Diffstat (limited to 'profiles')
-rw-r--r--profiles/acme.nix18
-rw-r--r--profiles/backup.nix49
-rw-r--r--profiles/btrfs.nix4
-rw-r--r--profiles/default.nix150
-rw-r--r--profiles/documentation.nix15
-rw-r--r--profiles/git-server.nix129
-rw-r--r--profiles/hardware/amd.nix6
-rw-r--r--profiles/hardware/intel.nix5
-rw-r--r--profiles/hardware/xps9300.nix36
-rw-r--r--profiles/laptop.nix20
-rw-r--r--profiles/monitoring/exporter.nix7
-rw-r--r--profiles/monitoring/loki.nix102
-rw-r--r--profiles/monitoring/promtail.nix54
-rw-r--r--profiles/music-server.nix40
-rw-r--r--profiles/nas.nix17
-rw-r--r--profiles/nginx.nix30
-rw-r--r--profiles/router.nix87
-rw-r--r--profiles/samba.nix33
-rw-r--r--profiles/seedbox.nix49
-rw-r--r--profiles/server.nix19
-rw-r--r--profiles/syncthing.nix44
-rw-r--r--profiles/tailscale.nix6
-rw-r--r--profiles/unifi.nix38
-rw-r--r--profiles/workstation.nix109
24 files changed, 0 insertions, 1067 deletions
diff --git a/profiles/acme.nix b/profiles/acme.nix
deleted file mode 100644
index 7fc62d3..0000000
--- a/profiles/acme.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
- secrets = config.age.secrets;
-in
-{
- security.acme.acceptTerms = true;
- security.acme.defaults = {
- email = "le@fcuny.net";
- dnsProvider = "gandiv5";
- group = config.services.nginx.group;
- credentialsFile = secrets."gandi/apikey".path;
- dnsPropagationCheck = true;
- };
- security.acme.certs."${config.homelab.domain}" = {
- domain = "*.${config.homelab.domain}";
- extraDomainNames = [ config.homelab.domain ];
- };
-}
diff --git a/profiles/backup.nix b/profiles/backup.nix
deleted file mode 100644
index d1075e2..0000000
--- a/profiles/backup.nix
+++ /dev/null
@@ -1,49 +0,0 @@
-{ self, pkgs, config, lib, ... }:
-let
- sshPub = builtins.fromTOML (builtins.readFile "${self}/configs/ssh-pubkeys.toml");
- secrets = config.age.secrets;
- ssh-key-path = secrets."rsync.net/ssh-key".path;
- backupDir = "/data/slow/backups/";
- backupDest = "de2664@de2664.rsync.net";
-in
-{
- # a user used only for backups
- users.users.backup = {
- uid = 991;
- createHome = false;
- isSystemUser = true;
- group = "users";
- home = "${backupDir}/hosts";
- openssh.authorizedKeys.keys = with sshPub; [
- restic
- ];
- };
-
- services.openssh.sftpServerExecutable = "internal-sftp";
- services.openssh.extraConfig = ''
- Match User backup
- ChrootDirectory ${config.users.users.backup.home}
- ForceCommand internal-sftp
- AllowTcpForwarding no
- '';
-
- systemd.timers.rsync-backups = {
- description = "synchronize restic repository to rsync.net";
- wantedBy = [ "timers.target" ];
- partOf = [ "rsync-backups.service" ];
- timerConfig = {
- OnCalendar = "04:00";
- };
- };
-
- systemd.services.rsync-backups = {
- description = "synchronize restic repository to rsync.net";
- serviceConfig.Type = "oneshot";
- script = ''
- exec ${pkgs.rsync}/bin/rsync \
- -azq --delete \
- -e '${pkgs.openssh}/bin/ssh -i ${ssh-key-path}' \
- ${backupDir} ${backupDest}:backups/
- '';
- };
-}
diff --git a/profiles/btrfs.nix b/profiles/btrfs.nix
deleted file mode 100644
index 1b87165..0000000
--- a/profiles/btrfs.nix
+++ /dev/null
@@ -1,4 +0,0 @@
-{ ... }:
-{
- services.btrfs.autoScrub.enable = true;
-}
diff --git a/profiles/default.nix b/profiles/default.nix
deleted file mode 100644
index 814bcdf..0000000
--- a/profiles/default.nix
+++ /dev/null
@@ -1,150 +0,0 @@
-{ pkgs, config, lib, ... }:
-{
- # Users are managed through nix. If a user is added manually, it
- # will be removed on system activation.
- users.mutableUsers = false;
-
- boot = {
- loader = {
- # Use the systemd-boot EFI boot loader.
- systemd-boot.enable = true;
- # Prohibits gaining root access by passing init=/bin/sh as a
- # kernel parameter
- systemd-boot.editor = false;
- efi.canTouchEfiVariables = true;
- };
-
- tmp = {
- cleanOnBoot = true;
- useTmpfs = true;
- };
- kernelPackages = pkgs.linuxPackages_latest;
- };
-
- # Select internationalisation properties.
- i18n.defaultLocale = "en_US.UTF-8";
-
- time.timeZone = "America/Los_Angeles";
-
- # see https://www.man7.org/linux/man-pages/man5/loader.conf.5.html
- boot.loader.systemd-boot.consoleMode = "max";
-
- console = {
- earlySetup = true;
- font = "${pkgs.terminus_font}/share/consolefonts/ter-132n.psf.gz";
- packages = with pkgs; [ terminus_font ];
- keyMap = "us";
- };
-
- security.sudo.wheelNeedsPassword = false;
- security.polkit.enable = true;
-
- services.fstrim.enable = true;
-
- services.fwupd.enable = true;
-
- programs.ssh = {
- # $ ssh-keyscan example.com
- knownHosts = {
- github = {
- hostNames = [ "github.com" ];
- publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
- };
- rsync = {
- hostNames = [ "de2664.rsync.net" ];
- publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIObQN4P/deJ/k4P4kXh6a9K4Q89qdyywYetp9h3nwfPo";
- };
- };
- };
-
- nix = {
- package = pkgs.nixFlakes;
- settings = {
- trusted-users = [ "root" "@wheel" ];
- auto-optimise-store = true;
- substituters = [
- "https://cachix.cachix.org"
- "https://nix-community.cachix.org"
- ];
- trusted-public-keys = [
- "cachix.cachix.org-1:eWNHQldwUO7G2VkjpnjDbWwy4KQ/HNxht7H4SSoMckM="
- "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- ];
- experimental-features = [ "nix-command" "flakes" ];
- # Whether to warn about dirty Git/Mercurial trees - this is not
- # useful information to me.
- warn-dirty = false;
- # The timeout (in seconds) for establishing connections in the binary
- # cache substituter. It corresponds to curl’s –connect-timeout option.
- # The default is equivalent to 300 seconds, way too long.
- connect-timeout = 5;
- # The number of lines of the tail of the log to show if a build fails.
- # The default is 10 and it's usually too short.
- log-lines = 25;
- # If set to true, Nix will fall back to building from source if
- # a binary substitute fails. This is equivalent to the –fallback
- # flag. The default is false.
- fallback = true;
- };
-
- gc = {
- automatic = true;
- options = "--delete-older-than 14d";
- };
- };
-
- environment.shells = with pkgs; [ bashInteractive ];
-
- environment.systemPackages = with pkgs; [
- binutils
- cacert
- curl
- dmidecode
- ethtool
- flamegraph
- git
- htop
- hwdata
- iftop
- iptraf-ng
- linuxPackages.cpupower
- config.boot.kernelPackages.perf
- lm_sensors
- lsb-release
- lsof
- man-pages
- mg
- mtr
- numactl
- parted
- pciutils
- perf-tools
- powertop
- rsync
- sqlite
- strace
- tcpdump
- tmux
- traceroute
- unzip
- usbutils
- vim
- wget
- wireguard-tools
-
- # my custom tools
- tools.perf-flamegraph-pid
- ];
-
- programs.bcc.enable = true;
- programs.zsh.enable = true;
-
- # Show installed packages (https://www.reddit.com/r/NixOS/comments/fsummx/comment/fm45htj/?utm_source=share&utm_medium=web2x&context=3)
- environment.etc."installed-packages".text =
- let
- packages = builtins.map (p: "${p.name}") config.environment.systemPackages;
- sortedUnique = builtins.sort builtins.lessThan (lib.unique packages);
- formatted = builtins.concatStringsSep "\n" sortedUnique;
- in
- formatted;
-}
diff --git a/profiles/documentation.nix b/profiles/documentation.nix
deleted file mode 100644
index 71ba06b..0000000
--- a/profiles/documentation.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
- documentation = {
- enable = true;
- dev.enable = true;
- info.enable = true;
- man.enable = true;
- nixos.enable = true;
- };
-
- environment.systemPackages = with pkgs; [
- man-pages
- man-pages-posix
- ];
-}
diff --git a/profiles/git-server.nix b/profiles/git-server.nix
deleted file mode 100644
index 19f5b5c..0000000
--- a/profiles/git-server.nix
+++ /dev/null
@@ -1,129 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
- vhostName = "git.fcuny.net";
- stateDir = "/var/lib/gitolite";
-
- # there's no need for web crawlers on that site
- robots-deny = pkgs.writeText "robots.txt" ''
- User-agent: *
- Disallow: /
- '';
-
- cgitrc = ''
- # Global configuration
- virtual-root=/
-
- enable-http-clone=1
- clone-url=https://${vhostName}/$CGIT_REPO_URL
-
- # I've fewer than 150 repos, all should be able to be listed on
- # the main page
- max-repo-count=150
-
- # limit to year for the stats
- max-stats=year
-
- snapshots=tar.gz
-
- source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
- about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
-
- enable-git-config=1
- enable-index-owner=0
-
- remove-suffix=1
-
- # sort repositories by section and branches by date
- repository-sort=age
- branch-sort=age
-
- readme=:README.md
- readme=:README.org
- readme=:readme.org
-
- # print the number of modified files
- enable-log-filecount=1
-
- # print the number of modified lines
- enable-log-linecount=1
- enable-follow-links=1
- enable-blame=1
-
- root-title=¯\_(°ペ)_/¯
- root-desc=source code of my various projects
-
- # don't index or follow
- robots="noindex, nofollow"
-
- project-list=${stateDir}/projects.list
- scan-path=${stateDir}/repositories
- '';
-in
-{
-
- # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/web-servers/fcgiwrap.nix
- services.fcgiwrap = {
- enable = true;
- user = "git";
- group = "git";
- };
-
- services.nginx.virtualHosts."${vhostName}" = {
- # make cgit the default site: if a request goes through nginx
- # without a host header, this will be the default site we serve
- # for that request.
- default = true;
- forceSSL = true;
- enableACME = true;
- listen = [
- {
- addr = "192.168.6.40";
- port = 443;
- ssl = true;
- }
- {
- addr = "192.168.6.40";
- port = 80;
- ssl = false;
- }
- ];
- locations = {
- "~* ^.+.(css|png|ico)$" = { root = "${pkgs.cgit}/cgit"; };
- # as per https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md
- # if you want to map a single file make sure the location starts with a =, e.g =/i.gif instead of /i.gif.
- "=/robots.txt".alias = robots-deny;
- "/".extraConfig = ''
- include ${pkgs.nginx}/conf/fastcgi_params;
- fastcgi_param CGIT_CONFIG ${pkgs.writeText "cgitrc" cgitrc};
- fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi;
- fastcgi_split_path_info ^(/?)(.+)$;
- fastcgi_param PATH_INFO $fastcgi_path_info;
- fastcgi_param HTTP_HOST $server_name;
- fastcgi_param QUERY_STRING $args;
- fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
- if ($http_user_agent ~* "(Blackbox Exporter)" ) {
- access_log off;
- }
- '';
- };
- };
-
- # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/misc/gitolite.nix
- services.gitolite = {
- enable = true;
- dataDir = stateDir;
- adminPubkey = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGX4+CuUjiX6Doi4n6RqmznzFUyRrxKhEFvuIxROzXDKAAAABHNzaDo=";
- user = "git";
- group = "git";
- extraGitoliteRc = ''
- # Make dirs/files group readable, needed for webserver/cgit. (Default
- # setting is 0077.)
- $RC{UMASK} = 0027;
- $RC{GIT_CONFIG_KEYS} = 'cgit.desc cgit.hide cgit.ignore cgit.owner cgit.section';
- $RC{LOCAL_CODE} = "$rc{GL_ADMIN_BASE}/local";
- push( @{$RC{ENABLE}}, 'symbolic-ref' );
- '';
- };
-
- my.services.backup.paths = [ stateDir ];
-}
diff --git a/profiles/hardware/amd.nix b/profiles/hardware/amd.nix
deleted file mode 100644
index dc933ee..0000000
--- a/profiles/hardware/amd.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{ ... }:
-{
- hardware.cpu.amd.updateMicrocode = true;
- boot.kernelModules = [ "kvm-amd" "k10temp" ];
- boot.kernelParams = [ "amd_pstate=passive" ];
-}
diff --git a/profiles/hardware/intel.nix b/profiles/hardware/intel.nix
deleted file mode 100644
index 756ad9a..0000000
--- a/profiles/hardware/intel.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ ... }:
-{
- hardware.cpu.intel.updateMicrocode = true;
- boot.kernelModules = [ "kvm-intel" ];
-}
diff --git a/profiles/hardware/xps9300.nix b/profiles/hardware/xps9300.nix
deleted file mode 100644
index 72a8b5e..0000000
--- a/profiles/hardware/xps9300.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-{ config, pkgs, ... }:
-{
- imports = [
- ./intel.nix
- ];
-
- boot.kernelParams = [
- "mem_sleep_default=deep"
- ];
-
- # Touchpad goes over i2c, and the psmouse module interferes with it
- boot.blacklistedKernelModules = [ "psmouse" ];
-
- # Includes the Wi-Fi and Bluetooth firmware for the QCA6390.
- hardware.enableRedistributableFirmware = true;
-
- networking.wireless.iwd.enable = true;
- hardware.bluetooth.enable = true;
- services.blueman.enable = true;
-
- boot.initrd.kernelModules = [ "i915" "acpi_call" ];
-
- environment.variables = {
- VDPAU_DRIVER = "va_gl";
- };
-
- hardware.opengl.extraPackages = with pkgs; [
- vaapiIntel
- libvdpau-va-gl
- intel-media-driver
- ];
-
- boot = {
- extraModulePackages = with config.boot.kernelPackages; [ acpi_call ];
- };
-}
diff --git a/profiles/laptop.nix b/profiles/laptop.nix
deleted file mode 100644
index 9ae1742..0000000
--- a/profiles/laptop.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ pkgs, config, lib, ... }:
-{
- imports = [
- ./workstation.nix
- ];
-
- services.logind.lidSwitch = "suspend-then-hibernate";
- services.upower.enable = true;
- services.thermald.enable = true;
-
- services.tlp.enable = true;
- services.tlp.settings = {
- CPU_SCALING_GOVERNOR_ON_AC = "performance";
- CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
-
- # Keep charge between 60% and 80% to preserve battery life
- START_CHARGE_THRESH_BAT0 = 60;
- STOP_CHARGE_THRESH_BAT0 = 80;
- };
-}
diff --git a/profiles/monitoring/exporter.nix b/profiles/monitoring/exporter.nix
deleted file mode 100644
index ded6423..0000000
--- a/profiles/monitoring/exporter.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ ... }:
-{
- services.prometheus.exporters.node = {
- enable = true;
- enabledCollectors = [ "tcpstat" "systemd" "interrupts" ];
- };
-}
diff --git a/profiles/monitoring/loki.nix b/profiles/monitoring/loki.nix
deleted file mode 100644
index 4b31bb4..0000000
--- a/profiles/monitoring/loki.nix
+++ /dev/null
@@ -1,102 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
- services.loki.enable = true;
- services.loki.configuration = {
- # no need for authentication, since we're binding on the
- # wireguard interface, we can trust the connections.
- auth_enabled = false;
-
- server = {
- http_listen_port = 3100;
- http_listen_address = "127.0.0.1";
- };
-
- ingester = {
- lifecycler = {
- address = "127.0.0.1";
- ring = {
- kvstore = { store = "inmemory"; };
- replication_factor = 1;
- };
- final_sleep = "0s";
- };
-
- # Any chunk not receiving new logs in this time will be flushed
- chunk_idle_period = "1h";
-
- # All chunks will be flushed when they hit this age, default is 1h
- max_chunk_age = "1h";
-
- # Loki will attempt to build chunks up to 1.5MB, flushing first if
- # chunk_idle_period or max_chunk_age is reached first
- chunk_target_size = 1048576;
-
- # Must be greater than index read cache TTL if using an index cache (Default
- # index read cache TTL is 5m)
- chunk_retain_period = "30s";
-
- # Chunk transfers disabled
- max_transfer_retries = 0;
- };
-
- schema_config = {
- configs = [{
- from = "2020-10-24";
- store = "boltdb-shipper";
- object_store = "filesystem";
- schema = "v11";
- index = {
- prefix = "index_";
- period = "24h";
- };
- }];
- };
-
- storage_config = {
- boltdb_shipper = {
- active_index_directory = "/var/lib/loki/boltdb-shipper-active";
- cache_location = "/var/lib/loki/boltdb-shipper-cache";
-
- # Can be increased for faster performance over longer query periods,
- # uses more disk space
- cache_ttl = "24h";
-
- shared_store = "filesystem";
- };
-
- filesystem = { directory = "/var/lib/loki/chunks"; };
- };
-
- limits_config = {
- reject_old_samples = true;
- reject_old_samples_max_age = "168h";
- };
-
- chunk_store_config = { max_look_back_period = "0s"; };
-
- table_manager = {
- retention_deletes_enabled = false;
- retention_period = "0s";
- };
-
- compactor = {
- working_directory = "/var/lib/loki/boltdb-shipper-compactor";
- shared_store = "filesystem";
- };
- };
-
- services.nginx.virtualHosts."loki.${config.homelab.domain}" = {
- forceSSL = true;
- useACMEHost = config.homelab.domain;
- listen = [
- {
- addr = "192.168.6.40";
- port = 443;
- ssl = true;
- }
- ];
- locations."/" = {
- proxyPass = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}";
- };
- };
-}
diff --git a/profiles/monitoring/promtail.nix b/profiles/monitoring/promtail.nix
deleted file mode 100644
index a3b95c2..0000000
--- a/profiles/monitoring/promtail.nix
+++ /dev/null
@@ -1,54 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
- services.promtail.enable = true;
- services.promtail.configuration = {
- clients = [{ url = "https://loki.${config.homelab.domain}/loki/api/v1/push"; }];
- scrape_configs = [
- {
- job_name = "journal";
- journal = {
- json = true;
- path = "/var/log/journal";
- max_age = "12h";
- labels = {
- host = config.networking.hostName;
- job = "journal";
- "__path__" = "/var/log/journal";
- };
- };
-
- relabel_configs = [
- {
- source_labels = [ "__journal__systemd_unit" ];
- target_label = "unit";
- }
- {
- source_labels = [ "__journal_priority" ];
- target_label = "priority";
- }
- {
- source_labels = [ "__journal_syslog_identifier" ];
- target_label = "syslog_id";
- }
- ];
- }
-
- {
- job_name = "nginx";
- static_configs = [{
- labels = {
- host = config.networking.hostName;
- job = "nginx";
- __path__ = "/var/log/nginx/*";
- };
- }];
- }
- ];
-
- server = {
- http_listen_port = 9832;
- http_path_prefix = "/promtail";
- grpc_listen_port = 0;
- };
- };
-}
diff --git a/profiles/music-server.nix b/profiles/music-server.nix
deleted file mode 100644
index 5757db5..0000000
--- a/profiles/music-server.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
- musicFolder = "/data/fast/music";
- vhostName = "music.${config.homelab.domain}";
-in
-{
- # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/audio/navidrome.nix
- services.navidrome = {
- enable = true;
- settings = {
- MusicFolder = musicFolder;
- };
- };
-
- services.nginx.virtualHosts."${vhostName}" = {
- forceSSL = true;
- useACMEHost = config.homelab.domain;
- listen = [
- {
- addr = "192.168.6.40";
- port = 443;
- ssl = true;
- }
- {
- addr = "192.168.6.40";
- port = 80;
- ssl = false;
- }
- ];
- locations."/" = {
- proxyPass = "http://127.0.0.1:4533";
- proxyWebsockets = true;
- };
- };
-
- my.services.backup = {
- paths = [ config.systemd.services.navidrome.serviceConfig.WorkingDirectory ];
- exclude = [ "${config.systemd.services.navidrome.serviceConfig.WorkingDirectory}/cache/" ];
- };
-}
diff --git a/profiles/nas.nix b/profiles/nas.nix
deleted file mode 100644
index 296c364..0000000
--- a/profiles/nas.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{ config, pkgs, ... }:
-{
- imports = [
- ./server.nix
- ];
-
- users.groups.nas.gid = 5000;
- users.users.nas = {
- uid = 5000;
- group = "nas";
- isSystemUser = true;
- };
-
- # Use systemd-resolved
- services.resolved.enable = true;
- services.resolved.dnssec = "false";
-}
diff --git a/profiles/nginx.nix b/profiles/nginx.nix
deleted file mode 100644
index e32106f..0000000
--- a/profiles/nginx.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ pkgs, lib, config, ... }:
-{
- services.nginx = {
- enable = true;
-
- # For monitoring scraping. If we don't set a default port, it will
- # by default use port 80, which will conflict with the
- # configuration of the router, since we need to listen on port 80
- # too for streaming.
- statusPage = true;
- defaultHTTPListenPort = 8008;
-
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedTlsSettings = true;
- recommendedProxySettings = true;
- };
-
- services.prometheus.exporters.nginx = {
- enable = true;
- scrapeUri = "http://127.0.0.1:${toString config.services.nginx.defaultHTTPListenPort}/nginx_status";
- listenAddress = "127.0.0.1";
- port = 9113;
- };
-
- # Nginx needs to be able to read the certificates
- users.users.nginx.extraGroups = [ "acme" ];
-
- networking.firewall.allowedTCPPorts = [ 80 443 ];
-}
diff --git a/profiles/router.nix b/profiles/router.nix
deleted file mode 100644
index d259d6a..0000000
--- a/profiles/router.nix
+++ /dev/null
@@ -1,87 +0,0 @@
-{ lib, config, pkgs, ... }:
-{
- boot.kernel.sysctl = {
- "net.ipv4.conf.all.forwarding" = true;
- "net.ipv4.conf.default.forwarding" = true;
- "net.core.default_qdisc" = "fq";
- "net.ipv4.tcp_congestion_control" = "bbr";
- };
-
- services.dnsmasq = {
- enable = true;
- resolveLocalQueries = true;
- extraConfig = ''
- log-dhcp
-
- bind-interfaces
-
- server=8.8.8.8
- server=4.4.4.4
- cache-size=1000
-
- domain-needed
- domain=home
- local=/home/
- no-resolv
-
- dhcp-script=${pkgs.tools.dnsmasq-to-html}/bin/dnsmasq-leases-html
- script-on-renewal
-
- dhcp-authoritative
-
- interface=mgmt0
- dhcp-range=set:mgmt0,192.168.0.100,192.168.0.199,30m
- dhcp-option=tag:mgmt0,option:router,192.168.0.1
-
- interface=iot
- dhcp-range=set:iot,192.168.10.100,192.168.10.199,30m
- dhcp-option=tag:iot,option:router,192.168.10.1
-
- interface=guest
- dhcp-range=set:guest,192.168.20.100,192.168.20.199,30m
- dhcp-option=tag:guest,option:router,192.168.20.1
-
- dhcp-option=option:dns-server,192.168.0.1,8.8.8.8
-
- dhcp-host=b4:fb:e4:81:4f:0f,ap-media-room,192.168.0.30,infinite
- dhcp-host=74:83:c2:12:67:2d,ap-living-room,192.168.0.31,infinite
- dhcp-host=b4:fb:e4:81:52:6c,ap-office,192.168.0.32,infinite
- dhcp-host=b4:fb:e4:b2:bd:b8,switch-garage,192.168.0.33,infinite
- dhcp-host=fc:ec:da:78:d8:92,switch-media-room,192.168.0.34,infinite
- dhcp-host=b4:fb:e4:8f:69:0e,switch-office,192.168.0.35,infinite
- dhcp-host=d8:bb:c1:44:1c:d3,tahoe,192.168.0.40,infinite
-
- # hosted names
- host-record=loki,loki.${config.homelab.domain},192.168.6.40
- '';
- };
-
- # dnsmasq needs the interfaces to be online
- # https://serverfault.com/a/907603
- systemd.services.dnsmasq = {
- after = [ "network-online.target" "network.target" ];
- wants = [ "network-online.target" ];
- };
-
- # DNS / DHCPv4 / DHCPv6
- networking.firewall.allowedUDPPorts = [ 53 67 547 ];
-
- services.nginx.virtualHosts."dnsmasq" = {
- listen = [
- {
- addr = "192.168.6.1";
- port = 8067;
- }
- ];
- locations."/" = {
- root = "/var/lib/dnsmasq";
- index = "leases.html";
- };
- };
-
- services.prometheus.exporters.dnsmasq = {
- enable = true;
- leasesPath = "/var/lib/dnsmasq/dnsmasq.leases";
- };
-
-}
diff --git a/profiles/samba.nix b/profiles/samba.nix
deleted file mode 100644
index 4ae8839..0000000
--- a/profiles/samba.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
- makePublicShare = path: {
- name = builtins.baseNameOf path;
- value = {
- inherit path;
- browseable = "yes";
- writeable = "no";
- "guest ok" = "yes";
- "guest only" = "yes";
- "force user" = "nobody";
- };
- };
- publicShares = [ "/data/fast/music" "/data/fast/videos" ];
-in
-{
- # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/network-filesystems/samba.nix
- services.samba = {
- enable = true;
- extraConfig = ''
- workgroup = WORKGROUP
- server string = tahoe
- netbios name = tahoe
- security = user
- guest account = nobody
- mangled names = no
- client min protocol = SMB2
- map to guest = bad user
- ntlm auth = true
- '';
- shares = with lib; (listToAttrs (map makePublicShare publicShares));
- };
-}
diff --git a/profiles/seedbox.nix b/profiles/seedbox.nix
deleted file mode 100644
index 9825a44..0000000
--- a/profiles/seedbox.nix
+++ /dev/null
@@ -1,49 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
- secrets = config.age.secrets;
- vhostName = "bt.${config.homelab.domain}";
-in
-{
-
- # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/torrent/transmission.nix
- services.transmission = {
- enable = true;
- group = "nas";
- performanceNetParameters = true;
- home = "/data/fast/torrents";
- openPeerPorts = true;
- settings = {
- dht-enabled = false;
- cache-size-mb = 128;
- peer-port = 52213;
- peer-port-random-low = 49152;
- peer-port-random-high = 65535;
- message-level = 2;
-
- rpc-enabled = true;
- rpc-host-whitelist-enabled = false;
- verify-threads = 4;
- };
- };
-
- services.nginx.virtualHosts."${vhostName}" = {
- forceSSL = true;
- useACMEHost = config.homelab.domain;
- listen = [
- {
- addr = "192.168.6.40";
- port = 443;
- ssl = true;
- }
- {
- addr = "192.168.6.40";
- port = 80;
- ssl = false;
- }
- ];
- locations."/" = {
- proxyPass = "http://127.0.0.1:9091";
- proxyWebsockets = true;
- };
- };
-}
diff --git a/profiles/server.nix b/profiles/server.nix
deleted file mode 100644
index 47cdc17..0000000
--- a/profiles/server.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-{ pkgs, config, lib, ... }:
-{
- imports = [
- ./default.nix
- ./tailscale.nix
- ];
-
- powerManagement.cpuFreqGovernor = "schedutil";
-
- services.openssh = {
- enable = true;
- settings = {
- PermitRootLogin = "yes";
- PasswordAuthentication = false;
- };
- };
-
- networking.firewall.allowedTCPPorts = [ 22 ];
-}
diff --git a/profiles/syncthing.nix b/profiles/syncthing.nix
deleted file mode 100644
index 6dcb503..0000000
--- a/profiles/syncthing.nix
+++ /dev/null
@@ -1,44 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
- secrets = config.age.secrets;
-in
-{
- services.syncthing = {
- enable = true;
- openDefaultPorts = true;
- user = "fcuny";
- group = "users";
- dataDir = "/home/fcuny/.local/state/syncthing";
- cert = secrets."syncthing/cert".path;
- key = secrets."syncthing/key".path;
-
- folders.Documents = {
- path = "/home/fcuny/documents";
- devices = [ "aptos" "tahoe" ];
- };
-
- folders.PixelCamera = {
- path = "/home/fcuny/media/pixel/camera";
- id = "pixel_5_vwsr-photos";
- devices = lib.attrNames config.services.syncthing.devices;
- };
-
- devices = {
- aptos = {
- id =
- "JAN5UMH-2FAQQ7S-KLQ2YXM-C7KKK7U-HVHUK7I-CWOZQRM-VLQSO63-ZTP4WAN";
- introducer = false;
- };
- tahoe = {
- id =
- "4Y36C3Y-LUTO6LD-JXNV73B-FLXSTNP-5Q3CSPY-HESHTPH-EDYA54K-WEICJAJ";
- introducer = true;
- };
- pixel = {
- id =
- "J3JQFCJ-MY5RCF7-4NXMVU5-2JECKWO-UHFUS5T-KO64EMB-RNUV4F2-ZQ7Z6A6";
- introducer = false;
- };
- };
- };
-}
diff --git a/profiles/tailscale.nix b/profiles/tailscale.nix
deleted file mode 100644
index 61c1a38..0000000
--- a/profiles/tailscale.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{ ... }:
-{
- services.tailscale.enable = true;
- networking.firewall.trustedInterfaces = [ "tailscale0" ];
- networking.firewall.checkReversePath = "loose";
-}
diff --git a/profiles/unifi.nix b/profiles/unifi.nix
deleted file mode 100644
index 23cb1b4..0000000
--- a/profiles/unifi.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
- secrets = config.age.secrets;
- vhostName = "unifi.${config.homelab.domain}";
-in
-{
- # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/unifi.nix
- services.unifi = {
- enable = true;
- openFirewall = true;
- unifiPackage = pkgs.unifi7;
- mongodbPackage = pkgs.mongodb-4_2;
- };
-
- services.nginx.virtualHosts."${vhostName}" = {
- forceSSL = true;
- useACMEHost = config.homelab.domain;
- listen = [
- {
- addr = "192.168.6.40";
- port = 443;
- ssl = true;
- }
- {
- addr = "192.168.6.40";
- port = 80;
- ssl = false;
- }
- ];
- locations."/" = {
- proxyPass = "https://127.0.0.1:8443";
- proxyWebsockets = true;
- };
- };
-
- my.services.backup = { paths = [ "/var/lib/unifi/data/backup" ]; };
-}
diff --git a/profiles/workstation.nix b/profiles/workstation.nix
deleted file mode 100644
index a3a3fac..0000000
--- a/profiles/workstation.nix
+++ /dev/null
@@ -1,109 +0,0 @@
-{ pkgs, config, lib, ... }:
-{
- imports = [
- ./default.nix
- ./tailscale.nix
- ];
-
- virtualisation.docker.enable = false;
- virtualisation.podman.enable = true;
- virtualisation.podman.dockerCompat = true;
-
- services.dbus.enable = true;
- services.dbus.packages = with pkgs; [ gcr dconf gnome.sushi ];
- services.udev.packages = with pkgs; [ gnome3.gnome-settings-daemon ];
-
- services.gvfs.enable = true;
-
- programs.dconf.enable = true;
-
- services.avahi.enable = true;
- services.avahi.nssmdns = true;
- services.avahi.openFirewall = true;
-
- # for the yubikeys
- services.pcscd.enable = true;
-
- # Install tools related to the scanner (scanimage etc)
- hardware.sane.enable = true;
-
- # RealtimeKit is recommended
- security.rtkit.enable = true;
-
- # Sound configuration
- sound.enable = false;
-
- services.pipewire = {
- enable = true;
- alsa.enable = true;
- alsa.support32Bit = true;
- pulse.enable = true;
- jack.enable = true;
- };
-
- hardware.pulseaudio.enable = false;
-
- # This is a good source of information about fonts:
- # https://github.com/system-fonts/modern-font-stacks
- fonts = {
- enableDefaultFonts = true;
- fontDir.enable = true;
- fontconfig = {
- enable = true;
- defaultFonts = {
- serif = [ "DejaVu Serif" ];
- sansSerif = [ "DejaVu Sans Serif" ];
- monospace = [ "Source Code Pro" ];
- };
- };
- fonts = with pkgs; [
- dejavu_fonts
- etBook
- font-awesome_5
- noto-fonts
- noto-fonts-cjk
- noto-fonts-emoji
- source-code-pro
- powerline-fonts
- roboto
- roboto-mono
- ];
- };
-
- # Misc packages useful on a workstation
- environment.systemPackages = with pkgs; [
- # sound related
- pulseaudio
- pavucontrol
- easyeffects
- ];
-
- hardware.opengl.enable = true;
-
- # Use systemd-resolved
- services.resolved.enable = true;
- services.resolved.dnssec = "false";
-
- xdg.portal = {
- enable = true;
- wlr.enable = true;
- extraPortals =
- [ pkgs.xdg-desktop-portal-gtk pkgs.xdg-desktop-portal-wlr ];
- };
-
- programs.sway = {
- enable = true;
- wrapperFeatures.gtk = true;
- extraPackages = with pkgs; [
- brightnessctl
- polkit_gnome
- xsettingsd
- swaylock
- swayidle
- wl-clipboard
- ];
- extraSessionCommands = ''
- export MOZ_ENABLE_WAYLAND=1
- '';
- };
-}