- Introduced new configuration files for Linode host, including hardware configuration, toggles, and WireGuard settings. - Updated flake.nix to include the new images.nix file for Linode image generation. - Adjusted SSH key paths and secrets management for WireGuard to ensure proper integration with the new host setup. - Enhanced firewall rules and NAT configuration for WireGuard to improve security and connectivity.
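# Shared NixOS module for all of my hosts: wires up the auto-imported
# sub-modules, declares the `my.*` option namespace used across the
# configuration, and sets the host-independent defaults for containers,
# ACME and the nginx reverse proxy.
{
  lib,
  config,
  inputs,
  ...
}:

let
  # Predicate handed to autoImport: every .nix file in the scanned
  # directories is imported except librewolf.nix.
  filterNames = file: file != "librewolf.nix";
in
{
  imports =
    inputs.self.lib.autoImport ./apps filterNames
    ++ inputs.self.lib.autoImport ./dev filterNames
    ++ inputs.self.lib.autoImport ./scripts filterNames
    ++ inputs.self.lib.autoImport ./servers filterNames
    ++ inputs.self.lib.autoImport ./services filterNames
    ++ inputs.self.lib.autoImport ./shell filterNames
    ++ inputs.self.lib.autoImport ./network filterNames
    ++ [
      ./factories/mkscript.nix
      ./nix/build.nix
      ./users/nixremote.nix
    ];

  options.my = {
    localhost = lib.mkOption {
      type = lib.types.str;
      default = "127.0.0.1";
      description = "The localhost address.";
    };

    localhost6 = lib.mkOption {
      type = lib.types.str;
      default = "::1";
      description = "The localhost ipv6 address.";
    };

    secureHost = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "Whether this is a secure host that should use SOPS.";
    };

    domain = lib.mkOption {
      type = lib.types.str;
      default = "servidos.lat";
      description = "The domain name.";
    };

    ips = lib.mkOption {
      type = lib.types.attrsOf lib.types.str;
      default = {
        router = "192.168.100.1";
        server = "192.168.100.15";
        miniserver = "192.168.1.100";
        workstation = "192.168.100.18";
        # Public address of the VPS; the wg-* entries are WireGuard tunnel
        # addresses (10.77.0.0/24 for my own hosts, 10.8.0.0 for friends).
        vps = "51.222.141.104";
        wg-vps = "10.77.0.1";
        wg-server = "10.77.0.2";
        wg-friend1 = "10.8.0.2";
        # NOTE: this is a network address, not a host — consumers expecting
        # a single peer address must not use this key.
        wg-friends = "10.8.0.0";
      };
      description = "Set of IP's for all my computers.";
    };

    interfaces = lib.mkOption {
      type = lib.types.attrsOf lib.types.str;
      default = {
        server = "enp0s31f6";
        miniserver = "enp2s0";
        workstation = "enp5s0";
        linode = "eth0";
      };
      description = "Set of network interface names for all my computers.";
    };

    mainServer = lib.mkOption {
      type = lib.types.str;
      default = "miniserver";
      description = "The hostname of the main server.";
    };

    postgresSocket = lib.mkOption {
      type = lib.types.str;
      default = "/run/postgresql";
      description = "The PostgreSQL socket path.";
    };

    # Anything that can open this socket controls the container runtime, which
    # for a rootful daemon is typically root-equivalent on the host — keep the
    # socket's group/permissions tight and do not bind-mount it into containers
    # that do not strictly need it.
    containerSocket = lib.mkOption {
      type = lib.types.str;
      default = "/var/run/docker.sock";
      description = "The docker/podman socket path.";
    };

    containerData = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/docker-configs";
      description = "Base directory for container configuration files.";
    };

    smtpemail = lib.mkOption {
      type = lib.types.str;
      default = "stunner6399@gmail.com";
      description = "localhost smtp email";
    };

    email = lib.mkOption {
      type = lib.types.str;
      default = "danilo.reyes.251@proton.me";
      description = "Contact email address; also used as the ACME account email.";
    };

    timeZone = lib.mkOption {
      type = lib.types.str;
      default = "America/Mexico_City";
      description = "Timezone";
    };

    enableContainers = lib.mkEnableOption "container services (Docker/Podman)";

    enableProxy = lib.mkEnableOption "nginx reverse proxy for services";
  };

  config = {
    assertions =
      # PostgreSQL dependency assertions: one entry per service that needs a
      # database (the helper lives in inputs.self.lib; `service` is the
      # my.servers key, `name` the human-readable label for the message).
      inputs.self.lib.mkPostgresDependencies config [
        {
          service = "nextcloud";
          name = "Nextcloud";
        }
        {
          service = "vaultwarden";
          name = "Vaultwarden";
        }
        {
          service = "firefly-iii";
          name = "Firefly III";
        }
        {
          service = "mealie";
          name = "Mealie";
        }
        {
          service = "shiori";
          name = "Shiori";
        }
        {
          service = "ryot";
          name = "Ryot";
        }
        {
          service = "synapse";
          name = "Matrix Synapse";
        }
        {
          service = "gitea";
          name = "Gitea";
        }
      ]
      ++
        # Other assertions
        [
          {
            # The proxy toggle is pointless without at least one proxied service.
            assertion =
              config.my.enableProxy
              -> (builtins.any (s: s.enableProxy or false) (builtins.attrValues config.my.servers));
            message = "enableProxy is true but no services have enableProxy enabled";
          }
          {
            # Every service in this list runs as an OCI container and therefore
            # needs the podman stack below; keep the list in sync when adding
            # container-backed services.
            assertion =
              config.my.enableContainers
              || !(builtins.any (opt: opt) [
                config.my.servers.ryot.enable
                config.my.servers.lidarr.enable
                config.my.servers.prowlarr.enable
                config.my.servers.maloja.enable
                config.my.servers.multi-scrobbler.enable
                config.my.servers.flame.enable
                config.my.servers.flameSecret.enable
                config.my.servers.metube.enable
                config.my.servers.go-vod.enable
                config.my.servers.tranga.enable
                config.my.servers.drpp.enable
                config.my.servers.plex-discord-bot.enable
              ]);
            message = "Container services are enabled but enableContainers is false";
          }
        ];

    virtualisation = {
      # These two are set unconditionally (only podman itself is gated on
      # enableContainers); they only select the backend and ship the
      # containers.conf configuration.
      containers.enable = true;
      oci-containers.backend = "podman";
      podman = lib.mkIf config.my.enableContainers {
        enable = true;
        # Docker CLI/socket compatibility: the podman socket is exposed at the
        # docker path (see my.containerSocket). Access to it is root-equivalent.
        dockerCompat = true;
        dockerSocket.enable = true;
        defaultNetwork.settings.dns_enabled = true;
        # `--all` also removes unused (not just dangling) images, so images
        # that are pulled but not currently referenced will be re-downloaded.
        autoPrune = {
          enable = true;
          flags = [ "--all" ];
          dates = "weekly";
        };
      };
    };

    # ACME is only configured when nginx is actually enabled on this host.
    security.acme = lib.mkIf config.services.nginx.enable {
      acceptTerms = true;
      defaults.email = config.my.email;
    };

    services.nginx = {
      enable = config.my.enableProxy;
      # Global request-body cap so that large uploads (e.g. Nextcloud) work.
      # It applies to every vhost, so any client that can reach the proxy may
      # send multi-GiB bodies; make sure the host can absorb that.
      clientMaxBodySize = "4096m";
      # Deliberately no `sslCiphers` override here. The former value
      # "AES256+EECDH:AES256+EDH:!aNULL" is an OpenSSL selector that also
      # matches TLS 1.2 CBC/SHA-1 suites (e.g. ECDHE-RSA-AES256-SHA) and
      # excludes ChaCha20-Poly1305, which is weaker than the nixpkgs default
      # list of modern AEAD suites that recommendedTlsSettings is meant to
      # be paired with.
      recommendedTlsSettings = true;
      recommendedOptimisation = true;
      recommendedGzipSettings = true;
      recommendedProxySettings = true;
    };
  };
}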