BeiNacht/nixos-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

some changes

Browse Source
This commit is contained in:
Alexander Szczepanski
2022-08-11 19:18:41 +02:00
parent e5afe66c08
commit 6d9f59e21b
8 changed files with 241 additions and 101 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
configs/bspwm.nix → backup/bspwm.nix
View File

0
configs/gui.nix → backup/gui.nix
View File

1
configs/borg-exclude.nix
View File

@ -10,5 +10,6 @@
"Games/guild-wars-second/drive_c/Program Files/Guild Wars/Gw.dat"
"Games/guild-wars/drive_c/Program Files/Guild Wars/Gw.dat"
"shared"
"docker/jellyfin/data"
];
}

6
configs/common.nix
View File

@ -68,19 +68,21 @@ in
lm_sensors
lsd
lsof
manpages
man-pages
mlocate
nethogs
nix-du
nix-tree
nmap
nodejs
parallel
pciutils
# plocate
ruby
unixtools.xxd
unzip
usbutils
wget
nethogs
];
documentation.enable = false;

8
configs/user.nix
View File

@ -25,7 +25,12 @@ in
environment.pathsToLink = [ "/share/zsh" ];
home-manager.users.alex = { pkgs, ... }: {
imports = [
"${fetchTarball "https://github.com/msteen/nixos-vscode-server/tarball/master"}/modules/vscode-server/home.nix"
];
home = {
stateVersion = "22.05";
packages = with unstable.pkgs; [
exa
broot
@ -212,9 +217,10 @@ in
# };
};
services.vscode-server.enable = true;
# manuals not needed
manual.html.enable = false;
manual.json.enable = false;
manual.manpages.enable = false;
};
}

57
machine/raspberrypi4.nix
View File

@ -1,57 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports =
[
# <nixos-hardware/common/cpu/intel>
/etc/nixos/hardware-configuration.nix
#../configs/docker.nix
../configs/common.nix
../configs/user.nix
];
# Boot
boot.loader.grub.enable = false;
boot.loader.raspberryPi.enable = true;
boot.loader.raspberryPi.version = 4;
# Kernel configuration
boot.kernelPackages = pkgs.linuxPackages_rpi4;
boot.kernelParams = [ "cma=64M" "console=tty0" ];
# Enable additional firmware (such as Wi-Fi drivers).
hardware.enableRedistributableFirmware = true;
# # Filesystems
# fileSystems = {
# # There is no U-Boot on the Pi 4 (yet) -- the firmware partition has to be mounted as /boot.
# "/boot" = {
# device = "/dev/disk/by-label/FIRMWARE";
# fsType = "vfat";
# };
# "/" = {
# device = "/dev/disk/by-label/NIXOS_SD";
# fsType = "ext4";
# };
# };
swapDevices = [{ device = "/swapfile"; size = 1024; }];
networking.hostName = "raspberrypi4";
# Packages
environment.systemPackages = with pkgs; [
nano
git
htop
];
# Miscellaneous
time.timeZone = "Europe/Berlin"; # you probably want to change this -- otherwise, ciao!
# WARNING: if you remove this, then you need to assign a password to your user, otherwise
# `sudo` won't work. You can do that either by using `passwd` after the first rebuild or
# by setting an hashed password in the `users.users.yourName` block as `initialHashedPassword`.
security.sudo.wheelNeedsPassword = false;
system.stateVersion = "21.05";
}

241
machine/vps.nix
View File

@ -20,6 +20,11 @@ in
networking.hostName = "vps"; # Define your hostname.
fileSystems."/export/docker" = {
device = "/home/alex/docker";
options = [ "bind" ];
};
# Set your time zone.
time.timeZone = "Europe/Berlin";
networking = {
@ -50,15 +55,21 @@ in
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
'';
privateKey = secrets.wireguard-vps-private;
peers = [{
publicKey = secrets.wireguard-desktop-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.2/32" ];
}
peers = [
{
publicKey = secrets.wireguard-desktop-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.2/32" ];
}
{
publicKey = secrets.wireguard-mini-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.3/32" ];
}
{
publicKey = secrets.wireguard-mbp-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.4/32" ];
}];
};
};
@ -69,11 +80,12 @@ in
internalInterfaces = [ "wg0" ];
};
firewall = {
allowPing = true;
allowedTCPPorts = [ 80 443 22000 ];
allowedUDPPorts = [ 80 443 51820 ];
interfaces.wg0 = {
allowedTCPPorts = [ 61208 19999 ];
};
allowedTCPPorts = [ 61208 19999 2049 ];
};
# extraCommands = ''
# iptables -A nixos-fw -p tcp --source 10.100.0.0/24 --dport 19999:19999 -j nixos-fw-accept
# '';
@ -81,11 +93,214 @@ in
};
programs.mtr.enable = true;
programs.fuse.userAllowOther = true;
security.acme.email = "webmaster@szczepan.ski";
security.acme.defaults.email = "webmaster@szczepan.ski";
security.acme.acceptTerms = true;
services = {
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
clientMaxBodySize = "0";
virtualHosts = {
"szczepan.ski" = {
forceSSL = true;
enableACME = true;
#root = "/var/www/myhost.org";
};
"nextcloud.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8080/";
extraConfig = ''
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
'';
};
"/.well-known/carddav" = {
return = "301 $scheme://$host/remote.php/dav";
};
"/.well-known/caldav" = {
return = "301 $scheme://$host/remote.php/dav";
};
};
};
"firefly.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8081/";
};
};
};
"etesync.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8082/";
};
};
};
"portainer.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8083/";
};
};
};
"mail.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8084/";
};
};
};
"git.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:49154/";
};
};
};
"jellyfin.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8085/";
};
};
};
"etesync-web.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8086/";
};
};
};
"etesync-notes.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8087/";
};
};
};
"file-manager.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8088/";
};
};
};
"webdav.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8090/";
};
};
};
"pihole.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8091/";
};
};
};
"torrents.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:9091/";
};
};
};
"syncthing.szczepan.ski" = {
forceSSL = true;
enableACME = true;
basicAuth = {
alex = secrets.nginx-syncthing-password;
};
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8384/";
};
};
};
};
};
webdav = {
enable = true;
user = "alex";
group = "users";
settings = {
address = "127.0.0.1";
port = 8090;
scope = "/home/alex/docker/transmission-wireguard/downloads";
modify = true;
auth = true;
users = [
{
username = "alex";
password = secrets.webdav-password;
}
];
};
};
samba = {
enable = false;
openFirewall = true;
# This adds to the [global] section:
extraConfig = ''
browseable = yes
smb encrypt = required
'';
shares = {
homes = {
browseable = "no"; # note: each home will be browseable; the "homes" share will not.
"read only" = "no";
"guest ok" = "no";
};
};
};
nfs.server = {
enable = false;
exports = ''
/export 10.100.0.0/24(rw,fsid=0,no_subtree_check)
/export/docker 10.100.0.0/24(rw,nohide,insecure,no_subtree_check)
'';
};
fail2ban = {
enable = true;
@ -102,12 +317,14 @@ in
enabled = true
'';
};
netdata.enable = true;
syncthing = {
user = "alex";
group = "users";
enable = true;
dataDir = "/home/alex";
dataDir = "/home/alex/syncthing";
configDir = "/home/alex/.config/syncthing";
};
@ -115,12 +332,12 @@ in
compression = "auto,zstd";
encryption = {
mode = "repokey-blake2" ;
passphrase = secrets-desktop.borg-key;
passphrase = secrets.borg-key;
};
extraCreateArgs = "--list --stats --verbose --checkpoint-interval 600 --exclude-caches";
environment.BORG_RSH = "ssh -i /home/alex/.ssh/id_borg_rsa";
paths = "/home/alex";
repo = "ssh://u278697-sub3@u278697.your-storagebox.de:23/./borg";
repo = secrets.borg-repo;
startAt = "daily";
# user = "alex";
prune.keep = {
@ -136,5 +353,5 @@ in
# Limit stack size to reduce memory usage
systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024;
system.stateVersion = "21.05";
system.stateVersion = "22.05";
}

29
packages/idasen.nix
View File

@ -1,29 +0,0 @@
with import <nixpkgs> { };
(
let
idasen = pkgs.python3Packages.buildPythonPackage rec {
name = "idasen";
version = "v0.7.1";
src = pkgs.fetchFromGitHub {
owner = "newAM";
repo = "${name}";
rev = "${version}";
#sha256 = "1ibrwal80z27c2mh9hx85idmzilx6cpcmgc15z3lyz57bz0krigb";
};
meta = {
homepage = "https://github.com/newAM/idasen";
description = "This is a command line interface written in python to control the Idasen via bluetooth from a desktop computer.";
license = stdenv.lib.licenses.gpl3Plus;
maintainers = with maintainers; [ newAM ];
};
};
in
pkgs.python3.buildEnv.override rec {
extraLibs = with pkgs.python3Packages; [ numpy toolz vpn-slice ];
propagatedBuildInputs = with pkgs.python3Packages; [ setproctitle ];
}
).env