jonas/nixos
1
0
Fork 0
mirror of https://github.com/Ascyii/nixos.git synced 2026-01-01 14:54:26 -05:00
Code Issues Packages Projects Releases Wiki Activity

Initial commit unclean

Browse Source
This commit is contained in:
Jonas Hahn
2025-08-30 20:31:10 +02:00
commit 4ebc8b23fe
50 changed files with 5191 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

541
hosts/stranox-strato/configuration.nix Normal file
View File

@@ -0,0 +1,541 @@
{ pkgs, inputs, config, ... }: {
imports = [
./hardware-configuration.nix
../../modules/rare/realmail.nix
../../modules/misc/virt.nix
#../../modules/server/collabora.nix
inputs.sops-nix.nixosModules.sops
];
networking.hosts = {
"127.0.0.1" = [
"dash.hahn1.one"
"sync.hahn1.one"
"jagd.hahn1.one"
"cloud.hahn1.one"
"cool.hahn1.one"
"hahn1.one"
];
"::1" = [
"dash.hahn1.one"
"sync.hahn1.one"
"jagd.hahn1.one"
"cloud.hahn1.one"
"cool.hahn1.one"
"hahn1.one"
];
};
# Enable all the old services on gullfoss
services.postgresql = {
enable = true;
# Ensure databases here
ensureDatabases = [ "mydatabase" ];
# TODO: integrate the old permission
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all trust
'';
};
#systemd.services.nixBuildTmuxSession = {
# description = "Start tmux nix build session if not already running";
# after = [ "network.target" ];
# path = with pkgs; [nix tmux ];
# serviceConfig = {
# Type = "oneshot";
# User = "jonas"; # Change this!
# };
# script = ''exec /home/jonas/projects/perdash/start_server.sh'';
#};
services.cron.enable = true;
# Sops setup
sops = {
defaultSopsFile = ../../../secrets.yaml;
defaultSopsFormat = "yaml";
# hard code the username here
age.keyFile = "/home/jonas/.config/sops/age/keys.txt";
secrets = {
joncook = {};
jondash = {};
jondav = {};
jondavpass = {};
nextpass = {
group = "nextcloud";
owner = "nextcloud";
};
};
templates = {
"jontemp2" = {
owner = "nginx";
group = "nginx";
content = ''add_header Set-Cookie "letmein=${config.sops.placeholder.joncook};max-age=3153600000;path=/";'';
};
"jontemp" = {
owner = "nginx";
group = "nginx";
content = ''"${config.sops.placeholder.joncook}" "yes";'';
};
"webdavconf" = {
owner = "webdav";
group = "webdav";
content = ''
#permissions: CRUD
#debug: true
#behindProxy: true
address: 0.0.0.0
auth: true
modify: true
port: 6065
#scope: /var/lib/webdav/
directory: /var/lib/webdav/
#rules: []
#permissions: R
users:
- password: '${config.sops.placeholder.jondavpass}'
username: ${config.sops.placeholder.jondav}
permissions: CRUD
'';
path = "/etc/webdav/config.yaml";
};
};
};
systemd.tmpfiles.rules = [
"d /var/lib/webdav 0750 webdav webdav -"
];
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
swapDevices = [ { device = "/swapfile"; size = 8192; } ];
networking.hostName = "stranox";
# setup syncthing
# This is not needed for now because one should only use syncthing when not having battery problems
services = {
syncthing = {
enable = true;
user = "jonas";
#guiAddress = "0.0.0.0:8384";
dataDir = "/home/jonas/syncthing";
configDir = "/home/jonas/.config/syncthing";
overrideDevices = true; # overrides any devices added or deleted through the WebUI
overrideFolders = true; # overrides any folders added or deleted through the WebUI
settings = {
devices = {
"thinix" = { id = "3JHI72U-HQKX7S2-ITUD5U7-CS2P3TO-HM6Y6MZ-PFSUGWF-5OHHV7Q-NXYC5AP"; };
"androidp" = { id = "UIJS6LQ-CQY7UWH-3KTJ2VH-3N73VNK-V6NWTIE-L4ZUEWW-R625SV4-YKMVKQY"; };
};
folders = {
# This is the mail folder to keep synced accross everything
# Its nice to have this declarativery and just work with the respectively ids
# "syncthing" = {
# "synct path = "/home/jonas/synced";
# "synct devices = [ "thinix" ];
# "synct ignorePerms = true;
# "synct versioning = {
# "synct type = "staggered";
# "synct };
# "synct};
"syncthingtest" = {
path = "/home/jonas/phonebla";
devices = [ "androidp" ];
ignorePerms = true;
versioning = {
type = "staggered";
};
};
};
};
};
};
services.radicale = {
enable = true;
settings.server.hosts = [ "127.0.0.1:5232" ];
settings.auth.type = "none";
};
services.nextcloud = {
enable = false;
# Use the defualt home
#home = "/mnt/nextcloudStorage";
package = pkgs.nextcloud30;
hostName = "cloud.hahn1.one";
settings = {
#trusted_domains = [""];
};
config = {
adminpassFile = config.sops.secrets.nextpass.path;
dbtype = "sqlite";
};
extraApps = {inherit (config.services.nextcloud.package.packages.apps) calendar ;};
extraAppsEnable = true;
https = true;
configureRedis = true;
maxUploadSize = "1G";
};
# configure users for small machine
users = {
defaultUserShell = pkgs.zsh;
groups = {
nginx = {};
nextcloud = {};
podman = {};
docker = {};
webdav = {};
};
users = {
nginx = {
isSystemUser = true;
group = "nginx";
};
webdav = {
isSystemUser = true;
group = "webdav";
};
nextcloud = {
isSystemUser = true;
group = "nextcloud";
};
root = {
openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID44xurDPkTQr+f62llnHHAeXQRJi4JeVeo0vFL85CLA jonas@thinix'' ];
};
jonas = {
isNormalUser = true;
extraGroups = [ "wheel" "docker" "podman" "webdav" "davfs2" ];
openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID44xurDPkTQr+f62llnHHAeXQRJi4JeVeo0vFL85CLA jonas@thinix'' ];
packages = with pkgs; [
neovim
pkgs.unstable.yazi
zsh
git
starship
eza
bat
lazygit
btop
gdu
fastfetch
sops
w3m
typst
tmux
wget
curl
pipx
fd
python3
nodejs
gcc
gnumake
findutils.locate
gradle
lua
todo-txt-cli
];
};
};
};
#environment.etc."nginx/htpasswd/jondash".source = config.sops.secrets.jondash.path;
# source the local httppass for the nginx login
environment.etc."nginx/htpasswd/jondash".source = ./htpasswd;
networking.firewall = {
enable = true;
allowedTCPPorts = [6065 6443 3478 80 443 8080 ];
allowedUDPPorts = [3478 ];
};
# Services for the cloud
services = {
openssh.enable = true;
nginx = {
mapHashBucketSize = 128;
enable = true;
appendHttpConfig = ''
map $cookie_letmein $dash_hascookie {
include ${config.sops.templates.jontemp.path};
default "no";
}
map $dash_hascookie $dash_authentication {
"yes" "off";
default "Your credentials please";
}
'';
virtualHosts = {
"dash.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
proxyPass = "http://127.0.0.1:8000";
proxyWebsockets = true;
extraConfig = ''
auth_basic $dash_authentication;
auth_basic_user_file /etc/nginx/htpasswd/jondash;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
include ${config.sops.templates.jontemp2.path};
'';
};
};
"rad.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
root = "${pkgs.nginx}/html";
index = "index.html";
};
};
"dev.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
proxyPass = "http://127.0.0.1:8384";
proxyWebsockets = true;
};
};
# "qrank.hahn1.one" = {
# "qr forceSSL = true;
# "qr enableACME = true;
# "qr #basicAuth = { jonas = "1234"; };
# "qr locations."/" = {
# "qr proxyPass = "http://127.0.0.1:18765";
# "qr proxyWebsockets = true;
# "qr };
# "qr};
# Easter special for having a schintzeljagt that implements modern technology
"jagd.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
proxyPass = "http://127.0.0.1:2345";
proxyWebsockets = true;
};
};
#"dev.hahn1.one" = {
# forceSSL = true;
# forenableACME = true;
# for#basicAuth = { jonas = "1234"; };
# forlocations."/" = {
# for proxyPass = "http://127.0.0.1:6065";
# for proxyWebsockets = true;
# for};
#};
#"dev.hahn1.one" = {
# forceSSL = true;
# enableACME = true;
# # This is of course not secure but better than to have nothing
# # First one need to read this code to access
# basicAuth = { dev = "dev"; };
# # use a dev proxypass to test some applications
# locations."/" = {
# proxyPass = "http://127.0.0.1:8888";
# proxyWebsockets = true;
# };
#};
"cloud.hahn1.one" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://localhost:11000";
proxyWebsockets = true;
};
};
"sync.hahn1.one" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:6065";
extraConfig = ''
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_redirect off;
set $dest $http_destination;
if ($http_destination ~ "^https://dev.hahn1.one(?<path>(.+))") {
set $dest /$path;
}
proxy_set_header Destination $dest;
'';
proxyWebsockets = true;
};
};
"cool.hahn1.one" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://[::1]:${toString config.services.collabora-online.port}";
proxyWebsockets = true;
};
};
# Default nginx site to felx
"hahn1.one" = {
forceSSL = true;
enableACME = true;
default = true;
locations."/" = {
root = "${pkgs.nginx}/html";
index = "index.html";
};
locations."/radicale/" = {
proxyPass = "http://127.0.0.1:5232/";
extraConfig = ''
proxy_set_header X-Script-Name /radicale;
proxy_pass_header Authorization;
'';
};
};
};
};
};
#networking.firewall.allowedTCPPorts = [
# 6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
# # 2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration
# # 2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration
#];
#networking.firewall.allowedUDPPorts = [
# # 8472 # k3s, flannel: required if using multi-node for inter-node networking
#];
services.webdav.enable = true; # test turning off
services.webdav.user = "webdav";
services.webdav.group = "webdav";
#services.webdav.settings =
# {
# address = "0.0.0.0";
# port = 6065;
# #scope = "/var/lib/webdav/";
# directory = "/var/lib/webdav";
# modify = true;
# auth = true;
# users = [
# {
# username = "jonas";
# password = "jonasdav123";
# }
# ];
# };
services.webdav.configFile = "/etc/webdav/config.yaml" ;
# k3s testing
services.k3s = {
enable = true;
role = "server";
extraFlags = [
"--disable=traefik"
"--debug"
];
};
security.acme = {
acceptTerms = true;
defaults.email = "security@hahn1.one";
};
nixpkgs.config.allowUnfree = true;
nix.settings.experimental-features = ["flakes" "nix-command"];
time.timeZone = "Europe/Berlin";
environment = {
sessionVariables = {
};
systemPackages = with pkgs; [
git
fastfetch
ripgrep
lazygit
unzip
fzf
zathura
# everywhere support
starship
zoxide
# add sync support
rsync
flock
unison
# curl for scripting
curl
];
};
programs.zsh = {
enable = true;
autosuggestions.enable = true;
ohMyZsh = {
enable = true;
plugins = [
"history-substring-search"
"git"
"zoxide"
"sudo"
"vi-mode"
"systemadmin"
];
};
};
# In case of gui usage
programs = {
nix-ld.enable = true;
};
# This was generated by the infect script I may just keep it this way for
# Security reasons
system.stateVersion = "23.11";
}

449
hosts/stranox-strato/configuration_new.nix Normal file
View File

@@ -0,0 +1,449 @@
{ pkgs, inputs, config, ... }: {
imports = [
./hardware-configuration.nix
../../modules/rare/realmail.nix
../../modules/misc/virt.nix
#../../modules/server/collabora.nix
inputs.sops-nix.nixosModules.sops
];
networking.hosts = {
"127.0.0.1" = [
"dash.hahn1.one"
"sync.hahn1.one"
"jagd.hahn1.one"
"cloud.hahn1.one"
"cool.hahn1.one"
"hahn1.one"
];
"::1" = [
"dash.hahn1.one"
"sync.hahn1.one"
"jagd.hahn1.one"
"cloud.hahn1.one"
"cool.hahn1.one"
"hahn1.one"
];
};
# Enable all the old services on gullfoss
services.postgresql = {
enable = true;
# Ensure databases here
ensureDatabases = [ "mydatabase" ];
# TODO: integrate the old permission
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all trust
'';
};
#systemd.services.nixBuildTmuxSession = {
# description = "Start tmux nix build session if not already running";
# after = [ "network.target" ];
# path = with pkgs; [nix tmux ];
# serviceConfig = {
# Type = "oneshot";
# User = "jonas"; # Change this!
# };
# script = ''exec /home/jonas/projects/perdash/start_server.sh'';
#};
services.cron.enable = true;
# Sops setup
sops = {
defaultSopsFile = ../../../secrets.yaml;
defaultSopsFormat = "yaml";
# hard code the username here
age.keyFile = "/home/jonas/.config/sops/age/keys.txt";
secrets = {
joncook = {};
jondash = {};
jondav = {};
jondavpass = {};
nextpass = {
group = "nextcloud";
owner = "nextcloud";
};
};
templates = {
"jontemp2" = {
owner = "nginx";
group = "nginx";
content = ''add_header Set-Cookie "letmein=${config.sops.placeholder.joncook};max-age=3153600000;path=/";'';
};
"jontemp" = {
owner = "nginx";
group = "nginx";
content = ''"${config.sops.placeholder.joncook}" "yes";'';
};
"webdavconf" = {
owner = "webdav";
group = "webdav";
content = ''
address: 127.0.0.1
port: 6065
# The directory that will be able to be accessed by the users when connecting.
# This directory will be used by users unless they have their own 'directory' defined.
# Default is '.' (current directory).
directory: /home/jonas/webdav
# The default permissions for users. This is a case insensitive option. Possible
# permissions: C (Create), R (Read), U (Update), D (Delete). You can combine multiple
# permissions. For example, to allow to read and create, set "RC". Default is "R".
permissions: RCUD
# noPassword: true
users:
# Example 'admin' user with plaintext password.
- username: ${config.sops.placeholder.jondav}
password: ${config.sops.placeholder.jondavpass}
'';
path = "/etc/webdav/config.yaml";
};
};
};
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
swapDevices = [ { device = "/swapfile"; size = 8192; } ];
networking.hostName = "stranox";
# setup syncthing
# This is not needed for now because one should only use syncthing when not having battery problems
services = {
syncthing = {
enable = true;
user = "jonas";
#guiAddress = "0.0.0.0:8384";
dataDir = "/home/jonas/syncthing";
configDir = "/home/jonas/.config/syncthing";
overrideDevices = true; # overrides any devices added or deleted through the WebUI
overrideFolders = true; # overrides any folders added or deleted through the WebUI
settings = {
devices = {
"thinix" = { id = "3JHI72U-HQKX7S2-ITUD5U7-CS2P3TO-HM6Y6MZ-PFSUGWF-5OHHV7Q-NXYC5AP"; };
};
folders = {
# This is the mail folder to keep synced accross everything
# Its nice to have this declarativery and just work with the respectively ids
# "syncthing" = {
# "synct path = "/home/jonas/synced";
# "synct devices = [ "thinix" ];
# "synct ignorePerms = true;
# "synct versioning = {
# "synct type = "staggered";
# "synct };
# "synct};
};
};
};
};
services.nextcloud = {
enable = false;
# Use the defualt home
#home = "/mnt/nextcloudStorage";
package = pkgs.nextcloud30;
hostName = "cloud.hahn1.one";
settings = {
#trusted_domains = [""];
};
config = {
adminpassFile = config.sops.secrets.nextpass.path;
dbtype = "sqlite";
};
extraApps = {inherit (config.services.nextcloud.package.packages.apps) calendar ;};
extraAppsEnable = true;
https = true;
configureRedis = true;
maxUploadSize = "1G";
};
# configure users for small machine
users = {
defaultUserShell = pkgs.zsh;
groups = {
nginx = {};
nextcloud = {};
podman = {};
docker = {};
webdav = {};
};
users = {
nginx = {
isSystemUser = true;
group = "nginx";
};
webdav = {
isSystemUser = true;
group = "webdav";
};
nextcloud = {
isSystemUser = true;
group = "nextcloud";
};
root = {
openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID44xurDPkTQr+f62llnHHAeXQRJi4JeVeo0vFL85CLA jonas@thinix'' ];
};
jonas = {
isNormalUser = true;
extraGroups = [ "wheel" "docker" "podman" ];
openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID44xurDPkTQr+f62llnHHAeXQRJi4JeVeo0vFL85CLA jonas@thinix'' ];
packages = with pkgs; [
neovim
pkgs.unstable.yazi
zsh
git
starship
eza
bat
lazygit
btop
gdu
fastfetch
sops
w3m
typst
tmux
wget
curl
pipx
fd
python3
nodejs
gcc
gnumake
findutils.locate
gradle
lua
todo-txt-cli
];
};
};
};
#environment.etc."nginx/htpasswd/jondash".source = config.sops.secrets.jondash.path;
# source the local httppass for the nginx login
environment.etc."nginx/htpasswd/jondash".source = ./htpasswd;
networking.firewall = {
enable = true;
allowedTCPPorts = [6065 6443 3478 80 443 8080 ];
allowedUDPPorts = [3478 ];
};
# Services for the cloud
services = {
openssh.enable = true;
nginx = {
mapHashBucketSize = 128;
enable = true;
appendHttpConfig = ''
map $cookie_letmein $dash_hascookie {
include ${config.sops.templates.jontemp.path};
default "no";
}
map $dash_hascookie $dash_authentication {
"yes" "off";
default "Your credentials please";
}
'';
virtualHosts = {
"dash.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
proxyPass = "http://127.0.0.1:8000";
proxyWebsockets = true;
extraConfig = ''
auth_basic $dash_authentication;
auth_basic_user_file /etc/nginx/htpasswd/jondash;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
include ${config.sops.templates.jontemp2.path};
'';
};
};
"sync.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
proxyPass = "http://127.0.0.1:8384";
proxyWebsockets = true;
};
};
# Easter special for having a schintzeljagt that implements modern technology
"jagd.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
proxyPass = "http://127.0.0.1:2345";
proxyWebsockets = true;
};
};
#"dev.hahn1.one" = {
# forceSSL = true;
# forenableACME = true;
# for#basicAuth = { jonas = "1234"; };
# forlocations."/" = {
# for proxyPass = "http://127.0.0.1:6065";
# for proxyWebsockets = true;
# for};
#};
#"dev.hahn1.one" = {
# forceSSL = true;
# enableACME = true;
# # This is of course not secure but better than to have nothing
# # First one need to read this code to access
# basicAuth = { dev = "dev"; };
# # use a dev proxypass to test some applications
# locations."/" = {
# proxyPass = "http://127.0.0.1:8888";
# proxyWebsockets = true;
# };
#};
"cloud.hahn1.one" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://localhost:11000";
proxyWebsockets = true;
};
};
"cool.hahn1.one" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://[::1]:${toString config.services.collabora-online.port}";
proxyWebsockets = true;
};
};
"hahn1.one" = {
forceSSL = true;
enableACME = true;
default = true;
locations."/" = {
proxyPass = "http://127.0.0.1:2345";
proxyWebsockets = true;
};
};
};
};
};
#networking.firewall.allowedTCPPorts = [
# 6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
# # 2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration
# # 2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration
#];
#networking.firewall.allowedUDPPorts = [
# # 8472 # k3s, flannel: required if using multi-node for inter-node networking
#];
services.k3s.enable = true; # Not required for problem solving
services.webdav.enable = true; # test turning off
services.webdav.user = "webdav";
services.webdav.group = "webdav";
services.webdav.configFile = "/etc/webdav/config.yaml" ;
services.k3s.role = "server";
services.k3s.extraFlags = toString [
# "--debug" # Optionally add additional args to k3s
];
security.acme = {
acceptTerms = true;
defaults.email = "security@hahn1.one";
};
nixpkgs.config.allowUnfree = true;
nix.settings.experimental-features = ["flakes" "nix-command"];
time.timeZone = "Europe/Berlin";
environment = {
sessionVariables = {
};
systemPackages = with pkgs; [
git
fastfetch
ripgrep
lazygit
unzip
fzf
zathura
# everywhere support
starship
zoxide
# add sync support
rsync
flock
unison
# curl for scripting
curl
];
};
programs.zsh = {
enable = true;
autosuggestions.enable = true;
ohMyZsh = {
enable = true;
plugins = [
"history-substring-search"
"git"
"zoxide"
"sudo"
"vi-mode"
"systemadmin"
];
};
};
# In case of gui usage
programs = {
nix-ld.enable = true;
};
# This was generated by the infect script I may just keep it this way for
# Security reasons
system.stateVersion = "23.11";
}

377
hosts/stranox-strato/configuration_old.nix Normal file
View File

@@ -0,0 +1,377 @@
{ pkgs, inputs, config, ... }: {
imports = [
./hardware-configuration.nix
../../modules/rare/realmail.nix
../../modules/misc/virt.nix
#../../modules/server/collabora.nix
inputs.sops-nix.nixosModules.sops
];
networking.hosts = {
#"127.0.0.1" = ["cloud.hahn1.one" "cool.hahn1.one"];
#"::1" = ["cloud.hahn1.one" "cool.hahn1.one"];
};
# Enable all the old services on gullfoss
services.postgresql = {
enable = true;
# Ensure databases here
ensureDatabases = [ "mydatabase" ];
# TODO: integrate the old permission
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all trust
'';
};
#systemd.services.nixBuildTmuxSession = {
# description = "Start tmux nix build session if not already running";
# after = [ "network.target" ];
# path = with pkgs; [nix tmux ];
# serviceConfig = {
# Type = "oneshot";
# User = "jonas"; # Change this!
# };
# script = ''exec /home/jonas/projects/perdash/start_server.sh'';
#};
services.cron.enable = true;
# Sops setup
sops = {
defaultSopsFile = ../../../secrets.yaml;
defaultSopsFormat = "yaml";
# hard code the username here
age.keyFile = "/home/jonas/.config/sops/age/keys.txt";
secrets = {
joncook = {};
jondash = {};
nextpass = {
group = "nextcloud";
owner = "nextcloud";
};
};
templates = {
"jontemp2" = {
owner = "nginx";
group = "nginx";
content = ''add_header Set-Cookie "letmein=${config.sops.placeholder.joncook};max-age=3153600000;path=/";'';
};
"jontemp" = {
owner = "nginx";
group = "nginx";
content = ''"${config.sops.placeholder.joncook}" "yes";'';
};
};
};
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
swapDevices = [ { device = "/swapfile"; size = 8192; } ];
networking.hostName = "stranox";
# setup syncthing
# This is not needed for now because one should only use syncthing when not having battery problems
services = {
syncthing = {
enable = true;
user = "jonas";
#guiAddress = "0.0.0.0:8384";
dataDir = "/home/jonas/syncthing";
configDir = "/home/jonas/.config/syncthing";
overrideDevices = true; # overrides any devices added or deleted through the WebUI
overrideFolders = true; # overrides any folders added or deleted through the WebUI
settings = {
devices = {
"thinix" = { id = "3JHI72U-HQKX7S2-ITUD5U7-CS2P3TO-HM6Y6MZ-PFSUGWF-5OHHV7Q-NXYC5AP"; };
};
folders = {
# This is the mail folder to keep synced accross everything
# Its nice to have this declarativery and just work with the respectively ids
# "syncthing" = {
# "synct path = "/home/jonas/synced";
# "synct devices = [ "thinix" ];
# "synct ignorePerms = true;
# "synct versioning = {
# "synct type = "staggered";
# "synct };
# "synct};
};
};
};
};
services.nextcloud = {
enable = false;
# Use the defualt home
#home = "/mnt/nextcloudStorage";
package = pkgs.nextcloud30;
hostName = "cloud.hahn1.one";
settings = {
#trusted_domains = [""];
};
config = {
adminpassFile = config.sops.secrets.nextpass.path;
dbtype = "sqlite";
};
extraApps = {inherit (config.services.nextcloud.package.packages.apps) calendar ;};
extraAppsEnable = true;
https = true;
configureRedis = true;
maxUploadSize = "1G";
};
# configure users for small machine
users = {
defaultUserShell = pkgs.zsh;
groups = {
nginx = {};
nextcloud = {};
podman = {};
docker = {};
};
users = {
nginx = {
isSystemUser = true;
group = "nginx";
};
nextcloud = {
isSystemUser = true;
group = "nextcloud";
};
root = {
openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID44xurDPkTQr+f62llnHHAeXQRJi4JeVeo0vFL85CLA jonas@thinix'' ];
};
jonas = {
isNormalUser = true;
extraGroups = [ "wheel" "docker" "podman" ];
openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID44xurDPkTQr+f62llnHHAeXQRJi4JeVeo0vFL85CLA jonas@thinix'' ];
packages = with pkgs; [
neovim
pkgs.unstable.yazi
zsh
git
starship
eza
bat
lazygit
btop
gdu
fastfetch
sops
w3m
typst
tmux
wget
curl
pipx
fd
python3
nodejs
gcc
gnumake
findutils.locate
gradle
lua
todo-txt-cli
];
};
};
};
#environment.etc."nginx/htpasswd/jondash".source = config.sops.secrets.jondash.path;
# source the local httppass for the nginx login
environment.etc."nginx/htpasswd/jondash".source = ./htpasswd;
networking.firewall = {
enable = true;
allowedTCPPorts = [3478 80 443 8080 ];
allowedUDPPorts = [3478 ];
};
# Services for the cloud
services = {
openssh.enable = true;
nginx = {
mapHashBucketSize = 128;
enable = true;
appendHttpConfig = ''
map $cookie_letmein $dash_hascookie {
include ${config.sops.templates.jontemp.path};
default "no";
}
map $dash_hascookie $dash_authentication {
"yes" "off";
default "Your credentials please";
}
'';
virtualHosts = {
"dash.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
proxyPass = "http://127.0.0.1:8000";
proxyWebsockets = true;
extraConfig = ''
auth_basic $dash_authentication;
auth_basic_user_file /etc/nginx/htpasswd/jondash;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
include ${config.sops.templates.jontemp2.path};
'';
};
};
"sync.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
proxyPass = "http://127.0.0.1:8384";
proxyWebsockets = true;
};
};
# Easter special for having a schintzeljagt that implements modern technology
"jagd.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
proxyPass = "http://127.0.0.1:2345";
proxyWebsockets = true;
};
};
"dev.hahn1.one" = {
forceSSL = true;
enableACME = true;
# This is of course not secure but better than to have nothing
# First one need to read this code to access
basicAuth = { dev = "dev"; };
# use a dev proxypass to test some applications
locations."/" = {
proxyPass = "http://127.0.0.1:8888";
proxyWebsockets = true;
};
};
"cloud.hahn1.one" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://localhost:11000";
proxyWebsockets = true;
};
};
"cool.hahn1.one" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://[::1]:${toString config.services.collabora-online.port}";
proxyWebsockets = true;
};
};
"hahn1.one" = {
forceSSL = true;
enableACME = true;
default = true;
locations."/" = {
root = "${pkgs.nginx}/html";
index = "index.html";
};
};
};
};
};
security.acme = {
acceptTerms = true;
#TODO: activate this mail
defaults.email = "security@hahn1.one";
};
nixpkgs.config.allowUnfree = true;
nix.settings.experimental-features = ["flakes" "nix-command"];
time.timeZone = "Europe/Berlin";
environment = {
sessionVariables = {
};
systemPackages = with pkgs; [
git
fastfetch
lazygit
unzip
fzf
zathura
# everywhere support
starship
zoxide
# add sync support
rsync
flock
unison
# curl for scripting
curl
];
};
programs.zsh = {
enable = true;
autosuggestions.enable = true;
ohMyZsh = {
enable = true;
plugins = [
"history-substring-search"
"git"
"zoxide"
"sudo"
"vi-mode"
"systemadmin"
];
};
};
# In case of gui usage
programs = {
nix-ld.enable = true;
};
# This was generated by the infect script I may just keep it this way for
# Security reasons
system.stateVersion = "23.11";
}

9
hosts/stranox-strato/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,9 @@
{ modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub.device = "/dev/vda";
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; };
}

1
hosts/stranox-strato/htpasswd Normal file
View File

@@ -0,0 +1 @@
jonas:$2y$05$PQhZXP4kXq/hGvPwMQQ6A.G9T4VnxG4PJE4RG16D7z/rZffd6ezYu