana.home.arpa";
@@ -25,25 +25,25 @@ in
};
provision.alerting.contactPoints.path = config.age.secrets.grafana-contact-points.path;
provision.alerting.policies.path = ./grafana/notification-policies.yml;
provision.alerting.policies.path = ./grafana/notification-policies.yml;
provision.alerting.templates.path = ./grafana/alerts.yml;
provision.datasources.settings = {
datasources =
[
{
name = "DS_PROMETHEUS";
url = "http://127.0.0.1:${toString config.services.prometheus.port}";
type = "prometheus";
isDefault = true;
# This has to match the prometheus scrape interval, otherwise the $__rate_interval variable wont work.
jsonData.timeInterval = "60s";
}
{
name = "loki";
url = "http://localhost:3100";
type = "loki";
}
];
datasources =
[
{
name = "DS_PROMETHEUS";
url = "http://127.0.0.1:${toString config.services.prometheus.port}";
type = "prometheus";
isDefault = true;
# This has to match the prometheus scrape interval, otherwise the $__rate_interval variable wont work.
jsonData.timeInterval = "60s";
}
{
name = "loki";
url = "http://localhost:3100";
type = "loki";
}
];
};
provision.dashboards.settings.providers = [{
name = "provisioned-dashboards";
@@ -63,8 +63,8 @@ in
quic = useHttps;
http3 = useHttps;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
proxyWebsockets = true;
proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
proxyWebsockets = true;
};
};
@@ -91,7 +91,7 @@ in
settings.namespaces = [
{
name = "nginxlog";
source.files = ["/var/log/nginx/access.log"];
source.files = [ "/var/log/nginx/access.log" ];
format = "$remote_addr - $remote_user [$time_local] \"$request\" $status $body_bytes_sent \"$http_referer\" \"$http_user_agent\"";
}
];
@@ -101,18 +101,18 @@ in
{
job_name = "scrapema";
static_configs = [{
targets = [
"127.0.0.1:${toString config.services.prometheus.exporters.node.port}"
] ++
(lib.optional config.services.cadvisor.enable "${config.services.cadvisor.listenAddress}:${toString config.services.cadvisor.port}") ++
targets = [
"127.0.0.1:${toString config.services.prometheus.exporters.node.port}"
] ++
(lib.optional config.services.cadvisor.enable "${config.services.cadvisor.listenAddress}:${toString config.services.cadvisor.port}") ++
(lib.optional config.services.prometheus.exporters.nginx.enable "127.0.0.1:${toString config.services.prometheus.exporters.nginx.port}") ++
(lib.optional config.services.prometheus.exporters.nginxlog.enable "127.0.0.1:${toString config.services.prometheus.exporters.nginxlog.port}")
;
}];
}];
}
];
};
services.cadvisor = {
enable = true;
listenAddress = "127.0.0.1";

4
modules/services/home-assistant.nix
View File

@@ -13,7 +13,7 @@
config = {
# Includes dependencies for a basic setup
# https://www.home-assistant.io/integrations/default_config/
default_config = {};
default_config = { };
};
};
}
}

2
modules/services/invidious.nix
View File

@@ -1,4 +1,4 @@
{ config, vars, ...} :
{ config, vars, ... }:
let
fqdn = "yt.home.arpa";
useHttps = config.services.step-ca.enable;

245
modules/services/kavita.nix
View File

@@ -21,133 +21,138 @@ in {
};
isTest = mkEnableOption "Is this a test vm?";
};
config = let
fqdn = "kavita-kopatz.duckdns.org";
useStepCa = false; # config.services.step-ca.enable;
useHttps = cfg.https;
baseDir = cfg.dir;
mangal = "${pkgs.mangal-patched}/bin/mangal";
githubRunnerEnabled = config.services.github-runners ? oberprofis.enable;
in lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [ 5000 ];
systemd.tmpfiles.rules = [
(if githubRunnerEnabled then
"d ${baseDir} 0750 kavita github-actions-runner -"
else
"d ${baseDir} 0770 kavita kavita -")
"d ${baseDir}/manga 0770 kavita kavita -"
] ++ lib.optional githubRunnerEnabled
"d ${baseDir}/github 0770 github-actions-runner kavita -";
config =
let
fqdn = "kavita-kopatz.duckdns.org";
useStepCa = false; # config.services.step-ca.enable;
useHttps = cfg.https;
baseDir = cfg.dir;
mangal = "${pkgs.mangal-patched}/bin/mangal";
githubRunnerEnabled = config.services.github-runners ? oberprofis.enable;
in
lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [ 5000 ];
systemd.tmpfiles.rules = [
(if githubRunnerEnabled then
"d ${baseDir} 0750 kavita github-actions-runner -"
else
"d ${baseDir} 0770 kavita kavita -")
"d ${baseDir}/manga 0770 kavita kavita -"
] ++ lib.optional githubRunnerEnabled
"d ${baseDir}/github 0770 github-actions-runner kavita -";
age.secrets.kavita = mkIf (!cfg.isTest) {
file = ../../secrets/kavita.age;
owner = "kavita";
group = "kavita";
};
services.kavita = {
enable = true;
user = "kavita";
package = let
backend = pkgs.unstable.kavita.backend.overrideAttrs
(old: { patches = old.patches ++ [ ./kavita-patches-chapter-parsing.diff ./kavita-page-size.diff ]; });
kavitaPatched = pkgs.unstable.kavita.overrideAttrs (old: { backend = backend; });
in kavitaPatched;
settings = {
Port = 5000;
IpAddresses = "127.0.0.1";
BaseUrl = "/kavita";
age.secrets.kavita = mkIf (!cfg.isTest) {
file = ../../secrets/kavita.age;
owner = "kavita";
group = "kavita";
};
dataDir = baseDir;
tokenKeyFile = if cfg.isTest then
(builtins.toFile "test"
"wWKNeGUslGILrUUp8Dnn4xyYnivZWBb8uqjKg3ALyCs7reV5v3CtE/E2b6i0Mwz1Xw1p9a0wcduRDNoa8Yh8kQ==")
else
config.age.secrets.kavita.path;
};
#todo: base url needs new kavita version
systemd.services = {
kavita = {
after = [ "nginx.service" ] ++ lib.optional useStepCa "step-ca.service";
services.kavita = {
enable = true;
user = "kavita";
package =
let
backend = pkgs.unstable.kavita.backend.overrideAttrs
(old: { patches = old.patches ++ [ ./kavita-patches-chapter-parsing.diff ./kavita-page-size.diff ]; });
kavitaPatched = pkgs.unstable.kavita.overrideAttrs (old: { backend = backend; });
in
kavitaPatched;
settings = {
Port = 5000;
IpAddresses = "127.0.0.1";
BaseUrl = "/kavita";
};
dataDir = baseDir;
tokenKeyFile =
if cfg.isTest then
(builtins.toFile "test"
"wWKNeGUslGILrUUp8Dnn4xyYnivZWBb8uqjKg3ALyCs7reV5v3CtE/E2b6i0Mwz1Xw1p9a0wcduRDNoa8Yh8kQ==")
else
config.age.secrets.kavita.path;
};
download-manga = mkIf cfg.autoDownload {
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
startAt = "*-*-* 19:00:00";
restartIfChanged = false;
script = ''
${mangal} clear -q
${mangal} clear -c
${mangal} inline -S Mangapill -q omniscient -m first -d
${mangal} inline -S Mangapill --query "oshi-no-ko" --manga first --download
${mangal} inline -S Mangapill --query "Frieren" --manga first --download -f
${mangal} inline -S Mangapill --query "Chainsaw" --manga first --download
${mangal} inline -S Mangapill --query "Jujutsu%20Kaisen" --manga first --download
${mangal} inline -S Mangapill --query "solo-leveling" --manga first --download
${mangal} inline -S Mangapill --query "the-greatest-real-estate" --manga first --download
${mangal} inline -S Mangapill --query "66666_years" --manga first --download
${mangal} inline -S Mangapill --query "Return_of_the_blossoming" --manga first --download
${mangal} inline -S Mangapill --query "path_of_the_shaman" --manga first --download
${mangal} inline -S Mangapill --query "pick_me_up" --manga first --download
${mangal} inline -S Mangapill --query "revenge_of_the_iron_blooded" --manga first --download
${mangal} inline -S Mangapill --query "northern_blade" --manga first --download
${mangal} inline -S Mangapill --query "Dungeon_reset" --manga first --download
${mangal} inline -S Mangapill --query "iruma-kun" --manga first --download
${mangal} inline -S Manganato --query "grand_blue" --manga first --download
${mangal} inline -S Manganato --query "sss-class_suicide" --manga first --download
${mangal} inline -S Manganato --query "cultivation_chat" --manga first --download
${mangal} inline -S Manganato --query "gokushufudo" --manga first --download
${mangal} inline -S Manganato --query "slime" --manga first --download
${mangal} inline -S Manganato --query "nano_machine" --manga first --download
${mangal} inline -S Manganato --query "kill_the_hero" --manga first --download
${mangal} inline -S Manganato --query "Seoul_Station_Necromancer" --manga first --download
${mangal} inline -S Manganato --query "grandmaster_of_demonic" --manga first --download
${mangal} inline -S Manganato --query "becoming_the_monarch" --manga first --download
${mangal} inline -S Manganato --query "sleeping" --manga first --download
${mangal} inline -S Manganato --query "Terror_man" --manga first --download
${mangal} inline -S Manganato --query "I_Stole_the_Number_One_Ranker" --manga first --download
${mangal} inline -S Manganato --query "hidan_no_aria" --manga first --download
${mangal} inline -S AsuraScans --query "the_max_level_hero" --manga first --download
${mangal} inline -S Manganato --query "Parallel_City" --manga first --download
${mangal} inline -S Manganato --query "Existence" --manga first --download
${mangal} inline -S Mangapill --query "Call_of_the_Night" --manga first --download
'';
serviceConfig = {
PrivateTmp = true;
User = "kavita";
Group = "kavita";
Type = "oneshot";
WorkingDirectory = "${baseDir}/manga";
#todo: base url needs new kavita version
systemd.services = {
kavita = {
after = [ "nginx.service" ] ++ lib.optional useStepCa "step-ca.service";
};
download-manga = mkIf cfg.autoDownload {
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
startAt = "*-*-* 19:00:00";
restartIfChanged = false;
script = ''
${mangal} clear -q
${mangal} clear -c
${mangal} inline -S Mangapill -q omniscient -m first -d
${mangal} inline -S Mangapill --query "oshi-no-ko" --manga first --download
${mangal} inline -S Mangapill --query "Frieren" --manga first --download -f
${mangal} inline -S Mangapill --query "Chainsaw" --manga first --download
${mangal} inline -S Mangapill --query "Jujutsu%20Kaisen" --manga first --download
${mangal} inline -S Mangapill --query "solo-leveling" --manga first --download
${mangal} inline -S Mangapill --query "the-greatest-real-estate" --manga first --download
${mangal} inline -S Mangapill --query "66666_years" --manga first --download
${mangal} inline -S Mangapill --query "Return_of_the_blossoming" --manga first --download
${mangal} inline -S Mangapill --query "path_of_the_shaman" --manga first --download
${mangal} inline -S Mangapill --query "pick_me_up" --manga first --download
${mangal} inline -S Mangapill --query "revenge_of_the_iron_blooded" --manga first --download
${mangal} inline -S Mangapill --query "northern_blade" --manga first --download
${mangal} inline -S Mangapill --query "Dungeon_reset" --manga first --download
${mangal} inline -S Mangapill --query "iruma-kun" --manga first --download
${mangal} inline -S Manganato --query "grand_blue" --manga first --download
${mangal} inline -S Manganato --query "sss-class_suicide" --manga first --download
${mangal} inline -S Manganato --query "cultivation_chat" --manga first --download
${mangal} inline -S Manganato --query "gokushufudo" --manga first --download
${mangal} inline -S Manganato --query "slime" --manga first --download
${mangal} inline -S Manganato --query "nano_machine" --manga first --download
${mangal} inline -S Manganato --query "kill_the_hero" --manga first --download
${mangal} inline -S Manganato --query "Seoul_Station_Necromancer" --manga first --download
${mangal} inline -S Manganato --query "grandmaster_of_demonic" --manga first --download
${mangal} inline -S Manganato --query "becoming_the_monarch" --manga first --download
${mangal} inline -S Manganato --query "sleeping" --manga first --download
${mangal} inline -S Manganato --query "Terror_man" --manga first --download
${mangal} inline -S Manganato --query "I_Stole_the_Number_One_Ranker" --manga first --download
${mangal} inline -S Manganato --query "hidan_no_aria" --manga first --download
${mangal} inline -S AsuraScans --query "the_max_level_hero" --manga first --download
${mangal} inline -S Manganato --query "Parallel_City" --manga first --download
${mangal} inline -S Manganato --query "Existence" --manga first --download
${mangal} inline -S Mangapill --query "Call_of_the_Night" --manga first --download
'';
serviceConfig = {
PrivateTmp = true;
User = "kavita";
Group = "kavita";
Type = "oneshot";
WorkingDirectory = "${baseDir}/manga";
};
};
};
};
# services.nginx.virtualHosts."kopatz.ddns.net".locations."/kavita" = {
# proxyPass = "http://127.0.0.1:5000";
# extraConfig = ''
# add_header Access-Control-Allow-Origin *;
# add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
# add_header Access-Control-Allow-Headers "Authorization, Origin, X-Requested-With, Content-Type, Accept";
# '';
# };
security.acme.certs."${fqdn}" = lib.mkIf useStepCa {
server = "https://127.0.0.1:8443/acme/kop-acme/directory";
# services.nginx.virtualHosts."kopatz.ddns.net".locations."/kavita" = {
# proxyPass = "http://127.0.0.1:5000";
# extraConfig = ''
# add_header Access-Control-Allow-Origin *;
# add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
# add_header Access-Control-Allow-Headers "Authorization, Origin, X-Requested-With, Content-Type, Accept";
# '';
# };
security.acme.certs."${fqdn}" = lib.mkIf useStepCa {
server = "https://127.0.0.1:8443/acme/kop-acme/directory";
};
services.nginx.virtualHosts."${fqdn}" = {
forceSSL = useHttps;
enableACME = useHttps;
quic = useHttps;
http3 = useHttps;
locations."/".proxyPass = "http://127.0.0.1:5000";
locations."/".extraConfig = ''
more_clear_headers 'x-frame-options';
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
add_header Access-Control-Allow-Headers "Authorization, Origin, X-Requested-With, Content-Type, Accept";
'';
};
};
services.nginx.virtualHosts."${fqdn}" = {
forceSSL = useHttps;
enableACME = useHttps;
quic = useHttps;
http3 = useHttps;
locations."/".proxyPass = "http://127.0.0.1:5000";
locations."/".extraConfig = ''
more_clear_headers 'x-frame-options';
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
add_header Access-Control-Allow-Headers "Authorization, Origin, X-Requested-With, Content-Type, Accept";
'';
};
};
}

68
modules/services/kubernetes.nix
View File

@@ -1,4 +1,4 @@
{ pkgs, config, lib, ...}:
{ pkgs, config, lib, ... }:
# idk, dont need this
with lib;
let
@@ -6,38 +6,40 @@ let
in
{
options.custom.services.kubernetes = {
enable = mkEnableOption "Enables kubernetes";
enable = mkEnableOption "Enables kubernetes";
};
config = let
kubeMasterIP = "localhost";
kubeMasterHostname = "localhost";
in lib.mkIf cfg.enable {
config =
let
kubeMasterIP = "localhost";
kubeMasterHostname = "localhost";
in
lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [
6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
# 2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration
# 2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration
];
networking.firewall.allowedUDPPorts = [
# 8472 # k3s, flannel: required if using multi-node for inter-node networking
];
services.k3s.enable = true;
services.k3s.role = "server";
services.k3s.extraFlags = toString [
# "--kubelet-arg=v=4" # Optionally add additional args to k3s
];
environment.systemPackages = with pkgs; [
k3s
];
#services.kubernetes = {
# roles = ["master" "node"];
# masterAddress = "localhost";
# apiserverAddress = "https://localhost:6443";
# apiserver = {
# advertiseAddress = "127.0.0.1";
# securePort = 6443;
# allowPrivileged = true;
# };
#};
};
networking.firewall.allowedTCPPorts = [
6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
# 2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration
# 2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration
];
networking.firewall.allowedUDPPorts = [
# 8472 # k3s, flannel: required if using multi-node for inter-node networking
];
services.k3s.enable = true;
services.k3s.role = "server";
services.k3s.extraFlags = toString [
# "--kubelet-arg=v=4" # Optionally add additional args to k3s
];
environment.systemPackages = with pkgs; [
k3s
];
#services.kubernetes = {
# roles = ["master" "node"];
# masterAddress = "localhost";
# apiserverAddress = "https://localhost:6443";
# apiserver = {
# advertiseAddress = "127.0.0.1";
# securePort = 6443;
# allowPrivileged = true;
# };
#};
};
}

126
modules/services/minecraft-server.nix
View File

@@ -1,66 +1,66 @@
{ pkgs, ...}:
{ pkgs, ... }:
{
services.minecraft-server = {
enable = true;
eula = true;
openFirewall = true;
package = pkgs.unstable.papermc;
declarative = true;
whitelist = {
coolBayram = "514afd03-8ca2-4f60-abe4-4c2a365d223b";
filipus098 = "a09fb009-be78-4e26-9f33-1534186e2228";
};
serverProperties = {
allow-flight=true;
allow-nether=true;
broadcast-console-to-ops=true;
broadcast-rcon-to-ops=true;
debug=false;
difficulty="hard";
enable-command-block=false;
enable-jmx-monitoring=false;
enable-query=false;
enable-rcon=false;
enable-status=true;
enforce-secure-profile=true;
enforce-whitelist=false;
entity-broadcast-range-percentage=100;
force-gamemode=false;
function-permission-level=2;
gamemode="survival";
generate-structures=true;
hardcore=false;
hide-online-players=false;
initial-enabled-packs="vanilla";
level-name="budak";
level-type="minecraft\:normal";
log-ips=true;
max-chained-neighbor-updates=1000000;
max-players=5;
max-tick-time=60000;
max-world-size=29999984;
motd="A Minecraft Server";
network-compression-threshold=256;
online-mode=true;
op-permission-level=4;
player-idle-timeout=0;
prevent-proxy-connections=false;
pvp=true;
"query.port"=25565;
rate-limit=0;
"rcon.password"="123asdadsqwe123123";
"rcon.port"=25575;
require-resource-pack=false;
server-port=25565;
simulation-distance=10;
spawn-animals=true;
spawn-monsters=true;
spawn-npcs=true;
spawn-protection=16;
sync-chunk-writes=true;
use-native-transport=true;
view-distance=10;
white-list=true;
};
services.minecraft-server = {
enable = true;
eula = true;
openFirewall = true;
package = pkgs.unstable.papermc;
declarative = true;
whitelist = {
coolBayram = "514afd03-8ca2-4f60-abe4-4c2a365d223b";
filipus098 = "a09fb009-be78-4e26-9f33-1534186e2228";
};
serverProperties = {
allow-flight = true;
allow-nether = true;
broadcast-console-to-ops = true;
broadcast-rcon-to-ops = true;
debug = false;
difficulty = "hard";
enable-command-block = false;
enable-jmx-monitoring = false;
enable-query = false;
enable-rcon = false;
enable-status = true;
enforce-secure-profile = true;
enforce-whitelist = false;
entity-broadcast-range-percentage = 100;
force-gamemode = false;
function-permission-level = 2;
gamemode = "survival";
generate-structures = true;
hardcore = false;
hide-online-players = false;
initial-enabled-packs = "vanilla";
level-name = "budak";
level-type = "minecraft\:normal";
log-ips = true;
max-chained-neighbor-updates = 1000000;
max-players = 5;
max-tick-time = 60000;
max-world-size = 29999984;
motd = "A Minecraft Server";
network-compression-threshold = 256;
online-mode = true;
op-permission-level = 4;
player-idle-timeout = 0;
prevent-proxy-connections = false;
pvp = true;
"query.port" = 25565;
rate-limit = 0;
"rcon.password" = "123asdadsqwe123123";
"rcon.port" = 25575;
require-resource-pack = false;
server-port = 25565;
simulation-distance = 10;
spawn-animals = true;
spawn-monsters = true;
spawn-npcs = true;
spawn-protection = 16;
sync-chunk-writes = true;
use-native-transport = true;
view-distance = 10;
white-list = true;
};
};
}

4
modules/services/netdata.nix
View File

@@ -1,5 +1,5 @@
{ vars, ... }:
let
let
ip = vars.ipv4;
wireguardIp = vars.wireguardIp;
in
@@ -54,6 +54,6 @@ in
perf = no
freeipmi = no
apps = yes
'';
'';
};
}

120
modules/services/nextcloud.nix
View File

@@ -5,70 +5,70 @@ let
useHttps = config.services.step-ca.enable;
in
{
imports = [ ./postgres.nix ];
security.acme.certs."${fqdn}".server = "https://127.0.0.1:8443/acme/kop-acme/directory";
services.nginx = {
enable = true;
imports = [ ./postgres.nix ];
security.acme.certs."${fqdn}".server = "https://127.0.0.1:8443/acme/kop-acme/directory";
services.nginx = {
enable = true;
# Use recommended settings
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# Use recommended settings
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# Only allow PFS-enabled ciphers with AES256
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
# Only allow PFS-enabled ciphers with AES256
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
# Setup Nextcloud virtual host to listen on ports
virtualHosts = {
"${fqdn}" = {
serverAliases = [ wireguardIp ];
## Force HTTP redirect to HTTPS
forceSSL = useHttps;
enableACME = useHttps;
locations."~ \\.php(?:$|/)".extraConfig = ''
client_max_body_size 20G;
'';
};
};
# Setup Nextcloud virtual host to listen on ports
virtualHosts = {
"${fqdn}" = {
serverAliases = [ wireguardIp ];
## Force HTTP redirect to HTTPS
forceSSL = useHttps;
enableACME = useHttps;
locations."~ \\.php(?:$|/)".extraConfig = ''
client_max_body_size 20G;
'';
};
};
};
age.secrets.nextcloud-admin = {
file = ../../secrets/nextcloud-admin.age;
owner = "nextcloud";
group = "nextcloud";
};
services.nextcloud = {
enable = true;
package = pkgs.nextcloud28;
https = true;
hostName = "nextcloud.home.arpa";
config.adminpassFile = config.age.secrets.nextcloud-admin.path;
config.dbtype = "pgsql";
database.createLocally = true;
settings.trusted_domains = [ wireguardIp "nextcloud.home.arpa" ];
home = "/mnt/250ssd/nextcloud";
extraApps = with config.services.nextcloud.package.packages.apps; {
inherit onlyoffice calendar mail;
};
age.secrets.nextcloud-admin = {
file = ../../secrets/nextcloud-admin.age;
owner = "nextcloud";
group = "nextcloud";
};
services.nextcloud = {
enable = true;
package = pkgs.nextcloud28;
https = true;
hostName = "nextcloud.home.arpa";
config.adminpassFile = config.age.secrets.nextcloud-admin.path;
config.dbtype = "pgsql";
database.createLocally = true;
settings.trusted_domains = [ wireguardIp "nextcloud.home.arpa" ];
home = "/mnt/250ssd/nextcloud";
extraApps = with config.services.nextcloud.package.packages.apps; {
inherit onlyoffice calendar mail;
};
phpOptions = {
upload_max_filesize = lib.mkForce "20G";
post_max_size = lib.mkForce "20G";
};
extraAppsEnable = true;
settings.enabledPreviewProviders = [
"OC\\Preview\\BMP"
"OC\\Preview\\GIF"
"OC\\Preview\\JPEG"
"OC\\Preview\\Krita"
"OC\\Preview\\MarkDown"
"OC\\Preview\\MP3"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\PNG"
"OC\\Preview\\TXT"
"OC\\Preview\\XBitmap"
"OC\\Preview\\HEIC"
];
phpOptions = {
upload_max_filesize = lib.mkForce "20G";
post_max_size = lib.mkForce "20G";
};
extraAppsEnable = true;
settings.enabledPreviewProviders = [
"OC\\Preview\\BMP"
"OC\\Preview\\GIF"
"OC\\Preview\\JPEG"
"OC\\Preview\\Krita"
"OC\\Preview\\MarkDown"
"OC\\Preview\\MP3"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\PNG"
"OC\\Preview\\TXT"
"OC\\Preview\\XBitmap"
"OC\\Preview\\HEIC"
];
};
}

124
modules/services/nginx.nix
View File

@@ -45,72 +45,74 @@ in {
more_set_headers "Permissions-Policy: geolocation=(), microphone=()";
'';
virtualHosts = let
kopConfig = {
root = pkgs.kop-website;
forceSSL = cfg.https;
enableACME = cfg.https;
quic = cfg.https;
http3 = cfg.https;
locations = {
"~* \\.(jpg|png)$".extraConfig = ''
add_header Access-Control-Allow-Origin *;
'';
"/stash" = {
basicAuthFile = config.age.secrets.stash-auth.path;
extraConfig = ''
client_max_body_size 20000M;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:7777;
virtualHosts =
let
kopConfig = {
root = pkgs.kop-website;
forceSSL = cfg.https;
enableACME = cfg.https;
quic = cfg.https;
http3 = cfg.https;
locations = {
"~* \\.(jpg|png)$".extraConfig = ''
add_header Access-Control-Allow-Origin *;
'';
};
"/tracker-site" = {
tryFiles = "$uri $uri/ /tracker-site/index.html =404";
};
"/tracker-site/api" = {
extraConfig = ''
rewrite /tracker-site/api/(.*) /$1 break;
'';
proxyPass = "http://127.0.0.1:8080";
};
"/radicale/" = {
extraConfig = ''
proxy_set_header X-Script-Name /radicale;
'';
proxyPass = "http://localhost:5232/";
};
"/socket.io" = { proxyPass = "http://localhost:9955"; proxyWebsockets = true; };
"/comms/" = {
extraConfig = ''
"/stash" = {
basicAuthFile = config.age.secrets.stash-auth.path;
extraConfig = ''
client_max_body_size 20000M;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:7777;
'';
};
"/tracker-site" = {
tryFiles = "$uri $uri/ /tracker-site/index.html =404";
};
"/tracker-site/api" = {
extraConfig = ''
rewrite /tracker-site/api/(.*) /$1 break;
'';
proxyPass = "http://127.0.0.1:8080";
};
"/radicale/" = {
extraConfig = ''
proxy_set_header X-Script-Name /radicale;
'';
proxyPass = "http://localhost:5232/";
};
"/socket.io" = { proxyPass = "http://localhost:9955"; proxyWebsockets = true; };
"/comms/" = {
extraConfig = ''
more_set_headers "Permissions-Policy: geolocation=(), microphone=(self), camera=(self)";
'';
alias = "/comms/";
tryFiles = "$uri $uri/ /comms/index.html";
};
"/comms" = {
extraConfig = ''
return 301 /comms/;
'';
};
"/kavita-client" = {
extraConfig = ''
return 301 /kavita-client/;
'';
};
"/kavita-client/" = {
alias = "/kavita-client/";
'';
alias = "/comms/";
tryFiles = "$uri $uri/ /comms/index.html";
};
"/comms" = {
extraConfig = ''
return 301 /comms/;
'';
};
"/kavita-client" = {
extraConfig = ''
return 301 /kavita-client/;
'';
};
"/kavita-client/" = {
alias = "/kavita-client/";
};
};
};
in
{
"kopatz.ddns.net" = kopConfig;
"kop.oasch.net" = kopConfig;
};
in {
"kopatz.ddns.net" = kopConfig;
"kop.oasch.net" = kopConfig;
};
};
};
}

28
modules/services/paperless.nix
View File

@@ -1,20 +1,20 @@
{ config, pkgs, lib, inputs, vars, ... }:
let
let
ip = vars.ipv4;
wireguardIp = vars.wireguardIp;
in
{
networking.firewall.allowedTCPPorts = [ 28981 ];
age.secrets.paperless = {
file = ../../secrets/paperless.age;
owner = "paperless";
group = "paperless";
};
services.paperless = {
enable = true;
port = 28981;
passwordFile = config.age.secrets.paperless.path;
address = wireguardIp;
mediaDir = "/mnt/250ssd/paperless";
};
networking.firewall.allowedTCPPorts = [ 28981 ];
age.secrets.paperless = {
file = ../../secrets/paperless.age;
owner = "paperless";
group = "paperless";
};
services.paperless = {
enable = true;
port = 28981;
passwordFile = config.age.secrets.paperless.path;
address = wireguardIp;
mediaDir = "/mnt/250ssd/paperless";
};
}

40
modules/services/postgres.nix
View File

@@ -1,23 +1,23 @@
{ pkgs, ... }:
{
services.postgresql = {
enable = true;
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method optional_ident_map
local sameuser all peer map=superuser_map
local all postgres peer
'';
identMap = ''
# ArbitraryMapName systemUser DBUser
superuser_map root postgres
superuser_map postgres postgres
# Let other names login as themselves
superuser_map /^(.*)$ \1
'';
};
services.postgresqlBackup = {
enable = true;
location = "/var/backup/postgresql";
backupAll = true;
};
services.postgresql = {
enable = true;
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method optional_ident_map
local sameuser all peer map=superuser_map
local all postgres peer
'';
identMap = ''
# ArbitraryMapName systemUser DBUser
superuser_map root postgres
superuser_map postgres postgres
# Let other names login as themselves
superuser_map /^(.*)$ \1
'';
};
services.postgresqlBackup = {
enable = true;
location = "/var/backup/postgresql";
backupAll = true;
};
}

6
modules/services/rdp.nix
View File

@@ -3,7 +3,7 @@ let
wm = vars.wm;
in
{
services.xrdp.enable = true;
services.xrdp.defaultWindowManager = wm;
services.xrdp.openFirewall = true;
services.xrdp.enable = true;
services.xrdp.defaultWindowManager = wm;
services.xrdp.openFirewall = true;
}

68
modules/services/samba.nix
View File

@@ -1,37 +1,37 @@
{
#services.samba-wsdd.enable = true; # make shares visible for windows 10 clients
#networking.firewall.allowedTCPPorts = [
#5357 # wsdd
#];
#networking.firewall.allowedUDPPorts = [
#3702 # wsdd
#];
services.samba.openFirewall = true;
services.samba = {
enable = true;
securityType = "user";
invalidUsers = [
"root"
];
extraConfig = ''
disable netbios = yes
smb ports = 445
workgroup = WORKGROUP
server string = smbnix
security = user
#use sendfile = yes
#max protocol = smb2
# note: localhost is the ipv6 localhost ::1
hosts allow = 192.168.0. 192.168.174.1 127.0.0.1 localhost
hosts deny = 0.0.0.0/0
guest account = nobody
map to guest = bad user
'';
shares = {
homes = {
browseable = "no";
writable = "yes";
};
};
#services.samba-wsdd.enable = true; # make shares visible for windows 10 clients
#networking.firewall.allowedTCPPorts = [
#5357 # wsdd
#];
#networking.firewall.allowedUDPPorts = [
#3702 # wsdd
#];
services.samba.openFirewall = true;
services.samba = {
enable = true;
securityType = "user";
invalidUsers = [
"root"
];
extraConfig = ''
disable netbios = yes
smb ports = 445
workgroup = WORKGROUP
server string = smbnix
security = user
#use sendfile = yes
#max protocol = smb2
# note: localhost is the ipv6 localhost ::1
hosts allow = 192.168.0. 192.168.174.1 127.0.0.1 localhost
hosts deny = 0.0.0.0/0
guest account = nobody
map to guest = bad user
'';
shares = {
homes = {
browseable = "no";
writable = "yes";
};
};
};
}

3
modules/services/smartd.nix
View File

@@ -17,7 +17,8 @@ let
--data "$JSON"
'';
cfg = config.custom.services.smartd;
in {
in
{
options.custom.services.smartd = {
enable = lib.mkEnableOption "Enables smartd monitoring";

28
modules/services/ssh.nix
View File

@@ -1,16 +1,16 @@
{
networking.firewall.allowedTCPPorts = [ 22 ];
services.openssh = {
enable = true;
allowSFTP = false;
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
settings.X11Forwarding = false;
settings.PermitRootLogin = "prohibit-password";
extraConfig = ''
AllowAgentForwarding no
AllowStreamLocalForwarding no
AuthenticationMethods publickey
'';
};
networking.firewall.allowedTCPPorts = [ 22 ];
services.openssh = {
enable = true;
allowSFTP = false;
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
settings.X11Forwarding = false;
settings.PermitRootLogin = "prohibit-password";
extraConfig = ''
AllowAgentForwarding no
AllowStreamLocalForwarding no
AuthenticationMethods publickey
'';
};
}

54
modules/services/step-ca.nix
View File

@@ -2,33 +2,33 @@
let
root_ca =
''
-----BEGIN CERTIFICATE-----
MIIBjTCCATKgAwIBAgIRAMVH2+JHZ3wm2fLUlKjTYDswCgYIKoZIzj0EAwIwJDEM
MAoGA1UEChMDS29wMRQwEgYDVQQDEwtLb3AgUm9vdCBDQTAeFw0yMzEyMDgxNDUx
MTZaFw0zMzEyMDUxNDUxMTZaMCQxDDAKBgNVBAoTA0tvcDEUMBIGA1UEAxMLS29w
IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATdZBOkNynShXipzhuX
f6dUByD3chNupNWsagYC5AlPRJT9fAeHEIK/bxWkFwRtLBDopWvBu9lHahBgpHc7
y7rTo0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNV
HQ4EFgQU9AVtwipW5HDBLfZRH1KZCnIKCfowCgYIKoZIzj0EAwIDSQAwRgIhAMHj
AipNdhQKIYPvMt/h1uW4xP3NTkitnmshM09+rIasAiEAlSalGddXDkqJBHhPD+Fr
gpuVkfVkA8gQCXNs5F9TnxA=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBjTCCATKgAwIBAgIRAMVH2+JHZ3wm2fLUlKjTYDswCgYIKoZIzj0EAwIwJDEM
MAoGA1UEChMDS29wMRQwEgYDVQQDEwtLb3AgUm9vdCBDQTAeFw0yMzEyMDgxNDUx
MTZaFw0zMzEyMDUxNDUxMTZaMCQxDDAKBgNVBAoTA0tvcDEUMBIGA1UEAxMLS29w
IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATdZBOkNynShXipzhuX
f6dUByD3chNupNWsagYC5AlPRJT9fAeHEIK/bxWkFwRtLBDopWvBu9lHahBgpHc7
y7rTo0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNV
HQ4EFgQU9AVtwipW5HDBLfZRH1KZCnIKCfowCgYIKoZIzj0EAwIDSQAwRgIhAMHj
AipNdhQKIYPvMt/h1uW4xP3NTkitnmshM09+rIasAiEAlSalGddXDkqJBHhPD+Fr
gpuVkfVkA8gQCXNs5F9TnxA=
-----END CERTIFICATE-----
'';
intermediate_ca =
''
-----BEGIN CERTIFICATE-----
MIIBtDCCAVqgAwIBAgIQbEVEV7LgtjVWO+qBrrmgETAKBggqhkjOPQQDAjAkMQww
CgYDVQQKEwNLb3AxFDASBgNVBAMTC0tvcCBSb290IENBMB4XDTIzMTIwODE0NTEx
N1oXDTMzMTIwNTE0NTExN1owLDEMMAoGA1UEChMDS29wMRwwGgYDVQQDExNLb3Ag
SW50ZXJtZWRpYXRlIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmv7jg7Cs
4L5v52+3yUmn79hZFS2vmm/5wwcUCL63dokEXQsHgbEjaRKsF/MW0yJDLTB6Sdhl
pCvoNJqITWuEN6NmMGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8C
AQAwHQYDVR0OBBYEFDgVolMCmdrhDIXhuIs4q/KwRKNLMB8GA1UdIwQYMBaAFPQF
bcIqVuRwwS32UR9SmQpyCgn6MAoGCCqGSM49BAMCA0gAMEUCIQCQa01E+UvAJ8KR
DFfDducZUpW4tZRN35lqoge7T9nM2QIgK4FFt1NqDqcjOSabAXPOQ68bvdxlHW0y
AgN9qNc3Jbo=
-----END CERTIFICATE-----
'';
-----BEGIN CERTIFICATE-----
MIIBtDCCAVqgAwIBAgIQbEVEV7LgtjVWO+qBrrmgETAKBggqhkjOPQQDAjAkMQww
CgYDVQQKEwNLb3AxFDASBgNVBAMTC0tvcCBSb290IENBMB4XDTIzMTIwODE0NTEx
N1oXDTMzMTIwNTE0NTExN1owLDEMMAoGA1UEChMDS29wMRwwGgYDVQQDExNLb3Ag
SW50ZXJtZWRpYXRlIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmv7jg7Cs
4L5v52+3yUmn79hZFS2vmm/5wwcUCL63dokEXQsHgbEjaRKsF/MW0yJDLTB6Sdhl
pCvoNJqITWuEN6NmMGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8C
AQAwHQYDVR0OBBYEFDgVolMCmdrhDIXhuIs4q/KwRKNLMB8GA1UdIwQYMBaAFPQF
bcIqVuRwwS32UR9SmQpyCgn6MAoGCCqGSM49BAMCA0gAMEUCIQCQa01E+UvAJ8KR
DFfDducZUpW4tZRN35lqoge7T9nM2QIgK4FFt1NqDqcjOSabAXPOQ68bvdxlHW0y
AgN9qNc3Jbo=
-----END CERTIFICATE-----
'';
in
{
@@ -82,9 +82,9 @@ in
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
];
minVersion = 1.2;
maxVersion = 1.3;
renegotiation = false;
minVersion = 1.2;
maxVersion = 1.3;
renegotiation = false;
};
};
};

16
modules/services/synapse.nix
View File

@@ -9,7 +9,8 @@ let
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in {
in
{
networking.domain = "kopatz.ddns.net";
networking.firewall.allowedTCPPorts = [ 80 443 ];
@@ -59,9 +60,9 @@ in {
};
age.secrets.matrix-registration = {
file = ../../secrets/matrix-registration.age;
owner = "matrix-synapse";
group = "matrix-synapse";
file = ../../secrets/matrix-registration.age;
owner = "matrix-synapse";
group = "matrix-synapse";
};
services.matrix-synapse = {
@@ -77,15 +78,16 @@ in {
config.age.secrets.matrix-registration.path
];
settings.listeners = [
{ port = 8008;
{
port = 8008;
bind_addresses = [ "::1" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [ {
resources = [{
names = [ "client" "federation" ];
compress = true;
} ];
}];
}
];
};

4
modules/services/wireguard-client.nix
View File

@@ -6,7 +6,7 @@
};
systemd.network.networks.wg0 = {
dns = [ "192.168.2.1"];
dns = [ "192.168.2.1" ];
};
networking.wg-quick.interfaces = {
wg0 = {
@@ -15,7 +15,7 @@
privateKeyFile = config.age.secrets.wireguard-client.path;
listenPort = 51820;
dns = [ "192.168.2.1" ];
address = ["192.168.2.22/24"];
address = [ "192.168.2.22/24" ];
peers = [
{
#allowedIPs = [ "192.168.2.0/24" "192.168.0.0/24" ];

207
modules/services/wireguard.nix
View File

@@ -5,109 +5,110 @@ let
in
{
options.custom.services.wireguard = {
enable = mkEnableOption "Enables wireguard";
ip = lib.mkOption {
default = "192.168.2.1";
type = types.str;
description = "ipv4 address";
};
};
config =
let
wireguardIp = cfg.ip;
in lib.mkIf cfg.enable {
age.secrets.wireguard-private = {
file = ../../secrets/wireguard-private.age;
};
networking.nat.enable = true;
networking.nat.externalInterface = "eth0";
networking.nat.internalInterfaces = [ "wg0" ];
networking.firewall.allowedUDPPorts = [ 51820 ];
networking.wg-quick.interfaces = {
wg0 = {
autostart = true;
listenPort = 51820;
address = [
"${wireguardIp}/24"
];
peers = [
{
allowedIPs = [
"192.168.2.2/32"
];
publicKey = "YgecbWSNRqOmylYqxr/V21LL3UpKEr5x42lXPAxriSc=";
}
{
allowedIPs = [
"192.168.2.3/32"
];
publicKey = "Eg5ZS3zN05mJ/gct6wJlwVAHTlXpkhxFfUd7yscANV0=";
}
# detschn pc
{
allowedIPs = [
"192.168.2.4/32"
];
publicKey = "8Eigfs+k2k2WPaMn+SqDmlSHdMv+I+xcBr/2qhtpGzI=";
}
# detschn laptop
{
allowedIPs = [
"192.168.2.5/32"
];
publicKey = "g5uTlA1IciXgtSbECjhVis0dajRAc53Oa7Hz6dUI+0Q=";
}
{
allowedIPs = [
"192.168.2.6/32"
];
publicKey = "5ClF2HcqndpXS7nVgDn2unWFUYcKo5fbudV6xX2OIVE=";
}
# handy
{
allowedIPs = [
"192.168.2.20/32"
];
publicKey = "25u1RSfjsx3wb1DMeTm0pvUfUkG7zTjGaN+m0w6ZjCw=";
}
{
allowedIPs = [
"192.168.2.21/32"
];
publicKey = "S+8F+yxSQvjjoU44LRYqRv1YulqmOKumUtYo/YIh7X8=";
}
# laptop
{
allowedIPs = [
"192.168.2.22/32"
];
publicKey = "/dIW7K49vB9HOghFeXvcY7wu2utQltuv6RfgCbxZwlk=";
}
{
allowedIPs = [
"192.168.2.23/32"
];
publicKey = "89rjQXNcyCRUCihqfqcOnctWmhiNR8snpRFF6dyHAmk=";
}
{
allowedIPs = [
"192.168.2.24/32"
];
publicKey = "adaWtboVz3UhpNBKFirs7slbU2+Y3GaV5yS2EoafwVU=";
}
# raphi
{
allowedIPs = [
"192.168.2.25/32"
];
publicKey = "AGBWzMeSTxmB3jwNdROYHbyiqhhAVyofMV5Ku5JIE1A=";
}
];
privateKeyFile = config.age.secrets.wireguard-private.path;
enable = mkEnableOption "Enables wireguard";
ip = lib.mkOption {
default = "192.168.2.1";
type = types.str;
description = "ipv4 address";
};
};
};
config =
let
wireguardIp = cfg.ip;
in
lib.mkIf cfg.enable {
age.secrets.wireguard-private = {
file = ../../secrets/wireguard-private.age;
};
networking.nat.enable = true;
networking.nat.externalInterface = "eth0";
networking.nat.internalInterfaces = [ "wg0" ];
networking.firewall.allowedUDPPorts = [ 51820 ];
networking.wg-quick.interfaces = {
wg0 = {
autostart = true;
listenPort = 51820;
address = [
"${wireguardIp}/24"
];
peers = [
{
allowedIPs = [
"192.168.2.2/32"
];
publicKey = "YgecbWSNRqOmylYqxr/V21LL3UpKEr5x42lXPAxriSc=";
}
{
allowedIPs = [
"192.168.2.3/32"
];
publicKey = "Eg5ZS3zN05mJ/gct6wJlwVAHTlXpkhxFfUd7yscANV0=";
}
# detschn pc
{
allowedIPs = [
"192.168.2.4/32"
];
publicKey = "8Eigfs+k2k2WPaMn+SqDmlSHdMv+I+xcBr/2qhtpGzI=";
}
# detschn laptop
{
allowedIPs = [
"192.168.2.5/32"
];
publicKey = "g5uTlA1IciXgtSbECjhVis0dajRAc53Oa7Hz6dUI+0Q=";
}
{
allowedIPs = [
"192.168.2.6/32"
];
publicKey = "5ClF2HcqndpXS7nVgDn2unWFUYcKo5fbudV6xX2OIVE=";
}
# handy
{
allowedIPs = [
"192.168.2.20/32"
];
publicKey = "25u1RSfjsx3wb1DMeTm0pvUfUkG7zTjGaN+m0w6ZjCw=";
}
{
allowedIPs = [
"192.168.2.21/32"
];
publicKey = "S+8F+yxSQvjjoU44LRYqRv1YulqmOKumUtYo/YIh7X8=";
}
# laptop
{
allowedIPs = [
"192.168.2.22/32"
];
publicKey = "/dIW7K49vB9HOghFeXvcY7wu2utQltuv6RfgCbxZwlk=";
}
{
allowedIPs = [
"192.168.2.23/32"
];
publicKey = "89rjQXNcyCRUCihqfqcOnctWmhiNR8snpRFF6dyHAmk=";
}
{
allowedIPs = [
"192.168.2.24/32"
];
publicKey = "adaWtboVz3UhpNBKFirs7slbU2+Y3GaV5yS2EoafwVU=";
}
# raphi
{
allowedIPs = [
"192.168.2.25/32"
];
publicKey = "AGBWzMeSTxmB3jwNdROYHbyiqhhAVyofMV5Ku5JIE1A=";
}
];
privateKeyFile = config.age.secrets.wireguard-private.path;
};
};
};
}