Initial commit.

2024-12-18 18:19:37 -06:00 · 2024-12-18 18:19:37 -06:00 · 67823cbed6
commit 67823cbed6
51 changed files with 1714 additions and 0 deletions
--- a/roles/authelia.nix
+++ b/roles/authelia.nix
@ -0,0 +1,110 @@
+{ config, ... }:
+
+{
+  age.secrets = {
+    ldap = {
+      mode = "440";
+      group = "authelia-main";
+    };
+    jwt = {
+      file = ../secrets/jwt.age;
+      owner = "authelia-main";
+      group = "authelia-main";
+      mode = "440";
+    };
+    autheliaSession = {
+      file = ../secrets/authelia_session.age;
+      owner = "authelia-main";
+      group = "authelia-main";
+      mode = "440";
+    };
+    autheliaStorageEncryptionKey = {
+      file = ../secrets/authelia_storage.age;
+      owner = "authelia-main";
+      group = "authelia-main";
+      mode = "440";
+    };
+  };
+  services = {
+    postgresql = {
+      ensureDatabases = [ "authelia" ];
+      ensureUsers = [
+        {
+          name = "authelia";
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+    authelia.instances.main = {
+      enable = true;
+      secrets = {
+        jwtSecretFile = config.age.secrets.jwt.path;
+        sessionSecretFile = config.age.secrets.autheliaSession.path;
+        storageEncryptionKeyFile = config.age.secrets.autheliaStorageEncryptionKey.path;
+      };
+      environmentVariables = {
+        AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.age.secrets.ldap.path;
+      };
+      settings = {
+        authentication_backend = {
+          password_reset.disable = false;
+          refresh_interval = "1m";
+
+          ldap = {
+            implementation = "custom";
+            address = "ldap://localhost:3890";
+            timeout = "5s";
+            start_tls = false;
+            base_dn = "dc=thewordnerd,dc=info";
+            additional_users_dn = "ou=people";
+            users_filter = "(&({username_attribute}={input})(objectClass=person))";
+            additional_groups_dn = "ou=groups";
+            groups_filter = "(member={dn})";
+            user = "uid=service,ou=people,dc=thewordnerd,dc=info";
+            attributes = {
+              username = "uid";
+              display_name = "displayName";
+              group_name = "cn";
+              mail = "mail";
+            };
+          };
+        };
+        storage = {
+          postgres = {
+            address = "/run/postgresql";
+            database = "authelia";
+            username = "authelia";
+            password = "trusted";
+          };
+        };
+        access_control = {
+          rules = [
+            {
+              domain = "*.thewordnerd.info";
+              policy = "one_factor";
+            }
+          ];
+        };
+        session = {
+          cookies = [
+            {
+              domain = "thewordnerd.info";
+              authelia_url = "https://auth.thewordnerd.info";
+            }
+          ];
+        };
+        notifier = {
+          filesystem = {
+            filename = "/tmp/authelia.txt";
+          };
+        };
+        server.endpoints.authz.forward-auth.implementation = "ForwardAuth";
+      };
+    };
+    caddy.globalConfig = ''
+      servers {
+        trusted_proxies static 192.168.0.1
+      }
+    '';
+  };
+}
--- a/roles/caddy.nix
+++ b/roles/caddy.nix
@ -0,0 +1,10 @@
+{
+  services.caddy = {
+    enable = true;
+    email = "nolan@thewordnerd.info";
+  };
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+}
--- a/roles/espeakup.nix
+++ b/roles/espeakup.nix
@ -0,0 +1,5 @@
+{
+  imports = [ ../espeakup.nix ];
+
+  services.espeakup.enable = true;
+}
--- a/roles/flatpak.nix
+++ b/roles/flatpak.nix
@ -0,0 +1,7 @@
+{
+  services.flatpak.enable = true;
+  xdg.portal.enable = true;
+  environment.profileRelativeSessionVariables.PATH = [
+    "$HOME/.local/share/flatpak/exports/bin"
+  ];
+}
--- a/roles/games.nix
+++ b/roles/games.nix
@ -0,0 +1,18 @@
+{ pkgs, ... }:
+
+{
+  imports = [
+    ./nix-ld.nix
+  ];
+
+  programs.steam = {
+    enable = true;
+    remotePlay.openFirewall = true;
+    localNetworkGameTransfers.openFirewall = true;
+  };
+
+  environment.systemPackages = with pkgs; [
+    steam-tui
+    steamcmd
+  ];
+}
--- a/roles/gnome.nix
+++ b/roles/gnome.nix
@ -0,0 +1,19 @@
+{ pkgs, ... }:
+
+{
+
+  imports = [
+    ./gui.nix
+  ];
+
+  services = {
+    xserver.desktopManager.gnome.enable = true;
+    gnome.gnome-browser-connector.enable = true;
+  };
+
+  programs.gnome-terminal.enable = true;
+  environment.gnome.excludePackages = with pkgs; [
+    gnome-console
+    gnome-tour
+  ];
+}
--- a/roles/gui.nix
+++ b/roles/gui.nix
@ -0,0 +1,35 @@
+{ pkgs, ... }:
+
+{
+
+  imports = [
+    ./pipewire.nix
+    ./non-virtual.nix
+  ];
+
+  services = {
+    orca = {
+      enable = true;
+      package = pkgs.unstable.orca;
+    };
+    xserver = {
+      enable = true;
+      xkb.layout = "us";
+      displayManager.lightdm = {
+        enable = true;
+        greeters.gtk = {
+          extraConfig = ''
+            a11y-states = +reader
+            reader = orca
+          '';
+        };
+      };
+      excludePackages = [ pkgs.xterm ];
+    };
+  };
+
+  users.users.lightdm.extraGroups = [
+    "pipewire"
+    "pulse-access"
+  ];
+}
--- a/roles/k3s.nix
+++ b/roles/k3s.nix
@ -0,0 +1,26 @@
+{ config, pkgs, ... }:
+
+{
+  networking.firewall = {
+    allowedTCPPorts = [
+      6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
+      # 2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration
+      # 2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration
+    ];
+    # allowedUDPPorts = [
+    # 8472 # k3s, flannel: required if using multi-node for inter-node networking
+    # ];
+  };
+  services.k3s = {
+    enable = true;
+    role = "server";
+  };
+  environment.systemPackages = [ pkgs.nfs-utils ];
+  services.openiscsi = {
+    enable = true;
+    name = "${config.networking.hostName}-initiatorhost";
+  };
+  systemd.tmpfiles.rules = [
+    "L+ /usr/local/bin - - - - /run/current-system/sw/bin/"
+  ];
+}
--- a/roles/lldap.nix
+++ b/roles/lldap.nix
@ -0,0 +1,25 @@
+{
+  services = {
+    postgresql = {
+      ensureDatabases = [ "lldap" ];
+      ensureUsers = [
+        {
+          name = "lldap";
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+    lldap = {
+      enable = true;
+      settings = {
+        ldap_user_email = "nolan@thewordnerd.info";
+        ldap_base_dn = "dc=thewordnerd,dc=info";
+        http_url = "https://users.thewordnerd.info";
+        database_url = "postgres://lldap@localhost/lldap";
+      };
+    };
+  };
+  networking.firewall.interfaces."ve-+".allowedTCPPorts = [
+    3890
+  ];
+}
--- a/roles/mate.nix
+++ b/roles/mate.nix
@ -0,0 +1,19 @@
+{ pkgs, ... }:
+
+{
+
+  imports = [
+    ./gui.nix
+  ];
+
+  hardware.bluetooth.enable = true;
+  services = {
+    xserver.desktopManager.mate.enable = true;
+    blueman.enable = true;
+  };
+
+  programs.nm-applet = {
+    enable = true;
+    indicator = false;
+  };
+}
--- a/roles/media-pc.nix
+++ b/roles/media-pc.nix
@ -0,0 +1,18 @@
+{ config, lib, ... }:
+
+{
+  options.services.mediaPC = {
+    enable = lib.mkEnableOption "Media PC";
+    autoLoginUser = lib.mkOption {
+      type = lib.types.str;
+      description = "User to autologin as";
+    };
+  };
+
+  config = lib.mkIf config.services.mediaPC.enable {
+    programs.firefox = {
+      enable = true;
+      # package = pkgs.firefox.override { nativeMessagingHosts = [ pkgs.gnome-browser-connector ]; };
+    };
+  };
+}
--- a/roles/minio.nix
+++ b/roles/minio.nix
@ -0,0 +1,6 @@
+{ pkgs, ... }:
+
+{
+  services.minio.enable = true;
+  environment.systemPackages = with pkgs; [ minio-client ];
+}
--- a/roles/networkmanager.nix
+++ b/roles/networkmanager.nix
@ -0,0 +1,3 @@
+{
+  networking.networkmanager.enable = true;
+}
--- a/roles/nginx.nix
+++ b/roles/nginx.nix
@ -0,0 +1,17 @@
+{
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+  };
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "nolan@thewordnerd.info";
+  };
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+}
--- a/roles/nix-ld.nix
+++ b/roles/nix-ld.nix
@ -0,0 +1,8 @@
+{ pkgs, ... }:
+
+{
+  programs.nix-ld = {
+    enable = true;
+    package = pkgs.nix-ld-rs;
+  };
+}
--- a/roles/non-virtual.nix
+++ b/roles/non-virtual.nix
@ -0,0 +1,7 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    usbutils
+    pciutils
+  ];
+}
--- a/roles/pipewire.nix
+++ b/roles/pipewire.nix
@ -0,0 +1,14 @@
+{
+  hardware.pulseaudio.enable = false;
+
+  security.rtkit.enable = true;
+
+  services.pipewire = {
+    enable = true;
+    systemWide = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+    jack.enable = true;
+  };
+}
--- a/roles/podman.nix
+++ b/roles/podman.nix
@ -0,0 +1,7 @@
+{
+  virtualisation.podman = {
+    enable = true;
+    dockerCompat = true;
+    dockerSocket.enable = true;
+  };
+}
--- a/roles/portunus.nix
+++ b/roles/portunus.nix
@ -0,0 +1,14 @@
+{
+  services = {
+    portunus = {
+      enable = true;
+      domain = "users.thewordnerd.info";
+      ldap = {
+        suffix = "dc=thewordnerd,dc=info";
+      };
+    };
+  };
+  networking.firewall.interfaces."ve-+".allowedTCPPorts = [
+    389
+  ];
+}
--- a/roles/postgres.nix
+++ b/roles/postgres.nix
@ -0,0 +1,20 @@
+{ pkgs, ... }:
+
+{
+  services.postgresql = {
+    enable = true;
+    identMap = ''
+      # ArbitraryMapName systemUser DBUser
+         superuser_map      root      postgres
+         superuser_map      postgres  postgres
+         # Let other names login as themselves
+         superuser_map      /^(.*)$   \1
+    '';
+    authentication = pkgs.lib.mkOverride 10 ''
+      local all  postgres     peer        map=superuser_map
+      local sameuser all trust
+      host  all      all     127.0.0.1/32   trust
+      host all       all     ::1/128        trust
+    '';
+  };
+}
--- a/roles/tailscale.nix
+++ b/roles/tailscale.nix
@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+
+{
+  services.tailscale.enable = true;
+}
--- a/roles/traefik.nix
+++ b/roles/traefik.nix
@ -0,0 +1,39 @@
+{ config, ... }:
+
+{
+  services.traefik = {
+    enable = true;
+    staticConfigOptions = {
+      providers = {
+        docker = { };
+      };
+      entryPoints = {
+        web = {
+          address = ":80";
+          asDefault = true;
+          http.redirections.entrypoint = {
+            to = "websecure";
+            scheme = "https";
+          };
+        };
+
+        websecure = {
+          address = ":443";
+          asDefault = true;
+          http.tls.certResolver = "letsencrypt";
+        };
+      };
+
+      certificatesResolvers.letsencrypt.acme = {
+        email = "nolan@thewordnerd.info";
+        storage = "${config.services.traefik.dataDir}/acme.json";
+        httpChallenge.entryPoint = "web";
+      };
+    };
+  };
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+  users.users.traefik.extraGroups = [ "podman" ];
+}
--- a/roles/vscode-remote.nix
+++ b/roles/vscode-remote.nix
@ -0,0 +1,12 @@
+{ pkgs, ... }:
+
+{
+  imports = [
+    ./nix-ld.nix
+  ];
+
+  environment.systemPackages = with pkgs; [
+    nil
+    nixfmt-rfc-style
+  ];
+}
--- a/roles/zfs.nix
+++ b/roles/zfs.nix
@ -0,0 +1,27 @@
+{
+  services.zfs.autoScrub.enable = true;
+
+  services.sanoid = {
+    enable = true;
+    templates.backup = {
+      hourly = 36;
+      daily = 30;
+      monthly = 12;
+      yearly = 1;
+      autoprune = true;
+      autosnap = true;
+    };
+
+    datasets."zpool/root" = {
+      useTemplate = [ "backup" ];
+    };
+
+    datasets."zpool/home" = {
+      useTemplate = [ "backup" ];
+    };
+
+    datasets."zpool/var" = {
+      useTemplate = [ "backup" ];
+    };
+  };
+}