BeiNacht/nixos-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

some changes

Browse Source
This commit is contained in:
Alexander Szczepanski
2022-08-11 19:18:41 +02:00
parent e5afe66c08
commit 6d9f59e21b
8 changed files with 241 additions and 101 deletions
Download Patch File Download Diff File Expand all files Collapse all files

241
machine/vps.nix
View File

@ -20,6 +20,11 @@ in
networking.hostName = "vps"; # Define your hostname.
fileSystems."/export/docker" = {
device = "/home/alex/docker";
options = [ "bind" ];
};
# Set your time zone.
time.timeZone = "Europe/Berlin";
networking = {
@ -50,15 +55,21 @@ in
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
'';
privateKey = secrets.wireguard-vps-private;
peers = [{
publicKey = secrets.wireguard-desktop-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.2/32" ];
}
peers = [
{
publicKey = secrets.wireguard-desktop-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.2/32" ];
}
{
publicKey = secrets.wireguard-mini-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.3/32" ];
}
{
publicKey = secrets.wireguard-mbp-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.4/32" ];
}];
};
};
@ -69,11 +80,12 @@ in
internalInterfaces = [ "wg0" ];
};
firewall = {
allowPing = true;
allowedTCPPorts = [ 80 443 22000 ];
allowedUDPPorts = [ 80 443 51820 ];
interfaces.wg0 = {
allowedTCPPorts = [ 61208 19999 ];
};
allowedTCPPorts = [ 61208 19999 2049 ];
};
# extraCommands = ''
# iptables -A nixos-fw -p tcp --source 10.100.0.0/24 --dport 19999:19999 -j nixos-fw-accept
# '';
@ -81,11 +93,214 @@ in
};
programs.mtr.enable = true;
programs.fuse.userAllowOther = true;
security.acme.email = "webmaster@szczepan.ski";
security.acme.defaults.email = "webmaster@szczepan.ski";
security.acme.acceptTerms = true;
services = {
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
clientMaxBodySize = "0";
virtualHosts = {
"szczepan.ski" = {
forceSSL = true;
enableACME = true;
#root = "/var/www/myhost.org";
};
"nextcloud.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8080/";
extraConfig = ''
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
'';
};
"/.well-known/carddav" = {
return = "301 $scheme://$host/remote.php/dav";
};
"/.well-known/caldav" = {
return = "301 $scheme://$host/remote.php/dav";
};
};
};
"firefly.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8081/";
};
};
};
"etesync.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8082/";
};
};
};
"portainer.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8083/";
};
};
};
"mail.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8084/";
};
};
};
"git.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:49154/";
};
};
};
"jellyfin.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8085/";
};
};
};
"etesync-web.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8086/";
};
};
};
"etesync-notes.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8087/";
};
};
};
"file-manager.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8088/";
};
};
};
"webdav.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8090/";
};
};
};
"pihole.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8091/";
};
};
};
"torrents.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:9091/";
};
};
};
"syncthing.szczepan.ski" = {
forceSSL = true;
enableACME = true;
basicAuth = {
alex = secrets.nginx-syncthing-password;
};
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8384/";
};
};
};
};
};
webdav = {
enable = true;
user = "alex";
group = "users";
settings = {
address = "127.0.0.1";
port = 8090;
scope = "/home/alex/docker/transmission-wireguard/downloads";
modify = true;
auth = true;
users = [
{
username = "alex";
password = secrets.webdav-password;
}
];
};
};
samba = {
enable = false;
openFirewall = true;
# This adds to the [global] section:
extraConfig = ''
browseable = yes
smb encrypt = required
'';
shares = {
homes = {
browseable = "no"; # note: each home will be browseable; the "homes" share will not.
"read only" = "no";
"guest ok" = "no";
};
};
};
nfs.server = {
enable = false;
exports = ''
/export 10.100.0.0/24(rw,fsid=0,no_subtree_check)
/export/docker 10.100.0.0/24(rw,nohide,insecure,no_subtree_check)
'';
};
fail2ban = {
enable = true;
@ -102,12 +317,14 @@ in
enabled = true
'';
};
netdata.enable = true;
syncthing = {
user = "alex";
group = "users";
enable = true;
dataDir = "/home/alex";
dataDir = "/home/alex/syncthing";
configDir = "/home/alex/.config/syncthing";
};
@ -115,12 +332,12 @@ in
compression = "auto,zstd";
encryption = {
mode = "repokey-blake2" ;
passphrase = secrets-desktop.borg-key;
passphrase = secrets.borg-key;
};
extraCreateArgs = "--list --stats --verbose --checkpoint-interval 600 --exclude-caches";
environment.BORG_RSH = "ssh -i /home/alex/.ssh/id_borg_rsa";
paths = "/home/alex";
repo = "ssh://u278697-sub3@u278697.your-storagebox.de:23/./borg";
repo = secrets.borg-repo;
startAt = "daily";
# user = "alex";
prune.keep = {
@ -136,5 +353,5 @@ in
# Limit stack size to reduce memory usage
systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024;
system.stateVersion = "21.05";
system.stateVersion = "22.05";
}