config/hosts/vno1-oh2/configuration.nix

{
  config,
  pkgs,
  myData,
  ...
}:
{
  zfs-root = {
    boot = {
      enable = true;
      devNodes = "/dev/disk/by-id/";
      bootDevices = [ "nvme-Samsung_SSD_970_EVO_Plus_2TB_S6P1NX0TA00913P" ];
      immutable = false;
      availableKernelModules = [
        "ahci"
        "xhci_pci"
        "nvme"
        "usbhid"
        "sdhci_pci"
        "r8169" # builtin non working
        "r8152" # startech usb-ethernet adapter
      ];
      removableEfi = true;
      kernelParams = [
        "ip=192.168.189.1::192.168.189.4:255.255.255.0:vno1-oh2.jakstys.lt:enp0s21f0u2:off"
      ];
    };
  };

  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];

  mj = {
    stateVersion = "23.05";
    timeZone = "Europe/Vilnius";
    username = "motiejus";

    base = {
      zfs.enable = true;
      users = {
        enable = true;
        root.hashedPasswordFile = config.age.secrets.root-passwd-hash.path;
        user.hashedPasswordFile = config.age.secrets.motiejus-passwd-hash.path;
      };

      snapshot = {
        enable = true;
        mountpoints = [
          "/home"
          "/var/lib"
          "/var/log"
        ];
      };

      zfsborg = {
        enable = true;
        passwordPath = config.age.secrets.borgbackup-password.path;
        sshKeyPath = "/etc/ssh/ssh_host_ed25519_key";
        dirs = [
          # TODO merge
          {
            mountpoint = "/var/lib";
            repo = "zh2769@zh2769.rsync.net:${config.networking.hostName}.${config.networking.domain}-var_lib";
            paths = [
              "tailscale"
              "private/soju"
            ];
            backup_at = "*-*-* 01:00:00 UTC";
            prune.keep = {
              within = "1d";
              daily = 1;
              weekly = 0;
              monthly = 0;
            };
          }
          {
            mountpoint = "/var/lib";
            repo = "borgstor@${
              myData.hosts."vno3-rp3b.servers.jakst".jakstIP
            }:${config.networking.hostName}.${config.networking.domain}-var_lib";
            paths = [
              "tailscale"
              "private/soju"
            ];
            backup_at = "*-*-* 01:00:00 UTC";
          }

        ];
      };

      unitstatus = {
        enable = true;
        email = "motiejus+alerts@jakstys.lt";
      };
    };

    services = {
      friendlyport.ports = [
        {
          subnets = [ myData.subnets.tailscale.cidr ];
          tcp = with myData.ports; [
            80
            443
            soju
            soju-ws
          ];
        }
      ];

      tailscale.enable = true;
      node_exporter.enable = true;
      sshguard.enable = true;

      nsd-acme =
        let
          accountKey = config.age.secrets.letsencrypt-account-key.path;
        in
        {
          enable = true;
          zones = {
            "irc.jakstys.lt".accountKey = accountKey;
            "hdd.jakstys.lt".accountKey = accountKey;
            "grafana.jakstys.lt".accountKey = accountKey;
            "bitwarden.jakstys.lt".accountKey = accountKey;
          };
        };

      deployerbot = {
        follower = {
          publicKeys = [ myData.hosts."fwminex.servers.jakst".publicKey ];

          enable = true;
          sshAllowSubnets = [ myData.subnets.tailscale.sshPattern ];
          uidgid = myData.uidgid.updaterbot-deployee;
        };
      };

      postfix = {
        enable = true;
        saslPasswdPath = config.age.secrets.sasl-passwd.path;
      };

      syncthing = {
        enable = true;
        dataDir = "/home/motiejus/";
        user = "motiejus";
        group = "users";
      };

      matrix-synapse = {
        enable = true;
        signingKeyPath = config.age.secrets.synapse-jakstys-signing-key.path;
        registrationSharedSecretPath = config.age.secrets.synapse-registration-shared-secret.path;
        macaroonSecretKeyPath = config.age.secrets.synapse-macaroon-secret-key.path;
      };

      remote-builder.client =
        let
          host = myData.hosts."fra1-b.servers.jakst";
        in
        {
          enable = true;
          inherit (host) system supportedFeatures;
          hostName = host.jakstIP;
          sshKey = "/etc/ssh/ssh_host_ed25519_key";
        };
    };
  };

  services = {

    nsd = {
      enable = true;
      interfaces = [
        "0.0.0.0"
        "::"
      ];
      zones = {
        "jakstys.lt.".data = myData.jakstysLTZone;
        "11sync.net.".data = myData.e11syncZone;
      };
    };

    soju = {
      enable = true;
      listen = [
        #"unix+admin://"
        ":${toString myData.ports.soju}"
        "wss://:${toString myData.ports.soju-ws}"
      ];
      tlsCertificate = "/run/soju/cert.pem";
      tlsCertificateKey = "/run/soju/key.pem";
      hostName = "irc.jakstys.lt";
      httpOrigins = [ "*" ];
      extraConfig = ''
        message-store fs /var/lib/soju
      '';
    };

    #syncthing.relay = {
    #  enable = true;
    #  providedBy = "11sync.net";
    #};
  };

  systemd.services = {
    soju =
      let
        acme = config.mj.services.nsd-acme.zones."irc.jakstys.lt";
      in
      {
        serviceConfig = {
          RuntimeDirectory = "soju";
          LoadCredential = [
            "irc.jakstys.lt-cert.pem:${acme.certFile}"
            "irc.jakstys.lt-key.pem:${acme.keyFile}"
          ];
        };
        preStart = ''
          ln -sf $CREDENTIALS_DIRECTORY/irc.jakstys.lt-cert.pem /run/soju/cert.pem
          ln -sf $CREDENTIALS_DIRECTORY/irc.jakstys.lt-key.pem /run/soju/key.pem
        '';
        after = [ "nsd-acme-irc.jakstys.lt.service" ];
        requires = [ "nsd-acme-irc.jakstys.lt.service" ];
      };

    syncthing-relay.restartIfChanged = false;

  };

  environment.systemPackages = with pkgs; [
    yt-dlp
    ffmpeg
    imapsync
    geoipWithDatabase
  ];

  networking = {
    hostId = "f9117e1b";
    hostName = "vno1-oh2";
    domain = "servers.jakst";
    defaultGateway = "192.168.189.4";
    nameservers = [ "192.168.189.4" ];
    interfaces.enp0s21f0u2.ipv4.addresses = [
      {
        address = "192.168.189.1";
        prefixLength = 24;
      }
    ];
    firewall = {
      allowedUDPPorts = [
        53
        80
        443
      ];
      allowedTCPPorts = [
        53
        80
        443
        config.services.syncthing.relay.port
        config.services.syncthing.relay.statusPort
      ];
      rejectPackets = true;
    };
  };
}
wip vno1-oh2 2023-07-22 16:05:44 +03:00			`{`
			`config,`
			`pkgs,`
			`myData,`
			`...`
nix fmt 2024-07-29 15:39:54 +03:00			`}:`
			`{`
wip vno1-oh2 2023-07-22 16:05:44 +03:00			`zfs-root = {`
			`boot = {`
			`enable = true;`
			`devNodes = "/dev/disk/by-id/";`
nix fmt 2024-07-29 15:39:54 +03:00			`bootDevices = [ "nvme-Samsung_SSD_970_EVO_Plus_2TB_S6P1NX0TA00913P" ];`
wip vno1-oh2 2023-07-22 16:05:44 +03:00			`immutable = false;`
vno1-oh2: mitigating the NIC 2023-09-12 09:59:55 +03:00			`availableKernelModules = [`
			`"ahci"`
			`"xhci_pci"`
			`"nvme"`
			`"usbhid"`
			`"sdhci_pci"`
			`"r8169" # builtin non working`
			`"r8152" # startech usb-ethernet adapter`
			`];`
wip vno1-oh2 2023-07-22 16:05:44 +03:00			`removableEfi = true;`
			`kernelParams = [`
vno1-oh2: mitigating the NIC 2023-09-12 09:59:55 +03:00			`"ip=192.168.189.1::192.168.189.4:255.255.255.0:vno1-oh2.jakstys.lt:enp0s21f0u2:off"`
wip vno1-oh2 2023-07-22 16:05:44 +03:00			`];`
			`};`
			`};`
Revert "Revert "vno1-oh2: emulate aarch64-linux"" This reverts commit d77bcd50632b63be74c0c6c7d6a4a5fee1f22411. 2023-08-15 23:37:06 +03:00
nix fmt 2024-07-29 15:39:54 +03:00			`boot.binfmt.emulatedSystems = [ "aarch64-linux" ];`
wip vno1-oh2 2023-07-22 16:05:44 +03:00
			`mj = {`
			`stateVersion = "23.05";`
			`timeZone = "Europe/Vilnius";`
vm: fix user propagation, refactor base.users 2024-03-06 10:33:48 +02:00			`username = "motiejus";`
wip vno1-oh2 2023-07-22 16:05:44 +03:00
			`base = {`
move common zfs settings to modules/base 2023-07-26 13:58:42 +03:00			`zfs.enable = true;`
start with vim 2023-08-18 16:39:03 +03:00			`users = {`
bring back "vm" 2024-02-04 16:18:47 +02:00			`enable = true;`
vm: fix user propagation, refactor base.users 2024-03-06 10:33:48 +02:00			`root.hashedPasswordFile = config.age.secrets.root-passwd-hash.path;`
			`user.hashedPasswordFile = config.age.secrets.motiejus-passwd-hash.path;`
wip vno1-oh2 2023-07-22 16:05:44 +03:00			`};`
vno1-oh2: snapshot /home 2023-07-26 13:09:40 +03:00
			`snapshot = {`
			`enable = true;`
nix fmt 2024-07-29 15:39:54 +03:00			`mountpoints = [`
			`"/home"`
			`"/var/lib"`
			`"/var/log"`
			`];`
vno1-oh2: snapshot /home 2023-07-26 13:09:40 +03:00			`};`
move common zfs settings to modules/base 2023-07-26 13:58:42 +03:00
vno1-oh2: backup /home/motiejus/annex2 2023-07-26 14:23:12 +03:00			`zfsborg = {`
			`enable = true;`
			`passwordPath = config.age.secrets.borgbackup-password.path;`
vno1-oh2: pass ssh key to borg 2023-07-26 14:39:34 +03:00			`sshKeyPath = "/etc/ssh/ssh_host_ed25519_key";`
zfsborg: restructure config Preparing for 2 repo destinations. 2023-09-11 17:25:12 +03:00			`dirs = [`
borgstor: add remaining paths 2023-09-11 17:50:35 +03:00			`# TODO merge`
zfsborg: restructure config Preparing for 2 repo destinations. 2023-09-11 17:25:12 +03:00			`{`
			`mountpoint = "/var/lib";`
vno1-oh2: backup /var/lib/{grafana,soju} 2023-08-22 15:18:24 +03:00			`repo = "zh2769@zh2769.rsync.net:${config.networking.hostName}.${config.networking.domain}-var_lib";`
			`paths = [`
zfsborg: remove the ${mountpoint}/.snapshot-latest prefix The path in the filesystem is quite clear from the archive name. 2023-09-15 11:04:20 +03:00			`"tailscale"`
			`"private/soju"`
vno1-oh2: backup /var/lib/{grafana,soju} 2023-08-22 15:18:24 +03:00			`];`
deployerbot and backups: move time around so they don't ovelap 2023-09-21 06:55:17 +03:00			`backup_at = "--* 01:00:00 UTC";`
rsync.net on zfsborg: less snapshots 2024-05-02 17:41:13 +03:00			`prune.keep = {`
			`within = "1d";`
			`daily = 1;`
			`weekly = 0;`
			`monthly = 0;`
			`};`
zfsborg: restructure config Preparing for 2 repo destinations. 2023-09-11 17:25:12 +03:00			`}`
borgstor: add remaining paths 2023-09-11 17:50:35 +03:00			`{`
			`mountpoint = "/var/lib";`
nix fmt 2024-07-29 15:39:54 +03:00			`repo = "borgstor@${`
			`myData.hosts."vno3-rp3b.servers.jakst".jakstIP`
			`}:${config.networking.hostName}.${config.networking.domain}-var_lib";`
borgstor: add remaining paths 2023-09-11 17:50:35 +03:00			`paths = [`
zfsborg: remove the ${mountpoint}/.snapshot-latest prefix The path in the filesystem is quite clear from the archive name. 2023-09-15 11:04:20 +03:00			`"tailscale"`
			`"private/soju"`
borgstor: add remaining paths 2023-09-11 17:50:35 +03:00			`];`
deployerbot and backups: move time around so they don't ovelap 2023-09-21 06:55:17 +03:00			`backup_at = "--* 01:00:00 UTC";`
borgstor: add remaining paths 2023-09-11 17:50:35 +03:00			`}`
borgstor: add /var/log for testing 2023-09-11 17:40:47 +03:00
zfsborg: restructure config Preparing for 2 repo destinations. 2023-09-11 17:25:12 +03:00			`];`
vno1-oh2: backup /home/motiejus/annex2 2023-07-26 14:23:12 +03:00			`};`

move common zfs settings to modules/base 2023-07-26 13:58:42 +03:00			`unitstatus = {`
			`enable = true;`
			`email = "motiejus+alerts@jakstys.lt";`
			`};`
wip vno1-oh2 2023-07-22 16:05:44 +03:00			`};`
zfsunlock 2023-07-24 09:23:20 +03:00
postfix: add to vno1-oh2 2023-07-26 13:26:11 +03:00			`services = {`
rewrite firewall rules 2023-09-12 15:46:44 +03:00			`friendlyport.ports = [`
			`{`
nix fmt 2024-07-29 15:39:54 +03:00			`subnets = [ myData.subnets.tailscale.cidr ];`
cosmetics 2023-10-22 09:10:09 +03:00			`tcp = with myData.ports; [`
rewrite firewall rules 2023-09-12 15:46:44 +03:00			`80`
			`443`
cosmetics 2023-10-22 09:10:09 +03:00			`soju`
soju: listen ws+insecure on :6698 2024-02-12 15:50:52 +02:00			`soju-ws`
rewrite firewall rules 2023-09-12 15:46:44 +03:00			`];`
			`}`
expose more ports to self 2023-08-06 00:15:13 +03:00			`];`
tailscaled: silence logs by default it works. 2023-10-22 20:14:25 +03:00
tailscale: silence logs on some machines 2023-09-14 14:37:55 +03:00			`tailscale.enable = true;`
move node_exporter to its own module 2023-08-18 09:31:19 +03:00			`node_exporter.enable = true;`
sshguard is now optional 2023-09-14 06:41:16 +03:00			`sshguard.enable = true;`
snmp: from package back to module 2023-09-05 14:41:52 +03:00
nix fmt 2024-07-29 15:39:54 +03:00			`nsd-acme =`
			`let`
			`accountKey = config.age.secrets.letsencrypt-account-key.path;`
			`in`
			`{`
			`enable = true;`
			`zones = {`
			`"irc.jakstys.lt".accountKey = accountKey;`
			`"hdd.jakstys.lt".accountKey = accountKey;`
bring back https to grafana not good with oicd 2024-08-03 12:10:29 +03:00			`"grafana.jakstys.lt".accountKey = accountKey;`
nix fmt 2024-07-29 15:39:54 +03:00			`"bitwarden.jakstys.lt".accountKey = accountKey;`
			`};`
statix 2023-11-27 18:17:27 +02:00			`};`
nsd-acme 2023-08-09 14:24:43 +03:00
updaterbot: move all to deployer 2023-07-30 05:49:54 +03:00			`deployerbot = {`
			`follower = {`
fwminex.{motiejus->servers}.jakst 2024-07-31 09:19:13 +03:00			`publicKeys = [ myData.hosts."fwminex.servers.jakst".publicKey ];`
statix: fix bugs with inherit now I know better what it does. 2023-10-01 23:26:01 +03:00
updaterbot: move all to deployer 2023-07-30 05:49:54 +03:00			`enable = true;`
nix fmt 2024-07-29 15:39:54 +03:00			`sshAllowSubnets = [ myData.subnets.tailscale.sshPattern ];`
updaterbot: move all to deployer 2023-07-30 05:49:54 +03:00			`uidgid = myData.uidgid.updaterbot-deployee;`
			`};`
updater: move to it's own service 2023-07-28 14:20:50 +03:00			`};`

postfix: add to vno1-oh2 2023-07-26 13:26:11 +03:00			`postfix = {`
			`enable = true;`
			`saslPasswdPath = config.age.secrets.sasl-passwd.path;`
			`};`
syncthing 2023-07-26 11:36:54 +03:00
postfix: add to vno1-oh2 2023-07-26 13:26:11 +03:00			`syncthing = {`
			`enable = true;`
			`dataDir = "/home/motiejus/";`
			`user = "motiejus";`
			`group = "users";`
			`};`

moving synapse to vno1-oh2 2023-08-25 15:55:06 +03:00			`matrix-synapse = {`
			`enable = true;`
			`signingKeyPath = config.age.secrets.synapse-jakstys-signing-key.path;`
			`registrationSharedSecretPath = config.age.secrets.synapse-registration-shared-secret.path;`
			`macaroonSecretKeyPath = config.age.secrets.synapse-macaroon-secret-key.path;`
			`};`

nix fmt 2024-07-29 15:39:54 +03:00			`remote-builder.client =`
			`let`
rm fra1-a 2024-07-31 09:06:53 +03:00			`host = myData.hosts."fra1-b.servers.jakst";`
nix fmt 2024-07-29 15:39:54 +03:00			`in`
			`{`
			`enable = true;`
			`inherit (host) system supportedFeatures;`
			`hostName = host.jakstIP;`
			`sshKey = "/etc/ssh/ssh_host_ed25519_key";`
			`};`
zfsunlock 2023-07-24 09:23:20 +03:00			`};`
wip vno1-oh2 2023-07-22 16:05:44 +03:00			`};`

			`services = {`
caddy: disable on hel1-a, enable logrotate on vno1-oh2 2023-08-25 17:03:01 +03:00
wip vno1-oh2 2023-07-22 16:05:44 +03:00			`nsd = {`
			`enable = true;`
nix fmt 2024-07-29 15:39:54 +03:00			`interfaces = [`
			`"0.0.0.0"`
			`"::"`
			`];`
wip vno1-oh2 2023-07-22 16:05:44 +03:00			`zones = {`
			`"jakstys.lt.".data = myData.jakstysLTZone;`
wip 11sync 2024-01-15 15:08:04 +02:00			`"11sync.net.".data = myData.e11syncZone;`
wip vno1-oh2 2023-07-22 16:05:44 +03:00			`};`
nsd: enable remote-control 2023-08-07 01:23:41 +03:00			`};`
enable soju 2023-08-22 14:28:59 +03:00
			`soju = {`
			`enable = true;`
soju: listen ws+insecure on :6698 2024-02-12 15:50:52 +02:00			`listen = [`
soju: disable admin socket for now 2024-06-05 23:18:40 +03:00			`#"unix+admin://"`
soju: listen ws+insecure on :6698 2024-02-12 15:50:52 +02:00			`":${toString myData.ports.soju}"`
irc: add wss listener 2024-02-12 16:03:32 +02:00			`"wss://:${toString myData.ports.soju-ws}"`
soju: listen ws+insecure on :6698 2024-02-12 15:50:52 +02:00			`];`
enable soju 2023-08-22 14:28:59 +03:00			`tlsCertificate = "/run/soju/cert.pem";`
			`tlsCertificateKey = "/run/soju/key.pem";`
			`hostName = "irc.jakstys.lt";`
nix fmt 2024-07-29 15:39:54 +03:00			`httpOrigins = [ "*" ];`
enable soju 2023-08-22 14:28:59 +03:00			`extraConfig = ''`
soju: store logs to files 2023-08-22 15:13:33 +03:00			`message-store fs /var/lib/soju`
enable soju 2023-08-22 14:28:59 +03:00			`'';`
			`};`
vaultwarden 2023-09-07 08:29:14 +03:00
move vaultwarden to fwminex 2024-08-03 06:53:37 +03:00			`#syncthing.relay = {`
			`# enable = true;`
			`# providedBy = "11sync.net";`
			`#};`
minidlna 2023-09-07 22:24:00 +03:00			`};`
vaultwarden: smtp and secrets 2023-09-07 13:04:38 +03:00
grafana now on https://grafana.jakstys.lt, over vpn 2023-08-14 08:46:41 +03:00			`systemd.services = {`
nix fmt 2024-07-29 15:39:54 +03:00			`soju =`
			`let`
			`acme = config.mj.services.nsd-acme.zones."irc.jakstys.lt";`
			`in`
			`{`
			`serviceConfig = {`
			`RuntimeDirectory = "soju";`
			`LoadCredential = [`
			`"irc.jakstys.lt-cert.pem:${acme.certFile}"`
			`"irc.jakstys.lt-key.pem:${acme.keyFile}"`
			`];`
			`};`
			`preStart = ''`
			`ln -sf $CREDENTIALS_DIRECTORY/irc.jakstys.lt-cert.pem /run/soju/cert.pem`
			`ln -sf $CREDENTIALS_DIRECTORY/irc.jakstys.lt-key.pem /run/soju/key.pem`
			`'';`
			`after = [ "nsd-acme-irc.jakstys.lt.service" ];`
			`requires = [ "nsd-acme-irc.jakstys.lt.service" ];`
			`};`
enable soju 2023-08-22 14:28:59 +03:00
syncthing-relay: restart less often 2024-02-22 10:08:19 +02:00			`syncthing-relay.restartIfChanged = false;`

grafana now on https://grafana.jakstys.lt, over vpn 2023-08-14 08:46:41 +03:00			`};`

move beta to it's own zone 2023-12-16 00:20:17 +02:00			`environment.systemPackages = with pkgs; [`
vno1-oh2: add yt-dlp 2024-01-14 18:23:17 +02:00			`yt-dlp`
vno1-oh2: +ffmpeg 2024-06-16 15:45:23 +03:00			`ffmpeg`
move beta to it's own zone 2023-12-16 00:20:17 +02:00			`imapsync`
			`geoipWithDatabase`
			`];`
add geoipWithDatabase 2023-12-07 22:56:16 +02:00
wip vno1-oh2 2023-07-22 16:05:44 +03:00			`networking = {`
			`hostId = "f9117e1b";`
			`hostName = "vno1-oh2";`
syncthing 2023-07-26 11:36:54 +03:00			`domain = "servers.jakst";`
wip vno1-oh2 2023-07-22 16:05:44 +03:00			`defaultGateway = "192.168.189.4";`
nix fmt 2024-07-29 15:39:54 +03:00			`nameservers = [ "192.168.189.4" ];`
vno1-oh2: mitigating the NIC 2023-09-12 09:59:55 +03:00			`interfaces.enp0s21f0u2.ipv4.addresses = [`
wip vno1-oh2 2023-07-22 16:05:44 +03:00			`{`
			`address = "192.168.189.1";`
			`prefixLength = 24;`
			`}`
			`];`
vno1-oh2: allow port 53 2023-08-07 00:33:37 +03:00			`firewall = {`
nix fmt 2024-07-29 15:39:54 +03:00			`allowedUDPPorts = [`
			`53`
			`80`
			`443`
			`];`
add syncthing-relay 2024-01-25 12:15:59 +02:00			`allowedTCPPorts = [`
			`53`
			`80`
			`443`
			`config.services.syncthing.relay.port`
			`config.services.syncthing.relay.statusPort`
			`];`
firewall: reject packets on some hosts 2023-09-21 15:08:26 +03:00			`rejectPackets = true;`
vno1-oh2: allow port 53 2023-08-07 00:33:37 +03:00			`};`
wip vno1-oh2 2023-07-22 16:05:44 +03:00			`};`
			`}`