From 07cfed44d332801fc4a3950239837f9938857702 Mon Sep 17 00:00:00 2001 
From: Dmitry Voronin
Date: Mon, 2 Dec 2024 21:12:45 +0300
Subject: [PATCH] Goodbye containers.
---
 container/Change.nix | 52 -----
 container/Chat.nix | 72 ------
 container/Cloud.nix | 104 --------
 container/Dns.nix | 127 ----------
 container/Download.nix | 63 ------
 container/Frkn.nix | 124 ---------
 container/Git.nix | 129 ----------
 container/Home.nix | 54 -----
 container/Iot.nix | 119 ---------
 container/Jobber.nix | 79 -------
 container/Mail.nix | 224 -------------------
 container/Office.nix | 101 --------
 container/Paper.nix | 99 -------
 container/Pass.nix | 59 -----
 container/Paste.nix | 134 ----------
 container/Postgres.nix | 95 -------
 container/Print.nix | 72 ------
 container/Proxy.nix | 94 -------
 container/Rabbitmq.nix | 53 -----
 container/Read.nix | 59 -----
 container/Redis.nix | 35 ---
 container/Search.nix | 138 -----------
 container/Status.nix | 66 ------
 container/Stock.nix | 62 -----
 container/Terraria.nix | 60 -----
 container/Vpn.nix | 122 ---------
 container/Watch.nix | 87 -------
 container/Yt.nix | 65 ------
 container/default.nix | 57 -----
 container/proxy/host/Camera.nix | 30 ---
 container/proxy/host/Change.nix | 33 ---
 container/proxy/host/Chat.nix | 31 ---
 container/proxy/host/Cloud.nix | 34 ---
 container/proxy/host/Download.nix | 30 ---
 container/proxy/host/Git.nix | 33 ---
 container/proxy/host/Home.nix | 30 ---
 container/proxy/host/Iot.nix | 37 ---
 container/proxy/host/Mail.nix | 30 ---
 container/proxy/host/Office.nix | 31 ---
 container/proxy/host/Paper.nix | 30 ---
 container/proxy/host/Pass.nix | 30 ---
 container/proxy/host/Paste.nix | 29 ---
 container/proxy/host/Print.nix | 35 ---
 container/proxy/host/Printer.nix | 32 ---
 container/proxy/host/Read.nix | 30 ---
 container/proxy/host/Resume.nix | 26 ---
 container/proxy/host/Router.nix | 32 ---
 container/proxy/host/Search.nix | 30 ---
 container/proxy/host/Status.nix | 37 ---
 container/proxy/host/Stock.nix | 30 ---
 container/proxy/host/Watch.nix | 30 ---
 container/proxy/host/Yt.nix | 40 ----
 flake.nix | 8 +-
 host/x86_64-linux/home/Backup.nix | 22 +-
 host/x86_64-linux/home/Bind.nix | 40 ++++
 host/x86_64-linux/home/Blocky.nix | 97 ++++++++
 host/x86_64-linux/home/Change.nix | 9 +
 host/x86_64-linux/home/Container.nix | 88 --------
 host/x86_64-linux/home/Cups.nix | 22 ++
 host/x86_64-linux/home/Ddns.nix | 23 ++
 host/x86_64-linux/home/Deluge.nix | 14 ++
 host/x86_64-linux/home/Forgejo.nix | 54 +++++
 host/x86_64-linux/home/Frkn.nix | 41 ++++
 host/x86_64-linux/home/Grocy.nix | 16 ++
 host/x86_64-linux/home/Hass.nix | 45 ++++
 host/x86_64-linux/home/Homer.nix | 15 ++
 host/x86_64-linux/home/Invidious.nix | 31 +++
 host/x86_64-linux/home/Jellyfin.nix | 14 ++
 host/x86_64-linux/home/Jobber.nix | 70 ++++++
 host/x86_64-linux/home/Kavita.nix | 13 ++
 host/x86_64-linux/home/Mailserver.nix | 166 ++++++++++++++
 host/x86_64-linux/home/Network.nix | 95 +++-----
 host/x86_64-linux/home/Nextcloud.nix | 38 ++++
 host/x86_64-linux/home/Nginx.nix | 50 +++++
 host/x86_64-linux/home/OnlyOffice.nix | 20 ++
 host/x86_64-linux/home/Ovpn.nix | 62 +++++
 host/x86_64-linux/home/Paperless.nix | 24 ++
 host/x86_64-linux/home/Postgres.nix | 48 ++++
 host/x86_64-linux/home/Privatebin.nix | 45 ++++
 host/x86_64-linux/home/Rabbitmq.nix | 8 +
 host/x86_64-linux/home/Redis.nix | 9 +
 host/x86_64-linux/home/SearX.nix | 108 +++++++++
 host/x86_64-linux/home/Terraria.nix | 20 ++
 host/x86_64-linux/home/UptimeKuma.nix | 19 ++
 host/x86_64-linux/home/Vaultwarden.nix | 15 ++
 host/x86_64-linux/home/nginx/Camera.nix | 20 ++
 host/x86_64-linux/home/nginx/Change.nix | 23 ++
 host/x86_64-linux/home/nginx/Cups.nix | 25 +++
 host/x86_64-linux/home/nginx/Deluge.nix | 20 ++
 host/x86_64-linux/home/nginx/Forgejo.nix | 24 ++
 host/x86_64-linux/home/nginx/Grocy.nix | 30 +++
 host/x86_64-linux/home/nginx/Hass.nix | 27 +++
 host/x86_64-linux/home/nginx/Homer.nix | 20 ++
 host/x86_64-linux/home/nginx/Invidious.nix | 30 +++
 host/x86_64-linux/home/nginx/Jellyfin.nix | 20 ++
 host/x86_64-linux/home/nginx/Kavita.nix | 20 ++
 host/x86_64-linux/home/nginx/Mailserver.nix | 29 +++
 host/x86_64-linux/home/nginx/Nextcloud.nix | 22 ++
 host/x86_64-linux/home/nginx/OnlyOffice.nix | 21 ++
 host/x86_64-linux/home/nginx/Paperless.nix | 20 ++
 host/x86_64-linux/home/nginx/Printer.nix | 20 ++
 host/x86_64-linux/home/nginx/Privatebin.nix | 44 ++++
 host/x86_64-linux/home/nginx/Resume.nix | 20 ++
 host/x86_64-linux/home/nginx/Router.nix | 20 ++
 host/x86_64-linux/home/nginx/SearX.nix | 20 ++
 host/x86_64-linux/home/nginx/UptimeKuma.nix | 20 ++
 host/x86_64-linux/home/nginx/Valutwarden.nix | 20 ++
 lib/Container.nix | 83 -------
 package/homer/Config.nix | 38 ++--
 package/jobber/project/jobber/__init__.py | 4 +-
 package/privatebin/Config.nix | 2 +-
 user/Dasha.nix | 4 +-
 112 files changed, 1716 insertions(+), 3614 deletions(-)
 delete mode 100644 container/Change.nix
 delete mode 100644 container/Chat.nix
 delete mode 100644 container/Cloud.nix
 delete mode 100644 container/Dns.nix
 delete mode 100644 container/Download.nix
 delete mode 100644 container/Frkn.nix
 delete mode 100644 container/Git.nix
 delete mode 100644 container/Home.nix
 delete mode 100644 container/Iot.nix
 delete mode 100644 container/Jobber.nix
 delete mode 100644 container/Mail.nix
 delete mode 100644 container/Office.nix
 delete mode 100644 container/Paper.nix
 delete mode 100644 container/Pass.nix
 delete mode 100644 container/Paste.nix
 delete mode 100644 container/Postgres.nix
 delete mode 100644 container/Print.nix
 delete mode 100644 container/Proxy.nix
 delete mode 100644 container/Rabbitmq.nix
 delete mode 100644 container/Read.nix
 delete mode 100644 container/Redis.nix
 delete mode 100644 container/Search.nix
 delete mode 100644 container/Status.nix
 delete mode 100644 container/Stock.nix
 delete mode 100644 container/Terraria.nix
 delete mode 100644 container/Vpn.nix
 delete mode 100644 container/Watch.nix
 delete mode 100644 container/Yt.nix
 delete mode 100644 container/default.nix
 delete mode 100644 container/proxy/host/Camera.nix
 delete mode 100644 container/proxy/host/Change.nix
 delete mode 100644 container/proxy/host/Chat.nix
 delete mode 100644 container/proxy/host/Cloud.nix
 delete mode 100644 container/proxy/host/Download.nix
 delete mode 100644 container/proxy/host/Git.nix
 delete mode 100644 container/proxy/host/Home.nix
 delete mode 100644 container/proxy/host/Iot.nix
 delete mode 100644 container/proxy/host/Mail.nix
 delete mode 100644 container/proxy/host/Office.nix
 delete mode 100644 container/proxy/host/Paper.nix
 delete mode 100644 container/proxy/host/Pass.nix
 delete mode 100644 container/proxy/host/Paste.nix
 delete mode 100644 container/proxy/host/Print.nix
 delete mode 100644 container/proxy/host/Printer.nix
 delete mode 100644 container/proxy/host/Read.nix
 delete mode 100644 container/proxy/host/Resume.nix
 delete mode 100644 container/proxy/host/Router.nix
 delete mode 100644 container/proxy/host/Search.nix
 delete mode 100644 container/proxy/host/Status.nix
 delete mode 100644 container/proxy/host/Stock.nix
 delete mode 100644 container/proxy/host/Watch.nix
 delete mode 100644 container/proxy/host/Yt.nix
 create mode 100644 host/x86_64-linux/home/Bind.nix
 create mode 100644 host/x86_64-linux/home/Blocky.nix
 create mode 100644 host/x86_64-linux/home/Change.nix
 delete mode 100644 host/x86_64-linux/home/Container.nix
 create mode 100644 host/x86_64-linux/home/Cups.nix
 create mode 100644 host/x86_64-linux/home/Ddns.nix
 create mode 100644 host/x86_64-linux/home/Deluge.nix
 create mode 100644 host/x86_64-linux/home/Forgejo.nix
 create mode 100644 host/x86_64-linux/home/Frkn.nix
 create mode 100644 host/x86_64-linux/home/Grocy.nix
 create mode 100644 host/x86_64-linux/home/Hass.nix
 create mode 100644 host/x86_64-linux/home/Homer.nix
 create mode 100644 host/x86_64-linux/home/Invidious.nix
 create mode 100644 host/x86_64-linux/home/Jellyfin.nix
 create mode 100644 host/x86_64-linux/home/Jobber.nix
 create mode 100644 host/x86_64-linux/home/Kavita.nix
 create mode 100644 host/x86_64-linux/home/Mailserver.nix
 create mode 100644 host/x86_64-linux/home/Nextcloud.nix
 create mode 100644 host/x86_64-linux/home/Nginx.nix
 create mode 100644 host/x86_64-linux/home/OnlyOffice.nix
 create mode 100644 host/x86_64-linux/home/Ovpn.nix
 create mode 100644 host/x86_64-linux/home/Paperless.nix
 create mode 100644 host/x86_64-linux/home/Postgres.nix
 create mode 100644 host/x86_64-linux/home/Privatebin.nix
 create mode 100644 host/x86_64-linux/home/Rabbitmq.nix
 create mode 100644 host/x86_64-linux/home/Redis.nix
 create mode 100644 host/x86_64-linux/home/SearX.nix
 create mode 100644 host/x86_64-linux/home/Terraria.nix
 create mode 100644 host/x86_64-linux/home/UptimeKuma.nix
 create mode 100644 host/x86_64-linux/home/Vaultwarden.nix
 create mode 100644 host/x86_64-linux/home/nginx/Camera.nix
 create mode 100644 host/x86_64-linux/home/nginx/Change.nix
 create mode 100644 host/x86_64-linux/home/nginx/Cups.nix
 create mode 100644 host/x86_64-linux/home/nginx/Deluge.nix
 create mode 100644 host/x86_64-linux/home/nginx/Forgejo.nix
 create mode 100644 host/x86_64-linux/home/nginx/Grocy.nix
 create mode 100644 host/x86_64-linux/home/nginx/Hass.nix
 create mode 100644 host/x86_64-linux/home/nginx/Homer.nix
 create mode 100644 host/x86_64-linux/home/nginx/Invidious.nix
 create mode 100644 host/x86_64-linux/home/nginx/Jellyfin.nix
 create mode 100644 host/x86_64-linux/home/nginx/Kavita.nix
 create mode 100644 host/x86_64-linux/home/nginx/Mailserver.nix
 create mode 100644 host/x86_64-linux/home/nginx/Nextcloud.nix
 create mode 100644 host/x86_64-linux/home/nginx/OnlyOffice.nix
 create mode 100644 host/x86_64-linux/home/nginx/Paperless.nix
 create mode 100644 host/x86_64-linux/home/nginx/Printer.nix
 create mode 100644 host/x86_64-linux/home/nginx/Privatebin.nix
 create mode 100644 host/x86_64-linux/home/nginx/Resume.nix
 create mode 100644 host/x86_64-linux/home/nginx/Router.nix
 create mode 100644 host/x86_64-linux/home/nginx/SearX.nix
 create mode 100644 host/x86_64-linux/home/nginx/UptimeKuma.nix
 create mode 100644 host/x86_64-linux/home/nginx/Valutwarden.nix
 delete mode 100644 lib/Container.nix
diff --git a/container/Change.nix b/container/Change.nix
deleted file mode 100644
index d3b8a344..00000000
--- a/container/Change.nix
+++ /dev/null
@@ -1,52 +0,0 @@
-{
- config,
- container,
- lib,
- ...
-}: let
- cfg = config.container.module.change;
-in {
- options.container.module.change = {
- enable = lib.mkEnableOption "the change detection service";
- address = lib.mkOption {
- default = "10.1.0.41";
- type = lib.types.str;
- };
- port = lib.mkOption {
- default = 5000;
- type = lib.types.int;
- };
- domain = lib.mkOption {
- default = "change.${config.container.domain}";
- type = lib.types.str;
- };
- storage = lib.mkOption {
- default = "${config.container.storage}/change";
- type = lib.types.str;
- };
- };
-
- config = lib.mkIf cfg.enable {
- systemd.tmpfiles.rules = container.mkContainerDir cfg [
- "data"
- ];
-
- containers.change = container.mkContainer cfg {
- bindMounts = {
- "/var/lib/changedetection-io" = {
- hostPath = "${cfg.storage}/data";
- isReadOnly = false;
- };
- };
-
- config = { ... }: container.mkContainerConfig cfg {
- services.changedetection-io = {
- enable = true;
- baseURL = cfg.domain;
- behindProxy = true;
- listenAddress = cfg.address;
- };
- };
- };
- };
-}
diff --git a/container/Chat.nix b/container/Chat.nix
deleted file mode 100644
index e6055eb4..00000000
--- a/container/Chat.nix
+++ /dev/null
@@ -1,72 +0,0 @@
-{
- config,
- container,
- lib,
- pkgs,
- ...
-}: let
- cfg = config.container.module.chat;
- db = config.container.module.postgres;
-in {
- options.container.module.chat = {
- enable = lib.mkEnableOption "the chat container.";
- address = lib.mkOption {
- default = "10.1.0.20";
- type = lib.types.str;
- };
- port = lib.mkOption {
- default = 8065;
- type = lib.types.int;
- };
- domain = lib.mkOption {
- default = "chat.${config.container.domain}";
- type = lib.types.str;
- };
- storage = lib.mkOption {
- default = "${config.container.storage}/chat";
- type = lib.types.str;
- };
- };
-
- # WIP: https://search.nixos.org/options?channel=24.05&from=0&size=50&sort=relevance&type=packages&query=mattermost
- config = lib.mkIf cfg.enable {
- systemd.tmpfiles.rules = container.mkContainerDir cfg [
- "data"
- ];
-
- containers.chat = container.mkContainer cfg {
- bindMounts = {
- "/var/lib/mattermost" = {
- hostPath = "${cfg.storage}/data";
- isReadOnly = false;
- };
- };
-
- config = { ... }: container.mkContainerConfig cfg {
- services.mattermost = {
- enable = true;
- listenAddress = ":${toString cfg.port}";
- localDatabaseCreate = false;
- mutableConfig = false;
- package = pkgs.mattermost;
- siteName = "Chat";
- siteUrl = "https://${cfg.domain}";
- statePath = "/var/lib/mattermost";
- plugins = [
- (pkgs.fetchurl rec {
- hash = "sha256-yQGBpBPgXxC+Pm6dHlbwlNEdvn6wg9neSpNNTC4YYAA=";
- url = "https://github.com/mattermost/mattermost-plugin-calls/releases/download/v${version}/mattermost-plugin-calls-v${version}.tar.gz";
- version = "1.2.0";
- })
- ];
- extraConfig = {
- SqlSettings = {
- DataSource = "postgres://mattermost:any@${db.address}:${toString db.port}/mattermost?sslmode=disable&connect_timeout=10";
- DriverName = "postgres";
- };
- };
- };
- };
- };
- };
-}
diff --git a/container/Cloud.nix b/container/Cloud.nix
deleted file mode 100644
index 00450839..00000000
--- a/container/Cloud.nix
+++ /dev/null
@@ -1,104 +0,0 @@
-{
- config,
- container,
- lib,
- pkgs,
- ...
-}: let
- cfg = config.container.module.cloud;
- postgres = config.container.module.postgres;
- proxy = config.container.module.proxy;
-in {
- options.container.module.cloud = {
- enable = lib.mkEnableOption "the file cloud service.";
- address = lib.mkOption {
- default = "10.1.0.13";
- type = lib.types.str;
- };
- port = lib.mkOption {
- default = 80;
- type = lib.types.int;
- };
- domain = lib.mkOption {
- default = "cloud.${config.container.domain}";
- type = lib.types.str;
- };
- storage = lib.mkOption {
- default = "${config.container.storage}/cloud";
- type = lib.types.str;
- };
- };
-
- config = lib.mkIf cfg.enable {
- systemd.tmpfiles.rules = container.mkContainerDir cfg [
- "data"
- ];
-
- containers.cloud = container.mkContainer cfg {
- bindMounts = {
- "/var/lib/nextcloud" = {
- hostPath = "${cfg.storage}/data";
- isReadOnly = false;
- };
- };
-
- config = { config, ... }: container.mkContainerConfig cfg {
- services.nextcloud = {
- enable = true;
- hostName = cfg.domain;
- # package = pkgs.nextcloud29;
- # phpOptions = {
- # memory_limit = lib.mkForce "20G";
- # };
- config = {
- adminpassFile = "${pkgs.writeText "NextcloudPassword" "root"}";
- adminuser = "root";
- dbhost = postgres.address;
- dbname = "nextcloud";
- dbpassFile = "${pkgs.writeText "NextcloudDbPassword" "nextcloud"}";
- dbtype = "pgsql";
- dbuser = "nextcloud";
- };
- extraApps = {
- inherit (config.services.nextcloud.package.packages.apps)
- contacts calendar onlyoffice;
- };
- extraAppsEnable = true;
- settings = {
- allow_local_remote_servers = true;
- trusted_domains = [
- cfg.address
- cfg.domain
- ];
- trusted_proxies = [
- proxy.address
- ];
- };
- };
-
- # HACK: This is required for TCP postgres connection.
- systemd = {
- services = {
- nextcloud-setup = {
- serviceConfig.PrivateNetwork = lib.mkForce false;
- wantedBy = lib.mkForce [ ];
- };
- nextcloud-update-db = {
- serviceConfig.PrivateNetwork = lib.mkForce false;
- wantedBy = lib.mkForce [ ];
- };
- };
- timers.fixsystemd = {
- timerConfig = {
- OnBootSec = 5;
- Unit = "nextcloud-setup.service";
- };
- wantedBy = [
- "timers.target"
- ];
- };
- };
- };
- };
- };
-}
diff --git a/container/Dns.nix b/container/Dns.nix
deleted file mode 100644
index b0585f1c..00000000
--- a/container/Dns.nix
+++ /dev/null
@@ -1,127 +0,0 @@
-{
- config,
- container,
- lib,
- pkgs,
- ...
-}: let
- cfg = config.container.module.dns;
-in {
- options.container.module.dns = {
- enable = lib.mkEnableOption "the DNS server.";
- address = lib.mkOption {
- default = "10.1.0.6";
- type = lib.types.str;
- };
- port = lib.mkOption {
- default = 53;
- type = lib.types.int;
- };
- };
-
- config = lib.mkIf cfg.enable {
- containers.dns = container.mkContainer cfg {
- config = { ... }: container.mkContainerConfig cfg {
- services.blocky = {
- enable = true;
- # REF: https://0xerr0r.github.io/blocky/main/configuration/
- settings = {
- bootstrapDns = "tcp+udp:1.1.1.1";
- connectIPVersion = "v4";
- ports.dns = cfg.port;
- # httpPort = "80";
- upstreams.groups = {
- default = [
- "https://dns.quad9.net/dns-query"
- ];
- };
- caching = {
- maxItemsCount = 100000;
- maxTime = "30m";
- minTime = "5m";
- prefetchExpires = "2h";
- prefetchMaxItemsCount = 100000;
- prefetchThreshold = 5;
- prefetching = true;
- };
- blocking = {
- blockTTL = "1m";
- blockType = "zeroIP";
- loading = {
- refreshPeriod = "24h";
- strategy = "blocking";
- downloads = {
- attempts = 3;
- cooldown = "10s";
- timeout = "5m";
- };
- };
- # SRC: https://oisd.nl
- # SRC: https://v.firebog.net
- denylists = {
- suspicious = [
- "https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt"
- "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" # https://github.com/StevenBlack/hosts
- "https://v.firebog.net/hosts/static/w3kbl.txt"
- ];
- ads = [
- "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext"
- "https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts"
- "https://v.firebog.net/hosts/AdguardDNS.txt"
- "https://v.firebog.net/hosts/Admiral.txt"
- "https://v.firebog.net/hosts/Easylist.txt"
- ];
- tracking = [
- "https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt"
- "https://v.firebog.net/hosts/Easyprivacy.txt"
- "https://v.firebog.net/hosts/Prigent-Ads.txt"
- ];
- malicious = [
- "https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt"
- "https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt"
- "https://phishing.army/download/phishing_army_blocklist_extended.txt"
- "https://raw.githubusercontent.com/AssoEchap/stalkerware-indicators/master/generated/hosts"
- "https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt"
- "https://urlhaus.abuse.ch/downloads/hostfile/"
- "https://v.firebog.net/hosts/Prigent-Crypto.txt"
- "https://v.firebog.net/hosts/Prigent-Malware.txt"
- ];
- other = [
- "https://big.oisd.nl/domainswild"
- "https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser"
- ];
- };
- # allowlists = {
- # other = [
- # "/.*.vk.com/"
- # ];
- # };
- clientGroupsBlock = {
- default = [
- "ads"
- "malicious"
- "other"
- "suspicious"
- "tracking"
- ];
- };
- };
- customDNS = {
- mapping = let
- block = host: { ${host} = "0.0.0.0"; };
- in {
- # All subdomains to current host.
- # ${config.container.domain} = config.container.host;
- "voronind.com" = "10.0.0.1,fd09:8d46:b26::1";
- }
- // block "gosuslugi.ru"
- // block "rutube.ru"
- // block "vk.com"
- ;
- };
- };
- };
- };
- };
-}
diff --git a/container/Download.nix b/container/Download.nix
deleted file mode 100644
index f1a0f521..00000000
--- a/container/Download.nix
+++ /dev/null
@@ -1,63 +0,0 @@
-{
- config,
- container,
- lib,
- ...
-}: let
- cfg = config.container.module.download;
-in {
- options.container.module.download = {
- enable = lib.mkEnableOption "the bit-torrent downloader.";
- address = lib.mkOption {
- default = "10.1.0.12";
- type = lib.types.str;
- };
- port = lib.mkOption {
- default = 8112;
- type = lib.types.int;
- };
- domain = lib.mkOption {
- default = "download.${config.container.domain}";
- type = lib.types.str;
- };
- storage = lib.mkOption {
- default = "${config.container.storage}/download";
- type = lib.types.str;
- };
- memLimit = lib.mkOption {
- default = "4G";
- type = lib.types.str;
- };
- };
-
- config = lib.mkIf cfg.enable {
- systemd.tmpfiles.rules = container.mkContainerDir cfg [
- "data"
- ];
-
- containers.download = container.mkContainer cfg {
- enableTun = true;
- bindMounts = {
- "/var/lib/deluge/.config/deluge" = {
- hostPath = "${cfg.storage}/data";
- isReadOnly = false;
- };
- }
- // container.attachMedia "download" false
- ;
-
- config = { ... }: container.mkContainerConfig cfg {
- services.deluge = {
- enable = true;
- dataDir = "/var/lib/deluge";
- web.enable = true;
- };
- systemd.services.deluged.serviceConfig = {
- MemoryLimit = cfg.memLimit;
- Restart = lib.mkForce "always";
- RuntimeMaxSec = "3h";
- };
- };
- };
- };
-}
diff --git a/container/Frkn.nix b/container/Frkn.nix
deleted file mode 100644
index 82974b7e..00000000
--- a/container/Frkn.nix
+++ /dev/null
@@ -1,124 +0,0 @@
-{
- __findFile,
- config,
- container,
- inputs,
- lib,
- pkgs,
- pkgsMaster,
- util,
- ...
-} @args: let
- cfg = config.container.module.frkn;
-in {
- options.container.module.frkn = {
- enable = lib.mkEnableOption "the Allmighty FRKN service.";
- address = lib.mkOption {
- default = "10.1.0.69";
- type = lib.types.str;
- };
- port = lib.mkOption {
- default = 1080;
- type = lib.types.int;
- };
- torport = lib.mkOption {
- default = 9150;
- type = lib.types.int;
- };
- xrayport = lib.mkOption {
- default = 1081;
- type = lib.types.int;
- };
- storage = lib.mkOption {
- default = "${config.container.storage}/frkn";
- type = lib.types.str;
- };
- };
-
- config = lib.mkIf cfg.enable {
- systemd.tmpfiles.rules = container.mkContainerDir cfg [
- "data"
- ];
-
- containers.frkn = container.mkContainer cfg {
- bindMounts = {
- "/data" = {
- hostPath = "${cfg.storage}/data";
- isReadOnly = true;
- };
- };
-
- config = { ... }: container.mkContainerConfig cfg {
- disabledModules = [ "services/networking/zapret.nix" ];
- imports = [ "${inputs.nixpkgsMaster}/nixos/modules/services/networking/zapret.nix" ];
-
- boot.kernel.sysctl = {
- "net.ipv4.conf.all.src_valid_mark" = 1;
- "net.ipv4.ip_forward" = 1;
- };
-
- services.zapret = {
- inherit (config.services.zapret) params;
- enable = true;
- package = pkgsMaster.zapret;
- };
-
- services = {
- microsocks = {
- enable = true;
- disableLogging = true;
- ip = cfg.address;
- port = cfg.port;
- };
-
- tor = {
- enable = true;
- openFirewall = true;
- settings = let
- exclude = "{RU},{UA},{BY},{KZ},{CN},{??}";
- in {
- # ExcludeExitNodes = exclude;
- # ExcludeNodes = exclude;
- # DNSPort = dnsport;
- UseBridges = true;
- ClientTransportPlugin = "obfs4 exec ${pkgs.obfs4}/bin/lyrebird";
- Bridge = [
- "obfs4 121.45.140.249:12123 0922E212E33B04F0B7C1E398161E8EDE06734F26 cert=3AQ4iJFAzxzt7a/zgXIiFEs6fvrXInXt1Dtr09DgnpvUzG/iiyRTdXYZKSYpI124Zt3ZUA iat-mode=0"
- "obfs4 145.239.31.71:10161 882125D15B59BB82BE66F999056CB676D3F061F8 cert=AnD+EvcBMuQDVM7PwW7NgFAzW1M5jDm7DjQtIIcBSjoyAf1FJ2p535rrYL2Kk8POAd0+aw iat-mode=0"
- "obfs4 79.137.11.45:45072 ECA3197D49A29DDECD4ACBF9BCF15E4987B78137 cert=2FKyLWkPgMNCWxBD3cNOTRxJH3XP+HdStPGKMjJfw2YbvVjihIp3X2BCrtxQya9m5II5XA iat-mode=0"
- "obfs4 94.103.89.153:4443 5617848964FD6546968B5BF3FFA6C11BCCABE58B cert=tYsmuuTe9phJS0Gh8NKIpkVZP/XKs7gJCqi31o8LClwYetxzFz0fQZgsMwhNcIlZ0HG5LA iat-mode=0"
- ];
- };
-
- client = {
- enable = true;
- # dns.enable = true;
- socksListenAddress = {
- IsolateDestAddr = true;
- addr = cfg.address;
- port = cfg.torport;
- };
- };
- };
-
- xray = {
- enable = true;
- settingsFile = "/data/Client.json";
- };
- };
-
- systemd = {
- services.tor.wantedBy = lib.mkForce [ ];
-
- timers.tor = {
- timerConfig = {
- OnBootSec = 5;
- Unit = "tor.service";
- };
- wantedBy = [ "timers.target" ];
- };
- };
- };
- };
- };
-}
diff --git a/container/Git.nix b/container/Git.nix
deleted file mode 100644
index 9e5438c4..00000000
--- a/container/Git.nix
+++ /dev/null
@@ -1,129 +0,0 @@
-{
- config,
- container,
- lib,
- pkgs,
- ...
-}: let
- cfg = config.container.module.git;
-in {
- options.container.module.git = {
- enable = lib.mkEnableOption "the git server.";
- address = lib.mkOption {
- default = "10.1.0.8";
- type = lib.types.str;
- };
- port = lib.mkOption {
- default = 3000;
- type = lib.types.int;
- };
- portSsh = lib.mkOption {
- default = 22144;
- type = lib.types.int;
- };
- domain = lib.mkOption {
- default = "git.${config.container.domain}";
- type = lib.types.str;
- };
- storage = lib.mkOption {
- default = "${config.container.storage}/git";
- type = lib.types.str;
- };
- };
-
- config = lib.mkIf cfg.enable {
- systemd.tmpfiles.rules = container.mkContainerDir cfg [
- "data"
- ];
-
- containers.git = container.mkContainer cfg {
- bindMounts = {
- "/var/lib/forgejo" = {
- hostPath = "${cfg.storage}/data";
- isReadOnly = false;
- };
- };
-
- config = { ... }: container.mkContainerConfig cfg {
- environment.systemPackages = with pkgs; [
- forgejo
- ];
-
- services.forgejo = {
- enable = true;
- stateDir = "/var/lib/forgejo";
-
- database = let
- postgre = config.container.module.postgres;
- in {
- createDatabase = false;
- host = postgre.address;
- name = "forgejo";
- port = postgre.port;
- type = "postgres";
- user = "forgejo";
- };
-
- settings = let
- gcArgs = "--aggressive --no-cruft --prune=now";
- gcTimeout = 600;
- in {
- "cron.cleanup_actions".ENABLED = true;
- "cron.update_mirrors".SCHEDULE = "@midnight";
- "git".GC_ARGS = gcArgs;
- "git.timeout".GC = gcTimeout;
- "log".LEVEL = "Error";
- "repo-archive".ENABLED = false;
- "repository.issue".MAX_PINNED = 99999;
- "repository.pull-request".DEFAULT_MERGE_STYLE = "rebase";
- "service".DISABLE_REGISTRATION = true;
- "server" = {
- DOMAIN = cfg.domain;
- HTTP_ADDR = cfg.address;
- ROOT_URL = "https://${cfg.domain}";
- BUILTIN_SSH_SERVER_USER = "git";
- DISABLE_SSH = false;
- SSH_PORT = cfg.portSsh;
- START_SSH_SERVER = true;
- };
- "ui" = {
- AMBIGUOUS_UNICODE_DETECTION = false;
- };
- "repository" = {
- DEFAULT_PRIVATE = "private";
- DEFAULT_PUSH_CREATE_PRIVATE = true;
- };
- "cron" = {
- ENABLED = true;
- RUN_AT_START = true;
- };
- "cron.git_gc_repos" = {
- ENABLED = true;
- ARGS = gcArgs;
- SCHEDULE = "@midnight";
- TIMEOUT = gcTimeout;
- };
- };
- };
-
- systemd = {
- services = {
- forgejo = {
- serviceConfig.PrivateNetwork = lib.mkForce false;
- wantedBy = lib.mkForce [ ];
- };
- };
- timers.fixsystemd = {
- timerConfig = {
- OnBootSec = 5;
- Unit = "forgejo.service";
- };
- wantedBy = [
- "timers.target"
- ];
- };
- };
- };
- };
- };
-}
diff --git a/container/Home.nix b/container/Home.nix
deleted file mode 100644
index fa9efe65..00000000
--- a/container/Home.nix
+++ /dev/null
@@ -1,54 +0,0 @@
-{
- __findFile,
- config,
- container,
- lib,
- pkgs,
- util,
- ...
-} @args: let
- cfg = config.container.module.home;
- package = (pkgs.callPackage args);
-in {
- options.container.module.home = {
- enable = lib.mkEnableOption "the dashboard.";
- address = lib.mkOption {
- default = "10.1.0.18";
- type = lib.types.str;
- };
- port = lib.mkOption {
- default = 80;
- type = lib.types.int;
- };
- domain = lib.mkOption {
- default = "home.${config.container.domain}";
- type = lib.types.str;
- };
- };
-
- config = lib.mkIf cfg.enable {
- containers.home = container.mkContainer cfg {
- config = { ... }: container.mkContainerConfig cfg {
- environment.systemPackages = [
- package
- ];
- systemd.packages = [
- package
- ];
-
- services.nginx = {
- enable = true;
- virtualHosts.${cfg.domain} = container.mkServer {
- default = true;
- root = "${package}";
- locations = {
- "/".extraConfig = util.trimTabs ''
- try_files $uri $uri/index.html;
- '';
- };
- };
- };
- };
- };
- };
-}
diff --git a/container/Iot.nix b/container/Iot.nix
deleted file mode 100644
index 76124216..00000000
--- a/container/Iot.nix
+++ /dev/null
@@ -1,119 +0,0 @@
-{
- config,
- container,
- lib,
- ...
-}: let
- cfg = config.container.module.iot;
-in {
- options.container.module.iot = {
- enable = lib.mkEnableOption "IoT service.";
- address = lib.mkOption {
- default = "10.1.0.27";
- type = lib.types.str;
- };
- port = lib.mkOption {
- default = 8123;
- type = lib.types.int;
- };
- domain = lib.mkOption {
- default = "iot.${config.container.domain}";
- type = lib.types.str;
- };
- storage = lib.mkOption {
- default = "${config.container.storage}/iot";
- type = lib.types.str;
- };
- };
-
- config = lib.mkIf cfg.enable {
- systemd.tmpfiles.rules = container.mkContainerDir cfg [
- "data"
- ];
-
- containers.iot = container.mkContainer cfg {
- bindMounts = {
- "/var/lib/hass" = {
- hostPath = "${cfg.storage}/data";
- isReadOnly = false;
- };
- "/dev/ttyACM0" = {
- hostPath = "/dev/ttyACM0";
- isReadOnly = false;
- };
- "/dev/serial/by-id" = {
- hostPath = "/dev/serial/by-id";
- isReadOnly = false;
- };
- }
- // container.attachMedia "photo" true
- ;
-
- allowedDevices = [
- {
- modifier = "rwm";
- node = "/dev/ttyACM0";
- }
- ];
-
- config = { ... }: container.mkContainerConfig cfg {
- # Allow Hass to talk to Zigbee dongle.
- users.users.hass.extraGroups = [
- "dialout"
- "tty"
- ];
-
- services.home-assistant = {
- # NOTE: Missing: hacs. Inside hacs: `card-mod`, `Clock Weather Card`, `WallPanel` and `Yandex.Station`.
- enable = true;
- # NOTE: Using imperative config because of secrets.
- config = null;
- configDir = "/var/lib/hass";
- extraComponents = [
- "caldav"
- "met"
- "sun"
- "systemmonitor"
- "zha"
- ];
- extraPackages =
- python3Packages: with python3Packages; [
- aiodhcpwatcher
- aiodiscover
- aiogithubapi
- arrow
- async-upnp-client
- av
- gtts
- ha-ffmpeg
- hassil
- home-assistant-intents
- mutagen
- numpy
- pymicro-vad
- pynacl
- pyspeex-noise
- python-telegram-bot
- pyturbojpeg
- zeroconf
- ];
- # lovelaceConfig = {
- # title = "Home IoT control center.";
- # };
- };
-
- # HACK: Delay so that nextcloud calendar can reply on reboot.
- systemd = {
- services."home-assistant".wantedBy = lib.mkForce [ ];
- timers.fixsystemd = {
- timerConfig = {
- OnBootSec = 60;
- Unit = "home-assistant.service";
- };
- wantedBy = [ "timers.target" ];
- };
- };
- };
- };
- };
-}
diff --git a/container/Jobber.nix b/container/Jobber.nix
deleted file mode 100644
index 62d78734..00000000
--- a/container/Jobber.nix
+++ /dev/null
@@ -1,79 +0,0 @@
-{
- __findFile,
- config,
- container,
- lib,
- pkgsJobber,
- poetry2nixJobber,
- ...
-}: let
- cfg = config.container.module.jobber;
- script = import {
- pkgs = pkgsJobber;
- poetry2nix = poetry2nixJobber;
- };
-in {
- options.container.module.jobber = {
- enable = lib.mkEnableOption "Stanley - the button pusher.";
- address = lib.mkOption {
- default = "10.1.0.32";
- type = lib.types.str;
- };
- storage = lib.mkOption {
- default = "${config.container.storage}/jobber";
- type = lib.types.str;
- };
- };
-
- config = lib.mkIf cfg.enable {
- systemd.tmpfiles.rules = container.mkContainerDir cfg [
- "data"
- ];
-
- containers.jobber = container.mkContainer cfg {
- bindMounts = {
- "/data" = {
- hostPath = "${cfg.storage}/data";
- isReadOnly = true;
- };
- };
-
- enableTun = true;
-
- config = { ... }: let
- packages = [
- script
- ] ++ (with pkgsJobber; [
- firefox
- geckodriver
- openvpn
- python311
- ]);
- in container.mkContainerConfig cfg {
- networking = lib.mkForce {
- nameservers = [
- "10.30.218.2"
- ];
- };
-
- systemd.services.jobber = {
- description = "My job is pushing the button.";
- enable = true;
- path = packages;
- wantedBy = [
- "multi-user.target"
- ];
- environment = {
- PYTHONDONTWRITEBYTECODE = "1";
- PYTHONUNBUFFERED = "1";
- };
- serviceConfig = {
- ExecStart = "${script}/bin/jobber -u";
- Restart = "on-failure";
- Type = "simple";
- };
- };
- };
- };
- };
-}
diff --git a/container/Mail.nix b/container/Mail.nix
deleted file mode 100644
index e99e37d1..00000000
--- a/container/Mail.nix
+++ /dev/null
@@ -1,224 +0,0 @@
-# Guide: https://nixos-mailserver.readthedocs.io/en/latest/setup-guide.html
-{
- config,
- const,
- container,
- lib,
- pkgs,
- util,
- ...
-}: let
- cfg = config.container.module.mail;
- domain = config.container.domain;
-in {
- options.container.module.mail = {
- enable = lib.mkEnableOption "the email server.";
- address = lib.mkOption {
- default = "10.1.0.5";
- type = lib.types.str;
- };
- port = lib.mkOption {
- default = 80;
- type = lib.types.int;
- };
- domain = lib.mkOption {
- default = "mail.${config.container.domain}";
- type = lib.types.str;
- };
- storage = lib.mkOption {
- default = "${config.container.storage}/mail";
- type = lib.types.str;
- };
- };
-
- config = lib.mkIf cfg.enable {
- systemd.tmpfiles.rules = container.mkContainerDir cfg [
- "data"
- ];
-
- containers.mail = container.mkContainer cfg {
- bindMounts = {
- "/var/lib/dovecot/indices" = {
- hostPath = "${cfg.storage}/data/indices";
- isReadOnly = false;
- };
- "/var/vmail" = {
- hostPath = "${cfg.storage}/data/vmail";
- isReadOnly = false;
- };
- "/var/sieve" = {
- hostPath = "${cfg.storage}/data/sieve";
- isReadOnly = false;
- };
- "/var/dkim" = {
- hostPath = "${cfg.storage}/data/dkim";
- isReadOnly = false;
- };
- "/acme" = {
- hostPath = "${config.container.module.proxy.storage}/letsencrypt";
- isReadOnly = true;
- };
- };
-
- config = { config, ... }: container.mkContainerConfig cfg {
- imports = [
- (builtins.fetchTarball {
- sha256 = "sha256:0clvw4622mqzk1aqw1qn6shl9pai097q62mq1ibzscnjayhp278b";
- url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-${const.stateVersion}/nixos-mailserver-nixos-${const.stateVersion}.tar.gz";
- })
- ];
-
- mailserver = {
- enable = true;
- domains = [ domain ];
- fqdn = cfg.domain;
- sendingFqdn = domain;
-
- # Use `mkpasswd -sm bcrypt`.
- loginAccounts = let
- defaultQuota = "1G";
- in {
- "admin@${domain}" = {
- hashedPassword = "$2b$05$1O.dxXxaVshcBNybcqDRYuTlnYt3jDBwfPZWoDtP4BjOLoL0StYsi";
- name = "admin";
- quota = defaultQuota;
- };
- "account@${domain}" = {
- hashedPassword = "$2b$05$sCyZHdk98KqQ1qsTIvbrUeRJlNBOwBqDgpdc1QxiSnONlEkZ8xGNO";
- name = "account";
- quota = defaultQuota;
- };
- "hi@${domain}" = {
- hashedPassword = "$2b$05$6fT5hIhzIasNfp9IQr/ds.5RuxH95VKU3QJWlX3hmrAzDF3mExanq";
- name = "hi";
- quota = defaultQuota;
- aliases = [
- "voronind@${domain}"
- ];
- };
- "job@${domain}" = {
- hashedPassword = "$2b$05$.sUmv2.9EWPfLwJn/oZw2e1UbR7HrpNQ2THc5jjX3ysy7CY8ZWHUC";
- name = "job";
- quota = defaultQuota;
- };
- "trash@${domain}" = {
- hashedPassword = "$2b$05$kn5ygZjN9NR3LXjnKKRw/.DXaZQNW.1XEottlCFIoKiDpIj.JGLJm";
- name = "trash";
- quota = defaultQuota;
- catchAll = [
- domain
- ];
- };
- "noreply@${domain}" = {
- hashedPassword = "$2b$05$TaKwoYmcmkAhsRRv6xG5wOkChcz50cB9BP6QPUDKNAcxMbrY6AeMK";
- name = "noreply";
- quota = defaultQuota;
- sendOnly = true;
- };
- };
-
- enableImap = true;
- enableImapSsl = true;
- enableSubmission = true;
- enableSubmissionSsl = true;
-
- enableManageSieve = true;
- virusScanning = false;
-
- certificateFile = "/acme/live/${domain}/cert.pem";
- certificateScheme = "manual";
- keyFile = "/acme/live/${domain}/privkey.pem";
-
- dkimKeyDirectory = "/var/dkim";
- indexDir = "/var/lib/dovecot/indices";
- mailDirectory = "/var/vmail";
- sieveDirectory = "/var/sieve";
-
- mailboxes = let
- mkSpecialBox = specialUse: {
- ${specialUse} = {
- inherit specialUse;
- auto = "subscribe";
- };
- };
- in builtins.foldl' (acc: box: acc // (mkSpecialBox box)) {} [
- "All"
- "Archive"
- "Drafts"
- "Junk"
- "Sent"
- "Trash"
- ];
-
- dmarcReporting = {
- inherit domain;
- enable = true;
- organizationName = "voronind";
- # email = "noreply@${domain}";
- };
-
- # monitoring = {
- # enable = true;
- # alertAddress = "admin@${domain}";
- # };
- };
-
- services = {
- roundcube = {
- enable = true;
- hostName = cfg.domain;
- dicts = with pkgs.aspellDicts; [
- en
- ru
- ];
- plugins = [
- "managesieve"
- ];
- extraConfig = util.trimTabs ''
- $config['smtp_server'] = "localhost:25";
- $config['smtp_auth_type'] = null;
- $config['smtp_user'] = "";
- $config['smtp_pass'] = "";
- # $config['smtp_user'] = "%u";
- # $config['smtp_pass'] = "%p";
- '';
- };
-
- nginx.virtualHosts.${cfg.domain} = {
- enableACME = false;
- forceSSL = false;
- };
- };
-
- systemd = {
- services.autoexpunge = {
- description = "Delete old mail";
- serviceConfig = {
- Type = "oneshot";
- };
- path = [
- pkgs.dovecot
- ];
- script = util.trimTabs ''
- doveadm expunge -A mailbox Junk SENTBEFORE 7d
- doveadm expunge -A mailbox Trash SENTBEFORE 30d
- doveadm expunge -u trash@voronind.com mailbox Inbox SENTBEFORE 30d
- doveadm purge -A
- '';
- };
-
- timers.autoexpunge = {
- timerConfig = {
- OnCalendar = "daily";
- Persistent = true;
- Unit = "autoexpunge.service";
- };
- wantedBy = [
- "timers.target"
- ];
- };
- };
- };
- };
- };
-}
diff --git a/container/Office.nix b/container/Office.nix
deleted file mode 100644
index 5e5f5c76..00000000
--- a/container/Office.nix
+++ /dev/null
@@ -1,101 +0,0 @@
-# NOTE: Imperative part:
-# 1. You need to change PSQL tables owner from root to onlyoffice, too. They don't do that automatically for some reason.
-# 2. TODO: Generate JWT secret at /var/lib/onlyoffice/jwt, i.e. 9wLfMGha1YrfvWpb5hyYjZf8pvJQ3swS
-# See https://git.voronind.com/voronind/nixos/issues/74
-{
- config,
- container,
- lib,
- pkgs,
- util,
- ...
-}: let
- cfg = config.container.module.office;
-in {
- options.container.module.office = {
- enable = lib.mkEnableOption "the office web suite.";
- address = lib.mkOption {
- default = "10.1.0.21";
- type = lib.types.str;
- };
- port = lib.mkOption {
- default = 8000;
- type = lib.types.int;
- };
- domain = lib.mkOption {
- default = "office.${config.container.domain}";
- type = lib.types.str;
- };
- storage = lib.mkOption {
- default = "${config.container.storage}/office";
- type = lib.types.str;
- };
- };
-
- config = lib.mkIf cfg.enable {
- systemd.tmpfiles.rules = container.mkContainerDir cfg [
- "data"
- ];
-
- containers.office = container.mkContainer cfg {
- bindMounts = {
- "/var/lib/onlyoffice" = {
- hostPath = "${cfg.storage}/data";
- isReadOnly = false;
- };
- };
-
- # HACK: Temporarely run in docker due to https://github.com/ONLYOFFICE/onlyoffice-nextcloud/issues/931
- config = { pkgs, ... }: container.mkContainerConfig cfg {
- virtualisation.oci-containers.backend = "docker";
- virtualisation.oci-containers.containers.office = {
- autoStart = true;
- image = "dockerhub.timeweb.cloud/onlyoffice/documentserver:latest";
- # ports = [ "${toString cfg.port}:8000" ];
- extraOptions = [
- "--network=host"
- "--privileged"
- ];
- environment = {
- AMQP_URI = "amqp://guest:guest@${config.container.module.rabbitmq.address}:${toString config.container.module.rabbitmq.port}";
- DB_HOST = config.container.module.postgres.address;
- DB_NAME = "onlyoffice";
- DB_PORT = toString config.container.module.postgres.port;
- DB_PWD = "onlyoffice";
- DB_USER = "onlyoffice";
- JWT_ENABLED = "true";
- JWT_SECRET = "8wLfKGha8YRfvwpB5hYYjZf8vtUQs3wS";
- };
- };
- };
-
- # config = { pkgs, ... }: container.mkContainerConfig cfg {
- # # HACK: For whatever reason it does not detect my global allowUnfree (I pass pkgs from host system in mkContainerConfig).
- # nixpkgs.overlays = [ (final: prev: {
- # corefonts = prev.corefonts.overrideAttrs (old: {
- # meta.license = mkForce licenses.mit;
- # });
- # })];
-
- # services.onlyoffice = let
- # dbName = "onlyoffice";
- # in {
- # enable = true;
- # hostname = cfg.domain;
-
- # postgresName = dbName;
- # postgresHost = config.container.module.postgres.address;
- # postgresUser = dbName;
- # postgresPasswordFile = "${pkgs.writeText "OfficeDbPassword" dbName}";
-
- # jwtSecretFile = "/var/lib/onlyoffice/jwt";
-
- # rabbitmqUrl = "amqp://guest:guest@${config.container.module.rabbitmq.address}:${toString config.container.module.rabbitmq.port}";
-
- # examplePort = cfg.port;
- # enableExampleServer = true;
- # };
- # };
- };
- };
-}
diff --git a/container/Paper.nix b/container/Paper.nix
deleted file mode 100644
index 0677e766..00000000
--- a/container/Paper.nix
+++ /dev/null
@@ -1,99 +0,0 @@
-{
- config,
- container,
- lib,
- pkgs,
- ...
-}: let
- cfg = config.container.module.paper;
-in {
- options.container.module.paper = {
- enable = lib.mkEnableOption "the paper scans manager.";
- address = lib.mkOption {
- default = "10.1.0.40";
- type = lib.types.str;
- };
- port = lib.mkOption {
- default = 28981;
- type = lib.types.int;
- };
- domain = lib.mkOption {
- default = "paper.${config.container.domain}";
- type = lib.types.str;
- };
- storage = lib.mkOption {
- default = "${config.container.storage}/paper";
- type = lib.types.str;
- };
- };
-
- config = lib.mkIf cfg.enable {
- systemd.tmpfiles.rules = container.mkContainerDir cfg [
- "data"
- ];
-
- containers.paper = container.mkContainer cfg {
- bindMounts = {
- "/var/lib/paperless" = {
- hostPath = "${cfg.storage}/data";
- isReadOnly = false;
- };
- "/var/lib/paperless/media" = {
- hostPath = "${lib.elemAt config.container.media.paper 0}";
- isReadOnly = false;
- };
- };
-
- config = { ... }: container.mkContainerConfig cfg {
- services.paperless = {
- enable = true;
- address = "0.0.0.0";
- dataDir = "/var/lib/paperless";
- port = cfg.port;
- passwordFile = pkgs.writeText "PaperlessPassword" "root"; # NOTE: Only for initial setup, change later.
- settings = {
- PAPERLESS_ADMIN_USER = "root";
- PAPERLESS_DBENGINE = "postgresql";
- PAPERLESS_DBHOST = config.container.module.postgres.address;
- PAPERLESS_DBNAME = "paperless";
- PAPERLESS_DBPASS = "paperless";
- PAPERLESS_DBPORT = config.container.module.postgres.port;
- PAPERLESS_DBUSER = "paperless";
- PAPERLESS_OCR_LANGUAGE = "rus";
- PAPERLESS_REDIS = "redis://${config.container.module.redis.address}:${toString config.container.module.redis.port}";
- PAPERLESS_URL = "https://${cfg.domain}";
- };
- };
-
- # HACK: This is required for TCP postgres connection.
- systemd = {
- services = {
- paperless-scheduler = {
- serviceConfig.PrivateNetwork = lib.mkForce false;
- wantedBy = lib.mkForce [ ];
- };
- paperless-consumer = {
- serviceConfig.PrivateNetwork = lib.mkForce false;
- wantedBy = lib.mkForce [ ];
- };
- paperless-web = {
- wantedBy = lib.mkForce [ ];
- };
- paperless-task-queue = {
- wantedBy = lib.mkForce [ ];
- };
- };
- timers.fixsystemd = {
- timerConfig = {
- OnBootSec = 5;
- Unit = "paperless-web.service";
- };
- wantedBy = [
- "timers.target"
- ];
- };
- };
- };
- };
- };
-}
diff --git a/container/Pass.nix b/container/Pass.nix
deleted file mode 100644
index b1fa052b..00000000
--- a/container/Pass.nix
+++ /dev/null
@@ -1,59 +0,0 @@
-{
- config,
- container,
- lib,
- ...
-}: let
- cfg = config.container.module.pass;
-in {
- options.container.module.pass = {
- enable = lib.mkEnableOption "the password manager.";
- address = lib.mkOption {
- default = "10.1.0.9";
- type = lib.types.str;
- };
- port = lib.mkOption {
- default = 8000;
- type = lib.types.int;
- };
- domain = lib.mkOption {
- default = "pass.${config.container.domain}";
- type = lib.types.str;
- };
- storage = lib.mkOption {
- default = "${config.container.storage}/pass";
- type = lib.types.str;
- };
- };
-
- config = lib.mkIf cfg.enable {
- systemd.tmpfiles.rules = container.mkContainerDir cfg [
- "data"
- ];
-
- containers.pass = container.mkContainer cfg {
- bindMounts = {
- "/var/lib/vaultwarden" = {
- hostPath = "${cfg.storage}/data";
- isReadOnly = false;
- };
- };
-
- config = { ... }: container.mkContainerConfig cfg {
- services.vaultwarden = {
- enable = true;
- dbBackend = "sqlite";
- environmentFile = "/var/lib/vaultwarden/Env";
- config = {
- DATA_FOLDER = "/var/lib/vaultwarden";
- DOMAIN = "http://${cfg.domain}";
- ROCKET_ADDRESS = cfg.address;
- ROCKET_PORT = cfg.port;
- SIGNUPS_ALLOWED = false;
- WEB_VAULT_ENABLED = true;
- };
- };
- };
- };
- };
-}
diff --git a/container/Paste.nix b/container/Paste.nix
deleted file mode 100644
index 457cccf0..00000000
--- a/container/Paste.nix
+++ /dev/null
@@ -1,134 +0,0 @@
-{
- __findFile,
- config,
- container,
- lib,
- pkgs,
- util,
- ...
-} @args: let
- cfg = config.container.module.paste;
- package = (pkgs.callPackage args);
-in {
- options.container.module.paste = {
- enable = lib.mkEnableOption "the text share platform.";
- address = lib.mkOption {
- default = "10.1.0.14";
- type = lib.types.str;
- };
- port = lib.mkOption {
- default = 80;
- type = lib.types.int;
- };
- domain = lib.mkOption {
- default = "paste.${config.container.domain}";
- type = lib.types.str;
- };
- storage = lib.mkOption {
- default = "${config.container.storage}/paste";
- type = lib.types.str;
- };
- };
-
- config = lib.mkIf cfg.enable {
- systemd.tmpfiles.rules = container.mkContainerDir cfg [
- "config"
- "data"
- "nginxtmp"
- "tmp"
- ];
-
- containers.paste = container.mkContainer cfg {
- bindMounts = {
- "/srv/data" = {
- hostPath = "${cfg.storage}/data";
- isReadOnly = false;
- };
- "/tmp" = {
- hostPath = "${cfg.storage}/tmp";
- isReadOnly = false;
- };
- "/var/lib/nginx/tmp" = {
- hostPath = "${cfg.storage}/nginxtmp";
- isReadOnly = false;
- };
- "/srv/config" = {
- hostPath = "${cfg.storage}/config";
- isReadOnly = false;
- };
- };
-
- config = { config, ... }: container.mkContainerConfig cfg {
- environment.systemPackages = [
- package
- ];
- systemd.packages = [
- package
- ];
-
- users.users.paste = {
- group = "nginx";
- isSystemUser = true;
- };
-
- services = {
- phpfpm.pools.paste = {
- group = "nginx";
- user = "paste";
- phpPackage = pkgs.php;
- settings = {
- "catch_workers_output" = true;
- "listen.owner" = "nginx";
- "php_admin_flag[log_errors]" = true;
- "php_admin_value[error_log]" = "stderr";
- "pm" = "dynamic";
- "pm.max_children" = "32";
- "pm.max_requests" = "500";
- "pm.max_spare_servers" = "4";
- "pm.min_spare_servers" = "2";
- "pm.start_servers" = "2";
- };
- phpEnv = {
- # CONFIG_PATH = "${package}/cfg"; # NOTE: Not working?
- };
- };
-
- nginx = {
- enable = true;
- virtualHosts.${cfg.domain} = container.mkServer {
- default = true;
- root = "${package}";
- locations = {
- "/".extraConfig = util.trimTabs ''
- rewrite ^ /index.php;
- '';
-
- "~ \\.php$".extraConfig = util.trimTabs ''
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- fastcgi_pass unix:${config.services.phpfpm.pools.paste.socket};
- include ${config.services.nginx.package}/conf/fastcgi.conf;
- include ${config.services.nginx.package}/conf/fastcgi_params;
- '';
-
- "~ \\.(js|css|ttf|woff2?|png|jpe?g|svg)$".extraConfig = util.trimTabs ''
- add_header Cache-Control "public, max-age=15778463";
- add_header Referrer-Policy no-referrer;
- add_header X-Content-Type-Options nosniff;
- add_header X-Download-Options noopen;
- add_header X-Permitted-Cross-Domain-Policies none;
- add_header X-Robots-Tag none;
- add_header X-XSS-Protection "1; mode=block";
- access_log off;
- '';
- };
-
- extraConfig = util.trimTabs ''
- try_files $uri /index.php;
- '';
- };
- };
- };
- };
- };
- };
-}
diff --git a/container/Postgres.nix b/container/Postgres.nix
deleted file mode 100644
index 416ea99a..00000000
--- a/container/Postgres.nix
+++ /dev/null
@@ -1,95 +0,0 @@
-{
- config,
- container,
- lib,
- pkgs,
- ...
-}: let
- cfg = config.container.module.postgres;
-in {
- options.container.module.postgres = {
- enable = lib.mkEnableOption "the PostgreSQL server.";
- address = lib.mkOption {
- default = "10.1.0.3";
- type = lib.types.str;
- };
- port = lib.mkOption {
- default = 5432;
- type = lib.types.int;
- };
- storage = lib.mkOption {
- default = "${config.container.storage}/postgres";
- type = lib.types.str;
- };
- };
-
- config = lib.mkIf cfg.enable {
- systemd.tmpfiles.rules = container.mkContainerDir cfg [
- "data"
- ];
-
- containers.postgres = container.mkContainer cfg {
- bindMounts = {
- "/var/lib/postgresql/data" = {
- hostPath = "${cfg.storage}/data";
- isReadOnly = false;
- };
- };
-
- config = { ... }: container.mkContainerConfig cfg {
- services.postgresql = let
- # Populate with services here.
- configurations = with config.container.module; {
- forgejo = git;
- invidious = yt;
- mattermost = chat;
- nextcloud = cloud;
- onlyoffice = office;
- paperless = paper;
- privatebin = paste;
- };
-
- access = configurations // {
- all.address = config.container.host;
- };
-
- authentication = let
- rules = lib.mapAttrsToList (db: cfg:
- "host ${db} ${db} ${cfg.address}/32 trust"
- ) access;
- in builtins.foldl' (acc: item: acc + "${item}\n") "" rules;
-
- ensureDatabases = [
- "root"
- ] ++ lib.mapAttrsToList (name: _: name) configurations;
-
- ensureUsers = map (name: {
- inherit name;
- ensureDBOwnership = true;
- ensureClauses = if name == "root" then {
- createdb = true;
- createrole = true;
- superuser = true;
- } else { };
- }) ensureDatabases;
- in {
- inherit authentication ensureDatabases ensureUsers;
-
- enable = true;
- dataDir = "/var/lib/postgresql/data/14";
- enableTCPIP = true;
- package = pkgs.postgresql_14;
-
- # NOTE: Debug mode.
- # settings = {
- # log_connections = true;
- # log_destination = lib.mkForce "syslog";
- # log_disconnections = true;
- # log_statement = "all";
- # logging_collector = true;
- # };
- };
- };
- };
- };
-}
diff --git a/container/Print.nix b/container/Print.nix
deleted file mode 100644
index 78e06bf3..00000000
--- a/container/Print.nix
+++ /dev/null
@@ -1,72 +0,0 @@
-# NOTE: Login to contaier, run passwd and use that root/pw combo for administration. `AllowFrom = all` doesn't seem to work.
-# ipp://192.168.2.237
-# Pantum M6500W-Series
-{
- __findFile,
- config,
- container,
- lib,
- pkgs,
- ...
-} @args: let
- cfg = config.container.module.print;
- host = config.container.host;
- package = pkgs.callPackage args;
-in {
- options.container.module.print = {
- enable = lib.mkEnableOption "the printing server.";
- address = lib.mkOption {
- default = "10.1.0.46";
- type = lib.types.str;
- };
- port = lib.mkOption {
- default = 631;
- type = lib.types.int;
- };
- domain = lib.mkOption {
- default = "print.${config.container.domain}";
- type = lib.types.str;
- };
- storage = lib.mkOption {
- default = "${config.container.storage}/print";
- type = lib.types.str;
- };
- };
-
- config = lib.mkIf cfg.enable {
- systemd.tmpfiles.rules = container.mkContainerDir cfg [
- "data"
- ];
-
- containers.print = container.mkContainer cfg {
- bindMounts = {
- "/var/lib/cups" = {
- hostPath = "${cfg.storage}/data";
- isReadOnly = false;
- };
- };
-
- config = { ... }: container.mkContainerConfig cfg {
- networking.interfaces."eth0".ipv4.routes = [
- {
- address = "192.168.2.237"; # NOTE: Printer's IP address.
- prefixLength = 32;
- via = host;
- }
- ];
-
- services.printing = {
- enable = true;
- allowFrom = [ "all" ];
- browsing = true;
- defaultShared = true;
- drivers = [ package ];
- listenAddresses = [ "${cfg.address}:${toString cfg.port}" ];
- startWhenNeeded = true;
- stateless = false;
- webInterface = true;
- };
- };
- };
- };
-}
diff --git a/container/Proxy.nix b/container/Proxy.nix
deleted file mode 100644
index fb04ccfd..00000000
--- a/container/Proxy.nix
+++ /dev/null
@@ -1,94 +0,0 @@
-# NOTE: To generate self-signed certs use: `openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./privkey.pem -out ./fullchain.pem`
-# For dhparams: `openssl dhparam -out ./ssl-dhparam.pem 4096`
-# Example for options-ssl-nginx.conf:
-# ```
-# ssl_session_cache shared:le_nginx_SSL:10m;
-# ssl_session_timeout 1440m;
-# ssl_protocols TLSv1.2 TLSv1.3;
-# ssl_prefer_server_ciphers off;
-# ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
-# ```
-# For certbot to generate new keys: `certbot certonly --manual --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory -d "*.voronind.com" -d voronind.com`
-{
- config,
- container,
- lib,
- pkgs,
- util,
- ...
-} @args: let
- cfg = config.container.module.proxy;
- virtualHosts = util.catSet (util.ls ./proxy/host) args;
-in {
- options.container.module.proxy = {
- enable = lib.mkEnableOption "the proxy server.";
- address = lib.mkOption {
- default = "10.1.0.2";
- type = lib.types.str;
- };
- port = lib.mkOption {
- default = 443;
- type = lib.types.int;
- };
- storage = lib.mkOption {
- default = "${config.container.storage}/proxy";
- type = lib.types.str;
- };
- };
-
- config = lib.mkIf cfg.enable {
- systemd.tmpfiles.rules = container.mkContainerDir cfg [
- "challenge"
- "letsencrypt"
- ];
-
- containers.proxy = container.mkContainer cfg {
- bindMounts = {
- "/etc/letsencrypt" = {
- hostPath = "${cfg.storage}/letsencrypt";
- isReadOnly = false;
- };
- "/var/www/.well-known" = {
- hostPath = "${cfg.storage}/challenge";
- isReadOnly = false;
- };
- };
-
- config = { ... }: container.mkContainerConfig cfg {
- environment.systemPackages = with pkgs; [
- certbot
- ];
-
- services.nginx = {
- inherit virtualHosts;
- enable = true;
- clientMaxBodySize = "4096m";
- recommendedOptimisation = true;
- recommendedProxySettings = true;
- appendConfig = util.trimTabs ''
- worker_processes 4;
- '';
- eventsConfig = util.trimTabs ''
- worker_connections 4096;
- '';
- appendHttpConfig = util.trimTabs ''
- proxy_max_temp_file_size 0;
- proxy_buffering off;
-
- server {
- listen 443 ssl default_server;
- server_name _;
-
- ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
- include /etc/letsencrypt/conf/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
-
- return 403;
- }
- '';
- };
- };
- };
- };
-}
diff --git a/container/Rabbitmq.nix b/container/Rabbitmq.nix
deleted file mode 100644
index 5a015f04..00000000
--- a/container/Rabbitmq.nix
+++ /dev/null
@@ -1,53 +0,0 @@
-{
- config,
- container,
- lib,
- pkgs,
- util,
- ...
-}: let
- cfg = config.container.module.rabbitmq;
-in {
- options.container.module.rabbitmq = {
- enable = lib.mkEnableOption "the mqtt server.";
- address = lib.mkOption {
- default = "10.1.0.28";
- type = lib.types.str;
- };
- port = lib.mkOption {
- default = 5672;
- type = lib.types.int;
- };
- storage = lib.mkOption {
- default = "${config.container.storage}/rabbitmq";
- type = lib.types.str;
- };
- };
-
- config = lib.mkIf cfg.enable {
- systemd.tmpfiles.rules = container.mkContainerDir cfg [
- "data"
- ];
-
- containers.rabbitmq = container.mkContainer cfg {
- bindMounts = {
- "/var/lib/rabbitmq" = {
- hostPath = "${cfg.storage}/data";
- isReadOnly = false;
- };
- };
-
- config = { ... }: container.mkContainerConfig cfg {
- services.rabbitmq = {
- enable = true;
- dataDir = "/var/lib/rabbitmq";
- listenAddress = cfg.address;
- port = cfg.port;
- configItems = {
- "loopback_users" = "none";
- };
- };
- };
- };
- };
-}
diff --git a/container/Read.nix b/container/Read.nix
deleted file mode 100644
index f1da1a94..00000000
--- a/container/Read.nix
+++ /dev/null
@@ -1,59 +0,0 @@
-{
- config,
- container,
- lib,
- pkgs,
- ...
-}: let
- cfg = config.container.module.read;
-in {
- options.container.module.read = {
- enable = lib.mkEnableOption "the reading server.";
- address = lib.mkOption {
- default = "10.1.0.39";
- type = lib.types.str;
- };
- port = lib.mkOption {
- default = 5000;
- type = lib.types.int;
- };
- domain = lib.mkOption {
- default = "read.${config.container.domain}";
- type = lib.types.str;
- };
- storage = lib.mkOption {
- default = "${config.container.storage}/read";
- type = lib.types.str;
- };
- };
-
- config = lib.mkIf cfg.enable {
- systemd.tmpfiles.rules = container.mkContainerDir cfg [
- "data"
- ];
-
- containers.read = container.mkContainer cfg {
- bindMounts = {
- "/var/lib/kavita" = {
- hostPath = "${cfg.storage}/data";
- isReadOnly = false;
- };
- }
- // container.attachMedia "book" true
- // container.attachMedia "manga" true
- ;
-
- config = { ... }: container.mkContainerConfig cfg {
- services.kavita = {
- enable = true;
- dataDir = "/var/lib/kavita";
- tokenKeyFile = pkgs.writeText "KavitaToken" "xY19aQOa939/Ie6GCRGbubVK8zRwrgBY/20AuyMpYshUjwK1Uyl7bw1yknVh6jJIFIfwq2vAjeotOUq7NEsf9Q==";
- settings = {
- IpAddresses = cfg.address;
- Port = cfg.port;
- };
- };
- };
- };
- };
-}
diff --git a/container/Redis.nix b/container/Redis.nix
deleted file mode 100644
index fb888996..00000000
--- a/container/Redis.nix
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- config,
- container,
- lib,
- ...
-}: let
- cfg = config.container.module.redis;
-in {
- options.container.module.redis = {
- enable = lib.mkEnableOption "the Redis server.";
- address = lib.mkOption {
- default = "10.1.0.38";
- type = lib.types.str;
- };
- port = lib.mkOption {
- default = 6379;
- type = lib.types.int;
- };
- };
-
- config = lib.mkIf cfg.enable {
- containers.redis = container.mkContainer cfg {
- config = { ... }: container.mkContainerConfig cfg {
- services.redis.servers.main = {
- enable = true;
- port = cfg.port;
- bind = cfg.address;
- extraParams = [
- "--protected-mode no"
- ];
- };
- };
- };
- };
-}
diff --git a/container/Search.nix b/container/Search.nix
deleted file mode 100644
index e376c50d..00000000
--- a/container/Search.nix
+++ /dev/null
@@ -1,138 +0,0 @@
-{
- config,
- container,
- lib,
- pkgs,
- ...
-}: let
- cfg = config.container.module.search;
-in {
- options.container.module.search = {
- enable = lib.mkEnableOption "the search frontend.";
- address = lib.mkOption {
- default = "10.1.0.26";
- type = lib.types.str;
- };
- port = lib.mkOption {
- default = 8080;
- type = lib.types.int;
- };
- domain = lib.mkOption {
- default = "search.${config.container.domain}";
- type = lib.types.str;
- };
- storage = lib.mkOption {
- default = "${config.container.storage}/search";
- type = lib.types.str;
- };
- };
-
- config = lib.mkIf cfg.enable {
- containers.search = container.mkContainer cfg {
- config = { ... }: container.mkContainerConfig cfg {
- services.searx = {
- enable = true;
- package = pkgs.searxng;
- # REF: https://github.com/searxng/searxng/blob/master/searx/settings.yml
- settings = {
- general = {
- debug = false;
- enable_metrics = false;
- instance_name = "SearX";
- };
- server = {
- bind_address = cfg.address;
- image_proxy = false;
- limiter = false;
- method = "GET";
- port = cfg.port;
- public_instance = false;
- secret_key = "searxxx";
- };
- search = {
- autocomplete = "";
- autocomplete_min = 4;
- default_lang = "auto";
- safe_search = 0;
- };
- ui = {
- center_alignment = false;
- default_locale = "";
- default_theme = "simple";
- hotkeys = "vim";
- infinite_scroll = false;
- simple_style = "dark";
- };
- outgoing = {
- enable_http2 = true;
- max_request_timeout = 10.0;
- pool_connections = 100;
- pool_maxsize = 20;
- request_timeout = 3.0;
- # proxies = {
- # "all://" = with config.container.module; [
- # # "socks5:${frkn.address}:${frkn.port}"
- # "socks5:${frkn.address}:1081"
- # # "socks5:${frkn.address}:9150"
- # ];
- # };
- # using_tor_proxy = true;
- # extra_proxy_timeout = 10;
- };
- # plugins = [ ];
- enabled_plugins = [
- "Basic Calculator"
- "Hostnames plugin"
- "Tracker URL remover"
- ];
- hostnames = {
- replace = with config.container.module; {
- "(.*\.)?youtu\.be$" = yt.domain;
- "(.*\.)?youtube\.com$" = yt.domain;
- };
- remove = [
- "(.*\.)?dzen\.ru$"
- "(.*\.)?facebook.com$"
- "(.*\.)?gosuslugi\.ru$"
- "(.*\.)?quora\.com$"
- "(.*\.)?rutube\.ru$"
- "(.*\.)?vk\.com$"
- ];
- low_priority = [
- "(.*\.)?google(\..*)?$"
- "(.*\.)?microsoft\.com$"
- ];
- high_priority = [
- "(.*\.)?4pda.to$"
- "(.*\.)?github.com$"
- "(.*\.)?wikipedia.org$"
- ];
- };
- categories_as_tabs = {
- files = { };
- general = { };
- images = { };
- it = { };
- map = { };
- news = { };
- videos = { };
- };
- engines = let
- mkEnable = name: {
- inherit name;
- disabled = false;
- };
- mkDisable = name: {
- inherit name;
- disabled = true;
- };
- in [
- (mkEnable "bing")
- (mkDisable "qwant")
- ];
- };
- };
- };
- };
- };
-}
diff --git a/container/Status.nix b/container/Status.nix
deleted file mode 100644
index a65431dc..00000000
--- a/container/Status.nix
+++ /dev/null
@@ -1,66 +0,0 @@
-{
- config,
- container,
- lib,
- ...
-}: let
- cfg = config.container.module.status;
-in {
- options.container.module.status = {
- enable = lib.mkEnableOption "the status monitor.";
- address = lib.mkOption {
- default = "10.1.0.22";
- type = lib.types.str;
- };
- port = lib.mkOption {
- default = 3001;
- type = lib.types.int;
- };
- domain = lib.mkOption {
- default = "status.${config.container.domain}";
- type = lib.types.str;
- };
- storage = lib.mkOption {
- default = "${config.container.storage}/status";
- type = lib.types.str;
- };
- };
-
- config = lib.mkIf cfg.enable {
- systemd.tmpfiles.rules = container.mkContainerDir cfg [
- "data"
- ];
-
- containers.status = container.mkContainer cfg {
- bindMounts = {
- "/var/lib/uptime-kuma" = {
- hostPath = "${cfg.storage}/data";
- isReadOnly = false;
- };
- };
-
- config = { ... }: container.mkContainerConfig cfg {
- networking = {
- nameservers = lib.mkForce [
- config.container.module.dns.address
- ];
- };
-
- services.uptime-kuma = {
- enable = true;
- settings = {
- DATA_DIR = "/var/lib/uptime-kuma/";
- HOST = cfg.address;
- PORT = toString cfg.port;
- };
- };
-
- systemd.services.uptime-kuma = {
- serviceConfig = {
- DynamicUser = lib.mkForce false;
- };
- };
- };
- };
- };
-}
diff --git a/container/Stock.nix b/container/Stock.nix
deleted file mode 100644
index 61a41ede..00000000
--- a/container/Stock.nix
+++ /dev/null
@@ -1,62 +0,0 @@
-{
- config,
- container,
- lib,
- ...
-}: let
- cfg = config.container.module.stock;
-in {
- options.container.module.stock = {
- enable = lib.mkEnableOption "the stock management.";
- address = lib.mkOption {
- default = "10.1.0.45";
- type = lib.types.str;
- };
- port = lib.mkOption {
- default = 80;
- type = lib.types.int;
- };
- domain = lib.mkOption {
- default = "stock.${config.container.domain}";
- type = lib.types.str;
- };
- storage = lib.mkOption {
- default = "${config.container.storage}/stock";
- type = lib.types.str;
- };
- };
-
- config = lib.mkIf cfg.enable {
- systemd.tmpfiles.rules = container.mkContainerDir cfg [
- "data"
- ];
-
- containers.stock = container.mkContainer cfg {
- bindMounts = {
- "/var/lib/grocy" = {
- hostPath = "${cfg.storage}/data";
- isReadOnly = false;
- };
- };
-
- config = { ... }: container.mkContainerConfig cfg {
- services.grocy = {
- enable = true;
- dataDir = "/var/lib/grocy";
- hostName = cfg.domain;
- nginx = {
- enableSSL = false;
- };
- settings = {
- calendar = {
- firstDayOfWeek = 1;
- showWeekNumber = true;
- };
- culture = "en";
- currency = "RUB";
- };
- };
- };
- };
- };
-}
diff --git a/container/Terraria.nix b/container/Terraria.nix
deleted file mode 100644
index 7636c5d2..00000000
--- a/container/Terraria.nix
+++ /dev/null
@@ -1,60 +0,0 @@
-{
- config,
- container,
- lib,
- ...
-}: let
- cfg = config.container.module.terraria;
-in {
- options.container.module.terraria = {
- enable = lib.mkEnableOption "the Terraria server.";
- address = lib.mkOption {
- default = "10.1.0.77";
- type = lib.types.str;
- };
- port = lib.mkOption {
- default = 22777;
- type = lib.types.int;
- };
- storage = lib.mkOption {
- default = "${config.container.storage}/terraria";
- type = lib.types.str;
- };
- };
-
- config = lib.mkIf cfg.enable {
- systemd.tmpfiles.rules = container.mkContainerDir cfg [
- "data"
- ];
-
- containers.terraria = container.mkContainer cfg {
- bindMounts = {
- "/var/lib/terraria" = {
- hostPath = "${cfg.storage}/data";
- isReadOnly = false;
- };
- };
-
- config = { pkgs, ... }: container.mkContainerConfig cfg {
- # NOTE: Admin with `tmux -S /var/lib/terraria/terraria.sock attach-session -t 0`
- environment.systemPackages = with pkgs; [ tmux ];
-
- services.terraria = let
- dataDir = "/var/lib/terraria";
- in {
- inherit (cfg) port;
- inherit dataDir;
- enable = true;
- autoCreatedWorldSize = "large";
- maxPlayers = 4;
- messageOfTheDay = "<3";
- noUPnP = false;
- openFirewall = false;
- password = "mishadima143";
- secure = false;
- worldPath = "${dataDir}/.local/share/Terraria/Worlds/Together.wld";
- };
- };
- };
- };
-}
diff --git a/container/Vpn.nix b/container/Vpn.nix
deleted file mode 100644
index b151df6a..00000000
--- a/container/Vpn.nix
+++ /dev/null
@@ -1,122 +0,0 @@
-# easyrsa --days=36500 init-pki
-# easyrsa --days=36500 build-ca
-# easyrsa --days=36500 build-server-full nopass
-# easyrsa --days=36500 build-client-full nopass
-# easyrsa gen-crl
-# openssl dhparam -out dh2048.pem 2048
-# Don't forget to set tls hostname on the client to match SERVER_NAME *AND* disable ipv6 ?
-
-# easyrsa revoke
-# easyrsa gen-crl
-# restart container
-
-# SEE: https://github.com/OpenVPN/openvpn/blob/master/sample/sample-config-files/server.conf
-# SRC: https://github.com/TinCanTech/easy-tls
-{
- config,
- container,
- lib,
- pkgs,
- util,
- ...
-}: let
- cfg = config.container.module.vpn;
-in {
- options.container.module.vpn = {
- enable = lib.mkEnableOption "the vpn server.";
- address = lib.mkOption {
- default = "10.1.0.23";
- type = lib.types.str;
- };
- port = lib.mkOption {
- default = 22145;
- type = lib.types.int;
- };
- storage = lib.mkOption {
- default = "${config.container.storage}/vpn";
- type = lib.types.str;
- };
- clients = lib.mkOption {
- default = "10.1.1.0/24";
- type = lib.types.str;
- };
- };
-
- config = lib.mkIf cfg.enable {
- systemd.tmpfiles.rules = container.mkContainerDir cfg [
- "data"
- ];
-
- # HACK: I have no idea how to fully manage the container interface via networkd, so just add a route manually.
- systemd.services.vpn-route = util.mkStaticSystemdService {
- enable = true;
- description = "Hack vpn routes on host";
- after = [ "container@vpn.service" ];
- wants = [ "container@vpn.service" ];
- wantedBy = [ "multi-user.target" ];
- serviceConfig = {
- Type = "oneshot";
- };
- script = ''
- ${pkgs.iproute2}/bin/ip route add ${cfg.clients} via ${cfg.address} dev ve-vpn || true
- '';
- };
-
- containers.vpn = container.mkContainer cfg {
- bindMounts = {
- "/data" = {
- hostPath = "${cfg.storage}/data";
- isReadOnly = true;
- };
- };
-
- config = { ...
}: container.mkContainerConfig cfg {
- boot.kernel.sysctl = {
- "net.ipv4.conf.all.src_valid_mark" = 1;
- "net.ipv4.ip_forward" = 1;
- };
- environment.systemPackages = with pkgs; [
- easyrsa
- openvpn
- ];
- users = {
- groups.openvpn = {};
- users.openvpn = {
- group = "openvpn";
- isSystemUser = true;
- uid = 1000;
- };
- };
- # NOTE: Change the `server` to match `cfg.clients` or write a substring here.
- services.openvpn.servers.vpn = {
- autoStart = true;
- config = util.trimTabs ''
- ca /data/pki/ca.crt
- cert /data/pki/issued/home.crt
- client-to-client
- crl-verify /data/pki/crl.pem
- dev tun
- dh /data/dh2048.pem
- explicit-exit-notify 1
- group openvpn
- ifconfig-pool-persist ipp.txt
- keepalive 10 120
- key /data/pki/private/home.key
- persist-tun
- port ${toString cfg.port}
- proto udp
- push "dhcp-option DNS 10.0.0.1"
- push "dhcp-option DNS 10.0.0.1"
- push "route 10.0.0.0 255.0.0.0"
- push "route 192.168.1.0 255.255.255.0"
- server 10.1.1.0 255.255.255.0
- status openvpn-status.log
- topology subnet
- user openvpn
- verb 4
- '';
- };
- };
- };
- };
-}
diff --git a/container/Watch.nix b/container/Watch.nix
deleted file mode 100644
index c94d5a6b..00000000
--- a/container/Watch.nix
+++ /dev/null
@@ -1,87 +0,0 @@
-{
- config,
- container,
- lib,
- ...
-}: let
- cfg = config.container.module.watch;
-in {
- options.container.module.watch = {
- enable = lib.mkEnableOption "the media server.";
- address = lib.mkOption {
- default = "10.1.0.11";
- type = lib.types.str;
- };
- port = lib.mkOption {
- default = 8096;
- type = lib.types.int;
- };
- domain = lib.mkOption {
- default = "watch.${config.container.domain}";
- type = lib.types.str;
- };
- storage = lib.mkOption {
- default = "${config.container.storage}/watch";
- type = lib.types.str;
- };
- memLimit = lib.mkOption {
- default = "8G";
- type = lib.types.str;
- };
- };
-
- config = lib.mkIf cfg.enable {
- systemd.tmpfiles.rules = container.mkContainerDir cfg [
- "cache"
- "data"
- ];
-
- containers.watch = container.mkContainer cfg {
- bindMounts = {
- "/var/lib/jellyfin" = {
- hostPath = "${cfg.storage}/data";
- isReadOnly = false;
- };
- "/var/cache/jellyfin" = {
- hostPath = "${cfg.storage}/cache";
- isReadOnly = false;
- };
- "/dev/dri" = {
- hostPath = "/dev/dri";
- isReadOnly = false;
- };
- }
- // container.attachMedia "anime" true
- // container.attachMedia "download" true
- // container.attachMedia "movie" true
- // container.attachMedia "music" true
- // container.attachMedia "photo" true
- // container.attachMedia "porn" true
- // container.attachMedia "show" true
- // container.attachMedia "study" true
- // container.attachMedia "work" true
- // container.attachMedia "youtube" true
- ;
-
- allowedDevices = [
- {
- modifier = "rwm";
- node = "/dev/dri/renderD128";
- }
- ];
-
- config = { ... }: container.mkContainerConfig cfg {
- systemd.services.jellyfin.serviceConfig.MemoryLimit = cfg.memLimit;
- services.jellyfin = {
- enable = true;
- cacheDir = "/var/cache/jellyfin";
- dataDir = "/var/lib/jellyfin";
- };
- # users.users.jellyfin.extraGroups = [
- # "video"
- # "render"
- # ];
- };
- };
- };
-}
diff --git a/container/Yt.nix b/container/Yt.nix
deleted file mode 100644
index bdde52ac..00000000
--- a/container/Yt.nix
+++ /dev/null
@@ -1,65 +0,0 @@
-{
- __findFile,
- config,
- container,
- inputs,
- lib,
- pkgs,
- pkgsMaster,
- ...
-}: let
- cfg = config.container.module.yt;
-in {
- options.container.module.yt = {
- enable = lib.mkEnableOption "the YouTube frontend.";
- address = lib.mkOption {
- default = "10.1.0.19";
- type = lib.types.str;
- };
- port = lib.mkOption {
- default = 3000;
- type = lib.types.int;
- };
- domain = lib.mkOption {
- default = "yt.${config.container.domain}";
- type = lib.types.str;
- };
- storage = lib.mkOption {
- default = "${config.container.storage}/yt";
- type = lib.types.str;
- };
- };
-
- config = lib.mkIf cfg.enable {
- containers.yt = container.mkContainer cfg {
- config = { ... }: container.mkContainerConfig cfg {
- disabledModules = [ "services/web-apps/invidious.nix" ];
- imports = [ "${inputs.nixpkgsMaster}/nixos/modules/services/web-apps/invidious.nix" ];
-
- services.invidious = {
- enable = true;
- domain = cfg.domain;
- package = pkgsMaster.invidious;
- port = cfg.port;
- nginx.enable = false;
- database = {
- host = config.container.module.postgres.address;
- port = config.container.module.postgres.port;
- createLocally = false;
- passwordFile = "${pkgs.writeText "InvidiousDbPassword" "invidious"}";
- };
- settings = {
- captcha_enabled = false;
- check_tables = true;
- external_port = 443;
- https_only = true;
- registration_enabled = false;
- admins = [
- "root"
- ];
- };
- };
- };
- };
- };
-}
diff --git a/container/default.nix b/container/default.nix
deleted file mode 100644
index 0c5d9cee..00000000
--- a/container/default.nix
+++ /dev/null
@@ -1,57 +0,0 @@
-{
- config,
- lib,
- ...
-}: let
- cfg = config.container;
-in {
- options.container = {
- enable = lib.mkEnableOption "Containers!!";
- autoStart = lib.mkOption {
- default = false;
- type = lib.types.bool;
- };
- host = lib.mkOption {
- default = "0.0.0.0";
- type = lib.types.str;
- };
- localAccess = lib.mkOption {
- default = "0.0.0.0";
- type = lib.types.str;
- };
- storage = lib.mkOption {
- default = "/tmp/container";
- type = lib.types.str;
- };
- domain = lib.mkOption {
- default = "local";
- type = lib.types.str;
- };
- interface = lib.mkOption {
- default = "lo";
- type = lib.types.str;
- };
- media = lib.mkOption {
- default = { };
- type = lib.types.attrs;
- };
- };
-
- config = lib.mkIf cfg.enable {
- # This is the network for all the containers.
- # They are not available to the external interface by default,
- # instead they all expose specific ports in their configuration.
- networking = {
- nat = {
- enable = true;
- externalInterface = config.container.interface;
- internalInterfaces = [
- "ve-+"
- ];
- };
- networkmanager.unmanaged = [
- "interface-name:ve-*"
- ];
- };
- };
-}
diff --git a/container/proxy/host/Camera.nix b/container/proxy/host/Camera.nix
deleted file mode 100644
index a3e95f13..00000000
--- a/container/proxy/host/Camera.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{
- config,
- container,
- util,
- ...
-}: let
- address = "192.168.2.249";
- domain = "camera.${config.container.domain}";
- port = 554;
-in {
- ${domain} = container.mkServer {
- extraConfig = util.trimTabs ''
- listen 443 ssl;
-
- location / {
- allow ${config.container.localAccess};
- allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.clients};
- allow ${config.container.module.frkn.address};
- deny all;
- return 301 rtsp://${address}:${toString port}/live/main;
- }
-
- ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
- include /etc/letsencrypt/conf/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
- '';
- };
-}
diff --git a/container/proxy/host/Change.nix b/container/proxy/host/Change.nix
deleted file mode 100644
index 04a72c4e..00000000
--- a/container/proxy/host/Change.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-{
- config,
- container,
- util,
- ...
-}: let
- cfg = config.container.module.change;
- name = "change";
-in {
- ${cfg.domain} = container.mkServer {
- extraConfig = util.trimTabs ''
- listen 443 ssl;
- set ''$${name} ${cfg.address}:${toString cfg.port};
-
- location / {
- allow ${config.container.localAccess};
- allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.clients};
- allow ${config.container.module.frkn.address};
- deny all;
-
- proxy_pass http://''$${name}$request_uri;
-
- add_header Referrer-Policy 'origin';
- }
-
- ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
- include /etc/letsencrypt/conf/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
- '';
- };
-}
diff --git a/container/proxy/host/Chat.nix b/container/proxy/host/Chat.nix
deleted file mode 100644
index b0bb83be..00000000
--- a/container/proxy/host/Chat.nix
+++ /dev/null
@@ -1,31 +0,0 @@
-{
- config,
- container,
- util,
- ...
-}: let
- cfg = config.container.module.chat;
- name = "chat";
-in {
- ${cfg.domain} = container.mkServer {
- extraConfig = util.trimTabs ''
- listen 443 ssl;
- set ''$${name} ${cfg.address}:${toString cfg.port};
-
- location / {
- allow ${config.container.localAccess};
- allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.clients};
- allow ${config.container.module.frkn.address};
- deny all;
-
- proxy_pass http://''$${name}$request_uri;
- }
-
- ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
- include /etc/letsencrypt/conf/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
- '';
- };
-}
diff --git a/container/proxy/host/Cloud.nix b/container/proxy/host/Cloud.nix
deleted file mode 100644
index ebc4f339..00000000
--- a/container/proxy/host/Cloud.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-{
- config,
- container,
- util,
- ...
-}: let
- cfg = config.container.module.cloud;
- name = "cloud";
-in {
- ${cfg.domain} = container.mkServer {
- extraConfig = util.trimTabs ''
- listen 443 ssl;
- set ''$${name} ${cfg.address}:${toString cfg.port};
-
- location ~ ^/(settings/admin|settings/users|settings/apps|login|api) {
- allow ${config.container.localAccess};
- allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.clients};
- allow ${config.container.module.frkn.address};
- deny all;
- proxy_pass http://''$${name}$request_uri;
- }
-
- location / {
- proxy_pass http://''$${name}$request_uri;
- }
-
- ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
- include /etc/letsencrypt/conf/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
- '';
- };
-}
diff --git a/container/proxy/host/Download.nix b/container/proxy/host/Download.nix
deleted file mode 100644
index 2e852952..00000000
--- a/container/proxy/host/Download.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{
- config,
- container,
- util,
- ...
-}: let
- cfg = config.container.module.download;
- name = "download";
-in {
- ${cfg.domain} = container.mkServer {
- extraConfig = util.trimTabs ''
- listen 443 ssl;
- set ''$${name} ${cfg.address}:${toString cfg.port};
-
- location / {
- allow ${config.container.localAccess};
- allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.clients};
- allow ${config.container.module.frkn.address};
- deny all;
- proxy_pass http://''$${name}$request_uri;
- }
-
- ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
- include /etc/letsencrypt/conf/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
- '';
- };
-}
diff --git a/container/proxy/host/Git.nix b/container/proxy/host/Git.nix
deleted file mode 100644
index 41617721..00000000
--- a/container/proxy/host/Git.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-{
- container,
- config,
- util,
- ...
-}: let
- cfg = config.container.module.git;
- name = "git";
-in {
- ${cfg.domain} = container.mkServer {
- extraConfig = util.trimTabs ''
- listen 443 ssl;
- set ''$${name} ${cfg.address}:${toString cfg.port};
-
- location ~ ^/(admin|api|user) {
- allow ${config.container.localAccess};
- allow ${config.container.module.vpn.clients};
- allow ${config.container.module.frkn.address};
- deny all;
- proxy_pass http://''$${name}$request_uri;
- }
-
- location / {
- proxy_pass http://''$${name}$request_uri;
- }
-
- ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
- include /etc/letsencrypt/conf/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
- '';
- };
-}
diff --git a/container/proxy/host/Home.nix b/container/proxy/host/Home.nix
deleted file mode 100644
index eaea0cd9..00000000
--- a/container/proxy/host/Home.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{
- config,
- container,
- util,
- ...
-}: let
- cfg = config.container.module.home;
- name = "home";
-in {
- ${cfg.domain} = container.mkServer {
- extraConfig = util.trimTabs ''
- listen 443 ssl;
- set ''$${name} ${cfg.address}:${toString cfg.port};
-
- location / {
- allow ${config.container.localAccess};
- allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.clients};
- allow ${config.container.module.frkn.address};
- deny all;
- proxy_pass http://''$${name}$request_uri;
- }
-
- ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
- include /etc/letsencrypt/conf/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
- '';
- };
-}
diff --git a/container/proxy/host/Iot.nix b/container/proxy/host/Iot.nix
deleted file mode 100644
index 9eb903f1..00000000
--- a/container/proxy/host/Iot.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-{
- container,
- config,
- util,
- ...
-}: let
- cfg = config.container.module.iot;
- name = "iot";
-in {
- ${cfg.domain} = container.mkServer {
- extraConfig = util.trimTabs ''
- listen 443 ssl;
- set ''$${name} ${cfg.address}:${toString cfg.port};
-
- location / {
- allow ${config.container.localAccess};
- allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.clients};
- allow ${config.container.module.frkn.address};
- deny all;
-
- # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Host $host;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
-
- proxy_pass http://''$${name}$request_uri;
- }
-
- ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
- include /etc/letsencrypt/conf/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
- '';
- };
-}
diff --git a/container/proxy/host/Mail.nix b/container/proxy/host/Mail.nix
deleted file mode 100644
index ff3bd144..00000000
--- a/container/proxy/host/Mail.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{
- container,
- config,
- util,
- ...
-}: let
- cfg = config.container.module.mail;
- name = "mail";
-in {
- ${cfg.domain} = container.mkServer {
- extraConfig = util.trimTabs ''
- listen 443 ssl;
- set ''$${name} ${cfg.address}:${toString cfg.port};
-
- location / {
- allow ${config.container.localAccess};
- allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.clients};
- allow ${config.container.module.frkn.address};
- deny all;
- proxy_pass http://''$${name}$request_uri;
- }
-
- ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
- include /etc/letsencrypt/conf/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
- '';
- };
-}
diff --git a/container/proxy/host/Office.nix b/container/proxy/host/Office.nix
deleted file mode 100644
index 22acea63..00000000
--- a/container/proxy/host/Office.nix
+++ /dev/null
@@ -1,31 +0,0 @@
-{
- container,
- config,
- util,
- ...
-}: let
- cfg = config.container.module.office;
- name = "office";
-in {
- ${cfg.domain} = container.mkServer {
- extraConfig = util.trimTabs ''
- listen 443 ssl;
- set ''$${name} ${cfg.address}:${toString cfg.port};
-
- location / {
- # allow ${config.container.localAccess};
- # allow ${config.container.module.status.address};
- # allow ${config.container.module.vpn.clients};
- # allow ${config.container.module.frkn.address};
- # deny all;
- add_header X-Forwarded-Proto https;
- proxy_pass http://''$${name}$request_uri;
- }
-
- ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
- include /etc/letsencrypt/conf/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
- '';
- };
-}
diff --git a/container/proxy/host/Paper.nix b/container/proxy/host/Paper.nix
deleted file mode 100644
index e1d1a2fd..00000000
--- a/container/proxy/host/Paper.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{
- container,
- config,
- util,
- ...
-}: let
- cfg = config.container.module.paper;
- name = "paper";
-in {
- ${cfg.domain} = container.mkServer {
- extraConfig = util.trimTabs ''
- listen 443 ssl;
- set ''$${name} ${cfg.address}:${toString cfg.port};
-
- location / {
- allow ${config.container.localAccess};
- allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.clients};
- allow ${config.container.module.frkn.address};
- deny all;
- proxy_pass http://''$${name}$request_uri;
- }
-
- ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
- include /etc/letsencrypt/conf/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
- '';
- };
-}
diff --git a/container/proxy/host/Pass.nix b/container/proxy/host/Pass.nix
deleted file mode 100644
index 93aa07fa..00000000
--- a/container/proxy/host/Pass.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{
- container,
- config,
- util,
- ...
-}: let
- cfg = config.container.module.pass;
- name = "pass";
-in {
- ${cfg.domain} = container.mkServer {
- extraConfig = util.trimTabs ''
- listen 443 ssl;
- set ''$${name} ${cfg.address}:${toString cfg.port};
-
- location / {
- allow ${config.container.localAccess};
- allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.clients};
- allow ${config.container.module.frkn.address};
- deny all;
- proxy_pass http://''$${name}$request_uri;
- }
-
- ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
- include /etc/letsencrypt/conf/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
- '';
- };
-}
diff --git a/container/proxy/host/Paste.nix b/container/proxy/host/Paste.nix
deleted file mode 100644
index 36c00049..00000000
--- a/container/proxy/host/Paste.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- container,
- config,
- util,
- ...
-}: let
- cfg = config.container.module.paste;
- name = "paste";
-in {
- ${cfg.domain} = container.mkServer {
- extraConfig = util.trimTabs ''
- listen 443 ssl;
- set ''$${name} ${cfg.address}:${toString cfg.port};
-
- location = / {
- return 403;
- }
-
- location / {
- proxy_pass http://''$${name}$request_uri;
- }
-
- ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
- include /etc/letsencrypt/conf/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
- '';
- };
-}
diff --git a/container/proxy/host/Print.nix b/container/proxy/host/Print.nix
deleted file mode 100644
index 12bff3af..00000000
--- a/container/proxy/host/Print.nix
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- container,
- config,
- util,
- ...
-}: let
- cfg = config.container.module.print;
- name = "print";
-in {
- ${cfg.domain} = container.mkServer {
- extraConfig = util.trimTabs ''
- listen 443 ssl;
- set ''$${name} ${cfg.address}:${toString cfg.port};
-
- location / {
- allow ${config.container.localAccess};
- allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.clients};
- allow ${config.container.module.frkn.address};
- deny all;
-
- proxy_pass http://''$${name}$request_uri;
-
- proxy_set_header Host "127.0.0.1";
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
- }
-
- ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
- include /etc/letsencrypt/conf/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
- '';
- };
-}
diff --git a/container/proxy/host/Printer.nix b/container/proxy/host/Printer.nix
deleted file mode 100644
index 3268f764..00000000
--- a/container/proxy/host/Printer.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- container,
- config,
- util,
- ...
-}: let
- address = "192.168.2.237";
- domain = "printer.${config.container.domain}";
- name = "printer";
- port = 80;
-in {
- ${domain} = container.mkServer {
- extraConfig = util.trimTabs ''
- listen 443 ssl;
- set ''$${name} ${address}:${toString port};
-
- location / {
- allow ${config.container.localAccess};
- allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.clients};
- allow ${config.container.module.frkn.address};
- deny all;
- proxy_pass http://''$${name}$request_uri;
- }
-
- ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
- include /etc/letsencrypt/conf/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
- '';
- };
-}
diff --git a/container/proxy/host/Read.nix b/container/proxy/host/Read.nix
deleted file mode 100644
index bc0a5323..00000000
--- a/container/proxy/host/Read.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{
- container,
- config,
- util,
- ...
-}: let
- cfg = config.container.module.read;
- name = "read";
-in {
- ${cfg.domain} = container.mkServer {
- extraConfig = util.trimTabs ''
- listen 443 ssl;
- set ''$${name} ${cfg.address}:${toString cfg.port};
-
- location / {
- allow ${config.container.localAccess};
- allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.clients};
- allow ${config.container.module.frkn.address};
- deny all;
- proxy_pass http://''$${name}$request_uri;
- }
-
- ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
- include /etc/letsencrypt/conf/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
- '';
- };
-}
diff --git a/container/proxy/host/Resume.nix b/container/proxy/host/Resume.nix
deleted file mode 100644
index 0229df0d..00000000
--- a/container/proxy/host/Resume.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{
- container,
- config,
- util,
- ...
-}: let
- domain = "resume.${config.container.domain}";
-in {
- ${domain} = container.mkServer {
- extraConfig = util.trimTabs ''
- server_name ${domain};
- listen 443 ssl;
-
- ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
- include /etc/letsencrypt/conf/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
-
- if ($http_accept_language ~ ru) {
- return 301 https://${config.container.module.git.domain}/voronind/resume/releases/download/latest/VoronindRu.pdf;
- }
-
- return 301 https://${config.container.module.git.domain}/voronind/resume/releases/download/latest/VoronindEn.pdf;
- '';
- };
-}
diff --git a/container/proxy/host/Router.nix b/container/proxy/host/Router.nix
deleted file mode 100644
index 425623a0..00000000
--- a/container/proxy/host/Router.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{
- container,
- config,
- util,
- ...
-}: let
- address = "10.0.0.2";
- domain = "router.${config.container.domain}";
- name = "router";
- port = 80;
-in {
- ${domain} = container.mkServer {
- extraConfig = util.trimTabs ''
- listen 443 ssl;
- set ''$${name} ${address}:${toString port};
-
- location / {
- allow ${config.container.localAccess};
- allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.clients};
- allow ${config.container.module.frkn.address};
- deny all;
- proxy_pass http://''$${name}$request_uri;
- }
-
- ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
- include /etc/letsencrypt/conf/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
- '';
- };
-}
diff --git a/container/proxy/host/Search.nix b/container/proxy/host/Search.nix
deleted file mode 100644
index e66a561c..00000000
--- a/container/proxy/host/Search.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{
- container,
- config,
- util,
- ...
-}: let
- cfg = config.container.module.search;
- name = "search";
-in {
- ${cfg.domain} = container.mkServer {
- extraConfig = util.trimTabs ''
- listen 443 ssl;
- set ''$${name} ${cfg.address}:${toString cfg.port};
-
- location / {
- allow ${config.container.localAccess};
- allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.clients};
- allow ${config.container.module.frkn.address};
- deny all;
- proxy_pass http://''$${name}$request_uri;
- }
-
- ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
- include /etc/letsencrypt/conf/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
- '';
- };
-}
diff --git a/container/proxy/host/Status.nix b/container/proxy/host/Status.nix
deleted file mode 100644
index 5e5c4a1b..00000000
--- a/container/proxy/host/Status.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-{
- container,
- config,
- util,
- ...
-}: let
- cfg = config.container.module.status;
- name = "sstatus";
-in {
- ${cfg.domain} = container.mkServer {
- extraConfig = util.trimTabs ''
- listen 443 ssl;
- set ''$${name} ${cfg.address}:${toString cfg.port};
-
- location ~ ^/(dashboard|settings) {
- allow ${config.container.localAccess};
- allow ${config.container.module.vpn.clients};
- allow ${config.container.module.frkn.address};
- deny all;
- proxy_pass http://''$${name}$request_uri;
- }
-
- location / {
- allow ${config.container.localAccess};
- allow ${config.container.module.vpn.clients};
- allow ${config.container.module.frkn.address};
- deny all;
- proxy_pass http://''$${name}$request_uri;
- }
-
- ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
- include /etc/letsencrypt/conf/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
- '';
- };
-}
diff --git a/container/proxy/host/Stock.nix b/container/proxy/host/Stock.nix
deleted file mode 100644
index 904218c1..00000000
--- a/container/proxy/host/Stock.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{
- container,
- config,
- util,
- ...
-}: let
- cfg = config.container.module.stock;
- name = "stock";
-in {
- ${cfg.domain} = container.mkServer {
- extraConfig = util.trimTabs ''
- listen 443 ssl;
- set ''$${name} ${cfg.address}:${toString cfg.port};
-
- location / {
- allow ${config.container.localAccess};
- allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.clients};
- allow ${config.container.module.frkn.address};
- deny all;
- proxy_pass http://''$${name}$request_uri;
- }
-
- ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
- include /etc/letsencrypt/conf/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
- '';
- };
-}
diff --git a/container/proxy/host/Watch.nix b/container/proxy/host/Watch.nix
deleted file mode 100644
index ceb4d3c7..00000000
--- a/container/proxy/host/Watch.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{
- container,
- config,
- util,
- ...
-}: let
- cfg = config.container.module.watch;
- name = "watch";
-in {
- ${cfg.domain} = container.mkServer {
- extraConfig = util.trimTabs ''
- listen 443 ssl;
- set ''$${name} ${cfg.address}:${toString cfg.port};
-
- location / {
- allow ${config.container.localAccess};
- allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.clients};
- allow ${config.container.module.frkn.address};
- deny all;
- proxy_pass http://''$${name}$request_uri;
- }
-
- ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
- include /etc/letsencrypt/conf/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
- '';
- };
-}
diff --git a/container/proxy/host/Yt.nix b/container/proxy/host/Yt.nix
deleted file mode 100644
index c466e329..00000000
--- a/container/proxy/host/Yt.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{
- container,
- config,
- util,
- ...
-}: let
- cfg = config.container.module.yt;
- name = "yt";
-in {
- ${cfg.domain} = container.mkServer {
- extraConfig = util.trimTabs ''
- listen 443 ssl;
- set ''$${name} ${cfg.address}:${toString cfg.port};
-
- location / {
- allow ${config.container.localAccess};
- allow ${config.container.module.status.address};
- allow ${config.container.module.vpn.clients};
- allow ${config.container.module.frkn.address};
- deny all;
-
- proxy_pass http://''$${name}$request_uri;
-
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header Host $host;
- proxy_http_version 1.1;
- proxy_set_header Connection "";
-
- proxy_hide_header Content-Security-Policy;
- proxy_hide_header X-Frame-Options;
- proxy_hide_header X-Content-Type-Options;
- }
-
- ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
- include /etc/letsencrypt/conf/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
- '';
- };
-}
diff --git a/flake.nix b/flake.nix
index d047d227..2401c878 100644
--- a/flake.nix
+++ b/flake.nix
@@ -120,7 +120,6 @@
 # HM config.
 ./home/NixOs.nix
 ]
- ++ (self.ls ./container)
 ++ (self.ls ./host/${system}/${hostname})
 ++ (self.ls ./option)
 ++ (self.ls ./config)
@@ -128,14 +127,11 @@ ++ (self.ls ./system) ; specialArgs = let - pkgs = nixpkgs.legacyPackages.${system}.pkgs; - lib = nixpkgs.lib; - config = self.nixosConfigurations.${hostname}.config; - util = import ./lib/Util.nix { inherit lib; }; + lib = nixpkgs.lib; + util = import ./lib/Util.nix { inherit lib; }; in { inherit (self) const __findFile; inherit inputs self poetry2nixJobber util; - container = import ./lib/Container.nix { inherit lib pkgs config util; inherit (self) const; }; pkgsJobber = nixpkgsJobber.legacyPackages.${system}.pkgs; pkgsMaster = nixpkgsMaster.legacyPackages.${system}.pkgs; pkgsUnstable = nixpkgsUnstable.legacyPackages.${system}.pkgs; diff --git a/host/x86_64-linux/home/Backup.nix b/host/x86_64-linux/home/Backup.nix index 2e1b5bb7..40636b05 100644 --- a/host/x86_64-linux/home/Backup.nix +++ b/host/x86_64-linux/home/Backup.nix @@ -17,7 +17,7 @@ path_src="/storage/hot" path_mount="/storage/cold_1" path_backup="''${path_mount}/backup" - path_container="''${path_backup}/home" + path_data="''${path_backup}/home" path_media="/storage/cold_1 /storage/cold_2" # Check if backup drive is mounted. @@ -41,10 +41,10 @@ archive ColdMedia.txt && rm ColdMedia.txt || report "Backup : Failed to archive media list!" cd - - # Backup containers. - container=$(archive container/) - bupsize=$(tdu ''${container} | awk '{print $1}') - mv ''${container} ''${path_container}/ || report "Backup : Failed to save containers!" + # Backup data. + data=$(archive data/) + bupsize=$(tdu ''${data} | awk '{print $1}') + mv ''${data} ''${path_data}/ || report "Backup : Failed to save data!" # Backup some media. cd ''${path_src} @@ -61,14 +61,9 @@ archive_prune ColdMediaTxt 30 cd - - # Prune old container copies. - cd ''${path_container} - archive_prune Container 7 - cd - - - # Prune game saves. - cd "''${path_backup}/save/" - archive_prune + # Prune old data copies. + cd ''${path_data} + archive_prune Data 7 cd - # Sync writes. 
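Review bot: The replacement `archive_prune Data 7` drops the separate pruning of game saves under `"${path_backup}/save/"` without an equivalent, so if saves are still archived elsewhere in this script they will now accumulate unpruned; presumably intentional with the containers gone, but a one-line comment such as `# Game saves are no longer pruned here.` would record it. The prefix passed to `archive_prune` (`Data`) also has to match the archive name that `archive data/` in the previous hunk produces, which I cannot verify from here. The enclosing script body starts and ends outside this hunk.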
@@ -90,6 +85,7 @@ in { curl gawk gnutar + mount procps pv xz diff --git a/host/x86_64-linux/home/Bind.nix b/host/x86_64-linux/home/Bind.nix new file mode 100644 index 00000000..7fd98ec9 --- /dev/null +++ b/host/x86_64-linux/home/Bind.nix @@ -0,0 +1,40 @@ +{ + lib, + ... +}: let + storage = "/storage/hot/data"; + + binds = [ + (mkBind "change" "/var/lib/changedetection-io") + (mkBind "cups" "/var/lib/cups") + (mkBind "deluge" "/var/lib/deluge/.config/deluge") + (mkBind "dkim" "/var/dkim") + (mkBind "dovecot_index" "/var/lib/dovecot/indices") + (mkBind "forgejo" "/var/lib/forgejo") + (mkBind "grocy" "/var/lib/grocy") + (mkBind "hass" "/var/lib/hass") + (mkBind "jellyfin" "/var/lib/jellyfin") + (mkBind "jellyfin_cache" "/var/cache/jellyfin") + (mkBind "kavita" "/var/lib/kavita") + (mkBind "letsencrypt" "/etc/letsencrypt") + (mkBind "nextcloud" "/var/lib/nextcloud") + (mkBind "ovpn" "/var/lib/ovpn") + (mkBind "paperless" "/var/lib/paperless") + (mkBind "postgres" "/var/lib/postgresql") + (mkBind "rabbitmq" "/var/lib/rabbitmq") + (mkBind "sieve" "/var/sieve") + (mkBind "terraria" "/var/lib/terraria") + (mkBind "uptime_kuma" "/var/lib/uptime-kuma") + (mkBind "vaultwarden" "/var/lib/vaultwarden") + (mkBind "vmail" "/var/vmail") + ]; + + mkBind = name: path: { + ${path} = { + device = "${storage}/${name}"; + options = [ "bind" "nofail" "X-mount.mkdir=1777" ]; + }; + }; +in { + fileSystems = lib.foldl' (acc: bind: acc // bind) { } binds; +} diff --git a/host/x86_64-linux/home/Blocky.nix b/host/x86_64-linux/home/Blocky.nix new file mode 100644 index 00000000..cd97507b --- /dev/null +++ b/host/x86_64-linux/home/Blocky.nix 
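Review bot: `options = [ "bind" "nofail" "X-mount.mkdir=1777" ]` creates every mount point — including `/etc/letsencrypt`, `/var/dkim`, `/var/lib/postgresql` and `/var/lib/vaultwarden` — as a world-writable sticky directory, and with `nofail` a missing `/storage/hot/data/<name>` lets the service start and write into that 1777 directory on the root filesystem instead of failing. Creating the mount point with the default mode (`"X-mount.mkdir"`) is enough, since the bind source's own permissions apply once it is mounted; for the stateful services listed here `nofail` is worth reconsidering, or pairing with `RequiresMountsFor=` on the unit, so a missing source stops the service rather than silently diverging its data. A comment on `mkBind` noting that `X-mount.mkdir` only creates the target and the source directories must already exist would help the next reader.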
@@ -0,0 +1,97 @@ +{ ... }: { + services.blocky = { + enable = true; + # REF: https://0xerr0r.github.io/blocky/main/configuration/ + settings = { + bootstrapDns = "tcp+udp:1.1.1.1"; + ports.dns = 53; + # connectIPVersion = "v4"; + # httpPort = "80"; + upstreams.groups = { + default = [ + "https://dns.quad9.net/dns-query" + ]; + }; + caching = { + maxItemsCount = 100000; + maxTime = "30m"; + minTime = "5m"; + prefetchExpires = "2h"; + prefetchMaxItemsCount = 100000; + prefetchThreshold = 5; + prefetching = true; + }; + blocking = { + blockTTL = "1m"; + blockType = "zeroIP"; + loading = { + refreshPeriod = "24h"; + strategy = "blocking"; + downloads = { + attempts = 3; + cooldown = "10s"; + timeout = "5m"; + }; + }; + # SRC: https://oisd.nl + # SRC: https://v.firebog.net + denylists = { + suspicious = [ + "https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt" + "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" # https://github.com/StevenBlack/hosts + "https://v.firebog.net/hosts/static/w3kbl.txt" + ]; + ads = [ + "https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext" + "https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts" + "https://v.firebog.net/hosts/AdguardDNS.txt" + "https://v.firebog.net/hosts/Admiral.txt" + "https://v.firebog.net/hosts/Easylist.txt" + ]; + tracking = [ + "https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt" + "https://v.firebog.net/hosts/Easyprivacy.txt" + "https://v.firebog.net/hosts/Prigent-Ads.txt" + ]; + malicious = [ + "https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt" + "https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt" + "https://phishing.army/download/phishing_army_blocklist_extended.txt" + "https://raw.githubusercontent.com/AssoEchap/stalkerware-indicators/master/generated/hosts" + "https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt" + 
"https://urlhaus.abuse.ch/downloads/hostfile/" + "https://v.firebog.net/hosts/Prigent-Crypto.txt" + "https://v.firebog.net/hosts/Prigent-Malware.txt" + ]; + other = [ + "https://big.oisd.nl/domainswild" + "https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser" + ]; + }; + # allowlists = { + # other = [ + # "/.*.vk.com/" + # ]; + # }; + clientGroupsBlock = { + default = [ + "ads" + "malicious" + "other" + "suspicious" + "tracking" + ]; + }; + }; + customDNS.mapping = let + block = host: { ${host} = "0.0.0.0"; }; + in { + "voronind.com" = "10.0.0.1,fd09:8d46:b26::1"; + } + // block "gosuslugi.ru" + // block "rutube.ru" + # // block "vk.com" + ; + }; + }; +} diff --git a/host/x86_64-linux/home/Change.nix b/host/x86_64-linux/home/Change.nix new file mode 100644 index 00000000..7dd11e4e --- /dev/null +++ b/host/x86_64-linux/home/Change.nix @@ -0,0 +1,9 @@ +{ ... }: { + services.changedetection-io = { + enable = true; + baseURL = "change.voronind.com"; + behindProxy = true; + listenAddress = "0.0.0.0"; + port = 5001; + }; +} diff --git a/host/x86_64-linux/home/Container.nix b/host/x86_64-linux/home/Container.nix deleted file mode 100644 index e19d6c02..00000000 --- a/host/x86_64-linux/home/Container.nix +++ /dev/null 
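Review bot: `customDNS.mapping` answers `voronind.com` with `fd09:8d46:b26::1`, but the Network.nix hunks in this same commit comment out the `${internal6}/48` address and change `internal6` to `fd09:8d46:b26:0:8079:82ff:fe1a:916a`, so the AAAA answer may now point at an address the host no longer holds; if so, update the mapping or drop the IPv6 answer until the prefix assignment settles. Separately, `ports.dns = 53` binds every interface; that is fine only while the firewall keeps port 53 closed on the WAN side, which the Network.nix rules appear to do, so a comment like `# Listens on all interfaces; WAN is filtered in Network.nix.` would record that dependency.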
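Review bot: `listenAddress = "0.0.0.0"` exposes changedetection-io on every interface although `behindProxy = true` and the reverse proxy now runs on the same host; unless LAN clients reach port 5001 directly, `listenAddress = "127.0.0.1";` keeps the backend reachable only through nginx. The same pattern appears in Forgejo.nix (`HTTP_ADDR = "0.0.0.0"`) and Paperless.nix (`address = "0.0.0.0"`) in this commit.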
@@ -1,88 +0,0 @@ -{ ... }: { - container = { - enable = true; - autoStart = true; - domain = "voronind.com"; - host = "188.242.247.132"; - interface = "enp8s0"; - localAccess = "10.0.0.0/24"; - storage = "/storage/hot/container"; - module = { - change.enable = true; - cloud.enable = true; - dns.enable = true; - download.enable = true; - frkn.enable = true; - git.enable = true; - home.enable = true; - iot.enable = true; - jobber.enable = true; - mail.enable = true; - office.enable = true; - paper.enable = true; - pass.enable = true; - paste.enable = true; - postgres.enable = true; - print.enable = true; - proxy.enable = true; - rabbitmq.enable = true; - read.enable = true; - redis.enable = true; - search.enable = true; - status.enable = true; - stock.enable = true; - terraria.enable = true; - vpn.enable = true; - watch.enable = true; - yt.enable = true; - }; - media = { - anime = [ - "/storage/cold_1/anime" - "/storage/cold_2/anime" - ]; - book = [ - "/storage/hot/book" - ]; - download = [ - "/storage/hot/download" - ]; - manga = [ - "/storage/cold_1/manga" - "/storage/cold_2/manga" - ]; - movie = [ - "/storage/cold_1/movie" - "/storage/cold_2/movie" - ]; - music = [ - "/storage/cold_2/music" - ]; - paper = [ - "/storage/hot/paper" - ]; - porn = [ - "/storage/cold_2/porn" - ]; - photo = [ - "/storage/hot/container/cloud/data/data/cakee/files/photo" - "/storage/cold_1/backup/tmp/photo" - ]; - show = [ - "/storage/cold_1/show" - "/storage/cold_2/show" - ]; - study = [ - "/storage/cold_1/study" - "/storage/cold_2/study" - ]; - work = [ - "/storage/cold_2/work" - ]; - youtube = [ - "/storage/cold_1/youtube" - "/storage/cold_2/youtube" - ]; - }; - }; -} diff --git a/host/x86_64-linux/home/Cups.nix b/host/x86_64-linux/home/Cups.nix new file mode 100644 index 00000000..07393e73 --- /dev/null +++ b/host/x86_64-linux/home/Cups.nix 
@@ -0,0 +1,22 @@ +# NOTE: Login to contaier, run passwd and use that root/pw combo for administration. `AllowFrom = all` doesn't seem to work. +# ipp://10.0.0.10 +# Pantum M6500W-Series +{ + __findFile, + pkgs, + ... +} @args: let + package = pkgs.callPackage args; +in { + services.printing = { + enable = true; + allowFrom = [ "all" ]; + browsing = true; + defaultShared = true; + drivers = [ package ]; + listenAddresses = [ "0.0.0.0:631" ]; + startWhenNeeded = true; + stateless = false; + webInterface = true; + }; +} diff --git a/host/x86_64-linux/home/Ddns.nix b/host/x86_64-linux/home/Ddns.nix new file mode 100644 index 00000000..5d4d2a4c --- /dev/null +++ b/host/x86_64-linux/home/Ddns.nix @@ -0,0 +1,23 @@ +{ ... }: { + services.cloudflare-dyndns = { + enable = true; + apiTokenFile = "/storage/hot/data/CfToken"; + deleteMissing = false; + ipv4 = true; + ipv6 = true; + proxied = false; + domains = let + domain = "voronind.com"; + in [ + domain + ] ++ map (sub: "${sub}.${domain}") [ + "cloud" + "git" + "mail" + "office" + "paste" + "play" + "vpn" + ]; + }; +} diff --git a/host/x86_64-linux/home/Deluge.nix b/host/x86_64-linux/home/Deluge.nix new file mode 100644 index 00000000..29568541 --- /dev/null +++ b/host/x86_64-linux/home/Deluge.nix @@ -0,0 +1,14 @@ +{ + lib, + ... +}: { + services.deluge = { + enable = true; + web.enable = true; + }; + systemd.services.deluged.serviceConfig = { + MemoryMax = "4G"; + Restart = lib.mkForce "always"; + RuntimeMaxSec = "3h"; + }; +} diff --git a/host/x86_64-linux/home/Forgejo.nix b/host/x86_64-linux/home/Forgejo.nix new file mode 100644 index 00000000..df505e2c --- /dev/null +++ b/host/x86_64-linux/home/Forgejo.nix 
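Review bot: `allowFrom = [ "all" ]` together with `listenAddresses = [ "0.0.0.0:631" ]` makes the CUPS web and IPP interface reachable from every network the host is attached to, including the administration pages the header comment protects with the root password; limiting it to the LAN, e.g. `allowFrom = [ "localhost" "10.0.0.0/24" ];`, matches how the rest of this commit scopes internal services. The header comment also has a typo (`contaier`) and says `AllowFrom = all` does not seem to work, which leaves the effective access policy unclear — worth confirming what actually gates access and documenting it in that comment.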
@@ -0,0 +1,54 @@
+{
+ services.forgejo = {
+ enable = true;
+ stateDir = "/var/lib/forgejo";
+
+ database = {
+ createDatabase = true;
+ name = "forgejo";
+ type = "postgres";
+ user = "forgejo";
+ };
+
+ settings = let
+ gcArgs = "--aggressive --no-cruft --prune=now";
+ gcTimeout = 600;
+ in {
+ "cron.cleanup_actions".ENABLED = true;
+ "cron.update_mirrors".SCHEDULE = "@midnight";
+ "git".GC_ARGS = gcArgs;
+ "git.timeout".GC = gcTimeout;
+ "log".LEVEL = "Error";
+ "repo-archive".ENABLED = false;
+ "repository.issue".MAX_PINNED = 99999;
+ "repository.pull-request".DEFAULT_MERGE_STYLE = "rebase";
+ "service".DISABLE_REGISTRATION = true;
+ "server" = {
+ DOMAIN = "git.voronind.com";
+ HTTP_ADDR = "0.0.0.0";
+ ROOT_URL = "https://git.voronind.com";
+ BUILTIN_SSH_SERVER_USER = "git";
+ DISABLE_SSH = false;
+ SSH_PORT = 22144;
+ START_SSH_SERVER = true;
+ };
+ "ui" = {
+ AMBIGUOUS_UNICODE_DETECTION = false;
+ };
+ "repository" = {
+ DEFAULT_PRIVATE = "private";
+ DEFAULT_PUSH_CREATE_PRIVATE = true;
+ };
+ "cron" = {
+ ENABLED = true;
+ RUN_AT_START = true;
+ };
+ "cron.git_gc_repos" = {
+ ENABLED = true;
+ ARGS = gcArgs;
+ SCHEDULE = "@midnight";
+ TIMEOUT = gcTimeout;
+ };
+ };
+ };
+}
diff --git a/host/x86_64-linux/home/Frkn.nix b/host/x86_64-linux/home/Frkn.nix
new file mode 100644
index 00000000..26e02a27
--- /dev/null
+++ b/host/x86_64-linux/home/Frkn.nix
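Review bot: `START_SSH_SERVER = true` with `SSH_PORT = 22144` relies on that port being reachable, but the new `extraCommands` in Network.nix only accepts 25, 443, 22145, 54630/54631 and 22777 on the WAN interface while the block it removes forwarded `git.portSsh` from the external address, so Git-over-SSH from outside the LAN appears to stop working with this commit unless it is opened elsewhere. If it is still meant to be public, add `ip46tables -I INPUT -j ACCEPT -i ${wan} -p tcp --dport 22144` to that rule set; if not, a comment next to `SSH_PORT` saying it is LAN-only would prevent the question coming back.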
@@ -0,0 +1,41 @@ +{ + pkgs, + ... +}: { + services = { + tor = { + enable = true; + openFirewall = true; + settings = let + exclude = "{RU},{UA},{BY},{KZ},{CN},{??}"; + in { + # ExcludeExitNodes = exclude; + # ExcludeNodes = exclude; + # DNSPort = dnsport; + UseBridges = true; + ClientTransportPlugin = "obfs4 exec ${pkgs.obfs4}/bin/lyrebird"; + Bridge = [ + "obfs4 121.45.140.249:12123 0922E212E33B04F0B7C1E398161E8EDE06734F26 cert=3AQ4iJFAzxzt7a/zgXIiFEs6fvrXInXt1Dtr09DgnpvUzG/iiyRTdXYZKSYpI124Zt3ZUA iat-mode=0" + "obfs4 145.239.31.71:10161 882125D15B59BB82BE66F999056CB676D3F061F8 cert=AnD+EvcBMuQDVM7PwW7NgFAzW1M5jDm7DjQtIIcBSjoyAf1FJ2p535rrYL2Kk8POAd0+aw iat-mode=0" + "obfs4 79.137.11.45:45072 ECA3197D49A29DDECD4ACBF9BCF15E4987B78137 cert=2FKyLWkPgMNCWxBD3cNOTRxJH3XP+HdStPGKMjJfw2YbvVjihIp3X2BCrtxQya9m5II5XA iat-mode=0" + "obfs4 94.103.89.153:4443 5617848964FD6546968B5BF3FFA6C11BCCABE58B cert=tYsmuuTe9phJS0Gh8NKIpkVZP/XKs7gJCqi31o8LClwYetxzFz0fQZgsMwhNcIlZ0HG5LA iat-mode=0" + ]; + }; + client = { + enable = true; + # dns.enable = true; + socksListenAddress = { + IsolateDestAddr = true; + port = 9050; + # addr = cfg.address; + # port = cfg.torport; + }; + }; + }; + + xray = { + enable = true; + settingsFile = "/storage/hot/data/XrayClient.json"; + }; + }; +} diff --git a/host/x86_64-linux/home/Grocy.nix b/host/x86_64-linux/home/Grocy.nix new file mode 100644 index 00000000..4922bf51 --- /dev/null +++ b/host/x86_64-linux/home/Grocy.nix @@ -0,0 +1,16 @@ +{ ... }: { + services.grocy = { + enable = true; + # dataDir = "/var/lib/grocy"; + hostName = "stock.voronind.com"; + nginx.enableSSL = false; + settings = { + calendar = { + firstDayOfWeek = 1; + showWeekNumber = true; + }; + culture = "en"; + currency = "RUB"; + }; + }; +} diff --git a/host/x86_64-linux/home/Hass.nix b/host/x86_64-linux/home/Hass.nix new file mode 100644 index 00000000..73cc236a --- /dev/null +++ b/host/x86_64-linux/home/Hass.nix 
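Review bot: `openFirewall = true` on `services.tor` opens the relay ports (ORPort/DirPort) if I read the module correctly, which this client-only configuration (`UseBridges`, `client.enable`) never listens on, so it can be dropped. `socksListenAddress` sets only `port` and `IsolateDestAddr` with `addr` commented out, so the SOCKS proxy binds the module default (loopback) rather than the LAN address the old container exposed — presumably intended now that consumers run on the same host, but a comment would make that explicit. `settingsFile = "/storage/hot/data/XrayClient.json"` likely carries credentials; a short comment stating that the file must be root-readable only would document the expectation.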
@@ -0,0 +1,45 @@ +{ ... }: { + # Allow Hass to talk to Zigbee dongle. + users.users.hass.extraGroups = [ + "dialout" + "tty" + ]; + + services.home-assistant = { + # NOTE: Missing: hacs. Inside hacs: `card-mod`, `Clock Weather Card`, `WallPanel` and `Yandex.Station`. + enable = true; + # NOTE: Using imperative config because of secrets. + config = null; + extraComponents = [ + "caldav" + "met" + "sun" + "systemmonitor" + "zha" + ]; + extraPackages = python3Packages: with python3Packages; [ + aiodhcpwatcher + aiodiscover + aiogithubapi + arrow + async-upnp-client + av + go2rtc-client + gtts + ha-ffmpeg + hassil + home-assistant-intents + mutagen + numpy + pymicro-vad + pynacl + pyspeex-noise + python-telegram-bot + pyturbojpeg + zeroconf + ]; + # lovelaceConfig = { + # title = "Home IoT control center."; + # }; + }; +} diff --git a/host/x86_64-linux/home/Homer.nix b/host/x86_64-linux/home/Homer.nix new file mode 100644 index 00000000..fa3732ca --- /dev/null +++ b/host/x86_64-linux/home/Homer.nix @@ -0,0 +1,15 @@ +{ + __findFile, + pkgs, + util, + ... +} @args: let + package = (pkgs.callPackage args); +in { + services.nginx = { + enable = true; + virtualHosts."home.voronind.com" = { + root = "${package}"; + }; + }; +} diff --git a/host/x86_64-linux/home/Invidious.nix b/host/x86_64-linux/home/Invidious.nix new file mode 100644 index 00000000..f323ef1b --- /dev/null +++ b/host/x86_64-linux/home/Invidious.nix 
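Review bot: `extraGroups = [ "dialout" "tty" ]` — the comment says this is for the Zigbee dongle, and USB serial devices (`/dev/ttyUSB*`, `/dev/ttyACM*`) are normally owned by `dialout`, so `tty` grants the service access to every terminal device without being needed for the dongle; if the dongle shows up under `dialout` alone, drop `tty` to keep the unit's privileges minimal. The `config = null` line is explained as imperative-because-of-secrets; naming where that imperative configuration lives (it presumably sits in the bind-mounted `/var/lib/hass`) in the same comment would help whoever restores this host.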
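Review bot: `util` is accepted in the argument set but never used, and `package = (pkgs.callPackage args)` carries redundant parentheses; `package = pkgs.callPackage args;` with `util` removed from the pattern matches Cups.nix in this commit. The `callPackage args` idiom appears in several new files here; a one-line comment on what it resolves to would make it less surprising to a reader unfamiliar with the repository's `__findFile` setup.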
@@ -0,0 +1,31 @@ +{ + __findFile, + config, + inputs, + pkgs, + pkgsMaster, + ... +}: { + disabledModules = [ "services/web-apps/invidious.nix" ]; + imports = [ "${inputs.nixpkgsMaster}/nixos/modules/services/web-apps/invidious.nix" ]; + + services.invidious = { + enable = true; + domain = "yt.voronind.com"; + package = pkgsMaster.invidious; + port = 3001; + nginx.enable = false; + database = { + createLocally = true; + # passwordFile = "${pkgs.writeText "InvidiousDbPassword" "invidious"}"; + }; + settings = { + admins = [ "root" ]; + captcha_enabled = false; + check_tables = true; + external_port = 443; + https_only = true; + registration_enabled = false; + }; + }; +} diff --git a/host/x86_64-linux/home/Jellyfin.nix b/host/x86_64-linux/home/Jellyfin.nix new file mode 100644 index 00000000..79fffc8f --- /dev/null +++ b/host/x86_64-linux/home/Jellyfin.nix @@ -0,0 +1,14 @@ +{ ... }: { + # systemd.services.jellyfin.serviceConfig.MemoryMax = cfg.memLimit; + + users.users.jellyfin.extraGroups = [ + "video" + "render" + ]; + + services.jellyfin = { + enable = true; + # cacheDir = "/var/cache/jellyfin"; + # dataDir = "/var/lib/jellyfin"; + }; +} diff --git a/host/x86_64-linux/home/Jobber.nix b/host/x86_64-linux/home/Jobber.nix new file mode 100644 index 00000000..b8ec3fd4 --- /dev/null +++ b/host/x86_64-linux/home/Jobber.nix 
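Review bot: `__findFile`, `config` and `pkgs` are taken from the argument set but unused in the body (`pkgs` appears only in the commented `passwordFile` line); trimming the pattern to `inputs` and `pkgsMaster` keeps the file honest about its inputs. The `disabledModules`/`imports` pair pulls the module from `inputs.nixpkgsMaster`; a comment on why the stable module is insufficient would stop a later cleanup from removing the override.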
@@ -0,0 +1,70 @@ +# Use `nixos-container login jobber` as root and empty pw. +{ + __findFile, + const, + lib, + pkgsJobber, + poetry2nixJobber, + ... +}: let + script = import { + pkgs = pkgsJobber; + poetry2nix = poetry2nixJobber; + }; +in { + networking.nat = { + enable = true; + externalInterface = "enp8s0"; + internalInterfaces = [ "ve-+" ]; + }; + + containers.jobber = { + autoStart = true; + enableTun = true; + privateNetwork = true; + hostAddress = "188.242.247.132"; + localAddress = "10.1.0.2"; + + config = { ... }: let + packages = [ + script + ] ++ (with pkgsJobber; [ + firefox + geckodriver + openvpn + python311 + ]); + in { + boot.isContainer = true; + system.stateVersion = const.stateVersion; + users = { + users.root.password = ""; + mutableUsers = false; + }; + networking = { + useHostResolvConf = lib.mkForce false; + nameservers = [ + "10.30.218.2" + ]; + }; + + systemd.services.jobber = { + description = "My job is pushing the button."; + enable = true; + path = packages; + wantedBy = [ + "multi-user.target" + ]; + environment = { + PYTHONDONTWRITEBYTECODE = "1"; + PYTHONUNBUFFERED = "1"; + }; + serviceConfig = { + ExecStart = "${script}/bin/jobber -u"; + Restart = "on-failure"; + Type = "simple"; + }; + }; + }; + }; +} diff --git a/host/x86_64-linux/home/Kavita.nix b/host/x86_64-linux/home/Kavita.nix new file mode 100644 index 00000000..d546bb4e --- /dev/null +++ b/host/x86_64-linux/home/Kavita.nix @@ -0,0 +1,13 @@ +{ + pkgs, + ... +}: { + services.kavita = { + enable = true; + tokenKeyFile = pkgs.writeText "KavitaToken" "xY19aQOa939/Ie6GCRGbubVK8zRwrgBY/20AuyMpYshUjwK1Uyl7bw1yknVh6jJIFIfwq2vAjeotOUq7NEsf9Q=="; + settings = { + # IpAddresses = cfg.address; + Port = 5000; + }; + }; +} diff --git a/host/x86_64-linux/home/Mailserver.nix b/host/x86_64-linux/home/Mailserver.nix new file mode 100644 index 00000000..4104685a --- /dev/null +++ b/host/x86_64-linux/home/Mailserver.nix 
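Review bot: `hostAddress = "188.242.247.132"` uses the WAN address for the host end of the container's veth pair while `localAddress = "10.1.0.2"` is private; if I read the container module correctly, `hostAddress` is added to the `ve-jobber` interface, which duplicates the public IP on a second interface, and the NAT rule (`externalInterface = "enp8s0"`) works just as well with a private host address such as `10.1.0.1`. The file header documents that the container's root password is empty (`users.root.password = ""`); that is tolerable only while nothing inside listens for logins, which the visible config does not, but a `# NOTE:` next to the line itself is better than relying on the header.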
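Review bot: `tokenKeyFile = pkgs.writeText "KavitaToken" <key>` places the JWT signing key in the Nix store, where it is world-readable on the host, and the literal is now also committed to the repository; treat the key as compromised, rotate it, and point `tokenKeyFile` at a file outside the store as Ddns.nix does with `apiTokenFile = "/storage/hot/data/CfToken"`. The same store-resident-secret pattern applies to `adminpassFile` in Nextcloud.nix and `passwordFile` in Paperless.nix in this commit.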
@@ -0,0 +1,166 @@ +# REF: https://nixos-mailserver.readthedocs.io/en/latest/setup-guide.html +{ + pkgs, + util, + ... +}: let + domain = "voronind.com"; + + # SEE: https://gitlab.com/simple-nixos-mailserver/nixos-mailserver#release-branches + version = "24.05"; + sha256 = "sha256:0clvw4622mqzk1aqw1qn6shl9pai097q62mq1ibzscnjayhp278b"; +in { + imports = [ + (builtins.fetchTarball { + inherit sha256; + url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-${version}/nixos-mailserver-nixos-${version}.tar.gz"; + }) + ]; + + mailserver = { + enable = true; + domains = [ domain ]; + fqdn = "mail.${domain}"; + sendingFqdn = domain; + localDnsResolver = false; + + # Use `mkpasswd -sm bcrypt`. + loginAccounts = let + defaultQuota = "1G"; + in { + "admin@${domain}" = { + hashedPassword = "$2b$05$1O.dxXxaVshcBNybcqDRYuTlnYt3jDBwfPZWoDtP4BjOLoL0StYsi"; + name = "admin"; + quota = defaultQuota; + }; + "account@${domain}" = { + hashedPassword = "$2b$05$sCyZHdk98KqQ1qsTIvbrUeRJlNBOwBqDgpdc1QxiSnONlEkZ8xGNO"; + name = "account"; + quota = defaultQuota; + }; + "hi@${domain}" = { + hashedPassword = "$2b$05$6fT5hIhzIasNfp9IQr/ds.5RuxH95VKU3QJWlX3hmrAzDF3mExanq"; + name = "hi"; + quota = defaultQuota; + aliases = [ + "voronind@${domain}" + ]; + }; + "job@${domain}" = { + hashedPassword = "$2b$05$.sUmv2.9EWPfLwJn/oZw2e1UbR7HrpNQ2THc5jjX3ysy7CY8ZWHUC"; + name = "job"; + quota = defaultQuota; + }; + "trash@${domain}" = { + hashedPassword = "$2b$05$kn5ygZjN9NR3LXjnKKRw/.DXaZQNW.1XEottlCFIoKiDpIj.JGLJm"; + name = "trash"; + quota = defaultQuota; + catchAll = [ + domain + ]; + }; + "noreply@${domain}" = { + hashedPassword = "$2b$05$TaKwoYmcmkAhsRRv6xG5wOkChcz50cB9BP6QPUDKNAcxMbrY6AeMK"; + name = "noreply"; + quota = defaultQuota; + sendOnly = true; + }; + }; + + enableImap = true; + enableImapSsl = true; + enableSubmission = true; + enableSubmissionSsl = true; + + enableManageSieve = true; + virusScanning = false; + + certificateFile = 
"/etc/letsencrypt/live/${domain}/cert.pem"; + certificateScheme = "manual"; + keyFile = "/etc/letsencrypt/live/${domain}/privkey.pem"; + + dkimKeyDirectory = "/var/dkim"; + indexDir = "/var/lib/dovecot/indices"; + mailDirectory = "/var/vmail"; + sieveDirectory = "/var/sieve"; + + mailboxes = let + mkSpecialBox = specialUse: { + ${specialUse} = { + inherit specialUse; + auto = "subscribe"; + }; + }; + in builtins.foldl' (acc: box: acc // (mkSpecialBox box)) {} [ + "All" + "Archive" + "Drafts" + "Junk" + "Sent" + "Trash" + ]; + + dmarcReporting = { + inherit domain; + enable = true; + organizationName = "voronind"; + # email = "noreply@${domain}"; + }; + + # monitoring = { + # enable = true; + # alertAddress = "admin@${domain}"; + # }; + }; + + services = { + roundcube = { + enable = true; + hostName = "mail.${domain}"; + dicts = with pkgs.aspellDicts; [ + en + ru + ]; + plugins = [ + "managesieve" + ]; + extraConfig = util.trimTabs '' + $config['smtp_server'] = "localhost:25"; + $config['smtp_auth_type'] = null; + $config['smtp_user'] = ""; + $config['smtp_pass'] = ""; + # $config['smtp_user'] = "%u"; + # $config['smtp_pass'] = "%p"; + ''; + }; + }; + + systemd = { + services.autoexpunge = { + description = "Delete old mail"; + serviceConfig = { + Type = "oneshot"; + }; + path = [ + pkgs.dovecot + ]; + script = util.trimTabs '' + doveadm expunge -A mailbox Junk SENTBEFORE 7d + doveadm expunge -A mailbox Trash SENTBEFORE 30d + doveadm expunge -u trash@voronind.com mailbox Inbox SENTBEFORE 30d + doveadm purge -A + ''; + }; + + timers.autoexpunge = { + timerConfig = { + OnCalendar = "daily"; + Persistent = true; + Unit = "autoexpunge.service"; + }; + wantedBy = [ + "timers.target" + ]; + }; + }; +} diff --git a/host/x86_64-linux/home/Network.nix b/host/x86_64-linux/home/Network.nix index d6bb2536..055780fd 100644 --- a/host/x86_64-linux/home/Network.nix +++ b/host/x86_64-linux/home/Network.nix 
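Review bot: Every `hashedPassword` here is a bcrypt hash with cost factor 05 (`$2b$05$…`), i.e. 32 rounds, well below the 10–12 commonly recommended; the comment's `mkpasswd -sm bcrypt` should specify rounds, e.g. `mkpasswd -sm bcrypt -R 12`, and since the hashes are now in the repository regenerating them is advisable anyway. `certificateFile` points at `cert.pem` while Nginx.nix in this commit uses `fullchain.pem` for the same domain; serving the leaf without the intermediate makes chain validation depend on the client already having the intermediate, so `fullchain.pem` is usually the right file for Postfix/Dovecot too. The `mailserver` block starts in the previous part of this hunk.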
@@ -1,6 +1,5 @@ # 10.0.0.0/24 & fd09:8d46:0b26::/48 - phys clients (lan). -# 10.1.0.0/24 & fd76:c80a:8e86::/48 - containers. -# 10.1.1.0/24 - vpn clients. +# 10.0.1.0/24 - vpn clients. { config, const, @@ -8,10 +7,8 @@ util, ... }: let - external = "188.242.247.132"; # Wan host IP address. - internal = "10.0.0.1"; # Lan host IP address. - external6 = "2a05:3580:f42c:c800:aaa1:59ff:fe47:fda2"; # Wan host IP6 address. - internal6 = "fd09:8d46:b26::1"; # Lan host IP6 address. + internal = "10.0.0.1"; # Lan host IP address. + internal6 = "fd09:8d46:b26:0:8079:82ff:fe1a:916a"; # Lan host IP6 address. lan = "br0"; # Lan interface. wan = "enp8s0"; # Wan interface. @@ -19,6 +16,9 @@ in { # Disable SSH access from everywhere, configure access bellow. services.openssh.openFirewall = false; + # Disable systemd-resolved for DNS server. + services.resolved.enable = false; + # NOTE: Debugging. # systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug"; @@ -82,7 +82,7 @@ in { linkConfig.RequiredForOnline = "carrier"; address = [ "${internal}/24" - "${internal6}/48" + # "${internal6}/48" ]; networkConfig = { DHCPPrefixDelegation = true; @@ -96,7 +96,7 @@ in { }; ipv6Prefixes = [ { - AddressAutoconfiguration = true; + Assign = true; Prefix = "${internal6}/64"; } ]; @@ -120,7 +120,7 @@ in { UplinkInterface = wan; }; dhcpServerStaticLeases = let - mkStatic = Address: MACAddress: { dhcpServerStaticLeaseConfig = { inherit Address MACAddress; }; }; + mkStatic = Address: MACAddress: { inherit Address MACAddress; }; in [ # TODO: Add pocket. (mkStatic "10.0.0.2" "9c:9d:7e:8e:3d:c7") # Wifi AP. 
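Review bot: `services.resolved.enable = false;` removes the host's stub resolver, and nothing in this hunk or the visible parts of this commit sets `networking.nameservers`, so the host's own `/etc/resolv.conf` now depends on what networkd learns from DHCP/RA on its interfaces; if the intent is for the host to use the local blocky instance, `networking.nameservers = [ "127.0.0.1" ];` (or the LAN address) belongs next to this line with a comment saying so. If it is already set elsewhere in the host config, a pointer in the comment here would avoid the question.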
@@ -163,23 +163,9 @@ in { logRefusedPackets = false; logRefusedUnicastsOnly = true; - extraCommands = let - # Container configs. - cfg = config.container.module; - - # Const. - tcp = "tcp"; - udp = "udp"; - - # Create port forwarding rule. - mkForward = src: sport: dst: dport: proto: "iptables -t nat -I PREROUTING -d ${src} -p ${proto} --dport ${toString sport} -j DNAT --to-destination ${dst}:${toString dport}\n"; - in (util.trimTabs '' - # Wan access for 10.0.0.0/24 subnet. - iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 0/0 -o ${wan} -j MASQUERADE - - # Full access from VPN clients. - iptables -I INPUT -j ACCEPT -s ${cfg.vpn.clients} -d ${internal} - iptables -I INPUT -j ACCEPT -s ${cfg.frkn.address} -d ${internal} + extraCommands = util.trimTabs '' + # Wan access for 10.0.0.0/8 subnet. + iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -d 0/0 -o ${wan} -j MASQUERADE # Full access from Lan. iptables -I INPUT -j ACCEPT -i ${lan} -d ${internal} 
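Review bot: `iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -d 0/0 -o ${wan} -j MASQUERADE` widens NAT from the LAN /24 to the whole 10/8, which covers the VPN pool `10.0.1.0/24` and the jobber container at `10.1.0.2` as presumably intended, but also masquerades any other 10.x source that reaches the box; listing the actual subnets (`10.0.0.0/24`, `10.0.1.0/24`, `10.1.0.0/24`) keeps the NAT policy explicit. The comment above it still calls a /8 a "subnet". The `extraCommands` string and the enclosing `networking.firewall` block continue into the next hunk.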
@@ -187,52 +173,29 @@ in { # Allow DHCP. iptables -I INPUT -j ACCEPT -i ${lan} -p udp --dport 67 - '') - # Expose DNS server for internal network. - + (mkForward internal cfg.dns.port cfg.dns.address cfg.dns.port tcp) - + (mkForward internal cfg.dns.port cfg.dns.address cfg.dns.port udp) - # Email server. - + (mkForward external 25 cfg.mail.address 25 tcp) - + (mkForward internal 25 cfg.mail.address 25 tcp) - + (mkForward internal 465 cfg.mail.address 465 tcp) - + (mkForward internal 993 cfg.mail.address 993 tcp) + # Public email server. + ip46tables -I INPUT -j ACCEPT -i ${wan} -p tcp --dport 25 - # FRKN internal proxy server. - + (mkForward internal cfg.frkn.port cfg.frkn.address cfg.frkn.port tcp) - + (mkForward internal cfg.frkn.torport cfg.frkn.address cfg.frkn.torport tcp) - + (mkForward internal cfg.frkn.xrayport cfg.frkn.address cfg.frkn.xrayport tcp) - + (mkForward internal cfg.frkn.port cfg.frkn.address cfg.frkn.port udp) - + (mkForward internal cfg.frkn.torport cfg.frkn.address cfg.frkn.torport udp) - + (mkForward internal cfg.frkn.xrayport cfg.frkn.address cfg.frkn.xrayport udp) + # Public VPN service. + ip46tables -I INPUT -j ACCEPT -i ${wan} -p udp --dport 22145 + iptables -I INPUT -j ACCEPT -s 10.0.1.0/24 -d ${internal} - # VPN connections. - + (mkForward external cfg.vpn.port cfg.vpn.address cfg.vpn.port udp) + # Public Nginx. + ip46tables -I INPUT -j ACCEPT -i ${wan} -p tcp --dport 443 - # Nginx HTTP. - + (mkForward external cfg.proxy.port cfg.proxy.address cfg.proxy.port tcp) - + (mkForward internal cfg.proxy.port cfg.proxy.address cfg.proxy.port tcp) + # Deluge torrenting ports. + ip46tables -I INPUT -j ACCEPT -i ${wan} -p tcp --dport 54630 + ip46tables -I INPUT -j ACCEPT -i ${wan} -p udp --dport 54630 + ip46tables -I INPUT -j ACCEPT -i ${wan} -p tcp --dport 54631 + ip46tables -I INPUT -j ACCEPT -i ${wan} -p udp --dport 54631 - # Download ports for torrents. 
- + (mkForward external 54630 cfg.download.address 54630 tcp) - + (mkForward external 54631 cfg.download.address 54631 tcp) - + (mkForward external 54630 cfg.download.address 54630 udp) - + (mkForward external 54631 cfg.download.address 54631 udp) + # Terraria server. + ip46tables -I INPUT -j ACCEPT -i ${wan} -p tcp --dport 22777 - # Git SSH connections. - + (mkForward external cfg.git.portSsh cfg.git.address cfg.git.portSsh tcp) - + (mkForward internal cfg.git.portSsh cfg.git.address cfg.git.portSsh tcp) - - # Print serivce. - + (mkForward internal cfg.print.port cfg.print.address cfg.print.port tcp) - - # Terraria server. - + (mkForward external cfg.terraria.port cfg.terraria.address cfg.terraria.port tcp) - + (mkForward internal cfg.terraria.port cfg.terraria.address cfg.terraria.port tcp) - - # SSH access from WAN. - # + (mkForward external 22143 config.container.host 22143 tcp) - ; + # Public SSH access. + # ip46tables -I INPUT -j ACCEPT -i ${wan} -p tcp --dport 22143 + ''; }; }; } diff --git a/host/x86_64-linux/home/Nextcloud.nix b/host/x86_64-linux/home/Nextcloud.nix new file mode 100644 index 00000000..ef8004d9 --- /dev/null +++ b/host/x86_64-linux/home/Nextcloud.nix 
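Review bot: `iptables -I INPUT -j ACCEPT -s 10.0.1.0/24 -d ${internal}` grants VPN clients full access to the host keyed on source address alone, so it also matches a packet arriving on `${wan}` with a forged `10.0.1.0/24` source unless reverse-path filtering or an earlier rule drops it; binding the rule to the tunnel interface, `iptables -I INPUT -j ACCEPT -i tun+ -s 10.0.1.0/24 -d ${internal}` (matching `dev tun` in Ovpn.nix), makes the grant depend on the VPN having authenticated the peer rather than on the address it claims. The rule is IPv4-only while the service ports above use `ip46tables`, which is consistent with the IPv4-only OpenVPN pool but deserves a one-line comment. The `extraCommands` string and the enclosing `networking.firewall` block start before this hunk.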
@@ -0,0 +1,38 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ services.nextcloud = {
+ enable = true;
+ database.createLocally = true;
+ extraAppsEnable = true;
+ hostName = "cloud.voronind.com";
+ https = true;
+ # package = pkgs.nextcloud29;
+ # phpOptions = {
+ # memory_limit = lib.mkForce "20G";
+ # };
+ config = {
+ adminpassFile = "${pkgs.writeText "NextcloudPassword" "root"}";
+ adminuser = "root";
+ dbname = "nextcloud";
+ # dbpassFile = "${pkgs.writeText "NextcloudDbPassword" "nextcloud"}";
+ dbtype = "pgsql";
+ dbuser = "nextcloud";
+ };
+ extraApps = {
+ inherit (config.services.nextcloud.package.packages.apps)
+ contacts calendar onlyoffice;
+ };
+ settings = {
+ allow_local_remote_servers = true;
+ trusted_domains = [
+ "cloud.voronind.com"
+ ];
+ trusted_proxies = [
+ # proxy.address
+ ];
+ };
+ };
+}
diff --git a/host/x86_64-linux/home/Nginx.nix b/host/x86_64-linux/home/Nginx.nix
new file mode 100644
index 00000000..85c368a2
--- /dev/null
+++ b/host/x86_64-linux/home/Nginx.nix
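Review bot: `trusted_proxies = [ ]` is left empty (the old `proxy.address` entry is commented out) even though the instance is served through the nginx on the same host with `https = true`; without the proxy listed, Nextcloud sees every request as coming from the proxy's own address, so as far as I know its brute-force throttling and access logs treat all clients as one. Add the local proxy, e.g. `trusted_proxies = [ "127.0.0.1" "::1" ];`, and drop the stale `# proxy.address` comment.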
@@ -0,0 +1,50 @@ +# NOTE: To generate self-signed certs use: `openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./privkey.pem -out ./fullchain.pem` +# For dhparams: `openssl dhparam -out ./ssl-dhparam.pem 4096` +# Example for options-ssl-nginx.conf: +# ``` +# ssl_session_cache shared:le_nginx_SSL:10m; +# ssl_session_timeout 1440m; +# ssl_protocols TLSv1.2 TLSv1.3; +# ssl_prefer_server_ciphers off; +# ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; +# ``` +# For certbot to generate new keys: `certbot certonly --manual --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory -d "*.voronind.com" -d voronind.com` +{ + pkgs, + util, + ... +} @args: let + virtualHosts = util.catSet (util.ls ./nginx) args; +in { + environment.systemPackages = with pkgs; [ certbot ]; + + services.nginx = { + inherit virtualHosts; + enable = true; + clientMaxBodySize = "4096m"; + recommendedOptimisation = true; + recommendedProxySettings = true; + appendConfig = util.trimTabs '' + worker_processes 4; + ''; + eventsConfig = util.trimTabs '' + worker_connections 4096; + ''; + appendHttpConfig = util.trimTabs '' + proxy_max_temp_file_size 0; + proxy_buffering off; + + server { + listen 443 ssl default_server; + server_name _; + + ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem; + include /etc/letsencrypt/conf/options-ssl-nginx.conf; + ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem; + + return 403; + } + ''; + }; +} diff --git a/host/x86_64-linux/home/OnlyOffice.nix b/host/x86_64-linux/home/OnlyOffice.nix new file mode 100644 index 00000000..581766d3 --- /dev/null +++ b/host/x86_64-linux/home/OnlyOffice.nix 
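Review bot: The header comment generates `./ssl-dhparam.pem`, but the server block includes `/etc/letsencrypt/conf/ssl-dhparams.pem`, so following the comment verbatim yields a file nginx will not find; align the comment to `openssl dhparam -out ./ssl-dhparams.pem 4096`. The catch-all `server { listen 443 ssl default_server; … return 403; }` binds IPv4 only while the firewall opens 443 with `ip46tables`; unless every virtual host under `./nginx` declares its own listeners, an IPv6 request for an unknown name falls through to whichever vhost nginx picks as default instead of this 403, so add `listen [::]:443 ssl default_server;` beside it. The `certbot` invocation in the comment uses `--manual-public-ip-logging-ok`, which, as far as I recall, recent certbot releases no longer accept; worth re-checking before someone relies on that line.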
@@ -0,0 +1,20 @@
+# NOTE: Imperative part:
+# 1. You need to change PSQL tables owner from root to onlyoffice, too. They don't do that automatically for some reason.
+# 2. TODO: Generate JWT secret at /var/lib/onlyoffice/jwt, i.e. 9wLfMGha1YrfvWpb5hyYjZf8pvJQ3swS
+# SEE: https://git.voronind.com/voronind/nixos/issues/74
+{
+ config,
+ lib,
+ ...
+}: {
+ # services.onlyoffice = {
+ # enable = true;
+ # hostname = "office.voronind.com";
+ # jwtSecretFile = "/var/www/onlyoffice/jwt";
+ #
+ # postgresName = "onlyoffice";
+ # postgresUser = "onlyoffice";
+ # # postgresPasswordFile = "${pkgs.writeText "OfficeDbPassword" dbName}";
+ # # rabbitmqUrl = "amqp://guest:guest@${config.container.module.rabbitmq.address}:${toString config.container.module.rabbitmq.port}";
+ # };
+}
diff --git a/host/x86_64-linux/home/Ovpn.nix b/host/x86_64-linux/home/Ovpn.nix
new file mode 100644
index 00000000..01607494
--- /dev/null
+++ b/host/x86_64-linux/home/Ovpn.nix
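Review bot: The header comment embeds a concrete-looking JWT secret after `i.e.`; if that is the value in use it is now in the repository and should be rotated, and either way the comment should carry a placeholder such as `<generated-jwt-secret>` rather than a real-looking token. The comment also says the secret lives at `/var/lib/onlyoffice/jwt` while the commented `jwtSecretFile` points at `/var/www/onlyoffice/jwt`; the two should agree before this block is enabled. Since the whole `services.onlyoffice` block is commented out, `config` and `lib` in the argument set are currently unused.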
@@ -0,0 +1,62 @@ +# easyrsa --days=36500 init-pki +# easyrsa --days=36500 build-ca +# easyrsa --days=36500 build-server-full nopass +# easyrsa --days=36500 build-client-full nopass +# easyrsa gen-crl +# openssl dhparam -out dh2048.pem 2048 +# Don't forget to set tls hostname on the client to match SERVER_NAME *AND* disable ipv6 ? + +# easyrsa revoke +# easyrsa gen-crl +# restart container + +# SEE: https://github.com/OpenVPN/openvpn/blob/master/sample/sample-config-files/server.conf +# SRC: https://github.com/TinCanTech/easy-tls +{ + pkgs, + util, + ... +}: { + environment.systemPackages = with pkgs; [ + easyrsa + openvpn + ]; + + users = { + groups.openvpn = {}; + users.openvpn = { + group = "openvpn"; + isSystemUser = true; + # uid = 1000; + }; + }; + + # NOTE: Change the `server` to match `cfg.clients` or write a substring here. + services.openvpn.servers.vpn = { + autoStart = true; + config = util.trimTabs '' + ca /var/lib/ovpn/pki/ca.crt + cert /var/lib/ovpn/pki/issued/home.crt + client-to-client + crl-verify /var/lib/ovpn/pki/crl.pem + dev tun + dh /var/lib/ovpn/dh2048.pem + explicit-exit-notify 1 + group openvpn + ifconfig-pool-persist ipp.txt + keepalive 10 120 + key /var/lib/ovpn/pki/private/home.key + persist-tun + port 22145 + proto udp + push "dhcp-option DNS 10.0.0.1" + push "dhcp-option DNS 10.0.0.1" + push "route 10.0.0.0 255.0.0.0" + server 10.0.1.0 255.255.255.0 + status openvpn-status.log + topology subnet + user openvpn + verb 4 + ''; + }; +} diff --git a/host/x86_64-linux/home/Paperless.nix b/host/x86_64-linux/home/Paperless.nix new file mode 100644 index 00000000..90b31628 --- /dev/null +++ b/host/x86_64-linux/home/Paperless.nix 
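Review bot: The server config drops privileges with `user openvpn` / `group openvpn` and sets `persist-tun` but not `persist-key`, so after a SIGUSR1 restart the daemon would try to reread `/var/lib/ovpn/pki/private/home.key` as the unprivileged user and fail unless that file is made readable by `openvpn`, which is the less desirable fix; add `persist-key` next to `persist-tun`. There is no `tls-crypt`/`tls-auth` control-channel key, so the server accepts TLS handshakes from any source on UDP 22145 (opened on the WAN in Network.nix) before any authentication; generating one with `openvpn --genkey tls-crypt <file>` and adding `tls-crypt <file>` under `/var/lib/ovpn` is the usual hardening. `push "dhcp-option DNS 10.0.0.1"` appears twice, and the header's `restart container` step is stale now that this runs on the host.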
@@ -0,0 +1,24 @@
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ services.paperless = {
+ enable = true;
+ address = "0.0.0.0";
+ dataDir = "/var/lib/paperless";
+ # port = cfg.port;
+ passwordFile = pkgs.writeText "PaperlessPassword" "root"; # NOTE: Only for initial setup, change later.
+ settings = {
+ PAPERLESS_ADMIN_USER = "root";
+ PAPERLESS_DBHOST = "/run/postgresql";
+ PAPERLESS_DBENGINE = "postgresql";
+ PAPERLESS_DBNAME = "paperless";
+ PAPERLESS_DBPASS = "paperless";
+ PAPERLESS_DBUSER = "paperless";
+ PAPERLESS_OCR_LANGUAGE = "rus";
+ # PAPERLESS_REDIS = "redis://${config.container.module.redis.address}:${toString config.container.module.redis.port}";
+ PAPERLESS_URL = "https://paper.voronind.com";
+ };
+ };
+}
diff --git a/host/x86_64-linux/home/Postgres.nix b/host/x86_64-linux/home/Postgres.nix
new file mode 100644
index 00000000..9cb5db6e
--- /dev/null
+++ b/host/x86_64-linux/home/Postgres.nix
@@ -0,0 +1,48 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: {
+ services.postgresql = let
+ # Populate with services here.
+ configurations = [
+ "forgejo"
+ "invidious"
+ "mattermost"
+ "nextcloud"
+ "onlyoffice"
+ "paperless"
+ "privatebin"
+ ];
+
+ ensureDatabases = [ "root" ] ++ configurations;
+
+ ensureUsers = map (name: {
+ inherit name;
+ ensureDBOwnership = true;
+ ensureClauses = if name == "root" then {
+ createdb = true;
+ createrole = true;
+ superuser = true;
+ } else { };
+ }) ensureDatabases;
+
+ authentication = "local all all trust";
+ in {
+ inherit authentication ensureDatabases ensureUsers;
+
+ enable = true;
+ dataDir = "/var/lib/postgresql/14";
+ package = pkgs.postgresql_14;
+
+ # NOTE: Debug mode.
+ # settings = {
+ # log_connections = true;
+ # log_destination = lib.mkForce "syslog";
+ # log_disconnections = true;
+ # log_statement = "all";
+ # logging_collector = true;
+ # };
+ };
+}
diff --git a/host/x86_64-linux/home/Privatebin.nix b/host/x86_64-linux/home/Privatebin.nix
new file mode 100644
index 00000000..6350f295
--- /dev/null
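Review bot: `passwordFile = pkgs.writeText "PaperlessPassword" "root"` writes the admin password into the world-readable Nix store, and `PAPERLESS_DBPASS = "paperless"` is rendered there as well through `settings`; the NOTE says this is only for initial setup, but the store path survives across generations until it is garbage-collected and the value is in the repo for good. Point `passwordFile` at a root-owned file outside the store (for example under `/var/lib/paperless`, the same pattern `Vaultwarden.nix` in this commit uses with `environmentFile`) and carry the DB password the same way. Separately, `address = "0.0.0.0"` binds every interface while `nginx/Paperless.nix` only ever proxies to `127.0.0.1:28981`; with `address = "127.0.0.1"` the LAN `allow`/`deny` in nginx is the only path in, instead of one of two.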
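Review bot: `authentication = "local all all trust"` lets any local OS account connect over the socket as any role with no credential at all, including the `root` role that `ensureClauses` marks `superuser`; every service account on this host (nginx, the phpfpm pools, paperless, vaultwarden, ...) can therefore read or rewrite every other service's database. The NixOS module's default pg_hba already carries a `local all all peer` rule (worth confirming on your channel), and `ensureUsers` with `ensureDBOwnership` creates roles whose names match the system users, so peer auth gives each service passwordless access to its own database without opening the rest; the `PAPERLESS_DBPASS` and privatebin `pwd` values elsewhere in this commit suggest per-service credentials were the intent. I would change the line to `authentication = "local all all peer";` and, if a remote client needs the `root` role, add an explicit `host` rule for it rather than widening `local`.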
+++ b/host/x86_64-linux/home/Privatebin.nix
@@ -0,0 +1,45 @@
+{
+ __findFile,
+ pkgs,
+ ...
+} @args: let
+ package = (pkgs.callPackage args);
+in {
+ environment.systemPackages = [ package ];
+ systemd.packages = [ package ];
+
+ users.users.paste = {
+ group = "nginx";
+ isSystemUser = true;
+ };
+
+ services = {
+ phpfpm.pools.paste = {
+ group = "nginx";
+ user = "paste";
+ phpPackage = pkgs.php;
+ settings = {
+ "catch_workers_output" = true;
+ "listen.owner" = "nginx";
+ "php_admin_flag[log_errors]" = true;
+ "php_admin_value[error_log]" = "stderr";
+ "pm" = "dynamic";
+ "pm.max_children" = "32";
+ "pm.max_requests" = "500";
+ "pm.max_spare_servers" = "4";
+ "pm.min_spare_servers" = "2";
+ "pm.start_servers" = "2";
+ };
+ phpEnv = {
+ # CONFIG_PATH = "${package}/cfg"; # NOTE: Not working?
+ };
+ };
+
+ nginx = {
+ enable = true;
+ virtualHosts."paste.voronind.com" = {
+ root = "${package}";
+ };
+ };
+ };
+}
diff --git a/host/x86_64-linux/home/Rabbitmq.nix b/host/x86_64-linux/home/Rabbitmq.nix
new file mode 100644
index 00000000..b9471a02
--- /dev/null
+++ b/host/x86_64-linux/home/Rabbitmq.nix
@@ -0,0 +1,8 @@
+{ ... }: {
+ services.rabbitmq = {
+ enable = true;
+ # configItems = {
+ # "loopback_users" = "none";
+ # };
+ };
+}
diff --git a/host/x86_64-linux/home/Redis.nix b/host/x86_64-linux/home/Redis.nix
new file mode 100644
index 00000000..46e8109f
--- /dev/null
+++ b/host/x86_64-linux/home/Redis.nix
@@ -0,0 +1,9 @@
+{ ... }: {
+ services.redis.servers.main = {
+ enable = true;
+ # port = cfg.port;
+ # extraParams = [
+ # "--protected-mode no"
+ # ];
+ };
+}
diff --git a/host/x86_64-linux/home/SearX.nix b/host/x86_64-linux/home/SearX.nix
new file mode 100644
index 00000000..80ccd8eb
--- /dev/null
+++ b/host/x86_64-linux/home/SearX.nix
@@ -0,0 +1,108 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ services.searx = {
+ enable = true;
+ package = pkgs.searxng;
+ # REF: https://github.com/searxng/searxng/blob/master/searx/settings.yml
+ settings = {
+ general = {
+ debug = false;
+ enable_metrics = false;
+ instance_name = "SearX";
+ };
+ server = {
+ # bind_address = cfg.address;
+ image_proxy = false;
+ limiter = false;
+ method = "GET";
+ port = 34972;
+ public_instance = false;
+ secret_key = "searxxx";
+ };
+ search = {
+ autocomplete = "";
+ autocomplete_min = 4;
+ default_lang = "auto";
+ safe_search = 0;
+ };
+ ui = {
+ center_alignment = false;
+ default_locale = "";
+ default_theme = "simple";
+ hotkeys = "vim";
+ infinite_scroll = false;
+ simple_style = "dark";
+ };
+ outgoing = {
+ enable_http2 = true;
+ max_request_timeout = 10.0;
+ pool_connections = 100;
+ pool_maxsize = 20;
+ request_timeout = 3.0;
+ # proxies = {
+ # "all://" = with config.container.module; [
+ # # "socks5:${frkn.address}:${frkn.port}"
+ # "socks5:${frkn.address}:1081"
+ # # "socks5:${frkn.address}:9150"
+ # ];
+ # };
+ # using_tor_proxy = true;
+ # extra_proxy_timeout = 10;
+ };
+ # plugins = [ ];
+ enabled_plugins = [
+ "Basic Calculator"
+ "Hostnames plugin"
+ "Tracker URL remover"
+ ];
+ hostnames = {
+ replace = {
+ "(.*\.)?youtu\.be$" = "yt.voronind.com";
+ "(.*\.)?youtube\.com$" = "yt.voronind.com";
+ };
+ remove = [
+ "(.*\.)?dzen\.ru$"
+ "(.*\.)?facebook.com$"
+ "(.*\.)?gosuslugi\.ru$"
+ "(.*\.)?quora\.com$"
+ "(.*\.)?rutube\.ru$"
+ "(.*\.)?vk\.com$"
+ ];
+ low_priority = [
+ "(.*\.)?google(\..*)?$"
+ "(.*\.)?microsoft\.com$"
+ ];
+ high_priority = [
+ "(.*\.)?4pda.to$"
+ "(.*\.)?github.com$"
+ "(.*\.)?wikipedia.org$"
+ ];
+ };
+ categories_as_tabs = {
+ files = { };
+ general = { };
+ images = { };
+ it = { };
+ map = { };
+ news = { };
+ videos = { };
+ };
+ engines = let
+ mkEnable = name: {
+ inherit name;
+ disabled = false;
+ };
+ mkDisable = name: {
+ inherit name;
+ disabled = true;
+ };
+ in [
+ (mkEnable "bing")
+ (mkDisable "qwant")
+ ];
+ };
+ };
+}
diff --git a/host/x86_64-linux/home/Terraria.nix b/host/x86_64-linux/home/Terraria.nix
new file mode 100644
index 00000000..b0aadeeb
--- /dev/null
+++ b/host/x86_64-linux/home/Terraria.nix
@@ -0,0 +1,20 @@
+{
+ pkgs,
+ ...
+}: {
+ # NOTE: Admin with `tmux -S /var/lib/terraria/terraria.sock attach-session -t 0`
+ environment.systemPackages = with pkgs; [ tmux ];
+
+ services.terraria = {
+ enable = true;
+ autoCreatedWorldSize = "large";
+ messageOfTheDay = "<3";
+ maxPlayers = 4;
+ noUPnP = false;
+ openFirewall = false;
+ password = "mishadima143";
+ port = 22777;
+ secure = false;
+ worldPath = "/var/lib/terraria/.local/share/Terraria/Worlds/World.wld";
+ };
+}
diff --git a/host/x86_64-linux/home/UptimeKuma.nix b/host/x86_64-linux/home/UptimeKuma.nix
new file mode 100644
index 00000000..8ba436f9
--- /dev/null
+++ b/host/x86_64-linux/home/UptimeKuma.nix
@@ -0,0 +1,19 @@
+{
+ lib,
+ ...
+}: {
+ services.uptime-kuma = {
+ enable = true;
+ settings = {
+ DATA_DIR = "/var/lib/uptime-kuma/";
+ PORT = "64901";
+ # HOST = cfg.address;
+ };
+ };
+
+ systemd.services.uptime-kuma = {
+ serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ };
+ };
+}
diff --git a/host/x86_64-linux/home/Vaultwarden.nix b/host/x86_64-linux/home/Vaultwarden.nix
new file mode 100644
index 00000000..ffa53086
--- /dev/null
+++ b/host/x86_64-linux/home/Vaultwarden.nix
@@ -0,0 +1,15 @@
+{ ... }: {
+ services.vaultwarden = {
+ enable = true;
+ dbBackend = "sqlite";
+ environmentFile = "/var/lib/vaultwarden/Env";
+ config = {
+ DATA_FOLDER = "/var/lib/vaultwarden";
+ DOMAIN = "https://pass.voronind.com";
+ # ROCKET_ADDRESS = cfg.address;
+ ROCKET_PORT = 8001;
+ SIGNUPS_ALLOWED = false;
+ WEB_VAULT_ENABLED = true;
+ };
+ };
+}
diff --git a/host/x86_64-linux/home/nginx/Camera.nix b/host/x86_64-linux/home/nginx/Camera.nix
new file mode 100644
index 00000000..81526afa
--- /dev/null
+++ b/host/x86_64-linux/home/nginx/Camera.nix
@@ -0,0 +1,20 @@
+{
+ util,
+ ...
+}: {
+ "camera.voronind.com".extraConfig = util.trimTabs ''
+ listen 443 ssl;
+
+ location / {
+ allow 10.0.0.0/8;
+ allow fd09:8d46:b26::/48;
+ deny all;
+ return 301 rtsp://10.0.0.12:554/live/main;
+ }
+
+ ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
+ include /etc/letsencrypt/conf/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
+ '';
+}
diff --git a/host/x86_64-linux/home/nginx/Change.nix b/host/x86_64-linux/home/nginx/Change.nix
new file mode 100644
index 00000000..044c15d7
--- /dev/null
+++ b/host/x86_64-linux/home/nginx/Change.nix
@@ -0,0 +1,23 @@
+{
+ util,
+ ...
+}: {
+ "change.voronind.com".extraConfig = util.trimTabs ''
+ listen 443 ssl;
+
+ location / {
+ allow 10.0.0.0/8;
+ allow fd09:8d46:b26::/48;
+ deny all;
+
+ proxy_pass http://127.0.0.1:5001$request_uri;
+
+ add_header Referrer-Policy 'origin';
+ }
+
+ ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
+ include /etc/letsencrypt/conf/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
+ '';
+}
diff --git a/host/x86_64-linux/home/nginx/Cups.nix b/host/x86_64-linux/home/nginx/Cups.nix
new file mode 100644
index 00000000..5dfbfa8e
--- /dev/null
+++ b/host/x86_64-linux/home/nginx/Cups.nix
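Review bot: The `location /` in `Change.nix` proxies `$request_uri` to 127.0.0.1:5001 but sets no `X-Forwarded-For`, `X-Real-IP` or `X-Forwarded-Proto`, so the upstream sees every request as coming from 127.0.0.1 over plain HTTP; its own access log and any per-client throttling lose the real source, which matters precisely because these vhosts rely on `allow`/`deny` by address. The same omission is in `Deluge.nix`, `Forgejo.nix`, `Jellyfin.nix`, `Kavita.nix`, `Paperless.nix`, `Printer.nix`, `Router.nix`, `SearX.nix`, `UptimeKuma.nix` and `Valutwarden.nix` later in this commit (`Cups.nix`, `Hass.nix` and `Invidious.nix` set some of the headers). Adding `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;` inside each `location /` fixes it; since the `allow`/`deny`/ssl stanzas are already copied verbatim across all of these files, a shared snippet in `util` would keep the header set consistent too.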
@@ -0,0 +1,25 @@
+{
+ util,
+ ...
+}: {
+ "print.voronind.com".extraConfig = util.trimTabs ''
+ listen 443 ssl;
+
+ location / {
+ allow 10.0.0.0/8;
+ allow fd09:8d46:b26::/48;
+ deny all;
+
+ proxy_pass http://127.0.0.1:631$request_uri;
+
+ proxy_set_header Host "127.0.0.1";
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
+ }
+
+ ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
+ include /etc/letsencrypt/conf/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
+ '';
+}
diff --git a/host/x86_64-linux/home/nginx/Deluge.nix b/host/x86_64-linux/home/nginx/Deluge.nix
new file mode 100644
index 00000000..684a46a4
--- /dev/null
+++ b/host/x86_64-linux/home/nginx/Deluge.nix
@@ -0,0 +1,20 @@
+{
+ util,
+ ...
+}: {
+ "download.voronind.com".extraConfig = util.trimTabs ''
+ listen 443 ssl;
+
+ location / {
+ allow 10.0.0.0/8;
+ allow fd09:8d46:b26::/48;
+ deny all;
+ proxy_pass http://127.0.0.1:8112$request_uri;
+ }
+
+ ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
+ include /etc/letsencrypt/conf/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
+ '';
+}
diff --git a/host/x86_64-linux/home/nginx/Forgejo.nix b/host/x86_64-linux/home/nginx/Forgejo.nix
new file mode 100644
index 00000000..d5f9d626
--- /dev/null
+++ b/host/x86_64-linux/home/nginx/Forgejo.nix
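Review bot: `proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;` in `Cups.nix` sets a misspelled header name; the conventional header CUPS and log pipelines read is `X-Forwarded-For`, so the client chain is never recorded upstream even though the intent is clearly there. Change the line to `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`. The `X-Real-IP` line next to it is fine and is the one CUPS will actually see today.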
@@ -0,0 +1,24 @@
+{
+ util,
+ ...
+}: {
+ "git.voronind.com".extraConfig = util.trimTabs ''
+ listen 443 ssl;
+
+ location ~ ^/(admin|api|user) {
+ allow 10.0.0.0/8;
+ allow fd09:8d46:b26::/48;
+ deny all;
+ proxy_pass http://127.0.0.1:3000$request_uri;
+ }
+
+ location / {
+ proxy_pass http://127.0.0.1:3000$request_uri;
+ }
+
+ ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
+ include /etc/letsencrypt/conf/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
+ '';
+}
diff --git a/host/x86_64-linux/home/nginx/Grocy.nix b/host/x86_64-linux/home/nginx/Grocy.nix
new file mode 100644
index 00000000..5b8386be
--- /dev/null
+++ b/host/x86_64-linux/home/nginx/Grocy.nix
@@ -0,0 +1,30 @@
+{
+ config,
+ lib,
+ util,
+ ...
+}: {
+ "stock.voronind.com" = {
+ locations."~ \\.php$".extraConfig = lib.mkForce (util.trimTabs ''
+ allow 10.0.0.0/8;
+ allow fd09:8d46:b26::/48;
+ deny all;
+
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass unix:${config.services.phpfpm.pools.grocy.socket};
+ include ${config.services.nginx.package}/conf/fastcgi.conf;
+ include ${config.services.nginx.package}/conf/fastcgi_params;
+ '');
+
+ extraConfig = lib.mkForce (util.trimTabs ''
+ listen 443 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
+ include /etc/letsencrypt/conf/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
+
+ try_files $uri /index.php;
+ '');
+ };
+}
diff --git a/host/x86_64-linux/home/nginx/Hass.nix b/host/x86_64-linux/home/nginx/Hass.nix
new file mode 100644
index 00000000..f039c71f
--- /dev/null
+++ b/host/x86_64-linux/home/nginx/Hass.nix
@@ -0,0 +1,27 @@
+{
+ util,
+ ...
+}: {
+ "iot.voronind.com".extraConfig = util.trimTabs ''
+ listen 443 ssl;
+
+ location / {
+ allow 10.0.0.0/8;
+ allow fd09:8d46:b26::/48;
+ deny all;
+
+ # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ proxy_pass http://127.0.0.1:8123$request_uri;
+ }
+
+ ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
+ include /etc/letsencrypt/conf/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
+ '';
+}
diff --git a/host/x86_64-linux/home/nginx/Homer.nix b/host/x86_64-linux/home/nginx/Homer.nix
new file mode 100644
index 00000000..63302150
--- /dev/null
+++ b/host/x86_64-linux/home/nginx/Homer.nix
@@ -0,0 +1,20 @@
+{
+ util,
+ ...
+}: {
+ "home.voronind.com".extraConfig = util.trimTabs ''
+ listen 443 ssl;
+
+ location / {
+ allow 10.0.0.0/8;
+ allow fd09:8d46:b26::/48;
+ deny all;
+ try_files $uri $uri/index.html;
+ }
+
+ ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
+ include /etc/letsencrypt/conf/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
+ '';
+}
diff --git a/host/x86_64-linux/home/nginx/Invidious.nix b/host/x86_64-linux/home/nginx/Invidious.nix
new file mode 100644
index 00000000..148ac138
--- /dev/null
+++ b/host/x86_64-linux/home/nginx/Invidious.nix
@@ -0,0 +1,30 @@
+{
+ util,
+ ...
+}: {
+ "yt.voronind.com".extraConfig = util.trimTabs ''
+ listen 443 ssl;
+
+ location / {
+ allow 10.0.0.0/8;
+ allow fd09:8d46:b26::/48;
+ deny all;
+
+ proxy_pass http://127.0.0.1:3001$request_uri;
+
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host $host;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+
+ proxy_hide_header Content-Security-Policy;
+ proxy_hide_header X-Frame-Options;
+ proxy_hide_header X-Content-Type-Options;
+ }
+
+ ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
+ include /etc/letsencrypt/conf/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
+ '';
+}
diff --git a/host/x86_64-linux/home/nginx/Jellyfin.nix b/host/x86_64-linux/home/nginx/Jellyfin.nix
new file mode 100644
index 00000000..0a1e1f5c
--- /dev/null
+++ b/host/x86_64-linux/home/nginx/Jellyfin.nix
@@ -0,0 +1,20 @@
+{
+ util,
+ ...
+}: {
+ "watch.voronind.com".extraConfig = util.trimTabs ''
+ listen 443 ssl;
+
+ location / {
+ allow 10.0.0.0/8;
+ allow fd09:8d46:b26::/48;
+ deny all;
+ proxy_pass http://127.0.0.1:8096$request_uri;
+ }
+
+ ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
+ include /etc/letsencrypt/conf/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
+ '';
+}
diff --git a/host/x86_64-linux/home/nginx/Kavita.nix b/host/x86_64-linux/home/nginx/Kavita.nix
new file mode 100644
index 00000000..b363fb37
--- /dev/null
+++ b/host/x86_64-linux/home/nginx/Kavita.nix
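Review bot: The three `proxy_hide_header` lines in `Invidious.nix` strip `Content-Security-Policy`, `X-Frame-Options` and `X-Content-Type-Options` from every response, which removes the browser-side protections upstream sets (script-source restriction, framing control, MIME-sniffing prevention) for all clients of `yt.voronind.com`, not just the one that needed it. If one header is hidden so that the player can be embedded somewhere (the `hostnames.replace` rules in `SearX.nix` rewrite YouTube links to this host, which suggests that), hide only that one and state the consumer, e.g. `# X-Frame-Options hidden so <consumer> can embed the player; CSP and nosniff are kept.` Otherwise drop all three lines.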
@@ -0,0 +1,20 @@
+{
+ util,
+ ...
+}: {
+ "read.voronind.com".extraConfig = util.trimTabs ''
+ listen 443 ssl;
+
+ location / {
+ allow 10.0.0.0/8;
+ allow fd09:8d46:b26::/48;
+ deny all;
+ proxy_pass http://127.0.0.1:5000$request_uri;
+ }
+
+ ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
+ include /etc/letsencrypt/conf/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
+ '';
+}
diff --git a/host/x86_64-linux/home/nginx/Mailserver.nix b/host/x86_64-linux/home/nginx/Mailserver.nix
new file mode 100644
index 00000000..43dfa0d2
--- /dev/null
+++ b/host/x86_64-linux/home/nginx/Mailserver.nix
@@ -0,0 +1,29 @@
+{
+ config,
+ lib,
+ util,
+ ...
+}: {
+ "mail.voronind.com" = {
+ enableACME = false;
+ forceSSL = false;
+ locations."~* \\.php(/|$)".extraConfig = lib.mkForce (util.trimTabs ''
+ allow 10.0.0.0/8;
+ allow fd09:8d46:b26::/48;
+ deny all;
+
+ fastcgi_pass unix:${config.services.phpfpm.pools.roundcube.socket};
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ include ${config.services.nginx.package}/conf/fastcgi.conf;
+ '');
+ extraConfig = lib.mkForce (util.trimTabs ''
+ listen 443 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
+ include /etc/letsencrypt/conf/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
+ '');
+ };
+}
diff --git a/host/x86_64-linux/home/nginx/Nextcloud.nix b/host/x86_64-linux/home/nginx/Nextcloud.nix
new file mode 100644
index 00000000..1021ce21
--- /dev/null
+++ b/host/x86_64-linux/home/nginx/Nextcloud.nix
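Review bot: In `Mailserver.nix`, `enableACME = false; forceSSL = false;` with the `listen 443 ssl` added only through `extraConfig` means that, as far as this hunk shows, the vhost also keeps the module's default port-80 listener, so the Roundcube login form can be served over plain HTTP unless a firewall rule elsewhere closes that port; nothing here redirects or refuses it. Either `onlySSL = true;` or an explicit `listen 80; return 301 https://$host$request_uri;` block (both outside the `allow`/`deny` location) keeps the LAN-restricted PHP location from ever answering without TLS. The `lib.mkForce` on the `~* \\.php(/|$)` location also discards whatever fastcgi parameters the roundcube module contributes, so confirm `SCRIPT_FILENAME` and `HTTPS` still arrive via `fastcgi.conf`.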
@@ -0,0 +1,22 @@
+{
+ util,
+ ...
+}: {
+ "cloud.voronind.com" = {
+ locations."~ ^/(settings/admin|settings/users|settings/apps|login|api)".extraConfig = util.trimTabs ''
+ allow 10.0.0.0/8;
+ allow fd09:8d46:b26::/48;
+ deny all;
+ try_files $uri $uri/ /index.php$request_uri;
+ '';
+
+ extraConfig = util.trimTabs ''
+ listen 443 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
+ include /etc/letsencrypt/conf/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
+ '';
+ };
+}
diff --git a/host/x86_64-linux/home/nginx/OnlyOffice.nix b/host/x86_64-linux/home/nginx/OnlyOffice.nix
new file mode 100644
index 00000000..cb4e3c14
--- /dev/null
+++ b/host/x86_64-linux/home/nginx/OnlyOffice.nix
@@ -0,0 +1,21 @@
+{
+ lib,
+ util,
+ ...
+}: {
+ "office.voronind.com" = {
+ locations."/".extraConfig = lib.mkForce (util.trimTabs ''
+ add_header X-Forwarded-Proto https;
+ proxy_pass http://127.0.0.1:8000$request_uri;
+ '');
+
+ extraConfig = util.trimTabs ''
+ listen 443 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
+ include /etc/letsencrypt/conf/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
+ '';
+ };
+}
diff --git a/host/x86_64-linux/home/nginx/Paperless.nix b/host/x86_64-linux/home/nginx/Paperless.nix
new file mode 100644
index 00000000..a49f4a5e
--- /dev/null
+++ b/host/x86_64-linux/home/nginx/Paperless.nix
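Review bot: The LAN-only location `~ ^/(settings/admin|settings/users|settings/apps|login|api)` in `Nextcloud.nix` matches only the pretty-URL form of those routes; Nextcloud serves the same pages under `/index.php/...` as well, and that form is handled by the module's PHP location, which carries no `allow`/`deny`, so the restriction is partial rather than wrong. A `try_files`-style regex extension is not enough here because the `/index.php/` form must still reach fastcgi, so the cleaner shape is a `map $uri $nc_restricted` covering both spellings plus a `return 403` guard on `$nc_restricted`/`$remote_addr` in the PHP location, or an `extraConfig` on that PHP location carrying the same `allow`/`deny` lines for a matching regex. Also worth a one-line comment: restricting `/login` to the LAN is a deliberate "no remote browser logins" policy, and a reader will otherwise assume it is an accident.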
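Review bot: `add_header X-Forwarded-Proto https;` in `OnlyOffice.nix` adds a header to the response returned to the browser; it never reaches the upstream at 127.0.0.1:8000, so OnlyOffice does not learn it is behind TLS. The directive wanted is `proxy_set_header X-Forwarded-Proto https;` together with `proxy_set_header Host $host;`. Unlike every other proxied vhost in this commit this location has no `allow`/`deny` block; if that is intentional because the document server must be reachable by clients outside the LAN, a comment saying so (`# NOTE: no LAN restriction on purpose, ...`) would stop the next reviewer from "fixing" it.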
@@ -0,0 +1,20 @@
+{
+ util,
+ ...
+}: {
+ "paper.voronind.com".extraConfig = util.trimTabs ''
+ listen 443 ssl;
+
+ location / {
+ allow 10.0.0.0/8;
+ allow fd09:8d46:b26::/48;
+ deny all;
+ proxy_pass http://127.0.0.1:28981$request_uri;
+ }
+
+ ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
+ include /etc/letsencrypt/conf/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
+ '';
+}
diff --git a/host/x86_64-linux/home/nginx/Printer.nix b/host/x86_64-linux/home/nginx/Printer.nix
new file mode 100644
index 00000000..da210a76
--- /dev/null
+++ b/host/x86_64-linux/home/nginx/Printer.nix
@@ -0,0 +1,20 @@
+{
+ util,
+ ...
+}: {
+ "printer.voronind.com".extraConfig = util.trimTabs ''
+ listen 443 ssl;
+
+ location / {
+ allow 10.0.0.0/8;
+ allow fd09:8d46:b26::/48;
+ deny all;
+ proxy_pass http://10.0.0.10:80$request_uri;
+ }
+
+ ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
+ include /etc/letsencrypt/conf/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
+ '';
+}
diff --git a/host/x86_64-linux/home/nginx/Privatebin.nix b/host/x86_64-linux/home/nginx/Privatebin.nix
new file mode 100644
index 00000000..af5178ff
--- /dev/null
+++ b/host/x86_64-linux/home/nginx/Privatebin.nix
@@ -0,0 +1,44 @@
+{
+ config,
+ util,
+ ...
+}: {
+ "paste.voronind.com" = {
+ locations = {
+ "= /".extraConfig = util.trimTabs ''
+ return 403;
+ '';
+
+ "~ \\.php$".extraConfig = util.trimTabs ''
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass unix:${config.services.phpfpm.pools.paste.socket};
+ include ${config.services.nginx.package}/conf/fastcgi.conf;
+ include ${config.services.nginx.package}/conf/fastcgi_params;
+ '';
+
+ "~ \\.(js|css|ttf|woff2?|png|jpe?g|svg)$".extraConfig = util.trimTabs ''
+ add_header Cache-Control "public, max-age=15778463";
+ add_header Referrer-Policy no-referrer;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header X-Robots-Tag none;
+ add_header X-XSS-Protection "1; mode=block";
+ access_log off;
+ '';
+
+ "/".extraConfig = util.trimTabs ''
+ rewrite ^ /index.php;
+ '';
+ };
+
+ extraConfig = util.trimTabs ''
+ listen 443 ssl;
+ ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
+ include /etc/letsencrypt/conf/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
+ try_files $uri /index.php;
+ '';
+ };
+}
diff --git a/host/x86_64-linux/home/nginx/Resume.nix b/host/x86_64-linux/home/nginx/Resume.nix
new file mode 100644
index 00000000..7fdceebf
--- /dev/null
+++ b/host/x86_64-linux/home/nginx/Resume.nix
@@ -0,0 +1,20 @@
+{
+ util,
+ ...
+}: {
+ "resume.voronind.com".extraConfig = util.trimTabs ''
+ server_name resume.voronind.com;
+ listen 443 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
+ include /etc/letsencrypt/conf/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
+
+ if ($http_accept_language ~ ru) {
+ return 301 https://git.voronind.com/voronind/resume/releases/download/latest/VoronindRu.pdf;
+ }
+
+ return 301 https://git.voronind.com/voronind/resume/releases/download/latest/VoronindEn.pdf;
+ '';
+}
diff --git a/host/x86_64-linux/home/nginx/Router.nix b/host/x86_64-linux/home/nginx/Router.nix
new file mode 100644
index 00000000..97383970
--- /dev/null
+++ b/host/x86_64-linux/home/nginx/Router.nix
@@ -0,0 +1,20 @@
+{
+ util,
+ ...
+}: {
+ "router.voronind.com".extraConfig = util.trimTabs ''
+ listen 443 ssl;
+
+ location / {
+ allow 10.0.0.0/8;
+ allow fd09:8d46:b26::/48;
+ deny all;
+ proxy_pass http://10.0.0.2:80$request_uri;
+ }
+
+ ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
+ include /etc/letsencrypt/conf/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
+ '';
+}
diff --git a/host/x86_64-linux/home/nginx/SearX.nix b/host/x86_64-linux/home/nginx/SearX.nix
new file mode 100644
index 00000000..48c6c64f
--- /dev/null
+++ b/host/x86_64-linux/home/nginx/SearX.nix
@@ -0,0 +1,20 @@
+{
+ util,
+ ...
+}: {
+ "search.voronind.com".extraConfig = util.trimTabs ''
+ listen 443 ssl;
+
+ location / {
+ allow 10.0.0.0/8;
+ allow fd09:8d46:b26::/48;
+ deny all;
+ proxy_pass http://127.0.0.1:34972$request_uri;
+ }
+
+ ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
+ include /etc/letsencrypt/conf/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
+ '';
+}
diff --git a/host/x86_64-linux/home/nginx/UptimeKuma.nix b/host/x86_64-linux/home/nginx/UptimeKuma.nix
new file mode 100644
index 00000000..c7726e2c
--- /dev/null
+++ b/host/x86_64-linux/home/nginx/UptimeKuma.nix
@@ -0,0 +1,20 @@
+{
+ util,
+ ...
+}: {
+ "status.voronind.com".extraConfig = util.trimTabs ''
+ listen 443 ssl;
+
+ location / {
+ allow 10.0.0.0/8;
+ allow fd09:8d46:b26::/48;
+ deny all;
+ proxy_pass http://127.0.0.1:64901$request_uri;
+ }
+
+ ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
+ include /etc/letsencrypt/conf/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
+ '';
+}
diff --git a/host/x86_64-linux/home/nginx/Valutwarden.nix b/host/x86_64-linux/home/nginx/Valutwarden.nix
new file mode 100644
index 00000000..aee257b6
--- /dev/null
+++ b/host/x86_64-linux/home/nginx/Valutwarden.nix
@@ -0,0 +1,20 @@
+{
+ util,
+ ...
+}: {
+ "pass.voronind.com".extraConfig = util.trimTabs ''
+ listen 443 ssl;
+
+ location / {
+ allow 10.0.0.0/8;
+ allow fd09:8d46:b26::/48;
+ deny all;
+ proxy_pass http://127.0.0.1:8001$request_uri;
+ }
+
+ ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/voronind.com/privkey.pem;
+ include /etc/letsencrypt/conf/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
+ '';
+}
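Review bot: The new file is named `nginx/Valutwarden.nix` while the service file added in the same commit is `Vaultwarden.nix` and the vhost serves `pass.voronind.com`; the transposed letters make the pair hard to find by name, so rename it to `nginx/Vaultwarden.nix` before it spreads into other references. On substance, Vaultwarden keys its login-attempt rate limiting and admin-panel IP logging off the client address it sees (by default taken from `X-Real-IP`), and this `location /` forwards no such header, so with the proxy on 127.0.0.1 every client shares one bucket and failed logins are attributed to localhost. Add `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` next to the `proxy_pass` line.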
diff --git a/lib/Container.nix b/lib/Container.nix
deleted file mode 100644
index bfb04368..00000000
--- a/lib/Container.nix
+++ /dev/null
@@ -1,83 +0,0 @@ -{ - config, - const, - lib, - util, - ... -}: { - mkContainer = cfg: extra: lib.recursiveUpdate { - # Allow nested containers. - additionalCapabilities = [ ''all" --system-call-filter="add_key keyctl bpf" --capability="all'' ]; - enableTun = true; - - # Start containers with the system by default. - autoStart = config.container.autoStart; - - # IP Address of the host. This is required for container to have access to the Internet. - hostAddress = config.container.host; - - # Container's IP address. - localAddress = cfg.address; - - # Isolate container from other hosts. - privateNetwork = true; - } extra; - - # Common configuration for the system inside the container. - mkContainerConfig = cfg: extra: lib.recursiveUpdate { - boot.isContainer = true; - - # Release version. - system.stateVersion = const.stateVersion; - - # Nix is fucking annoying. - nixpkgs.config = { - allowUnfree = true; - allowInsecurePredicate = x: true; - }; - - # Allow passwordless login as root. - users = { - users.root.password = ""; - mutableUsers = false; - }; - - networking = { - # Default DNS servers. - nameservers = [ - "1.1.1.1" - "1.0.0.1" - ]; - - # HACK: Fix for upstream issue: https://github.com/NixOS/nixpkgs/issues/162686 - useHostResolvConf = lib.mkForce false; - - # Configure firewall. - firewall = { - enable = true; - extraCommands = (util.trimTabs '' - # Full access from the host. - iptables -I INPUT -s ${config.container.host} -j ALLOW - ''); - }; - }; - } extra; - - # Create a directory on the host for container use. - mkContainerDir = cfg: dirs: map (path: "d '${cfg.storage}/${path}' 1777 root root - -") dirs; - - # Common configuration for Nginx server. - mkServer = cfg: lib.recursiveUpdate { forceSSL = false; } cfg; - - # Attach the host media directory to container. 
- # They will be added to /type/{0..9} - attachMedia = type: ro: builtins.listToAttrs ( - lib.imap0 (i: path: { - name = "/${type}/${toString i}"; - value = { - hostPath = path; - isReadOnly = ro; - }; - }) config.container.media.${type} - ); -} diff --git a/package/homer/Config.nix b/package/homer/Config.nix index 31a34ff5..28675e67 100644 --- a/package/homer/Config.nix +++ b/package/homer/Config.nix 
@@ -5,30 +5,30 @@ }: let iconTheme = "fa-solid"; links = [ - (mkLink "Status" "fa-heartbeat" "https://${config.container.module.status.domain}") + (mkLink "Status" "fa-heartbeat" "https://status.voronind.com") ]; services = [ (mkGroup "App" "fa-server" [ - (mkLink "Change" "fa-user-secret" "https://${config.container.module.change.domain}") - (mkLink "Cloud" "fa-cloud" "https://${config.container.module.cloud.domain}") - (mkLink "Download" "fa-download" "https://${config.container.module.download.domain}") - (mkLink "Git" "fab fa-git-alt" "https://${config.container.module.git.domain}") - (mkLink "Iot" "fa-home" "https://${config.container.module.iot.domain}") - (mkLink "Mail" "fa-envelope" "https://${config.container.module.mail.domain}") - (mkLink "Paper" "fa-paperclip" "https://${config.container.module.paper.domain}") - (mkLink "Pass" "fa-key" "https://${config.container.module.pass.domain}") - (mkLink "Paste" "fa-paste" "https://${config.container.module.paste.domain}/s") - (mkLink "Print" "fa-print" "https://${config.container.module.print.domain}") - (mkLink "Read" "fa-book" "https://${config.container.module.read.domain}") - (mkLink "Search" "fa-search" "https://${config.container.module.search.domain}") - (mkLink "Stock" "fa-boxes-stacked" "https://${config.container.module.stock.domain}") - (mkLink "Watch" "fa-film" "https://${config.container.module.watch.domain}") - (mkLink "YouTube" "fab fa-youtube" "https://${config.container.module.yt.domain}") + (mkLink "Change" "fa-user-secret" "https://change.voronind.com") + (mkLink "Cloud" "fa-cloud" "https://cloud.voronind.com") + (mkLink "Download" "fa-download" "https://download.voronind.com") + (mkLink "Git" "fab fa-git-alt" "https://git.voronind.com") + (mkLink "Iot" "fa-home" "https://iot.voronind.com") + (mkLink "Mail" "fa-envelope" "https://mail.voronind.com") + (mkLink "Paper" "fa-paperclip" "https://paper.voronind.com") + (mkLink "Pass" "fa-key" "https://pass.voronind.com") + (mkLink "Paste" "fa-paste" 
"https://paste.voronind.com") + (mkLink "Print" "fa-print" "https://print.voronind.com") + (mkLink "Read" "fa-book" "https://read.voronind.com") + (mkLink "Search" "fa-search" "https://search.voronind.com") + (mkLink "Stock" "fa-boxes-stacked" "https://stock.voronind.com") + (mkLink "Watch" "fa-film" "https://watch.voronind.com") + (mkLink "YouTube" "fab fa-youtube" "https://yt.voronind.com") ]) (mkGroup "System" "fa-shield" [ - (mkLink "Camera" "fa-camera" "https://camera.${config.container.domain}") - (mkLink "Printer" "fa-print" "https://printer.${config.container.domain}") - (mkLink "Router" "fa-route" "https://router.${config.container.domain}") + (mkLink "Camera" "fa-camera" "https://camera.voronind.com") + (mkLink "Printer" "fa-print" "https://printer.voronind.com") + (mkLink "Router" "fa-route" "https://router.voronind.com") ]) (mkGroup "Bookmark" "fa-bookmark" [ (mkLink "2gis" "fa-map-location-dot" "https://2gis.ru") diff --git a/package/jobber/project/jobber/__init__.py b/package/jobber/project/jobber/__init__.py index 95dd49ee..8c4b5702 100644 --- a/package/jobber/project/jobber/__init__.py +++ b/package/jobber/project/jobber/__init__.py @@ -29,8 +29,8 @@ URL_SCHEME = "https://" URL = "portal.fsight.ru/" # DRIVER = "/data/geckodriver" DRIVER = "geckodriver" -USERS = "/data/users.txt" -OVPN = "/data/fsight.ovpn" +USERS = "/storage/hot/data/jobber/users.txt" +OVPN = "/storage/hot/data/jobber/fsight.ovpn" BUTTON = "//*[contains(@id, '_InOutButton')]" TEXT_HERE = "Пришёл" TEXT_GONE = "Ушёл" diff --git a/package/privatebin/Config.nix b/package/privatebin/Config.nix index bb87077f..41518b7a 100644 --- a/package/privatebin/Config.nix +++ b/package/privatebin/Config.nix @@ -39,7 +39,7 @@ }; model_options = { "opt[12]" = true; - dsn = "pgsql:host=${config.container.module.postgres.address};dbname=privatebin"; + dsn = "pgsql:dbname=privatebin"; pwd = "privatebin"; tbl = "privatebin_"; usr = "privatebin"; 
diff --git a/user/Dasha.nix b/user/Dasha.nix index 14e01685..797f4552 100644 --- a/user/Dasha.nix +++ b/user/Dasha.nix @@ -1,6 +1,7 @@ { - lib, config, + lib, + pkgs, ... }: let cfg = config.user; @@ -8,6 +9,7 @@ in { options.user.dasha = lib.mkEnableOption "dasha."; config = lib.mkIf cfg.dasha { + environment.systemPackages = with pkgs; [ nautilus ]; # NOTE: She wants it. home.nixos.users = [{ homeDirectory = "/home/dasha"; username = "dasha";