diff --git a/hosts/dandelion/default.nix b/hosts/dandelion/default.nix index 98e0a49..93d87f7 100644 --- a/hosts/dandelion/default.nix +++ b/hosts/dandelion/default.nix @@ -12,6 +12,10 @@ ./../../modules/services/dandelion.nix ]; + users.users.liv.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLdcB5JFWx6OK2BAr8J0wPHNhr2VP2/Ci6fv3a+DPfo liv@violet" # allow violet to log in over ssh to do back ups + ]; + networking.hostName = "dandelion"; liv.server.enable = true; diff --git a/hosts/sakura/hardware-configuration.nix b/hosts/sakura/hardware-configuration.nix index 19346a2..e0d299a 100644 --- a/hosts/sakura/hardware-configuration.nix +++ b/hosts/sakura/hardware-configuration.nix 
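Review bot: The key added to `users.users.liv.openssh.authorizedKeys.keys` is unrestricted, so the stated intent ("allow violet to log in over ssh to do back ups") is not enforced: anyone holding violet's `id_ed25519` gets a full shell as liv on dandelion, not just access to the backup repository. Pin the key to the repo with a forced command, e.g. `"command=\"borg serve --restrict-to-repository /spinners/rootvol/backups/hosts/violet --append-only\",restrict ssh-ed25519 AAAAC3Nz…DPfo liv@violet"`, where the path must match the `repo` in violet's backups.nix and `borg` must be on that user's PATH; the NixOS `services.borgbackup.repos.<name>` option (`authorizedKeysAppendOnly`) generates an equivalent forced command if you prefer not to hand-write it. Bear in mind that in borg's append-only mode prunes issued from violet are recorded but do not free space, so retention has to be run on dandelion itself.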
@@ -1,30 +1,45 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" ]; + boot.initrd.availableKernelModules = [ + "nvme" + "xhci_pci" + "thunderbolt" + "usb_storage" + "sd_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-amd" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/24035f97-746a-4aec-b1d8-696bc32d3c97"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/24035f97-746a-4aec-b1d8-696bc32d3c97"; + fsType = "ext4"; + }; - boot.initrd.luks.devices."luks-156453ac-bbad-452c-ad92-4fc569db9347".device = "/dev/disk/by-uuid/156453ac-bbad-452c-ad92-4fc569db9347"; + boot.initrd.luks.devices."luks-root".device = "/dev/nvme0n1p3"; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/0EFD-4B3F"; - fsType = "vfat"; - options = [ "fmask=0022" "dmask=0022" ]; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/0EFD-4B3F"; + fsType = "vfat"; + options = [ + "fmask=0022" + "dmask=0022" + ]; + }; swapDevices = [ ]; diff --git a/hosts/violet/backups.nix b/hosts/violet/backups.nix new file mode 100644 index 0000000..d8183e5 --- /dev/null +++ b/hosts/violet/backups.nix 
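Review bot: The LUKS device for `luks-root` now points at `/dev/nvme0n1p3`, replacing a `/dev/disk/by-uuid/...` path; kernel block device names are assigned in probe order and can shift when another NVMe or a USB disk is present, which would leave the initrd prompting for a passphrase on the wrong partition or failing to find the container at all. The root filesystem a few lines above still uses a by-uuid path, so this line should too: `boot.initrd.luks.devices."luks-root".device = "/dev/disk/by-uuid/156453ac-bbad-452c-ad92-4fc569db9347";` assuming that UUID (used in both the old name and the old path) is still the LUKS header's UUID. The header of this file says it is generated by nixos-generate-config, so a hand edit here will be silently undone by the next regeneration; if the LUKS naming is meant to be maintained by hand, move it into the host's default.nix.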
@@ -0,0 +1,54 @@ +let + borgbackupMonitor = + { + config, + pkgs, + lib, + ... + }: + with lib; + { + key = "borgbackupMonitor"; + _file = "borgbackupMonitor"; + config.systemd.services = + { + "notify-problems@" = { + enable = true; + serviceConfig.User = "liv"; + environment.SERVICE = "%i"; + script = '' + ${pkgs.curl}/bin/curl -d "$SERVICE FAILED! - service $SERVICE on host $(hostname) failed, run journalctl -u $SERVICE for details." + ''; + }; + } + // flip mapAttrs' config.services.borgbackup.jobs ( + name: value: + nameValuePair "borgbackup-job-${name}" { + unitConfig.OnFailure = "notify-problems@%i.service"; + } + ); + + # optional, but this actually forces backup after boot in case laptop was powered off during scheduled event + # for example, if you scheduled backups daily, your laptop should be powered on at 00:00 + config.systemd.timers = flip mapAttrs' config.services.borgbackup.jobs ( + name: value: + nameValuePair "borgbackup-job-${name}" { + timerConfig.Persistent = true; + } + ); + }; + +in +{ + imports = [ borgbackupMonitor ]; + services = { + borgbackup.jobs.liv-violet = { + paths = "/home/liv"; + encryption.mode = "none"; + environment.BORG_RSH = "ssh -i /home/liv/.ssh/id_ed25519"; + repo = "ssh://liv@100.115.178.50:9123/spinners/rootvol/backups/hosts/violet"; + compression = "auto,zstd"; + startAt = "daily"; + }; + }; +} diff --git a/hosts/violet/default.nix b/hosts/violet/default.nix index f1fd5d8..8aa285d 100644 --- a/hosts/violet/default.nix +++ b/hosts/violet/default.nix @@ -9,6 +9,7 @@ ./hardware-configuration.nix ./../../modules/core/default.server.nix ./../../modules/services/violet.nix + # ./backups.nix # disable for now, test first. ]; networking.hostName = "violet"; 
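Review bot: The `notify-problems@` script in backups.nix cannot deliver anything: `curl -d "..."` is given a message body but no URL, so curl exits with "no URL specified" and a failed backup leaves no notification, only a second failed unit. Append the endpoint, e.g. `${pkgs.curl}/bin/curl -fsS -d "$SERVICE FAILED! …" https://<ntfy-host>/<topic>`, with the topic read from a file outside the Nix store if it is meant to be secret. Separately, `unitConfig.OnFailure = "notify-problems@%i.service"` is attached to the non-template unit `borgbackup-job-${name}`, and systemd.unit(5) documents `%i` as empty for non-instantiated units, so this should be `notify-problems@borgbackup-job-${name}.service`. On the security side the job uses `encryption.mode = "none"` and archives all of `/home/liv`, which includes the very `id_ed25519` named in `BORG_RSH`, so a plaintext copy of the key to the backup host lands in the unencrypted repo; prefer `encryption = { mode = "repokey-blake2"; passCommand = "cat /path/to/passphrase"; }` and `exclude = [ "/home/liv/.ssh" "/home/liv/.cache" ]`. NixOS borgbackup jobs run as root unless `user` is set, so the host key of `100.115.178.50:9123` also has to be present in root's known_hosts (or pinned via `programs.ssh.knownHosts`) for the first non-interactive run to succeed; none of this is live yet, since the import in violet/default.nix is commented out.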
@@ -24,15 +25,16 @@ pkgs.kitty.terminfo ]; - services.smartd = { - enable = lib.mkForce false; - autodetect = lib.mkForce false; + services = { + smartd = { + enable = lib.mkForce false; + autodetect = lib.mkForce false; + }; + xserver.videoDrivers = [ "nvidia" ]; }; liv.nvidia.enable = true; - services.xserver.videoDrivers = [ "nvidia" ]; - boot = { loader.grub = { enable = true; diff --git a/hosts/yoshino/default.nix b/hosts/yoshino/default.nix index 6ff088c..7abf5ae 100644 --- a/hosts/yoshino/default.nix +++ b/hosts/yoshino/default.nix @@ -23,7 +23,7 @@ desktop.enable = true; creative.enable = true; amdgpu.enable = true; - wine.enable = true; + wine.enable = false; gui.enable = true; }; diff --git a/modules/core/printing.nix b/modules/core/printing.nix index 7622bee..0bf8a60 100644 --- a/modules/core/printing.nix +++ b/modules/core/printing.nix @@ -1,7 +1,7 @@ { pkgs, ... }: { services.avahi = { - enable = true; + enable = false; nssmdns4 = true; openFirewall = true; }; diff --git a/modules/core/sshd.nix b/modules/core/sshd.nix index 6e1a9e8..13fba58 100644 --- a/modules/core/sshd.nix +++ b/modules/core/sshd.nix @@ -2,7 +2,7 @@ { services.openssh = { enable = true; - ports = [ 22 ]; + ports = [ 9123 ]; settings = { PasswordAuthentication = lib.mkDefault false; AllowUsers = null; diff --git a/modules/services/dandelion.nix b/modules/services/dandelion.nix index 74ad09f..edf193d 100644 --- a/modules/services/dandelion.nix +++ b/modules/services/dandelion.nix @@ -7,5 +7,6 @@ ++ [ (import ./home-assistant.nix) ] ++ [ (import ./monitoring.nix) ] ++ [ (import ./smart-monitoring.nix) ] + ++ [ (import ./tailscale.nix) ] ++ [ (import ./hd-idle.nix) ]; } diff --git a/modules/services/monitoring.nix b/modules/services/monitoring.nix index a22d5f9..43b5319 100644 --- a/modules/services/monitoring.nix +++ b/modules/services/monitoring.nix 
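Review bot: Changing `ports` to 9123 in modules/core/sshd.nix does not by itself reduce exposure: unless `openFirewall` is set to false elsewhere, the NixOS openssh module opens the listed port on every interface, so this only relocates the service. Since this commit adds tailscale to both dandelion and violet and the backup job targets what looks like a Tailscale address (100.115.178.50), consider restricting sshd to the tailnet: `openFirewall = false;` plus `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 9123 ];`, keeping public access only on hosts that genuinely need it. Note the port is also hard-coded in violet's backups.nix repo URL, so the two must change together, and since this module is shared, every host importing it moves off 22 at once; a comment above the line stating that (`# non-default port; also referenced by hosts/violet/backups.nix`) would save the next reader a grep.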
@@ -23,9 +23,9 @@ ]; }; }; - networking.firewall = { - allowedTCPPorts = [ - 9001 - ]; - }; + # networking.firewall = { + # allowedTCPPorts = [ + # 9001 + # ]; + # }; } diff --git a/modules/services/mumble.nix b/modules/services/mumble.nix index 14c9487..eaa0836 100644 --- a/modules/services/mumble.nix +++ b/modules/services/mumble.nix @@ -2,6 +2,6 @@ { services.murmur = { enable = true; - openFirewall = true; + openFirewall = false; }; } diff --git a/modules/services/nginx.nix b/modules/services/nginx.nix index 952473a..6e6f98f 100644 --- a/modules/services/nginx.nix +++ b/modules/services/nginx.nix @@ -37,41 +37,35 @@ recommendedProxySettings = true; clientMaxBodySize = lib.mkDefault "10G"; - defaultListen = - let - listen = [ - { - addr = "[::]"; - port = 80; - extraParameters = [ "proxy_protocol" ]; - } - { - addr = "[::]"; - port = 443; - ssl = true; - extraParameters = [ "proxy_protocol" ]; - } - ]; - in - map (x: (x // { addr = "0.0.0.0"; })) listen ++ listen; + #defaultListen = + # let + # listen = [ + # { + # addr = "[::]"; + # port = 80; + # extraParameters = [ "proxy_protocol" ]; + # } + # { + # addr = "[::]"; + # port = 443; + # ssl = true; + # extraParameters = [ "proxy_protocol" ]; + # } + # ]; + # in + # map (x: (x // { addr = "0.0.0.0"; })) listen ++ listen; # Hardened TLS and HSTS preloading appendHttpConfig = '' # Proxying # real_ip_header proxy_protocol; - server { - listen 80 proxy_protocol; - listen 443 ssl proxy_protocol; - # set_real_ip_from 10.7.0.0/24; - } - ssl_certificate /var/lib/acme/quack.social/cert.pem; ssl_certificate_key /var/lib/acme/quack.social/key.pem; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $proxy_protocol_addr; - proxy_set_header X-Forwarded-For $proxy_protocol_addr; + # proxy_set_header Host $host; + # proxy_set_header X-Real-IP $proxy_protocol_addr; + # proxy_set_header X-Forwarded-For $proxy_protocol_addr; # Add HSTS header with preloading to HTTPS requests. # Do not add HSTS header to HTTP requests. 
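Review bot: `allowedTCPPorts = [ 9001 ]` in monitoring.nix is commented out rather than removed, so it is unclear whether 9001 is now meant to be unreachable or reachable only over the tailnet added in this commit. If the latter, state it and scope it: `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 9001 ];` — that keeps the port closed on public interfaces without depending on whatever listens on 9001 (defined above this hunk) binding to a specific address.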
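Review bot: The proxy-protocol setup in nginx.nix is commented out rather than deleted — `defaultListen`, the three `proxy_set_header` lines, and the lingering `# real_ip_header proxy_protocol;` — which leaves a reader guessing whether the fronting proxy is gone for good or only disabled for a test; git keeps the history, so delete the dead lines, or keep a single comment such as `# proxy_protocol frontend removed <date>; nginx now terminates client connections directly`. With those lines gone, `recommendedProxySettings = true` (visible at the top of this hunk) is what now sets `X-Forwarded-For`/`X-Real-IP` for upstreams, so any upstream that trusts those headers (ntfy in this repo has `behind-proxy = true`) now sees addresses derived from the direct client connection; that is only correct if nothing else sits in front of nginx, which cannot be confirmed from this hunk. The `ssl_certificate` directives for quack.social stay at http level and therefore apply to every virtual host without its own certificate, which is worth stating in a comment if intended.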
@@ -98,19 +92,6 @@ add_header pronouns "any but neopronouns"; add_header locale "[en_US, nl_NL]"; ''; - appendConfig = '' - # https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/ - # set_real_ip_from 213.210.34.27; - - # real_ip_header proxy_protocol; - - # proxy_set_header Host $host; - # proxy_set_header X-Real-IP $proxy_protocol_addr; - # proxy_set_header X-Forwarded-For $proxy_protocol_addr; - # proxy_set_header X-Forwarded-Proto $scheme; - # proxy_set_header X-Forwarded-Host $host; - # proxy_set_header X-Forwarded-Server $host; - ''; }; networking.firewall = { allowedTCPPorts = [ diff --git a/modules/services/ntfy.nix b/modules/services/ntfy.nix index 19c3fba..bdd592e 100644 --- a/modules/services/ntfy.nix +++ b/modules/services/ntfy.nix @@ -12,7 +12,7 @@ in listen-http = "127.0.0.1:${toString port}"; behind-proxy = true; visitor-attachment-daily-bandwidth-limit = "10M"; - visitor-request-limit-burst = 5; + visitor-request-limit-burst = 15; visitor-request-limit-replenish = "15s"; }; }; diff --git a/modules/services/violet.nix b/modules/services/violet.nix index 85b483d..5c43ba1 100644 --- a/modules/services/violet.nix +++ b/modules/services/violet.nix @@ -20,6 +20,7 @@ ++ [ (import ./nginx.nix) ] # ++ [(import ./komga.nix)] ++ [ (import ./radicale.nix) ] + ++ [ (import ./tailscale.nix) ] ++ [ (import ./readarr.nix) ]; # ++ [(import ./smart-monitoring.nix)] # ++ [(import ./jitsi-meet.nix)]
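Review bot: Raising `visitor-request-limit-burst` from 5 to 15 in ntfy.nix triples what one visitor can send before the 15-second replenish applies; acceptable for a personal instance, but with `behind-proxy = true` the "visitor" is whatever nginx places in `X-Forwarded-For`, and this same commit comments out the explicit `proxy_set_header` lines in nginx.nix, leaving only `recommendedProxySettings` to supply the header. If that header were ever absent, every client would collapse into the 127.0.0.1 bucket and share one burst of 15, so record the assumption next to the value: `# per visitor IP as seen in X-Forwarded-For (set by nginx recommendedProxySettings); 15 burst, 1 per 15s refill`.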