BeiNacht/nixos-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Mon Aug 15 12:11:21 PM CEST 2022

Browse Source
This commit is contained in:
Alexander Szczepanski
2022-08-15 12:11:21 +02:00
parent 6a5607ed9c
commit e2432a18de
2 changed files with 111 additions and 148 deletions
Download Patch File Download Diff File Expand all files Collapse all files

179
machine/vps.nix
View File

@ -3,15 +3,13 @@ let
secrets-desktop = import ../configs/secrets-desktop.nix;
secrets = import ../configs/secrets.nix;
be = import ../configs/borg-exclude.nix;
in
{
imports =
[
/etc/nixos/hardware-configuration.nix
../configs/common.nix
../configs/docker.nix
../configs/user.nix
];
in {
imports = [
/etc/nixos/hardware-configuration.nix
../configs/common.nix
../configs/docker.nix
../configs/user.nix
];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
@ -29,20 +27,20 @@ in
time.timeZone = "Europe/Berlin";
networking = {
useDHCP = false;
# defaultGateway = {
# "address" = "gw.contabo.net";
# "interface" = "ens18";
# };
# defaultGateway = {
# "address" = "gw.contabo.net";
# "interface" = "ens18";
# };
interfaces.ens18 = {
useDHCP = true;
# ipv4.addresses = [ {
# address = "207.180.220.97";
# prefixLength = 24;
# } ];
ipv6.addresses = [ {
# ipv4.addresses = [ {
# address = "207.180.220.97";
# prefixLength = 24;
# } ];
ipv6.addresses = [{
address = "2a02:c207:3008:1547::1";
prefixLength = 64;
} ];
}];
};
wireguard.interfaces = {
wg0 = {
@ -70,7 +68,13 @@ in
publicKey = secrets.wireguard-mbp-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.4/32" ];
}];
}
{
publicKey = secrets.wireguard-phone1-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.5/32" ];
}
];
};
};
@ -83,9 +87,7 @@ in
allowPing = true;
allowedTCPPorts = [ 80 443 22000 ];
allowedUDPPorts = [ 80 443 51820 ];
interfaces.wg0 = {
allowedTCPPorts = [ 61208 19999 2049 ];
};
interfaces.wg0 = { allowedTCPPorts = [ 61208 19999 2049 ]; };
# extraCommands = ''
# iptables -A nixos-fw -p tcp --source 10.100.0.0/24 --dport 19999:19999 -j nixos-fw-accept
# '';
@ -135,123 +137,88 @@ in
"firefly.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8081/";
};
};
locations = { "/" = { proxyPass = "http://127.0.0.1:8081/"; }; };
};
"etesync.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8082/";
};
};
locations = { "/" = { proxyPass = "http://127.0.0.1:8082/"; }; };
};
"portainer.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8083/";
};
};
locations = { "/" = { proxyPass = "http://127.0.0.1:8083/"; }; };
};
"mail.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8084/";
};
};
locations = { "/" = { proxyPass = "http://127.0.0.1:8084/"; }; };
};
"git.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:49154/";
};
};
locations = { "/" = { proxyPass = "http://127.0.0.1:49154/"; }; };
};
"jellyfin.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8085/";
};
};
locations = { "/" = { proxyPass = "http://127.0.0.1:8085/"; }; };
};
"etesync-web.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8086/";
};
};
locations = { "/" = { proxyPass = "http://127.0.0.1:8086/"; }; };
};
"etesync-notes.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8087/";
};
};
locations = { "/" = { proxyPass = "http://127.0.0.1:8087/"; }; };
};
"file-manager.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8088/";
};
};
locations = { "/" = { proxyPass = "http://127.0.0.1:8088/"; }; };
};
"webdav.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8090/";
};
};
locations = { "/" = { proxyPass = "http://127.0.0.1:8090/"; }; };
};
"pihole.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8091/";
};
};
locations = { "/" = { proxyPass = "http://127.0.0.1:8091/"; }; };
};
"torrents.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:9091/";
};
};
locations = { "/" = { proxyPass = "http://127.0.0.1:9091/"; }; };
};
"syncthing.szczepan.ski" = {
forceSSL = true;
enableACME = true;
basicAuth = {
alex = secrets.nginx-syncthing-password;
};
basicAuth = { alex = secrets.nginx-syncthing-password; };
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8384/";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8384/;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
'';
};
};
};
"homeassistant.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = { "/" = { proxyPass = "http://10.0.0.3:8123/"; }; };
};
};
};
@ -265,12 +232,10 @@ in
scope = "/home/alex/docker/transmission-wireguard/downloads";
modify = true;
auth = true;
users = [
{
username = "alex";
password = secrets.webdav-password;
}
];
users = [{
username = "alex";
password = secrets.webdav-password;
}];
};
};
@ -286,7 +251,8 @@ in
shares = {
homes = {
browseable = "no"; # note: each home will be browseable; the "homes" share will not.
browseable =
"no"; # note: each home will be browseable; the "homes" share will not.
"read only" = "no";
"guest ok" = "no";
};
@ -304,18 +270,16 @@ in
fail2ban = {
enable = true;
jails.DEFAULT =
''
bantime = 7d
'';
jails.DEFAULT = ''
bantime = 7d
'';
jails.sshd =
''
filter = sshd
maxretry = 4
action = iptables[name=ssh, port=ssh, protocol=tcp]
enabled = true
'';
jails.sshd = ''
filter = sshd
maxretry = 4
action = iptables[name=ssh, port=ssh, protocol=tcp]
enabled = true
'';
};
netdata.enable = true;
@ -331,10 +295,11 @@ in
borgbackup.jobs.home = rec {
compression = "auto,zstd";
encryption = {
mode = "repokey-blake2" ;
mode = "repokey-blake2";
passphrase = secrets.borg-key;
};
extraCreateArgs = "--list --stats --verbose --checkpoint-interval 600 --exclude-caches";
extraCreateArgs =
"--list --stats --verbose --checkpoint-interval 600 --exclude-caches";
environment.BORG_RSH = "ssh -i /home/alex/.ssh/id_borg_rsa";
paths = "/home/alex";
repo = secrets.borg-repo;