chore: Reformat using rfc formatter

Alexander Kobjolke 2024-05-02 23:56:23 +02:00
parent cc47451590
commit b9fa236d7a


@ -2,11 +2,17 @@
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ inputs, lib, config, pkgs, ... }:
{
inputs,
lib,
config,
pkgs,
...
}:
let
authorityFromUrl = url:
builtins.head (pkgs.lib.drop 1 (pkgs.lib.splitString "://" url));
in {
authorityFromUrl = url: builtins.head (pkgs.lib.drop 1 (pkgs.lib.splitString "://" url));
in
{
disabledModules = [ "services/web-apps/hledger-web.nix" ];
imports = [
@ -48,66 +54,83 @@ in {
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking = let extIface = "ens3";
in {
hostName = "thrall";
domain = "failco.de";
wireless.enable = false;
useDHCP = false;
enableIPv6 = false;
interfaces.${extIface} = {
ipv4.addresses = [{
address = "195.90.211.228";
prefixLength = 22;
}];
};
defaultGateway = "195.90.208.1";
nameservers = [ "1.1.1.1" "8.8.8.8" ];
firewall = {
allowedTCPPorts = [ 22 53 80 443 5000 ];
allowedUDPPorts = [ 53 42666 ];
};
# wireguard related config
nat.enable = true;
nat.externalInterface = extIface;
nat.internalInterfaces = [ "wg0" ];
wireguard.interfaces = {
wg0 = {
ips = [ "10.0.0.1/24" ];
listenPort = 42666;
postSetup = ''
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
'';
privateKeyFile = config.age.secrets.wireguard-thrall.path;
peers = [
networking =
let
extIface = "ens3";
in
{
hostName = "thrall";
domain = "failco.de";
wireless.enable = false;
useDHCP = false;
enableIPv6 = false;
interfaces.${extIface} = {
ipv4.addresses = [
{
# my phone
publicKey = "9EaBSNsJW0W/xPMLJ54zr3UNK3bZ/2ULOmhV1gPfSXk=";
allowedIPs = [ "10.0.0.2/32" ];
}
{
# my tablet
publicKey = "NG9y+0RMDTjiG65yC4Z0ymJ0G5fe1mOhl4GyC3xAh1k=";
allowedIPs = [ "10.0.0.3/32" ];
}
{
# homematic
publicKey = "slqWgVksOCav0bASxupaFGqfr6vajxDRNIlZYocONQ4=";
allowedIPs = [ "10.0.0.4/32" ];
address = "195.90.211.228";
prefixLength = 22;
}
];
};
defaultGateway = "195.90.208.1";
nameservers = [
"1.1.1.1"
"8.8.8.8"
];
firewall = {
allowedTCPPorts = [
22
53
80
443
5000
];
allowedUDPPorts = [
53
42666
];
};
# wireguard related config
nat.enable = true;
nat.externalInterface = extIface;
nat.internalInterfaces = [ "wg0" ];
wireguard.interfaces = {
wg0 = {
ips = [ "10.0.0.1/24" ];
listenPort = 42666;
postSetup = ''
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
'';
privateKeyFile = config.age.secrets.wireguard-thrall.path;
peers = [
{
# my phone
publicKey = "9EaBSNsJW0W/xPMLJ54zr3UNK3bZ/2ULOmhV1gPfSXk=";
allowedIPs = [ "10.0.0.2/32" ];
}
{
# my tablet
publicKey = "NG9y+0RMDTjiG65yC4Z0ymJ0G5fe1mOhl4GyC3xAh1k=";
allowedIPs = [ "10.0.0.3/32" ];
}
{
# homematic
publicKey = "slqWgVksOCav0bASxupaFGqfr6vajxDRNIlZYocONQ4=";
allowedIPs = [ "10.0.0.4/32" ];
}
];
};
};
};
};
security.acme = {
acceptTerms = true;
@ -131,7 +154,14 @@ in {
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [ wget rsync htop tmux git rclone ];
environment.systemPackages = with pkgs; [
wget
rsync
htop
tmux
git
rclone
];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
@ -155,7 +185,11 @@ in {
services.kresd = {
enable = true;
listenPlain = [ "[::1]:53" "127.0.0.1:53" "10.0.0.1:53" ];
listenPlain = [
"[::1]:53"
"127.0.0.1:53"
"10.0.0.1:53"
];
};
services.lorri.enable = true;
@ -220,9 +254,7 @@ in {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${
toString config.services.forgejo.settings.server.HTTP_PORT
}/";
proxyPass = "http://127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}/";
proxyWebsockets = true;
};
};
@ -232,8 +264,7 @@ in {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass =
"http://127.0.0.1:${toString config.services.paperless.port}/";
proxyPass = "http://127.0.0.1:${toString config.services.paperless.port}/";
proxyWebsockets = true;
};
};
@ -244,9 +275,7 @@ in {
enableACME = true;
basicAuthFile = config.age.secrets.hledger-web.path;
locations."/" = {
proxyPass = "http://${config.services.hledger-web.host}:${
toString config.services.hledger-web.port
}/";
proxyPass = "http://${config.services.hledger-web.host}:${toString config.services.hledger-web.port}/";
proxyWebsockets = true;
};
};
@ -282,7 +311,9 @@ in {
FROM = "noreply@failco.de";
};
other = { SHOW_FOOTER_VERSION = false; };
other = {
SHOW_FOOTER_VERSION = false;
};
};
};
@ -313,7 +344,10 @@ in {
manage = true;
};
journalFiles = [ "current.journal" ];
extraOptions = [ "-B" "--value=then" ];
extraOptions = [
"-B"
"--value=then"
];
};
services.fail2ban = {
@ -323,8 +357,12 @@ in {
bantime = "1h";
bantime-increment.enable = true;
ignoreIP =
[ "127.0.0.0/8" "195.90.211.228/22" "10.0.0.0/8" "192.168.0.0/16" ];
ignoreIP = [
"127.0.0.0/8"
"195.90.211.228"
"10.0.0.0/8"
"192.168.0.0/16"
];
jails.postfix = ''
filter = postfix
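Review bot: The new ignoreIP list drops the prefix length from the host's own address (`"195.90.211.228"` replaces `"195.90.211.228/22"`), which is a behavioural change rather than a layout one: fail2ban previously exempted the whole 195.90.208.0/22 provider range from banning and now exempts only this host. Narrowing the exemption is the safer setting, since the old entry would have shielded every neighbouring tenant in that range from bans, but it does not belong unannounced in a commit described as a formatter-only reformat. If the narrowing is intended, state it in the commit message or move it to its own commit; if it is accidental, restore the `/22`. A comment such as `# this host's public address; keep in sync with networking.interfaces.ens3` next to that entry would make the intent clear to the next reader. The enclosing services.fail2ban attribute set begins and ends outside this hunk.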
@ -338,10 +376,8 @@ in {
enable = true;
user = "alex";
dataDir = "/home/alex/sync";
overrideDevices =
true; # overrides any devices added or deleted through the WebUI
overrideFolders =
true; # overrides any folders added or deleted through the WebUI
overrideDevices = true; # overrides any devices added or deleted through the WebUI
overrideFolders = true; # overrides any folders added or deleted through the WebUI
settings = {
folders = {
"org" = {
@ -354,17 +390,18 @@ in {
};
"paperless" = {
path = "${config.services.paperless.consumptionDir}";
devices = [ "redmi" "dregil" ];
devices = [
"redmi"
"dregil"
];
};
};
devices = {
"redmi" = {
id =
"C43WITF-2HS2UCD-X6QFM4H-SC7XQJ7-X5F73EB-7FZHMII-KQNSH5D-NMICIAW";
id = "C43WITF-2HS2UCD-X6QFM4H-SC7XQJ7-X5F73EB-7FZHMII-KQNSH5D-NMICIAW";
};
"dregil" = {
id =
"SMVQO7Q-EB2V7PC-B4LP5IN-SM2UUE4-FUI2RI4-LARFW3S-LXHPAT5-FLNY7QH";
id = "SMVQO7Q-EB2V7PC-B4LP5IN-SM2UUE4-FUI2RI4-LARFW3S-LXHPAT5-FLNY7QH";
};
};
};
@ -373,16 +410,26 @@ in {
mailserver = {
enable = true;
fqdn = "thrall.failco.de";
domains = [ "failco.de" "jakalx.net" "kobjolke.de" ];
domains = [
"failco.de"
"jakalx.net"
"kobjolke.de"
];
loginAccounts = {
"me@failco.de" = {
# nix-shell -p mkpasswd --run 'mkpasswd -sm sha512crypt'
hashedPasswordFile = config.age.secrets.mailPass.path;
aliases = [ "lx@failco.de" "alex@failco.de" ];
aliases = [
"lx@failco.de"
"alex@failco.de"
];
catchAll = [ "failco.de" "kobjolke.de" ];
catchAll = [
"failco.de"
"kobjolke.de"
];
};
"alex@jakalx.net" = {
@ -396,7 +443,9 @@ in {
};
};
extraVirtualAliases = { "familie@kobjolke.de" = [ "me@failco.de" ]; };
extraVirtualAliases = {
"familie@kobjolke.de" = [ "me@failco.de" ];
};
forwards = {
"anne@kobjolke.de" = "anne.kobjolke@gmail.cem";
@ -410,12 +459,22 @@ in {
virusScanning = true;
};
services.postgresql = { package = pkgs.postgresql_15; };
services.postgresql = {
package = pkgs.postgresql_15;
};
services.roundcube = {
enable = true;
hostName = "mail.failco.de";
dicts = with pkgs.aspellDicts; [ en de ];
plugins = [ "archive" "attachment_reminder" "managesieve" "markasjunk" ];
dicts = with pkgs.aspellDicts; [
en
de
];
plugins = [
"archive"
"attachment_reminder"
"managesieve"
"markasjunk"
];
extraConfig = ''
# starttls needed for authentication, so the fqdn required to match
# the certificate
@ -432,6 +491,4 @@ in {
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "20.09"; # Did you read the comment?
}