nx2/dotfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' of ssh://ssh.nx2.site:20022/nx2/dotfiles

Browse Source
This commit is contained in:
Lennart J. Kurzweg (Nx2)
2024-11-14 01:21:42 +01:00
parent 77e9aa4ddd e26ac7cbe2
commit 37eb70db63
9 changed files with 186 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
configuration.nix
View File

@@ -40,6 +40,7 @@
./system-modules/ydotool.nix ./system-modules/ydotool.nix
]) ++ (if (host == "NxACE") then [ ]) ++ (if (host == "NxACE") then [
./system-modules/nx2site.nix ./system-modules/nx2site.nix
./system-modules/postgres.nix
./system-modules/nx2site/proxy.nix ./system-modules/nx2site/proxy.nix
# ./system-modules/nx2site/gitea.nix # ./system-modules/nx2site/gitea.nix
# ./system-modules/nx2site/vaultwarden.nix # ./system-modules/nx2site/vaultwarden.nix

5
sops-secrets.yaml
View File

@@ -37,6 +37,7 @@ eduroam:
nxxpspw: ENC[AES256_GCM,data:IpzL3rsB9BN5fhUBMtAo3DPhk6LEDuizHUj+mPPtQA==,iv:zjH5Bcw0q57oyA/ce0scSIeDvmt51vQzttHq6hwDkwk=,tag:Gf0NUQ3O3fol0M0+2HpGEA==,type:str] nxxpspw: ENC[AES256_GCM,data:IpzL3rsB9BN5fhUBMtAo3DPhk6LEDuizHUj+mPPtQA==,iv:zjH5Bcw0q57oyA/ce0scSIeDvmt51vQzttHq6hwDkwk=,tag:Gf0NUQ3O3fol0M0+2HpGEA==,type:str]
tuda_nmconnection: ENC[AES256_GCM,data:LHy4lYZ6hf0Xfz25KSIY47TwrjNoEvqPi21mXKsfOq9/8Hmveca7UD9jfSbL2fyQ7dEBB2yoW01l6L63GilmSRUqd7eU2dhUCOdZ6L0j7IiFg51oT0FtJSKnQIf9BHslRWP3gQifOxKCIMGwhVEw6xMRINwRizjq073oCCDvgKtbW0cxLy8s4VOsBgAjCWiRDWaItYW83lLL6y49SYw8JJljZXGwrSxmE/wN2STJ05Wzc3cuah63b+lKnGAApkfCALGYGjdktJ/87wT0RveTyV7DzmKOd9Oo0N2cPB91vsnYOKlUBEsNo45x52tvlAx4qJ7358SjNTV0i4HD+k5/byKe8IvSnEsRjvnOLG9OXdCkdf17NcI7VvWPF6u3kAWp81Wc+6lFo9LXB5AE8dRpf5naC1wseLl2pU/8cdgj2EgVl89mo8QaaQfAPxEbaFDnQcNCEYXcRcwjVfBV5cQVqYIrcmmb/c1IVGOOSBijM8u19zq5DfUP1uc835RE9D6NL7NV69VvgoYjb/8/GGf11hDcDESaOEK3zULeyKU0K0hM7AluI8rnZsOZJK70OMLJsUPvVfI0GS9NGZXjYfCoALE0DAt2Qi4cKMNLQzQvHkvXGbdMpzI=,iv:SZmGSEOEPdzWvYvAe4/Iv8qNZjaAfSY+uVfpt3BBN9Q=,tag:NprSgZJwjBHCEKNNypESxg==,type:str] tuda_nmconnection: ENC[AES256_GCM,data:LHy4lYZ6hf0Xfz25KSIY47TwrjNoEvqPi21mXKsfOq9/8Hmveca7UD9jfSbL2fyQ7dEBB2yoW01l6L63GilmSRUqd7eU2dhUCOdZ6L0j7IiFg51oT0FtJSKnQIf9BHslRWP3gQifOxKCIMGwhVEw6xMRINwRizjq073oCCDvgKtbW0cxLy8s4VOsBgAjCWiRDWaItYW83lLL6y49SYw8JJljZXGwrSxmE/wN2STJ05Wzc3cuah63b+lKnGAApkfCALGYGjdktJ/87wT0RveTyV7DzmKOd9Oo0N2cPB91vsnYOKlUBEsNo45x52tvlAx4qJ7358SjNTV0i4HD+k5/byKe8IvSnEsRjvnOLG9OXdCkdf17NcI7VvWPF6u3kAWp81Wc+6lFo9LXB5AE8dRpf5naC1wseLl2pU/8cdgj2EgVl89mo8QaaQfAPxEbaFDnQcNCEYXcRcwjVfBV5cQVqYIrcmmb/c1IVGOOSBijM8u19zq5DfUP1uc835RE9D6NL7NV69VvgoYjb/8/GGf11hDcDESaOEK3zULeyKU0K0hM7AluI8rnZsOZJK70OMLJsUPvVfI0GS9NGZXjYfCoALE0DAt2Qi4cKMNLQzQvHkvXGbdMpzI=,iv:SZmGSEOEPdzWvYvAe4/Iv8qNZjaAfSY+uVfpt3BBN9Q=,tag:NprSgZJwjBHCEKNNypESxg==,type:str]
hsmw-vpn-secret: ENC[AES256_GCM,data:3bKxRGTQcbhRjzARSpYBW5ekQW/U/ixzNiFmO36gw0NKyDMLlbVbJBqXvi71M0GXgmo/FA==,iv:7bVDA8u9apDNXFY/vEMbz/0HywG5Pyrl5JfZrcNCr8w=,tag:xz4j7cEc5hvLwrItWjkx0Q==,type:str] hsmw-vpn-secret: ENC[AES256_GCM,data:3bKxRGTQcbhRjzARSpYBW5ekQW/U/ixzNiFmO36gw0NKyDMLlbVbJBqXvi71M0GXgmo/FA==,iv:7bVDA8u9apDNXFY/vEMbz/0HywG5Pyrl5JfZrcNCr8w=,tag:xz4j7cEc5hvLwrItWjkx0Q==,type:str]
postgres-pw: ENC[AES256_GCM,data:D9b7IbvLshmRuSyF9+V3WqVf/95+OhCJm0g=,iv:D4tpzEBzcCatbnQwtOGn8X0QSrXOye20rXaw8TSB7Gk=,tag:Q0B/86eDKkhu0Jnln1sUyg==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@@ -79,8 +80,8 @@ sops:
SHJLR3lvdlFiRmJuU25RUHFFTmpjamMKbzycdDvQBAuOiRROTZEQSnaXoPapz73L SHJLR3lvdlFiRmJuU25RUHFFTmpjamMKbzycdDvQBAuOiRROTZEQSnaXoPapz73L
yVS9EUP25FSx/sGqRqaCefbeaybuM1aso6LDnlomv4Bib7zjugWKSw== yVS9EUP25FSx/sGqRqaCefbeaybuM1aso6LDnlomv4Bib7zjugWKSw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-09T19:04:21Z" lastmodified: "2024-11-10T17:15:08Z"
mac: ENC[AES256_GCM,data:S2Y8EeIAh85xU30gR6HIUMGzO11/TP3g6S9UL+6QlHYY9lJKAcvdatWfD2DXJPdN7/dryYNZ1V1rYSIqEMi2QgBoiDN/fA9DF0/YPqfT2oLFBk5VASovRVqWb+x9kXDAnyev/RSX3i0wpJwsr9c1cGxv0ZYG8m+yyWkLJkcmRUo=,iv:MBP4jaUWnpOkUtR6BVTMDhDDP3oWspvBH2syPqL7uuw=,tag:8mySVfdq3D/xDZ3I272D3Q==,type:str] mac: ENC[AES256_GCM,data:VIPBKaDhSV7TG+pbo1OtdREJeqwdXqqDETeXkvhIs0Bz/c01MZXqPgubINW9tSLrNewFWSU5xI0O7L2ExBIjZxJ/nEmQkNkN+CUy1uGwatxsqa7gyVs1gXpIPPUGgStDMu8iukUSj9mLg9xQwGu0hGoC7DCbGqpu7blbUUzg0dE=,iv:+cR1vV7O3VdacP4MwAFkyBjKnqteL6AuV1H3Hh5hz28=,tag:WV/NHHPxvlkdslZbb0FBXA==,type:str]
pgp: pgp:
- created_at: "2024-06-09T19:44:41Z" - created_at: "2024-06-09T19:44:41Z"
enc: |- enc: |-

6
system-modules/gitea.nix
View File

@@ -1,6 +0,0 @@
{ pkgs, ... }:
{
services.gitea = {
enable = true;
};
}

12
system-modules/networking.nix
View File

@@ -13,10 +13,20 @@
networkmanager = { networkmanager = {
enable = true; enable = true;
}; };
enableIPv6 = false; enableIPv6 = true;
firewall.allowedTCPPorts = [ firewall.allowedTCPPorts = [
80 80
443 443
]; ];
}; };
environment.etc = {
"ssl/certs/tuda-eduroam-root.crt".source = "${pkgs.cacert.unbundled}/etc/ssl/certs/T-TeleSec_GlobalRoot_Class_2:1.crt";
};
sops.secrets = {
"eduroam/tuda_nmconnection" = {
mode = "0600";
owner = "root";
path = "/etc/NetworkManager/system-connections/eduroam.nmconnection";
};
};
} }

71
system-modules/nx2site/gitea.nix Normal file
View File

@@ -0,0 +1,71 @@
{ config, pkgs-unstable, domain, ... }:
{
sops.secrets = {
"postgres-pw" = { owner = "gitea"; };
};
services.gitea = {
enable = true;
package = pkgs-unstable.gitea;
group = "gitea"; # default
user = "gitea"; # default
appName = "NxGit";
stateDir = "/var/lib/gitea"; # default
useWizard = false; # default
# camoHmacKeyFile = ;
customDir = "${config.services.gitea.stateDir}/custom"; # default
database = {
createDatabase = false; # default
host = "127.0.0.1"; # default
port = 5432;
passwordFile = config.sops.secrets."postgres-pw".path;
# path = "${config.services.gitea.stateDir}/data/gitea.db"; # default
# socket = "/run/postgresql";
socket = null;
type = "postgres";
name = "gitea"; # default
user = "gitea"; # default
};
dump = {
enable = true;
backupDir = "${config.services.gitea.stateDir}/dump"; # default
file = null; # default
interval = "daily";
type = "zip"; # default
};
extraConfig = null; # default
lfs = {
enable = false; # default
contentDir = "${config.services.gitea.stateDir}/data/lfs"; # default
};
mailerPasswordFile = null; # default
metricsTokenFile = null; # default
repositoryRoot = "${config.services.gitea.stateDir}/repositories"; # default
settings = {
log = {
LEVEL = "Info";
# LEVEL = "Error";
ROOT_PATH = "${config.services.gitea.stateDir}/log"; # default
};
i18n = {
LANGS = "en-US";
};
server = {
DISABLE_SSH = false; # default
SSH_PORT = 20022;
DOMAIN = "pw2.${domain}";
HTTP_ADDR = "http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT}/";
HTTP_PORT = 3000; # default
PROTOCOL = "http"; # default
ROOT_URL = "https:pw2.${domain}/"; # default
STATIC_ROOT_PATH = "${config.services.gitea.stateDir}/static";
};
session = {
COOKIE_SECURE = true;
};
service = {
DISABLE_REGISTRATION = true;
};
};
};
}

2
system-modules/nx2site/proxy.nix
View File

@@ -110,7 +110,7 @@
}; };
"pw2.${domain}" = vh // { "pw2.${domain}" = vh // {
listen = dl; listen = dl;
locations = let d = "127.0.0.1:8222"; in { locations = let d = "127.0.0.1:3000"; in {
"/" = { proxyPass = "http://${d}"; }; "/" = { proxyPass = "http://${d}"; };
"/admin" = { proxyPass = "http://${d}"; }; "/admin" = { proxyPass = "http://${d}"; };
"/notifications/hub" = { proxyPass = "http://${d}"; }; "/notifications/hub" = { proxyPass = "http://${d}"; };

0
system-modules/nx2site/vaultwarden.nix Normal file
View File

83
system-modules/postgres.nix Normal file
View File

@@ -0,0 +1,83 @@
{ config, pkgs, lib, user, ... }:
{
services = {
postgresql = {
enable = true;
package = pkgs.postgresql_12;
dataDir = "/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}"; # default
# identMap = ''
# ${user} ${user} ${user}
# '';
enableJIT = false; # default
initdbArgs = []; # default
checkConfig = true; # default
enableTCPIP = false;
# # extraPlugins =
initialScript = null; # default
authentication = lib.mkForce ''
# TYPE DATABASE USER ADDRESS METHOD
local all all trust
host all all 127.0.0.1/32 trust #scram-sha-256
host all all ::1/128 trust #scram-sha-256
'';
# recoveryConfig = null;
ensureDatabases = [
"gitea"
# "vaultwarden"
];
settings = {
port = 5432; # default
listen_addresses = "localhost";
log_line_prefix = "[%p] "; # default
shared_preload_libraries = [ ]; # default
};
ensureUsers = [
# {
# name = "${user}";
# ensureDBOwnership = false;
# ensureClauses = {
# login = true;
# # inherit
# createdb = true;
# bypassrls = true;
# superuser = true;
# createrole = true;
# replication = true;
# };
# }
{
# as liong as there is no declarative user management you gotta set a pw by hand
# sudo -u postgres psql -c "ALTER USER gitea PASSWORD 'new-passwd';"
name = "gitea";
ensureDBOwnership = true;
}
];
};
# postgresqlBackup = {
# enable
# startAt
# location
# databases
# backupAll
# compression
# }
# postgresqlWalReceiver.receivers."main" = {
# postgresqlPackage = pkgs.postgresql_15;
# directory = /mnt/pg_wal/main/;
# slot = "main_wal_receiver";
# connection = "postgresql://user@somehost";
# compress
# extraArgs
# synchronous
# environment
# statusInterval
# };
# }
};
}

17
system-modules/users.nix
View File

@@ -5,7 +5,22 @@
users.users."${user}" = { users.users."${user}" = {
isNormalUser = true; isNormalUser = true;
extraGroups = [ "networkmanager" "wheel" "audio" "video" "docker" "libvirtd" "uinput" "input" "ydotool" "acme" "nginx" "adbusers" ]; extraGroups = [
"networkmanager"
"wheel"
"audio"
"video"
"docker"
"libvirtd"
"uinput"
"input"
"ydotool"
"acme"
"nginx"
"adbusers"
"gitea"
"postgres"
];
useDefaultShell = true; useDefaultShell = true;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID1RPCcS8DtIf75a2FEW4d8X6WTVeLlmretoLqppvZlJ" # From [A] GPG Sub Key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID1RPCcS8DtIf75a2FEW4d8X6WTVeLlmretoLqppvZlJ" # From [A] GPG Sub Key