nixos-config/home-server.nix

{ config, lib, pkgs, ... }:

let
  # mkdir /etc/secrets/initrd -p
  # chmod 700 -R /etc/secrets/
  # ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
  hostKeys = [{
    path = "/etc/secrets/initrd/ssh_host_ed25519_key";
    type = "ed25519";
  }];
in with builtins; {
  imports = [
    ./hardware/base.nix
    ./hardware/gpu-intel.nix
    ./desktop/x11.nix
    ./system/server.nix
    ./modules/emailNotify.nix
    ./services/mail.nix
    ./services/restic/home-server.nix
    ./services/samba/home-server.nix
    # ./services/kodi.nix
    ./services/jellyfin.nix
    ./services/etebase.nix
    ./services/mosquitto.nix
    ./services/genie.nix
    ./services/home-assistant.nix
    ./services/watchtower.nix
    ./services/owntracks.nix
    ./services/immich.nix
    ./services/miniflux.nix
    ./services/paperless.nix
    ./services/nextcloud.nix
    ./services/calibre-web.nix
  ];

  age.secrets.cloudflare.file = ./secrets/cloudflare.age;
  age.secrets.hostKey.file = ./secrets/home-server/hostKey.age;

  nixpkgs.config.allowUnfree = true;

  # improve memory performance
  zramSwap.enable = true;
  zramSwap.algorithm = "zstd";
  zramSwap.memoryPercent = 150;

  networking.domain = "home.felschr.com";

  networking.firewall.allowedTCPPorts = [ 80 443 ];
  networking.firewall.allowedUDPPorts = [ 80 443 ];

  security.acme.acceptTerms = true;
  security.acme.defaults.email = "dev@felschr.com";

  services.ddclient = {
    enable = true;
    package = pkgs.ddclient.overrideAttrs (old: rec {
      version = "develop-2022-06-01";
      src = pkgs.fetchFromGitHub {
        owner = "ddclient";
        repo = "ddclient";
        rev = "5382a982cbf4ad8e0c7b7ff682d21554a8785285";
        sha256 = "sha256-LYQ65f1rLa1P/YNhrW7lbyhmViPO7odj7FcDGTS4bOo=";
      };
      preConfigure = ''
        touch Makefile.PL
      '';
      installPhase = "";
      postInstall = old.postInstall or "" + ''
        mv $out/bin/ddclient $out/bin/.ddclient
        makeWrapper $out/bin/.ddclient $out/bin/ddclient \
          --prefix PERL5LIB : $PERL5LIB \
          --argv0 ddclient
      '';
      nativeBuildInputs = with pkgs;
        old.nativeBuildInputs or [ ] ++ [ autoreconfHook makeWrapper ];
    });
    protocol = "cloudflare";
    ssl = true;
    use = "disabled";
    zone = "felschr.com";
    username = "felschr@pm.me";
    passwordFile = config.age.secrets.cloudflare.path;
    domains = [
      "home.felschr.com"
      "cloud.felschr.com"
      "office.felschr.com"
      "media.felschr.com"
      "photos.felschr.com"
      "books.felschr.com"
      "news.felschr.com"
      "mqtt.felschr.com"
      "owntracks.felschr.com"
      "etebase.felschr.com"
      "paperless.felschr.com"
    ];
    extraConfig = with pkgs; ''
      usev6=cmdv6, cmdv6=${
        pkgs.writeScript "get-ipv6" ''
          ${iproute2}/bin/ip --brief addr show enp2s0 mngtmpaddr \
            | ${gawk}/bin/awk '{print $(NF)}' \
            | sed 's/\/.*//'
        ''
      }
      usev4=disabled
    '';
  };

  services.nginx = {
    enable = true;

    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
  };

  programs.zsh.enable = true;

  services.openssh = {
    enable = true;
    kbdInteractiveAuthentication = false;
    passwordAuthentication = false;
    permitRootLogin = "no";
    inherit hostKeys;
  };

  # ssh root@hostname "echo "$(read -s pass; echo \'"$pass"\')" > /crypt-ramfs/passphrase"
  boot.initrd.availableKernelModules = [ "igb" ];
  boot.initrd.network = {
    enable = true;
    ssh = {
      enable = true;
      hostKeys = map (f: f.path) hostKeys;
      authorizedKeys = config.users.users.felschr.openssh.authorizedKeys.keys;
    };
  };

  systemd.emailNotify.enable = true;
  systemd.emailNotify.mailTo = "admin@felschr.com";
  systemd.emailNotify.mailFrom =
    "${config.networking.hostName} <felschr@web.de>";

  # only change this when specified in release notes
  system.stateVersion = "22.11";
}
fix(rpi4): fix initrd ssh 2021-10-23 03:06:06 +02:00			`{ config, lib, pkgs, ... }:`
feat: add initial rpi4 config 2020-09-27 14:27:25 +02:00
fix(rpi4): fix initrd ssh 2021-10-23 03:06:06 +02:00			`let`
			`# mkdir /etc/secrets/initrd -p`
			`# chmod 700 -R /etc/secrets/`
			`# ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key`
			`hostKeys = [{`
			`path = "/etc/secrets/initrd/ssh_host_ed25519_key";`
			`type = "ed25519";`
			`}];`
			`in with builtins; {`
feat: add initial rpi4 config 2020-09-27 14:27:25 +02:00			`imports = [`
feat: migrate home-server to LattePanda 3 Delta 2022-08-03 03:15:06 +02:00			`./hardware/base.nix`
			`./hardware/gpu-intel.nix`
feat(home-server): configure GPU & jellyfin acceleration 2022-08-06 16:05:25 +02:00			`./desktop/x11.nix`
feat: restructure system config Create common system config and derive common server & desktop configs from it. 2022-06-26 13:12:01 +02:00			`./system/server.nix`
feat: setup email notification on systemd failures 2022-05-01 16:42:56 +02:00			`./modules/emailNotify.nix`
			`./services/mail.nix`
refactor: rename server: rpi4 -> home-server 2022-06-26 13:21:56 +02:00			`./services/restic/home-server.nix`
			`./services/samba/home-server.nix`
fix(rpi4): disable kodi 2021-12-11 19:42:30 +01:00			`# ./services/kodi.nix`
feat: add syncthing 2020-10-06 17:41:56 +02:00			`./services/jellyfin.nix`
feat(rpi4): add etebase-server 2021-02-15 21:06:51 +01:00			`./services/etebase.nix`
refactor(mosquitto): split mosquitto out of home-assistant config 2021-12-12 19:20:31 +01:00			`./services/mosquitto.nix`
feat(home-server): enable genie-server 2022-08-12 13:22:32 +02:00			`./services/genie.nix`
feat(rpi4): add home-assistant 2020-10-03 16:32:06 +02:00			`./services/home-assistant.nix`
feat: add watchtower container To handle docker images & containers updates. 2022-09-16 17:09:59 +02:00			`./services/watchtower.nix`
feat(rpi4): add owntracks config 2020-12-02 10:33:12 +01:00			`./services/owntracks.nix`
feat: add immich 2022-08-06 16:07:29 +02:00			`./services/immich.nix`
feat(rpi4): add miniflux 2021-12-11 19:40:53 +01:00			`./services/miniflux.nix`
feat: add paperless 2021-12-22 13:03:14 +01:00			`./services/paperless.nix`
feat: add nextcloud 2021-12-22 17:36:29 +01:00			`./services/nextcloud.nix`
feat: add calibre-web 2022-05-29 17:26:10 +02:00			`./services/calibre-web.nix`
feat: add initial rpi4 config 2020-09-27 14:27:25 +02:00			`];`

fix(secrets): fix more permission issues 2022-05-06 15:48:57 +02:00			`age.secrets.cloudflare.file = ./secrets/cloudflare.age;`
fix(secrets): fix permissions Also moves key references into respective configs where they are used. 2022-05-06 03:16:17 +02:00			`age.secrets.hostKey.file = ./secrets/home-server/hostKey.age;`

feat: add initial rpi4 config 2020-09-27 14:27:25 +02:00			`nixpkgs.config.allowUnfree = true;`

feat(rpi4): enable zram 2022-05-11 19:55:45 +02:00			`# improve memory performance`
			`zramSwap.enable = true;`
			`zramSwap.algorithm = "zstd";`
feat(rpi4): increase zram swap size 2022-05-14 18:10:48 +02:00			`zramSwap.memoryPercent = 150;`
feat(rpi4): enable zram 2022-05-11 19:55:45 +02:00
feat(rpi4): setup acme and cfdyndns 2020-10-03 16:23:36 +02:00			`networking.domain = "home.felschr.com";`

feat: add syncthing 2020-10-06 17:41:56 +02:00			`networking.firewall.allowedTCPPorts = [ 80 443 ];`
feat(rpi4): update config 2021-10-23 03:20:38 +02:00			`networking.firewall.allowedUDPPorts = [ 80 443 ];`
feat(rpi4): setup acme and cfdyndns 2020-10-03 16:23:36 +02:00
chore(flake): update inputs 2022-01-01 02:06:35 +01:00			`security.acme.acceptTerms = true;`
			`security.acme.defaults.email = "dev@felschr.com";`
feat(rpi4): setup acme and cfdyndns 2020-10-03 16:23:36 +02:00
feat(rpi4): switch from cfdyndns to ddclient 2021-11-27 20:12:04 +01:00			`services.ddclient = {`
feat(rpi4): setup acme and cfdyndns 2020-10-03 16:23:36 +02:00			`enable = true;`
fix(home-server): configure ddclient for IPv6 2022-06-04 12:28:32 +02:00			`package = pkgs.ddclient.overrideAttrs (old: rec {`
			`version = "develop-2022-06-01";`
			`src = pkgs.fetchFromGitHub {`
			`owner = "ddclient";`
			`repo = "ddclient";`
			`rev = "5382a982cbf4ad8e0c7b7ff682d21554a8785285";`
			`sha256 = "sha256-LYQ65f1rLa1P/YNhrW7lbyhmViPO7odj7FcDGTS4bOo=";`
			`};`
			`preConfigure = ''`
			`touch Makefile.PL`
			`'';`
			`installPhase = "";`
			`postInstall = old.postInstall or "" + ''`
			`mv $out/bin/ddclient $out/bin/.ddclient`
			`makeWrapper $out/bin/.ddclient $out/bin/ddclient \`
			`--prefix PERL5LIB : $PERL5LIB \`
			`--argv0 ddclient`
			`'';`
			`nativeBuildInputs = with pkgs;`
			`old.nativeBuildInputs or [ ] ++ [ autoreconfHook makeWrapper ];`
			`});`
feat(rpi4): switch from cfdyndns to ddclient 2021-11-27 20:12:04 +01:00			`protocol = "cloudflare";`
			`ssl = true;`
fix(home-server): configure ddclient for IPv6 2022-06-04 12:28:32 +02:00			`use = "disabled";`
feat(rpi4): switch from cfdyndns to ddclient 2021-11-27 20:12:04 +01:00			`zone = "felschr.com";`
			`username = "felschr@pm.me";`
fix(secrets): fix more permission issues 2022-05-06 15:48:57 +02:00			`passwordFile = config.age.secrets.cloudflare.path;`
feat(rpi4): switch from cfdyndns to ddclient 2021-11-27 20:12:04 +01:00			`domains = [`
feat(rpi4): update cfdyndns & acme setup 2021-02-14 23:49:43 +01:00			`"home.felschr.com"`
feat: add nextcloud 2021-12-22 17:36:29 +01:00			`"cloud.felschr.com"`
feat: add collabora office 2022-02-07 23:52:38 +01:00			`"office.felschr.com"`
feat: add media.felschr.com to cfdyndns 2021-05-27 19:42:39 +02:00			`"media.felschr.com"`
feat: add immich 2022-08-06 16:07:29 +02:00			`"photos.felschr.com"`
feat: add calibre-web 2022-05-29 17:26:10 +02:00			`"books.felschr.com"`
feat(rpi4): add miniflux 2021-12-11 19:40:53 +01:00			`"news.felschr.com"`
feat(rpi4): update config 2021-10-23 03:20:38 +02:00			`"mqtt.felschr.com"`
feat(rpi4): update cfdyndns & acme setup 2021-02-14 23:49:43 +01:00			`"owntracks.felschr.com"`
feat(rpi4): add etebase-server 2021-02-15 21:06:51 +01:00			`"etebase.felschr.com"`
feat: add paperless 2021-12-22 13:03:14 +01:00			`"paperless.felschr.com"`
feat(rpi4): update cfdyndns & acme setup 2021-02-14 23:49:43 +01:00			`];`
fix(home-server): configure ddclient for IPv6 2022-06-04 12:28:32 +02:00			`extraConfig = with pkgs; ''`
			`usev6=cmdv6, cmdv6=${`
			`pkgs.writeScript "get-ipv6" ''`
feat: migrate home-server to LattePanda 3 Delta 2022-08-03 03:15:06 +02:00			`${iproute2}/bin/ip --brief addr show enp2s0 mngtmpaddr \`
fix(home-server): configure ddclient for IPv6 2022-06-04 12:28:32 +02:00			`\| ${gawk}/bin/awk '{print $(NF)}' \`
			`\| sed 's/\/.*//'`
			`''`
			`}`
fix(home-server): disable IPv4 ddclient 2022-06-26 13:26:11 +02:00			`usev4=disabled`
fix(home-server): configure ddclient for IPv6 2022-06-04 12:28:32 +02:00			`'';`
feat(rpi4): setup acme and cfdyndns 2020-10-03 16:23:36 +02:00			`};`

feat(rpi4): add home-assistant 2020-10-03 16:32:06 +02:00			`services.nginx = {`
			`enable = true;`

			`recommendedTlsSettings = true;`
			`recommendedOptimisation = true;`
			`recommendedGzipSettings = true;`
			`recommendedProxySettings = true;`
			`};`

feat: add initial rpi4 config 2020-09-27 14:27:25 +02:00			`programs.zsh.enable = true;`

feat(rpi4): switch to key authentication for openssh 2020-10-03 19:13:33 +02:00			`services.openssh = {`
			`enable = true;`
chore(rpi4): switch to new openssh kbd interactive authentication option 2022-02-04 18:40:00 +01:00			`kbdInteractiveAuthentication = false;`
feat(rpi4): switch to key authentication for openssh 2020-10-03 19:13:33 +02:00			`passwordAuthentication = false;`
			`permitRootLogin = "no";`
fix(rpi4): fix initrd ssh 2021-10-23 03:06:06 +02:00			`inherit hostKeys;`
feat(rpi4): switch to key authentication for openssh 2020-10-03 19:13:33 +02:00			`};`

docs(rpi4): add sample command for authenticating initrd via ssh 2021-06-10 12:01:40 +02:00			`# ssh root@hostname "echo "$(read -s pass; echo \'"$pass"\')" > /crypt-ramfs/passphrase"`
fix(home-server): add missing kernel module for initrd networking 2022-08-06 16:03:12 +02:00			`boot.initrd.availableKernelModules = [ "igb" ];`
fix(rpi4): fix initrd ssh 2021-10-23 03:06:06 +02:00			`boot.initrd.network = {`
feat(rpi4): switch to key authentication for openssh 2020-10-03 19:13:33 +02:00			`enable = true;`
fix(rpi4): fix initrd ssh 2021-10-23 03:06:06 +02:00			`ssh = {`
			`enable = true;`
feat(home-server): update hardware & boot configuration To commodate switch to Tow-Boot & new partitioning using scripts/setup-partitions. 2022-05-15 15:45:00 +02:00			`hostKeys = map (f: f.path) hostKeys;`
fix(rpi4): fix initrd ssh 2021-10-23 03:06:06 +02:00			`authorizedKeys = config.users.users.felschr.openssh.authorizedKeys.keys;`
			`};`
feat(rpi4): switch to key authentication for openssh 2020-10-03 19:13:33 +02:00			`};`
feat: add initial rpi4 config 2020-09-27 14:27:25 +02:00
feat: setup email notification on systemd failures 2022-05-01 16:42:56 +02:00			`systemd.emailNotify.enable = true;`
			`systemd.emailNotify.mailTo = "admin@felschr.com";`
			`systemd.emailNotify.mailFrom =`
			`"${config.networking.hostName} <felschr@web.de>";`

feat: add initial rpi4 config 2020-09-27 14:27:25 +02:00			`# only change this when specified in release notes`
chore: update {system,home}.stateVersion to 22.11 2022-12-07 14:47:12 +01:00			`system.stateVersion = "22.11";`
feat: add initial rpi4 config 2020-09-27 14:27:25 +02:00			`}`