Compare commits


10 commits

15 changed files with 239 additions and 280 deletions


@ -50,6 +50,7 @@ nix multi user, multi system, configuration with `sops` secret management, `home
- monitor configuration in `~/.config/monitors.xml` should be sym linked to `/run/gdm/.config/monitors.xml` (https://www.reddit.com/r/NixOS/comments/u09cz9/home_manager_create_my_own_symlinks_automatically/)
- syncthing folders should just be enabled per devices and then combined with "extraDevices" to give final folder configurations
- syncthing folder passwords
- nfs export should be backed by the same values for server and client
- move fail2ban configs out of fail2ban.nix and into configs for their respective services
- nginx config should be reworked to give a list of subdomains and then the config information to apply to each proxy
## New Features


@ -261,14 +261,7 @@
bookmarks = [
{
name = "Media";
url = "https://jellyfin.jan-leila.com/";
# url = "https://media.jan-leila.com/";
keyword = "";
tags = [""];
}
{
name = "Drive";
url = "https://drive.jan-leila.com/";
url = "https://media.jan-leila.com/";
keyword = "";
tags = [""];
}
@ -280,7 +273,7 @@
}
{
name = "Home Automation";
url = "https://home-assistant.jan-leila.com/";
url = "https://home.jan-leila.com/";
keyword = "";
tags = [""];
}


@ -55,18 +55,18 @@
enable = true;
directories = [
{
folder = "leyla";
folder = "leyla_documents";
user = "leyla";
group = "leyla";
bind = "/home/leyla/documents";
}
{
folder = "eve";
folder = "eve_documents";
user = "eve";
group = "eve";
}
{
folder = "users";
folder = "users_documents";
user = "root";
group = "users";
}
@ -79,7 +79,7 @@
];
nfs = {
enable = true;
directories = ["leyla" "eve"];
directories = ["leyla_documents" "eve_documents" "users_documents" "media"];
};
};
reverse_proxy = {
@ -114,10 +114,6 @@
adguardhome = {
enable = false;
};
nextcloud = {
enable = false;
subdomain = "drive";
};
sync = {
enable = true;
folders = {
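Review bot: `users_documents` and `media` are added to the NFS export list at L77, so both become read-write to every address the server exports to with whatever options the nfs module applies; no `sec=` is visible anywhere in this commit, so this is presumably `sec=sys`, where file access is decided by the uid/gid the client asserts. For `users_documents` (owned root:users at L69–L70) that means membership in `users` is enforced only by client-side gids, and no `media` entry appears in the `directories` list in this hunk, so confirm it is defined with an appropriate owner before it is exported. If the tailnet ACL is meant to be the real boundary, record that next to the list, e.g. `# exported rw with sec=sys: access control is the Tailscale ACL plus client uid/gid, not per-user auth`. The `host.network_storage` attribute set starts before the hunk.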


@ -39,19 +39,19 @@
};
"/mnt/leyla_documents" = {
device = "defiant:/exports/leyla";
device = "defiant:/exports/leyla_documents";
fsType = "nfs";
options = ["x-systemd.automount" "user" "noatime" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"];
};
"/mnt/eve_documents" = {
device = "defiant:/exports/eve";
device = "defiant:/exports/eve_documents";
fsType = "nfs";
options = ["x-systemd.automount" "user" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"];
};
"/mnt/users_documents" = {
device = "defiant:/exports/users";
device = "defiant:/exports/users_documents";
fsType = "nfs";
options = ["x-systemd.automount" "user" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"];
};
@ -59,7 +59,7 @@
"/mnt/media" = {
device = "defiant:/exports/media";
fsType = "nfs";
options = ["x-systemd.automount" "noauto" "user" "noatime" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"];
options = ["user" "noatime" "nofail" "soft" "x-systemd.idle-timeout=600" "fsc"];
};
};
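Review bot: All four mounts in this hunk keep `soft` and none carries `ro`, so they are read-write mounts on which a server timeout returns an error to the application and can drop buffered writes silently; for the three document mounts, `hard` together with the `x-systemd.automount` and `nofail` options already present gives the same boot-time tolerance without that data-loss mode, leaving `soft` for read-mostly data such as `media`. The `/mnt/media` entry at L120 drops `x-systemd.automount` and `noauto`, so it is now mounted at boot rather than on first access; `nofail` keeps boot from blocking on it, but if lazy mounting is still intended the automount option should be restored. A one-line comment on the `soft` choice, e.g. `# soft: prefer I/O errors over hangs when defiant is unreachable; do not rely on writes here`, would make the trade-off explicit. The `fileSystems` attribute set starts before the hunk.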


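--- /dev/null
+++ b/configurations/syncthing/default.nix
@@ -0,0 +1,95 @@
+{config, ...}: {
+folders = {
+leyla_documents = {
+id = "hvrj0-9bm1p";
+};
+leyla_calendar = {
+id = "8oatl-1rv6w";
+};
+leyla_notes = {
+id = "dwbuv-zffnf";
+};
+share = {
+id = "73ot0-cxmkx";
+};
+};
+devices = {
+defiant = {
+id = "3R6E6Y4-2F7MF2I-IGB4WE6-A3SQSMV-LIBYSAM-2OXHHU2-KJ6CGIV-QNMCPAR";
+folders = {
+leyla_documents = {
+folder = config.folders.leyla_documents;
+path = "/mnt/sync/leyla/documents";
+};
+leyla_calendar = {
+folder = config.folders.leyla_calendar;
+path = "/mnt/sync/leyla/calendar";
+};
+leyla_notes = {
+folder = config.folders.leyla_notes;
+path = "/mnt/sync/leyla/notes";
+};
+share = {
+folder = config.folders.share;
+path = "/mnt/sync/default/share";
+};
+};
+};
+twilight = {
+id = "UDIYL7V-OAZ2BI3-EJRAWFB-GZYVDWR-JNUYW3F-FFQ35MU-XBTGWEF-QD6K6QN";
+folders = {
+leyla_documents = {
+folder = config.folders.leyla_documents;
+path = "/mnt/sync/leyla/documents";
+};
+share = {
+folder = config.folders.share;
+path = "/mnt/sync/default/share";
+};
+};
+};
+horizon = {
+id = "OGPAEU6-5UR56VL-SP7YC4Y-IMVCRTO-XFD4CYN-Z6T5TZO-PFZNAT6-4MKWPQS";
+folders = {
+leyla_documents = {
+folder = config.folders.leyla_documents;
+path = "/mnt/sync/leyla/documents";
+};
+share = {
+folder = config.folders.share;
+path = "/mnt/sync/default/share";
+};
+};
+};
+coven = {
+id = "QGU7NN6-OMXTWVA-YCZ73S5-2O7ECTS-MUCTN4M-YH6WLEL-U4U577I-7PBNCA5";
+folders = {
+share = {
+folder = config.folders.share;
+};
+};
+};
+ceder = {
+id = "MGXUJBS-7AENXHB-7YQRNWG-QILKEJD-5462U2E-WAQW4R4-I2TVK5H-SMK6LAA";
+folders = {
+share = {
+folder = config.folders.share;
+};
+leyla_calendar = {
+folder = config.folders.leyla_calendar;
+};
+leyla_notes = {
+folder = config.folders.leyla_notes;
+};
+};
+};
+shale = {
+id = "AOAXEVD-QJ2IVRA-6G44Q7Q-TGUPXU2-FWWKOBH-DPKWC5N-LBAEHWJ-7EQF4AM";
+folders = {
+share = {
+folder = config.folders.share;
+};
+};
+};
+};
+}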
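Review bot: `leyla_calendar` is placed at `/mnt/sync/leyla/calendar` on defiant (L152), whereas the configuration this commit deletes from sync.nix kept the same folder id `8oatl-1rv6w` at `/mnt/sync/default/calendar`; keeping the id while moving the path means Syncthing's existing index still describes the old location, so unless the directory (including its `.stfolder` marker) is moved before the switch the folder will come up empty or stop on a missing marker — move it as part of the rollout and say so in a comment on the `path` line. Folder membership also changes quietly: coven was previously in the documents folder and shale in calendar, and neither is now, which is fine if intended but worth a line in the commit message. The entries for coven, ceder and shale carry no `path`, so their location comes from whatever default nix-syncthing supplies; a comment at the top of `devices` stating that `path` is optional and what the default is would save the next reader a trip into that module. Device ids are public key fingerprints rather than secrets, so committing them is fine; `# device ids are public fingerprints; each host's private key stays in its configDir` above `devices` would pre-empt the question.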


@ -7,11 +7,11 @@
]
},
"locked": {
"lastModified": 1740485968,
"narHash": "sha256-WK+PZHbfDjLyveXAxpnrfagiFgZWaTJglewBWniTn2Y=",
"lastModified": 1741786315,
"narHash": "sha256-VT65AE2syHVj6v/DGB496bqBnu1PXrrzwlw07/Zpllc=",
"owner": "nix-community",
"repo": "disko",
"rev": "19c1140419c4f1cdf88ad4c1cfb6605597628940",
"rev": "0d8c6ad4a43906d14abd5c60e0ffe7b587b213de",
"type": "github"
},
"original": {
@ -29,11 +29,11 @@
},
"locked": {
"dir": "pkgs/firefox-addons",
"lastModified": 1741233805,
"narHash": "sha256-aNmlbxeKPUfuOynHvIMBPrNgEs1ldHDIz1wbkitKDSs=",
"lastModified": 1741838604,
"narHash": "sha256-ytHdrfSbbPvla43Ykd61cVkS2JLA8wBEHcnf4yLFP7Y=",
"owner": "rycee",
"repo": "nur-expressions",
"rev": "a1cc22e90f45f6075a991348e896f1595c4efce9",
"rev": "e41884886e7798003973f487f37b979ee92f7d99",
"type": "gitlab"
},
"original": {
@ -58,22 +58,6 @@
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": {
"locked": {
"lastModified": 1629284811,
@ -147,11 +131,11 @@
]
},
"locked": {
"lastModified": 1741217763,
"narHash": "sha256-g/TrltIjFHIjtzKY5CJpoPANfHQWDD43G5U1a/v5oVg=",
"lastModified": 1741791118,
"narHash": "sha256-4Y427uj0eql4yRU5rely3EcOlB9q457UDbG9omPtXiA=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "486b066025dccd8af7fbe5dd2cc79e46b88c80da",
"rev": "18780912345970e5b546b1b085385789b6935a83",
"type": "github"
},
"original": {
@ -217,11 +201,11 @@
]
},
"locked": {
"lastModified": 1741229100,
"narHash": "sha256-0HwrTDXp9buEwal/1ymK9uQmzUD5ozIA7CJGqnT/gLs=",
"lastModified": 1741794429,
"narHash": "sha256-4J46D8sOZ3UroVyGYKYMU3peq9gv0tjRX0KbZihWhhw=",
"owner": "LnL7",
"repo": "nix-darwin",
"rev": "adf5c88ba1fe21af5c083b4d655004431f20c5ab",
"rev": "2fb6b09b678a1ab258cf88e3ea4a966edceec6a8",
"type": "github"
},
"original": {
@ -230,20 +214,40 @@
"type": "github"
}
},
"nix-syncthing": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1741849924,
"narHash": "sha256-5vyb1H6HtW24QVqfI56P4QVQP6vHh1jS9ULwnunCO94=",
"ref": "main",
"rev": "86bcb200c83b6a5d13b3583126b9d8dc6770613a",
"revCount": 6,
"type": "git",
"url": "https://git.jan-leila.com/jan-leila/nix-syncthing"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.jan-leila.com/jan-leila/nix-syncthing"
}
},
"nix-vscode-extensions": {
"inputs": {
"flake-compat": "flake-compat_2",
"flake-utils": "flake-utils_3",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1740275623,
"narHash": "sha256-LQ9hq3hKwWqm+dzBhgsIkr2KO6Bb0aU+yO/TtI7hXXo=",
"lastModified": 1741830545,
"narHash": "sha256-SzbDILDATgMCYk2SxPYLCBVdT6mHtlyeYZDn2SZaIuU=",
"owner": "nix-community",
"repo": "nix-vscode-extensions",
"rev": "35ff5dce04469e7b4e56a9d997e5201bfce52ae3",
"rev": "28318c164b39b70a14851aed7ad0ea7f03ca417e",
"type": "github"
},
"original": {
@ -254,11 +258,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1740646007,
"narHash": "sha256-dMReDQobS3kqoiUCQIYI9c0imPXRZnBubX20yX/G5LE=",
"lastModified": 1741792691,
"narHash": "sha256-f0BVt1/cvA0DQ/q3rB+HY4g4tKksd03ZkzI4xehC2Ew=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "009b764ac98a3602d41fc68072eeec5d24fc0e49",
"rev": "e1f12151258b12c567f456d8248e4694e9390613",
"type": "github"
},
"original": {
@ -270,11 +274,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1741173522,
"narHash": "sha256-k7VSqvv0r1r53nUI/IfPHCppkUAddeXn843YlAC5DR0=",
"lastModified": 1741513245,
"narHash": "sha256-7rTAMNTY1xoBwz0h7ZMtEcd8LELk9R5TzBPoHuhNSCk=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "d69ab0d71b22fa1ce3dbeff666e6deb4917db049",
"rev": "e3e32b642a31e6714ec1b712de8c91a3352ce7e1",
"type": "github"
},
"original": {
@ -293,6 +297,7 @@
"impermanence": "impermanence",
"lix-module": "lix-module",
"nix-darwin": "nix-darwin",
"nix-syncthing": "nix-syncthing",
"nix-vscode-extensions": "nix-vscode-extensions",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
@ -323,11 +328,11 @@
]
},
"locked": {
"lastModified": 1741043164,
"narHash": "sha256-9lfmSZLz6eq9Ygr6cCmvQiiBEaPb54pUBcjvbEMPORc=",
"lastModified": 1741644481,
"narHash": "sha256-E0RrMykMtEv15V3QhpsFutgoSKhL1JBhidn+iZajOyg=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "3f2412536eeece783f0d0ad3861417f347219f4d",
"rev": "e653d71e82575a43fe9d228def8eddb73887b866",
"type": "github"
},
"original": {


@ -22,6 +22,12 @@
flake = false;
};
# common config for syncthing
nix-syncthing = {
url = "git+https://git.jan-leila.com/jan-leila/nix-syncthing?ref=main";
inputs.nixpkgs.follows = "nixpkgs";
};
# disk configurations
disko = {
url = "github:nix-community/disko";
@ -71,6 +77,7 @@
self,
nixpkgs,
sops-nix,
nix-syncthing,
home-manager,
impermanence,
...
@ -82,6 +89,7 @@
mkNixosSystem = util.mkNixosSystem;
mkDarwinSystem = util.mkDarwinSystem;
mkHome = util.mkHome;
syncthingConfiguration = util.syncthingConfiguration;
installerSystems = {
basic = mkNixosInstaller "basic" [];
@ -151,5 +159,7 @@
darwinConfigurations = darwinSystems;
homeConfigurations = homeConfigurations;
syncthingConfiguration = syncthingConfiguration;
};
}
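Review bot: The new `nix-syncthing` input at L413–L416 is fetched as `git+https://…?ref=main`, a moving reference; flake.lock pins it to a rev and narHash so builds stay reproducible, but every `nix flake update` will take whatever is on `main` of that forge with no tag or signature check, and the module it provides is loaded into every NixOS system built here. Since this is evidently the author's own repository that is probably acceptable, but pinning a tag or `rev=` in the URL, or at least noting the decision, makes the trust boundary explicit — e.g. extend the comment at L412 to `# common config for syncthing (own forge, tracks main; review the diff when re-locking)`. `syncthingConfiguration` is also exported as a flake output at L438, so the device list becomes part of this flake's public interface; that is fine for non-secret device ids but is worth stating in the same comment.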


@ -10,6 +10,5 @@
./searx.nix
./home-assistant.nix
./adguardhome.nix
./nextcloud.nix
];
}


@ -1,5 +1,6 @@
{
lib,
pkgs,
config,
...
}: let
@ -12,6 +13,41 @@ in {
config = lib.mkIf config.host.fail2ban.enable (lib.mkMerge [
{
environment.etc = {
"fail2ban/filter.d/nginx.local".text = lib.mkIf config.services.nginx.enable (
pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[Definition]
failregex = "limiting requests, excess:.* by zone.*client: <HOST>"
'')
);
"fail2ban/filter.d/jellyfin.local".text = lib.mkIf config.services.jellyfin.enable (
pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[Definition]
failregex = "^.*Authentication request for .* has been denied \\\(IP: \"<ADDR>\"\\\)\\\."
'')
);
"fail2ban/filter.d/forgejo.local".text = lib.mkIf config.services.forgejo.enable (
pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[Definition]
failregex = ".*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>"
'')
);
"fail2ban/filter.d/hass.local".text = lib.mkIf config.services.home-assistant.enable (
pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[INCLUDES]
before = common.conf
[Definition]
failregex = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from <HOST>.*$
ignoreregex =
[Init]
datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
'')
);
};
services.fail2ban = {
enable = true;
maxretry = 5;
@ -34,54 +70,40 @@ in {
};
jails = {
nginx-iptables.settings = lib.mkIf config.services.nginx.enable {
enabled = true;
filter = "nginx";
action = ''iptables-multiport[name=HTTP, port="http,https"]'';
backend = "auto";
failregex = "limiting requests, excess:.* by zone.*client: <HOST>";
findtime = 600;
bantime = 600;
maxretry = 5;
};
jellyfin-iptables.settings = lib.mkIf config.services.jellyfin.enable {
enabled = true;
filter = "jellyfin";
action = ''iptables-multiport[name=HTTP, port="http,https"]'';
logpath = "${config.services.jellyfin.dataDir}/log/*.log";
backend = "auto";
failregex = "^.*Authentication request for .* has been denied \\\(IP: \"<ADDR>\"\\\)\\\.";
findtime = 600;
bantime = 600;
maxretry = 5;
};
nextcloud-iptables.settings = lib.mkIf config.services.nextcloud.enable {
filter = "nextcloud";
action = ''iptables-multiport[name=HTTP, port="http,https"]'';
logpath = "${config.services.nextcloud.datadir}/*.log";
backend = "auto";
failregex = ''
^{"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*"}$
^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user,:".*","app":"no app in context".*","method":".*","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)".*}$
^{"reqId":".*","level":2,"time":".*","remoteAddr":".*","user":".*","app":".*","method":".*","url":".*","message":"Login failed: .* \(Remote IP: <HOST>\).*}$
'';
findtime = 600;
bantime = 600;
maxretry = 5;
};
forgejo-iptables.settings = lib.mkIf config.services.forgejo.enable {
enabled = true;
filter = "forgejo";
action = ''iptables-multiport[name=HTTP, port="http,https"]'';
logpath = "${config.services.forgejo.stateDir}/log/*.log";
backend = "auto";
failregex = ".*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>";
findtime = 600;
bantime = 600;
maxretry = 5;
};
home-assistant-iptables.settings = lib.mkIf config.services.home-assistant.enable {
filter = "home-assistant";
enabled = true;
filter = "hass";
action = ''iptables-multiport[name=HTTP, port="http,https"]'';
logpath = "${config.services.home-assistant.configDir}/*.log";
backend = "auto";
failregex = "^%(__prefix_line)s.*Login attempt or request with invalid authentication from <HOST>.*$";
findtime = 600;
bantime = 600;
maxretry = 5;
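Review bot: The nginx, jellyfin and forgejo filter files at L465–L482 write their `failregex` value wrapped in double quotes, and fail2ban's INI parser keeps those quotes as part of the pattern, so none of the three can match a real log line and the jails will quietly ban nothing — the previous `settings.failregex` values were rendered unquoted by the NixOS module, so this is a regression introduced by the move. The jellyfin pattern is additionally affected by the switch to a `''…''` string: Nix does not process backslash escapes inside indented strings, so `\\\(IP: \"<ADDR>\"\\\)\\\.` now reaches fail2ban verbatim (a literal backslash before each parenthesis) instead of the `\(IP: "<ADDR>"\)\.` the old `"…"` string produced. Drop the quotes and write each regex exactly as it should appear in the file: `failregex = limiting requests, excess:.* by zone.*client: <HOST>`, `failregex = ^.*Authentication request for .* has been denied \(IP: "<ADDR>"\)\.` and `failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>`. Check each against a captured log line with `fail2ban-regex` before deploying, since a filter that matches nothing fails silently; the `hass` filter is unquoted and not affected. The `pkgs.lib.mkDefault (pkgs.lib.mkAfter …)` wrapping on values nothing else defines looks redundant, and the enclosing `lib.mkMerge` list begins and ends outside the hunk.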


@ -1,11 +1,9 @@
{
lib,
pkgs,
config,
...
}: let
configDir = "/var/lib/hass";
db_user = "hass";
in {
options.host.home-assistant = {
enable = lib.mkEnableOption "should home-assistant be enabled on this computer";
@ -23,13 +21,6 @@ in {
];
services.home-assistant = {
enable = true;
package =
(pkgs.home-assistant.override {
extraPackages = py: with py; [psycopg2];
})
.overrideAttrs (oldAttrs: {
doInstallCheck = false;
});
configDir = configDir;
extraComponents = [
"met"
@ -43,7 +34,6 @@ in {
"sonos"
"analytics_insights"
"unifi"
"minecraft_server"
"openweathermap"
];
config = {
@ -54,21 +44,17 @@ in {
ip_ban_enabled = true;
login_attempts_threshold = 10;
};
recorder.db_url = "postgresql://@/${db_user}";
# recorder.db_url = "postgresql://@/${db_user}";
"automation manual" = [];
"automation ui" = "!include automations.yaml";
};
extraPackages = python3Packages:
with python3Packages; [
hassil
numpy
gtts
];
};
systemd.services.home-assistant = {
requires = [
"postgresql.service"
];
};
host = {
reverse_proxy.subdomains.${config.host.home-assistant.subdomain} = {
target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}";
@ -89,20 +75,6 @@ in {
proxy_read_timeout 90;
'';
};
postgres = {
enable = true;
extraUsers = {
${db_user} = {
isClient = true;
createUser = true;
};
};
extraDatabases = {
${db_user} = {
name = db_user;
};
};
};
};
}
(lib.mkIf config.host.impermanence.enable {
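Review bot: The commented-out `# recorder.db_url = "postgresql://@/${db_user}";` at L600 still refers to `db_user`, which this hunk deletes from the `let` block, so re-enabling the line later fails evaluation; remove it, or replace it with a plain note such as `# recorder uses the SQLite default; the postgres recorder was dropped with the custom package build`. With the recorder on its default backend the database now lives in `configDir` (`/var/lib/hass`), which has to be covered by the persistence entry in the `lib.mkIf config.host.impermanence.enable` branch that starts at L639 and continues past the hunk — confirm that directory is persisted, otherwise history is lost on reboot. The `hass` role and database removed from `host.postgres` will presumably remain on hosts already deployed; dropping them is a manual step worth recording in the commit message.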


@ -38,8 +38,6 @@ in {
extraConfig = ''
client_max_body_size 20M;
add_header X-Content-Type-Options "nosniff";
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@ -59,8 +57,6 @@ in {
extraConfig = ''
client_max_body_size 20M;
add_header X-Content-Type-Options "nosniff";
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;


@ -38,15 +38,18 @@
services.nfs.server = {
enable = true;
exports = lib.strings.concatLines (
lib.lists.imap0 (
i: directory: "${directory._directory} 100.64.0.0/10(rw,sync,no_subtree_check,crossmnt,fsid=${builtins.toString i})"
[
"/export 100.64.0.0/10(rw,fsid=0,no_subtree_check)"
]
++ (builtins.map (
directory: "${directory._directory} 100.64.0.0/10(rw,nohide,sync,no_subtree_check,crossmnt)"
)
(
builtins.filter (
directory: lib.lists.any (target: target == directory.folder) config.host.network_storage.nfs.directories
)
config.host.network_storage.directories
)
))
);
};
networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = [
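Review bot: The new pseudo-root line `/export 100.64.0.0/10(rw,fsid=0,no_subtree_check)` at L669 exports the root itself read-write, although clients only need to traverse it to reach the `nohide` children; `ro` there removes a write path the old per-directory `fsid=${i}` layout never offered. The path also looks inconsistent with the client side of this same change, which mounts `defiant:/exports/…` (plural) while the root here is `/export` — with `fsid=0` an NFSv4 client resolves paths relative to this root, so unless `directory._directory` (not visible here) lives under `/export` those mounts will not resolve; the README TODO added in this commit already notes that server and client should share one source of truth. `crossmnt` on each child line only matters if there are further mounts beneath them; if the intent is letting clients cross from the root into the children, it belongs on the root export (the children already carry `nohide`). Suggested root line: `"/export 100.64.0.0/10(ro,fsid=0,crossmnt,no_subtree_check)"`. The `services.nfs.server` attribute set continues outside the hunk.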


@ -1,69 +0,0 @@
{
lib,
pkgs,
config,
inputs,
...
}: let
dataDir = "/var/lib/nextcloud";
in {
options.host.nextcloud = {
enable = lib.mkEnableOption "should nextcloud be enabled on this computer";
subdomain = lib.mkOption {
type = lib.types.str;
description = "subdomain of base domain that nextcloud will be hosted at";
default = "nextcloud";
};
};
config = lib.mkIf config.host.nextcloud.enable (lib.mkMerge [
{
sops.secrets = {
"services/nextcloud_adminpass" = {
sopsFile = "${inputs.secrets}/defiant-services.yaml";
owner = config.users.users.nextcloud.name;
};
};
host = {
reverse_proxy.subdomains.${config.host.nextcloud.subdomain} = {
target = "http://localhost:${toString 8009}";
};
};
services = {
nextcloud = {
enable = true;
package = pkgs.nextcloud31;
hostName = "${config.host.nextcloud.subdomain}.${config.host.reverse_proxy.hostname}";
settings.log_type = "file";
config = {
adminpassFile = config.sops.secrets."services/nextcloud_adminpass".path;
adminuser = "admin";
dbtype = "sqlite";
};
};
};
}
(lib.mkIf config.host.impermanence.enable {
assertions = [
{
assertion = config.services.nextcloud.datadir == dataDir;
message = "nextcloud data directory does not match persistence";
}
];
environment.persistence."/persist/system/root" = {
enable = true;
hideMounts = true;
directories = [
{
directory = dataDir;
user = "nextcloud";
group = "nextcloud";
}
];
};
})
]);
}


@ -1,6 +1,7 @@
{
config,
lib,
outputs,
...
}: let
mountDir = "/mnt/sync";
@ -59,97 +60,24 @@ in {
configDir = configDir;
overrideDevices = true;
overrideFolders = true;
settings = {
devices = {
ceder = {
id = "MGXUJBS-7AENXHB-7YQRNWG-QILKEJD-5462U2E-WAQW4R4-I2TVK5H-SMK6LAA";
};
coven = {
id = "QGU7NN6-OMXTWVA-YCZ73S5-2O7ECTS-MUCTN4M-YH6WLEL-U4U577I-7PBNCA5";
};
defiant = lib.mkIf (config.networking.hostName != "defiant") {
id = "3R6E6Y4-2F7MF2I-IGB4WE6-A3SQSMV-LIBYSAM-2OXHHU2-KJ6CGIV-QNMCPAR";
};
twilight = lib.mkIf (config.networking.hostName != "twilight") {
id = "UDIYL7V-OAZ2BI3-EJRAWFB-GZYVDWR-JNUYW3F-FFQ35MU-XBTGWEF-QD6K6QN";
};
horizon = lib.mkIf (config.networking.hostName != "horizon") {
id = "OGPAEU6-5UR56VL-SP7YC4Y-IMVCRTO-XFD4CYN-Z6T5TZO-PFZNAT6-4MKWPQS";
};
shale = {
id = "AOAXEVD-QJ2IVRA-6G44Q7Q-TGUPXU2-FWWKOBH-DPKWC5N-LBAEHWJ-7EQF4AM";
};
};
folders = let
ceder = "ceder";
coven = "coven";
shale = "shale";
defiant = lib.mkIf (config.networking.hostName != "defiant") "defiant";
twilight = lib.mkIf (config.networking.hostName != "twilight") "twilight";
horizon = lib.mkIf (config.networking.hostName != "horizon") "horizon";
in
lib.mkMerge [
config.host.sync.folders.extraFolders
(lib.mkIf config.host.sync.folders.leyla.documents.enable {
"documents" = {
id = "hvrj0-9bm1p";
path = "${mountDir}/leyla/documents";
devices = [
defiant
ceder
coven
twilight
horizon
];
};
})
(lib.mkIf config.host.sync.folders.share.calendar.enable {
"calendar" = {
id = "8oatl-1rv6w";
path = "${mountDir}/default/calendar";
devices = [
defiant
ceder
shale
];
};
})
(lib.mkIf config.host.sync.folders.leyla.notes.enable {
"notes" = {
id = "dwbuv-zffnf";
path = "${mountDir}/leyla/notes";
devices = [
defiant
ceder
];
};
})
(lib.mkIf config.host.sync.folders.share.enable {
"share" = {
id = "73ot0-cxmkx";
path = "${mountDir}/default/share";
devices = [
defiant
ceder
coven
twilight
horizon
shale
];
};
})
];
};
configuration = outputs.syncthingConfiguration;
deviceName = config.networking.hostName;
};
}
(lib.mkIf config.host.impermanence.enable {
assertions = [
assertions =
[
{
assertion = config.services.syncthing.configDir == configDir;
message = "syncthing config dir does not match persistence";
}
];
]
++ lib.attrsets.mapAttrsToList (_: folder: {
assertion = lib.strings.hasPrefix mountDir folder.path;
message = "syncthing folder ${folder.label} is stored at ${folder.path} which not under the persisted path of ${mountDir}";
})
config.services.syncthing.folders;
environment.persistence = {
"/persist/system/root" = {
enable = true;
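Review bot: The new persistence assertion at L863–L867 checks `lib.strings.hasPrefix mountDir folder.path`, which also accepts paths such as `/mnt/syncthing/…` that are not under `/mnt/sync`; compare against the directory prefix instead, `assertion = lib.strings.hasPrefix "${mountDir}/" folder.path;`. The message has a typo, `which not under` → `which is not under`, and it relies on `folder.label` and `folder.path` being set for every folder — for devices whose entries in the new syncthing configuration give no `path` (coven, ceder, shale) that depends on what nix-syncthing fills in, which is not visible here. The old per-host `lib.mkIf (config.networking.hostName != …)` guards that kept a machine from listing itself as a remote device are gone; presumably `deviceName` lets the module handle that, but it is worth confirming on a host other than defiant. The `lib.mkIf config.host.impermanence.enable` block continues past the hunk.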


@ -7,6 +7,7 @@
home-manager = inputs.home-manager;
nix-darwin = inputs.nix-darwin;
sops-nix = inputs.sops-nix;
nix-syncthing = inputs.nix-syncthing;
disko = inputs.disko;
impermanence = inputs.impermanence;
lix-module = inputs.lix-module;
@ -73,6 +74,7 @@ in {
system-modules
++ [
sops-nix.nixosModules.sops
nix-syncthing.nixosModules.syncthing
impermanence.nixosModules.impermanence
home-manager.nixosModules.home-manager
disko.nixosModules.disko
@ -107,4 +109,10 @@ in {
../configurations/home-manager/${user}
];
};
syncthingConfiguration = nix-syncthing.lib.syncthingConfiguration {
modules = [
(import ../configurations/syncthing)
];
};
}