kopatz/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'master' of github.com:Kropatz/dotfiles

Browse Source
This commit is contained in:
Kopatz
2023-11-15 13:35:28 +01:00
parent ab112ebe7e 743ed91af9
commit f37d03337f
16 changed files with 241 additions and 106 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
modules/adguard.nix
View File

@@ -1,4 +1,8 @@
{
{ config, pkgs, inputs, vars, ... }:
let
ip = vars.ipv4;
in
{
networking.firewall.allowedTCPPorts = [ 53 ];
networking.firewall.allowedUDPPorts = [ 53 ];
@@ -12,7 +16,7 @@
}
];
dns = {
bind_hosts = [ "127.0.0.1" "192.168.0.6" ]; # "192.168.2.1" ];
bind_hosts = [ "127.0.0.1" "${ip}" ]; # "192.168.2.1" ];
port = 53;
protection_enabled = true;
filtering_enabled = true;
@@ -26,33 +30,33 @@
rewrites = [
{
"domain" = "kopatz.ddns.net";
"answer" = "192.168.0.6";
"answer" = ip;
}
{
"domain" = "server.home";
"answer" = "192.168.0.6";
"answer" = ip;
}
{
"domain" = "server.local";
"answer" = "192.168.0.6";
"answer" = ip;
}
{
{
"domain" = "adguard.local";
"answer" = "192.168.0.6";
"answer" = ip;
}
{
"domain" = "nextcloud.local";
"answer" = ip;
}
{
"domain" = "turnserver.local";
"answer" = "192.168.2.1";
}
{
"domain" = "nextcloud.local";
"answer" = "192.168.0.6";
}
{
"domain" = "turnserver.local";
"answer" = "192.168.2.1";
}
{
"domain" = "inverter.local";
"answer" = "192.168.0.9";
}
];
];
};
querylog = {
enabled = false;

34
modules/backup.nix
View File

@@ -27,6 +27,7 @@
"/mnt/250ssd/matrix-synapse/media_store/"
"/mnt/250ssd/nextcloud"
"/mnt/250ssd/paperless"
"/mnt/250ssd/kavita"
];
pruneOpts = [ "--keep-daily 7" "--keep-weekly 10" "--keep-monthly 12" "--keep-yearly 75" ];
repository = "/mnt/2tb/restic";
@@ -36,12 +37,13 @@
passwordFile = config.age.secrets.restic-pw.path;
paths = [
"/home"
"/var/backup/postgresql"
"/mnt/250ssd/matrix-synapse/media_store/"
"/mnt/250ssd/nextcloud"
"/mnt/250ssd/paperless"
"/var/backup/postgresql"
"/mnt/250ssd/matrix-synapse/media_store/"
"/mnt/250ssd/nextcloud"
"/mnt/250ssd/paperless"
"/mnt/250ssd/kavita"
];
exclude = [
exclude = [
"/home/**/Cache"
"/home/**/.cache"
"/home/**/__pycache__"
@@ -60,12 +62,12 @@
passwordFile = config.age.secrets.restic-pw.path;
paths = [
"/home"
"/var/backup/postgresql"
"/mnt/250ssd/matrix-synapse/media_store/"
"/mnt/250ssd/nextcloud"
"/mnt/250ssd/paperless"
"/var/backup/postgresql"
"/mnt/250ssd/matrix-synapse/media_store/"
"/mnt/250ssd/nextcloud"
"/mnt/250ssd/paperless"
];
exclude = [
exclude = [
"/home/**/Cache"
"/home/**/.cache"
"/home/**/__pycache__"
@@ -81,7 +83,7 @@
};
};
remotebackup = {
exclude = [
exclude = [
"/home/**/Cache"
"/home/**/.cache"
"/home/**/__pycache__"
@@ -90,17 +92,17 @@
];
initialize = true;
passwordFile = config.age.secrets.restic-pw.path;
environmentFile = config.age.secrets.restic-s3.path;
environmentFile = config.age.secrets.restic-s3.path;
paths = [
"/home"
];
pruneOpts = [ "--keep-daily 5" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
timerConfig = {
OnCalendar = "*-*-03,06,09,12,15,18,21,24,27,30 00:00:00";
Persistent = true;
};
OnCalendar = "*-*-03,06,09,12,15,18,21,24,27,30 00:00:00";
Persistent = true;
};
repository = "s3:s3.us-west-002.backblazeb2.com/kop-bucket";
};
};
};
};
}

31
modules/kavita.nix Normal file
View File

@@ -0,0 +1,31 @@
{ config, pkgs, lib, inputs, ... }:
{
networking.firewall.allowedTCPPorts = [ 5000 ];
age.secrets.kavita = {
file = ../secrets/kavita.age;
owner = "kavita";
group = "kavita";
};
services.kavita = {
enable = true;
user = "kavita";
port = 5000;
dataDir = "/mnt/250ssd/kavita";
tokenKeyFile = config.age.secrets.kavita.path;
};
#todo: base url needs new kavita version
systemd.services.kavita = {
preStart = ''
umask u=rwx,g=rx,o=
cat > "/mnt/250ssd/kavita/config/appsettings.json" <<EOF
{
"TokenKey": "$(cat ${config.age.secrets.kavita.path})",
"Port": 5000,
"BaseUrl" : "/books",
"IpAddresses": "${lib.concatStringsSep "," ["0.0.0.0" "::"]}"
}
EOF
'';
};
}

59
modules/netdata.nix Normal file
View File

@@ -0,0 +1,59 @@
{ vars, ... }:
let
ip = vars.ipv4;
wireguardIp = vars.wireguardIp;
in
{
networking.firewall.allowedTCPPorts = [ 19999 ];
services.netdata = {
enable = true;
configText = ''
[global]
update every = 2
[web]
default port = 19999
bind to = ${ip} ${wireguardIp}
allow connections from = localhost 192.168.0.* 192.168.2.*
[db]
# number of tiers used (1 to 5, 3 being default)
storage tiers = 3
# Tier 0, per second data
dbengine multihost disk space MB = 256
# Tier 1, per minute data
dbengine tier 1 multihost disk space MB = 128
dbengine tier 1 update every iterations = 60
# Tier 2, per hour data
dbengine tier 2 multihost disk space MB = 64
dbengine tier 2 update every iterations = 60
[logs]
error = syslog
[plugins]
timex = no
idlejitter = no
# netdata monitoring = yes
tc = no
# diskspace = yes
# proc = yes
# cgroups = yes
statsd = no
#enable running new plugins = yes
#check for new plugins every = 60
slabinfo = no
nfacct = no
charts.d = no
python.d = no
go.d = no
ioping = no
perf = no
freeipmi = no
apps = yes
'';
};
}

38
modules/nextcloud.nix
View File

@@ -1,4 +1,7 @@
{ config, pkgs, lib, inputs, ... }:
{ config, pkgs, lib, inputs, vars, ... }:
let
wireguardIp = vars.wireguardIp;
in
{
age.secrets.nextcloud-cert = {
file = ../secrets/nextcloud-cert.age;
@@ -26,15 +29,15 @@
# Setup Nextcloud virtual host to listen on ports
virtualHosts = {
"nextcloud.local" = {
serverAliases = [ "192.168.2.1" ];
serverAliases = [ wireguardIp ];
## Force HTTP redirect to HTTPS
forceSSL = true;
locations."~ ^\\/(?:index|remote|public|cron|core\\/ajax\\/update|status|ocs\\/v[12]|updater\\/.+|oc[s]-provider\\/.+|.+\\/richdocumentscode\\/proxy)\\.php(?:$|\\/)".extraConfig = ''
client_max_body_size 5G;
'';
#sslTrustedCertificate = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
sslCertificate = config.age.secrets.nextcloud-cert.path;
sslCertificateKey = config.age.secrets.nextcloud-key.path;
locations."~ ^\\/(?:index|remote|public|cron|core\\/ajax\\/update|status|ocs\\/v[12]|updater\\/.+|oc[s]-provider\\/.+|.+\\/richdocumentscode\\/proxy)\\.php(?:$|\\/)".extraConfig = ''
client_max_body_size 5G;
'';
#sslTrustedCertificate = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
sslCertificate = config.age.secrets.nextcloud-cert.path;
sslCertificateKey = config.age.secrets.nextcloud-key.path;
## LetsEncrypt
#enableACME = true;
};
@@ -49,26 +52,25 @@
services.nextcloud = {
enable = true;
package = pkgs.nextcloud27;
https = true;
https = true;
hostName = "nextcloud.local";
config.adminpassFile = config.age.secrets.nextcloud-admin.path;
config.dbtype = "pgsql";
database.createLocally = true;
config.extraTrustedDomains = [ "192.168.2.1" ];
config.dbtype = "pgsql";
database.createLocally = true;
config.extraTrustedDomains = [ wireguardIp ];
home = "/mnt/250ssd/nextcloud";
extraApps = with config.services.nextcloud.package.packages.apps; {
inherit keeweb onlyoffice calendar mail;
inherit keeweb onlyoffice calendar mail;
spreed = pkgs.fetchNextcloudApp rec {
url = "https://github.com/nextcloud-releases/spreed/releases/download/v17.1.1/spreed-v17.1.1.tar.gz";
sha256 = "sha256-LaUG0maatc2YtWQjff7J54vadQ2RE4X6FcW8vFefBh8=";
};
};
phpOptions = {
upload_max_filesize = "5G";
post_max_size = "5G";
};
phpOptions = {
upload_max_filesize = "5G";
post_max_size = "5G";
};
extraAppsEnable = true;
extraOptions.enabledPreviewProviders = [
"OC\\Preview\\BMP"

3
modules/nginx.nix
View File

@@ -52,6 +52,9 @@
'';
proxyPass = "http://127.0.0.1:8080";
};
#locations."~/books(.*)$" = {
# proxyPass = "http://127.0.0.1:5000";
#};
};
"adguard.local" = {
locations."/".proxyPass = "http://127.0.0.1:3000";

8
modules/paperless.nix
View File

@@ -1,4 +1,8 @@
{ config, pkgs, lib, inputs, ... }:
{ config, pkgs, lib, inputs, vars, ... }:
let
ip = vars.ipv4;
wireguardIp = vars.wireguardIp;
in
{
networking.firewall.allowedTCPPorts = [ 28981 ];
age.secrets.paperless = {
@@ -10,7 +14,7 @@
enable = true;
port = 28981;
passwordFile = config.age.secrets.paperless.path;
address = "192.168.2.1";
address = wireguardIp;
mediaDir = "/mnt/250ssd/paperless";
};
}

23
modules/static-ip-server.nix
View File

@@ -1,23 +0,0 @@
{
networking = {
defaultGateway = "192.168.0.1";
useDHCP = false;
firewall = {
enable = true;
allowedUDPPorts = [ 5000 ];
};
nameservers = [
"127.0.0.1"
"1.1.1.1"
];
interfaces = {
"enp0s31f6" = {
name = "eth0";
ipv4.addresses = [{
address = "192.168.0.6";
prefixLength = 24;
}];
};
};
};
}

46
modules/wireguard.nix
View File

@@ -1,4 +1,7 @@
{ config, pkgs, lib, inputs, ... }:
{ config, pkgs, lib, inputs, vars, ... }:
let
wireguardIp = vars.wireguardIp;
in
{
age.secrets.wireguard-private = {
@@ -15,72 +18,79 @@
autostart = true;
listenPort = 51820;
address = [
"192.168.2.1/24"
"${wireguardIp}/24"
];
peers = [
{
allowedIPs = [
"192.168.2.2/32"
];
persistentKeepalive = 25;
persistentKeepalive = 25;
publicKey = "dUBPIEnAiHIZCMjqV0ya8qotN3UnMhlEVyGNQcR3gVI=";
}
{
allowedIPs = [
"192.168.2.3/32"
];
persistentKeepalive = 25;
persistentKeepalive = 25;
publicKey = "Eg5ZS3zN05mJ/gct6wJlwVAHTlXpkhxFfUd7yscANV0=";
}
{
{
allowedIPs = [
"192.168.2.4/32"
];
persistentKeepalive = 25;
persistentKeepalive = 25;
publicKey = "8Eigfs+k2k2WPaMn+SqDmlSHdMv+I+xcBr/2qhtpGzI=";
}
{
{
allowedIPs = [
"192.168.2.20/32"
];
persistentKeepalive = 25;
persistentKeepalive = 25;
publicKey = "25u1RSfjsx3wb1DMeTm0pvUfUkG7zTjGaN+m0w6ZjCw=";
}
{
{
allowedIPs = [
"192.168.2.21/32"
];
persistentKeepalive = 25;
persistentKeepalive = 25;
publicKey = "S+8F+yxSQvjjoU44LRYqRv1YulqmOKumUtYo/YIh7X8=";
}
{
{
allowedIPs = [
"192.168.2.22/32"
];
persistentKeepalive = 25;
persistentKeepalive = 25;
publicKey = "/dIW7K49vB9HOghFeXvcY7wu2utQltuv6RfgCbxZwlk=";
}
{
{
allowedIPs = [
"192.168.2.23/32"
];
persistentKeepalive = 25;
persistentKeepalive = 25;
publicKey = "89rjQXNcyCRUCihqfqcOnctWmhiNR8snpRFF6dyHAmk=";
}
{
{
allowedIPs = [
"192.168.2.24/32"
];
persistentKeepalive = 25;
persistentKeepalive = 25;
publicKey = "adaWtboVz3UhpNBKFirs7slbU2+Y3GaV5yS2EoafwVU=";
}
{
{
allowedIPs = [
"192.168.2.5/32"
];
persistentKeepalive = 25;
persistentKeepalive = 25;
publicKey = "g5uTlA1IciXgtSbECjhVis0dajRAc53Oa7Hz6dUI+0Q=";
}
{
allowedIPs = [
"192.168.2.6/32"
];
persistentKeepalive = 25;
publicKey = "5ClF2HcqndpXS7nVgDn2unWFUYcKo5fbudV6xX2OIVE=";
}
];
privateKeyFile = config.age.secrets.wireguard-private.path;
};