Update to NixOS 24.05

This commit is contained in:
coolneng 2024-07-16 18:05:48 +02:00
parent 3e87eec0eb
commit 8a901e7871
Signed by: coolneng
GPG Key ID: 9893DA236405AF57
7 changed files with 106 additions and 51 deletions


@ -1,4 +1,10 @@
{ config, inputs, pkgs, lib, ... }: {
config,
inputs,
pkgs,
lib,
...
}:
with pkgs; with pkgs;
@ -28,7 +34,10 @@ with pkgs;
users.users.coolneng = { users.users.coolneng = {
isNormalUser = true; isNormalUser = true;
home = "/home/coolneng"; home = "/home/coolneng";
extraGroups = [ "wheel" "docker" ]; extraGroups = [
"wheel"
"docker"
];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
# panacea # panacea
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW coolneng@panacea" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRqINHR7/zc+c3/PuR+NeSsBHXXzBiEtFWSK6QaxQTW coolneng@panacea"
@ -64,7 +73,10 @@ with pkgs;
nix = { nix = {
settings = { settings = {
auto-optimise-store = true; auto-optimise-store = true;
experimental-features = [ "nix-command" "flakes" ]; experimental-features = [
"nix-command"
"flakes"
];
}; };
gc = { gc = {
automatic = true; automatic = true;
@ -79,8 +91,14 @@ with pkgs;
}; };
# Use same version of nixpkgs for nix-shell # Use same version of nixpkgs for nix-shell
nix.nixPath = let path = toString ./.; nix.nixPath =
in [ "nixpkgs=${inputs.nixpkgs}" "nixos-config=${path}/configuration.nix" ]; let
path = toString ./.;
in
[
"nixpkgs=${inputs.nixpkgs}"
"nixos-config=${path}/configuration.nix"
];
# Configure fish shell # Configure fish shell
programs.fish.enable = true; programs.fish.enable = true;
@ -158,11 +176,6 @@ with pkgs;
owner = "mosquitto"; owner = "mosquitto";
group = "mosquitto"; group = "mosquitto";
}; };
secrets.nightscout = {
file = secrets/nightscout.age;
owner = "coolneng";
group = "podman";
};
secrets.facebook = { secrets.facebook = {
file = secrets/facebook.age; file = secrets/facebook.age;
owner = "matrix-as-facebook"; owner = "matrix-as-facebook";
@ -180,8 +193,10 @@ with pkgs;
system.autoUpgrade = { system.autoUpgrade = {
enable = true; enable = true;
flake = "/home/coolneng/system"; flake = "/home/coolneng/system";
flags = flags = [
[ "--update-input agenix --update-input nixpkgs" "--commit-lock-file" ]; "--update-input agenix --update-input nixpkgs"
"--commit-lock-file"
];
}; };
# Limit the memory and CPU use of Nix # Limit the memory and CPU use of Nix
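Review bot: `extraGroups = [ "wheel" "docker" ]` in the `users.users.coolneng` hunk keeps the user in the `docker` group, which is root-equivalent wherever a Docker daemon socket is reachable; the third file of this commit is headed "Podman setup", so if no Docker daemon runs on this host the group looks stale and should be dropped, and if one does, the membership deserves a comment stating it is intentional, e.g. `# docker group is root-equivalent via the daemon socket; kept for <REASON>`. The `secrets.nightscout` block is removed here, but the `secrets/nightscout.age` file it referenced and its entry in the agenix recipient list are not part of this diff; if they still exist they are now orphaned and should go too. In `system.autoUpgrade.flags`, the reformatted list still carries `"--update-input agenix --update-input nixpkgs"` as a single element, which appears to work only because the module joins the list with spaces before the shell word-splits it; separate elements (`"--update-input" "agenix" "--update-input" "nixpkgs"`) would be clearer.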


@ -2,7 +2,7 @@
description = "System configuration for zion"; description = "System configuration for zion";
inputs = { inputs = {
nixpkgs.url = "nixpkgs/nixos-23.11"; nixpkgs.url = "nixpkgs/nixos-24.05";
nixpkgs-unstable.url = "nixpkgs/nixos-unstable"; nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
agenix = { agenix = {
url = "github:ryantm/agenix"; url = "github:ryantm/agenix";


@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }: {
config,
lib,
pkgs,
...
}:
{ {
# Podman setup # Podman setup
@ -15,8 +20,7 @@
containers = { containers = {
# Openbooks configuration # Openbooks configuration
openbooks = { openbooks = {
image = image = "evanbuss/openbooks@sha256:16609c3da954715f8f98b5de6c838146914ae700b2a700b4d9aad8b23c9217da";
"evanbuss/openbooks@sha256:16609c3da954715f8f98b5de6c838146914ae700b2a700b4d9aad8b23c9217da";
ports = [ "127.0.0.1:9000:80" ]; ports = [ "127.0.0.1:9000:80" ];
cmd = [ cmd = [
"--name" "--name"
@ -30,8 +34,7 @@
}; };
# Prometheus MQTT integration # Prometheus MQTT integration
mqtt2prometheus = { mqtt2prometheus = {
image = image = "hikhvar/mqtt2prometheus@sha256:ad133b8cef2d82c5573864598b1c8361753adc7e4ac53da28bc9b6afdf05aeaf";
"hikhvar/mqtt2prometheus@sha256:ad133b8cef2d82c5573864598b1c8361753adc7e4ac53da28bc9b6afdf05aeaf";
ports = [ "127.0.0.1:9641:9641" ]; ports = [ "127.0.0.1:9641:9641" ];
volumes = [ "/vault/mqtt2prometheus/config.yaml:/config.yaml" ]; volumes = [ "/vault/mqtt2prometheus/config.yaml:/config.yaml" ];
}; };
@ -68,4 +71,5 @@
[ /vault/mongodb ]; [ /vault/mongodb ];
systemd.services.podman-mqtt2prometheus.unitConfig.RequiresMountsFor = systemd.services.podman-mqtt2prometheus.unitConfig.RequiresMountsFor =
[ /vault/mqtt2prometheus ]; [ /vault/mqtt2prometheus ];
systemd.services.podman-mqtt2prometheus.unitConfig.RequiresMountsFor = [ /vault/mqtt2prometheus ];
} }
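Review bot: As rendered, the new side of the last hunk defines `systemd.services.podman-mqtt2prometheus.unitConfig.RequiresMountsFor` twice — the existing two-line form survives as context and a one-line `systemd.services.podman-mqtt2prometheus.unitConfig.RequiresMountsFor = [ /vault/mqtt2prometheus ];` is added beneath it; Nix reports a duplicate attribute path in the same attribute set as an evaluation error, so one of the two must be deleted (keeping the single-line form matches the rest of the reformatting). If the duplication is only an artefact of the page rendering, disregard this. The digest-pinned images on the `openbooks` and `mqtt2prometheus` entries are good practice; a comment next to each naming the tag the digest corresponds to would let the pin be refreshed deliberately rather than guessed at.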


@ -1,4 +1,10 @@
{ config, pkgs, lib, ... }: { {
config,
pkgs,
lib,
...
}:
{
# Syncthing configuration # Syncthing configuration
services.syncthing = { services.syncthing = {
@ -13,38 +19,48 @@
progressUpdateIntervalS = -1; progressUpdateIntervalS = -1;
}; };
devices = { devices = {
panacea.id = panacea.id = "VEGVHKF-P4FT3BD-4T3ML7J-65URQOU-3XKNMI5-6LGWSCI-BIQZOUE-RKQ6PQX";
"VEGVHKF-P4FT3BD-4T3ML7J-65URQOU-3XKNMI5-6LGWSCI-BIQZOUE-RKQ6PQX"; caravanserai.id = "WETYK5O-DNMS75S-XJ76CZH-Z6JBQDX-YXLJ7AA-5PLZ4DI-HA6QNDI-BFUU7QM";
caravanserai.id =
"MIRF73R-S7AV47R-VLWZUK2-TFCVQPV-FRYCPND-Y4VR3W2-ZAIQXZD-JAEQCAD";
}; };
folders = { folders = {
Documents = { Documents = {
id = "wusdj-bfjkr"; id = "wusdj-bfjkr";
type = "receiveonly"; type = "receiveonly";
path = "/vault/syncthing/Documents"; path = "/vault/syncthing/Documents";
devices = [ "panacea" "caravanserai" ]; devices = [
"panacea"
"caravanserai"
];
}; };
Notes = { Notes = {
id = "kafhz-bfmzm"; id = "kafhz-bfmzm";
type = "receiveonly"; type = "receiveonly";
path = "/vault/syncthing/Notes"; path = "/vault/syncthing/Notes";
devices = [ "panacea" "caravanserai" ]; devices = [
"panacea"
"caravanserai"
];
}; };
Music = { Music = {
id = "2aqt7-vpprc"; id = "2aqt7-vpprc";
type = "receiveonly"; type = "receiveonly";
path = "/vault/syncthing/Music"; path = "/vault/syncthing/Music";
devices = [ "panacea" "caravanserai" ]; devices = [
"panacea"
"caravanserai"
];
}; };
Photos = { Photos = {
id = "mjibc-ustcg"; id = "mjibc-ustcg";
type = "receiveonly"; type = "receiveonly";
path = "/vault/syncthing/Photos"; path = "/vault/syncthing/Photos";
devices = [ "panacea" "caravanserai" ]; devices = [
"panacea"
"caravanserai"
];
}; };
Projects = { Projects = {
@ -58,28 +74,40 @@
id = "m2007j20cg_vc7r-photos"; id = "m2007j20cg_vc7r-photos";
type = "receiveonly"; type = "receiveonly";
path = "/vault/syncthing/Photos/Phone"; path = "/vault/syncthing/Photos/Phone";
devices = [ "panacea" "caravanserai" ]; devices = [
"panacea"
"caravanserai"
];
}; };
Files = { Files = {
id = "tsk52-u6rbk"; id = "tsk52-u6rbk";
type = "receiveonly"; type = "receiveonly";
path = "/vault/syncthing/Files"; path = "/vault/syncthing/Files";
devices = [ "panacea" "caravanserai" ]; devices = [
"panacea"
"caravanserai"
];
}; };
Phone-screenshots = { Phone-screenshots = {
id = "pp70r-pbr70"; id = "pp70r-pbr70";
type = "receiveonly"; type = "receiveonly";
path = "/vault/syncthing/Photos/Phone-screenshots"; path = "/vault/syncthing/Photos/Phone-screenshots";
devices = [ "panacea" "caravanserai" ]; devices = [
"panacea"
"caravanserai"
];
}; };
Audio = { Audio = {
id = "tarrs-5mxck"; id = "tarrs-5mxck";
type = "receiveonly"; type = "receiveonly";
path = "/vault/syncthing/Audio"; path = "/vault/syncthing/Audio";
devices = [ "panacea" "caravanserai" ]; devices = [
"panacea"
"caravanserai"
];
}; };
}; };
}; };
@ -111,8 +139,7 @@
}; };
# Start services after ZFS mount # Start services after ZFS mount
systemd.services.syncthing.unitConfig.RequiresMountsFor = systemd.services.syncthing.unitConfig.RequiresMountsFor = [ /vault/syncthing ];
[ /vault/syncthing ];
systemd.services.radicale.unitConfig.RequiresMountsFor = [ /vault/radicale ]; systemd.services.radicale.unitConfig.RequiresMountsFor = [ /vault/radicale ];
} }
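Review bot: The `caravanserai.id` value in the `devices` hunk changes to a new Syncthing device ID, and the WireGuard `PublicKey` of the same peer changes in the networking file of this commit, yet the title "Update to NixOS 24.05" gives no hint that a peer was re-keyed; unrelated credential changes are far easier to audit later when they are a separate commit or at least named in the message. A short comment above the entry, e.g. `# caravanserai re-provisioned <DATE>; previous device ID retired`, would record why the old ID disappeared. It is not visible here whether `overrideDevices`/`overrideFolders` are set, so the retired device may linger in Syncthing's runtime configuration on this host until removed — worth confirming after deploy.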


@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }: {
config,
lib,
pkgs,
...
}:
{ {
# Miniflux configuration # Miniflux configuration
@ -7,8 +12,7 @@
adminCredentialsFile = config.age.secrets.miniflux.path; adminCredentialsFile = config.age.secrets.miniflux.path;
config = { config = {
BASE_URL = "https://rss.coolneng.duckdns.org"; BASE_URL = "https://rss.coolneng.duckdns.org";
RUN_MIGRATIONS = "1"; DISABLE_HSTS = 1;
DISABLE_HSTS = "1";
}; };
}; };
@ -23,7 +27,7 @@
"pm" = "ondemand"; "pm" = "ondemand";
"pm.max_children " = 4; "pm.max_children " = 4;
"pm.max_requests" = 32; "pm.max_requests" = 32;
"env[WALLABAG_DATA]" = "/var/lib/wallabag"; "env[WALLABAG_DATA]" = config.environment.variables.WALLABAG_DATA;
}; };
phpEnv."PATH" = lib.makeBinPath [ pkgs.php ]; phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
}; };
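Review bot: `DISABLE_HSTS = 1` in the Miniflux `config` hunk turns off the application's Strict-Transport-Security header while `BASE_URL` is an `https://` origin; that is only safe if the TLS-terminating nginx in front of it (the last file in this commit) sends the header itself, and nothing visible here shows that. Either let Miniflux keep HSTS or add a comment such as `# HSTS header is sent by nginx, not by miniflux` once that has been confirmed. Not changed by this commit but on the new side: the php-fpm key `"pm.max_children "` carries a trailing space; if the FPM ini parser does not trim it the limit is silently ignored, so it should read `"pm.max_children"`.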


@ -1,8 +1,15 @@
{ config, pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
let wireguard_port = 1194; let
wireguard_port = 1194;
in { in
{
# Enable systemd-networkd # Enable systemd-networkd
networking = { networking = {
hostName = "zion"; hostName = "zion";
@ -19,7 +26,10 @@ in {
matchConfig.Name = "end0"; matchConfig.Name = "end0";
address = [ "192.168.13.2/24" ]; address = [ "192.168.13.2/24" ];
gateway = [ "192.168.13.1" ]; gateway = [ "192.168.13.1" ];
dns = [ "1.1.1.1" "9.9.9.9" ]; dns = [
"1.1.1.1"
"9.9.9.9"
];
networkConfig.DNSSEC = "no"; networkConfig.DNSSEC = "no";
}; };
@ -76,7 +86,7 @@ in {
# caravanserai # caravanserai
{ {
wireguardPeerConfig = { wireguardPeerConfig = {
PublicKey = "eeKfAgMisM3K4ZOErev05RJ9LS2NLqL4x9jyi4XhM1Q="; PublicKey = "mCsTj09H7lfDDs8vMQkJOlItHtHQ6MPUyfGO5ZjBbVs=";
AllowedIPs = [ "10.8.0.3/32" ]; AllowedIPs = [ "10.8.0.3/32" ];
}; };
} }
@ -121,15 +131,11 @@ in {
settings = { settings = {
listen_addresses = [ "127.0.0.1:43" ]; listen_addresses = [ "127.0.0.1:43" ];
sources.public-resolvers = { sources.public-resolvers = {
urls = [ urls = [ "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md" ];
"https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
];
cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md"; cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
minisign_key = minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
"RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
}; };
blocked_names.blocked_names_file = blocked_names.blocked_names_file = "/var/lib/dnscrypt-proxy/blocklist.txt";
"/var/lib/dnscrypt-proxy/blocklist.txt";
}; };
}; };
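Review bot: In the `end0` network hunk the link still hands the host plaintext resolvers `1.1.1.1`/`9.9.9.9` with `networkConfig.DNSSEC = "no"`, while the dnscrypt-proxy hunk further down configures an encrypted resolver listening on `127.0.0.1:43`; if that listener is meant to serve the host's own lookups, these `dns` entries bypass it, and if they are deliberate fallbacks a comment saying so (`# plain upstreams; the local dnscrypt-proxy on :43 is used by <CONSUMER>`) would settle the question for the next reader. The non-standard port 43 also deserves a comment naming what forwards to it, since nothing in this file shows a consumer. The `PublicKey` rotation for the `caravanserai` peer is covered by the note on the Syncthing file.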


@ -5,10 +5,9 @@
services.nginx = { services.nginx = {
enable = true; enable = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
recommendedGzipSettings = true; recommendedZstdSettings = true;
recommendedProxySettings = true; recommendedProxySettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedBrotliSettings = true;
clientMaxBodySize = "0"; clientMaxBodySize = "0";
sslCiphers = sslCiphers =
"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128"; "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
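Review bot: The explicit `sslCiphers` string kept on the new side is self-contradictory and partly weak: its trailing `!AES128` removes every AES128 suite listed earlier in the same string, and what remains still includes CBC-mode (`…-AES256-SHA`, `…-AES256-SHA384`) and `DHE-DSS` suites. Since TLS 1.3 suites are not governed by this directive anyway, an AEAD-only list (constructed example: `sslCiphers = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";`) or simply dropping the option in favour of the module's default would be clearer and easier to audit. The swap from `recommendedGzipSettings` to `recommendedZstdSettings` (with `recommendedBrotliSettings` dropped) keeps response compression enabled for proxied dynamic content, so it inherits the usual caveat that compressed TLS responses mixing secrets with request-influenced input should be avoided; a one-line comment noting that this was considered would help.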