palo/nixos-config
palo/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: palo:7ce8bc0d2667de54e4a22da415ea60cae170e1b7
Branches Tags
palo:main
palo:feature/bugwarrior3
palo:update
palo:refactor/component/ssh
palo:orbi-ssh-unlock-works
..
compare: palo:a085c8d3e5183c5a8947072932569e6ba0dccb54
Branches Tags
palo:main
palo:feature/bugwarrior3
palo:update
palo:refactor/component/ssh
palo:orbi-ssh-unlock-works

No commits in common. "7ce8bc0d2667de54e4a22da415ea60cae170e1b7" and "a085c8d3e5183c5a8947072932569e6ba0dccb54" have entirely different histories.
7ce8bc0d26 ... a085c8d3e5

58 changed files with 4028 additions and 39 deletions
Show stats Expand all files Collapse all files

3
.gitmodules vendored
View file

@ -4,3 +4,6 @@
[submodule "wetten"] [submodule "wetten"]
path = wetten path = wetten
url = ssh://gogs@git.ingolf-wagner.de:443/palo/wetten.git url = ssh://gogs@git.ingolf-wagner.de:443/palo/wetten.git
[submodule "submodules/property"]
path = submodules/property
url = ssh://gogs@git.ingolf-wagner.de:443/palo/property_crawlers.git

29
README.md
View file

@ -1,26 +1,14 @@
# My NixOS configuration # My NixOS configuration
## terranix ## Folder Structure
some terranix scripts
## images
some images I use and build via nixos-generators.
## nixos
### system
Holds system type information like `server` and `desktop`.
### configs ### configs
This should container system specific configurations This should container system specific configurations
## library ### system
some nix-lang functions and tools I use. Holds system type information like `server` and `desktop`.
### modules ### modules
@ -34,3 +22,14 @@ My overlay is in here.
assets, like scripts which I dont want to write in nix-lang. assets, like scripts which I dont want to write in nix-lang.
### terranix
some terranix scripts
### library
some nix-lang functions and tools I use.
### images
some images I use and build via nixos-generators.

14
flake.nix
View file

@ -167,20 +167,6 @@
}; };
}; };
sternchen = { name, nodes, pkgs, ... }: {
deployment.targetHost = "${name}.secret";
deployment.tags = [ "desktop" ];
imports = [
grocy-scanner.nixosModule
];
home-manager.users.mainUser = {
imports = [
doom-emacs-nix.hmModule
home-manager-utils.hmModule
];
};
};
pepe = { name, nodes, pkgs, ... }: { pepe = { name, nodes, pkgs, ... }: {
deployment.targetHost = "${name}.private"; deployment.targetHost = "${name}.private";
deployment.tags = [ "server" ]; deployment.tags = [ "server" ];

56
nixos/configs/porani/configuration.nix Normal file
View file

@ -0,0 +1,56 @@
{ pkgs, lib, config, ... }: {
imports = [
<system/server>
./hardware-configuration.nix
./tinc.nix
./syncthing.nix
#./kodi.nix
];
networking.hostName = "porani";
# not needed because not encrypted
# enable initrd ssh
#configuration.init-ssh = {
# enable = "enabled";
# kernelModules = [ "e1000e" ];
# hostECDSAKey = <secrets/init-ssh/host_ecdsa_key>;
#};
# programs
programs.custom.vim.enable = true;
environment.systemPackages = [ pkgs.mosh ];
# wifi setup
system.custom.wifi = {
enable = true;
configurationFile = <secrets/wpa_supplicant>;
interfaces = [ "wlp3s0" ];
};
# nix-shell -p speedtest_cli --run speedtest
configuration.fireqos = {
enable = true;
interface = "wlp3s0";
input = 2500;
output = 1200;
balance = false;
};
# nix-shell -p speedtest_cli --run speedtest
#configuration.fireqos = {
# enable = true;
# interface = "eth0";
# input = 2500;
# output = 1200;
# balance = false;
#};
# new Zealand overwrites
# services.netdata.enable = lib.mkForce false ;
services.SystemdJournal2Gelf.enable = lib.mkForce false;
}

81
nixos/configs/porani/hardware-configuration.nix Normal file
View file

@ -0,0 +1,81 @@
{ config, lib, pkgs, ... }: {
imports = [
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
# boot loader
# -----------
{
# Use the systemd-boot EFI boot loader, not grub
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
#boot.loader.grub = {
# device = "/dev/sda";
# enable = true;
# version = 2;
#};
}
# kernel
# ------
{
boot.initrd.availableKernelModules =
[ "ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
}
# automount
# ---------
(
let mediaUUID = "3d106f56-89e5-400d-9d6b-1dd957919548";
in {
fileSystems."/media" = {
device = "/dev/disk/by-uuid/${mediaUUID}";
fsType = "ext4";
options = [
"nofail"
"noauto"
#"x-systemd.device-timeout=1ms"
];
};
systemd.mounts = [{
enable = true;
options = "nofail,noauto";
type = "ext4";
wantedBy = [ "multi-user.target" ];
what = "/dev/disk/by-uuid/${mediaUUID}";
where = "/media";
}];
}
)
];
# NTFS support
# ------------
environment.systemPackages = [ pkgs.ntfs3g ];
# partitions
# ----------
fileSystems."/" = {
device = "/dev/disk/by-uuid/77a3e839-5a80-4777-93c3-31be7f0cb99d";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/FBFB-8DA5";
fsType = "vfat";
};
fileSystems."/home" = {
device = "/dev/disk/by-uuid/192a8bd6-e5f7-4e66-b69e-f3da701da343";
fsType = "ext4";
};
fileSystems."/backup" = {
device = "/dev/disk/by-uuid/ca895f0e-f932-4a9e-b2ff-a1a488b0953d";
fsType = "ext4";
};
swapDevices = [ ];
nix.maxJobs = lib.mkDefault 4;
}

38
nixos/configs/porani/kodi.nix Normal file
View file

@ -0,0 +1,38 @@
{ config, lib, pkgs, ... }: {
services.xserver = {
enable = true;
autorun = true;
desktopManager = {
kodi.enable = true;
default = "kodi";
xterm.enable = false;
};
displayManager = {
sddm = {
enable = true;
autoLogin = {
enable = true;
relogin = true;
user = config.users.users.kodi.name;
};
};
};
};
users = {
# mutableUsers = true;
users.kodi = {
isNormalUser = true;
name = "kodi";
uid = 1338;
initialPassword = lib.fileContents <secrets/kodi/password>;
};
};
# allow everybody in the net to access the wifi
networking.firewall = {
allowedTCPPorts = [ 8080 ];
allowedUDPPorts = [ 8080 ];
};
}

11
nixos/configs/porani/mpd.nix Normal file
View file

@ -0,0 +1,11 @@
{ config, lib, ... }: {
sound.enable = true;
services.mpd = {
enable = true;
network.listenAddress = "any";
musicDirectory = "/media/music-library";
};
}

5
nixos/configs/porani/packages.nix Normal file
View file

@ -0,0 +1,5 @@
{ pkgs, ... }: {
environment.systemPackages = [ ];
}

67
nixos/configs/porani/syncthing.nix Normal file
View file

@ -0,0 +1,67 @@
{ config, pkgs, lib, ... }: {
networking.firewall.interfaces."tinc.secure".allowedTCPPorts = [ 8384 ];
custom.samba-share = {
enable = true;
folders = {
movies = config.services.syncthing.declarative.folders.movies.path;
series = config.services.syncthing.declarative.folders.series.path;
music = config.services.syncthing.declarative.folders.music-library.path;
};
};
services.syncthing = {
guiAddress = lib.mkForce "${config.networking.hostName}.secret:8384";
enable = true;
openDefaultPorts = true;
declarative = {
cert = toString <secrets/syncthing/cert.pem>;
key = toString <secrets/syncthing/key.pem>;
overrideFolders = true;
folders = {
# on media hard drive (not encrypted)
# -----------------------------------
movies = {
enable = true;
path = "/media/movies";
rescanInterval = 8 * 3600;
};
music-library = {
enable = true;
path = "/media/music-library";
rescanInterval = 8 * 3600;
};
series = {
enable = true;
path = "/media/series";
rescanInterval = 8 * 3600;
};
};
};
};
system.permown."/media" = {
owner = "syncthing";
group = "syncthing";
};
systemd.services."permown._media" = {
bindsTo = [ "media.mount" ];
after = [ "media.mount" ];
};
systemd.services."syncthing" = {
bindsTo = [ "media.mount" ];
after = [ "media.mount" ];
};
users.groups."syncthing".members = [
"mpd"
"syncthing"
"kodi"
"palo"
];
backup.dirs = [ "/var/lib/syncthing/finance" ];
}

16
nixos/configs/porani/tinc.nix Normal file
View file

@ -0,0 +1,16 @@
{ config, lib, pkgs, ... }: {
module.cluster.services.tinc = {
#"private" = {
# enable = true;
# openPort = true;
# connectTo = [ "sputnik" ];
#};
"secure" = {
enable = true;
openPort = true;
connectTo = [ "sputnik" ];
};
};
}

76
nixos/configs/porani/wifi-access-point.nix Normal file
View file

@ -0,0 +1,76 @@
{ lib, pkgs, ... }:
let
wifi = "wlp0s29u1u2";
ipAddress = "10.23.45.1";
prefixLength = 24;
servedAddressRange = "10.23.45.2,10.23.45.150,12h";
ssid = "palosiot";
wifiPassword = lib.fileContents <secrets/iot_wifi>;
in
{
# todo only open needed ports
networking.firewall.trustedInterfaces = [ wifi ];
networking.networkmanager.unmanaged = [ wifi ];
networking.dhcpcd.denyInterfaces = [ wifi ];
networking.interfaces."${wifi}".ipv4.addresses = [{
address = ipAddress;
prefixLength = prefixLength;
}];
systemd.services.hostapd = {
description = "hostapd wireless AP";
path = [ pkgs.hostapd ];
wantedBy = [ "network.target" ];
after = [
"${wifi}-cfg.service"
"nat.service"
"bind.service"
"dhcpd.service"
"sys-subsystem-net-devices-${wifi}.device"
];
serviceConfig = {
ExecStart = "${pkgs.hostapd}/bin/hostapd ${
pkgs.writeText "hostapd.conf" ''
interface=${wifi}
hw_mode=g
channel=10
ieee80211d=1
country_code=DE
ieee80211n=1
wmm_enabled=1
ssid=${ssid}
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=${wifiPassword}
''
}";
Restart = "always";
};
};
services.dnsmasq = {
enable = true;
extraConfig = ''
# Only listen to routers' LAN NIC. Doing so opens up tcp/udp port 53 to
# localhost and udp port 67 to world:
interface=${wifi}
# Explicitly specify the address to listen on
listen-address=${ipAddress}
# Dynamic range of IPs to make available to LAN PC and the lease time.
# Ideally set the lease time to 5m only at first to test everything works okay before you set long-lasting records.
dhcp-range=${servedAddressRange}
'';
};
}

2
nixos/configs/porani/wifi-networking.nix Normal file
View file

@ -0,0 +1,2 @@
{ config, lib, ... }:
{ }

12
nixos/configs/sputnik/bitwarden.nix Normal file
View file

@ -0,0 +1,12 @@
{ config, pkgs, lib, ... }: {
services.bitwarden_rs = {
enable = true;
config = {
domain = "https://bitwarden.ingolf-wagner.de";
signupsAllowed = false;
rocketPort = 8222;
rocketLog = "critical";
};
};
backup.dirs = [ "/var/lib/bitwarden_rs" ];
}

38
nixos/configs/sputnik/codimd.nix Normal file
View file

@ -0,0 +1,38 @@
{ config, lib, pkgs, ... }:
let
domain = "md.ingolf-wagner.de";
in
{
services.nginx.enable = true;
services.nginx.virtualHosts.hedgedoc = {
enableACME = true;
forceSSL = true;
serverName = domain;
locations."/" = {
proxyPass = "http://localhost:3091";
proxyWebsockets = true;
#extraConfig = ''
# client_max_body_size 4G;
#'';
};
};
services.hedgedoc = {
enable = true;
configuration = {
db = {
dialect = "sqlite";
storage = "/var/lib/hedgedoc/db.sqlite";
useCDN = false;
};
allowFreeURL = true;
domain = domain;
port = 3091;
useCDN = false;
};
};
}

56
nixos/configs/sputnik/configuration.nix Normal file
View file

@ -0,0 +1,56 @@
{ config, pkgs, lib, ... }: {
imports = [
../../system/proxy
./hardware-configuration.nix
../../system/server/packages.nix
./nginx.nix
./tinc.nix
./bitwarden.nix
#./codimd.nix
#./syncplay.nix
./grocy.nix
];
sops.defaultSopsFile = ../../secrets/sputnik.yaml;
networking.hostName = "sputnik";
networking.useDHCP = true;
boot.kernelParams = [ "net.ifnames=0" ];
boot.loader.grub = {
enable = true;
version = 2;
device = "/dev/sda";
};
# nix-shell -p speedtest_cli --run speedtest
configuration.fireqos = {
enable = true;
interface = "eth0";
input = 55000;
output = 4000;
balance = false;
};
services.custom.ssh.sshd.rootKeyFiles =
[ ../../assets/ssh/jenkins.pub ];
# make sure ssh is only available trough the tinc
networking.firewall.extraCommands = ''
iptables -t nat -A PREROUTING ! -i tinc.private -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 0
'';
# enable all subdomains to be reached to make nginx rules easier
services.dnsmasq = with lib; {
enable = true;
extraConfig = ''
${concatStringsSep "\n"
(flip mapAttrsToList config.module.cluster.services.tinc."private".hosts
(name: attrs: "address=/.${name}.private/${attrs.tincIp}"))}
'';
};
}

16
nixos/configs/sputnik/grocy.nix Normal file
View file

@ -0,0 +1,16 @@
{ config, lib, pkgs, ... }:
{
services.grocy = {
enable = true;
settings = {
culture = "de";
currency = "EUR";
};
hostName = "grocy.ingolf-wagner.de";
nginx.enableSSL = true;
};
backup.dirs = [ config.services.grocy.dataDir ];
}

23
nixos/configs/sputnik/hardware-configuration.nix Normal file
View file

@ -0,0 +1,23 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ modulesPath, config, lib, pkgs, ... }:
{
#imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ];
imports = [ "${modulesPath}/profiles/qemu-guest.nix" ];
boot.initrd.availableKernelModules =
[ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/8f2986a3-d2b0-4735-be98-9ec081b87984";
fsType = "ext4";
};
swapDevices = [ ];
nix.maxJobs = lib.mkDefault 1;
}

20
nixos/configs/sputnik/iodined.nix Normal file
View file

@ -0,0 +1,20 @@
{ pkgs, config, ... }:
let
domain = "io.ingolf-wagner.de";
publicIp = "195.201.134.247";
pw = import <secrets/iodinepw.nix>;
in
{
services.iodine.server = {
enable = true;
domain = domain;
ip = "172.16.10.1/24";
extraConfig = "-c -P ${pw} -l ${publicIp}";
};
#krebs.iptables.tables.filter.INPUT.rules = [
#{ predicate = "-p udp --dport 53"; target = "ACCEPT";}
#];
}

458
nixos/configs/sputnik/nginx.nix Normal file
View file

@ -0,0 +1,458 @@
{ config, lib, pkgs, ... }:
let
# todo create flake for this
errorPages = pkgs.fetchgit {
url = "https://git.ingolf-wagner.de/palo/http-errors.git";
rev = "74b8e4c1d9bbba3db6ad858b888e1867318af1f0";
sha256 = "0czdzafx4k76q773lyf3vsjm74g1995iz542dhw15kpy5xbivsrg";
};
error = {
extraConfig = ''
error_page 400 /errors/400.html;
error_page 401 /errors/401.html;
error_page 402 /errors/402.html;
error_page 403 /errors/403.html;
error_page 404 /errors/404.html;
error_page 405 /errors/405.html;
error_page 406 /errors/406.html;
error_page 500 /errors/500.html;
error_page 501 /errors/501.html;
error_page 502 /errors/502.html;
error_page 503 /errors/503.html;
error_page 504 /errors/504.html;
'';
locations."^~ /errors/" = {
extraConfig = "internal;";
root = "${errorPages}/";
};
};
in
{
networking.firewall.allowedTCPPorts =
[ 80 443 2222 config.services.taskserver.listenPort ];
networking.firewall.allowedUDPPorts =
[ 80 443 2222 config.services.taskserver.listenPort ];
services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts = {
"bitwarden.ingolf-wagner.de" = {
#listen = [
# {
# addr = "0.0.0.0";
# port = 4443;
# ssl = true;
# }
# {
# addr = "0.0.0.0";
# port = 80;
# ssl = false;
# }
#];
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:${
toString config.services.bitwarden_rs.config.rocketPort
}";
};
};
#"git.ingolf-wagner.de" = {
# #listen = [
# # {
# # addr = "0.0.0.0";
# # port = 4443;
# # ssl = true;
# # }
# # {
# # addr = "0.0.0.0";
# # port = 80;
# # ssl = false;
# # }
# #];
# forceSSL = true;
# enableACME = true;
# extraConfig = error.extraConfig;
# locations = {
# "/" = {
# proxyPass = "http://workhorse.private:3000";
# extraConfig = ''
# if ($request_method = 'OPTIONS') {
# add_header 'Access-Control-Allow-Origin' '*';
# add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
# #
# # Custom headers and headers various browsers *should* be OK with but aren't
# #
# add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
# #
# # Tell client that this pre-flight info is valid for 20 days
# #
# add_header 'Access-Control-Max-Age' 1728000;
# add_header 'Content-Type' 'text/plain; charset=utf-8';
# add_header 'Content-Length' 0;
# return 204;
# }
# if ($request_method = 'POST') {
# add_header 'Access-Control-Allow-Origin' '*';
# add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
# add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
# add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
# }
# if ($request_method = 'GET') {
# add_header 'Access-Control-Allow-Origin' '*';
# add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
# add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
# add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
# }
# '';
# };
# } // error.locations;
#};
#"grocy.ingolf-wagner.de" = {
# listen = [
# {
# addr = "0.0.0.0";
# port = 4443;
# ssl = true;
# }
# {
# addr = "0.0.0.0";
# port = 80;
# ssl = false;
# }
# ];
#};
#"paste.ingolf-wagner.de" = {
# #listen = [
# # {
# # addr = "0.0.0.0";
# # port = 4443;
# # ssl = true;
# # }
# # {
# # addr = "0.0.0.0";
# # port = 80;
# # ssl = false;
# # }
# #];
# forceSSL = true;
# enableACME = true;
# extraConfig = error.extraConfig;
# locations = {
# "/" = { proxyPass = "http://workhorse.private:8000"; };
# } // error.locations;
#};
"travel.ingolf-wagner.de" = {
#listen = [
# {
# addr = "0.0.0.0";
# port = 4443;
# ssl = true;
# }
# {
# addr = "0.0.0.0";
# port = 80;
# ssl = false;
# }
#];
forceSSL = true;
enableACME = true;
extraConfig = error.extraConfig;
locations = {
"/" = {
root = "/srv/www/travel";
extraConfig = ''
if (-d $request_filename) {
rewrite [^/]$ $scheme://$http_host$request_uri/ permanent;
}
'';
};
} // error.locations;
};
"tech.ingolf-wagner.de" = {
#listen = [
# {
# addr = "0.0.0.0";
# port = 4443;
# ssl = true;
# }
# {
# addr = "0.0.0.0";
# port = 80;
# ssl = false;
# }
#];
forceSSL = true;
enableACME = true;
extraConfig = error.extraConfig;
locations = {
"/" = {
root = "/srv/www/tech";
extraConfig = ''
if (-d $request_filename) {
rewrite [^/]$ $scheme://$http_host$request_uri/ permanent;
}
'';
};
} // error.locations;
};
"preview.tech.ingolf-wagner.de" = {
#listen = [
# {
# addr = "0.0.0.0";
# port = 4443;
# ssl = true;
# }
# {
# addr = "0.0.0.0";
# port = 80;
# ssl = false;
# }
#];
forceSSL = true;
enableACME = true;
extraConfig = error.extraConfig;
locations = {
"/" = {
basicAuth.moderator = "IwantitIwantitIwantit";
root = "/srv/www/tech_preview";
extraConfig = ''
if (-d $request_filename) {
rewrite [^/]$ $scheme://$http_host$request_uri/ permanent;
}
'';
};
} // error.locations;
};
"terranix.org" = {
#listen = [
# {
# addr = "0.0.0.0";
# port = 4443;
# ssl = true;
# }
# {
# addr = "0.0.0.0";
# port = 80;
# ssl = false;
# }
#];
forceSSL = true;
enableACME = true;
extraConfig = error.extraConfig;
locations = {
"/" = {
root = "/srv/www/terranix";
extraConfig = ''
if (-d $request_filename) {
rewrite [^/]$ $scheme://$http_host$request_uri/ permanent;
}
'';
};
} // error.locations;
};
#"chat.ingolf-wagner.de" = {
# listen = [
# {
# addr = "0.0.0.0";
# port = 4443;
# ssl = true;
# }
# {
# addr = "0.0.0.0";
# port = 80;
# ssl = false;
# }
# ];
# forceSSL = true;
# enableACME = true;
# extraConfig = error.extraConfig;
# locations = {
# "/" = {
# proxyPass = "http://chat.workhorse.private";
# proxyWebsockets = true;
# extraConfig = ''
# sub_filter "http://chat.ingolf-wagner.de" "https://chat.ingolf-wagner.de";
# sub_filter "chat.workhorse.private" "chat.ingolf-wagner.de";
# '';
# };
# } // error.locations;
#};
"nextcloud.ingolf-wagner.de" = {
#listen = [
# {
# addr = "0.0.0.0";
# port = 4443;
# ssl = true;
# }
# {
# addr = "0.0.0.0";
# port = 80;
# ssl = false;
# }
#];
forceSSL = true;
enableACME = true;
extraConfig = error.extraConfig;
locations = {
"/" = {
proxyPass = "http://nextcloud.workhorse.private";
extraConfig = ''
sub_filter "http://nextcloud.ingolf-wagner.de" "https://nextcloud.ingolf-wagner.de";
sub_filter "nextcloud.workhorse.private" "nextcloud.ingolf-wagner.de";
# used for view/edit office file via Office Online Server
client_max_body_size 0;
'';
};
"= /.well-known/carddav" = {
priority = 210;
extraConfig = "return 301 $scheme://$host/remote.php/dav;";
};
"= /.well-known/caldav" = {
priority = 210;
extraConfig = "return 301 $scheme://$host/remote.php/dav;";
};
"~ .(?:css|js|svg|gif)$" = {
proxyPass = "http://nextcloud.workhorse.private$request_uri";
extraConfig = ''
expires 6M; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
sub_filter "http://nextcloud.ingolf-wagner.de" "https://nextcloud.ingolf-wagner.de";
sub_filter "nextcloud.workhorse.private" "nextcloud.ingolf-wagner.de";
# used for view/edit office file via Office Online Server
client_max_body_size 0;
'';
};
"~ .woff2?$" = {
proxyPass = "http://nextcloud.workhorse.private$request_uri";
extraConfig = ''
expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
sub_filter "http://nextcloud.ingolf-wagner.de" "https://nextcloud.ingolf-wagner.de";
sub_filter "nextcloud.workhorse.private" "nextcloud.ingolf-wagner.de";
# used for view/edit office file via Office Online Server
client_max_body_size 0;
'';
};
} // error.locations;
};
"gaykraft.com" = {
#listen = [
# {
# addr = "0.0.0.0";
# port = 4443;
# ssl = true;
# }
# {
# addr = "0.0.0.0";
# port = 80;
# ssl = false;
# }
#];
forceSSL = true;
enableACME = true;
extraConfig = error.extraConfig;
locations = {
"/" = { root = "/srv/www/gaykraft"; };
} // error.locations;
};
};
};
services.sslh = {
enable = false;
listenAddresses = [ "0.0.0.0" ];
port = 443;
verbose = true;
transparent = true;
# List of protocols
#
# Each protocol entry consists of:
# name: name of the probe. These are listed on the command line (ssh -?), plus 'regex' and 'timeout'.
# service: (optional) libwrap service name (see hosts_access(5))
# host, port: where to connect when this probe succeeds
# log_level: 0 to turn off logging
# 1 to log each incoming connection
# keepalive: Should TCP keepalive be on or off for that
# connection (default is off)
# fork: Should a new process be forked for this protocol?
# (only useful for sslh-select)
# tfo_ok: Set to true if the server supports TCP FAST OPEN
#
# Probe-specific options:
# (sslh will try each probe in order they are declared, and
# connect to the first that matches.)
#
# tls:
# sni_hostnames: list of FQDN for that target
# alpn_protocols: list of ALPN protocols for that target, see:
# https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
#
# if both sni_hostnames AND alpn_protocols are specified, both must match
#
# if neither are set, it is just checked whether this is the TLS protocol or not
#
# Obviously set the most specific probes
# first, and if you use TLS with no ALPN/SNI
# set it as the last TLS probe
# regex:
# regex_patterns: list of patterns to match for
# that target.
#
# You can specify several of 'regex' and 'tls'.
appendConfig = ''
protocols:
(
{ name: "ssh"; service: "ssh"; host: "localhost"; port: "2222";},
{ name: "tls"; host: "localhost"; port: "4443";},
{ name: "tinc"; host: "localhost"; port: "655"; }
);
'';
};
#systemd.services."socat-proxy" = {
# wantedBy = [ "sslh.service" "multi-user.target" ];
# after = [ "sslh.service" ];
# script = ''
# ${pkgs.socat}/bin/socat TCP-LISTEN:2222,fork TCP:workhorse.private:2222
# '';
#};
systemd.services."socat-taskd" = {
wantedBy = [ "multi-user.target" ];
script =
let port = toString config.services.taskserver.listenPort;
in ''
${pkgs.socat}/bin/socat TCP-LISTEN:${port},fork TCP:workhorse.private:${port}
'';
};
#systemd.services."socat-gogs-ssh" = {
# wantedBy = [ "multi-user.target" ];
# script =
# let port = "2222";
# in ''
# ${pkgs.socat}/bin/socat TCP-LISTEN:${port},fork TCP:workhorse.private:${port}
# '';
#};
}

5
nixos/configs/sputnik/syncplay.nix Normal file
View file

@ -0,0 +1,5 @@
{ config, ... }: {
services.syncplay.enable = true;
networking.firewall.allowedTCPPorts = [ config.services.syncplay.port ];
networking.firewall.allowedUDPPorts = [ config.services.syncplay.port ];
}

16
nixos/configs/sputnik/tinc.nix Normal file
View file

@ -0,0 +1,16 @@
{ config, lib, pkgs, ... }: {
module.cluster.services.tinc = {
"private" = {
enable = true;
openPort = true;
};
"secret" = {
enable = true;
openPort = true;
};
};
users.users."tinc.secret".group = "tinc.secret";
users.groups."tinc.secret" = { };
}

20
nixos/configs/sternchen/packages.nix
View file

@ -15,7 +15,7 @@
keepassxc keepassxc
firefox firefox
google-chrome google-chrome
skypeforlinux skype
tipp10 tipp10
zoom-us zoom-us
gnome3.gnome-todo gnome3.gnome-todo
@ -45,15 +45,15 @@
gwenview gwenview
skanlite skanlite
tor-browser-bundle-bin #tor-browser-bundle-bin
#(tor-browser-bundle-bin.overrideAttrs (old: rec { (tor-browser-bundle-bin.overrideAttrs (old: rec {
# version = "11.0.1"; version = "11.0.1";
# name = "tor-browser-bundle-${version}"; name = "tor-browser-bundle-${version}";
# src = pkgs.fetchurl { src = pkgs.fetchurl {
# url = "https://dist.torproject.org/torbrowser/11.0.1/tor-browser-linux64-11.0.1_en-US.tar.xz"; url = "https://dist.torproject.org/torbrowser/11.0.1/tor-browser-linux64-11.0.1_en-US.tar.xz";
# sha256 = "sha256-E6GCjMiSs4sPUDNIJhHJ/zB0aj3xe/DzWcUpxNZHpbM="; sha256 = "sha256-E6GCjMiSs4sPUDNIJhHJ/zB0aj3xe/DzWcUpxNZHpbM=";
# }; };
#})) }))
]; ];

30
nixos/configs/workhorse/borg.nix Normal file
View file

@ -0,0 +1,30 @@
{ lib, config, pkgs, ... }: {
services.borgbackup.repos = {
default = {
quota = "100G";
allowSubRepos = true;
authorizedKeys = [
(lib.fileContents ../../assets/ssh/borg_access.pub)
(lib.fileContents ../../assets/ssh/card_rsa.pub)
];
};
};
# mirror backup folder to /media
systemd.services.borg-mirror-to-media = {
enable = true;
script = ''
${pkgs.rsync}/bin/rsync -a \
/var/lib/borgbackup/ \
/media/borg-backup-mirror \
--delete-after
'';
};
systemd.timers.borg-mirror-to-media = {
enable = true;
timerConfig.OnCalendar = "daily";
wantedBy = [ "multi-user.target" ];
};
}

22
nixos/configs/workhorse/castget.nix Normal file
View file

@ -0,0 +1,22 @@
{ config, lib, ... }:
let
home = "/home/syncthing/podcasts";
in
{
custom.services.castget = {
enable = true;
user = "root";
feeds = {
Alternativlos = {
url = "https://alternativlos.org/alternativlos.rss";
spool = "${home}/alternativlos";
};
gegenstandpunkt = {
url = "https://pc.argudiss.de/";
spool = "${home}/GegenStandpunkt";
};
};
};
}

77
nixos/configs/workhorse/configuration.nix Normal file
View file

@ -0,0 +1,77 @@
{ lib, config, pkgs, ... }: {
imports = [
../../system/server
./hardware-configuration.nix
./mail-fetcher.nix
#./transmission.nix
#./nextcloud.nix
./borg.nix
./finance.nix
./gogs.nix
./grafana.nix
./graylog.nix
#./jenkins.nix
#./kibana.nix
./mysql.nix
./packages.nix
./prometheus.nix
#./syncthing.nix
./taskserver.nix
./tinc.nix
./weechat.nix
#./property.nix # flask sucks, find something else
];
sops.defaultSopsFile = ../../secrets/workhorse.yaml;
nixpkgs.config.permittedInsecurePackages =
[ "gogs-0.11.91" ];
# todo: add this to each file instead summing that here
#on-failure.plans = {
# gogs.name = "gogs";
# jenkins.name = "jenkins";
# graylog.name = "graylog";
# prometheus.name = "prometheus";
# taskserver.name = "taskserver";
# weechat.name = "weechat";
# transmission.name = "transmission";
# mail-fetcher.name = "fetchmail";
#};
networking.hostName = "workhorse";
# font
# ----
programs.custom.urxvt.fontSize = 17;
programs.custom.xterm.fontSize = 17;
system.custom.fonts.dpi = 140;
# enable initrd ssh
configuration.init-ssh = {
enable = "enabled";
kernelModules = [ "r8169" ];
hostKey = "/etc/ssh/ssh_host_ed25519_key";
};
# nix-shell -p speedtest_cli --run speedtest
configuration.fireqos = {
enable = true;
interface = "enp2s0f1";
input = 45000;
output = 8000;
balance = false;
};
virtualisation = { docker.enable = false; };
services.printing.enable = false;
services.smartd.enable = true;
}

58
nixos/configs/workhorse/finance.nix Normal file
View file

@ -0,0 +1,58 @@
{ lib, config, pkgs, ... }:
let
# find symbols with
# https://www.alphavantage.co/query?function=SYMBOL_SEARCH&apikey=<api_key>&keywords=<keywords>
# as described here : https://www.alphavantage.co/documentation/#symbolsearch
#
# example:
# --------
# stocks = [
# {
# friendly_name = "google";
# symbol = "GOOGL.DEX";
# name = "google";
# currency = "$";
# }
# ];
# results in
# P 2020-01-30 GOOGL $123
stocks = import ../../private_assets/finance/stocks;
stocksFile = toString /home/syncthing/finance/hledger/stocks.journal;
in
{
systemd.services.pull_stocks = {
enable = true;
description = "pull stocks for hledger";
serviceConfig = {
User = "syncthing";
Type = "oneshot";
};
script =
let
command = { symbol, name, currency, ... }: ''
APIKEY=${lib.fileContents ../../private_assets/finance/alphavantage/apiKey}
SYMBOL="${symbol}"
${pkgs.curl}/bin/curl --location --silent \
"https://www.alphavantage.co/query?function=GLOBAL_QUOTE&symbol=$SYMBOL&apikey=$APIKEY" \
| ${pkgs.jq}/bin/jq --raw-output '.["Global Quote"]
| "P \(.["07. latest trading day"]) ${name} ${currency}\(.["05. price"] | tonumber)"' \
>> ${stocksFile}
sleep 1
'';
in
lib.concatStringsSep "\n" (map command stocks);
};
systemd.timers.pull_stocks = {
enable = true;
wantedBy = [ "multi-user.target" ];
timerConfig = {
OnCalendar = "weekly";
Persistent = "true";
};
};
}

122
nixos/configs/workhorse/gogs.nix Normal file
View file

@ -0,0 +1,122 @@
{ config, lib, pkgs, ... }:
let
errorPages = pkgs.fetchgit {
url = "https://git.ingolf-wagner.de/palo/http-errors.git";
rev = "74b8e4c1d9bbba3db6ad858b888e1867318af1f0";
sha256 = "0czdzafx4k76q773lyf3vsjm74g1995iz542dhw15kpy5xbivsrg";
};
error = {
extraConfig = ''
error_page 400 /errors/400.html;
error_page 401 /errors/401.html;
error_page 402 /errors/402.html;
error_page 403 /errors/403.html;
error_page 404 /errors/404.html;
error_page 405 /errors/405.html;
error_page 406 /errors/406.html;
error_page 500 /errors/500.html;
error_page 501 /errors/501.html;
error_page 502 /errors/502.html;
error_page 503 /errors/503.html;
error_page 504 /errors/504.html;
'';
locations."^~ /errors/" = {
extraConfig = "internal;";
root = "${errorPages}/";
};
};
in
{
services.nginx = {
enable = true;
statusPage = true;
virtualHosts = {
"git.${config.networking.hostName}.private" = {
extraConfig = error.extraConfig;
locations."/" = {
proxyPass = "http://${config.networking.hostName}.private:${
toString config.services.gogs.httpPort
}";
};
};
};
};
services.gogs = {
enable = true;
appName = "Kruck GoGs";
domain = "git.ingolf-wagner.de";
httpPort = 3000;
repositoryRoot = "/home/gogs/repositories";
stateDir = "/home/gogs";
rootUrl = "https://git.ingolf-wagner.de/";
extraConfig = ''
[service]
DISABLE_REGISTRATION = true
SHOW_REGISTRATION_BUTTON = false
[server]
SSH_DOMAIN = "git.ingolf-wagner.de"
SSH_PORT = 2222
START_SSH_SERVER = true
SSH_LISTEN_PORT = 2222
[log.file]
LEVEL = Warn
[log.console]
LEVEL = Warn
[log.sublogger.macaron]
LEVEL = Warn
'';
};
backup.dirs = [ config.services.gogs.repositoryRoot ];
# services.nginx = {
# enable = true;
# statusPage = true;
# virtualHosts = {
# "gitlab.${config.networking.hostName}.private" = {
# extraConfig = error.extraConfig;
# locations."/" = {
# proxyPass = "http://${config.networking.hostName}.private:${
# toString config.services.gitlab.port
# }";
# };
# };
# };
# };
# services.gitlab = {
# enable = true;
# host = "gitlab.${config.networking.hostname}.private";
# port = 9897;
# #databasePasswordFile = "path/todo";
# #initialRootPasswordFile = "path/todo";
#
# secrets = {
# # Make sure the secret is at least 30 characters and all random,
# # no regular words or you'll be exposed to dictionary attacks
# dbFile = "path/todo";
#
# # openssl genrsa 2048
# jwsFile = "path/todo";
#
# # Make sure the secret is at least 30 characters and all random,
# # no regular words or you'll be exposed to dictionary attacks
# otpFile = "path/todo";
#
# # Make sure the secret is at least 30 characters and all random,
# # no regular words or you'll be exposed to dictionary attacks
# secretFile = "path/todo";
# };
#
# # smtp?
#
# # gitlab-runner?
# };
}

38
nixos/configs/workhorse/grafana.nix Normal file
View file

@ -0,0 +1,38 @@
{ config, ... }: {
services.nginx = {
enable = true;
statusPage = true;
virtualHosts = {
"grafana.${config.networking.hostName}.private" = {
serverAliases = [ ];
locations."/" = {
proxyPass = "http://${config.networking.hostName}.private:${
toString config.services.grafana.port
}";
};
};
};
};
services.grafana = {
enable = true;
port = 5656;
addr =
config.module.cluster.services.tinc."private".hosts."${config.networking.hostName}".tincIp;
auth.anonymous = {
enable = true;
org_role = "Editor";
org_name = "AWESOME";
};
provision = {
enable = true;
datasources = [{
type = "prometheus";
isDefault = true;
name = "Prometheus Workhorse";
url = "http://workhorse.private:9090";
}];
};
};
}

130
nixos/configs/workhorse/graylog.nix Normal file
View file

@ -0,0 +1,130 @@
{ config, lib, pkgs, ... }:
let port = 9000;
in {
# configure nginx
services.nginx = {
enable = true;
virtualHosts = {
"graylog.workhorse.private" = {
locations."/" = {
proxyPass = "http://localhost:${toString port}";
extraConfig = ''
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 90;
proxy_redirect http://localhost:${
toString port
} https://graylog.workhorse.private/;
'';
};
};
};
};
services.mongodb.enable = true;
services.elasticsearch = {
enable = true;
listenAddress = "${config.networking.hostName}.private";
extraJavaOptions = [ "-Des.http.cname_in_publish_address=true" ];
};
services.graylog.enable = true;
services.graylog.elasticsearchHosts =
[ "http://${config.services.elasticsearch.listenAddress}:9200" ];
# https://docs.graylog.org/en/3.0/pages/configuration/server.conf.html
services.graylog.extraConfig = ''
http_bind_address = 0.0.0.0:${toString port}
http_publish_uri = http://workhorse.private:${toString port}/
'';
# other wise this does not work
services.graylog.nodeIdFile = "/var/lib/graylog/node-id";
# pwgen -N 1 -s 96
services.graylog.passwordSecret =
lib.fileContents ../../private_assets/graylog/password-secret;
# echo -n yourpassword | shasum -a 256
services.graylog.rootPasswordSha2 =
lib.fileContents ../../private_assets/graylog/root-password-hash;
services.graylog.plugins = [ pkgs.graylogPlugins.slack ];
# not working at the moment
#services.geoip-updater.enable = true;
# https://wiki.splunk.com/Http_status.csv
environment.etc."graylog/server/httpCodes.csv" = {
enable = true;
text = ''
status,status_description,status_type
100,Continue,Informational
101,Switching Protocols,Informational
200,OK,Successful
201,Created,Successful
202,Accepted,Successful
203,Non-Authoritative Information,Successful
204,No Content,Successful
205,Reset Content,Successful
206,Partial Content,Successful
300,Multiple Choices,Redirection
301,Moved Permanently,Redirection
302,Found,Redirection
303,See Other,Redirection
304,Not Modified,Redirection
305,Use Proxy,Redirection
307,Temporary Redirect,Redirection
400,Bad Request,Client Error
401,Unauthorized,Client Error
402,Payment Required,Client Error
403,Forbidden,Client Error
404,Not Found,Client Error
405,Method Not Allowed,Client Error
406,Not Acceptable,Client Error
407,Proxy Authentication Required,Client Error
408,Request Timeout,Client Error
409,Conflict,Client Error
410,Gone,Client Error
411,Length Required,Client Error
412,Precondition Failed,Client Error
413,Request Entity Too Large,Client Error
414,Request-URI Too Long,Client Error
415,Unsupported Media Type,Client Error
416,Requested Range Not Satisfiable,Client Error
417,Expectation Failed,Client Error
500,Internal Server Error,Server Error
501,Not Implemented,Server Error
502,Bad Gateway,Server Error
503,Service Unavailable,Server Error
504,Gateway Timeout,Server Error
505,HTTP Version Not Supported,Server Error
'';
};
environment.etc."graylog/server/known_servers.csv" = {
enable = true;
text = ''
"ip","host_name"
"95.216.1.150","lassul.us"
'';
};
environment.etc."graylog/systemd/loglevel.csv" = {
enable = true;
text = ''
"value","Servity","Description"
"0","emergency","System is unusable"
"1","alert","Should be corrected immediately"
"2","cirtical","Critical conditions"
"3","error","Error Condition"
"4","warning","May indicate that an error will occur if action is not taken."
"5","notice","Events that are unusual, but not error conditions."
"6","info","Normal operational messages that require no action."
"7","debug","Information useful to developers for debugging the application."
'';
};
}

121
nixos/configs/workhorse/hardware-configuration.nix Normal file
View file

@ -0,0 +1,121 @@
{ config, lib, pkgs, ... }:
let mainUserHome = "/home/palo";
in {
# grub configuration
# ------------------
boot.loader.grub = {
device = "/dev/sda";
enable = true;
version = 2;
};
# lvm volume group
# ----------------
boot.initrd.luks.devices = {
vg = {
device = "/dev/sda2";
preLVM = true;
};
};
# NTFS support
# ------------
environment.systemPackages = [ pkgs.ntfs3g ];
# root
# ----
fileSystems."/" = {
options = [ "noatime" "nodiratime" "discard" ];
device = "/dev/vg/root";
fsType = "ext4";
};
# boot
# ----
fileSystems."/boot" = {
device = "/dev/sda1";
fsType = "ext4";
};
# home
# ----
fileSystems."/home" = {
options = [ "noatime" "nodiratime" ];
device = "/dev/mapper/decrypted_home";
fsType = "ext4";
encrypted = {
enable = true;
keyFile = "/mnt-root/root/keys/home.key";
label = "decrypted_home";
blkDev = "/dev/mapper/store-home";
};
};
# var/lib/docker
# --------------
fileSystems."/var/lib/borgbackup" = {
options = [ "noatime" "nodiratime" ];
device = "/dev/mapper/decrypted_docker";
fsType = "ext4";
encrypted = {
enable = true;
keyFile = "/mnt-root/root/keys/docker.key";
label = "decrypted_docker";
blkDev = "/dev/mapper/store-docker";
};
};
imports = [
# automount
# ---------
(
let mediaUUID = "b8ba192e-e2aa-47dd-85ec-dcf97ec9310a";
in {
fileSystems."/media" = {
device = "/dev/disk/by-uuid/${mediaUUID}";
fsType = "ext4";
options = [
"nofail"
"noauto"
#"x-systemd.device-timeout=1ms"
];
};
systemd.mounts = [{
enable = true;
options = "nofail,noauto";
type = "ext4";
wantedBy = [ "multi-user.target" ];
what = "/dev/disk/by-uuid/${mediaUUID}";
where = "/media";
}];
}
)
(
let backupUUID = "f7fa1c0e-ac9f-4955-b4bd-644c1ddb0d89";
in {
fileSystems."/backup" = {
device = "/dev/disk/by-uuid/${backupUUID}";
fsType = "ext4";
options = [
"nofail"
"noauto"
#"x-systemd.device-timeout=1ms"
];
};
systemd.mounts = [{
enable = true;
options = "nofail,noauto";
type = "ext4";
wantedBy = [ "multi-user.target" ];
what = "/dev/disk/by-uuid/${backupUUID}";
where = "/backup";
}];
}
)
];
}

203
nixos/configs/workhorse/jenkins.nix Normal file
View file

@ -0,0 +1,203 @@
{ config, lib, pkgs, ... }:
with lib;
let
library = import ../../library { inherit pkgs lib; };
sync-repo = library.jenkins.syncJob;
job = library.jenkins.job;
in
{
environment.systemPackages = [ pkgs.cabal-install ];
services.nginx = {
enable = true;
virtualHosts = {
"jenkins.${config.networking.hostName}.private" = {
locations."/" = {
proxyPass =
"http://localhost:${toString config.services.jenkins.port}";
extraConfig = ''
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 90;
proxy_redirect http://localhost:${
toString config.services.jenkins.port
} https://jenkins.${config.networking.hostName}.private/;
'';
};
};
};
};
sops.secrets.jenkins_token = {
owner = "jenkins";
};
services.jenkins = {
enable = true;
home = "/home/jenkins";
port = 10420;
# Plugins to Install:
# - all the plugins recommended at the setup
# - Build pipeline
# - SSH Agent
# - mattermost plugin
jobBuilder = {
enable = true;
# create an access token in the admin users panel
accessTokenFile = config.sops.secrets.jenkins_token.path;
accessUser = "admin";
# https://docs.openstack.org/infra/jenkins-job-builder/definition.html#modules
nixJobs =
let
# ssh username + key
gogs-id = "bc584c99-0fb7-43fb-af75-4076d64c51b2";
# ssh username + key
github-id = "bc584c99-0fb7-43fb-af75-4076d64c51b2";
# ssh username + key
sshSputnik = "d91eb57c-5bff-434c-b317-68aad46848d7";
sync-to-github = name: source: target:
sync-repo name
{
url = source;
credentialsId = gogs-id;
}
{
url = target;
credentialsId = github-id;
};
in
[
(job "sync-retiolum"
{
url = "git@github.com:krebs/retiolum.git";
credentialsId = github-id;
triggers = [{ timed = "H/30 * * * *"; }];
} [
{
"Download Files" = [
"chmod 755 hosts"
"chmod 755 -R hosts"
''
nix-shell -p curl -p gnutar -p bzip2 --run "curl https://lassul.us/retiolum-hosts.tar.bz2 | tar xvjf - || true"''
"chmod 755 -R etc.hosts"
''
nix-shell -p curl --run "curl https://lassul.us/retiolum.hosts > etc.hosts || true"''
];
}
{
"update repo" = [
''nix-shell -p git --run "git add ."''
''
nix-shell -p git --run "git -c user.name=\'Ingolf Wagner\' -c user.email=\'contact@ingolf-wagner.de\' commit -m update-`date +%Y-%m-%dT%H:%M:%S` || exit 0"''
];
}
{
Push = [{
script = ''nix-shell -p git --run "git push origin master"'';
credentialsId = github-id;
}];
}
])
(job "test-taskninja"
{
url = "ssh://gogs@workhorse.private:2222/palo/taskninja.git";
credentialsId = gogs-id;
} [
{
"Create Shell" = [
''
nix-shell -p cabal2nix --run "cabal2nix --shell file://. > jenkins.nix"''
];
}
{ Update = [ ''nix-shell ./jenkins.nix --run "cabal update"'' ]; }
{
Configure = [
''nix-shell ./jenkins.nix --run "cabal configure --enable-tests"''
''
nix-shell ./jenkins.nix --run "cabal install --only-dependencies"''
];
}
{ Build = [ ''nix-shell ./jenkins.nix --run "cabal build"'' ]; }
{ Test = [ ''nix-shell ./jenkins.nix --run "cabal test"'' ]; }
])
# sync to github
# --------------
(sync-to-github "sync-radiodj"
"ssh://gogs@workhorse.private:2222/crashburn_radio/radio-dj2.git"
"git@github.com:crashburn-radio/radio-dj.git")
(sync-to-github "sync-radiodj-tracks"
"ssh://gogs@workhorse.private:2222/crashburn_radio/radio-dj-tracks.git"
"git@github.com:crashburn-radio/radio-dj-tracks.git")
(sync-to-github "sync-krops-module"
"ssh://gogs@workhorse.private:2222/nix-modules/krops.git"
"git@github.com:mrVanDalo/module.krops.git")
(sync-to-github "sync-cluster-module"
"ssh://gogs@workhorse.private:2222/nix-modules/cluster.git"
"git@github.com:mrVanDalo/module.cluster.git")
(sync-to-github "sync-backup-module"
"ssh://gogs@workhorse.private:2222/nix-modules/backup.git"
"git@github.com:mrVanDalo/module.backup.git")
(sync-to-github "sync-module-tinc"
"ssh://gogs@workhorse.private:2222/palo/nixos-tinc.git"
"git@github.com:mrVanDalo/nixos-tinc.git")
(sync-to-github "sync-memo"
"ssh://gogs@workhorse.private:2222/palo/memo.git"
"git@github.com:mrVanDalo/memo.git")
(sync-to-github "sync-diagrams-template"
"ssh://gogs@workhorse.private:2222/palo/diagrams-template.git"
"git@github.com:mrVanDalo/diagrams.git")
(sync-to-github "sync-plops"
"ssh://gogs@workhorse.private:2222/palo/plops.git"
"git@github.com:mrVanDalo/plops.git")
(sync-to-github "sync-image-generator"
"ssh://gogs@workhorse.private:2222/palo/image-generator2.git"
"git@github.com:mrVanDalo/image-generator.git")
(sync-to-github "sync-image-generator-lib"
"ssh://gogs@workhorse.private:2222/palo/image-generator-lib.git"
"git@github.com:mrVanDalo/image-generator-examples.git")
(sync-to-github "sync-tech.ingolf-wagner.de"
"ssh://gogs@workhorse.private:2222/palo/tech.ingolf-wagner.de.git"
"git@github.com:mrVanDalo/tech.ingolf-wagner.de.git")
(sync-to-github "sync-LineageOS-build"
"ssh://gogs@git.ingolf-wagner.de:2222/palo/LineagoOS-build.git"
"git@github.com:mrVanDalo/LineagoOS-build.git")
(sync-to-github "sync-http-errors"
"ssh://gogs@git.ingolf-wagner.de:2222/palo/http-errors.git"
"git@github.com:mrVanDalo/http-errors.git")
(sync-to-github "sync-light-control"
"ssh://gogs@git.ingolf-wagner.de:2222/palo/light-control.git"
"git@github.com:mrVanDalo/light-control.git")
];
};
};
}

71
nixos/configs/workhorse/jupyter.nix Normal file
View file

@ -0,0 +1,71 @@
{ pkgs, lib, config, ... }: {
services.jupyter = {
enable = true;
ip = "0.0.0.0";
#In [1]: from notebook.auth import passwd
#In [2]: passwd('test')
#Out[2]: 'sha1:1b961dc713fb:88483270a63e57d18d43cf337e629539de1436ba'
#NOTE: you need to keep the single quote inside nix string.
password = "'sha1:1b961dc713fb:88483270a63e57d18d43cf337e629539de1436ba'";
kernels = {
python3 =
let
env = (pkgs.python3.withPackages (pythonPackages:
with pythonPackages; [
ipykernel
pandas
# database stuff
mysqlclient
databases
asyncpg
psycopg2
aiomysql
pymysql
aiosqlite
#aiopg
sqlalchemy
# pdf export
nbconvert
]));
in
{
displayName = "Python 3";
argv = [
"${env.interpreter}"
"-m"
"ipykernel_launcher"
"-f"
"{connection_file}"
];
language = "python";
};
};
};
# to generate pdfs and such
environment.systemPackages = [ pkgs.pandoc ];
backup.dirs = [ "/var/lib/jupyter" ];
backup.exclude =
[ "/var/lib/jupyter/.local" "/var/lib/jupyter/.ipynb_checkpoints" ];
services.nginx = {
enable = true;
statusPage = true;
virtualHosts = {
"python.${config.networking.hostName}.private" = {
serverAliases = [ "jupyter.${config.networking.hostName}.private" ];
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://${config.networking.hostName}.private:${
toString config.services.jupyter.port
}";
};
};
};
};
}

25
nixos/configs/workhorse/kibana.nix Normal file
View file

@ -0,0 +1,25 @@
{ config, ... }: {
services.nginx = {
enable = true;
statusPage = true;
virtualHosts = {
"kibana.${config.networking.hostName}.private" = {
serverAliases = [ ];
locations."/" = {
proxyPass = "http://${config.networking.hostName}.private:${
toString config.services.kibana.port
}";
};
};
};
};
services.elasticsearch.enable = true;
services.elasticsearch.listenAddress = "workhorse.private";
services.kibana.enable = true;
services.kibana.elasticsearch.hosts = [ "http://workhorse.private:9200" ];
services.kibana.listenAddress = "workhorse.private";
services.kibana.port = 5601;
}

661
nixos/configs/workhorse/mail-fetcher.nix Normal file
View file

@ -0,0 +1,661 @@
# fetches mails for me
{ lib, pkgs, config, ... }:
let
junk_filter = [
"from:booking.com"
"subject:Gewinn"
"from:brompton.com"
"from:circleci.com OR (from:noreply@github.com AND to:audio-overlay@googlegroups.com)"
"from:codepen.io"
"from:congstarnews.de"
"from:cronullasurfingacademy.com"
"from:cryptohopper.com"
"from:digitalo.de"
"from:facebook.com OR from:facebookmail.com"
"from:fitnessfirst.de"
"from:flixbus.de"
"from:getdigital.de"
"from:getpocket.com"
"from:ghostinspector.com"
"from:globetrotter.de"
"from:hackster.io"
"from:hostelworld.com"
"from:immobilienscout24.de"
"from:kvraudio.com"
"from:letterboxd.com"
"from:linkedin.com"
"from:magix.net"
"from:mailings.gmx.net"
"from:mailings.web.de"
"from:matrix.org"
"from:menospese.com"
"from:microsoftstoreemail.com"
"from:mixcloudmail.com AND subject:Weekly Update"
"from:oknotify2.com AND NOT subject:New message"
"from:paulaschoice.com"
"from:puppet.com"
"from:runtastic.com"
"from:samplemagic.com OR from:wavealchemy.co.uk OR from:creators.gumroad.com"
"from:ticketmaster.de"
"from:trade4less.de"
"from:tumblr.com"
"from:turners.co.nz"
"from:twitch.tv"
"from:vstbuzz.com"
];
filters = [
{
query = "from:hv-geelen.de";
tags = [ "+wohnung" ];
}
{
query = "from:computerfutures.com OR from:computerfutures.de";
tags = [ "+jobs" "-inbox" ];
}
{
query = "from:seek.com.au or from:seek.co.nz";
tags = [ "+jobs" ];
}
{
query = "from:xing.com";
tags = [ "+jobs" "-inbox" ];
}
{
query = "from:no-reply@backtrace.io OR to:sononym@noreply.github.com";
tags = [ "+sononym" "-inbox" ];
}
{
query = "from:ebay.com OR from:ebay.de OR from:ebay.net";
tags = [ "+ebay" "+shop" "+billing" ];
}
{
query = "from:bahn.de";
tags = [ "+billing" "+bahn" ];
}
{
query =
"from:fysitech.atlassian.net OR to:engiadina-pwa@noreply.github.com";
tags = [ "+mia" "+work" "-unread" "-inbox" ];
}
{
query =
"from:space-left.org OR to:space-left.org OR subject:/\\[space-left\\]/";
tags = [ "+spaceleft" "+space-left" ];
}
{
query = "from:landr.com";
tags = [ "+landr" "+music" ];
}
{
query = "tag:landr and tag:billing";
tags = [ "+billing" ];
}
{
query = "from:oknotify2.com";
tags = [ "+okcupid" ];
}
{
query = "from:taxback.de OR to:taxback.de";
tags = [ "+steuer" ];
}
{
query = "from:campact.de";
tags = [ "+campact" "+politics" ];
}
{
query = "from:aliexpress.com";
tags = [ "+shop" "+aliexpress" ];
}
{
query = "from:congstar.de";
tags = [ "+billing" "+congstar" "-inbox" "-unread" ];
}
{
query =
"from:steampowered.com AND NOT ( subject:purchase OR subject:received )";
tags = [ "-inbox" "-unread" ];
}
{
query =
"from:steampowered.com AND ( subject:purchase OR subject:received )";
tags = [ "+billing" "+steam" ];
}
{
query = "from:gog.com AND NOT subject:Bestellung";
tags = [ "-inbox" "-unread" ];
}
{
query = "from:gog.com AND subject:Bestellung";
tags = [ "+billing" "+gog" ];
}
{
query = "from:stadtmobil.de";
tags = [ "+billing" "+stadtmobil" "-inbox" "-unread" ];
}
{
query = "from:drive-now.com";
tags = [ "+billing" "+drivenow" "-inbox" "-unread" ];
}
{
query = "from:data-treuhand.de";
tags = [ "+mindcurv" "+work" "-inbox" "-unread" "-junk" ];
}
{
query = "from:immocation.de";
tags = [ "+immobilien" "-inbox" ];
}
{
query = "from:tinc-vpn.org";
tags = [ "+tinc" ];
}
{
query = "from:mindfactory.de";
tags = [ "+shop" "+billing" ];
}
{
query = "from:zalando.de";
tags = [ "+shop" "+billing" "+zalando" ];
}
{
query = "from:ing.de";
tags = [ "+bank" "+ingdiba" ];
}
{
query = "from:nab.com.au";
tags = [ "+bank" "+nab" "-inbox" "-unread" ];
}
{
query = "from:dkb.de";
tags = [ "+bank" "+dkb" ];
}
{
query = "from:o2online.de";
tags = [ "+billing" "+o2" ];
}
{
query = "from:betfair.com";
tags = [ "+work" "+betfair" ];
}
{
query = "from:notifications@github.com";
tags = [ "+github" ];
}
{
query = "to:NUR@noreply.github.com";
tags = [ "+nur" "+nixos" "+list" ];
}
{
query = "to:nixpkgs@noreply.github.com";
tags = [ "+nixpkgs" "+nixos" "+list" ];
}
{
query = "from:travis-ci.org AND subject:mrVanDalo/navi";
tags = [ "+development" "+navi" ];
}
{
query = "from:travis-ci.org AND subject:nur-packages";
tags = [ "+development" "+nixos" "+nur-packages" ];
}
{
query = "from:travis-ci.org AND subject:csv-to-qif";
tags = [ "+development" "+csv-to-qif" ];
}
{
query = "to:proaudio@lists.tuxfamily.org";
tags = [ "-inbox" "-unread" ];
}
{
query = "from:nixos1@discoursemail.com";
tags = [ "+nixos" "+discourse" "+list" ];
}
{
query = "from:nixos1@discoursemail.com AND subject:Development";
tags = [ "+nixos" "+discourse" "+development" ];
}
{
query = "from:nixos1@discoursemail.com AND subject:Français";
tags = [ "+nixos" "+discourse" "-inbox" "-unread" ];
}
{
query = "from:nixos1@discoursemail.com AND subject:Announcements";
tags = [ "+nixos" "+discourse" "+announcements" ];
}
{
query = "from:nixos1@discoursemail.com AND subject:Links";
tags = [ "+nixos" "+discourse" "+links" ];
}
{
query = "from:nixos1@discoursemail.com AND subject:Games";
tags = [ "+nixos" "+discourse" "+games" ];
}
{
query = "from:nixos1@discoursemail.com AND subject:Meta";
tags = [ "+nixos" "+discourse" "+meta" ];
}
{
query = "from:nixos1@discoursemail.com AND subject:Events";
tags = [ "+nixos" "+discourse" "+events" ];
}
{
query = "from:limebike.com AND (subject:Funds OR subject:Receipt)";
tags = [ "-inbox" "-unread" "+billing" "+limebike" ];
}
{
query = "from:freemusicarchive.org";
tags = [ "+FMA" ];
}
{
query = "from:namecheap.com and subject:auto-renewal";
tags = [ "+namecheap" "+billing" ];
}
{
query = "from:namecheap.com and subject:order";
tags = [ "+namecheap" "+billing" ];
}
{
query = "tag:namecheap.com and tag:billing and body:gaykraft.com";
tags = [ "+namecheap" "+billing" ];
}
{
query = "from:nintendo.com";
tags = [ "+nintendo" "+billing" ];
}
{
query = "from:oculus.com AND subject:receipt";
tags = [ "+oculus" "+billing" ];
}
{
query = "from:car2go.com";
tags = [ "-inbox" "-unread" ];
}
{
query = "from:sixt.de";
tags = [ "-inbox" "-unread" ];
}
{
query = "from:meetup.com";
tags = [ "-inbox" "-unread" "+meetup" ];
}
{
query = "from:slack.com";
tags = [ "+slack" ];
}
{
query = "from:keybase.io";
tags = [ "+keybase" ];
}
{
query = "from:jobs2web.com";
tags = [ "+newzealand" "+jobs" "-inbox" ];
}
{
query = "from:paypal.de AND subject:Bestätigung";
tags = [ "-unread" "+paypal" "+billing" ];
}
{
query = "to:c-base.org";
tags = [ "+cbase" "+list" ];
}
{
query = "to:c-base.org AND subject=[auto-report]";
tags = [ "-unread" "-inbox" ];
}
{
query = "from:browserstack.com";
tags = [ "+browserstack" ];
}
{
query =
"to:renoise@ingolf-wagner.de OR to:root@renoise.com OR from:renoise.com OR to:admin@renoise.com";
tags = [ "+renoise" ];
}
{
query = "from:amazon.de OR from:amazon.com AND NOT to:renoise.com";
tags = [ "+shop" "+amazon" "+billing" ];
}
{
query = "from:hetzner.com OR from:hetzner.de";
tags = [ "+hetzner" ];
}
{
query =
"to:renoise.com AND NOT ( from:renoise.com OR from:root OR from:hetzner.com OR from:hetzner.de OR from:amazon.com OR from:gmail.com )";
tags = [ "-inbox" "-unread" "+junk" "+renoise" ];
}
{
query = "tag:hetzner and subject:Invoice";
tags = [ "+billing" ];
}
# final rules to make imap sync stuff easier
# there can only be one output folder tag, and theses rules are prioritized
{
query = "tag:fraud";
tags = [ "-inbox" "-archive" "-junk" "-unread" ];
message = "clean up tag fraud";
}
{
query = "tag:junk";
tags = [ "-inbox" "-archive" "-fraud" "-unread" ];
message = "clean up tag junk";
}
{
query = "tag:archive";
tags = [ "-inbox" "-junk" "-fraud" "-unread" ];
message = "clean up tag archive";
}
{
query = "tag:inbox";
tags = [ "-archive" "-junk" "-fraud" ];
message = "clean up inbox";
}
{
query = "tag:killed";
tags = [ "-inbox" "-unread" ];
message = "clean up tag killed";
}
{
query = "tag:muted";
tags = [ "-inbox" "-unread" ];
}
# remove new tag at the end
{
query = "tag:new";
tags = [ "-new" ];
message = "remove new tag at the end";
}
];
notmuchTagging =
let
template = index:
{ tags, query, message ? "generic", ... }:
let
command = ''
${pkgs.notmuch}/bin/notmuch tag ${lib.concatStringsSep " " tags} -- "${query}"
'';
in
''
echo '${command}'
${command}
'';
junk_template = index: query:
template index {
tags = [ "+junk" "-unread" "-inbox" ];
query = query;
message = "generic junk filter";
};
in
pkgs.writers.writeBash "notmuch-tagging" (lib.concatStringsSep "\n"
((lib.imap0 junk_template junk_filter) ++ (lib.imap0 template filters)));
notmuchTaggingNew =
let
template = index:
{ tags, query, message ? "generic", ... }:
let
command = ''
${pkgs.notmuch}/bin/notmuch tag ${
lib.concatStringsSep " " tags
} -- "${query} AND tag:new"
'';
in
''
echo '${command}'
${command}
'';
junk_template = index: query:
template index {
tags = [ "+junk" "-unread" "-inbox" ];
query = query;
message = "generic junk filter";
};
in
pkgs.writers.writeBash "notmuch-tagging-new" (lib.concatStringsSep "\n"
((lib.imap0 junk_template junk_filter) ++ (lib.imap0 template filters)));
in
{
backup.dirs = [ "/home/mailfetcher" ];
users.users.mailUser = {
isNormalUser = true;
description = "collects mails for me";
hashedPassword = "!";
name = "mailfetcher";
home = "/home/mailfetcher";
openssh.authorizedKeys.keyFiles =
config.users.users.root.openssh.authorizedKeys.keyFiles;
group = "mailfetcher";
};
users.groups.mailUser = {
name = "mailfetcher";
};
sops.secrets.mail_terranix = {
owner = config.users.users.mailUser.name;
group = config.users.users.mailUser.group;
};
sops.secrets.mail_gmail = {
owner = config.users.users.mailUser.name;
group = config.users.users.mailUser.group;
};
sops.secrets.mail_gmx_palo = {
owner = config.users.users.mailUser.name;
group = config.users.users.mailUser.group;
};
sops.secrets.mail_gmx_ingolf = {
owner = config.users.users.mailUser.name;
group = config.users.users.mailUser.group;
};
sops.secrets.mail_web = {
owner = config.users.users.mailUser.name;
group = config.users.users.mailUser.group;
};
sops.secrets.mail_siteground = {
owner = config.users.users.mailUser.name;
group = config.users.users.mailUser.group;
};
environment.systemPackages = [ pkgs.muchsync ];
# configure accounts
home-manager.users.mailUser.accounts.email = {
accounts = {
palo_van_dalo-gmx = {
primary = false;
address = "palo_van_dalo@gmx.de";
aliases = [ ];
realName = "Ingolf Wagner";
userName = "palo_van_dalo@gmx.de";
passwordCommand =
"cat ${toString config.sops.secrets.mail_gmx_palo.path }";
imap = {
host = "imap.gmx.net";
tls.enable = true;
port = 993;
};
mbsync = {
enable = true;
create = "both";
};
notmuch.enable = true;
};
ingolf-wagner-gmx = {
primary = false;
address = "ingolf.wagner@gmx.de";
aliases = [ ];
realName = "Ingolf Wagner";
userName = "ingolf.wagner@gmx.de";
passwordCommand =
"cat ${toString config.sops.secrets.mail_gmx_ingolf.path }";
imap = {
host = "imap.gmx.net";
tls.enable = true;
port = 993;
};
mbsync = {
enable = true;
create = "both";
};
notmuch.enable = true;
};
pali_palo = {
primary = false;
address = "pali_palo@web.de";
aliases = [ ];
realName = "Ingolf Wagner";
userName = "pali_palo@web.de";
passwordCommand =
"cat ${toString config.sops.secrets.mail_web.path }";
imap = {
host = "imap.web.de";
tls.enable = true;
port = 993;
};
mbsync = {
enable = true;
create = "both";
};
notmuch.enable = true;
};
gmail = {
# for google accounts you have to allow 'less secure apps' in accounts.google.com
primary = true;
address = "palipalo9@googlemail.com";
aliases = [ ];
realName = "Ingolf Wagner";
userName = "palipalo9@googlemail.com";
passwordCommand =
"cat ${toString config.sops.secrets.mail_gmail.path }";
imap = {
host = "imap.gmail.com";
tls.enable = true;
port = 993;
};
mbsync = {
enable = true;
create = "both";
};
notmuch.enable = true;
};
terranix_org = {
primary = false;
address = "palo@terranix.org";
aliases = [ ];
realName = "Ingolf Wagner";
userName = "palo@terranix.org";
passwordCommand = "cat ${toString config.sops.secrets.mail_terranix.path }";
imap = {
host = "mail.privateemail.com";
tls.enable = true;
port = 993;
};
mbsync = {
enable = true;
create = "both";
};
notmuch.enable = true;
};
ingolf-wagner-de = {
primary = false;
address = "contact@ingolf-wagner.de";
aliases = [ ];
realName = "Ingolf Wagner";
userName = "contact@ingolf-wagner.de";
passwordCommand =
"cat ${toString config.sops.secrets.mail_siteground.path }";
imap = {
host = "securees5.sgcpanel.com";
port = 993;
tls.enable = true;
#tls.useStartTls = true;
};
# make sure the upstream mail is deleted
getmail = {
enable = true;
delete = true;
readAll = false;
mailboxes = [ "ALL" ];
};
notmuch.enable = true;
};
};
};
# configure mbsync
home-manager.users.mailUser.programs.mbsync.enable = true;
# re-tag everything once a day
systemd.services.retagmail = {
enable = false;
serviceConfig = { User = config.users.users.mailUser.name; };
environment.NOTMUCH_CONFIG =
"${config.users.users.mailUser.home}/.config/notmuch/notmuchrc";
script = "${notmuchTagging}";
};
systemd.timers.retagmail = {
enable = false;
timerConfig = {
OnCalendar = "daily";
Persistent = "true";
};
wantedBy = [ "multi-user.target" ];
};
# fetch mails every 10 minutes
systemd.services.fetchmail =
let
threadTag = tag: ''
echo "tag threads with ${tag}"
${pkgs.notmuch}/bin/notmuch tag +${tag} $(${pkgs.notmuch}/bin/notmuch search --output=threads tag:${tag})
'';
in
{
enable = false;
serviceConfig = { User = config.users.users.mailUser.name; };
environment.NOTMUCH_CONFIG =
"${config.users.users.mailUser.home}/.config/notmuch/notmuchrc";
script = ''
echo "run mbsync"
${pkgs.isync}/bin/mbsync \
--all
echo "run getmail"
${pkgs.getmail}/bin/getmail \
--quiet \
--rcfile getmailingolf-wagner-de
echo "run notmuch"
${pkgs.notmuch}/bin/notmuch new
${notmuchTaggingNew}
${threadTag "muted"}
${threadTag "wohnung"}
${threadTag "flagged"}
'';
};
systemd.timers.fetchmail = {
enable = false;
# timerConfig.OnCalendar = " *-*-* *:00:00";
timerConfig.OnCalendar = "*:0/10";
wantedBy = [ "multi-user.target" ];
};
# configure notmuch
home-manager.users.mailUser.programs.notmuch = {
enable = true;
new.tags = [ "unread" "inbox" "new" ];
};
}

24
nixos/configs/workhorse/metabase.nix Normal file
View file

@ -0,0 +1,24 @@
/{ pkgs, lib, config, ... }: {
services.metabase = {
listen.port = 3040;
enable = true;
};
backup.dirs = [ "/var/lib/metabase" ];
services.nginx = {
enable = true;
statusPage = true;
virtualHosts = {
"metabase.${config.networking.hostName}.private" = {
locations."/" = {
proxyPass = "http://${config.networking.hostName}.private:${
toString config.services.metabase.listen.port
}";
};
};
};
};
}

52
nixos/configs/workhorse/mining.nix Normal file
View file

@ -0,0 +1,52 @@
{ pkgs, config, ... }:
let
maxPower = 90;
pool = "eu1.ethermine.org";
toolkit = "opencl";
wallet = "";
rig = config.networking.hostName;
recheckInterval = 2000;
package = pkgs.ethminer;
in
{
systemd.services.ethminer = {
description = "ethminer ethereum mining service";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
DynamicUser = true;
ExecStartPre = "${package}/bin/.ethminer-wrapped --list-devices";
Restart = "always";
};
script = ''
${package}/bin/.ethminer-wrapped \
--farm-recheck ${toString recheckInterval} \
--report-hashrate \
--${toolkit} \
--pool stratum1+tcp://${wallet}.${rig}@${pool}:4444
'';
};
# https://wiki.archlinux.org/title/GPGPU#Intel
hardware.opengl = {
enable = true;
extraPackages = with pkgs; [ intel-ocl intel-compute-runtime beignet ];
driSupport = true;
driSupport32Bit = true;
};
environment.systemPackages = with pkgs; [
package
# go-ethereum
go-ethereum
# to check opencl config
clinfo
# check temperature
i7z
];
}

20
nixos/configs/workhorse/mysql.nix Normal file
View file

@ -0,0 +1,20 @@
{ pkgs, lib, config, ... }: {
services.mysql = {
enable = true;
package = pkgs.mysql80;
initialScript = pkgs.writeText "initScript" ''
CREATE USER 'admin'@'%' IDENTIFIED BY 'admin';
GRANT ALL PRIVILEGES ON * . * TO 'admin'@'%';
'';
};
services.mysqlBackup = {
enable = true;
databases = [ "property" ];
#user = "admin";
};
backup.dirs = [ config.services.mysqlBackup.location ];
}

362
nixos/configs/workhorse/nextcloud.nix Normal file
View file

@ -0,0 +1,362 @@
{ pkgs, config, ... }:
let
hostAddress = "192.168.100.10";
containerAddress = "192.168.100.11";
#syncthingGid = config.users.groups.syncthing.gid;
nextcloudUid = 1000;
in
{
sops.secrets.nextcloud_database_password = {
owner = "nextcloud";
};
sops.secrets.nextcloud_root_password = {
owner = "nextcloud";
};
users.users.nextcloud = {
isSystemUser = true;
uid = nextcloudUid;
};
containers.nextcloud = {
# mount host folders
bindMounts = {
rootpassword = {
hostPath =
"/run/secrets/nextcloud_root_password";
#toString <secrets/nextcloud/root_password>;
mountPoint =
"/run/secrets/nextcloud_root_password";
#toString <secrets/nextcloud/root_password>;
isReadOnly = true;
};
databasepassword = {
hostPath =
"/run/secrets/nextcloud_database_password";
#toString <secrets/nextcloud/database_password>;
mountPoint =
"/run/secrets/nextcloud_database_password";
#toString <secrets/nextcloud/database_password>;
isReadOnly = true;
};
home = {
# make sure this folder exist on the host
hostPath = toString "/home/nextcloud";
mountPoint = "/var/lib/nextcloud";
isReadOnly = false;
};
db = {
# make sure this folder exist on the host
hostPath = toString "/home/nextcloud_db";
mountPoint = "/var/lib/mysql";
isReadOnly = false;
};
samples = {
mountPoint =
toString config.services.syncthing.declarative.folders.samples.path;
hostPath =
toString config.services.syncthing.declarative.folders.samples.path;
isReadOnly = true;
};
movies = {
mountPoint =
toString config.services.syncthing.declarative.folders.movies.path;
hostPath =
toString config.services.syncthing.declarative.folders.movies.path;
isReadOnly = true;
};
music = {
mountPoint = toString
config.services.syncthing.declarative.folders.music-library.path;
hostPath = toString
config.services.syncthing.declarative.folders.music-library.path;
isReadOnly = true;
};
series = {
mountPoint =
toString config.services.syncthing.declarative.folders.series.path;
hostPath =
toString config.services.syncthing.declarative.folders.series.path;
isReadOnly = true;
};
};
# container network setup
# see also nating on host system.
privateNetwork = true;
hostAddress = hostAddress;
localAddress = containerAddress;
autoStart = true;
config = { config, pkgs, lib, ... }: {
users.users.nextcloud.uid = nextcloudUid;
services.nginx = {
# Use recommended settings
recommendedGzipSettings = lib.mkDefault true;
recommendedOptimisation = lib.mkDefault true;
recommendedProxySettings = lib.mkDefault true;
recommendedTlsSettings = lib.mkDefault true;
# for graylog logging
commonHttpConfig =
let
access_log_sink = "${hostAddress}:12304";
error_log_sink = "${hostAddress}:12305";
in
''
log_format graylog2_json escape=json '{ "timestamp": "$time_iso8601", '
'"facility": "nginx", '
'"src_addr": "$remote_addr", '
'"body_bytes_sent": $body_bytes_sent, '
'"request_time": $request_time, '
'"response_status": $status, '
'"request": "$request", '
'"request_method": "$request_method", '
'"host": "$host",'
'"upstream_cache_status": "$upstream_cache_status",'
'"upstream_addr": "$upstream_addr",'
'"http_x_forwarded_for": "$http_x_forwarded_for",'
'"http_referrer": "$http_referer", '
'"http_user_agent": "$http_user_agent" }';
access_log syslog:server=${access_log_sink} graylog2_json;
error_log syslog:server=${error_log_sink};
'';
};
# don't forget the database backup before doing this
# https://docs.nextcloud.com/server/stable/admin_manual/maintenance/backup.html
# https://docs.nextcloud.com/server/stable/admin_manual/maintenance/upgrade.html
# use snapshots in case of a rollback
#nixpkgs.config.packageOverrides = super: {
# nextcloud = super.nextcloud.overrideAttrs (old: rec {
# name = "nextcloud-${version}";
# version = "18.0.1";
# src = super.fetchurl {
# url =
# "https://download.nextcloud.com/server/releases/nextcloud-18.0.1.tar.bz2";
# sha256 = "1h0rxpdssn1hc65k41zbvww9r4f79vbd9bixc9ri5n7hp0say3vp";
# };
# });
#};
networking.firewall.allowedTCPPorts = [ 80 ];
networking.firewall.allowedUDPPorts = [ 80 ];
# nextcloud database
# ==================
#
# set user password:
# -----------------
# #> mysql
# mysql> ALTER USER 'nextcloud'@'localhost' IDENTIFIED BY 'nextcloud-password';
#
# recreate database:
# ------------------
# mysql> DROP DATABASE nextcloud;
# mysql> CREATE DATABASE nextcloud;
#
# migration:
# ----------
# nextcloud-occ db:convert-type --all-apps mysql nextcloud 127.0.0.1 nextcloud
#
# 4-byte stuff:
# -------------
# https://docs.nextcloud.com/server/18/admin_manual/configuration_database/mysql_4byte_support.html
# if you do this don't forget --default-character-set=utf8mb4 for mysqldump
services.mysql = {
enable = true;
package = pkgs.mysql;
# https://nixos.org/manual/nixos/stable/release-notes.html#sec-release-20.09-incompatibilities
ensureDatabases = [ "nextcloud" ];
ensureUsers = [{
name = "nextcloud";
ensurePermissions = { "nextcloud.*" = "ALL PRIVILEGES"; };
}];
settings.mysqld = {
innodb_large_prefix = true;
innodb_file_format = "barracuda";
innodb_file_per_table = 1;
};
};
# Backup database
# ---------------
services.mysqlBackup = {
enable = true;
databases = config.services.mysql.ensureDatabases;
singleTransaction = true;
location = "/var/lib/nextcloud/database_backups";
};
systemd.services."mysql-backup".serviceConfig = {
ExecStartPre =
[ "+/run/current-system/sw/bin/nextcloud-occ maintenance:mode --on" ];
ExecStopPost = [
"+/run/current-system/sw/bin/nextcloud-occ maintenance:mode --off"
];
};
# in php
services.phpfpm.phpPackage = pkgs.php73;
# nextcloud setup
services.nextcloud = {
enable = true;
package = pkgs.nextcloud22;
#package = pkgs.nextcloud.overrideAttrs (old: rec {
# name = "nextcloud-${version}";
# version = "18.0.1";
# src = pkgs.fetchurl {
# url =
# "https://download.nextcloud.com/server/releases/nextcloud-18.0.1.tar.bz2";
# sha256 = "1h0rxpdssn1hc65k41zbvww9r4f79vbd9bixc9ri5n7hp0say3vp";
# };
#});
autoUpdateApps.enable = true;
#nginx.enable = true;
hostName = "nextcloud.ingolf-wagner.de";
logLevel = 2;
https = true;
config = {
adminpassFile =
#config.sops.secrets.nextcloud_root_password.path;
"/run/secrets/nextcloud_root_password";
overwriteProtocol = "https";
trustedProxies = [ "195.201.134.247" hostAddress ];
dbtype = "mysql";
dbpassFile =
#config.sops.secrets.nextcloud_database_password.path;
"/run/secrets/nextcloud_database_password";
dbport = 3306;
};
};
#sops.secrets.nextcloud_database_password = {};
#sops.secrets.nextcloud_root_password = {};
environment.systemPackages = [ pkgs.smbclient ];
services.journalbeat = {
enable = true;
extraConfig = ''
journalbeat.inputs:
- paths: []
# Position to start reading from journal. Valid values: head, tail, cursor
seek: cursor
# Fallback position if no cursor data is available.
cursor_seek_fallback: tail
output.logstash:
# Boolean flag to enable or disable the output module.
enabled: true
# Graylog host and the beats input
hosts: ["${hostAddress}:5044"]
# If enabled only a subset of events in a batch of events is transferred per
# transaction. The number of events to be sent increases up to `bulk_max_size`
# if no error is encountered.
slow_start: true
# The number of seconds to wait before trying to reconnect to Graylog
# after a network error. After waiting backoff.init seconds, the Beat
# tries to reconnect. If the attempt fails, the backoff timer is increased
# exponentially up to backoff.max. After a successful connection, the backoff
# timer is reset. The default is 1s.
backoff.init: 1s
# The maximum number of seconds to wait before attempting to connect to
# Graylog after a network error. The default is 60s.
backoff.max: 60s
'';
};
};
};
# give containers internet access
networking.nat.enable = true;
networking.nat.internalInterfaces = [ "ve-nextcloud" ];
networking.nat.externalInterface = "enp2s0f1";
# don't let networkmanager manger container network
networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];
# open ports for logging
networking.firewall.interfaces."ve-nextcloud".allowedTCPPorts =
[ 5044 12304 12305 ];
networking.firewall.interfaces."ve-nextcloud".allowedUDPPorts =
[ 5044 12304 12305 ];
# host nginx setup
services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts = {
"nextcloud.workhorse.private" = {
serverAliases = [ "nextcloud.ingolf-wagner.de" ];
locations."/" = {
proxyPass = "http://${containerAddress}";
extraConfig = ''
# allow big uploads
# -----------------
client_max_body_size 0;
'';
};
};
};
};
# Backup Config
# -------------
backup.dirs = [
"/home/nextcloud/config"
"/home/nextcloud/database_backups" # created by mysqlBackup
];
# Backup Files
# ------------
services.borgbackup.jobs = {
"nextcloud-to-media" = {
repo = "/media/syncthing/borg/nextcloud";
# make sure syncthing is capable of reading the files
postHook = ''
chown -R syncthing:syncthing /media/syncthing/borg/nextcloud
'';
compression = "lz4";
paths = [
"/home/nextcloud/data/tina/files/Documents"
"/home/nextcloud/data/tina/files/Pictures"
"/home/nextcloud/data/tina/files/Joplin"
"/home/nextcloud/data/tina/files/SofortUpload"
"/home/nextcloud/data/palo/files/InstantUpload"
"/home/nextcloud/data/palo/files/Joplin"
"/home/nextcloud/data/palo/files/Pictures"
"/home/nextcloud/data/palo/files/Unterlagen"
"/home/nextcloud/data/palo/files/Video"
"/home/nextcloud/data/palo-windows/files/Kunstbuch"
];
doInit = true;
encryption = {
mode = "repokey-blake2";
passCommand =
"cat ${config.sops.secrets.backup_repository_passphrase.path}";
};
startAt = "0/3:00:00";
prune.keep = {
within = "2d"; # Keep all backups in the last 10 days.
daily = 10; # Keep 10 additional end of day archives
weekly = 8; # Keep 8 additional end of week archives.
month = 8; # Keep 8 additional end of month archives.
};
};
};
}

1
nixos/configs/workhorse/packages.nix Normal file
View file

@ -0,0 +1 @@
{ config, pkgs, ... }: { environment.systemPackages = with pkgs; [ ]; }

106
nixos/configs/workhorse/prometheus.nix Normal file
View file

@ -0,0 +1,106 @@
{ config, pkgs, lib, ... }: {
services.nginx = {
enable = true;
statusPage = true;
virtualHosts = {
"prometheus.workhorse.private" = {
locations."/" = { proxyPass = "http://workhorse.private:9090"; };
};
};
};
services.prometheus = {
enable = true;
# keep data for 30 days
extraFlags = [ "--storage.tsdb.retention.time=30d" ];
scrapeConfigs = [
{
job_name = "nginx";
scrape_interval = "8s";
static_configs = [
{
targets = [ "sputnik.private:9113" ];
labels = {
service = "nginx";
server = "sputnik";
};
}
{
targets = [ "sputnik.private:9113" ];
labels = {
service = "nginx";
server = "sputnik";
};
}
{
targets = [ "workhorse.private:9113" ];
labels = {
service = "nginx";
server = "sputnik";
};
}
];
}
{
job_name = "netdata";
metrics_path = "/api/v1/allmetrics";
params.format = [ "prometheus" ];
scrape_interval = "5s";
static_configs = [
{
targets = [ "pepe.private:19999" ];
labels = {
service = "netdata";
server = "pepe";
};
}
{
targets = [ "sputnik.private:19999" ];
labels = {
service = "netdata";
server = "sputnik";
};
}
{
targets = [ "workhorse.private:19999" ];
labels = {
service = "netdata";
server = "workhorse";
};
}
];
}
{
job_name = "gogs";
metrics_path = "/-/metrics";
params.format = [ "prometheus" ];
scrape_interval = "10s";
static_configs = [{
targets = [ "workhorse.private:3000" ];
labels = {
service = "gogs";
server = "kruck";
};
}];
}
#{
# job_name = "home-assistant";
# scrape_interval = "60s";
# metrics_path = "/api/prometheus";
# # you can create this token on your user profile page
# # http://pepe.private:8123/profile
# bearer_token =
# lib.fileContents <secrets/prometheus/home-assistant/api_token>;
# static_configs = [{
# targets = [ "pepe.private:8123" ];
# labels = {
# service = "hass";
# server = "pepe";
# city = "essen";
# };
# }];
#}
];
};
}

43
nixos/configs/workhorse/property.nix Normal file
View file

@ -0,0 +1,43 @@
{ lib, pkgs, config, ... }: {
users.users.property = { isSystemUser = true; };
systemd.services.property = {
enable = true;
wantedBy = [ "multi-user.target" ];
path = [
(pkgs.python3.withPackages (ps:
with ps; [
flask
selenium
beautifulsoup4
urllib3
sqlalchemy
mysqlclient
pytest
dateparser
geopy
nltk
click
]))
];
serviceConfig = { User = "property"; };
script = ''
FLASK_APP=${<property>}/server.py \
FLASK_RUN_PORT=7888 \
flask run --host 0.0.0.0 \
"$@"
'';
};
services.nginx = {
enable = true;
virtualHosts = {
"property.workhorse.private" = {
locations."/" = { proxyPass = "http://localhost:7888"; };
};
};
};
}

140
nixos/configs/workhorse/syncthing.nix Normal file
View file

@ -0,0 +1,140 @@
{ config, pkgs, lib, ... }: {
custom.samba-share = {
enable = true;
folders = {
movies = config.services.syncthing.declarative.folders.movies.path;
series = config.services.syncthing.declarative.folders.series.path;
samples = config.services.syncthing.declarative.folders.samples.path;
music = config.services.syncthing.declarative.folders.music-library.path;
books = config.services.syncthing.declarative.folders.books.path;
};
};
sops.secrets.syncthing_cert = { };
sops.secrets.syncthing_key = { };
services.syncthing = {
enable = true;
openDefaultPorts = false;
dataDir = "/home/syncthing";
configDir = "/home/syncthing";
declarative = {
cert = toString config.sops.secrets.syncthing_cert.path;
key = toString config.sops.secrets.syncthing_key.path;
overrideFolders = true;
folders = {
# on encrypted hard drive
# -----------------------
private = {
enable = true;
path = "/home/syncthing/private";
};
desktop = {
enable = true;
path = "/home/syncthing/desktop";
};
finance = {
enable = true;
path = "/home/syncthing/finance";
};
fotos = {
enable = true;
path = "/home/syncthing/fotos";
};
lost-fotos = {
enable = true;
path = "/home/syncthing/lost-fotos.ct";
};
zettlr = {
enable = true;
path = "/home/syncthing/zettlr";
};
# on media hard drive (not encrypted)
# -----------------------------------
borg-mirror = {
enable = true;
path = "/media/syncthing/borg";
rescanInterval = 36 * 3600;
type = "sendonly";
};
video-material = {
enable = true;
path = "/home/syncthing/video-material";
};
music-library-free = {
enable = true;
path = "/media/syncthing/music-library-free";
rescanInterval = 8 * 3600;
};
books = {
enable = true;
path = "/media/syncthing/books";
rescanInterval = 8 * 3600;
};
samples = {
enable = true;
path = "/media/syncthing/samples";
rescanInterval = 8 * 3600;
};
movies = {
enable = true;
path = "/media/syncthing/movies";
rescanInterval = 8 * 3600;
};
# todo : no need to place it on encrypted drive
music-projects = {
enable = true;
path = "/home/syncthing/music-projects";
};
music-library = {
enable = true;
path = "/media/syncthing/music-library";
rescanInterval = 8 * 3600;
};
series = {
enable = true;
path = "/media/syncthing/series";
rescanInterval = 8 * 3600;
};
smartphone-folder = {
enable = true;
path = "/media/syncthing/smartphone-folder";
rescanInterval = 8 * 3600;
};
processing = {
enable = true;
path = "/media/syncthing/sketchbook";
rescanInterval = 8 * 3600;
};
};
};
};
system.permown."/home/syncthing" = {
owner = "syncthing";
group = "syncthing";
umask = "0022";
};
system.permown."/media/syncthing" = {
owner = "syncthing";
group = "syncthing";
umask = "0022";
};
systemd.services."permown._media_syncthing" = {
bindsTo = [ "media.mount" ];
after = [ "media.mount" ];
};
systemd.services."syncthing" = {
bindsTo = [ "media.mount" ];
after = [ "media.mount" ];
};
backup.dirs = [ "/home/syncthing/finance" ];
}

16
nixos/configs/workhorse/taskserver.nix Normal file
View file

@ -0,0 +1,16 @@
{ config, lib, pkgs, ... }: {
services.taskserver = {
enable = true;
fqdn = "taskd.ingolf-wagner.de";
listenHost = "0.0.0.0";
requestLimit = 104857600;
trust = "strict";
dataDir = "/var/lib/taskserver";
organisations."1337".users = [ "palo" "beta" ];
ciphers = "SECURE256";
};
backup.dirs = [ config.services.taskserver.dataDir ];
}

23
nixos/configs/workhorse/tinc.nix Normal file
View file

@ -0,0 +1,23 @@
{ config, lib, pkgs, ... }: {
module.cluster.services.tinc = {
"private" = {
enable = true;
openPort = true;
connectTo = [ "sputnik" ];
};
"retiolum" = {
enable = true;
openPort = true;
};
"secret" = {
enable = true;
openPort = true;
connectTo = [ "sputnik" ];
};
};
sops.secrets.tinc_retiolum_ed25519_key = { };
sops.secrets.tinc_retiolum_rsa_key = { };
}

285
nixos/configs/workhorse/transmission.nix Normal file
View file

@ -0,0 +1,285 @@
{ pkgs, config, ... }:
let
hostAddress = "192.168.100.30";
containerAddress = "192.168.100.31";
in
{
#users.users.transmission = {
# isSystemUser = true;
# uid = config.ids.uids.transmission;
#};
sops.secrets.nordvpn = { };
containers.torrent = {
# mount host folders
bindMounts = {
#password = {
# hostPath = "/run/secrets/transmission_password";
# mountPoint = "/run/secrets/transmission_password";
# isReadOnly = true;
#};
nordvpnPassword = {
hostPath = "/run/secrets/nordvpn";
mountPoint = "/run/secrets/nordvpn";
isReadOnly = true;
};
home = {
hostPath = "/home/torrent";
mountPoint = "/home/torrent";
isReadOnly = false;
};
media = {
hostPath = "/media";
mountPoint =
"/home/torrent/downloads/media"; # must be here otherwise transmission can't see the folder
isReadOnly = false;
};
lib = {
hostPath = "/home/torrent/.config";
mountPoint = "/var/lib/transmission/.config";
isReadOnly = false;
};
};
# container network setup
# see also nating on host system.
privateNetwork = true;
hostAddress = hostAddress;
localAddress = containerAddress;
autoStart = true;
# needed for openvpn
enableTun = true;
config = { config, pkgs, lib, ... }: {
services.journalbeat = {
enable = true;
extraConfig = ''
journalbeat.inputs:
- paths: []
# Position to start reading from journal. Valid values: head, tail, cursor
seek: cursor
# Fallback position if no cursor data is available.
cursor_seek_fallback: tail
output.logstash:
# Boolean flag to enable or disable the output module.
enabled: true
# Graylog host and the beats input
hosts: ["${hostAddress}:5044"]
# If enabled only a subset of events in a batch of events is transferred per
# transaction. The number of events to be sent increases up to `bulk_max_size`
# if no error is encountered.
slow_start: true
# The number of seconds to wait before trying to reconnect to Graylog
# after a network error. After waiting backoff.init seconds, the Beat
# tries to reconnect. If the attempt fails, the backoff timer is increased
# exponentially up to backoff.max. After a successful connection, the backoff
# timer is reset. The default is 1s.
backoff.init: 1s
# The maximum number of seconds to wait before attempting to connect to
# Graylog after a network error. The default is 60s.
backoff.max: 60s
'';
};
services.journald.extraConfig = "SystemMaxUse=1G";
services.transmission = {
enable = true;
settings = {
download-dir = "/home/torrent/downloads";
incomplete-dir = "/home/torrent/incomplete";
incomplete-dir-enabled = true;
message-level = 1;
umask = "002";
rpc-whitelist-enabled = false;
rpc-host-whitelist-enabled = false;
rpc-port = 9091;
rpc-enable = true;
rpc-bind-address = "0.0.0.0";
# "normal" speed limits
speed-limit-down-enabled = false;
speed-limit-down = 800;
speed-limit-up-enabled = true;
speed-limit-up = 50;
upload-slots-per-torrent = 8;
# Queuing
# When true, Transmission will only download
# download-queue-size non-stalled torrents at once.
download-queue-enabled = true;
download-queue-size = 3;
# When true, torrents that have not shared data for
# queue-stalled-minutes are treated as 'stalled'
# and are not counted against the queue-download-size
# and seed-queue-size limits.
queue-stalled-enabled = true;
queue-stalled-minutes = 60;
# When true. Transmission will only seed seed-queue-size
# non-stalled torrents at once.
seed-queue-enabled = false;
seed-queue-size = 10;
# Enable UPnP or NAT-PMP.
peer-port = 51413;
port-forwarding-enabled = false;
# Start torrents as soon as they are added
start-added-torrents = true;
# notify me when download finished
script-torrent-done-enabled = true;
#script-torrent-done-filename =
# (pkgs.writers.writeBash "torrent-finished" ''
# JSON_STRING=$( ${pkgs.jq}/bin/jq -n --arg torrent_name "$TR_TORRENT_NAME" \
# '{text: ":tada: finished : \($torrent_name)", channel: "torrent"}' )
# ${pkgs.curl}/bin/curl \
# --include \
# --request POST \
# --data-urlencode \
# "payload=$JSON_STRING" \
# <url>
# '');
};
};
networking.firewall = {
allowedTCPPorts = [ 51413 ];
allowedUDPPorts = [ 51413 ];
interfaces.eth0 = {
allowedTCPPorts = [ 9091 ];
allowedUDPPorts = [ 9091 ];
};
};
# bind transmission to openvpn
systemd.services.transmission = {
bindsTo = [ "openvpn-nordvpn.service" ];
after = [ "openvpn-nordvpn.service" ];
serviceConfig.Restart = "always";
};
services.openvpn.servers.nordvpn.updateResolvConf = true;
services.openvpn.servers.nordvpn.config = ''
client
dev tun
proto udp
remote 152.89.163.99 1194
dhcp-option DNS 8.8.8.8
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no
remote-cert-tls server
auth-user-pass /run/secrets/nordvpn
verb 3
pull
resolv-retry infinite
fast-io
cipher AES-256-CBC
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
MIIFCjCCAvKgAwIBAgIBATANBgkqhkiG9w0BAQ0FADA5MQswCQYDVQQGEwJQQTEQ
MA4GA1UEChMHTm9yZFZQTjEYMBYGA1UEAxMPTm9yZFZQTiBSb290IENBMB4XDTE2
MDEwMTAwMDAwMFoXDTM1MTIzMTIzNTk1OVowOTELMAkGA1UEBhMCUEExEDAOBgNV
BAoTB05vcmRWUE4xGDAWBgNVBAMTD05vcmRWUE4gUm9vdCBDQTCCAiIwDQYJKoZI
hvcNAQEBBQADggIPADCCAgoCggIBAMkr/BYhyo0F2upsIMXwC6QvkZps3NN2/eQF
kfQIS1gql0aejsKsEnmY0Kaon8uZCTXPsRH1gQNgg5D2gixdd1mJUvV3dE3y9FJr
XMoDkXdCGBodvKJyU6lcfEVF6/UxHcbBguZK9UtRHS9eJYm3rpL/5huQMCppX7kU
eQ8dpCwd3iKITqwd1ZudDqsWaU0vqzC2H55IyaZ/5/TnCk31Q1UP6BksbbuRcwOV
skEDsm6YoWDnn/IIzGOYnFJRzQH5jTz3j1QBvRIuQuBuvUkfhx1FEwhwZigrcxXu
MP+QgM54kezgziJUaZcOM2zF3lvrwMvXDMfNeIoJABv9ljw969xQ8czQCU5lMVmA
37ltv5Ec9U5hZuwk/9QO1Z+d/r6Jx0mlurS8gnCAKJgwa3kyZw6e4FZ8mYL4vpRR
hPdvRTWCMJkeB4yBHyhxUmTRgJHm6YR3D6hcFAc9cQcTEl/I60tMdz33G6m0O42s
Qt/+AR3YCY/RusWVBJB/qNS94EtNtj8iaebCQW1jHAhvGmFILVR9lzD0EzWKHkvy
WEjmUVRgCDd6Ne3eFRNS73gdv/C3l5boYySeu4exkEYVxVRn8DhCxs0MnkMHWFK6
MyzXCCn+JnWFDYPfDKHvpff/kLDobtPBf+Lbch5wQy9quY27xaj0XwLyjOltpiST
LWae/Q4vAgMBAAGjHTAbMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqG
SIb3DQEBDQUAA4ICAQC9fUL2sZPxIN2mD32VeNySTgZlCEdVmlq471o/bDMP4B8g
nQesFRtXY2ZCjs50Jm73B2LViL9qlREmI6vE5IC8IsRBJSV4ce1WYxyXro5rmVg/
k6a10rlsbK/eg//GHoJxDdXDOokLUSnxt7gk3QKpX6eCdh67p0PuWm/7WUJQxH2S
DxsT9vB/iZriTIEe/ILoOQF0Aqp7AgNCcLcLAmbxXQkXYCCSB35Vp06u+eTWjG0/
pyS5V14stGtw+fA0DJp5ZJV4eqJ5LqxMlYvEZ/qKTEdoCeaXv2QEmN6dVqjDoTAo
k0t5u4YRXzEVCfXAC3ocplNdtCA72wjFJcSbfif4BSC8bDACTXtnPC7nD0VndZLp
+RiNLeiENhk0oTC+UVdSc+n2nJOzkCK0vYu0Ads4JGIB7g8IB3z2t9ICmsWrgnhd
NdcOe15BincrGA8avQ1cWXsfIKEjbrnEuEk9b5jel6NfHtPKoHc9mDpRdNPISeVa
wDBM1mJChneHt59Nh8Gah74+TM1jBsw4fhJPvoc7Atcg740JErb904mZfkIEmojC
VPhBHVQ9LHBAdM8qFI2kRK0IynOmAZhexlP/aT/kpEsEPyaZQlnBn3An1CRz8h0S
PApL8PytggYKeQmRhl499+6jLxcZ2IegLfqq41dzIjwHwTMplg+1pKIOVojpWA==
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
e685bdaf659a25a200e2b9e39e51ff03
0fc72cf1ce07232bd8b2be5e6c670143
f51e937e670eee09d4f2ea5a6e4e6996
5db852c275351b86fc4ca892d78ae002
d6f70d029bd79c4d1c26cf14e9588033
cf639f8a74809f29f72b9d58f9b8f5fe
fc7938eade40e9fed6cb92184abb2cc1
0eb1a296df243b251df0643d53724cdb
5a92a1d6cb817804c4a9319b57d53be5
80815bcfcb2df55018cc83fc43bc7ff8
2d51f9b88364776ee9d12fc85cc7ea5b
9741c4f598c485316db066d52db4540e
212e1518a9bd4828219e24b20d88f598
a196c9de96012090e333519ae18d3509
9427e7b372d348d352dc4c85e18cd4b9
3f8a56ddb2e64eb67adfc9b337157ff4
-----END OpenVPN Static key V1-----
</tls-auth>
'';
};
};
# give containers internet access
networking.nat.enable = true;
networking.nat.internalInterfaces = [ "ve-torrent" ];
networking.nat.externalInterface = "enp2s0f1";
# open ports for logging
networking.firewall.interfaces."ve-torrent".allowedTCPPorts =
[ 5044 12304 12305 ];
networking.firewall.interfaces."ve-torrent".allowedUDPPorts =
[ 5044 12304 12305 ];
# host nginx setup
services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts = {
"transmission.workhorse.private" = {
locations."/" = { proxyPass = "http://${containerAddress}:9091"; };
};
};
};
}

38
nixos/configs/workhorse/weechat.nix Normal file
View file

@ -0,0 +1,38 @@
{ config, pkgs, lib, ... }:
# how to setup a relay
# * ssh on the maching
# * sudo -u weechat screen -r
# /set relay.network.password "mypassword"
# /relay add weechat 10000
{
# configure weechat
services.weechat = { enable = true; };
# configure bitlbee
services.bitlbee = {
enable = true;
libpurple_plugins = [
#pkgs.pidgin-otr
#pkgs.purple-facebook
#pkgs.purple-discord
#pkgs.purple-matrix
#pkgs.purple-hangouts
#pkgs.pidgin-latex
#pkgs.pidgin-opensteamworks
#pkgs.pidgin-skypeweb
pkgs.telegram-purple
#pkgs.purple-lurch
];
plugins =
[ pkgs.bitlbee-facebook pkgs.bitlbee-steam pkgs.bitlbee-mastodon ];
};
# otherwise xterm is the only thing that works
environment.systemPackages = [ pkgs.rxvt_unicode ];
backup.dirs = [ config.services.weechat.root ];
}

59
nixos/configs/workout/configuration.nix Normal file
View file

@ -0,0 +1,59 @@
{ lib, config, pkgs, ... }: {
imports = [
<system/desktop>
./hardware-configuration.nix
#./kibana.nix
./packages.nix
#./slack.nix
./syncthing.nix
./tinc.nix
./lan.nix
];
networking.hostName = "workout";
services.logind.lidSwitch = lib.mkForce "ignore";
security.wrappers = {
pmount.source = "${pkgs.pmount}/bin/pmount";
pumount.source = "${pkgs.pmount}/bin/pumount";
};
# nix-shell -p speedtest_cli --run speedtest
configuration.fireqos = {
enable = true;
interface = "wlp1s0";
input = 5000;
output = 1200;
balance = false;
};
programs.custom.steam.enable = true;
programs.custom.video.enable = true;
# font
# ----
programs.custom.urxvt.fontSize = 17;
programs.custom.xterm.fontSize = 17;
system.custom.fonts.dpi = 140;
services.printing.enable = true;
virtualisation = {
docker.enable = false;
virtualbox = {
host.enable = false;
guest.x11 = false;
guest.enable = false;
};
};
configuration.desktop = {
width = 2560;
height = 1440;
};
}

70
nixos/configs/workout/hardware-configuration.nix Normal file
View file

@ -0,0 +1,70 @@
{ config, lib, pkgs, ... }:
let mainUserHome = "/home/palo";
in {
# fix fileSystems.<name>.encrypted - false overwrite
# --------------------------------------------------
boot.initrd.luks.cryptoModules = [
"aes"
"aes_generic"
"blowfish"
"twofish"
"serpent"
"cbc"
"xts"
"lrw"
"sha1"
"sha256"
"sha512"
"aes_x86_64"
];
# todo : why should I use this here
boot.initrd.availableKernelModules =
[ "xhci_pci" "ahci" "usb_storage" "sd_mod" ];
boot.kernelModules = [ "kvm-intel" ];
nix.maxJobs = lib.mkDefault 8;
# lvm volume group
# ----------------
boot.initrd.luks.devices = {
vg = {
device = "/dev/sda2";
preLVM = true;
};
};
# NTFS support
# ------------
environment.systemPackages = [ pkgs.ntfs3g ];
# root
# ----
fileSystems."/" = {
options = [ "noatime" "nodiratime" "discard" ];
device = "/dev/vg/root";
fsType = "ext4";
};
# boot
# ----
fileSystems."/boot" = {
device = "/dev/sda1";
fsType = "ext4";
};
boot.loader.grub = {
device = "/dev/sda";
enable = true;
version = 2;
};
# home
# ----
fileSystems."/home" = {
options = [ "noatime" "nodiratime" "discard" ];
device = "/dev/vg/home";
fsType = "ext4";
};
}

26
nixos/configs/workout/kibana.nix Normal file
View file

@ -0,0 +1,26 @@
{ config, ... }: {
services.nginx = {
enable = true;
statusPage = true;
virtualHosts = {
"kibana.${config.networking.hostName}.private" = {
serverAliases = [ ];
locations."/" = {
proxyPass = "http://${config.networking.hostName}.private:${
toString config.services.kibana.port
}";
};
};
};
};
services.elasticsearch.enable = true;
services.elasticsearch.listenAddress =
"${config.networking.hostName}.private";
services.kibana.enable = true;
services.kibana.elasticsearch.hosts =
[ "http://${config.networking.hostName}.private:9200" ];
services.kibana.listenAddress = "${config.networking.hostName}.private";
services.kibana.port = 5601;
}

27
nixos/configs/workout/lan.nix Normal file
View file

@ -0,0 +1,27 @@
{ lib, pkgs, ... }:
let
interface = "eno1";
ipAddress = "10.1.0.1";
prefixLength = 24;
in
{
networking.extraHosts = ''
10.1.0.1 workout.lan
10.1.0.2 pepe.lan
'';
# todo only open needed ports
networking.firewall.trustedInterfaces = [ interface ];
networking.networkmanager.unmanaged = [ interface ];
networking.dhcpcd.denyInterfaces = [ interface ];
networking.interfaces."${interface}".ipv4.addresses = [{
address = ipAddress;
prefixLength = prefixLength;
}];
}

33
nixos/configs/workout/packages.nix Normal file
View file

@ -0,0 +1,33 @@
{ config, pkgs, ... }: {
# overlay included
nixpkgs.overlays = [ (import <mozilla-overlay/rust-overlay.nix>) ];
nixpkgs.config.packageOverrides = pkgs: {
nur = import
(builtins.fetchTarball
"https://github.com/nix-community/NUR/archive/master.tar.gz")
{
inherit pkgs;
};
};
environment.systemPackages = with pkgs; [
#bitwig-studio
sononym-crawler
# rust development environment
rustup
jetbrains.clion
# python
python3Full
jetbrains.pycharm-professional
jetbrains.datagrip
#nur.repos.mic92.nixos-shell
jetbrains.idea-ultimate
];
}

14
nixos/configs/workout/slack.nix Normal file
View file

@ -0,0 +1,14 @@
{ config, lib, pkgs, ... }: {
programs.custom.slack = {
enable = true;
homeBackup = "~/desktop/slack";
};
programs.custom.browser.configList.google-chrome = {
inherit (config.programs.custom.browser.configList.development)
home homeBackup user;
sudoUsers = [ "slack" ];
};
}

86
nixos/configs/workout/syncthing.nix Normal file
View file

@ -0,0 +1,86 @@
{ config, pkgs, lib, ... }: {
services.syncthing = {
enable = true;
openDefaultPorts = false;
user = "palo";
dataDir = "/home/palo/.syncthing";
configDir = "/home/palo/.syncthing";
declarative = {
cert = toString <secrets/syncthing/cert.pem>;
key = toString <secrets/syncthing/key.pem>;
overrideFolders = true;
folders = {
# on encrypted drive
# ------------------
desktop = {
enable = true;
path = "/home/palo/desktop";
};
finance = {
enable = true;
path = "/home/palo/finance";
};
lost-fotos = {
enable = true;
path = "/home/palo/.lost-fotos.ct";
};
fotos = {
enable = true;
path = "/home/palo/fotos";
};
programs = {
enable = true;
path = "/home/palo/programs";
};
# no need to be encrypted
# -----------------------
book = {
enable = true;
path = "/home/palo/books";
};
music-library-free = {
enable = true;
path = "/home/palo/music-library-free";
};
music-library = {
enable = true;
path = "/home/palo/music-library";
};
music-projects = {
enable = true;
path = "/home/palo/music-projects";
};
samples = {
enable = true;
path = "/home/palo/samples";
};
video-material = {
enable = true;
path = "/home/palo/video-material";
};
windows-sync = {
enable = true;
path = "/home/palo/windows-sync";
};
smartphone-folder = {
enable = true;
path = "/home/palo/smartphone-folder";
};
zettlr = {
enable = true;
path = "/home/palo/zettlr";
};
processing = {
enable = true;
path = "/home/palo/sketchbook";
};
};
};
};
}

14
nixos/configs/workout/tinc.nix Normal file
View file

@ -0,0 +1,14 @@
{ config, lib, pkgs, ... }: {
module.cluster.services.tinc = {
"private" = {
enable = true;
openPort = true;
connectTo = [ "sputnik" ];
};
"retiolum" = {
enable = true;
openPort = true;
};
};
}

1
nixos/system/desktop/home-manager/xmonad.nix
View file

@ -12,6 +12,7 @@ let
'' ''
module NixCommands where module NixCommands where
nixStartChat = "${pkgs.element-desktop}/bin/element-desktop"
nixStartAudacious = "${pkgs.audacious}/bin/audacious" nixStartAudacious = "${pkgs.audacious}/bin/audacious"
nixStartFlameshot = "${pkgs.flameshot}/bin/flameshot gui -p /share/" nixStartFlameshot = "${pkgs.flameshot}/bin/flameshot gui -p /share/"
nixInvertColors = "${pkgs.xcalib}/bin/xcalib -invert -alter" nixInvertColors = "${pkgs.xcalib}/bin/xcalib -invert -alter"

5
nixos/system/desktop/home-manager/xmonad/Main.hs
View file

@ -97,6 +97,11 @@ nonRemovableWorkspaces = myWorkspaces ++ autoSpawnWorkspaces
projects :: [Project] projects :: [Project]
projects = projects =
[ Project [ Project
{ projectName = "chat"
, projectDirectory = "~/"
, projectStartHook = Just $ spawn nixStartChat
}
, Project
{ projectName = "audio" { projectName = "audio"
, projectDirectory = "~/music-library" , projectDirectory = "~/music-library"
, projectStartHook = Just $ spawn nixStartAudacious , projectStartHook = Just $ spawn nixStartAudacious

1
submodules/property Submodule

@ -0,0 +1 @@
Subproject commit 8b2bb2d171b84489aed5dcfa0e93a701d6662054

1
system/desktop/home-manager/doom-emacs.nix Normal file
View file

@ -0,0 +1 @@