DerGrumpf/cyper-nix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: DerGrumpf:8f28d9927e41362994a3b6727830dfa9854e6584
Branches Tags
DerGrumpf:main
..
compare: DerGrumpf:b049e3f5f7bd6142429d8f8e1a27211d0c05441f
Branches Tags
DerGrumpf:main

2 Commits
8f28d9927e ... b049e3f5f7

Author SHA1 Message Date
DerGrumpf
b049e3f5f7 Merge branch 'main' of https://git.cyperpunk.de/DerGrumpf/cyper-nix 2026-04-14 14:46:49 +02:00
DerGrumpf
77ba1cab5f Migrated to NixOS (Oh Happy day!!) 2026-04-14 14:46:35 +02:00
8 changed files with 90 additions and 126 deletions
Expand all files Collapse all files

2
hosts/cyper-controller/configuration.nix
View File

@@ -6,7 +6,7 @@
../../nixos/roles/postgresql.nix
../../nixos/roles/wyl.nix
../../nixos/roles/adguard.nix
../../nixos/roles/unifi.nix
# ../../nixos/roles/unifi.nix
../../nixos/roles/searxng.nix
../../nixos/roles/filebrowser.nix
../../nixos/roles/gitea.nix

41
hosts/cyper-controller/hardware-configuration.nix
View File

@@ -2,6 +2,7 @@
config,
lib,
modulesPath,
primaryUser,
...
}:
@@ -21,6 +22,7 @@
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
fileSystems = {
"/" = lib.mkForce {
device = "/dev/disk/by-label/NIXROOT";
@@ -37,8 +39,47 @@
};
# TODO: Add External Devices as by-label with no necessity for boot
"/storage/internal" = {
device = "/dev/disk/by-label/STORAGE";
fsType = "btrfs";
options = [
"compress=zstd"
"noatime"
"nofail"
];
};
"/storage/fast" = {
device = "/dev/disk/by-label/FAST";
fsType = "ext4";
options = [
"nofail"
"noatime"
"x-systemd.automount"
"x-systemd.idle-timeout=60"
];
};
"/storage/backup" = {
device = "/dev/disk/by-label/BACKUP";
fsType = "ext4";
options = [
"nofail"
"noatime"
"x-systemd.automount"
"x-systemd.idle-timeout=60"
];
};
};
systemd.tmpfiles.rules = [
"d /storage 0755 ${primaryUser} users -"
"d /storage/internal 0755 ${primaryUser} users -"
"d /storage/fast 0755 ${primaryUser} users -"
"d /storage/backup 0755 ${primaryUser} users -"
];
swapDevices = [
{
device = "/swapfile";

2
nixos/roles/adguard.nix
View File

@@ -50,7 +50,7 @@ in
};
dhcp = {
enabled = false;
enabled = true;
interface_name = primaryInterface;
local_domain_name = "lan";
dhcpv4 = {

3
nixos/roles/filebrowser.nix
View File

@@ -10,10 +10,7 @@
root = "/storage";
};
# If you want the port opened in the firewall:
openFirewall = true;
};
#networking.firewall.allowedTCPPorts = [ 8080 ];
}

4
nixos/roles/gitea.nix
View File

@@ -13,7 +13,7 @@ let
stripRoot = false;
};
domain = "192.168.2.31"; # swap to git.cyperpunk.de for prod
domain = "git.cyperpunk.de"; # swap to git.cyperpunk.de for prod
httpPort = 9000;
sshPort = 12222;
in
@@ -95,7 +95,7 @@ in
HTTP_PORT = httpPort;
SSH_PORT = sshPort;
SSH_LISTEN_PORT = sshPort;
ROOT_URL = "http://${domain}:${toString httpPort}/";
ROOT_URL = "https://${domain}/";
DISABLE_SSH = false;
START_SSH_SERVER = true;
};

93
nixos/roles/matrix.nix
View File

@@ -6,8 +6,8 @@ let
in
{
networking.firewall.allowedTCPPorts = [
8008
8448
8080
];
sops.secrets = {
@@ -18,74 +18,35 @@ in
};
};
services = {
matrix-synapse = {
enable = true;
settings = {
server_name = "cyperpunk.de";
public_baseurl = "http://matrix.cyperpunk.de";
enable_registration = false; # TODO: disable
enable_registration_without_verfication = true;
trusted_key_servers = [ { server_name = "matrix.org"; } ];
suppress_key_server_warning = true;
registration_shared_secret_path = config.sops.secrets.matrix_registration_secret.path;
macaroon_secret_key = "$__file{${config.sops.secrets.matrix_macaroon_secret.path}}";
listeners = [
{
port = 8008;
bind_addresses = [ "127.0.0.1" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = [
"client"
"federation"
];
compress = false;
}
];
}
];
};
};
nginx = {
enable = true;
virtualHosts = {
"matrix.cyperpunk.de" = {
locations."/" = {
proxyPass = "http://127.0.0.1:${toString (builtins.elemAt config.services.matrix-synapse.settings.listeners 0).port}";
proxyWebsockets = true;
extraConfig = ''
proxy_set_header Host matrix.cyperpunk.de;
'';
};
};
"cinny" = {
listen = [
services.matrix-synapse = {
enable = true;
settings = {
server_name = "cyperpunk.de";
public_baseurl = "http://matrix.cyperpunk.de";
enable_registration = false; # TODO: disable
enable_registration_without_verfication = true;
trusted_key_servers = [ { server_name = "matrix.org"; } ];
suppress_key_server_warning = true;
registration_shared_secret_path = config.sops.secrets.matrix_registration_secret.path;
macaroon_secret_key = "$__file{${config.sops.secrets.matrix_macaroon_secret.path}}";
listeners = [
{
port = 8008;
bind_addresses = [ "0.0.0.0" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
addr = "0.0.0.0";
port = 8080;
names = [
"client"
"federation"
];
compress = false;
}
];
locations."/" = {
alias = "${pkgs.cinny}/";
extraConfig = ''
try_files $uri $uri/ /index.html;
'';
};
};
"${serverIP}" = {
locations = {
"/_matrix/" = {
proxyPass = "http://127.0.0.1:${toString (builtins.elemAt config.services.matrix-synapse.settings.listeners 0).port}";
proxyWebsockets = true;
};
};
};
};
}
];
};
};
}

24
nixos/roles/monitoring.nix
View File

@@ -35,10 +35,10 @@ in
};
settings = {
server = {
domain = serverIP; # "grafana.cyperpunk.de";
domain = "www.cyperpunk.de"; # serverIP; # "grafana.cyperpunk.de";
http_port = 2342;
http_addr = "127.0.0.1";
root_url = "http://${serverIP}/grafana/";
http_addr = "0.0.0.0";
root_url = "http://www.cyperpunk.de/grafana/";
serve_from_sub_path = true;
};
security = {
@@ -51,20 +51,6 @@ in
};
};
# nginx reverse proxy
nginx = {
enable = true;
virtualHosts."${serverIP}" = {
locations."/grafana/" = {
proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
proxyWebsockets = true;
extraConfig = ''
proxy_set_header Host ${serverIP};
'';
};
};
};
# TODO: Computers should register themselves
prometheus = {
enable = true;
@@ -133,9 +119,7 @@ in
};
networking.firewall.allowedTCPPorts = [
80
443
# TODO: Remove
2342
9001
3100
];

47
nixos/roles/vaultwarden.nix
View File

@@ -17,13 +17,12 @@ in
backupDir = "/var/local/vaultwarden/backup";
config = {
DOMAIN = "http://${ip}:${toString port}";
DOMAIN = "https://vault.cyperpunk.de"; # "http://${ip}:${toString port}";
ROCKET_ADDRESS = "0.0.0.0";
ROCKET_PORT = port;
ROCKET_LOG = "critical";
SIGNUPS_ALLOWED = true;
WEBSOCKET_ENABLED = true;
ROCKET_TLS = "{certs=\"/var/lib/vaultwarden/ssl/cert.pem\",key=\"/var/lib/vaultwarden/ssl/key.pem\"}";
};
};
@@ -34,39 +33,21 @@ in
networking.firewall.allowedTCPPorts = [ port ];
systemd.services.vaultwarden-backup-rotate = {
description = "Rotate old Vaultwarden backups";
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.findutils}/bin/find /var/lib/vaultwarden/backup -mtime +30 -delete";
systemd = {
services.vaultwarden-backup-rotate = {
description = "Rotate old Vaultwarden backups";
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.findutils}/bin/find /var/lib/vaultwarden/backup -mtime +30 -delete";
};
};
};
systemd.timers.vaultwarden-backup-rotate = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "daily";
Persistent = true;
timers.vaultwarden-backup-rotate = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "daily";
Persistent = true;
};
};
};
# TODO: Remove for proper TLS Setup
systemd.services.vaultwarden-gen-cert = {
description = "Generate self-signed cert for Vaultwarden";
before = [ "vaultwarden.service" ];
wantedBy = [ "vaultwarden.service" ];
serviceConfig.Type = "oneshot";
script = ''
mkdir -p /var/lib/vaultwarden/ssl
if [ ! -f /var/lib/vaultwarden/ssl/cert.pem ]; then
${pkgs.openssl}/bin/openssl req -x509 -newkey rsa:4096 -nodes \
-keyout /var/lib/vaultwarden/ssl/key.pem \
-out /var/lib/vaultwarden/ssl/cert.pem \
-days 3650 \
-subj "/CN=${ip}" \
-addext "subjectAltName=IP:${ip}"
chown -R vaultwarden:vaultwarden /var/lib/vaultwarden/ssl
fi
'';
};
}