From 6c771f07c268dd92709a9a37b4dacaaec9455ba1 Mon Sep 17 00:00:00 2001
From: naturallaw77
Date: Fri, 28 Jul 2023 17:12:53 -0700
Subject: [PATCH] updated all files to make nixos rebuild pure

---
 configuration.nix | 436 ++++++++++++++++++++++++++++++++++++++
 flake.lock | 18 +-
 flake.nix | 2 +-
 modules/configuration.nix | 14 ++
 modules/modules.nix | 4 +-
 5 files changed, 462 insertions(+), 12 deletions(-)
 create mode 100644 configuration.nix

diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..2f3b50b
--- /dev/null
+++ b/configuration.nix
@@ -0,0 +1,436 @@
+{ config, pkgs, lib, ... }:
+
+
+let
+ personalization = import ./personalization.nix;
+
+
+ custom-php = pkgs.php81.buildEnv {
+ extensions = { enabled, all }: enabled ++ (with all; [ apcu redis imagick memcached ]);
+ extraConfig = ''
+ display_errors = On
+ display_startup_errors = On
+ max_execution_time = 6000
+ max_input_time = 3000
+ memory_limit = 8G;
+ opcache.enable=1;
+ opcache.memory_consumption=512;
+ opcache_revalidate_freq = 240;
+ opcache.max_accelerated_files=4000;
+ auto_prepend_file = '/var/lib/www/wordpress/wordfence-waf.php'
+ post_max_size = 2048M
+ upload_max_filesize = 2048M
+ opcache.interned_strings_buffer = 32
+ apc.enable_cli=1
+ '';
+ };
+
+in
+
+{
+
+ imports =
+
+ [
+ ./hardware-configuration.nix
+ ./modules/modules.nix
+
+ ];
+
+ # Bootloader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.loader.efi.efiSysMountPoint = "/boot/efi";
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+
+ # Enable Automount without Fail for Internal Drive.
+ fileSystems."/run/media/Second_Drive" = {
+ device = "LABEL=BTCEcoandBackup";
+ fsType = "ext4";
+ options = [ "nofail" ];
+ };
+
+ nix = {
+ package = pkgs.nixUnstable;
+ extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+ };
+
+ networking.hostName = "nixos"; # Define your hostname.
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+
+ # Enable networking
+ networking.networkmanager.enable = true;
+
+ # Set your time zone.
+ time.timeZone = "America/Los_Angeles";
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ # Enable the X11 windowing system.
+ services.xserver.enable = true;
+
+ # Enable the GNOME Desktop Environment.
+ services.xserver.displayManager.gdm.enable = true;
+ services.xserver.desktopManager.gnome.enable = true;
+
+ # Configure keymap in X11
+ services.xserver = {
+ layout = "us";
+ xkbVariant = "";
+ };
+
+ # Enable CUPS to print documents.
+ services.printing.enable = true;
+
+ # Systemd Settings
+ systemd.enableEmergencyMode = false;
+
+ # Enable sound with pipewire.
+ sound.enable = true;
+ hardware.pulseaudio.enable = false;
+ security.rtkit.enable = true;
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ };
+
+ users.users = {
+ free = {
+ isNormalUser = true;
+ description = "free";
+ extraGroups = [ "networkmanager" ];
+ };
+
+
+####### PHP user for PHPFPM #######
+ php = {
+ isSystemUser = true;
+ createHome = false;
+ uid = 7777;
+ };
+ };
+
+ users.users.php.group = "php";
+ users.groups.php = {};
+
+
+
+ # Enable automatic login for the user.
+ services.xserver.displayManager.autoLogin.enable = true;
+ services.xserver.displayManager.autoLogin.user = "free";
+
+ # Workaround for GNOME autologin: https://github.com/NixOS/nixpkgs/issues/103746#issuecomment-945091229
+ systemd.services."getty@tty1".enable = true;
+ systemd.services."autovt@tty1".enable = true;
+
+ # Allow Flatpak
+ services.flatpak.enable = true;
+
+ # Allow unfree packages
+ nixpkgs.config.allowUnfree = true;
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ git
+ wget
+ librewolf
+ fish
+ htop
+ gnomeExtensions.dash-to-dock
+ gnomeExtensions.transparent-top-bar-adjustable-transparency
+ gnomeExtensions.vitals
+ gnomeExtensions.pop-shell
+ gnomeExtensions.just-perfection
+ gnomeExtensions.appindicator
+ gnomeExtensions.systemd-manager
+ gnomeExtensions.date-menu-formatter
+ gnome.gnome-tweaks
+ papirus-icon-theme
+ ranger
+ bisq-desktop
+ neofetch
+ gnome.gedit
+ matrix-synapse
+ openssl
+ pwgen
+ aspell
+ aspellDicts.en
+ lm_sensors
+ hunspell
+ hunspellDicts.en_US
+ custom-php
+ matrix-synapse-tools.synadm
+ brave
+ ncdu_2
+ bitwarden
+ gparted
+ pv
+ unzip
+ parted
+ screen
+ gnome.zenity
+ libargon2
+ gnome.gnome-terminal
+
+ ];
+
+ nixpkgs.config.permittedInsecurePackages = [
+ ];
+
+
+ programs.bash.promptInit = "fish";
+ programs.fish = {
+ enable = true;
+ promptInit = "neofetch";
+ };
+
+
+####### PHPFMP #######
+ services.phpfpm.pools = {
+ mypool = {
+ user = "caddy";
+ group = "php";
+ phpPackage = custom-php;
+ settings = {
+ "pm" = "dynamic";
+ "pm.max_children" = 75;
+ "pm.start_servers" = 10;
+ "pm.min_spare_servers" = 5;
+ "pm.max_spare_servers" = 20;
+ "pm.max_requests" = 500;
+ "clear_env" = "no";
+ };
+ };
+ };
+
+ #networking.enableIPv6 = false;
+
+####### CADDY #######
+ services.caddy = {
+ enable = true;
+ package = pkgs.caddy;
+ user = "caddy";
+ group = "root";
+ email = "${personalization.caddy_email_for_zerossl}";
+ acmeCA = "https://acme.zerossl.com/v2/DV90";
+ virtualHosts = {
+ "${personalization.wordpress_url}" = {
+ extraConfig = ''
+ encode gzip zstd
+ root * /var/lib/www/wordpress
+ php_fastcgi unix//run/phpfpm/mypool.sock
+ file_server browse
+ '';
+ };
+
+ "www.${personalization.wordpress_url}" = {
+ extraConfig = ''
+ encode gzip zstd
+ root * /var/lib/www/wordpress
+ php_fastcgi unix//run/phpfpm/mypool.sock
+ file_server browse
+ '';
+ };
+
+ "${personalization.nextcloud_url}" = {
+ extraConfig = ''
+ encode gzip zstd
+ root * /var/lib/www/nextcloud
+ php_fastcgi unix//run/phpfpm/mypool.sock
+ file_server
+ redir /.well-known/carddav /remote.php/carddav 301
+ redir /.well-known/caldav /remote.php/caldav 301
+ header {
+ Strict-Transport-Security max-age=31536000;
+ }
+ '';
+ };
+
+ "${personalization.matrix_url}" = {
+ extraConfig = ''
+ reverse_proxy /_matrix/* http://localhost:8008
+ reverse_proxy /_synapse/client/* http://localhost:8008
+ '';
+ };
+
+ "${personalization.matrix_url}:8448" = {
+ extraConfig = ''
+ reverse_proxy http://localhost:8008
+ '';
+ };
+
+ "${personalization.btcpayserver_url}" = {
+ extraConfig = ''
+ reverse_proxy http://localhost:23000
+ encode gzip zstd
+ '';
+ };
+
+ "https://${personalization.vaultwarden_url}" = {
+ extraConfig = ''
+ reverse_proxy http://localhost:8777
+ encode gzip zstd
+ '';
+ };
+
+ ":3051" = {
+ extraConfig = ''
+ reverse_proxy :3050
+ encode gzip zstd
+ tls internal
+ '';
+ };
+
+ "https://${personalization.onlyoffice_url}" = {
+ extraConfig = ''
+ reverse_proxy http://localhost:8000
+ '';
+ };
+ };
+ };
+
+
+###### CREATE DATABASE (WORDPRESS, MATRIX_SYNAPSE, AND NEXTCLOUD) #######
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_14;
+ };
+
+ services.postgresql.authentication = lib.mkForce ''
+ # Generated file; do not edit!
+ # TYPE DATABASE USER ADDRESS METHOD
+ local all all trust
+ host all all 127.0.0.1/32 trust
+ host all all ::1/128 trust
+ '';
+
+
+ services.mysql = {
+ enable = true;
+ package = pkgs.mariadb_1011;
+ };
+
+ services.postgresql.initialScript = pkgs.writeText "begin-init.sql" ''
+ CREATE ROLE "ncusr" WITH LOGIN PASSWORD '${personalization.age.secrets.nextclouddb.file}';
+ CREATE DATABASE "nextclouddb" WITH OWNER "ncusr"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+
+
+ CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD '${personalization.age.secrets.matrixdb.file}';
+ CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+
+ ''
+ ;
+
+ services.mysql.initialScript = pkgs.writeText "wordpress-init.sql" ''
+ CREATE DATABASE wordpressdb;
+ GRANT ALL ON *.* TO 'wpusr'@'localhost' IDENTIFIED BY '${personalization.age.secrets.wordpressdb.file}';
+ FLUSH PRIVILEGES;
+ ''
+ ;
+
+
+
+####### KEEP AWAKE for DISPLAY and HEADLESS #######
+ services.xserver.displayManager.gdm.autoSuspend = false;
+
+
+
+####### BACKUP TO INTERNAL DRIVE #######
+ services.rsnapshot = {
+ enable = true;
+ extraConfig = ''
+snapshot_root /run/media/Second_Drive/BTCEcoandBackup/NixOS_Snapshot_Backup
+retain hourly 12
+retain daily 12
+backup /home/ localhost/
+backup /var/lib/ localhost/
+backup /etc/nixos/ localhost/
+backup /etc/nix-bitcoin-secrets/ localhost/
+ '';
+ cronIntervals = {
+ daily = "50 21 * * *";
+ hourly = "0 * * * *";
+ };
+ };
+
+
+
+####### CRON #######
+ services.cron = {
+ enable = true;
+ systemCronJobs = [
+ "*/5 * * * * caddy /run/current-system/sw/bin/php -f /var/lib/www/nextcloud/cron.php"
+ "*/15 * * * * root /var/lib/njalla/njalla.sh"
+ "*/15 * * * * root /var/lib/external_ip/external_ip.sh"
+ ];
+ };
+
+
+####### TOR #######
+ services.tor = {
+ enable = true;
+ client.enable = true;
+ torsocks.enable = true;
+ };
+ services.privoxy.enableTor = true;
+
+
+
+
+####### Enable the OpenSSH daemon #######
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = "yes";
+ };
+ };
+ programs.ssh.agentTimeout = "3m";
+
+#######FailtoBan#######
+ services.fail2ban = {
+ enable = true;
+ ignoreIP = [
+ "127.0.0.0/8"
+ "10.0.0.0/8"
+ "172.16.0.0/12"
+ "192.168.0.0/16"
+ "8.8.8.8"
+ ];
+ };
+
+
+####### Open ports in the firewall #######
+ networking.firewall.allowedTCPPorts = [ 80 443 5349 8448 3050 3051 ];
+ networking.firewall.allowedUDPPorts = [ 80 443 5349 8448 3050 3051 ];
+ networking.firewall.allowedUDPPortRanges = [
+ { from=49152; to=65535; } # TURN relay
+ ];
+
+ # Or disable the firewall altogether.
+ networking.firewall.enable = true;
+
+
+####### AUTO COLLECT GARABAGE #######
+ nix.gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 7d";
+ };
+
+ system.stateVersion = "22.05";
+
+}
diff --git a/flake.lock b/flake.lock
index 97f2121..5d1ff4f 100644
--- a/flake.lock
+++ b/flake.lock
@@ -26,11 +26,11 @@
 "nixpkgs": "nixpkgs_2"
 },
 "locked": {
- "lastModified": 1690294654,
- "narHash": "sha256-UVcL4yjNXLyvt3OujWGupqOf6U3ZjTwQ3G96pJ8z0EM=",
+ "lastModified": 1690570683,
+ "narHash": "sha256-zA16hT9ZoD6H1bqZACPsn9+GU49YQPfv2k5bez/Q4eU=",
 "owner": "emmanuelrosa",
 "repo": "erosanix",
- "rev": "47a95b69e0fc3e1076c20f77aceb8c0cdab719a6",
+ "rev": "302c6ce1c46727a0a999d7c6bc750a0f8b275a9c",
 "type": "github"
 },
 "original": {
@@ -175,11 +175,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1688151534,
- "narHash": "sha256-Pl+YbDyHEOzTuLfNTIqN7j+c3pBaPrS6dk9f3sKTz74=",
+ "lastModified": 1690318695,
+ "narHash": "sha256-Ca8Er9gNMNvTg15FdIXp7cdoRlqztsmG+dC0ZKZ8R1c=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "cf1b7c4d5c027837e71d284a838fbeb05b3fcb7f",
+ "rev": "17d98b5b7c8bbeaf1e0a4140d125c7e797882f3b",
 "type": "github"
 },
 "original": {
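Review bot: `CREATE ROLE "ncusr" WITH LOGIN PASSWORD '${personalization.age.secrets.nextclouddb.file}'` (and the matching `matrixdb` and `wordpressdb` lines) interpolates a Nix path, so the role's password becomes that path string rather than the secret it points at, and because the script is built with `pkgs.writeText` whatever is interpolated there ends up in the world-readable `/nix/store` — the value has to be read at run time instead, e.g. a psql `\set` fed by a backtick `cat` of the decrypted file and `PASSWORD :'ncpass'` as sketched below (for MariaDB, which has no such meta-command, `services.mysql.ensureUsers` with socket auth or a one-shot unit that reads the file is the equivalent), and `GRANT ALL ON *.*` should be narrowed to `wordpressdb.*`. The `lib.mkForce` pg_hba block a few lines above makes the passwords moot locally anyway: `trust` on the unix socket and both loopback addresses lets every local account — including the `caddy` user the `mypool` PHP-FPM pool runs WordPress and Nextcloud under — open any database as any role, superuser included, so `peer` for the `local` line and `scram-sha-256` for the two `host` lines is the usual replacement. Two smaller exposure points in the same hunk: `file_server browse` on both WordPress vhosts publishes directory listings of the web root, and `display_errors = On` / `display_startup_errors = On` in the PHP ini return stack traces and filesystem paths to clients. Finally, 3050 is opened in `allowedTCPPorts`/`allowedUDPPorts` even though the `:3051` vhost exists only to put `tls internal` in front of it, so the plaintext listener is reachable directly if it binds all interfaces (not visible here).

```nix
  services.postgresql.initialScript = pkgs.writeText "begin-init.sql" ''
    -- read the passwords at run time; assumes agenix exposes the decrypted file at age.secrets.<name>.path — adjust if the secret lives elsewhere
    \set ncpass `cat ${config.age.secrets.nextclouddb.path}`
    CREATE ROLE "ncusr" WITH LOGIN PASSWORD :'ncpass';
    -- … unchanged: CREATE DATABASE "nextclouddb" …
    \set synpass `cat ${config.age.secrets.matrixdb.path}`
    CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD :'synpass';
    -- … unchanged: CREATE DATABASE "matrix-synapse" …
  '';
```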
@@ -207,11 +207,11 @@
 },
 "nixpkgs_4": {
 "locked": {
- "lastModified": 1690272529,
- "narHash": "sha256-MakzcKXEdv/I4qJUtq/k/eG+rVmyOZLnYNC2w1mB59Y=",
+ "lastModified": 1690367991,
+ "narHash": "sha256-2VwOn1l8y6+cu7zjNE8MgeGJNNz1eat1HwHrINeogFA=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "ef99fa5c5ed624460217c31ac4271cfb5cb2502c",
+ "rev": "c9cf0708f00fbe553319258e48ca89ff9a413703",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index e92cec2..33e4b2c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -28,7 +28,7 @@ imports = [ - ./modules/modules.nix + ./configuration.nix nix-bitcoin.nixosModules.default
diff --git a/modules/configuration.nix b/modules/configuration.nix
index 625d361..fa8d0a4 100644
--- a/modules/configuration.nix
+++ b/modules/configuration.nix
@@ -24,8 +24,22 @@ let apc.enable_cli=1 ''; }; + in + { + + imports = + + [ + ./hardware-configuration.nix + ./modules/modules.nix + + ]; + + + + # Bootloader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true;
diff --git a/modules/modules.nix b/modules/modules.nix
index e9e1b1f..37c1184 100644
--- a/modules/modules.nix
+++ b/modules/modules.nix
@@ -3,13 +3,13 @@ { imports = [ - ./configuration.nix + ./synapse.nix ./coturn.nix ./bitcoinecosystem.nix ./vaultwarden.nix ./onlyoffice.nix ./Sovran_SystemsOS_File_Fixes_And_New_Services.nix - /etc/nixos/hardware-configuration.nix + ]; }
\ No newline at end of file
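Review bot: The `imports` added to `modules/configuration.nix` are relative to `modules/`, so `./hardware-configuration.nix` resolves to `modules/hardware-configuration.nix` and `./modules/modules.nix` to `modules/modules/modules.nix`, neither of which this tree appears to contain (the diffstat lists only the root `configuration.nix` as new, and `modules/modules.nix` in the same commit imports `./synapse.nix`, not a nested `modules/`); if this file is still evaluated anywhere the rebuild fails on a missing path. Since the same commit drops `./configuration.nix` from `modules/modules.nix` and points `flake.nix` at the root `configuration.nix`, this file looks like an orphaned copy of the new root file that will silently diverge, and deleting it is cleaner than patching it; if it is meant to stay, the paths should read `../hardware-configuration.nix` and `./modules.nix`. The `let` expression this hunk closes with `in` begins before the hunk, and the module body continues after it.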