Add garden and updates.

This commit is contained in:
Nolan Darilek 2024-12-23 11:20:27 -06:00
parent 67823cbed6
commit dab0af910b
14 changed files with 216 additions and 24 deletions

flake.lock generated

@ -103,11 +103,11 @@
]
},
"locked": {
"lastModified": 1733951536,
"narHash": "sha256-Zb5ZCa7Xj+0gy5XVXINTSr71fCfAv+IKtmIXNrykT54=",
"lastModified": 1734366194,
"narHash": "sha256-vykpJ1xsdkv0j8WOVXrRFHUAdp9NXHpxdnn1F4pYgSw=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "1318c3f3b068cdcea922fa7c1a0a1f0c96c22f5f",
"rev": "80b0fdf483c5d1cb75aaad909bd390d48673857f",
"type": "github"
},
"original": {
@ -119,11 +119,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1733861262,
"narHash": "sha256-+jjPup/ByS0LEVIrBbt7FnGugJgLeG9oc+ivFASYn2U=",
"lastModified": 1734352517,
"narHash": "sha256-mfv+J/vO4nqmIOlq8Y1rRW8hVsGH3M+I2ESMjhuebDs=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "cf737e2eba82b603f54f71b10cb8fd09d22ce3f5",
"rev": "b12e314726a4226298fe82776b4baeaa7bcf3dcd",
"type": "github"
},
"original": {
@ -166,11 +166,11 @@
},
"nixpkgsUnstable": {
"locked": {
"lastModified": 1733759999,
"narHash": "sha256-463SNPWmz46iLzJKRzO3Q2b0Aurff3U1n0nYItxq7jU=",
"lastModified": 1734424634,
"narHash": "sha256-cHar1vqHOOyC7f1+tVycPoWTfKIaqkoe1Q6TnKzuti4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a73246e2eef4c6ed172979932bc80e1404ba2d56",
"rev": "d3c42f187194c26d9f0309a8ecc469d6c878ce33",
"type": "github"
},
"original": {
@ -182,11 +182,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1733808091,
"narHash": "sha256-KWwINTQelKOoQgrXftxoqxmKFZb9pLVfnRvK270nkVk=",
"lastModified": 1734600368,
"narHash": "sha256-nbG9TijTMcfr+au7ZVbKpAhMJzzE2nQBYmRvSdXUD8g=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a0f3e10d94359665dba45b71b4227b0aeb851f8e",
"rev": "b47fd6fa00c6afca88b8ee46cfdb00e104f50bca",
"type": "github"
},
"original": {


@ -97,6 +97,22 @@
./hosts/hub
];
};
garden = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
agenix.nixosModules.default
{
environment.systemPackages = [ agenix.packages.${system}.default ];
}
(
{ config, pkgs, ... }:
{
nixpkgs.overlays = [ overlayUnstable ];
}
)
./hosts/garden
];
};
};
};
}
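Review bot: The inline module at L87–L92 binds `config` and `pkgs` but uses neither, so the parenthesised function can be the plain attrset `{ nixpkgs.overlays = [ overlayUnstable ]; }` in the `modules` list. The enclosing `outputs` set starts before this hunk, so I cannot see where `overlayUnstable` is bound; presumably the hub entry above uses the same `let` value. If garden is meant to mirror hub's module list, a one-line comment on the `garden =` line saying which roles were deliberately left out would spare the next reader a side-by-side comparison.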

hosts/garden/default.nix Normal file

@ -0,0 +1,17 @@
{ ... }:
{
imports = [
./hardware-configuration.nix
../../base.nix
../../users/root.nix
../../roles/tailscale.nix
../../roles/caddy.nix
../../roles/vscode-remote.nix
../../roles/syncthing.nix
];
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
networking.hostName = "GARDEN";
system.stateVersion = "23.11";
}
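Review bot: `../../roles/caddy.nix` is imported here, and in this commit that role reads `config.age.secrets.tsAuthKey.path`, yet the secrets.nix hunk declares `"ts_auth_key.age".publicKeys = [ hub ];` only, so garden has no key that can decrypt the file unless its host key is added there and the secret re-encrypted. On garden the agenix activation for that secret would fail and caddy would start without its `EnvironmentFile`, or not at all — please verify before deploying. Either add garden's key to that `publicKeys` list, or split the Tailscale-key part out of the shared caddy role into a hub-only module. Unlike hub, garden does not import `../../roles/fail2ban.nix` although it exposes 80/443 through the caddy role; if that is intentional (for example because SSH is reached only over Tailscale), a comment in the `imports` list would say so.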


@ -0,0 +1,14 @@
{ modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub = {
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
fileSystems."/boot" = { device = "/dev/disk/by-uuid/FAAB-A09E"; fsType = "vfat"; };
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
}
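Review bot: `fileSystems."/"` is pinned by the device node `/dev/sda1` while `/boot` is pinned by `/dev/disk/by-uuid/...`; with `xen_blkfront` and `vmw_pvscsi` both listed, the root disk's node name can differ between hypervisors, so addressing root by UUID or label the same way as `/boot` is safer. If this file was produced by `nixos-generate-config` and then trimmed, a header comment saying so tells the next maintainer whether regenerating it is safe.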


@ -66,10 +66,14 @@
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
environment.sessionVariables = {
PATH = [ "${pkgs.gitea}/bin" ];
GITEA_WORK_DIR = "/var/lib/gitea";
};
};
bindMounts = {
"/run/postgresql/.s.PGSQL.5432" = {
hostPath = "/run/postgresql/.s.PGSQL.5432";
"/run/postgresql" = {
hostPath = "/run/postgresql";
};
};
};
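Review bot: The bind mount is widened from the single socket `/run/postgresql/.s.PGSQL.5432` to the whole `/run/postgresql` directory, and the nextcloud.nix hunk makes the same change, but neither hunk records why. If the reason is that a bind of the socket itself goes stale when PostgreSQL restarts and recreates it, say so: `# bind the directory, not the socket: postgres recreates the socket on restart`. `hostPath = "/run/postgresql";` equals the mount point and, if I remember the nixos-containers module correctly, is what an unset `hostPath` defaults to, so the line is likely redundant. The enclosing `containers.<name>` block starts before this hunk.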


@ -31,7 +31,7 @@
package = pkgs.nextcloud30;
configureRedis = true;
maxUploadSize = "16G";
autoUpdateApps.enable = true;
# autoUpdateApps.enable = true;
notify_push.enable = true;
webfinger = true;
settings = {
@ -44,6 +44,7 @@
dbhost = "/run/postgresql";
adminpassFile = "/etc/nextcloud-admin-pass";
};
phpOptions."opcache.interned_strings_buffer" = "23";
};
onlyoffice = {
enable = true;
@ -51,6 +52,7 @@
};
resolved.enable = true;
};
programs.nix-ld.enable = true;
networking = {
firewall.allowedTCPPorts = [ 80 ];
useHostResolvConf = lib.mkForce false;
@ -62,11 +64,14 @@
};
};
bindMounts = {
"/run/postgresql/.s.PGSQL.5432" = {
hostPath = "/run/postgresql/.s.PGSQL.5432";
"/run/postgresql" = {
hostPath = "/run/postgresql";
};
};
};
services.caddy.virtualHosts."nextcloud.thewordnerd.info".extraConfig = ''reverse_proxy nextcloud'';
services.caddy.virtualHosts."nextcloud.thewordnerd.info".extraConfig = ''
reverse_proxy nextcloud
header Strict-Transport-Security max-age=31536000;
'';
}
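Review bot: `header Strict-Transport-Security max-age=31536000;` keeps a trailing semicolon; Caddy 2's Caddyfile has no statement terminator, so the value actually sent is `max-age=31536000;` — RFC 6797 tolerates the empty trailing directive, but it reads like an nginx habit and should be `header Strict-Transport-Security max-age=31536000`. Whether `includeSubDomains` belongs there is the domain owner's call, but this commit adds several more subdomains under the same zone, so decide and note it. `# autoUpdateApps.enable = true;` is commented out with no reason; either delete the line or replace it with a why-comment such as `# app auto-update disabled: <reason>`. `programs.nix-ld.enable = true;` inside the container config is unexpected next to a web stack and deserves a one-line comment naming what needs it.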


@ -10,6 +10,7 @@
../../roles/zfs.nix
../../base.nix
../../users/root.nix
../../roles/fail2ban.nix
../../roles/tailscale.nix
../../roles/lldap.nix
../../roles/authelia.nix
@ -18,6 +19,7 @@
../../roles/caddy.nix
../../roles/vscode-remote.nix
../../roles/postgres.nix
../../roles/syncthing.nix
./apps/dev.nix
./apps/nextcloud.nix
];
@ -64,11 +66,6 @@
acceptTerms = true;
defaults.email = "nolan@thewordnerd.info";
certs."thewordnerd.info" = {
domain = "*.thewordnerd.info";
dnsProvider = "cloudflare";
environmentFile = config.age.secrets.cloudflareApi.path;
};
certs."hub.thewordnerd.info" = {
dnsProvider = "cloudflare";
environmentFile = config.age.secrets.cloudflareApi.path;
};
@ -103,6 +100,15 @@
};
};
services.fail2ban.jails = {
dovecot.settings = {
filter = "dovecot[mode=aggressive]";
};
postfix.settings = {
filter = "postfix[mode=aggressive]";
};
};
services.caddy.virtualHosts."users.thewordnerd.info".extraConfig =
''reverse_proxy localhost:17170'';
@ -110,6 +116,22 @@
reverse_proxy localhost:9091
'';
services.authelia.instances.main.settings.access_control.rules = [
{
domain = "syncthing.thewordnerd.info";
policy = "one_factor";
}
];
services.caddy.virtualHosts."syncthing.thewordnerd.info".extraConfig = ''
forward_auth localhost:9091 {
uri /api/authz/forward-auth
}
reverse_proxy localhost:8384 {
header_up Host {upstream_hostport}
}
'';
services.caddy.virtualHosts."www.thewordnerd.info".extraConfig = ''
file_server
root * /var/www/thewordnerd.info
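Review bot: The Authelia rule for `syncthing.thewordnerd.info` uses `policy = "one_factor"` with no `subject` restriction, so any account in the instance can reach the Syncthing GUI, which can add devices and shares; as far as this commit shows, roles/syncthing.nix sets no GUI user/password, making forward_auth the only gate, and `two_factor` or a `subject = [ "user:<name>" ]` restriction would better match that surface. `header_up Host {upstream_hostport}` is required because Syncthing rejects requests with an unexpected Host header; add `# Syncthing's host check needs the upstream Host` so nobody removes it. By the hunk counts (11 old, 6 new), the `certs."thewordnerd.info"` wildcard block is removed and only the `hub.thewordnerd.info` cert remains; since I cannot see the mail configuration, please confirm dovecot/postfix still point at a certificate that exists. The hunk ends inside the `www.thewordnerd.info` virtual host, whose body continues past it.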

pkgs/caddy.nix Normal file

@ -0,0 +1,86 @@
{
lib,
buildGoModule,
fetchFromGitHub,
nixosTests,
caddy,
testers,
installShellFiles,
stdenv,
}:
let
version = "2.8.4";
dist = fetchFromGitHub {
owner = "caddyserver";
rev = "f21c01b660c896bdd6bacc37178dc00d9af282b4";
repo = "dist";
hash = "sha256-O4s7PhSUTXoNEIi+zYASx8AgClMC5rs7se863G6w+l0=";
};
in
buildGoModule {
pname = "caddy";
version = "0-unstable-2024-12-22";
src = fetchFromGitHub {
owner = "tailscale";
repo = "caddy-tailscale";
rev = "f21c01b660c896bdd6bacc37178dc00d9af282b4";
hash = "sha256-CBfyqtWp3gYsYwaIxbfXO3AYaBiM7LutLC7uZgYXfkQ=";
};
vendorHash = "sha256-1Api8bBZJ1/oYk4ZGIiwWCSraLzK9L+hsKXkFtk6iVM=";
subPackages = [ "cmd/caddy" ];
ldflags = [
"-s"
"-w"
"-X github.com/caddyserver/caddy/v2.CustomVersion=${version}"
];
# matches upstream since v2.8.0
tags = [ "nobadger" ];
nativeBuildInputs = [ installShellFiles ];
postInstall =
''
install -Dm644 ${dist}/init/caddy.service ${dist}/init/caddy-api.service -t $out/lib/systemd/system
substituteInPlace $out/lib/systemd/system/caddy.service \
--replace-fail "/usr/bin/caddy" "$out/bin/caddy"
substituteInPlace $out/lib/systemd/system/caddy-api.service \
--replace-fail "/usr/bin/caddy" "$out/bin/caddy"
''
+ lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) ''
# Generating man pages and completions fail on cross-compilation
# https://github.com/NixOS/nixpkgs/issues/308283
$out/bin/caddy manpage --directory manpages
installManPage manpages/*
installShellCompletion --cmd caddy \
--bash <($out/bin/caddy completion bash) \
--fish <($out/bin/caddy completion fish) \
--zsh <($out/bin/caddy completion zsh)
'';
passthru.tests = {
inherit (nixosTests) caddy;
version = testers.testVersion {
command = "${caddy}/bin/caddy version";
package = caddy;
};
};
meta = with lib; {
homepage = "https://caddyserver.com";
description = "Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS";
license = licenses.asl20;
mainProgram = "caddy";
maintainers = with maintainers; [
Br1ght0ne
emilylange
techknowlogick
];
};
}
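Review bot: `dist` and `src` pin the same commit `f21c01b660c896bdd6bacc37178dc00d9af282b4` for two different repositories (`caddyserver/dist` at L287, `tailscale/caddy-tailscale` at L298); one git commit does not normally exist in both, so one of the fetches will 404 or its fixed-output hash will not match — the `dist` rev looks copied from the `src` block. `ldflags` stamps `CustomVersion=2.8.4` from the `let` binding while the derivation's `version` is `0-unstable-2024-12-22`, so `caddy version` will report 2.8.4 whatever Caddy release the fork's go.mod actually pulls in, which hides the real version from anyone checking for security fixes. `passthru.tests.version` runs `${caddy}/bin/caddy version` against the `caddy` argument (the nixpkgs package), not this build, so it tests nothing about this derivation. Because the server binary now comes from a pinned commit of a third-party fork, Caddy security updates depend on bumping `rev` and `vendorHash` by hand; a header comment such as `# nixpkgs' caddy expression rebuilt from the caddy-tailscale tree; bump rev/vendorHash to pick up Caddy releases` and dropping the copied `meta.maintainers` would make that ownership explicit.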


@ -1,10 +1,20 @@
{ config, pkgs, ... }:
{
services.caddy = {
enable = true;
package = pkgs.callPackage ../pkgs/caddy.nix { };
email = "nolan@thewordnerd.info";
};
networking.firewall.allowedTCPPorts = [
80
443
];
age.secrets.tsAuthKey = {
file = ../secrets/ts_auth_key.age;
owner = config.services.caddy.user;
group = config.services.caddy.group;
mode = "600";
};
systemd.services.caddy.serviceConfig.EnvironmentFile = config.age.secrets.tsAuthKey.path;
}
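Review bot: `systemd.services.caddy.serviceConfig.EnvironmentFile` is set directly; the NixOS caddy module exposes `services.caddy.environmentFile`, which feeds the same setting and avoids a merge conflict if that option is set elsewhere — please confirm it exists in the pinned nixpkgs. The `owner`/`group`/`mode = "600"` values are reasonable, though systemd reads `EnvironmentFile` as root before dropping privileges, so ownership by the caddy user is harmless rather than required. Nothing says what the key is for; since `package` now points at the caddy-tailscale build in `../pkgs/caddy.nix`, add `# Tailscale auth key consumed by the caddy-tailscale plugin; the variable name in the file must match what the plugin reads` above the secret. This role is imported by both hub and garden in this commit, so every importing host must be able to decrypt `ts_auth_key.age`.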

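--- /dev/null
+++ b/roles/fail2ban.nix
@@ -0,0 +1,6 @@
+{
+services.fail2ban = {
+enable = true;
+ignoreIP = [ "192.168.0.0/16" ];
+};
+}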
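Review bot: `ignoreIP` exempts only the LAN; hosts importing this role also run `roles/tailscale.nix`, and peers arriving over Tailscale (100.64.0.0/10) remain subject to bans with nothing saying that is intended. A one-line note settles it either way, for example `# LAN exempt; Tailscale peers are not, so repeated failures from a peer still ban it`. In this commit only hub imports the role while garden, which exposes 80/443 via the caddy role, does not — worth confirming that is deliberate.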

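--- /dev/null
+++ b/roles/syncthing.nix
@@ -0,0 +1,6 @@
+{
+services.syncthing = {
+enable = true;
+openDefaultPorts = true;
+};
+}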
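Review bot: `openDefaultPorts = true` opens the sync port 22000 (TCP/UDP) and discovery port 21027/UDP in the firewall of every host importing this role; a comment naming those ports makes the exposure visible from the host file. No GUI settings are given, so the GUI stays on the module default (localhost:8384), which is what the hub Caddy/Authelia config proxies, and on garden it is reachable only locally as far as this commit shows. If GUI credentials are configured outside this commit, say so here; otherwise consider setting them under `services.syncthing.settings.gui` (if the pinned module has it) as a second layer behind hub's forward_auth.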


@ -13,4 +13,5 @@ in
"authelia_session.age".publicKeys = [ hub ];
"authelia_storage.age".publicKeys = [ hub ];
"cloudflare_api.age".publicKeys = [ hub ];
"ts_auth_key.age".publicKeys = [ hub ];
}

secrets/ts_auth_key.age Normal file

Binary file not shown.


@ -14,7 +14,12 @@
programs = {
firefox = {
enable = true;
package = pkgs.firefox.override { nativeMessagingHosts = [ pkgs.gnome-browser-connector ]; };
package = pkgs.firefox.override {
nativeMessagingHosts = with pkgs; [
firefoxpwa
gnome-browser-connector
];
};
};
};
};