nx2/dotfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' of ssh://git.nx2.site:20022/nx2/dotfiles

Browse Source
This commit is contained in:
Lennart J. Kurzweg (Nx2)
2024-09-04 17:17:16 +02:00
parent 5eda39414a 20f8ea51c6
commit d626a5bd7d
8 changed files with 277 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
git-crypt/secrets.nix
View File

Binary file not shown.

1
home.nix
View File

@@ -73,6 +73,7 @@
piper-tts
sssnake pipes
dig
screen
gnumake
cmake

6
sops-secrets.yaml
View File

File diff suppressed because one or more lines are too long

27
system-modules/hsmw.nix
View File

@@ -1,5 +1,4 @@
{ pkgs, lib, host, secrets, ... }:
lib.mkIf (host != "NxACE")
{
environment.systemPackages = with pkgs; [
strongswanNM
@@ -38,19 +37,19 @@ lib.mkIf (host != "NxACE")
};
connections = {
hsmw = {
keyexchange = "ikev2";
left = "%defaultroute";
leftid = "%any";
leftauth = "eap";
eap_identity = "${secrets.email.hsmw.un}@hs-mittweida.de";
leftsourceip = "%config";
leftdns = "%config4";
leftfirewall = "no";
right = "141.55.128.84";
rightid = "@vpn4.hs-mittweida.de";
rightsubnet = "0.0.0.0/0";
rightauth = "pubkey";
auto = "add";
keyexchange = "ikev2";
left = "%defaultroute";
leftid = "%any";
leftauth = "eap";
eap_identity = "${secrets.email.hsmw.un}@hs-mittweida.de";
leftsourceip = "%config";
leftdns = "%config4"; # Ensure that DNS resolution works as expected
leftfirewall = "no"; # Keep firewall disabled, but manually check rules
right = "141.55.128.84";
rightid = "@vpn4.hs-mittweida.de";
rightsubnet = "141.55.128.0/16"; # Split tunneling: Only route traffic for the VPN subnet
rightauth = "pubkey";
auto = "add";
};
};
managePlugins = true;

6
system-modules/networking.nix
View File

@@ -3,6 +3,10 @@
let
in
{
networking.nameservers = [
"1.1.1.1"
"8.8.8.8"
];
networking.hostName = host;
@@ -10,5 +14,5 @@ in
enable = true;
};
networking.enableIPv6 = true;
networking.enableIPv6 = false;
}

54
system-modules/nx2site.nix
View File

@@ -1,5 +1,8 @@
{ config, pkgs, lib, user, host, ... }:
# lib.mkIf false
lib.mkIf (host == "NxACE")
# ((import ./nx2site/proxy.nix { inherit config pkgs lib user; }) //
(
{
sops.secrets = {
"nx2site/namecheap.pw" = { };
@@ -14,18 +17,15 @@ lib.mkIf (host == "NxACE")
Unit = "namecheap-dynamic-dns.service";
};
};
services."namecheap-dynamic-dns" =
let
services."namecheap-dynamic-dns" = let
u = let
domain = "nx2.site";
passord-file-path = config.sops.secrets."nx2site/namecheap.pw".path;
# passord-file-path = config.sops.secrets."nx2site/namecheap.pw".path;
log-file-path = "/var/log/update_namecheap.log";
count-file-path = "/var/log/update_namecheap-count.txt";
in
pkgs.writers.writePython3Bin "update_namecheap" {
libraries = with pkgs.python311Packages; [
requests
];
in pkgs.writers.writePython3Bin "update_namecheap" {
libraries = with pkgs.python311Packages; [ requests ];
flakeIgnore = [ "E501" "E305" "E701" "E704" "E302" "E114" "F841" ];
} ''
import requests
@@ -74,16 +74,48 @@ lib.mkIf (host == "NxACE")
main(args.force)
'';
in
{
in {
script = ''
set -eu
${u}/bin/update_namecheap
'';
serviceConfig = {
Type = "oneshot";
# User = "nx2";
};
};
};
}
# I can't use this becasue API Access for Namecheap needs a static whitelisted IP, which I don't have
# security.acme = {
# acceptTerms = true;
# certs."nx2site" = { };
# };
environment.systemPackages = with pkgs; [
certbot
(writeShellApplication {
name = "refresh_ssl_certificate";
runtimeInputs = [ certbot ];
# https://forum.endeavouros.com/t/tutorial-add-a-systemd-boot-loader-menu-entry-for-a-windows-installation-using-a-separate-esp-partition/37431
text = let
webroot = /home/nx2/nx2site/staticweb/content;
in /*bash*/ ''
cartbot
ls ${webroot}
'';
})
];
networking.hosts = { # docker network inspect nx2site_default | grep -E "Name|IPv4" | tr "\n" " " | sed -r 's- +- -g;s-\n?"Name": -\n-g' | sed -r '1d;2d;s-"(.+?)", "IPv4Address": "(.+)/16",- "\2" = [ "\1.docker" ];-g'
"172.1.2.1" = [ "staticweb.docker" ];
"172.1.3.1" = [ "matrix.docker" ];
# "172.1.0.9" = [ "matrixdb.docker" ];
"172.1.4.1" = [ "matrix-ss.docker" ];
# "172.1.0.7" = [ "matrix-ssdb.docker" ];
"172.1.5.1" = [ "pw.docker" ];
"172.1.6.1" = [ "git.docker" ];
# "172.1.0.10" = [ "gitdb.docker" ];
"172.1.7.1" = [ "nn.docker" ];
"172.1.8.1" = [ "llm.docker" ];
# "172.1.9.1" = [ "proxy.docker" ];
"172.1.10.1" = [ "share.docker" ];
"172.1.11.1" = [ "odq.docker" ];
};
})

180
system-modules/nx2site/proxy.nix Normal file
View File

@@ -0,0 +1,180 @@
{ config, pkgs, lib, user }:
lib.mkIf false
{
sops.secrets = {
"nx2site/sslCertificate.pem" = { owner = config.services.nginx.user; };
"nx2site/sslCertificateKey.pem" = { owner = config.services.nginx.user; };
"nx2site/dhparams.pem" = { owner = config.services.nginx.user; };
};
services.nginx = {
enable = true;
additionalModules = [];
# appendConfig = '''';
clientMaxBodySize = "20m";
defaultHTTPListenPort = 80;
defaultListenAddresses = [ "0.0.0.0" ] ++ lib.optional config.networking.enableIPv6 "[::0]";
defaultListen = [ {
addr = "0.0.0.0";
ssl = true;
port = 443;
proxyProtocol = true;
}];
defaultMimeTypes = "${pkgs.mailcap}/etc/nginx/mime.types";
defaultSSLListenPort = 443;
enableQuicBPF = true;
enableReload = true;
# eventsConfig = '''';
# logError = ;
# mapHashBucketSize = ;
# mapHashMaxSize = ;
package = pkgs.nginxQuic;
# preStart = true;
proxyResolveWhileRunning = false;
proxyTimeout = "20s";
recommendedBrotliSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedZstdSettings = true;
serverTokens = false;
# sslCiphers = true;
sslDhparam = config.sops.secrets."nx2site/dhparams.pem".path;
sslProtocols = "TLSv1.2 TLSv1.3";
statusPage = false;
streamConfig = ""; # udp config
validateConfigFile = true;
upstreams = {
"staticweb".servers = { "staticweb.docker:80" = {}; };
"matrix".servers = { "matrix.docker:80" = {}; };
"matrix-ss".servers = { "matrix-ss.docker:80" = {}; };
"pw".servers = { "pw.docker:80" = {}; };
"git".servers = { "git.docker:80" = {}; };
"nn".servers = { "nn.docker:80" = {}; };
"llm".servers = { "llm.docker:80" = {}; };
"share".servers = { "share.docker:80" = {}; };
"sync".servers = { "localhost:8384" = {}; };
};
virtualHosts = let
sslCertificate = config.sops.secrets."nx2site/sslCertificate.pem".path;
sslCertificateKey = config.sops.secrets."nx2site/sslCertificateKey.pem".path;
kTLS = true; http2 = true; http3 = true; http3_hq = true; quic = true;
in
{
"nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
locations = {
"/" = {
proxyPass = "http://staticweb";
# extraConfig = [ ''add_header Alt-Svc 'h3=":443"; ma=86400';'' ''add_header Cache-Control "public";'' ] ++ common-location-conf;
};
"/.well-known/matrix/client" = {
return = ''200 '{"m.homeserver": {"base_url": "https://matrix.nx2.site"}, "org.matrix.msc3575.proxy": {"url": "https://matrix-ss.nx2.site"}}' '';
extraConfig = [ "default_type application/json;" "add_header Access-Control-Allow-Origin *;" ];
};
"/.well-known/matrix/server" = {
return = ''200 '{"m.server":"matrix.nx2.site:443"}' '';
extraConfig = [ "default_type application/json;" "add_header Access-Control-Allow-Origin *;" ];
};
"~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
proxyPass = "http://matrix-ss";
# extraConfig = [ ''proxy_set_header X-Forwarded-For $remote_addr;'' ''proxy_set_header X-Forwarded-Proto $scheme;'' ''proxy_set_header Host $host;'' ];
};
"~ ^(\/_matrix|\/_synapse\/client)" = {
return = ''200 '{"m.server":"matrix.nx2.site:443"}' '';
# extraConfig = [];
};
};
};
"matrix.nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
listen = [
{ addr = "0.0.0.0"; port = 443; ssl = true; }
{ addr = "0.0.0.0"; port = 8448; ssl = true; }
];
locations = {
"/" = {
proxyPass = "http://matrix";
# extraConfig = [ ''add_header Alt-Svc 'h3=":443"; ma=86400';'' ''add_header Cache-Control "public";'' ] ++ common-location-conf;
};
};
};
"matrix-ss.nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
# "resolver 1.1.1.1;"
# "client_max_body_size 500M;"
# ];
locations = {
"/" = { proxyPass = "http://pw"; };
};
};
# "dev.nx2.site" = {
# inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
# locations = {
# "/" = {
# proxyPass = "http://dev";
# };
# };
# };
"pw.nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
locations = {
"/" = { proxyPass = "http://pw"; };
"/admin" = { proxyPass = "http://pw"; };
"/notifications/hub" = { proxyPass = "http://pw"; };
"/notifications/hub/negotiate" = { proxyPass = "http://pw"; };
};
};
"share.nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
locations = {
"/" = { proxyPass = "http://share"; # ''proxy_hide_header Content-Disposition;''
# ''proxy_set_header Content-Disposition $upstream_http_content_disposition;''
# ''proxy_set_header X-Real-IP $remote_addr;''
# ''proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;''
# ''proxy_set_header Host $http_host;''
# ];
};
"/socket.io" = {
proxyPass = "http://share/socket.io";
proxyWebsockets = true;
# extraConfig = [
# ''proxy_http_version 1.1;''
# ''proxy_set_header Upgrade $http_upgrade;''
# ''proxy_set_header Connection "upgrade";''
# ];
};
};
};
"sync.nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
locations = {
"/" = { proxyPass = "http://sync"; };
};
};
"git.nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
locations = {
"/" = { proxyPass = "http://git"; };
};
};
"~^(.*)\.nx2\.site$" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
root = "/home/nx2/nx2site/staticweb/xcontent/";
locations = {
"~.*" = { return = "502 /502.html"; };
};
};
};
};
}

32
system-modules/syncthing.nix
View File

@@ -17,7 +17,12 @@ let
};
dirs = {
default = { name = "sync"; path = "/home/${user}/sync"; };
default = { name = "sync"; path = "/home/${user}/sync"; };
s21u-dcim = { name = "s21u-dcim"; path = "/vault/Pictures/Lennart"; };
diane-dcim = { name = "diane-dcim"; path = "/vault/Pictures/Diane"; };
dianesd-dcim = { name = "dianesd-dcim"; path = "/vault/Pictures/Diane-SD"; };
daniel-dcim = { name = "daniel-dcim"; path = "/vault/Pictures/Daniel"; };
tessa-dcim = { name = "tessa-dcim"; path = "/vault/Pictures/Tessa"; };
};
in
lib.mkIf (user != "tv")
@@ -45,8 +50,7 @@ lib.mkIf (user != "tv")
) else if (host == "NxNORTH") then (
xps // ace // s21u
) else (
# north // xps // s21u // diane // daniel // tessa // georg
north // xps // s21u
north // xps // s21u // diane // daniel // tessa // georg
);
folders = with dirs; if (host == "NxXPS") then {
"${default.name}" = {
@@ -58,11 +62,31 @@ lib.mkIf (user != "tv")
path = default.path;
devices = with devices; (justname [ xps ace s21u ]);
};
} else {
} else { # NxACE
"${default.name}" = {
path = default.path;
devices = with devices; (justname [ xps north s21u ]);
};
"${s21u-dcim.name}" = {
path = s21u-dcim.path;
devices = with devices; (justname [ s21u ]);
};
"${diane-dcim.name}" = {
path = diane-dcim.path;
devices = with devices; (justname [ diane ]);
};
"${dianesd-dcim.name}" = {
path = dianesd-dcim.path;
devices = with devices; (justname [ diane ]);
};
"${daniel-dcim.name}" = {
path = daniel-dcim.path;
devices = with devices; (justname [ daniel ]);
};
"${tessa-dcim.name}" = {
path = tessa-dcim.path;
devices = with devices; (justname [ tessa ]);
};
};
gui = {
theme = "black";