diff --git a/legacy/bobi/configuration.nix b/legacy/bobi/configuration.nix deleted file mode 100644 index 3d0e629..0000000 --- a/legacy/bobi/configuration.nix +++ /dev/null @@ -1,81 +0,0 @@ -{ config, pkgs, lib, ... }: { - - imports = [ - - ../../components - ../../modules - - ./hardware-configuration.nix - ./tinc.nix - ./syncthing.nix - - ]; - - security.wrappers = { - pmount = { - source = "${pkgs.pmount}/bin/pmount"; - setuid = true; - owner = "root"; - group = "root"; - }; - pumount = { - source = "${pkgs.pmount}/bin/pumount"; - setuid = true; - owner = "root"; - group = "root"; - }; - }; - - components.gui.enable = true; - - configuration.desktop = { - width = 1366; - height = 768; - }; - - # grub configuraton - # ----------------- - boot.loader.grub.enable = true; - boot.loader.grub.efiSupport = true; - boot.loader.grub.device = "/dev/sda"; - boot.loader.grub.efiInstallAsRemovable = true; - boot.tmpOnTmpfs = true; - - networking.networkmanager.enable = true; - networking.hostName = "bobi"; - - # Set your time zone. - time.timeZone = "Europe/Berlin"; - - environment.systemPackages = with pkgs; [ - vim - wget - htop - silver-searcher - ]; - - environment.extraInit = '' - # use vi shortcuts - # ---------------- - set -o vi - EDITOR=vim - ''; - - boot.supportedFilesystems = [ "zfs" ]; - networking.hostId = "2ed43034"; - - services.openssh.enable = true; - components.network.sshd.onlyTincAccess = false; - - users.users.root.openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6uza62+Go9sBFs3XZE2OkugBv9PJ7Yv8ebCskE5WYPcahMZIKkQw+zkGI8EGzOPJhQEv2xk+XBf2VOzj0Fto4nh8X5+Llb1nM+YxQPk1SVlwbNAlhh24L1w2vKtBtMy277MF4EP+caGceYP6gki5+DzlPUSdFSAEFFWgN1WPkiyUii15Xi3QuCMR8F18dbwVUYbT11vwNhdiAXWphrQG+yPguALBGR+21JM6fffOln3BhoDUp2poVc5Qe2EBuUbRUV3/fOU4HwWVKZ7KCFvLZBSVFutXCj5HuNWJ5T3RuuxJSmY5lYuFZx9gD+n+DAEJt30iXWcaJlmUqQB5awcB1S2d9pJ141V4vjiCMKUJHIdspFrI23rFNYD9k2ZXDA8VOnQE33BzmgF9xOVh6qr4G0oEpsNqJoKybVTUeSyl4+ifzdQANouvySgLJV/pcqaxX1srSDIUlcM2vDMWAs3ryCa0aAlmAVZIHgRhh6wa+IXW8gIYt+5biPWUuihJ4zGBEwkyVXXf2xsecMWCAGPWPDL0/fBfY9krNfC5M2sqxey2ShFIq+R/wMdaI7yVjUCF2QIUNiIdFbJL6bDrDyHnEXJJN+rAo23jUoTZZRv7Jq3DB/A5H7a73VCcblZyUmwMSlpg3wos7pdw5Ctta3zQPoxoAKGS1uZ+yTeZbPMmdbw== contact@ingolf-wagner.de" ]; - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "22.05"; # Did you read the comment? - -} - diff --git a/legacy/bobi/hardware-configuration.nix b/legacy/bobi/hardware-configuration.nix deleted file mode 100644 index 5eba7c2..0000000 --- a/legacy/bobi/hardware-configuration.nix +++ /dev/null @@ -1,47 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci" ]; - boot.initrd.kernelModules = [ "dm-snapshot" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { - device = "/dev/disk/by-uuid/b3dc4880-fb1b-415d-a5a8-a53b9f0a9ab6"; - fsType = "ext4"; - }; - - boot.initrd.luks.devices."root-enc".device = "/dev/disk/by-uuid/c2a56e0f-f831-4d21-8cf4-7ddf3901ea8a"; - - fileSystems."/boot" = - { - device = "/dev/disk/by-uuid/EBCE-D756"; - fsType = "vfat"; - }; - - swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp0s25.useDHCP = lib.mkDefault true; - # networking.interfaces.tinc.private.useDHCP = lib.mkDefault true; - # networking.interfaces.tinc.retiolum.useDHCP = lib.mkDefault true; - # networking.interfaces.tinc.secret.useDHCP = lib.mkDefault true; - # networking.interfaces.virbr0.useDHCP = lib.mkDefault true; - # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true; - - powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} diff --git a/legacy/bobi/syncthing.nix b/legacy/bobi/syncthing.nix deleted file mode 100644 index 0778de2..0000000 --- a/legacy/bobi/syncthing.nix +++ /dev/null @@ -1,37 +0,0 @@ -{ config, pkgs, lib, ... }: { - - services.syncthing = { - enable = true; - openDefaultPorts = false; - user = "palo"; - dataDir = "/home/palo/.syncthing"; - configDir = "/home/palo/.syncthing"; - overrideFolders = true; - folders = { - - # on encrypted drive - # ------------------ - private = { - enable = true; - path = "/home/palo/private"; - }; - desktop = { - enable = true; - path = "/home/palo/desktop"; - }; - finance = { - enable = true; - path = "/home/palo/finance"; - }; - password-store = { - enable = true; - path = "/home/palo/.password-store"; - }; - }; - }; - - services.permown."/home/palo/music-library" = { - owner = "palo"; - group = "users"; - }; -} diff --git a/legacy/bobi/tinc.nix b/legacy/bobi/tinc.nix deleted file mode 100644 index 2693db2..0000000 --- a/legacy/bobi/tinc.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ config, ... }: -{ - tinc.private.enable = true; - tinc.private.ipv4 = "10.23.42.25"; -} diff --git a/legacy/borg-jobs.nix b/legacy/borg-jobs.nix deleted file mode 100644 index 1004814..0000000 --- a/legacy/borg-jobs.nix +++ /dev/null @@ -1,96 +0,0 @@ -{ config, lib, ... }: -# borg core setup -# --------------- -# provides an easy interface for all services -# to append it's files to be backuped -{ - - options = { - backup = { - enable = lib.mkEnableOption "enable borg backup"; - dirs = lib.mkOption { - default = [ ]; - type = with lib.types; listOf str; - description = '' - folders to backup - ''; - }; - exclude = lib.mkOption { - default = [ ]; - type = with lib.types; listOf str; - description = '' - exclude files and folders matching a pattern. - Theses patterns effect all folders in `backup.dirs`. - see man borg pattern for more information - ''; - example = [ ".git" "/home/*/.cache" ".stfolder" ]; - }; - servers = lib.mkOption { - default = { - robi.host = "144.76.13.147"; - pepe.host = "pepe.private"; - }; - type = with lib.types; attrsOf (submodule { - options = { - host = lib.mkOption { - type = with lib.types; str; - }; - user = lib.mkOption { - default = "borg"; - type = with lib.types; str; - }; - }; - }); - description = '' - servers to backup to - ''; - }; - }; - }; - - config = - let - myHostname = config.networking.hostName; - setup = { user, host }: { - paths = config.backup.dirs; - exclude = config.backup.exclude; - doInit = true; - repo = "${user}@${host}:./${myHostname}"; - encryption = { - mode = "repokey-blake2"; - passCommand = "cat ${config.sops.secrets.backup_repository_passphrase.path}"; - }; - environment = { - BORG_RSH = "ssh -i ${toString config.sops.secrets.backup_ssh_rsa_private.path}"; - BORG_RELOCATED_REPO_ACCESS_IS_OK = "yes"; - }; - compression = "auto,lzma"; - startAt = "daily"; - prune.keep = { - within = "10d"; # Keep all backups in the last 10 days. - weekly = 8; # Keep 8 additional end of week archives. - monthly = -1; # Keep end of month archive for every month - }; - }; - - in - - lib.mkIf config.backup.enable { - - sops.secrets.backup_repository_passphrase = { }; - sops.secrets.backup_ssh_rsa_private = { }; - - services.borgbackup.jobs = - lib.mapAttrs (_: target: setup target) config.backup.servers; - - #systemd.services = lib.mapAttrs' - # (name: _: { - # name = "borgbackup-job-${name}"; - # value = { enable = config.backup.dirs != [ ]; }; - # }) - # config.backup.servers; - - }; - - -} diff --git a/legacy/borg-scripts.nix b/legacy/borg-scripts.nix deleted file mode 100644 index ed0b6e8..0000000 --- a/legacy/borg-scripts.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ pkgs, lib, ... }: { - - environment.systemPackages = - let - createScript = command: target: repository: - pkgs.writers.writeBashBin - "borg-${command}-on-${target}-for-${repository}" '' - ${pkgs.borgbackup}/bin/borg \ - ${command} \ - --rsh='ssh -i ~/.ssh/palo_rsa.pub' ${target}.private:${repository}/. \ - "$@" - ''; - targets = [ "borg@pepe" "borg@robi" "borg@cream" "removable@cream" ]; - repositories = [ "pepe" "sterni" "robi" "cream" ]; - commands = [ "list" "mount" ]; - in - lib.flatten (map - (command: - map - (target: map (repository: createScript command target repository) repositories) - targets) - commands); - -} diff --git a/legacy/borg.nix b/legacy/borg.nix deleted file mode 100644 index dc8d19e..0000000 --- a/legacy/borg.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ lib, config, pkgs, ... }: { - - backup.enable = true; - - # provide repository - services.borgbackup.repos = { - default = { - quota = "300G"; - allowSubRepos = true; - authorizedKeys = [ - ]; - }; - }; - - -} diff --git a/legacy/dms.nix b/legacy/dms.nix deleted file mode 100644 index 7dbb073..0000000 --- a/legacy/dms.nix +++ /dev/null @@ -1,98 +0,0 @@ -{ lib, pkgs, config, ... }: - -# a very simple dms setup which. -# I have a brother ADS-1600W scanner, which is configured to send all -# PDFs to this machine in /home/ftp-upload/input -# from there the dms.py scans them and makes them searchable. - -let - dms = pkgs.fetchgit { - url = "https://github.com/mrVanDalo/dms.git"; - rev = "2f5c44f017bdfd8abfe908d419ef26bac300f809"; - sha256 = "0dxhk1ah6wwbsxyk4hd32rz7886w7r5gfy16485gjbvky1qsi8gd"; - }; -in -{ - - # setup ftp - services.vsftpd = { - enable = true; - userlist = [ "ftp-upload" ]; - userlistEnable = true; - localUsers = true; - writeEnable = true; - extraConfig = '' - # additional ports for directory list and stuff - pasv_min_port=4242 - pasv_max_port=4243 - ''; - }; - networking.firewall.allowedTCPPortRanges = [ - { - # ftp: additional ports for directory list and stuff - from = 4242; - to = 4243; - } - { - # ftp - from = 20; - to = 21; - } - ]; - - sops.secrets.ftp_password = { }; - - # create user - users.users.ftp-upload = { - passwordFile = config.sops.secrets.ftp_password.path; - isNormalUser = true; - }; - - # create dms service - systemd.services.dms = { - enable = true; - wantedBy = [ "multi-user.target" ]; - path = [ - (pkgs.python3.withPackages (ps: with ps; [ flask ])) - pkgs.imagemagickBig - (pkgs.pdfsandwich.override { imagemagick = pkgs.imagemagickBig; }) - pkgs.poppler_utils - pkgs.which - pkgs.netpbm - pkgs.gawk - pkgs.bash - ]; - serviceConfig = { User = "ftp-upload"; }; - preStart = '' - if [[ ! -L /home/ftp-upload/db/SOURCE_DIR ]] - then - rm -rf /home/ftp-upload/db/SOURCE_DIR - mkdir -p /home/ftp-upload/db - mkdir -p /home/ftp-upload/input - ln -s /home/ftp-upload/input /home/ftp-upload/db/SOURCE_DIR - fi - ''; - script = '' - DMSDATA=/home/ftp-upload/db \ - FLASK_APP=${dms}/dms.py \ - flask run --host 0.0.0.0 \ - "$@" - ''; - }; - - # host nginx setup - services.nginx = { - enable = true; - virtualHosts = { - "dms.pepe.private" = { - serverAliases = - [ "pdf.pepe.private" "docs.pepe.private" "dms.pepe.lan" ]; - locations."/" = { proxyPass = "http://localhost:5000"; }; - }; - }; - }; - - # add documents to backup - backup.dirs = [ "/home/ftp-upload/db" ]; - -} diff --git a/legacy/finance.nix b/legacy/finance.nix deleted file mode 100644 index 76de251..0000000 --- a/legacy/finance.nix +++ /dev/null @@ -1,58 +0,0 @@ -{ lib, config, pkgs, ... }: -let - - # find symbols with - # https://www.alphavantage.co/query?function=SYMBOL_SEARCH&apikey=&keywords= - # as described here : https://www.alphavantage.co/documentation/#symbolsearch - # - # example: - # -------- - # stocks = [ - # { - # friendly_name = "google"; - # symbol = "GOOGL.DEX"; - # name = "google"; - # currency = "$"; - # } - # ]; - # results in - # P 2020-01-30 GOOGL $123 - stocks = import ../../private_assets/finance/stocks; - stocksFile = toString /home/syncthing/finance/hledger/stocks.journal; - -in -{ - - systemd.services.pull_stocks = { - enable = true; - description = "pull stocks for hledger"; - serviceConfig = { - User = "syncthing"; - Type = "oneshot"; - }; - - script = - let - command = { symbol, name, currency, ... }: '' - APIKEY=${lib.fileContents ../../private_assets/finance/alphavantage/apiKey} - SYMBOL="${symbol}" - ${pkgs.curl}/bin/curl --location --silent \ - "https://www.alphavantage.co/query?function=GLOBAL_QUOTE&symbol=$SYMBOL&apikey=$APIKEY" \ - | ${pkgs.jq}/bin/jq --raw-output '.["Global Quote"] - | "P \(.["07. latest trading day"]) ${name} ${currency}\(.["05. price"] | tonumber)"' \ - >> ${stocksFile} - sleep 1 - ''; - in - lib.concatStringsSep "\n" (map command stocks); - }; - - systemd.timers.pull_stocks = { - enable = true; - wantedBy = [ "multi-user.target" ]; - timerConfig = { - OnCalendar = "weekly"; - Persistent = "true"; - }; - }; -} diff --git a/legacy/graylog.nix b/legacy/graylog.nix deleted file mode 100644 index 8a31746..0000000 --- a/legacy/graylog.nix +++ /dev/null @@ -1,130 +0,0 @@ -{ config, lib, pkgs, ... }: -let port = 9000; -in { - # configure nginx - services.nginx = { - enable = true; - virtualHosts = { - "graylog.workhorse.private" = { - locations."/" = { - proxyPass = "http://localhost:${toString port}"; - extraConfig = '' - proxy_set_header Host $host:$server_port; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_read_timeout 90; - proxy_redirect http://localhost:${ - toString port - } https://graylog.workhorse.private/; - ''; - }; - }; - }; - }; - - services.mongodb.enable = true; - services.elasticsearch = { - enable = true; - listenAddress = "${config.networking.hostName}.private"; - extraJavaOptions = [ "-Des.http.cname_in_publish_address=true" ]; - }; - - services.graylog.enable = true; - services.graylog.elasticsearchHosts = - [ "http://${config.services.elasticsearch.listenAddress}:9200" ]; - - # https://docs.graylog.org/en/3.0/pages/configuration/server.conf.html - services.graylog.extraConfig = '' - http_bind_address = 0.0.0.0:${toString port} - http_publish_uri = http://workhorse.private:${toString port}/ - ''; - - # other wise this does not work - services.graylog.nodeIdFile = "/var/lib/graylog/node-id"; - - # pwgen -N 1 -s 96 - services.graylog.passwordSecret = - lib.fileContents ../../private_assets/graylog/password-secret; - - # echo -n yourpassword | shasum -a 256 - services.graylog.rootPasswordSha2 = - lib.fileContents ../../private_assets/graylog/root-password-hash; - - services.graylog.plugins = [ pkgs.graylogPlugins.slack ]; - - # not working at the moment - #services.geoip-updater.enable = true; - - # https://wiki.splunk.com/Http_status.csv - environment.etc."graylog/server/httpCodes.csv" = { - enable = true; - text = '' - status,status_description,status_type - 100,Continue,Informational - 101,Switching Protocols,Informational - 200,OK,Successful - 201,Created,Successful - 202,Accepted,Successful - 203,Non-Authoritative Information,Successful - 204,No Content,Successful - 205,Reset Content,Successful - 206,Partial Content,Successful - 300,Multiple Choices,Redirection - 301,Moved Permanently,Redirection - 302,Found,Redirection - 303,See Other,Redirection - 304,Not Modified,Redirection - 305,Use Proxy,Redirection - 307,Temporary Redirect,Redirection - 400,Bad Request,Client Error - 401,Unauthorized,Client Error - 402,Payment Required,Client Error - 403,Forbidden,Client Error - 404,Not Found,Client Error - 405,Method Not Allowed,Client Error - 406,Not Acceptable,Client Error - 407,Proxy Authentication Required,Client Error - 408,Request Timeout,Client Error - 409,Conflict,Client Error - 410,Gone,Client Error - 411,Length Required,Client Error - 412,Precondition Failed,Client Error - 413,Request Entity Too Large,Client Error - 414,Request-URI Too Long,Client Error - 415,Unsupported Media Type,Client Error - 416,Requested Range Not Satisfiable,Client Error - 417,Expectation Failed,Client Error - 500,Internal Server Error,Server Error - 501,Not Implemented,Server Error - 502,Bad Gateway,Server Error - 503,Service Unavailable,Server Error - 504,Gateway Timeout,Server Error - 505,HTTP Version Not Supported,Server Error - ''; - }; - - environment.etc."graylog/server/known_servers.csv" = { - enable = true; - text = '' - "ip","host_name" - "95.216.1.150","lassul.us" - ''; - }; - - environment.etc."graylog/systemd/loglevel.csv" = { - enable = true; - text = '' - "value","Servity","Description" - "0","emergency","System is unusable" - "1","alert","Should be corrected immediately" - "2","cirtical","Critical conditions" - "3","error","Error Condition" - "4","warning","May indicate that an error will occur if action is not taken." - "5","notice","Events that are unusual, but not error conditions." - "6","info","Normal operational messages that require no action." - "7","debug","Information useful to developers for debugging the application." - ''; - }; - -} diff --git a/legacy/grocy.nix b/legacy/grocy.nix deleted file mode 100644 index df197bb..0000000 --- a/legacy/grocy.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - #services.grocy = { - # enable = true; - # settings = { - # culture = "de"; - # currency = "EUR"; - # }; - # hostName = "grocy.pepe.private"; - # nginx.enableSSL = false; - #}; - #backup.dirs = [ config.services.grocy.dataDir ]; - - services.grocy-scanner = { - enable = true; - host = "https://grocy.ingolf-wagner.de"; - device = "/dev/input/by-id/usb-Belon.cn_2.4G_Wireless_Device_Belon_Smart-event-kbd"; - apiKeyFile = config.sops.secrets.grocyApiKey.path; - }; - - sops.secrets.grocyApiKey = { }; - -} diff --git a/legacy/hass-wifi.nix b/legacy/hass-wifi.nix deleted file mode 100644 index dc7f601..0000000 --- a/legacy/hass-wifi.nix +++ /dev/null @@ -1,78 +0,0 @@ -{ lib, pkgs, config, ... }: - -let - # you find this device using `ifconfig -a` or `ip link` - wifi = "wlp3s0"; - ipAddress = "10.23.45.1"; - prefixLength = 24; - servedAddressRange = "10.23.45.2,10.23.45.150,12h"; - ssid = "home/wifi"; -in -{ - - # todo only open needed ports - networking.firewall.trustedInterfaces = [ wifi ]; - - networking.networkmanager.unmanaged = [ wifi ]; - networking.dhcpcd.denyInterfaces = [ wifi ]; - - networking.interfaces."${wifi}".ipv4.addresses = [{ - address = ipAddress; - prefixLength = prefixLength; - }]; - - systemd.services.hostapd = { - description = "hostapd wireless AP"; - path = [ pkgs.hostapd ]; - wantedBy = [ "network.target" ]; - - after = [ - "${wifi}-cfg.service" - "nat.service" - "bind.service" - "dhcpd.service" - "sys-subsystem-net-devices-${wifi}.device" - ]; - - serviceConfig = { - ExecStart = "${pkgs.hostapd}/bin/hostapd ${ - pkgs.writeText "hostapd.conf" '' - interface=${wifi} - hw_mode=g - channel=10 - ieee80211d=1 - country_code=DE - ieee80211n=1 - wmm_enabled=1 - - ssid=${ssid} - auth_algs=1 - wpa=2 - wpa_key_mgmt=WPA-PSK - rsn_pairwise=CCMP - wpa_psk_file=${config.sops.secrets.hostapd_wpa_psk.path} - '' - }"; - Restart = "always"; - }; - }; - - sops.secrets.hostapd_wpa_psk = { }; - - services.dnsmasq = { - enable = true; - extraConfig = '' - # Only listen to routers' LAN NIC. Doing so opens up tcp/udp port 53 to - # localhost and udp port 67 to world: - interface=${wifi} - - # Explicitly specify the address to listen on - listen-address=${ipAddress} - - # Dynamic range of IPs to make available to LAN PC and the lease time. - # Ideally set the lease time to 5m only at first to test everything works okay before you set long-lasting records. - dhcp-range=${servedAddressRange} - ''; - }; - -} diff --git a/legacy/kibana.nix b/legacy/kibana.nix deleted file mode 100644 index 279aea1..0000000 --- a/legacy/kibana.nix +++ /dev/null @@ -1,25 +0,0 @@ -{ config, ... }: { - services.nginx = { - enable = true; - statusPage = true; - virtualHosts = { - "kibana.${config.networking.hostName}.private" = { - serverAliases = [ ]; - locations."/" = { - proxyPass = "http://${config.networking.hostName}.private:${ - toString config.services.kibana.port - }"; - }; - }; - }; - }; - - services.elasticsearch.enable = true; - services.elasticsearch.listenAddress = "workhorse.private"; - - services.kibana.enable = true; - services.kibana.elasticsearch.hosts = [ "http://workhorse.private:9200" ]; - services.kibana.listenAddress = "workhorse.private"; - services.kibana.port = 5601; - -} diff --git a/legacy/kiosk.nix b/legacy/kiosk.nix deleted file mode 100644 index cc844f2..0000000 --- a/legacy/kiosk.nix +++ /dev/null @@ -1,22 +0,0 @@ -# https://dataswamp.org/~solene/2022-10-06-nixos-kiosk.html -{ pkgs, config, ... }: -{ - services.cage = { - enable = true; - user = "kiosk"; - program = "${pkgs.firefox}/bin/firefox -kiosk -private-window http://grafana.chungus.private/d/0d1dfFU4k/default-dashboard?orgId=1&kiosk"; - }; - users = { - users.kiosk = { - isNormalUser = true; - name = "kiosk"; - group = config.users.groups.kiosk.name; - }; - groups.kiosk = { - name = "kiosk"; - }; - }; - # make sure cage ist starting instead of getty - systemd.defaultUnit = "graphical.target"; - -} diff --git a/legacy/mail-fetcher.nix b/legacy/mail-fetcher.nix deleted file mode 100644 index d8ca3dd..0000000 --- a/legacy/mail-fetcher.nix +++ /dev/null @@ -1,663 +0,0 @@ -# fetches mails for me -{ lib, pkgs, config, ... }: -let - junk_filter = [ - "from:booking.com" - "subject:Gewinn" - "from:brompton.com" - "from:circleci.com OR (from:noreply@github.com AND to:audio-overlay@googlegroups.com)" - "from:codepen.io" - "from:congstarnews.de" - "from:cronullasurfingacademy.com" - "from:cryptohopper.com" - "from:digitalo.de" - "from:facebook.com OR from:facebookmail.com" - "from:fitnessfirst.de" - "from:flixbus.de" - "from:getdigital.de" - "from:getpocket.com" - "from:ghostinspector.com" - "from:globetrotter.de" - "from:hackster.io" - "from:hostelworld.com" - "from:immobilienscout24.de" - "from:kvraudio.com" - "from:letterboxd.com" - "from:linkedin.com" - "from:magix.net" - "from:mailings.gmx.net" - "from:mailings.web.de" - "from:matrix.org" - "from:menospese.com" - "from:microsoftstoreemail.com" - "from:mixcloudmail.com AND subject:Weekly Update" - "from:oknotify2.com AND NOT subject:New message" - "from:paulaschoice.com" - "from:puppet.com" - "from:runtastic.com" - "from:samplemagic.com OR from:wavealchemy.co.uk OR from:creators.gumroad.com" - "from:ticketmaster.de" - "from:trade4less.de" - "from:tumblr.com" - "from:turners.co.nz" - "from:twitch.tv" - "from:vstbuzz.com" - ]; - filters = [ - { - query = "from:hv-geelen.de"; - tags = [ "+wohnung" ]; - } - { - query = "from:computerfutures.com OR from:computerfutures.de"; - tags = [ "+jobs" "-inbox" ]; - } - { - query = "from:seek.com.au or from:seek.co.nz"; - tags = [ "+jobs" ]; - } - { - query = "from:xing.com"; - tags = [ "+jobs" "-inbox" ]; - } - { - query = "from:no-reply@backtrace.io OR to:sononym@noreply.github.com"; - tags = [ "+sononym" "-inbox" ]; - } - { - query = "from:ebay.com OR from:ebay.de OR from:ebay.net"; - tags = [ "+ebay" "+shop" "+billing" ]; - } - { - query = "from:bahn.de"; - tags = [ "+billing" "+bahn" ]; - } - { - query = - "from:fysitech.atlassian.net OR to:engiadina-pwa@noreply.github.com"; - tags = [ "+mia" "+work" "-unread" "-inbox" ]; - } - { - query = - "from:space-left.org OR to:space-left.org OR subject:/\\[space-left\\]/"; - tags = [ "+spaceleft" "+space-left" ]; - } - { - query = "from:landr.com"; - tags = [ "+landr" "+music" ]; - } - { - query = "tag:landr and tag:billing"; - tags = [ "+billing" ]; - } - { - query = "from:oknotify2.com"; - tags = [ "+okcupid" ]; - } - { - query = "from:taxback.de OR to:taxback.de"; - tags = [ "+steuer" ]; - } - { - query = "from:campact.de"; - tags = [ "+campact" "+politics" ]; - } - { - query = "from:aliexpress.com"; - tags = [ "+shop" "+aliexpress" ]; - } - { - query = "from:congstar.de"; - tags = [ "+billing" "+congstar" "-inbox" "-unread" ]; - } - { - query = - "from:steampowered.com AND NOT ( subject:purchase OR subject:received )"; - tags = [ "-inbox" "-unread" ]; - } - { - query = - "from:steampowered.com AND ( subject:purchase OR subject:received )"; - tags = [ "+billing" "+steam" ]; - } - { - query = "from:gog.com AND NOT subject:Bestellung"; - tags = [ "-inbox" "-unread" ]; - } - { - query = "from:gog.com AND subject:Bestellung"; - tags = [ "+billing" "+gog" ]; - } - { - query = "from:stadtmobil.de"; - tags = [ "+billing" "+stadtmobil" "-inbox" "-unread" ]; - } - { - query = "from:drive-now.com"; - tags = [ "+billing" "+drivenow" "-inbox" "-unread" ]; - } - { - query = "from:data-treuhand.de"; - tags = [ "+mindcurv" "+work" "-inbox" "-unread" "-junk" ]; - } - { - query = "from:immocation.de"; - tags = [ "+immobilien" "-inbox" ]; - } - { - query = "from:tinc-vpn.org"; - tags = [ "+tinc" ]; - } - { - query = "from:mindfactory.de"; - tags = [ "+shop" "+billing" ]; - } - { - query = "from:zalando.de"; - tags = [ "+shop" "+billing" "+zalando" ]; - } - { - query = "from:ing.de"; - tags = [ "+bank" "+ingdiba" ]; - } - { - query = "from:nab.com.au"; - tags = [ "+bank" "+nab" "-inbox" "-unread" ]; - } - { - query = "from:dkb.de"; - tags = [ "+bank" "+dkb" ]; - } - { - query = "from:o2online.de"; - tags = [ "+billing" "+o2" ]; - } - { - query = "from:betfair.com"; - tags = [ "+work" "+betfair" ]; - } - { - query = "from:notifications@github.com"; - tags = [ "+github" ]; - } - { - query = "to:NUR@noreply.github.com"; - tags = [ "+nur" "+nixos" "+list" ]; - } - { - query = "to:nixpkgs@noreply.github.com"; - tags = [ "+nixpkgs" "+nixos" "+list" ]; - } - { - query = "from:travis-ci.org AND subject:mrVanDalo/navi"; - tags = [ "+development" "+navi" ]; - } - { - query = "from:travis-ci.org AND subject:nur-packages"; - tags = [ "+development" "+nixos" "+nur-packages" ]; - } - { - query = "from:travis-ci.org AND subject:csv-to-qif"; - tags = [ "+development" "+csv-to-qif" ]; - } - { - query = "to:proaudio@lists.tuxfamily.org"; - tags = [ "-inbox" "-unread" ]; - } - { - query = "from:nixos1@discoursemail.com"; - tags = [ "+nixos" "+discourse" "+list" ]; - } - { - query = "from:nixos1@discoursemail.com AND subject:Development"; - tags = [ "+nixos" "+discourse" "+development" ]; - } - { - query = "from:nixos1@discoursemail.com AND subject:Français"; - tags = [ "+nixos" "+discourse" "-inbox" "-unread" ]; - } - { - query = "from:nixos1@discoursemail.com AND subject:Announcements"; - tags = [ "+nixos" "+discourse" "+announcements" ]; - } - { - query = "from:nixos1@discoursemail.com AND subject:Links"; - tags = [ "+nixos" "+discourse" "+links" ]; - } - { - query = "from:nixos1@discoursemail.com AND subject:Games"; - tags = [ "+nixos" "+discourse" "+games" ]; - } - { - query = "from:nixos1@discoursemail.com AND subject:Meta"; - tags = [ "+nixos" "+discourse" "+meta" ]; - } - { - query = "from:nixos1@discoursemail.com AND subject:Events"; - tags = [ "+nixos" "+discourse" "+events" ]; - } - { - query = "from:limebike.com AND (subject:Funds OR subject:Receipt)"; - tags = [ "-inbox" "-unread" "+billing" "+limebike" ]; - } - { - query = "from:freemusicarchive.org"; - tags = [ "+FMA" ]; - } - { - query = "from:namecheap.com and subject:auto-renewal"; - tags = [ "+namecheap" "+billing" ]; - } - { - query = "from:namecheap.com and subject:order"; - tags = [ "+namecheap" "+billing" ]; - } - { - query = "tag:namecheap.com and tag:billing and body:gaykraft.com"; - tags = [ "+namecheap" "+billing" ]; - } - { - query = "from:nintendo.com"; - tags = [ "+nintendo" "+billing" ]; - } - { - query = "from:oculus.com AND subject:receipt"; - tags = [ "+oculus" "+billing" ]; - } - { - query = "from:car2go.com"; - tags = [ "-inbox" "-unread" ]; - } - { - query = "from:sixt.de"; - tags = [ "-inbox" "-unread" ]; - } - { - query = "from:meetup.com"; - tags = [ "-inbox" "-unread" "+meetup" ]; - } - { - query = "from:slack.com"; - tags = [ "+slack" ]; - } - { - query = "from:keybase.io"; - tags = [ "+keybase" ]; - } - { - query = "from:jobs2web.com"; - tags = [ "+newzealand" "+jobs" "-inbox" ]; - } - { - query = "from:paypal.de AND subject:Bestätigung"; - tags = [ "-unread" "+paypal" "+billing" ]; - } - { - query = "to:c-base.org"; - tags = [ "+cbase" "+list" ]; - } - { - query = "to:c-base.org AND subject=[auto-report]"; - tags = [ "-unread" "-inbox" ]; - } - { - query = "from:browserstack.com"; - tags = [ "+browserstack" ]; - } - { - query = - "to:renoise@ingolf-wagner.de OR to:root@renoise.com OR from:renoise.com OR to:admin@renoise.com"; - tags = [ "+renoise" ]; - } - { - query = "from:amazon.de OR from:amazon.com AND NOT to:renoise.com"; - tags = [ "+shop" "+amazon" "+billing" ]; - } - { - query = "from:hetzner.com OR from:hetzner.de"; - tags = [ "+hetzner" ]; - } - { - query = - "to:renoise.com AND NOT ( from:renoise.com OR from:root OR from:hetzner.com OR from:hetzner.de OR from:amazon.com OR from:gmail.com )"; - tags = [ "-inbox" "-unread" "+junk" "+renoise" ]; - } - { - query = "tag:hetzner and subject:Invoice"; - tags = [ "+billing" ]; - } - # final rules to make imap sync stuff easier - # there can only be one output folder tag, and theses rules are prioritized - { - query = "tag:fraud"; - tags = [ "-inbox" "-archive" "-junk" "-unread" ]; - message = "clean up tag fraud"; - } - { - query = "tag:junk"; - tags = [ "-inbox" "-archive" "-fraud" "-unread" ]; - message = "clean up tag junk"; - } - { - query = "tag:archive"; - tags = [ "-inbox" "-junk" "-fraud" "-unread" ]; - message = "clean up tag archive"; - } - { - query = "tag:inbox"; - tags = [ "-archive" "-junk" "-fraud" ]; - message = "clean up inbox"; - } - { - query = "tag:killed"; - tags = [ "-inbox" "-unread" ]; - message = "clean up tag killed"; - } - { - query = "tag:muted"; - tags = [ "-inbox" "-unread" ]; - } - # remove new tag at the end - { - query = "tag:new"; - tags = [ "-new" ]; - message = "remove new tag at the end"; - } - ]; - - notmuchTagging = - let - - template = index: - { tags, query, message ? "generic", ... }: - let - command = '' - ${pkgs.notmuch}/bin/notmuch tag ${lib.concatStringsSep " " tags} -- "${query}" - ''; - in - '' - echo '${command}' - ${command} - ''; - junk_template = index: query: - template index { - tags = [ "+junk" "-unread" "-inbox" ]; - query = query; - message = "generic junk filter"; - }; - - in - pkgs.writers.writeBash "notmuch-tagging" (lib.concatStringsSep "\n" - ((lib.imap0 junk_template junk_filter) ++ (lib.imap0 template filters))); - - notmuchTaggingNew = - let - - template = index: - { tags, query, message ? "generic", ... }: - let - command = '' - ${pkgs.notmuch}/bin/notmuch tag ${ - lib.concatStringsSep " " tags - } -- "${query} AND tag:new" - ''; - in - '' - echo '${command}' - ${command} - ''; - - junk_template = index: query: - template index { - tags = [ "+junk" "-unread" "-inbox" ]; - query = query; - message = "generic junk filter"; - }; - in - pkgs.writers.writeBash "notmuch-tagging-new" (lib.concatStringsSep "\n" - ((lib.imap0 junk_template junk_filter) ++ (lib.imap0 template filters))); - -in -{ - - backup.dirs = [ "/home/mailfetcher" ]; - - users.users.mailUser = { - isNormalUser = true; - description = "collects mails for me"; - hashedPassword = "!"; - name = "mailfetcher"; - home = "/home/mailfetcher"; - openssh.authorizedKeys.keyFiles = - config.users.users.root.openssh.authorizedKeys.keyFiles; - group = "mailfetcher"; - }; - - users.groups.mailUser = { - name = "mailfetcher"; - }; - - sops.secrets.mail_terranix = { - owner = config.users.users.mailUser.name; - group = config.users.users.mailUser.group; - }; - sops.secrets.mail_gmail = { - owner = config.users.users.mailUser.name; - group = config.users.users.mailUser.group; - }; - sops.secrets.mail_gmx_palo = { - owner = config.users.users.mailUser.name; - group = config.users.users.mailUser.group; - }; - sops.secrets.mail_gmx_ingolf = { - owner = config.users.users.mailUser.name; - group = config.users.users.mailUser.group; - }; - sops.secrets.mail_web = { - owner = config.users.users.mailUser.name; - group = config.users.users.mailUser.group; - }; - sops.secrets.mail_siteground = { - owner = config.users.users.mailUser.name; - group = config.users.users.mailUser.group; - }; - - environment.systemPackages = [ pkgs.muchsync ]; - - # configure accounts - home-manager.users.mailUser.accounts.email = { - accounts = { - - palo_van_dalo-gmx = { - primary = false; - address = "palo_van_dalo@gmx.de"; - aliases = [ ]; - realName = "Ingolf Wagner"; - userName = "palo_van_dalo@gmx.de"; - passwordCommand = - "cat ${toString config.sops.secrets.mail_gmx_palo.path }"; - imap = { - host = "imap.gmx.net"; - tls.enable = true; - port = 993; - }; - mbsync = { - enable = true; - create = "both"; - }; - notmuch.enable = true; - }; - - ingolf-wagner-gmx = { - primary = false; - address = "ingolf.wagner@gmx.de"; - aliases = [ ]; - realName = "Ingolf Wagner"; - userName = "ingolf.wagner@gmx.de"; - passwordCommand = - "cat ${toString config.sops.secrets.mail_gmx_ingolf.path }"; - imap = { - host = "imap.gmx.net"; - tls.enable = true; - port = 993; - }; - mbsync = { - enable = true; - create = "both"; - }; - notmuch.enable = true; - }; - - pali_palo = { - primary = false; - address = "pali_palo@web.de"; - aliases = [ ]; - realName = "Ingolf Wagner"; - userName = "pali_palo@web.de"; - passwordCommand = - "cat ${toString config.sops.secrets.mail_web.path }"; - imap = { - host = "imap.web.de"; - tls.enable = true; - port = 993; - }; - mbsync = { - enable = true; - create = "both"; - }; - notmuch.enable = true; - }; - - gmail = { - # for google accounts you have to allow 'less secure apps' in accounts.google.com - primary = true; - address = "palipalo9@googlemail.com"; - aliases = [ ]; - realName = "Ingolf Wagner"; - userName = "palipalo9@googlemail.com"; - passwordCommand = - "cat ${toString config.sops.secrets.mail_gmail.path }"; - imap = { - host = "imap.gmail.com"; - tls.enable = true; - port = 993; - }; - mbsync = { - enable = true; - create = "both"; - }; - notmuch.enable = true; - }; - - terranix_org = { - primary = false; - address = "palo@terranix.org"; - aliases = [ ]; - realName = "Ingolf Wagner"; - userName = "palo@terranix.org"; - passwordCommand = "cat ${toString config.sops.secrets.mail_terranix.path }"; - imap = { - host = "mail.privateemail.com"; - tls.enable = true; - port = 993; - }; - mbsync = { - enable = true; - create = "both"; - }; - notmuch.enable = true; - }; - - ingolf-wagner-de = { - primary = false; - address = "contact@ingolf-wagner.de"; - aliases = [ ]; - realName = "Ingolf Wagner"; - userName = "contact@ingolf-wagner.de"; - passwordCommand = - "cat ${toString config.sops.secrets.mail_siteground.path }"; - imap = { - host = "securees5.sgcpanel.com"; - port = 993; - tls.enable = true; - #tls.useStartTls = true; - }; - # make sure the upstream mail is deleted - getmail = { - enable = true; - delete = true; - readAll = false; - mailboxes = [ "ALL" ]; - }; - notmuch.enable = true; - }; - - }; - }; - - home-manager.users.mailUser.home.stateVersion = "22.11"; - - # configure mbsync - home-manager.users.mailUser.programs.mbsync.enable = true; - - # re-tag everything once a day - systemd.services.retagmail = { - enable = true; - serviceConfig = { User = config.users.users.mailUser.name; }; - environment.NOTMUCH_CONFIG = - "${config.users.users.mailUser.home}/.config/notmuch/notmuchrc"; - script = "${notmuchTagging}"; - }; - systemd.timers.retagmail = { - enable = true; - timerConfig = { - OnCalendar = "daily"; - Persistent = "true"; - }; - wantedBy = [ "multi-user.target" ]; - }; - - # fetch mails every 10 minutes - systemd.services.fetchmail = - let - threadTag = tag: '' - echo "tag threads with ${tag}" - ${pkgs.notmuch}/bin/notmuch tag +${tag} $(${pkgs.notmuch}/bin/notmuch search --output=threads tag:${tag}) - ''; - in - { - enable = true; - serviceConfig = { User = config.users.users.mailUser.name; }; - environment.NOTMUCH_CONFIG = - "${config.users.users.mailUser.home}/.config/notmuch/notmuchrc"; - script = '' - echo "run mbsync" - ${pkgs.isync}/bin/mbsync \ - --all - echo "run getmail" - ${pkgs.getmail}/bin/getmail \ - --quiet \ - --rcfile getmailingolf-wagner-de - - echo "run notmuch" - ${pkgs.notmuch}/bin/notmuch new - ${notmuchTaggingNew} - ${threadTag "muted"} - ${threadTag "wohnung"} - ${threadTag "flagged"} - ''; - }; - systemd.timers.fetchmail = { - enable = true; - # timerConfig.OnCalendar = " *-*-* *:00:00"; - timerConfig.OnCalendar = "*:0/10"; - wantedBy = [ "multi-user.target" ]; - }; - - # configure notmuch - home-manager.users.mailUser.programs.notmuch = { - enable = true; - new.tags = [ "unread" "inbox" "new" ]; - }; - -} diff --git a/legacy/mail-stuff.nix b/legacy/mail-stuff.nix deleted file mode 100644 index 52e40ce..0000000 --- a/legacy/mail-stuff.nix +++ /dev/null @@ -1,414 +0,0 @@ -{ config, pkgs, lib, ... }: -let - passcmd = id: "${pkgs.pass}/bin/pass ${id}"; - ticks = "''"; - -in -{ - - # Maildir <-> Server communication - # -------------------------------- - # mbsync: MailDir <-> IMAP - # msmtp: sendmail interface sending mails through your provider. - - # client backend - # -------------- - # notmuch: Tagdatabase for Emails - # muchsync: notmuch database synctool - - # clients - # ------- - # neomutt - - home-manager.users.mainUser.accounts.email.accounts = { - #palo_van_dalo-gmx = { - # address = "palo_van_dalo@gmx.de"; - # aliases = [ ]; - # realName = "Ingolf Wagner"; - # userName = "palo_van_dalo@gmx.de"; - # passwordCommand = passcmd "mail/gmx/palo_van_dalo@gmx.de"; - # smtp = { - # host = "smtp.gmx.net"; - # port = 465; - # }; - # notmuch.enable = true; - # msmtp = { enable = true; }; - #}; - #ingolf-wagner-gmx = { - # address = "ingolf.wagner@gmx.de"; - # aliases = [ ]; - # realName = "Ingolf Wagner"; - # userName = "ingolf.wagner@gmx.de"; - # passwordCommand = passcmd "mail/gmx/ingolf.wagner@gmx.de"; - # smtp = { - # host = "smtp.gmx.net"; - # port = 465; - # }; - # notmuch.enable = true; - # msmtp = { enable = true; }; - #}; - #pali_palo = { - # address = "pali_palo@web.de"; - # aliases = [ ]; - # realName = "Ingolf Wagner"; - # userName = "pali_palo@web.de"; - # passwordCommand = passcmd "mail/web.de/pali_palo@web.de"; - # smtp = { - # host = "smtp.web.de"; - # port = 465; - # }; - # notmuch.enable = true; - # msmtp = { enable = true; }; - #}; - gmail = { - # for google accounts you have to allow 'less secure apps' in accounts.google.com - primary = true; - address = "palipalo9@googlemail.com"; - aliases = [ ]; - realName = "Ingolf Wagner"; - userName = "palipalo9@googlemail.com"; - passwordCommand = passcmd "mail/gmail/palipalo9@googlemail.com"; - smtp = { - host = "smtp.gmail.com"; - port = 465; - }; - notmuch.enable = true; - msmtp = { - enable = true; - }; - gpg = { - encryptByDefault = true; - signByDefault = true; - key = "42AC51C9482D0834CF488AF1389EC2D64AC71EAC"; - }; - }; - terranix_org = { - address = "palo@terranix.org"; - aliases = [ ]; - realName = "Ingolf Wagner"; - userName = "palo@terranix.org"; - passwordCommand = passcmd "mail/namecheap/palo@terranix.org"; - smtp = { - host = "mail.privateemail.com"; - port = 465; - }; - notmuch.enable = true; - msmtp = { - enable = true; - }; - }; - ingolf-wagner = { - address = "contact@ingolf-wagner.de"; - aliases = [ ]; - realName = "Ingolf Wagner"; - userName = "contact@ingolf-wagner.de"; - passwordCommand = passcmd "mail/namecheap/contact@ingolf-wagner.de"; - notmuch.enable = true; - gpg = { - encryptByDefault = true; - signByDefault = true; - key = "42AC51C9482D0834CF488AF1389EC2D64AC71EAC"; - }; - smtp = { - host = "mail.privateemail.com"; - port = 465; - }; - msmtp = { - enable = true; - # msmtp --serverinfo --tls --tls-certcheck=off -a ingolf-wagner - }; - }; - }; - - # install mail programs - home-manager.users.mainUser.programs.msmtp.enable = true; - home-manager.users.mainUser.programs.notmuch.enable = true; - - # enable html emails - home-manager.users.mainUser.home.file.".mailcap".text = '' - text/html; ${pkgs.elinks}/bin/elinks -dump ; copiousoutput; - ''; - - home-manager.users.mainUser.home.file.".muttrc".text = - let - - index_format = pkgs.writers.writeDash "index_format" '' - # http://www.mutt.org/doc/manual/#formatstrings - recipent="$(echo $1 | sed 's/[^,]*<\([^>]*\)[^,]*/ \1/g')" - echo "%4C %Z %?GI?%GI& ? %[%y-%m-%d %H:%M] %-20.20a %?M?(%3M)& ? %s %> $recipent %?g?%g?%" - ''; - in - '' - # gpg - set crypt_use_gpgme=yes - set crypt_autosign=yes - set crypt_verify_sig=yes - set crypt_replysign=yes - set crypt_replyencrypt=yes - set crypt_replysignencrypted=yes - - # mutt is not smart enough to see if I have a key or not - #set crypt_autoencrypt = yes - - set pgp_check_gpg_decrypt_status_fd - set pgp_use_gpg_agent = yes - set pgp_self_encrypt = yes # needs default key - set pgp_default_key = 42AC51C9482D0834CF488AF1389EC2D64AC71EAC - - # read html mails - auto_view text/html - set mailcap_path = ~/.mailcap - - # notmuch - set nm_default_uri="notmuch://$HOME/Maildir" # path to the maildir - set nm_record = yes - set nm_record_tags = "-inbox me archive" - set nm_query_type = "threads" # we are not only interessted in messages - set virtual_spoolfile=yes # enable virtual folders - - set sendmail=${ - pkgs.writers.writeBash "msmtp" '' - ${pkgs.coreutils}/bin/tee >(${pkgs.notmuch}/bin/notmuch insert --create-folder +sent) | \ - ${pkgs.msmtp}/bin/msmtpq "$@" - '' - } - - set from="contact@ingolf-wagner.de" - #alternates ^.*@ingolf-wagner\.de$ ^.*@.*\.r$ - set use_from=yes - set envelope_from=yes - set reverse_name - - set sort=threads - - set index_format="${index_format} %r |" - folder-hook 'Discourse.*' 'set sort=reverse-date' - - virtual-mailboxes "INBOX" "notmuch://?query=(tag:inbox or (tag:sent and not tag:archive)) AND NOT tag:muted AND NOT tag:list AND NOT tag:fraud AND NOT tag:junk" - virtual-mailboxes "Unread" "notmuch://?query=(tag:unread AND NOT tag:muted)" - virtual-mailboxes "Space left" "notmuch://?query=((tag:spaceleft OR tag:space-lef) AND NOT tag:muted)" - virtual-mailboxes "Sononym" "notmuch://?query=(tag:sononym AND NOT tag:muted)" - virtual-mailboxes "c-base" "notmuch://?query=(tag:cbase AND NOT tag:muted)" - virtual-mailboxes "shopping" "notmuch://?query=((tag:billing OR tag:shopping) AND NOT tag:muted)" - virtual-mailboxes "Immobilien" "notmuch://?query=(tag:immobilien AND NOT tag:muted)" - virtual-mailboxes "NixOS Github" "notmuch://?query=(tag:github AND tag:nixos AND NOT tag:muted)" - virtual-mailboxes "Discourse.all" "notmuch://?query=(tag:discourse AND NOT tag:muted)" - virtual-mailboxes "Discourse.development" "notmuch://?query=(tag:discourse AND tag:development AND NOT tag:muted)" - virtual-mailboxes "Discourse.announcements" "notmuch://?query=(tag:discourse AND tag:announcements AND NOT tag:muted)" - virtual-mailboxes "Discourse.links" "notmuch://?query=(tag:discourse AND tag:links AND NOT tag:muted)" - virtual-mailboxes "Discourse.games" "notmuch://?query=(tag:discourse AND tag:games AND NOT tag:muted)" - virtual-mailboxes "Discourse.meta" "notmuch://?query=(tag:discourse AND tag:meta AND NOT tag:muted)" - virtual-mailboxes "Discourse.events" "notmuch://?query=(tag:discourse AND tag:events AND NOT tag:muted)" - virtual-mailboxes "Flagged" "notmuch://?query=tag:flagged" - virtual-mailboxes "Archive" "notmuch://?query=tag:archive" - virtual-mailboxes "Sent" "notmuch://?query=tag:sent" - virtual-mailboxes "Fraud" "notmuch://?query=(tag:fraud)" - virtual-mailboxes "Junk" "notmuch://?query=(tag:junk)" - virtual-mailboxes "All" "notmuch://?query=*" - - tag-transforms "junk" "k" \ - "unread" "u" \ - "replied" "↻" \ - - # notmuch bindings - bind index \\\\ noop - bind pager \\ noop - bind pager \\\\ noop - macro index \\\\ "" # looks up a hand made query - macro pager \\\\ "" # looks up a hand made query - - macro index + "+flagged\n" # tag as starred - macro pager + "+flagged\n" # tag as starred - macro index ! "+flagged\n" # tag as starred - macro pager ! "+flagged\n" # tag as starred - macro index - "-flagged\n" # tag as unstarred - macro pager - "-flagged\n" # tag as unstarred - - # Address Book - # ------------ - set query_command="${pkgs.notmuch-addrlookup}/bin/notmuch-addrlookup --mutt '%s'" - - # keys bindings - # ------------- - bind index d noop - bind index D noop - bind pager d noop - bind pager D noop - macro index D "-inbox -unread +deleted\n" # tag as deleted mail - macro index d "-deleted\n" # tag as deleted mail - macro pager D "-inbox -unread +deleted\n" # tag as deleted mail - macro pager d "-deleted\n" # tag as deleted mail - - bind index S noop - bind index s noop - bind pager S noop - bind pager s noop - macro index S "-inbox -unread +junk\n" # tag as junk mail - macro index s "-junk\n" # tag as junk mail - macro pager S "-inbox -unread +junk\n" # tag as junk mail - macro pager s "-junk\n" # tag as junk mail - - bind index r noop - bind index R noop - bind pager r noop - bind pager R noop - macro index r "" # reply to all - macro index R "" # reply - macro pager r "" # reply to all - macro pager R "" # reply - - - bind index A noop - bind index a noop - bind pager A noop - bind pager a noop - macro index A "+archive -unread -inbox\n" # tag as Archived - macro index a "-archive\n" # tag as Archived - macro pager A "+archive -unread -inbox\n" # tag as Archived - macro pager a "-archive\n" # tag as Archived - - bind index U noop - bind index u noop - bind pager U noop - bind pager u noop - macro index u "+unread\n" - macro index U "-unread\n" - macro pager u "+unread\n" - macro pager U "-unread\n" - - bind index l noop - bind pager l noop - macro index l "" # set tags manual - macro pager l "" # set tags manual - - # taskwarrior - # ----------- - # from https://www.nixternal.com/mark-e-mails-in-mutt-as-tasks-in-taskwarrior/ - bind index t noop - bind pager t noop - bind index T noop - bind pager T noop - macro index T "${ - pkgs.writers.writeDash "mutt2task" '' - ${pkgs.taskwarrior}/bin/task add +email scheduled:today E-mail: $( ${pkgs.gnugrep}/bin/grep 'Subject' $* | awk -F: '{print $2}' ) - '' - }" - - bind index i noop - bind pager i noop - bind index I noop - bind pager I noop - # notmuch config set query.chat - # notmuch search query:chat - # parse From and To, collect all mail addresses and remove my own mail lists, and create a query from it - #From: - #To: - macro index,pager I "${ - pkgs.writers.writeDash "show_query" '' - cat - '' - }" - - - - # top index bar in email view - set pager_index_lines=7 - # top_index_bar toggle - macro pager ,@1 " set pager_index_lines=0; macro pager ] ,@2 'Toggle indexbar" - macro pager ,@2 " set pager_index_lines=3; macro pager ] ,@3 'Toggle indexbar" - macro pager ,@3 " set pager_index_lines=7; macro pager ] ,@1 'Toggle indexbar" - macro pager ] ,@1 'Toggle indexbar - - # sidebar - # ------- - set sidebar_width = 20 - set sidebar_visible = yes # set to "no" to disable sidebar view at startup - color sidebar_new yellow default - # sidebar bindings - bind index sidebar-prev # got to previous folder in sidebar - bind index sidebar-next # got to next folder in sidebar - bind index sidebar-open # open selected folder from sidebar - - # sidebar toggle - #macro index,pager ,@) " set sidebar_visible=no; macro index,pager [ ,@( 'Toggle sidebar'" - #macro index,pager ,@( " set sidebar_visible=yes; macro index,pager [ ,@) 'Toggle sidebar'" - #macro index,pager [ ,@( 'Toggle sidebar' # toggle the sidebar - ''; - - environment.systemPackages = - let - - mailSync = pkgs.writers.writeDashBin "mail-sync" '' - ${pkgs.muchsync}/bin/muchsync mailfetcher@pepe.private \ - --config /home/mailfetcher/.config/notmuch/notmuchrc \ - --nonew - ''; - mailSend = pkgs.writers.writeDashBin "mail-send" '' - ${pkgs.msmtp}/bin/msmtp-queue -r - ''; - mailView = pkgs.writers.writeDashBin "mail-view" '' - ${pkgs.neomutt}/bin/neomutt"$@" - ''; - mutt = pkgs.writers.writeDashBin "mutt" '' - ${pkgs.neomutt}/bin/neomutt"$@" - ''; - mail = pkgs.writers.writeDashBin "mail" '' - ${mailSync}/bin/mail-sync - ${mailView}/bin/mail-view - ${mailSend}/bin/mail-send - ${mailSync}/bin/mail-sync - ''; - mailDelete = - let notmuch = "${pkgs.notmuch}/bin/notmuch"; - in pkgs.writers.writeBashBin "mail-delete" '' - set -efu - set -o pipefail - - if ! ${notmuch} search --exclude=false tag:deleted | tac ; then - echo 'No killed mail.' - exit 1 - fi - - printf 'want do rm this mail? \[y/N\] ' - read REPLY - - case "$REPLY" in - y|Y) :;; # continue - *) - echo 'abort.' - exit 2 - ;; - esac - - ${notmuch} search --output=files --exclude=false tag:deleted | while read line; do rm -v "$line" ; done - ${notmuch} new - ''; - plot_maildir = - let - years = [ 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 ]; - file = "~/Maildir/usage.csv"; - append_year = year: '' - echo -n "${toString year}," >> ${file} - ${pkgs.notmuch}/bin/notmuch count -- date:${toString year} >> ${file} - ''; - in - pkgs.writers.writeBashBin "mail-create-statistics" '' - rm ${file} - ${lib.concatStringsSep "\n" (map append_year years)} - ''; - - in - [ - pkgs.notmuch - pkgs.muchsync - mail - mailSync - mailView - mailSend - pkgs.neomutt - mutt - mailDelete - plot_maildir - ]; - -} diff --git a/legacy/media-tdarr.nix b/legacy/media-tdarr.nix deleted file mode 100644 index cb8dde7..0000000 --- a/legacy/media-tdarr.nix +++ /dev/null @@ -1,52 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - - # https://docs.tdarr.io/docs/installation/docker/run-compose - virtualisation.oci-containers = { - containers.tdarr = { - volumes = [ - "/srv2/tdarr/server:/app/server" - "/srv2/tdarr/configs:/app/configs" - "/srv2/tdarr/logs:/app/logs" - "/srv2/tdarr/transcode_cache:/temp" - "/media:/media" - ]; - environment = { - serverIP = "0.0.0.0"; - serverPort = "8266"; - webUIPort = "8265"; - internalNode = "false"; - inContainer = "true"; - nodeName = "ServerNode"; - TZ = "Europe/Berlin"; - PUID = toString config.users.users.media.uid; - PGID = toString config.users.groups.media.gid; - }; - ports = [ - "8265:8265" # WebUI - "8266:8266" # server port - ]; - image = "ghcr.io/haveagitgat/tdarr:latest"; # Warning: if the tag does not change, the image will not be updated - extraOptions = [ "--network=bridge" ]; - }; - }; - - networking.firewall.interfaces.wg0.allowedTCPPorts = [ 8266 ]; - networking.firewall.interfaces.wg0.allowedUDPPorts = [ 8266 ]; - - networking.firewall.interfaces.enp0s31f6.allowedTCPPorts = [ 8266 ]; - networking.firewall.interfaces.enp0s31f6.allowedUDPPorts = [ 8266 ]; - - services.nginx.virtualHosts."tdarr.${config.networking.hostName}.private" = { - serverAliases = [ "tdarr.${config.networking.hostName}" ]; - extraConfig = '' - allow ${config.tinc.private.subnet}; - deny all; - ''; - locations."/" = { - proxyPass = "http://localhost:8265"; - proxyWebsockets = true; - }; - }; - -} diff --git a/legacy/media-transmission.nix b/legacy/media-transmission.nix deleted file mode 100644 index 3b6d13d..0000000 --- a/legacy/media-transmission.nix +++ /dev/null @@ -1,259 +0,0 @@ -{ lib, pkgs, config, ... }: -let - hostInterface = "enp3s0"; - hostAddress = "192.168.100.30"; - containerAddress = "192.168.100.31"; - uiPort = 9091; -in -{ - - sops.secrets.nordvpn = { }; - sops.secrets.transmissionPushover = { }; - - containers.torrent = { - - # mount host folders - bindMounts = { - #password = { - # hostPath = "/run/secrets/transmission_password"; - # mountPoint = "/run/secrets/transmission_password"; - # isReadOnly = true; - #}; - transmissionPushover = { - hostPath = "/run/secrets/transmissionPushover"; - mountPoint = "/run/secrets/transmissionPushover"; - isReadOnly = true; - }; - nordvpnPassword = { - hostPath = "/run/secrets/nordvpn"; - mountPoint = "/run/secrets/nordvpn"; - isReadOnly = true; - }; - media = { - hostPath = "/media"; - mountPoint = "/media"; # must be here otherwise transmission can't see the folder - isReadOnly = false; - }; - lib = { - hostPath = "/media/torrent/torrent1_config"; - mountPoint = "/var/lib/transmission/.config"; - isReadOnly = false; - }; - }; - - # container network setup - # see also nating on host system. - privateNetwork = true; - hostAddress = hostAddress; - localAddress = containerAddress; - autoStart = true; - - # needed for openvpn - enableTun = true; - - config = { config, pkgs, lib, ... }: { - - system.stateVersion = "21.05"; - services.journald.extraConfig = "SystemMaxUse=1G"; - - # allow transmission to write in syncthing folders - users.groups.syncthing = { - gid = config.ids.gids.syncthing; - members = [ "transmission" ]; - }; - - services.transmission = { - enable = true; - settings = { - download-dir = "/media/torrent/downloads"; - incomplete-dir = "/media/torrent/incomplete"; - incomplete-dir-enabled = true; - message-level = 1; - umask = 2; - rpc-whitelist-enabled = false; - rpc-host-whitelist-enabled = false; - rpc-port = uiPort; - rpc-enable = true; - rpc-bind-address = "0.0.0.0"; - - # "normal" speed limits - speed-limit-down-enabled = false; - speed-limit-down = 800; - speed-limit-up-enabled = true; - speed-limit-up = 3000; - upload-slots-per-torrent = 8; - # Queuing - # When true, Transmission will only download - # download-queue-size non-stalled torrents at once. - download-queue-enabled = true; - download-queue-size = 3; - - # When true, torrents that have not shared data for - # queue-stalled-minutes are treated as 'stalled' - # and are not counted against the queue-download-size - # and seed-queue-size limits. - queue-stalled-enabled = true; - queue-stalled-minutes = 60; - - # When true. Transmission will only seed seed-queue-size - # non-stalled torrents at once. - seed-queue-enabled = false; - seed-queue-size = 10; - - # Enable UPnP or NAT-PMP. - peer-port = 51413; - port-forwarding-enabled = false; - - # Start torrents as soon as they are added - start-added-torrents = true; - }; - }; - - networking.firewall = { - allowedTCPPorts = [ 51413 ]; - allowedUDPPorts = [ 51413 ]; - # only allow access via nginx (proxy to localhost) - interfaces.eth0 = { - allowedTCPPorts = [ uiPort ]; - allowedUDPPorts = [ uiPort ]; - }; - }; - - # bind transmission to openvpn - systemd.services.transmission = { - bindsTo = [ "openvpn-nordvpn.service" ]; - after = [ "openvpn-nordvpn.service" ]; - serviceConfig = { - Restart = "always"; - EnvironmentFile = [ - "/run/secrets/transmissionPushover" - ]; - BindPaths = lib.mkForce [ - "/media" # this is needed otherwise cp -l is not working - "/var/lib/transmission/.config/transmission-daemon" - ]; - }; - }; - services.openvpn.servers.nordvpn.updateResolvConf = true; - services.openvpn.servers.nordvpn.config = '' - client - dev tun - proto udp - remote 152.89.163.99 1194 - dhcp-option DNS 8.8.8.8 - remote-random - nobind - tun-mtu 1500 - tun-mtu-extra 32 - mssfix 1450 - persist-key - persist-tun - ping 15 - ping-restart 0 - ping-timer-rem - reneg-sec 0 - comp-lzo no - - remote-cert-tls server - - auth-user-pass /run/secrets/nordvpn - - verb 3 - pull - resolv-retry infinite - fast-io - cipher AES-256-CBC - auth SHA512 - - - -----BEGIN CERTIFICATE----- - MIIFCjCCAvKgAwIBAgIBATANBgkqhkiG9w0BAQ0FADA5MQswCQYDVQQGEwJQQTEQ - MA4GA1UEChMHTm9yZFZQTjEYMBYGA1UEAxMPTm9yZFZQTiBSb290IENBMB4XDTE2 - MDEwMTAwMDAwMFoXDTM1MTIzMTIzNTk1OVowOTELMAkGA1UEBhMCUEExEDAOBgNV - BAoTB05vcmRWUE4xGDAWBgNVBAMTD05vcmRWUE4gUm9vdCBDQTCCAiIwDQYJKoZI - hvcNAQEBBQADggIPADCCAgoCggIBAMkr/BYhyo0F2upsIMXwC6QvkZps3NN2/eQF - kfQIS1gql0aejsKsEnmY0Kaon8uZCTXPsRH1gQNgg5D2gixdd1mJUvV3dE3y9FJr - XMoDkXdCGBodvKJyU6lcfEVF6/UxHcbBguZK9UtRHS9eJYm3rpL/5huQMCppX7kU - eQ8dpCwd3iKITqwd1ZudDqsWaU0vqzC2H55IyaZ/5/TnCk31Q1UP6BksbbuRcwOV - skEDsm6YoWDnn/IIzGOYnFJRzQH5jTz3j1QBvRIuQuBuvUkfhx1FEwhwZigrcxXu - MP+QgM54kezgziJUaZcOM2zF3lvrwMvXDMfNeIoJABv9ljw969xQ8czQCU5lMVmA - 37ltv5Ec9U5hZuwk/9QO1Z+d/r6Jx0mlurS8gnCAKJgwa3kyZw6e4FZ8mYL4vpRR - hPdvRTWCMJkeB4yBHyhxUmTRgJHm6YR3D6hcFAc9cQcTEl/I60tMdz33G6m0O42s - Qt/+AR3YCY/RusWVBJB/qNS94EtNtj8iaebCQW1jHAhvGmFILVR9lzD0EzWKHkvy - WEjmUVRgCDd6Ne3eFRNS73gdv/C3l5boYySeu4exkEYVxVRn8DhCxs0MnkMHWFK6 - MyzXCCn+JnWFDYPfDKHvpff/kLDobtPBf+Lbch5wQy9quY27xaj0XwLyjOltpiST - LWae/Q4vAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqG - SIb3DQEBDQUAA4ICAQC9fUL2sZPxIN2mD32VeNySTgZlCEdVmlq471o/bDMP4B8g - nQesFRtXY2ZCjs50Jm73B2LViL9qlREmI6vE5IC8IsRBJSV4ce1WYxyXro5rmVg/ - k6a10rlsbK/eg//GHoJxDdXDOokLUSnxt7gk3QKpX6eCdh67p0PuWm/7WUJQxH2S - DxsT9vB/iZriTIEe/ILoOQF0Aqp7AgNCcLcLAmbxXQkXYCCSB35Vp06u+eTWjG0/ - pyS5V14stGtw+fA0DJp5ZJV4eqJ5LqxMlYvEZ/qKTEdoCeaXv2QEmN6dVqjDoTAo - k0t5u4YRXzEVCfXAC3ocplNdtCA72wjFJcSbfif4BSC8bDACTXtnPC7nD0VndZLp - +RiNLeiENhk0oTC+UVdSc+n2nJOzkCK0vYu0Ads4JGIB7g8IB3z2t9ICmsWrgnhd - NdcOe15BincrGA8avQ1cWXsfIKEjbrnEuEk9b5jel6NfHtPKoHc9mDpRdNPISeVa - wDBM1mJChneHt59Nh8Gah74+TM1jBsw4fhJPvoc7Atcg740JErb904mZfkIEmojC - VPhBHVQ9LHBAdM8qFI2kRK0IynOmAZhexlP/aT/kpEsEPyaZQlnBn3An1CRz8h0S - PApL8PytggYKeQmRhl499+6jLxcZ2IegLfqq41dzIjwHwTMplg+1pKIOVojpWA== - -----END CERTIFICATE----- - - key-direction 1 - - # - # 2048 bit OpenVPN static key - # - -----BEGIN OpenVPN Static key V1----- - e685bdaf659a25a200e2b9e39e51ff03 - 0fc72cf1ce07232bd8b2be5e6c670143 - f51e937e670eee09d4f2ea5a6e4e6996 - 5db852c275351b86fc4ca892d78ae002 - d6f70d029bd79c4d1c26cf14e9588033 - cf639f8a74809f29f72b9d58f9b8f5fe - fc7938eade40e9fed6cb92184abb2cc1 - 0eb1a296df243b251df0643d53724cdb - 5a92a1d6cb817804c4a9319b57d53be5 - 80815bcfcb2df55018cc83fc43bc7ff8 - 2d51f9b88364776ee9d12fc85cc7ea5b - 9741c4f598c485316db066d52db4540e - 212e1518a9bd4828219e24b20d88f598 - a196c9de96012090e333519ae18d3509 - 9427e7b372d348d352dc4c85e18cd4b9 - 3f8a56ddb2e64eb67adfc9b337157ff4 - -----END OpenVPN Static key V1----- - - ''; - - }; - }; - - # give containers internet access - networking.nat.enable = true; - networking.nat.internalInterfaces = [ "ve-torrent" ]; - networking.nat.externalInterface = hostInterface; - - # open ports for logging - #networking.firewall.interfaces."ve-torrent".allowedTCPPorts = - # [ 5044 12304 12305 ]; - #networking.firewall.interfaces."ve-torrent".allowedUDPPorts = - # [ 5044 12304 12305 ]; - - # host nginx setup - - # curl -H "Host: transmission.robi.private" https://robi.private/ < will work - # curl -H "Host: transmission.robi.private" https://144.76.13.147/ < wont work - services.nginx = { - enable = true; - recommendedProxySettings = true; - virtualHosts = { - "transmission.${config.networking.hostName}.private" = { - extraConfig = '' - allow ${config.tinc.private.subnet}; - deny all; - ''; - locations."/" = { - proxyPass = "http://${containerAddress}:${toString uiPort}"; - }; - }; - }; - }; - -} diff --git a/legacy/media-unmanic.nix b/legacy/media-unmanic.nix deleted file mode 100644 index 4662769..0000000 --- a/legacy/media-unmanic.nix +++ /dev/null @@ -1,40 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - - virtualisation.oci-containers = { - containers.unmanic = { - volumes = [ - "/media/arr/unmanic/config:/config" - #"/media/arr/unmanic/library:/library" - "/media/arr/unmanic/tmp:/tmp/unmanic" - "/media:/library" - ]; - environment = { - PUID = toString config.users.users.media.uid; - PGID = toString config.users.groups.media.gid; - }; - ports = [ - "127.0.0.1:8889:8888" - ]; - image = "josh5/unmanic:latest"; - }; - }; - - #networking.firewall.interfaces.wg0.allowedTCPPorts = [ 8266 ]; - #networking.firewall.interfaces.wg0.allowedUDPPorts = [ 8266 ]; - - #networking.firewall.interfaces.enp0s31f6.allowedTCPPorts = [ 8266 ]; - #networking.firewall.interfaces.enp0s31f6.allowedUDPPorts = [ 8266 ]; - - services.nginx.virtualHosts."unmanic.${config.networking.hostName}.private" = { - extraConfig = '' - allow ${config.tinc.private.subnet}; - deny all; - ''; - locations."/" = { - proxyPass = "http://localhost:8889"; - proxyWebsockets = true; - }; - }; - -} diff --git a/legacy/mobi/configuration.nix b/legacy/mobi/configuration.nix deleted file mode 100644 index bd7f766..0000000 --- a/legacy/mobi/configuration.nix +++ /dev/null @@ -1,81 +0,0 @@ -{ config, pkgs, lib, ... }: { - - imports = [ - - ../../components - ../../modules - - ./hardware-configuration.nix - ./tinc.nix - ./syncthing.nix - - ]; - - security.wrappers = { - pmount = { - source = "${pkgs.pmount}/bin/pmount"; - setuid = true; - owner = "root"; - group = "root"; - }; - pumount = { - source = "${pkgs.pmount}/bin/pumount"; - setuid = true; - owner = "root"; - group = "root"; - }; - }; - - components.gui.enable = true; - - configuration.desktop = { - width = 1366; - height = 768; - }; - - # grub configuraton - # ----------------- - boot.loader.grub.enable = true; - boot.loader.grub.efiSupport = true; - boot.loader.grub.device = "/dev/sda"; - boot.loader.grub.efiInstallAsRemovable = true; - boot.tmpOnTmpfs = true; - - networking.networkmanager.enable = true; - networking.hostName = "mobi"; - - # Set your time zone. - time.timeZone = "Europe/Berlin"; - - environment.systemPackages = with pkgs; [ - vim - wget - htop - silver-searcher - ]; - - environment.extraInit = '' - # use vi shortcuts - # ---------------- - set -o vi - EDITOR=vim - ''; - - boot.supportedFilesystems = [ "zfs" ]; - networking.hostId = "5794a3f8"; - - services.openssh.enable = true; - components.network.sshd.onlyTincAccess = false; - - users.users.root.openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6uza62+Go9sBFs3XZE2OkugBv9PJ7Yv8ebCskE5WYPcahMZIKkQw+zkGI8EGzOPJhQEv2xk+XBf2VOzj0Fto4nh8X5+Llb1nM+YxQPk1SVlwbNAlhh24L1w2vKtBtMy277MF4EP+caGceYP6gki5+DzlPUSdFSAEFFWgN1WPkiyUii15Xi3QuCMR8F18dbwVUYbT11vwNhdiAXWphrQG+yPguALBGR+21JM6fffOln3BhoDUp2poVc5Qe2EBuUbRUV3/fOU4HwWVKZ7KCFvLZBSVFutXCj5HuNWJ5T3RuuxJSmY5lYuFZx9gD+n+DAEJt30iXWcaJlmUqQB5awcB1S2d9pJ141V4vjiCMKUJHIdspFrI23rFNYD9k2ZXDA8VOnQE33BzmgF9xOVh6qr4G0oEpsNqJoKybVTUeSyl4+ifzdQANouvySgLJV/pcqaxX1srSDIUlcM2vDMWAs3ryCa0aAlmAVZIHgRhh6wa+IXW8gIYt+5biPWUuihJ4zGBEwkyVXXf2xsecMWCAGPWPDL0/fBfY9krNfC5M2sqxey2ShFIq+R/wMdaI7yVjUCF2QIUNiIdFbJL6bDrDyHnEXJJN+rAo23jUoTZZRv7Jq3DB/A5H7a73VCcblZyUmwMSlpg3wos7pdw5Ctta3zQPoxoAKGS1uZ+yTeZbPMmdbw== contact@ingolf-wagner.de" ]; - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "22.05"; # Did you read the comment? - -} - diff --git a/legacy/mobi/hardware-configuration.nix b/legacy/mobi/hardware-configuration.nix deleted file mode 100644 index 6707e93..0000000 --- a/legacy/mobi/hardware-configuration.nix +++ /dev/null @@ -1,47 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci" ]; - boot.initrd.kernelModules = [ "dm-snapshot" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { - device = "/dev/disk/by-uuid/978cfc56-b47d-4d94-adae-18a4209519a5"; - fsType = "ext4"; - }; - - boot.initrd.luks.devices."root-enc".device = "/dev/disk/by-uuid/cf30f4a6-578e-418a-9d18-d32fbf992b0c"; - - fileSystems."/boot" = - { - device = "/dev/disk/by-uuid/AEE5-221F"; - fsType = "vfat"; - }; - - swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp0s25.useDHCP = lib.mkDefault true; - # networking.interfaces.tinc.private.useDHCP = lib.mkDefault true; - # networking.interfaces.tinc.retiolum.useDHCP = lib.mkDefault true; - # networking.interfaces.tinc.secret.useDHCP = lib.mkDefault true; - # networking.interfaces.virbr0.useDHCP = lib.mkDefault true; - # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true; - - powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} diff --git a/legacy/mobi/syncthing.nix b/legacy/mobi/syncthing.nix deleted file mode 100644 index 0778de2..0000000 --- a/legacy/mobi/syncthing.nix +++ /dev/null @@ -1,37 +0,0 @@ -{ config, pkgs, lib, ... }: { - - services.syncthing = { - enable = true; - openDefaultPorts = false; - user = "palo"; - dataDir = "/home/palo/.syncthing"; - configDir = "/home/palo/.syncthing"; - overrideFolders = true; - folders = { - - # on encrypted drive - # ------------------ - private = { - enable = true; - path = "/home/palo/private"; - }; - desktop = { - enable = true; - path = "/home/palo/desktop"; - }; - finance = { - enable = true; - path = "/home/palo/finance"; - }; - password-store = { - enable = true; - path = "/home/palo/.password-store"; - }; - }; - }; - - services.permown."/home/palo/music-library" = { - owner = "palo"; - group = "users"; - }; -} diff --git a/legacy/mobi/tinc.nix b/legacy/mobi/tinc.nix deleted file mode 100644 index ed50994..0000000 --- a/legacy/mobi/tinc.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ config, ... }: -{ - tinc.private.enable = true; - tinc.private.ipv4 = "10.23.42.23"; -} diff --git a/legacy/mpd.nix b/legacy/mpd.nix deleted file mode 100644 index ff9622d..0000000 --- a/legacy/mpd.nix +++ /dev/null @@ -1,78 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - services.mpd = { - enable = true; - network.listenAddress = "any"; - musicDirectory = "/media/syncthing/music-library"; - playlistDirectory = "/media/syncthing/music-library/playlists"; - }; - - users.groups."syncthing".members = [ "mpd" ]; - - sound.enable = true; - - networking.firewall.allowedTCPPorts = [ - 6680 # mopidy - 6600 # mpd - 1234 # zeroconf - ]; - - users.users."spotifyd" = { - isSystemUser = true; - group = "spotifyd"; - }; - users.groups.spotifyd = { }; - - sops.secrets.spotify_pass.owner = "spotifyd"; - sops.secrets.spotify_user.owner = "spotifyd"; - - services.spotifyd.enable = true; - services.spotifyd.settings = { - global = { - - username_cmd = "cat ${config.sops.secrets.spotify_user.path}"; - password_cmd = "cat ${config.sops.secrets.spotify_pass.path}"; - backend = "alsa"; # use portaudio for macOS [homebrew] - - # The alsa mixer used by `spotifyd`. - mixer = "PCM"; - - # A script that gets evaluated in the user's shell when the song changes [aliases: onevent] - on-song-change-hook = "${pkgs.mpc_cli}/bin/mpc --host localhost --port 6600 stop"; - - # The volume controller. Each one behaves different to - # volume increases. For possible values, run - # `spotifyd --help`. - volume_controller = "alsa"; - - # The name that gets displayed under the connect tab on - # official clients. Spaces are not allowed! - device_name = "DJane"; - - # The audio bitrate. 96, 160 or 320 kbit/s - bitrate = 320; - - # If set to true, audio data does NOT get cached. - no_audio_cache = true; - - # Volume on startup between 0 and 100 - # NOTE: This variable's type will change in v0.4, to a number (instead of string) - initial_volume = "90"; - - # If set to true, enables volume normalisation between songs. - volume_normalisation = false; - - # The normalisation pregain that is applied for each song. - # normalisation_pregain = -10 - - # The port `spotifyd` uses to announce its service over the network. - zeroconf_port = 1234; - - # The displayed device type in Spotify clients. - # Can be unknown, computer, tablet, smartphone, speaker, t_v, - # a_v_r (Audio/Video Receiver), s_t_b (Set-Top Box), and audio_dongle. - device_type = "computer"; - - }; - }; -} diff --git a/legacy/mysql.nix b/legacy/mysql.nix deleted file mode 100644 index 727df98..0000000 --- a/legacy/mysql.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ pkgs, lib, config, ... }: { - - services.mysql = { - enable = true; - package = pkgs.mysql80; - initialScript = pkgs.writeText "initScript" '' - CREATE USER 'admin'@'%' IDENTIFIED BY 'admin'; - GRANT ALL PRIVILEGES ON * . * TO 'admin'@'%'; - ''; - }; - - services.mysqlBackup = { - enable = true; - databases = [ "property" ]; - #user = "admin"; - }; - - backup.dirs = [ config.services.mysqlBackup.location ]; - -} diff --git a/legacy/nginx-logging.nix b/legacy/nginx-logging.nix deleted file mode 100644 index 24f2abc..0000000 --- a/legacy/nginx-logging.nix +++ /dev/null @@ -1,41 +0,0 @@ -{ pkgs, lib, ... }: -let - access_log_sink = "workhorse.private:12304"; - error_log_sink = "workhorse.private:12305"; -in -{ - - security.acme.defaults.email = "contact@ingolf-wagner.de"; - security.acme.acceptTerms = true; - - services.nginx = { - - # Use recommended settings - recommendedGzipSettings = lib.mkDefault true; - recommendedOptimisation = lib.mkDefault true; - recommendedProxySettings = lib.mkDefault true; - recommendedTlsSettings = lib.mkDefault true; - - # for graylog logging - #commonHttpConfig = '' - # log_format graylog2_json escape=json '{ "timestamp": "$time_iso8601", ' - # '"facility": "nginx", ' - # '"src_addr": "$remote_addr", ' - # '"body_bytes_sent": $body_bytes_sent, ' - # '"request_time": $request_time, ' - # '"response_status": $status, ' - # '"request": "$request", ' - # '"request_method": "$request_method", ' - # '"host": "$host",' - # '"upstream_cache_status": "$upstream_cache_status",' - # '"upstream_addr": "$upstream_addr",' - # '"http_x_forwarded_for": "$http_x_forwarded_for",' - # '"http_referrer": "$http_referer", ' - # '"http_user_agent": "$http_user_agent" }'; - # access_log syslog:server=${access_log_sink} graylog2_json; - # error_log syslog:server=${error_log_sink}; - #''; - }; - - services.nginx.package = pkgs.nginxMainline; -} diff --git a/legacy/property.nix b/legacy/property.nix deleted file mode 100644 index 169f2c2..0000000 --- a/legacy/property.nix +++ /dev/null @@ -1,43 +0,0 @@ -{ lib, pkgs, config, ... }: { - - users.users.property = { isSystemUser = true; }; - - systemd.services.property = { - enable = true; - wantedBy = [ "multi-user.target" ]; - path = [ - (pkgs.python3.withPackages (ps: - with ps; [ - flask - selenium - beautifulsoup4 - urllib3 - sqlalchemy - mysqlclient - pytest - dateparser - geopy - nltk - click - ])) - ]; - - serviceConfig = { User = "property"; }; - script = '' - FLASK_APP=${}/server.py \ - FLASK_RUN_PORT=7888 \ - flask run --host 0.0.0.0 \ - "$@" - ''; - }; - - services.nginx = { - enable = true; - virtualHosts = { - "property.workhorse.private" = { - locations."/" = { proxyPass = "http://localhost:7888"; }; - }; - }; - }; - -} diff --git a/legacy/robi/borg.nix b/legacy/robi/borg.nix deleted file mode 100644 index dc8d19e..0000000 --- a/legacy/robi/borg.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ lib, config, pkgs, ... }: { - - backup.enable = true; - - # provide repository - services.borgbackup.repos = { - default = { - quota = "300G"; - allowSubRepos = true; - authorizedKeys = [ - ]; - }; - }; - - -} diff --git a/legacy/robi/cache.nix b/legacy/robi/cache.nix deleted file mode 100644 index baa4944..0000000 --- a/legacy/robi/cache.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ ... }: -{ - services.nix-serve = { - enable = true; - - # needed if i want to trust my own build packages and dirivations - # nix-store --generate-binary-cache-key key-name secret-key-file public-key-file - # secretKeyFile = sops.nixServeSecretKeyFile.path - - }; - - -} diff --git a/legacy/robi/codimd.nix b/legacy/robi/codimd.nix deleted file mode 100644 index c44a0d8..0000000 --- a/legacy/robi/codimd.nix +++ /dev/null @@ -1,34 +0,0 @@ -{ config, lib, pkgs, ... }: -let - domain = "md.ingolf-wagner.de"; -in -{ - - services.nginx.enable = true; - services.nginx.virtualHosts.hedgedoc = { - enableACME = true; - forceSSL = true; - serverName = domain; - locations."/" = { - proxyPass = "http://localhost:${toString config.services.hedgedoc.settings.port}"; - proxyWebsockets = true; - }; - }; - - services.hedgedoc = { - enable = true; - settings = { - db = { - dialect = "sqlite"; - storage = "/var/lib/hedgedoc/db.sqlite"; - useCDN = false; - }; - allowFreeURL = true; - domain = domain; - port = 3091; - useCDN = false; - }; - }; - -} - diff --git a/legacy/robi/configuration.nix b/legacy/robi/configuration.nix deleted file mode 100644 index d727fb4..0000000 --- a/legacy/robi/configuration.nix +++ /dev/null @@ -1,102 +0,0 @@ -{ lib, config, pkgs, ... }: { - imports = [ - - # ../../system/all/nginx-ingolf-wagner-de.nix - ../../system/all/defaults.nix - - ../../components - ../../modules - - ./hetzner.nix - - ./borg.nix - #./codimd.nix - #./gitea.nix - #./nextcloud.nix - ./packages.nix - #./taskserver.nix - #./vaultwarden.nix - #./nginx.nix - #./nginx-wkd.nix - - ./network-tinc.nix - #./network-wireguard.nix - - ./media-share.nix - #./media-jellyfin.nix - ./media-syncthing.nix - #./media-transmission.nix - #./media-transmission2.nix - #./media-arr.nix - - ./social-jitsi.nix - - # matrix - #./social-matrix.nix - - # logging - ./loki.nix - ./loki-promtail.nix - ./prometheus.nix - ./grafana.nix - ./telegraf.nix - - ./sync-opentracker.nix - ./sync-torrent.nix - - ./cache.nix - ]; - - - - - components.terminal.enable = true; - components.mainUser.enable = true; - components.gui.enable = false; - - components.network.enable = true; - components.network.wifi.enable = false; - - # 2 hours = 2 * 60 * 60 = 7200 seconds - #services.netdata.config.global.history = 7200; - # 4 hours = 4 * 60 * 60 = 14440 seconds - services.netdata.config.global.history = 14440; - # 24 hours = 24 * 60 * 60 = 86400 seconds - #services.netdata.config.global.history = 86400; - - services.sshguard.enable = true; - - security.acme.acceptTerms = true; - security.acme.defaults.email = "contact@ingolf-wagner.de"; - - sops.defaultSopsFile = ../../secrets/robi.yaml; - # virtualisation.docker.enable = false; - services.printing.enable = false; - services.smartd.enable = true; - - # chungus rsync - users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJkqVvuJSvRMO5pG2CHNNBxjB7HlJudK4TQs3BhbOWOD" ]; - fileSystems."/var/lib/nextcloud" = - { - device = "/dev/vg/nextcloud"; - fsType = "ext4"; - }; - - fileSystems."/var/lib/borgbackup" = - { - device = "/dev/vg/borg"; - fsType = "ext4"; - }; - - fileSystems."/media" = - { - device = "/dev/vg/media"; - fsType = "ext4"; - }; - - # usually part of the wifi.nix module - # because Networkd-wait-online is just failing. - #systemd.services.systemd-networkd-wait-online.enable = false; - systemd.services.NetworkManager-wait-online.enable = false; - -} diff --git a/legacy/robi/gitea.nix b/legacy/robi/gitea.nix deleted file mode 100644 index a359d41..0000000 --- a/legacy/robi/gitea.nix +++ /dev/null @@ -1,40 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - - services.nginx = { - enable = true; - statusPage = true; - virtualHosts = { - "git.ingolf-wagner.de" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://localhost:${toString config.services.gogs.httpPort}"; - }; - }; - }; - }; - - - # todo move to forgejo - services.gitea = { - enable = true; - appName = "git.ingolf-wagner.de"; - package = pkgs.forgejo; - #cookieSecure = true; - #disableRegistration = true; - settings = { - server.ROOT_URL = "https://git.ingolf-wagner.de/"; - server.DOMAIN = "git.ingolf-wagner.de"; - service.DISABLE_REGISTRATION = true; - session.COOKIE_SECURE = true; - log.LEVEL = "Warn"; - other = { - SHOW_FOOTER_VERSION = false; - }; - }; - }; - - backup.dirs = [ "/var/lib/gitea" ]; - -} diff --git a/legacy/robi/grafana.nix b/legacy/robi/grafana.nix deleted file mode 100644 index d8f5642..0000000 --- a/legacy/robi/grafana.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ config, ... }: -{ - - services.nginx.virtualHosts.${config.services.grafana.settings.server.domain} = { - extraConfig = '' - allow ${config.tinc.private.subnet}; - deny all; - ''; - locations."/" = { - proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}"; - proxyWebsockets = true; - }; - }; - - services.grafana = { - enable = true; - settings.server = { - domain = "grafana.robi.private"; - http_port = 2342; - http_addr = "localhost"; - }; - }; - -} diff --git a/legacy/robi/grocy.nix b/legacy/robi/grocy.nix deleted file mode 100644 index 614a8b9..0000000 --- a/legacy/robi/grocy.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - services.grocy = { - enable = true; - settings = { - culture = "de"; - currency = "EUR"; - }; - hostName = "grocy.ingolf-wagner.de"; - nginx.enableSSL = true; - }; - - backup.dirs = [ config.services.grocy.dataDir ]; - -} diff --git a/legacy/robi/hardware-configuration.nix b/legacy/robi/hardware-configuration.nix deleted file mode 100644 index 31cbc51..0000000 --- a/legacy/robi/hardware-configuration.nix +++ /dev/null @@ -1,38 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = [ "ahci" "sd_mod" ]; - boot.initrd.kernelModules = [ "dm-snapshot" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { - device = "/dev/disk/by-uuid/d6a794d2-1da4-4457-9a9a-a39bf9521ae4"; - fsType = "ext4"; - }; - - fileSystems."/boot-1" = - { - device = "/dev/disk/by-uuid/519D-F289"; - fsType = "vfat"; - }; - - fileSystems."/boot-2" = - { - device = "/dev/disk/by-uuid/519E-6EF1"; - fsType = "vfat"; - }; - - swapDevices = [ ]; - - powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; -} diff --git a/legacy/robi/hetzner.nix b/legacy/robi/hetzner.nix deleted file mode 100644 index 0adbb30..0000000 --- a/legacy/robi/hetzner.nix +++ /dev/null @@ -1,123 +0,0 @@ -{ config, pkgs, modulesPath, lib, ... }: - -let - - hostName = "robi"; - - # apt install -y lshw - # lshw -C network | grep -Poh 'driver=[[:alnum:]]+' - - networkInterfaceModule = "r8169"; - - networkInterface = "enp3s0"; - - # From the Hetzner control panel - ipv4 = { - address = "144.76.13.147"; # the ip address - gateway = "144.76.13.129"; # the gateway ip address - netmask = "255.255.255.224"; # the netmask -- might not be the same for you! - prefixLength = 27; # must match the netmask, see - }; - ipv6 = { - address = "2a01:4f8:190:9147::1"; # the ipv6 addres - gateway = "fe80::1"; # the ipv6 gateway - prefixLength = 64; # shown in the control panel - }; - -in - -{ - imports = - [ - # Include the results of the hardware scan. - ./hardware-configuration.nix - ]; - - # needed lvm for raid - boot.initrd.kernelModules = [ - "dm-snapshot" - "dm_mirror" - "dm_raid" - "dm_region_hash" - ]; - - # Use GRUB2 as the boot loader. - # We don't use systemd-boot because Hetzner uses BIOS legacy boot. - boot.loader.systemd-boot.enable = false; - boot.loader.grub = { - enable = true; - efiSupport = false; - }; - - # This will mirror all UEFI files, kernels, grub menus and - # things needed to boot to the other drive. - boot.loader.grub.mirroredBoots = [ - { path = "/boot-1"; devices = [ "/dev/sda" ]; } - { path = "/boot-2"; devices = [ "/dev/sdb" ]; } - ]; - - # We want to still be able to boot without one of these - fileSystems."/boot-1".options = [ "nofail" ]; - fileSystems."/boot-2".options = [ "nofail" ]; - - boot.initrd.luks.reusePassphrases = true; - boot.initrd.luks.devices = { - a_encrypted = { - device = "/dev/sda3"; - preLVM = true; - }; - b_encrypted = { - device = "/dev/sdb3"; - preLVM = true; - }; - }; - - networking.hostName = hostName; - - # Network configuration (Hetzner uses static IP assignments, and we don't use DHCP here) - networking.useDHCP = false; - networking.interfaces.${networkInterface} = { - ipv4 = { addresses = [{ address = ipv4.address; prefixLength = ipv4.prefixLength; }]; }; - ipv6 = { addresses = [{ address = ipv6.address; prefixLength = ipv6.prefixLength; }]; }; - }; - networking.defaultGateway = ipv4.gateway; - networking.defaultGateway6 = { address = ipv6.gateway; interface = networkInterface; }; - networking.nameservers = [ "8.8.8.8" ]; - - # Initial empty root password for easy login: - users.users.root.initialHashedPassword = ""; - services.openssh.settings.PermitRootLogin = "prohibit-password"; - services.openssh.settings.PasswordAuthentication = false; - - environment.systemPackages = [ pkgs.mosh ]; - - users.users.root.openssh.authorizedKeys.keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC6uza62+Go9sBFs3XZE2OkugBv9PJ7Yv8ebCskE5WYPcahMZIKkQw+zkGI8EGzOPJhQEv2xk+XBf2VOzj0Fto4nh8X5+Llb1nM+YxQPk1SVlwbNAlhh24L1w2vKtBtMy277MF4EP+caGceYP6gki5+DzlPUSdFSAEFFWgN1WPkiyUii15Xi3QuCMR8F18dbwVUYbT11vwNhdiAXWphrQG+yPguALBGR+21JM6fffOln3BhoDUp2poVc5Qe2EBuUbRUV3/fOU4HwWVKZ7KCFvLZBSVFutXCj5HuNWJ5T3RuuxJSmY5lYuFZx9gD+n+DAEJt30iXWcaJlmUqQB5awcB1S2d9pJ141V4vjiCMKUJHIdspFrI23rFNYD9k2ZXDA8VOnQE33BzmgF9xOVh6qr4G0oEpsNqJoKybVTUeSyl4+ifzdQANouvySgLJV/pcqaxX1srSDIUlcM2vDMWAs3ryCa0aAlmAVZIHgRhh6wa+IXW8gIYt+5biPWUuihJ4zGBEwkyVXXf2xsecMWCAGPWPDL0/fBfY9krNfC5M2sqxey2ShFIq+R/wMdaI7yVjUCF2QIUNiIdFbJL6bDrDyHnEXJJN+rAo23jUoTZZRv7Jq3DB/A5H7a73VCcblZyUmwMSlpg3wos7pdw5Ctta3zQPoxoAKGS1uZ+yTeZbPMmdbw==" - ]; - - services.openssh.enable = true; - - system.stateVersion = "21.05"; - - # enable ssh on init - # ------------------ - - boot.kernelParams = [ - # See for docs on this - # ip=::::::::: - # The server ip refers to the NFS server -- we don't need it. - "ip=${ipv4.address}::${ipv4.gateway}:${ipv4.netmask}:${hostName}-initrd:${networkInterface}:off:8.8.8.8" - ]; - boot.initrd.availableKernelModules = [ networkInterfaceModule ]; - boot.initrd.network.enable = true; - boot.initrd.network.ssh = { - enable = true; - authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys; - port = 2222; - hostKeys = [ - /etc/secrets/initrd/ssh_host_rsa_key - /etc/secrets/initrd/ssh_host_ed25519_key - ]; - }; - -} diff --git a/legacy/robi/loki-promtail.nix b/legacy/robi/loki-promtail.nix deleted file mode 100644 index 1c64287..0000000 --- a/legacy/robi/loki-promtail.nix +++ /dev/null @@ -1,41 +0,0 @@ -{ config, ... }: -{ - services.promtail = { - enable = true; - configuration = { - server = { - http_listen_port = 28183; - grpc_listen_port = 0; - }; - positions.filename = "/tmp/positions.yaml"; - clients = [ - { url = "http://127.0.0.1:3100/loki/api/v1/push"; } - ]; - - scrape_configs = [ - { - job_name = "journal"; - journal = { - max_age = "12h"; - labels = { - job = "systemd-journal"; - host = config.networking.hostName; - }; - }; - relabel_configs = [ - { - source_labels = [ "__journal__systemd_unit" ]; - target_label = "unit"; - } - { - source_labels = [ "__journal__transport" ]; - target_label = "transport"; - } - ]; - } - ]; - - }; - - }; -} diff --git a/legacy/robi/loki.nix b/legacy/robi/loki.nix deleted file mode 100644 index c0eba2c..0000000 --- a/legacy/robi/loki.nix +++ /dev/null @@ -1,99 +0,0 @@ -{ config, pkgs, ... }: -{ - - services.loki = { - enable = true; - configuration = { - server = { - http_listen_port = 3100; - log_level = "warn"; - }; - auth_enabled = false; - - ingester = { - lifecycler = { - address = "127.0.0.1"; - ring = { - kvstore = { - store = "inmemory"; - }; - replication_factor = 1; - }; - }; - chunk_idle_period = "1h"; - max_chunk_age = "1h"; - chunk_target_size = 999999; - chunk_retain_period = "30s"; - max_transfer_retries = 0; - }; - - schema_config = { - configs = [{ - from = "2022-06-06"; - store = "boltdb-shipper"; - object_store = "filesystem"; - schema = "v11"; - index = { - prefix = "index_"; - period = "24h"; - }; - }]; - }; - - storage_config = { - boltdb_shipper = { - active_index_directory = "/var/lib/loki/boltdb-shipper-active"; - cache_location = "/var/lib/loki/boltdb-shipper-cache"; - cache_ttl = "24h"; - shared_store = "filesystem"; - }; - - filesystem = { - directory = "/var/lib/loki/chunks"; - }; - }; - - limits_config = { - reject_old_samples = true; - reject_old_samples_max_age = "168h"; - }; - - chunk_store_config = { - max_look_back_period = "0s"; - }; - - table_manager = { - retention_deletes_enabled = false; - retention_period = "0s"; - }; - - compactor = { - working_directory = "/var/lib/loki"; - shared_store = "filesystem"; - compactor_ring = { - kvstore = { - store = "inmemory"; - }; - }; - }; - }; - # user, group, dataDir, extraFlags, (configFile) - }; - - #services.nginx = { - # enable = true; - # virtualHosts.loki = { - # serverName = "loki.pepe.private"; - # locations."/" = { - # proxyWebsockets = true; - # proxyPass = "http://127.0.0.1:3100"; - # #extraConfig = '' - # # access_log off; - # # allow ${config.tinc.private.subnet}; - # # deny all; - # #''; - # }; - # }; - #}; - -} diff --git a/legacy/robi/media-arr.nix b/legacy/robi/media-arr.nix deleted file mode 100644 index 4fd1632..0000000 --- a/legacy/robi/media-arr.nix +++ /dev/null @@ -1,80 +0,0 @@ -{ config, ... }: -{ - networking.firewall.interfaces.wg0.allowedTCPPorts = [ 7878 8989 ]; - - # download series - services.sonarr = { - enable = true; - group = "media"; - user = "media"; - }; - - # download movies - services.radarr = { - enable = true; - group = "media"; - user = "media"; - }; - - # better indexer apis - services.prowlarr = { - enable = true; - #group = "media"; - #user = "media"; - }; - - services.jellyseerr = { - enable = true; - }; - - services.permown."/media/arr" = { - owner = "media"; - group = "media"; - directory-mode = "770"; - file-mode = "770"; - }; - - services.nginx.virtualHosts = { - "radarr.${config.networking.hostName}.private" = { - extraConfig = '' - allow ${config.tinc.private.subnet}; - deny all; - ''; - locations."/" = { - proxyPass = "http://localhost:7878"; - proxyWebsockets = true; - }; - }; - "sonarr.${config.networking.hostName}.private" = { - extraConfig = '' - allow ${config.tinc.private.subnet}; - deny all; - ''; - locations."/" = { - proxyPass = "http://localhost:8989"; - proxyWebsockets = true; - }; - }; - "prowlarr.${config.networking.hostName}.private" = { - extraConfig = '' - allow ${config.tinc.private.subnet}; - deny all; - ''; - locations."/" = { - proxyPass = "http://localhost:9696"; - proxyWebsockets = true; - }; - }; - "jellyseerr.${config.networking.hostName}.private" = { - extraConfig = '' - allow ${config.tinc.private.subnet}; - deny all; - ''; - locations."/" = { - proxyPass = "http://localhost:${toString config.services.jellyseerr.port}"; - proxyWebsockets = true; - }; - }; - }; - -} diff --git a/legacy/robi/media-jellyfin.nix b/legacy/robi/media-jellyfin.nix deleted file mode 100644 index 8607b02..0000000 --- a/legacy/robi/media-jellyfin.nix +++ /dev/null @@ -1,41 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - - services.jellyfin = { - enable = true; - openFirewall = false; - group = "media"; - user = "media"; - }; - - hardware.opengl = { - enable = true; - driSupport = true; - driSupport32Bit = true; - }; - - services.nginx = - let - flixConfig = { - forceSSL = true; - enableACME = true; - extraConfig = '' - # Security / XSS Mitigation Headers - # NOTE: X-Frame-Options may cause issues with the webOS app - add_header X-Frame-Options "SAMEORIGIN"; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Content-Type-Options "nosniff"; - ''; - locations."/" = { - recommendedProxySettings = true; - proxyWebsockets = true; - proxyPass = "http://localhost:8096"; - }; - }; - in - { - enable = true; - virtualHosts. "flix.ingolf-wagner.de" = flixConfig; - virtualHosts. "video.ingolf-wagner.de" = flixConfig; - }; -} diff --git a/legacy/robi/media-share.nix b/legacy/robi/media-share.nix deleted file mode 100644 index 86a1080..0000000 --- a/legacy/robi/media-share.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ config, ... }: -{ - - users.groups."media".gid = config.ids.gids.transmission; - users.users."media" = { - uid = config.ids.uids.transmission; - useDefaultShell = true; - home = "/home/media"; - createHome = true; - group = "media"; - }; - - services.permown."/media/media" = { - owner = "media"; - group = "media"; - directory-mode = "770"; - file-mode = "770"; - }; - - -} diff --git a/legacy/robi/media-syncthing.nix b/legacy/robi/media-syncthing.nix deleted file mode 100644 index cd55902..0000000 --- a/legacy/robi/media-syncthing.nix +++ /dev/null @@ -1,77 +0,0 @@ -{ config, pkgs, lib, ... }: { - - sops.secrets.syncthing_cert = { }; - sops.secrets.syncthing_key = { }; - - networking.firewall.allowedTCPPorts = [ 22000 ]; - networking.firewall.allowedUDPPorts = [ 22000 ]; - - services.syncthing = { - enable = true; - openDefaultPorts = false; - dataDir = "/media/syncthing/config"; - configDir = "/media/syncthing/config"; - overrideDevices = true; - overrideFolders = true; - cert = toString config.sops.secrets.syncthing_cert.path; - key = toString config.sops.secrets.syncthing_key.path; - - settings.folders = { - # on media hard drive (not encrypted) - # ----------------------------------- - #borg-mirror = { - # enable = true; - # path = "/media/syncthing/borg"; - # rescanInterval = 36 * 3600; - # type = "sendonly"; - #}; - #video-material = { - # enable = true; - # path = "/home/syncthing/video-material"; - #}; - books = { - enable = true; - path = "/media/syncthing/books"; - }; - lost-fotos = { - enable = true; - path = "/media/syncthing/lost-fotos.ct"; - rescanIntervalS = 40 * 24 * 3600; - }; - #media = { - # enable = true; - # watch = false; - # type = "sendonly"; - # path = "/media/syncthing/media"; - # rescanInterval = 27 * 24 * 3600; - #}; - music-projects = { - enable = true; - #watch = true; - path = "/media/syncthing/music-projects"; - }; - nextcloud_backup = { - enable = true; - #watch = true; - path = "/media/syncthing/nextcloud_backup"; - rescanIntervalS = 23 * 3600; - }; - }; - }; - - services.permown."/media/syncthing" = { - # not managed by syncthing anymore - owner = "syncthing"; - group = "syncthing"; - umask = "0002"; - }; - systemd.services."permown._media_syncthing" = { - bindsTo = [ "media.mount" ]; - after = [ "media.mount" ]; - }; - systemd.services."syncthing" = { - bindsTo = [ "media.mount" ]; - after = [ "media.mount" ]; - }; - -} diff --git a/legacy/robi/media-tdarr.nix b/legacy/robi/media-tdarr.nix deleted file mode 100644 index 3249efa..0000000 --- a/legacy/robi/media-tdarr.nix +++ /dev/null @@ -1,54 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - - # https://docs.tdarr.io/docs/installation/docker/run-compose - virtualisation.oci-containers = { - containers.tdarr = { - volumes = [ - "/media/arr/tdarr/server:/app/server" - "/media/arr/tdarr/configs:/app/configs" - "/media/arr/tdarr/logs:/app/logs" - "/media/arr/tdarr/transcode_cache:/temp" - "/media:/media" - ]; - environment = { - serverIP = "0.0.0.0"; - serverPort = "8266"; - webUIPort = "8265"; - internalNode = "true"; - inContainer = "true"; - nodeName = "robi"; - TZ = "Europe/Berlin"; - PUID = toString config.users.users.media.uid; - PGID = toString config.users.groups.media.gid; - }; - ports = [ - "127.0.0.1:8265:8265" # WebUI - # "8266:8266" # server port - ]; - image = "ghcr.io/haveagitgat/tdarr:latest"; # Warning: if the tag does not change, the image will not be updated - extraOptions = [ - #"--network=bridge" - #"--privileged" - ]; - }; - }; - - #networking.firewall.interfaces.wg0.allowedTCPPorts = [ 8266 ]; - #networking.firewall.interfaces.wg0.allowedUDPPorts = [ 8266 ]; - - #networking.firewall.interfaces.enp0s31f6.allowedTCPPorts = [ 8266 ]; - #networking.firewall.interfaces.enp0s31f6.allowedUDPPorts = [ 8266 ]; - - services.nginx.virtualHosts."tdarr.${config.networking.hostName}.private" = { - extraConfig = '' - allow ${config.tinc.private.subnet}; - deny all; - ''; - locations."/" = { - proxyPass = "http://localhost:8265"; - proxyWebsockets = true; - }; - }; - -} diff --git a/legacy/robi/media-transmission.nix b/legacy/robi/media-transmission.nix deleted file mode 100644 index 3b6d13d..0000000 --- a/legacy/robi/media-transmission.nix +++ /dev/null @@ -1,259 +0,0 @@ -{ lib, pkgs, config, ... }: -let - hostInterface = "enp3s0"; - hostAddress = "192.168.100.30"; - containerAddress = "192.168.100.31"; - uiPort = 9091; -in -{ - - sops.secrets.nordvpn = { }; - sops.secrets.transmissionPushover = { }; - - containers.torrent = { - - # mount host folders - bindMounts = { - #password = { - # hostPath = "/run/secrets/transmission_password"; - # mountPoint = "/run/secrets/transmission_password"; - # isReadOnly = true; - #}; - transmissionPushover = { - hostPath = "/run/secrets/transmissionPushover"; - mountPoint = "/run/secrets/transmissionPushover"; - isReadOnly = true; - }; - nordvpnPassword = { - hostPath = "/run/secrets/nordvpn"; - mountPoint = "/run/secrets/nordvpn"; - isReadOnly = true; - }; - media = { - hostPath = "/media"; - mountPoint = "/media"; # must be here otherwise transmission can't see the folder - isReadOnly = false; - }; - lib = { - hostPath = "/media/torrent/torrent1_config"; - mountPoint = "/var/lib/transmission/.config"; - isReadOnly = false; - }; - }; - - # container network setup - # see also nating on host system. - privateNetwork = true; - hostAddress = hostAddress; - localAddress = containerAddress; - autoStart = true; - - # needed for openvpn - enableTun = true; - - config = { config, pkgs, lib, ... }: { - - system.stateVersion = "21.05"; - services.journald.extraConfig = "SystemMaxUse=1G"; - - # allow transmission to write in syncthing folders - users.groups.syncthing = { - gid = config.ids.gids.syncthing; - members = [ "transmission" ]; - }; - - services.transmission = { - enable = true; - settings = { - download-dir = "/media/torrent/downloads"; - incomplete-dir = "/media/torrent/incomplete"; - incomplete-dir-enabled = true; - message-level = 1; - umask = 2; - rpc-whitelist-enabled = false; - rpc-host-whitelist-enabled = false; - rpc-port = uiPort; - rpc-enable = true; - rpc-bind-address = "0.0.0.0"; - - # "normal" speed limits - speed-limit-down-enabled = false; - speed-limit-down = 800; - speed-limit-up-enabled = true; - speed-limit-up = 3000; - upload-slots-per-torrent = 8; - # Queuing - # When true, Transmission will only download - # download-queue-size non-stalled torrents at once. - download-queue-enabled = true; - download-queue-size = 3; - - # When true, torrents that have not shared data for - # queue-stalled-minutes are treated as 'stalled' - # and are not counted against the queue-download-size - # and seed-queue-size limits. - queue-stalled-enabled = true; - queue-stalled-minutes = 60; - - # When true. Transmission will only seed seed-queue-size - # non-stalled torrents at once. - seed-queue-enabled = false; - seed-queue-size = 10; - - # Enable UPnP or NAT-PMP. - peer-port = 51413; - port-forwarding-enabled = false; - - # Start torrents as soon as they are added - start-added-torrents = true; - }; - }; - - networking.firewall = { - allowedTCPPorts = [ 51413 ]; - allowedUDPPorts = [ 51413 ]; - # only allow access via nginx (proxy to localhost) - interfaces.eth0 = { - allowedTCPPorts = [ uiPort ]; - allowedUDPPorts = [ uiPort ]; - }; - }; - - # bind transmission to openvpn - systemd.services.transmission = { - bindsTo = [ "openvpn-nordvpn.service" ]; - after = [ "openvpn-nordvpn.service" ]; - serviceConfig = { - Restart = "always"; - EnvironmentFile = [ - "/run/secrets/transmissionPushover" - ]; - BindPaths = lib.mkForce [ - "/media" # this is needed otherwise cp -l is not working - "/var/lib/transmission/.config/transmission-daemon" - ]; - }; - }; - services.openvpn.servers.nordvpn.updateResolvConf = true; - services.openvpn.servers.nordvpn.config = '' - client - dev tun - proto udp - remote 152.89.163.99 1194 - dhcp-option DNS 8.8.8.8 - remote-random - nobind - tun-mtu 1500 - tun-mtu-extra 32 - mssfix 1450 - persist-key - persist-tun - ping 15 - ping-restart 0 - ping-timer-rem - reneg-sec 0 - comp-lzo no - - remote-cert-tls server - - auth-user-pass /run/secrets/nordvpn - - verb 3 - pull - resolv-retry infinite - fast-io - cipher AES-256-CBC - auth SHA512 - - - -----BEGIN CERTIFICATE----- - MIIFCjCCAvKgAwIBAgIBATANBgkqhkiG9w0BAQ0FADA5MQswCQYDVQQGEwJQQTEQ - MA4GA1UEChMHTm9yZFZQTjEYMBYGA1UEAxMPTm9yZFZQTiBSb290IENBMB4XDTE2 - MDEwMTAwMDAwMFoXDTM1MTIzMTIzNTk1OVowOTELMAkGA1UEBhMCUEExEDAOBgNV - BAoTB05vcmRWUE4xGDAWBgNVBAMTD05vcmRWUE4gUm9vdCBDQTCCAiIwDQYJKoZI - hvcNAQEBBQADggIPADCCAgoCggIBAMkr/BYhyo0F2upsIMXwC6QvkZps3NN2/eQF - kfQIS1gql0aejsKsEnmY0Kaon8uZCTXPsRH1gQNgg5D2gixdd1mJUvV3dE3y9FJr - XMoDkXdCGBodvKJyU6lcfEVF6/UxHcbBguZK9UtRHS9eJYm3rpL/5huQMCppX7kU - eQ8dpCwd3iKITqwd1ZudDqsWaU0vqzC2H55IyaZ/5/TnCk31Q1UP6BksbbuRcwOV - skEDsm6YoWDnn/IIzGOYnFJRzQH5jTz3j1QBvRIuQuBuvUkfhx1FEwhwZigrcxXu - MP+QgM54kezgziJUaZcOM2zF3lvrwMvXDMfNeIoJABv9ljw969xQ8czQCU5lMVmA - 37ltv5Ec9U5hZuwk/9QO1Z+d/r6Jx0mlurS8gnCAKJgwa3kyZw6e4FZ8mYL4vpRR - hPdvRTWCMJkeB4yBHyhxUmTRgJHm6YR3D6hcFAc9cQcTEl/I60tMdz33G6m0O42s - Qt/+AR3YCY/RusWVBJB/qNS94EtNtj8iaebCQW1jHAhvGmFILVR9lzD0EzWKHkvy - WEjmUVRgCDd6Ne3eFRNS73gdv/C3l5boYySeu4exkEYVxVRn8DhCxs0MnkMHWFK6 - MyzXCCn+JnWFDYPfDKHvpff/kLDobtPBf+Lbch5wQy9quY27xaj0XwLyjOltpiST - LWae/Q4vAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqG - SIb3DQEBDQUAA4ICAQC9fUL2sZPxIN2mD32VeNySTgZlCEdVmlq471o/bDMP4B8g - nQesFRtXY2ZCjs50Jm73B2LViL9qlREmI6vE5IC8IsRBJSV4ce1WYxyXro5rmVg/ - k6a10rlsbK/eg//GHoJxDdXDOokLUSnxt7gk3QKpX6eCdh67p0PuWm/7WUJQxH2S - DxsT9vB/iZriTIEe/ILoOQF0Aqp7AgNCcLcLAmbxXQkXYCCSB35Vp06u+eTWjG0/ - pyS5V14stGtw+fA0DJp5ZJV4eqJ5LqxMlYvEZ/qKTEdoCeaXv2QEmN6dVqjDoTAo - k0t5u4YRXzEVCfXAC3ocplNdtCA72wjFJcSbfif4BSC8bDACTXtnPC7nD0VndZLp - +RiNLeiENhk0oTC+UVdSc+n2nJOzkCK0vYu0Ads4JGIB7g8IB3z2t9ICmsWrgnhd - NdcOe15BincrGA8avQ1cWXsfIKEjbrnEuEk9b5jel6NfHtPKoHc9mDpRdNPISeVa - wDBM1mJChneHt59Nh8Gah74+TM1jBsw4fhJPvoc7Atcg740JErb904mZfkIEmojC - VPhBHVQ9LHBAdM8qFI2kRK0IynOmAZhexlP/aT/kpEsEPyaZQlnBn3An1CRz8h0S - PApL8PytggYKeQmRhl499+6jLxcZ2IegLfqq41dzIjwHwTMplg+1pKIOVojpWA== - -----END CERTIFICATE----- - - key-direction 1 - - # - # 2048 bit OpenVPN static key - # - -----BEGIN OpenVPN Static key V1----- - e685bdaf659a25a200e2b9e39e51ff03 - 0fc72cf1ce07232bd8b2be5e6c670143 - f51e937e670eee09d4f2ea5a6e4e6996 - 5db852c275351b86fc4ca892d78ae002 - d6f70d029bd79c4d1c26cf14e9588033 - cf639f8a74809f29f72b9d58f9b8f5fe - fc7938eade40e9fed6cb92184abb2cc1 - 0eb1a296df243b251df0643d53724cdb - 5a92a1d6cb817804c4a9319b57d53be5 - 80815bcfcb2df55018cc83fc43bc7ff8 - 2d51f9b88364776ee9d12fc85cc7ea5b - 9741c4f598c485316db066d52db4540e - 212e1518a9bd4828219e24b20d88f598 - a196c9de96012090e333519ae18d3509 - 9427e7b372d348d352dc4c85e18cd4b9 - 3f8a56ddb2e64eb67adfc9b337157ff4 - -----END OpenVPN Static key V1----- - - ''; - - }; - }; - - # give containers internet access - networking.nat.enable = true; - networking.nat.internalInterfaces = [ "ve-torrent" ]; - networking.nat.externalInterface = hostInterface; - - # open ports for logging - #networking.firewall.interfaces."ve-torrent".allowedTCPPorts = - # [ 5044 12304 12305 ]; - #networking.firewall.interfaces."ve-torrent".allowedUDPPorts = - # [ 5044 12304 12305 ]; - - # host nginx setup - - # curl -H "Host: transmission.robi.private" https://robi.private/ < will work - # curl -H "Host: transmission.robi.private" https://144.76.13.147/ < wont work - services.nginx = { - enable = true; - recommendedProxySettings = true; - virtualHosts = { - "transmission.${config.networking.hostName}.private" = { - extraConfig = '' - allow ${config.tinc.private.subnet}; - deny all; - ''; - locations."/" = { - proxyPass = "http://${containerAddress}:${toString uiPort}"; - }; - }; - }; - }; - -} diff --git a/legacy/robi/media-transmission2.nix b/legacy/robi/media-transmission2.nix deleted file mode 100644 index 931131c..0000000 --- a/legacy/robi/media-transmission2.nix +++ /dev/null @@ -1,143 +0,0 @@ -{ lib, pkgs, config, ... }: -let - uiPort = 9091; -in -{ - - containers.torrent2 = { - - # mount host folders - bindMounts = { - media = { - hostPath = "/media"; - mountPoint = "/media"; # must be here otherwise transmission can't see the folder - isReadOnly = false; - }; - lib = { - hostPath = "/media/torrent/torrent2_config"; - mountPoint = "/var/lib/transmission/.config"; - isReadOnly = false; - }; - }; - - autoStart = true; - - config = { config, pkgs, lib, ... }: { - - system.stateVersion = "21.05"; - services.journald.extraConfig = "SystemMaxUse=1G"; - - # allow transmission to write in syncthing folders - users.groups.syncthing = { - gid = config.ids.gids.syncthing; - members = [ "transmission" ]; - }; - - services.transmission = { - enable = true; - #extraFlags = [ "--log-info" ]; - settings = { - download-dir = "/media/torrent/downloads"; - incomplete-dir = "/media/torrent/incomplete"; - incomplete-dir-enabled = true; - message-level = 1; - umask = 2; - rpc-whitelist-enabled = false; - rpc-host-whitelist-enabled = false; - rpc-port = uiPort; - rpc-enable = true; - rpc-bind-address = "127.0.0.1"; - - # "normal" speed limits - speed-limit-down-enabled = false; - speed-limit-down = 800; - speed-limit-up-enabled = true; - speed-limit-up = 3000; - upload-slots-per-torrent = 8; - # Queuing - # When true, Transmission will only download - # download-queue-size non-stalled torrents at once. - download-queue-enabled = true; - download-queue-size = 3; - - # When true, torrents that have not shared data for - # queue-stalled-minutes are treated as 'stalled' - # and are not counted against the queue-download-size - # and seed-queue-size limits. - queue-stalled-enabled = true; - queue-stalled-minutes = 60; - - # When true. Transmission will only seed seed-queue-size - # non-stalled torrents at once. - seed-queue-enabled = false; - seed-queue-size = 10; - - # Enable UPnP or NAT-PMP. - peer-port = 51413; - port-forwarding-enabled = false; - - # Start torrents as soon as they are added - start-added-torrents = true; - - # Encryption preference. - # 0 = Prefer unencrypted connections, - # 1 = Prefer encrypted connections, - # 2 = Require encrypted connections; - # default = 1 - # Encryption may help get around some ISP filtering, but at the cost of slightly - # higher CPU use - encryption = 2; - }; - }; - - networking.firewall = { - allowedTCPPorts = [ 51413 ]; - allowedUDPPorts = [ 51413 ]; - }; - - # bind transmission to openvpn - systemd.services.transmission = { - serviceConfig = { - Restart = "always"; - BindPaths = lib.mkForce [ - "/media" # this is needed otherwise cp -l is not working - "/var/lib/transmission/.config/transmission-daemon" - ]; - BindReadOnlyPaths = lib.mkForce [ builtins.storeDir "/etc" ]; - PrivateMounts = lib.mkForce false; - PrivateUsers = lib.mkForce false; - RootDirectoryStartOnly = lib.mkForce false; - RootDirectory = lib.mkForce "/var/lib"; - ExecStartPre = lib.mkForce [ ]; # this prevents configuration creation, but fixes startup problems - }; - }; - }; - }; - - networking.firewall = { - allowedTCPPorts = [ 51413 ]; - allowedUDPPorts = [ 51413 ]; - }; - - # host nginx setup - # ---------------- - - # curl -H "Host: transmission.robi.private" https://robi.private/ < will work - # curl -H "Host: transmission.robi.private" https://144.76.13.147/ < wont work - services.nginx = { - enable = true; - recommendedProxySettings = true; - virtualHosts = { - "transmission2.${config.networking.hostName}.private" = { - extraConfig = '' - allow ${config.tinc.private.subnet}; - deny all; - ''; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString uiPort}"; - }; - }; - }; - }; - -} diff --git a/legacy/robi/network-tinc.nix b/legacy/robi/network-tinc.nix deleted file mode 100644 index 0bf4df2..0000000 --- a/legacy/robi/network-tinc.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ - - - networking.firewall = { - allowedTCPPorts = [ 655 721 ]; - allowedUDPPorts = [ 655 721 ]; - }; - - tinc.private.enable = true; - tinc.private.ipv4 = "10.23.42.111"; - - tinc.secret.enable = true; - tinc.secret.ipv4 = "10.123.42.123"; - -} diff --git a/legacy/robi/network-wireguard.nix b/legacy/robi/network-wireguard.nix deleted file mode 100644 index ea4fac1..0000000 --- a/legacy/robi/network-wireguard.nix +++ /dev/null @@ -1,60 +0,0 @@ -{ pkgs, config, ... }: -{ - # networking.firewall.trustedInterfaces = [ "wg0" ]; - networking.firewall.allowedUDPPorts = [ 51820 ]; - sops.secrets.wireguard_private = { }; - boot.kernel.sysctl."net.ipv4.ip_forward" = true; - - # Enable WireGuard - networking.wg-quick.interfaces = { - # Hub and Spoke Setup - # https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/ - wg0 = { - address = [ "10.100.0.1/32" ]; - listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers) - privateKeyFile = config.sops.secrets.wireguard_private.path; - mtu = 1280; - - postUp = '' - ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT - ''; - postDown = '' - ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT - ''; - - # clients - peers = [ - { - # chungus - publicKey = "wb54y/fG8ocSH9QrDmfajez/fUcJBZK369xLu37XBHk="; - allowedIPs = [ "10.100.0.2/32" ]; - } - { - # sterni - publicKey = "SdMRgC5IM7dywzZxLAHm45cpj9J3IENTMClZm1BxbV4="; - allowedIPs = [ "10.100.0.3/32" ]; - } - { - # iphone - publicKey = "XPVzH+wBLsqukTHHjngkGJhYN0nRdQ7esadiimMJQnI="; - allowedIPs = [ "10.100.0.4/32" ]; - } - { - # tina - publicKey = "RZsuQfWfAQLMm45ZiuNLBwcpL+GEbPYTRTrASFzMCFQ="; - allowedIPs = [ "10.100.0.5/32" ]; - } - { - # cream - publicKey = "R1Vk1DDG/LsVU0HHRDmOJshXOVnNzPVbuv5hP7ZSGEQ="; - allowedIPs = [ "10.100.0.6/32" ]; - } - { - # cherry - publicKey = "ZNnlmPdxAGYtaUvOU2V47tcEhcB06LBCXkSxIvWZL2k="; - allowedIPs = [ "10.100.0.7/32" ]; - } - ]; - }; - }; -} diff --git a/legacy/robi/nextcloud.nix b/legacy/robi/nextcloud.nix deleted file mode 100644 index fbb5c2a..0000000 --- a/legacy/robi/nextcloud.nix +++ /dev/null @@ -1,301 +0,0 @@ -{ pkgs, config, ... }: - -# don't forget the database backup before upgrading -# ------------------------------------------------- -# https://docs.nextcloud.com/server/stable/admin_manual/maintenance/backup.html -# https://docs.nextcloud.com/server/stable/admin_manual/maintenance/upgrade.html -# -# ! use lvm snapshots to do rollback ! - -let - - hostInterface = "enp3s0"; - hostAddress = "192.168.100.10"; - containerAddress = "192.168.100.11"; - nextcloudUid = 1000; - borg_backup_folder = "/media/syncthing/nextcloud_backup/robi"; - -in -{ - - - # Host Setup - # ========== - - # give containers internet access - networking.nat.enable = true; - networking.nat.internalInterfaces = [ "ve-nextcloud" ]; - networking.nat.externalInterface = hostInterface; - - # don't let networkmanager manger container network - networking.networkmanager.unmanaged = [ "interface-name:ve-*" ]; - - # open ports for logging - #networking.firewall.interfaces."ve-nextcloud".allowedTCPPorts = - # [ 5044 12304 12305 ]; - #networking.firewall.interfaces."ve-nextcloud".allowedUDPPorts = - # [ 5044 12304 12305 ]; - - # host nginx - # ---------- - - networking.firewall.allowedTCPPorts = [ 80 443 ]; - networking.firewall.allowedUDPPorts = [ 80 443 ]; - - services.nginx = { - enable = true; - recommendedProxySettings = true; - virtualHosts = { - "nextcloud.ingolf-wagner.de" = { - forceSSL = true; - enableACME = true; - locations = { - "/" = { - proxyPass = "http://${containerAddress}"; - extraConfig = '' - sub_filter "http://nextcloud.ingolf-wagner.de" "https://nextcloud.ingolf-wagner.de"; - # used for view/edit office file via Office Online Server - client_max_body_size 0; - proxy_buffering off; # to download files bigger than 1GB - ''; - }; - "= /.well-known/carddav" = { - priority = 210; - extraConfig = "return 301 $scheme://$host/remote.php/dav;"; - }; - "= /.well-known/caldav" = { - priority = 210; - extraConfig = "return 301 $scheme://$host/remote.php/dav;"; - }; - #"~ .(?:css|js|svg|gif)$" = { - # proxyPass = "http://${containerAddress}$request_uri"; - # extraConfig = '' - # expires 6M; # Cache-Control policy borrowed from `.htaccess` - # access_log off; # Optional: Don't log access to assets - # sub_filter "http://nextcloud.ingolf-wagner.de" "https://nextcloud.ingolf-wagner.de"; - # sub_filter "nextcloud.workhorse.private" "nextcloud.ingolf-wagner.de"; - # # used for view/edit office file via Office Online Server - # client_max_body_size 0; - # ''; - #}; - #"~ .woff2?$" = { - # proxyPass = "http://${containerAddress}$request_uri"; - # extraConfig = '' - # expires 7d; # Cache-Control policy borrowed from `.htaccess` - # access_log off; # Optional: Don't log access to assets - # sub_filter "http://nextcloud.ingolf-wagner.de" "https://nextcloud.ingolf-wagner.de"; - # sub_filter "nextcloud.workhorse.private" "nextcloud.ingolf-wagner.de"; - # # used for view/edit office file via Office Online Server - # client_max_body_size 0; - # ''; - #}; - }; - }; - }; - }; - - sops.secrets.nextcloud_database_password.owner = "nextcloud"; - sops.secrets.nextcloud_root_password.owner = "nextcloud"; - - users.users.nextcloud = { - isSystemUser = true; - uid = nextcloudUid; - group = "nextcloud"; - }; - users.groups.nextcloud = { }; - - - # Container Setup - # =============== - # - # running: - # * nextcloud (php) - # * mysql - containers.nextcloud = { - - # mount host folders - bindMounts = { - rootpassword = { - hostPath = "/run/secrets/nextcloud_root_password"; - mountPoint = "/run/secrets/nextcloud_root_password"; - isReadOnly = true; - }; - databasepassword = { - hostPath = "/run/secrets/nextcloud_database_password"; - mountPoint = "/run/secrets/nextcloud_database_password"; - isReadOnly = true; - }; - - home = { - # make sure this folder exist on the host - hostPath = toString "/var/lib/nextcloud"; - mountPoint = "/var/lib/nextcloud"; - isReadOnly = false; - }; - db = { - # make sure this folder exist on the host - hostPath = toString "/var/lib/nextcloud_mysql"; - mountPoint = "/var/lib/mysql"; - isReadOnly = false; - }; - media = { - #mountPoint = toString config.services.syncthing.folders.media.path; - #hostPath = toString config.services.syncthing.folders.media.path; - mountPoint = "/media/syncthing/media"; - hostPath = "/media/media"; - isReadOnly = true; - }; - }; - - # container network setup - # see also nating on host system. - privateNetwork = true; - hostAddress = hostAddress; - localAddress = containerAddress; - - - autoStart = true; - - config = { config, pkgs, lib, ... }: { - - # Configuring nameservers for containers is currently broken. - # Therefore in some cases internet connectivity can be broken inside the containers. - # A temporary workaround is to manually write the /etc/nixos/resolv.conf file like this: - environment.etc."resolv.conf".text = "nameserver 8.8.8.8"; - - system.stateVersion = "21.05"; - - users.users.nextcloud.uid = nextcloudUid; - - services.nginx = { - # Use recommended settings - recommendedGzipSettings = lib.mkDefault true; - recommendedOptimisation = lib.mkDefault true; - recommendedProxySettings = lib.mkDefault true; - recommendedTlsSettings = lib.mkDefault true; - }; - - networking.firewall.allowedTCPPorts = [ 80 ]; - networking.firewall.allowedUDPPorts = [ 80 ]; - - # nextcloud database - # ================== - # - # set user password: - # ----------------- - # #> mysql - # mysql> ALTER USER 'nextcloud'@'localhost' IDENTIFIED BY 'nextcloud-password'; - # - # recreate database: - # ------------------ - # mysql> DROP DATABASE nextcloud; - # mysql> CREATE DATABASE nextcloud; - # - # migration: - # ---------- - # nextcloud-occ db:convert-type --all-apps mysql nextcloud 127.0.0.1 nextcloud - # - # 4-byte stuff: - # ------------- - # https://docs.nextcloud.com/server/18/admin_manual/configuration_database/mysql_4byte_support.html - # if you do this don't forget --default-character-set=utf8mb4 for mysqldump - services.mysql = { - enable = true; - package = pkgs.mysql; - # https://nixos.org/manual/nixos/stable/release-notes.html#sec-release-20.09-incompatibilities - ensureDatabases = [ "nextcloud" ]; - ensureUsers = [{ - name = "nextcloud"; - ensurePermissions = { "nextcloud.*" = "ALL PRIVILEGES"; }; - }]; - settings.mysqld = { - innodb_large_prefix = true; - innodb_file_format = "barracuda"; - innodb_file_per_table = 1; - innodb_read_only_compressed = 0; - }; - }; - - # Backup database - # --------------- - services.mysqlBackup = { - enable = true; - databases = config.services.mysql.ensureDatabases; - singleTransaction = true; - location = "/var/lib/nextcloud/database_backups"; - }; - systemd.services."mysql-backup".serviceConfig = { - ExecStartPre = [ "+/run/current-system/sw/bin/nextcloud-occ maintenance:mode --on" ]; - ExecStopPost = [ "+/run/current-system/sw/bin/nextcloud-occ maintenance:mode --off" ]; - }; - - # in php - services.phpfpm = { - phpPackage = pkgs.php73; - phpOptions = '' - opcache.revalidate_freq = 10 - ''; - }; - - # nextcloud setup - services.nextcloud = { - enable = true; - package = pkgs.nextcloud28; - autoUpdateApps.enable = true; - # nginx.enable = true; - # enableBrokenCiphersForSSE = false; # see https://github.com/NixOS/nixpkgs/pull/198470 - hostName = "nextcloud.ingolf-wagner.de"; - logLevel = 2; - https = true; - config = { - adminpassFile = "/run/secrets/nextcloud_root_password"; - overwriteProtocol = "https"; - trustedProxies = [ "144.76.13.147" hostAddress ]; - dbtype = "mysql"; - dbpassFile = "/run/secrets/nextcloud_database_password"; - dbhost = "localhost:3306"; - defaultPhoneRegion = "DE"; - }; - }; - }; - }; - - - # Backup Config - # ------------- - #backup.dirs = [ - # "/home/nextcloud/config" - # "/home/nextcloud/database_backups" # created by mysqlBackup - #]; - - # Backup Files - # ------------ - services.borgbackup.jobs = { - "nextcloud-to-media" = { - repo = borg_backup_folder; - # make sure syncthing is capable of reading the files - postHook = '' - chown -R syncthing:syncthing ${borg_backup_folder} - ''; - compression = "lz4"; - paths = [ - "/var/lib/nextcloud/data/tina/files" - "/var/lib/nextcloud/data/palo/files" - "/var/lib/nextcloud/data/palo-windows/files" - ]; - doInit = true; - encryption = { - mode = "repokey-blake2"; - passCommand = "cat ${config.sops.secrets.backup_repository_passphrase.path}"; - }; - startAt = "0/3:00:00"; - prune.keep = { - within = "2d"; # Keep all backups in the last 10 days. - daily = 10; # Keep 10 additional end of day archives - weekly = 8; # Keep 8 additional end of week archives. - month = 8; # Keep 8 additional end of month archives. - }; - }; - }; - -} diff --git a/legacy/robi/nginx-wkd.nix b/legacy/robi/nginx-wkd.nix deleted file mode 100644 index 78bd195..0000000 --- a/legacy/robi/nginx-wkd.nix +++ /dev/null @@ -1,30 +0,0 @@ -{ config, pkgs, lib, assets, ... }: -let - server_name = "ingolf-wagner.de"; -in -{ - # check : - # - https://metacode.biz/openpgp/web-key-directory - # - $> gpg --homedir "$(mktemp -d)" -v --auto-key-locate clear,wkd,nodefault --locate-key contact@ingolf-wagner.de - services.nginx.virtualHosts.${server_name}.locations = - let - wkd = - { - extraConfig = '' - default_type application/octet-stream; - add_header Access-Control-Allow-Origin * always; - ''; - #alias = pkgs.runCommand "contact@ingolf-wagner.de" { } '' - # cat ${assets}/contact@ingolf-wagner.de.gpg | ${pkgs.gnupg}/bin/gpg --dearmor > $out - #''; - alias = toString "${assets}/contact@ingolf-wagner.de.gpg"; - }; - in - { - "= /.well-known/openpgpkey/policy".return = "200"; - # hashes generated by : gpg --with-wkd-hash --fingerprint contact@ingolf-wagner.de - "= /.well-known/openpgpkey/hu/dj3498u4hyyarh35rkjfnghbjxug6b19" = wkd; - }; - - # todo openpgpkey.ingolf-wagner.de noch einrichten -} diff --git a/legacy/robi/nginx.nix b/legacy/robi/nginx.nix deleted file mode 100644 index 346e618..0000000 --- a/legacy/robi/nginx.nix +++ /dev/null @@ -1,137 +0,0 @@ -{ config, lib, pkgs, private_assets, ... }: -let - # todo create flake for this - errorPages = pkgs.fetchFromGitHub { - owner = "mrvandalo"; - repo = "http-errors"; - rev = "74b8e4c1d9bbba3db6ad858b888e1867318af1f0"; - sha256 = "0czdzafx4k76q773lyf3vsjm74g1995iz542dhw15kpy5xbivsrg"; - }; - error = { - extraConfig = '' - error_page 400 /errors/400.html; - error_page 401 /errors/401.html; - error_page 402 /errors/402.html; - error_page 403 /errors/403.html; - error_page 404 /errors/404.html; - error_page 405 /errors/405.html; - error_page 406 /errors/406.html; - error_page 500 /errors/500.html; - error_page 501 /errors/501.html; - error_page 502 /errors/502.html; - error_page 503 /errors/503.html; - error_page 504 /errors/504.html; - ''; - locations."^~ /errors/" = { - extraConfig = "internal;"; - root = "${errorPages}/"; - }; - }; -in - -{ - networking.firewall.allowedTCPPorts = [ 80 443 ]; - networking.firewall.allowedUDPPorts = [ 80 443 ]; - - - services.nginx = { - enable = true; - recommendedProxySettings = true; - virtualHosts = { - - "${config.networking.hostName}.private".default = false; - - "ingolf-wagner.de" = { - default = true; - forceSSL = true; - enableACME = true; - extraConfig = error.extraConfig; - locations = { - "/" = { - root = pkgs.landingpage.override { - jsonConfig = [ - { - title = "Ingolf Wagner"; - text = '' - I'm a freelancing mathematician, musician and programmer. - - My PGP fingerprint is 42AC 51C9 482D 0834 CF48 8AF1 389E C2D6 4AC7 1EAC - ''; - } - { - text = '' - Here are some of my projects you might enjoy: - ''; - items = [ - { - label = "terranix"; - href = "https://terranix.org"; - image = "https://raw.githubusercontent.com/terranix/terranix-artwork/main/terranix-logo.svg"; - } - { - label = "Sononym"; - href = "https://www.sononym.net/"; - image = "https://www.sononym.net/press/logos/sononym-logo-symbol-black.png"; - } - { - label = "LandingPage"; - href = "https://github.com/mrVanDalo/landingpage"; - image = "https://media.giphy.com/media/2vNGq1w3nsJri/giphy.gif"; - } - { - label = "My Blog"; - href = "https://tech.ingolf-wagner.de/"; - image = "https://media.giphy.com/media/11I8v5lE8uq79C/giphy.gif"; - } - ]; - } - ]; - title = "Ingolf Wagner"; - max-width = "1010px"; - background-color = "#FEFAE0"; - title-color = "black"; - title-background-color = "#E9EDC9"; - text-color = "black"; - text-background-color = "#FAEDCD"; - item-color = "black"; - item-background-color = "#E9EDC9"; - image-width = "250px"; - image-height = "200px"; - }; - }; - }; - }; - - "travel.ingolf-wagner.de" = { - forceSSL = true; - enableACME = true; - extraConfig = error.extraConfig; - locations = { - "/" = { - root = "/srv/www/travel"; - extraConfig = '' - if (-d $request_filename) { - rewrite [^/]$ $scheme://$http_host$request_uri/ permanent; - } - ''; - }; - } // error.locations; - }; - "tech.ingolf-wagner.de" = { - forceSSL = true; - enableACME = true; - extraConfig = error.extraConfig; - locations = { - "/" = { - root = "/srv/www/tech"; - extraConfig = '' - if (-d $request_filename) { - rewrite [^/]$ $scheme://$http_host$request_uri/ permanent; - } - ''; - }; - } // error.locations; - }; - }; - }; -} diff --git a/legacy/robi/packages.nix b/legacy/robi/packages.nix deleted file mode 100644 index d637d63..0000000 --- a/legacy/robi/packages.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ config, pkgs, ... }: { - environment.systemPackages = with pkgs; [ - mosh - mediainfo - youtube-dl - ipset # for sshguard - - vulnix - (pkgs.writers.writeBashBin "vulnix-system" '' - ${pkgs.vulnix}/bin/vulnix --profile /nix/var/nix/profiles/system - '') - - ]; -} diff --git a/legacy/robi/prometheus.nix b/legacy/robi/prometheus.nix deleted file mode 100644 index 2fa4218..0000000 --- a/legacy/robi/prometheus.nix +++ /dev/null @@ -1,70 +0,0 @@ -{ config, pkgs, lib, ... }: { - - services.nginx = { - enable = true; - statusPage = true; - virtualHosts = { - "prometheus.robi.private" = { - extraConfig = '' - allow ${config.tinc.private.subnet}; - deny all; - ''; - locations."/" = { proxyPass = "http://localhost:${toString config.services.prometheus.port}"; }; - }; - }; - }; - - services.prometheus = { - enable = true; - # keep data for 30 days - extraFlags = [ "--storage.tsdb.retention.time=30d" ]; - - exporters = { - node = { - enable = true; - enabledCollectors = [ "systemd" ]; - port = 9002; - }; - }; - - scrapeConfigs = [ - { - job_name = "netdata"; - metrics_path = "/api/v1/allmetrics"; - params.format = [ "prometheus" ]; - scrape_interval = "5s"; - static_configs = [ - { - targets = [ "localhost:19999" ]; - labels = { - service = "netdata"; - server = "robi"; - }; - } - ]; - } - { - job_name = "systemd"; - static_configs = [{ - targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; - labels = { - service = "node-exporter"; - server = "robi"; - }; - }]; - } - { - # see https://www.home-assistant.io/integrations/prometheus/ - job_name = "telgraf"; - metrics_path = "/metrics"; - static_configs = [{ - targets = [ "localhost:9273" ]; - labels = { - service = "telegraf"; - server = "robi"; - }; - }]; - } - ]; - }; -} diff --git a/legacy/robi/social-jitsi.nix b/legacy/robi/social-jitsi.nix deleted file mode 100644 index fc308d2..0000000 --- a/legacy/robi/social-jitsi.nix +++ /dev/null @@ -1,60 +0,0 @@ -{ config, ... }: { - # + + - # | | - # | | - # v v - # 80, 443 TCP 443 TCP, 10000 UDP - # +--------------+ +---------------------+ - # | nginx | 5222, 5347 TCP | | - # | jitsi-meet |<-------------------+| jitsi-videobridge | - # | prosody | | | | - # | jicofo | | +---------------------+ - # +--------------+ | - # | +---------------------+ - # | | | - # +----------+| jitsi-videobridge | - # | | | - # | +---------------------+ - # | - # | +---------------------+ - # | | | - # +----------+| jitsi-videobridge | - # | | - # +---------------------+ - - # This is a one server setup - services.jitsi-meet = { - enable = true; - hostName = "meet.ingolf-wagner.de"; - - # JItsi COnference FOcus is a server side focus component used in Jitsi Meet conferences. - # https://github.com/jitsi/jicofo - jicofo.enable = true; - - # Whether to enable nginx virtual host that will serve the javascript application and act as a proxy for the XMPP server. - # Further nginx configuration can be done by adapting services.nginx.virtualHosts.. When this is enabled, ACME - # will be used to retrieve a TLS certificate by default. To disable this, set the - # services.nginx.virtualHosts..enableACME to false and if appropriate do the same for - # services.nginx.virtualHosts..forceSSL. - nginx.enable = true; - - # https://github.com/jitsi/jitsi-meet/blob/master/config.js - config = { - enableWelcomePage = false; - defaultLang = "en"; - }; - - # https://github.com/jitsi/jitsi-meet/blob/master/interface_config.js - interfaceConfig = { - SHOW_JITSI_WATERMARK = false; - SHOW_WATERMARK_FOR_GUESTS = false; - }; - - }; - - networking.firewall = { - allowedTCPPorts = [ 80 443 ]; - allowedUDPPorts = [ 10000 ]; - }; - -} diff --git a/legacy/robi/social-matrix.nix b/legacy/robi/social-matrix.nix deleted file mode 100644 index 9519792..0000000 --- a/legacy/robi/social-matrix.nix +++ /dev/null @@ -1,57 +0,0 @@ -{ config, pkgs, ... }: -let - # 1. create DNS entry `matrix.ingolf-wagner.de A - 95.216.66.212` - # 2. test with : https://federationtester.matrix.org/#ingolf-wagner.de - # 3. info at : https://silvio.github.io/docker-matrix/Example.configs.html - - domain = "ingolf-wagner.de"; - baseUrl = "https://matrix.${domain}"; - - clientConfig."m.homeserver".base_url = baseUrl; - serverConfig."m.server" = "matrix.${domain}:443"; - mkWellKnown = data: '' - default_type application/json; - add_header Access-Control-Allow-Origin *; - return 200 '${builtins.toJSON data}'; - ''; - -in -{ - - networking.firewall.allowedTCPPorts = [ 80 443 ]; - networking.firewall.allowedUDPPorts = [ 80 443 ]; - - services.nginx = { - enable = true; - recommendedTlsSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - recommendedProxySettings = true; - virtualHosts = { - # If the A and AAAA DNS records on example.org do not point on the same host as the - # records for myhostname.example.org, you can easily move the /.well-known - # virtualHost section of the code to the host that is serving example.org, while - # the rest stays on myhostname.example.org with no other changes required. - # This pattern also allows to seamlessly move the homeserver from - # myhostname.example.org to myotherhost.example.org by only changing the - # /.well-known redirection target. - "${domain}" = { - enableACME = true; - forceSSL = true; - # This section is not needed if the server_name of matrix-synapse is equal to - # the domain (i.e. example.org from @foo:example.org) and the federation port - # is 8448. - # Further reference can be found in the docs about delegation under - # https://element-hq.github.io/synapse/latest/delegate.html - locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig; - # This is usually needed for homeserver discovery (from e.g. other Matrix clients). - # Further reference can be found in the upstream docs at - # https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient - locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig; - }; - - }; - - }; - -} diff --git a/legacy/robi/sync-opentracker.nix b/legacy/robi/sync-opentracker.nix deleted file mode 100644 index aaec2bd..0000000 --- a/legacy/robi/sync-opentracker.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ - services.opentracker = { - enable = true; - }; -} diff --git a/legacy/robi/sync-torrent.nix b/legacy/robi/sync-torrent.nix deleted file mode 100644 index ee40fe4..0000000 --- a/legacy/robi/sync-torrent.nix +++ /dev/null @@ -1,111 +0,0 @@ -{ lib, pkgs, config, ... }: -let - uiPort = 9099; - announceIp = "10.23.42.111"; - peerPort = 51433; -in -{ - - containers.sync-torrent = { - - # mount host folders - bindMounts = { - media = { - hostPath = "/media/new"; - mountPoint = "/media"; # must be here otherwise transmission can't see the folder - isReadOnly = false; - }; - lib = { - hostPath = "/srv/sync-torrent"; - mountPoint = "/var/lib/transmission"; - isReadOnly = false; - }; - }; - - autoStart = true; - - config = { config, pkgs, lib, ... }: { - - system.stateVersion = "22.11"; - services.journald.extraConfig = "SystemMaxUse=1G"; - - services.transmission = { - enable = true; - settings = { - download-dir = "/media"; - incomplete-dir = "/var/lib/transmission/incomplete"; # todo put this somewhere with frequent snapshots but low keep. - incomplete-dir-enabled = true; - message-level = 1; - umask = 2; - rpc-whitelist-enabled = false; - rpc-host-whitelist-enabled = false; - rpc-port = uiPort; - rpc-enable = true; - rpc-bind-address = "0.0.0.0"; - - # "normal" speed limits - speed-limit-down-enabled = false; - speed-limit-down = 800; - speed-limit-up-enabled = true; - speed-limit-up = 3000; - upload-slots-per-torrent = 8; - # Queuing - # When true, Transmission will only download - # download-queue-size non-stalled torrents at once. - download-queue-enabled = true; - download-queue-size = 3; - - # When true, torrents that have not shared data for - # queue-stalled-minutes are treated as 'stalled' - # and are not counted against the queue-download-size - # and seed-queue-size limits. - queue-stalled-enabled = true; - queue-stalled-minutes = 60; - - # When true. Transmission will only seed seed-queue-size - # non-stalled torrents at once. - seed-queue-enabled = false; - seed-queue-size = 10; - - # Enable UPnP or NAT-PMP. - peer-port = peerPort; - port-forwarding-enabled = false; - announce-ip = announceIp; - announce-ip-enabled = true; - - # Start torrents as soon as they are added - start-added-torrents = true; - - }; - }; - - }; - }; - - # open ports for logging - #networking.firewall.interfaces."ve-torrent".allowedTCPPorts = - # [ 5044 12304 12305 ]; - #networking.firewall.interfaces."ve-torrent".allowedUDPPorts = - # [ 5044 12304 12305 ]; - - # host nginx setup - # ---------------- - # curl -H "Host: sync.robi.private" https://robi.private/ < will work - # curl -H "Host: sync.robi.private" https://144.76.13.147/ < wont work - services.nginx = { - enable = true; - recommendedProxySettings = true; - virtualHosts = { - "sync.${config.networking.hostName}.private" = { - extraConfig = '' - allow ${config.tinc.private.subnet}; - deny all; - ''; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString uiPort}"; - }; - }; - }; - }; - -} diff --git a/legacy/robi/taskserver.nix b/legacy/robi/taskserver.nix deleted file mode 100644 index 778a975..0000000 --- a/legacy/robi/taskserver.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ config, lib, pkgs, ... }: { - - services.taskserver = { - enable = true; - fqdn = "taskd.ingolf-wagner.de"; - listenHost = "0.0.0.0"; - requestLimit = 104857600; - trust = "strict"; - dataDir = "/var/lib/taskserver"; - organisations."1337".users = [ "palo" "beta" ]; - ciphers = "SECURE256"; - }; - - networking.firewall.allowedTCPPorts = [ config.services.taskserver.listenPort ]; - networking.firewall.allowedUDPPorts = [ config.services.taskserver.listenPort ]; - - backup.dirs = [ config.services.taskserver.dataDir ]; - -} diff --git a/legacy/robi/telegraf.nix b/legacy/robi/telegraf.nix deleted file mode 100644 index 5e7c662..0000000 --- a/legacy/robi/telegraf.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ - services.telegraf = { - enable = true; - extraConfig = { - outputs.prometheus_client = { - listen = ":9273"; - metric_version = 2; - }; - # https://github.com/influxdata/telegraf/tree/master/plugins/inputs < all them plugins - inputs = { - cpu = { - percpu = true; - totalcpu = true; - }; - disk = { }; - diskio = { }; - kernel = { }; - mem = { }; - processes = { }; - netstat = { }; - net = { }; - system = { }; - systemd_units = { }; - nginx.urls = [ "http://localhost/nginx_status" ]; - }; - }; - }; -} diff --git a/legacy/robi/vaultwarden.nix b/legacy/robi/vaultwarden.nix deleted file mode 100644 index 7f60209..0000000 --- a/legacy/robi/vaultwarden.nix +++ /dev/null @@ -1,35 +0,0 @@ -{ config, pkgs, lib, ... }: { - services.vaultwarden = { - enable = true; - # backupDir = - config = { - domain = "https://bitwarden.ingolf-wagner.de"; - signupsAllowed = false; - rocketPort = 8222; - rocketLog = "critical"; - }; - }; - - backup.dirs = [ "/var/lib/bitwarden_rs" ]; - - services.nginx = { - enable = true; - recommendedProxySettings = true; - virtualHosts = { - - "bitwarden.ingolf-wagner.de" = { - forceSSL = true; - enableACME = true; - locations."/" = { - extraConfig = '' - client_max_body_size 500M; - ''; - proxyPass = "http://localhost:${ - toString config.services.vaultwarden.config.rocketPort - }"; - }; - }; - }; - }; - -} diff --git a/legacy/scanner.nix b/legacy/scanner.nix deleted file mode 100644 index bf3e1a2..0000000 --- a/legacy/scanner.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - services.grocy-scanner = { - enable = true; - host = "https://grocy.ingolf-wagner.de"; - device = "/dev/input/by-id/usb-Belon.cn_2.4G_Wireless_Device_Belon_Smart-event-kbd"; - apiKeyFile = toString (pkgs.writeText "key" "my-api-key-not"); - }; -} diff --git a/legacy/screeps.nix b/legacy/screeps.nix deleted file mode 100644 index d597ae4..0000000 --- a/legacy/screeps.nix +++ /dev/null @@ -1,73 +0,0 @@ -{ config, lib, pkgs, ... }: -with lib; -let - debug = true; - #version = "latest"; - # version = "142c079"; # 2 years ago. - # version = "v1.14.0"; # 2 years ago. - version = "v1.13.2"; # 2 years ago. -in -{ - virtualisation.oci-containers = { - containers.screeps = { - volumes = [ - "/srv/screeps:/screeps" - (optionalString debug "/srv/screeps-tmp:/tmp") - ]; - environment.TZ = "Europe/Berlin"; - image = "screepers/screeps-launcher:${version}"; - ports = [ "21025:21025" ]; - }; - }; - - systemd.services.docker-screeps = - let - configuration = builtins.toJSON { - steamKey = "keyFromStep3"; - version = "latest"; - mods = [ - #"screepsmod-auth" - #"screepsmod-admin-utils" - #"screepsmod-mongo" - ]; - bots = { - simplebot = "screepsbot-zeswarm"; - }; - serverConfig = { - welcomeText = "

My Cool Server

"; - constants = { - "TEST_CONSTANT" = 123; - }; - tickRate = 1000; - }; - }; - in - { - - unitConfig = { - StartLimitInterval = 200; - StartLimitBurst = 2; - }; - - serviceConfig = { - Restart = mkForce (if debug then "no" else "always"); - RestartSec = 30; - ExecStartPre = [ - (toString (pkgs.writers.writeDash "create-screeps-config" '' - mkdir -p /srv/screeps/ - chown 1000:1000 -R /srv/screeps - ${optionalString debug "mkdir -p /srv/screeps-tmp"} - ${optionalString debug "chown 1000:1000 -R /srv/screeps-tmp"} - echo '${configuration}' > /srv/screeps/config.yaml - '')) - ]; - }; - }; - - #networking.firewall.allowedTCPPorts = [ 8123 ]; - #networking.firewall.allowedUDPPorts = [ 8123 ]; - - #networking.firewall.interfaces.wg0.allowedTCPPorts = [ 8123 ]; - #networking.firewall.interfaces.wg0.allowedUDPPorts = [ 8123 ]; - -} diff --git a/legacy/shell-bash.nix b/legacy/shell-bash.nix deleted file mode 100644 index 0c1bd0e..0000000 --- a/legacy/shell-bash.nix +++ /dev/null @@ -1,84 +0,0 @@ -{ config, pkgs, lib, ... }: -let cfg = config.programs.custom.bash; -in { - - options.programs.custom.bash.enable = lib.mkEnableOption "enable bash config"; - - config = lib.mkIf cfg.enable { - - programs.bash = { - - # BashCompletion - # -------------- - enableCompletion = true; - - # Configure Shell - # --------------- - interactiveShellInit = # sh - '' - # use vi shortcuts - # ---------------- - set -o vi - - # Configure ls-colors - # ------------------- - export LS_COLORS='rs=0:di=01;35:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;33:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35::*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:' - ''; - - # Configure Prompt - # ---------------- - promptInit = # sh - '' - # PS1 content functions - # --------------------- - function nonzero_return() { - RETVAL=$? - [ $RETVAL -ne 0 ] && echo "[> $RETVAL <] " - } - - # Provide a nice prompt - # --------------------- - case $TERM in - xterm*|rxvt*|Eterm) - # used : http://ezprompt.net/ - USER_COLOR="\[\e[36m\]\u\[\e[m\]\[\e[32m\]@\[\e[m\]\[\e[36m\]\h\[\e[m\]" - CURRENT_PATH="\[\e[33m\][\[\e[m\]\[\e[33m\]\w\[\e[m\]\[\e[33m\]]\[\e[m\]" - if [[ $UID -eq 0 ]] - then - USER_COLOR="\[\e[31m\]\u\[\e[m\]\[\e[32m\]@\[\e[m\]\[\e[31m\]\h\[\e[m\]" - fi - export PS1="\[\e[31m\]\`nonzero_return\`\[\e[m\]\[\e[35m\]\A\[\e[m\] $USER_COLOR $CURRENT_PATH\[\e[31m\]\\$\[\e[m\] " - ;; - screen) - export PS1="\[\e[31m\]\`nonzero_return\`\[\e[m\]\[\e[35m\]\A\[\e[m\] \[\e[36m\]\u\[\e[m\]\[\e[32m\]@\[\e[m\]\[\e[36m\]\h\[\e[m\] \[\e[33m\][\[\e[m\]\[\e[33m\]\W\[\e[m\]\[\e[33m\]]\[\e[m\]\[\e[31m\]\\$\[\e[m\] " - ;; - esac - ''; - - # Shell Aliases - # ------------- - shellAliases = { - ls = "ls --color=tty"; - l = "ls -CFh"; - la = "ls -Ah"; - ll = "ls -lh"; - lt = "ls -lct --reverse"; - less = "less -S"; - top = "htop"; - version = "date '+%Y%m%d%H%M%S'"; - vclip = "xclip -selection clipboard"; - df = "df -h"; - - nix-search = "nix-env -qaP"; - nix-list = ''nix-env -qaP "*" --description''; - nix-list-haskell = ''nix-env -f "" -qaP -A haskellPackages''; - - nix-show-garbadge-roots = "ls -lh /nix/var/nix/gcroots/auto/"; - - }; - - }; - - }; -} - diff --git a/legacy/shell-tools.nix b/legacy/shell-tools.nix deleted file mode 100644 index 780be40..0000000 --- a/legacy/shell-tools.nix +++ /dev/null @@ -1,43 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let - - xterm-colors = pkgs.writeShellScriptBin "256-xterm-colors" - # sh - '' - for i in {0..255} ; do - printf "\x1b[38;5;%sm%3d\e[0m " "$i" "$i" - if (( i == 15 )) || (( i > 15 )) && (( (i-15) % 6 == 0 )); then - printf "\n"; - fi - done - ''; - - xterm-background-colors = pkgs.writeShellScriptBin - "256-xterm-colors-background" - # sh - '' - for i in {0..255} ; do - printf "\x1b[48;5;%sm%3d\e[0m " "$i" "$i" - if (( i == 15 )) || (( i > 15 )) && (( (i-15) % 6 == 0 )); then - printf "\n"; - fi - done - ''; - - cfg = config.programs.custom.shellTools; - -in -{ - - options.programs.custom.shellTools.enable = - mkEnableOption "enable shell tools"; - - config = mkIf cfg.enable { - environment.systemPackages = [ xterm-colors xterm-background-colors ]; - }; - -} - diff --git a/legacy/shell-zsh.nix b/legacy/shell-zsh.nix deleted file mode 100644 index 69cb523..0000000 --- a/legacy/shell-zsh.nix +++ /dev/null @@ -1,111 +0,0 @@ -{ config, pkgs, lib, ... }: -with lib; -let - cfg = config.programs.custom.zsh; -in -{ - - options.programs.custom.zsh = { - enable = mkEnableOption "enable zsh"; - mainUser = mkOption { - type = with types; nullOr str; - default = null; - description = '' - the main User if available - ''; - }; - }; - - config = mkIf cfg.enable { - - programs.zsh = { - - enable = true; - enableCompletion = true; - - syntaxHighlighting.enable = true; - - ohMyZsh = { - - custom = "/etc/zshcustom/"; - enable = false; - - # powerline themes - # ---------------- - theme = "powerlevel9k/powerlevel9k"; - - plugins = [ - "git" - "git-flow" - "screen" - "taskwarrior" - "systemd" - "tmux" - "vi-mode" - "wd" - ]; - }; - - #loginShellInit = '' - # export TERM="xterm-256color" - #''; - - shellAliases = { - ls = "ls --color=tty"; - l = "ls -CFh"; - la = "ls -Ah"; - ll = "ls -lh"; - lt = "ls -lct --reverse"; - less = "less -S"; - top = "htop"; - version = "date '+%Y%m%d%H%M%S'"; - vclip = "xclip -selection clipboard"; - df = "df -h"; - - timestamp = "date +%Y%m%d%H%M%S"; - - #nix-search = "nix-env -qaP"; - #nix-list = ''nix-env -qaP "*" --description''; - #nix-list-haskell = ''nix-env -f "" -qaP -A haskellPackages''; - #nix-list-node = ''nix-env -f "" -qaP -A nodePackages''; - #nix-list-beam = ''nix-env -f "" -qaP -A beamPackages''; - #nix-find = "clear ; ${pkgs.nix-index}/bin/nix-locate -1 -w"; - - nix-show-garbadge-roots = "ls -lh /nix/var/nix/gcroots/auto/"; - - }; - }; - - # only used to make quick config changes - # -------------------------------------- - #environment.etc."zshcustom/mainuser.zsh".source = - # pkgs.writeText "mainuser-zsh" (if (cfg.mainUser != null) then '' - # source ${config.users.users.mainUser.home}/.zshrc - # '' else - # "# programs.custom.zsh.mainUser not set "); - - # Theme - # ----- - #environment.etc."zshcustom/themes/powerlevel9k".source = - # pkgs.fetchFromGitHub { - # owner = "bhilburn"; - # repo = "powerlevel9k"; - # rev = "v0.6.4"; - # sha256 = "104wvlni3rilpw9v1dk848lnw8cm8qxl64xs70j04ly4s959dyb5"; - # }; - #environment.etc."zshcustom/powerlevel9kpatch.zsh".source = - # pkgs.writeText "powerlevel9kpatch.zsh" '' - # # prompt elements - # # --------------- - # POWERLEVEL9K_LEFT_PROMPT_ELEMENTS=(vi_mode context dir vcs custom_jail background_jobs time status) - # POWERLEVEL9K_RIGHT_PROMPT_ELEMENTS=() - # - # # root_indicator - # # -------------- - # POWERLEVEL9K_ROOT_ICON="#" - # POWERLEVEL9K_ROOT_INDICATOR_FOREGROUND="black" - # POWERLEVEL9K_ROOT_INDICATOR_BACKGROUND="red" - # ''; - }; -} - diff --git a/legacy/sterni/configuration.nix b/legacy/sterni/configuration.nix deleted file mode 100644 index b25d930..0000000 --- a/legacy/sterni/configuration.nix +++ /dev/null @@ -1,76 +0,0 @@ -{ config, pkgs, lib, ... }: { - - imports = [ - - ../../components - ../../modules - - ./hardware-configuration.nix - ./packages.nix - ./syncthing.nix - ./tinc.nix - ./wireguard.nix - - ]; - - components.gui.enable = true; - components.terminal.enable = true; - components.network.enable = true; - components.network.wifi.enable = true; - components.mainUser.enable = true; - users.users.mainUser.extraGroups = [ "adbusers" "video" ]; - - services.printing.enable = false; - - services.nginx.enable = true; - - networking.hostName = "sterni"; - - services.flatpak.enable = true; - - security.wrappers = { - pmount = { - source = "${pkgs.pmount}/bin/pmount"; - setuid = true; - owner = "root"; - group = "root"; - }; - pumount = { - source = "${pkgs.pmount}/bin/pumount"; - setuid = true; - owner = "root"; - group = "root"; - }; - }; - - # still needed? - home-manager.users.mainUser.home.stateVersion = "22.11"; - - virtualisation = { - docker.enable = true; - podman.enable = true; - - virtualbox = { - host.enable = false; - guest.enable = false; - }; - }; - - services.xserver.desktopManager.gnome.enable = true; - - samba-share = { - enable = false; - folders = { - share = "/home/share"; - video = "/home/video-material"; - }; - }; - - # for congress and streaming - hardware.opengl = { - enable = true; - driSupport = true; - driSupport32Bit = true; - }; - -} diff --git a/legacy/sterni/hardware-configuration.nix b/legacy/sterni/hardware-configuration.nix deleted file mode 100644 index 0f6c91c..0000000 --- a/legacy/sterni/hardware-configuration.nix +++ /dev/null @@ -1,85 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - - imports = [ "${modulesPath}/installer/scan/not-detected.nix" ]; - - boot.initrd.availableKernelModules = - [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ]; - boot.initrd.kernelModules = [ "dm-snapshot" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - # Use the systemd-boot EFI boot loader, not grub - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - boot.tmpOnTmpfs = true; # make /tmp a tmpfs (performance!) - - #zramSwap = { - # enable = true; - # numDevices = 2; - # swapDevices = 1; - # memoryPercent = 50; - #}; - - fileSystems."/share" = { - device = "none"; - fsType = "tmpfs"; - }; - - fileSystems."/browsers" = { - device = "none"; - fsType = "tmpfs"; - }; - - - nix.settings.max-jobs = lib.mkDefault 4; - - # lvm volume group - # ---------------- - boot.initrd.luks.devices = { - vg = { - device = "/dev/sda2"; - preLVM = true; - }; - }; - - # NTFS support - # ------------ - environment.systemPackages = [ pkgs.ntfs3g ]; - - # root - # ---- - fileSystems."/" = { - options = [ "noatime" "nodiratime" "discard" ]; - device = "/dev/vg/root"; - fsType = "ext4"; - }; - - # home - # ---- - fileSystems."/home" = { - options = [ "noatime" "nodiratime" "discard" ]; - device = "/dev/vg/home"; - fsType = "ext4"; - }; - - # /home/palo/private/.fotos.ct - # -------------------- - #fileSystems."/home/palo/private/.fotos.ct" = { - # options = [ "noatime" "nodiratime" "discard" ]; - # device = "/dev/vg/fotos"; - # fsType = "ext4"; - #}; - - # boot - # ---- - fileSystems."/boot" = { - device = "/dev/sda1"; - fsType = "vfat"; - }; - -} diff --git a/legacy/sterni/packages.nix b/legacy/sterni/packages.nix deleted file mode 100644 index 4890fb4..0000000 --- a/legacy/sterni/packages.nix +++ /dev/null @@ -1,96 +0,0 @@ -{ config, lib, pkgs, ... }: -let - nextcloudSync = folder: - let - password = "$( ${pkgs.pass}/bin/pass show home/nextcloud/palo/nextcloudcmd-token )"; - user = "palo"; - in - pkgs.writers.writeBashBin "nextcloud-sync-${folder}" '' - ${pkgs.nextcloud-client}/bin/nextcloudcmd \ - --path "${folder}" \ - ~/Nextcloud/${folder} \ - "https://${user}:${password}@nextcloud.ingolf-wagner.de" - ''; - - -in -{ - environment.systemPackages = with pkgs; [ - - ((ganttproject-bin.override { - jre = pkgs.openjdk11; - }).overrideAttrs (old: { - version = "3.1.3100"; - src = pkgs.fetchzip { - url = "https://dl.ganttproject.biz/ganttproject-3.1.3100/ganttproject-3.1.3100.zip"; - sha256 = "sha256-hw2paak0P670/kemiuqYHIaN0uUtkVKy+AX2X7OdnJ4="; - }; - })) - - autorandr - - (nextcloudSync "InstantUpload") - (nextcloudSync "Pictures") - (nextcloudSync "Unterlagen") - (nextcloudSync "Nähen") - (nextcloudSync "Video") - (nextcloudSync "Kunstbuch") - (nextcloudSync "AWS-SolutionArchitect-Professional") - - #(pkgs.writeShellScriptBin "nixFlakes" '' - # exec ${pkgs.nixUnstable}/bin/nix --experimental-features "nix-command flakes" "$@" - #'') - - valentina - - signal-desktop - legacy_2311.fluffychat - - sweethome3d.application - pkgs.polygon-art.polygon-art - - # bluetooth gui - blueberry - - nextcloud-client - gimp - inkscape - imagemagick - - bitwig-studio3 - #sononym-crawler - darktable - - #blender - mosquitto - (pkgs.writers.writeBashBin "mqtt-tail" '' - ${pkgs.mosquitto}/bin/mosquitto_sub -v \ - -h pepe.private \ - -u homeassistant \ - -P password \ - -t "#" - '') - - tor-browser-bundle-bin - #(tor-browser-bundle-bin.overrideAttrs (old: rec { - # version = "11.0.1"; - # name = "tor-browser-bundle-${version}"; - # src = pkgs.fetchurl { - # url = - # "https://dist.torproject.org/torbrowser/10.0.15/tor-browser-linux64-10.0.15_en-US.tar.xz"; - # "https://dist.torproject.org/torbrowser/11.0.1/tor-browser-linux64-11.0.1_en-US.tar.xz"; - # sha256 = "1ah69jmfgik063f9gkvyv9d4k706pqihmzc4k7cc95zyd17v8wrs"; - # }; - #})) - - sops - - bitwarden - - ]; - - home-manager.users.mainUser = { - programs.obs-studio.enable = true; - }; - -} diff --git a/legacy/sterni/qemu.nix b/legacy/sterni/qemu.nix deleted file mode 100644 index 91597bc..0000000 --- a/legacy/sterni/qemu.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - - virtualisation.libvirtd.enable = true; - virtualisation.libvirtd.onShutdown = "shutdown"; - - environment.systemPackages = [ - pkgs.qemu_kvm - pkgs.virt-manager - ]; - - users.users.mainUser.extraGroups = [ "libvirtd" ]; - - -} diff --git a/legacy/sterni/scanner.nix b/legacy/sterni/scanner.nix deleted file mode 100644 index bf3e1a2..0000000 --- a/legacy/sterni/scanner.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - services.grocy-scanner = { - enable = true; - host = "https://grocy.ingolf-wagner.de"; - device = "/dev/input/by-id/usb-Belon.cn_2.4G_Wireless_Device_Belon_Smart-event-kbd"; - apiKeyFile = toString (pkgs.writeText "key" "my-api-key-not"); - }; -} diff --git a/legacy/sterni/syncthing.nix b/legacy/sterni/syncthing.nix deleted file mode 100644 index ee92d8c..0000000 --- a/legacy/sterni/syncthing.nix +++ /dev/null @@ -1,66 +0,0 @@ -{ config, pkgs, lib, ... }: { - - sops.secrets.syncthing_cert = { }; - sops.secrets.syncthing_key = { }; - - services.syncthing = { - enable = true; - openDefaultPorts = false; - user = "palo"; - dataDir = "/home/palo/.syncthing"; - configDir = "/home/palo/.syncthing"; - cert = toString config.sops.secrets.syncthing_cert.path; - key = toString config.sops.secrets.syncthing_key.path; - overrideFolders = true; - folders = { - - # on encrypted drive - # ------------------ - password-store = { - enable = true; - path = "/home/palo/.password-store"; - }; - #private = { - # enable = true; - # path = "/home/palo/private"; - #}; - art = { - enable = true; - path = "/home/palo/art"; - }; - desktop = { - enable = true; - path = "/home/palo/desktop"; - }; - finance = { - enable = true; - path = "/home/palo/finance"; - }; - - # no need to be encrypted - # ----------------------- - books = { - enable = true; - path = "/home/palo/books"; - }; - music-library = { - enable = true; - path = "/home/palo/music-library"; - }; - #music-projects = { - # enable = true; - # path = "/home/palo/music-projects"; - #}; - }; - }; - - services.permown."/home/palo/music-library" = { - owner = "palo"; - group = "users"; - }; - - services.permown."/home/palo/finance" = { - owner = "palo"; - group = "syncthing"; - }; -} diff --git a/legacy/sterni/tinc.nix b/legacy/sterni/tinc.nix deleted file mode 100644 index 9dd0446..0000000 --- a/legacy/sterni/tinc.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ config, ... }: -{ - - tinc.private.enable = true; - tinc.private.ipv4 = "10.23.42.24"; - - tinc.secret.enable = true; - tinc.secret.ipv4 = "10.123.42.24"; - - # retiolum - #networking.retiolum.port = 720; - #sops.secrets.tinc_retiolum_ed25519_key = { }; - #services.tinc.networks.retiolum.ed25519PrivateKeyFile = config.sops.secrets.tinc_retiolum_ed25519_key.path; - -} diff --git a/legacy/sterni/wireguard.nix b/legacy/sterni/wireguard.nix deleted file mode 100644 index 16b9b00..0000000 --- a/legacy/sterni/wireguard.nix +++ /dev/null @@ -1,27 +0,0 @@ -{ config, ... }: -{ - networking.firewall.allowedUDPPorts = [ 51820 ]; - sops.secrets.wireguard_private = { }; - - # Enable WireGuard - networking.wg-quick.interfaces = { - # Hub and Spoke Setup - # https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/ - wg0 = { - address = [ "10.100.0.3/32" ]; - listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers) - privateKeyFile = config.sops.secrets.wireguard_private.path; - mtu = 1280; - - peers = [ - { - # robi - publicKey = "uWR93xJe5oEbX3DsAYpOS9CuSg1VmXEQxJzdlJpe3DU="; - allowedIPs = [ "10.100.0.1/24" ]; - #endpoint = "ingolf-wagner.de:51820"; - endpoint = "95.216.66.212:51820"; - } - ]; - }; - }; -} diff --git a/legacy/sync-script.nix b/legacy/sync-script.nix deleted file mode 100644 index f052626..0000000 --- a/legacy/sync-script.nix +++ /dev/null @@ -1,31 +0,0 @@ -{ pkgs, ... }: -{ - environment.systemPackages = [ - (pkgs.writers.writeBashBin "torrent-sync" '' - set -e - set -x - - file_folder=$( realpath "$1" ) - folder=$( dirname "$file_folder" ) - file=$( basename "$file_folder" ) - - pushd "$folder" - ${pkgs.transmission}/bin/transmission-create \ - -t udp://robi.private:6969/announce \ - -o ~/last.torrent \ - "$file" - popd - - ${pkgs.transmission}/bin/transmission-remote \ - sync.chungus.private:80 \ - -a ~/last.torrent \ - --download-dir "$folder" - - ${pkgs.transmission}/bin/transmission-remote \ - sync.robi.private:80 \ - -a ~/last.torrent \ - --download-dir "$folder" - - '') - ]; -} diff --git a/legacy/sync-torrent.nix b/legacy/sync-torrent.nix deleted file mode 100644 index aa7b1ea..0000000 --- a/legacy/sync-torrent.nix +++ /dev/null @@ -1,112 +0,0 @@ -{ lib, pkgs, config, ... }: -let - uiPort = 9099; - announceIp = "10.23.42.28"; - peerPort = 51433; -in -{ - - containers.sync-torrent = { - - # mount host folders - bindMounts = { - media = { - hostPath = "/media"; - mountPoint = "/media"; # must be here otherwise transmission can't see the folder - isReadOnly = false; - }; - lib = { - hostPath = "/srv/sync-torrent"; - mountPoint = "/var/lib/transmission"; - isReadOnly = false; - }; - }; - - autoStart = true; - - config = { config, pkgs, lib, ... }: { - - system.stateVersion = "23.11"; - services.journald.extraConfig = "SystemMaxUse=1G"; - - services.transmission = { - enable = true; - - settings = { - download-dir = "/media"; - incomplete-dir = "/var/lib/transmission/incomplete"; # todo put this somewhere with frequent snapshots but low keep. - incomplete-dir-enabled = true; - message-level = 1; - umask = 2; - rpc-whitelist-enabled = false; - rpc-host-whitelist-enabled = false; - rpc-port = uiPort; - rpc-enable = true; - rpc-bind-address = "0.0.0.0"; - - # "normal" speed limits - speed-limit-down-enabled = false; - speed-limit-down = 1000; # in Kib/s - speed-limit-up-enabled = true; - speed-limit-up = 1000; # in Kib/s - upload-slots-per-torrent = 8; - # Queuing - # When true, Transmission will only download - # download-queue-size non-stalled torrents at once. - download-queue-enabled = true; - download-queue-size = 3; - - # When true, torrents that have not shared data for - # queue-stalled-minutes are treated as 'stalled' - # and are not counted against the queue-download-size - # and seed-queue-size limits. - queue-stalled-enabled = true; - queue-stalled-minutes = 60; - - # When true. Transmission will only seed seed-queue-size - # non-stalled torrents at once. - seed-queue-enabled = false; - seed-queue-size = 10; - - # Enable UPnP or NAT-PMP. - peer-port = peerPort; - port-forwarding-enabled = false; - announce-ip = announceIp; - announce-ip-enabled = true; - - # Start torrents as soon as they are added - start-added-torrents = true; - - }; - }; - - }; - }; - - # open ports for logging - #networking.firewall.interfaces."ve-torrent".allowedTCPPorts = - # [ 5044 12304 12305 ]; - #networking.firewall.interfaces."ve-torrent".allowedUDPPorts = - # [ 5044 12304 12305 ]; - - # host nginx setup - # ---------------- - # curl -H "Host: sync.chungus.private" https://robi.private/ < will work - # curl -H "Host: sync.chungus.private" https://144.76.13.147/ < wont work - services.nginx = { - enable = true; - recommendedProxySettings = true; - virtualHosts = { - "sync.${config.networking.hostName}.private" = { - extraConfig = '' - allow ${config.tinc.private.subnet}; - deny all; - ''; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString uiPort}"; - }; - }; - }; - }; - -} diff --git a/legacy/terranix-dendrite.nix b/legacy/terranix-dendrite.nix deleted file mode 100644 index b976a21..0000000 --- a/legacy/terranix-dendrite.nix +++ /dev/null @@ -1,131 +0,0 @@ -{ config, pkgs, ... }: -let - - inherit (config.services.dendrite.settings.global) server_name; - - matrix_host = "matrix.terranix.org"; - element_host = "element.terranix.org"; - element-web-terranix.org = - pkgs.runCommand "element-web-with-config" - { - nativeBuildInputs = [ pkgs.buildPackages.jq ]; - } '' - cp -r ${pkgs.element-web} $out - chmod -R u+w $out - jq '."default_server_config"."m.homeserver" = { "base_url": "https://${matrix_host}:443", "server_name": "${server_name}" }' \ - > $out/config.json < ${pkgs.element-web}/config.json - ln -s $out/config.json $out/config.${matrix_host}.json - ''; -in -{ - - # $ nix-shell -p dendrite --run 'generate-keys --private-key /tmp/key' - sops.secrets.matrix-server-key = { }; - - services.dendrite = { - enable = true; - httpPort = 8043; - settings = { - global = { - server_name = "terranix.org"; - # `private_key` has the type `path` - # prefix a `/` to make `path` happy - private_key = "/$CREDENTIALS_DIRECTORY/matrix-server-key"; - trusted_third_party_id_servers = [ - "matrix.org" - "vector.im" - "xaos.space" - "lassul.us" - "thalheim.io" - "nixos.org" - "chaospott.de" - ]; - metrics.enabled = false; - }; - logging = [ - { - type = "std"; - level = "warn"; - } - ]; - client_api = { - registration_disabled = true; - rate_limiting.enabled = false; - # set only for the first admin account, than remove. - #registration_shared_secret = ""; # disable once first admin account is created - }; - media_api = { - dynamic_thumbnails = true; - }; - mscs = { - mscs = [ "msc2836" "msc2946" ]; - }; - sync_api = { - real_ip_header = "X-Real-IP"; - }; - federation_api = { - key_perspectives = [ - { - server_name = "matrix.org"; - keys = [ - { - key_id = "ed25519:auto"; - public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"; - } - { - key_id = "ed25519:a_RXGa"; - public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ"; - } - ]; - } - ]; - prefer_direct_fetch = false; - }; - }; - }; - - systemd.services.dendrite.serviceConfig.LoadCredential = [ - "matrix-server-key:${config.sops.secrets.matrix-server-key.path}" - ]; - - # Verify if federation works with - # https://federationtester.matrix.org/#terranix.org - services.nginx.virtualHosts.${matrix_host} = { - listen = [ - { - addr = "0.0.0.0"; - port = 443; - ssl = true; - } - { - addr = "0.0.0.0"; - port = 8448; - ssl = true; - extraParameters = [ "default_server" ]; - } - ]; - forceSSL = true; - enableACME = true; - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_read_timeout 600; - ''; - locations."/".proxyPass = "http://127.0.0.1:${toString config.services.dendrite.httpPort}"; - }; - - networking.firewall.allowedTCPPorts = [ 8448 ]; - networking.firewall.allowedUDPPorts = [ 8448 ]; - - services.nginx.virtualHosts.${element_host} = { - forceSSL = true; - enableACME = true; - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_read_timeout 600; - ''; - locations."/".root = element-web-terranix.org; - }; - -} diff --git a/legacy/trilium.nix b/legacy/trilium.nix deleted file mode 100644 index 264b1fc..0000000 --- a/legacy/trilium.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ config, pkgs, ... }: -{ - - services.trilium-server = { - enable = true; - dataDir = "/srv/trilium"; - instanceName = config.networking.hostName; - host = "10.23.42.28"; - #noAuthentication = true; - nginx = { - enable = true; - hostName = "trilium.${config.networking.hostName}.private"; - }; - }; - - services.nginx.virtualHosts."${config.services.trilium-server.nginx.hostName}".extraConfig = '' - allow ${config.tinc.private.subnet}; - deny all; - ''; - -} diff --git a/legacy/vim.nix b/legacy/vim.nix deleted file mode 100644 index 7989c8a..0000000 --- a/legacy/vim.nix +++ /dev/null @@ -1,225 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - - cfg = config.programs.custom.vim; - - nix-xptemplates = pkgs.writeTextFile { - name = "nix-xptemplates"; - destination = "/ftplugin/nix/nix.xpt.vim"; - text = # vim - '' - XPTemplate priority=personal - - XPT option " tips - `name^ = mkOption { - type = with types; `type^; - description = ${"''"} - `cursor^ - ${"''"}; - }; - - XPT package " tips - { config, lib, ... }: - { - `cursor^ - } - - XPT terranix" tips - { config, lib, pkgs, ... }: - with lib; - let - cfg = config.`name^; - in { - - options.`name^ = mkOption { - default = {}; - type = with types; attrsOf (submodule ({ name, ... }:{ - options = { - enable = mkEnableOption "`name^.name"; - }; - })); - }; - - config = - let - allConfigs = cfg - in - mkIf (cfg != {} ){ - `cursor^ - }; - } - - XPT module " tips - { config, lib, pkgs, ... }: - - with lib; - - let - - cfg = config.`name^; - - in { - - options.`name^ = { - enable = mkEnableOption "enable `name^"; - }; - - config = mkIf cfg.enable { - `cursor^ - }; - } - - XPT shell " tips - { pkgs ? import {} }: - pkgs.mkShell { - - # needed pkgs - # ----------- - buildInputs = with pkgs; [ - `name^ - ]; - - # run this on start - # ----------------- - shellHook = ${"''"} - HISTFILE=${"$"}{toString ./.}/.history - ${"''"}; - } - - XPT fhsUser " tips - { pkgs ? import {} }: - (pkgs.buildFHSUserEnv { - name = "fhs-user-env"; - - targetPkgs = pkgs: with pkgs; [ - # core stuff - # ---------- - vim silver-searcher curl coreutils git tig - - # common X dependencies - # --------------------- - atk cairo dbus eudev expat fontconfig freetype gdk_pixbuf glib gnome3.GConf gtk2-x11 - mesa_glu nspr nss pango xlibs.libXScrnSaver xlibs.libXcomposite xlibs.libXcursor - xlibs.libXdamage xlibs.libXfixes xlibs.libXi xlibs.libXrender xlibs.libXtst xorg.libX11 - xorg.libXext xorg.libXinerama xorg.libxcb - liblo zlib fftw minixml libcxx alsaLib glibc - - # new stuff - # --------- - `cursor^ - - ]; - - # multilib packages - # ----------------- - # these are packages compiled 32bit and 64bit - multiPkgs = pkgs: with pkgs; [ - ]; - - # environment variables - # --------------------- - profile = ${"''"} - export TERM="xterm" - ${"''"}; - - }).env - - ''; - }; - - # active plugins - # -------------- - extra-runtimepath = with pkgs; - lib.concatMapStringsSep "," (pkg: "${pkg.outPath}") [ - vimPlugins.Syntastic - vimPlugins.ack-vim - vimPlugins.airline - vimPlugins.vim-nix - vimPlugins.xptemplate - ]; - - # the vimrc - # --------- - vimrc = pkgs.writeText "vimrc" '' - - " turn on linenumbers - " to turn of :set nonumber - :set number - - " show Trailing Whitespaces - :set list listchars=tab:»·,trail:¶ - - " Map leader is the key for shortcuts - nnoremap - let mapleader = "\" - - " move blocks of text in visual mode - " does not work correctly - vmap xkP`[V`] - vmap xp`[V`] - - " search/grep case insensitive - :set ignorecase - - " tabs should always be 2 spaces - set et ts=2 sts=2 sw=2 - - " installed vim-plugins - set runtimepath=${extra-runtimepath},$VIMRUNTIME,$HOME/.vim,${nix-xptemplates} - - " syntax highlighting on - syntax off - - " xptemplates - " ----------- - " a plugin to insert snippets on demand - set nocompatible - filetype plugin on - - " enable cursor cross - " ------------------- - ":hi CursorLine cterm=NONE ctermbg=darkred ctermfg=white guibg=darkred guifg=white - ":hi CursorColumn cterm=NONE ctermbg=darkred ctermfg=white guibg=darkred guifg=white - :hi CursorLine cterm=NONE ctermbg=0 guibg=#073642 - :hi CursorColumn cterm=NONE ctermbg=0 guibg=#073642 - set cursorline - set cursorcolumn - - " save view - " --------- - augroup AutoSaveFolds - autocmd! - autocmd BufWinLeave * mkview - autocmd BufWinEnter * silent loadview - augroup END - - " some language stuff - " ------------------- - :map s :setlocal spell spelllang=en - - ''; - -in -{ - - # no options - options.programs.custom.vim.enable = lib.mkEnableOption "vim"; - - config = lib.mkIf cfg.enable { - # create vimrc - # ------------ - # and load it as config for vim - environment.variables.VIMINIT = ":so /etc/vimrc"; - environment.etc.vimrc.source = vimrc; - - # set vim to the default editor - # ----------------------------- - programs.vim.defaultEditor = true; - - # install vim - # ----------- - environment.systemPackages = [ pkgs.vim ]; - }; - -} diff --git a/legacy/webhook-ring.nix b/legacy/webhook-ring.nix deleted file mode 100644 index 5bf5cd0..0000000 --- a/legacy/webhook-ring.nix +++ /dev/null @@ -1,45 +0,0 @@ -{ config, pkgs, ... }: -# To create a sign at the door -# "Sorry Doorbell is broken, please scan this QR Code -# -# create QR Code with: -# qrencode -o ./test.png http://ring.ingolf-wagner.de -# -# for secure urls check -# https://www.nginx.com/blog/securing-urls-secure-link-module-nginx-plus/ -{ - - sops.secrets.ringPushover = { - owner = config.services.webhook.user; - }; - - services.webhook = { - enable = true; - hooks = { - ring = { - execute-command = - let - script = pkgs.writers.writeBash "ring-script" '' - . ${config.sops.secrets.ringPushover.path} - ${pkgs.curl}/bin/curl -s \ - --form-string "token=$API_KEY" \ - --form-string "user=$USER_KEY" \ - --form-string "title=Klingeling" \ - --form-string "message=Jemand an der Tür" \ - https://api.pushover.net/1/messages.json - ''; - in - toString script; - response-message = "It's ringing"; - }; - }; - }; - - services.nginx.virtualHosts."ring.ingolf-wagner.de" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://localhost:${toString config.services.webhook.port}/${config.services.webhook.urlPrefix}/ring"; - }; - }; -} diff --git a/legacy/weechat.nix b/legacy/weechat.nix deleted file mode 100644 index f008033..0000000 --- a/legacy/weechat.nix +++ /dev/null @@ -1,38 +0,0 @@ -{ config, pkgs, lib, ... }: - -# how to setup a relay -# * ssh on the maching -# * sudo -u weechat screen -r -# /set relay.network.password "mypassword" -# /relay add weechat 10000 - -{ - - # configure weechat - services.weechat = { enable = true; }; - - # configure bitlbee - services.bitlbee = { - enable = true; - libpurple_plugins = [ - #pkgs.pidgin-otr - #pkgs.purple-facebook - #pkgs.purple-discord - #pkgs.purple-matrix - #pkgs.purple-hangouts - #pkgs.pidgin-latex - #pkgs.pidgin-opensteamworks - #pkgs.pidgin-skypeweb - pkgs.telegram-purple - #pkgs.purple-lurch - ]; - plugins = - [ pkgs.bitlbee-facebook pkgs.bitlbee-steam pkgs.bitlbee-mastodon ]; - }; - - # otherwise xterm is the only thing that works - environment.systemPackages = [ pkgs.rxvt_unicode ]; - - backup.dirs = [ config.services.weechat.root ]; - -} diff --git a/legacy/wifi-access-point.nix b/legacy/wifi-access-point.nix deleted file mode 100644 index 9ce0cc8..0000000 --- a/legacy/wifi-access-point.nix +++ /dev/null @@ -1,85 +0,0 @@ -{ lib, pkgs, ... }: - -let - wifi = "wlp0s29u1u2"; - ipAddress = "10.123.145.1"; - prefixLength = 24; - servedAddressRange = "10.123.145.2,10.123.145.150,12h"; - ssid = "bumbumbum"; - wifiPassword = lib.fileContents ; - -in -{ - # todo only open needed ports - networking.firewall.trustedInterfaces = [ wifi ]; - - networking.networkmanager.unmanaged = [ wifi ]; - networking.dhcpcd.denyInterfaces = [ wifi ]; - - networking.interfaces."${wifi}".ipv4.addresses = [{ - address = ipAddress; - prefixLength = prefixLength; - }]; - - # forward traffic coming in trough the access point => provide internet and vpn network access - # todo : forward to own servers - boot.kernel.sysctl = { - "net.ipv4.conf.${wifi}.forwarding" = true; - "net.ipv6.conf.${wifi}.forwarding" = true; - }; - - systemd.services.hostapd = { - description = "hostapd wireless AP"; - path = [ pkgs.hostapd ]; - - # start manual - # wantedBy = [ "network.target" ]; - - after = [ - "${wifi}-cfg.service" - "nat.service" - "bind.service" - "dhcpd.service" - "sys-subsystem-net-devices-${wifi}.device" - ]; - - serviceConfig = { - ExecStart = "${pkgs.hostapd}/bin/hostapd ${ - pkgs.writeText "hostapd.conf" '' - interface=${wifi} - hw_mode=g - channel=10 - ieee80211d=1 - country_code=DE - ieee80211n=1 - wmm_enabled=1 - - ssid=${ssid} - auth_algs=1 - wpa=2 - wpa_key_mgmt=WPA-PSK - rsn_pairwise=CCMP - wpa_passphrase=${wifiPassword} - '' - }"; - Restart = "always"; - }; - }; - - services.dnsmasq = { - enable = true; - extraConfig = '' - # Only listen to routers' LAN NIC. Doing so opens up tcp/udp port 53 to - # localhost and udp port 67 to world: - interface=${wifi} - - # Explicitly specify the address to listen on - listen-address=${ipAddress} - - # Dynamic range of IPs to make available to LAN PC and the lease time. - # Ideally set the lease time to 5m only at first to test everything works okay before you set long-lasting records. - dhcp-range=${servedAddressRange} - ''; - }; - -} diff --git a/legacy/wireshark.nix b/legacy/wireshark.nix deleted file mode 100644 index f4c1b07..0000000 --- a/legacy/wireshark.nix +++ /dev/null @@ -1,45 +0,0 @@ -{ pkgs, config, ... }: { - - users.users.mainUser.extraGroups = [ "wireshark" ]; - programs.wireshark.enable = true; - - environment.systemPackages = [ - - pkgs.wireshark - - # alternative packet analyzer (only works with elasticsearch) - pkgs.packetbeat7 - ]; - - # elastic search is good for analysing stuff - # https://www.elastic.co/blog/analyzing-network-packets-with-wireshark-elasticsearch-and-kibana - services.elasticsearch.enable = true; - services.elasticsearch.listenAddress = - "${config.networking.hostName}.private"; - services.kibana.enable = true; - services.kibana.elasticsearch.hosts = - [ "http://${config.networking.hostName}.private:9200" ]; - services.kibana.listenAddress = "${config.networking.hostName}.private"; - services.kibana.port = 5601; - - # using tshark with elastic search - # -------------------------------- - # tshark -r file.pcap -T ek > packages.json - # curl -XPOST "sterni.private:9200/packets/doc/_bulk" -H 'Content-Type: application/json' --data-binary "@packets.json" - - services.nginx = { - enable = true; - statusPage = true; - virtualHosts = { - "kibana.${config.networking.hostName}.private" = { - serverAliases = [ ]; - locations."/" = { - proxyPass = "http://${config.networking.hostName}.private:${ - toString config.services.kibana.port - }"; - }; - }; - }; - }; - -}