Made it work

2025-08-30 21:19:51 +02:00
parent fdbaf09146
commit 75d30efc6c
23 changed files with 148 additions and 1356 deletions


@@ -1,55 +0,0 @@
{ config, lib, pkgs, inputs, ... }:
{
# setup collabora config declaratively
systemd.services.nextcloud-config-collabora = let
inherit (config.services.nextcloud) occ;
wopi_url = "http://[::1]:${toString config.services.collabora-online.port}";
public_wopi_url = "https://cool.hahn1.one";
wopi_allowlist = lib.concatStringsSep "," [
"127.0.0.1"
"::1"
];
in {
wantedBy = ["multi-user.target"];
after = ["nextcloud-setup.service" "coolwsd.service"];
requires = ["coolwsd.service"];
script = ''
${occ}/bin/nextcloud-occ config:app:set richdocuments wopi_url --value ${lib.escapeShellArg wopi_url}
${occ}/bin/nextcloud-occ config:app:set richdocuments public_wopi_url --value ${lib.escapeShellArg public_wopi_url}
${occ}/bin/nextcloud-occ config:app:set richdocuments wopi_allowlist --value ${lib.escapeShellArg wopi_allowlist}
${occ}/bin/nextcloud-occ richdocuments:setup
'';
serviceConfig = {
Type = "oneshot";
User = "nextcloud";
};
};
# setup the collabora server
services.collabora-online = {
enable = true;
port = 9980; # default
settings = {
# Rely on reverse proxy for SSL
ssl = {
enable = false;
termination = true;
# this is for dev purposes
# can be enabled in production when there is a real certificate
ssl_verification = true;
};
# Listen on loopback interface only, and accept requests from ::1
net = {
listen = "loopback";
post_allow.host = ["::1"];
};
# Set FQDN of server
server_name = "cool.hahn1.one";
};
};
}


@@ -1,16 +0,0 @@
{ pkgs, config, lib, inputs, ...}:
{
imports =
[
#inputs.sops-nix.nixosModules.sops
];
# also one can access the path and then cat it
services.ddclient = {
enable = true;
configFile = config.sops.templates."ddclient-temp".path;
};
}


@@ -1,20 +0,0 @@
{ pkgs, config, lib, inputs, ...}:
let
thisDir = ./.;
nixFiles = builtins.attrNames (builtins.readDir thisDir);
moduleFiles = builtins.filter (name: builtins.match ".*\\.nix" name != null && name != "default.nix") nixFiles;
modules = builtins.map (name: thisDir + "/${name}") moduleFiles;
in {
# Import all the old modules
imports = modules;
############ TEMP Module inputs
# Got from here https://nixos.wiki/wiki/OpenLDAP#Setting_up_a_server_with_SSL_certs_via_ACME
}

25
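--- a/modules/server/email.nix
+++ b/modules/server/email.nix
@@ -0,0 +1,25 @@
+{ ... }: {
+imports = [
+(builtins.fetchTarball {
+url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-25.05/nixos-mailserver-nixos-25.05.tar.gz";
+sha256 = "0jpp086m839dz6xh6kw5r8iq0cm4nd691zixzy6z11c4z2vf8v85";
+})
+];
+mailserver = {
+enable = true;
+fqdn = "mail.hahn1.one";
+domains = [ "hahn1.one" ];
+# A list of all login accounts. To create the password hashes, use
+# nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
+loginAccounts = {
+"jonas@hahn1.one" = {
+hashedPassword = "$2b$05$aOMZAUvp4p42su99UwQ0FeKPTVKrHBJX1w7IBG9J39rSjSqyT5Y7C";
+aliases = ["postmaster@hahn1.one" "j@hahn1.one"];
+};
+};
+certificateScheme = "acme-nginx";
+};
+}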
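Review bot: `hashedPassword` on the jonas@hahn1.one account commits the credential hash to the repository, and its `$2b$05$` prefix indicates a bcrypt cost factor of 5, which is low for a hash that anyone with read access to this tree can attack offline. nixos-mailserver also accepts `hashedPasswordFile`, so the hash can be kept in a secret provisioned outside the tree (the removed ddclient module referred to a sops-nix template, so such a mechanism appears to exist already); e.g. `hashedPasswordFile = "<path-to-secret-file>"; # placeholder, provisioned by the secrets tool`. When regenerating, raise the cost, for example `mkpasswd -sm bcrypt -R 12`, update the comment above `loginAccounts` to match, and rotate the password since the current hash is already in git history. The `sha256` pin on the `fetchTarball` import is fine as it is.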


@@ -1,144 +0,0 @@
# MONITORING: services run on loopback interface
# nginx reverse proxy exposes services to network
{ config, lib, pkgs, ... }:
let
grafana_port = 7000;
in {
# Logging metrics
# Disable loki
services.loki = {
enable = false;
configuration = {
server.http_listen_port = 3100;
auth_enabled = false;
ingester = {
lifecycler = {
address = "127.0.0.1";
ring = {
kvstore = {
store = "inmemory";
};
replication_factor = 1;
};
};
chunk_idle_period = "1h";
max_chunk_age = "1h";
chunk_target_size = 999999;
chunk_retain_period = "30s";
};
schema_config = {
configs = [{
store = "tsdb";
object_store = "filesystem";
schema = "v13";
index = {
prefix = "index_";
period = "24h";
};
}];
};
storage_config = {
tsdb_shipper = {
active_index_directory = "/var/lib/loki/tsdb-shipper-active";
cache_location = "/var/lib/loki/tsdb-shipper-cache";
cache_ttl = "24h";
};
filesystem = {
directory = "/var/lib/loki/chunks";
};
};
limits_config = {
reject_old_samples = true;
reject_old_samples_max_age = "168h";
};
table_manager = {
retention_deletes_enabled = false;
retention_period = "0s";
};
compactor = {
working_directory = "/var/lib/loki";
compactor_ring = {
kvstore = {
store = "inmemory";
};
};
};
};
};
# Disable
services.promtail = {
enable = false;
configuration = {
server = {
http_listen_port = 3031;
grpc_listen_port = 0;
};
positions = {
filename = "/tmp/positions.yaml";
};
clients = [{
url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
}];
scrape_configs = [{
job_name = "journal";
journal = {
max_age = "12h";
labels = {
job = "systemd-journal";
host = "misox";
};
};
relabel_configs = [{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}];
}];
};
};
# System metrics
services.prometheus = {
enable = true;
exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" "tcpstat" "processes" "interrupts" ];
port = 9100;
};
};
#globalConfig.scrape_interval = "1m";
scrapeConfigs = [{
job_name = "node";
static_configs = [{
targets = [
"localhost:${toString config.services.prometheus.exporters.node.port}"
];
}];
}];
};
# Dashboard
services.grafana = {
enable = true;
settings = {
server = {
http_addr = "127.0.0.1";
http_port = 3000;
domain = "grafana.misox";
#root_url = "http://misox:${toString grafana_port}/";
};
};
};
}


@@ -1,50 +0,0 @@
{ config, lib, pkgs, ... }:
{
networking.hostName = "misox"; # Define your hostname.
# networking.interfaces.eno1 = {
# Assign a static IPv6 address (same as your example)
# ipv6.addresses = [
# {
# address = "2003:ca:7f20:cf00:dd2d:ebde:44e6:7eca"; # Static IPv6 address
# prefixLength = 64; # Prefix length (usually 64)
# }
# ];
#
# Enable temporary addresses (privacy addresses) as well
#ipv6.useTempAddresses = true;
#};
# The ping behind fritzbox still does not work
networking.enableIPv6 = true;
networking.firewall.allowedTCPPorts = [
# Opening ssh and the web
22
80
443
############
# Jonas Stuff
# LifeDash Deploy
8000
];
# Rewrite for local host support
# to make this global you need to confifure a custom dns
networking.hosts = {
"127.0.0.1" = [ "hahn1.one" "cloud.hahn1.one" "cool.hahn1.one" "grafana.hahn1.one"];
"::1" = [ "hahn1.one" "cloud.hahn1.one" "cool.hahn1.one" "grafana.hahn1.one"];
#"127.0.0.1" = ["nextcloud.misox" "default.misox" "grafana.misox" "collabora.misox"];
#"::1" = ["nextcloud.misox" "grafana.misox" "default.misox" "collabora.misox"];
};
networking.networkmanager.wifi.powersave = false;
}


@@ -1,107 +0,0 @@
{ config, lib, pkgs, ... }:
{
security.acme = {
acceptTerms = true;
defaults.email = "jonashahn1@gmx.net";
#defaults.dnsProvider = "route53";
#defaults.dnsResolver = "2606:4700:4700::1111";
certs = {
"cloud.hahn1.one" = {
webroot = "/var/lib/acme/.challenges";
group = "nginx";
};
};
};
users.users.nginx.extraGroups = [ "acme" ];
# Setting the port for nextcloud
services.nginx = let
# support for local vars
mkDevCert = name: commonName:
pkgs.runCommandLocal "${name}-dev-cert" { buildInputs = [ pkgs.openssl ]; } ''
mkdir -p $out
openssl req -x509 -newkey rsa:4096 -keyout $out/key.pem -out $out/cert.pem -days 3650 -nodes \
-subj "/CN=${commonName}"
'';
# dev certs
# collaboraCert = mkDevCert "collabora-misox-cert" "collabora.misox";
# nextCert = mkDevCert "nextcloud-misox-cert" "nextcloud.misox";
# defCert = mkDevCert "default-misox-cert" "misox";
# default domain to use in the configuration
domain = "hahn1.one";
in {
# enable nginx
enable = true;
recommendedProxySettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
# setup virtual hosts
virtualHosts = {
# Expose nextcloud
# this is how to setup a dev cert route with ssl
#"${config.services.nextcloud.hostName}" = {
# enableACME = false;
# forceSSL = true;
# sslCertificate = "${nextCert}/cert.pem";
# sslCertificateKey = "${nextCert}/key.pem";
#};
"${config.services.nextcloud.hostName}" = {
enableACME = true;
addSSL = true;
};
"grafana.${domain}" = {
enableACME = true;
addSSL = true;
# this is to create a default listener
#listen = [{ addr = "0.0.0.0"; port = grafana_port;}];
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
proxyWebsockets = true;
};
};
"acmechallenge.${domain}" = {
# Catchall vhost, will redirect users to HTTPS for all vhosts
serverAliases = [ "*.example.com" ];
locations."/.well-known/acme-challenge" = {
root = "/var/lib/acme/.challenges";
};
locations."/" = {
return = "301 https://$host$request_uri";
};
};
"cool.${domain}" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://[::1]:${toString config.services.collabora-online.port}";
proxyWebsockets = true;
};
};
# This is the last and therefor occupies the http://misox?
# NO!
"${domain}" = {
default = true;
enableACME = true;
addSSL = true;
locations."/" = {
root = "${pkgs.nginx}/html";
index = "index.html";
};
};
};
};
}


@@ -1,114 +0,0 @@
{ pkgs, config, lib, inputs, ...}:
{
# figure out how this works
services.openldap = {
enable = true;
/* enable plain connections only */
urlList = [ "ldap:///" ];
settings = {
attrs = {
olcLogLevel = "conns config";
};
children = {
"cn=schema".includes = [
"${pkgs.openldap}/etc/schema/core.ldif"
"${pkgs.openldap}/etc/schema/cosine.ldif"
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
];
"olcDatabase={1}mdb".attrs = {
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "dc=example,dc=com";
/* your admin account, do not use writeText on a production system */
olcRootDN = "cn=admin,dc=example,dc=com";
olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
olcAccess = [
/* custom access rules for userPassword attributes */
''{0}to attrs=userPassword
by self write
by anonymous auth
by * none''
/* allow read on anything else */
''{1}to *
by * read''
];
};
};
};
};
# Enable all the old services on gullfoss
services.postgresql = {
enable = true;
ensureDatabases = [ "mydatabase" ];
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all trust
'';
};
# TODO: need to configure this
services.samba = {
enable = true;
openFirewall = true;
settings = {
global = {
"workgroup" = "WORKGROUP";
"server string" = "smbnix";
"netbios name" = "smbnix";
"security" = "user";
#"use sendfile" = "yes";
#"max protocol" = "smb2";
# note: localhost is the ipv6 localhost ::1
"hosts allow" = "192.168.0. 127.0.0.1 localhost";
"hosts deny" = "0.0.0.0/0";
"guest account" = "nobody";
"map to guest" = "bad user";
};
"public" = {
"path" = "/mnt/Shares/Public";
"browseable" = "yes";
"read only" = "no";
"guest ok" = "yes";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "username";
"force group" = "groupname";
};
"private" = {
"path" = "/mnt/Shares/Private";
"browseable" = "yes";
"read only" = "no";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "username";
"force group" = "groupname";
};
};
};
services.samba-wsdd = {
enable = true;
openFirewall = true;
};
services.cron = {
enable = true;
systemCronJobs = [
"*/5 * * * * root date >> /tmp/cron.log"
];
};
}