diff --git a/flake.lock b/flake.lock index 2124742..50881ba 100644 --- a/flake.lock +++ b/flake.lock @@ -669,6 +669,42 @@ "type": "github" } }, + "nixlib": { + "locked": { + "lastModified": 1736643958, + "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixos-generators": { + "inputs": { + "nixlib": "nixlib", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1769813415, + "narHash": "sha256-nnVmNNKBi1YiBNPhKclNYDORoHkuKipoz7EtVnXO50A=", + "owner": "nix-community", + "repo": "nixos-generators", + "rev": "8946737ff703382fda7623b9fab071d037e897d5", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-generators", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1775423009, @@ -771,6 +807,7 @@ "hyprland-plugins": "hyprland-plugins", "nix-homebrew": "nix-homebrew", "nixcord": "nixcord", + "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs", "nixvim": "nixvim", "sops-nix": "sops-nix", diff --git a/flake.nix b/flake.nix index d58e4e4..8f807bb 100644 --- a/flake.nix +++ b/flake.nix @@ -5,6 +5,11 @@ # monorepo w/ recipes ("derivations") nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + nixos-generators = { + url = "github:nix-community/nixos-generators"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + # declarative Configs home-manager = { url = "github:nix-community/home-manager/master"; @@ -79,6 +84,7 @@ nixvim, hyprland, sops-nix, + nixos-generators, ... }@inputs: let 
@@ -169,5 +175,37 @@ system = "x86_64-darwin"; isDarwin = true; }; + + # NEW: flashable image for cyper-controller + packages.x86_64-linux.cyper-controller-image = nixos-generators.nixosGenerate { + system = "x86_64-linux"; + format = "raw-efi"; + specialArgs = { + inherit inputs primaryUser self; + hostName = "cyper-controller"; + isDarwin = false; + isServer = true; + }; + modules = [ + { nixpkgs.hostPlatform = "x86_64-linux"; } + { networking.hostName = "cyper-controller"; } + ./hosts/cyper-controller/configuration.nix + ./nixos + inputs.sops-nix.nixosModules.sops + inputs.home-manager.nixosModules.home-manager + { + home-manager = { + extraSpecialArgs = { + inherit inputs primaryUser self; + hostName = "cyper-controller"; + isDarwin = false; + isServer = true; + }; + users.${primaryUser} = import ./home; + backupFileExtension = "backup"; + }; + } + ]; + }; }; } diff --git a/hosts/cyper-controller/configuration.nix b/hosts/cyper-controller/configuration.nix index 8006aaf..40d3e47 100644 --- a/hosts/cyper-controller/configuration.nix +++ b/hosts/cyper-controller/configuration.nix @@ -6,7 +6,7 @@ ../../nixos/roles/postgresql.nix ../../nixos/roles/wyl.nix ../../nixos/roles/adguard.nix - ../../nixos/roles/unifi.nix +# ../../nixos/roles/unifi.nix ../../nixos/roles/searxng.nix ../../nixos/roles/filebrowser.nix ../../nixos/roles/gitea.nix diff --git a/hosts/cyper-controller/hardware-configuration.nix b/hosts/cyper-controller/hardware-configuration.nix index 8b4ed8d..4262b8f 100644 --- a/hosts/cyper-controller/hardware-configuration.nix +++ b/hosts/cyper-controller/hardware-configuration.nix @@ -2,6 +2,7 @@ config, lib, modulesPath, + primaryUser, ... }: @@ -21,13 +22,14 @@ kernelModules = [ "kvm-intel" ]; extraModulePackages = [ ]; }; + fileSystems = { - "/" = { + "/" = lib.mkForce { device = "/dev/disk/by-label/NIXROOT"; fsType = "ext4"; }; - "/boot" = { + "/boot" = lib.mkForce { device = "/dev/disk/by-label/NIXBOOT"; fsType = "vfat"; options = [ 
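Review bot: The `specialArgs` and `home-manager.extraSpecialArgs` sets in the new `cyper-controller-image` package are the same five attributes written out twice, and `"cyper-controller"` is then repeated a third time as the `networking.hostName` module, so the three copies can silently drift apart. Hoist them once in the enclosing `let`, e.g. `imageArgs = { inherit inputs primaryUser self; hostName = "cyper-controller"; isDarwin = false; isServer = true; };`, and use `specialArgs = imageArgs;` and `extraSpecialArgs = imageArgs;` with `networking.hostName = imageArgs.hostName;`. If a `nixosConfigurations.cyper-controller` entry outside this hunk already carries the same module list, sharing that list as well would keep the flashable image from being built from a different module set than the host it is meant to replace. A short comment on the package explaining that `raw-efi` is the flash-to-disk format and what the image is for would also help the next reader.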
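Review bot: The `lib.mkForce` added to the `/` and `/boot` entries has no comment saying what it overrides, and the likely reason — the `raw-efi` generator format declaring its own `fileSystems` for the image — is exactly the case where forcing `/dev/disk/by-label/NIXROOT` and `NIXBOOT` can go wrong: the image only boots if the partitions the generator writes actually carry those labels, otherwise stage 1 waits forever for a root device. Confirm the generated image's labels match (or drop the force for the image build only), and record the intent with something like `# mkForce: the raw-efi image format defines its own fileSystems; labels must match the image's partitions`. The rest of the `hardware-configuration.nix` module continues past this hunk.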
@@ -37,8 +39,47 @@ }; # TODO: Add External Devices as by-label with no necessity for boot + "/storage/internal" = { + device = "/dev/disk/by-label/STORAGE"; + fsType = "btrfs"; + options = [ + "compress=zstd" + "noatime" + "nofail" + ]; + }; + + "/storage/fast" = { + device = "/dev/disk/by-label/FAST"; + fsType = "ext4"; + options = [ + "nofail" + "noatime" + "x-systemd.automount" + "x-systemd.idle-timeout=60" + ]; + }; + + "/storage/backup" = { + device = "/dev/disk/by-label/BACKUP"; + fsType = "ext4"; + options = [ + "nofail" + "noatime" + "x-systemd.automount" + "x-systemd.idle-timeout=60" + ]; + }; + }; + systemd.tmpfiles.rules = [ + "d /storage 0755 ${primaryUser} users -" + "d /storage/internal 0755 ${primaryUser} users -" + "d /storage/fast 0755 ${primaryUser} users -" + "d /storage/backup 0755 ${primaryUser} users -" + ]; + swapDevices = [ { device = "/swapfile"; diff --git a/nixos/default.nix b/nixos/default.nix index fe0b97e..f8a62c5 100644 --- a/nixos/default.nix +++ b/nixos/default.nix @@ -51,6 +51,34 @@ }; }; + virtualisation = lib.mkIf isServer { + vmVariant = { + virtualisation = { + forwardPorts = [ + { + from = "host"; + host.port = 2222; + guest.port = 22; + } + ]; + qemu.networkingOptions = [ + "-device virtio-net-pci,netdev=net0" + "-netdev user,id=net0,net=10.0.2.0/24,dhcpstart=10.0.2.15" + ]; + }; + + systemd.network.networks."10-ethernet" = lib.mkForce { + matchConfig.Name = "ens*"; + networkConfig = { + Address = "10.0.2.15/24"; + Gateway = "10.0.2.2"; + DNS = "8.8.8.8"; + DHCP = "no"; + }; + }; + }; + }; + documentation = { enable = true; doc.enable = false; diff --git a/nixos/roles/adguard.nix b/nixos/roles/adguard.nix index daaf1b0..d1211cd 100644 --- a/nixos/roles/adguard.nix +++ b/nixos/roles/adguard.nix @@ -50,7 +50,7 @@ in }; dhcp = { - enabled = false; + enabled = true; interface_name = primaryInterface; local_domain_name = "lan"; dhcpv4 = { 
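Review bot: The new `systemd.tmpfiles.rules` chown `/storage`, `/storage/internal`, `/storage/fast` and `/storage/backup` to `${primaryUser}:users` with `0755`, and as far as I can tell tmpfiles setup runs after local mounts, so that ownership is applied to the mounted root of each volume on every boot — not just to empty mount points — meaning the backup volume's top level ends up owned by the interactive user. In the same hunk `/storage/internal` gets `nofail` but not `x-systemd.automount`, so a missing STORAGE disk leaves an ordinary writable directory on the root filesystem that anything rooted at `/storage` (File Browser, per the later hunk) will fill without noticing. If the rules are only meant to create mount points, `d /storage/internal 0755 root root -` (and likewise for the others) is enough and data ownership belongs on the volume itself; if the chown is deliberate, say so in a comment. Adding `"x-systemd.automount"` to `/storage/internal` too would make a missing disk fail on access instead of silently falling through.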
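Review bot: The `forwardPorts` entry in the new `vmVariant` maps host port 2222 to the guest's sshd without a `host.address`, and with the option's default QEMU's `hostfwd` binds on every host interface, so the test VM's SSH is reachable from anywhere on the developer's network; `host.address = "127.0.0.1";` next to `host.port = 2222;` keeps it local. The forced `10-ethernet` network also pins `DNS = "8.8.8.8"`, which is fine for a throwaway VM but is a silent exception to the resolver the server roles otherwise provide (AdGuard, in the next hunk) — a comment such as `# VM only: QEMU user networking, 10.0.2.2 is the QEMU gateway, public DNS on purpose` would make that explicit. Since the variant appears to pull in the full server role set, it will also run the DHCP server the AdGuard hunk enables; harmless behind user-mode networking, but worth noting in the same comment.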
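Review bot: Flipping `dhcp.enabled` to `true` makes this host the DHCP server for `primaryInterface`, but nothing in the hunk grants AdGuard Home the raw-socket capability that needs — the NixOS module has a separate `services.adguardhome.allowDHCP` option for exactly this (it adds `CAP_NET_RAW`), and unless it is set elsewhere the DHCP server is likely to fail while the DNS side looks healthy; add `services.adguardhome.allowDHCP = true;` beside this setting, plus UDP 67 in the firewall if the role does not already open it. A second DHCP server on a segment that still has one (the commented-out UniFi role suggests it is being replaced, but the router side is not visible here) hands clients whichever lease answers first, so confirm the old server is off before this deploys. A one-line comment recording that this host is now the LAN's authoritative DHCP server would help the next reader.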
diff --git a/nixos/roles/filebrowser.nix b/nixos/roles/filebrowser.nix index ff3ae5d..0a45ce0 100644 --- a/nixos/roles/filebrowser.nix +++ b/nixos/roles/filebrowser.nix @@ -4,16 +4,13 @@ enable = true; settings = { - port = 8080; + port = 10000; address = "0.0.0.0"; baseURL = "/filebrowser"; root = "/storage"; }; - # If you want the port opened in the firewall: openFirewall = true; }; - #networking.firewall.allowedTCPPorts = [ 8080 ]; - } diff --git a/nixos/roles/gitea.nix b/nixos/roles/gitea.nix index acf4265..233676d 100644 --- a/nixos/roles/gitea.nix +++ b/nixos/roles/gitea.nix @@ -13,7 +13,7 @@ let stripRoot = false; }; - domain = "192.168.2.31"; # swap to git.cyperpunk.de for prod + domain = "git.cyperpunk.de"; # swap to git.cyperpunk.de for prod httpPort = 9000; sshPort = 12222; in @@ -95,7 +95,7 @@ in HTTP_PORT = httpPort; SSH_PORT = sshPort; SSH_LISTEN_PORT = sshPort; - ROOT_URL = "http://${domain}:${toString httpPort}/"; + ROOT_URL = "https://${domain}/"; DISABLE_SSH = false; START_SSH_SERVER = true; }; diff --git a/nixos/roles/matrix.nix b/nixos/roles/matrix.nix index 5d4ccc8..ea2437d 100644 --- a/nixos/roles/matrix.nix +++ b/nixos/roles/matrix.nix @@ -6,8 +6,8 @@ let in { networking.firewall.allowedTCPPorts = [ + 8008 8448 - 8080 ]; sops.secrets = { 
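Review bot: The new settings keep `address = "0.0.0.0"` and `openFirewall = true` while moving File Browser to port 10000 with `root = "/storage"`, so its login form and everything under `/storage` — including the backup volume mounted there in the hardware hunk — are served as plain HTTP to the whole LAN. `baseURL = "/filebrowser"` suggests a reverse proxy is the intended front door; if so, `address = "127.0.0.1";` and dropping `openFirewall = true;` are the right shape, and TLS and access control belong on the proxy. If direct LAN access on 10000 is intentional, a comment saying so (and why plain HTTP is acceptable there) should replace the one this hunk deletes, since that was the only hint at the trade-off.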
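Review bot: The trailing comment on the `domain` line, `# swap to git.cyperpunk.de for prod`, is now stale — the swap is what this line does — and the `192.168.2.31` value it replaced is no longer recorded anywhere, so a reader can't tell how to get a dev binding back. Either drop the comment or turn it into the real hint, e.g. `domain = "git.cyperpunk.de"; # dev: use the host's LAN IP instead`.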
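Review bot: `ROOT_URL = "https://${domain}/"` tells Gitea it is reached over HTTPS on 443, but the same hunk still has Gitea listening plain HTTP on `httpPort` (9000) and nothing in this diff terminates TLS for `git.cyperpunk.de`, so unless a reverse proxy outside the change does it, generated links, OAuth redirects and the secure session cookie all point at a scheme the server does not speak. If a proxy is the plan, also set `HTTP_ADDR = "127.0.0.1";` so 9000 is not reachable directly and `REVERSE_PROXY_TRUSTED_PROXIES` to the proxy's address so its `X-Forwarded-For` is honoured without being spoofable from the LAN. The `server` section this hunk edits continues outside the hunk.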
@@ -18,74 +18,35 @@ in }; }; - services = { - matrix-synapse = { - enable = true; - settings = { - server_name = "cyperpunk.de"; - public_baseurl = "http://matrix.cyperpunk.de"; - enable_registration = false; # TODO: disable - enable_registration_without_verfication = true; - trusted_key_servers = [ { server_name = "matrix.org"; } ]; - suppress_key_server_warning = true; - registration_shared_secret_path = config.sops.secrets.matrix_registration_secret.path; - macaroon_secret_key = "$__file{${config.sops.secrets.matrix_macaroon_secret.path}}"; - listeners = [ - { - port = 8008; - bind_addresses = [ "127.0.0.1" ]; - type = "http"; - tls = false; - x_forwarded = true; - resources = [ - { - names = [ - "client" - "federation" - ]; - compress = false; - } - ]; - } - ]; - }; - }; - - nginx = { - enable = true; - virtualHosts = { - "matrix.cyperpunk.de" = { - locations."/" = { - proxyPass = "http://127.0.0.1:${toString (builtins.elemAt config.services.matrix-synapse.settings.listeners 0).port}"; - proxyWebsockets = true; - extraConfig = '' - proxy_set_header Host matrix.cyperpunk.de; - ''; - }; - }; - "cinny" = { - listen = [ + services.matrix-synapse = { + enable = true; + settings = { + server_name = "cyperpunk.de"; + public_baseurl = "http://matrix.cyperpunk.de"; + enable_registration = false; # TODO: disable + enable_registration_without_verfication = true; + trusted_key_servers = [ { server_name = "matrix.org"; } ]; + suppress_key_server_warning = true; + registration_shared_secret_path = config.sops.secrets.matrix_registration_secret.path; + macaroon_secret_key = "$__file{${config.sops.secrets.matrix_macaroon_secret.path}}"; + listeners = [ + { + port = 8008; + bind_addresses = [ "0.0.0.0" ]; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ { - addr = "0.0.0.0"; - port = 8080; + names = [ + "client" + "federation" + ]; + compress = false; } ]; - locations."/" = { - alias = "${pkgs.cinny}/"; - extraConfig = '' - try_files $uri $uri/ /index.html; 
- ''; - }; - }; - "${serverIP}" = { - locations = { - "/_matrix/" = { - proxyPass = "http://127.0.0.1:${toString (builtins.elemAt config.services.matrix-synapse.settings.listeners 0).port}"; - proxyWebsockets = true; - }; - }; - }; - }; + } + ]; }; }; } diff --git a/nixos/roles/monitoring.nix b/nixos/roles/monitoring.nix index ca6e1da..a2d3791 100644 --- a/nixos/roles/monitoring.nix +++ b/nixos/roles/monitoring.nix @@ -35,10 +35,10 @@ in }; settings = { server = { - domain = serverIP; # "grafana.cyperpunk.de"; + domain = "www.cyperpunk.de"; # serverIP; # "grafana.cyperpunk.de"; http_port = 2342; - http_addr = "127.0.0.1"; - root_url = "http://${serverIP}/grafana/"; + http_addr = "0.0.0.0"; + root_url = "http://www.cyperpunk.de/grafana/"; serve_from_sub_path = true; }; security = { @@ -51,20 +51,6 @@ in }; }; - # nginx reverse proxy - nginx = { - enable = true; - virtualHosts."${serverIP}" = { - locations."/grafana/" = { - proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}"; - proxyWebsockets = true; - extraConfig = '' - proxy_set_header Host ${serverIP}; - ''; - }; - }; - }; - # TODO: Computers should register themselves prometheus = { enable = true; @@ -133,9 +119,7 @@ in }; networking.firewall.allowedTCPPorts = [ - 80 - 443 - # TODO: Remove + 2342 9001 3100 ]; diff --git a/nixos/roles/vaultwarden.nix b/nixos/roles/vaultwarden.nix index a9d615c..dbe3142 100644 --- a/nixos/roles/vaultwarden.nix +++ b/nixos/roles/vaultwarden.nix @@ -17,13 +17,12 @@ in backupDir = "/var/local/vaultwarden/backup"; config = { - DOMAIN = "http://${ip}:${toString port}"; + DOMAIN = "https://vault.cyperpunk.de"; # "http://${ip}:${toString port}"; ROCKET_ADDRESS = "0.0.0.0"; ROCKET_PORT = port; ROCKET_LOG = "critical"; SIGNUPS_ALLOWED = true; WEBSOCKET_ENABLED = true; - ROCKET_TLS = "{certs=\"/var/lib/vaultwarden/ssl/cert.pem\",key=\"/var/lib/vaultwarden/ssl/key.pem\"}"; }; }; 
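Review bot: The Synapse listener now binds `0.0.0.0` with `tls = false` and keeps `x_forwarded = true`, but the nginx proxy that used to front it is removed in this same hunk, so any LAN client can talk to 8008 directly and supply its own `X-Forwarded-For`, which Synapse will then trust for rate limiting and IP logging — either restore a proxy (and `bind_addresses = [ "127.0.0.1" ]`) or set `x_forwarded = false;` while none exists. With this as the only listener, the `federation` resource is served unencrypted on 8008 and nothing in this file listens on 8448, so the `8448` opened in the earlier firewall hunk is dead unless a proxy elsewhere terminates TLS there; federation requires HTTPS, so remote homeservers will not accept plain 8008. Two smaller points on the rewritten lines: `public_baseurl` is still `http://matrix.cyperpunk.de` while the other roles in this commit moved to `https://` hostnames, and `enable_registration_without_verfication` is misspelled (`verification`), so the key appears to be ignored rather than applied — keep it off, fix the spelling, and drop the stale `# TODO: disable` from the line that already sets `enable_registration = false`.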
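Review bot: Grafana's `http_addr` moves to `0.0.0.0` while `root_url` becomes `http://www.cyperpunk.de/grafana/`, so the dashboard is now reachable unencrypted on 2342 from the LAN, and if `www.cyperpunk.de` is actually served over HTTPS by a proxy outside this diff the `http://` scheme in `root_url` will make Grafana emit wrong redirect and login URLs and mark its session cookie non-secure. Put the real external scheme in `root_url` (`https://www.cyperpunk.de/grafana/` if that is what the proxy presents), keep `http_addr = "127.0.0.1"` whenever a proxy fronts it, and record the decision where the old `serverIP` comment was. The Grafana `settings` set continues past this hunk.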
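Review bot: The firewall list now opens 2342, 9001 and 3100 directly instead of 80/443, and while 2342 is Grafana (which at least has a login), 9001 and 3100 are not defined in this hunk — if they are the Prometheus and Loki listeners from the part of the file not shown, both ship without authentication, so opening them LAN-wide exposes every scraped metric and log line to any host on the network. Keep those two bound to localhost, or scope the rule with `networking.firewall.interfaces.<if>.allowedTCPPorts`, unless remote scrapers genuinely need them. Annotating each entry, e.g. `2342 # grafana`, would also stop the next reader from having to guess what the numbers are.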
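Review bot: `DOMAIN` becomes `https://vault.cyperpunk.de` and `ROCKET_TLS` is removed, yet `ROCKET_ADDRESS = "0.0.0.0"` stays and the following hunk still opens `port` in the firewall, so Vaultwarden now speaks plain HTTP to the whole LAN while telling clients it is HTTPS — Bitwarden clients refuse a non-HTTPS server URL, and anything that does reach `port` directly sends the master-password-derived hash and vault data unencrypted. If a TLS-terminating proxy is the plan (nothing in this diff provides one), set `ROCKET_ADDRESS = "127.0.0.1";` and drop the `allowedTCPPorts` entry so the proxy is the only path in. `SIGNUPS_ALLOWED = true;` on a password manager that is about to get a public hostname also deserves a second look — `SIGNUPS_ALLOWED = false;` with `SIGNUPS_DOMAINS_WHITELIST` or invitations is the usual shape — and the removed `# TODO: Remove for proper TLS Setup` should be replaced by a comment naming where TLS now lives.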
@@ -34,39 +33,21 @@ in networking.firewall.allowedTCPPorts = [ port ]; - systemd.services.vaultwarden-backup-rotate = { - description = "Rotate old Vaultwarden backups"; - serviceConfig = { - Type = "oneshot"; - ExecStart = "${pkgs.findutils}/bin/find /var/lib/vaultwarden/backup -mtime +30 -delete"; + systemd = { + services.vaultwarden-backup-rotate = { + description = "Rotate old Vaultwarden backups"; + serviceConfig = { + Type = "oneshot"; + ExecStart = "${pkgs.findutils}/bin/find /var/lib/vaultwarden/backup -mtime +30 -delete"; + }; }; - }; - systemd.timers.vaultwarden-backup-rotate = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnCalendar = "daily"; - Persistent = true; + timers.vaultwarden-backup-rotate = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnCalendar = "daily"; + Persistent = true; + }; }; }; - - # TODO: Remove for proper TLS Setup - systemd.services.vaultwarden-gen-cert = { - description = "Generate self-signed cert for Vaultwarden"; - before = [ "vaultwarden.service" ]; - wantedBy = [ "vaultwarden.service" ]; - serviceConfig.Type = "oneshot"; - script = '' - mkdir -p /var/lib/vaultwarden/ssl - if [ ! -f /var/lib/vaultwarden/ssl/cert.pem ]; then - ${pkgs.openssl}/bin/openssl req -x509 -newkey rsa:4096 -nodes \ - -keyout /var/lib/vaultwarden/ssl/key.pem \ - -out /var/lib/vaultwarden/ssl/cert.pem \ - -days 3650 \ - -subj "/CN=${ip}" \ - -addext "subjectAltName=IP:${ip}" - chown -R vaultwarden:vaultwarden /var/lib/vaultwarden/ssl - fi - ''; - }; }
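Review bot: The rotation service's `ExecStart` still runs `find /var/lib/vaultwarden/backup -mtime +30 -delete`, but `backupDir` in the previous hunk is `/var/local/vaultwarden/backup`, so this timer prunes a directory the backups never go to and the real backup directory grows without bound. Point both at one path — ideally a single `let` binding used for `backupDir` and the `find` target — and add `-type f` so a future path change cannot turn `-delete` loose on directories. Removing the self-signed-cert generator alongside `ROCKET_TLS` is consistent, but a comment on the `systemd` block noting that TLS is now expected from a front proxy would spare the next reader the search. Nesting `services` and `timers` under one `systemd = { … }` is a pure restyle and reads fine.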