
{ config, pkgs, ... }:
# NixOS configuration for the "vancouver" host: a ZFS-backed NAS exposing
# Samba/NFS shares, Plex, Forgejo (via the gitea module), n8n, and an nginx
# front end that multiplexes those web apps onto a single virtual host.
{
  # Replace the upstream n8n module with the locally supplied <n8n.nix> imported below.
  disabledModules = [ "services/misc/n8n.nix" ];
  imports =
    [ # Include the results of the hardware scan.
      ./hardware.nix
      # Angle-bracket paths are resolved through NIX_PATH at evaluation time.
      <home-manager/nixos>
      <n8n.nix>
    ];
  nix = {
    settings = {
      auto-optimise-store = true;
      experimental-features = ["nix-command" "flakes"];
    };
  };
  boot = {
    tmp.cleanOnBoot = true;
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
    supportedFilesystems = ["zfs"];
    # coretemp/it87 are hardware-monitoring drivers (read via lm_sensors below);
    # kvm-amd backs the libvirtd VMs enabled under virtualisation.
    kernelModules = [ "coretemp" "kvm-amd" "it87" ];
    # The "Primary" pool is imported at boot; every /Primary/... path below lives on it.
    zfs.extraPools = ["Primary"];
  };
  services = {
    zfs.autoScrub.enable = true;
    tailscale.enable = true;
    openssh.enable = true;
    xserver.videoDrivers = [ "nvidia" ];
    n8n = {
      enable = true;
      # openFirewall has no effect while networking.firewall.enable is false (see below).
      openFirewall = true;
      # Public URLs point at the /n8n/ nginx location, reached via the Tailscale hostname.
      webhookUrl = "https://vancouver.scorpion-ghost.ts.net/n8n/";
      settings = {
        editorBaseUrl = "https://vancouver.scorpion-ghost.ts.net/n8n/";
      };
    };
    # NOTE(review): no export list is visible in this file; with the host firewall
    # off (networking below) NFS is reachable on every interface it binds — confirm
    # the exports themselves restrict clients.
    nfs.server.enable = true;
    # WS-Discovery responder so Windows clients can browse the shares.
    samba-wsdd.enable = true;
    samba = {
      enable = true;
      # "security = user" in extraConfig below duplicates this setting.
      securityType = "user";
      # Network access control for all shares is the hosts allow/deny pair below:
      # "100." matches the whole 100.0.0.0/8, wider than Tailscale's 100.64.0.0/10
      # (presumably the intent), plus the 192.168.50.0/24 LAN and loopback.
      # Logins with an unknown username are mapped to the guest account
      # ("map to guest = bad user"), which matters for the guest-writable share below.
      extraConfig = ''
        workgroup = WORKGROUP
        server string = smbnix
        netbios name = smbnix
        security = user
        #use sendfile = yes
        #max protocol = smb2
        # note: localhost is the ipv6 localhost ::1
        hosts allow = 100. 192.168.50. 127.0.0.1 localhost
        hosts deny = 0.0.0.0/0
        guest account = nobody
        map to guest = bad user
      '';
      shares = {
        # Anonymous access: any allowed host can read AND write here without credentials.
        media = {
          path = "/Primary/media";
          browseable = "yes";
          "read only" = "no";
          "guest ok" = "yes";
          "create mask" = "0644";
          "directory mask" = "0755";
        };
        # "admin users" makes Samba perform that user's file operations on this share as root.
        becki = {
          path = "/Primary/becki";
          browseable = "yes";
          "read only" = "no";
          "guest ok" = "no";
          "create mask" = "0644";
          "directory mask" = "0755";
          "admin users" = "becki";
        };
        shared = {
          path = "/Primary/shared";
          browseable = "yes";
          "read only" = "no";
          "guest ok" = "no";
          "create mask" = "0644";
          "directory mask" = "0755";
        };
        # Same root-privilege note as "becki" applies to "admin users" here.
        gabriel = {
          path = "/Primary/gabriel";
          browseable = "yes";
          "read only" = "no";
          "guest ok" = "no";
          "create mask" = "0644";
          "directory mask" = "0755";
          "admin users" = "gsimmer";
        };
      };
    };
    plex = {
      enable = true;
      # Inert while the host firewall is disabled (see networking below).
      openFirewall = true;
    };
    nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedBrotliSettings = true;
      recommendedZstdSettings = true;
      recommendedOptimisation = true;
      # We can only proxy one port with Tailscale Funnel so we abuse locations instead.
      # TLS is therefore terminated by Funnel, not here: enableACME/forceSSL stay off
      # and nginx itself serves plain HTTP.
      virtualHosts."vancouver.gmem.ca" = {
        # Catch-all for any Host header, including the vancouver.scorpion-ghost.ts.net
        # name used in the service URLs above.
        default = true;
        enableACME = false;
        forceSSL = false;
        locations."/" = {
          root = "/var/www/";
          extraConfig = ''
            error_page 404 /404.html;
          '';
        };
        # Forgejo, served by the gitea module below on HTTP_PORT 8973.
        locations."/git/" = {
          proxyWebsockets = false; # no WebSocket upgrade handling for this location
          # NOTE(review): with TLS terminated upstream, $scheme is "http" here, so
          # Forgejo receives X-Forwarded-Proto: http despite an https ROOT_URL —
          # confirm redirects and secure cookies behave as expected.
          extraConfig =
            ''
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
            '';
          proxyPass = "http://127.0.0.1:8973/";
        };
        # n8n on port 5678.
        locations."/n8n/" = {
          proxyPass = "http://127.0.0.1:5678/";
          proxyWebsockets = true; # needed if you need to use WebSocket
          # NOTE(review): proxy_pass_header controls headers passed from the upstream
          # *response* to the client; request headers such as Authorization are
          # forwarded to n8n by default. Confirm this directive does what was intended.
          extraConfig =
            ''
              proxy_pass_header Authorization;
            '';
        };
      };
    };
    gitea = {
      enable = true;
      stateDir = "/Primary/gitea";
      # The gitea module is used to run Forgejo.
      package = pkgs.forgejo;
      settings = {
        server = {
          ROOT_URL = "https://vancouver.scorpion-ghost.ts.net/git/";
          HTTP_PORT = 8973;
        };
        service = {
          DISABLE_REGISTRATION = true;
          # Secure cookies rely on clients reaching the https ROOT_URL through Funnel;
          # nginx on this host serves plain HTTP (forceSSL = false above).
          COOKIE_SECURE = true;
        };
        actions = {
          ENABLED = true;
        };
        federation = {
          ENABLED = true;
        };
      };
    };
    gitea-actions-runner = {
      instances = {
        vancouver = {
          name = "vancouver";
          enable = true;
          # docker:// labels run jobs in containers; the only Docker daemon configured
          # here is the rootless one (virtualisation below) — NOTE(review): confirm the
          # runner service can actually reach that socket.
          labels = [
            "debian-latest:docker://node:18-bullseye"
            "nix:docker://nixos/nix"
          ];
          url = "https://vancouver.scorpion-ghost.ts.net/git";
          # Registration token is left empty here. Prefer `tokenFile` pointing at a
          # root-only file outside the Nix store, so the secret is never world-readable.
          token = "";
        };
      };
    };
  };
  networking = {
    # hostId is required by ZFS.
    hostId = "e1e29bf4";
    hostName = "vancouver";
    domain = "gmem.ca";
    firewall = {
      trustedInterfaces = ["tailscale0"];
      # Loose reverse-path filtering is commonly required for Tailscale traffic.
      checkReversePath = "loose";
      # The host firewall is OFF: trustedInterfaces and every openFirewall = true above
      # are inert, and each listening service (Samba, NFS, Forgejo, n8n, Plex, nginx)
      # accepts connections on whatever interfaces it binds. Samba's hosts allow/deny
      # is then the only network-level filter in front of the shares.
      enable = false;
    };
    nftables.enable = true;
  };
  environment.systemPackages = with pkgs; [
    vim
    wget
    git
    htop
    tailscale
    home-manager
    lm_sensors
    screen
    nix-output-monitor
    cifs-utils
    # atuin
  ];
  time.timeZone = "Europe/London";
  # Required for the nvidia driver and Plex, both unfree.
  nixpkgs.config.allowUnfree = true;
  hardware = {
    opengl.enable = true;
    nvidia.modesetting.enable = true;
    # PulseAudio itself is off; services.pipewire.pulse below provides the compat layer.
    pulseaudio.enable = false;
  };
  programs = {
    zsh.enable = true;
    fish.enable = true;
  };
  environment.shells = with pkgs; [ zsh fish ];
  users.users = {
    gsimmer = {
      shell = pkgs.fish;
      isNormalUser = true;
      # Home is the "gabriel" Samba share path.
      home = "/Primary/gabriel";
      # wheel grants sudo; libvirtd/qemu-libvirtd grant VM management without root.
      extraGroups = [ "wheel" "libvirtd" "qemu-libvirtd" ];
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr"
        "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAICCc6k8tl2ahB3HtjpGK403Wkk+nQKgIhSgdBXxmXdsEAAAABHNzaDo="
        "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMO7u+6hBN3XJfRFZCxADyLJfI8zGO2pj9AxkF0FecSR8GFuzP77wyUzmHosQcxe/P/N1TeNdfIDCatogqft9w4="
      ];
    };
    becki = {
      shell = pkgs.fish;
      isNormalUser = true;
      # Home is the "becki" Samba share path.
      home = "/Primary/becki";
    };
    # Same ed25519 key as gsimmer's first key, giving direct root login over SSH
    # (NixOS's default PermitRootLogin allows key-based auth — confirm this is
    # intended rather than relying on sudo via wheel).
    root.openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr"
    ];
  };
  home-manager.users.gsimmer = { pkgs, ... }: {
    programs.git = {
      userName = "Gabriel Simmer";
      userEmail = "git@gmem.ca";
    };
    programs.bash.enable = false;
    home.stateVersion = "23.05";
  };
  virtualisation = {
    docker = {
      enable = true;
      # Rootless daemon; setSocketVariable exports DOCKER_HOST for user sessions.
      rootless = {
        enable = true;
        setSocketVariable = true;
      };
    };
    libvirtd.enable = true;
  };
  sound.enable = true;
  # rtkit grants realtime scheduling to the PipeWire processes below.
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
    jack.enable = true;
  };
  system.stateVersion = "23.05";
}