fmt
This commit is contained in:
parent
f4615cbae9
commit
a7734d312b
25 changed files with 328 additions and 222 deletions
|
@ -56,9 +56,7 @@ in
|
|||
};
|
||||
|
||||
boot = {
|
||||
kernelParams = [
|
||||
"quiet"
|
||||
];
|
||||
kernelParams = [ "quiet" ];
|
||||
loader.efi.canTouchEfiVariables = true;
|
||||
initrd.availableKernelModules = [
|
||||
"xhci_pci"
|
||||
|
|
|
@ -83,9 +83,7 @@ in
|
|||
|
||||
services.power-profiles-daemon.enable = false;
|
||||
services.upower.enable = true;
|
||||
boot.extraModulePackages = [
|
||||
cpupower
|
||||
] ++ optional enable_perf_policy x86_energy_perf_policy;
|
||||
boot.extraModulePackages = [ cpupower ] ++ optional enable_perf_policy x86_energy_perf_policy;
|
||||
|
||||
services.tlp = {
|
||||
enable = true;
|
||||
|
|
|
@ -17,7 +17,11 @@ in
|
|||
|
||||
programs.xonsh = {
|
||||
enable = true;
|
||||
config = lib.concatLines (lib.mapAttrsToList (name: value: ''aliases["${name}"] = "${value}"'') config.environment.shellAliases);
|
||||
config = lib.concatLines (
|
||||
lib.mapAttrsToList (
|
||||
name: value: ''aliases["${name}"] = "${value}"''
|
||||
) config.environment.shellAliases
|
||||
);
|
||||
package = pkgs.xonsh.override {
|
||||
extraPackages =
|
||||
ps: with ps; [
|
||||
|
|
|
@ -9,12 +9,17 @@ let
|
|||
nivSources = import ./nix/sources.nix;
|
||||
asGithubRef = src: "github:${src.owner}/${src.repo}/${src.rev}";
|
||||
|
||||
build_target = let env_host = builtins.getEnv "NIXOS_TARGET_HOST"; in if env_host != "" then env_host else builtins.replaceStrings ["\n"] [""] (lib.toLower (builtins.readFile /proc/sys/kernel/hostname));
|
||||
build_target =
|
||||
let
|
||||
env_host = builtins.getEnv "NIXOS_TARGET_HOST";
|
||||
in
|
||||
if env_host != "" then
|
||||
env_host
|
||||
else
|
||||
builtins.replaceStrings [ "\n" ] [ "" ] (lib.toLower (builtins.readFile /proc/sys/kernel/hostname));
|
||||
|
||||
host_modules = {
|
||||
grimmauld-nixos = [
|
||||
./specific/grimm-nixos-laptop/configuration.nix
|
||||
];
|
||||
grimmauld-nixos = [ ./specific/grimm-nixos-laptop/configuration.nix ];
|
||||
|
||||
grimmauld-nixos-server = [
|
||||
./specific/grimmauld-nixos-server/configuration.nix
|
||||
|
|
|
@ -1,22 +1,40 @@
|
|||
{ config, lib, pkgs, ...}: let
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
bridge_port = 9005; # netstat -nlp | grep 9005
|
||||
in {
|
||||
nixpkgs.overlays = [ (final: prev: { matrix-appservice-discord = prev.matrix-appservice-discord.overrideAttrs (old: {
|
||||
in
|
||||
{
|
||||
nixpkgs.overlays = [
|
||||
(final: prev: {
|
||||
matrix-appservice-discord = prev.matrix-appservice-discord.overrideAttrs (old: {
|
||||
src = pkgs.fetchFromGitHub {
|
||||
owner = "t2bot";
|
||||
repo = "matrix-appservice-discord";
|
||||
rev = "8361ca6121bf1f0902154baa538cb6d5766e477f";
|
||||
hash = "sha256-oXon6pFJgqQ1uBLtsSVNH7XSOpxxJYqpW2n9cFrs3sU=";
|
||||
};
|
||||
patches = (let oldPatches = old.patches or []; in if oldPatches == null then [] else oldPatches) ++ [ ./patch_bridge_perms.patch ];
|
||||
patches =
|
||||
(
|
||||
let
|
||||
oldPatches = old.patches or [ ];
|
||||
in
|
||||
if oldPatches == null then [ ] else oldPatches
|
||||
)
|
||||
++ [ ./patch_bridge_perms.patch ];
|
||||
doCheck = false;
|
||||
});})
|
||||
});
|
||||
})
|
||||
];
|
||||
|
||||
|
||||
age.secrets.matrix_discord_bridge_token.file = ../secrets/matrix_discord_bridge_token.age;
|
||||
|
||||
services.matrix-synapse-next.settings.app_service_config_files = [ "/var/lib/matrix-synapse/discord-registration.yaml" ];
|
||||
services.matrix-synapse-next.settings.app_service_config_files = [
|
||||
"/var/lib/matrix-synapse/discord-registration.yaml"
|
||||
];
|
||||
|
||||
services.matrix-appservice-discord = {
|
||||
enable = true;
|
||||
|
@ -40,4 +58,3 @@ in {
|
|||
environmentFile = config.age.secrets.matrix_discord_bridge_token.path;
|
||||
};
|
||||
}
|
||||
|
||||
|
|
|
@ -2,7 +2,8 @@
|
|||
let
|
||||
inherit (config.networking) domain;
|
||||
mail_host = "mail.${domain}";
|
||||
in {
|
||||
in
|
||||
{
|
||||
security.acme.certs."${domain}".extraDomainNames = [ mail_host ];
|
||||
|
||||
# services.dovecot2.sieve.extensions = [ "fileinto" ]; # sives break without this for some reason
|
||||
|
@ -35,7 +36,8 @@ in {
|
|||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts."${mail_host}" = { # you should NOT be here from a browser :P
|
||||
virtualHosts."${mail_host}" = {
|
||||
# you should NOT be here from a browser :P
|
||||
serverName = mail_host;
|
||||
forceSSL = true;
|
||||
useACMEHost = domain;
|
||||
|
|
|
@ -1,10 +1,13 @@
|
|||
{ ... }: {
|
||||
{ ... }:
|
||||
{
|
||||
services.fail2ban = {
|
||||
enable = true;
|
||||
maxretry = 5;
|
||||
ignoreIP = [
|
||||
# Whitelist some subnets
|
||||
"10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"
|
||||
"10.0.0.0/8"
|
||||
"172.16.0.0/12"
|
||||
"192.168.0.0/16"
|
||||
"matrix.org"
|
||||
"app.element.io" # don't ratelimit matrix users
|
||||
];
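Review bot: The `ignoreIP` list on the new side whitelists two DNS names, `"matrix.org"` and `"app.element.io"`, and the trailing comment says this is to avoid rate-limiting Matrix users; but app.element.io is a browser-hosted client, so user traffic arrives from the users' own addresses, not from that hostname, and the entry does not achieve what the comment claims. What it does do is permanently exempt whatever addresses those names resolve to when fail2ban loads (resolution is governed by the jail's `usedns` setting), which for a CDN-fronted host can be a shared edge address that unrelated traffic also uses. If the goal is to keep federation traffic from matrix.org unbanned, keep that entry and reword the comment to `# federation peer, not end users`; otherwise drop both hostnames and tune `maxretry` on the jail that is actually catching Matrix clients. The attribute set opened at the top of the hunk closes outside it.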
|
||||
|
|
|
@ -1,10 +1,17 @@
|
|||
{ lib, config, inputs, pkgs, ... }:
|
||||
{
|
||||
lib,
|
||||
config,
|
||||
inputs,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (config.networking) domain;
|
||||
gitea_host = "git.${domain}";
|
||||
gitea_port = 8081;
|
||||
gitea_ssh_port = 2222;
|
||||
in {
|
||||
in
|
||||
{
|
||||
services.gitea = {
|
||||
enable = true;
|
||||
settings = {
|
||||
|
@ -27,10 +34,7 @@ in {
|
|||
lfs.enable = true;
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
gitea
|
||||
];
|
||||
|
||||
environment.systemPackages = with pkgs; [ gitea ];
|
||||
|
||||
security.acme.certs."${domain}".extraDomainNames = [ gitea_host ];
|
||||
networking.firewall.allowedTCPPorts = [ gitea_ssh_port ];
|
||||
|
@ -47,4 +51,3 @@ in {
|
|||
};
|
||||
};
|
||||
}
|
||||
|
||||
|
|
|
@ -3,7 +3,8 @@ let
|
|||
inherit (config.networking) domain;
|
||||
grafana_host = "grafana.${domain}";
|
||||
grafana_port = 8082;
|
||||
in {
|
||||
in
|
||||
{
|
||||
age.secrets.grafana_admin_pass = {
|
||||
file = ../secrets/grafana_admin_pass.age;
|
||||
owner = "grafana";
|
||||
|
|
|
@ -1,8 +1,15 @@
|
|||
{ lib, config, inputs, pkgs, ... }:
|
||||
{
|
||||
lib,
|
||||
config,
|
||||
inputs,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (config.networking) domain;
|
||||
root_email = "contact@${domain}";
|
||||
in {
|
||||
in
|
||||
{
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults.email = root_email;
|
||||
|
|
|
@ -2,7 +2,8 @@
|
|||
let
|
||||
inherit (config.networking) domain;
|
||||
mastodon_host = "mastodon.${domain}";
|
||||
in {
|
||||
in
|
||||
{
|
||||
security.acme.certs."${domain}".extraDomainNames = [ mastodon_host ];
|
||||
services.mastodon = {
|
||||
enable = true;
|
||||
|
|
|
@ -1,8 +1,15 @@
|
|||
{ lib, config, inputs, pkgs, ... }:
|
||||
{
|
||||
lib,
|
||||
config,
|
||||
inputs,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (config.networking) domain;
|
||||
matrix_host = "matrix.${domain}";
|
||||
in {
|
||||
in
|
||||
{
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
# CREATE DATABASE synapse ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER synapse;
|
||||
|
@ -37,9 +44,11 @@ host replication all ::1/128 md5
|
|||
'';
|
||||
};
|
||||
|
||||
systemd.services.postgresql.postStart = let
|
||||
systemd.services.postgresql.postStart =
|
||||
let
|
||||
password_file_path = config.age.secrets.synapse_db_pass.path;
|
||||
in ''
|
||||
in
|
||||
''
|
||||
$PSQL -tA <<'EOF'
|
||||
DO $$
|
||||
DECLARE password TEXT;
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
{ config, ... }:
|
||||
let
|
||||
|
||||
in {
|
||||
in
|
||||
{
|
||||
age.secrets = {
|
||||
matrix_mjolnir_pass = {
|
||||
file = ../secrets/matrix_mjolnir_pass.age;
|
||||
|
@ -22,9 +22,7 @@ in {
|
|||
services.mjolnir = {
|
||||
enable = true;
|
||||
homeserverUrl = config.services.matrix-synapse-next.settings.public_baseurl;
|
||||
protectedRooms = [
|
||||
"https://matrix.to/#/!zDkrFrfuMIKbqYFbFv:grimmauld.de"
|
||||
];
|
||||
protectedRooms = [ "https://matrix.to/#/!zDkrFrfuMIKbqYFbFv:grimmauld.de" ];
|
||||
managementRoom = "!kgfXXqEYHGgToIwhMP:grimmauld.de";
|
||||
pantalaimon = {
|
||||
enable = true;
|
||||
|
@ -37,23 +35,25 @@ in {
|
|||
};
|
||||
|
||||
services.logrotate.checkConfig = false; # needed or this explodes
|
||||
containers.mjolnirtle = let
|
||||
containers.mjolnirtle =
|
||||
let
|
||||
baseurl = config.services.matrix-synapse-next.settings.public_baseurl;
|
||||
pass_file = config.age.secrets.matrix_mjolnir_tle_pass.path;
|
||||
in {
|
||||
in
|
||||
{
|
||||
privateNetwork = false; # don't want nat
|
||||
autoStart = true;
|
||||
bindMounts."${pass_file}".isReadOnly = true;
|
||||
config = { config, ... }: {
|
||||
config =
|
||||
{ config, ... }:
|
||||
{
|
||||
system.stateVersion = "unstable";
|
||||
# tle mjolnir
|
||||
services.logrotate.checkConfig = false;
|
||||
services.mjolnir = {
|
||||
enable = true;
|
||||
homeserverUrl = baseurl;
|
||||
protectedRooms = [
|
||||
"https://matrix.to/#/!BgDBnHgMgilMMnPMyp:grimmauld.de"
|
||||
];
|
||||
protectedRooms = [ "https://matrix.to/#/!BgDBnHgMgilMMnPMyp:grimmauld.de" ];
|
||||
managementRoom = "!NQedmlMeoQErGgAwxm:grimmauld.de";
|
||||
pantalaimon = {
|
||||
enable = true;
|
||||
|
|
|
@ -1,9 +1,15 @@
|
|||
{ lib, pkgs, config, ...} :
|
||||
{
|
||||
lib,
|
||||
pkgs,
|
||||
config,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (config.networking) domain;
|
||||
nextcloud_host = "cloud.${domain}";
|
||||
nextcloud_port = 8083;
|
||||
in {
|
||||
in
|
||||
{
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
ensureDatabases = [ "nextcloud" ];
|
||||
|
@ -64,7 +70,6 @@ in {
|
|||
port = 6379;
|
||||
timeout = 0.0;
|
||||
};
|
||||
|
||||
};
|
||||
phpOptions = {
|
||||
"opcache.interned_strings_buffer" = "12";
|
||||
|
|
|
@ -3,7 +3,8 @@ let
|
|||
inherit (config.networking) domain;
|
||||
prometheus_host = "prometheus.${domain}";
|
||||
prometheus_port = 9090; # netstat -nlp | grep 9090
|
||||
in {
|
||||
in
|
||||
{
|
||||
security.acme.certs."${domain}".extraDomainNames = [ prometheus_host ];
|
||||
|
||||
services.prometheus = {
|
||||
|
@ -13,13 +14,15 @@ in {
|
|||
scrapeConfigs = [
|
||||
{
|
||||
job_name = "chrysalis";
|
||||
static_configs = [{
|
||||
static_configs = [
|
||||
{
|
||||
targets = [
|
||||
"127.0.0.1:${toString config.services.prometheus.exporters.node.port}"
|
||||
"127.0.0.1:${toString config.services.prometheus.exporters.nginx.port}"
|
||||
"127.0.0.1:${toString config.services.prometheus.exporters.postgres.port}"
|
||||
];
|
||||
}];
|
||||
}
|
||||
];
|
||||
}
|
||||
];
|
||||
exporters = {
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
{config, pkgs, ...}: let
|
||||
{ config, pkgs, ... }:
|
||||
let
|
||||
inherit (config.networking) domain;
|
||||
root_email = "contact@${domain}";
|
||||
ptero_host = "ptero.${domain}";
|
||||
|
@ -7,7 +8,8 @@
|
|||
local_bridge = "ptero-local-br";
|
||||
ptero_ver = "1.11.5";
|
||||
ptero_port = "8042";
|
||||
in {
|
||||
in
|
||||
{
|
||||
users.users.${panel_user} = {
|
||||
isSystemUser = true;
|
||||
extraGroups = [ "docker" ];
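Review bot: `extraGroups = [ "docker" ];` puts `panel_user` in the docker group, and membership in that group grants unrestricted access to the Docker socket, which is equivalent to root on the host. The oneshot script further down this file drives `config.virtualisation.podman.package`, so it is not obvious from the hunk that the docker group is needed at all; if it is, the trust decision should be recorded next to the line, e.g. `# docker group is root-equivalent; the panel is deliberately trusted with host root — TODO confirm still required`. If it is not needed, remove the group and let the service run with only the privileges the oci-containers units give it. The user definition continues beyond the hunk.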
|
||||
|
@ -43,8 +45,11 @@ chmod +777 -R ${DATA_DIR}
|
|||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
serviceConfig.Type = "oneshot";
|
||||
script = let podmancli = "${config.virtualisation.podman.package}/bin/podman";
|
||||
in ''
|
||||
script =
|
||||
let
|
||||
podmancli = "${config.virtualisation.podman.package}/bin/podman";
|
||||
in
|
||||
''
|
||||
check=$(${podmancli} pod ls | grep "ptero" || true)
|
||||
if [ -z "$check" ]; then
|
||||
${podmancli} pod create -p "${ptero_port}:80" ptero
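Review bot: `pod create -p "${ptero_port}:80" ptero` publishes the panel on every host interface; if, as the `ptero_host` binding above suggests, it is only meant to be reached through an nginx vhost, bind it to loopback with `${podmancli} pod create -p "127.0.0.1:${ptero_port}:80" ptero` so the firewall is not the only thing keeping port 8042 off the network. The existence check `podman pod ls | grep "ptero"` is a substring match that any pod whose name contains `ptero` satisfies; `if ! ${podmancli} pod exists ptero; then` is exact and removes the need for `|| true`. The hunk header also shows `chmod +777 -R ${DATA_DIR}` in the surrounding script, which leaves the data directory (and the database volume under it) world-writable; that line is outside this hunk but is worth revisiting. The `if` block is not closed within the hunk.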
|
||||
|
@ -54,7 +59,6 @@ chmod +777 -R ${DATA_DIR}
|
|||
'';
|
||||
};
|
||||
|
||||
|
||||
virtualisation.oci-containers.containers."ptero-mysql" = {
|
||||
image = "library/mysql:8.0";
|
||||
workdir = "${DATA_DIR}/database";
|
||||
|
@ -64,7 +68,10 @@ chmod +777 -R ${DATA_DIR}
|
|||
"MYSQL_DATABASE" = "panel";
|
||||
};
|
||||
environmentFiles = [ config.age.secrets.ptero_env.path ];
|
||||
volumes = ["${DATA_DIR}/database:/var/lib/mysql" "${DATA_DIR}/database:${DATA_DIR}/database"];
|
||||
volumes = [
|
||||
"${DATA_DIR}/database:/var/lib/mysql"
|
||||
"${DATA_DIR}/database:${DATA_DIR}/database"
|
||||
];
|
||||
cmd = [ "--default-authentication-plugin=mysql_native_password" ];
|
||||
};
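Review bot: `cmd = [ "--default-authentication-plugin=mysql_native_password" ]` pins new accounts to the legacy SHA-1 based plugin that MySQL 8.0 deprecates in favour of its default `caching_sha2_password`; unless the panel's database driver cannot speak the newer plugin, drop the flag, and if it must stay, record the dependency that forces it, e.g. `# legacy auth plugin: required by the panel's DB driver — TODO confirm`. Separately, `volumes` mounts `${DATA_DIR}/database` twice, at `/var/lib/mysql` and again at its own host path; the second mount looks redundant and widens what the container can reach, so either remove it or add a one-line comment stating why it is needed. Credentials come from `environmentFiles` backed by an age secret, which is the right place for them. The container definition starts above the hunk.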
|
||||
|
||||
|
|
|
@ -1,4 +1,10 @@
|
|||
{ lib, config, inputs, pkgs, ... }:
|
||||
{
|
||||
lib,
|
||||
config,
|
||||
inputs,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (config.networking) domain;
|
||||
puffer_port = 8080;
|
||||
|
@ -6,7 +12,8 @@ let
|
|||
puffer_host = "puffer.${domain}";
|
||||
tlemap_host = "tlemap.${domain}";
|
||||
tlemap_port = 8100;
|
||||
in {
|
||||
in
|
||||
{
|
||||
services.pufferpanel = {
|
||||
enable = true;
|
||||
environment = {
|
||||
|
@ -35,10 +42,19 @@ in {
|
|||
proxyPass = "http://127.0.0.1:${builtins.toString tlemap_port}";
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
security.acme.certs."${domain}".extraDomainNames = [ puffer_host tlemap_host ];
|
||||
networking.firewall.allowedTCPPorts = [ puffer_sftp_port 25565 25566 25567 25568 7270 ];
|
||||
security.acme.certs."${domain}".extraDomainNames = [
|
||||
puffer_host
|
||||
tlemap_host
|
||||
];
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
puffer_sftp_port
|
||||
25565
|
||||
25566
|
||||
25567
|
||||
25568
|
||||
7270
|
||||
];
|
||||
|
||||
# virtualisation.podman.enable = true;
|
||||
virtualisation.docker.enable = true;
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
{config, pkgs, ...}: let
|
||||
{ config, pkgs, ... }:
|
||||
let
|
||||
git_user = "Grimmauld";
|
||||
in {
|
||||
in
|
||||
{
|
||||
environment.systemPackages = with pkgs; [
|
||||
(writeShellScriptBin "silent-add" "git add --intent-to-add $@ ; git update-index --assume-unchanged $@")
|
||||
(writeShellScriptBin "systemd-owner" "systemctl show -pUser,UID $@")
|
||||
|
@ -39,7 +41,12 @@ in {
|
|||
'';
|
||||
packages.myVimPackage = with pkgs.vimPlugins; {
|
||||
# loaded on launch
|
||||
start = [ vim-nix vim-scala fugitive autoclose-nvim ];
|
||||
start = [
|
||||
vim-nix
|
||||
vim-scala
|
||||
fugitive
|
||||
autoclose-nvim
|
||||
];
|
||||
# manually loadable by calling `:packadd $plugin-name`
|
||||
opt = [ ];
|
||||
};
|
||||
|
|
|
@ -6,7 +6,10 @@ let
|
|||
contabo_nix_pub = "ssh-rsa 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";
|
||||
in
|
||||
{
|
||||
"nextcloud_pass.age".publicKeys = [ laptop_pub laptop_pub_ed ];
|
||||
"nextcloud_pass.age".publicKeys = [
|
||||
laptop_pub
|
||||
laptop_pub_ed
|
||||
];
|
||||
|
||||
# "duckdns_token.age".publicKeys = [ contabo_nix_pub ];
|
||||
"synapse_db_pass.age".publicKeys = [ contabo_nix_pub ];
|
||||
|
|
|
@ -1,12 +1,20 @@
|
|||
{ lib, config, inputs, pkgs, ... }:
|
||||
{
|
||||
lib,
|
||||
config,
|
||||
inputs,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
inherit (config.networking) domain;
|
||||
in {
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
in
|
||||
{
|
||||
imports = [ ./hardware-configuration.nix ];
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
80
|
||||
443
|
||||
];
|
||||
networking.hostName = "grimmauld-nixos-server";
|
||||
networking.domain = "grimmauld.de";
|
||||
services.openssh.enable = true;
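Review bot: `services.openssh.enable = true;` is the only sshd setting visible for this server, so unless another module hardens it, the NixOS defaults apply: password authentication remains enabled, root login is `prohibit-password`, and the module opens port 22 in the firewall. On an internet-facing host that also exposes 80 and 443, add `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.PermitRootLogin = "no";` next to the enable line; the fail2ban jail elsewhere in this repository slows brute force but does not remove the exposure. If those settings already live in a shared module, a comment here pointing to it would save the next reader the search. The module's attribute set continues beyond the hunk.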
|
||||
|
|
|
@ -2,12 +2,19 @@
|
|||
{
|
||||
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
|
||||
boot.loader.grub.device = "/dev/sda";
|
||||
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
|
||||
boot.initrd.availableKernelModules = [
|
||||
"ata_piix"
|
||||
"uhci_hcd"
|
||||
"xen_blkfront"
|
||||
"vmw_pvscsi"
|
||||
];
|
||||
boot.initrd.kernelModules = [ "nvme" ];
|
||||
fileSystems."/" = { device = "/dev/sda3"; fsType = "ext4"; };
|
||||
fileSystems."/" = {
|
||||
device = "/dev/sda3";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
environment.sessionVariables = {
|
||||
OMP_NUM_THREADS = "8";
|
||||
};
|
||||
|
||||
}
|
||||
|
|
|
@ -35,7 +35,9 @@
|
|||
{ remote = "Videos"; }
|
||||
];
|
||||
|
||||
packages = with pkgs; lib.optionals config.grimmShared.graphical [
|
||||
packages =
|
||||
with pkgs;
|
||||
lib.optionals config.grimmShared.graphical [
|
||||
webcord
|
||||
discord
|
||||
obs-studio
|
||||
|
|