{
pkgs,
lib,
config,
inputs,
...
}: let
# Runtime path of a sops-managed secret, looked up by its key in
# `config.sops.secrets`. The file only exists after sops-nix has decrypted
# it at activation; the plaintext never enters the Nix store.
sopsPath = secretName: let
  secret = config.sops.secrets.${secretName};
in
  secret.path;
# Build an nginx virtualHost that listens only on this host's VPN addresses
# and terminates TLS with a per-site certificate issued by the private CA.
# `overrides` is merged on top with recursiveUpdate, so a caller can (silently)
# replace any base attribute, including the TLS ones.
# NOTE(review): `addSSL` keeps a plain-HTTP listener next to HTTPS on the VPN
# addresses; `forceSSL = true` would redirect instead. Check for http://
# consumers before switching.
mkVirtHost = certificateName: overrides:
  let
    # Public material may live in the store; only the private key goes via sops.
    caCert = pkgs.writeText "ca.crt" (builtins.readFile ../secrets/ca.crt);
    siteCert = pkgs.writeText "${certificateName}.crt" (builtins.readFile ../secrets/pub/${certificateName}.crt);
    base = {
      addSSL = true;
      listenAddresses = [vpnIPv4 "[${vpnIPv6}]"];
      sslTrustedCertificate = caCert;
      sslCertificate = siteCert;
      sslCertificateKey = sopsPath "certificate-key-${certificateName}";
    };
  in
    lib.recursiveUpdate base overrides;
# VPN addresses of this host, maintained in the shared `state` module.
vpnIPv4 = config.state.vpn.ipv4;
vpnIPv6 = config.state.vpn.ipv6;
in {
imports = [
inputs.nixos-hardware.nixosModules.common-cpu-intel #-cpu-only
../modules/nginx-reverse-proxy.nix
../hardware/asrock-z370-i3-black-box.nix
];
config = {
networking = {
  hostName = "faunus-ater";
  # Required by ZFS; must stay stable across rebuilds.
  hostId = "a4d7bec4";
  interfaces.eno1.useDHCP = true;
};
# === Make sure ZFS works ===
# TODO: Update and think of some automatic way of keeping this up to date.
# Pinned to the 5.15 LTS series so the out-of-tree ZFS module keeps building.
# NOTE(review): `pkgs.zfs.latestCompatibleLinuxPackages` (if available in the
# pinned nixpkgs) would track the newest kernel ZFS supports automatically.
boot.kernelPackages = pkgs.linuxPackages_5_15;
# === Can't handle this ===
# Never drop into the emergency shell on boot failure.
systemd.enableEmergencyMode = false;
# === Settings ===
# NOTE(review): custom option that exposes sshd beyond the VPN. Keep the
# daemon key-only; note that the `sftp` account below appears to get the
# default login shell, so its keys are not limited to file transfer.
settings.ssh.openOutsideVPN = true;
# === ZFS services ===
services.zfs = {
  trim.enable = true;
  autoScrub = {
    enable = true;
    pools = ["rpool"];
  };
};
# === Additional services ===
# Firmware updates (fwupd); the microcode switch lives further down.
services.fwupd.enable = true;
powerManagement = {
  enable = true;
  cpuFreqGovernor = "powersave";
  powertop.enable = true;
};
# === Git.home, because everything else sucks ===
services.gogs = {
  enable = true;
  appName = "Malte's Secret Git Stash";
  stateDir = "/data/dirty/gogs";
  # NOTE(review): the VPN vhost is git.home while Gogs is told git.tammena.me;
  # links and cookies Gogs generates are based on rootUrl — confirm intended.
  domain = "git.tammena.me";
  rootUrl = "https://git.tammena.me/";
  httpPort = config.state.services.git.port;
  cookieSecure = true;
  database.passwordFile = sopsPath "gogs-database-password";
  # FIXME: Remove after upstream fix of database type
  # Registration stays closed; accounts are created by an admin only.
  extraConfig = ''
    [database]
    TYPE = sqlite3
    [auth]
    DISABLE_REGISTRATION = true
    SHOW_REGISTRATION_BUTTON = false
  '';
};
services.nginx.virtualHosts."git.home" = let
  gogs = config.services.gogs;
in
  mkVirtHost "git-home" {
    locations."/" = {
      proxyWebsockets = true;
      proxyPass = "http://${gogs.httpAddress}:${builtins.toString gogs.httpPort}";
    };
  };
# Containers are managed by podman (presumably rootful, the oci-containers
# default) with docker CLI compatibility for tooling.
virtualisation = {
  oci-containers.backend = "podman";
  podman = {
    enable = true;
    dockerCompat = true;
    # Needed for the zfs storage driver below.
    extraPackages = with pkgs; [zfs];
  };
  # Override storage driver: keep image layers on ZFS.
  containers.storage.settings.storage = {
    driver = "zfs";
    graphroot = "/var/lib/containers/storage";
    runroot = "/run/containers/storage";
  };
};
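virtualisation.oci-containers.containers."timetagger" = {
  image = "ghcr.io/almarklein/timetagger:v23.2.1";
  # Publish on the host loopback only: the sole consumer is the nginx vhost
  # that proxies to 127.0.0.1:5873 (TLS, VPN addresses). A bare "5873:5873"
  # mapping binds every host interface, and port publishing by rootful podman
  # is generally not subject to the NixOS firewall rules.
  ports = ["127.0.0.1:5873:5873"];
  environment = {
    # Inside the container it must still listen on all interfaces so the
    # port mapping can reach it.
    TIMETAGGER_BIND = "0.0.0.0:5873";
    TIMETAGGER_DATADIR = "/root/_timetagger";
    TIMETAGGER_LOG_LEVEL = "info";
    # NOTE(review): these bcrypt hashes (cost 8) end up in the generated
    # systemd unit and therefore in the world-readable Nix store. Move them
    # into a sops-managed env file and load it via `environmentFiles`.
    TIMETAGGER_CREDENTIALS = "malte:$2a$08$P.e3SD0cnPK0P4mFYShELuoa37.1e1dEqE8MWa6LJ/kSJfje1BdBi,marie:$2a$08$ubOZWO510y5bgwIl0O4Ne.dKZdWoHqEMzvs56L6esqvLfBJ/6OgYm";
  };
  volumes = [
    "/data/dirty/timetagger:/root/_timetagger"
  ];
};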
# Four plain reverse proxies to services bound on the host loopback; each
# gets its own certificate from the private CA via mkVirtHost.
services.nginx.virtualHosts."time.home" = mkVirtHost "time-home" {
  # timetagger container (port published on the host)
  locations."/".proxyPass = "http://127.0.0.1:5873";
  locations."/".proxyWebsockets = true;
};
services.nginx.virtualHosts."todo.home" = mkVirtHost "todo-home" {
  # upstream on :7372 is not defined in this file
  locations."/".proxyPass = "http://127.0.0.1:7372";
  locations."/".proxyWebsockets = true;
};
services.nginx.virtualHosts."support.home" = mkVirtHost "support-home" {
  # upstream on :9999 is not defined in this file
  locations."/".proxyPass = "http://127.0.0.1:9999";
  locations."/".proxyWebsockets = true;
};
services.nginx.virtualHosts."config.home" = mkVirtHost "config-home" {
  # home-assistant container (port published on the host)
  locations."/".proxyPass = "http://127.0.0.1:8123";
  locations."/".proxyWebsockets = true;
};
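virtualisation.oci-containers.containers.home-assistant = {
  image = "ghcr.io/home-assistant/home-assistant:2023.9";
  volumes = ["/data/dirty/home-assistant:/config"];
  environment.TZ = "Europe/Berlin";
  ports = [
    # Web UI on the host loopback only; it is reached through the config.home
    # vhost (TLS, VPN addresses). A bare "8123:8123" publishes it on every
    # host interface, outside the NixOS firewall's control for rootful podman.
    # Anything that dialled http://<host>:8123 directly must use the vhost.
    "127.0.0.1:8123:8123"
    # Sonos event callbacks come from the LAN, so this one stays host-wide
    # (opened in the firewall below).
    "1400:1400/tcp"
  ];
  extraOptions = [
    # TODO: Fix the path of the zigbee controller using udev
    "--device=/dev/serial/by-id/usb-Silicon_Labs_Sonoff_Zigbee_3.0_USB_Dongle_Plus_0001-if00-port0"
    "--device=/dev/ttyUSB0"
    # NET_RAW grants raw-socket access inside the container (presumably for
    # discovery/ping integrations); drop it if no integration needs it.
    "--cap-add=CAP_NET_RAW,CAP_NET_BIND_SERVICE"
  ];
};
# For SONOS
networking.firewall.allowedTCPPorts = [1400];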
# === HYDRA & Friends. ===
services.hydra = {
  enable = true;
  package = pkgs.hydra;
  # Plain http on the bare hostname; the TLS front for the VPN is hydra.home.
  hydraURL = "http://faunus-ater:${builtins.toString config.services.hydra.port}";
  notificationSender = "hydra@home";
  minimumDiskFree = 10;
  useSubstitutes = true;
};
services.nix-serve = {
  enable = true;
  # Binary-cache signing key; whoever can read it can sign store paths.
  secretKeyFile = sopsPath "nix-store-signing-key";
  # FIXME: Remove once fixed upstream
  # NOTE(review): pins nix-serve to Nix 2.12, an older release line; revisit
  # once the upstream issue is resolved so it does not linger.
  package = pkgs.nix-serve.override {nix = pkgs.nixVersions.nix_2_12;};
};
# Build on other machines aswell if possible
# Every builder is reached as `hydra-minion` with the same sops-managed key;
# the local entry lets hydra build here through the same path.
nix.buildMachines = let
  minion = {
    hostName,
    speedFactor,
    supportedFeatures ? [],
  }: {
    inherit hostName speedFactor supportedFeatures;
    maxJobs = 4;
    sshUser = "hydra-minion";
    sshKey = sopsPath "hydra-overseer-key";
    systems = ["x86_64-linux" "i686-linux"];
  };
in [
  (minion {
    hostName = "localhost";
    speedFactor = 1;
  })
  (minion {
    hostName = "helix-texta";
    speedFactor = 2;
    supportedFeatures = ["kvm" "big-parallel"];
  })
  (minion {
    hostName = "murex-pecten";
    speedFactor = 4;
    supportedFeatures = ["kvm" "big-parallel"];
  })
];
# TODO: This doesn't seem to work
# NOTE(review): `accept-new` is trust-on-first-use — the first connection to
# each builder (helix-texta, murex-pecten) is accepted unverified. Pinning the
# builders' host keys via `programs.ssh.knownHosts` removes the TOFU window
# and the need for this setting. The connections are presumably made by the
# nix daemon / hydra queue runner, not an interactive user — verify which ssh
# config they actually read before debugging this further.
programs.ssh.extraConfig = ''
Host *
StrictHostKeyChecking accept-new
'';
# NOTE(review): whitelists every http/https URL for restricted evaluation
# (hydra jobsets); narrow it to the forges actually fetched from.
nix.extraOptions = ''
allowed-uris = http:// https://
'';
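# One-shot unit that creates the hydra admin account on first boot and leaves
# a marker in hydra's home so later runs do not touch the account.
# NOTE(review): the previous script used `"$USER_PW"`, but LoadCredential only
# provides a *file* under $CREDENTIALS_DIRECTORY — it sets no environment
# variable — so the secret was never used (empty password or a failed call).
systemd.services."hydra-initial-setup" = {
  description = "Setup hydra admin password once";
  serviceConfig = {
    Type = "oneshot";
    RemainAfterExit = true;
    # Exposed as $CREDENTIALS_DIRECTORY/USER_PW (root-owned sops secret is fine).
    LoadCredential = "USER_PW:${sopsPath "hydra-admin-password"}";
  };
  wantedBy = lib.singleton "multi-user.target";
  requires = lib.singleton "hydra-init.service";
  after = lib.singleton "hydra-init.service";
  environment = {
    inherit (config.systemd.services.hydra-init.environment) HYDRA_DBI;
  };
  script = let
    # Same package the hydra service itself runs.
    hydra-create-user = "${config.services.hydra.package}/bin/hydra-create-user";
  in ''
    if [ ! -e ~hydra/.setup-is-complete ]; then
      USER_PW="$(cat "$CREDENTIALS_DIRECTORY/USER_PW")"
      if [ -z "$USER_PW" ]; then
        echo "hydra-initial-setup: admin password credential is empty, refusing to create admin" >&2
        exit 1
      fi
      # create admin user (the password is briefly visible in the process
      # argv; check whether this hydra-create-user offers a prompt/stdin mode)
      ${hydra-create-user} admin --full-name 'Admin Mc. Admining' --email-address 'admin@faunus-ater' --password "$USER_PW" --role admin || exit 1
      # done
      touch ~hydra/.setup-is-complete
    fi
  '';
};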
# Hydra web UI and the nix-serve binary cache, exposed over the VPN with TLS
# in front of their plain-http local ports.
services.nginx.virtualHosts."hydra.home" = mkVirtHost "hydra-home" {
  locations."/".proxyPass = "http://localhost:${builtins.toString config.services.hydra.port}";
};
services.nginx.virtualHosts."cache.home" = mkVirtHost "cache-home" {
  locations."/".proxyPass = "http://localhost:${builtins.toString config.services.nix-serve.port}";
};
# === PAPERLESS service, save me! ===
services.paperless = {
  enable = true;
  dataDir = "/data/dirty/paperless";
  # IPv6 loopback only; the doc.home vhost proxies to it.
  address = "[::1]";
  # NOTE(review): sops default is root-owned 0400 — confirm the paperless
  # module reads this with root privileges, or give the secret an `owner`.
  passwordFile = sopsPath "paperless-admin-password";
  extraConfig = {
    # Consumption directory handling
    PAPERLESS_CONSUMER_RECURSIVE = true;
    PAPERLESS_CONSUMER_SUBDIRS_AS_TAGS = true;
    PAPERLESS_CONSUMER_DELETE_DUPLICATES = true;
    # Storage layout, OCR language and the public URL used for links/CSRF
    PAPERLESS_FILENAME_FORMAT = "{created_year}/{correspondent}/{created_year}-{created_month}-{created_day}-{document_type}-{title}-{tag_list}";
    PAPERLESS_OCR_LANGUAGE = "deu";
    PAPERLESS_URL = "https://doc.home";
  };
};
2023-09-21 16:05:17 +02:00
services.nginx.virtualHosts."doc.home" = mkVirtHost "doc-home" {
  locations."/" = {
    proxyWebsockets = true;
    # paperless is bound to [::1], so the proxy target matches it.
    proxyPass = "http://[::1]:${builtins.toString config.services.paperless.port}";
  };
};
# === Komga, for my reading needs ===
services.komga = {
  enable = true;
  stateDir = "/data/dirty/komga";
};
services.nginx.virtualHosts."read.home" = mkVirtHost "read-home" {
  locations."/" = {
    proxyWebsockets = true;
    proxyPass = "http://[::1]:${builtins.toString config.services.komga.port}";
  };
};
# === Trilium ===
services.trilium-server = {
  enable = true;
  dataDir = "/data/dirty/trilium";
  port = 10302;
};
services.nginx.virtualHosts."note.home" = let
  trilium = config.services.trilium-server;
in
  mkVirtHost "note-home" {
    locations."/" = {
      proxyWebsockets = true;
      # Follows whatever bind address the module uses.
      proxyPass = "http://${trilium.host}:${builtins.toString trilium.port}";
    };
  };
# === Photoprism ===
services.photoprism = {
  enable = true;
  port = 2342;
  originalsPath = "/data/dirty/photoprism/originals";
  importPath = "/data/dirty/photoprism/import";
  storagePath = "/data/dirty/photoprism/storage";
  passwordFile = sopsPath "photoprism-admin-password";
  settings = {
    PHOTOPRISM_SITE_URL = "https://foto.home";
    PHOTOPRISM_SITE_TITLE = "PhotoPrism";
    PHOTOPRISM_SITE_CAPTION = "All the pictures!";
    PHOTOPRISM_SITE_DESCRIPTION = "";
    PHOTOPRISM_SITE_AUTHOR = "";
    # NOTE(review): one-year sessions (seconds); a leaked session cookie
    # stays valid for a year.
    PHOTOPRISM_SESSION_MAXAGE = "31536000";
    PHOTOPRISM_SESSION_TIMEOUT = "31536000";
    PHOTOPRISM_UPLOAD_NSFW = "true";
    PHOTOPRISM_DETECT_NSFW = "true";
  };
};
# TODO: Why does it not work without these? :/
# NOTE(review): these overrides drop the module's sandbox — no DynamicUser,
# no User/Group (so the service runs as root) and an empty SystemCallFilter.
# A likely cause is that the sops secret defaults to root-owned 0400 and the
# /data/dirty/photoprism paths are not owned by the dynamic user; giving the
# secret an `owner` and chowning the data paths to a dedicated account would
# let the hardening stay in place. Confirm before relying on this guess.
systemd.services.photoprism.serviceConfig = {
  User = lib.mkForce null;
  Group = lib.mkForce null;
  DynamicUser = lib.mkForce false;
  SystemCallFilter = lib.mkForce [];
};
services.nginx.virtualHosts."foto.home" = mkVirtHost "foto-home" {
  # Photo uploads pass through nginx, so lift its 1M default body limit.
  extraConfig = ''
    client_max_body_size 500M;
  '';
  locations."/" = {
    proxyWebsockets = true;
    proxyPass = "http://localhost:${builtins.toString config.services.photoprism.port}";
  };
};
# === Restic User Backup ===
# Custom module (not from nixpkgs); presumably serves restic clients from rootDir.
services.resticConfigured = {
  enable = true;
  rootDir = "/data/dirty/restic";
  # NOTE(review): opens the module's port(s) on every interface; restrict it
  # to the VPN interface if clients only arrive over the VPN.
  openFirewall = true;
};
users = {
  groups.sftp = {};
  users.sftp = {
    description = "User used for all sftp stuff";
    isNormalUser = true;
    group = "sftp";
    # NOTE(review): `isNormalUser` without `shell` gives this account the
    # system's default login shell, so both keys grant an interactive session,
    # not just sftp. If only transfers are intended, confine it in sshd (e.g.
    # a `Match User sftp` block with `ForceCommand internal-sftp`) or set an
    # explicit non-login shell.
    openssh.authorizedKeys.keyFiles = [
      ../secrets/users/malte/sftp-key.pub
      ../secrets/users/marie/sftp-key.pub
    ];
  };
};
# CPU microcode updates follow the redistributable-firmware switch.
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# === BACKUPS ===
# Make sure my 'active IO' disk get's saved once a day
# NOTE(review): the repository is on the same host (/data/archive); this
# guards against dataset loss, not against a compromise of this machine.
services.restic.backups.zdirty = {
  repository = "/data/archive/dirty.bak";
  initialize = true;
  paths = lib.singleton "/data/dirty";
  passwordFile = sopsPath "internal-restic-password";
  timerConfig.OnCalendar = "daily";
  pruneOpts = [
    "--keep-daily 1"
    "--keep-weekly 1"
    "--keep-monthly 1"
    "--keep-yearly 5"
  ];
};
# === RUNTIME SECRETS ===
# Decrypted at activation with the host's ssh ed25519 key (used as an age
# identity); nothing is decrypted at build time.
sops = {
  defaultSopsFile = ../secrets/hosts/faunus-ater/secrets.yaml;
  age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
};
sops.secrets = let
  nginxSecret = {
    owner = config.users.users.nginx.name;
    mode = "0400";
  };
  hydraSecret = mode: {
    owner = config.users.users.hydra.name;
    inherit mode;
  };
  # One TLS private key per VPN vhost (see mkVirtHost). "listen" has no vhost
  # in this file; presumably defined by an imported module.
  vhostNames = ["config" "todo" "time" "support" "hydra" "cache" "doc" "read" "note" "foto" "listen" "git"];
  certificateKeys = lib.genAttrs (map (n: "certificate-key-${n}-home") vhostNames) (_: nginxSecret);
in
  certificateKeys
  // {
    # nginx-wide certificate pair; not referenced in this file.
    "nginx-cert-key" = nginxSecret;
    "nginx-cert-crt" = nginxSecret;
    # sops-nix defaults (root-owned, 0400): the consumer must read these as
    # root or through systemd LoadCredential.
    "paperless-admin-password" = {};
    "photoprism-admin-password" = {};
    "fritzbox-exporter-env" = {};
    "internal-restic-password" = {};
    "nix-store-signing-key" = {};
    "hydra-admin-password" = hydraSecret "0400";
    # 0440 leaves the builders' ssh key group-readable.
    "hydra-overseer-key" = hydraSecret "0440";
    "gogs-database-password" = {
      owner = config.users.users.gogs.name;
      mode = "0400";
    };
  };
# All services that run here, that should be exposed need to be exposed on the VPN
# Only the tailscale interface is opened; a service counts when it is hosted
# on this machine and flagged `external` in the shared state.
networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = let
  thisHost = config.networking.hostName;
  exposedHere = svc: svc.host == thisHost && (svc.external or false);
  # Named `svc`, not `config`, so the module argument is not shadowed.
  portOf = _name: svc: svc.port;
in
  lib.mapAttrsToList portOf (lib.filterAttrs (_name: exposedHere) config.state.services);
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.05"; # Did you read the comment?
};
}