mirror of
https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git
synced 2026-07-04 09:51:47 +02:00
Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| e9bc07d6e9 |
@@ -35,7 +35,6 @@
|
|||||||
./services/prometheus-node-exporter.nix
|
./services/prometheus-node-exporter.nix
|
||||||
./services/prometheus-systemd-exporter.nix
|
./services/prometheus-systemd-exporter.nix
|
||||||
./services/roowho2.nix
|
./services/roowho2.nix
|
||||||
./services/scrutiny-collector.nix
|
|
||||||
./services/smartd.nix
|
./services/smartd.nix
|
||||||
./services/thermald.nix
|
./services/thermald.nix
|
||||||
./services/uptimed.nix
|
./services/uptimed.nix
|
||||||
|
|||||||
@@ -6,13 +6,10 @@ in
|
|||||||
security.polkit.enable = true;
|
security.polkit.enable = true;
|
||||||
|
|
||||||
environment.etc."polkit-1/rules.d/9-nixos-overrides.rules".text = lib.mkIf cfg.enable ''
|
environment.etc."polkit-1/rules.d/9-nixos-overrides.rules".text = lib.mkIf cfg.enable ''
|
||||||
polkit.addRule(function(action, subject) {
|
polkit.addAdminRule(function(action, subject) {
|
||||||
if (
|
if(subject.isInGroup("wheel")) {
|
||||||
action.id.startsWith("org.freedesktop.systemd1.") &&
|
return ["unix-user:"+subject.user];
|
||||||
subject.isInGroup("wheel")
|
}
|
||||||
) {
|
});
|
||||||
return polkit.Result.AUTH_SELF_KEEP;
|
|
||||||
}
|
|
||||||
});
|
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
|
|||||||
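Review bot: The new `polkit.addAdminRule` callback no longer checks `action.id`, so it covers every polkit action that asks for administrator authentication, whereas the removed rule was limited to `org.freedesktop.systemd1.` actions. For a wheel member it returns `"unix-user:"+subject.user`, so the user's own password satisfies those prompts. That looks intended but is not stated anywhere, so I would add a comment above the rule such as `// wheel members authenticate as themselves for all admin-auth actions; others fall through to later admin rules`. Admin rules are consulted in file-name order and the first one that returns a value wins, so if NixOS still ships its default admin rule as `10-nixos.rules`, the unchanged name `9-nixos-overrides.rules` sorts after it and this rule may never be reached. Please verify this on a host. The enclosing module starts outside the hunk.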
@@ -1,11 +0,0 @@
|
|||||||
{ config, ... }:
|
|
||||||
{
|
|
||||||
services.scrutiny.collector = {
|
|
||||||
enable = !config.services.qemuGuest.enable;
|
|
||||||
settings = {
|
|
||||||
version = 1;
|
|
||||||
host.id = config.networking.hostName;
|
|
||||||
api.endpoint = "https://scrutiny.pvv.ntnu.no/";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
||||||
@@ -119,7 +119,6 @@ in {
|
|||||||
services.nginx.virtualHosts."pvv.ntnu.no" = {
|
services.nginx.virtualHosts."pvv.ntnu.no" = {
|
||||||
globalRedirect = cfg.domainName;
|
globalRedirect = cfg.domainName;
|
||||||
redirectCode = 307;
|
redirectCode = 307;
|
||||||
kTLS = true;
|
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
useACMEHost = "www.pvv.ntnu.no";
|
useACMEHost = "www.pvv.ntnu.no";
|
||||||
};
|
};
|
||||||
@@ -127,7 +126,6 @@ in {
|
|||||||
services.nginx.virtualHosts."www.pvv.org" = {
|
services.nginx.virtualHosts."www.pvv.org" = {
|
||||||
globalRedirect = cfg.domainName;
|
globalRedirect = cfg.domainName;
|
||||||
redirectCode = 307;
|
redirectCode = 307;
|
||||||
kTLS = true;
|
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
useACMEHost = "www.pvv.ntnu.no";
|
useACMEHost = "www.pvv.ntnu.no";
|
||||||
};
|
};
|
||||||
@@ -135,13 +133,11 @@ in {
|
|||||||
services.nginx.virtualHosts."pvv.org" = {
|
services.nginx.virtualHosts."pvv.org" = {
|
||||||
globalRedirect = cfg.domainName;
|
globalRedirect = cfg.domainName;
|
||||||
redirectCode = 307;
|
redirectCode = 307;
|
||||||
kTLS = true;
|
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
useACMEHost = "www.pvv.ntnu.no";
|
useACMEHost = "www.pvv.ntnu.no";
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts.${cfg.domainName} = {
|
services.nginx.virtualHosts.${cfg.domainName} = {
|
||||||
kTLS = true;
|
|
||||||
locations = {
|
locations = {
|
||||||
# Proxy home directories
|
# Proxy home directories
|
||||||
"^~ /~" = {
|
"^~ /~" = {
|
||||||
|
|||||||
@@ -83,7 +83,6 @@ in
|
|||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."mirrors.pvv.ntnu.no" = {
|
services.nginx.virtualHosts."mirrors.pvv.ntnu.no" = {
|
||||||
kTLS = true;
|
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
|
|
||||||
|
|||||||
@@ -146,7 +146,6 @@ in
|
|||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."hookshot.pvv.ntnu.no" = {
|
services.nginx.virtualHosts."hookshot.pvv.ntnu.no" = {
|
||||||
kTLS = true;
|
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
addSSL = true;
|
addSSL = true;
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
|
|||||||
@@ -80,7 +80,6 @@ in
|
|||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."ooye.pvv.ntnu.no" = {
|
services.nginx.virtualHosts."ooye.pvv.ntnu.no" = {
|
||||||
kTLS = true;
|
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
locations."/".proxyPass = "http://localhost:${cfg.socket}";
|
locations."/".proxyPass = "http://localhost:${cfg.socket}";
|
||||||
|
|||||||
@@ -0,0 +1,39 @@
|
|||||||
|
# Do modify this file! It was generated by „nixos-generate-config“
|
||||||
|
# and may be overwritten by future invocations. Please make changes
|
||||||
|
# to /etc/nixos/configuration.nix and run ⟪nix-env --switch-profile⟫ instead.
|
||||||
|
{ config, lib, pkgs, modulesPath, home-manager, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
imports =
|
||||||
|
[ (modulesPath + "/installer/scan/not-detected.nix")
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "af_alg" "esp4" "esp6" "rds" ];
|
||||||
|
boot.initrd.kernelModules = [ ];
|
||||||
|
boot.kernelModules = [ "kvm-amd" ];
|
||||||
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
|
fileSystems."/" =
|
||||||
|
{ device = "/dev/sdj1";
|
||||||
|
fsType = "bcachefs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/boott" =
|
||||||
|
{ device = "/dev/disk/by-uuid/AAAA-AAAA";
|
||||||
|
fsType = "vfat";
|
||||||
|
};
|
||||||
|
|
||||||
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
|
# still possible to use this option, but it's recommended to use it in conjunction
|
||||||
|
# with explicit per-interface declarations with ‹networking.interfaces.<interface>.useDHCP›.
|
||||||
|
networking.useDHCP = lib.mkDefault true;
|
||||||
|
# networking.interfaces.em1.useDHCP = lib.mkDefault true;
|
||||||
|
# networking.interfaces.em2.useDHCP = lib.mkDefault true;
|
||||||
|
# networking.interfaces.pflog0.useDHCP = lib.mkDefault true;
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = lib.mkDefault "i686-freebsd";
|
||||||
|
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||||
|
hardware.infiniband.enable = true;
|
||||||
|
hardware.flipperzero.enable = lib.mkIf (config.security.isolate.cgRoot == "auto:/run/isolate/tank") true;
|
||||||
|
}
|
||||||
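Review bot: `boot.initrd.availableKernelModules` in the new file lists `af_alg`, `esp4`, `esp6` and `rds` next to the storage and USB drivers. None of them is needed to find and mount the root filesystem, and `rds` is a module that hardening baselines commonly ask to disable, so I would keep the list to `[ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]` unless something in stage 1 needs the others. The root filesystem is mounted from `/dev/sdj1`, a kernel-assigned name that can change between boots, so a stable `/dev/disk/by-uuid/...` or by-label path would be safer. Several values also look inconsistent and should be confirmed before this host is deployed: `nixpkgs.hostPlatform = "i686-freebsd"` next to `kvm-amd` and `hardware.cpu.intel.updateMicrocode`, the mount point `/boott` with the UUID `AAAA-AAAA`, and the header comment that reads "Do modify this file!".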
@@ -5,7 +5,6 @@
|
|||||||
./grafana.nix
|
./grafana.nix
|
||||||
./loki.nix
|
./loki.nix
|
||||||
./prometheus
|
./prometheus
|
||||||
./scrutiny.nix
|
|
||||||
./uptime-kuma.nix
|
./uptime-kuma.nix
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,40 +0,0 @@
|
|||||||
{ config, values, ... }:
|
|
||||||
let
|
|
||||||
cfg = config.services.scrutiny;
|
|
||||||
in
|
|
||||||
{
|
|
||||||
services.scrutiny = {
|
|
||||||
enable = true;
|
|
||||||
settings = {
|
|
||||||
web.listen = {
|
|
||||||
host = "127.0.0.1";
|
|
||||||
port = 18293;
|
|
||||||
basepath = "";
|
|
||||||
};
|
|
||||||
|
|
||||||
# notify.urls = [
|
|
||||||
# "matrix://username:password@host:port/[?rooms=!roomID1[,roomAlias2]]"
|
|
||||||
# ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.nginx.virtualHosts."scrutiny.pvv.ntnu.no" = {
|
|
||||||
kTLS = true;
|
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
|
||||||
locations."/" = {
|
|
||||||
proxyPass = "http://${cfg.settings.web.listen.host}:${toString cfg.settings.web.listen.port}";
|
|
||||||
};
|
|
||||||
|
|
||||||
# TODO: allow website access to the outside world, but restrict input api
|
|
||||||
extraConfig = ''
|
|
||||||
allow ${values.hosts.ildkule.ipv4}/32;
|
|
||||||
allow ${values.hosts.ildkule.ipv6}/128;
|
|
||||||
allow 127.0.0.1/32;
|
|
||||||
allow ::1/128;
|
|
||||||
allow ${values.ipv4-space};
|
|
||||||
allow ${values.ipv6-space};
|
|
||||||
deny all;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
}
|
|
||||||
@@ -18,6 +18,9 @@
|
|||||||
anyInterface = true;
|
anyInterface = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# There are no smart devices
|
||||||
|
services.smartd.enable = false;
|
||||||
|
|
||||||
# Don't change (even during upgrades) unless you know what you are doing.
|
# Don't change (even during upgrades) unless you know what you are doing.
|
||||||
# See https://search.nixos.org/options?show=system.stateVersion
|
# See https://search.nixos.org/options?show=system.stateVersion
|
||||||
system.stateVersion = "25.05";
|
system.stateVersion = "25.05";
|
||||||
|
|||||||