nolan/nixos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add garden and updates.

Browse Source
This commit is contained in:
Nolan Darilek 2024-12-23 11:20:27 -06:00
parent 67823cbed6
commit dab0af910b
14 changed files with 216 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
flake.lock generated
View File

@ -103,11 +103,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1733951536, "lastModified": 1734366194,
"narHash": "sha256-Zb5ZCa7Xj+0gy5XVXINTSr71fCfAv+IKtmIXNrykT54=", "narHash": "sha256-vykpJ1xsdkv0j8WOVXrRFHUAdp9NXHpxdnn1F4pYgSw=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "1318c3f3b068cdcea922fa7c1a0a1f0c96c22f5f", "rev": "80b0fdf483c5d1cb75aaad909bd390d48673857f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -119,11 +119,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1733861262, "lastModified": 1734352517,
"narHash": "sha256-+jjPup/ByS0LEVIrBbt7FnGugJgLeG9oc+ivFASYn2U=", "narHash": "sha256-mfv+J/vO4nqmIOlq8Y1rRW8hVsGH3M+I2ESMjhuebDs=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "cf737e2eba82b603f54f71b10cb8fd09d22ce3f5", "rev": "b12e314726a4226298fe82776b4baeaa7bcf3dcd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -166,11 +166,11 @@
}, },
"nixpkgsUnstable": { "nixpkgsUnstable": {
"locked": { "locked": {
"lastModified": 1733759999, "lastModified": 1734424634,
"narHash": "sha256-463SNPWmz46iLzJKRzO3Q2b0Aurff3U1n0nYItxq7jU=", "narHash": "sha256-cHar1vqHOOyC7f1+tVycPoWTfKIaqkoe1Q6TnKzuti4=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a73246e2eef4c6ed172979932bc80e1404ba2d56", "rev": "d3c42f187194c26d9f0309a8ecc469d6c878ce33",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -182,11 +182,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1733808091, "lastModified": 1734600368,
"narHash": "sha256-KWwINTQelKOoQgrXftxoqxmKFZb9pLVfnRvK270nkVk=", "narHash": "sha256-nbG9TijTMcfr+au7ZVbKpAhMJzzE2nQBYmRvSdXUD8g=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a0f3e10d94359665dba45b71b4227b0aeb851f8e", "rev": "b47fd6fa00c6afca88b8ee46cfdb00e104f50bca",
"type": "github" "type": "github"
}, },
"original": { "original": {

16
flake.nix
View File

@ -97,6 +97,22 @@
./hosts/hub ./hosts/hub
]; ];
}; };
garden = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
agenix.nixosModules.default
{
environment.systemPackages = [ agenix.packages.${system}.default ];
}
(
{ config, pkgs, ... }:
{
nixpkgs.overlays = [ overlayUnstable ];
}
)
./hosts/garden
];
};
}; };
}; };
} }

17
hosts/garden/default.nix Normal file
View File

@ -0,0 +1,17 @@
{ ... }:
{
imports = [
./hardware-configuration.nix
../../base.nix
../../users/root.nix
../../roles/tailscale.nix
../../roles/caddy.nix
../../roles/vscode-remote.nix
../../roles/syncthing.nix
];
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
networking.hostName = "GARDEN";
system.stateVersion = "23.11";
}

14
hosts/garden/hardware-configuration.nix Normal file
View File

@ -0,0 +1,14 @@
{ modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub = {
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
fileSystems."/boot" = { device = "/dev/disk/by-uuid/FAAB-A09E"; fsType = "vfat"; };
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
}

8
hosts/hub/apps/dev.nix
View File

@ -66,10 +66,14 @@
useHostResolvConf = lib.mkForce false; useHostResolvConf = lib.mkForce false;
}; };
services.resolved.enable = true; services.resolved.enable = true;
environment.sessionVariables = {
PATH = [ "${pkgs.gitea}/bin" ];
GITEA_WORK_DIR = "/var/lib/gitea";
};
}; };
bindMounts = { bindMounts = {
"/run/postgresql/.s.PGSQL.5432" = { "/run/postgresql" = {
hostPath = "/run/postgresql/.s.PGSQL.5432"; hostPath = "/run/postgresql";
}; };
}; };
}; };

13
hosts/hub/apps/nextcloud.nix
View File

@ -31,7 +31,7 @@
package = pkgs.nextcloud30; package = pkgs.nextcloud30;
configureRedis = true; configureRedis = true;
maxUploadSize = "16G"; maxUploadSize = "16G";
autoUpdateApps.enable = true; # autoUpdateApps.enable = true;
notify_push.enable = true; notify_push.enable = true;
webfinger = true; webfinger = true;
settings = { settings = {
@ -44,6 +44,7 @@
dbhost = "/run/postgresql"; dbhost = "/run/postgresql";
adminpassFile = "/etc/nextcloud-admin-pass"; adminpassFile = "/etc/nextcloud-admin-pass";
}; };
phpOptions."opcache.interned_strings_buffer" = "23";
}; };
onlyoffice = { onlyoffice = {
enable = true; enable = true;
@ -51,6 +52,7 @@
}; };
resolved.enable = true; resolved.enable = true;
}; };
programs.nix-ld.enable = true;
networking = { networking = {
firewall.allowedTCPPorts = [ 80 ]; firewall.allowedTCPPorts = [ 80 ];
useHostResolvConf = lib.mkForce false; useHostResolvConf = lib.mkForce false;
@ -62,11 +64,14 @@
}; };
}; };
bindMounts = { bindMounts = {
"/run/postgresql/.s.PGSQL.5432" = { "/run/postgresql" = {
hostPath = "/run/postgresql/.s.PGSQL.5432"; hostPath = "/run/postgresql";
}; };
}; };
}; };
services.caddy.virtualHosts."nextcloud.thewordnerd.info".extraConfig = ''reverse_proxy nextcloud''; services.caddy.virtualHosts."nextcloud.thewordnerd.info".extraConfig = ''
reverse_proxy nextcloud
header Strict-Transport-Security max-age=31536000;
'';
} }

32
hosts/hub/default.nix
View File

@ -10,6 +10,7 @@
../../roles/zfs.nix ../../roles/zfs.nix
../../base.nix ../../base.nix
../../users/root.nix ../../users/root.nix
../../roles/fail2ban.nix
../../roles/tailscale.nix ../../roles/tailscale.nix
../../roles/lldap.nix ../../roles/lldap.nix
../../roles/authelia.nix ../../roles/authelia.nix
@ -18,6 +19,7 @@
../../roles/caddy.nix ../../roles/caddy.nix
../../roles/vscode-remote.nix ../../roles/vscode-remote.nix
../../roles/postgres.nix ../../roles/postgres.nix
../../roles/syncthing.nix
./apps/dev.nix ./apps/dev.nix
./apps/nextcloud.nix ./apps/nextcloud.nix
]; ];
@ -64,11 +66,6 @@
acceptTerms = true; acceptTerms = true;
defaults.email = "nolan@thewordnerd.info"; defaults.email = "nolan@thewordnerd.info";
certs."thewordnerd.info" = { certs."thewordnerd.info" = {
domain = "*.thewordnerd.info";
dnsProvider = "cloudflare";
environmentFile = config.age.secrets.cloudflareApi.path;
};
certs."hub.thewordnerd.info" = {
dnsProvider = "cloudflare"; dnsProvider = "cloudflare";
environmentFile = config.age.secrets.cloudflareApi.path; environmentFile = config.age.secrets.cloudflareApi.path;
}; };
@ -103,6 +100,15 @@
}; };
}; };
services.fail2ban.jails = {
dovecot.settings = {
filter = "dovecot[mode=aggressive]";
};
postfix.settings = {
filter = "postfix[mode=aggressive]";
};
};
services.caddy.virtualHosts."users.thewordnerd.info".extraConfig = services.caddy.virtualHosts."users.thewordnerd.info".extraConfig =
''reverse_proxy localhost:17170''; ''reverse_proxy localhost:17170'';
@ -110,6 +116,22 @@
reverse_proxy localhost:9091 reverse_proxy localhost:9091
''; '';
services.authelia.instances.main.settings.access_control.rules = [
{
domain = "syncthing.thewordnerd.info";
policy = "one_factor";
}
];
services.caddy.virtualHosts."syncthing.thewordnerd.info".extraConfig = ''
forward_auth localhost:9091 {
uri /api/authz/forward-auth
}
reverse_proxy localhost:8384 {
header_up Host {upstream_hostport}
}
'';
services.caddy.virtualHosts."www.thewordnerd.info".extraConfig = '' services.caddy.virtualHosts."www.thewordnerd.info".extraConfig = ''
file_server file_server
root * /var/www/thewordnerd.info root * /var/www/thewordnerd.info

86
pkgs/caddy.nix Normal file
View File

@ -0,0 +1,86 @@
{
lib,
buildGoModule,
fetchFromGitHub,
nixosTests,
caddy,
testers,
installShellFiles,
stdenv,
}:
let
version = "2.8.4";
dist = fetchFromGitHub {
owner = "caddyserver";
rev = "f21c01b660c896bdd6bacc37178dc00d9af282b4";
repo = "dist";
hash = "sha256-O4s7PhSUTXoNEIi+zYASx8AgClMC5rs7se863G6w+l0=";
};
in
buildGoModule {
pname = "caddy";
version = "0-unstable-2024-12-22";
src = fetchFromGitHub {
owner = "tailscale";
repo = "caddy-tailscale";
rev = "f21c01b660c896bdd6bacc37178dc00d9af282b4";
hash = "sha256-CBfyqtWp3gYsYwaIxbfXO3AYaBiM7LutLC7uZgYXfkQ=";
};
vendorHash = "sha256-1Api8bBZJ1/oYk4ZGIiwWCSraLzK9L+hsKXkFtk6iVM=";
subPackages = [ "cmd/caddy" ];
ldflags = [
"-s"
"-w"
"-X github.com/caddyserver/caddy/v2.CustomVersion=${version}"
];
# matches upstream since v2.8.0
tags = [ "nobadger" ];
nativeBuildInputs = [ installShellFiles ];
postInstall =
''
install -Dm644 ${dist}/init/caddy.service ${dist}/init/caddy-api.service -t $out/lib/systemd/system
substituteInPlace $out/lib/systemd/system/caddy.service \
--replace-fail "/usr/bin/caddy" "$out/bin/caddy"
substituteInPlace $out/lib/systemd/system/caddy-api.service \
--replace-fail "/usr/bin/caddy" "$out/bin/caddy"
''
+ lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) ''
# Generating man pages and completions fail on cross-compilation
# https://github.com/NixOS/nixpkgs/issues/308283
$out/bin/caddy manpage --directory manpages
installManPage manpages/*
installShellCompletion --cmd caddy \
--bash <($out/bin/caddy completion bash) \
--fish <($out/bin/caddy completion fish) \
--zsh <($out/bin/caddy completion zsh)
'';
passthru.tests = {
inherit (nixosTests) caddy;
version = testers.testVersion {
command = "${caddy}/bin/caddy version";
package = caddy;
};
};
meta = with lib; {
homepage = "https://caddyserver.com";
description = "Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS";
license = licenses.asl20;
mainProgram = "caddy";
maintainers = with maintainers; [
Br1ght0ne
emilylange
techknowlogick
];
};
}

10
roles/caddy.nix
View File

@ -1,10 +1,20 @@
{ config, pkgs, ... }:
{ {
services.caddy = { services.caddy = {
enable = true; enable = true;
package = pkgs.callPackage ../pkgs/caddy.nix { };
email = "nolan@thewordnerd.info"; email = "nolan@thewordnerd.info";
}; };
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
80 80
443 443
]; ];
age.secrets.tsAuthKey = {
file = ../secrets/ts_auth_key.age;
owner = config.services.caddy.user;
group = config.services.caddy.group;
mode = "600";
};
systemd.services.caddy.serviceConfig.EnvironmentFile = config.age.secrets.tsAuthKey.path;
} }

6
roles/fail2ban.nix Normal file
View File

@ -0,0 +1,6 @@
{
services.fail2ban = {
enable = true;
ignoreIP = [ "192.168.0.0/16" ];
};
}

6
roles/syncthing.nix Normal file
View File

@ -0,0 +1,6 @@
{
services.syncthing = {
enable = true;
openDefaultPorts = true;
};
}

1
secrets/secrets.nix
View File

@ -13,4 +13,5 @@ in
"authelia_session.age".publicKeys = [ hub ]; "authelia_session.age".publicKeys = [ hub ];
"authelia_storage.age".publicKeys = [ hub ]; "authelia_storage.age".publicKeys = [ hub ];
"cloudflare_api.age".publicKeys = [ hub ]; "cloudflare_api.age".publicKeys = [ hub ];
"ts_auth_key.age".publicKeys = [ hub ];
} }

BIN
secrets/ts_auth_key.age Normal file
View File

Binary file not shown.

7
users/nolan/desktop-minimal.nix
View File

@ -14,7 +14,12 @@
programs = { programs = {
firefox = { firefox = {
enable = true; enable = true;
package = pkgs.firefox.override { nativeMessagingHosts = [ pkgs.gnome-browser-connector ]; }; package = pkgs.firefox.override {
nativeMessagingHosts = with pkgs; [
firefoxpwa
gnome-browser-connector
];
};
}; };
}; };
}; };