nx2/dotfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' of ssh://ssh.nx2.site:50022/nx2/dotfiles

Browse Source
This commit is contained in:
Lennart J. Kurzweg (Nx2)
2024-11-21 22:17:48 +01:00
parent e4ec830aaa edbe4e7f66
commit d12b9ddf2f
14 changed files with 233 additions and 128 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
system-modules/games.nix
View File

@@ -1,5 +1,5 @@
{ lib, host, ... }:
lib.mkIf (host == "NxNORTH")
lib.mkIf (host == "NxNORTH" || host == "NxACE")
{
programs = {
gamemode = {

109
system-modules/nx2site.nix
View File

@@ -1,9 +1,23 @@
{ config, pkgs, domain, secrets, ... }:
{ config, pkgs, user, domain, secrets, ... }:
let dns-user = "cloudflare"; in
{
sops.secrets = {
"nx2site/namecheap.pw" = { };
# "nx2site/namecheap.pw" = { };
# "nx2site/cloudflare/api-token-dns-edit" = { };
"nx2site/cloudflare/global-api-key" = { };
"nx2site/cloudflare/global-api-key" = {
owner = dns-user;
};
};
users = {
users = {
"${dns-user}" = {
isSystemUser = true;
group = dns-user;
};
"${user}".extraGroups = [ dns-user ];
};
groups."${dns-user}" = {};
};
systemd = {
@@ -19,22 +33,24 @@
u = let
account_id = secrets.email.gmail-online.mail;
zone_id = "33fecab36e060f49d492127345ea95a0";
record_id = {
record_id = { # curl --request GET --url https://api.cloudflare.com/client/v4/zones/33fecab36e060f49d492127345ea95a0/dns_records --header 'Content-Type: application/json' --header 'X-Auth-Email: <hidden>@gmail.com' --header "X-Auth-Key: <hiddenreadinsops>" -s | jq
base = "58d3412e8d88889d1a611b3669f0700f";
sub = "fc861353142bc05d5dbad1799178e6a1";
base6 = "d1b90e21d2d747dcb30448bd65312927";
sub = "fc861353142bc05d5dbad1799178e6a1";
sub6 = "b8082b7afe9e80971fc9f9dda16ec284";
ssh = "c0f14f17f32d6595c202f041dd836eb3";
ssh6 = "f1ecb2d9d0522d4eec06437688ca76da";
};
passord-file-path = config.sops.secrets."nx2site/cloudflare/global-api-key".path;
log-file-path = "/var/log/couldflare.log";
count-file-path = "/var/log/cloudflare-count.txt";
in pkgs.writers.writePython3Bin "dyn_dns" {
libraries = with pkgs.python311Packages; [ requests ];
flakeIgnore = [ "E501" "E305" "E701" "E704" "E302" "E114" "F841" "E121" "E261" "E303"];
flakeIgnore = [ "E501" "E305" "E701" "E704" "E302" "E114" "F841" "E121" "E261" "E303" ];
} /* python */ ''
import requests
import subprocess
from datetime import datetime
# from datetime import datetime
def get_public_ip(ipv6=False):
return subprocess.run(['${pkgs.curl}/bin/curl', '-s', '-6' if ipv6 else '-4', 'https://ifconfig.me'], capture_output=True, text=True).stdout.strip()
@@ -43,13 +59,13 @@
my_ip = get_public_ip()
my_ip6 = get_public_ip(ipv6=True)
with open("${count-file-path}", "r") as f:
content = f.read()
if content == "": count = 0
else: count = int(content)
count += 1
with open("${count-file-path}", "w") as f:
f.write(str(count))
# with open("${count-file-path}", "r") as f:
# content = f.read()
# if content == "": count = 0
# else: count = int(content)
# count += 1
# with open("${count-file-path}", "w") as f:
# f.write(str(count))
# 4
with open("${passord-file-path}", 'r') as pw_file:
@@ -85,7 +101,7 @@
},
json={
"comment": "Domain verification record",
"name": "${domain}",
"name": "*.${domain}",
"proxied": True,
"settings": {},
"tags": [],
@@ -95,15 +111,34 @@
}
)
resp_sshd = requests.patch(
'https://api.cloudflare.com/client/v4/zones/${zone_id}/dns_records/${record_id.ssh}',
headers={
'Content-Type': 'application/json',
'X-Auth-Email': '${account_id}',
'X-Auth-Key': pw
},
json={
"comment": "Domain verification record",
"name": "ssh.${domain}",
"proxied": False,
"settings": {},
"tags": [],
"ttl": 1, # automatic
"content": my_ip,
"type": "A"
}
)
if resp_base.status_code != 200:
print(resp_base.text)
now_str = datetime.now().strftime('%Y/%m/%d-%R')
log_entry = f"At {now_str} - to {my_ip} - Response {resp_base.status_code}\n"
print(log_entry, end="")
with open("${log-file-path}", 'a') as log_file:
log_file.write(log_entry)
# now_str = datetime.now().strftime('%Y/%m/%d-%R')
# log_entry = f"At {now_str} - to {my_ip} - Response {resp_base.status_code}\n"
# print(log_entry, end="")
# with open("${log-file-path}", 'a') as log_file:
# log_file.write(log_entry)
# Perform DNS updates
# https://developers.cloudflare.com/api/operations/dns-records-for-a-zone-update-dns-record
@@ -135,7 +170,7 @@
},
json={
"comment": "Domain verification record",
"name": "${domain}",
"name": "*.${domain}",
"proxied": True,
"settings": {},
"tags": [],
@@ -145,14 +180,32 @@
}
)
resp_sshd = requests.patch(
'https://api.cloudflare.com/client/v4/zones/${zone_id}/dns_records/${record_id.ssh6}',
headers={
'Content-Type': 'application/json',
'X-Auth-Email': '${account_id}',
'X-Auth-Key': pw
},
json={
"comment": "Domain verification record",
"name": "ssh.${domain}",
"proxied": False,
"settings": {},
"tags": [],
"ttl": 1, # automatic
"content": my_ip6,
"type": "AAAA"
}
)
if resp_base.status_code != 200:
print(resp_base.text)
now_str = datetime.now().strftime('%Y/%m/%d-%R')
log_entry = f"At {now_str} - to {my_ip6} - Response {resp_base.status_code}\n"
print(log_entry, end="")
with open("${log-file-path}", 'a') as log_file: log_file.write(log_entry)
# now_str = datetime.now().strftime('%Y/%m/%d-%R')
# log_entry = f"At {now_str} - to {my_ip6} - Response {resp_base.status_code}\n"
# print(log_entry, end="")
# with open("${log-file-path}", 'a') as log_file: log_file.write(log_entry)
if __name__ == "__main__":
main()
@@ -164,7 +217,7 @@
'';
serviceConfig = {
Type = "oneshot";
User = "root";
User = dns-user;
};
};
};
@@ -174,7 +227,7 @@
# "172.1.0.9" = [ "matrixdb.docker" ];
# "172.1.4.1" = [ "matrix-ss.docker" ];
# "172.1.0.7" = [ "matrix-ssdb.docker" ];
"172.1.5.1" = [ "pw.docker" ];
# "172.1.5.1" = [ "pw.docker" ];
"172.1.6.1" = [ "git.docker" ];
# "172.1.0.10" = [ "gitdb.docker" ];
# "172.1.7.1" = [ "nn.docker" ];

71
system-modules/nx2site/gitea.nix
View File

@@ -1,26 +1,41 @@
{ config, pkgs-unstable, domain, ... }:
{ config, pkgs, secrets, user, domain, ... }:
let git-user = "git"; in
{
sops.secrets = {
"postgres-pw" = { owner = "gitea"; };
"postgres-pw" = { owner = config.services.gitea.user; };
};
environment.systemPackages = with pkgs; [
gitea
];
users = {
users = {
"${user}".extraGroups = [ git-user ];
"${git-user}" = {
isSystemUser = true;
group = git-user;
useDefaultShell = true;
home = config.services.gitea.stateDir;
openssh.authorizedKeys.keys = config.users.users."${user}".openssh.authorizedKeys.keys;
};
};
groups."${git-user}" = {};
};
services.gitea = {
enable = true;
package = pkgs-unstable.gitea;
group = "gitea"; # default
user = "gitea"; # default
package = pkgs.gitea;
group = git-user;
user = git-user;
appName = "NxGit";
stateDir = "/var/lib/gitea"; # default
useWizard = false; # default
# camoHmacKeyFile = ;
customDir = "${config.services.gitea.stateDir}/custom"; # default
database = {
createDatabase = false; # default
host = "127.0.0.1"; # default
port = 5432;
passwordFile = config.sops.secrets."postgres-pw".path;
# path = "${config.services.gitea.stateDir}/data/gitea.db"; # default
# socket = "/run/postgresql";
socket = null;
type = "postgres";
name = "gitea"; # default
@@ -28,37 +43,35 @@
};
dump = {
enable = true;
backupDir = "${config.services.gitea.stateDir}/dump"; # default
file = null; # default
backupDir = "/var/backup/gitea";
file = null; # default = chosen by gitea
interval = "daily";
type = "zip"; # default
};
extraConfig = null; # default
lfs = {
enable = false; # default
contentDir = "${config.services.gitea.stateDir}/data/lfs"; # default
};
mailerPasswordFile = null; # default
metricsTokenFile = null; # default
repositoryRoot = "${config.services.gitea.stateDir}/repositories"; # default
# extraConfig = null; # default
# lfs = {
# enable = false; # default
# contentDir = "${config.services.gitea.stateDir}/data/lfs"; # default
# };
# mailerPasswordFile = null; # default
# metricsTokenFile = null; # default
# repositoryRoot = "${config.services.gitea.stateDir}/repositories"; # default
settings = {
log = {
LEVEL = "Info";
# LEVEL = "Error";
ROOT_PATH = "${config.services.gitea.stateDir}/log"; # default
};
i18n = {
LANGS = "en-US";
};
server = {
DISABLE_SSH = false; # default
SSH_PORT = 20022;
DOMAIN = "pw2.${domain}";
HTTP_ADDR = "http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT}/";
HTTP_PORT = 3000; # default
PROTOCOL = "http"; # default
ROOT_URL = "https:pw2.${domain}/"; # default
STATIC_ROOT_PATH = "${config.services.gitea.stateDir}/static";
START_SSH_SERVER = false; # default
SSH_LISTEN_HOST = "0.0.0.0";
SSH_PORT = secrets.ssh.port;
DOMAIN = "pw.${domain}";
SSH_DOMAIN = "ssh.${domain}";
# HTTP_ADDR = "${config.services.gitea.settings.server.DOMAIN}";
# HTTP_PORT = 3000; # default
# PROTOCOL = "http"; # default
# ROOT_URL = "https:pw.${domain}/"; # default
};
session = {
COOKIE_SECURE = true;

35
system-modules/nx2site/proxy.nix
View File

@@ -14,7 +14,7 @@
};
certs = {
"${domain}" = {
extraDomainNames = builtins.map (subd: "${subd}.${domain}") [ "git" "git2" "pw" "pw2" "sync" ];
extraDomainNames = builtins.map (subd: "${subd}.${domain}") [ "git" "pw" "sync" ];
};
};
};
@@ -99,18 +99,20 @@
listen = dl;
locations = { "~.*" = { return = "502"; }; };
};
# "pw.${domain}" = vh // {
# listen = dl;
# locations = let d = "pw.docker:80"; in {
# "/" = { proxyPass = "http://${d}"; };
# "/admin" = { proxyPass = "http://${d}"; };
# "/notifications/hub" = { proxyPass = "http://${d}"; };
# "/notifications/hub/negotiate" = { proxyPass = "http://${d}"; };
# };
# };
"pw.${domain}" = vh // {
listen = dl;
locations = let d = "pw.docker:80"; in {
"/" = { proxyPass = "http://${d}"; };
"/admin" = { proxyPass = "http://${d}"; };
"/notifications/hub" = { proxyPass = "http://${d}"; };
"/notifications/hub/negotiate" = { proxyPass = "http://${d}"; };
};
};
"pw2.${domain}" = vh // {
listen = dl;
locations = let d = "127.0.0.1:3000"; in {
locations = let
d = with config.services.vaultwarden.config; "${ROCKET_ADDRESS}:${builtins.toString ROCKET_PORT}";
in {
"/" = { proxyPass = "http://${d}"; };
"/admin" = { proxyPass = "http://${d}"; };
"/notifications/hub" = { proxyPass = "http://${d}"; };
@@ -121,13 +123,14 @@
listen = dl;
locations = { "/" = { proxyPass = "http://127.0.0.1:11434"; }; };
};
# "git.${domain}" = vh // {
# listen = dl;
# locations = { "/" = { proxyPass = "http://git.docker:3000"; }; };
# };
"git.${domain}" = vh // {
http2 = false;
listen = dl;
locations = { "/" = { proxyPass = "http://git.docker:3000"; }; };
};
"git2.${domain}" = vh // {
listen = dl;
locations = { "/" = { proxyPass = "http://127.0.0.1:8222"; }; };
locations = { "/" = { proxyPass = "http://127.0.0.1:3000"; }; };
};
"~^(.*).${domain}$" = {
listen = dl;

43
system-modules/nx2site/vaultwarden.nix
View File

@@ -0,0 +1,43 @@
{ config, pkgs, secrets, domain, ... }:
{
sops.secrets = {
"nx2site/vaultwarden.env" = {
owner = "vaultwarden";
};
};
services.vaultwarden = {
enable = true;
package = pkgs.vaultwarden;
webVaultPackage = pkgs.vaultwarden.webvault;
dbBackend = "postgresql";
# backupDir = "/var/backup/vaultwarden";
environmentFile = config.sops.secrets."nx2site/vaultwarden.env".path;
config = {
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8222;
DATABASE_URL = "@DATABASE_URL@";
# DATABASE_URL = "postgresql://vaultwarden:fakepw123@127.0.0.1:5432/vaultwarden";
SMTP_HOST = "smtp.gmail.com";
SMTP_FROM = secrets.email.gmail-online.mail;
SMTP_PORT = 587;
SMTP_SECURITY = "starttls";
SMTP_USERNAME = secrets.email.gmail-online.mail;
SMTP_PASSWORD = "@SMTP_PASSWORD@";
LOGIN_RATELIMIT_MAX_BURST = 10;
LOGIN_RATELIMIT_SECONDS = 60;
DOMAIN = "https://pw.${domain}";
INVITATION_ORG_NAME = "NxPW";
INVITATIONS_ALLOWED = true;
ADMIN_TOKEN = "@ADMIN_TOKEN@";
SIGNUPS_ALLOWED = false;
SIGNUPS_VERIFY = true;
SIGNUPS_VERIFY_RESEND_TIME = 3600;
SIGNUPS_VERIFY_RESEND_LIMIT = 6;
EMERGENCY_ACCESS_ALLOWED = true;
SENDS_ALLOWED = true;
WEB_VAULT_ENABLED = true;
};
};
}

69
system-modules/postgres.nix
View File

@@ -23,7 +23,7 @@
# recoveryConfig = null;
ensureDatabases = [
"gitea"
# "vaultwarden"
"vaultwarden"
];
settings = {
port = 5432; # default
@@ -32,49 +32,40 @@
shared_preload_libraries = [ ]; # default
};
ensureUsers = [
# {
# name = "${user}";
# ensureDBOwnership = false;
# ensureClauses = {
# login = true;
# # inherit
# createdb = true;
# bypassrls = true;
# superuser = true;
# createrole = true;
# replication = true;
# };
# }
# as liong as there is no declarative user management you gotta set a pw by hand
# sudo -u postgres psql -c "ALTER USER gitea PASSWORD 'new-passwd';"
{
# as liong as there is no declarative user management you gotta set a pw by hand
# sudo -u postgres psql -c "ALTER USER gitea PASSWORD 'new-passwd';"
name = "gitea";
name = "gitea";
ensureDBOwnership = true;
}
{
name = "vaultwarden";
ensureDBOwnership = true;
}
];
};
# postgresqlBackup = {
# enable
# startAt
# location
# databases
# backupAll
# compression
# }
# postgresqlWalReceiver.receivers."main" = {
# postgresqlPackage = pkgs.postgresql_15;
# directory = /mnt/pg_wal/main/;
# slot = "main_wal_receiver";
# connection = "postgresql://user@somehost";
# compress
# extraArgs
# synchronous
# environment
# statusInterval
# };
# }
postgresqlBackup = {
enable = true;
# startAt = "*-*-* 01:15:00";
# location = "/var/backup/postgresql";
databases = config.services.postgresql.ensureDatabases;
backupAll = false;
# compression = "gzip";
# pgdumpOptions = "-C";
# compressionLevel = 6;
};
# postgresqlWalReceiver.receivers."main" = {
# postgresqlPackage = pkgs.postgresql_15;
# directory = /mnt/pg_wal/main/;
# slot = "main_wal_receiver";
# connection = "postgresql://user@somehost";
# compress
# extraArgs
# synchronous
# environment
# statusInterval
# };
# };
};
}

4
system-modules/sshd.nix
View File

@@ -3,7 +3,7 @@
{
environment.etc."ssh/ssh_host_ed25519_key.pub".text = if (host == "NxNORTH") then
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF1r5gUQPPS/dGB0SsvWtP6WdNWoxMwhhHRrqlO19cJt root@NxNORTH"
else if ( host == "NxXPS") then
else if ( host == "NxXPS" ) then
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPf+08+t8a0lY2+nR1mhIU3vuksStiJOlojJjzCwFk7r root@NxXPS"
else
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBFfZpWVPlujsz3FklSVAM+tuYn4pzDSijhp5CeYNOZk root@NxACE";
@@ -13,7 +13,7 @@
};
services.openssh = {
enable = true;
ports = secrets.ssh.ports;
ports = [ secrets.ssh.port ];
settings = {
PasswordAuthentication = false;
};

2
system-modules/users.nix
View File

@@ -6,6 +6,7 @@
users.users."${user}" = {
isNormalUser = true;
extraGroups = [
# TODO: actually put the groups into the relevant files
"networkmanager"
"wheel"
"audio"
@@ -18,7 +19,6 @@
"acme"
"nginx"
"adbusers"
"gitea"
"postgres"
];
useDefaultShell = true;