4o1x5/infrastructure
4o1x5/infrastructure
Archived
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

default

Browse source
This commit is contained in:
2005 2024-05-29 17:15:20 +02:00
commit 0bd4baf3d1
64 changed files with 2025 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

39
configs/default.nix Normal file
View file

@ -0,0 +1,39 @@
{ pkgs, ... }: {
environment.systemPackages = with pkgs; [
zip
btop
unzip
neovim
w3m
git
];
programs.zsh.enable = true;
users.users.root.shell = pkgs.zsh;
home-manager.root.pink = {
programs.zsh = {
enable = true;
shellAliases = {
# docker
dc = "docker compose";
dco = "docker container";
dn = "docker network";
dv = "docker volume";
};
loginExtra = ''
PROMPT="[%M] %~ "
'';
antidote = {
enable = true;
plugins = [
"marlonrichert/zsh-autocomplete"
"zsh-users/zsh-syntax-highlighting"
];
};
};
};
}

10
configs/docker.nix Normal file
View file

@ -0,0 +1,10 @@
{ pkgs, ... }: {
environment.systemPackages = with pkgs; [
docker-compose
];
virtualisation.docker = {
enable = true;
enableOnBoot = false;
};
}

238
flake.lock Normal file
View file

@ -0,0 +1,238 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": "nixpkgs",
"systems": "systems"
},
"locked": {
"lastModified": 1716561646,
"narHash": "sha256-UIGtLO89RxKt7RF2iEgPikSdU53r6v/6WYB0RW3k89I=",
"owner": "ryantm",
"repo": "agenix",
"rev": "c2fc0762bbe8feb06a2e59a364fa81b3a57671c9",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1705309234,
"narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703113217,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1716729592,
"narHash": "sha256-Y3bOjoh2cFBqZN0Jw1zUdyr7tjygyxl2bD/QY73GZP0=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "2c78a57c544dd19b07442350727ced097e1aa6e6",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-23.11",
"repo": "home-manager",
"type": "github"
}
},
"i2pd-exporter": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1716319699,
"narHash": "sha256-Q4cyjCDMa7QOKiJz6ya1ah0qW14uVNuJX0uQjcUo+oc=",
"ref": "refs/heads/master",
"rev": "5a0eeb2dbb107d3f35b10f10dd64bd3204254ebd",
"revCount": 8,
"type": "git",
"url": "https://git.4o1x5.dev/4o1x5/i2pd-exporter"
},
"original": {
"type": "git",
"url": "https://git.4o1x5.dev/4o1x5/i2pd-exporter"
}
},
"microvm": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
],
"spectrum": "spectrum"
},
"locked": {
"lastModified": 1716754174,
"narHash": "sha256-L2Vni6dGDFWXWwY0rqkQWtZXt+qYQKUZr+Fj+EpI97Q=",
"owner": "astro",
"repo": "microvm.nix",
"rev": "fa4262c3c9197e7d62185858907f2e5acff3258d",
"type": "github"
},
"original": {
"owner": "astro",
"repo": "microvm.nix",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1703013332,
"narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1716633019,
"narHash": "sha256-xim1b5/HZYbWaZKyI7cn9TJCM6ewNVZnesRr00mXeS4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9d29cd266cebf80234c98dd0b87256b6be0af44e",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"home-manager": "home-manager_2",
"i2pd-exporter": "i2pd-exporter",
"microvm": "microvm",
"nixpkgs": "nixpkgs_2"
}
},
"spectrum": {
"flake": false,
"locked": {
"lastModified": 1708358594,
"narHash": "sha256-e71YOotu2FYA67HoC/voJDTFsiPpZNRwmiQb4f94OxQ=",
"ref": "refs/heads/main",
"rev": "6d0e73864d28794cdbd26ab7b37259ab0e1e044c",
"revCount": 614,
"type": "git",
"url": "https://spectrum-os.org/git/spectrum"
},
"original": {
"type": "git",
"url": "https://spectrum-os.org/git/spectrum"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

116
flake.nix Normal file
View file

@ -0,0 +1,116 @@
{
description = "4o1x5 infrastructure/homelab";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
home-manager = {
url = "github:nix-community/home-manager/release-23.11";
inputs.nixpkgs.follows = "nixpkgs";
};
i2pd-exporter = {
url = "git+https://git.4o1x5.dev/4o1x5/i2pd-exporter";
inputs.nixpkgs.follows = "nixpkgs";
};
microvm = {
url = "github:astro/microvm.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
agenix.url = "github:ryantm/agenix";
};
outputs =
{ self
, nixpkgs
, home-manager
, i2pd-exporter
, microvm
, agenix
}:
let
system = "x86_64-linux";
in
{
nixosConfigurations = {
pink = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
./hosts/pink/root.nix
./root.nix
i2pd-exporter.nixosModules.default
home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
}
];
};
carbon = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
./hosts/carbon/root.nix
./root.nix
./secrets/carbon.nix
agenix.nixosModules.default
home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
}
({ pkgs, ... }: {
ixpkgs.overlays = [
(self: super: {
inadyn = super.inadyn.overrideAttrs
(oldAttrs: rec {
src = pkgs.fetchFromGitHub
{
owner = "troglobit";
repo = "inadyn";
rev = "7d576c4d00d312597c2b9c06c00529d2dde5ac89";
hash = "sha256-EJ9/MZhz/Gjj2RCMRDkwuKRatig/t1wAqQRqOcHA2gc=";
};
});
})
];
})
];
};
lime = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
({ pkgs, ... }: {
nixpkgs.overlays = [
(self: super: {
inadyn = super.inadyn.overrideAttrs
(oldAttrs: rec {
src = pkgs.fetchFromGitHub
{
owner = "troglobit";
repo = "inadyn";
rev = "7d576c4d00d312597c2b9c06c00529d2dde5ac89";
hash = "sha256-EJ9/MZhz/Gjj2RCMRDkwuKRatig/t1wAqQRqOcHA2gc=";
};
});
})
];
})
./hosts/lime/root.nix
./root.nix
./secrets/lime.nix
agenix.nixosModules.default
home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
}
];
};
};
};
}

42
hosts/carbon/hardware-configuration.nix Normal file
View file

@ -0,0 +1,42 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "/dev/disk/by-uuid/f6788d24-084f-497d-a4f0-d42baa139ddf";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/E3E1-9724";
fsType = "vfat";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/332e974a-b0c1-4d39-a6a3-7aacdc4d754d"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

56
hosts/carbon/root.nix Normal file
View file

@ -0,0 +1,56 @@
{ pkgs, ... }: {
#
imports = [
./hardware-configuration.nix
# other services
#./services/matrix.nix
./services/forgejo.nix
# routes (other servers)
./services/routes/owncast.nix
./services/routes/openproject.nix
./services/routes/hydra.nix
./services/routes/csengo.nix
./services/routes/matrix.nix
#./services/ai.nix
# essentials
./services/postgresql.nix
./services/nginx.nix
./services/firewall.nix
# privacy services
./services/privacy/libreddit.nix
#./services/privacy/safetwitch.nix
#./services/privacy/piped.nix
./services/privacy/breezewiki.nix
./services/privacy/gothub.nix
# ./services/privacy/nitter.nix not maintained anymore
./services/privacy/anonymousoverflow.nix
./services/privacy/binternet.nix
./services/privacy/quetre.nix
./services/privacy/rimgo.nix
#./services/privacy/libretranslate.nix
./services/privacy/libremdb.nix
./services/privacy/librey.nix
./services/privacy/dumb.nix
#./services/privacy/searxng.nix
# monitoring
./services/monitoring/exporters/node.nix
./services/monitoring/exporters/smartctl.nix
];
networking.hostName = "carbon";
networking.domain = "4o1x5.dev";
# Bootloader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
}

18
hosts/carbon/services/ai.nix Normal file
View file

@ -0,0 +1,18 @@
{ pkgs, config, ... }:
let
ollamaPort = "4827";
in
{
services.ollama.listenAddress = "0.0.0.0:${ollamaPort}";
services.ollama.environmentVariables = {
"CUDA_VISIBLE_DEVICES" = "GPU-cf2321f0-d34b-ec9b-31e9-8c0c69e1444a";
OLLAMA_LLM_LIBRARY = "gpu";
};
services.ollama.enable = true;
services.ollama.acceleration = "cuda";
}

17
hosts/carbon/services/firewall.nix Normal file
View file

@ -0,0 +1,17 @@
{ pkgs, ... }: {
networking.firewall = {
enable = true;
allowedTCPPorts = [
443
80
];
allowedUDPPorts = [
443
80
];
};
}

45
hosts/carbon/services/forgejo.nix Normal file
View file

@ -0,0 +1,45 @@
{ pkgs, config, ... }:
{
services.forgejo = {
enable = true;
settings = {
server = {
DOMAIN = "git.4o1x5.dev";
ROOT_URL = "https://git.${config.networking.domain}/";
DISABLE_REGISTRATION = true;
DISABLE_SSH = true;
};
DEFAULT.APP_NAME = "2005's git server";
actions.ENABLED = true;
};
database = {
type = "postgres";
createDatabase = true;
};
};
services.nginx = {
virtualHosts = {
"git.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = " http://127.0.0.1:3000";
};
};
};
};
services.gitea-actions-runner.instances = {
root = {
enable = true;
url = "https://git.${config.networking.domain}";
tokenFile = config.age.secrets.forgejo-runner.path;
labels = [
"debian-latest:docker://node:18-bullseye"
"ubuntu-latest:docker://node:18-bullseye"
];
name = config.networking.domain;
};
};
}

8
hosts/carbon/services/monitoring/exporters/node.nix Normal file
View file

@ -0,0 +1,8 @@
{ pkgs, ... }: {
services.prometheus.exporters.node = {
enable = true;
port = 9001;
openFirewall = true;
enabledCollectors = [ "systemd" ];
};
}

16
hosts/carbon/services/monitoring/exporters/smartctl.nix Normal file
View file

@ -0,0 +1,16 @@
{ pkgs, ... }: {
services.prometheus.exporters.smartctl = {
enable = true;
openFirewall = true;
devices = [ "/dev/sda" ];
};
services.smartd = {
enable = true;
notifications.wall.enable = true;
devices = [
{
device = "/dev/sda";
}
];
};
}

40
hosts/carbon/services/nginx.nix Normal file
View file

@ -0,0 +1,40 @@
{ pkgs, inputs, config, ... }:
{
services.nginx = {
enable = true;
virtualHosts = {
"www.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
root = pkgs.callPackage ../services/website/default.nix { };
};
};
"${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
root = pkgs.callPackage ../services/website/default.nix { };
};
extraConfig = ''
error_page 404 /404.html;
deny 3.1.202.244;
deny 170.64.219.93;
deny 91.215.85.43;
client_max_body_size 900M;
'';
};
};
};
security.acme = {
acceptTerms = true;
defaults.email = "admin+acme@4o1x5.dev";
};
}

5
hosts/carbon/services/postgresql.nix Normal file
View file

@ -0,0 +1,5 @@
{ pkgs, ... }: {
services.postgresql.enable = true;
}

28
hosts/carbon/services/privacy/anonymousoverflow.nix Normal file
View file

@ -0,0 +1,28 @@
{ pkgs, config, ... }: {
virtualisation.oci-containers.containers = {
anonymousoverflow = {
image = "ghcr.io/httpjamesm/anonymousoverflow:release";
ports = [
"7344:8080"
];
environment = {
APP_URL = "https://.anonymousoverflow.4o1x5.dev";
# TODO add JTW_SIGNING_KEY to work
};
};
};
services.nginx = {
virtualHosts = {
"anonymousoverflow.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = " http://127.0.0.1:7344";
};
};
};
};
}

24
hosts/carbon/services/privacy/binternet.nix Normal file
View file

@ -0,0 +1,24 @@
{ pkgs, config, ... }: {
virtualisation.oci-containers.containers = {
binternet = {
image = "ghcr.io/ahwxorg/binternet:latest";
ports = [
"7382:80"
];
};
};
services.nginx = {
virtualHosts = {
"binternet.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = " http://127.0.0.1:7382";
};
};
};
};
}

25
hosts/carbon/services/privacy/breezewiki.nix Normal file
View file

@ -0,0 +1,25 @@
{ pkgs, config, ... }: {
virtualisation.oci-containers.containers = {
breezewiki = {
image = "quay.io/pussthecatorg/breezewiki:latest";
ports = [
"1584:10416"
];
};
};
services.nginx = {
virtualHosts = {
"breezewiki.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = " http://127.0.0.1:1584";
};
};
};
};
}

25
hosts/carbon/services/privacy/dumb.nix Normal file
View file

@ -0,0 +1,25 @@
{ pkgs, config, ... }: {
virtualisation.oci-containers.containers = {
dumb = {
image = "ghcr.io/rramiachraf/dumb:latest";
ports = [
"8332:5555"
];
};
};
services.nginx = {
virtualHosts = {
"dumb.${config.networking.domain}" =
{
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = " http://127.0.0.1:8332";
};
};
};
};
}

37
hosts/carbon/services/privacy/gothub.nix Normal file
View file

@ -0,0 +1,37 @@
{ pkgs, config, ... }: {
virtualisation.oci-containers.containers = {
gothub = {
image = "codeberg.org/gothub/gothub:latest";
ports = [
"4032:3000"
];
environment = {
DOCKER = "true";
GOTHUB_SETUP_COMPLETE = "true";
GOTHUB_PROXYING_ENABLED = "true";
GOTHUB_IP_LOGGED = "false";
GOTHUB_REQUEST_URL_LOGGED = "true";
GOTHUB_USER_AGENT_LOGGED = "true";
GOTHUB_DIAGNOSTIC_INFO_LOGGED = "false";
GOTHUB_INSTANCE_PRIVACY_POLICY = "https://4o1x5.dev/privacy-policy";
GOTHUB_INSTANCE_COUNTRY = "Hungary";
GOTHUB_INSTANCE_PROVIDER = "Telekom";
GOTHUB_INSTANCE_CLOUDFLARE = "false";
};
};
};
services.nginx = {
virtualHosts = {
"gothub.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = " http://127.0.0.1:4032";
};
};
};
};
}

23
hosts/carbon/services/privacy/libreddit.nix Normal file
View file

@ -0,0 +1,23 @@
{ pkgs, config, ... }: {
services.libreddit = {
enable = true;
address = "127.0.0.1";
port = 3672;
};
services.nginx = {
virtualHosts = {
# Privacy services
"libreddit.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = " http://127.0.0.1:3672";
};
};
};
};
}

33
hosts/carbon/services/privacy/libremdb.nix Normal file
View file

@ -0,0 +1,33 @@
{ pkgs, config, ... }: {
virtualisation.oci-containers.containers = {
libremdb = {
image = "quay.io/pussthecatorg/libremdb:latest";
ports = [
"7345:3000"
];
environment = {
NEXT_PUBLIC_URL = "https://libremdb.${config.networking.domain}";
AXIOS_USER_AGENT = "Mozilla/5.0 (X11; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0";
AXIOS_ACCEPT = "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8";
NEXT_TELEMETRY_DISABLED = "1";
USE_REDIS = "false";
NEXT_PUBLIC_INSTANCE_NAME = "libremdb.${config.networking.domain}";
};
};
};
services.nginx = {
virtualHosts = {
"libremdb.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = " http://127.0.0.1:7345";
};
};
};
};
}

43
hosts/carbon/services/privacy/librey.nix Normal file
View file

@ -0,0 +1,43 @@
{ pkgs, config, ... }: {
virtualisation.oci-containers.containers = {
librey = {
image = "ghcr.io/ahwxorg/librey:latest";
ports = [
"3345:8080"
];
environment = {
CONFIG_GOOGLE_DOMAIN = "com";
CONFIG_LANGUAGE = "en";
CONFIG_NUMBER_OF_RESULTS = "10";
CONFIG_INVIDIOUS_INSTANCE = "https://yt.ahwx.org";
CONFIG_DISABLE_BITTORRENT_SEARCH = "false";
CONFIG_HIDDEN_SERVICE_SEARCH = "true";
CONFIG_INSTANCE_FALLBACK = "true";
CONFIG_RATE_LIMIT_COOLDOWN = "25";
CONFIG_CACHE_TIME = "20";
CONFIG_DISABLE_API = "false";
CONFIG_TEXT_SEARCH_ENGINE = "auto";
CURLOPT_PROXY_ENABLED = "false";
CURLOPT_PROXY = "192.0.2.53:8388";
CURLOPT_PROXYTYPE = "CURLPROXY_HTTP";
CURLOPT_USERAGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:116.0) Gecko/20100101 Firefox/116.0";
CURLOPT_FOLLOWLOCATION = "true";
};
};
};
services.nginx = {
virtualHosts = {
"librey.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = " http://127.0.0.1:3345";
};
};
};
};
}

33
hosts/carbon/services/privacy/piped.nix Normal file
View file

@ -0,0 +1,33 @@
{ pkgs, config, ... }: {
# TODO fix
services.piped = {
enable = true;
domain = "piped.${config.networking.domain}";
backend = {
port = 5632;
database = {
# TODO fix
#TODO SECRET
host = "127.0.0.1";
username = "piped-backend";
passwordFile = ./piped;
database = "piped-backend";
createLocally = false;
};
};
};
services.postgresql = {
enable = true;
enableTCPIP = true;
ensureDatabases = [ "piped-backend" ];
ensureUsers = [
{
name = "piped-backend";
ensureDBOwnership = true;
}
];
};
}

43
hosts/carbon/services/privacy/quetre.nix Normal file
View file

@ -0,0 +1,43 @@
{ pkgs, config, ... }: {
virtualisation.oci-containers.containers = {
quetre = {
image = "quay.io/pussthecatorg/quetre:latest";
extraOptions = [
"--network=host"
];
environment = {
NODE_ENV = "production";
PORT = "2355";
CACHE_PERIOD = "24h";
REDIS_URL = "localhost:3442";
REDIS_TTL = "3600";
};
};
};
services.redis.servers = {
quetre = {
port = 3442;
enable = true;
};
};
services.nginx = {
virtualHosts = {
"quetre.${config.networking.domain}" =
{
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = " http://127.0.0.1:2355";
};
};
};
};
}

51
hosts/carbon/services/privacy/rimgo.nix Normal file
View file

@ -0,0 +1,51 @@
{ pkgs, config, ... }: {
virtualisation.oci-containers.containers = {
rimgo = {
image = "codeberg.org/rimgo/rimgo:latest";
ports = [
"4312:3000"
];
environment = {
ADDRESS = "0.0.0.0";
PORT = "3000";
FIBER_PREFORK = "false";
# Link to a privacy policy (optional)
PRIVACY_POLICY = "https://4o1x5.dev/privacy-policy";
# Explain how this data is used/why it is collected (optional)
PRIVACY_MESSAGE = "Read my privacy policy on my website";
# Country where instance is located. Leave blank if running on Tor without clearnet.
PRIVACY_COUNTRY = "HU";
# Hosting provider or ISP name. Leave blank if running on Tor without clearnet.
PRIVACY_PROVIDER = "Telekom";
# Set to true if you use Cloudflare (using Cloudflare only as DNS (gray cloud icon), set to false)
PRIVACY_CLOUDFLARE = "false";
PRIVACY_NOT_COLLECTED = "false";
# IP address
PRIVACY_IP = "true";
# Request URL
PRIVACY_URL = "true";
# Device Type (User agent)
PRIVACY_DEVICE = "false";
PRIVACY_DIAGNOSTICS = "false";
};
};
};
services.nginx = {
virtualHosts = {
"rimgo.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = " http://127.0.0.1:4312";
};
};
};
};
}

55
hosts/carbon/services/privacy/safetwitch.nix Normal file
View file

@ -0,0 +1,55 @@
{ pkgs, config, ... }:
{
virtualisation.oci-containers.containers = {
# TODO fix routing
safe-twitch-frontend = {
image = "codeberg.org/safetwitch/safetwitch:latest";
ports = [
"8280:8280"
];
environment = {
SAFETWITCH_BACKEND_DOMAIN = "sf.${config.networking.domain}";
SAFETWITCH_INSTANCE_DOMAIN = "safetwitch.${config.networking.domain}";
SAFETWITCH_HTTPS = "true";
SAFETWITCH_DEFAULT_LOCALE = "en";
SAFETWITCH_FALLBACK_LOCALE = "en";
};
};
safetwitch-backend = {
image = "codeberg.org/safetwitch/safetwitch-backend:latest";
ports = [
"7100:7100"
];
environment = {
URL = "sf.${config.networking.domain}";
PORT = "7100";
};
};
};
services.nginx = {
virtualHosts = {
"safetwitch.${config.networking.domain}" =
{
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = " http://127.0.0.1:8280";
};
};
"sf.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = " http://127.0.0.1:7100";
};
};
};
};
}

36
hosts/carbon/services/privacy/searxng.nix Normal file
View file

@ -0,0 +1,36 @@
{ pkgs, config, ... }: {
virtualisation.oci-containers.containers = {
searxng = {
image = "docker.io/searxng/searxng:latest";
ports = [
"3345:3000"
];
# TODO implement limiter
#volumes = [
# "/home/carbon/searxng.yml:/etc/searxng:rw"
#];
};
};
services.redis.servers = {
searxng = {
port = 3442;
enable = true;
};
};
services.nginx = {
virtualHosts = {
"librey.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = " http://127.0.0.1:3345";
};
};
};
};
}

29
hosts/carbon/services/routes/csengo.nix Normal file
View file

@ -0,0 +1,29 @@
{ pkgs, config, ... }: {
services.nginx = {
virtualHosts = {
"csengo.${config.networking.domain}" =
{
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = " http://32.54.31.99:8422";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
locations."/api" = {
proxyPass = " http://32.54.31.99:5333";
extraConfig = ''
rewrite /api/(.*) /$1 break;
'';
};
};
};
};
}

22
hosts/carbon/services/routes/hydra.nix Normal file
View file

@ -0,0 +1,22 @@
{ pkgs, config, ... }: {
services.nginx = {
virtualHosts = {
"hydra.${config.networking.domain}" =
{
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = " http://32.54.31.99:6732";
};
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
};
};
}

39
hosts/carbon/services/routes/matrix.nix Normal file
View file

@ -0,0 +1,39 @@
{ pkgs, config, ... }:
let
fqdn = "${config.networking.domain}";
baseUrl = "https://${fqdn}";
clientConfig."m.homeserver".base_url = "https://matrix.${fqdn}";
serverConfig."m.server" = "${fqdn}:443";
mkWellKnown = data: ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in
{
services.nginx = {
virtualHosts = {
"matrix.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = " http://32.54.31.241:8008";
};
extraConfig = ''
client_max_body_size 9000M;
'';
};
"${fqdn}" = {
# well known paths for matrix
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
locations."/_matrix".proxyPass = "http://32.54.31.241:8008";
locations."/_synapse".proxyPass = "http://32.54.31.241:8008";
locations."= /.well-known/matrix/client" .extraConfig = mkWellKnown clientConfig;
};
};
};
}

24
hosts/carbon/services/routes/openproject.nix Normal file
View file

@ -0,0 +1,24 @@
{ pkgs, config, ... }: {
services.nginx = {
virtualHosts = {
"openproject.${config.networking.domain}" =
{
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = " http://32.54.31.99:8080";
};
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
'';
};
};
};
}

26
hosts/carbon/services/routes/owncast.nix Normal file
View file

@ -0,0 +1,26 @@
{ pkgs, config, ... }: {
services.nginx = {
virtualHosts = {
"live.${config.networking.domain}" =
{
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = " http://32.54.31.241:3413";
};
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
'';
};
};
};
}

20
hosts/carbon/services/website/default.nix Normal file
View file

@ -0,0 +1,20 @@
{ pkgs }:
pkgs.stdenv.mkDerivation rec {
name = "website";
version = "0.1.25";
src = /home/grape/code/4o1x5/website;
buildInputs = [ pkgs.hugo ];
dontConfigure = true;
buildPhase = ''
cp -r $src/* .
${pkgs.hugo}/bin/hugo
'';
installPhase = ''
mkdir -p $out
cp -r public/* $out/
'';
}

35
hosts/lime/hardware-configuration.nix Normal file
View file

@ -0,0 +1,35 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "sd_mod" "sr_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/16777af0-cb7b-470c-a172-d1761e6a8a12";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/57420b12-9218-4110-9fb2-22ca3171f6a0"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

31
hosts/lime/root.nix Normal file
View file

@ -0,0 +1,31 @@
{ config, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
./services/firewall.nix
#./services/loki.nix
./services/mumble.nix
#./services/ddns-updater.nix
#./services/ai.nix
./services/postgresql.nix
./services/matrix.nix
./services/owncast.nix
# monitoring
./services/monitoring/exporters/node.nix
./services/monitoring/exporters/smartctl.nix
];
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
boot.loader.grub.useOSProber = true;
networking.hostName = "lime";
networking.domain = "4o1x5.dev";
}

29
hosts/lime/services/ai.nix Normal file
View file

@ -0,0 +1,29 @@
{ pkgs, ... }: {
environment.systemPackages = with pkgs; [
ollama
];
services.ollama.listenAddress = "0.0.0.0:4827";
services.ollama.environmentVariables = {
#"CUDA_VISIBLE_DEVICES" = "GPU-cf2321f0-d34b-ec9b-31e9-8c0c69e1444a";
OLLAMA_LLM_LIBRARY = "gpu";
};
services.ollama.enable = true;
#services.ollama.acceleration = "cuda";
# virtualisation.oci-containers.containers = {
# webui = {
# image = "ghcr.io/ollama-webui/ollama-webui:main";
# ports = [
# "5121:8080"
# ];
# volumes = [
# "/home/carbon/ollamawebui:/app/backend/data"
# ];
# };
# };
}

12
hosts/lime/services/ddns-updater.nix Normal file
View file

@ -0,0 +1,12 @@
{ pkgs, config, ... }: {
services.inadyn = {
enable = true;
# TODO fix
settings.provider.porkbun = {
username = config.age.secrets.porkbun-user.path;
password = config.age.secrets.porkbun.path;
ssl = true;
};
};
}

31
hosts/lime/services/firewall.nix Normal file
View file

@ -0,0 +1,31 @@
{ pkgs, ... }: {
networking.firewall = {
enable = false;
allowedTCPPorts = [
25565
22
222
4827
2222
9001
1141
# matrix
8008
];
allowedUDPPorts = [
25565
22
222
2222
4827
1141
5121 # olama
9001
# matrix
8008
];
};
}

45
hosts/lime/services/loki.nix Normal file
View file

@ -0,0 +1,45 @@
{ pkgs, ... }: {
#
services.loki = {
enable = false;
configuration = {
auth_enabled = false;
server = {
http_listen_port = 3100;
};
ingester = {
lifecycler = {
address = "0.0.0.0";
ring = {
kvstore.store = "inmemory";
replication_factor = 1;
};
};
chunk_idle_period = "15m";
};
schema_config.configs = [
{
from = "2020-02-25";
store = "boltdb";
object_store = "filesystem";
schema = "v11";
index = {
prefix = "index_";
period = "24h";
};
}
];
storage_config = {
boltdb.directory = "/tmp/loki/index";
};
limits_config = {
enforce_metric_name = false;
reject_old_samples = true;
reject_old_samples_max_age = "500h";
};
chunk_store_config.max_look_back_period = "0s";
};
};
}

43
hosts/lime/services/matrix.nix Normal file
View file

@ -0,0 +1,43 @@
{ pkgs, config, ... }:
let
baseUrl = "https://${config.networking.domain}";
in
{
services.matrix-synapse = {
enable = true;
settings = {
server_name = config.networking.domain;
public_baseurl = baseUrl;
enable_registration = false;
trusted_key_servers = [{ server_name = "matrix.org"; }
{
server_name = "tchncs.de";
}];
suppress_key_server_warning = true;
enable_registration_without_verification = true;
max_upload_size = "9861M";
listeners = [
{
port = 8008;
bind_addresses = [ "0.0.0.0" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [{
names = [ "client" "federation" ];
compress = true;
}];
}
];
server_notices = {
system_mxid_localpart = "server";
system_mxid_display_name = "Server Notices";
room_name = "Server Notices";
room_topic = "Notices about 4o1x5.dev";
auto_join = true;
};
};
};
}

8
hosts/lime/services/monitoring/exporters/node.nix Normal file
View file

@ -0,0 +1,8 @@
{ pkgs, ... }: {
services.prometheus.exporters.node = {
enable = true;
port = 9001;
openFirewall = true;
enabledCollectors = [ "systemd" ];
};
}

18
hosts/lime/services/monitoring/exporters/smartctl.nix Normal file
View file

@ -0,0 +1,18 @@
{ pkgs, ... }: {
services.prometheus.exporters.smartctl = {
enable = true;
openFirewall = true;
devices = [ "/dev/sda" ];
};
services.smartd = {
enable = true;
notifications.wall.enable = true;
devices = [
{
device = "/dev/sda";
}
];
};
}

28
hosts/lime/services/mumble.nix Normal file
View file

@ -0,0 +1,28 @@
{ pkgs, ... }: {
#
services.murmur = {
enable = true;
openFirewall = true;
bandwidth = 1300000;
welcometext = ''<b><span style=" color: #fad000">Welcome to 4o1x5.dev server<br/>Enjoy your stay.</span></b>'';
};
# Musicbot
services.botamusique.enable = true;
services.botamusique.settings = {
server = {
certificate = "/etc/botamusique.pem";
};
bot = {
channel = "/music";
name = "Zenebona";
comment = "szia";
admin = "penge;dmk";
stereo = true;
when_nobody_in_channel = "pause_resume";
bitrate = 1300000;
};
commands.command_symbol = ".:@:;:4:!:1";
};
}

10
hosts/lime/services/owncast.nix Normal file
View file

@ -0,0 +1,10 @@
{ pkgs, ... }: {
services.owncast = {
enable = true;
openFirewall = true;
listen = "0.0.0.0";
port = 3413;
};
}

14
hosts/lime/services/postgresql.nix Normal file
View file

@ -0,0 +1,14 @@
{ pkgs, ... }: {
services.postgresql.enable = true;
services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
'';
}

40
hosts/pink/hardware-configuration.nix Normal file
View file

@ -0,0 +1,40 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "/dev/disk/by-uuid/c5780502-0721-40d7-a41a-477120247835";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/1DF7-6D92";
fsType = "vfat";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

36
hosts/pink/root.nix Normal file
View file

@ -0,0 +1,36 @@
{ config, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
# SERVICES
./services/firewall.nix
./services/dns.nix
./services/endlessh.nix
./services/i2pd.nix
./services/hydra.nix
# monitoring
./services/monitoring/prometheus.nix
./services/monitoring/grafana.nix
./services/monitoring/exporters/node.nix
./services/monitoring/exporters/smartctl.nix
];
# Bootloader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "pink";
networking.domain = "stuff.local";
users.users.pink = {
isNormalUser = true;
description = "pink";
extraGroups = [ "networkmanager" "wheel" ];
packages = with pkgs; [ ];
};
}

19
hosts/pink/services/dns.nix Normal file
View file

@ -0,0 +1,19 @@
{ pkgs, config, ... }: {
services.adguardhome = {
enable = true;
openFirewall = true;
settings = {
#bind_port = 4000;
upstream_dns = [
"194.242.2.2"
"9.9.9.9"
"1.1.1.1"
];
};
# todo add blocklist
# https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/pro.plus.txt
};
}

17
hosts/pink/services/endlessh.nix Normal file
View file

@ -0,0 +1,17 @@
{ pkgs, ... }: {
services.endlessh-go = {
enable = true;
extraOptions = [
"-max_clients=200"
"-geoip_supplier=ip-api"
];
port = 2333;
openFirewall = true;
prometheus = {
enable = true;
port = 4212;
listenAddress = "127.0.0.1";
};
};
}

43
hosts/pink/services/firewall.nix Normal file
View file

@ -0,0 +1,43 @@
{ pkgs, config, ... }: {
networking.firewall = {
enable = true;
allowedTCPPorts = [
22 #ssh
# pihole
53
1444
# prometheus
9090
8080
config.services.i2pd.port
8422 # csengoclient
5333 # csengoserver
5432
];
allowedUDPPorts = [
22 # ssh
# pihole
53
1444
# prometheus
9090
8080
8422 # csengoclient
5333 # csengoserver
5432
config.services.i2pd.port
];
};
}

19
hosts/pink/services/hydra.nix Normal file
View file

@ -0,0 +1,19 @@
{ pkgs, config, ... }: {
services.hydra = {
enable = true;
hydraURL = "https://hydra.${config.networking.domain}"; # externally visible URL
notificationSender = "hydra@localhost"; #
# a standalone hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines
buildMachinesFiles = [ ];
# you will probably also want, otherwise *everything* will be built from scratch
useSubstitutes = true;
port = 6732;
};
networking.firewall = {
allowedTCPPorts = [ config.services.hydra.port ];
allowedUDPPorts = [ config.services.hydra.port ];
};
}

35
hosts/pink/services/i2pd.nix Normal file
View file

@ -0,0 +1,35 @@
{ pkgs, lib, config, ... }: {
services.i2pd = {
enable = false;
port = 9732;
enableIPv6 = true;
floodfill = true;
};
#i2pcontrol
services.i2pd.proto.i2pControl = {
enable = true;
port = 7659;
name = "i2pcontrol";
address = "0.0.0.0";
};
services.i2pd.proto.http = {
enable = true;
};
# todo proxy
# todo privacy respecting services
# todo reseed export
# need to create a nginx proxy that proxies the reseed file
services.prometheus.exporters.i2pd = {
enable = false;
port = 3321;
openFirewall = true;
routerAddress = "https://127.0.0.1:${toString config.services.i2pd.proto.i2pControl.port}";
routerPassword = "itoopie";
};
}

6
hosts/pink/services/monitoring/exporters/node.nix Normal file
View file

@ -0,0 +1,6 @@
{ pkgs, ... }: {
services.prometheus.exporters.node = {
enable = true;
port = 9001;
};
}

15
hosts/pink/services/monitoring/exporters/smartctl.nix Normal file
View file

@ -0,0 +1,15 @@
{ pkgs, ... }: {
services.prometheus.exporters.smartctl = {
enable = true;
devices = [ "/dev/sda" ];
};
services.smartd = {
enable = true;
notifications.wall.enable = true;
devices = [
{
device = "/dev/sda";
}
];
};
}

29
hosts/pink/services/monitoring/grafana.nix Normal file
View file

@ -0,0 +1,29 @@
{ pkgs, config, ... }:
let
grafanaPort = 3033;
in
{
services.grafana = {
enable = true;
settings.server = {
http_port = grafanaPort;
http_addr = "0.0.0.0";
};
provision = {
enable = true;
datasources.settings.datasources = [
{
name = "prometheus";
type = "prometheus";
url = "http://127.0.0.1:${toString config.services.prometheus.port}";
isDefault = true;
}
];
};
};
networking.firewall = {
allowedTCPPorts = [ grafanaPort ];
allowedUDPPorts = [ grafanaPort ];
};
}

79
hosts/pink/services/monitoring/prometheus.nix Normal file
View file

@ -0,0 +1,79 @@
{ pkgs, config, ... }:
let
lime = "32.54.31.241";
carbon = "32.54.31.180";
in
{
services.prometheus = {
enable = true;
scrapeConfigs = [
{
job_name = "node";
scrape_interval = "5s";
static_configs = [
{
targets = [ "localhost:9001" ];
labels = { alias = "node.pink.local"; };
}
{
targets = [ "${carbon}:9001" ];
labels = { alias = "node.carbon.local"; };
}
{
targets = [ "${lime}:9001" ];
labels = { alias = "node.lime.local"; };
}
{
targets = [ "32.54.31.172:9001" ];
labels = { alias = "node.strix.local"; };
}
];
}
{
job_name = "smartmontools";
scrape_interval = "5s";
static_configs = [
{
targets = [ "localhost:9633" ];
labels = { alias = "smartctl.pink.local"; };
}
{
targets = [ "${lime}:9633" ];
labels = { alias = "smartctl.lime.local"; };
}
{
targets = [ "${carbon}:9633" ];
labels = { alias = "smartctl.carbon.local"; };
}
];
}
{
job_name = "endlessh";
scrape_interval = "5s";
static_configs = [
{
targets = [ "localhost:${toString config.services.endlessh-go.prometheus.port}" ];
labels = { alias = "endlessh.pink.local"; };
}
];
}
{
job_name = "i2p";
scrape_interval = "5s";
static_configs = [
{
targets = [ "localhost:${toString config.services.prometheus.exporters.i2pd.port}" ];
labels = { alias = "i2pd.pink.local"; };
}
];
}
];
};
}

62
root.nix Normal file
View file

@ -0,0 +1,62 @@
{ pkgs, ... }: {
home-manager.users.root = {
programs.zsh = {
enable = true;
initExtra = ''
PROMPT="[%M] %~ "
'';
antidote = {
enable = true;
plugins = [
"marlonrichert/zsh-autocomplete"
"zsh-users/zsh-syntax-highlighting"
];
};
};
};
home-manager.users.root.home.stateVersion = "23.11";
networking.networkmanager.enable = true;
# Set your time zone.
time.timeZone = "Europe/Budapest";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
i18n.extraLocaleSettings = {
LC_ADDRESS = "hu_HU.UTF-8";
LC_IDENTIFICATION = "hu_HU.UTF-8";
LC_MEASUREMENT = "hu_HU.UTF-8";
LC_MONETARY = "hu_HU.UTF-8";
LC_NAME = "hu_HU.UTF-8";
LC_NUMERIC = "hu_HU.UTF-8";
LC_PAPER = "hu_HU.UTF-8";
LC_TELEPHONE = "hu_HU.UTF-8";
LC_TIME = "hu_HU.UTF-8";
};
services.xserver = {
layout = "us";
};
users.users."root".openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC2I8OcbOP85iszYjK12GrNJ5jTF4Kh3XHzALOr2Mk6Y5uCbOQOtsGq64rfm8lY+MPS6PGQlRy00UJUgbp6RV2rbOkBurUCJ4LkvMqukfU32H1IIe2h7fAdCMlBv5wNbtbX+Tx6LsRCvfivNmg/GJ+a4PsTm1TxzAFh2SPNu/iA44GPyho0rCtCKGgGsaux2vqI2PuGceXgHhjqdRw4lmmLeBuR/oWzOc6R27AcZtKRofeQS0bB8WdsWBLTFT37hqiWsIUEGNxPGP1D5diGhgZ9dNFPw5rH48j5VPwE72c2z+DQVdHdUYq23MCvy/6P98yvKUxLZFQuHaat0291cyOjVkaq3TBUPokeUi4JwGZCYs3081HQ/l7p1/3rMdB0DJS3SOlQ9k0ibHhZ/pG9n9CWVka8ImpSymdXcc1Vw5a/cN8rNynsju80ycast2RldY50lq1tnANqnR6T77arFtPMldnZrVt3jVlw6dQnhfZp+bbYSSF2+98pjtewvp/aMNqXpcTJz4+cgr3uopVwJ73qFgP4fgllhZdlW0ArpdzC4OEqbcpFCI+f3ThIafwQKpngYDonejz2dRz5VmQ8fy+zHvPu32XWnQfmMX8pZKAsHysewtDA+5CTBfWI5aZFQspdNkqRIKKzEMpxB4hWFH3HEoKjBo9NiS0ilaFyN//2lw== pear@rog-strix"
];
services.openssh = {
enable = true;
allowSFTP = true;
openFirewall = true;
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
};
nix.settings.experimental-features = [ "nix-command" "flakes" ];
nixpkgs.config.allowUnfree = true;
system.stateVersion = "23.11";
}

8
secrets/anonymousoverflow.age Normal file
View file

@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 VxAJjg 7I7xNPaCZPE1JUdjgAWeSpLBiuCPcHOmEsYi10zClxY
tHU+7llwklkoxrucgV2eOfG4gSGMaL2lJth3e+1Nkvg
-> ssh-ed25519 pw11Hg NOFrYZt4SnJ8pcR4SvyoaRwQHY/CCnFiLBlDXjoN9iw
ezmF8oYZTmGc5SULU/aImcAbpNMchXKIhzhPywi0+L0
--- hp8XULTiIl3wXkiJHq63G45VnxBM4i88yVOz+SkUSFk
6âzªõ
¸“gÔyõ®zƒ<EFBFBD>ôJ»xÀä™I %÷ý§#ç™ò”×­êó 6A1ûĽp8Ò™ ~ÿ‹š

3
secrets/carbon.nix Normal file
View file

@ -0,0 +1,3 @@
{ pkgs, ... }: {
age.secrets.forgejo-runner.file = ./forgejo-runner.age;
}

7
secrets/forgejo-runner.age Normal file
View file

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 VxAJjg FCHQ8R8lunZeC1W5GgHRuXOzKebT3H7+WgmkfC1MhHI
Yh11JHjmuMCNl4cGpJYgYEHxfGSPtCaE5WNvEldh+FE
-> ssh-ed25519 pw11Hg bwbMaWmmWy5N9DlvWbLc8Np1ZsVyvFBFzKuc+AC46G0
mMk+gUs+HDVF7Ud36JUZYrocc4rlDpjcmIlG6Zov34A
--- G5mTwB+gZ3fJx1OyFbHnvYpYmjDJEAjKJAPd9LXBHHQ
î`H@G—§ƒ¸cÊóê>|€gã­Ðý”’@ò/ 9Òb°° mMx,}¶»gE¾"ìw4§Jä³^«ù‡úž

5
secrets/lime.nix Normal file
View file

@ -0,0 +1,5 @@
{ pkgs, ... }: {
age.secrets.porkbun.file = ./porkbun.age;
age.secrets.porkbun-user.file = ./porkbun-user.age;
}

7
secrets/porkbun-user.age Normal file
View file

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 VxAJjg SAzffPLeKmWwiPBrxqb8b1lSjnvX0xXGoErceOwrfz8
qOu9fsxq0yneo5Wx0S6sJriYl9I+0geuD85ZVK8LEUg
-> ssh-ed25519 2+o3cg ODYd9WzF/r4ScnLNmnxne3NiuqlAQ4E3koozu4EKBQE
iiLf5yuAnGDTSFXLTbxm0PsQQBjnoFPVS7rh9v91GzY
--- BT5nFRlqsSubodxJI5M1+xE8yD/vzSHkvUTKhwOScWQ
<EFBFBD>ˉôÀ©(1ÝOßþÉ¥vfÜ"(r<>Ÿ¸ï$5)Ðb;©t1†‹‹°

BIN
secrets/porkbun.age Normal file
View file

Binary file not shown.

18
secrets/secrets.nix Normal file
View file

@ -0,0 +1,18 @@
let
grape = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFJwT2EBbcTCeB9KJrAlsE15EwyldWCiGodjSLeJu6Cz grape@strix";
users = [ grape ];
carbon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGgB3WAu0WWaRog795SwgM2vUXXB1/oosIhXRZ9kPZ+P";
lime = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPiO7+7mFkXQ5jYNSmGErC+C6js0CvSWw0Pe9NAtuL1W";
systems = [ carbon ];
in
{
"synapse.age".publicKeys = [ grape carbon ];
"anonymousoverflow.age".publicKeys = [ grape carbon ];
"forgejo-runner.age".publicKeys = [ grape carbon ];
"porkbun.age".publicKeys = [ grape lime ];
"porkbun-user.age".publicKeys = [ grape lime ];
}

7
secrets/synapse.age Normal file
View file

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 VxAJjg rj/YumbJppvgqWezT5U/Mt8O8Pb7FyjHIB37akQZMGo
PR+7pNN1bzh8X5DhDDgKNdyvsuysn5VAOkfvwy37j/Y
-> ssh-ed25519 pw11Hg gKvZHPXnvV8hk3CByniFT4BpGsrUxK7hLBE2UAlwmlw
oNKGVQwqKXLmA5gZudnuSCLPToC7gOL7lNu3DhW9bA8
--- nUHssI5El0LVBdGhwFOFA/7kM3SmW76Rfg+rg0OAmHw
y已刃ネqセ降包YWム$w]葫┰vOfX#トY愧!ハコ