diff --git a/flake.nix b/flake.nix index 23a4e9b5..2a7b7ad8 100644 --- a/flake.nix +++ b/flake.nix @@ -36,6 +36,8 @@ musnix.inputs.nixpkgs.follows = "nixpkgs"; nixpkgs-hensoko.url = "git+https://git.b12f.io/hensoko/nixpkgs"; + nixmodules-hensoko.url = "git+ssh://gitea@git.pub.solar/hensoko/nix-modules.git?ref=main"; + nixos-config.url = "git+ssh://gitea@git.pub.solar/hensoko/nixos-config.git?ref=main"; factorio-pr.url = "github:werner291/nixpkgs/master"; }; diff --git a/modules/concourse-server/default.nix b/modules/concourse-server/default.nix deleted file mode 100644 index ebfd8508..00000000 --- a/modules/concourse-server/default.nix +++ /dev/null @@ -1,63 +0,0 @@ -{ - lib, - config, - pkgs, - ... -}: -with lib; let - psCfg = config.pub-solar; - cfg = config.pub-solar.concourse-server; -in { - options.pub-solar.concourse-server = { - enable = mkOption { - description = "Concourse server"; - default = false; - }; - - hostStateDir = mkOption { - description = "sets the state directory on host side"; - default = "/srv/concourse-server/data"; - }; - }; - - config = mkIf cfg.enable { - containers."concourse-server" = { - autoStart = true; - ephemeral = true; - bindMounts."/data" = { - hostPath = cfg.hostStateDir; - isReadOnly = false; - }; - - config = { - config, - pkgs, - ... - }: { - nixpkgs.overlays = [ (self: super: { - concourse = self.pkgs.concourse; - }) ]; - - system.stateVersion = "23.05"; - - networking.firewall.enable = false; - - services.postgresql = { - enable = true; - }; - - systemd.services.concourse-web = { - enable = true; - description = "concourse web"; - unitConfig = { - Type = "simple"; - }; - serviceConfig = { - ExecStart = "${pkgs.concourse}/bin/concourse"; - }; - wantedBy = [ "multi-user.target" ]; - }; - }; - }; - }; -} diff --git a/modules/default.nix b/modules/default.nix index 3358c716..355846ec 100644 --- a/modules/default.nix +++ b/modules/default.nix 
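Review bot: The two inputs added here carry no `inputs.nixpkgs.follows = "nixpkgs";` line, unlike the `musnix` entry visible just above them, so if those flakes declare a nixpkgs input each will lock and evaluate its own nixpkgs revision; add `nixmodules-hensoko.inputs.nixpkgs.follows = "nixpkgs";` and the same for `nixos-config` if that applies. Both URLs fetch over ssh with `?ref=main`, which the lock file pins to a commit, but every `nix flake update` then moves to whatever is on that branch; if a fixed revision is intended, add `&rev=` with the commit to the URL. As far as the visible hunks show, `nixos-config` is not referenced anywhere in this commit (only `nixmodules-hensoko` is, in modules/default.nix), so it may be an unused dependency.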
@@ -26,6 +26,7 @@ in self.nixosModules.home-manager inputs.agenix.nixosModules.default inputs.musnix.nixosModules.musnix + inputs.nixmodules-hensoko.nixosModules.all ({ flake, @@ -35,18 +36,34 @@ in master, ... }: { - nixpkgs.overlays = (import ../overlays) ++ [ + nixpkgs.overlays = (import ../overlays) ++ + [ (prev: next: { - scan2paperless = inputs.scan2paperless.legacyPackages.${prev.system}.scan2paperless; nixd = inputs.unstable.legacyPackages.${prev.system}.nixd; - factorio-headless = inputs.master.legacyPackages.${prev.system}.factorio-headless; - paperless-ngx = inputs.master.legacyPackages.${prev.system}.paperless-ngx; + # needed by sway module waybar = inputs.master.legacyPackages.${prev.system}.waybar; + + + # unstable + appflowy = inputs.unstable.legacyPackages.${prev.system}.appflowy; + docker_24 = inputs.unstable.legacyPackages.${prev.system}.docker_24; + home-assistant = inputs.unstable.legacyPackages.${prev.system}.home-assistant; + + scan2paperless = inputs.scan2paperless.legacyPackages.${prev.system}.scan2paperless; + paperless-ngx = inputs.master.legacyPackages.${prev.system}.paperless-ngx; + + factorio-headless = inputs.master.legacyPackages.${prev.system}.factorio-headless; element-desktop = inputs.master.legacyPackages.${prev.system}.element-desktop; adlist = inputs.adblock-unbound.packages.${prev.system}; }) + + (prev: next: { + vimPlugins = next.vimPlugins // { + inherit (inputs.master.legacyPackages.${prev.system}.vimPlugins) nvim-lspconfig; + }; + }) ]; nix.nixPath = [ diff --git a/modules/home-assistant/default.nix b/modules/home-assistant/default.nix deleted file mode 100644 index 935b1541..00000000 --- a/modules/home-assistant/default.nix +++ /dev/null 
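Review bot: The added `inputs.nixmodules-hensoko.nixosModules.all` imports every NixOS module exported by the external flake into every host that uses this module list, so any unconditional configuration or option defaults in that repository now apply to all hosts; if only some modules are needed, import them individually. Since this commit deletes the local `pub-solar.*` modules (home-assistant, home-controller, monitoring-client, monitoring-server, paperless, server), the external modules presumably replace them under the same option paths — worth confirming that the existing host configurations still evaluate, since a renamed or missing option only surfaces at evaluation time. The enclosing module list continues outside the hunk.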
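Review bot: The overlay arguments are named `prev: next:`, but nixpkgs passes the fixed point first and the previous layer second, so in the added vimPlugins overlay `next.vimPlugins` is actually the previous package set and `prev.system` reads from the final one; the code is correct but the names are backwards. Renaming to `final: prev:` with `prev.vimPlugins // { ... }` and `final.system` would match the convention used in the nixpkgs manual and make the `//` merge read as intended. The new `# unstable` comment now heads `scan2paperless`, `paperless-ngx` and `factorio-headless`, which come from the `scan2paperless` and `master` inputs, so the grouping comment misdescribes those lines; either move them under their own `# master` comment or drop the heading. The hunk also leaves two consecutive blank lines after `waybar`.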
@@ -1,68 +0,0 @@ -{ - lib, - config, - options, - pkgs, - flake, - ... -}: -with lib; let - cfg = config.pub-solar.home-assistant; -in { - imports = [ - ./home-assistant.nix - ./mqtt.nix - ./zigbee.nix - (flake.inputs.unstable + "/nixos/modules/services/home-automation/home-assistant.nix") - ]; - - disabledModules = [ - "services/home-automation/home-assistant.nix" - ]; - - options.pub-solar.home-assistant = { - enable = mkOption { - description = "Control your home"; - type = types.bool; - default = false; - }; - - config = options.services.home-assistant.config; - extraComponents = options.services.home-assistant.extraComponents; - extraPackages = options.services.home-assistant.extraPackages; - - mqtt = { - enable = mkOption { - description = "use mqtt"; - type = types.bool; - default = true; - }; - - users = mkOption { - description = "mqtt users"; - # type = types.AttrSet; - default = null; - }; - }; - - zigbee2mqtt = { - enable = mkOption { - description = "Enable zigbee2mqtt"; - type = types.bool; - default = false; - }; - - device = mkOption { - description = "Device to connect to zigbee network"; - type = types.nullOr types.str; - default = null; - }; - - adapter = mkOption { - description = "Specify zigbee adapter type"; - type = types.nullOr types.str; - default = null; - }; - }; - }; -} diff --git a/modules/home-assistant/home-assistant.nix b/modules/home-assistant/home-assistant.nix deleted file mode 100644 index 2d94ad42..00000000 --- a/modules/home-assistant/home-assistant.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ - lib, - config, - pkgs, - ... -}: -with lib; let - cfg = config.pub-solar.home-assistant; -in { - config = mkIf cfg.enable { - networking.firewall.allowedUDPPorts = [1900]; - - services.home-assistant = { - enable = true; - openFirewall = true; - extraComponents = - cfg.extraComponents - ++ lib.optionals cfg.mqtt.enable ["mqtt"]; - extraPackages = cfg.extraPackages; - config = cfg.config; - }; - }; -} 
diff --git a/modules/home-assistant/mqtt.nix b/modules/home-assistant/mqtt.nix deleted file mode 100644 index 32eb3718..00000000 --- a/modules/home-assistant/mqtt.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ - lib, - config, - pkgs, - ... -}: -with lib; let - haCfg = config.pub-solar.home-assistant; - cfg = config.pub-solar.home-assistant.mqtt; -in { - config = mkIf (haCfg.enable && cfg.enable) { - networking.firewall.allowedTCPPorts = [ - 1883 # mosquitto - ]; - - services.mosquitto = { - enable = true; - listeners = [{users = cfg.users;}]; - }; - }; -} diff --git a/modules/home-assistant/zigbee.nix b/modules/home-assistant/zigbee.nix deleted file mode 100644 index 4aedd8fe..00000000 --- a/modules/home-assistant/zigbee.nix +++ /dev/null @@ -1,46 +0,0 @@ -{ - lib, - config, - pkgs, - ... -}: -with lib; let - haCfg = config.pub-solar.home-assistant; - cfg = config.pub-solar.home-assistant.zigbee2mqtt; -in { - config = mkIf (haCfg.enable && cfg.enable) { - networking.firewall.allowedTCPPorts = [ - 8081 # zigbee2mqtt - ]; - - services.zigbee2mqtt = { - enable = true; - settings = { - frontend = { - port = 8081; - }; - permit_join = false; - homeassistant = { - legacy_entity_attributes = false; - }; - availability = true; - advanced = { - legacy_api = false; - legacy_availability_payload = false; - }; - mqtt = { - user = "z2m"; - password = "!secrets.yaml mqtt_password"; - }; - serial = { - port = cfg.device; - adapter = mkIf (cfg.adapter != null) cfg.adapter; - }; - groups = "groups.yaml"; - ota = { - zigbee_ota_override_index_location = "/var/lib/zigbee2mqtt/index.json"; - }; - }; - }; - }; -} diff --git a/modules/home-controller/avahi.nix b/modules/home-controller/avahi.nix deleted file mode 100644 index ce1979ae..00000000 --- a/modules/home-controller/avahi.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ ... }: - -{ - services.avahi = { - enable = true; - publish.enable = true; - }; -} 
diff --git a/modules/home-controller/default.nix b/modules/home-controller/default.nix deleted file mode 100644 index f0da8e82..00000000 --- a/modules/home-controller/default.nix +++ /dev/null @@ -1,34 +0,0 @@ -{ - lib, - config, - pkgs, - ... -}: -with lib; let - psCfg = config.pub-solar; - cfg = config.pub-solar.home-controller; -in { - imports = [ - ./avahi.nix - ./wireguard.nix - ./monitoring-client.nix - ]; - - options.pub-solar.home-controller = { - enable = mkEnableOption "Control your home"; - - ownIp = mkOption { - description = '' - Internal ip in wireguard used for cluster control-plane communication. - ''; - type = types.str; - }; - - wireguardPrivateKeyFile = mkOption { - description = '' - Location of private key file - ''; - type = types.path; - }; - }; -} diff --git a/modules/home-controller/monitoring-client.nix b/modules/home-controller/monitoring-client.nix deleted file mode 100644 index 3173aad0..00000000 --- a/modules/home-controller/monitoring-client.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ - config, - pkgs, - lib, - ... -}: let - cfg = config.pub-solar.home-controller; -in { - pub-solar.monitoring-client = lib.mkIf cfg.enable { - enable = true; - listenAddress = cfg.ownIp; - }; -} diff --git a/modules/home-controller/wireguard.nix b/modules/home-controller/wireguard.nix deleted file mode 100644 index d0d8b32e..00000000 --- a/modules/home-controller/wireguard.nix +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - lib, - config, - pkgs, - ... -}: -with lib; let - psCfg = config.pub-solar; - cfg = config.pub-solar.home-controller; -in { - config = mkIf cfg.enable { - systemd.services.wireguard-wghome.serviceConfig.Restart = "on-failure"; - systemd.services.wireguard-wghome.serviceConfig.RestartSec = "5s"; - - networking.firewall.allowedUDPPorts = [51899]; - - networking.wireguard.interfaces = { - wghome = { - ips = [cfg.ownIp]; - listenPort = 51899; - privateKeyFile = cfg.wireguardPrivateKeyFile; - mtu = 1400; - peers = [ - { - # chonk - publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8="; - allowedIPs = ["10.0.1.0/24"]; - endpoint = "vpn.gssws.de:51899"; - persistentKeepalive = 25; - } - ]; - }; - }; - }; -} diff --git a/modules/monitoring-client/default.nix b/modules/monitoring-client/default.nix deleted file mode 100644 index 7ca9a244..00000000 --- a/modules/monitoring-client/default.nix +++ /dev/null @@ -1,34 +0,0 @@ -{ - lib, - config, - pkgs, - ... -}: -with lib; let - psCfg = config.pub-solar; - cfg = config.pub-solar.monitoring-client; -in { - options.pub-solar.monitoring-client = { - enable = mkEnableOption "Install a monitoring client node"; - listenAddress = mkOption { - type = types.str; - }; - }; - - config = mkIf cfg.enable { - services.prometheus.exporters = { - node = { - enable = true; - enabledCollectors = ["systemd"]; - port = 9002; - openFirewall = true; - listenAddress = cfg.listenAddress; - }; - wireguard = { - enable = true; - openFirewall = true; - listenAddress = cfg.listenAddress; - }; - }; - }; -} diff --git a/modules/monitoring-server/default.nix b/modules/monitoring-server/default.nix deleted file mode 100644 index beb348cb..00000000 --- a/modules/monitoring-server/default.nix +++ /dev/null 
@@ -1,139 +0,0 @@ -{ - lib, - config, - pkgs, - ... -}: -with lib; let - psCfg = config.pub-solar; - cfg = config.pub-solar.monitoring-server; -in { - options.pub-solar.monitoring-server = { - enable = mkEnableOption "Install a monitoring server node"; - listenAddress = mkOption { - type = types.str; - default = "127.0.0.1"; - }; - grafana = { - enable = mkEnableOption "Run grafana"; - port = mkOption { - type = types.int; - default = 2342; - }; - }; - node_exporter = { - enable = mkEnableOption "prometheus node-exporter support"; - hosts = mkOption { - type = types.listOf types.str; - }; - }; - snmp = { - enable = mkEnableOption "prometheus snmp export support"; - hosts = mkOption { - #type = types.Or (types.AttrSet types.listOf types.str); - }; - settings = mkOption { - type = types.NullOr types.AttrSet; - default = null; - }; - }; - smokeping = { - enable = mkEnableOption "prometheus smokeping support"; - hosts = mkOption { - type = types.listOf types.str; - }; - }; - }; - - config = mkIf cfg.enable { - networking.firewall.allowedTCPPorts = [cfg.grafana.port 9001 9374]; - - pub-solar.monitoring-client = { - enable = true; - listenAddress = cfg.listenAddress; - }; - - services.grafana = mkIf cfg.grafana.enable { - enable = true; - settings = { - server = { - http_addr = cfg.listenAddress; - http_port = cfg.grafana.port; - }; - }; - }; - - services.prometheus = { - enable = true; - listenAddress = cfg.listenAddress; - port = 9001; - scrapeConfigs = [ - { - job_name = "snmp_wohnung_aachen_mikrotik"; - scrape_interval = "15s"; - static_configs = [ - { - targets = cfg.snmp.hosts; - } - ]; - metrics_path = "/snmp"; - params = { - auth = ["public_v2"]; - module = ["if_mib"]; - }; - relabel_configs = [ - { - source_labels = ["__address__"]; - target_label = "__param_target"; - } - { - source_labels = ["__param_target"]; - target_label = "instance"; - } - { - target_label = "__address__"; - replacement = "10.0.1.254:9116"; - } - ]; - } - { - job_name = "node_exporters"; 
- static_configs = [ - { - targets = - ["${cfg.listenAddress}:9002"] - ++ cfg.node_exporter.hosts; - } - ]; - } - { - job_name = "wireguard"; - static_configs = [ - { - targets = - ["${cfg.listenAddress}:9586"] - ++ cfg.node_exporter.hosts; - } - ]; - } - { - job_name = "smokeping"; - scrape_interval = "15s"; - static_configs = [ - { - targets = [ - "${cfg.listenAddress}:9374" - ]; - } - ]; - } - ]; - - exporters.smokeping = mkIf cfg.smokeping.enable { - enable = true; - listenAddress = cfg.listenAddress; - hosts = cfg.smokeping.hosts; - }; - }; - }; -} diff --git a/modules/paperless/container.nix b/modules/paperless/container.nix deleted file mode 100644 index f6a9d771..00000000 --- a/modules/paperless/container.nix +++ /dev/null 
@@ -1,105 +0,0 @@ -{ - config, - lib, - ... -}: -with lib; let - psCfg = config.pub-solar; - cfg = config.pub-solar.paperless; -in { - systemd.services."container@paperless".unitConfig.RequiresMountsFor = [cfg.hostStateDir]; - - containers."paperless" = mkIf cfg.enable { - autoStart = true; - ephemeral = true; - - tmpfs = ["/tmp:size=2G"]; - - timeoutStartSec = "5min"; - - bindMounts."/data" = { - hostPath = cfg.hostStateDir; - isReadOnly = false; - }; - - config = { - config, - pkgs, - ... - }: { - networking.firewall.enable = false; - - # paperless - services.paperless = { - enable = true; - dataDir = "/data"; - consumptionDir = "/data/ftp/consume"; - consumptionDirIsPublic = true; - port = 8899; - extraConfig = { - PAPERLESS_FORCE_SCRIPT_NAME = "${cfg.path}"; - PAPERLESS_OCR_LANGUAGE = "deu+eng"; - PAPERLESS_ALLOWED_HOSTS = "${cfg.domain}"; - PAPERLESS_CSRF_TRUSTED_ORIGINS = "http://${cfg.domain}"; - PAPERLESS_CORS_ALLOWED_HOSTS = "http://${cfg.domain}"; - PAPERLESS_FILENAME_FORMAT = "{created_year}/{correspondent}/{created_month}_{created_day}_{title}"; - PAPERLESS_TASK_WORKERS=2; - PAPERLESS_CONSUMER_INOTIFY_DELAY=5; - PAPERLESS_CONSUMER_RECURSIVE=1; - PAPERLESS_CONSUMER_SUBDIRS_AS_TAGS=1; - }; - }; - - # increase timeout for systemd service - systemd.services."paperless-scheduler".serviceConfig."TimeoutStartSec" = "300"; - - # ftp - users.users."paperless".extraGroups = mkIf cfg.ftp.enable ["ftp"]; - - services.vsftpd = mkIf cfg.ftp.enable { - enable = true; - anonymousUser = true; - anonymousUserNoPassword = true; - anonymousUserHome = "/data/ftp"; - anonymousUploadEnable = true; - anonymousUmask = "007"; - writeEnable = true; - extraConfig = '' - listen=YES - listen_ipv6=NO - listen_port=${toString cfg.ftp.listenPort} - chown_uploads=YES - chown_username=paperless - download_enable=NO - pasv_min_port=${toString cfg.ftp.pasvMinPort} - pasv_max_port=${toString cfg.ftp.pasvMaxPort} - ''; - }; - - # nextcloud - systemd.services.nextcloud-autosync = mkIf 
cfg.nextcloud.enable { - unitConfig = { - Description = "Auto sync Nextcloud"; - After = "network-online.target"; - }; - serviceConfig = { - User = "paperless"; - Type = "simple"; - ExecStart = "${pkgs.nextcloud-client}/bin/nextcloudcmd -h -n --path Documents/_paperless /data/media/documents https://data.gssws.de"; - TimeoutStopSec = "180"; - KillMode = "process"; - KillSignal = "SIGINT"; - }; - wantedBy = ["multi-user.target"]; - }; - - systemd.timers.nextcloud-autosync = mkIf cfg.nextcloud.enable { - unitConfig.Description = "Automatic sync files with Nextcloud and rerun every 60 minutes"; - timerConfig.OnUnitActiveSec = "60min"; - wantedBy = ["multi-user.target" "timers.target"]; - }; - - system.stateVersion = "23.05"; - }; - }; -} diff --git a/modules/paperless/default.nix b/modules/paperless/default.nix deleted file mode 100644 index ca1083ee..00000000 --- a/modules/paperless/default.nix +++ /dev/null 
@@ -1,79 +0,0 @@ -{ - config, - lib, - ... -}: -with lib; let - psCfg = config.pub-solar; - cfg = config.pub-solar.paperless; -in { - imports = [ - ./container.nix - ./nginx.nix - ]; - - options.pub-solar.paperless = { - enable = mkEnableOption {default = false;}; - openFirewall = mkEnableOption (lib.mdDoc "opening of the relay port(s) in the firewall"); - - domain = mkOption { - type = types.str; - default = "paperless.local"; - }; - - path = mkOption { - type = types.str; - description = "Sets the path to listen on. Use empty string to listen on root."; - default = ""; - }; - - hostStateDir = mkOption { - type = types.str; - default = "/var/lib/paperless-container"; - }; - - listenPort = mkOption { - type = types.int; - default = 80; - }; - - # ftp - ftp = { - enable = mkEnableOption (lib.mdDoc ''enable vsftpd ftp service''); - listenPort = mkOption { - type = types.int; - default = 21; - }; - pasvMinPort = mkOption { - type = types.int; - default = 20021; - }; - pasvMaxPort = mkOption { - type = types.int; - default = 22021; - }; - }; - - # nextcloud - nextcloud = { - enable = mkEnableOption (lib.mdDoc ''enable backup to nextcloud''); - }; - }; - - config = mkIf cfg.enable { - networking.firewall = { - allowedTCPPorts = [ - cfg.listenPort - cfg.ftp.listenPort - ]; - - allowedTCPPortRanges = [ - { - from = cfg.ftp.pasvMinPort; - to = cfg.ftp.pasvMaxPort; - } - ]; - }; - - }; -} diff --git a/modules/paperless/nginx.nix b/modules/paperless/nginx.nix deleted file mode 100644 index 1ab8a7cf..00000000 --- a/modules/paperless/nginx.nix +++ /dev/null 
@@ -1,22 +0,0 @@ -{ config, ... }: - -let - cfg = config.pub-solar.paperless; - nginxLocation = if cfg.path == "" then "/" else cfg.path; -in -{ - services.nginx = { - enable = true; - virtualHosts."${cfg.domain}" = { - locations."${nginxLocation}" = { - proxyPass = "http://127.0.0.1:8899"; - proxyWebsockets = true; - extraConfig = '' - proxy_read_timeout 300s; - proxy_set_header Host ${cfg.domain}; - proxy_set_header X-Forwarded-For ''$remote_addr; - ''; - }; - }; - }; -} diff --git a/modules/paranoia/default.nix b/modules/paranoia/default.nix index 60d69070..9a6de59a 100644 --- a/modules/paranoia/default.nix +++ b/modules/paranoia/default.nix @@ -26,9 +26,7 @@ in { # The options below are directly taken from or inspired by # https://xeiaso.net/blog/paranoid-nixos-2021-07-18 - # Don't set this if you need sftp services.openssh.openFirewall = false; # Lock yourself out - services.openssh.settings.AllowSFTP = false; # Limit the use of sudo to the group wheel security.sudo.execWheelOnly = true; @@ -40,7 +38,11 @@ in { # fileSystems."/".options = [ "noexec" ]; services.openssh = { - kbdInteractiveAuthentication = false; + settings = { + # Don't set this if you need sftp + AllowSFTP = false; + KbdInteractiveAuthentication = false; + }; extraConfig = '' AllowTcpForwarding yes X11Forwarding no diff --git a/modules/server/default.nix b/modules/server/default.nix deleted file mode 100644 index 124d9cfe..00000000 --- a/modules/server/default.nix +++ /dev/null 
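Review bot: The moved comment `# Don't set this if you need sftp` above `AllowSFTP = false` understates the impact: with the sftp subsystem disabled, scp from OpenSSH 9.0 or later also fails because it uses the sftp protocol by default, so any file copy to this host needs `scp -O` or a different transport. Suggest `# Disables the sftp subsystem; scp (OpenSSH >= 9.0 uses sftp by default) also stops working — keep only if no file transfer over ssh is needed`. The first hunk removes the same `AllowSFTP = false` from its old position, so the net effect is a move plus the rename of the deprecated `kbdInteractiveAuthentication` option to `settings.KbdInteractiveAuthentication`, which looks right. The `services.openssh` attrset continues past the end of the hunk.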
@@ -1,35 +0,0 @@ -{ - lib, - config, - pkgs, - ... -}: -with lib; let - psCfg = config.pub-solar; - cfg = config.pub-solar.server; -in { - options.pub-solar.server = { - enable = mkEnableOption "Enable server options like sshd"; - }; - - config = mkIf cfg.enable { - pub-solar.core.lite = true; - - nix.gc.automatic = true; - - services = { - lldpd.enable = true; - openssh = { - enable = true; - openFirewall = true; - settings = { - PermitRootLogin = lib.mkForce "prohibit-password"; - PasswordAuthentication = true; - }; - }; - }; - - networking.networkmanager.enable = lib.mkForce false; - pub-solar.nextcloud.enable = lib.mkForce false; - }; -}