moving to flakes, wip. no home-manager

Giulio De Pasquale 2021-07-13 10:53:22 +02:00
parent 863cc724f5
commit 905945dfdd
15 changed files with 529 additions and 51 deletions

2
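--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+result
+result/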


@ -1,8 +1,6 @@
{ pkgs, variables, ... }:
{
# Select internationalisation properties.
{
console = {
keyMap = "us";
font = "Lat2-Terminus16";
@ -12,13 +10,11 @@
nix = {
autoOptimiseStore = true;
nixPath = [
"nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos"
"nixos-config=/etc/nixos/hosts/${variables.hostname}/default.nix"
"/nix/var/nix/profiles/per-user/root/channels"
];
package = pkgs.nixUnstable;
extraOptions = ''
experimental-features = nix-command flakes
'';
gc = {
automatic = true;
dates = "weekly";
@ -49,13 +45,9 @@
ripgrep
tmux
parted
unzip
tree
];
fileSystems."/tmp" = {
device = "tmpfs";
fsType = "tmpfs";
options = ["size=5G"];
};
fileSystems."/var/cache" = {
device = "tmpfs";
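Review bot: `variables` is still in the module's argument list at the top of the first hunk, while its only visible use — the `"nixos-config=/etc/nixos/hosts/${variables.hostname}/default.nix"` entry — appears to be on the removed side together with the rest of `nix.nixPath`, which flake.nix now sets from the flake inputs. The host's import of `../../variables.nix` is also dropped in this commit, so nothing visible still supplies that argument and the module would fail to evaluate on a parameter it no longer needs; `{ pkgs, ... }:` is enough for what remains. If the `nixPath` lines are in fact kept, they merge with the flake-supplied list and the channel-based entries would duplicate or shadow the pinned paths, which is worth checking on the evaluated `nix.nixPath`. The enclosing attribute set continues outside the hunks.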

66
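--- a/flake.lock
+++ b/flake.lock
@@ -0,0 +1,66 @@
+{
+"nodes": {
+"home-manager": {
+"inputs": {
+"nixpkgs": [
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1626073055,
+"narHash": "sha256-vocByfpVu6m9zvtJugDvmd6/9iT2HJuG4tmDICKd0lI=",
+"owner": "rycee",
+"repo": "home-manager",
+"rev": "775cb20bd4af7781fbf336fb201df02ee3d544bb",
+"type": "github"
+},
+"original": {
+"owner": "rycee",
+"ref": "master",
+"repo": "home-manager",
+"type": "github"
+}
+},
+"nixos-unstable": {
+"locked": {
+"lastModified": 1625874246,
+"narHash": "sha256-7cGgcysIXz/j/lRpJn7cNJjf0+k7sQ5EuGn62252Svw=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "45fc7d4a35c5343e58541a7847f6415654ccbb37",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "nixos-unstable",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"nixpkgs": {
+"locked": {
+"lastModified": 1625919529,
+"narHash": "sha256-Epn7JRegnKN81hQh4hGx1FOwfp3fBxDCIuSZDgqaBQ4=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "cf59fbd539681f5ec2f4a82cf77aae7ab827a03f",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "nixos-21.05",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"root": {
+"inputs": {
+"home-manager": "home-manager",
+"nixos-unstable": "nixos-unstable",
+"nixpkgs": "nixpkgs"
+}
+}
+},
+"root": "root",
+"version": 7
+}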

45
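--- a/flake.nix
+++ b/flake.nix
+{
+inputs = {
+nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.05";
+nixos-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
+home-manager = {
+url = "github:rycee/home-manager/master";
+inputs.nixpkgs.follows = "nixpkgs";
+};
+};
+outputs = { self, nixpkgs, nixos-unstable, home-manager }:
+let
+system = "x86_64-linux";
+unstable = import nixos-unstable {
+inherit system;
+config.allowUnfree = true;
+};
+pkgs = import nixpkgs {
+inherit system;
+config.allowUnfree = true;
+overlays = [ (final: prev: { inherit unstable; }) ];
+};
+in {
+nixosConfigurations.architect = nixpkgs.lib.nixosSystem {
+inherit system;
+modules = [
+{
+nixpkgs.pkgs = pkgs;
+nix.nixPath = [
+"nixpkgs=${nixpkgs}"
+"unstable=${nixos-unstable}"
+];
+nix.registry.nixpkgs.flake = nixpkgs;
+nix.registry.unstable.flake = nixos-unstable;
+}
+# home-manager.nixosModules.home-manager
+./hosts/architect/default.nix
+];
+};
+};
+}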
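Review bot: The `home-manager` input tracks the `master` branch of `rycee/home-manager` and is fetched and recorded in flake.lock even though its only consumer, `home-manager.nixosModules.home-manager`, is commented out in the module list. An unused input still widens what every `nix flake update` pulls into the lock, so either drop the input (and the `home-manager` name in the `outputs` arguments) until the module is re-enabled, or pin it to the branch matching the nixpkgs release, `url = "github:rycee/home-manager/release-21.05";`. Separately, the `nix.nixPath` entry is named `unstable` while the registry entry on the next line is `nixos-unstable`, so any remaining `<nixos-unstable>` lookup elsewhere in the tree (the old `import <nixos-unstable> {}` in hosts/architect/default.nix, if it survives this commit) would no longer resolve; a comment on the overlay line, `# unstable input is exposed as pkgs.unstable; <nixos-unstable> is no longer on NIX_PATH`, would make that visible to the next reader.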


@ -1,12 +1,7 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, variables, ... }:
{ config, pkgs, ... }:
with import ./network.nix;
let
unstable = import <nixos-unstable> {};
pubkeys = ["ssh-rsa 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 giulio@giulio-X230"];
hostname = "architect";
in
@ -14,7 +9,6 @@ in
imports =
[ # Include the results of the hardware scan.
./hardware.nix
../../variables.nix
../../common.nix
../../users.nix
./firewall.nix
@ -25,15 +19,24 @@ in
./bazarr.nix
./nzbget.nix
./jellyfin.nix
./nextcloud.nix
./wireguard.nix
./minio.nix
];
variables.hostname = hostname;
time.timeZone = "Europe/Rome";
system.stateVersion = "21.05"; # Did you read the comment?
users.users.giulio.openssh.authorizedKeys.keys = pubkeys;
fileSystems."/tmp" = {
device = "tmpfs";
fsType = "tmpfs";
options = ["size=20G"];
};
boot = {
kernelParams = ["ip=${architect-lan}::10.0.0.1:255.255.255.0::${wan-if}:off"];
kernel.sysctl."net.ipv4.ip_forward" = 1;
initrd = {
availableKernelModules = ["igc" "r8169"];
@ -76,17 +79,17 @@ in
wlp4s0.useDHCP = false;
};
extraHosts = ''
127.0.0.1 ${hostname}.devs.giugl.io localhost
127.0.0.1 ${hostname}.devs.giugl.io giugl.io localhost
# LAN
${architect-lan} ${hostname}.devs.giugl.io
${architect-lan} ${hostname}.devs.giugl.io giugl.io
10.0.0.1 router.devs.giugl.io
${dvr-lan} dvr.devs.giugl.io
${nas-lan} nas.devs.giugl.io
# Wireguard hosts
${architect-wg} ${hostname}.devs.giugl.io
${architect-wg} ${hostname}.devs.giugl.io giugl.io
${galuminum-wg} galuminum.devs.giugl.io
${oneplus-wg} oneplus.devs.giugl.io
${ipad-wg} ipad.devs.giugl.io
@ -104,6 +107,10 @@ in
${eleonora-wg} eleonora.devs.giugl.io
${broccolino-wg} broccolino.devs.giugl.io
${hotpottino-wg} hotpottino.devs.giugl.io
${salvatore-wg} salvatore.devs.giugl.io
${papa-wg} papa.devs.giugl.io
${defy-wg} defy.devs.giugl.io
${germano-wg} germano.devs.giugl.io
# Blacklist
0.0.0.0 metrics.plex.tv
@ -148,14 +155,14 @@ in
zfs.autoScrub.enable = true;
xserver.videoDrivers = [ "nvidia" ];
openssh.enable = true;
mysql.enable = true;
mysql.package = with pkgs; mysql80;
dnsmasq = {
enable = true;
servers = ["127.0.0.1#5353"];
extraConfig = ''
localise-queries
min-cache-ttl=120
max-cache-ttl=2400
'';
};
@ -165,6 +172,7 @@ in
listen_addresses = ["127.0.0.1:5353"];
ipv4_servers = true;
ipv6_servers = false;
block_ipv6 = true;
dnscrypt_servers = true;
doh_servers = true;
require_nolog = true;
@ -174,6 +182,8 @@ in
lb_estimator = true;
ignore_system_dns = true;
fallback_resolvers = ["1.1.1.1:53" "9.9.9.9:53"];
cache_min_ttl = 450;
cache_max_ttl = 2400;
};
};
};
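Review bot: The `/tmp` tmpfs block in the third hunk mounts with only `size=20G`, so everything else is the mount default; the `boot.tmpOnTmpfs` option NixOS ships for this purpose also passes `nosuid` and `nodev`, and a world-writable scratch filesystem is exactly where those two are wanted. Unless something needs setuid binaries or device nodes under /tmp, `options = ["size=20G" "nosuid" "nodev"];` restores them at no cost; the 5 GB variant leaving common.nix and the 2 GB one the other host appears to remove had the same gap, so any host file that still declares one should get the same treatment. Which lines are old and which are new is not fully recoverable from the rendering, so this applies on the assumption that the block is the new side, as the move out of common.nix suggests. The enclosing attribute set starts and ends outside the hunks.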


@ -127,8 +127,10 @@ in {
# client to client
ip saddr {${lib.concatStringsSep "," c2c-wg}} ip daddr {${lib.concatStringsSep "," c2c-wg}} accept
# gdevices talking to each other
ip saddr {${lib.concatStringsSep "," gdevices-wg}} ip daddr {${lib.concatStringsSep "," gdevices-wg}} accept
# gdevices talking to everyone in VPN
ip saddr {${lib.concatStringsSep "," gdevices-wg}} ip daddr ${vpn-net} accept
# nat to wan
oifname ${wan-if} ip saddr {${lib.concatStringsSep "," towan-wg}} accept
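Review bot: The new `ip saddr {gdevices-wg} ip daddr ${vpn-net} accept` rule makes the rule directly above it redundant — once gdevices may reach any address in `vpn-net`, the gdevices-to-gdevices accept is a strict subset and can be dropped, which keeps the chain readable as the groups grow. The broader rule is also one-directional by construction: it admits flows a gdevice initiates towards any VPN peer, while a peer outside `gdevices-wg` still needs its own rule (or the conntrack established/related accept that presumably sits earlier in the chain) to start a conversation the other way, and a comment recording that, `# gdevices may initiate to any VPN peer; replies rely on the established rule`, would keep the intent from being widened by the next edit. The chain starts and ends outside the hunk.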


@ -28,10 +28,10 @@
fsType = "zfs";
};
# fileSystems."/docker" =
# { device = "backedpool/docker";
# fsType = "zfs";
# };
fileSystems."/secrets" =
{ device = "backedpool/secrets";
fsType = "zfs";
};
fileSystems."/var/lib" =
{ device = "backedpool/services";
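Review bot: The new `/secrets` mount is the dataset from which the wireguard and nextcloud files added in this commit read the server private key and the DB/admin password files, and the name `backedpool/secrets` suggests it sits inside whatever backup or replication covers `backedpool`. If snapshots of that pool leave the host, the WireGuard server key and the Nextcloud credentials go with them, so this dataset is a candidate for ZFS native encryption or for exclusion from the send stream, and a comment on the mount stating the decision, `# holds service key material; keep out of unencrypted backups`, would make it explicit. Which of the `/docker` lines are old or new is not recoverable from the rendering, so this note concerns the `/secrets` block only. The enclosing attribute set continues outside the hunk.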


@ -1,5 +1,12 @@
{ pkgs, ... }:
with import ./network.nix;
{
disabledModules = ["services/misc/jellyfin.nix"];
imports = [
./modules/jellyfin.nix
];
services = {
jellyfin.enable = true;

25
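--- a/hosts/architect/minio.nix
+++ b/hosts/architect/minio.nix
+with import ./network.nix;
+{
+services = {
+minio.enable = true;
+nginx.virtualHosts.${miniodomain} = {
+forceSSL = true;
+enableACME = true;
+locations."/" = {
+proxyPass = "http://localhost:9000";
+extraConfig = ''
+allow 10.0.0.0/24;
+allow 10.3.0.0/24;
+deny all;
+'';
+};
+};
+};
+networking.extraHosts = ''
+127.0.0.1 ${miniodomain}
+${architect-lan} ${miniodomain}
+${architect-wg} ${miniodomain}
+'';
+}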
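Review bot: The allow/deny list in `locations."/"` only guards the proxied path; MinIO itself still listens on the NixOS module's default address, `:9000` on every interface, so any client that can reach the host on port 9000 talks to the service directly and the source-IP restriction never applies. Bind the service to loopback so nginx is the only way in, `services.minio.listenAddress = "127.0.0.1:9000";`, which also matches the `proxyPass` target exactly. The `allow` ranges themselves line up with the LAN and WireGuard entries in `extraHosts` below, so the intent is clear — it is only the direct port that is left open.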


@ -0,0 +1,127 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.jellyfin;
in
{
options = {
services.jellyfin = {
enable = mkEnableOption "Jellyfin Media Server";
user = mkOption {
type = types.str;
default = "jellyfin";
description = "User account under which Jellyfin runs.";
};
package = mkOption {
type = types.package;
default = pkgs.jellyfin;
example = literalExample "pkgs.jellyfin";
description = ''
Jellyfin package to use.
'';
};
group = mkOption {
type = types.str;
default = "jellyfin";
description = "Group under which jellyfin runs.";
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = ''
Open the default ports in the firewall for the media server. The
HTTP/HTTPS ports can be changed in the Web UI, so this option should
only be used if they are unchanged.
'';
};
};
};
config = mkIf cfg.enable {
systemd.services.jellyfin = {
description = "Jellyfin Media Server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = rec {
User = cfg.user;
Group = cfg.group;
# Allows access to drm devices for transcoding with hardware acceleration
SupplementaryGroups = [ "video" ];
StateDirectory = "jellyfin";
CacheDirectory = "jellyfin";
ExecStart = "${cfg.package}/bin/jellyfin --datadir '/var/lib/${StateDirectory}' --cachedir '/var/cache/${CacheDirectory}'";
Restart = "on-failure";
# Security options:
NoNewPrivileges = true;
AmbientCapabilities = "";
CapabilityBoundingSet = "";
# ProtectClock= adds DeviceAllow=char-rtc r
# DeviceAllow = [
# "char-drm r"
# "/dev/nvidia0 r"
# "/dev/nvidiactl r"
# "/dev/nvidia-uvm r"
# "/dev/nvidia-uvm-tools r"
# ];
# LockPersonality = true;
#
PrivateTmp = true;
# PrivateUsers = true;
#
# ProtectClock = true;
# ProtectControlGroups = true;
# ProtectHostname = true;
# ProtectKernelLogs = true;
# ProtectKernelModules = true;
# ProtectKernelTunables = true;
#
# RemoveIPC = true;
#
# RestrictNamespaces = true;
# # AF_NETLINK needed because Jellyfin monitors the network connection
# RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" ];
# RestrictRealtime = true;
# RestrictSUIDSGID = true;
#
# SystemCallArchitectures = "native";
# SystemCallErrorNumber = "EPERM";
# SystemCallFilter = [
# "@system-service"
# "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid"
# ];
};
};
users.users = mkIf (cfg.user == "jellyfin") {
jellyfin = {
group = cfg.group;
isSystemUser = true;
};
};
users.groups = mkIf (cfg.group == "jellyfin") {
jellyfin = {};
};
networking.firewall = mkIf cfg.openFirewall {
# from https://jellyfin.org/docs/general/networking/index.html
allowedTCPPorts = [ 8096 8920 ];
allowedUDPPorts = [ 1900 7359 ];
};
};
meta.maintainers = with lib.maintainers; [ minijackson ];
}
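Review bot: This file is a copy of the upstream `services/misc/jellyfin.nix` module (the host disables that one and imports this as `./modules/jellyfin.nix`) with most of the sandboxing directives commented out, yet nothing in it says where it came from or why, and `meta.maintainers` still attributes it to the upstream maintainer. A header comment such as `# Vendored from nixpkgs services/misc/jellyfin.nix; hardening trimmed for NVIDIA transcoding, revisit when upstream allows the nvidia device nodes` would record the intent, the maintainers line should go, and the comment should also say that upstream fixes to the unit will no longer reach this host because of the fork. Assuming the device nodes in the commented `DeviceAllow` list are the real blocker, the directives that do not touch device access can be restored without affecting transcoding, while anything that implies a `DeviceAllow` entry (`ProtectClock`, and per the systemd docs possibly `ProtectKernelLogs`) plus `DeviceAllow`, `SystemCallFilter`, `RestrictAddressFamilies` and `PrivateUsers` stay off until tested with hardware transcoding.
```nix
      serviceConfig = rec {
        # … unchanged: User, Group, SupplementaryGroups, StateDirectory, CacheDirectory, ExecStart, Restart …
        # Security options:
        NoNewPrivileges = true;
        AmbientCapabilities = "";
        CapabilityBoundingSet = "";
        # DeviceAllow, ProtectClock, ProtectKernelLogs, SystemCallFilter, RestrictAddressFamilies and
        # PrivateUsers are left out until hardware transcoding has been verified with them enabled.
        LockPersonality = true;
        PrivateTmp = true;
        ProtectControlGroups = true;
        ProtectHostname = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        RemoveIPC = true;
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
      };
```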


@ -28,6 +28,10 @@ rec {
angelino-wg = "10.3.0.13";
pepos_one-wg = "10.3.0.14";
pepos_two-wg = "10.3.0.15";
salvatore-wg = "10.3.0.16";
papa-wg = "10.3.0.17";
defy-wg = "10.3.0.18";
germano-wg = "10.3.0.19";
eleonora-wg = "10.3.0.100";
broccolino-wg = "10.3.0.200";
hotpottino-wg = "10.3.0.201";
@ -45,4 +49,7 @@ rec {
nzbgetdomain = "htnzb.giugl.io";
mediadomain = "media.giugl.io";
gitdomain = "git.giugl.io";
nextclouddomain = "cloud.giugl.io";
miniodomain = "s3.giugl.io";
clouddomain = "cloud.giugl.io";
}
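Review bot: `nextclouddomain` and `clouddomain` are two names for the same string `"cloud.giugl.io"`, and the new nextcloud.nix uses both — `hostName` and `extraTrustedDomains` take the first, while the nginx vhost and the `extraHosts` entries take the second. If either is ever edited alone, Nextcloud's trusted domain and the certificate/vhost silently stop agreeing, so define one in terms of the other in this `rec` set, `clouddomain = nextclouddomain;`, or drop `clouddomain` and use a single name in nextcloud.nix. One value per service is the pattern `miniodomain` already follows in the same hunk.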


@ -0,0 +1,50 @@
{pkgs, ...}:
with import ./network.nix;
{
services = {
mysql.enable = true;
mysql.package = pkgs.unstable.mysql80;
redis.enable = true;
nextcloud = {
enable = true;
hostName = "${nextclouddomain}";
https = true;
caching.redis = true;
autoUpdateApps.enable = true;
autoUpdateApps.startAt = "05:00:00";
logLevel = 1;
config = {
overwriteProtocol = "https";
dbtype = "mysql";
dbuser = "oc_giulio2";
dbhost = "localhost";
dbname = "nextcloud_final";
dbpassFile = "/secrets/nextcloud/dbpass.txt";
adminpassFile = "/secrets/nextcloud/adminpass.txt";
adminuser = "giulio";
extraTrustedDomains = ["${nextclouddomain}"];
};
};
};
systemd.services."nextcloud-setup" = {
requires = ["mysql.service"];
after = ["mysql.service"];
};
networking.extraHosts = ''
127.0.0.1 ${clouddomain}
${architect-lan} ${clouddomain}
${architect-wg} ${clouddomain}
'';
services.nginx.virtualHosts.${clouddomain} = {
forceSSL = true;
enableACME = true;
};
}
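Review bot: The database this points at (`dbuser = "oc_giulio2"`, `dbname = "nextcloud_final"`, password in `/secrets/nextcloud/dbpass.txt`) is not declared anywhere in the file, so the MySQL user and schema must already exist before `nextcloud-setup` runs and a fresh deploy of this host would stop at that step. Either declare them with `services.mysql.ensureDatabases`/`ensureUsers` (noting that `ensureUsers` grants socket-authenticated access, so the password behind `dbpassFile` would still be set once by hand) or add a comment on the `config` block, `# DB user/schema are provisioned manually; password lives in /secrets/nextcloud`, so the dependency is visible. Two style points: `hostName = "${nextclouddomain}"` and `extraTrustedDomains = ["${nextclouddomain}"]` interpolate a string into a string and can be plain `nextclouddomain`, and the `extraTrustedDomains` entry repeats `hostName`, which the module already places in the trusted list.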


@ -0,0 +1,153 @@
with import ./network.nix;
{
networking.wireguard = {
interfaces.${vpn-if} = {
listenPort = 1194;
ips = ["10.3.0.1/24"];
privateKeyFile = "/secrets/wireguard/server.key";
peers = [
{
# gAluminum
allowedIPs = [galuminum-wg];
publicKey = "pEEgSs7xmO0cfyvoQlU8lfwqdYM1ISgmPAunPtF+0xw=";
}
{
# OnePlus
allowedIPs = [oneplus-wg];
publicKey = "uOQUJo+AfhTAFq50Pt80rdX4PmO28WUARngE2AtwdXU=";
}
{
# iPad
allowedIPs = [ipad-wg];
publicKey = "DPpd+P/hV1XLuvdcrCRv1sgz8BeZt1y5D6VehNuhjSQ=";
}
{
# Manduria
allowedIPs = [manduria-wg];
publicKey = "wT38oXvDQ8g0hI+pAXQobOWf/Wott2zhwo8TLvXK400=";
}
{
# Antonio
allowedIPs = [antonio-wg];
publicKey = "SPndCvEzuLHtGAQV8u/4dfLlFHoPcXS3L98oFOwTljc=";
}
{
# Eleonora
allowedIPs = [eleonora-wg];
publicKey = "SL54f1ZeieFyn5X5UAPmypP10GV/c419O94vCzGHFhg=";
}
{
# padulino
allowedIPs = [padulino-wg];
publicKey = "sk2Wr2OesND9jcuP/8k7BirSpR4pNNbS9gBkbOxZxwg=";
}
{
# GBEAST
allowedIPs = [gbeast-wg];
publicKey = "XiK+wk+DErz0RmCWRxuaJN1cvdj+3DoiU6tcR+uZfAI=";
}
{
# parisa-phone
allowedIPs = [parisaphone-wg];
publicKey = "t9EUnIkfr1b2HPlTXi17+AKMMe5VfeKq7exRVAwaai0=";
}
{
# parisa-pc
allowedIPs = [parisapc-wg];
publicKey = "b2QzZDTgGQbNXSCLYB4KUzq0/099pH2T8H5BckfNSTQ=";
}
{
# peppiniell
allowedIPs = [peppiniell-wg];
publicKey = "bzoW3Rx+7Un9hx/2opgBQJmmnZ/hgj1lQ2FnonCHjTc=";
}
{
# broccolino
allowedIPs = [broccolino-wg];
publicKey = "Ig97XCKYZvMperGlQgoKdqvw6VyNHf5+MvcimKEUs1Y=";
}
{
# hotpottino
allowedIPs = [hotpottino-wg];
publicKey = "YqtzTWqGBs2GwSPNO0aRSV4nvJDW3UHHt6fV4UC7vnU=";
}
{
# shield
allowedIPs = [shield-wg];
publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs=";
}
{
# angelino
allowedIPs = [angelino-wg];
publicKey = "MhY4d824LuKPltQHfaUbtWGiQz4XsfqCRAx0n1FDaiY=";
}
{
# pepos_one
allowedIPs = [pepos_one-wg];
publicKey = "HcIqulGahsHJeuq6zAt5EJieWhDSKX4tFlUOEr2U1gA=";
}
{
# pepos_two
allowedIPs = [pepos_two-wg];
publicKey = "mb1VaMLML5J24oCMBuhqvBrT6S4tAqWERn30z+h/LwM=";
}
{
# salvatore
allowedIPs = [salvatore-wg];
publicKey = "fhlnBHeMyHZKLUCTSA9kmkKoM5x/qzz/rnCJrUh3Gzs=";
}
{
# papa
allowedIPs = [papa-wg];
publicKey = "oGHygt02Oni3IFbScKD0NVEfHKCp6bpw68aq5g4RrAA=";
}
{
# defy
allowedIPs = [defy-wg];
publicKey = "wEkDNap9/qmkGd0a0PN8ANHgXgxwp+ZdmDW1CmIl4kM=";
}
{
# germano
allowedIPs = [germano-wg];
publicKey = "gi4o+pZWKItzVs7vY8fvXh98jX6CNeCwc1YDzhc3mA4=";
}
];
};
};
}
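Review bot: Each of the twenty-one peer entries repeats the same shape — a comment naming the peer, a lookup of `<name>-wg` from network.nix, and a public key — so the comment, the attribute name and the key can drift apart independently, and the comments already use spellings (`gAluminum`, `parisa-phone`, `GBEAST`) that do not match the attribute names they stand beside. Keeping one attribute set of `name = publicKey` and deriving the peer list from it ties each key to exactly one address and turns adding a peer into one line here plus one in network.nix. `allowedIPs` staying a single host address per peer is what makes the firewall's per-group source matching trustworthy, so that part should not change.
```nix
{ lib, ... }:
let
  net = import ./network.nix;
  # attribute name in network.nix (without the -wg suffix) -> WireGuard public key
  peerKeys = {
    galuminum = "pEEgSs7xmO0cfyvoQlU8lfwqdYM1ISgmPAunPtF+0xw=";
    oneplus = "uOQUJo+AfhTAFq50Pt80rdX4PmO28WUARngE2AtwdXU=";
    # … remaining peers, one `name = key;` line each …
  };
in
{
  networking.wireguard.interfaces.${net.vpn-if} = {
    # … unchanged: listenPort, ips, privateKeyFile …
    peers = lib.mapAttrsToList (name: key: {
      allowedIPs = [ net."${name}-wg" ];
      publicKey = key;
    }) peerKeys;
  };
}
```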


@ -93,11 +93,5 @@ in {
system.stateVersion = "21.05"; # Did you read the comment?
security.pam.services.gdm.enableGnomeKeyring = true;
fileSystems."/tmp" = {
device = "tmpfs";
fsType = "tmpfs";
options = ["size=2G"];
};
}


@ -1,8 +1,6 @@
{config, pkgs, ...}:
{config, pkgs, home-manager, ...}:
{
imports = [ <home-manager/nixos> ];
users.users = {
giulio = {
description = "Giulio De Pasquale";
@ -21,13 +19,13 @@
enableCompletion = true;
};
home-manager.users.root = {
imports = [ ./home/zsh.nix ./home/code.nix ];
};
home-manager.users.giulio = {
imports = [ ./home ];
};
# home-manager.users.root = {
# imports = [ ./home/zsh.nix ./home/code.nix ];
# };
#
# home-manager.users.giulio = {
# imports = [ ./home ];
# };
fileSystems."/home/giulio/Downloads" = {
device = "tmpfs";