diff --git a/configs/user.nix b/configs/user.nix index ab08c30..4a0cf07 100644 --- a/configs/user.nix +++ b/configs/user.nix @@ -1,8 +1,6 @@ { config, pkgs, lib, ... }: -let - unstable = import { config.allowUnfree = true; }; -in -{ +let unstable = import { config.allowUnfree = true; }; +in { imports = [ ]; # Define a user account. Don't forget to set a password with ‘passwd’. @@ -11,7 +9,16 @@ in users.alex = { isNormalUser = true; - extraGroups = [ "wheel" "docker" "networkmanager" "libvirtd" "kvm" "lp" "scanner" "adbusers" ]; + extraGroups = [ + "wheel" + "docker" + "networkmanager" + "libvirtd" + "kvm" + "lp" + "scanner" + "adbusers" + ]; openssh.authorizedKeys.keys = [ "ssh-rsa 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 alexander@szczepan.ski" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDIsOYaj6+akcgTQPvm0/htYgO5z+PR1TJRxCnbRNI/ucqvcC6/eTzPU7tKG+UJtkfy30NSnwu/k9aENyb5zYLVoDHngOzH8DLl93B2nHgwUiLpv7kFXOhvD1jsA5RsryeumaL7YbtlePrso+FEJkUez8mncAjG4t9U/MifkTbujjS5AP35NONH01fQWKvivnqw4T0dq36e0J0YF/zcb1mQovt3dw7+NE0A6OwNGAElRNwVh619jL9g0TJBi3Ge8LASsHBildzTlNVHzIwdDzRdAvsoAXjYF42fjHSQXZJv5P5eJcT7JEt7x+yVWzTnk/K6/dtKi6kewbp/srUGSsVLP6x+o6QTQ5rYKoBRsM/3bfqG0PwijfDXEdn7bQn6+7PcnMhVi5wJppUeEOt0SbRBDSa3ewzTWjjESPW03b/oIlNrnDhk5UJmF5jlfxz9HHP73lqEpcNhEAiZMLbfvnwtufS/wYnZXz44i8rVEiNMfIOS2VIM74aNloPTvkq0Ek0GzTT6H4wQy7VbRgSOaW+XN5TSOEqtfZ0TpmYNrpskVx5yDrbOOArmULICGLlexed8fsFZX8P1ouTg96pM5Kr47HZsdEZzS8DKuDx8EP50ORYKbN6Kyb+f0FcMEfD1RQV+IECKnnFUyoozFjE0aV+ROjAKoDmyWdU2lpOPA8kRBw== alex@desktop" @@ -26,7 +33,10 @@ in home-manager.users.alex = { pkgs, ... }: { imports = [ - "${fetchTarball "https://github.com/msteen/nixos-vscode-server/tarball/master"}/modules/vscode-server/home.nix" + "${ + fetchTarball + "https://github.com/msteen/nixos-vscode-server/tarball/master" + }/modules/vscode-server/home.nix" ]; home = { 
@@ -46,20 +56,16 @@ in neofetch nixfmt pstree + qrencode ranger sshfs tealdeer unrar yt-dlp ]; - sessionPath = [ - "$HOME/.npm-packages" - "$HOME/.bin" - ]; + sessionPath = [ "$HOME/.npm-packages" "$HOME/.bin" ]; file = { - ".npmrc" = { - source = ../home/npmrc; - }; + ".npmrc" = { source = ../home/npmrc; }; ".bin/git-redate" = { executable = true; source = ../home/bin/git-redate; @@ -80,18 +86,20 @@ in matchBlocks."old-vps" = { hostname = "2.56.97.114"; - localForwards = [{ - bind.address = "127.0.0.1"; - bind.port = 8386; - host.address = "127.0.0.1"; - host.port = 8384; - } + localForwards = [ + { + bind.address = "127.0.0.1"; + bind.port = 8386; + host.address = "127.0.0.1"; + host.port = 8384; + } { bind.address = "127.0.0.1"; bind.port = 9092; host.address = "127.0.0.1"; host.port = 9091; - }]; + } + ]; }; matchBlocks."szczepan.ski" = { @@ -120,13 +128,9 @@ in }]; }; - matchBlocks."mini" = { - hostname = "192.168.0.101"; - }; + matchBlocks."mini" = { hostname = "192.168.0.101"; }; - matchBlocks."pi" = { - hostname = "192.168.1.143"; - }; + matchBlocks."pi" = { hostname = "192.168.1.143"; }; matchBlocks."router" = { hostname = "192.168.1.1"; @@ -169,15 +173,8 @@ in enableSyntaxHighlighting = true; oh-my-zsh = { enable = true; - plugins = [ - "cp" - "common-aliases" - "docker" - "systemd" - "wd" - "kubectl" - "git" - ]; + plugins = + [ "cp" "common-aliases" "docker" "systemd" "wd" "kubectl" "git" ]; }; plugins = [ { 
@@ -192,15 +189,18 @@ in } ]; shellAliases = { - active-services = "systemctl --no-page --no-legend --plain -t service --state=running"; + active-services = + "systemctl --no-page --no-legend --plain -t service --state=running"; autofanspeed = "echo level auto | sudo tee /proc/acpi/ibm/fan"; maxfanspeed = "echo level full-speed | sudo tee /proc/acpi/ibm/fan"; db = "sudo updatedb"; "-g C" = "| wc -l"; "-g G" = "| grep --ignore-case"; bat = "upower -i /org/freedesktop/UPower/devices/battery_BAT0"; - brightness-max = "echo 4794 | sudo tee /sys/class/backlight/intel_backlight/brightness"; - brightness-power-save = "echo 2300 | sudo tee /sys/class/backlight/intel_backlight/brightness"; + brightness-max = + "echo 4794 | sudo tee /sys/class/backlight/intel_backlight/brightness"; + brightness-power-save = + "echo 2300 | sudo tee /sys/class/backlight/intel_backlight/brightness"; ff = "find . -type f -iname"; l = "exa --group-directories-first -l -g"; ll = "exa --group-directories-first -l -g"; @@ -208,9 +208,7 @@ in }; }; - tmux = { - enable = true; - }; + tmux = { enable = true; }; # exa = { # enable = true; diff --git a/machine/vps.nix b/machine/vps.nix index 5add2e1..a48194a 100644 --- a/machine/vps.nix +++ b/machine/vps.nix @@ -3,15 +3,13 @@ let secrets-desktop = import ../configs/secrets-desktop.nix; secrets = import ../configs/secrets.nix; be = import ../configs/borg-exclude.nix; -in -{ - imports = - [ - /etc/nixos/hardware-configuration.nix - ../configs/common.nix - ../configs/docker.nix - ../configs/user.nix - ]; +in { + imports = [ + /etc/nixos/hardware-configuration.nix + ../configs/common.nix + ../configs/docker.nix + ../configs/user.nix + ]; # Use the GRUB 2 boot loader. boot.loader.grub.enable = true; 
@@ -29,20 +27,20 @@ in time.timeZone = "Europe/Berlin"; networking = { useDHCP = false; -# defaultGateway = { -# "address" = "gw.contabo.net"; -# "interface" = "ens18"; -# }; + # defaultGateway = { + # "address" = "gw.contabo.net"; + # "interface" = "ens18"; + # }; interfaces.ens18 = { useDHCP = true; -# ipv4.addresses = [ { -# address = "207.180.220.97"; -# prefixLength = 24; -# } ]; - ipv6.addresses = [ { + # ipv4.addresses = [ { + # address = "207.180.220.97"; + # prefixLength = 24; + # } ]; + ipv6.addresses = [{ address = "2a02:c207:3008:1547::1"; prefixLength = 64; - } ]; + }]; }; wireguard.interfaces = { wg0 = { @@ -70,7 +68,13 @@ in publicKey = secrets.wireguard-mbp-public; presharedKey = secrets.wireguard-preshared; allowedIPs = [ "10.100.0.4/32" ]; - }]; + } + { + publicKey = secrets.wireguard-phone1-public; + presharedKey = secrets.wireguard-preshared; + allowedIPs = [ "10.100.0.5/32" ]; + } + ]; }; }; @@ -83,9 +87,7 @@ in allowPing = true; allowedTCPPorts = [ 80 443 22000 ]; allowedUDPPorts = [ 80 443 51820 ]; - interfaces.wg0 = { - allowedTCPPorts = [ 61208 19999 2049 ]; - }; + interfaces.wg0 = { allowedTCPPorts = [ 61208 19999 2049 ]; }; # extraCommands = '' # iptables -A nixos-fw -p tcp --source 10.100.0.0/24 --dport 19999:19999 -j nixos-fw-accept # ''; 
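Review bot: The new peer block for `secrets.wireguard-phone1-public` reuses `secrets.wireguard-preshared`, the same value the mbp peer just above it already uses, so the preshared key is shared across peers rather than being unique per peer pair. A WireGuard PSK only adds defence-in-depth when each peer holds its own; with one shared value, a single peer's configuration leaking exposes the PSK for every tunnel on this host. Consider a dedicated entry following the existing naming, e.g. `presharedKey = secrets.wireguard-phone1-preshared;` (a new secret generated with `wg genpsk`), and the same treatment for the existing peers. The `allowedIPs` value `10.100.0.5/32` follows the numbering of the peers above, which looks consistent. The enclosing `peers` list starts outside the hunk.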
@@ -135,123 +137,88 @@ in "firefly.szczepan.ski" = { forceSSL = true; enableACME = true; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:8081/"; - }; - }; + locations = { "/" = { proxyPass = "http://127.0.0.1:8081/"; }; }; }; "etesync.szczepan.ski" = { forceSSL = true; enableACME = true; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:8082/"; - }; - }; + locations = { "/" = { proxyPass = "http://127.0.0.1:8082/"; }; }; }; "portainer.szczepan.ski" = { forceSSL = true; enableACME = true; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:8083/"; - }; - }; + locations = { "/" = { proxyPass = "http://127.0.0.1:8083/"; }; }; }; "mail.szczepan.ski" = { forceSSL = true; enableACME = true; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:8084/"; - }; - }; + locations = { "/" = { proxyPass = "http://127.0.0.1:8084/"; }; }; }; "git.szczepan.ski" = { forceSSL = true; enableACME = true; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:49154/"; - }; - }; + locations = { "/" = { proxyPass = "http://127.0.0.1:49154/"; }; }; }; "jellyfin.szczepan.ski" = { forceSSL = true; enableACME = true; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:8085/"; - }; - }; + locations = { "/" = { proxyPass = "http://127.0.0.1:8085/"; }; }; }; "etesync-web.szczepan.ski" = { forceSSL = true; enableACME = true; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:8086/"; - }; - }; + locations = { "/" = { proxyPass = "http://127.0.0.1:8086/"; }; }; }; "etesync-notes.szczepan.ski" = { forceSSL = true; enableACME = true; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:8087/"; - }; - }; + locations = { "/" = { proxyPass = "http://127.0.0.1:8087/"; }; }; }; "file-manager.szczepan.ski" = { forceSSL = true; enableACME = true; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:8088/"; - }; - }; + locations = { "/" = { proxyPass = "http://127.0.0.1:8088/"; }; }; }; "webdav.szczepan.ski" = { forceSSL = true; enableACME = true; - 
locations = { - "/" = { - proxyPass = "http://127.0.0.1:8090/"; - }; - }; + locations = { "/" = { proxyPass = "http://127.0.0.1:8090/"; }; }; }; "pihole.szczepan.ski" = { forceSSL = true; enableACME = true; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:8091/"; - }; - }; + locations = { "/" = { proxyPass = "http://127.0.0.1:8091/"; }; }; }; "torrents.szczepan.ski" = { forceSSL = true; enableACME = true; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:9091/"; - }; - }; + locations = { "/" = { proxyPass = "http://127.0.0.1:9091/"; }; }; }; "syncthing.szczepan.ski" = { forceSSL = true; enableACME = true; - basicAuth = { - alex = secrets.nginx-syncthing-password; - }; + basicAuth = { alex = secrets.nginx-syncthing-password; }; locations = { "/" = { - proxyPass = "http://127.0.0.1:8384/"; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_pass http://localhost:8384/; + + proxy_read_timeout 600s; + proxy_send_timeout 600s; + ''; }; }; }; + "homeassistant.szczepan.ski" = { + forceSSL = true; + enableACME = true; + locations = { "/" = { proxyPass = "http://10.0.0.3:8123/"; }; }; + }; }; }; @@ -265,12 +232,10 @@ in scope = "/home/alex/docker/transmission-wireguard/downloads"; modify = true; auth = true; - users = [ - { - username = "alex"; - password = secrets.webdav-password; - } - ]; + users = [{ + username = "alex"; + password = secrets.webdav-password; + }]; }; }; @@ -286,7 +251,8 @@ in shares = { homes = { - browseable = "no"; # note: each home will be browseable; the "homes" share will not. + browseable = + "no"; # note: each home will be browseable; the "homes" share will not. "read only" = "no"; "guest ok" = "no"; }; 
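Review bot: The new `homeassistant.szczepan.ski` virtual host sets only `proxyPass`, but Home Assistant's frontend also opens a WebSocket on `/api/websocket`, which nginx will not upgrade without the `Upgrade`/`Connection` headers, so the location should read `locations."/" = { proxyPass = "http://10.0.0.3:8123/"; proxyWebsockets = true; };`. Home Assistant additionally has to list this proxy under `http.trusted_proxies` (with `use_x_forwarded_for`) before it accepts forwarded requests — that side is not visible here, please confirm. In the `syncthing.szczepan.ski` block the hand-written `extraConfig` replaces the `proxyPass` option, so any module-level `recommendedProxySettings` no longer applies to that location, and `proxy_set_header Host $host;` forwards the public hostname; if the Syncthing GUI is bound to loopback with its default host check enabled it will reject that Host value, in which case `proxy_set_header Host localhost;` is the usual fix. The enclosing `virtualHosts` attribute set starts before this hunk.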
@@ -304,18 +270,16 @@ in fail2ban = { enable = true; - jails.DEFAULT = - '' - bantime = 7d - ''; + jails.DEFAULT = '' + bantime = 7d + ''; - jails.sshd = - '' - filter = sshd - maxretry = 4 - action = iptables[name=ssh, port=ssh, protocol=tcp] - enabled = true - ''; + jails.sshd = '' + filter = sshd + maxretry = 4 + action = iptables[name=ssh, port=ssh, protocol=tcp] + enabled = true + ''; }; netdata.enable = true; @@ -331,10 +295,11 @@ in borgbackup.jobs.home = rec { compression = "auto,zstd"; encryption = { - mode = "repokey-blake2" ; + mode = "repokey-blake2"; passphrase = secrets.borg-key; }; - extraCreateArgs = "--list --stats --verbose --checkpoint-interval 600 --exclude-caches"; + extraCreateArgs = + "--list --stats --verbose --checkpoint-interval 600 --exclude-caches"; environment.BORG_RSH = "ssh -i /home/alex/.ssh/id_borg_rsa"; paths = "/home/alex"; repo = secrets.borg-repo;