This commit is contained in:
m3tam3re 2023-07-18 12:53:55 +02:00
parent 5fa6d0b0ee
commit 16d4ec6928
32 changed files with 692 additions and 33 deletions


@ -28,6 +28,10 @@
modules =
[ allowUnfree ./hosts/lkk-nix-1 agenix.nixosModules.default ];
};
m3-r1 = lib.nixosSystem {
specialArgs = { inherit inputs; };
modules = [ allowUnfree ./hosts/m3-r1 agenix.nixosModules.default ];
};
lkk-prod-1 = lib.nixosSystem {
specialArgs = { inherit inputs; };
modules =
@ -56,6 +60,12 @@
};
modules = [ ./home/users/m3tam3re/lkk-nix-1.nix ];
};
"m3tam3re@m3-r1" = home-manager.lib.homeManagerConfiguration {
pkgs = nixpkgs.legacyPackages."x86_64-linux";
extraSpecialArgs = { # pass things to t
};
modules = [ ./home/users/m3tam3re/m3-r1.nix ];
};
};
deploy.nodes.lkk-nix-1 = {
hostname = "lkk-nix-1";
@ -66,6 +76,15 @@
self.nixosConfigurations.lkk-nix-1;
};
};
deploy.nodes.m3-r1 = {
hostname = "lkk-nix-1";
sshUser = "root";
profiles.system = {
user = "root";
path = deploy-rs.lib.x86_64-linux.activate.nixos
self.nixosConfigurations.lkk-nix-1;
};
};
deploy.nodes.lkk-prod-1 = {
hostname = "lkk-prod-1";
sshUser = "root";
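Review bot: The new `deploy.nodes.m3-r1` entry still points at the other machine — `hostname = "lkk-nix-1"` and `activate.nixos self.nixosConfigurations.lkk-nix-1` — so deploying `m3-r1` would push lkk-nix-1's closure to lkk-nix-1 as root, and m3-r1 itself never gets its own configuration. Change the two lines to `hostname = "m3-r1";` and `self.nixosConfigurations.m3-r1;`. The `deploy.nodes.m3-r1` attrset is complete within the hunk, but the surrounding `deploy.nodes` definitions continue outside it.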


@ -1,10 +1,12 @@
{ pkgs, ... }: {
imports = [ ./emacs.nix ./golang.nix ./nix.nix ./nodejs.nix ./rust.nix ./tools.nix ];
imports =
[ ./emacs.nix ./golang.nix ./nix.nix ./nodejs.nix ./rust.nix ./tools.nix ];
home.packages = with pkgs;
[
home.packages = with pkgs; [
ispell
python3
python311Packages.pip
python311Packages.setuptools
guile_3_0
tinyscheme
];


@ -18,6 +18,7 @@ in {
handbrake
libsForQt5.kdenlive
makemkv
mediainfo
mpv
plexamp
uxplay


@ -0,0 +1,12 @@
{ config, pkgs, ... }: {
imports = [ ./base ../../features/cli ];
features = {
cli = {
fish.enable = true;
starship.enable = true;
};
};
home.stateVersion = "22.11";
}

hosts/m3-r1/default.nix Normal file

@ -0,0 +1,69 @@
{ pkgs, ... }: {
imports = [
./hardware-configuration.nix
../common/users/m3tam3re
../common/base
./services
];
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
services.openssh.enable = true;
services.openssh.settings.PasswordAuthentication = false;
networking = {
hostName = "m3-r1";
firewall.enable = true;
firewall.allowedTCPPortRanges = [{
from = 3000;
to = 3100;
}];
firewall.allowedTCPPorts = [ 53 80 443 5432 3306 3478 ];
firewall.allowedUDPPorts = [ 53 51820 41641 ];
firewall.allowedUDPPortRanges = [{
from = 3478;
to = 3481;
}];
};
programs.fish.enable = true;
age = {
secrets = {
mj-smtp-user.file = ../../secrets/mj-smtp-user.age;
mj-smtp-pass.file = ../../secrets/mj-smtp-pass.age;
tailscale-key.file = ../../secrets/tailscale-key.age;
vaultwarden-env = {
file = ../../secrets/vaultwarden-env.age;
mode = "770";
};
n8n-env = {
file = ../../secrets/n8n-env.age;
mode = "770";
};
traefik-env = {
file = ../../secrets/traefik-env.age;
mode = "770";
owner = "traefik";
};
searx-environmentFile = {
file = ../../secrets/searx-environmentFile.age;
mode = "770";
owner = "searx";
};
};
identityPaths = [ "/root/.ssh/lkk-nix-1" ];
};
nix = {
gc = {
automatic = true;
options = "--delete-older-than 30d";
};
optimise.automatic = true;
};
system.stateVersion = "23.05"; # Did you read the comment?
}
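Review bot: The firewall block opens 5432, 3306 and the whole 3000-3100 TCP range on every interface, which exposes Postgres, MariaDB and each container's host-published port (3001, 3003, 3008, 3014 per the container files and Traefik's service list) directly, bypassing the TLS termination and the `auth` middleware that Traefik applies on 443 — the vaultwarden basic-auth in particular is moot if 3014 is reachable. Unless something off-host genuinely needs them, reduce this to `firewall.allowedTCPPorts = [ 53 80 443 3478 ];` and drop the `allowedTCPPortRanges` entry. Separately, `mode = "770"` on the four secret entries makes the decrypted files group-writable; since they are consumed through systemd `EnvironmentFile` (read by the service manager, not the service user) `mode = "0400"` is sufficient, with `owner` only where a service reads the file itself. `identityPaths = [ "/root/.ssh/lkk-nix-1" ]` also looks copied from the other host — confirm that key exists on m3-r1, otherwise no secret decrypts at activation.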


@ -0,0 +1,55 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/6f25ddea-6022-4663-9f5d-58b383de7e52";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/6f25ddea-6022-4663-9f5d-58b383de7e52";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/6f25ddea-6022-4663-9f5d-58b383de7e52";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/2550-EF31";
fsType = "vfat";
};
fileSystems."/var/backup" =
{ device = "46.38.248.210:/voln527829a1";
fsType = "nfs";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens3.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -0,0 +1,11 @@
{ config, pkgs, ... }:
{
imports = [ ./containers ];
virtualisation.podman = {
enable = true;
defaultNetwork.settings = { dns_enabled = true; };
};
virtualisation.oci-containers.backend = "podman";
}


@ -0,0 +1,25 @@
{ config, outputs, ... }: {
virtualisation.oci-containers.containers."baserow" = {
image = "docker.io/baserow/baserow:1.18.0";
environment = {
BASEROW_PUBLIC_URL = "https://db.lanakk.com";
POSTGRES_USER = "baserow";
POSTGRES_PASSWORD = "baserow";
POSTGRES_DB = "baserow";
DATABASE_HOST = "postgres";
DATABASE_NAME = "baserow";
DATABASE_USER = "baserow";
DATABASE_PASSWORD = "baserow";
EMAIL_SMTP = "in-v3.mailjet.com";
EMAIL_SMTP_HOST = "in-v3.mailjet.com";
EMAIL_SMTP_PORT = "587";
EMAIL_SMTP_USER = config.age.secrets.mj-smtp-user.path;
EMAIL_SMTP_PASSWORD = config.age.secrets.mj-smtp-pass.path;
};
ports = [ "3001:80" ];
volumes = [ "baserow_data:/baserow/data" ];
extraOptions = [ "--add-host=postgres:10.88.0.1" "--ip=10.88.0.11" ];
};
}
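Review bot: `EMAIL_SMTP_USER` and `EMAIL_SMTP_PASSWORD` are assigned `config.age.secrets.*.path`, i.e. the host path of the decrypted secret, not its contents, so Baserow would try to authenticate to Mailjet with a literal file path — and the file isn't mounted into the container anyway. Put both values in an agenix-managed env file and pass it with `environmentFiles = [ config.age.secrets.<name>.path ];`, the way briefkasten.nix does. Note also that, as far as I can tell, the oci-containers module renders `environment` into the unit's start script in the world-readable Nix store, so `POSTGRES_PASSWORD = "baserow"` is visible to every local user; with the `trust` rule for 10.88.0.0/16 in postgres.nix the password is never checked anyway, which is its own problem.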


@ -0,0 +1,8 @@
{ config, outputs, ... }: {
virtualisation.oci-containers.containers."briefkasten" = {
image = "docker.io/ndom91/briefkasten";
environmentFiles = [ config.age.secrets.briefkasten-env.path ];
ports = [ "3009:3000" ];
extraOptions = [ "--add-host=postgres:10.88.0.1" "--ip=10.88.0.19" ];
};
}
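Review bot: `config.age.secrets.briefkasten-env` is referenced here but no such secret is declared in the host's `age.secrets` block in this commit, so uncommenting `./briefkasten.nix` in containers/default.nix would fail evaluation on a missing attribute. Either add `briefkasten-env.file = ../../secrets/briefkasten-env.age;` next to the other secrets or leave the file out until it is wired up. `docker.io/ndom91/briefkasten` is also untagged, so each rebuild pulls whatever `latest` is at that moment; pin a tag or digest.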


@ -0,0 +1,12 @@
{
imports = [
./baserow.nix
# ./briefkasten.nix
# ./little-link.nix
./matomo.nix
./mautic.nix
# ./nextcloud.nix
# ./nginx.nix
# ./wordpress.nix
];
}


@ -0,0 +1,14 @@
{ config, outputs, ... }: {
virtualisation.oci-containers.containers."littlelink_lanakk" = {
image = "ghcr.io/techno-tim/littlelink-server";
environmentFiles = [ config.age.secrets.littlelink-lanakk-env.path ];
ports = [ "3010:3000" ];
extraOptions = [ "--ip=10.88.0.20" ];
};
virtualisation.oci-containers.containers."littlelink_m3tam3re" = {
image = "ghcr.io/techno-tim/littlelink-server";
environmentFiles = [ config.age.secrets.littlelink-m3tam3re-env.path ];
ports = [ "3011:3000" ];
extraOptions = [ "--ip=10.88.0.21" ];
};
}
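Review bot: Neither `littlelink-lanakk-env` nor `littlelink-m3tam3re-env` is declared under `age.secrets` for this host in this commit, so enabling this file would fail evaluation; add the two `.file` entries alongside the other secrets before uncommenting it. `ghcr.io/techno-tim/littlelink-server` is untagged in both containers — pin a tag or digest so a rebuild doesn't silently pull a different image.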


@ -0,0 +1,16 @@
{ config, outputs, ... }: {
virtualisation.oci-containers.containers."matomo" = {
image = "docker.io/matomo";
environment = {
MATOMO_DATABASE_HOST = "mysql";
MATOMO_DATABASE_USERNAME = "matomo";
MATOMO_DATABASE_PASSWORD = "matomo";
MATOMO_DATABASE_DBNAME = "matomo";
PHP_MEMORY_LIMIT="2048M";
};
ports = [ "3003:80" ];
volumes = [ "matomo_data:/var/www/html" ];
extraOptions = [ "--add-host=mysql:10.88.0.1" "--ip=10.88.0.13" ];
};
}
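Review bot: `docker.io/matomo` carries no tag, so every rebuild pulls the current `latest`, and `MATOMO_DATABASE_PASSWORD = "matomo"` is a fixed credential in `environment`, which the oci-containers module writes into the unit's start script in the world-readable Nix store. Pin the image (`docker.io/matomo:<version>`) and move the credentials into an agenix-backed `environmentFiles` entry as briefkasten.nix does. The `services.mysql` block in this commit creates no `matomo` database or user (no `ensureDatabases`/`ensureUsers`), so unless those were made by hand the container cannot connect — worth confirming.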


@ -0,0 +1,16 @@
{ config, outputs, ... }: {
virtualisation.oci-containers.containers."mautic" = {
image = "docker.io/mautic/mautic:v4-apache";
environment = {
MAUTIC_DB_HOST = "mysql";
MAUTIC_DB_USER = "mautic";
MAUTIC_DB_PASSWORD = "mautic";
MAUTIC_DB_DBNAME = "mautic";
PHP_MEMORY_LIMIT="2048M";
MAUTIC_RUN_CRON_JOBS="true";
};
ports = [ "3008:80" ];
volumes = [ "mautic_data:/var/www/html" ];
extraOptions = [ "--add-host=mysql:10.88.0.1" "--ip=10.88.0.23" ];
};
}
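Review bot: `MAUTIC_DB_PASSWORD = "mautic"` is a fixed credential that ends up in the container's start script in the Nix store, readable by every local user; move it to an agenix-backed `environmentFiles` entry like briefkasten.nix. The MariaDB service defined in this commit does not create the `mautic` database or account, so this only works if they were created manually — confirm, or add them declaratively. The container is also published on 3008, inside the 3000-3100 range the host firewall opens, so it is reachable over plain HTTP without Traefik.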


@ -0,0 +1,14 @@
{ config, outputs, ... }: {
virtualisation.oci-containers.containers."nextcloud" = {
image = "docker.io/nextcloud";
environment = {
TRUSTED_PROXIES = "10.88.0.1/16";
OVERWRITEPROTOCOL = "https";
OVERWRITECLIURL = "https://cloud.lanakk.com";
OVERWRITEHOST = "cloud.lanakk.com";
};
ports = [ "3005:80" ];
volumes = [ "nextcloud_data:/var/www/html" ];
extraOptions = [ "--add-host=mysql:10.88.0.1" "--ip=10.88.0.15" ];
};
}
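Review bot: `TRUSTED_PROXIES = "10.88.0.1/16"` has host bits set; the canonical prefix is `10.88.0.0/16`, and if Nextcloud's CIDR matching does not normalise it the proxy is never trusted, so client IPs seen by logging and brute-force protection would be Traefik's address — verify, or write `10.88.0.0/16`. `docker.io/nextcloud` is untagged, and no database variables are set here; since the file is commented out in containers/default.nix this is presumably unfinished, so a `# TODO` stating what is missing would help the next reader.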


@ -0,0 +1,8 @@
{ config, outputs, ... }: {
virtualisation.oci-containers.containers."http-images" = {
image = "docker.io/nginx:alpine";
ports = [ "3012:80" ];
volumes = [ "/opt/service-data/http-images:/usr/share/nginx/html"];
extraOptions = [ "--ip=10.88.0.22" ];
};
}


@ -0,0 +1,15 @@
{ config, outputs, ... }: {
virtualisation.oci-containers.containers."wireguard" = {
image = "docker.io/weejewel/wg-easy";
environment = { WG_HOST = "wg.lanakk.com"; WG_DEFAULT_DNS = "10.88.0.1:5353"; };
ports = [ "3007:51821/tcp" "51820:51820/udp" ];
volumes = [ "wireguard_data:/etc/wireguard" ];
extraOptions = [
"--cap-add=NET_ADMIN"
"--cap-add=SYS_MODULE"
"--sysctl=net.ipv4.conf.all.src_valid_mark=1"
"--sysctl=net.ipv4.ip_forward=1"
"--ip=10.88.0.17"
];
};
}
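Review bot: `--cap-add=SYS_MODULE` lets the container load kernel modules on the host, which is effectively host root; WireGuard is in-kernel on current kernels, so check whether wg-easy still needs it and drop it otherwise. No `PASSWORD` variable is set for the wg-easy web UI published on 3007, which sits inside the 3000-3100 range the host firewall opens — if the image defaults to no authentication, the peer-management UI would be public; confirm, and supply it through an agenix `environmentFiles` entry. `docker.io/weejewel/wg-easy` is untagged, and this file is not referenced by containers/default.nix at all, so it is currently dead config.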


@ -0,0 +1,14 @@
{ config, outputs, ... }: {
virtualisation.oci-containers.containers."lanakk_blog" = {
image = "docker.io/wordpress";
environment = {
WORDPRESS_DB_HOST = "mysql";
WORDPRESS_DB_USER = "wp";
WORDPRESS_DB_PASSWORD = "wp";
WORDPRESS_DB_NAME = "lanakk_blog";
};
ports = [ "3002:80" ];
volumes = [ "lanakk_blog_data:/var/www/html" ];
extraOptions = [ "--add-host=mysql:10.88.0.1" "--ip=10.88.0.12" ];
};
}


@ -0,0 +1,13 @@
{
imports = [
./container.nix
./gitea.nix
./n8n.nix
./postgres.nix
./searx.nix
./syncthing.nix
./tailscale.nix
./traefik.nix
./vaultwarden.nix
];
}


@ -0,0 +1,13 @@
{ config, pkgs, ... }:
{
services.gitea = {
enable = true;
settings.server.ROOT_URL = "https://code.lanakk.com";
lfs.enable = true;
dump = {
enable = true;
interval = "03:30:00";
backupDir = "/var/backup/gitea";
};
};
}
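Review bot: `ROOT_URL = "https://code.lanakk.com"` does not match the hostname Traefik routes to this service, ``Host(`code.m3tam3re.com`)`` in traefik.nix, so generated links, OAuth callbacks and Gitea's host check will use a domain that isn't routed here — align one of them. Nothing in this file disables open registration; unless it is set elsewhere, Gitea's default allows anyone to sign up, so add `settings.service.DISABLE_REGISTRATION = true;`. The `dump` target `/var/backup/gitea` lies on the `/var/backup` mount that hardware-configuration.nix takes via plain NFS from `46.38.248.210`; NFS without `sec=krb5p` is unencrypted in transit, so repository dumps would cross the network in clear.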


@ -0,0 +1,13 @@
{ pkgs, config, ... }:
{
services.mysql = {
enable = true;
package = pkgs.mariadb;
};
services.mysqlBackup = {
enable = true;
calendar = "03:00:00";
databases = [ "" ];
};
}
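Review bot: `services.mysqlBackup.databases = [ "" ]` names an empty database, so the nightly job dumps nothing useful (or fails) and none of the MariaDB data the matomo/mautic containers rely on is backed up; list the real schemas, e.g. `databases = [ "matomo" "mautic" ];`. Nothing here creates those databases or the `matomo`/`mautic` accounts the containers use (`ensureDatabases`/`ensureUsers` are absent), so either they were created by hand or the containers cannot connect — confirm. The host firewall also opens 3306 publicly while the containers only reach MariaDB at 10.88.0.1; bind it there (`settings.mysqld.bind-address = "10.88.0.1";`) and drop 3306 from the firewall.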


@ -0,0 +1,15 @@
{ config, pkgs, ... }: {
services.n8n = {
enable = true;
openFirewall = true;
settings = {
host = "wf.lanakk.com";
protocol = "https";
editorBaseUrl="https://wf.lanakk.com";
};
};
systemd.services.n8n.serviceConfig = {
EnvironmentFile = "${config.age.secrets.n8n-env.path}";
};
}
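Review bot: `openFirewall = true` opens n8n's own listener (5678, per Traefik's service entry) on every interface, so the editor is reachable over plain HTTP without Traefik's TLS or any middleware; remove the line, since Traefik already proxies `http://localhost:5678/`. `host` and `editorBaseUrl` say `wf.lanakk.com` while the Traefik router for n8n matches `io.m3tam3re.com`, so webhook URLs and redirects will be generated for a hostname that is not routed — align them. Wiring the agenix secret through `serviceConfig.EnvironmentFile` is fine.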


@ -0,0 +1,26 @@
{ pkgs, config, ... }:
{
services.postgresql = {
enable = true;
enableTCPIP = true;
package = pkgs.postgresql_15;
authentication = pkgs.lib.mkOverride 10 ''
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
host all all 10.88.0.1/16 trust
'';
initialScript = pkgs.writeText "backend-initScript" ''
CREATE USER baserow WITH ENCRYPTED PASSWORD 'baserow';
CREATE DATABASE baserow;
GRANT ALL PRIVILEGES ON DATABASE baserow TO baserow;
ALTER DATABASE baserow OWNER to baserow;
'';
};
services.postgresqlBackup = {
enable = true;
startAt = "03:10:00";
databases = [ "baserow" ];
};
}
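Review bot: Every `host` rule uses `trust`, and with `enableTCPIP` plus 5432 opened in the host firewall, any process on the host and any container in 10.88.0.0/16 can connect as any role — including `postgres` — without a password; the `ENCRYPTED PASSWORD` set in `initialScript` is never checked. Switch to `host all all 127.0.0.1/32 scram-sha-256`, `host all all ::1/128 scram-sha-256`, `host all all 10.88.0.0/16 scram-sha-256` (note the canonical `10.88.0.0/16` rather than `10.88.0.1/16`) and make the `local` line `peer` instead of `trust`. The `initialScript` is a `writeText` derivation, so `'baserow'` sits in the world-readable Nix store — set the password out of band or from a secret file. `postgresqlBackup` writes under `/var/backup` by default, which this host mounts over plain NFS from a public address.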


@ -0,0 +1,11 @@
{ pkgs, ... }:
{
services.searx = {
enable = true;
package = pkgs.searxng;
settings = {
server.port = 3004;
server.secret_key = "@SEARX_SECRET_KEY@";
};
};
}
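Review bot: `server.secret_key = "@SEARX_SECRET_KEY@"` is a placeholder that the NixOS searx module substitutes only from `services.searx.environmentFile`, which is not set here, so the literal string `@SEARX_SECRET_KEY@` becomes the instance's secret key. The host already declares a `searx-environmentFile` agenix secret; wire it in with `environmentFile = config.age.secrets.searx-environmentFile.path;` and add `config` to the module arguments (`{ config, pkgs, ... }:`). Port 3004 is also inside the 3000-3100 range the firewall opens, so unless the module defaults `server.bind_address` to loopback, set `server.bind_address = "127.0.0.1";` so the instance is only reachable through Traefik.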


@ -0,0 +1,20 @@
{ config, pkgs, ... }: {
services.syncthing = {
enable = true;
openDefaultPorts = true;
guiAddress = "0.0.0.0:8384";
overrideDevices = true;
overrideFolders = true;
devices = {
"LK-DATA" = {
id = "BI7CMZF-2SGQMXW-RG47HRG-FEH454J-ZTCE544-BXNSCSJ-PXCE7A7-R4CX2Q3";
};
};
folders = {
"Bildvorschauen" = {
path = "/opt/service-data/http-images";
devices = [ "LK-DATA" ];
};
};
};
}
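Review bot: `guiAddress = "0.0.0.0:8384"` binds the admin GUI on every interface, and the Traefik router for `sync.m3tam3re.com` carries no `auth` middleware, so unless a GUI user/password is configured inside Syncthing itself the web UI — which can add devices and share any host path — is open to the internet through Traefik and to the whole tailnet via the trusted `tailscale0` interface. Bind it to `guiAddress = "127.0.0.1:8384";` (Traefik already proxies `http://localhost:8384/`) and add `middlewares = "auth"` to the syncthing router, or set a GUI password declaratively. `/opt/service-data/http-images` is also the directory nginx.nix would publish, so anything the `LK-DATA` device syncs there becomes web-served; presumably intended, but a one-line comment saying so would help.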


@ -0,0 +1,38 @@
{ config, pkgs, ... }: {
services.tailscale = {
enable = true;
useRoutingFeatures = "both";
};
networking.firewall = {
trustedInterfaces = [ "tailscale0" ];
};
systemd.services.tailscale-autoconnect = {
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = [ "network-pre.target" "tailscale.service" ];
wants = [ "network-pre.target" "tailscale.service" ];
wantedBy = [ "multi-user.target" ];
# set this service as a oneshot job
serviceConfig = {
Type = "oneshot";
EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
};
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# otherwise authenticate with tailscale
${tailscale}/bin/tailscale up --advertise-exit-node --authkey $TAILSCALE_KEY
'';
};
}
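Review bot: The two variable expansions in the script are unquoted: when `$status` is empty (tailscaled not yet answering, or `jq` failing) `[ $status = "Running" ]` becomes `[ = Running ]`, a test syntax error that, under the `set -e` NixOS applies to `script`, aborts the unit before `tailscale up` ever runs; `--authkey $TAILSCALE_KEY` word-splits likewise. Quote both: `if [ "$status" = "Running" ]; then` and `--authkey "$TAILSCALE_KEY"`. Separately, `trustedInterfaces = [ "tailscale0" ]` bypasses the firewall entirely for tailnet peers, so every service bound to 0.0.0.0 (the Syncthing GUI, the published container ports, Postgres/MariaDB) is reachable from any device on the tailnet, and `--advertise-exit-node` makes this server an exit node — confirm both are intended. Passing the key on the command line also exposes it briefly in `ps`; recent Tailscale versions accept `--auth-key file:/path`, which avoids that.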


@ -0,0 +1,159 @@
{ config, ... }: {
services.traefik = {
enable = true;
staticConfigOptions = {
log = { level = "WARN"; };
certificatesResolvers = {
godaddy = {
acme = {
email = "dev@lanakk.com";
storage = "/var/lib/traefik/acme.json";
dnsChallenge = { provider = "godaddy"; };
};
};
lets-encrypt = {
acme = {
email = "acc@m3tam3re.com";
storage = "/var/lib/traefik/acme.json";
tlsChallenge = { };
};
};
};
api = { };
entryPoints = {
web = {
address = ":80";
http.redirections.entryPoint = {
to = "websecure";
scheme = "https";
};
};
websecure = { address = ":443"; };
};
};
dynamicConfigOptions = {
http = {
middlewares = {
auth = {
basicAuth = {
users = [ "m3tam3re:$apr1$1xqdta2b$DIVNvvp5iTUGNccJjguKh." ];
};
};
nextcloud_redirectregex = {
redirectRegex = {
permanent = true;
regex = "https://(.*)/.well-known/(?:card|cal)dav";
replacement = "https://\${1}/remote.php/dav";
};
};
nextcloud_headers = {
headers = {
referrerPolicy = "no-referrer";
stsSeconds = "31536000";
forceSTSHeader = true;
stsPreload = true;
stsIncludeSubdomains = true;
};
};
};
services = {
baserow.loadBalancer.servers = [{ url = "http://localhost:3001/"; }];
gitea.loadBalancer.servers = [{ url = "http://localhost:3000/"; }];
n8n.loadBalancer.servers = [{ url = "http://localhost:5678/"; }];
lanakk_blog.loadBalancer.servers =
[{ url = "http://localhost:3002/"; }];
matomo.loadBalancer.servers = [{ url = "http://localhost:3003/"; }];
searx.loadBalancer.servers = [{ url = "http://localhost:3004/"; }];
mautic.loadBalancer.servers = [{ url = "http://localhost:3008/"; }];
syncthing.loadBalancer.servers =
[{ url = "http://localhost:8384/"; }];
vaultwarden.loadBalancer.servers =
[{ url = "http://localhost:3014/"; }];
};
routers = {
api = {
rule = "Host(`r.m3tam3re.com`)";
tls = { certResolver = "lets-encrypt"; };
service = "api@internal";
middlewares = "auth";
entrypoints = "websecure";
};
baserow = {
rule = "Host(`br.m3tam3re.com`)";
tls = { certResolver = "lets-encrypt"; };
service = "baserow";
entrypoints = "websecure";
};
gitea = {
rule = "Host(`code.m3tam3re.com`)";
tls = {
certResolver = "lets-encrypt";
domains = "code.m3tam3re.com";
};
service = "gitea";
entrypoints = "websecure";
};
n8n = {
rule = "Host(`io.m3tam3re.com`)";
tls = {
certResolver = "lets-encrypt";
domains = "io.m3tam3re.com";
};
service = "n8n";
entrypoints = "websecure";
};
matomo-m3tam3re = {
rule = "Host(`stats.m3tam3re.com`)";
tls = {
certResolver = "lets-encrypt";
domains = "stats.m3tam3re.com";
};
service = "matomo";
entrypoints = "websecure";
};
searx = {
rule = "Host(`search.m3tam3re.com`)";
tls = {
certResolver = "lets-encrypt";
domains = "search.m3tam3re.com";
};
service = "searx";
entrypoints = "websecure";
};
mautic = {
rule = "Host(`ma.m3tam3re.com`)";
tls = {
certResolver = "lets-encrypt";
domains = "ma.m3tam3re.com";
};
service = "mautic";
entrypoints = "websecure";
};
syncthing = {
rule = "Host(`sync.m3tam3re.com`)";
tls = {
certResolver = "lets-encrypt";
domains = "sync.m3tam3re.com";
};
service = "syncthing";
entrypoints = "websecure";
};
vaultwarden = {
rule = "Host(`vw.m3tam3re.com`)";
tls = {
certResolver = "lets-encrypt";
domains = "vw.m3tam3re.com";
};
service = "vaultwarden";
middlewares = "auth";
entrypoints = "websecure";
};
};
};
};
};
systemd.services.traefik.serviceConfig = {
EnvironmentFile = [ "${config.age.secrets.traefik-env.path}" ];
};
}
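Review bot: The basic-auth credential shared by the dashboard (`api`) and the `vaultwarden` router is an `$apr1$` (MD5-crypt) hash written into `dynamicConfigOptions`, which lands in the world-readable Nix store; use `basicAuth.usersFile` pointing at an agenix-managed file with a bcrypt hash instead (the `traefik-env` secret is already wired, but basicAuth does not read environment variables). The `nextcloud_headers` HSTS middleware is defined but attached to no router, so no route sends HSTS — attach it (or a generic headers middleware) to each router's `middlewares`. Several routers give `tls.domains` as a bare string and `middlewares` as a string where Traefik expects lists (`domains = [{ main = "…"; }]`, `middlewares = [ "auth" ]`); depending on how the module serialises these Traefik may reject or ignore them, so check the startup log. Both cert resolvers also share `/var/lib/traefik/acme.json`; confirm Traefik allows two resolvers on one storage file, otherwise give each its own.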


@ -0,0 +1,8 @@
{ config, pkgs, ... }: {
services.vaultwarden = {
enable = true;
backupDir = "/var/backup/vaultwarden";
environmentFile = "${config.age.secrets.vaultwarden-env.path}";
};
}
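Review bot: `backupDir = "/var/backup/vaultwarden"` lies on the `/var/backup` mount that hardware-configuration.nix takes from an NFS export at `46.38.248.210`; the vault database and data directory would then cross the network over NFS, which without `sec=krb5p` is neither encrypted nor authenticated beyond client IP and UID. Either back up locally and push with an encrypting tool, or mount the export with Kerberos or over the tailnet, and keep the directory root-only. Nothing visible sets `SIGNUPS_ALLOWED=false` or `ADMIN_TOKEN`; if they are not in the env file, open registration is on by default — a comment here stating what the secret must contain would make that checkable.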


@ -0,0 +1 @@
{ ordercollect = import ./ordercollect.nix; }


@ -0,0 +1,31 @@
{ config, lib, ... }:
with lib;
let cfg = config.services.ordercollect;
in {
options.services.ordercollect = {
enable = mkEnableOption "Enable Ordercollect";
port = mkOption {
type = types.str;
description = "The http port to run on";
default = "";
};
package = mkOption {
type = types.package;
default = pkgs.ordercollect;
description = ''
The package for ordercollect
'';
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
systemd.services.ordercollect = {
ExecStart = "${cfg.package}/bin/ordercollect --port ${cfg.port}";
Restart = "on-failure";
};
};
}
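Review bot: This module cannot evaluate once enabled: `pkgs` is used for the `package` default but is not in the module's argument set (`{ config, lib, ... }`), and `ExecStart`/`Restart` sit directly under `systemd.services.ordercollect` rather than under `serviceConfig`, which NixOS rejects as undefined options; the unit also has no `wantedBy`, so it would never start, and `port` defaults to `""`, yielding `--port ` with no value. Add `pkgs` to the arguments, move the two keys into `serviceConfig`, add `wantedBy`, and — since nothing sets a user and the daemon would otherwise run as root — use `DynamicUser = true` plus the usual hardening. Replacing `types.str` with `types.port` and a real default would fix the empty `--port`.
```nix
{ config, lib, pkgs, ... }:
# … unchanged: `with lib;`, `cfg` binding and option declarations (consider types.port with a real default) …
  config = mkIf cfg.enable {
    environment.systemPackages = [ cfg.package ];
    systemd.services.ordercollect = {
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      serviceConfig = {
        ExecStart = "${cfg.package}/bin/ordercollect --port ${toString cfg.port}";
        Restart = "on-failure";
        DynamicUser = true;
        NoNewPrivileges = true;
        ProtectSystem = "strict";
      };
    };
  };
```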


@ -1,24 +0,0 @@
{ stdenv, lib, fetchFromGitHub, bash, pkgs, makeWrapper }:
with lib;
with pkgs;
stdenv.mkDerivation {
pname = "wofi-pass";
version = "0.1";
src = fetchFromGitHub {
owner = "TinfoilSubmarine";
repo = "wofi-pass";
rev = "869c545";
sha256 = "gcfW8E/3/dqv0P3S4z9fDv8k4R7czcIKwpo/OHFFWj0=";
};
buildInputs = [ bash coreutils wl-clipboard wofi wtype ];
nativeBuildInputs = [ makeWrapper ];
installPhase = ''
mkdir -p $out/bin
cp wofi-pass $out/bin/wofi-pass
wrapProgram $out/bin/wofi-pass \
--prefix PATH : ${makeBinPath [ bash coreutils wl-clipboard wofi wtype ]}
'';
}


@ -2,5 +2,6 @@
wofi-pass = pkgs.callPackage ./wofi-pass { };
bemoji = pkgs.callPackage ./bemoji { };
ordercollect = pkgs.callPackage ./ordercollect { };
}


@ -0,0 +1,23 @@
{ buildGoModule, fetchFromGitea, lib }:
buildGoModule rec {
pname = "ordercollect";
version = "0.1.0";
src = fetchFromGitea {
domain = "code.lanakk.com";
owner = "LANAKK";
repo = "ordercollect";
rev = "9ecbfa46f6758214aa2fcee7ad96aa7730301a06";
hash = "sha256-n4njl7LwG6GuoTj7x3rWOjErZ/a1Fog0qAymYxvsR2w=";
};
vendorHash = "sha256-G6k331XRuVN/cM4sNcdUV9/BzdISQI7Ljc4tesJnmH0=";
meta = with lib; {
description = "A simple Api for creating orders, written in Go";
homepage = "https://code.lanakk.com/LANAKK/ordercollect";
license = licenses.mit;
maintainers = with maintainers; [ m3tam3re ];
};
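Review bot: `maintainers = with maintainers; [ m3tam3re ]` resolves `lib.maintainers.m3tam3re`; unless that entry exists in the pinned nixpkgs, evaluating `meta` fails with an undefined variable as soon as the package is built. Use a literal attrset (`maintainers = [{ name = "m3tam3re"; }];`) or drop the field. The source is pinned by commit and by `hash`/`vendorHash`, so building from the self-hosted Gitea is reproducible — fine provided the hashes were computed from a checkout you trust, since that server is itself deployed by this configuration.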
}