vskilet
/
nixos-config
forked from nyanloutre/nixos-config
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge branch 'master' of gitea.nyanlout.re:nyanloutre/nixos-config

This commit is contained in:
nyanloutre 2021-10-14 13:47:51 +02:00
parent 8ee4f91254 ff41ad8eba
commit da8d433e8a
11 changed files with 632 additions and 211 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

95
flake.lock Normal file
View File

@ -0,0 +1,95 @@
{
"nodes": {
"nixpkgs": {
"locked": {
"lastModified": 1634115022,
"narHash": "sha256-K9DZMQ47VRrg9gtTPwex5p0E8LnwM/dDkNe7AQW0qj0=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "564cb4d81d4f734dd068684adec5a60077397fe9",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "release-21.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1633971123,
"narHash": "sha256-WmI4NbH1IPGFWVkuBkKoYgOnxgwSfWDgdZplJlQ93vA=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "e4ef597edfd8a0ba5f12362932fc9b1dd01a0aef",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1607522989,
"narHash": "sha256-o/jWhOSAlaK7y2M57OIriRt6whuVVocS/T0mG7fd1TI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e9158eca70ae59e73fae23be5d13d3fa0cfc78b4",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-unstable",
"type": "indirect"
}
},
"root": {
"inputs": {
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"simple-nixos-mailserver": "simple-nixos-mailserver"
}
},
"simple-nixos-mailserver": {
"inputs": {
"nixpkgs": "nixpkgs_2",
"utils": "utils"
},
"locked": {
"lastModified": 1622967674,
"narHash": "sha256-8RLe6Rqy2rKR/PGDMg/EVsWihsO+DQe/RYmlXdRZkLs=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "5675b122a947b40e551438df6a623efad19fd2e7",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"ref": "nixos-21.05",
"repo": "nixos-mailserver",
"type": "gitlab"
}
},
"utils": {
"locked": {
"lastModified": 1605370193,
"narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5021eac20303a61fafe17224c087f5519baed54d",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

25
flake.nix Normal file
View File

@ -0,0 +1,25 @@
{
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/release-21.05";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-21.05";
};
outputs = { self, nixpkgs, nixpkgs-unstable, simple-nixos-mailserver }: {
nixosConfigurations.loutreos = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
({ pkgs, ... }: {
nix.nixPath = [
"nixpkgs=${nixpkgs}"
];
})
nixpkgs.nixosModules.notDetected
"${nixpkgs-unstable}/nixos/modules/services/audio/navidrome.nix"
simple-nixos-mailserver.nixosModule
./systems/LoutreOS/configuration.nix
];
};
};
}

76
services/mail-server.nix
View File

@ -1,76 +0,0 @@
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.services.mailserver;
in
{
options.services.mailserver = {
enable = mkEnableOption "Mail Server";
domaine = mkOption {
type = types.str;
example = "example.com";
description = "Nom de domaine du serveur de mails";
};
};
imports = [
(builtins.fetchTarball {
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.3.0/nixos-mailserver-v2.3.0.tar.gz";
sha256 = "0lpz08qviccvpfws2nm83n7m2r8add2wvfg9bljx9yxx8107r919";
})
];
config = mkIf cfg.enable {
mailserver = {
enable = true;
fqdn = "mail.${cfg.domaine}";
domains = [ cfg.domaine ];
# A list of all login accounts. To create the password hashes, use
# mkpasswd -m sha-512 "super secret password"
loginAccounts = {
"paul@${cfg.domaine}" = {
hashedPassword = "$6$8wWQbtqVqUoH8$pQKg0bZPcjCbuPvyhjJ1lQy949M/AgfmAye/hDEIVUnCfwtlUxC1yj8CBHpNKeiiXhd8IUqk9r0/IJNvB6okf0";
};
};
# Certificate setup
certificateScheme = 1;
certificateFile = "/var/lib/acme/${cfg.domaine}/fullchain.pem";
keyFile = "/var/lib/acme/${cfg.domaine}/key.pem";
# Enable IMAP and POP3
enableImap = true;
enablePop3 = true;
enableImapSsl = true;
enablePop3Ssl = true;
# Enable the ManageSieve protocol
enableManageSieve = true;
};
services.postfix = {
relayHost = "mailvps.nyanlout.re";
relayPort = 587;
config = {
smtp_tls_cert_file = lib.mkForce "/var/lib/postfix/postfixrelay.crt";
smtp_tls_key_file = lib.mkForce "/var/lib/postfix/postfixrelay.key";
};
};
security.acme.certs = {
"${cfg.domaine}" = {
extraDomains = {
"mail.${cfg.domaine}" = null;
};
postRun = ''
systemctl reload dovecot2.service
'';
};
};
};
}

22
systems/LoutreOS/configuration.nix
View File

@ -4,10 +4,6 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
let
gitRev = "4c45e960e797d660358a11723e736afee3998261";
nixpkgs = fetchTarball "https://github.com/nyanloutre/nixpkgs/archive/${gitRev}.tar.gz";
in
{ {
imports = [ imports = [
../common-cli.nix ../common-cli.nix
@ -27,13 +23,17 @@ in
tmpOnTmpfs = true; tmpOnTmpfs = true;
}; };
nix.nixPath = [ nix = {
"nixpkgs=${nixpkgs}" package = pkgs.nixUnstable;
"nixos-config=/etc/nixos/configuration.nix" extraOptions = ''
]; experimental-features = nix-command flakes
'';
};
documentation.nixos.enable = false;
nixpkgs.config.allowUnfree = false; nixpkgs.config.allowUnfree = false;
nixpkgs.config.allowUnfreePredicate = (pkg: builtins.elem pkg.pname or (builtins.parseDrvName pkg.name).name [ "factorio-headless" "perl5.30.1-slimserver" "minecraft-server" ]); nixpkgs.config.allowUnfreePredicate = (pkg: builtins.elem pkg.pname or (builtins.parseDrvName pkg.name).name [ "factorio-headless" "perl5.32.1-slimserver" "minecraft-server" ]);
services.zfs = { services.zfs = {
autoSnapshot.enable = true; autoSnapshot.enable = true;
@ -131,6 +131,7 @@ in
{ ethernetAddress = "ac:1f:6b:4b:01:15"; hostName = "IPMI"; ipAddress = "10.30.1.1"; } { ethernetAddress = "ac:1f:6b:4b:01:15"; hostName = "IPMI"; ipAddress = "10.30.1.1"; }
{ ethernetAddress = "00:1f:c6:6e:d1:f1"; hostName = "minecraftos"; ipAddress = "10.30.135.35"; } { ethernetAddress = "00:1f:c6:6e:d1:f1"; hostName = "minecraftos"; ipAddress = "10.30.135.35"; }
{ ethernetAddress = "b4:2e:99:ed:24:26"; hostName = "paul-fixe"; ipAddress = "10.30.135.71"; } { ethernetAddress = "b4:2e:99:ed:24:26"; hostName = "paul-fixe"; ipAddress = "10.30.135.71"; }
{ ethernetAddress = "20:47:da:fc:19:98"; hostName = "telephone-nyan"; ipAddress = "10.30.50.2"; }
#ESPHome #ESPHome
{ ethernetAddress = "e0:98:06:85:e9:ce"; hostName = "salonled"; ipAddress = "10.30.40.1"; } { ethernetAddress = "e0:98:06:85:e9:ce"; hostName = "salonled"; ipAddress = "10.30.40.1"; }
@ -172,11 +173,14 @@ in
home = "/home/autossh"; home = "/home/autossh";
createHome = true; createHome = true;
group = "autossh"; group = "autossh";
isSystemUser = true;
}; };
}; };
services.autossh.sessions = [ { extraArguments = "-N -R 0.0.0.0:2222:127.0.0.1:22 loutre@vps772619.ovh.net"; monitoringPort = 20000; name = "backup-ssh-reverse"; user = "autossh"; } ]; services.autossh.sessions = [ { extraArguments = "-N -R 0.0.0.0:2222:127.0.0.1:22 loutre@vps772619.ovh.net"; monitoringPort = 20000; name = "backup-ssh-reverse"; user = "autossh"; } ];
virtualisation.podman.enable = true;
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
system.stateVersion = "18.03"; system.stateVersion = "18.03";

19
systems/LoutreOS/hardware-configuration.nix
View File

@ -4,10 +4,6 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
{ {
imports =
[ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" "sr_mod" ]; boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "nvme" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
@ -157,6 +153,21 @@
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/var/lib/hass" =
{ device = "loutrepool/var/hass";
fsType = "zfs";
};
fileSystems."/mnt/paul-home" =
{ device = "loutrepool/zfs-replicate/paul-fixe/fastaf/home";
fsType = "zfs";
};
fileSystems."/mnt/webdav" =
{ device = "loutrepool/webdav";
fsType = "zfs";
};
swapDevices = swapDevices =
[ [
{ {

41
systems/LoutreOS/medias.nix
View File

@ -5,6 +5,8 @@
transmission = { transmission = {
enable = true; enable = true;
home = "/var/lib/transmission"; home = "/var/lib/transmission";
port = 9091;
group = "medias";
settings = { settings = {
rpc-bind-address = "127.0.0.1"; rpc-bind-address = "127.0.0.1";
rpc-host-whitelist = "*"; rpc-host-whitelist = "*";
@ -18,19 +20,25 @@
sonarr.enable = true; sonarr.enable = true;
jackett.enable = true; jackett.enable = true;
jellyfin.enable = true; jellyfin = {
slimserver = {
enable = true; enable = true;
dataDir = "/var/lib/slimserver"; package = pkgs.jellyfin;
}; };
airsonic = { navidrome = {
enable = true; enable = true;
maxMemory = 500; settings = {
MusicFolder = "/mnt/medias/musique";
ImageCacheSize = 0;
};
}; };
}; };
systemd.services.transmission.serviceConfig = {
BindPaths = [ "/mnt/medias" ];
LimitNOFILE = 1048576;
};
networking = { networking = {
firewall.allowedTCPPorts = [ firewall.allowedTCPPorts = [
config.services.transmission.settings.peer-port config.services.transmission.settings.peer-port
@ -40,4 +48,25 @@
config.services.transmission.settings.peer-port config.services.transmission.settings.peer-port
]; ];
}; };
virtualisation.oci-containers = {
backend = "podman";
containers = {
slimserver = {
image = "docker.io/lmscommunity/logitechmediaserver:stable";
volumes = [
"/mnt/medias/musique:/music:ro"
"/var/lib/slimserver:/config:rw"
"/etc/localtime:/etc/localtime:ro"
];
ports = [
"9000:9000/tcp"
"9090:9090/tcp"
"3483:3483/tcp"
"3483:3483/udp"
];
extraOptions = ["--pull=always"];
};
};
};
} }

10
systems/LoutreOS/monitoring.nix
View File

@ -35,15 +35,9 @@ in
cgroup = [ cgroup = [
{ {
paths = [ paths = [
"/sys/fs/cgroup/memory/system.slice/*" "/sys/fs/cgroup/system.slice/*"
]; ];
files = ["memory.*usage*" "memory.limit_in_bytes"]; files = ["memory.current" "cpu.stat"];
}
{
paths = [
"/sys/fs/cgroup/cpu/system.slice/*"
];
files = ["cpuacct.usage" "cpu.cfs_period_us" "cpu.cfs_quota_us"];
} }
]; ];
ipmi_sensor = { path = "${pkgs.ipmitool}/bin/ipmitool"; }; ipmi_sensor = { path = "${pkgs.ipmitool}/bin/ipmitool"; };

285
systems/LoutreOS/services.nix
View File

@ -14,37 +14,104 @@ let
''; '';
login_mail_alert = pkgs.writeShellScriptBin "mail_alert.sh" '' login_mail_alert = pkgs.writeShellScriptBin "mail_alert.sh" ''
if [ "$PAM_TYPE" != "close_session" ]; then if [ "$PAM_TYPE" != "close_session" ] && [ "$PAM_USER" != "zfspaulfixe" ] && [ "$PAM_USER" != "synology" ] && [ "$PAM_USER" != "rezome" ]; then
${sendMail "paul@nyanlout.re" "SSH Login: $PAM_USER from $PAM_RHOST" "`env`"}/bin/mail.sh ${sendMail "paul@nyanlout.re" "SSH Login: $PAM_USER from $PAM_RHOST" "`env`"}/bin/mail.sh
fi fi
''; '';
backup_mail_alert = sendMail "paul@nyanlout.re" "ERREUR: Sauvegarde Borg" "Impossible de terminer la sauvegarde. Merci de voir les logs"; backup_mail_alert = sendMail "paul@nyanlout.re" "ERREUR: Sauvegarde Borg" "Impossible de terminer la sauvegarde. Merci de voir les logs";
unstable = import <nixos-unstable> { };
in in
{ {
imports = [ imports = [
../../services/mail-server.nix
../../services/python-ci.nix ../../services/python-ci.nix
../../services/sdtdserver.nix ../../services/sdtdserver.nix
../../containers/vsftpd.nix # ../../containers/vsftpd.nix
# /mnt/secrets/factorio_secrets.nix # /mnt/secrets/factorio_secrets.nix
./monitoring.nix ./monitoring.nix
./medias.nix ./medias.nix
./web.nix ./web.nix
]; ];
security.acme.certs = {
"${domaine}" = {
extraDomainNames = [
"mail.${domaine}"
];
postRun = ''
systemctl reload dovecot2.service
'';
};
};
mailserver = {
enable = true;
fqdn = "mail.${domaine}";
domains = [ domaine ];
# A list of all login accounts. To create the password hashes, use
# mkpasswd -m sha-512 "super secret password"
loginAccounts = {
"paul@${domaine}" = {
hashedPassword = "$6$8wWQbtqVqUoH8$pQKg0bZPcjCbuPvyhjJ1lQy949M/AgfmAye/hDEIVUnCfwtlUxC1yj8CBHpNKeiiXhd8IUqk9r0/IJNvB6okf0";
};
"claire@${domaine}" = {
hashedPassword = "$6$Y.vlWP9./DX$NEQQOLzYftbHOvXDkKdBYFAjzIjh8mlpomDuQRq6qkkZijrdy/p6jSbrpBLhoWwVmj4j1OWekHU1f4C9xCNJk.";
};
};
# Certificate setup
certificateScheme = 1;
certificateFile = "/var/lib/acme/${domaine}/fullchain.pem";
keyFile = "/var/lib/acme/${domaine}/key.pem";
# Enable IMAP and POP3
enableImap = true;
enablePop3 = true;
enableImapSsl = true;
enablePop3Ssl = true;
# Enable the ManageSieve protocol
enableManageSieve = true;
};
services = { services = {
postfix = {
relayHost = "mailvps.nyanlout.re";
relayPort = 587;
config = {
smtp_tls_cert_file = lib.mkForce "/var/lib/postfix/postfixrelay.crt";
smtp_tls_key_file = lib.mkForce "/var/lib/postfix/postfixrelay.key";
};
};
rspamd.workers.controller.extraConfig = ''
secure_ip = ["127.0.0.1", "10.30.135.71"];
'';
redis.enable = true;
logrotate = {
enable = true;
paths = {
nginx = {
path = "/var/log/nginx/*.log";
user = config.services.nginx.user;
group = config.services.nginx.group;
keep = 7;
extraConfig = ''
compress
'';
};
};
};
fail2ban.enable = true; fail2ban.enable = true;
fstrim.enable = true; fstrim.enable = true;
mailserver = {
enable = true;
domaine = domaine;
};
syncthing = { syncthing = {
enable = true; enable = true;
dataDir = "/var/lib/syncthing"; dataDir = "/var/lib/syncthing";
@ -161,14 +228,18 @@ in
"/var/lib/postgresql/.zfs/snapshot/borgsnap" "/var/lib/postgresql/.zfs/snapshot/borgsnap"
"/var/lib/radarr" "/var/lib/radarr"
"/var/lib/sonarr" "/var/lib/sonarr"
"/var/lib/syncthing"
"/var/lib/transmission" "/var/lib/transmission"
"/mnt/medias/musique" "/mnt/medias/musique"
"/mnt/medias/torrent/lidarr" "/mnt/medias/torrent/lidarr"
"/mnt/medias/torrent/musique" "/mnt/medias/torrent/musique"
"/mnt/paul-home/paul"
"/var/sieve" "/var/sieve"
"/var/vmail" "/var/vmail"
]; ];
exclude = [
"/var/lib/radarr/.config/Radarr/radarr.db-wal"
"/var/lib/radarr/.config/Radarr/radarr.db-shm"
];
repo = "/mnt/backup/borg"; repo = "/mnt/backup/borg";
encryption = { encryption = {
mode = "repokey-blake2"; mode = "repokey-blake2";
@ -181,10 +252,11 @@ in
monthly = 12; monthly = 12;
}; };
preHook = "${pkgs.zfs}/bin/zfs snapshot loutrepool/var/postgresql@borgsnap"; preHook = "${pkgs.zfs}/bin/zfs snapshot loutrepool/var/postgresql@borgsnap";
readWritePaths = [ "/var/lib/postfix/queue/maildrop" ];
postHook = '' postHook = ''
${pkgs.zfs}/bin/zfs destroy loutrepool/var/postgresql@borgsnap ${pkgs.zfs}/bin/zfs destroy loutrepool/var/postgresql@borgsnap
if [[ $exitStatus == 0 ]]; then if [[ $exitStatus == 0 ]]; then
${pkgs.rclone}/bin/rclone --config /mnt/secrets/rclone_loutre.conf sync -v $BORG_REPO BackupStorage:loutre ${pkgs.rclone}/bin/rclone --config /mnt/secrets/rclone_loutre.conf sync -v $BORG_REPO BackupStorage:default
else else
${backup_mail_alert}/bin/mail.sh ${backup_mail_alert}/bin/mail.sh
fi fi
@ -198,6 +270,11 @@ in
path = "/mnt/backup_loutre/diskstation_borg"; path = "/mnt/backup_loutre/diskstation_borg";
user = "synology"; user = "synology";
}; };
minecraft-rezome = {
authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc1nGsSesW96k0DPMSt/chjvCrYmfgPgHG1hdUYB5x0pZPdOJaVRIlETWdoFlO+ViviC518B3TF7Qc3oJXPZMchJQl684Nukbc312juf+j9z/KT3dqD8YvKX6o5ynx1Dyq52ftrfkBAEAvzE0OfRljUPbwGBOM0dGRD4R1jbiHquTXpITlbgGTZymbwr4Jr9W9atgf5kHMiX7xOqMZcasDtUE8g+AG4ysHdpjOrBOUM9QeRbVP1bxEFP8xjqOOoET5tbkwektP4B2jaf+EHBPUy2lkwjVEKT6MaSlkJx/wMvUWp25kG9mrXgwUw1bgfOeZIsK6ztcki3l92BJQD9ip shame@minecraft.rezom.eu" ];
path = "/mnt/backup_loutre/minecraft_rezome";
user = "rezome";
};
}; };
sdtdserver.enable = false; sdtdserver.enable = false;
@ -246,8 +323,13 @@ in
}; };
influxdb = null; influxdb = null;
config = null; config = null;
dhcp = null;
frontend = null; frontend = null;
history = null; history = null;
http = {
use_x_forwarded_for = true;
trusted_proxies = [ "127.0.0.1" ];
};
logbook = null; logbook = null;
map = null; map = null;
mobile_app = null; mobile_app = null;
@ -260,6 +342,7 @@ in
"10.40.249.1".name = "Bureau"; "10.40.249.1".name = "Bureau";
"10.40.249.2".name = "Cuisine"; "10.40.249.2".name = "Cuisine";
}; };
zha = null;
esphome = null; esphome = null;
light = [ light = [
{ {
@ -321,6 +404,12 @@ in
broadcast_address = "10.30.255.255"; broadcast_address = "10.30.255.255";
} }
]; ];
device_tracker = [
{
platform = "ping";
hosts = { telephone_paul = "10.30.50.2"; };
}
];
scene = [ scene = [
{ {
name = "Movie"; name = "Movie";
@ -377,7 +466,27 @@ in
]; ];
automation = let automation = let
min_sun_elevation = 4; min_sun_elevation = 4;
switch_chambre = {
domain = "zha";
platform = "device";
device_id = "3329ecdcad244e5e8fc0f4b96d52ffe1";
};
switch_entree = {
domain = "zha";
platform = "device";
device_id = "7cd814190ec543dba76a7aa7e7996c41";
};
remote = {
domain = "zha";
platform = "device";
device_id = "d1230b76264e483388a8fdaad4f44143";
};
in [ in [
# ENTREE
{ {
alias = "Aziz lumière"; alias = "Aziz lumière";
trigger = [ trigger = [
@ -387,11 +496,6 @@ in
value_template = "{{ state.attributes.elevation }}"; value_template = "{{ state.attributes.elevation }}";
below = min_sun_elevation; below = min_sun_elevation;
} }
{
platform = "state";
entity_id = "person.paul";
to = "home";
}
]; ];
condition = [ condition = [
{ {
@ -399,6 +503,7 @@ in
entity_id = "person.paul"; entity_id = "person.paul";
state = "home"; state = "home";
} }
# Sun below max elevation
{ {
condition = "template"; condition = "template";
value_template = "{{ state_attr('sun.sun', 'elevation') < ${toString min_sun_elevation} }}"; value_template = "{{ state_attr('sun.sun', 'elevation') < ${toString min_sun_elevation} }}";
@ -409,23 +514,162 @@ in
}; };
} }
{ {
alias = "Adios"; alias = "Aziz lumière switch";
trigger = { trigger = {
platform = "state"; type = "remote_button_short_press";
entity_id = "person.paul"; subtype = "turn_on";
to = "not_home"; } // switch_entree;
action = {
scene = "scene.home";
}; };
}
{
alias = "Adios";
trigger = [
{
platform = "state";
entity_id = "person.paul";
to = "not_home";
}
({
type = "remote_button_short_press";
subtype = "turn_off";
} // switch_entree)
];
action = [ action = [
{ {
service = "light.turn_off"; service = "light.turn_off";
entity_id = "all"; entity_id = "all";
} }
{ {
service = "media_player.media_pause"; service = "media_player.turn_off";
entity_id = "all"; entity_id = "all";
} }
]; ];
} }
# REMOTE
{
alias = "Button toggle";
trigger = {
type = "remote_button_short_press";
subtype = "turn_on";
} // remote;
action = {
choose = {
conditions = {
condition = "template";
value_template = ''
{% set domain = 'light' %}
{% set state = 'off' %}
{{ states[domain] | count == states[domain] | selectattr('state','eq',state) | list | count }}
'';
};
sequence = {
scene = "scene.home";
};
};
default = {
service = "light.turn_off";
entity_id = "all";
};
};
}
{
alias = "Button scene movie";
trigger = {
type = "remote_button_short_press";
subtype = "right";
} // remote;
action = {
scene = "scene.movie";
};
}
{
alias = "Button scene home";
trigger = {
type = "remote_button_short_press";
subtype = "left";
} // remote;
action = {
scene = "scene.home";
};
}
{
alias = "Button light up";
trigger = {
type = "remote_button_short_press";
subtype = "dim_up";
} // remote;
action = {
service = "light.turn_on";
entity_id = "light.salon";
data = {
brightness_step = 25;
};
};
}
{
alias = "Button light down";
trigger = {
type = "remote_button_short_press";
subtype = "dim_down";
} // remote;
action = {
service = "light.turn_on";
entity_id = "light.salon";
data = {
brightness_step = -25;
};
};
}
# CHAMBRE
{
alias = "Button scene night";
trigger = {
type = "remote_button_short_press";
subtype = "turn_on";
} // switch_chambre;
action = {
scene = "scene.night";
};
}
{
alias = "Button scene dodo";
trigger = {
type = "remote_button_short_press";
subtype = "turn_off";
} // switch_chambre;
action = {
service = "light.turn_off";
entity_id = "all";
};
}
{
alias = "Button scene lumière chambre ON";
trigger = {
type = "remote_button_long_press";
subtype = "dim_up";
} // switch_chambre;
action = {
service = "light.turn_on";
entity_id = "light.chambre";
};
}
{
alias = "Button scene lumière chambre OFF";
trigger = {
type = "remote_button_long_press";
subtype = "dim_down";
} // switch_chambre;
action = {
service = "light.turn_off";
entity_id = "light.chambre";
};
}
]; ];
}; };
}; };
@ -492,7 +736,6 @@ in
# ''; # '';
users.groups.nginx.members = [ "matrix-synapse" ]; users.groups.nginx.members = [ "matrix-synapse" ];
security.acme.certs."nyanlout.re".allowKeysForGroup = true;
security.pam.services.sshd.text = pkgs.lib.mkDefault( pkgs.lib.mkAfter "session optional ${pkgs.pam}/lib/security/pam_exec.so seteuid ${login_mail_alert}/bin/mail_alert.sh" ); security.pam.services.sshd.text = pkgs.lib.mkDefault( pkgs.lib.mkAfter "session optional ${pkgs.pam}/lib/security/pam_exec.so seteuid ${login_mail_alert}/bin/mail_alert.sh" );

34
systems/LoutreOS/users.nix
View File

@ -1,12 +1,12 @@
{ config, pkgs, ... }: { lib, config, pkgs, ... }:
{ {
users.extraUsers = { users.users = {
paul = { paul = {
uid = 1000; uid = 1000;
isNormalUser = true; isNormalUser = true;
description = "Paul TREHIOU"; description = "Paul TREHIOU";
extraGroups = [ "wheel" "medias" ]; extraGroups = [ "wheel" "medias" "transmission" ];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAF7VlzHzgg70uFbRFtVTS34qNBke/RD36mRENAsa33RxztxrqMsIDscAD/d6CTe6HDy7MCGzJnWCJSXj5iOQFM4RRMvKNEgCKPHqfhmfVvO4YZuMjNB0ufVf6zhJL4Hy43STf7NIWrenGemUP+OvVSwN/ujgl2KKw4KJZt25/h/7JjlCgsZm4lWg4xcjoiKL701W2fbEoU73XKdbRTgTvKoeK1CGxdAPFefFDFcv/mtJ7d+wIxw9xODcLcA66Bu94WGMdpyEAJc4nF8IOy4pW8AzllDi0qNEZGCQ5+94upnLz0knG1ue9qU2ScAkW1/5rIJTHCVtBnmbLNSAOBAstaGQJuSL40TWZ1oPA5i1qUEhunNcJ+Sgtp6XP69qY34T/AeJvHRyw5M5LfN0g+4ka9k06NPBhbpHFASz4M8nabQ0iM63++xcapnw/8gk+EPhYVKW86SsyTa9ur+tt6oDWEKNaOhgscX44LexY7jKdeBRt3GaObtBJtVLBRx3Z2aRXgjgnKGqS40mGRiSkqb2DShspI1l8DV2RrPiuwdBzXVQjWRc0KXmJrcgXX9uoPSxihxwaUQyvmITOV1Y+NEuek4gRkVNOxjoG7RGnaYvYzxEQVoI5TwZC2/DCrAUgCv8DQawkcpEiWnBq7Q5VnpmFx5juVQ/I0G8byOkPXgRUOk9 openpgp:0xAB524BBC" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAF7VlzHzgg70uFbRFtVTS34qNBke/RD36mRENAsa33RxztxrqMsIDscAD/d6CTe6HDy7MCGzJnWCJSXj5iOQFM4RRMvKNEgCKPHqfhmfVvO4YZuMjNB0ufVf6zhJL4Hy43STf7NIWrenGemUP+OvVSwN/ujgl2KKw4KJZt25/h/7JjlCgsZm4lWg4xcjoiKL701W2fbEoU73XKdbRTgTvKoeK1CGxdAPFefFDFcv/mtJ7d+wIxw9xODcLcA66Bu94WGMdpyEAJc4nF8IOy4pW8AzllDi0qNEZGCQ5+94upnLz0knG1ue9qU2ScAkW1/5rIJTHCVtBnmbLNSAOBAstaGQJuSL40TWZ1oPA5i1qUEhunNcJ+Sgtp6XP69qY34T/AeJvHRyw5M5LfN0g+4ka9k06NPBhbpHFASz4M8nabQ0iM63++xcapnw/8gk+EPhYVKW86SsyTa9ur+tt6oDWEKNaOhgscX44LexY7jKdeBRt3GaObtBJtVLBRx3Z2aRXgjgnKGqS40mGRiSkqb2DShspI1l8DV2RrPiuwdBzXVQjWRc0KXmJrcgXX9uoPSxihxwaUQyvmITOV1Y+NEuek4gRkVNOxjoG7RGnaYvYzxEQVoI5TwZC2/DCrAUgCv8DQawkcpEiWnBq7Q5VnpmFx5juVQ/I0G8byOkPXgRUOk9 openpgp:0xAB524BBC"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCACVI2dL4AmOdcb7RSl3JZpfK33NhqrYFfWfXMYow5SPJ9VPteOp5kVvKUuSbGH3chjpttYC/ueQJJhFagiKmkeftQTslIw6C009wUExGpJwRotHqISXv2ctURGURKy2FF848whd7xZJzdj49ZJ6S+SCbRFZvVWfT2dP/JwTiWW1mbEaWKyOgrixH6wSKt9ECumjX9KjqSWGw+k3yLJxIhdqiZAjNv4soJs1mQYdIlFCXCuznzoZIQBexZPQCx0j9HjczPz1feMLWkrHzEMexNjsBE2uA6yXLbH1wa8xCJ4VOeD7u9JqVY579AsicD62G+qIgw0B2zmyz7xTrdPv+061zmYn6qYr8EXGTk4dVgedZp8M1XzZ1PVoeeftPFcClXC7zCGyCR2uzJbQLzlaTwZrdghAiS9UhMRuKpNgZy2zDWw4MqdojrF5bndPkoijlXWYrPYBFED5OU1mpwzpanYgldowJC/Ixjwi+Hmse2q4XgZ+egfuotBqPfqB+bWsCa5GNiJWGdLP69uBSsXubGnqLwvE0FAQ2GHb+SEoZKFy/QV9GzOLlVrGlgK5YFgKJD+Q1nn1QRycXt1oMVC/AtR/NshOGanhdvIRpPATGmaxLVXSY093vyAOW4MPrS00fPAXzAfJUwIuWcloFfLMo5Jitj5rpE1s6FX8xrl4upQ== paul@nyanlout.re" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCACVI2dL4AmOdcb7RSl3JZpfK33NhqrYFfWfXMYow5SPJ9VPteOp5kVvKUuSbGH3chjpttYC/ueQJJhFagiKmkeftQTslIw6C009wUExGpJwRotHqISXv2ctURGURKy2FF848whd7xZJzdj49ZJ6S+SCbRFZvVWfT2dP/JwTiWW1mbEaWKyOgrixH6wSKt9ECumjX9KjqSWGw+k3yLJxIhdqiZAjNv4soJs1mQYdIlFCXCuznzoZIQBexZPQCx0j9HjczPz1feMLWkrHzEMexNjsBE2uA6yXLbH1wa8xCJ4VOeD7u9JqVY579AsicD62G+qIgw0B2zmyz7xTrdPv+061zmYn6qYr8EXGTk4dVgedZp8M1XzZ1PVoeeftPFcClXC7zCGyCR2uzJbQLzlaTwZrdghAiS9UhMRuKpNgZy2zDWw4MqdojrF5bndPkoijlXWYrPYBFED5OU1mpwzpanYgldowJC/Ixjwi+Hmse2q4XgZ+egfuotBqPfqB+bWsCa5GNiJWGdLP69uBSsXubGnqLwvE0FAQ2GHb+SEoZKFy/QV9GzOLlVrGlgK5YFgKJD+Q1nn1QRycXt1oMVC/AtR/NshOGanhdvIRpPATGmaxLVXSY093vyAOW4MPrS00fPAXzAfJUwIuWcloFfLMo5Jitj5rpE1s6FX8xrl4upQ== paul@nyanlout.re"
@ -19,16 +19,38 @@
isNormalUser = true; isNormalUser = true;
description = "Victor SENE"; description = "Victor SENE";
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCaCc2qcQsd/VPDX1K97zJ/MjObWnTfRkA98xeNnVTeGoMmbf/fW1KszB+3IYCngCKLhliotHEXkqOK24vMLZ9ylVPTIPLNY5OWLFRQSOU/OykP8r4ikDWmMOwI+tqkoBknTUZdA1MN1JmkpE1cWL8vRJ7mnwl/p7xCMHV19N5+UdoIx3bFsm0CCUMIYSaIefoD3tpIzmgVqBkIH4FSmNwvXHwcXhhOTGqXbTJYC/GY2mI0AFvZI3T61ReV325ms7QRQlElXP8Rv8lpjr57VISNjKsPPNvifLjy10RjIS8iNioN6fJ0XBCfKOmm37VX86aFkAgWdpzxGojprOXnViwZEWSegnvKGx8FNx3gB54zF76e6koWS+qnYf9UTdogO6uXhXZb7AoMC9XD0/l6Egh8HzPWAUZtLx74zhB8ufoKmzqOp4YrCK8Cu4N/1UTFyPUoeSCZJdcE/9iqldym06mOi4rDV5cKCzs+Q0bVP8+x8SZ9ajYUH7l4sxjDHtHiyAYniWIxGPO5NazCfx7J+1GGzbtV0HuBwE/U20z+nBy+WZ4MowQTNb2E2uhq4OgQASx7uTKtyhnfT09A3toHZVerfH8ET8YEVnwdYMCA0GHYMOZ48h1ORdE+OLyqRlxjYTCB17Kc2icSL3iv8Yd66vQagy3A+C8OhZP1rdc15bEZnw== openpgp:0x28DF0235" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCaCc2qcQsd/VPDX1K97zJ/MjObWnTfRkA98xeNnVTeGoMmbf/fW1KszB+3IYCngCKLhliotHEXkqOK24vMLZ9ylVPTIPLNY5OWLFRQSOU/OykP8r4ikDWmMOwI+tqkoBknTUZdA1MN1JmkpE1cWL8vRJ7mnwl/p7xCMHV19N5+UdoIx3bFsm0CCUMIYSaIefoD3tpIzmgVqBkIH4FSmNwvXHwcXhhOTGqXbTJYC/GY2mI0AFvZI3T61ReV325ms7QRQlElXP8Rv8lpjr57VISNjKsPPNvifLjy10RjIS8iNioN6fJ0XBCfKOmm37VX86aFkAgWdpzxGojprOXnViwZEWSegnvKGx8FNx3gB54zF76e6koWS+qnYf9UTdogO6uXhXZb7AoMC9XD0/l6Egh8HzPWAUZtLx74zhB8ufoKmzqOp4YrCK8Cu4N/1UTFyPUoeSCZJdcE/9iqldym06mOi4rDV5cKCzs+Q0bVP8+x8SZ9ajYUH7l4sxjDHtHiyAYniWIxGPO5NazCfx7J+1GGzbtV0HuBwE/U20z+nBy+WZ4MowQTNb2E2uhq4OgQASx7uTKtyhnfT09A3toHZVerfH8ET8YEVnwdYMCA0GHYMOZ48h1ORdE+OLyqRlxjYTCB17Kc2icSL3iv8Yd66vQagy3A+C8OhZP1rdc15bEZnw== openpgp:0x28DF0235"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1r2ZzVnOlmoNoLgrc3+Lx7whO8mzcwUf2p9DiYAVg2zo2zbfubLVG1BAgFDe7y+2HwJIbGDDMNUaT+FAsv0mHRlfdUMXXF3nVsFPWGovo1ks31O5zUI9IE3qFU5AJ7SPICS4lQYox1o594iS1OcwJ7Iu6pjEQRRG1OLVYSILJ994vtGsDxfz1CZ8b7u9oSwHz0E4pdy6epkFSE/+9WsZl+ziDMigYZfubjzUCzMy2uT5Z6t+r6bW6mcxnmYax/YmrRvL/dTeDE64Qf7nugjB0XOKUOKCPN5dtqYRx0fN9aDSRf4ubmyVaYeKudm9vttGHXjSPVWAvow+jUDOq2cGr victor@sene.ovh" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1r2ZzVnOlmoNoLgrc3+Lx7whO8mzcwUf2p9DiYAVg2zo2zbfubLVG1BAgFDe7y+2HwJIbGDDMNUaT+FAsv0mHRlfdUMXXF3nVsFPWGovo1ks31O5zUI9IE3qFU5AJ7SPICS4lQYox1o594iS1OcwJ7Iu6pjEQRRG1OLVYSILJ994vtGsDxfz1CZ8b7u9oSwHz0E4pdy6epkFSE/+9WsZl+ziDMigYZfubjzUCzMy2uT5Z6t+r6bW6mcxnmYax/YmrRvL/dTeDE64Qf7nugjB0XOKUOKCPN5dtqYRx0fN9aDSRf4ubmyVaYeKudm9vttGHXjSPVWAvow+jUDOq2cGr victor@sene.ovh"
]; ];
};
amandoleen = {
isNormalUser = true;
description = "Amandine <3";
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDRu0M10AfF2nS8Ky9JzQ4cDRbcjmR+LLvENohxTJhW4xwAwN/f2I0ObbiJ5PHC3mXi8V5JqnSaYNdIMXuULDxxc1QEa0aeLw4xIrYw1wEOrHvL9DeYvS289sRgWSb/PvyejEHwcBBm4Xf0/nQNQF462C064Ms56cT3YAOhNBA7ubyCAqd0VW8RHc1mZ5b/owzM7SviXrpcIM5QDPVP2051SxrqGbunAnwe5x2kNDeYqicyIik61rpYe+erhkyvL3WdgC7mHnF8VPKx049zIsfK5UmJwI+rI24cDUT9E6B4XZttpdyJK6i7/6NSYm4nrMXQxCF1tofd5yZK5vpYH8Dyiic5ykhB57kr1QCmck70VMmt77uOoMeGZ+IJCY5oZYcR/n04mUwN9mmRsECcr17a8IDQkmPd8PNbjrNRgtVKDVLtw4HyOPCAfdH+XzEGiMxnZfzq0rLEYU3S4RAkLpe2W3C0fWniEWzSnXj76AGcyJcxIVzrIYg4uzTgNhZlb08vO1ytw9QaEY17Po5YFjBD8fT9Z0UijG3WQBm7AmSrcg/OLP6UOghbnlkZFYpC0hYcbX1sTfdfysw9kT/d8BImQvwBzmJ/YRqHmCejZGTkCCmw8i93EYFm3uVFZypcSe50JV9rx9P7yPtWS4QVOg/6ltlvJiGsz45P87qjA9nO/Q== amandoleen"
];
}; };
synology = { synology = {
uid = 1001; uid = 1001;
isNormalUser = true; isNormalUser = true;
isSystemUser = lib.mkForce false;
description = "Synology Diskstation maison"; description = "Synology Diskstation maison";
}; };
rezome = {
description = "Rezome Minecraft backup";
};
zfspaulfixe = {
uid = 1002;
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIQjzpEBNEwJhBTh82K5bJMyPSuHvYJyipaZYVtOZSJIDIRcec9YwMOQuMl9+O5kI36tiataEpmb/y3OWU567DXKp/BtljfVfNSQracKJPt6GJFOz4fKqCqoBh7M06ZGsBHUi/NsKIvw4asJsBuK6uACvxKFt2pSR6fp+/2y/3NH0LpDmDuuYORhciJUBC+RUTCLtVUfzkMAeR2p+M079Ia0rnkEXNFgc75FQon1bQu/0bnbHPweSwnNfRB0XPm6Qgz3sS2Cyhf1/GqgvARs80P4MWuqqZFXhsBTajOHOjCu6fiaylPNXNWfLnahkRzKIOkIy7/yEO+MmMD+V7pjbvSqB7MD1T5wfcPHvHTISM4E+7dw9aPj9+JspkgSSACtIFKsqxkWlq5creUV1syDm2Cd4rBnKrc8yWtAxBSusFWbAr6xtxP6I+ibS4trjNdHHrjMJK9jpbPxdblJJrO3qn6VYC/WzFAxzDDUi5ysGzNdpQLacacne/95gSGXCgIIc= root@paul-fixe"
];
description = "paul-fixe zfs backup user";
};
}; };
users.extraGroups.medias = { users.extraGroups.medias = {

235
systems/LoutreOS/web.nix
View File

@ -48,11 +48,56 @@ in
acceptTerms = true; acceptTerms = true;
}; };
users.groups = {
work = {};
webdav = {};
};
users.users = {
work = {
isSystemUser = true;
group = config.users.groups.work.name;
};
webdav = {
isSystemUser = true;
group = config.users.groups.webdav.name;
};
};
services = { services = {
phpfpm.pools = {
work = {
user = config.users.users.work.name;
phpPackage = pkgs.php.withExtensions ({ all, ... }: with all; [ redis filter ]);
settings = {
"listen.owner" = config.services.nginx.user;
"pm" = "dynamic";
"pm.max_children" = 75;
"pm.start_servers" = 10;
"pm.min_spare_servers" = 5;
"pm.max_spare_servers" = 20;
"pm.max_requests" = 500;
};
};
drive = {
user = config.users.users.webdav.name;
settings = {
"listen.owner" = config.services.nginx.user;
"pm" = "dynamic";
"pm.max_children" = 75;
"pm.start_servers" = 10;
"pm.min_spare_servers" = 5;
"pm.max_spare_servers" = 20;
"pm.max_requests" = 500;
};
phpOptions = ''
output_buffering=off
'';
};
};
nginx = { nginx = {
enable = true; enable = true;
package = pkgs.nginx.override { package = pkgs.nginx.override {
modules = with pkgs.nginxModules; [ rtmp ]; modules = with pkgs.nginxModules; [ dav moreheaders ];
}; };
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
@ -64,12 +109,9 @@ in
} }
add_header Strict-Transport-Security $hsts_header; add_header Strict-Transport-Security $hsts_header;
add_header Referrer-Policy origin-when-cross-origin; add_header Referrer-Policy origin-when-cross-origin;
error_page 500 502 503 504 https://nyanlout.re/errorpages/50x.html;
''; '';
sso = { sso = {
enable = true; enable = true;
environmentFile = "/mnt/secrets/nginx-sso.env";
configuration = { configuration = {
listen = { listen = {
addr = "127.0.0.1"; addr = "127.0.0.1";
@ -110,34 +152,47 @@ in
}; };
virtualHosts = let virtualHosts = let
base = locations: { base = locations: {
inherit locations; locations = locations // {
"@maintenance" = {
root = "/var/www/errorpages/";
extraConfig = ''
rewrite ^(.*)$ /50x.html break;
'';
};
};
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
extraConfig = ''
error_page 500 502 503 504 = @maintenance;
'';
}; };
simpleReverse = rport: base { simpleReverse = rport: base {
"/" = { "/" = {
proxyPass = "http://127.0.0.1:${toString(rport)}/"; proxyPass = "http://127.0.0.1:${toString(rport)}/";
}; };
}; };
authReverse = rport: base { authReverse = rport: zipAttrsWith (name: vs: if name == "extraConfig" then (concatStrings vs) else elemAt vs 0) [
"/" = { (base {
proxyPass = "http://127.0.0.1:${toString(rport)}/"; "/" = {
proxyPass = "http://127.0.0.1:${toString(rport)}/";
extraConfig = ''
auth_request_set $cookie $upstream_http_set_cookie;
add_header Set-Cookie $cookie;
'';
};
})
{
extraConfig = '' extraConfig = ''
auth_request_set $cookie $upstream_http_set_cookie; include ${nginxSsoAuth};
add_header Set-Cookie $cookie;
''; '';
}; }
} // { ];
extraConfig = ''
include ${nginxSsoAuth};
'';
};
in { in {
"nyanlout.re" = base { "nyanlout.re" = base {
"/" = { "/" = {
alias = "/var/www/site-perso/"; alias = "/var/www/site-perso/";
}; };
"/errorpages/" = { "/maintenance/" = {
alias = "/var/www/errorpages/"; alias = "/var/www/errorpages/";
}; };
"/.well-known/openpgpkey/" = { "/.well-known/openpgpkey/" = {
@ -147,7 +202,7 @@ in
''; '';
}; };
} // { default = true; }; } // { default = true; };
"riot.nyanlout.re" = base { "/" = { root = pkgs.riot-web; }; }; "riot.nyanlout.re" = base { "/" = { root = pkgs.element-web; }; };
"factorio.nyanlout.re" = base { "/" = { root = "/var/www/factorio"; }; }; "factorio.nyanlout.re" = base { "/" = { root = "/var/www/factorio"; }; };
"minecraft.nyanlout.re" = base { "/" = { root = "/var/www/minecraft-overviewer"; }; }; "minecraft.nyanlout.re" = base { "/" = { root = "/var/www/minecraft-overviewer"; }; };
"musique-meyenheim.fr" = base { "musique-meyenheim.fr" = base {
@ -164,11 +219,7 @@ in
"maxspiegel.fr" = base { "/" = { root = "/run/python-ci/nyanloutre/site-max"; }; }; "maxspiegel.fr" = base { "/" = { root = "/run/python-ci/nyanloutre/site-max"; }; };
"stream.nyanlout.re" = base { "stream.nyanlout.re" = base {
"/" = { "/" = {
root = "/var/www/hls/"; proxyPass = "http://10.30.135.71";
extraConfig = ''
add_header Cache-Control no-cache;
add_header Access-Control-Allow-Origin *;
'';
}; };
}; };
"login.nyanlout.re" = simpleReverse config.services.nginx.sso.configuration.listen.port; "login.nyanlout.re" = simpleReverse config.services.nginx.sso.configuration.listen.port;
@ -180,54 +231,79 @@ in
"jackett.nyanlout.re" = authReverse 9117; "jackett.nyanlout.re" = authReverse 9117;
"pgmanage.nyanlout.re" = authReverse config.services.pgmanage.port; "pgmanage.nyanlout.re" = authReverse config.services.pgmanage.port;
"matrix.nyanlout.re" = simpleReverse 8008; "matrix.nyanlout.re" = simpleReverse 8008;
"airsonic.nyanlout.re" = simpleReverse 4040; "emby.nyanlout.re" = recursiveUpdate (simpleReverse 8096) {
"emby.nyanlout.re" = simpleReverse 8096; locations."/" = {
proxyWebsockets = true;
};
};
"ci.nyanlout.re" = simpleReverse 52350; "ci.nyanlout.re" = simpleReverse 52350;
"gitea.nyanlout.re" = simpleReverse config.services.gitea.httpPort; "gitea.nyanlout.re" = simpleReverse config.services.gitea.httpPort;
"musique.nyanlout.re" = simpleReverse config.services.navidrome.settings.Port;
"apart.nyanlout.re" = recursiveUpdate (simpleReverse config.services.home-assistant.port) { "apart.nyanlout.re" = recursiveUpdate (simpleReverse config.services.home-assistant.port) {
locations."/" = { locations."/" = {
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
}; # "work.rezom.eu" = base {
appendConfig = let # "/" = {
rootLocation = config.services.nginx.virtualHosts."stream.nyanlout.re".locations."/".root; # index = "/_h5ai/public/index.php";
in '' # extraConfig = ''
rtmp { # dav_ext_methods PROPFIND OPTIONS;
server { # '';
listen 1935; # };
# "~ ^/(_h5ai/public/index|random).php" = {
# extraConfig = ''
# fastcgi_split_path_info ^(.+\.php)(/.+)$;
# fastcgi_pass unix:${config.services.phpfpm.pools.work.socket};
# include ${pkgs.nginx}/conf/fastcgi_params;
# include ${pkgs.nginx}/conf/fastcgi.conf;
# '';
# };
# } // {
# root = "/mnt/medias/iso_linux";
# extraConfig = ''
# access_log /var/log/nginx/$host.log;
# '';
# };
"drive.nyanlout.re" = base {
"/" = {
index = "/index.php";
extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:${config.services.phpfpm.pools.drive.socket};
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
application live { client_max_body_size 0;
live on; '';
};
exec_push ${pkgs.ffmpeg}/bin/ffmpeg -i rtmp://localhost/$app/$name -async 1 -vsync -1 } // {
-c:v libx264 -c:a aac -b:v 768k -b:a 96k -vf "scale=720:trunc(ow/a/2)*2" -tune zerolatency -preset ultrafast -crf 28 -f flv rtmp://localhost/show/$name_mid root = "/mnt/webdav";
-c:v libx264 -c:a aac -b:v 1024k -b:a 128k -vf "scale=960:trunc(ow/a/2)*2" -tune zerolatency -preset ultrafast -crf 28 -f flv rtmp://localhost/show/$name_high };
-c copy -f flv rtmp://localhost/show/$name_src 2>>${rootLocation}/ffmpeg-$name.log; "rspamd.nyanlout.re" = zipAttrsWith (name: vs: if name == "extraConfig" then (concatStrings vs) else elemAt vs 0) [
} (base {
"/" = {
application show { proxyPass = "http://unix:/run/rspamd/worker-controller.sock";
live on; extraConfig = ''
hls on; auth_request_set $cookie $upstream_http_set_cookie;
add_header Set-Cookie $cookie;
hls_path ${rootLocation}; '';
hls_fragment 3s; };
hls_playlist_length 60s; })
{
hls_variant _mid BANDWIDTH=448000; # Medium bitrate, SD resolution extraConfig = ''
hls_variant _high BANDWIDTH=1152000; # High bitrate, higher-than-SD resolution include ${nginxSsoAuth};
hls_variant _src BANDWIDTH=4096000; # Source bitrate, source resolution '';
}
} }
} ];
''; };
}; };
postgresql = { postgresql = {
enable = true; enable = true;
extraConfig = '' settings = {
full_page_writes = off full_page_writes = false;
''; };
}; };
pgmanage = { pgmanage = {
@ -249,36 +325,31 @@ in
passwordFile = "/var/lib/gitea/custom/conf/database_password"; passwordFile = "/var/lib/gitea/custom/conf/database_password";
}; };
log.level = "Warn"; log.level = "Warn";
extraConfig = '' disableRegistration = true;
[ui] settings = {
DEFAULT_THEME = arc-green ui.DEFAULT_THEME = "arc-green";
};
[service]
DISABLE_REGISTRATION = true
'';
}; };
python-ci.enable = true; python-ci.enable = true;
};
mastodon = { systemd.services.nginx.serviceConfig = {
enable = true; ReadWritePaths = [
localDomain = "social.nyanlout.re"; "/var/www/hls"
configureNginx = true; "/mnt/webdav"
extraConfig = { ];
SMTP_AUTH_METHOD = "none"; };
SMTP_OPENSSL_VERIFY_MODE = "none";
}; systemd.services.phpfpm-work.serviceConfig = {
smtp = { ReadOnlyPaths = "/mnt/medias/iso_linux";
fromAddress = "social@nyanlout.re"; ReadWritePaths = [
user = "social@nyanlout.re"; "/mnt/medias/iso_linux/_h5ai"
authenticate = false; ];
};
mediaPruneTimer = true;
};
}; };
systemd.services.site-musique = let systemd.services.site-musique = let
djangoEnv =(pkgs.python3.withPackages (ps: with ps; [ gunicorn django_2_2 pillow setuptools ])); djangoEnv =(pkgs.python3.withPackages (ps: with ps; [ gunicorn django_3 pillow setuptools ]));
in { in {
description = "Site Django de la musique de Meyenheim"; description = "Site Django de la musique de Meyenheim";
after = [ "network.target" ]; after = [ "network.target" ];
@ -312,4 +383,6 @@ in
wantedBy = [ "sockets.target" ]; wantedBy = [ "sockets.target" ];
listenStreams = [ "/run/site-musique.sock" ]; listenStreams = [ "/run/site-musique.sock" ];
}; };
systemd.services.nginx-sso.serviceConfig.EnvironmentFile = "/mnt/secrets/nginx-sso.env";
} }

1
systems/common-cli.nix
View File

@ -70,6 +70,7 @@
bat bat
molly-guard molly-guard
nix-template nix-template
lz4
# Développement # Développement
openssl openssl