Sovran_Systems/Sovran_SystemsOS
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

updated all files to make nixos rebuild pure

Browse Source
This commit is contained in:
naturallaw77 2023-07-28 17:12:53 -07:00
parent f0e7ad2514
commit 6c771f07c2
5 changed files with 462 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

436
configuration.nix Normal file
View File

@ -0,0 +1,436 @@
{ config, pkgs, lib, ... }:
let
personalization = import ./personalization.nix;
custom-php = pkgs.php81.buildEnv {
extensions = { enabled, all }: enabled ++ (with all; [ apcu redis imagick memcached ]);
extraConfig = ''
display_errors = On
display_startup_errors = On
max_execution_time = 6000
max_input_time = 3000
memory_limit = 8G;
opcache.enable=1;
opcache.memory_consumption=512;
opcache_revalidate_freq = 240;
opcache.max_accelerated_files=4000;
auto_prepend_file = '/var/lib/www/wordpress/wordfence-waf.php'
post_max_size = 2048M
upload_max_filesize = 2048M
opcache.interned_strings_buffer = 32
apc.enable_cli=1
'';
};
in
{
imports =
[
./hardware-configuration.nix
./modules/modules.nix
];
# Bootloader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.efi.efiSysMountPoint = "/boot/efi";
boot.kernelPackages = pkgs.linuxPackages_latest;
# Enable Automount without Fail for Internal Drive.
fileSystems."/run/media/Second_Drive" = {
device = "LABEL=BTCEcoandBackup";
fsType = "ext4";
options = [ "nofail" ];
};
nix = {
package = pkgs.nixUnstable;
extraOptions = ''
experimental-features = nix-command flakes
'';
};
networking.hostName = "nixos"; # Define your hostname.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# Enable networking
networking.networkmanager.enable = true;
# Set your time zone.
time.timeZone = "America/Los_Angeles";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
# Enable the X11 windowing system.
services.xserver.enable = true;
# Enable the GNOME Desktop Environment.
services.xserver.displayManager.gdm.enable = true;
services.xserver.desktopManager.gnome.enable = true;
# Configure keymap in X11
services.xserver = {
layout = "us";
xkbVariant = "";
};
# Enable CUPS to print documents.
services.printing.enable = true;
# Systemd Settings
systemd.enableEmergencyMode = false;
# Enable sound with pipewire.
sound.enable = true;
hardware.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
users.users = {
free = {
isNormalUser = true;
description = "free";
extraGroups = [ "networkmanager" ];
};
####### PHP user for PHPFPM #######
php = {
isSystemUser = true;
createHome = false;
uid = 7777;
};
};
users.users.php.group = "php";
users.groups.php = {};
# Enable automatic login for the user.
services.xserver.displayManager.autoLogin.enable = true;
services.xserver.displayManager.autoLogin.user = "free";
# Workaround for GNOME autologin: https://github.com/NixOS/nixpkgs/issues/103746#issuecomment-945091229
systemd.services."getty@tty1".enable = true;
systemd.services."autovt@tty1".enable = true;
# Allow Flatpak
services.flatpak.enable = true;
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
git
wget
librewolf
fish
htop
gnomeExtensions.dash-to-dock
gnomeExtensions.transparent-top-bar-adjustable-transparency
gnomeExtensions.vitals
gnomeExtensions.pop-shell
gnomeExtensions.just-perfection
gnomeExtensions.appindicator
gnomeExtensions.systemd-manager
gnomeExtensions.date-menu-formatter
gnome.gnome-tweaks
papirus-icon-theme
ranger
bisq-desktop
neofetch
gnome.gedit
matrix-synapse
openssl
pwgen
aspell
aspellDicts.en
lm_sensors
hunspell
hunspellDicts.en_US
custom-php
matrix-synapse-tools.synadm
brave
ncdu_2
bitwarden
gparted
pv
unzip
parted
screen
gnome.zenity
libargon2
gnome.gnome-terminal
];
nixpkgs.config.permittedInsecurePackages = [
];
programs.bash.promptInit = "fish";
programs.fish = {
enable = true;
promptInit = "neofetch";
};
####### PHPFMP #######
services.phpfpm.pools = {
mypool = {
user = "caddy";
group = "php";
phpPackage = custom-php;
settings = {
"pm" = "dynamic";
"pm.max_children" = 75;
"pm.start_servers" = 10;
"pm.min_spare_servers" = 5;
"pm.max_spare_servers" = 20;
"pm.max_requests" = 500;
"clear_env" = "no";
};
};
};
#networking.enableIPv6 = false;
####### CADDY #######
services.caddy = {
enable = true;
package = pkgs.caddy;
user = "caddy";
group = "root";
email = "${personalization.caddy_email_for_zerossl}";
acmeCA = "https://acme.zerossl.com/v2/DV90";
virtualHosts = {
"${personalization.wordpress_url}" = {
extraConfig = ''
encode gzip zstd
root * /var/lib/www/wordpress
php_fastcgi unix//run/phpfpm/mypool.sock
file_server browse
'';
};
"www.${personalization.wordpress_url}" = {
extraConfig = ''
encode gzip zstd
root * /var/lib/www/wordpress
php_fastcgi unix//run/phpfpm/mypool.sock
file_server browse
'';
};
"${personalization.nextcloud_url}" = {
extraConfig = ''
encode gzip zstd
root * /var/lib/www/nextcloud
php_fastcgi unix//run/phpfpm/mypool.sock
file_server
redir /.well-known/carddav /remote.php/carddav 301
redir /.well-known/caldav /remote.php/caldav 301
header {
Strict-Transport-Security max-age=31536000;
}
'';
};
"${personalization.matrix_url}" = {
extraConfig = ''
reverse_proxy /_matrix/* http://localhost:8008
reverse_proxy /_synapse/client/* http://localhost:8008
'';
};
"${personalization.matrix_url}:8448" = {
extraConfig = ''
reverse_proxy http://localhost:8008
'';
};
"${personalization.btcpayserver_url}" = {
extraConfig = ''
reverse_proxy http://localhost:23000
encode gzip zstd
'';
};
"https://${personalization.vaultwarden_url}" = {
extraConfig = ''
reverse_proxy http://localhost:8777
encode gzip zstd
'';
};
":3051" = {
extraConfig = ''
reverse_proxy :3050
encode gzip zstd
tls internal
'';
};
"https://${personalization.onlyoffice_url}" = {
extraConfig = ''
reverse_proxy http://localhost:8000
'';
};
};
};
###### CREATE DATABASE (WORDPRESS, MATRIX_SYNAPSE, AND NEXTCLOUD) #######
services.postgresql = {
enable = true;
package = pkgs.postgresql_14;
};
services.postgresql.authentication = lib.mkForce ''
# Generated file; do not edit!
# TYPE DATABASE USER ADDRESS METHOD
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
'';
services.mysql = {
enable = true;
package = pkgs.mariadb_1011;
};
services.postgresql.initialScript = pkgs.writeText "begin-init.sql" ''
CREATE ROLE "ncusr" WITH LOGIN PASSWORD '${personalization.age.secrets.nextclouddb.file}';
CREATE DATABASE "nextclouddb" WITH OWNER "ncusr"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD '${personalization.age.secrets.matrixdb.file}';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
''
;
services.mysql.initialScript = pkgs.writeText "wordpress-init.sql" ''
CREATE DATABASE wordpressdb;
GRANT ALL ON *.* TO 'wpusr'@'localhost' IDENTIFIED BY '${personalization.age.secrets.wordpressdb.file}';
FLUSH PRIVILEGES;
''
;
####### KEEP AWAKE for DISPLAY and HEADLESS #######
services.xserver.displayManager.gdm.autoSuspend = false;
####### BACKUP TO INTERNAL DRIVE #######
services.rsnapshot = {
enable = true;
extraConfig = ''
snapshot_root /run/media/Second_Drive/BTCEcoandBackup/NixOS_Snapshot_Backup
retain hourly 12
retain daily 12
backup /home/ localhost/
backup /var/lib/ localhost/
backup /etc/nixos/ localhost/
backup /etc/nix-bitcoin-secrets/ localhost/
'';
cronIntervals = {
daily = "50 21 * * *";
hourly = "0 * * * *";
};
};
####### CRON #######
services.cron = {
enable = true;
systemCronJobs = [
"*/5 * * * * caddy /run/current-system/sw/bin/php -f /var/lib/www/nextcloud/cron.php"
"*/15 * * * * root /var/lib/njalla/njalla.sh"
"*/15 * * * * root /var/lib/external_ip/external_ip.sh"
];
};
####### TOR #######
services.tor = {
enable = true;
client.enable = true;
torsocks.enable = true;
};
services.privoxy.enableTor = true;
####### Enable the OpenSSH daemon #######
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "yes";
};
};
programs.ssh.agentTimeout = "3m";
#######FailtoBan#######
services.fail2ban = {
enable = true;
ignoreIP = [
"127.0.0.0/8"
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
"8.8.8.8"
];
};
####### Open ports in the firewall #######
networking.firewall.allowedTCPPorts = [ 80 443 5349 8448 3050 3051 ];
networking.firewall.allowedUDPPorts = [ 80 443 5349 8448 3050 3051 ];
networking.firewall.allowedUDPPortRanges = [
{ from=49152; to=65535; } # TURN relay
];
# Or disable the firewall altogether.
networking.firewall.enable = true;
####### AUTO COLLECT GARABAGE #######
nix.gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 7d";
};
system.stateVersion = "22.05";
}

18
flake.lock generated
View File

@ -26,11 +26,11 @@
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2"
}, },
"locked": { "locked": {
"lastModified": 1690294654, "lastModified": 1690570683,
"narHash": "sha256-UVcL4yjNXLyvt3OujWGupqOf6U3ZjTwQ3G96pJ8z0EM=", "narHash": "sha256-zA16hT9ZoD6H1bqZACPsn9+GU49YQPfv2k5bez/Q4eU=",
"owner": "emmanuelrosa", "owner": "emmanuelrosa",
"repo": "erosanix", "repo": "erosanix",
"rev": "47a95b69e0fc3e1076c20f77aceb8c0cdab719a6", "rev": "302c6ce1c46727a0a999d7c6bc750a0f8b275a9c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -175,11 +175,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1688151534, "lastModified": 1690318695,
"narHash": "sha256-Pl+YbDyHEOzTuLfNTIqN7j+c3pBaPrS6dk9f3sKTz74=", "narHash": "sha256-Ca8Er9gNMNvTg15FdIXp7cdoRlqztsmG+dC0ZKZ8R1c=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "cf1b7c4d5c027837e71d284a838fbeb05b3fcb7f", "rev": "17d98b5b7c8bbeaf1e0a4140d125c7e797882f3b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -207,11 +207,11 @@
}, },
"nixpkgs_4": { "nixpkgs_4": {
"locked": { "locked": {
"lastModified": 1690272529, "lastModified": 1690367991,
"narHash": "sha256-MakzcKXEdv/I4qJUtq/k/eG+rVmyOZLnYNC2w1mB59Y=", "narHash": "sha256-2VwOn1l8y6+cu7zjNE8MgeGJNNz1eat1HwHrINeogFA=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "ef99fa5c5ed624460217c31ac4271cfb5cb2502c", "rev": "c9cf0708f00fbe553319258e48ca89ff9a413703",
"type": "github" "type": "github"
}, },
"original": { "original": {

2
flake.nix
View File

@ -28,7 +28,7 @@
imports = [ imports = [
./modules/modules.nix ./configuration.nix
nix-bitcoin.nixosModules.default nix-bitcoin.nixosModules.default

14
modules/configuration.nix
View File

@ -24,8 +24,22 @@ let
apc.enable_cli=1 apc.enable_cli=1
''; '';
}; };
in in
{ {
imports =
[
./hardware-configuration.nix
./modules/modules.nix
];
# Bootloader. # Bootloader.
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;

4
modules/modules.nix
View File

@ -3,13 +3,13 @@
{ {
imports = [ imports = [
./configuration.nix
./synapse.nix ./synapse.nix
./coturn.nix ./coturn.nix
./bitcoinecosystem.nix ./bitcoinecosystem.nix
./vaultwarden.nix ./vaultwarden.nix
./onlyoffice.nix ./onlyoffice.nix
./Sovran_SystemsOS_File_Fixes_And_New_Services.nix ./Sovran_SystemsOS_File_Fixes_And_New_Services.nix
/etc/nixos/hardware-configuration.nix
]; ];
} }