jana/server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

switch to cap based home configs

Browse source
This commit is contained in:
Jana Dönszelmann 2026-01-20 16:57:10 +01:00
parent 50ee9aac83
commit 49b6f5bde0
No known key found for this signature in database
64 changed files with 2064 additions and 1779 deletions
Download patch file Download diff file Expand all files Collapse all files

53
hosts/fili/configuration.nix Normal file
View file

@ -0,0 +1,53 @@
_: {
imports = [
./hardware-configuration.nix
./storage.nix
./networking.nix
./services
];
custom.machine = {
type = "server";
capabilities = [
"cli"
];
};
networking.nameservers = [
"1.1.1.1"
"9.9.9.9"
];
networking = {
hostName = "fili";
networkmanager.enable = true;
};
nix.settings = {
# users that can interact with nix
trusted-users = [
"jana"
"root"
];
};
boot.initrd = {
supportedFilesystems = [ "nfs" ];
kernelModules = [ "nfs" ];
};
# use systemd-boot as bootloader
boot.loader.systemd-boot.enable = true;
# secrets
sops.age.keyFile = "/sops/sops-key.txt";
sops.defaultSopsFormat = "dotenv";
users.extraUsers.jana.extraGroups = [
"storage"
"syncthing"
"jellyfin"
"media"
"nginx"
];
}

49
hosts/fili/hardware-configuration.nix Normal file
View file

@ -0,0 +1,49 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/ccc13e67-82d6-4dd1-b627-8eed8d28a200";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/2BF5-CEBD";
fsType = "vfat";
};
swapDevices = [ { device = "/dev/disk/by-uuid/eb6ee273-11d1-4f11-8230-45be75fe036f"; } ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

12
hosts/fili/networking.nix Normal file
View file

@ -0,0 +1,12 @@
_: {
networking.useDHCP = false;
networking.interfaces.ens18.ipv4.addresses = [
{
address = "192.168.178.59";
prefixLength = 24;
}
];
networking.defaultGateway = "192.168.178.1";
networking.networkmanager.enable = true;
networking.firewall.enable = false;
}

6
hosts/fili/services/auth/default.nix Normal file
View file

@ -0,0 +1,6 @@
_: {
imports = [
./oauth2-proxy.nix
./pocketid.nix
];
}

47
hosts/fili/services/auth/oauth2-proxy.nix Normal file
View file

@ -0,0 +1,47 @@
{
config,
secrets,
...
}:
{
sops.secrets.oauth2-proxy = {
sopsFile = "${secrets}/oauth2-proxy.env";
};
services.oauth2-proxy = {
enable = true;
provider = "oidc";
scope = "openid profile email groups";
clientID = "38aa51e2-783e-48f0-a4b9-440e269f1217";
oidcIssuerUrl = "https://auth.donsz.nl";
reverseProxy = true;
proxyPrefix = "/oauth2";
keyFile = config.sops.secrets.oauth2-proxy.path;
email.domains = [ "*" ];
cookie = {
domain = "donsz.nl";
refresh = "1h";
secure = true;
};
extraConfig = {
whitelist-domain = [ "*.donsz.nl" ];
insecure-oidc-allow-unverified-email = true;
};
nginx.domain = "oauth2.donsz.nl";
};
services.nginx.virtualHosts."oauth2.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/".return = "301 https://oauth2.donsz.nl/oauth2/sign_in";
};
}

57
hosts/fili/services/auth/pocketid.nix Normal file
View file

@ -0,0 +1,57 @@
{ config, secrets, ... }:
{
sops.secrets.pocketid = {
owner = config.services.pocket-id.user;
sopsFile = "${secrets}/pocketid.env";
};
services.nginx.virtualHosts."auth.donsz.nl" = {
forceSSL = true;
enableACME = true;
extraConfig = ''
proxy_busy_buffers_size 512k;
proxy_buffers 4 512k;
proxy_buffer_size 256k;
'';
locations."/".proxyPass = "http://[::1]:${toString config.services.pocket-id.settings.PORT}";
};
services.pocket-id = {
enable = true;
user = "pocket-id";
environmentFile = config.sops.secrets.pocketid.path;
settings = {
PORT = 1411;
TRUST_PROXY = true;
APP_URL = "https://auth.donsz.nl";
ALLOW_USER_SIGNUPS = "withToken";
UI_CONFIG_DISABLED = true;
ALLOW_OWN_ACCOUNT_EDIT = true;
DB_PROVIDER = "postgres";
DB_CONNECTION_STRING = "postgres://pocketid:pocketid@localhost:5432/pocketid";
KEYS_STORAGE = "database";
METRICS_ENABLED = false;
TRACING_ENABLED = false;
ANALYTICS_DISABLED = true;
SESSION_DURATION = 1440;
SMTP_HOST = "smtp.fastmail.com";
SMTP_PORT = "587";
SMTP_FROM = "auth@donsz.nl";
SMTP_USER = "pocketid-auth";
SMTP_TLS = "starttls";
EMAIL_LOGIN_NOTIFICATION_ENABLED = true;
EMAIL_API_KEY_EXPIRATION_ENABLED = true;
EMAIL_ONE_TIME_ACCESS_AS_ADMIN_ENABLED = true;
ACCENT_COLOR = "#c66995";
LOG_LEVEL = "debug";
};
};
}

79
hosts/fili/services/databases.nix Normal file
View file

@ -0,0 +1,79 @@
{ pkgs, ... }:
{
services.postgresql = rec {
package = pkgs.postgresql_15;
enable = true;
enableTCPIP = true;
authentication = pkgs.lib.mkOverride 10 ''
# allow local logins
local all all trust
# loopback (v4/v6)
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
# and from podman
host all all 10.88.0.0/16 trust
# and from vms
host all all 10.0.0.0/24 trust
# and the local network
host all all 192.168.0.0/24 trust
'';
settings = {
listen_addresses = "*";
};
ensureUsers = [
{
name = "matrix";
ensureDBOwnership = true;
}
{
name = "recipes";
ensureDBOwnership = true;
}
{
name = "sleep";
ensureDBOwnership = true;
}
{
name = "houses";
ensureDBOwnership = true;
}
{
name = "dnote";
ensureDBOwnership = true;
}
{
name = "forgejo";
ensureDBOwnership = true;
}
{
name = "pocketid";
ensureDBOwnership = true;
}
];
ensureDatabases = map (i: i.name) ensureUsers;
};
services.mysql = {
enable = true;
package = pkgs.mariadb;
settings = {
mysqld = {
bind-address = "0.0.0.0";
};
};
};
networking = {
firewall.allowedTCPPorts = [
# postgres
5432
# mariadb
3306
];
};
}

15
hosts/fili/services/default.nix Normal file
View file

@ -0,0 +1,15 @@
_: {
imports = [
./nginx.nix
./databases.nix
./matrix-synapse.nix
./forgejo.nix
./obsidian-sync.nix
./metrics.nix
./factorio
./media
./websites
./auth
];
}

136
hosts/fili/services/factorio/default.nix Normal file
View file

@ -0,0 +1,136 @@
{
lib,
pkgs,
config,
secrets,
...
}:
let
factorioVersion =
version: sha:
pkgs.factorio-headless.overrideAttrs (_: {
inherit version;
src = pkgs.fetchurl {
url = "https://factorio.com/get-download/${version}/headless/linux64";
name = "factorio-headless-${version}.tar.xz";
sha256 = sha;
};
});
getMods =
modDir:
let
modList = lib.pipe modDir [
builtins.readDir
(lib.filterAttrs (k: v: v == "regular"))
(lib.mapAttrsToList (k: v: k))
(builtins.filter (lib.hasSuffix ".zip"))
];
validPath =
modFileName:
builtins.path {
path = modDir + "/${modFileName}";
name = lib.strings.sanitizeDerivationName modFileName;
};
modToDrv =
modFileName:
pkgs.runCommand "copy-factorio-mods" { } ''
mkdir $out
ln -s '${validPath modFileName}' $out/'${modFileName}'
''
// {
deps = [ ];
};
in
builtins.map modToDrv modList;
factorioContainer = name: factorio-config: {
"factorio-${name}" = {
autoStart = true;
bindMounts = {
"/var/lib/factorio" = {
hostPath = "/factorio/${name}";
isReadOnly = false;
};
"/run/secrets" = {
hostPath = "/run/secrets";
isReadOnly = true;
};
"/etc/resolv.conf" = {
hostPath = "/etc/resolv.conf";
isReadOnly = true;
};
};
privateUsers = "no";
config =
{
config,
pkgs,
lib,
...
}:
{
systemd.services.factorio.serviceConfig.User = "factorio";
services.factorio = factorio-config // {
enable = true;
openFirewall = true;
game-name = name;
saveName = name;
stateDirName = "factorio";
};
nixpkgs.config = {
allowUnfree = true;
};
system.stateVersion = "23.11";
networking = {
firewall.enable = false;
};
};
};
};
in
{
users.groups.factorio = { };
users.users.factorio = {
isSystemUser = true;
group = "factorio";
extraGroups = [ "storage" ];
};
sops.secrets.factorio = {
sopsFile = "${secrets}/factorio.json";
format = "json";
key = "";
owner = "factorio";
};
containers =
factorioContainer "tawney" {
autosave-interval = 20;
admins = [
"jonay2000"
"computerdruid"
"pineapple"
];
extraSettingsFile = config.sops.secrets.factorio.path;
# mods = getMods .factorio-mods/tawney;
package = factorioVersion "2.0.69" "sha256-I1FHuz7WtfCmmTiTxskv3+U1upWrhmBG9R+GUoS1c0E=";
port = 20001;
}
// factorioContainer "snek" {
autosave-interval = 20;
admins = [
"jonay2000"
"computerdruid"
"pineapple"
"koragendum"
];
extraSettingsFile = config.sops.secrets.factorio.path;
mods = getMods ./factorio-mods/snek;
package = factorioVersion "2.0.69" "sha256-I1FHuz7WtfCmmTiTxskv3+U1upWrhmBG9R+GUoS1c0E=";
port = 20002;
};
}

BIN
hosts/fili/services/factorio/factorio-mods/snek/VehicleSnap_2.0.2.zip Normal file
View file

Binary file not shown.

BIN
hosts/fili/services/factorio/factorio-mods/snek/factoryplanner_2.0.30.zip Normal file
View file

Binary file not shown.

BIN
hosts/fili/services/factorio/factorio-mods/snek/flib_0.16.3.zip Normal file
View file

Binary file not shown.

BIN
hosts/fili/services/factorio/factorio-mods/snek/valerian-planets_1.0.2.zip Normal file
View file

Binary file not shown.

BIN
hosts/fili/services/factorio/factorio-mods/snek/visible-planets_1.4.8.zip Normal file
View file

Binary file not shown.

167
hosts/fili/services/forgejo.nix Normal file
View file

@ -0,0 +1,167 @@
{
pkgs,
config,
flakes,
secrets,
...
}:
{
sops.secrets.forgejo = {
sopsFile = "${secrets}/forgejo.yaml";
key = "email_password";
format = "yaml";
};
users = {
groups = {
forgejo = { };
forgejo-runner = { };
};
users.forgejo = {
isSystemUser = true;
group = "forgejo";
extraGroups = [ "storage" ];
};
users.forgejo-runner = {
isSystemUser = true;
group = "forgejo-runner";
};
};
services.nginx.virtualHosts."git.donsz.nl" = {
forceSSL = true;
enableACME = true;
extraConfig = ''
client_max_body_size 512M;
'';
locations."/" = {
proxyPass = "http://[::1]:13121";
extraConfig = ''
rewrite ^/user/login.*$ /user/oauth2/pocketid last;
'';
};
};
services.forgejo = {
enable = true;
lfs.enable = true;
user = "forgejo";
group = "forgejo";
repositoryRoot = "/storage/storage/git";
database = {
type = "postgres";
name = "forgejo";
createDatabase = false;
};
settings = {
DEFAULT = {
APP_NAME = "jana's git server";
APP_SLOGAN = "meow!";
};
server = {
DOMAIN = "git.donsz.nl";
ROOT_URL = "https://git.donsz.nl/";
HTTP_PORT = 13121;
};
service = {
DISABLE_REGISTRATION = false;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
SHOW_REGISTRATION_BUTTON = false;
ENABLE_PASSWORD_SIGNIN_FORM = false;
};
openid = {
ENABLE_OPENID_SIGNUP = true;
};
oauth2_client = {
REGISTER_EMAIL_CONFIRM = false;
ENABLE_AUTO_REGISTRATION = true;
UPDATE_AVATAR = true;
ACCOUNT_LINKING = "auto";
};
actions = {
ENABLED = true;
DEFAULT_ACTIONS_URL = "github";
};
repository = {
DEFAULT_PRIVATE = "private";
DISABLE_HTTP_GIT = true;
};
mailer = {
ENABLED = true;
SMTP_ADDR = "smtp.fastmail.com";
FROM = "git@donsz.nl";
USER = "git@donsz.nl";
PASSWD = config.sops.secrets.forgejo.path;
};
};
};
sops.secrets.forgejo-runner = {
sopsFile = "${secrets}/forgejo-runner.env";
};
nix = {
settings = {
trusted-users = [
"forgejo-runner"
];
trusted-public-keys = [
"jana.cachix.org-1:LN0lzHx7QH1RBoDn3+psi4HOEAXW3EqRa/u0ncQ1XBE="
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
];
substituters = [
"https://jana.cachix.org/"
"https://cache.nixos.org/"
];
trusted-substituters = [
"https://jana.cachix.org/"
"https://cache.nixos.org/"
];
};
};
services.gitea-actions-runner = {
package = pkgs.forgejo-runner;
instances.fili = {
enable = true;
name = "forgejo-runner-01";
tokenFile = config.sops.secrets.forgejo-runner.path;
url = "https://git.donsz.nl/";
labels = [
"nix:host"
"docker:docker://node:16-bullseye"
"ubuntu-latest:docker://node:16-bullseye"
];
settings = { };
hostPackages = with pkgs; [
# default ones
bash
coreutils
curl
gawk
gitMinimal
gnused
nodejs
wget
# used in deployments
flakes.colmena.defaultPackage."x86_64-linux"
lix
openssh
];
};
};
virtualisation.docker = {
daemon.settings = {
fixed-cidr-v6 = "fd00::/80";
ipv6 = true;
};
};
networking.firewall.trustedInterfaces = [ "br-+" ];
}

101
hosts/fili/services/matrix-synapse.nix Normal file
View file

@ -0,0 +1,101 @@
_:
let
server_name = "jdonszelmann.nl";
domain = "matrix.${server_name}";
port = 11001;
in
{
services.nginx.virtualHosts.${domain} = {
enableACME = true;
forceSSL = true;
locations."/_matrix" = {
proxyPass = "http://[::1]:${toString port}";
proxyWebsockets = true;
};
locations."/_synapse/client" = {
proxyPass = "http://[::1]:${toString port}";
proxyWebsockets = true;
};
};
services.nginx.virtualHosts.${server_name} = {
enableACME = true;
forceSSL = true;
locations."/.well-known/matrix/client".extraConfig = ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${
builtins.toJSON {
"m.homeserver".base_url = "https://${domain}";
"m.identity_server" = { };
}
}';
'';
locations."/.well-known/matrix/server".extraConfig = ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON { "m.server" = "${domain}:443"; }}';
'';
};
services.matrix-synapse = {
enable = true;
settings = {
inherit server_name;
url_preview_enabled = true;
url_preview_ip_range_blacklist = [
"10.0.0.0/8"
"100.64.0.0/10"
"127.0.0.0/8"
"169.254.0.0/16"
"172.16.0.0/12"
"192.0.0.0/24"
"192.0.2.0/24"
"192.168.0.0/16"
"192.88.99.0/24"
"198.18.0.0/15"
"198.51.100.0/24"
"2001:db8::/32"
"203.0.113.0/24"
"224.0.0.0/4"
"::1/128"
"fc00::/7"
"fe80::/10"
"fec0::/10"
"ff00::/8"
];
};
extras = [
"url-preview"
];
settings.listeners = [
{
inherit port;
bind_addresses = [ "::1" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = [
"client"
"federation"
];
compress = true;
}
];
}
];
settings.registration_shared_secret = "eaU6JgZloozOfFU0tdkYh50CQBs8us0WzTuaaoGDWfwzGPwvABBSVXuqJHh5Pijx";
settings.database = {
name = "psycopg2";
args = {
database = "matrix";
user = "matrix";
};
};
};
}

54
hosts/fili/services/media/autobrr.nix Normal file
View file

@ -0,0 +1,54 @@
{ config, secrets, ... }:
{
sops.secrets.autobrr = {
sopsFile = "${secrets}/autobrr.yaml";
key = "key";
format = "yaml";
};
services.nginx = {
virtualHosts."autobrr.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
proxyPass = "http://${config.services.autobrr.settings.host}:${toString config.services.autobrr.settings.port}";
};
};
};
# oauth access to the service
services.oauth2-proxy.nginx.virtualHosts."autobrr.donsz.nl" = {
allowed_groups = [ "torrent" ];
};
# vpnNamespaces.mullvad.portMappings = [
# {
# from = config.services.autobrr.settings.port;
# to = config.services.autobrr.settings.port;
# }
# ];
# vpnNamespaces.mullvad.openVPNPorts = [
# {
# # irc port
# port = 7021;
# protocol = "both";
# }
# ];
# systemd.services.autobrr.vpnConfinement = {
# enable = true;
# vpnNamespace = "mullvad";
# };
services.autobrr = {
enable = true;
settings = {
logLevel = "DEBUG";
checkForUpdates = false;
host = "localhost";
port = 11012;
};
secretFile = config.sops.secrets.autobrr.path;
};
}

12
hosts/fili/services/media/default.nix Normal file
View file

@ -0,0 +1,12 @@
_: {
imports = [
./overseerr.nix
./radarr.nix
./sonarr.nix
./torrent.nix
./jackett.nix
./jellyfin.nix
./autobrr.nix
./vpn.nix
];
}

36
hosts/fili/services/media/jackett.nix Normal file
View file

@ -0,0 +1,36 @@
{ config, ... }:
{
services.nginx = {
virtualHosts."jackett.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.jackett.port}";
};
};
};
# vpnNamespaces.mullvad.portMappings = [
# {
# from = config.services.jackett.port;
# to = config.services.jackett.port;
# }
# ];
# systemd.services.autobrr.vpnConfinement = {
# enable = true;
# vpnNamespace = "mullvad";
# };
services.oauth2-proxy.nginx.virtualHosts."jackett.donsz.nl" = {
allowed_groups = [ "torrent" ];
};
services.jackett = {
enable = true;
group = "jellyfin";
user = "jellyfin";
port = 11013;
};
}

150
hosts/fili/services/media/jellyfin.nix Normal file
View file

@ -0,0 +1,150 @@
{
pkgs,
config,
...
}:
let
jellyfin-config = ''
{
"includeCorsCredentials": false,
"multiserver": false,
"themes": [
{
"name": "Apple TV",
"id": "appletv",
"color": "#bcbcbc"
}, {
"name": "Blue Radiance",
"id": "blueradiance",
"color": "#011432"
}, {
"name": "Dark",
"id": "dark",
"color": "#202020",
"default": true
}, {
"name": "Light",
"id": "light",
"color": "#303030"
}, {
"name": "Purple Haze",
"id": "purplehaze",
"color": "#000420"
}, {
"name": "WMC",
"id": "wmc",
"color": "#0c2450"
}
],
"menuLinks": [
{
"name": "Link SSO Account",
"icon": "add_link",
"url": "https://media.donsz.nl/SSOViews/linking"
}
],
"servers": [],
"plugins": [
"playAccessValidation/plugin",
"experimentalWarnings/plugin",
"htmlAudioPlayer/plugin",
"htmlVideoPlayer/plugin",
"photoPlayer/plugin",
"comicsPlayer/plugin",
"bookPlayer/plugin",
"youtubePlayer/plugin",
"backdropScreensaver/plugin",
"pdfPlayer/plugin",
"logoScreensaver/plugin",
"sessionPlayer/plugin",
"chromecastPlayer/plugin",
"syncPlay/plugin"
]
}
'';
in
{
environment.systemPackages = [
pkgs.jellyfin
pkgs.jellyfin-web
pkgs.jellyfin-ffmpeg
];
services.nginx.virtualHosts."media.donsz.nl" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:8096";
extraConfig = ''
proxy_buffering off;
'';
};
locations."/socket" = {
inherit (config.services.nginx.virtualHosts."media.donsz.nl".locations."/")
proxyPass
;
proxyWebsockets = true;
};
};
users.groups.jellyfin = { };
users.users.jellyfin = {
isSystemUser = true;
group = "jellyfin";
extraGroups = [ "storage" ];
};
services.nginx.virtualHosts."media.donsz.nl".locations."/web/config.json".extraConfig = ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${jellyfin-config}';
'';
services.jellyfin = {
enable = true;
openFirewall = true;
user = "jellyfin";
group = "jellyfin";
};
# Only set this if you're using intel-vaapi-driver (see below):
nixpkgs.config.packageOverrides = pkgs: {
intel-vaapi-driver = pkgs.intel-vaapi-driver.override { enableHybridCodec = true; };
};
systemd.services.jellyfin.environment.LIBVA_DRIVER_NAME = "iHD"; # or i965, see below
environment.sessionVariables = {
LIBVA_DRIVER_NAME = "iHD";
}; # ditto
hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
intel-ocl
intel-media-driver
# intel-media-sdk
];
};
# hardware.graphics = {
# enable = true;
# package = pkgs.intel-media-driver;
# };
# systemd.services.jellyfin = {
# # if EncoderAppPath is manually set in the web UI, it can never be updated through --ffmpeg
# preStart = "test ! -e /var/lib/jellyfin/config/encoding.xml || sed -i '/<EncoderAppPath>/d' /var/lib/jellyfin/config/encoding.xml";
# serviceConfig = {
# # allow access to GPUs for hardware transcoding
# DeviceAllow = lib.mkForce "char-drm";
# BindPaths = lib.mkForce "/dev/dri";
# # to allow restarting from web ui
# Restart = lib.mkForce "always";
# Slice = "mediaplayback.slice";
# };
# };
}

27
hosts/fili/services/media/overseerr.nix Normal file
View file

@ -0,0 +1,27 @@
{ ... }:
let
port = 11002;
in
{
services.nginx.virtualHosts."req.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
proxyPass = "http://[::1]:${toString port}";
};
};
virtualisation.oci-containers.containers = {
overseerr = {
image = "ghcr.io/fallenbagel/jellyseerr:preview-seerr";
environment = {
};
extraOptions = [ "--network=host" ];
volumes = [
"/var/lib/microvms/rr/storage/data/overseerr:/app/config"
];
};
};
}

29
hosts/fili/services/media/radarr.nix Normal file
View file

@ -0,0 +1,29 @@
{ pkgs, ... }:
{
services.nginx = {
virtualHosts."radarr.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
proxyPass = "http://[::1]:7878";
};
};
};
services.oauth2-proxy.nginx.virtualHosts."radarr.donsz.nl" = {
allowed_groups = [ "torrent" ];
};
services.radarr = {
enable = true;
group = "jellyfin";
user = "jellyfin";
environmentFiles = [
(pkgs.writeText "env" ''
RADARR__AUTH__METHOD="External"
'')
];
};
}

29
hosts/fili/services/media/sonarr.nix Normal file
View file

@ -0,0 +1,29 @@
{ pkgs, ... }:
{
services.nginx = {
virtualHosts."sonarr.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
proxyPass = "http://[::1]:8989";
};
};
};
services.oauth2-proxy.nginx.virtualHosts."sonarr.donsz.nl" = {
allowed_groups = [ "torrent" ];
};
services.sonarr = {
enable = true;
group = "jellyfin";
user = "jellyfin";
environmentFiles = [
(pkgs.writeText "env" ''
SONARR__AUTH__METHOD="External"
'')
];
};
}

73
hosts/fili/services/media/torrent.nix Normal file
View file

@ -0,0 +1,73 @@
{ pkgs, ... }:
{
vpnNamespaces.mullvad.portMappings = [
{
from = 9091;
to = 9091;
} # UI Port.
{
from = 5432;
to = 5432;
} # DB Port.
];
vpnNamespaces.mullvad.openVPNPorts = [
{
port = 50909;
protocol = "both";
}
];
services.nginx = {
virtualHosts."dl.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
proxyPass = "http://192.168.15.1:9091";
};
};
};
services.oauth2-proxy.nginx.virtualHosts."dl.donsz.nl" = {
allowed_groups = [ "torrent" ];
};
systemd.services.transmission.vpnConfinement = {
enable = true;
vpnNamespace = "mullvad";
};
services.transmission = {
enable = true;
package = pkgs.transmission_4;
webHome = pkgs.stdenv.mkDerivation {
name = "flood-modified";
version = "1.0";
src = pkgs.flood-for-transmission;
installPhase = ''
mkdir -p $out
cp -r ./* $out
cp ./config.json.defaults $out/config.json
'';
};
home = "/var/lib/transmission";
user = "jellyfin";
group = "jellyfin";
settings = {
download-dir = "/storage/storage/torrents";
incomplete-dir-enabled = false;
incomplete-dir = "/storage/storage/torrents";
rpc-bind-address = "192.168.15.1";
rpc-host-whitelist-enabled = false;
rpc-whitelist-enabled = false;
rpc-port = 9091;
peer-port = 50909;
cache-size-mb = 2048;
preallocation = 1;
};
};
}

16
hosts/fili/services/media/vpn.nix Normal file
View file

@ -0,0 +1,16 @@
{ config, secrets, ... }:
{
sops.secrets.mullvad = {
sopsFile = "${secrets}/mullvad.yaml";
owner = "root";
format = "yaml";
};
vpnNamespaces.mullvad = {
enable = true;
wireguardConfigFile = config.sops.secrets.mullvad.path;
accessibleFrom = [
"192.168.0.0/16"
];
};
}

371
hosts/fili/services/metrics.nix Normal file
View file

@ -0,0 +1,371 @@
{
pkgs,
config,
secrets,
...
}:
let
lib = pkgs.lib;
in
{
services.prometheus = {
enable = true;
globalConfig = {
scrape_interval = "15s";
};
scrapeConfigs =
map
(
{ name, value }:
{
job_name = name;
static_configs = [
{
targets = [
"${config.services.prometheus.exporters.${name}.listenAddress}:${
toString config.services.prometheus.exporters.${name}.port
}"
];
}
];
}
)
(
builtins.filter (
{ value, ... }: (builtins.tryEval value).success && (builtins.isAttrs value) && value.enable
) (lib.attrsToList config.services.prometheus.exporters)
);
};
services.prometheus.exporters = {
node = {
enable = true;
port = 9001;
listenAddress = "127.0.0.1";
enabledCollectors = [
"cpu"
"filesystem"
"loadavg"
"systemd"
];
disabledCollectors = [ "rapl" ];
extraFlags = [
"--collector.ethtool"
"--collector.softirqs"
"--collector.tcpstat"
];
};
process = {
enable = true;
listenAddress = "127.0.0.1";
port = 9256;
};
smartctl = {
enable = true;
port = 9633;
listenAddress = "127.0.0.1";
};
postgres = {
enable = true;
port = 9634;
listenAddress = "127.0.0.1";
runAsLocalSuperUser = true;
};
};
services.loki = {
enable = true;
configuration = {
auth_enabled = false;
server = {
http_listen_port = 3100;
grpc_listen_port = 9096;
};
common = {
instance_addr = "127.0.0.1";
path_prefix = "/tmp/loki";
storage = {
filesystem = {
chunks_directory = "/tmp/loki/chunks";
rules_directory = "/tmp/loki/rules";
};
};
replication_factor = 1;
ring = {
kvstore = {
store = "inmemory";
};
};
};
query_range = {
results_cache = {
cache = {
embedded_cache = {
enabled = true;
max_size_mb = 100;
};
};
};
};
limits_config = {
allow_structured_metadata = false;
reject_old_samples = true;
reject_old_samples_max_age = "120d";
retention_period = "120d";
};
schema_config = {
configs = [
{
from = "2020-10-24";
store = "tsdb";
object_store = "filesystem";
schema = "v13";
index = {
prefix = "index_";
period = "24h";
};
}
{
from = "2024-07-11";
store = "tsdb";
object_store = "filesystem";
schema = "v13";
index = {
prefix = "index_";
period = "24h";
};
}
];
};
ruler = {
alertmanager_url = "http://localhost:9093";
};
analytics.reporting_enabled = false;
};
};
systemd.services.promtail.serviceConfig.User = lib.mkForce "nginx";
services.promtail = {
enable = true;
configuration = {
server = {
http_listen_port = 3031;
grpc_listen_port = 0;
};
positions = {
filename = "/tmp/positions.yaml";
};
clients = [
{
url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
}
];
scrape_configs = [
{
job_name = "nginx";
static_configs = [
{
targets = [ "localhost" ];
labels = {
job = "nginx";
host = "fili";
__path__ = "/var/log/nginx/json_access.log";
};
}
];
pipeline_stages = [
{
json = {
expressions = {
msec = "msec";
connection = "connection";
connection_requests = "connection_requests";
pid = "pid";
request_id = "request_id";
request_length = "request_length";
remote_addr = "remote_addr";
remote_user = "remote_user";
remote_port = "remote_port";
time_local = "time_local";
time_iso8601 = "time_iso8601";
request = "request";
request_uri = "request_uri";
args = "args";
status = "status";
body_bytes_sent = "body_bytes_sent";
bytes_sent = "bytes_sent";
http_referer = "http_referer";
http_user_agent = "http_user_agent";
http_x_forwarded_for = "http_x_forwarded_for";
http_host = "http_host";
server_name = "server_name";
request_time = "request_time";
upstream = "upstream";
upstream_connect_time = "upstream_connect_time";
upstream_header_time = "upstream_header_time";
upstream_response_time = "upstream_response_time";
upstream_response_length = "upstream_response_length";
upstream_cache_status = "upstream_cache_status";
ssl_protocol = "ssl_protocol";
ssl_cipher = "ssl_cipher";
scheme = "scheme";
request_method = "request_method";
server_protocol = "server_protocol";
pipe = "pipe";
gzip_ratio = "gzip_ratio";
http_cf_ray = "http_cf_ray";
};
};
}
{
timestamp = {
source = "msec";
format = "Unix";
};
}
# {
# geoip = {
# db = "/var/lib/geoip-databases/GeoLite2-City.mmdb";
# source = "remote_addr";
# db_type = "city";
# };
# }
# {
# pack = {
# labels = [ "geoip_country_name" ];
# };
# }
];
}
{
job_name = "journal";
journal = {
max_age = "12h";
labels = {
job = "systemd-journal";
host = "fili";
};
};
relabel_configs = [
{
source_labels = [ "__journal__systemd_unit" ];
target_label = "unit";
}
];
}
];
};
};
services.grafana = {
enable = true;
settings = {
server = {
domain = "metrics.donsz.nl";
http_port = 2342;
http_addr = "127.0.0.1";
};
"auth.anonymous".enabled' = true;
};
provision = {
enable = true;
datasources = {
settings.datasources = [
{
type = "prometheus";
name = "Prometheus";
url = "http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}";
}
{
name = "Loki";
type = "loki";
url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}";
}
];
};
};
};
sops.secrets.geoip = {
sopsFile = "${secrets}/geoip.yaml";
key = "key";
format = "yaml";
};
services.geoipupdate = {
enable = true;
settings = {
LicenseKey = config.sops.secrets.geoip.path;
AccountID = 1247225;
DatabaseDirectory = "/var/lib/geoip-databases";
EditionIDs = [
"GeoLite2-ASN"
"GeoLite2-City"
"GeoLite2-Country"
];
};
};
services.nginx.virtualHosts.${config.services.grafana.settings.server.domain} = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass =
"http://${config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}";
};
services.nginx.package = pkgs.nginxStable.override (oldAttrs: {
modules = with pkgs.nginxModules; [ geoip2 ];
buildInputs = oldAttrs.buildInputs ++ [ pkgs.libmaxminddb ];
});
services.nginx.commonHttpConfig = ''
autoindex_localtime on;
geoip2 /var/lib/geoip-databases/GeoLite2-Country.mmdb {
$geoip2_data_country_iso_code country iso_code;
}
log_format json_analytics escape=json '{'
'"msec": "$msec", ' # request unixtime in seconds with a milliseconds resolution
'"connection": "$connection", ' # connection serial number
'"connection_requests": "$connection_requests", ' # number of requests made in connection
'"pid": "$pid", ' # process pid
'"request_id": "$request_id", ' # the unique request id
'"request_length": "$request_length", ' # request length (including headers and body)
'"remote_addr": "$remote_addr", ' # client IP
'"remote_user": "$remote_user", ' # client HTTP username
'"remote_port": "$remote_port", ' # client port
'"time_local": "$time_local", '
'"time_iso8601": "$time_iso8601", ' # local time in the ISO 8601 standard format
'"request": "$request", ' # full path no arguments if the request
'"request_uri": "$request_uri", ' # full path and arguments if the request
'"args": "$args", ' # args
'"status": "$status", ' # response status code
'"body_bytes_sent": "$body_bytes_sent", ' # the number of body bytes exclude headers sent to a client
'"bytes_sent": "$bytes_sent", ' # the number of bytes sent to a client
'"http_referer": "$http_referer", ' # HTTP referer
'"http_user_agent": "$http_user_agent", ' # user agent
'"http_x_forwarded_for": "$http_x_forwarded_for", ' # http_x_forwarded_for
'"http_host": "$http_host", ' # the request Host: header
'"server_name": "$server_name", ' # the name of the vhost serving the request
'"request_time": "$request_time", ' # request processing time in seconds with msec resolution
'"upstream": "$upstream_addr", ' # upstream backend server for proxied requests
'"upstream_connect_time": "$upstream_connect_time", ' # upstream handshake time incl. TLS
'"upstream_header_time": "$upstream_header_time", ' # time spent receiving upstream headers
'"upstream_response_time": "$upstream_response_time", ' # time spend receiving upstream body
'"upstream_response_length": "$upstream_response_length", ' # upstream response length
'"upstream_cache_status": "$upstream_cache_status", ' # cache HIT/MISS where applicable
'"ssl_protocol": "$ssl_protocol", ' # TLS protocol
'"ssl_cipher": "$ssl_cipher", ' # TLS cipher
'"scheme": "$scheme", ' # http or https
'"request_method": "$request_method", ' # request method
'"server_protocol": "$server_protocol", ' # request protocol, like HTTP/1.1 or HTTP/2.0
'"pipe": "$pipe", ' # "p" if request was pipelined, "." otherwise
'"gzip_ratio": "$gzip_ratio", '
'"http_cf_ray": "$http_cf_ray", '
'"geoip_country_code": "$geoip2_data_country_iso_code"'
'}';
access_log /var/log/nginx/json_access.log json_analytics;
'';
}

22
hosts/fili/services/nginx.nix Normal file
View file

@ -0,0 +1,22 @@
{ pkgs, config, ... }:
{
services.nginx = {
enable = true;
statusPage = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
clientMaxBodySize = "499m";
logError = "stderr debug";
};
networking.firewall.allowedTCPPorts = [
80
443
];
security.acme.defaults.email = "jana@donsz.nl";
security.acme.acceptTerms = true;
}

56
hosts/fili/services/obsidian-sync.nix Normal file
View file

@ -0,0 +1,56 @@
{
pkgs,
config,
secrets,
...
}:
let
port = 5984;
in
{
sops.secrets.obsidian-sync = {
sopsFile = "${secrets}/obsidian-sync.ini";
format = "ini";
owner = "couchdb";
};
services.couchdb = {
enable = true;
inherit port;
package = pkgs.couchdb3;
configFile = config.sops.secrets.obsidian-sync.path;
extraConfig = {
chttpd = {
require_valid_user = true;
enable_cors = true;
max_http_request_size = 4294967296;
};
chttpd_auth.require_valid_user = true;
httpd = {
WWW-Authenticate = ''Basic realm="couchdb"'';
enable_cors = true;
};
couchdb.max_document_size = 50000000;
cors = {
credentials = true;
headers = "accept, authorization, content-type, origin, referer";
methods = "GET,PUT,POST,HEAD,DELETE";
max_age = 3600;
origins = "app://obsidian.md,capacitor://localhost,http://localhost,https://localhost,capacitor://obsidian.donsz.nl,http://obsidian.donsz.nl,https://obsidian.donsz.nl";
};
};
};
services.nginx.virtualHosts."obsidian.donsz.nl" = {
forceSSL = true;
enableACME = true;
extraConfig = ''
client_max_body_size 512M;
'';
locations."/".proxyPass = "http://localhost:${toString port}";
};
}

14
hosts/fili/services/websites/compiler-construction-2021.nix Normal file
View file

@ -0,0 +1,14 @@
{ pkgs, flakes, ... }:
{
services.nginx = {
virtualHosts."compiler-construction-2021.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
root = flakes.compiler-construction-2021.packages.${pkgs.system}.website;
};
};
};
}

12
hosts/fili/services/websites/default.nix Normal file
View file

@ -0,0 +1,12 @@
_: {
imports = [
./reviewqueue.nix
./homepage.nix
./totpal.nix
./harmonica-tabs.nix
./mapf.nix
./compiler-construction-2021.nix
./mapfm-poster.nix
./money-is-fckn-gay.nix
];
}

29
hosts/fili/services/websites/harmonica-tabs.nix Normal file
View file

@ -0,0 +1,29 @@
{ pkgs, flakes, ... }:
{
services.nginx = {
virtualHosts."harmonica.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
proxyPass = "http://[::1]:42424";
};
};
};
systemd.services.harmonica-tabs = {
description = "harmonica tabs";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
restartIfChanged = true;
serviceConfig = {
DynamicUser = true;
ExecStart = "${flakes.harmonica.packages.${pkgs.system}.default}/bin/services";
WorkingDirectory = "${flakes.harmonica.packages.${pkgs.system}.default}";
Restart = "always";
};
};
}

48
hosts/fili/services/websites/homepage.nix Normal file
View file

@ -0,0 +1,48 @@
{ flakes, pkgs, ... }:
{
services.nginx = {
virtualHosts."donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
root = "${flakes.homepage.packages.${pkgs.system}.website}";
};
};
virtualHosts."blog.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/".return = "301 https://donsz.nl/blog";
};
virtualHosts."gay.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
root = "${flakes.homepage.packages.${pkgs.system}.website-gay}";
};
};
virtualHosts."jana.is.fckn.gay" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
root = "${flakes.homepage.packages.${pkgs.system}.website-gay}";
};
};
virtualHosts."jdonszelmann.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
root = "${flakes.homepage.packages.${pkgs.system}.website}";
};
};
};
}

51
hosts/fili/services/websites/mapf.nix Normal file
View file

@ -0,0 +1,51 @@
{
config,
flakes,
pkgs,
secrets,
...
}:
{
sops.secrets.mapf = {
sopsFile = "${secrets}/mapf-prod.env";
};
services.nginx = {
virtualHosts."mapf.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
proxyPass = "http://[::1]:8080";
};
};
};
systemd.services.mapf-server =
let
package = flakes.mapf.packages.${pkgs.system}.default;
in
{
description = "mapf-server";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
DynamicUser = "yes";
ExecStart = "${package}/mapf_server_bin";
Restart = "on-failure";
RestartSec = "5s";
EnvironmentFile = config.sops.secrets.mapf.path;
WorkingDirectory = "${package}";
};
environment = {
MAPF_TEMPLATEFOLDER = "${package}/templates";
MAPF_DBUSER = "mapfprod";
MAPF_DBPASSWORD = "";
MAPF_DBPORT = "3306";
MAPF_DBHOST = "localhost";
MAPF_DBDATABASE = "mapfprod";
};
};
}

26
hosts/fili/services/websites/mapfm-poster.nix Normal file
View file

@ -0,0 +1,26 @@
{ pkgs, ... }:
{
services.nginx.virtualHosts."mapfm-poster.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
root = pkgs.stdenv.mkDerivation rec {
pname = "research-project-poster";
version = "2021-06-27";
src = pkgs.fetchFromGitHub {
owner = "jdonszelmann";
repo = "research-project";
rev = "f1c0c5d839197f825b555780271781281ba10ac3";
sha256 = "sha256-YJxcLRABU3yRS/U/XNLpTIXtve0cFfnwPKr+1oY0HeY=";
};
installPhase = ''
mkdir -p $out
cp -r assets/final_poster/* $out
'';
};
};
};
}

86
hosts/fili/services/websites/money-is-fckn-gay.nix Normal file
View file

@ -0,0 +1,86 @@
{
pkgs,
flakes,
...
}:
let
mifg-config = api-url: api-port: public-url: service-name: {
nginx = {
virtualHosts."${api-url}" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:${toString api-port}";
proxyWebsockets = true;
};
};
virtualHosts."${public-url}" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
root = flakes.mifg.packages.${pkgs.system}.frontend.override {
api_base_url = "https://${api-url}";
};
tryFiles = "$uri $uri/ /index.html";
};
};
};
service = {
description = "money is fckn gay";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
restartIfChanged = true;
serviceConfig = {
ExecStart = "${flakes.mifg.packages.${pkgs.system}.backend}/bin/backend";
Restart = "always";
# EnvironmentFile = "/run/secrets/reviewqueue";
StateDirectory = "${service-name}";
};
environment = {
MIFG_DATABASE_LOCATION = "/var/lib/${service-name}/db.sqlite";
MIFG_FRONTEND_ORIGIN = "https://${public-url}";
MIFG_PORT = toString api-port;
LD_LIBRARY_PATH =
with pkgs;
lib.makeLibraryPath [
openssl
sqlite
];
};
};
};
real = (mifg-config "api.money.is.fckn.gay" 11009 "money.is.fckn.gay" "money");
staging = (mifg-config "api.money-staging.donsz.nl" 11010 "money-staging.donsz.nl" "money-staging");
lib = pkgs.lib;
in
{
services.nginx = lib.mkMerge [
real.nginx
staging.nginx
];
systemd.services.money = real.service;
systemd.services.money-staging = lib.mkMerge [
staging.service
{
serviceConfig.ExecStartPre = "${(pkgs.writeShellScriptBin "setup-staging" ''
REAL_DB_LOCATION="/var/lib/money/"
STAGING_DB_LOCATION="/var/lib/money-staging/"
echo "$REAL_DB_LOCATION"
echo "$STAGING_DB_LOCATION"
mkdir -p $STAGING_DB_LOCATION
cp -r $REAL_DB_LOCATION/* $STAGING_DB_LOCATION
'')}/bin/setup-staging";
}
];
}

50
hosts/fili/services/websites/reviewqueue.nix Normal file
View file

@ -0,0 +1,50 @@
{
pkgs,
flakes,
secrets,
...
}:
{
sops.secrets.reviewqueue = {
sopsFile = "${secrets}/reviewqueue.env";
};
services.nginx = {
virtualHosts."queue.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:3000";
proxyWebsockets = true;
};
};
};
systemd.services.reviewqueue = {
description = "Review Queue";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
restartIfChanged = true;
serviceConfig = {
ExecStart = "${flakes.reviewqueue.packages.${pkgs.system}.default}/bin/reviewqueue";
Restart = "always";
EnvironmentFile = "/run/secrets/reviewqueue";
StateDirectory = "reviewqueue";
};
environment = {
DB_PATH = "/var/lib/reviewqueue/db.sqlite";
LD_LIBRARY_PATH =
with pkgs;
lib.makeLibraryPath [
openssl
sqlite
];
};
};
}

25
hosts/fili/services/websites/totpal.nix Normal file
View file

@ -0,0 +1,25 @@
{ flakes, pkgs, ... }:
let
totpal = flakes.totpal.packages.${pkgs.system}.default;
in
{
services.nginx = {
virtualHosts."totpal.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
proxyPass = "http://[::1]:2442";
};
};
};
systemd.services.totpal = {
description = "totpal";
serviceConfig = {
Type = "simple";
ExecStart = "${totpal}/bin/totpal";
};
};
}

51
hosts/fili/storage.nix Normal file
View file

@ -0,0 +1,51 @@
{
config,
lib,
pkgs,
modulesPath,
...
}:
let
directory = "/storage";
storage = "${directory}/storage";
in
{
boot.swraid.enable = true;
boot.swraid.mdadmConf = ''
ARRAY /dev/md0 metadata=1.2 name=fili:0 UUID=0796fee2:0d9f2908:24af61b0:1250fa0e
'';
# todo: email notifications (through PROGRAM)
fileSystems.storage = {
mountPoint = "${storage}";
device = "/dev/md0";
fsType = "btrfs";
options = [
"compress=zstd"
];
};
# for vpn in containers
fileSystems."/tmp/net_cls" = {
device = "net_cls";
fsType = "cgroup";
options = [ "net_cls" ];
};
# don't allow execute permissions for "other" people
# (not root user and not in storage group)
# to effectively disallow people outside the storage group
# to access /storage
systemd.tmpfiles.rules = [
"d ${directory} 0777 root ${config.users.groups.storage.name}"
];
users.groups.storage = {
name = "storage";
members = [ config.users.users.jana.name ];
};
networking.firewall.allowedTCPPorts = [
2049
];
}