init

2024-02-04 21:51:11 +01:00 · 2024-02-04 21:51:11 +01:00 · 3ab713a5b3
commit 3ab713a5b3
64 changed files with 2043 additions and 0 deletions
--- a/hosts/abacus/default.nix
+++ b/hosts/abacus/default.nix
@ -0,0 +1,42 @@
+{modulesPath, ...}: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+
+    ./mailserver.nix
+    ./nextcloud.nix
+    ./nginx.nix
+    ./static.nix
+    ./vaultwarden.nix
+    # TODO: dendrite/conduit, gitea/forgejo
+  ];
+
+  nixpkgs.hostPlatform = "aarch64-linux";
+
+  boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod"];
+
+  system.stateVersion = "24.05";
+
+  powerManagement.cpuFreqGovernor = "performance";
+
+  networking = let
+    interface = "enp1s0";
+  in {
+    domain = "wrz.one";
+    interfaces.${interface}.ipv6.addresses = [
+      {
+        address = "2a01:4f9:c012:92b5::2";
+        prefixLength = 64;
+      }
+    ];
+    defaultGateway6 = {
+      address = "fe80::1";
+      inherit interface;
+    };
+    firewall.allowedTCPPorts = [80 443];
+  };
+
+  security.acme = {
+    defaults.email = "lukasatwrzdotone@gmail.com";
+    acceptTerms = true;
+  };
+}
--- a/hosts/abacus/mailserver.nix
+++ b/hosts/abacus/mailserver.nix
@ -0,0 +1,38 @@
+{config, ...}: let
+  inherit (config.networking) domain;
+  inherit (config.networking) fqdn;
+in {
+  age.secrets.mail-lukas.file = ../../secrets/mail-lukas.age;
+
+  environment.persistence."/persist".directories = [
+    config.mailserver.dkimKeyDirectory
+    config.mailserver.mailDirectory
+    config.mailserver.sieveDirectory
+  ];
+
+  mailserver = {
+    enable = true;
+    openFirewall = true;
+    inherit fqdn;
+    domains = [domain];
+
+    loginAccounts = {
+      "lukas@${domain}" = {
+        hashedPasswordFile = config.age.secrets.mail-lukas.path;
+        aliases = ["postmaster@${domain}"];
+      };
+    };
+
+    certificateScheme = "acme-nginx";
+  };
+
+  # FIXME: This is unnecessary when https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/275 is closed
+  services.dovecot2.sieve.extensions = ["fileinto"];
+
+  services.nginx.virtualHosts."mta-sts.${domain}" = {
+    locations."= /.well-known/mta-sts.txt".return = ''200 "version: STSv1\nmode: enforce\nmx: ${fqdn}\nmax_age: 86400"'';
+    enableACME = true;
+    forceSSL = true;
+    quic = true;
+  };
+}
--- a/hosts/abacus/nextcloud.nix
+++ b/hosts/abacus/nextcloud.nix
@ -0,0 +1,69 @@
+{
+  config,
+  pkgs,
+  ...
+}: let
+  hostName = "cloud.${config.networking.domain}";
+in {
+  age.secrets.nextcloud-lukas = {
+    file = ../../secrets/nextcloud-lukas.age;
+    owner = "nextcloud";
+    group = "nextcloud";
+  };
+
+  system.fsPackages = [pkgs.sshfs];
+  fileSystems."${config.services.nextcloud.home}/data/${config.services.nextcloud.config.adminuser}/files/remote" = {
+    device = "u385962@u385962.your-storagebox.de:/";
+    fsType = "sshfs";
+    options = [
+      "allow_other"
+      "IdentityFile=/persist/etc/ssh/ssh_host_ed25519_key"
+      "_netdev"
+      "reconnect"
+      "ServerAliveInterval=15"
+      "x-systemd.automount"
+    ];
+  };
+
+  services.nextcloud = {
+    enable = true;
+    package = pkgs.nextcloud28;
+
+    inherit hostName;
+    https = true;
+
+    configureRedis = true;
+
+    # TODO: news
+    extraApps = {
+      inherit
+        (config.services.nextcloud.package.packages.apps)
+        bookmarks
+        calendar
+        contacts
+        deck
+        forms
+        mail
+        maps
+        notes
+        phonetrack
+        tasks
+        ;
+    };
+    extraAppsEnable = true;
+
+    database.createLocally = true;
+    config = {
+      dbtype = "pgsql";
+
+      adminuser = "lukas";
+      adminpassFile = config.age.secrets.nextcloud-lukas.path;
+    };
+  };
+
+  services.nginx.virtualHosts.${hostName} = {
+    enableACME = true;
+    forceSSL = true;
+    quic = true;
+  };
+}
--- a/hosts/abacus/nginx.nix
+++ b/hosts/abacus/nginx.nix
@ -0,0 +1,20 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  environment.persistence."/persist".directories = ["/var/www"];
+
+  services.nginx = {
+    enable = true;
+    package = pkgs.nginxQuic;
+
+    recommendedBrotliSettings = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedZstdSettings = true;
+    commonHttpConfig = "access_log syslog:server=unix:/dev/log;";
+  };
+}
--- a/hosts/abacus/static.nix
+++ b/hosts/abacus/static.nix
@ -0,0 +1,20 @@
+{config, ...}: {
+  services.nginx = {
+    virtualHosts = let
+      inherit (config.networking) domain;
+    in {
+      ${domain} = {
+        root = "/var/www/${domain}";
+        enableACME = true;
+        forceSSL = true;
+        quic = true;
+      };
+      "log.${domain}" = {
+        root = "/var/www/log.${domain}";
+        enableACME = true;
+        forceSSL = true;
+        quic = true;
+      };
+    };
+  };
+}
--- a/hosts/abacus/vaultwarden.nix
+++ b/hosts/abacus/vaultwarden.nix
@ -0,0 +1,20 @@
+{config, ...}: let
+  inherit (config.networking) domain;
+in {
+  services.vaultwarden = {
+    enable = true;
+
+    config = {
+      SIGNUPS_ALLOWED = false;
+      ROCKET_ADDRESS = "127.0.0.1";
+      ROCKET_PORT = 8000;
+    };
+  };
+
+  services.nginx.virtualHosts."vault.${domain}" = {
+    locations."/".proxyPass = "http://${config.services.vaultwarden.config.ROCKET_ADDRESS}:${builtins.toString config.services.vaultwarden.config.ROCKET_PORT}";
+    enableACME = true;
+    forceSSL = true;
+    quic = true;
+  };
+}
--- a/hosts/flamingo/default.nix
+++ b/hosts/flamingo/default.nix
@ -0,0 +1,25 @@
+{
+  inputs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+
+    inputs.hardware.nixosModules.lenovo-thinkpad-t480
+  ];
+
+  nixpkgs.hostPlatform = "x86_64-linux";
+
+  boot = {
+    initrd.availableKernelModules = ["xhci_pci" "nvme" "usb_storage" "sd_mod"];
+    kernelModules = ["kvm-intel"];
+  };
+
+  system.stateVersion = "24.05";
+
+  powerManagement.cpuFreqGovernor = "powersave";
+
+  console.keyMap = "de";
+  services.xserver.layout = "de";
+}
--- a/hosts/glacier/default.nix
+++ b/hosts/glacier/default.nix
@ -0,0 +1,31 @@
+{
+  pkgs,
+  inputs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+
+    inputs.hardware.nixosModules.common-cpu-amd
+    inputs.hardware.nixosModules.common-gpu-amd
+    inputs.hardware.nixosModules.common-pc-ssd
+
+    ./printing.nix
+  ];
+
+  nixpkgs.hostPlatform = "x86_64-linux";
+
+  boot = {
+    initrd = {
+      availableKernelModules = ["nvme" "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod"];
+      kernelModules = ["amdgpu"];
+    };
+    kernelModules = ["kvm-amd"];
+    binfmt.emulatedSystems = ["aarch64-linux"];
+  };
+
+  system.stateVersion = "24.05";
+
+  powerManagement.cpuFreqGovernor = "performance";
+}
--- a/hosts/glacier/printing.nix
+++ b/hosts/glacier/printing.nix
@ -0,0 +1,6 @@
+{pkgs, ...}: {
+  services.printing.drivers = with pkgs; [
+    epson-escpr
+    epson-escpr2
+  ];
+}
--- a/hosts/scenery/default.nix
+++ b/hosts/scenery/default.nix
@ -0,0 +1,25 @@
+{
+  inputs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+
+    inputs.hardware.nixosModules.lenovo-thinkpad-x260
+  ];
+
+  nixpkgs.hostPlatform = "x86_64-linux";
+
+  boot = {
+    initrd.availableKernelModules = ["xhci_pci" "nvme" "usb_storage" "sd_mod"];
+    kernelModules = ["kvm-intel"];
+  };
+
+  system.stateVersion = "24.05";
+
+  powerManagement.cpuFreqGovernor = "powersave";
+
+  console.keyMap = "de";
+  services.xserver.layout = "de";
+}
--- a/hosts/vessel/backup.nix
+++ b/hosts/vessel/backup.nix
@ -0,0 +1,31 @@
+{
+  pkgs,
+  lib,
+  ...
+}: {
+  systemd.timers.local-backup = {
+    description = "Local rsync Backup";
+    wantedBy = ["timers.target"];
+    timerConfig = {
+      OnCalendar = "*-*-* 00:00:00";
+      Persistent = true;
+      Unit = "local-backup.service";
+    };
+  };
+
+  systemd.services.local-backup = {
+    description = "Local rsync Backup";
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = ''${lib.getExe pkgs.rsync} --verbose --verbose --archive --update --delete /srv/storage/ /srv/backup/'';
+      User = "root";
+      Group = "root";
+    };
+  };
+
+  fileSystems."/srv/backup" = {
+    device = "/dev/disk/by-label/backup";
+    fsType = "btrfs";
+    options = ["subvol=main" "compress=zstd" "noatime"];
+  };
+}
--- a/hosts/vessel/default.nix
+++ b/hosts/vessel/default.nix
@ -0,0 +1,32 @@
+{
+  inputs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+
+    inputs.hardware.nixosModules.common-cpu-intel
+    inputs.hardware.nixosModules.common-gpu-intel
+    inputs.hardware.nixosModules.common-pc-ssd
+
+    ./backup.nix
+  ];
+
+  nixpkgs.hostPlatform = "x86_64-linux";
+
+  boot = {
+    initrd.availableKernelModules = ["ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod"];
+    kernelModules = ["kvm-intel"];
+  };
+
+  system.stateVersion = "24.05";
+
+  powerManagement.cpuFreqGovernor = "performance";
+
+  fileSystems."/srv/storage" = {
+    device = "/dev/disk/by-label/storage";
+    fsType = "btrfs";
+    options = ["subvol=main" "compress=zstd" "noatime"];
+  };
+}