This commit is contained in:
Lukas Wurzinger 2024-12-01 04:05:16 +01:00
parent 47036cde64
commit 0968b6f955
57 changed files with 426 additions and 86 deletions


@ -0,0 +1,6 @@
{
security.acme = {
defaults.email = "lukas@wrz.one";
acceptTerms = true;
};
}


@ -0,0 +1,24 @@
{
attrName,
config,
lib,
...
}: {
age.secrets = lib.mkSecrets {"restic-${attrName}" = {};};
services.restic.backups.${attrName} = {
repository = "sftp:u385962@u385962.your-storagebox.de:/restic/${attrName}";
initialize = true;
paths = [
config.services.vaultwarden.backupDir
config.services.syncthing.dataDir
];
passwordFile = config.age.secrets."restic-${attrName}".path;
pruneOpts = ["--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12"];
timerConfig = {
OnCalendar = "*-*-* 03:00:00";
Persistent = true;
};
extraOptions = ["sftp.args='-i /etc/ssh/ssh_host_ed25519_key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'"];
};
}
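Review bot: The `extraOptions` line at the end of this file turns off SSH host-key verification for the backup target (`StrictHostKeyChecking=no` together with `UserKnownHostsFile=/dev/null`), so the restic client will talk to anything answering at the storage box's address; restic's repository encryption protects confidentiality, but a spoofed endpoint can still silently swallow or truncate backups. The same two flags appear in the rsync `--rsh` string of the audiocomp service and in the other host's restic module in this commit. Pinning the provider's host key instead, e.g. `programs.ssh.knownHosts."u385962.your-storagebox.de".publicKey = "[STORAGEBOX HOST KEY — fill in]";`, and dropping the two `-o` options leaves the rest of the sftp arguments unchanged. Reusing the machine's `ssh_host_ed25519_key` as the client identity also deserves a comment, since it ties the backup credential to the host key's lifetime and rotation.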


@ -0,0 +1,7 @@
{config, ...}: {
fileSystems.${config.services.navidrome.settings.MusicFolder} = {
label = "music";
fsType = "ext4";
options = ["noatime"];
};
}


@ -0,0 +1,9 @@
{modulesPath, ...}: {
imports = ["${modulesPath}/profiles/qemu-guest.nix"];
nixpkgs.hostPlatform = "aarch64-linux";
boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod"];
powerManagement.cpuFreqGovernor = "performance";
}


@ -0,0 +1,49 @@
{
config,
lib,
...
}: let
inherit (config.networking) domain;
virtualHostName = "bin.${domain}";
in {
age.secrets = lib.mkSecrets {microbin = {};};
services.microbin = {
enable = true;
passwordFile = config.age.secrets.microbin.path;
settings = {
MICROBIN_BIND = "127.0.0.1";
MICROBIN_PORT = 8020;
MICROBIN_PUBLIC_PATH = "https://${virtualHostName}/";
MICROBIN_READONLY = true;
MICROBIN_EDITABLE = true;
MICROBIN_ETERNAL_PASTA = true;
MICROBIN_HIGHLIGHTSYNTAX = true;
MICROBIN_PRIVATE = true;
MICROBIN_ENABLE_BURN_AFTER = true;
MICROBIN_QR = true;
MICROBIN_NO_FILE_UPLOAD = false;
MICROBIN_ENCRYPTION_CLIENT_SIDE = true;
MICROBIN_MAX_FILE_SIZE_ENCRYPTED_MB = 1024;
MICROBIN_MAX_FILE_SIZE_UNENCRYPTED_MB = 4096;
MICROBIN_DISABLE_UPDATE_CHECKING = true;
MICROBIN_DISABLE_TELEMETRY = true;
MICROBIN_LIST_SERVER = false;
};
};
services.nginx.virtualHosts.${virtualHostName} = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://${lib.formatHostPort {
host = config.services.microbin.settings.MICROBIN_BIND;
port = config.services.microbin.settings.MICROBIN_PORT;
}}";
};
}
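Review bot: The nginx virtual host at the bottom of this file leaves `client_max_body_size` at nginx's default of 1 MiB, while the settings above keep file upload enabled and allow 1024/4096 MB files, so any larger upload is answered with 413 by nginx before microbin sees it. Adding `locations."/".extraConfig = "client_max_body_size 4096m;";` to the virtual host (sized to `MICROBIN_MAX_FILE_SIZE_UNENCRYPTED_MB`) makes the two limits agree. Disabling `proxy_request_buffering` in the same place may also be worth considering so multi-GB bodies are not spooled to disk by nginx first, though whether that helps depends on how microbin consumes the request.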


@ -0,0 +1,29 @@
{
config,
lib,
...
}: let
inherit (config.networking) domain;
virtualHostName = "flux.${domain}";
in {
age.secrets = lib.mkSecrets {miniflux = {};};
services.miniflux = {
enable = true;
createDatabaseLocally = true;
adminCredentialsFile = config.age.secrets.miniflux.path;
config = {
LISTEN_ADDR = "localhost:8030";
BASE_URL = "https://${virtualHostName}";
CREATE_ADMIN = 1;
WEBAUTHN = 1;
};
};
services.nginx.virtualHosts.${virtualHostName} = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://${config.services.miniflux.config.LISTEN_ADDR}";
};
}


@ -0,0 +1,27 @@
{
config,
lib,
...
}: let
inherit (config.networking) domain;
virtualHostName = "navi.${domain}";
in {
services.navidrome = {
enable = true;
settings = {
Address = "localhost";
Port = 8050;
MusicFolder = "/srv/music";
};
};
services.nginx.virtualHosts.${virtualHostName} = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://${lib.formatHostPort {
host = config.services.navidrome.settings.Address;
port = config.services.navidrome.settings.Port;
}}";
};
}


@ -0,0 +1,18 @@
{
networking = let
interface = "enp1s0";
in {
domain = "wrz.one";
interfaces.${interface}.ipv6.addresses = [
{
address = "2a01:4f9:c012:92b5::2";
prefixLength = 64;
}
];
defaultGateway6 = {
address = "fe80::1";
inherit interface;
};
firewall.allowedTCPPorts = [80 443];
};
}


@ -0,0 +1,22 @@
{config, ...}: {
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
commonHttpConfig = ''
error_log stderr;
access_log /var/log/nginx/access.log;
'';
virtualHosts."~.*" = {
default = true;
rejectSSL = true;
globalRedirect = config.networking.domain;
};
};
}
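Review bot: The catch-all virtual host `"~.*"` (a regex server_name that matches any Host header) does three distinct things — `default = true` makes it the fallback for unmatched names, `rejectSSL = true` makes nginx refuse TLS handshakes for unknown SNI instead of answering with another site's certificate, and `globalRedirect` sends plain-HTTP requests to the bare domain — and none of that is written down. A one-line comment above the `virtualHosts` entry, e.g. `# fallback for unknown Host/SNI: refuse TLS, redirect plain HTTP to the apex domain`, would save the next reader a trip to the module docs.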


@ -0,0 +1,31 @@
{
config,
lib,
...
}: let
inherit (config.networking) domain;
parent = "/var/www";
sites = [
domain
"log.${domain}"
];
in
lib.mkMerge (map (
virtualHostName: let
root = "${parent}/${virtualHostName}";
in {
services.nginx.virtualHosts.${virtualHostName} = {
enableACME = true;
forceSSL = true;
inherit root;
};
systemd.tmpfiles.settings."10-static-sites".${root}.d = {
user = config.users.mainUser;
group = "users";
mode = "0755";
};
}
)
sites)


@ -0,0 +1,18 @@
{config, ...}: let
inherit (config.networking) domain;
virtualHostName = "sync.${domain}";
in {
services.syncthing = {
enable = true;
systemService = true;
openDefaultPorts = true;
guiAddress = "localhost:8040";
};
services.nginx.virtualHosts.${virtualHostName} = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://${config.services.syncthing.guiAddress}";
};
}
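Review bot: The virtual host at the bottom publishes the Syncthing GUI on `sync.${domain}` to the internet with nothing in front of it, and nothing in this file configures GUI credentials; Syncthing only enforces GUI authentication once a user and password are set. Unless that is done elsewhere (e.g. via `services.syncthing.settings.gui.user` / `password`), the admin UI and REST API behind this proxy are reachable unauthenticated. Setting those credentials, gating the vhost with nginx `basicAuthFile`, or restricting `locations."/"` to trusted source addresses would close that. `openDefaultPorts = true` is unrelated — it opens the sync and discovery ports, not the GUI.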


@ -0,0 +1,3 @@
{
system.stateVersion = "24.11";
}


@ -0,0 +1,48 @@
{
config,
lib,
...
}: let
inherit (config.networking) domain;
virtualHostName = "vault.${domain}";
backupDir = "/srv/backup/vaultwarden";
in {
age.secrets = lib.mkSecrets {vaultwarden = {};};
services.vaultwarden = {
enable = true;
dbBackend = "sqlite";
inherit backupDir;
config = {
DOMAIN = "https://${virtualHostName}";
SIGNUPS_ALLOWED = false;
INVITATIONS_ALLOWED = false;
ENABLE_WEBSOCKET = true;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8000;
};
environmentFile = config.age.secrets.vaultwarden.path;
};
systemd.timers.backup-vaultwarden.timerConfig.OnCalendar = "*-*-* 02:00:00";
services.nginx.virtualHosts.${virtualHostName} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://${lib.formatHostPort {
host = config.services.vaultwarden.config.ROCKET_ADDRESS;
port = config.services.vaultwarden.config.ROCKET_PORT;
}}";
proxyWebsockets = true;
};
};
}


@ -0,0 +1,84 @@
{
inputs,
lib,
pkgs,
...
}: let
audiocomp = pkgs.writeShellApplication {
name = "audiocomp";
runtimeInputs = [
pkgs.parallel
pkgs.rsync
pkgs.openssh
];
text = let
remoteDir = inputs.self.nixosConfigurations.abacus.config.services.navidrome.settings.MusicFolder;
enc = pkgs.writeShellApplication {
name = "enc";
runtimeInputs = [
pkgs.opusTools
];
text = ''
src=$1
dst=$src
dst=''${dst%.flac}.opus
dst=/srv/compmusic/''${dst#/srv/music/}
if [[ -f "$dst" ]]; then
exit
fi
mkdir --parents -- "$(dirname -- "$dst")"
echo "encoding ''${src@Q} -> ''${dst@Q}" >&2
exec opusenc --quiet --bitrate 96.000 -- "$src" "$dst"
'';
};
clean = pkgs.writeShellApplication {
name = "clean";
text = ''
del=$1
chk=$del
chk=''${chk%.opus}.flac
chk=/srv/music/''${chk#/srv/compmusic/}
if [[ ! -f "$chk" ]]; then
echo "deleting ''${del@Q}" >&2
rm --force -- "$del"
fi
'';
};
in ''
shopt -s globstar nullglob
find /srv/music -name '*.flac' -print0 | parallel --null -- ${lib.getExe enc} {}
find /srv/compmusic -name '*.flac' -exec ${clean} {} \;
echo syncing >&2
rsync --verbose --verbose --archive --update --delete --mkpath --exclude lost+found \
--rsh 'ssh -i /etc/ssh/ssh_host_ed25519_key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null' \
-- /srv/compmusic/ root@wrz.one:${remoteDir}
'';
};
in {
systemd.services.audiocomp = {
description = "Compress and sync music";
serviceConfig = {
Type = "oneshot";
User = "root";
Group = "root";
ExecStart = lib.getExe audiocomp;
};
};
systemd.timers.audiocomp = {
description = "Compress and sync music daily";
wantedBy = ["timers.target"];
timerConfig = {
OnCalendar = "*-*-* 03:00:00";
Persistent = true;
Unit = "audiocomp.service";
};
};
}
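Review bot: The cleanup pass on the `find /srv/compmusic` line cannot do what `clean` expects: it selects `*.flac` under `/srv/compmusic`, but the encoder writes `.opus` files there and `clean` maps `.opus` back to its `.flac` source (`chk=''${chk%.opus}.flac`), so stale encoded files are never removed. The same line interpolates `${clean}` — the derivation's store path, a directory — where the line before it correctly uses `${lib.getExe enc}`, so `find -exec` would fail to execute it in any case. The fix is one line: `find /srv/compmusic -name '*.opus' -exec ${lib.getExe clean} {} \;`. The `shopt -s globstar nullglob` line is unused since no globs follow it, and the host-key flags in the rsync `--rsh` string carry the same concern raised on the restic module in this commit.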


@ -0,0 +1,60 @@
{
attrName,
config,
lib,
pkgs,
...
}: let
backups = {
music = "/srv/music";
safe = "/srv/safe";
storage = "/srv/storage";
sync = config.services.syncthing.dataDir;
};
in {
systemd = lib.mkMerge (map (
backupName: let
systemdName = "${backupName}-backup";
in {
timers.${systemdName} = {
description = "Local rsync Backup ${backupName}";
wantedBy = ["timers.target"];
timerConfig = {
OnCalendar = "*-*-* 03:00:00";
Persistent = true;
Unit = "${systemdName}.service";
};
};
services.${systemdName} = {
description = "Local rsync Backup ${backupName}";
serviceConfig = {
Type = "oneshot";
User = "root";
Group = "root";
};
script = ''
${lib.getExe pkgs.rsync} --verbose --verbose --archive --update --delete --mkpath -- ${backups.${backupName}}/ /srv/backup/${backupName}/
'';
};
}
) (lib.attrNames backups));
age.secrets = lib.mkSecrets {"restic-${attrName}" = {};};
services.restic.backups.${attrName} = {
repository = "sftp:u385962@u385962.your-storagebox.de:/restic/${attrName}";
initialize = true;
paths = [
backups.safe
backups.sync
];
passwordFile = config.age.secrets."restic-${attrName}".path;
pruneOpts = ["--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12"];
timerConfig = {
OnCalendar = "*-*-* 03:00:00";
Persistent = true;
};
extraOptions = ["sftp.args='-i /etc/ssh/ssh_host_ed25519_key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'"];
};
}
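Review bot: The `backups` table at the top drives both jobs, but only two of its four entries (`safe`, `sync`) appear in the restic `paths`, while all four are mirrored to `/srv/backup` by the generated rsync units; nothing records whether `music` and `storage` are deliberately local-only. A comment on the table, e.g. `# all entries are mirrored locally by rsync; only safe and sync are pushed offsite via restic`, would capture that intent. The four rsync timers, the restic timer and the audiocomp timer elsewhere in this commit all fire at `03:00:00` with no `RandomizedDelaySec`, which is worth a note if the overlap is intended.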


@ -0,0 +1,24 @@
let
upstream = "https://one.one.one.one/dns-query";
in {
services.blocky = {
enable = true;
settings = {
port = 53;
upstream.default = [upstream];
bootstrapDns = {
inherit upstream;
ips = ["1.1.1.1" "1.0.0.1"];
};
blocking = {
blackLists.ads = ["https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"];
clientGroupsBlock.default = ["ads"];
};
caching = {
minTime = "5m";
maxTime = "30m";
prefetching = true;
};
};
};
}


@ -0,0 +1,7 @@
{
fileSystems."/srv/backup" = {
label = "backup";
fsType = "ext4";
options = ["noatime"];
};
}


@ -0,0 +1,22 @@
{
inputs,
modulesPath,
...
}: {
imports = [
"${modulesPath}/installer/scan/not-detected.nix"
inputs.hardware.nixosModules.common-cpu-intel
inputs.hardware.nixosModules.common-gpu-intel
inputs.hardware.nixosModules.common-pc-ssd
];
nixpkgs.hostPlatform = "x86_64-linux";
boot = {
initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
kernelModules = ["kvm-intel"];
};
powerManagement.cpuFreqGovernor = "powersave";
}


@ -0,0 +1,27 @@
{
systemd.tmpfiles.settings = {
"10-safe"."/srv/safe".d = {
user = "lukas";
group = "users";
mode = "0755";
};
"10-storage"."/srv/storage".d = {
user = "lukas";
group = "users";
mode = "0755";
};
"10-music"."/srv/music".d = {
user = "lukas";
group = "users";
mode = "0755";
};
"10-compmusic"."/srv/compmusic".d = {
user = "lukas";
group = "users";
mode = "0755";
};
};
}
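Review bot: All four tmpfiles entries hardcode `user = "lukas"` while the static-sites module in this same commit takes `config` and uses `config.users.mainUser` for the same purpose; doing the same here, `user = config.users.mainUser;`, keeps the owner defined in one place. The four identically-shaped blocks could also be generated from a list of paths with `lib.genAttrs`, in the same spirit as the `map` over `backups` in the local-backup module, though that is a matter of taste.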


@ -0,0 +1,15 @@
{lib, ...}: let
guiPort = 8384;
in {
services.syncthing = {
enable = true;
systemService = true;
openDefaultPorts = true;
guiAddress = lib.formatHostPort {
host = "0.0.0.0";
port = guiPort;
};
};
networking.firewall.allowedTCPPorts = [guiPort];
}
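Review bot: `guiAddress` binds the Syncthing GUI to `0.0.0.0:8384` and the last line opens that port in the firewall, so the admin UI and REST API are served over plain HTTP to every network the host is attached to, and no GUI credentials are set in this file. Unless `services.syncthing.settings.gui.user` / `password` are configured elsewhere, anyone on those networks can administer the instance. Binding to a specific LAN address, or at least setting the credentials, would narrow that; `openDefaultPorts` only covers the sync and discovery ports and is fine as is.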


@ -0,0 +1,3 @@
{
system.stateVersion = "24.11";
}