From 2144d9ef61a51af58dc9a980c54722227345e980 Mon Sep 17 00:00:00 2001 
From: Jimbo Date: Fri, 28 Feb 2025 12:21:09 -0500 Subject: [PATCH] Wtf why did it remove everything. --- modules/home/settings/aliases/default.nix | 21 +++++++ modules/system/accounts/default.nix | 6 ++ modules/system/accounts/groups/default.nix | 4 ++ .../accounts/groups/nfsShare/default.nix | 4 ++ .../system/accounts/users/custom/default.nix | 7 +++ modules/system/accounts/users/default.nix | 9 +++ .../system/accounts/users/system/default.nix | 9 +++ .../users/system/jellyfin/default.nix | 12 ++++ .../users/system/liquidsoap/default.nix | 12 ++++ .../users/system/nextcloud/default.nix | 12 ++++ .../accounts/users/system/nginx/default.nix | 15 +++++ .../system/devices/boot/extlinux/default.nix | 10 +++ .../system/devices/boot/services/default.nix | 6 ++ .../boot/services/root-reset/default.nix | 31 ++++++++++ modules/system/devices/disks/default.nix | 9 +++ .../devices/disks/filesystems/default.nix | 13 ++++ .../devices/disks/immutable/default.nix | 5 ++ .../devices/disks/impermanence/default.nix | 8 +++ .../disks/impermanence/main/default.nix | 46 ++++++++++++++ .../disks/impermanence/root/default.nix | 15 +++++ .../system/devices/disks/snapper/default.nix | 12 ++++ .../devices/disks/snapper/main/default.nix | 12 ++++ .../devices/disks/snapper/root/default.nix | 12 ++++ .../devices/networking/wireless/default.nix | 13 ++++ modules/system/programs/git/default.nix | 7 +++ modules/system/services/default.nix | 7 +++ .../services/general/earlyoom/default.nix | 4 ++ .../services/general/libvirtd/default.nix | 39 ++++++++++++ .../services/general/snowflake/default.nix | 4 ++ .../system/services/general/ssh/default.nix | 22 +++++++ .../services/general/ssh/fail2ban/default.nix | 10 +++ .../system/services/general/tlp/default.nix | 4 ++ .../services/general/userborn/default.nix | 4 ++ .../services/server/cfdyndns/default.nix | 7 +++ .../services/server/fileserver/default.nix | 10 +++ .../server/fileserver/jellyfin/default.nix | 11 ++++ 
.../fileserver/jellyfin/nginx/default.nix | 11 ++++ .../nextcloud/collabora/default.nix | 4 ++ .../server/fileserver/nextcloud/default.nix | 34 ++++++++++ .../fileserver/nextcloud/nginx/default.nix | 18 ++++++ .../server/fileserver/nfs/default.nix | 11 ++++ .../services/server/forgejo/default.nix | 39 ++++++++++++ .../services/server/forgejo/nginx/default.nix | 11 ++++ .../system/services/server/mysql/default.nix | 23 +++++++ .../services/server/socialserver/default.nix | 10 +++ .../server/socialserver/mastodon/default.nix | 23 +++++++ .../socialserver/matrix/coturn/default.nix | 46 ++++++++++++++ .../matrix/coturn/nginx/default.nix | 22 +++++++ .../server/socialserver/matrix/default.nix | 8 +++ .../socialserver/matrix/element/default.nix | 23 +++++++ .../matrix/element/nginx/default.nix | 8 +++ .../socialserver/matrix/synapse/default.nix | 62 +++++++++++++++++++ .../matrix/synapse/nginx/default.nix | 13 ++++ .../server/socialserver/owncast/default.nix | 16 +++++ .../socialserver/owncast/nginx/default.nix | 11 ++++ .../services/server/transmission/default.nix | 16 +++++ .../server/transmission/nginx/default.nix | 11 ++++ .../services/server/vaultwarden/default.nix | 29 +++++++++ .../server/vaultwarden/nginx/default.nix | 11 ++++ .../server/webserver/acme/default.nix | 10 +++ .../services/server/webserver/default.nix | 9 +++ .../server/webserver/nginx/rtmp/default.nix | 32 ++++++++++ .../webserver/nginx/virtualhosts/default.nix | 7 +++ .../virtualhosts/jimbosfiles/default.nix | 27 ++++++++ .../nginx/virtualhosts/nixfox/default.nix | 16 +++++ modules/system/settings/minimal/default.nix | 21 +++++++ modules/system/settings/nix/default.nix | 23 +++++++ modules/system/settings/nix/gc/default.nix | 8 +++ .../settings/security/apparmor/default.nix | 4 ++ modules/system/settings/security/default.nix | 1 + .../settings/security/polkit/default.nix | 7 +++ .../settings/security/privilege/default.nix | 16 +++++ modules/system/settings/timezone/default.nix | 4 ++ 73 files 
changed, 1077 insertions(+) create mode 100644 modules/home/settings/aliases/default.nix create mode 100644 modules/system/accounts/default.nix create mode 100644 modules/system/accounts/groups/default.nix create mode 100644 modules/system/accounts/groups/nfsShare/default.nix create mode 100644 modules/system/accounts/users/custom/default.nix create mode 100644 modules/system/accounts/users/default.nix create mode 100644 modules/system/accounts/users/system/default.nix create mode 100644 modules/system/accounts/users/system/jellyfin/default.nix create mode 100644 modules/system/accounts/users/system/liquidsoap/default.nix create mode 100644 modules/system/accounts/users/system/nextcloud/default.nix create mode 100644 modules/system/accounts/users/system/nginx/default.nix create mode 100644 modules/system/devices/boot/extlinux/default.nix create mode 100644 modules/system/devices/boot/services/default.nix create mode 100644 modules/system/devices/boot/services/root-reset/default.nix create mode 100644 modules/system/devices/disks/default.nix create mode 100644 modules/system/devices/disks/filesystems/default.nix create mode 100644 modules/system/devices/disks/immutable/default.nix create mode 100644 modules/system/devices/disks/impermanence/default.nix create mode 100644 modules/system/devices/disks/impermanence/main/default.nix create mode 100644 modules/system/devices/disks/impermanence/root/default.nix create mode 100644 modules/system/devices/disks/snapper/default.nix create mode 100644 modules/system/devices/disks/snapper/main/default.nix create mode 100644 modules/system/devices/disks/snapper/root/default.nix create mode 100644 modules/system/devices/networking/wireless/default.nix create mode 100644 modules/system/programs/git/default.nix create mode 100644 modules/system/services/default.nix create mode 100644 modules/system/services/general/earlyoom/default.nix create mode 100644 modules/system/services/general/libvirtd/default.nix create mode 100644 
modules/system/services/general/snowflake/default.nix create mode 100644 modules/system/services/general/ssh/default.nix create mode 100644 modules/system/services/general/ssh/fail2ban/default.nix create mode 100644 modules/system/services/general/tlp/default.nix create mode 100644 modules/system/services/general/userborn/default.nix create mode 100644 modules/system/services/server/cfdyndns/default.nix create mode 100644 modules/system/services/server/fileserver/default.nix create mode 100644 modules/system/services/server/fileserver/jellyfin/default.nix create mode 100644 modules/system/services/server/fileserver/jellyfin/nginx/default.nix create mode 100644 modules/system/services/server/fileserver/nextcloud/collabora/default.nix create mode 100644 modules/system/services/server/fileserver/nextcloud/default.nix create mode 100644 modules/system/services/server/fileserver/nextcloud/nginx/default.nix create mode 100644 modules/system/services/server/fileserver/nfs/default.nix create mode 100644 modules/system/services/server/forgejo/default.nix create mode 100644 modules/system/services/server/forgejo/nginx/default.nix create mode 100644 modules/system/services/server/mysql/default.nix create mode 100644 modules/system/services/server/socialserver/default.nix create mode 100644 modules/system/services/server/socialserver/mastodon/default.nix create mode 100644 modules/system/services/server/socialserver/matrix/coturn/default.nix create mode 100644 modules/system/services/server/socialserver/matrix/coturn/nginx/default.nix create mode 100644 modules/system/services/server/socialserver/matrix/default.nix create mode 100644 modules/system/services/server/socialserver/matrix/element/default.nix create mode 100644 modules/system/services/server/socialserver/matrix/element/nginx/default.nix create mode 100644 modules/system/services/server/socialserver/matrix/synapse/default.nix create mode 100644 
modules/system/services/server/socialserver/matrix/synapse/nginx/default.nix create mode 100644 modules/system/services/server/socialserver/owncast/default.nix create mode 100644 modules/system/services/server/socialserver/owncast/nginx/default.nix create mode 100644 modules/system/services/server/transmission/default.nix create mode 100644 modules/system/services/server/transmission/nginx/default.nix create mode 100644 modules/system/services/server/vaultwarden/default.nix create mode 100644 modules/system/services/server/vaultwarden/nginx/default.nix create mode 100644 modules/system/services/server/webserver/acme/default.nix create mode 100644 modules/system/services/server/webserver/default.nix create mode 100644 modules/system/services/server/webserver/nginx/rtmp/default.nix create mode 100644 modules/system/services/server/webserver/nginx/virtualhosts/default.nix create mode 100644 modules/system/services/server/webserver/nginx/virtualhosts/jimbosfiles/default.nix create mode 100644 modules/system/services/server/webserver/nginx/virtualhosts/nixfox/default.nix create mode 100644 modules/system/settings/minimal/default.nix create mode 100644 modules/system/settings/nix/default.nix create mode 100644 modules/system/settings/nix/gc/default.nix create mode 100644 modules/system/settings/security/apparmor/default.nix create mode 100644 modules/system/settings/security/polkit/default.nix create mode 100644 modules/system/settings/security/privilege/default.nix create mode 100644 modules/system/settings/timezone/default.nix diff --git a/modules/home/settings/aliases/default.nix b/modules/home/settings/aliases/default.nix new file mode 100644 index 0000000..22cc025 --- /dev/null +++ b/modules/home/settings/aliases/default.nix 
@@ -0,0 +1,21 @@ +{ pkgs, ... }: +{ + home.shellAliases = { + # NixOS + flakedate = "doas nix flake update --flake /etc/nixos"; + nhs = "doas nh os switch -R /etc/nixos"; + nhu = "flakedate && nhs"; + + nixclean = "nix store gc; nix store optimise"; + nixpurge = "doas nix-collect-garbage --delete-old"; + nixscrub = "nixclean; nixpurge"; + + # Shortcuts + ff = "clear && fastfetch"; + ip = "ip -c"; + cat = "${pkgs.bat}/bin/bat --paging never"; + copycat = "wl-copy <"; + myip = "curl ifconfig.co"; + seneca = "ssh jhampton1@matrix.senecapolytechnic.ca"; + }; +} diff --git a/modules/system/accounts/default.nix b/modules/system/accounts/default.nix new file mode 100644 index 0000000..5c525dd --- /dev/null +++ b/modules/system/accounts/default.nix @@ -0,0 +1,6 @@ +{ ... }: { + imports = [ + ./users + ./groups + ]; +} diff --git a/modules/system/accounts/groups/default.nix b/modules/system/accounts/groups/default.nix new file mode 100644 index 0000000..293cc0d --- /dev/null +++ b/modules/system/accounts/groups/default.nix @@ -0,0 +1,4 @@ +{ ... }: +{ + imports = [ ./nfsShare ]; +} diff --git a/modules/system/accounts/groups/nfsShare/default.nix b/modules/system/accounts/groups/nfsShare/default.nix new file mode 100644 index 0000000..362f176 --- /dev/null +++ b/modules/system/accounts/groups/nfsShare/default.nix @@ -0,0 +1,4 @@ +{ ... }: +{ + users.groups.nfsShare.gid = 983; +} diff --git a/modules/system/accounts/users/custom/default.nix b/modules/system/accounts/users/custom/default.nix new file mode 100644 index 0000000..d2600a9 --- /dev/null +++ b/modules/system/accounts/users/custom/default.nix @@ -0,0 +1,7 @@ +{ home-manager, ... }: +{ + imports = [ + ./main + home-manager.nixosModules.home-manager + ]; +} diff --git a/modules/system/accounts/users/default.nix b/modules/system/accounts/users/default.nix new file mode 100644 index 0000000..59e3555 --- /dev/null +++ b/modules/system/accounts/users/default.nix 
@@ -0,0 +1,9 @@ +{ ... }: +{ + imports = [ + ./custom + ./system + ]; + + users.mutableUsers = false; +} diff --git a/modules/system/accounts/users/system/default.nix b/modules/system/accounts/users/system/default.nix new file mode 100644 index 0000000..ffbaa7a --- /dev/null +++ b/modules/system/accounts/users/system/default.nix @@ -0,0 +1,9 @@ +{ ... }: +{ + imports = [ + ./jellyfin + ./liquidsoap + ./nextcloud + ./nginx + ]; +} diff --git a/modules/system/accounts/users/system/jellyfin/default.nix b/modules/system/accounts/users/system/jellyfin/default.nix new file mode 100644 index 0000000..ed8cc7b --- /dev/null +++ b/modules/system/accounts/users/system/jellyfin/default.nix @@ -0,0 +1,12 @@ +{ ... }: +{ + users = { + users.jellyfin = { + group = "jellyfin"; + extraGroups = [ "nfsShare" ]; + isSystemUser = true; + uid = 983; + }; + groups.jellyfin = {}; + }; +} diff --git a/modules/system/accounts/users/system/liquidsoap/default.nix b/modules/system/accounts/users/system/liquidsoap/default.nix new file mode 100644 index 0000000..f83e9cc --- /dev/null +++ b/modules/system/accounts/users/system/liquidsoap/default.nix @@ -0,0 +1,12 @@ +{ ... }: +{ + users = { + users.liquidsoap = { + group = "liquidsoap"; + extraGroups = [ "nginx" ]; + isSystemUser = true; + uid = 155; + }; + groups.liquidsoap = {}; + }; +} diff --git a/modules/system/accounts/users/system/nextcloud/default.nix b/modules/system/accounts/users/system/nextcloud/default.nix new file mode 100644 index 0000000..0722276 --- /dev/null +++ b/modules/system/accounts/users/system/nextcloud/default.nix @@ -0,0 +1,12 @@ +{ ... }: +{ + users = { + users.nextcloud = { + group = "nextcloud"; + extraGroups = [ "nfsShare" ]; + isSystemUser = true; + uid = 218; + }; + groups.nextcloud = {}; + }; +} diff --git a/modules/system/accounts/users/system/nginx/default.nix b/modules/system/accounts/users/system/nginx/default.nix new file mode 100644 index 0000000..2c5fa8a --- /dev/null 
+++ b/modules/system/accounts/users/system/nginx/default.nix @@ -0,0 +1,15 @@ +{ ... }: +{ + users = { + users.nginx = { + group = "nginx"; + extraGroups = [ + "turnserver" + "virtualMail" + ]; + isSystemUser = true; + uid = 60; + }; + groups.nginx = {}; + }; +} diff --git a/modules/system/devices/boot/extlinux/default.nix b/modules/system/devices/boot/extlinux/default.nix new file mode 100644 index 0000000..95858ea --- /dev/null +++ b/modules/system/devices/boot/extlinux/default.nix @@ -0,0 +1,10 @@ +{ config, lib, ... }: +{ + options.system.extlinux.enable = lib.mkEnableOption "Enable extlinux"; + + config.boot.loader = lib.mkIf config.system.extlinux.enable { + grub.enable = false; + systemd-boot.enable = lib.mkForce false; + generic-extlinux-compatible.enable = true; + }; +} diff --git a/modules/system/devices/boot/services/default.nix b/modules/system/devices/boot/services/default.nix new file mode 100644 index 0000000..1d42ae2 --- /dev/null +++ b/modules/system/devices/boot/services/default.nix @@ -0,0 +1,6 @@ +{ ... }: +{ + imports = [ ./root-reset ]; + + boot.initrd.systemd.enable = true; +} diff --git a/modules/system/devices/boot/services/root-reset/default.nix b/modules/system/devices/boot/services/root-reset/default.nix new file mode 100644 index 0000000..44d2a1b --- /dev/null +++ b/modules/system/devices/boot/services/root-reset/default.nix 
@@ -0,0 +1,31 @@
+{ config, ... }:
+{
+ boot.initrd.systemd.services.root-reset = {
+ enable = config.environment.persistence."/persist".enable;
+ description = "Create new and snapshot previous root";
+ wantedBy = [ "initrd.target" ];
+ before = [ "sysroot.mount" ];
+ after = [ "initrd-root-device.target" ];
+ unitConfig.DefaultDependencies = "no";
+ serviceConfig.Type = "oneshot";
+ script = ''
+ mkdir -p /mnt
+ mount -t btrfs /dev/${config.networking.hostName}/root /mnt
+
+ if [[ -e /mnt/prev ]]; then
+ btrfs subvolume delete /mnt/prev
+ fi
+
+ btrfs subvolume snapshot /mnt/root /mnt/prev
+
+ btrfs subvolume list -o /mnt/root | cut -f9 -d' ' | while read subvolume; do
+ btrfs subvolume delete "/mnt/$subvolume"
+ done
+
+ btrfs subvolume delete /mnt/root
+ btrfs subvolume create /mnt/root
+
+ umount /mnt
+ '';
+ };
+}
diff --git a/modules/system/devices/disks/default.nix b/modules/system/devices/disks/default.nix
new file mode 100644
index 0000000..727bef5
--- /dev/null
+++ b/modules/system/devices/disks/default.nix
@@ -0,0 +1,9 @@
+{ ... }:
+{
+ imports = [
+ ./filesystems
+ ./immutable
+ ./impermanence
+ ./snapper
+ ];
+}
diff --git a/modules/system/devices/disks/filesystems/default.nix b/modules/system/devices/disks/filesystems/default.nix
new file mode 100644
index 0000000..be9bebf
--- /dev/null
+++ b/modules/system/devices/disks/filesystems/default.nix
@@ -0,0 +1,13 @@
+{ pkgs, ... }:
+{
+ boot.supportedFilesystems = {
+ btrfs = true;
+ ntfs = true;
+ zfs = true;
+ };
+
+ services = {
+ btrfs.autoScrub.enable = true;
+ fstrim.enable = true;
+ };
+}
diff --git a/modules/system/devices/disks/immutable/default.nix b/modules/system/devices/disks/immutable/default.nix
new file mode 100644
index 0000000..9b07e92
--- /dev/null
+++ b/modules/system/devices/disks/immutable/default.nix
@@ -0,0 +1,5 @@
+{ ... }:
+{
+ system.etc.overlay.mutable = false;
+ boot.tmp.cleanOnBoot = true;
+}
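Review bot: The subvolume sweep at `btrfs subvolume list -o /mnt/root | cut -f9 -d' ' | while read subvolume` parses a fixed whitespace field and uses a bare `read`, so a nested subvolume whose path contains a space or backslash yields a truncated or mangled name and the following `btrfs subvolume delete "/mnt/$subvolume"` then targets the wrong path. `while IFS= read -r subvolume; do` together with a parse that keeps everything after the `path ` token (for example `sed 's/.*path //'`) preserves the full path. Whether deleting parents before their nested children succeeds also depends on the listing order and kernel, which this hunk cannot show, so a comment above the loop stating that it intentionally discards every subvolume under the old root before `sysroot.mount`, with no confirmation step, would make the destructive intent explicit to the next reader.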
diff --git a/modules/system/devices/disks/impermanence/default.nix b/modules/system/devices/disks/impermanence/default.nix new file mode 100644 index 0000000..e73882d --- /dev/null +++ b/modules/system/devices/disks/impermanence/default.nix @@ -0,0 +1,8 @@ +{ impermanence, ... }: +{ + imports = [ + ./main + ./root + impermanence.nixosModules.impermanence + ]; +} diff --git a/modules/system/devices/disks/impermanence/main/default.nix b/modules/system/devices/disks/impermanence/main/default.nix new file mode 100644 index 0000000..cca8d2c --- /dev/null +++ b/modules/system/devices/disks/impermanence/main/default.nix @@ -0,0 +1,46 @@ +{ config, ... }: +{ + environment.persistence."/persist" = { + hideMounts = true; + users.${config.sysusers.main} = { + directories = [ + "Keepers" + "Documents" + "Pictures" + "Videos" + "Games" + "VMs" + + ".snapshots" + ".mozilla" + ".thunderbird" + + ".config/blender" + ".config/dconf" + ".config/vesktop" + ".config/sunshine" + ".config/heroic" + ".config/obs-studio" + + ".local/share/mpd" + ".local/share/nvim/undo" + ".local/share/PrismLauncher" + ".local/share/Steam" + ".local/share/TelegramDesktop" + + ".local/state/wireplumber" + + ".cache/nix-index" + + { directory = ".ssh"; mode = "0700"; } + { directory = ".gnupg"; mode = "0700"; } + { directory = ".local/share/keyrings"; mode = "0700"; } + ]; + files = [ + ".zsh_history" + ".local/state/lazygit/state.yml" + ".local/share/applications" # Create directory so nothing generates inside of it + ]; + }; + }; +} diff --git a/modules/system/devices/disks/impermanence/root/default.nix b/modules/system/devices/disks/impermanence/root/default.nix new file mode 100644 index 0000000..e611e07 --- /dev/null +++ b/modules/system/devices/disks/impermanence/root/default.nix 
@@ -0,0 +1,15 @@ +{ ... }: +{ + environment.persistence."/persist" = { + hideMounts = true; + directories = [ + "/etc/nixos" + "/etc/secureboot" + "/var/lib/nixos" + ]; + files = [ + "/etc/machine-id" + "/root/.gitconfig" + ]; + }; +} diff --git a/modules/system/devices/disks/snapper/default.nix b/modules/system/devices/disks/snapper/default.nix new file mode 100644 index 0000000..112c378 --- /dev/null +++ b/modules/system/devices/disks/snapper/default.nix @@ -0,0 +1,12 @@ +{ ... }: +{ + imports = [ + ./main + ./root + ]; + + services.snapper = { + snapshotInterval = "0/6:00:00"; + persistentTimer = true; + }; +} diff --git a/modules/system/devices/disks/snapper/main/default.nix b/modules/system/devices/disks/snapper/main/default.nix new file mode 100644 index 0000000..cac62e4 --- /dev/null +++ b/modules/system/devices/disks/snapper/main/default.nix @@ -0,0 +1,12 @@ +{ config, lib, ... }: +{ + services.snapper.configs.${config.sysusers.main} = lib.mkIf config.environment.persistence."/persist".enable { + SUBVOLUME = "/persist/home/${config.sysusers.main}"; + TIMELINE_CREATE = true; + TIMELINE_CLEANUP = true; + TIMELINE_LIMIT_DAILY = 1; + TIMELINE_LIMIT_WEEKLY = 1; + TIMELINE_LIMIT_MONTHLY = 0; + TIMELINE_LIMIT_YEARLY = 0; + }; +} diff --git a/modules/system/devices/disks/snapper/root/default.nix b/modules/system/devices/disks/snapper/root/default.nix new file mode 100644 index 0000000..b6de751 --- /dev/null +++ b/modules/system/devices/disks/snapper/root/default.nix @@ -0,0 +1,12 @@ +{ config, lib, ... }: +{ + services.snapper.configs.root = lib.mkIf config.environment.persistence."/persist".enable { + SUBVOLUME = "/persist"; + TIMELINE_CREATE = true; + TIMELINE_CLEANUP = true; + TIMELINE_LIMIT_DAILY = 1; + TIMELINE_LIMIT_WEEKLY = 0; + TIMELINE_LIMIT_MONTHLY = 0; + TIMELINE_LIMIT_YEARLY = 0; + }; +} diff --git a/modules/system/devices/networking/wireless/default.nix b/modules/system/devices/networking/wireless/default.nix new file mode 100644 index 0000000..cac36dc 
--- /dev/null +++ b/modules/system/devices/networking/wireless/default.nix @@ -0,0 +1,13 @@ +{ config, lib, pkgs, ... }: +{ + options.system.wireless.enable = lib.mkEnableOption "Enable wireless stack"; + + config = lib.mkIf config.system.wireless.enable { + networking.wireless.iwd.enable = true; + + environment = { + systemPackages = with pkgs; [ impala ]; + persistence."/persist".directories = [ "/var/lib/iwd/" ]; + }; + }; +} diff --git a/modules/system/programs/git/default.nix b/modules/system/programs/git/default.nix new file mode 100644 index 0000000..a887b85 --- /dev/null +++ b/modules/system/programs/git/default.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + programs.git = { + enable = true; + lfs.enable = true; + }; +} diff --git a/modules/system/services/default.nix b/modules/system/services/default.nix new file mode 100644 index 0000000..6866490 --- /dev/null +++ b/modules/system/services/default.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + imports = [ + ./general + ./server + ]; +} diff --git a/modules/system/services/general/earlyoom/default.nix b/modules/system/services/general/earlyoom/default.nix new file mode 100644 index 0000000..314cf48 --- /dev/null +++ b/modules/system/services/general/earlyoom/default.nix @@ -0,0 +1,4 @@ +{ ... }: +{ + services.earlyoom.enable = true; +} diff --git a/modules/system/services/general/libvirtd/default.nix b/modules/system/services/general/libvirtd/default.nix new file mode 100644 index 0000000..9324286 --- /dev/null +++ b/modules/system/services/general/libvirtd/default.nix 
@@ -0,0 +1,39 @@ +{ config, lib, pkgs, ... }: +{ + options.system.libvirtd.enable = lib.mkEnableOption "Enable libvirtd services"; + + config = lib.mkIf config.system.libvirtd.enable { + virtualisation.libvirtd = { + enable = true; + onBoot = "ignore"; + onShutdown = "shutdown"; + qemu = { + ovmf = { + enable = true; + packages = with pkgs; [ OVMFFull.fd ]; + }; + vhostUserPackages = with pkgs; [ virtiofsd ]; + swtpm.enable = true; + }; + }; + + programs.virt-manager.enable = true; + + environment.persistence."/persist".directories = [ + "/var/lib/libvirt/dnsmasq" + "/var/lib/libvirt/nwfilter" + "/var/lib/libvirt/qemu" + "/var/lib/libvirt/secrets" + "/var/lib/libvirt/storage" + "/var/lib/libvirt/swtpm" + ]; + + # Needed to make NAT work + networking.firewall.trustedInterfaces = [ + "virbr0" + "virbr1" + ]; + + systemd.tmpfiles.rules = [ "f /dev/shm/looking-glass 0660 - libvirtd -" ]; + }; +} diff --git a/modules/system/services/general/snowflake/default.nix b/modules/system/services/general/snowflake/default.nix new file mode 100644 index 0000000..6c9a989 --- /dev/null +++ b/modules/system/services/general/snowflake/default.nix @@ -0,0 +1,4 @@ +{ ... }: +{ + services.snowflake-proxy.enable = true; +} diff --git a/modules/system/services/general/ssh/default.nix b/modules/system/services/general/ssh/default.nix new file mode 100644 index 0000000..ec13d9c --- /dev/null +++ b/modules/system/services/general/ssh/default.nix @@ -0,0 +1,22 @@ +{ lib, ... }: +{ + imports = [ ./fail2ban ]; + + services.openssh = { + enable = true; + settings = { + PermitRootLogin = lib.mkForce "no"; + PrintLastLog = "no"; + PasswordAuthentication = false; + UsePAM = false; + X11Forwarding = false; + }; + }; + + environment.persistence."/persist".files = [ + "/etc/ssh/ssh_host_ed25519_key" + "/etc/ssh/ssh_host_ed25519_key.pub" + "/etc/ssh/ssh_host_rsa_key" + "/etc/ssh/ssh_host_rsa_key.pub" + ]; +} 
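Review bot: `networking.firewall.trustedInterfaces = [ "virbr0" "virbr1" ]` exempts all guest traffic from the host firewall, so every service the host listens on (SSH, Forgejo, the Matrix and TURN ports configured elsewhere in this patch) becomes reachable from any VM, while the `# Needed to make NAT work` comment suggests only the libvirt network's DHCP/DNS and forwarding are actually required. A narrower rule such as `networking.firewall.interfaces.virbr0.allowedUDPPorts = [ 53 67 ];` per bridge keeps NAT working with the host still protected; what libvirt itself needs beyond that depends on the firewall backend in use, which this hunk does not show, so verify against the running rules. The tmpfiles rule `f /dev/shm/looking-glass 0660 - libvirtd -` would also benefit from a one-line comment naming the consumer, since a group-writable shm file is otherwise hard to justify later.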
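Review bot: `UsePAM = false` alongside `PasswordAuthentication = false` disables PAM for sshd entirely, which also drops PAM account and session handling (account expiry, limits, lastlog) for key-based logins rather than only password prompts; a comment such as `# No PAM: key-only logins, users are declarative (mutableUsers = false)` would keep the next reader from reverting it as a mistake. The RSA host key pair is persisted next to the ed25519 one; if RSA host keys are not needed, limiting `services.openssh.hostKeys` to ed25519 leaves only one private key to protect in `/persist`.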
diff --git a/modules/system/services/general/ssh/fail2ban/default.nix b/modules/system/services/general/ssh/fail2ban/default.nix
new file mode 100644
index 0000000..acc00f8
--- /dev/null
+++ b/modules/system/services/general/ssh/fail2ban/default.nix
@@ -0,0 +1,10 @@
+{ ... }:
+{
+ services.fail2ban = {
+ enable = true;
+ maxretry = 5;
+ bantime = "10m";
+ };
+
+ environment.persistence."/persist".directories = [ "/var/lib/fail2ban" ];
+}
diff --git a/modules/system/services/general/tlp/default.nix b/modules/system/services/general/tlp/default.nix
new file mode 100644
index 0000000..097e7bc
--- /dev/null
+++ b/modules/system/services/general/tlp/default.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+ services.tlp.enable = true;
+}
diff --git a/modules/system/services/general/userborn/default.nix b/modules/system/services/general/userborn/default.nix
new file mode 100644
index 0000000..f7261ee
--- /dev/null
+++ b/modules/system/services/general/userborn/default.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+ services.userborn.enable = true;
+}
diff --git a/modules/system/services/server/cfdyndns/default.nix b/modules/system/services/server/cfdyndns/default.nix
new file mode 100644
index 0000000..42f6b57
--- /dev/null
+++ b/modules/system/services/server/cfdyndns/default.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, ... }:
+{
+ services.cloudflare-dyndns = {
+ enable = config.system.server.enable;
+ apiTokenFile = "${pkgs.writeText "cloudflareapikey" config.secrets.flareApiKey}";
+ };
+}
diff --git a/modules/system/services/server/fileserver/default.nix b/modules/system/services/server/fileserver/default.nix
new file mode 100644
index 0000000..98de5ed
--- /dev/null
+++ b/modules/system/services/server/fileserver/default.nix
@@ -0,0 +1,10 @@
+{ lib, ... }:
+{
+ options.system.fileserver.enable = lib.mkEnableOption "Enable file serving services";
+
+ imports = [
+ ./jellyfin
+ ./nextcloud
+ ./nfs
+ ];
+}
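Review bot: `apiTokenFile = "${pkgs.writeText "cloudflareapikey" config.secrets.flareApiKey}"` evaluates the token at build time and writes it to a world-readable `/nix/store` path, so any local user, and anything that can read the store or a copied closure, can recover the Cloudflare API token; `apiTokenFile` exists so the path can point at a file provisioned at runtime with restrictive ownership, outside the store. The same pattern recurs with `adminpassFile` and `mail_smtppassword` in the nextcloud hunk, `PASSWD` in the forgejo hunk, `passwordFile` in the mastodon hunk, and `static-auth-secret` / `turn_shared_secret` in the coturn hunk, all of which land in store paths through `writeText` or a generated config file. A comment at this first occurrence, `# TODO: secret is rendered into the Nix store; move to a runtime-provisioned file`, plus the module-native file options where they exist (`static-auth-secret-file` for coturn, `services.forgejo.secrets` for the mailer password) would close this without changing the module layout.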
diff --git a/modules/system/services/server/fileserver/jellyfin/default.nix b/modules/system/services/server/fileserver/jellyfin/default.nix
new file mode 100644
index 0000000..4047385
--- /dev/null
+++ b/modules/system/services/server/fileserver/jellyfin/default.nix
@@ -0,0 +1,11 @@
+{ config, lib, ... }:
+{
+ imports = [
+ ./nginx
+ ];
+
+ config = lib.mkIf config.system.fileserver.enable {
+ services.jellyfin.enable = true;
+ environment.persistence."/persist".directories = [ "/var/lib/jellyfin" ];
+ };
+}
diff --git a/modules/system/services/server/fileserver/jellyfin/nginx/default.nix b/modules/system/services/server/fileserver/jellyfin/nginx/default.nix
new file mode 100644
index 0000000..bc9db65
--- /dev/null
+++ b/modules/system/services/server/fileserver/jellyfin/nginx/default.nix
@@ -0,0 +1,11 @@
+{ config, lib, ... }:
+{
+ services.nginx.virtualHosts."jelly.nixfox.ca" = lib.mkIf config.services.forgejo.enable {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8096";
+ proxyWebsockets = true;
+ };
+ };
+}
diff --git a/modules/system/services/server/fileserver/nextcloud/collabora/default.nix b/modules/system/services/server/fileserver/nextcloud/collabora/default.nix
new file mode 100644
index 0000000..f53c879
--- /dev/null
+++ b/modules/system/services/server/fileserver/nextcloud/collabora/default.nix
@@ -0,0 +1,4 @@
+{ config, lib, ... }:
+{
+ services.collabora-online.enable = config.services.nextcloud.enable;
+}
diff --git a/modules/system/services/server/fileserver/nextcloud/default.nix b/modules/system/services/server/fileserver/nextcloud/default.nix
new file mode 100644
index 0000000..220e275
--- /dev/null
+++ b/modules/system/services/server/fileserver/nextcloud/default.nix
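Review bot: `services.nginx.virtualHosts."jelly.nixfox.ca" = lib.mkIf config.services.forgejo.enable {` gates the Jellyfin reverse proxy on Forgejo being enabled rather than on Jellyfin, so a fileserver host without Forgejo gets no vhost, and a Forgejo host without Jellyfin publishes a public proxy to an unbound `127.0.0.1:8096`; it reads like a copy of the forgejo nginx module. The condition should be `lib.mkIf config.services.jellyfin.enable {`, matching how the nextcloud and coturn nginx modules in this patch key on their own service.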
@@ -0,0 +1,34 @@ +{ config, lib, pkgs, ... }: +{ + imports = [ + ./collabora + ./nginx + ]; + + config = lib.mkIf config.system.fileserver.enable { + services.nextcloud = { + enable = true; + package = pkgs.nextcloud30; + hostName = "cloud.nixfox.ca"; + https = true; + config = { + adminuser = config.sysusers.main; + adminpassFile = "${pkgs.writeText "initial" config.secrets.initialPass}"; + }; + settings = { + trusted_proxies = [ "127.0.0.1" ]; + trusted_domains = [ "cloud.nixfox.ca" ]; + overwriteprotocol = "https"; + mail_smtphost = "mx.nixfox.ca"; + mail_domain = "nixfox.ca"; + mail_from_address = "noreply"; + mail_smtpauth = "true"; + mail_smtpname = "noreply@nixfox.ca"; + mail_smtppassword = config.secrets.noreplyPassword; + mail_smtpmode = "smtp"; + mail_smtpport = 587; + }; + }; + environment.persistence."/persist".directories = [ "/var/lib/nextcloud" ]; + }; +} diff --git a/modules/system/services/server/fileserver/nextcloud/nginx/default.nix b/modules/system/services/server/fileserver/nextcloud/nginx/default.nix new file mode 100644 index 0000000..88712d4 --- /dev/null +++ b/modules/system/services/server/fileserver/nextcloud/nginx/default.nix @@ -0,0 +1,18 @@ +{ config, lib, ... }: +{ + services.nginx.virtualHosts."cloud.nixfox.ca" = lib.mkIf config.services.nextcloud.enable { + enableACME = true; + addSSL = true; + locations."/" = { + proxyWebsockets = true; + extraConfig = '' + location /.well-known/carddav { + return 301 $scheme://$host/remote.php/dav; + } + location /.well-known/caldav { + return 301 $scheme://$host/remote.php/dav; + } + ''; + }; + }; +} diff --git a/modules/system/services/server/fileserver/nfs/default.nix b/modules/system/services/server/fileserver/nfs/default.nix new file mode 100644 index 0000000..d343495 --- /dev/null +++ b/modules/system/services/server/fileserver/nfs/default.nix 
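Review bot: `addSSL = true` on the cloud.nixfox.ca vhost keeps serving Nextcloud over plaintext HTTP beside HTTPS, so session cookies and credentials can travel unencrypted even though `overwriteprotocol = "https"` in the nextcloud hunk assumes TLS; `forceSSL = true`, as used for jelly.nixfox.ca and git.nixfox.ca in this patch, redirects instead. The `locations."/"` block sets `proxyWebsockets = true` with no `proxyPass`, which emits proxy headers for a location the nextcloud module already serves through PHP-FPM — presumably harmless, but worth checking in the generated nginx config or dropping. Recent NixOS nextcloud modules also define the carddav/caldav well-known redirects themselves, so verify whether the nested `location` blocks in `extraConfig` are still needed before keeping duplicates.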
@@ -0,0 +1,11 @@ +{ config, ... }: +{ + services.nfs.server = { + enable = config.system.fileserver.enable; + exports = '' + /export/KittyNFS/Files *(rw,sync,no_subtree_check) + /export/KittyNFS/Media *(rw,sync,no_subtree_check) + /export/KittyNFS/Music *(rw,sync,no_subtree_check) + ''; + }; +} diff --git a/modules/system/services/server/forgejo/default.nix b/modules/system/services/server/forgejo/default.nix new file mode 100644 index 0000000..9735402 --- /dev/null +++ b/modules/system/services/server/forgejo/default.nix @@ -0,0 +1,39 @@ +{ config, lib, pkgs, ... }: +{ + imports = [ ./nginx ]; + + config = lib.mkIf config.system.server.enable { + services.forgejo = { + enable = true; + package = pkgs.forgejo; + settings = { + server = { + DOMAIN = "git.nixfox.ca"; + ROOT_URL = "https://git.nixfox.ca:443"; + HTTP_PORT = 3110; + SSH_PORT = 2299; + START_SSH_SERVER = true; + }; + mailer = { + ENABLED = true; + SMTP_ADDR = "mx.nixfox.ca"; + FROM = "NixFox Git "; + USER = "noreply@nixfox.ca"; + PASSWD = config.secrets.noreplyPassword; + PROTOCOL = "smtps"; + }; + service = { + REGISTER_EMAIL_CONFIRM = true; + DISABLE_REGISTRATION = true; + }; + ui.DEFAULT_THEME = "forgejo-dark"; + }; + }; + + networking.firewall.allowedTCPPorts = [ 2299 ]; + + services.cloudflare-dyndns.domains = [ "git.nixfox.ca" ]; + + environment.persistence."/persist".directories = [ "/var/lib/forgejo" ]; + }; +} diff --git a/modules/system/services/server/forgejo/nginx/default.nix b/modules/system/services/server/forgejo/nginx/default.nix new file mode 100644 index 0000000..5428884 --- /dev/null +++ b/modules/system/services/server/forgejo/nginx/default.nix @@ -0,0 +1,11 @@ +{ config, lib, ... }: +{ + services.nginx.virtualHosts."git.nixfox.ca" = lib.mkIf config.services.forgejo.enable { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:3110"; + proxyWebsockets = true; + }; + }; +} 
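Review bot: Every entry in `exports` uses `*(rw,sync,no_subtree_check)`, which accepts any client address that can reach the NFS port with read-write access; with AUTH_SYS the server trusts the client-supplied uid, so any host on a reachable network can write to these shares as any non-root user. Restrict the client list to the networks that actually mount them, e.g. `/export/KittyNFS/Files 192.0.2.0/24(rw,sync,no_subtree_check)` (constructed subnet, substitute the real LAN range), and add a comment noting that `root_squash` is relied on at its default. The firewall rules for NFS are not visible in this hunk, so the port may only be open on a trusted interface — state that next to the exports either way.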
diff --git a/modules/system/services/server/mysql/default.nix b/modules/system/services/server/mysql/default.nix new file mode 100644 index 0000000..39d54f0 --- /dev/null +++ b/modules/system/services/server/mysql/default.nix @@ -0,0 +1,23 @@ +{ config, lib, pkgs, ... }: +{ + config = lib.mkIf config.system.server.enable { + services.mysql = { + enable = true; + package = pkgs.mariadb; + ensureDatabases = [ + "minecraft" + ]; + ensureUsers = [ + { + name = "minecraft"; + ensurePermissions = { + "minecraft.*" = "ALL PRIVILEGES"; + }; + } + ]; + }; + environment.persistence."/persist".directories = [ + "/var/lib/mysql" + ]; + }; +} diff --git a/modules/system/services/server/socialserver/default.nix b/modules/system/services/server/socialserver/default.nix new file mode 100644 index 0000000..825a43d --- /dev/null +++ b/modules/system/services/server/socialserver/default.nix @@ -0,0 +1,10 @@ +{ lib, ... }: +{ + options.system.socialserver.enable = lib.mkEnableOption "Enable social media like services"; + + imports = [ + ./mastodon + ./matrix + ./owncast + ]; +} diff --git a/modules/system/services/server/socialserver/mastodon/default.nix b/modules/system/services/server/socialserver/mastodon/default.nix new file mode 100644 index 0000000..193fe26 --- /dev/null +++ b/modules/system/services/server/socialserver/mastodon/default.nix @@ -0,0 +1,23 @@ +{ config, lib, pkgs, ... }: +{ + config = lib.mkIf config.system.socialserver.enable { + services.mastodon = { + enable = true; + localDomain = "social.nixfox.ca"; + streamingProcesses = 4; + configureNginx = true; + smtp = { + createLocally = false; + host = "mx.nixfox.ca"; + port = 587; + authenticate = true; + fromAddress = "NixFox Mastodon "; + user = "noreply@nixfox.ca"; + passwordFile = pkgs.writeText "smtp_pass.txt" config.secrets.noreplyPassword; + }; + }; + environment.persistence."/persist".directories = [ + "/var/lib/mastodon" + ]; + }; +} 
diff --git a/modules/system/services/server/socialserver/matrix/coturn/default.nix b/modules/system/services/server/socialserver/matrix/coturn/default.nix new file mode 100644 index 0000000..5c49d78 --- /dev/null +++ b/modules/system/services/server/socialserver/matrix/coturn/default.nix @@ -0,0 +1,46 @@ +{ config, lib, ... }: +{ + imports = [ ./nginx ]; + + config = lib.mkIf config.services.matrix-synapse.enable { + services = { + coturn = { + enable = true; + no-cli = true; + no-tcp-relay = true; + min-port = 49000; + max-port = 50000; + use-auth-secret = true; + static-auth-secret = config.secrets.coturnSecret; + realm = "turn.jimbosfiles.com"; + cert = "/var/lib/acme/turn.jimbosfiles.com/fullchain.pem"; + pkey = "/var/lib/acme/turn.jimbosfiles.com/key.pem"; + }; + + # Enable coturn on Synapse + matrix-synapse.settings = { + turn_uris = [ + "turn:turn.jimbosfiles.com:3478?transport=udp" + "turn:turn.jimbosfiles.com:3478?transport=tcp" + ]; + turn_shared_secret = config.secrets.coturnSecret; + turn_user_lifetime = "1h"; + }; + + # Sync the IP to Cloudflare + cloudflare-dyndns.domains = [ "turn.jimbosfiles.com" ]; + }; + + # Open coturn ports + networking.firewall = { + allowedUDPPorts = [ + 3478 + 5349 + ]; + allowedUDPPortRanges = [{ + from = config.services.coturn.min-port; + to = config.services.coturn.max-port; + }]; + }; + }; +} diff --git a/modules/system/services/server/socialserver/matrix/coturn/nginx/default.nix b/modules/system/services/server/socialserver/matrix/coturn/nginx/default.nix new file mode 100644 index 0000000..effae07 --- /dev/null +++ b/modules/system/services/server/socialserver/matrix/coturn/nginx/default.nix 
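Review bot: `turn_uris` advertises `turn:turn.jimbosfiles.com:3478?transport=tcp`, but the firewall block only opens `allowedUDPPorts = [ 3478 5349 ]` plus the UDP relay range, so TCP 3478 (and TLS over TCP 5349) stay blocked and clients that fall back to TCP fail silently; either add `allowedTCPPorts = [ 3478 5349 ];` beside the UDP list or drop the tcp URI. `static-auth-secret = config.secrets.coturnSecret` is rendered into the coturn config file in the Nix store (see the note on the cfdyndns hunk); `static-auth-secret-file` is the file-based alternative. `no-tcp-relay = true` is a sound choice for an internet-facing TURN server and deserves a one-line comment explaining that it keeps the relay from being used as a generic TCP forwarder.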
@@ -0,0 +1,22 @@
+{ config, lib, ... }:
+{
+ config = lib.mkIf config.services.coturn.enable {
+ services.nginx.virtualHosts."turn.jimbosfiles.com" = {
+ enableACME = true;
+ forceSSL = true;
+ listen = [{
+ addr = "0.0.0.0";
+ port = 80;
+ ssl = false;
+ }];
+ locations."/".proxyPass = "http://127.0.0.1:1380";
+ };
+
+ security.acme.certs = {
+ "turn.jimbosfiles.com" = {
+ group = "turnserver";
+ postRun = "systemctl restart coturn.service";
+ };
+ };
+ };
+}
diff --git a/modules/system/services/server/socialserver/matrix/default.nix b/modules/system/services/server/socialserver/matrix/default.nix
new file mode 100644
index 0000000..2a569ee
--- /dev/null
+++ b/modules/system/services/server/socialserver/matrix/default.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+ imports = [
+ ./coturn
+ ./element
+ ./synapse
+ ];
+}
diff --git a/modules/system/services/server/socialserver/matrix/element/default.nix b/modules/system/services/server/socialserver/matrix/element/default.nix
new file mode 100644
index 0000000..f63c763
--- /dev/null
+++ b/modules/system/services/server/socialserver/matrix/element/default.nix
@@ -0,0 +1,23 @@
+{ config, lib, ... }:
+{
+ imports = [ ./nginx ];
+
+ config = lib.mkIf config.services.matrix-synapse.enable {
+ nixpkgs.config.element-web.conf = {
+ default_server_config."m.homeserver" = {
+ base_url = "https://matrix.jimbosfiles.com";
+ server_name = "matrix.jimbosfiles.com";
+ };
+ branding = {
+ #welcome_background_url = "https://staging.jimbosfiles.com/images/backgrounds/template-background.png";
+ #auth_header_logo_url = "https://staging.jimbosfiles.com/images/logos/template-logo.png";
+ };
+ embedded_pages = {
+ home_url = "https://www.jimbosfiles.com/";
+ };
+ disable_custom_urls = true;
+ disable_guests = true;
+ default_theme = "dark";
+ };
+ };
+}
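Review bot: In the coturn/nginx hunk, `listen` is overridden with a single `0.0.0.0:80` entry carrying `ssl = false` while `forceSSL = true` is set, so if the nginx module derives both the HTTP redirect server and the TLS server from this explicit list (I believe it does), this host ends up with no 443 listener and `locations."/".proxyPass = "http://127.0.0.1:1380"` is never reachable. If the vhost only exists so ACME can issue the certificate that `security.acme.certs."turn.jimbosfiles.com"` hands to `turnserver`, a comment such as `# ACME-only vhost: the cert is consumed by coturn, nothing is served here` plus dropping the proxyPass would make that intent clear; otherwise remove the `listen` override so the default 80/443 listeners apply.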
diff --git a/modules/system/services/server/socialserver/matrix/element/nginx/default.nix b/modules/system/services/server/socialserver/matrix/element/nginx/default.nix
new file mode 100644
index 0000000..1c085eb
--- /dev/null
+++ b/modules/system/services/server/socialserver/matrix/element/nginx/default.nix
@@ -0,0 +1,8 @@
+{ config, lib, pkgs, ... }:
+{
+ services.nginx.virtualHosts."chat.nixfox.ca" = lib.mkIf config.services.matrix-synapse.enable {
+ enableACME = true;
+ addSSL = true;
+ root = "${pkgs.element-web}";
+ };
+}
diff --git a/modules/system/services/server/socialserver/matrix/synapse/default.nix b/modules/system/services/server/socialserver/matrix/synapse/default.nix
new file mode 100644
index 0000000..3420d0c
--- /dev/null
+++ b/modules/system/services/server/socialserver/matrix/synapse/default.nix
@@ -0,0 +1,62 @@
+{ config, lib, pkgs, ... }:
+{
+ imports = [
+ ./nginx
+ ];
+
+ config = lib.mkIf config.system.socialserver.enable {
+ services.matrix-synapse = {
+ enable = true;
+ settings = {
+ server_name = "jimbosfiles.com";
+ public_baseurl = "https://matrix.jimbosfiles.com";
+ suppress_key_server_warning = true;
+
+ listeners = [{
+ port = 8008;
+ bind_addresses = [
+ "::"
+ "0.0.0.0"
+ ];
+ resources = [{
+ compress = true;
+ names = [
+ "client"
+ "federation"
+ ];
+ }];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ }];
+
+ email = {
+ notif_from = "NixFox Matrix ";
+ smtp_host = "mx.nixfox.ca";
+ smtp_user = "noreply@nixfox.ca";
+ smtp_pass = config.secrets.noreplyPassword;
+ enable_tls = true;
+ smtp_port = 587;
+ require_transport_security = true;
+ };
+
+ # Disable registration without email
+ registrations_require_3pid = [ "email" ];
+
+ # Set the type of database
+ database.name = "sqlite3";
+
+ # Allow account registration
+ #enable_registration = true;
+
+ # General settings
+ url_preview_enabled = true;
+ max_upload_size = "50M";
+ report_stats = false;
+ burst_count = 15;
+ };
+ };
+
+ environment.persistence."/persist".directories = [ "/var/lib/matrix-synapse" ];
+ };
+}
diff --git a/modules/system/services/server/socialserver/matrix/synapse/nginx/default.nix b/modules/system/services/server/socialserver/matrix/synapse/nginx/default.nix
new file mode 100644
index 0000000..f326cbc
--- /dev/null
+++ b/modules/system/services/server/socialserver/matrix/synapse/nginx/default.nix
@@ -0,0 +1,13 @@
+{ config, lib, ... }:
+{
+ services.nginx.virtualHosts."matrix.jimbosfiles.com" = lib.mkIf config.services.matrix-synapse.enable {
+ enableACME = true;
+ forceSSL = true;
+ locations = {
+ "/".extraConfig = ''return 403;'';
+ "/client".proxyPass = "http://127.0.0.1:8008";
+ "/_matrix".proxyPass = "http://127.0.0.1:8008";
+ "/_synapse/client".proxyPass = "http://127.0.0.1:8008";
+ };
+ };
+}
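Review bot: The synapse listener binds `"::"` and `"0.0.0.0"` on port 8008 with `tls = false` and `x_forwarded = true`, while the only intended path to it is nginx's `proxyPass = "http://127.0.0.1:8008"` in the following hunk. Any peer that can reach 8008 directly talks to Synapse in the clear and can supply its own `X-Forwarded-For`, which Synapse then trusts for client-IP logging and rate limiting, so the listener should only accept loopback: `bind_addresses = [ "::1" "127.0.0.1" ];`. Separately, `database.name = "sqlite3"` is documented by Synapse as suitable for testing rather than a public homeserver; if it is deliberate, the `# Set the type of database` comment should say why.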
diff --git a/modules/system/services/server/socialserver/owncast/default.nix b/modules/system/services/server/socialserver/owncast/default.nix
new file mode 100644
index 0000000..b2dfe6a
--- /dev/null
+++ b/modules/system/services/server/socialserver/owncast/default.nix
@@ -0,0 +1,16 @@
+{ config, lib, ... }:
+{
+ imports = [ ./nginx ];
+
+ config = lib.mkIf config.system.socialserver.enable {
+ services.owncast = {
+ enable = true;
+ port = 8060;
+ rtmp-port = 1945;
+ listen = "0.0.0.0";
+ };
+ environment.persistence."/persist".directories = [
+ "/var/lib/owncast"
+ ];
+ };
+}
diff --git a/modules/system/services/server/socialserver/owncast/nginx/default.nix b/modules/system/services/server/socialserver/owncast/nginx/default.nix
new file mode 100644
index 0000000..abc052f
--- /dev/null
+++ b/modules/system/services/server/socialserver/owncast/nginx/default.nix
@@ -0,0 +1,11 @@
+{ config, lib, ... }:
+{
+ services.nginx.virtualHosts."live.nixfox.ca" = lib.mkIf config.services.owncast.enable {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8060";
+ proxyWebsockets = true;
+ };
+ };
+}
diff --git a/modules/system/services/server/transmission/default.nix b/modules/system/services/server/transmission/default.nix
new file mode 100644
index 0000000..b23b9dd
--- /dev/null
+++ b/modules/system/services/server/transmission/default.nix
@@ -0,0 +1,16 @@
+{ config, lib, pkgs, ... }:
+{
+ imports = [ ./nginx ];
+
+ config = lib.mkIf config.system.server.enable {
+ services.transmission = {
+ enable = true;
+ credentialsFile = pkgs.writeText "credentials" config.secrets.transmissionCredFile;
+ openPeerPorts = true;
+ settings.rpc-authentication-required = true;
+ };
+ environment.persistence."/persist".directories = [
+ "/var/lib/transmission"
+ ];
+ };
+}
diff --git a/modules/system/services/server/transmission/nginx/default.nix b/modules/system/services/server/transmission/nginx/default.nix
new file mode 100644
index 0000000..c4c737a
--- /dev/null
+++ b/modules/system/services/server/transmission/nginx/default.nix
@@ -0,0 +1,11 @@
+{ config, lib, ... }:
+{
+ services.nginx.virtualHosts."tor.nixfox.ca" = lib.mkIf config.services.transmission.enable {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:9091";
+ proxyWebsockets = true;
+ };
+ };
+}
diff --git a/modules/system/services/server/vaultwarden/default.nix b/modules/system/services/server/vaultwarden/default.nix
new file mode 100644
index 0000000..ef1dcb6
--- /dev/null
+++ b/modules/system/services/server/vaultwarden/default.nix
@@ -0,0 +1,29 @@
+{ config, lib, ... }:
+{
+ imports = [ ./nginx ];
+
+ config = lib.mkIf config.system.server.enable {
+ services.vaultwarden = {
+ enable = true;
+ config = {
+ DOMAIN = "https://pass.nixfox.ca";
+ SIGNUPS_ALLOWED = false;
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = 8222;
+ ROCKET_LOG = "critical";
+
+ # Smtp email
+ SMTP_HOST = "mx.nixfox.ca";
+ SMTP_FROM = "noreply@nixfox.ca";
+ SMTP_FROM_NAME = "Vaultwarden";
+ SMTP_USERNAME = "noreply@nixfox.ca";
+ SMTP_PASSWORD = config.secrets.noreplyPassword;
+ SMTP_SECURITY = "starttls";
+ SMTP_PORT = 587;
+ SMTP_TIMEOUT = 15;
+ };
+ };
+
+ environment.persistence."/persist".directories = [ "/var/lib/bitwarden_rs" ];
+ };
+}
diff --git a/modules/system/services/server/vaultwarden/nginx/default.nix b/modules/system/services/server/vaultwarden/nginx/default.nix
new file mode 100644
index 0000000..0877413
--- /dev/null
+++ b/modules/system/services/server/vaultwarden/nginx/default.nix
@@ -0,0 +1,11 @@
+{ config, lib, ... }:
+{
+ services.nginx.virtualHosts."pass.nixfox.ca" = lib.mkIf config.services.vaultwarden.enable {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8222";
+ proxyWebsockets = true;
+ };
+ };
+}
diff --git a/modules/system/services/server/webserver/acme/default.nix b/modules/system/services/server/webserver/acme/default.nix
new file mode 100644
index 0000000..a88a2b7
--- /dev/null
+++ b/modules/system/services/server/webserver/acme/default.nix
@@ -0,0 +1,10 @@
+{ config, lib, ... }:
+{
+ config = lib.mkIf config.services.nginx.enable {
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "contact@nixfox.ca";
+ };
+ environment.persistence."/persist".directories = [ "/var/lib/acme" ];
+ };
+}
diff --git a/modules/system/services/server/webserver/default.nix b/modules/system/services/server/webserver/default.nix
new file mode 100644
index 0000000..5e54d9d
--- /dev/null
+++ b/modules/system/services/server/webserver/default.nix
@@ -0,0 +1,9 @@
+{ lib, ... }:
+{
+ options.system.webserver.enable = lib.mkEnableOption "Enable nginx related services";
+
+ imports = [
+ ./acme
+ ./nginx
+ ];
+}
diff --git a/modules/system/services/server/webserver/nginx/rtmp/default.nix b/modules/system/services/server/webserver/nginx/rtmp/default.nix
new file mode 100644
index 0000000..3826d9d
--- /dev/null
+++ b/modules/system/services/server/webserver/nginx/rtmp/default.nix
@@ -0,0 +1,32 @@
+{ config, lib, pkgs, ... }:
+{
+ options.services.nginx.rtmp.enable = lib.mkEnableOption "Enable an RTMP server using Nginx";
+
+ config = lib.mkIf config.services.nginx.rtmp.enable {
+ services.nginx = {
+ package = (pkgs.nginx.override {
+ modules = with pkgs.nginxModules; [ rtmp ];
+ });
+ appendConfig = ''
+ rtmp {
+ server {
+ listen 1935;
+ chunk_size 4096;
+ allow publish all;
+ application stream {
+ record off;
+ live on;
+ allow play all;
+ hls on;
+ hls_path /var/www/landing-page/streams/hls/;
+ hls_fragment_naming system;
+ hls_fragment 3;
+ hls_playlist_length 40;
+ }
+ }
+ }
+ '';
+ };
+ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www/landing-page/streams/hls/" ];
+ };
+}
diff --git a/modules/system/services/server/webserver/nginx/virtualhosts/default.nix b/modules/system/services/server/webserver/nginx/virtualhosts/default.nix
new file mode 100644
index 0000000..ffe0d77
--- /dev/null
+++ b/modules/system/services/server/webserver/nginx/virtualhosts/default.nix
@@ -0,0 +1,7 @@
+{ ... }:
+{
+ imports = [
+ ./nixfox
+ ./jimbosfiles
+ ];
+}
diff --git a/modules/system/services/server/webserver/nginx/virtualhosts/jimbosfiles/default.nix b/modules/system/services/server/webserver/nginx/virtualhosts/jimbosfiles/default.nix
new file mode 100644
index 0000000..df17ceb
--- /dev/null
+++ b/modules/system/services/server/webserver/nginx/virtualhosts/jimbosfiles/default.nix
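Review bot: `allow publish all;` in the `listen 1935;` server of the rtmp hunk lets any host push into `application stream`, and whatever is pushed is written under `/var/www/landing-page/streams/hls/` and served live to viewers. Publishing should be limited to the sources that are meant to stream, e.g. `allow publish 127.0.0.1;` followed by `deny publish all;` (constructed example, adjust to the real encoder address), or an `on_publish` callback that validates a stream key, while `allow play all;` can stay for viewers. The hunk also does not open 1935 in `networking.firewall`; if that happens elsewhere, a comment pointing to it would help the next reader.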
@@ -0,0 +1,27 @@
+{ config, lib, ... }:
+{
+ services.nginx.virtualHosts."jimbosfiles.com" = lib.mkIf config.system.server.enable {
+ enableACME = true;
+ addSSL = true;
+ globalRedirect = "www.nixfox.ca";
+ locations = {
+ "/.well-known/matrix/client".extraConfig = ''
+ default_type application/json;
+ return 200 '
+ {
+ "m.homeserver": {
+ "base_url": "https://matrix.jimbosfiles.com"
+ },
+ "m.identity_server": {
+ "base_url": "https://matrix.org"
+ }
+ }
+ ';
+ '';
+ "/.well-known/matrix/server".extraConfig = ''
+ default_type application/json;
+ return 200 '{ "m.server": "matrix.jimbosfiles.com:443" }';
+ '';
+ };
+ };
+}
diff --git a/modules/system/services/server/webserver/nginx/virtualhosts/nixfox/default.nix b/modules/system/services/server/webserver/nginx/virtualhosts/nixfox/default.nix
new file mode 100644
index 0000000..8a93ae5
--- /dev/null
+++ b/modules/system/services/server/webserver/nginx/virtualhosts/nixfox/default.nix
@@ -0,0 +1,16 @@
+{ config, lib, ... }:
+{
+ services.nginx.virtualHosts = lib.mkIf config.system.server.enable {
+ "www.nixfox.ca" = {
+ enableACME = true;
+ addSSL = true;
+ default = true;
+ root = "/var/www/landing-page";
+ };
+ "nixfox.ca" = {
+ enableACME = true;
+ addSSL = true;
+ globalRedirect = "www.nixfox.ca";
+ };
+ };
+}
diff --git a/modules/system/settings/minimal/default.nix b/modules/system/settings/minimal/default.nix
new file mode 100644
index 0000000..ceb98ab
--- /dev/null
+++ b/modules/system/settings/minimal/default.nix
@@ -0,0 +1,21 @@
+{ ... }:
+{
+ environment = {
+ defaultPackages = [ ];
+ stub-ld.enable = false;
+ };
+
+ documentation = {
+ doc.enable = false;
+ info.enable = false;
+ nixos.enable = false;
+ };
+
+ programs = {
+ nano.enable = false;
+ less.lessopen = null;
+ command-not-found.enable = false;
+ };
+
+ services.logrotate.enable = false;
+}
diff --git a/modules/system/settings/nix/default.nix b/modules/system/settings/nix/default.nix
new file mode 100644
index 0000000..54b369f
--- /dev/null
+++ b/modules/system/settings/nix/default.nix
@@ -0,0 +1,23 @@
+{ config, lib, pkgs, unstable, ... }:
+{
+ imports = [ ./gc ];
+
+ options.nixpkgs.allowUnfreePackages = lib.mkOption {
+ type = with lib.types; listOf str;
+ };
+
+ config = {
+ nix.settings = {
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ auto-optimise-store = true;
+ };
+
+ _module.args.pkgsUnstable = import unstable {
+ inherit (pkgs.stdenv.hostPlatform) system;
+ inherit (config.nixpkgs) config;
+ };
+ };
+}
diff --git a/modules/system/settings/nix/gc/default.nix b/modules/system/settings/nix/gc/default.nix
new file mode 100644
index 0000000..0ec262a
--- /dev/null
+++ b/modules/system/settings/nix/gc/default.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+ nix.gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 7d";
+ };
+}
diff --git a/modules/system/settings/security/apparmor/default.nix b/modules/system/settings/security/apparmor/default.nix
new file mode 100644
index 0000000..d247578
--- /dev/null
+++ b/modules/system/settings/security/apparmor/default.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+ security.apparmor.enable = true;
+}
diff --git a/modules/system/settings/security/default.nix b/modules/system/settings/security/default.nix
index 17b2a7d..e187a55 100644
--- a/modules/system/settings/security/default.nix
+++ b/modules/system/settings/security/default.nix
@@ -2,6 +2,7 @@
 {
 imports = [
 ./apparmor
+ ./polkit
 ./privilege
 ];
 }
diff --git a/modules/system/settings/security/polkit/default.nix b/modules/system/settings/security/polkit/default.nix
new file mode 100644
index 0000000..2539503
--- /dev/null
+++ b/modules/system/settings/security/polkit/default.nix
@@ -0,0 +1,7 @@
+{ config, lib, ... }:
+{
+ security = lib.mkIf config.system.desktop.enable {
+ polkit.enable = true;
+ rtkit.enable = true;
+ };
+}
diff --git a/modules/system/settings/security/privilege/default.nix b/modules/system/settings/security/privilege/default.nix
new file mode 100644
index 0000000..b40d8ea
--- /dev/null
+++ b/modules/system/settings/security/privilege/default.nix
@@ -0,0 +1,16 @@
+{ ... }:
+{
+ security = {
+ sudo.enable = false;
+ doas = {
+ enable = true;
+ extraRules = [
+ { # Give wheel root access
+ groups = [ "wheel" ];
+ keepEnv = true;
+ persist = true;
+ }
+ ];
+ };
+ };
+}
diff --git a/modules/system/settings/timezone/default.nix b/modules/system/settings/timezone/default.nix
new file mode 100644
index 0000000..f0b23fa
--- /dev/null
+++ b/modules/system/settings/timezone/default.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+ time.timeZone = "America/Toronto";
+}
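Review bot: The wheel rule in the privilege hunk sets `keepEnv = true` together with `persist = true`, so every wheel member gets root commands that inherit their entire environment and stay authenticated for a period after the first password prompt. `keepEnv` is rarely needed for administration and lets an unprivileged session shape what runs as root; if only a few variables matter, drop `keepEnv` and list them explicitly with `setEnv = [ ... ];` on the same rule. The `# Give wheel root access` comment would also benefit from a word on why `persist` is wanted, since that is the part a reader is most likely to question.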