nixos/auxin/configuration.nix
{ config
, lib
, pkgs
, ...
}:
let
ports = [
  # One list, opened for BOTH TCP and UDP (networking.firewall below) on
  # every interface. Nothing is scoped to the LAN, so each entry is reachable
  # from any network this host joins, and several are admin/management
  # surfaces (qbittorrent, Portainer, flaresolverr, Ceph, Swarm control).
  # NOTE(review): splitting into TCP-only and UDP-only lists would close the
  # pointless UDP copies of the TCP-only services.
  111 # rpcbind/portmapper (NFSv3 clients look up NFS/mountd/lockd here)
  2049 # NFS
  22 # SSH
  22000 # syncthing
  2222 # Gitea SSH
  2377 # Docker Swarm cluster-management port (inferred from the Swarm setup below)
  25565 # Minecraft
  3001 # Gitea(->3000)
  4001 # Lockd
  4002 # Mountd
  443 # HTTPS
  445 # SMB
  7359 # jellyfin (dlna?)
  7946 # Docker Swarm node-to-node communication (inferred, see 2377)
  80 # HTTP
  8080 # qbittorrent (web UI, unauthenticated on the wire unless the app enforces a login)
  8089 # traefik (->8080)
  8096 # Jellyfin
  8191 # flaresolverr
  8420 # Website (->4321)
  8842 # Crowdsec (-> 8842)
  8888 # Kodi
  9000 # Portainer (-> 9443)
  3300 # Ceph monitors
  6789 # Ceph monitors
  6800 # Ceph OSD
];
in
{
imports = [
  # The hardware scan result is deliberately not imported here; with the
  # flake layout (programs.nh.flake below) it is presumably supplied by the
  # flake — verify, since filesystems/kernel modules live there.
  # ./hardware-configuration.nix
];
# Package-set knobs: Kodi's advanced-launcher support and PulseAudio
# support in packages that can be built with it.
nixpkgs.config = {
  kodi.enableAdvancedLauncher = true;
  pulseaudio = true;
};
networking = {
  # hostName = "auxin"; # Define your hostname.
  # Hostname and the static interface address are not set in this file.
  # defaultGateway only makes sense together with an
  # interfaces.<name>.ipv4.addresses entry, so that presumably lives in
  # another module — verify.
  nameservers = [ "192.168.1.1" ];
  firewall = {
    enable = true;
    # The same `ports` list is opened for UDP and TCP, on all interfaces:
    # TCP-only services (SSH, HTTP(S), SMB, the web UIs, Ceph) also get an
    # unneeded UDP hole. NOTE(review): keep TCP-only ports in
    # allowedTCPPorts alone, and/or scope with firewall.interfaces.<lan>.
    allowedUDPPorts = ports;
    allowedTCPPorts = ports;
  };
  defaultGateway = {
    address = "192.168.1.1";
  };
};
# Host-wide tools. Everything here is on PATH for every account, including
# the auto-logged-in Kodi session and the dockremap/ceph users.
environment.systemPackages = with pkgs; [
  # terminal, compilers, editors, dev helpers
  alacritty
  gcc
  go
  nil
  nodePackages.nodejs
  nodePackages.pnpm
  hyperfine
  lazygit
  lazydocker
  # network and storage diagnostics
  dig
  nmap
  seaweedfs
  czkawka
  # media, gaming, firmware
  jellyfin-media-player
  gamescope
  sof-firmware
];
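# Local accounts. Passwords are not managed here (set them with passwd).
users = {
  groups = {
    ceph = { };
    # Primary group of dockremap. It is referenced by users.dockremap.group,
    # by the Samba "force group" and by the NFS export's anongid=100000, but
    # was never declared; pin gid 100000 so all three agree.
    dockremap = { gid = 100000; };
  };
  users = {
    # mesh = { isNormalUser = true; extraGroups = [ "wheel" "docker" ]; };
    # NOTE(review): this is also the identity the ceph-mon unit switches to
    # (--setuser ceph). A daemon account does not need wheel; confirm that
    # interactive sudo for "ceph" is really intended.
    ceph = { isNormalUser = true; extraGroups = [ "wheel" "ceph" ]; };
    # Owner of everything userns-remapped Docker writes
    # (virtualisation.docker extraOptions --userns-remap=default):
    # container root maps to host uid 100000, i.e. this account.
    dockremap = {
      isSystemUser = true;
      uid = 100000;
      group = "dockremap";
      subUidRanges = [ { startUid = 100000; count = 65536; } ];
      subGidRanges = [ { startGid = 100000; count = 65536; } ];
    };
  };
};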
programs = {
  # Let FUSE mounts made by one user be visible to others (needed by gvfs).
  fuse.userAllowOther = true;
  steam = {
    enable = true;
    gamescopeSession.enable = true;
    # Each openFirewall adds its own holes on every interface, on top of
    # the shared `ports` list.
    remotePlay.openFirewall = true;
    dedicatedServer.openFirewall = true;
    localNetworkGameTransfers.openFirewall = true;
  };
  # nh: rebuild helper plus periodic garbage collection of old generations.
  nh = {
    enable = true;
    flake = "/etc/nixos/";
    clean = {
      enable = true;
      extraArgs = "--keep-since 4d --keep 3";
    };
  };
  # gpg-agent doubles as the SSH agent, so SSH can use GnuPG-held keys.
  gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
  };
  zsh.enable = true;
  neovim = {
    enable = true;
    defaultEditor = true;
    configure.customRC = ''
      set number relativenumber
    '';
  };
};
services = {
# ceph = {
# global.fsid = "7c57bbc5-fdbf-4023-bc45-2e708ebc8e3e";
# osd = {
# enable = true;
# daemons = [ "0" ];
# };
# mon = {
# enable = false;
# extraConfig = {
# "mon initial members" = "auxin";
# "mon host" = "192.168.1.153";
# };
# };
# };
# NFS server for the Swarm shared tree. Every client in 192.168.1.0/24 is
# squashed to dockremap (uid/gid 100000) so ownership matches what the
# userns-remapped containers write; no caller identity crosses NFS, and
# anything on the LAN gets read/write access to the export.
nfs = {
  idmapd.settings.Mapping = {
    "Nobody-User" = lib.mkForce "dockremap";
    "Nobody-Group" = lib.mkForce "dockremap";
  };
  server = {
    enable = true;
    # Fixed ports so the 4001/4002 firewall entries stay valid.
    lockdPort = 4001;
    mountdPort = 4002;
    exports = ''
      /raid/swarm 192.168.1.0/24(rw,sync,all_squash,anonuid=100000,anongid=100000)
    '';
  };
};
gvfs.enable = true;
# Two remote-desktop stacks. xrdp's openFirewall exposes RDP (3389 by
# default) on every interface; x2go tunnels over SSH (22, already in
# `ports`). Both give full graphical logins and rely on account passwords.
xrdp = {
  enable = true;
  openFirewall = true;
};
x2goserver.enable = true;
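# k3s is currently disabled; settings here take effect once enable = true.
k3s = {
  enable = false;
  role = "server";
  # The cluster join token is a credential. It must not be a literal in this
  # file (it would land in git and in the world-readable /nix/store); read it
  # from a root-owned, mode-0600 file outside the store instead. Create that
  # file — path is the operator's choice — before enabling k3s.
  tokenFile = "/etc/auxin/k3s-token";
  extraFlags = toString [
    # NOTE(review): 0644 makes the admin kubeconfig readable by every local
    # account (including dockremap and the Kodi session); prefer 0640 with a
    # dedicated group, or the default 0600.
    "--write-kubeconfig-mode \"0644\""
    "--cluster-init"
    # "--disable localstorage"
  ];
};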
# X11 with Kodi as the only desktop session (XFCE explicitly off).
xserver = {
  enable = true;
  desktopManager = {
    xfce.enable = false;
    kodi = {
      enable = true;
      # Kodi add-ons bundled into the package, all from nixpkgs.
      package = pkgs.kodi.withPackages (kodiPkgs: with kodiPkgs; [
        jellyfin
        jellycon
        sendtokodi
        sponsorblock
        steam-library
        youtube
        libretro
        libretro-mgba
        steam-controller
        steam-launcher
        visualization-matrix
        visualization-spectrum
        visualization-waveform
        inputstream-adaptive
      ]);
    };
  };
};
# Kiosk-style auto-login straight into Kodi. Autologin skips the console
# password prompt, so anyone at the keyboard gets this user's session.
# NOTE(review): "mira" is not declared in this file (only ceph and
# dockremap are); it must come from another module or the autologin will
# fail — verify.
displayManager.sddm = {
  enable = true;
  settings.Autologin = {
    Session = "kodi.desktop";
    User = "mira";
  };
};
# Not configured yet; empty attrsets are no-ops. TODO: btrbk, caddy, ceph.
btrbk = { };
caddy = { };
ceph = { };
# fail2ban with escalating ban times. All RFC1918 space is whitelisted, so
# nothing on the LAN is ever banned; that range also covers Docker's
# default bridge subnets, so traffic that appears to come from a bridge
# address may never trip a ban either.
fail2ban = {
  enable = true;
  bantime-increment.enable = true;
  ignoreIP = [ "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" ];
};
# WS-Discovery responder so Windows clients list this host under Network;
# openFirewall adds its ports on every interface.
samba-wsdd = {
  enable = true;
  openFirewall = true;
};
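# SMB share for the same tree NFS exports. Access is unauthenticated
# ("guest ok") and every write is forced to dockremap, mirroring the NFS
# all_squash/anonuid=100000 model; anyone who can reach 445 can read and
# write the share.
samba = {
  enable = true;
  settings = {
    global = {
      # The firewall opens 445 on every interface; limit SMB to the LAN the
      # NFS export already trusts (localhost stays allowed by Samba default).
      "hosts allow" = "192.168.1.0/24";
    };
    public = {
      # Was "/": that published the entire root filesystem, writable, to
      # unauthenticated guests (as uid/gid 100000). Share only the tree the
      # NFS export publishes; adjust if a different directory is intended.
      path = "/raid/swarm";
      browseable = "yes";
      "guest ok" = "yes";
      "read only" = "no";
      "create mask" = "0644";
      "directory mask" = "0755";
      "force user" = "dockremap";
      "force group" = "dockremap";
    };
  };
};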
# PipeWire is switched off (nixpkgs.config.pulseaudio above suggests plain
# PulseAudio is used). The sub-options below are inert while enable = false
# and only take effect if it is turned back on.
pipewire = {
  enable = false;
  audio.enable = true;
  alsa = {
    enable = true;
    support32Bit = true;
  };
  pulse.enable = true;
  # If you want to use JACK applications, uncomment this
  #jack.enable = true;
};
};
# Docker with user-namespace remapping: container root becomes host uid
# 100000 (users.users.dockremap), which limits what a container escape can
# touch on the host. liveRestore must stay off for Swarm mode.
virtualisation.docker = {
  enable = true;
  enableOnBoot = true;
  storageDriver = "overlay2";
  autoPrune.enable = true;
  liveRestore = false; # NOTE: Incompatible with swarm
  extraOptions = "--userns-remap=default";
};
# TODO:
# Forced off (overrides any module that turns it on): the host must stay up.
powerManagement.enable = lib.mkForce false;
systemd = {
# Always-on server: never sleep or suspend.
targets = {
  sleep.enable = false;
  suspend.enable = false;
};
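# Fires the qbittorrent-healthcheck service every five minutes.
timers."qbittorrent-healthcheck" = {
  wantedBy = [ "timers.target" ];
  timerConfig = {
    # systemd calendar syntax, not cron: the original "*/5 * * * *" is a
    # cron expression that systemd rejects, so the timer never fired.
    OnCalendar = "*:0/5";
    # Unit= is omitted: a timer triggers the .service of the same name by
    # default (the original value also lacked the required ".service" suffix).
  };
};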
services = {
# Triggered by the timer of the same name: if the qbittorrent container
# cannot reach 8.8.8.8 through its VPN interface protonwire0, restart it.
# Runs as root because it drives the Docker daemon.
"qbittorrent-healthcheck" = {
  serviceConfig = {
    Type = "oneshot";
    User = "root";
  };
  script = ''
    ${pkgs.docker}/bin/docker exec qbittorrent ping -c 1 -w 5 -I protonwire0 8.8.8.8 || ${pkgs.docker}/bin/docker restart qbittorrent
  '';
};
# Hold dockerd until /raid (the Swarm data tree) is mounted.
docker = {
  unitConfig.RequiresMountsFor = "/raid";
  # Also pulled in by graphical.target, on top of the module's default.
  wantedBy = [ "graphical.target" ];
};
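# Posts a Discord message once sshd is up.
sshdAlert = {
  enable = true;
  description = "Notify Discord that sshd has started";
  # Requires alone does not order the two units; After makes sure the
  # "running" message is only sent once sshd has actually started.
  requires = [ "sshd.service" ];
  after = [ "sshd.service" ];
  wantedBy = [ "multi-user.target" ];
  serviceConfig = {
    Type = "oneshot";
    User = "dockremap";
    # A Discord webhook URL is a bearer-style secret: whoever holds it can
    # post to the channel. It must not be a literal in this file (git plus
    # the world-readable /nix/store). Keep it in a root-owned 0600 file
    # outside the store and let systemd hand it to the unit; the path is the
    # operator's choice. The URL that used to be hard-coded here has been
    # published and must be rotated.
    LoadCredential = "discord-webhook:/etc/auxin/discord-webhook.url";
  };
  script = ''
    ${pkgs.curl}/bin/curl --fail --silent --show-error \
      --request POST \
      --url "$(< "$CREDENTIALS_DIRECTORY/discord-webhook")" \
      --header 'Content-Type: application/json' \
      --data '{"username": "Auxin SSH status","avatar_url": "https://pbs.twimg.com/media/GMPtuovaQAAQ7Qr?format=png&name=large","content": "SSHD is Running!"}'
  '';
};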
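# Hand-written ceph-mon unit (services.ceph is commented out above).
ceph-mon = {
  enable = true;
  description = "Ceph cluster monitor daemon";
  # Ordering and dependencies are NixOS service options. The original put
  # lower-case `partOf`/`after`/`before`/`wants` into unitConfig, where
  # systemd (case-sensitive unit keys) would not recognise them.
  partOf = [ "ceph-mon.target" ];
  after = [ "network-online.target" "local-fs.target" "time-sync.target" ];
  before = [ "remote-fs-pre.target" "ceph-mon.target" ];
  wants = [ "network-online.target" "local-fs.target" "time-sync.target" "remote-fs-pre.target" "ceph-mon.target" ];
  # NOTE(review): ceph-mon.target is not declared in this file; unless another
  # module provides it, nothing ever pulls this unit in — verify.
  wantedBy = [ "ceph-mon.target" ];
  serviceConfig = {
    # Environment=CLUSTER=ceph
    # EnvironmentFile=-/etc/default/ceph
    # ExecReload=/bin/kill -HUP $MAINPID
    # Reference the package directly: the original path was misspelled
    # (/run/current/system instead of /run/current-system) and ceph is not in
    # environment.systemPackages, so the binary would not have resolved.
    # The unit starts as root; the daemon switches to ceph:ceph itself.
    ExecStart = "${pkgs.ceph}/bin/ceph-mon -f --cluster ceph --id auxin --setuser ceph --setgroup ceph";
    # LimitNOFILE=1048576
    # LimitNPROC=1048576
    # LockPersonality=true
    # MemoryDenyWriteExecute=true
    # Need NewPrivileges via `sudo smartctl`
    NoNewPrivileges = false;
    # We need access to block devices to check the health of the disk backing
    # the monitor DB store. It can be set to `true` if you're not interested
    # in that feature.
    PrivateDevices = false;
    # Hardening carried over from the upstream unit, still disabled here;
    # each should be enabled once confirmed not to break the mon.
    # PrivateTmp=true
    # ProtectControlGroups=true
    # ProtectHome=true
    # ProtectHostname=true
    # ProtectKernelLogs=true
    # ProtectKernelModules=true
    # ProtectKernelTunables=true
    # ProtectSystem=full
    # Restart=on-failure
    # RestartSec=10
    # RestrictSUIDSGID=true
    # StartLimitBurst=5
    # StartLimitInterval=30min
    # TasksMax=infinity
  };
};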
# ceph-mesh = {
# enable = true;
# description = "Ceph OSD Bindings";
# unitConfig = {
# After = "local-fs.target";
# Wants = "local-fs.target";
# };
# serviceConfig = {
# Type = "oneshot";
# KillMode = "none";
# Environment = "CEPH_VOLUME_TIMEOUT=10000 PATH=$PATH:/run/current-system/sw/bin/";
# ExecStart = "/bin/sh -c 'timeout $CEPH_VOLUME_TIMEOUT /run/current-system/sw/bin/ceph-volume lvm activate --all --no-systemd'";
# TimeoutSec = 0;
# };
# wantedBy = [ "multi-user.target" ];
# };
};
};
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
system = {
  # copySystemConfiguration = true; # NOTE: Doesn't work with flakes
  # Pins defaults tied to the release this host was installed from; changing
  # it can silently alter stateful services. Leave it at the install release.
  stateVersion = "23.11";
};
}