2023-07-28 17:12:53 -07:00
|
|
|
{ config, pkgs, lib, ... }:
|
|
|
|
|
|
|
|
|
|
|
|
let
|
2023-07-28 18:59:32 -07:00
|
|
|
personalization = import ./modules/personalization.nix;
|
2023-07-28 17:12:53 -07:00
|
|
|
|
|
|
|
|
|
|
|
custom-php = pkgs.php81.buildEnv {
|
2023-12-16 18:25:50 -08:00
|
|
|
extensions = { enabled, all }: enabled ++ (with all; [ bz2 apcu redis imagick memcached ]);
|
2023-07-28 17:12:53 -07:00
|
|
|
extraConfig = ''
|
|
|
|
display_errors = On
|
|
|
|
display_startup_errors = On
|
|
|
|
max_execution_time = 6000
|
|
|
|
max_input_time = 3000
|
|
|
|
memory_limit = 8G;
|
|
|
|
opcache.enable=1;
|
|
|
|
opcache.memory_consumption=512;
|
|
|
|
opcache_revalidate_freq = 240;
|
|
|
|
opcache.max_accelerated_files=4000;
|
|
|
|
auto_prepend_file = '/var/lib/www/wordpress/wordfence-waf.php'
|
2024-01-04 20:34:16 -08:00
|
|
|
post_max_size = 3G
|
|
|
|
upload_max_filesize = 3G
|
2023-07-28 17:12:53 -07:00
|
|
|
opcache.interned_strings_buffer = 32
|
|
|
|
apc.enable_cli=1
|
2023-09-05 08:27:04 -07:00
|
|
|
redis.session.locking_enabled=1
|
|
|
|
redis.session.lock_retries=-1
|
|
|
|
redis.session.lock_wait_time=10000
|
|
|
|
|
2023-07-28 17:12:53 -07:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
in
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
imports =
|
|
|
|
|
|
|
|
[
|
2023-07-28 19:03:24 -07:00
|
|
|
|
2023-07-28 17:12:53 -07:00
|
|
|
./modules/modules.nix
|
|
|
|
|
|
|
|
];
|
|
|
|
|
|
|
|
# Bootloader.
|
|
|
|
boot.loader.systemd-boot.enable = true;
|
|
|
|
boot.loader.efi.canTouchEfiVariables = true;
|
|
|
|
boot.loader.efi.efiSysMountPoint = "/boot/efi";
|
|
|
|
boot.kernelPackages = pkgs.linuxPackages_latest;
|
|
|
|
|
|
|
|
# Enable Automount without Fail for Internal Drive.
|
|
|
|
fileSystems."/run/media/Second_Drive" = {
|
|
|
|
device = "LABEL=BTCEcoandBackup";
|
|
|
|
fsType = "ext4";
|
|
|
|
options = [ "nofail" ];
|
|
|
|
};
|
|
|
|
|
2024-01-29 13:14:16 -08:00
|
|
|
fileSystems."/boot/efi".options = [ "umask=0077" "defaults" ];
|
|
|
|
|
2023-12-16 19:07:01 -08:00
|
|
|
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
2023-07-28 17:12:53 -07:00
|
|
|
|
|
|
|
networking.hostName = "nixos"; # Define your hostname.
|
|
|
|
|
|
|
|
# Enable networking
|
|
|
|
networking.networkmanager.enable = true;
|
|
|
|
|
|
|
|
# Set your time zone.
|
|
|
|
time.timeZone = "America/Los_Angeles";
|
|
|
|
|
|
|
|
# Select internationalisation properties.
|
|
|
|
i18n.defaultLocale = "en_US.UTF-8";
|
|
|
|
|
|
|
|
# Enable the X11 windowing system.
|
|
|
|
services.xserver.enable = true;
|
|
|
|
|
|
|
|
# Enable the GNOME Desktop Environment.
|
|
|
|
services.xserver.displayManager.gdm.enable = true;
|
|
|
|
services.xserver.desktopManager.gnome.enable = true;
|
|
|
|
|
|
|
|
# Configure keymap in X11
|
|
|
|
services.xserver = {
|
|
|
|
layout = "us";
|
|
|
|
xkbVariant = "";
|
|
|
|
};
|
|
|
|
|
|
|
|
# Enable CUPS to print documents.
|
|
|
|
services.printing.enable = true;
|
|
|
|
|
|
|
|
# Systemd Settings
|
|
|
|
systemd.enableEmergencyMode = false;
|
|
|
|
|
|
|
|
# Enable sound with pipewire.
|
|
|
|
sound.enable = true;
|
|
|
|
hardware.pulseaudio.enable = false;
|
|
|
|
security.rtkit.enable = true;
|
|
|
|
services.pipewire = {
|
|
|
|
enable = true;
|
|
|
|
alsa.enable = true;
|
|
|
|
alsa.support32Bit = true;
|
|
|
|
pulse.enable = true;
|
|
|
|
};
|
|
|
|
|
|
|
|
users.users = {
|
|
|
|
free = {
|
|
|
|
isNormalUser = true;
|
|
|
|
description = "free";
|
|
|
|
extraGroups = [ "networkmanager" ];
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
####### PHP user for PHPFPM #######
|
|
|
|
php = {
|
|
|
|
isSystemUser = true;
|
|
|
|
createHome = false;
|
|
|
|
uid = 7777;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
users.users.php.group = "php";
|
|
|
|
users.groups.php = {};
|
|
|
|
|
|
|
|
# Enable automatic login for the user.
|
|
|
|
services.xserver.displayManager.autoLogin.enable = true;
|
|
|
|
services.xserver.displayManager.autoLogin.user = "free";
|
|
|
|
|
|
|
|
# Workaround for GNOME autologin: https://github.com/NixOS/nixpkgs/issues/103746#issuecomment-945091229
|
|
|
|
systemd.services."getty@tty1".enable = true;
|
|
|
|
systemd.services."autovt@tty1".enable = true;
|
|
|
|
|
|
|
|
# Allow Flatpak
|
|
|
|
services.flatpak.enable = true;
|
|
|
|
|
|
|
|
# Allow unfree packages
|
|
|
|
nixpkgs.config.allowUnfree = true;
|
|
|
|
|
|
|
|
# List packages installed in system profile. To search, run:
|
|
|
|
# $ nix search wget
|
|
|
|
environment.systemPackages = with pkgs; [
|
2024-03-01 17:45:55 -08:00
|
|
|
(callPackage ./modules/systemd-manager_sovran_systems.nix {})
|
2023-07-28 17:12:53 -07:00
|
|
|
git
|
|
|
|
wget
|
|
|
|
librewolf
|
|
|
|
fish
|
|
|
|
htop
|
|
|
|
gnomeExtensions.dash-to-dock
|
|
|
|
gnomeExtensions.transparent-top-bar-adjustable-transparency
|
|
|
|
gnomeExtensions.vitals
|
|
|
|
gnomeExtensions.pop-shell
|
|
|
|
gnomeExtensions.just-perfection
|
|
|
|
gnomeExtensions.appindicator
|
2023-12-06 11:30:21 -08:00
|
|
|
#gnomeExtensions.date-menu-formatter
|
2023-07-28 17:12:53 -07:00
|
|
|
gnome.gnome-tweaks
|
|
|
|
papirus-icon-theme
|
|
|
|
ranger
|
2024-03-01 18:36:55 -08:00
|
|
|
sparrow
|
2023-07-28 17:12:53 -07:00
|
|
|
bisq-desktop
|
|
|
|
neofetch
|
2024-01-02 11:37:04 -08:00
|
|
|
gedit
|
2023-07-28 17:12:53 -07:00
|
|
|
matrix-synapse
|
|
|
|
openssl
|
|
|
|
pwgen
|
|
|
|
aspell
|
|
|
|
aspellDicts.en
|
|
|
|
lm_sensors
|
|
|
|
hunspell
|
|
|
|
hunspellDicts.en_US
|
|
|
|
custom-php
|
|
|
|
matrix-synapse-tools.synadm
|
|
|
|
brave
|
|
|
|
ncdu_2
|
|
|
|
bitwarden
|
|
|
|
gparted
|
|
|
|
pv
|
|
|
|
unzip
|
|
|
|
parted
|
|
|
|
screen
|
|
|
|
gnome.zenity
|
|
|
|
libargon2
|
|
|
|
gnome.gnome-terminal
|
2023-08-10 17:09:16 -07:00
|
|
|
libreoffice-fresh
|
2023-08-25 20:32:52 -07:00
|
|
|
dig
|
2023-09-11 10:22:16 -07:00
|
|
|
nextcloud-client
|
2023-11-21 14:27:14 -08:00
|
|
|
ungoogled-chromium
|
2024-04-10 16:30:55 -07:00
|
|
|
libreoffice-fresh
|
2023-07-28 17:12:53 -07:00
|
|
|
|
|
|
|
];
|
|
|
|
|
2023-12-11 15:38:10 -08:00
|
|
|
nixpkgs.config.permittedInsecurePackages = [ "electron-25.9.0" ];
|
2023-07-28 17:12:53 -07:00
|
|
|
|
|
|
|
|
|
|
|
programs.bash.promptInit = "fish";
|
|
|
|
programs.fish = {
|
|
|
|
enable = true;
|
|
|
|
promptInit = "neofetch";
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
####### PHPFMP #######
|
|
|
|
services.phpfpm.pools = {
|
|
|
|
mypool = {
|
|
|
|
user = "caddy";
|
|
|
|
group = "php";
|
|
|
|
phpPackage = custom-php;
|
|
|
|
settings = {
|
|
|
|
"pm" = "dynamic";
|
|
|
|
"pm.max_children" = 75;
|
|
|
|
"pm.start_servers" = 10;
|
|
|
|
"pm.min_spare_servers" = 5;
|
|
|
|
"pm.max_spare_servers" = 20;
|
|
|
|
"pm.max_requests" = 500;
|
|
|
|
"clear_env" = "no";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
####### CADDY #######
|
|
|
|
services.caddy = {
|
|
|
|
enable = true;
|
|
|
|
package = pkgs.caddy;
|
|
|
|
user = "caddy";
|
|
|
|
group = "root";
|
2024-01-29 13:18:45 -08:00
|
|
|
email = "${personalization.caddy_email_for_acme}";
|
2024-01-29 13:14:16 -08:00
|
|
|
|
2023-07-28 17:12:53 -07:00
|
|
|
virtualHosts = {
|
|
|
|
"${personalization.wordpress_url}" = {
|
|
|
|
extraConfig = ''
|
|
|
|
encode gzip zstd
|
|
|
|
root * /var/lib/www/wordpress
|
|
|
|
php_fastcgi unix//run/phpfpm/mypool.sock
|
|
|
|
file_server browse
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
"${personalization.nextcloud_url}" = {
|
|
|
|
extraConfig = ''
|
|
|
|
encode gzip zstd
|
|
|
|
root * /var/lib/www/nextcloud
|
|
|
|
php_fastcgi unix//run/phpfpm/mypool.sock
|
|
|
|
file_server
|
|
|
|
redir /.well-known/carddav /remote.php/carddav 301
|
|
|
|
redir /.well-known/caldav /remote.php/caldav 301
|
|
|
|
header {
|
|
|
|
Strict-Transport-Security max-age=31536000;
|
|
|
|
}
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
"${personalization.matrix_url}" = {
|
|
|
|
extraConfig = ''
|
|
|
|
reverse_proxy /_matrix/* http://localhost:8008
|
|
|
|
reverse_proxy /_synapse/client/* http://localhost:8008
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
"${personalization.matrix_url}:8448" = {
|
|
|
|
extraConfig = ''
|
|
|
|
reverse_proxy http://localhost:8008
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
"${personalization.btcpayserver_url}" = {
|
|
|
|
extraConfig = ''
|
|
|
|
reverse_proxy http://localhost:23000
|
|
|
|
encode gzip zstd
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
"https://${personalization.vaultwarden_url}" = {
|
|
|
|
extraConfig = ''
|
|
|
|
reverse_proxy http://localhost:8777
|
|
|
|
encode gzip zstd
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
":3051" = {
|
|
|
|
extraConfig = ''
|
|
|
|
reverse_proxy :3050
|
|
|
|
encode gzip zstd
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
###### CREATE DATABASE (WORDPRESS, MATRIX_SYNAPSE, AND NEXTCLOUD) #######
|
|
|
|
services.postgresql = {
|
|
|
|
enable = true;
|
|
|
|
};
|
|
|
|
|
2023-12-28 18:40:16 -08:00
|
|
|
|
2023-07-28 17:12:53 -07:00
|
|
|
services.postgresql.authentication = lib.mkForce ''
|
|
|
|
# Generated file; do not edit!
|
|
|
|
# TYPE DATABASE USER ADDRESS METHOD
|
|
|
|
local all all trust
|
|
|
|
host all all 127.0.0.1/32 trust
|
|
|
|
host all all ::1/128 trust
|
|
|
|
'';
|
|
|
|
|
|
|
|
|
|
|
|
services.mysql = {
|
|
|
|
enable = true;
|
|
|
|
};
|
|
|
|
|
2023-12-28 18:40:16 -08:00
|
|
|
|
2023-07-28 17:12:53 -07:00
|
|
|
services.postgresql.initialScript = pkgs.writeText "begin-init.sql" ''
|
|
|
|
CREATE ROLE "ncusr" WITH LOGIN PASSWORD '${personalization.age.secrets.nextclouddb.file}';
|
|
|
|
CREATE DATABASE "nextclouddb" WITH OWNER "ncusr"
|
|
|
|
TEMPLATE template0
|
|
|
|
LC_COLLATE = "C"
|
|
|
|
LC_CTYPE = "C";
|
|
|
|
|
|
|
|
|
|
|
|
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD '${personalization.age.secrets.matrixdb.file}';
|
|
|
|
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
|
|
|
|
TEMPLATE template0
|
|
|
|
LC_COLLATE = "C"
|
|
|
|
LC_CTYPE = "C";
|
|
|
|
|
|
|
|
''
|
|
|
|
;
|
|
|
|
|
|
|
|
services.mysql.initialScript = pkgs.writeText "wordpress-init.sql" ''
|
|
|
|
CREATE DATABASE wordpressdb;
|
|
|
|
GRANT ALL ON *.* TO 'wpusr'@'localhost' IDENTIFIED BY '${personalization.age.secrets.wordpressdb.file}';
|
|
|
|
FLUSH PRIVILEGES;
|
|
|
|
''
|
|
|
|
;
|
|
|
|
|
|
|
|
|
|
|
|
####### KEEP AWAKE for DISPLAY and HEADLESS #######
|
|
|
|
services.xserver.displayManager.gdm.autoSuspend = false;
|
|
|
|
|
|
|
|
|
|
|
|
####### BACKUP TO INTERNAL DRIVE #######
|
|
|
|
services.rsnapshot = {
|
|
|
|
enable = true;
|
|
|
|
extraConfig = ''
|
|
|
|
snapshot_root /run/media/Second_Drive/BTCEcoandBackup/NixOS_Snapshot_Backup
|
2024-02-05 18:44:40 -08:00
|
|
|
retain hourly 5
|
|
|
|
retain daily 5
|
2023-07-28 17:12:53 -07:00
|
|
|
backup /home/ localhost/
|
|
|
|
backup /var/lib/ localhost/
|
|
|
|
backup /etc/nixos/ localhost/
|
|
|
|
backup /etc/nix-bitcoin-secrets/ localhost/
|
2023-12-28 18:40:16 -08:00
|
|
|
'';
|
2023-07-28 17:12:53 -07:00
|
|
|
cronIntervals = {
|
|
|
|
daily = "50 21 * * *";
|
|
|
|
hourly = "0 * * * *";
|
2023-12-28 18:40:16 -08:00
|
|
|
};
|
|
|
|
};
|
2023-07-28 17:12:53 -07:00
|
|
|
|
|
|
|
|
|
|
|
####### CRON #######
|
|
|
|
services.cron = {
|
|
|
|
enable = true;
|
|
|
|
systemCronJobs = [
|
|
|
|
"*/5 * * * * caddy /run/current-system/sw/bin/php -f /var/lib/www/nextcloud/cron.php"
|
2024-01-27 18:17:26 -08:00
|
|
|
"*/15 * * * * root /run/current-system/sw/bin/bash /var/lib/njalla/njalla.sh"
|
|
|
|
"*/15 * * * * root /run/current-system/sw/bin/bash /var/lib/external_ip/external_ip.sh"
|
2023-07-28 17:12:53 -07:00
|
|
|
];
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
####### TOR #######
|
|
|
|
services.tor = {
|
|
|
|
enable = true;
|
|
|
|
client.enable = true;
|
|
|
|
torsocks.enable = true;
|
|
|
|
};
|
2023-12-28 18:40:16 -08:00
|
|
|
|
2023-07-28 17:12:53 -07:00
|
|
|
services.privoxy.enableTor = true;
|
|
|
|
|
|
|
|
|
|
|
|
####### Enable the OpenSSH daemon #######
|
|
|
|
services.openssh = {
|
|
|
|
enable = true;
|
|
|
|
settings = {
|
|
|
|
PasswordAuthentication = false;
|
|
|
|
KbdInteractiveAuthentication = false;
|
|
|
|
PermitRootLogin = "yes";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2023-12-28 18:40:16 -08:00
|
|
|
|
2023-07-28 17:12:53 -07:00
|
|
|
#######FailtoBan#######
|
|
|
|
services.fail2ban = {
|
|
|
|
enable = true;
|
|
|
|
ignoreIP = [
|
|
|
|
"127.0.0.0/8"
|
|
|
|
"10.0.0.0/8"
|
|
|
|
"172.16.0.0/12"
|
|
|
|
"192.168.0.0/16"
|
|
|
|
"8.8.8.8"
|
|
|
|
];
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
####### Open ports in the firewall #######
|
|
|
|
networking.firewall.allowedTCPPorts = [ 80 443 5349 8448 3050 3051 ];
|
|
|
|
networking.firewall.allowedUDPPorts = [ 80 443 5349 8448 3050 3051 ];
|
|
|
|
networking.firewall.allowedUDPPortRanges = [
|
|
|
|
{ from=49152; to=65535; } # TURN relay
|
|
|
|
];
|
|
|
|
|
2023-12-28 18:40:16 -08:00
|
|
|
|
2023-07-28 17:12:53 -07:00
|
|
|
networking.firewall.enable = true;
|
|
|
|
|
|
|
|
|
|
|
|
####### AUTO COLLECT GARABAGE #######
|
|
|
|
nix.gc = {
|
|
|
|
automatic = true;
|
|
|
|
dates = "weekly";
|
|
|
|
options = "--delete-older-than 7d";
|
|
|
|
};
|
|
|
|
|
2023-12-28 18:40:16 -08:00
|
|
|
|
2023-07-28 17:12:53 -07:00
|
|
|
system.stateVersion = "22.05";
|
|
|
|
|
|
|
|
}
|