dachxy/nix-conf
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: netbird

Browse source
This commit is contained in:
danny 2026-01-08 14:21:53 +08:00
parent 53b83b3471
commit ea118b7995
64 changed files with 1088 additions and 665 deletions
Download patch file Download diff file Expand all files Collapse all files

607
flake.lock generated
View file

File diff suppressed because it is too large Load diff

9
flake.nix
View file

@ -41,7 +41,7 @@
neovim-nightly-overlay.url = "github:nix-community/neovim-nightly-overlay";
lanzaboote = {
url = "github:nix-community/lanzaboote/v0.4.2";
url = "github:nix-community/lanzaboote/v1.0.0";
inputs.nixpkgs.follows = "nixpkgs";
};
@ -112,12 +112,6 @@
inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
};
actual-budget-server = {
url = "git+file:///home/danny/projects/actual-budget-flake";
# url = "github:dachxy/actual-budget-flake";
inputs.nixpkgs.follows = "nixpkgs";
};
mail-server = {
url = "github:dachxy/nix-mail-server";
inputs.nixpkgs.follows = "nixpkgs";
@ -234,6 +228,7 @@
inputs.attic.nixosModules.atticd
inputs.mail-server.nixosModules.default
inputs.niri.nixosModules.niri
inputs.lanzaboote.nixosModules.lanzaboote
./options
# ==== Private Configuration ==== #

9
home/options/sunsetr.nix
View file

@ -1,4 +1,9 @@
{ config, lib, ... }:
{
config,
lib,
pkgs,
...
}:
let
inherit (lib)
mkIf
@ -11,7 +16,7 @@ in
{
options.services.sunsetr = {
enable = mkEnableOption "Enable sunsetr.";
package = mkPackageOption "sunsetr";
package = mkPackageOption pkgs "sunsetr" { };
};
config = mkIf cfg.enable {

11
home/scripts/remoteRebuild.nix
View file

@ -13,11 +13,13 @@ let
--sudo --ask-sudo-password $@'';
in
pkgs.writeShellScriptBin "rRebuild" ''
NOTIFY="''\${NOTIFY:-0}"
TARGET=$1
BUILD=$2
shift
shift
set -euo pipefail
shift 2
${
if shouldNotify then
@ -25,6 +27,11 @@ pkgs.writeShellScriptBin "rRebuild" ''
export NTFY_TITLE="🎯 $TARGET built by 🏗 ''\${BUILD:-${hostName}}"
export NTFY_TAGS="gear"
if [ "$NOTIFY" -eq 0 ] ; then
${rebuildCommand}
exit 0
fi
if ${rebuildCommand}
then
ntfy pub system-build " Build success" > /dev/null 2>&1

2
home/user/shell.nix
View file

@ -1,10 +1,12 @@
{
lib,
osConfig,
config,
pkgs,
...
}:
let
inherit (lib) mkForce;
remoteRebuld = import ../scripts/remoteRebuild.nix { inherit osConfig config pkgs; };
in
{

1
system/dev/dn-lap/default.nix
View file

@ -23,6 +23,7 @@ in
./sops
./utility
./virtualisation
./network
];
users.users."${username}".openssh.authorizedKeys.keys = [

5
system/dev/dn-lap/network/default.nix Normal file
View file

@ -0,0 +1,5 @@
{
imports = [
../../../modules/netbird-client.nix
];
}

6
system/dev/dn-lap/sops/secret.yaml
View file

@ -1,5 +1,7 @@
wireguard:
wg0.conf: ENC[AES256_GCM,data:9wegrw4ZbY+T/gNYi0gt4n6Db1/rRpsiqVbQr8QoYTwOiWBjKO2PGTTM5aK3khk5t2pYOTSqEBn5+5J/JYZpQ6nvJMcqn0+31KMuMT9/0akxOm112Tj31vOdBwRvSQVLBzmQtPABgMlV36lRtpVU71lwiNO4M33ygzL/tm7EMt0e75Nr9CZkGI7BGtnATBzbj3ysftsbFPF2iIgZ9fej4I78rJ1HavAsAgcrxksWAJjFZyFGWinkW4eiwDKlqBvRUW0tE8TF897ZmX90UnwXwjtyJcyJH6nzwrRDJgxR7uyRL/HIusmVZHCNSlo8dSaxAROXOw5ULjmQpXzzPAVUxw==,iv:FCv2ADYZXflBYuI9B9xvUSAYX8+v2Qf9EJjZ/TX27sA=,tag:caR4HS3yYrjNP1IzxgoOXA==,type:str]
netbird:
wt0-setupKey: ENC[AES256_GCM,data:bj3w7lGMJ0ZPQpGF0nKuhPKNWb04xVr6wNqoFGNzPnEJ+Q+b,iv:0helVFJqu4TNFY6LTG7LpD3tqsArwJHWH2XnlpPKEZk=,tag:yGrExGSmliHXxKAHqiHK/g==,type:str]
sops:
age:
- recipient: age1uvsvf5ljaezh5wze32p685kfentyle0l2mvysc67yvgct2h4850qqph9lv
@ -20,7 +22,7 @@ sops:
V09NYXpBYXBtYWdBajJubmVFL2loY0EKJdYKQHPriOT0eouvRUiCyqLSTzugUZxl
BFTwfCez1/K2ERKQkKsMfIARbHaI2SRyDxM2O1IJ+DOIJ2383K6Gvw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-12-19T12:39:58Z"
mac: ENC[AES256_GCM,data:tTvNyD6Lekc0RUIr9CpCjhWl2Gb9pHRubeoTrwceUCkm074EjYIzvqwiX5fzt6Cc5/H/k8NWJZBAoI3tOeCrXpo1Lbb0fCjGqxTldGN44pLR/5q9bdAxLom3EEqKiBBryVxqAkkm1a98UXPtnh+oDyaFsqTbS65LolEtFEbV/3U=,iv:J0gMlpWc9TVSCRxcdUnlXtNnmahvbc12EsLeFB4BJlY=,tag:h0EaNQ/sl+3sU9+g4ohjtw==,type:str]
lastmodified: "2026-01-06T08:39:04Z"
mac: ENC[AES256_GCM,data:xPMGZ7SUVih97hWeeARhoZVn4B8D/lNzLuxRRkQEG5PqdtXHwH9HVIHz6AG3Pc72aRKroGF0E2sidJU7WxIUde4IuoktecHq2e2e+tVLZWg50Y/keG7SMR5MamapCiYxK88a9vG4a8PYytSOFvF5DUUjKGkFJZOaelK+ydOPbek=,iv:lh+dwiBl26sEYpvXx6HtUwKs2Mz5F0hRKD4q2q1jlkI=,tag:+gDW5nRmBkjCryFTudyqMA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

3
system/dev/dn-pre7780/common/boot.nix
View file

@ -3,7 +3,7 @@
...
}:
{
boot.kernelPackages = pkgs.linuxPackages_6_17;
boot.kernelPackages = pkgs.linuxPackages_latest;
fileSystems."/mnt/ssd" = {
device = "/dev/disk/by-label/DN-SSD";
@ -19,6 +19,7 @@
"uid=1000"
"dmask=000"
"fmask=000"
"exec"
];
};

2
system/dev/dn-pre7780/default.nix
View file

@ -44,6 +44,7 @@ in
../public/dn
../public/dn/ntfy.nix
./expr
./network
./common
./games
./home
@ -53,6 +54,7 @@ in
./virtualisation
../../modules/shells/noctalia
../../modules/sunshine.nix
../../modules/secure-boot.nix
];
# Live Sync D

1
system/dev/dn-pre7780/expr/default.nix
View file

@ -1,6 +1,5 @@
{
imports = [
# ./netbird.nix
# ./osx-kvm.nix
];
}

65
system/dev/dn-pre7780/expr/netbird.nix
View file

@ -1,65 +0,0 @@
{
domain,
idpSecret,
dataStoreEncryptionKey,
coturnPassFile,
...
}:
let
port = 51820;
in
{
services.netbird = {
server = {
enable = true;
domain = "netbird.${domain}";
enableNginx = true;
management = {
oidcConfigEndpoint = "https://keycloak.net.dn/realms/master/.well-known/openid-configuration";
settings = {
DataStoreEncryptionKey = {
_secret = dataStoreEncryptionKey;
};
TURNConfig = {
Secret = {
_secret = idpSecret;
};
};
IdpManagerConfig = {
ClientConfig = {
ClientID = "netbird-backend";
ClientSecret = {
_secret = idpSecret;
};
};
};
};
};
coturn = {
user = "netbird";
passwordFile = coturnPassFile;
enable = true;
};
dashboard.settings = {
USE_AUTH0 = false;
AUTH_AUTHORITY = "https://keycloak.net.dn/realms/master";
AUTH_CLIENT_ID = "netbird";
AUTH_AUDIENCE = "netbird";
AUTH_SUPPORTED_SCOPES = "openid profile email offline_access api";
};
};
clients.default = {
inherit port;
openFirewall = true;
name = "netbird";
interface = "wt0";
hardened = true;
dns-resolver.address = "10.0.0.1";
};
};
services.nginx.virtualHosts."netbird.${domain}" = {
enableACME = true;
forceSSL = true;
};
}

3
system/dev/dn-pre7780/games/default.nix
View file

@ -1,6 +1,7 @@
{
imports = [
../../../modules/gaming.nix
./game.nix
./shadps4.nix
./minecraft.nix
];
}

12
system/dev/dn-pre7780/games/minecraft.nix Normal file
View file

@ -0,0 +1,12 @@
{ pkgs, ... }:
{
home-manager.sharedModules = [
{
home.packages = with pkgs; [
prismlauncher
lsfg-vk
lsfg-vk-ui
];
}
];
}

0
system/dev/dn-pre7780/games/game.nix → system/dev/dn-pre7780/games/shadps4.nix
View file

6
system/dev/dn-pre7780/network/default.nix Normal file
View file

@ -0,0 +1,6 @@
{
imports = [
../../../modules/netbird-client.nix
# ../../../modules/wireguard.nix
];
}

3
system/dev/dn-pre7780/services/default.nix
View file

@ -3,8 +3,7 @@
../../../modules/postgresql.nix
# ./mail.nix
./nginx.nix
./wireguard.nix
# ./pangolin.nix
# ./nextcloud.nix
# ./netbird.nix
];
}

11
system/dev/dn-pre7780/services/netbird.nix
View file

@ -1,11 +0,0 @@
{ config, ... }:
{
imports = [
(import ../expr/netbird.nix {
domain = "pre7780.dn";
coturnPassFile = config.sops.secrets."netbird/coturn/password".path;
idpSecret = config.sops.secrets."netbird/oidc/secret".path;
dataStoreEncryptionKey = config.sops.secrets."netbird/dataStoreKey".path;
})
];
}

48
system/dev/dn-pre7780/services/pangolin.nix Normal file
View file

@ -0,0 +1,48 @@
{ config, lib, ... }:
let
inherit (lib) mkForce;
secrets = config.sops.secrets;
domain = "net.dn";
in
{
sops.secrets = {
"pangolin/env" = { };
"pangolin/traefik" = {
key = "acme/pdns";
};
};
services.pangolin = {
enable = true;
openFirewall = true;
dashboardDomain = "auth.${domain}";
baseDomain = domain;
environmentFile = secrets."pangolin/env".path;
letsEncryptEmail = "danny@net.dn";
dnsProvider = "pdns";
settings = {
app = {
save_logs = true;
};
domains = {
};
traefik.prefer_wildcard_cert = true;
};
};
services.traefik = {
staticConfigOptions = {
certificatesResolvers.letsencrypt.acme = {
caServer = mkForce "https://ca.net.dn/acme/acme/directory";
dnsChallenge = {
provider = "pdns";
resolvers = [ "10.0.0.1:53" ];
};
};
};
environmentFiles = [ secrets."pangolin/traefik".path ];
};
}

5
system/dev/dn-pre7780/services/wireguard.nix
View file

@ -1,5 +0,0 @@
{
imports = [
../../../modules/wireguard.nix
];
}

13
system/dev/dn-pre7780/sops/secret.yaml
View file

@ -1,11 +1,12 @@
wireguard:
wg0.conf: ENC[AES256_GCM,data:ozySeNEvkiLt9TGrZCrlJWKT5gcSlZ9T8AeXGO97SPgxI394eCQ/LOkVFl7AykhZvs7YkxMpZzAZxc0oNdTYuDlqfrNr0pqTUJmpX+5PVRmDb5z2MJvERktVkJ4LSvVodoYznDwT/y9q199AFKf3t4EoWuRyR/il6P8HuGVHXrKRYUrwuB4nuq1SIByY+8D2gzohFB/s6pSOPYy6/xCt0Nm+x0wmcdrlyOb0S+4WXlcou2ll98o9q2YDdVBKeW4jyUjFqXM2XzD0JXpAi9ZFlyzxyYNwa4oMYATyCBCH4BNHqe850QHEoCaOovioEdDH/tluB2X/891ixqzURypzbg==,iv:3Q5xOgGcg8/DIwHt4fHsQGtN8f2hGpVDtf47PcwW62I=,tag:SbJqhWi3+h1O5ZIOayDrUw==,type:str]
netbird:
wt0-setupKey: ENC[AES256_GCM,data:166VX+rgzxhar+GFKxA5d8G3/9ewISdv2hUSwvbggyyjwwvE,iv:w8p4gDP6U0ZONX59t2dnglTC9S2dW2TX5A4OoCzRuzM=,tag:zf3jvlERJtM+osBd4ZQjMA==,type:str]
dovecot:
openldap: ENC[AES256_GCM,data:U3YYreEqoh+F0Mrli52jgQowrUqIUPmdQps=,iv:vTjHBFsue+89GOCDigVIktgGSZNZv8A2e3GM80o6TXc=,tag:GGh+hsT+yV/I12meXxflbQ==,type:str]
nextcloud:
adminPassword: ENC[AES256_GCM,data:69NrA/iP0sfrkdv8ahv7I+ZY,iv:/TXTs0fZw64HELdGr5CzgToO2L2G2mCNdN4Zexz8p+o=,tag:p2hNTxv1xdYmEJ6ZAO3w3Q==,type:str]
whiteboard: ENC[AES256_GCM,data:qcZOLX1qJyciKm+4uuOVIopZXG70Jg9Grc07SCjG5ww9DK0myzdqlfWeZKdTsOyTBLMyCE9K7lC5rtBFeSv3ZeqkAUXTQt9QiAN05+tTpHk=,iv:v6fgSz/eh8MZANSbLbeSrKVOdX09pHYZ599BK8Ug2Lo=,tag:JTezfqrInm82K3gB0zpniw==,type:str]
signaling.conf: ENC[AES256_GCM,data:Ede61FM7k3VQHt4hO7O4UOE0p5nHk8lYsqaNWh8ZxfdGRJoMoLJYFcJs8nemAj1AGCh1Ep4ehtgQGcFfILUcek280m4paSIfaE2cwsI+1F+diXn98YmsmiR3swryw518gmfTZ7DrHlns7EWr/Udflz91F5+CKAuPNKtsYRSkB4KmJmEc4k2ioPus7hHEz/edLqA4mob/DuRXrWmFkDtlEj4I9aS5CJpyeDrsYoticnp5/QCWBnpxN2itqvbwjspid085Us7p4wbrM7Di/gPjj0D84Hw4biOLWSHm1oMRXqXIBP3ntPvvKJ2sKy7czcbeIGeJAIwEctStG7hqLAv3bfxiMn8DQ8eNp/xWw6tnwYklS4KCBJbDUucGvNcSx41JLCm+TShxaPIv/l6y+Z7Hkvri1WW2WSRvRsMFFEy3PrZLu0GstESYyARBrVdJ+OdaEtt3tthYLCUQcTT5xd484TTEyF9z3d5CBPC62BXZBdFRyEPD696nXV0ztVTBz2oWCmD6jHL0v+nTn3sojTDet0vmPo6o6cE0RqX6G/oVx+Y9l52QirFxOaNALk3R1l/lvXhDhlrAp8EldGhfnZf8y7X2HoC/XHQud9pA0N89Xrgp/Ak+9d+tRtmr4icLNVtwBg91md9P1tCyqPTUGR3JHc1KtmDHVI3NqgekUAmHrNRE5m633fchV2sTYSOfvdtL,iv:/xlMQoexPA9rXIlMd7bTQY1ojHuprBX/5quVSnNslvI=,tag:geAR+vPBmDB37/oSnnpqSA==,type:str]
openldap:
adminPassword: ENC[AES256_GCM,data:jEGuzgs5QTWfdyJenC3t3g==,iv:StfFOcvbDapnma6eAlpaGiBWnqiD3I/wfQsMBzufol0=,tag:892q7N4KrsSQoZYGy6CQrA==,type:str]
lam:
@ -18,15 +19,13 @@ acme:
pdns: ENC[AES256_GCM,data:eKnahc8HWboYCUpBuEUrdCMhN8A2N2VN0wrmzcyU2OfMeQaswIYSWV4sBzUbj/pono8PaVxK1FBKsn+Ycd4Y6tcxsAkbPfnPkOsbe0FJpz4t9RFLJBLw3U0YTE/TaURiDYipHnvPGYgyq3AziH/xa4WXZxLHGI0x+a/y3PpWy37rT87DWUT2kktPshdO7Mbwn7nSC78WByXmyaUMkT74Sc0FNmCgfijrHk/ATXGb,iv:y3eRZXFbqqf4VuuqHHYdIoiEa1zqRU1XIlEqooJ28lU=,tag:2bIALJFGZyIZT7fyo/y5Nw==,type:str]
cloudflare:
secret: ENC[AES256_GCM,data:Ktk7BtyjaDeOc4Okflz/ZBYpJ7Uy1SeEBV6ofWcToZsvCDT6aTVxGrAKEHIE/eknvnyWOFeSQv/z/Q==,iv:x2ymbLwa1E2FzdomISeyhchya5bowgieO/XuOnoi81w=,tag:Nj+1DRnbvcwiLiEeu2WaRQ==,type:str]
netbird:
oidc:
secret: ENC[AES256_GCM,data:hSVMUEBL0kCvRLD3zd57SLhNIAFOR4eaJPcIIIIUJng=,iv:VhfseftQNlXSDCWuaYQUIklMUCkUbChyWbJl3qgD75M=,tag:vbqov0VgA0XNZfzcr3FZgA==,type:str]
dataStoreKey: ENC[AES256_GCM,data:vV2wgo5qFS+DC1NmOjVddZW9HAsRMpUFH+t/70iQ3A5YXkhbWoCeSxZDyAg=,iv:tKqh28qj8gqHfcb44Ej731w6NKi29X4iEwIOQ4ZcCzA=,tag:ObAxVrUctm6pbmXSQw7j5w==,type:str]
crowdsec:
lapi.yaml: ENC[AES256_GCM,data:BpDlz/liFYVZTA66TMWDifGfT4R9l0W9/LOU33rrPVC4YKeFbB1gIxqkUOEDl8fxsou5Jx/MQivyz90lE8yxbcGV/Zzx4ZJaHN+jz6mfM6mADEWp/nUcfO9tECijOhPPYt/8aE3py38NlFZuafZ2CwdL7RmDX7YCjpiIYxXaIjSv61WPD1SLkOkusnoA7bJZ2xmJ/dfEMXEA4LCCOfGQ,iv:922rrz94pD3/R1kGlQyIFkoq/fRSyxaIQ5qllldQMCY=,tag:AAPlwiQP4KMzHZmcMH76AQ==,type:str]
capi.yaml: ENC[AES256_GCM,data:UuBESeHfKEPSIzP7RPNES0BVWwJsmPqLP3QJbAeAcm6eQ3sRzUSrVxY8A2yoiLD2lnuJPy2BbYHJpBR7VSfs7oUCc7LljgAp1uB2GH1y8YE46xJLo0TDp873bZJdcsO00ozsbtmWlGWJm7HLrzIUEe0mAjBzZeXe1WDJByGeVqupNLwpXSMaos2ktHjXA6hTGAdE5iIxBAXI6qjldWjRnlqE,iv:hZ2nUaOipU7Top0vsn23yU0XWP9SKcoj85xFo5hD/mU=,tag:32E2o+FOJXM9aMnLQA6KYA==,type:str]
consoleToken: ENC[AES256_GCM,data:Q6QWWwcvLd8+ddwPMBzyB+X4gh8I53qSLA==,iv:JD48L59nQYttglAfuKL/lNBzWgBfj01rkIeP8pqmo70=,tag:6cxsQViDGuzjScKkBuO4Bw==,type:str]
rspamd: ENC[AES256_GCM,data:8DryYdMyhzBqwqcbYUQ=,iv:5w21u3xqshRSf8IJbG16/Gf6AC2Zw6VnI3MOchN+w8A=,tag:OiiYUDT69SZObgOh1qCL0g==,type:str]
pangolin:
env: ENC[AES256_GCM,data:f5Pq+DE9PeRyOKeygREuovlqOMhe/bmTOrBA7Px3Oq+pWG5kGwnxqDdP/PwawJAskQPC9LN+QP6hIPNrJbPyxtk87hoRMb/3X0ggOw==,iv:yqqQizPwf3EfCelczf/7piH9kYiAwGLTtassvQ8oXNs=,tag:UzVuKIS8WZNAHgpLkzc9XA==,type:str]
sops:
age:
- recipient: age1uvsvf5ljaezh5wze32p685kfentyle0l2mvysc67yvgct2h4850qqph9lv
@ -38,7 +37,7 @@ sops:
MEdmWkFwNXZoR1ZVRnQ0aWlkYzZwSmsK0EFecUIdqlDKX08oRCoDQQ3QCX1wzb8w
lghDJhWlfuKr+X24GoE4UK04aJVLqVMRRI4BJW+LQXeHS+dWKu3mQA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-12-19T12:39:37Z"
mac: ENC[AES256_GCM,data:JSwphdjAfZcLSuctzruwVjBQXhbQKnEda93KlrH8eoSJcFXBRCMz0v+HY2nBlrC9lwp9vgT3HnGmR6hIPi48UtyxYcGOJy33OY4M1it0WGE2r8Ikg++5cBUtacK4QdwuMCADhNT5ZHs5T7UUX0GMLeqAtrcJ3FKt+4+catsOvnE=,iv:7ZTi86IkbScizZlOCk+uXDyWzrFDsLRuLuzjUFsMFR0=,tag:3/i7BZ8XYALj7RYj4dIUgA==,type:str]
lastmodified: "2026-01-07T08:17:20Z"
mac: ENC[AES256_GCM,data:M9hBNU2KetaGEhJnYW10nWEWetFWs9c5gPN/0W6UIOsP2Y9E2d8J09Ary9O9z6TjjxqkS+H15SQfo6bjuc19jSwtdQ/scqy9nV1H0pOEHzWj8zG/bzC71WmwhZbx4+1cK83HYS9pJhzbO+5tbOK75GwJscXAhXKDzzNBmTW2Y3U=,iv:qozD5Z2uiI5vFApsRVkjiXLOPATs3VV0PDk5szX+mrc=,tag:WpM+Ab9U2q9GR0qvyMZO8w==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

11
system/dev/dn-pre7780/sops/sops-conf.nix
View file

@ -7,17 +7,6 @@ in
secrets = {
"lam/env" = { };
"netbird/oidc/secret" = mkIf config.services.netbird.server.dashboard.enable {
owner = "netbird";
};
"netbird/coturn/password" = mkIf config.services.netbird.server.coturn.enable {
owner = "turnserver";
key = "netbird/oidc/secret";
};
"netbird/dataStoreKey" = mkIf config.services.netbird.server.management.enable {
owner = "netbird";
};
"acme/pdns" = mkIf (hasAttr "acme" config.users.users) {
owner = "acme";
};

1
system/dev/dn-server/common/backup.nix
View file

@ -67,6 +67,7 @@ in
"roundcube"
"grafana"
"crowdsec"
"netbird"
];
location = "${backupPath}/postgresql";
};

2
system/dev/dn-server/default.nix
View file

@ -17,11 +17,9 @@ in
"maps.rspamd.com"
"cdn-hub.crowdsec.net"
"api.crowdsec.net"
"mx1.daccc.info"
"mx1.dnywe.com"
];
allowedIPs = [
"10.0.0.0/24"
"127.0.0.1"
# CrowdSec
"52.51.161.146"

1
system/dev/dn-server/network/default.nix
View file

@ -3,5 +3,6 @@
./nginx.nix
./services.nix
./step-ca.nix
./wireguard.nix
];
}

8
system/dev/dn-server/network/nginx.nix
View file

@ -64,14 +64,6 @@
locations."/".proxyPass = "http://10.0.0.130:8001/phone.html";
};
"ca.net.dn" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "https://10.0.0.1:8443/";
};
};
};
};
}

61
system/dev/dn-server/network/services.nix
View file

@ -6,8 +6,9 @@
}:
let
inherit (config.systemConf) username security;
inherit (lib) concatStringsSep;
inherit (lib) concatStringsSep mkForce optionalString;
inherit (helper.nftables) mkElementsStatement;
netbirdCfg = config.services.netbird;
ethInterface = "enp0s31f6";
sshPorts = [ 30072 ];
@ -23,19 +24,16 @@ let
restrict = "10.0.0.128/25";
};
kube = {
ip = "10.10.0.1/24";
range = "10.10.0.0/24";
infra = {
ip = "10.10.0.2/32";
interface = "wg1";
port = 51821;
masterIP = "10.10.0.1";
masterHostname = "api-kube.${config.networking.domain}";
masterAPIServerPort = 6443;
range = "10.10.0.0/24";
};
allowedSSHIPs = concatStringsSep ", " [
"122.117.215.55"
"192.168.100.1/24"
"100.64.0.0/16"
personal.range
];
@ -168,6 +166,13 @@ let
];
in
{
systemConf.security.allowedIPs = [
"10.10.0.0/24"
"10.0.0.0/24"
];
services.resolved.enable = mkForce false;
networking = {
nat = {
enable = true;
@ -175,7 +180,6 @@ in
externalInterface = ethInterface;
internalInterfaces = [
personal.interface
kube.interface
];
};
@ -183,15 +187,12 @@ in
allowedUDPPorts = [
53
personal.port
kube.port
25565
kube.masterAPIServerPort
5359
];
allowedTCPPorts = sshPorts ++ [
53
25565
kube.masterAPIServerPort
5359
];
};
@ -235,9 +236,10 @@ in
tcp dport { ${sshPortsString} } jump ssh-filter
iifname { ${ethInterface}, ${personal.interface}, ${kube.interface} } udp dport { ${toString personal.port}, ${toString kube.port} } accept
iifname ${personal.interface} ip saddr ${personal.ip} jump wg-subnet
iifname ${kube.interface} ip saddr ${kube.ip} jump kube-filter
iifname { ${ethInterface}, ${personal.interface} } udp dport { ${toString personal.port} } accept
iifname ${infra.interface} ip saddr ${infra.range} accept
iifname ${personal.interface} ip saddr ${personal.range} jump wg-subnet
iifname ${netbirdCfg.clients.wt0.interface} accept
drop
}
@ -251,6 +253,11 @@ in
udp dport 53 accept
tcp dport 53 accept
# Allow UDP hole punching
${optionalString (
netbirdCfg.clients ? wt0
) ''udp sport ${toString netbirdCfg.clients.wt0.port} accept''}
meta skuid ${toString config.users.users.systemd-timesync.uid} accept
ct state vmap { invalid : drop, established : accept, related : accept }
@ -273,16 +280,11 @@ in
meta l4proto { icmp, ipv6-icmp } accept
iifname ${personal.interface} ip saddr ${personal.ip} jump wg-subnet
iifname ${kube.interface} ip saddr ${kube.ip} jump kube-filter
iifname ${infra.interface} ip saddr ${infra.ip} accept
counter
}
chain kube-filter {
ip saddr ${kube.ip} ip daddr ${kube.ip} accept
counter drop
}
chain wg-subnet {
ip saddr ${personal.full} accept
ip saddr ${personal.restrict} ip daddr ${personal.range} accept
@ -309,19 +311,10 @@ in
inherit (r) publicKey allowedIPs;
}) (fullRoute ++ meshRoute);
};
${kube.interface} = {
ips = [ kube.ip ];
listenPort = kube.port;
privateKeyFile = config.sops.secrets."wireguard/privateKey".path;
peers = [ ];
};
};
};
extraHosts = "${kube.masterIP} ${kube.masterHostname}";
};
services = {
dbus.enable = true;
blueman.enable = true;
@ -349,7 +342,7 @@ in
openssh = {
enable = true;
ports = sshPorts;
ports = mkForce sshPorts;
settings = {
PasswordAuthentication = false;
UseDns = false;
@ -385,9 +378,7 @@ in
pdns-recursor = {
enable = true;
forwardZones = {
"${config.networking.domain}." = "127.0.0.1:5359";
"pre7780.dn." = "127.0.0.1:5359";
"test.local." = "127.0.0.1:5359";
"dn." = "127.0.0.1:5359";
};
forwardZonesRecurse = {
# ==== Rspamd DNS ==== #
@ -514,7 +505,7 @@ in
"uptime.${config.networking.domain}" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:3001";
locations."/".proxyPass = "http://127.0.0.1:3001";
};
};

8
system/dev/dn-server/network/step-ca.nix
View file

@ -80,4 +80,12 @@ Bq-3sY8n13Dv0E6yx2hVIAlzLj3aE29LC4A2j81vW5MtpaM27lMpg.cwlqZ-8l1iZNeeS9.idRpRJ9zB
openFirewall = true;
intermediatePasswordFile = config.sops.secrets."step_ca/password".path;
};
services.nginx.virtualHosts."ca.net.dn" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "https://10.0.0.1:8443/";
};
};
}

5
system/dev/dn-server/network/wireguard.nix Normal file
View file

@ -0,0 +1,5 @@
{ config, ... }:
{
sops.secrets."wireguard/wg1.conf" = { };
networking.wg-quick.interfaces.wg1.configFile = config.sops.secrets."wireguard/wg1.conf".path;
}

8
system/dev/dn-server/options/network.nix
View file

@ -5,7 +5,12 @@
...
}:
let
inherit (lib) mkOption types concatStringsSep;
inherit (lib)
mkOption
types
concatStringsSep
unique
;
cfg = config.systemConf.security;
in
{
@ -14,6 +19,7 @@ in
type = with types; listOf str;
description = "Domains that allowed to query dns.";
default = [ ];
apply = v: unique v;
};
rules = {
setName = mkOption {

2
system/dev/dn-server/security/fail2ban.nix
View file

@ -4,6 +4,8 @@
extraAllowList = [
"10.0.0.0/24"
"122.117.215.55"
# Netbird
"100.104.0.0/16"
];
})
];

6
system/dev/dn-server/services/default.nix
View file

@ -3,11 +3,15 @@
imports = [
./actual-budget.nix
./bitwarden.nix
# ./docmost.nix
./minecraft-server.nix
./mail-server.nix
./nextcloud.nix
./paperless-ngx.nix
./metrics.nix
./forgejo.nix
./keycloak.nix
./netbird.nix
./hideTTY.nix
# (import ../../../modules/opencloud.nix {
# fqdn = "opencloud.net.dn";
# envFile = config.sops.secrets."opencloud".path;

72
system/dev/dn-server/services/forgejo.nix Normal file
View file

@ -0,0 +1,72 @@
{ lib, config, ... }:
let
cfg = config.services.forgejo;
srv = cfg.settings.server;
domain = "git.dnywe.com";
mailServer = "mx1.net.dn";
forgejoOwner = {
owner = "forgejo";
mode = "400";
};
in
{
sops.secrets = {
"forgejo/mailer/password" = forgejoOwner;
"forgejo/server/secretKey" = forgejoOwner;
};
networking.firewall.allowedTCPPorts = [ srv.HTTP_PORT ];
services.postgresqlBackup.databases = [ cfg.database.name ];
systemd.services.forgejo.preStart =
let
adminCmd = "${lib.getExe cfg.package} admin user";
pwd = config.sops.secrets."forgejo/mailer/password";
user = "forgejo";
in
''
${adminCmd} create --admin --email "noreply@${srv.DOMAIN}" --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
'';
services.openssh.settings.AllowUsers = [ cfg.user ];
services.forgejo = {
enable = true;
database.type = "postgres";
lfs.enable = true;
settings = {
server = {
DOMAIN = domain;
ROOT_URL = "https://${srv.DOMAIN}";
HTTP_PORT = 32006;
SSH_PORT = lib.head config.services.openssh.ports;
# ==== OpenID Connect ==== #
ENABLE_OPENID_SIGNIN = true;
WHITELISTED_URIS = "https://${config.services.keycloak.settings.hostname}/*";
};
services.DISABLE_REGISTRATION = true;
actions = {
ENABLE = true;
DEFAULT_ACTION_URL = "github";
};
mailer = {
ENABLED = true;
SMTP_ADDR = mailServer;
SMTP_PORT = 587;
FROM = "noreply@${srv.DOMAIN}";
USER = "noreply@${srv.DOMAIN}";
};
};
secrets = {
mailer.PASSWD = config.sops.secrets."forgejo/mailer/password".path;
server.SECRET_KEY = config.sops.secrets."forgejo/server/secretKey".path;
};
};
}

13
system/dev/dn-server/services/hideTTY.nix Normal file
View file

@ -0,0 +1,13 @@
{ ... }:
{
systemd.services.hideTTY = {
description = "Auto turn off monitor ";
wantedBy = [ "multi-user.target" ];
script = ''
echo 1 > /sys/class/graphics/fb0/blank
'';
serviceConfig = {
Type = "oneshot";
};
};
}

17
system/dev/dn-server/services/keycloak.nix Normal file
View file

@ -0,0 +1,17 @@
# NOTE: This is keycloak partial overwrite for `mail-server.nix`.
{ lib, config, ... }:
let
inherit (lib) mkForce;
domain = "dnywe.com";
cfg = config.services.keycloak;
in
{
services.keycloak = {
settings = {
hostname = mkForce "login.${domain}";
};
};
# Disable nginx reverse proxy
services.nginx.virtualHosts."${cfg.settings.hostname}" = mkForce { };
}

49
system/dev/dn-server/services/mail-server.nix
View file

@ -1,9 +1,25 @@
{ config, lib, ... }:
{
config,
lib,
...
}:
let
inherit (lib) mkForce;
inherit (config.systemConf) username;
in
{
systemConf.security.allowedDomains = [
"registry-1.docker.io"
"auth.docker.io"
"login.docker.com"
"auth.docker.com"
"production.cloudflare.docker.com"
"docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage"
"api.docker.com"
"cdn.segment.com"
"api.segment.io"
];
mail-server =
let
domain = "net.dn";
@ -81,29 +97,16 @@ in
};
};
services.openldap.settings.attrs.olcLogLevel = mkForce "config";
services.postfix.settings.main = {
# internal_mail_filter_classes = [ "bounce" ];
virtualisation.oci-containers.containers.phpLDAPadmin = {
environment = {
LDAP_ALLOW_GUEST = "true";
LOG_LEVEL = "debug";
LDAP_LOGGING = "true";
};
};
services.rspamd = {
locals."logging.conf".text = ''
level = "debug";
'';
locals."settings.conf".text = ''
bounce {
id = "bounce";
priority = high;
ip = "127.0.0.1";
selector = 'smtp_from.regexp("/^$/").last';
apply {
BOUNCE = -25.0;
}
symbols [ "BOUNCE" ]
}
'';
services.openldap.settings = {
attrs.olcLogLevel = mkForce "config";
# children."cn=schema".includes = extraSchemas;
};
}

4
system/dev/dn-server/services/metrics.nix
View file

@ -63,7 +63,7 @@ in
job_name = "powerdns_recursor";
static_configs = [
{
targets = [ "localhost:${toString config.services.pdns-recursor.api.port}" ];
targets = [ "127.0.0.1:${toString config.services.pdns-recursor.api.port}" ];
labels = {
machine = "${hostName}";
};
@ -87,7 +87,7 @@ in
static_configs = [
{
targets = [
"localhost:${toString config.services.crowdsec.settings.general.prometheus.listen_port}"
"127.0.0.1:${toString config.services.crowdsec.settings.general.prometheus.listen_port}"
];
labels = {
machine = "${hostName}";

40
system/dev/dn-server/services/minecraft-server.nix Normal file
View file

@ -0,0 +1,40 @@
{ pkgs, ... }:
let
modpack = pkgs.fetchPackwizModpack {
url = "https://git.dnywe.com/dachxy/shader-retired-modpack/raw/branch/main/pack.toml";
packHash = "sha256-NPMS8j5NXbtbsso8R4s4lhx5L7rQJdek62G2Im3JdmM=";
};
in
{
systemConf.security.allowedDomains = [
"api.mojang.com"
"textures.minecraft.net"
"session.minecraft.net"
"login.microsoftonline.com"
];
services.minecraft-servers = {
enable = true;
eula = true;
};
services.minecraft-servers.servers.shader-retired = {
enable = true;
autoStart = true;
openFirewall = true;
package = pkgs.fabric-server;
symlinks = {
"mods" = "${modpack}/mods";
};
serverProperties = {
server-port = 25565;
difficulty = 3;
gamemode = "survival";
max-player = 20;
modt = "Bro!!!!";
accepts-flight = true;
accepts-transfers = true;
hardcore = false;
};
};
}

119
system/dev/dn-server/services/netbird.nix Normal file
View file

@ -0,0 +1,119 @@
{ config, lib, ... }:
let
inherit (lib) mkForce;
domain = "dnywe.com";
# Virtual Domain
vDomain = "vnet.dn";
proxyIP = "10.10.0.1";
cfg = config.services.netbird;
srv = cfg.server;
# TODO: Change realm to master
realm = "netbird";
in
{
sops.secrets."netbird/wt0-setupKey" = {
owner = cfg.clients.wt0.user.name;
mode = "400";
};
systemConf.security.allowedDomains = [
"login.dnywe.com"
"pkgs.netbird.io"
"${srv.domain}"
];
imports = [
(import ../../../modules/netbird-server.nix {
inherit realm vDomain;
domain = "netbird.${domain}";
oidcURL = "https://${config.services.keycloak.settings.hostname}";
enableNginx = false;
oidcType = "keycloak";
})
];
services.netbird = {
ui.enable = mkForce false;
clients.wt0 = {
port = 51830;
openFirewall = true;
autoStart = true;
environment = {
NB_MANAGEMENT_URL = "https://${srv.domain}";
};
login = {
enable = true;
setupKeyFile = config.sops.secrets."netbird/wt0-setupKey".path;
};
};
server.management = {
disableSingleAccountMode = false;
singleAccountModeDomain = vDomain;
metricsPort = 32009;
turnDomain = mkForce "coturn.${domain}";
extraOptions = [ "--user-delete-from-idp" ];
};
server.coturn.enable = mkForce false;
};
networking.firewall.allowedTCPPorts = [ 32011 ];
# ==== Proxy By Caddy & CDN ==== #
services.nginx.appendHttpConfig = ''
set_real_ip_from ${proxyIP};
real_ip_header X-Forwarded-For;
real_ip_recursive on;
'';
services.nginx.virtualHosts."netbird.local" = {
locations = {
"/" = {
root = cfg.server.dashboard.finalDrv;
tryFiles = "$uri $uri.html $uri/ =404";
};
"/404.html".extraConfig = ''
internal;
'';
"/api" = {
extraConfig = ''
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
'';
proxyPass = "http://127.0.0.1:${builtins.toString srv.management.port}";
};
"/management.ManagementService/".extraConfig = ''
client_body_timeout 1d;
grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
grpc_pass grpc://127.0.0.1:${builtins.toString srv.management.port};
grpc_read_timeout 1d;
grpc_send_timeout 1d;
grpc_socket_keepalive on;
'';
"/signalexchange.SignalExchange/".extraConfig = ''
client_body_timeout 1d;
grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
grpc_pass grpc://127.0.0.1:${builtins.toString srv.signal.port};
grpc_read_timeout 1d;
grpc_send_timeout 1d;
grpc_socket_keepalive on;
'';
};
extraConfig = ''
error_page 404 /404.html;
'';
};
}

147
system/dev/dn-server/services/nextcloud.nix
View file

@ -1,19 +1,156 @@
{ config, ... }:
{
config,
pkgs,
lib,
...
}:
let
inherit (lib) mkIf mkDefault mkAfter;
inherit (config.sops) secrets;
spreedCfg = config.services.nextcloud-spreed-signaling;
nextcloudCfg = config.services.nextcloud;
turnDomain = "coturn.dnywe.com";
domain = "net.dn";
in
{
sops.secrets = {
"nextcloud/smtpPassword" = {
owner = "nextcloud";
group = "nextcloud";
};
"nextcloud/adminPassword" = { };
"nextcloud/whiteboard" = {
owner = "nextcloud";
};
"nextcloud/spreed/turnPassword" = {
key = "netbird/coturn/password";
owner = spreedCfg.user;
};
"nextcloud/spreed/turnSecret" = {
key = "netbird/oidc/secret";
owner = spreedCfg.user;
};
"nextcloud/spreed/hashkey" = {
owner = spreedCfg.user;
};
"nextcloud/spreed/blockkey" = {
owner = spreedCfg.user;
};
"nextcloud/spreed/internalsecret" = {
owner = spreedCfg.user;
};
"nextcloud/spreed/backendsecret" = {
owner = spreedCfg.user;
};
};
imports = [
(import ../../../modules/nextcloud.nix {
hostname = "nextcloud.net.dn";
adminpassFile = config.sops.secrets."nextcloud/adminPassword".path;
hostname = "nextcloud.${domain}";
adminpassFile = secrets."nextcloud/adminPassword".path;
trusted-proxies = [ "10.0.0.0/24" ];
whiteboardSecrets = [
config.sops.secrets."nextcloud/whiteboard".path
secrets."nextcloud/whiteboard".path
];
})
];
services.nextcloud = {
extraApps = {
inherit (config.services.nextcloud.package.packages.apps) music;
inherit (config.services.nextcloud.package.packages.apps) music spreed;
user_migration = pkgs.fetchNextcloudApp {
url = "https://github.com/nextcloud-releases/user_migration/releases/download/v9.0.0/user_migration-v9.0.0.tar.gz";
sha256 = "sha256-WiEEAazuj8kh5o+URs22uoNWANXcXQYLTaoABMU6rFo=";
license = "agpl3Plus";
};
cospend = pkgs.fetchNextcloudApp {
url = "https://github.com/julien-nc/cospend-nc/releases/download/v3.2.0/cospend-3.2.0.tar.gz";
sha256 = "sha256-mclcZDNmvpYX/2q7azyiTLSCiTYvk7ILeqtb/8+0ADQ=";
license = "agpl3Plus";
};
};
appstoreEnable = false;
settings = {
mail_smtpauth = true;
mail_smtphost = "mx1.${domain}";
mail_smtpname = "nextcloud";
mail_smtpmode = "smtp";
mail_smtpauthtype = "LOGIN";
mail_domain = "net.dn";
mail_smtpport = 465;
mail_smtpsecure = "ssl";
mail_from_address = "nextcloud";
};
secrets = {
mail_smtppassword = secrets."nextcloud/smtpPassword".path;
};
};
# ==== Nextcloud Talk ==== #
services.nextcloud-spreed-signaling = {
enable = true;
configureNginx = true;
hostName = "talk.${domain}";
backends.default = {
urls = [ "https://${nextcloudCfg.hostName}" ];
secretFile = secrets."nextcloud/spreed/backendsecret".path;
};
settings = {
http.listen = "127.0.0.1:31008";
turn = {
servers = [ "turn:${turnDomain}:3478?transport=udp" ];
secretFile = secrets."nextcloud/spreed/turnPassword".path;
apikeyFile = secrets."nextcloud/spreed/turnSecret".path;
};
clients.internalsecretFile = secrets."nextcloud/spreed/internalsecret".path;
sessions = {
hashkeyFile = secrets."nextcloud/spreed/hashkey".path;
blockkeyFile = secrets."nextcloud/spreed/blockkey".path;
};
nats.url = [ "nats://127.0.0.1:4222" ];
};
};
services.nats = mkIf nextcloudCfg.enable {
enable = true;
settings = {
host = "127.0.0.1";
};
};
services.nginx.virtualHosts.${spreedCfg.hostName} = {
enableACME = true;
forceSSL = true;
};
# ==== Secruity ==== #
services.fail2ban = {
jails = {
nextcloud.settings = {
backend = "systemd";
journalmatch = "SYSLOG_IDENTIFIER=Nextcloud";
enabled = true;
port = 443;
protocol = "tcp";
filter = "nextcloud";
maxretry = 3;
bantime = 86400;
findtime = 43200;
};
};
};
environment.etc = {
"fail2ban/filter.d/nextcloud.local".text = mkDefault (mkAfter ''
[Definition]
failregex = ^.*"remoteAddr":"(?P<host><HOST>)".*"message":"Login failed:
^.*"remoteAddr":"(?P<host><HOST>)".*"message":"Two-factor challenge failed:
^.*"remoteAddr":"(?P<host><HOST>)".*"message":"Trusted domain error
'');
};
}

29
system/dev/dn-server/sops/secret.yaml
View file

File diff suppressed because one or more lines are too long

4
system/dev/dn-server/sops/sops-conf.nix
View file

@ -5,10 +5,6 @@ in
{
sops.secrets = {
"wireguard/privateKey" = { };
"nextcloud/adminPassword" = { };
"nextcloud/whiteboard" = {
owner = "nextcloud";
};
"step_ca/password" = { };
vaultwarden = { };
"oauth/password" = { };

8
system/dev/skydrive-lap/default.nix
View file

@ -10,11 +10,11 @@ in
systemConf = {
inherit hostname username;
domain = "net.dn";
hyprland.enable = true;
# hyprland.enable = true;
niri.enable = true;
face = pkgs.fetchurl {
url = "https://files.net.dn/skydrive.jpg";
url = "https://git.dnywe.com/dachxy/skydrive-avatar/raw/branch/main/skydrive.jpg";
hash = "sha256-aMjl6VL1Zy+r3ElfFyhFOlJKWn42JOnAFfBXF+GPB/Q=";
curlOpts = "-k";
};
};
@ -22,9 +22,9 @@ in
../../modules/presets/basic.nix
./common
./games
./services
./sops
./utility
./network
];
users.users.root.openssh.authorizedKeys.keys = [

6
system/dev/skydrive-lap/network/default.nix Normal file
View file

@ -0,0 +1,6 @@
{ ... }:
{
imports = [
./netbird.nix
];
}

17
system/dev/skydrive-lap/network/netbird.nix Normal file
View file

@ -0,0 +1,17 @@
{ self, ... }:
let
serverCfg = self.nixosConfigurations.dn-server.config;
domain = serverCfg.services.netbird.server.domain;
in
{
services.netbird = {
clients.wt0 = {
openFirewall = true;
autoStart = true;
port = 51820;
environment = {
NB_MANAGEMENT_URL = "https://${domain}";
};
};
};
}

5
system/dev/skydrive-lap/services/default.nix
View file

@ -1,5 +0,0 @@
{
imports = [
./wireguard.nix
];
}

5
system/dev/skydrive-lap/services/wireguard.nix
View file

@ -1,5 +0,0 @@
{
imports = [
../../../modules/wireguard.nix
];
}

4
system/modules/actual/default.nix
View file

@ -39,7 +39,7 @@ in
forceSSL = true;
locations."/api/".proxyPass =
"http://localhost:${toString config.services.actual-budget-api.listenPort}/";
locations."/".proxyPass = "http://localhost:${toString config.services.actual.settings.port}";
"http://127.0.0.1:${toString config.services.actual-budget-api.listenPort}/";
locations."/".proxyPass = "http://127.0.0.1:${toString config.services.actual.settings.port}";
};
}

2
system/modules/cockpit.nix
View file

@ -28,6 +28,6 @@ in
services.nginx.virtualHosts."${domain}" = mkIf enableNginx {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:${toString config.services.cockpit.port}";
locations."/".proxyPass = "http://127.0.0.1:${toString config.services.cockpit.port}";
};
}

6
system/modules/docmost.nix
View file

@ -46,10 +46,10 @@ in
if (fqdn != null) then
"${if https then "https" else "http"}://${fqdn}"
else
"http://localhost:${toString port}"
"http://127.0.0.1:${toString port}"
}";
DATABASE_URL = "postgresql://docmost@docmost?schema=public&host=/var/run/postgresql";
REDIS_URL = "redis://localhost:${toString config.services.redis.servers.docmost.port}";
REDIS_URL = "redis://127.0.0.1:${toString config.services.redis.servers.docmost.port}";
}
// extraConf
);
@ -77,7 +77,7 @@ in
enableACME = lib.mkIf https true;
forceSSL = lib.mkIf https true;
locations."/" = {
proxyPass = "http://localhost:${toString port}";
proxyPass = "http://127.0.0.1:${toString port}";
proxyWebsockets = true;
};
};

4
system/modules/fail2ban.nix
View file

@ -1,5 +1,5 @@
{
extreAllowList ? [ ],
extraAllowList ? [ ],
...
}:
{
@ -9,7 +9,7 @@
ignoreIP = [
"192.168.0.0/16"
]
++ extreAllowList;
++ extraAllowList;
bantime = "24h";
bantime-increment = {
enable = true;

2
system/modules/gc.nix
View file

@ -11,7 +11,7 @@
optimise.automatic = true;
gc = {
automatic = true;
dates = [ "03:15" ];
dates = "weekly";
options = "--delete-older-than 7d";
};
};

31
system/modules/netbird-client.nix Normal file
View file

@ -0,0 +1,31 @@
{
self,
config,
...
}:
let
serverCfg = self.nixosConfigurations.dn-server.config;
cfg = config.services.netbird;
domain = serverCfg.services.netbird.server.domain;
in
{
sops.secrets."netbird/wt0-setupKey" = {
owner = cfg.clients.wt0.user.name;
mode = "400";
};
services.netbird = {
clients.wt0 = {
openFirewall = true;
autoStart = true;
port = 51820;
environment = {
NB_MANAGEMENT_URL = "https://${domain}";
};
login = {
enable = true;
setupKeyFile = config.sops.secrets."netbird/wt0-setupKey".path;
};
};
};
}

123
system/modules/netbird-server.nix Normal file
View file

@ -0,0 +1,123 @@
{
domain,
oidcURL,
vDomain ? null,
enableNginx ? false,
oidcType ? "keycloak",
realm ? "netbird",
}:
{
lib,
config,
...
}:
let
inherit (lib) mkIf mkForce;
inherit (config.sops) secrets;
cfg = config.services.netbird;
srv = cfg.server;
dnsDomain = if vDomain == null then domain else vDomain;
in
{
sops.secrets = {
"netbird/oidc/secret" = { };
"netbird/turn/secret" = {
key = "netbird/oidc/secret";
};
"netbird/turn/password" = {
key = "netbird/coturn/password";
};
"netbird/coturn/password" = mkIf config.services.netbird.server.coturn.enable {
owner = "turnserver";
};
"netbird/dataStoreKey" = { };
};
services.postgresql = {
enable = true;
ensureDatabases = [ "netbird" ];
ensureUsers = [
{
name = "netbird";
ensureDBOwnership = true;
}
];
};
systemd.services.netbird-management.environment = {
NETBIRD_STORE_ENGINE_POSTGRES_DSN = "host=/var/run/postgresql user=netbird dbname=netbird";
};
services.netbird = {
ui.enable = true;
server = {
inherit domain enableNginx;
enable = true;
# ==== Signal ==== #
signal.enable = true;
# ==== Management ==== #
management = {
inherit dnsDomain;
# === turn === #
oidcConfigEndpoint = "${oidcURL}/realms/${realm}/.well-known/openid-configuration";
settings = {
StoreConfig.Engine = "postgres";
DataStoreEncryptionKey = {
_secret = secrets."netbird/dataStoreKey".path;
};
TURNConfig = {
Secret._secret = secrets."netbird/turn/secret".path;
Turns = mkForce [
{
Proto = "udp";
URI = "turn:${srv.management.turnDomain}:3478";
Username = "netbird";
Password._secret = secrets."netbird/turn/password".path;
}
];
};
IdpManagerConfig = {
ManagerType = oidcType;
ClientConfig = {
TokenEndpoint = "${oidcURL}/realms/${realm}/protocol/openid-connect/token";
ClientID = "netbird-backend";
ClientSecret = {
_secret = secrets."netbird/oidc/secret".path;
};
};
ExtraConfig = {
AdminEndpoint = "${oidcURL}/admin/realms/${realm}";
};
};
DeviceAuthorizationFlow.ProviderConfig = {
Audience = "netbird-client";
ClientID = "netbird-client";
};
PKCEAuthorizationFlow.ProviderConfig = {
Audience = "netbird-client";
ClientID = "netbird-client";
};
};
};
# ==== Dashboard ==== #
dashboard.settings = {
AUTH_AUTHORITY = "${oidcURL}/realms/${realm}";
AUTH_CLIENT_ID = "netbird-client";
AUTH_AUDIENCE = "netbird-client";
AUTH_SUPPORTED_SCOPES = "openid profile email offline_access api";
};
# ==== Coturn (STUN/TURN) ==== #
coturn = {
enable = true;
passwordFile = secrets."netbird/coturn/password".path;
useAcmeCertificates = enableNginx;
};
};
};
}

38
system/modules/nextcloud.nix
View file

@ -47,10 +47,42 @@ in
];
};
systemd.services."phpfpm-nextcloud".postStart = mkIf config.services.nextcloud.enable ''
${config.services.nextcloud.occ}/bin/nextcloud-occ config:app:set recognize node_binary --value '${lib.getExe pkgs.nodejs_22}'
${config.services.nextcloud.occ}/bin/nextcloud-occ config:app:set recognize tensorflow.purejs --value 'true'
systemd.services.nextcloud-config-recognize =
let
inherit (config.services.nextcloud) occ;
in
{
wantedBy = [ "multi-user.target" ];
after = [
"nextcloud-setup.service"
];
script = ''
${occ}/bin/nextcloud-occ config:app:set recognize node_binary --value '${lib.getExe pkgs.nodejs_22}'
${occ}/bin/nextcloud-occ config:app:set recognize tensorflow.purejs --value 'true'
'';
serviceConfig = {
Type = "oneshot";
};
};
# Disable Other login method for nextcloud
# Admin can login through adding `?direct=1` to url param
systemd.services.nextcloud-config-oidc =
let
inherit (config.services.nextcloud) occ;
in
{
wantedBy = [ "multi-user.target" ];
after = [
"nextcloud-setup.service"
];
script = ''
${occ}/bin/nextcloud-occ config:app:set --type=string --value=0 user_oidc allow_multiple_user_backends
'';
serviceConfig = {
Type = "oneshot";
};
};
services.nextcloud = {
enable = true;

2
system/modules/paperless-ngx.nix
View file

@ -31,6 +31,6 @@ in
services.nginx.virtualHosts."${domain}" = mkIf configureNginx {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://localhost:${toString config.services.paperless.port}";
locations."/".proxyPass = "http://127.0.0.1:${toString config.services.paperless.port}";
};
}

9
system/modules/presets/minimal.nix
View file

@ -1,4 +1,7 @@
{ ... }:
{ lib, ... }:
let
inherit (lib) mkForce;
in
{
imports = [
../environment.nix
@ -18,5 +21,9 @@
../sops-nix.nix
../gc.nix
../security.nix
../systemd-resolv.nix
];
# Disable man cache
documentation.man.generateCaches = mkForce false;
}

4
system/modules/prometheus.nix
View file

@ -33,7 +33,7 @@ in
job_name = "master-server";
static_configs = [
(optionalAttrs selfMonitor {
targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
})
];
}
@ -47,7 +47,7 @@ in
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.prometheus.port}";
proxyPass = "http://127.0.0.1:${toString config.services.prometheus.port}";
};
};
}

3
system/modules/secure-boot.nix
View file

@ -8,7 +8,8 @@
loader.systemd-boot.enable = lib.mkForce false;
lanzaboote = {
enable = true;
pkiBundle = "/var/lib/sbctl/";
autoGenerateKeys.enable = true;
pkiBundle = "/var/lib/sbctl";
};
};
}

2
system/modules/services.nix
View file

@ -27,7 +27,7 @@ in
ports = [ 22 ];
settings = {
PasswordAuthentication = lib.mkDefault false;
AllowUsers = lib.mkDefault [ username ];
AllowUsers = [ username ];
UseDns = lib.mkDefault false;
PermitRootLogin = lib.mkDefault "no";
};

16
system/modules/shells/noctalia/default.nix
View file

@ -65,6 +65,14 @@ in
};
calendar = {
cards = [
{
enabled = true;
id = "banner-card";
}
{
enabled = true;
id = "calendar-card";
}
{
enabled = true;
id = "timer-card";
@ -73,14 +81,6 @@ in
enabled = true;
id = "weather-card";
}
{
enabled = true;
id = "calendar-header-card";
}
{
enabled = true;
id = "calendar-month-card";
}
];
};
changelog = {

17
system/modules/systemd-resolv.nix Normal file
View file

@ -0,0 +1,17 @@
{ ... }:
{
networking.nameservers = [
"1.1.1.1#one.one.one.one"
"1.0.0.1#one.one.one.one"
];
services.resolved = {
enable = true;
llmnr = "false";
fallbackDns = [
"1.1.1.1#one.one.one.one"
"1.0.0.1#one.one.one.one"
];
domains = [ "~." ];
};
}

2
system/modules/vaultwarden.nix
View file

@ -34,7 +34,7 @@
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
proxyWebsockets = true;
};
};

16
system/modules/wireguard.nix
View file

@ -22,8 +22,8 @@ let
watchDog = pkgs.writeShellScriptBin "wg0-watchdog" ''
TARGET_CONF="$1"
PING_INTERVAL=1
PING_TIMEOUT=1
PING_INTERVAL=10
PING_TIMEOUT=10
PING_COUNT=1
set -euo pipefail
@ -37,7 +37,7 @@ let
notify() {
users=$(loginctl list-users --json=short | jq -r '.[].user')
for user in $users; do
systemctl --machine=danny@.host --user start wg0-notify-user
systemctl --machine="$user@.host" --user start wg0-notify-user
done
}
@ -46,13 +46,11 @@ let
}
check_health() {
ping -c "$PING_COUNT" -W "$PING_TIMEOUT" $1 >/dev/null 2>&1
return $?
ping -c "$PING_COUNT" -W "$PING_TIMEOUT" "$1" >/dev/null 2>&1
}
is_wg_active() {
systemctl is-active wg-quick-wg0.service >/dev/null 2>&1
return $?
}
start_wg() {
@ -105,15 +103,17 @@ in
};
systemd.services.wg0-watchdog = {
wantedBy = [ "wg-quick-wg0.service" ];
after = [ "wg-quick-wg0.service" ];
wantedBy = [ "multi-user.target" ];
path = with pkgs; [
jq
iputils
];
serviceConfig = {
ExecStart = "${getExe watchDog} \"${config.sops.secrets."wireguard/wg0.conf".path}\"";
RestartSec = 5;
TimeoutStopSec = 0;
CapabilityBoundingSet = "CAP_NET_RAW";
AmbientCapabilities = "CAP_NET_RAW";
};
};