jakalx/nixos-config
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

chore: Reformat using rfc formatter

Browse source
This commit is contained in:
Alexander Kobjolke 2024-05-02 23:56:23 +02:00
parent cc47451590
commit b9fa236d7a
1 changed files with 148 additions and 91 deletions
Download patch file Download diff file Expand all files Collapse all files

239
hosts/thrall/default.nix
View file

@ -2,11 +2,17 @@
# your system. Help is available in the configuration.nix(5) man page # your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help). # and in the NixOS manual (accessible by running nixos-help).
{ inputs, lib, config, pkgs, ... }: {
inputs,
lib,
config,
pkgs,
...
}:
let let
authorityFromUrl = url: authorityFromUrl = url: builtins.head (pkgs.lib.drop 1 (pkgs.lib.splitString "://" url));
builtins.head (pkgs.lib.drop 1 (pkgs.lib.splitString "://" url)); in
in { {
disabledModules = [ "services/web-apps/hledger-web.nix" ]; disabledModules = [ "services/web-apps/hledger-web.nix" ];
imports = [ imports = [
@ -48,66 +54,83 @@ in {
# The global useDHCP flag is deprecated, therefore explicitly set to false here. # The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config # Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour. # replicates the default behaviour.
networking = let extIface = "ens3"; networking =
in { let
hostName = "thrall"; extIface = "ens3";
domain = "failco.de"; in
wireless.enable = false; {
useDHCP = false; hostName = "thrall";
enableIPv6 = false; domain = "failco.de";
interfaces.${extIface} = { wireless.enable = false;
ipv4.addresses = [{ useDHCP = false;
address = "195.90.211.228"; enableIPv6 = false;
prefixLength = 22; interfaces.${extIface} = {
}]; ipv4.addresses = [
};
defaultGateway = "195.90.208.1";
nameservers = [ "1.1.1.1" "8.8.8.8" ];
firewall = {
allowedTCPPorts = [ 22 53 80 443 5000 ];
allowedUDPPorts = [ 53 42666 ];
};
# wireguard related config
nat.enable = true;
nat.externalInterface = extIface;
nat.internalInterfaces = [ "wg0" ];
wireguard.interfaces = {
wg0 = {
ips = [ "10.0.0.1/24" ];
listenPort = 42666;
postSetup = ''
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
'';
privateKeyFile = config.age.secrets.wireguard-thrall.path;
peers = [
{ {
# my phone address = "195.90.211.228";
publicKey = "9EaBSNsJW0W/xPMLJ54zr3UNK3bZ/2ULOmhV1gPfSXk="; prefixLength = 22;
allowedIPs = [ "10.0.0.2/32" ];
}
{
# my tablet
publicKey = "NG9y+0RMDTjiG65yC4Z0ymJ0G5fe1mOhl4GyC3xAh1k=";
allowedIPs = [ "10.0.0.3/32" ];
}
{
# homematic
publicKey = "slqWgVksOCav0bASxupaFGqfr6vajxDRNIlZYocONQ4=";
allowedIPs = [ "10.0.0.4/32" ];
} }
]; ];
}; };
defaultGateway = "195.90.208.1";
nameservers = [
"1.1.1.1"
"8.8.8.8"
];
firewall = {
allowedTCPPorts = [
22
53
80
443
5000
];
allowedUDPPorts = [
53
42666
];
};
# wireguard related config
nat.enable = true;
nat.externalInterface = extIface;
nat.internalInterfaces = [ "wg0" ];
wireguard.interfaces = {
wg0 = {
ips = [ "10.0.0.1/24" ];
listenPort = 42666;
postSetup = ''
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
'';
privateKeyFile = config.age.secrets.wireguard-thrall.path;
peers = [
{
# my phone
publicKey = "9EaBSNsJW0W/xPMLJ54zr3UNK3bZ/2ULOmhV1gPfSXk=";
allowedIPs = [ "10.0.0.2/32" ];
}
{
# my tablet
publicKey = "NG9y+0RMDTjiG65yC4Z0ymJ0G5fe1mOhl4GyC3xAh1k=";
allowedIPs = [ "10.0.0.3/32" ];
}
{
# homematic
publicKey = "slqWgVksOCav0bASxupaFGqfr6vajxDRNIlZYocONQ4=";
allowedIPs = [ "10.0.0.4/32" ];
}
];
};
};
}; };
};
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
@ -131,7 +154,14 @@ in {
# List packages installed in system profile. To search, run: # List packages installed in system profile. To search, run:
# $ nix search wget # $ nix search wget
environment.systemPackages = with pkgs; [ wget rsync htop tmux git rclone ]; environment.systemPackages = with pkgs; [
wget
rsync
htop
tmux
git
rclone
];
# Some programs need SUID wrappers, can be configured further or are # Some programs need SUID wrappers, can be configured further or are
# started in user sessions. # started in user sessions.
@ -155,7 +185,11 @@ in {
services.kresd = { services.kresd = {
enable = true; enable = true;
listenPlain = [ "[::1]:53" "127.0.0.1:53" "10.0.0.1:53" ]; listenPlain = [
"[::1]:53"
"127.0.0.1:53"
"10.0.0.1:53"
];
}; };
services.lorri.enable = true; services.lorri.enable = true;
@ -220,9 +254,7 @@ in {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${ proxyPass = "http://127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}/";
toString config.services.forgejo.settings.server.HTTP_PORT
}/";
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
@ -232,8 +264,7 @@ in {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
proxyPass = proxyPass = "http://127.0.0.1:${toString config.services.paperless.port}/";
"http://127.0.0.1:${toString config.services.paperless.port}/";
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
@ -244,9 +275,7 @@ in {
enableACME = true; enableACME = true;
basicAuthFile = config.age.secrets.hledger-web.path; basicAuthFile = config.age.secrets.hledger-web.path;
locations."/" = { locations."/" = {
proxyPass = "http://${config.services.hledger-web.host}:${ proxyPass = "http://${config.services.hledger-web.host}:${toString config.services.hledger-web.port}/";
toString config.services.hledger-web.port
}/";
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
@ -282,7 +311,9 @@ in {
FROM = "noreply@failco.de"; FROM = "noreply@failco.de";
}; };
other = { SHOW_FOOTER_VERSION = false; }; other = {
SHOW_FOOTER_VERSION = false;
};
}; };
}; };
@ -313,7 +344,10 @@ in {
manage = true; manage = true;
}; };
journalFiles = [ "current.journal" ]; journalFiles = [ "current.journal" ];
extraOptions = [ "-B" "--value=then" ]; extraOptions = [
"-B"
"--value=then"
];
}; };
services.fail2ban = { services.fail2ban = {
@ -323,8 +357,12 @@ in {
bantime = "1h"; bantime = "1h";
bantime-increment.enable = true; bantime-increment.enable = true;
ignoreIP = ignoreIP = [
[ "127.0.0.0/8" "195.90.211.228/22" "10.0.0.0/8" "192.168.0.0/16" ]; "127.0.0.0/8"
"195.90.211.228"
"10.0.0.0/8"
"192.168.0.0/16"
];
jails.postfix = '' jails.postfix = ''
filter = postfix filter = postfix
@ -338,10 +376,8 @@ in {
enable = true; enable = true;
user = "alex"; user = "alex";
dataDir = "/home/alex/sync"; dataDir = "/home/alex/sync";
overrideDevices = overrideDevices = true; # overrides any devices added or deleted through the WebUI
true; # overrides any devices added or deleted through the WebUI overrideFolders = true; # overrides any folders added or deleted through the WebUI
overrideFolders =
true; # overrides any folders added or deleted through the WebUI
settings = { settings = {
folders = { folders = {
"org" = { "org" = {
@ -354,17 +390,18 @@ in {
}; };
"paperless" = { "paperless" = {
path = "${config.services.paperless.consumptionDir}"; path = "${config.services.paperless.consumptionDir}";
devices = [ "redmi" "dregil" ]; devices = [
"redmi"
"dregil"
];
}; };
}; };
devices = { devices = {
"redmi" = { "redmi" = {
id = id = "C43WITF-2HS2UCD-X6QFM4H-SC7XQJ7-X5F73EB-7FZHMII-KQNSH5D-NMICIAW";
"C43WITF-2HS2UCD-X6QFM4H-SC7XQJ7-X5F73EB-7FZHMII-KQNSH5D-NMICIAW";
}; };
"dregil" = { "dregil" = {
id = id = "SMVQO7Q-EB2V7PC-B4LP5IN-SM2UUE4-FUI2RI4-LARFW3S-LXHPAT5-FLNY7QH";
"SMVQO7Q-EB2V7PC-B4LP5IN-SM2UUE4-FUI2RI4-LARFW3S-LXHPAT5-FLNY7QH";
}; };
}; };
}; };
@ -373,16 +410,26 @@ in {
mailserver = { mailserver = {
enable = true; enable = true;
fqdn = "thrall.failco.de"; fqdn = "thrall.failco.de";
domains = [ "failco.de" "jakalx.net" "kobjolke.de" ]; domains = [
"failco.de"
"jakalx.net"
"kobjolke.de"
];
loginAccounts = { loginAccounts = {
"me@failco.de" = { "me@failco.de" = {
# nix-shell -p mkpasswd --run 'mkpasswd -sm sha512crypt' # nix-shell -p mkpasswd --run 'mkpasswd -sm sha512crypt'
hashedPasswordFile = config.age.secrets.mailPass.path; hashedPasswordFile = config.age.secrets.mailPass.path;
aliases = [ "lx@failco.de" "alex@failco.de" ]; aliases = [
"lx@failco.de"
"alex@failco.de"
];
catchAll = [ "failco.de" "kobjolke.de" ]; catchAll = [
"failco.de"
"kobjolke.de"
];
}; };
"alex@jakalx.net" = { "alex@jakalx.net" = {
@ -396,7 +443,9 @@ in {
}; };
}; };
extraVirtualAliases = { "familie@kobjolke.de" = [ "me@failco.de" ]; }; extraVirtualAliases = {
"familie@kobjolke.de" = [ "me@failco.de" ];
};
forwards = { forwards = {
"anne@kobjolke.de" = "anne.kobjolke@gmail.cem"; "anne@kobjolke.de" = "anne.kobjolke@gmail.cem";
@ -410,12 +459,22 @@ in {
virusScanning = true; virusScanning = true;
}; };
services.postgresql = { package = pkgs.postgresql_15; }; services.postgresql = {
package = pkgs.postgresql_15;
};
services.roundcube = { services.roundcube = {
enable = true; enable = true;
hostName = "mail.failco.de"; hostName = "mail.failco.de";
dicts = with pkgs.aspellDicts; [ en de ]; dicts = with pkgs.aspellDicts; [
plugins = [ "archive" "attachment_reminder" "managesieve" "markasjunk" ]; en
de
];
plugins = [
"archive"
"attachment_reminder"
"managesieve"
"markasjunk"
];
extraConfig = '' extraConfig = ''
# starttls needed for authentication, so the fqdn required to match # starttls needed for authentication, so the fqdn required to match
# the certificate # the certificate
@ -432,6 +491,4 @@ in {
# Before changing this value read the documentation for this option # Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "20.09"; # Did you read the comment? system.stateVersion = "20.09"; # Did you read the comment?
} }