palo/nixos-config
palo/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

🔥 delete cream

Browse source
This commit is contained in:
Ingolf Wagner 2024-10-19 16:24:26 +09:00
parent 79db8373c2
commit 74f7208936
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
26 changed files with 24 additions and 543 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
components/network/nginx.nix
View file

@ -175,7 +175,7 @@ with lib;
]; ];
}) })
(entry { machine = "cherry"; }) (entry { machine = "cherry"; })
(entry { machine = "cream"; }) #(entry { machine = "cream"; })
(entry { machine = "mobi"; }) (entry { machine = "mobi"; })
(entry { machine = "bobi"; }) (entry { machine = "bobi"; })
{ {

12
components/network/syncthing.nix
View file

@ -61,7 +61,7 @@ with lib;
path = lib.mkDefault "/tmp/books"; path = lib.mkDefault "/tmp/books";
devices = [ devices = [
"chungus" "chungus"
"cream" # "cream"
"cherry" "cherry"
]; ];
versioning = { versioning = {
@ -74,7 +74,7 @@ with lib;
path = lib.mkDefault "/tmp/desktop"; path = lib.mkDefault "/tmp/desktop";
devices = [ devices = [
"chungus" "chungus"
"cream" # "cream"
"cherry" "cherry"
]; ];
}; };
@ -83,7 +83,7 @@ with lib;
path = lib.mkDefault "/tmp/finance"; path = lib.mkDefault "/tmp/finance";
devices = [ devices = [
"chungus" "chungus"
"cream" # "cream"
"cherry" "cherry"
]; ];
versioning = { versioning = {
@ -122,7 +122,7 @@ with lib;
path = lib.mkDefault "/tmp/oscar_cpap"; path = lib.mkDefault "/tmp/oscar_cpap";
devices = [ devices = [
"chungus" "chungus"
"cream" # "cream"
"cherry" "cherry"
]; ];
}; };
@ -131,7 +131,7 @@ with lib;
path = lib.mkDefault "/tmp/password-store"; path = lib.mkDefault "/tmp/password-store";
devices = [ devices = [
"chungus" "chungus"
"cream" # "cream"
"cherry" "cherry"
]; ];
versioning = { versioning = {
@ -144,7 +144,7 @@ with lib;
enable = lib.mkDefault false; enable = lib.mkDefault false;
path = lib.mkDefault "/tmp/password-store"; path = lib.mkDefault "/tmp/password-store";
devices = [ devices = [
"cream" # "cream"
"cherry" "cherry"
"orbi" "orbi"
]; ];

10
components/network/tinc/private.nix
View file

@ -14,7 +14,7 @@ let
bobi = "10.23.42.25"; bobi = "10.23.42.25";
cherry = "10.23.42.29"; cherry = "10.23.42.29";
chungus = "10.23.42.28"; chungus = "10.23.42.28";
cream = "10.23.42.27"; # cream = "10.23.42.27";
mobi = "10.23.42.23"; mobi = "10.23.42.23";
orbi = "10.23.42.100"; orbi = "10.23.42.100";
}; };
@ -67,10 +67,10 @@ in
subnets = [ { address = hosts.bobi; } ]; subnets = [ { address = hosts.bobi; } ];
settings.Ed25519PublicKey = "jwvNd4oAgz2cWEI74VTVYU1qgPWq823/a0iEDqJ8KMD"; settings.Ed25519PublicKey = "jwvNd4oAgz2cWEI74VTVYU1qgPWq823/a0iEDqJ8KMD";
}; };
cream = { # cream = {
subnets = [ { address = hosts.cream; } ]; # subnets = [ { address = hosts.cream; } ];
settings.Ed25519PublicKey = Ed25519PublicKey "cream"; # settings.Ed25519PublicKey = Ed25519PublicKey "cream";
}; # };
cherry = { cherry = {
subnets = [ { address = hosts.cherry; } ]; subnets = [ { address = hosts.cherry; } ];
settings.Ed25519PublicKey = Ed25519PublicKey "cherry"; settings.Ed25519PublicKey = Ed25519PublicKey "cherry";

24
components/network/tinc/secret.nix
View file

@ -12,7 +12,7 @@ let
port = 721; port = 721;
hosts = { hosts = {
cherry = "10.123.42.29"; cherry = "10.123.42.29";
cream = "10.123.42.27"; # cream = "10.123.42.27";
robi = "10.123.42.123"; robi = "10.123.42.123";
sternchen = "10.123.42.25"; sternchen = "10.123.42.25";
sterni = "10.123.42.24"; sterni = "10.123.42.24";
@ -35,10 +35,10 @@ in
subnets = [ { address = hosts.sternchen; } ]; subnets = [ { address = hosts.sternchen; } ];
settings.Ed25519PublicKey = "Z567IKl00Kw5JFBNwMvjL33QYe2hRoNtQcNIDFRPReB"; settings.Ed25519PublicKey = "Z567IKl00Kw5JFBNwMvjL33QYe2hRoNtQcNIDFRPReB";
}; };
cream = { # cream = {
subnets = [ { address = hosts.cream; } ]; # subnets = [ { address = hosts.cream; } ];
settings.Ed25519PublicKey = "Y/YRA90mAlNEmdhUWlUTHjjsco6d6hlvW11sPtarIdL"; # settings.Ed25519PublicKey = "Y/YRA90mAlNEmdhUWlUTHjjsco6d6hlvW11sPtarIdL";
}; # };
cherry = { cherry = {
subnets = [ { address = hosts.cherry; } ]; subnets = [ { address = hosts.cherry; } ];
settings.Ed25519PublicKey = "BsPIrZjbzn0aryC0HO3OXSb4oFCMmzNDmMDQmxUXUuC"; settings.Ed25519PublicKey = "BsPIrZjbzn0aryC0HO3OXSb4oFCMmzNDmMDQmxUXUuC";
@ -80,13 +80,13 @@ in
); );
services.openssh.knownHosts = { services.openssh.knownHosts = {
"cream.${network}" = { # "cream.${network}" = {
hostNames = [ # hostNames = [
"cream.${network}" # "cream.${network}"
hosts.cream # hosts.cream
]; # ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConHiCL7INgAhuN6Z9TqP0zP+xNpdV7+OHwUca4IRDD"; # publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConHiCL7INgAhuN6Z9TqP0zP+xNpdV7+OHwUca4IRDD";
}; # };
"sternchen.${network}" = { "sternchen.${network}" = {
hostNames = [ hostNames = [
"sterni.${network}" "sterni.${network}"

22
flake.nix
View file

@ -404,28 +404,6 @@
machines = { machines = {
cream = clanSetup {
name = "cream";
host = "cream.bear";
modules = [
defaultAuthorizedKeys
zerotierModules
nixos-hardware.nixosModules.framework-12th-gen-intel
retiolum.nixosModules.retiolum
private-parts.nixosModules.cream
homeManagerModules
stylixModules
{ home-manager.users.mainUser.gui.enable = true; }
{
home-manager.users.mainUser = import ./homes/palo;
home-manager.users.root = import ./homes/root;
}
{
clan.core.machineDescription = "Laptop";
}
];
};
cherry = clanSetup { cherry = clanSetup {
name = "cherry"; name = "cherry";
host = "cherry.bear"; host = "cherry.bear";

137
machines/cream/configuration.nix
View file

@ -1,137 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
imports = [
./hardware-configuration.nix
./syncthing.nix
./network-tinc.nix
./network-tinc_retiolum.nix
./network-wireguard-wg0.nix
./network-wireguard-wg1.nix
];
system.stateVersion = "22.11";
# Use the systemd-boot EFI boot loader, not grub
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.tmp.useTmpfs = true; # make /tmp a tmpfs (performance!)
components.virtualisation.enable = true;
components.gui.enable = true;
components.gui.xorg.enable = true;
components.gui.wayland.enable = false;
components.mainUser.enable = true;
components.media.enable = true;
components.media.tts-client.enable = false;
components.network.enable = true;
components.network.wifi.enable = true;
components.terminal.enable = true;
telemetry.enable = true;
telemetry.opentelemetry.exporter.endpoint = "10.100.0.1:4317"; # orbi
telemetry.prometheus.exporters.zfs.enable = false;
home-manager.users.mainUser.home.sessionPath = [ "$HOME/.timewarrior/scripts" ];
home-manager.users.mainUser.bugwarrior.config = {
general = {
targets = [
"terranix"
"my_github"
];
log_level = "INFO";
static_fields = [ "priority" ];
merge_annotations = false;
};
terranix = {
service = "github";
login = "mrVanDalo";
token = "@oracle:eval:${pkgs.pass}/bin/pass development/github/mrVanDalo/bugwarriorAccessToken";
username = "mrVanDalo";
default_priority = "";
description_template = "{{githubtitle}} {{githuburl}}";
add_tags = "github";
project_template = "terranix";
involved_issues = true;
query = "org:terranix is:open";
include_user_issues = false;
include_user_repos = false;
};
my_github = {
service = "github";
login = "mrVanDalo";
token = "@oracle:eval:${pkgs.pass}/bin/pass development/github/mrVanDalo/bugwarriorAccessToken";
username = "mrVanDalo";
description_template = "{{githubtitle}} {{githuburl}}";
add_tags = "github";
include_user_issues = true;
include_user_repos = true;
exclude_repos = [
"azubi"
"csv-to-qif"
"stepp0r"
];
};
# todo : add github issues
};
users.users.mainUser.extraGroups = [ "pipewire" ];
services.nginx.enable = true;
networking.hostName = "cream";
#services.flatpak.enable = true;
# make sure battery is charged in a way to live for a long time
services.power-profiles-daemon.enable = false;
services.tlp = {
enable = true;
settings = {
CPU_BOOST_ON_BAT = 0;
CPU_SCALING_GOVERNOR_ON_BATTERY = "powersave";
START_CHARGE_THRESH_BAT0 = 30;
STOP_CHARGE_THRESH_BAT0 = 85;
RUNTIME_PM_ON_BAT = "auto";
};
};
security.wrappers = {
pmount = {
source = "${pkgs.pmount}/bin/pmount";
setuid = true;
owner = "root";
group = "root";
};
pumount = {
source = "${pkgs.pmount}/bin/pumount";
setuid = true;
owner = "root";
group = "root";
};
};
services.printing.enable = true;
samba-share = {
enable = false;
folders = {
share = "/home/share";
video = "/home/video-material";
};
};
# for congress and streaming
hardware.graphics.enable = true;
}

1
machines/cream/facts/ssh.id_ed25519.pub
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPz1SRSthwDEmXZXcBMi0FZhqgZxF7i1lDcGT534Gy7 nixbld@cherry

1
machines/cream/facts/ssh.jobrad.id_ed25519.pub
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIArokGctZ2VLf92FhfE8pHzkx/bjz0/J1QjeaGgDSj1s ingolf.wagner@jobrad.org

1
machines/cream/facts/syncthing.pub
View file

@ -1 +0,0 @@
VQSHJ6K-MUWCTPJ-LJINXBP-7O244YK-TIY3D5B-T6PU7BY-2NPWPXI-HO2Q5Q6

1
machines/cream/facts/tinc.private.ed25519_key.pub
View file

@ -1 +0,0 @@
b8xU34/kYj3LxYfdrozDnpmXt25mLbYsnhUxgvFz2CG

13
machines/cream/facts/tinc.private.rsa_key.pub
View file

@ -1,13 +0,0 @@
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAqFNvj8lg1ET9rala1W7RSi+ObQoN8JoQ7fTZ63XBycDr3bEkubGk
vIbLFFsdhIiMrJG6eRr25EiKQxew6Pb4HwwqjCJugHzSELHgiWN93Dx5hgl+EXV2
8EYQ3xWO+8ZH4PQsfUMqxBx553UMOiDZ0L4OE275z5XuLyDXnjXqv2WCU7qY57lt
MlJ3BFOhtWz7wl7fOu8rzalVuDLc/yp3KKhzLxr7lUUIHOZOT8EsoSAOiy+qUq6Q
K9JrHcTGP3FmBucY5bSyVQxbX75tLqBiadTvlcx4n0mHTbCyHjC2tIHmN2MtUhsS
Qw4uITn7NTd/c9H89Le2Z3Z01sRNEo1eZ3ru0JlYqUEL0sE2lAtPJWRgRePEzCWs
s8GN6LFrAvl8T/FmW6XFzxGBViOhFqP61HO17KhALwl5kVXpUMFKxbn1/ZXP5Ono
+h/Aaph56D/EZAFVvAPR7xx/Cp+cjOvKaKLgnZ5vG3VrjmbL9KkDtHiiiHcKC/Z8
OrOirkxalJJd2bMYpIUO/7TYEUCQzni3ollYae3myFuwRIeiqNnVjtHiQnPMEYmn
pjgWmvtYjvPLJkpnnP96nn+FI7FXqro8nY59COaIne3m0SxPo6JrGwugvYuLeOJS
96v4hcSTrB3LEaH49a3vaFKQUsEOFCCTc6Qx+/ejgV/3cEzQjDblep8CAwEAAQ==
-----END RSA PUBLIC KEY-----

1
machines/cream/facts/tinc.retiolum.ed25519_key.pub
View file

@ -1 +0,0 @@
B3EKYRxqFjIGR2VYajjDqX0gltPJNwcno5PUhafKWKB

13
machines/cream/facts/tinc.retiolum.rsa_key.pub
View file

@ -1,13 +0,0 @@
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAnzhalF1rqLdSsT6HAGuQ6x1kC9Ty3FjoKR2Y5RCO9YIyEgRE8qfR
jkne+wIIleODUDMZYuvUe9X5hm8w6wDzxlwCPitwhDlOxoSBnXfbL6YL9rZBn3lC
JFkpEPtAJYnfM64R4/UjSndHlCVuH7tltD/1tmfG6IbSsIeDVz+pWZdEmBJfCiDl
aqP2gb1oIwe9TgJX2EC2ugW+6Jh9oPNIOP2Q5eLvty5WPhUSGQDWVMr5u0Rgc1oU
hhAvrfue7MFqUwX+o0Zq93eVAu/51dhTtqwwVgZVlHK7Wkak4yTRGPAP9v9vbKeK
7GpQuvbiI5OphhSFPjyCN1XMqVgFxqsnLsflIPbQdxCkBgFxhmNf31BDlXWHWD5e
7BfFYc1tZFcEWKhguoCSesJvh1BVsiZzfya96lGd/+ttcKBUKX4tdznEQsV/MVhC
cVnQD6k8PN4BIWVJtcq5oM9h6Yt6avtv8TeuaLp/Janco4JmYYFIfRETnz6ye/fG
OiKJnGQ1yohSE6n8ZUK1QYdYezZfI8QhF7GHK7he9x13L9xmXoybV+REXlRvh4S2
bi9lWTKhQVIHb/qLIdQuaAnK1xg4tdNzL43KEpPstGlAnG8uUNL8hCJL3m220RPK
lEbtLhayRzQ9zgj/hBQZa/hMGGyiqV1hiTbEEWAusJdGTUPYhjAelOkCAwEAAQ==
-----END RSA PUBLIC KEY-----

1
machines/cream/facts/tinc.secret.ed25519_key.pub
View file

@ -1 +0,0 @@
nrSEGYNGKiEdXaVAnGkb7ihBnKf/PcpGJEvn1NMLNoB

13
machines/cream/facts/tinc.secret.rsa_key.pub
View file

@ -1,13 +0,0 @@
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEA8xuGW5yLty6aWYhhBK/T+7TmP3QsU2Y3ew7KvSNLhuxQc63CwzSA
eJpDHYgoLujoi6VGd1L+I7G3Imy0wF5FsFgsFKY7wTbSL/Y/6gc6wm7yL/gYebH7
zm//n6wqMSlrFKMpnWQj9x43f8eseMl0D3rlXYpE7HfKZI3sPTNexUrWRsqVFUFN
Jmi5SQHIWuczWh0EGUaSc8ueMYHh9WkzDHS7Y8UbLy7bSclRSPxIp7D87513n7YT
0OH7dEDD/is0uoRHQg+TpgFm9HcJeX5ULmsv1x6gssm7D7r+nXF7ATNJrKO0h78O
hAS7kfugHFzrYQP/NRxNLRETSuyL4kQS5WiVfdQWIi+UJtasCSPH4hT34DBPN8vX
GC0nneV9RztnTBUpuIH/BsBOmHBHwLTb9miN6dTyq1MAL/NsiO8+zgxE4gJnownR
r6Dn3fF2bGX9ij9/7WUyi9hez+3c5q3CsG0CDccDsvgkFc4nDdWxmwqKtIg4hM7x
M6FA5W9g1hgupcIdRt/+dKp+nwGH5TYAXa9+XFwfSuegds2hZFluEhmgfet2tB26
wA4w6+mNcTzikvU0262w9VvkvIhAXWxAvMFtDTOzY2aWqoYJfDTmdaRHdj8c2F7A
UCknUC9a3Kwi3BubAARtO1zTe6fhvkdAm9eJi985Y98xaHHXU6QeDX0CAwEAAQ==
-----END RSA PUBLIC KEY-----

1
machines/cream/facts/wireguard.wg0.cidr
View file

@ -1 +0,0 @@
10.100.0.6/32

1
machines/cream/facts/wireguard.wg0.ip
View file

@ -1 +0,0 @@
10.100.0.6

1
machines/cream/facts/wireguard.wg0.pub
View file

@ -1 +0,0 @@
u0HcEa3lGDxqGqrot+9AtrqQNqNzOtCv/PDuuZqB9Ek=

1
machines/cream/facts/zerotier-ip
View file

@ -1 +0,0 @@
fdb3:fdc0:b880:37a1:3a99:93df:ed1c:3754

75
machines/cream/hardware-configuration.nix
View file

@ -1,75 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [
"xhci_pci"
"thunderbolt"
"nvme"
"usb_storage"
"uas"
"sd_mod"
];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.luks.devices = {
pool = {
device = "/dev/nvme0n1p2";
preLVM = true;
};
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/48228fad-8123-4e87-9c70-2e4c204d7a49";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/13A0-D756";
fsType = "vfat";
};
fileSystems."/home" = {
device = "/dev/disk/by-uuid/d73dd71d-9f0f-4c49-8267-9ad7e3f01ff1";
fsType = "ext4";
};
#fileSystems."/removable" =
# {
# device = "/dev/disk/by-uuid/081de08c-b080-4a05-9915-235caae193e7";
# fsType = "ext4";
# };
fileSystems."/share" = {
device = "none";
fsType = "tmpfs";
};
fileSystems."/browsers" = {
device = "none";
fsType = "tmpfs";
};
swapDevices = [ ];
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

10
machines/cream/network-tinc.nix
View file

@ -1,10 +0,0 @@
{ config, ... }:
{
tinc.private.enable = true;
tinc.private.ipv4 = "10.23.42.27";
#tinc.secret.enable = true;
#tinc.secret.ipv4 = "10.123.42.27";
}

29
machines/cream/network-tinc_retiolum.nix
View file

@ -1,29 +0,0 @@
{ config, factsGenerator, ... }:
{
clan.core.facts.services.tinc_retiolum = factsGenerator.tinc { name = "retiolum"; };
networking.retiolum.port = 720;
networking.retiolum.nodename = "sol";
services.tinc.networks.retiolum = {
ed25519PrivateKeyFile =
config.clan.core.facts.services.tinc_retiolum.secret."tinc.retiolum.ed25519_key.priv".path;
rsaPrivateKeyFile =
config.clan.core.facts.services.tinc_retiolum.secret."tinc.retiolum.rsa_key.priv".path;
};
#fileSystems."/retiolum/sicily" = {
# device = "//sicily.r/tonne";
# fsType = "cifs";
# options = [
# "guest"
# "nofail"
# "noauto"
# "ro"
# "rsize=16777216"
# "cache=loose"
# "x-systemd.after=network.target"
# ];
#};
}

38
machines/cream/network-wireguard-wg0.nix
View file

@ -1,38 +0,0 @@
{
config,
factsGenerator,
clanLib,
...
}:
{
networking.firewall.allowedUDPPorts = [ 51820 ];
clan.core.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
clan.core.facts.services.wireguard_ip = factsGenerator.public {
"wireguard.wg0.cidr" = "10.100.0.6/32";
"wireguard.wg0.ip" = "10.100.0.6";
};
# Enable WireGuard
networking.wg-quick.interfaces = {
# Hub and Spoke Setup
# https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/
wg0 = {
address = [
config.clan.core.facts.services.wireguard_ip.public."wireguard.wg0.cidr".value
];
listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
privateKeyFile = config.clan.core.facts.services.wireguard.secret."wireguard.wg0.key".path;
mtu = 1280;
peers = [
{
publicKey = clanLib.readFact "wireguard.wg0.pub" "orbi";
allowedIPs = [
(clanLib.readFact "wireguard.wg0.cidr" "orbi")
];
endpoint = clanLib.readFact "wireguard.wg0.endpoint" "orbi";
}
];
};
};
}

27
machines/cream/network-wireguard-wg1.nix
View file

@ -1,27 +0,0 @@
{ pkgs, config, ... }:
{
clan.core.facts.services.wg1 = {
secret."wg1.conf" = { };
generator = {
# I download the config from my fritz.box
# cat wg_config.conf | pass insert -m machiens/<name>/wg1.conf
prompt = "please enter the wg1.conf";
path = with pkgs; [ coreutils ];
script = ''
echo "$prompt_value" > "$secrets"/wg1.conf
'';
};
};
home-manager.users.root.home.packages = [
(pkgs.writers.writeBashBin "wg1-up" ''
${pkgs.wireguard-tools}/bin/wg-quick up ${
config.clan.core.facts.services.wg1.secret."wg1.conf".path
}
'')
(pkgs.writers.writeBashBin "wg1-down" ''
${pkgs.wireguard-tools}/bin/wg-quick up ${
config.clan.core.facts.services.wg1.secret."wg1.conf".path
}
'')
];
}

69
machines/cream/proxy.nix
View file

@ -1,69 +0,0 @@
{ config, lib, ... }:
let
domain = "awesome.cache";
in
{
networking.extraHosts = ''
127.0.0.1 ${domain}
'';
services.nginx = {
enable = true;
proxyCachePath.nixos = {
enable = true;
inactive = "365d";
keysZoneSize = "100m";
keysZoneName = "nixos";
};
virtualHosts = {
${domain} = {
extraConfig = ''
proxy_cache nixos;
proxy_ignore_headers "Set-Cookie";
proxy_hide_header "Set-Cookie";
proxy_buffering on;
'';
locations."/" = {
recommendedProxySettings = false;
proxyPass = "https://cache.nixos.org";
extraConfig = ''
proxy_set_header Host "cache.nixos.org";
'';
};
};
};
};
# most likely not needed
systemd.services.nginx.serviceConfig = {
RestrictNamespaces = lib.mkForce false;
ProtectSystem = lib.mkForce false;
ProtectControlGroups = lib.mkForce false;
ProtectHome = lib.mkForce false;
ProtectHostname = lib.mkForce false;
ProtectKernelLogs = lib.mkForce false;
ProtectKernelModules = lib.mkForce false;
ProtectKernelTunables = lib.mkForce false;
PrivateDevices = lib.mkForce false;
PrivateMounts = lib.mkForce false;
PrivateTmp = lib.mkForce false;
MemoryDenyWriteExecute = lib.mkForce false;
NoNewPrivileges = lib.mkForce false;
ProtectProc = lib.mkForce "default";
RestrictRealtime = lib.mkForce false;
RestrictSUIDSGID = lib.mkForce false;
};
#services.permown."/data" = {
# owner = "nginx";
#};
#systemd.services."permown./data" = {
# bindsTo = [ "nginx.service" ];
# after = [ "nginx.service" ];
#};
}

63
machines/cream/syncthing.nix
View file

@ -1,63 +0,0 @@
{
config,
pkgs,
lib,
...
}:
{
services.syncthing = {
enable = true;
openDefaultPorts = false;
user = "palo";
group = "users";
dataDir = "/home/palo/.syncthing";
configDir = "/home/palo/.syncthing";
overrideFolders = true;
settings.folders = {
oscar_cpap = {
enable = true;
path = "/home/palo/Documents/OSCAR_Data";
};
password-store = {
enable = true;
path = "/home/palo/.password-store";
};
logseq = {
enable = true;
path = "/home/palo/logseq";
};
art = {
enable = true;
path = "/home/palo/art";
};
desktop = {
enable = true;
path = "/home/palo/desktop";
};
finance = {
enable = true;
path = "/home/palo/finance";
};
share = {
enable = true;
path = "/home/palo/share";
type = "sendonly";
};
books = {
enable = true;
path = "/home/palo/books";
};
};
};
services.permown."/home/palo/music-library" = {
owner = "palo";
group = "users";
};
services.permown."/home/palo/finance" = {
owner = "palo";
group = "syncthing";
};
}