chore: merge remote-tracking branch 'refs/remotes/origin/master'

hosts/dandelion/default.nix

@@ -12,6 +12,10 @@
     ./../../modules/services/dandelion.nix
   ];
 
+  users.users.liv.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLdcB5JFWx6OK2BAr8J0wPHNhr2VP2/Ci6fv3a+DPfo liv@violet" # allow violet to log in over ssh to do back ups
+  ];
+
   networking.hostName = "dandelion";
 
   liv.server.enable = true;

hosts/sakura/hardware-configuration.nix

@@ -1,29 +1,44 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
 
 {
-  imports =
+  imports = [
-    [ (modulesPath + "/installer/scan/not-detected.nix")
+    (modulesPath + "/installer/scan/not-detected.nix")
   ];
 
-  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" ];
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "xhci_pci"
+    "thunderbolt"
+    "usb_storage"
+    "sd_mod"
+  ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-amd" ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" =
+  fileSystems."/" = {
-    { device = "/dev/disk/by-uuid/24035f97-746a-4aec-b1d8-696bc32d3c97";
+    device = "/dev/disk/by-uuid/24035f97-746a-4aec-b1d8-696bc32d3c97";
     fsType = "ext4";
   };
 
-  boot.initrd.luks.devices."luks-156453ac-bbad-452c-ad92-4fc569db9347".device = "/dev/disk/by-uuid/156453ac-bbad-452c-ad92-4fc569db9347";
+  boot.initrd.luks.devices."luks-root".device = "/dev/nvme0n1p3";
 
-  fileSystems."/boot" =
+  fileSystems."/boot" = {
-    { device = "/dev/disk/by-uuid/0EFD-4B3F";
+    device = "/dev/disk/by-uuid/0EFD-4B3F";
     fsType = "vfat";
-      options = [ "fmask=0022" "dmask=0022" ];
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+    ];
   };
 
   swapDevices = [ ];

hosts/violet/backups.nix

@@ -0,0 +1,54 @@
+let
+  borgbackupMonitor =
+    {
+      config,
+      pkgs,
+      lib,
+      ...
+    }:
+    with lib;
+    {
+      key = "borgbackupMonitor";
+      _file = "borgbackupMonitor";
+      config.systemd.services =
+        {
+          "notify-problems@" = {
+            enable = true;
+            serviceConfig.User = "liv";
+            environment.SERVICE = "%i";
+            script = ''
+              ${pkgs.curl}/bin/curl -d "$SERVICE FAILED! - service $SERVICE on host $(hostname) failed, run journalctl -u $SERVICE for details."
+            '';
+          };
+        }
+        // flip mapAttrs' config.services.borgbackup.jobs (
+          name: value:
+          nameValuePair "borgbackup-job-${name}" {
+            unitConfig.OnFailure = "notify-problems@%i.service";
+          }
+        );
+
+      # optional, but this actually forces backup after boot in case laptop was powered off during scheduled event
+      # for example, if you scheduled backups daily, your laptop should be powered on at 00:00
+      config.systemd.timers = flip mapAttrs' config.services.borgbackup.jobs (
+        name: value:
+        nameValuePair "borgbackup-job-${name}" {
+          timerConfig.Persistent = true;
+        }
+      );
+    };
+
+in
+{
+  imports = [ borgbackupMonitor ];
+  services = {
+    borgbackup.jobs.liv-violet = {
+      paths = "/home/liv";
+      encryption.mode = "none";
+      environment.BORG_RSH = "ssh -i /home/liv/.ssh/id_ed25519";
+      repo = "ssh://liv@100.115.178.50:9123/spinners/rootvol/backups/hosts/violet";
+      compression = "auto,zstd";
+      startAt = "daily";
+    };
+  };
+}

hosts/violet/default.nix

@@ -9,6 +9,7 @@
     ./hardware-configuration.nix
     ./../../modules/core/default.server.nix
     ./../../modules/services/violet.nix
+    # ./backups.nix # disable for now, test first.
   ];
 
   networking.hostName = "violet";
@@ -24,15 +25,16 @@
     pkgs.kitty.terminfo
   ];
 
-  services.smartd = {
+  services = {
+    smartd = {
       enable = lib.mkForce false;
       autodetect = lib.mkForce false;
     };
+    xserver.videoDrivers = [ "nvidia" ];
+  };
 
   liv.nvidia.enable = true;
 
-  services.xserver.videoDrivers = [ "nvidia" ];
-
   boot = {
     loader.grub = {
       enable = true;

hosts/yoshino/default.nix

@@ -23,7 +23,7 @@
     desktop.enable = true;
     creative.enable = true;
     amdgpu.enable = true;
-    wine.enable = true;
+    wine.enable = false;
     gui.enable = true;
   };
 

modules/core/printing.nix

@@ -1,7 +1,7 @@
 { pkgs, ... }:
 {
   services.avahi = {
-    enable = true;
+    enable = false;
     nssmdns4 = true;
     openFirewall = true;
   };

modules/core/sshd.nix

@@ -2,7 +2,7 @@
 {
   services.openssh = {
     enable = true;
-    ports = [ 22 ];
+    ports = [ 9123 ];
     settings = {
       PasswordAuthentication = lib.mkDefault false;
       AllowUsers = null;

modules/services/dandelion.nix

@@ -7,5 +7,6 @@
     ++ [ (import ./home-assistant.nix) ]
     ++ [ (import ./monitoring.nix) ]
     ++ [ (import ./smart-monitoring.nix) ]
+    ++ [ (import ./tailscale.nix) ]
     ++ [ (import ./hd-idle.nix) ];
 }

modules/services/monitoring.nix

@@ -23,9 +23,9 @@
       ];
     };
   };
-  networking.firewall = {
+  # networking.firewall = {
-    allowedTCPPorts = [
+  # allowedTCPPorts = [
-      9001
+  # 9001
-    ];
+  # ];
-  };
+  # };
 }

modules/services/mumble.nix

@@ -2,6 +2,6 @@
 {
   services.murmur = {
     enable = true;
-    openFirewall = true;
+    openFirewall = false;
   };
 }

modules/services/nginx.nix

@@ -37,41 +37,35 @@
     recommendedProxySettings = true;
     clientMaxBodySize = lib.mkDefault "10G";
 
-    defaultListen =
+    #defaultListen =
-      let
+    #  let
-        listen = [
+    #    listen = [
-          {
+    #      {
-            addr = "[::]";
+    #        addr = "[::]";
-            port = 80;
+    #        port = 80;
-            extraParameters = [ "proxy_protocol" ];
+    #        extraParameters = [ "proxy_protocol" ];
-          }
+    #      }
-          {
+    #      {
-            addr = "[::]";
+    #        addr = "[::]";
-            port = 443;
+    #        port = 443;
-            ssl = true;
+    #        ssl = true;
-            extraParameters = [ "proxy_protocol" ];
+    #        extraParameters = [ "proxy_protocol" ];
-          }
+    #      }
-        ];
+    #    ];
-      in
+    #  in
-      map (x: (x // { addr = "0.0.0.0"; })) listen ++ listen;
+    #  map (x: (x // { addr = "0.0.0.0"; })) listen ++ listen;
 
     # Hardened TLS and HSTS preloading
     appendHttpConfig = ''
       # Proxying
       # real_ip_header proxy_protocol;
 
-      server {
-        listen 80   proxy_protocol;
-        listen 443  ssl proxy_protocol;
-        # set_real_ip_from 10.7.0.0/24;
-      }
-
       ssl_certificate /var/lib/acme/quack.social/cert.pem;
       ssl_certificate_key /var/lib/acme/quack.social/key.pem;
 
-      proxy_set_header Host            $host;
+      # proxy_set_header Host            $host;
-      proxy_set_header X-Real-IP       $proxy_protocol_addr;
+      # proxy_set_header X-Real-IP       $proxy_protocol_addr;
-      proxy_set_header X-Forwarded-For $proxy_protocol_addr;
+      # proxy_set_header X-Forwarded-For $proxy_protocol_addr;
 
       # Add HSTS header with preloading to HTTPS requests.
       # Do not add HSTS header to HTTP requests.
@@ -98,19 +92,6 @@
       add_header pronouns "any but neopronouns";
       add_header locale "[en_US, nl_NL]";
     '';
-    appendConfig = ''
-      # https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
-      # set_real_ip_from 213.210.34.27;
-
-      # real_ip_header proxy_protocol;
-
-      # proxy_set_header Host               $host;
-      # proxy_set_header X-Real-IP          $proxy_protocol_addr;
-      # proxy_set_header X-Forwarded-For    $proxy_protocol_addr;
-      # proxy_set_header X-Forwarded-Proto  $scheme;
-      # proxy_set_header X-Forwarded-Host   $host;
-      # proxy_set_header X-Forwarded-Server $host;
-    '';
   };
   networking.firewall = {
     allowedTCPPorts = [

modules/services/ntfy.nix

@@ -12,7 +12,7 @@ in
         listen-http = "127.0.0.1:${toString port}";
         behind-proxy = true;
         visitor-attachment-daily-bandwidth-limit = "10M";
-        visitor-request-limit-burst = 5;
+        visitor-request-limit-burst = 15;
         visitor-request-limit-replenish = "15s";
       };
     };

modules/services/violet.nix

@@ -20,6 +20,7 @@
     ++ [ (import ./nginx.nix) ]
     # ++ [(import ./komga.nix)]
     ++ [ (import ./radicale.nix) ]
+    ++ [ (import ./tailscale.nix) ]
     ++ [ (import ./readarr.nix) ];
   # ++ [(import ./smart-monitoring.nix)]
   # ++ [(import ./jitsi-meet.nix)]