coolneng/zion
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Compare commits

base: coolneng:master
Branches Tags
coolneng:master
..
compare: coolneng:b962fe61837a9d6050a176e271b8025f5764935f
Branches Tags
coolneng:master

2 Commits
master ... b962fe6183

Author SHA1 Message Date
coolneng
b962fe6183 Specify ZFS datasets dependencies for each service 2023-06-08 18:54:46 +02:00
coolneng
9f3dedaa08 Upgrade to NixOS 23.05 and SSD boot 2023-06-08 18:54:03 +02:00
36 changed files with 736 additions and 982 deletions
Expand all files Collapse all files

1
.dir-locals.el Normal file
View File

@@ -0,0 +1 @@
((nil . ((ssh-deploy-root-remote . "/ssh:zion:/home/coolneng/system"))))

2
Makefile
View File

@@ -1,7 +1,7 @@
DIR=$(HOME)/Projects/zion DIR=$(HOME)/Projects/zion
switch: switch:
nixos-rebuild switch --no-reexec --target-host root@zion \ nixos-rebuild switch --fast --target-host root@zion \
--build-host root@zion --flake path://$(DIR)#zion --build-host root@zion --flake path://$(DIR)#zion
.DEFAULT_GOAL := switch .DEFAULT_GOAL := switch

141
configuration.nix
View File

@@ -1,51 +1,20 @@
{ { config, inputs, pkgs, lib, ... }:
config,
inputs,
pkgs,
lib,
...
}:
with pkgs; with pkgs;
{ {
# Kernel configuration
boot = {
blacklistedKernelModules = [
"btusb"
"bluetooth"
];
kernelParams = [
"zfs.zfs_arc_max=8589934592"
"zfs.zfs_arc_min=1073741824"
];
supportedFilesystems = [ "zfs" ];
zfs = {
requestEncryptionCredentials = false;
extraPools = [ "vault" ];
};
};
# Secure boot using lanzaboote
boot.loader = {
efi.canTouchEfiVariables = true;
systemd-boot = {
enable = true;
configurationLimit = 50;
editor = false;
};
timeout = 3;
};
# Declare system packages # Declare system packages
environment.systemPackages = [ environment.systemPackages = [
libraspberrypi libraspberrypi
htop htop
neovim neovim
git git
inputs.agenix.packages.${config.nixpkgs.localSystem.system}.default inputs.agenix.packages.aarch64-linux.default
]; ];
# Enable zswap
zramSwap.enable = true;
# Configure basic SSH access # Configure basic SSH access
services.openssh = { services.openssh = {
enable = true; enable = true;
@@ -62,15 +31,12 @@ with pkgs;
users.users.coolneng = { users.users.coolneng = {
isNormalUser = true; isNormalUser = true;
home = "/home/coolneng"; home = "/home/coolneng";
extraGroups = [ extraGroups = [ "wheel" "docker" ];
"wheel"
"docker"
];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
# panacea # panacea
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW coolneng@panacea" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW coolneng@panacea"
# caravanserai # caravanserai
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIX0poiPhFLFh88fhpLFX7n1oCevVRyTxe9ZvGmjPq8n zion" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTBWNtNp+vI2So4vISZX/yQv754ZzXqobFgUP3zk4FY zion"
]; ];
shell = "${fish}/bin/fish"; shell = "${fish}/bin/fish";
}; };
@@ -85,6 +51,12 @@ with pkgs;
time.timeZone = "Europe/Brussels"; time.timeZone = "Europe/Brussels";
services.timesyncd.enable = true; services.timesyncd.enable = true;
# Enable ZFS support
boot.supportedFilesystems = [ "zfs" ];
# Don't import encrypted datasets
boot.zfs.requestEncryptionCredentials = false;
# Scrub zpool monthly # Scrub zpool monthly
services.zfs.autoScrub = { services.zfs.autoScrub = {
enable = true; enable = true;
@@ -95,12 +67,7 @@ with pkgs;
nix = { nix = {
settings = { settings = {
auto-optimise-store = true; auto-optimise-store = true;
trusted-users = [ experimental-features = [ "nix-command" "flakes" ];
"root"
"coolneng"
];
lazy-trees = true;
eval-cores = 2;
}; };
gc = { gc = {
automatic = true; automatic = true;
@@ -111,42 +78,33 @@ with pkgs;
keep-outputs = true keep-outputs = true
keep-derivations = true keep-derivations = true
gc-keep-outputs = true gc-keep-outputs = true
experimental-features = nix-command flakes
''; '';
}; };
# Use same version of nixpkgs for nix-shell # Use same version of nixpkgs for nix-shell
nix.nixPath = nix.nixPath = let path = toString ./.;
let in [ "nixpkgs=${inputs.nixpkgs}" "nixos-config=${path}/configuration.nix" ];
path = toString ./.;
in
[
"nixpkgs=${inputs.nixpkgs}"
"nixos-config=${path}/configuration.nix"
];
# Configure fish shell # Configure fish shell
programs.fish.enable = true; programs.fish.enable = true;
users.users.root = { users.users.root = {
shell = "${fish}/bin/fish"; shell = "${fish}/bin/fish";
openssh.authorizedKeys.keys = config.users.users.coolneng.openssh.authorizedKeys.keys; openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW coolneng@panacea"
];
}; };
# Keep logs for a month # Keep logs for a week
services.journald.extraConfig = "MaxRetentionSec=4week"; services.journald.extraConfig = "MaxRetentionSec=1week";
# Increase inotify limits and maximum buffer size # Increase inotify limits
boot.kernel.sysctl = { boot.kernel.sysctl = { "fs.inotify.max_user_watches" = 204800; };
"fs.inotify.max_user_watches" = 204800;
"net.core.rmem_max" = 2500000;
"net.core.wmem_max" = 2500000;
};
# MOTD message # MOTD message
programs.fish.interactiveShellInit = "${./scripts/motd.sh}"; programs.fish.interactiveShellInit = "${./scripts/motd.sh}";
# NixOS version # NixOS version
system.stateVersion = "24.11"; system.stateVersion = "22.05";
# Specify secrets # Specify secrets
age = { age = {
@@ -162,6 +120,7 @@ with pkgs;
owner = "gitea"; owner = "gitea";
group = "gitea"; group = "gitea";
}; };
secrets.ddclient.file = secrets/ddclient.age;
secrets.miniflux = { secrets.miniflux = {
file = secrets/miniflux.age; file = secrets/miniflux.age;
owner = "miniflux"; owner = "miniflux";
@@ -185,6 +144,8 @@ with pkgs;
}; };
secrets.telegram = { secrets.telegram = {
file = secrets/telegram.age; file = secrets/telegram.age;
owner = "matrix-as-telegram";
group = "matrix-as-telegram";
}; };
secrets.mqtt-sender = { secrets.mqtt-sender = {
file = secrets/mqtt-sender.age; file = secrets/mqtt-sender.age;
@@ -196,46 +157,10 @@ with pkgs;
owner = "mosquitto"; owner = "mosquitto";
group = "mosquitto"; group = "mosquitto";
}; };
secrets.facebook = { secrets.nightscout = {
file = secrets/facebook.age; file = secrets/nightscout.age;
}; owner = "coolneng";
secrets.signal = { group = "podman";
file = secrets/signal.age;
};
secrets.inadyn-duckdns = {
file = secrets/inadyn-duckdns.age;
owner = "inadyn";
group = "inadyn";
};
secrets.inadyn-porkbun = {
file = secrets/inadyn-porkbun.age;
owner = "inadyn";
group = "inadyn";
};
secrets.inadyn-porkbun-secret = {
file = secrets/inadyn-porkbun-secret.age;
owner = "inadyn";
group = "inadyn";
};
secrets.acme-duckdns = {
file = secrets/acme-duckdns.age;
owner = "acme";
group = "nginx";
};
secrets.acme-porkbun = {
file = secrets/acme-porkbun.age;
owner = "acme";
group = "nginx";
};
secrets.microbin = {
file = secrets/microbin.age;
owner = "63026";
group = "63026";
};
secrets.readeck = {
file = secrets/readeck.age;
owner = "63026";
group = "63026";
}; };
identityPaths = [ "/etc/ssh/id_ed25519" ]; identityPaths = [ "/etc/ssh/id_ed25519" ];
}; };
@@ -243,9 +168,10 @@ with pkgs;
# Auto-upgrade the system # Auto-upgrade the system
system.autoUpgrade = { system.autoUpgrade = {
enable = true; enable = true;
allowReboot = true;
flake = "/home/coolneng/system"; flake = "/home/coolneng/system";
flags = [ flags = [
"--update-input"
"agenix"
"--update-input" "--update-input"
"nixpkgs" "nixpkgs"
"--commit-lock-file" "--commit-lock-file"
@@ -277,6 +203,7 @@ with pkgs;
./modules/periodic.nix ./modules/periodic.nix
./modules/communication.nix ./modules/communication.nix
./modules/information.nix ./modules/information.nix
./modules/device.nix
./modules/containers.nix ./modules/containers.nix
]; ];

268
flake.lock generated
View File

@@ -6,15 +6,14 @@
"home-manager": "home-manager", "home-manager": "home-manager",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ]
"systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1762618334, "lastModified": 1684153753,
"narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=", "narHash": "sha256-PVbWt3qrjYAK+T5KplFcO+h7aZWfEj1UtyoKlvcDxh0=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "fcdea223397448d35d9b31f798479227e80183f6", "rev": "db5637d10f797bb251b94ef9040b237f4702cde3",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -31,11 +30,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1744478979, "lastModified": 1673295039,
"narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "43975d782b418ebf4969e9ccba82466728c2851b", "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -45,63 +44,6 @@
"type": "github" "type": "github"
} }
}, },
"determinate": {
"inputs": {
"determinate-nixd-aarch64-darwin": "determinate-nixd-aarch64-darwin",
"determinate-nixd-aarch64-linux": "determinate-nixd-aarch64-linux",
"determinate-nixd-x86_64-linux": "determinate-nixd-x86_64-linux",
"nix": "nix",
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1766177528,
"narHash": "sha256-Bl+p766mM7qNCZtMqmTz13RuUbOMKsFa+/vnGYoxgPk=",
"rev": "b159c082f0f9bdefa6c386189a13c5fa0734d8d8",
"revCount": 317,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/3.15.0/019b3865-57a1-7d80-98c5-962fac29c404/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/DeterminateSystems/determinate/%2A"
}
},
"determinate-nixd-aarch64-darwin": {
"flake": false,
"locked": {
"narHash": "sha256-vDaEQ5T4eA7kEPREmm68IVWGR6zT0aDL5slZxA6dkSc=",
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/macOS"
},
"original": {
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/macOS"
}
},
"determinate-nixd-aarch64-linux": {
"flake": false,
"locked": {
"narHash": "sha256-Hf4JsIv5G3IR0Q0RHGLSNdmDzFv97sVQQKwzY6A0vV4=",
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/aarch64-linux"
},
"original": {
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/aarch64-linux"
}
},
"determinate-nixd-x86_64-linux": {
"flake": false,
"locked": {
"narHash": "sha256-J+J4E02XpEl0ZkpzMbUmGCf6S4yk0gYCYmiGzZ058ik=",
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/x86_64-linux"
},
"original": {
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/x86_64-linux"
}
},
"devshell": { "devshell": {
"locked": { "locked": {
"lastModified": 1642188268, "lastModified": 1642188268,
@@ -118,22 +60,6 @@
} }
}, },
"flake-compat": { "flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1641205782, "lastModified": 1641205782,
@@ -149,53 +75,6 @@
"type": "github" "type": "github"
} }
}, },
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"determinate",
"nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1748821116,
"narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=",
"rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1",
"revCount": 377,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/hercules-ci/flake-parts/0.1.377%2Brev-49f0870db23e8c1ca0b5259734a02cd9e1e371a1/01972f28-554a-73f8-91f4-d488cc502f08/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/hercules-ci/flake-parts/0.1"
}
},
"git-hooks-nix": {
"inputs": {
"flake-compat": "flake-compat",
"gitignore": [
"determinate",
"nix"
],
"nixpkgs": [
"determinate",
"nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1747372754,
"narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=",
"rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46",
"revCount": 1026,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/cachix/git-hooks.nix/0.1.1026%2Brev-80479b6ec16fefd9c1db3ea13aeb038c60530f46/0196d79a-1b35-7b8e-a021-c894fb62163d/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/cachix/git-hooks.nix/0.1.941"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -204,11 +83,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1745494811, "lastModified": 1682203081,
"narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -217,31 +96,10 @@
"type": "github" "type": "github"
} }
}, },
"nix": {
"inputs": {
"flake-parts": "flake-parts",
"git-hooks-nix": "git-hooks-nix",
"nixpkgs": "nixpkgs",
"nixpkgs-23-11": "nixpkgs-23-11",
"nixpkgs-regression": "nixpkgs-regression"
},
"locked": {
"lastModified": 1766174426,
"narHash": "sha256-0ZofAQZNgg5nfIKsVb7g4It6ufmIyLtfFRPOf+6WRkk=",
"rev": "15d6091194b5b90d292e8d6283db77f09c303b1e",
"revCount": 24285,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.15.0/019b3854-cca6-7298-a91c-0fd8551a7270/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/DeterminateSystems/nix-src/%2A"
}
},
"nix-matrix-appservices": { "nix-matrix-appservices": {
"inputs": { "inputs": {
"devshell": "devshell", "devshell": "devshell",
"flake-compat": "flake-compat_2", "flake-compat": "flake-compat",
"nixlib": "nixlib", "nixlib": "nixlib",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
@@ -278,118 +136,56 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1764440730, "lastModified": 1684899633,
"narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=", "narHash": "sha256-NtwerXX8UFsoNy6k+DukJMriWtEjQtMU/Urbff2O2Dg=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3", "rev": "4cc688ee711159b9bcb5a367be44007934e1a49d",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "master",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"type": "github" "type": "github"
} }
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1761597516, "lastModified": 1685865905,
"narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=", "narHash": "sha256-XJZ/o17eOd2sEsGif+/MQBnfa2DKmndWgJyc7CWajFc=",
"rev": "daf6dc47aa4b44791372d6139ab7b25269184d55", "owner": "NixOS",
"revCount": 811874, "repo": "nixpkgs",
"type": "tarball", "rev": "e7603eba51f2c7820c0a182c6bbb351181caa8e7",
"url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2505.811874%2Brev-daf6dc47aa4b44791372d6139ab7b25269184d55/019a3494-3498-707e-9086-1fb81badc7fe/source.tar.gz" "type": "github"
}, },
"original": { "original": {
"type": "tarball", "id": "nixpkgs",
"url": "https://flakehub.com/f/NixOS/nixpkgs/0.2505" "ref": "nixos-23.05",
"type": "indirect"
} }
}, },
"nixpkgs-23-11": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1717159533, "lastModified": 1685931219,
"narHash": "sha256-oamiKNfr2MS6yH64rUn99mIZjc45nGJlj9eGth/3Xuw=", "narHash": "sha256-8EWeOZ6LKQfgAjB/USffUSELPRjw88A+xTcXnOUvO5M=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446", "rev": "7409480d5c8584a1a83c422530419efe4afb0d19",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "id": "nixpkgs",
"repo": "nixpkgs", "ref": "nixos-unstable",
"rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446", "type": "indirect"
"type": "github"
}
},
"nixpkgs-regression": {
"locked": {
"lastModified": 1643052045,
"narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1765772535,
"narHash": "sha256-aq+dQoaPONOSjtFIBnAXseDm9TUhIbe215TPmkfMYww=",
"rev": "09b8fda8959d761445f12b55f380d90375a1d6bb",
"revCount": 911985,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.911985%2Brev-09b8fda8959d761445f12b55f380d90375a1d6bb/019b25ab-7c11-79e0-a0b0-c94d455b7190/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/DeterminateSystems/nixpkgs-weekly/0.1"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1766201043,
"narHash": "sha256-eplAP+rorKKd0gNjV3rA6+0WMzb1X1i16F5m5pASnjA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b3aad468604d3e488d627c0b43984eb60e75e782",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.11",
"repo": "nixpkgs",
"type": "github"
} }
}, },
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
"determinate": "determinate",
"nix-matrix-appservices": "nix-matrix-appservices", "nix-matrix-appservices": "nix-matrix-appservices",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_3" "nixpkgs": "nixpkgs",
} "nixpkgs-unstable": "nixpkgs-unstable"
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
} }
} }
}, },

31
flake.nix
View File

@@ -1,48 +1,43 @@
{ {
description = "System configuration for zion"; description = "System configuration for zion";
nixConfig = {
extra-substituters = "https://install.determinate.systems";
extra-trusted-public-keys = ''
cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM=
'';
};
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; nixpkgs.url = "nixpkgs/nixos-23.05";
determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/*"; nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
agenix = { agenix = {
url = "github:ryantm/agenix"; url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
nixos-hardware.url = "github:NixOS/nixos-hardware/master"; nixos-hardware.url = "github:NixOS/nixos-hardware";
nix-matrix-appservices = { nix-matrix-appservices = {
url = "gitlab:coffeetables/nix-matrix-appservices"; url = "gitlab:coffeetables/nix-matrix-appservices";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
}; };
outputs = outputs = { self, nixpkgs, nixpkgs-unstable, agenix, nixos-hardware
{ self, nixpkgs, ... }@inputs: , nix-matrix-appservices, ... }@inputs:
let let
system = "x86_64-linux"; system = "aarch64-linux";
pkgs = import pkgs { inherit system; }; pkgs = import pkgs { inherit system; };
pkgs-unstable = import inputs.nixpkgs-unstable { inherit system; };
lib = nixpkgs.lib; lib = nixpkgs.lib;
in in {
{
nixosConfigurations.zion = lib.nixosSystem { nixosConfigurations.zion = lib.nixosSystem {
inherit system; inherit system;
modules = [ modules = [
(import ./configuration.nix) (import ./configuration.nix)
inputs.agenix.nixosModules.age agenix.nixosModules.age
inputs.nixos-hardware.nixosModules.aoostar-r1-n100 nixos-hardware.nixosModules.raspberry-pi-4
inputs.determinate.nixosModules.default nix-matrix-appservices.nixosModule
]; ];
specialArgs = { specialArgs = {
inherit inputs; inherit inputs;
inherit pkgs-unstable;
}; };
}; };

139
modules/communication.nix
View File

@@ -1,9 +1,4 @@
{ { config, lib, pkgs, ... }:
config,
lib,
pkgs,
...
}:
with pkgs; with pkgs;
@@ -16,8 +11,7 @@ let
conn_max_lifetime = -1; conn_max_lifetime = -1;
}; };
in in {
{
# Matrix server configuration # Matrix server configuration
services.dendrite = { services.dendrite = {
enable = true; enable = true;
@@ -34,32 +28,22 @@ in
# HACK Inherit postgres connection string for the rest of the DBs # HACK Inherit postgres connection string for the rest of the DBs
app_service_api = { app_service_api = {
inherit database; inherit database;
}; config_files = [
media_api = { "/var/lib/matrix-as-facebook/facebook-registration.yaml"
inherit database; "/var/lib/matrix-as-signal/signal-registration.yaml"
}; "/var/lib/matrix-as-telegram/telegram-registration.yaml"
room_server = {
inherit database;
};
push_server = {
inherit database;
};
mscs = {
inherit database;
mscs = [
"msc2836"
"msc2946"
]; ];
}; };
sync_api = { media_api = { inherit database; };
inherit database; room_server = { inherit database; };
}; push_server = { inherit database; };
key_server = { mscs = {
inherit database;
};
federation_api = {
inherit database; inherit database;
mscs = [ "msc2836" "msc2946" ];
}; };
sync_api = { inherit database; };
key_server = { inherit database; };
federation_api = { inherit database; };
user_api = { user_api = {
account_database = database; account_database = database;
device_database = database; device_database = database;
@@ -74,30 +58,87 @@ in
/var/lib/matrix-as-telegram /var/lib/matrix-as-telegram
]; ];
# Matrix bridges
services.matrix-appservices = {
homeserver = "dendrite";
homeserverDomain = "coolneng.duckdns.org";
homeserverURL = "https://matrix.coolneng.duckdns.org";
addRegistrationFiles = true;
services = {
telegram = {
port = 8118;
format = "mautrix-python";
package = mautrix-telegram;
serviceConfig.EnvironmentFile = config.age.secrets.telegram.path;
settings = {
homeserver.software = "standard";
telegram = {
api_id = "$API_ID";
api_hash = "$API_HASH";
};
bridge = {
permissions."@coolneng:coolneng.duckdns.org" = "admin";
backfill.normal_groups = true;
};
};
};
facebook = {
port = 8228;
format = "mautrix-python";
package = mautrix-facebook;
settings.homeserver.software = "standard";
};
signal = {
port = 8338;
format = "mautrix-python";
package = latest-mautrix-signal;
serviceConfig = {
StateDirectory = [ "matrix-as-signal" "signald" ];
JoinNamespaceOf = "signald.service";
SupplementaryGroups = [ "signald" ];
};
settings = {
homeserver.software = "standard";
signal = {
socket_path = config.services.signald.socketPath;
outgoing_attachment_dir = "/var/lib/signald/tmp";
};
};
};
};
};
# Additional settings for mautrix-signal
services.signald = {
enable = true;
user = "matrix-as-signal";
};
systemd.services.matrix-as-signal = {
requires = [ "signald.service" ];
after = [ "signald.service" ];
unitConfig.JoinsNamespaceOf = "signald.service";
path = [ ffmpeg ];
};
# Enable voice messages for facebook
systemd.services.matrix-as-facebook.path = [ ffmpeg ];
# MQTT configuration # MQTT configuration
services.mosquitto = { services.mosquitto = {
enable = true; enable = true;
dataDir = "/vault/mosquitto"; dataDir = "/vault/mosquitto";
logType = [ logType = [ "websockets" "error" "warning" "notice" "information" ];
"websockets"
"error"
"warning"
"notice"
"information"
];
logDest = [ "syslog" ]; logDest = [ "syslog" ];
listeners = [ listeners = [{
{ users.homeostasis = {
users.homeostasis = { acl = [ "write #" ];
acl = [ "write #" ]; hashedPasswordFile = config.age.secrets.mqtt-sender.path;
hashedPasswordFile = config.age.secrets.mqtt-sender.path; };
}; users.prometheus = {
users.prometheus = { acl = [ "read #" ];
acl = [ "read #" ]; hashedPasswordFile = config.age.secrets.mqtt-receiver.path;
hashedPasswordFile = config.age.secrets.mqtt-receiver.path; };
}; }];
}
];
}; };
} }

69
modules/containers.nix
View File

@@ -1,9 +1,4 @@
{ { config, lib, pkgs, ... }:
config,
lib,
pkgs,
...
}:
{ {
# Podman setup # Podman setup
@@ -20,49 +15,49 @@
containers = { containers = {
# Openbooks configuration # Openbooks configuration
openbooks = { openbooks = {
image = "evanbuss/openbooks@sha256:4fa9188885368c2303b7dc527d48b3159aaa7022010e29b3ed96842018793590"; image =
"evanbuss/openbooks@sha256:16609c3da954715f8f98b5de6c838146914ae700b2a700b4d9aad8b23c9217da";
ports = [ "127.0.0.1:9000:80" ]; ports = [ "127.0.0.1:9000:80" ];
cmd = [ cmd = [ "--name" "bradar" "--searchbot" "searchook" "--persist" ];
"--name"
"bradar"
"--searchbot"
"searchook"
"--persist"
"--tls"
"false"
];
}; };
# Prometheus MQTT integration # Prometheus MQTT integration
mqtt2prometheus = { mqtt2prometheus = {
image = "hikhvar/mqtt2prometheus@sha256:8e166d36feaa5ddcad703eef3a2c5167a154d6eef306a40fe6509861580c0714"; image =
"hikhvar/mqtt2prometheus@sha256:ad133b8cef2d82c5573864598b1c8361753adc7e4ac53da28bc9b6afdf05aeaf";
ports = [ "127.0.0.1:9641:9641" ]; ports = [ "127.0.0.1:9641:9641" ];
volumes = [ "/vault/mqtt2prometheus/config.yaml:/config.yaml" ]; volumes = [ "/vault/mqtt2prometheus/config.yaml:/config.yaml" ];
}; };
# Podcast synchronization # CGM repository
opodsync = { nightscout = {
image = "ganeshlab/opodsync@sha256:32626b732fe38687a5dfd703d515136e413c4b16f286b38656718ad03f0d94c1"; image =
ports = [ "127.0.0.1:9090:8080" ]; "nightscout/cgm-remote-monitor@sha256:ce522a9fe9b1373f576329e48349a622c8a9b6177c93dc2771152df36dd90876";
volumes = [ "/vault/opodsync:/var/www/server/data" ]; environmentFiles = [ config.age.secrets.nightscout.path ];
extraOptions = [ "--pod=cgm-repo" ];
dependsOn = [ "mongodb" ];
}; };
# Photo gallery # CGM repository database
pigallery2 = { mongodb = {
image = "bpatrik/pigallery2@sha256:c936e4504cfe7158198542a8db794b24afb0301155d89e911f13bd04e0b406c2"; image =
ports = [ "127.0.0.1:9191:80" ]; "mongo:4.4.9@sha256:0837a92d01bcc8c750a8d692ed4df33f0befd07ef261b23e7d9feda04bacd3eb";
volumes = [ volumes = [ "/vault/mongodb:/data/db" ];
"/vault/pigallery2/config:/app/data/config" extraOptions = [ "--pod=cgm-repo" ];
"/vault/pigallery2/db:/app/data/db"
"/vault/pigallery2/tmp:/app/data/tmp"
"/vault/syncthing/Photos:/app/data/images"
];
cmd = [
"-e"
"NODE_ENV=production"
];
}; };
}; };
}; };
}; };
# Allow networking between Cgm-Repo and MongoDB
systemd.services.create-cgm-repo-pod = {
serviceConfig.Type = "oneshot";
wantedBy = [ "podman-mongodb.service" ];
script = with pkgs; ''
${podman}/bin/podman pod exists cgm-repo || ${podman}/bin/podman pod create -n cgm-repo -p '127.0.0.1:1337:1337'
'';
};
# Start services after ZFS mount # Start services after ZFS mount
systemd.services.podman-mqtt2prometheus.unitConfig.RequiresMountsFor = [ /vault/mqtt2prometheus ]; systemd.services.podman-mongodb.unitConfig.RequiresMountsFor =
[ /vault/mongodb ];
systemd.services.podman-mqtt2prometheus.unitConfig.RequiresMountsFor =
[ /vault/mqtt2prometheus ];
} }

152
modules/datasync.nix
View File

@@ -1,10 +1,4 @@
{ { config, pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
{
# Syncthing configuration # Syncthing configuration
services.syncthing = { services.syncthing = {
@@ -13,102 +7,67 @@
guiAddress = "0.0.0.0:8384"; guiAddress = "0.0.0.0:8384";
dataDir = "/vault/syncthing"; dataDir = "/vault/syncthing";
key = config.age.secrets.syncthing.path; key = config.age.secrets.syncthing.path;
settings = { devices = {
extraOptions.options = { panacea.id =
maxFolderConcurrency = 4; "NF4SYEJ-RSGPDEF-CDEYC3A-JWZMKNC-KG4FVQP-CZ5HRFY-XM22BZD-N7B6VAH";
progressUpdateIntervalS = -1; caravanserai.id =
"MIRF73R-S7AV47R-VLWZUK2-TFCVQPV-FRYCPND-Y4VR3W2-ZAIQXZD-JAEQCAD";
};
folders = {
Documents = {
id = "wusdj-bfjkr";
type = "receiveonly";
path = "/vault/syncthing/Documents";
devices = [ "panacea" "caravanserai" ];
}; };
devices = {
panacea.id = "VEGVHKF-P4FT3BD-4T3ML7J-65URQOU-3XKNMI5-6LGWSCI-BIQZOUE-RKQ6PQX"; Notes = {
caravanserai.id = "XQAXYEU-FWLAFZM-GTZYDGH-AIRBEXI-4CZD365-JUBTHDA-GOXXOYV-E5LEYQE"; id = "kafhz-bfmzm";
type = "receiveonly";
path = "/vault/syncthing/Notes";
devices = [ "panacea" "caravanserai" ];
}; };
folders = {
Documents = {
id = "wusdj-bfjkr";
type = "receiveonly";
path = "/vault/syncthing/Documents";
devices = [
"panacea"
"caravanserai"
];
};
Notes = { Music = {
id = "kafhz-bfmzm"; id = "2aqt7-vpprc";
type = "receiveonly"; type = "receiveonly";
path = "/vault/syncthing/Notes"; path = "/vault/syncthing/Music";
devices = [ devices = [ "panacea" "caravanserai" ];
"panacea" };
"caravanserai"
];
};
Music = { Photos = {
id = "2aqt7-vpprc"; id = "mjibc-ustcg";
type = "receiveonly"; type = "receiveonly";
path = "/vault/syncthing/Music"; path = "/vault/syncthing/Photos";
devices = [ devices = [ "panacea" "caravanserai" ];
"panacea" };
"caravanserai"
];
};
Photos = { Projects = {
id = "mjibc-ustcg"; id = "cjhmu-avy9v";
type = "receiveonly"; type = "receiveonly";
path = "/vault/syncthing/Photos"; path = "/vault/syncthing/Projects";
devices = [ devices = [ "panacea" ];
"panacea" };
"caravanserai"
];
};
Projects = { Phone = {
id = "cjhmu-avy9v"; id = "m2007j20cg_vc7r-photos";
type = "receiveonly"; type = "receiveonly";
path = "/vault/syncthing/Projects"; path = "/vault/syncthing/Photos/Phone";
devices = [ "panacea" ]; devices = [ "panacea" "caravanserai" ];
}; };
Phone = { Files = {
id = "m2007j20cg_vc7r-photos"; id = "tsk52-u6rbk";
type = "receiveonly"; type = "receiveonly";
path = "/vault/syncthing/Photos/Phone"; path = "/vault/syncthing/Files";
devices = [ devices = [ "panacea" "caravanserai" ];
"panacea" };
"caravanserai"
];
};
Files = { Phone-screenshots = {
id = "tsk52-u6rbk"; id = "pp70r-pbr70";
type = "receiveonly"; type = "receiveonly";
path = "/vault/syncthing/Files"; path = "/vault/syncthing/Photos/Phone-screenshots";
devices = [ devices = [ "panacea" "caravanserai" ];
"panacea"
"caravanserai"
];
};
Phone-screenshots = {
id = "pp70r-pbr70";
type = "receiveonly";
path = "/vault/syncthing/Photos/Phone-screenshots";
devices = [
"panacea"
"caravanserai"
];
};
Audio = {
id = "tarrs-5mxck";
type = "receiveonly";
path = "/vault/syncthing/Audio";
devices = [
"panacea"
"caravanserai"
];
};
}; };
}; };
}; };
@@ -139,7 +98,8 @@
}; };
# Start services after ZFS mount # Start services after ZFS mount
systemd.services.syncthing.unitConfig.RequiresMountsFor = [ /vault/syncthing ]; systemd.services.syncthing.unitConfig.RequiresMountsFor =
[ /vault/syncthing ];
systemd.services.radicale.unitConfig.RequiresMountsFor = [ /vault/radicale ]; systemd.services.radicale.unitConfig.RequiresMountsFor = [ /vault/radicale ];
} }

40
modules/device.nix Normal file
View File

@@ -0,0 +1,40 @@
{ config, lib, pkgs, ... }:
with pkgs;
{
# A bunch of boot parameters needed for optimal runtime on RPi 4B
boot.kernelPackages = linuxPackages_rpi4;
boot.kernelParams = [
"zfs.zfs_arc_max=134217728"
"console=TTYAMA0,115200"
"console=tty1"
"8250.nr_uarts=1"
"iomem=relaxed"
"strict-devmem=0"
];
# Enable SATA-HAT GPIO features
boot.loader = {
grub.enable = false;
generic-extlinux-compatible.enable = lib.mkForce false;
raspberryPi = {
enable = true;
version = 4;
firmwareConfig = ''
iomem=relaxed
strict-devmem=0
dtoverlay=w1-gpio
'';
};
};
boot.kernelModules = [ "pwm_bcm2835" "w1-gpio" "w1-therm" ];
# Load PWM hardware timers
hardware.raspberry-pi."4".pwm0.enable = true;
# Enable I2C
hardware.raspberry-pi."4".i2c1.enable = true;
}

14
modules/devops.nix
View File

@@ -1,10 +1,4 @@
{ { config, pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
{
# Set up Gitea with LFS support # Set up Gitea with LFS support
services.gitea = { services.gitea = {
enable = true; enable = true;
@@ -21,10 +15,10 @@
settings = { settings = {
server = { server = {
DISABLE_SSH = true; DISABLE_SSH = true;
DOMAIN = "git.psydnd.org"; DOMAIN = "git.coolneng.duckdns.org";
ROOT_URL = "https://git.psydnd.org"; ROOTURL = "https://git.coolneng.duckdns.org";
}; };
service.DISABLE_REGISTRATION = true; ui.DEFAULT_THEME = "arc-green";
session.COOKIE_SECURE = true; session.COOKIE_SECURE = true;
actions.ENABLED = true; actions.ENABLED = true;
}; };

141
modules/hardware-configuration.nix
View File

@@ -4,55 +4,130 @@
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
imports = imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "sd_mod" ]; boot.initrd.availableKernelModules = [ "xhci_pci" "usb_storage" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" = {
{ device = "sysion/stateful/root"; device = "sysion/root";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/nix" = fileSystems."/nix" = {
{ device = "sysion/ephemeral/nix"; device = "sysion/root/nix";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/tmp" = fileSystems."/home" = {
{ device = "sysion/ephemeral/tmp"; device = "sysion/home";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/home/coolneng" = fileSystems."/boot" = {
{ device = "sysion/stateful/home"; device = "/dev/disk/by-uuid/06AD-825C";
fsType = "zfs"; fsType = "vfat";
}; };
fileSystems."/boot" = fileSystems."/var/lib/prometheus2" = {
{ device = "/dev/disk/by-uuid/C332-4650"; device = "vault/state_directories/prometheus";
fsType = "vfat"; fsType = "zfs";
options = [ "fmask=0022" "dmask=0022" ]; };
};
fileSystems."/var/lib/gitea" = {
device = "vault/state_directories/gitea";
fsType = "zfs";
};
fileSystems."/var/lib/matrix-as-facebook" = {
device = "vault/state_directories/matrix-as-facebook";
fsType = "zfs";
};
fileSystems."/var/lib/signald" = {
device = "vault/state_directories/signald";
fsType = "zfs";
};
fileSystems."/var/lib/matrix-as-signal" = {
device = "vault/state_directories/matrix-as-signal";
fsType = "zfs";
};
fileSystems."/vault" = {
device = "vault";
fsType = "zfs";
};
fileSystems."/var/lib/matrix-as-telegram" = {
device = "vault/state_directories/matrix-as-telegram";
fsType = "zfs";
};
fileSystems."/vault/backups" = {
device = "vault/backups";
fsType = "zfs";
};
fileSystems."/vault/mosquitto" = {
device = "vault/mosquitto";
fsType = "zfs";
};
fileSystems."/vault/radicale" = {
device = "vault/radicale";
fsType = "zfs";
};
fileSystems."/vault/git" = {
device = "vault/git";
fsType = "zfs";
};
fileSystems."/vault/syncthing" = {
device = "vault/syncthing";
fsType = "zfs";
};
fileSystems."/vault/backups/zion" = {
device = "vault/backups/zion";
fsType = "zfs";
};
fileSystems."/vault/backups/monolith" = {
device = "vault/backups/monolith";
fsType = "zfs";
};
fileSystems."/var/lib/wallabag" = {
device = "vault/state_directories/wallabag";
fsType = "zfs";
};
fileSystems."/var/lib/containers/storage/overlay" = {
device = "/var/lib/containers/storage/overlay";
fsType = "none";
options = [ "bind" ];
};
swapDevices = swapDevices =
[ { device = "/dev/disk/by-uuid/d388feef-a651-4dae-8161-f666136de240"; } [{ device = "/dev/disk/by-uuid/835f9dd4-cc27-4443-b5e1-381c2f4b2afc"; }];
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction # still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true; networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s0.useDHCP = lib.mkDefault true; # networking.interfaces.cni-podman0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0.useDHCP = lib.mkDefault true; # networking.interfaces.end0.useDHCP = lib.mkDefault true;
# networking.interfaces.veth25ee5d84.useDHCP = lib.mkDefault true;
# networking.interfaces.veth6e46f8d7.useDHCP = lib.mkDefault true;
# networking.interfaces.veth8506af14.useDHCP = lib.mkDefault true;
# networking.interfaces.wg0.useDHCP = lib.mkDefault true; # networking.interfaces.wg0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true; # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
} }

48
modules/information.nix
View File

@@ -1,44 +1,34 @@
{ { config, lib, pkgs, ... }:
config,
lib,
pkgs,
...
}:
{ {
# Miniflux configuration # Miniflux configuration
services.miniflux = { services.miniflux = {
enable = true; enable = true;
adminCredentialsFile = config.age.secrets.miniflux.path; adminCredentialsFile = config.age.secrets.miniflux.path;
}; config = {
BASE_URL = "https://rss.coolneng.duckdns.org";
# Microbin configuration RUN_MIGRATIONS = "1";
services.microbin = { DISABLE_HSTS = "1";
enable = true;
passwordFile = config.age.secrets.microbin.path;
settings = {
MICROBIN_PORT = 9091;
MICROBIN_PUBLIC_PATH = "https://bin.psydnd.org";
MICROBIN_QR = true;
MICROBIN_WIDE = true;
}; };
}; };
# Readeck configuration # Php-fpm pool for Wallabag
services.readeck = { services.phpfpm.pools.wallabag = {
enable = true; user = "nginx";
group = "nginx";
settings = { settings = {
server = { "listen.owner" = config.services.nginx.user;
host = "127.0.0.1"; "listen.group" = config.services.nginx.group;
port = 9092; "listen.mode" = 600;
allowed_hosts = [ "read.psydnd.org" ]; "pm" = "ondemand";
trusted_proxies = [ "127.0.0.1" ]; "pm.max_children " = 4;
environmentFile = config.age.secrets.readeck.path; "pm.max_requests" = 32;
}; "env[WALLABAG_DATA]" = "/var/lib/wallabag";
}; };
phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
}; };
# NOTE Load credentials using environment variables # Set environment variable pointing to wallabag configuration directory
systemd.services.readeck.serviceConfig.EnvironmentFile = config.age.secrets.readeck.path; environment.variables.WALLABAG_DATA = "/var/lib/wallabag";
} }

57
modules/monitoring.nix
View File

@@ -1,9 +1,4 @@
{ { config, lib, pkgs, ... }:
config,
lib,
pkgs,
...
}:
with pkgs; with pkgs;
@@ -51,39 +46,55 @@ with pkgs;
services.prometheus = { services.prometheus = {
enable = true; enable = true;
port = 9001; port = 9001;
retentionTime = "10y"; retentionTime = "1y";
extraFlags = [ "--web.enable-admin-api" ];
exporters = { exporters = {
node = { node = {
enable = true; enable = true;
enabledCollectors = [ "systemd" ]; enabledCollectors = [ "systemd" ];
port = 9002; port = 9002;
}; };
zfs.enable = true;
wireguard.enable = true;
postgres.enable = true; postgres.enable = true;
smartctl.enable = true; smartctl.enable = true;
dnsmasq.enable = true;
nginx = {
enable = true;
scrapeUri = "http://localhost:8282/nginx_status";
};
}; };
scrapeConfigs = [ scrapeConfigs = [{
{ job_name = "zion";
job_name = "zion"; static_configs = [{
static_configs = [ targets = [
{ "localhost:${toString config.services.prometheus.exporters.node.port}"
targets = [ "localhost:${toString config.services.prometheus.exporters.zfs.port}"
"localhost:${toString config.services.prometheus.exporters.node.port}" "localhost:${
"localhost:${toString config.services.prometheus.exporters.postgres.port}" toString config.services.prometheus.exporters.wireguard.port
"localhost:${toString config.services.prometheus.exporters.smartctl.port}" }"
"localhost:9641" # MQTT2Prometheus "localhost:${
]; toString config.services.prometheus.exporters.postgres.port
} }"
"localhost:${
toString config.services.prometheus.exporters.smartctl.port
}"
"localhost:${
toString config.services.prometheus.exporters.dnsmasq.port
}"
"localhost:${
toString config.services.prometheus.exporters.nginx.port
}"
"localhost:9641"
]; ];
} }];
]; }];
}; };
# Grafana configuration # Grafana configuration
services.grafana = { services.grafana = {
enable = true; enable = true;
settings.server = { settings.server = {
domain = "grafana.psydnd.org"; domain = "grafana.coolneng.duckdns.org";
http_port = 9009; http_port = 9009;
http_addr = "127.0.0.1"; http_addr = "127.0.0.1";
}; };

139
modules/networking.nix
View File

@@ -1,19 +1,12 @@
{ { config, pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
let let wireguard_port = 1194;
wireguard_port = 1194;
in in {
{
# Enable systemd-networkd # Enable systemd-networkd
networking = { networking = {
hostName = "zion"; hostName = "zion";
hostId = "760bfad7"; hostId = "4e74ea68";
useDHCP = false; useDHCP = false;
useNetworkd = true; useNetworkd = true;
dhcpcd.enable = false; dhcpcd.enable = false;
@@ -22,40 +15,32 @@ in
# Assign a static IP # Assign a static IP
systemd.network.networks."24-home" = { systemd.network.networks."24-home" = {
name = "enp2s0"; name = "end0";
matchConfig.Name = "enp2s0"; matchConfig.Name = "end0";
address = [ "192.168.128.2/23" ]; address = [ "192.168.13.2/24" ];
gateway = [ "192.168.128.1" ]; gateway = [ "192.168.13.1" ];
dns = [ dns = [ "192.168.13.2" ];
"127.0.0.1"
"::1"
];
networkConfig.DNSSEC = "no"; networkConfig.DNSSEC = "no";
}; };
# Dynamic DNS configuration # Enable zeroconf
services.inadyn = { services.avahi = {
enable = true; enable = true;
interval = "*:0/30"; nssmdns = true;
settings.provider."duckdns" = { openFirewall = true;
hostname = "coolneng.duckdns.org"; publish = {
include = config.age.secrets.inadyn-duckdns.path; enable = true;
userServices = true;
}; };
}; };
# Dynamic DNS configuration for Porkbun # Dynamic DNS configuration
# NOTE Temporary workaround until Inadyn fixes the Porkbun module services.ddclient = {
services.oink = {
enable = true; enable = true;
apiKeyFile = config.age.secrets.inadyn-porkbun.path; quiet = true;
secretApiKeyFile = config.age.secrets.inadyn-porkbun-secret.path; protocol = "duckdns";
settings.interval = 1800; domains = [ "coolneng.duckdns.org" ];
domains = [ passwordFile = config.age.secrets.ddclient.path;
{
domain = "psydnd.org";
subdomain = "";
}
];
}; };
# Firewall configuration # Firewall configuration
@@ -75,9 +60,6 @@ in
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${ iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${
config.systemd.network.networks."24-home".name config.systemd.network.networks."24-home".name
} -j MASQUERADE } -j MASQUERADE
ip6tables -t nat -A POSTROUTING -s fd00::0/128 -o ${
config.systemd.network.networks."24-home".name
} -j MASQUERADE
''; '';
}; };
@@ -94,27 +76,17 @@ in
wireguardPeers = [ wireguardPeers = [
# panacea # panacea
{ {
PublicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38="; wireguardPeerConfig = {
AllowedIPs = [ PublicKey = "XMkTztU2Y8hw6Fu/2o4Gszij+EmNacvFMXuZyHS1n38=";
"10.8.0.2/32" AllowedIPs = [ "10.8.0.2/32" ];
"fd00::2/128" };
];
} }
# caravanserai # caravanserai
{ {
PublicKey = "mCsTj09H7lfDDs8vMQkJOlItHtHQ6MPUyfGO5ZjBbVs="; wireguardPeerConfig = {
AllowedIPs = [ PublicKey = "eeKfAgMisM3K4ZOErev05RJ9LS2NLqL4x9jyi4XhM1Q=";
"10.8.0.3/32" AllowedIPs = [ "10.8.0.3/32" ];
"fd00::3/128" };
];
}
# kathreftis
{
PublicKey = "qfHtv6LSZjtxvH46d8pysr+/yPo2tV9cZumgIpxBNF4=";
AllowedIPs = [
"10.8.0.4/32"
"fd00::4/128"
];
} }
]; ];
}; };
@@ -122,25 +94,12 @@ in
systemd.network.networks."wg0" = { systemd.network.networks."wg0" = {
matchConfig.Name = "wg0"; matchConfig.Name = "wg0";
networkConfig = { networkConfig = {
Address = [ Address = "10.8.0.1/24";
"10.8.0.1/24" IPForward = true;
"fd00::1/128" IPMasquerade = "ipv4";
];
IPv4Forwarding = true;
IPv6Forwarding = true;
}; };
}; };
# Disable systemd-resolved DNS stub
services.resolved = {
enable = true;
llmnr = "false";
extraConfig = ''
MulticastDNS=yes
DNSStubListener=no
'';
};
# DNS server with ad-block # DNS server with ad-block
services.dnsmasq = { services.dnsmasq = {
enable = true; enable = true;
@@ -149,40 +108,16 @@ in
bogus-priv = true; bogus-priv = true;
no-resolv = true; no-resolv = true;
listen-address = [ listen-address = [ "127.0.0.1" "192.168.13.2" "10.8.0.1" ];
"127.0.0.1"
"192.168.128.2"
"10.8.0.1"
"::1"
"fd00::1"
];
bind-interfaces = true; bind-interfaces = true;
server = [ "127.0.0.1#43" ]; server = [ "51.158.108.203" "137.220.55.93" ];
cache-size = 10000; cache-size = 10000;
local-ttl = 300; local-ttl = 300;
conf-file = "${pkgs.dnsmasq}/share/dnsmasq/trust-anchors.conf"; conf-file = "/var/lib/dnsmasq/dnsmasq.blacklist.txt";
dnssec = false;
address = "/psydnd.org/192.168.128.2";
};
};
# Encrypted DNS address = "/coolneng.duckdns.org/192.168.13.2";
services.dnscrypt-proxy = {
enable = true;
upstreamDefaults = true;
settings = {
listen_addresses = [
"127.0.0.1:43"
"[::1]:43"
];
sources.public-resolvers = {
urls = [ "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" ];
cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
};
blocked_names.blocked_names_file = "/var/lib/dnscrypt-proxy/blocklist.txt";
}; };
}; };

56
modules/periodic.nix
View File

@@ -1,16 +1,10 @@
{ { config, lib, pkgs, ... }:
config,
lib,
pkgs,
...
}:
let let
stateDir = "/var/lib/dnscrypt-proxy"; stateDir = "/var/lib/dnsmasq";
blocklist = "${stateDir}/blocklist.txt"; blocklist = "${stateDir}/dnsmasq.blacklist.txt";
in in {
{
# PostgreSQL daily backups # PostgreSQL daily backups
services.postgresqlBackup = { services.postgresqlBackup = {
enable = true; enable = true;
@@ -20,21 +14,51 @@ in
}; };
# Fetch hosts-blocklists daily # Fetch hosts-blocklists daily
# TODO Download the list if the file doesn't exist the first time # FIXME Download the list if the file doesn't exist the first time
systemd.services.download-dns-blocklist = { systemd.services.download-dns-blocklist = {
description = "Download hosts-blocklists"; description = "Download hosts-blocklists";
wantedBy = [ "default.target" ]; wantedBy = [ "default.target" ];
path = with pkgs; [ path = with pkgs; [ curl coreutils ];
curl
coreutils
];
script = '' script = ''
curl -L https://download.dnscrypt.info/blacklists/domains/mybase.txt -o ${blocklist} curl -L https://github.com/notracking/hosts-blocklists/raw/master/dnsmasq/dnsmasq.blacklist.txt -o ${blocklist}
sed "/cainiao/d" -i ${blocklist}
''; '';
serviceConfig.Type = "oneshot"; serviceConfig.Type = "oneshot";
postStop = ''
chown -R dnsmasq ${stateDir}
'';
requiredBy = [ "dnsmasq.service" ];
after = [ "wireguard-wg0.service" ];
startAt = "02:00:00"; startAt = "02:00:00";
}; };
# Enable SATA HAT fans
systemd.services.sata-hat = {
description = "Enable software support for SATA Hat";
wantedBy = [ "default.target" ];
script = ''
${pkgs.bash}/bin/bash -c "/home/coolneng/system/scripts/SATA-hat.sh on"
'';
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "yes";
ExecStop = ''
${pkgs.bash}/bin/bash -c "/home/coolneng/system/scripts/SATA-hat.sh off"
'';
};
};
# Idle HDDs when not used
systemd.services.hd-idle = {
description = "Idle HDDs when not in use";
wantedBy = [ "default.target" ];
path = with pkgs; [ hd-idle ];
script = "${pkgs.hd-idle}/bin/hd-idle";
serviceConfig.Type = "simple";
requires = [ "sata-hat.service" ];
after = [ "vault.mount" ];
};
# Push zion changes to git daily # Push zion changes to git daily
systemd.user.services.zion-push = { systemd.user.services.zion-push = {
description = "Push zion changes to git"; description = "Push zion changes to git";

179
modules/webstack.nix
View File

@@ -1,21 +1,17 @@
# Web services configuration # Web services configuration
{ { config, pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
{
# Reverse proxy configuration # Reverse proxy configuration
services.nginx = { services.nginx = {
enable = true; enable = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
recommendedBrotliSettings = true; recommendedGzipSettings = true;
recommendedProxySettings = true; recommendedProxySettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedBrotliSettings = true;
clientMaxBodySize = "0"; clientMaxBodySize = "0";
sslCiphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128"; sslCiphers =
"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
sslProtocols = "TLSv1.2 TLSv1.3"; sslProtocols = "TLSv1.2 TLSv1.3";
sslDhparam = "/var/lib/dhparams/nginx.pem"; sslDhparam = "/var/lib/dhparams/nginx.pem";
commonHttpConfig = '' commonHttpConfig = ''
@@ -34,12 +30,17 @@
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
''; '';
virtualHosts = { virtualHosts = {
# Old domain being redirected
"coolneng.duckdns.org" = { "coolneng.duckdns.org" = {
useACMEHost = "coolneng.duckdns.org"; enableACME = true;
forceSSL = true; forceSSL = true;
# Redirect from legacy subdirectory URL to subdomain
locations = { locations = {
"/".return = "301 https://psydnd.org$request_uri"; "/radicale/".return = "301 https://radicale.coolneng.duckdns.org";
"/syncthing/".return = "301 https://sync.coolneng.duckdns.org";
"/gitea/".extraConfig =
"rewrite ^/gitea/(.*)$ https://git.coolneng.duckdns.org/$1 last;";
"/miniflux/".extraConfig =
"rewrite ^/miniflux/(.*)$ https://rss.coolneng.duckdns.org/$1 last;";
# Delegation for Matrix # Delegation for Matrix
"/.well-known/" = { "/.well-known/" = {
alias = "${../well-known}" + "/"; alias = "${../well-known}" + "/";
@@ -51,19 +52,8 @@
}; };
}; };
}; };
# Redirect subdomains "radicale.coolneng.duckdns.org" = {
"~^(?<subdomain>.+)\.coolneng\.duckdns\.org$" = { enableACME = true;
useACMEHost = "coolneng.duckdns.org";
forceSSL = true;
locations."/".return = "301 https://$subdomain.psydnd.org$request_uri";
};
# Current domain
"psydnd.org" = {
useACMEHost = "psydnd.org";
forceSSL = true;
};
"radicale.psydnd.org" = {
useACMEHost = "psydnd.org";
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
proxyPass = "http://localhost:5232/"; proxyPass = "http://localhost:5232/";
@@ -73,33 +63,32 @@
''; '';
}; };
}; };
"sync.psydnd.org" = { "sync.coolneng.duckdns.org" = {
useACMEHost = "psydnd.org"; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/".proxyPass = "http://localhost:8384/"; locations."/".proxyPass = "http://localhost:8384/";
}; };
"git.psydnd.org" = { "git.coolneng.duckdns.org" = {
useACMEHost = "psydnd.org"; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
proxyPass = "http://localhost:3000/"; proxyPass = "http://localhost:3000/";
extraConfig = '' extraConfig = ''
${config.services.nginx.commonHttpConfig} ${config.services.nginx.commonHttpConfig}
# Disable embedding as a frame, except from the same origin # Disable embedding as a frame, except from the same origin
add_header Content-Security-Policy "frame-src git.psydnd.org; frame-ancestors git.psydnd.org"; add_header Content-Security-Policy "frame-src git.coolneng.duckdns.org; frame-ancestors git.coolneng.duckdns.org";
''; '';
}; };
}; };
"rss.psydnd.org" = { "rss.coolneng.duckdns.org" = {
useACMEHost = "psydnd.org"; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/".proxyPass = "http://localhost:8080/"; locations."/".proxyPass = "http://localhost:8080/";
}; };
"matrix.psydnd.org" = { "matrix.coolneng.duckdns.org" = {
useACMEHost = "psydnd.org"; enableACME = true;
forceSSL = true; forceSSL = true;
listen = [ listen = [
# IPv4
{ {
addr = "0.0.0.0"; addr = "0.0.0.0";
port = 8448; port = 8448;
@@ -110,32 +99,48 @@
port = 443; port = 443;
ssl = true; ssl = true;
} }
# IPv6
{
addr = "[::]";
port = 8448;
ssl = true;
}
{
addr = "[::]";
port = 443;
ssl = true;
}
]; ];
locations."~ ^(/_matrix|/_synapse/client)".proxyPass = "http://localhost:8008"; locations."~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://localhost:8008";
extraConfig = ''
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
}; };
"element.psydnd.org" = { "element.coolneng.duckdns.org" = {
useACMEHost = "psydnd.org"; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/".root = pkgs.element-web.override { locations."/".root = pkgs.element-web.override {
conf.default_server_config = { conf.default_server_config = {
"m.homeserver"."base_url" = "https://matrix.psydnd.org"; "m.homeserver"."base_url" = "https://matrix.coolneng.duckdns.org";
"m.identity_server"."base_url" = "https://vector.im"; "m.identity_server"."base_url" = "https://vector.im";
}; };
}; };
}; };
"books.psydnd.org" = { "wallabag.coolneng.duckdns.org" = {
useACMEHost = "psydnd.org"; enableACME = true;
forceSSL = true;
root = "${pkgs.wallabag}/web";
locations = {
"/".tryFiles = "$uri /app.php$is_args$args";
"/assets".root = "${config.environment.variables.WALLABAG_DATA}/web";
"~ ^/app.php(/|$)" = {
fastcgiParams = {
SCRIPT_FILENAME = "${pkgs.wallabag}/web/$fastcgi_script_name";
DOCUMENT_ROOT = "${pkgs.wallabag}/web";
};
extraConfig = ''
fastcgi_pass unix:${config.services.phpfpm.pools.wallabag.socket};
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include ${pkgs.nginx}/conf/fastcgi_params;
internal;
'';
};
};
};
"books.coolneng.duckdns.org" = {
enableACME = true;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
proxyPass = "http://localhost:9000/"; proxyPass = "http://localhost:9000/";
@@ -146,33 +151,35 @@
''; '';
}; };
}; };
"grafana.psydnd.org" = { "grafana.coolneng.duckdns.org" = {
useACMEHost = "psydnd.org"; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
proxyPass = "http://localhost:9009/"; proxyPass = "http://localhost:9009/";
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
"podcast.psydnd.org" = { "/nginx_status/" = {
useACMEHost = "psydnd.org"; listen = [{
forceSSL = true; addr = "127.0.0.1";
locations."/".proxyPass = "http://localhost:9090/"; port = 8282;
}];
extraConfig = ''
stub_status on;
access_log off;
allow 127.0.0.1;
deny all;
'';
}; };
"bin.psydnd.org" = { "nightscout.coolneng.duckdns.org" = {
useACMEHost = "psydnd.org"; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/".proxyPass = "http://localhost:9091/"; locations."/" = {
}; proxyPass = "http://localhost:1337";
"read.psydnd.org" = { extraConfig = ''
useACMEHost = "psydnd.org"; proxy_set_header X-Forwarded-For $remote_addr;
forceSSL = true; '';
locations."/".proxyPass = "http://localhost:9092/"; };
};
"photos.psydnd.org" = {
useACMEHost = "psydnd.org";
forceSSL = true;
locations."/".proxyPass = "http://localhost:9191/";
}; };
}; };
}; };
@@ -180,36 +187,19 @@
# ACME certs configuration # ACME certs configuration
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults = { defaults.email = "akasroua@gmail.com";
email = "akasroua@disroot.org";
group = "nginx";
};
certs = {
"coolneng.duckdns.org" = {
domain = "*.coolneng.duckdns.org";
dnsProvider = "duckdns";
environmentFile = config.age.secrets.acme-duckdns.path;
};
"psydnd.org" = {
domain = "psydnd.org";
extraDomainNames = [ "*.psydnd.org" ];
dnsProvider = "porkbun";
environmentFile = config.age.secrets.acme-porkbun.path;
};
};
}; };
# Generate dhparams # Generate dhparams
security.dhparams = { security.dhparams = {
enable = true; enable = true;
defaultBitSize = 4096; params.nginx.bits = 2048;
params.nginx.bits = 4096;
}; };
# PostgreSQL databases configuration # PostgreSQL databases configuration
services.postgresql = { services.postgresql = {
enable = true; enable = true;
package = pkgs.postgresql_16; package = pkgs.postgresql_15;
authentication = lib.mkForce '' authentication = lib.mkForce ''
# Generated file; do not edit! # Generated file; do not edit!
# TYPE DATABASE USER ADDRESS METHOD # TYPE DATABASE USER ADDRESS METHOD
@@ -219,7 +209,7 @@
''; '';
settings = { settings = {
max_connections = "300"; max_connections = "300";
shared_buffers = "1024MB"; shared_buffers = "512MB";
}; };
}; };
@@ -230,9 +220,10 @@
"miniflux.service" "miniflux.service"
"radicale.service" "radicale.service"
"dendrite.service" "dendrite.service"
"grafana.service" "phpfpm-wallabag.service"
"systemd-tmpfiles-setup.service"
"podman-openbooks.service" "podman-openbooks.service"
"podman-mqtt2prometheus.service" "podman-mqtt2prometheus.service"
"podman-opodsync.service" "podman-nightscout.service"
]; ];
} }

68
scripts/SATA-hat.sh Executable file
View File

@@ -0,0 +1,68 @@
#!/bin/sh
BASE_PATH=/sys/class
GPIO_PATH="$BASE_PATH"/gpio
PWM_PATH="$BASE_PATH"/pwm/pwmchip0
# GPIO pins
CPU_FAN=12
# Values
LOW=0
HIGH=1
export_pin() {
if [ ! -e $GPIO_PATH/gpio"$1" ]; then
echo "$1" >$GPIO_PATH/export
fi
}
unexport_pin() {
if [ -e $GPIO_PATH/gpio"$1" ]; then
echo "$1" >$GPIO_PATH/unexport
fi
}
set_gpio() {
export_pin "$1"
echo "out" >$GPIO_PATH/gpio"$1"/direction
echo "$2" >$GPIO_PATH/gpio"$1"/value
if [ "$3" = "clean" ]; then
unexport_pin "$1"
fi
}
enable_pwm_channel() {
echo "$1" >$PWM_PATH/export
echo 40000 >$PWM_PATH/pwm"$1"/period
echo 30000 >$PWM_PATH/pwm"$1"/duty_cycle
echo 1 >$PWM_PATH/pwm"$1"/enable
}
set_pwm() {
if [ "$1" = "clean" ]; then
echo 1 >$PWM_PATH/unexport
else
enable_pwm_channel 1
fi
}
turn_on() {
set_gpio $CPU_FAN $HIGH
set_pwm
}
turn_off() {
set_gpio $CPU_FAN $LOW clean
set_pwm clean
}
trap turn_off INT
if [ "$1" = "on" ]; then
turn_on
else
turn_off
fi
exit 0

66
scripts/install.sh
View File

@@ -1,66 +0,0 @@
#!/bin/sh
partition_disk() {
parted "$DISK" -- mklabel gpt
parted "$DISK" -- mkpart ESP fat32 1MiB 1025MiB
parted "$DISK" -- mkpart linux-swap 1025MiB 17409MiB
parted "$DISK" -- mkpart primary 17409MiB 100%
parted "$DISK" -- set 1 boot on
mkfs.fat -F32 -n BOOT "$DISK"p1
mkswap "$DISK"p2
swapon "$DISK"p2
}
zfs_setup() {
zpool import -f vault
zpool create -f -o ashift=12 -o autotrim=on -O acltype=posixacl -O relatime=on \
-O xattr=sa -O dnodesize=legacy -O normalization=formD -O mountpoint=none \
-O canmount=off -O devices=off -R /mnt -O compression=zstd "$POOL_NAME" "$DISK"p3
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false "$POOL_NAME"/ephemeral
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false "$POOL_NAME"/ephemeral/nix
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false -o sync=disabled -o setuid=off "$POOL_NAME"/ephemeral/tmp
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false "$POOL_NAME"/stateful
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=true "$POOL_NAME"/stateful/home
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=false "$POOL_NAME"/stateful/root
}
mount_datasets() {
mount -t zfs sysion/stateful/root /mnt
mkdir -p /mnt/boot
mount "$DISK"p1 /mnt/boot
mkdir -p /mnt/home/coolneng
mount -t zfs sysion/stateful/home /mnt/home/coolneng
mkdir -p /mnt/nix
mount -t zfs sysion/ephemeral/nix /mnt/nix
mkdir -p /mnt/tmp
mount -t zfs sysion/ephemeral/tmp /mnt/tmp
}
install_system() {
nixos-generate-config --root /mnt
mv /mnt/etc/nixos/hardware-configuration.nix modules/hardware-configuration.nix
nix-shell -p git --command "nixos-install --root /mnt --flake .#zion"
}
usage() {
echo "Usage: install.sh <disk>"
echo "disk: full path to the disk (e.g. /dev/sda)"
exit 1
}
if [ $# != 1 ]; then
usage
fi
DISK="$1"
POOL_NAME="sysion"
echo "Let's start by partitioning the disk"
partition_disk
echo "Starting up the ZFS machinery"
zfs_setup
echo "Mounting the horse"
mount_datasets
echo "Lift off to the NixOS planet"
install_system
echo "All ready, time to rejoice"

49
scripts/motd.sh
View File

@@ -20,31 +20,36 @@ echo "============================================================
- System uptime.......: $upDays days $upHours hours $upMins minutes $upSecs seconds - System uptime.......: $upDays days $upHours hours $upMins minutes $upSecs seconds
============================================================" ============================================================"
services=( services=(
"syncthing.service" "syncthing.service"
"radicale.service" "radicale.service"
"miniflux.service" "miniflux.service"
"gitea.service" "phpfpm-wallabag.service"
"dendrite.service" "gitea.service"
"nginx.service" "dendrite.service"
"dnsmasq.service" "matrix-as-telegram.service"
"dnscrypt-proxy.service" "matrix-as-facebook.service"
"podman-openbooks.service" "matrix-as-signal.service"
"mosquitto.service" "signald.service"
"podman-mqtt2prometheus.service" "nginx.service"
"prometheus.service" "dnsmasq.service"
"grafana.service" "podman-openbooks.service"
"mosquitto.service"
"podman-mqtt2prometheus.service"
"prometheus.service"
"grafana.service"
"podman-nightscout.service"
) )
for var in "${services[@]}"; do for var in "${services[@]}"; do
if [[ -z $var ]]; then if [[ -z $var ]]; then
printf "\n" printf "\n"
else else
if systemctl -q is-active "${var}"; then if systemctl -q is-active "${var}"; then
printf "%-40s [\e[32mOK\e[39m]\n" "$var" printf "%-40s [\e[32mOK\e[39m]\n" "$var"
else else
printf "%-40s [\e[31mFAIL\e[39m]\n" "$var" printf "%-40s [\e[31mFAIL\e[39m]\n" "$var"
fi fi
fi fi
done done
echo "============================================================" echo "============================================================"

BIN
secrets/acme-duckdns.age
View File

Binary file not shown.

5
secrets/acme-porkbun.age
View File

@@ -1,5 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 iUaRGg 7JImhL2Wo/eJEwUGP+NhEf36yq5gHO9q1GYhY2HaMAY
eAMhD0sqHQS+aayBpOsY8+081i72QAhJCFbBe0//uwU
--- 4K8cXsDuWZrmWNJ+rz166ej9o/gLFc7CfJuzAsG0BxA
|.<2E><><EFBFBD> f<><66>f<EFBFBD>=<1D>-<2D>X$P<>:

8
secrets/ddclient.age Normal file
View File

@@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 iUaRGg mRkPNMBvRfbwb3GjcWWJ42RiJn4wxMdczvL2OJFagkY
jCqCSE2MMx74ZvXabmyHfI4jC6lwhtgrTSqjAflUksw
-> vH/-grease []_Tx" cZfV JHS /x/
SK1DATphyeQv8pjoNXTlQrRKQwn8oItd6xrhSic7fmxzmuKTQiPE
--- ObilbWkclfLnmjVql03OamXitnFgYnzfoZ04oq3XO1k
<EFBFBD>iy<13>݌1k{<7B><>OJ3<1F>H<EFBFBD>N<><4E><11><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>%y<><1D><> <0C><>JA<4A>8<EFBFBD><38>
'<27>N<EFBFBD><4E>%<25><><EFBFBD><EFBFBD><EFBFBD>L@<12>6 &<26><>

BIN
secrets/facebook.age
View File

Binary file not shown.

6
secrets/inadyn-duckdns.age
View File

@@ -1,6 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 iUaRGg XMrsd1RQcDq/SpFtqpB4Gj1keCvJsMB+VA58qZirYA4
tf8NQzoEYJXlKBjtX4ZplaPQv51RCW9yHulvKZB8c8g
--- 5wZntAZCQ4pGYrgDFd63w6Y+Taaatcw5z0tDSvShi30
<EFBFBD><EFBFBD>4<EFBFBD><EFBFBD><EFBFBD>Ɖq3<EFBFBD>&
><0E>4<EFBFBD><34>J<EFBFBD>?<3F><0F><> QW<51>jZ<:'<<16>x(<28>Y<16>i<EFBFBD>ZDO#<23>w<7F><77>R<EFBFBD><52><EFBFBD>O@2<>cAj (f<><66><EFBFBD><EFBFBD>M<EFBFBD><4D><EFBFBD>

5
secrets/inadyn-porkbun-secret.age
View File

@@ -1,5 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 iUaRGg paS5BxWWicriSLAZyCBKd2xylLAp4/LcHmogO7me8yQ
MWW/Pkvn+4G4YeYXY9ZPXC92TbcFXQMyHJ2ltFzXpZs
--- ZdFfQ7tHfEo+u/0MmigCNh6OIxkd2bimRN30rMUs1ks
<EFBFBD>9<EFBFBD>7Y<EFBFBD>$B<>sX<0E>ʽb<CABD>O'J<><4A>S'<27>5!<21><>UMʯ-v<>m<EFBFBD><6D><EFBFBD><EFBFBD><EFBFBD>8%|R,<2C>~I<><14><>G<EFBFBD><47>VQE<0E>0D<30>:Qv<<1E><>)<29> <0B><>%fc<66><63>XZչ 7+yB

BIN
secrets/inadyn-porkbun.age
View File

Binary file not shown.

BIN
secrets/microbin.age
View File

Binary file not shown.

BIN
secrets/nightscout.age Normal file
View File

Binary file not shown.

BIN
secrets/readeck.age
View File

Binary file not shown.

17
secrets/secrets.nix
View File

@@ -1,11 +1,12 @@
let let
zion = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW"; zion =
in "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW";
{ in {
"wireguard.age".publicKeys = [ zion ]; "wireguard.age".publicKeys = [ zion ];
"syncthing.age".publicKeys = [ zion ]; "syncthing.age".publicKeys = [ zion ];
"msmtp.age".publicKeys = [ zion ]; "msmtp.age".publicKeys = [ zion ];
"gitea.age".publicKeys = [ zion ]; "gitea.age".publicKeys = [ zion ];
"ddclient.age".publicKeys = [ zion ];
"miniflux.age".publicKeys = [ zion ]; "miniflux.age".publicKeys = [ zion ];
"git.age".publicKeys = [ zion ]; "git.age".publicKeys = [ zion ];
"dendrite.age".publicKeys = [ zion ]; "dendrite.age".publicKeys = [ zion ];
@@ -13,13 +14,5 @@ in
"telegram.age".publicKeys = [ zion ]; "telegram.age".publicKeys = [ zion ];
"mqtt-sender.age".publicKeys = [ zion ]; "mqtt-sender.age".publicKeys = [ zion ];
"mqtt-receiver.age".publicKeys = [ zion ]; "mqtt-receiver.age".publicKeys = [ zion ];
"facebook.age".publicKeys = [ zion ]; "nightscout.age".publicKeys = [ zion ];
"signal.age".publicKeys = [ zion ];
"inadyn-duckdns.age".publicKeys = [ zion ];
"inadyn-porkbun.age".publicKeys = [ zion ];
"inadyn-porkbun-secret.age".publicKeys = [ zion ];
"acme-duckdns.age".publicKeys = [ zion ];
"acme-porkbun.age".publicKeys = [ zion ];
"microbin.age".publicKeys = [ zion ];
"readeck.age".publicKeys = [ zion ];
} }

8
secrets/signal.age
View File

@@ -1,8 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 iUaRGg J/gZDBtDsIzjCzO1y2vXgxl8YuvWJgcpk+8KMOp63kg
1XF9JFAIscHWFJMTctZOxVIBYhYliUFays5gwjZt6hs
-> vM4\2y\'-grease
bj9VKIuH0l1v5X8N2v4p+u3VySDKjj3WAyVZ7f+wmy16wncrNyMtiUZ+ELBWfqXd
XOyeGZoKBHwd8lOgkZ+va0BEkBJs9piX
--- K2uN9JxuqPQpAxjQ+6dgsqhsq50nTkLsw8QGJprE5hQ
H<EFBFBD><EFBFBD><EFBFBD>S<>:<3A>eJ4}'<27><><EFBFBD>T<EFBFBD><54>˦ <0B><>[<5B>'<27>M<EFBFBD><4D><EFBFBD>9<><07><>E6_<36><12><><EFBFBD><1D><><EFBFBD>_<EFBFBD><5F><EFBFBD><EFBFBD>yPM8''<27>'<15>F<><46><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Rڡ"<22>ݏ<EFBFBD>X<EFBFBD><58><EFBFBD><EFBFBD>;<3B><>4<EFBFBD>J/>k<1C>5<EFBFBD><<15><>:<3A>M<EFBFBD>lK$<24>ӟq<D39F>S<EFBFBD><53><EFBFBD><EFBFBD>#<23>Ō<04>j<EFBFBD>X)<29><>v<EFBFBD><76><EFBFBD>–<EFBFBD>Ou<4F><75>J<>P<EFBFBD><12><>~

BIN
secrets/telegram.age
View File

Binary file not shown.

5
secrets/wallabag-postgres.age
View File

@@ -1,5 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 iUaRGg zWm4+j3/IRqd3uZqGzXVcHvs+urNrvDMOceWKbpl018
HlIKCFYt7n3iKZav5i0YiB4awRMJML0XUowX8sKKH2c
--- ysvYVxgK1OeqCk8KdNF+uWsaQ9EzVRku7nw37aUAW3A
c<EFBFBD><EFBFBD>b<EFBFBD>W|bU<62>B"<22><04>Ե<EFBFBD><D4B5><EFBFBD><EFBFBD><EFBFBD><03><>U<EFBFBD>

BIN
secrets/wallabag.age
View File

Binary file not shown.

2
well-known/matrix/client
View File

@@ -1,5 +1,5 @@
{ {
"m.homeserver": { "m.homeserver": {
"base_url": "https://matrix.psydnd.org" "base_url": "https://matrix.coolneng.duckdns.org"
} }
} }

2
well-known/matrix/server
View File

@@ -1 +1 @@
{ "m.server": "matrix.psydnd.org:443" } { "m.server": "matrix.coolneng.duckdns.org:443" }