From 97bf3bb177dc2c39ffa86f031151739494f45f86 Mon Sep 17 00:00:00 2001 From: Avery Date: Sat, 21 Jun 2025 15:42:06 +0200 Subject: [PATCH] Update greatyamada config --- common/nixos.nix | 8 +- common/zsh.nix | 18 +- flake.lock | 163 +++++------- flake.nix | 15 ++ hosts/greatyamada/nixos/default.nix | 36 ++- hosts/greatyamada/nixos/filesystems.nix | 28 +-- .../services/_port-definitions.nix | 13 +- hosts/greatyamada/services/acme.nix | 11 +- hosts/greatyamada/services/adguardhome.nix | 233 +++++++++++++++++- hosts/greatyamada/services/default.nix | 6 +- hosts/greatyamada/services/forgejo.nix | 27 +- hosts/greatyamada/services/inadyn.nix | 13 +- hosts/greatyamada/services/jellyfin.nix | 19 +- hosts/greatyamada/services/nginx.nix | 8 +- hosts/greatyamada/services/pgadmin.nix | 21 ++ hosts/greatyamada/services/postgresql.nix | 5 +- hosts/greatyamada/services/radicale.nix | 9 +- hosts/greatyamada/services/searxng.nix | 46 ++++ hosts/greatyamada/services/vaultwarden.nix | 36 +++ hosts/greatyamada/services/wireguard.nix | 34 +-- hosts/mizuki/development.nix | 9 +- hosts/mizuki/nixos.nix | 10 +- 22 files changed, 556 insertions(+), 212 deletions(-) create mode 100644 hosts/greatyamada/services/pgadmin.nix create mode 100644 hosts/greatyamada/services/searxng.nix create mode 100644 hosts/greatyamada/services/vaultwarden.nix diff --git a/common/nixos.nix b/common/nixos.nix index e8f3d53..0882840 100644 --- a/common/nixos.nix +++ b/common/nixos.nix @@ -40,7 +40,13 @@ }; }; - services.openssh.enable = true; + services.openssh = { + enable = true; + settings = { + X11Forwarding = false; + PermitRootLogin = "no"; + }; + }; sops = { secrets.avery_password = { diff --git a/common/zsh.nix b/common/zsh.nix index 5016573..b93a554 100644 --- a/common/zsh.nix +++ b/common/zsh.nix 
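Review bot: The new `services.openssh.settings` block in common/nixos.nix disables root login and X11 forwarding but leaves password authentication at the NixOS default, which is enabled, so the hardening stops short of key-only login even though the sops `avery_password` secret below shows that password-bearing accounts exist on these hosts. Adding `PasswordAuthentication = false;` and `KbdInteractiveAuthentication = false;` next to `PermitRootLogin = "no";` would close that gap; if any host still needs password login, that host can override with `lib.mkForce`. Note also that `X11Forwarding = false` is already sshd's default, so the line documents intent rather than changing behaviour. The enclosing attribute set continues outside the hunk.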
@@ -1,8 +1,14 @@ -{ config, ... }: { +{ config, lib, ... }: { programs = { zsh = { enable = true; - initExtra = '' + initContent = lib.mkBefore '' + setopt AUTO_PUSHD + setopt SHARE_HISTORY + setopt MENUCOMPLETE + autoload -U history-search-end + zle -N history-beginning-search-backward-end history-search-end + zle -N history-beginning-search-forward-end history-search-end bindkey "^[OA" history-beginning-search-backward-end bindkey "^[OB" history-beginning-search-forward-end bindkey "^r" history-incremental-search-backward @@ -20,14 +26,6 @@ fastfetch ''; - initExtraFirst = '' - setopt AUTO_PUSHD - setopt SHARE_HISTORY - setopt MENUCOMPLETE - autoload -U history-search-end - zle -N history-beginning-search-backward-end history-search-end - zle -N history-beginning-search-forward-end history-search-end - ''; history.path = "${config.xdg.dataHome}/zhistory"; syntaxHighlighting.enable = true; }; diff --git a/flake.lock b/flake.lock index d801ea7..6ceec71 100644 --- a/flake.lock +++ b/flake.lock @@ -34,11 +34,11 @@ ] }, "locked": { - "lastModified": 1742012573, - "narHash": "sha256-/M7hD64NRtg+QIIhMhe5v+u8fkW8zNkBoobCdYO9cWo=", + "lastModified": 1749968237, + "narHash": "sha256-K72058wQbyefCV/jx8UskyBh4r7mOMARatXfzZPcoyQ=", "owner": "nix-community", "repo": "autofirma-nix", - "rev": "99559fb377b1139cdf1317ce80ecbb27edb5da4e", + "rev": "76d28ab9d5ff3a1dfad58c0168fe823523913802", "type": "github" }, "original": { @@ -82,15 +82,12 @@ } }, "crane": { - "inputs": { - "nixpkgs": "nixpkgs_2" - }, "locked": { - "lastModified": 1717535930, - "narHash": "sha256-1hZ/txnbd/RmiBPNUs7i8UQw2N89uAK3UzrGAWdnFfU=", + "lastModified": 1731098351, + "narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=", "owner": "ipetkov", "repo": "crane", - "rev": "55e7754ec31dac78980c8be45f8a28e80e370946", + "rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28", "type": "github" }, "original": { 
@@ -118,11 +115,11 @@ "flake-compat_2": { "flake": false, "locked": { - "lastModified": 1733328505, - "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", + "lastModified": 1747046372, + "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", "owner": "edolstra", "repo": "flake-compat", - "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", + "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", "type": "github" }, "original": { @@ -139,11 +136,11 @@ ] }, "locked": { - "lastModified": 1741352980, - "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=", + "lastModified": 1749398372, + "narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9", + "rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569", "type": "github" }, "original": { @@ -160,11 +157,11 @@ ] }, "locked": { - "lastModified": 1717285511, - "narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=", + "lastModified": 1730504689, + "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8", + "rev": "506278e768c2a08bec68eb62932193e341f55c90", "type": "github" }, "original": { @@ -181,11 +178,11 @@ ] }, "locked": { - "lastModified": 1738453229, - "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=", + "lastModified": 1749398372, + "narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd", + "rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569", "type": "github" }, "original": { 
@@ -212,24 +209,6 @@ "type": "github" } }, - "flake-utils_2": { - "inputs": { - "systems": "systems_3" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, "gitignore": { "inputs": { "nixpkgs": [ @@ -257,11 +236,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1741955947, - "narHash": "sha256-2lbURKclgKqBNm7hVRtWh0A7NrdsibD0EaWhahUVhhY=", + "lastModified": 1749779443, + "narHash": "sha256-r6YTIMprNCYcJcA4oZ0x1wPaHPPHUxb8CnyEeMkhGks=", "owner": "nix-community", "repo": "home-manager", - "rev": "4e12151c9e014e2449e0beca2c0e9534b96a26b4", + "rev": "18f3a0d21c3739a242aafa17c04c5238bbab5a41", "type": "github" }, "original": { @@ -277,11 +256,11 @@ ] }, "locked": { - "lastModified": 1741955947, - "narHash": "sha256-2lbURKclgKqBNm7hVRtWh0A7NrdsibD0EaWhahUVhhY=", + "lastModified": 1750107071, + "narHash": "sha256-yfuHCO4m+gu3OBNGnP0/TL5W8nLXrC/EV1fs/+YcoL8=", "owner": "nix-community", "repo": "home-manager", - "rev": "4e12151c9e014e2449e0beca2c0e9534b96a26b4", + "rev": "0edffd088e42fdc48598b37d88eb5345e2ca3937", "type": "github" }, "original": { @@ -304,16 +283,16 @@ ] }, "locked": { - "lastModified": 1729958008, - "narHash": "sha256-EiOq8jF4Z/zQe0QYVc3+qSKxRK//CFHMB84aYrYGwEs=", + "lastModified": 1748294338, + "narHash": "sha256-FVO01jdmUNArzBS7NmaktLdGA5qA3lUMJ4B7a05Iynw=", "owner": "NuschtOS", "repo": "ixx", - "rev": "9fd01aad037f345350eab2cd45e1946cc66da4eb", + "rev": "cc5f390f7caf265461d4aab37e98d2292ebbdb85", "type": "github" }, "original": { "owner": "NuschtOS", - "ref": "v0.0.6", + "ref": "v0.0.8", "repo": "ixx", "type": "github" } 
@@ -397,11 +376,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1741624954, - "narHash": "sha256-VjLS010BEfwuK343Dst08NnQNS8SRtVCDkz1zTsHuvI=", + "lastModified": 1745514172, + "narHash": "sha256-FV8uIBumYYmqOMEa6WR3lFxs0ocANT7bbawEDg+vWjo=", "owner": "nix-community", "repo": "nix-unit", - "rev": "e9d81f6cffe67681e7c04a967d29f18c2c540af5", + "rev": "be0d299e89a31e246c5472bf0e1005d4cc1e9e55", "type": "github" }, "original": { @@ -418,11 +397,11 @@ ] }, "locked": { - "lastModified": 1741870048, - "narHash": "sha256-odXRdNZGdXg1LmwlAeWL85kgy/FVHsgKlDwrvbR2BsU=", + "lastModified": 1749574455, + "narHash": "sha256-fm2/8KPOYvvIAnNVtjDlTt/My00lIbZQ+LMrfQIWVzs=", "owner": "nix-community", "repo": "NixOS-WSL", - "rev": "5d76001e33ee19644a598ad80e7318ab0957b122", + "rev": "917af390377c573932d84b5e31dd9f2c1b5c0f09", "type": "github" }, "original": { @@ -434,11 +413,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1741513245, - "narHash": "sha256-7rTAMNTY1xoBwz0h7ZMtEcd8LELk9R5TzBPoHuhNSCk=", + "lastModified": 1749285348, + "narHash": "sha256-frdhQvPbmDYaScPFiCnfdh3B/Vh81Uuoo0w5TkWmmjU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e3e32b642a31e6714ec1b712de8c91a3352ce7e1", + "rev": "3e3afe5174c561dee0df6f2c2b2236990146329f", "type": "github" }, "original": { 
@@ -450,43 +429,27 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1710695816, - "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=", + "lastModified": 1730741070, + "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "614b4613980a522ba49f0d194531beddbb7220d3", + "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-23.11", + "ref": "nixos-24.05", "repo": "nixpkgs", "type": "github" } }, "nixpkgs_2": { "locked": { - "lastModified": 1743076231, - "narHash": "sha256-yQugdVfi316qUfqzN8JMaA2vixl+45GxNm4oUfXlbgw=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "6c5963357f3c1c840201eda129a99d455074db04", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { - "locked": { - "lastModified": 1743095683, - "narHash": "sha256-gWd4urRoLRe8GLVC/3rYRae1h+xfQzt09xOfb0PaHSk=", + "lastModified": 1749794982, + "narHash": "sha256-Kh9K4taXbVuaLC0IL+9HcfvxsSUx8dPB5s5weJcc9pc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "5e5402ecbcb27af32284d4a62553c019a3a49ea6", + "rev": "ee930f9755f58096ac6e8ca94a1887e0534e2d81", "type": "github" }, "original": { @@ -502,14 +465,15 @@ "nixpkgs": [ "nixpkgs" ], - "nuschtosSearch": "nuschtosSearch" + "nuschtosSearch": "nuschtosSearch", + "systems": "systems_3" }, "locked": { - "lastModified": 1741709061, - "narHash": "sha256-G1YTksB0CnVhpU1gEmvO3ugPS5CAmUpm5UtTIUIPnEI=", + "lastModified": 1750105753, + "narHash": "sha256-reWddMyGkxjackE4VSZ2NjOQlAdfiofhCEWFHapblNI=", "owner": "nix-community", "repo": "nixvim", - "rev": "3a3abf11700f76738d8ad9d15054ceaf182d2974", + "rev": "ab0a3682cc40da89029dcb3f467b46ae3b8c0fd1", "type": "github" }, "original": { @@ -520,7 +484,7 @@ }, "nuschtosSearch": { "inputs": { - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils", "ixx": "ixx", "nixpkgs": [ "nixvim", 
@@ -528,11 +492,11 @@ ] }, "locked": { - "lastModified": 1738508923, - "narHash": "sha256-4DaDrQDAIxlWhTjH6h/+xfG05jt3qDZrZE/7zDLQaS4=", + "lastModified": 1749730855, + "narHash": "sha256-L3x2nSlFkXkM6tQPLJP3oCBMIsRifhIDPMQQdHO5xWo=", "owner": "NuschtOS", "repo": "search", - "rev": "86e2038290859006e05ca7201425ea5b5de4aecb", + "rev": "8dfe5879dd009ff4742b668d9c699bc4b9761742", "type": "github" }, "original": { @@ -555,11 +519,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1717664902, - "narHash": "sha256-7XfBuLULizXjXfBYy/VV+SpYMHreNRHk9nKMsm1bgb4=", + "lastModified": 1731363552, + "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "cc4d466cb1254af050ff7bdf47f6d404a7c646d1", + "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0", "type": "github" }, "original": { @@ -575,25 +539,24 @@ "home-manager": "home-manager_2", "lanzaboote": "lanzaboote", "nixos-wsl": "nixos-wsl", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_2", "nixvim": "nixvim", "sops-nix": "sops-nix" } }, "rust-overlay": { "inputs": { - "flake-utils": "flake-utils", "nixpkgs": [ "lanzaboote", "nixpkgs" ] }, "locked": { - "lastModified": 1717813066, - "narHash": "sha256-wqbRwq3i7g5EHIui0bIi84mdqZ/It1AXBSLJ5tafD28=", + "lastModified": 1731897198, + "narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "6dc3e45fe4aee36efeed24d64fc68b1f989d5465", + "rev": "0be641045af6d8666c11c2c40e45ffc9667839b5", "type": "github" }, "original": { @@ -609,11 +572,11 @@ ] }, "locked": { - "lastModified": 1741861888, - "narHash": "sha256-ynOgXAyToeE1UdLNfrUn/hL7MN0OpIS2BtNdLjpjPf0=", + "lastModified": 1749592509, + "narHash": "sha256-VunQzfZFA+Y6x3wYi2UE4DEQ8qKoAZZCnZPUlSoqC+A=", "owner": "Mic92", "repo": "sops-nix", - "rev": "d016ce0365b87d848a57c12ffcfdc71da7a2b55f", + "rev": "50754dfaa0e24e313c626900d44ef431f3210138", "type": "github" }, "original": { 
diff --git a/flake.nix b/flake.nix index c48c197..ac6ba13 100644 --- a/flake.nix +++ b/flake.nix @@ -78,6 +78,21 @@ ./hosts/greatyamada/nixos ./hosts/greatyamada/services inputs.sops-nix.nixosModules.sops + inputs.home-manager.nixosModules.home-manager + { + home-manager = { + backupFileExtension = "bak"; + useUserPackages = true; + users.avery = { + imports = [ + inputs.nixvim.homeManagerModules.nixvim + ./common/home.nix + ./common/zsh.nix + ./hosts/totsugeki/home-manager/development/nixvim + ]; + }; + }; + } ]; }; # WSL development system diff --git a/hosts/greatyamada/nixos/default.nix b/hosts/greatyamada/nixos/default.nix index ff6aadf..f9b5961 100644 --- a/hosts/greatyamada/nixos/default.nix +++ b/hosts/greatyamada/nixos/default.nix @@ -1,15 +1,34 @@ { lib, pkgs, ... }: { imports = [ ./filesystems.nix ]; - boot.loader.systemd-boot.enable = true; + boot = { + loader.systemd-boot.enable = true; + kernelPackages = pkgs.linuxKernel.packages.linux_zen; + initrd.availableKernelModules = + [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; + initrd.kernelModules = [ ]; + kernelModules = [ "kvm-amd" ]; + extraModulePackages = [ ]; + }; - environment.systemPackages = with pkgs; [ iptables ]; + environment.systemPackages = with pkgs; [ arion docker-client ]; networking = { firewall.enable = true; hostName = "greatyamada"; networkmanager.enable = true; useDHCP = lib.mkDefault false; + interfaces.enp5s0 = { + ipv4.addresses = [{ + address = "10.0.0.1"; + prefixLength = 24; + }]; + }; + defaultGateway = { + address = "10.0.0.254"; + interface = "enp5s0"; + }; + nameservers = [ "9.9.9.9" ]; }; sops = { @@ -17,7 +36,18 @@ age.keyFile = "/etc/nixos/keys.txt"; }; - system.stateVersion = "25.05"; + system.stateVersion = "24.05"; + + users = { + groups.media = { }; + users.avery.extraGroups = [ "media" ]; + }; + + virtualisation.podman = { + enable = true; + dockerSocket.enable = true; + defaultNetwork.settings.dns_enabled = true; + }; time.timeZone = "UTC"; } 
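Review bot: In the `@@ -17,7 +36,18 @@` hunk of hosts/greatyamada/nixos/default.nix `system.stateVersion` is lowered from "25.05" to "24.05", which is only correct if greatyamada was reinstalled with the 24.05 release; on an existing installation the value must stay at the release the state was created with, because lowering it silently changes stateful defaults. The filesystems.nix changes in this commit (btrfs to ext4, new disk labels) suggest a reinstall, but the commit message does not say so; a one-line note there, or a comment such as `# reinstalled on 24.05 — do not bump` beside the value, would stop a later reviewer "fixing" it back. In the same hunk `virtualisation.podman.dockerSocket.enable = true` exposes the root Podman socket to the `podman` group, whose members are effectively root; the hunk only adds `avery` to `media`, so just keep the `podman` group membership deliberate and documented.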
diff --git a/hosts/greatyamada/nixos/filesystems.nix b/hosts/greatyamada/nixos/filesystems.nix index e8a5838..74798fd 100644 --- a/hosts/greatyamada/nixos/filesystems.nix +++ b/hosts/greatyamada/nixos/filesystems.nix @@ -2,27 +2,27 @@ fileSystems = { "/" = { device = "/dev/disk/by-label/NIXROOT"; - fsType = "btrfs"; - options = [ "compress=zstd:15" ]; + fsType = "ext4"; }; "/boot" = { device = "/dev/disk/by-label/NIXBOOT"; fsType = "vfat"; }; - "/mnt/Datos" = { - device = "/dev/disk/by-label/Datos"; - fsType = "btrfs"; - options = [ "compress=zstd:15" ]; + "/mnt/ssd-01" = { + device = "/dev/disk/by-label/ssd-01"; + fsType = "ext4"; }; - "/mnt/Datos/minecraft" = { - device = "/dev/disk/by-label/Datos"; - fsType = "btrfs"; - options = [ "compress=zstd:4" "subvol=/minecraft" ]; + "/mnt/hdd-01" = { + device = "/dev/disk/by-label/hdd-01"; + fsType = "ext4"; }; - "/mnt/Datos/music" = { - device = "/dev/disk/by-label/Datos"; - fsType = "btrfs"; - options = [ "subvol=/music" ]; + "/mnt/hdd-02" = { + device = "/dev/disk/by-label/hdd-02"; + fsType = "ext4"; }; }; + swapDevices = [{ + device = "/.swapfile"; + size = 4 * 1024; + }]; } diff --git a/hosts/greatyamada/services/_port-definitions.nix b/hosts/greatyamada/services/_port-definitions.nix index 44fcc47..e70eabf 100644 --- a/hosts/greatyamada/services/_port-definitions.nix +++ b/hosts/greatyamada/services/_port-definitions.nix @@ -1,20 +1,17 @@ { adguardhome-dns = 53; adguardhome-http = 3001; - coturn-turn = 3478; - coturn-turn-alt = 3479; - coturn-minimum = 49192; - coturn-maximum = 49200; + adguardhome-dhcp-udp = 67; forgejo-http = 3000; jellyfin-http = 8096; - matrix-http = 8008; - matrix-https = 8448; - matrix-bridges-http = 8088; - mautrix-whatsapp = 29318; minecraft = 13914; + navidrome-https = 4533; nginx-https = 443; ntfy-http = 2586; + pgadmin = 5050; postgresql = 5432; radicale-http = 5232; + searxng = 8888; wireguard = 51820; + vaultwarden = 8222; } 
diff --git a/hosts/greatyamada/services/acme.nix b/hosts/greatyamada/services/acme.nix index 8c44d73..9f17c7f 100644 --- a/hosts/greatyamada/services/acme.nix +++ b/hosts/greatyamada/services/acme.nix @@ -2,18 +2,13 @@ security.acme = { acceptTerms = true; defaults.email = "aveeryy@protonmail.com"; - # Temporarily use staging server for testing - defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; certs."rcia.dev" = { - credentialFiles.CLOUDFLARE_DNS_API_TOKEN_FILE = - "/run/secrets/cloudflare_api_token"; + credentialFiles.CLOUDFLARE_DNS_API_TOKEN_FILE = "/run/secrets/acme_token"; + extraDomainNames = [ "*.rcia.dev" ]; dnsProvider = "cloudflare"; group = "nginx"; webroot = null; }; }; - sops.secrets."cloudflare/api_token" = { - path = "/run/secrets/cloudflare_api_token"; - group = "acme"; - }; + sops.secrets."acme_token".group = "acme"; } diff --git a/hosts/greatyamada/services/adguardhome.nix b/hosts/greatyamada/services/adguardhome.nix index 919c63e..818f4a0 100644 --- a/hosts/greatyamada/services/adguardhome.nix +++ b/hosts/greatyamada/services/adguardhome.nix @@ -3,18 +3,21 @@ let portDefinitions = import ./_port-definitions.nix; nginxLocalServiceConfig = import ./nginx-local-config.nix; in { - networking.firewall.allowedTCPPorts = [ portDefinitions.adguardhome-dns ]; - networking.firewall.allowedUDPPorts = [ portDefinitions.adguardhome-dns ]; + networking.firewall = { + allowedTCPPorts = [ portDefinitions.adguardhome-dns ]; + allowedUDPPorts = + [ portDefinitions.adguardhome-dns portDefinitions.adguardhome-dhcp-udp ]; + }; services = { adguardhome = { enable = true; allowDHCP = true; - port = portDefinitions.adguardhome-http; mutableSettings = true; + port = portDefinitions.adguardhome-http; settings = { http = { address = "127.0.0.1:${toString portDefinitions.adguardhome-http}"; - session_ttl = "1440h"; + session_ttl = "720h"; }; dns = { bind_hosts = [ "0.0.0.0" ]; 
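Review bot: In the adguardhome.nix hunk the firewall block opens 53/tcp, 53/udp and 67/udp on every interface, while the unchanged `bind_hosts = [ "0.0.0.0" ]` below also listens everywhere, so the resolver and the DHCP server are reachable from `wg0` and from any interface that is ever attached, not only the LAN on `enp5s0`. If that is the intent (VPN clients resolving through AdGuard) it is fine, but DHCP on 67/udp is normally LAN-only; scoping it with `networking.firewall.interfaces.enp5s0.allowedUDPPorts = [ portDefinitions.adguardhome-dhcp-udp ];` keeps the global list to DNS. The rest of the `settings` set continues in the next hunk.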
@@ -38,9 +41,231 @@ in { icmp_timeout_msec = 1000; }; }; + filtering = { + safe_search.enabled = false; + filtering_enabled = true; + parental_enabled = false; + safebrowsing_enabled = false; + protection_enabled = true; + cache_time = 30; + filters_update_interval = 24; + rewrites = [ + { + domain = "rcia.dev"; + answer = "10.0.0.1"; + } + { + domain = "*.rcia.dev"; + answer = "10.0.0.1"; + } + ]; + }; + clients = { + runtime_sources = { + whois = true; + arp = true; + rdns = true; + dhcp = true; + hosts = true; + }; + persistent = [ + { + name = "Decodificador"; + ids = [ "10.0.0.200" ]; + tags = [ "device_tv" ]; + upstreams = [ "172.26.23.3" ]; + use_global_settings = true; + } + { + name = "Poco X3"; + ids = [ "10.0.0.202" ]; + tags = [ "device_phone" ]; + use_global_settings = false; + filtering_enabled = false; + } + { + name = "Tablet Samsung"; + ids = [ "10.0.0.201" ]; + tags = [ "device_tablet" ]; + use_global_settings = false; + filtering_enabled = false; + } + ]; + }; + filters = [ + { + enabled = true; + url = + "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt"; + name = "AdGuard DNS filter"; + id = 1; + } + { + enabled = true; + url = + "https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt"; + name = "AdAway Default Blocklist"; + id = 2; + } + { + enabled = true; + url = + "https://adguardteam.github.io/HostlistsRegistry/assets/filter_23.txt"; + name = "WindowsSpyBlocker - Hosts spy rules"; + id = 1687062393; + } + { + enabled = true; + url = + "https://adguardteam.github.io/HostlistsRegistry/assets/filter_6.txt"; + name = "Dandelion Sprout's Game Console Adblock List"; + id = 1687062394; + } + { + enabled = true; + url = + "https://adguardteam.github.io/HostlistsRegistry/assets/filter_30.txt"; + name = "Phishing URL Blocklist (PhishTank and OpenPhish)"; + id = 1687062395; + } + { + enabled = true; + url = + "https://adguardteam.github.io/HostlistsRegistry/assets/filter_7.txt"; + name = "Perflyst and Dandelion 
Sprout's Smart-TV Blocklist"; + id = 1687062396; + } + { + enabled = true; + url = + "https://adguardteam.github.io/HostlistsRegistry/assets/filter_12.txt"; + name = "Dandelion Sprout's Anti-Malware List"; + id = 1687062397; + } + { + enabled = true; + url = + "https://adguardteam.github.io/HostlistsRegistry/assets/filter_10.txt"; + name = "Scam Blocklist by DurableNapkin"; + id = 1687062398; + } + { + enabled = true; + url = + "https://adguardteam.github.io/HostlistsRegistry/assets/filter_9.txt"; + name = "The Big List of Hacked Malware Web Sites"; + id = 1687062399; + } + { + enabled = true; + url = + "https://adguardteam.github.io/HostlistsRegistry/assets/filter_33.txt"; + name = "Steven Black's List"; + id = 1687062400; + } + { + enabled = true; + url = + "https://adguardteam.github.io/HostlistsRegistry/assets/filter_4.txt"; + name = "Dan Pollock's List"; + id = 1687062401; + } + { + enabled = true; + url = + "https://adguardteam.github.io/HostlistsRegistry/assets/filter_11.txt"; + name = "Malicious URL Blocklist (URLHaus)"; + id = 1687062402; + } + { + enabled = true; + url = + "https://adguardteam.github.io/HostlistsRegistry/assets/filter_3.txt"; + name = "Peter Lowe's Blocklist"; + id = 1687062403; + } + { + enabled = true; + url = + "https://adguardteam.github.io/HostlistsRegistry/assets/filter_32.txt"; + name = "The NoTracking blocklist"; + id = 1687062404; + } + { + enabled = true; + url = + "https://adguardteam.github.io/HostlistsRegistry/assets/filter_31.txt"; + name = "Stalkerware Indicators List"; + id = 1694924469; + } + { + enabled = true; + url = + "https://adguardteam.github.io/HostlistsRegistry/assets/filter_44.txt"; + name = "HaGeZi's Threat Intelligence Feeds"; + id = 1694924470; + } + { + enabled = true; + url = + "https://adguardteam.github.io/HostlistsRegistry/assets/filter_8.txt"; + name = "NoCoin Filter List"; + id = 1694924471; + } + ]; + user_rules = [ + "||www.googleadservices.com^$important" + "||rdvs.alljoyn.org^$important" + 
"||safebrowsing.google.com^$client='10.0.0.28'" + "||fm.nvc.heil.nuancemobility.net^$client='10.0.0.230'" + "@@||npdl.cdn.nintendowifi.net^$important" + "||tse3.mm.bing.net^$important" + "@@||repo.webosbrew.org^$important" + "||es.lgeapi.com^$important" + "||discovery.meethue.com^$important" + "||eic.lgtviot.com^$important" + "||qs2-nevoai-iothub-02-prod.azure-devices.net^$important" + "||snu.lge.com^$important" + "||su.lge.com^$important" + "||su-ssl.lge.com^$important" + "||snu-dev.lge.com^$important" + "||su-dev.lge.com^$important" + "||nsu.lge.com^$important" + "||eic.commonpush.lgtviot.com^$important" + "||eic.sports.lgtviot.com^$important" + "||es.lgtvsdp.com^$important" + "||prod-ripcut-delivery.disney-plus.net^$client='TV'" + "||ngfts.lge.com^$important" + "||lgtvonline.lge.com^$important" + "||www.ueiwsp.com^$important" + "||temu.com^$important" + "||www.temu.com^$important" + "@@||unity3d.com^$client='10.0.0.7'" + "@@||config.ads.vungle.com^$client='10.0.0.7'" + "@@||rayjump.com^$client='10.0.0.7'" + "@@||vungle.com^$client='10.0.0.7'" + "@@||mtgglobals.com^$client='10.0.0.7'" + "@@||fundingchoicesmessages.google.com^$client='10.0.0.7'" + "@@||applovin.com^$client='10.0.0.7'" + "@@||rovio.com^$client='10.0.0.7'" + "@@||gov.aniview.com^$client='10.0.0.7'" + "@@||unity3d.com^$client='10.10.0.3'" + "@@||config.ads.vungle.com^$client='10.10.0.3'" + "@@||rayjump.com^$client='10.10.0.3'" + "@@||vungle.com^$client='10.10.0.3'" + "@@||mtgglobals.com^$client='10.10.0.3'" + "@@||fundingchoicesmessages.google.com^$client='10.10.0.3'" + "@@||googleads.g.doubleclick.net^$client='10.10.0.3'" + "@@||applovin.com^$client='10.10.0.3'" + "@@||rovio.com^$client='10.10.0.3'" + "@@||gov.aniview.com^$client='10.10.0.3'" + "@@||cdn.liftoff-creatives.io^$client='10.0.0.7'" + "||googleads.g.doubleclick.net^$client='Tablet'" + ]; }; }; nginx.virtualHosts."dns.rcia.dev" = { + forceSSL = true; locations."/".proxyPass = "http://127.0.0.1:${toString portDefinitions.adguardhome-http}"; 
extraConfig = nginxLocalServiceConfig; diff --git a/hosts/greatyamada/services/default.nix b/hosts/greatyamada/services/default.nix index e9dc2e8..0e68cdc 100644 --- a/hosts/greatyamada/services/default.nix +++ b/hosts/greatyamada/services/default.nix @@ -1,13 +1,17 @@ { ... }: { imports = [ ./acme.nix + ./adguardhome.nix ./forgejo.nix ./inadyn.nix ./jellyfin.nix - ./minecraft + # ./minecraft ./nginx.nix + ./pgadmin.nix ./postgresql.nix ./radicale.nix + ./searxng.nix + ./vaultwarden.nix ./wireguard.nix ]; # paperlessngx diff --git a/hosts/greatyamada/services/forgejo.nix b/hosts/greatyamada/services/forgejo.nix index 468e704..4a40230 100644 --- a/hosts/greatyamada/services/forgejo.nix +++ b/hosts/greatyamada/services/forgejo.nix @@ -1,14 +1,10 @@ -{ pkgs, ... }: +{ pkgs, lib, ... }: let - forgejoSecretsPath = "/run/secrets/forgejo_"; portDefinitions = import ./_port-definitions.nix; arrayToSecrets = elements: builtins.listToAttrs (map (key: { name = "forgejo/${key}"; - value = { - path = "${forgejoSecretsPath}${key}"; - owner = "forgejo"; - }; + value.owner = "forgejo"; }) elements); in { services = { @@ -18,15 +14,17 @@ in { database = { type = "postgres"; port = portDefinitions.postgresql; - passwordFile = "${forgejoSecretsPath}database_password"; + passwordFile = "/run/secrets/forgejo/database_password"; }; secrets = { - server.LFS_JWT_SECRET = "${forgejoSecretsPath}lfs_jwt_secret"; + server.LFS_JWT_SECRET = + lib.mkForce "/run/secrets/forgejo/lfs_jwt_secret"; security = { - INTERNAL_TOKEN = "${forgejoSecretsPath}internal_token"; - SECRET_KEY = "${forgejoSecretsPath}secret_key"; + INTERNAL_TOKEN = lib.mkForce "/run/secrets/forgejo/internal_token"; + SECRET_KEY = lib.mkForce "/run/secrets/forgejo/secret_key"; }; - oauth2.JWT_SECRET = "${forgejoSecretsPath}oauth2_jwt_secret"; + oauth2.JWT_SECRET = + lib.mkForce "/run/secrets/forgejo/oauth2_jwt_secret"; }; settings = { server = { 
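Review bot: The `filters` list in the adguardhome.nix hunk spells out the same `https://adguardteam.github.io/HostlistsRegistry/assets/` prefix and `enabled = true;` seventeen times, which is how typos in one entry go unnoticed and how the list drifts from the registry; a small constructor bound in the file's existing `let` block (outside this hunk) turns each entry into one line. The enclosing `settings` set starts and ends outside the hunk. The rewritten portion:

```nix
  # … in the file's let-block, next to portDefinitions …
  registryFilter = { id, file, name }: {
    inherit id name;
    enabled = true;
    url = "https://adguardteam.github.io/HostlistsRegistry/assets/${file}";
  };
  # … unchanged: filtering, clients …
  filters = map registryFilter [
    { id = 1; file = "filter_1.txt"; name = "AdGuard DNS filter"; }
    { id = 2; file = "filter_2.txt"; name = "AdAway Default Blocklist"; }
    { id = 1687062393; file = "filter_23.txt"; name = "WindowsSpyBlocker - Hosts spy rules"; }
    { id = 1687062394; file = "filter_6.txt"; name = "Dandelion Sprout's Game Console Adblock List"; }
    { id = 1687062395; file = "filter_30.txt"; name = "Phishing URL Blocklist (PhishTank and OpenPhish)"; }
    { id = 1687062396; file = "filter_7.txt"; name = "Perflyst and Dandelion Sprout's Smart-TV Blocklist"; }
    { id = 1687062397; file = "filter_12.txt"; name = "Dandelion Sprout's Anti-Malware List"; }
    { id = 1687062398; file = "filter_10.txt"; name = "Scam Blocklist by DurableNapkin"; }
    { id = 1687062399; file = "filter_9.txt"; name = "The Big List of Hacked Malware Web Sites"; }
    { id = 1687062400; file = "filter_33.txt"; name = "Steven Black's List"; }
    { id = 1687062401; file = "filter_4.txt"; name = "Dan Pollock's List"; }
    { id = 1687062402; file = "filter_11.txt"; name = "Malicious URL Blocklist (URLHaus)"; }
    { id = 1687062403; file = "filter_3.txt"; name = "Peter Lowe's Blocklist"; }
    { id = 1687062404; file = "filter_32.txt"; name = "The NoTracking blocklist"; }
    { id = 1694924469; file = "filter_31.txt"; name = "Stalkerware Indicators List"; }
    { id = 1694924470; file = "filter_44.txt"; name = "HaGeZi's Threat Intelligence Feeds"; }
    { id = 1694924471; file = "filter_8.txt"; name = "NoCoin Filter List"; }
  ];
  # … unchanged: user_rules …
```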
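Review bot: The first forgejo.nix hunk replaces the old `forgejoSecretsPath` prefix with five hard-coded `/run/secrets/forgejo/...` literals, which only stay correct while sops-nix keeps its default mount point and `arrayToSecrets` keeps producing the `forgejo/<key>` names; the paths sops-nix actually creates are available as `config.sops.secrets."forgejo/<key>".path`. Adding `config` to the module arguments and writing, for example, `passwordFile = config.sops.secrets."forgejo/database_password".path;` ties each reference to the declared secret, so a rename in the `arrayToSecrets [...]` list at the bottom of the file fails at evaluation instead of at runtime. The `lib.mkForce` wrappers can stay as they are; they address a separate default set by the module.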
@@ -43,12 +41,13 @@ in { locations."/" = { proxyPass = "http://127.0.0.1:${toString portDefinitions.forgejo-http}"; }; + forceSSL = true; useACMEHost = "rcia.dev"; }; }; - systemd.services.forgejo.preStart = '' - ${pkgs.forgejo}/bin/gitea migrate - ''; + # systemd.services.forgejo.preStart = '' + # ${pkgs.forgejo}/bin/gitea migrate + # ''; sops.secrets = arrayToSecrets [ "database_password" "internal_token" diff --git a/hosts/greatyamada/services/inadyn.nix b/hosts/greatyamada/services/inadyn.nix index 334d987..9326691 100644 --- a/hosts/greatyamada/services/inadyn.nix +++ b/hosts/greatyamada/services/inadyn.nix @@ -1,10 +1,19 @@ { config, ... }: { services.inadyn = { enable = true; - provider."cloudflare.com" = { + settings.provider."cloudflare.com" = { hostname = [ "rcia.dev" "*.rcia.dev" ]; username = "rcia.dev"; - password = "${config.sops.placeholder.cloudflare.api_key}"; + include = config.sops.templates."inadyn-password.conf".path; + }; + }; + sops = { + secrets."cloudflare/api_token" = { }; + templates."inadyn-password.conf" = { + content = '' + password = ${config.sops.placeholder."cloudflare/api_token"} + ''; + owner = "inadyn"; }; }; } diff --git a/hosts/greatyamada/services/jellyfin.nix b/hosts/greatyamada/services/jellyfin.nix index 22e3650..778adf5 100644 --- a/hosts/greatyamada/services/jellyfin.nix +++ b/hosts/greatyamada/services/jellyfin.nix 
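Review bot: The second forgejo.nix hunk comments out the `systemd.services.forgejo.preStart` migration block instead of deleting it, and the nginx.nix hunk does the same with `# enableACME = true;`; git history already preserves both, and commented-out code in a NixOS module tends to be resurrected without the context that disabled it. If the migrate step is still needed on first deploy, a one-line comment saying when to run it is more useful than the dead code, e.g. `# one-off: run "gitea migrate" manually after upgrading the schema`. With the block gone, `pkgs` is no longer referenced in forgejo.nix and can be dropped from the module arguments.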
@@ -1,21 +1,14 @@ { ... }: -let - jellyfinPath = "/mnt/Datos/jellyfin"; - nginxLocalServiceConfig = import ./nginx-local-config.nix; - portDefinitions = import ./_port-definitions.nix; +let portDefinitions = import ./_port-definitions.nix; in { services = { - jellyfin = { - enable = true; - dataDir = "${jellyfinPath}/data/"; - }; + jellyfin.enable = true; nginx.virtualHosts."jellyfin.rcia.dev" = { - locations."/" = { - proxyPass = - "http://127.0.0.1:${toString portDefinitions.jellyfin-http}"; - }; - extraConfig = nginxLocalServiceConfig; + locations."/".proxyPass = + "http://127.0.0.1:${toString portDefinitions.jellyfin-http}"; + forceSSL = true; useACMEHost = "rcia.dev"; }; }; + users.users.jellyfin.extraGroups = [ "media" ]; } diff --git a/hosts/greatyamada/services/nginx.nix b/hosts/greatyamada/services/nginx.nix index b924e08..ed3e388 100644 --- a/hosts/greatyamada/services/nginx.nix +++ b/hosts/greatyamada/services/nginx.nix @@ -1,10 +1,16 @@ { ... }: { + networking.firewall.allowedTCPPorts = [ 443 ]; services.nginx = { enable = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + recommendedOptimisation = true; + recommendedTlsSettings = true; virtualHosts = { "rcia.dev" = { forceSSL = true; - enableACME = true; + # enableACME = true; + useACMEHost = "rcia.dev"; serverAliases = [ "*.rcia.dev" ]; # locations."/" = { root = /var/www/public; }; }; diff --git a/hosts/greatyamada/services/pgadmin.nix b/hosts/greatyamada/services/pgadmin.nix new file mode 100644 index 0000000..b281975 --- /dev/null +++ b/hosts/greatyamada/services/pgadmin.nix 
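Review bot: The jellyfin.nix hunk drops `extraConfig = nginxLocalServiceConfig` from the `jellyfin.rcia.dev` virtual host while every other proxied service in this commit (AdGuard, pgAdmin, Radicale, SearXNG, Vaultwarden) keeps it, so Jellyfin is now served with only `forceSSL` and whatever the catch-all `*.rcia.dev` host allows. nginx-local-config.nix is not in the diff, but from its name and from where it is applied it appears to restrict those hosts to local clients; if Jellyfin is meant to be reachable from outside, a comment such as `# intentionally public: no nginxLocalServiceConfig` records the decision, otherwise the line should be restored.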
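Review bot: The nginx.nix hunk hard-codes `networking.firewall.allowedTCPPorts = [ 443 ];` even though `_port-definitions.nix` in this same commit defines `nginx-https = 443` for exactly this purpose, and every other service module reads its port from there. Importing the definitions with `let portDefinitions = import ./_port-definitions.nix; in {` and writing `allowedTCPPorts = [ portDefinitions.nginx-https ];` keeps the firewall in step with the listener.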
@@ -0,0 +1,21 @@ +{ ... }: +let + _portDefinitions = import ./_port-definitions.nix; + nginxLocalConfig = import ./nginx-local-config.nix; +in { + services = { + pgadmin = { + enable = true; + initialEmail = "avery@rcia.dev"; + initialPasswordFile = "/etc/nixos/a.txt"; + port = _portDefinitions.pgadmin; + }; + nginx.virtualHosts."pgadmin.rcia.dev" = { + locations."/".proxyPass = + "http://localhost:${toString _portDefinitions.pgadmin}"; + forceSSL = true; + useACMEHost = "rcia.dev"; + extraConfig = nginxLocalConfig; + }; + }; +} diff --git a/hosts/greatyamada/services/postgresql.nix b/hosts/greatyamada/services/postgresql.nix index 0683293..3c7596f 100644 --- a/hosts/greatyamada/services/postgresql.nix +++ b/hosts/greatyamada/services/postgresql.nix @@ -1,8 +1,11 @@ -{ ... }: +{ config, pkgs, ... }: let portDefinitions = import ./_port-definitions.nix; in { services.postgresql = { enable = true; + package = pkgs.postgresql_16; + dataDir = + "/mnt/ssd-01/postgresql/${config.services.postgresql.package.psqlSchema}"; settings.port = portDefinitions.postgresql; }; } diff --git a/hosts/greatyamada/services/radicale.nix b/hosts/greatyamada/services/radicale.nix index 05222ba..bc71b6f 100644 --- a/hosts/greatyamada/services/radicale.nix +++ b/hosts/greatyamada/services/radicale.nix @@ -2,7 +2,6 @@ let nginxLocalServiceConfig = import ./nginx-local-config.nix; portDefinitions = import ./_port-definitions.nix; - radicalePath = "/mnt/Datos/radicale"; in { services = { radicale = { @@ -12,10 +11,9 @@ in { [ "127.0.0.1:${toString portDefinitions.radicale-http}" ]; auth = { type = "htpasswd"; - htpasswd_filename = "/etc/radicale/users"; + htpasswd_filename = "/var/lib/radicale/users"; htpasswd_encryption = "bcrypt"; }; - storage.filesystem_folder = radicalePath; }; }; nginx.virtualHosts."radicale.rcia.dev" = { 
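Review bot: The new pgadmin.nix reads the bootstrap admin password from `initialPasswordFile = "/etc/nixos/a.txt";`, a plaintext file outside the sops-managed secrets that every other new module in this commit uses, and `/etc/nixos` is also where `sops.age.keyFile` lives, so an unencrypted credential sits next to the key that protects everything else. Declaring it as a secret, e.g. `sops.secrets."pgadmin_initial_password" = { };` (name illustrative) and `initialPasswordFile = config.sops.secrets."pgadmin_initial_password".path;`, with `config` added to the module arguments and the file's owner matching the user the pgAdmin service reads it as, brings it in line with vaultwarden.nix and searxng.nix. Separately, `proxyPass = "http://localhost:..."` differs from the `127.0.0.1` used by the other modules; `localhost` may resolve to `::1` first and the service only listens on IPv4.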
@@ -23,12 +21,13 @@ in { proxyPass = "http://127.0.0.1:${toString portDefinitions.radicale-http}"; }; - extraConfig = nginxLocalServiceConfig; + forceSSL = true; useACMEHost = "rcia.dev"; + extraConfig = nginxLocalServiceConfig; }; }; sops.secrets."radicale/users" = { - path = "/etc/radicale/users"; + path = "/var/lib/radicale/users"; owner = "radicale"; }; } diff --git a/hosts/greatyamada/services/searxng.nix b/hosts/greatyamada/services/searxng.nix new file mode 100644 index 0000000..38f692a --- /dev/null +++ b/hosts/greatyamada/services/searxng.nix @@ -0,0 +1,46 @@ +{ config, pkgs, ... }: +let + portDefinitions = import ./_port-definitions.nix; + nginxLocalServiceConfig = import ./nginx-local-config.nix; +in { + services = { + searx = { + enable = true; + package = pkgs.searxng; + environmentFile = config.sops.templates."searxng_secret_key.env".path; + redisCreateLocally = true; + # runInUwsgi = true; + # uwsgiConfig = { + # socket = "/run/searx/searxng.sock"; + # http = ":${toString portDefinitions.searxng}"; + # chmod-socket = "660"; + # }; + settings = { + base_url = "https://searxng.rcia.dev"; + bind_address = "127.0.0.1"; + port = portDefinitions.searxng; + public_instance = false; + limiter = false; + }; + + }; + nginx.virtualHosts."searxng.rcia.dev" = { + locations."/".proxyPass = + "http://127.0.0.1:${toString portDefinitions.searxng}"; + extraConfig = nginxLocalServiceConfig; + forceSSL = true; + useACMEHost = "rcia.dev"; + }; + }; + sops = { + secrets."searxng_secret_key".owner = "searx"; + templates."searxng_secret_key.env" = { + content = '' + SEARXNG_SECRET=${config.sops.placeholder."searxng_secret_key"} + ''; + owner = "searx"; + }; + }; + systemd.services.nginx.serviceConfig.ProtectHome = false; + users.groups.searx.members = [ "nginx" ]; +} diff --git a/hosts/greatyamada/services/vaultwarden.nix b/hosts/greatyamada/services/vaultwarden.nix new file mode 100644 index 0000000..2373f03 --- /dev/null +++ b/hosts/greatyamada/services/vaultwarden.nix 
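Review bot: In the new searxng.nix, `systemd.services.nginx.serviceConfig.ProtectHome = false;` and `users.groups.searx.members = [ "nginx" ];` only make sense for the commented-out uwsgi socket setup (`/run/searx/searxng.sock`); with nginx proxying to `http://127.0.0.1:8888` they do nothing except loosen nginx's sandbox and grant it membership in the searx group. Removing those two lines together with the commented `runInUwsgi`/`uwsgiConfig` block restores the default hardening; if the socket path is revisited later, both can come back with the uwsgi config that needs them. The `limiter = false` setting is reasonable only while the host stays behind `nginxLocalServiceConfig`, which is worth a short comment on that line.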
@@ -0,0 +1,36 @@
+{ config, ... }:
+let
+ portDefinitions = import ./_port-definitions.nix;
+ nginxLocalServiceConfig = import ./nginx-local-config.nix;
+in {
+ services = {
+ vaultwarden = {
+ enable = true;
+ dbBackend = "postgresql";
+ config = {
+ domain = "https://vaultwarden.rcia.dev";
+ rocketAddress = "127.0.0.1";
+ rocketPort = portDefinitions.vaultwarden;
+ showPasswordHint = false;
+ signupsAllowed = false;
+ };
+ environmentFile = config.sops.templates."vaultwarden.env".path;
+ };
+ nginx.virtualHosts."vaultwarden.rcia.dev" = {
+ locations."/".proxyPass =
+ "http://localhost:${toString portDefinitions.vaultwarden}";
+ forceSSL = true;
+ useACMEHost = "rcia.dev";
+ extraConfig = nginxLocalServiceConfig;
+ };
+ };
+ sops = {
+ secrets."vaultwarden_database_url" = { };
+ templates."vaultwarden.env" = {
+ content = ''
+ DATABASE_URL=${config.sops.placeholder."vaultwarden_database_url"}
+ '';
+ owner = "vaultwarden";
+ };
+ };
+}
diff --git a/hosts/greatyamada/services/wireguard.nix b/hosts/greatyamada/services/wireguard.nix
index 6f7ddae..ca69076 100644
--- a/hosts/greatyamada/services/wireguard.nix
+++ b/hosts/greatyamada/services/wireguard.nix
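Review bot: the `vaultwarden.rcia.dev` location in vaultwarden.nix only sets `proxyPass`, so the WebSocket that Vaultwarden clients open for live sync will not be upgraded unless `nginxLocalServiceConfig` happens to forward the `Upgrade`/`Connection` headers, and the failure is silent (clients fall back to polling or show no sync). Replacing the single-attribute form with `locations."/" = { proxyPass = "http://127.0.0.1:${toString portDefinitions.vaultwarden}"; proxyWebsockets = true; };` covers it, assuming the running Vaultwarden serves notifications on its Rocket port (the default in current releases). Using `127.0.0.1` rather than `localhost` also matches `rocketAddress = "127.0.0.1"` and avoids nginx first trying `::1` on hosts where `localhost` resolves to both families.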
@@ -1,34 +1,36 @@
-{ ... }:
+{ pkgs, ... }:
 let portDefinitions = import ./_port-definitions.nix;
 in {
 networking = {
+ nat = {
+ enable = true;
+ externalInterface = "enp5s0";
+ internalInterfaces = [ "wg0" ];
+ };
 firewall.allowedUDPPorts = [ portDefinitions.wireguard ];
 wireguard = {
 enable = true;
 interfaces.wg0 = {
 ips = [ "10.10.0.1/24" ];
+ listenPort = portDefinitions.wireguard;
 peers = [{
 allowedIPs = [ "10.10.0.2/32" ];
- name = "Note9";
+ name = "Pixel9a";
 publicKey = "Y5A5iv0ukg1TQMcIdtXd+bmDxtrqHCuoEhYRmBqwkFY=";
- presharedKeyFile = "/run/secrets/preshared_keys_note9";
+ presharedKeyFile = "/run/secrets/wireguard/preshared_keys/note9";
 }];
- postSetup =
- "iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp5s0 -j MASQUERADE";
- postShutdown =
- "iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp5s0 -j MASQUERADE";
- privateKeyFile = "/run/secrets/wg_private_key";
+ postSetup = ''
+ ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -o enp5s0 -j MASQUERADE
+ '';
+ postShutdown = ''
+ ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.10.0.0/24 -o enp5s0 -j MASQUERADE
+ '';
+ privateKeyFile = "/run/secrets/wireguard/private_key";
 };
 };
 };
 sops.secrets = {
- "wireguard/private_key" = {
- path = "/run/secrets/wg_private_key";
- owner = "root";
- };
- "wireguard/preshared_keys/note9" = {
- path = "/run/secrets/preshared_keys_note9";
- owner = "root";
- };
+ "wireguard/private_key" = { owner = "root"; };
+ "wireguard/preshared_keys/note9" = { owner = "root"; };
 };
 }
diff --git a/hosts/mizuki/development.nix b/hosts/mizuki/development.nix
index 4867b5b..cc91bc4 100644
--- a/hosts/mizuki/development.nix
+++ b/hosts/mizuki/development.nix
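Review bot: the new `postSetup`/`postShutdown` MASQUERADE rules in wireguard.nix appear to duplicate what `networking.nat` now does: with `internalInterfaces = [ "wg0" ]` and `externalInterface = "enp5s0"` the NixOS NAT module already installs a masquerade rule for wg0 traffic leaving enp5s0 and turns on IP forwarding, so the hand-written rule adds a second copy per interface start, and `postShutdown`'s single `-D` removes only one of them. Dropping both hooks leaves the NAT module as the single source of truth for forwarding; if they are kept on purpose, a comment such as `# kept alongside networking.nat because …` next to `postSetup` would save the next reader the same question. Separately, `privateKeyFile`/`presharedKeyFile` now hard-code the `/run/secrets/…` layout that the removed `path =` attributes used to pin explicitly; reading them as `config.sops.secrets."wireguard/private_key".path` (which needs `config` in the module arguments) keeps the two in sync if the sops default path ever changes. The secret is still named `note9` while the peer was renamed to `Pixel9a`; that is harmless but worth a comment.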
@@ -1,12 +1,5 @@
 { pkgs, ... }: {
- home.packages = with pkgs; [
- xh
- gnupg
- git-credential-manager
- pass
- wslu
- python3
- ];
+ home.packages = with pkgs; [ xh gnupg git-credential-manager pass wslu ];
 programs = {
 git = {
 enable = true;
diff --git a/hosts/mizuki/nixos.nix b/hosts/mizuki/nixos.nix
index a95af33..dd0c6a1 100644
--- a/hosts/mizuki/nixos.nix
+++ b/hosts/mizuki/nixos.nix
@@ -1,7 +1,7 @@
 { lib, pkgs, ... }: {
 environment.shells = with pkgs; [ zsh ];
- environment.systemPackages = with pkgs; [ xorg.setxkbmap android-tools ];
+ environment.systemPackages = with pkgs; [ xorg.setxkbmap ];
 fonts = {
 packages = with pkgs; [ inter notonoto ];
@@ -26,15 +26,19 @@
 wheelNeedsPassword = true;
 };
+ services.mysql = {
+ enable = true;
+ package = pkgs.mysql84;
+ };
+
 users = {
 defaultUserShell = pkgs.zsh;
- users.avery.extraGroups = [ "wheel" "adbusers" ];
+ users.avery.extraGroups = [ "wheel" ];
 };
 wsl = {
 enable = true;
 defaultUser = "avery";
- usbip.enable = true;
 };
 virtualisation.docker.enable = true;
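Review bot: `services.mysql` in hosts/mizuki/nixos.nix is enabled with `package = pkgs.mysql84;` and nothing else, so the listener address, TCP exposure and root-auth behaviour are whatever the package defaults give, which this file does not make visible. On a WSL development host that may be fine, but `settings.mysqld.bind-address = "127.0.0.1";` pins the listener to loopback independently of the package default and states the intent. A one-line comment on why MySQL 8.4 is needed here (e.g. `# local DB for <project>`, with the project name filled in) would also help the next reader, since the rest of this hunk is removing development tooling.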