+ ];
- boot.initrd.availableKernelModules = [
- "xhci_pci"
- "ehci_pci"
- "ahci"
- "usb_storage"
- "sd_mod"
- ];
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
@@ -30,19 +19,19 @@
hardware.nvidia.optimus_prime.nvidiaBusId = "PCI:1:0:0";
hardware.nvidia.optimus_prime.intelBusId = "PCI:0:2:0";
- fileSystems."/" = {
- device = "/dev/disk/by-uuid/7bd3a09b-b188-4ce7-bdcc-d5c5087edc86";
- fsType = "ext4";
- };
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/7bd3a09b-b188-4ce7-bdcc-d5c5087edc86";
+ fsType = "ext4";
+ };
- fileSystems."/boot" = {
- device = "/dev/disk/by-uuid/A25A-1786";
- fsType = "vfat";
- };
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/A25A-1786";
+ fsType = "vfat";
+ };
- swapDevices = [
- { device = "/dev/disk/by-uuid/156cd5e8-715c-48a5-9df4-14565227a6c9"; }
- ];
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/156cd5e8-715c-48a5-9df4-14565227a6c9"; }
+ ];
nix.maxJobs = lib.mkDefault 8;
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
diff --git a/systems/LoutreOS/config-overviewer.py b/systems/LoutreOS/config-overviewer.py
new file mode 100644
index 0000000..a307a38
--- /dev/null
+++ b/systems/LoutreOS/config-overviewer.py
@@ -0,0 +1,47 @@
+from .observer import MultiplexingObserver, LoggingObserver, JSObserver
+
+global escape
+from cgi import escape
+def signFilter(poi):
+ if poi['id'] == 'Sign' or poi['id'] == 'minecraft:sign':
+ return "" + "\n".join(map(escape, [poi['Text1'], poi['Text2'], poi['Text3'], poi['Text4']])) + "
"
+
+global json
+import json
+def petFilter(poi):
+ if "CustomName" in poi:
+ custom_name = json.loads(poi['CustomName'])
+ if "text" in custom_name:
+ return custom_name["text"]
+
+def playerIcons(poi):
+ if poi['id'] == 'Player':
+ poi['icon'] = "https://overviewer.org/avatar/%s" % poi['EntityId']
+ return "Last known location for %s" % poi['EntityId']
+
+processes = 2
+
+worlds["My world"] = "/var/lib/minecraft/world"
+
+renders["Vue normale"] = {
+ "world": "My world",
+ "title": "Vue normale",
+ "texturepath": "@CLIENT_JAR@",
+ "rendermode": smooth_lighting,
+ 'markers': [dict(name="All signs", filterFunction=signFilter),
+ dict(name="Pets", filterFunction=petFilter, icon="icons/marker_cat.png", createInfoWindow=False, checked=True),
+ dict(name="Position joueurs", filterFunction=playerIcons),],
+}
+
+cave_rendermode = [Base(), EdgeLines(), Cave(only_lit=True), DepthTinting()]
+
+renders["Grottes"] = {
+ "world": "My world",
+ "title": "Grottes",
+ "texturepath": "@CLIENT_JAR@",
+ "rendermode": cave_rendermode,
+}
+
+outputdir = "/var/www/minecraft-overviewer"
+
+observer = MultiplexingObserver(LoggingObserver(), JSObserver(outputdir))
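Review bot: `petFilter` returns `custom_name["text"]` and `playerIcons` interpolates `poi['EntityId']` without escaping, while `signFilter` escapes its fields. All three values come from world data that players can set, and the returned string presumably ends up in the generated map page as marker text. Pass them through the same escaping, e.g. `return escape(custom_name["text"])`. Separately, `cgi.escape` was removed in Python 3.8 and did not escape quotes by default; `from html import escape` is the replacement. `json.loads(poi['CustomName'])` also raises on a name stored as plain text rather than JSON, so catching `ValueError` there would keep one odd entity from aborting marker generation.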
diff --git a/systems/LoutreOS/configuration.nix b/systems/LoutreOS/configuration.nix
index 2e49dde..cf299f5 100644
--- a/systems/LoutreOS/configuration.nix
+++ b/systems/LoutreOS/configuration.nix
@@ -1,23 +1,18 @@
-{
- config,
- pkgs,
- inputs,
- ...
-}:
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
{
imports = [
../common-cli.nix
./hardware-configuration.nix
- ./network.nix
./users.nix
./services.nix
];
- nix.settings.trusted-users = [
- "root"
- "paul"
- ];
+ nix.trustedUsers = [ "root" "paul" ];
boot = {
loader = {
@@ -27,29 +22,144 @@
supportedFilesystems = [ "zfs" ];
- tmp.useTmpfs = true;
-
- # Enabling both boot.enableContainers & virtualisation.containers on system.stateVersion < 22.05 is unsupported
- enableContainers = false;
+ tmpOnTmpfs = true;
};
documentation.nixos.enable = false;
+ nixpkgs.config.allowUnfree = false;
+ nixpkgs.config.allowUnfreePredicate = (pkg: builtins.elem pkg.pname or (builtins.parseDrvName pkg.name).name [ "factorio-headless" "perl5.32.1-slimserver" "minecraft-server" ]);
+
services.zfs = {
autoSnapshot.enable = true;
- autoScrub = {
+ autoScrub.enable = true;
+ };
+
+ hardware.usbWwan.enable = true;
+
+ # eno1 -> VLAN100 -> Internet
+ # eno2 -> LAN
+ # eno3 -> Legacy client DHCP
+ # eno4 -> Pas utilisé
+
+ networking = {
+ hostName = "loutreos"; # Define your hostname.
+ hostId = "7e66e347";
+
+ useNetworkd = true;
+ useDHCP = false;
+
+ vlans = {
+ bouygues = {
+ id = 100;
+ interface = "eno1";
+ };
+ chinoiseries = {
+ id = 20;
+ interface = "eno2";
+ };
+ };
+
+ interfaces = {
+ bouygues = {
+ # Adresse MAC BBox ? https://lafibre.info/remplacer-bbox/informations-de-connexion-ftth/msg598303/#msg598303
+ macAddress = "E8:AD:A6:21:73:68";
+ useDHCP = true;
+ };
+ eno2 = {
+ ipv4.addresses = [
+ { address = "10.30.0.1"; prefixLength = 16; }
+ ];
+ };
+ chinoiseries = {
+ ipv4.addresses = [
+ { address = "10.40.0.1"; prefixLength = 16; }
+ ];
+ };
+ enp0s21u2.useDHCP = true;
+ };
+
+ # NAT bouygues <-> eno2
+ nat = {
+ enable = true;
+ externalInterface = "bouygues";
+ # Permet d'utiliser le SNAT plus rapide au lieu de MASQUERADE
+ # externalIP = "0.0.0.0";
+ internalIPs = [ "10.30.0.0/16" "10.40.0.0/16" ];
+ internalInterfaces = [ "eno2" "chinoiseries" ];
+ forwardPorts = [
+ { destination = "10.30.0.1:22"; proto = "tcp"; sourcePort = 8443;}
+ { destination = "10.30.135.35:25565"; proto = "tcp"; sourcePort = 25565; loopbackIPs=[ "195.36.180.44" ];}
+ ];
+ };
+
+ firewall = {
+ allowedTCPPorts = [ 80 443 ];
+ allowedUDPPorts = [ ];
+ interfaces.eno2 = {
+ allowedTCPPorts = [
+ 111 2049 4000 4001 4002 # NFS
+ 3483 9000 9090 # Slimserver
+ 1935 # RTMP
+ ];
+ allowedUDPPorts = [
+ 111 2049 4000 4001 4002 # NFS
+ 3483 # Slimserver
+ ];
+ };
enable = true;
- interval = "monthly";
};
};
+ systemd.network.networks = {
+ "40-bouygues" = {
+ dhcpV4Config.RouteMetric = 1;
+ networkConfig.KeepConfiguration = "dhcp-on-stop";
+ };
+ "40-enp0s21u2".dhcpV4Config.RouteMetric = 1024;
+ };
+
+ services.dhcpd4 = {
+ enable = true;
+ interfaces = [ "eno2" "chinoiseries" ];
+ machines = [
+ { ethernetAddress = "50:c7:bf:b6:b8:ef"; hostName = "HS110"; ipAddress = "10.30.50.7"; }
+ { ethernetAddress = "ac:1f:6b:4b:01:15"; hostName = "IPMI"; ipAddress = "10.30.1.1"; }
+ { ethernetAddress = "b4:2e:99:ed:24:26"; hostName = "paul-fixe"; ipAddress = "10.30.50.1"; }
+
+ #ESPHome
+ { ethernetAddress = "e0:98:06:85:e9:ce"; hostName = "salonled"; ipAddress = "10.30.40.1"; }
+ { ethernetAddress = "e0:98:06:86:38:fc"; hostName = "bureauled"; ipAddress = "10.30.40.2"; }
+ { ethernetAddress = "50:02:91:78:be:be"; hostName = "guirlande"; ipAddress = "10.30.40.3"; }
+
+ # YeeLights
+ { ethernetAddress = "04:cf:8c:b5:7e:18"; hostName = "yeelink-light-color3_miap7e18"; ipAddress = "10.40.249.0"; }
+ { ethernetAddress = "04:cf:8c:b5:2d:28"; hostName = "yeelink-light-color3_miap2d28"; ipAddress = "10.40.249.1"; }
+ { ethernetAddress = "04:cf:8c:b5:71:04"; hostName = "yeelink-light-color3_miap7104"; ipAddress = "10.40.249.2"; }
+ ];
+ extraConfig = ''
+ option domain-name-servers 89.234.141.66, 80.67.169.12, 80.67.169.40;
+ option subnet-mask 255.255.0.0;
+ subnet 10.30.0.0 netmask 255.255.0.0 {
+ option routers 10.30.0.1;
+ range 10.30.100.0 10.30.200.0;
+ }
+ subnet 10.40.0.0 netmask 255.255.0.0 {
+ option routers 10.40.0.1;
+ range 10.40.100.0 10.40.200.0;
+ }
+ '';
+ };
+
+ nixpkgs.overlays = [
+ (import ../../overlays/riot-web.nix)
+ ];
+
services.openssh = {
enable = true;
- settings = {
- PermitRootLogin = "no";
- PasswordAuthentication = false;
- X11Forwarding = true;
- };
+ permitRootLogin = "no";
+ passwordAuthentication = false;
+ forwardX11 = true;
};
users = {
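Review bot: Nothing in this hunk filters forwarded traffic between the `chinoiseries` VLAN (10.40.0.0/16) and the LAN on `eno2` (10.30.0.0/16); both are in `nat.internalInterfaces`, and the `firewall` block only lists input ports. If the VLAN is meant to keep the YeeLight devices away from the LAN, that separation needs an explicit forward rule, for example in `networking.firewall.extraCommands`: `iptables -I FORWARD -i chinoiseries -o eno2 -m conntrack --ctstate NEW -j DROP`. Check the rest of the configuration first, since such a rule may already exist outside the hunk. The same block forwards WAN port 8443 to this host's own sshd and sets `forwardX11 = true`; a short comment on why each is needed would help, and X11 forwarding on a server is usually better left off.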
@@ -62,6 +172,8 @@
};
};
+ services.autossh.sessions = [ { extraArguments = "-N -R 0.0.0.0:2222:127.0.0.1:22 loutre@vps772619.ovh.net"; monitoringPort = 20000; name = "backup-ssh-reverse"; user = "autossh"; } ];
+
virtualisation.podman.enable = true;
security.sudo.wheelNeedsPassword = false;
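Review bot: The reverse tunnel binds `0.0.0.0:2222` on the remote host, so if that host's sshd permits `GatewayPorts`, this machine's sshd becomes reachable from the internet through the VPS. Those connections arrive locally from 127.0.0.1, outside the firewall rules and any per-address banning. If the tunnel is only a fallback entry point used from the VPS itself, bind it to loopback: `-N -R 127.0.0.1:2222:127.0.0.1:22 …`. Adding `-o ExitOnForwardFailure=yes -o ServerAliveInterval=30` lets autossh notice and restart a session whose forward was never established. The unchanged `security.sudo.wheelNeedsPassword = false` below means any wheel account reached this way is root with no further check, so this path deserves the same care as the main SSH port.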
diff --git a/systems/LoutreOS/hardware-configuration.nix b/systems/LoutreOS/hardware-configuration.nix
index 5421ad0..4984718 100644
--- a/systems/LoutreOS/hardware-configuration.nix
+++ b/systems/LoutreOS/hardware-configuration.nix
@@ -1,203 +1,181 @@
# Do not modify this file! It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
-{
- config,
- lib,
- pkgs,
- ...
-}:
+{ config, lib, pkgs, ... }:
{
- boot.initrd.availableKernelModules = [
- "ahci"
- "xhci_pci"
- "nvme"
- "usbhid"
- "usb_storage"
- "sd_mod"
- "sr_mod"
- ];
+ boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
- fileSystems."/" = {
- device = "/dev/disk/by-uuid/fec13566-5528-4859-b185-ce37ac2665eb";
- fsType = "ext4";
- };
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/fec13566-5528-4859-b185-ce37ac2665eb";
+ fsType = "ext4";
+ };
- fileSystems."/boot" = {
- device = "/dev/disk/by-uuid/5306-AD9A";
- fsType = "vfat";
- };
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/5306-AD9A";
+ fsType = "vfat";
+ };
- fileSystems."/var/lib/acme" = {
- device = "loutrepool/var/acme";
- fsType = "zfs";
- };
+ fileSystems."/var/lib/acme" =
+ { device = "loutrepool/var/acme";
+ fsType = "zfs";
+ };
- fileSystems."/var/certs" = {
- device = "loutrepool/var/certs";
- fsType = "zfs";
- };
+ fileSystems."/var/certs" =
+ { device = "loutrepool/var/certs";
+ fsType = "zfs";
+ };
- fileSystems."/var/lib/transmission" = {
- device = "loutrepool/var/transmission";
- fsType = "zfs";
- };
+ fileSystems."/var/lib/transmission" =
+ { device = "loutrepool/var/transmission";
+ fsType = "zfs";
+ };
- fileSystems."/var/lib/matrix-synapse" = {
- device = "loutrepool/var/matrix-synapse";
- fsType = "zfs";
- };
+ fileSystems."/var/lib/matrix-synapse" =
+ { device = "loutrepool/var/matrix-synapse";
+ fsType = "zfs";
+ };
- fileSystems."/var/lib/radarr" = {
- device = "loutrepool/var/radarr";
- fsType = "zfs";
- };
+ fileSystems."/var/lib/radarr" =
+ { device = "loutrepool/var/radarr";
+ fsType = "zfs";
+ };
- fileSystems."/var/lib/grafana" = {
- device = "loutrepool/var/grafana";
- fsType = "zfs";
- };
+ fileSystems."/var/lib/grafana" =
+ { device = "loutrepool/var/grafana";
+ fsType = "zfs";
+ };
- fileSystems."/var/lib/slimserver" = {
- device = "loutrepool/var/slimserver";
- fsType = "zfs";
- };
+ fileSystems."/var/lib/slimserver" =
+ { device = "loutrepool/var/slimserver";
+ fsType = "zfs";
+ };
- fileSystems."/var/db/influxdb" = {
- device = "loutrepool/var/influxdb";
- fsType = "zfs";
- };
+ fileSystems."/var/db/influxdb" =
+ { device = "loutrepool/var/influxdb";
+ fsType = "zfs";
+ };
- fileSystems."/var/lib/postgresql" = {
- device = "loutrepool/var/postgresql";
- fsType = "zfs";
- };
+ fileSystems."/var/lib/postgresql" =
+ { device = "loutrepool/var/postgresql";
+ fsType = "zfs";
+ };
- fileSystems."/var/lib/syncthing" = {
- device = "loutrepool/var/syncthing";
- fsType = "zfs";
- };
+ fileSystems."/var/lib/syncthing" =
+ { device = "loutrepool/var/syncthing";
+ fsType = "zfs";
+ };
- fileSystems."/mnt/medias/incomplete" = {
- device = "loutrepool/torrent-dl";
- fsType = "zfs";
- };
+ fileSystems."/mnt/medias/incomplete" =
+ { device = "loutrepool/torrent-dl";
+ fsType = "zfs";
+ };
- fileSystems."/mnt/medias" = {
- device = "loutrepool/medias";
- fsType = "zfs";
- };
+ fileSystems."/mnt/medias" =
+ { device = "loutrepool/medias";
+ fsType = "zfs";
+ };
- fileSystems."/var/sieve" = {
- device = "loutrepool/var/sieve";
- fsType = "zfs";
- };
+ fileSystems."/var/sieve" =
+ { device = "loutrepool/var/sieve";
+ fsType = "zfs";
+ };
- fileSystems."/var/vmail" = {
- device = "loutrepool/var/vmail";
- fsType = "zfs";
- };
+ fileSystems."/var/vmail" =
+ { device = "loutrepool/var/vmail";
+ fsType = "zfs";
+ };
- fileSystems."/var/lib/sonarr" = {
- device = "loutrepool/var/sonarr";
- fsType = "zfs";
- };
+ fileSystems."/var/lib/sonarr" =
+ { device = "loutrepool/var/sonarr";
+ fsType = "zfs";
+ };
- fileSystems."/var/lib/jackett" = {
- device = "loutrepool/var/jackett";
- fsType = "zfs";
- };
+ fileSystems."/var/lib/jackett" =
+ { device = "loutrepool/var/jackett";
+ fsType = "zfs";
+ };
- fileSystems."/var/lib/gitea" = {
- device = "loutrepool/var/gitea";
- fsType = "zfs";
- };
+ fileSystems."/var/lib/gitea" =
+ { device = "loutrepool/var/gitea";
+ fsType = "zfs";
+ };
- fileSystems."/var/lib/private/sdtdserver" = {
- device = "loutrepool/var/sdtdserver";
- fsType = "zfs";
- };
+ fileSystems."/var/lib/private/sdtdserver" =
+ { device = "loutrepool/var/sdtdserver";
+ fsType = "zfs";
+ };
- fileSystems."/var/lib/private/factorio" = {
- device = "loutrepool/var/factorio";
- fsType = "zfs";
- };
+ fileSystems."/var/lib/private/factorio" =
+ { device = "loutrepool/var/factorio";
+ fsType = "zfs";
+ };
- fileSystems."/var/dkim" = {
- device = "loutrepool/var/dkim";
- fsType = "zfs";
- };
+ fileSystems."/var/dkim" =
+ { device = "loutrepool/var/dkim";
+ fsType = "zfs";
+ };
- fileSystems."/var/vsftpd" = {
- device = "loutrepool/var/vsftpd";
- fsType = "zfs";
- };
+ fileSystems."/var/vsftpd" =
+ { device = "loutrepool/var/vsftpd";
+ fsType = "zfs";
+ };
- # fileSystems."/mnt/backup" =
- # { device = "backup";
- # fsType = "zfs";
- # };
+ fileSystems."/mnt/backup" =
+ { device = "backup";
+ fsType = "zfs";
+ };
- fileSystems."/mnt/backup_loutre" = {
- device = "loutrepool/backup";
- fsType = "zfs";
- };
+ fileSystems."/mnt/backup_loutre" =
+ { device = "loutrepool/backup";
+ fsType = "zfs";
+ };
- fileSystems."/mnt/secrets" = {
- device = "loutrepool/secrets";
- fsType = "zfs";
- };
+ fileSystems."/mnt/secrets" =
+ { device = "loutrepool/secrets";
+ fsType = "zfs";
+ };
- fileSystems."/var/lib/minecraft" = {
- device = "loutrepool/var/minecraft";
- fsType = "zfs";
- };
+ fileSystems."/var/lib/minecraft" =
+ { device = "loutrepool/var/minecraft";
+ fsType = "zfs";
+ };
- fileSystems."/var/www" = {
- device = "loutrepool/var/www";
- fsType = "zfs";
- };
+ fileSystems."/var/www" =
+ { device = "loutrepool/var/www";
+ fsType = "zfs";
+ };
- fileSystems."/var/lib/mastodon" = {
- device = "loutrepool/var/mastodon";
- fsType = "zfs";
- };
+ fileSystems."/var/lib/mastodon" =
+ { device = "loutrepool/var/mastodon";
+ fsType = "zfs";
+ };
- fileSystems."/var/lib/hass" = {
- device = "loutrepool/var/hass";
- fsType = "zfs";
- };
+ fileSystems."/var/lib/hass" =
+ { device = "loutrepool/var/hass";
+ fsType = "zfs";
+ };
- fileSystems."/var/lib/nextcloud" = {
- device = "loutrepool/var/nextcloud";
- fsType = "zfs";
- };
+ fileSystems."/mnt/paul-home" =
+ { device = "loutrepool/zfs-replicate/paul-fixe/fastaf/home";
+ fsType = "zfs";
+ };
- fileSystems."/var/lib/private/photoprism" = {
- device = "loutrepool/var/photoprism";
- fsType = "zfs";
- };
+ fileSystems."/mnt/webdav" =
+ { device = "loutrepool/webdav";
+ fsType = "zfs";
+ };
- fileSystems."/mnt/paul-home" = {
- device = "loutrepool/zfs-replicate/paul-fixe/fastaf/home";
- fsType = "zfs";
- };
+ swapDevices =
+ [
+ {
+ device = "/var/swapfile";
+ size = 8096;
+ }
+ ];
- fileSystems."/mnt/webdav" = {
- device = "loutrepool/webdav";
- fsType = "zfs";
- };
-
- swapDevices = [
- {
- device = "/var/swapfile";
- size = 8096;
- }
- ];
-
- nix.settings.max-jobs = lib.mkDefault 4;
+ nix.maxJobs = lib.mkDefault 4;
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}
diff --git a/systems/LoutreOS/medias.nix b/systems/LoutreOS/medias.nix
index 742c719..c0bf930 100644
--- a/systems/LoutreOS/medias.nix
+++ b/systems/LoutreOS/medias.nix
@@ -1,16 +1,9 @@
-{
- config,
- lib,
- pkgs,
- pkgs-4a3fc4cf7,
- ...
-}:
+{ config, lib, pkgs, ... }:
{
services = {
transmission = {
enable = true;
- package = pkgs-4a3fc4cf7.transmission_4;
home = "/var/lib/transmission";
group = "medias";
settings = {
@@ -20,178 +13,25 @@
rpc-whitelist-enabled = false;
peer-port = 51413;
incomplete-dir = "/mnt/medias/incomplete";
- download-dir = "/mnt/medias/torrent";
};
};
radarr.enable = true;
sonarr.enable = true;
- prowlarr.enable = true;
- recyclarr = {
- enable = true;
- configuration = {
- radarr.radarr_main = {
- api_key = {
- _secret = "/run/credentials/recyclarr.service/radarr-api_key";
- };
- base_url = "http://localhost:7878";
- include = [
- {
- template = "radarr-quality-definition-movie";
- }
- {
- template = "radarr-quality-profile-hd-bluray-web-french-multi-vf";
- }
- {
- template = "radarr-custom-formats-hd-bluray-web-french-multi-vf";
- }
- {
- template = "radarr-quality-profile-hd-bluray-web-french-multi-vo";
- }
- {
- template = "radarr-custom-formats-hd-bluray-web-french-multi-vo";
- }
- ];
- delete_old_custom_formats = true;
- replace_existing_custom_formats = true;
- custom_formats = [
- # ===== Versions françaises =====
- {
- trash_ids = [
- "404c08fd0bd67f39b4d8e5709319094e" # VFF
- "29b5f7b1a5f20f64228786c3ab1bdc7d" # VF2
- ];
- assign_scores_to = [
- {
- name = "FR-MULTi-VF-HD";
- score = 101;
- }
- {
- name = "FR-MULTi-VO-HD";
- score = 101;
- }
- ];
- }
- {
- trash_ids = [
- "4cafa20d5584f6ba1871d1b8941aa3cb" # VOF
- "52772f1cad6b5d26c2551f79bc538a50" # VFI
- "f7caa1942be5cc547c266bd3dbc2cda9" # VOQ
- "95aa50f71a01c82354a7a2b385f1c4d8" # VQ
- "b3fb499641d7b3c2006be1d9eb014cb3" # VFB
- ];
- assign_scores_to = [
- {
- name = "FR-MULTi-VF-HD";
- score = 0;
- }
- {
- name = "FR-MULTi-VO-HD";
- score = 0;
- }
- ];
- }
- {
- trash_ids = [
- "b6ace47331a1d3b77942fc18156f6df6" # VFQ
- ];
- assign_scores_to = [
- {
- name = "FR-MULTi-VF-HD";
- score = -101;
- }
- {
- name = "FR-MULTi-VO-HD";
- score = -101;
- }
- ];
- }
- ];
- };
- sonarr.sonarr_main = {
- api_key = {
- _secret = "/run/credentials/recyclarr.service/sonarr-api_key";
- };
- base_url = "http://localhost:8989";
- include = [
- {
- template = "sonarr-quality-definition-series";
- }
- {
- template = "sonarr-v4-quality-profile-bluray-web-1080p-french-multi-vf";
- }
- {
- template = "sonarr-v4-custom-formats-bluray-web-1080p-french-multi-vf";
- }
- {
- template = "sonarr-v4-quality-profile-bluray-web-1080p-french-multi-vo";
- }
- {
- template = "sonarr-v4-custom-formats-bluray-web-1080p-french-multi-vo";
- }
- ];
- delete_old_custom_formats = true;
- replace_existing_custom_formats = true;
- custom_formats = [
- # ===== Versions françaises =====
- {
- trash_ids = [
- "2c29a39a4fdfd6d258799bc4c09731b9" # VFF
- "34789ec3caa819f087e23bbf9999daf7" # VF2
- ];
- assign_scores_to = [
- {
- name = "FR-MULTi-VF-WEB-1080p";
- score = 101;
- }
- {
- name = "FR-MULTi-VO-WEB-1080p";
- score = 101;
- }
- ];
- }
- {
- trash_ids = [
- "7ae924ee9b2f39df3283c6c0beb8a2aa" # VOF
- "b6816a0e1d4b64bf3550ad3b74b009b6" # VFI
- "802dd70b856c423a9b0cb7f34ac42be1" # VOQ
- "82085412d9a53ba8d8e46fc624eb701d" # VQ
- "0ce1e39a4676c6692ce47935278dac76" # VFB
- ];
- assign_scores_to = [
- {
- name = "FR-MULTi-VF-WEB-1080p";
- score = 0;
- }
- {
- name = "FR-MULTi-VO-WEB-1080p";
- score = 0;
- }
- ];
- }
- {
- trash_ids = [
- "7a7f4e4f58bd1058440236d033a90b67" # VFQ
- ];
- assign_scores_to = [
- {
- name = "FR-MULTi-VF-WEB-1080p";
- score = -101;
- }
- {
- name = "FR-MULTi-VO-WEB-1080p";
- score = -101;
- }
- ];
- }
- ];
+ jackett.enable = true;
- };
- };
+ jellyfin = {
+ enable = true;
+ package = pkgs.jellyfin;
};
- jellyfin.enable = true;
- slimserver.enable = true;
+ navidrome = {
+ enable = true;
+ settings = {
+ MusicFolder = "/mnt/medias/musique";
+ ImageCacheSize = 0;
+ };
+ };
};
systemd.services.transmission.serviceConfig = {
@@ -199,15 +39,6 @@
LimitNOFILE = 1048576;
};
- systemd.services.recyclarr.serviceConfig.LoadCredential = [
- "radarr-api_key:/mnt/secrets/radarr-api_key"
- "sonarr-api_key:/mnt/secrets/sonarr-api_key"
- ];
-
- systemd.services.transmission.serviceConfig = {
- TimeoutStartSec = "20min";
- };
-
networking = {
firewall.allowedTCPPorts = [
config.services.transmission.settings.peer-port
@@ -217,4 +48,25 @@
config.services.transmission.settings.peer-port
];
};
+
+ virtualisation.oci-containers = {
+ backend = "podman";
+ containers = {
+ slimserver = {
+ image = "docker.io/lmscommunity/logitechmediaserver:stable";
+ volumes = [
+ "/mnt/medias/musique:/music:ro"
+ "/var/lib/slimserver:/config:rw"
+ "/etc/localtime:/etc/localtime:ro"
+ ];
+ ports = [
+ "10.30.0.1:9000:9000/tcp"
+ "10.30.0.1:9090:9090/tcp"
+ "10.30.0.1:3483:3483/tcp"
+ "10.30.0.1:3483:3483/udp"
+ ];
+ extraOptions = ["--pull=always"];
+ };
+ };
+ };
}
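Review bot: The `slimserver` container runs `docker.io/lmscommunity/logitechmediaserver:stable` with `--pull=always`, so every service start executes whatever the mutable `stable` tag points to at that moment, with `/var/lib/slimserver` mounted read-write. Pinning the image by digest, `image = "docker.io/lmscommunity/logitechmediaserver@sha256:<digest>";` (placeholder value), and dropping `--pull=always` turns an image update into an explicit, reviewable change. Binding the published ports to `10.30.0.1` instead of all interfaces is a good choice and worth a one-line comment so it is not loosened later.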
diff --git a/systems/LoutreOS/monitoring.nix b/systems/LoutreOS/monitoring.nix
index f25843a..29915d2 100644
--- a/systems/LoutreOS/monitoring.nix
+++ b/systems/LoutreOS/monitoring.nix
@@ -1,7 +1,4 @@
-{
- pkgs,
- ...
-}:
+{ config, lib, pkgs, ... }:
let
domaine = "nyanlout.re";
@@ -10,7 +7,7 @@ in
services = {
smartd = {
enable = true;
- defaults.monitored = "-a -o on -s (S/../.././02|L/../15/./02)";
+ defaults.monitored = "-a -o on -s (S/../.././02|L/../../1/04)";
notifications.mail = {
enable = true;
recipient = "paul@nyanlout.re";
@@ -25,43 +22,29 @@ in
telegraf = {
enable = true;
extraConfig = {
- agent = {
- # Mitigation for periodic high load average
- # https://github.com/influxdata/telegraf/issues/3465
- collection_jitter = "5s";
- };
inputs = {
- zfs = {
- poolMetrics = true;
- };
- net = { };
- netstat = { };
- cpu = {
- totalcpu = true;
- };
- kernel = { };
- mem = { };
- processes = { };
- system = { };
- disk = { };
+ zfs = { poolMetrics = true; };
+ net = { interfaces = [ "eno1" "eno2" "eno3" "eno4" ]; };
+ netstat = {};
+ cpu = { totalcpu = true; };
+ kernel = {};
+ mem = {};
+ processes = {};
+ system = {};
+ disk = {};
cgroup = [
{
paths = [
"/sys/fs/cgroup/system.slice/*"
];
- files = [
- "memory.current"
- "cpu.stat"
- ];
+ files = ["memory.current" "cpu.stat"];
}
];
- ipmi_sensor = {
- path = "${pkgs.ipmitool}/bin/ipmitool";
- };
+ ipmi_sensor = { path = "${pkgs.ipmitool}/bin/ipmitool"; };
smart = {
path = "${pkgs.writeShellScriptBin "smartctl" "/run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl $@"}/bin/smartctl";
};
- exec = [
+ exec= [
{
commands = [
"${pkgs.python3}/bin/python ${pkgs.writeText "zpool.py" ''
@@ -93,10 +76,7 @@ in
];
};
outputs = {
- influxdb = {
- database = "telegraf";
- urls = [ "http://localhost:8086" ];
- };
+ influxdb = { database = "telegraf"; urls = [ "http://localhost:8086" ]; };
};
};
};
@@ -107,27 +87,18 @@ in
grafana = {
enable = true;
+ addr = "127.0.0.1";
dataDir = "/var/lib/grafana";
- settings = {
- server = {
- http_addr = "127.0.0.1";
- root_url = "https://grafana.${domaine}";
- };
- smtp = {
- enabled = true;
- from_address = "grafana@${domaine}";
- skip_verify = true;
- };
- auth = {
- disable_signout_menu = true;
- };
- "auth.basic" = {
- enabled = false;
- };
- "auth.proxy" = {
- enabled = true;
- header_name = "X-WEBAUTH-USER";
- };
+ extraOptions = {
+ SERVER_ROOT_URL = "https://grafana.${domaine}";
+ SMTP_ENABLED = "true";
+ SMTP_FROM_ADDRESS = "grafana@${domaine}";
+ SMTP_SKIP_VERIFY = "true";
+ AUTH_DISABLE_LOGIN_FORM = "true";
+ AUTH_DISABLE_SIGNOUT_MENU = "true";
+ AUTH_ANONYMOUS_ENABLED = "true";
+ AUTH_ANONYMOUS_ORG_ROLE = "Admin";
+ AUTH_BASIC_ENABLED = "false";
};
};
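Review bot: `AUTH_ANONYMOUS_ENABLED = "true"` together with `AUTH_ANONYMOUS_ORG_ROLE = "Admin"` gives every request that reaches Grafana full admin rights, including data source settings and user management. Access control then rests entirely on whatever sits in front of `127.0.0.1`, which is not visible in this hunk. Any local process or misrouted proxy location gets the same rights. Lowering the anonymous role to `AUTH_ANONYMOUS_ORG_ROLE = "Viewer"` and keeping a real admin login limits the damage if the proxy rule is ever wrong. `SMTP_SKIP_VERIFY = "true"` disables certificate verification for outgoing mail and should carry a comment if it is intentional.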
@@ -137,19 +108,7 @@ in
};
};
- systemd.services.influxdb.serviceConfig = {
- TimeoutStartSec = "10min";
- };
-
security.sudo.extraRules = [
- {
- commands = [
- {
- command = "${pkgs.smartmontools}/bin/smartctl";
- options = [ "NOPASSWD" ];
- }
- ];
- users = [ "telegraf" ];
- }
+ { commands = [ { command = "${pkgs.smartmontools}/bin/smartctl"; options = [ "NOPASSWD" ]; } ]; users = [ "telegraf" ]; }
];
}
diff --git a/systems/LoutreOS/network.nix b/systems/LoutreOS/network.nix
deleted file mode 100644
index 3e437bd..0000000
--- a/systems/LoutreOS/network.nix
+++ /dev/null
@@ -1,391 +0,0 @@
-{
- config,
- pkgs,
- inputs,
- ...
-}:
-
-{
- boot = {
- kernel.sysctl = {
- "net.ipv6.conf.all.forwarding" = true;
- "net.ipv6.conf.default.forwarding" = true;
- "net.ipv4.conf.all.forwarding" = true;
- "net.ipv4.conf.default.forwarding" = true;
- };
- };
-
- # Enable LTE drivers
- hardware.usb-modeswitch.enable = true;
-
- ##################
- # NETWORK CONFIG #
- ##################
-
- # eno1 -> VLAN100 -> Internet
- # eno2 -> LAN
- # eno3 -> Pas utilisé
- # eno4 -> Pas utilisé
- # enp0s21u1 -> Clé 4G Bouygues
- # wg0 -> Tunnel Wireguard ARN
-
- networking = {
- hostName = "loutreos"; # Define your hostname.
- hostId = "7e66e347";
-
- useNetworkd = true;
- useDHCP = false;
-
- nameservers = [
- # https://www.dns0.eu/fr
- "193.110.81.0"
- "185.253.5.0"
- ];
-
- vlans = {
- bouygues = {
- id = 100;
- interface = "eno1";
- };
- };
-
- interfaces = {
- bouygues = {
- # Adresse MAC BBox : https://lafibre.info/remplacer-bbox/informations-de-connexion-ftth/msg598303/#msg598303
- macAddress = "E8:AD:A6:21:73:68";
- useDHCP = true;
- };
- eno2 = {
- ipv4.addresses = [
- {
- address = "10.30.0.1";
- prefixLength = 16;
- }
- ];
- };
- enp0s21u1.useDHCP = true;
- };
-
- nftables = {
- enable = true;
- flushRuleset = false;
- tables = {
- "multi-wan-routing" = {
- family = "inet";
- content = ''
- chain PREROUTING {
- type filter hook prerouting priority mangle; policy accept;
- # Restore the packet's CONNMARK to the MARK for existing incoming connections
- counter meta mark set ct mark
- # If packet MARK is set, then it means that there is already a connection mark
- meta mark != 0x00000000 counter accept
- # Else, we need to mark the packet.
- # If the packet is incoming on bouygues then set MARK to 1, LTE MARK 2 and VPN MARK 3
- iifname "bouygues" counter meta mark set 0x1
- iifname "enp0s21u1" counter meta mark set 0x2
- iifname "wg0" counter meta mark set 0x3
- # Save new mark in CONNMARK
- counter ct mark set mark
- }
-
- chain OUTPUT {
- type route hook output priority mangle; policy accept;
- # Restore CONNMARK to MARK for outgoing packets before final routing decision
- counter meta mark set ct mark
- }
-
- chain POSTROUTING {
- type filter hook postrouting priority mangle; policy accept;
- # Save MARK to CONNMARK
- counter ct mark set mark
- }
- '';
- };
-
- "redirect-external-to-local" = {
- family = "ip";
- content = ''
- chain PREROUTING {
- type nat hook prerouting priority dstnat; policy accept;
- # Redirect local network request from server external IP to internal IP
- # This allow access to server without internet access
- ip saddr 10.30.0.0/16 ip daddr 176.180.172.105 counter dnat to 10.30.0.1
- }
- '';
- };
- };
- };
-
- firewall = {
- enable = true;
- allowedTCPPorts = [
- 80
- 443
- ];
- allowedUDPPorts = [ ];
-
- # Open ports on local netwok only
- interfaces.eno2 = {
- allowedTCPPorts = [
- 111
- 2049
- 4000
- 4001
- 4002 # NFS
- 3483
- 9000
- 9090 # Slimserver
- 1935 # RTMP
- ];
- allowedUDPPorts = [
- 111
- 2049
- 4000
- 4001
- 4002 # NFS
- 3483 # Slimserver
- 67 # DHCP
- ];
- };
-
- # Don't forward incoming IPv6 requests to local network
- filterForward = true;
- extraForwardRules = ''
- # Forward all IPv6 traffic from local network
- iifname "eno2" counter accept
- '';
- };
- };
-
- systemd.services.systemd-networkd = {
- unitConfig = {
- RequiresMountsFor = "/mnt/secrets/wireguard";
- };
- serviceConfig = {
- LoadCredential = [
- "network.wireguard.private.wg0:/mnt/secrets/wireguard/wireguard.private"
- "network.wireguard.preshared.wg0:/mnt/secrets/wireguard/wireguard.preshared"
- ];
- };
- };
-
- #################
- # ROUTING RULES #
- #################
-
- # 0: from all lookup local
- # 60: from all iif lo dport 25 lookup vpn # mails are forced to vpn table
- # 32766: from all lookup main # main table should contain no default routes, only local network routes
- # 32767: from all lookup default
- # 41000: from all fwmark 0x1 lookup fiber # fwmark indicate established connection that must go through same interface
- # 42000: from all fwmark 0x2 lookup lte
- # 43000: from all fwmark 0x3 lookup vpn
- # 51000: from all lookup fiber # first table encountered with a default route if fiber is up
- # 52000: from all lookup lte # first table encountered with a default route if fiber is down
-
- systemd.network =
- let
- routeTables = {
- fiber = 1;
- lte = 2;
- vpn = 3;
- };
- in
- {
- enable = true;
-
- config = {
- inherit routeTables;
- addRouteTablesToIPRoute2 = true;
- };
-
- # Wireguard ARN device configuation
- netdevs = {
- "10-wg0" = {
- netdevConfig = {
- Kind = "wireguard";
- Name = "wg0";
- MTUBytes = "1450";
- };
- wireguardConfig = {
- PrivateKey = "@network.wireguard.private.wg0";
- RouteTable = routeTables.vpn;
- };
- wireguardPeers = [
- {
- Endpoint = "89.234.141.83:8095";
- PublicKey = "t3+JkBfXI1uw8fa9P6JfxXJfTPm9cOHcgIN215UHg2g=";
- PresharedKey = "@network.wireguard.preshared.wg0";
- AllowedIPs = [
- "0.0.0.0/0"
- "::/0"
- ];
- PersistentKeepalive = 15;
- }
- ];
- };
- };
-
- networks = {
- #########
- # FIBER #
- #########
-
- # Set route metric to highest priority
- # Set DHCP client magic settings for Bouygues
- "40-bouygues" = {
- dhcpV4Config.RouteTable = routeTables.fiber;
-
- dhcpV6Config = {
- DUIDRawData = "00:03:00:01:E8:AD:A6:21:73:68";
- WithoutRA = "solicit";
- };
-
- ipv6AcceptRAConfig = {
- DHCPv6Client = true;
- RouteTable = routeTables.fiber;
- };
-
- networkConfig = {
- KeepConfiguration = "dynamic-on-stop";
- IPv6AcceptRA = true;
- DHCPPrefixDelegation = true;
- };
-
- # Static attribution of first IPv6 subnet
- dhcpPrefixDelegationConfig.SubnetId = "0";
-
- # Route everything to fiber link with a priority of 40000
- routingPolicyRules = [
- {
- FirewallMark = 1;
- Table = routeTables.fiber;
- Priority = 41000;
- Family = "both";
- }
- {
- Table = routeTables.fiber;
- Priority = 51000;
- Family = "both";
- }
- ];
- };
-
- # Don't check VLAN physical interface as it is not directly used
- "40-eno1".linkConfig.RequiredForOnline = "no";
-
- #######
- # LTE #
- #######
-
- # Set LTE route to lower priority
- "40-enp0s21u1" = {
- dhcpV4Config.RouteTable = routeTables.lte;
-
- # Route all to lte link with a priority of 50000
- routingPolicyRules = [
- {
- FirewallMark = 2;
- Table = routeTables.lte;
- Priority = 42000;
- Family = "both";
- }
- {
- Table = routeTables.lte;
- Priority = 52000;
- Family = "both";
- }
- ];
- };
-
- #######
- # VPN #
- #######
-
- # Wireguard ARN network configuation
- "10-wg0" = {
- matchConfig.Name = "wg0";
- address = [
- "89.234.141.196/32"
- "2a00:5881:8119:400::1/128"
- ];
- routingPolicyRules = [
- # Route outgoing emails to VPN table
- {
- IncomingInterface = "lo";
- DestinationPort = "25";
- Table = routeTables.vpn;
- Priority = 60;
- Family = "both";
- }
- # Route packets originating from wg0 device to VPN table
- # Allow server to respond on the wg0 interface requests
- {
- FirewallMark = 3;
- Table = routeTables.vpn;
- Priority = 43000;
- Family = "both";
- }
- ];
- };
-
- #######
- # LAN #
- #######
-
- # LAN DHCP server config
- "40-eno2" = {
- networkConfig = {
- IPv6SendRA = true;
- DHCPPrefixDelegation = true;
- DHCPServer = true;
- IPMasquerade = "ipv4";
- };
- dhcpServerConfig = {
- EmitRouter = true;
- EmitDNS = true;
- DNS = [
- # https://www.dns0.eu/fr
- "193.110.81.0"
- "185.253.5.0"
- ];
- };
- dhcpServerStaticLeases = [
- # IPMI
- {
- Address = "10.30.1.1";
- MACAddress = "ac:1f:6b:4b:01:15";
- }
- # paul-fixe
- {
- Address = "10.30.50.1";
- MACAddress = "b4:2e:99:ed:24:26";
- }
- # salonled
- {
- Address = "10.30.40.1";
- MACAddress = "e0:98:06:85:e9:ce";
- }
- # miroir-bleu
- {
- Address = "10.30.40.2";
- MACAddress = "e0:98:06:86:38:fc";
- }
- # miroir-orange
- {
- Address = "10.30.40.3";
- MACAddress = "50:02:91:78:be:be";
- }
- ];
- ipv6SendRAConfig = {
- EmitDNS = true;
- DNS = [
- # https://www.dns0.eu/fr
- "2a0f:fc80::"
- "2a0f:fc81::"
- ];
- };
- };
- };
- };
-}
diff --git a/systems/LoutreOS/services.nix b/systems/LoutreOS/services.nix
index 28cf410..71d4ca5 100644
--- a/systems/LoutreOS/services.nix
+++ b/systems/LoutreOS/services.nix
@@ -1,24 +1,17 @@
-{
- config,
- lib,
- pkgs,
- ...
-}:
+{ config, lib, pkgs, ... }:
with lib;
let
domaine = "nyanlout.re";
- sendMail =
- to: subject: message:
- pkgs.writeShellScriptBin "mail.sh" ''
- ${pkgs.system-sendmail}/bin/sendmail ${to} < { };
in
{
imports = [
+ ../../services/python-ci.nix
+ ../../services/sdtdserver.nix
+ # /mnt/secrets/factorio_secrets.nix
./monitoring.nix
./medias.nix
./web.nix
@@ -66,7 +62,7 @@ in
};
# Certificate setup
- certificateScheme = "manual";
+ certificateScheme = 1;
certificateFile = "/var/lib/acme/${domaine}/fullchain.pem";
keyFile = "/var/lib/acme/${domaine}/key.pem";
@@ -81,19 +77,46 @@ in
};
services = {
+ postfix = {
+ relayHost = "mailvps.nyanlout.re";
+ relayPort = 587;
+ config = {
+ smtp_tls_cert_file = lib.mkForce "/var/lib/postfix/postfixrelay.crt";
+ smtp_tls_key_file = lib.mkForce "/var/lib/postfix/postfixrelay.key";
+ };
+ };
+
rspamd.workers.controller.extraConfig = ''
- secure_ip = ["0.0.0.0/0", "::"];
+ secure_ip = ["0.0.0.0/0"];
'';
- # redis.enable = true;
+ redis.enable = true;
- # enable with nginx defult config
- logrotate.enable = true;
+ logrotate = {
+ enable = true;
+ paths = {
+ nginx = {
+ path = "/var/log/nginx/*.log";
+ user = config.services.nginx.user;
+ group = config.services.nginx.group;
+ keep = 7;
+ extraConfig = ''
+ compress
+ '';
+ };
+ };
+ };
fail2ban.enable = true;
fstrim.enable = true;
+ syncthing = {
+ enable = true;
+ dataDir = "/var/lib/syncthing";
+ openDefaultPorts = true;
+ };
+
nfs.server = {
enable = true;
exports = ''
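Review bot: `secure_ip = ["0.0.0.0/0"]` in the rspamd controller config makes every IPv4 client a trusted one, so the controller's own password check never applies. Access control then rests entirely on the nginx-sso vhost for `rspamd.nyanlout.re` in web.nix, and on the controller being reachable no other way than the unix socket that vhost proxies. If that is the design, record it next to the setting, e.g. `# controller only reachable via /run/rspamd/worker-controller.sock behind nginx-sso`; otherwise narrow the list to the proxy's address. The same hunk sets `syncthing.openDefaultPorts = true`, which opens Syncthing's ports in the firewall, so confirm that exposure is wanted on this host.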
@@ -114,32 +137,24 @@ in
"/var/lib/gitea"
"/var/lib/grafana"
"/var/lib/jackett"
- "/mnt/borgsnap/postgresql"
+ "/var/lib/matrix-synapse"
+ "/var/lib/postgresql/.zfs/snapshot/borgsnap"
"/var/lib/radarr"
"/var/lib/sonarr"
"/var/lib/transmission"
- "/var/lib/airsonic"
- "/var/lib/hass"
- "/var/lib/opendkim"
- "/var/lib/slimserver"
- "/var/lib/watcharr"
- "/var/lib/nextcloud"
+ "/mnt/medias/musique"
+ "/mnt/medias/torrent/lidarr"
+ "/mnt/medias/torrent/musique"
"/mnt/paul-home/paul"
"/var/sieve"
"/var/vmail"
- "/mnt/backup_loutre/amandoleen"
- "/mnt/secrets"
- "/mnt/medias/musique/musiclibrary.blb"
];
exclude = [
"/var/lib/radarr/.config/Radarr/radarr.db-wal"
"/var/lib/radarr/.config/Radarr/radarr.db-shm"
- "/mnt/paul-home/paul/.cache"
];
repo = "ssh://u306925@u306925.your-storagebox.de:23/./loutreos";
- environment = {
- BORG_RSH = "ssh -i /mnt/secrets/hetzner_ssh_key";
- };
+ environment = { BORG_RSH = "ssh -i /mnt/secrets/hetzner_ssh_key"; };
encryption = {
mode = "repokey-blake2";
passCommand = "cat /mnt/secrets/borgbackup_loutre_encryption_pass";
@@ -150,136 +165,106 @@ in
weekly = 4;
monthly = 12;
};
- preHook = ''
- ${pkgs.zfs}/bin/zfs snapshot loutrepool/var/postgresql@borgsnap
- mkdir -p /mnt/borgsnap/postgresql
- ${config.security.wrapperDir}/mount -t zfs loutrepool/var/postgresql@borgsnap /mnt/borgsnap/postgresql
- '';
+ preHook = "${pkgs.zfs}/bin/zfs snapshot loutrepool/var/postgresql@borgsnap";
readWritePaths = [ "/var/lib/postfix/queue/maildrop" ];
postHook = ''
- ${config.security.wrapperDir}/umount /mnt/borgsnap/postgresql
${pkgs.zfs}/bin/zfs destroy loutrepool/var/postgresql@borgsnap
+ if [[ $exitStatus == 0 ]]; then
+ ${pkgs.rclone}/bin/rclone --config /mnt/secrets/rclone_loutre.conf sync -v $BORG_REPO BackupStorage:default
+ else
+ ${backup_mail_alert}/bin/mail.sh
+ fi
'';
};
};
borgbackup.repos = {
diskstation = {
- authorizedKeys = [
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDllbxON66dBju7sMnhX8/E0VRo3+PDYvDsHP0/FK+h8JHol4+pouLmI7KIDKYOJmSuom283OqnyZOMqk+RShTwWIFm9hOd2R9aj45Zrd9jPW2APOCec/Epgogj0bwBnc0l2v6qxkxaBMgL5DnAQ+E00uvL1UQpK8c8j4GGiPlkWJD6Kf+pxmnfH1TIm+J2XCwl0oeCkSK/Frd8eM+wCraMSzoaGiEcfMz2jK8hxDWjDxX7epU0ELF22BVCuyN8cYRoFTnV88E38PlaqsOqD5ePkxk425gDh7j/C06f8QKgnasVH2diixo92kYSd7i/RmfeXDDwAD5xqUvODczEuIdt root@DiskStation"
- ];
+ authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDllbxON66dBju7sMnhX8/E0VRo3+PDYvDsHP0/FK+h8JHol4+pouLmI7KIDKYOJmSuom283OqnyZOMqk+RShTwWIFm9hOd2R9aj45Zrd9jPW2APOCec/Epgogj0bwBnc0l2v6qxkxaBMgL5DnAQ+E00uvL1UQpK8c8j4GGiPlkWJD6Kf+pxmnfH1TIm+J2XCwl0oeCkSK/Frd8eM+wCraMSzoaGiEcfMz2jK8hxDWjDxX7epU0ELF22BVCuyN8cYRoFTnV88E38PlaqsOqD5ePkxk425gDh7j/C06f8QKgnasVH2diixo92kYSd7i/RmfeXDDwAD5xqUvODczEuIdt root@DiskStation" ];
path = "/mnt/backup_loutre/diskstation_borg";
user = "synology";
};
minecraft-rezome = {
- authorizedKeys = [
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc1nGsSesW96k0DPMSt/chjvCrYmfgPgHG1hdUYB5x0pZPdOJaVRIlETWdoFlO+ViviC518B3TF7Qc3oJXPZMchJQl684Nukbc312juf+j9z/KT3dqD8YvKX6o5ynx1Dyq52ftrfkBAEAvzE0OfRljUPbwGBOM0dGRD4R1jbiHquTXpITlbgGTZymbwr4Jr9W9atgf5kHMiX7xOqMZcasDtUE8g+AG4ysHdpjOrBOUM9QeRbVP1bxEFP8xjqOOoET5tbkwektP4B2jaf+EHBPUy2lkwjVEKT6MaSlkJx/wMvUWp25kG9mrXgwUw1bgfOeZIsK6ztcki3l92BJQD9ip shame@minecraft.rezom.eu"
- ];
+ authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc1nGsSesW96k0DPMSt/chjvCrYmfgPgHG1hdUYB5x0pZPdOJaVRIlETWdoFlO+ViviC518B3TF7Qc3oJXPZMchJQl684Nukbc312juf+j9z/KT3dqD8YvKX6o5ynx1Dyq52ftrfkBAEAvzE0OfRljUPbwGBOM0dGRD4R1jbiHquTXpITlbgGTZymbwr4Jr9W9atgf5kHMiX7xOqMZcasDtUE8g+AG4ysHdpjOrBOUM9QeRbVP1bxEFP8xjqOOoET5tbkwektP4B2jaf+EHBPUy2lkwjVEKT6MaSlkJx/wMvUWp25kG9mrXgwUw1bgfOeZIsK6ztcki3l92BJQD9ip shame@minecraft.rezom.eu" ];
path = "/mnt/backup_loutre/minecraft_rezome";
user = "rezome";
};
};
+ sdtdserver.enable = false;
+
+ factorio = {
+ enable = false;
+ autosave-interval = 10;
+ game-name = "Shame";
+ public = true;
+ username = "nyanloutre";
+ };
+
+ minecraft-server = {
+ enable = false;
+ jvmOpts = "-Xms512m -Xmx3072m";
+ eula = true;
+ declarative = true;
+ openFirewall = true;
+ whitelist = {
+ nyanloutre = "db0669ea-e332-4ca3-8d50-f5d1458f5822";
+ Hautension = "f05677f4-be5a-47df-ad77-21c739180aa2";
+ LordDarkKiwi = "79290cfc-0b00-484f-9c94-ab0786402de6";
+ Madahin = "f5f747e3-fac2-43e8-9b9b-a67dc2f368ff";
+ Hopegcx = "4497f759-2210-48db-8764-307d33011442";
+ wyrd68 = "127a3021-cdc1-419f-9010-4651df9ae3af";
+ sparsyateloutre = "d2ff63c1-4e9f-4b21-9bfc-decce5d987b3";
+ };
+ serverProperties = {
+ difficulty = 2;
+ gamemode = 0;
+ max-players = 50;
+ motd = "Hi Mark !";
+ white-list = true;
+ };
+ };
+
kresd = {
enable = true;
};
- mosquitto = {
- enable = true;
- listeners = [
- {
- acl = [ "pattern readwrite #" ];
- omitPasswordAuth = true;
- address = "127.0.0.1";
- settings.allow_anonymous = true;
- }
- ];
- };
-
- zigbee2mqtt = {
- enable = true;
- package = pkgs.zigbee2mqtt_2;
- settings = {
- homeassistant.enabled = config.services.home-assistant.enable;
- serial = {
- port = "/dev/serial/by-id/usb-Texas_Instruments_TI_CC2531_USB_CDC___0X00124B0014D97058-if00";
- adapter = "zstack";
- };
- mqtt = {
- server = "mqtt://${(head config.services.mosquitto.listeners).address}:${toString (head config.services.mosquitto.listeners).port}";
- };
- frontend = {
- port = 8080;
- host = "127.0.0.1";
- url = "https://zigbee.nyanlout.re";
- };
- groups = {
- "101" = {
- friendly_name = "salon";
- devices = [
- "0x94deb8fffe760f3d"
- ];
- };
- "102" = {
- friendly_name = "cuisine";
- devices = [
- "0x003c84fffe6d9ee6"
- ];
- };
- "103" = {
- friendly_name = "entrée";
- devices = [
- "0x84ba20fffe5ec243"
- ];
- };
- "104" = {
- friendly_name = "tout";
- devices = [
- "0x94deb8fffe760f3d"
- "0x003c84fffe6d9ee6"
- "0x84ba20fffe5ec243"
- ];
- };
- "107" = {
- friendly_name = "chambre";
- devices = [
- "0x84ba20fffe5eb120"
- ];
- };
- };
- };
- };
-
home-assistant = {
enable = true;
- extraComponents = [
- # Components required to complete the onboarding
- "met"
- "radio_browser"
- ];
config = {
- default_config = { };
homeassistant = {
- country = "FR";
- latitude = 48.60038;
- longitude = 7.74063;
- elevation = 146;
+ elevation = 143;
};
- meteo_france = null;
+ influxdb = null;
+ config = null;
+ dhcp = null;
+ frontend = null;
+ history = null;
http = {
use_x_forwarded_for = true;
trusted_proxies = [ "127.0.0.1" ];
};
- mqtt = null;
+ logbook = null;
+ map = null;
+ mobile_app = null;
+ person = null;
+ script = null;
+ sun = null;
+ system_health = null;
+ yeelight.devices = {
+ "10.40.249.0".name = "Chambre";
+ "10.40.249.1".name = "Bureau";
+ "10.40.249.2".name = "Cuisine";
+ };
+ zha = null;
esphome = null;
light = [
{
platform = "group";
name = "Salon";
entities = [
- "light.salon_light"
- "light.cuisine_light"
- "light.entree_light"
+ "light.bureau"
+ "light.cuisine"
];
}
];
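Review bot: In the new `postHook` a failed `rclone sync` goes unreported, because `mail.sh` runs only in the `else` branch for a non-zero borg `exitStatus`; the off-site copy can stop updating without anyone noticing. Appending `|| ${backup_mail_alert}/bin/mail.sh` to the rclone line would cover that case, and `"$BORG_REPO"` should be quoted. It is also worth checking that rclone accepts the `ssh://…` value of `$BORG_REPO` as a source, since that is borg's URL syntax. Note that `sync` mirrors deletions, so a damaged or emptied primary repository is propagated to `BackupStorage:default`; `rclone copy` or versioning on the destination would keep the second copy independent.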
@@ -289,38 +274,317 @@ in
host = "10.30.0.1";
}
];
- };
- };
+ tplink.switch = [
+ { host = "10.30.50.7"; }
+ ];
+ sensor = [
+ {
+ platform = "template";
+ sensors = {
+ serveur_amps = {
+ friendly_name_template = "{{ states.switch.serveur.name}} Current";
+ value_template = ''{{ states.switch.serveur.attributes["current_a"] | float }}'';
+ unit_of_measurement = "A";
+ };
+ serveur_watts = {
+ friendly_name_template = "{{ states.switch.serveur.name}} Current Consumption";
+ value_template = ''{{ states.switch.serveur.attributes["current_power_w"] | float }}'';
+ unit_of_measurement = "W";
+ };
+ serveur_total_kwh = {
+ friendly_name_template = "{{ states.switch.serveur.name}} Total Consumption";
+ value_template = ''{{ states.switch.serveur.attributes["total_energy_kwh"] | float }}'';
+ unit_of_measurement = "kWh";
+ };
+ serveur_volts = {
+ friendly_name_template = "{{ states.switch.serveur.name}} Voltage";
+ value_template = ''{{ states.switch.serveur.attributes["voltage"] | float }}'';
+ unit_of_measurement = "V";
+ };
+ serveur_today_kwh = {
+ friendly_name_template = "{{ states.switch.serveur.name}} Today's Consumption";
+ value_template = ''{{ states.switch.serveur.attributes["today_energy_kwh"] | float }}'';
+ unit_of_measurement = "kWh";
+ };
+ };
+ }
+ ];
+ switch = [
+ {
+ platform = "wake_on_lan";
+ name = "PC Fixe";
+ mac = "b4:2e:99:ed:24:26";
+ host = "10.30.135.71";
+ broadcast_address = "10.30.255.255";
+ }
+ ];
+ device_tracker = [
+ {
+ platform = "ping";
+ hosts = { telephone_paul = "10.30.50.2"; };
+ }
+ ];
+ scene = [
+ {
+ name = "Movie";
+ icon = "mdi:movie-open";
+ entities = {
+ "light.salon" = {
+ state = "on";
+ xy_color = [0.299 0.115];
+ brightness = 50;
+ };
+ "light.bande_led_tv" = {
+ state = "on";
+ effect = "Movie";
+ brightness = 180;
+ };
+ "light.bande_led_bureau" = {
+ state = "on";
+ xy_color = [0.299 0.115];
+ brightness = 130;
+ };
+ };
+ }
+ {
+ name = "Home";
+ icon = "mdi:home";
+ entities = {
+ "light.salon" = {
+ state = "on";
+ kelvin = 2700;
+ brightness = 255;
+ };
+ };
+ }
+ {
+ name = "Night";
+ icon = "mdi:weather-night";
+ entities = {
+ "light.salon" = {
+ state = "off";
+ };
+ "light.bande_led_tv" = {
+ state = "off";
+ };
+ "light.bande_led_bureau" = {
+ state = "off";
+ };
+ "light.chambre" = {
+ state = "on";
+ kelvin = 1900;
+ brightness = 50;
+ };
+ };
+ }
+ ];
+ automation = let
+ min_sun_elevation = 4;
- photoprism = {
- enable = true;
- originalsPath = "/mnt/backup_loutre/amandoleen/d/Users/Amand/Pictures";
- passwordFile = "/mnt/secrets/photoprism_pass";
- settings = {
- PHOTOPRISM_READONLY = "1";
- PHOTOPRISM_DETECT_NSFW = "1";
- PHOTOPRISM_SITE_URL = "https://photo.nyanlout.re/";
- };
- };
- };
+ switch_chambre = {
+ domain = "zha";
+ platform = "device";
+ device_id = "3329ecdcad244e5e8fc0f4b96d52ffe1";
+ };
- systemd = {
- timers."lg-devmode-reset" = {
- wantedBy = [ "timers.target" ];
- timerConfig = {
- OnBootSec = "5m";
- OnUnitActiveSec = "1w";
- };
- };
- services = {
- "borgbackup-job-loutre".serviceConfig.TemporaryFileSystem = [ "/mnt/borgsnap" ];
- "lg-devmode-reset" = {
- script = ''
- ${pkgs.curl}/bin/curl https://developer.lge.com/secure/ResetDevModeSession.dev\?sessionToken\=9f94269da0dc14fd924b65d8dca28b076f931ad1ca04fe7a09ac78cdb0e22cb4
- '';
- serviceConfig = {
- Type = "oneshot";
- };
+ switch_entree = {
+ domain = "zha";
+ platform = "device";
+ device_id = "7cd814190ec543dba76a7aa7e7996c41";
+ };
+
+ remote = {
+ domain = "zha";
+ platform = "device";
+ device_id = "d1230b76264e483388a8fdaad4f44143";
+ };
+ in [
+ # ENTREE
+
+ {
+ alias = "Aziz lumière";
+ trigger = [
+ {
+ platform = "numeric_state";
+ entity_id = "sun.sun";
+ value_template = "{{ state.attributes.elevation }}";
+ below = min_sun_elevation;
+ }
+ ];
+ condition = [
+ {
+ condition = "state";
+ entity_id = "person.paul";
+ state = "home";
+ }
+ # Sun below max elevation
+ {
+ condition = "template";
+ value_template = "{{ state_attr('sun.sun', 'elevation') < ${toString min_sun_elevation} }}";
+ }
+ ];
+ action = {
+ scene = "scene.home";
+ };
+ }
+ {
+ alias = "Aziz lumière switch";
+ trigger = {
+ type = "remote_button_short_press";
+ subtype = "turn_on";
+ } // switch_entree;
+ action = {
+ scene = "scene.home";
+ };
+ }
+ {
+ alias = "Adios";
+ trigger = [
+ {
+ platform = "state";
+ entity_id = "person.paul";
+ to = "not_home";
+ }
+ ({
+ type = "remote_button_short_press";
+ subtype = "turn_off";
+ } // switch_entree)
+ ];
+ action = [
+ {
+ service = "light.turn_off";
+ entity_id = "all";
+ }
+ {
+ service = "media_player.turn_off";
+ entity_id = "all";
+ }
+ ];
+ }
+
+ # REMOTE
+
+ {
+ alias = "Button toggle";
+ trigger = {
+ type = "remote_button_short_press";
+ subtype = "turn_on";
+ } // remote;
+ action = {
+ choose = {
+ conditions = {
+ condition = "template";
+ value_template = ''
+ {% set domain = 'light' %}
+ {% set state = 'off' %}
+ {{ states[domain] | count == states[domain] | selectattr('state','eq',state) | list | count }}
+ '';
+ };
+ sequence = {
+ scene = "scene.home";
+ };
+ };
+ default = {
+ service = "light.turn_off";
+ entity_id = "all";
+ };
+ };
+ }
+ {
+ alias = "Button scene movie";
+ trigger = {
+ type = "remote_button_short_press";
+ subtype = "right";
+ } // remote;
+ action = {
+ scene = "scene.movie";
+ };
+ }
+ {
+ alias = "Button scene home";
+ trigger = {
+ type = "remote_button_short_press";
+ subtype = "left";
+ } // remote;
+ action = {
+ scene = "scene.home";
+ };
+ }
+ {
+ alias = "Button light up";
+ trigger = {
+ type = "remote_button_short_press";
+ subtype = "dim_up";
+ } // remote;
+ action = {
+ service = "light.turn_on";
+ entity_id = "light.salon";
+ data = {
+ brightness_step = 25;
+ };
+ };
+ }
+ {
+ alias = "Button light down";
+ trigger = {
+ type = "remote_button_short_press";
+ subtype = "dim_down";
+ } // remote;
+ action = {
+ service = "light.turn_on";
+ entity_id = "light.salon";
+ data = {
+ brightness_step = -25;
+ };
+ };
+ }
+
+ # CHAMBRE
+
+ {
+ alias = "Button scene night";
+ trigger = {
+ type = "remote_button_short_press";
+ subtype = "turn_on";
+ } // switch_chambre;
+ action = {
+ scene = "scene.night";
+ };
+ }
+ {
+ alias = "Button scene dodo";
+ trigger = {
+ type = "remote_button_short_press";
+ subtype = "turn_off";
+ } // switch_chambre;
+ action = {
+ service = "light.turn_off";
+ entity_id = "all";
+ };
+ }
+ {
+ alias = "Button scene lumière chambre ON";
+ trigger = {
+ type = "remote_button_long_press";
+ subtype = "dim_up";
+ } // switch_chambre;
+ action = {
+ service = "light.turn_on";
+ entity_id = "light.chambre";
+ };
+ }
+ {
+ alias = "Button scene lumière chambre OFF";
+ trigger = {
+ type = "remote_button_long_press";
+ subtype = "dim_down";
+ } // switch_chambre;
+ action = {
+ service = "light.turn_off";
+ entity_id = "light.chambre";
+ };
+ }
+ ];
};
};
};
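Review bot: The five template sensors read `states.switch.serveur.attributes[...]` directly, which produces a template error whenever `switch.serveur` is missing or not yet loaded, for example at startup. Home Assistant's templating guidance is to use the helper instead, e.g. `value_template = "{{ state_attr('switch.serveur', 'current_a') | float }}";`, and likewise for the other four attributes. The "Aziz lumière" automation in this hunk already uses `state_attr('sun.sun', 'elevation')` in its condition, so the change would also make the file consistent.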
@@ -329,27 +593,86 @@ in
ipmihddtemp.enable = true;
+ # systemd.services.minecraft-overviewer =
+ # let
+ # clientJar = pkgs.fetchurl {
+ # url = "https://overviewer.org/textures/1.14";
+ # sha256 = "0fij9wac7vj6h0kd3mfhqpn0w9gl8pbs9vs9s085zajm0szpr44k";
+ # name = "client.jar";
+ # };
+ # configFile = pkgs.runCommand "overviewer-config" { CLIENT_JAR = clientJar; } ''
+ # substitute ${./config-overviewer.py} $out \
+ # --subst-var CLIENT_JAR
+ # '';
+ # in
+ # {
+ # script = ''
+ # ${pkgs.minecraft-overviewer}/bin/overviewer.py --config ${configFile}
+ # ${pkgs.minecraft-overviewer}/bin/overviewer.py --config ${configFile} --genpoi
+ # rm /var/www/minecraft-overviewer/progress.json
+ # '';
+ # serviceConfig = {
+ # User = "nginx";
+ # Group = "nginx";
+ # };
+ # };
+
+ # systemd.timers.minecraft-overviewer = {
+ # wantedBy = [ "multi-user.target" ];
+ # timerConfig = {
+ # OnCalendar = "*-*-* 04:00:00";
+ # };
+ # };
+
+ # systemd.packages = with pkgs; [
+ # tgt
+ # ];
+
+ # environment.etc."tgt/targets.conf".text = ''
+ #
+ # backing-store /dev/zvol/loutrepool/steam-lun
+ # initiator-address 10.30.50.3
+ #
+ # '';
+
users.groups.nginx.members = [ "matrix-synapse" ];
- security.pam.services.sshd.text = pkgs.lib.mkDefault (
- pkgs.lib.mkAfter "session optional ${pkgs.pam}/lib/security/pam_exec.so seteuid ${login_mail_alert}/bin/mail_alert.sh"
- );
+ security.pam.services.sshd.text = pkgs.lib.mkDefault( pkgs.lib.mkAfter "session optional ${pkgs.pam}/lib/security/pam_exec.so seteuid ${login_mail_alert}/bin/mail_alert.sh" );
networking = {
+ wireguard.interfaces = {
+ wg0 = {
+ ips = [ "192.168.20.1/24" ];
+ privateKeyFile = "/mnt/secrets/wireguard/wg0.privatekey";
+ listenPort = 51820;
+ allowedIPsAsRoutes = true;
+ peers = [
+ {
+ allowedIPs = [ "192.168.20.2/32" ];
+ publicKey = "b/SXiqo+GPdNOc54lyEVeUBc6B5AbVMKh+g5EZPGzlE=";
+ }
+ ];
+ };
+ };
+
+ nat.internalInterfaces = [ "wg0" ];
+ nat.internalIPs = [ "192.168.20.0/24" ];
+
firewall.interfaces.eno2.allowedTCPPorts = [
3260
];
firewall.allowedTCPPorts = [
- 20
- 21 # FTP
+ 8448 # Matrix federation
+ 20 21 # FTP
];
firewall.allowedTCPPortRanges = [
- {
- from = 64000;
- to = 65535;
- } # FTP
+ { from = 64000; to = 65535; } # FTP
+ ];
+
+ firewall.allowedUDPPorts = [
+ config.networking.wireguard.interfaces.wg0.listenPort
];
};
}
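Review bot: The tgt iSCSI target and the minecraft-overviewer units are added only as commented-out blocks, while `firewall.interfaces.eno2.allowedTCPPorts` in the same hunk still opens 3260 on eno2. If no iSCSI target is configured elsewhere, drop that port from the list until tgt is re-enabled. Otherwise a one-line comment such as `# 3260: iSCSI (tgt), configured in <module>` would record why it stays open. Disabled configuration is better kept in version-control history than as some forty comment lines in the live file.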
diff --git a/systems/LoutreOS/users.nix b/systems/LoutreOS/users.nix
index c8372e7..3bac8e3 100644
--- a/systems/LoutreOS/users.nix
+++ b/systems/LoutreOS/users.nix
@@ -1,9 +1,4 @@
-{
- lib,
- config,
- pkgs,
- ...
-}:
+{ lib, config, pkgs, ... }:
{
users.users = {
@@ -11,19 +6,14 @@
uid = 1000;
isNormalUser = true;
description = "Paul TREHIOU";
- extraGroups = [
- "wheel"
- "medias"
- "transmission"
- "podman"
- ];
+ extraGroups = [ "wheel" "medias" "transmission" ];
openssh.authorizedKeys.keys = [
"ssh-rsa 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 openpgp:0xAB524BBC"
"ssh-rsa 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 paul@nyanlout.re"
"ssh-rsa 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 openpgp:0x75EE3375"
];
};
-
+
victor = {
uid = 1111;
isNormalUser = true;
@@ -66,12 +56,6 @@
users.extraGroups.medias = {
gid = 498;
- members = [
- "slimserver"
- "radarr"
- "sonarr"
- "jellyfin"
- "transmission"
- ];
+ members = [ "slimserver" "radarr" "sonarr" "jellyfin" "transmission" ];
};
}
diff --git a/systems/LoutreOS/web.nix b/systems/LoutreOS/web.nix
index adeb85e..8055900 100644
--- a/systems/LoutreOS/web.nix
+++ b/systems/LoutreOS/web.nix
@@ -1,9 +1,4 @@
-{
- config,
- lib,
- pkgs,
- ...
-}:
+{ config, lib, pkgs, ... }:
with lib;
@@ -20,7 +15,7 @@ let
internal;
# Access /auth endpoint to query login state
- proxy_pass http://127.0.0.1:${toString (config.services.nginx.sso.configuration.listen.port)}/auth;
+ proxy_pass http://127.0.0.1:${toString(config.services.nginx.sso.configuration.listen.port)}/auth;
# Do not forward the request body (nginx-sso does not care about it)
proxy_pass_request_body off;
@@ -49,18 +44,19 @@ let
in
{
security.acme = {
- defaults = {
- email = "paul@nyanlout.re";
- # Use european ACME service
- server = "https://api.buypass.com/acme/directory";
- };
+ email = "paul@nyanlout.re";
acceptTerms = true;
};
users.groups = {
- webdav = { };
+ work = {};
+ webdav = {};
};
users.users = {
+ work = {
+ isSystemUser = true;
+ group = config.users.groups.work.name;
+ };
webdav = {
isSystemUser = true;
group = config.users.groups.webdav.name;
@@ -69,6 +65,19 @@ in
services = {
phpfpm.pools = {
+ work = {
+ user = config.users.users.work.name;
+ phpPackage = pkgs.php.withExtensions ({ all, ... }: with all; [ redis filter ]);
+ settings = {
+ "listen.owner" = config.services.nginx.user;
+ "pm" = "dynamic";
+ "pm.max_children" = 75;
+ "pm.start_servers" = 10;
+ "pm.min_spare_servers" = 5;
+ "pm.max_spare_servers" = 20;
+ "pm.max_requests" = 500;
+ };
+ };
drive = {
user = config.users.users.webdav.name;
settings = {
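Review bot: The new `work` PHP-FPM pool starts with `pm.start_servers = 10` and allows up to 75 children, but the only vhost that references `config.services.phpfpm.pools.work.socket` (`work.rezom.eu`, in a later hunk of this file) is commented out. As far as this diff shows, the pool, its `work` user and the `phpfpm-work` unit then run with nothing routed to them. Either gate them behind the same switch as the vhost or add a comment such as `# pool kept for work.rezom.eu, currently disabled`. The `drive` pool's `settings` set continues outside this hunk.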
@@ -88,10 +97,7 @@ in
nginx = {
enable = true;
package = pkgs.nginx.override {
- modules = with pkgs.nginxModules; [
- dav
- moreheaders
- ];
+ modules = with pkgs.nginxModules; [ dav moreheaders ];
};
recommendedGzipSettings = true;
recommendedOptimisation = true;
@@ -123,12 +129,7 @@ in
};
audit_log = {
targets = [ "fd://stdout" ];
- events = [
- "access_denied"
- "login_success"
- "login_failure"
- "logout"
- ];
+ events = [ "access_denied" "login_success" "login_failure" "logout" ];
};
providers.simple = {
enable_basic_auth = true;
@@ -142,270 +143,188 @@ in
acl = {
rule_sets = [
{
- rules = [
- {
- field = "x-host";
- regexp = ".*";
- }
- ];
+ rules = [ { field = "x-host"; regexp = ".*"; } ];
allow = [ "@admins" ];
}
];
};
};
};
- virtualHosts =
- let
- base = locations: {
- locations = locations // {
- "@maintenance" = {
- root = "/var/www/errorpages/";
- extraConfig = ''
- rewrite ^(.*)$ /50x.html break;
- '';
- };
- };
- forceSSL = true;
- enableACME = true;
- extraConfig = ''
- error_page 500 502 503 504 = @maintenance;
- '';
- };
- simpleReverse =
- rport:
- base {
- "/" = {
- proxyPass = "http://127.0.0.1:${toString (rport)}/";
- };
- };
- authReverse =
- rport:
- zipAttrsWith (name: vs: if name == "extraConfig" then (concatStrings vs) else elemAt vs 0) [
- (base {
- "/" = {
- proxyPass = "http://127.0.0.1:${toString (rport)}/";
- extraConfig = ''
- auth_request_set $cookie $upstream_http_set_cookie;
- auth_request_set $username $upstream_http_x_username;
- proxy_set_header X-WEBAUTH-USER $username;
- add_header Set-Cookie $cookie;
- '';
- };
- })
- {
- extraConfig = ''
- include ${nginxSsoAuth};
- '';
- }
- ];
- in
- {
- "nyanlout.re" =
- base {
- "/" = {
- alias = "/var/www/site-perso/";
- };
- "/maintenance/" = {
- alias = "/var/www/errorpages/";
- };
- "/.well-known/openpgpkey/" = {
- alias = "/var/lib/gnupg/wks/nyanlout.re";
- extraConfig = ''
- add_header Access-Control-Allow-Origin * always;
- '';
- };
- }
- // {
- default = true;
- };
- "musique-meyenheim.fr" = base {
- "/" = {
- proxyPass = "http://unix:/run/site-musique.sock";
- };
- "/static/" = {
- alias = "/var/www/site-musique/staticfiles/";
- };
- "/media/" = {
- alias = "/var/www/site-musique/media/";
+ virtualHosts = let
+ base = locations: {
+ locations = locations // {
+ "@maintenance" = {
+ root = "/var/www/errorpages/";
+ extraConfig = ''
+ rewrite ^(.*)$ /50x.html break;
+ '';
};
};
- "www.musique-meyenheim.fr" = {
- enableACME = true;
- forceSSL = true;
- globalRedirect = "musique-meyenheim.fr";
- };
- "login.nyanlout.re" = simpleReverse config.services.nginx.sso.configuration.listen.port;
- "grafana.nyanlout.re" = authReverse config.services.grafana.settings.server.http_port;
- "transmission.nyanlout.re" = authReverse config.services.transmission.settings.rpc-port;
- "radarr.nyanlout.re" = authReverse 7878;
- "sonarr.nyanlout.re" = authReverse 8989;
- "syncthing.nyanlout.re" = authReverse 8384;
- "prowlarr.nyanlout.re" = authReverse 9696;
- "watcharr.nyanlout.re" = simpleReverse 3080;
- "emby.nyanlout.re" = recursiveUpdate (simpleReverse 8096) {
- locations."/" = {
- proxyWebsockets = true;
- };
- };
- "gitea.nyanlout.re" = simpleReverse config.services.forgejo.settings.server.HTTP_PORT;
- "photo.nyanlout.re" = recursiveUpdate (simpleReverse config.services.photoprism.port) {
- locations."/" = {
- proxyWebsockets = true;
- };
- };
- "zigbee.nyanlout.re" =
- recursiveUpdate (authReverse config.services.zigbee2mqtt.settings.frontend.port)
- {
- locations."/" = {
- proxyWebsockets = true;
- };
- };
- "apart.nyanlout.re" =
- recursiveUpdate (simpleReverse config.services.home-assistant.config.http.server_port)
- {
- locations."/" = {
- proxyWebsockets = true;
- };
- };
- "drive.nyanlout.re" =
- base {
- "/" = {
- extraConfig = ''
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- fastcgi_pass unix:${config.services.phpfpm.pools.drive.socket};
- include ${pkgs.nginx}/conf/fastcgi_params;
- include ${pkgs.nginx}/conf/fastcgi.conf;
- fastcgi_param SCRIPT_FILENAME $document_root/index.php;
- fastcgi_intercept_errors on;
- fastcgi_buffers 64 4K;
- client_body_temp_path /mnt/webdav/tmp_upload;
- client_max_body_size 0;
- proxy_request_buffering off;
- '';
- };
- }
- // {
- root = "/mnt/webdav";
- };
- "rspamd.nyanlout.re" =
- zipAttrsWith (name: vs: if name == "extraConfig" then (concatStrings vs) else elemAt vs 0)
- [
- (base {
- "/" = {
- proxyPass = "http://unix:/run/rspamd/worker-controller.sock";
- extraConfig = ''
- auth_request_set $cookie $upstream_http_set_cookie;
- add_header Set-Cookie $cookie;
- '';
- };
- })
- {
- extraConfig = ''
- include ${nginxSsoAuth};
- '';
- }
- ];
- "designyourfuture.amandoline-creations.fr" = base {
- "/".alias = "/var/www/amandoline-designyourfuture/";
- };
- "amandoline-creations.fr" = base {
- "/".alias = "/var/www/amandoline-portfolio/";
- };
- "www.amandoline-creations.fr" = {
- enableACME = true;
- forceSSL = true;
- globalRedirect = "amandoline-creations.fr";
- };
- "challenge.amandoline-creations.fr" = base {
- "/".alias = "/var/www/amandoline-challenge/";
- };
- ${config.services.nextcloud.hostName} = {
- forceSSL = true;
- enableACME = true;
+ forceSSL = true;
+ enableACME = true;
+ extraConfig = ''
+ error_page 500 502 503 504 = @maintenance;
+ '';
+ };
+ simpleReverse = rport: base {
+ "/" = {
+ proxyPass = "http://127.0.0.1:${toString(rport)}/";
};
};
+ authReverse = rport: zipAttrsWith (name: vs: if name == "extraConfig" then (concatStrings vs) else elemAt vs 0) [
+ (base {
+ "/" = {
+ proxyPass = "http://127.0.0.1:${toString(rport)}/";
+ extraConfig = ''
+ auth_request_set $cookie $upstream_http_set_cookie;
+ add_header Set-Cookie $cookie;
+ '';
+ };
+ })
+ {
+ extraConfig = ''
+ include ${nginxSsoAuth};
+ '';
+ }
+ ];
+ in {
+ "nyanlout.re" = base {
+ "/" = {
+ alias = "/var/www/site-perso/";
+ };
+ "/maintenance/" = {
+ alias = "/var/www/errorpages/";
+ };
+ "/.well-known/openpgpkey/" = {
+ alias = "/var/lib/gnupg/wks/nyanlout.re";
+ extraConfig = ''
+ add_header Access-Control-Allow-Origin * always;
+ '';
+ };
+ } // { default = true; };
+ "riot.nyanlout.re" = base { "/" = { root = pkgs.element-web; }; };
+ "factorio.nyanlout.re" = base { "/" = { root = "/var/www/factorio"; }; };
+ "minecraft.nyanlout.re" = base { "/" = { root = "/var/www/minecraft-overviewer"; }; };
+ "musique-meyenheim.fr" = base {
+ "/" = {
+ proxyPass = "http://unix:/run/site-musique.sock";
+ };
+ "/static/" = {
+ alias = "/var/www/site-musique/staticfiles/";
+ };
+ "/media/" = {
+ alias = "/var/www/site-musique/media/";
+ };
+ };
+ "maxspiegel.fr" = base { "/" = { root = "/run/python-ci/nyanloutre/site-max"; }; };
+ "stream.nyanlout.re" = base {
+ "/" = {
+ proxyPass = "http://10.30.135.71";
+ };
+ };
+ "login.nyanlout.re" = simpleReverse config.services.nginx.sso.configuration.listen.port;
+ "grafana.nyanlout.re" = authReverse config.services.grafana.port;
+ "transmission.nyanlout.re" = authReverse config.services.transmission.settings.rpc-port;
+ "radarr.nyanlout.re" = authReverse 7878;
+ "sonarr.nyanlout.re" = authReverse 8989;
+ "syncthing.nyanlout.re" = authReverse 8384;
+ "jackett.nyanlout.re" = authReverse 9117;
+ "matrix.nyanlout.re" = simpleReverse 8008;
+ "emby.nyanlout.re" = recursiveUpdate (simpleReverse 8096) {
+ locations."/" = {
+ proxyWebsockets = true;
+ };
+ };
+ "ci.nyanlout.re" = simpleReverse 52350;
+ "gitea.nyanlout.re" = simpleReverse config.services.gitea.httpPort;
+ "musique.nyanlout.re" = simpleReverse config.services.navidrome.settings.Port;
+ "apart.nyanlout.re" = recursiveUpdate (simpleReverse config.services.home-assistant.config.http.server_port) {
+ locations."/" = {
+ proxyWebsockets = true;
+ };
+ };
+ # "work.rezom.eu" = base {
+ # "/" = {
+ # index = "/_h5ai/public/index.php";
+ # extraConfig = ''
+ # dav_ext_methods PROPFIND OPTIONS;
+ # '';
+ # };
+ # "~ ^/(_h5ai/public/index|random).php" = {
+ # extraConfig = ''
+ # fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ # fastcgi_pass unix:${config.services.phpfpm.pools.work.socket};
+ # include ${pkgs.nginx}/conf/fastcgi_params;
+ # include ${pkgs.nginx}/conf/fastcgi.conf;
+ # '';
+ # };
+ # } // {
+ # root = "/mnt/medias/iso_linux";
+ # extraConfig = ''
+ # access_log /var/log/nginx/$host.log;
+ # '';
+ # };
+ "drive.nyanlout.re" = base {
+ "/" = {
+ index = "/index.php";
+ extraConfig = ''
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass unix:${config.services.phpfpm.pools.drive.socket};
+ include ${pkgs.nginx}/conf/fastcgi_params;
+ include ${pkgs.nginx}/conf/fastcgi.conf;
+
+ client_max_body_size 0;
+ '';
+ };
+ } // {
+ root = "/mnt/webdav";
+ };
+ "rspamd.nyanlout.re" = zipAttrsWith (name: vs: if name == "extraConfig" then (concatStrings vs) else elemAt vs 0) [
+ (base {
+ "/" = {
+ proxyPass = "http://unix:/run/rspamd/worker-controller.sock";
+ extraConfig = ''
+ auth_request_set $cookie $upstream_http_set_cookie;
+ add_header Set-Cookie $cookie;
+ '';
+ };
+ })
+ {
+ extraConfig = ''
+ include ${nginxSsoAuth};
+ '';
+ }
+ ];
+ };
};
postgresql = {
enable = true;
- package = pkgs.postgresql_14;
settings = {
full_page_writes = false;
};
};
- forgejo = {
+ gitea = {
enable = true;
- package = pkgs.forgejo;
- user = "gitea";
- group = "gitea";
- stateDir = "/var/lib/gitea";
+ cookieSecure = true;
+ httpPort = 3001;
+ rootUrl = "https://gitea.nyanlout.re/";
database = {
type = "postgres";
- user = "gitea";
+ port = 5432;
passwordFile = "/var/lib/gitea/custom/conf/database_password";
- name = "gitea";
};
+ log.level = "Warn";
+ disableRegistration = true;
settings = {
- server = rec {
- HTTP_PORT = 3001;
- DOMAIN = "gitea.nyanlout.re";
- ROOT_URL = "https://${DOMAIN}/";
- };
- log.LEVEL = "Warn";
- service.DISABLE_REGISTRATION = true;
- session.COOKIE_SECURE = true;
- };
- };
-
- nextcloud = {
- enable = true;
- package = pkgs.nextcloud31;
- hostName = "cloud.nyanlout.re";
- database.createLocally = true;
- https = true;
- maxUploadSize = "16G";
- config = {
- dbtype = "pgsql";
- adminpassFile = "$CREDENTIALS_DIRECTORY/nextcloud_admin.pass";
- };
- settings = {
- "preview_max_filesize_image" = "-1";
- "preview_max_memory" = "1024";
- "preview_ffmpeg_path" = "${pkgs.ffmpeg}/bin/ffmpeg";
- "enabledPreviewProviders" = [
- ''OC\Preview\BMP''
- ''OC\Preview\GIF''
- ''OC\Preview\JPEG''
- ''OC\Preview\Krita''
- ''OC\Preview\MarkDown''
- ''OC\Preview\MP3''
- ''OC\Preview\OpenDocument''
- ''OC\Preview\PNG''
- ''OC\Preview\TXT''
- ''OC\Preview\XBitmap''
- ''OC\Preview\Movie''
- ];
- "default_phone_region" = "FR";
- "maintenance_window_start" = "23"; # Start maintenance operations after 23:00 UTC (01:00 CEST)
- };
- autoUpdateApps.enable = true;
- phpOptions = {
- "opcache.interned_strings_buffer" = "23";
+ ui.DEFAULT_THEME = "arc-green";
};
};
+ python-ci.enable = true;
};
- users.users.gitea = {
- home = config.services.forgejo.stateDir;
- useDefaultShell = true;
- group = "gitea";
- isSystemUser = true;
- };
-
- users.groups.gitea = { };
-
systemd.services.nginx.serviceConfig = {
ReadWritePaths = [
"/var/www/hls"
@@ -413,60 +332,42 @@ in
];
};
- systemd.services.phpfpm-drive.serviceConfig = {
+ systemd.services.phpfpm-work.serviceConfig = {
+ ReadOnlyPaths = "/mnt/medias/iso_linux";
ReadWritePaths = [
- "/mnt/webdav"
+ "/mnt/medias/iso_linux/_h5ai"
];
};
- systemd.services.nextcloud-setup.serviceConfig = {
- LoadCredential = "nextcloud_admin.pass:/mnt/secrets/nextcloud_admin.pass";
- };
-
- systemd.services.site-musique =
- let
- djangoEnv = (
- pkgs.python3.withPackages (
- ps: with ps; [
- gunicorn
- django_4
- pillow
- setuptools
- ]
- )
- );
- in
- {
- description = "Site Django de la musique de Meyenheim";
- after = [ "network.target" ];
- requires = [ "site-musique.socket" ];
- preStart = ''
- ${djangoEnv}/bin/python manage.py migrate;
- ${djangoEnv}/bin/python manage.py collectstatic --no-input;
- '';
- environment = {
- DJANGO_SETTINGS_MODULE = "site_musique.settings.prod";
- NGINX_DIRECTORY = "/var/www/site-musique";
- };
- serviceConfig = {
- DynamicUser = true;
- Group = "nginx";
- StateDirectory = "site-musique";
- WorkingDirectory = "/var/www/site-musique/";
- ReadWritePaths = [
- "/var/www/site-musique/staticfiles"
- "/var/www/site-musique/media"
- ];
- EnvironmentFile = "/mnt/secrets/site-musique.env";
- ExecStart = ''
- ${djangoEnv}/bin/gunicorn \
- --access-logfile - \
- --bind unix:/run/site-musique.sock \
- site_musique.wsgi:application
- '';
- PrivateTmp = true;
- };
+ systemd.services.site-musique = let
+ djangoEnv =(pkgs.python3.withPackages (ps: with ps; [ gunicorn django_3 pillow setuptools ]));
+ in {
+ description = "Site Django de la musique de Meyenheim";
+ after = [ "network.target" ];
+ requires = [ "site-musique.socket" ];
+ preStart = ''
+ ${djangoEnv}/bin/python manage.py migrate;
+ ${djangoEnv}/bin/python manage.py collectstatic --no-input;
+ '';
+ environment = {
+ DJANGO_SETTINGS_MODULE = "site_musique.settings.prod";
+ NGINX_DIRECTORY = "/var/www/site-musique";
};
+ serviceConfig = {
+ DynamicUser = true;
+ Group = "nginx";
+ StateDirectory = "site-musique";
+ WorkingDirectory = "/var/www/site-musique/";
+ ReadWritePaths = [ "/var/www/site-musique/staticfiles" "/var/www/site-musique/media" ];
+ EnvironmentFile = "/mnt/secrets/site-musique.env";
+ ExecStart = ''${djangoEnv}/bin/gunicorn \
+ --access-logfile - \
+ --bind unix:/run/site-musique.sock \
+ site_musique.wsgi:application
+ '';
+ PrivateTmp = true;
+ };
+ };
systemd.sockets.site-musique = {
description = "Site Musique socket";
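Review bot: `djangoEnv` on the new side is built from `django_3`, an older major line than the `django_4` it replaces. Confirm that the nixpkgs channel in use still ships security fixes for it, since this application is published through nginx on `musique-meyenheim.fr`. If the older line is kept deliberately, a comment next to the pin, e.g. `# django_3: site_musique not yet ported to a newer Django`, would record why. The `systemd.sockets.site-musique` definition continues outside this hunk.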
diff --git a/systems/PC-Fixe/configuration.nix b/systems/PC-Fixe/configuration.nix
index e1044d8..61304dd 100644
--- a/systems/PC-Fixe/configuration.nix
+++ b/systems/PC-Fixe/configuration.nix
@@ -5,16 +5,14 @@
{ config, pkgs, ... }:
{
- imports = [
- ./hardware-configuration.nix
- ../common-cli.nix
- ../common-gui.nix
- ];
+ imports =
+ [
+ ./hardware-configuration.nix
+ ../common-cli.nix
+ ../common-gui.nix
+ ];
- nix.settings.trusted-users = [
- "root"
- "paul"
- ];
+ nix.trustedUsers = [ "root" "paul" ];
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.grub = {
@@ -28,23 +26,21 @@
"acpi_enforce_resources=lax"
"zfs.zfs_arc_max=2147483648"
];
- boot.tmp.useTmpfs = false;
+ boot.tmpOnTmpfs = false;
boot.supportedFilesystems = [ "zfs" ];
- boot.extraModprobeConfig = ''
- options hid_apple fnmode=2
- '';
-
- zramSwap.enable = true;
+ virtualisation.virtualbox.host.enable = true;
+ # virtualisation.virtualbox.host.enableExtensionPack = true;
+ # virtualisation.anbox.enable = true;
virtualisation.podman.enable = true;
services.zfs = {
trim = {
- enable = false;
+ enable = true;
interval = "monthly";
};
autoScrub = {
- enable = false;
+ enable = true;
interval = "monthly";
};
autoSnapshot = {
@@ -64,7 +60,22 @@
hardware.bluetooth.enable = true;
# Logitech G920
- hardware.usb-modeswitch.enable = true;
+ hardware.usbWwan.enable = true;
+
+ # hardware.pulseaudio.extraConfig = ''
+ # load-module module-null-sink sink_name=mic_denoised_out rate=48000
+ # load-module module-ladspa-sink sink_name=mic_raw_in sink_master=mic_denoised_out label=noise_suppressor_mono plugin=${pkgs.rnnoise-plugin}/lib/ladspa/librnnoise_ladspa.so control=50
+ # load-module module-loopback source=alsa_input.pci-0000_09_00.4.analog-stereo sink=mic_raw_in channels=1 source_dont_move=true sink_dont_move=true
+
+ # load-module module-echo-cancel source_name=hd_mic source_master=mic_denoised_out.monitor sink_master=alsa_output.pci-0000_09_00.4.analog-stereo
+
+ # set-default-source hd_mic
+ # '';
+
+ # hardware.pulseaudio.configFile = pkgs.runCommand "default.pa" {} ''
+ # sed '/module-switch-on-port-available$/d' \
+ # ${pkgs.pulseaudio}/etc/pulse/default.pa > $out
+ # '';
services.udev.packages = with pkgs; [
usb-modeswitch-data # Logitech G920
@@ -74,41 +85,32 @@
ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", MODE="0664", GROUP="dialout"
'';
+ security.pki.certificateFiles = [ ./codemasters.pem ];
+
networking.hostName = "paul-fixe";
networking.hostId = "3a1f739e";
networking.hosts = {
- "10.30.0.1" = [
- "emby.nyanlout.re"
- "nyanlout.re"
- ];
+ "10.30.0.1" = ["emby.nyanlout.re" "nyanlout.re"];
};
environment.systemPackages = with pkgs; [
usb-modeswitch
- esphome
];
- programs = {
- wireshark.enable = true;
- alvr.enable = true;
- };
+ programs.wireshark.enable = true;
+ programs.wireshark.package = pkgs.wireshark;
networking.firewall.enable = false;
- services.displayManager.autoLogin.user = "paul";
+ services.xserver.displayManager.autoLogin = {
+ enable = true;
+ user = "paul";
+ };
users.users.paul = {
isNormalUser = true;
- extraGroups = [
- "wheel"
- "networkmanager"
- "wireshark"
- "input"
- "dialout"
- "libvirtd"
- "vboxusers"
- ];
+ extraGroups = [ "wheel" "networkmanager" "wireshark" "input" "dialout" "libvirtd" "vboxusers" ];
uid = 1000;
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDstFRwMoTEip5IBSYE4dUj3miO0LsKrnUKQJmp7d5QYo3VhXk43jU6VUU0tVAegkzWLlQ3ohoFns+8bZyf7hj7roftrDfoC9bbbx4ihhWrZTlF0gzoH4t52yetFO5eC/tV2sm/zFoa+3IWLokOEFmAoknAVag1MmVLXTQ6WPoTPD4UsX/D3lyE4dbSKxHpMOIjqIdqSEgO0BeTdnHe5afvGXXO1VYTvPsGDHT9w8EHwQV9JXIPn7KVOp3qin7OwvFFrrB3QbiEVTJvGiH2hrfxcARTN/+TxGtf+aOFeuQykURG9Wz/aBK60EWE0wGrzuIymxtNdOR1NhmnNrUZ976Tb9WdR7FC+yM6+/kdfICy+sGQmmn8TLsGvcJTT/pl4Pa9uRAKjRJuLIEgYY6W/ms9lCRyf484yRkDlq+V0BPuN9Jy6Eb7x+tmZNkpEtkqso7wfXD8sf5BIwv2K69SVMpfTswydHGmDwHZ0zaDKGlyCiyJ1QGqUhCTXqtYVq+kQ3AcjKcysMwVEmwx/ySu0XFuV8oUkl9XK/RUoc++sMEd0EbHcn8uwCmBARNX+GLQ03vxwyMW3HyneP8EAxoqtSepZXbTdVP/0i+l7EUUeA7zsaWfU2a82ktZWpVPFGfxkuo0l3zLF19EsXPKZNqlRfkOWjSgp+qWihAkQIQk3GoduQ== openpgp:0x75EE3375"
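Review bot: `security.pki.certificateFiles = [ ./codemasters.pem ];` adds a certificate to the system-wide trust store with no comment recording who issued it or why the host needs it. If the file is a CA certificate, every program that relies on the system bundle will accept whatever it signs, for any hostname. Before merging, check that the certificate is as narrowly scoped as the use case allows. A comment directly above the line would record provenance, for example `# CA for SERVICE-PLACEHOLDER, obtained from SOURCE-PLACEHOLDER, SHA-256 FINGERPRINT-PLACEHOLDER; drop when no longer needed`. The attribute set containing this line opens and closes outside the hunk.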
@@ -116,23 +118,168 @@
];
};
+ services.netdata.enable = true;
+
services.openssh.enable = true;
- services.openssh.settings = {
- PasswordAuthentication = false;
- X11Forwarding = true;
+ services.openssh.passwordAuthentication = false;
+ services.openssh.forwardX11 = true;
+
+ # security.pki.certificates = [
+ # ''
+ # -----BEGIN CERTIFICATE-----
+ # MIIDoTCCAomgAwIBAgIGDorvJrq1MA0GCSqGSIb3DQEBCwUAMCgxEjAQBgNVBAMM
+ # CW1pdG1wcm94eTESMBAGA1UECgwJbWl0bXByb3h5MB4XDTIwMDgzMDE5MjA1NloX
+ # DTIzMDkwMTE5MjA1NlowKDESMBAGA1UEAwwJbWl0bXByb3h5MRIwEAYDVQQKDAlt
+ # aXRtcHJveHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsUHB2if9A
+ # L5ytR9VrZncwDdx3J6ZdA2+wZQe9EjtX5ax1r55bbQBoJmN2HqZCSA3vdvMzr42W
+ # Jx0ksNhNocEGvER2dTUIqkUKeeYQIRCc5CD9T5IpUVVKm3aeJo+FATmuzg4m23MZ
+ # a9Up4nCdUJwufSqzv0ZWvEHERWtRXPYRZ2t+vKqnCS+dOQ3NsGWvC+12i7kNMKyy
+ # 0ylFBY/BZfaH/kMVzUijAnNQPWpW3T/Wqpx7z+IXZ+ccCQ1U1N26FXhSMa/+DenW
+ # fo27QVNOu5cIIpAYmTl6+Oek0XLSH8oFLdjeVtBJuHFA1iAfmqPv4yJDKbSgg/d8
+ # Jb46BE2ZyW6RAgMBAAGjgdAwgc0wDwYDVR0TAQH/BAUwAwEB/zARBglghkgBhvhC
+ # AQEEBAMCAgQweAYDVR0lBHEwbwYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcD
+ # BAYIKwYBBQUHAwgGCisGAQQBgjcCARUGCisGAQQBgjcCARYGCisGAQQBgjcKAwEG
+ # CisGAQQBgjcKAwMGCisGAQQBgjcKAwQGCWCGSAGG+EIEATAOBgNVHQ8BAf8EBAMC
+ # AQYwHQYDVR0OBBYEFEiFqrQtFmTV66rlQ9SCqp7ohrtsMA0GCSqGSIb3DQEBCwUA
+ # A4IBAQBfH5xpxt4mCdnjiISaMeEcKuur2kfVbQEKNceDeKLZJfcwEkMtAr0LeyMV
+ # 1hkExtvyU0JPmgyzU7Le4UHEB8pwyyD3kYx7vBtxjVSXAbK1YKgDllPmXtlJGmA/
+ # SMuxnwkUXwMeZBxmu8LR1SOQiMX+aZvYbQIjigduXOC/ZSHYtJbh+RmrvHFEBu7L
+ # zZx8DzJKOmlfo9gohNIW1ucRM6B4B5yy5plqurGlkFPHlRqGoWkJPI4oB+cobzMh
+ # QidzHgk4Set3bqIuYAsqtHGxdTtnGooagQBUWt0CxmGdmonofzinsAAasKprcBl6
+ # QaNGz7o/LfHprXvCM1mHjbVVbZN2
+ # -----END CERTIFICATE-----
+ # ''
+ # ];
+
+ # services.wakeonlan.interfaces = [ { interface = "eno1"; method = "magicpacket"; } ];
+
+ services.nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ package = pkgs.nginx.override {
+ modules = with pkgs.nginxModules; [ rtmp ];
+ };
+ virtualHosts."stream.nyanlout.re" = {
+ locations."/" = {
+ root = "/var/www/hls/";
+ extraConfig = ''
+ add_header Cache-Control no-cache;
+ add_header Access-Control-Allow-Origin *;
+ '';
+ };
+ default = true;
+ };
+ appendConfig = let
+ rootLocation = config.services.nginx.virtualHosts."stream.nyanlout.re".locations."/".root;
+ in ''
+ rtmp {
+ server {
+ listen 1935;
+
+ application live {
+ live on;
+ interleave on;
+ exec_push ${pkgs.ffmpeg}/bin/ffmpeg -i rtmp://localhost/$app/$name -async 1 -vsync -1
+ -c:v libx264 -c:a aac -b:v 256k -b:a 96k -vf "scale=480:trunc(ow/a/2)*2" -tune zerolatency -preset veryfast -crf 23 -f flv rtmp://localhost/show/$name_low
+ -c:v libx264 -c:a aac -b:v 768k -b:a 96k -vf "scale=720:trunc(ow/a/2)*2" -tune zerolatency -preset veryfast -crf 23 -f flv rtmp://localhost/show/$name_mid
+ -c:v libx264 -c:a aac -b:v 1024k -b:a 128k -vf "scale=960:trunc(ow/a/2)*2" -tune zerolatency -preset veryfast -crf 23 -f flv rtmp://localhost/show/$name_high
+ -c:v libx264 -c:a aac -b:v 1920k -b:a 128k -vf "scale=1280:trunc(ow/a/2)*2" -tune zerolatency -preset veryfast -crf 23 -f flv rtmp://localhost/show/$name_hd720
+ -c copy -f flv rtmp://localhost/show/$name_src 2>>${rootLocation}/ffmpeg-$name.log;
+ }
+
+ application show {
+ live on;
+ hls on;
+
+ hls_path ${rootLocation};
+ hls_fragment 5;
+ hls_playlist_length 10;
+ hls_nested on;
+
+ hls_variant _low BANDWIDTH=352000; # Low bitrate, sub-SD resolution
+ hls_variant _mid BANDWIDTH=448000; # Medium bitrate, SD resolution
+ hls_variant _high BANDWIDTH=1152000; # High bitrate, higher-than-SD resolution
+ hls_variant _hd720 BANDWIDTH=2048000; # High bitrate, HD 720p resolution
+ hls_variant _src BANDWIDTH=8192000; # Source bitrate, source resolution
+ }
+ }
+ }
+ '';
};
services.xserver.deviceSection = ''
Option "metamodes" "DP-4: 3440x1440_144 +0+0 {AllowGSYNCCompatible=On}"
'';
- services.printing.enable = true;
- services.printing.drivers = [ pkgs.hplip ];
-
- systemd.services = {
- zfs-replication.serviceConfig.StateDirectory = "zfs-replication";
+ systemd = let
+ DP4Config = "--output DP-4 --mode 3440x1440 --rate 144";
+ HDMIConfig = "--output HDMI-0 --auto --left-of DP-4";
+ in {
+ services = {
+ wol = {
+ description = "Wake-on-LAN";
+ wantedBy = [ "multi-user.target" ];
+ requires = [ "network.target" ];
+ after = [ "network.target" ];
+ script = ''
+ ${pkgs.ethtool}/sbin/ethtool -s eno1 wol g
+ '';
+ serviceConfig.Type = "oneshot";
+ };
+ nginx.serviceConfig.ReadWritePaths = "/var/www/hls";
+ zfs-replication.serviceConfig.StateDirectory = "zfs-replication";
+ };
+ user.services = {
+ "enableTV" = {
+ description = "Enable TV output";
+ script = ''
+ ${pkgs.xorg.xrandr}/bin/xrandr ${DP4Config} --primary
+ /run/current-system/sw/bin/nvidia-settings --assign CurrentMetaMode="DP-4: 3440x1440_144 { AllowGSYNCCompatible=On }"
+ ${pkgs.xorg.xrandr}/bin/xrandr ${HDMIConfig}
+ ${pkgs.pipewire}/bin/pw-cli s 43 Profile '{ index: 1 }'
+ '';
+ conflicts = ["CSMode.service"];
+ serviceConfig.Type = "oneshot";
+ };
+ "primaryTV" = {
+ description = "Set TV output as primary";
+ script = ''
+ ${pkgs.xorg.xrandr}/bin/xrandr ${DP4Config}
+ /run/current-system/sw/bin/nvidia-settings --assign CurrentMetaMode="DP-4: 3440x1440_144 { AllowGSYNCCompatible=On }"
+ ${pkgs.xorg.xrandr}/bin/xrandr ${HDMIConfig} --primary
+ ${pkgs.pipewire}/bin/pw-cli s 43 Profile '{ index: 1 }'
+ '';
+ conflicts = ["CSMode.service"];
+ serviceConfig.Type = "oneshot";
+ };
+ "FreeSyncMode" = {
+ description = "Enable FreeSync screen only";
+ script = ''
+ ${pkgs.xorg.xrandr}/bin/xrandr ${DP4Config}
+ /run/current-system/sw/bin/nvidia-settings --assign CurrentMetaMode="DP-4: 3440x1440_144 { AllowGSYNCCompatible=On }"
+ ${pkgs.xorg.xrandr}/bin/xrandr --output HDMI-0 --off
+ '';
+ conflicts = ["CSMode.service"];
+ serviceConfig.Type = "oneshot";
+ };
+ "CSMode" = {
+ description = "Enable 4:3 black bars";
+ script = ''
+ ${pkgs.xorg.xrandr}/bin/xrandr ${DP4Config} --primary
+ /run/current-system/sw/bin/nvidia-settings --assign CurrentMetaMode="DP-4: 3440x1440_144 { ViewPortIn=3440x1440, ViewPortOut=1920x1440+760+0, AllowGSYNCCompatible=On }"
+ ${pkgs.xorg.xrandr}/bin/xrandr --output HDMI-0 --off
+ '';
+ preStop = ''
+ /run/current-system/sw/bin/nvidia-settings --assign CurrentMetaMode="DP-4: 3440x1440_144 { ViewPortIn=3440x1440, ViewPortOut=3440x1440+0+0, AllowGSYNCCompatible=On }"
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ };
+ };
};
- boot.enableContainers = false;
system.stateVersion = "20.03";
}
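Review bot: The `rtmp` server added through `appendConfig` listens on 1935 with no publish restriction in either application, and `networking.firewall.enable = false` elsewhere in this file means nothing in front of it filters connections. Any host that can reach the port can therefore publish to `live`, which starts the five-way ffmpeg transcode, or publish straight into `show`. `application show` only needs to receive from the local ffmpeg, so `allow publish 127.0.0.1;` followed by `deny publish all;` fits there, and `application live` would take the same pair with the encoder's address allowed. Separately, `2>>${rootLocation}/ffmpeg-$name.log` puts the ffmpeg logs in `/var/www/hls/`, which the `stream.nyanlout.re` vhost serves with `Access-Control-Allow-Origin *`, and the file name includes the publisher-chosen stream name. Writing the logs to a directory outside the web root, added to the nginx unit's `ReadWritePaths`, would stop them being served.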
diff --git a/systems/PC-Fixe/hardware-configuration.nix b/systems/PC-Fixe/hardware-configuration.nix
index 4768bab..5d50505 100644
--- a/systems/PC-Fixe/hardware-configuration.nix
+++ b/systems/PC-Fixe/hardware-configuration.nix
@@ -1,79 +1,55 @@
# Do not modify this file! It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
-{
- config,
- lib,
- pkgs,
- ...
-}:
+{ config, lib, pkgs, ... }:
{
- boot.initrd.availableKernelModules = [
- "nvme"
- "xhci_pci"
- "ahci"
- "usbhid"
- "usb_storage"
- "sd_mod"
- ];
+ boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
- boot.kernelModules = [
- "kvm-amd"
- "coretemp"
- "it87"
- ];
+ boot.kernelModules = [ "kvm-amd" "coretemp" "it87" ];
boot.extraModulePackages = [ ];
services.xserver.videoDrivers = [ "nvidia" ];
hardware.cpu.amd.updateMicrocode = true;
- hardware.nvidia = {
- open = false;
- modesetting.enable = true;
- package = config.boot.kernelPackages.nvidiaPackages.latest;
- };
- fileSystems."/" = {
- device = "rpool/root/nixos";
- fsType = "zfs";
- };
+ fileSystems."/" =
+ { device = "rpool/root/nixos";
+ fsType = "zfs";
+ };
- fileSystems."/boot" = {
- device = "/dev/disk/by-uuid/F4EC-57DF";
- fsType = "vfat";
- };
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/F4EC-57DF";
+ fsType = "vfat";
+ };
- fileSystems."/home" = {
- device = "fastaf/home";
- fsType = "zfs";
- };
+ fileSystems."/home" =
+ { device = "fastaf/home";
+ fsType = "zfs";
+ };
- fileSystems."/mnt/steam" = {
- device = "fastaf/steam";
- fsType = "zfs";
- };
+ fileSystems."/mnt/steam" =
+ { device = "fastaf/steam";
+ fsType = "zfs";
+ };
- fileSystems."/mnt/games" = {
- device = "fastaf/games";
- fsType = "zfs";
- };
+ fileSystems."/mnt/games" =
+ { device = "fastaf/games";
+ fsType = "zfs";
+ };
- # fileSystems."/mnt/hdd" =
- # { device = "/dev/mapper/ManjaroVG-ManjaroRoot";
- # fsType = "ext4";
- # };
+ fileSystems."/mnt/hdd" =
+ { device = "/dev/mapper/ManjaroVG-ManjaroRoot";
+ fsType = "ext4";
+ };
- fileSystems."/mnt/medias" = {
- device = "10.30.0.1:/mnt/medias";
- fsType = "nfs";
- options = [
- "x-systemd.automount"
- "noauto"
- ];
- };
+ fileSystems."/mnt/medias" =
+ { device = "10.30.0.1:/mnt/medias";
+ fsType = "nfs";
+ options = ["x-systemd.automount" "noauto"];
+ };
swapDevices = [ ];
- nix.settings.max-jobs = lib.mkDefault 12;
+ nix.maxJobs = lib.mkDefault 12;
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}
diff --git a/systems/common-cli.nix b/systems/common-cli.nix
index 4651d9a..6d72c56 100644
--- a/systems/common-cli.nix
+++ b/systems/common-cli.nix
@@ -1,104 +1,35 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
{
time.timeZone = "Europe/Paris";
- programs.nixvim = {
- enable = true;
- viAlias = true;
- vimAlias = true;
- colorschemes.catppuccin.enable = true;
- highlight.ExtraWhitespace.bg = "red"; # Highlight extra white spaces
- performance = {
- byteCompileLua = {
- enable = true;
- nvimRuntime = true;
- configs = true;
- plugins = true;
- };
- };
- opts = {
- updatetime = 100; # Faster completion
-
- # Line numbers
- number = true; # Display the absolute line number of the current line
- hidden = true; # Keep closed buffer open in the background
- mouse = "a"; # Enable mouse control
- mousemodel = "extend"; # Mouse right-click extends the current selection
- splitbelow = true; # A new window is put below the current one
- splitright = true; # A new window is put right of the current one
-
- modeline = true; # Tags such as 'vim:ft=sh'
- modelines = 100; # Sets the type of modelines
- undofile = true; # Automatically save and restore undo history
- incsearch = true; # Incremental search: show match for partly typed search command
- ignorecase = true; # When the search query is lower-case, match both lower and upper-case patterns
- smartcase = true; # Override the 'ignorecase' option if the search pattern contains upper case characters
- cursorline = true; # Highlight the screen line of the cursor
- cursorcolumn = true; # Highlight the screen column of the cursor
- signcolumn = "yes"; # Whether to show the signcolumn
- laststatus = 3; # When to use a status line for the last window
- fileencoding = "utf-8"; # File-content encoding for the current buffer
- termguicolors = true; # Enables 24-bit RGB color in the |TUI|
- wrap = false; # Prevent text from wrapping
-
- # Tab options
- tabstop = 2; # Number of spaces a in the text stands for (local to buffer)
- shiftwidth = 2; # Number of spaces used for each step of (auto)indent (local to buffer)
- softtabstop = 0; # If non-zero, number of spaces to insert for a (local to buffer)
- expandtab = true; # Expand to spaces in Insert mode (local to buffer)
- autoindent = true; # Do clever autoindenting
-
- showmatch = true; # when closing a bracket, briefly flash the matching one
- matchtime = 1; # duration of that flashing n deci-seconds
- startofline = true; # motions like "G" also move to the first char
- report = 9001; # disable "x more/fewer lines" messages
- };
- plugins = {
- lualine.enable = true;
- lsp = {
- enable = true;
- inlayHints = true;
- servers = {
- nixd.enable = true;
- ruff.enable = true;
- };
- };
- lspkind.enable = true;
- lsp-lines.enable = true;
- lsp-signature.enable = true;
- bufferline.enable = true;
- telescope.enable = true;
- which-key.enable = true;
- treesitter = {
- enable = true;
- settings = {
- highlight = {
- enable = true;
- additional_vim_regex_highlighting = true;
- };
-
- indent = {
- enable = true;
- };
- };
- };
- cmp = {
- enable = true;
- autoEnableSources = true;
- settings.sources = [
- { name = "nvim_lsp"; }
- { name = "path"; }
- { name = "buffer"; }
- ];
- };
- web-devicons.enable = true;
- };
- };
-
environment.systemPackages = with pkgs; [
+ # Editeurs
+ (neovim.override {
+ viAlias = true;
+ vimAlias = true;
+ configure = {
+ customRC = ''
+ set tabstop=8
+ set shiftwidth=4
+ set softtabstop=0
+ set expandtab
+ set smarttab
+ set background=dark
+ '';
+ packages.myVimPackage = with pkgs.vimPlugins; {
+ start = [
+ vim-startify airline sensible
+ polyglot ale fugitive
+ ];
+ opt = [ ];
+ };
+ };
+ })
+
# Gestionnaires de version
+ gitMinimal
tig
gitAndTools.hub
quilt
@@ -118,6 +49,7 @@
inetutils
rclone
lftp
+ wireguard-tools
nfs-utils
nmap
@@ -125,7 +57,7 @@
fzf
file
ncdu
- yt-dlp
+ youtube-dl
tldr
starship
@@ -142,8 +74,6 @@
# Développement
openssl
- treefmt
- nixfmt-rfc-style
];
users.defaultUserShell = pkgs.zsh;
@@ -164,14 +94,8 @@
'';
ohMyZsh = {
enable = true;
- plugins = [
- "git"
- "colored-man-pages"
- "command-not-found"
- "extract"
- "nix"
- ];
- customPkgs = with pkgs; [
+ plugins = [ "git" "colored-man-pages" "command-not-found" "extract" "nix" ];
+ customPkgs = with pkgs;[
nix-zsh-completions
];
};
@@ -180,21 +104,18 @@
bash.interactiveShellInit = ''
eval "$(starship init bash)"
'';
-
- git.enable = true;
};
- environment.variables =
- let
- starshipConfToml = pkgs.writeText "starship.toml" ''
+ environment.variables = let
+ starshipConfToml =
+ pkgs.writeText "starship.toml" ''
[[battery.display]]
threshold = 50
'';
- in
- {
- EDITOR = "nvim";
- STARSHIP_CONFIG = "${starshipConfToml}";
- };
+ in {
+ EDITOR = "nvim";
+ STARSHIP_CONFIG = "${starshipConfToml}";
+ };
nix.gc.automatic = true;
nix.gc.options = "--delete-older-than 15d";
diff --git a/systems/common-gui.nix b/systems/common-gui.nix
index 74c0990..dd00f94 100644
--- a/systems/common-gui.nix
+++ b/systems/common-gui.nix
@@ -1,6 +1,8 @@
{ config, pkgs, ... }:
{
+ nixpkgs.config.allowUnfreePredicate = (pkg: true);
+
environment.systemPackages = with pkgs; [
filezilla
qbittorrent
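Review bot: `nixpkgs.config.allowUnfreePredicate = (pkg: true);` accepts every unfree package, so the predicate no longer works as an allow-list and a newly introduced unfree dependency would be built without anyone reviewing it. An explicit list keeps the set auditable, for example `nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (pkgs.lib.getName pkg) [ "discord" "steam" ];`, extended to the unfree packages this configuration actually installs. The two names shown are a sketch and should be confirmed by evaluating the configuration. If blanket acceptance is intended, `nixpkgs.config.allowUnfree = true;` states that more directly than a predicate that always returns true.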
@@ -8,49 +10,46 @@
sc-controller
steam-run
- prismlauncher
+ minecraft
lutris
teamspeak_client
- ryujinx
betaflight-configurator
+ electrum
+ electron-cash
ledger-live-desktop
monero-gui
+ firefox
tor-browser-bundle-bin
- brave
+ chromium
tdesktop
element-desktop
mumble
discord
- kdePackages.kleopatra
+ kleopatra
gnupg
gopass
xclip
- kdePackages.kdeplasma-addons
- kdePackages.ark
- kdePackages.kate
- kdePackages.kmail
- kdePackages.kdeconnect-kde
- kdePackages.okular
- kdePackages.yakuake
- kdePackages.konversation
- kdePackages.gwenview
- kdePackages.kcalc
- kdePackages.spectacle
- kdePackages.kinfocenter
+ kdeplasma-addons
+ ark
+ kate
+ kmail
+ kdeconnect
+ okular
+ yakuake
+ konversation
+ gwenview
+ kcalc
+ spectacle
+ kinfocenter
kile
(texlive.combine {
- inherit (texlive)
- scheme-small
- titling
- collection-langfrench
- cm-super
- ;
+ inherit (texlive) scheme-small titling collection-langfrench cm-super;
})
libsForQt5.breeze-gtk
@@ -63,80 +62,73 @@
obs-studio
vlc
mpv
+ jellyfin-mpv-shim
+ kdenlive
glxinfo
i7z
+ appimage-run
pavucontrol
];
- fonts.packages = with pkgs; [
- nerd-fonts.jetbrains-mono
- nerd-fonts.ubuntu-mono
- nerd-fonts.fira-mono
- ];
-
i18n = {
defaultLocale = "fr_FR.UTF-8";
};
console.keyMap = "fr";
+ programs.steam.enable = true;
+
+ # hardware = {
+ # pulseaudio.enable = true;
+ # };
+
+ # sound.enable = true;
+
+ security.rtkit.enable = true;
+
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ };
+
networking.networkmanager.enable = true;
systemd.extraConfig = "DefaultLimitNOFILE=1048576";
-
- security = {
- pam.loginLimits = [
- {
- domain = "*";
- type = "hard";
- item = "nofile";
- value = "1048576";
- }
- ];
- rtkit.enable = true;
- };
+ security.pam.loginLimits = [{
+ domain = "*";
+ type = "hard";
+ item = "nofile";
+ value = "1048576";
+ }];
programs = {
- gnupg.agent = {
- enable = true;
- enableSSHSupport = true;
- };
+ gnupg.agent = { enable = true; enableSSHSupport = true; };
browserpass.enable = true;
- steam.enable = true;
- firefox.enable = true;
- appimage.enable = true;
};
services = {
- desktopManager.plasma6.enable = true;
- displayManager = {
- sddm = {
- enable = true;
- wayland.enable = true;
- autoLogin.relogin = true;
- };
- };
xserver = {
enable = true;
- xkb.layout = "fr";
+ layout = "fr";
exportConfiguration = true;
- };
- pipewire = {
- enable = true;
- alsa.enable = true;
- alsa.support32Bit = true;
- pulse.enable = true;
- extraConfig.pipewire = {
- "10-clock-rate" = {
- "context.properties" = {
- "default.clock.allowed-rates" = [ 48000 ];
- };
- };
- };
+ displayManager.sddm.enable = true;
+ desktopManager.plasma5.enable = true;
};
udev.packages = with pkgs; [ ledger-udev-rules ];
- pcscd.enable = true;
+ pcscd = {
+ enable = true;
+ plugins = [
+ (pkgs.ccid.overrideAttrs (oldAttrs: rec {
+ preBuild = ''
+ echo "0x2C97:0x0001:Ledger Token" >> ./readers/supported_readers.txt
+ '';
+ })
+ )
+ ];
+ };
};
environment.etc = {
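Review bot: The `pkgs.ccid.overrideAttrs` call under `pcscd.plugins` assigns `preBuild` outright, so any `preBuild` the upstream derivation defines, now or after a nixpkgs update, is silently discarded. `rec` and the `oldAttrs` argument are both unused. Appending instead, with `preBuild = (oldAttrs.preBuild or "") + ...` and `rec` dropped, keeps the upstream steps in place. Since this patches the reader list of the smart-card driver, a comment above the override saying why `0x2C97:0x0001` has to be added to `supported_readers.txt`, and when the override can be removed, would help the next person who updates it.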
diff --git a/treefmt.toml b/treefmt.toml
deleted file mode 100644
index d8118ce..0000000
--- a/treefmt.toml
+++ /dev/null
@@ -1,3 +0,0 @@
-[formatter.nixfmt-rfc-style]
-command = "nixfmt"
-includes = ["*.nix"]