diff --git a/flake.nix b/flake.nix index 03785a8..415695a 100644 --- a/flake.nix +++ b/flake.nix @@ -13,17 +13,18 @@ outputs = inputs@{ self, nixpkgs, home-manager, microvm, ... }: let + hostName = "nixos"; system = "x86_64-linux"; username = "tbarnouin"; in { nixosConfigurations = { - nixos = nixpkgs.lib.nixosSystem { + ${hostName} = nixpkgs.lib.nixosSystem { inherit system; modules = [ ./configuration.nix { - networking.hostName = "nixos"; + networking.hostName = hostName; } home-manager.nixosModules.home-manager { @@ -33,12 +34,12 @@ } microvm.nixosModules.host { - microvm = { + microvm = { autostart = [ "nginx" ]; vms = { - nginx = { + nginx = { flake = self; updateFlake = "git+file:///etc/nixos"; }; @@ -46,7 +47,7 @@ }; } ]; - + specialArgs = { inherit inputs; inherit username; diff --git a/services/authentik/default.nix b/services/authentik/default.nix new file mode 100644 index 0000000..40ec81f --- /dev/null +++ b/services/authentik/default.nix @@ -0,0 +1,14 @@ +{ inputs, config, lib, authentik-nix, ... }: +let + cfg = config.services.vm_authentik; +in +{ + options.services.vm_authentik = { + enable = lib.mkEnableOption "Enable minimal config"; + }; + config = lib.mkIf cfg.enable { + networking = { + firewall.allowedTCPPorts = [ 9000 9300 9443 ]; + }; + }; +} diff --git a/services/default.nix b/services/default.nix index 706b899..227cded 100644 --- a/services/default.nix +++ b/services/default.nix @@ -2,6 +2,13 @@ { imports = [ ./nginx + ./gitea + ./redis + ./jellyfin + ./nextcloud + ./grafana + ./authentik + ./postgresql ./minimalConfig ]; } diff --git a/services/gitea/default.nix b/services/gitea/default.nix new file mode 100644 index 0000000..61add6f --- /dev/null +++ b/services/gitea/default.nix @@ -0,0 +1,32 @@ +{ config, pkgs, lib, ... }: +let + cfg = config.services.vm_gitea; +in +{ + options.services.vm_gitea = { + enable = lib.mkEnableOption "Enable minimal config"; + db_ip = lib.mkOption { + type = lib.types.str; + description = "Gitea database IP address"; + }; + }; + config = lib.mkIf cfg.enable { + services.gitea = { + enable = true; + user = "tbarnouin"; + settings = { + server.HTTP_PORT = 3000; + server.ROOT_URL = "http://${config.services.vm.vm_ip}/"; + service.DISABLE_REGISTRATION = true; + }; + database = { + createDatabase = false; + type = "postgres"; + host = "${cfg.db_ip}"; + user = "gitea"; + passwordFile = "/run/secrets/gitea/gitea-dbpass"; + }; + }; + networking.firewall.allowedTCPPorts = [ 3000 ]; + }; +} diff --git a/services/grafana/default.nix b/services/grafana/default.nix new file mode 100644 index 0000000..42f9c9b --- /dev/null +++ b/services/grafana/default.nix @@ -0,0 +1,151 @@ +{ lib, config, pkgs, ... }: +let + cfg = config.services.vm_grafana; +in +{ + options.services.vm_grafana = { + enable = lib.mkEnableOption "Enable minimal config"; + proxy_ip = lib.mkOption { + type = lib.types.str; + description = "The Nginx proxy IP address"; + }; + }; + config = lib.mkIf cfg.enable { + services.rsyslogd.enable = true; + services.grafana = { + enable = true; + settings = { + server = { + protocol = "http"; + http_addr = "${config.services.vm.vm_ip}"; + http_port = 3000; + domain = "logs.le43.eu"; + root_url = "https://logs.le43.eu"; + serve_from_sub_path = false; + }; + }; + }; + services.prometheus = { + enable = true; + port = 9001; + scrapeConfigs = [ + { + job_name = "grafana"; + static_configs = [{ + targets = [ "127.0.0.1:9002" ]; + }]; + } + { + job_name = "nginx"; + static_configs = [{ + targets = [ "${cfg.proxy_ip}:9002" ]; + }]; + } + ]; + exporters = { + node = { + enable = true; + enabledCollectors = [ "systemd" ]; + port = 9002; + }; + }; + }; + services.loki = { + enable = true; + configuration = { + server.http_listen_port = 3100; + server.grpc_listen_port = 9096; + auth_enabled = false; + ingester = { + lifecycler = { + address = "127.0.0.1"; + ring = { + kvstore = { + store = "inmemory"; + }; + replication_factor = 1; + }; + }; + chunk_idle_period = "1h"; + max_chunk_age = "1h"; + chunk_target_size = 999999; + chunk_retain_period = "30s"; + }; + schema_config = { + configs = [{ + from = "2022-06-06"; + store = "boltdb-shipper"; + object_store = "filesystem"; + schema = "v13"; + index = { + prefix = "index_"; + period = "24h"; + }; + }]; + }; + storage_config = { + boltdb_shipper = { + active_index_directory = "/var/lib/loki/boltdb-shipper-active"; + cache_location = "/var/lib/loki/boltdb-shipper-cache"; + cache_ttl = "24h"; + }; + + filesystem = { + directory = "/var/lib/loki/chunks"; + }; + }; + + limits_config = { + reject_old_samples = true; + reject_old_samples_max_age = "168h"; + allow_structured_metadata = false; + }; + + table_manager = { + retention_deletes_enabled = false; + retention_period = "0s"; + }; + compactor = { + working_directory = "/var/lib/loki"; + compactor_ring = { + kvstore = { + store = "inmemory"; + }; + }; + }; + }; + }; + services.promtail = { + enable = true; + configuration = { + server = { + http_listen_port = 3101; + grpc_listen_port = 9095; + }; + positions = { + filename = "/tmp/positions.yaml"; + }; + clients = [{ + url = "http://127.0.0.1:3100/loki/api/v1/push"; + }]; + scrape_configs = [{ + job_name = "journal"; + journal = { + max_age = "12h"; + labels = { + job = "systemd-journal"; + host = "localhost"; + }; + }; + relabel_configs = [{ + source_labels = [ "__journal__systemd_unit" ]; + target_label = "unit"; + }]; + }]; + }; + }; + + # Open ports in the firewall. + networking.firewall.allowedTCPPorts = [ 3000 3100 3101 9001 ]; + }; +} diff --git a/services/jellyfin/default.nix b/services/jellyfin/default.nix new file mode 100644 index 0000000..8bf8012 --- /dev/null +++ b/services/jellyfin/default.nix @@ -0,0 +1,25 @@ +{ lib, config, pkgs, ... }: +let + cfg = config.services.vm_jellyfin; +in +{ + options.services.vm_jellyfin = { + enable = lib.mkEnableOption "Enable minimal config"; + }; + config = lib.mkIf cfg.enable { + environment.systemPackages = [ pkgs.cifs-utils ]; + services.jellyfin = { + enable = true; + user = "tbarnouin"; + openFirewall = true; + }; + fileSystems."/mnt/media" = { + device = "192.168.1.125:/DATA"; + fsType = "nfs"; + options = [ + "x-systemd.automount" + "noauto" + ]; + }; + }; +} diff --git a/services/nextcloud/default.nix b/services/nextcloud/default.nix new file mode 100644 index 0000000..c478702 --- /dev/null +++ b/services/nextcloud/default.nix @@ -0,0 +1,78 @@ +{ lib, config, pkgs, ... }: +let + cfg = config.services.vm_nextcloud; +in +{ + options.services.vm_nextcloud = { + enable = lib.mkEnableOption "Enable minimal config"; + proxy_ip = lib.mkOption { + type = lib.types.str; + description = "The Nginx proxy IP address"; + }; + db_ip = lib.mkOption { + type = lib.types.str; + description = "Gitea database IP address"; + }; + }; + config = lib.mkIf cfg.enable { + environment.etc = { + "fail2ban/filter.d/nextcloud.conf".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter '' + [Definition] + _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*) + failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Login failed: + ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Two-factor challenge failed: + ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Trusted domain error. + datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?" + ''); + }; + services = { + fail2ban = { + jails = { + nextcloud = '' + backend = auto + enabled = true + port = http,https + filter = nextcloud + maxretry = 3 + bantime = 86400 + findtime = 43200 + logpath = /var/lib/nextcloud/data/nextcloud.log + ''; + }; + }; + nextcloud = { + enable = true; + hostName = "${config.services.vm.vm_ip}"; + home = "/var/lib/nextcloud"; + maxUploadSize = "10240M"; + caching.redis = true; + configureRedis = true; + database.createLocally = false; + phpOptions = { + "opcache.interned_strings_buffer" = "16"; + "opcache.memory_consumption" = "512"; + }; + settings = { + trusted_proxies = [ "${cfg.proxy_ip}" ]; + trusted_domains = [ "${cfg.proxy_ip}" ]; + overwriteprotocol = "http"; + overwrite.cli.url = "http://${cfg.proxy_ip}/cloud/"; + "overwritehost" = "${cfg.proxy_ip}"; + "overwritewebroot" = "/cloud"; + htaccess.RewriteBase = "/cloud"; + log_type = "file"; + }; + config = { + dbhost = "${cfg.db_ip}:5432"; + dbname = "nextcloud"; + dbuser = "nextcloud"; + dbtype = "pgsql"; + dbpassFile = "/run/secrets/nextcloud/nextcloud-dbpass"; + adminuser = "tbarnouin"; + adminpassFile = "/run/secrets/nextcloud/nextcloud-adminpass"; + }; + }; + }; + networking.firewall.allowedTCPPorts = [ 80 ]; + }; +} diff --git a/services/postgresql/default.nix b/services/postgresql/default.nix new file mode 100644 index 0000000..235e2b0 --- /dev/null +++ b/services/postgresql/default.nix @@ -0,0 +1,39 @@ +{ lib, config, pkgs, ... }: +let + cfg = config.services.vm_postgresql; +in +{ + options.services.vm_postgresql = { + enable = lib.mkEnableOption "Enable minimal config"; + }; + config = lib.mkIf cfg.enable { + services.postgresql = { + enable = true; + enableTCPIP = true; + settings.port = 5432; + ensureDatabases = [ "gitea" "nextcloud" ]; + ensureUsers = [ + { + name = "gitea"; + ensureDBOwnership = true; + } + { + name = "nextcloud"; + ensureDBOwnership = true; + } + ]; + authentication = pkgs.lib.mkOverride 10 '' + #type database user origin-address auth-method + # IPv4 local connections: + local all all trust + host gitea gitea 192.168.122.3/24 trust + host nextcloud nextcloud 192.168.122.7/24 trust + ''; + initialScript = pkgs.writeText "init-sql-script" '' + alter user gitea with password 'gitea'; + alter user nextcloud with password 'nextcloud'; + ''; + }; + networking.firewall.allowedTCPPorts = [ 5432 ]; + }; +} diff --git a/services/redis/default.nix b/services/redis/default.nix new file mode 100644 index 0000000..5dc54b4 --- /dev/null +++ b/services/redis/default.nix @@ -0,0 +1,23 @@ +{ config, pkgs, lib, ... }: +let + cfg = config.services.vm_redis; +in +{ + options.services.vm_redis = { + enable = lib.mkEnableOption "Enable minimal config"; + }; + config = lib.mkIf cfg.enable { + services.redis = { + vmOverCommit = true; + servers.redis = { + enable = true; + port = 6379; + bind = "0.0.0.0"; + settings = { + protected-mode = "no"; + }; + }; + }; + networking.firewall.allowedTCPPorts = [ 6379 ]; + }; +} diff --git a/systems/default.nix b/systems/default.nix index 0dd4d64..11d68d3 100644 --- a/systems/default.nix +++ b/systems/default.nix @@ -68,8 +68,8 @@ in matchConfig.Type = "ether"; networkConfig = { Address = ["${cfg.vm_ip}/24"]; - Gateway = "192.168.122.1"; - DNS = ["192.168.122.1"]; + Gateway = "192.168.1.254"; + DNS = ["192.168.1.254"]; IPv6AcceptRA = true; DHCP = "no"; };