jonas/nixos
1
0
Fork 0
mirror of https://github.com/Ascyii/nixos.git synced 2026-01-01 06:44:26 -05:00
Code Issues Packages Projects Releases Wiki Activity

Cleanup stuff only necessary

Browse Source
This commit is contained in:
Jonas Hahn
2025-08-31 01:20:48 +02:00
parent 75d30efc6c
commit b1b36e418f
20 changed files with 28 additions and 1832 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
hosts/asuox-acer/configuration.nix
View File

@@ -1,29 +0,0 @@
{ config, lib, pkgs, ... }:
let
var22 = "22";
in
{
nixpkgs.config.allowUnfree = true;
imports = [
./hardware-configuration.nix
# Installing needed modules
../../modules/tweaks.nix
../../users.nix
../../modules/workstation.nix
# Disabling the powersaving to save the wifi?
# ../../modules/laptop.nix
../../common.nix
];
networking.hostName = "asuox";
bootMode = "legacy";
# TODO: make this a module
networking.networkmanager.wifi.powersave = false;
# Never change this!
system.stateVersion = "24.11";
}

33
hosts/asuox-acer/hardware-configuration.nix
View File

@@ -1,33 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "sd_mod" "sr_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" "wl" ];
boot.extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/95b00222-f6c7-4055-b4d8-9ef53ce69775";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

35
hosts/bananapi-rpi/configuration.nix
View File

@@ -1,35 +0,0 @@
{ config, pkgs, lib, ... }:
{
# NixOS wants to enable GRUB by default
boot.loader.grub.enable = false;
# Enables the generation of /boot/extlinux/extlinux.conf
boot.loader.generic-extlinux-compatible.enable = true;
# !!! If your board is a Raspberry Pi 1, select this:
boot.kernelPackages = pkgs.linuxPackages_rpi;
# On other boards, pick a different kernel, note that on most boards with good mainline support, default, latest and hardened should all work
# Others might need a BSP kernel, which should be noted in their respective wiki entries
# nixos-generate-config should normally set up file systems correctly
imports = [ ./hardware-configuration.nix ];
# If not, you can set them up manually as shown below
/*
fileSystems = {
# Prior to 19.09, the boot partition was hosted on the smaller first partition
# Starting with 19.09, the /boot folder is on the main bigger partition.
# The following is to be used only with older images. Note such old images should not be considered supported anymore whatsoever, but if you installed back then, this might be needed
/*
"/boot" = {
device = "/dev/disk/by-label/NIXOS_BOOT";
fsType = "vfat";
};
*/
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
};
swapDevices = [ { device = "/swapfile"; size = 8192; } ];
}

59
hosts/gullfoss-homelab/configuration.nix
View File

@@ -1,59 +0,0 @@
{ config, lib, pkgs, inputs, ... }:
{
imports =
[
# Loading the high level modules
./hardware-configuration.nix
# Loading modules
../../modules/server_gull
# Loading single modules
../../modules/misc/virt.nix
../../common.nix
../../users.nix
# Random (can be disabled)
# ../../modules/minecraft.nix
inputs.sops-nix.nixosModules.sops
];
# This is the sops setup and should be done here??
# Sops configuration and initialisation
sops.defaultSopsFile = ../../../secrets.yaml;
sops.defaultSopsFormat = "yaml";
# hard code the username here
sops.age.keyFile = "/home/jonas/.config/sops/age/keys.txt";
# ensure a user is there to own the template
users.users.ddclient = {
isSystemUser = true;
group = "ddclient";
};
users.groups.ddclient = {};
# setup the templates to use them in services
sops.secrets.strato_dns_bitzz = {};
sops.templates."ddclient-temp" = {
owner = "ddclient";
# This is the main strato configuration
# use api6 for ipv6
content = ''
ssl=yes
protocol=dyndns2
use=web, web=api.ipify.org
server=dyndns.strato.com/nic/update
login=bitzz.de
password='${config.sops.placeholder.strato_dns_bitzz}'
bitzz.de,cloud.bitzz.de,app.bitzz.de
'';
};
networking.hostName = "gullfoss";
#system.copySystemConfiguration = true;
system.stateVersion = "24.11";
}

58
hosts/misox-workstation/configuration.nix
View File

@@ -1,58 +0,0 @@
{ config, lib, pkgs, inputs, ... }:
{
imports =
[
# Loading the high level modules
./hardware-configuration.nix
# Core of the config
../../modules/server
# Loading modules
../../common.nix
../../users.nix
../../modules/misc/virt.nix
#../../modules/rare/minecraft.nix
# set the keyboard for local dev
../../modules/tweaks.nix
# Load sops
inputs.sops-nix.nixosModules.sops
];
# This is the sops setup and should be done here??
# Sops configuration and initialisation
sops.defaultSopsFile = ../../../secrets.yaml;
sops.defaultSopsFormat = "yaml";
# hard code the username here
sops.age.keyFile = "/home/jonas/.config/sops/age/keys.txt";
# ensure a user is there to own the template
users.users.ddclient = {
isSystemUser = true;
group = "ddclient";
};
users.groups.ddclient = {};
# setup the templates to use them in services
sops.secrets.strato_dns = {};
sops.templates."ddclient-temp" = {
owner = "ddclient";
# This is the main strato configuration
content = ''
ssl=yes
protocol=dyndns2
use=web, web=api6.ipify.org
server=dyndns.strato.com/nic/update
login=hahn1.one
password='${config.sops.placeholder.strato_dns}'
hahn1.one,cloud.hahn1.one,app.hahn1.one,dash.hahn1.one,grafana.hahn1.one,cool.hahn1.one,acmechallenge.hahn1.one
'';
};
#system.copySystemConfiguration = true;
system.stateVersion = "24.11";
}

38
hosts/misox-workstation/hardware-configuration.nix
View File

@@ -1,38 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/191c0c61-d012-4b35-8df9-75ae40d6004c";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/B425-9C77";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices =
[ { device = "/dev/disk/by-uuid/94b57e8b-8417-4a1f-a9e4-b6c92cc26ba4"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp6s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

27
hosts/nixyos-asus/configuration.nix
View File

@@ -1,33 +1,20 @@
# Edit this configuration file to define what should be installed on
# your system.
{ ... }:
{ lib, pkgs, ... }:
let
test_variable = "Hello world";
in {
{
imports = [
./hardware-configuration.nix
# Installing the common modules
# Still need to modularize this
# ../../modules/networking.nix
../../user/users.nix
../../modules/common.nix
# Common modules
../../users.nix
../../modules/tweaks.nix
../../modules/laptop.nix
../../common.nix
../../modules/hardware/battery.nix
../../modules/hardware/xremap.nix
];
# TEST INSERT
nixpkgs.config.allowUnfree = true;
networking.hostName = "nixyos";
networking.networkmanager.wifi.powersave = true;
networking.hostName = "nixyos";
system.stateVersion = "24.11"; # Did you read the comment?
}

2
hosts/nixyos-asus/hardware-configuration.nix
View File

@@ -1,7 +1,7 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations.
{ config, lib, pkgs, modulesPath, ... }:
{ config, lib, modulesPath, ... }:
{
imports =

541
hosts/stranox-strato/configuration.nix
View File

@@ -1,541 +0,0 @@
{ pkgs, inputs, config, ... }: {
imports = [
./hardware-configuration.nix
../../modules/rare/realmail.nix
../../modules/misc/virt.nix
#../../modules/server/collabora.nix
inputs.sops-nix.nixosModules.sops
];
networking.hosts = {
"127.0.0.1" = [
"dash.hahn1.one"
"sync.hahn1.one"
"jagd.hahn1.one"
"cloud.hahn1.one"
"cool.hahn1.one"
"hahn1.one"
];
"::1" = [
"dash.hahn1.one"
"sync.hahn1.one"
"jagd.hahn1.one"
"cloud.hahn1.one"
"cool.hahn1.one"
"hahn1.one"
];
};
# Enable all the old services on gullfoss
services.postgresql = {
enable = true;
# Ensure databases here
ensureDatabases = [ "mydatabase" ];
# TODO: integrate the old permission
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all trust
'';
};
#systemd.services.nixBuildTmuxSession = {
# description = "Start tmux nix build session if not already running";
# after = [ "network.target" ];
# path = with pkgs; [nix tmux ];
# serviceConfig = {
# Type = "oneshot";
# User = "jonas"; # Change this!
# };
# script = ''exec /home/jonas/projects/perdash/start_server.sh'';
#};
services.cron.enable = true;
# Sops setup
sops = {
defaultSopsFile = ../../../secrets.yaml;
defaultSopsFormat = "yaml";
# hard code the username here
age.keyFile = "/home/jonas/.config/sops/age/keys.txt";
secrets = {
joncook = {};
jondash = {};
jondav = {};
jondavpass = {};
nextpass = {
group = "nextcloud";
owner = "nextcloud";
};
};
templates = {
"jontemp2" = {
owner = "nginx";
group = "nginx";
content = ''add_header Set-Cookie "letmein=${config.sops.placeholder.joncook};max-age=3153600000;path=/";'';
};
"jontemp" = {
owner = "nginx";
group = "nginx";
content = ''"${config.sops.placeholder.joncook}" "yes";'';
};
"webdavconf" = {
owner = "webdav";
group = "webdav";
content = ''
#permissions: CRUD
#debug: true
#behindProxy: true
address: 0.0.0.0
auth: true
modify: true
port: 6065
#scope: /var/lib/webdav/
directory: /var/lib/webdav/
#rules: []
#permissions: R
users:
- password: '${config.sops.placeholder.jondavpass}'
username: ${config.sops.placeholder.jondav}
permissions: CRUD
'';
path = "/etc/webdav/config.yaml";
};
};
};
systemd.tmpfiles.rules = [
"d /var/lib/webdav 0750 webdav webdav -"
];
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
swapDevices = [ { device = "/swapfile"; size = 8192; } ];
networking.hostName = "stranox";
# setup syncthing
# This is not needed for now because one should only use syncthing when not having battery problems
services = {
syncthing = {
enable = true;
user = "jonas";
#guiAddress = "0.0.0.0:8384";
dataDir = "/home/jonas/syncthing";
configDir = "/home/jonas/.config/syncthing";
overrideDevices = true; # overrides any devices added or deleted through the WebUI
overrideFolders = true; # overrides any folders added or deleted through the WebUI
settings = {
devices = {
"thinix" = { id = "3JHI72U-HQKX7S2-ITUD5U7-CS2P3TO-HM6Y6MZ-PFSUGWF-5OHHV7Q-NXYC5AP"; };
"androidp" = { id = "UIJS6LQ-CQY7UWH-3KTJ2VH-3N73VNK-V6NWTIE-L4ZUEWW-R625SV4-YKMVKQY"; };
};
folders = {
# This is the mail folder to keep synced accross everything
# Its nice to have this declarativery and just work with the respectively ids
# "syncthing" = {
# "synct path = "/home/jonas/synced";
# "synct devices = [ "thinix" ];
# "synct ignorePerms = true;
# "synct versioning = {
# "synct type = "staggered";
# "synct };
# "synct};
"syncthingtest" = {
path = "/home/jonas/phonebla";
devices = [ "androidp" ];
ignorePerms = true;
versioning = {
type = "staggered";
};
};
};
};
};
};
services.radicale = {
enable = true;
settings.server.hosts = [ "127.0.0.1:5232" ];
settings.auth.type = "none";
};
services.nextcloud = {
enable = false;
# Use the defualt home
#home = "/mnt/nextcloudStorage";
package = pkgs.nextcloud30;
hostName = "cloud.hahn1.one";
settings = {
#trusted_domains = [""];
};
config = {
adminpassFile = config.sops.secrets.nextpass.path;
dbtype = "sqlite";
};
extraApps = {inherit (config.services.nextcloud.package.packages.apps) calendar ;};
extraAppsEnable = true;
https = true;
configureRedis = true;
maxUploadSize = "1G";
};
# configure users for small machine
users = {
defaultUserShell = pkgs.zsh;
groups = {
nginx = {};
nextcloud = {};
podman = {};
docker = {};
webdav = {};
};
users = {
nginx = {
isSystemUser = true;
group = "nginx";
};
webdav = {
isSystemUser = true;
group = "webdav";
};
nextcloud = {
isSystemUser = true;
group = "nextcloud";
};
root = {
openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID44xurDPkTQr+f62llnHHAeXQRJi4JeVeo0vFL85CLA jonas@thinix'' ];
};
jonas = {
isNormalUser = true;
extraGroups = [ "wheel" "docker" "podman" "webdav" "davfs2" ];
openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID44xurDPkTQr+f62llnHHAeXQRJi4JeVeo0vFL85CLA jonas@thinix'' ];
packages = with pkgs; [
neovim
pkgs.unstable.yazi
zsh
git
starship
eza
bat
lazygit
btop
gdu
fastfetch
sops
w3m
typst
tmux
wget
curl
pipx
fd
python3
nodejs
gcc
gnumake
findutils.locate
gradle
lua
todo-txt-cli
];
};
};
};
#environment.etc."nginx/htpasswd/jondash".source = config.sops.secrets.jondash.path;
# source the local httppass for the nginx login
environment.etc."nginx/htpasswd/jondash".source = ./htpasswd;
networking.firewall = {
enable = true;
allowedTCPPorts = [6065 6443 3478 80 443 8080 ];
allowedUDPPorts = [3478 ];
};
# Services for the cloud
services = {
openssh.enable = true;
nginx = {
mapHashBucketSize = 128;
enable = true;
appendHttpConfig = ''
map $cookie_letmein $dash_hascookie {
include ${config.sops.templates.jontemp.path};
default "no";
}
map $dash_hascookie $dash_authentication {
"yes" "off";
default "Your credentials please";
}
'';
virtualHosts = {
"dash.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
proxyPass = "http://127.0.0.1:8000";
proxyWebsockets = true;
extraConfig = ''
auth_basic $dash_authentication;
auth_basic_user_file /etc/nginx/htpasswd/jondash;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
include ${config.sops.templates.jontemp2.path};
'';
};
};
"rad.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
root = "${pkgs.nginx}/html";
index = "index.html";
};
};
"dev.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
proxyPass = "http://127.0.0.1:8384";
proxyWebsockets = true;
};
};
# "qrank.hahn1.one" = {
# "qr forceSSL = true;
# "qr enableACME = true;
# "qr #basicAuth = { jonas = "1234"; };
# "qr locations."/" = {
# "qr proxyPass = "http://127.0.0.1:18765";
# "qr proxyWebsockets = true;
# "qr };
# "qr};
# Easter special for having a schintzeljagt that implements modern technology
"jagd.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
proxyPass = "http://127.0.0.1:2345";
proxyWebsockets = true;
};
};
#"dev.hahn1.one" = {
# forceSSL = true;
# forenableACME = true;
# for#basicAuth = { jonas = "1234"; };
# forlocations."/" = {
# for proxyPass = "http://127.0.0.1:6065";
# for proxyWebsockets = true;
# for};
#};
#"dev.hahn1.one" = {
# forceSSL = true;
# enableACME = true;
# # This is of course not secure but better than to have nothing
# # First one need to read this code to access
# basicAuth = { dev = "dev"; };
# # use a dev proxypass to test some applications
# locations."/" = {
# proxyPass = "http://127.0.0.1:8888";
# proxyWebsockets = true;
# };
#};
"cloud.hahn1.one" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://localhost:11000";
proxyWebsockets = true;
};
};
"sync.hahn1.one" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:6065";
extraConfig = ''
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_redirect off;
set $dest $http_destination;
if ($http_destination ~ "^https://dev.hahn1.one(?<path>(.+))") {
set $dest /$path;
}
proxy_set_header Destination $dest;
'';
proxyWebsockets = true;
};
};
"cool.hahn1.one" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://[::1]:${toString config.services.collabora-online.port}";
proxyWebsockets = true;
};
};
# Default nginx site to felx
"hahn1.one" = {
forceSSL = true;
enableACME = true;
default = true;
locations."/" = {
root = "${pkgs.nginx}/html";
index = "index.html";
};
locations."/radicale/" = {
proxyPass = "http://127.0.0.1:5232/";
extraConfig = ''
proxy_set_header X-Script-Name /radicale;
proxy_pass_header Authorization;
'';
};
};
};
};
};
#networking.firewall.allowedTCPPorts = [
# 6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
# # 2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration
# # 2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration
#];
#networking.firewall.allowedUDPPorts = [
# # 8472 # k3s, flannel: required if using multi-node for inter-node networking
#];
services.webdav.enable = true; # test turning off
services.webdav.user = "webdav";
services.webdav.group = "webdav";
#services.webdav.settings =
# {
# address = "0.0.0.0";
# port = 6065;
# #scope = "/var/lib/webdav/";
# directory = "/var/lib/webdav";
# modify = true;
# auth = true;
# users = [
# {
# username = "jonas";
# password = "jonasdav123";
# }
# ];
# };
services.webdav.configFile = "/etc/webdav/config.yaml" ;
# k3s testing
services.k3s = {
enable = true;
role = "server";
extraFlags = [
"--disable=traefik"
"--debug"
];
};
security.acme = {
acceptTerms = true;
defaults.email = "security@hahn1.one";
};
nixpkgs.config.allowUnfree = true;
nix.settings.experimental-features = ["flakes" "nix-command"];
time.timeZone = "Europe/Berlin";
environment = {
sessionVariables = {
};
systemPackages = with pkgs; [
git
fastfetch
ripgrep
lazygit
unzip
fzf
zathura
# everywhere support
starship
zoxide
# add sync support
rsync
flock
unison
# curl for scripting
curl
];
};
programs.zsh = {
enable = true;
autosuggestions.enable = true;
ohMyZsh = {
enable = true;
plugins = [
"history-substring-search"
"git"
"zoxide"
"sudo"
"vi-mode"
"systemadmin"
];
};
};
# In case of gui usage
programs = {
nix-ld.enable = true;
};
# This was generated by the infect script I may just keep it this way for
# Security reasons
system.stateVersion = "23.11";
}

449
hosts/stranox-strato/configuration_new.nix
View File

@@ -1,449 +0,0 @@
{ pkgs, inputs, config, ... }: {
imports = [
./hardware-configuration.nix
../../modules/rare/realmail.nix
../../modules/misc/virt.nix
#../../modules/server/collabora.nix
inputs.sops-nix.nixosModules.sops
];
networking.hosts = {
"127.0.0.1" = [
"dash.hahn1.one"
"sync.hahn1.one"
"jagd.hahn1.one"
"cloud.hahn1.one"
"cool.hahn1.one"
"hahn1.one"
];
"::1" = [
"dash.hahn1.one"
"sync.hahn1.one"
"jagd.hahn1.one"
"cloud.hahn1.one"
"cool.hahn1.one"
"hahn1.one"
];
};
# Enable all the old services on gullfoss
services.postgresql = {
enable = true;
# Ensure databases here
ensureDatabases = [ "mydatabase" ];
# TODO: integrate the old permission
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all trust
'';
};
#systemd.services.nixBuildTmuxSession = {
# description = "Start tmux nix build session if not already running";
# after = [ "network.target" ];
# path = with pkgs; [nix tmux ];
# serviceConfig = {
# Type = "oneshot";
# User = "jonas"; # Change this!
# };
# script = ''exec /home/jonas/projects/perdash/start_server.sh'';
#};
services.cron.enable = true;
# Sops setup
sops = {
defaultSopsFile = ../../../secrets.yaml;
defaultSopsFormat = "yaml";
# hard code the username here
age.keyFile = "/home/jonas/.config/sops/age/keys.txt";
secrets = {
joncook = {};
jondash = {};
jondav = {};
jondavpass = {};
nextpass = {
group = "nextcloud";
owner = "nextcloud";
};
};
templates = {
"jontemp2" = {
owner = "nginx";
group = "nginx";
content = ''add_header Set-Cookie "letmein=${config.sops.placeholder.joncook};max-age=3153600000;path=/";'';
};
"jontemp" = {
owner = "nginx";
group = "nginx";
content = ''"${config.sops.placeholder.joncook}" "yes";'';
};
"webdavconf" = {
owner = "webdav";
group = "webdav";
content = ''
address: 127.0.0.1
port: 6065
# The directory that will be able to be accessed by the users when connecting.
# This directory will be used by users unless they have their own 'directory' defined.
# Default is '.' (current directory).
directory: /home/jonas/webdav
# The default permissions for users. This is a case insensitive option. Possible
# permissions: C (Create), R (Read), U (Update), D (Delete). You can combine multiple
# permissions. For example, to allow to read and create, set "RC". Default is "R".
permissions: RCUD
# noPassword: true
users:
# Example 'admin' user with plaintext password.
- username: ${config.sops.placeholder.jondav}
password: ${config.sops.placeholder.jondavpass}
'';
path = "/etc/webdav/config.yaml";
};
};
};
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
swapDevices = [ { device = "/swapfile"; size = 8192; } ];
networking.hostName = "stranox";
# setup syncthing
# This is not needed for now because one should only use syncthing when not having battery problems
services = {
syncthing = {
enable = true;
user = "jonas";
#guiAddress = "0.0.0.0:8384";
dataDir = "/home/jonas/syncthing";
configDir = "/home/jonas/.config/syncthing";
overrideDevices = true; # overrides any devices added or deleted through the WebUI
overrideFolders = true; # overrides any folders added or deleted through the WebUI
settings = {
devices = {
"thinix" = { id = "3JHI72U-HQKX7S2-ITUD5U7-CS2P3TO-HM6Y6MZ-PFSUGWF-5OHHV7Q-NXYC5AP"; };
};
folders = {
# This is the mail folder to keep synced accross everything
# Its nice to have this declarativery and just work with the respectively ids
# "syncthing" = {
# "synct path = "/home/jonas/synced";
# "synct devices = [ "thinix" ];
# "synct ignorePerms = true;
# "synct versioning = {
# "synct type = "staggered";
# "synct };
# "synct};
};
};
};
};
services.nextcloud = {
enable = false;
# Use the defualt home
#home = "/mnt/nextcloudStorage";
package = pkgs.nextcloud30;
hostName = "cloud.hahn1.one";
settings = {
#trusted_domains = [""];
};
config = {
adminpassFile = config.sops.secrets.nextpass.path;
dbtype = "sqlite";
};
extraApps = {inherit (config.services.nextcloud.package.packages.apps) calendar ;};
extraAppsEnable = true;
https = true;
configureRedis = true;
maxUploadSize = "1G";
};
# configure users for small machine
users = {
defaultUserShell = pkgs.zsh;
groups = {
nginx = {};
nextcloud = {};
podman = {};
docker = {};
webdav = {};
};
users = {
nginx = {
isSystemUser = true;
group = "nginx";
};
webdav = {
isSystemUser = true;
group = "webdav";
};
nextcloud = {
isSystemUser = true;
group = "nextcloud";
};
root = {
openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID44xurDPkTQr+f62llnHHAeXQRJi4JeVeo0vFL85CLA jonas@thinix'' ];
};
jonas = {
isNormalUser = true;
extraGroups = [ "wheel" "docker" "podman" ];
openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID44xurDPkTQr+f62llnHHAeXQRJi4JeVeo0vFL85CLA jonas@thinix'' ];
packages = with pkgs; [
neovim
pkgs.unstable.yazi
zsh
git
starship
eza
bat
lazygit
btop
gdu
fastfetch
sops
w3m
typst
tmux
wget
curl
pipx
fd
python3
nodejs
gcc
gnumake
findutils.locate
gradle
lua
todo-txt-cli
];
};
};
};
#environment.etc."nginx/htpasswd/jondash".source = config.sops.secrets.jondash.path;
# source the local httppass for the nginx login
environment.etc."nginx/htpasswd/jondash".source = ./htpasswd;
networking.firewall = {
enable = true;
allowedTCPPorts = [6065 6443 3478 80 443 8080 ];
allowedUDPPorts = [3478 ];
};
# Services for the cloud
services = {
openssh.enable = true;
nginx = {
mapHashBucketSize = 128;
enable = true;
appendHttpConfig = ''
map $cookie_letmein $dash_hascookie {
include ${config.sops.templates.jontemp.path};
default "no";
}
map $dash_hascookie $dash_authentication {
"yes" "off";
default "Your credentials please";
}
'';
virtualHosts = {
"dash.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
proxyPass = "http://127.0.0.1:8000";
proxyWebsockets = true;
extraConfig = ''
auth_basic $dash_authentication;
auth_basic_user_file /etc/nginx/htpasswd/jondash;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
include ${config.sops.templates.jontemp2.path};
'';
};
};
"sync.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
proxyPass = "http://127.0.0.1:8384";
proxyWebsockets = true;
};
};
# Easter special for having a schintzeljagt that implements modern technology
"jagd.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
proxyPass = "http://127.0.0.1:2345";
proxyWebsockets = true;
};
};
#"dev.hahn1.one" = {
# forceSSL = true;
# forenableACME = true;
# for#basicAuth = { jonas = "1234"; };
# forlocations."/" = {
# for proxyPass = "http://127.0.0.1:6065";
# for proxyWebsockets = true;
# for};
#};
#"dev.hahn1.one" = {
# forceSSL = true;
# enableACME = true;
# # This is of course not secure but better than to have nothing
# # First one need to read this code to access
# basicAuth = { dev = "dev"; };
# # use a dev proxypass to test some applications
# locations."/" = {
# proxyPass = "http://127.0.0.1:8888";
# proxyWebsockets = true;
# };
#};
"cloud.hahn1.one" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://localhost:11000";
proxyWebsockets = true;
};
};
"cool.hahn1.one" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://[::1]:${toString config.services.collabora-online.port}";
proxyWebsockets = true;
};
};
"hahn1.one" = {
forceSSL = true;
enableACME = true;
default = true;
locations."/" = {
proxyPass = "http://127.0.0.1:2345";
proxyWebsockets = true;
};
};
};
};
};
#networking.firewall.allowedTCPPorts = [
# 6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
# # 2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration
# # 2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration
#];
#networking.firewall.allowedUDPPorts = [
# # 8472 # k3s, flannel: required if using multi-node for inter-node networking
#];
services.k3s.enable = true; # Not required for problem solving
services.webdav.enable = true; # test turning off
services.webdav.user = "webdav";
services.webdav.group = "webdav";
services.webdav.configFile = "/etc/webdav/config.yaml" ;
services.k3s.role = "server";
services.k3s.extraFlags = toString [
# "--debug" # Optionally add additional args to k3s
];
security.acme = {
acceptTerms = true;
defaults.email = "security@hahn1.one";
};
nixpkgs.config.allowUnfree = true;
nix.settings.experimental-features = ["flakes" "nix-command"];
time.timeZone = "Europe/Berlin";
environment = {
sessionVariables = {
};
systemPackages = with pkgs; [
git
fastfetch
ripgrep
lazygit
unzip
fzf
zathura
# everywhere support
starship
zoxide
# add sync support
rsync
flock
unison
# curl for scripting
curl
];
};
programs.zsh = {
enable = true;
autosuggestions.enable = true;
ohMyZsh = {
enable = true;
plugins = [
"history-substring-search"
"git"
"zoxide"
"sudo"
"vi-mode"
"systemadmin"
];
};
};
# In case of gui usage
programs = {
nix-ld.enable = true;
};
# This was generated by the infect script I may just keep it this way for
# Security reasons
system.stateVersion = "23.11";
}

377
hosts/stranox-strato/configuration_old.nix
View File

@@ -1,377 +0,0 @@
{ pkgs, inputs, config, ... }: {
imports = [
./hardware-configuration.nix
../../modules/rare/realmail.nix
../../modules/misc/virt.nix
#../../modules/server/collabora.nix
inputs.sops-nix.nixosModules.sops
];
networking.hosts = {
#"127.0.0.1" = ["cloud.hahn1.one" "cool.hahn1.one"];
#"::1" = ["cloud.hahn1.one" "cool.hahn1.one"];
};
# Enable all the old services on gullfoss
services.postgresql = {
enable = true;
# Ensure databases here
ensureDatabases = [ "mydatabase" ];
# TODO: integrate the old permission
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all trust
'';
};
#systemd.services.nixBuildTmuxSession = {
# description = "Start tmux nix build session if not already running";
# after = [ "network.target" ];
# path = with pkgs; [nix tmux ];
# serviceConfig = {
# Type = "oneshot";
# User = "jonas"; # Change this!
# };
# script = ''exec /home/jonas/projects/perdash/start_server.sh'';
#};
services.cron.enable = true;
# Sops setup
sops = {
defaultSopsFile = ../../../secrets.yaml;
defaultSopsFormat = "yaml";
# hard code the username here
age.keyFile = "/home/jonas/.config/sops/age/keys.txt";
secrets = {
joncook = {};
jondash = {};
nextpass = {
group = "nextcloud";
owner = "nextcloud";
};
};
templates = {
"jontemp2" = {
owner = "nginx";
group = "nginx";
content = ''add_header Set-Cookie "letmein=${config.sops.placeholder.joncook};max-age=3153600000;path=/";'';
};
"jontemp" = {
owner = "nginx";
group = "nginx";
content = ''"${config.sops.placeholder.joncook}" "yes";'';
};
};
};
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
swapDevices = [ { device = "/swapfile"; size = 8192; } ];
networking.hostName = "stranox";
# setup syncthing
# This is not needed for now because one should only use syncthing when not having battery problems
services = {
syncthing = {
enable = true;
user = "jonas";
#guiAddress = "0.0.0.0:8384";
dataDir = "/home/jonas/syncthing";
configDir = "/home/jonas/.config/syncthing";
overrideDevices = true; # overrides any devices added or deleted through the WebUI
overrideFolders = true; # overrides any folders added or deleted through the WebUI
settings = {
devices = {
"thinix" = { id = "3JHI72U-HQKX7S2-ITUD5U7-CS2P3TO-HM6Y6MZ-PFSUGWF-5OHHV7Q-NXYC5AP"; };
};
folders = {
# This is the mail folder to keep synced accross everything
# Its nice to have this declarativery and just work with the respectively ids
# "syncthing" = {
# "synct path = "/home/jonas/synced";
# "synct devices = [ "thinix" ];
# "synct ignorePerms = true;
# "synct versioning = {
# "synct type = "staggered";
# "synct };
# "synct};
};
};
};
};
services.nextcloud = {
enable = false;
# Use the defualt home
#home = "/mnt/nextcloudStorage";
package = pkgs.nextcloud30;
hostName = "cloud.hahn1.one";
settings = {
#trusted_domains = [""];
};
config = {
adminpassFile = config.sops.secrets.nextpass.path;
dbtype = "sqlite";
};
extraApps = {inherit (config.services.nextcloud.package.packages.apps) calendar ;};
extraAppsEnable = true;
https = true;
configureRedis = true;
maxUploadSize = "1G";
};
# configure users for small machine
users = {
defaultUserShell = pkgs.zsh;
groups = {
nginx = {};
nextcloud = {};
podman = {};
docker = {};
};
users = {
nginx = {
isSystemUser = true;
group = "nginx";
};
nextcloud = {
isSystemUser = true;
group = "nextcloud";
};
root = {
openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID44xurDPkTQr+f62llnHHAeXQRJi4JeVeo0vFL85CLA jonas@thinix'' ];
};
jonas = {
isNormalUser = true;
extraGroups = [ "wheel" "docker" "podman" ];
openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID44xurDPkTQr+f62llnHHAeXQRJi4JeVeo0vFL85CLA jonas@thinix'' ];
packages = with pkgs; [
neovim
pkgs.unstable.yazi
zsh
git
starship
eza
bat
lazygit
btop
gdu
fastfetch
sops
w3m
typst
tmux
wget
curl
pipx
fd
python3
nodejs
gcc
gnumake
findutils.locate
gradle
lua
todo-txt-cli
];
};
};
};
#environment.etc."nginx/htpasswd/jondash".source = config.sops.secrets.jondash.path;
# source the local httppass for the nginx login
environment.etc."nginx/htpasswd/jondash".source = ./htpasswd;
networking.firewall = {
enable = true;
allowedTCPPorts = [3478 80 443 8080 ];
allowedUDPPorts = [3478 ];
};
# Services for the cloud
services = {
openssh.enable = true;
nginx = {
mapHashBucketSize = 128;
enable = true;
appendHttpConfig = ''
map $cookie_letmein $dash_hascookie {
include ${config.sops.templates.jontemp.path};
default "no";
}
map $dash_hascookie $dash_authentication {
"yes" "off";
default "Your credentials please";
}
'';
virtualHosts = {
"dash.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
proxyPass = "http://127.0.0.1:8000";
proxyWebsockets = true;
extraConfig = ''
auth_basic $dash_authentication;
auth_basic_user_file /etc/nginx/htpasswd/jondash;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
include ${config.sops.templates.jontemp2.path};
'';
};
};
"sync.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
proxyPass = "http://127.0.0.1:8384";
proxyWebsockets = true;
};
};
# Easter special for having a schintzeljagt that implements modern technology
"jagd.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
proxyPass = "http://127.0.0.1:2345";
proxyWebsockets = true;
};
};
"dev.hahn1.one" = {
forceSSL = true;
enableACME = true;
# This is of course not secure but better than to have nothing
# First one need to read this code to access
basicAuth = { dev = "dev"; };
# use a dev proxypass to test some applications
locations."/" = {
proxyPass = "http://127.0.0.1:8888";
proxyWebsockets = true;
};
};
"cloud.hahn1.one" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://localhost:11000";
proxyWebsockets = true;
};
};
"cool.hahn1.one" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://[::1]:${toString config.services.collabora-online.port}";
proxyWebsockets = true;
};
};
"hahn1.one" = {
forceSSL = true;
enableACME = true;
default = true;
locations."/" = {
root = "${pkgs.nginx}/html";
index = "index.html";
};
};
};
};
};
security.acme = {
acceptTerms = true;
#TODO: activate this mail
defaults.email = "security@hahn1.one";
};
nixpkgs.config.allowUnfree = true;
nix.settings.experimental-features = ["flakes" "nix-command"];
time.timeZone = "Europe/Berlin";
environment = {
sessionVariables = {
};
systemPackages = with pkgs; [
git
fastfetch
lazygit
unzip
fzf
zathura
# everywhere support
starship
zoxide
# add sync support
rsync
flock
unison
# curl for scripting
curl
];
};
programs.zsh = {
enable = true;
autosuggestions.enable = true;
ohMyZsh = {
enable = true;
plugins = [
"history-substring-search"
"git"
"zoxide"
"sudo"
"vi-mode"
"systemadmin"
];
};
};
# In case of gui usage
programs = {
nix-ld.enable = true;
};
# This was generated by the infect script I may just keep it this way for
# Security reasons
system.stateVersion = "23.11";
}

9
hosts/stranox-strato/hardware-configuration.nix
View File

@@ -1,9 +0,0 @@
{ modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub.device = "/dev/vda";
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; };
}

1
hosts/stranox-strato/htpasswd
View File

@@ -1 +0,0 @@
jonas:$2y$05$PQhZXP4kXq/hGvPwMQQ6A.G9T4VnxG4PJE4RG16D7z/rZffd6ezYu

160
hosts/thinix-thinkpad/configuration.nix
View File

@@ -1,57 +1,19 @@
# Configuratoin for my thinkpad t470s
{ pkgs, config, inputs, ... }:
{ pkgs, ... }:
{
imports = [
# Import neccessities
./hardware-configuration.nix
./../../user/users.nix
# Import own modules
../../users.nix
# ../../modules/workstation.nix
../../modules/tweaks.nix
../../modules/laptop.nix
../../common.nix
./../../modules/common.nix
inputs.sops-nix.nixosModules.sops
./../../modules/hardware/xremap.nix
./../../modules/hardware/battery.nix
];
sops = {
defaultSopsFile = ../../../secrets.yaml;
defaultSopsFormat = "yaml";
# hard code the username here
age.keyFile = "/home/jonas/.config/sops/age/keys.txt";
templates = {
"davtemp" = {
owner = "root";
content = ''${config.sops.placeholder.davurl} ${config.sops.placeholder.jondav} ${config.sops.placeholder.jondavpass}'';
mode = "0600";
path = "/etc/davfs2/secrets";
};
};
secrets = {
davurl = {
owner = "jonas";
};
jondav = {
owner = "jonas";
};
jondavpass = {
owner = "jonas";
};
};
};
networking.hostName = "thinix";
batMode = "double";
networking.firewall.allowedTCPPorts = [
# Opening ssh and the web
80
443
# Dev ports
8888
2345
8080
];
programs.gnupg.agent = {
enable = true;
pinentryPackage = with pkgs; pinentry-all;
@@ -68,124 +30,18 @@
services.davfs2.enable = true;
# ensure the mountpoint directory exists
systemd.tmpfiles.rules = [
"d /mnt/webdav 0755 jonas users -"
#"d /var/cache/davfs2/sync.hahn1.one+mnt-webdav+jonas 0700 jonas users -"
];
# Just works
systemd.mounts = [
{
description = "Webdav mount point";
#after = [ "network-online.target" ];
wants = [ "network-online.target" ];
what = "https://sync.hahn1.one";
where = "/mnt/webdav";
type = "davfs";
options = "uid=1000,gid=1000,file_mode=0664,dir_mode=2775,_netdev";
mountConfig.TimeoutSec = "15s";
#wantedBy = [ "multi-user.target" ];
}
];
# systemd.automounts = [
# {
# where = "/mnt/webdav";
# wantedBy = [ "multi-user.target" ];
# automountConfig = {
# TimeoutIdleSec = "20m";
# };
# }
# ];
nixpkgs.config.allowUnfree = true;
services = {
syncthing = {
enable = true;
user = "jonas";
# Have to set the bandwidth for the syncing manually for laptops
#guiAddress = "0.0.0.0:8384";
dataDir = "/home/jonas/synced";
configDir = "/home/jonas/.config/syncthing";
overrideDevices = true; # overrides any devices added or deleted through the WebUI
overrideFolders = false; # overrides any folders added or deleted through the WebUI
settings = {
devices = {
"stranox" = { id = "KTFN5YR-NU2Y6EV-WU6D635-H2AUZTJ-KL6UIVE-L7N2EU5-GPY34N7-ZQ36MAI"; };
};
folders = {
# This is the mail folder to keep synced accross everything
# Auto opt in for the sync folder that is on the server
# Further down the line you can split your sync setup into multiple folders
## "synced" = {
# path = "/home/jonas/syncedokay";
# devices = [ "stranox" ];
# ignorePerms = true;
# #fsWatcherDelayS="10";
# # Try to save battery with this
# # Remember to also look at options that are not in the
# # nixos options search
# fsWatcherEnabled = true;
# #disableFsync = true;
# pullerPauseS = 600;
# rescanIntervalS = 1200;
# versioning = {
# type = "staggered";
# };
#};
};
};
};
};
###### TEMP AREA
# security.krb5 = {
# enable = true;
# settings = {
# libdefaults = {
# default_realm = "UNI-GOETTINGEN.DE"; # Replace with actual realm
# };
# };
# };
# Thinkpad specific fingerprint reader does not work yet
# For further information see: https://gitlab.freedesktop.org/3v1n0/libfprint-tod-vfs0090
#services.fprintd = {
# enable = true;
# tod = {
# enable = true;
# driver = pkgs.libfprint-2-tod1-vfs0090;
# };
#};
#####
networking.hostName = "thinix";
batMode = "double";
networking = {
networkmanager = {
wifi.powersave = true;
};
};
services.dnsmasq.enable = true;
# Setting up swap in case of emergency
swapDevices = [
{
device = "/swapfile";
size = 4096; # size in MB (4096 MB = 4 GB)
size = 4096;
}
];
# this does not work with flakes
#system.copySystemConfiguration = true;
system.stateVersion = "24.11";
}