jakalx/nixos-config
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
nixos-config/hosts/thrall/default.nix

504 lines
13 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{
inputs,
lib,
config,
pkgs,
...
}:
let
authorityFromUrl = url: builtins.head (pkgs.lib.drop 1 (pkgs.lib.splitString "://" url));
in
{
disabledModules = [ "services/web-apps/hledger-web.nix" ];
imports = [
./hardware-configuration.nix
inputs.snm.nixosModule
inputs.agenix.nixosModules.age
../../modules/security.nix
../../modules/sudo.nix
../../modules/upgrade-pg-cluster.nix
../../modules/nix-config.nix
../../modules/iohk.nix
../../modules/timezone.nix
../../modules/keybase.nix
../../modules/ssh.nix
../../modules/hledger-web.nix
../../modules/tailscale
../../modules/mosh.nix
../../modules/nh.nix
];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
# boot.loader.grub.efiSupport = true;
# boot.loader.grub.efiInstallAsRemovable = true;
# boot.loader.efi.efiSysMountPoint = "/boot/efi";
# Define on which hard drive you want to install Grub.
boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only
# boot.loader.systemd-boot.enable = true;
age.secrets = {
mailPass.file = ../../secrets/mailPass.age;
paperless-mail.file = ../../secrets/paperless-mail.age;
wireguard-thrall.file = ../../secrets/wireguard-thrall.age;
hledger-web = {
file = ../../secrets/hledger-web.htaccess.age;
mode = "440";
owner = config.services.nginx.user;
group = config.services.nginx.group;
};
};
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking =
let
extIface = "ens3";
in
{
hostName = "thrall";
domain = "failco.de";
wireless.enable = false;
useDHCP = false;
enableIPv6 = false;
interfaces.${extIface} = {
ipv4.addresses = [
{
address = "195.90.211.228";
prefixLength = 22;
}
];
};
defaultGateway = "195.90.208.1";
nameservers = [
"8.8.8.8"
"8.8.4.4"
];
firewall = {
allowedTCPPorts = [
22
53
80
443
5000
40005 # syncthing
];
allowedUDPPorts = [
53
];
};
# wireguard related config
nat.enable = true;
nat.externalInterface = extIface;
nat.internalInterfaces = [ "wg0" ];
wireguard.interfaces = {
wg0 = {
ips = [ "10.0.0.1/24" ];
listenPort = 42666;
postSetup = ''
${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o ${extIface} -j MASQUERADE
'';
privateKeyFile = config.age.secrets.wireguard-thrall.path;
peers = [
{
# my phone
publicKey = "9EaBSNsJW0W/xPMLJ54zr3UNK3bZ/2ULOmhV1gPfSXk=";
allowedIPs = [ "10.0.0.2/32" ];
}
{
# my tablet
publicKey = "NG9y+0RMDTjiG65yC4Z0ymJ0G5fe1mOhl4GyC3xAh1k=";
allowedIPs = [ "10.0.0.3/32" ];
}
{
# homematic
publicKey = "slqWgVksOCav0bASxupaFGqfr6vajxDRNIlZYocONQ4=";
allowedIPs = [ "10.0.0.4/32" ];
}
];
};
};
};
security.acme = {
acceptTerms = true;
defaults.email = "alex@jakalx.net";
};
# Select internationalization properties.
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "dvorak";
};
# Define a user account. Don't forget to set a password with passwd.
users.users.alex = {
description = "Alexander Kobjolke";
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user.
shell = pkgs.zsh;
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
wget
rsync
htop
tmux
git
rclone
];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
programs.neovim = {
enable = true;
defaultEditor = true;
viAlias = true;
vimAlias = true;
};
# enable zsh globally in order to get home.sessionPath to propagate :()
programs.zsh.enable = true;
# List services that you want to enable:
services.kresd = {
enable = true;
listenPlain = [
"[::1]:53"
"127.0.0.1:53"
"10.0.0.1:53"
];
};
services.lorri.enable = true;
# configure backup via restic to gdrive
services.restic.backups = { };
services.nginx = {
enable = true;
statusPage = true;
clientMaxBodySize = "64m";
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
};
services.nginx.virtualHosts = {
# main site
"failco.de" = {
forceSSL = true;
enableACME = true;
root = "/srv/www/failco.de";
serverAliases = [ "www.failco.de" ];
extraConfig = ''
add_header X-Frame-Options 'SAMEORIGIN';
'';
locations."/photo-groove" = {
proxyPass = "http://127.0.0.1:8000/";
proxyWebsockets = true;
};
locations."/elfeed" = {
proxyPass = "http://127.0.0.1:8080/elfeed";
proxyWebsockets = true;
};
};
"www.jakalx.net" = {
forceSSL = true;
enableACME = true;
root = "/srv/www/jakalx.net";
serverAliases = [ "jakalx.net" ];
extraConfig = ''
add_header X-Frame-Options 'SAMEORIGIN';
'';
};
"kobjolke.de" = {
forceSSL = true;
enableACME = true;
root = "/srv/www/kobjolke.de";
serverAliases = [ "www.kobjolke.de" ];
extraConfig = ''
add_header X-Frame-Options 'SAMEORIGIN';
'';
};
# forgejo - git web frontend
"${config.services.forgejo.settings.server.DOMAIN}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}/";
proxyWebsockets = true;
};
};
# paperless
"${authorityFromUrl config.services.paperless.settings.PAPERLESS_URL}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.paperless.port}/";
proxyWebsockets = true;
};
};
# hledger
"${authorityFromUrl config.services.hledger-web.baseUrl}" = {
forceSSL = true;
enableACME = true;
basicAuthFile = config.age.secrets.hledger-web.path;
locations."/" = {
proxyPass = "http://${config.services.hledger-web.host}:${toString config.services.hledger-web.port}/";
proxyWebsockets = true;
};
};
};
users.users.git = {
home = config.services.forgejo.stateDir;
useDefaultShell = true;
group = config.services.forgejo.group;
isSystemUser = true;
};
services.forgejo = {
enable = true;
user = "git";
database.type = "sqlite3";
lfs.enable = true;
settings = {
service.DISABLE_REGISTRATION = true;
server = {
DOMAIN = "git.failco.de";
ROOT_URL = "https://git.failco.de";
HTTP_ADDR = "127.0.0.1";
HTTP_PORT = 3001;
};
mailer = {
ENABLED = true;
PROTOCOL = "smtp";
SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail";
FROM = "noreply@failco.de";
};
other = {
SHOW_FOOTER_VERSION = false;
};
};
};
services.paperless = {
enable = true;
address = "127.0.0.1";
port = 3002;
consumptionDirIsPublic = true;
settings = {
PAPERLESS_OCR_LANGUAGE = "deu+eng";
PAPERLESS_OCR_USER_ARGS = ''{"invalidate_digital_signatures": true}'';
PAPERLESS_URL = "https://docs.failco.de";
PAPERLESS_CONSUMER_RECURSIVE = true;
PAPERLESS_CONSUMER_SUBDIRS_AS_TAGS = true;
# workaround for classification getting stuck, see
# https://github.com/NixOS/nixpkgs/issues/240591#issuecomment-1915678490
OMP_NUM_THREADS = 1;
};
};
services.hledger-web = {
enable = true;
baseUrl = "https://ledger.failco.de";
port = 3003;
capabilities = {
view = true;
add = true;
manage = true;
};
journalFiles = [ "current.journal" ];
extraOptions = [
"-B"
"--value=then"
];
};
services.fail2ban = {
enable = true;
maxretry = 5;
bantime = "1h";
bantime-increment.enable = true;
ignoreIP = [
"127.0.0.0/8"
"195.90.211.228"
"10.0.0.0/8"
"192.168.0.0/16"
];
jails.postfix = ''
filter = postfix
maxretry = 3
action = iptables[name=postfix, port=smtp, protocol=tcp]
enabled = true
'';
};
services.syncthing = {
enable = true;
user = "alex";
dataDir = "/home/alex/sync";
overrideDevices = true; # overrides any devices added or deleted through the WebUI
overrideFolders = true; # overrides any folders added or deleted through the WebUI
settings = {
folders = {
"org" = {
path = "/home/alex/org";
devices = [ "redmi" ];
};
"paperless" = {
path = "${config.services.paperless.consumptionDir}";
devices = [
"redmi"
"dregil"
"igor"
];
};
};
devices = {
redmi = {
id = "C43WITF-2HS2UCD-X6QFM4H-SC7XQJ7-X5F73EB-7FZHMII-KQNSH5D-NMICIAW";
};
dregil = {
id = "SMVQO7Q-EB2V7PC-B4LP5IN-SM2UUE4-FUI2RI4-LARFW3S-LXHPAT5-FLNY7QH";
};
igor = {
id = "NHSYYF6-I5GWMTI-2SQ6PIA-EU3TYZF-3I7BI3K-QTSRGCT-QVLSFG4-74TL2QW";
};
};
};
};
mailserver = {
enable = true;
stateVersion = 3;
fqdn = "thrall.failco.de";
domains = [
"failco.de"
"jakalx.net"
"kobjolke.de"
];
loginAccounts = {
"me@failco.de" = {
# nix-shell -p mkpasswd --run 'mkpasswd -sm sha512crypt'
hashedPasswordFile = config.age.secrets.mailPass.path;
aliases = [
"lx@failco.de"
"alex@failco.de"
"abuse@failco.de"
"postmaster@failco.de"
"abuse@kobjolke.de"
"postmaster@kobjolke.de"
"abuse@jakalx.net"
"postmaster@jakalx.net"
];
catchAll = [
];
};
"alex@jakalx.net" = {
hashedPasswordFile = config.age.secrets.mailPass.path;
};
"archive@failco.de" = {
hashedPasswordFile = config.age.secrets.paperless-mail.path;
};
};
extraVirtualAliases = {
"alex@kobjolke.de" = [ "me@failco.de" ];
};
forwards = {
"familie@kobjolke.de" = [
"alex@kobjolke.de"
"anne@kobjolke.de"
];
"anne@kobjolke.de" = "anne.kobjolke@gmail.com";
"alexander@kobjolke.de" = "alex@kobjolke.de";
};
certificateScheme = "acme-nginx";
enableImapSsl = true;
enableManageSieve = true;
virusScanning = true;
};
services.postgresql = {
package = pkgs.postgresql_15;
};
services.roundcube = {
enable = true;
hostName = "mail.failco.de";
dicts = with pkgs.aspellDicts; [
en
de
];
plugins = [
"archive"
"attachment_reminder"
"managesieve"
"markasjunk"
];
extraConfig = ''
# starttls needed for authentication, so the fqdn required to match
# the certificate
$config['smtp_server'] = "tls://${config.mailserver.fqdn}";
$config['smtp_user'] = "%u";
$config['smtp_pass'] = "%p";
'';
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "20.09"; # Did you read the comment?
}
Reference in a new issue View git blame Copy permalink