No commits in common. "6ede343e56010240e6d5d9f3533a0a16a576f172" and "fb39daf4480a5ee3efa1fac05d620668e2efa2c5" have entirely different histories.


@ -20,22 +20,20 @@
time.timeZone = "Europe/Vienna";
# Bootloader and kernel
boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
kernelParams = [
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.kernelParams = [
"vga=791"
"nomodeset"
];
kernel.sysctl = {
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
# "net.bridge.bridge-nf-call-iptables" = 1;
# "net.bridge.bridge-nf-call-ip6tables" = 1;
};
supportedFilesystems = [ "zfs" ];
zfs.forceImportRoot = false;
};
boot.supportedFilesystems = [ "zfs" ];
boot.zfs.forceImportRoot = false;
hardware.graphics.enable = true;
hardware.nvidia.open = true;
@ -48,6 +46,8 @@
keyMap = "de";
# useXkbConfig = true; # use xkb.options in tty.
};
# i18n.defaultLocale = "en_US.UTF-8";
# Networking
networking = {
hostName = "heimserver";
@ -60,17 +60,15 @@
}
];
defaultGateway = "192.168.69.1";
#nameservers = [ "127.0.0.1" ];
#nameservers = [ "1.1.1.1" ];
firewall.enable = true;
firewall.allowedTCPPorts = [
22
25
53
80
443
587
2222 # forgejo ssh
8084 # forgejo frontend
8184 # forgejo frontend
8123 # homeassistant
5580 # homeassistant matter
2283 # immich
@ -80,13 +78,11 @@
8554 # frigate rtsp
8555 # frigate rtsp
2055 # ntopng sink
8088 # ntopng frontend
8083 # adguardhome frontend
8085 # scrutiny frontend
8089 # wud frontend
8087 # paperless frontend
8090 # mail
8091 # mail jmap
8182 # ntopng frontend
8183 # adguardhome frontend
8185 # scrutiny frontend
8186 # wud frontend
8187 # paperless frontend
8080 # homepage
];
firewall.allowedUDPPorts = [
@ -103,14 +99,6 @@
];
};
users.users."stalwart-mail".extraGroups = [
"acme"
];
users.users."nginx".extraGroups = [
"acme"
];
users.users.immich.extraGroups = [
"video"
"render"
@ -155,30 +143,7 @@
security.acme = {
acceptTerms = true;
defaults.email = "mail@kempinger.xyz";
defaults.webroot = "/var/lib/acme/acme-challenge/";
certs."kempinger.at" = {
domain = "kempinger.at";
extraDomainNames = [
"git.kempinger.at"
];
reloadServices = [
"nginx"
];
};
certs."webadmin.kempinger.at" = {
domain = "webadmin.kempinger.at";
extraDomainNames = [
"mta-sts.kempinger.at"
"autoconfig.kempinger.at"
"autodiscover.kempinger.at"
"mail.kempinger.at"
"imap.kempinger.at"
"mx1.kempinger.at"
];
};
certs."bilder.kempinger.at" = {
domain = "bilder.kempinger.at";
};
certs."kempinger.at".domain = "*.kempinger.at";
};
#services.resolved.enable = true;
@ -198,30 +163,15 @@
};
virtualHosts."kempinger.at" = {
root = "/srv/website/public_html";
locations."/".index = "index.html";
forceSSL = true;
useACMEHost = "kempinger.at";
locations."/.well-known/".root = "/var/lib/acme/acme-challenge/";
};
virtualHosts."webadmin.kempinger.at" = {
forceSSL = true;
useACMEHost = "webadmin.kempinger.at";
#acmeRoot = null;
serverAliases = [
"mta-sts.kempinger.at"
"autoconfig.kempinger.at"
"autodiscover.kempinger.at"
"mail.kempinger.at"
"imap.kempinger.at"
"mx1.kempinger.at"
];
locations."/" = {
proxyPass = "http://127.0.0.1:8090";
index = "index.html";
};
forceSSL = true;
enableACME = true;
};
virtualHosts.${config.services.forgejo.settings.server.DOMAIN} = {
forceSSL = true;
useACMEHost = "kempinger.at";
enableACME = true;
extraConfig = ''
client_max_body_size 512M;
'';
@ -229,8 +179,8 @@
"http://localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}";
};
virtualHosts."bilder.kempinger.at" = {
enableACME = true;
forceSSL = true;
useACMEHost = "bilder.kempinger.at";
locations."/" = {
proxyPass = "http://[::1]:${toString config.services.immich.port}";
proxyWebsockets = true;
@ -255,7 +205,7 @@
DOMAIN = "git.kempinger.at";
# You need to specify this to remove the port from URLs in the web UI.
ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}/";
HTTP_PORT = 8084;
HTTP_PORT = 8184;
DISABLE_SSH = false;
SSH_PORT = 2222;
START_SSH_SERVER = true;
@ -397,6 +347,8 @@
};
};
#services.matter-server.enable = true;
virtualisation.oci-containers = {
backend = "podman";
containers.homeassistant = {
@ -488,8 +440,8 @@
"/var/run/podman/podman.sock:/var/run/docker.sock"
];
environment = {
WUD_SERVER_PORT = "8089";
WUD_TRIGGER_COMMAND_LOCAL_CMD = "echo \${display_name} can be updated to \${update_kind_remote_value}";
WUD_SERVER_PORT = "8186";
WUD_TRIGGER_COMMAND_LOCAL_CMD="echo \${display_name} can be updated to \${update_kind_remote_value}";
};
extraOptions = [
"--network=host"
@ -499,7 +451,7 @@
services.ntopng = {
enable = true;
httpPort = 8088;
httpPort = 8182;
interfaces = [ "tcp://0.0.0.0:5556" ];
extraConfig = ''
--dns-mode 1
@ -508,9 +460,6 @@
services.influxdb2 = {
enable = true;
settings = {
http-bind-address = ":8086";
};
# provision = {
# enable = true;
@ -541,7 +490,7 @@
services.scrutiny = {
enable = true;
settings.web.listen.port = 8085;
settings.web.listen.port = 8185;
influxdb.enable = true;
collector.schedule = "hourly";
settings.web.influxdb = {
@ -555,14 +504,14 @@
enable = true;
# You can select any ip and port, just make sure to open firewalls where needed
host = "0.0.0.0";
port = 8083;
port = 8183;
};
services.paperless = {
enable = true;
consumptionDirIsPublic = true;
address = "0.0.0.0";
port = 8087;
port = 8187;
settings = {
PAPERLESS_CONSUMER_IGNORE_PATTERN = [
".DS_STORE/*"
@ -576,6 +525,7 @@
};
};
services.homepage-dashboard = {
enable = true;
listenPort = 8080;
@ -678,7 +628,7 @@
icon = "forgejo.png";
widget = {
type = "gitea"; # Forgejo uses Gitea API
url = "http://192.168.69.69:8084";
url = "http://192.168.69.69:8184";
key = "{{HOMEPAGE_VAR_FORGEJO_TOKEN}}"; # Create in Forgejo settings
# Shows: repository count, issue count, pull requests
};
@ -690,12 +640,12 @@
"Network & Monitoring" = [
{
"AdGuard Home" = {
href = "http://192.168.69.69:8083";
href = "http://192.168.69.69:8183";
description = "DNS filtering & ad blocking";
icon = "adguard-home.png";
widget = {
type = "adguard";
url = "http://192.168.69.69:8083";
url = "http://192.168.69.69:8183";
username = "{{HOMEPAGE_VAR_ADGUARD_USER}}";
password = "{{HOMEPAGE_VAR_ADGUARD_PASS}}";
# Shows: queries blocked, % blocked, queries processed
@ -717,29 +667,29 @@
}
{
"Scrutiny" = {
href = "http://192.168.69.69:8085";
href = "http://192.168.69.69:8185";
description = "S.M.A.R.T Monitoring";
icon = "scrutiny.png";
widget = {
type = "scrutiny";
url = "http://192.168.69.69:8085";
url = "http://192.168.69.69:8185";
};
};
}
{
"Whats Up Docker" = {
href = "http://192.168.69.69:8089";
href = "http://192.168.69.69:8186";
description = "Docker Image Updates";
icon = "whats-up-docker.png";
widget = {
type = "whatsupdocker";
url = "http://192.168.69.69:8089";
url = "http://192.168.69.69:8186";
};
};
}
{
"ntopng" = {
href = "http://192.168.69.69:8088";
href = "http://192.168.69.69:8182";
description = "Network traffic analysis";
icon = "ntopng.png";
# No official widget, but could use iframe or custom API
@ -837,69 +787,6 @@
environmentFile = "/var/lib/homepage-dashboard/secrets.env";
};
services.stalwart = {
enable = true;
openFirewall = true;
settings = {
server = {
hostname = "mx1.kempinger.at";
tls = {
enable = true;
implicit = true;
};
listener = {
smtp = {
protocol = "smtp";
bind = "192.168.69.69:25";
};
submissions = {
bind = "192.168.69.69:587";
protocol = "smtp";
tls.implicit = true;
};
imaps = {
bind = "[::]:993";
protocol = "imap";
tls.implicit = true;
};
jmap = {
bind = "0.0.0.0:8091";
url = "https://mail.kempinger.at";
protocol = "http";
};
management = {
bind = [ "127.0.0.1:8090" ];
protocol = "http";
};
};
};
resolver.type = "custom";
resolver.custom = [ "udp://127.0.0.1:53" ];
certificate."default" = {
cert = "%{file:${config.security.acme.certs."webadmin.kempinger.at".directory}/fullchain.pem}%";
private-key = "%{file:${config.security.acme.certs."webadmin.kempinger.at".directory}/key.pem}%";
};
lookup.default = {
hostname = "mx1.kempinger.at";
domain = "kempinger.at";
};
session.rcpt.directory = "'internal'";
directory."imap".lookup.domains = [ "kempinger.at" ];
# authentication.fallback-admin = {
# user = "admin";
# secret = "bcrypt-hash";
# };
};
};
services.snowflake-proxy = {
enable = true;
capacity = 50;
};
nixpkgs.config.allowUnfree = true;
# nixpkgs.overlays = [
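Review bot: In the `security.acme` hunk, `certs."kempinger.at".domain = "*.kempinger.at"` cannot be issued with the HTTP-01 challenge that `defaults.webroot` configures — ACME CAs only issue wildcard identifiers via DNS-01 — and a `*.kempinger.at` certificate does not cover the apex name `kempinger.at` that the `virtualHosts."kempinger.at"` block is served under (its `useACMEHost = "kempinger.at"` line looks like unchanged context, so it would now point at a cert that is never obtained). Unless a `dnsProvider` is configured outside this diff, the acme renewal unit will fail and nginx keeps serving the self-signed placeholder for that host. Either keep an apex cert with explicit SANs (as the removed `extraDomainNames` list did) or make the wildcard a DNS-01 cert: `certs."kempinger.at" = { domain = "kempinger.at"; extraDomainNames = [ "*.kempinger.at" ]; dnsProvider = "<provider>"; environmentFile = "<credentials file>"; };`. The other vhosts switched to `enableACME = true`, so they are unaffected, but a `*.kempinger.at` cert only helps if the vhosts actually reference it.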