2024-07-29 15:39:54 +03:00
parent 3da42ead11
commit 9ea80639a3
51 changed files with 2040 additions and 1758 deletions


@@ -4,25 +4,31 @@
myData,
modulesPath,
...
}: {
imports = [(modulesPath + "/profiles/qemu-guest.nix")];
}:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
zfs-root = {
boot = {
enable = true;
devNodes = "/dev/disk/by-id/";
bootDevices = ["scsi-0QEMU_QEMU_HARDDISK_36151096"];
bootDevices = [ "scsi-0QEMU_QEMU_HARDDISK_36151096" ];
immutable = false;
availableKernelModules = ["xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod" "virtio_gpu"];
availableKernelModules = [
"xhci_pci"
"virtio_pci"
"virtio_scsi"
"usbhid"
"sr_mod"
"virtio_gpu"
];
removableEfi = true;
kernelParams = ["console=tty"];
kernelParams = [ "console=tty" ];
sshUnlock = {
enable = true;
authorizedKeys =
(builtins.attrValues myData.people_pubkeys)
++ [
myData.hosts."vno1-oh2.servers.jakst".publicKey
];
authorizedKeys = (builtins.attrValues myData.people_pubkeys) ++ [
myData.hosts."vno1-oh2.servers.jakst".publicKey
];
};
};
};
@@ -46,7 +52,7 @@
snapshot = {
enable = true;
mountpoints = ["/var/lib"];
mountpoints = [ "/var/lib" ];
};
};
@@ -79,22 +85,24 @@
];
enable = true;
sshAllowSubnets = [myData.subnets.tailscale.sshPattern];
sshAllowSubnets = [ myData.subnets.tailscale.sshPattern ];
uidgid = myData.uidgid.updaterbot-deployee;
};
};
zfsunlock = {
enable = false;
targets."vno1-oh2.servers.jakst" = let
host = myData.hosts."vno1-oh2.servers.jakst";
in {
sshEndpoint = host.publicIP;
pingEndpoint = host.jakstIP;
remotePubkey = host.initrdPubKey;
pwFile = config.age.secrets.zfs-passphrase-vno1-oh2.path;
startAt = "*-*-* *:00/5:00";
};
targets."vno1-oh2.servers.jakst" =
let
host = myData.hosts."vno1-oh2.servers.jakst";
in
{
sshEndpoint = host.publicIP;
pingEndpoint = host.jakstIP;
remotePubkey = host.initrdPubKey;
pwFile = config.age.secrets.zfs-passphrase-vno1-oh2.path;
startAt = "*-*-* *:00/5:00";
};
};
};
};
@@ -120,7 +128,10 @@
nsd = {
enable = true;
interfaces = ["0.0.0.0" "::"];
interfaces = [
"0.0.0.0"
"::"
];
zones = {
"jakstys.lt.".data = myData.jakstysLTZone;
"11sync.net.".data = myData.e11syncZone;
@@ -134,8 +145,16 @@
domain = "servers.jakst";
useDHCP = true;
firewall = {
allowedUDPPorts = [53 443];
allowedTCPPorts = [22 53 80 443];
allowedUDPPorts = [
53
443
];
allowedTCPPorts = [
22
53
80
443
];
};
};


@@ -3,20 +3,28 @@
pkgs,
config,
...
}: let
}:
let
nvme = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_2TB_S6P1NS0TA01331A_1";
in {
in
{
imports = [
../../modules
../../modules/profiles/btrfs
];
boot = {
kernelModules = ["kvm-intel"];
kernelModules = [ "kvm-intel" ];
loader.systemd-boot.enable = true;
initrd = {
kernelModules = ["usb_storage"];
availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "usbhid" "tpm_tis"];
kernelModules = [ "usb_storage" ];
availableKernelModules = [
"xhci_pci"
"thunderbolt"
"nvme"
"usbhid"
"tpm_tis"
];
systemd.enableTpm2 = true;
luks.devices = {
luksroot = {
@@ -44,7 +52,7 @@ in {
"/" = {
device = "/dev/mapper/luksroot";
fsType = "btrfs";
options = ["compress=zstd"];
options = [ "compress=zstd" ];
};
"/boot" = {
device = "${nvme}-part1";
@@ -86,18 +94,20 @@ in {
verboseLogs = false;
};
remote-builder.client = let
host = myData.hosts."fra1-a.servers.jakst";
in {
enable = true;
inherit (host) system supportedFeatures;
hostName = host.jakstIP;
sshKey = "/etc/ssh/ssh_host_ed25519_key";
};
remote-builder.client =
let
host = myData.hosts."fra1-a.servers.jakst";
in
{
enable = true;
inherit (host) system supportedFeatures;
hostName = host.jakstIP;
sshKey = "/etc/ssh/ssh_host_ed25519_key";
};
node_exporter = {
enable = true;
extraSubnets = [myData.subnets.vno1.cidr];
extraSubnets = [ myData.subnets.vno1.cidr ];
};
deployerbot = {
@@ -127,7 +137,7 @@ in {
enable = true;
uidgid = myData.uidgid.updaterbot-deployee;
sshAllowSubnets = with myData.subnets; [tailscale.sshPattern];
sshAllowSubnets = with myData.subnets; [ tailscale.sshPattern ];
};
};


@@ -1,10 +1,8 @@
{
config,
myData,
...
}: let
{ config, myData, ... }:
let
nvme = "/dev/disk/by-id/nvme-WD_PC_SN810_SDCQNRY-1T00-1201_23234W800017";
in {
in
{
imports = [
../../shared/work
../../modules
@@ -14,10 +12,16 @@ in {
];
boot = {
kernelModules = ["kvm-intel"];
kernelModules = [ "kvm-intel" ];
loader.systemd-boot.enable = true;
initrd = {
availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "usbhid" "tpm_tis"];
availableKernelModules = [
"xhci_pci"
"thunderbolt"
"nvme"
"usbhid"
"tpm_tis"
];
systemd = {
enableTpm2 = true;
emergencyAccess = true;
@@ -26,7 +30,7 @@ in {
luksroot = {
device = "${nvme}-part3";
allowDiscards = true;
crypttabExtraOpts = ["tpm2-device=auto"];
crypttabExtraOpts = [ "tpm2-device=auto" ];
};
};
};
@@ -43,7 +47,7 @@ in {
"/" = {
device = "/dev/mapper/luksroot";
fsType = "btrfs";
options = ["compress=zstd"];
options = [ "compress=zstd" ];
};
"/boot" = {
device = "${nvme}-part1";
@@ -81,18 +85,20 @@ in {
toUser = config.mj.username;
};
remote-builder.client = let
host = myData.hosts."fra1-a.servers.jakst";
in {
enable = true;
inherit (host) system supportedFeatures;
hostName = host.jakstIP;
sshKey = "/etc/ssh/ssh_host_ed25519_key";
};
remote-builder.client =
let
host = myData.hosts."fra1-a.servers.jakst";
in
{
enable = true;
inherit (host) system supportedFeatures;
hostName = host.jakstIP;
sshKey = "/etc/ssh/ssh_host_ed25519_key";
};
node_exporter = {
enable = true;
extraSubnets = [myData.subnets.vno1.cidr];
extraSubnets = [ myData.subnets.vno1.cidr ];
};
deployerbot = {
@@ -104,7 +110,7 @@ in {
enable = true;
uidgid = myData.uidgid.updaterbot-deployee;
sshAllowSubnets = with myData.subnets; [tailscale.sshPattern];
sshAllowSubnets = with myData.subnets; [ tailscale.sshPattern ];
};
};
@@ -131,7 +137,7 @@ in {
};
};
users.extraGroups.vboxusers.members = ["motiejus"];
users.extraGroups.vboxusers.members = [ "motiejus" ];
security.tpm2.enable = true;


@@ -1,8 +1,5 @@
{ self, modulesPath, ... }:
{
self,
modulesPath,
...
}: {
imports = [
"${modulesPath}/profiles/all-hardware.nix"
"${modulesPath}/installer/cd-dvd/iso-image.nix"
@@ -21,7 +18,10 @@
};
boot.loader.systemd-boot.enable = true;
boot.supportedFilesystems = ["zfs" "btrfs"];
boot.supportedFilesystems = [
"zfs"
"btrfs"
];
isoImage = {
isoName = "toolshed-${self.lastModifiedDate}.iso";
@@ -31,7 +31,7 @@
makeUsbBootable = true; # USB booting
};
swapDevices = [];
swapDevices = [ ];
services = {
getty.autologinUser = "nixos";
@@ -45,7 +45,7 @@
networking = {
hostName = "vm";
domain = "jakstys.lt";
firewall.allowedTCPPorts = [22];
firewall.allowedTCPPorts = [ 22 ];
hostId = "abefef01";
};
}


@@ -4,12 +4,13 @@
pkgs,
myData,
...
}: {
}:
{
zfs-root = {
boot = {
enable = true;
devNodes = "/dev/disk/by-id/";
bootDevices = ["nvme-Samsung_SSD_970_EVO_Plus_2TB_S6P1NX0TA00913P"];
bootDevices = [ "nvme-Samsung_SSD_970_EVO_Plus_2TB_S6P1NX0TA00913P" ];
immutable = false;
availableKernelModules = [
"ahci"
@@ -26,14 +27,14 @@
];
sshUnlock = {
enable = true;
authorizedKeys =
(builtins.attrValues myData.people_pubkeys)
++ [myData.hosts."fra1-a.servers.jakst".publicKey];
authorizedKeys = (builtins.attrValues myData.people_pubkeys) ++ [
myData.hosts."fra1-a.servers.jakst".publicKey
];
};
};
};
boot.binfmt.emulatedSystems = ["aarch64-linux"];
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
mj = {
stateVersion = "23.05";
@@ -50,7 +51,11 @@
snapshot = {
enable = true;
mountpoints = ["/home" "/var/lib" "/var/log"];
mountpoints = [
"/home"
"/var/lib"
"/var/log"
];
};
zfsborg = {
@@ -73,9 +78,7 @@
"tailscale"
"private/soju"
];
patterns = [
"- gitea/data/repo-archive/"
];
patterns = [ "- gitea/data/repo-archive/" ];
backup_at = "*-*-* 01:00:00 UTC";
prune.keep = {
within = "1d";
@@ -86,7 +89,9 @@
}
{
mountpoint = "/var/lib";
repo = "borgstor@${myData.hosts."vno3-rp3b.servers.jakst".jakstIP}:${config.networking.hostName}.${config.networking.domain}-var_lib";
repo = "borgstor@${
myData.hosts."vno3-rp3b.servers.jakst".jakstIP
}:${config.networking.hostName}.${config.networking.domain}-var_lib";
paths = [
"bitwarden_rs"
"caddy"
@@ -98,9 +103,7 @@
"tailscale"
"private/soju"
];
patterns = [
"- gitea/data/repo-archive/"
];
patterns = [ "- gitea/data/repo-archive/" ];
backup_at = "*-*-* 01:00:00 UTC";
}
@@ -108,7 +111,7 @@
{
mountpoint = "/var/log";
repo = "zh2769@zh2769.rsync.net:${config.networking.hostName}.${config.networking.domain}-var_log";
paths = ["caddy"];
paths = [ "caddy" ];
patterns = [
"+ caddy/access-jakstys.lt.log-*.zst"
"- *"
@@ -117,8 +120,10 @@
}
{
mountpoint = "/var/log";
repo = "borgstor@${myData.hosts."vno3-rp3b.servers.jakst".jakstIP}:${config.networking.hostName}.${config.networking.domain}-var_log";
paths = ["caddy"];
repo = "borgstor@${
myData.hosts."vno3-rp3b.servers.jakst".jakstIP
}:${config.networking.hostName}.${config.networking.domain}-var_log";
paths = [ "caddy" ];
patterns = [
"+ caddy/access-jakstys.lt.log-*.zst"
"- *"
@@ -138,7 +143,9 @@
}
{
mountpoint = "/home";
repo = "borgstor@${myData.hosts."vno3-rp3b.servers.jakst".jakstIP}:${config.networking.hostName}.${config.networking.domain}-home-motiejus-annex2";
repo = "borgstor@${
myData.hosts."vno3-rp3b.servers.jakst".jakstIP
}:${config.networking.hostName}.${config.networking.domain}-home-motiejus-annex2";
paths = [
"motiejus/annex2"
"motiejus/.config/syncthing"
@@ -157,7 +164,7 @@
services = {
friendlyport.ports = [
{
subnets = [myData.subnets.tailscale.cidr];
subnets = [ myData.subnets.tailscale.cidr ];
tcp = with myData.ports; [
80
443
@@ -181,18 +188,20 @@
subnetCIDR = myData.subnets.tailscale.cidr;
};
nsd-acme = let
accountKey = config.age.secrets.letsencrypt-account-key.path;
in {
enable = true;
zones = {
"irc.jakstys.lt".accountKey = accountKey;
"hdd.jakstys.lt".accountKey = accountKey;
"hass.jakstys.lt".accountKey = accountKey;
"grafana.jakstys.lt".accountKey = accountKey;
"bitwarden.jakstys.lt".accountKey = accountKey;
nsd-acme =
let
accountKey = config.age.secrets.letsencrypt-account-key.path;
in
{
enable = true;
zones = {
"irc.jakstys.lt".accountKey = accountKey;
"hdd.jakstys.lt".accountKey = accountKey;
"hass.jakstys.lt".accountKey = accountKey;
"grafana.jakstys.lt".accountKey = accountKey;
"bitwarden.jakstys.lt".accountKey = accountKey;
};
};
};
deployerbot = {
follower = {
@@ -202,7 +211,7 @@
];
enable = true;
sshAllowSubnets = [myData.subnets.tailscale.sshPattern];
sshAllowSubnets = [ myData.subnets.tailscale.sshPattern ];
uidgid = myData.uidgid.updaterbot-deployee;
};
};
@@ -228,25 +237,29 @@
zfsunlock = {
enable = true;
targets."fra1-a.servers.jakst" = let
host = myData.hosts."fra1-a.servers.jakst";
in {
sshEndpoint = host.publicIP;
pingEndpoint = host.jakstIP;
remotePubkey = host.initrdPubKey;
pwFile = config.age.secrets.zfs-passphrase-fra1-a.path;
startAt = "*-*-* *:00/5:00";
};
targets."fra1-a.servers.jakst" =
let
host = myData.hosts."fra1-a.servers.jakst";
in
{
sshEndpoint = host.publicIP;
pingEndpoint = host.jakstIP;
remotePubkey = host.initrdPubKey;
pwFile = config.age.secrets.zfs-passphrase-fra1-a.path;
startAt = "*-*-* *:00/5:00";
};
};
remote-builder.client = let
host = myData.hosts."fra1-a.servers.jakst";
in {
enable = true;
inherit (host) system supportedFeatures;
hostName = host.jakstIP;
sshKey = "/etc/ssh/ssh_host_ed25519_key";
};
remote-builder.client =
let
host = myData.hosts."fra1-a.servers.jakst";
in
{
enable = true;
inherit (host) system supportedFeatures;
hostName = host.jakstIP;
sshKey = "/etc/ssh/ssh_host_ed25519_key";
};
};
};
@@ -301,25 +314,27 @@
"www.jakstys.lt".extraConfig = ''
redir https://jakstys.lt
'';
"irc.jakstys.lt".extraConfig = let
gamja = pkgs.compressDrvWeb (pkgs.gamja.override {
gamjaConfig = {
server = {
url = "irc.jakstys.lt:6698";
nick = "motiejus";
"irc.jakstys.lt".extraConfig =
let
gamja = pkgs.compressDrvWeb (pkgs.gamja.override {
gamjaConfig = {
server = {
url = "irc.jakstys.lt:6698";
nick = "motiejus";
};
};
};
}) {};
in ''
@denied not remote_ip ${myData.subnets.tailscale.cidr}
abort @denied
tls {$CREDENTIALS_DIRECTORY}/irc.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/irc.jakstys.lt-key.pem
}) { };
in
''
@denied not remote_ip ${myData.subnets.tailscale.cidr}
abort @denied
tls {$CREDENTIALS_DIRECTORY}/irc.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/irc.jakstys.lt-key.pem
root * ${gamja}
file_server browse {
precompressed br gzip
}
'';
root * ${gamja}
file_server browse {
precompressed br gzip
}
'';
"dl.jakstys.lt".extraConfig = ''
root * /var/www/dl
file_server browse {
@@ -452,47 +467,52 @@
evaluation_interval = "1m";
};
scrapeConfigs = let
port = builtins.toString myData.ports.exporters.node;
in [
{
job_name = "prometheus";
static_configs = [{targets = ["127.0.0.1:${toString myData.ports.prometheus}"];}];
}
{
job_name = "caddy";
static_configs = [{targets = ["127.0.0.1:${toString myData.ports.exporters.caddy}"];}];
}
{
job_name = "${config.networking.hostName}.${config.networking.domain}";
static_configs = [{targets = ["127.0.0.1:${port}"];}];
}
{
job_name = "fra1-a.servers.jakst";
static_configs = [{targets = ["${myData.hosts."fra1-a.servers.jakst".jakstIP}:${port}"];}];
}
{
job_name = "vno3-rp3b.servers.jakst";
static_configs = [{targets = ["${myData.hosts."vno3-rp3b.servers.jakst".jakstIP}:${port}"];}];
}
{
job_name = "fwminex.motiejus.jakst";
static_configs = [{targets = ["${myData.hosts."fwminex.motiejus.jakst".jakstIP}:${port}"];}];
}
{
job_name = "mtworx.motiejus.jakst";
static_configs = [{targets = ["${myData.hosts."mtworx.motiejus.jakst".jakstIP}:${port}"];}];
}
{
job_name = "vno1-vinc.vincentas.jakst";
static_configs = [{targets = ["${myData.hosts."vno1-vinc.vincentas.jakst".jakstIP}:9100"];}];
}
];
scrapeConfigs =
let
port = builtins.toString myData.ports.exporters.node;
in
[
{
job_name = "prometheus";
static_configs = [ { targets = [ "127.0.0.1:${toString myData.ports.prometheus}" ]; } ];
}
{
job_name = "caddy";
static_configs = [ { targets = [ "127.0.0.1:${toString myData.ports.exporters.caddy}" ]; } ];
}
{
job_name = "${config.networking.hostName}.${config.networking.domain}";
static_configs = [ { targets = [ "127.0.0.1:${port}" ]; } ];
}
{
job_name = "fra1-a.servers.jakst";
static_configs = [ { targets = [ "${myData.hosts."fra1-a.servers.jakst".jakstIP}:${port}" ]; } ];
}
{
job_name = "vno3-rp3b.servers.jakst";
static_configs = [ { targets = [ "${myData.hosts."vno3-rp3b.servers.jakst".jakstIP}:${port}" ]; } ];
}
{
job_name = "fwminex.motiejus.jakst";
static_configs = [ { targets = [ "${myData.hosts."fwminex.motiejus.jakst".jakstIP}:${port}" ]; } ];
}
{
job_name = "mtworx.motiejus.jakst";
static_configs = [ { targets = [ "${myData.hosts."mtworx.motiejus.jakst".jakstIP}:${port}" ]; } ];
}
{
job_name = "vno1-vinc.vincentas.jakst";
static_configs = [ { targets = [ "${myData.hosts."vno1-vinc.vincentas.jakst".jakstIP}:9100" ]; } ];
}
];
};
nsd = {
enable = true;
interfaces = ["0.0.0.0" "::"];
interfaces = [
"0.0.0.0"
"::"
];
zones = {
"jakstys.lt.".data = myData.jakstysLTZone;
"11sync.net.".data = myData.e11syncZone;
@@ -509,7 +529,7 @@
tlsCertificate = "/run/soju/cert.pem";
tlsCertificateKey = "/run/soju/key.pem";
hostName = "irc.jakstys.lt";
httpOrigins = ["*"];
httpOrigins = [ "*" ];
extraConfig = ''
message-store fs /var/lib/soju
'';
@@ -544,7 +564,7 @@
enable = true;
openFirewall = true;
settings = {
media_dir = ["/home/motiejus/video"];
media_dir = [ "/home/motiejus/video" ];
friendly_name = "vno1-oh2";
inotify = "yes";
};
@@ -557,62 +577,64 @@
};
systemd.services = {
caddy = let
irc = config.mj.services.nsd-acme.zones."irc.jakstys.lt";
hass = config.mj.services.nsd-acme.zones."hass.jakstys.lt";
grafana = config.mj.services.nsd-acme.zones."grafana.jakstys.lt";
bitwarden = config.mj.services.nsd-acme.zones."bitwarden.jakstys.lt";
in {
serviceConfig.LoadCredential = [
"irc.jakstys.lt-cert.pem:${irc.certFile}"
"irc.jakstys.lt-key.pem:${irc.keyFile}"
"hass.jakstys.lt-cert.pem:${hass.certFile}"
"hass.jakstys.lt-key.pem:${hass.keyFile}"
"grafana.jakstys.lt-cert.pem:${grafana.certFile}"
"grafana.jakstys.lt-key.pem:${grafana.keyFile}"
"bitwarden.jakstys.lt-cert.pem:${bitwarden.certFile}"
"bitwarden.jakstys.lt-key.pem:${bitwarden.keyFile}"
];
after = [
"nsd-acme-irc.jakstys.lt.service"
"nsd-acme-hass.jakstys.lt.service"
"nsd-acme-grafana.jakstys.lt.service"
"nsd-acme-bitwarden.jakstys.lt.service"
];
requires = [
"nsd-acme-irc.jakstys.lt.service"
"nsd-acme-hass.jakstys.lt.service"
"nsd-acme-grafana.jakstys.lt.service"
"nsd-acme-bitwarden.jakstys.lt.service"
];
};
soju = let
acme = config.mj.services.nsd-acme.zones."irc.jakstys.lt";
in {
serviceConfig = {
RuntimeDirectory = "soju";
LoadCredential = [
"irc.jakstys.lt-cert.pem:${acme.certFile}"
"irc.jakstys.lt-key.pem:${acme.keyFile}"
caddy =
let
irc = config.mj.services.nsd-acme.zones."irc.jakstys.lt";
hass = config.mj.services.nsd-acme.zones."hass.jakstys.lt";
grafana = config.mj.services.nsd-acme.zones."grafana.jakstys.lt";
bitwarden = config.mj.services.nsd-acme.zones."bitwarden.jakstys.lt";
in
{
serviceConfig.LoadCredential = [
"irc.jakstys.lt-cert.pem:${irc.certFile}"
"irc.jakstys.lt-key.pem:${irc.keyFile}"
"hass.jakstys.lt-cert.pem:${hass.certFile}"
"hass.jakstys.lt-key.pem:${hass.keyFile}"
"grafana.jakstys.lt-cert.pem:${grafana.certFile}"
"grafana.jakstys.lt-key.pem:${grafana.keyFile}"
"bitwarden.jakstys.lt-cert.pem:${bitwarden.certFile}"
"bitwarden.jakstys.lt-key.pem:${bitwarden.keyFile}"
];
after = [
"nsd-acme-irc.jakstys.lt.service"
"nsd-acme-hass.jakstys.lt.service"
"nsd-acme-grafana.jakstys.lt.service"
"nsd-acme-bitwarden.jakstys.lt.service"
];
requires = [
"nsd-acme-irc.jakstys.lt.service"
"nsd-acme-hass.jakstys.lt.service"
"nsd-acme-grafana.jakstys.lt.service"
"nsd-acme-bitwarden.jakstys.lt.service"
];
};
preStart = ''
ln -sf $CREDENTIALS_DIRECTORY/irc.jakstys.lt-cert.pem /run/soju/cert.pem
ln -sf $CREDENTIALS_DIRECTORY/irc.jakstys.lt-key.pem /run/soju/key.pem
'';
after = ["nsd-acme-irc.jakstys.lt.service"];
requires = ["nsd-acme-irc.jakstys.lt.service"];
};
soju =
let
acme = config.mj.services.nsd-acme.zones."irc.jakstys.lt";
in
{
serviceConfig = {
RuntimeDirectory = "soju";
LoadCredential = [
"irc.jakstys.lt-cert.pem:${acme.certFile}"
"irc.jakstys.lt-key.pem:${acme.keyFile}"
];
};
preStart = ''
ln -sf $CREDENTIALS_DIRECTORY/irc.jakstys.lt-cert.pem /run/soju/cert.pem
ln -sf $CREDENTIALS_DIRECTORY/irc.jakstys.lt-key.pem /run/soju/key.pem
'';
after = [ "nsd-acme-irc.jakstys.lt.service" ];
requires = [ "nsd-acme-irc.jakstys.lt.service" ];
};
vaultwarden = {
preStart = "ln -sf $CREDENTIALS_DIRECTORY/secrets.env /run/vaultwarden/secrets.env";
serviceConfig = {
EnvironmentFile = ["-/run/vaultwarden/secrets.env"];
EnvironmentFile = [ "-/run/vaultwarden/secrets.env" ];
RuntimeDirectory = "vaultwarden";
LoadCredential = [
"secrets.env:${config.age.secrets.vaultwarden-secrets-env.path}"
];
LoadCredential = [ "secrets.env:${config.age.secrets.vaultwarden-secrets-env.path}" ];
};
};
@@ -621,13 +643,13 @@
serviceConfig = {
LogsDirectory = "grafana";
RuntimeDirectory = "grafana";
LoadCredential = ["oidc:${config.age.secrets.grafana-oidc.path}"];
LoadCredential = [ "oidc:${config.age.secrets.grafana-oidc.path}" ];
};
};
cert-watcher = {
description = "Restart caddy when tls keys/certs change";
wantedBy = ["multi-user.target"];
wantedBy = [ "multi-user.target" ];
unitConfig = {
StartLimitIntervalSec = 10;
StartLimitBurst = 5;
@@ -642,7 +664,7 @@
serviceConfig = {
ProtectSystem = "strict";
ProtectHome = "tmpfs";
BindReadOnlyPaths = ["/home/motiejus/video"];
BindReadOnlyPaths = [ "/home/motiejus/video" ];
};
};
@@ -659,7 +681,7 @@
systemd.paths = {
cert-watcher = {
wantedBy = ["multi-user.target"];
wantedBy = [ "multi-user.target" ];
pathConfig = {
PathChanged = [
config.mj.services.nsd-acme.zones."irc.jakstys.lt".certFile
@@ -672,15 +694,17 @@
};
};
users = let
uidgid = myData.uidgid.photoprism;
in {
groups.photoprism.gid = uidgid;
users.photoprism = {
group = "photoprism";
uid = uidgid;
users =
let
uidgid = myData.uidgid.photoprism;
in
{
groups.photoprism.gid = uidgid;
users.photoprism = {
group = "photoprism";
uid = uidgid;
};
};
};
environment.systemPackages = with pkgs; [
yt-dlp
@@ -694,7 +718,7 @@
hostName = "vno1-oh2";
domain = "servers.jakst";
defaultGateway = "192.168.189.4";
nameservers = ["192.168.189.4"];
nameservers = [ "192.168.189.4" ];
interfaces.enp0s21f0u2.ipv4.addresses = [
{
address = "192.168.189.1";
@@ -702,7 +726,11 @@
}
];
firewall = {
allowedUDPPorts = [53 80 443];
allowedUDPPorts = [
53
80
443
];
allowedTCPPorts = [
53
80


@@ -6,24 +6,26 @@
pkgs,
myData,
...
}: {
imports = [
../../modules/profiles/sdcard
];
}:
{
imports = [ ../../modules/profiles/sdcard ];
boot = {
initrd = {
availableKernelModules = ["usbhid"];
kernelModules = ["vc4" "bcm2835_dma"];
availableKernelModules = [ "usbhid" ];
kernelModules = [
"vc4"
"bcm2835_dma"
];
};
loader = {
grub.enable = false;
generic-extlinux-compatible.enable = true;
};
kernelModules = [];
extraModulePackages = [];
supportedFilesystems = ["zfs"];
kernelModules = [ ];
extraModulePackages = [ ];
supportedFilesystems = [ "zfs" ];
zfs.forceImportRoot = false;
};
@@ -48,7 +50,7 @@
};
};
swapDevices = [];
swapDevices = [ ];
mj = {
stateVersion = "23.05";
@@ -69,7 +71,7 @@
snapshot = {
enable = true;
mountpoints = ["/data/shared"];
mountpoints = [ "/data/shared" ];
};
};
@@ -100,7 +102,7 @@
];
enable = true;
sshAllowSubnets = [myData.subnets.tailscale.sshPattern];
sshAllowSubnets = [ myData.subnets.tailscale.sshPattern ];
uidgid = myData.uidgid.updaterbot-deployee;
};
};
@@ -108,7 +110,7 @@
jakstpub = {
enable = true;
dataDir = "/data/shared";
requires = ["data-shared.mount"];
requires = [ "data-shared.mount" ];
uidgid = myData.uidgid.jakstpub;
hostname = "hdd.jakstys.lt";
};