diff --git a/README.md b/README.md index ad643c2..9a1c362 100644 --- a/README.md +++ b/README.md @@ -48,12 +48,14 @@ nix multi user, multi system, configuration with `sops` secret management, `home ## Tech Debt - monitor configuration in `~/.config/monitors.xml` should be sym linked to `/run/gdm/.config/monitors.xml` (https://www.reddit.com/r/NixOS/comments/u09cz9/home_manager_create_my_own_symlinks_automatically/) +- syncthing folders should just be enabled per devices and then combined with "extraDevices" to give final folder configurations - syncthing folder passwords - nfs export should be backed by the same values for server and client - move fail2ban configs out of fail2ban.nix and into configs for their respective services - nginx config should be reworked to give a list of subdomains and then the config information to apply to each proxy ## New Features - offline access for nfs mounts (overlay with rsync might be a good option here? https://www.spinics.net/lists/linux-unionfs/msg07105.html note about nfs4 and overlay fs) +- Flake templates - we need to add these to some kind of local registry??? `nix flake show templates` - https://nix.dev/manual/nix/2.18/command-ref/new-cli/nix3-flake-init - samba mounts - figure out steam vr things? - Open GL? @@ -68,5 +70,3 @@ nix multi user, multi system, configuration with `sops` secret management, `home - SMART test with email results - Create Tor guard/relay server - remote distributed builds - https://nix.dev/tutorials/nixos/distributed-builds-setup.html -- migrate away from flakes and move to npins -- forgejo dedicated sshd that can only do forgejo things and that the main deamon proxies to when trying to log in with the git user, with the goal of being able to host that deamon on port 22222 and set up a port forward rule on gateway for 22 -> deamon:22222 \ No newline at end of file diff --git a/configurations/home-manager/default.nix b/configurations/home-manager/default.nix index a7fa478..3aa4c0e 100644 
--- a/configurations/home-manager/default.nix
+++ b/configurations/home-manager/default.nix
@@ -1,12 +1,10 @@
 {
   lib,
   config,
-  osConfig,
   ...
 }: let
   users = config.host.users;
 in {
   leyla = lib.mkIf users.leyla.isNormalUser (import ./leyla);
   eve = lib.mkIf users.eve.isNormalUser (import ./eve);
-  git = lib.mkIf (osConfig.services.forgejo.enable or false) (import ./git);
 }
diff --git a/configurations/home-manager/git/default.nix b/configurations/home-manager/git/default.nix
deleted file mode 100644
index 2276e7a..0000000
--- a/configurations/home-manager/git/default.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{osConfig, ...}: {
-  home = {
-    username = osConfig.users.users.git.name;
-    homeDirectory = osConfig.users.users.git.home;
-
-    # This value determines the Home Manager release that your configuration is
-    # compatible with. This helps avoid breakage when a new Home Manager release
-    # introduces backwards incompatible changes.
-    #
-    # You should not change this value, even if you update Home Manager. If you do
-    # want to update the value, then make sure to first check the Home Manager
-    # release notes.
-    stateVersion = "23.11"; # Please read the comment before changing.
-  };
-
-  programs.ssh.extraConfig = ''
-    AuthorizedKeysFile
-    /var/lib/forgejo/.ssh/authorized_keys
-  '';
-}
diff --git a/flake.nix b/flake.nix
index f9cb9a6..8c64e2b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -114,12 +114,7 @@
         nixpkgs.lib.attrsets.mapAttrsToList (hostname: system: (
           nixpkgs.lib.attrsets.mapAttrs' (user: _: {
             name = "${user}@${hostname}";
-            value = mkHome {
-              user = user;
-              host = hostname;
-              system = system.pkgs.hostPlatform.system;
-              osConfig = system.config;
-            };
+            value = mkHome user hostname system.pkgs.hostPlatform.system system.config;
           })
           system.config.home-manager.users
         ))
diff --git a/modules/nixos-modules/server/fail2ban.nix b/modules/nixos-modules/server/fail2ban.nix
index a84b5ad..cd2a978 100644
--- a/modules/nixos-modules/server/fail2ban.nix
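Review bot: The call `mkHome user hostname system.pkgs.hostPlatform.system system.config` passes three strings and an attrset positionally, so a transposed argument (user and hostname, say) evaluates without any error at this call site, whereas the removed attrset form failed loudly on a misnamed key and documented each argument by name. If the positional form is kept, a comment next to the call naming the parameter order, e.g. `# mkHome: user host system osConfig`, would keep it readable. The same point applies to the matching `mkHome = user: host: system: osConfig:` definition in the util/default.nix hunk.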
+++ b/modules/nixos-modules/server/fail2ban.nix
@@ -92,7 +92,7 @@ in {
       enabled = true;
       filter = "forgejo";
       action = ''iptables-multiport[name=HTTP, port="http,https"]'';
-      logpath = "${config.services.forgejo.settings.log.ROOT_PATH}/*.log";
+      logpath = "${config.services.forgejo.stateDir}/log/*.log";
       backend = "auto";
       findtime = 600;
       bantime = 600;
diff --git a/modules/nixos-modules/server/forgejo.nix b/modules/nixos-modules/server/forgejo.nix
index f0c1974..a6b3ede 100644
--- a/modules/nixos-modules/server/forgejo.nix
+++ b/modules/nixos-modules/server/forgejo.nix
@@ -6,7 +6,7 @@
   forgejoPort = 8081;
   stateDir = "/var/lib/forgejo";
   db_user = "forgejo";
-  sshPort = 22222;
+  sshPort = 2222;
 in {
   options.host.forgejo = {
     enable = lib.mkEnableOption "should forgejo be enabled on this computer";
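Review bot: `logpath` now hard-codes `${config.services.forgejo.stateDir}/log/*.log` instead of reading Forgejo's own `log.ROOT_PATH`, so the jail and the service can silently drift apart if the log root is ever set explicitly, and the jail only ever bans anything if Forgejo actually writes a file logger into that directory — as far as I recall Forgejo's default log mode is console-only, so confirm that `settings.log.MODE` on this host includes a file mode, otherwise authentication failures never reach fail2ban. A comment stating that dependency, e.g. `# must match services.forgejo.settings.log.ROOT_PATH and needs a file log mode`, would make the coupling explicit. The enclosing jail definition starts and ends outside the hunk.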
@@ -33,32 +33,31 @@ in {
     };
   };
 
-  services = {
-    forgejo = {
-      enable = true;
-      database = {
-        type = "postgres";
-        socket = "/run/postgresql";
+  services.forgejo = {
+    enable = true;
+    database = {
+      type = "postgres";
+      socket = "/run/postgresql";
+    };
+    lfs.enable = true;
+    settings = {
+      server = {
+        DOMAIN = "${config.host.forgejo.subdomain}.${config.host.reverse_proxy.hostname}";
+        HTTP_PORT = forgejoPort;
+        START_SSH_SERVER = true;
+        SSH_LISTEN_PORT = sshPort;
+        SSH_PORT = 22;
+        # TODO: we need to create this user, and then store their authorized keys somewhere and have both ssh server allow login in as that user based on those authorized keys
+        BUILTIN_SSH_SERVER_USER = "git";
+        ROOT_URL = "https://git.jan-leila.com:";
       };
-      lfs.enable = true;
-      settings = {
-        server = {
-          DOMAIN = "${config.host.forgejo.subdomain}.${config.host.reverse_proxy.hostname}";
-          HTTP_PORT = forgejoPort;
-          START_SSH_SERVER = true;
-          SSH_LISTEN_PORT = sshPort;
-          SSH_PORT = 22;
-          BUILTIN_SSH_SERVER_USER = config.users.users.git.name;
-          ROOT_URL = "https://git.jan-leila.com";
-        };
-        service = {
-          DISABLE_REGISTRATION = true;
-        };
-        database = {
-          DB_TYPE = "postgres";
-          NAME = db_user;
-          USER = db_user;
-        };
+      service = {
+        DISABLE_REGISTRATION = true;
+      };
+      database = {
+        DB_TYPE = "postgres";
+        NAME = db_user;
+        USER = db_user;
       };
     };
   };
diff --git a/modules/nixos-modules/server/network_storage/nfs.nix b/modules/nixos-modules/server/network_storage/nfs.nix
index 1b52d26..b398582 100644
--- a/modules/nixos-modules/server/network_storage/nfs.nix
+++ b/modules/nixos-modules/server/network_storage/nfs.nix
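Review bot: `ROOT_URL = "https://git.jan-leila.com:";` carries a trailing colon with no port, so every absolute URL Forgejo builds (clone URLs, redirects, webhook payloads, OAuth callbacks) would contain `git.jan-leila.com:/`; the removed line had no colon, so either restore `ROOT_URL = "https://git.jan-leila.com";` or append the port that was intended. The TODO above `BUILTIN_SSH_SERVER_USER = "git"` may be stricter than needed: with `START_SSH_SERVER = true` that value is, as far as I know, only the login name the builtin SSH server accepts and it authenticates against keys registered in Forgejo, so no system `git` account is required (consistent with this commit deleting that user in users.nix) — worth confirming against the Forgejo docs and then rewording the TODO. Separately, `SSH_LISTEN_PORT = sshPort` (2222 after the first hunk) is advertised to clients as port 22 through `SSH_PORT`, which only works if the gateway forward and a host firewall rule for 2222 exist; neither is visible in this diff.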
@@ -37,15 +37,20 @@
     lib.mkIf (config.host.network_storage.nfs.enable && config.host.network_storage.enable) {
       services.nfs.server = {
         enable = true;
-        exports = lib.strings.concatLines (lib.lists.imap0 (
-            i: directory: "${directory._directory} 100.64.0.0/10(fsid=${toString i},rw,nohide,sync,no_subtree_check,crossmnt)"
-          )
-          (
-            builtins.filter (
-              directory: lib.lists.any (target: target == directory.folder) config.host.network_storage.nfs.directories
+        exports = lib.strings.concatLines (
+          [
+            "/export 100.64.0.0/10(rw,fsid=0,no_subtree_check)"
+          ]
+          ++ (builtins.map (
+              directory: "${directory._directory} 100.64.0.0/10(rw,nohide,sync,no_subtree_check,crossmnt)"
             )
-            config.host.network_storage.directories
-          ));
+            (
+              builtins.filter (
+                directory: lib.lists.any (target: target == directory.folder) config.host.network_storage.nfs.directories
+              )
+              config.host.network_storage.directories
+            ))
+        );
       };
       networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = [
         config.host.network_storage.nfs.port
diff --git a/modules/nixos-modules/sync.nix b/modules/nixos-modules/sync.nix
index de361e6..e185781 100644
--- a/modules/nixos-modules/sync.nix
+++ b/modules/nixos-modules/sync.nix
@@ -77,7 +77,7 @@ in {
           assertion = lib.strings.hasPrefix mountDir folder.path;
           message = "syncthing folder ${folder.label} is stored at ${folder.path} which not under the persisted path of ${mountDir}";
         })
-        config.services.syncthing.settings.folders;
+        config.services.syncthing.folders;
       environment.persistence = {
         "/persist/system/root" = {
           enable = true;
diff --git a/modules/nixos-modules/users.nix b/modules/nixos-modules/users.nix
index 92f4016..f57e894 100644
--- a/modules/nixos-modules/users.nix
+++ b/modules/nixos-modules/users.nix
@@ -20,9 +20,9 @@
     adguardhome = 2003;
     hass = 2004;
     headscale = 2005;
+    nextcloud = 2006;
     syncthing = 2007;
     ollama = 2008;
-    git = 2009;
   };
 
   gids = {
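Review bot: The new pseudo-root entry `"/export 100.64.0.0/10(rw,fsid=0,no_subtree_check)"` exports the NFSv4 root writable, but clients only need write access inside the individually exported directories beneath it, so `ro` on the root is sufficient and keeps clients from creating entries directly in `/export`: `"/export 100.64.0.0/10(ro,fsid=0,no_subtree_check)"`. The per-directory entries also dropped the `fsid=${toString i}` the removed code assigned; the kernel derives an fsid from the backing filesystem, which is fine for directories on ordinary block filesystems (bind mounts included) but not for tmpfs, overlay or similar mounts, which need an explicit one — if any `_directory` is such a mount (the `crossmnt` option hints at nested mounts), keep an explicit per-entry fsid. A short comment on the root line saying the numbered fsids were removed on purpose would stop them being reintroduced by habit.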
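Review bot: `config.services.syncthing.folders` is the pre-23.11 name of the option; in recent nixpkgs it survives, as far as I know, only as a renamed-option alias for `services.syncthing.settings.folders` (the path the removed line used), and such aliases are eventually dropped, so unless this host pins an older nixpkgs the change reintroduces a deprecated path into the persistence assertion. If the old path is needed on purpose, a comment such as `# older syncthing module: folders are declared at services.syncthing.folders` would explain it; otherwise keep `settings.folders`. The enclosing assertion list starts before the hunk.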
@@ -35,9 +35,9 @@
     adguardhome = 2003;
     hass = 2004;
     headscale = 2005;
+    nextcloud = 2006;
     syncthing = 2007;
     ollama = 2008;
-    git = 2009;
   };
 
   users = config.users.users;
@@ -141,6 +141,12 @@ in {
         group = config.users.users.headscale.name;
       };
 
+      nextcloud = {
+        uid = lib.mkForce uids.nextcloud;
+        isSystemUser = true;
+        group = config.users.users.nextcloud.name;
+      };
+
       syncthing = {
         uid = lib.mkForce uids.syncthing;
         isSystemUser = true;
@@ -152,13 +158,6 @@ in {
         isSystemUser = true;
         group = config.users.users.ollama.name;
       };
-
-      git = {
-        uid = lib.mkForce uids.git;
-        isSystemUser = !config.services.forgejo.enable;
-        isNormalUser = config.services.forgejo.enable;
-        group = config.users.users.git.name;
-      };
     };
 
     groups = {
@@ -233,6 +232,14 @@ in {
         ];
       };
 
+      nextcloud = {
+        gid = lib.mkForce gids.nextcloud;
+        members = [
+          users.nextcloud.name
+          # leyla
+        ];
+      };
+
       syncthing = {
         gid = lib.mkForce gids.syncthing;
         members = [
@@ -248,13 +255,6 @@ in {
           users.ollama.name
         ];
       };
-
-      git = {
-        gid = lib.mkForce gids.git;
-        members = [
-          users.git.name
-        ];
-      };
     };
   };
 }
diff --git a/util/default.nix b/util/default.nix
index c6e0e06..028212c 100644
--- a/util/default.nix
+++ b/util/default.nix
@@ -36,13 +36,8 @@
   home-manager-config = nixpkgs: {
     home-manager.useUserPackages = true;
     home-manager.backupFileExtension = "backup";
-    home-manager.extraSpecialArgs = {
-      inherit inputs outputs util;
-    };
-    home-manager.users = import ../configurations/home-manager (nixpkgs
-      // {
-        osConfig = nixpkgs.config;
-      });
+    home-manager.extraSpecialArgs = {inherit inputs outputs util;};
+    home-manager.users = import ../configurations/home-manager nixpkgs;
     home-manager.sharedModules = home-manager-modules;
   };
 
@@ -66,7 +61,7 @@ in {
     nixpkgs.lib.nixosSystem {
       modules = [
         {
-          # TODO: authorized keys for all users and hosts
+          # TODO: authorized keys for all users
         }
         ../configurations/nixos/${host}
       ];
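Review bot: In `home-manager.users = import ../configurations/home-manager nixpkgs;` the value named `nixpkgs` is the NixOS module argument set (`home-manager-config = nixpkgs: {` on the first context line, and the removed code read `nixpkgs.config` from it), not the flake input of the same name, so the new line hands a `{config, lib, ...}`-shaped set to the home-manager user list under a misleading name. Renaming the parameter, e.g. `home-manager-config = nixosArgs: {` together with `import ../configurations/home-manager nixosArgs;`, would make the data flow obvious to the next reader and avoid confusion with the `nixpkgs` input used elsewhere in this file.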
@@ -102,12 +97,7 @@ in {
     ];
   };
 
-  mkHome = {
-    user,
-    host,
-    system,
-    osConfig,
-  }:
+  mkHome = user: host: system: osConfig:
     home-manager.lib.homeManagerConfiguration {
       pkgs = pkgsFor system;
       extraSpecialArgs = {