it's forkin' time config de fabian

chem 2025-08-24 12:55:26 -06:00
parent 98a32736d6
commit b77f64cc27
46 changed files with 119 additions and 1326 deletions


@ -31,22 +31,10 @@ in {
config = {
local.sys.users = {
fabian = {
chem = {
unixId = mkDefault 1000;
admin = true;
};
vanessa = {
unixId = mkDefault 1001;
admin = false;
};
soto = {
unixId = mkDefault 1010;
admin = false;
};
diaz = {
unixId = mkDefault 1011;
admin = false;
};
};
users = let
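Review bot: The shared users module now defines only `chem`, yet the host section later in this commit (the hunk starting at `gtklock.enable = true;`) still prints `vanessa.enable = true;`, and that section's 18/17 counts leave exactly one removal unaccounted for, so the page does not make it certain that line was dropped. If it survives, the host enables a user whose shared definition this hunk deletes; how that fails depends on how `local.sys.users` is typed — an evaluation error if the set is closed, or an account built from submodule defaults (no fixed `unixId`, `admin` unset) if it is open. Worth confirming the line is gone, and documenting on `chem` that `unixId = mkDefault 1000` is a placeholder the host overrides (the host hunk sets `unixId = 1002;`), e.g. `# shared default; each host sets its own local.sys.users.chem.unixId`. The enclosing `config = { … }` attrset continues outside the hunk.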


@ -1,44 +0,0 @@
{
config,
lib,
pkgs,
flakes,
modulesPath,
...
}: let
subvol = subvol: {
device = "/dev/disk/by-uuid/645fdba0-5c03-4285-926b-facded1ee259";
fsType = "btrfs";
options = ["subvol=${subvol}" "compress=zstd" "noatime" "ssd"];
};
in {
imports = [
flakes.nixpkgs.nixosModules.notDetected
];
boot.initrd = {
availableKernelModules = ["xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
luks.devices."toplevel" = {
device = "/dev/disk/by-uuid/58277baa-90d4-4a5e-a658-1b918b89130a";
preLVM = false;
};
};
fileSystems = {
"/" = subvol "root";
"/toplevel" = subvol "/";
"/boot" = {
device = "/dev/disk/by-uuid/B007-B007";
fsType = "vfat";
options = ["umask=027"];
};
"/extern" = {
device = "/dev/disk/by-uuid/7d8d3ec9-b456-4e2a-9396-551dcaf7705b";
fsType = "btrfs";
options = ["noatime" "compress=zstd"];
};
};
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -1,67 +0,0 @@
{
config,
pkgs,
lib,
flakes,
...
}: {
imports = [
flakes.home-manager.nixosModules.home-manager
flakes.impermanence.nixosModule
./hardware-configuration.nix
];
local.sys = {
baseline.enable = true;
yubikey.enable = true;
audio.enable = true;
graphics.enable = true;
androidSupport.enable = true;
bluetooth.enable = true;
users = {
fabian = {
enable = true;
unixId = 1002;
};
vanessa.enable = true;
};
};
networking = {
hostName = "t14";
networkmanager.enable = true;
useDHCP = false; # The global useDHCP flag is deprecated, therefore explicitly set to false here.
interfaces.enp7s0.useDHCP = true; # Per-interface useDHCP will be mandatory in the future, so this generated config
interfaces.wlp6s0.useDHCP = true; # replicates the default behaviour.
};
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
tmp.useTmpfs = true;
kernelPackages = pkgs.linuxPackages_latest;
};
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8"; #todo: move to baseline?
time.timeZone = "America/Costa_Rica"; #todo: move to baseline?
###### MODULARIZE AFTER THIS
services = {
fwupd.enable = true;
thinkfan.enable = true;
tlp.enable = true;
pcscd.enable = true;
};
hardware.acpilight.enable = true;
services.fprintd.enable = true;
}


@ -1,62 +0,0 @@
{
config,
lib,
pkgs,
flakes,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
services.xserver.videoDrivers = ["i915" "modesetting" "fbdev"];
boot = {
initrd = {
availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "sdhci_pci"];
kernelModules = ["dm-snapshot"];
luks.devices."tomb" = {
device = "/dev/disk/by-uuid/0b2b9aec-c239-4cce-948d-4411d9300c1d";
preLVM = true;
};
};
kernelModules = ["kvm-intel"];
extraModulePackages = [];
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/2774158f-8ec5-4ba1-a4fb-a37f55b8bb38";
fsType = "btrfs";
options = ["subvol=root"];
};
"/boot" = {
device = "/dev/disk/by-uuid/A7E5-EEAB";
fsType = "vfat";
};
"/nix" = {
device = "/dev/disk/by-uuid/2774158f-8ec5-4ba1-a4fb-a37f55b8bb38";
fsType = "btrfs";
options = ["subvol=nix"];
};
"/home" = {
device = "/dev/disk/by-uuid/2774158f-8ec5-4ba1-a4fb-a37f55b8bb38";
fsType = "btrfs";
options = ["subvol=home"];
};
"/toplevel" = {
device = "/dev/disk/by-uuid/2774158f-8ec5-4ba1-a4fb-a37f55b8bb38";
fsType = "btrfs";
};
};
swapDevices = [];
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -1,117 +0,0 @@
{
config,
lib,
pkgs,
flakes,
modulesPath,
...
}:
with lib; {
imports = [
flakes.vpsadminos.nixosConfigurations.container
flakes.home-manager.nixosModules.home-manager
flakes.impermanence.nixosModule
./hardware-configuration.nix
./srv
./networkMap.nix
];
local.sys = {
baseline.enable = true;
users.fabian = {
enable = true;
sshKeyPublicFile = [public_files/pki/fabian.ssh];
};
};
networking = {
hostName = "vps";
domain = "posixlycorrect.com";
};
services.openssh = {
settings.PasswordAuthentication = false;
};
programs.mosh.enable = true;
home-manager = {
useGlobalPkgs = true;
useUserPackages = true;
extraSpecialArgs = {inherit flakes;};
users.fabian = {
imports = [
flakes.impermanence.nixosModules.home-manager.impermanence
"${flakes.self}/home/platforms/fabian@vps"
"${flakes.self}/home"
];
};
};
networking.firewall.allowedUDPPorts = [51820]; #TODO
systemd = {
extraConfig = ''
DefaultTimeoutStartSec=900s
'';
network = let
inherit (config.local.sys) nets;
in {
enable = true;
netdevs = {
wg-vpn = {
netdevConfig = {
Name = "wg-vpn";
Kind = "wireguard";
};
wireguardConfig = {
PrivateKeyFile = "/var/trust/wg/vpn/key.priv";
ListenPort = "51820";
};
wireguardPeers = [
{
PublicKey = "wwUp3Uu/rSxbp+6J745O+cpnZHGWOJYWfWEsTjRE3yU=";
PresharedKeyFile = "/var/trust/wg/vpn/vps-posixlycorrect.psk";
AllowedIPs = ["${nets.vpn-posixlycorrect.v6.cidr}"];
}
{
PublicKey = "YFqg/ED26KygSRSmGzvUXpwnXPqMOI3R3caVfAtHVks=";
PresharedKeyFile = "/var/trust/wg/vpn/vps-pixel8.psk";
AllowedIPs = ["${nets.vpn-pixel8.v6.cidr}"];
}
];
};
};
networks = {
wg-vpn = {
name = "wg-vpn";
networkConfig = {
Address = [
nets.vpn-vps.hosts.vps.v6.cidr
];
};
routes = [
{
Destination = nets.vpn.v6.cidr;
}
{
Source = nets.vpn.v6.cidr;
}
];
};
};
};
};
time.timeZone = "Europe/Amsterdam";
}


@ -1,29 +0,0 @@
{
config,
lib,
pkgs,
flakes,
modulesPath,
...
}: let
in {
fileSystems = {
"/mnt/export2008" = {
device = "172.16.129.19:/nas/5876";
fsType = "nfs";
options = ["nofail" "noatime"];
};
"/mnt/export2178" = {
device = "172.16.129.151:/nas/5876/immich";
fsType = "nfs";
options = ["nofail" "noatime"];
};
"/mnt/export2179" = {
device = "172.16.131.31:/nas/5876/syncthing";
fsType = "nfs";
options = ["nofail"];
};
};
}


@ -1,78 +0,0 @@
{
config,
pkgs,
lib,
flakes,
...
}:
with lib; {
local.sys.nets = {
default = {
v4 = {
bits = 32;
prefix = "37.205.12.34";
};
v6 = {
bits = 64;
prefix = "2a03:3b40:fe:102";
};
hosts = {
vps.v6.suffix = "1";
vps.v4.suffix = "";
};
};
vpn = {
v6 = {
bits = 48;
prefix = "2a03:3b40:2b";
};
};
vpn-vps = {
v6 = {
bits = 64;
prefix = "2a03:3b40:2b:1000";
};
hosts = {
vps.v6.suffix = "1";
};
};
vpn-posixlycorrect = {
v6 = {
bits = 64;
prefix = "2a03:3b40:2b:1001";
};
hosts = {
posixlycorrect.v6.suffix = "1";
};
};
vpn-pixel8 = {
v6 = {
bits = 64;
prefix = "2a03:3b40:2b:1002";
};
hosts = {
pixel8.v6.suffix = "1";
};
};
vpn-t14 = {
v6 = {
bits = 64;
prefix = "2a03:3b40:2b:1003";
};
hosts = {
t14.v6.suffix = "1";
};
};
};
}




@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHkK2Cg3dozG78AEA2OTzydezcKVnNTTj0MUJZcP/mrN fabian@posixlycorrect.com


@ -1,25 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEZHlROBYJKwYBBAHaRw8BAQdAhzA1JCghQ6KoHOuf6JPQhEmchHLVXFVye4I2
pRUOUMO0KkZhYmlhbiBNb250ZXJvIDxmYWJpYW5AcG9zaXhseWNvcnJlY3QuY29t
PoiUBBMWCgA8FiEEeqJ35gSkFzkWu7TpH/rDXheYF08FAmR5UTgCGwMFCQlmAYAE
CwkIBwQVCgkIBRYCAwEAAh4FAheAAAoJEB/6w14XmBdPP2EA/i9ugFxpIFF6oOQs
clMfr+sNj6Il0OUTJK0dqpp4mGorAP0awa6nfhU8T1Ju7UWr6cfSmnL4bM6M/4Z3
D+AF/L5PBokCMwQQAQoAHRYhBOd6gIv5qVXWaO7qZHP6nJy18CSbBQJkeVKDAAoJ
EHP6nJy18CSbzTkP/Reio0ObRrRW+QSw62ZXrUG0mFcNeeoM9amldCToFRyGnSDu
wtZ9nqwLiTJ01VPBOsEZLsl4VonO3rdadqnMTZ3XqKK9VHBl6UNot3DQ8INDAcko
GW1zvEdxNkpMxhtAja0JkcBdG7+zxc2aEGeKfEna2qDXA+xtYw5+pssOWYMip7hm
jQ2NzYMYav2KYRBC7eXTkAIIIJi/l9pR1IwHtY3a0gfbkQymgCyt5wVG6LneYFIR
+ycNVCObwyP8gFASdId0bWnA23rkilc9ZBOCps/cGfDLM+KQ+sLAWBFBQyQeEjcv
tU+pLXncAEvWy/SFmprVSLDQMMooFaEJMZChojGcCkwAPG1twsihqIA3E44Q3/+G
K0gZN57jGMnfvuQiuLuttOMdu27KwEu++t3YUt0P6S4kARpx51zZJ7A2Yj2u22aM
7EL8qq6KTNdNoS7FgwQkrWbokdDZIl0HV+5TeMQfylPqOPhuFK/1A9qztqknBPVY
QUx2t6FZUgH9sT7uD+5gXxyeqmEIFo2i6D8G/4TEPbKtWivJfeOqDEBn4QEY2nvE
zgJLLU5XCv9xPz5rizRCa+h+kg+i4mH6fLCBCCAPXsbAAo0gUlGJvX4slPh7uPOa
T2r7A/7uezResBzP/L/vostlmjO5c8cOl9Wc6D1kRZq17/AjMUgy6+KR3iVnuDgE
ZHlROBIKKwYBBAGXVQEFAQEHQPRbCS2p8xpt3fRxfyRnDOdH9pULY4NtGmZUS0ve
ZGkTAwEIB4h+BBgWCgAmFiEEeqJ35gSkFzkWu7TpH/rDXheYF08FAmR5UTgCGwwF
CQlmAYAACgkQH/rDXheYF0/65AD+LtDeedCYv9zs+1Ia3DvejVZM256WEH+dRH5h
Pm3RzQ8A/2+bXRnfsgGqacj/kKEL3spuos95ngRNRkrQ39nc1koP
=PAxr
-----END PGP PUBLIC KEY BLOCK-----


@ -1,19 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=wpc0
-----END PGP PUBLIC KEY BLOCK-----


@ -1,31 +0,0 @@
{
lib,
pkgs,
...
}:
with lib; {
services = {
nginx = {
virtualHosts."calibre.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
locations."/" = {
proxyPass = "http://[::1]:8083";
};
};
};
calibre-web = {
enable = true;
openFirewall = true;
options = {
enableBookUploading = true;
calibreLibrary = "/var/lib/calibre-web/calibre_library";
};
};
};
}


@ -1,24 +0,0 @@
{
config,
pkgs,
lib,
flakes,
...
}:
with lib; {
imports = [
./net.nix
./mediawiki.nix
./forgejo.nix
./vaultwarden.nix
./msmtp.nix
./paperless.nix
./trilium.nix
./syncthing.nix
./shiori.nix
./calibre-web.nix
./immich.nix
./wiki-js.nix
./mealie.nix
];
}


@ -1,62 +0,0 @@
{
config,
lib,
...
}:
with lib; {
config = {
environment.etc."fail2ban/filter.d/gitea.local".text = ''
[Definition]
failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
ignoreregex =
'';
services = {
nginx = {
virtualHosts."git.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
locations."/".proxyPass = "http://localhost:9170";
};
};
fail2ban.jails.gitea.settings = {
filter = "gitea";
logpath = "${config.services.gitea.stateDir}/log/gitea.log";
maxretry = "10";
findtime = "3600";
bantime = "900";
action = "iptables-allports";
};
forgejo = {
enable = true;
lfs.enable = true;
useWizard = false;
settings = {
general.APP_NAME = "posixlycorrect";
ui.DEFAULT_THEME = "forgejo-dark";
server = {
DOMAIN = "git.posixlycorrect.com";
ROOT_URL = "https://git.posixlycorrect.com";
HTTP_PORT = 9170;
LANDING_PAGE = "explore";
};
service.DISABLE_REGISTRATION = true;
actions = {
ENABLED = true;
};
mailer = {
ENABLED = false;
};
};
};
};
};
}


@ -1,73 +0,0 @@
{
lib,
pkgs,
...
}:
with lib; {
services = {
nginx = {
virtualHosts."photos.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
locations."/" = {
proxyPass = "http://localhost:2283";
};
};
};
immich = {
enable = true;
secretsFile = "/var/trust/immich/secrets.txt";
openFirewall = true;
mediaLocation = "/mnt/export2178/immich/media";
machine-learning.enable = false;
environment = {
IMMICH_TELEMETRY_EXCLUDE = "host,api,io,repo,job";
};
settings = {
machineLearning = {
enabled = false;
};
job = {
backgroundTask = {
concurrency = 1;
};
smartSearch = {
concurrency = 1;
};
metadataExtraction = {
concurrency = 1;
};
faceDetection = {
concurrency = 1;
};
search = {
concurrency = 1;
};
sidecar = {
concurrency = 1;
};
library = {
concurrency = 1;
};
migration = {
concurrency = 1;
};
thumbnailGeneration = {
concurrency = 1;
};
videoConversion = {
concurrency = 1;
};
notifications = {
concurrency = 1;
};
};
};
};
};
}


@ -1,37 +0,0 @@
{
lib,
pkgs,
...
}:
with lib; {
systemd.services.wiki-js = {
requires = ["postgresql.service"];
after = ["postgresql.service"];
};
services = {
nginx = {
virtualHosts."food.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
locations."/" = {
proxyPass = "http://127.0.0.1:9000";
};
};
};
mealie = {
enable = true;
listenAddress = "127.0.0.1";
port = 9000;
credentialsFile = "/var/trust/mealie/credentials.env";
settings = {
ALLOW_SIGNUP = "false";
};
};
};
}


@ -1,71 +0,0 @@
{
lib,
pkgs,
flakes,
...
}:
with lib; {
services = {
nginx = {
virtualHosts."wiki.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
};
};
mediawiki = {
enable = true;
name = "posixlycorrect wiki";
webserver = "nginx";
nginx.hostName = "wiki.posixlycorrect.com";
database.type = "postgres";
passwordFile = "/run/keys/mediawiki-password";
skins = {
citizen = "${flakes.mediawikiSkinCitizen}";
};
extraConfig = ''
# Disable anonymous editing and account creation
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgDefaultSkin = 'citizen';
$wgDefaultMobileSkin = 'citizen';
$wgCitizenThemeDefault = 'dark';
$wgCitizenShowPageTools = 'login';
$wgLogos = [
'icon' => "https://posixlycorrect.com/favicon.png",
'1x' => "https://posixlycorrect.com/favicon.png",
'2x' => "https://posixlycorrect.com/favicon.png",
];
$wgEnableEmail = false; #TODO: arreglar esto
$wgNoReplyAddress = 'mediawiki@posixlycorrect.com';
$wgEmergencyContact = 'mediawiki@posixlycorrect.com';
$wgPasswordSender = 'mediawiki@posixlycorrect.com';
'';
extensions = {
# some extensions are included and can enabled by passing null
VisualEditor = null;
CategoryTree = null;
CiteThisPage = null;
Scribunto = null;
Cite = null;
CodeEditor = null;
Math = null;
MultimediaViewer = null;
PdfHandler = null;
Poem = null;
SecureLinkFixer = null;
WikiEditor = null;
ParserFunctions = null;
};
};
};
}


@ -1,35 +0,0 @@
{
lib,
pkgs,
...
}:
with lib; {
users.groups = {
mailsenders = {
members = ["fabian" "mediawiki"];
};
};
# esto sirve para que PHP pueda accesar la clave smtp de fastmail
#systemd.services.phpfpm-mediawiki = {
# path = [ "/run/wrappers" ];
# serviceConfig.ReadWritePaths = [ "/run/wrappers" "/var/trust/fastmail" ];
#};
programs = {
msmtp = {
enable = true;
accounts = {
default = {
auth = true;
host = "smtp.fastmail.com";
port = 587;
passwordeval = "cat /var/trust/fastmail/smtp_key";
user = "fabianmontero@fastmail.com";
tls = true;
tls_starttls = true;
};
};
};
};
}


@ -1,89 +0,0 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
inherit (config.local.sys) nets;
in {
networking = {
nftables.enable = false; # learn how to use this later
firewall = {
enable = true;
allowedTCPPorts = [80 443];
};
domain = "posixlycorrect.com";
};
# ver https://nixos.org/manual/nixos/stable/index.html#module-security-acme-nginx
security.acme = {
acceptTerms = true;
defaults.email = "fabian@posixlycorrect.com";
};
services = {
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
logError = "/var/log/nginx/error.log";
clientMaxBodySize = "99M";
virtualHosts = {
"posixlycorrect.com" = {
forceSSL = true;
enableACME = true;
locations = {
"/".root = "${pkgs.local.homepage}";
"~ ^/public(?:/(.*))?$" = {
# https://serverfault.com/a/476368
alias = "${../public_files}/$1";
extraConfig = ''
autoindex on;
autoindex_exact_size on;
autoindex_localtime on;
autoindex_format html;
'';
};
};
};
};
};
fail2ban = {
enable = true;
bantime = "10m";
ignoreIP = [
nets.default.hosts.vps.v6.cidr
nets.default.hosts.vps.v4.address
nets.vpn.v6.cidr
];
bantime-increment = {
enable = true;
formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
maxtime = "48h"; # Do not ban for more than 48h
rndtime = "10m";
overalljails = true; # Calculate the bantime based on all the violations
};
jails = {
# https://discourse.nixos.org/t/fail2ban-with-nginx-and-authelia/31419
nginx-botsearch.settings = {
# Usar log en vez de journalctl
# TODO: Pasar todo a systemd?
backend = "pyinotify";
logpath = "/var/log/nginx/*.log";
journalmatch = "";
};
nginx-bad-request.settings = {
backend = "pyinotify";
logpath = "/var/log/nginx/*.log";
journalmatch = "";
maxretry = 10;
};
};
};
};
}


@ -1,39 +0,0 @@
{
lib,
pkgs,
...
}:
with lib; {
services = {
nginx = {
virtualHosts."docs.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
locations."/" = {
proxyPass = "http://127.0.0.1:28981";
};
};
};
paperless = {
enable = true;
user = "paperless";
passwordFile = "/var/trust/paperless/passwordFile";
openMPThreadingWorkaround = true; # see https://github.com/NixOS/nixpkgs/issues/240591
address = "127.0.0.1";
port = 28981;
settings = {
PAPERLESS_URL = "docs.posixlycorrect.com";
PAPERLESS_OCR_LANGUAGE = "eng+spa";
PAPERLESS_APP_TITLE = "posixlycorrect";
PAPERLESS_OCR_USER_ARGS = {
"invalidate_digital_signatures" = true;
};
};
};
};
}


@ -1,29 +0,0 @@
{
lib,
pkgs,
...
}:
with lib; {
services = {
nginx = {
virtualHosts."bookmarks.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
locations."/" = {
proxyPass = "http://127.0.0.1:8089";
};
};
};
shiori = {
enable = true;
address = "127.0.0.1";
port = 8089;
environmentFile = "/var/trust/shiori/env";
};
};
}


@ -1,42 +0,0 @@
{
lib,
pkgs,
...
}:
with lib; {
services = {
syncthing = {
enable = true;
systemService = true;
overrideFolders = false;
overrideDevices = false;
openDefaultPorts = true;
guiAddress = "127.0.0.1:8384";
settings.options.urAccepted = -1;
dataDir = "/mnt/export2179/syncthing";
relay = {
enable = true;
pools = [];
providedBy = "vps.posixlycorrect.com";
};
};
};
# calibre web stuff. make this better someday, this is pure duct-tape
users.groups."calybresync".members = ["syncthing" "calibre-web"];
systemd = {
services."calybreown" = {
script = ''
chgrp -R calybresync /var/lib/calibre-web/calibre_library
chmod -R g+w /var/lib/calibre-web/calibre_library
'';
serviceConfig.Type = "oneshot";
};
timers."calybreown" = {
wantedBy = [
"timers.target"
];
timerConfig.OnCalendar = "*-*-* *:00/30:00";
};
};
}


@ -1,33 +0,0 @@
{
lib,
pkgs,
...
}:
with lib; {
services = {
nginx = {
virtualHosts."notes.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
};
};
trilium-server = {
enable = true;
package = pkgs.trilium-next-server;
host = "127.0.0.1";
port = 8458;
noAuthentication = false;
instanceName = "posixlycorrect";
dataDir = "/var/lib/trilium";
nginx = {
enable = true;
hostName = "notes.posixlycorrect.com";
};
};
};
}


@ -1,63 +0,0 @@
{
config,
lib,
...
}:
with lib; {
services = {
nginx = {
virtualHosts."vault.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
locations."/".proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
};
};
#fail2ban.jails.gitea.settings = { };
postgresql = {
ensureDatabases = ["vaultwarden"];
ensureUsers = [
{
name = "vaultwarden";
ensureDBOwnership = true;
}
];
};
vaultwarden = {
enable = true;
dbBackend = "postgresql";
environmentFile = "/var/trust/vaultwarden/smtp_key";
config = {
DOMAIN = "https://vault.posixlycorrect.com";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8222;
ROCKET_LOG = "critical";
# Using FASTMAIL mail server
# If you use an external mail server, follow:
# https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
SMTP_HOST = "smtp.fastmail.com";
SMTP_PORT = 587;
SMTP_SECURITY = "starttls";
SMTP_FROM = "vault@posixlycorrect.com";
SMTP_FROM_NAME = "posixlycorrect vaultwarden server";
SMTP_AUTH_MECHANISM = "PLAIN";
DATABASE_URL = "postgresql:///vaultwarden";
};
};
bitwarden-directory-connector-cli.domain = "https://vault.posixlycorrect.com";
};
}


@ -1,53 +0,0 @@
{
lib,
pkgs,
...
}:
with lib; {
systemd.services.wiki-js = {
requires = ["postgresql.service"];
after = ["postgresql.service"];
};
services = {
nginx = {
virtualHosts."wjs.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
locations."/" = {
proxyPass = "http://127.0.0.1:3000";
};
};
};
wiki-js = {
enable = true;
environmentFile = "/var/trust/wiki-js/env.txt";
settings = {
bindIP = "127.0.0.1";
port = 3000;
db = {
db = "wiki-js";
user = "wiki-js";
type = "postgres";
host = "/run/postgresql";
};
};
};
postgresql = {
enable = true;
ensureDatabases = ["wiki-js"];
ensureUsers = [
{
name = "wiki-js";
ensureDBOwnership = true;
}
];
};
};
}


@ -23,18 +23,17 @@
gtklock.enable = true;
users = {
fabian = {
chem = {
enable = true;
unixId = 1002;
};
vanessa.enable = true;
};
};
trivium.sway.enable = true;
networking = {
hostName = "posixlycorrect";
hostName = "yuki";
networkmanager.enable = true;
useDHCP = false; # The global useDHCP flag is deprecated, therefore explicitly set to false here.


@ -0,0 +1,38 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/b925ebc0-f717-4f0d-83ca-a9a29990b8e2";
fsType = "btrfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/EC62-0FDF";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}