vskilet/nixos-config
1
0
Fork 0
forked from nyanloutre/nixos-config
Code Issues Pull Requests Releases Wiki Activity

Refactoring LoutreOS

Browse Source
This commit is contained in:
nyanloutre 2018-09-04 14:05:06 +02:00
parent 3792a3a19e
commit 8de365b923
3 changed files with 377 additions and 347 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
systems/LoutreOS/configuration.nix
View File

@ -5,37 +5,35 @@
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
imports = [
./hardware-configuration.nix
./users.nix
./services.nix
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
boot.supportedFilesystems = [ "zfs" ];
supportedFilesystems = [ "zfs" ];
services.zfs.autoSnapshot.enable = true;
services.zfs.autoScrub.enable = true;
tmpOnTmpfs = true;
};
networking.hostName = "loutreos"; # Define your hostname.
networking.hostId = "7e66e347";
services.zfs = {
autoSnapshot.enable = true;
autoScrub.enable = true;
};
# Select internationalisation properties.
# i18n = {
# consoleFont = "Lat2-Terminus16";
# consoleKeyMap = "en";
# defaultLocale = "en_US.UTF-8";
# };
networking = {
hostName = "loutreos"; # Define your hostname.
hostId = "7e66e347";
};
# Set your time zone.
time.timeZone = "Europe/Paris";
# List packages installed in system profile. To search by name, run:
# $ nix-env -qaP | grep wget
nixpkgs.overlays = [
(import ../../overlays/riot-web.nix)
(import ../../overlays/sudo.nix)
@ -86,30 +84,23 @@
environment.variables = { EDITOR = "nvim"; };
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.bash.enableCompletion = true;
# programs.mtr.enable = true;
# programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
services.openssh = {
enable = true;
permitRootLogin = "no";
passwordAuthentication = false;
};
# List services that you want to enable:
# Enable the OpenSSH daemon.
services.openssh.enable = true;
services.openssh.permitRootLogin = "no";
services.openssh.passwordAuthentication = false;
networking.firewall.allowedTCPPorts = [ ];
networking.firewall.allowedUDPPorts = [ ];
networking.firewall.enable = true;
networking.firewall = {
allowedTCPPorts = [ ];
allowedUDPPorts = [ ];
enable = true;
};
security.sudo.wheelNeedsPassword = false;
system.autoUpgrade.enable = true;
systemd.services.nixos-upgrade.path = with pkgs; [ gzip gnutar xz.bin config.nix.package.out ];
services.fstrim.enable = true;
nix.gc.automatic = true;
nix.gc.options = "--delete-older-than 15d";

178
systems/LoutreOS/services.nix
View File

@ -10,12 +10,7 @@ let
max_port = 52348;
musique_port = 52349;
ekleog_matrix_0_33 = pkgs.fetchgit {
url = "https://github.com/Ekleog/nixpkgs.git";
rev = "fe1fa933d168faec56767a9bd1daa0d47070bdf0";
sha256 = "02nlcs46ijjkwl8i521555gpd0w2if87p9bmdn2s5g728pz8mh27";
};
ekleog_matrix_0_33_pkgs = import ekleog_matrix_0_33 {};
unstable = import <nixos-unstable> {};
in
{
@ -26,15 +21,25 @@ in
../../services/site-max.nix
];
services.fail2ban.enable = true;
services = {
services.smartd.enable = true;
services.smartd.notifications.mail.enable = true;
services.smartd.notifications.mail.recipient = "paul@nyanlout.re";
fail2ban.enable = true;
services.haproxy-acme.enable = true;
services.haproxy-acme.domaine = domaine;
services.haproxy-acme.services = {
smartd = {
enable = true;
defaults.monitored = "-a -o on -s (S/../.././02|L/../../7/04)";
notifications.mail = {
enable = true;
recipient = "paul@nyanlout.re";
};
};
fstrim.enable = true;
haproxy-acme = {
enable = true;
domaine = domaine;
services = {
"grafana.${domaine}" = { ip = "127.0.0.1"; port = 3000; auth = true; };
"emby.${domaine}" = { ip = "127.0.0.1"; port = 8096; auth = false; };
"radarr.${domaine}" = { ip = "127.0.0.1"; port = 7878; auth = true; extraAcls = "acl API url_beg /api\n"; aclBool = "!AUTH_OK !API"; };
@ -48,15 +53,21 @@ in
"pgmanage.${domaine}" = { ip = "127.0.0.1"; port = pgmanage_port; auth = true; };
"gitea.${domaine}" = { ip = "127.0.0.1"; port = 3001; auth = false; };
};
};
services.mailserver.enable = true;
services.mailserver.domaine = domaine;
mailserver = {
enable = true;
domaine = domaine;
};
services.influxdb.enable = true;
services.influxdb.dataDir = "/var/db/influxdb";
influxdb = {
enable = true;
dataDir = "/var/db/influxdb";
};
services.telegraf.enable = true;
services.telegraf.extraConfig = {
telegraf = {
enable = true;
extraConfig = {
inputs = {
zfs = { poolMetrics = true; };
net = { interfaces = [ "eno1" "eno2" "eno3" "eno4" ]; };
@ -118,19 +129,17 @@ in
influxdb = { database = "telegraf"; urls = [ "http://localhost:8086" ]; };
};
};
};
services.udev.extraRules = ''
udev.extraRules = ''
KERNEL=="ipmi*", MODE="660", OWNER="telegraf"
'';
security.sudo.extraRules = [
{ commands = [ { command = "${pkgs.smartmontools}/bin/smartctl"; options = [ "NOPASSWD" ]; } ]; users = [ "telegraf" ]; }
];
services.grafana.enable = true;
services.grafana.addr = "127.0.0.1";
services.grafana.dataDir = "/var/lib/grafana";
services.grafana.extraOptions = {
grafana = {
enable = true;
addr = "127.0.0.1";
dataDir = "/var/lib/grafana";
extraOptions = {
SERVER_ROOT_URL = "https://grafana.${domaine}";
SMTP_ENABLED = "true";
SMTP_FROM_ADDRESS = "grafana@${domaine}";
@ -141,18 +150,25 @@ in
AUTH_ANONYMOUS_ORG_ROLE = "Admin";
AUTH_BASIC_ENABLED = "false";
};
};
services.emby.enable = true;
services.emby.dataDir = "/var/lib/emby/ProgramData-Server";
emby = {
enable = true;
dataDir = "/var/lib/emby/ProgramData-Server";
};
services.slimserver.enable = true;
services.slimserver.dataDir = "/var/lib/slimserver";
slimserver = {
enable = true;
dataDir = "/var/lib/slimserver";
};
services.syncthing.enable = true;
services.syncthing.dataDir = "/var/lib/syncthing";
services.syncthing.openDefaultPorts = true;
syncthing = {
enable = true;
dataDir = "/var/lib/syncthing";
openDefaultPorts = true;
};
services.nfs.server = {
nfs.server = {
enable = true;
exports = ''
/mnt/medias 192.168.0.0/24(ro,no_root_squash)
@ -163,32 +179,38 @@ in
mountdPort = 4002;
};
services.transmission.enable = true;
services.transmission.home = "/var/lib/transmission";
services.transmission.settings = {
transmission = {
enable = true;
home = "/var/lib/transmission";
settings = {
rpc-bind-address = "127.0.0.1";
rpc-host-whitelist = "*";
rpc-whitelist-enabled = false;
};
};
services.radarr.enable = true;
services.sonarr.enable = true;
services.jackett.enable = true;
radarr.enable = true;
sonarr.enable = true;
jackett.enable = true;
services.searx.enable = true;
searx.enable = true;
services.nginx.enable = true;
services.nginx.virtualHosts = {
nginx = {
enable = true;
virtualHosts = {
"riot" = {
listen = [ { addr = "127.0.0.1"; port = riot_port; } ];
locations = { "/" = { root = pkgs.riot-web; }; };
};
};
};
services.postgresql.enable = true;
services.matrix-synapse = {
postgresql.enable = true;
/*
matrix-synapse = {
enable = true;
package = ekleog_matrix_0_33_pkgs.matrix-synapse;
package = unstable.matrix-synapse;
enable_registration = true;
server_name = "nyanlout.re";
listeners = [
@ -247,19 +269,18 @@ in
disable_existing_loggers: False
'';
};
*/
systemd.services.matrix-synapse.serviceConfig = {
MemoryHigh = "3G";
MemoryMax = "4G";
};
services.pgmanage.enable = true;
services.pgmanage.port = pgmanage_port;
services.pgmanage.connections = {
pgmanage = {
enable = true;
port = pgmanage_port;
connections = {
localhost = "hostaddr=127.0.0.1 port=5432 dbname=postgres";
};
};
services.borgbackup.jobs = {
/*
borgbackup.jobs = {
loutre = {
paths = [
"/var/certs"
@ -299,8 +320,9 @@ in
'';
};
};
*/
services.borgbackup.repos = {
borgbackup.repos = {
diskstation = {
authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDllbxON66dBju7sMnhX8/E0VRo3+PDYvDsHP0/FK+h8JHol4+pouLmI7KIDKYOJmSuom283OqnyZOMqk+RShTwWIFm9hOd2R9aj45Zrd9jPW2APOCec/Epgogj0bwBnc0l2v6qxkxaBMgL5DnAQ+E00uvL1UQpK8c8j4GGiPlkWJD6Kf+pxmnfH1TIm+J2XCwl0oeCkSK/Frd8eM+wCraMSzoaGiEcfMz2jK8hxDWjDxX7epU0ELF22BVCuyN8cYRoFTnV88E38PlaqsOqD5ePkxk425gDh7j/C06f8QKgnasVH2diixo92kYSd7i/RmfeXDDwAD5xqUvODczEuIdt root@DiskStation" ];
path = "/mnt/backup_loutre/diskstation_borg";
@ -308,17 +330,19 @@ in
};
};
services.gitea = {
gitea = {
enable = true;
cookieSecure = true;
httpPort = 3001;
rootUrl = "https://gitea.nyanlout.re/";
database.type = "postgres";
database.port = 5432;
database.passwordFile = "/mnt/secrets/gitea_database_passwordFile";
database = {
type = "postgres";
port = 5432;
passwordFile = "/mnt/secrets/gitea_database_passwordFile";
};
};
services.vsftpd = {
vsftpd = {
enable = true;
forceLocalLoginsSSL = true;
forceLocalDataSSL = true;
@ -332,13 +356,18 @@ in
'';
};
services.site-musique.enable = true;
services.site-musique.port = musique_port;
services.site-musique.domaine = "musique-meyenheim.fr";
site-musique = {
enable = true;
port = musique_port;
domaine = "musique-meyenheim.fr";
};
services.site-max.enable = true;
services.site-max.port = max_port;
services.site-max.domaine = "maxspiegel.fr";
site-max = {
enable = true;
port = max_port;
domaine = "maxspiegel.fr";
};
};
/*
systemd.services.dogetipbot-telegram = {
@ -352,8 +381,19 @@ in
Group = "nogroup";
};
};
systemd.services.matrix-synapse = {
serviceConfig = {
MemoryHigh = "3G";
MemoryMax = "5G";
};
};
*/
security.sudo.extraRules = [
{ commands = [ { command = "${pkgs.smartmontools}/bin/smartctl"; options = [ "NOPASSWD" ]; } ]; users = [ "telegraf" ]; }
];
networking.firewall.allowedTCPPorts = [
111 2049 4000 4001 4002 # NFS
3483 9000 9090 # Slimserver

3
systems/LoutreOS/users.nix
View File

@ -34,8 +34,7 @@
};
};
users.extraGroups.medias =
{
users.extraGroups.medias = {
gid = 498;
members = [ "slimserver" "radarr" "sonarr" "emby" "transmission" ];
};