From 16d4ec69286206762d0ee9fe1f443aba893eb735 Mon Sep 17 00:00:00 2001 
From: m3tam3re Date: Tue, 18 Jul 2023 12:53:55 +0200 Subject: [PATCH] m3-r1 --- flake.nix | 19 +++ home/features/coding/default.nix | 18 +- home/features/desktop/media.nix | 1 + home/users/m3tam3re/m3-r1.nix | 12 ++ hosts/m3-r1/default.nix | 69 ++++++++ hosts/m3-r1/hardware-configuration.nix | 55 ++++++ hosts/m3-r1/services/container.nix | 11 ++ hosts/m3-r1/services/containers/baserow.nix | 25 +++ .../m3-r1/services/containers/briefkasten.nix | 8 + hosts/m3-r1/services/containers/default.nix | 12 ++ .../m3-r1/services/containers/little-link.nix | 14 ++ hosts/m3-r1/services/containers/matomo.nix | 16 ++ hosts/m3-r1/services/containers/mautic.nix | 16 ++ hosts/m3-r1/services/containers/nextcloud.nix | 14 ++ hosts/m3-r1/services/containers/nginx.nix | 8 + hosts/m3-r1/services/containers/wireguard.nix | 15 ++ hosts/m3-r1/services/containers/wordpress.nix | 14 ++ hosts/m3-r1/services/default.nix | 13 ++ hosts/m3-r1/services/gitea.nix | 13 ++ hosts/m3-r1/services/mariadb.nix | 13 ++ hosts/m3-r1/services/n8n.nix | 15 ++ hosts/m3-r1/services/postgres.nix | 26 +++ hosts/m3-r1/services/searx.nix | 11 ++ hosts/m3-r1/services/syncthing.nix | 20 +++ hosts/m3-r1/services/tailscale.nix | 38 +++++ hosts/m3-r1/services/traefik.nix | 159 ++++++++++++++++++ hosts/m3-r1/services/vaultwarden.nix | 8 + modules/nixos/default.nix | 1 + modules/nixos/ordercollect.nix | 31 ++++ pkgs/bemoji/default.nix.~1~ | 24 --- pkgs/default.nix | 3 +- pkgs/ordercollect/default.nix | 23 +++ 32 files changed, 692 insertions(+), 33 deletions(-) create mode 100644 home/users/m3tam3re/m3-r1.nix create mode 100644 hosts/m3-r1/default.nix create mode 100644 hosts/m3-r1/hardware-configuration.nix create mode 100644 hosts/m3-r1/services/container.nix create mode 100644 hosts/m3-r1/services/containers/baserow.nix create mode 100644 hosts/m3-r1/services/containers/briefkasten.nix create mode 100644 hosts/m3-r1/services/containers/default.nix create mode 100644 hosts/m3-r1/services/containers/little-link.nix create 
mode 100644 hosts/m3-r1/services/containers/matomo.nix create mode 100644 hosts/m3-r1/services/containers/mautic.nix create mode 100644 hosts/m3-r1/services/containers/nextcloud.nix create mode 100644 hosts/m3-r1/services/containers/nginx.nix create mode 100644 hosts/m3-r1/services/containers/wireguard.nix create mode 100644 hosts/m3-r1/services/containers/wordpress.nix create mode 100644 hosts/m3-r1/services/default.nix create mode 100644 hosts/m3-r1/services/gitea.nix create mode 100644 hosts/m3-r1/services/mariadb.nix create mode 100644 hosts/m3-r1/services/n8n.nix create mode 100644 hosts/m3-r1/services/postgres.nix create mode 100644 hosts/m3-r1/services/searx.nix create mode 100644 hosts/m3-r1/services/syncthing.nix create mode 100644 hosts/m3-r1/services/tailscale.nix create mode 100644 hosts/m3-r1/services/traefik.nix create mode 100644 hosts/m3-r1/services/vaultwarden.nix create mode 100644 modules/nixos/default.nix create mode 100644 modules/nixos/ordercollect.nix delete mode 100644 pkgs/bemoji/default.nix.~1~ create mode 100644 pkgs/ordercollect/default.nix diff --git a/flake.nix b/flake.nix index 9b93932..dd1f6ce 100644 --- a/flake.nix +++ b/flake.nix @@ -28,6 +28,10 @@ modules = [ allowUnfree ./hosts/lkk-nix-1 agenix.nixosModules.default ]; }; + m3-r1 = lib.nixosSystem { + specialArgs = { inherit inputs; }; + modules = [ allowUnfree ./hosts/m3-r1 agenix.nixosModules.default ]; + }; lkk-prod-1 = lib.nixosSystem { specialArgs = { inherit inputs; }; modules = @@ -56,6 +60,12 @@ }; modules = [ ./home/users/m3tam3re/lkk-nix-1.nix ]; }; + "m3tam3re@m3-r1" = home-manager.lib.homeManagerConfiguration { + pkgs = nixpkgs.legacyPackages."x86_64-linux"; + extraSpecialArgs = { # pass things to t + }; + modules = [ ./home/users/m3tam3re/m3-r1.nix ]; + }; }; deploy.nodes.lkk-nix-1 = { hostname = "lkk-nix-1"; 
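Review bot: The comment inside `extraSpecialArgs` of the new `"m3tam3re@m3-r1"` entry is cut off mid-word (`# pass things to t`) and the set it annotates is empty, so it documents nothing. Either drop the empty block or finish it, e.g. `extraSpecialArgs = { inherit inputs; }; # pass flake inputs to the home-manager modules`, mirroring the `specialArgs = { inherit inputs; }` used for the NixOS side of the same host. Whether ./home/users/m3tam3re/m3-r1.nix actually reads anything from specialArgs is not visible in this patch, so confirm before adding it.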
@@ -66,6 +76,15 @@ self.nixosConfigurations.lkk-nix-1; }; }; + deploy.nodes.m3-r1 = { + hostname = "lkk-nix-1"; + sshUser = "root"; + profiles.system = { + user = "root"; + path = deploy-rs.lib.x86_64-linux.activate.nixos + self.nixosConfigurations.lkk-nix-1; + }; + }; deploy.nodes.lkk-prod-1 = { hostname = "lkk-prod-1"; sshUser = "root"; diff --git a/home/features/coding/default.nix b/home/features/coding/default.nix index 710b405..f876083 100644 --- a/home/features/coding/default.nix +++ b/home/features/coding/default.nix @@ -1,11 +1,13 @@ { pkgs, ... }: { - imports = [ ./emacs.nix ./golang.nix ./nix.nix ./nodejs.nix ./rust.nix ./tools.nix ]; + imports = + [ ./emacs.nix ./golang.nix ./nix.nix ./nodejs.nix ./rust.nix ./tools.nix ]; - home.packages = with pkgs; - [ - python3 - python311Packages.pip - guile_3_0 - tinyscheme - ]; + home.packages = with pkgs; [ + ispell + python3 + python311Packages.pip + python311Packages.setuptools + guile_3_0 + tinyscheme + ]; } diff --git a/home/features/desktop/media.nix b/home/features/desktop/media.nix index ca43ae7..4cf1346 100644 --- a/home/features/desktop/media.nix +++ b/home/features/desktop/media.nix @@ -18,6 +18,7 @@ in { handbrake libsForQt5.kdenlive makemkv + mediainfo mpv plexamp uxplay diff --git a/home/users/m3tam3re/m3-r1.nix b/home/users/m3tam3re/m3-r1.nix new file mode 100644 index 0000000..d68a52c --- /dev/null +++ b/home/users/m3tam3re/m3-r1.nix @@ -0,0 +1,12 @@ +{ config, pkgs, ... }: { + imports = [ ./base ../../features/cli ]; + + features = { + cli = { + fish.enable = true; + starship.enable = true; + }; + }; + + home.stateVersion = "22.11"; +} diff --git a/hosts/m3-r1/default.nix b/hosts/m3-r1/default.nix new file mode 100644 index 0000000..6cd0b0a --- /dev/null +++ b/hosts/m3-r1/default.nix 
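Review bot: `deploy.nodes.m3-r1` still targets the other host: `hostname = "lkk-nix-1"` and `path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.lkk-nix-1`, so deploying the m3-r1 node would activate the lkk-nix-1 closure on the lkk-nix-1 machine and never touch m3-r1. Change the two lines to `hostname = "m3-r1";` and `self.nixosConfigurations.m3-r1;`. The enclosing `deploy.nodes` attribute set continues outside the hunk, and the existing nodes use the same root `sshUser`, so that part is not new here.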
@@ -0,0 +1,69 @@ +{ pkgs, ... }: { + imports = [ + ./hardware-configuration.nix + ../common/users/m3tam3re + ../common/base + ./services + ]; + + boot.loader.grub.enable = true; + boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only + + services.openssh.enable = true; + services.openssh.settings.PasswordAuthentication = false; + networking = { + hostName = "m3-r1"; + firewall.enable = true; + firewall.allowedTCPPortRanges = [{ + from = 3000; + to = 3100; + }]; + firewall.allowedTCPPorts = [ 53 80 443 5432 3306 3478 ]; + firewall.allowedUDPPorts = [ 53 51820 41641 ]; + firewall.allowedUDPPortRanges = [{ + from = 3478; + to = 3481; + }]; + }; + programs.fish.enable = true; + age = { + secrets = { + mj-smtp-user.file = ../../secrets/mj-smtp-user.age; + mj-smtp-pass.file = ../../secrets/mj-smtp-pass.age; + tailscale-key.file = ../../secrets/tailscale-key.age; + + vaultwarden-env = { + file = ../../secrets/vaultwarden-env.age; + mode = "770"; + }; + + n8n-env = { + file = ../../secrets/n8n-env.age; + mode = "770"; + }; + + traefik-env = { + file = ../../secrets/traefik-env.age; + mode = "770"; + owner = "traefik"; + }; + + searx-environmentFile = { + file = ../../secrets/searx-environmentFile.age; + mode = "770"; + owner = "searx"; + }; + + }; + identityPaths = [ "/root/.ssh/lkk-nix-1" ]; + }; + + nix = { + gc = { + automatic = true; + options = "--delete-older-than 30d"; + }; + optimise.automatic = true; + }; + system.stateVersion = "23.05"; # Did you read the comment? +} diff --git a/hosts/m3-r1/hardware-configuration.nix b/hosts/m3-r1/hardware-configuration.nix new file mode 100644 index 0000000..aa4baa7 --- /dev/null +++ b/hosts/m3-r1/hardware-configuration.nix 
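Review bot: The firewall opens far more than Traefik needs: `allowedTCPPortRanges` 3000-3100 exposes the raw backends that traefik.nix proxies from localhost (gitea 3000, baserow 3001, matomo 3003, mautic 3008, searx 3004), so the `auth` middleware and TLS are bypassed by connecting to the port directly, and 5432/3306 are published on every interface, presumably only so containers can reach the host databases via 10.88.0.1. Scope the database ports to the bridge, `firewall.interfaces.<podman bridge interface>.allowedTCPPorts = [ 5432 3306 ];`, drop the 3000-3100 range, and keep the public list to what is served from outside, e.g. `firewall.allowedTCPPorts = [ 80 443 ];` (53 and 3478-3481 belong to services this commit does not configure — confirm before removing them). The agenix entries use `mode = "770"`, which adds an execute bit and group access to plaintext credentials; `mode = "0400"` with the `owner` you already set is enough for EnvironmentFile/environmentFiles. `identityPaths = [ "/root/.ssh/lkk-nix-1" ]` looks carried over from the other host; if m3-r1 has its own key, none of these secrets will decrypt until the path is corrected.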
@@ -0,0 +1,55 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/6f25ddea-6022-4663-9f5d-58b383de7e52"; + fsType = "btrfs"; + options = [ "subvol=root" ]; + }; + + fileSystems."/home" = + { device = "/dev/disk/by-uuid/6f25ddea-6022-4663-9f5d-58b383de7e52"; + fsType = "btrfs"; + options = [ "subvol=home" ]; + }; + + fileSystems."/nix" = + { device = "/dev/disk/by-uuid/6f25ddea-6022-4663-9f5d-58b383de7e52"; + fsType = "btrfs"; + options = [ "subvol=nix" ]; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/2550-EF31"; + fsType = "vfat"; + }; + + fileSystems."/var/backup" = + { device = "46.38.248.210:/voln527829a1"; + fsType = "nfs"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens3.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/m3-r1/services/container.nix b/hosts/m3-r1/services/container.nix new file mode 100644 index 0000000..8158f80 --- /dev/null +++ b/hosts/m3-r1/services/container.nix 
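Review bot: `fileSystems."/var/backup"` mounts an NFS export from a public-looking address with no options, and gitea.nix and vaultwarden.nix write their dumps there, so unless 46.38.248.210 is on a provider-private network those backups cross the wire with no encryption and only IP-based authentication. Without `_netdev`/`x-systemd.automount` an unreachable NFS server also stalls boot of the whole host. Since the header says this file is generated by nixos-generate-config, the declaration belongs in default.nix with explicit options, e.g. `options = [ "_netdev" "x-systemd.automount" "noauto" ];`, and ideally reached over the Tailscale network configured in tailscale.nix rather than the public address.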
@@ -0,0 +1,11 @@ +{ config, pkgs, ... }: + +{ + imports = [ ./containers ]; + + virtualisation.podman = { + enable = true; + defaultNetwork.settings = { dns_enabled = true; }; + }; + virtualisation.oci-containers.backend = "podman"; +} diff --git a/hosts/m3-r1/services/containers/baserow.nix b/hosts/m3-r1/services/containers/baserow.nix new file mode 100644 index 0000000..cfa7c32 --- /dev/null +++ b/hosts/m3-r1/services/containers/baserow.nix @@ -0,0 +1,25 @@ +{ config, outputs, ... }: { + virtualisation.oci-containers.containers."baserow" = { + image = "docker.io/baserow/baserow:1.18.0"; + environment = { + BASEROW_PUBLIC_URL = "https://db.lanakk.com"; + + POSTGRES_USER = "baserow"; + POSTGRES_PASSWORD = "baserow"; + POSTGRES_DB = "baserow"; + DATABASE_HOST = "postgres"; + DATABASE_NAME = "baserow"; + DATABASE_USER = "baserow"; + DATABASE_PASSWORD = "baserow"; + + EMAIL_SMTP = "in-v3.mailjet.com"; + EMAIL_SMTP_HOST = "in-v3.mailjet.com"; + EMAIL_SMTP_PORT = "587"; + EMAIL_SMTP_USER = config.age.secrets.mj-smtp-user.path; + EMAIL_SMTP_PASSWORD = config.age.secrets.mj-smtp-pass.path; + }; + ports = [ "3001:80" ]; + volumes = [ "baserow_data:/baserow/data" ]; + extraOptions = [ "--add-host=postgres:10.88.0.1" "--ip=10.88.0.11" ]; + }; +} diff --git a/hosts/m3-r1/services/containers/briefkasten.nix b/hosts/m3-r1/services/containers/briefkasten.nix new file mode 100644 index 0000000..13c7160 --- /dev/null +++ b/hosts/m3-r1/services/containers/briefkasten.nix @@ -0,0 +1,8 @@ +{ config, outputs, ... }: { + virtualisation.oci-containers.containers."briefkasten" = { + image = "docker.io/ndom91/briefkasten"; + environmentFiles = [ config.age.secrets.briefkasten-env.path ]; + ports = [ "3009:3000" ]; + extraOptions = [ "--add-host=postgres:10.88.0.1" "--ip=10.88.0.19" ]; + }; +} diff --git a/hosts/m3-r1/services/containers/default.nix b/hosts/m3-r1/services/containers/default.nix new file mode 100644 index 0000000..6e64944 --- /dev/null 
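Review bot: `EMAIL_SMTP_USER = config.age.secrets.mj-smtp-user.path` passes the decrypted file's path string, not its contents, as the SMTP user name (and the file is not mounted into the container anyway), so Baserow will authenticate with a literal path; the same applies to `EMAIL_SMTP_PASSWORD`. Put both values in an agenix-managed env file (declared in hosts/m3-r1/default.nix) and load it with `environmentFiles = [ config.age.secrets.<baserow-env>.path ];` as briefkasten.nix already does. `ports = [ "3001:80" ]` publishes on every interface while Traefik only needs localhost; `ports = [ "127.0.0.1:3001:80" ];` keeps the unauthenticated HTTP backend off the public interface, and the same change applies to matomo, mautic, nextcloud, nginx, wordpress and the wg-easy admin port. `BASEROW_PUBLIC_URL = "https://db.lanakk.com"` disagrees with the br.m3tam3re.com router rule in traefik.nix; gitea's ROOT_URL and n8n's host show the same lanakk.com/m3tam3re.com split, so one side of the config looks copied from another host.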
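Review bot: `environmentFiles = [ config.age.secrets.briefkasten-env.path ]` refers to a secret that hosts/m3-r1/default.nix does not declare (its `age.secrets` has only mj-smtp-user/pass, tailscale-key, vaultwarden-env, n8n-env, traefik-env and searx-environmentFile); the import is commented out in containers/default.nix so evaluation passes today, but re-enabling the file will fail on the missing attribute. little-link.nix has the same gap for `littlelink-lanakk-env` and `littlelink-m3tam3re-env`. `image = "docker.io/ndom91/briefkasten"` carries no tag, so every pull can silently change what runs; pin a version the way baserow.nix pins `baserow/baserow:1.18.0`.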
+++ b/hosts/m3-r1/services/containers/default.nix @@ -0,0 +1,12 @@ +{ + imports = [ + ./baserow.nix + # ./briefkasten.nix + # ./little-link.nix + ./matomo.nix + ./mautic.nix + # ./nextcloud.nix + # ./nginx.nix + # ./wordpress.nix + ]; +} diff --git a/hosts/m3-r1/services/containers/little-link.nix b/hosts/m3-r1/services/containers/little-link.nix new file mode 100644 index 0000000..db7e12f --- /dev/null +++ b/hosts/m3-r1/services/containers/little-link.nix @@ -0,0 +1,14 @@ +{ config, outputs, ... }: { + virtualisation.oci-containers.containers."littlelink_lanakk" = { + image = "ghcr.io/techno-tim/littlelink-server"; + environmentFiles = [ config.age.secrets.littlelink-lanakk-env.path ]; + ports = [ "3010:3000" ]; + extraOptions = [ "--ip=10.88.0.20" ]; + }; + virtualisation.oci-containers.containers."littlelink_m3tam3re" = { + image = "ghcr.io/techno-tim/littlelink-server"; + environmentFiles = [ config.age.secrets.littlelink-m3tam3re-env.path ]; + ports = [ "3011:3000" ]; + extraOptions = [ "--ip=10.88.0.21" ]; + }; +} diff --git a/hosts/m3-r1/services/containers/matomo.nix b/hosts/m3-r1/services/containers/matomo.nix new file mode 100644 index 0000000..ee5e251 --- /dev/null +++ b/hosts/m3-r1/services/containers/matomo.nix @@ -0,0 +1,16 @@ +{ config, outputs, ... }: { + virtualisation.oci-containers.containers."matomo" = { + image = "docker.io/matomo"; + environment = { + MATOMO_DATABASE_HOST = "mysql"; + MATOMO_DATABASE_USERNAME = "matomo"; + MATOMO_DATABASE_PASSWORD = "matomo"; + MATOMO_DATABASE_DBNAME = "matomo"; + PHP_MEMORY_LIMIT="2048M"; + + }; + ports = [ "3003:80" ]; + volumes = [ "matomo_data:/var/www/html" ]; + extraOptions = [ "--add-host=mysql:10.88.0.1" "--ip=10.88.0.13" ]; + }; +} diff --git a/hosts/m3-r1/services/containers/mautic.nix b/hosts/m3-r1/services/containers/mautic.nix new file mode 100644 index 0000000..ecd490d --- /dev/null +++ b/hosts/m3-r1/services/containers/mautic.nix 
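Review bot: `MATOMO_DATABASE_PASSWORD = "matomo"` (with user and DB of the same name) is a guessable credential committed to the repo and copied into the generated container unit, which ends up in the world-readable Nix store; mautic.nix (`mautic`/`mautic`) and wordpress.nix (`wp`/`wp`) follow the same pattern. Because every container shares the podman bridge and 3306 is opened in the host firewall, a foothold in any one container reaches all three databases; move the credentials into agenix env files loaded via `environmentFiles`, as briefkasten.nix does. `image = "docker.io/matomo"` is untagged — pin a release. The blank line left inside `environment` after `PHP_MEMORY_LIMIT` is noise.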
@@ -0,0 +1,16 @@ +{ config, outputs, ... }: { + virtualisation.oci-containers.containers."mautic" = { + image = "docker.io/mautic/mautic:v4-apache"; + environment = { + MAUTIC_DB_HOST = "mysql"; + MAUTIC_DB_USER = "mautic"; + MAUTIC_DB_PASSWORD = "mautic"; + MAUTIC_DB_DBNAME = "mautic"; + PHP_MEMORY_LIMIT="2048M"; + MAUTIC_RUN_CRON_JOBS="true"; + }; + ports = [ "3008:80" ]; + volumes = [ "mautic_data:/var/www/html" ]; + extraOptions = [ "--add-host=mysql:10.88.0.1" "--ip=10.88.0.23" ]; + }; +} diff --git a/hosts/m3-r1/services/containers/nextcloud.nix b/hosts/m3-r1/services/containers/nextcloud.nix new file mode 100644 index 0000000..c92ac77 --- /dev/null +++ b/hosts/m3-r1/services/containers/nextcloud.nix @@ -0,0 +1,14 @@ +{ config, outputs, ... }: { + virtualisation.oci-containers.containers."nextcloud" = { + image = "docker.io/nextcloud"; + environment = { + TRUSTED_PROXIES = "10.88.0.1/16"; + OVERWRITEPROTOCOL = "https"; + OVERWRITECLIURL = "https://cloud.lanakk.com"; + OVERWRITEHOST = "cloud.lanakk.com"; + }; + ports = [ "3005:80" ]; + volumes = [ "nextcloud_data:/var/www/html" ]; + extraOptions = [ "--add-host=mysql:10.88.0.1" "--ip=10.88.0.15" ]; + }; +} diff --git a/hosts/m3-r1/services/containers/nginx.nix b/hosts/m3-r1/services/containers/nginx.nix new file mode 100644 index 0000000..daa7f26 --- /dev/null +++ b/hosts/m3-r1/services/containers/nginx.nix @@ -0,0 +1,8 @@ +{ config, outputs, ... }: { + virtualisation.oci-containers.containers."http-images" = { + image = "docker.io/nginx:alpine"; + ports = [ "3012:80" ]; + volumes = [ "/opt/service-data/http-images:/usr/share/nginx/html"]; + extraOptions = [ "--ip=10.88.0.22" ]; + }; +} diff --git a/hosts/m3-r1/services/containers/wireguard.nix b/hosts/m3-r1/services/containers/wireguard.nix new file mode 100644 index 0000000..3ff4493 --- /dev/null +++ b/hosts/m3-r1/services/containers/wireguard.nix 
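Review bot: `TRUSTED_PROXIES = "10.88.0.1/16"` has host bits set in the prefix and, read as 10.88.0.0/16, trusts every container on the podman bridge to set forwarded-for and host headers, not just Traefik. If Nextcloud sees Traefik's requests arriving from the gateway 10.88.0.1 (check the container's access log), `TRUSTED_PROXIES = "10.88.0.1/32";` is the tight form; postgres.nix uses the same `10.88.0.1/16` spelling in its pg_hba line. `image = "docker.io/nextcloud"` is untagged; pin a major version so upgrades are deliberate.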
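Review bot: The `http-images` bind mount gives the nginx container write access to `/opt/service-data/http-images`, the directory syncthing.nix populates from the `LK-DATA` device, although nginx only serves it; mount it read-only, `volumes = [ "/opt/service-data/http-images:/usr/share/nginx/html:ro" ];`. Port 3012 is published on all interfaces and sits inside the 3000-3100 range opened in default.nix, so this container is directly internet-facing even though traefik.nix has no router for it yet; `ports = [ "127.0.0.1:3012:80" ];` keeps it local until one exists.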
@@ -0,0 +1,15 @@ +{ config, outputs, ... }: { + virtualisation.oci-containers.containers."wireguard" = { + image = "docker.io/weejewel/wg-easy"; + environment = { WG_HOST = "wg.lanakk.com"; WG_DEFAULT_DNS = "10.88.0.1:5353"; }; + ports = [ "3007:51821/tcp" "51820:51820/udp" ]; + volumes = [ "wireguard_data:/etc/wireguard" ]; + extraOptions = [ + "--cap-add=NET_ADMIN" + "--cap-add=SYS_MODULE" + "--sysctl=net.ipv4.conf.all.src_valid_mark=1" + "--sysctl=net.ipv4.ip_forward=1" + "--ip=10.88.0.17" + ]; + }; +} diff --git a/hosts/m3-r1/services/containers/wordpress.nix b/hosts/m3-r1/services/containers/wordpress.nix new file mode 100644 index 0000000..c68d0b0 --- /dev/null +++ b/hosts/m3-r1/services/containers/wordpress.nix @@ -0,0 +1,14 @@ +{ config, outputs, ... }: { + virtualisation.oci-containers.containers."lanakk_blog" = { + image = "docker.io/wordpress"; + environment = { + WORDPRESS_DB_HOST = "mysql"; + WORDPRESS_DB_USER = "wp"; + WORDPRESS_DB_PASSWORD = "wp"; + WORDPRESS_DB_NAME = "lanakk_blog"; + }; + ports = [ "3002:80" ]; + volumes = [ "lanakk_blog_data:/var/www/html" ]; + extraOptions = [ "--add-host=mysql:10.88.0.1" "--ip=10.88.0.12" ]; + }; +} diff --git a/hosts/m3-r1/services/default.nix b/hosts/m3-r1/services/default.nix new file mode 100644 index 0000000..e06c828 --- /dev/null +++ b/hosts/m3-r1/services/default.nix @@ -0,0 +1,13 @@ +{ + imports = [ + ./container.nix + ./gitea.nix + ./n8n.nix + ./postgres.nix + ./searx.nix + ./syncthing.nix + ./tailscale.nix + ./traefik.nix + ./vaultwarden.nix + ]; +} diff --git a/hosts/m3-r1/services/gitea.nix b/hosts/m3-r1/services/gitea.nix new file mode 100644 index 0000000..13c8825 --- /dev/null +++ b/hosts/m3-r1/services/gitea.nix @@ -0,0 +1,13 @@ +{ config, pkgs, ... }: +{ + services.gitea = { + enable = true; + settings.server.ROOT_URL = "https://code.lanakk.com"; + lfs.enable = true; + dump = { + enable = true; + interval = "03:30:00"; + backupDir = "/var/backup/gitea"; + }; + }; +} 
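Review bot: `--cap-add=SYS_MODULE` lets the wg-easy container load arbitrary kernel modules, which amounts to root on the host; it is only there so the container can modprobe wireguard, which the host can do itself. Load it on the host with `boot.kernelModules = [ "wireguard" ];` in hosts/m3-r1/default.nix and drop the SYS_MODULE line, keeping NET_ADMIN and the two sysctls. The admin UI is published on every interface (`"3007:51821/tcp"`) and 3007 falls inside the 3000-3100 firewall range, so the wg-easy web UI would be internet-facing; bind it as `"127.0.0.1:3007:51821/tcp"` and route it through Traefik behind the `auth` middleware. The file is currently commented out in containers/default.nix, so this applies when it is enabled.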
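Review bot: The import list omits `./mariadb.nix`, which this commit also adds, while matomo.nix and mautic.nix (imported through container.nix → containers/default.nix) point at `mysql:10.88.0.1` and default.nix opens 3306, so those containers start with no database behind them. Add `./mariadb.nix` here (after fixing its empty `databases = [ "" ]` backup entry), or drop the 3306 rule if MariaDB is intentionally not part of this host yet.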
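Review bot: `settings.server.ROOT_URL = "https://code.lanakk.com"` disagrees with the Traefik router for this service, which matches code.m3tam3re.com in traefik.nix; Gitea derives clone URLs, OAuth redirects and webhook callbacks from ROOT_URL, so one of the two is wrong for this host. Gitea's default listener on 3000 also sits inside the 3000-3100 range opened in default.nix, so the instance is reachable without passing through Traefik; set `settings.server.HTTP_ADDR = "127.0.0.1";` or close the range. `backupDir = "/var/backup/gitea"` is on the NFS share from hardware-configuration.nix, so the full repository dump travels over that mount nightly.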
diff --git a/hosts/m3-r1/services/mariadb.nix b/hosts/m3-r1/services/mariadb.nix new file mode 100644 index 0000000..55a71c4 --- /dev/null +++ b/hosts/m3-r1/services/mariadb.nix @@ -0,0 +1,13 @@ +{ pkgs, config, ... }: + +{ + services.mysql = { + enable = true; + package = pkgs.mariadb; + }; + services.mysqlBackup = { + enable = true; + calendar = "03:00:00"; + databases = [ "" ]; + }; +} diff --git a/hosts/m3-r1/services/n8n.nix b/hosts/m3-r1/services/n8n.nix new file mode 100644 index 0000000..54e184d --- /dev/null +++ b/hosts/m3-r1/services/n8n.nix @@ -0,0 +1,15 @@ +{ config, pkgs, ... }: { + + services.n8n = { + enable = true; + openFirewall = true; + settings = { + host = "wf.lanakk.com"; + protocol = "https"; + editorBaseUrl="https://wf.lanakk.com"; + }; + }; + systemd.services.n8n.serviceConfig = { + EnvironmentFile = "${config.age.secrets.n8n-env.path}"; + }; +} diff --git a/hosts/m3-r1/services/postgres.nix b/hosts/m3-r1/services/postgres.nix new file mode 100644 index 0000000..e234a36 --- /dev/null +++ b/hosts/m3-r1/services/postgres.nix @@ -0,0 +1,26 @@ +{ pkgs, config, ... }: + +{ + services.postgresql = { + enable = true; + enableTCPIP = true; + package = pkgs.postgresql_15; + authentication = pkgs.lib.mkOverride 10 '' + local all all trust + host all all 127.0.0.1/32 trust + host all all ::1/128 trust + host all all 10.88.0.1/16 trust + ''; + initialScript = pkgs.writeText "backend-initScript" '' + CREATE USER baserow WITH ENCRYPTED PASSWORD 'baserow'; + CREATE DATABASE baserow; + GRANT ALL PRIVILEGES ON DATABASE baserow TO baserow; + ALTER DATABASE baserow OWNER to baserow; + ''; + }; + services.postgresqlBackup = { + enable = true; + startAt = "03:10:00"; + databases = [ "baserow" ]; + }; +} diff --git a/hosts/m3-r1/services/searx.nix b/hosts/m3-r1/services/searx.nix new file mode 100644 index 0000000..90b8544 --- /dev/null +++ b/hosts/m3-r1/services/searx.nix 
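Review bot: `services.mysqlBackup.databases = [ "" ]` names an empty database, so the nightly job fails or backs up nothing instead of covering matomo, mautic and lanakk_blog, which the containers expect; use `databases = [ "matomo" "mautic" "lanakk_blog" ];`. Nothing here creates those databases or users — unlike postgres.nix, which has an initialScript — so the containers' connections to `mysql:10.88.0.1` will be refused until `ensureDatabases`/`ensureUsers` (or an equivalent initialScript) is added and the server is confirmed to listen on the bridge address; the bind address is not set in this hunk. The file is also not imported by services/default.nix.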
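Review bot: `openFirewall = true` publishes n8n's listener (5678, per the loadBalancer entry in traefik.nix) on every interface, so the workflow editor is reachable over plain HTTP while the Traefik router only adds TLS; n8n holds stored credentials for every integration it talks to, so leave `openFirewall` at its default and let Traefik on localhost be the only path. `settings.host = "wf.lanakk.com"` and `editorBaseUrl` also disagree with the io.m3tam3re.com router rule in traefik.nix, so the webhook URLs n8n hands out will carry the lanakk.com name.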
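Review bot: The `authentication` override sets `trust` for `local all all` and for `host all all 10.88.0.1/16`, so any process on the host and any container on the podman bridge can connect as the `postgres` superuser with no password, and with `enableTCPIP = true` plus the public 5432 rule in default.nix only the absence of a matching pg_hba line keeps the internet out. Use peer auth locally and passwords on the bridge, restricted to the role that needs it: `local all all peer`, `host baserow baserow 10.88.0.0/16 scram-sha-256` (note `10.88.0.0/16` — the `/16` with host bits set is the same spelling as nextcloud.nix). `ENCRYPTED PASSWORD 'baserow'` in initialScript is the same literal hard-coded in baserow.nix; generate a real password and feed both sides from one agenix secret. The postgresqlBackup output location is not set here, so confirm where the nightly dump of `baserow` lands.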
@@ -0,0 +1,11 @@ +{ pkgs, ... }: +{ + services.searx = { + enable = true; + package = pkgs.searxng; + settings = { + server.port = 3004; + server.secret_key = "@SEARX_SECRET_KEY@"; + }; + }; +} diff --git a/hosts/m3-r1/services/syncthing.nix b/hosts/m3-r1/services/syncthing.nix new file mode 100644 index 0000000..566dddf --- /dev/null +++ b/hosts/m3-r1/services/syncthing.nix @@ -0,0 +1,20 @@ +{ config, pkgs, ... }: { + services.syncthing = { + enable = true; + openDefaultPorts = true; + guiAddress = "0.0.0.0:8384"; + overrideDevices = true; + overrideFolders = true; + devices = { + "LK-DATA" = { + id = "BI7CMZF-2SGQMXW-RG47HRG-FEH454J-ZTCE544-BXNSCSJ-PXCE7A7-R4CX2Q3"; + }; + }; + folders = { + "Bildvorschauen" = { + path = "/opt/service-data/http-images"; + devices = [ "LK-DATA" ]; + }; + }; + }; +} diff --git a/hosts/m3-r1/services/tailscale.nix b/hosts/m3-r1/services/tailscale.nix new file mode 100644 index 0000000..f8baf9f --- /dev/null +++ b/hosts/m3-r1/services/tailscale.nix 
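Review bot: `server.secret_key = "@SEARX_SECRET_KEY@"` is a substitution placeholder that the NixOS searx module only replaces when `environmentFile` is set, and this hunk sets none even though default.nix declares a `searx-environmentFile` secret owned by `searx`; as written the literal string becomes the session-signing key, identical on every deploy. Add `environmentFile = config.age.secrets.searx-environmentFile.path;` (and `config` to the module arguments) with `SEARX_SECRET_KEY=...` in that secret. Port 3004 lies inside the 3000-3100 firewall range, so confirm `server.bind_address` stays on loopback so the only path in is the Traefik router.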
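Review bot: `guiAddress = "0.0.0.0:8384"` exposes the Syncthing GUI and REST API on every interface while the Traefik `syncthing` service only needs `http://localhost:8384/`; 8384 is not in the public firewall list, but it is reachable over the trusted `tailscale0` interface from tailscale.nix. Use `guiAddress = "127.0.0.1:8384";`, and since the sync.m3tam3re.com router in traefik.nix carries no `middlewares = "auth"`, make sure GUI authentication is configured inside Syncthing itself — nothing in this hunk sets it.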
@@ -0,0 +1,38 @@ +{ config, pkgs, ... }: { + services.tailscale = { + enable = true; + useRoutingFeatures = "both"; + }; + networking.firewall = { + trustedInterfaces = [ "tailscale0" ]; + }; + systemd.services.tailscale-autoconnect = { + description = "Automatic connection to Tailscale"; + + # make sure tailscale is running before trying to connect to tailscale + after = [ "network-pre.target" "tailscale.service" ]; + wants = [ "network-pre.target" "tailscale.service" ]; + wantedBy = [ "multi-user.target" ]; + + # set this service as a oneshot job + serviceConfig = { + Type = "oneshot"; + EnvironmentFile = "${config.age.secrets.tailscale-key.path}"; + }; + + # have the job run this shell script + script = with pkgs; '' + # wait for tailscaled to settle + sleep 2 + + # check if we are already authenticated to tailscale + status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)" + if [ $status = "Running" ]; then # if so, then do nothing + exit 0 + fi + + # otherwise authenticate with tailscale + ${tailscale}/bin/tailscale up --advertise-exit-node --authkey $TAILSCALE_KEY + ''; + }; +} diff --git a/hosts/m3-r1/services/traefik.nix b/hosts/m3-r1/services/traefik.nix new file mode 100644 index 0000000..2c5649b --- /dev/null +++ b/hosts/m3-r1/services/traefik.nix 
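Review bot: Both shell expansions in `script` are unquoted: `if [ $status = "Running" ]` collapses to `[ = "Running" ]` and errors out when `tailscale status` prints nothing (e.g. tailscaled not yet up after the 2-second sleep), and `--authkey $TAILSCALE_KEY` is subject to word splitting. Quote them: `if [ "$status" = "Running" ]; then` and `--authkey "$TAILSCALE_KEY"`. The key is also visible in the process list for the duration of `tailscale up`; that is tolerable for a oneshot, but prefer a single-use or ephemeral key on the Tailscale side so a leaked value cannot enrol further nodes, and consider replacing the fixed `sleep 2` with a short retry loop on `tailscale status`.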
@@ -0,0 +1,159 @@ +{ config, ... }: { + services.traefik = { + enable = true; + staticConfigOptions = { + log = { level = "WARN"; }; + certificatesResolvers = { + godaddy = { + acme = { + email = "dev@lanakk.com"; + storage = "/var/lib/traefik/acme.json"; + dnsChallenge = { provider = "godaddy"; }; + }; + }; + lets-encrypt = { + acme = { + email = "acc@m3tam3re.com"; + storage = "/var/lib/traefik/acme.json"; + tlsChallenge = { }; + }; + }; + }; + api = { }; + entryPoints = { + web = { + address = ":80"; + http.redirections.entryPoint = { + to = "websecure"; + scheme = "https"; + }; + }; + websecure = { address = ":443"; }; + }; + }; + dynamicConfigOptions = { + http = { + middlewares = { + auth = { + basicAuth = { + users = [ "m3tam3re:$apr1$1xqdta2b$DIVNvvp5iTUGNccJjguKh." ]; + }; + }; + nextcloud_redirectregex = { + redirectRegex = { + permanent = true; + regex = "https://(.*)/.well-known/(?:card|cal)dav"; + replacement = "https://\${1}/remote.php/dav"; + }; + }; + nextcloud_headers = { + headers = { + referrerPolicy = "no-referrer"; + stsSeconds = "31536000"; + forceSTSHeader = true; + stsPreload = true; + stsIncludeSubdomains = true; + }; + }; + }; + services = { + baserow.loadBalancer.servers = [{ url = "http://localhost:3001/"; }]; + gitea.loadBalancer.servers = [{ url = "http://localhost:3000/"; }]; + n8n.loadBalancer.servers = [{ url = "http://localhost:5678/"; }]; + lanakk_blog.loadBalancer.servers = + [{ url = "http://localhost:3002/"; }]; + matomo.loadBalancer.servers = [{ url = "http://localhost:3003/"; }]; + searx.loadBalancer.servers = [{ url = "http://localhost:3004/"; }]; + mautic.loadBalancer.servers = [{ url = "http://localhost:3008/"; }]; + syncthing.loadBalancer.servers = + [{ url = "http://localhost:8384/"; }]; + vaultwarden.loadBalancer.servers = + [{ url = "http://localhost:3014/"; }]; + }; + routers = { + api = { + rule = "Host(`r.m3tam3re.com`)"; + tls = { certResolver = "lets-encrypt"; }; + service = "api@internal"; + middlewares = "auth"; 
+ entrypoints = "websecure"; + }; + baserow = { + rule = "Host(`br.m3tam3re.com`)"; + tls = { certResolver = "lets-encrypt"; }; + service = "baserow"; + entrypoints = "websecure"; + }; + gitea = { + rule = "Host(`code.m3tam3re.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "code.m3tam3re.com"; + }; + service = "gitea"; + entrypoints = "websecure"; + }; + n8n = { + rule = "Host(`io.m3tam3re.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "io.m3tam3re.com"; + }; + service = "n8n"; + entrypoints = "websecure"; + }; + matomo-m3tam3re = { + rule = "Host(`stats.m3tam3re.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "stats.m3tam3re.com"; + }; + service = "matomo"; + entrypoints = "websecure"; + }; + searx = { + rule = "Host(`search.m3tam3re.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "search.m3tam3re.com"; + }; + service = "searx"; + entrypoints = "websecure"; + }; + mautic = { + rule = "Host(`ma.m3tam3re.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "ma.m3tam3re.com"; + }; + service = "mautic"; + entrypoints = "websecure"; + }; + syncthing = { + rule = "Host(`sync.m3tam3re.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "sync.m3tam3re.com"; + }; + service = "syncthing"; + entrypoints = "websecure"; + }; + vaultwarden = { + rule = "Host(`vw.m3tam3re.com`)"; + tls = { + certResolver = "lets-encrypt"; + domains = "vw.m3tam3re.com"; + }; + service = "vaultwarden"; + middlewares = "auth"; + entrypoints = "websecure"; + }; + }; + }; + }; + }; + + systemd.services.traefik.serviceConfig = { + EnvironmentFile = [ "${config.age.secrets.traefik-env.path}" ]; + }; +} diff --git a/hosts/m3-r1/services/vaultwarden.nix b/hosts/m3-r1/services/vaultwarden.nix new file mode 100644 index 0000000..27cce2d --- /dev/null +++ b/hosts/m3-r1/services/vaultwarden.nix 
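Review bot: The `auth` middleware embeds an htpasswd entry (an `$apr1$` MD5-crypt hash) directly in `dynamicConfigOptions`, which NixOS renders into a file in the world-readable Nix store, so any local user or store backup can run offline guesses against the password that guards the dashboard and Vaultwarden; use `basicAuth.usersFile` pointing at an agenix secret (owner `traefik`, like `traefik-env`) and a bcrypt hash instead. `tls.domains = "code.m3tam3re.com"` (repeated on every router) is a string, but Traefik's `domains` is a list of `{ main = ...; sans = [ ... ]; }` entries, so it likely fails validation or is ignored; the Host rule already determines the certificate name, so drop the `domains` lines. Both certificate resolvers share `storage = "/var/lib/traefik/acme.json"`, and Traefik expects a distinct storage file per resolver — give `godaddy` its own path. No `accessLog` is enabled, which leaves nothing to correlate when one of the proxied apps is probed; `accessLog = { };` in staticConfigOptions is cheap to add.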
@@ -0,0 +1,8 @@ +{ config, pkgs, ... }: { + + services.vaultwarden = { + enable = true; + backupDir = "/var/backup/vaultwarden"; + environmentFile = "${config.age.secrets.vaultwarden-env.path}"; + }; +} diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix new file mode 100644 index 0000000..01c6326 --- /dev/null +++ b/modules/nixos/default.nix @@ -0,0 +1 @@ +{ ordercollect = import ./ordercollect.nix; } diff --git a/modules/nixos/ordercollect.nix b/modules/nixos/ordercollect.nix new file mode 100644 index 0000000..18d021d --- /dev/null +++ b/modules/nixos/ordercollect.nix @@ -0,0 +1,31 @@ +{ config, lib, ... }: + +with lib; + +let cfg = config.services.ordercollect; + +in { + options.services.ordercollect = { + enable = mkEnableOption "Enable Ordercollect"; + port = mkOption { + type = types.str; + description = "The http port to run on"; + default = ""; + }; + package = mkOption { + type = types.package; + default = pkgs.ordercollect; + description = '' + The package for ordercollect + ''; + }; + }; + config = mkIf cfg.enable { + environment.systemPackages = [ cfg.package ]; + + systemd.services.ordercollect = { + ExecStart = "${cfg.package}/bin/ordercollect --port ${cfg.port}"; + Restart = "on-failure"; + }; + }; +} diff --git a/pkgs/bemoji/default.nix.~1~ b/pkgs/bemoji/default.nix.~1~ deleted file mode 100644 index f2ecdc5..0000000 --- a/pkgs/bemoji/default.nix.~1~ +++ /dev/null 
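Review bot: The ordercollect module cannot be evaluated or started as written: `default = pkgs.ordercollect` uses `pkgs`, which is not among the module's arguments (`{ config, lib, ... }`), `ExecStart`/`Restart` are placed directly under `systemd.services.ordercollect` instead of `serviceConfig` (the systemd module rejects them there), there is no `wantedBy`, so nothing would start the unit even if it built, and `port` is a `types.str` defaulting to `""`, producing the broken command line `--port `. The rewrite below fixes those, makes `port` a required `types.port`, and runs the network-facing binary as a `DynamicUser` with basic sandboxing; `pkgs.ordercollect` only resolves if pkgs/default.nix is applied as an overlay, which this patch does not show, and `lib.mkEnableOption "ordercollect"` avoids the doubled "enable Enable" in the generated description.
```nix
{ config, lib, pkgs, ... }:

let cfg = config.services.ordercollect;
in {
  options.services.ordercollect = {
    enable = lib.mkEnableOption "ordercollect";
    port = lib.mkOption {
      type = lib.types.port;
      description = "The HTTP port ordercollect listens on";
    };
    package = lib.mkOption {
      type = lib.types.package;
      default = pkgs.ordercollect;
      description = "The package for ordercollect";
    };
  };

  config = lib.mkIf cfg.enable {
    environment.systemPackages = [ cfg.package ];

    systemd.services.ordercollect = {
      description = "ordercollect order API";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        ExecStart = "${cfg.package}/bin/ordercollect --port ${toString cfg.port}";
        Restart = "on-failure";
        # least privilege for a network-facing service
        DynamicUser = true;
        NoNewPrivileges = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
      };
    };
  };
}
```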
@@ -1,24 +0,0 @@ -{ stdenv, lib, fetchFromGitHub, bash, pkgs, makeWrapper }: - -with lib; -with pkgs; - -stdenv.mkDerivation { - pname = "wofi-pass"; - version = "0.1"; - src = fetchFromGitHub { - owner = "TinfoilSubmarine"; - repo = "wofi-pass"; - rev = "869c545"; - sha256 = "gcfW8E/3/dqv0P3S4z9fDv8k4R7czcIKwpo/OHFFWj0="; - }; - buildInputs = [ bash coreutils wl-clipboard wofi wtype ]; - - nativeBuildInputs = [ makeWrapper ]; - installPhase = '' - mkdir -p $out/bin - cp wofi-pass $out/bin/wofi-pass - wrapProgram $out/bin/wofi-pass \ - --prefix PATH : ${makeBinPath [ bash coreutils wl-clipboard wofi wtype ]} - ''; -} diff --git a/pkgs/default.nix b/pkgs/default.nix index 0e7c5c7..1bb061e 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -2,5 +2,6 @@ wofi-pass = pkgs.callPackage ./wofi-pass { }; bemoji = pkgs.callPackage ./bemoji { }; - + ordercollect = pkgs.callPackage ./ordercollect { }; + } diff --git a/pkgs/ordercollect/default.nix b/pkgs/ordercollect/default.nix new file mode 100644 index 0000000..3d2dd55 --- /dev/null +++ b/pkgs/ordercollect/default.nix @@ -0,0 +1,23 @@ +{ buildGoModule, fetchFromGitea, lib }: + +buildGoModule rec { + pname = "ordercollect"; + version = "0.1.0"; + + src = fetchFromGitea { + domain = "code.lanakk.com"; + owner = "LANAKK"; + repo = "ordercollect"; + rev = "9ecbfa46f6758214aa2fcee7ad96aa7730301a06"; + hash = "sha256-n4njl7LwG6GuoTj7x3rWOjErZ/a1Fog0qAymYxvsR2w="; + }; + + vendorHash = "sha256-G6k331XRuVN/cM4sNcdUV9/BzdISQI7Ljc4tesJnmH0="; + + meta = with lib; { + description = "A simple Api for creating orders, written in Go"; + homepage = "https://code.lanakk.com/LANAKK/ordercollect"; + license = licenses.mit; + maintainers = with maintainers; [ m3tam3re ]; + }; +}
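Review bot: `maintainers = with maintainers; [ m3tam3re ]` resolves `lib.maintainers.m3tam3re`, which only exists if that handle is in nixpkgs' maintainer list; otherwise evaluating `meta` fails with an undefined variable. If it is not upstream, use `maintainers = [ ];` or a local entry such as `[ { name = "m3tam3re"; } ]`. `rec` is unnecessary here since neither `pname` nor `version` is referenced elsewhere in the set.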