nixpkgs-fmt

root@dishwasher 2022-06-26 21:19:15 +02:00
parent 35e93ce43b
commit ebc2829be8
Signed by: 0xa
GPG key ID: 91FA5E5BF9AA901C
11 changed files with 157 additions and 144 deletions


@ -22,7 +22,7 @@
networks."uplink" = { networks."uplink" = {
matchConfig = { Name = "enp1s0"; }; matchConfig = { Name = "enp1s0"; };
networkConfig = { networkConfig = {
DHCP="yes"; # hetzner suggests this as default DHCP = "yes"; # hetzner suggests this as default
}; };
}; };
}; };


@ -5,7 +5,8 @@
{ {
imports = imports =
[ (modulesPath + "/profiles/qemu-guest.nix") [
(modulesPath + "/profiles/qemu-guest.nix")
]; ];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sd_mod" "sr_mod" ]; boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sd_mod" "sr_mod" ];
@ -14,12 +15,14 @@
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/627952eb-107a-43c3-8223-bfea9af92837"; {
device = "/dev/disk/by-uuid/627952eb-107a-43c3-8223-bfea9af92837";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/5CA6-CCE4"; {
device = "/dev/disk/by-uuid/5CA6-CCE4";
fsType = "vfat"; fsType = "vfat";
}; };


@ -24,14 +24,14 @@
''; '';
locations = { locations = {
"/" = { "/" = {
# extraConfig = '' return 503; ''; # extraConfig = '' return 503; '';
proxyPass = "http://10.34.45.100:8080"; proxyPass = "http://10.34.45.100:8080";
}; };
"/well-known/carddav" = { "/well-known/carddav" = {
return = "301 $scheme://$host/remote.php/dav"; return = "301 $scheme://$host/remote.php/dav";
}; };
"/well-known/caldav" = { "/well-known/caldav" = {
return = "301 $scheme://$host/remote.php/dav"; return = "301 $scheme://$host/remote.php/dav";
}; };
}; };


@ -19,20 +19,20 @@
{ {
# microwave # microwave
wireguardPeerConfig = { wireguardPeerConfig = {
# nextcloud down, have to keep things in here: https://www.youtube.com/watch?v=1c6v7j1TUBI # nextcloud down, have to keep things in here: https://www.youtube.com/watch?v=1c6v7j1TUBI
PublicKey = "0zpfcNrmbsNwwbnDDX4SMl4BVTB0zuhGKixT9TJQoHc="; PublicKey = "0zpfcNrmbsNwwbnDDX4SMl4BVTB0zuhGKixT9TJQoHc=";
AllowedIPs = [ "10.66.66.10/32" ]; AllowedIPs = [ "10.66.66.10/32" ];
PersistentKeepalive = 25; PersistentKeepalive = 25;
}; };
} }
{ {
# Dishwasher # Dishwasher
wireguardPeerConfig = { wireguardPeerConfig = {
# nextcloud down, have to keep things in here: https://www.youtube.com/watch?v=1c6v7j1TUBI # nextcloud down, have to keep things in here: https://www.youtube.com/watch?v=1c6v7j1TUBI
PublicKey = "AdWUBbyeRkxdP9HUu25PpISoxbgQ8oeCw3BmV93xtAw="; PublicKey = "AdWUBbyeRkxdP9HUu25PpISoxbgQ8oeCw3BmV93xtAw=";
AllowedIPs = [ "10.66.66.100/32" ]; AllowedIPs = [ "10.66.66.100/32" ];
PersistentKeepalive = 25; PersistentKeepalive = 25;
}; };
} }
]; ];
}; };
@ -60,12 +60,12 @@
wireguardPeers = [ wireguardPeers = [
# nextcloud # nextcloud
{ {
wireguardPeerConfig = { wireguardPeerConfig = {
PublicKey ="KCYoGx7TGei4X79EZo2NONCcmQjPzBUN1Ds6I9lQbz0="; PublicKey = "KCYoGx7TGei4X79EZo2NONCcmQjPzBUN1Ds6I9lQbz0=";
AllowedIPs = [ "10.34.45.100/32" ]; AllowedIPs = [ "10.34.45.100/32" ];
PersistentKeepalive = 25; PersistentKeepalive = 25;
}; };
} }
]; ];
}; };
networks."oxaproxy" = { networks."oxaproxy" = {


@ -6,9 +6,10 @@
{ {
imports = imports =
[ # Include the results of the hardware scan. [
./hardware-configuration.nix # Include the results of the hardware scan.
]; ./hardware-configuration.nix
];
# Use the systemd-boot EFI boot loader. # Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
@ -35,7 +36,7 @@
}; };
networkConfig = { networkConfig = {
DHCP = "yes"; DHCP = "yes";
LinkLocalAddressing="ipv6"; LinkLocalAddressing = "ipv6";
IPv6AcceptRA = "yes"; IPv6AcceptRA = "yes";
}; };
dhcpV6Config = { dhcpV6Config = {
@ -47,7 +48,7 @@
}; };
}; };
services.resolved={ services.resolved = {
enable = true; enable = true;
fallbackDns = [ fallbackDns = [
"8.8.8.8" "8.8.8.8"


@ -5,7 +5,8 @@
{ {
imports = imports =
[ (modulesPath + "/installer/scan/not-detected.nix") [
(modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
@ -14,37 +15,43 @@
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/2971597a-b364-405d-8bb2-287556e819e1"; {
device = "/dev/disk/by-uuid/2971597a-b364-405d-8bb2-287556e819e1";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=nixos" "compress=zstd" "noatime" ]; options = [ "subvol=nixos" "compress=zstd" "noatime" ];
}; };
fileSystems."/var/lib" = fileSystems."/var/lib" =
{ device = "/dev/disk/by-uuid/2971597a-b364-405d-8bb2-287556e819e1"; {
device = "/dev/disk/by-uuid/2971597a-b364-405d-8bb2-287556e819e1";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=var-lib" "compress=zstd" "noatime" ]; options = [ "subvol=var-lib" "compress=zstd" "noatime" ];
}; };
fileSystems."/var/log" = fileSystems."/var/log" =
{ device = "/dev/disk/by-uuid/2971597a-b364-405d-8bb2-287556e819e1"; {
device = "/dev/disk/by-uuid/2971597a-b364-405d-8bb2-287556e819e1";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=var-log" "compress=zstd" "noatime" ]; options = [ "subvol=var-log" "compress=zstd" "noatime" ];
}; };
fileSystems."/var/microvms" = fileSystems."/var/microvms" =
{ device = "/dev/disk/by-uuid/2971597a-b364-405d-8bb2-287556e819e1"; {
device = "/dev/disk/by-uuid/2971597a-b364-405d-8bb2-287556e819e1";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=microvms" "compress=zstd" "noatime" ]; options = [ "subvol=microvms" "compress=zstd" "noatime" ];
}; };
fileSystems."/nix" = fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/2971597a-b364-405d-8bb2-287556e819e1"; {
device = "/dev/disk/by-uuid/2971597a-b364-405d-8bb2-287556e819e1";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=nix" "compress=zstd" "noatime" ]; options = [ "subvol=nix" "compress=zstd" "noatime" ];
}; };
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/2A04-BFAE"; {
device = "/dev/disk/by-uuid/2A04-BFAE";
fsType = "vfat"; fsType = "vfat";
}; };


@ -11,14 +11,15 @@
DHCPServer = false; DHCPServer = false;
IPv6SendRA = true; IPv6SendRA = true;
}; };
addresses = [ { addresses = [{
addressConfig.Address = "10.99.99.1/24"; addressConfig.Address = "10.99.99.1/24";
} { }
addressConfig.Address = "fd12:3456:789a::1/64"; {
} ]; addressConfig.Address = "fd12:3456:789a::1/64";
ipv6Prefixes = [ { }];
ipv6Prefixes = [{
ipv6PrefixConfig.Prefix = "fd12:3456:789a::/64"; ipv6PrefixConfig.Prefix = "fd12:3456:789a::/64";
} ]; }];
# networkConfig = { # networkConfig = {
# Address = "10.99.99.1/24"; # Address = "10.99.99.1/24";
# IPForward = "ipv4"; # IPForward = "ipv4";
@ -27,9 +28,9 @@
# routeConfig = { # routeConfig = {
# GatewayOnLink = true; # GatewayOnLink = true;
# };}]; # };}];
# IPForward = "ipv4"; # IPForward = "ipv4";
# DHCPServer = true; # DHCPServer = true;
# IPv6SendRA = true; # IPv6SendRA = true;
# addresses = [{ # addresses = [{
# addressConfig.Address = "10.99.99.1/24"; # addressConfig.Address = "10.99.99.1/24";
# }]; # }];


@ -15,11 +15,11 @@
{ {
# cirrus # cirrus
wireguardPeerConfig = { wireguardPeerConfig = {
PublicKey = "5nCVC21BL+1r70OGwA4Q6Z/gcPLC3+ZF8sTurdn7N0E="; PublicKey = "5nCVC21BL+1r70OGwA4Q6Z/gcPLC3+ZF8sTurdn7N0E=";
AllowedIPs = [ "10.66.66.0/24" ]; AllowedIPs = [ "10.66.66.0/24" ];
Endpoint = [ "95.216.166.21:51820" ]; Endpoint = [ "95.216.166.21:51820" ];
PersistentKeepalive = 25; PersistentKeepalive = 25;
}; };
} }
]; ];
}; };


@ -26,97 +26,98 @@
recommendedOptimisation = true; recommendedOptimisation = true;
virtualHosts."nc.oxapentane.com" = { virtualHosts."nc.oxapentane.com" = {
extraConfig = '' extraConfig = ''
# HTTP response headers borrowed from Nextcloud .htaccess # HTTP response headers borrowed from Nextcloud .htaccess
add_header Referrer-Policy "no-referrer" always; add_header Referrer-Policy "no-referrer" always;
#add_header X-Content-Type-Options "nosniff" always; #add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always; add_header X-Download-Options "noopen" always;
#add_header X-Frame-Options "SAMEORIGIN" always; #add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always; add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always; add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always; add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak # Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By; fastcgi_hide_header X-Powered-By;
''; '';
listen = [{ listen = [{
# We are listening on wireguard interface only # We are listening on wireguard interface only
addr = "10.34.45.100"; addr = "10.34.45.100";
port = 8080; port = 8080;
ssl = false; ssl = false;
}]; }];
}; };
}; };
services.nextcloud = { services.nextcloud = {
enable = true; enable = true;
hostName = "nc.oxapentane.com"; hostName = "nc.oxapentane.com";
home = "/var/lib/nextcloud-oxa"; home = "/var/lib/nextcloud-oxa";
package = pkgs.nextcloud24; package = pkgs.nextcloud24;
maxUploadSize = "5000M"; maxUploadSize = "5000M";
caching.redis = true; caching.redis = true;
autoUpdateApps = { autoUpdateApps = {
enable = true; enable = true;
startAt = "07:00:00"; startAt = "07:00:00";
}; };
config = { config = {
overwriteProtocol = "https"; overwriteProtocol = "https";
trustedProxies = [ "10.34.45.1" ]; trustedProxies = [ "10.34.45.1" ];
dbtype = "pgsql"; dbtype = "pgsql";
dbuser = "nextcloud"; dbuser = "nextcloud";
dbhost = "/run/postgresql"; dbhost = "/run/postgresql";
dbname = "nextcloud"; dbname = "nextcloud";
adminuser = "admin"; adminuser = "admin";
adminpassFile = config.sops.secrets."nextcloud/adminpass".path; adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
}; };
}; };
systemd.services."nextcloud-setup" = { systemd.services."nextcloud-setup" = {
requires = [ "postgresql.service" ]; requires = [ "postgresql.service" ];
after = [ "postgresql.service" ]; after = [ "postgresql.service" ];
}; };
microvm = { microvm = {
hypervisor = "qemu"; hypervisor = "qemu";
mem = 4 * 1024; mem = 4 * 1024;
shares = [{ shares = [{
source = "/nix/store"; source = "/nix/store";
mountPoint = "/nix/.ro-store"; mountPoint = "/nix/.ro-store";
tag = "store"; tag = "store";
proto = "virtiofs"; proto = "virtiofs";
socket = "store.socket"; socket = "store.socket";
}] ++ map (dir: { }] ++ map
source = "/var/lib/microvms/${config.networking.hostName}/${dir}"; (dir: {
mountPoint = "/${dir}"; source = "/var/lib/microvms/${config.networking.hostName}/${dir}";
tag = dir; mountPoint = "/${dir}";
proto = "virtiofs"; tag = dir;
socket = "${dir}.socket"; proto = "virtiofs";
}) [ "etc" "var" "home" ]; socket = "${dir}.socket";
}) [ "etc" "var" "home" ];
interfaces = [{ interfaces = [{
type = "tap"; type = "tap";
id = "vm-nextcloud"; id = "vm-nextcloud";
mac = "EA:40:E8:60:C5:36"; mac = "EA:40:E8:60:C5:36";
}]; }];
}; };
networking = { networking = {
hostName = "nextcloud"; hostName = "nextcloud";
}; };
services.openssh = { services.openssh = {
enable = true; enable = true;
permitRootLogin = "prohibit-password"; permitRootLogin = "prohibit-password";
}; };
networking.firewall.allowedTCPPorts = [ 22 ]; networking.firewall.allowedTCPPorts = [ 22 ];
users.users.root.openssh.authorizedKeys.keys = [ users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa 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 cardno:16 811 348" "ssh-rsa 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 cardno:16 811 348"
]; ];
system.stateVersion = "22.05"; system.stateVersion = "22.05";
} }


@ -12,9 +12,9 @@
wireguardConfig = { wireguardConfig = {
PrivateKeyFile = config.sops.secrets."wg/oxaproxy-seckey".path; PrivateKeyFile = config.sops.secrets."wg/oxaproxy-seckey".path;
#own pubkey: KCYoGx7TGei4X79EZo2NONCcmQjPzBUN1Ds6I9lQbz0= #own pubkey: KCYoGx7TGei4X79EZo2NONCcmQjPzBUN1Ds6I9lQbz0=
}; };
wireguardPeers = [ wireguardPeers = [
{ {
# cirrus # cirrus
wireguardPeerConfig = { wireguardPeerConfig = {
PublicKey = "0KMtL2fQOrrCH6c2a2l4FKiM73G86sUuyaNj4FarzVM="; PublicKey = "0KMtL2fQOrrCH6c2a2l4FKiM73G86sUuyaNj4FarzVM=";
@ -40,16 +40,16 @@
routes = [ routes = [
{ {
routeConfig = { routeConfig = {
Gateway="10.99.99.1"; Gateway = "10.99.99.1";
Destination="0.0.0.0/0"; Destination = "0.0.0.0/0";
Metric=1024; Metric = 1024;
}; };
} }
{ {
routeConfig = { routeConfig = {
Gateway="10.99.99.1"; Gateway = "10.99.99.1";
Destination="10.99.99.0/24"; Destination = "10.99.99.0/24";
Metric=1024; Metric = 1024;
}; };
} }
]; ];


@ -14,17 +14,17 @@
} }
]; ];
}; };
wg-dvb = { wg-dvb = {
privateKeyFile = config.sops.secrets."wg/wg-dvb-seckey".path; privateKeyFile = config.sops.secrets."wg/wg-dvb-seckey".path;
address = [ "10.13.37.3/32" ]; address = [ "10.13.37.3/32" ];
peers = [ { peers = [{
publicKey = "WDvCObJ0WgCCZ0ORV2q4sdXblBd8pOPZBmeWr97yphY="; publicKey = "WDvCObJ0WgCCZ0ORV2q4sdXblBd8pOPZBmeWr97yphY=";
allowedIPs = [ "10.13.37.0/24" ]; allowedIPs = [ "10.13.37.0/24" ];
endpoint = "academicstrokes.com:51820"; endpoint = "academicstrokes.com:51820";
persistentKeepalive = 25; persistentKeepalive = 25;
} ]; }];
}; };
mlwd-nl = { mlwd-nl = {