diff --git a/README.md b/README.md index 9a1c362..448c91d 100644 --- a/README.md +++ b/README.md @@ -50,7 +50,6 @@ nix multi user, multi system, configuration with `sops` secret management, `home - monitor configuration in `~/.config/monitors.xml` should be sym linked to `/run/gdm/.config/monitors.xml` (https://www.reddit.com/r/NixOS/comments/u09cz9/home_manager_create_my_own_symlinks_automatically/) - syncthing folders should just be enabled per devices and then combined with "extraDevices" to give final folder configurations - syncthing folder passwords -- nfs export should be backed by the same values for server and client - move fail2ban configs out of fail2ban.nix and into configs for their respective services - nginx config should be reworked to give a list of subdomains and then the config information to apply to each proxy ## New Features diff --git a/configurations/home-manager/leyla/firefox.nix b/configurations/home-manager/leyla/firefox.nix index 59450c4..3f6a09c 100644 --- a/configurations/home-manager/leyla/firefox.nix +++ b/configurations/home-manager/leyla/firefox.nix @@ -261,7 +261,14 @@ bookmarks = [ { name = "Media"; - url = "https://media.jan-leila.com/"; + url = "https://jellyfin.jan-leila.com/"; + # url = "https://media.jan-leila.com/"; + keyword = ""; + tags = [""]; + } + { + name = "Drive"; + url = "https://drive.jan-leila.com/"; keyword = ""; tags = [""]; } @@ -273,7 +280,7 @@ } { name = "Home Automation"; - url = "https://home.jan-leila.com/"; + url = "https://home-assistant.jan-leila.com/"; keyword = ""; tags = [""]; } diff --git a/configurations/nixos/defiant/configuration.nix b/configurations/nixos/defiant/configuration.nix index 3923715..f70a15d 100644 --- a/configurations/nixos/defiant/configuration.nix +++ b/configurations/nixos/defiant/configuration.nix 
@@ -55,18 +55,18 @@ enable = true; directories = [ { - folder = "leyla_documents"; + folder = "leyla"; user = "leyla"; group = "leyla"; bind = "/home/leyla/documents"; } { - folder = "eve_documents"; + folder = "eve"; user = "eve"; group = "eve"; } { - folder = "users_documents"; + folder = "users"; user = "root"; group = "users"; } @@ -79,7 +79,7 @@ ]; nfs = { enable = true; - directories = ["leyla_documents" "eve_documents" "users_documents" "media"]; + directories = ["leyla" "eve"]; }; }; reverse_proxy = { @@ -114,6 +114,10 @@ adguardhome = { enable = false; }; + nextcloud = { + enable = false; + subdomain = "drive"; + }; sync = { enable = true; folders = { diff --git a/configurations/nixos/horizon/hardware-configuration.nix b/configurations/nixos/horizon/hardware-configuration.nix index 65c2aa2..cb72d55 100644 --- a/configurations/nixos/horizon/hardware-configuration.nix +++ b/configurations/nixos/horizon/hardware-configuration.nix @@ -39,19 +39,19 @@ }; "/mnt/leyla_documents" = { - device = "defiant:/exports/leyla_documents"; + device = "defiant:/exports/leyla"; fsType = "nfs"; options = ["x-systemd.automount" "user" "noatime" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"]; }; "/mnt/eve_documents" = { - device = "defiant:/exports/eve_documents"; + device = "defiant:/exports/eve"; fsType = "nfs"; options = ["x-systemd.automount" "user" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"]; }; "/mnt/users_documents" = { - device = "defiant:/exports/users_documents"; + device = "defiant:/exports/users"; fsType = "nfs"; options = ["x-systemd.automount" "user" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"]; }; @@ -59,7 +59,7 @@ "/mnt/media" = { device = "defiant:/exports/media"; fsType = "nfs"; - options = ["user" "noatime" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"]; + options = ["x-systemd.automount" "noauto" "user" "noatime" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"]; }; }; 
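Review bot: The new `directories = ["leyla" "eve"];` in the nfs block drops the `users` and `media` exports, yet the horizon hardware-configuration hunks in this same commit still mount `defiant:/exports/users` and `defiant:/exports/media`, so those two mounts can no longer be served (`nofail`/`soft` will hide the failure at boot and leave empty mount points). Either keep them exported, `directories = ["leyla" "eve" "users" "media"];`, or remove the corresponding `/mnt/users_documents` and `/mnt/media` entries on horizon. The README hunk deletes the TODO about keeping server and client NFS values in sync, but this commit still hard-codes the folder names independently on both sides, so that item looks unfinished rather than done. The enclosing `host.network_storage` block starts outside the hunk.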
diff --git a/configurations/syncthing/default.nix b/configurations/syncthing/default.nix
deleted file mode 100644
index bc557eb..0000000
--- a/configurations/syncthing/default.nix
+++ /dev/null
@@ -1,95 +0,0 @@ -{config, ...}: { - folders = { - leyla_documents = { - id = "hvrj0-9bm1p"; - }; - leyla_calendar = { - id = "8oatl-1rv6w"; - }; - leyla_notes = { - id = "dwbuv-zffnf"; - }; - share = { - id = "73ot0-cxmkx"; - }; - }; - devices = { - defiant = { - id = "3R6E6Y4-2F7MF2I-IGB4WE6-A3SQSMV-LIBYSAM-2OXHHU2-KJ6CGIV-QNMCPAR"; - folders = { - leyla_documents = { - folder = config.folders.leyla_documents; - path = "/mnt/sync/leyla/documents"; - }; - leyla_calendar = { - folder = config.folders.leyla_calendar; - path = "/mnt/sync/leyla/calendar"; - }; - leyla_notes = { - folder = config.folders.leyla_notes; - path = "/mnt/sync/leyla/notes"; - }; - share = { - folder = config.folders.share; - path = "/mnt/sync/default/share"; - }; - }; - }; - twilight = { - id = "UDIYL7V-OAZ2BI3-EJRAWFB-GZYVDWR-JNUYW3F-FFQ35MU-XBTGWEF-QD6K6QN"; - folders = { - leyla_documents = { - folder = config.folders.leyla_documents; - path = "/mnt/sync/leyla/documents"; - }; - share = { - folder = config.folders.share; - path = "/mnt/sync/default/share"; - }; - }; - }; - horizon = { - id = "OGPAEU6-5UR56VL-SP7YC4Y-IMVCRTO-XFD4CYN-Z6T5TZO-PFZNAT6-4MKWPQS"; - folders = { - leyla_documents = { - folder = config.folders.leyla_documents; - path = "/mnt/sync/leyla/documents"; - }; - share = { - folder = config.folders.share; - path = "/mnt/sync/default/share"; - }; - }; - }; - coven = { - id = "QGU7NN6-OMXTWVA-YCZ73S5-2O7ECTS-MUCTN4M-YH6WLEL-U4U577I-7PBNCA5"; - folders = { - share = { - folder = config.folders.share; - }; - }; - }; - ceder = { - id = "MGXUJBS-7AENXHB-7YQRNWG-QILKEJD-5462U2E-WAQW4R4-I2TVK5H-SMK6LAA"; - folders = { - share = { - folder = config.folders.share; - }; - leyla_calendar = { - folder = config.folders.leyla_calendar; - }; - leyla_notes = { - folder = config.folders.leyla_notes; - }; - }; - }; - shale = { - id = "AOAXEVD-QJ2IVRA-6G44Q7Q-TGUPXU2-FWWKOBH-DPKWC5N-LBAEHWJ-7EQF4AM"; - folders = { - share = { - folder = config.folders.share; - }; - }; - }; - }; -} 
diff --git a/flake.lock b/flake.lock index 11bbff8..ce9b77d 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1741786315, - "narHash": "sha256-VT65AE2syHVj6v/DGB496bqBnu1PXrrzwlw07/Zpllc=", + "lastModified": 1740485968, + "narHash": "sha256-WK+PZHbfDjLyveXAxpnrfagiFgZWaTJglewBWniTn2Y=", "owner": "nix-community", "repo": "disko", - "rev": "0d8c6ad4a43906d14abd5c60e0ffe7b587b213de", + "rev": "19c1140419c4f1cdf88ad4c1cfb6605597628940", "type": "github" }, "original": { @@ -29,11 +29,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1741838604, - "narHash": "sha256-ytHdrfSbbPvla43Ykd61cVkS2JLA8wBEHcnf4yLFP7Y=", + "lastModified": 1741233805, + "narHash": "sha256-aNmlbxeKPUfuOynHvIMBPrNgEs1ldHDIz1wbkitKDSs=", "owner": "rycee", "repo": "nur-expressions", - "rev": "e41884886e7798003973f487f37b979ee92f7d99", + "rev": "a1cc22e90f45f6075a991348e896f1595c4efce9", "type": "gitlab" }, "original": { @@ -58,6 +58,22 @@ "type": "github" } }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-utils": { "locked": { "lastModified": 1629284811, @@ -131,11 +147,11 @@ ] }, "locked": { - "lastModified": 1741791118, - "narHash": "sha256-4Y427uj0eql4yRU5rely3EcOlB9q457UDbG9omPtXiA=", + "lastModified": 1741217763, + "narHash": "sha256-g/TrltIjFHIjtzKY5CJpoPANfHQWDD43G5U1a/v5oVg=", "owner": "nix-community", "repo": "home-manager", - "rev": "18780912345970e5b546b1b085385789b6935a83", + "rev": "486b066025dccd8af7fbe5dd2cc79e46b88c80da", "type": "github" }, "original": { 
@@ -201,11 +217,11 @@ ] }, "locked": { - "lastModified": 1741794429, - "narHash": "sha256-4J46D8sOZ3UroVyGYKYMU3peq9gv0tjRX0KbZihWhhw=", + "lastModified": 1741229100, + "narHash": "sha256-0HwrTDXp9buEwal/1ymK9uQmzUD5ozIA7CJGqnT/gLs=", "owner": "LnL7", "repo": "nix-darwin", - "rev": "2fb6b09b678a1ab258cf88e3ea4a966edceec6a8", + "rev": "adf5c88ba1fe21af5c083b4d655004431f20c5ab", "type": "github" }, "original": { @@ -214,40 +230,20 @@ "type": "github" } }, - "nix-syncthing": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1741849924, - "narHash": "sha256-5vyb1H6HtW24QVqfI56P4QVQP6vHh1jS9ULwnunCO94=", - "ref": "main", - "rev": "86bcb200c83b6a5d13b3583126b9d8dc6770613a", - "revCount": 6, - "type": "git", - "url": "https://git.jan-leila.com/jan-leila/nix-syncthing" - }, - "original": { - "ref": "main", - "type": "git", - "url": "https://git.jan-leila.com/jan-leila/nix-syncthing" - } - }, "nix-vscode-extensions": { "inputs": { + "flake-compat": "flake-compat_2", "flake-utils": "flake-utils_3", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1741830545, - "narHash": "sha256-SzbDILDATgMCYk2SxPYLCBVdT6mHtlyeYZDn2SZaIuU=", + "lastModified": 1740275623, + "narHash": "sha256-LQ9hq3hKwWqm+dzBhgsIkr2KO6Bb0aU+yO/TtI7hXXo=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "28318c164b39b70a14851aed7ad0ea7f03ca417e", + "rev": "35ff5dce04469e7b4e56a9d997e5201bfce52ae3", "type": "github" }, "original": { @@ -258,11 +254,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1741792691, - "narHash": "sha256-f0BVt1/cvA0DQ/q3rB+HY4g4tKksd03ZkzI4xehC2Ew=", + "lastModified": 1740646007, + "narHash": "sha256-dMReDQobS3kqoiUCQIYI9c0imPXRZnBubX20yX/G5LE=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "e1f12151258b12c567f456d8248e4694e9390613", + "rev": "009b764ac98a3602d41fc68072eeec5d24fc0e49", "type": "github" }, "original": { 
@@ -274,11 +270,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1741513245, - "narHash": "sha256-7rTAMNTY1xoBwz0h7ZMtEcd8LELk9R5TzBPoHuhNSCk=", + "lastModified": 1741173522, + "narHash": "sha256-k7VSqvv0r1r53nUI/IfPHCppkUAddeXn843YlAC5DR0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "e3e32b642a31e6714ec1b712de8c91a3352ce7e1", + "rev": "d69ab0d71b22fa1ce3dbeff666e6deb4917db049", "type": "github" }, "original": { @@ -297,7 +293,6 @@ "impermanence": "impermanence", "lix-module": "lix-module", "nix-darwin": "nix-darwin", - "nix-syncthing": "nix-syncthing", "nix-vscode-extensions": "nix-vscode-extensions", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", @@ -328,11 +323,11 @@ ] }, "locked": { - "lastModified": 1741644481, - "narHash": "sha256-E0RrMykMtEv15V3QhpsFutgoSKhL1JBhidn+iZajOyg=", + "lastModified": 1741043164, + "narHash": "sha256-9lfmSZLz6eq9Ygr6cCmvQiiBEaPb54pUBcjvbEMPORc=", "owner": "Mic92", "repo": "sops-nix", - "rev": "e653d71e82575a43fe9d228def8eddb73887b866", + "rev": "3f2412536eeece783f0d0ad3861417f347219f4d", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 8c64e2b..f36ee44 100644 --- a/flake.nix +++ b/flake.nix @@ -22,12 +22,6 @@ flake = false; }; - # common config for syncthing - nix-syncthing = { - url = "git+https://git.jan-leila.com/jan-leila/nix-syncthing?ref=main"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - # disk configurations disko = { url = "github:nix-community/disko"; @@ -77,7 +71,6 @@ self, nixpkgs, sops-nix, - nix-syncthing, home-manager, impermanence, ... @@ -89,7 +82,6 @@ mkNixosSystem = util.mkNixosSystem; mkDarwinSystem = util.mkDarwinSystem; mkHome = util.mkHome; - syncthingConfiguration = util.syncthingConfiguration; installerSystems = { basic = mkNixosInstaller "basic" []; @@ -159,7 +151,5 @@ darwinConfigurations = darwinSystems; homeConfigurations = homeConfigurations; - - syncthingConfiguration = syncthingConfiguration; }; } 
diff --git a/modules/nixos-modules/server/default.nix b/modules/nixos-modules/server/default.nix index 8854936..a031b0d 100644 --- a/modules/nixos-modules/server/default.nix +++ b/modules/nixos-modules/server/default.nix @@ -10,5 +10,6 @@ ./searx.nix ./home-assistant.nix ./adguardhome.nix + ./nextcloud.nix ]; } diff --git a/modules/nixos-modules/server/fail2ban.nix b/modules/nixos-modules/server/fail2ban.nix index cd2a978..2f6dc58 100644 --- a/modules/nixos-modules/server/fail2ban.nix +++ b/modules/nixos-modules/server/fail2ban.nix @@ -1,6 +1,5 @@ { lib, - pkgs, config, ... }: let @@ -13,41 +12,6 @@ in { config = lib.mkIf config.host.fail2ban.enable (lib.mkMerge [ { - environment.etc = { - "fail2ban/filter.d/nginx.local".text = lib.mkIf config.services.nginx.enable ( - pkgs.lib.mkDefault (pkgs.lib.mkAfter '' - [Definition] - failregex = "limiting requests, excess:.* by zone.*client: " - '') - ); - "fail2ban/filter.d/jellyfin.local".text = lib.mkIf config.services.jellyfin.enable ( - pkgs.lib.mkDefault (pkgs.lib.mkAfter '' - [Definition] - failregex = "^.*Authentication request for .* has been denied \\\(IP: \"\"\\\)\\\." - '') - ); - "fail2ban/filter.d/forgejo.local".text = lib.mkIf config.services.forgejo.enable ( - pkgs.lib.mkDefault (pkgs.lib.mkAfter '' - [Definition] - failregex = ".*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from " - '') - ); - "fail2ban/filter.d/hass.local".text = lib.mkIf config.services.home-assistant.enable ( - pkgs.lib.mkDefault (pkgs.lib.mkAfter '' - [INCLUDES] - before = common.conf - - [Definition] - failregex = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from .*$ - - ignoreregex = - - [Init] - datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S - '') - ); - }; - services.fail2ban = { enable = true; maxretry = 5; 
@@ -70,40 +34,54 @@ in { }; jails = { nginx-iptables.settings = lib.mkIf config.services.nginx.enable { - enabled = true; filter = "nginx"; action = ''iptables-multiport[name=HTTP, port="http,https"]''; backend = "auto"; + failregex = "limiting requests, excess:.* by zone.*client: "; findtime = 600; bantime = 600; maxretry = 5; }; jellyfin-iptables.settings = lib.mkIf config.services.jellyfin.enable { - enabled = true; filter = "jellyfin"; action = ''iptables-multiport[name=HTTP, port="http,https"]''; logpath = "${config.services.jellyfin.dataDir}/log/*.log"; backend = "auto"; + failregex = "^.*Authentication request for .* has been denied \\\(IP: \"\"\\\)\\\."; + findtime = 600; + bantime = 600; + maxretry = 5; + }; + nextcloud-iptables.settings = lib.mkIf config.services.nextcloud.enable { + filter = "nextcloud"; + action = ''iptables-multiport[name=HTTP, port="http,https"]''; + logpath = "${config.services.nextcloud.datadir}/*.log"; + backend = "auto"; + failregex = '' + ^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: ''\)","level":2,"time":".*"}$ + ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user,:".*","app":"no app in context".*","method":".*","message":"Login failed: '.*' \(Remote IP: ''\)".*}$ + ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*","app":".*","method":".*","url":".*","message":"Login failed: .* \(Remote IP: \).*}$ + ''; findtime = 600; bantime = 600; maxretry = 5; }; forgejo-iptables.settings = lib.mkIf config.services.forgejo.enable { - enabled = true; filter = "forgejo"; action = ''iptables-multiport[name=HTTP, port="http,https"]''; logpath = "${config.services.forgejo.stateDir}/log/*.log"; backend = "auto"; + failregex = ".*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from "; findtime = 600; bantime = 600; maxretry = 5; }; home-assistant-iptables.settings = lib.mkIf config.services.home-assistant.enable { - enabled = true; - filter 
= "hass"; + filter = "home-assistant"; action = ''iptables-multiport[name=HTTP, port="http,https"]''; logpath = "${config.services.home-assistant.configDir}/*.log"; backend = "auto"; + failregex = "^%(__prefix_line)s.*Login attempt or request with invalid authentication from .*$"; findtime = 600; bantime = 600; maxretry = 5; diff --git a/modules/nixos-modules/server/home-assistant.nix b/modules/nixos-modules/server/home-assistant.nix index 01423e6..5c4b81f 100644 --- a/modules/nixos-modules/server/home-assistant.nix +++ b/modules/nixos-modules/server/home-assistant.nix @@ -1,9 +1,11 @@ { lib, + pkgs, config, ... }: let configDir = "/var/lib/hass"; + db_user = "hass"; in { options.host.home-assistant = { enable = lib.mkEnableOption "should home-assistant be enabled on this computer"; @@ -21,6 +23,13 @@ in { ]; services.home-assistant = { enable = true; + package = + (pkgs.home-assistant.override { + extraPackages = py: with py; [psycopg2]; + }) + .overrideAttrs (oldAttrs: { + doInstallCheck = false; + }); configDir = configDir; extraComponents = [ "met" @@ -34,6 +43,7 @@ in { "sonos" "analytics_insights" "unifi" + "minecraft_server" "openweathermap" ]; config = { @@ -44,17 +54,21 @@ in { ip_ban_enabled = true; login_attempts_threshold = 10; }; - # recorder.db_url = "postgresql://@/${db_user}"; + recorder.db_url = "postgresql://@/${db_user}"; "automation manual" = []; "automation ui" = "!include automations.yaml"; }; extraPackages = python3Packages: with python3Packages; [ - hassil numpy gtts ]; }; + systemd.services.home-assistant = { + requires = [ + "postgresql.service" + ]; + }; host = { reverse_proxy.subdomains.${config.host.home-assistant.subdomain} = { target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}"; 
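Review bot: Every jail in this hunk still sets `filter = "nginx"`, `"jellyfin"`, `"nextcloud"`, `"forgejo"` or `"home-assistant"` while the earlier hunk (`@@ -13,41 +12,6 @@`) deletes the `filter.d/*.local` files those names resolved to; unless filters with exactly those names ship in fail2ban's stock `filter.d`, each jail will fail to load with an unreadable-filter error even though `failregex` is now given inline. Dropping the `filter = …;` line from each jail lets the inline `failregex` stand on its own, which is what fail2ban expects when a jail carries its own regex. The home-assistant jail also keeps `%(__prefix_line)s` in its `failregex`, but that variable came from the removed `before = common.conf` include and is not defined in a jail section, so the interpolation will most likely fail at load time; either expand the prefix inline or keep a filter file for that one jail. The `enabled = true;` removals are only safe if the NixOS module's per-jail `enabled` option defaults to true — worth confirming before deploying, since a jail that silently stays disabled is the worst failure mode here.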
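Review bot: `systemd.services.home-assistant.requires = ["postgresql.service"];` pulls postgres in but `Requires=` alone imposes no ordering, so home-assistant can start before the database accepts connections and the recorder will fail on first boot; add `after = ["postgresql.service"];` next to it. The new `recorder.db_url = "postgresql://@/${db_user}"` relies on peer authentication over the unix socket, which only works if the service runs as a system user whose name matches `db_user` — that user name is not visible in this hunk, so confirm it. `doInstallCheck = false` in the package override silently skips the package's test phase; a one-line comment stating why (presumably the psycopg2 extra breaks the check) would keep the next maintainer from re-enabling it blind.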
@@ -75,6 +89,20 @@ in { proxy_read_timeout 90; ''; }; + postgres = { + enable = true; + extraUsers = { + ${db_user} = { + isClient = true; + createUser = true; + }; + }; + extraDatabases = { + ${db_user} = { + name = db_user; + }; + }; + }; }; } (lib.mkIf config.host.impermanence.enable { diff --git a/modules/nixos-modules/server/jellyfin.nix b/modules/nixos-modules/server/jellyfin.nix index e3eb986..ba58fe9 100644 --- a/modules/nixos-modules/server/jellyfin.nix +++ b/modules/nixos-modules/server/jellyfin.nix @@ -38,6 +38,8 @@ in { extraConfig = '' client_max_body_size 20M; add_header X-Content-Type-Options "nosniff"; + add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'"; + add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; 
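Review bot: The new `add_header Content-Security-Policy "…";` is emitted without `always`, while the `Permissions-Policy` line directly below it has `always`; nginx only sends non-`always` headers on 2xx/3xx responses, so error pages returned through the proxy leave without a CSP. Make the two consistent: `add_header Content-Security-Policy "…" always;`. The same two header lines are pasted verbatim into the second location block in the next hunk (`@@ -57,6 +59,8 @@`); hoisting the policy strings into a `let` binding in this file would keep the copies from drifting apart. `default-src https: data: blob:` together with `script-src 'unsafe-inline'` leaves the policy fairly permissive — reasonable if that is what the upstream Jellyfin web client requires, but a comment naming where this policy came from would document the tradeoff.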
@@ -57,6 +59,8 @@ in { extraConfig = '' client_max_body_size 20M; add_header X-Content-Type-Options "nosniff"; + add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'"; + add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; diff --git a/modules/nixos-modules/server/network_storage/nfs.nix b/modules/nixos-modules/server/network_storage/nfs.nix index b398582..9aaab39 100644 --- a/modules/nixos-modules/server/network_storage/nfs.nix +++ b/modules/nixos-modules/server/network_storage/nfs.nix 
@@ -38,18 +38,15 @@ services.nfs.server = { enable = true; exports = lib.strings.concatLines ( - [ - "/export 100.64.0.0/10(rw,fsid=0,no_subtree_check)" - ] - ++ (builtins.map ( - directory: "${directory._directory} 100.64.0.0/10(rw,nohide,sync,no_subtree_check,crossmnt)" + lib.lists.imap0 ( + i: directory: "${directory._directory} 100.64.0.0/10(rw,sync,no_subtree_check,crossmnt,fsid=${builtins.toString i})" + ) + ( + builtins.filter ( + directory: lib.lists.any (target: target == directory.folder) config.host.network_storage.nfs.directories ) - ( - builtins.filter ( - directory: lib.lists.any (target: target == directory.folder) config.host.network_storage.nfs.directories - ) - config.host.network_storage.directories - )) + config.host.network_storage.directories + ) ); }; networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = [ diff --git a/modules/nixos-modules/server/nextcloud.nix b/modules/nixos-modules/server/nextcloud.nix new file mode 100644 index 0000000..ada61dd --- /dev/null +++ b/modules/nixos-modules/server/nextcloud.nix 
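Review bot: `fsid=${builtins.toString i}` with `lib.lists.imap0` assigns the first exported directory `fsid=0`, and in exports(5) `fsid=0` designates the NFSv4 pseudo-filesystem root, so NFSv4 clients will see that one directory as `/` and mounts of the other `defiant:/exports/<name>` paths will not resolve as written. Use `lib.lists.imap1` so fsids start at 1, or keep the previous explicit `/export … fsid=0` root line in front of the per-directory entries. The fsid now also depends on the directory's position in the filtered list, so adding or reordering an entry renumbers the others and clients holding open handles get stale-handle errors; an explicit per-directory fsid option (or one derived stably from the folder name) would be more robust. The per-directory line also lost `nohide`; confirm that `crossmnt` alone still exposes any child mounts under these exports.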
@@ -0,0 +1,69 @@ +{ + lib, + pkgs, + config, + inputs, + ... +}: let + dataDir = "/var/lib/nextcloud"; +in { + options.host.nextcloud = { + enable = lib.mkEnableOption "should nextcloud be enabled on this computer"; + subdomain = lib.mkOption { + type = lib.types.str; + description = "subdomain of base domain that nextcloud will be hosted at"; + default = "nextcloud"; + }; + }; + + config = lib.mkIf config.host.nextcloud.enable (lib.mkMerge [ + { + sops.secrets = { + "services/nextcloud_adminpass" = { + sopsFile = "${inputs.secrets}/defiant-services.yaml"; + owner = config.users.users.nextcloud.name; + }; + }; + + host = { + reverse_proxy.subdomains.${config.host.nextcloud.subdomain} = { + target = "http://localhost:${toString 8009}"; + }; + }; + + services = { + nextcloud = { + enable = true; + package = pkgs.nextcloud31; + hostName = "${config.host.nextcloud.subdomain}.${config.host.reverse_proxy.hostname}"; + settings.log_type = "file"; + config = { + adminpassFile = config.sops.secrets."services/nextcloud_adminpass".path; + adminuser = "admin"; + dbtype = "sqlite"; + }; + }; + }; + } + (lib.mkIf config.host.impermanence.enable { + assertions = [ + { + assertion = config.services.nextcloud.datadir == dataDir; + message = "nextcloud data directory does not match persistence"; + } + ]; + + environment.persistence."/persist/system/root" = { + enable = true; + hideMounts = true; + directories = [ + { + directory = dataDir; + user = "nextcloud"; + group = "nextcloud"; + } + ]; + }; + }) + ]); +} diff --git a/modules/nixos-modules/sync.nix b/modules/nixos-modules/sync.nix index e185781..516e141 100644 --- a/modules/nixos-modules/sync.nix +++ b/modules/nixos-modules/sync.nix @@ -1,7 +1,6 @@ { config, lib, - outputs, ... }: let mountDir = "/mnt/sync"; 
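Review bot: `target = "http://localhost:${toString 8009}"` assumes Nextcloud's nginx vhost listens on 8009, but nothing in this file configures `services.nginx.virtualHosts.${config.services.nextcloud.hostName}.listen`, and the NixOS nextcloud module's vhost binds the standard ports by default, so the reverse proxy will most likely hit nothing unless that listen block is set elsewhere. Because all traffic arrives through the local proxy, Nextcloud also needs `settings.trusted_proxies = ["127.0.0.1"];` (and typically `settings.overwriteprotocol = "https";`) to log the real client address; without it the `Login failed … Remote IP` lines that the new fail2ban jail matches carry the proxy's address and the jail bans nothing useful. `toString 8009` on a literal is redundant — bind the port once in the `let` block next to `dataDir` and reuse it for both the target and the listen address. `dbtype = "sqlite"` deserves a short comment stating it is a deliberate choice, given that the home-assistant hunk in this same commit moves that service onto postgres.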
@@ -60,24 +59,97 @@ in { configDir = configDir; overrideDevices = true; overrideFolders = true; - configuration = outputs.syncthingConfiguration; - deviceName = config.networking.hostName; + settings = { + devices = { + ceder = { + id = "MGXUJBS-7AENXHB-7YQRNWG-QILKEJD-5462U2E-WAQW4R4-I2TVK5H-SMK6LAA"; + }; + coven = { + id = "QGU7NN6-OMXTWVA-YCZ73S5-2O7ECTS-MUCTN4M-YH6WLEL-U4U577I-7PBNCA5"; + }; + defiant = lib.mkIf (config.networking.hostName != "defiant") { + id = "3R6E6Y4-2F7MF2I-IGB4WE6-A3SQSMV-LIBYSAM-2OXHHU2-KJ6CGIV-QNMCPAR"; + }; + twilight = lib.mkIf (config.networking.hostName != "twilight") { + id = "UDIYL7V-OAZ2BI3-EJRAWFB-GZYVDWR-JNUYW3F-FFQ35MU-XBTGWEF-QD6K6QN"; + }; + horizon = lib.mkIf (config.networking.hostName != "horizon") { + id = "OGPAEU6-5UR56VL-SP7YC4Y-IMVCRTO-XFD4CYN-Z6T5TZO-PFZNAT6-4MKWPQS"; + }; + shale = { + id = "AOAXEVD-QJ2IVRA-6G44Q7Q-TGUPXU2-FWWKOBH-DPKWC5N-LBAEHWJ-7EQF4AM"; + }; + }; + folders = let + ceder = "ceder"; + coven = "coven"; + shale = "shale"; + defiant = lib.mkIf (config.networking.hostName != "defiant") "defiant"; + twilight = lib.mkIf (config.networking.hostName != "twilight") "twilight"; + horizon = lib.mkIf (config.networking.hostName != "horizon") "horizon"; + in + lib.mkMerge [ + config.host.sync.folders.extraFolders + (lib.mkIf config.host.sync.folders.leyla.documents.enable { + "documents" = { + id = "hvrj0-9bm1p"; + path = "${mountDir}/leyla/documents"; + devices = [ + defiant + ceder + coven + twilight + horizon + ]; + }; + }) + (lib.mkIf config.host.sync.folders.share.calendar.enable { + "calendar" = { + id = "8oatl-1rv6w"; + path = "${mountDir}/default/calendar"; + devices = [ + defiant + ceder + shale + ]; + }; + }) + (lib.mkIf config.host.sync.folders.leyla.notes.enable { + "notes" = { + id = "dwbuv-zffnf"; + path = "${mountDir}/leyla/notes"; + devices = [ + defiant + ceder + ]; + }; + }) + (lib.mkIf config.host.sync.folders.share.enable { + "share" = { + id = "73ot0-cxmkx"; + path = 
"${mountDir}/default/share"; + devices = [ + defiant + ceder + coven + twilight + horizon + shale + ]; + }; + }) + ]; + }; }; } (lib.mkIf config.host.impermanence.enable { - assertions = - [ - { - assertion = config.services.syncthing.configDir == configDir; - message = "syncthing config dir does not match persistence"; - } - ] - ++ lib.attrsets.mapAttrsToList (_: folder: { - assertion = lib.strings.hasPrefix mountDir folder.path; - message = "syncthing folder ${folder.label} is stored at ${folder.path} which not under the persisted path of ${mountDir}"; - }) - config.services.syncthing.folders; + assertions = [ + { + assertion = config.services.syncthing.configDir == configDir; + message = "syncthing config dir does not match persistence"; + } + ]; environment.persistence = { "/persist/system/root" = { enable = true; diff --git a/util/default.nix b/util/default.nix index 028212c..cdc0caa 100644 --- a/util/default.nix +++ b/util/default.nix @@ -7,7 +7,6 @@ home-manager = inputs.home-manager; nix-darwin = inputs.nix-darwin; sops-nix = inputs.sops-nix; - nix-syncthing = inputs.nix-syncthing; disko = inputs.disko; impermanence = inputs.impermanence; lix-module = inputs.lix-module; @@ -74,7 +73,6 @@ in { system-modules ++ [ sops-nix.nixosModules.sops - nix-syncthing.nixosModules.syncthing impermanence.nixosModules.impermanence home-manager.nixosModules.home-manager disko.nixosModules.disko @@ -109,10 +107,4 @@ in { ../configurations/home-manager/${user} ]; }; - - syncthingConfiguration = nix-syncthing.lib.syncthingConfiguration { - modules = [ - (import ../configurations/syncthing) - ]; - }; }
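Review bot: In the `folders` `let` block, `defiant`, `twilight` and `horizon` are bound to `lib.mkIf (…) "…"` and then used as elements of the `devices` lists; the module system only resolves `mkIf` when it is an attribute value, so on the host whose own name matches, the list holds an `{ _type = "if"; … }` attrset instead of a string and `settings.folders.<name>.devices` (a list of strings) fails its type check. Filtering the local host out of a plain list avoids the problem, e.g. `others = lib.lists.remove config.networking.hostName;` and `devices = others ["defiant" "ceder" "coven" "twilight" "horizon"];`. The `lib.mkIf` guards on the entries of the `devices` attrset above are fine as written, since there they are attribute values. The hunk also drops the assertion that every syncthing folder path lies under `${mountDir}`; with `config.host.sync.folders.extraFolders` still merged in from user configuration, that check protected the impermanence persistence and is worth keeping at least for the extra folders.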