fw/nix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'main' of github.com:fwastring/nix

Browse source
This commit is contained in:
fwastring 2025-04-07 14:20:47 +02:00
commit 3d54b62018
6 changed files with 398 additions and 164 deletions
Download patch file Download diff file Expand all files Collapse all files

7
flake.nix
View file

@ -92,6 +92,13 @@
};
modules = [ ./maskiner/lillen/configuration.nix ];
};
macmini = nixpkgs.lib.nixosSystem {
specialArgs = {
inherit inputs outputs;
myhostname = "macmini";
};
modules = [ ./maskiner/macmini/configuration.nix ];
};
};
# Standalone home-manager configuration entrypoint

25
maskiner/desktop/configuration.nix
View file

@ -21,26 +21,45 @@
];
networking.firewall = {
enable = true;
allowedTCPPorts = [ 80 443 3000 8384 22000];
allowedTCPPorts = [ 8384 22000];
allowedUDPPortRanges = [
{ from = 4000; to = 4007; }
{ from = 8000; to = 8010; }
];
};
services.k3s = {
enable = true;
role = "server";
token = "supersupersecretkey";
extraFlags = toString ([
"--write-kubeconfig-mode \"0644\""
"--cluster-init"
"--disable local-storage"
"--disable traefik"
]);
clusterInit = true;
};
services.openiscsi = {
enable = true;
name = "iqn.2016-04.com.open-iscsi:desktop";
};
networking.firewall.allowedUDPPorts = [ 22000 21027 ];
services = {
openssh = {
enable = true;
ports = [55502];
# ports = [55502];
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
X11Forwarding = true;
};
extraConfig = ''
AllowUsers fw ios
AllowUsers fw ios jw
'';
};
syncthing = {

53
maskiner/macmini/configuration.nix Normal file
View file

@ -0,0 +1,53 @@
# This is your system's configuration file.
# Use this to configure your system environment (it replaces /etc/nixos/configuration.nix)
{
inputs,
lib,
config,
pkgs,
myhostname,
...
}: {
# You can import other NixOS modules here
imports = [
./hardware-configuration.nix
../../config/users.nix
];
environment.systemPackages = with pkgs; [
unstable.lego
];
networking.firewall = {
enable = true;
allowedTCPPorts = [ 80 443 3000 8384 22000];
allowedUDPPortRanges = [
{ from = 4000; to = 4007; }
{ from = 8000; to = 8010; }
];
};
networking.firewall.allowedUDPPorts = [ 22000 21027 ];
services = {
openssh = {
enable = true;
ports = [22];
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
X11Forwarding = true;
};
extraConfig = ''
AllowUsers fw
'';
};
};
security.rtkit.enable = true;
networking.hostName = myhostname;
services.xserver.dpi = 100;
system.stateVersion = "24.11";
}

39
maskiner/macmini/hardware-configuration.nix Normal file
View file

@ -0,0 +1,39 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ohci_pci" "ehci_pci" "ahci" "firewire_ohci" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" "wl" ];
boot.extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/1c7e7116-3486-45a8-90c0-d3deea8e96b0";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/B70D-941F";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp3s0b1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

6
maskiner/server/configuration.nix
View file

@ -30,7 +30,7 @@
];
fileSystems."/data" = {
fsType = "fuse.mergerfs";
device = "/mnt/drive*";
device = "/mnt/extern*";
options = ["cache.files=partial" "dropcacheonclose=true" "category.create=mfs"];
};
@ -96,7 +96,11 @@
console.keyMap = "sv-latin1";
programs.zsh.enable = true;
security.auditd.enable = true;
services = {
fail2ban = {
enable = true;
};
xserver = {
enable = true;
displayManager = {

196
shared/nginx.nix
View file

@ -15,21 +15,120 @@
recommendedTlsSettings = true;
virtualHosts = {
"brfmidgard.se" = {
sslCertificateKey = "/etc/letsencrypt/archive/brfmidgard.se/privkey1.pem";
sslCertificate = "/etc/letsencrypt/archive/brfmidgard.se/fullchain1.pem";
forceSSL = true;
locations."/" = {
proxyPass = "http://172.17.0.1:8005";
proxyWebsockets = true;
};
};
# "pass.brfmidgard.se" = {
# sslCertificateKey = "/etc/letsencrypt/archive/brfmidgard.se/privkey1.pem";
# sslCertificate = "/etc/letsencrypt/archive/brfmidgard.se/fullchain1.pem";
# forceSSL = true;
# locations."/" = {
# proxyPass = "http://172.17.0.1:21456";
# proxyWebsockets = true;
# };
# };
# "drive.brfmidgard.se" = {
# sslCertificateKey = "/etc/letsencrypt/archive/brfmidgard.se/privkey1.pem";
# sslCertificate = "/etc/letsencrypt/archive/brfmidgard.se/fullchain1.pem";
# forceSSL = true;
# locations."/" = {
# proxyPass = "http://172.16.57.1:13001";
# proxyWebsockets = true;
# };
# };
# "sandbox.brfmidgard.se" = {
# forceSSL = true;
# sslCertificateKey = "/etc/letsencrypt/archive/brfmidgard.se/privkey1.pem";
# sslCertificate = "/etc/letsencrypt/archive/brfmidgard.se/fullchain1.pem";
# locations."/" = {
# proxyPass = "http://172.16.57.1:13001";
# proxyWebsockets = true;
# };
# };
# "todo.brfmidgard.se" = {
# forceSSL = true;
# sslCertificateKey = "/etc/letsencrypt/archive/brfmidgard.se/privkey1.pem";
# sslCertificate = "/etc/letsencrypt/archive/brfmidgard.se/fullchain1.pem";
# locations."/" = {
# proxyPass = "http://172.17.0.1:13456";
# proxyWebsockets = true;
# };
# };
"wastring.com" = {
sslCertificateKey = "/certs/.lego/certificates/wastring.com.key";
sslCertificate = "/certs/.lego/certificates/wastring.com.crt";
forceSSL = true;
locations."/" = {
proxyPass = "http://172.17.0.1:8081";
proxyPass = "http://172.17.0.1:8003";
proxyWebsockets = true;
};
};
"pico.wastring.com" = {
"calibre.wastring.com" = {
sslCertificateKey = "/certs/.lego/certificates/wastring.com.key";
sslCertificate = "/certs/.lego/certificates/wastring.com.crt";
forceSSL = true;
locations."/" = {
proxyPass = "http://172.17.0.1:6976";
proxyPass = "http://172.17.0.1:8880";
proxyWebsockets = true;
};
};
"download.wastring.com" = {
sslCertificateKey = "/certs/.lego/certificates/wastring.com.key";
sslCertificate = "/certs/.lego/certificates/wastring.com.crt";
forceSSL = true;
locations."/" = {
proxyPass = "http://172.17.0.1:28000";
proxyWebsockets = true;
};
};
"books.wastring.com" = {
sslCertificateKey = "/certs/.lego/certificates/wastring.com.key";
sslCertificate = "/certs/.lego/certificates/wastring.com.crt";
forceSSL = true;
locations."/" = {
proxyPass = "http://172.17.0.1:8083";
proxyWebsockets = true;
};
};
"rss.wastring.com" = {
sslCertificateKey = "/certs/.lego/certificates/wastring.com.key";
sslCertificate = "/certs/.lego/certificates/wastring.com.crt";
forceSSL = true;
locations."/" = {
proxyPass = "http://172.16.59.1:18080";
proxyWebsockets = true;
};
};
"shop.wastring.com" = {
sslCertificateKey = "/certs/.lego/certificates/wastring.com.key";
sslCertificate = "/certs/.lego/certificates/wastring.com.crt";
forceSSL = true;
locations."/" = {
proxyPass = "http://172.17.0.1:8980";
proxyWebsockets = true;
};
};
"todo.wastring.com" = {
sslCertificateKey = "/certs/.lego/certificates/wastring.com.key";
sslCertificate = "/certs/.lego/certificates/wastring.com.crt";
forceSSL = true;
locations."/" = {
proxyPass = "http://172.16.58.1:3456";
proxyWebsockets = true;
};
};
"secret.wastring.com" = {
sslCertificateKey = "/certs/.lego/certificates/wastring.com.key";
sslCertificate = "/certs/.lego/certificates/wastring.com.crt";
forceSSL = true;
locations."/" = {
proxyPass = "http://172.17.0.1:3004";
proxyWebsockets = true;
};
};
@ -49,6 +148,9 @@
locations."/" = {
proxyPass = "http://172.17.0.1:2283";
proxyWebsockets = true;
extraConfig = ''
client_max_body_size 0;
'';
};
};
"git.wastring.com" = {
@ -83,7 +185,8 @@
sslCertificate = "/certs/.lego/certificates/wastring.com.crt";
forceSSL = true;
locations."/" = {
proxyPass = "http://172.17.0.1:8081";
# proxyPass = "http://172.17.0.1:8081";
proxyPass = "http://172.17.0.1:38080";
proxyWebsockets = true;
};
};
@ -114,15 +217,6 @@
proxyPass = "http://172.17.0.1:8380";
proxyWebsockets = true;
};
};
"text.wastring.com" = {
sslCertificateKey = "/certs/.lego/certificates/wastring.com.key";
sslCertificate = "/certs/.lego/certificates/wastring.com.crt";
forceSSL = true;
locations."/" = {
proxyPass = "http://172.17.0.1:7000";
proxyWebsockets = true;
};
};
"docs.wastring.com" = {
sslCertificateKey = "/certs/.lego/certificates/wastring.com.key";
@ -132,15 +226,6 @@
proxyPass = "http://172.17.0.1:8000";
proxyWebsockets = true;
};
};
"carpool.wastring.com" = {
sslCertificateKey = "/certs/.lego/certificates/wastring.com.key";
sslCertificate = "/certs/.lego/certificates/wastring.com.crt";
forceSSL = true;
locations."/" = {
proxyPass = "http://172.17.0.1:8080";
proxyWebsockets = true;
};
};
"search.wastring.com" = {
sslCertificateKey = "/certs/.lego/certificates/wastring.com.key";
@ -159,24 +244,6 @@
proxyPass = "http://localhost:3080";
proxyWebsockets = true;
};
};
"yt.wastring.com" = {
sslCertificateKey = "/certs/.lego/certificates/wastring.com.key";
sslCertificate = "/certs/.lego/certificates/wastring.com.crt";
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:40000";
proxyWebsockets = true;
};
};
"talk.wastring.com" = {
sslCertificateKey = "/certs/.lego/certificates/wastring.com.key";
sslCertificate = "/certs/.lego/certificates/wastring.com.crt";
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:9000";
proxyWebsockets = true;
};
};
"soulseek.wastring.com" = {
sslCertificateKey = "/certs/.lego/certificates/wastring.com.key";
@ -196,12 +263,57 @@
proxyWebsockets = true;
};
};
"ha.wastring.com" = {
"status.wastring.com" = {
sslCertificateKey = "/certs/.lego/certificates/wastring.com.key";
sslCertificate = "/certs/.lego/certificates/wastring.com.crt";
forceSSL = true;
locations."/" = {
proxyPass = "http://172.17.0.1:8123";
proxyPass = "http://172.17.0.1:3008";
proxyWebsockets = true;
};
};
"music.wastring.com" = {
sslCertificateKey = "/certs/.lego/certificates/wastring.com.key";
sslCertificate = "/certs/.lego/certificates/wastring.com.crt";
forceSSL = true;
locations."/" = {
proxyPass = "http://172.17.0.1:4747";
proxyWebsockets = true;
};
};
"wedding.wastring.com" = {
sslCertificateKey = "/certs/.lego/certificates/wastring.com.key";
sslCertificate = "/certs/.lego/certificates/wastring.com.crt";
forceSSL = true;
locations."/" = {
proxyPass = "http://172.17.0.1:8002";
proxyWebsockets = true;
};
};
"message.wastring.com" = {
sslCertificateKey = "/certs/.lego/certificates/wastring.com.key";
sslCertificate = "/certs/.lego/certificates/wastring.com.crt";
forceSSL = true;
locations."/" = {
proxyPass = "http://172.17.0.1:2203";
proxyWebsockets = true;
};
};
"filmer.wastring.com" = {
sslCertificateKey = "/certs/.lego/certificates/wastring.com.key";
sslCertificate = "/certs/.lego/certificates/wastring.com.crt";
forceSSL = true;
locations."/" = {
proxyPass = "http://192.168.80.1:8096";
proxyWebsockets = true;
};
};
"kube.wastring.com" = {
sslCertificateKey = "/certs/.lego/certificates/wastring.com.key";
sslCertificate = "/certs/.lego/certificates/wastring.com.crt";
forceSSL = true;
locations."/" = {
proxyPass = "http://192.168.1.100";
proxyWebsockets = true;
};
};