diff --git a/README.md b/README.md
index 94476a5..5f4848e 100644
--- a/README.md
+++ b/README.md
@@ -49,8 +49,6 @@ to update passwords run: `nix shell nixpkgs#sops -c sops secrets/user-passwords.
 ## New Features
 - offline access for nfs mounts (overlay with rsync might be a good option here? https://www.spinics.net/lists/linux-unionfs/msg07105.html note about nfs4 and overlay fs)
 - Flake templates
-- searxng
-- nextcloud ???
 - samba mounts
 - firefox declarative???
 - figure out steam vr things?
@@ -59,7 +57,6 @@ to update passwords run: `nix shell nixpkgs#sops -c sops secrets/user-passwords.
 - openssh known hosts
 - rotate sops encryption keys periodically (and somehow sync between devices?)
 - zfs email after scrubbing
-- headscale server (just needs to be tested)
 - mastodon server
 - tail scale clients
 - wake on LAN
diff --git a/enviroments/common/default.nix b/enviroments/common/default.nix
index c07382f..8df4c0e 100644
--- a/enviroments/common/default.nix
+++ b/enviroments/common/default.nix
@@ -92,6 +92,12 @@
 group = "headscale";
 isSystemUser = true;
 };
+ nextcloud = {
+ uid = 2006;
+ group = "nextcloud";
+ isSystemUser = true;
+ };
 };
 groups = {
@@ -144,6 +150,11 @@
 gid = 2005;
 members = ["headscale"];
 };
+ nextcloud = {
+ gid = 2006;
+ members = ["nextcloud"];
+ };
 };
 };
diff --git a/enviroments/server/default.nix b/enviroments/server/default.nix
index fee58c6..4cd45ff 100644
--- a/enviroments/server/default.nix
+++ b/enviroments/server/default.nix
@@ -10,6 +10,7 @@
 dnsPort = 53;
 httpPort = 80;
 httpsPort = 443;
+ isDebug = false;
 in {
 imports = [
 ../common
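Review bot: The new `nextcloud` user and group are declared in `enviroments/common/default.nix`, so every host that imports `../common` (the server does, per the `imports` context in the hunk below) gets a `nextcloud` account whether or not the service runs there; as far as I know the NixOS nextcloud module already declares `users.users.nextcloud` when it is enabled, so only the fixed ids add anything here. If the intent is a stable uid/gid 2006 across machines (the neighbouring `headscale` entry follows the same pattern), a comment would make that explicit: `# pinned uid/gid so ownership is stable across hosts; the nextcloud module supplies the rest`. Otherwise `uid = 2006;` belongs next to `services.nextcloud` in the server environment. The enclosing `users` and `groups` sets start and end outside the hunk.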
@@ -46,6 +47,18 @@ in {
 type = lib.types.str;
 description = "ip address to use for pi-hole";
 };
+ directory = {
+ root = lib.mkOption {
+ type = lib.types.str;
+ description = "directory that piholes will be hosted at";
+ default = "/var/lib/pihole";
+ };
+ data = lib.mkOption {
+ type = lib.types.str;
+ description = "directory that piholes data will be hosted at";
+ default = "${config.apps.pihole.directory.root}/data";
+ };
+ };
 };
 headscale = {
 subdomain = lib.mkOption {
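Review bot: Both new `directory` options are typed `lib.types.str`, so an empty or relative value is accepted at evaluation time even though the value ends up as a tmpfiles target and a container bind-mount source; `lib.types.path` rejects anything that is not an absolute path and matches how the value is used. The descriptions also read awkwardly: `description = "directory that pi-hole state is kept in";` and `description = "directory bind-mounted into the container as /etc/pihole";`. The enclosing `pihole` option set starts before the hunk.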
@@ -70,48 +83,16 @@ in {
 description = "hosname that jellyfin will be hosted at";
 default = "${config.apps.jellyfin.subdomain}.${config.apps.base_domain}";
 };
- directory = {
- root = lib.mkOption {
- type = lib.types.str;
- description = "directory that jellyfin will be at";
- default = "/home/jellyfin";
- };
- mediaDirectoryName = lib.mkOption {
- type = lib.types.str;
- description = "name of the directory to store the media in";
- default = "media";
- };
- mediaDirectory = lib.mkOption {
- type = lib.types.str;
- description = "directory that jellyfin will store its media in";
- default = "${config.apps.jellyfin.directory.root}/${config.apps.jellyfin.directory.mediaDirectoryName}";
- };
- dataDirectoryName = lib.mkOption {
- type = lib.types.str;
- description = "name of the directory to store the config in";
- default = "data";
- };
- dataDirectory = lib.mkOption {
- type = lib.types.str;
- description = "directory that jellyfin will store its config in";
- default = "${config.apps.jellyfin.directory.root}/${config.apps.jellyfin.directory.dataDirectoryName}";
- };
- cacheDirectoryName = lib.mkOption {
- type = lib.types.str;
- description = "name of the directory to store the cache in";
- default = "cache";
- };
- cacheDirectory = lib.mkOption {
- type = lib.types.str;
- description = "directory that jellyfin will store its cache in";
- default = "${config.apps.jellyfin.directory.root}/${config.apps.jellyfin.directory.cacheDirectoryName}";
- };
+ mediaDirectory = lib.mkOption {
+ type = lib.types.str;
+ description = "directory that jellyfin will be at";
+ default = "/home/jellyfin";
 };
 };
 forgejo = {
 subdomain = lib.mkOption {
 type = lib.types.str;
- description = "subdomain of base domain that foregjo will be hosted at";
+ description = "subdomain of base domain that forgejo will be hosted at";
 default = "forgejo";
 };
 hostname = lib.mkOption {
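Review bot: The surviving `mediaDirectory` option carries the description of the removed `root` option (`"directory that jellyfin will be at"`), which no longer describes what it holds; the removed `mediaDirectory` already had the accurate wording, so `description = "directory that jellyfin will store its media in";` is the one to keep. With the data and cache options gone, jellyfin's state location falls back to the module default unless set elsewhere, so a one-line comment on whether the old `/home/jellyfin/data` contents are being migrated would save the next reader a search. The enclosing `jellyfin` option set starts before the hunk.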
@@ -144,6 +125,18 @@ in {
 default = "${config.apps.searx.subdomain}.${config.apps.base_domain}";
 };
 };
+ nextcloud = {
+ subdomain = lib.mkOption {
+ type = lib.types.str;
+ description = "subdomain of base domain that nextcloud will be hosted at";
+ default = "nextcloud";
+ };
+ hostname = lib.mkOption {
+ type = lib.types.str;
+ description = "hosname that nextcloud will be hosted at";
+ default = "${config.apps.nextcloud.subdomain}.${config.apps.base_domain}";
+ };
+ };
 };
 };
@@ -155,6 +148,10 @@ in {
 "services/searx" = {
 sopsFile = "${inputs.secrets}/defiant-services.yaml";
 };
+ "services/nextcloud_adminpass" = {
+ sopsFile = "${inputs.secrets}/defiant-services.yaml";
+ owner = config.users.users.nextcloud.name;
+ };
 };
 virtualisation = {
@@ -178,7 +175,7 @@ in {
 image = config.apps.pihole.image;
 volumes = [
- "/home/pihole:/etc/pihole:rw" # TODO; set this based on configs and bond with tmpfiles.rules
+ "${config.apps.pihole.directory.data}:/etc/pihole:rw"
 "${config.sops.secrets."services/pi-hole".path}:${passwordFileLocation}"
 ];
 environment = {
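Review bot: The pi-hole data bind mount now comes from `config.apps.pihole.directory.data`, but the sops secret mounted on the next line, `"${config.sops.secrets."services/pi-hole".path}:${passwordFileLocation}"`, has no mount option and so is read-write inside the container by podman's default; a managed password file should be mounted `:ro` so the container cannot alter it: `"${config.sops.secrets."services/pi-hole".path}:${passwordFileLocation}:ro"`. The removed `TODO` about tying this path to tmpfiles is covered by the `directory.data` rule in the systemd hunk, so nothing else is needed here. The `let ... in` wrapping this container definition starts before the hunk.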
@@ -197,16 +194,12 @@ in {
 };
 };
+ # TODO: dynamic users
 systemd = {
 tmpfiles.rules = [
- "d ${config.apps.jellyfin.directory.root} 755 jellyfin jellyfin -"
- "d ${config.apps.jellyfin.directory.mediaDirectory} 2775 jellyfin jellyfin_media -" # is /home/docker/jellyfin/media on existing server
- "d ${config.apps.jellyfin.directory.dataDirectory} 2770 jellyfin jellyfin -" # is /home/docker/jellyfin/config on existing server
- "d ${config.apps.jellyfin.directory.cacheDirectory} 2750 jellyfin jellyfin -" # is /home/docker/jellyfin/cache on existing server
- "d /home/forgejo 750 forgejo forgejo -"
- "d /home/forgejo/data 750 forgejo forgejo -" # is /home/docker/forgejo on existing server
- "d /home/pihole 750 pihole pihole -" # is /home/docker/pihole on old system
- "d /home/hass 750 hass hass -" # is /home/docker/hass on old system
+ "d ${config.apps.jellyfin.mediaDirectory} 2775 jellyfin jellyfin_media -" # is /home/docker/jellyfin/media on existing server
+ "d ${config.apps.pihole.directory.root} 755 pihole pihole -" # is /home/docker/pihole on old system
+ "d ${config.apps.pihole.directory.data} 755 pihole pihole -" # is /home/docker/pihole on old system
 ];
 services = {
@@ -241,6 +234,13 @@ in {
 partOf = ["podman-compose-root.target"];
 wantedBy = ["podman-compose-root.target"];
 };
+ # nextcloud-setup = {
+ # after = ["network.target"];
+ # };
+ headscale = {
+ after = ["postgresql.service"];
+ requires = ["postgresql.service"];
+ };
 };
 # disable computer sleeping
@@ -278,18 +278,24 @@ in {
 postgresql = {
 enable = true;
- ensureDatabases = ["forgejo" "headscale"];
 ensureUsers = [
 {
 name = "postgres";
 }
 {
 name = "forgejo";
+ ensureDBOwnership = true;
 }
 {
 name = "headscale";
+ ensureDBOwnership = true;
 }
 ];
+ ensureDatabases = [
+ "forgejo"
+ "headscale"
+ # "nextcloud"
+ ];
 identMap = ''
 # ArbitraryMapName systemUser DBUser
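Review bot: The two new pi-hole rules create `directory.root` and `directory.data` with mode `755`, while the rule they replace (`"d /home/pihole 750 pihole pihole -"`) was `750`; the data directory is bind-mounted as the container's `/etc/pihole`, which is where pi-hole keeps its query database and configuration, so the widening lets every local account read DNS query history. Keeping the previous exposure is a two-line change: `"d ${config.apps.pihole.directory.root} 750 pihole pihole -"` and `"d ${config.apps.pihole.directory.data} 750 pihole pihole -"`. The new `# TODO: dynamic users` comment would be more useful if it named which of the services below it refers to. The `systemd` set continues past the hunk.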
@@ -300,13 +306,13 @@ in {
 # Client Users
 superuser_map forgejo forgejo
- # superuser_map headscale headscale
+ superuser_map headscale headscale
 '';
 # configuration here lets users access the db that matches their name and lets user postgres access everything
 authentication = pkgs.lib.mkOverride 10 ''
- # type database DBuser auth-method optional_ident_map
- local all postgres peer map=superuser_map
- local sameuser all peer map=superuser_map
+ # type database DBuser origin-address auth-method optional_ident_map
+ local all postgres peer map=superuser_map
+ local sameuser all peer map=superuser_map
 '';
 };
@@ -320,34 +326,27 @@ in {
 server_url = "https://${config.apps.headscale.hostname}";
 dns.base_domain = "clients.${config.apps.headscale.hostname}";
 logtail.enabled = true;
- # database = {
- # type = "postgres";
- # postgres = {
- # host = "localhost";
- # port = 5432;
- # user = "headscale";
- # name = "headscale";
- # };
- # };
+ database = {
+ type = "postgres";
+ postgres = {
+ host = "/run/postgresql";
+ port = config.services.postgresql.settings.port;
+ user = "headscale";
+ name = "headscale";
+ };
+ };
 };
 };
 jellyfin = {
 enable = true;
- user = "jellyfin";
- group = "jellyfin";
- dataDir = config.apps.jellyfin.directory.dataDirectory;
- cacheDir = config.apps.jellyfin.directory.cacheDirectory;
 };
 forgejo = {
 enable = true;
 database = {
 type = "postgres";
- host = "localhost";
- port = 5432;
- user = "forgejo";
- name = "forgejo";
+ socket = "/run/postgresql";
 };
 lfs.enable = true;
 settings = {
@@ -355,14 +354,11 @@ in {
 DOMAIN = config.apps.forgejo.hostname;
 HTTP_PORT = 8081;
 };
- service.DISABLE_REGISTRATION = true;
 };
- stateDir = "/home/forgejo/data";
 };
 home-assistant = {
- enable = false;
- configDir = "/home/hass";
+ enable = true;
 config.http = {
 server_port = 8082;
 use_x_forwarded_for = true;
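Review bot: The rewritten header in `authentication`, `# type database DBuser origin-address auth-method optional_ident_map`, advertises an address column, but both rules under it are `local` entries, which have no address field; someone adding a `host` rule by analogy to this header will misalign it. Keep the header to the columns actually present, `# type database DBuser auth-method optional_ident_map`, and add a separate header if `host` rules are ever introduced. The comment above says the `postgres` user can reach everything, but with `peer map=superuser_map` that only holds if the map also contains a `postgres postgres` entry, which is outside this hunk and worth confirming. The `identMap` string starts before the hunk.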
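Review bot: Dropping `service.DISABLE_REGISTRATION = true;` from the forgejo settings re-enables open self-registration on the instance (Forgejo's default for that key is `false`, and nothing else in the diff sets it), on a host that the `defiant` hunk below exposes under the `git` subdomain; unless that is intended, keep the line alongside `settings.server`: `service.DISABLE_REGISTRATION = true;`. Removing `stateDir` likewise moves forgejo state to the module default, so either the old `/home/forgejo/data` is migrated or the removal deserves a comment saying why not. The now-enabled `home-assistant` block keeps `use_x_forwarded_for = true` (context line), which is only safe with `trusted_proxies` limited to the nginx host — that setting is outside the hunk. The enclosing `services` set starts and ends outside the hunk.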
@@ -383,6 +379,16 @@ in {
 };
 };
+ # nextcloud here is built using its auto setup mysql db because it was not playing nice with postgres
+ nextcloud = {
+ enable = true;
+ package = pkgs.nextcloud30;
+ hostName = config.apps.nextcloud.hostname;
+ config = {
+ adminpassFile = config.sops.secrets."services/nextcloud_adminpass".path;
+ };
+ };
 nginx = {
 enable = true;
 virtualHosts = {
@@ -423,17 +429,21 @@ in {
 defaults.email = "jan-leila@protonmail.com";
 };
- networking.firewall.allowedTCPPorts = [
- httpPort
- httpsPort
- dnsPort
- nfsPort
- jellyfinPort
- config.services.headscale.port
- config.services.forgejo.settings.server.HTTP_PORT
- # config.services.home-assistant.config.http.server_port
- config.services.searx.settings.server.port
- ];
+ networking.firewall.allowedTCPPorts =
+ [
+ httpPort
+ httpsPort
+ dnsPort
+ nfsPort
+ ]
+ ++ (lib.optional isDebug [
+ jellyfinPort
+ config.services.headscale.port
+ config.services.forgejo.settings.server.HTTP_PORT
+ config.services.home-assistant.config.http.server_port
+ config.services.postgresql.settings.port
+ config.services.searx.settings.server.port
+ ]);
 environment.systemPackages = [
 config.services.headscale.package
diff --git a/flake.lock b/flake.lock
index 7fc8f4b..4d181fa 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
 ]
 },
 "locked": {
- "lastModified": 1729281548,
- "narHash": "sha256-MuojlSnwAJAwfhgmW8ZtZrwm2Sko4fqubCvReqbUzYw=",
+ "lastModified": 1730751873,
+ "narHash": "sha256-sdY29RWz0S7VbaoTwSy6RummdHKf0wUTaBlqPxrtvmQ=",
 "owner": "nix-community",
 "repo": "disko",
- "rev": "a6a3179ddf396dfc28a078e2f169354d0c137125",
+ "rev": "856a2902156ba304efebd4c1096dbf7465569454",
 "type": "github"
 },
 "original": {
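Review bot: The comment on the new `nextcloud` block says it uses an auto-set-up mysql database, but `config.dbtype` is never set, and if I recall the NixOS module's default for `dbtype` is `sqlite`, which Nextcloud itself only recommends for testing; setting it explicitly makes the comment and the deployment agree, e.g. `config.dbtype = "mysql";` with `database.createLocally = true;` (or `"pgsql"` once the postgres problem is sorted out). The instance sits behind the ACME-backed nginx configured just below, so `https = true;` should also be set so Nextcloud emits https URLs and redirects correctly behind the TLS terminator. The `services` set continues outside the hunk.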
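Review bot: `lib.optional isDebug [ ... ]` wraps its argument in a list, so with `isDebug = true` the expression appends `[[ jellyfinPort ... ]]` to `allowedTCPPorts`, a list of lists that the option's port-list type rejects at evaluation; the plural form takes a list, so the line should read `++ (lib.optionals isDebug [`. Because `isDebug` is `false` in the `let` hunk above, the error is currently latent and would only surface when someone flips the flag. Separately, opening `config.services.postgresql.settings.port` even in debug mode gains nothing while `authentication` contains only `local` rules, so I would drop it from the debug list rather than reach for it later. The `in { ... }` body continues past the hunk.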
@@ -61,11 +61,11 @@
 ]
 },
 "locked": {
- "lastModified": 1729551526,
- "narHash": "sha256-7LAGY32Xl14OVQp3y6M43/0AtHYYvV6pdyBcp3eoz0s=",
+ "lastModified": 1730633670,
+ "narHash": "sha256-ZFJqIXpvVKvzOVFKWNRDyIyAo+GYdmEPaYi1bZB6uf0=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "5ec753a1fc4454df9285d8b3ec0809234defb975",
+ "rev": "8f6ca7855d409aeebe2a582c6fd6b6a8d0bf5661",
 "type": "github"
 },
 "original": {
@@ -83,11 +83,11 @@
 ]
 },
 "locked": {
- "lastModified": 1729475384,
- "narHash": "sha256-x7ODafOKfxXMdgs/wPXVpmf04vOr7cJLEDWYT/TBjY0=",
+ "lastModified": 1730685024,
+ "narHash": "sha256-w0cQSTjLBaUSziPGwyI0nbWVD64+N3ByoSxC0CEZmeI=",
 "owner": "nix-community",
 "repo": "nix-vscode-extensions",
- "rev": "77a421d6c7ea09381c7e33d90c3017c9727dfbc3",
+ "rev": "16ca007ec37c29a8b97e4899f33c013defbdb2f9",
 "type": "github"
 },
 "original": {
@@ -98,11 +98,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1729509737,
- "narHash": "sha256-8OHgqz+tFo21h3hg4/GHizFPws+MMzpEru/+62Z0E8c=",
+ "lastModified": 1730537918,
+ "narHash": "sha256-GJB1/aaTnAtt9sso/EQ77TAGJ/rt6uvlP0RqZFnWue8=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "cc2d3c0e060f981905d52337340ee6ec8b8eb037",
+ "rev": "f6e0cd5c47d150c4718199084e5764f968f1b560",
 "type": "github"
 },
 "original": {
@@ -114,11 +114,9 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1729256560,
- "narHash": "sha256-/uilDXvCIEs3C9l73JTACm4quuHUsIHcns1c+cHUJwA=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "4c2fcb090b1f3e5b47eaa7bd33913b574a11e0a0",
+ "rev": "6eef3d72452247a6d9baafe05cffc1c9bc93f1c4",
 "type": "github"
 },
 "original": {
@@ -130,11 +128,11 @@
 },
 "nixpkgs-stable": {
 "locked": {
- "lastModified": 1729357638,
- "narHash": "sha256-66RHecx+zohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4=",
+ "lastModified": 1730602179,
+ "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "bb8c2cf7ea0dd2e18a52746b2c3a5b0c73b93c22",
+ "rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
 "type": "github"
 },
 "original": {
@@ -158,11 +156,11 @@
 "secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1729353554,
- "narHash": "sha256-mLf7siPN9HtpZIZZA1eubwNTyVsIS/kHzWvJ+oX88xU=",
+ "lastModified": 1730665670,
+ "narHash": "sha256-MMwH5IcaslEWqeHaNqSjAsGWoS2NJ5qiIE7RLiJG+28=",
 "ref": "main",
- "rev": "73b4f304d4445e8ce53f395e78289f264753efeb",
- "revCount": 3,
+ "rev": "ef623d6a9e25c1f0ec9d282ab5ed5dff54674816",
+ "revCount": 6,
 "type": "git",
 "url": "https://git.jan-leila.com/jan-leila/nix-config-secrets"
 },
@@ -180,11 +178,11 @@
 "nixpkgs-stable": "nixpkgs-stable"
 },
 "locked": {
- "lastModified": 1729394972,
- "narHash": "sha256-fADlzOzcSaGsrO+THUZ8SgckMMc7bMQftztKFCLVcFI=",
+ "lastModified": 1730746162,
+ "narHash": "sha256-ZGmI+3AbT8NkDdBQujF+HIxZ+sWXuyT6X8B49etWY2g=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "c504fd7ac946d7a1b17944d73b261ca0a0b226a5",
+ "rev": "59d6988329626132eaf107761643f55eb979eef1",
 "type": "github"
 },
 "original": {
diff --git a/hosts/defiant/configuration.nix b/hosts/defiant/configuration.nix
index 07017bd..76dba60 100644
--- a/hosts/defiant/configuration.nix
+++ b/hosts/defiant/configuration.nix
@@ -1,6 +1,5 @@
 # server nas
 {
- config,
 pkgs,
 inputs,
 ...
@@ -47,6 +46,9 @@
 forgejo = {
 subdomain = "git";
 };
+ nextcloud = {
+ subdomain = "drive";
+ };
 };
 services = {