Giulio De Pasquale 2022-07-06 20:34:12 +02:00
parent b640bd32a1
commit 7bd60d982b
12 changed files with 152 additions and 109 deletions

flake.lock generated

@ -7,11 +7,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1639871969, "lastModified": 1651519540,
"narHash": "sha256-6feWUnMygRzA9tzkrfAzpA5/NBYg75bkFxnqb1DtD7E=", "narHash": "sha256-3k6p8VsTwwRPQjE8rrMh+o2AZACZn/eeYJ7ivdQ/Iro=",
"owner": "rycee", "owner": "rycee",
"repo": "home-manager", "repo": "home-manager",
"rev": "697cc8c68ed6a606296efbbe9614c32537078756", "rev": "d93d56ab8c1c6aa575854a79b9d2f69d491db7d0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -23,27 +23,27 @@
}, },
"nixos-unstable": { "nixos-unstable": {
"locked": { "locked": {
"lastModified": 1639699734, "lastModified": 1657132020,
"narHash": "sha256-tlX6WebGmiHb2Hmniff+ltYp+7dRfdsBxw9YczLsP60=", "narHash": "sha256-MkDlX9c9FxgHsCAbtJtk92BKk2GjosrNPEePmbh1A4I=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "03ec468b14067729a285c2c7cfa7b9434a04816c", "rev": "2039758aae57dbd5f2f4a6e79daa85a69441b544",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-unstable", "ref": "master",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1639794673, "lastModified": 1656782578,
"narHash": "sha256-bjauV0+Z4WmxeiHXecyiEOEwo+XysO6kx36beeatbl0=", "narHash": "sha256-1eMCBEqJplPotTo/SZ/t5HU6Sf2I8qKlZi9MX7jv9fw=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "2627c4b795107ba94562626925f5a9a2bc62ebc6", "rev": "573603b7fdb9feb0eb8efc16ee18a015c667ab1b",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -1,15 +1,14 @@
{ {
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.11"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.11";
nixos-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; nixos-unstable.url = "github:NixOS/nixpkgs/master";
home-manager = { home-manager = {
url = "github:rycee/home-manager/release-21.11"; url = "github:rycee/home-manager/release-21.11";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
navidrome.url = "github:antifuchs/nixpkgs/fix-151550";
}; };
outputs = inputs@{ self, nixpkgs, nixos-unstable, home-manager, navidrome}: outputs = inputs@{ self, nixpkgs, nixos-unstable, home-manager}:
let let
system = "x86_64-linux"; system = "x86_64-linux";
@ -38,13 +37,6 @@
user = "giulio"; user = "giulio";
roles = [ ]; roles = [ ];
}]; }];
imports = [
{
disabledModules = [ "services/audio/navidrome.nix" ];
imports =
[ (navidrome + "/nixos/modules/services/audio/navidrome.nix") ];
}
];
}; };
gAluminum = host.mkHost { gAluminum = host.mkHost {
name = "gAluminum"; name = "gAluminum";
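Review bot: The `nixos-unstable` input at `nixos-unstable.url = "github:NixOS/nixpkgs/master";` now tracks `master`, which receives commits before Hydra has built or tested them, whereas the `nixos-unstable` branch only advances once the channel's test suite passes; the input's name no longer describes what it pins. If `master` is needed for one specific package fix, recording that would let the pin be reverted later, e.g. `nixos-unstable.url = "github:NixOS/nixpkgs/master"; # TODO(<reason>): back to nixos-unstable once <fix> lands`. The `navidrome` override input and its `disabledModules` import are removed consistently in both hunks, so nothing else in view references it.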


@ -23,40 +23,29 @@ in {
./matrix.nix ./matrix.nix
./fail2ban.nix ./fail2ban.nix
./dns.nix ./dns.nix
#./minecraft.nix # ./minecraft.nix
./prowlarr.nix ./prowlarr.nix
# ./plex.nix # ./plex.nix
./githubrunner.nix #./githubrunner.nix
./libreddit.nix ./libreddit.nix
./invidious.nix ./invidious.nix
./nitter.nix ./nitter.nix
./ccache.nix ./ccache.nix
./lidarr.nix ./lidarr.nix
./navidrome.nix # ./navidrome.nix
./jellyfin.nix ./jellyfin.nix
./prosody.nix ./prosody.nix
./deluge.nix ./deluge.nix
# ./calibre.nix # ./calibre.nix
../../cachix.nix ../../cachix.nix
./docker.nix ./docker.nix
]; ];
nixpkgs.config.permittedInsecurePackages = [ "nodejs-12.22.12" ];
time.timeZone = "Europe/Rome"; time.timeZone = "Europe/Rome";
system.stateVersion = "21.11"; # Did you read the comment? system.stateVersion = "21.11"; # Did you read the comment?
users.users.giulio.openssh.authorizedKeys.keys = pubkeys; users.users.giulio.openssh.authorizedKeys.keys = pubkeys;
services.fwupd.enable = true;
boot = { boot = {
kernelParams = [
"ip=${network.architect-lan}::10.0.0.1:255.255.255.0::${network.wan-if}:off"
"nvme_core.default_ps_max_latency_us=5500"
];
kernel.sysctl= {
"net.ipv4.ip_forward" = 1;
"fs.protected_regular" = 0;
};
initrd = { initrd = {
availableKernelModules = [ "igc" "r8169" ]; availableKernelModules = [ "igc" "r8169" ];
network = { network = {
@ -64,22 +53,33 @@ in {
ssh = { ssh = {
enable = true; enable = true;
port = 22; port = 22;
hostKeys = [ /boot/ssh_host_rsa_key ]; hostKeys = [ /secrets/ssh_host_rsa_key ];
authorizedKeys = pubkeys; authorizedKeys = pubkeys;
}; };
postCommands = '' # postCommands = ''
zpool import backedpool # zpool import backedpool -f
zpool import zpool # zpool import zpool -f
mkdir /mnt-root # echo "zfs load-key -ar; killall zfs" >> /root/.profile
echo "zfs load-key -ar; mount -t zfs zpool/nixos/root /mnt-root; zfs load-key -a; umount /mnt-root; rmdir /mnt-root; killall zfs" >> /root/.profile # '';
'';
}; };
}; };
};
services.fwupd.enable = true;
boot = {
kernelParams = [
"ip=${network.architect-lan}::10.0.0.1:255.255.255.0::${network.wan-if}:off"
"nvme_core.default_ps_max_latency_us=5500"
"zfs_arc_max=1073741824"
"memmap=32M$0x4ca6f9478"
];
kernel.sysctl = { "net.ipv4.ip_forward" = 1; };
loader = { loader = {
systemd-boot ={ systemd-boot = {
enable = true; enable = true;
memtest86.enable = true; memtest86.enable = true;
}; };
@ -150,6 +150,9 @@ in {
enable = true; enable = true;
passwordAuthentication = false; passwordAuthentication = false;
challengeResponseAuthentication = false; challengeResponseAuthentication = false;
extraConfig = ''
MaxAuthTries 15
'';
}; };
smartd.enable = true; smartd.enable = true;
}; };
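Review bot: `nixpkgs.config.permittedInsecurePackages = [ "nodejs-12.22.12" ];` (its side is not explicit in the rendered hunk, but it appears only on the new side) opts this host into a runtime nixpkgs has marked insecure, with nothing recording which service still needs it; a comment such as `# needed by <service> — drop once it moves off Node 12` keeps the exception from outliving its reason. The new `extraConfig = '' MaxAuthTries 15 '';` in the sshd hunk more than doubles OpenSSH's default of 6, so a client can offer more keys per connection before sshd closes it; with password authentication already off the risk is modest, but the reason for the number belongs in a comment or the value should stay at the default. Moving the initrd host key to `/secrets/ssh_host_rsa_key` does not change that `boot.initrd.network.ssh.hostKeys` embeds the key into the initrd, which with systemd-boot lives on the unencrypted `/boot` partition — presumably accepted here, but worth stating next to the option.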


@ -1,10 +1,15 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let
adguard_port = "5300";
dnsproxy_port = "5353";
in
{ {
services = { services = {
dnsmasq = { dnsmasq = {
enable = true; enable = true;
servers = [ "127.0.0.1#5300" ]; # adguard port
servers = [ "127.0.0.1#${adguard_port}" ];
extraConfig = '' extraConfig = ''
localise-queries localise-queries
min-cache-ttl=120 min-cache-ttl=120
@ -20,7 +25,7 @@
dnscrypt-proxy2 = { dnscrypt-proxy2 = {
enable = true; enable = true;
settings = { settings = {
listen_addresses = [ "127.0.0.1:5353" ]; listen_addresses = [ "127.0.0.1:${dnsproxy_port}" ];
ipv4_servers = true; ipv4_servers = true;
ipv6_servers = false; ipv6_servers = false;
block_ipv6 = true; block_ipv6 = true;
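Review bot: The `# adguard port` comment that explained the dnsmasq upstream is lost when the literal moves into the new `let` binding, so `adguard_port = "5300";` now carries no hint of what listens there. Suggest keeping it on the binding: `adguard_port = "5300"; # AdGuard listener that dnsmasq forwards to` and likewise `dnsproxy_port = "5353"; # dnscrypt-proxy2 listen port`. The `let … in` block is fully in view, but the `services` attribute set continues past the hunk.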


@ -1,10 +1,10 @@
{ {
virtualisation.docker = { # virtualisation.docker = {
enable = true; # enable = true;
extraOptions = '' # extraOptions = ''
--dns 127.0.0.1 --dns 10.0.0.250 --data-root /docker # --dns 127.0.0.1 --dns 10.0.0.250 --data-root /docker
''; # '';
enableOnBoot = false; # enableOnBoot = false;
}; # };
users.users.giulio.extraGroups = [ "docker" ]; users.users.giulio.extraGroups = [ "docker" ];
} }
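Review bot: `users.users.giulio.extraGroups = [ "docker" ];` is kept while the daemon block above it is commented out, so the user stays in a group that is root-equivalent whenever a docker socket exists, and re-enabling the daemon later restores that privilege silently. If docker is meant to be gone, drop the group membership with it; if it is only paused, a comment on that line saying so would explain the leftover. Commenting out the block rather than deleting it also leaves `--dns 127.0.0.1 --dns 10.0.0.250 --data-root /docker` in the file with no indication whether those flags are still intended — git history already preserves them.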


@ -6,22 +6,22 @@
{ {
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules =
[ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ]; boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" = {
device = "zpool/nixos/root"; device = "/dev/disk/by-uuid/28ce6650-de21-4c1d-ae42-95d1e3507740";
fsType = "zfs"; fsType = "ext4";
}; };
fileSystems."/home" = { fileSystems."/boot" = {
device = "zpool/data/home"; device = "/dev/disk/by-uuid/B790-869D";
fsType = "zfs"; fsType = "vfat";
}; };
hardware.cpu.amd.updateMicrocode =
lib.mkDefault config.hardware.enableRedistributableFirmware;
fileSystems."/media" = { fileSystems."/media" = {
device = "datapool/media"; device = "datapool/media";
fsType = "zfs"; fsType = "zfs";
@ -32,19 +32,21 @@
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/var/lib" = { fileSystems."/services" = {
device = "backedpool/services"; device = "backedpool/services";
fsType = "zfs"; fsType = "zfs";
}; };
boot = {
fileSystems."/boot" = { initrd.luks.devices = {
device = "/dev/disk/by-uuid/AF19-5616"; root = {
fsType = "vfat"; device = "/dev/disk/by-uuid/bdd5f111-ecec-48d8-861f-94083098c724";
preLVM = true;
allowDiscards = true;
fallbackToPassword = true;
};
};
initrd.availableKernelModules =
[ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
initrd.kernelModules = [ "dm-snapshot" ];
}; };
swapDevices = [{
device = "/dev/sdc1";
size = 10000;
}];
} }
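Review bot: The `swapDevices = [{ device = "/dev/sdc1"; size = 10000; }];` entry (which appears only on the new side) mixes two modes of the option: as far as I know, when `size` is set NixOS treats `device` as the path of a swap file to create, so pointing it at a block device node is at best ignored and at worst writes a 10000 MB file over the partition; use either `device = "/dev/sdc1";` alone or a file path together with `size`. More importantly for this commit, root now sits on LUKS (`initrd.luks.devices.root`) but swap does not, so paged-out process memory, which can include data read from the encrypted root, lands on `/dev/sdc1` in plaintext; `randomEncryption.enable = true;` on the swap entry closes that gap, and a `/dev/disk/by-uuid/…` path would match the other entries. `allowDiscards = true;` is a deliberate trade (TRIM exposes block-usage patterns through the encryption); a one-line comment next to it would record that the trade was considered. `fallbackToPassword = true;` implies a keyfile configured outside this hunk, which I cannot see.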


@ -19,7 +19,7 @@ in {
enableACME = true; enableACME = true;
extraConfig = '' extraConfig = ''
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'"; #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
# Disable buffering when the nginx proxy gets very resource heavy upon streaming # Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off; proxy_buffering off;
''; '';
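Review bot: Commenting out the `add_header Content-Security-Policy …` line removes the whole policy — including `frame-ancestors 'self'` (clickjacking protection) and `object-src 'none'` — rather than the one directive that was presumably blocking something. If a source needed allowing, adding it to the relevant `script-src`/`connect-src` list keeps the rest of the protection; if the policy is to stay off, a comment stating why is better than a dead line that looks temporary. When it is re-enabled, remember that nginx's `add_header` in a `server` block is not inherited by a `location` that sets its own `add_header`, so check where the directive ends up.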


@ -3,13 +3,15 @@
let let
domain = "music.giugl.io"; domain = "music.giugl.io";
network = import ./network.nix; network = import ./network.nix;
library_path = "/media/Music";
beets_config = "/media/beets.conf";
in { in {
services = { services = {
navidrome = { navidrome = {
enable = true; enable = true;
settings = { settings = {
MusicFolder = "/media/Music"; MusicFolder = library_path;
LastFM.enable = true; LastFM.enable = true;
LastFM.ApiKey = "5cef5cb5f9d31326b97d0f929ca9cf20"; LastFM.ApiKey = "5cef5cb5f9d31326b97d0f929ca9cf20";
LastFM.Secret = "d1296896126f4caae47407aecf080b25"; LastFM.Secret = "d1296896126f4caae47407aecf080b25";
@ -34,14 +36,51 @@ in {
}; };
}; };
systemd.services."beets-rename" = { systemd.services = {
enable = true; "beets-update" = {
serviceConfig = { enable = true;
Type = "oneshot"; # requires = [ "remove-badmp3.service" "remove-badflac.service" ];
ExecStart = before = [ "beets-import.service" ];
"${pkgs.findutils}/bin/find /media/Music -type d -mindepth 2 -maxdepth 2 -exec ${pkgs.beets}/bin/beet -c /media/config.conf import --flat -q {} \\;"; serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.beets}/bin/beet -c ${beets_config} update";
};
};
"beets-import" = {
enable = true;
path = [ pkgs.imagemagick ];
requires = [ "beets-update.service" ];
after = [ "beets-update.service" ];
serviceConfig = {
Type = "oneshot";
ExecStart =
"${pkgs.beets}/bin/beet -c ${beets_config} import --flat -q ${library_path}";
};
startAt = "daily";
};
"remove-badmp3" = {
enable = true;
before = [ "beets-import.service" "beets-update.service" ];
serviceConfig = {
Type = "oneshot";
ExecStart = ''
${pkgs.findutils}/bin/find ${library_path} -name "*.mp3" -type f -exec ${pkgs.bash}/bin/sh -c '${pkgs.mp3val}/bin/mp3val "{}" | grep -Pi error 1>/dev/null && ${pkgs.busybox}/bin/rm "{}"' \;
'';
};
};
"remove-badflac" = {
enable = true;
before = [ "beets-import.service" "beets-update.service" ];
serviceConfig = {
Type = "oneshot";
ExecStart = ''
${pkgs.findutils}/bin/find ${library_path} -name "*.flac" -type f -exec ${pkgs.bash}/bin/sh -c '${pkgs.flac}/bin/flac -st "{}" || ${pkgs.busybox}/bin/rm "{}"' \;
'';
};
}; };
startAt = "daily";
}; };
networking.extraHosts = '' networking.extraHosts = ''
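Review bot: The `sh -c '… "{}" …'` form in `remove-badmp3` and `remove-badflac` splices each file name into the shell command text, so a name containing `"`, `$(` or backticks is executed as shell rather than passed as an argument, and these units run as root by default; pass the name as a positional parameter instead, e.g. `-exec ${pkgs.bash}/bin/sh -c '${pkgs.mp3val}/bin/mp3val "$1" | grep -Pi error >/dev/null && ${pkgs.busybox}/bin/rm "$1"' sh {} \;` and the same `"$1"` / `sh {} \;` change on the flac line. Both services delete files outright on a heuristic (`grep -Pi error` also matches an "error" substring in any path mp3val echoes), so moving matches to a quarantine directory would be the safer default. As written, nothing `wants`/`requires` the two `remove-bad*` units and they have no `startAt`, so with the `requires` line in `beets-update` commented out they appear never to run — presumably unintended. Separately, the `LastFM.ApiKey`/`LastFM.Secret` literals in the first hunk's context are unchanged here but end up world-readable in the Nix store; a secrets file would keep them out of it.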


@ -49,19 +49,19 @@ rec {
parina-wg = "10.3.0.31"; parina-wg = "10.3.0.31";
nilo-wg = "10.3.0.32"; nilo-wg = "10.3.0.32";
parina-ipad-wg = "10.3.0.33"; parina-ipad-wg = "10.3.0.33";
kclvm-wg = "10.3.0.34";
eleonora-wg = "10.3.0.100"; eleonora-wg = "10.3.0.100";
angellane-wg = "10.3.0.200"; angellane-wg = "10.3.0.203";
hotpottino-wg = "10.3.0.201"; hotpottino-wg = "10.3.0.201";
dodino-wg = "10.3.0.202"; dodino-wg = "10.3.0.202";
wolfsonhouse-wg = "10.3.0.203";
# groups # groups
gdevices-wg = gdevices-wg =
[ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg wolfsonhouse-wg ]; [ galuminum-wg oneplus-wg gbeast-wg peppiniell-wg kclvm-wg ] ++ routers-wg;
routers-wg = [ hotpottino-wg angellane-wg dodino-wg wolfsonhouse-wg ]; routers-wg = [ hotpottino-wg angellane-wg dodino-wg ];
c2c-wg = [ ] ++ gdevices-wg; c2c-wg = [ ] ++ gdevices-wg;
towan-wg = [ shield-wg parisaphone-wg parisapc-wg parina-wg parina-ipad-wg ] ++ gdevices-wg towan-wg = [ shield-wg parisaphone-wg parisapc-wg parina-wg parina-ipad-wg ]
++ routers-wg; ++ gdevices-wg ++ routers-wg;
gamenet-wg = [ gamenet-wg = [
andrew-wg andrew-wg
galuminum-wg galuminum-wg
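Review bot: With `gdevices-wg` now ending in `++ routers-wg`, the `towan-wg` list appends `routers-wg` a second time (`++ gdevices-wg ++ routers-wg`), so the three router addresses appear twice in it; dropping the trailing `++ routers-wg` from `towan-wg` gives the same set without duplicates. The same inclusion silently widens `c2c-wg` (`[ ] ++ gdevices-wg`) to cover the routers, which matters if these groups feed firewall or peer `allowedIPs` rules elsewhere — a comment on `gdevices-wg` would confirm that is intended. `angellane-wg` takes over `10.3.0.203` from the removed `wolfsonhouse-wg`, which is consistent with the peer rename in the wireguard file of this commit.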


@ -14,7 +14,7 @@ in {
enable = true; enable = true;
hostName = "${domain}"; hostName = "${domain}";
https = true; https = true;
package = pkgs.unstable.nextcloud23; package = pkgs.unstable.nextcloud24;
caching.redis = true; caching.redis = true;


@ -30,7 +30,9 @@
# }; # };
# }; # };
# }; # };
appendConfig = ''
worker_processes 24;
'';
}; };
users.groups.acme.members = [ "nginx" ]; users.groups.acme.members = [ "nginx" ];
} }
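Review bot: `worker_processes 24;` hard-codes this machine's core count into a module that could be shared across hosts; nginx's `worker_processes auto;` derives it at start-up and is the usual choice. If a fixed number is wanted (for example to leave cores for other services), a comment saying so would stop the next reader from "fixing" it. Also check that the generated configuration does not already set `worker_processes`, since nginx rejects the directive appearing twice in the main context and `appendConfig` is added verbatim.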


@ -28,25 +28,25 @@ with import ./network.nix; {
${mikey-wg} mikey.devs.giugl.io ${mikey-wg} mikey.devs.giugl.io
${andrew-wg} andrew.devs.giugl.io ${andrew-wg} andrew.devs.giugl.io
${mikeylaptop-wg} mikeylaptop.devs.giugl.io ${mikeylaptop-wg} mikeylaptop.devs.giugl.io
${wolfsonhouse-wg} wolfsonhouse.devs.giugl.io
${frznn-wg} frznn.devs.giugl.io ${frznn-wg} frznn.devs.giugl.io
${ludo-wg} ludo.devs.giugl.io ${ludo-wg} ludo.devs.giugl.io
${parina-wg} parina.devs.giugl.io ${parina-wg} parina.devs.giugl.io
${parina-ipad-wg} parinaipad.devs.giugl.io ${parina-ipad-wg} parinaipad.devs.giugl.io
${nilo-wg} nilo.devs.giugl.io ${nilo-wg} nilo.devs.giugl.io
${kclvm-wg} kclvm.devs.giugl.io
''; '';
wireguard = { wireguard = {
interfaces.${proxy-if} = { # interfaces.${proxy-if} = {
ips = [ "10.4.0.2/32" ]; # ips = [ "10.4.0.2/32" ];
privateKeyFile = "/secrets/wireguard/proxy.key"; # privateKeyFile = "/secrets/wireguard/proxy.key";
peers = [{ # peers = [{
publicKey = "WmJBpXpYebcmJEF8nVTKMqQK01KyBe42vzc38K66rVs="; # publicKey = "WmJBpXpYebcmJEF8nVTKMqQK01KyBe42vzc38K66rVs=";
allowedIPs = [ "10.4.0.1/32" ]; # allowedIPs = [ "10.4.0.1/32" ];
endpoint = "giugl.io:1195"; # endpoint = "giugl.io:1195";
persistentKeepalive = 21; # persistentKeepalive = 21;
}]; # }];
}; # };
interfaces.${vpn-if} = { interfaces.${vpn-if} = {
listenPort = 1194; listenPort = 1194;
@ -120,12 +120,6 @@ with import ./network.nix; {
publicKey = "bzoW3Rx+7Un9hx/2opgBQJmmnZ/hgj1lQ2FnonCHjTc="; publicKey = "bzoW3Rx+7Un9hx/2opgBQJmmnZ/hgj1lQ2FnonCHjTc=";
} }
{
# angellane
allowedIPs = [ angellane-wg ];
publicKey = "MZ+nZklHpBxTL7QN9QJpBBx7yOYRZLONfvqAnuk85x0=";
}
{ {
# hotpottino # hotpottino
allowedIPs = [ hotpottino-wg ]; allowedIPs = [ hotpottino-wg ];
@ -199,8 +193,8 @@ with import ./network.nix; {
} }
{ {
# wolfsonhouse # angel-lane
allowedIPs = [ wolfsonhouse-wg ]; allowedIPs = [ angellane-wg ];
publicKey = "UJRJcAOcnEjEB3o4K2I7gEM97SrhENEesZNf28z+EBQ="; publicKey = "UJRJcAOcnEjEB3o4K2I7gEM97SrhENEesZNf28z+EBQ=";
} }
@ -263,6 +257,12 @@ with import ./network.nix; {
allowedIPs = [ parina-ipad-wg ]; allowedIPs = [ parina-ipad-wg ];
publicKey = "ezkCzl2qC7Hd7rFKfqMa0JXDKRhVqy79H52rA06x7mU="; publicKey = "ezkCzl2qC7Hd7rFKfqMa0JXDKRhVqy79H52rA06x7mU=";
} }
{
# kcl vm
allowedIPs = [ kclvm-wg ];
publicKey = "jVBaY8AhgAA7myVjU/PJPDUCOjsCi23LT+pGZUoNEkE=";
}
]; ];
}; };
}; };
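Review bot: The `# interfaces.${proxy-if} = { … }` block is dead configuration that still spells out the `privateKeyFile` path and the remote endpoint; deleting it is cleaner than commenting, since git keeps the text if the proxy tunnel comes back. The `# angel-lane` peer is the former `# wolfsonhouse` entry with only its comment and `allowedIPs` changed, while the separate angellane entry (key `MZ+…`) is removed, which reads as the same router changing site; a short comment on that peer recording this would save the next reader from suspecting a copy-paste mix-up. The new `# kcl vm` peer looks consistent with the `kclvm-wg` address and hosts entry added in this commit.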