Lithospherical/nix-config
1
0
Fork 0
forked from jan-leila/nix-config
Code Pull requests Activity

fixed database and permissions on service directories

Browse source
This commit is contained in:
Leyla Becker 2024-11-04 17:47:09 -06:00
parent 4e08a8ecf7
commit 87895e29b5
5 changed files with 130 additions and 112 deletions
Download patch file Download diff file Expand all files Collapse all files

3
README.md
View file

@ -49,8 +49,6 @@ to update passwords run: `nix shell nixpkgs#sops -c sops secrets/user-passwords.
## New Features ## New Features
- offline access for nfs mounts (overlay with rsync might be a good option here? https://www.spinics.net/lists/linux-unionfs/msg07105.html note about nfs4 and overlay fs) - offline access for nfs mounts (overlay with rsync might be a good option here? https://www.spinics.net/lists/linux-unionfs/msg07105.html note about nfs4 and overlay fs)
- Flake templates - Flake templates
- searxng
- nextcloud ???
- samba mounts - samba mounts
- firefox declarative??? - firefox declarative???
- figure out steam vr things? - figure out steam vr things?
@ -59,7 +57,6 @@ to update passwords run: `nix shell nixpkgs#sops -c sops secrets/user-passwords.
- openssh known hosts - openssh known hosts
- rotate sops encryption keys periodically (and somehow sync between devices?) - rotate sops encryption keys periodically (and somehow sync between devices?)
- zfs email after scrubbing - zfs email after scrubbing
- headscale server (just needs to be tested)
- mastodon server - mastodon server
- tail scale clients - tail scale clients
- wake on LAN - wake on LAN

11
enviroments/common/default.nix
View file

@ -92,6 +92,12 @@
group = "headscale"; group = "headscale";
isSystemUser = true; isSystemUser = true;
}; };
nextcloud = {
uid = 2006;
group = "nextcloud";
isSystemUser = true;
};
}; };
groups = { groups = {
@ -144,6 +150,11 @@
gid = 2005; gid = 2005;
members = ["headscale"]; members = ["headscale"];
}; };
nextcloud = {
gid = 2006;
members = ["nextcloud"];
};
}; };
}; };

150
enviroments/server/default.nix
View file

@ -10,6 +10,7 @@
dnsPort = 53; dnsPort = 53;
httpPort = 80; httpPort = 80;
httpsPort = 443; httpsPort = 443;
isDebug = false;
in { in {
imports = [ imports = [
../common ../common
@ -46,6 +47,18 @@ in {
type = lib.types.str; type = lib.types.str;
description = "ip address to use for pi-hole"; description = "ip address to use for pi-hole";
}; };
directory = {
root = lib.mkOption {
type = lib.types.str;
description = "directory that piholes will be hosted at";
default = "/var/lib/pihole";
};
data = lib.mkOption {
type = lib.types.str;
description = "directory that piholes data will be hosted at";
default = "${config.apps.pihole.directory.root}/data";
};
};
}; };
headscale = { headscale = {
subdomain = lib.mkOption { subdomain = lib.mkOption {
@ -70,48 +83,16 @@ in {
description = "hosname that jellyfin will be hosted at"; description = "hosname that jellyfin will be hosted at";
default = "${config.apps.jellyfin.subdomain}.${config.apps.base_domain}"; default = "${config.apps.jellyfin.subdomain}.${config.apps.base_domain}";
}; };
directory = { mediaDirectory = lib.mkOption {
root = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "directory that jellyfin will be at"; description = "directory that jellyfin will be at";
default = "/home/jellyfin"; default = "/home/jellyfin";
}; };
mediaDirectoryName = lib.mkOption {
type = lib.types.str;
description = "name of the directory to store the media in";
default = "media";
};
mediaDirectory = lib.mkOption {
type = lib.types.str;
description = "directory that jellyfin will store its media in";
default = "${config.apps.jellyfin.directory.root}/${config.apps.jellyfin.directory.mediaDirectoryName}";
};
dataDirectoryName = lib.mkOption {
type = lib.types.str;
description = "name of the directory to store the config in";
default = "data";
};
dataDirectory = lib.mkOption {
type = lib.types.str;
description = "directory that jellyfin will store its config in";
default = "${config.apps.jellyfin.directory.root}/${config.apps.jellyfin.directory.dataDirectoryName}";
};
cacheDirectoryName = lib.mkOption {
type = lib.types.str;
description = "name of the directory to store the cache in";
default = "cache";
};
cacheDirectory = lib.mkOption {
type = lib.types.str;
description = "directory that jellyfin will store its cache in";
default = "${config.apps.jellyfin.directory.root}/${config.apps.jellyfin.directory.cacheDirectoryName}";
};
};
}; };
forgejo = { forgejo = {
subdomain = lib.mkOption { subdomain = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "subdomain of base domain that foregjo will be hosted at"; description = "subdomain of base domain that forgejo will be hosted at";
default = "forgejo"; default = "forgejo";
}; };
hostname = lib.mkOption { hostname = lib.mkOption {
@ -144,6 +125,18 @@ in {
default = "${config.apps.searx.subdomain}.${config.apps.base_domain}"; default = "${config.apps.searx.subdomain}.${config.apps.base_domain}";
}; };
}; };
nextcloud = {
subdomain = lib.mkOption {
type = lib.types.str;
description = "subdomain of base domain that nextcloud will be hosted at";
default = "nextcloud";
};
hostname = lib.mkOption {
type = lib.types.str;
description = "hosname that nextcloud will be hosted at";
default = "${config.apps.nextcloud.subdomain}.${config.apps.base_domain}";
};
};
}; };
}; };
@ -155,6 +148,10 @@ in {
"services/searx" = { "services/searx" = {
sopsFile = "${inputs.secrets}/defiant-services.yaml"; sopsFile = "${inputs.secrets}/defiant-services.yaml";
}; };
"services/nextcloud_adminpass" = {
sopsFile = "${inputs.secrets}/defiant-services.yaml";
owner = config.users.users.nextcloud.name;
};
}; };
virtualisation = { virtualisation = {
@ -178,7 +175,7 @@ in {
in { in {
image = config.apps.pihole.image; image = config.apps.pihole.image;
volumes = [ volumes = [
"/home/pihole:/etc/pihole:rw" # TODO; set this based on configs and bond with tmpfiles.rules "${config.apps.pihole.directory.data}:/etc/pihole:rw"
"${config.sops.secrets."services/pi-hole".path}:${passwordFileLocation}" "${config.sops.secrets."services/pi-hole".path}:${passwordFileLocation}"
]; ];
environment = { environment = {
@ -197,16 +194,12 @@ in {
}; };
}; };
# TODO: dynamic users
systemd = { systemd = {
tmpfiles.rules = [ tmpfiles.rules = [
"d ${config.apps.jellyfin.directory.root} 755 jellyfin jellyfin -" "d ${config.apps.jellyfin.mediaDirectory} 2775 jellyfin jellyfin_media -" # is /home/docker/jellyfin/media on existing server
"d ${config.apps.jellyfin.directory.mediaDirectory} 2775 jellyfin jellyfin_media -" # is /home/docker/jellyfin/media on existing server "d ${config.apps.pihole.directory.root} 755 pihole pihole -" # is /home/docker/pihole on old system
"d ${config.apps.jellyfin.directory.dataDirectory} 2770 jellyfin jellyfin -" # is /home/docker/jellyfin/config on existing server "d ${config.apps.pihole.directory.data} 755 pihole pihole -" # is /home/docker/pihole on old system
"d ${config.apps.jellyfin.directory.cacheDirectory} 2750 jellyfin jellyfin -" # is /home/docker/jellyfin/cache on existing server
"d /home/forgejo 750 forgejo forgejo -"
"d /home/forgejo/data 750 forgejo forgejo -" # is /home/docker/forgejo on existing server
"d /home/pihole 750 pihole pihole -" # is /home/docker/pihole on old system
"d /home/hass 750 hass hass -" # is /home/docker/hass on old system
]; ];
services = { services = {
@ -241,6 +234,13 @@ in {
partOf = ["podman-compose-root.target"]; partOf = ["podman-compose-root.target"];
wantedBy = ["podman-compose-root.target"]; wantedBy = ["podman-compose-root.target"];
}; };
# nextcloud-setup = {
# after = ["network.target"];
# };
headscale = {
after = ["postgresql.service"];
requires = ["postgresql.service"];
};
}; };
# disable computer sleeping # disable computer sleeping
@ -278,18 +278,24 @@ in {
postgresql = { postgresql = {
enable = true; enable = true;
ensureDatabases = ["forgejo" "headscale"];
ensureUsers = [ ensureUsers = [
{ {
name = "postgres"; name = "postgres";
} }
{ {
name = "forgejo"; name = "forgejo";
ensureDBOwnership = true;
} }
{ {
name = "headscale"; name = "headscale";
ensureDBOwnership = true;
} }
]; ];
ensureDatabases = [
"forgejo"
"headscale"
# "nextcloud"
];
identMap = '' identMap = ''
# ArbitraryMapName systemUser DBUser # ArbitraryMapName systemUser DBUser
@ -300,11 +306,11 @@ in {
# Client Users # Client Users
superuser_map forgejo forgejo superuser_map forgejo forgejo
# superuser_map headscale headscale superuser_map headscale headscale
''; '';
# configuration here lets users access the db that matches their name and lets user postgres access everything # configuration here lets users access the db that matches their name and lets user postgres access everything
authentication = pkgs.lib.mkOverride 10 '' authentication = pkgs.lib.mkOverride 10 ''
# type database DBuser auth-method optional_ident_map # type database DBuser origin-address auth-method optional_ident_map
local all postgres peer map=superuser_map local all postgres peer map=superuser_map
local sameuser all peer map=superuser_map local sameuser all peer map=superuser_map
''; '';
@ -320,34 +326,27 @@ in {
server_url = "https://${config.apps.headscale.hostname}"; server_url = "https://${config.apps.headscale.hostname}";
dns.base_domain = "clients.${config.apps.headscale.hostname}"; dns.base_domain = "clients.${config.apps.headscale.hostname}";
logtail.enabled = true; logtail.enabled = true;
# database = { database = {
# type = "postgres"; type = "postgres";
# postgres = { postgres = {
# host = "localhost"; host = "/run/postgresql";
# port = 5432; port = config.services.postgresql.settings.port;
# user = "headscale"; user = "headscale";
# name = "headscale"; name = "headscale";
# }; };
# }; };
}; };
}; };
jellyfin = { jellyfin = {
enable = true; enable = true;
user = "jellyfin";
group = "jellyfin";
dataDir = config.apps.jellyfin.directory.dataDirectory;
cacheDir = config.apps.jellyfin.directory.cacheDirectory;
}; };
forgejo = { forgejo = {
enable = true; enable = true;
database = { database = {
type = "postgres"; type = "postgres";
host = "localhost"; socket = "/run/postgresql";
port = 5432;
user = "forgejo";
name = "forgejo";
}; };
lfs.enable = true; lfs.enable = true;
settings = { settings = {
@ -355,14 +354,11 @@ in {
DOMAIN = config.apps.forgejo.hostname; DOMAIN = config.apps.forgejo.hostname;
HTTP_PORT = 8081; HTTP_PORT = 8081;
}; };
service.DISABLE_REGISTRATION = true;
}; };
stateDir = "/home/forgejo/data";
}; };
home-assistant = { home-assistant = {
enable = false; enable = true;
configDir = "/home/hass";
config.http = { config.http = {
server_port = 8082; server_port = 8082;
use_x_forwarded_for = true; use_x_forwarded_for = true;
@ -383,6 +379,16 @@ in {
}; };
}; };
# nextcloud here is built using its auto setup mysql db because it was not playing nice with postgres
nextcloud = {
enable = true;
package = pkgs.nextcloud30;
hostName = config.apps.nextcloud.hostname;
config = {
adminpassFile = config.sops.secrets."services/nextcloud_adminpass".path;
};
};
nginx = { nginx = {
enable = true; enable = true;
virtualHosts = { virtualHosts = {
@ -423,17 +429,21 @@ in {
defaults.email = "jan-leila@protonmail.com"; defaults.email = "jan-leila@protonmail.com";
}; };
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts =
[
httpPort httpPort
httpsPort httpsPort
dnsPort dnsPort
nfsPort nfsPort
]
++ (lib.optional isDebug [
jellyfinPort jellyfinPort
config.services.headscale.port config.services.headscale.port
config.services.forgejo.settings.server.HTTP_PORT config.services.forgejo.settings.server.HTTP_PORT
# config.services.home-assistant.config.http.server_port config.services.home-assistant.config.http.server_port
config.services.postgresql.settings.port
config.services.searx.settings.server.port config.services.searx.settings.server.port
]; ]);
environment.systemPackages = [ environment.systemPackages = [
config.services.headscale.package config.services.headscale.package

48
flake.lock generated
View file

@ -7,11 +7,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1729281548, "lastModified": 1730751873,
"narHash": "sha256-MuojlSnwAJAwfhgmW8ZtZrwm2Sko4fqubCvReqbUzYw=", "narHash": "sha256-sdY29RWz0S7VbaoTwSy6RummdHKf0wUTaBlqPxrtvmQ=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "a6a3179ddf396dfc28a078e2f169354d0c137125", "rev": "856a2902156ba304efebd4c1096dbf7465569454",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -61,11 +61,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1729551526, "lastModified": 1730633670,
"narHash": "sha256-7LAGY32Xl14OVQp3y6M43/0AtHYYvV6pdyBcp3eoz0s=", "narHash": "sha256-ZFJqIXpvVKvzOVFKWNRDyIyAo+GYdmEPaYi1bZB6uf0=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "5ec753a1fc4454df9285d8b3ec0809234defb975", "rev": "8f6ca7855d409aeebe2a582c6fd6b6a8d0bf5661",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -83,11 +83,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1729475384, "lastModified": 1730685024,
"narHash": "sha256-x7ODafOKfxXMdgs/wPXVpmf04vOr7cJLEDWYT/TBjY0=", "narHash": "sha256-w0cQSTjLBaUSziPGwyI0nbWVD64+N3ByoSxC0CEZmeI=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-vscode-extensions", "repo": "nix-vscode-extensions",
"rev": "77a421d6c7ea09381c7e33d90c3017c9727dfbc3", "rev": "16ca007ec37c29a8b97e4899f33c013defbdb2f9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -98,11 +98,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1729509737, "lastModified": 1730537918,
"narHash": "sha256-8OHgqz+tFo21h3hg4/GHizFPws+MMzpEru/+62Z0E8c=", "narHash": "sha256-GJB1/aaTnAtt9sso/EQ77TAGJ/rt6uvlP0RqZFnWue8=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "cc2d3c0e060f981905d52337340ee6ec8b8eb037", "rev": "f6e0cd5c47d150c4718199084e5764f968f1b560",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -114,11 +114,9 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1729256560,
"narHash": "sha256-/uilDXvCIEs3C9l73JTACm4quuHUsIHcns1c+cHUJwA=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "4c2fcb090b1f3e5b47eaa7bd33913b574a11e0a0", "rev": "6eef3d72452247a6d9baafe05cffc1c9bc93f1c4",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -130,11 +128,11 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1729357638, "lastModified": 1730602179,
"narHash": "sha256-66RHecx+zohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4=", "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "bb8c2cf7ea0dd2e18a52746b2c3a5b0c73b93c22", "rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -158,11 +156,11 @@
"secrets": { "secrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1729353554, "lastModified": 1730665670,
"narHash": "sha256-mLf7siPN9HtpZIZZA1eubwNTyVsIS/kHzWvJ+oX88xU=", "narHash": "sha256-MMwH5IcaslEWqeHaNqSjAsGWoS2NJ5qiIE7RLiJG+28=",
"ref": "main", "ref": "main",
"rev": "73b4f304d4445e8ce53f395e78289f264753efeb", "rev": "ef623d6a9e25c1f0ec9d282ab5ed5dff54674816",
"revCount": 3, "revCount": 6,
"type": "git", "type": "git",
"url": "https://git.jan-leila.com/jan-leila/nix-config-secrets" "url": "https://git.jan-leila.com/jan-leila/nix-config-secrets"
}, },
@ -180,11 +178,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1729394972, "lastModified": 1730746162,
"narHash": "sha256-fADlzOzcSaGsrO+THUZ8SgckMMc7bMQftztKFCLVcFI=", "narHash": "sha256-ZGmI+3AbT8NkDdBQujF+HIxZ+sWXuyT6X8B49etWY2g=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "c504fd7ac946d7a1b17944d73b261ca0a0b226a5", "rev": "59d6988329626132eaf107761643f55eb979eef1",
"type": "github" "type": "github"
}, },
"original": { "original": {

4
hosts/defiant/configuration.nix
View file

@ -1,6 +1,5 @@
# server nas # server nas
{ {
config,
pkgs, pkgs,
inputs, inputs,
... ...
@ -47,6 +46,9 @@
forgejo = { forgejo = {
subdomain = "git"; subdomain = "git";
}; };
nextcloud = {
subdomain = "drive";
};
}; };
services = { services = {