BeiNacht/nixos-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

vps-arm-2024-08-10-21-42-14

Browse Source
This commit is contained in:
Alexander Szczepanski
2024-08-10 21:42:14 +02:00
parent 7f0ad0a85e
commit 6c5d958f40
4 changed files with 113 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
machine/vps-arm.nix
View File

@ -46,21 +46,23 @@ in
firewall = { firewall = {
allowPing = true; allowPing = true;
allowedTCPPorts = [ allowedTCPPorts = [
80 # web 53 # adguardhome DNS
# 222 # SSH for gitea 80 # nginxs
443 # web 443 # nginx
# 9898 # i2p 853 # adguardhome DoT
]; ];
allowedUDPPorts = [ allowedUDPPorts = [
80 # web 53 # adguardhome
443 # web 80 # nginx
443 # nginx
853 # adguardhome DoT
3478 # headscale 3478 # headscale
# 9898 # i2p
# 51820 # wireguard
]; ];
}; };
}; };
nix.settings.experimental-features = [ "nix-command" "flakes" ];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
goaccess goaccess
xd xd
@ -79,6 +81,8 @@ in
}; };
services = { services = {
dnscrypt-proxy2.enable = lib.mkForce false;
nginx = { nginx = {
enable = true; enable = true;
@ -97,11 +101,19 @@ in
''; '';
virtualHosts = { virtualHosts = {
${config.services.adguardhome.settings.tls.server_name} = { "szczepan.ski" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
globalRedirect = "alexander.szczepan.ski";
};
"alexander.szczepan.ski" = {
forceSSL = true;
enableACME = true;
root = "/var/www/alexander.szczepan.ski";
locations = { locations = {
"/" = { proxyPass = "https://127.0.0.1:3003/"; }; "/" = {
tryFiles = "$uri $uri.html $uri/ =404";
};
}; };
}; };
@ -122,6 +134,7 @@ in
tailscale = { tailscale = {
enable = true; enable = true;
useRoutingFeatures = "both"; useRoutingFeatures = "both";
openFirewall = true;
}; };
fail2ban = { fail2ban = {

52
services/adguardhome.nix
View File

@ -1,29 +1,53 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let
dns-domain = "dns.szczepan.ski";
in
{ {
security.acme.certs.${dns-domain}.postRun =
''
cp fullchain.pem /var/lib/AdGuardHome/chain.pem \
&& cp key.pem /var/lib/AdGuardHome/key.pem \
&& chown adguardhome:adguardhome /var/lib/AdGuardHome/chain.pem \
&& chown adguardhome:adguardhome /var/lib/AdGuardHome/key.pem
'';
services = { services = {
nginx = {
virtualHosts = {
${dns-domain} = {
forceSSL = true;
enableACME = true;
locations = {
"/" = { proxyPass = "https://127.0.0.1:3003/"; };
};
};
};
};
adguardhome = { adguardhome = {
enable = true; enable = true;
# mutableSettings = true; mutableSettings = true;
host = "127.0.0.1"; host = "127.0.0.1";
port = 3002; port = 3002;
settings = { settings = {
users = [{ users = [{
name = "alex"; name = "alex";
password = "$2a$10$g5byXeV9EsVAhUdmso5hv.MkeMi0XGKbEejzx0Y4xmucAg1BNGKoi"; password = "$2y$10$UhKvi4oztTfULWlIKnQhveORKXpIKCqpawJ/skSBAH96Njn4YDhTC";
}]; }];
dns = { dns = {
bind_hots = [ bind_hots = [
"127.0.0.1" "0.0.0.0"
]; ];
port = 54; port = 53;
upstream_dns = [ upstream_dns = [
# Example config with quad9 "https://dns.quad9.net/dns-query"
"9.9.9.9" "sdns://AgcAAAAAAAAADTk0LjE0MC4xNC4xNDAgmjo09yfeubylEAPZzpw5-PJ92cUkKQHCurGkTmNaAhkNOTQuMTQwLjE0LjE0MAovZG5zLXF1ZXJ5"
"149.112.112.112" "tls://one.one.one.one"
# Uncomment the following to use a local DNS service (e.g. Unbound) "tls://dns.google"
# Additionally replace the address & port as needed
# "127.0.0.1:5335"
]; ];
cache_size = 4194304;
cache_ttl_min = 2400;
cache_ttl_max = 84600;
}; };
filtering = { filtering = {
protection_enabled = true; protection_enabled = true;
@ -38,16 +62,16 @@
enabled = true; enabled = true;
}; };
tls = { tls = {
server_name = "dns.v220240679185274666.nicesrv.de"; server_name = dns-domain;
enabled = true; enabled = true;
allow_unencrypted_doh = true; allow_unencrypted_doh = false;
port_dns_over_tls = 853; port_dns_over_tls = 853;
port_dns_over_quic = 0; port_dns_over_quic = 0;
port_https = 3003; port_https = 3003;
certificate_chain = ""; certificate_chain = "";
private_key = ""; private_key = "";
certificate_path = "/var/lib/chain.pem"; certificate_path = "/var/lib/AdGuardHome/chain.pem";
private_key_path = "/var/lib/key.pem"; private_key_path = "/var/lib/AdGuardHome/key.pem";
}; };
# The following notation uses map # The following notation uses map
# to not have to manually create {enabled = true; url = "";} for every filter # to not have to manually create {enabled = true; url = "";} for every filter

53
services/frigate.nix
View File

@ -1,13 +1,24 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
unstable = import <nixos-unstable> { config.allowUnfree = true; }; unstable = import <nixos-unstable> { config.allowUnfree = true; };
secrets = import ../configs/secrets.nix;
in in
{ {
services = { services = {
nginx = {
virtualHosts = {
"frigate.szczepan.ski" = {
forceSSL = true;
enableACME = true;
basicAuth = { alex = secrets.frigate-password; };
};
};
};
frigate = { frigate = {
enable = true; enable = true;
package = unstable.pkgs.frigate; package = unstable.pkgs.frigate;
hostname = "100.64.0.7"; hostname = "frigate.szczepan.ski";
settings = { settings = {
logger = { logger = {
@ -24,12 +35,32 @@ in
num_threads = 4; num_threads = 4;
}; };
# ffmpeg.hwaccel_args = "preset-vaapi";
cameras = { cameras = {
home = { # home = {
# ffmpeg.inputs = [{
# path = "rtsp://admin:REMOVED@192.168.178.34:554/H.264";
# # input_args = "preset-rtsp-restream";
# # roles = [ "record" "detect" ];
# roles = [ "record" ];
# }];
# record = {
# enabled = true;
# retain = {
# days = 7;
# mode = "all";
# };
# # events = {
# # retain = {
# # default = 14;
# # };
# # };
# };
# };
garage = {
ffmpeg.inputs = [{ ffmpeg.inputs = [{
path = "rtsp://admin:REMOVED@192.168.178.34:554/H.264"; path = "rtsp://admin:REMOVED@192.168.178.42:554/H.264";
# input_args = "preset-rtsp-restream"; # input_args = "preset-rtsp-restream";
# roles = [ "record" "detect" ]; # roles = [ "record" "detect" ];
roles = [ "record" ]; roles = [ "record" ];
@ -41,16 +72,16 @@ in
days = 7; days = 7;
mode = "all"; mode = "all";
}; };
# events = { events = {
# retain = { retain = {
# default = 14; default = 14;
# }; };
# }; };
};
}; };
}; };
}; };
}; };
}; };
};
} }

14
services/headscale.nix
View File

@ -5,7 +5,6 @@
services = { services = {
nginx = { nginx = {
virtualHosts = { virtualHosts = {
# ${config.services.headscale.settings.dns_config.domains} = {
"headscale.szczepan.ski" = { "headscale.szczepan.ski" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
@ -29,14 +28,21 @@
server_url = "https://headscale.szczepan.ski"; server_url = "https://headscale.szczepan.ski";
ip_prefixes = [ ip_prefixes = [
"100.64.0.0/10" "100.64.0.0/10"
"fd7a:115c:a1e0::/48"
]; ];
# later
# prefixes = {
# v4 = "100.64.0.0/10";
# v6 = "fd7a:115c:a1e0::/48";
# };
dns_config = { dns_config = {
override_local_dns = true;
base_domain = "szczepan.ski"; base_domain = "szczepan.ski";
magic_dns = true; magic_dns = true;
domains = [ "headscale.szczepan.ski" ]; domains = [ "main.szczepan.ski" ];
nameservers = [ nameservers = [
"1.1.1.1" "100.64.0.2"
"9.9.9.9" "127.0.0.1"
]; ];
}; };
}; };