diff --git a/configuration.nix b/configuration.nix index f5e39e1..6e81eaf 100644 --- a/configuration.nix +++ b/configuration.nix @@ -1,4 +1,10 @@ -{ config, inputs, pkgs, lib, ... }: +{ + config, + inputs, + pkgs, + lib, + ... +}: with pkgs; @@ -28,7 +34,10 @@ with pkgs; users.users.coolneng = { isNormalUser = true; home = "/home/coolneng"; - extraGroups = [ "wheel" "docker" ]; + extraGroups = [ + "wheel" + "docker" + ]; openssh.authorizedKeys.keys = [ # panacea "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW coolneng@panacea" @@ -64,7 +73,10 @@ with pkgs; nix = { settings = { auto-optimise-store = true; - experimental-features = [ "nix-command" "flakes" ]; + experimental-features = [ + "nix-command" + "flakes" + ]; }; gc = { automatic = true; @@ -79,8 +91,14 @@ with pkgs; }; # Use same version of nixpkgs for nix-shell - nix.nixPath = let path = toString ./.; - in [ "nixpkgs=${inputs.nixpkgs}" "nixos-config=${path}/configuration.nix" ]; + nix.nixPath = + let + path = toString ./.; + in + [ + "nixpkgs=${inputs.nixpkgs}" + "nixos-config=${path}/configuration.nix" + ]; # Configure fish shell programs.fish.enable = true; @@ -158,11 +176,6 @@ with pkgs; owner = "mosquitto"; group = "mosquitto"; }; - secrets.nightscout = { - file = secrets/nightscout.age; - owner = "coolneng"; - group = "podman"; - }; secrets.facebook = { file = secrets/facebook.age; owner = "matrix-as-facebook"; @@ -180,8 +193,10 @@ with pkgs; system.autoUpgrade = { enable = true; flake = "/home/coolneng/system"; - flags = - [ "--update-input agenix --update-input nixpkgs" "--commit-lock-file" ]; + flags = [ + "--update-input agenix --update-input nixpkgs" + "--commit-lock-file" + ]; }; # Limit the memory and CPU use of Nix diff --git a/flake.nix b/flake.nix index 59a7ec6..dda7d93 100644 --- a/flake.nix +++ b/flake.nix @@ -2,7 +2,7 @@ description = "System configuration for zion"; inputs = { - nixpkgs.url = "nixpkgs/nixos-23.11"; + nixpkgs.url = "nixpkgs/nixos-24.05"; nixpkgs-unstable.url = "nixpkgs/nixos-unstable"; agenix = { url = "github:ryantm/agenix"; diff --git a/modules/containers.nix b/modules/containers.nix index 1ff1bf1..00f6d89 100644 --- a/modules/containers.nix +++ b/modules/containers.nix @@ -1,4 +1,9 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: { # Podman setup @@ -15,8 +20,7 @@ containers = { # Openbooks configuration openbooks = { - image = - "evanbuss/openbooks@sha256:16609c3da954715f8f98b5de6c838146914ae700b2a700b4d9aad8b23c9217da"; + image = "evanbuss/openbooks@sha256:16609c3da954715f8f98b5de6c838146914ae700b2a700b4d9aad8b23c9217da"; ports = [ "127.0.0.1:9000:80" ]; cmd = [ "--name" @@ -30,8 +34,7 @@ }; # Prometheus MQTT integration mqtt2prometheus = { - image = - "hikhvar/mqtt2prometheus@sha256:ad133b8cef2d82c5573864598b1c8361753adc7e4ac53da28bc9b6afdf05aeaf"; + image = "hikhvar/mqtt2prometheus@sha256:ad133b8cef2d82c5573864598b1c8361753adc7e4ac53da28bc9b6afdf05aeaf"; ports = [ "127.0.0.1:9641:9641" ]; volumes = [ "/vault/mqtt2prometheus/config.yaml:/config.yaml" ]; }; @@ -68,4 +71,5 @@ [ /vault/mongodb ]; systemd.services.podman-mqtt2prometheus.unitConfig.RequiresMountsFor = [ /vault/mqtt2prometheus ]; + systemd.services.podman-mqtt2prometheus.unitConfig.RequiresMountsFor = [ /vault/mqtt2prometheus ]; } diff --git a/modules/datasync.nix b/modules/datasync.nix index 8381fb4..885d9b1 100644 --- a/modules/datasync.nix +++ b/modules/datasync.nix @@ -1,4 +1,10 @@ -{ config, pkgs, lib, ... }: { +{ + config, + pkgs, + lib, + ... +}: +{ # Syncthing configuration services.syncthing = { @@ -13,38 +19,48 @@ progressUpdateIntervalS = -1; }; devices = { - panacea.id = - "VEGVHKF-P4FT3BD-4T3ML7J-65URQOU-3XKNMI5-6LGWSCI-BIQZOUE-RKQ6PQX"; - caravanserai.id = - "MIRF73R-S7AV47R-VLWZUK2-TFCVQPV-FRYCPND-Y4VR3W2-ZAIQXZD-JAEQCAD"; + panacea.id = "VEGVHKF-P4FT3BD-4T3ML7J-65URQOU-3XKNMI5-6LGWSCI-BIQZOUE-RKQ6PQX"; + caravanserai.id = "WETYK5O-DNMS75S-XJ76CZH-Z6JBQDX-YXLJ7AA-5PLZ4DI-HA6QNDI-BFUU7QM"; }; folders = { Documents = { id = "wusdj-bfjkr"; type = "receiveonly"; path = "/vault/syncthing/Documents"; - devices = [ "panacea" "caravanserai" ]; + devices = [ + "panacea" + "caravanserai" + ]; }; Notes = { id = "kafhz-bfmzm"; type = "receiveonly"; path = "/vault/syncthing/Notes"; - devices = [ "panacea" "caravanserai" ]; + devices = [ + "panacea" + "caravanserai" + ]; }; Music = { id = "2aqt7-vpprc"; type = "receiveonly"; path = "/vault/syncthing/Music"; - devices = [ "panacea" "caravanserai" ]; + devices = [ + "panacea" + "caravanserai" + ]; }; Photos = { id = "mjibc-ustcg"; type = "receiveonly"; path = "/vault/syncthing/Photos"; - devices = [ "panacea" "caravanserai" ]; + devices = [ + "panacea" + "caravanserai" + ]; }; Projects = { @@ -58,28 +74,40 @@ id = "m2007j20cg_vc7r-photos"; type = "receiveonly"; path = "/vault/syncthing/Photos/Phone"; - devices = [ "panacea" "caravanserai" ]; + devices = [ + "panacea" + "caravanserai" + ]; }; Files = { id = "tsk52-u6rbk"; type = "receiveonly"; path = "/vault/syncthing/Files"; - devices = [ "panacea" "caravanserai" ]; + devices = [ + "panacea" + "caravanserai" + ]; }; Phone-screenshots = { id = "pp70r-pbr70"; type = "receiveonly"; path = "/vault/syncthing/Photos/Phone-screenshots"; - devices = [ "panacea" "caravanserai" ]; + devices = [ + "panacea" + "caravanserai" + ]; }; Audio = { id = "tarrs-5mxck"; type = "receiveonly"; path = "/vault/syncthing/Audio"; - devices = [ "panacea" "caravanserai" ]; + devices = [ + "panacea" + "caravanserai" + ]; }; }; }; @@ -111,8 +139,7 @@ }; # Start services after ZFS mount - systemd.services.syncthing.unitConfig.RequiresMountsFor = - [ /vault/syncthing ]; + systemd.services.syncthing.unitConfig.RequiresMountsFor = [ /vault/syncthing ]; systemd.services.radicale.unitConfig.RequiresMountsFor = [ /vault/radicale ]; } diff --git a/modules/information.nix b/modules/information.nix index cd64081..7c95563 100644 --- a/modules/information.nix +++ b/modules/information.nix @@ -1,4 +1,9 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: { # Miniflux configuration @@ -7,8 +12,7 @@ adminCredentialsFile = config.age.secrets.miniflux.path; config = { BASE_URL = "https://rss.coolneng.duckdns.org"; - RUN_MIGRATIONS = "1"; - DISABLE_HSTS = "1"; + DISABLE_HSTS = 1; }; }; @@ -23,7 +27,7 @@ "pm" = "ondemand"; "pm.max_children " = 4; "pm.max_requests" = 32; - "env[WALLABAG_DATA]" = "/var/lib/wallabag"; + "env[WALLABAG_DATA]" = config.environment.variables.WALLABAG_DATA; }; phpEnv."PATH" = lib.makeBinPath [ pkgs.php ]; }; diff --git a/modules/networking.nix b/modules/networking.nix index a8555c5..628abc8 100644 --- a/modules/networking.nix +++ b/modules/networking.nix @@ -1,8 +1,15 @@ -{ config, pkgs, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: -let wireguard_port = 1194; +let + wireguard_port = 1194; -in { +in +{ # Enable systemd-networkd networking = { hostName = "zion"; @@ -19,7 +26,10 @@ in { matchConfig.Name = "end0"; address = [ "192.168.13.2/24" ]; gateway = [ "192.168.13.1" ]; - dns = [ "1.1.1.1" "9.9.9.9" ]; + dns = [ + "1.1.1.1" + "9.9.9.9" + ]; networkConfig.DNSSEC = "no"; }; @@ -76,7 +86,7 @@ in { # caravanserai { wireguardPeerConfig = { - PublicKey = "eeKfAgMisM3K4ZOErev05RJ9LS2NLqL4x9jyi4XhM1Q="; + PublicKey = "mCsTj09H7lfDDs8vMQkJOlItHtHQ6MPUyfGO5ZjBbVs="; AllowedIPs = [ "10.8.0.3/32" ]; }; } @@ -121,15 +131,11 @@ in { settings = { listen_addresses = [ "127.0.0.1:43" ]; sources.public-resolvers = { - urls = [ - "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" - ]; + urls = [ "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" ]; cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md"; - minisign_key = - "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; + minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"; }; - blocked_names.blocked_names_file = - "/var/lib/dnscrypt-proxy/blocklist.txt"; + blocked_names.blocked_names_file = "/var/lib/dnscrypt-proxy/blocklist.txt"; }; }; diff --git a/modules/webstack.nix b/modules/webstack.nix index 76dda20..ae2423c 100644 --- a/modules/webstack.nix +++ b/modules/webstack.nix @@ -5,10 +5,9 @@ services.nginx = { enable = true; recommendedTlsSettings = true; - recommendedGzipSettings = true; + recommendedZstdSettings = true; recommendedProxySettings = true; recommendedOptimisation = true; - recommendedBrotliSettings = true; clientMaxBodySize = "0"; sslCiphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";