Move more services to defiant. Remove sarek.

2023-12-25 01:37:05 +01:00
committed by Felix Albrigtsen
parent b19fd41233
commit 5d10f85c18
17 changed files with 212 additions and 277 deletions


@@ -10,6 +10,9 @@
./services/postgresql.nix
./services/nginx.nix
./services/matrix-synapse.nix
./services/flame.nix
./services/hedgedoc.nix
./services/pihole.nix
];
networking = {


@@ -4,26 +4,29 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/45ceae6b-cf6d-42d6-9694-d14c1d42b49f";
fsType = "ext4";
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/45ceae6b-cf6d-42d6-9694-d14c1d42b49f";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/DDDC-5C0C";
fsType = "vfat";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/DDDC-5C0C";
fsType = "vfat";
};
swapDevices = [ ];
swapDevices = [ {
device = "/swapfile";
size = 8*1024;
} ];
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
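Review bot: The new `swapDevices` entry creates a plain, unencrypted `/swapfile` on the root ext4 filesystem, so whatever this host holds in memory — sops-decrypted secrets, HedgeDoc's session and OAuth2 secrets, Postgres buffers — can be paged to disk in cleartext; nothing in this file shows the root filesystem itself being encrypted (it is mounted by UUID as plain ext4). Unless the disk is encrypted below what is visible here, consider `randomEncryption.enable = true;` on the swap entry (a fresh key each boot, which is fine for a server that never hibernates), provided the release in use supports it for file-backed swap, or put swap on an encrypted partition. Either way a one-line comment stating the decision would help the next reader.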


@@ -0,0 +1,22 @@
{ config, pkgs, lib, ... }:
let
domain = "flame.home.feal.no";
host = "127.0.1.2";
port = "5005";
in {
# Flame - Homelab dashboard/linktree
virtualisation.oci-containers.containers = {
flame = {
image = "pawelmalak/flame";
ports = [ "${host}:${port}:5005" ];
volumes = [
"/var/lib/flame/data:/app/data/"
];
};
};
services.nginx.virtualHosts."${domain}" = {
locations."/".proxyPass = "http://${host}:${port}";
};
}
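Review bot: `image = "pawelmalak/flame"` carries no tag or digest, so every container (re)start pulls whatever `latest` currently resolves to on Docker Hub — the deployment is not reproducible and a changed or compromised upstream image lands on the host unreviewed. Pin it to the image you actually tested, e.g. `image = "pawelmalak/flame:<version>@sha256:<digest>";`. As far as this hunk shows, the `flame.home.feal.no` vhost also inherits nginx's default listener and puts no authentication in front of the dashboard, so Flame's own login is the only protection for the links and any credentials stored under `/var/lib/flame/data`; that may be acceptable on the LAN, but a comment saying so would make the choice explicit.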


@@ -0,0 +1,117 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.hedgedoc.settings;
domain = "md.feal.no";
port = 3300;
host = "127.0.1.2";
authServerUrl = "https://auth.feal.no";
in {
# Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
sops.secrets."hedgedoc/env" = {
restartUnits = [ "hedgedoc.service" ];
};
services.hedgedoc = {
enable = true;
environmentFile = config.sops.secrets."hedgedoc/env".path;
settings = {
inherit domain port host;
protocolUseSSL = true;
sessionSecret = "$CMD_SESSION_SECRET";
allowFreeURL = true;
allowAnonymous = false;
allowAnonymousEdits = true; # Allow anonymous edits with the "freely" permission
# dbURL = "postgres://hedgedoc@localhost/hedgedoc";
db = {
username = "hedgedoc";
database = "hedgedoc";
host = "/run/postgresql";
dialect = "postgresql";
};
email = false;
oauth2 = {
baseURL = "${authServerUrl}/oauth2";
tokenURL = "${authServerUrl}/oauth2/token";
authorizationURL = "${authServerUrl}/ui/oauth2";
userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";
clientID = "hedgedoc";
clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
scope = "openid email profile";
userProfileUsernameAttr = "name";
userProfileEmailAttr = "email";
userProfileDisplayNameAttr = "displayname";
providerName = "KaniDM";
};
};
};
systemd.services.hedgedoc = {
requires = [
"postgresql.service"
# "kanidm.service"
];
serviceConfig = let
workDir = "/var/lib/hedgedoc";
in {
WorkingDirectory = lib.mkForce workDir;
StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];
# Better safe than sorry :)
CapabilityBoundingSet = "";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
ReadWritePaths = [ workDir ];
RemoveIPC = true;
RestrictSUIDSGID = true;
UMask = "0007";
RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
SystemCallArchitectures = "native";
# SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
};
};
services.postgresql = {
ensureDatabases = [ "hedgedoc" ];
ensureUsers = [{
name = "hedgedoc";
ensureDBOwnership = true;
}];
};
services.nginx.virtualHosts."${domain}" = {
listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; }
{ addr = "192.168.10.175"; port = 43080; ssl = false; }
];
enableACME = true;
forceSSL = true;
locations = {
"/" = {
proxyPass = "http://${host}:${toString port}";
};
"/socket.io" = {
proxyPass = "http://${host}:${toString port}";
proxyWebsockets = true;
};
};
};
}
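Review bot: `systemd.services.hedgedoc.requires = [ "postgresql.service" ]` binds the unit to Postgres but does not order it, so on boot HedgeDoc can be started before the `/run/postgresql` socket exists and fail its first connection; add `after = [ "postgresql.service" ];` next to `requires`. Separately, `RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ]` is a single string element rather than three — it happens to work because systemd splits the value on spaces, but `[ "AF_UNIX" "AF_INET" "AF_INET6" ]` is the form the other list-typed settings use and does not depend on that serialization detail. Moving the bind address from `0.0.0.0` plus an opened firewall port to `127.0.1.2` behind nginx is the right direction; it would be worth a comment on `host` noting that nginx is the only intended entry point so nobody re-widens it later.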


@@ -12,7 +12,7 @@
defaultListen = [
{
addr = "192.168.10.175";
port = "80";
port = 80;
ssl = false;
}
];
@@ -27,4 +27,22 @@
acceptTerms = true;
defaults.email = "felix@albrigtsen.it";
};
# Publicly exposed services:
services.nginx.virtualHosts = let
publicProxy = upstream: {
listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; }
{ addr = "192.168.10.175"; port = 43080; ssl = false; }
];
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "${upstream}";
};
in {
"jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/";
# "wiki.wackattack.eu" = publicProxy "http://pascal.wackattack.home.feal.no/";
};
}
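Review bot: The public listener pair (`192.168.10.175:43443` with TLS, `:43080` plain) together with `enableACME`/`forceSSL` is now spelled out twice — in `publicProxy` here and again verbatim in the hedgedoc vhost — so a change to the exposed ports or TLS policy has to be repeated in two files; promoting the listen list (or `publicProxy` itself) to a shared value the other module can reuse would keep the "publicly exposed" surface defined in one place. Two things this hunk cannot show but that the setup depends on: the HTTP-01 challenge for `enableACME` only succeeds if public port 80 is forwarded to `43080`, and Jellyfin's web client uses a websocket for live updates, so `jf.feal.no` may want `proxyWebsockets = true;` in `publicProxy` unless that feature is knowingly unused. A short comment above `publicProxy` stating the port-forward assumption would document the exposure boundary.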


@@ -0,0 +1,30 @@
{ config, pkgs, lib, ... }:
let
domain = "pihole.home.feal.no";
dnsHost = "192.168.10.175";
webuiListen = "127.0.1.2:5053";
in {
# Flame - Homelab dashboard/linktree
virtualisation.oci-containers.containers = {
pihole = {
image = "pihole/pihole";
ports = [
"${dnsHost}:53:53/tcp"
"${dnsHost}:53:53/udp"
"${webuiListen}:80"
];
environment.TZ = "Europe/Oslo";
volumes = [
"/var/lib/pihole/etc:/etc/pihole"
"/var/lib/pihole/dnsmasq:/etc/dnsmasq.d"
];
};
};
services.nginx.virtualHosts."${domain}" = {
locations."/".proxyPass = "http://${webuiListen}";
};
}
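Review bot: The header comment `# Flame - Homelab dashboard/linktree` was copied from flame.nix and describes the wrong service; it should read something like `# Pi-hole - LAN DNS sinkhole; DNS on ${dnsHost}:53, admin UI proxied by nginx`. `image = "pihole/pihole"` is unpinned like flame's, and this container sits in the LAN's DNS path, so an unreviewed upstream change takes effect on every client's resolution — pin tag and digest. No `WEBPASSWORD` is set; as far as I recall the image then generates a random admin password on first start and prints it to the container log, which is worth either stating in a comment or replacing with a sops-provided environment file as hedgedoc does. Also, if the oci-containers backend on defiant is docker as it was on sarek, the published 53/tcp+udp ports are opened by docker's own iptables rules and bypass `networking.firewall`, so the NixOS firewall should not be relied on to gate the resolver.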


@@ -6,12 +6,11 @@
};
services.postgresqlBackup = {
enable = true;
# enable = true;
location = "/data/backup/postgresql/";
startAt = "*-*-* 03:15:00";
backupAll = true;
};
environment.systemPackages = [ config.services.postgresql.package ];
}
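Review bot: Commenting out `enable = true;` leaves `services.postgresqlBackup` at its default of disabled, so `location`, `startAt` and `backupAll` become dead settings and the database this commit moves onto this host (hedgedoc's, via the local `/run/postgresql` socket) no longer gets the nightly dump. Nothing fails at build or run time when backups silently stop, so if this is a deliberate pause — e.g. `/data/backup` not yet mounted on defiant — record it as `# disabled until /data/backup is mounted on defiant`, otherwise restore `enable = true;`.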


@@ -1,54 +0,0 @@
{ config, pkgs, lib, modulesPath, ... }:
{
imports =
[
(modulesPath + "/virtualisation/proxmox-lxc.nix")
../../base.nix
../../common/metrics-exporters.nix
./services/flame.nix
./services/hedgedoc.nix
./services/nginx.nix
./services/postgresql.nix
];
# Boot and console is handled by proxmoxLXC.
boot.loader.systemd-boot.enable = lib.mkForce false; # Enabled in base.nix, forced off here.
# Override proxmox networking
proxmoxLXC.manageNetwork = true;
networking = {
hostName = "sarek";
defaultGateway = "192.168.10.1";
interfaces."eth0".ipv4 = {
addresses = [
{ address = "192.168.10.181"; prefixLength = 24; }
];
};
hostId = "15dd36bc";
};
sops.defaultSopsFile = ../../secrets/sarek/sarek.yaml;
virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker";
# Undo https://github.com/NixOS/nixpkgs/commit/59e37267556eb917146ca3110ab7c96905b9ffbd to work on unprivileged LXC containers
system.activationScripts.var = lib.mkForce ''
# Various log/runtime directories.
mkdir -p /var/tmp
chmod 1777 /var/tmp
# Empty, immutable home directory of many system accounts.
mkdir -p /var/empty
# Make sure it's really empty
${pkgs.e2fsprogs}/bin/chattr -f -i /var/empty || true
find /var/empty -mindepth 1 -delete
chmod 0555 /var/empty
chown root:root /var/empty
${pkgs.e2fsprogs}/bin/chattr -f +i /var/empty || true
'';
systemd.tmpfiles.rules = lib.mkForce [];
system.stateVersion = "23.05";
}


@@ -1,20 +0,0 @@
{ pkgs, lib, ... }:
{
home.packages = with pkgs; [
bat
bottom
ncdu
neofetch
nix-index
];
imports = [
./../../home/base.nix
];
programs = {
zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
};
home.stateVersion = "23.05";
}


@@ -1,24 +0,0 @@
{ config, pkgs, lib, ... }:
let
domain = "flame.home.feal.no";
host = "127.0.1.2";
port = "5005";
in {
# Flame - Homelab dashboard/linktree
virtualisation.oci-containers.containers = {
flame = {
image = "pawelmalak/flame";
ports = [ "${host}:${port}:5005" ];
volumes = [
"/var/lib/flame/data:/app/data/"
];
};
};
services.nginx.virtualHosts."${domain}" = {
locations."/" = {
proxyPass = "http://${host}:${port}";
};
};
}


@@ -1,94 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.hedgedoc.settings;
domain = "md.feal.no";
port = 3300;
host = "0.0.0.0";
authServerUrl = "https://auth.feal.no";
in {
# Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
sops.secrets."hedgedoc/env" = {
restartUnits = [ "hedgedoc.service" ];
};
services.hedgedoc = {
enable = true;
environmentFile = config.sops.secrets."hedgedoc/env".path;
settings = {
inherit domain port host;
protocolUseSSL = true;
sessionSecret = "$CMD_SESSION_SECRET";
allowFreeURL = true;
allowAnonymous = false;
allowAnonymousEdits = true; # Allow anonymous edits with the "freely" permission
dbURL = "postgres://hedgedoc:@localhost/hedgedoc";
email = false;
oauth2 = {
baseURL = "${authServerUrl}/oauth2";
tokenURL = "${authServerUrl}/oauth2/token";
authorizationURL = "${authServerUrl}/ui/oauth2";
userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";
clientID = "hedgedoc";
clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
scope = "openid email profile";
userProfileUsernameAttr = "name";
userProfileEmailAttr = "email";
userProfileDisplayNameAttr = "displayname";
providerName = "KaniDM";
};
};
};
systemd.services.hedgedoc = {
requires = [
"postgresql.service"
# "kanidm.service"
];
serviceConfig = let
workDir = "/var/lib/hedgedoc";
in {
WorkingDirectory = lib.mkForce workDir;
StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];
# Better safe than sorry :)
CapabilityBoundingSet = "";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
ReadWritePaths = [ workDir ];
RemoveIPC = true;
RestrictSUIDSGID = true;
UMask = "0007";
RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
SystemCallArchitectures = "native";
# SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
};
};
networking.firewall.allowedTCPPorts = [ port ];
services.postgresql = {
ensureDatabases = [ "hedgedoc" ];
ensureUsers = [{
name = "hedgedoc";
ensureDBOwnership = true;
}];
};
}


@@ -1,19 +0,0 @@
{ config, values, ... }:
{
services.nginx = {
enable = true;
enableReload = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
/* security.acme = { */
/* acceptTerms = true; */
/* email = "felix@albrigtsen.it"; */
/* }; */
}


@@ -1,22 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.postgresql = {
enable = true;
enableTCPIP = true; # Expose on the network
authentication = pkgs.lib.mkOverride 10 ''
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
'';
};
services.postgresqlBackup = {
enable = true;
location = "/backup/postgresql/";
startAt = "*-*-* 03:15:00";
backupAll = true;
};
environment.systemPackages = [ config.services.postgresql.package ];
}


@@ -34,7 +34,7 @@
sshKey = "/var/root/.ssh/nix-builder";
}
{
hostName = "sarek.home.feal.no";
hostName = "defiant.home.feal.no";
system = "x86_64-linux";
maxJobs = 6;