This commit is contained in:
Hadi
2024-06-21 13:58:14 +02:00
parent d100690333
commit 154c21859d
17 changed files with 20 additions and 20 deletions


@@ -2,20 +2,20 @@
imports = [
./hardware-configuration.nix
./variables.nix
../modules/server/security.nix
../modules/server/openssh.nix
../modules/server/sops.nix
../modules/server/cloudflare-dyndns.nix
../modules/server/nginx.nix
../modules/server/nextcloud.nix
../modules/server/vaultwarden.nix
../modules/server/www
../modules/server/adguard.nix
../modules/server/ntfy-sh.nix
../modules/server/tailscale.nix
../modules/server/kuma.nix
../modules/server/bitcoin-git.nix
# ../modules/server/unifi.nix # FIXME: unifi5 is deprecated
./modules/security.nix
./modules/openssh.nix
./modules/sops.nix
./modules/cloudflare-dyndns.nix
./modules/nginx.nix
./modules/nextcloud.nix
./modules/vaultwarden.nix
./modules/www
./modules/adguard.nix
./modules/ntfy-sh.nix
./modules/tailscale.nix
./modules/kuma.nix
./modules/bitcoin-git.nix
# ./modules/unifi.nix # FIXME: unifi5 is deprecated
];


@@ -0,0 +1,12 @@
# Network-wide ads & trackers blocking DNS server
# Change your router primary DNS server to {this server IP} to make it network wide.
{
services.adguardhome = {
enable = false;
host = "0.0.0.0";
port = 3000;
allowDHCP = true;
openFirewall = true;
};
networking.firewall.allowedTCPPorts = [ 53 3000 ];
}
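Review bot: The last line, `networking.firewall.allowedTCPPorts = [ 53 3000 ];`, opens both ports on every interface even though `enable = false`, and it opens DNS over TCP only, so UDP 53 — the transport resolvers try first — would still be blocked the day the service is switched on. Tie the exposure to the enable flag and add the UDP port, e.g. `networking.firewall = lib.mkIf config.services.adguardhome.enable { allowedTCPPorts = [ 53 ]; allowedUDPPorts = [ 53 ]; };` (the module header would then need to become `{ config, lib, ... }:`). As far as I recall `openFirewall = true` already takes care of the web-UI port, so listing 3000 again is redundant. Since `host = "0.0.0.0"` binds the unauthenticated first-run setup wizard to all interfaces, binding it to a LAN or tailnet address until setup is complete would be safer.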


@@ -0,0 +1,31 @@
{ pkgs, ... }: {
systemd.timers."bitcoin-git" = {
wantedBy = [ "timers.target" ];
timerConfig = {
Unit = "bitcoin-git.service";
OnCalendar = "daily";
Persistent = true;
};
};
systemd.services."bitcoin-git" = {
script = ''
[ ! -d "/home/hadi/btcprice" ] && ${pkgs.git}/bin/git clone git@github.com:anotherhadi/btcprice /home/hadi/btcprice
cd "/home/hadi/btcprice"
price=$(${pkgs.curl}/bin/curl eur.rate.sx/1BTC)
echo "# Bitcoin Price in EURO" >README.md
echo "" >>README.md
echo "1 Bitcoin = $price" >>README.md
echo "" >>README.md
echo "Date: $(date)" >>README.md
${pkgs.git}/bin/git add .
${pkgs.git}/bin/git commit -m "Update price (hadi)"
${pkgs.git}/bin/git push -u origin main
exit 0
'';
serviceConfig = {
Type = "oneshot";
User = "hadi";
};
};
}
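Review bot: The fetch on the `price=$(... curl eur.rate.sx/1BTC)` line is a plain-HTTP request whose unauthenticated response is written straight into README.md, committed and pushed with the key in /home/hadi/.ssh, so anyone who can tamper with that connection can put arbitrary text into the published repository. Use TLS and make failures visible instead of committing an empty or error body: `price=$(${pkgs.curl}/bin/curl --fail --silent --show-error --max-time 30 https://eur.rate.sx/1BTC)` followed by `[ -n "$price" ] || exit 1`. The closing `exit 0` only masks whatever the push returned and can be dropped. Because the unit runs as `hadi` with that user's whole home and SSH identity available, a deploy key scoped to this one repository would limit what a compromised script could push.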


@@ -0,0 +1,20 @@
# CloudFlare Dynamic DNS client
{
services.cloudflare-dyndns = {
enable = true;
ipv4 = true;
domains = [
"cloud.anotherhadi.com"
"vault.anotherhadi.com"
"anotherhadi.com"
"www.anotherhadi.com"
"test.anotherhadi.com"
"jack.anotherhadi.com"
"ntfy.anotherhadi.com"
"home.anotherhadi.com"
"kuma.anotherhadi.com"
];
proxied = true;
apiTokenFile = "/etc/cloudflare/apiToken";
};
}


@@ -0,0 +1,14 @@
{
services.uptime-kuma = {
enable = true;
settings = {
HOST = "127.0.0.1";
PORT = "3005";
};
};
services.nginx.virtualHosts."kuma.anotherhadi.com" = {
enableACME = true;
locations."/" = { proxyPass = "http://127.0.0.1:3005"; };
};
networking.firewall.allowedTCPPorts = [ 3005 ];
}
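Review bot: `networking.firewall.allowedTCPPorts = [ 3005 ];` on the last line opens a port that Uptime Kuma binds on 127.0.0.1 only (`HOST = "127.0.0.1"`), so it does nothing today and silently exposes the instance the day HOST changes; drop it and let nginx be the only way in. The `kuma.anotherhadi.com` vhost sets `enableACME = true` without `forceSSL = true` (or `addSSL`), and as far as I can tell from the NixOS nginx options that means the certificate is issued but nginx listens on port 80 only for this name; add `forceSSL = true;` so the Cloudflare-to-origin hop is encrypted as well. Uptime Kuma's UI runs over a socket.io WebSocket, so the location will most likely also need `proxyWebsockets = true;`.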


@@ -0,0 +1,22 @@
# Nextcloud
let hostname = "cloud.anotherhadi.com";
in {
services.nextcloud = {
enable = true;
hostName = hostname;
https = true;
config = {
adminuser = "jack";
adminpassFile = "/etc/nextcloud/adminpassFile";
};
settings = {
trusted_domains =
[ "localhost" "127.0.0.1" "192.168.2.23" "cloud.anotherhadi.com" ];
};
nginx.recommendedHttpHeaders = true;
};
services.nginx.virtualHosts.${hostname} = {
forceSSL = false;
enableACME = true;
};
}
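Review bot: `forceSSL = false` on the vhost together with `https = true` in `services.nextcloud` makes Nextcloud generate https:// URLs while the origin only accepts plaintext on port 80, so the `enableACME = true` on the next line requests a certificate nothing serves. If this is deliberate for Cloudflare's Flexible mode, say so in a comment such as `# TLS terminated at Cloudflare; origin is HTTP only`; otherwise set `forceSSL = true;`. `trusted_domains` listing `192.168.2.23` allows access by raw LAN IP where none of the proxy headers apply — keep it only if that path is needed. `/etc/nextcloud/adminpassFile` should be readable by the `nextcloud` user alone; its mode is set in the sops module, which is where to check.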


@@ -0,0 +1,10 @@
# Nginx Reverse Proxy & ACME certs
{ config, ... }: {
services.nginx.enable = true;
security.acme = {
acceptTerms = true;
defaults.email = config.var.git.email;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
}
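Review bot: `services.nginx.enable = true` is set without `recommendedProxySettings`, so the `proxyPass` locations in the other modules of this commit get no X-Forwarded-For/X-Real-IP/Host headers; ntfy is configured with `behind-proxy = true`, which as far as I know relies on X-Forwarded-For for per-client rate limiting, and vaultwarden likewise keys its failed-login limits on the client IP, so every client looks like 127.0.0.1 and shares one bucket. Add `recommendedProxySettings = true; recommendedTlsSettings = true;` beside `enable = true`. With Cloudflare proxying every name (per the dyndns module), consider restricting 80/443 to Cloudflare's published ranges so the origin cannot be reached directly, and add a one-line comment noting that `config.var.git.email` doubles as the ACME contact address.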


@@ -0,0 +1,21 @@
# Push Notification Server
# https://mynixos.com/nixpkgs/options/services.ntfy-sh
let
hostname = "ntfy.anotherhadi.com";
port = 8082;
url = "https://" + hostname;
in {
services.ntfy-sh = {
enable = true;
settings = {
base-url = url;
listen-http = "127.0.0.1:${toString port}";
behind-proxy = true;
};
};
services.nginx.virtualHosts.${hostname} = {
enableACME = true;
locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; };
};
networking.firewall.allowedTCPPorts = [ port ];
}
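Review bot: No `auth-file` or `auth-default-access` is set in `settings`, and ntfy's default access policy is read-write on every topic, so with a public `base-url` anyone on the internet can publish to and subscribe from the topics this host uses; unless public topics are intended, add `auth-default-access = "deny-all";` plus an `auth-file` under the service's state directory and create the users with `ntfy user add`. `networking.firewall.allowedTCPPorts = [ port ];` opens 8082 although `listen-http` binds 127.0.0.1 only; drop it. ntfy clients use a WebSocket on `/ws`, so the nginx location should carry `proxyWebsockets = true;`, which is what ntfy's own nginx example configures.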


@@ -0,0 +1,15 @@
# SSH server
{
services.openssh = {
enable = true;
ports = [ 22 ];
settings = {
PasswordAuthentication = true;
AllowUsers = null; # Allows all users by default. Can be [ "user1" "user2" ]
UseDns = true;
X11Forwarding = false;
PermitRootLogin = "no"; # "yes", "without-password", "prohibit-password", "forced-commands-only", "no"
};
};
networking.firewall.allowedTCPPorts = [ 22 ];
}
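Review bot: `PasswordAuthentication = true` keeps password logins enabled on a port 22 that the last line opens to every network, leaving brute-force resistance to fail2ban alone; set `PasswordAuthentication = false; KbdInteractiveAuthentication = false;` and narrow `AllowUsers` to the one account that needs a shell instead of `null`. Since Tailscale is configured in this same commit, limiting port 22 to the tailnet interface would cost little more. `UseDns = true` only adds a reverse-DNS lookup per connection and is not a security control, and `networking.firewall.allowedTCPPorts = [ 22 ]` duplicates `services.openssh.openFirewall`, which defaults to true.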


@@ -0,0 +1,8 @@
# Firewall & fail2ban
{
networking.firewall.enable = true;
services.fail2ban = {
enable = true;
maxretry = 5;
};
}
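Review bot: `maxretry = 5` is the only fail2ban tuning here, so bans use the default bantime and only the sshd jail is active; the web applications proxied through nginx elsewhere in this commit (vaultwarden, nextcloud) get no jail even though both document fail2ban filters for their failed-login logs. Consider `bantime-increment.enable = true;` and an `ignoreIP` list for the LAN and tailnet ranges so a mistyped password cannot lock the admin out, then add jails for the web apps once their log paths are known. `networking.firewall.enable = true` is already the NixOS default, so the line is harmless but redundant; as the tailscale module turns on `networking.nftables.enable`, it is worth confirming that fail2ban's banaction is the nftables variant (the NixOS module selects it automatically as far as I know).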


@@ -0,0 +1,30 @@
{
sops = {
age.keyFile = "/home/hadi/.config/sops/age/keys.txt";
defaultSopsFile = ../../../secrets/server.yaml;
defaultSopsFormat = "yaml";
secrets = {
sshconfig = {
path = "/home/hadi/.ssh/config";
owner = "hadi";
};
github-key = {
path = "/home/hadi/.ssh/github";
owner = "hadi";
};
nextcloud-adminpass = {
mode = "0444"; # FIXME
path = "/etc/nextcloud/adminpassFile";
};
cloudflare-apitoken = {
mode = "0444"; # FIXME
path = "/etc/cloudflare/apiToken";
};
tailscaled-authKey = {
mode = "0444"; # FIXME
path = "/etc/tailscale/authKey";
};
};
};
}
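Review bot: The three `mode = "0444"; # FIXME` entries make the Nextcloud admin password, the Cloudflare API token and the Tailscale auth key world-readable, so any local account or compromised service on the host (nginx, the `hadi` user that runs the bitcoin-git timer, …) can read a token that controls DNS for every domain in this commit and a key that enrols machines into the tailnet. As far as I recall the NixOS units consume the Cloudflare and Tailscale files as root (EnvironmentFile and a root-run autoconnect oneshot respectively), so the default root-owned 0400 is enough and the `mode` lines can simply go; the Nextcloud setup step runs as the `nextcloud` user, so that entry needs `owner = "nextcloud"` instead of being opened up. Separately, `age.keyFile` points into /home/hadi, which exposes the host's decryption key to that user — tolerable on a single-admin box, but a root-only location such as /var/lib/sops-nix/key.txt is the usual choice.
```nix
    secrets = {
      # … unchanged: sshconfig, github-key …
      nextcloud-adminpass = {
        owner = "nextcloud"; # read by the nextcloud-setup unit — confirm user
        path = "/etc/nextcloud/adminpassFile";
      };
      cloudflare-apitoken = {
        # default mode 0400/root; assumed read by systemd as root via EnvironmentFile
        path = "/etc/cloudflare/apiToken";
      };
      tailscaled-authKey = {
        # default mode 0400/root; assumed read by the root-run tailscaled-autoconnect unit
        path = "/etc/tailscale/authKey";
      };
    };
```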


@@ -0,0 +1,13 @@
{ config, ... }: {
services.tailscale = {
enable = config.var.tailscale;
useRoutingFeatures = "both";
authKeyFile = "/etc/tailscale/authKey";
openFirewall = true;
extraUpFlags = [ "--advertise-exit-node" ];
};
# Fix DNS & IPv6 bugs
networking.nftables.enable = true;
services.resolved.enable = true;
}
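Review bot: `useRoutingFeatures = "both"` together with `extraUpFlags = [ "--advertise-exit-node" ]` turns on IP forwarding and offers this host as an exit node for the whole tailnet, a noticeable widening of what the box does that the only comment ("Fix DNS & IPv6 bugs") does not mention; add a line stating that both are intended and that the exit node still has to be approved in the admin console. `authKeyFile = "/etc/tailscale/authKey"` is, as far as I know, read by a root-run unit, so that file should be root-only 0400 (its mode is set in the sops module) and ideally a non-reusable, pre-authorized key, because a reusable key in a readable file lets any reader enrol new devices. The nftables/resolved comment is vague — name the actual bug being worked around so a later maintainer knows when the workaround can be removed.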


@@ -0,0 +1,7 @@
# unifi controller service
{
services.unifi = {
enable = true;
openFirewall = true; # 8443(webui) and other port use by AP
};
}
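Review bot: This module is dead configuration for now — the host's import list comments out `./modules/unifi.nix` with `FIXME: unifi5 is deprecated` — so when it is revived it will need an explicit `unifiPackage` rather than relying on the module default that the FIXME refers to. `openFirewall = true` exposes the controller's web UI and inform/discovery ports on every interface; for a controller that only manages LAN access points, restrict those ports to the LAN interface instead, and say so in the comment on that line.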


@@ -0,0 +1,22 @@
# Password manager
let
hostname = "vault.anotherhadi.com";
url = "https://" + hostname;
port = 8222;
in {
services.vaultwarden = {
enable = true;
config = {
DOMAIN = url;
SIGNUPS_ALLOWED = true;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = port;
ROCKET_LOG = "critical";
};
};
services.nginx.virtualHosts.${hostname} = {
enableACME = true;
locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; };
};
networking.firewall.allowedTCPPorts = [ port ];
}
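Review bot: `SIGNUPS_ALLOWED = true` lets anyone who reaches vault.anotherhadi.com create an account on this password-manager instance; set it to `false` once the admin account exists (or scope it with `SIGNUPS_DOMAINS_WHITELIST`) and invite further users explicitly. The vhost sets `enableACME = true` without `forceSSL = true`, so as far as I can tell nginx serves this name on port 80 only and the Cloudflare-to-origin hop can only be plaintext — add `forceSSL = true;`. `networking.firewall.allowedTCPPorts = [ port ];` opens 8222 for a daemon bound to `ROCKET_ADDRESS = "127.0.0.1"`; drop it. Vaultwarden's live sync uses a WebSocket at `/notifications/hub`, which needs `proxyWebsockets = true;` on the location to work through nginx.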


@@ -0,0 +1,12 @@
<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body>
Anotherhadi website
</body>
</html>


@@ -0,0 +1,13 @@
{
imports = [ ./homepage.nix ];
services.nginx.virtualHosts = {
"anotherhadi.com" = {
serverAliases = [ "www.anotherhadi.com" ];
root = "/etc/www/anotherhadi.com";
};
"test.anotherhadi.com" = { root = "/var/www/test"; };
};
environment.etc."www/anotherhadi.com" = { source = ./anotherhadi.com; };
}
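Review bot: The `anotherhadi.com` and `test.anotherhadi.com` vhosts are the only ones in this commit without `enableACME`, so nginx serves them on port 80 only; add `enableACME = true; forceSSL = true;` (the `serverAliases` entry is covered by the same certificate) unless Cloudflare's Flexible mode is deliberately the TLS endpoint, in which case a comment should say so. `root = "/var/www/test"` is a mutable path outside the store with no owner or permissions declared here, so whoever can write there controls what is published under that name. The `environment.etc."www/anotherhadi.com"` copy could be avoided altogether with `root = ./anotherhadi.com;`, serving the site straight from the store.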


@@ -0,0 +1,100 @@
{ pkgs, lib, ... }:
let
settings = ''
{
"config": {
"title" : "Jack's Home",
"openLinksInNewTab": false,
"locale": "fr-FR",
"colors": {
"primary": "#89b4fa",
"background": "#01010b",
"foreground": "#cdd6f4",
"muted": "#313244"
},
"folders": [
{
"name": "Home",
"links": [
{
"title": "Nextcloud",
"url": "https://cloud.anotherhadi.com",
"icon": "󰅟"
},
{
"title": "Vaultwarden",
"url": "https://vault.anotherhadi.com",
"icon": ""
},
{
"title": "Uptime Kuma",
"url": "https://kuma.anotherhadi.com",
"icon": "󱎫"
}
]
},
{
"name": "Admin",
"links": [
{
"title": "Adguard Home",
"url": "http://192.168.2.24:3001",
"icon": "󰷱"
},
{
"title": "Proxmox",
"url": "https://192.168.2.17:8006",
"icon": ""
},
{
"title": "Cloudflare",
"url": "https://dash.cloudflare.com/",
"icon": ""
},
{
"title": "Tailscale",
"url": "https://login.tailscale.com/admin/machines",
"icon": "󰖂"
}
]
}
]
}
}
'';
package = pkgs.buildNpmPackage {
pname = "homepage";
version = "0.0.0";
src = pkgs.fetchFromGitHub {
owner = "anotherhadi";
repo = "homepage";
rev = "19f56771ae7ac04e2710cbde763f70bb097eb250";
hash = "sha256-8IzXcQ/hm2ZDzFKUL4B3501PoWoEOiKIN7rP2UrvG84=";
};
npmDepsHash = "sha256-bG+CHTq2Rst3JMxsjAC81KhK+G7WwsTVD1eyP87g0z4=";
buildPhase = ''
npm install
cp ${
pkgs.writeText "src/routes/config.json" settings
} src/routes/config.json
npm run build
mkdir $out
mv build $out
'';
meta = {
description = "homepage";
homepage = "https://github.com/anotherhadi/homepage";
};
};
in {
services.nginx.virtualHosts."home.anotherhadi.com" = {
enableACME = true;
root = package + "/build";
};
}
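Review bot: The `home.anotherhadi.com` vhost publishes the generated config — including `192.168.2.24:3001`, `192.168.2.17:8006` and the Proxmox/AdGuard admin links — to anyone on the internet, since it has no `basicAuthFile`, allow/deny rule or tailnet-only binding; that is internal-network disclosure for no benefit, so restrict the vhost (e.g. `basicAuthFile` or an `allow`/`deny` block in `extraConfig`) or serve it only over Tailscale. Two build details also look fragile: `pkgs.writeText "src/routes/config.json"` uses a derivation name containing `/`, which Nix rejects as far as I know, and the overridden `buildPhase` runs `npm install` inside the sandbox where there is no network, although `buildNpmPackage` already provides the dependencies from `npmDepsHash`. Use `pkgs.writeText "config.json" settings` for the copy source and drop the `npm install` line, leaving the phase to copy the config and run `npm run build`. As with the other proxied names, `enableACME = true` without `forceSSL = true` leaves this vhost on port 80 only.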