jonas/nixos
1
0
Fork 0
mirror of https://github.com/Ascyii/nixos.git synced 2025-12-31 22:44:23 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
75d30efc6ca9dc10906a1be9ee4431569e8b7bd8
nixos/hosts/stranox-strato/configuration_old.nix
Jonas Hahn 4ebc8b23fe Initial commit unclean
2025-08-30 20:31:10 +02:00

378 lines
7.9 KiB
Nix
Raw Blame History

{ pkgs, inputs, config, ... }: {
imports = [
./hardware-configuration.nix
../../modules/rare/realmail.nix
../../modules/misc/virt.nix
#../../modules/server/collabora.nix
inputs.sops-nix.nixosModules.sops
];
networking.hosts = {
#"127.0.0.1" = ["cloud.hahn1.one" "cool.hahn1.one"];
#"::1" = ["cloud.hahn1.one" "cool.hahn1.one"];
};
# Enable all the old services on gullfoss
services.postgresql = {
enable = true;
# Ensure databases here
ensureDatabases = [ "mydatabase" ];
# TODO: integrate the old permission
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all trust
'';
};
#systemd.services.nixBuildTmuxSession = {
# description = "Start tmux nix build session if not already running";
# after = [ "network.target" ];
# path = with pkgs; [nix tmux ];
# serviceConfig = {
# Type = "oneshot";
# User = "jonas"; # Change this!
# };
# script = ''exec /home/jonas/projects/perdash/start_server.sh'';
#};
services.cron.enable = true;
# Sops setup
sops = {
defaultSopsFile = ../../../secrets.yaml;
defaultSopsFormat = "yaml";
# hard code the username here
age.keyFile = "/home/jonas/.config/sops/age/keys.txt";
secrets = {
joncook = {};
jondash = {};
nextpass = {
group = "nextcloud";
owner = "nextcloud";
};
};
templates = {
"jontemp2" = {
owner = "nginx";
group = "nginx";
content = ''add_header Set-Cookie "letmein=${config.sops.placeholder.joncook};max-age=3153600000;path=/";'';
};
"jontemp" = {
owner = "nginx";
group = "nginx";
content = ''"${config.sops.placeholder.joncook}" "yes";'';
};
};
};
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
swapDevices = [ { device = "/swapfile"; size = 8192; } ];
networking.hostName = "stranox";
# setup syncthing
# This is not needed for now because one should only use syncthing when not having battery problems
services = {
syncthing = {
enable = true;
user = "jonas";
#guiAddress = "0.0.0.0:8384";
dataDir = "/home/jonas/syncthing";
configDir = "/home/jonas/.config/syncthing";
overrideDevices = true; # overrides any devices added or deleted through the WebUI
overrideFolders = true; # overrides any folders added or deleted through the WebUI
settings = {
devices = {
"thinix" = { id = "3JHI72U-HQKX7S2-ITUD5U7-CS2P3TO-HM6Y6MZ-PFSUGWF-5OHHV7Q-NXYC5AP"; };
};
folders = {
# This is the mail folder to keep synced accross everything
# Its nice to have this declarativery and just work with the respectively ids
# "syncthing" = {
# "synct path = "/home/jonas/synced";
# "synct devices = [ "thinix" ];
# "synct ignorePerms = true;
# "synct versioning = {
# "synct type = "staggered";
# "synct };
# "synct};
};
};
};
};
services.nextcloud = {
enable = false;
# Use the defualt home
#home = "/mnt/nextcloudStorage";
package = pkgs.nextcloud30;
hostName = "cloud.hahn1.one";
settings = {
#trusted_domains = [""];
};
config = {
adminpassFile = config.sops.secrets.nextpass.path;
dbtype = "sqlite";
};
extraApps = {inherit (config.services.nextcloud.package.packages.apps) calendar ;};
extraAppsEnable = true;
https = true;
configureRedis = true;
maxUploadSize = "1G";
};
# configure users for small machine
users = {
defaultUserShell = pkgs.zsh;
groups = {
nginx = {};
nextcloud = {};
podman = {};
docker = {};
};
users = {
nginx = {
isSystemUser = true;
group = "nginx";
};
nextcloud = {
isSystemUser = true;
group = "nextcloud";
};
root = {
openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID44xurDPkTQr+f62llnHHAeXQRJi4JeVeo0vFL85CLA jonas@thinix'' ];
};
jonas = {
isNormalUser = true;
extraGroups = [ "wheel" "docker" "podman" ];
openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID44xurDPkTQr+f62llnHHAeXQRJi4JeVeo0vFL85CLA jonas@thinix'' ];
packages = with pkgs; [
neovim
pkgs.unstable.yazi
zsh
git
starship
eza
bat
lazygit
btop
gdu
fastfetch
sops
w3m
typst
tmux
wget
curl
pipx
fd
python3
nodejs
gcc
gnumake
findutils.locate
gradle
lua
todo-txt-cli
];
};
};
};
#environment.etc."nginx/htpasswd/jondash".source = config.sops.secrets.jondash.path;
# source the local httppass for the nginx login
environment.etc."nginx/htpasswd/jondash".source = ./htpasswd;
networking.firewall = {
enable = true;
allowedTCPPorts = [3478 80 443 8080 ];
allowedUDPPorts = [3478 ];
};
# Services for the cloud
services = {
openssh.enable = true;
nginx = {
mapHashBucketSize = 128;
enable = true;
appendHttpConfig = ''
map $cookie_letmein $dash_hascookie {
include ${config.sops.templates.jontemp.path};
default "no";
}
map $dash_hascookie $dash_authentication {
"yes" "off";
default "Your credentials please";
}
'';
virtualHosts = {
"dash.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
proxyPass = "http://127.0.0.1:8000";
proxyWebsockets = true;
extraConfig = ''
auth_basic $dash_authentication;
auth_basic_user_file /etc/nginx/htpasswd/jondash;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
include ${config.sops.templates.jontemp2.path};
'';
};
};
"sync.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
proxyPass = "http://127.0.0.1:8384";
proxyWebsockets = true;
};
};
# Easter special for having a schintzeljagt that implements modern technology
"jagd.hahn1.one" = {
forceSSL = true;
enableACME = true;
#basicAuth = { jonas = "1234"; };
locations."/" = {
proxyPass = "http://127.0.0.1:2345";
proxyWebsockets = true;
};
};
"dev.hahn1.one" = {
forceSSL = true;
enableACME = true;
# This is of course not secure but better than to have nothing
# First one need to read this code to access
basicAuth = { dev = "dev"; };
# use a dev proxypass to test some applications
locations."/" = {
proxyPass = "http://127.0.0.1:8888";
proxyWebsockets = true;
};
};
"cloud.hahn1.one" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://localhost:11000";
proxyWebsockets = true;
};
};
"cool.hahn1.one" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://[::1]:${toString config.services.collabora-online.port}";
proxyWebsockets = true;
};
};
"hahn1.one" = {
forceSSL = true;
enableACME = true;
default = true;
locations."/" = {
root = "${pkgs.nginx}/html";
index = "index.html";
};
};
};
};
};
security.acme = {
acceptTerms = true;
#TODO: activate this mail
defaults.email = "security@hahn1.one";
};
nixpkgs.config.allowUnfree = true;
nix.settings.experimental-features = ["flakes" "nix-command"];
time.timeZone = "Europe/Berlin";
environment = {
sessionVariables = {
};
systemPackages = with pkgs; [
git
fastfetch
lazygit
unzip
fzf
zathura
# everywhere support
starship
zoxide
# add sync support
rsync
flock
unison
# curl for scripting
curl
];
};
programs.zsh = {
enable = true;
autosuggestions.enable = true;
ohMyZsh = {
enable = true;
plugins = [
"history-substring-search"
"git"
"zoxide"
"sudo"
"vi-mode"
"systemadmin"
];
};
};
# In case of gui usage
programs = {
nix-ld.enable = true;
};
# This was generated by the infect script I may just keep it this way for
# Security reasons
system.stateVersion = "23.11";
}
Reference in New Issue View Git Blame Copy Permalink