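# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
#
# NixOS system configuration for the host "thrall" (failco.de): a single
# public-facing VM running the mail stack, nginx reverse proxy, gitea,
# paperless, hledger-web, syncthing and a WireGuard endpoint.

{ config, pkgs, ... }:

let
  # Virtual host name shared by the nginx vhost and hledger-web's baseUrl so the
  # two cannot drift apart.
  ledgerVHost = "ledger.failco.de";
in
{
  imports = [
    ./hardware-configuration.nix
    ../../modules/upgrade-pg-cluster.nix
    ../../modules/nix-config.nix
    ../../modules/iohk.nix
    ../../modules/timezone.nix
  ];

  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
  # boot.loader.grub.efiSupport = true;
  # boot.loader.grub.efiInstallAsRemovable = true;
  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
  # Define on which hard drive you want to install Grub.
  boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only
  # boot.loader.systemd-boot.enable = true;

  # agenix-managed secrets. Each entry is decrypted at activation and exposed via
  # config.age.secrets.<name>.path; the consumers below reference those paths
  # rather than embedding secret material in the store.
  age.secrets = {
    mailPass.file = ../../secrets/mailPass.age;
    paperless-mail.file = ../../secrets/paperless-mail.age;
    wireguard-thrall.file = ../../secrets/wireguard-thrall.age;
    hledger-web = {
      file = ../../secrets/hledger-web.htaccess.age;
      # htpasswd file consumed by nginx (basicAuthFile below), so it is made
      # readable by the nginx user/group only.
      mode = "440";
      owner = config.services.nginx.user;
      group = config.services.nginx.group;
    };
  };

  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
  # Per-interface useDHCP will be mandatory in the future, so this generated config
  # replicates the default behaviour.
  networking =
    let
      # Name of the public (provider-facing) interface; used for the static
      # address, NAT and the WireGuard masquerade rules.
      extIface = "ens3";
    in
    {
      hostName = "thrall";
      domain = "failco.de";
      wireless.enable = false;
      useDHCP = false;
      enableIPv6 = false;
      interfaces.${extIface} = {
        ipv4.addresses = [{
          address = "195.90.211.228";
          prefixLength = 22;
        }];
      };
      defaultGateway = "195.90.208.1";
      nameservers = [ "1.1.1.1" "8.8.8.8" ];

      firewall = {
        # Ports reachable on every interface: ssh, http(s), the WireGuard
        # endpoint (UDP 42666) and TCP 5000.
        # NOTE(review): nothing in this file listens on 5000 — confirm it is
        # still needed before keeping it exposed.
        allowedTCPPorts = [ 22 80 443 5000 ];
        allowedUDPPorts = [ 42666 ];
        # kresd (services.kresd below) only listens on loopback and on
        # 10.0.0.1, the WireGuard address, so DNS is opened on the tunnel
        # interface only instead of on the public interface as well.
        # Loopback traffic is always accepted by the NixOS firewall.
        interfaces.wg0 = {
          allowedTCPPorts = [ 53 ];
          allowedUDPPorts = [ 53 ];
        };
      };

      # wireguard related config
      nat.enable = true;
      nat.externalInterface = extIface;
      nat.internalInterfaces = [ "wg0" ];
      wireguard.interfaces = {
        wg0 = {
          ips = [ "10.0.0.1/24" ];
          listenPort = 42666;
          # NOTE(review): these hand-written FORWARD/MASQUERADE rules overlap
          # with what nat.internalInterfaces already sets up; presumably kept
          # from before the nat.* options were added — verify whether both are
          # still required.
          postSetup = ''
            ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
            ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
          '';
          postShutdown = ''
            ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
            ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
          '';
          # Private key comes from agenix, never from the Nix store.
          privateKeyFile = config.age.secrets.wireguard-thrall.path;
          # Each peer is pinned to a single /32 inside the tunnel subnet.
          peers = [
            { # my phone
              publicKey = "9EaBSNsJW0W/xPMLJ54zr3UNK3bZ/2ULOmhV1gPfSXk=";
              allowedIPs = [ "10.0.0.2/32" ];
            }
            { # my tablet
              publicKey = "NG9y+0RMDTjiG65yC4Z0ymJ0G5fe1mOhl4GyC3xAh1k=";
              allowedIPs = [ "10.0.0.3/32" ];
            }
            { # homematic
              publicKey = "slqWgVksOCav0bASxupaFGqfr6vajxDRNIlZYocONQ4=";
              allowedIPs = [ "10.0.0.4/32" ];
            }
          ];
        };
      };
    };

  security.acme = {
    acceptTerms = true;
    defaults.email = "alex@jakalx.net";
  };

  security.sudo = {
    enable = true;
    execWheelOnly = true;
    # NOTE(review): nixos-rebuild can activate an arbitrary configuration, so a
    # passwordless nixos-rebuild for wheel is effectively passwordless root for
    # that group; acceptable only if wheel membership is tightly controlled.
    extraRules = [{
      groups = [ "wheel" ];
      commands = [{
        command = "/run/current-system/sw/bin/nixos-rebuild";
        options = [ "NOPASSWD" ];
      }];
    }];
  };

  # Select internationalization properties.
  i18n.defaultLocale = "en_US.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = "dvorak";
  };

  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.users.alex = {
    isNormalUser = true;
    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
    shell = pkgs.zsh;
  };

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    wget
    rsync
    htop
    tmux
    git
    #agenix.defaultPackage.x86_64-linux
    restic # fast and secure backup
    rclone
  ];

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
  };

  programs.mosh.enable = true;

  programs.neovim = {
    enable = true;
    defaultEditor = true;
    viAlias = true;
    vimAlias = true;
  };

  # enable zsh globally in order to get home.sessionPath to propagate :()
  programs.zsh.enable = true;

  # List services that you want to enable:

  # depending on wireguard
  # Resolver for the WireGuard peers: bound to loopback and the tunnel address
  # only, never to the public interface.
  services.kresd = {
    enable = true;
    listenPlain = [ "[::1]:53" "127.0.0.1:53" "10.0.0.1:53" ];
  };

  # Enable the OpenSSH daemon.
  # NOTE(review): authentication settings are left at the module defaults here;
  # once key-based login is confirmed, services.openssh.settings.PasswordAuthentication
  # = false would remove the password surface that fail2ban below otherwise has to cover.
  services.openssh.enable = true;

  services.lorri.enable = true;

  # configure backup via restic to gdrive
  services.restic.backups = { };

  services.keybase = { enable = true; };

  services.nginx = {
    enable = true;
    statusPage = true;
    clientMaxBodySize = "64m";
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
  };

  # All vhosts force TLS with ACME certificates; application vhosts proxy to
  # services bound on 127.0.0.1 so the backends are reachable only via nginx.
  services.nginx.virtualHosts = {
    # main site
    "failco.de" = {
      forceSSL = true;
      enableACME = true;
      root = "/srv/www/failco.de";
      serverAliases = [ "www.failco.de" ];
      extraConfig = ''
        add_header X-Frame-Options 'SAMEORIGIN';
      '';
      locations."/photo-groove" = {
        proxyPass = "http://127.0.0.1:8000/";
        proxyWebsockets = true;
      };
    };
    "www.jakalx.net" = {
      forceSSL = true;
      enableACME = true;
      root = "/srv/www/jakalx.net";
      serverAliases = [ "jakalx.net" ];
      extraConfig = ''
        add_header X-Frame-Options 'SAMEORIGIN';
      '';
    };
    "kobjolke.de" = {
      forceSSL = true;
      enableACME = true;
      root = "/srv/www/kobjolke.de";
      serverAliases = [ "www.kobjolke.de" ];
      extraConfig = ''
        add_header X-Frame-Options 'SAMEORIGIN';
      '';
    };
    # gitea
    "git.failco.de" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:3001/";
        proxyWebsockets = true;
      };
    };
    # paperless
    "docs.failco.de" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:3002/";
        proxyWebsockets = true;
      };
    };
    # hledger
    # hledger-web has manage capability enabled below, so the vhost is gated
    # behind nginx basic auth (htpasswd file from agenix).
    "${ledgerVHost}" = {
      forceSSL = true;
      enableACME = true;
      basicAuthFile = config.age.secrets.hledger-web.path;
      locations."/" = {
        proxyPass = "http://${config.services.hledger-web.host}:${
          toString config.services.hledger-web.port
        }/";
        proxyWebsockets = true;
      };
    };
  };

  services.gitea = {
    enable = true;
    database.type = "sqlite3";
    lfs.enable = true;
    settings = {
      # Invite-only: no self-service account creation.
      service.DISABLE_REGISTRATION = true;
      server = {
        DOMAIN = "git.failco.de";
        ROOT_URL = "https://git.failco.de";
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = 3001;
      };
      # NOTE(review): submits cleartext on port 25 to this host's own postfix
      # (mailserver.fqdn below); fine as long as no credentials are configured
      # for this mailer — confirm.
      mailer = {
        ENABLED = true;
        MAILER_TYPE = "smtp";
        FROM = "git@failco.de";
        HOST = "thrall.failco.de:25";
        IS_TLS_ENABLED = false;
      };
    };
  };

  services.paperless = {
    enable = true;
    address = "127.0.0.1";
    port = 3002;
    # NOTE(review): presumably set so the scanner/syncthing user can drop files
    # into the consumption directory; this also lets any local user feed
    # documents into paperless — confirm that is intended.
    consumptionDirIsPublic = true;
    extraConfig = {
      PAPERLESS_OCR_LANGUAGE = "deu+eng";
      PAPERLESS_URL = "https://docs.failco.de";
    };
  };

  services.hledger-web = {
    enable = true;
    baseUrl = "https://${ledgerVHost}";
    port = 3003;
    # Full read/write access; authentication is enforced by the nginx vhost.
    capabilities = {
      view = true;
      add = true;
      manage = true;
    };
    journalFiles = [ "current.journal" ];
    extraOptions = [ "-B" "--value=then" ];
  };

  services.fail2ban = {
    enable = true;
    maxretry = 5;
    bantime = "1h";
    bantime-increment.enable = true;
    # NOTE(review): "195.90.211.228/22" exempts the whole provider /22, not just
    # this host; if only self-exemption is intended, a /32 would be narrower.
    ignoreIP = [ "127.0.0.0/8" "195.90.211.228/22" "10.0.0.0/8" "192.168.0.0/16" ];
    jails.postfix = ''
      filter = postfix
      maxretry = 3
      action = iptables[name=postfix, port=smtp, protocol=tcp]
      enabled = true
    '';
  };

  services.syncthing = {
    enable = true;
    user = "alex";
    dataDir = "/home/alex/sync";
    overrideDevices = true; # overrides any devices added or deleted through the WebUI
    overrideFolders = true; # overrides any folders added or deleted through the WebUI
    settings = {
      folders = {
        "org" = {
          path = "/home/alex/org";
          devices = [ "redmi" ];
        };
        "scan" = {
          path = "/home/alex/media/scan";
          devices = [ "redmi" ];
        };
      };
      devices = {
        "redmi" = {
          id = "C43WITF-2HS2UCD-X6QFM4H-SC7XQJ7-X5F73EB-7FZHMII-KQNSH5D-NMICIAW";
        };
      };
    };
  };

  mailserver = {
    enable = true;
    fqdn = "thrall.failco.de";
    domains = [ "failco.de" "jakalx.net" "kobjolke.de" ];
    # Password hashes live in agenix secrets; two accounts share mailPass.
    loginAccounts = {
      "me@failco.de" = {
        # nix-shell -p mkpasswd --run 'mkpasswd -sm sha512crypt'
        hashedPasswordFile = config.age.secrets.mailPass.path;
        aliases = [ "lx@failco.de" "alex@failco.de" ];
        catchAll = [ "failco.de" "kobjolke.de" ];
      };
      "alex@jakalx.net" = {
        hashedPasswordFile = config.age.secrets.mailPass.path;
        catchAll = [ "jakalx.net" ];
      };
      "archive@failco.de" = {
        hashedPasswordFile = config.age.secrets.paperless-mail.path;
      };
    };
    forwards = {
      # NOTE(review): destination TLD is ".cem" — confirm this is intended and
      # not a typo, since mail to this alias would otherwise bounce.
      "anne@kobjolke.de" = "anne.kobjolke@gmail.cem";
      "alex@kobjolke.de" = "me@failco.de";
    };
    # Reuse the nginx/ACME certificates for postfix/dovecot.
    certificateScheme = "acme-nginx";
    enableImapSsl = true;
    enableManageSieve = true;
    virusScanning = true;
  };

  services.postgresql = {
    package = pkgs.postgresql_15;
  };

  services.roundcube = {
    enable = true;
    hostName = "mail.failco.de";
    dicts = with pkgs.aspellDicts; [ en de ];
    plugins = [ "archive" "attachment_reminder" "managesieve" "markasjunk" ];
    extraConfig = ''
      # starttls needed for authentication, so the fqdn required to match
      # the certificate
      $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
      $config['smtp_user'] = "%u";
      $config['smtp_pass'] = "%p";
    '';
  };

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "20.09"; # Did you read the comment?
}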