jan-leila/nix-config
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: jan-leila:597c25b49dcaded5ff32864fa42ac99cc8dcff4c
Branches Tags
jan-leila:main
jan-leila:469ba567
..
compare: jan-leila:76d68cf146e11b75c86b9c1270d53b38593bf127
Branches Tags
jan-leila:main
jan-leila:469ba567

No commits in common. "597c25b49dcaded5ff32864fa42ac99cc8dcff4c" and "76d68cf146e11b75c86b9c1270d53b38593bf127" have entirely different histories.
597c25b49d ... 76d68cf146

7 changed files with 168 additions and 170 deletions
Show stats Expand all files Collapse all files

1
README.md
View file

@ -51,6 +51,7 @@ nix multi user, multi system, configuration with `sops` secret management, `home
- syncthing folder passwords - syncthing folder passwords
- nfs export should be backed by the same values for server and client - nfs export should be backed by the same values for server and client
- move fail2ban configs out of fail2ban.nix and into configs for their respective services - move fail2ban configs out of fail2ban.nix and into configs for their respective services
- move extra custom configuration for services out of host config and instead extend services
## New Features ## New Features
- offline access for nfs mounts (overlay with rsync might be a good option here? https://www.spinics.net/lists/linux-unionfs/msg07105.html note about nfs4 and overlay fs) - offline access for nfs mounts (overlay with rsync might be a good option here? https://www.spinics.net/lists/linux-unionfs/msg07105.html note about nfs4 and overlay fs)
- samba mounts - samba mounts

45
configurations/nixos/defiant/configuration.nix
View file

@ -48,6 +48,9 @@
]; ];
}; };
}; };
fail2ban = {
enable = true;
};
network_storage = { network_storage = {
enable = true; enable = true;
directories = [ directories = [
@ -71,7 +74,7 @@
folder = "media"; folder = "media";
user = "jellyfin"; user = "jellyfin";
group = "jellyfin_media"; group = "jellyfin_media";
bind = config.services.jellyfin.media_directory; bind = config.host.jellyfin.media_directory;
} }
]; ];
nfs = { nfs = {
@ -91,6 +94,19 @@
}; };
}; };
}; };
jellyfin = {
enable = true;
subdomain = "media";
extraSubdomains = ["jellyfin"];
};
forgejo = {
enable = true;
subdomain = "git";
};
searx = {
enable = true;
subdomain = "search";
};
home-assistant = { home-assistant = {
enable = false; enable = false;
subdomain = "home"; subdomain = "home";
@ -98,6 +114,10 @@
adguardhome = { adguardhome = {
enable = false; enable = false;
}; };
immich = {
enable = true;
subdomain = "photos";
};
sync = { sync = {
enable = true; enable = true;
folders = { folders = {
@ -167,29 +187,6 @@
"--accept-dns=false" "--accept-dns=false"
]; ];
}; };
fail2ban.enable = true;
jellyfin = {
enable = true;
subdomain = "media";
extraSubdomains = ["jellyfin"];
};
immich = {
enable = true;
subdomain = "photos";
};
forgejo = {
enable = true;
subdomain = "git";
};
searx = {
enable = true;
subdomain = "search";
};
}; };
# disable computer sleeping # disable computer sleeping

53
modules/nixos-modules/server/fail2ban.nix
View file

@ -7,7 +7,11 @@
dataFolder = "/var/lib/fail2ban"; dataFolder = "/var/lib/fail2ban";
dataFile = "fail2ban.sqlite3"; dataFile = "fail2ban.sqlite3";
in { in {
config = lib.mkIf config.services.fail2ban.enable (lib.mkMerge [ options.host.fail2ban = {
enable = lib.mkEnableOption "should fail 2 ban be enabled on this server";
};
config = lib.mkIf config.host.fail2ban.enable (lib.mkMerge [
{ {
environment.etc = { environment.etc = {
"fail2ban/filter.d/nginx.local".text = lib.mkIf config.services.nginx.enable ( "fail2ban/filter.d/nginx.local".text = lib.mkIf config.services.nginx.enable (
@ -16,6 +20,18 @@ in {
failregex = "limiting requests, excess:.* by zone.*client: <HOST>" failregex = "limiting requests, excess:.* by zone.*client: <HOST>"
'') '')
); );
"fail2ban/filter.d/jellyfin.local".text = lib.mkIf config.services.jellyfin.enable (
pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[Definition]
failregex = "^.*Authentication request for .* has been denied \\\(IP: \"<ADDR>\"\\\)\\\."
'')
);
"fail2ban/filter.d/forgejo.local".text = lib.mkIf config.services.forgejo.enable (
pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[Definition]
failregex = ".*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>"
'')
);
# "fail2ban/filter.d/hass.local".text = lib.mkIf config.services.home-assistant.enable ( # "fail2ban/filter.d/hass.local".text = lib.mkIf config.services.home-assistant.enable (
# pkgs.lib.mkDefault (pkgs.lib.mkAfter '' # pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
# [INCLUDES] # [INCLUDES]
@ -30,9 +46,17 @@ in {
# datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S # datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
# '') # '')
# ); # );
"fail2ban/filter.d/immich.local".text = lib.mkIf config.services.immich.enable (
pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[Definition]
failregex = immich-server.*Failed login attempt for user.+from ip address\s?<ADDR>
journalmatch = CONTAINER_TAG=immich-server
'')
);
}; };
services.fail2ban = { services.fail2ban = {
enable = true;
maxretry = 5; maxretry = 5;
ignoreIP = [ ignoreIP = [
# Whitelist local networks # Whitelist local networks
@ -61,6 +85,26 @@ in {
bantime = 600; bantime = 600;
maxretry = 5; maxretry = 5;
}; };
jellyfin-iptables.settings = lib.mkIf config.services.jellyfin.enable {
enabled = true;
filter = "jellyfin";
action = ''iptables-multiport[name=HTTP, port="http,https"]'';
logpath = "${config.services.jellyfin.dataDir}/log/*.log";
backend = "auto";
findtime = 600;
bantime = 600;
maxretry = 5;
};
forgejo-iptables.settings = lib.mkIf config.services.forgejo.enable {
enabled = true;
filter = "forgejo";
action = ''iptables-multiport[name=HTTP, port="http,https"]'';
logpath = "${config.services.forgejo.settings.log.ROOT_PATH}/*.log";
backend = "auto";
findtime = 600;
bantime = 600;
maxretry = 5;
};
# home-assistant-iptables.settings = lib.mkIf config.services.home-assistant.enable { # home-assistant-iptables.settings = lib.mkIf config.services.home-assistant.enable {
# enabled = true; # enabled = true;
# filter = "hass"; # filter = "hass";
@ -71,6 +115,11 @@ in {
# bantime = 600; # bantime = 600;
# maxretry = 5; # maxretry = 5;
# }; # };
immich-iptables.settings = lib.mkIf config.services.immich.enable {
enabled = true;
filter = "immich";
backend = "systemd";
};
# TODO; figure out if there is any fail2ban things we can do on searx # TODO; figure out if there is any fail2ban things we can do on searx
# searx-iptables.settings = lib.mkIf config.services.searx.enable {}; # searx-iptables.settings = lib.mkIf config.services.searx.enable {};
}; };
@ -85,6 +134,8 @@ in {
]; ];
environment.persistence."/persist/system/root" = { environment.persistence."/persist/system/root" = {
enable = true;
hideMounts = true;
directories = [ directories = [
{ {
directory = dataFolder; directory = dataFolder;

80
modules/nixos-modules/server/forgejo.nix
View file

@ -1,7 +1,6 @@
{ {
lib, lib,
config, config,
pkgs,
... ...
}: let }: let
forgejoPort = 8081; forgejoPort = 8081;
@ -9,7 +8,8 @@
db_user = "forgejo"; db_user = "forgejo";
sshPort = 22222; sshPort = 22222;
in { in {
options.services.forgejo = { options.host.forgejo = {
enable = lib.mkEnableOption "should forgejo be enabled on this computer";
subdomain = lib.mkOption { subdomain = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "subdomain of base domain that forgejo will be hosted at"; description = "subdomain of base domain that forgejo will be hosted at";
@ -17,10 +17,10 @@ in {
}; };
}; };
config = lib.mkIf config.services.forgejo.enable (lib.mkMerge [ config = lib.mkIf config.host.forgejo.enable (lib.mkMerge [
{ {
host = { host = {
reverse_proxy.subdomains.${config.services.forgejo.subdomain} = { reverse_proxy.subdomains.${config.host.forgejo.subdomain} = {
target = "http://localhost:${toString forgejoPort}"; target = "http://localhost:${toString forgejoPort}";
}; };
postgres = { postgres = {
@ -33,29 +33,32 @@ in {
}; };
}; };
services.forgejo = { services = {
database = { forgejo = {
type = "postgres"; enable = true;
socket = "/run/postgresql";
};
lfs.enable = true;
settings = {
server = {
DOMAIN = "${config.services.forgejo.subdomain}.${config.host.reverse_proxy.hostname}";
HTTP_PORT = forgejoPort;
START_SSH_SERVER = true;
SSH_LISTEN_PORT = sshPort;
SSH_PORT = 22;
BUILTIN_SSH_SERVER_USER = config.users.users.git.name;
ROOT_URL = "https://git.jan-leila.com";
};
service = {
DISABLE_REGISTRATION = true;
};
database = { database = {
DB_TYPE = "postgres"; type = "postgres";
NAME = db_user; socket = "/run/postgresql";
USER = db_user; };
lfs.enable = true;
settings = {
server = {
DOMAIN = "${config.host.forgejo.subdomain}.${config.host.reverse_proxy.hostname}";
HTTP_PORT = forgejoPort;
START_SSH_SERVER = true;
SSH_LISTEN_PORT = sshPort;
SSH_PORT = 22;
BUILTIN_SSH_SERVER_USER = config.users.users.git.name;
ROOT_URL = "https://git.jan-leila.com";
};
service = {
DISABLE_REGISTRATION = true;
};
database = {
DB_TYPE = "postgres";
NAME = db_user;
USER = db_user;
};
}; };
}; };
}; };
@ -64,31 +67,6 @@ in {
config.services.forgejo.settings.server.SSH_LISTEN_PORT config.services.forgejo.settings.server.SSH_LISTEN_PORT
]; ];
} }
(lib.mkIf config.services.fail2ban.enable {
environment.etc = {
"fail2ban/filter.d/forgejo.local".text = lib.mkIf config.services.forgejo.enable (
pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[Definition]
failregex = ".*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>"
'')
);
};
services.fail2ban = {
jails = {
forgejo-iptables.settings = lib.mkIf config.services.forgejo.enable {
enabled = true;
filter = "forgejo";
action = ''iptables-multiport[name=HTTP, port="http,https"]'';
logpath = "${config.services.forgejo.settings.log.ROOT_PATH}/*.log";
backend = "auto";
findtime = 600;
bantime = 600;
maxretry = 5;
};
};
};
})
(lib.mkIf config.host.impermanence.enable { (lib.mkIf config.host.impermanence.enable {
assertions = [ assertions = [
{ {

37
modules/nixos-modules/server/immich.nix
View file

@ -1,12 +1,12 @@
{ {
lib, lib,
config, config,
pkgs,
... ...
}: let }: let
mediaLocation = "/var/lib/immich"; mediaLocation = "/var/lib/immich";
in { in {
options.services.immich = { options.host.immich = {
enable = lib.mkEnableOption "should immich be enabled on this computer";
subdomain = lib.mkOption { subdomain = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "subdomain of base domain that immich will be hosted at"; description = "subdomain of base domain that immich will be hosted at";
@ -14,10 +14,10 @@ in {
}; };
}; };
config = lib.mkIf config.services.immich.enable (lib.mkMerge [ config = lib.mkIf config.host.immich.enable (lib.mkMerge [
{ {
host = { host = {
reverse_proxy.subdomains.${config.services.immich.subdomain} = { reverse_proxy.subdomains.${config.host.immich.subdomain} = {
target = "http://localhost:${toString config.services.immich.port}"; target = "http://localhost:${toString config.services.immich.port}";
websockets.enable = true; websockets.enable = true;
@ -44,6 +44,12 @@ in {
}; };
}; };
services.immich = {
enable = true;
port = 2283;
# redis.enable = false;
};
networking.firewall.interfaces.${config.services.tailscale.interfaceName} = { networking.firewall.interfaces.${config.services.tailscale.interfaceName} = {
allowedUDPPorts = [ allowedUDPPorts = [
config.services.immich.port config.services.immich.port
@ -53,27 +59,6 @@ in {
]; ];
}; };
} }
(lib.mkIf config.services.fail2ban.enable {
environment.etc = {
"fail2ban/filter.d/immich.local".text = lib.mkIf config.services.immich.enable (
pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[Definition]
failregex = immich-server.*Failed login attempt for user.+from ip address\s?<ADDR>
journalmatch = CONTAINER_TAG=immich-server
'')
);
};
services.fail2ban = {
jails = {
immich-iptables.settings = lib.mkIf config.services.immich.enable {
enabled = true;
filter = "immich";
backend = "systemd";
};
};
};
})
(lib.mkIf config.host.impermanence.enable { (lib.mkIf config.host.impermanence.enable {
assertions = [ assertions = [
{ {
@ -82,6 +67,8 @@ in {
} }
]; ];
environment.persistence."/persist/system/root" = { environment.persistence."/persist/system/root" = {
enable = true;
hideMounts = true;
directories = [ directories = [
{ {
directory = mediaLocation; directory = mediaLocation;

40
modules/nixos-modules/server/jellyfin.nix
View file

@ -8,7 +8,8 @@
jellyfin_data_directory = "/var/lib/jellyfin"; jellyfin_data_directory = "/var/lib/jellyfin";
jellyfin_cache_directory = "/var/cache/jellyfin"; jellyfin_cache_directory = "/var/cache/jellyfin";
in { in {
options.services.jellyfin = { options.host.jellyfin = {
enable = lib.mkEnableOption "should jellyfin be enabled on this computer";
subdomain = lib.mkOption { subdomain = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "subdomain of base domain that jellyfin will be hosted at"; description = "subdomain of base domain that jellyfin will be hosted at";
@ -26,14 +27,16 @@ in {
}; };
}; };
config = lib.mkIf config.services.jellyfin.enable ( config = lib.mkIf config.host.jellyfin.enable (
lib.mkMerge [ lib.mkMerge [
{ {
services.jellyfin.enable = true;
host.reverse_proxy.subdomains.jellyfin = { host.reverse_proxy.subdomains.jellyfin = {
target = "http://localhost:${toString jellyfinPort}"; target = "http://localhost:${toString jellyfinPort}";
subdomain = config.services.jellyfin.subdomain; subdomain = config.host.jellyfin.subdomain;
extraSubdomains = config.services.jellyfin.extraSubdomains; extraSubdomains = config.host.jellyfin.extraSubdomains;
forwardHeaders.enable = true; forwardHeaders.enable = true;
@ -50,31 +53,6 @@ in {
pkgs.jellyfin-ffmpeg pkgs.jellyfin-ffmpeg
]; ];
} }
(lib.mkIf config.services.fail2ban.enable {
environment.etc = {
"fail2ban/filter.d/jellyfin.local".text = lib.mkIf config.services.jellyfin.enable (
pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[Definition]
failregex = "^.*Authentication request for .* has been denied \\\(IP: \"<ADDR>\"\\\)\\\."
'')
);
};
services.fail2ban = {
jails = {
jellyfin-iptables.settings = lib.mkIf config.services.jellyfin.enable {
enabled = true;
filter = "jellyfin";
action = ''iptables-multiport[name=HTTP, port="http,https"]'';
logpath = "${config.services.jellyfin.dataDir}/log/*.log";
backend = "auto";
findtime = 600;
bantime = 600;
maxretry = 5;
};
};
};
})
(lib.mkIf config.host.impermanence.enable { (lib.mkIf config.host.impermanence.enable {
fileSystems."/persist/system/jellyfin".neededForBoot = true; fileSystems."/persist/system/jellyfin".neededForBoot = true;
@ -104,6 +82,8 @@ in {
environment.persistence = { environment.persistence = {
"/persist/system/root" = { "/persist/system/root" = {
enable = true;
hideMounts = true;
directories = [ directories = [
{ {
directory = jellyfin_data_directory; directory = jellyfin_data_directory;
@ -123,7 +103,7 @@ in {
hideMounts = true; hideMounts = true;
directories = [ directories = [
{ {
directory = config.services.jellyfin.media_directory; directory = config.host.jellyfin.media_directory;
user = "jellyfin"; user = "jellyfin";
group = "jellyfin_media"; group = "jellyfin_media";
mode = "1770"; mode = "1770";

82
modules/nixos-modules/server/searx.nix
View file

@ -4,7 +4,8 @@
inputs, inputs,
... ...
}: { }: {
options.services.searx = { options.host.searx = {
enable = lib.mkEnableOption "should searx be enabled on this computer";
subdomain = lib.mkOption { subdomain = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "subdomain of base domain that searx will be hosted at"; description = "subdomain of base domain that searx will be hosted at";
@ -12,7 +13,7 @@
}; };
}; };
config = lib.mkIf config.services.searx.enable { config = lib.mkIf config.host.searx.enable {
sops.secrets = { sops.secrets = {
"services/searx" = { "services/searx" = {
sopsFile = "${inputs.secrets}/defiant-services.yaml"; sopsFile = "${inputs.secrets}/defiant-services.yaml";
@ -20,52 +21,55 @@
}; };
host = { host = {
reverse_proxy.subdomains.searx = { reverse_proxy.subdomains.searx = {
subdomain = config.services.searx.subdomain; subdomain = config.host.searx.subdomain;
target = "http://localhost:${toString config.services.searx.settings.server.port}"; target = "http://localhost:${toString config.services.searx.settings.server.port}";
}; };
}; };
services.searx = { services = {
environmentFile = config.sops.secrets."services/searx".path; searx = {
enable = true;
environmentFile = config.sops.secrets."services/searx".path;
# Rate limiting # Rate limiting
limiterSettings = { limiterSettings = {
real_ip = { real_ip = {
x_for = 1; x_for = 1;
ipv4_prefix = 32; ipv4_prefix = 32;
ipv6_prefix = 56; ipv6_prefix = 56;
}; };
botdetection = { botdetection = {
ip_limit = { ip_limit = {
filter_link_local = true; filter_link_local = true;
link_token = true; link_token = true;
};
}; };
}; };
};
settings = { settings = {
server = { server = {
port = 8083; port = 8083;
secret_key = "@SEARXNG_SECRET@"; secret_key = "@SEARXNG_SECRET@";
};
# Search engine settings
search = {
safe_search = 2;
autocomplete_min = 2;
autocomplete = "duckduckgo";
};
# Enabled plugins
enabled_plugins = [
"Basic Calculator"
"Hash plugin"
"Tor check plugin"
"Open Access DOI rewrite"
"Hostnames plugin"
"Unit converter plugin"
"Tracker URL remover"
];
}; };
# Search engine settings
search = {
safe_search = 2;
autocomplete_min = 2;
autocomplete = "duckduckgo";
};
# Enabled plugins
enabled_plugins = [
"Basic Calculator"
"Hash plugin"
"Tor check plugin"
"Open Access DOI rewrite"
"Hostnames plugin"
"Unit converter plugin"
"Tracker URL remover"
];
}; };
}; };
}; };