erwin/nixos-config
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Wiki Activity Actions

Compare commits

base: erwin:6fd1466e1f922f5db07caddba8af7c9be6757db8
Branches Tags
erwin:main
..
compare: erwin:3428449501492848bca95e9f7d0e223d2802d66d
Branches Tags
erwin:main

8 commits
6fd1466e1f ... 3428449501

Author SHA1 Message Date
Erwin Boskma
3428449501
odin: Fix incus OIDC issuer URL 2024-01-22 20:30:43 +01:00
Erwin Boskma
7e3c07ff1b
unifi: Wait on any interface to be online 2024-01-22 20:30:20 +01:00
Erwin Boskma
1e6a46e2a5
Update parameters for caddy-with-plugins 2024-01-22 20:29:55 +01:00
Erwin Boskma
7c4967b4d8
machines: Fix folder for ci 2024-01-22 20:28:54 +01:00
Erwin Boskma
72030e6c69
gitea: Move machine-specific module to machine config 2024-01-22 20:27:45 +01:00
Erwin Boskma
4f9b088afb
valkyrie: Move machine-specific modules to machine config 2024-01-22 20:05:24 +01:00
Erwin Boskma
5cf877e9ba
frigate: Move machine-specific module to machine config 2024-01-22 19:53:38 +01:00
Erwin Boskma
09efae9138
flake.lock: Update 
Flake lock file updates:

• Updated input 'disko':
    'github:nix-community/disko/0033adc6e3f1ed076f3ed1c637ef1dfe6bef6733' (2024-01-18)
  → 'github:nix-community/disko/9fcdf3375e01e2938a49df103af9fd21bd0f89d9' (2024-01-22)
• Updated input 'emacs-overlay':
    'github:nix-community/emacs-overlay/dc3dafe421095791e2dacf2b03e1686365160d35' (2024-01-19)
  → 'github:nix-community/emacs-overlay/83731bc2f68f485e843534da607f374f75b4f0bd' (2024-01-22)
• Updated input 'emacs-overlay/nixpkgs-stable':
    'github:NixOS/nixpkgs/8bf65f17d8070a0a490daf5f1c784b87ee73982c' (2024-01-17)
  → 'github:NixOS/nixpkgs/1b64fc1287991a9cce717a01c1973ef86cb1af0b' (2024-01-20)
• Updated input 'home-manager':
    'github:nix-community/home-manager/b84191db127c16a92cbdf7f7b9969d58bb456699' (2024-01-17)
  → 'github:nix-community/home-manager/2d47379ad591bcb14ca95a90b6964b8305f6c913' (2024-01-21)
• Updated input 'microvm':
    'github:astro/microvm.nix/ca69f1cf1cad946ccd04e476cc3822ae7088267d' (2024-01-19)
  → 'github:astro/microvm.nix/f07dd64526ee203d25329c517eec3b697860fa6b' (2024-01-21)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/842d9d80cfd4560648c785f8a4e6f3b096790e19' (2024-01-17)
  → 'github:nixos/nixpkgs/612f97239e2cc474c13c9dafa0df378058c5ad8d' (2024-01-21)
• Updated input 'pre-commit-hooks':
    'github:cachix/pre-commit-hooks.nix/ffa9a5b90b0acfaa03b1533b83eaf5dead819a05' (2024-01-14)
  → 'github:cachix/pre-commit-hooks.nix/f56597d53fd174f796b5a7d3ee0b494f9e2285cc' (2024-01-20)
• Updated input 'rust-overlay':
    'github:oxalica/rust-overlay/47cac072a313d9cce884b9ea418d2bf712fa23dd' (2024-01-19)
  → 'github:oxalica/rust-overlay/e36f66bb10b09f5189dc3b1706948eaeb9a1c555' (2024-01-22)
• Updated input 'sops':
    'github:Mic92/sops-nix/87755331580fdf23df7e39b46d63ac88236bf42c' (2024-01-15)
  → 'github:Mic92/sops-nix/ae171b54e76ced88d506245249609f8c87305752' (2024-01-21)
 2024-01-22 11:10:09 +01:00
19 changed files with 430 additions and 756 deletions
Show stats Expand all files Collapse all files

54
flake.lock generated
View file

@ -124,11 +124,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1705540973, "lastModified": 1705890365,
"narHash": "sha256-kNt/qAEy7ueV7NKbVc8YMHWiQAAgrir02MROYNI8fV0=", "narHash": "sha256-MObB+fipA/2Ai3uMuNouxcwz0cqvELPpJ+hfnhSaUeA=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "0033adc6e3f1ed076f3ed1c637ef1dfe6bef6733", "rev": "9fcdf3375e01e2938a49df103af9fd21bd0f89d9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -148,11 +148,11 @@
"nixpkgs-stable": "nixpkgs-stable_2" "nixpkgs-stable": "nixpkgs-stable_2"
}, },
"locked": { "locked": {
"lastModified": 1705654402, "lastModified": 1705913685,
"narHash": "sha256-wuH6YbgKtwPTdtMtNuW41FjkHhIwAsxQwMPoIzsMy4A=", "narHash": "sha256-Npj1tB5lkYTAAQ0QAQMm505sluFJaX9ZBCM0SksZZ/Q=",
"owner": "nix-community", "owner": "nix-community",
"repo": "emacs-overlay", "repo": "emacs-overlay",
"rev": "dc3dafe421095791e2dacf2b03e1686365160d35", "rev": "83731bc2f68f485e843534da607f374f75b4f0bd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -414,11 +414,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1705535278, "lastModified": 1705879479,
"narHash": "sha256-V5+XKfNbiY0bLKLQlH+AXyhHttEL7XcZBH9iSbxxexA=", "narHash": "sha256-ZIohbyly1KOe+8I3gdyNKgVN/oifKdmeI0DzMfytbtg=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "b84191db127c16a92cbdf7f7b9969d58bb456699", "rev": "2d47379ad591bcb14ca95a90b6964b8305f6c913",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -438,11 +438,11 @@
"spectrum": "spectrum" "spectrum": "spectrum"
}, },
"locked": { "locked": {
"lastModified": 1705623173, "lastModified": 1705802752,
"narHash": "sha256-jecaj1Rr6SKswbXSCPfFtYtnzePGFGiF59bw6jGm6Gs=", "narHash": "sha256-0EY+M5vnXcm/0bQQo9Yu2k+NF69qoLdpa6Vb2ARa1Zw=",
"owner": "astro", "owner": "astro",
"repo": "microvm.nix", "repo": "microvm.nix",
"rev": "ca69f1cf1cad946ccd04e476cc3822ae7088267d", "rev": "f07dd64526ee203d25329c517eec3b697860fa6b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -586,11 +586,11 @@
}, },
"nixpkgs-stable_2": { "nixpkgs-stable_2": {
"locked": { "locked": {
"lastModified": 1705458851, "lastModified": 1705774713,
"narHash": "sha256-uQvEhiv33Zj/Pv364dTvnpPwFSptRZgVedDzoM+HqVg=", "narHash": "sha256-j6ADaDH9XiumUzkTPlFyCBcoWYhO83lfgiSqEJF2zcs=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "8bf65f17d8070a0a490daf5f1c784b87ee73982c", "rev": "1b64fc1287991a9cce717a01c1973ef86cb1af0b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -634,11 +634,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1705496572, "lastModified": 1705856552,
"narHash": "sha256-rPIe9G5EBLXdBdn9ilGc0nq082lzQd0xGGe092R/5QE=", "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "842d9d80cfd4560648c785f8a4e6f3b096790e19", "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -689,11 +689,11 @@
"nixpkgs-stable": "nixpkgs-stable_3" "nixpkgs-stable": "nixpkgs-stable_3"
}, },
"locked": { "locked": {
"lastModified": 1705229514, "lastModified": 1705757126,
"narHash": "sha256-itILy0zimR/iyUGq5Dgg0fiW8plRDyxF153LWGsg3Cw=", "narHash": "sha256-Eksr+n4Q8EYZKAN0Scef5JK4H6FcHc+TKNHb95CWm+c=",
"owner": "cachix", "owner": "cachix",
"repo": "pre-commit-hooks.nix", "repo": "pre-commit-hooks.nix",
"rev": "ffa9a5b90b0acfaa03b1533b83eaf5dead819a05", "rev": "f56597d53fd174f796b5a7d3ee0b494f9e2285cc",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -762,11 +762,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1705630663, "lastModified": 1705889935,
"narHash": "sha256-f+kcR17ZtwMyCEtNAfpD0Mv6qObNKoJ41l+6deoaXi8=", "narHash": "sha256-77KPBK5e0ACNzIgJDMuptTtEqKvHBxTO3ksqXHHVO+4=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "47cac072a313d9cce884b9ea418d2bf712fa23dd", "rev": "e36f66bb10b09f5189dc3b1706948eaeb9a1c555",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -783,11 +783,11 @@
"nixpkgs-stable": "nixpkgs-stable_4" "nixpkgs-stable": "nixpkgs-stable_4"
}, },
"locked": { "locked": {
"lastModified": 1705356877, "lastModified": 1705805983,
"narHash": "sha256-274jL1cH64DcXUXebVMZBRUsTs3FvFlPIPkCN/yhSnI=", "narHash": "sha256-HluB9w7l75I4kK25uO4y6baY4fcDm2Rho0WI1DN2Hmc=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "87755331580fdf23df7e39b46d63ac88236bf42c", "rev": "ae171b54e76ced88d506245249609f8c87305752",
"type": "github" "type": "github"
}, },
"original": { "original": {

4
machines/default.nix
View file

@ -1,6 +1,6 @@
inputs: { inputs: {
ci = { ci = {
config = import ./drone/configuration.nix inputs; config = import ./ci/configuration.nix inputs;
deploy = { deploy = {
# host = "10.0.0.202"; # host = "10.0.0.202";
host = "ci.barn-beaver.ts.net"; host = "ci.barn-beaver.ts.net";
@ -24,7 +24,7 @@ inputs: {
gitea = { gitea = {
config = import ./gitea/configuration.nix inputs; config = import ./gitea/configuration.nix inputs;
deploy = { deploy = {
# host = "10.0.0.201"; # host = "10.0.0.203";
host = "gitea.barn-beaver.ts.net"; host = "gitea.barn-beaver.ts.net";
sshUser = "erwin"; sshUser = "erwin";
buildOn = "local"; buildOn = "local";

7
machines/frigate/configuration.nix
View file

@ -7,6 +7,8 @@
../../users/root ../../users/root
../../users/erwin ../../users/erwin
./frigate
]; ];
eboskma = { eboskma = {
@ -14,9 +16,6 @@
enable = true; enable = true;
server = true; server = true;
}; };
services = {
frigate.enable = true;
};
nix-common = { nix-common = {
enable = true; enable = true;
remote-builders = true; remote-builders = true;
@ -43,6 +42,8 @@
systemd.network = { systemd.network = {
enable = true; enable = true;
wait-online.anyInterface = true;
networks = { networks = {
"40-eth0" = { "40-eth0" = {
matchConfig = { matchConfig = {

15
modules/frigate/config.yml → machines/frigate/frigate/config.yml
View file

@ -36,7 +36,7 @@ objects:
track: track:
- person - person
- cat - cat
# - car - car
birdseye: birdseye:
enabled: True enabled: True
@ -79,14 +79,17 @@ cameras:
record: record:
events: events:
required_zones: required_zones:
- oprit - erf
snapshots: snapshots:
required_zones: required_zones:
- oprit - erf
zones: zones:
oprit: erf:
coordinates: 0,480,640,480,640,480,640,259,513,255,323,254,211,254,144,353,79,325,33,286,0,289 coordinates: 0,480,640,480,640,480,640,259,513,255,323,254,211,254,144,353,79,325,0,325
objects: objects:
- person - person
# - car
- cat - cat
oprit:
coordinates: 28,279,0,282,0,325,91,324
objects:
- car

150
machines/frigate/frigate/default.nix Normal file
View file

@ -0,0 +1,150 @@
{ pkgs, config, lib, ... }:
with lib;
{
virtualisation.oci-containers.containers = {
frigate = {
autoStart = true;
image = "ghcr.io/blakeblackshear/frigate:0.12.1";
ports = [
"1984:1984" # go2rtc
"5000:5000" # Frigate
"8554:8554" # RTSP feeds
"8555:8555/tcp" # WebRTC over tcp
"8555:8555/udp" # WebRTC over udp
];
volumes = [
"/etc/localtime:/etc/localtime:ro"
"${./config.yml}:/config/config.yml:ro"
"${pkgs.go2rtc}/bin/go2rtc:/config/go2rtc"
"/data/frigate:/media/frigate"
];
extraOptions = [
"--device"
"/dev/dri/renderD128"
"--device"
"/dev/apex_0"
"--shm-size=128m"
"--mount"
"type=tmpfs,target=/tmp/cache,tmpfs-size=1G"
"--cap-add"
"CAP_PERFMON"
];
environment = {
LIBVA_DRIVER_NAME = "iHD";
};
environmentFiles = [
config.sops.secrets.frigate.path
];
};
};
# services.frigate = {
# enable = true;
# hostname = "frigate.datarift.nl";
# settings = {
# mqtt = {
# enabled = true;
# host = "mqtt.datarift.nl";
# port = 1883;
# user = "frigate";
# password = "{FRIGATE_MQTT_PASSWORD}";
# };
# detectors = {
# coral = {
# type = "edgetpu";
# device = "pci";
# };
# };
# birdseye = {
# enabled = false;
# };
# ffmpeg = {
# hwaccel_args = "preset-vaapi";
# output_args = {
# record = "preset-record-generic-audio-aac";
# };
# };
# detect = {
# width = 640;
# height = 480;
# };
# objects = {
# track = [ "person" "cat" ];
# };
# record = {
# enabled = true;
# retain = {
# days = 4;
# };
# events = {
# retain = {
# default = 14;
# };
# };
# };
# snapshots = { };
# go2rtc = {
# streams = {
# deurbel = [
# "rtsp://hass:{FRIGATE_DOORBELL_PASSWORD}@10.0.0.31/h264Preview_01_main"
# "ffmpeg:deurbel#audio=opus"
# ];
# deurbel_sub = [
# "rtsp://hass:{FRIGATE_DOORBELL_PASSWORD}@10.0.0.31/h264Preview_01_sub"
# ];
# };
# webrtc = {
# candidates = [
# "10.0.0.205:8555"
# "stun:8555"
# ];
# };
# };
# cameras = {
# deurbel = {
# ffmpeg = {
# inputs = [
# {
# path = "rtsp://127.0.0.1:8554/deurbel?video=copy&audio=aac";
# input_args = "preset-rtsp-restream";
# roles = [ "record" ];
# }
# {
# path = "rtsp://127.0.0.1:8554/deurbel_sub?video=copy";
# input_args = "preset-rtsp-restream";
# roles = [ "detect" ];
# }
# ];
# };
# record = {
# events = {
# required_zones = [ "oprit" ];
# };
# };
# snapshots = {
# required_zones = [ "oprit" ];
# };
# zones = {
# oprit = {
# coordinates = "0,480,640,480,640,480,640,259,513,255,323,254,211,254,144,353,79,325,33,286,0,289";
# objects = [ "person" "cat" ];
# };
# };
# };
# };
# };
# };
# systemd.services.frigate.serviceConfig.EnvironmentFile = config.sops.secrets.frigate.path;
}

13
machines/gitea/backup.nix
View file

@ -1,13 +1,11 @@
{ pkgs, config, lib, ... }: { pkgs, config, lib, ... }:
with lib; with lib;
let let
giteaCfg = config.services.gitea;
borgJob = name: { borgJob = name: {
environment = { environment = {
BORG_RSH = "ssh -i ${config.sops.secrets.gitea_backup_ssh_key.path}"; BORG_RSH = "ssh -i ${config.sops.secrets.gitea_backup_ssh_key.path}";
}; };
repo = "ssh://zh2088@zh2088.rsync.net/./backups/gitea/${name}"; repo = "ssh://zh2088@zh2088.rsync.net/./backups/forgejo/${name}";
compression = "zstd,10"; compression = "zstd,10";
startAt = "*-*-* 2,6,10,14,18,22:30:00"; startAt = "*-*-* 2,6,10,14,18,22:30:00";
extraInitArgs = "--make-parent-dirs"; extraInitArgs = "--make-parent-dirs";
@ -29,11 +27,14 @@ let
}; };
in in
{ {
services.borgbackup.jobs = mkIf giteaCfg.enable { services = {
repos = borgJob "gitea" // { borgbackup.jobs = {
paths = [ "/var/lib" ]; repos = borgJob "forgejo" // {
paths = [ "/var/lib/forgejo/dump" ];
};
}; };
}; };
environment.systemPackages = [ pkgs.borgbackup ]; environment.systemPackages = [ pkgs.borgbackup ];
} }

5
machines/gitea/configuration.nix
View file

@ -6,6 +6,8 @@
../../users/root ../../users/root
../../users/erwin ../../users/erwin
./backup.nix ./backup.nix
./forgejo
]; ];
eboskma = { eboskma = {
@ -13,7 +15,6 @@
enable = true; enable = true;
server = true; server = true;
}; };
gitea.enable = true;
nix-common = { nix-common = {
enable = true; enable = true;
remote-builders = true; remote-builders = true;
@ -28,7 +29,7 @@
system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev; system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
networking = { networking = {
hostName = "ci"; hostName = "gitea";
useDHCP = false; useDHCP = false;
useHostResolvConf = false; useHostResolvConf = false;
networkmanager.enable = false; networkmanager.enable = false;

108
machines/gitea/forgejo/default.nix Normal file
View file

@ -0,0 +1,108 @@
{ pkgs
, config
, lib
, ...
}:
with lib; let
forgejoCfg = config.services.forgejo;
in
{
services.forgejo = {
enable = true;
user = "git";
lfs = {
enable = true;
};
database = {
type = "postgres";
socket = "/run/postgresql";
passwordFile = config.sops.secrets.gitea_db_password.path;
createDatabase = false;
name = "git";
user = "git";
};
dump = {
enable = true;
interval = "*-*-* 2,6,10,14,18,22:00:00";
type = "tar.zst";
};
settings = {
DEFAULT = {
APP_NAME = "Datarift Git";
};
security = {
PASSWORD_HASH_ALGO = "argon2";
DISABLE_GIT_HOOKS = false;
};
log.LEVEL = "Warn";
database = {
LOG_SQL = false;
};
repository = {
ENABLE_PUSH_CREATE_USER = true;
ENABLE_PUSH_CREATE_ORG = true;
};
server = {
DOMAIN = "git.datarift.nl";
ROOT_URL = "https://git.datarift.nl/";
};
service = {
DEFAULT_KEEP_EMAIL_PRIVATE = true;
DISABLE_REGISTRATION = true;
};
picture = {
ENABLE_FEDERATED_AVATAR = true;
};
session = {
PROVIDER = "db";
SAME_SITE = "strict";
COOKIE_SECURE = true;
};
webhook = {
ALLOWED_HOST_LIST = "external,10.0.0.202/32,ci.datarift.nl,10.0.0.210/32";
};
# Experimental Actions
actions = {
ENABLED = true;
};
};
};
networking.firewall.allowedTCPPorts = [ 3000 ];
users.users.git = {
description = "Forgejo service user";
home = forgejoCfg.stateDir;
useDefaultShell = true;
group = "forgejo";
isSystemUser = true;
};
services.postgresql = {
enable = true;
# Explicitly specify version here, because upgrading is a manual process that involves dumping and restoring databases:
# https://nixos.org/manual/nixos/unstable/index.html#module-services-postgres-upgrading
package = pkgs.postgresql_14;
ensureDatabases = [ "git" ];
ensureUsers = [
{
name = "git";
ensureDBOwnership = true;
}
];
};
}

2
machines/nix-cache/configuration.nix
View file

@ -118,7 +118,7 @@
package = caddy-with-plugins.lib.caddyWithPackages { package = caddy-with-plugins.lib.caddyWithPackages {
inherit (pkgs) caddy buildGoModule; inherit (pkgs) caddy buildGoModule;
plugins = [ "github.com/caddy-dns/cloudflare@74f004e1c1ab9056288f0baf3cd4b0039d6c77f3" ]; plugins = [ "github.com/caddy-dns/cloudflare@74f004e1c1ab9056288f0baf3cd4b0039d6c77f3" ];
vendorSha256 = "UYNFkGK4A7DJSmin4nCo9rUD60gx80e9YZodn7uEcUM="; vendorHash = "sha256-UYNFkGK4A7DJSmin4nCo9rUD60gx80e9YZodn7uEcUM=";
}; };
email = "erwin@datarift.nl"; email = "erwin@datarift.nl";

4
machines/odin/virtualisation.nix
View file

@ -104,8 +104,8 @@
config = { config = {
"oidc.client.id" = "incus"; "oidc.client.id" = "incus";
"oidc.issuer" = "https://id.datarift.nl/realms/datarift/.well-known/openid-configuration"; "oidc.issuer" = "https://id.datarift.nl/realms/datarift";
"core.https_address" = "[::]:8443"; "core.https_address" = ":8443";
}; };
}; };
}; };

2
machines/proxy/configuration.nix
View file

@ -21,7 +21,7 @@
package = caddy-with-plugins.lib.caddyWithPackages { package = caddy-with-plugins.lib.caddyWithPackages {
inherit (pkgs) caddy buildGoModule; inherit (pkgs) caddy buildGoModule;
plugins = [ "github.com/caddy-dns/cloudflare@74f004e1c1ab9056288f0baf3cd4b0039d6c77f3" ]; plugins = [ "github.com/caddy-dns/cloudflare@74f004e1c1ab9056288f0baf3cd4b0039d6c77f3" ];
vendorSha256 = "UYNFkGK4A7DJSmin4nCo9rUD60gx80e9YZodn7uEcUM="; vendorHash = "sha256-UYNFkGK4A7DJSmin4nCo9rUD60gx80e9YZodn7uEcUM=";
}; };
}; };
tailscale.enable = true; tailscale.enable = true;

2
machines/unifi/configuration.nix
View file

@ -53,6 +53,8 @@
systemd.network = { systemd.network = {
enable = true; enable = true;
wait-online.anyInterface = true;
networks = { networks = {
"40-eth0" = { "40-eth0" = {
matchConfig = { matchConfig = {

40
machines/valkyrie/adguard/default.nix Normal file
View file

@ -0,0 +1,40 @@
{ config
, lib
, ...
}:
with lib; let
cfg = config.eboskma.adguard;
in
{
options.eboskma.adguard = {
upstreams = mkOption {
description = "Upstream DNS servers";
type = types.listOf types.str;
example = [
"http://1.1.1.1"
"tls://1.1.1.1"
"1.1.1.1"
];
};
};
config = {
services.adguardhome = {
enable = true;
openFirewall = true;
settings = {
dns = {
upstream_dns = cfg.upstreams;
};
};
};
# This is necessary to bind a raw socket for DHCP
systemd.services.adguardhome.serviceConfig.AmbientCapabilities = [ "CAP_NET_RAW" ];
networking.firewall = {
allowedUDPPorts = [ 53 67 ];
};
};
}

7
machines/valkyrie/configuration.nix
View file

@ -5,6 +5,9 @@
../../users/root ../../users/root
../../users/erwin ../../users/erwin
./adguard
./unbound
]; ];
eboskma = { eboskma = {
@ -13,7 +16,6 @@
server = true; server = true;
}; };
adguard = { adguard = {
enable = true;
upstreams = [ upstreams = [
"127.0.0.1:5335" "127.0.0.1:5335"
]; ];
@ -22,7 +24,6 @@
enable = true; enable = true;
remote-builders = true; remote-builders = true;
}; };
unbound.enable = true;
tailscale.enable = true; tailscale.enable = true;
}; };
@ -48,6 +49,8 @@
systemd.network = { systemd.network = {
enable = true; enable = true;
wait-online.anyInterface = true;
networks = { networks = {
"40-eth0" = { "40-eth0" = {
matchConfig = { matchConfig = {

69
machines/valkyrie/unbound/default.nix Normal file
View file

@ -0,0 +1,69 @@
{
services.unbound = {
enable = true;
localControlSocketPath = "/run/unbound/unbound.ctl";
settings = {
server = {
# Setting logfile to an empty string outputs to stderr
log-queries = false;
verbosity = 1;
port = 5335;
do-ip4 = true;
do-ip6 = true;
do-udp = true;
do-tcp = true;
prefer-ip6 = true;
hide-identity = true;
hide-version = true;
# Trust glue only if it is within the server's authority
harden-glue = true;
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped = true;
harden-referral-path = true;
# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id = false;
# Reduce EDNS reassembly buffer size.
# Suggested by the unbound man page to reduce fragmentation reassembly problems
edns-buffer-size = 1472;
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch = true;
prefetch-key = true;
# This attempts to reduce latency by serving the outdated record before
# updating it instead of the other way around. Alternative is to increase
# cache-min-ttl to e.g. 3600.
cache-min-ttl = 0;
serve-expired = true;
rrset-cache-size = "256m";
msg-cache-size = "128m";
msg-cache-slabs = 4;
# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
num-threads = 2;
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf = "1m";
# Ensure privacy of local IP ranges
private-address = [
"192.168.0.0/16"
"169.254.0.0/16"
"172.16.0.0/12"
"10.0.0.0/8"
"fd00::/8"
"fe80::/10"
];
};
};
};
}

364
modules/adguard/default.nix
View file

@ -1,364 +0,0 @@
{ config
, lib
, ...
}:
with lib; let
cfg = config.eboskma.adguard;
in
{
options.eboskma.adguard = {
enable = mkEnableOption "adguard";
upstreams = mkOption {
description = "Upstream DNS servers";
type = types.listOf types.str;
example = [
"http://1.1.1.1"
"tls://1.1.1.1"
"1.1.1.1"
];
};
};
config = mkIf cfg.enable {
services.adguardhome = {
enable = true;
openFirewall = true;
settings = { };
# settings = {
# auth_attempts = 5;
# block_auth_min = 15;
# clients = {
# persistent = [
# {
# name = "xiaomi-fan";
# ids = [ "5a:b6:23:35:1c:76" ];
# blocked_services = [
# "9gag"
# "amazon"
# "cloudflare"
# "dailymotion"
# "discord"
# "disneyplus"
# "ebay"
# "epic_games"
# "facebook"
# "hulu"
# "imgur"
# "instagram"
# "mail_ru"
# "netflix"
# "ok"
# "origin"
# "pinterest"
# "qq"
# "reddit"
# "skype"
# "snapchat"
# "spotify"
# "steam"
# "telegram"
# "tiktok"
# "tinder"
# "twitch"
# "twitter"
# "viber"
# "vimeo"
# "vk"
# "wechat"
# "weibo"
# "whatsapp"
# "youtube"
# ];
# filtering_enabled = true;
# ignore_querylog = false;
# ignore_statistics = false;
# parental_enabled = true;
# safe_search = {
# bing = false;
# duckduckgo = false;
# enabled = false;
# google = false;
# pixabay = false;
# yandex = false;
# youtube = false;
# };
# safebrowsing_enabled = true;
# tags = [ "device_other" ];
# upstreams = [ ];
# use_global_blocked_services = false;
# use_global_settings = true;
# }
# ];
# runtime_sources = {
# arp = true;
# dhcp = true;
# hosts = true;
# rdns = true;
# whois = true;
# };
# };
# debug_pprof = false;
# dhcp = {
# dhcpv4 = {
# gateway_ip = "10.0.0.1";
# icmp_timeout_msec = 1000;
# lease_duration = 86400;
# options = [ ];
# range_end = "10.0.0.200";
# range_start = "10.0.0.150";
# subnet_mask = "255.255.255.0";
# };
# dhcpv6 = {
# lease_duration = 86400;
# ra_allow_slaac = false;
# ra_slaac_only = false;
# range_start = "";
# };
# interface_name = "eth0";
# enabled = true;
# local_domain_name = "lan";
# };
# dns = {
# aaaa_disabled = false;
# all_servers = true;
# allowed_clients = [ ];
# anonymize_client_ip = false;
# bind_hosts = [ "0.0.0.0" ];
# blocked_hosts = [ "version.bind" "id.server" "hostname.bind" ];
# blocked_response_ttl = 10;
# blocked_services = [ "vk" "mail_ru" "pinterest" "tinder" "wechat" "ok" "qq" "snapchat" "weibo" "9gag" ];
# blocking_ipv4 = "";
# blocking_ipv6 = "";
# blocking_mode = "default";
# bogus_nxdomain = [ ];
# bootstrap_dns = [ ];
# bootstrap_prefer_ipv6 = false;
# cache_optimistic = false;
# cache_size = null;
# cache_time = 30;
# cache_ttl_max = 0;
# cache_ttl_min = 0;
# disallowed_clients = [ ];
# dns64_prefixes = [ ];
# edns_client_subnet = {
# custom_ip = "";
# enabled = true;
# use_custom = false;
# };
# enable_dnssec = true;
# fastest_addr = false;
# fastest_timeout = "1s";
# filtering_enabled = true;
# filters_update_interval = 24;
# handle_ddr = true;
# ipset = [ ];
# ipset_file = "";
# local_ptr_upstreams = [ ];
# max_goroutines = 0;
# parental_block_host = "family-block.dns.adguard.com";
# parental_cache_size = 1048576;
# parental_enabled = false;
# port = 53;
# private_networks = [ ];
# protection_disabled_until = null;
# protection_enabled = true;
# ratelimit = 20;
# ratelimit_whitelist = [ ];
# refuse_any = true;
# rewrites = [
# {
# answer = "10.0.0.254";
# domain = "track.datarift.nl";
# }
# {
# answer = "10.0.0.2";
# domain = "ca.datarift.nl";
# }
# {
# answer = "10.0.0.252";
# domain = "pve.datarift.nl";
# }
# {
# answer = "10.0.0.251";
# domain = "git.datarift.nl";
# }
# {
# answer = "10.0.0.251";
# domain = "minio.datarift.nl";
# }
# {
# answer = "10.0.0.251";
# domain = "home.datarift.nl";
# }
# {
# answer = "10.0.0.251";
# domain = "drone.datarift.nl";
# }
# {
# answer = "10.0.0.100";
# domain = "vidz.datarift.nl";
# }
# {
# answer = "10.0.0.4";
# domain = "loki.datarift.nl";
# }
# {
# answer = "10.0.0.251";
# domain = "minio-admin.datarift.nl";
# }
# {
# answer = "192.168.4.32";
# domain = "vaultserver.horus.nu";
# }
# {
# answer = "10.0.0.254";
# domain = "mqtt.datarift.nl";
# }
# {
# answer = "10.0.0.251";
# domain = "frigate.datarift.nl";
# }
# {
# answer = "192.168.4.130";
# domain = "containers.internal.horus.nu";
# }
# {
# answer = "192.168.4.121";
# domain = "repohost.bedum.horus.nu";
# }
# {
# answer = "192.168.4.150";
# domain = "teamcity.horus.nu";
# }
# {
# answer = "2a02:a441:c959:1:52ef:4c5d:ffac:25bc";
# domain = "frigate.datarift.nl";
# }
# ];
# safe_search = {
# bing = true;
# duckduckgo = true;
# enabled = false;
# google = true;
# pixabay = true;
# yandex = true;
# youtube = true;
# };
# safebrowsing_block_host = "standard-block.dns.adguard.com";
# safebrowsing_cache_size = 1048576;
# safebrowsing_enabled = false;
# safesearch_cache_size = 1048576;
# serve_http3 = false;
# trusted_proxies = [ "127.0.0.0/8" "::1/128" ];
# upstream_dns = cfg.upstreams;
# upstream_dns_file = "";
# upstream_timeout = "10s";
# use_dns64 = false;
# use_http3_upstreams = false;
# use_private_ptr_resolvers = true;
# };
# filters = [
# {
# enabled = true;
# id = 1;
# name = "AdGuard DNS filter";
# url = "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt";
# }
# {
# enabled = true;
# id = 2;
# name = "AdAway";
# url = "https://adaway.org/hosts.txt";
# }
# {
# enabled = true;
# id = 1586463155;
# name = "dbl.oisd.nl";
# url = "https://dbl.oisd.nl/";
# }
# ];
# http_proxy = "";
# language = "";
# log_compress = false;
# log_file = "";
# log_localtime = false;
# log_max_age = 3;
# log_max_backups = 0;
# log_max_size = 100;
# os = {
# group = "";
# rlimit_nofile = 0;
# user = "";
# };
# querylog = {
# enabled = true;
# file_enabled = true;
# ignored = [ ];
# interval = "168h";
# size_memory = 1000;
# };
# schema_version = 20;
# statistics = {
# enabled = true;
# ignored = [ ];
# interval = "168h";
# };
# theme = "auto";
# tls = {
# allow_unencrypted_doh = false;
# certificate_chain = "";
# certificate_path = "";
# dnscrypt_config_file = "";
# enabled = false;
# force_https = false;
# port_dns_over_quic = 784;
# port_dns_over_tls = 853;
# port_dnscrypt = 0;
# port_https = 443;
# private_key = "";
# private_key_path = "";
# server_name = "";
# strict_sni_check = false;
# };
# user_rules = [
# "@@||msmetrics.ws.sonos.com^$important"
# "@@||trafficdeposit.com^$important"
# "@@||omropfryslan.bbvms.com^$important"
# "@@||cdn.riverhit.com^$important"
# "@@||kpngroup.emsecure.net^$important"
# "@@||chtbl.com^$important"
# "@@||*^$client='TV'"
# "||mozilla.cloudflare-dns.com^$important"
# "||use-application-dns.net^$important"
# "@@||widget.fitanalytics.com^$important"
# "@@||cdn.bluebillywig.com^$important"
# "@@||bert.org^$important"
# "||prod-pre.fns.tunein.com^$important"
# "#||mi.com^$dnsrewrite=NOERROR;A;10.0.0.4"
# "#||xiaomi.com^$dnsrewrite=NOERROR;A;10.0.0.4"
# "@@||aa.tweakers.nl^$important"
# "@@||ab.tweakers.nl^$important"
# "||zip^"
# ];
# users = [
# {
# name = "erwin";
# password = "$2b$12$bcE.EzNPhKmtDlgkej83xeAE/ADmAczt.iaElp6v4QT8DBlbVBgb.";
# }
# ];
# verbose = false;
# web_session_ttl = 720;
# whitelist_filters = [ ];
# };
};
# This is necessary to bind a raw socket for DHCP
systemd.services.adguardhome.serviceConfig.AmbientCapabilities = [ "CAP_NET_RAW" ];
networking.firewall = {
allowedUDPPorts = [ 53 67 ];
};
};
}

156
modules/frigate/default.nix
View file

@ -1,156 +0,0 @@
{ pkgs, config, lib, ... }:
with lib;
let
cfg = config.eboskma.services.frigate;
in
{
options.eboskma.services.frigate = { enable = mkEnableOption "frigate"; };
config = mkIf cfg.enable {
virtualisation.oci-containers.containers = {
frigate = {
autoStart = true;
image = "ghcr.io/blakeblackshear/frigate:0.12.1";
ports = [
"1984:1984" # go2rtc
"5000:5000" # Frigate
"8554:8554" # RTSP feeds
"8555:8555/tcp" # WebRTC over tcp
"8555:8555/udp" # WebRTC over udp
];
volumes = [
"/etc/localtime:/etc/localtime:ro"
"${./config.yml}:/config/config.yml:ro"
"${pkgs.go2rtc}/bin/go2rtc:/config/go2rtc"
"/data/frigate:/media/frigate"
];
extraOptions = [
"--device"
"/dev/dri/renderD128"
"--device"
"/dev/apex_0"
"--shm-size=128m"
"--mount"
"type=tmpfs,target=/tmp/cache,tmpfs-size=1G"
"--cap-add"
"CAP_PERFMON"
];
environment = {
LIBVA_DRIVER_NAME = "iHD";
};
environmentFiles = [
config.sops.secrets.frigate.path
];
};
};
# services.frigate = {
# enable = true;
# hostname = "frigate.datarift.nl";
# settings = {
# mqtt = {
# enabled = true;
# host = "mqtt.datarift.nl";
# port = 1883;
# user = "frigate";
# password = "{FRIGATE_MQTT_PASSWORD}";
# };
# detectors = {
# coral = {
# type = "edgetpu";
# device = "pci";
# };
# };
# birdseye = {
# enabled = false;
# };
# ffmpeg = {
# hwaccel_args = "preset-vaapi";
# output_args = {
# record = "preset-record-generic-audio-aac";
# };
# };
# detect = {
# width = 640;
# height = 480;
# };
# objects = {
# track = [ "person" "cat" ];
# };
# record = {
# enabled = true;
# retain = {
# days = 4;
# };
# events = {
# retain = {
# default = 14;
# };
# };
# };
# snapshots = { };
# go2rtc = {
# streams = {
# deurbel = [
# "rtsp://hass:{FRIGATE_DOORBELL_PASSWORD}@10.0.0.31/h264Preview_01_main"
# "ffmpeg:deurbel#audio=opus"
# ];
# deurbel_sub = [
# "rtsp://hass:{FRIGATE_DOORBELL_PASSWORD}@10.0.0.31/h264Preview_01_sub"
# ];
# };
# webrtc = {
# candidates = [
# "10.0.0.205:8555"
# "stun:8555"
# ];
# };
# };
# cameras = {
# deurbel = {
# ffmpeg = {
# inputs = [
# {
# path = "rtsp://127.0.0.1:8554/deurbel?video=copy&audio=aac";
# input_args = "preset-rtsp-restream";
# roles = [ "record" ];
# }
# {
# path = "rtsp://127.0.0.1:8554/deurbel_sub?video=copy";
# input_args = "preset-rtsp-restream";
# roles = [ "detect" ];
# }
# ];
# };
# record = {
# events = {
# required_zones = [ "oprit" ];
# };
# };
# snapshots = {
# required_zones = [ "oprit" ];
# };
# zones = {
# oprit = {
# coordinates = "0,480,640,480,640,480,640,259,513,255,323,254,211,254,144,353,79,325,33,286,0,289";
# objects = [ "person" "cat" ];
# };
# };
# };
# };
# };
# };
# systemd.services.frigate.serviceConfig.EnvironmentFile = config.sops.secrets.frigate.path;
};
}

106
modules/gitea/default.nix
View file

@ -1,106 +0,0 @@
{ pkgs
, config
, lib
, ...
}:
with lib; let
cfg = config.eboskma.gitea;
giteaCfg = config.services.gitea;
in
{
options.eboskma.gitea = { enable = mkEnableOption "gitea"; };
config = mkIf cfg.enable {
services.gitea = {
enable = true;
package = pkgs.forgejo;
user = "git";
appName = "Datarift Git";
lfs = {
enable = true;
};
database = {
type = "postgres";
socket = "/run/postgresql";
passwordFile = "/run/secrets/gitea_db_password";
createDatabase = false;
user = "git";
};
settings = {
security = {
PASSWORD_HASH_ALGO = "argon2";
DISABLE_GIT_HOOKS = false;
};
log.LEVEL = "Warn";
database = {
LOG_SQL = false;
};
repository = {
ENABLE_PUSH_CREATE_USER = true;
ENABLE_PUSH_CREATE_ORG = true;
};
server = {
DOMAIN = "git.datarift.nl";
ROOT_URL = "https://git.datarift.nl/";
};
service = {
DEFAULT_KEEP_EMAIL_PRIVATE = true;
DISABLE_REGISTRATION = true;
};
picture = {
ENABLE_FEDERATED_AVATAR = true;
};
session = {
PROVIDER = "db";
SAME_SITE = "strict";
COOKIE_SECURE = true;
};
webhook = {
ALLOWED_HOST_LIST = "external,10.0.0.202/32,ci.datarift.nl";
};
# Experimental Gitea Actions
actions = {
ENABLED = true;
};
};
};
networking.firewall.allowedTCPPorts = [ 3000 ];
users.users.git = {
description = "Gitea service user";
home = giteaCfg.stateDir;
useDefaultShell = true;
group = "gitea";
isSystemUser = true;
};
services.postgresql = {
enable = true;
# Explicitly specify version here, because upgrading is a manual process that involves dumping and restoring databases:
# https://nixos.org/manual/nixos/unstable/index.html#module-services-postgres-upgrading
package = pkgs.postgresql_14;
ensureDatabases = [ "gitea" ];
ensureUsers = [
{
name = "git";
ensurePermissions = {
"DATABASE gitea" = "ALL PRIVILEGES";
};
}
];
};
};
}

78
modules/unbound/default.nix
View file

@ -1,78 +0,0 @@
{ config, lib, ... }:
with lib;
let
cfg = config.eboskma.unbound;
in
{
options.eboskma.unbound = { enable = mkEnableOption "unbound DNS"; };
config = mkIf cfg.enable {
services.unbound = {
enable = true;
localControlSocketPath = "/run/unbound/unbound.ctl";
settings = {
server = {
# Setting logfile to an empty string outputs to stderr
log-queries = false;
verbosity = 1;
port = 5335;
do-ip4 = true;
do-ip6 = true;
do-udp = true;
do-tcp = true;
prefer-ip6 = true;
hide-identity = true;
hide-version = true;
# Trust glue only if it is within the server's authority
harden-glue = true;
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped = true;
harden-referral-path = true;
# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id = false;
# Reduce EDNS reassembly buffer size.
# Suggested by the unbound man page to reduce fragmentation reassembly problems
edns-buffer-size = 1472;
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch = true;
prefetch-key = true;
# This attempts to reduce latency by serving the outdated record before
# updating it instead of the other way around. Alternative is to increase
# cache-min-ttl to e.g. 3600.
cache-min-ttl = 0;
serve-expired = true;
rrset-cache-size = "256m";
msg-cache-size = "128m";
msg-cache-slabs = 4;
# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
num-threads = 2;
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf = "1m";
# Ensure privacy of local IP ranges
private-address = [
"192.168.0.0/16"
"169.254.0.0/16"
"172.16.0.0/12"
"10.0.0.0/8"
"fd00::/8"
"fe80::/10"
];
};
};
};
};
}