{ config, pkgs, lib, ... }:
let
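# Site-specific values (domains, ACME e-mail) are kept out of this file.
personalization = import ./modules/personalization.nix;

# PHP 8.3 with the extensions the hosted PHP apps use, plus an ini fragment
# that the php-fpm pool below picks up via `phpPackage`.
custom-php = pkgs.php83.buildEnv {
  extensions = { enabled, all }: enabled ++ (with all; [ bz2 apcu redis imagick memcached ]);
  # php.ini syntax: `;` begins a comment, so the trailing semicolons the old
  # fragment carried on some values were silently ignored; they are dropped.
  extraConfig = ''
    ; Do not echo errors to the browser on a public site: messages leak
    ; filesystem paths and query fragments. Errors still reach the php-fpm log.
    display_errors = Off
    display_startup_errors = Off
    log_errors = On
    max_execution_time = 10000
    max_input_time = 3000
    memory_limit = 1G
    opcache.enable = 1
    opcache.memory_consumption = 512
    ; Was `opcache_revalidate_freq` (underscore), which is not a PHP directive
    ; and was ignored; the real setting is dotted.
    opcache.revalidate_freq = 240
    opcache.max_accelerated_files = 20000
    opcache.interned_strings_buffer = 64
    post_max_size = 3G
    upload_max_filesize = 3G
    redis.session.locking_enabled = 1
    redis.session.lock_retries = -1
    redis.session.lock_wait_time = 10000
  '';
};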
in
{
# Everything not declared in this file comes in through ./modules/modules.nix.
imports = [ ./modules/modules.nix ];
# Bootloader: systemd-boot on UEFI, ESP mounted at /boot/efi, latest kernel.
boot = {
  loader = {
    systemd-boot.enable = true;
    efi = {
      canTouchEfiVariables = true;
      efiSysMountPoint = "/boot/efi";
    };
  };
  kernelPackages = pkgs.linuxPackages_latest;
};

fileSystems = {
  # Internal backup drive; `nofail` keeps boot going when it is absent.
  "/run/media/Second_Drive" = {
    device = "LABEL=BTCEcoandBackup";
    fsType = "ext4";
    options = [ "nofail" ];
  };
  # umask=0077 keeps the ESP (bootloader binaries, kernels) root-only.
  "/boot/efi".options = [ "umask=0077" "defaults" ];
};

nix.settings.experimental-features = [ "nix-command" "flakes" ];
networking.hostName = "nixos"; # Define your hostname.
networking.networkmanager.enable = true;

time.timeZone = "America/Los_Angeles";
i18n.defaultLocale = "en_US.UTF-8";

# GNOME on X11 behind GDM, US keymap.
services.xserver = {
  enable = true;
  displayManager.gdm.enable = true;
  desktopManager.gnome.enable = true;
  xkb = {
    layout = "us";
    variant = "";
  };
};

# CUPS printing.
services.printing.enable = true;

# No emergency.target root shell when boot fails.
systemd.enableEmergencyMode = false;

# Audio: PipeWire with ALSA and PulseAudio compatibility; PulseAudio itself off.
hardware.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
  enable = true;
  alsa = {
    enable = true;
    support32Bit = true;
  };
  pulse.enable = true;
};
users = {
  users = {
    free = {
      isNormalUser = true;
      description = "free";
      extraGroups = [ "networkmanager" ];
    };
    ####### PHP user for PHPFPM #######
    # Fixed-uid system account with no home directory.
    # NOTE(review): the php-fpm pool in this file runs as user "caddy", so this
    # account may only be used by something under ./modules — verify before
    # relying on it.
    php = {
      isSystemUser = true;
      createHome = false;
      uid = 7777;
      group = "php";
    };
  };
  groups.php = { };
};

# Console auto-login for the desktop user: whoever has physical access to
# the machine gets this session without entering a password.
services.displayManager.autoLogin = {
  enable = true;
  user = "free";
};
# Workaround for GNOME autologin: https://github.com/NixOS/nixpkgs/issues/103746#issuecomment-945091229
systemd.services."getty@tty1".enable = true;
systemd.services."autovt@tty1".enable = true;

# Flatpak support.
services.flatpak.enable = true;

nixpkgs.config = {
  allowUnfree = true;
  # Explicit opt-in to a package nixpkgs marks as insecure; keep this list short.
  permittedInsecurePackages = [
    "jitsi-meet-1.0.8043"
  ];
};
# List packages installed in system profile. To search, run:
# $ nix search wget
# Order is kept as before; only grouping comments were added.
environment.systemPackages = with pkgs; [
  # local derivations
  (pkgs.callPackage ./modules/systemd-manager_sovran_systems.nix { })
  (pkgs.callPackage ./modules/nextcloud_hpbs_default.nix { })
  # shell and monitoring
  git
  wget
  fish
  htop
  btop
  # GNOME extensions and theming
  gnomeExtensions.dash-to-dock
  gnomeExtensions.transparent-top-bar-adjustable-transparency
  gnomeExtensions.vitals
  gnomeExtensions.pop-shell
  gnomeExtensions.just-perfection
  gnomeExtensions.appindicator
  gnomeExtensions.date-menu-formatter
  gnomeExtensions.espresso
  gnome-tweaks
  papirus-icon-theme
  ranger
  # bitcoin desktop apps
  bisq2
  sparrow
  neofetch
  gedit
  # matrix server and helpers
  matrix-synapse
  openssl
  pwgen
  # spelling
  aspell
  aspellDicts.en
  lm_sensors
  hunspell
  hunspellDicts.en_US
  # PHP build defined in the let-block above
  custom-php
  matrix-synapse-tools.synadm
  brave
  dua
  bitwarden-desktop
  # disk tools
  gparted
  pv
  unzip
  parted
  screen
  zenity
  libargon2
  gnome-terminal
  libreoffice-fresh
  dig
  nextcloud-client
  firefox
  element-desktop
  helix
];
# Editor: nixvim with catppuccin colours and lualine.
programs.nixvim = {
  enable = true;
  colorschemes.catppuccin.enable = true;
  plugins.lualine.enable = true;
};

# Prompt init runs for interactive shells: bash hands over to fish, and fish
# prints neofetch when it starts.
programs.bash.promptInit = "fish";
programs.fish = {
  enable = true;
  promptInit = "neofetch";
};
####### PHPFPM #######
services.phpfpm.pools.mypool = {
  # Workers run as the web-server user; PHP code therefore has the same
  # filesystem reach as Caddy itself, not a separate identity.
  user = "caddy";
  group = "php";
  phpPackage = custom-php;
  settings = {
    "pm" = "dynamic";
    "pm.max_children" = 75;
    "pm.start_servers" = 10;
    "pm.min_spare_servers" = 5;
    "pm.max_spare_servers" = 20;
    "pm.max_requests" = 500;
    # The master process environment is passed through to every worker, so
    # any variable the service sees is readable from PHP.
    "clear_env" = "no";
  };
};
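####### CADDY #######
services.caddy = {
  enable = true;
  package = pkgs.caddy;
  user = "caddy";
  # NOTE(review): the process runs with the root group rather than the
  # module default; confirm something root-group-readable actually needs this,
  # otherwise "caddy" is the least-privilege choice.
  group = "root";
  email = "${personalization.caddy_email_for_acme}";
  virtualHosts = {
    "${personalization.wordpress_url}" = {
      # `browse` was dropped from file_server: it rendered directory listings
      # for every path under the WordPress root that lacks an index file.
      extraConfig = ''
        encode gzip zstd
        root * /var/lib/www/wordpress
        php_fastcgi unix//run/phpfpm/mypool.sock
        file_server
      '';
    };
    "${personalization.nextcloud_url}" = {
      # trusted_proxies lets Nextcloud see the real client address when the
      # request arrived via a private-range proxy.
      extraConfig = ''
        encode gzip zstd
        root * /var/lib/www/nextcloud
        php_fastcgi unix//run/phpfpm/mypool.sock {
          trusted_proxies private_ranges
        }
        file_server
        redir /.well-known/carddav /remote.php/dav/ 301
        redir /.well-known/caldav /remote.php/dav/ 301
        header {
          Strict-Transport-Security max-age=31536000;
        }
      '';
    };
    # Matrix client API: only the Synapse paths are proxied.
    "${personalization.matrix_url}" = {
      extraConfig = ''
        reverse_proxy /_matrix/* http://localhost:8008
        reverse_proxy /_synapse/client/* http://localhost:8008
      '';
    };
    # Matrix federation port: everything goes to Synapse.
    "${personalization.matrix_url}:8448" = {
      extraConfig = ''
        reverse_proxy http://localhost:8008
      '';
    };
    "${personalization.btcpayserver_url}" = {
      extraConfig = ''
        reverse_proxy http://localhost:23000
        encode gzip zstd
      '';
    };
    "https://${personalization.vaultwarden_url}" = {
      extraConfig = ''
        reverse_proxy http://localhost:8777
        encode gzip zstd
      '';
    };
    # Plain listener on 3051 forwarding to 3050 (no hostname, so no TLS).
    ":3051" = {
      extraConfig = ''
        reverse_proxy :3050
        encode gzip zstd
      '';
    };
  };
};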
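###### AGENIX #######
age.identityPaths = [ "/root/.ssh/agenix/agenix-secret-keys" ];
# Decrypted secrets are read-only for owner and group. The previous mode
# (770) made them group-writable and executable, which no consumer needs.
age.secrets = {
  matrix_reg_secret = {
    file = /var/lib/agenix-secrets/matrix_reg_secret.age;
    mode = "0440";
    owner = "matrix-synapse";
    group = "matrix-synapse";
  };
  matrixdb = {
    file = /var/lib/agenix-secrets/matrixdb.age;
    mode = "0440";
    owner = "postgres";
    group = "postgres";
  };
  # Was declared as `nexclouddb` (typo) while the PostgreSQL init script
  # references `config.age.secrets.nextclouddb`; the names now agree.
  nextclouddb = {
    file = /var/lib/agenix-secrets/nextclouddb.age;
    mode = "0440";
    owner = "postgres";
    group = "postgres";
  };
  wordpressdb = {
    file = /var/lib/agenix-secrets/wordpressdb.age;
    mode = "0440";
    owner = "mysql";
    group = "mysql";
  };
};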
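###### CREATE DATABASE (WORDPRESS, MATRIX_SYNAPSE, AND NEXTCLOUD) #######
services.postgresql = {
  enable = true;
  # `trust` admits any local OS user as any role, including the `postgres`
  # superuser, with no password; the role passwords set below only matter
  # for clients that do not match these lines.
  authentication = lib.mkForce ''
    # Generated file; do not edit!
    # TYPE DATABASE USER ADDRESS METHOD
    local all all trust
    host all all 127.0.0.1/32 trust
    host all all ::1/128 trust
  '';
  # Executed once through psql on first start. The previous script
  # interpolated `config.age.secrets.<name>.path` — the *filename* of the
  # decrypted secret — as the password literal. psql backtick expansion now
  # reads the file contents (psql runs as postgres, which owns the decrypted
  # files) and `:'var'` emits them as a properly quoted SQL literal, so the
  # secret never lands in the Nix store.
  initialScript = pkgs.writeText "begin-init.sql" ''
    \set ncpw `cat ${config.age.secrets.nextclouddb.path}`
    CREATE ROLE "ncusr" WITH LOGIN PASSWORD :'ncpw';
    CREATE DATABASE "nextclouddb" WITH OWNER "ncusr"
      TEMPLATE template0
      LC_COLLATE = "C"
      LC_CTYPE = "C";
    \set synpw `cat ${config.age.secrets.matrixdb.path}`
    CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD :'synpw';
    CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
      TEMPLATE template0
      LC_COLLATE = "C"
      LC_CTYPE = "C";
  '';
};

services.mysql = {
  enable = true;
  package = pkgs.mariadb;
  # NOTE(review): `IDENTIFIED BY` still receives the secret's *path*, not its
  # contents, so the WordPress password is that predictable path string. The
  # mysql client has no equivalent of psql's backtick expansion; set this
  # password out of band (e.g. a unit ordered after mysql.service that reads
  # the file) and keep the placeholder only until then. The grant is scoped
  # to the WordPress database; `*.*` handed the account global privileges.
  initialScript = pkgs.writeText "wordpress-init.sql" ''
    CREATE DATABASE wordpressdb;
    CREATE USER 'wpusr'@'localhost' IDENTIFIED BY '${config.age.secrets.wordpressdb.path}';
    GRANT ALL ON wordpressdb.* TO 'wpusr'@'localhost';
    FLUSH PRIVILEGES;
  '';
};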
####### KEEP AWAKE for DISPLAY and HEADLESS #######
# GDM must not suspend an idle login screen, and logind must refuse every
# sleep state, so the hosted services stay reachable.
services.xserver.displayManager.gdm.autoSuspend = false;
systemd.sleep.extraConfig = ''
  AllowSuspend=no
  AllowHibernation=no
  AllowHybridSleep=no
  AllowSuspendThenHibernate=no
'';
####### BACKUP TO INTERNAL DRIVE #######
services.rsnapshot = {
  enable = true;
  # NOTE(review): /etc/nix-bitcoin-secrets/ (plaintext secrets, going by the
  # name) and all of /var/lib/ are copied as-is, so the backup volume holds
  # every secret the host does; its access controls need to match.
  extraConfig = ''
    snapshot_root /run/media/Second_Drive/BTCEcoandBackup/NixOS_Snapshot_Backup
    retain hourly 5
    retain daily 5
    backup /home/ localhost/
    backup /var/lib/ localhost/
    backup /etc/nixos/ localhost/
    backup /etc/nix-bitcoin-secrets/ localhost/
  '';
  cronIntervals = {
    hourly = "0 * * * *";
    daily = "50 21 * * *";
  };
};
####### CRON #######
services.cron = {
  enable = true;
  systemCronJobs = [
    # Nextcloud background jobs, run as the php-fpm/web user.
    "*/5 * * * * caddy /run/current-system/sw/bin/php -f /var/lib/www/nextcloud/cron.php"
    # Maintenance scripts kept outside the Nix store and run as root.
    # NOTE(review): if either script's directory is writable by a non-root
    # account, that account gets root every 15 minutes — check ownership.
    "*/15 * * * * root /run/current-system/sw/bin/bash /var/lib/njalla/njalla.sh"
    "*/15 * * * * root /run/current-system/sw/bin/bash /var/lib/external_ip/external_ip.sh"
  ];
};
####### TOR #######
# Tor client with torsocks; Privoxy chains through it.
services.tor = {
  enable = true;
  client.enable = true;
  torsocks.enable = true;
};
services.privoxy.enableTor = true;
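####### Enable the OpenSSH daemon #######
services.openssh = {
  enable = true;
  settings = {
    PasswordAuthentication = false;
    KbdInteractiveAuthentication = false;
    # Root can still log in, but only with a key. The previous "yes" would
    # also have admitted any other authentication method enabled later.
    PermitRootLogin = "prohibit-password";
  };
};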
####### Fail2Ban #######
services.fail2ban = {
  enable = true;
  # Loopback and RFC 1918 ranges are never banned.
  # NOTE(review): 8.8.8.8 is a public resolver; whitelisting it is unusual,
  # confirm it is intended.
  ignoreIP = [
    "127.0.0.0/8"
    "10.0.0.0/8"
    "172.16.0.0/12"
    "192.168.0.0/16"
    "8.8.8.8"
  ];
};
####### Open ports in the firewall #######
networking.firewall =
  let
    # HTTP/HTTPS, 5349 (presumably TURN over TLS, see the relay range),
    # Matrix federation (8448) and the 3050/3051 pair from the Caddy section.
    servicePorts = [ 80 443 5349 8448 3050 3051 ];
  in
  {
    enable = true;
    allowedTCPPorts = servicePorts;
    # NOTE(review): the same list is opened over UDP. Beyond 443 (HTTP/3) and
    # the TURN port it is not clear any of these speak UDP — trim if not.
    allowedUDPPorts = servicePorts;
    allowedUDPPortRanges = [
      { from = 49152; to = 65535; } # TURN relay
    ];
  };
####### AUTO COLLECT GARBAGE #######
nix.gc = {
  automatic = true;
  dates = "weekly";
  options = "--delete-older-than 7d";
};

# Pins stateful defaults to the release first installed; do not bump on upgrades.
system.stateVersion = "22.05";
}