{
  inputs,
  config,
  pkgs,
  ...
}:
let
  # SSH host key shared by the initrd sshd (remote LUKS unlock) and the
  # full-system sshd. It is generated once, out of band, on the host itself:
  #   mkdir /etc/secrets/initrd -p
  #   chmod 700 -R /etc/secrets/
  #   ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
  # NOTE(review): the initrd copy of this key is embedded in the initrd image,
  # which lives outside the encrypted root (and, depending on the bootloader,
  # may also pass through the Nix store). Reusing it as the system host key
  # below therefore gives the system host identity the same exposure — confirm
  # that trade-off is intended.
  sshHostKeys = [
    {
      path = "/etc/secrets/initrd/ssh_host_ed25519_key";
      type = "ed25519";
    }
  ];
in
{
  # Hardware/desktop/server roles first, then one module per hosted service.
  imports = [
    ../hardware/base.nix
    ../desktop/x11.nix
    ../system/server.nix
    ../virtualisation/containers.nix
    ../virtualisation/podman.nix
    ../modules/inadyn.nix
    ../modules/systemdNotify.nix
    ../services/postgres
    ../services/mail.nix
    ../services/lldap.nix
    ../services/authelia.nix
    ../services/forgejo
    ../services/restic/home-server.nix
    ../services/samba/home-server.nix
    # ../services/kodi.nix
    ../services/jellyfin.nix
    ../services/etebase.nix
    ../services/website.nix
    ../services/wkd.nix
    ../services/home-assistant
    ../services/matrix
    ../services/immich.nix
    ../services/miniflux.nix
    ../services/paperless.nix
    ../services/nextcloud.nix
    ../services/collabora-office.nix
    ../services/calibre-web.nix
  ];

  # Encrypted secrets (presumably agenix); only the ciphertext lives in the
  # repository, the decrypted files are exposed via config.age.secrets.<name>.path.
  age.secrets = {
    cloudflare.file = ../secrets/cloudflare.age;
    hostKey.file = ../secrets/home-server/hostKey.age;
  };

  nixpkgs.config.allowUnfree = true;

  networking = {
    domain = "home.felschr.com";
    # 80/443 are the only inbound ports this file opens.
    firewall = {
      allowedTCPPorts = [
        80
        443
      ];
      # NOTE(review): UDP 80/443 are only useful if nginx serves HTTP/3 (QUIC);
      # nothing in this file enables that, so confirm they are still needed.
      allowedUDPPorts = [
        80
        443
      ];
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "dev@felschr.com";
  };

  # Dynamic DNS for every public name served by this host. Both address
  # probes read the endpoint list that `tailscale status` reports for this
  # node (`.Self.Addrs`) instead of asking an external "what is my IP" service.
  services.inadyn = {
    enable = true;
    provider = "cloudflare.com";
    username = "felschr.com";
    # API credential comes from the decrypted agenix secret, not from the
    # Nix store.
    passwordFile = config.age.secrets.cloudflare.path;
    extraConfig = ''
      proxied = false
    '';
    # IPv4: first endpoint entry, port suffix stripped.
    ipv4 = {
      enable = true;
      command = "${pkgs.writeScript "get-ipv4" ''
        ${pkgs.tailscale}/bin/tailscale status --json \
          | ${pkgs.jq}/bin/jq -r '.Self.Addrs[0]' \
          | cut -f1 -d":"
      ''}";
    };
    # IPv6: the endpoint entry ending in ::102 — TODO confirm this suffix is
    # stable for this node, otherwise the AAAA record silently stops updating.
    ipv6 = {
      enable = true;
      command = "${pkgs.writeScript "get-ipv6" ''
        ${pkgs.tailscale}/bin/tailscale status --json \
          | ${pkgs.jq}/bin/jq -r '.Self.Addrs' \
          | grep -o '[0-9a-f:]*::102'
      ''}";
    };
    domains = [
      "felschr.com"
      "openpgpkey.felschr.com"
      "ldap.felschr.com"
      "auth.felschr.com"
      "git.felschr.com"
      "home.felschr.com"
      "esphome.felschr.com"
      "matrix.felschr.com"
      "element.felschr.com"
      "cloud.felschr.com"
      "office.felschr.com"
      "media.felschr.com"
      "photos.felschr.com"
      "books.felschr.com"
      "news.felschr.com"
      "etebase.felschr.com"
      "paperless.felschr.com"
      "boards.felschr.com"
    ];
  };

  # Shared reverse proxy / TLS terminator for the service modules above.
  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedProxySettings = true;
    recommendedOptimisation = true;
    # NOTE(review): response compression on authenticated, TLS-terminated
    # pages is the classic compression side-channel setup (BREACH); confirm
    # the proxied apps do not reflect secrets next to attacker-controlled
    # input, or scope compression to static content.
    recommendedGzipSettings = true;
    recommendedBrotliSettings = true;
    recommendedZstdSettings = true;
  };

  programs = {
    zsh.enable = true;
    ssh.enableAskPassword = false;
  };

  services.openssh = {
    enable = true;
    # Public-key authentication only; no password or keyboard-interactive
    # prompts and no root login over the network.
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "no";
    };
    # Same key file as the initrd sshd, presumably so clients see a single
    # host identity across the unlock prompt and the booted system.
    hostKeys = sshHostKeys;
  };

  services.tailscale.extraUpFlags = [
    # "--accept-routes" # breaks incoming connections from outside Tailnet
    "--advertise-tags=tag:felschr-com"
    "--advertise-connector"
  ];

  # Remote LUKS unlock: an SSH server inside the initrd accepts the passphrase,
  # e.g. via
  #   ssh root@hostname "echo "$(read -s pass; echo \'"$pass"\')" > /crypt-ramfs/passphrase"
  boot.initrd = {
    # igb is an Intel GbE NIC driver; presumably the interface the initrd
    # needs for SSH and Tang before the root filesystem is unlocked.
    availableKernelModules = [ "igb" ];
    network = {
      enable = true;
      ssh = {
        enable = true;
        hostKeys = map (key: key.path) sshHostKeys;
        # Same keys that may log in as the regular user on the booted system.
        authorizedKeys = config.users.users.felschr.openssh.authorizedKeys.keys;
      };
    };
    # allow automated decryption
    # `echo -n '<LUKS passphrase here>' | clevis encrypt tang '{"url": "http://doctr:9090"}' > home-server-enc.jwe`
    # NOTE(review): the JWE is referenced as a path literal, so expect it to be
    # world-readable wherever the build copies it (initrd image and/or Nix
    # store). A Tang-bound JWE is recoverable by anyone holding it who can
    # also reach the tang server, so the unlock effectively trusts the network
    # path to doctr:9090 — confirm that matches the threat model.
    clevis = {
      enable = true;
      useTang = true;
      devices."enc".secretFile = ../secrets/clevis/home-server-enc.jwe;
    };
  };

  # Failure notifications for systemd units go out by mail.
  systemd.notify = {
    enable = true;
    method = "email";
    email = {
      mailTo = "admin@felschr.com";
      mailFrom = "${config.networking.hostName} <${config.programs.msmtp.accounts.default.from}>";
    };
  };

  system = {
    # only change this when specified in release notes
    stateVersion = "24.11";
    # Unattended upgrades may reboot, but only inside the nightly window.
    autoUpgrade = {
      allowReboot = true;
      rebootWindow = {
        lower = "03:00";
        upper = "05:00";
      };
    };
  };
}