added stuff

2024-04-09 23:11:33 +02:00 · 2024-04-09 23:11:33 +02:00 · 236b8c2a6b
commit 236b8c2a6b
parent 937f28770d
907 changed files with 70990 additions and 0 deletions
--- a/nyx/hosts/helios/default.nix
+++ b/nyx/hosts/helios/default.nix
@ -0,0 +1,9 @@
+{
+  imports = [
+    ./fs
+    ./modules
+
+    ./system.nix
+    ./nftables.nix
+  ];
+}
--- a/nyx/hosts/helios/fs/default.nix
+++ b/nyx/hosts/helios/fs/default.nix
@ -0,0 +1,13 @@
+{
+  imports = [./external.nix];
+  config = {
+    fileSystems."/" = {
+      device = "/dev/disk/by-uuid/783e926f-acd7-4684-a7b3-f5b1ecefa11b";
+      fsType = "ext4";
+    };
+
+    swapDevices = [
+      {device = "/dev/disk/by-uuid/d1d77f8e-7c77-40c9-a5e8-59d962f4d397";}
+    ];
+  };
+}
--- a/nyx/hosts/helios/fs/external.nix
+++ b/nyx/hosts/helios/fs/external.nix
@ -0,0 +1,6 @@
+{
+  fileSystems."/srv/storage" = {
+    device = "/dev/disk/by-uuid/19ea8fad-b930-4a48-99e1-04633b2142f8";
+    fsType = "ext4";
+  };
+}
--- a/nyx/hosts/helios/modules/default.nix
+++ b/nyx/hosts/helios/modules/default.nix
@ -0,0 +1,8 @@
+{
+  imports = [
+    ./device.nix
+    ./system.nix
+    ./usrEnv.nix
+    ./services.nix
+  ];
+}
--- a/nyx/hosts/helios/modules/device.nix
+++ b/nyx/hosts/helios/modules/device.nix
@ -0,0 +1,10 @@
+{
+  config.modules.device = {
+    type = "server";
+    cpu.type = "amd";
+    gpu.type = null;
+    hasBluetooth = false;
+    hasSound = false;
+    hasTPM = false;
+  };
+}
--- a/nyx/hosts/helios/modules/services.nix
+++ b/nyx/hosts/helios/modules/services.nix
@ -0,0 +1,39 @@
+{
+  config.modules.system.services = {
+    nextcloud.enable = true;
+    mailserver.enable = true;
+    vaultwarden.enable = true;
+    forgejo.enable = true;
+    searxng.enable = true;
+    reposilite.enable = true;
+
+    social = {
+      mastodon.enable = true;
+      matrix.enable = true;
+    };
+
+    bincache = {
+      harmonia.enable = true;
+    };
+
+    networking = {
+      headscale.enable = true;
+      wireguard.enable = true;
+    };
+
+    monitoring = {
+      grafana.enable = true;
+      prometheus.enable = true;
+      loki.enable = true;
+      uptime-kuma.enable = true;
+    };
+
+    database = {
+      mysql.enable = false;
+      mongodb.enable = false;
+      redis.enable = true;
+      postgresql.enable = true;
+      garage.enable = true;
+    };
+  };
+}
--- a/nyx/hosts/helios/modules/system.nix
+++ b/nyx/hosts/helios/modules/system.nix
@ -0,0 +1,44 @@
+{pkgs, ...}: {
+  config.modules.system = {
+    mainUser = "notashelf";
+    fs = ["vfat" "exfat" "ext4"];
+    video.enable = false;
+    sound.enable = false;
+    bluetooth.enable = false;
+    printing.enable = false;
+
+    boot = {
+      secureBoot = false;
+      kernel = pkgs.linuxPackages_latest;
+      loader = "grub";
+      enableKernelTweaks = true;
+      initrd.enableTweaks = true;
+      loadRecommendedModules = true;
+      tmpOnTmpfs = false;
+    };
+
+    virtualization = {
+      enable = true;
+      qemu.enable = true;
+      docker.enable = true;
+    };
+
+    networking = {
+      optimizeTcp = false;
+      tarpit.enable = true;
+      nftables.enable = true;
+      tailscale = {
+        enable = true;
+        isServer = true;
+        isClient = false;
+      };
+    };
+
+    programs = {
+      git.signingKey = "";
+
+      cli.enable = true;
+      gui.enable = false;
+    };
+  };
+}
--- a/nyx/hosts/helios/modules/usrEnv.nix
+++ b/nyx/hosts/helios/modules/usrEnv.nix
@ -0,0 +1,5 @@
+{
+  config.modules.usrEnv = {
+    useHomeManager = true;
+  };
+}
--- a/nyx/hosts/helios/nftables.nix
+++ b/nyx/hosts/helios/nftables.nix
@ -0,0 +1,47 @@
+{lib, ...}: let
+  inherit (lib) entryBetween;
+in {
+  networking.nftables.rules = {
+    inet.filter.input = {
+      # endlessh
+      endlessh = entryBetween ["basic-icmp6" "basic-icmp" "ping6" "ping"] ["default"] {
+        protocol = "tcp";
+        field = "dport";
+        value = [22];
+        policy = "accept";
+      };
+
+      # this allows nginx to respond to the domain challenges without passing each service through the firewall
+      https = entryBetween ["basic-icmp6" "basic-icmp" "ping6" "ping"] ["default"] {
+        protocol = "tcp";
+        field = "dport";
+        value = [443];
+        policy = "accept";
+      };
+
+      headscale = entryBetween ["basic-icmp6" "basic-icmp" "ping6" "ping"] ["default"] {
+        protocol = "udp";
+        field = "dport";
+        value = [8344];
+        policy = "accept";
+      };
+
+      # NOTE: snm has an option to enable firewall ports by default, but my nftables abstractions
+      # do not allow for us to use that option, so we'll just open the ports manually
+      # I could probably add an entry that propagates the tcpPorts option to the firewall
+      # but that doesn not seem like a very good option since we'll not be able to control policies
+      simple-nixos-mailserver = entryBetween ["basic-icmp6" "basic-icmp" "ping6" "ping"] ["default"] {
+        protocol = "tcp";
+        field = "dport";
+        value = [
+          25 # smtp
+          80 # used for acme-nginx domain challenges
+          143 # imap
+          993 # imapSsl
+          465 # smtpSsl
+        ];
+        policy = "accept";
+      };
+    };
+  };
+}
--- a/nyx/hosts/helios/system.nix
+++ b/nyx/hosts/helios/system.nix
@ -0,0 +1,25 @@
+{
+  config,
+  lib,
+  ...
+}: {
+  config = {
+    networking.domain = "notashelf.dev";
+    services.smartd.enable = lib.mkForce false;
+
+    boot = {
+      growPartition = !config.boot.initrd.systemd.enable;
+      loader.grub = {
+        enable = true;
+        useOSProber = lib.mkForce false;
+        efiSupport = lib.mkForce false;
+        enableCryptodisk = false;
+        theme = null;
+        backgroundColor = null;
+        splashImage = null;
+        device = lib.mkForce "/dev/disk/by-label/nixos";
+        forceInstall = true;
+      };
+    };
+  };
+}