chore: merge remote-tracking branch 'refs/remotes/origin/master'

Ahwx 2025-05-25 01:02:56 +02:00
commit 093108b2c2
25 changed files with 550 additions and 135 deletions


@ -0,0 +1,11 @@
{ ... }:
{
imports =
[ (import ./hardware.nix) ]
++ [ (import ./program.nix) ]
++ [ (import ./sshd.nix) ]
++ [ (import ./security.nix) ]
++ [ (import ./services.nix) ]
++ [ (import ./system.nix) ]
++ [ (import ./user.nix) ];
}
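Review bot: Each module is pulled in as `(import ./hardware.nix)` and the results are joined with seven single-element `++` concatenations; the idiomatic form is `imports = [ ./hardware.nix ./program.nix ./sshd.nix ./security.nix ./services.nix ./system.nix ./user.nix ];`. Passing the path instead of the imported function also lets the module system record the file, so evaluation errors point at `hardware.nix` rather than an anonymous module. The new `modules/services/lily.nix` in this commit uses the same pattern and would benefit from the same change.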


@ -1,4 +1,4 @@
{ lib, ... }:
{ lib, config, ... }:
{
services.openssh = {
enable = true;
@ -11,6 +11,8 @@
};
};
networking.firewall.allowedTCPPorts = [ config.services.openssh.ports ];
users.users.liv.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGXi00z/rxVrWLKgYr+tWIsbHsSQO75hUMSTThNm5wUw liv@sakura" # main laptop
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ2nsQHyWnrmuQway0ehoMUcYYfhD8Ph/vpD0Tzip1b1 liv@meow" # main phone
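Review bot: `networking.firewall.allowedTCPPorts = [ config.services.openssh.ports ];` wraps a value that is already a list in another list, so the option receives a list of lists and will fail the `listOf port` type check; it should read `networking.firewall.allowedTCPPorts = config.services.openssh.ports;`, or be dropped entirely since `services.openssh.openFirewall` (true by default) opens exactly the configured ports. This line appears to be the addition the new `config` argument in the signature was made for, and it looks intended to replace the hard-coded `22` removed from the other host's global `allowedTCPPorts` further down in this commit, which the `openFirewall` default already covers. The authorized-key list is only an effective hardening step if password authentication is disabled in the `services.openssh.settings` block above this hunk, which is not visible here.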


@ -23,6 +23,8 @@
[ ./../home/default.server.nix ]
else if (host == "dandelion") then
[ ./../home/default.server.nix ]
else if (host == "lily") then
[ ./../home/default.server.nix ]
# else if (host == "yoshino") then
# [ ./../home/default.nix ]
else


@ -214,6 +214,7 @@
bind = [
# keybindings
"$mainMod, Return, exec, kitty"
"$mainMod, Backspace, exec, [float; center; size 950 650] kitty"
"$mainMod, Q, killactive,"
"$mainMod, F, fullscreen, 0" # set 1 to 0 to set full screen without waybar
"$mainMod, Space, togglefloating,"


@ -12,6 +12,9 @@
case "$1" in
"w") setbg "$file" ;;
"d") mv "$file" "$HOME/.trash/";;
"s") mkdir -p "$HOME/temp" && cp "$file" "$HOME/temp" ;;
"r") mkdir -p "$HOME/temp" && cp "$(basename "$file" ".JPG").RAF" "$HOME/temp" ;;
"e") echo -e "'$(pwd)"/"$(basename "$file" ".JPG").RAF'\n'$(pwd)/""$file""'" ;;
esac
done
'';
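Review bot: The new `"e"` branch builds its output with `echo -e` and nested `"'$(pwd)"/"…"'"` quoting that is hard to verify by eye; `echo -e` also interprets backslash sequences that happen to occur in the file name and is not portable. `printf` with the names passed as arguments produces the same two quoted lines without either problem: `"e") printf "'%s/%s.RAF'\n'%s/%s'\n" "$PWD" "$(basename "$file" .JPG)" "$PWD" "$file" ;;`. This script lives inside a Nix indented string, so `$PWD` and `\n` pass through to the shell unchanged. The enclosing `for` loop, the `setbg` helper and `$file` are defined above the hunk and are not visible here.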


@ -1,8 +1,15 @@
{ lib, config, pkgs, ... }: {
{
lib,
config,
pkgs,
...
}:
{
services = {
nginx.virtualHosts."share.liv.town" = {
useACMEHost = "liv.town";
forceSSL = true;
sslCertificate = "/var/lib/acme/liv.town/cert.pem";
sslCertificateKey = "/var/lib/acme/liv.town/key.pem";
locations."/" = {
proxyPass = "http://localhost:53842";
};
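Review bot: Replacing `useACMEHost = "liv.town";` with hard-coded `sslCertificate`/`sslCertificateKey` paths under `/var/lib/acme/liv.town/` gives up the wiring the nginx module attaches to that option: as far as I can tell it orders nginx after the `acme-liv.town` unit and reloads nginx when the certificate is renewed, and it already shares one certificate across virtual hosts, which seems to be the goal here. With bare paths nginx keeps serving the expired certificate after each renewal until someone reloads it, and the nginx user must be able to read `key.pem`, which depends on the certificate's `group` setting that is not visible in this hunk. Unless the explicit paths are needed for a reason not shown, keep `useACMEHost = "liv.town";` and drop the two `ssl*` lines. The same substitution is made in the grafana, invidious, ntfy and quack.social hunks below (invidious and quack.social replacing `enableACME = true;`), and the same note applies there.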


@ -11,8 +11,9 @@
};
nginx.virtualHosts.${config.services.grafana.domain} = {
useACMEHost = "liv.town";
forceSSL = true;
sslCertificate = "/var/lib/acme/liv.town/cert.pem";
sslCertificateKey = "/var/lib/acme/liv.town/key.pem";
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
proxyWebsockets = true;


@ -1,11 +1,11 @@
{ config, ... }: {
{ config, ... }:
{
services.immich = {
enable = true;
port = 2283;
};
# services.nginx.virtualHosts."" = {
# enableACME = true;
# forceSSL = true;
# locations."/" = {
# proxyPass = "http://localhost:${toString config.services.immich.port}";


@ -12,7 +12,8 @@
virtualHosts = {
"video.liv.town" = {
forceSSL = true;
enableACME = true;
sslCertificate = "/var/lib/acme/liv.town/cert.pem";
sslCertificateKey = "/var/lib/acme/liv.town/key.pem";
locations."/".proxyPass = "http://127.0.0.1:${toString config.services.invidious.port}";
};
};

10
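--- /dev/null
+++ b/modules/services/lily.nix
@@ -0,0 +1,10 @@
+{ ... }:
+{
+imports =
+[ (import ./docker.nix) ]
+++ [ (import ./monitoring.nix) ]
+++ [ (import ./smart-monitoring.nix) ]
+++ [ (import ./unifi.nix) ]
+++ [ (import ./tailscale.nix) ]
+++ [ (import ./grafana.nix) ];
+}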


@ -26,8 +26,6 @@
networking.firewall = {
allowedTCPPorts = [
9001
22
9123 # always also allow ssh :screaming:
];
};
}


@ -1,4 +1,11 @@
{ pkgs, config, lib, ... }: {
{
pkgs,
config,
lib,
...
}:
{
security.acme = {
acceptTerms = true;
defaults.email = lib.mkDefault "ahwx@ahwx.org";
@ -10,7 +17,15 @@
dnsProvider = "desec";
environmentFile = "/home/liv/desec.env"; # location of your DESEC_TOKEN=[value]
webroot = null;
};
};
"quack.social" = {
domain = "*.quack.social";
extraDomainNames = [ "quack.social" ];
group = config.services.nginx.group;
dnsProvider = "desec";
environmentFile = "/home/liv/desec.env"; # location of your DESEC_TOKEN=[value]
webroot = null;
};
};
};
@ -22,8 +37,42 @@
recommendedProxySettings = true;
clientMaxBodySize = lib.mkDefault "10G";
defaultListen =
let
listen = [
{
addr = "[::]";
port = 80;
extraParameters = [ "proxy_protocol" ];
}
{
addr = "[::]";
port = 443;
ssl = true;
extraParameters = [ "proxy_protocol" ];
}
];
in
map (x: (x // { addr = "0.0.0.0"; })) listen ++ listen;
# Hardened TLS and HSTS preloading
appendHttpConfig = ''
# Proxying
# real_ip_header proxy_protocol;
server {
listen 80 proxy_protocol;
listen 443 ssl proxy_protocol;
# set_real_ip_from 10.7.0.0/24;
}
ssl_certificate /var/lib/acme/quack.social/cert.pem;
ssl_certificate_key /var/lib/acme/quack.social/key.pem;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_protocol_addr;
# Add HSTS header with preloading to HTTPS requests.
# Do not add HSTS header to HTTP requests.
map $scheme $hsts_header {
@ -49,5 +98,24 @@
add_header pronouns "any but neopronouns";
add_header locale "[en_US, nl_NL]";
'';
appendConfig = ''
# https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
# set_real_ip_from 213.210.34.27;
# real_ip_header proxy_protocol;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $proxy_protocol_addr;
# proxy_set_header X-Forwarded-For $proxy_protocol_addr;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Forwarded-Host $host;
# proxy_set_header X-Forwarded-Server $host;
'';
};
networking.firewall = {
allowedTCPPorts = [
80
443
];
};
}
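Review bot: `proxy_set_header X-Real-IP $proxy_protocol_addr;` and the matching `X-Forwarded-For` line in `appendHttpConfig` trust the PROXY-protocol header unconditionally, while every `listen` in `defaultListen` now requires `proxy_protocol` on both 80 and 443 and the firewall block at the end of the hunk opens those ports to everyone. nginx has no allow-list for who may send a PROXY header on a `proxy_protocol` listener, so any peer that reaches 80/443 directly can present an arbitrary client address to the upstreams (defeating per-IP logging and rate limits), and ordinary clients that do not speak PROXY protocol are dropped; either restrict 80/443 to the load balancer's address (`networking.firewall.extraCommands` or interface-scoped ports) or re-enable the `set_real_ip_from`/`real_ip_header proxy_protocol` pair that is commented out in two places and forward `$remote_addr`, which the realip module only rewrites for trusted peers. The bare `server { listen 80 proxy_protocol; listen 443 ssl proxy_protocol; }` block and the http-level `ssl_certificate` lines look like leftovers from experimentation: the server has no `server_name`, and the http-level certificate silently becomes the default for every virtual host that lacks its own. The second `"quack.social"` certificate repeats the desec settings and the `/home/liv/desec.env` token file verbatim; a shared `let` attribute set would keep the two in sync, and a token that can rewrite DNS for the whole zone is better stored outside a user's home directory, readable only by the acme service user.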


@ -2,7 +2,8 @@ let
hostname = "notify.liv.town";
port = 2586;
url = "https://" + hostname;
in {
in
{
services = {
ntfy-sh = {
enable = true;
@ -16,8 +17,9 @@ in {
};
};
nginx.virtualHosts.${hostname} = {
useACMEHost = "liv.town";
forceSSL = true;
sslCertificate = "/var/lib/acme/liv.town/cert.pem";
sslCertificateKey = "/var/lib/acme/liv.town/key.pem";
locations."/" = {
proxyPass = "http://127.0.0.1:${toString port}";
proxyWebsockets = true;


@ -2,8 +2,9 @@
{
services = {
nginx.virtualHosts."quack.social" = {
enableACME = true;
forceSSL = true;
sslCertificate = "/var/lib/acme/quack.social/cert.pem";
sslCertificateKey = "/var/lib/acme/quack.social/key.pem";
locations."/" = {
proxyPass = "http://localhost:3000";
proxyWebsockets = true;
@ -16,26 +17,6 @@
'';
};
locations."/files/" = {
proxyPass = "http://localhost:3000";
proxyWebsockets = true;
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $remote_addr;
# Try cache?
# proxy_cache sharkey;
# proxy_cache_path /var/cache/nginx/sharkey levels=1:2 keys_zone=sharkey:15m;
# proxy_cache_lock on;
# proxy_cache_use_stale updating;
# proxy_force_ranges on;
# add_header X-Cache $upstream_cache_status;
'';
};
locations."/wiki/" = {
# Nepenthis
proxyPass = "http://localhost:8893";


@ -0,0 +1,3 @@
{
services.tailscale.enable = true;
}


@ -0,0 +1,66 @@
{ pkgs, lib, ... }:
{
services.unifi = {
enable = true;
unifiPackage = pkgs.unifi8;
mongodbPackage = pkgs.mongodb-7_0;
};
# services.nginx = {
# enable = true;
# recommendedProxySettings = true;
# virtualHosts."unifi.local" = {
# forceSSL = true;
# useACMEHost = "unifi.local";
# locations."/" = {
# proxyPass = "https://127.0.0.1:8443";
# proxyWebsockets = true;
# };
# };
# };
# virtualisation.oci-containers.containers."unifi" = {
# image = "lscr.io/linuxserver/unifi-network-application:latest";
# autoStart = true;
# environmentFiles = [ /run/unifi/container-vars.env ];
# volumes = [
# "/etc/localtime:/etc/localtime:ro"
# "/run/unifi/data:/config"
# ];
# ports = [
# "8443:8443" # web admin UI
# "3478:3478/udp" # STUN
# "10001:10001/udp" # AP discovery
# "8080:8080" # device communication
# "6789:6789/udp" # mobile throughput test (assumption: wifiman)
# "5514:5514/udp" # remote syslog (optional)
# ];
# dependsOn = [
# "unifi-mongo"
# ];
# log-driver = "journald";
# };
# virtualisation.oci-containers.containers."unifi-mongo" = {
# image = "mongo:latest";
# autoStart = true;
# volumes = [
# "/etc/localtime:/etc/localtime:ro"
# "/run/unifi/mongo/db:/data/db"
# "/run/unifi/mongo/init-mongo.js:/docker-entrypoint-initdb.d/init-mongo.js:ro"
# ];
# log-driver = "journald";
# };
networking.firewall.interfaces."lan0" = {
allowedTCPPorts = [
8443 # web admin UI
8080 # device communication
];
allowedUDPPorts = [
6789 # mobile throughput test (assumption: wifiman)
5514 # remote syslog (optional)
3478 # STUN
10001 # AP discovery
];
};
}
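Review bot: Some forty commented-out lines (the nginx proxy and the two `oci-containers` definitions) ship in a brand-new file; they are never evaluated, so they will drift from the real option names, and git history keeps the alternative if it is ever wanted — delete them rather than commit them as comments. The interface-scoped `networking.firewall.interfaces."lan0"` block is a better choice than `services.unifi.openFirewall`, which opens the same ports on every interface, and deserves a line saying so, e.g. `# scoped to lan0 on purpose: the controller UI (8443) stays unreachable from other interfaces`. `5514` is labelled optional in its own comment; if remote syslog from the access points is not configured, leave that port closed.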