From 6d9f59e21b6897201e4c51fef3a100ecc81a9fdc Mon Sep 17 00:00:00 2001 From: Alexander Szczepanski Date: Thu, 11 Aug 2022 19:18:41 +0200 Subject: [PATCH] some changes --- {configs => backup}/bspwm.nix | 0 {configs => backup}/gui.nix | 0 configs/borg-exclude.nix | 1 + configs/common.nix | 6 +- configs/user.nix | 8 +- machine/raspberrypi4.nix | 57 -------- machine/vps.nix | 241 ++++++++++++++++++++++++++++++++-- packages/idasen.nix | 29 ---- 8 files changed, 241 insertions(+), 101 deletions(-) rename {configs => backup}/bspwm.nix (100%) rename {configs => backup}/gui.nix (100%) delete mode 100644 machine/raspberrypi4.nix delete mode 100644 packages/idasen.nix diff --git a/configs/bspwm.nix b/backup/bspwm.nix similarity index 100% rename from configs/bspwm.nix rename to backup/bspwm.nix diff --git a/configs/gui.nix b/backup/gui.nix similarity index 100% rename from configs/gui.nix rename to backup/gui.nix diff --git a/configs/borg-exclude.nix b/configs/borg-exclude.nix index 9c5a1a7..c52a316 100644 --- a/configs/borg-exclude.nix +++ b/configs/borg-exclude.nix @@ -10,5 +10,6 @@ "Games/guild-wars-second/drive_c/Program Files/Guild Wars/Gw.dat" "Games/guild-wars/drive_c/Program Files/Guild Wars/Gw.dat" "shared" + "docker/jellyfin/data" ]; } diff --git a/configs/common.nix b/configs/common.nix index 4dbcfd6..9a86ea8 100644 --- a/configs/common.nix +++ b/configs/common.nix @@ -68,19 +68,21 @@ in lm_sensors lsd lsof - manpages + man-pages + mlocate + nethogs nix-du nix-tree nmap nodejs parallel pciutils + # plocate ruby unixtools.xxd unzip usbutils wget - nethogs ]; documentation.enable = false; diff --git a/configs/user.nix b/configs/user.nix index 6eb8d2f..4198fb1 100644 --- a/configs/user.nix +++ b/configs/user.nix 
@@ -25,7 +25,12 @@ in environment.pathsToLink = [ "/share/zsh" ]; home-manager.users.alex = { pkgs, ... }: { + imports = [ + "${fetchTarball "https://github.com/msteen/nixos-vscode-server/tarball/master"}/modules/vscode-server/home.nix" + ]; + home = { + stateVersion = "22.05"; packages = with unstable.pkgs; [ exa broot @@ -212,9 +217,10 @@ in # }; }; + services.vscode-server.enable = true; + # manuals not needed manual.html.enable = false; manual.json.enable = false; - manual.manpages.enable = false; }; } diff --git a/machine/raspberrypi4.nix b/machine/raspberrypi4.nix deleted file mode 100644 index 876bf26..0000000 --- a/machine/raspberrypi4.nix +++ /dev/null 
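Review bot: The new `imports` entry fetches `nixos-vscode-server` from the moving `master` tarball with no `sha256`, so each rebuild pulls whatever that branch currently holds and nothing verifies the content; an upstream change or account compromise would land in this home configuration unnoticed. Pin it to a commit and fix the hash, e.g. `"${fetchTarball { url = "https://github.com/msteen/nixos-vscode-server/tarball/<PINNED_REV>"; sha256 = "<SHA256_PLACEHOLDER>"; }}/modules/vscode-server/home.nix"`, and bump the rev deliberately when updating. The `home-manager.users.alex` attribute set this sits in continues past the hunk.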
@@ -1,57 +0,0 @@ -{ config, pkgs, lib, ... }: -{ - imports = - [ - # - /etc/nixos/hardware-configuration.nix - #../configs/docker.nix - ../configs/common.nix - ../configs/user.nix - ]; - - # Boot - boot.loader.grub.enable = false; - boot.loader.raspberryPi.enable = true; - boot.loader.raspberryPi.version = 4; - - # Kernel configuration - boot.kernelPackages = pkgs.linuxPackages_rpi4; - boot.kernelParams = [ "cma=64M" "console=tty0" ]; - - # Enable additional firmware (such as Wi-Fi drivers). - hardware.enableRedistributableFirmware = true; - - # # Filesystems - # fileSystems = { - # # There is no U-Boot on the Pi 4 (yet) -- the firmware partition has to be mounted as /boot. - # "/boot" = { - # device = "/dev/disk/by-label/FIRMWARE"; - # fsType = "vfat"; - # }; - # "/" = { - # device = "/dev/disk/by-label/NIXOS_SD"; - # fsType = "ext4"; - # }; - # }; - - swapDevices = [{ device = "/swapfile"; size = 1024; }]; - - networking.hostName = "raspberrypi4"; - - # Packages - environment.systemPackages = with pkgs; [ - nano - git - htop - ]; - - # Miscellaneous - time.timeZone = "Europe/Berlin"; # you probably want to change this -- otherwise, ciao! - - # WARNING: if you remove this, then you need to assign a password to your user, otherwise - # `sudo` won't work. You can do that either by using `passwd` after the first rebuild or - # by setting an hashed password in the `users.users.yourName` block as `initialHashedPassword`. - security.sudo.wheelNeedsPassword = false; - - system.stateVersion = "21.05"; -} diff --git a/machine/vps.nix b/machine/vps.nix index 273e357..5add2e1 100644 --- a/machine/vps.nix +++ b/machine/vps.nix @@ -20,6 +20,11 @@ in networking.hostName = "vps"; # Define your hostname. + fileSystems."/export/docker" = { + device = "/home/alex/docker"; + options = [ "bind" ]; + }; + # Set your time zone. time.timeZone = "Europe/Berlin"; networking = { 
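Review bot: The bind mount of `/home/alex/docker` onto `/export/docker` carries no `nofail`, so if the source directory is absent (fresh install, home not yet restored from the borg backup) the generated mount unit fails and, as a mount required by local-fs.target, it drops the host into emergency mode at boot. Since the export only matters once the NFS server is enabled, `options = [ "bind" "nofail" ];` keeps boot resilient without changing the exported view. A short comment naming the consumer, e.g. `# bind mount so the docker tree can be exported via NFS over wg0`, would explain why a bind mount exists at all.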
@@ -50,15 +55,21 @@ in ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE ''; privateKey = secrets.wireguard-vps-private; - peers = [{ - publicKey = secrets.wireguard-desktop-public; - presharedKey = secrets.wireguard-preshared; - allowedIPs = [ "10.100.0.2/32" ]; - } + peers = [ + { + publicKey = secrets.wireguard-desktop-public; + presharedKey = secrets.wireguard-preshared; + allowedIPs = [ "10.100.0.2/32" ]; + } { publicKey = secrets.wireguard-mini-public; presharedKey = secrets.wireguard-preshared; allowedIPs = [ "10.100.0.3/32" ]; + } + { + publicKey = secrets.wireguard-mbp-public; + presharedKey = secrets.wireguard-preshared; + allowedIPs = [ "10.100.0.4/32" ]; }]; }; }; @@ -69,11 +80,12 @@ in internalInterfaces = [ "wg0" ]; }; firewall = { + allowPing = true; allowedTCPPorts = [ 80 443 22000 ]; allowedUDPPorts = [ 80 443 51820 ]; interfaces.wg0 = { - allowedTCPPorts = [ 61208 19999 ]; - }; + allowedTCPPorts = [ 61208 19999 2049 ]; + }; # extraCommands = '' # iptables -A nixos-fw -p tcp --source 10.100.0.0/24 --dport 19999:19999 -j nixos-fw-accept # ''; 
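Review bot: The new `mbp` peer reuses `secrets.wireguard-preshared`, the same value the desktop and mini peers already use; a WireGuard preshared key is meant to be unique per peer pair, so one shared PSK adds no separation between clients and a leak from any one of the laptops weakens the extra symmetric layer for all three. Give the new peer its own secret, e.g. `presharedKey = secrets.wireguard-mbp-preshared;` (a new attribute to be added to the secrets file), and consider doing the same for the existing peers in a follow-up. The `allowedIPs` of `10.100.0.4/32` does not overlap the other peers, which is correct. The enclosing `wg0` interface block starts before the hunk.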
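Review bot: `interfaces.wg0.allowedTCPPorts` now opens 2049 on the tunnel although `services.nfs.server.enable` is set to `false` later in this same commit, so the allow rule is live while nothing listens; opening the port in the change that actually enables the server keeps firewall state matched to the service. `allowPing = true;` is the NixOS default and can be dropped unless it is meant to document intent, in which case a comment such as `# explicit: keep ICMP echo reachable from the tunnel for monitoring` would say why. The commented-out `extraCommands` block in the context below is a leftover worth deleting. The `firewall` attribute set starts before the hunk.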
@@ -81,11 +93,214 @@ in }; programs.mtr.enable = true; + programs.fuse.userAllowOther = true; - security.acme.email = "webmaster@szczepan.ski"; + security.acme.defaults.email = "webmaster@szczepan.ski"; security.acme.acceptTerms = true; services = { + nginx = { + enable = true; + + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + clientMaxBodySize = "0"; + + virtualHosts = { + "szczepan.ski" = { + forceSSL = true; + enableACME = true; + #root = "/var/www/myhost.org"; + }; + "nextcloud.szczepan.ski" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:8080/"; + extraConfig = '' + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; + ''; + }; + "/.well-known/carddav" = { + return = "301 $scheme://$host/remote.php/dav"; + }; + "/.well-known/caldav" = { + return = "301 $scheme://$host/remote.php/dav"; + }; + }; + }; + "firefly.szczepan.ski" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:8081/"; + }; + }; + }; + "etesync.szczepan.ski" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:8082/"; + }; + }; + }; + "portainer.szczepan.ski" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:8083/"; + }; + }; + }; + "mail.szczepan.ski" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:8084/"; + }; + }; + }; + "git.szczepan.ski" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:49154/"; + }; + }; + }; + "jellyfin.szczepan.ski" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:8085/"; + }; + }; + }; + "etesync-web.szczepan.ski" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { + 
proxyPass = "http://127.0.0.1:8086/"; + }; + }; + }; + "etesync-notes.szczepan.ski" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:8087/"; + }; + }; + }; + "file-manager.szczepan.ski" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:8088/"; + }; + }; + }; + "webdav.szczepan.ski" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:8090/"; + }; + }; + }; + "pihole.szczepan.ski" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:8091/"; + }; + }; + }; + "torrents.szczepan.ski" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:9091/"; + }; + }; + }; + "syncthing.szczepan.ski" = { + forceSSL = true; + enableACME = true; + basicAuth = { + alex = secrets.nginx-syncthing-password; + }; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:8384/"; + }; + }; + }; + }; + }; + + webdav = { + enable = true; + user = "alex"; + group = "users"; + settings = { + address = "127.0.0.1"; + port = 8090; + scope = "/home/alex/docker/transmission-wireguard/downloads"; + modify = true; + auth = true; + users = [ + { + username = "alex"; + password = secrets.webdav-password; + } + ]; + }; + }; + + samba = { + enable = false; + openFirewall = true; + + # This adds to the [global] section: + extraConfig = '' + browseable = yes + smb encrypt = required + ''; + + shares = { + homes = { + browseable = "no"; # note: each home will be browseable; the "homes" share will not. + "read only" = "no"; + "guest ok" = "no"; + }; + }; + }; + + nfs.server = { + enable = false; + exports = '' + /export 10.100.0.0/24(rw,fsid=0,no_subtree_check) + /export/docker 10.100.0.0/24(rw,nohide,insecure,no_subtree_check) + ''; + }; + fail2ban = { enable = true; 
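Review bot: `basicAuth = { alex = secrets.nginx-syncthing-password; };` on the syncthing vhost puts the password into the generated nginx configuration, which the NixOS option documentation warns is stored in plain text in the world-readable Nix store; use `basicAuthFile = "<PATH_TO_HTPASSWD_OUTSIDE_STORE>";` with a root-owned htpasswd file instead. The same concern applies to `services.webdav.settings.users[].password` if the module renders `settings` into a store path, which its default `configFile` appears to do. `clientMaxBodySize = "0"` removes the request-body limit for every vhost, not only Nextcloud; setting `client_max_body_size 0;` in the Nextcloud vhost's `extraConfig` instead keeps the other proxied services bounded. The NFS export grants `rw` with `insecure` to the whole `10.100.0.0/24` subnet, so every wireguard peer, including the newly added laptop, gets write access to the docker tree the moment `nfs.server.enable` flips to true. The `services` attribute set and the `fail2ban` block at the end continue past the hunk.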
@@ -102,12 +317,14 @@ in enabled = true ''; }; + netdata.enable = true; + syncthing = { user = "alex"; group = "users"; enable = true; - dataDir = "/home/alex"; + dataDir = "/home/alex/syncthing"; configDir = "/home/alex/.config/syncthing"; }; @@ -115,12 +332,12 @@ in compression = "auto,zstd"; encryption = { mode = "repokey-blake2" ; - passphrase = secrets-desktop.borg-key; + passphrase = secrets.borg-key; }; extraCreateArgs = "--list --stats --verbose --checkpoint-interval 600 --exclude-caches"; environment.BORG_RSH = "ssh -i /home/alex/.ssh/id_borg_rsa"; paths = "/home/alex"; - repo = "ssh://u278697-sub3@u278697.your-storagebox.de:23/./borg"; + repo = secrets.borg-repo; startAt = "daily"; # user = "alex"; prune.keep = { @@ -136,5 +353,5 @@ in # Limit stack size to reduce memory usage systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024; - system.stateVersion = "21.05"; + system.stateVersion = "22.05"; } diff --git a/packages/idasen.nix b/packages/idasen.nix deleted file mode 100644 index d678f4f..0000000 --- a/packages/idasen.nix +++ /dev/null @@ -1,29 +0,0 @@ -with import { }; - -( - let - idasen = pkgs.python3Packages.buildPythonPackage rec { - name = "idasen"; - version = "v0.7.1"; - - src = pkgs.fetchFromGitHub { - owner = "newAM"; - repo = "${name}"; - rev = "${version}"; - #sha256 = "1ibrwal80z27c2mh9hx85idmzilx6cpcmgc15z3lyz57bz0krigb"; - }; - - meta = { - homepage = "https://github.com/newAM/idasen"; - description = "This is a command line interface written in python to control the Idasen via bluetooth from a desktop computer."; - license = stdenv.lib.licenses.gpl3Plus; - maintainers = with maintainers; [ newAM ]; - }; - }; - - in - pkgs.python3.buildEnv.override rec { - extraLibs = with pkgs.python3Packages; [ numpy toolz vpn-slice ]; - propagatedBuildInputs = with pkgs.python3Packages; [ setproctitle ]; - } -).env
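Review bot: The `repo` value removed here, `ssh://u278697-sub3@u278697.your-storagebox.de:23/./borg`, remains in git history even though the new side reads `secrets.borg-repo`, so moving it does not unpublish the storage-box sub-account name; if this repository is public, rotating the sub-account or at least the key referenced by the unchanged `BORG_RSH` line (`/home/alex/.ssh/id_borg_rsa`) is the only effective remedy. Switching `passphrase` from `secrets-desktop.borg-key` to `secrets.borg-key` only works if both attributes hold the same value, since the existing `repokey-blake2` repository is encrypted under the old passphrase; a `borg list` against the repo after deploy would confirm it still opens. What looks like a `services.borgbackup.jobs.<name>` attribute set starts before the hunk.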
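Review bot: `system.stateVersion` is bumped from `"21.05"` to `"22.05"` on an existing host; NixOS documents this value as the release the system was first installed with, and changing it can silently alter defaults of stateful services (data directories, database versions) rather than upgrade them. If the vps was installed at 21.05, keep `system.stateVersion = "21.05";` here; the freshly introduced `home.stateVersion = "22.05"` in user.nix is the only one that legitimately starts at 22.05. If the machine was genuinely reinstalled, a one-line comment saying so next to the value would stop the next reader from reverting it.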