jan-leila/nix-config
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: jan-leila:395a25eff1e6647c2bfe6e2348ab15800b4dc8f3
Branches Tags
jan-leila:main
jan-leila:469ba567
..
compare: jan-leila:7b9b394ad26fa67fe50acdf1cde582f29805c3df
Branches Tags
jan-leila:main
jan-leila:469ba567

No commits in common. "395a25eff1e6647c2bfe6e2348ab15800b4dc8f3" and "7b9b394ad26fa67fe50acdf1cde582f29805c3df" have entirely different histories.
395a25eff1 ... 7b9b394ad2

15 changed files with 280 additions and 239 deletions
Show stats Expand all files Collapse all files

1
README.md
View file

@ -50,7 +50,6 @@ nix multi user, multi system, configuration with `sops` secret management, `home
- monitor configuration in `~/.config/monitors.xml` should be sym linked to `/run/gdm/.config/monitors.xml` (https://www.reddit.com/r/NixOS/comments/u09cz9/home_manager_create_my_own_symlinks_automatically/) - monitor configuration in `~/.config/monitors.xml` should be sym linked to `/run/gdm/.config/monitors.xml` (https://www.reddit.com/r/NixOS/comments/u09cz9/home_manager_create_my_own_symlinks_automatically/)
- syncthing folders should just be enabled per devices and then combined with "extraDevices" to give final folder configurations - syncthing folders should just be enabled per devices and then combined with "extraDevices" to give final folder configurations
- syncthing folder passwords - syncthing folder passwords
- nfs export should be backed by the same values for server and client
- move fail2ban configs out of fail2ban.nix and into configs for their respective services - move fail2ban configs out of fail2ban.nix and into configs for their respective services
- nginx config should be reworked to give a list of subdomains and then the config information to apply to each proxy - nginx config should be reworked to give a list of subdomains and then the config information to apply to each proxy
## New Features ## New Features

11
configurations/home-manager/leyla/firefox.nix
View file

@ -261,7 +261,14 @@
bookmarks = [ bookmarks = [
{ {
name = "Media"; name = "Media";
url = "https://media.jan-leila.com/"; url = "https://jellyfin.jan-leila.com/";
# url = "https://media.jan-leila.com/";
keyword = "";
tags = [""];
}
{
name = "Drive";
url = "https://drive.jan-leila.com/";
keyword = ""; keyword = "";
tags = [""]; tags = [""];
} }
@ -273,7 +280,7 @@
} }
{ {
name = "Home Automation"; name = "Home Automation";
url = "https://home.jan-leila.com/"; url = "https://home-assistant.jan-leila.com/";
keyword = ""; keyword = "";
tags = [""]; tags = [""];
} }

12
configurations/nixos/defiant/configuration.nix
View file

@ -55,18 +55,18 @@
enable = true; enable = true;
directories = [ directories = [
{ {
folder = "leyla_documents"; folder = "leyla";
user = "leyla"; user = "leyla";
group = "leyla"; group = "leyla";
bind = "/home/leyla/documents"; bind = "/home/leyla/documents";
} }
{ {
folder = "eve_documents"; folder = "eve";
user = "eve"; user = "eve";
group = "eve"; group = "eve";
} }
{ {
folder = "users_documents"; folder = "users";
user = "root"; user = "root";
group = "users"; group = "users";
} }
@ -79,7 +79,7 @@
]; ];
nfs = { nfs = {
enable = true; enable = true;
directories = ["leyla_documents" "eve_documents" "users_documents" "media"]; directories = ["leyla" "eve"];
}; };
}; };
reverse_proxy = { reverse_proxy = {
@ -114,6 +114,10 @@
adguardhome = { adguardhome = {
enable = false; enable = false;
}; };
nextcloud = {
enable = false;
subdomain = "drive";
};
sync = { sync = {
enable = true; enable = true;
folders = { folders = {

8
configurations/nixos/horizon/hardware-configuration.nix
View file

@ -39,19 +39,19 @@
}; };
"/mnt/leyla_documents" = { "/mnt/leyla_documents" = {
device = "defiant:/exports/leyla_documents"; device = "defiant:/exports/leyla";
fsType = "nfs"; fsType = "nfs";
options = ["x-systemd.automount" "user" "noatime" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"]; options = ["x-systemd.automount" "user" "noatime" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"];
}; };
"/mnt/eve_documents" = { "/mnt/eve_documents" = {
device = "defiant:/exports/eve_documents"; device = "defiant:/exports/eve";
fsType = "nfs"; fsType = "nfs";
options = ["x-systemd.automount" "user" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"]; options = ["x-systemd.automount" "user" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"];
}; };
"/mnt/users_documents" = { "/mnt/users_documents" = {
device = "defiant:/exports/users_documents"; device = "defiant:/exports/users";
fsType = "nfs"; fsType = "nfs";
options = ["x-systemd.automount" "user" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"]; options = ["x-systemd.automount" "user" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"];
}; };
@ -59,7 +59,7 @@
"/mnt/media" = { "/mnt/media" = {
device = "defiant:/exports/media"; device = "defiant:/exports/media";
fsType = "nfs"; fsType = "nfs";
options = ["user" "noatime" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"]; options = ["x-systemd.automount" "noauto" "user" "noatime" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"];
}; };
}; };

95
configurations/syncthing/default.nix
View file

@ -1,95 +0,0 @@
{config, ...}: {
folders = {
leyla_documents = {
id = "hvrj0-9bm1p";
};
leyla_calendar = {
id = "8oatl-1rv6w";
};
leyla_notes = {
id = "dwbuv-zffnf";
};
share = {
id = "73ot0-cxmkx";
};
};
devices = {
defiant = {
id = "3R6E6Y4-2F7MF2I-IGB4WE6-A3SQSMV-LIBYSAM-2OXHHU2-KJ6CGIV-QNMCPAR";
folders = {
leyla_documents = {
folder = config.folders.leyla_documents;
path = "/mnt/sync/leyla/documents";
};
leyla_calendar = {
folder = config.folders.leyla_calendar;
path = "/mnt/sync/leyla/calendar";
};
leyla_notes = {
folder = config.folders.leyla_notes;
path = "/mnt/sync/leyla/notes";
};
share = {
folder = config.folders.share;
path = "/mnt/sync/default/share";
};
};
};
twilight = {
id = "UDIYL7V-OAZ2BI3-EJRAWFB-GZYVDWR-JNUYW3F-FFQ35MU-XBTGWEF-QD6K6QN";
folders = {
leyla_documents = {
folder = config.folders.leyla_documents;
path = "/mnt/sync/leyla/documents";
};
share = {
folder = config.folders.share;
path = "/mnt/sync/default/share";
};
};
};
horizon = {
id = "OGPAEU6-5UR56VL-SP7YC4Y-IMVCRTO-XFD4CYN-Z6T5TZO-PFZNAT6-4MKWPQS";
folders = {
leyla_documents = {
folder = config.folders.leyla_documents;
path = "/mnt/sync/leyla/documents";
};
share = {
folder = config.folders.share;
path = "/mnt/sync/default/share";
};
};
};
coven = {
id = "QGU7NN6-OMXTWVA-YCZ73S5-2O7ECTS-MUCTN4M-YH6WLEL-U4U577I-7PBNCA5";
folders = {
share = {
folder = config.folders.share;
};
};
};
ceder = {
id = "MGXUJBS-7AENXHB-7YQRNWG-QILKEJD-5462U2E-WAQW4R4-I2TVK5H-SMK6LAA";
folders = {
share = {
folder = config.folders.share;
};
leyla_calendar = {
folder = config.folders.leyla_calendar;
};
leyla_notes = {
folder = config.folders.leyla_notes;
};
};
};
shale = {
id = "AOAXEVD-QJ2IVRA-6G44Q7Q-TGUPXU2-FWWKOBH-DPKWC5N-LBAEHWJ-7EQF4AM";
folders = {
share = {
folder = config.folders.share;
};
};
};
};
}

87
flake.lock
View file

@ -7,11 +7,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1741786315, "lastModified": 1740485968,
"narHash": "sha256-VT65AE2syHVj6v/DGB496bqBnu1PXrrzwlw07/Zpllc=", "narHash": "sha256-WK+PZHbfDjLyveXAxpnrfagiFgZWaTJglewBWniTn2Y=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "0d8c6ad4a43906d14abd5c60e0ffe7b587b213de", "rev": "19c1140419c4f1cdf88ad4c1cfb6605597628940",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -29,11 +29,11 @@
}, },
"locked": { "locked": {
"dir": "pkgs/firefox-addons", "dir": "pkgs/firefox-addons",
"lastModified": 1741838604, "lastModified": 1741233805,
"narHash": "sha256-ytHdrfSbbPvla43Ykd61cVkS2JLA8wBEHcnf4yLFP7Y=", "narHash": "sha256-aNmlbxeKPUfuOynHvIMBPrNgEs1ldHDIz1wbkitKDSs=",
"owner": "rycee", "owner": "rycee",
"repo": "nur-expressions", "repo": "nur-expressions",
"rev": "e41884886e7798003973f487f37b979ee92f7d99", "rev": "a1cc22e90f45f6075a991348e896f1595c4efce9",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
@ -58,6 +58,22 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": { "flake-utils": {
"locked": { "locked": {
"lastModified": 1629284811, "lastModified": 1629284811,
@ -131,11 +147,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1741791118, "lastModified": 1741217763,
"narHash": "sha256-4Y427uj0eql4yRU5rely3EcOlB9q457UDbG9omPtXiA=", "narHash": "sha256-g/TrltIjFHIjtzKY5CJpoPANfHQWDD43G5U1a/v5oVg=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "18780912345970e5b546b1b085385789b6935a83", "rev": "486b066025dccd8af7fbe5dd2cc79e46b88c80da",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -201,11 +217,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1741794429, "lastModified": 1741229100,
"narHash": "sha256-4J46D8sOZ3UroVyGYKYMU3peq9gv0tjRX0KbZihWhhw=", "narHash": "sha256-0HwrTDXp9buEwal/1ymK9uQmzUD5ozIA7CJGqnT/gLs=",
"owner": "LnL7", "owner": "LnL7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "2fb6b09b678a1ab258cf88e3ea4a966edceec6a8", "rev": "adf5c88ba1fe21af5c083b4d655004431f20c5ab",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -214,40 +230,20 @@
"type": "github" "type": "github"
} }
}, },
"nix-syncthing": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1741849924,
"narHash": "sha256-5vyb1H6HtW24QVqfI56P4QVQP6vHh1jS9ULwnunCO94=",
"ref": "main",
"rev": "86bcb200c83b6a5d13b3583126b9d8dc6770613a",
"revCount": 6,
"type": "git",
"url": "https://git.jan-leila.com/jan-leila/nix-syncthing"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.jan-leila.com/jan-leila/nix-syncthing"
}
},
"nix-vscode-extensions": { "nix-vscode-extensions": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_2",
"flake-utils": "flake-utils_3", "flake-utils": "flake-utils_3",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1741830545, "lastModified": 1740275623,
"narHash": "sha256-SzbDILDATgMCYk2SxPYLCBVdT6mHtlyeYZDn2SZaIuU=", "narHash": "sha256-LQ9hq3hKwWqm+dzBhgsIkr2KO6Bb0aU+yO/TtI7hXXo=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-vscode-extensions", "repo": "nix-vscode-extensions",
"rev": "28318c164b39b70a14851aed7ad0ea7f03ca417e", "rev": "35ff5dce04469e7b4e56a9d997e5201bfce52ae3",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -258,11 +254,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1741792691, "lastModified": 1740646007,
"narHash": "sha256-f0BVt1/cvA0DQ/q3rB+HY4g4tKksd03ZkzI4xehC2Ew=", "narHash": "sha256-dMReDQobS3kqoiUCQIYI9c0imPXRZnBubX20yX/G5LE=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "e1f12151258b12c567f456d8248e4694e9390613", "rev": "009b764ac98a3602d41fc68072eeec5d24fc0e49",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -274,11 +270,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1741513245, "lastModified": 1741173522,
"narHash": "sha256-7rTAMNTY1xoBwz0h7ZMtEcd8LELk9R5TzBPoHuhNSCk=", "narHash": "sha256-k7VSqvv0r1r53nUI/IfPHCppkUAddeXn843YlAC5DR0=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "e3e32b642a31e6714ec1b712de8c91a3352ce7e1", "rev": "d69ab0d71b22fa1ce3dbeff666e6deb4917db049",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -297,7 +293,6 @@
"impermanence": "impermanence", "impermanence": "impermanence",
"lix-module": "lix-module", "lix-module": "lix-module",
"nix-darwin": "nix-darwin", "nix-darwin": "nix-darwin",
"nix-syncthing": "nix-syncthing",
"nix-vscode-extensions": "nix-vscode-extensions", "nix-vscode-extensions": "nix-vscode-extensions",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
@ -328,11 +323,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1741644481, "lastModified": 1741043164,
"narHash": "sha256-E0RrMykMtEv15V3QhpsFutgoSKhL1JBhidn+iZajOyg=", "narHash": "sha256-9lfmSZLz6eq9Ygr6cCmvQiiBEaPb54pUBcjvbEMPORc=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "e653d71e82575a43fe9d228def8eddb73887b866", "rev": "3f2412536eeece783f0d0ad3861417f347219f4d",
"type": "github" "type": "github"
}, },
"original": { "original": {

10
flake.nix
View file

@ -22,12 +22,6 @@
flake = false; flake = false;
}; };
# common config for syncthing
nix-syncthing = {
url = "git+https://git.jan-leila.com/jan-leila/nix-syncthing?ref=main";
inputs.nixpkgs.follows = "nixpkgs";
};
# disk configurations # disk configurations
disko = { disko = {
url = "github:nix-community/disko"; url = "github:nix-community/disko";
@ -77,7 +71,6 @@
self, self,
nixpkgs, nixpkgs,
sops-nix, sops-nix,
nix-syncthing,
home-manager, home-manager,
impermanence, impermanence,
... ...
@ -89,7 +82,6 @@
mkNixosSystem = util.mkNixosSystem; mkNixosSystem = util.mkNixosSystem;
mkDarwinSystem = util.mkDarwinSystem; mkDarwinSystem = util.mkDarwinSystem;
mkHome = util.mkHome; mkHome = util.mkHome;
syncthingConfiguration = util.syncthingConfiguration;
installerSystems = { installerSystems = {
basic = mkNixosInstaller "basic" []; basic = mkNixosInstaller "basic" [];
@ -159,7 +151,5 @@
darwinConfigurations = darwinSystems; darwinConfigurations = darwinSystems;
homeConfigurations = homeConfigurations; homeConfigurations = homeConfigurations;
syncthingConfiguration = syncthingConfiguration;
}; };
} }

1
modules/nixos-modules/server/default.nix
View file

@ -10,5 +10,6 @@
./searx.nix ./searx.nix
./home-assistant.nix ./home-assistant.nix
./adguardhome.nix ./adguardhome.nix
./nextcloud.nix
]; ];
} }

60
modules/nixos-modules/server/fail2ban.nix
View file

@ -1,6 +1,5 @@
{ {
lib, lib,
pkgs,
config, config,
... ...
}: let }: let
@ -13,41 +12,6 @@ in {
config = lib.mkIf config.host.fail2ban.enable (lib.mkMerge [ config = lib.mkIf config.host.fail2ban.enable (lib.mkMerge [
{ {
environment.etc = {
"fail2ban/filter.d/nginx.local".text = lib.mkIf config.services.nginx.enable (
pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[Definition]
failregex = "limiting requests, excess:.* by zone.*client: <HOST>"
'')
);
"fail2ban/filter.d/jellyfin.local".text = lib.mkIf config.services.jellyfin.enable (
pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[Definition]
failregex = "^.*Authentication request for .* has been denied \\\(IP: \"<ADDR>\"\\\)\\\."
'')
);
"fail2ban/filter.d/forgejo.local".text = lib.mkIf config.services.forgejo.enable (
pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[Definition]
failregex = ".*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>"
'')
);
"fail2ban/filter.d/hass.local".text = lib.mkIf config.services.home-assistant.enable (
pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[INCLUDES]
before = common.conf
[Definition]
failregex = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from <HOST>.*$
ignoreregex =
[Init]
datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
'')
);
};
services.fail2ban = { services.fail2ban = {
enable = true; enable = true;
maxretry = 5; maxretry = 5;
@ -70,40 +34,54 @@ in {
}; };
jails = { jails = {
nginx-iptables.settings = lib.mkIf config.services.nginx.enable { nginx-iptables.settings = lib.mkIf config.services.nginx.enable {
enabled = true;
filter = "nginx"; filter = "nginx";
action = ''iptables-multiport[name=HTTP, port="http,https"]''; action = ''iptables-multiport[name=HTTP, port="http,https"]'';
backend = "auto"; backend = "auto";
failregex = "limiting requests, excess:.* by zone.*client: <HOST>";
findtime = 600; findtime = 600;
bantime = 600; bantime = 600;
maxretry = 5; maxretry = 5;
}; };
jellyfin-iptables.settings = lib.mkIf config.services.jellyfin.enable { jellyfin-iptables.settings = lib.mkIf config.services.jellyfin.enable {
enabled = true;
filter = "jellyfin"; filter = "jellyfin";
action = ''iptables-multiport[name=HTTP, port="http,https"]''; action = ''iptables-multiport[name=HTTP, port="http,https"]'';
logpath = "${config.services.jellyfin.dataDir}/log/*.log"; logpath = "${config.services.jellyfin.dataDir}/log/*.log";
backend = "auto"; backend = "auto";
failregex = "^.*Authentication request for .* has been denied \\\(IP: \"<ADDR>\"\\\)\\\.";
findtime = 600;
bantime = 600;
maxretry = 5;
};
nextcloud-iptables.settings = lib.mkIf config.services.nextcloud.enable {
filter = "nextcloud";
action = ''iptables-multiport[name=HTTP, port="http,https"]'';
logpath = "${config.services.nextcloud.datadir}/*.log";
backend = "auto";
failregex = ''
^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}$
^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user,:".*","app":"no app in context".*","method":".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)".*}$
^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*","app":".*","method":".*","url":".*","message":"Login failed: .* \(Remote IP: <HOST>\).*}$
'';
findtime = 600; findtime = 600;
bantime = 600; bantime = 600;
maxretry = 5; maxretry = 5;
}; };
forgejo-iptables.settings = lib.mkIf config.services.forgejo.enable { forgejo-iptables.settings = lib.mkIf config.services.forgejo.enable {
enabled = true;
filter = "forgejo"; filter = "forgejo";
action = ''iptables-multiport[name=HTTP, port="http,https"]''; action = ''iptables-multiport[name=HTTP, port="http,https"]'';
logpath = "${config.services.forgejo.stateDir}/log/*.log"; logpath = "${config.services.forgejo.stateDir}/log/*.log";
backend = "auto"; backend = "auto";
failregex = ".*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>";
findtime = 600; findtime = 600;
bantime = 600; bantime = 600;
maxretry = 5; maxretry = 5;
}; };
home-assistant-iptables.settings = lib.mkIf config.services.home-assistant.enable { home-assistant-iptables.settings = lib.mkIf config.services.home-assistant.enable {
enabled = true; filter = "home-assistant";
filter = "hass";
action = ''iptables-multiport[name=HTTP, port="http,https"]''; action = ''iptables-multiport[name=HTTP, port="http,https"]'';
logpath = "${config.services.home-assistant.configDir}/*.log"; logpath = "${config.services.home-assistant.configDir}/*.log";
backend = "auto"; backend = "auto";
failregex = "^%(__prefix_line)s.*Login attempt or request with invalid authentication from <HOST>.*$";
findtime = 600; findtime = 600;
bantime = 600; bantime = 600;
maxretry = 5; maxretry = 5;

32
modules/nixos-modules/server/home-assistant.nix
View file

@ -1,9 +1,11 @@
{ {
lib, lib,
pkgs,
config, config,
... ...
}: let }: let
configDir = "/var/lib/hass"; configDir = "/var/lib/hass";
db_user = "hass";
in { in {
options.host.home-assistant = { options.host.home-assistant = {
enable = lib.mkEnableOption "should home-assistant be enabled on this computer"; enable = lib.mkEnableOption "should home-assistant be enabled on this computer";
@ -21,6 +23,13 @@ in {
]; ];
services.home-assistant = { services.home-assistant = {
enable = true; enable = true;
package =
(pkgs.home-assistant.override {
extraPackages = py: with py; [psycopg2];
})
.overrideAttrs (oldAttrs: {
doInstallCheck = false;
});
configDir = configDir; configDir = configDir;
extraComponents = [ extraComponents = [
"met" "met"
@ -34,6 +43,7 @@ in {
"sonos" "sonos"
"analytics_insights" "analytics_insights"
"unifi" "unifi"
"minecraft_server"
"openweathermap" "openweathermap"
]; ];
config = { config = {
@ -44,17 +54,21 @@ in {
ip_ban_enabled = true; ip_ban_enabled = true;
login_attempts_threshold = 10; login_attempts_threshold = 10;
}; };
# recorder.db_url = "postgresql://@/${db_user}"; recorder.db_url = "postgresql://@/${db_user}";
"automation manual" = []; "automation manual" = [];
"automation ui" = "!include automations.yaml"; "automation ui" = "!include automations.yaml";
}; };
extraPackages = python3Packages: extraPackages = python3Packages:
with python3Packages; [ with python3Packages; [
hassil
numpy numpy
gtts gtts
]; ];
}; };
systemd.services.home-assistant = {
requires = [
"postgresql.service"
];
};
host = { host = {
reverse_proxy.subdomains.${config.host.home-assistant.subdomain} = { reverse_proxy.subdomains.${config.host.home-assistant.subdomain} = {
target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}"; target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}";
@ -75,6 +89,20 @@ in {
proxy_read_timeout 90; proxy_read_timeout 90;
''; '';
}; };
postgres = {
enable = true;
extraUsers = {
${db_user} = {
isClient = true;
createUser = true;
};
};
extraDatabases = {
${db_user} = {
name = db_user;
};
};
};
}; };
} }
(lib.mkIf config.host.impermanence.enable { (lib.mkIf config.host.impermanence.enable {

4
modules/nixos-modules/server/jellyfin.nix
View file

@ -38,6 +38,8 @@ in {
extraConfig = '' extraConfig = ''
client_max_body_size 20M; client_max_body_size 20M;
add_header X-Content-Type-Options "nosniff"; add_header X-Content-Type-Options "nosniff";
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
@ -57,6 +59,8 @@ in {
extraConfig = '' extraConfig = ''
client_max_body_size 20M; client_max_body_size 20M;
add_header X-Content-Type-Options "nosniff"; add_header X-Content-Type-Options "nosniff";
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;

19
modules/nixos-modules/server/network_storage/nfs.nix
View file

@ -38,18 +38,15 @@
services.nfs.server = { services.nfs.server = {
enable = true; enable = true;
exports = lib.strings.concatLines ( exports = lib.strings.concatLines (
[ lib.lists.imap0 (
"/export 100.64.0.0/10(rw,fsid=0,no_subtree_check)" i: directory: "${directory._directory} 100.64.0.0/10(rw,sync,no_subtree_check,crossmnt,fsid=${builtins.toString i})"
] )
++ (builtins.map ( (
directory: "${directory._directory} 100.64.0.0/10(rw,nohide,sync,no_subtree_check,crossmnt)" builtins.filter (
directory: lib.lists.any (target: target == directory.folder) config.host.network_storage.nfs.directories
) )
( config.host.network_storage.directories
builtins.filter ( )
directory: lib.lists.any (target: target == directory.folder) config.host.network_storage.nfs.directories
)
config.host.network_storage.directories
))
); );
}; };
networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = [ networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = [

69
modules/nixos-modules/server/nextcloud.nix Normal file
View file

@ -0,0 +1,69 @@
{
lib,
pkgs,
config,
inputs,
...
}: let
dataDir = "/var/lib/nextcloud";
in {
options.host.nextcloud = {
enable = lib.mkEnableOption "should nextcloud be enabled on this computer";
subdomain = lib.mkOption {
type = lib.types.str;
description = "subdomain of base domain that nextcloud will be hosted at";
default = "nextcloud";
};
};
config = lib.mkIf config.host.nextcloud.enable (lib.mkMerge [
{
sops.secrets = {
"services/nextcloud_adminpass" = {
sopsFile = "${inputs.secrets}/defiant-services.yaml";
owner = config.users.users.nextcloud.name;
};
};
host = {
reverse_proxy.subdomains.${config.host.nextcloud.subdomain} = {
target = "http://localhost:${toString 8009}";
};
};
services = {
nextcloud = {
enable = true;
package = pkgs.nextcloud31;
hostName = "${config.host.nextcloud.subdomain}.${config.host.reverse_proxy.hostname}";
settings.log_type = "file";
config = {
adminpassFile = config.sops.secrets."services/nextcloud_adminpass".path;
adminuser = "admin";
dbtype = "sqlite";
};
};
};
}
(lib.mkIf config.host.impermanence.enable {
assertions = [
{
assertion = config.services.nextcloud.datadir == dataDir;
message = "nextcloud data directory does not match persistence";
}
];
environment.persistence."/persist/system/root" = {
enable = true;
hideMounts = true;
directories = [
{
directory = dataDir;
user = "nextcloud";
group = "nextcloud";
}
];
};
})
]);
}

102
modules/nixos-modules/sync.nix
View file

@ -1,7 +1,6 @@
{ {
config, config,
lib, lib,
outputs,
... ...
}: let }: let
mountDir = "/mnt/sync"; mountDir = "/mnt/sync";
@ -60,24 +59,97 @@ in {
configDir = configDir; configDir = configDir;
overrideDevices = true; overrideDevices = true;
overrideFolders = true; overrideFolders = true;
configuration = outputs.syncthingConfiguration; settings = {
deviceName = config.networking.hostName; devices = {
ceder = {
id = "MGXUJBS-7AENXHB-7YQRNWG-QILKEJD-5462U2E-WAQW4R4-I2TVK5H-SMK6LAA";
};
coven = {
id = "QGU7NN6-OMXTWVA-YCZ73S5-2O7ECTS-MUCTN4M-YH6WLEL-U4U577I-7PBNCA5";
};
defiant = lib.mkIf (config.networking.hostName != "defiant") {
id = "3R6E6Y4-2F7MF2I-IGB4WE6-A3SQSMV-LIBYSAM-2OXHHU2-KJ6CGIV-QNMCPAR";
};
twilight = lib.mkIf (config.networking.hostName != "twilight") {
id = "UDIYL7V-OAZ2BI3-EJRAWFB-GZYVDWR-JNUYW3F-FFQ35MU-XBTGWEF-QD6K6QN";
};
horizon = lib.mkIf (config.networking.hostName != "horizon") {
id = "OGPAEU6-5UR56VL-SP7YC4Y-IMVCRTO-XFD4CYN-Z6T5TZO-PFZNAT6-4MKWPQS";
};
shale = {
id = "AOAXEVD-QJ2IVRA-6G44Q7Q-TGUPXU2-FWWKOBH-DPKWC5N-LBAEHWJ-7EQF4AM";
};
};
folders = let
ceder = "ceder";
coven = "coven";
shale = "shale";
defiant = lib.mkIf (config.networking.hostName != "defiant") "defiant";
twilight = lib.mkIf (config.networking.hostName != "twilight") "twilight";
horizon = lib.mkIf (config.networking.hostName != "horizon") "horizon";
in
lib.mkMerge [
config.host.sync.folders.extraFolders
(lib.mkIf config.host.sync.folders.leyla.documents.enable {
"documents" = {
id = "hvrj0-9bm1p";
path = "${mountDir}/leyla/documents";
devices = [
defiant
ceder
coven
twilight
horizon
];
};
})
(lib.mkIf config.host.sync.folders.share.calendar.enable {
"calendar" = {
id = "8oatl-1rv6w";
path = "${mountDir}/default/calendar";
devices = [
defiant
ceder
shale
];
};
})
(lib.mkIf config.host.sync.folders.leyla.notes.enable {
"notes" = {
id = "dwbuv-zffnf";
path = "${mountDir}/leyla/notes";
devices = [
defiant
ceder
];
};
})
(lib.mkIf config.host.sync.folders.share.enable {
"share" = {
id = "73ot0-cxmkx";
path = "${mountDir}/default/share";
devices = [
defiant
ceder
coven
twilight
horizon
shale
];
};
})
];
};
}; };
} }
(lib.mkIf config.host.impermanence.enable { (lib.mkIf config.host.impermanence.enable {
assertions = assertions = [
[ {
{ assertion = config.services.syncthing.configDir == configDir;
assertion = config.services.syncthing.configDir == configDir; message = "syncthing config dir does not match persistence";
message = "syncthing config dir does not match persistence"; }
} ];
]
++ lib.attrsets.mapAttrsToList (_: folder: {
assertion = lib.strings.hasPrefix mountDir folder.path;
message = "syncthing folder ${folder.label} is stored at ${folder.path} which not under the persisted path of ${mountDir}";
})
config.services.syncthing.folders;
environment.persistence = { environment.persistence = {
"/persist/system/root" = { "/persist/system/root" = {
enable = true; enable = true;

8
util/default.nix
View file

@ -7,7 +7,6 @@
home-manager = inputs.home-manager; home-manager = inputs.home-manager;
nix-darwin = inputs.nix-darwin; nix-darwin = inputs.nix-darwin;
sops-nix = inputs.sops-nix; sops-nix = inputs.sops-nix;
nix-syncthing = inputs.nix-syncthing;
disko = inputs.disko; disko = inputs.disko;
impermanence = inputs.impermanence; impermanence = inputs.impermanence;
lix-module = inputs.lix-module; lix-module = inputs.lix-module;
@ -74,7 +73,6 @@ in {
system-modules system-modules
++ [ ++ [
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
nix-syncthing.nixosModules.syncthing
impermanence.nixosModules.impermanence impermanence.nixosModules.impermanence
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
disko.nixosModules.disko disko.nixosModules.disko
@ -109,10 +107,4 @@ in {
../configurations/home-manager/${user} ../configurations/home-manager/${user}
]; ];
}; };
syncthingConfiguration = nix-syncthing.lib.syncthingConfiguration {
modules = [
(import ../configurations/syncthing)
];
};
} }