Compare commits


No commits in common. "7767c0a3182213f69deb91aa676fd02f3b4b128e" and "77898172f1fdde7bf6a8480a20d59b5b9dcfed38" have entirely different histories.

2 changed files with 96 additions and 154 deletions


@ -141,7 +141,7 @@
(setq! bibtex-completion-bibliography ak/bibliography) (setq! bibtex-completion-bibliography ak/bibliography)
(setq! citar-bibliography ak/bibliography) (setq! citar-bibliography ak/bibliography)
(use-package! ledger-mode (use-package! ledger
:config :config
(setq (setq
;; Use an ISO date format for ledger entries ;; Use an ISO date format for ledger entries
@ -254,13 +254,12 @@
(use-package! denote (use-package! denote
:after org :after org
:config :config
(setq denote-directory (concat org-directory "/notes")) (setq denote-directory (concat org-directory "/notes")
(require 'denote-journal-extras)
(setq denote-journal-extras-title-format 'day-date-month-year) )
(map! :leader (map! :leader
(:prefix ("n" . "notes") (:prefix ("n" . "notes")
:desc "Denote" "d" #'denote-open-or-create-with-command :desc "Denote" "d" #'denote-open-or-create-with-command
:desc "New journal entry" "j" #'denote-journal-extras-new-or-existing-entry
)) ))
:bind :bind
(("C-c n d" . #'denote-open-or-create-with-command)) (("C-c n d" . #'denote-open-or-create-with-command))
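Review bot: In the first hunk the right-hand column, which looks like the new side, declares `(use-package! ledger` where the other column has `(use-package! ledger-mode`. As far as I know the package provides the feature `ledger-mode`, not `ledger`, so under that name the `:config` body (the ISO date format setting and whatever follows it) would likely never be evaluated. Keeping `(use-package! ledger-mode` leaves the settings attached to the mode. The form continues past the end of the hunk, so the rest of the `:config` block is not visible here.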


@ -2,17 +2,11 @@
# your system. Help is available in the configuration.nix(5) man page # your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help). # and in the NixOS manual (accessible by running nixos-help).
{ { inputs, lib, config, pkgs, ... }:
inputs,
lib,
config,
pkgs,
...
}:
let let
authorityFromUrl = url: builtins.head (pkgs.lib.drop 1 (pkgs.lib.splitString "://" url)); authorityFromUrl = url:
in builtins.head (pkgs.lib.drop 1 (pkgs.lib.splitString "://" url));
{ in {
disabledModules = [ "services/web-apps/hledger-web.nix" ]; disabledModules = [ "services/web-apps/hledger-web.nix" ];
imports = [ imports = [
@ -54,83 +48,66 @@ in
# The global useDHCP flag is deprecated, therefore explicitly set to false here. # The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config # Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour. # replicates the default behaviour.
networking = networking = let extIface = "ens3";
let in {
extIface = "ens3"; hostName = "thrall";
in domain = "failco.de";
{ wireless.enable = false;
hostName = "thrall"; useDHCP = false;
domain = "failco.de"; enableIPv6 = false;
wireless.enable = false; interfaces.${extIface} = {
useDHCP = false; ipv4.addresses = [{
enableIPv6 = false; address = "195.90.211.228";
interfaces.${extIface} = { prefixLength = 22;
ipv4.addresses = [ }];
};
defaultGateway = "195.90.208.1";
nameservers = [ "1.1.1.1" "8.8.8.8" ];
firewall = {
allowedTCPPorts = [ 22 53 80 443 5000 ];
allowedUDPPorts = [ 53 42666 ];
};
# wireguard related config
nat.enable = true;
nat.externalInterface = extIface;
nat.internalInterfaces = [ "wg0" ];
wireguard.interfaces = {
wg0 = {
ips = [ "10.0.0.1/24" ];
listenPort = 42666;
postSetup = ''
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
'';
privateKeyFile = config.age.secrets.wireguard-thrall.path;
peers = [
{ {
address = "195.90.211.228"; # my phone
prefixLength = 22; publicKey = "9EaBSNsJW0W/xPMLJ54zr3UNK3bZ/2ULOmhV1gPfSXk=";
allowedIPs = [ "10.0.0.2/32" ];
}
{
# my tablet
publicKey = "NG9y+0RMDTjiG65yC4Z0ymJ0G5fe1mOhl4GyC3xAh1k=";
allowedIPs = [ "10.0.0.3/32" ];
}
{
# homematic
publicKey = "slqWgVksOCav0bASxupaFGqfr6vajxDRNIlZYocONQ4=";
allowedIPs = [ "10.0.0.4/32" ];
} }
]; ];
}; };
defaultGateway = "195.90.208.1";
nameservers = [
"1.1.1.1"
"8.8.8.8"
];
firewall = {
allowedTCPPorts = [
22
53
80
443
5000
];
allowedUDPPorts = [
53
42666
];
};
# wireguard related config
nat.enable = true;
nat.externalInterface = extIface;
nat.internalInterfaces = [ "wg0" ];
wireguard.interfaces = {
wg0 = {
ips = [ "10.0.0.1/24" ];
listenPort = 42666;
postSetup = ''
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
'';
privateKeyFile = config.age.secrets.wireguard-thrall.path;
peers = [
{
# my phone
publicKey = "9EaBSNsJW0W/xPMLJ54zr3UNK3bZ/2ULOmhV1gPfSXk=";
allowedIPs = [ "10.0.0.2/32" ];
}
{
# my tablet
publicKey = "NG9y+0RMDTjiG65yC4Z0ymJ0G5fe1mOhl4GyC3xAh1k=";
allowedIPs = [ "10.0.0.3/32" ];
}
{
# homematic
publicKey = "slqWgVksOCav0bASxupaFGqfr6vajxDRNIlZYocONQ4=";
allowedIPs = [ "10.0.0.4/32" ];
}
];
};
};
}; };
};
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
@ -154,14 +131,7 @@ in
# List packages installed in system profile. To search, run: # List packages installed in system profile. To search, run:
# $ nix search wget # $ nix search wget
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [ wget rsync htop tmux git rclone ];
wget
rsync
htop
tmux
git
rclone
];
# Some programs need SUID wrappers, can be configured further or are # Some programs need SUID wrappers, can be configured further or are
# started in user sessions. # started in user sessions.
@ -185,11 +155,7 @@ in
services.kresd = { services.kresd = {
enable = true; enable = true;
listenPlain = [ listenPlain = [ "[::1]:53" "127.0.0.1:53" "10.0.0.1:53" ];
"[::1]:53"
"127.0.0.1:53"
"10.0.0.1:53"
];
}; };
services.lorri.enable = true; services.lorri.enable = true;
@ -254,7 +220,9 @@ in
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}/"; proxyPass = "http://127.0.0.1:${
toString config.services.forgejo.settings.server.HTTP_PORT
}/";
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
@ -264,7 +232,8 @@ in
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.paperless.port}/"; proxyPass =
"http://127.0.0.1:${toString config.services.paperless.port}/";
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
@ -275,7 +244,9 @@ in
enableACME = true; enableACME = true;
basicAuthFile = config.age.secrets.hledger-web.path; basicAuthFile = config.age.secrets.hledger-web.path;
locations."/" = { locations."/" = {
proxyPass = "http://${config.services.hledger-web.host}:${toString config.services.hledger-web.port}/"; proxyPass = "http://${config.services.hledger-web.host}:${
toString config.services.hledger-web.port
}/";
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
@ -311,9 +282,7 @@ in
FROM = "noreply@failco.de"; FROM = "noreply@failco.de";
}; };
other = { other = { SHOW_FOOTER_VERSION = false; };
SHOW_FOOTER_VERSION = false;
};
}; };
}; };
@ -344,10 +313,7 @@ in
manage = true; manage = true;
}; };
journalFiles = [ "current.journal" ]; journalFiles = [ "current.journal" ];
extraOptions = [ extraOptions = [ "-B" "--value=then" ];
"-B"
"--value=then"
];
}; };
services.fail2ban = { services.fail2ban = {
@ -357,12 +323,8 @@ in
bantime = "1h"; bantime = "1h";
bantime-increment.enable = true; bantime-increment.enable = true;
ignoreIP = [ ignoreIP =
"127.0.0.0/8" [ "127.0.0.0/8" "195.90.211.228/22" "10.0.0.0/8" "192.168.0.0/16" ];
"195.90.211.228"
"10.0.0.0/8"
"192.168.0.0/16"
];
jails.postfix = '' jails.postfix = ''
filter = postfix filter = postfix
@ -376,8 +338,10 @@ in
enable = true; enable = true;
user = "alex"; user = "alex";
dataDir = "/home/alex/sync"; dataDir = "/home/alex/sync";
overrideDevices = true; # overrides any devices added or deleted through the WebUI overrideDevices =
overrideFolders = true; # overrides any folders added or deleted through the WebUI true; # overrides any devices added or deleted through the WebUI
overrideFolders =
true; # overrides any folders added or deleted through the WebUI
settings = { settings = {
folders = { folders = {
"org" = { "org" = {
@ -390,18 +354,17 @@ in
}; };
"paperless" = { "paperless" = {
path = "${config.services.paperless.consumptionDir}"; path = "${config.services.paperless.consumptionDir}";
devices = [ devices = [ "redmi" "dregil" ];
"redmi"
"dregil"
];
}; };
}; };
devices = { devices = {
"redmi" = { "redmi" = {
id = "C43WITF-2HS2UCD-X6QFM4H-SC7XQJ7-X5F73EB-7FZHMII-KQNSH5D-NMICIAW"; id =
"C43WITF-2HS2UCD-X6QFM4H-SC7XQJ7-X5F73EB-7FZHMII-KQNSH5D-NMICIAW";
}; };
"dregil" = { "dregil" = {
id = "SMVQO7Q-EB2V7PC-B4LP5IN-SM2UUE4-FUI2RI4-LARFW3S-LXHPAT5-FLNY7QH"; id =
"SMVQO7Q-EB2V7PC-B4LP5IN-SM2UUE4-FUI2RI4-LARFW3S-LXHPAT5-FLNY7QH";
}; };
}; };
}; };
@ -410,26 +373,16 @@ in
mailserver = { mailserver = {
enable = true; enable = true;
fqdn = "thrall.failco.de"; fqdn = "thrall.failco.de";
domains = [ domains = [ "failco.de" "jakalx.net" "kobjolke.de" ];
"failco.de"
"jakalx.net"
"kobjolke.de"
];
loginAccounts = { loginAccounts = {
"me@failco.de" = { "me@failco.de" = {
# nix-shell -p mkpasswd --run 'mkpasswd -sm sha512crypt' # nix-shell -p mkpasswd --run 'mkpasswd -sm sha512crypt'
hashedPasswordFile = config.age.secrets.mailPass.path; hashedPasswordFile = config.age.secrets.mailPass.path;
aliases = [ aliases = [ "lx@failco.de" "alex@failco.de" ];
"lx@failco.de"
"alex@failco.de"
];
catchAll = [ catchAll = [ "failco.de" "kobjolke.de" ];
"failco.de"
"kobjolke.de"
];
}; };
"alex@jakalx.net" = { "alex@jakalx.net" = {
@ -443,9 +396,7 @@ in
}; };
}; };
extraVirtualAliases = { extraVirtualAliases = { "familie@kobjolke.de" = [ "me@failco.de" ]; };
"familie@kobjolke.de" = [ "me@failco.de" ];
};
forwards = { forwards = {
"anne@kobjolke.de" = "anne.kobjolke@gmail.cem"; "anne@kobjolke.de" = "anne.kobjolke@gmail.cem";
@ -459,22 +410,12 @@ in
virusScanning = true; virusScanning = true;
}; };
services.postgresql = { services.postgresql = { package = pkgs.postgresql_15; };
package = pkgs.postgresql_15;
};
services.roundcube = { services.roundcube = {
enable = true; enable = true;
hostName = "mail.failco.de"; hostName = "mail.failco.de";
dicts = with pkgs.aspellDicts; [ dicts = with pkgs.aspellDicts; [ en de ];
en plugins = [ "archive" "attachment_reminder" "managesieve" "markasjunk" ];
de
];
plugins = [
"archive"
"attachment_reminder"
"managesieve"
"markasjunk"
];
extraConfig = '' extraConfig = ''
# starttls needed for authentication, so the fqdn required to match # starttls needed for authentication, so the fqdn required to match
# the certificate # the certificate
@ -491,4 +432,6 @@ in
# Before changing this value read the documentation for this option # Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "20.09"; # Did you read the comment? system.stateVersion = "20.09"; # Did you read the comment?
} }
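Review bot: In the `services.fail2ban` hunk the `ignoreIP` list in the right-hand column, which appears to be the new side, holds `"195.90.211.228/22"` where the other column has the bare host address `"195.90.211.228"`. With the prefix length attached, fail2ban exempts the entire /22 the interface sits in (every neighbouring address in the provider's network) instead of only this host, so brute-force attempts from those addresses would never be banned. If the aim is just to avoid self-banning, keep the single address, `"195.90.211.228"`. The `"10.0.0.0/8"` and `"192.168.0.0/16"` entries are likewise much wider than the `10.0.0.0/24` WireGuard range this file configures and could be narrowed to it. The other changes in this file look like formatting only.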