diff --git a/class/desktop/syncthing.nix b/class/desktop/syncthing.nix
index 0ec4025..8b1f0d8 100644
--- a/class/desktop/syncthing.nix
+++ b/class/desktop/syncthing.nix
@@ -1,4 +1,5 @@
 {
+ #what?
 services.syncthing = {
 enable = true;
 overrideDevices = false;
diff --git a/class/desktop/users.nix b/class/desktop/users.nix
index b52535d..5ba1911 100644
--- a/class/desktop/users.nix
+++ b/class/desktop/users.nix
@@ -1,3 +1,5 @@
 {
 users.mutableUsers = true;
+
+ # install neovide/neovim for user?
 }
diff --git a/class/server/default.nix b/class/server/default.nix
index fbf50e8..e10d867 100644
--- a/class/server/default.nix
+++ b/class/server/default.nix
@@ -2,5 +2,6 @@
 imports = [
 ./fs.nix
 ./time.nix
+ ./users.nix
 ];
 }
diff --git a/class/server/fs.nix b/class/server/fs.nix
index 78cbd80..da52d7a 100644
--- a/class/server/fs.nix
+++ b/class/server/fs.nix
@@ -1,3 +1,3 @@
 {
- fileSystems."/".device = "/dev/disk/by-label/main";
+ fileSystems."/".label = "main";
 }
diff --git a/common/fish.nix b/common/fish.nix
index 44effb3..fc9c0ae 100644
--- a/common/fish.nix
+++ b/common/fish.nix
@@ -5,7 +5,7 @@
 nixpkgs.overlays = [
 (final: prev: {
- fish = prev.fish.overrideAttrs (oldAttrs: {
+ fish = prev.fish.overrideAttrs (_: {
 postInstall = ''
 rm $out/share/applications/fish.desktop
 '';
diff --git a/common/fs.nix b/common/fs.nix
index c866aec..f61bcb5 100644
--- a/common/fs.nix
+++ b/common/fs.nix
@@ -7,7 +7,7 @@
 options = ["noatime"];
 };
 "/boot" = {
- device = "/dev/disk/by-label/BOOT";
+ label = "BOOT";
 fsType = "vfat";
 };
 };
diff --git a/flake.lock b/flake.lock
index 2a5c124..04bd83d 100644
--- a/flake.lock
+++ b/flake.lock
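Review bot: The class/server/default.nix hunk adds `./users.nix` to the server imports, but no class/server/users.nix is created anywhere in this diff (the only users.nix touched is class/desktop/users.nix, which merely gains a comment). If that file is not already tracked, every server host fails to evaluate with a missing-path error; either add the file in this commit or confirm it already exists in the tree.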
@@ -8,11 +8,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1722339003, - "narHash": "sha256-ZeS51uJI30ehNkcZ4uKqT4ZDARPyqrHADSKAwv5vVCU=", + "lastModified": 1723293904, + "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", "owner": "ryantm", "repo": "agenix", - "rev": "3f1dae074a12feb7327b4bf43cbac0d124488bb7", + "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", "type": "github" }, "original": { @@ -45,7 +45,6 @@ }, "devshell": { "inputs": { - "flake-utils": "flake-utils", "nixpkgs": [ "myvim", "nixvim", @@ -53,11 +52,11 @@ ] }, "locked": { - "lastModified": 1717408969, - "narHash": "sha256-Q0OEFqe35fZbbRPPRdrjTUUChKVhhWXz3T9ZSKmaoVY=", + "lastModified": 1722113426, + "narHash": "sha256-Yo/3loq572A8Su6aY5GP56knpuKYRvM2a1meP9oJZCw=", "owner": "numtide", "repo": "devshell", - "rev": "1ebbe68d57457c8cae98145410b164b5477761f4", + "rev": "67cce7359e4cd3c45296fb4aaf6a19e2a9c757ae", "type": "github" }, "original": { @@ -103,11 +102,11 @@ "nixpkgs-lib": "nixpkgs-lib_2" }, "locked": { - "lastModified": 1719994518, - "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=", + "lastModified": 1722555600, + "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7", + "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", "type": "github" }, "original": { @@ -125,11 +124,11 @@ ] }, "locked": { - "lastModified": 1719877454, - "narHash": "sha256-g5N1yyOSsPNiOlFfkuI/wcUjmtah+nxdImJqrSATjOU=", + "lastModified": 1722555600, + "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "4e3583423212f9303aa1a6337f8dffb415920e4f", + "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", "type": "github" }, "original": { 
@@ -143,11 +142,11 @@ "systems": "systems_2" }, "locked": { - "lastModified": 1701680307, - "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", "type": "github" }, "original": { @@ -176,11 +175,11 @@ ] }, "locked": { - "lastModified": 1719259945, - "narHash": "sha256-F1h+XIsGKT9TkGO3omxDLEb/9jOOsI6NnzsXFsZhry4=", + "lastModified": 1722857853, + "narHash": "sha256-3Zx53oz/MSIyevuWO/SumxABkrIvojnB7g9cimxkhiE=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "0ff4381bbb8f7a52ca4a851660fc7a437a4c6e07", + "rev": "06939f6b7ec4d4f465bf3132a05367cccbbf64da", "type": "github" }, "original": { @@ -214,11 +213,11 @@ }, "hardware": { "locked": { - "lastModified": 1722332872, - "narHash": "sha256-2xLM4sc5QBfi0U/AANJAW21Bj4ZX479MHPMPkB+eKBU=", + "lastModified": 1723310128, + "narHash": "sha256-IiH8jG6PpR4h9TxSGMYh+2/gQiJW9MwehFvheSb5rPc=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "14c333162ba53c02853add87a0000cbd7aa230c2", + "rev": "c54cf53e022b0b3c1d3b8207aa0f9b194c24f0cf", "type": "github" }, "original": { @@ -257,11 +256,11 @@ ] }, "locked": { - "lastModified": 1719827439, - "narHash": "sha256-tneHOIv1lEavZ0vQ+rgz67LPNCgOZVByYki3OkSshFU=", + "lastModified": 1722630065, + "narHash": "sha256-QfM/9BMRkCmgWzrPDK+KbgJOUlSJnfX4OvsUupEUZvA=", "owner": "nix-community", "repo": "home-manager", - "rev": "59ce796b2563e19821361abbe2067c3bb4143a7d", + "rev": "afc892db74d65042031a093adb6010c4c3378422", "type": "github" }, "original": { 
@@ -277,11 +276,11 @@ "nixvim": "nixvim" }, "locked": { - "lastModified": 1720826561, - "narHash": "sha256-ieLivNcp3gJ0eEgd/Er9130XD3B0LD3Kyt37QitgxGk=", + "lastModified": 1723337900, + "narHash": "sha256-sikwTpsSGRagCWS8wVP731ibDFuwZUj2+nukOjJifKo=", "owner": "lukaswrz", "repo": "myvim", - "rev": "44f386248c02517e26a4e372a307de9a9b31588f", + "rev": "c39a65463856678ee5dfd691e0d6acf1a4106331", "type": "github" }, "original": { @@ -299,11 +298,11 @@ ] }, "locked": { - "lastModified": 1719845423, - "narHash": "sha256-ZLHDmWAsHQQKnmfyhYSHJDlt8Wfjv6SQhl2qek42O7A=", + "lastModified": 1722924007, + "narHash": "sha256-+CQDamNwqO33REJLft8c26NbUi2Td083hq6SvAm2xkU=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "ec12b88104d6c117871fad55e931addac4626756", + "rev": "91010a5613ffd7ee23ee9263213157a1c422b705", "type": "github" }, "original": { @@ -342,14 +341,14 @@ }, "nixpkgs-lib_2": { "locked": { - "lastModified": 1719876945, - "narHash": "sha256-Fm2rDDs86sHy0/1jxTOKB1118Q0O3Uc7EC0iXvXKpbI=", + "lastModified": 1722555339, + "narHash": "sha256-uFf2QeW7eAHlYXuDktm9c25OxOyCoUOQmh5SZ9amE5Q=", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz" }, "original": { "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz" } }, "nixpkgs_2": { @@ -370,11 +369,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1719848872, - "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=", + "lastModified": 1722813957, + "narHash": "sha256-IAoYyYnED7P8zrBFMnmp7ydaJfwTnwcnqxUElC1I26Y=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8", + "rev": "cb9a96f23c491c081b38eab96d22fa958043c9fa", "type": "github" }, "original": { 
@@ -386,11 +385,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1722813957, - "narHash": "sha256-IAoYyYnED7P8zrBFMnmp7ydaJfwTnwcnqxUElC1I26Y=", + "lastModified": 1723362943, + "narHash": "sha256-dFZRVSgmJkyM0bkPpaYRtG/kRMRTorUIDj8BxoOt1T4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "cb9a96f23c491c081b38eab96d22fa958043c9fa", + "rev": "a58bc8ad779655e790115244571758e8de055e3d", "type": "github" }, "original": { @@ -409,14 +408,15 @@ "home-manager": "home-manager_2", "nix-darwin": "nix-darwin", "nixpkgs": "nixpkgs_3", + "nuschtosSearch": "nuschtosSearch", "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1720804407, - "narHash": "sha256-mLVzkOpfOqYPmwjAAHRmeVUoOUmpLpxmfKDObT1FVtc=", + "lastModified": 1723230145, + "narHash": "sha256-FyjcuYZMqXdiKOXkHaIC2ubag+TPV9Z12urC/sdVI6A=", "owner": "nix-community", "repo": "nixvim", - "rev": "89d74cdce173223f57754c6a315c929f8fc14229", + "rev": "4852f94f8ccae551514df0092a077014bafb95ca", "type": "github" }, "original": { @@ -425,6 +425,29 @@ "type": "github" } }, + "nuschtosSearch": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": [ + "myvim", + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1722772237, + "narHash": "sha256-3eCYmzeLngX8eutIsTZAG8DIvT/0DWQQxiszTQz8n0s=", + "owner": "NuschtOS", + "repo": "search", + "rev": "aa5f6246565cc9b1e697d2c9d6ed2c842b17fff6", + "type": "github" + }, + "original": { + "owner": "NuschtOS", + "repo": "search", + "type": "github" + } + }, "root": { "inputs": { "agenix": "agenix", @@ -473,11 +496,11 @@ ] }, "locked": { - "lastModified": 1719887753, - "narHash": "sha256-p0B2r98UtZzRDM5miGRafL4h7TwGRC4DII+XXHDHqek=", + "lastModified": 1722330636, + "narHash": "sha256-uru7JzOa33YlSRwf9sfXpJG+UAV+bnBEYMjrzKrQZFw=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "bdb6355009562d8f9313d9460c0d3860f525bc6c", + "rev": "768acdb06968e53aa1ee8de207fd955335c754b7", "type": "github" }, "original": { 
diff --git a/flake.nix b/flake.nix
index 3ef8488..8174fb3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -10,6 +10,7 @@
 };
 outputs = {
+ self,
 nixpkgs,
 flake-parts,
 ...
diff --git a/hosts/abacus/backup.nix b/hosts/abacus/backup.nix
new file mode 100644
index 0000000..77f3a1d
--- /dev/null
+++ b/hosts/abacus/backup.nix
@@ -0,0 +1,20 @@
+{
+ attrName,
+ config,
+ ...
+}: {
+ age.secrets."restic-${attrName}".file = ../../secrets/restic-${attrName}.age;
+
+ services.restic.backups.${attrName} = {
+ repository = "sftp:u385962@u385962.your-storagebox.de:/restic/${attrName}";
+ initialize = true;
+ paths = [config.services.syncthing.dataDir];
+ passwordFile = config.age.secrets."restic-${attrName}".path;
+ pruneOpts = ["--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12"];
+ timerConfig = {
+ OnCalendar = "*-*-* 03:00:00";
+ Persistent = true;
+ };
+ extraOptions = ["sftp.args='-i /etc/ssh/ssh_host_ed25519_key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'"];
+ };
+}
diff --git a/hosts/abacus/conduit.nix b/hosts/abacus/conduit.nix
index 7afda11..a59b15a 100644
--- a/hosts/abacus/conduit.nix
+++ b/hosts/abacus/conduit.nix
@@ -60,11 +60,10 @@ in {
 "/".return = "404";
 "/_matrix/" = {
- proxyPass = "http://${config.services.matrix-conduit.settings.global.address}:${toString config.services.matrix-conduit.settings.global.port}$request_uri";
+ proxyPass = "http://${config.services.matrix-conduit.settings.global.address}:${toString config.services.matrix-conduit.settings.global.port}";
 proxyWebsockets = true;
 extraConfig = ''
- proxy_set_header Host $host;
 proxy_buffering off;
 '';
 };
diff --git a/hosts/abacus/default.nix b/hosts/abacus/default.nix
index d163ddd..2c20658 100644
--- a/hosts/abacus/default.nix
+++ b/hosts/abacus/default.nix
@@ -2,6 +2,8 @@
 imports = [
 "${modulesPath}/profiles/qemu-guest.nix"
+ ./microbin.nix
+ ./miniflux.nix
 ./nginx.nix
 ./vaultwarden.nix
 ];
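Review bot: The `extraOptions` line in the new hosts/abacus/backup.nix turns off SSH host-key verification for the restic repository (`StrictHostKeyChecking=no` together with `UserKnownHostsFile=/dev/null`), so the nightly job will push to anything that answers for u385962.your-storagebox.de; restic's encryption protects the contents, but a spoofed endpoint could silently absorb or withhold backups and nobody would notice until a restore is needed. Pin the storage box's host key instead, e.g. `programs.ssh.knownHosts."u385962.your-storagebox.de".publicKey = "<STORAGEBOX-HOST-KEY>";` (placeholder) and reduce the option to `"sftp.args='-i /etc/ssh/ssh_host_ed25519_key'"`, which keeps the default strict checking against /etc/ssh/ssh_known_hosts. hosts/vessel/backup.nix targets the same repository host (its `extraOptions` are not in this diff); if it carries the same flags, fix it there too. A one-line comment above `extraOptions` saying that the host's own ed25519 key doubles as the storage-box identity would also save the next reader a guess.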
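Review bot: Removing `proxy_set_header Host $host;` from the `/_matrix/` location in hosts/abacus/conduit.nix means nginx now sends its default Host header (`$proxy_host`, i.e. the backend address) unless `services.nginx.recommendedProxySettings` is enabled elsewhere, which this diff does not show. Conduit probably does not key on Host, so this is likely harmless, but confirm before relying on it, or note the dependency in a comment such as `# Host header comes from recommendedProxySettings`. Dropping `$request_uri` from `proxyPass` is correct: a URI-less proxyPass forwards the original request path unmodified instead of re-expanding it. The enclosing virtualHost definition starts before this hunk.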
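Review bot: The new hosts/abacus/backup.nix is not added to this imports list in hosts/abacus/default.nix (only `./microbin.nix` and `./miniflux.nix` are), so unless host modules are imported automatically elsewhere, the abacus restic backup defined in this commit is never evaluated and never runs. Add `./backup.nix` next to the other two entries. Note also that backup.nix backs up `config.services.syncthing.dataDir`, while this diff enables syncthing only for vessel; confirm abacus actually runs syncthing, otherwise the path list is empty of real data.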
diff --git a/hosts/abacus/microbin.nix b/hosts/abacus/microbin.nix
new file mode 100644
index 0000000..27fb007
--- /dev/null
+++ b/hosts/abacus/microbin.nix
@@ -0,0 +1,37 @@
+{config, ...}: let
+ inherit (config.networking) domain;
+ virtualHostName = "bin.${domain}";
+in {
+ age.secrets.microbin.file = ../../secrets/microbin.age;
+
+ services.microbin = {
+ enable = true;
+ passwordFile = config.age.secrets.microbin.path;
+ settings = {
+ MICROBIN_BIND = "localhost";
+ MICROBIN_PORT = 8020;
+
+ MICROBIN_ADMIN_USERNAME = "lukas";
+
+ MICROBIN_PUBLIC_PATH = "https://${virtualHostName}/";
+ MICROBIN_QR = true;
+
+ MICROBIN_ETERNAL_PASTA = false;
+
+ MICROBIN_MAX_FILE_SIZE_ENCRYPTED_MB = 1024;
+ MICROBIN_MAX_FILE_SIZE_UNENCRYPTED_MB = 4096;
+
+ MICROBIN_DISABLE_UPDATE_CHECKING = false;
+ MICROBIN_DISABLE_TELEMETRY = true;
+ MICROBIN_LIST_SERVER = false;
+ };
+ };
+
+ services.nginx.virtualHosts.${virtualHostName} = {
+ enableACME = true;
+ forceSSL = true;
+ quic = true;
+
+ locations."/".proxyPass = "http://${config.services.microbin.settings.MICROBIN_BIND}:${builtins.toString config.services.microbin.settings.MICROBIN_PORT}";
+ };
+}
diff --git a/hosts/abacus/miniflux.nix b/hosts/abacus/miniflux.nix
new file mode 100644
index 0000000..df96c2a
--- /dev/null
+++ b/hosts/abacus/miniflux.nix
@@ -0,0 +1,23 @@
+{config, ...}: let
+ inherit (config.networking) domain;
+ virtualHostName = "bin.${domain}";
+in {
+ services.miniflux = {
+ enable = true;
+ createDatabaseLocally = true;
+ adminCredentialsFile = "";
+ config = {
+ LISTEN_ADDR = "localhost:8040";
+ BASE_URL = "https://${virtualHostName}";
+ WEBAUTHN = true;
+ };
+ };
+
+ services.nginx.virtualHosts.${virtualHostName} = {
+ enableACME = true;
+ forceSSL = true;
+ quic = true;
+
+ locations."/".proxyPass = "http://${config.services.miniflux.config.LISTEN_ADDR}";
+ };
+}
diff --git a/hosts/vessel/backup.nix b/hosts/vessel/backup.nix
index 6db998c..1b59552 100644
--- a/hosts/vessel/backup.nix
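Review bot: hosts/abacus/microbin.nix and hosts/abacus/miniflux.nix both set `virtualHostName = "bin.${domain}";` and then each define `services.nginx.virtualHosts.${virtualHostName}.locations."/".proxyPass` with a different backend, so the module system will report conflicting definitions for that option as soon as both are imported (hosts/abacus/default.nix imports both in this commit), and miniflux's `BASE_URL` would point at the paste service even if it did evaluate. miniflux.nix reads as a copy of microbin.nix; give it its own name, e.g. `virtualHostName = "rss.${domain}";` (placeholder, pick the intended subdomain). In microbin.nix, the 1024/4096 MB upload limits in `settings` cannot be reached through this vhost unless `client_max_body_size` is raised in its `extraConfig` or globally, since nginx's default is 1m and nothing in this diff changes it; either raise it deliberately or lower the microbin limits to what the proxy actually admits.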
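Review bot: `adminCredentialsFile = "";` in hosts/abacus/miniflux.nix is a placeholder, not a credential: the NixOS miniflux module expects a path to an environment file holding the initial admin username and password, and an empty string either fails the path type check at evaluation or leaves the service without an admin account at start. Wire it to an agenix secret the way the neighbouring services do, e.g. `age.secrets.miniflux.file = ../../secrets/miniflux.age;` and `adminCredentialsFile = config.age.secrets.miniflux.path;`, and add the corresponding secret file and its `publicKeys` entry in secrets/secrets.nix. A short comment on `WEBAUTHN = true;` noting that passkey login is intended as the primary factor would also document the security posture for this host.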
+++ b/hosts/vessel/backup.nix
@@ -5,42 +5,45 @@
 pkgs,
 ...
 }: let
- safePath = "/srv/storage/safe";
+ backupPath = "/srv/backup";
+ backups = {
+ storage = "/srv/storage";
+ safe = "/srv/safe";
+ sync = config.services.syncthing.dataDir;
+ };
 in {
- systemd = {
- timers.local-backup = {
- description = "Local rsync Backup";
- wantedBy = ["timers.target"];
- timerConfig = {
- OnCalendar = "*-*-* 03:00:00";
- Persistent = true;
- Unit = "local-backup.service";
- };
- };
+ systemd = lib.mkMerge (map (
+ backupName: let
+ systemdName = "${backupName}-backup";
+ in {
+ timers.${systemdName} = {
+ description = "Local rsync Backup ${backupName}";
+ wantedBy = ["timers.target"];
+ timerConfig = {
+ OnCalendar = "*-*-* 03:00:00";
+ Persistent = true;
+ Unit = "${systemdName}.service";
+ };
+ };
 
- services.local-backup = {
- description = "Local rsync Backup";
- serviceConfig = {
- Type = "oneshot";
- ExecStart = "${lib.getExe pkgs.rsync} --verbose --verbose --archive --update --delete /srv/storage/ /srv/backup/";
- User = "root";
- Group = "root";
- };
- };
+ services.${systemdName} = {
+ description = "Local rsync Backup ${backupName}";
+ serviceConfig = {
+ Type = "oneshot";
+ User = "root";
+ Group = "root";
+ };
+ script = ''
+ ${lib.getExe pkgs.rsync} --verbose --verbose --archive --update --delete --mkpath ${backups.${backupName}} ${backupPath}/${backupName}/
+ '';
+ };
+ }
+ ) (lib.attrNames backups));
 
- tmpfiles.settings = {
- "10-storage-safe".${safePath}.d = {
- user = "root";
- group = "root";
- mode = "0755";
- };
- };
- };
-
- fileSystems."/srv/backup" = {
- device = "/dev/disk/by-label/backup";
- fsType = "btrfs";
- options = ["subvol=/" "compress=zstd" "noatime"];
+ fileSystems.${backupPath} = {
+ label = "backup";
+ fsType = "ext4";
+ options = ["noatime"];
 };
 
 age.secrets."restic-${attrName}".file = ../../secrets/restic-${attrName}.age;
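Review bot: The rsync source in the new `script` lost its trailing slash: `${backups.${backupName}}` expands to `/srv/storage`, `/srv/safe` or the syncthing dataDir, whereas the removed ExecStart used `/srv/storage/`, so rsync now copies the directory itself and produces `/srv/backup/storage/storage/` (and the equivalent nested layout for the other two) instead of mirroring the contents; an existing flat mirror under `/srv/backup/storage/` would be left beside it, doubling the space used. Restore the previous semantics with `${backups.${backupName}}/ ${backupPath}/${backupName}/`. Since `--delete` makes this a tracking mirror rather than a snapshot, a one-line comment above the `script` such as `# local mirror, not a snapshot: --delete propagates deletions from the source; restic (below) holds the history` would make the two-tier design explicit. The `age.secrets` line at the bottom belongs to the restic section that continues outside this hunk.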
@@ -48,7 +51,7 @@ in {
 services.restic.backups.${attrName} = {
 repository = "sftp:u385962@u385962.your-storagebox.de:/restic/${attrName}";
 initialize = true;
- paths = [safePath];
+ paths = [backups.safe backups.sync];
 passwordFile = config.age.secrets."restic-${attrName}".path;
 pruneOpts = ["--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12"];
 timerConfig = {
diff --git a/hosts/vessel/default.nix b/hosts/vessel/default.nix
index 2626c4a..7c7fcf3 100644
--- a/hosts/vessel/default.nix
+++ b/hosts/vessel/default.nix
@@ -12,6 +12,8 @@
 ./backup.nix
 ./blocky.nix
+ ./storage.nix
+ ./syncthing.nix
 ];
 nixpkgs.hostPlatform = "x86_64-linux";
diff --git a/hosts/vessel/storage.nix b/hosts/vessel/storage.nix
new file mode 100644
index 0000000..ed5de47
--- /dev/null
+++ b/hosts/vessel/storage.nix
@@ -0,0 +1,15 @@
+{
+ systemd.tmpfiles.settings = {
+ "10-safe"."/srv/safe".d = {
+ user = "root";
+ group = "root";
+ mode = "0755";
+ };
+
+ "10-storage"."/srv/storage".d = {
+ user = "root";
+ group = "root";
+ mode = "0755";
+ };
+ };
+}
diff --git a/hosts/vessel/syncthing.nix b/hosts/vessel/syncthing.nix
new file mode 100644
index 0000000..3edf0bf
--- /dev/null
+++ b/hosts/vessel/syncthing.nix
@@ -0,0 +1,7 @@
+{
+ services.syncthing = {
+ enable = true;
+ systemService = true;
+ openDefaultPorts = true;
+ };
+}
diff --git a/secrets/microbin.age b/secrets/microbin.age
new file mode 100644
index 0000000..67480f3
--- /dev/null
+++ b/secrets/microbin.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 SFHVrw F95W8SsHzaohI3esnMon2BAFepiV3n780P7fcCYQUDQ
+K/9OutO7/MAAP+G4DX+lKP9MV18x686fkwWQFRjSUrk
+-> ssh-ed25519 S+dwQQ goTruGBCq5cmiZ3H7fur99lCmjlHlA/milfbMryi5n4
+9K5s3zCTwW23BOdzD3oHW3ptl7tbY4D+fEZdHDjCsGU
+-> ssh-ed25519 ffmsLw 6FKkfm2o7ese13ZRrZ1xxdqT0wn77HoRfPTrBKZvRxA
+1QohzDabU+Fa1yoLQhL5Iz+lLMRFEerPhDV1yRi/Z9U
+--- H3k2LojeNCCv4WehZlRJyTXCbivbsq+4cwixlx3rnGo
+dh%-fFVg/L8ʬ]_k[˪*]OR>N O:QtmٸMTPj)z`)~֚*-6OU 7Y_eCz
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 4f17e80..bb44d02 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -1,5 +1,9 @@
 with import ../pubkeys.nix; {
 "user-lukas.age".publicKeys = (builtins.attrValues users) ++ (builtins.attrValues hosts);
+
+ "microbin.age".publicKeys = (builtins.attrValues users) ++ [hosts.abacus];
 "vaultwarden.age".publicKeys = (builtins.attrValues users) ++ [hosts.abacus];
+ "restic-vessel.age".publicKeys = (builtins.attrValues users) ++ [hosts.vessel];
+ "restic-abacus.age".publicKeys = (builtins.attrValues users) ++ [hosts.vessel];
 }
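Review bot: `"restic-abacus.age".publicKeys = (builtins.attrValues users) ++ [hosts.vessel];` encrypts abacus's restic repository password to vessel's host key instead of abacus's own. agenix on abacus therefore cannot decrypt the file, `config.age.secrets."restic-abacus".path` in hosts/abacus/backup.nix is never populated and the backup unit fails, while vessel is handed a credential it has no business holding. The line should read `"restic-abacus.age".publicKeys = (builtins.attrValues users) ++ [hosts.abacus];`, followed by a rekey (`agenix -r`) so the ciphertext matches the corrected recipient list; the same one-host-per-secret pattern already used for `microbin.age` and `vaultwarden.age` is the right model.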