nix-home/nki-personal-do/configuration.nix

228 lines
6.8 KiB
Nix
Raw Permalink Normal View History

2022-12-17 17:51:29 +00:00
{ pkgs, config, lib, ... }: {
2021-10-27 19:36:16 +00:00
imports = [
./hardware-configuration.nix
2021-10-31 21:37:04 +00:00
# Set up cloud
2023-04-26 21:23:28 +00:00
../modules/cloud/authentik
2023-04-27 00:32:10 +00:00
../modules/cloud/firezone
2021-10-31 21:37:04 +00:00
../modules/cloud/postgresql
../modules/cloud/traefik
2021-11-01 01:41:29 +00:00
../modules/cloud/bitwarden
2021-11-01 19:50:30 +00:00
../modules/cloud/mail
2022-06-10 20:50:07 +00:00
../modules/cloud/conduit
2023-05-04 12:34:00 +00:00
../modules/cloud/gotosocial
2023-05-04 16:30:55 +00:00
# Encrypted DNS
../modules/services/edns
2023-05-04 16:30:55 +00:00
./headscale.nix
2023-05-04 21:06:26 +00:00
./gitea.nix
2023-05-18 18:46:55 +00:00
./miniflux.nix
2023-05-18 23:02:37 +00:00
./writefreely.nix
2023-06-24 15:50:42 +00:00
./synapse.nix
2023-07-16 13:49:44 +00:00
./phanpy.nix
2023-10-17 05:58:25 +00:00
./invidious.nix
2023-10-19 21:28:04 +00:00
./owncast.nix
2024-03-16 14:35:12 +00:00
./peertube.nix
./outline.nix
2021-10-27 19:36:16 +00:00
];
system.stateVersion = "21.11";
2023-04-19 12:23:10 +00:00
common.linux.enable = false; # Don't enable the "common linux" module, this is a special machine.
# Personal user
users.users.nki = {
isNormalUser = true;
createHome = true;
extraGroups = [ "wheel" ];
group = "users";
uid = 1000;
};
2023-06-03 11:39:55 +00:00
boot.tmp.cleanOnBoot = true;
2021-10-27 19:36:16 +00:00
networking.hostName = "nki-personal";
networking.firewall.allowPing = true;
services.openssh.enable = true;
2023-06-03 11:39:55 +00:00
services.openssh.settings.PasswordAuthentication = false;
2021-10-27 19:36:16 +00:00
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLr1Q+PJuDYJtBAVMSU0U2kZi4V0Z7dE+dpRxa4aEDupSlcPCwSEtcpNME1up7z0yxjcIHHkBYq0RobIaLqwEmntnZzz37jg/iiHwyZsN93jZljId1X0uykcMem4ljiqgmRg3Fs8RKj2+N1ovpIZVDOWINLJJDVJntNvwW/anSCtx27FATVdroHoiyXCwVknG6p3bHU5Nd3idRMn45kZ7Qf1J50XUhtu3ehIWI2/5nYIbi8WDnzY5vcRZEHROyTk2pv/m9rRkCTaGnUdZsv3wfxeeT3223k0mUfRfCsiPtNDGwXn66HcG2cmhrBIeDoZQe4XNkzspaaJ2+SGQfO8Zf natsukagami@gmail.com"
2021-10-27 19:36:16 +00:00
];
2022-06-11 21:41:43 +00:00
users.users.root.shell = pkgs.fish;
2023-06-03 11:39:55 +00:00
programs.fish.enable = true;
2021-10-27 19:36:16 +00:00
environment.systemPackages = with pkgs; [
2021-11-01 18:41:55 +00:00
git
2023-05-17 13:13:37 +00:00
htop-vim
kakoune
2022-12-17 17:51:29 +00:00
docker-compose
2021-10-27 19:36:16 +00:00
];
2022-12-17 17:51:29 +00:00
virtualisation.docker.enable = true;
2021-10-27 19:36:16 +00:00
services.do-agent.enable = true;
nix = {
extraOptions = ''
experimental-features = nix-command flakes
'';
};
2021-10-28 20:35:02 +00:00
nki.services.edns.enable = true;
nki.services.edns.ipv6 = true;
2021-10-28 20:35:02 +00:00
# Secret management
sops.defaultSopsFile = ./secrets/secrets.yaml;
2022-12-01 18:14:40 +00:00
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
2021-10-28 20:35:02 +00:00
# tinc
services.my-tinc.enable = true;
2021-10-28 21:05:06 +00:00
services.my-tinc.hostName = "cloud";
2022-10-17 11:51:03 +00:00
sops.secrets."tinc/rsa-private-key" = { };
sops.secrets."tinc/ed25519-private-key" = { };
services.my-tinc.rsaPrivateKey = config.sops.secrets."tinc/rsa-private-key".path;
services.my-tinc.ed25519PrivateKey = config.sops.secrets."tinc/ed25519-private-key".path;
2021-10-31 21:37:04 +00:00
sops.secrets."nix-build-farm/private-key" = { mode = "0400"; };
services.nix-build-farm.hostname = "home";
services.nix-build-farm.privateKeyFile = config.sops.secrets."nix-build-farm/private-key".path;
2021-10-31 21:37:04 +00:00
# Set up traefik
2021-11-01 19:44:19 +00:00
sops.secrets.cloudflare-dns-api-token = { owner = "traefik"; };
sops.secrets.traefik-dashboard-users = { owner = "traefik"; };
2021-10-31 21:37:04 +00:00
cloud.traefik.cloudflareKeyFile = config.sops.secrets.cloudflare-dns-api-token.path;
2021-11-01 19:44:19 +00:00
cloud.traefik.dashboard = {
enable = true;
usersFile = config.sops.secrets.traefik-dashboard-users.path;
};
2021-11-01 19:50:30 +00:00
cloud.traefik.certsDumper.enable = true;
2023-03-31 14:48:33 +00:00
2023-06-13 09:47:58 +00:00
# Uptime-Kuma
services.uptime-kuma = {
enable = true;
settings.HOST = "127.0.0.1";
settings.PORT = "16904";
};
cloud.traefik.hosts.uptime-kuma = { host = "status.nkagami.me"; port = 16904; noCloudflare = true; };
2023-06-13 09:47:58 +00:00
cloud.traefik.hosts.uptime-kuma-dtth = { host = "status.dtth.ch"; port = 16904; };
cloud.traefik.hosts.uptime-kuma-codefun = { host = "status.codefun.vn"; port = 16904; };
2023-08-10 18:49:16 +00:00
# Bitwarden
sops.secrets.vaultwarden-env = { };
cloud.bitwarden.envFile = config.sops.secrets.vaultwarden-env.path;
2023-06-13 09:47:58 +00:00
2023-04-26 21:23:28 +00:00
# Arion
virtualisation.arion.backend = "docker";
2023-03-31 14:48:33 +00:00
# Conduit
sops.secrets.heisenbridge = { owner = "heisenbridge"; };
2022-06-10 20:50:07 +00:00
cloud.conduit.enable = true;
2023-04-04 09:29:56 +00:00
cloud.conduit.instances = {
"nkagami" = {
host = "m.nkagami.me";
port = 6167;
well-known_port = 6168;
noCloudflare = true;
2023-04-04 09:29:56 +00:00
};
};
2023-03-31 14:48:33 +00:00
cloud.conduit.heisenbridge = {
enable = true;
package = pkgs.heisenbridge.overrideAttrs (old: rec {
version = "1.14.2";
src = pkgs.fetchFromGitHub {
owner = "hifi";
repo = "heisenbridge";
rev = "refs/tags/v${version}";
sha256 = "sha256-qp0LVcmWf5lZ52h0V58S6FoIM8RLOd6Y3FRb85j7KRg=";
};
});
appserviceFile = config.sops.secrets.heisenbridge.path;
2023-04-04 09:29:56 +00:00
homeserver = "https://m.nkagami.me";
};
2021-11-01 19:50:30 +00:00
2022-06-11 19:53:34 +00:00
# Navidrome back to the PC
cloud.traefik.hosts.navidrome = {
host = "navidrome.nkagami.me";
port = 4533;
localHost = "11.0.0.2";
noCloudflare = true;
2022-06-11 19:53:34 +00:00
};
2021-11-01 19:50:30 +00:00
# Mail
sops.secrets.mail-users = { owner = "maddy"; };
cloud.mail = {
enable = true;
2021-12-01 19:38:53 +00:00
debug = true;
2023-09-06 07:25:23 +00:00
local_ip = config.secrets.ipAddresses."nki.personal";
2021-11-01 19:50:30 +00:00
tls.certFile = "${config.cloud.traefik.certsDumper.destination}/${config.cloud.mail.hostname}/certificate.crt";
tls.keyFile = "${config.cloud.traefik.certsDumper.destination}/${config.cloud.mail.hostname}/privatekey.key";
usersFile = config.sops.secrets.mail-users.path;
};
2021-11-03 17:22:27 +00:00
# Youmubot
sops.secrets.youmubot-env = { };
2021-11-03 17:22:27 +00:00
services.youmubot = {
enable = true;
2023-06-19 23:27:51 +00:00
package = pkgs.youmubot.override { enableCodeforces = false; };
2021-11-03 17:22:27 +00:00
envFile = config.sops.secrets.youmubot-env.path;
};
2023-04-27 00:32:10 +00:00
# Authentik
2023-04-26 21:23:28 +00:00
sops.secrets.authentik-env = { };
cloud.authentik.enable = true;
cloud.authentik.envFile = config.sops.secrets.authentik-env.path;
cloud.traefik.hosts.authentik = { host = "auth.dtth.ch"; port = config.cloud.authentik.port; };
2022-12-17 17:51:29 +00:00
2023-04-27 00:32:10 +00:00
# Firezone
sops.secrets.firezone-env = { };
cloud.firezone.enable = true;
cloud.firezone.envFile = config.sops.secrets.firezone-env.path;
cloud.traefik.hosts.firezone = {
host = "vpn.dtth.ch";
port = config.cloud.firezone.httpPort;
localHost = "127.0.0.1";
2023-05-26 21:50:47 +00:00
noCloudflare = true;
2023-04-27 00:32:10 +00:00
};
cloud.traefik.hosts.firezone-vpn = {
host = "vpn.dtth.ch";
port = config.cloud.firezone.wireguardPort;
entrypoints = [ "wireguard" ];
protocol = "udp";
};
2023-05-04 12:34:00 +00:00
# GoToSocial
sops.secrets.gts-env = { restartUnits = [ "gotosocial.service" ]; };
2023-05-04 12:34:00 +00:00
cloud.gotosocial = {
enable = true;
envFile = config.sops.secrets.gts-env.path;
};
2023-05-07 12:28:46 +00:00
# ntfy
cloud.traefik.hosts.ntfy-sh = { host = "ntfy.nkagami.me"; port = 11161; noCloudflare = true; };
2023-05-07 12:28:46 +00:00
services.ntfy-sh = {
enable = true;
settings = {
listen-http = "127.0.0.1:11161";
cache-file = "/var/lib/ntfy-sh/cache.db";
auth-file = "/var/lib/ntfy-sh/auth.db";
auth-default-access = "deny-all";
behind-proxy = true;
base-url = "https://ntfy.nkagami.me";
attachment-cache-dir = "/var/lib/ntfy-sh/attachments";
enable-login = true;
enable-reservations = true;
upstream-base-url = "https://ntfy.sh";
};
};
systemd.services.ntfy-sh.serviceConfig = {
WorkingDirectory = "/var/lib/ntfy-sh";
StateDirectory = "ntfy-sh";
};
systemd.services.ntfy-sh.preStart = ''
mkdir -p /var/lib/ntfy-sh/attachments
'';
2021-10-27 19:36:16 +00:00
}
2022-12-17 17:51:29 +00:00