Sovran_Systems/Sovran_SystemsOS
1
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity
Files
fdca8770960fc5f67ce3a2d609838a806fe70ba5
Sovran_SystemsOS/configuration.nix
naturallaw77 10b0ac6cea initial retooling
2026-03-27 14:29:26 -05:00

585 lines
16 KiB
Nix
Raw Blame History

{ config, pkgs, lib, ... }:
<<<<<<< HEAD
{
imports = [
./modules/modules.nix
];
# ── Boot ────────────────────────────────────────────────────
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.efi.efiSysMountPoint = "/boot/efi";
boot.kernelPackages = pkgs.linuxPackages_latest;
# ── Filesystems ──────────────────────────────────<E29480><E29480>──────────
fileSystems."/run/media/Second_Drive" = {
device = "LABEL=BTCEcoandBackup";
fsType = "ext4";
options = [ "nofail" ];
};
fileSystems."/boot/efi".options = [ "umask=0077" "defaults" ];
# ── Nix Settings ────────────────────────────────────────────
nix.settings = {
experimental-features = [ "nix-command" "flakes" ];
download-buffer-size = 524288000;
};
# ── Networking ──────────────────────────────────────────────
networking.hostName = "nixos";
networking.networkmanager.enable = true;
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [ 80 443 8448 3051 ];
networking.firewall.allowedUDPPorts = [ 80 443 8448 3051 ];
networking.firewall.allowedUDPPortRanges = [
{ from = 49152; to = 65535; }
];
# ── Locale / Time ──────────────────────────────────────────
time.timeZone = "America/Los_Angeles";
i18n.defaultLocale = "en_US.UTF-8";
# ── Desktop ────────────────────────────────────────────────
services.xserver.enable = true;
services.displayManager.gdm.enable = true;
services.displayManager.gdm.autoSuspend = false;
services.desktopManager.gnome.enable = true;
services.xserver.xkb = { layout = "us"; variant = ""; };
services.printing.enable = true;
systemd.enableEmergencyMode = false;
# ── Audio ──────────────────────────────────────────────────
services.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
# ── Users ──────────────────────────────────────────────────
users.users.free = {
isNormalUser = true;
description = "free";
extraGroups = [ "networkmanager" ];
};
services.displayManager.autoLogin.enable = true;
services.displayManager.autoLogin.user = "free";
# ── Flatpak ────────────────────────────────────────────────
services.flatpak.enable = true;
=======
let
personalization = import ./modules/personalization.nix;
in
{
imports =
[
./modules/modules.nix
];
# Bootloader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.efi.efiSysMountPoint = "/boot/efi";
boot.kernelPackages = pkgs.linuxPackages_latest;
# Enable Automount without Fail for Internal Drive.
fileSystems."/run/media/Second_Drive" = {
device = "LABEL=BTCEcoandBackup";
fsType = "ext4";
options = [ "nofail" ];
};
fileSystems."/boot/efi".options = [ "umask=0077" "defaults" ];
nix.settings = {
experimental-features = [ "nix-command" "flakes" ];
download-buffer-size = 524288000;
};
networking.hostName = "nixos"; # Define your hostname.
# Enable networking
networking.networkmanager.enable = true;
# Set your time zone.
time.timeZone = "America/Los_Angeles";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
# Enable the X11 windowing system.
services.xserver.enable = true;
# Enable the GNOME Desktop Environment.
services.displayManager.gdm.enable = true;
services.desktopManager.gnome.enable = true;
# Configure keymap in X11
services.xserver.xkb = {
layout = "us";
variant = "";
};
# Enable CUPS to print documents.
services.printing.enable = true;
# Systemd Settings
systemd.enableEmergencyMode = false;
# Enable sound with pipewire.
services.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
users.users = {
free = {
isNormalUser = true;
description = "free";
extraGroups = [ "networkmanager" ];
};
};
# Enable automatic login for the user.
services.displayManager.autoLogin.enable = true;
services.displayManager.autoLogin.user = "free";
# Allow Flatpak
services.flatpak.enable = true;
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
systemd.services.flatpak-repo = {
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
path = [ pkgs.flatpak ];
<<<<<<< HEAD
script = ''
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
'';
};
# ── Packages ───────────────────────────────────────────────
nixpkgs.config.allowUnfree = true;
nixpkgs.config.permittedInsecurePackages = [ "jitsi-meet-1.0.8043" ];
environment.systemPackages = with pkgs; [
git wget fish htop btop
gnomeExtensions.transparent-top-bar-adjustable-transparency
gnomeExtensions.systemd-manager
gnomeExtensions.dash-to-dock
gnomeExtensions.vitals
gnomeExtensions.pop-shell
gnomeExtensions.just-perfection
gnomeExtensions.appindicator
gnomeExtensions.date-menu-formatter
gnome-tweaks papirus-icon-theme
ranger fastfetch gedit openssl pwgen
aspell aspellDicts.en lm_sensors
hunspell hunspellDicts.en_US
synadm brave dua bitwarden-desktop
gparted pv unzip parted screen zenity
libargon2 gnome-terminal libreoffice-fresh
dig firefox element-desktop wp-cli axel
lk-jwt-service livekit-libwebrtc livekit-cli livekit
matrix-synapse
];
# ── Shell ──────────────────────────────────────────────────
programs.nixvim = {
enable = true;
colorschemes.catppuccin.enable = true;
plugins.lualine.enable = true;
};
programs.bash.promptInit = "fish";
programs.fish = { enable = true; promptInit = "fastfetch"; };
# ── PostgreSQL base ────────────────────────────────────────
services.postgresql = {
enable = true;
authentication = lib.mkForce ''
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
'';
};
# ── Agenix ─────────────────────────────────────────────────
age.identityPaths = [ "/root/.ssh/agenix/agenix-secret-keys" ];
age.secrets.matrix_reg_secret = {
file = ./secrets/matrix_reg_secret.age;
mode = "0440";
owner = "matrix-synapse";
group = "matrix-synapse";
};
# ── Backups ────────────────────────────────────────────────
services.rsnapshot = {
enable = true;
extraConfig = ''
=======
script = ''
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
'';
};
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
nixpkgs.config.permittedInsecurePackages = [
"jitsi-meet-1.0.8043"
];
# List packages installed
environment.systemPackages = with pkgs; [
git
wget
fish
htop
btop
gnomeExtensions.transparent-top-bar-adjustable-transparency
gnomeExtensions.systemd-manager
gnomeExtensions.dash-to-dock
gnomeExtensions.vitals
gnomeExtensions.pop-shell
gnomeExtensions.just-perfection
gnomeExtensions.appindicator
gnomeExtensions.date-menu-formatter
gnome-tweaks
papirus-icon-theme
ranger
fastfetch
gedit
matrix-synapse
openssl
pwgen
aspell
aspellDicts.en
lm_sensors
hunspell
hunspellDicts.en_US
synadm
brave
dua
bitwarden-desktop
gparted
pv
unzip
parted
screen
zenity
libargon2
gnome-terminal
libreoffice-fresh
dig
firefox
element-desktop
wp-cli
axel
lk-jwt-service
livekit-libwebrtc
livekit-cli
livekit
];
programs.nixvim = {
enable = true;
colorschemes.catppuccin.enable = true;
plugins.lualine.enable = true;
};
programs.bash.promptInit = "fish";
programs.fish = {
enable = true;
promptInit = "fastfetch";
};
####### CADDY #######
services.caddy = {
enable = true;
user = "caddy";
group = "root";
email = "${personalization.caddy_email_for_acme}";
virtualHosts = {
"${personalization.wordpress_url}" = {
extraConfig = ''
encode gzip zstd
root * /var/lib/www/wordpress
php_fastcgi unix//run/phpfpm/mypool.sock
file_server browse
'';
};
"${personalization.nextcloud_url}" = {
extraConfig = ''
encode gzip zstd
root * /var/lib/www/nextcloud
php_fastcgi unix//run/phpfpm/mypool.sock {
trusted_proxies private_ranges
}
file_server
redir /.well-known/carddav /remote.php/dav/ 301
redir /.well-known/caldav /remote.php/dav/ 301
header {
Strict-Transport-Security max-age=31536000;
}
'';
};
"${personalization.matrix_url}" = {
extraConfig = ''
reverse_proxy /_matrix/* http://localhost:8008
reverse_proxy /_synapse/client/* http://localhost:8008
'';
};
"${personalization.matrix_url}:8448" = {
extraConfig = ''
reverse_proxy http://localhost:8008
'';
};
"${personalization.btcpayserver_url}" = {
extraConfig = ''
reverse_proxy http://localhost:23000
encode gzip zstd
'';
};
"https://${personalization.vaultwarden_url}" = {
extraConfig = ''
reverse_proxy http://localhost:8777
encode gzip zstd
'';
};
":3051" = {
extraConfig = ''
reverse_proxy :3050
encode gzip zstd
'';
};
};
};
###### AGENIX ######
age.identityPaths = [ "/root/.ssh/agenix/agenix-secret-keys" ];
age.secrets.matrix_reg_secret = {
file = /var/lib/agenix-secrets/matrix_reg_secret.age;
mode = "770";
owner = "matrix-synapse";
group = "matrix-synapse";
};
###### CREATE DATABASE (WORDPRESS, MATRIX_SYNAPSE, AND NEXTCLOUD) #######
services.postgresql = {
enable = true;
};
services.postgresql.authentication = lib.mkForce ''
# Generated file; do not edit!
# TYPE DATABASE USER ADDRESS METHOD
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
'';
services.mysql = {
enable = true;
package = pkgs.mariadb;
};
services.postgresql.initialScript = pkgs.writeText "begin-init.sql" ''
CREATE ROLE "ncusr" WITH LOGIN PASSWORD '${personalization.nextclouddb}';
CREATE DATABASE "nextclouddb" WITH OWNER "ncusr"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD '${personalization.matrixdb}';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
''
;
services.mysql.initialScript = pkgs.writeText "wordpress-init.sql" ''
CREATE DATABASE wordpressdb;
CREATE USER 'wpusr'@'localhost' IDENTIFIED BY '${personalization.wordpressdb}';
GRANT ALL ON wordpressdb.* TO 'wpusr'@'localhost';
FLUSH PRIVILEGES;
''
;
####### KEEP AWAKE for DISPLAY and HEADLESS #######
services.displayManager.gdm.autoSuspend = false;
####### BACKUP TO INTERNAL DRIVE #######
services.rsnapshot = {
enable = true;
extraConfig = ''
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
snapshot_root /run/media/Second_Drive/BTCEcoandBackup/NixOS_Snapshot_Backup
retain hourly 5
retain daily 5
backup /home/ localhost/
backup /var/lib/ localhost/
backup /etc/nixos/ localhost/
backup /etc/nix-bitcoin-secrets/ localhost/
<<<<<<< HEAD
'';
cronIntervals = {
daily = "50 21 * * *";
hourly = "0 * * * *";
};
};
# Cron (base system crons only)
services.cron = {
enable = true;
systemCronJobs = [
"*/15 * * * * root /run/current-system/sw/bin/bash /var/lib/njalla/njalla.sh"
"*/15 * * * * root /run/current-system/sw/bin/bash /var/lib/external_ip/external_ip.sh"
"0 0 * * 0 docker-user yes | /run/current-system/sw/bin/docker system prune -a"
];
};
# Tor
services.tor = { enable = true; client.enable = true; torsocks.enable = true; };
services.privoxy.enableTor = true;
# SSH
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "yes";
};
};
# Fail2Ban
services.fail2ban = {
enable = true;
ignoreIP = [ "127.0.0.0/8" "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" "8.8.8.8" ];
};
# Garbage Collection
nix.gc = { automatic = true; dates = "weekly"; options = "--delete-older-than 7d"; };
system.stateVersion = "22.05";
=======
'';
cronIntervals = {
daily = "50 21 * * *";
hourly = "0 * * * *";
};
};
####### CRON #######
services.cron = {
enable = true;
systemCronJobs = [
"*/5 * * * * caddy /run/current-system/sw/bin/php -f /var/lib/www/nextcloud/cron.php"
"*/15 * * * * root /run/current-system/sw/bin/bash /var/lib/njalla/njalla.sh"
"*/15 * * * * root /run/current-system/sw/bin/bash /var/lib/external_ip/external_ip.sh"
"0 0 * * 0 docker-user yes | /run/current-system/sw/bin/docker system prune -a"
];
};
####### TOR #######
services.tor = {
enable = true;
client.enable = true;
torsocks.enable = true;
};
services.privoxy.enableTor = true;
####### Enable the SSH #######
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "yes";
};
};
#######FailtoBan#######
services.fail2ban = {
enable = true;
ignoreIP = [
"127.0.0.0/8"
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
"8.8.8.8"
];
};
####### Open ports in the firewall #######
networking.firewall.allowedTCPPorts = [ 80 443 5349 8448 3051 ];
networking.firewall.allowedUDPPorts = [ 80 443 5349 8448 3051 ];
networking.firewall.allowedUDPPortRanges = [
{ from=49152; to=65535; } # TURN relay
];
networking.firewall.enable = true;
####### AUTO COLLECT GARABAGE #######
nix.gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 7d";
};
system.stateVersion = "22.05";
>>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
}
Reference in New Issue View Git Blame Copy Permalink