feat: add modules to bicboye

* change interface name from `enp6s0` to `enp2s0`
* add arr suite + ntfy deployment, monitoring
* add keys for ssh access
* add default_server configuration to nginx for security

Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
Chinmay D. Pai 2024-09-02 19:19:09 +05:30
parent 7520c9a86d
commit 8f4c7fe4cc
Signed by: thunderbottom
GPG Key ID: 75507BE256F40CED


@ -1,4 +1,5 @@
{ {
config,
lib, lib,
pkgs, pkgs,
userdata, userdata,
@ -12,14 +13,11 @@
networking = { networking = {
hostName = "bicboye"; hostName = "bicboye";
useDHCP = lib.mkDefault false; useDHCP = lib.mkDefault false;
interfaces.enp6s0 = { interfaces.enp2s0 = {
useDHCP = lib.mkDefault true; useDHCP = lib.mkDefault true;
wakeOnLan.enable = true; wakeOnLan.enable = true;
}; };
firewall.allowedTCPPorts = [ firewall.allowedTCPPorts = [80 443];
80
443
];
}; };
# Enable weekly btrfs auto-scrub. # Enable weekly btrfs auto-scrub.
@ -35,33 +33,93 @@
# TODO: move to module # TODO: move to module
security.acme.defaults.email = "chinmaydpai@gmail.com"; security.acme.defaults.email = "chinmaydpai@gmail.com";
security.dhparams = {
enable = true;
params.nginx = {};
};
services.nginx = { services.nginx = {
enable = true; enable = true;
recommendedProxySettings = true; recommendedProxySettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
sslDhparam = config.security.dhparams.params.nginx.path;
# Disable default_server access and return HTTP 444.
appendHttpConfig = ''
server {
listen 80 http2 default_server;
listen 443 ssl http2 default_server;
ssl_reject_handshake on;
return 444;
}
'';
}; };
snowflake = { snowflake = {
stateVersion = "24.05"; stateVersion = "24.05";
extraPackages = with pkgs; [
nmap
recyclarr
];
core.docker.enable = true; core.docker.enable = true;
core.docker.storageDriver = "btrfs"; core.docker.storageDriver = "btrfs";
core.security.sysctl.enable = lib.mkForce false; core.security.sysctl.enable = lib.mkForce false;
networking.networkManager.enable = true; networking.networkManager.enable = true;
networking.resolved.enable = true;
hardware.initrd-luks = { hardware.initrd-luks = {
enable = true; enable = true;
authorizedKeys = [ authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG3PeMbehJBkmv8Ee7xJimTzXoSdmAnxhBatHSdS+saM" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG3PeMbehJBkmv8Ee7xJimTzXoSdmAnxhBatHSdS+saM"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOyY8ZkhwWiqJCiTqXvHnLpXQb1qWwSZAoqoSWJI1ogP" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOyY8ZkhwWiqJCiTqXvHnLpXQb1qWwSZAoqoSWJI1ogP"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJQWA+bAwpm9ca5IhC6q2BsxeQH4WAiKyaht48b7/xkN"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJnFvU6nBXEuZF08zRLFfPpxYjV3o0UayX0zTPbDb7C"
]; ];
availableKernelModules = ["r8169"]; availableKernelModules = ["r8169"];
}; };
monitoring = {
enable = true;
grafana = {
domain = "lens.deku.moe";
adminPasswordFile = userdata.secrets.monitoring.grafana.password;
};
victoriametrics.extraPrometheusConfig = [
{
job_name = "unpoller";
static_configs = [
{
targets = ["127.0.0.1:${toString config.services.prometheus.exporters.unpoller.port}"];
}
];
}
{
job_name = "router";
static_configs = [
{
targets = ["192.168.69.1:9100"];
}
];
relabel_configs = [
{
source_labels = ["__address__"];
target_label = "instance";
regex = "([^:]+)(:[0-9]+)?";
replacement = "openwrt";
}
];
}
];
};
services = { services = {
arr.enable = true;
gitea = { gitea = {
enable = true; enable = true;
domain = "git.deku.moe"; domain = "git.deku.moe";
@ -75,6 +133,11 @@
adminTokenFile = userdata.secrets.services.miniflux.password; adminTokenFile = userdata.secrets.services.miniflux.password;
}; };
ntfy-sh = {
enable = true;
domain = "ntfy.deku.moe";
};
paperless = { paperless = {
enable = true; enable = true;
domain = "docs.deku.moe"; domain = "docs.deku.moe";
@ -93,7 +156,13 @@
package = pkgs.maych-in; package = pkgs.maych-in;
domain = "maych.in"; domain = "maych.in";
}; };
unifi-controller.enable = true; unifi-controller = {
enable = true;
unpoller = {
enable = true;
passwordFile = userdata.secrets.services.unifi-unpoller.password;
};
};
}; };
user = { user = {
@ -105,6 +174,8 @@
extraAuthorizedKeys = [ extraAuthorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG3PeMbehJBkmv8Ee7xJimTzXoSdmAnxhBatHSdS+saM" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG3PeMbehJBkmv8Ee7xJimTzXoSdmAnxhBatHSdS+saM"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOyY8ZkhwWiqJCiTqXvHnLpXQb1qWwSZAoqoSWJI1ogP" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOyY8ZkhwWiqJCiTqXvHnLpXQb1qWwSZAoqoSWJI1ogP"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJQWA+bAwpm9ca5IhC6q2BsxeQH4WAiKyaht48b7/xkN"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJnFvU6nBXEuZF08zRLFfPpxYjV3o0UayX0zTPbDb7C"
]; ];
}; };
}; };
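Review bot: The catch-all `default_server` block added in the `appendHttpConfig` of the third hunk (the `@ -35,33 +33,93 @@` one) only declares IPv4 listeners (`listen 80 ...` and `listen 443 ssl ...`), so if the host's other virtual hosts also bind `[::]` — which the NixOS nginx module's default listen addresses appear to do, though that is not visible here — an IPv6 request with an unknown Host/SNI would fall through to whichever vhost nginx picks first rather than being rejected with 444. Adding the matching IPv6 listeners, `listen [::]:80 default_server;` and `listen [::]:443 ssl default_server;`, closes that gap and makes the block do what the line-52 comment promises. Separately, `http2` as a parameter on the plaintext `listen 80` line is unusual (it enables h2c on that port) and newer nginx releases deprecate the `listen ... http2` form in favour of a standalone `http2 on;` directive, so it may be worth dropping the parameter from the port-80 line. The enclosing `services.nginx` attribute set is fully visible in the hunk, but the surrounding host configuration is not.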