Compare commits
3 Commits
74c7f696d8
...
1bb464f966
Author | SHA1 | Date | |
---|---|---|---|
1bb464f966 | |||
ba570ec51a | |||
c5efc2db4d |
@ -11,6 +11,8 @@
|
||||
./pc
|
||||
];
|
||||
|
||||
nix.flakes.enable = true;
|
||||
|
||||
system.stateVersion = "21.11";
|
||||
|
||||
networking.useDHCP = false;
|
||||
|
@ -85,7 +85,7 @@ YDQ8z9v+DMO6iwyIDRiU
|
||||
</ca>
|
||||
|
||||
disable-occ
|
||||
auth-user-pass /run/secrets/pia-login.conf
|
||||
auth-user-pass /run/agenix/pia-login.conf
|
||||
'';
|
||||
autoStart = true;
|
||||
# up = "echo nameserver $nameserver | ${pkgs.openresolv}/sbin/resolvconf -m 0 -a $dev";
|
||||
|
@ -12,5 +12,6 @@
|
||||
./gitea.nix
|
||||
./privatebin/privatebin.nix
|
||||
./radio.nix
|
||||
./samba.nix
|
||||
];
|
||||
}
|
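--- /dev/null
+++ b/common/server/samba.nix
@@ -0,0 +1,88 @@
+{ config, lib, pkgs, ... }:
+
+{
+  config = lib.mkIf config.services.samba.enable {
+    services.samba = {
+      openFirewall = true;
+      package = pkgs.sambaFull; # printer sharing
+      securityType = "user";
+
+      # should this be on?
+      nsswins = true;
+
+      extraConfig = ''
+        workgroup = HOME
+        server string = smbnix
+        netbios name = smbnix
+        security = user
+        use sendfile = yes
+        min protocol = smb2
+        guest account = nobody
+        map to guest = bad user
+
+        # printing
+        load printers = yes
+        printing = cups
+        printcap name = cups
+      '';
+
+      shares = {
+        public = {
+          path = "/data/samba/Public";
+          browseable = "yes";
+          "read only" = "no";
+          "guest ok" = "yes";
+          "create mask" = "0644";
+          "directory mask" = "0755";
+          "force user" = "googlebot";
+          "force group" = "public_data";
+        };
+        private = {
+          path = "/data/samba/Private";
+          browseable = "yes";
+          "read only" = "no";
+          "guest ok" = "no";
+          "create mask" = "0644";
+          "directory mask" = "0755";
+          "force user" = "googlebot";
+          "force group" = "users";
+        };
+        printers = {
+          comment = "All Printers";
+          path = "/var/spool/samba";
+          public = "yes";
+          browseable = "yes";
+          # to allow user 'guest account' to print.
+          "guest ok" = "yes";
+          writable = "no";
+          printable = "yes";
+          "create mode" = 0700;
+        };
+      };
+    };
+
+    # Windows discovery of samba server
+    services.samba-wsdd = {
+      enable = true;
+
+      # are these needed?
+      workgroup = "HOME";
+      hoplimit = 3;
+      discovery = true;
+    };
+    networking.firewall.allowedTCPPorts = [ 5357 ];
+    networking.firewall.allowedUDPPorts = [ 3702 ];
+
+    # Printer discovery
+    # (is this needed?)
+    services.avahi.enable = true;
+    services.avahi.nssmdns = true;
+
+    # printer sharing
+    systemd.tmpfiles.rules = [
+      "d /var/spool/samba 1777 root root -"
+    ];
+
+    users.groups.public_data = {};
+  };
+}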
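Review bot: The `public` share is writable by anonymous clients (`"guest ok" = "yes"`, `"read only" = "no"`, `map to guest = bad user`) and every such write lands on disk as the interactive user `googlebot` because of `"force user" = "googlebot"`, while `openFirewall = true` opens 139/445 on every interface of any host that sets `services.samba.enable`. A dedicated system account, e.g. `users.users.samba-public = { isSystemUser = true; group = "public_data"; };` with `"force user" = "samba-public";`, limits what a planted file can do, and scoping the ports with `networking.firewall.interfaces.<lan>.allowedTCPPorts` instead of `openFirewall` keeps the share off any non-LAN interface. `nsswins = true` (the `# should this be on?` line) makes the host resolve names through NetBIOS/WINS, which any peer on the segment can answer, so it is safer left off unless something depends on it. Separately, `"create mode" = 0700;` is a Nix integer (Nix has no octal literals, so it evaluates to 700); Samba parses the setting as octal so it works today, but `"create mode" = "0700";` matches the other shares and avoids the surprise.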
71
flake.nix
71
flake.nix
@ -36,25 +36,64 @@
|
||||
nixosConfigurations =
|
||||
let
|
||||
nixpkgs = inputs.nixpkgs;
|
||||
|
||||
modules = [
|
||||
./common
|
||||
inputs.simple-nixos-mailserver.nixosModule
|
||||
inputs.agenix.nixosModule
|
||||
inputs.dailybuild_modules.nixosModule
|
||||
inputs.archivebox.nixosModule
|
||||
({ lib, ... }: {
|
||||
config.environment.systemPackages = [ inputs.agenix.defaultPackage.${system} ];
|
||||
|
||||
# because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
|
||||
options.inputs = lib.mkOption { default = inputs; };
|
||||
options.currentSystem = lib.mkOption { default = system; };
|
||||
})
|
||||
];
|
||||
|
||||
mkVpnContainer = container_config: {
|
||||
ephemeral = true;
|
||||
autoStart = true;
|
||||
bindMounts = {
|
||||
"/var/lib" = {
|
||||
hostPath = "/var/lib/";
|
||||
isReadOnly = false;
|
||||
};
|
||||
"/run/agenix" = {
|
||||
hostPath = "/run/agenix";
|
||||
isReadOnly = true;
|
||||
};
|
||||
"/dev/fuse" = {
|
||||
hostPath = "/dev/fuse";
|
||||
isReadOnly = false;
|
||||
};
|
||||
};
|
||||
enableTun = true;
|
||||
privateNetwork = true;
|
||||
hostAddress = "172.16.100.1";
|
||||
localAddress = "172.16.100.2";
|
||||
|
||||
config = { config, pkgs, lib, ... }: {
|
||||
imports = modules ++ [container_config];
|
||||
|
||||
networking.firewall.enable = lib.mkForce false;
|
||||
pia.enable = true;
|
||||
|
||||
# run it's own DNS resolver
|
||||
networking.useHostResolvConf = false;
|
||||
services.resolved.enable = true;
|
||||
};
|
||||
};
|
||||
|
||||
mkSystem = system: nixpkgs: path:
|
||||
nixpkgs.lib.nixosSystem {
|
||||
inherit system;
|
||||
modules = [
|
||||
path
|
||||
./common
|
||||
inputs.simple-nixos-mailserver.nixosModule
|
||||
inputs.agenix.nixosModule
|
||||
inputs.dailybuild_modules.nixosModule
|
||||
inputs.archivebox.nixosModule
|
||||
({ lib, ... }: {
|
||||
config.environment.systemPackages = [ inputs.agenix.defaultPackage.${system} ];
|
||||
|
||||
# because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
|
||||
options.inputs = lib.mkOption { default = inputs; };
|
||||
options.currentSystem = lib.mkOption { default = system; };
|
||||
})
|
||||
];
|
||||
# specialArgs = {};
|
||||
modules = [path] ++ modules;
|
||||
|
||||
specialArgs = {
|
||||
inherit mkVpnContainer;
|
||||
};
|
||||
};
|
||||
in
|
||||
{
|
||||
|
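Review bot: `mkVpnContainer` bind-mounts the host's entire `/var/lib` read-write and the whole `/run/agenix` directory into a container that also sets `networking.firewall.enable = lib.mkForce false`; NixOS containers do not use user namespaces unless configured to, so root inside the container is root over all host service state and can read every age secret decrypted on the host, not only `pia-login.conf`. Narrow both mounts to what the contained service needs, e.g. `"/run/agenix/pia-login.conf" = { hostPath = "/run/agenix/pia-login.conf"; isReadOnly = true; };` and a per-service `/var/lib/<service>` path rather than `/var/lib/`. The hoisted `modules` list also references `system` in `inputs.agenix.defaultPackage.${system}` and `options.currentSystem`, but within this hunk `system` is only bound as `mkSystem`'s parameter; unless it is defined in an enclosing scope above line 36, evaluation will fail with an undefined variable. The `nixosConfigurations` let-expression continues past the end of the hunk.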
@ -13,8 +13,6 @@
|
||||
};
|
||||
};
|
||||
|
||||
nix.flakes.enable = true;
|
||||
|
||||
system.autoUpgrade.enable = true;
|
||||
|
||||
networking.interfaces.eth0.useDHCP = true;
|
||||
|
@ -1,4 +1,4 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
{ config, pkgs, lib, mkVpnContainer, ... }:
|
||||
|
||||
let
|
||||
mta-sts-web = {
|
||||
@ -18,8 +18,6 @@ in {
|
||||
|
||||
# 5synsrjgvfzywruomjsfvfwhhlgxqhyofkzeqt2eisyijvjvebnu2xyd.onion
|
||||
|
||||
nix.flakes.enable = true;
|
||||
|
||||
firmware.x86_64.enable = true;
|
||||
bios = {
|
||||
enable = true;
|
||||
@ -50,19 +48,19 @@ in {
|
||||
listenWeb = 443;
|
||||
enableWebHttps = true;
|
||||
# dataDirs
|
||||
serviceEnvironmentFile = "/run/secrets/peertube-init";
|
||||
serviceEnvironmentFile = "/run/agenix/peertube-init";
|
||||
# settings
|
||||
database = {
|
||||
createLocally = true;
|
||||
passwordFile = "/run/secrets/peertube-db-pw";
|
||||
passwordFile = "/run/agenix/peertube-db-pw";
|
||||
};
|
||||
redis = {
|
||||
createLocally = true;
|
||||
passwordFile = "/run/secrets/peertube-redis-pw";
|
||||
passwordFile = "/run/agenix/peertube-redis-pw";
|
||||
};
|
||||
smtp = {
|
||||
createLocally = false;
|
||||
passwordFile = "/run/secrets/peertube-smtp";
|
||||
passwordFile = "/run/agenix/peertube-smtp";
|
||||
};
|
||||
};
|
||||
services.nginx.virtualHosts."tube.neet.space" = {
|
||||
@ -81,7 +79,7 @@ in {
|
||||
|
||||
services.searx = {
|
||||
enable = true;
|
||||
environmentFile = "/run/secrets/searx";
|
||||
environmentFile = "/run/agenix/searx";
|
||||
settings = {
|
||||
server.port = 43254;
|
||||
server.secret_key = "@SEARX_SECRET_KEY@";
|
||||
@ -123,57 +121,12 @@ in {
|
||||
};
|
||||
|
||||
# wrap radio in a VPN
|
||||
containers.vpn-continer = {
|
||||
ephemeral = true;
|
||||
autoStart = true;
|
||||
bindMounts = {
|
||||
"/var/lib" = {
|
||||
hostPath = "/var/lib/";
|
||||
isReadOnly = false;
|
||||
};
|
||||
"/run/secrets" = {
|
||||
hostPath = "/run/secrets";
|
||||
isReadOnly = true;
|
||||
};
|
||||
"/dev/fuse" = {
|
||||
hostPath = "/dev/fuse";
|
||||
isReadOnly = false;
|
||||
};
|
||||
};
|
||||
enableTun = true;
|
||||
privateNetwork = true;
|
||||
hostAddress = "172.16.100.1";
|
||||
localAddress = "172.16.100.2";
|
||||
|
||||
config = {
|
||||
imports = [
|
||||
../../common
|
||||
config.inputs.agenix.nixosModules.age
|
||||
];
|
||||
|
||||
# because nixos specialArgs doesn't work for containers... need to pass in inputs a different way
|
||||
options.inputs = lib.mkOption { default = config.inputs; };
|
||||
options.currentSystem = lib.mkOption { default = config.currentSystem; };
|
||||
|
||||
config = {
|
||||
pia.enable = true;
|
||||
nixpkgs.pkgs = pkgs;
|
||||
|
||||
networking.firewall.enable = false;
|
||||
|
||||
# run it's own DNS resolver
|
||||
networking.useHostResolvConf = false;
|
||||
services.resolved.enable = true;
|
||||
|
||||
services.radio = {
|
||||
enable = true;
|
||||
host = "radio.neet.space";
|
||||
};
|
||||
};
|
||||
containers.vpn-container = mkVpnContainer {
|
||||
services.radio = {
|
||||
enable = true;
|
||||
host = "radio.neet.space";
|
||||
};
|
||||
};
|
||||
# load the secret on behalf of the container
|
||||
age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
|
||||
|
||||
services.drastikbot = {
|
||||
enable = true;
|
||||
@ -250,7 +203,7 @@ in {
|
||||
];
|
||||
loginAccounts = {
|
||||
"jeremy@runyan.org" = {
|
||||
hashedPasswordFile = "/run/secrets/email-pw";
|
||||
hashedPasswordFile = "/run/agenix/email-pw";
|
||||
aliases = [
|
||||
"@neet.space" "@neet.cloud" "@neet.dev"
|
||||
"@runyan.org" "@runyan.rocks"
|
||||
@ -283,7 +236,7 @@ in {
|
||||
hostName = "neet.cloud";
|
||||
config.dbtype = "sqlite";
|
||||
config.adminuser = "jeremy";
|
||||
config.adminpassFile = "/run/secrets/nextcloud-pw";
|
||||
config.adminpassFile = "/run/agenix/nextcloud-pw";
|
||||
autoUpdateApps.enable = true;
|
||||
};
|
||||
age.secrets.nextcloud-pw = {
|
||||
@ -300,7 +253,7 @@ in {
|
||||
enable = true;
|
||||
ip = "192.168.99.1";
|
||||
domain = "tun.neet.dev";
|
||||
passwordFile = "/run/secrets/iodine";
|
||||
passwordFile = "/run/agenix/iodine";
|
||||
};
|
||||
age.secrets.iodine.file = ../../secrets/iodine.age;
|
||||
networking.firewall.allowedUDPPorts = [ 53 ];
|
||||
|
@ -5,8 +5,6 @@
|
||||
./hardware-configuration.nix
|
||||
];
|
||||
|
||||
nix.flakes.enable = true;
|
||||
|
||||
efi.enable = true;
|
||||
|
||||
networking.hostName = "nat";
|
||||
|
@ -7,8 +7,6 @@
|
||||
|
||||
# wt6nczjfvtba6pvjt2qtevwjpq4gcbz46bwjz4hboehgecyqmzqgwnqd.onion
|
||||
|
||||
nix.flakes.enable = true;
|
||||
|
||||
firmware.x86_64.enable = true;
|
||||
bios = {
|
||||
enable = true;
|
||||
|
@ -9,8 +9,6 @@
|
||||
./nvidia.nix
|
||||
];
|
||||
|
||||
nix.flakes.enable = true;
|
||||
|
||||
firmware.x86_64.enable = true;
|
||||
efi.enable = true;
|
||||
|
||||
|
@ -9,8 +9,6 @@
|
||||
|
||||
boot.kernelPackages = pkgs.linuxPackages_5_12;
|
||||
|
||||
nix.flakes.enable = true;
|
||||
|
||||
firmware.x86_64.enable = true;
|
||||
efi.enable = true;
|
||||
|
||||
|
@ -8,8 +8,6 @@
|
||||
|
||||
# nsw2zwifzyl42mbhabayjo42b2kkq3wd3dqyl6efxsz6pvmgm5cup5ad.onion
|
||||
|
||||
nix.flakes.enable = true;
|
||||
|
||||
networking.hostName = "s0";
|
||||
|
||||
boot.loader.grub.enable = false;
|
||||
@ -26,4 +24,13 @@
|
||||
users.users.googlebot.packages = with pkgs; [
|
||||
bcachefs-tools
|
||||
];
|
||||
|
||||
services.samba.enable = true;
|
||||
|
||||
services.plex = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
dataDir = "/data/plex";
|
||||
};
|
||||
users.users.${config.services.plex.user}.extraGroups = [ "public_data" ];
|
||||
}
|
||||
|
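Review bot: `services.samba.enable = true;` pulls in common/server/samba.nix, whose guest-writable Public share and `openFirewall = true` then apply to every interface on s0, and `users.users.${config.services.plex.user}.extraGroups = [ "public_data" ]` means any file an anonymous LAN client drops into that share becomes readable by Plex. If that is the intent, say so next to the line: `# plex reads the guest-writable Public samba share (force group public_data)`; if the Plex library is meant to be curated, keep it outside `/data/samba/Public` and grant the group only where needed. `services.plex.openFirewall = true` likewise opens Plex's ports on all interfaces; if s0 has any non-LAN interface, prefer `networking.firewall.interfaces.<lan>` scoped rules for both services.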
@ -33,7 +33,12 @@
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
swapDevices = [
|
||||
{
|
||||
device = "/dev/mmcblk1p2";
|
||||
randomEncryption.enable = true;
|
||||
}
|
||||
];
|
||||
|
||||
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
|
||||
# Per-interface useDHCP will be mandatory in the future, so this generated config
|
||||
|
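Review bot: `randomEncryption.enable = true` on `device = "/dev/mmcblk1p2"` re-keys and re-formats that block device on every boot (plain dm-crypt followed by mkswap), so the path must never resolve to anything else; a change in device enumeration or an added card would silently wipe whatever ends up at `mmcblk1p2`. Reference the partition by a stable path such as `/dev/disk/by-partuuid/<uuid>` or a `/dev/disk/by-id/...` path instead. A per-boot random key also rules out resuming from hibernation, which is fine if s0 never hibernates but deserves a one-line comment like `# random key per boot: no hibernate/resume`.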