Refactoring LoutreOS

systems/LoutreOS/configuration.nix

@@ -5,37 +5,35 @@
 { config, pkgs, ... }:
 
 {
-  imports =
+  imports = [
-    [ # Include the results of the hardware scan.
     ./hardware-configuration.nix
     ./users.nix
     ./services.nix
   ];
 
-  # Use the systemd-boot EFI boot loader.
+  boot = {
-  boot.loader.systemd-boot.enable = true;
+    loader = {
-  boot.loader.efi.canTouchEfiVariables = true;
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
 
-  boot.supportedFilesystems = [ "zfs" ];
+    supportedFilesystems = [ "zfs" ];
 
-  services.zfs.autoSnapshot.enable = true;
+    tmpOnTmpfs = true;
-  services.zfs.autoScrub.enable = true;
+  };
 
-  networking.hostName = "loutreos"; # Define your hostname.
+  services.zfs = {
-  networking.hostId = "7e66e347";
+    autoSnapshot.enable = true;
+    autoScrub.enable = true;
+  };
 
-  # Select internationalisation properties.
+  networking = {
-  # i18n = {
+    hostName = "loutreos"; # Define your hostname.
-  #   consoleFont = "Lat2-Terminus16";
+    hostId = "7e66e347";
-  #   consoleKeyMap = "en";
+  };
-  #   defaultLocale = "en_US.UTF-8";
-  # };
 
-  # Set your time zone.
   time.timeZone = "Europe/Paris";
 
-  # List packages installed in system profile. To search by name, run:
-  # $ nix-env -qaP | grep wget
   nixpkgs.overlays = [
     (import ../../overlays/riot-web.nix)
     (import ../../overlays/sudo.nix)
@@ -86,30 +84,23 @@
 
   environment.variables = { EDITOR = "nvim"; };
 
-  # Some programs need SUID wrappers, can be configured further or are
+  services.openssh = {
-  # started in user sessions.
+    enable = true;
-  # programs.bash.enableCompletion = true;
+    permitRootLogin = "no";
-  # programs.mtr.enable = true;
+    passwordAuthentication = false;
-  # programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
+  };
 
-  # List services that you want to enable:
+  networking.firewall = {
-
+    allowedTCPPorts = [  ];
-  # Enable the OpenSSH daemon.
+    allowedUDPPorts = [  ];
-  services.openssh.enable = true;
+    enable = true;
-  services.openssh.permitRootLogin = "no";
+  };
-  services.openssh.passwordAuthentication = false;
-
-  networking.firewall.allowedTCPPorts = [  ];
-  networking.firewall.allowedUDPPorts = [  ];
-  networking.firewall.enable = true;
 
   security.sudo.wheelNeedsPassword = false;
 
   system.autoUpgrade.enable = true;
   systemd.services.nixos-upgrade.path = with pkgs; [ gzip gnutar xz.bin config.nix.package.out ];
 
-  services.fstrim.enable = true;
-
   nix.gc.automatic = true;
   nix.gc.options = "--delete-older-than 15d";
 

systems/LoutreOS/services.nix

@@ -10,12 +10,7 @@ let
   max_port = 52348;
   musique_port = 52349;
 
-  ekleog_matrix_0_33 = pkgs.fetchgit {
+  unstable = import <nixos-unstable> {};
-    url = "https://github.com/Ekleog/nixpkgs.git";
-    rev = "fe1fa933d168faec56767a9bd1daa0d47070bdf0";
-    sha256 = "02nlcs46ijjkwl8i521555gpd0w2if87p9bmdn2s5g728pz8mh27";
-  };
-  ekleog_matrix_0_33_pkgs = import ekleog_matrix_0_33 {};
 in
 
 {
@@ -26,15 +21,25 @@ in
     ../../services/site-max.nix
   ];
 
-  services.fail2ban.enable = true;
+  services = {
 
-  services.smartd.enable = true;
+    fail2ban.enable = true;
-  services.smartd.notifications.mail.enable = true;
-  services.smartd.notifications.mail.recipient = "paul@nyanlout.re";
 
-  services.haproxy-acme.enable = true;
+    smartd = {
-  services.haproxy-acme.domaine = domaine;
+      enable = true;
-  services.haproxy-acme.services = {
+      defaults.monitored = "-a -o on -s (S/../.././02|L/../../7/04)";
+      notifications.mail = {
+        enable = true;
+        recipient = "paul@nyanlout.re";
+      };
+    };
+
+    fstrim.enable = true;
+
+    haproxy-acme = {
+      enable = true;
+      domaine = domaine;
+      services = {
         "grafana.${domaine}" = { ip = "127.0.0.1"; port = 3000; auth = true; };
         "emby.${domaine}" = { ip = "127.0.0.1"; port = 8096; auth = false; };
         "radarr.${domaine}" = { ip = "127.0.0.1"; port = 7878; auth = true; extraAcls = "acl API url_beg /api\n"; aclBool = "!AUTH_OK !API"; };
@@ -48,15 +53,21 @@ in
         "pgmanage.${domaine}" = { ip = "127.0.0.1"; port = pgmanage_port; auth = true; };
         "gitea.${domaine}" = { ip = "127.0.0.1"; port = 3001; auth = false; };
       };
+    };
 
-  services.mailserver.enable = true;
+    mailserver = {
-  services.mailserver.domaine = domaine;
+      enable = true;
+      domaine = domaine;
+    };
 
-  services.influxdb.enable = true;
+    influxdb = {
-  services.influxdb.dataDir = "/var/db/influxdb";
+      enable = true;
+      dataDir = "/var/db/influxdb";
+    };
 
-  services.telegraf.enable = true;
+    telegraf = {
-  services.telegraf.extraConfig = {
+      enable = true;
+      extraConfig = {
         inputs = {
           zfs = { poolMetrics = true; };
           net = { interfaces = [ "eno1" "eno2" "eno3" "eno4" ]; };
@@ -118,19 +129,17 @@ in
           influxdb = { database = "telegraf"; urls = [ "http://localhost:8086" ]; };
         };
       };
+    };
 
-  services.udev.extraRules = ''
+    udev.extraRules = ''
       KERNEL=="ipmi*", MODE="660", OWNER="telegraf"
     '';
 
-  security.sudo.extraRules = [
+    grafana = {
-    { commands = [ { command = "${pkgs.smartmontools}/bin/smartctl"; options = [ "NOPASSWD" ]; } ]; users = [ "telegraf" ]; }
+      enable = true;
-  ];
+      addr = "127.0.0.1";
-
+      dataDir = "/var/lib/grafana";
-  services.grafana.enable = true;
+      extraOptions = {
-  services.grafana.addr = "127.0.0.1";
-  services.grafana.dataDir = "/var/lib/grafana";
-  services.grafana.extraOptions = {
         SERVER_ROOT_URL = "https://grafana.${domaine}";
         SMTP_ENABLED = "true";
         SMTP_FROM_ADDRESS = "grafana@${domaine}";
@@ -141,18 +150,25 @@ in
         AUTH_ANONYMOUS_ORG_ROLE = "Admin";
         AUTH_BASIC_ENABLED = "false";
       };
+    };
 
-  services.emby.enable = true;
+    emby = {
-  services.emby.dataDir = "/var/lib/emby/ProgramData-Server";
+      enable = true;
+      dataDir = "/var/lib/emby/ProgramData-Server";
+    };
 
-  services.slimserver.enable = true;
+    slimserver = {
-  services.slimserver.dataDir = "/var/lib/slimserver";
+      enable = true;
+      dataDir = "/var/lib/slimserver";
+    };
 
-  services.syncthing.enable = true;
+    syncthing = {
-  services.syncthing.dataDir = "/var/lib/syncthing";
+      enable = true;
-  services.syncthing.openDefaultPorts = true;
+      dataDir = "/var/lib/syncthing";
+      openDefaultPorts = true;
+    };
 
-  services.nfs.server = {
+    nfs.server = {
       enable = true;
       exports = ''
         /mnt/medias  192.168.0.0/24(ro,no_root_squash)
@@ -163,32 +179,38 @@ in
       mountdPort = 4002;
     };
 
-  services.transmission.enable = true;
+    transmission = {
-  services.transmission.home = "/var/lib/transmission";
+      enable = true;
-  services.transmission.settings = {
+      home = "/var/lib/transmission";
+      settings = {
         rpc-bind-address = "127.0.0.1";
         rpc-host-whitelist = "*";
         rpc-whitelist-enabled = false;
       };
+    };
 
-  services.radarr.enable = true;
+    radarr.enable = true;
-  services.sonarr.enable = true;
+    sonarr.enable = true;
-  services.jackett.enable = true;
+    jackett.enable = true;
 
-  services.searx.enable = true;
+    searx.enable = true;
 
-  services.nginx.enable = true;
+    nginx = {
-  services.nginx.virtualHosts = {
+      enable = true;
+      virtualHosts = {
         "riot" = {
           listen = [ { addr = "127.0.0.1"; port = riot_port; } ];
           locations = { "/" = { root = pkgs.riot-web; }; };
         };
       };
+    };
 
-  services.postgresql.enable = true;
+    postgresql.enable = true;
-  services.matrix-synapse = {
+
+  /*
+    matrix-synapse = {
       enable = true;
-    package = ekleog_matrix_0_33_pkgs.matrix-synapse;
+      package = unstable.matrix-synapse;
       enable_registration = true;
       server_name = "nyanlout.re";
       listeners = [
@@ -247,19 +269,18 @@ in
         disable_existing_loggers: False
       '';
     };
+  */
 
-  systemd.services.matrix-synapse.serviceConfig = {
+    pgmanage = {
-    MemoryHigh = "3G";
+      enable = true;
-    MemoryMax = "4G";
+      port = pgmanage_port;
-  };
+      connections = {
-
-  services.pgmanage.enable = true;
-  services.pgmanage.port = pgmanage_port;
-  services.pgmanage.connections = {
         localhost = "hostaddr=127.0.0.1 port=5432 dbname=postgres";
       };
+    };
 
-  services.borgbackup.jobs = {
+    /*
+    borgbackup.jobs = {
       loutre = {
         paths = [
           "/var/certs"
@@ -299,8 +320,9 @@ in
         '';
       };
     };
+    */
 
-  services.borgbackup.repos = {
+    borgbackup.repos = {
       diskstation = {
         authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDllbxON66dBju7sMnhX8/E0VRo3+PDYvDsHP0/FK+h8JHol4+pouLmI7KIDKYOJmSuom283OqnyZOMqk+RShTwWIFm9hOd2R9aj45Zrd9jPW2APOCec/Epgogj0bwBnc0l2v6qxkxaBMgL5DnAQ+E00uvL1UQpK8c8j4GGiPlkWJD6Kf+pxmnfH1TIm+J2XCwl0oeCkSK/Frd8eM+wCraMSzoaGiEcfMz2jK8hxDWjDxX7epU0ELF22BVCuyN8cYRoFTnV88E38PlaqsOqD5ePkxk425gDh7j/C06f8QKgnasVH2diixo92kYSd7i/RmfeXDDwAD5xqUvODczEuIdt root@DiskStation" ];
         path = "/mnt/backup_loutre/diskstation_borg";
@@ -308,17 +330,19 @@ in
       };
     };
 
-  services.gitea = {
+    gitea = {
       enable = true;
       cookieSecure = true;
       httpPort = 3001;
       rootUrl = "https://gitea.nyanlout.re/";
-    database.type = "postgres";
+      database = {
-    database.port = 5432;
+        type = "postgres";
-    database.passwordFile = "/mnt/secrets/gitea_database_passwordFile";
+        port = 5432;
+        passwordFile = "/mnt/secrets/gitea_database_passwordFile";
+      };
     };
 
-  services.vsftpd = {
+    vsftpd = {
       enable = true;
       forceLocalLoginsSSL = true;
       forceLocalDataSSL = true;
@@ -332,13 +356,18 @@ in
       '';
     };
 
-  services.site-musique.enable = true;
+    site-musique = {
-  services.site-musique.port = musique_port;
+      enable = true;
-  services.site-musique.domaine = "musique-meyenheim.fr";
+      port = musique_port;
+      domaine = "musique-meyenheim.fr";
+    };
 
-  services.site-max.enable = true;
+    site-max = {
-  services.site-max.port = max_port;
+      enable = true;
-  services.site-max.domaine = "maxspiegel.fr";
+      port = max_port;
+      domaine = "maxspiegel.fr";
+    };
+  };
 
   /*
   systemd.services.dogetipbot-telegram = {
@@ -352,8 +381,19 @@ in
       Group = "nogroup";
     };
   };
+
+  systemd.services.matrix-synapse = {
+    serviceConfig = {
+      MemoryHigh = "3G";
+      MemoryMax = "5G";
+    };
+  };
   */
 
+  security.sudo.extraRules = [
+    { commands = [ { command = "${pkgs.smartmontools}/bin/smartctl"; options = [ "NOPASSWD" ]; } ]; users = [ "telegraf" ]; }
+  ];
+
   networking.firewall.allowedTCPPorts = [
     111 2049 4000 4001 4002 # NFS
     3483 9000 9090 # Slimserver

systems/LoutreOS/users.nix

@@ -34,8 +34,7 @@
     };
   };
 
-  users.extraGroups.medias =
+  users.extraGroups.medias = {
-  {
     gid = 498;
     members = [ "slimserver" "radarr" "sonarr" "emby" "transmission" ];
   };