update: fixed issues and update flake inputs

danny 2025-12-29 16:03:31 +08:00
parent 4b6183f0ec
commit b3c5ad2880
80 changed files with 3307 additions and 2059 deletions


@ -61,6 +61,12 @@ in
"nextcloud"
"vaultwarden"
"paperless"
"keycloak"
"pdns"
"powerdnsadmin"
"roundcube"
"grafana"
"crowdsec"
];
location = "${backupPath}/postgresql";
};
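Review bot: The `"crowdsec"` entry added to this database list is unconditional, yet the same commit comments out the `./crowdsec.nix` import in the security module list. On a host where that database is never created, the dump step for it would presumably fail. The CrowdSec addresses added to `allowedIPs` in the host configuration are left behind in the same way. Consider tying the entry to the service, e.g. `++ lib.optional config.services.crowdsec.enable "crowdsec"` (assuming `lib` and `config` are in scope here), so that disabling a service also drops its backup target. The list opens outside this hunk, so the option it belongs to is not visible.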


@ -9,8 +9,6 @@ in
{
systemConf = {
inherit hostname username;
domain = "net.dn";
hyprland.enable = false;
security = {
allowedDomains = [
"github.com"
@ -25,6 +23,9 @@ in
allowedIPs = [
"10.0.0.0/24"
"127.0.0.1"
# CrowdSec
"52.51.161.146"
"34.250.8.127"
];
allowedIPv6 = [
"ff02::/16"
@ -45,7 +46,7 @@ in
'';
imports = [
../public/dn/default.nix
../public/dn
./common
./home
./network
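Review bot: The two literal addresses added under `# CrowdSec` in `allowedIPs` pin a third-party service to whichever hosts it used on the day they were looked up. If the provider moves, the allowlist silently breaks the service; if the addresses are reassigned, the rule keeps allowing an unrelated party. If the firewall module resolves `allowedDomains` entries, adding the service hostname there is the more durable form. Otherwise record the source and date next to the entries, e.g. `# CrowdSec API, resolved <date> from <hostname>; re-check on update`.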


@ -1,34 +1,20 @@
{
inputs,
config,
pkgs,
...
}:
let
inherit (config.systemConf) username;
in
{
home-manager = {
users."${username}" = {
imports = [
../../../../home/user/config.nix
../../../../home/user/direnv.nix
../../../../home/user/environment.nix
../../../../home/user/nvf
../../../../home/user/shell.nix
../../../../home/user/yazi.nix
{
home.packages = with pkgs; [
inputs.ghostty.packages.${system}.default
];
}
# Git
(import ../../../../home/user/git.nix {
inherit username;
email = "danny10132024@gmail.com";
})
];
};
home-manager.users."${username}" = {
imports = [
../../../../home/user/config.nix
../../../../home/user/direnv.nix
../../../../home/user/environment.nix
../../../../home/user/nvf
../../../../home/user/shell.nix
../../../../home/user/yazi.nix
../../../../home/user/ghostty.nix
];
};
}


@ -159,6 +159,12 @@ let
publicKey = "5th0G9c7vHrhcByvPJAbrn2LXjLPqDEMsHzda0FGUTQ=";
allowedIPs = [ "10.0.0.148/32" ];
}
# DN Win
{
dns = "win";
publicKey = "LuKw1w879a3kRaBK+faToVmb9uLhbj6tf/DstgMMJzQ=";
allowedIPs = [ "10.0.0.149/32" ];
}
];
in
{
@ -424,7 +430,8 @@ in
# python
''
import cachelib
BIND_ADDRESS = "127.0.0.1"
PORT = 8081
SESSION_TYPE = 'cachelib'
SESSION_CACHELIB = cachelib.simple.SimpleCache()
SQLALCHEMY_DATABASE_URI = 'postgresql://powerdnsadmin@/powerdnsadmin?host=localhost'


@ -1,5 +1,5 @@
{
imports = [
./atticd.nix
# ./atticd.nix
];
}
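Review bot: The `./atticd.nix` import is commented out rather than removed, and nothing records why or whether it is meant to come back; the security module list does the same with `./crowdsec.nix`. For the CrowdSec case a later reader cannot tell whether detection was switched off deliberately or only while an issue was being debugged. Either delete the lines or state the reason beside them, e.g. `# ./crowdsec.nix  # disabled: <reason>; re-enable when <condition>`.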


@ -1,6 +1,6 @@
{
imports = [
./fail2ban.nix
./crowdsec.nix
# ./crowdsec.nix
];
}


@ -7,7 +7,7 @@
}:
let
inherit (helper.grafana) mkDashboard;
inherit (lib) optionalAttrs;
inherit (lib) optionalAttrs optional;
inherit (config.networking) hostName;
datasourceTemplate = [
@ -78,28 +78,33 @@ in
}
];
})
(optionalAttrs config.services.crowdsec.settings.general.prometheus.enabled {
job_name = "crowdsec";
static_configs = [
{
targets = [
"localhost:${toString config.services.crowdsec.settings.general.prometheus.listen_port}"
];
labels = {
machine = "${hostName}";
};
}
];
relabel_configs = [
{
source_labels = [ "__address__" ];
target_label = "instance";
regex = "(.*):[0-9]+";
replacement = "CrowdSec - \${1}";
}
];
})
];
]
++ (optional
(config.services.crowdsec.enable && config.services.crowdsec.settings.general.prometheus.enabled)
[
{
job_name = "crowdsec";
static_configs = [
{
targets = [
"localhost:${toString config.services.crowdsec.settings.general.prometheus.listen_port}"
];
labels = {
machine = "${hostName}";
};
}
];
relabel_configs = [
{
source_labels = [ "__address__" ];
target_label = "instance";
regex = "(.*):[0-9]+";
replacement = "CrowdSec - \${1}";
}
];
}
]
);
})
(import ../../../modules/grafana.nix {
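Review bot: `optional` wraps its second argument in a list, and the argument passed here is already a list (`[ { job_name = "crowdsec"; … } ]`), so when the condition is true the `++` appends a nested list instead of a scrape-config attribute set. That would likely fail the option's type check as soon as CrowdSec is enabled again; if the service is disabled on this host the branch is never taken, which would explain why it goes unnoticed now. Use the list form, `inherit (lib) optionalAttrs optionals;` with `++ (optionals (config.services.crowdsec.enable && …) [ … ])`, or keep `optional` and drop the inner brackets. The surrounding expression starts and ends outside this hunk.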


@ -11,15 +11,15 @@ ldap:
env: ENC[AES256_GCM,data:XmIz9JEswvK1jVmTsTgdDZJXeK7j8E/b6nF+uuZpvpoe5/IogjMrzcWi3EB1i44z1Dxgoim8QM8ZtczY,iv:1jK/J2qfKODrbrNpSHl110jPvbNLl0zI//laowerJOc=,tag:tkBVxDC8Ebn3Aac+LATQFA==,type:str]
oauth:
password: ENC[AES256_GCM,data:lzS/OtqHb/24IJnOKxMBQA==,iv:BI1n7Jjklye6WM2ss7jpaGgokrJpAG2Ipil7VrY30XM=,tag:i3OByJ6LDwvAsS5CTrEQig==,type:str]
adminEnv: ENC[AES256_GCM,data:LECZ1/KtaEB7kUN6zNDUr08g2SVtGhWEvy2QA9jzU3vJ1U8NDnPXjfDkkH1bIw==,iv:pPz7J+DdF7zkqzFlevoeYQGZnA2PQDoRYcpOaOeHN3A=,tag:e0iVPSZQ1V3aWYtKpGnBGg==,type:str]
adminEnv: ENC[AES256_GCM,data:tF7ECUxG5QeNIvx3IFpTtY7NnSXROGHi48jGXZNgJVX5cABNIYBUqYW9/p2KbA==,iv:7oNmOBEs0b9mB6Ay7IULH2AumQOdIyQ+hDHm5kV6lTY=,tag:jkfA6D8CKg1jC21dS7Sumw==,type:str]
powerdns-admin:
secret: ENC[AES256_GCM,data:M5hD8B7kikseQJZCWUIlc7OJcQn0nwnx0QOSQe+Mf8TaztvyFfSfxv0vowNsx0MyGef4teuK+DW9/UTbRFEHeg==,iv:xaSgzhqMU9+ud1xfXLVkg3v2xcmIo35BOhml5VfHKBI=,tag:L1v95+HsIqNjVA1LGNbEJQ==,type:str]
salt: ENC[AES256_GCM,data:Vtn3/gJlElrFkPwoa05wlxVL/Sk4lNLghp1gi6o4V5A=,iv:/lRVfNOpERS963+9JNf8wATIY9FcicT8xQ9Cbw2by/s=,tag:x5WiNa56l7y3CKwbaamLLA==,type:str]
salt: ENC[AES256_GCM,data:rs4tZrVF4kb6/97wjQA2Npb2QeS6vjN3L1zRgmM=,iv:c0VTEtnahMSfs/PqeFQxYpDstLxPKaW1RyXMc6SQJu8=,tag:dXHUO2KJvP5Sz22Gv6ws/w==,type:str]
powerdns: ENC[AES256_GCM,data:d4qzUAjyHUxLynvP6vSxCzrihfb/X3KYHeRA/w+CButld7ulxL9W6PerhvNcJytgfJDQINvcgnMKjijJ/vC7VeO9p7ZyArh4/PWZwgiJ,iv:orfh5F4uCYq2IplG0Y7Q/RcSqIm5Xyzn3ejzPsm+/0k=,tag:YqfvBlJRpkmMy29z3wyJ1g==,type:str]
rspamd-trainer: ENC[AES256_GCM,data:EqWVADi7zr6AUZL5mlN1/xbpjuRIS3Zn,iv:M/xk7LywcRiKQM9LrnTnCKu3OS/YBf23CRkxh4ll1+c=,tag:4lH3hhMxWIzEUExJOt/41Q==,type:str]
rspamd: ENC[AES256_GCM,data:qEXHXdcvk24pAHEl6MI=,iv:L5tmoTu5Qk5sxDj3EmWfc39AHwRTT4T4gB1O2EsTQkY=,tag:vIhAOnEpWxtP0eU4stkQww==,type:str]
acme:
env: ENC[AES256_GCM,data:gHoAyc6+LK7jrTfrIlPJx+RNe90xTpVVykDEfor3+ifRDRCPfxLmfj1nWylRp7r3N/Ha8AlElvNPmn4mVMsM2OsXmZoYoO+YOVq1zShXHI3A2dHgzJGxaCu/zuf2AWefEsBDWhjbGxWUpjjcEh6mOgvuh0HHGdW0uq6EL5LqDZiPMGdYNdJLEuy6s9pdQt69mVWAwGVA9eTvbnG0W91/35SUeOSs+la+YRCSPQ==,iv:QebJyJ1+6dYQulVkDdkFx34KkiH9xzsX+C3TYDdIMkw=,tag:h7Oxt04PqkFDdb7ZuyVnlQ==,type:str]
env: ENC[AES256_GCM,data:DQaHr13K3faeyQk/05sVmmZRNvEbjmMP8y3nES1vyFO+oNX9nyyWcy5YEAO5tjRTxi/yM1ISlhbXWct4iRwAkvnhtoFRK/jpAfDv+W3J1LotaRxiPWSXUs5lS7uS0DpveRwQVv6qEl3Cs8vitHAJfRCKJoYv5HTJyvOnoWqHbnk=,iv:co3V0vu2c26NKHuoNoRv7td8qu6m0NTlvkr3EJBQGvM=,tag:leTY/DGg85Pm8gsAHah29Q==,type:str]
postsrsd:
secret: ENC[AES256_GCM,data:JZNwSymEjIFb8h3gnvFajxSaNYRxjA/NUruA4WX+uSqX0ufVcbVWgxQTr7U=,iv:ydGnCESCLbwyGKc+5witXDkT3OgW27LKen7PkqUL6mU=,tag:M3RGI6LgU5n2e6ZiXxTFfQ==,type:str]
grafana:
@ -70,7 +70,7 @@ sops:
OFloWEFuTC9GTXJsMG5NNktmdmIrY1kK0yN0ae0xNaydujV5lt2FiwXdyursG0DK
9i/B3TTAm9csDMMSTSFbiAUJDzG7kIqn++JU/cxvsGScSnhMqjEK/g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-11-24T10:30:46Z"
mac: ENC[AES256_GCM,data:yBegCnXXKimHlZ5UcPL6O9VbhdpASMd09t7m2fxLFGYgHXYFsuRda8puVpe9EiukNRJzhkWZRjJUHI+nE2cdibx5Ewaom8lbe8pKB1A7qrVSXjU+f5HTMjUdB+ACAcGlErc0wniekwSQj2LfIYknYm2nVz2M5VeDbYxz7F5PAO0=,iv:vMdsGEe1ZPQdNtSXhtwC0StiuhBVViCuBGTURep37UM=,tag:mB2kZZcrGnmChQQRc4wvTA==,type:str]
lastmodified: "2025-12-29T05:31:41Z"
mac: ENC[AES256_GCM,data:7vRB92qX6NPYafjpTY0wS23bq5Jn57xkWamJZ2ZgD4/2rW+qRilmO6sqaZEktWr7q2jQzgSvdgZsgbuhkxoqQXrTVP7osjr8qQ20jL9OXLxSgPQry2QqNBqlSdjEUov/bygJA0oI46K8pdk6OrT07Few/nXMrvUixFAGGUsKmJc=,iv:Gd5X70COnDL4Ntps/bedF92uUH6hCosDj2dsbF0KQHw=,tag:O3vq/kFnay5le7F1Q2heJQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0