
No commits in common. "4adae24732830801155c9f8f166bdf4a31e45d63" and "5203e82efa8e9be48cb5f415b65384e1fc2d041b" have entirely different histories.

15 changed files with 44 additions and 89 deletions


@ -26,13 +26,13 @@ Other installed packages and tools are described in the config files (like ./hos
## Public / important services ## Public / important services
- Matrix ([source](./hosts/defiant/services/matrix/default.nix)) - Decentralized, encrypted chat - Contact me at @felixalb:feal.no - Matrix ([source](./hosts/defiant/services/matrix/default.nix)) - Decentralized, encrypted chat - Contact me at @felixalb:feal.no
- [Nextcloud](https://cloud.feal.no) ([source](./hosts/challenger/services/nextcloud.nix)) - Personal cloud services and "google replacements", including file hosting, notes, calendar and webmail - [Nextcloud](https://cloud.feal.no) ([source](./hosts/voyager/services/nextcloud.nix)) - Personal cloud services and "google replacements", including file hosting, notes, calendar and webmail
- [Gitea](https://git.feal.no) ([source](./hosts/defiant/services/gitea.nix)) - Software forge / git server - [Gitea](https://git.feal.no) ([source](./hosts/defiant/services/gitea.nix)) - Software forge / git server
- [Hedgedoc](https://md.feal.no) ([source](./hosts/defiant/services/hedgedoc.nix)) - Collaborative markdown notes editor - [Hedgedoc](https://md.feal.no) ([source](./hosts/defiant/services/hedgedoc.nix)) - Collaborative markdown notes editor
- HomeAssistant ([source](./hosts/defiant/services/home-assistant.nix))- Home automation / IOT controller - HomeAssistant ([source](./hosts/defiant/services/home-assistant.nix))- Home automation / IOT controller
- [VaultWarden](https://pw.feal.no) ([source](./hosts/defiant/services/vaultwarden.nix)) - BitWarden Password Manager backend - [VaultWarden](https://pw.feal.no) ([source](./hosts/defiant/services/vaultwarden.nix)) - BitWarden Password Manager backend
- [KeyCloak](https://iam.feal.no) ([source](./hosts/defiant/services/nextcloud.nix)) - Authentication provider, giving SSO with OIDC or SAML - [KeyCloak](https://iam.feal.no) ([source](./hosts/defiant/services/nextcloud.nix)) - Authentication provider, giving SSO with OIDC or SAML
- [Jellyfin](https://jf.feal.no) ([source](./hosts/challenger/services/jellyfin.nix)) - Local media streaming - [Jellyfin](https://jf.feal.no) ([source](./hosts/voyager/services/jellyfin.nix)) - Local media streaming
## Networking ## Networking


@ -1,38 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.borgbackup.jobs =
let
borgJob = name: {
environment.BORG_RSH = "ssh -i /root/.ssh/fealsyn1";
environment.BORG_REMOTE_PATH = "/usr/local/bin/borg";
repo = "ssh://backup@feal-syn1.home.feal.no/volume2/backup/borg/voyager/${name}";
compression = "auto,zstd";
};
in {
postgresDaily = borgJob "postgres::daily" // {
paths = "/var/backup/postgres";
startAt = "*-*-* 05:15:00"; # 2 hours after postgresqlBackup
extraInitArgs = "--storage-quota 10G";
encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
};
};
postgresWeekly = borgJob "postgres::weekly" // {
paths = "/var/backup/postgres";
startAt = "Mon *-*-* 05:15:00"; # 2 hours after postgresqlBackup
extraInitArgs = "--storage-quota 10G";
encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
};
};
# TODO: timemachine, nextcloud, komga, calibre
};
sops.secrets."borg/postgres" = { };
sops.secrets."borg/transmission" = { };
}


@ -1,23 +1,13 @@
{ config, pkgs, lib, ... }: { config, pkgs, ... }:
{ {
imports = imports =
[ [
./hardware-configuration.nix
../../base.nix ../../base.nix
../../common/metrics-exporters.nix ../../common/metrics-exporters.nix
./backup.nix ./hardware-configuration.nix
./exports.nix ./exports.nix
./filesystems.nix ./filesystems.nix
./services/calibre.nix
./services/jellyfin.nix
./services/komga.nix
./services/nextcloud.nix
./services/nginx.nix
./services/postgres.nix
./services/timemachine.nix
]; ];
networking = { networking = {
@ -42,14 +32,6 @@
virtualisation.docker.enable = true; virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker"; virtualisation.oci-containers.backend = "docker";
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"nvidia-x11"
"nvidia-settings"
];
hardware.nvidia.modesetting.enable = true;
hardware.opengl.enable = true;
services.xserver.videoDrivers = ["nvidia"];
system.stateVersion = "24.05"; system.stateVersion = "24.05";
} }


@ -6,10 +6,7 @@
# Local zfs # Local zfs
boot = { boot = {
zfs = { # zfs.extraPools = [ "tank" ];
extraPools = [ "tank" ];
requestEncryptionCredentials = false;
};
supportedFilesystems = [ "zfs" ]; supportedFilesystems = [ "zfs" ];
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
}; };
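Review bot: With `zfs.extraPools` commented out on the new side, the `tank` pool is no longer imported at boot, so any `fileSystems` entries under `/tank` that remain in this file (the hunk header shows the file continues past this block) would need `options = [ "nofail" ];` or a manual import step, otherwise boot stalls waiting for the device; that part is outside the hunk, so it may already be handled. Dropping `requestEncryptionCredentials = false` at the same time means that if the pool is re-enabled later, the module default applies and, for encrypted datasets, keys are requested at boot. If the pool is meant to stay unimported on this host, a comment stating that is more durable than a commented-out option, e.g. `# "tank" is not auto-imported here; import manually after the service move`.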


@ -17,13 +17,13 @@ in {
static_configs = [ static_configs = [
{ {
targets = [ targets = [
"challenger.home.feal.no:9100" "voyager.home.feal.no:9100"
"defiant.home.feal.no:9100" "sulu.home.feal.no:9100"
"mccoy.home.feal.no:9100"
"dlink-feal.home.feal.no:9100" "dlink-feal.home.feal.no:9100"
"edison.home.feal.no:9100" "edison.home.feal.no:9100"
"mccoy.home.feal.no:9100" "defiant.home.feal.no:9100"
"scotty.home.feal.no:9100" "scotty.home.feal.no:9100"
"sulu.home.feal.no:9100"
]; ];
} }
]; ];
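Review bot: The rewritten `targets` list is no longer sorted on the new side (`voyager` and `sulu` lead, `defiant` sits between `edison` and `scotty`), whereas the old side read alphabetically. The substantive change here is only which hosts are scraped; keeping the list sorted would make that a one-line diff and keep future host additions and removals equally readable. Suggest restoring alphabetical order within the `targets = [ ... ];` block.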


@ -10,8 +10,14 @@
./exports.nix ./exports.nix
./filesystems.nix ./filesystems.nix
./services/calibre.nix
./services/fancontrol.nix ./services/fancontrol.nix
./services/jellyfin.nix
./services/komga.nix
./services/nextcloud.nix
./services/nginx
./services/podgrab.nix ./services/podgrab.nix
./services/postgres.nix
./services/snappymail.nix ./services/snappymail.nix
./services/timemachine.nix ./services/timemachine.nix
]; ];
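Review bot: The new import list brings `./services/postgres.nix` and `./services/nextcloud.nix` onto this host but adds no `./backup.nix`, while the only borg job for `/var/backup/postgres` in this compare is deleted outright in an earlier section; unless one of the two changed files not shown on this page adds an equivalent, the postgres dumps stop being shipped off-host after the move, even though the `borg/postgres` secret is carried over in the sops file further down. The new `./services/nginx` entry also differs in form from every neighbour (`.nix` file vs. directory); if it is intentionally a directory with its own default.nix, a trailing comment such as `# directory: services/nginx/default.nix` stops it being read as a typo.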


@ -38,7 +38,12 @@
}; };
fileSystems."/tank/media/jellyfin/Music" = { fileSystems."/tank/media/jellyfin/Music" = {
device = "tank/media/music"; depends = [
fsType = "zfs"; "/tank/media/music"
"/tank/media/jellyfin"
];
options = [ "bind" ];
device = "/tank/media/music";
}; };
} }
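Review bot: The new bind mount exposes `/tank/media/music` under the Jellyfin tree read-write; if Jellyfin only reads this library, `options = [ "bind" "ro" ];` keeps a misbehaving or compromised media server from modifying the canonical music dataset (mount applies the read-only flag via a remount on bind mounts). The `depends` list is the right way to order this after both the source and the parent mount. A short comment such as `# bind, not a second zfs mount: the dataset stays mounted at /tank/media/music` would explain why the earlier `fsType = "zfs"` form was dropped.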


@ -3,12 +3,6 @@ let
domain = "komga.home.feal.no"; domain = "komga.home.feal.no";
cfg = config.services.komga; cfg = config.services.komga;
in { in {
services.komga = {
enable = true;
stateDir = "/tank/media/komga";
port = 5001;
};
services.nginx.virtualHosts.${domain} = { services.nginx.virtualHosts.${domain} = {
locations."/".proxyPass = "http://127.0.0.1:${toString cfg.port}"; locations."/".proxyPass = "http://127.0.0.1:${toString cfg.port}";
@ -16,4 +10,10 @@ in {
client_max_body_size 512M; client_max_body_size 512M;
''; '';
}; };
services.komga = {
enable = true;
stateDir = "/tank/media/komga";
port = 8034;
};
} }


@ -109,7 +109,6 @@ in {
ProtectProc = "invisible"; ProtectProc = "invisible";
ReadWritePaths = [ "/tank/nextcloud" "/run/phpfpm" "/run/systemd" ]; ReadWritePaths = [ "/tank/nextcloud" "/run/phpfpm" "/run/systemd" ];
ReadOnlyPaths = [ "/run/secrets" "/nix/store" ]; ReadOnlyPaths = [ "/run/secrets" "/nix/store" ];
InaccessbilePaths = [ "/tank/media" "/tank/backup" ];
RemoveIPC = true; RemoveIPC = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
UMask = "0007"; UMask = "0007";
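Review bot: The dropped line was misspelled — `InaccessbilePaths` is not a systemd directive, so it never took effect and systemd would have logged an unknown-key warning on the old side; deleting it rather than fixing it cements that the Nextcloud unit can reach `/tank/media` and `/tank/backup`, even though the surviving `ReadWritePaths` and `ReadOnlyPaths` lines show the author intended a path allowlist on a host that mounts `/tank`. Whichever tree ends up deployed, the fix is the corrected spelling, with a `-` prefix so the unit still starts where those paths are absent: `InaccessiblePaths = [ "-/tank/media" "-/tank/backup" ];`. The enclosing `serviceConfig` block starts and ends outside the hunk.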


@ -19,3 +19,4 @@
/* email = "felix@albrigtsen.it"; */ /* email = "felix@albrigtsen.it"; */
/* }; */ /* }; */
} }


@ -19,3 +19,5 @@
environment.systemPackages = [ config.services.postgresql.package ]; environment.systemPackages = [ config.services.postgresql.package ];
} }


@ -1,11 +1,4 @@
transmission: hello: ENC[AES256_GCM,data:YmN1loEaJo8sCOerV1WTRCIbPScil4vVyGD9lFlQj45jmQwNluu89ZGa6gQWBBRApko=,iv:/CFu9JOkoahVVmLmAPjkLIc4j3r06sLc3GSwn6NGl8k=,tag:hqyUmTY2IQpeU17SWR2D9Q==,type:str]
vpncreds: ENC[AES256_GCM,data:XtsbPvIZXZoIEa0k/A6euANO09x85RergUAKc8v2yd5SScaH9C/AKIqiYih3g2Dq7UMzsMWi1w3/8B33eiP2KU7TUdD23SBVIdkQocdpsr6H3alAPiTlQz+PcmYjuMlA4jeUyUH/ioN/tWT5GVMPaB81Ii0kqjMdgI995Q9of71z5hhwscwSNM49ZNFr/ne63Hk08GRvksl47LkviSKjyj3rKYAvdI91xCvVYsM=,iv:TmWC4i1MGgEXG5J2WjzSgINAWfVEZqEBMMgwZ6zv6h0=,tag:+8kmhrYk4s9v/8N/tJuouw==,type:str]
nextcloud:
adminpass: ENC[AES256_GCM,data:DL5SnyPPUxiVjfIHZ/ZYJi2pNu6x,iv:/bThFVYgHsN3Yr2EJf0+YWhAVIei9ENaHfAH1ADC5Ws=,tag:bNp+2trtwFNYOqruvqPRGw==,type:str]
secretsjson: ENC[AES256_GCM,data:xmdwWBe8LWsSEI64KhSeXbA1B0ahfoGwNmgl33JWteF4AakdI73zfbdIhUBqqlqfbL0uCGlqCiOyRA02h8197mk=,iv:ncKz9ObwoFoVjT0qMzBJ0BqVBNx0ScdMRl82ZNQp4FI=,tag:6S8fqHhvE/gaknxsb+q3Jg==,type:str]
borg:
transmission: ENC[AES256_GCM,data:umr0UEKMT/n0ZRTyfq/qWX4A,iv:R92qRZqQ8onLYDlkYMtHiumFqjVuxOIZAp+k2qTcDps=,tag:WhCP5YmIutR3ckgNIw/Hww==,type:str]
postgres: ENC[AES256_GCM,data:KHL02u+X2fGlZSUrujvkkGI=,iv:gjdPbmRHmO0APXvMJzqN+Swuh2l9mdsUJQRKsSYkEyM=,tag:0Rf9MeW7xTpj2uvnAOhuBA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -30,8 +23,8 @@ sops:
bVhLUVBWL3QyMmVjVEswZmtDRXRRUGMKizaESv67KWTOnUkZg1R0c3BkpJrDUxJR bVhLUVBWL3QyMmVjVEswZmtDRXRRUGMKizaESv67KWTOnUkZg1R0c3BkpJrDUxJR
heau8QcBXtNS6Ct1RsJQD3oTmBPAP1NHJ2BD11kEEtpo8FhCOjcqVQ== heau8QcBXtNS6Ct1RsJQD3oTmBPAP1NHJ2BD11kEEtpo8FhCOjcqVQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-03T20:11:44Z" lastmodified: "2024-07-01T22:30:06Z"
mac: ENC[AES256_GCM,data:feOeO7XrNEtbxp2c2a0EbwVAWUJ+PCZavmRT/4DMFfsJWwjogCqAia2KfC249RufAL2WFVZAw8UfymjtHHKp2v7alN3kqcIZ2rjwtkkzi8JqRQvbbCJwTXLkl8wr21lZD7UdNuAfZHxbwJRchRR/6bsLnxipW8AH8YCv1/Knsg0=,iv:fO4dUfRgJOaDuvJNgl6CVZFovVphQB4rlLIKGgzy7S4=,tag:8Ts1XozKYoSghho4ORDW0Q==,type:str] mac: ENC[AES256_GCM,data:p0olgrOkDMbpvPniSl/VL8sI6QM0EttswJ+RbEK8vC46+jnSoN+bTPdYIdVu9hIRPD7iJCldrYxvwpFifkwO03m3RvtOl6cjqcRL39fMw+Xv0R5girHgmTM2Iq1O2xwZkRHbwnceU/FdF+cKS6OuMmXFqlMJkpxUFVQoNDG5+uk=,iv:lrrruA4FT97Ix04LEXVaaFEF8/6vOayZmDfzWZRCYBE=,tag:Jve/CqdBbhoEDkBr4Z0e6g==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1
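Review bot: The new side's `lastmodified` (`2024-07-01T22:30:06Z`) predates the old side's (`2024-07-03T20:11:44Z`), and the same holds for the second sops file below (`2024-06-12T18:57:43Z` vs `2024-07-03T20:11:59Z`), so together with the "entirely different histories" banner this compare appears to run from the newer tree to the older one; the side labelled new here is likely the state being moved away from, and conclusions drawn per section should be read with that direction in mind. Independent of direction, the tree that keeps only `hello:` leaves a placeholder secret with no consumer visible in this compare; if it exists only to keep the file decryptable on this host, a comment line saying so (sops encrypts comments too, as the `type:comment` entries in the next file show) prevents it being mistaken for live configuration.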


@ -8,6 +8,14 @@
#ENC[AES256_GCM,data:T+pI1ogtfjo57NrOvCuhbs//,iv:mqkwAHWxqvt9XkQX0EKXQyJrK5KOCVDpva1Ok37XvKc=,tag:qrp2QeNrJSDr3ECN6cBDiA==,type:comment] #ENC[AES256_GCM,data:T+pI1ogtfjo57NrOvCuhbs//,iv:mqkwAHWxqvt9XkQX0EKXQyJrK5KOCVDpva1Ok37XvKc=,tag:qrp2QeNrJSDr3ECN6cBDiA==,type:comment]
#ENC[AES256_GCM,data:46+Qt0FRlg2tN8A=,iv:4y5C0S75gp4qFFkJ4lOMcPbftOLyzB12wApqNOFYan4=,tag:T/4zLU7d90GkzDohJd2XTg==,type:comment] #ENC[AES256_GCM,data:46+Qt0FRlg2tN8A=,iv:4y5C0S75gp4qFFkJ4lOMcPbftOLyzB12wApqNOFYan4=,tag:T/4zLU7d90GkzDohJd2XTg==,type:comment]
#ENC[AES256_GCM,data:fvJA2s0OEs7PDOr/,iv:HlO9MCqBHtz1Hm9tILlEsJ2gfgTPThmmyoCXlGyy/9Y=,tag:7L1Kl4RgAFG+WLvtk30nYQ==,type:comment] #ENC[AES256_GCM,data:fvJA2s0OEs7PDOr/,iv:HlO9MCqBHtz1Hm9tILlEsJ2gfgTPThmmyoCXlGyy/9Y=,tag:7L1Kl4RgAFG+WLvtk30nYQ==,type:comment]
transmission:
vpncreds: ENC[AES256_GCM,data:KWm6AGlJze0Of9Nkz0moaQCAXMwylsZ+BIZR4BnbuDRbjKRMJSWCOFBSbG3esGprLhoCnYwc9mghSeoP2AQRAT++sERpxX3JTHF9QuauNmhRWb1xLsOfQAu6vsA/0dTshQr8ivhJSnEz57rasdOraovYjVsRXd7cuclajPoS4nl3+1/IrSkAlxNzx8F0PMmyOrvoPVMmqQ4PcKFfkXc1f59O2iJ19Bmt/x5yIxU=,iv:VAYlqL8Pb5J4g+W3QClrgRftYw5UofXmG9cfEsZdLr4=,tag:zJIxYaGEedFjM8IsBfnQog==,type:str]
nextcloud:
adminpass: ENC[AES256_GCM,data:r2Z6KsQ1hP90/Bf8J804a5D7BTS7,iv:f3TkiPVxw8lAPcyStWqOZuhF4p/5nUPkzL2j/yjsnyg=,tag:c2JWdxZUjkHQWNWDILBrRQ==,type:str]
secretsjson: ENC[AES256_GCM,data:xvUdDoTaTum/gkDBujSfHeunAmwmYhZMY7zY72Ct9wly9gpcbNrJNiwuWSgBP3uYtwArce+n6co33OYZvV8rs/Q=,iv:6nLq9ZxgBHKbjD8I1PbjWf/9XthTSrm3lOwx/YX+Tc4=,tag:UN+c2fjUHK1lpyRsTBpOUw==,type:str]
borg:
transmission: ENC[AES256_GCM,data:VGP23BjX6rjMbcEMA6O7UEX6,iv:C0ehtDSO0eMkIYbwi9wYAKncOBrNCiJB4S5tJ1rxctI=,tag:RNcGwihAxOwCt3XOSoCvfw==,type:str]
postgres: ENC[AES256_GCM,data:nA+Ga56rG8XippMmHsOLEik=,iv:41llHBWEU7ESiUetJC/SkcjHG+beXs/ur8QTmxDGFE8=,tag:92n88ZtrDQWz0gYZmuWD8g==,type:str]
podgrab: podgrab:
password: ENC[AES256_GCM,data:mH/AZfmUCaUVH9km/dY9+AsmJQ==,iv:1/L0tslY7senVgfi+1g7ijcP3dt9cI4ecyGpkgF0OMo=,tag:fUG+lk7kgI5R9OZyCYP0nQ==,type:str] password: ENC[AES256_GCM,data:mH/AZfmUCaUVH9km/dY9+AsmJQ==,iv:1/L0tslY7senVgfi+1g7ijcP3dt9cI4ecyGpkgF0OMo=,tag:fUG+lk7kgI5R9OZyCYP0nQ==,type:str]
sops: sops:
@ -34,8 +42,8 @@ sops:
RmU5MnR3Tmt3dis0YjB4U1JtVW9mTkEKRBSWg2HOB/Q+zHNooV8YsePdrkUzd+Ug RmU5MnR3Tmt3dis0YjB4U1JtVW9mTkEKRBSWg2HOB/Q+zHNooV8YsePdrkUzd+Ug
ALu4+IhIl8YHtvBcPiFmupm/Qk173mTvi+x3ZkwzoCaTwDcxsy9FtA== ALu4+IhIl8YHtvBcPiFmupm/Qk173mTvi+x3ZkwzoCaTwDcxsy9FtA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-03T20:11:59Z" lastmodified: "2024-06-12T18:57:43Z"
mac: ENC[AES256_GCM,data:JI0klnv4yA+mwotpMAfQYfc5KTBHYX406jgXtsJh8BRzBZJ7fZZknmuCZpYW1u/pyflqTZ1JK+OKnvlOWrY2C/a6ySIuS3FNiKKQ1gvPc8T7+G9vrVyDNd3VkPMgmNiJuzVQaeYICWr5jHZgzduhZCnAU16VS8VThO7TeF7jFL4=,iv:fxqmMtxPfDzsVZqiKY2vTFFaVXTZeiU69bes1Pik1qQ=,tag:OKnrmx5385oO4Xv8FLQQ+A==,type:str] mac: ENC[AES256_GCM,data:46xA8exSUbaEJBufvzt5TbUXQa4956sGQUh9hS8a1nhXasDkdwTtGgSfZq/ENcL/VoEz0ORVJ43OwVE+TV1j9aOzwck96c/KDKTp4iEVbRfcsK/PMccf2FJke3TUmSV6f1hFBpGHpdujghHQTiGct+XQNuuI3RPXYLEYPJrqyeY=,iv:fzQL+ymHTP6XET9YlaCaW1ZGUJaZzCM0neGzMveoSt4=,tag:rsDV5tkU5pTlq4YTel6V1g==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1