vskilet
/
nixos-config
forked from nyanloutre/nixos-config
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
nixos-config/systems/LoutreOS/services.nix

304 lines
8.4 KiB
Nix
Raw Blame History

{ config, lib, pkgs, ... }:
with lib;
let
domaine = "nyanlout.re";
sendMail = to: subject: message: pkgs.writeShellScriptBin "mail.sh" ''
${pkgs.system-sendmail}/bin/sendmail ${to} <<EOF
From: root@nyanlout.re
Subject: ${subject}
${message}
EOF
'';
login_mail_alert = pkgs.writeShellScriptBin "mail_alert.sh" ''
if [ "$PAM_TYPE" != "close_session" ]; then
${sendMail "paul@nyanlout.re" "SSH Login: $PAM_USER from $PAM_RHOST" "`env`"}/bin/mail.sh
fi
'';
backup_mail_alert = sendMail "paul@nyanlout.re" "ERREUR: Sauvegarde Borg" "Impossible de terminer la sauvegarde. Merci de voir les logs";
in
{
imports = [
../../services/haproxy-acme.nix
../../services/mail-server.nix
../../services/site-musique.nix
../../services/site-max.nix
../../services/auto-pr.nix
../../services/python-ci.nix
../../services/sdtdserver.nix
../../containers/vsftpd.nix
# /mnt/secrets/factorio_secrets.nix
./monitoring.nix
./medias.nix
./web.nix
];
nixpkgs.overlays = [
(import ../../overlays/dogetipbot-telegram.nix)
];
services = {
fail2ban.enable = true;
fstrim.enable = true;
mailserver = {
enable = true;
domaine = domaine;
};
syncthing = {
enable = true;
dataDir = "/var/lib/syncthing";
openDefaultPorts = true;
};
nfs.server = {
enable = true;
exports = ''
/mnt/medias 10.30.0.0/16(ro,no_root_squash)
/exports/steam 10.30.0.0/16(rw,async,no_root_squash)
/var/lib/minecraft 10.30.0.0/16(rw,no_root_squash)
'';
statdPort = 4000;
lockdPort = 4001;
mountdPort = 4002;
};
matrix-synapse = {
enable = true;
enable_registration = true;
server_name = "nyanlout.re";
listeners = [
{ # federation
bind_address = "";
port = 8448;
resources = [
{ compress = true; names = [ "client" "webclient" ]; }
{ compress = false; names = [ "federation" ]; }
];
tls = true;
type = "http";
x_forwarded = false;
}
{ # client
bind_address = "127.0.0.1";
port = 8008;
resources = [
{ compress = true; names = [ "client" "webclient" ]; }
];
tls = false;
type = "http";
x_forwarded = true;
}
];
max_upload_size = "100M";
database_type = "psycopg2";
database_args = {
database = "matrix-synapse";
};
tls_private_key_path = "/var/lib/acme/${domaine}/key.pem";
tls_certificate_path = "/var/lib/acme/${domaine}/fullchain.pem";
url_preview_enabled = true;
logConfig = ''
version: 1
formatters:
journal_fmt:
format: '%(name)s: [%(request)s] %(message)s'
filters:
context:
(): synapse.util.logcontext.LoggingContextFilter
request: ""
handlers:
journal:
class: systemd.journal.JournalHandler
formatter: journal_fmt
filters: [context]
SYSLOG_IDENTIFIER: synapse
root:
level: WARNING
handlers: [journal]
disable_existing_loggers: False
'';
app_service_config_files = [
"/var/lib/matrix-synapse/mautrix-telegram-registration.yaml"
];
};
mautrix-telegram = {
enable = true;
settings = {
homeserver = {
address = "https://matrix.nyanlout.re";
domain = "nyanlout.re";
};
appservice = {
bot_username = "loutrebot";
};
bridge = {
relaybot.authless_portals = false;
permissions = {
"@nyanloutre:nyanlout.re" = "admin";
};
};
};
environmentFile = "/mnt/secrets/mautrix-telegram.env";
serviceDependencies = [ "matrix-synapse.service" ];
};
borgbackup.jobs = {
loutre = {
paths = [
"/var/certs"
"/var/dkim"
"/var/lib/jellyfin"
"/var/lib/gitea"
"/var/lib/grafana"
"/var/lib/jackett"
"/var/lib/matrix-synapse"
"/var/lib/postgresql/.zfs/snapshot/borgsnap"
"/var/lib/radarr"
"/var/lib/sonarr"
"/var/lib/syncthing"
"/var/lib/transmission"
"/mnt/medias/musique"
"/mnt/medias/torrent/lidarr"
"/mnt/medias/torrent/musique"
"/var/sieve"
"/var/vmail"
];
repo = "/mnt/backup/borg";
encryption = {
mode = "repokey-blake2";
passCommand = "cat /mnt/secrets/borgbackup_loutre_encryption_pass";
};
startAt = "weekly";
prune.keep = {
within = "1d";
weekly = 4;
monthly = 12;
};
preHook = "${pkgs.zfs}/bin/zfs snapshot loutrepool/var/postgresql@borgsnap";
postHook = ''
${pkgs.zfs}/bin/zfs destroy loutrepool/var/postgresql@borgsnap
if [[ $exitStatus == 0 ]]; then
${pkgs.rclone}/bin/rclone --config /mnt/secrets/rclone_loutre.conf sync -v $BORG_REPO BackupStorage:loutre
else
${backup_mail_alert}/bin/mail.sh
fi
'';
};
};
borgbackup.repos = {
diskstation = {
authorizedKeys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDllbxON66dBju7sMnhX8/E0VRo3+PDYvDsHP0/FK+h8JHol4+pouLmI7KIDKYOJmSuom283OqnyZOMqk+RShTwWIFm9hOd2R9aj45Zrd9jPW2APOCec/Epgogj0bwBnc0l2v6qxkxaBMgL5DnAQ+E00uvL1UQpK8c8j4GGiPlkWJD6Kf+pxmnfH1TIm+J2XCwl0oeCkSK/Frd8eM+wCraMSzoaGiEcfMz2jK8hxDWjDxX7epU0ELF22BVCuyN8cYRoFTnV88E38PlaqsOqD5ePkxk425gDh7j/C06f8QKgnasVH2diixo92kYSd7i/RmfeXDDwAD5xqUvODczEuIdt root@DiskStation" ];
path = "/mnt/backup_loutre/diskstation_borg";
user = "synology";
};
};
auto-pr.enable = true;
sdtdserver.enable = false;
factorio = {
enable = false;
autosave-interval = 10;
game-name = "Shame";
public = true;
username = "nyanloutre";
};
minecraft-server = {
enable = false;
jvmOpts = "-Xms512m -Xmx3072m";
eula = true;
declarative = true;
openFirewall = true;
whitelist = {
nyanloutre = "db0669ea-e332-4ca3-8d50-f5d1458f5822";
Hautension = "f05677f4-be5a-47df-ad77-21c739180aa2";
LordDarkKiwi = "79290cfc-0b00-484f-9c94-ab0786402de6";
Madahin = "f5f747e3-fac2-43e8-9b9b-a67dc2f368ff";
Hopegcx = "4497f759-2210-48db-8764-307d33011442";
wyrd68 = "127a3021-cdc1-419f-9010-4651df9ae3af";
sparsyateloutre = "d2ff63c1-4e9f-4b21-9bfc-decce5d987b3";
};
serverProperties = {
difficulty = 2;
gamemode = 0;
max-players = 50;
motd = "Hi Mark !";
white-list = true;
};
};
};
systemd.services.dogetipbot-telegram = {
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
script = "${pkgs.dogetipbot-telegram}/bin/dogetipbot-telegram --block-io-api-key $BLOCK_IO_API_KEY --block-io-pin $BLOCK_IO_PIN --telegram-api-key $TELEGRAM_API_KEY --network DOGE";
enable = true;
serviceConfig = {
EnvironmentFile = "/mnt/secrets/dogetipbot-telegram_env";
DynamicUser = true;
};
};
systemd.services.matrix-synapse = {
serviceConfig = {
MemoryHigh = "3G";
MemoryMax = "5G";
};
};
users.groups.acme.members = [ "matrix-synapse" ];
security.pam.services.sshd.text = pkgs.lib.mkDefault( pkgs.lib.mkAfter "session optional ${pkgs.pam}/lib/security/pam_exec.so seteuid ${login_mail_alert}/bin/mail_alert.sh" );
networking = {
wireguard.interfaces = {
wg0 = {
ips = [ "192.168.20.1/24" ];
privateKeyFile = "/mnt/secrets/wireguard/wg0.privatekey";
listenPort = 51820;
allowedIPsAsRoutes = true;
peers = [
{
allowedIPs = [ "192.168.20.2/32" ];
publicKey = "b/SXiqo+GPdNOc54lyEVeUBc6B5AbVMKh+g5EZPGzlE=";
}
];
};
};
nat.internalInterfaces = [ "wg0" ];
nat.internalIPs = [ "192.168.20.0/24" ];
firewall.allowedTCPPorts = [
8448 # Matrix federation
20 21 # FTP
];
firewall.allowedTCPPortRanges = [
{ from = 64000; to = 65535; } # FTP
];
firewall.allowedUDPPorts = [
config.networking.wireguard.interfaces.wg0.listenPort
];
};
}
Reference in New Issue View Git Blame Copy Permalink