Regroupement configurations

2018-06-09 13:23:26 +02:00 · 2018-06-09 13:23:26 +02:00 · 2901854e84
commit 2901854e84
parent 071c0d6ac9
8 changed files with 221 additions and 12 deletions
--- a/systems/LoutreOS/configuration.nix
+++ b/systems/LoutreOS/configuration.nix
@ -0,0 +1,95 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ./users.nix
+      ./services.nix
+    ];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  boot.supportedFilesystems = [ "zfs" ];
+
+  services.zfs.autoSnapshot.enable = true;
+  services.zfs.autoScrub.enable = true;
+
+  networking.hostName = "loutreos"; # Define your hostname.
+  networking.hostId = "7e66e347";
+
+  # Select internationalisation properties.
+  # i18n = {
+  #   consoleFont = "Lat2-Terminus16";
+  #   consoleKeyMap = "en";
+  #   defaultLocale = "en_US.UTF-8";
+  # };
+
+  # Set your time zone.
+  time.timeZone = "Europe/Paris";
+
+  # List packages installed in system profile. To search by name, run:
+  # $ nix-env -qaP | grep wget
+  nixpkgs.overlays = [
+    (import ../../overlays/riot-web.nix)
+    (import ../../overlays/lidarr.nix)
+    (import ../../overlays/organizr.nix)
+    (import ../../overlays/sudo.nix)
+    (import ../../overlays/neovim.nix)
+    (import ../../overlays/site-max.nix)
+    (import ../../overlays/site-musique.nix)
+  ];
+  environment.systemPackages = with pkgs; [
+    neovim
+    git
+    tmux
+    ncdu
+  ];
+
+  nixpkgs.config.allowUnfree = true;
+
+  users.defaultUserShell = pkgs.zsh;
+  programs.zsh.enable = true;
+  programs.zsh.enableAutosuggestions = true;
+  programs.zsh.enableCompletion = true;
+  programs.zsh.syntaxHighlighting.enable = true;
+  programs.zsh.ohMyZsh.enable = true;
+  programs.zsh.ohMyZsh.plugins = [ "git" "colored-man-pages" "command-not-found" "extract" ];
+  programs.zsh.ohMyZsh.theme = "bureau";
+
+  environment.variables = { EDITOR = "nvim"; };
+
+  # Some programs need SUID wrappers, can be configured further or are
+  # started in user sessions.
+  # programs.bash.enableCompletion = true;
+  # programs.mtr.enable = true;
+  # programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
+
+  # List services that you want to enable:
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+  services.openssh.permitRootLogin = "no";
+
+  networking.firewall.allowedTCPPorts = [  ];
+  networking.firewall.allowedUDPPorts = [  ];
+  networking.firewall.enable = true;
+
+  security.sudo.wheelNeedsPassword = false;
+
+  system.autoUpgrade.enable = true;
+  systemd.services.nixos-upgrade.path = with pkgs; [ gzip gnutar xz.bin config.nix.package.out ];
+
+  services.fstrim.enable = true;
+
+  nix.gc.automatic = true;
+  nix.gc.options = "--delete-older-than 15d";
+
+  system.stateVersion = "18.03";
+}
--- a/systems/LoutreOS/hardware-configuration.nix
+++ b/systems/LoutreOS/hardware-configuration.nix
@ -0,0 +1,130 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "nvme" "usbhid" "sd_mod" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-label/nixos";
+      fsType = "ext4";
+    };
+
+  fileSystems."/var/lib/acme" =
+    { device = "loutrepool/var/acme";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/transmission" =
+    { device = "loutrepool/var/transmission";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/matrix-synapse" =
+    { device = "loutrepool/var/matrix-synapse";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/radarr" =
+    { device = "loutrepool/var/radarr";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/grafana" =
+    { device = "loutrepool/var/grafana";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/slimserver" =
+    { device = "loutrepool/var/slimserver";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/db/influxdb" =
+    { device = "loutrepool/var/influxdb";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/postgresql" =
+    { device = "loutrepool/var/postgresql";
+      fsType = "zfs";
+    };
+
+  fileSystems."/exports/steam" =
+    { device = "loutrepool/steam";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/emby/ProgramData-Server" =
+    { device = "loutrepool/var/emby";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/syncthing" =
+    { device = "loutrepool/var/syncthing";
+      fsType = "zfs";
+    };
+
+  fileSystems."/mnt/medias" =
+    { device = "loutrepool/medias";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/sieve" =
+    { device = "loutrepool/var/sieve";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/vmail" =
+    { device = "loutrepool/var/vmail";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/sonarr" =
+    { device = "loutrepool/var/sonarr";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/jackett" =
+    { device = "loutrepool/var/jackett";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/lib/gitea" =
+    { device = "loutrepool/var/gitea";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/dkim" =
+    { device = "loutrepool/var/dkim";
+      fsType = "zfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-label/boot";
+      fsType = "vfat";
+    };
+
+  fileSystems."/mnt/backup" =
+    { device = "backup";
+      fsType = "zfs";
+    };
+
+  swapDevices =
+    [
+      {
+        device = "/var/swapfile";
+        size = 8096;
+      }
+    ];
+
+  nix.maxJobs = lib.mkDefault 4;
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+}
--- a/systems/LoutreOS/services.nix
+++ b/systems/LoutreOS/services.nix
@ -0,0 +1,281 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  domaine = "nyanlout.re";
+
+  riot_port = 52345;
+  organizr_port = 52346;
+  pgmanage_port = 52347;
+  max_port = 52348;
+  musique_port = 52349;
+in
+
+{
+  imports = [
+    ../../services/haproxy-acme.nix
+    ../../services/mail-server.nix
+    ../../services/lidarr.nix
+    ../../services/site-musique.nix
+    ../../services/site-max.nix
+  ];
+
+  services.smartd.enable = true;
+  services.smartd.notifications.mail.enable = true;
+  services.smartd.notifications.mail.recipient = "paul@nyanlout.re";
+
+  services.haproxy-acme.enable = true;
+  services.haproxy-acme.domaine = domaine;
+  services.haproxy-acme.services = {
+    "grafana.${domaine}" = { ip = "127.0.0.1"; port = 3000; auth = false; };
+    "emby.${domaine}" = { ip = "127.0.0.1"; port = 8096; auth = false; };
+    "radarr.${domaine}" = { ip = "127.0.0.1"; port = 7878; auth = false; };
+    "sonarr.${domaine}" = { ip = "127.0.0.1"; port = 8989; auth = false; };
+    "lidarr.${domaine}" = { ip = "127.0.0.1"; port = 8686; auth = false; };
+    "transmission.${domaine}" = { ip = "127.0.0.1"; port = 9091; auth = true; };
+    "syncthing.${domaine}" = { ip = "127.0.0.1"; port = 8384; auth = true; };
+    "jackett.${domaine}" = { ip = "127.0.0.1"; port = 9117; auth = true; };
+    "searx.${domaine}" = { ip = "127.0.0.1"; port = 8888; auth = false; };
+    "riot.${domaine}" = { ip = "127.0.0.1"; port = riot_port; auth = false; };
+    "matrix.${domaine}" = { ip = "127.0.0.1"; port = 8008; auth = false; };
+    "organizr.${domaine}" = { ip = "127.0.0.1"; port = organizr_port; auth = true; };
+    "pgmanage.${domaine}" = { ip = "127.0.0.1"; port = pgmanage_port; auth = true; };
+    "gitea.${domaine}" = { ip = "127.0.0.1"; port = 3001; auth = false; };
+  };
+
+  services.mailserver.enable = true;
+  services.mailserver.domaine = domaine;
+
+  services.influxdb.enable = true;
+  services.influxdb.dataDir = "/var/db/influxdb";
+
+  services.telegraf.enable = true;
+  services.telegraf.extraConfig = {
+    inputs = {
+      zfs = { poolMetrics = true; };
+      net = { interfaces = [ "eno1" "eno2" "eno3" "eno4" ]; };
+      netstat = {};
+      cpu = { totalcpu = true; };
+      kernel = {};
+      mem = {};
+      processes = {};
+      system = {};
+      disk = {};
+      ipmi_sensor = { path = "${pkgs.ipmitool}/bin/ipmitool"; };
+      smart = {
+        path = "${pkgs.writeShellScriptBin "smartctl" "/run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl $@"}/bin/smartctl";
+      };
+    };
+    outputs = {
+      influxdb = { database = "telegraf"; urls = [ "http://localhost:8086" ]; };
+    };
+  };
+
+  services.udev.extraRules = ''
+    KERNEL=="ipmi*", MODE="660", OWNER="telegraf"
+  '';
+
+  security.sudo.extraRules = [
+    { commands = [ { command = "${pkgs.smartmontools}/bin/smartctl"; options = [ "NOPASSWD" ]; } ]; users = [ "telegraf" ]; }
+  ];
+
+  services.grafana.enable = true;
+  services.grafana.addr = "127.0.0.1";
+  services.grafana.dataDir = "/var/lib/grafana";
+  services.grafana.extraOptions = {
+    SERVER_ROOT_URL = "https://grafana.${domaine}";
+    SMTP_ENABLED = "true";
+    SMTP_FROM_ADDRESS = "grafana@${domaine}";
+    SMTP_SKIP_VERIFY = "true";
+  };
+
+  services.emby.enable = true;
+  services.emby.dataDir = "/var/lib/emby/ProgramData-Server";
+
+  services.slimserver.enable = true;
+  services.slimserver.dataDir = "/var/lib/slimserver";
+
+  services.syncthing.enable = true;
+  services.syncthing.dataDir = "/var/lib/syncthing";
+  services.syncthing.openDefaultPorts = true;
+  
+  services.nfs.server = {
+    enable = true;
+    exports = ''
+      /mnt/medias  192.168.0.0/24(ro,no_root_squash)
+      /exports/steam  192.168.0.0/24(rw,no_root_squash)
+    '';
+    statdPort = 4000;
+    lockdPort = 4001;
+    mountdPort = 4002;
+  };
+
+  services.transmission.enable = true;
+  services.transmission.home = "/var/lib/transmission";
+  services.transmission.settings = {
+    rpc-bind-address = "127.0.0.1";
+    rpc-host-whitelist = "*";
+    rpc-whitelist-enabled = false;
+  };
+
+  services.radarr.enable = true;
+  services.sonarr.enable = true;
+  services.jackett.enable = true;
+
+  services.searx.enable = true;
+
+  services.nginx.enable = true;
+  services.nginx.virtualHosts = {
+    "riot" = {
+      listen = [ { addr = "127.0.0.1"; port = riot_port; } ];
+      locations = { "/" = { root = pkgs.riot-web; }; };
+    };
+    "organizr" = {
+      listen = [ { addr = "127.0.0.1"; port = organizr_port; } ];
+      locations."/" = {
+        root = pkgs.organizr;
+        index = "index.php";
+        extraConfig = ''
+          location ~* \.php$ {
+            fastcgi_split_path_info ^(.+\.php)(/.+)$;
+            fastcgi_pass unix:/run/phpfpm/nginx;
+            include ${pkgs.nginx}/conf/fastcgi_params;
+            include ${pkgs.nginx}/conf/fastcgi.conf;
+          }
+        '';
+      };
+    };
+  };
+
+  services.phpfpm.poolConfigs.mypool = ''
+    listen = /run/phpfpm/nginx
+    listen.owner = nginx
+    listen.group = nginx
+    listen.mode = 0660
+    user = nginx
+    pm = dynamic
+    pm.max_children = 75
+    pm.start_servers = 2
+    pm.min_spare_servers = 1
+    pm.max_spare_servers = 20
+    pm.max_requests = 500
+    php_admin_value[error_log] = 'stderr'
+    php_admin_flag[log_errors] = on
+    catch_workers_output = yes
+  '';
+
+  services.postgresql.enable = true;
+  services.matrix-synapse = {
+    enable = true;
+    enable_registration = true;
+    server_name = "nyanlout.re";
+    listeners = [
+      { # federation
+        bind_address = "";
+        port = 8448;
+        resources = [
+          { compress = true; names = [ "client" "webclient" ]; }
+          { compress = false; names = [ "federation" ]; }
+        ];
+        tls = true;
+        type = "http";
+        x_forwarded = false;
+      }
+      { # client
+        bind_address = "127.0.0.1";
+        port = 8008;
+        resources = [
+          { compress = true; names = [ "client" "webclient" ]; }
+        ];
+        tls = false;
+        type = "http";
+        x_forwarded = true;
+      }
+    ];
+    database_type = "psycopg2";
+    database_args = {
+      database = "matrix-synapse";
+    };
+    extraConfig = ''
+      max_upload_size: "100M"
+    '';
+  };
+
+  services.pgmanage.enable = true;
+  services.pgmanage.port = pgmanage_port;
+  services.pgmanage.connections = {
+    localhost = "hostaddr=127.0.0.1 port=5432 dbname=postgres";
+  };
+
+  services.borgbackup.jobs = {
+    loutre = {
+      paths = [
+        "/var/certs"
+        "/var/dkim"
+        "/var/lib/gitea"
+        "/var/lib/grafana"
+        "/var/lib/matrix-synapse"
+        "/var/lib/jackett"
+        "/var/lib/postgresql/.zfs/snapshot/borgsnap"
+        "/var/lib/radarr"
+        "/var/lib/sonarr"
+        "/var/lib/syncthing"
+        "/var/lib/transmission"
+        "/mnt/medias/musique"
+        "/mnt/medias/torrent/lidarr"
+        "/mnt/medias/torrent/musique"
+        "/var/sieve"
+        "/var/vmail"
+      ];
+      repo = "/mnt/backup/borg";
+      encryption = {
+        mode = "repokey-blake2";
+        passCommand = "cat /root/borg/medias_encryption_pass";
+      };
+      startAt = "weekly";
+      prune.keep = {
+        within = "1d";
+        weekly = 4;
+        monthly = 12;
+      };
+      preHook = "${pkgs.zfs}/bin/zfs snapshot loutrepool/var/postgresql@borgsnap";
+      postHook = ''
+        ${pkgs.zfs}/bin/zfs destroy loutrepool/var/postgresql@borgsnap
+        if [[ $exitStatus == 0 ]]; then
+          ${pkgs.rclone}/bin/rclone --config /root/.config/rclone/rclone.conf sync -v $BORG_REPO loutre_ovh:loutre
+        fi
+      '';
+    };
+  };
+
+  services.gitea = {
+    enable = true;
+    cookieSecure = true;
+    httpPort = 3001;
+    rootUrl = "https://gitea.nyanlout.re/";
+    database.type = "postgres";
+    database.port = 5432;
+    database.password = "gitea";
+  };
+
+  services.site-musique.enable = true;
+  services.site-musique.port = musique_port;
+  services.site-musique.domaine = "musique-meyenheim.fr";
+
+  services.site-max.enable = true;
+  services.site-max.port = max_port;
+  services.site-max.domaine = "maxspiegel.fr";
+
+  networking.firewall.allowedTCPPorts = [
+    111 2049 4000 4001 4002 # NFS
+    3483 9000 9090 # Slimserver
+    51413 # Transmission
+    8448 # Matrix federation
+  ];
+  networking.firewall.allowedUDPPorts = [
+    111 2049 4000 4001 4002 # NFS
+    3483 # Slimserver
+    51413 # Transmission
+  ];
+}
--- a/systems/LoutreOS/users.nix
+++ b/systems/LoutreOS/users.nix
@ -0,0 +1,25 @@
+{ config, pkgs, ... }:
+
+{
+  users.extraUsers.paul =
+  { uid = 1000;
+    isNormalUser = true;
+    description = "Paul TREHIOU";
+    extraGroups = [ "wheel" "networkmanager" "medias" ];
+    openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAF7VlzHzgg70uFbRFtVTS34qNBke/RD36mRENAsa33RxztxrqMsIDscAD/d6CTe6HDy7MCGzJnWCJSXj5iOQFM4RRMvKNEgCKPHqfhmfVvO4YZuMjNB0ufVf6zhJL4Hy43STf7NIWrenGemUP+OvVSwN/ujgl2KKw4KJZt25/h/7JjlCgsZm4lWg4xcjoiKL701W2fbEoU73XKdbRTgTvKoeK1CGxdAPFefFDFcv/mtJ7d+wIxw9xODcLcA66Bu94WGMdpyEAJc4nF8IOy4pW8AzllDi0qNEZGCQ5+94upnLz0knG1ue9qU2ScAkW1/5rIJTHCVtBnmbLNSAOBAstaGQJuSL40TWZ1oPA5i1qUEhunNcJ+Sgtp6XP69qY34T/AeJvHRyw5M5LfN0g+4ka9k06NPBhbpHFASz4M8nabQ0iM63++xcapnw/8gk+EPhYVKW86SsyTa9ur+tt6oDWEKNaOhgscX44LexY7jKdeBRt3GaObtBJtVLBRx3Z2aRXgjgnKGqS40mGRiSkqb2DShspI1l8DV2RrPiuwdBzXVQjWRc0KXmJrcgXX9uoPSxihxwaUQyvmITOV1Y+NEuek4gRkVNOxjoG7RGnaYvYzxEQVoI5TwZC2/DCrAUgCv8DQawkcpEiWnBq7Q5VnpmFx5juVQ/I0G8byOkPXgRUOk9 openpgp:0xAB524BBC" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCACVI2dL4AmOdcb7RSl3JZpfK33NhqrYFfWfXMYow5SPJ9VPteOp5kVvKUuSbGH3chjpttYC/ueQJJhFagiKmkeftQTslIw6C009wUExGpJwRotHqISXv2ctURGURKy2FF848whd7xZJzdj49ZJ6S+SCbRFZvVWfT2dP/JwTiWW1mbEaWKyOgrixH6wSKt9ECumjX9KjqSWGw+k3yLJxIhdqiZAjNv4soJs1mQYdIlFCXCuznzoZIQBexZPQCx0j9HjczPz1feMLWkrHzEMexNjsBE2uA6yXLbH1wa8xCJ4VOeD7u9JqVY579AsicD62G+qIgw0B2zmyz7xTrdPv+061zmYn6qYr8EXGTk4dVgedZp8M1XzZ1PVoeeftPFcClXC7zCGyCR2uzJbQLzlaTwZrdghAiS9UhMRuKpNgZy2zDWw4MqdojrF5bndPkoijlXWYrPYBFED5OU1mpwzpanYgldowJC/Ixjwi+Hmse2q4XgZ+egfuotBqPfqB+bWsCa5GNiJWGdLP69uBSsXubGnqLwvE0FAQ2GHb+SEoZKFy/QV9GzOLlVrGlgK5YFgKJD+Q1nn1QRycXt1oMVC/AtR/NshOGanhdvIRpPATGmaxLVXSY093vyAOW4MPrS00fPAXzAfJUwIuWcloFfLMo5Jitj5rpE1s6FX8xrl4upQ== paul@nyanlout.re" ];
+  };
+  
+  users.extraUsers.victor =
+  { uid = 1111;
+    isNormalUser = true;
+    description = "Victor SENE";
+    extraGroups = [ "wheel" "networkmanager" ];
+    openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCaCc2qcQsd/VPDX1K97zJ/MjObWnTfRkA98xeNnVTeGoMmbf/fW1KszB+3IYCngCKLhliotHEXkqOK24vMLZ9ylVPTIPLNY5OWLFRQSOU/OykP8r4ikDWmMOwI+tqkoBknTUZdA1MN1JmkpE1cWL8vRJ7mnwl/p7xCMHV19N5+UdoIx3bFsm0CCUMIYSaIefoD3tpIzmgVqBkIH4FSmNwvXHwcXhhOTGqXbTJYC/GY2mI0AFvZI3T61ReV325ms7QRQlElXP8Rv8lpjr57VISNjKsPPNvifLjy10RjIS8iNioN6fJ0XBCfKOmm37VX86aFkAgWdpzxGojprOXnViwZEWSegnvKGx8FNx3gB54zF76e6koWS+qnYf9UTdogO6uXhXZb7AoMC9XD0/l6Egh8HzPWAUZtLx74zhB8ufoKmzqOp4YrCK8Cu4N/1UTFyPUoeSCZJdcE/9iqldym06mOi4rDV5cKCzs+Q0bVP8+x8SZ9ajYUH7l4sxjDHtHiyAYniWIxGPO5NazCfx7J+1GGzbtV0HuBwE/U20z+nBy+WZ4MowQTNb2E2uhq4OgQASx7uTKtyhnfT09A3toHZVerfH8ET8YEVnwdYMCA0GHYMOZ48h1ORdE+OLyqRlxjYTCB17Kc2icSL3iv8Yd66vQagy3A+C8OhZP1rdc15bEZnw== openpgp:0x28DF0235" ];
+   };
+
+  users.extraGroups.medias =
+  {
+    gid = 498;
+    members = [ "slimserver" "radarr" "sonarr" "emby" "transmission" "lidarr" ];
+  };
+}