Compare commits
3 Commits
5203e82efa
...
4adae24732
| Author | SHA1 | Date |
|---|---|---|
 Felix Albrigtsen
|
4adae24732 | |
|
Felix Albrigtsen
|
0e3e8218a7 | |
|
Felix Albrigtsen
|
ed08b6a0e4 |
|
|
@ -26,13 +26,13 @@ Other installed packages and tools are described in the config files (like ./hos
|
|||
## Public / important services
|
||||
|
||||
- Matrix ([source](./hosts/defiant/services/matrix/default.nix)) - Decentralized, encrypted chat - Contact me at @felixalb:feal.no
|
||||
- [Nextcloud](https://cloud.feal.no) ([source](./hosts/voyager/services/nextcloud.nix)) - Personal cloud services and "google replacements", including file hosting, notes, calendar and webmail
|
||||
- [Nextcloud](https://cloud.feal.no) ([source](./hosts/challenger/services/nextcloud.nix)) - Personal cloud services and "google replacements", including file hosting, notes, calendar and webmail
|
||||
- [Gitea](https://git.feal.no) ([source](./hosts/defiant/services/gitea.nix)) - Software forge / git server
|
||||
- [Hedgedoc](https://md.feal.no) ([source](./hosts/defiant/services/hedgedoc.nix)) - Collaborative markdown notes editor
|
||||
- HomeAssistant ([source](./hosts/defiant/services/home-assistant.nix))- Home automation / IOT controller
|
||||
- [VaultWarden](https://pw.feal.no) ([source](./hosts/defiant/services/vaultwarden.nix)) - BitWarden Password Manager backend
|
||||
- [KeyCloak](https://iam.feal.no) ([source](./hosts/defiant/services/nextcloud.nix)) - Authentication provider, giving SSO with OIDC or SAML
|
||||
- [Jellyfin](https://jf.feal.no) ([source](./hosts/voyager/services/jellyfin.nix)) - Local media streaming
|
||||
- [Jellyfin](https://jf.feal.no) ([source](./hosts/challenger/services/jellyfin.nix)) - Local media streaming
|
||||
|
||||
## Networking
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,38 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
{
|
||||
services.borgbackup.jobs =
|
||||
let
|
||||
borgJob = name: {
|
||||
environment.BORG_RSH = "ssh -i /root/.ssh/fealsyn1";
|
||||
environment.BORG_REMOTE_PATH = "/usr/local/bin/borg";
|
||||
repo = "ssh://backup@feal-syn1.home.feal.no/volume2/backup/borg/voyager/${name}";
|
||||
compression = "auto,zstd";
|
||||
};
|
||||
in {
|
||||
postgresDaily = borgJob "postgres::daily" // {
|
||||
paths = "/var/backup/postgres";
|
||||
startAt = "*-*-* 05:15:00"; # 2 hours after postgresqlBackup
|
||||
extraInitArgs = "--storage-quota 10G";
|
||||
encryption = {
|
||||
mode = "repokey-blake2";
|
||||
passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
|
||||
};
|
||||
};
|
||||
|
||||
postgresWeekly = borgJob "postgres::weekly" // {
|
||||
paths = "/var/backup/postgres";
|
||||
startAt = "Mon *-*-* 05:15:00"; # 2 hours after postgresqlBackup
|
||||
extraInitArgs = "--storage-quota 10G";
|
||||
encryption = {
|
||||
mode = "repokey-blake2";
|
||||
passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
|
||||
};
|
||||
};
|
||||
|
||||
# TODO: timemachine, nextcloud, komga, calibre
|
||||
|
||||
};
|
||||
|
||||
sops.secrets."borg/postgres" = { };
|
||||
sops.secrets."borg/transmission" = { };
|
||||
}
|
||||
|
|
@ -1,13 +1,23 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
./hardware-configuration.nix
|
||||
|
||||
../../base.nix
|
||||
../../common/metrics-exporters.nix
|
||||
./hardware-configuration.nix
|
||||
./backup.nix
|
||||
./exports.nix
|
||||
./filesystems.nix
|
||||
|
||||
./services/calibre.nix
|
||||
./services/jellyfin.nix
|
||||
./services/komga.nix
|
||||
./services/nextcloud.nix
|
||||
./services/nginx.nix
|
||||
./services/postgres.nix
|
||||
./services/timemachine.nix
|
||||
];
|
||||
|
||||
networking = {
|
||||
|
|
@ -32,6 +42,14 @@
|
|||
virtualisation.docker.enable = true;
|
||||
virtualisation.oci-containers.backend = "docker";
|
||||
|
||||
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
|
||||
"nvidia-x11"
|
||||
"nvidia-settings"
|
||||
];
|
||||
hardware.nvidia.modesetting.enable = true;
|
||||
hardware.opengl.enable = true;
|
||||
services.xserver.videoDrivers = ["nvidia"];
|
||||
|
||||
system.stateVersion = "24.05";
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -6,7 +6,10 @@
|
|||
|
||||
# Local zfs
|
||||
boot = {
|
||||
# zfs.extraPools = [ "tank" ];
|
||||
zfs = {
|
||||
extraPools = [ "tank" ];
|
||||
requestEncryptionCredentials = false;
|
||||
};
|
||||
supportedFilesystems = [ "zfs" ];
|
||||
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
|
||||
};
|
||||
|
|
|
|||
|
|
@ -38,12 +38,7 @@
|
|||
};
|
||||
|
||||
fileSystems."/tank/media/jellyfin/Music" = {
|
||||
depends = [
|
||||
"/tank/media/music"
|
||||
"/tank/media/jellyfin"
|
||||
];
|
||||
options = [ "bind" ];
|
||||
device = "/tank/media/music";
|
||||
device = "tank/media/music";
|
||||
fsType = "zfs";
|
||||
};
|
||||
}
|
||||
|
||||
|
|
@ -3,6 +3,12 @@ let
|
|||
domain = "komga.home.feal.no";
|
||||
cfg = config.services.komga;
|
||||
in {
|
||||
services.komga = {
|
||||
enable = true;
|
||||
stateDir = "/tank/media/komga";
|
||||
port = 5001;
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts.${domain} = {
|
||||
locations."/".proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
|
||||
|
|
@ -10,10 +16,4 @@ in {
|
|||
client_max_body_size 512M;
|
||||
'';
|
||||
};
|
||||
|
||||
services.komga = {
|
||||
enable = true;
|
||||
stateDir = "/tank/media/komga";
|
||||
port = 8034;
|
||||
};
|
||||
}
|
||||
|
|
@ -109,6 +109,7 @@ in {
|
|||
ProtectProc = "invisible";
|
||||
ReadWritePaths = [ "/tank/nextcloud" "/run/phpfpm" "/run/systemd" ];
|
||||
ReadOnlyPaths = [ "/run/secrets" "/nix/store" ];
|
||||
InaccessbilePaths = [ "/tank/media" "/tank/backup" ];
|
||||
RemoveIPC = true;
|
||||
RestrictSUIDSGID = true;
|
||||
UMask = "0007";
|
||||
|
|
@ -19,4 +19,3 @@
|
|||
/* email = "felix@albrigtsen.it"; */
|
||||
/* }; */
|
||||
}
|
||||
|
||||
|
|
@ -19,5 +19,3 @@
|
|||
|
||||
environment.systemPackages = [ config.services.postgresql.package ];
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -17,13 +17,13 @@ in {
|
|||
static_configs = [
|
||||
{
|
||||
targets = [
|
||||
"voyager.home.feal.no:9100"
|
||||
"sulu.home.feal.no:9100"
|
||||
"mccoy.home.feal.no:9100"
|
||||
"challenger.home.feal.no:9100"
|
||||
"defiant.home.feal.no:9100"
|
||||
"dlink-feal.home.feal.no:9100"
|
||||
"edison.home.feal.no:9100"
|
||||
"defiant.home.feal.no:9100"
|
||||
"mccoy.home.feal.no:9100"
|
||||
"scotty.home.feal.no:9100"
|
||||
"sulu.home.feal.no:9100"
|
||||
];
|
||||
}
|
||||
];
|
||||
|
|
|
|||
|
|
@ -10,14 +10,8 @@
|
|||
./exports.nix
|
||||
./filesystems.nix
|
||||
|
||||
./services/calibre.nix
|
||||
./services/fancontrol.nix
|
||||
./services/jellyfin.nix
|
||||
./services/komga.nix
|
||||
./services/nextcloud.nix
|
||||
./services/nginx
|
||||
./services/podgrab.nix
|
||||
./services/postgres.nix
|
||||
./services/snappymail.nix
|
||||
./services/timemachine.nix
|
||||
];
|
||||
|
|
|
|||
|
|
@ -1,4 +1,11 @@
|
|||
hello: ENC[AES256_GCM,data:YmN1loEaJo8sCOerV1WTRCIbPScil4vVyGD9lFlQj45jmQwNluu89ZGa6gQWBBRApko=,iv:/CFu9JOkoahVVmLmAPjkLIc4j3r06sLc3GSwn6NGl8k=,tag:hqyUmTY2IQpeU17SWR2D9Q==,type:str]
|
||||
transmission:
|
||||
vpncreds: ENC[AES256_GCM,data:XtsbPvIZXZoIEa0k/A6euANO09x85RergUAKc8v2yd5SScaH9C/AKIqiYih3g2Dq7UMzsMWi1w3/8B33eiP2KU7TUdD23SBVIdkQocdpsr6H3alAPiTlQz+PcmYjuMlA4jeUyUH/ioN/tWT5GVMPaB81Ii0kqjMdgI995Q9of71z5hhwscwSNM49ZNFr/ne63Hk08GRvksl47LkviSKjyj3rKYAvdI91xCvVYsM=,iv:TmWC4i1MGgEXG5J2WjzSgINAWfVEZqEBMMgwZ6zv6h0=,tag:+8kmhrYk4s9v/8N/tJuouw==,type:str]
|
||||
nextcloud:
|
||||
adminpass: ENC[AES256_GCM,data:DL5SnyPPUxiVjfIHZ/ZYJi2pNu6x,iv:/bThFVYgHsN3Yr2EJf0+YWhAVIei9ENaHfAH1ADC5Ws=,tag:bNp+2trtwFNYOqruvqPRGw==,type:str]
|
||||
secretsjson: ENC[AES256_GCM,data:xmdwWBe8LWsSEI64KhSeXbA1B0ahfoGwNmgl33JWteF4AakdI73zfbdIhUBqqlqfbL0uCGlqCiOyRA02h8197mk=,iv:ncKz9ObwoFoVjT0qMzBJ0BqVBNx0ScdMRl82ZNQp4FI=,tag:6S8fqHhvE/gaknxsb+q3Jg==,type:str]
|
||||
borg:
|
||||
transmission: ENC[AES256_GCM,data:umr0UEKMT/n0ZRTyfq/qWX4A,iv:R92qRZqQ8onLYDlkYMtHiumFqjVuxOIZAp+k2qTcDps=,tag:WhCP5YmIutR3ckgNIw/Hww==,type:str]
|
||||
postgres: ENC[AES256_GCM,data:KHL02u+X2fGlZSUrujvkkGI=,iv:gjdPbmRHmO0APXvMJzqN+Swuh2l9mdsUJQRKsSYkEyM=,tag:0Rf9MeW7xTpj2uvnAOhuBA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
|
@ -23,8 +30,8 @@ sops:
|
|||
bVhLUVBWL3QyMmVjVEswZmtDRXRRUGMKizaESv67KWTOnUkZg1R0c3BkpJrDUxJR
|
||||
heau8QcBXtNS6Ct1RsJQD3oTmBPAP1NHJ2BD11kEEtpo8FhCOjcqVQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-07-01T22:30:06Z"
|
||||
mac: ENC[AES256_GCM,data:p0olgrOkDMbpvPniSl/VL8sI6QM0EttswJ+RbEK8vC46+jnSoN+bTPdYIdVu9hIRPD7iJCldrYxvwpFifkwO03m3RvtOl6cjqcRL39fMw+Xv0R5girHgmTM2Iq1O2xwZkRHbwnceU/FdF+cKS6OuMmXFqlMJkpxUFVQoNDG5+uk=,iv:lrrruA4FT97Ix04LEXVaaFEF8/6vOayZmDfzWZRCYBE=,tag:Jve/CqdBbhoEDkBr4Z0e6g==,type:str]
|
||||
lastmodified: "2024-07-03T20:11:44Z"
|
||||
mac: ENC[AES256_GCM,data:feOeO7XrNEtbxp2c2a0EbwVAWUJ+PCZavmRT/4DMFfsJWwjogCqAia2KfC249RufAL2WFVZAw8UfymjtHHKp2v7alN3kqcIZ2rjwtkkzi8JqRQvbbCJwTXLkl8wr21lZD7UdNuAfZHxbwJRchRR/6bsLnxipW8AH8YCv1/Knsg0=,iv:fO4dUfRgJOaDuvJNgl6CVZFovVphQB4rlLIKGgzy7S4=,tag:8Ts1XozKYoSghho4ORDW0Q==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||
|
|
|
|||
|
|
@ -8,14 +8,6 @@
|
|||
#ENC[AES256_GCM,data:T+pI1ogtfjo57NrOvCuhbs//,iv:mqkwAHWxqvt9XkQX0EKXQyJrK5KOCVDpva1Ok37XvKc=,tag:qrp2QeNrJSDr3ECN6cBDiA==,type:comment]
|
||||
#ENC[AES256_GCM,data:46+Qt0FRlg2tN8A=,iv:4y5C0S75gp4qFFkJ4lOMcPbftOLyzB12wApqNOFYan4=,tag:T/4zLU7d90GkzDohJd2XTg==,type:comment]
|
||||
#ENC[AES256_GCM,data:fvJA2s0OEs7PDOr/,iv:HlO9MCqBHtz1Hm9tILlEsJ2gfgTPThmmyoCXlGyy/9Y=,tag:7L1Kl4RgAFG+WLvtk30nYQ==,type:comment]
|
||||
transmission:
|
||||
vpncreds: ENC[AES256_GCM,data:KWm6AGlJze0Of9Nkz0moaQCAXMwylsZ+BIZR4BnbuDRbjKRMJSWCOFBSbG3esGprLhoCnYwc9mghSeoP2AQRAT++sERpxX3JTHF9QuauNmhRWb1xLsOfQAu6vsA/0dTshQr8ivhJSnEz57rasdOraovYjVsRXd7cuclajPoS4nl3+1/IrSkAlxNzx8F0PMmyOrvoPVMmqQ4PcKFfkXc1f59O2iJ19Bmt/x5yIxU=,iv:VAYlqL8Pb5J4g+W3QClrgRftYw5UofXmG9cfEsZdLr4=,tag:zJIxYaGEedFjM8IsBfnQog==,type:str]
|
||||
nextcloud:
|
||||
adminpass: ENC[AES256_GCM,data:r2Z6KsQ1hP90/Bf8J804a5D7BTS7,iv:f3TkiPVxw8lAPcyStWqOZuhF4p/5nUPkzL2j/yjsnyg=,tag:c2JWdxZUjkHQWNWDILBrRQ==,type:str]
|
||||
secretsjson: ENC[AES256_GCM,data:xvUdDoTaTum/gkDBujSfHeunAmwmYhZMY7zY72Ct9wly9gpcbNrJNiwuWSgBP3uYtwArce+n6co33OYZvV8rs/Q=,iv:6nLq9ZxgBHKbjD8I1PbjWf/9XthTSrm3lOwx/YX+Tc4=,tag:UN+c2fjUHK1lpyRsTBpOUw==,type:str]
|
||||
borg:
|
||||
transmission: ENC[AES256_GCM,data:VGP23BjX6rjMbcEMA6O7UEX6,iv:C0ehtDSO0eMkIYbwi9wYAKncOBrNCiJB4S5tJ1rxctI=,tag:RNcGwihAxOwCt3XOSoCvfw==,type:str]
|
||||
postgres: ENC[AES256_GCM,data:nA+Ga56rG8XippMmHsOLEik=,iv:41llHBWEU7ESiUetJC/SkcjHG+beXs/ur8QTmxDGFE8=,tag:92n88ZtrDQWz0gYZmuWD8g==,type:str]
|
||||
podgrab:
|
||||
password: ENC[AES256_GCM,data:mH/AZfmUCaUVH9km/dY9+AsmJQ==,iv:1/L0tslY7senVgfi+1g7ijcP3dt9cI4ecyGpkgF0OMo=,tag:fUG+lk7kgI5R9OZyCYP0nQ==,type:str]
|
||||
sops:
|
||||
|
|
@ -42,8 +34,8 @@ sops:
|
|||
RmU5MnR3Tmt3dis0YjB4U1JtVW9mTkEKRBSWg2HOB/Q+zHNooV8YsePdrkUzd+Ug
|
||||
ALu4+IhIl8YHtvBcPiFmupm/Qk173mTvi+x3ZkwzoCaTwDcxsy9FtA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-06-12T18:57:43Z"
|
||||
mac: ENC[AES256_GCM,data:46xA8exSUbaEJBufvzt5TbUXQa4956sGQUh9hS8a1nhXasDkdwTtGgSfZq/ENcL/VoEz0ORVJ43OwVE+TV1j9aOzwck96c/KDKTp4iEVbRfcsK/PMccf2FJke3TUmSV6f1hFBpGHpdujghHQTiGct+XQNuuI3RPXYLEYPJrqyeY=,iv:fzQL+ymHTP6XET9YlaCaW1ZGUJaZzCM0neGzMveoSt4=,tag:rsDV5tkU5pTlq4YTel6V1g==,type:str]
|
||||
lastmodified: "2024-07-03T20:11:59Z"
|
||||
mac: ENC[AES256_GCM,data:JI0klnv4yA+mwotpMAfQYfc5KTBHYX406jgXtsJh8BRzBZJ7fZZknmuCZpYW1u/pyflqTZ1JK+OKnvlOWrY2C/a6ySIuS3FNiKKQ1gvPc8T7+G9vrVyDNd3VkPMgmNiJuzVQaeYICWr5jHZgzduhZCnAU16VS8VThO7TeF7jFL4=,iv:fxqmMtxPfDzsVZqiKY2vTFFaVXTZeiU69bes1Pik1qQ=,tag:OKnrmx5385oO4Xv8FLQQ+A==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||
|
|
|
|||
Loading…
Reference in New Issue