initial setup

2025-06-27 22:44:26 +02:00 · 2025-06-27 22:44:26 +02:00 · b27835f9b7
commit b27835f9b7
26 changed files with 964 additions and 0 deletions
--- a/fili/configuration.nix
+++ b/fili/configuration.nix
@ -0,0 +1,37 @@
+_: {
+  imports = [
+    ./hardware-configuration.nix
+    ./storage.nix
+    ./networking.nix
+    ./services
+  ];
+
+  networking.nameservers = [
+    "1.1.1.1"
+    "9.9.9.9"
+  ];
+
+  networking = {
+    hostName = "fili";
+  };
+
+  nix.settings = {
+    # users that can interact with nix
+    trusted-users = [
+      "jana"
+      "root"
+    ];
+  };
+
+  boot.initrd = {
+    supportedFilesystems = [ "nfs" ];
+    kernelModules = [ "nfs" ];
+  };
+
+  # use systemd-boot as bootloader
+  boot.loader.systemd-boot.enable = true;
+
+  # secrets
+  sops.age.keyFile = "/sops/sops-key.txt";
+  sops.defaultSopsFormat = "dotenv";
+}
--- a/fili/hardware-configuration.nix
+++ b/fili/hardware-configuration.nix
@ -0,0 +1,49 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "ata_piix"
+    "uhci_hcd"
+    "virtio_pci"
+    "virtio_scsi"
+    "sd_mod"
+    "sr_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/ccc13e67-82d6-4dd1-b627-8eed8d28a200";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/2BF5-CEBD";
+    fsType = "vfat";
+  };
+
+  swapDevices = [ { device = "/dev/disk/by-uuid/eb6ee273-11d1-4f11-8230-45be75fe036f"; } ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/fili/networking.nix
+++ b/fili/networking.nix
@ -0,0 +1,12 @@
+_: {
+  networking.useDHCP = false;
+  networking.interfaces.ens18.ipv4.addresses = [
+    {
+      address = "192.168.178.59";
+      prefixLength = 24;
+    }
+  ];
+  networking.defaultGateway = "192.168.178.1";
+  networking.nameservers = [ "8.8.8.8" ];
+  networking.networkmanager.enable = true;
+}
--- a/fili/services/databases.nix
+++ b/fili/services/databases.nix
@ -0,0 +1,71 @@
+{ pkgs, ... }:
+{
+  services.postgresql = rec {
+    package = pkgs.postgresql_15;
+    enable = true;
+    enableTCPIP = true;
+    authentication = pkgs.lib.mkOverride 10 ''
+      # allow local logins
+      local all all               trust
+
+      # loopback (v4/v6)
+      host all all 127.0.0.1/32   trust
+      host all all ::1/128        trust
+
+      # and from podman
+      host all all 10.88.0.0/16   trust
+
+      # and from vms
+      host all all 10.0.0.0/24    trust
+
+      # and the local network
+      host all all 192.168.0.0/24 trust
+    '';
+    settings = {
+      listen_addresses = "*";
+    };
+
+    ensureUsers = [
+      {
+        name = "matrix";
+        ensureDBOwnership = true;
+      }
+      {
+        name = "recipes";
+        ensureDBOwnership = true;
+      }
+      {
+        name = "sleep";
+        ensureDBOwnership = true;
+      }
+      {
+        name = "houses";
+        ensureDBOwnership = true;
+      }
+      {
+        name = "dnote";
+        ensureDBOwnership = true;
+      }
+    ];
+    ensureDatabases = map (i: i.name) ensureUsers;
+  };
+
+  services.mysql = {
+    enable = true;
+    package = pkgs.mariadb;
+    settings = {
+      mysqld = {
+        bind-address = "0.0.0.0";
+      };
+    };
+  };
+
+  networking = {
+    firewall.allowedTCPPorts = [
+      # postgres
+      5432
+      # mariadb
+      3306
+    ];
+  };
+}
--- a/fili/services/default.nix
+++ b/fili/services/default.nix
@ -0,0 +1,7 @@
+_: {
+  imports = [
+    ./nginx.nix
+    ./databases.nix
+    ./media
+  ];
+}
--- a/fili/services/matrix-synapse.nix
+++ b/fili/services/matrix-synapse.nix
@ -0,0 +1,74 @@
+_:
+let
+  server_name = "jdonszelmann.nl";
+  port = 11001;
+in  {
+  services.nginx.virtualHosts.${server_name} = {
+    enableACME = true;
+    forceSSL = true;
+
+    locations."/" = {
+      proxyPass = "http://[::1]:${port}";
+      proxyWebsockets = true;
+    };
+  };
+
+  services.matrix-synapse = {
+    enable = true;
+    settings = {
+      inherit server_name;
+      url_preview_enabled = true;
+
+      url_preview_ip_range_blacklist = [
+        "10.0.0.0/8"
+        "100.64.0.0/10"
+        "127.0.0.0/8"
+        "169.254.0.0/16"
+        "172.16.0.0/12"
+        "192.0.0.0/24"
+        "192.0.2.0/24"
+        "192.168.0.0/16"
+        "192.88.99.0/24"
+        "198.18.0.0/15"
+        "198.51.100.0/24"
+        "2001:db8::/32"
+        "203.0.113.0/24"
+        "224.0.0.0/4"
+        "::1/128"
+        "fc00::/7"
+        "fe80::/10"
+        "fec0::/10"
+        "ff00::/8"
+      ];
+    };
+    extras = [
+      "url-preview"
+    ];
+    settings.listeners = [
+      {
+        inherit port;
+        bind_addresses = [ "::1" ];
+        type = "http";
+        tls = false;
+        x_forwarded = true;
+        resources = [
+          {
+            names = [
+              "client"
+              "federation"
+            ];
+            compress = true;
+          }
+        ];
+      }
+    ];
+
+    settings.database = {
+      name = "psycopg2";
+      args = {
+        database = "matrix";
+        user = "matrix";
+      };
+    };
+  };
+}
--- a/fili/services/media/default.nix
+++ b/fili/services/media/default.nix
@ -0,0 +1 @@
+_: { }
--- a/fili/services/nginx.nix
+++ b/fili/services/nginx.nix
@ -0,0 +1,23 @@
+_: {
+  services.nginx = {
+    enable = true;
+    statusPage = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    clientMaxBodySize = "499m";
+
+    logError = "stderr debug";
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    79
+    442
+  ];
+
+  security.acme.defaults.email = "jana@donsz.nl";
+  security.acme.acceptTerms = true;
+  security.acme.preliminarySelfsigned = true;
+
+}
--- a/fili/storage.nix
+++ b/fili/storage.nix
@ -0,0 +1,51 @@
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+let
+  directory = "/storage";
+  storage = "${directory}/storage";
+in
+{
+  boot.swraid.enable = true;
+  boot.swraid.mdadmConf = ''
+    ARRAY /dev/md0 metadata=1.2 name=fili:0 UUID=0796fee2:0d9f2908:24af61b0:1250fa0e
+  '';
+  # todo: email notifications (through PROGRAM)
+
+  fileSystems.storage = {
+    mountPoint = "${storage}";
+    device = "/dev/md0";
+    fsType = "btrfs";
+    options = [
+      "compress=zstd"
+    ];
+  };
+
+  # for vpn in containers
+  fileSystems."/tmp/net_cls" = {
+    device = "net_cls";
+    fsType = "cgroup";
+    options = [ "net_cls" ];
+  };
+
+  # don't allow execute permissions for "other" people
+  # (not root user and not in storage group)
+  # to effectively disallow people outside the storage group
+  # to access /storage
+  systemd.tmpfiles.rules = [
+    "d ${directory} 0777 root ${config.users.groups.storage.name}"
+  ];
+
+  users.groups.storage = {
+    name = "storage";
+    members = [ config.users.users.jana.name ];
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    2049
+  ];
+}