diff --git a/README.md b/README.md index 448c91d..9a1c362 100644 --- a/README.md +++ b/README.md @@ -50,6 +50,7 @@ nix multi user, multi system, configuration with `sops` secret management, `home - monitor configuration in `~/.config/monitors.xml` should be sym linked to `/run/gdm/.config/monitors.xml` (https://www.reddit.com/r/NixOS/comments/u09cz9/home_manager_create_my_own_symlinks_automatically/) - syncthing folders should just be enabled per devices and then combined with "extraDevices" to give final folder configurations - syncthing folder passwords +- nfs export should be backed by the same values for server and client - move fail2ban configs out of fail2ban.nix and into configs for their respective services - nginx config should be reworked to give a list of subdomains and then the config information to apply to each proxy ## New Features diff --git a/configurations/home-manager/leyla/firefox.nix b/configurations/home-manager/leyla/firefox.nix index 3f6a09c..59450c4 100644 --- a/configurations/home-manager/leyla/firefox.nix +++ b/configurations/home-manager/leyla/firefox.nix @@ -261,14 +261,7 @@ bookmarks = [ { name = "Media"; - url = "https://jellyfin.jan-leila.com/"; - # url = "https://media.jan-leila.com/"; - keyword = ""; - tags = [""]; - } - { - name = "Drive"; - url = "https://drive.jan-leila.com/"; + url = "https://media.jan-leila.com/"; keyword = ""; tags = [""]; } @@ -280,7 +273,7 @@ } { name = "Home Automation"; - url = "https://home-assistant.jan-leila.com/"; + url = "https://home.jan-leila.com/"; keyword = ""; tags = [""]; } diff --git a/configurations/nixos/defiant/configuration.nix b/configurations/nixos/defiant/configuration.nix index f70a15d..3923715 100644 --- a/configurations/nixos/defiant/configuration.nix +++ b/configurations/nixos/defiant/configuration.nix @@ -55,18 +55,18 @@ enable = true; directories = [ { - folder = "leyla"; + folder = "leyla_documents"; user = "leyla"; group = "leyla"; bind = "/home/leyla/documents"; } { - folder = "eve"; + folder = "eve_documents"; user = "eve"; group = "eve"; } { - folder = "users"; + folder = "users_documents"; user = "root"; group = "users"; } @@ -79,7 +79,7 @@ ]; nfs = { enable = true; - directories = ["leyla" "eve"]; + directories = ["leyla_documents" "eve_documents" "users_documents" "media"]; }; }; reverse_proxy = { @@ -114,10 +114,6 @@ adguardhome = { enable = false; }; - nextcloud = { - enable = false; - subdomain = "drive"; - }; sync = { enable = true; folders = { diff --git a/configurations/nixos/horizon/hardware-configuration.nix b/configurations/nixos/horizon/hardware-configuration.nix index cb72d55..65c2aa2 100644 --- a/configurations/nixos/horizon/hardware-configuration.nix +++ b/configurations/nixos/horizon/hardware-configuration.nix @@ -39,19 +39,19 @@ }; "/mnt/leyla_documents" = { - device = "defiant:/exports/leyla"; + device = "defiant:/exports/leyla_documents"; fsType = "nfs"; options = ["x-systemd.automount" "user" "noatime" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"]; }; "/mnt/eve_documents" = { - device = "defiant:/exports/eve"; + device = "defiant:/exports/eve_documents"; fsType = "nfs"; options = ["x-systemd.automount" "user" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"]; }; "/mnt/users_documents" = { - device = "defiant:/exports/users"; + device = "defiant:/exports/users_documents"; fsType = "nfs"; options = ["x-systemd.automount" "user" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"]; }; @@ -59,7 +59,7 @@ "/mnt/media" = { device = "defiant:/exports/media"; fsType = "nfs"; - options = ["x-systemd.automount" "noauto" "user" "noatime" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"]; + options = ["user" "noatime" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"]; }; }; diff --git a/configurations/syncthing/default.nix b/configurations/syncthing/default.nix new file mode 100644 index 0000000..bc557eb --- /dev/null +++ b/configurations/syncthing/default.nix @@ -0,0 +1,95 @@ +{config, ...}: { + folders = { + leyla_documents = { + id = "hvrj0-9bm1p"; + }; + leyla_calendar = { + id = "8oatl-1rv6w"; + }; + leyla_notes = { + id = "dwbuv-zffnf"; + }; + share = { + id = "73ot0-cxmkx"; + }; + }; + devices = { + defiant = { + id = "3R6E6Y4-2F7MF2I-IGB4WE6-A3SQSMV-LIBYSAM-2OXHHU2-KJ6CGIV-QNMCPAR"; + folders = { + leyla_documents = { + folder = config.folders.leyla_documents; + path = "/mnt/sync/leyla/documents"; + }; + leyla_calendar = { + folder = config.folders.leyla_calendar; + path = "/mnt/sync/leyla/calendar"; + }; + leyla_notes = { + folder = config.folders.leyla_notes; + path = "/mnt/sync/leyla/notes"; + }; + share = { + folder = config.folders.share; + path = "/mnt/sync/default/share"; + }; + }; + }; + twilight = { + id = "UDIYL7V-OAZ2BI3-EJRAWFB-GZYVDWR-JNUYW3F-FFQ35MU-XBTGWEF-QD6K6QN"; + folders = { + leyla_documents = { + folder = config.folders.leyla_documents; + path = "/mnt/sync/leyla/documents"; + }; + share = { + folder = config.folders.share; + path = "/mnt/sync/default/share"; + }; + }; + }; + horizon = { + id = "OGPAEU6-5UR56VL-SP7YC4Y-IMVCRTO-XFD4CYN-Z6T5TZO-PFZNAT6-4MKWPQS"; + folders = { + leyla_documents = { + folder = config.folders.leyla_documents; + path = "/mnt/sync/leyla/documents"; + }; + share = { + folder = config.folders.share; + path = "/mnt/sync/default/share"; + }; + }; + }; + coven = { + id = "QGU7NN6-OMXTWVA-YCZ73S5-2O7ECTS-MUCTN4M-YH6WLEL-U4U577I-7PBNCA5"; + folders = { + share = { + folder = config.folders.share; + }; + }; + }; + ceder = { + id = "MGXUJBS-7AENXHB-7YQRNWG-QILKEJD-5462U2E-WAQW4R4-I2TVK5H-SMK6LAA"; + folders = { + share = { + folder = config.folders.share; + }; + leyla_calendar = { + folder = config.folders.leyla_calendar; + }; + leyla_notes = { + folder = config.folders.leyla_notes; + }; + }; + }; + shale = { + id = "AOAXEVD-QJ2IVRA-6G44Q7Q-TGUPXU2-FWWKOBH-DPKWC5N-LBAEHWJ-7EQF4AM"; + folders = { + share = { + folder = config.folders.share; + }; + }; + }; + }; +} diff --git a/flake.lock b/flake.lock index ce9b77d..11bbff8 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1740485968, - "narHash": "sha256-WK+PZHbfDjLyveXAxpnrfagiFgZWaTJglewBWniTn2Y=", + "lastModified": 1741786315, + "narHash": "sha256-VT65AE2syHVj6v/DGB496bqBnu1PXrrzwlw07/Zpllc=", "owner": "nix-community", "repo": "disko", - "rev": "19c1140419c4f1cdf88ad4c1cfb6605597628940", + "rev": "0d8c6ad4a43906d14abd5c60e0ffe7b587b213de", "type": "github" }, "original": { @@ -29,11 +29,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1741233805, - "narHash": "sha256-aNmlbxeKPUfuOynHvIMBPrNgEs1ldHDIz1wbkitKDSs=", + "lastModified": 1741838604, + "narHash": "sha256-ytHdrfSbbPvla43Ykd61cVkS2JLA8wBEHcnf4yLFP7Y=", "owner": "rycee", "repo": "nur-expressions", - "rev": "a1cc22e90f45f6075a991348e896f1595c4efce9", + "rev": "e41884886e7798003973f487f37b979ee92f7d99", "type": "gitlab" }, "original": { @@ -58,22 +58,6 @@ "type": "github" } }, - "flake-compat_2": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, "flake-utils": { "locked": { "lastModified": 1629284811, @@ -147,11 +131,11 @@ ] }, "locked": { - "lastModified": 1741217763, - "narHash": "sha256-g/TrltIjFHIjtzKY5CJpoPANfHQWDD43G5U1a/v5oVg=", + "lastModified": 1741791118, + "narHash": "sha256-4Y427uj0eql4yRU5rely3EcOlB9q457UDbG9omPtXiA=", "owner": "nix-community", "repo": "home-manager", - "rev": "486b066025dccd8af7fbe5dd2cc79e46b88c80da", + "rev": "18780912345970e5b546b1b085385789b6935a83", "type": "github" }, "original": { @@ -217,11 +201,11 @@ ] }, "locked": { - "lastModified": 1741229100, - "narHash": "sha256-0HwrTDXp9buEwal/1ymK9uQmzUD5ozIA7CJGqnT/gLs=", + "lastModified": 1741794429, + "narHash": "sha256-4J46D8sOZ3UroVyGYKYMU3peq9gv0tjRX0KbZihWhhw=", "owner": "LnL7", "repo": "nix-darwin", - "rev": "adf5c88ba1fe21af5c083b4d655004431f20c5ab", + "rev": "2fb6b09b678a1ab258cf88e3ea4a966edceec6a8", "type": "github" }, "original": { @@ -230,20 +214,40 @@ "type": "github" } }, + "nix-syncthing": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1741849924, + "narHash": "sha256-5vyb1H6HtW24QVqfI56P4QVQP6vHh1jS9ULwnunCO94=", + "ref": "main", + "rev": "86bcb200c83b6a5d13b3583126b9d8dc6770613a", + "revCount": 6, + "type": "git", + "url": "https://git.jan-leila.com/jan-leila/nix-syncthing" + }, + "original": { + "ref": "main", + "type": "git", + "url": "https://git.jan-leila.com/jan-leila/nix-syncthing" + } + }, "nix-vscode-extensions": { "inputs": { - "flake-compat": "flake-compat_2", "flake-utils": "flake-utils_3", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1740275623, - "narHash": "sha256-LQ9hq3hKwWqm+dzBhgsIkr2KO6Bb0aU+yO/TtI7hXXo=", + "lastModified": 1741830545, + "narHash": "sha256-SzbDILDATgMCYk2SxPYLCBVdT6mHtlyeYZDn2SZaIuU=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "35ff5dce04469e7b4e56a9d997e5201bfce52ae3", + "rev": "28318c164b39b70a14851aed7ad0ea7f03ca417e", "type": "github" }, "original": { @@ -254,11 +258,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1740646007, - "narHash": "sha256-dMReDQobS3kqoiUCQIYI9c0imPXRZnBubX20yX/G5LE=", + "lastModified": 1741792691, + "narHash": "sha256-f0BVt1/cvA0DQ/q3rB+HY4g4tKksd03ZkzI4xehC2Ew=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "009b764ac98a3602d41fc68072eeec5d24fc0e49", + "rev": "e1f12151258b12c567f456d8248e4694e9390613", "type": "github" }, "original": { @@ -270,11 +274,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1741173522, - "narHash": "sha256-k7VSqvv0r1r53nUI/IfPHCppkUAddeXn843YlAC5DR0=", + "lastModified": 1741513245, + "narHash": "sha256-7rTAMNTY1xoBwz0h7ZMtEcd8LELk9R5TzBPoHuhNSCk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "d69ab0d71b22fa1ce3dbeff666e6deb4917db049", + "rev": "e3e32b642a31e6714ec1b712de8c91a3352ce7e1", "type": "github" }, "original": { @@ -293,6 +297,7 @@ "impermanence": "impermanence", "lix-module": "lix-module", "nix-darwin": "nix-darwin", + "nix-syncthing": "nix-syncthing", "nix-vscode-extensions": "nix-vscode-extensions", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", @@ -323,11 +328,11 @@ ] }, "locked": { - "lastModified": 1741043164, - "narHash": "sha256-9lfmSZLz6eq9Ygr6cCmvQiiBEaPb54pUBcjvbEMPORc=", + "lastModified": 1741644481, + "narHash": "sha256-E0RrMykMtEv15V3QhpsFutgoSKhL1JBhidn+iZajOyg=", "owner": "Mic92", "repo": "sops-nix", - "rev": "3f2412536eeece783f0d0ad3861417f347219f4d", + "rev": "e653d71e82575a43fe9d228def8eddb73887b866", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index f36ee44..8c64e2b 100644 --- a/flake.nix +++ b/flake.nix @@ -22,6 +22,12 @@ flake = false; }; + # common config for syncthing + nix-syncthing = { + url = "git+https://git.jan-leila.com/jan-leila/nix-syncthing?ref=main"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + # disk configurations disko = { url = "github:nix-community/disko"; @@ -71,6 +77,7 @@ self, nixpkgs, sops-nix, + nix-syncthing, home-manager, impermanence, ... @@ -82,6 +89,7 @@ mkNixosSystem = util.mkNixosSystem; mkDarwinSystem = util.mkDarwinSystem; mkHome = util.mkHome; + syncthingConfiguration = util.syncthingConfiguration; installerSystems = { basic = mkNixosInstaller "basic" []; @@ -151,5 +159,7 @@ darwinConfigurations = darwinSystems; homeConfigurations = homeConfigurations; + + syncthingConfiguration = syncthingConfiguration; }; } diff --git a/modules/nixos-modules/server/default.nix b/modules/nixos-modules/server/default.nix index a031b0d..8854936 100644 --- a/modules/nixos-modules/server/default.nix +++ b/modules/nixos-modules/server/default.nix @@ -10,6 +10,5 @@ ./searx.nix ./home-assistant.nix ./adguardhome.nix - ./nextcloud.nix ]; } diff --git a/modules/nixos-modules/server/fail2ban.nix b/modules/nixos-modules/server/fail2ban.nix index 2f6dc58..cd2a978 100644 --- a/modules/nixos-modules/server/fail2ban.nix +++ b/modules/nixos-modules/server/fail2ban.nix @@ -1,5 +1,6 @@ { lib, + pkgs, config, ... }: let @@ -12,6 +13,41 @@ in { config = lib.mkIf config.host.fail2ban.enable (lib.mkMerge [ { + environment.etc = { + "fail2ban/filter.d/nginx.local".text = lib.mkIf config.services.nginx.enable ( + pkgs.lib.mkDefault (pkgs.lib.mkAfter '' + [Definition] + failregex = "limiting requests, excess:.* by zone.*client: " + '') + ); + "fail2ban/filter.d/jellyfin.local".text = lib.mkIf config.services.jellyfin.enable ( + pkgs.lib.mkDefault (pkgs.lib.mkAfter '' + [Definition] + failregex = "^.*Authentication request for .* has been denied \\\(IP: \"\"\\\)\\\." + '') + ); + "fail2ban/filter.d/forgejo.local".text = lib.mkIf config.services.forgejo.enable ( + pkgs.lib.mkDefault (pkgs.lib.mkAfter '' + [Definition] + failregex = ".*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from " + '') + ); + "fail2ban/filter.d/hass.local".text = lib.mkIf config.services.home-assistant.enable ( + pkgs.lib.mkDefault (pkgs.lib.mkAfter '' + [INCLUDES] + before = common.conf + + [Definition] + failregex = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from .*$ + + ignoreregex = + + [Init] + datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S + '') + ); + }; + services.fail2ban = { enable = true; maxretry = 5; @@ -34,54 +70,40 @@ in { }; jails = { nginx-iptables.settings = lib.mkIf config.services.nginx.enable { + enabled = true; filter = "nginx"; action = ''iptables-multiport[name=HTTP, port="http,https"]''; backend = "auto"; - failregex = "limiting requests, excess:.* by zone.*client: "; findtime = 600; bantime = 600; maxretry = 5; }; jellyfin-iptables.settings = lib.mkIf config.services.jellyfin.enable { + enabled = true; filter = "jellyfin"; action = ''iptables-multiport[name=HTTP, port="http,https"]''; logpath = "${config.services.jellyfin.dataDir}/log/*.log"; backend = "auto"; - failregex = "^.*Authentication request for .* has been denied \\\(IP: \"\"\\\)\\\."; - findtime = 600; - bantime = 600; - maxretry = 5; - }; - nextcloud-iptables.settings = lib.mkIf config.services.nextcloud.enable { - filter = "nextcloud"; - action = ''iptables-multiport[name=HTTP, port="http,https"]''; - logpath = "${config.services.nextcloud.datadir}/*.log"; - backend = "auto"; - failregex = '' - ^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: ''\)","level":2,"time":".*"}$ - ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user,:".*","app":"no app in context".*","method":".*","message":"Login failed: '.*' \(Remote IP: ''\)".*}$ - ^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*","app":".*","method":".*","url":".*","message":"Login failed: .* \(Remote IP: \).*}$ - ''; findtime = 600; bantime = 600; maxretry = 5; }; forgejo-iptables.settings = lib.mkIf config.services.forgejo.enable { + enabled = true; filter = "forgejo"; action = ''iptables-multiport[name=HTTP, port="http,https"]''; logpath = "${config.services.forgejo.stateDir}/log/*.log"; backend = "auto"; - failregex = ".*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from "; findtime = 600; bantime = 600; maxretry = 5; }; home-assistant-iptables.settings = lib.mkIf config.services.home-assistant.enable { - filter = "home-assistant"; + enabled = true; + filter = "hass"; action = ''iptables-multiport[name=HTTP, port="http,https"]''; logpath = "${config.services.home-assistant.configDir}/*.log"; backend = "auto"; - failregex = "^%(__prefix_line)s.*Login attempt or request with invalid authentication from .*$"; findtime = 600; bantime = 600; maxretry = 5; diff --git a/modules/nixos-modules/server/home-assistant.nix b/modules/nixos-modules/server/home-assistant.nix index 5c4b81f..01423e6 100644 --- a/modules/nixos-modules/server/home-assistant.nix +++ b/modules/nixos-modules/server/home-assistant.nix @@ -1,11 +1,9 @@ { lib, - pkgs, config, ... }: let configDir = "/var/lib/hass"; - db_user = "hass"; in { options.host.home-assistant = { enable = lib.mkEnableOption "should home-assistant be enabled on this computer"; @@ -23,13 +21,6 @@ in { ]; services.home-assistant = { enable = true; - package = - (pkgs.home-assistant.override { - extraPackages = py: with py; [psycopg2]; - }) - .overrideAttrs (oldAttrs: { - doInstallCheck = false; - }); configDir = configDir; extraComponents = [ "met" @@ -43,7 +34,6 @@ in { "sonos" "analytics_insights" "unifi" - "minecraft_server" "openweathermap" ]; config = { @@ -54,21 +44,17 @@ in { ip_ban_enabled = true; login_attempts_threshold = 10; }; - recorder.db_url = "postgresql://@/${db_user}"; + # recorder.db_url = "postgresql://@/${db_user}"; "automation manual" = []; "automation ui" = "!include automations.yaml"; }; extraPackages = python3Packages: with python3Packages; [ + hassil numpy gtts ]; }; - systemd.services.home-assistant = { - requires = [ - "postgresql.service" - ]; - }; host = { reverse_proxy.subdomains.${config.host.home-assistant.subdomain} = { target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}"; @@ -89,20 +75,6 @@ in { proxy_read_timeout 90; ''; }; - postgres = { - enable = true; - extraUsers = { - ${db_user} = { - isClient = true; - createUser = true; - }; - }; - extraDatabases = { - ${db_user} = { - name = db_user; - }; - }; - }; }; } (lib.mkIf config.host.impermanence.enable { diff --git a/modules/nixos-modules/server/jellyfin.nix b/modules/nixos-modules/server/jellyfin.nix index ba58fe9..e3eb986 100644 --- a/modules/nixos-modules/server/jellyfin.nix +++ b/modules/nixos-modules/server/jellyfin.nix @@ -38,8 +38,6 @@ in { extraConfig = '' client_max_body_size 20M; add_header X-Content-Type-Options "nosniff"; - add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'"; - add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; @@ -59,8 +57,6 @@ in { extraConfig = '' client_max_body_size 20M; add_header X-Content-Type-Options "nosniff"; - add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'"; - add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; diff --git a/modules/nixos-modules/server/network_storage/nfs.nix b/modules/nixos-modules/server/network_storage/nfs.nix index 9aaab39..b398582 100644 --- a/modules/nixos-modules/server/network_storage/nfs.nix +++ b/modules/nixos-modules/server/network_storage/nfs.nix @@ -38,15 +38,18 @@ services.nfs.server = { enable = true; exports = lib.strings.concatLines ( - lib.lists.imap0 ( - i: directory: "${directory._directory} 100.64.0.0/10(rw,sync,no_subtree_check,crossmnt,fsid=${builtins.toString i})" - ) - ( - builtins.filter ( - directory: lib.lists.any (target: target == directory.folder) config.host.network_storage.nfs.directories + [ + "/export 100.64.0.0/10(rw,fsid=0,no_subtree_check)" + ] + ++ (builtins.map ( + directory: "${directory._directory} 100.64.0.0/10(rw,nohide,sync,no_subtree_check,crossmnt)" ) - config.host.network_storage.directories - ) + ( + builtins.filter ( + directory: lib.lists.any (target: target == directory.folder) config.host.network_storage.nfs.directories + ) + config.host.network_storage.directories + )) ); }; networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = [ diff --git a/modules/nixos-modules/server/nextcloud.nix b/modules/nixos-modules/server/nextcloud.nix deleted file mode 100644 index ada61dd..0000000 --- a/modules/nixos-modules/server/nextcloud.nix +++ /dev/null @@ -1,69 +0,0 @@ -{ - lib, - pkgs, - config, - inputs, - ... -}: let - dataDir = "/var/lib/nextcloud"; -in { - options.host.nextcloud = { - enable = lib.mkEnableOption "should nextcloud be enabled on this computer"; - subdomain = lib.mkOption { - type = lib.types.str; - description = "subdomain of base domain that nextcloud will be hosted at"; - default = "nextcloud"; - }; - }; - - config = lib.mkIf config.host.nextcloud.enable (lib.mkMerge [ - { - sops.secrets = { - "services/nextcloud_adminpass" = { - sopsFile = "${inputs.secrets}/defiant-services.yaml"; - owner = config.users.users.nextcloud.name; - }; - }; - - host = { - reverse_proxy.subdomains.${config.host.nextcloud.subdomain} = { - target = "http://localhost:${toString 8009}"; - }; - }; - - services = { - nextcloud = { - enable = true; - package = pkgs.nextcloud31; - hostName = "${config.host.nextcloud.subdomain}.${config.host.reverse_proxy.hostname}"; - settings.log_type = "file"; - config = { - adminpassFile = config.sops.secrets."services/nextcloud_adminpass".path; - adminuser = "admin"; - dbtype = "sqlite"; - }; - }; - }; - } - (lib.mkIf config.host.impermanence.enable { - assertions = [ - { - assertion = config.services.nextcloud.datadir == dataDir; - message = "nextcloud data directory does not match persistence"; - } - ]; - - environment.persistence."/persist/system/root" = { - enable = true; - hideMounts = true; - directories = [ - { - directory = dataDir; - user = "nextcloud"; - group = "nextcloud"; - } - ]; - }; - }) - ]); -} diff --git a/modules/nixos-modules/sync.nix b/modules/nixos-modules/sync.nix index 516e141..e185781 100644 --- a/modules/nixos-modules/sync.nix +++ b/modules/nixos-modules/sync.nix @@ -1,6 +1,7 @@ { config, lib, + outputs, ... }: let mountDir = "/mnt/sync"; @@ -59,97 +60,24 @@ in { configDir = configDir; overrideDevices = true; overrideFolders = true; - settings = { - devices = { - ceder = { - id = "MGXUJBS-7AENXHB-7YQRNWG-QILKEJD-5462U2E-WAQW4R4-I2TVK5H-SMK6LAA"; - }; - coven = { - id = "QGU7NN6-OMXTWVA-YCZ73S5-2O7ECTS-MUCTN4M-YH6WLEL-U4U577I-7PBNCA5"; - }; - defiant = lib.mkIf (config.networking.hostName != "defiant") { - id = "3R6E6Y4-2F7MF2I-IGB4WE6-A3SQSMV-LIBYSAM-2OXHHU2-KJ6CGIV-QNMCPAR"; - }; - twilight = lib.mkIf (config.networking.hostName != "twilight") { - id = "UDIYL7V-OAZ2BI3-EJRAWFB-GZYVDWR-JNUYW3F-FFQ35MU-XBTGWEF-QD6K6QN"; - }; - horizon = lib.mkIf (config.networking.hostName != "horizon") { - id = "OGPAEU6-5UR56VL-SP7YC4Y-IMVCRTO-XFD4CYN-Z6T5TZO-PFZNAT6-4MKWPQS"; - }; - shale = { - id = "AOAXEVD-QJ2IVRA-6G44Q7Q-TGUPXU2-FWWKOBH-DPKWC5N-LBAEHWJ-7EQF4AM"; - }; - }; - folders = let - ceder = "ceder"; - coven = "coven"; - shale = "shale"; - defiant = lib.mkIf (config.networking.hostName != "defiant") "defiant"; - twilight = lib.mkIf (config.networking.hostName != "twilight") "twilight"; - horizon = lib.mkIf (config.networking.hostName != "horizon") "horizon"; - in - lib.mkMerge [ - config.host.sync.folders.extraFolders - (lib.mkIf config.host.sync.folders.leyla.documents.enable { - "documents" = { - id = "hvrj0-9bm1p"; - path = "${mountDir}/leyla/documents"; - devices = [ - defiant - ceder - coven - twilight - horizon - ]; - }; - }) - (lib.mkIf config.host.sync.folders.share.calendar.enable { - "calendar" = { - id = "8oatl-1rv6w"; - path = "${mountDir}/default/calendar"; - devices = [ - defiant - ceder - shale - ]; - }; - }) - (lib.mkIf config.host.sync.folders.leyla.notes.enable { - "notes" = { - id = "dwbuv-zffnf"; - path = "${mountDir}/leyla/notes"; - devices = [ - defiant - ceder - ]; - }; - }) - (lib.mkIf config.host.sync.folders.share.enable { - "share" = { - id = "73ot0-cxmkx"; - path = "${mountDir}/default/share"; - devices = [ - defiant - ceder - coven - twilight - horizon - shale - ]; - }; - }) - ]; - }; + configuration = outputs.syncthingConfiguration; + deviceName = config.networking.hostName; }; } (lib.mkIf config.host.impermanence.enable { - assertions = [ - { - assertion = config.services.syncthing.configDir == configDir; - message = "syncthing config dir does not match persistence"; - } - ]; + assertions = + [ + { + assertion = config.services.syncthing.configDir == configDir; + message = "syncthing config dir does not match persistence"; + } + ] + ++ lib.attrsets.mapAttrsToList (_: folder: { + assertion = lib.strings.hasPrefix mountDir folder.path; + message = "syncthing folder ${folder.label} is stored at ${folder.path} which not under the persisted path of ${mountDir}"; + }) + config.services.syncthing.folders; environment.persistence = { "/persist/system/root" = { enable = true; diff --git a/util/default.nix b/util/default.nix index cdc0caa..028212c 100644 --- a/util/default.nix +++ b/util/default.nix @@ -7,6 +7,7 @@ home-manager = inputs.home-manager; nix-darwin = inputs.nix-darwin; sops-nix = inputs.sops-nix; + nix-syncthing = inputs.nix-syncthing; disko = inputs.disko; impermanence = inputs.impermanence; lix-module = inputs.lix-module; @@ -73,6 +74,7 @@ in { system-modules ++ [ sops-nix.nixosModules.sops + nix-syncthing.nixosModules.syncthing impermanence.nixosModules.impermanence home-manager.nixosModules.home-manager disko.nixosModules.disko @@ -107,4 +109,10 @@ in { ../configurations/home-manager/${user} ]; }; + + syncthingConfiguration = nix-syncthing.lib.syncthingConfiguration { + modules = [ + (import ../configurations/syncthing) + ]; + }; }