From d8024663635fc71cff6496a653e3450f15cabffa Mon Sep 17 00:00:00 2001
From: tootbrute
Date: Thu, 10 Apr 2025 13:45:57 +0800
Subject: [PATCH] first commit
---
 README.md | 33 ++++++
 configuration.nix | 211 ++++++++++++++++++++++++++++++++++++
 hardware-configuration.nix | 62 +++++++++++
 rebuild.sh | 3 +
 services/calibre-web.nix | 26 +++++
 services/fail2ban.nix | 21 ++++
 services/glances.nix | 10 ++
 services/immich.nix | 9 ++
 services/jellyfin.nix | 15 +++
 services/nextcloud-reset.sh | 6 +
 services/nextcloud.nix | 42 +++++++
 services/transmission.nix | 11 ++
 ssh_keys.nix | 1 +
 upgrade.sh | 3 +
 14 files changed, 453 insertions(+)
 create mode 100644 README.md
 create mode 100644 configuration.nix
 create mode 100644 hardware-configuration.nix
 create mode 100755 rebuild.sh
 create mode 100644 services/calibre-web.nix
 create mode 100644 services/fail2ban.nix
 create mode 100644 services/glances.nix
 create mode 100644 services/immich.nix
 create mode 100644 services/jellyfin.nix
 create mode 100755 services/nextcloud-reset.sh
 create mode 100644 services/nextcloud.nix
 create mode 100644 services/transmission.nix
 create mode 100644 ssh_keys.nix
 create mode 100755 upgrade.sh
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..7ace3df
--- /dev/null
+++ b/README.md
@@ -0,0 +1,33 @@
+# NixOS - Knossos
+
+Test system.
+- Learning Nix.Trying to get TSDProxy working so I can have a config I can drop onto any network.
+
+## Goals
+- ZFS root file system
+- Tailscale --> VPS --> domain name
+- Need an auth system
+
+## System Information
+```
+ ▗▄▄▄ ▗▄▄▄▄ ▄▄▄▖ tootbrute@knossos
+ ▜███▙ ▜███▙ ▟███▛ -------------
+ ▜███▙ ▜███▙▟███▛ OS: NixOS 24.11 (Vicuna) x86_64
+ ▜███▙ ▜██████▛ Host: 10115 (IdeaCenter Q190)
+ ▟█████████████████▙ ▜████▛ ▟▙ Kernel: Linux 6.6.84
+ ▟███████████████████▙ ▜███▙ ▟██▙ Uptime: 20 hours, 42 mins
+ ▄▄▄▄▖ ▜███▙ ▟███▛ Packages: 621 (nix-system)
+ ▟███▛ ▜██▛ ▟███▛ Shell: bash 5.2.37
+ ▟███▛ ▜▛ ▟███▛ Terminal: /dev/pts/0
+▟███████████▛ ▟██████████▙ CPU: Intel(R) Core(TM) i3-2365M (4) @ 1.40 GHz
+▜██████████▛ ▟███████████▛ GPU: Intel 2nd Generation Core Processor Family Integrated Graphics Controller @ 1.00 GHz [Integrated]
+ ▟███▛ ▟▙ ▟███▛ Memory: 4.46 GiB / 7.66 GiB (58%)
+ ▟███▛ ▟██▙ ▟███▛ Swap: 0 B / 4.00 GiB (0%)
+ ▟███▛ ▜███▙ ▝▀▀▀▀ Disk (/): 2.00 MiB / 888.65 GiB (0%) - zfs
+ ▜██▛ ▜███▙ ▜██████████████████▛ Local IP (wlp3s0): 192.168.15.218/24
+ ▜▛ ▟████▙ ▜████████████████▛ Locale: en_US.UTF-8
+ ▟██████▙ ▜███▙
+ ▟███▛▜███▙ ▜███▙
+ ▟███▛ ▜███▙ ▜███▙
+ ▝▀▀▀ ▀▀▀▀▘ ▀▀▀▘
+```
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..7e33a9d
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1,211 @@
+{ config, pkgs, ... }:
+# NixOS Homelab
+# ===================
+# The goal of this build is to get a basic good setup in NixOS that
+# does similiar things to something like Yunohost but in a
+# declarative fashion.
+#
+# Comments or suggestions to https://fedi.arkadi.one/@tootbrute
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ./services/jellyfin.nix
+ ./services/calibre-web.nix
+ ./services/glances.nix
+ ./services/fail2ban.nix
+ ];
+ # Bootloader.
+ boot.loader.systemd-boot.enable = true;
+
+ # ZFS SSH Remote Unlock, ethernet only
+ # https://wiki.nixos.org/wiki/ZFS
+ boot = {
+ initrd.network = {
+ enable = true;
+ ssh = {
+ enable = true;
+ port = 2222;
+ hostKeys = [ /boot/host_ecdsa_key ];
+ authorizedKeys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfnE4JwpIyghoFYurZLjFkzc5G4l1FeS76yYITg9wUB elias@tux" #little hp - tux
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0Q/NC0RHEUjx2WHrZPw0xnCjOCFv5uz53099lknZmG elias@fedora" #desktop
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL3Ihu9CsCL17FuHl6EqyMDT5BPjh8GlLTWHM+Y1D1I7 elias@bluenix" #bluenix
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILv96m1nCz3D0lzjzeGa+n4m3krEyl7KZ0tstjIZdTkq elias@bluefin" #acer
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK8zlxSVOTCnAgb4U5vkC3ietH3Jd9gLE+FA6UOZp64J elias@arkadi.one" #arkadi
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVWt9UsavFfdwQzklW/zSlwGwQXaDvFk+MdzsCp0gnp tootbrute@tutanota.com" #greynix
+ ];
+ # to login: ssh -p 2222 root@192.168.15.180 "zfs load-key -a && killall zfs"
+ };
+ };
+};
+
+#above can i simplify this list of authorizedKeys?
+# example: https://discourse.nixos.org/t/unlock-encrypted-zfs-via-ssh-on-boot/40582
+# authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users);
+
+ # ZFS
+ services.zfs.autoScrub.enable = true;
+
+ # Housekeeping: Garbage collection
+ nix.gc.automatic = true;
+ nix.optimise.automatic = true;
+
+ # Networking
+ networking.hostName = "knossos"; # Define your hostname.
+ networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+ networking.hostId = "0631374f"; # for ZFS
+
+ # Enable networking
+ #networking.networkmanager.enable = true;
+
+ # Set your time zone.
+ time.timeZone = "Asia/Taipei";
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ i18n.extraLocaleSettings = {
+ LC_ADDRESS = "zh_TW.UTF-8";
+ LC_IDENTIFICATION = "zh_TW.UTF-8";
+ LC_MEASUREMENT = "zh_TW.UTF-8";
+ LC_MONETARY = "zh_TW.UTF-8";
+ LC_NAME = "zh_TW.UTF-8";
+ LC_NUMERIC = "zh_TW.UTF-8";
+ LC_PAPER = "zh_TW.UTF-8";
+ LC_TELEPHONE = "zh_TW.UTF-8";
+ LC_TIME = "zh_TW.UTF-8";
+ };
+
+nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+#fix later
+ # Configure keymap in X11
+# services.xserver = {
+ # xkb.layout = "us";
+ # xkb.Variant = "";
+ # };
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ users.users.elias = {
+ isNormalUser = true;
+ description = "Tootbrute";
+ extraGroups = [ "networkmanager" "wheel" "docker"];
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa 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 elias@socrates" #acer at school
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfnE4JwpIyghoFYurZLjFkzc5G4l1FeS76yYITg9wUB elias@tux" #little hp - tux
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0Q/NC0RHEUjx2WHrZPw0xnCjOCFv5uz53099lknZmG elias@fedora" #desktop
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL3Ihu9CsCL17FuHl6EqyMDT5BPjh8GlLTWHM+Y1D1I7 elias@bluenix" #bluenix
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILv96m1nCz3D0lzjzeGa+n4m3krEyl7KZ0tstjIZdTkq elias@bluefin" #acer
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK8zlxSVOTCnAgb4U5vkC3ietH3Jd9gLE+FA6UOZp64J elias@arkadi.one"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVWt9UsavFfdwQzklW/zSlwGwQXaDvFk+MdzsCp0gnp tootbrute@tutanota.com" #greynix
+ ];
+ linger = true;
+ packages = with pkgs; [];
+ };
+
+ # SSH Login Message
+ users.motd = "
+
+ ||
+ ||
+ || //` `||''|, .|''|, ('''' ('''' .|''|, (''''
+ ||<< || || || || `'') `'') || || `'')
+ .|| \\. .|| ||. `|..|' `...' `...' `|..|' `...'
+
+";
+
+ # Disable sudo password for the wheel group
+ security.sudo.wheelNeedsPassword = false;
+
+ # Enable automatic login for the user.
+ #services.getty.autologinUser = "elias";
+
+ # Allow unfree packages
+ nixpkgs.config.allowUnfree = true;
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ wget
+ fastfetch
+ htop
+ btop
+ curl
+ wget
+ restic
+ git
+ neovim
+
+ tmux #like screen
+ wiper #like ncdu
+ systemctl-tui #systemd tui
+ diskonaut #see how much space is used
+
+ tcpdump #for wireguard test
+
+ ];
+
+ # List services that you want to enable:
+
+ # Enable the OpenSSH daemon.
+ services.openssh.enable = true;
+
+ # Tailscale
+ services.tailscale = {
+ enable = true;
+ #permitCertUid = "caddy";
+ };
+
+ # Cron
+ services.cron.enable = true;
+ services.cron.systemCronJobs = [
+ "00 * * * * root curl https://hc-ping.com/0bbb3afb-196a-4d12-894f-599099029cfc"
+ ];
+
+ # Docker
+ # maybe I don't need? haven't used Docker yet
+ virtualisation = {
+ docker = {
+ enable = true;
+ autoPrune = {
+ enable = true;
+ dates = "weekly";
+ };
+ rootless = {
+ enable = true;
+ setSocketVariable = true;
+ };
+ };
+ };
+
+ # Open ports in the firewall.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ # networking.firewall.enable = false;
+
+ networking.firewall = {
+ # enable the firewall
+ enable = true;
+
+ # allow all ports from your Tailscale network
+ trustedInterfaces = [ "tailscale0" ];
+ #or allow you to SSH in over the public internet
+ allowedTCPPorts = [ 22 80 443 ];
+
+ # allow the Tailscale UDP port through the firewall
+ allowedUDPPorts = [ config.services.tailscale.port ];
+
+ };
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "24.11"; # Did you read the comment?
+
+}
diff --git a/hardware-configuration.nix b/hardware-configuration.nix
new file mode 100644
index 0000000..d740759
--- /dev/null
+++ b/hardware-configuration.nix
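Review bot: `services.openssh.enable = true;` in this hunk leaves sshd's authentication at the module defaults while `allowedTCPPorts = [ 22 80 443 ];` exposes port 22 on every interface that is not `tailscale0`, and `security.sudo.wheelNeedsPassword = false;` (earlier in this file) makes any successful login to the `wheel` member `elias` a passwordless root. Every account here is key-based, so add `services.openssh.settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; };` next to the enable line, and reconsider whether 22 needs to be in `allowedTCPPorts` at all given the trusted Tailscale interface. The hc-ping.com URL in `services.cron.systemCronJobs` is effectively a credential for that monitor (whoever holds the UUID can keep the check green), so reading it from a file outside the repo is worth a TODO. Minor: `wget` is listed twice in `environment.systemPackages`.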
@@ -0,0 +1,62 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+ boot.initrd.kernelModules = [ "r8169" ]; #added for remote unlock, wifi is rtl8188ee, r8169 eth
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.kernelParams = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "zpool/root";
+ fsType = "zfs";
+ options = [ "zfsutil" ];
+ };
+
+ fileSystems."/nix" =
+ { device = "zpool/nix";
+ fsType = "zfs";
+ options = [ "zfsutil" ];
+ };
+
+ fileSystems."/var" =
+ { device = "zpool/var";
+ fsType = "zfs";
+ options = [ "zfsutil" ];
+ };
+
+ fileSystems."/home" =
+ { device = "zpool/home";
+ fsType = "zfs";
+ options = [ "zfsutil" ];
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/6D49-27BC";
+ fsType = "vfat";
+ options = [ "fmask=0022" "dmask=0022" ];
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-id/ata-ST1000LM014-1EJ164_W3810DEF-part2";
+ randomEncryption = true;
+ }];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
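Review bot: `boot.initrd.kernelModules = [ "r8169" ]; #added for remote unlock...` is a hand edit to a file whose own header says it is regenerated by `nixos-generate-config`, so the next regeneration silently drops the NIC driver and the initrd SSH unlock configured in configuration.nix stops answering at boot. Move that line (comment included) into configuration.nix beside `boot.initrd.network`; the module system merges the two lists, so nothing else changes.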
diff --git a/rebuild.sh b/rebuild.sh
new file mode 100755
index 0000000..d8b87db
--- /dev/null
+++ b/rebuild.sh
@@ -0,0 +1,3 @@
+#!/run/current-system/sw/bin/bash
+sudo nixos-rebuild switch -I nixos-config=/home/elias/nixos-config/configuration.nix
+
diff --git a/services/calibre-web.nix b/services/calibre-web.nix
new file mode 100644
index 0000000..dc599f9
--- /dev/null
+++ b/services/calibre-web.nix
@@ -0,0 +1,26 @@
+{ config, pkgs, ... }:
+{
+
+ # Calibre-Web
+ # more options: https://mynixos.com/nixpkgs/options/services.calibre-web
+ services.calibre-web= {
+ enable = true;
+ listen = {
+ ip = "0.0.0.0";
+ port = 8083;
+ };
+ openFirewall = true;
+ options = {
+ enableBookUploading = true;
+ enableBookConversion = true;
+ # No " " around absolute path
+ # Make sure a calibre library .db file is in this folder
+ # Example file: https://github.com/janeczku/calibre-web/raw/master/library/metadata.db
+ calibreLibrary =/home/elias/books;
+ };
+ };
+
+#Using Caddy on VPS. Don't need this.
+services.nginx.enable = false;
+
+}
diff --git a/services/fail2ban.nix b/services/fail2ban.nix
new file mode 100644
index 0000000..144660d
--- /dev/null
+++ b/services/fail2ban.nix
@@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+{
+
+ services.fail2ban = {
+ enable = true;
+ # Ban IP after 5 failures
+ maxretry = 5;
+ ignoreIP = [
+ # Whitelist some subnets
+ "100.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"
+ ];
+ bantime = "24h"; # Ban IPs for one day on the first ban
+ bantime-increment = {
+ enable = true; # Enable increment of bantime after each violation
+ formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+ #multipliers = "1 2 4 8 16 32 64";
+ maxtime = "168h"; # Do not ban for more than 1 week
+ overalljails = true; # Calculate the bantime based on all the violations
+ };
+ };
+}
diff --git a/services/glances.nix b/services/glances.nix
new file mode 100644
index 0000000..2ae1507
--- /dev/null
+++ b/services/glances.nix
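Review bot: `ip = "0.0.0.0";` together with `openFirewall = true;` publishes Calibre-Web on port 8083 to every interface and opens it in the firewall, even though the trailing comment says access is meant to go through Caddy on the VPS, i.e. over Tailscale, which configuration.nix already trusts via `trustedInterfaces`. Dropping `openFirewall = true;` keeps the service reachable on `tailscale0` only; binding `listen.ip` to the host's Tailscale address would narrow it further once that address is stable. With `enableBookUploading = true;` any authenticated user can write into `/home/elias/books`, so confirm the application's default admin login has been changed before the port is reachable from the LAN.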
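Review bot: `ignoreIP` exempts `"100.0.0.0/8"`, presumably to cover Tailscale, but Tailscale hands out addresses from the CGNAT block `100.64.0.0/10`; the /8 also exempts the publicly routable ranges 100.0.0.0–100.63.255.255 and 100.128.0.0–100.255.255.255 from banning. Change the entry to `"100.64.0.0/10"`. Note also that fail2ban only watches services with a jail — as far as I recall the NixOS module ships an sshd jail by default and nothing else (confirm) — so the web logins opened elsewhere in this commit via `openFirewall` are not rate-limited by this file.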
@@ -0,0 +1,10 @@
+{ config, pkgs, ... }:
+{
+
+ services.glances = {
+ enable = true;
+ port = 61208;
+ openFirewall = true;
+ };
+
+}
diff --git a/services/immich.nix b/services/immich.nix
new file mode 100644
index 0000000..9cb86e9
--- /dev/null
+++ b/services/immich.nix
@@ -0,0 +1,9 @@
+{ config, pkgs, ... }:
+{
+
+ services.immich = {
+ enable = true;
+ port = 2283;
+ };
+
+}
diff --git a/services/jellyfin.nix b/services/jellyfin.nix
new file mode 100644
index 0000000..0313b62
--- /dev/null
+++ b/services/jellyfin.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+{
+
+ services.jellyfin = {
+ enable = true;
+ openFirewall = true;
+ };
+
+ environment.systemPackages = [
+ pkgs.jellyfin
+ pkgs.jellyfin-web
+ pkgs.jellyfin-ffmpeg
+ ];
+
+}
diff --git a/services/nextcloud-reset.sh b/services/nextcloud-reset.sh
new file mode 100755
index 0000000..66d5e2e
--- /dev/null
+++ b/services/nextcloud-reset.sh
@@ -0,0 +1,6 @@
+#!/run/current-system/sw/bin/bash
+sudo systemctl stop postgresql
+sudo systemctl stop nextcloud-setup
+sudo rm -rf /var/lib/nextcloud
+sudo rm -rf /var/lib/postgresql
+
diff --git a/services/nextcloud.nix b/services/nextcloud.nix
new file mode 100644
index 0000000..af800ba
--- /dev/null
+++ b/services/nextcloud.nix
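Review bot: `openFirewall = true;` for `services.glances` opens port 61208 on every non-trusted interface, and nothing in this file configures authentication for the Glances web server, so process, mount and network details of the host become readable from the whole LAN. configuration.nix already trusts `tailscale0`, so drop `openFirewall = true;` and reach it over Tailscale, or front it with the Caddy instance mentioned in calibre-web.nix.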
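Review bot: `services.immich` is defined here, but `./services/immich.nix` is not in configuration.nix's `imports` list (nor are nextcloud.nix and transmission.nix), so this file is never evaluated by `nixos-rebuild`. Either add it to `imports` or put a one-line comment at the top such as `# not yet imported from configuration.nix` so the state is explicit; un-imported modules also hide parse errors until the day they are wired in.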
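Review bot: `sudo rm -rf /var/lib/postgresql` deletes the whole PostgreSQL cluster, not just the `nextcloud` database that nextcloud.nix creates, and the script has no `set -euo pipefail`, so a failed `systemctl stop` is ignored and the directories are removed under a still-running service. Add `set -euo pipefail` after the shebang, replace the second `rm` with something scoped to the Nextcloud database (e.g. `dropdb` while PostgreSQL is still up), and state in a header comment that the script destroys all Nextcloud data.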
@@ -0,0 +1,42 @@
+{ config, pkgs, ... }:
+{
+services.nextcloud = {
+ enable = true;
+ configureRedis = true;
+ package = pkgs.nextcloud30;
+ hostName = "nextcloud.knossos";
+ datadir = "/var/lib/nextcloud/";
+ settings = {
+ overwriteprotocol = "https";
+ trusted_proxies = [ "localhost" "127.0.0.1" "100.122.246.61" ];
+ #trusted_domains = [ "knossos.zebra-rudd.ts.net" ];
+ };
+ config = {
+ dbtype = "pgsql";
+ dbuser = "nextcloud";
+ dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
+ dbname = "nextcloud";
+ adminpassFile = "/var/nextcloud-admin-pass";
+ adminuser = "admin";
+ };
+};
+
+services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "nextcloud" ];
+ ensureUsers = [
+ { name = "nextcloud";
+ ensureDBOwnership = true;
+ }
+ ];
+};
+
+# ensure that postgres is running *before* running the setup
+systemd.services."nextcloud-setup" = {
+ requires = ["postgresql.service"];
+ after = ["postgresql.service"];
+};
+
+services.nginx.virtualHosts."nextcloud.knossos".listen = [ { addr = "127.0.0.1"; port = 8009; } ];
+
+}
diff --git a/services/transmission.nix b/services/transmission.nix
new file mode 100644
index 0000000..db46574
--- /dev/null
+++ b/services/transmission.nix
@@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+{
+# https://mynixos.com/nixpkgs/options/services.transmission
+
+
+ services.transmission {
+ enable = true;
+ openFirewall = true;
+ };
+
+}
diff --git a/ssh_keys.nix b/ssh_keys.nix
new file mode 100644
index 0000000..85d6b3f
--- /dev/null
+++ b/ssh_keys.nix
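Review bot: `#trusted_domains` is commented out while `trusted_proxies` lists the remote proxy `100.122.246.61`, so requests that arrive through that proxy with the external Host header will likely be refused as an untrusted domain unless that name equals `hostName = "nextcloud.knossos"`; re-enable `settings.trusted_domains` with whatever name Caddy serves. The nginx vhost listens only on `127.0.0.1:8009`, which a proxy at a Tailscale address cannot reach directly — if a local forwarder such as the TSDProxy named in the README bridges it, a comment saying so would save the next reader a debugging round. This file is also not in configuration.nix's `imports`, so none of it is evaluated yet.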
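Review bot: `services.transmission {` is missing the `=`, so the file is a Nix parse error; it goes unnoticed only because services/transmission.nix is not in configuration.nix's `imports`. Fix it to `services.transmission = {`. As I read the module, `openFirewall` covers the peer port and the RPC web UI is governed separately (`openRPCPort`, off by default), so before importing this file decide whether the RPC UI should stay LAN-closed or get `settings.rpc-authentication-required = true;` plus credentials.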
@@ -0,0 +1 @@
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfnE4JwpIyghoFYurZLjFkzc5G4l1FeS76yYITg9wUB elias@tux" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0Q/NC0RHEUjx2WHrZPw0xnCjOCFv5uz53099lknZmG elias@fedora" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL3Ihu9CsCL17FuHl6EqyMDT5BPjh8GlLTWHM+Y1D1I7 elias@bluenix" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILv96m1nCz3D0lzjzeGa+n4m3krEyl7KZ0tstjIZdTkq elias@bluefin" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK8zlxSVOTCnAgb4U5vkC3ietH3Jd9gLE+FA6UOZp64J elias@arkadi.one" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVWt9UsavFfdwQzklW/zSlwGwQXaDvFk+MdzsCp0gnp tootbrute@tutanota.com"
diff --git a/upgrade.sh b/upgrade.sh
new file mode 100755
index 0000000..83ebb7e
--- /dev/null
+++ b/upgrade.sh
@@ -0,0 +1,3 @@
+#!/run/current-system/sw/bin/bash
+sudo nixos-rebuild switch -I nixos-config=/home/elias/nixos-config/configuration.nix --upgrade
+
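Review bot: the single line is a bare sequence of string literals with no surrounding `[ ]`; Nix parses adjacent expressions as function application, so `import ./ssh_keys.nix` fails with an attempt to call a string rather than yielding a list. Wrap the keys in a list, one per line, and configuration.nix can then answer its own `#above can i simplify` question with `let sshKeys = import ./ssh_keys.nix; in` and `authorizedKeys = sshKeys;` for both `boot.initrd.network.ssh` and `users.users.elias.openssh.authorizedKeys.keys`. That also stops the two copies drifting: the user list already carries an `elias@socrates` RSA key that the initrd list does not, which may or may not be intended.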