Merge branch 'main' of git.jhink.org:jacob/nix_config

flake.nix

@@ -33,43 +33,41 @@
     ...
   }: let
     system = "x86_64-linux";
-    homeManagerConfFor = config: {...}: {
+    homeManagerConfFor = config: { ... }: {
       #nixpkgs.overlays = [ nur.overlay ];
-      imports = [config];
+      imports = [ config ];
     };
     jacobHome = homeManagerConfFor ./home/jacob.nix;
     jacobHomeMod = {
       home-manager.useUserPackages = true;
       home-manager.users.jacob = jacobHome;
     };
-  in rec {
+    mkNixosSystem = extraModules: nixpkgs.lib.nixosSystem {
+      inherit system;
+      # see https://dataswamp.org/~solene/2022-07-20-nixos-flakes-command-sync-with-system.html
+      specialArgs = { inherit inputs; };
+      modules = [
+        home-manager.nixosModules.home-manager
+        jacobHomeMod
+        sops-nix.nixosModules.sops
+      ] ++ extraModules;
+    };
+  in {
     homeManagerConfigurations = {
       jacob = jacobHome;
     };
     nixosConfigurations = {
       # Thinkpad T470 laptop
-      buck = nixpkgs.lib.nixosSystem {
+      buck = mkNixosSystem [
-        inherit system;
+        nixos-hardware.nixosModules.lenovo-thinkpad-t470s
-        modules = [
+        ./machines/buck/configuration.nix
-          nixos-hardware.nixosModules.lenovo-thinkpad-t470s
+      ];
-          ./machines/buck/configuration.nix
-          home-manager.nixosModules.home-manager
-          jacobHomeMod
-          sops-nix.nixosModules.sops
-        ];
-      };
       # ThinkCentre M700 mini-pc (server)
-      pedro = nixpkgs.lib.nixosSystem {
+      pedro = mkNixosSystem [
-        inherit system;
+        nixos-hardware.nixosModules.common-pc-hdd
-        modules = [
+        nixos-hardware.nixosModules.common-cpu-intel-cpu-only
-          nixos-hardware.nixosModules.common-pc-hdd
+        ./machines/pedro/configuration.nix 
-          nixos-hardware.nixosModules.common-cpu-intel-cpu-only
+      ];
-          ./machines/pedro/configuration.nix
-          home-manager.nixosModules.home-manager
-          jacobHomeMod
-          sops-nix.nixosModules.sops
-        ];
-      };
     };
   };
 }

machines/buck/configuration.nix

@@ -1,6 +1,9 @@
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, inputs, sops, ... }:
+
 {
   config,
   pkgs,
@@ -12,6 +15,12 @@
     ./hardware-configuration.nix
   ];
 
+  # This lets us pin the nixpkgs registry by default to the nixpkgs used to build this system.
+  # Doing this means we are less likely to require the 30+MB download when
+  # running commands like nix search or nix run
+  # See: https://dataswamp.org/~solene/2022-07-20-nixos-flakes-command-sync-with-system.html
+  nix.registry.nixpkgs.flake = inputs.nixpkgs;
+
   sops = {
     # This will add secrets.yml to the nix store
     # You can avoid this by adding a string to the full path instead, i.e.

machines/pedro/configuration.nix

@@ -1,15 +1,17 @@
 # Edit this configuration file to define what should be installed on your system.  Help is available in the configuration.nix(5) man page and in the NixOS manual (accessible by running ‘nixos-help’).
-{
+
-  config,
+{ config, pkgs, inputs, options, sops, ... }:
-  pkgs,
+
-  options,
+{ imports =
-  sops,
+    [ # Include the results of the hardware scan.
-  ...
+      ./hardware-configuration-zfs.nix
-}: {
+    ];
-  imports = [
+
-    # Include the results of the hardware scan.
+  # This lets us pin the nixpkgs registry by default to the nixpkgs used to build this system.
-    ./hardware-configuration-zfs.nix
+  # Doing this means we are less likely to require the 30+MB download when
-  ];
+  # running commands like nix search or nix run
+  # See: https://dataswamp.org/~solene/2022-07-20-nixos-flakes-command-sync-with-system.html
+  nix.registry.nixpkgs.flake = inputs.nixpkgs;
 
   sops = {
     # This will add secrets.yml to the nix store
@@ -66,6 +68,10 @@
         };
       };
     };
+<<<<<<< HEAD
+    firewall = import ./firewall.nix;
+    timeServers = [ "192.168.88.1" ] ++ options.networking.timeServers.default;
+=======
     firewall = {
       allowedTCPPorts = [
         8384
@@ -102,6 +108,7 @@
       ];
     };
     timeServers = ["192.168.88.1"] ++ options.networking.timeServers.default;
+>>>>>>> 337a41901fccf4591c5315525a74e6e52d33589c
   };
 
   hardware.video.hidpi.enable = false;
@@ -112,10 +119,13 @@
   #package = pkgs.pulseaudioFull;
   #};
   hardware.bluetooth.enable = false;
+<<<<<<< HEAD
+=======
   services.blueman.enable = false;
 
   # Enable CUPS to print documents.
   services.printing.enable = false;
+>>>>>>> 337a41901fccf4591c5315525a74e6e52d33589c
 
   # Enable sound.
   sound.enable = false;
@@ -153,6 +163,7 @@
   virtualisation.oci-containers.containers = let
     serverIP = "192.168.88.21";
   in {
+    home-assistant = import ./home-assistant.nix serverIP;
     pihole = import ./pihole.nix serverIP;
   };
 
@@ -160,6 +171,16 @@
   services = {
     chrony.enable = true;
 
+    fail2ban = {
+      enable = true;
+      maxretry = 5;
+      ignoreIP = [
+        "127.0.0.0/8"     # localhost
+        "192.168.0.0/16"  # LAN
+        "160.91.241.229"  # lucky
+      ];
+    };
+
     gitea = import ./gitea.nix;
 
     nginx = import ./nginx.nix;
@@ -167,10 +188,6 @@
     # Enable the OpenSSH daemon.
     openssh.enable = true;
 
-    paperless = {
-      enable = true;
-    };
-
     pipewire = {
       enable = true;
       alsa.enable = true;
@@ -184,6 +201,8 @@
       #media-session.enable = true;
     };
 
+    syncthing = import ./syncthing.nix;
+
     unifi = {
       enable = true;
       openFirewall = true;
@@ -192,9 +211,11 @@
 
     vaultwarden = {
       enable = true;
-      config = {
+      config = {  # https://github.com/dani-garcia/vaultwarden/blob/1.25.2/.env.template
-        domain = "http://pedro:8081";
+        DOMAIN = "https://vault.jhink.org";
-        signupsAllowed = true;
+        ROCKET_ADDRESS = "0.0.0.0";
+        ROCKET_PORT = 8222;
+        SIGNUPS_ALLOWED = true;
       };
     };
 

machines/pedro/firewall.nix

@@ -0,0 +1,19 @@
+{
+  allowedTCPPorts = [
+    8384 22000  # syncthing
+    8080 8443 6789 8880 8843 27117  # unifi controller: https://help.ui.com/hc/en-us/articles/218506997-UniFi-Network-Required-Ports-Reference
+    53 8088  # pihole
+    #8123  # home-assistant
+    #3000  # gitea
+    #8081  # vaultwarden
+    80 443  # reverse proxy
+  ];
+  allowedUDPPorts = [
+    22000 21027  # syncthing
+    3478 5514 10001 1900 123 # unifi
+    53  # pihole
+  ];
+  allowedUDPPortRanges = [
+    { from = 5656; to = 5699; }  # unifi
+  ];
+}

machines/pedro/hardware-configuration-zfs.nix

@@ -32,75 +32,81 @@
     fsType = "vfat";
   };
 
-  fileSystems."/nix" = {
+  fileSystems."/nix" =
-    device = "rpool/nixos/nix";
+    { device = "rpool/nixos/nix";
-    fsType = "zfs";
+      fsType = "zfs";
-    options = ["zfsutil"];
+      neededForBoot = true;
-  };
+    };
 
-  fileSystems."/etc" = {
+  fileSystems."/etc" =
-    device = "rpool/nixos/etc";
+    { device = "rpool/nixos/etc";
-    fsType = "zfs";
+      fsType = "zfs";
-    options = ["zfsutil"];
+      neededForBoot = true;
-  };
+    };
 
-  fileSystems."/var" = {
+  fileSystems."/var" =
-    device = "rpool/nixos/var";
+    { device = "rpool/nixos/var";
-    fsType = "zfs";
+      fsType = "zfs";
-    options = ["zfsutil"];
+      neededForBoot = true;
-  };
+    };
 
-  fileSystems."/var/lib" = {
+  fileSystems."/var/lib" =
-    device = "rpool/nixos/var/lib";
+    { device = "rpool/nixos/var/lib";
-    fsType = "zfs";
+      fsType = "zfs";
-    options = ["zfsutil"];
+      neededForBoot = true;
-  };
+    };
 
-  fileSystems."/var/log" = {
+  fileSystems."/var/log" =
-    device = "rpool/nixos/var/log";
+    { device = "rpool/nixos/var/log";
-    fsType = "zfs";
+      fsType = "zfs";
-    options = ["zfsutil"];
+      neededForBoot = true;
-  };
+    };
 
-  fileSystems."/var/spool" = {
+  fileSystems."/var/spool" =
-    device = "rpool/nixos/var/spool";
+    { device = "rpool/nixos/var/spool";
-    fsType = "zfs";
+      fsType = "zfs";
-    options = ["zfsutil"];
+      neededForBoot = true;
-  };
+    };
 
-  fileSystems."/serverdata/pihole" = {
-    device = "rpool/serverdata/pihole";
-    fsType = "zfs";
-    options = ["zfsutil"];
-  };
-  fileSystems."/serverdata/gitea" = {
-    device = "rpool/serverdata/gitea";
-    fsType = "zfs";
-    options = ["zfsutil"];
-  };
-  fileSystems."/serverdata/home-assistant" = {
-    device = "rpool/serverdata/home-assistant";
-    fsType = "zfs";
-    options = ["zfsutil"];
-  };
 
-  fileSystems."/home" = {
+  fileSystems."/serverdata/gitea" =
-    device = "rpool/userdata/home";
+    { device = "rpool/serverdata/gitea";
-    fsType = "zfs";
+      fsType = "zfs";
-    options = ["zfsutil"];
+      neededForBoot = true;
-  };
+    };
+  fileSystems."/serverdata/home-assistant" =
+    { device = "rpool/serverdata/home-assistant";
+      fsType = "zfs";
+      neededForBoot = true;
+    };
+  fileSystems."/serverdata/pihole" =
+    { device = "rpool/serverdata/pihole";
+      fsType = "zfs";
+      neededForBoot = true;
+    };
+  fileSystems."/serverdata/syncthing" =
+    { device = "rpool/serverdata/syncthing";
+      fsType = "zfs";
+      neededForBoot = true;
+    };
 
-  fileSystems."/root" = {
+  fileSystems."/home" =
-    device = "rpool/userdata/home/root";
+    { device = "rpool/userdata/home";
-    fsType = "zfs";
+      fsType = "zfs";
-    options = ["zfsutil"];
+      neededForBoot = true;
-  };
+    };
 
-  fileSystems."/home/jacob" = {
+  fileSystems."/root" =
-    device = "rpool/userdata/home/jacob";
+    { device = "rpool/userdata/home/root";
-    fsType = "zfs";
+      fsType = "zfs";
-    options = ["zfsutil"];
+      neededForBoot = true;
-  };
+    };
+
+  fileSystems."/home/jacob" =
+    { device = "rpool/userdata/home/jacob";
+      fsType = "zfs";
+      neededForBoot = true;
+    };
 
   swapDevices = [
     {

machines/pedro/home-assistant.nix

@@ -0,0 +1,17 @@
+serverIP :
+{
+  image = "ghcr.io/home-assistant/home-assistant:2022.8.5";
+  #ports = [
+    #"8123:8123"
+  #];
+  volumes = [
+    "/etc/localtime:/etc/localtime:ro"
+    "/serverdata/home-assistant:/config"
+  ];
+  extraOptions = [
+    "--privileged"
+    "--network=host"
+    #"--device /dev/ttyUSB0"
+    #"--device /dev/ttyUSB1"
+  ];
+}

machines/pedro/nginx.nix

@@ -9,14 +9,13 @@
         proxy_buffering off;
       '';
       locations."/" = {
-        proxyPass = "http://[::1]:${toString ip}";
+        proxyPass = "http://127.0.0.1:${toString ip}";
         proxyWebsockets = true;
       };
     };
   in {
     "home.jhink.org" = simpleProxy 8123;
     "git.jhink.org" = simpleProxy 3000;
-    "paperless.jhink.org" = simpleProxy 8000;
+    "vault.jhink.org" = simpleProxy 8222;
-    #"vault.jhink.org" = simpleProxy 8081;
   };
 }

machines/pedro/pihole.nix

@@ -20,6 +20,7 @@ serverIP: {
     "/run/secrets/pihole:/run/secrets/pihole"
   ];
   extraOptions = [
+    "--cap-add=NET_ADMIN"
     "--no-hosts" # do not populate internal /etc/hosts with container host's
   ];
 }

machines/pedro/syncthing.nix

@@ -0,0 +1,9 @@
+{
+  enable = true;
+  dataDir = "/serverdata/syncthing/";
+  user = "jacob";
+  group = "users";
+  #openDefaultPorts = true;
+  configDir = "/serverdata/syncthing/.config/syncthing";
+  guiAddress = "192.168.88.0:8234";  # for headless
+}