Mon Aug 15 12:11:21 PM CEST 2022

This commit is contained in:
Alexander Szczepanski
2022-08-15 12:11:21 +02:00
parent 6a5607ed9c
commit e2432a18de
2 changed files with 111 additions and 148 deletions


@ -1,8 +1,6 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let unstable = import <nixos-unstable> { config.allowUnfree = true; };
unstable = import <nixos-unstable> { config.allowUnfree = true; }; in {
in
{
imports = [ <home-manager/nixos> ]; imports = [ <home-manager/nixos> ];
# Define a user account. Don't forget to set a password with passwd. # Define a user account. Don't forget to set a password with passwd.
@ -11,7 +9,16 @@ in
users.alex = { users.alex = {
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" "docker" "networkmanager" "libvirtd" "kvm" "lp" "scanner" "adbusers" ]; extraGroups = [
"wheel"
"docker"
"networkmanager"
"libvirtd"
"kvm"
"lp"
"scanner"
"adbusers"
];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-rsa 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 alexander@szczepan.ski" "ssh-rsa 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 alexander@szczepan.ski"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDIsOYaj6+akcgTQPvm0/htYgO5z+PR1TJRxCnbRNI/ucqvcC6/eTzPU7tKG+UJtkfy30NSnwu/k9aENyb5zYLVoDHngOzH8DLl93B2nHgwUiLpv7kFXOhvD1jsA5RsryeumaL7YbtlePrso+FEJkUez8mncAjG4t9U/MifkTbujjS5AP35NONH01fQWKvivnqw4T0dq36e0J0YF/zcb1mQovt3dw7+NE0A6OwNGAElRNwVh619jL9g0TJBi3Ge8LASsHBildzTlNVHzIwdDzRdAvsoAXjYF42fjHSQXZJv5P5eJcT7JEt7x+yVWzTnk/K6/dtKi6kewbp/srUGSsVLP6x+o6QTQ5rYKoBRsM/3bfqG0PwijfDXEdn7bQn6+7PcnMhVi5wJppUeEOt0SbRBDSa3ewzTWjjESPW03b/oIlNrnDhk5UJmF5jlfxz9HHP73lqEpcNhEAiZMLbfvnwtufS/wYnZXz44i8rVEiNMfIOS2VIM74aNloPTvkq0Ek0GzTT6H4wQy7VbRgSOaW+XN5TSOEqtfZ0TpmYNrpskVx5yDrbOOArmULICGLlexed8fsFZX8P1ouTg96pM5Kr47HZsdEZzS8DKuDx8EP50ORYKbN6Kyb+f0FcMEfD1RQV+IECKnnFUyoozFjE0aV+ROjAKoDmyWdU2lpOPA8kRBw== alex@desktop" "ssh-rsa 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 alex@desktop"
@ -26,7 +33,10 @@ in
home-manager.users.alex = { pkgs, ... }: { home-manager.users.alex = { pkgs, ... }: {
imports = [ imports = [
"${fetchTarball "https://github.com/msteen/nixos-vscode-server/tarball/master"}/modules/vscode-server/home.nix" "${
fetchTarball
"https://github.com/msteen/nixos-vscode-server/tarball/master"
}/modules/vscode-server/home.nix"
]; ];
home = { home = {
@ -46,20 +56,16 @@ in
neofetch neofetch
nixfmt nixfmt
pstree pstree
qrencode
ranger ranger
sshfs sshfs
tealdeer tealdeer
unrar unrar
yt-dlp yt-dlp
]; ];
sessionPath = [ sessionPath = [ "$HOME/.npm-packages" "$HOME/.bin" ];
"$HOME/.npm-packages"
"$HOME/.bin"
];
file = { file = {
".npmrc" = { ".npmrc" = { source = ../home/npmrc; };
source = ../home/npmrc;
};
".bin/git-redate" = { ".bin/git-redate" = {
executable = true; executable = true;
source = ../home/bin/git-redate; source = ../home/bin/git-redate;
@ -80,7 +86,8 @@ in
matchBlocks."old-vps" = { matchBlocks."old-vps" = {
hostname = "2.56.97.114"; hostname = "2.56.97.114";
localForwards = [{ localForwards = [
{
bind.address = "127.0.0.1"; bind.address = "127.0.0.1";
bind.port = 8386; bind.port = 8386;
host.address = "127.0.0.1"; host.address = "127.0.0.1";
@ -91,7 +98,8 @@ in
bind.port = 9092; bind.port = 9092;
host.address = "127.0.0.1"; host.address = "127.0.0.1";
host.port = 9091; host.port = 9091;
}]; }
];
}; };
matchBlocks."szczepan.ski" = { matchBlocks."szczepan.ski" = {
@ -120,13 +128,9 @@ in
}]; }];
}; };
matchBlocks."mini" = { matchBlocks."mini" = { hostname = "192.168.0.101"; };
hostname = "192.168.0.101";
};
matchBlocks."pi" = { matchBlocks."pi" = { hostname = "192.168.1.143"; };
hostname = "192.168.1.143";
};
matchBlocks."router" = { matchBlocks."router" = {
hostname = "192.168.1.1"; hostname = "192.168.1.1";
@ -169,15 +173,8 @@ in
enableSyntaxHighlighting = true; enableSyntaxHighlighting = true;
oh-my-zsh = { oh-my-zsh = {
enable = true; enable = true;
plugins = [ plugins =
"cp" [ "cp" "common-aliases" "docker" "systemd" "wd" "kubectl" "git" ];
"common-aliases"
"docker"
"systemd"
"wd"
"kubectl"
"git"
];
}; };
plugins = [ plugins = [
{ {
@ -192,15 +189,18 @@ in
} }
]; ];
shellAliases = { shellAliases = {
active-services = "systemctl --no-page --no-legend --plain -t service --state=running"; active-services =
"systemctl --no-page --no-legend --plain -t service --state=running";
autofanspeed = "echo level auto | sudo tee /proc/acpi/ibm/fan"; autofanspeed = "echo level auto | sudo tee /proc/acpi/ibm/fan";
maxfanspeed = "echo level full-speed | sudo tee /proc/acpi/ibm/fan"; maxfanspeed = "echo level full-speed | sudo tee /proc/acpi/ibm/fan";
db = "sudo updatedb"; db = "sudo updatedb";
"-g C" = "| wc -l"; "-g C" = "| wc -l";
"-g G" = "| grep --ignore-case"; "-g G" = "| grep --ignore-case";
bat = "upower -i /org/freedesktop/UPower/devices/battery_BAT0"; bat = "upower -i /org/freedesktop/UPower/devices/battery_BAT0";
brightness-max = "echo 4794 | sudo tee /sys/class/backlight/intel_backlight/brightness"; brightness-max =
brightness-power-save = "echo 2300 | sudo tee /sys/class/backlight/intel_backlight/brightness"; "echo 4794 | sudo tee /sys/class/backlight/intel_backlight/brightness";
brightness-power-save =
"echo 2300 | sudo tee /sys/class/backlight/intel_backlight/brightness";
ff = "find . -type f -iname"; ff = "find . -type f -iname";
l = "exa --group-directories-first -l -g"; l = "exa --group-directories-first -l -g";
ll = "exa --group-directories-first -l -g"; ll = "exa --group-directories-first -l -g";
@ -208,9 +208,7 @@ in
}; };
}; };
tmux = { tmux = { enable = true; };
enable = true;
};
# exa = { # exa = {
# enable = true; # enable = true;
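Review bot: The home-manager import at the `fetchTarball` line (the vscode-server hunk in this section) still fetches `.../tarball/master` with no hash, so every evaluation pulls whatever the branch currently points at and nothing verifies the content; this commit only re-wraps the expression across lines. Pinning with the attribute-set form, `fetchTarball { url = "https://github.com/msteen/nixos-vscode-server/tarball/master"; sha256 = "<sha256-placeholder>"; }`, makes the import reproducible and fails evaluation if the tarball changes, and pointing the URL at a specific commit tarball instead of `master` removes the moving target entirely. The rest of this file section appears to be formatter output plus the added `qrencode` package, which is fine as is.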


@ -3,10 +3,8 @@ let
secrets-desktop = import ../configs/secrets-desktop.nix; secrets-desktop = import ../configs/secrets-desktop.nix;
secrets = import ../configs/secrets.nix; secrets = import ../configs/secrets.nix;
be = import ../configs/borg-exclude.nix; be = import ../configs/borg-exclude.nix;
in in {
{ imports = [
imports =
[
/etc/nixos/hardware-configuration.nix /etc/nixos/hardware-configuration.nix
../configs/common.nix ../configs/common.nix
../configs/docker.nix ../configs/docker.nix
@ -29,20 +27,20 @@ in
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
networking = { networking = {
useDHCP = false; useDHCP = false;
# defaultGateway = { # defaultGateway = {
# "address" = "gw.contabo.net"; # "address" = "gw.contabo.net";
# "interface" = "ens18"; # "interface" = "ens18";
# }; # };
interfaces.ens18 = { interfaces.ens18 = {
useDHCP = true; useDHCP = true;
# ipv4.addresses = [ { # ipv4.addresses = [ {
# address = "207.180.220.97"; # address = "207.180.220.97";
# prefixLength = 24; # prefixLength = 24;
# } ]; # } ];
ipv6.addresses = [ { ipv6.addresses = [{
address = "2a02:c207:3008:1547::1"; address = "2a02:c207:3008:1547::1";
prefixLength = 64; prefixLength = 64;
} ]; }];
}; };
wireguard.interfaces = { wireguard.interfaces = {
wg0 = { wg0 = {
@ -70,7 +68,13 @@ in
publicKey = secrets.wireguard-mbp-public; publicKey = secrets.wireguard-mbp-public;
presharedKey = secrets.wireguard-preshared; presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.4/32" ]; allowedIPs = [ "10.100.0.4/32" ];
}]; }
{
publicKey = secrets.wireguard-phone1-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.5/32" ];
}
];
}; };
}; };
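Review bot: The new `phone1` peer in the wg0 peers hunk reuses `secrets.wireguard-preshared`, the same `presharedKey` value the `mbp` peer directly above it already uses, so the preshared layer is a shared secret across devices rather than a per-peer one. WireGuard's PSK is meant to be unique per peer pair; with one value for all peers, loss of any single device exposes the PSK for every peer, and rotating it for one client means rotating it for all of them. Suggest giving each peer its own secret, e.g. `presharedKey = secrets.wireguard-phone1-preshared;`, generated independently of the existing value. The enclosing `wireguard.interfaces.wg0` block starts outside this hunk, so I could not check whether other peers share the same key.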
@ -83,9 +87,7 @@ in
allowPing = true; allowPing = true;
allowedTCPPorts = [ 80 443 22000 ]; allowedTCPPorts = [ 80 443 22000 ];
allowedUDPPorts = [ 80 443 51820 ]; allowedUDPPorts = [ 80 443 51820 ];
interfaces.wg0 = { interfaces.wg0 = { allowedTCPPorts = [ 61208 19999 2049 ]; };
allowedTCPPorts = [ 61208 19999 2049 ];
};
# extraCommands = '' # extraCommands = ''
# iptables -A nixos-fw -p tcp --source 10.100.0.0/24 --dport 19999:19999 -j nixos-fw-accept # iptables -A nixos-fw -p tcp --source 10.100.0.0/24 --dport 19999:19999 -j nixos-fw-accept
# ''; # '';
@ -135,123 +137,88 @@ in
"firefly.szczepan.ski" = { "firefly.szczepan.ski" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations = { locations = { "/" = { proxyPass = "http://127.0.0.1:8081/"; }; };
"/" = {
proxyPass = "http://127.0.0.1:8081/";
};
};
}; };
"etesync.szczepan.ski" = { "etesync.szczepan.ski" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations = { locations = { "/" = { proxyPass = "http://127.0.0.1:8082/"; }; };
"/" = {
proxyPass = "http://127.0.0.1:8082/";
};
};
}; };
"portainer.szczepan.ski" = { "portainer.szczepan.ski" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations = { locations = { "/" = { proxyPass = "http://127.0.0.1:8083/"; }; };
"/" = {
proxyPass = "http://127.0.0.1:8083/";
};
};
}; };
"mail.szczepan.ski" = { "mail.szczepan.ski" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations = { locations = { "/" = { proxyPass = "http://127.0.0.1:8084/"; }; };
"/" = {
proxyPass = "http://127.0.0.1:8084/";
};
};
}; };
"git.szczepan.ski" = { "git.szczepan.ski" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations = { locations = { "/" = { proxyPass = "http://127.0.0.1:49154/"; }; };
"/" = {
proxyPass = "http://127.0.0.1:49154/";
};
};
}; };
"jellyfin.szczepan.ski" = { "jellyfin.szczepan.ski" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations = { locations = { "/" = { proxyPass = "http://127.0.0.1:8085/"; }; };
"/" = {
proxyPass = "http://127.0.0.1:8085/";
};
};
}; };
"etesync-web.szczepan.ski" = { "etesync-web.szczepan.ski" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations = { locations = { "/" = { proxyPass = "http://127.0.0.1:8086/"; }; };
"/" = {
proxyPass = "http://127.0.0.1:8086/";
};
};
}; };
"etesync-notes.szczepan.ski" = { "etesync-notes.szczepan.ski" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations = { locations = { "/" = { proxyPass = "http://127.0.0.1:8087/"; }; };
"/" = {
proxyPass = "http://127.0.0.1:8087/";
};
};
}; };
"file-manager.szczepan.ski" = { "file-manager.szczepan.ski" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations = { locations = { "/" = { proxyPass = "http://127.0.0.1:8088/"; }; };
"/" = {
proxyPass = "http://127.0.0.1:8088/";
};
};
}; };
"webdav.szczepan.ski" = { "webdav.szczepan.ski" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations = { locations = { "/" = { proxyPass = "http://127.0.0.1:8090/"; }; };
"/" = {
proxyPass = "http://127.0.0.1:8090/";
};
};
}; };
"pihole.szczepan.ski" = { "pihole.szczepan.ski" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations = { locations = { "/" = { proxyPass = "http://127.0.0.1:8091/"; }; };
"/" = {
proxyPass = "http://127.0.0.1:8091/";
};
};
}; };
"torrents.szczepan.ski" = { "torrents.szczepan.ski" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations = { locations = { "/" = { proxyPass = "http://127.0.0.1:9091/"; }; };
"/" = {
proxyPass = "http://127.0.0.1:9091/";
};
};
}; };
"syncthing.szczepan.ski" = { "syncthing.szczepan.ski" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
basicAuth = { basicAuth = { alex = secrets.nginx-syncthing-password; };
alex = secrets.nginx-syncthing-password;
};
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://127.0.0.1:8384/"; extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8384/;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
'';
}; };
}; };
}; };
"homeassistant.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = { "/" = { proxyPass = "http://10.0.0.3:8123/"; }; };
};
}; };
}; };
@ -265,12 +232,10 @@ in
scope = "/home/alex/docker/transmission-wireguard/downloads"; scope = "/home/alex/docker/transmission-wireguard/downloads";
modify = true; modify = true;
auth = true; auth = true;
users = [ users = [{
{
username = "alex"; username = "alex";
password = secrets.webdav-password; password = secrets.webdav-password;
} }];
];
}; };
}; };
@ -286,7 +251,8 @@ in
shares = { shares = {
homes = { homes = {
browseable = "no"; # note: each home will be browseable; the "homes" share will not. browseable =
"no"; # note: each home will be browseable; the "homes" share will not.
"read only" = "no"; "read only" = "no";
"guest ok" = "no"; "guest ok" = "no";
}; };
@ -304,13 +270,11 @@ in
fail2ban = { fail2ban = {
enable = true; enable = true;
jails.DEFAULT = jails.DEFAULT = ''
''
bantime = 7d bantime = 7d
''; '';
jails.sshd = jails.sshd = ''
''
filter = sshd filter = sshd
maxretry = 4 maxretry = 4
action = iptables[name=ssh, port=ssh, protocol=tcp] action = iptables[name=ssh, port=ssh, protocol=tcp]
@ -331,10 +295,11 @@ in
borgbackup.jobs.home = rec { borgbackup.jobs.home = rec {
compression = "auto,zstd"; compression = "auto,zstd";
encryption = { encryption = {
mode = "repokey-blake2" ; mode = "repokey-blake2";
passphrase = secrets.borg-key; passphrase = secrets.borg-key;
}; };
extraCreateArgs = "--list --stats --verbose --checkpoint-interval 600 --exclude-caches"; extraCreateArgs =
"--list --stats --verbose --checkpoint-interval 600 --exclude-caches";
environment.BORG_RSH = "ssh -i /home/alex/.ssh/id_borg_rsa"; environment.BORG_RSH = "ssh -i /home/alex/.ssh/id_borg_rsa";
paths = "/home/alex"; paths = "/home/alex";
repo = secrets.borg-repo; repo = secrets.borg-repo;