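{ pkgs, inputs, config, ... }:
let
  # Every public hostname served by this machine; mapped to loopback below so
  # services on the box resolve their own vhosts locally (IPv4 and IPv6 share
  # one list instead of two copies that could drift apart).
  localHosts = [
    "dash.hahn1.one"
    "sync.hahn1.one"
    "jagd.hahn1.one"
    "cloud.hahn1.one"
    "cool.hahn1.one"
    "hahn1.one"
  ];

  # The one admin key used for both root and jonas.
  jonasKey = ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID44xurDPkTQr+f62llnHHAeXQRJi4JeVeo0vFL85CLA jonas@thinix'';
in
{
  imports = [
    ./hardware-configuration.nix
    ../../modules/rare/realmail.nix
    ../../modules/misc/virt.nix
    #../../modules/server/collabora.nix
    inputs.sops-nix.nixosModules.sops
  ];

  networking.hosts = {
    "127.0.0.1" = localHosts;
    "::1" = localHosts;
  };

  # Enable all the old services on gullfoss
  services.postgresql = {
    enable = true;
    # Ensure databases here
    ensureDatabases = [ "mydatabase" ];
    # TODO: integrate the old permission
    # NOTE(review): `local all all trust` lets every local OS account open every
    # database without a password. Anything running on this host (nginx, webdav,
    # k3s workloads with host networking) can therefore read/write postgres.
    # Prefer `peer` or `scram-sha-256` once the old permissions are ported.
    authentication = pkgs.lib.mkOverride 10 ''
      #type database DBuser auth-method
      local all all trust
    '';
  };

  #systemd.services.nixBuildTmuxSession = {
  #  description = "Start tmux nix build session if not already running";
  #  after = [ "network.target" ];
  #  path = with pkgs; [ nix tmux ];
  #  serviceConfig = {
  #    Type = "oneshot";
  #    User = "jonas"; # Change this!
  #  };
  #  script = ''exec /home/jonas/projects/perdash/start_server.sh'';
  #};

  services.cron.enable = true;

  # Sops setup
  sops = {
    defaultSopsFile = ../../../secrets.yaml;
    defaultSopsFormat = "yaml";
    # hard code the username here
    age.keyFile = "/home/jonas/.config/sops/age/keys.txt";
    secrets = {
      joncook = { };
      jondash = { };
      jondav = { };
      jondavpass = { };
      nextpass = {
        group = "nextcloud";
        owner = "nextcloud";
      };
    };
    templates = {
      # Included in the dash location: once basic auth succeeded, hand out the
      # long-lived bypass cookie that `jontemp` below recognises.
      # NOTE(review): the cookie carries the raw secret and is set without
      # `Secure`/`HttpOnly`/`SameSite`; if nothing client-side needs to read it,
      # adding those attributes limits leakage via plaintext requests or scripts.
      "jontemp2" = {
        owner = "nginx";
        group = "nginx";
        content = ''add_header Set-Cookie "letmein=${config.sops.placeholder.joncook};max-age=3153600000;path=/";'';
      };
      # One `map` entry: cookie value -> "yes".
      "jontemp" = {
        owner = "nginx";
        group = "nginx";
        content = ''"${config.sops.placeholder.joncook}" "yes";'';
      };
      # Rendered WebDAV config consumed via services.webdav.configFile below.
      "webdavconf" = {
        owner = "webdav";
        group = "webdav";
        content = ''
          #permissions: CRUD
          #debug: true
          #behindProxy: true
          address: 0.0.0.0
          auth: true
          modify: true
          port: 6065
          #scope: /var/lib/webdav/
          directory: /var/lib/webdav/
          #rules: []
          #permissions: R
          users:
            - password: '${config.sops.placeholder.jondavpass}'
              username: ${config.sops.placeholder.jondav}
              permissions: CRUD
        '';
        path = "/etc/webdav/config.yaml";
      };
    };
  };

  systemd.tmpfiles.rules = [
    "d /var/lib/webdav 0750 webdav webdav -"
  ];

  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;
  swapDevices = [
    {
      device = "/swapfile";
      size = 8192;
    }
  ];

  networking.hostName = "stranox";

  # setup syncthing
  # This is not needed for now because one should only use syncthing when not having battery problems
  services = {
    syncthing = {
      enable = true;
      user = "jonas";
      #guiAddress = "0.0.0.0:8384";
      dataDir = "/home/jonas/syncthing";
      configDir = "/home/jonas/.config/syncthing";
      overrideDevices = true; # overrides any devices added or deleted through the WebUI
      overrideFolders = true; # overrides any folders added or deleted through the WebUI
      settings = {
        devices = {
          "thinix" = {
            id = "3JHI72U-HQKX7S2-ITUD5U7-CS2P3TO-HM6Y6MZ-PFSUGWF-5OHHV7Q-NXYC5AP";
          };
          "androidp" = {
            id = "UIJS6LQ-CQY7UWH-3KTJ2VH-3N73VNK-V6NWTIE-L4ZUEWW-R625SV4-YKMVKQY";
          };
        };
        folders = {
          # This is the main folder to keep synced across everything.
          # It is nice to have this declaratively and just work with the respective ids.
          # "syncthing" = {
          #   path = "/home/jonas/synced";
          #   devices = [ "thinix" ];
          #   ignorePerms = true;
          #   versioning = {
          #     type = "staggered";
          #   };
          # };
          "syncthingtest" = {
            path = "/home/jonas/phonebla";
            devices = [ "androidp" ];
            ignorePerms = true;
            versioning = {
              type = "staggered";
            };
          };
        };
      };
    };
  };

  # CalDAV/CardDAV, loopback only; reached through the /radicale/ location on hahn1.one.
  # NOTE(review): auth.type = "none" and the nginx location adds no auth_basic,
  # so the collections look reachable without credentials from the internet --
  # confirm this is intended, otherwise enable htpasswd auth here or in nginx.
  services.radicale = {
    enable = true;
    settings.server.hosts = [ "127.0.0.1:5232" ];
    settings.auth.type = "none";
  };

  services.nextcloud = {
    enable = false;
    # Use the default home
    #home = "/mnt/nextcloudStorage";
    package = pkgs.nextcloud30;
    hostName = "cloud.hahn1.one";
    settings = {
      #trusted_domains = [""];
    };
    config = {
      adminpassFile = config.sops.secrets.nextpass.path;
      dbtype = "sqlite";
    };
    extraApps = { inherit (config.services.nextcloud.package.packages.apps) calendar; };
    extraAppsEnable = true;
    https = true;
    configureRedis = true;
    maxUploadSize = "1G";
  };

  # configure users for small machine
  users = {
    defaultUserShell = pkgs.zsh;
    groups = {
      nginx = { };
      nextcloud = { };
      podman = { };
      docker = { };
      webdav = { };
    };
    users = {
      nginx = {
        isSystemUser = true;
        group = "nginx";
      };
      webdav = {
        isSystemUser = true;
        group = "webdav";
      };
      nextcloud = {
        isSystemUser = true;
        group = "nextcloud";
      };
      root = {
        openssh.authorizedKeys.keys = [ jonasKey ];
      };
      jonas = {
        isNormalUser = true;
        # docker/podman membership is effectively root-equivalent on this host.
        extraGroups = [ "wheel" "docker" "podman" "webdav" "davfs2" ];
        openssh.authorizedKeys.keys = [ jonasKey ];
        packages = with pkgs; [
          neovim
          pkgs.unstable.yazi
          zsh
          git
          starship
          eza
          bat
          lazygit
          btop
          gdu
          fastfetch
          sops
          w3m
          typst
          tmux
          wget
          curl
          pipx
          fd
          python3
          nodejs
          gcc
          gnumake
          findutils.locate
          gradle
          lua
          todo-txt-cli
        ];
      };
    };
  };

  #environment.etc."nginx/htpasswd/jondash".source = config.sops.secrets.jondash.path;
  # source the local httppass for the nginx login
  environment.etc."nginx/htpasswd/jondash".source = ./htpasswd;

  networking.firewall = {
    enable = true;
    # 6065: WebDAV listener (see webdavconf) -- NOTE(review): it binds 0.0.0.0 and
    #       speaks plain HTTP basic auth, so opening it bypasses the TLS vhost on
    #       sync.hahn1.one; bind to 127.0.0.1 and drop the port unless direct
    #       access is really needed.
    # 6443: k3s API server (see the commented k3s block below).
    # 80/443: nginx + ACME.
    # 3478 TCP/UDP and 8080: nothing in this file listens there -- presumably a
    #       TURN server and a container; confirm and remove if unused.
    allowedTCPPorts = [ 6065 6443 3478 80 443 8080 ];
    allowedUDPPorts = [ 3478 ];
  };

  # Services for the cloud
  services = {
    openssh.enable = true;
    nginx = {
      mapHashBucketSize = 128;
      enable = true;
      # Cookie-based bypass of basic auth for the dashboard: a cookie whose
      # value matches the sops secret switches auth_basic off.
      appendHttpConfig = ''
        map $cookie_letmein $dash_hascookie {
          include ${config.sops.templates.jontemp.path};
          default "no";
        }
        map $dash_hascookie $dash_authentication {
          "yes" "off";
          default "Your credentials please";
        }
      '';
      virtualHosts = {
        "dash.hahn1.one" = {
          forceSSL = true;
          enableACME = true;
          #basicAuth = { jonas = "1234"; };
          locations."/" = {
            proxyPass = "http://127.0.0.1:8000";
            proxyWebsockets = true;
            extraConfig = ''
              auth_basic $dash_authentication;
              auth_basic_user_file /etc/nginx/htpasswd/jondash;
              proxy_set_header Host $host;
              proxy_set_header X-Forwarded-For $remote_addr;
              include ${config.sops.templates.jontemp2.path};
            '';
          };
        };
        "rad.hahn1.one" = {
          forceSSL = true;
          enableACME = true;
          #basicAuth = { jonas = "1234"; };
          locations."/" = {
            root = "${pkgs.nginx}/html";
            index = "index.html";
          };
        };
        # Syncthing web UI.
        # NOTE(review): guiAddress is left at its default and no GUI user/password
        # is set in services.syncthing above, so this vhost appears to expose the
        # admin UI with whatever auth syncthing has stored locally -- confirm.
        "dev.hahn1.one" = {
          forceSSL = true;
          enableACME = true;
          #basicAuth = { jonas = "1234"; };
          locations."/" = {
            proxyPass = "http://127.0.0.1:8384";
            proxyWebsockets = true;
          };
        };
        # "qrank.hahn1.one" = {
        #   forceSSL = true;
        #   enableACME = true;
        #   #basicAuth = { jonas = "1234"; };
        #   locations."/" = {
        #     proxyPass = "http://127.0.0.1:18765";
        #     proxyWebsockets = true;
        #   };
        # };
        # Easter special for having a Schnitzeljagd that implements modern technology
        "jagd.hahn1.one" = {
          forceSSL = true;
          enableACME = true;
          #basicAuth = { jonas = "1234"; };
          locations."/" = {
            proxyPass = "http://127.0.0.1:2345";
            proxyWebsockets = true;
          };
        };
        #"dev.hahn1.one" = {
        #  forceSSL = true;
        #  enableACME = true;
        #  #basicAuth = { jonas = "1234"; };
        #  locations."/" = {
        #    proxyPass = "http://127.0.0.1:6065";
        #    proxyWebsockets = true;
        #  };
        #};
        #"dev.hahn1.one" = {
        #  forceSSL = true;
        #  enableACME = true;
        #  # This is of course not secure but better than to have nothing
        #  # First one need to read this code to access
        #  basicAuth = { dev = "dev"; };
        #  # use a dev proxypass to test some applications
        #  locations."/" = {
        #    proxyPass = "http://127.0.0.1:8888";
        #    proxyWebsockets = true;
        #  };
        #};
        # services.nextcloud is disabled above; whatever answers on 11000 is not
        # declared in this file.
        "cloud.hahn1.one" = {
          enableACME = true;
          addSSL = true;
          locations."/" = {
            proxyPass = "http://localhost:11000";
            proxyWebsockets = true;
          };
        };
        # TLS front for the WebDAV listener. The Destination header rewrite keeps
        # MOVE/COPY working behind the proxy.
        # NOTE(review): the regex matches dev.hahn1.one, but this vhost is
        # sync.hahn1.one (dev -> 6065 is the commented block above); as written the
        # rewrite never fires for clients talking to sync.hahn1.one -- confirm.
        "sync.hahn1.one" = {
          enableACME = true;
          addSSL = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:6065";
            extraConfig = ''
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header REMOTE-HOST $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header Host $host;
              proxy_redirect off;
              set $dest $http_destination;
              # Named capture restored: `$path` below requires a `<path>` group,
              # and "(?(" alone is not a valid PCRE construct.
              if ($http_destination ~ "^https://dev.hahn1.one(?<path>(.+))") {
                set $dest /$path;
              }
              proxy_set_header Destination $dest;
            '';
            proxyWebsockets = true;
          };
        };
        # Collabora Online. The collabora module import is commented out above, so
        # unless it is enabled elsewhere this proxies to a port nothing listens on.
        "cool.hahn1.one" = {
          enableACME = true;
          addSSL = true;
          locations."/" = {
            proxyPass = "http://[::1]:${toString config.services.collabora-online.port}";
            proxyWebsockets = true;
          };
        };
        # Default nginx site to flex
        "hahn1.one" = {
          forceSSL = true;
          enableACME = true;
          default = true;
          locations."/" = {
            root = "${pkgs.nginx}/html";
            index = "index.html";
          };
          locations."/radicale/" = {
            proxyPass = "http://127.0.0.1:5232/";
            extraConfig = ''
              proxy_set_header X-Script-Name /radicale;
              proxy_pass_header Authorization;
            '';
          };
        };
      };
    };
  };

  #networking.firewall.allowedTCPPorts = [
  #  6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
  #  # 2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration
  #  # 2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration
  #];
  #networking.firewall.allowedUDPPorts = [
  #  # 8472 # k3s, flannel: required if using multi-node for inter-node networking
  #];

  services.webdav.enable = true; # test turning off
  services.webdav.user = "webdav";
  services.webdav.group = "webdav";
  # Old inline settings, superseded by the sops-rendered config file.
  # NOTE(review): the password literal below lives in git history even though it
  # is commented out; treat it as compromised and make sure it is not reused.
  #services.webdav.settings =
  #  {
  #    address = "0.0.0.0";
  #    port = 6065;
  #    #scope = "/var/lib/webdav/";
  #    directory = "/var/lib/webdav";
  #    modify = true;
  #    auth = true;
  #    users = [
  #      {
  #        username = "jonas";
  #        password = "jonasdav123";
  #      }
  #    ];
  #  };
  services.webdav.configFile = "/etc/webdav/config.yaml";

  # k3s testing
  services.k3s = {
    enable = true;
    role = "server";
    extraFlags = [
      "--disable=traefik"
      "--debug"
    ];
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "security@hahn1.one";
  };

  nixpkgs.config.allowUnfree = true;
  nix.settings.experimental-features = [ "flakes" "nix-command" ];
  time.timeZone = "Europe/Berlin";

  environment = {
    sessionVariables = { };
    systemPackages = with pkgs; [
      git
      fastfetch
      ripgrep
      lazygit
      unzip
      fzf
      zathura
      # everywhere support
      starship
      zoxide
      # add sync support
      rsync
      flock
      unison
      # curl for scripting
      curl
    ];
  };

  programs.zsh = {
    enable = true;
    autosuggestions.enable = true;
    ohMyZsh = {
      enable = true;
      plugins = [
        "history-substring-search"
        "git"
        "zoxide"
        "sudo"
        "vi-mode"
        "systemadmin"
      ];
    };
  };

  # In case of gui usage
  programs = {
    nix-ld.enable = true;
  };

  # This was generated by the infect script; I may just keep it this way for
  # safety reasons (stateVersion pins stateful defaults and should not be bumped casually).
  system.stateVersion = "23.11";
}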