Jimbo/nixos-config
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

Move server to persistence, still have stuff to fix

Browse source
This commit is contained in:
Jimbo 2025-01-17 17:06:28 -05:00
parent ce6ffd9ee7
commit cc68f883ba
35 changed files with 293 additions and 235 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
hosts/kitty/boot/default.nix
View file

@ -1,11 +1,7 @@
{ config, lib, pkgs, ... }:
{
boot = {
kernelPackages = pkgs.linuxPackages_hardened;
initrd.systemd.services.root-reset.enable = lib.mkForce false;
swraid = {
enable = true;
mdadmConf = "MAILADDR contact@${config.domains.p2}";
};
boot.swraid = {
enable = true;
mdadmConf = "MAILADDR contact@${config.domains.p2}";
};
}

5
hosts/kitty/default.nix
View file

@ -14,13 +14,12 @@
hostId = "38ba3f57";
};
environment.persistence."/persist".enable = lib.mkForce false;
system = {
desktop.enable = false;
server.enable = true;
webserver.enable = true;
fileserver.enable = true;
socials.enable = true;
socialserver.enable = true;
wireless.enable = false;
wireguard.server.enable = true;
stateVersion = "24.05";

30
hosts/kitty/filesystems/default.nix
View file

@ -4,22 +4,23 @@
"/" = {
device = "/dev/disk/by-uuid/b8b7ed47-c98c-4a49-af01-b2832dde1287";
fsType = "btrfs";
options = [ "subvol=@" ];
options = [ "subvol=root" ];
};
"/home" = {
"/prev" = {
device = "/dev/disk/by-uuid/b8b7ed47-c98c-4a49-af01-b2832dde1287";
fsType = "btrfs";
options = [ "subvol=@home" ];
options = [ "subvol=prev" ];
};
"/persist" = {
device = "/dev/disk/by-uuid/acf95700-8669-45c7-9a72-bf3215b3c325";
fsType = "btrfs";
neededForBoot = true;
options = [ "subvol=persist" "compress=zstd" ];
};
"/nix" = {
device = "/dev/disk/by-uuid/b8b7ed47-c98c-4a49-af01-b2832dde1287";
fsType = "btrfs";
options = [ "subvol=@nix" ];
};
"/var" = {
device = "/dev/disk/by-uuid/acf95700-8669-45c7-9a72-bf3215b3c325";
fsType = "btrfs";
options = [ "subvol=@var" ];
options = [ "subvol=nix" ];
};
"/boot" = {
device = "/dev/disk/by-uuid/CD94-1D3F";
@ -28,23 +29,12 @@
};
# Subvols and bindmounts
"/persist" = {
device = "/dev/disk/by-uuid/acf95700-8669-45c7-9a72-bf3215b3c325";
fsType = "btrfs";
options = [ "subvol=persist" "compress=zstd" ];
};
"/export/KittyNFS" = {
depends = [ "/persist" ];
device = "/persist/export/KittyNFS";
fsType = "none";
options = [ "bind" ];
};
"/srv/minecraft" = {
depends = [ "/persist" ];
device = "/persist/srv/minecraft";
fsType = "none";
options = [ "bind" ];
};
};
swapDevices = [

7
modules/system/services/server/acme/default.nix
View file

@ -1,7 +0,0 @@
{ config, ... }:
{
security.acme = {
acceptTerms = true;
defaults.email = "contact@${config.domains.p2}";
};
}

21
modules/system/services/server/ddclient/default.nix
View file

@ -1,21 +0,0 @@
{ pkgs, config, ... }:
{
services.ddclient = {
enable = config.system.server.enable;
protocol = "cloudflare";
zone = "${config.domains.p2}";
usev6 = "";
username = "token";
passwordFile = "${pkgs.writeText "cloudflareapikey" config.secrets.flareApiKey}";
domains = [
"${config.domains.p2}"
"*.${config.domains.p2}"
"sv.${config.domains.p2}"
"git.${config.domains.p2}"
"turn.${config.domains.p2}"
"dew.${config.domains.p2}"
"john.${config.domains.p2}"
"rogue.${config.domains.p2}"
];
};
}

6
modules/system/services/server/default.nix
View file

@ -1,17 +1,15 @@
{ ... }:
{
imports = [
./acme
./ddclient
./fileserver
./forgejo
./icecast
./mailserver
./minecraft
./mysql
./nginx
./social
./socialserver
./transmission
./vaultwarden
./webserver
];
}

9
modules/system/services/server/fileserver/jellyfin/default.nix
View file

@ -1,8 +1,13 @@
{ config, ... }:
{ config, lib, ... }:
{
imports = [
./nginx
];
services.jellyfin.enable = config.system.fileserver.enable;
config = lib.mkIf config.system.fileserver.enable {
services.jellyfin.enable = true;
environment.persistence."/persist".directories = [
"/var/lib/jellyfin"
];
};
}

50
modules/system/services/server/fileserver/nextcloud/default.nix
View file

@ -1,32 +1,36 @@
{ pkgs, config, ... }:
{ config, lib, pkgs, ... }:
{
imports = [
./collabora
./nginx
];
services.nextcloud = {
enable = config.system.fileserver.enable;
package = pkgs.nextcloud30;
hostName = "cloud.${config.domains.p2}";
datadir = "/mnt/nextcloud";
https = true;
config = {
adminuser = config.sysusers.main;
adminpassFile = "${pkgs.writeText "initial" config.secrets.initialPass}";
};
settings = {
trusted_proxies = [ "127.0.0.1" ];
trusted_domains = [ "cloud.${config.domains.p2}" ];
overwriteprotocol = "https";
mail_smtphost = "mx.${config.domains.p1}";
mail_domain = "${config.domains.p1}";
mail_from_address = "noreply";
mail_smtpauth = "true";
mail_smtpname = "noreply@${config.domains.p2}";
mail_smtppassword = config.secrets.noreplyPassword;
mail_smtpmode = "smtp";
mail_smtpport = 587;
config = lib.mkIf config.system.fileserver.enable {
services.nextcloud = {
enable = true;
package = pkgs.nextcloud30;
hostName = "cloud.${config.domains.p2}";
https = true;
config = {
adminuser = config.sysusers.main;
adminpassFile = "${pkgs.writeText "initial" config.secrets.initialPass}";
};
settings = {
trusted_proxies = [ "127.0.0.1" ];
trusted_domains = [ "cloud.${config.domains.p2}" ];
overwriteprotocol = "https";
mail_smtphost = "mx.${config.domains.p1}";
mail_domain = "${config.domains.p1}";
mail_from_address = "noreply";
mail_smtpauth = "true";
mail_smtpname = "noreply@${config.domains.p2}";
mail_smtppassword = config.secrets.noreplyPassword;
mail_smtpmode = "smtp";
mail_smtpport = 587;
};
};
environment.persistence."/persist".directories = [
"/var/lib/nextcloud"
];
};
}

4
modules/system/services/server/forgejo/default.nix
View file

@ -30,5 +30,9 @@
};
networking.firewall.allowedTCPPorts = [ 2299 ];
environment.persistence."/persist".directories = [
"/var/lib/forgejo"
];
};
}

16
modules/system/services/server/minecraft/default.nix
View file

@ -1,4 +1,4 @@
{ minecraft, config, ... }:
{ minecraft, config, lib, ... }:
{
imports = [
minecraft.nixosModules.minecraft-servers
@ -10,10 +10,16 @@
./servers/uberbeta
];
nixpkgs.overlays = [ minecraft.overlay ];
config = lib.mkIf config.system.server.enable {
nixpkgs.overlays = [ minecraft.overlay ];
services.minecraft-servers = {
enable = config.system.server.enable;
eula = true;
services.minecraft-servers = {
enable = true;
eula = true;
};
environment.persistence."/persist".directories = [
"/srv/minecraft"
];
};
}

34
modules/system/services/server/mysql/default.nix
View file

@ -1,19 +1,23 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
{
services.mysql = {
enable = config.system.server.enable;
package = pkgs.mariadb;
dataDir = "/var/lib/mysql";
ensureDatabases = [
"minecraft"
];
ensureUsers = [
{
name = "minecraft";
ensurePermissions = {
"minecraft.*" = "ALL PRIVILEGES";
};
}
config = lib.mkIf config.system.server.enable {
services.mysql = {
enable = true;
package = pkgs.mariadb;
ensureDatabases = [
"minecraft"
];
ensureUsers = [
{
name = "minecraft";
ensurePermissions = {
"minecraft.*" = "ALL PRIVILEGES";
};
}
];
};
environment.persistence."/persist".directories = [
"/var/lib/mysql"
];
};
}

18
modules/system/services/server/social/mastodon/default.nix
View file

@ -1,18 +0,0 @@
{ pkgs, config, ... }:
{
services.mastodon = {
enable = config.system.socials.enable;
localDomain = "social.${config.domains.p2}";
streamingProcesses = 4;
configureNginx = true;
smtp = {
createLocally = false;
host = "mx.${config.domains.p1}";
port = 587;
authenticate = true;
fromAddress = "NixFox Mastodon <noreply@${config.domains.p2}>";
user = "noreply@${config.domains.p2}";
passwordFile = pkgs.writeText "smtp_pass.txt" config.secrets.noreplyPassword;
};
};
}

73
modules/system/services/server/social/matrix/synapse/default.nix
View file

@ -1,73 +0,0 @@
{ pkgs, config, ... }:
{
imports = [
./nginx
];
services.matrix-synapse = {
enable = config.system.socials.enable;
settings = {
server_name = "${config.domains.p1}";
public_baseurl = "https://matrix.${config.domains.p1}";
suppress_key_server_warning = true;
listeners = [
{
port = 8008;
bind_addresses = [ "::" "0.0.0.0" ];
resources = [{
compress = true;
names = [
"client"
"federation"
];
}];
type = "http";
tls = false;
x_forwarded = true;
}
];
email = {
notif_from = "NixFox Matrix <noreply@${config.domains.p2}>";
smtp_host = "mx.${config.domains.p1}";
smtp_user = "noreply@${config.domains.p2}";
smtp_pass = config.secrets.noreplyPassword;
enable_tls = true;
smtp_port = 587;
require_transport_security = true;
};
# Disable registration without email
registrations_require_3pid = [ "email" ];
# Allow only this range of emails
allowed_local_3pids = [
{
medium = "email";
pattern = ''^[^@]+@nixfox\.ca$'';
}
{
medium = "email";
pattern = ''^[^@]+@freecorn1854\.win$'';
}
{
medium = "email";
pattern = ''^[^@]+@lunamoonlight\.xyz$'';
}
];
# Set the type of database
database.name = "sqlite3";
# Allow account registration
enable_registration = true;
# General settings
url_preview_enabled = true;
max_upload_size = "50M";
report_stats = false;
burst_count = 15;
};
};
}

11
modules/system/services/server/social/owncast/default.nix
View file

@ -1,11 +0,0 @@
{ config, ... }:
{
imports = [ ./nginx ];
services.owncast = {
enable = config.system.socials.enable;
port = 8060;
rtmp-port = 1945;
listen = "0.0.0.0";
};
}

2
modules/system/services/server/social/default.nix → modules/system/services/server/socialserver/default.nix
View file

@ -1,6 +1,6 @@
{ lib, ... }:
{
options.system.socials.enable = lib.mkOption {
options.system.socialserver.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};

23
modules/system/services/server/socialserver/mastodon/default.nix Normal file
View file

@ -0,0 +1,23 @@
{ config, lib, pkgs, ... }:
{
config = lib.mkIf config.system.socialserver.enable {
services.mastodon = {
enable = true;
localDomain = "social.${config.domains.p2}";
streamingProcesses = 4;
configureNginx = true;
smtp = {
createLocally = false;
host = "mx.${config.domains.p1}";
port = 587;
authenticate = true;
fromAddress = "NixFox Mastodon <noreply@${config.domains.p2}>";
user = "noreply@${config.domains.p2}";
passwordFile = pkgs.writeText "smtp_pass.txt" config.secrets.noreplyPassword;
};
};
environment.persistence."/persist".directories = [
"/var/lib/mastodon"
];
};
}

0
modules/system/services/server/social/matrix/coturn/default.nix → modules/system/services/server/socialserver/matrix/coturn/default.nix
View file

0
modules/system/services/server/social/matrix/coturn/nginx/default.nix → modules/system/services/server/socialserver/matrix/coturn/nginx/default.nix
View file

0
modules/system/services/server/social/matrix/default.nix → modules/system/services/server/socialserver/matrix/default.nix
View file

0
modules/system/services/server/social/matrix/element/default.nix → modules/system/services/server/socialserver/matrix/element/default.nix
View file

0
modules/system/services/server/social/matrix/element/nginx/default.nix → modules/system/services/server/socialserver/matrix/element/nginx/default.nix
View file

78
modules/system/services/server/socialserver/matrix/synapse/default.nix Normal file
View file

@ -0,0 +1,78 @@
{ config, lib, pkgs, ... }:
{
imports = [
./nginx
];
config = lib.mkIf config.system.socialserver.enable {
services.matrix-synapse = {
enable = true;
settings = {
server_name = "${config.domains.p1}";
public_baseurl = "https://matrix.${config.domains.p1}";
suppress_key_server_warning = true;
listeners = [
{
port = 8008;
bind_addresses = [ "::" "0.0.0.0" ];
resources = [{
compress = true;
names = [
"client"
"federation"
];
}];
type = "http";
tls = false;
x_forwarded = true;
}
];
email = {
notif_from = "NixFox Matrix <noreply@${config.domains.p2}>";
smtp_host = "mx.${config.domains.p1}";
smtp_user = "noreply@${config.domains.p2}";
smtp_pass = config.secrets.noreplyPassword;
enable_tls = true;
smtp_port = 587;
require_transport_security = true;
};
# Disable registration without email
registrations_require_3pid = [ "email" ];
# Allow only this range of emails
allowed_local_3pids = [
{
medium = "email";
pattern = ''^[^@]+@nixfox\.ca$'';
}
{
medium = "email";
pattern = ''^[^@]+@freecorn1854\.win$'';
}
{
medium = "email";
pattern = ''^[^@]+@lunamoonlight\.xyz$'';
}
];
# Set the type of database
database.name = "sqlite3";
# Allow account registration
enable_registration = true;
# General settings
url_preview_enabled = true;
max_upload_size = "50M";
report_stats = false;
burst_count = 15;
};
};
environment.persistence."/persist".directories = [
"/var/lib/matrix-synapse"
];
};
}

0
modules/system/services/server/social/matrix/synapse/nginx/default.nix → modules/system/services/server/socialserver/matrix/synapse/nginx/default.nix
View file

16
modules/system/services/server/socialserver/owncast/default.nix Normal file
View file

@ -0,0 +1,16 @@
{ config, lib, ... }:
{
imports = [ ./nginx ];
config = lib.mkIf config.system.socialserver.enable {
services.owncast = {
enable = true;
port = 8060;
rtmp-port = 1945;
listen = "0.0.0.0";
};
environment.persistence."/persist".directories = [
"/var/lib/owncast"
];
};
}

0
modules/system/services/server/social/owncast/nginx/default.nix → modules/system/services/server/socialserver/owncast/nginx/default.nix
View file

17
modules/system/services/server/transmission/default.nix
View file

@ -1,11 +1,16 @@
{ pkgs, config, ... }:
{ config, lib, pkgs, ... }:
{
imports = [ ./nginx ];
services.transmission = {
enable = config.system.server.enable;
credentialsFile = pkgs.writeText "credentials" config.secrets.transmissionCredFile;
openPeerPorts = true;
settings.rpc-authentication-required = true;
config = lib.mkIf config.system.server.enable {
services.transmission = {
enable = true;
credentialsFile = pkgs.writeText "credentials" config.secrets.transmissionCredFile;
openPeerPorts = true;
settings.rpc-authentication-required = true;
};
environment.persistence."/persist".directories = [
"/var/lib/transmission"
];
};
}

41
modules/system/services/server/vaultwarden/default.nix
View file

@ -1,25 +1,30 @@
{ config, ... }:
{ config, lib, ... }:
{
imports = [ ./nginx ];
services.vaultwarden = {
enable = config.system.server.enable;
config = {
DOMAIN = "https://pass.${config.domains.p2}";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8222;
ROCKET_LOG = "critical";
config = lib.mkIf config.system.server.enable {
services.vaultwarden = {
enable = true;
config = {
DOMAIN = "https://pass.${config.domains.p2}";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8222;
ROCKET_LOG = "critical";
# Smtp email
SMTP_HOST = "mx.${config.domains.p1}";
SMTP_FROM = "noreply@${config.domains.p2}";
SMTP_FROM_NAME = "Vaultwarden";
SMTP_USERNAME = "noreply@${config.domains.p2}";
SMTP_PASSWORD = config.secrets.noreplyPassword;
SMTP_SECURITY = "starttls";
SMTP_PORT = 587;
SMTP_TIMEOUT = 15;
# Smtp email
SMTP_HOST = "mx.${config.domains.p1}";
SMTP_FROM = "noreply@${config.domains.p2}";
SMTP_FROM_NAME = "Vaultwarden";
SMTP_USERNAME = "noreply@${config.domains.p2}";
SMTP_PASSWORD = config.secrets.noreplyPassword;
SMTP_SECURITY = "starttls";
SMTP_PORT = 587;
SMTP_TIMEOUT = 15;
};
};
environment.persistence."/persist".directories = [
"/var/lib/bitwarden_rs"
];
};
}

12
modules/system/services/server/webserver/acme/default.nix Normal file
View file

@ -0,0 +1,12 @@
{ config, lib, ... }:
{
config = lib.mkIf config.system.webserver.enable {
security.acme = {
acceptTerms = true;
defaults.email = "contact@${config.domains.p2}";
};
environment.persistence."/persist".directories = [
"/var/lib/acme"
];
};
}

26
modules/system/services/server/webserver/ddclient/default.nix Normal file
View file

@ -0,0 +1,26 @@
{ config, lib, pkgs, ... }:
{
config = lib.mkIf config.system.webserver.enable {
services.ddclient = {
enable = true;
protocol = "cloudflare";
zone = "${config.domains.p2}";
usev6 = "";
username = "token";
passwordFile = "${pkgs.writeText "cloudflareapikey" config.secrets.flareApiKey}";
domains = [
"${config.domains.p2}"
"*.${config.domains.p2}"
"sv.${config.domains.p2}"
"git.${config.domains.p2}"
"turn.${config.domains.p2}"
"dew.${config.domains.p2}"
"john.${config.domains.p2}"
"rogue.${config.domains.p2}"
];
};
environment.persistence."/persist".directories = [
"/var/lib/private/ddclient"
];
};
}

13
modules/system/services/server/webserver/default.nix Normal file
View file

@ -0,0 +1,13 @@
{ lib, ... }:
{
options.system.webserver.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
imports = [
./acme
./ddclient
./nginx
];
}

6
modules/system/services/server/nginx/default.nix → modules/system/services/server/webserver/nginx/default.nix
View file

@ -5,7 +5,7 @@
./virtualhosts
];
config = lib.mkIf (config.system.server.enable || config.system.mailserver.enable) {
config = lib.mkIf config.system.webserver.enable {
services.nginx = {
enable = true;
recommendedTlsSettings = true;
@ -14,6 +14,10 @@
recommendedProxySettings = true;
};
environment.persistence."/persist".directories = [
"/var/www"
];
networking.firewall.allowedTCPPorts = [
80
443

0
modules/system/services/server/nginx/rtmp/default.nix → modules/system/services/server/webserver/nginx/rtmp/default.nix
View file

0
modules/system/services/server/nginx/virtualhosts/default.nix → modules/system/services/server/webserver/nginx/virtualhosts/default.nix
View file

0
modules/system/services/server/nginx/virtualhosts/p1/default.nix → modules/system/services/server/webserver/nginx/virtualhosts/p1/default.nix
View file

0
modules/system/services/server/nginx/virtualhosts/p2/default.nix → modules/system/services/server/webserver/nginx/virtualhosts/p2/default.nix
View file