chore: merge remote-tracking branch 'refs/remotes/origin/master'

2025-12-04 06:50:14 +01:00 · 2025-06-08 14:58:36 +02:00 · 2025-06-08 14:58:36 +02:00 · 8d92925a61
commit 8d92925a61
parent d2b5c9bf4f 1b514a44c2
13 changed files with 127 additions and 69 deletions
--- a/hosts/dandelion/default.nix
+++ b/hosts/dandelion/default.nix
@ -12,6 +12,10 @@
    ./../../modules/services/dandelion.nix
  ];

+  users.users.liv.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLdcB5JFWx6OK2BAr8J0wPHNhr2VP2/Ci6fv3a+DPfo liv@violet" # allow violet to log in over ssh to do back ups
+  ];
+
  networking.hostName = "dandelion";

  liv.server.enable = true;
--- a/hosts/sakura/hardware-configuration.nix
+++ b/hosts/sakura/hardware-configuration.nix
@ -1,30 +1,45 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:

 {
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];

-  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" ];
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "xhci_pci"
+    "thunderbolt"
+    "usb_storage"
+    "sd_mod"
+  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];

-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/24035f97-746a-4aec-b1d8-696bc32d3c97";
-      fsType = "ext4";
-    };
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/24035f97-746a-4aec-b1d8-696bc32d3c97";
+    fsType = "ext4";
+  };

-  boot.initrd.luks.devices."luks-156453ac-bbad-452c-ad92-4fc569db9347".device = "/dev/disk/by-uuid/156453ac-bbad-452c-ad92-4fc569db9347";
+  boot.initrd.luks.devices."luks-root".device = "/dev/nvme0n1p3";

-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/0EFD-4B3F";
-      fsType = "vfat";
-      options = [ "fmask=0022" "dmask=0022" ];
-    };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/0EFD-4B3F";
+    fsType = "vfat";
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+    ];
+  };

  swapDevices = [ ];

--- a/hosts/violet/backups.nix
+++ b/hosts/violet/backups.nix
@ -0,0 +1,54 @@
+let
+  borgbackupMonitor =
+    {
+      config,
+      pkgs,
+      lib,
+      ...
+    }:
+    with lib;
+    {
+      key = "borgbackupMonitor";
+      _file = "borgbackupMonitor";
+      config.systemd.services =
+        {
+          "notify-problems@" = {
+            enable = true;
+            serviceConfig.User = "liv";
+            environment.SERVICE = "%i";
+            script = ''
+              ${pkgs.curl}/bin/curl -d "$SERVICE FAILED! - service $SERVICE on host $(hostname) failed, run journalctl -u $SERVICE for details."
+            '';
+          };
+        }
+        // flip mapAttrs' config.services.borgbackup.jobs (
+          name: value:
+          nameValuePair "borgbackup-job-${name}" {
+            unitConfig.OnFailure = "notify-problems@%i.service";
+          }
+        );
+
+      # optional, but this actually forces backup after boot in case laptop was powered off during scheduled event
+      # for example, if you scheduled backups daily, your laptop should be powered on at 00:00
+      config.systemd.timers = flip mapAttrs' config.services.borgbackup.jobs (
+        name: value:
+        nameValuePair "borgbackup-job-${name}" {
+          timerConfig.Persistent = true;
+        }
+      );
+    };
+
+in
+{
+  imports = [ borgbackupMonitor ];
+  services = {
+    borgbackup.jobs.liv-violet = {
+      paths = "/home/liv";
+      encryption.mode = "none";
+      environment.BORG_RSH = "ssh -i /home/liv/.ssh/id_ed25519";
+      repo = "ssh://liv@100.115.178.50:9123/spinners/rootvol/backups/hosts/violet";
+      compression = "auto,zstd";
+      startAt = "daily";
+    };
+  };
+}
--- a/hosts/violet/default.nix
+++ b/hosts/violet/default.nix
@ -9,6 +9,7 @@
    ./hardware-configuration.nix
    ./../../modules/core/default.server.nix
    ./../../modules/services/violet.nix
+    # ./backups.nix # disable for now, test first.
  ];

  networking.hostName = "violet";
@ -24,15 +25,16 @@
    pkgs.kitty.terminfo
  ];

-  services.smartd = {
-    enable = lib.mkForce false;
-    autodetect = lib.mkForce false;
+  services = {
+    smartd = {
+      enable = lib.mkForce false;
+      autodetect = lib.mkForce false;
+    };
+    xserver.videoDrivers = [ "nvidia" ];
  };

  liv.nvidia.enable = true;

-  services.xserver.videoDrivers = [ "nvidia" ];
-
  boot = {
    loader.grub = {
      enable = true;
--- a/hosts/yoshino/default.nix
+++ b/hosts/yoshino/default.nix
@ -23,7 +23,7 @@
    desktop.enable = true;
    creative.enable = true;
    amdgpu.enable = true;
-    wine.enable = true;
+    wine.enable = false;
    gui.enable = true;
  };

--- a/modules/core/printing.nix
+++ b/modules/core/printing.nix
@ -1,7 +1,7 @@
 { pkgs, ... }:
 {
  services.avahi = {
-    enable = true;
+    enable = false;
    nssmdns4 = true;
    openFirewall = true;
  };
--- a/modules/core/sshd.nix
+++ b/modules/core/sshd.nix
@ -2,7 +2,7 @@
 {
  services.openssh = {
    enable = true;
-    ports = [ 22 ];
+    ports = [ 9123 ];
    settings = {
      PasswordAuthentication = lib.mkDefault false;
      AllowUsers = null;
--- a/modules/services/dandelion.nix
+++ b/modules/services/dandelion.nix
@ -7,5 +7,6 @@
    ++ [ (import ./home-assistant.nix) ]
    ++ [ (import ./monitoring.nix) ]
    ++ [ (import ./smart-monitoring.nix) ]
+    ++ [ (import ./tailscale.nix) ]
    ++ [ (import ./hd-idle.nix) ];
 }
--- a/modules/services/monitoring.nix
+++ b/modules/services/monitoring.nix
@ -23,9 +23,9 @@
      ];
    };
  };
-  networking.firewall = {
-    allowedTCPPorts = [
-      9001
-    ];
-  };
+  # networking.firewall = {
+  # allowedTCPPorts = [
+  # 9001
+  # ];
+  # };
 }
--- a/modules/services/mumble.nix
+++ b/modules/services/mumble.nix
@ -2,6 +2,6 @@
 {
  services.murmur = {
    enable = true;
-    openFirewall = true;
+    openFirewall = false;
  };
 }
--- a/modules/services/nginx.nix
+++ b/modules/services/nginx.nix
@ -37,41 +37,35 @@
    recommendedProxySettings = true;
    clientMaxBodySize = lib.mkDefault "10G";

-    defaultListen =
-      let
-        listen = [
-          {
-            addr = "[::]";
-            port = 80;
-            extraParameters = [ "proxy_protocol" ];
-          }
-          {
-            addr = "[::]";
-            port = 443;
-            ssl = true;
-            extraParameters = [ "proxy_protocol" ];
-          }
-        ];
-      in
-      map (x: (x // { addr = "0.0.0.0"; })) listen ++ listen;
+    #defaultListen =
+    #  let
+    #    listen = [
+    #      {
+    #        addr = "[::]";
+    #        port = 80;
+    #        extraParameters = [ "proxy_protocol" ];
+    #      }
+    #      {
+    #        addr = "[::]";
+    #        port = 443;
+    #        ssl = true;
+    #        extraParameters = [ "proxy_protocol" ];
+    #      }
+    #    ];
+    #  in
+    #  map (x: (x // { addr = "0.0.0.0"; })) listen ++ listen;

    # Hardened TLS and HSTS preloading
    appendHttpConfig = ''
      # Proxying
      # real_ip_header proxy_protocol;

-      server {
-        listen 80   proxy_protocol;
-        listen 443  ssl proxy_protocol;
-        # set_real_ip_from 10.7.0.0/24;
-      }
-
      ssl_certificate /var/lib/acme/quack.social/cert.pem;
      ssl_certificate_key /var/lib/acme/quack.social/key.pem;

-      proxy_set_header Host            $host;
-      proxy_set_header X-Real-IP       $proxy_protocol_addr;
-      proxy_set_header X-Forwarded-For $proxy_protocol_addr;
+      # proxy_set_header Host            $host;
+      # proxy_set_header X-Real-IP       $proxy_protocol_addr;
+      # proxy_set_header X-Forwarded-For $proxy_protocol_addr;

      # Add HSTS header with preloading to HTTPS requests.
      # Do not add HSTS header to HTTP requests.
@ -98,19 +92,6 @@
      add_header pronouns "any but neopronouns";
      add_header locale "[en_US, nl_NL]";
    '';
-    appendConfig = ''
-      # https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
-      # set_real_ip_from 213.210.34.27;
-
-      # real_ip_header proxy_protocol;
-
-      # proxy_set_header Host               $host;
-      # proxy_set_header X-Real-IP          $proxy_protocol_addr;
-      # proxy_set_header X-Forwarded-For    $proxy_protocol_addr;
-      # proxy_set_header X-Forwarded-Proto  $scheme;
-      # proxy_set_header X-Forwarded-Host   $host;
-      # proxy_set_header X-Forwarded-Server $host;
-    '';
  };
  networking.firewall = {
    allowedTCPPorts = [
--- a/modules/services/ntfy.nix
+++ b/modules/services/ntfy.nix
@ -12,7 +12,7 @@ in
        listen-http = "127.0.0.1:${toString port}";
        behind-proxy = true;
        visitor-attachment-daily-bandwidth-limit = "10M";
-        visitor-request-limit-burst = 5;
+        visitor-request-limit-burst = 15;
        visitor-request-limit-replenish = "15s";
      };
    };
--- a/modules/services/violet.nix
+++ b/modules/services/violet.nix
@ -20,6 +20,7 @@
    ++ [ (import ./nginx.nix) ]
    # ++ [(import ./komga.nix)]
    ++ [ (import ./radicale.nix) ]
+    ++ [ (import ./tailscale.nix) ]
    ++ [ (import ./readarr.nix) ];
  # ++ [(import ./smart-monitoring.nix)]
  # ++ [(import ./jitsi-meet.nix)]