diff --git a/modules/hosts/nixos/bigboy/default.nix b/modules/hosts/nixos/bigboy/default.nix index da78f5d..02ae2d2 100644 --- a/modules/hosts/nixos/bigboy/default.nix +++ b/modules/hosts/nixos/bigboy/default.nix @@ -82,6 +82,7 @@ pulse.enable = true; }; printing.enable = true; # Enable CUPS + smartd.enable = true; xserver = { enable = true; xkb = { diff --git a/modules/hosts/nixos/default.nix b/modules/hosts/nixos/default.nix index 16436c4..3ce89b9 100644 --- a/modules/hosts/nixos/default.nix +++ b/modules/hosts/nixos/default.nix @@ -12,6 +12,7 @@ iftop inetutils iotop + mosquitto neofetch python3 smartmontools @@ -73,7 +74,6 @@ services = { openssh.enable = true; - smartd.enable = true; }; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; diff --git a/modules/hosts/nixos/hetznix01/default.nix b/modules/hosts/nixos/hetznix01/default.nix index 0be1fcb..3e073d8 100644 --- a/modules/hosts/nixos/hetznix01/default.nix +++ b/modules/hosts/nixos/hetznix01/default.nix @@ -26,11 +26,15 @@ 22 # ssh 25 # SMTP (unencrypted) 80 # http to local Nginx + 143 # imap 443 # https to local Nginx 465 # SMTP with TLS 587 # SMTP with STARTTLS + 993 # imaps + 1883 # mqtt 8333 # Bitcoin Core 8448 # Matrix Synapse + 8883 # mqtt over tls 9735 # LND ]; # firewall.allowedUDPPorts = [ ... ]; @@ -47,6 +51,19 @@ services = { fail2ban.enable = true; logrotate.enable = true; + ntopng = { + enable = true; + interfaces = [ + "enp1s0" + "tailscale0" + ]; + }; + openssh.settings = { + # require public key authentication for better security + PasswordAuthentication = false; + KbdInteractiveAuthentication = false; + PermitRootLogin = "no"; + }; postgresql = { enable = true; package = pkgs.postgresql_16; 
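Review bot: `143 # imap` is opened here, but post-install/default.nix in this same commit keeps `enableImap = false` and only switches on `enableImapSsl`, so as far as the diff shows nothing will listen on 143; `enableSubmission = false` likewise leaves the pre-existing `587` entry without a listener behind it. Dropping entries that no service uses keeps the allowlist an accurate record of what the host exposes. `1883 # mqtt` is the larger concern: the mosquitto listener added in post-install/mosquitto.nix on that port requires a password but carries it unencrypted, so publishing it on an Internet-facing VPS means client credentials cross the network in the clear. Consider leaving 1883 out of the public allowlist (or binding that listener to a private address such as the tailscale one) and pointing remote clients at `8883 # mqtt over tls` only. The opening line of the `allowedTCPPorts` list is outside this hunk.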
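Review bot: The `ntopng` block enables a service with a web UI but says nothing about where that UI is reachable; its port is not in the `allowedTCPPorts` list in the earlier hunk, so as far as this diff shows it is only reachable over loopback or tailscale0, which is presumably the intent. A comment next to the `interfaces` list such as `# web UI is deliberately not opened in the firewall; reach it over tailscale` would record that decision so a later port addition is made knowingly. The `services` block containing these additions continues past the end of the hunk.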
@@ -97,6 +114,7 @@ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvLaPTfG3r+bcbI6DV4l69UgJjnwmZNCQk79HXyf1Pt gene@rainbow-planet" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIp42X5DZ713+bgbOO+GXROufUFdxWo7NjJbGQ285x3N gene.liverman@ltnglobal.com" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICxSBXdng/+esUXN/uLHQ0l9SgHS5EI9Z8UbqxLMNpK5 gene@newt" ]; }; } diff --git a/modules/hosts/nixos/hetznix01/hardware-configuration.nix b/modules/hosts/nixos/hetznix01/hardware-configuration.nix index c2cbb3b..67a3557 100644 --- a/modules/hosts/nixos/hetznix01/hardware-configuration.nix +++ b/modules/hosts/nixos/hetznix01/hardware-configuration.nix @@ -13,6 +13,16 @@ boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; + fileSystems."pack1828" = { + device = "/dev/disk/by-id/scsi-0HC_Volume_102600992"; + fsType = "ext4"; + options = [ + "discard" + "nofail" + "defaults" + ]; + }; + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; } diff --git a/modules/hosts/nixos/hetznix01/post-install/default.nix b/modules/hosts/nixos/hetznix01/post-install/default.nix index 57430f2..0164d74 100644 --- a/modules/hosts/nixos/hetznix01/post-install/default.nix +++ b/modules/hosts/nixos/hetznix01/post-install/default.nix @@ -1,21 +1,25 @@ -{ config, username, ... }: let +{ config, lib, pkgs, username, ... }: let domain = "technicalissues.us"; in { imports = [ ../../../common/linux/lets-encrypt.nix ../../../common/linux/restic.nix ./matrix-synapse.nix + ./mosquitto.nix ./nginx.nix ]; mailserver = { enable = true; enableImap = false; - enableImapSsl = false; + enableImapSsl = true; + enableSubmission = false; + enableSubmissionSsl = true; fqdn = "mail.alt.${domain}"; domains = [ "alt.${domain}" "indianspringsbsa.org" + "pack1828.org" ]; forwards = { "webmaster@indianspringsbsa.org" = "gene+indianspringsbsa.org@geneliverman.com"; 
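Review bot: The new entry is declared as `fileSystems."pack1828"`, without a leading slash; the attribute name becomes the mount point unless `mountPoint` is set separately, and the Nextcloud config in this same commit uses `home = "/pack1828/nextcloud"`, which suggests `fileSystems."/pack1828"` was intended. A relative mount point will at best not land where Nextcloud expects its data, so this is worth confirming before the host is rebuilt. Because the volume is mounted `nofail`, a detached disk could also let the Nextcloud setup create `/pack1828/nextcloud` on the root filesystem instead of failing loudly; a short comment stating what the volume holds would make that trade-off visible, e.g. `# Hetzner volume holding /pack1828/nextcloud; nofail so a detached volume does not block boot`.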
@@ -31,6 +35,81 @@ in { }; services = { + collabora-online = { + enable = true; + port = 9980; # default + settings = { + # Rely on reverse proxy for SSL + ssl = { + enable = false; + termination = true; + }; + + # Listen on loopback interface only, and accept requests from ::1 + net = { + listen = "loopback"; + post_allow.host = ["::1"]; + }; + + # Restrict loading documents from WOPI Host nextcloud.example.com + storage.wopi = { + "@allow" = true; + host = [ "https://cloud.pack1828.org" ]; + }; + + # Set FQDN of server + server_name = "collabora.pack1828.org"; + }; + }; + nextcloud = { + enable = true; + hostName = "cloud.pack1828.org"; + package = pkgs.nextcloud31; # Need to manually increment with every major upgrade. + appstoreEnable = true; + autoUpdateApps.enable = true; + config = { + adminuser = username; + adminpassFile = config.sops.secrets.nextcloud_admin_pass.path; + dbtype = "pgsql"; + }; + configureRedis = true; + database.createLocally = true; + extraApps = with config.services.nextcloud.package.packages.apps; { + # List of apps we want to install and are already packaged in + # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json + inherit + richdocuments # Collabora Online for Nextcloud - https://apps.nextcloud.com/apps/richdocuments + ; + }; + extraAppsEnable = true; + home = "/pack1828/nextcloud"; + https = true; + maxUploadSize = "3G"; # Increase the PHP maximum file upload size + phpOptions."opcache.interned_strings_buffer" = "16"; # Suggested by Nextcloud's health check. 
+ settings = { + default_phone_region = "US"; + # https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#enabledpreviewproviders + enabledPreviewProviders = [ + "OC\\Preview\\BMP" + "OC\\Preview\\GIF" + "OC\\Preview\\JPEG" + "OC\\Preview\\Krita" + "OC\\Preview\\MarkDown" + "OC\\Preview\\MP3" + "OC\\Preview\\OpenDocument" + "OC\\Preview\\PNG" + "OC\\Preview\\TXT" + "OC\\Preview\\XBitmap" + + "OC\\Preview\\HEIC" + "OC\\Preview\\Movie" + ]; + log_type = "file"; + maintenance_window_start = 5; + overwriteProtocol = "https"; + "profile.enabled" = true; + }; + }; plausible = { enable = true; adminUser = { @@ -93,6 +172,7 @@ in { }; matrix_homeserver_signing_key.owner = config.users.users.matrix-synapse.name; mqtt_recorder_pass.restartUnits = ["mosquitto.service"]; + nextcloud_admin_pass.owner = config.users.users.nextcloud.name; owntracks_basic_auth = { owner = config.users.users.nginx.name; restartUnits = ["nginx.service"]; 
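Review bot: `storage.wopi.host = [ "https://cloud.pack1828.org" ]` gives a URL where, as far as I know, coolwsd's `storage.wopi.host` entries are hostname patterns (the NixOS example this block was adapted from uses a bare hostname), so the allowlist may never match the Nextcloud host; please verify against the coolwsd version in use and, if a bare name is what it expects, change the line to `host = [ "cloud.pack1828.org" ];`. Independently, the comment above it still reads `# Restrict loading documents from WOPI Host nextcloud.example.com` and should name the real host, e.g. `# Only accept WOPI requests originating from cloud.pack1828.org`. The `package = pkgs.nextcloud31` line already notes that the server package is bumped by hand; a matching comment on `autoUpdateApps.enable = true`, saying that apps update on their own unlike the server, would keep the next reader from assuming both are pinned. The enclosing `services = {` block continues past the hunk.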
@@ -105,6 +185,34 @@ in { }; }; + systemd.services = { + nextcloud-config-collabora = let + inherit (config.services.nextcloud) occ; + + wopi_url = "http://[::1]:${toString config.services.collabora-online.port}"; + public_wopi_url = "https://collabora.pack1828.org"; + wopi_allowlist = lib.concatStringsSep "," [ + "127.0.0.1" + "::1" + "5.161.244.95" + "2a01:4ff:f0:977c::1" + ]; + in { + wantedBy = ["multi-user.target"]; + after = ["nextcloud-setup.service" "coolwsd.service"]; + requires = ["coolwsd.service"]; + script = '' + ${occ}/bin/nextcloud-occ config:app:set richdocuments wopi_url --value ${lib.escapeShellArg wopi_url} + ${occ}/bin/nextcloud-occ config:app:set richdocuments public_wopi_url --value ${lib.escapeShellArg public_wopi_url} + ${occ}/bin/nextcloud-occ config:app:set richdocuments wopi_allowlist --value ${lib.escapeShellArg wopi_allowlist} + ${occ}/bin/nextcloud-occ richdocuments:setup + ''; + serviceConfig = { + Type = "oneshot"; + }; + }; + }; + # Enable common container config files in /etc/containers virtualisation.containers.enable = true; virtualisation = { diff --git a/modules/hosts/nixos/hetznix01/post-install/mosquitto.nix b/modules/hosts/nixos/hetznix01/post-install/mosquitto.nix new file mode 100644 index 0000000..6aa8c5a --- /dev/null +++ b/modules/hosts/nixos/hetznix01/post-install/mosquitto.nix 
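Review bot: `nextcloud-config-collabora` lists `nextcloud-setup.service` only under `after`, which is an ordering hint and not a dependency; adding `wants = ["nextcloud-setup.service"];` beside the existing `requires = ["coolwsd.service"];` states that this unit needs setup to have run and keeps the ordering meaningful if the setup unit ever stops being pulled in by the target on its own. The two public addresses in `wopi_allowlist` are unexplained literals; if they are this host's own addresses, a comment such as `# hetznix01's public IPv4/IPv6, so Collabora may reach Nextcloud via its public name` would tell a reader they belong to this server rather than to some remote Collabora instance. The four `nextcloud-occ` calls also run on every boot because the unit is `wantedBy` multi-user.target; that is presumably intended as idempotent configuration, and a one-line comment saying so would stop someone from wrapping it in a run-once guard.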
@@ -0,0 +1,102 @@ +{ config, ... }: { + services.mosquitto = { + enable = true; + bridges = { + liamcottle = { + addresses = [{ + address = "mqtt.meshtastic.liamcottle.net"; + port = 1883; + }]; + topics = [ + "msh/# out 1 \"\"" + ]; + settings = { + remote_username = "uplink"; + remote_password = "uplink"; + cleansession = true; + keepalive_interval = 160; + notifications = false; + start_type = "automatic"; + }; + }; + meshtastic = { + addresses = [{ + address = "mqtt.meshtastic.org"; + port = 1883; + }]; + topics = [ + "msh/# out 1 \"\"" + ]; + settings = { + remote_username = "meshdev"; + remote_password = "large4cats"; + #bridge_protocol_version = "mqttv311"; + cleansession = true; + keepalive_interval = 160; + notifications = false; + start_type = "automatic"; + }; + }; + homeassistant = { + addresses = [{ + address = "homeasistant-lc.atlas-snares.ts.net"; + port = 1883; + }]; + topics = [ + "msh/US/2/e/LongFast/!a386c80 out 1 \"\"" + "msh/US/2/e/LongFast/!b03bcb24 out 1 \"\"" + "msh/US/2/e/LongFast/!b03dbe58 out 1 \"\"" + "msh/US/2/e/LongFast/!4370b0c6 out 1 \"\"" + ]; + settings = { + remote_username = "meshtastic_user"; + remote_password = "meshtastic_user"; + cleansession = true; + keepalive_interval = 160; + notifications = false; + start_type = "automatic"; + }; + }; + }; + listeners = let + mqtt_users = { + genebean = { + acl = [ + "readwrite msh/#" + ]; + hashedPasswordFile = config.sops.secrets.mosquitto_genebean.path; + }; + mountain_mesh = { + acl = [ + "readwrite msh/#" + ]; + hashedPasswordFile = config.sops.secrets.mosquitto_mountain_mesh.path; + }; + }; + in [ + { + users = mqtt_users; + settings.allow_anonymous = false; + } + { + port = 8883; + users = mqtt_users; + settings = let + certDir = config.security.acme.certs."mqtt.technicalissues.us".directory; + in { + allow_anonymous = false; + keyfile = certDir + "/key.pem"; + certfile = certDir + "/cert.pem"; + cafile = certDir + "/chain.pem"; + }; + } + ]; + }; + + sops.secrets = { + 
mosquitto_genebean.owner = config.users.users.mosquitto.name; + mosquitto_mountain_mesh.owner = config.users.users.mosquitto.name; + }; + + users.users.mosquitto.extraGroups = [ "nginx" ]; +} diff --git a/modules/hosts/nixos/hetznix01/post-install/nginx.nix b/modules/hosts/nixos/hetznix01/post-install/nginx.nix index ee34024..6116c40 100644 --- a/modules/hosts/nixos/hetznix01/post-install/nginx.nix +++ b/modules/hosts/nixos/hetznix01/post-install/nginx.nix @@ -99,6 +99,28 @@ in { proxyWebsockets = true; }; }; + "cloud.pack1828.org" = { + enableACME = true; + acmeRoot = null; + forceSSL = true; + }; + "collabora.pack1828.org" = { + enableACME = true; + acmeRoot = null; + forceSSL = true; + locations."/" = { + proxyPass = "http://[::1]:${toString config.services.collabora-online.port}"; + proxyWebsockets = true; # collabora uses websockets + }; + }; + "location.${domain}" = { + enableACME = true; + acmeRoot = null; + forceSSL = true; + locations."/" = { + proxyPass = "http://localhost:3003"; + }; + }; "matrix.${domain}" = { listen = [ { port = http_port; addr = "0.0.0.0"; } @@ -130,6 +152,12 @@ in { "/_synapse/client".proxyPass = "http://[::1]:8008"; }; }; + "mqtt.${domain}" = { + enableACME = true; + acmeRoot = null; + forceSSL = true; + locations."/".return = "301 https://beanbag.technicalissues.us"; + }; "ot.${domain}" = { enableACME = true; acmeRoot = null; @@ -138,6 +166,14 @@ in { # OwnTracks Frontend container locations."/".proxyPass = "http://127.0.0.1:8082"; }; + "pack1828.org" = { + enableACME = true; + acmeRoot = null; + forceSSL = true; + locations."/" = { + return = "307 https://cloud.pack1828.org"; + }; + }; "recorder.${domain}" = { enableACME = true; acmeRoot = null; diff --git a/modules/hosts/nixos/hetznix01/secrets.yaml b/modules/hosts/nixos/hetznix01/secrets.yaml index c5f194c..e82940e 100644 --- a/modules/hosts/nixos/hetznix01/secrets.yaml +++ b/modules/hosts/nixos/hetznix01/secrets.yaml 
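Review bot: The three `remote_password` values are written in clear text in this module, so they end up in repository history and in the world-readable Nix store, while the local users further down correctly use `hashedPasswordFile` from sops; the `meshdev` and `uplink` pairs appear to be the publicly documented credentials of those community brokers, but `meshtastic_user` for the home-assistant bridge looks like a private credential and should be kept out of the store (for example in a sops-managed config file pulled in through `services.mosquitto.includeDirs`, if that fits the module). The first listener sets neither `address` nor `port`, so it accepts unencrypted password logins on 1883 on every interface, and with 1883 now in the firewall allowlist that is Internet-facing; either bind it to a private address or keep 1883 closed and let external clients use only the 8883 listener. `users.users.mosquitto.extraGroups = [ "nginx" ]` is how the broker reads the ACME certificate files, and a comment saying so, `# member of nginx so it can read the ACME certificate files`, would keep it from being removed as stray. The bridge `address = "homeasistant-lc.atlas-snares.ts.net"` spells homeassistant with a single 's'; if that is not the real Tailscale hostname the bridge will never connect.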
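Review bot: The `mqtt.${domain}` vhost appears to exist only so ACME issues the certificate that post-install/mosquitto.nix reads via `config.security.acme.certs."mqtt.technicalissues.us".directory`; a comment stating that, `# exists so ACME issues the cert used by mosquitto's TLS listener`, would stop it from being removed as a stray redirect. Renewal of that certificate presumably reloads only nginx, while mosquitto has already loaded the key and chain files and will not pick up the new ones until it is reloaded; adding `security.acme.certs."mqtt.${domain}".reloadServices = [ "mosquitto.service" ];` next to this vhost (or in mosquitto.nix) makes renewals reach the broker. The enclosing `virtualHosts` set runs past the hunk on both sides.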
@@ -2,8 +2,14 @@ local_git_config: ENC[AES256_GCM,data:BulcGoJ85+BA3maqbMewUdaNOl3feaJMq/4yZL8Y8S local_private_env: ENC[AES256_GCM,data:OFcCaE9/hpd6JIoUTTxg0pEFL3rkUE3G+JzP/wjFXpa/AJa2Rr0Kv42Pu+iwgPMWgcpp50ChjVxGvbceNQ==,iv:I2LyWwvdMdE4wKLb3udLVMu3jFsvYR1ruZvaVt9GG7c=,tag:tBPmlNr0iNdLRU1GIRV2mg==,type:str] matrix_secrets_yaml: ENC[AES256_GCM,data:6DLtAZIYBlL7iQVS/FBeUEhHyAOFZ5JRNqFBqi59GVh7cP0Hp8RBWxKpWAH2eUPYqUqUGCKrSSH3sJqzV+vasSR62tcltV7+13+q+rZVCZNCEf21EwQ5aaxgR3yG4n3YUPqLsCQB6UnWn0tF5HO0ofjYkya0pQ/nX9TBiiqIcPcd4NovbTtf+S0G0VptqyXAuRvJoKCx42ft9IBfV9tF1QsXLemKYlI10hN5l/MgJHwVbwH5xXR2kLKvnlpAyIoST/uJhswQV9DyK9cnl09ZM9ztcXhveBzv6uDW+pme8lFL99SMtMJcbSzxYW/pt+GJgYd1NiaoPbayWM72jdpH0hf2zWchxnIJIyL3H6EzIjD8BE9GnMP7ujQwBZGNZITRSg==,iv:cDtuOhv2v6CZcwiMM3oqjmajIl7D8Im+LkfarcjTM/w=,tag:e7zRQBYslJqESOGN3c4/aw==,type:str] matrix_homeserver_signing_key: ENC[AES256_GCM,data:+RflNxFfS2w9LbavT7YnCQIhJWI49kN7pOa9/dH0BpDWxKQaLE4ZYBYq0ikAgcHaF3+rBL3f6KxUacw=,iv:6+nZzuxBUwjM74XHCD89YWfyuMRcoIwQlHLiNN4NWdc=,tag:91yigynRz6QdEd4rF7d/9g==,type:str] +mosquitto_mountain_mesh: ENC[AES256_GCM,data:LczPsPtAgkTTGcG3KYXMkfeA67e81Q5zJ5Nb8JcSosvvUwJRUi6yDcV/0wsYbMxeWDMrE/p+2KFRI48BVcUbY/LXqyFu5iNbX5IJXxzrexXXSTnOLa2PEamESzQlWI0ZS+K0Q48/5v9ekNVOkPgNQQ==,iv:jfa0QKOp8fyieUYTbMnBJ18VZwPO2CVnYQECHLNCyPI=,tag:9YZU82XQUmLJAFK+AiZ/Vw==,type:str] +mosquitto_genebean: ENC[AES256_GCM,data:QzLpyXST+hlmCq7SIpkxra5jiA3JTWPgGV/NPBoeC+yESpiXQOnWzzSiNS09l3xGmjvTLR4dGUeTD1CUl4FwUsMT15MWjWHYNAfuoywy50i7xCCKPwERDxniar7Ykq7o0rz2UkNlW0X7uLQar+rn6g==,iv:ECt5oAh2R1a+RFEk5lEsDFEj2+4Z/D4Q7ezK1iTsS6k=,tag:4tLFjqezUFW8hA8udyPkiw==,type:str] mqtt_recorder_pass: ENC[AES256_GCM,data:N44nv2mk5zguWXNHdKsxhoKUjiduD1hzsAb6,iv:aLudKuUBTPXgtAF33exELH/PESD0CqoDaydeqdhcmbA=,tag:3lhrqO8jxJiRHWZjWSRa0g==,type:str] +nextcloud_admin_pass: ENC[AES256_GCM,data:dite1z9lAQg4geuoDvXnveJP0iI/ouEe,iv:VT17WjQdS8T1qIxwyjdLy2VNpP5tv7KXhY+twpotiaQ=,tag:5DQLvRI87BamUutSUnvncA==,type:str] owntracks_basic_auth: 
ENC[AES256_GCM,data:GX1U1uf7+erE+g9GzhXK5ED2QicfcbpRCwpJDw6Zr9X2FtdMYleH5mhLxw==,iv:PflRq+P50+oFf4wv5wwlY6V9bApGuJ3tlYTvJZ5mg0E=,tag:VHBY5qv7rX74DGURsYaWpw==,type:str] +pack1828_gene_liverman_pass: ENC[AES256_GCM,data:f1sO6ZKbg6wsPtAE0X5g0vqvEToBG4Ps+f0GiAK7ThDHna4UDHc0MlEbLsRb+C/WtKfDMFm2EfbfFIks,iv:jy7gt4mGXjsUXbuW8ml/tkc6AEOnkfflP7rtD6pU4JU=,tag:ccS0VfRd5yT/i+ic/N2Suw==,type:str] +pack1828_dawn_liverman_pass: ENC[AES256_GCM,data:reJDYGed0VBGoZ48FMPhWFBn7zM42uFcMaBy2569JS4kKZ9AqFFVJKstmyj3U81hE7aG2hxaLOT0sGQA,iv:tfXu7jCuuAcR7kxVb8Lfj/tKhwpZ/gTY9xwmWOy/kPA=,tag:qHOdjvz8yGChumP5D7q25w==,type:str] +pack1828_steve_mclendon_pass: ENC[AES256_GCM,data:js6im7Uobhgh8TM/R6pAQeBOWbqMmmVu+y+0yG/W0QRAtjxqy2gwYdtu0PBf7ZbXoDvqLWBj9tYiH5T2,iv:dmGmkNrkcWfGv/bgpf/TowDVb7sG3Oqq26iJqfMfE74=,tag:W7TmUvOM+ApkJ4EXDqmRLw==,type:str] plausible_admin_pass: ENC[AES256_GCM,data:nMGHMTp3YsDGP3YA9qmZqRCBA5BonS7SaLo=,iv:gN9qu+35DHiJVKh8vHF6KAwrFqgfdNNCC0+q3L/mBGg=,tag:XKlzT4Bp9IIKTSAmjDhd1Q==,type:str] plausible_secret_key_base: ENC[AES256_GCM,data:6Co3VO9Ocmd6cppRpm763jjpRE9yCb75FnrrvCD5XtQPoq6c7ZnCPfSPzWF7jOv6e0g+ghao015myEe3pmNlPcx55KE4LpPwNGHdGbFHmNsGiIDrDUC3Hw==,iv:0FXSF//7FAGrQKiMOfHFoWE539MzCnz7xUTHxxatTCI=,tag:cKMFwyLYScKVM3v+6hvwzg==,type:str] tailscale_key: ENC[AES256_GCM,data:Bl00WuIrLvxmt7aNsoXC6G7XFls7waZMzdfo/MsEOZl/i3wHwrjrmgwd3V4GkaJ42UjrC1OLobrkuLves4w=,iv:tlCu0EWgvhvs1ANdtQr7KWHJ2RjpHniUm/rFC4L/MHs=,tag:+8eov9w+SPGZPnjMdrN8gA==,type:str] 
@@ -22,8 +28,8 @@ sops: WkI4ejBaODI0d0tjWHpTT3VWTXNyaXcKMDtvHN4gcZqBNslyC+NwYW05zgs8QuPV W6EktAz+xu6kx5BJbli5GkUFmj52AtEGIqZ1Sr4a0pKQACC87XcTQA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-29T04:40:44Z" - mac: ENC[AES256_GCM,data:94kylK+CFinvS2tjvu9vIanSjyVGkzu4IfDWvXvzxazR2U61IXuuaykPF3iDFKA9bC2cV4symPLmx7hAHFdN87mycOvkprUQzJTXORLdPjW90piaMvlETOH/lrjDq7R0TeIFfwj1hOrj0HrCg8tR6g49agl8uO/HoZQUtarZAf0=,iv:azMsvPUrR95r+dEWlBFilTdh+Zx26FNVcECX315njkI=,tag:DFZSHW3zq7ZD2KliTjL31A==,type:str] + lastmodified: "2025-06-09T00:02:18Z" + mac: ENC[AES256_GCM,data:/gbUCnVDQ9FSpm/nwqM/b9DfQ5hCcsTG5DEHF9dKYRQq64rOrCTfusrbCj89WAbabJVHWijDWrI/al5ZtHz1q/i3QXSP81cjabugtGcwdtrl6vpQn+K/Uf6t8N65fIvJG1JcepR4CgguVdTmVU5aOCWnB+Ai9PlbPa6p2OE32k8=,iv:E2YXecvKQ6qsezSyKi4771UqqVsQ2buN+4wzT2hAyO8=,tag:ajCENU3pJEmWa7k93vixvQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.8.1 + version: 3.9.4 diff --git a/modules/hosts/nixos/kiosk-entryway/default.nix b/modules/hosts/nixos/kiosk-entryway/default.nix index c0727d1..a45603f 100644 --- a/modules/hosts/nixos/kiosk-entryway/default.nix +++ b/modules/hosts/nixos/kiosk-entryway/default.nix @@ -68,6 +68,7 @@ "textfile" ]; }; + smartd.enable = true; }; sops = { diff --git a/modules/hosts/nixos/nixnas1/default.nix b/modules/hosts/nixos/nixnas1/default.nix index 7146c5c..8cd4bbf 100644 --- a/modules/hosts/nixos/nixnas1/default.nix +++ b/modules/hosts/nixos/nixnas1/default.nix @@ -58,6 +58,7 @@ restic.backups.daily.paths = [ # "/storage/foo" ]; + smartd.enable = true; zfs.autoScrub.enable = true; }; diff --git a/modules/hosts/nixos/nixnuc/default.nix b/modules/hosts/nixos/nixnuc/default.nix index dc792bb..13e91e7 100644 --- a/modules/hosts/nixos/nixnuc/default.nix +++ b/modules/hosts/nixos/nixnuc/default.nix @@ -522,6 +522,7 @@ in { "/var/backup/postgresql" "/var/lib/prometheus2" ]; + smartd.enable = true; syncthing = { enable = true; dataDir = "/orico/syncthing"; 
diff --git a/modules/hosts/nixos/rainbow-planet/default.nix b/modules/hosts/nixos/rainbow-planet/default.nix
index 4b3fb86..ac2179d 100644
--- a/modules/hosts/nixos/rainbow-planet/default.nix
+++ b/modules/hosts/nixos/rainbow-planet/default.nix
@@ -125,6 +125,7 @@
 irqbalance.enable = true;
 printing.enable = true; # Enable CUPS
 resolved.enable = true;
+ smartd.enable = true;
 tailscale = {
 enable = true;
 authKeyFile = config.sops.secrets.tailscale_key.path;