improvements

This commit is contained in:
Lukas Wurzinger 2024-02-14 23:06:49 +01:00
parent 3ab713a5b3
commit 4bc84394c4
23 changed files with 289 additions and 74 deletions


@ -1,3 +0,0 @@
{pkgs, ...}: {
environment.systemPackages = [pkgs.vscodium-fhs];
}


@ -1,6 +1,5 @@
{
imports = [
./codium.nix
./compatibility.nix
./docker.nix
./fish.nix
@ -17,5 +16,6 @@
./plasma.nix
./printing.nix
./syncthing.nix
./vscode.nix
];
}


@ -1,5 +1,8 @@
{
{pkgs, ...}: {
environment.persistence."/persist".directories = ["/etc/mullvad-vpn"];
services.mullvad-vpn.enable = true;
services.mullvad-vpn = {
enable = true;
package = pkgs.mullvad-vpn;
};
}


@ -2,7 +2,6 @@
environment.persistence."/persist".directories = ["/etc/NetworkManager"];
services.resolved.enable = true;
services.opensnitch.enable = true;
networking = {
networkmanager = {
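Review bot: `services.opensnitch.enable = true;` switches on the application firewall without pinning a default action or any rules in this hunk, so what happens to connections nobody has answered a prompt for depends on the shipped defaults (upstream's default config allows by default, as far as I recall — confirm), and without the UI package installed there is nothing to prompt at all. If deny-by-default is the intent, pin it explicitly with `services.opensnitch.settings.DefaultAction = "deny";` and add `pkgs.opensnitch-ui` to the desktop packages so the decision is visible. The enclosing attribute set continues outside the hunk.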

3
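--- /dev/null
+++ b/class/desktop/vscode.nix
@@ -0,0 +1,3 @@
+{pkgs, ...}: {
+environment.systemPackages = [pkgs.vscode-fhs];
+}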


@ -3,30 +3,32 @@
pkgs,
...
}: {
programs.direnv.enable = true;
programs.command-not-found.enable = false;
programs = {
direnv.enable = true;
command-not-found.enable = false;
programs.bash = {
promptInit = ''
if [[ -v SSH_CLIENT && -v SSH_CONNECTION && -v SSH_TTY ]]; then
PS1='\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
PS1='\[\033[01;34m\]\w\[\033[00m\]\$ '
fi
'';
interactiveShellInit = ''
shopt -s histappend
HISTCONTROL='ignoredups:ignorespace'
HISTSIZE=1000
HISTFILESIZE=10000
bash = {
promptInit = ''
if [[ -v SSH_CLIENT && -v SSH_CONNECTION && -v SSH_TTY ]]; then
PS1='\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
PS1='\[\033[01;34m\]\w\[\033[00m\]\$ '
fi
'';
interactiveShellInit = ''
shopt -s histappend
HISTCONTROL='ignoredups:ignorespace'
HISTSIZE=1000
HISTFILESIZE=10000
shopt -s globstar
shopt -s nullglob
shopt -s extglob
shopt -s globstar
shopt -s nullglob
shopt -s extglob
shopt -s checkwinsize
shopt -s checkwinsize
eval "$(${lib.getExe pkgs.direnv} hook bash)"
'';
eval "$(${lib.getExe pkgs.direnv} hook bash)"
'';
};
};
}


@ -6,6 +6,8 @@
./dbus.nix
./fs.nix
./fwupd.nix
./git.nix
./helix.nix
./nix.nix
./opengl.nix
./openssh.nix

6
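--- /dev/null
+++ b/common/git.nix
@@ -0,0 +1,6 @@
+{
+programs.git = {
+enable = true;
+lfs.enable = true;
+};
+}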

15
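--- /dev/null
+++ b/common/helix.nix
@@ -0,0 +1,15 @@
+{
+lib,
+pkgs,
+...
+}: let
+package = pkgs.helix;
+in {
+environment = {
+systemPackages = [package];
+variables = {
+EDITOR = lib.getExe package;
+VISUAL = lib.getExe package;
+};
+};
+}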


@ -8,11 +8,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1703433843,
"narHash": "sha256-nmtA4KqFboWxxoOAA6Y1okHbZh+HsXaMPFkYHsoDRDw=",
"lastModified": 1707830867,
"narHash": "sha256-PAdwm5QqdlwIqGrfzzvzZubM+FXtilekQ/FA0cI49/o=",
"owner": "ryantm",
"repo": "agenix",
"rev": "417caa847f9383e111d1397039c9d4337d024bf0",
"rev": "8cb01a0e717311680e0cbca06a76cbceba6f3ed6",
"type": "github"
},
"original": {
@ -77,11 +77,11 @@
},
"hardware": {
"locked": {
"lastModified": 1706834982,
"narHash": "sha256-3CfxA7gZ+DVv/N9Pvw61bV5Oe/mWfxYPyVQGqp9TMJA=",
"lastModified": 1707842204,
"narHash": "sha256-M+HAq1qWQBi/gywaMZwX0odU+Qb/XeqVeANGKRBDOwU=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "83e571bb291161682b9c3ccd48318f115143a550",
"rev": "f1b2f71c86a5b1941d20608db0b1e88a07d31303",
"type": "github"
},
"original": {
@ -212,11 +212,11 @@
},
"nixpkgs_3": {
"locked": {
"lastModified": 1706732774,
"narHash": "sha256-hqJlyJk4MRpcItGYMF+3uHe8HvxNETWvlGtLuVpqLU0=",
"lastModified": 1707689078,
"narHash": "sha256-UUGmRa84ZJHpGZ1WZEBEUOzaPOWG8LZ0yPg1pdDF/yM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b8b232ae7b8b144397fdb12d20f592e5e7c1a64d",
"rev": "f9d39fb9aff0efee4a3d5f4a6d7c17701d38a1d8",
"type": "github"
},
"original": {

78
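--- /dev/null
+++ b/hosts/abacus/conduit.nix
@@ -0,0 +1,78 @@
+{
+config,
+pkgs,
+...
+}: let
+inherit (config.networking) domain;
+subdomain = "matrix";
+jsonFormat = pkgs.formats.json {};
+wellKnownServer = jsonFormat.generate "well-known-matrix-server" {
+"m.server" = "${subdomain}.${domain}:443";
+};
+wellKnownClient = jsonFormat.generate "well-known-matrix-client" {
+"m.homeserver".base_url = "https://${subdomain}.${domain}";
+};
+in {
+services.matrix-conduit = {
+enable = true;
+settings.global = {
+server_name = domain;
+address = "127.0.0.1";
+port = 8010;
+database_backend = "rocksdb";
+allow_registration = false;
+};
+};
+systemd.services.conduit.serviceConfig.LimitNOFILE = 8192;
+services.nginx.virtualHosts = {
+${domain}.locations = {
+"=/.well-known/matrix/server" = {
+alias = wellKnownServer;
+extraConfig = ''
+default_type application/json;
+add_header Access-Control-Allow-Origin "*";
+'';
+};
+"=/.well-known/matrix/client" = {
+alias = wellKnownClient;
+extraConfig = ''
+default_type application/json;
+add_header Access-Control-Allow-Origin "*";
+'';
+};
+};
+"${subdomain}.${domain}" = {
+enableACME = true;
+forceSSL = true;
+quic = true;
+locations = {
+"/".return = "404";
+"/_matrix/" = {
+proxyPass = "http://${config.services.matrix-conduit.settings.global.address}:${toString config.services.matrix-conduit.settings.global.port}$request_uri";
+proxyWebsockets = true;
+extraConfig = ''
+proxy_set_header Host $host;
+proxy_buffering off;
+'';
+};
+};
+extraConfig = ''
+merge_slashes off;
+'';
+};
+};
+}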
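Review bot: The two `.well-known/matrix/*` locations each set their own `add_header Access-Control-Allow-Origin "*"`, and nginx's `add_header` is not additive across levels: a location that declares any `add_header` stops inheriting every header set at the server or http level, so headers configured higher up for the `${domain}` host will be missing on exactly these two responses. The wildcard origin itself is what Matrix client discovery requires, so keep it, but re-declare any server-level headers inside these `extraConfig` blocks (or in a shared snippet) rather than assuming they carry over. Separately, media uploads through `/_matrix/` are capped by nginx's body limit before conduit's own limit applies; if larger uploads are intended, set `services.nginx.clientMaxBodySize` (or a `client_max_body_size` line in this host's `extraConfig`) to the intended size. `allow_registration = false` and the loopback bind are the right baseline for a federated server.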


@ -2,12 +2,13 @@
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
./conduit.nix
./forgejo.nix
./mailserver.nix
./navidrome.nix
./nextcloud.nix
./nginx.nix
./static.nix
./vaultwarden.nix
# TODO: dendrite/conduit, gitea/forgejo
];
nixpkgs.hostPlatform = "aarch64-linux";

38
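--- /dev/null
+++ b/hosts/abacus/forgejo.nix
@@ -0,0 +1,38 @@
+{config, ...}: let
+virtualHostName = "tea.${config.networking.domain}";
+in {
+services.forgejo = {
+enable = true;
+database.type = "postgres";
+lfs.enable = true;
+settings = {
+session = {
+COOKIE_SECURE = true;
+PROVIDER = "db";
+};
+service = {
+DISABLE_REGISTRATION = true;
+};
+server = {
+PROTOCOL = "http";
+HTTP_ADDR = "127.0.0.1";
+HTTP_PORT = 8020;
+DOMAIN = virtualHostName;
+ROOT_URL = "https://${virtualHostName}/";
+};
+};
+};
+services.nginx.virtualHosts.${virtualHostName} = {
+enableACME = true;
+forceSSL = true;
+quic = true;
+locations."/".proxyPass = "http://${config.services.forgejo.settings.server.HTTP_ADDR}:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}";
+};
+}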
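Review bot: The `proxyPass` line spells the port conversion as `builtins.toString` while the equivalent line in conduit.nix in this same commit uses the unqualified `toString`; pick one spelling across the host's modules (`toString` is in scope without the `builtins.` prefix). With `lfs.enable = true`, LFS pushes also travel through this `/` location, where nginx's request-body limit (the module's default is small, as far as I know) will reject larger objects before Forgejo ever sees them, so set `client_max_body_size` in this host's `extraConfig` or `services.nginx.clientMaxBodySize` globally to match the intended LFS object size. `COOKIE_SECURE`, `DISABLE_REGISTRATION` and the loopback bind behind `forceSSL` are the right defaults for a proxied instance.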


@ -1,6 +1,16 @@
{config, ...}: let
inherit (config.networking) domain;
inherit (config.networking) fqdn;
{
config,
pkgs,
...
}: let
inherit (config.networking) domain fqdn;
wellKnownMtaSts = pkgs.writeText "" ''
version: STSv1
mode: enforce
mx: ${fqdn}
max_age: 86400
'';
in {
age.secrets.mail-lukas.file = ../../secrets/mail-lukas.age;
@ -19,7 +29,7 @@ in {
loginAccounts = {
"lukas@${domain}" = {
hashedPasswordFile = config.age.secrets.mail-lukas.path;
aliases = ["postmaster@${domain}"];
aliases = ["postmaster@${domain}" "vault@${domain}"];
};
};
@ -30,9 +40,20 @@ in {
services.dovecot2.sieve.extensions = ["fileinto"];
services.nginx.virtualHosts."mta-sts.${domain}" = {
locations."= /.well-known/mta-sts.txt".return = ''200 "version: STSv1\nmode: enforce\nmx: ${fqdn}\nmax_age: 86400"'';
enableACME = true;
forceSSL = true;
quic = true;
locations = {
"/".return = "404";
"=/.well-known/mta-sts.txt" = {
alias = wellKnownMtaSts;
extraConfig = ''
default_type text/plain;
'';
};
};
};
}
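Review bot: `pkgs.writeText "" ''…''` at the top of the hunk gives the MTA-STS policy file an empty derivation name, so its store path ends in a bare hash with no readable suffix and, depending on the Nix version, may be rejected as an invalid store path name; name it like the well-known files in conduit.nix, e.g. `wellKnownMtaSts = pkgs.writeText "well-known-mta-sts" ''`. Moving from the inline `return 200` to an aliased file with `default_type text/plain`, and adding ACME/forceSSL on the `mta-sts.` host, is the right shape — the policy is only honoured over HTTPS. Note that the `_mta-sts` TXT record that points senders at this policy is not part of the commit; its `id` has to change whenever this file changes, or senders keep the cached policy until `max_age` (86400 s here) expires. The enclosing `in { … }` set continues outside the hunk.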


@ -0,0 +1,24 @@
{config, ...}: {
services.navidrome = {
enable = true;
settings = {
Address = "127.0.0.1";
Port = 8030;
MusicFolder = "/srv/music";
};
};
services.nginx.virtualHosts."navi.${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
quic = true;
locations."/".proxyPass = "http://${config.services.navidrome.settings.Address}:${builtins.toString config.services.navidrome.settings.Port}";
};
fileSystems.${config.services.navidrome.settings.MusicFolder} = {
device = "/dev/disk/by-label/music";
fsType = "btrfs";
options = ["compress=zstd" "noatime"];
};
}
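Review bot: The `fileSystems` entry for `/dev/disk/by-label/music` has no `nofail`, so if the labelled disk is absent or fails to mount the host stops at the emergency shell instead of booting without the music share; unless taking the whole server down in that case is intended, add `"nofail"` to `options` (and `x-systemd.device-timeout=` with a short value if the wait should be bounded). Navidrome itself is bound to loopback and only reachable through the TLS virtual host, which is fine.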


@ -2,9 +2,7 @@
config,
pkgs,
...
}: let
hostName = "cloud.${config.networking.domain}";
in {
}: {
age.secrets.nextcloud-lukas = {
file = ../../secrets/nextcloud-lukas.age;
owner = "nextcloud";
@ -29,7 +27,7 @@ in {
enable = true;
package = pkgs.nextcloud28;
inherit hostName;
hostName = "cloud.${config.networking.domain}";
https = true;
configureRedis = true;
@ -61,7 +59,7 @@ in {
};
};
services.nginx.virtualHosts.${hostName} = {
services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
enableACME = true;
forceSSL = true;
quic = true;


@ -15,6 +15,36 @@
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedZstdSettings = true;
commonHttpConfig = "access_log syslog:server=unix:/dev/log;";
commonHttpConfig = ''
error_log stderr;
access_log /var/log/nginx/access.log;
'';
virtualHosts = let
inherit (config.networking) domain;
in {
"~.*" = {
default = true;
rejectSSL = true;
globalRedirect = domain;
};
${domain} = {
enableACME = true;
forceSSL = true;
quic = true;
root = "/var/www/${domain}";
};
"log.${domain}" = {
enableACME = true;
forceSSL = true;
quic = true;
root = "/var/www/log.${domain}";
};
};
};
}
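Review bot: `access_log /var/log/nginx/access.log;` replaces the previous syslog sink, so client addresses and request paths now persist on disk as a plain file instead of in the journal; make sure rotation and a deliberate retention period are in place (the NixOS nginx module ships a logrotate stanza for `/var/log/nginx/*.log` as far as I know — confirm it is active on this host). The catch-all `"~.*"` host with `default = true` and `rejectSSL = true` is a good addition: unknown SNI gets a handshake rejection instead of the first certificate, and stray plain-HTTP hosts are redirected to `${domain}`. The `services.nginx` set continues outside the hunk.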


@ -1,20 +0,0 @@
{config, ...}: {
services.nginx = {
virtualHosts = let
inherit (config.networking) domain;
in {
${domain} = {
root = "/var/www/${domain}";
enableACME = true;
forceSSL = true;
quic = true;
};
"log.${domain}" = {
root = "/var/www/log.${domain}";
enableACME = true;
forceSSL = true;
quic = true;
};
};
};
}


@ -1,20 +1,38 @@
{config, ...}: let
inherit (config.networking) domain;
virtualHostName = "vault.${domain}";
in {
services.vaultwarden = {
enable = true;
config = {
DOMAIN = "https://${virtualHostName}";
SIGNUPS_ALLOWED = false;
INVITATIONS_ALLOWED = true;
INVITATION_ORG_NAME = domain;
SMTP_HOST = config.mailserver.fqdn;
SMTP_PORT = 587;
SMTP_SECURITY = "force_tls";
SMTP_TIMEOUT = 15;
SMTP_FROM = "vault@${domain}";
SMTP_FROM_NAME = "Vaultwarden";
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8000;
};
};
services.nginx.virtualHosts."vault.${domain}" = {
locations."/".proxyPass = "http://${config.services.vaultwarden.config.ROCKET_ADDRESS}:${builtins.toString config.services.vaultwarden.config.ROCKET_PORT}";
services.nginx.virtualHosts.${virtualHostName} = {
enableACME = true;
forceSSL = true;
quic = true;
locations."/" = {
proxyPass = "http://${config.services.vaultwarden.config.ROCKET_ADDRESS}:${builtins.toString config.services.vaultwarden.config.ROCKET_PORT}";
proxyWebsockets = true;
};
};
}
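Review bot: `SMTP_SECURITY = "force_tls"` together with `SMTP_PORT = 587` is a mismatch: in Vaultwarden `force_tls` means implicit TLS as used on port 465, while the port-587 submission path expects `starttls`, so as written the connection will most likely fail to negotiate rather than silently downgrade; choose deliberately between `SMTP_PORT = 465;` and `SMTP_SECURITY = "starttls";` and test a send. The commit also adds `secrets/vaultwarden.age`, but nothing in the visible lines wires it in (no `age.secrets.vaultwarden` and no `services.vaultwarden.environmentFile`), and no `SMTP_USERNAME`/`SMTP_PASSWORD` appear here although the mailserver's submission port will require authentication; confirm the `environmentFile` reference lives in a part of the file the hunk does not show. `SIGNUPS_ALLOWED = false` with invitations enabled and Rocket bound to loopback behind `forceSSL` is the right baseline.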


@ -1,5 +1,4 @@
{
pkgs,
inputs,
modulesPath,
...

2
part

@ -92,7 +92,7 @@ while true; do
mainfs=$mainblkdev
break
;;
*) printf '%s\n' 'Please answer with yes or no' 1>&2 ;;
*) printf 'Please answer with yes or no\n' 1>&2 ;;
esac
done


@ -15,5 +15,6 @@ let
in {
"user-lukas.age".publicKeys = (builtins.attrValues users) ++ (builtins.attrValues hosts);
"mail-lukas.age".publicKeys = (builtins.attrValues users) ++ [hosts.abacus];
"vaultwarden.age".publicKeys = (builtins.attrValues users) ++ [hosts.abacus];
"nextcloud-lukas.age".publicKeys = (builtins.attrValues users) ++ [hosts.abacus];
}

BIN
secrets/vaultwarden.age Normal file
