fixed database and permissions on service directories

This commit is contained in:
Leyla Becker 2024-11-04 17:47:09 -06:00
parent 4e08a8ecf7
commit 87895e29b5
5 changed files with 130 additions and 112 deletions


@ -49,8 +49,6 @@ to update passwords run: `nix shell nixpkgs#sops -c sops secrets/user-passwords.
## New Features
- offline access for nfs mounts (overlay with rsync might be a good option here? https://www.spinics.net/lists/linux-unionfs/msg07105.html note about nfs4 and overlay fs)
- Flake templates
- searxng
- nextcloud ???
- samba mounts
- firefox declarative???
- figure out steam vr things?
@ -59,7 +57,6 @@ to update passwords run: `nix shell nixpkgs#sops -c sops secrets/user-passwords.
- openssh known hosts
- rotate sops encryption keys periodically (and somehow sync between devices?)
- zfs email after scrubbing
- headscale server (just needs to be tested)
- mastodon server
- tail scale clients
- wake on LAN


@ -92,6 +92,12 @@
group = "headscale";
isSystemUser = true;
};
nextcloud = {
uid = 2006;
group = "nextcloud";
isSystemUser = true;
};
};
groups = {
@ -144,6 +150,11 @@
gid = 2005;
members = ["headscale"];
};
nextcloud = {
gid = 2006;
members = ["nextcloud"];
};
};
};


@ -10,6 +10,7 @@
dnsPort = 53;
httpPort = 80;
httpsPort = 443;
isDebug = false;
in {
imports = [
../common
@ -46,6 +47,18 @@ in {
type = lib.types.str;
description = "ip address to use for pi-hole";
};
directory = {
root = lib.mkOption {
type = lib.types.str;
description = "directory that piholes will be hosted at";
default = "/var/lib/pihole";
};
data = lib.mkOption {
type = lib.types.str;
description = "directory that piholes data will be hosted at";
default = "${config.apps.pihole.directory.root}/data";
};
};
};
headscale = {
subdomain = lib.mkOption {
@ -70,48 +83,16 @@ in {
description = "hosname that jellyfin will be hosted at";
default = "${config.apps.jellyfin.subdomain}.${config.apps.base_domain}";
};
directory = {
root = lib.mkOption {
type = lib.types.str;
description = "directory that jellyfin will be at";
default = "/home/jellyfin";
};
mediaDirectoryName = lib.mkOption {
type = lib.types.str;
description = "name of the directory to store the media in";
default = "media";
};
mediaDirectory = lib.mkOption {
type = lib.types.str;
description = "directory that jellyfin will store its media in";
default = "${config.apps.jellyfin.directory.root}/${config.apps.jellyfin.directory.mediaDirectoryName}";
};
dataDirectoryName = lib.mkOption {
type = lib.types.str;
description = "name of the directory to store the config in";
default = "data";
};
dataDirectory = lib.mkOption {
type = lib.types.str;
description = "directory that jellyfin will store its config in";
default = "${config.apps.jellyfin.directory.root}/${config.apps.jellyfin.directory.dataDirectoryName}";
};
cacheDirectoryName = lib.mkOption {
type = lib.types.str;
description = "name of the directory to store the cache in";
default = "cache";
};
cacheDirectory = lib.mkOption {
type = lib.types.str;
description = "directory that jellyfin will store its cache in";
default = "${config.apps.jellyfin.directory.root}/${config.apps.jellyfin.directory.cacheDirectoryName}";
};
mediaDirectory = lib.mkOption {
type = lib.types.str;
description = "directory that jellyfin will be at";
default = "/home/jellyfin";
};
};
forgejo = {
subdomain = lib.mkOption {
type = lib.types.str;
description = "subdomain of base domain that foregjo will be hosted at";
description = "subdomain of base domain that forgejo will be hosted at";
default = "forgejo";
};
hostname = lib.mkOption {
@ -144,6 +125,18 @@ in {
default = "${config.apps.searx.subdomain}.${config.apps.base_domain}";
};
};
nextcloud = {
subdomain = lib.mkOption {
type = lib.types.str;
description = "subdomain of base domain that nextcloud will be hosted at";
default = "nextcloud";
};
hostname = lib.mkOption {
type = lib.types.str;
description = "hosname that nextcloud will be hosted at";
default = "${config.apps.nextcloud.subdomain}.${config.apps.base_domain}";
};
};
};
};
@ -155,6 +148,10 @@ in {
"services/searx" = {
sopsFile = "${inputs.secrets}/defiant-services.yaml";
};
"services/nextcloud_adminpass" = {
sopsFile = "${inputs.secrets}/defiant-services.yaml";
owner = config.users.users.nextcloud.name;
};
};
virtualisation = {
@ -178,7 +175,7 @@ in {
in {
image = config.apps.pihole.image;
volumes = [
"/home/pihole:/etc/pihole:rw" # TODO; set this based on configs and bond with tmpfiles.rules
"${config.apps.pihole.directory.data}:/etc/pihole:rw"
"${config.sops.secrets."services/pi-hole".path}:${passwordFileLocation}"
];
environment = {
@ -197,16 +194,12 @@ in {
};
};
# TODO: dynamic users
systemd = {
tmpfiles.rules = [
"d ${config.apps.jellyfin.directory.root} 755 jellyfin jellyfin -"
"d ${config.apps.jellyfin.directory.mediaDirectory} 2775 jellyfin jellyfin_media -" # is /home/docker/jellyfin/media on existing server
"d ${config.apps.jellyfin.directory.dataDirectory} 2770 jellyfin jellyfin -" # is /home/docker/jellyfin/config on existing server
"d ${config.apps.jellyfin.directory.cacheDirectory} 2750 jellyfin jellyfin -" # is /home/docker/jellyfin/cache on existing server
"d /home/forgejo 750 forgejo forgejo -"
"d /home/forgejo/data 750 forgejo forgejo -" # is /home/docker/forgejo on existing server
"d /home/pihole 750 pihole pihole -" # is /home/docker/pihole on old system
"d /home/hass 750 hass hass -" # is /home/docker/hass on old system
"d ${config.apps.jellyfin.mediaDirectory} 2775 jellyfin jellyfin_media -" # is /home/docker/jellyfin/media on existing server
"d ${config.apps.pihole.directory.root} 755 pihole pihole -" # is /home/docker/pihole on old system
"d ${config.apps.pihole.directory.data} 755 pihole pihole -" # is /home/docker/pihole on old system
];
services = {
@ -241,6 +234,13 @@ in {
partOf = ["podman-compose-root.target"];
wantedBy = ["podman-compose-root.target"];
};
# nextcloud-setup = {
# after = ["network.target"];
# };
headscale = {
after = ["postgresql.service"];
requires = ["postgresql.service"];
};
};
# disable computer sleeping
@ -278,18 +278,24 @@ in {
postgresql = {
enable = true;
ensureDatabases = ["forgejo" "headscale"];
ensureUsers = [
{
name = "postgres";
}
{
name = "forgejo";
ensureDBOwnership = true;
}
{
name = "headscale";
ensureDBOwnership = true;
}
];
ensureDatabases = [
"forgejo"
"headscale"
# "nextcloud"
];
identMap = ''
# ArbitraryMapName systemUser DBUser
@ -300,13 +306,13 @@ in {
# Client Users
superuser_map forgejo forgejo
# superuser_map headscale headscale
superuser_map headscale headscale
'';
# configuration here lets users access the db that matches their name and lets user postgres access everything
authentication = pkgs.lib.mkOverride 10 ''
# type database DBuser auth-method optional_ident_map
local all postgres peer map=superuser_map
local sameuser all peer map=superuser_map
# type database DBuser origin-address auth-method optional_ident_map
local all postgres peer map=superuser_map
local sameuser all peer map=superuser_map
'';
};
@ -320,34 +326,27 @@ in {
server_url = "https://${config.apps.headscale.hostname}";
dns.base_domain = "clients.${config.apps.headscale.hostname}";
logtail.enabled = true;
# database = {
# type = "postgres";
# postgres = {
# host = "localhost";
# port = 5432;
# user = "headscale";
# name = "headscale";
# };
# };
database = {
type = "postgres";
postgres = {
host = "/run/postgresql";
port = config.services.postgresql.settings.port;
user = "headscale";
name = "headscale";
};
};
};
};
jellyfin = {
enable = true;
user = "jellyfin";
group = "jellyfin";
dataDir = config.apps.jellyfin.directory.dataDirectory;
cacheDir = config.apps.jellyfin.directory.cacheDirectory;
};
forgejo = {
enable = true;
database = {
type = "postgres";
host = "localhost";
port = 5432;
user = "forgejo";
name = "forgejo";
socket = "/run/postgresql";
};
lfs.enable = true;
settings = {
@ -355,14 +354,11 @@ in {
DOMAIN = config.apps.forgejo.hostname;
HTTP_PORT = 8081;
};
service.DISABLE_REGISTRATION = true;
};
stateDir = "/home/forgejo/data";
};
home-assistant = {
enable = false;
configDir = "/home/hass";
enable = true;
config.http = {
server_port = 8082;
use_x_forwarded_for = true;
@ -383,6 +379,16 @@ in {
};
};
# nextcloud here is built using its auto setup mysql db because it was not playing nice with postgres
nextcloud = {
enable = true;
package = pkgs.nextcloud30;
hostName = config.apps.nextcloud.hostname;
config = {
adminpassFile = config.sops.secrets."services/nextcloud_adminpass".path;
};
};
nginx = {
enable = true;
virtualHosts = {
@ -423,17 +429,21 @@ in {
defaults.email = "jan-leila@protonmail.com";
};
networking.firewall.allowedTCPPorts = [
httpPort
httpsPort
dnsPort
nfsPort
jellyfinPort
config.services.headscale.port
config.services.forgejo.settings.server.HTTP_PORT
# config.services.home-assistant.config.http.server_port
config.services.searx.settings.server.port
];
networking.firewall.allowedTCPPorts =
[
httpPort
httpsPort
dnsPort
nfsPort
]
++ (lib.optional isDebug [
jellyfinPort
config.services.headscale.port
config.services.forgejo.settings.server.HTTP_PORT
config.services.home-assistant.config.http.server_port
config.services.postgresql.settings.port
config.services.searx.settings.server.port
]);
environment.systemPackages = [
config.services.headscale.package
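Review bot: In the firewall rewrite at the bottom of this section, `lib.optional isDebug [ ... ]` wraps its argument in a single-element list, so enabling `isDebug` would append a nested list to `allowedTCPPorts` and fail the option's type check; the list-valued form is `++ (lib.optionals isDebug [`. Nothing breaks today only because `isDebug = false` makes that tail empty. Moving the per-service ports behind nginx's 80/443 is a good hardening step, but the debug list also opens the PostgreSQL port while the `authentication` block above contains only `local` (socket) rules, so a remote TCP client would presumably be rejected anyway — and whether the server binds a TCP socket at all is not visible here; consider dropping that entry or adding a comment stating why it is needed. Separately, the comment on the nextcloud block says it is built on an auto-set-up mysql database, but no `dbtype` is set in the hunk, so the module default applies; the comment should describe what is actually deployed.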


@ -7,11 +7,11 @@
]
},
"locked": {
"lastModified": 1729281548,
"narHash": "sha256-MuojlSnwAJAwfhgmW8ZtZrwm2Sko4fqubCvReqbUzYw=",
"lastModified": 1730751873,
"narHash": "sha256-sdY29RWz0S7VbaoTwSy6RummdHKf0wUTaBlqPxrtvmQ=",
"owner": "nix-community",
"repo": "disko",
"rev": "a6a3179ddf396dfc28a078e2f169354d0c137125",
"rev": "856a2902156ba304efebd4c1096dbf7465569454",
"type": "github"
},
"original": {
@ -61,11 +61,11 @@
]
},
"locked": {
"lastModified": 1729551526,
"narHash": "sha256-7LAGY32Xl14OVQp3y6M43/0AtHYYvV6pdyBcp3eoz0s=",
"lastModified": 1730633670,
"narHash": "sha256-ZFJqIXpvVKvzOVFKWNRDyIyAo+GYdmEPaYi1bZB6uf0=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "5ec753a1fc4454df9285d8b3ec0809234defb975",
"rev": "8f6ca7855d409aeebe2a582c6fd6b6a8d0bf5661",
"type": "github"
},
"original": {
@ -83,11 +83,11 @@
]
},
"locked": {
"lastModified": 1729475384,
"narHash": "sha256-x7ODafOKfxXMdgs/wPXVpmf04vOr7cJLEDWYT/TBjY0=",
"lastModified": 1730685024,
"narHash": "sha256-w0cQSTjLBaUSziPGwyI0nbWVD64+N3ByoSxC0CEZmeI=",
"owner": "nix-community",
"repo": "nix-vscode-extensions",
"rev": "77a421d6c7ea09381c7e33d90c3017c9727dfbc3",
"rev": "16ca007ec37c29a8b97e4899f33c013defbdb2f9",
"type": "github"
},
"original": {
@ -98,11 +98,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1729509737,
"narHash": "sha256-8OHgqz+tFo21h3hg4/GHizFPws+MMzpEru/+62Z0E8c=",
"lastModified": 1730537918,
"narHash": "sha256-GJB1/aaTnAtt9sso/EQ77TAGJ/rt6uvlP0RqZFnWue8=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "cc2d3c0e060f981905d52337340ee6ec8b8eb037",
"rev": "f6e0cd5c47d150c4718199084e5764f968f1b560",
"type": "github"
},
"original": {
@ -114,11 +114,9 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1729256560,
"narHash": "sha256-/uilDXvCIEs3C9l73JTACm4quuHUsIHcns1c+cHUJwA=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "4c2fcb090b1f3e5b47eaa7bd33913b574a11e0a0",
"rev": "6eef3d72452247a6d9baafe05cffc1c9bc93f1c4",
"type": "github"
},
"original": {
@ -130,11 +128,11 @@
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1729357638,
"narHash": "sha256-66RHecx+zohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4=",
"lastModified": 1730602179,
"narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "bb8c2cf7ea0dd2e18a52746b2c3a5b0c73b93c22",
"rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
"type": "github"
},
"original": {
@ -158,11 +156,11 @@
"secrets": {
"flake": false,
"locked": {
"lastModified": 1729353554,
"narHash": "sha256-mLf7siPN9HtpZIZZA1eubwNTyVsIS/kHzWvJ+oX88xU=",
"lastModified": 1730665670,
"narHash": "sha256-MMwH5IcaslEWqeHaNqSjAsGWoS2NJ5qiIE7RLiJG+28=",
"ref": "main",
"rev": "73b4f304d4445e8ce53f395e78289f264753efeb",
"revCount": 3,
"rev": "ef623d6a9e25c1f0ec9d282ab5ed5dff54674816",
"revCount": 6,
"type": "git",
"url": "https://git.jan-leila.com/jan-leila/nix-config-secrets"
},
@ -180,11 +178,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1729394972,
"narHash": "sha256-fADlzOzcSaGsrO+THUZ8SgckMMc7bMQftztKFCLVcFI=",
"lastModified": 1730746162,
"narHash": "sha256-ZGmI+3AbT8NkDdBQujF+HIxZ+sWXuyT6X8B49etWY2g=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "c504fd7ac946d7a1b17944d73b261ca0a0b226a5",
"rev": "59d6988329626132eaf107761643f55eb979eef1",
"type": "github"
},
"original": {


@ -1,6 +1,5 @@
# server nas
{
config,
pkgs,
inputs,
...
@ -47,6 +46,9 @@
forgejo = {
subdomain = "git";
};
nextcloud = {
subdomain = "drive";
};
};
services = {