
..

No commits in common. "34f9f3d180b5eeabb3a79f03e493bcbc4c4777d9" and "a0f14a888ee83599a5d37618ba07565fcf5a79b9" have entirely different histories.

9 changed files with 105 additions and 184 deletions


@ -33,41 +33,43 @@
... ...
}: let }: let
system = "x86_64-linux"; system = "x86_64-linux";
homeManagerConfFor = config: { ... }: { homeManagerConfFor = config: {...}: {
#nixpkgs.overlays = [ nur.overlay ]; #nixpkgs.overlays = [ nur.overlay ];
imports = [ config ]; imports = [config];
}; };
jacobHome = homeManagerConfFor ./home/jacob.nix; jacobHome = homeManagerConfFor ./home/jacob.nix;
jacobHomeMod = { jacobHomeMod = {
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
home-manager.users.jacob = jacobHome; home-manager.users.jacob = jacobHome;
}; };
mkNixosSystem = extraModules: nixpkgs.lib.nixosSystem { in rec {
inherit system;
# see https://dataswamp.org/~solene/2022-07-20-nixos-flakes-command-sync-with-system.html
specialArgs = { inherit inputs; };
modules = [
home-manager.nixosModules.home-manager
jacobHomeMod
sops-nix.nixosModules.sops
] ++ extraModules;
};
in {
homeManagerConfigurations = { homeManagerConfigurations = {
jacob = jacobHome; jacob = jacobHome;
}; };
nixosConfigurations = { nixosConfigurations = {
# Thinkpad T470 laptop # Thinkpad T470 laptop
buck = mkNixosSystem [ buck = nixpkgs.lib.nixosSystem {
nixos-hardware.nixosModules.lenovo-thinkpad-t470s inherit system;
./machines/buck/configuration.nix modules = [
]; nixos-hardware.nixosModules.lenovo-thinkpad-t470s
./machines/buck/configuration.nix
home-manager.nixosModules.home-manager
jacobHomeMod
sops-nix.nixosModules.sops
];
};
# ThinkCentre M700 mini-pc (server) # ThinkCentre M700 mini-pc (server)
pedro = mkNixosSystem [ pedro = nixpkgs.lib.nixosSystem {
nixos-hardware.nixosModules.common-pc-hdd inherit system;
nixos-hardware.nixosModules.common-cpu-intel-cpu-only modules = [
./machines/pedro/configuration.nix nixos-hardware.nixosModules.common-pc-hdd
]; nixos-hardware.nixosModules.common-cpu-intel-cpu-only
./machines/pedro/configuration.nix
home-manager.nixosModules.home-manager
jacobHomeMod
sops-nix.nixosModules.sops
];
};
}; };
}; };
} }


@ -1,9 +1,6 @@
# Edit this configuration file to define what should be installed on # Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page # your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help). # and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, inputs, sops, ... }:
{ {
config, config,
pkgs, pkgs,
@ -15,12 +12,6 @@
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
# This lets us pin the nixpkgs registry by default to the nixpkgs used to build this system.
# Doing this means we are less likely to require the 30+MB download when
# running commands like nix search or nix run
# See: https://dataswamp.org/~solene/2022-07-20-nixos-flakes-command-sync-with-system.html
nix.registry.nixpkgs.flake = inputs.nixpkgs;
sops = { sops = {
# This will add secrets.yml to the nix store # This will add secrets.yml to the nix store
# You can avoid this by adding a string to the full path instead, i.e. # You can avoid this by adding a string to the full path instead, i.e.
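Review bot: Removing `nix.registry.nixpkgs.flake = inputs.nixpkgs;` (together with the `inputs` argument) means `nix run`, `nix shell` and `nix search` on this host now resolve `nixpkgs` through the global flake registry, i.e. whatever the public registry points at on that day, rather than the revision this system closure was built from. That gives up the reproducibility and input pinning the old comment described, so ad-hoc tooling is no longer guaranteed to come from the same audited nixpkgs as the system. If this is intentional, record it next to `imports`, e.g. `# nix registry intentionally not pinned to this flake's nixpkgs input`; the same removal is made in machines/pedro/configuration.nix in the next file section. The enclosing module attribute set continues outside the hunk.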


@ -1,17 +1,15 @@
# Edit this configuration file to define what should be installed on your system. Help is available in the configuration.nix(5) man page and in the NixOS manual (accessible by running nixos-help). # Edit this configuration file to define what should be installed on your system. Help is available in the configuration.nix(5) man page and in the NixOS manual (accessible by running nixos-help).
{
{ config, pkgs, inputs, options, sops, ... }: config,
pkgs,
{ imports = options,
[ # Include the results of the hardware scan. sops,
./hardware-configuration-zfs.nix ...
]; }: {
imports = [
# This lets us pin the nixpkgs registry by default to the nixpkgs used to build this system. # Include the results of the hardware scan.
# Doing this means we are less likely to require the 30+MB download when ./hardware-configuration-zfs.nix
# running commands like nix search or nix run ];
# See: https://dataswamp.org/~solene/2022-07-20-nixos-flakes-command-sync-with-system.html
nix.registry.nixpkgs.flake = inputs.nixpkgs;
sops = { sops = {
# This will add secrets.yml to the nix store # This will add secrets.yml to the nix store
@ -68,10 +66,6 @@
}; };
}; };
}; };
<<<<<<< HEAD
firewall = import ./firewall.nix;
timeServers = [ "192.168.88.1" ] ++ options.networking.timeServers.default;
=======
firewall = { firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
8384 8384
@ -108,7 +102,6 @@
]; ];
}; };
timeServers = ["192.168.88.1"] ++ options.networking.timeServers.default; timeServers = ["192.168.88.1"] ++ options.networking.timeServers.default;
>>>>>>> 337a41901fccf4591c5315525a74e6e52d33589c
}; };
hardware.video.hidpi.enable = false; hardware.video.hidpi.enable = false;
@ -119,13 +112,10 @@
#package = pkgs.pulseaudioFull; #package = pkgs.pulseaudioFull;
#}; #};
hardware.bluetooth.enable = false; hardware.bluetooth.enable = false;
<<<<<<< HEAD
=======
services.blueman.enable = false; services.blueman.enable = false;
# Enable CUPS to print documents. # Enable CUPS to print documents.
services.printing.enable = false; services.printing.enable = false;
>>>>>>> 337a41901fccf4591c5315525a74e6e52d33589c
# Enable sound. # Enable sound.
sound.enable = false; sound.enable = false;
@ -163,7 +153,6 @@
virtualisation.oci-containers.containers = let virtualisation.oci-containers.containers = let
serverIP = "192.168.88.21"; serverIP = "192.168.88.21";
in { in {
home-assistant = import ./home-assistant.nix serverIP;
pihole = import ./pihole.nix serverIP; pihole = import ./pihole.nix serverIP;
}; };
@ -171,16 +160,6 @@
services = { services = {
chrony.enable = true; chrony.enable = true;
fail2ban = {
enable = true;
maxretry = 5;
ignoreIP = [
"127.0.0.0/8" # localhost
"192.168.0.0/16" # LAN
"160.91.241.229" # lucky
];
};
gitea = import ./gitea.nix; gitea = import ./gitea.nix;
nginx = import ./nginx.nix; nginx = import ./nginx.nix;
@ -188,6 +167,10 @@
# Enable the OpenSSH daemon. # Enable the OpenSSH daemon.
openssh.enable = true; openssh.enable = true;
paperless = {
enable = true;
};
pipewire = { pipewire = {
enable = true; enable = true;
alsa.enable = true; alsa.enable = true;
@ -201,8 +184,6 @@
#media-session.enable = true; #media-session.enable = true;
}; };
syncthing = import ./syncthing.nix;
unifi = { unifi = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
@ -211,11 +192,9 @@
vaultwarden = { vaultwarden = {
enable = true; enable = true;
config = { # https://github.com/dani-garcia/vaultwarden/blob/1.25.2/.env.template config = {
DOMAIN = "https://vault.jhink.org"; domain = "http://pedro:8081";
ROCKET_ADDRESS = "0.0.0.0"; signupsAllowed = true;
ROCKET_PORT = 8222;
SIGNUPS_ALLOWED = true;
}; };
}; };
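Review bot: The rewritten vaultwarden block keeps `signupsAllowed = true` while `domain` is now a plain-HTTP name (`http://pedro:8081`) and the nginx entry for `vault.jhink.org` is commented out, so open registration stays enabled on an instance with no TLS in front of it. Once the intended accounts exist this should read `signupsAllowed = false;`, and `domain` should be the HTTPS origin clients actually use, since the web vault's crypto APIs only run in a secure context. This section also drops the whole `fail2ban` block while `openssh.enable = true` remains, so SSH loses its brute-force throttling; confirm key-only login is enforced (e.g. `services.openssh.passwordAuthentication = false;`, or its `settings.PasswordAuthentication` form on newer channels) or keep fail2ban. Inferred only: nginx.nix now proxies paperless to port 8000, which is also vaultwarden's default listening port unless `ROCKET_PORT` is set elsewhere, so one of the two may be mis-routed.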


@ -1,19 +0,0 @@
{
allowedTCPPorts = [
8384 22000 # syncthing
8080 8443 6789 8880 8843 27117 # unifi controller: https://help.ui.com/hc/en-us/articles/218506997-UniFi-Network-Required-Ports-Reference
53 8088 # pihole
#8123 # home-assistant
#3000 # gitea
#8081 # vaultwarden
80 443 # reverse proxy
];
allowedUDPPorts = [
22000 21027 # syncthing
3478 5514 10001 1900 123 # unifi
53 # pihole
];
allowedUDPPortRanges = [
{ from = 5656; to = 5699; } # unifi
];
}


@ -32,81 +32,75 @@
fsType = "vfat"; fsType = "vfat";
}; };
fileSystems."/nix" = fileSystems."/nix" = {
{ device = "rpool/nixos/nix"; device = "rpool/nixos/nix";
fsType = "zfs"; fsType = "zfs";
neededForBoot = true; options = ["zfsutil"];
}; };
fileSystems."/etc" = fileSystems."/etc" = {
{ device = "rpool/nixos/etc"; device = "rpool/nixos/etc";
fsType = "zfs"; fsType = "zfs";
neededForBoot = true; options = ["zfsutil"];
}; };
fileSystems."/var" = fileSystems."/var" = {
{ device = "rpool/nixos/var"; device = "rpool/nixos/var";
fsType = "zfs"; fsType = "zfs";
neededForBoot = true; options = ["zfsutil"];
}; };
fileSystems."/var/lib" = fileSystems."/var/lib" = {
{ device = "rpool/nixos/var/lib"; device = "rpool/nixos/var/lib";
fsType = "zfs"; fsType = "zfs";
neededForBoot = true; options = ["zfsutil"];
}; };
fileSystems."/var/log" = fileSystems."/var/log" = {
{ device = "rpool/nixos/var/log"; device = "rpool/nixos/var/log";
fsType = "zfs"; fsType = "zfs";
neededForBoot = true; options = ["zfsutil"];
}; };
fileSystems."/var/spool" = fileSystems."/var/spool" = {
{ device = "rpool/nixos/var/spool"; device = "rpool/nixos/var/spool";
fsType = "zfs"; fsType = "zfs";
neededForBoot = true; options = ["zfsutil"];
}; };
fileSystems."/serverdata/pihole" = {
device = "rpool/serverdata/pihole";
fsType = "zfs";
options = ["zfsutil"];
};
fileSystems."/serverdata/gitea" = {
device = "rpool/serverdata/gitea";
fsType = "zfs";
options = ["zfsutil"];
};
fileSystems."/serverdata/home-assistant" = {
device = "rpool/serverdata/home-assistant";
fsType = "zfs";
options = ["zfsutil"];
};
fileSystems."/serverdata/gitea" = fileSystems."/home" = {
{ device = "rpool/serverdata/gitea"; device = "rpool/userdata/home";
fsType = "zfs"; fsType = "zfs";
neededForBoot = true; options = ["zfsutil"];
}; };
fileSystems."/serverdata/home-assistant" =
{ device = "rpool/serverdata/home-assistant";
fsType = "zfs";
neededForBoot = true;
};
fileSystems."/serverdata/pihole" =
{ device = "rpool/serverdata/pihole";
fsType = "zfs";
neededForBoot = true;
};
fileSystems."/serverdata/syncthing" =
{ device = "rpool/serverdata/syncthing";
fsType = "zfs";
neededForBoot = true;
};
fileSystems."/home" = fileSystems."/root" = {
{ device = "rpool/userdata/home"; device = "rpool/userdata/home/root";
fsType = "zfs"; fsType = "zfs";
neededForBoot = true; options = ["zfsutil"];
}; };
fileSystems."/root" = fileSystems."/home/jacob" = {
{ device = "rpool/userdata/home/root"; device = "rpool/userdata/home/jacob";
fsType = "zfs"; fsType = "zfs";
neededForBoot = true; options = ["zfsutil"];
}; };
fileSystems."/home/jacob" =
{ device = "rpool/userdata/home/jacob";
fsType = "zfs";
neededForBoot = true;
};
swapDevices = [ swapDevices = [
{ {
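Review bot: Every dataset here loses `neededForBoot = true` in favour of `options = ["zfsutil"]` with no comment on why. NixOS stage-1 already treats `/nix`, `/etc`, `/var`, `/var/lib` and `/var/log` as needed for boot (via `utils.pathsNeededForBoot`), so the visible effect is limited to `/var/spool`, `/root`, `/home`, `/home/jacob` and the `/serverdata/*` datasets, which are now mounted only after stage 1 — confirm nothing that starts early depends on them being present. A one-line comment such as `# zfsutil: mount via the dataset properties; only stage-1 paths need neededForBoot` would document the intent. Also, `/serverdata/syncthing` is dropped together with syncthing.nix; if that dataset still exists its data is merely left unmounted, which is worth noting so it is not mistaken for having been removed.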


@ -1,17 +0,0 @@
serverIP :
{
image = "ghcr.io/home-assistant/home-assistant:2022.8.5";
#ports = [
#"8123:8123"
#];
volumes = [
"/etc/localtime:/etc/localtime:ro"
"/serverdata/home-assistant:/config"
];
extraOptions = [
"--privileged"
"--network=host"
#"--device /dev/ttyUSB0"
#"--device /dev/ttyUSB1"
];
}


@ -9,13 +9,14 @@
proxy_buffering off; proxy_buffering off;
''; '';
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString ip}"; proxyPass = "http://[::1]:${toString ip}";
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
in { in {
"home.jhink.org" = simpleProxy 8123; "home.jhink.org" = simpleProxy 8123;
"git.jhink.org" = simpleProxy 3000; "git.jhink.org" = simpleProxy 3000;
"vault.jhink.org" = simpleProxy 8222; "paperless.jhink.org" = simpleProxy 8000;
#"vault.jhink.org" = simpleProxy 8081;
}; };
} }
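Review bot: `"home.jhink.org" = simpleProxy 8123;` is kept although the home-assistant container that served port 8123 is removed from pedro's configuration.nix and home-assistant.nix is deleted in this compare, leaving a public vhost that proxies to nothing (nginx answers 502, but the hostname and TLS endpoint stay exposed). Either drop that line or comment it out the way the vaultwarden entry below it is. Switching `proxyPass` from `127.0.0.1` to `[::1]` also assumes every upstream now listens on the IPv6 loopback; gitea, paperless and vaultwarden must bind `::1`, `::` or dual-stack, otherwise the proxy fails with the same 502 — their bind addresses are not visible here, so this needs checking. The `simpleProxy` helper begins before this hunk.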


@ -20,7 +20,6 @@ serverIP: {
"/run/secrets/pihole:/run/secrets/pihole" "/run/secrets/pihole:/run/secrets/pihole"
]; ];
extraOptions = [ extraOptions = [
"--cap-add=NET_ADMIN"
"--no-hosts" # do not populate internal /etc/hosts with container host's "--no-hosts" # do not populate internal /etc/hosts with container host's
]; ];
} }
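Review bot: Dropping `--cap-add=NET_ADMIN` is the right direction for least privilege, but it is a functional change for Pi-hole's optional DHCP server, which needs that capability, and nothing in the hunk says DHCP is unused. A comment on the `extraOptions` line would make the trade-off explicit, e.g. `# no NET_ADMIN: DNS-only container, Pi-hole DHCP server not used`. The `serverIP: {` function enclosing this block starts before the hunk.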


@ -1,9 +0,0 @@
{
enable = true;
dataDir = "/serverdata/syncthing/";
user = "jacob";
group = "users";
#openDefaultPorts = true;
configDir = "/serverdata/syncthing/.config/syncthing";
guiAddress = "192.168.88.0:8234"; # for headless
}