pub-solar/os
5
0
Fork 2
Code Issues 4 Pull requests Packages Projects 1 Releases Wiki Activity

move own modules to separate flake

Browse source
This commit is contained in:
Hendrik Sokolowski 2023-11-11 21:17:58 +01:00
parent 664e542de6
commit 73b8ad83d5
18 changed files with 28 additions and 732 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
flake.nix
View file

@ -36,6 +36,8 @@
musnix.inputs.nixpkgs.follows = "nixpkgs";
nixpkgs-hensoko.url = "git+https://git.b12f.io/hensoko/nixpkgs";
nixmodules-hensoko.url = "git+ssh://gitea@git.pub.solar/hensoko/nix-modules.git?ref=main";
nixos-config.url = "git+ssh://gitea@git.pub.solar/hensoko/nixos-config.git?ref=main";
factorio-pr.url = "github:werner291/nixpkgs/master";
};

63
modules/concourse-server/default.nix
View file

@ -1,63 +0,0 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar;
cfg = config.pub-solar.concourse-server;
in {
options.pub-solar.concourse-server = {
enable = mkOption {
description = "Concourse server";
default = false;
};
hostStateDir = mkOption {
description = "sets the state directory on host side";
default = "/srv/concourse-server/data";
};
};
config = mkIf cfg.enable {
containers."concourse-server" = {
autoStart = true;
ephemeral = true;
bindMounts."/data" = {
hostPath = cfg.hostStateDir;
isReadOnly = false;
};
config = {
config,
pkgs,
...
}: {
nixpkgs.overlays = [ (self: super: {
concourse = self.pkgs.concourse;
}) ];
system.stateVersion = "23.05";
networking.firewall.enable = false;
services.postgresql = {
enable = true;
};
systemd.services.concourse-web = {
enable = true;
description = "concourse web";
unitConfig = {
Type = "simple";
};
serviceConfig = {
ExecStart = "${pkgs.concourse}/bin/concourse";
};
wantedBy = [ "multi-user.target" ];
};
};
};
};
}

25
modules/default.nix
View file

@ -26,6 +26,7 @@ in
self.nixosModules.home-manager
inputs.agenix.nixosModules.default
inputs.musnix.nixosModules.musnix
inputs.nixmodules-hensoko.nixosModules.all
({
flake,
@ -35,18 +36,34 @@ in
master,
...
}: {
nixpkgs.overlays = (import ../overlays) ++ [
nixpkgs.overlays = (import ../overlays) ++
[
(prev: next: {
scan2paperless = inputs.scan2paperless.legacyPackages.${prev.system}.scan2paperless;
nixd = inputs.unstable.legacyPackages.${prev.system}.nixd;
factorio-headless = inputs.master.legacyPackages.${prev.system}.factorio-headless;
paperless-ngx = inputs.master.legacyPackages.${prev.system}.paperless-ngx;
# needed by sway module
waybar = inputs.master.legacyPackages.${prev.system}.waybar;
# unstable
appflowy = inputs.unstable.legacyPackages.${prev.system}.appflowy;
docker_24 = inputs.unstable.legacyPackages.${prev.system}.docker_24;
home-assistant = inputs.unstable.legacyPackages.${prev.system}.home-assistant;
scan2paperless = inputs.scan2paperless.legacyPackages.${prev.system}.scan2paperless;
paperless-ngx = inputs.master.legacyPackages.${prev.system}.paperless-ngx;
factorio-headless = inputs.master.legacyPackages.${prev.system}.factorio-headless;
element-desktop = inputs.master.legacyPackages.${prev.system}.element-desktop;
adlist = inputs.adblock-unbound.packages.${prev.system};
})
(prev: next: {
vimPlugins = next.vimPlugins // {
inherit (inputs.master.legacyPackages.${prev.system}.vimPlugins) nvim-lspconfig;
};
})
];
nix.nixPath = [

68
modules/home-assistant/default.nix
View file

@ -1,68 +0,0 @@
{
lib,
config,
options,
pkgs,
flake,
...
}:
with lib; let
cfg = config.pub-solar.home-assistant;
in {
imports = [
./home-assistant.nix
./mqtt.nix
./zigbee.nix
(flake.inputs.unstable + "/nixos/modules/services/home-automation/home-assistant.nix")
];
disabledModules = [
"services/home-automation/home-assistant.nix"
];
options.pub-solar.home-assistant = {
enable = mkOption {
description = "Control your home";
type = types.bool;
default = false;
};
config = options.services.home-assistant.config;
extraComponents = options.services.home-assistant.extraComponents;
extraPackages = options.services.home-assistant.extraPackages;
mqtt = {
enable = mkOption {
description = "use mqtt";
type = types.bool;
default = true;
};
users = mkOption {
description = "mqtt users";
# type = types.AttrSet;
default = null;
};
};
zigbee2mqtt = {
enable = mkOption {
description = "Enable zigbee2mqtt";
type = types.bool;
default = false;
};
device = mkOption {
description = "Device to connect to zigbee network";
type = types.nullOr types.str;
default = null;
};
adapter = mkOption {
description = "Specify zigbee adapter type";
type = types.nullOr types.str;
default = null;
};
};
};
}

23
modules/home-assistant/home-assistant.nix
View file

@ -1,23 +0,0 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
cfg = config.pub-solar.home-assistant;
in {
config = mkIf cfg.enable {
networking.firewall.allowedUDPPorts = [1900];
services.home-assistant = {
enable = true;
openFirewall = true;
extraComponents =
cfg.extraComponents
++ lib.optionals cfg.mqtt.enable ["mqtt"];
extraPackages = cfg.extraPackages;
config = cfg.config;
};
};
}

21
modules/home-assistant/mqtt.nix
View file

@ -1,21 +0,0 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
haCfg = config.pub-solar.home-assistant;
cfg = config.pub-solar.home-assistant.mqtt;
in {
config = mkIf (haCfg.enable && cfg.enable) {
networking.firewall.allowedTCPPorts = [
1883 # mosquitto
];
services.mosquitto = {
enable = true;
listeners = [{users = cfg.users;}];
};
};
}

46
modules/home-assistant/zigbee.nix
View file

@ -1,46 +0,0 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
haCfg = config.pub-solar.home-assistant;
cfg = config.pub-solar.home-assistant.zigbee2mqtt;
in {
config = mkIf (haCfg.enable && cfg.enable) {
networking.firewall.allowedTCPPorts = [
8081 # zigbee2mqtt
];
services.zigbee2mqtt = {
enable = true;
settings = {
frontend = {
port = 8081;
};
permit_join = false;
homeassistant = {
legacy_entity_attributes = false;
};
availability = true;
advanced = {
legacy_api = false;
legacy_availability_payload = false;
};
mqtt = {
user = "z2m";
password = "!secrets.yaml mqtt_password";
};
serial = {
port = cfg.device;
adapter = mkIf (cfg.adapter != null) cfg.adapter;
};
groups = "groups.yaml";
ota = {
zigbee_ota_override_index_location = "/var/lib/zigbee2mqtt/index.json";
};
};
};
};
}

8
modules/home-controller/avahi.nix
View file

@ -1,8 +0,0 @@
{ ... }:
{
services.avahi = {
enable = true;
publish.enable = true;
};
}

34
modules/home-controller/default.nix
View file

@ -1,34 +0,0 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar;
cfg = config.pub-solar.home-controller;
in {
imports = [
./avahi.nix
./wireguard.nix
./monitoring-client.nix
];
options.pub-solar.home-controller = {
enable = mkEnableOption "Control your home";
ownIp = mkOption {
description = ''
Internal ip in wireguard used for cluster control-plane communication.
'';
type = types.str;
};
wireguardPrivateKeyFile = mkOption {
description = ''
Location of private key file
'';
type = types.path;
};
};
}

13
modules/home-controller/monitoring-client.nix
View file

@ -1,13 +0,0 @@
{
config,
pkgs,
lib,
...
}: let
cfg = config.pub-solar.home-controller;
in {
pub-solar.monitoring-client = lib.mkIf cfg.enable {
enable = true;
listenAddress = cfg.ownIp;
};
}

35
modules/home-controller/wireguard.nix
View file

@ -1,35 +0,0 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar;
cfg = config.pub-solar.home-controller;
in {
config = mkIf cfg.enable {
systemd.services.wireguard-wghome.serviceConfig.Restart = "on-failure";
systemd.services.wireguard-wghome.serviceConfig.RestartSec = "5s";
networking.firewall.allowedUDPPorts = [51899];
networking.wireguard.interfaces = {
wghome = {
ips = [cfg.ownIp];
listenPort = 51899;
privateKeyFile = cfg.wireguardPrivateKeyFile;
mtu = 1400;
peers = [
{
# chonk
publicKey = "t1DS0y6eVzyGwomKAEWTWVsHK3xB7M/fNQ3wLgE3+B8=";
allowedIPs = ["10.0.1.0/24"];
endpoint = "vpn.gssws.de:51899";
persistentKeepalive = 25;
}
];
};
};
};
}

34
modules/monitoring-client/default.nix
View file

@ -1,34 +0,0 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar;
cfg = config.pub-solar.monitoring-client;
in {
options.pub-solar.monitoring-client = {
enable = mkEnableOption "Install a monitoring client node";
listenAddress = mkOption {
type = types.str;
};
};
config = mkIf cfg.enable {
services.prometheus.exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
port = 9002;
openFirewall = true;
listenAddress = cfg.listenAddress;
};
wireguard = {
enable = true;
openFirewall = true;
listenAddress = cfg.listenAddress;
};
};
};
}

139
modules/monitoring-server/default.nix
View file

@ -1,139 +0,0 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar;
cfg = config.pub-solar.monitoring-server;
in {
options.pub-solar.monitoring-server = {
enable = mkEnableOption "Install a monitoring server node";
listenAddress = mkOption {
type = types.str;
default = "127.0.0.1";
};
grafana = {
enable = mkEnableOption "Run grafana";
port = mkOption {
type = types.int;
default = 2342;
};
};
node_exporter = {
enable = mkEnableOption "prometheus node-exporter support";
hosts = mkOption {
type = types.listOf types.str;
};
};
snmp = {
enable = mkEnableOption "prometheus snmp export support";
hosts = mkOption {
#type = types.Or (types.AttrSet types.listOf types.str);
};
settings = mkOption {
type = types.NullOr types.AttrSet;
default = null;
};
};
smokeping = {
enable = mkEnableOption "prometheus smokeping support";
hosts = mkOption {
type = types.listOf types.str;
};
};
};
config = mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [cfg.grafana.port 9001 9374];
pub-solar.monitoring-client = {
enable = true;
listenAddress = cfg.listenAddress;
};
services.grafana = mkIf cfg.grafana.enable {
enable = true;
settings = {
server = {
http_addr = cfg.listenAddress;
http_port = cfg.grafana.port;
};
};
};
services.prometheus = {
enable = true;
listenAddress = cfg.listenAddress;
port = 9001;
scrapeConfigs = [
{
job_name = "snmp_wohnung_aachen_mikrotik";
scrape_interval = "15s";
static_configs = [
{
targets = cfg.snmp.hosts;
}
];
metrics_path = "/snmp";
params = {
auth = ["public_v2"];
module = ["if_mib"];
};
relabel_configs = [
{
source_labels = ["__address__"];
target_label = "__param_target";
}
{
source_labels = ["__param_target"];
target_label = "instance";
}
{
target_label = "__address__";
replacement = "10.0.1.254:9116";
}
];
}
{
job_name = "node_exporters";
static_configs = [
{
targets =
["${cfg.listenAddress}:9002"]
++ cfg.node_exporter.hosts;
}
];
}
{
job_name = "wireguard";
static_configs = [
{
targets =
["${cfg.listenAddress}:9586"]
++ cfg.node_exporter.hosts;
}
];
}
{
job_name = "smokeping";
scrape_interval = "15s";
static_configs = [
{
targets = [
"${cfg.listenAddress}:9374"
];
}
];
}
];
exporters.smokeping = mkIf cfg.smokeping.enable {
enable = true;
listenAddress = cfg.listenAddress;
hosts = cfg.smokeping.hosts;
};
};
};
}

105
modules/paperless/container.nix
View file

@ -1,105 +0,0 @@
{
config,
lib,
...
}:
with lib; let
psCfg = config.pub-solar;
cfg = config.pub-solar.paperless;
in {
systemd.services."container@paperless".unitConfig.RequiresMountsFor = [cfg.hostStateDir];
containers."paperless" = mkIf cfg.enable {
autoStart = true;
ephemeral = true;
tmpfs = ["/tmp:size=2G"];
timeoutStartSec = "5min";
bindMounts."/data" = {
hostPath = cfg.hostStateDir;
isReadOnly = false;
};
config = {
config,
pkgs,
...
}: {
networking.firewall.enable = false;
# paperless
services.paperless = {
enable = true;
dataDir = "/data";
consumptionDir = "/data/ftp/consume";
consumptionDirIsPublic = true;
port = 8899;
extraConfig = {
PAPERLESS_FORCE_SCRIPT_NAME = "${cfg.path}";
PAPERLESS_OCR_LANGUAGE = "deu+eng";
PAPERLESS_ALLOWED_HOSTS = "${cfg.domain}";
PAPERLESS_CSRF_TRUSTED_ORIGINS = "http://${cfg.domain}";
PAPERLESS_CORS_ALLOWED_HOSTS = "http://${cfg.domain}";
PAPERLESS_FILENAME_FORMAT = "{created_year}/{correspondent}/{created_month}_{created_day}_{title}";
PAPERLESS_TASK_WORKERS=2;
PAPERLESS_CONSUMER_INOTIFY_DELAY=5;
PAPERLESS_CONSUMER_RECURSIVE=1;
PAPERLESS_CONSUMER_SUBDIRS_AS_TAGS=1;
};
};
# increase timeout for systemd service
systemd.services."paperless-scheduler".serviceConfig."TimeoutStartSec" = "300";
# ftp
users.users."paperless".extraGroups = mkIf cfg.ftp.enable ["ftp"];
services.vsftpd = mkIf cfg.ftp.enable {
enable = true;
anonymousUser = true;
anonymousUserNoPassword = true;
anonymousUserHome = "/data/ftp";
anonymousUploadEnable = true;
anonymousUmask = "007";
writeEnable = true;
extraConfig = ''
listen=YES
listen_ipv6=NO
listen_port=${toString cfg.ftp.listenPort}
chown_uploads=YES
chown_username=paperless
download_enable=NO
pasv_min_port=${toString cfg.ftp.pasvMinPort}
pasv_max_port=${toString cfg.ftp.pasvMaxPort}
'';
};
# nextcloud
systemd.services.nextcloud-autosync = mkIf cfg.nextcloud.enable {
unitConfig = {
Description = "Auto sync Nextcloud";
After = "network-online.target";
};
serviceConfig = {
User = "paperless";
Type = "simple";
ExecStart = "${pkgs.nextcloud-client}/bin/nextcloudcmd -h -n --path Documents/_paperless /data/media/documents https://data.gssws.de";
TimeoutStopSec = "180";
KillMode = "process";
KillSignal = "SIGINT";
};
wantedBy = ["multi-user.target"];
};
systemd.timers.nextcloud-autosync = mkIf cfg.nextcloud.enable {
unitConfig.Description = "Automatic sync files with Nextcloud and rerun every 60 minutes";
timerConfig.OnUnitActiveSec = "60min";
wantedBy = ["multi-user.target" "timers.target"];
};
system.stateVersion = "23.05";
};
};
}

79
modules/paperless/default.nix
View file

@ -1,79 +0,0 @@
{
config,
lib,
...
}:
with lib; let
psCfg = config.pub-solar;
cfg = config.pub-solar.paperless;
in {
imports = [
./container.nix
./nginx.nix
];
options.pub-solar.paperless = {
enable = mkEnableOption {default = false;};
openFirewall = mkEnableOption (lib.mdDoc "opening of the relay port(s) in the firewall");
domain = mkOption {
type = types.str;
default = "paperless.local";
};
path = mkOption {
type = types.str;
description = "Sets the path to listen on. Use empty string to listen on root.";
default = "";
};
hostStateDir = mkOption {
type = types.str;
default = "/var/lib/paperless-container";
};
listenPort = mkOption {
type = types.int;
default = 80;
};
# ftp
ftp = {
enable = mkEnableOption (lib.mdDoc ''enable vsftpd ftp service'');
listenPort = mkOption {
type = types.int;
default = 21;
};
pasvMinPort = mkOption {
type = types.int;
default = 20021;
};
pasvMaxPort = mkOption {
type = types.int;
default = 22021;
};
};
# nextcloud
nextcloud = {
enable = mkEnableOption (lib.mdDoc ''enable backup to nextcloud'');
};
};
config = mkIf cfg.enable {
networking.firewall = {
allowedTCPPorts = [
cfg.listenPort
cfg.ftp.listenPort
];
allowedTCPPortRanges = [
{
from = cfg.ftp.pasvMinPort;
to = cfg.ftp.pasvMaxPort;
}
];
};
};
}

22
modules/paperless/nginx.nix
View file

@ -1,22 +0,0 @@
{ config, ... }:
let
cfg = config.pub-solar.paperless;
nginxLocation = if cfg.path == "" then "/" else cfg.path;
in
{
services.nginx = {
enable = true;
virtualHosts."${cfg.domain}" = {
locations."${nginxLocation}" = {
proxyPass = "http://127.0.0.1:8899";
proxyWebsockets = true;
extraConfig = ''
proxy_read_timeout 300s;
proxy_set_header Host ${cfg.domain};
proxy_set_header X-Forwarded-For ''$remote_addr;
'';
};
};
};
}

8
modules/paranoia/default.nix
View file

@ -26,9 +26,7 @@ in {
# The options below are directly taken from or inspired by
# https://xeiaso.net/blog/paranoid-nixos-2021-07-18
# Don't set this if you need sftp
services.openssh.openFirewall = false; # Lock yourself out
services.openssh.settings.AllowSFTP = false;
# Limit the use of sudo to the group wheel
security.sudo.execWheelOnly = true;
@ -40,7 +38,11 @@ in {
# fileSystems."/".options = [ "noexec" ];
services.openssh = {
kbdInteractiveAuthentication = false;
settings = {
# Don't set this if you need sftp
AllowSFTP = false;
KbdInteractiveAuthentication = false;
};
extraConfig = ''
AllowTcpForwarding yes
X11Forwarding no

35
modules/server/default.nix
View file

@ -1,35 +0,0 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
psCfg = config.pub-solar;
cfg = config.pub-solar.server;
in {
options.pub-solar.server = {
enable = mkEnableOption "Enable server options like sshd";
};
config = mkIf cfg.enable {
pub-solar.core.lite = true;
nix.gc.automatic = true;
services = {
lldpd.enable = true;
openssh = {
enable = true;
openFirewall = true;
settings = {
PermitRootLogin = lib.mkForce "prohibit-password";
PasswordAuthentication = true;
};
};
};
networking.networkmanager.enable = lib.mkForce false;
pub-solar.nextcloud.enable = lib.mkForce false;
};
}