Add Rupert’s configuration

fruchti 2023-02-26 16:42:49 +01:00
commit 2b4264d32d
31 changed files with 1742 additions and 0 deletions

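--- a/hosts/Rupert.nix
+++ b/hosts/Rupert.nix
@@ -0,0 +1,119 @@
+{ config, lib, pkgs, ... }:
+let
+definedInPersonalDotNix = lib.mkDefault (throw "Configuration option missing from personal.nix");
+in
+{
+imports = [
+./nextcloud.nix
+./dyndns.nix
+./adguard.nix
+./mpd.nix
+./burp-server.nix
+./hedgedoc.nix
+./transcode.nix
+./development.nix
+./bspwm.nix
+# ./open-pgsql.nix
+];
+users.users = {
+waldi = {
+isNormalUser = true;
+extraGroups = [ "audio" ];
+shell = pkgs.fish;
+openssh.authorizedKeys.keys = definedInPersonalDotNix;
+};
+};
+users.extraGroups = {
+pulse-access = {
+members = [ "waldi" "fruchti" ];
+};
+music = {
+members = [ "fruchti" ];
+};
+};
+environment.systemPackages = with pkgs; [
+ntfsprogs
+texlive.combined.scheme-full
+ncmpcpp
+];
+services.burp.client = {
+enable = true;
+password = config.services.burp.server.clients."${config.networking.hostName}".password;
+};
+# Flatpak
+services.flatpak.enable = true;
+xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
+xdg.portal.enable = true;
+hardware.bluetooth = {
+enable = true;
+};
+# Some programs need SUID wrappers, can be configured further or are
+# started in user sessions.
+# programs.mtr.enable = true;
+programs.gnupg.agent = {
+enable = true;
+enableSSHSupport = true;
+};
+# List services that you want to enable:
+# Enable the OpenSSH daemon.
+services.openssh = {
+enable = true;
+forwardX11 = true;
+passwordAuthentication = false;
+};
+services.avahi.enable = true;
+networking.firewall.allowedTCPPorts = [
+22
+1935 # RTMP
+4971 # BURP
+];
+# Copy the NixOS configuration file and link it from the resulting system
+# (/run/current-system/configuration.nix). This is useful in case you
+# accidentally delete configuration.nix.
+# system.copySystemConfiguration = true;
+system.autoUpgrade.enable = true;
+system.autoUpgrade.allowReboot = false;
+system.autoUpgrade.sendEmail = true;
+# systemd.services.nixos-upgrade.onFailure = lib.mkIf config.system.autoUpgrade.enable [ "status-email@%n.service" ];
+nix.gc = {
+automatic = true;
+dates = "weekly";
+options = "--delete-older-than 30d";
+};
+services.btrfsScrub = {
+enable = true;
+paths = {
+"/" = {
+onCalendar = "*-*-* 02:00:00";
+};
+"/data" = {
+onCalendar = "Thu *-*-* 02:00:00";
+};
+};
+};
+security.acme = {
+defaults = {
+email = config.email.adminEmail;
+};
+acceptTerms = true;
+};
+services.udev.extraRules = ''
+SUBSYSTEM=="video4linux", ATTRS{idProduct}=="0002", ATTRS{idVendor}=="1d6b", SYMLINK+="hdmi_capture"
+'';
+}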
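Review bot: The burp client secret on `password = config.services.burp.server.clients."${config.networking.hostName}".password;` is a plain Nix string, and the same holds for `sslKeyPassword` and every `clients.<name>.password` in hosts/burp-server.nix; whatever the burp module renders from these values presumably lands in the world-readable Nix store, so the `definedInPersonalDotNix` indirection keeps the secret out of the repository but not off the host. If the module offers a file-based option, the `passwordFile = "/secrets/..."` shape already used in hosts/dyndns.nix and `adminpassFile` in hosts/nextcloud.nix is the safer one; if it does not, a comment next to the assignment should say that store exposure is accepted. Separately, `22` in `networking.firewall.allowedTCPPorts` duplicates what `services.openssh` opens by default, and `forwardX11 = true;` deserves a comment on why a headless-capable server needs X11 forwarding.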

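--- a/hosts/adguard.nix
+++ b/hosts/adguard.nix
@@ -0,0 +1,28 @@
+{ config, pkgs, ... }:
+{
+services.adguardhome = {
+enable = true;
+};
+services.nginx = {
+enable = true;
+virtualHosts = {
+"ad.guard" = {
+listenAddresses = [ "0.0.0.0" "[::]" ];
+locations."/" = {
+proxyPass = "http://localhost:5380";
+};
+};
+};
+};
+networking.firewall.allowedUDPPorts = [ 53 67 68 ];
+# Capabilities for DHCP server
+systemd.services.adguardhome.serviceConfig.AmbientCapabilities = [ "CAP_NET_RAW" ];
+systemd.services."adguardhome" = {
+# requires = ["dhcpcd.service"];
+after = ["dhcpcd.service"];
+};
+}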
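Review bot: Only UDP 53 is opened on `networking.firewall.allowedUDPPorts = [ 53 67 68 ];`, so LAN resolvers that retry over TCP after a truncated answer (large or DNSSEC-signed responses) will be refused; add `networking.firewall.allowedTCPPorts = [ 53 ];`. The `ad.guard` vhost proxies the AdGuard Home admin UI over plain HTTP on every address, so its login travels in clear text across the LAN; if that is an accepted trade-off a comment should say so, otherwise restricting `listenAddresses` to the LAN interface address or keeping the UI on localhost would close it. The two `systemd.services.adguardhome` definitions could be merged into one attribute set so the capability and ordering live together.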

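--- a/hosts/bspwm.nix
+++ b/hosts/bspwm.nix
@@ -0,0 +1,22 @@
+{ config, pkgs, ... }:
+{
+services.xserver = {
+enable = true;
+windowManager.bspwm.enable = true;
+displayManager = {
+defaultSession = "none+bspwm";
+lightdm.enable = true;
+autoLogin.enable = true;
+autoLogin.user = "waldi";
+};
+};
+services.unclutter-xfixes = {
+enable = true;
+};
+environment.systemPackages = with pkgs; [
+rofi
+ranger
+];
+}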
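Review bot: `autoLogin.enable = true;` with `autoLogin.user = "waldi";` gives anyone at the console an unlocked session with no password prompt on a host that also runs backups, a Nextcloud instance and a database; that can be a deliberate trade-off for a media box, but the file does not say so. A one-line comment above the block, e.g. `# Auto-login is intentional: HTPC in a trusted room; waldi is unprivileged (no wheel)` (adjusted to what is actually true), records the decision and makes it easy to revisit when the host's role changes.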

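--- a/hosts/burp-server.nix
+++ b/hosts/burp-server.nix
@@ -0,0 +1,38 @@
+{ config, lib, ... }:
+let
+definedInPersonalDotNix = lib.mkDefault (throw "Configuration option missing from personal.nix");
+in
+{
+services.burp.server = {
+enable = true;
+dataDirectory = "/data/burp";
+sslKeyPassword = definedInPersonalDotNix;
+workingDirRecoveryMethod = "resume";
+maxResumeAttempts = 3;
+keep = [ 14 4 6 2 ];
+clients = {
+${config.networking.hostName} = {
+password = definedInPersonalDotNix;
+};
+Pullach = {
+password = definedInPersonalDotNix;
+};
+Disco = {
+password = definedInPersonalDotNix;
+};
+Berthold = {
+password = definedInPersonalDotNix;
+};
+Ernesto = {
+password = definedInPersonalDotNix;
+};
+};
+superClients = [
+config.networking.hostName
+];
+timerArgs = [
+"20h"
+"Mon,Tue,Wed,Thu,Fri,Sat,Sun,00,01,02,03,04,05,06,07,08,17,18,19,20,21,22,23"
+];
+};
+}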
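Review bot: The retention policy `keep = [ 14 4 6 2 ];` carries no explanation, and burp's successive keep values compound (each later tier counts backups of the previous tier, not days), so the intended coverage cannot be read off the numbers. A comment stating the intended outcome, e.g. `# ~daily backups: keep 14, then every 14th x4, every 56th x6, every 336th x2 (verify against burp's keep semantics)`, makes the schedule reviewable alongside the `timerArgs` window that drives it. `superClients = [ config.networking.hostName ];` likewise merits a line saying that the server host may restore any client's data, since that is the privilege the setting grants.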

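--- a/hosts/development.nix
+++ b/hosts/development.nix
@@ -0,0 +1,14 @@
+{ config, pkgs, ... }:
+{
+environment.systemPackages = with pkgs; [
+picocom
+usbutils # lsusb etc.
+binwalk
+];
+users.extraGroups = {
+plugdev = {
+members = [ "fruchti" ];
+};
+};
+}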

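--- a/hosts/dyndns.nix
+++ b/hosts/dyndns.nix
@@ -0,0 +1,54 @@
+{ config, pkgs, lib, ... }:
+let
+definedInPersonalDotNix = lib.mkDefault (throw "Configuration option missing from personal.nix");
+getipv6 = pkgs.writeText "getipv6.sh" ''
+${pkgs.nettools}/bin/ifconfig enp3s0 | sed -n -E 's/^\ *inet6 (2001(:[0-9a-f]+)+)\ .*$/\1/p'
+'';
+in
+{
+networking.tempAddresses = "disabled";
+# networking.interfaces.enp3s0 = {
+# tempAddress = "disabled";
+# ipv4.addresses = [{
+# address = "192.168.178.43";
+# prefixLength = 24;
+# }];
+# };
+networking.defaultGateway = "192.168.178.1";
+networking.nameservers = [ "9.9.9.9" "8.8.8.8" ];
+networking.dhcpcd = {
+enable = true;
+persistent = true;
+extraConfig = ''
+duid
+vendorclassid
+slaac hwaddr
+noipv4ll
+#ia_pd 1 internal
+interface enp3s0
+static ip_address=192.168.178.43/24
+static routers=192.168.178.1
+static domain_name_servers=192.168.178.1 8.8.8.8
+ia_pd
+'';
+};
+services.ddclient = {
+enable = true;
+verbose = true;
+use = "cmd, cmd='${pkgs.bash}/bin/bash ${getipv6}'";
+domains = [
+((lib.toLower config.networking.hostName) + ".gvfr.de")
+];
+ipv6 = true;
+server = definedInPersonalDotNix;
+username = definedInPersonalDotNix;
+passwordFile = "/secrets/dyndns_password_${config.services.ddclient.username}.txt";
+extraConfig = ''
+wildcard=no
+'';
+};
+}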
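Review bot: The address filter in `getipv6`, `sed -n -E 's/^\ *inet6 (2001(:[0-9a-f]+)+)\ .*$/\1/p'`, only matches addresses beginning with `2001`, so an ISP prefix change to any other global range silently yields an empty string and ddclient keeps running with nothing valid to publish instead of failing loudly. Selecting the interface's non-temporary global address is more robust and drops the legacy `nettools`, e.g. `${pkgs.iproute2}/bin/ip -6 addr show dev enp3s0 scope global -temporary | sed -n -E 's/^ *inet6 ([0-9a-f:]+)\/.*$/\1/p' | head -n1`. The interface name `enp3s0` appears in both this script and the dhcpcd block; a single `let` binding keeps them in step. `networking.nameservers` (9.9.9.9, 8.8.8.8) and the dhcpcd `static domain_name_servers` (router, 8.8.8.8) disagree, which is worth a comment on which one is expected to win.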

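--- a/hosts/hedgedoc.nix
+++ b/hosts/hedgedoc.nix
@@ -0,0 +1,79 @@
+{ config, lib, pkgs, ... }:
+let
+domain = "md.gvfr.de";
+in
+{
+services.hedgedoc = {
+enable = true;
+workDir = "/data/hedgedoc";
+settings = {
+port = 7000;
+domain = domain;
+protocolUseSSL = true;
+uploadsPath = "/data/hedgedoc/uploads";
+allowGravatar = false;
+db = {
+dialect = "postgres";
+host = "/run/postgresql";
+username = "hedgedoc";
+database = "hedgedoc";
+};
+allowAnonymous = false;
+allowAnonymousEdits = true;
+csp = {
+enable = true;
+directives = {
+scriptSrc = "gvfr.de";
+};
+upgradeInsecureRequest = "auto";
+addDefaults = true;
+};
+allowEmailRegister = false;
+};
+};
+services.postgresql = {
+enable = true;
+ensureUsers = [
+{
+name = "hedgedoc";
+ensurePermissions = {
+"DATABASE hedgedoc" = "ALL PRIVILEGES";
+};
+}
+];
+ensureDatabases = [ "hedgedoc" ];
+};
+services.nginx = {
+enable = true;
+virtualHosts.${domain} = {
+listenAddresses = [ "0.0.0.0" "[::]" ];
+forceSSL = true;
+enableACME = true;
+locations = {
+"/" = {
+proxyPass = "http://localhost:7000";
+extraConfig = ''
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+'';
+};
+"/socket.io/" = {
+proxyPass = "http://localhost:7000";
+extraConfig = ''
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;
+'';
+};
+};
+};
+};
+}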
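Review bot: The `/socket.io/` location hand-writes the WebSocket upgrade headers; the NixOS nginx module provides `proxyWebsockets = true;` for exactly this (it emits the `Upgrade`/`Connection $connection_upgrade` pair itself), and `recommendedProxySettings = true;` on `services.nginx` covers the `Host`/`X-Real-IP`/`X-Forwarded-*` lines in both locations, so each `extraConfig` block collapses to `proxyPass` plus one flag. With `allowAnonymous = false;`, `allowEmailRegister = false;` and no login provider in this file, nobody can authenticate unless an OAuth/LDAP block lives elsewhere — if it does, a pointer comment here would help the next reader. `scriptSrc = "gvfr.de";` as the only explicit CSP script source is unusual given the app is served from `md.gvfr.de`, so it is worth confirming that `addDefaults = true` supplies `'self'` and noting that in a comment.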

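--- a/hosts/mpd.nix
+++ b/hosts/mpd.nix
@@ -0,0 +1,63 @@
+{ config, pkgs, ... }:
+let
+httpStreamPort = 8000;
+in
+{
+services.mpd = {
+enable = true;
+musicDirectory = "/data/music/flac";
+playlistDirectory = "/data/music/playlists";
+network.listenAddress = "any";
+extraConfig = ''
+audio_output {
+type "pulse"
+name "Local Music Player Daemon"
+server "127.0.0.1"
+mixer_type "software"
+}
+audio_output {
+type "fifo"
+name "fft"
+path "/tmp/mpd.fifo"
+format "44100:16:2"
+}
+audio_output {
+type "httpd"
+name "HTTP-Stream (Port 8000)"
+encoder "vorbis" # optional
+bind_to_address "0.0.0.0"
+port "${toString httpStreamPort}"
+# quality "5.0" # do not define if bitrate is defined
+bitrate "128" # do not define if quality is defined
+format "48000:16:1"
+always_on "yes" # prevent MPD from disconnecting all listeners when playback is stopped.
+tags "yes" # httpd supports sending tags to listening streams.
+}
+'';
+};
+hardware.pulseaudio = {
+enable = true;
+systemWide = true;
+tcp.enable = true;
+tcp.anonymousClients.allowedIpRanges = [ "127.0.0.1" ];
+};
+users.extraGroups.pulse-access = {
+members = [ "mpd" ];
+};
+# users.extraGroups.music = {
+# members = [ "mpd" ];
+# };
+# Workaround https://github.com/NixOS/nixpkgs/issues/114399
+system.activationScripts.fix-pulse-permissions = ''
+chmod 755 /run/pulse
+'';
+environment.systemPackages = with pkgs; [ mpc-cli ];
+networking.firewall.allowedTCPPorts = [ config.services.mpd.network.port httpStreamPort ];
+}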
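Review bot: `network.listenAddress = "any";` together with `config.services.mpd.network.port` in `networking.firewall.allowedTCPPorts` exposes the MPD control socket to every host the firewall admits, and MPD grants full control (play, queue, playlist edits, database `update`) to unauthenticated clients. Either keep only `httpStreamPort` in the firewall list if remote control is not needed, or add a `password "<secret>@read,add,control,admin"` line to `extraConfig`, keeping the secret out of the Nix store (an `include_optional` of a file under `/secrets`, if the MPD version in use supports it). The name `"HTTP-Stream (Port 8000)"` hard-codes the port that `httpStreamPort` is meant to own; interpolating it keeps the two from drifting. The `chmod 755 /run/pulse` workaround cites an upstream issue but not the NixOS release that resolves it, which is what a maintainer needs to know when to drop it.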

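--- a/hosts/nextcloud.nix
+++ b/hosts/nextcloud.nix
@@ -0,0 +1,62 @@
+{ config, lib, pkgs, ... }:
+let
+hostName = (lib.toLower config.networking.hostName) + ".gvfr.de";
+in
+{
+services.nextcloud = {
+enable = true;
+https = true;
+package = pkgs.nextcloud25;
+hostName = hostName;
+datadir = "/data/nextcloud";
+config = {
+dbtype = "pgsql";
+dbhost = "/run/postgresql";
+adminpassFile = "/secrets/nextcloud_admin_password.txt";
+extraTrustedDomains = [
+((lib.toLower config.networking.hostName) + ".lan")
+(lib.toLower config.networking.hostName)
+];
+};
+caching.redis = true;
+enableBrokenCiphersForSSE = false;
+};
+services.postgresql = {
+enable = true;
+ensureUsers = [
+{
+name = "nextcloud";
+ensurePermissions = {
+"DATABASE nextcloud" = "ALL PRIVILEGES";
+};
+}
+{
+name = "superuser";
+ensurePermissions = {
+"ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
+};
+}
+];
+ensureDatabases = [ "nextcloud" ];
+};
+# Ensure that postgres is running *before* running the setup
+systemd.services."nextcloud-setup" = {
+requires = ["postgresql.service"];
+after = ["postgresql.service"];
+};
+networking.firewall.allowedTCPPorts = [ 80 443 ];
+services.nginx = {
+virtualHosts.${hostName} = {
+forceSSL = true;
+enableACME = true;
+};
+};
+users.extraGroups.music = {
+members = [ "nextcloud" ];
+};
+}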
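Review bot: The `superuser` entry in `ensureUsers` grants `ALL PRIVILEGES` on `ALL TABLES IN SCHEMA public` but nothing says which database it targets or who connects as it; with peer auth on `/run/postgresql` the role is only usable by a matching system user, and the NixOS `ensurePermissions` runner most likely issues the GRANT against the default `postgres` database rather than `nextcloud`, so the grant may not do what the name suggests. Either document the purpose with a comment (e.g. `# superuser: peer-auth role for manual maintenance of the nextcloud DB; no password`) or drop the entry until it is needed — a broadly privileged, ownerless role is a liability on a host that also carries hosts/open-pgsql.nix. `ensurePermissions` is slated for deprecation upstream in favour of `ensureDBOwnership`, which is the forward path once the host moves to a release that has it.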

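--- a/hosts/open-pgsql.nix
+++ b/hosts/open-pgsql.nix
@@ -0,0 +1,11 @@
+{ ... }:
+{
+# Open PostgreSQL port for data transfer
+services.postgresql = {
+enableTCPIP = true;
+authentication = ''
+host all all 192.168.178.0/24 trust
+'';
+};
+networking.firewall.allowedTCPPorts = [ 5432 ];
+}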
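Review bot: `host all all 192.168.178.0/24 trust` lets any device on the LAN connect as any role — including the `postgres` superuser and the `nextcloud`/`hedgedoc` owners — with no password over an unencrypted TCP connection, and `networking.firewall.allowedTCPPorts = [ 5432 ];` makes that reachable; the file is only a commented-out import in hosts/Rupert.nix today, but it is one uncomment away from being live. Scope it to what the transfer needs, e.g. `hostssl nextcloud nextcloud 192.168.178.0/24 scram-sha-256` (one role, one database, a real credential, TLS — which needs the server's `ssl` setting and a certificate), or at least pin the source to the single peer's address instead of the whole /24. The header comment should also state that the file is meant to be imported only for the duration of the transfer and removed afterwards.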


@ -0,0 +1,42 @@
{ pkgs, lib, config, ... }:
{
systemd.services.reboot-check = {
description = "Check if the system needs a reboot";
onFailure = [ "status-email@%n.service" ];
serviceConfig = {
Type = "oneshot";
};
script = ''
#!${pkgs.bash}/bin/bash
booted="$(readlink /run/booted-system/{initrd,kernel,kernel-modules})"
built="$(readlink /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules})"
indent()
{
while read line ; do
echo " $line"
done <<< "$1"
}
if [ "$booted" != "$built" ] ; then
echo "Booted kernel version"
indent "$booted"
echo "does not match currently active"
indent "$built"
echo "A reboot is required."
exit 1
fi
'';
};
systemd.timers.reboot-check = {
wantedBy = [ "timers.target" ];
enable = true;
timerConfig = {
Unit = "reboot-check.service";
OnCalendar = "*-*-* 18:30:00";
Persistent = true;
};
};
}

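--- a/hosts/transcode.nix
+++ b/hosts/transcode.nix
@@ -0,0 +1,33 @@
+{ config, pkgs, ... }:
+let
+transcode = pkgs.callPackage ../packages/transcode.nix {};
+flacPath = "/data/music/flac";
+mp3Path = "/data/music/mp3";
+oggPath = "/data/music/ogg";
+in
+{
+systemd.services.transcode = {
+description = "Transcode music form FLAC to MP3 and OGG";
+onFailure = [ "status-email@%n.service" ];
+serviceConfig = {
+Type = "simple";
+ExecStart = "${transcode}/bin/transcode --mp3-out \"${mp3Path}\" --ogg-out \"${oggPath}\" \"${flacPath}\"";
+DynamicUser = true;
+Group = "music";
+UMask = "002";
+ReadOnlyDirectories = [ flacPath ];
+ReadWriteDirectories = [ mp3Path oggPath ];
+Nice = 19;
+NoNewPrivileges = true;
+PrivateTmp = true;
+PrivateDevices = true;
+PrivateUsers = true;
+ProtectClock = true;
+ProtectSystem = "strict";
+ProtectHome = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectProc = "invisible";
+};
+};
+}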
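Review bot: `ReadOnlyDirectories` and `ReadWriteDirectories` are the deprecated spellings; systemd.exec(5) names them `ReadOnlyPaths=` and `ReadWritePaths=`, and with `ProtectSystem = "strict"` this allow-list is exactly what keeps the job able to write, so it should use the current names before the aliases go away: `ReadOnlyPaths = [ flacPath ];` / `ReadWritePaths = [ mp3Path oggPath ];`. The unit is `Type = "simple"` with no timer in this commit, so it is unclear whether it runs once on activation or is triggered later; `Type = "oneshot"` is the conventional type for a run-to-completion job and lets `systemctl start` block until it finishes. The description has a typo: `"Transcode music form FLAC to MP3 and OGG"` → `from`.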