Merge pull request #517 from genebean/stuff

Stuff that piled up on hetznix01

modules/hosts/nixos/bigboy/default.nix

@@ -82,6 +82,7 @@
       pulse.enable = true;
     };
     printing.enable = true; # Enable CUPS
+    smartd.enable = true;
     xserver = {
       enable = true;
       xkb = {

modules/hosts/nixos/default.nix

@@ -12,6 +12,7 @@
       iftop
       inetutils
       iotop
+      mosquitto
       neofetch
       python3
       smartmontools
@@ -73,7 +74,6 @@
 
   services = {
     openssh.enable = true;
-    smartd.enable = true;
   };
 
   sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

modules/hosts/nixos/hetznix01/default.nix

@@ -26,11 +26,15 @@
       22   # ssh
       25   # SMTP (unencrypted)
       80   # http to local Nginx
+      143  # imap
       443  # https to local Nginx
       465  # SMTP with TLS
       587  # SMTP with STARTTLS
+      993  # imaps
+      1883 # mqtt
       8333 # Bitcoin Core
       8448 # Matrix Synapse
+      8883 # mqtt over tls
       9735 # LND
     ];
     # firewall.allowedUDPPorts = [ ... ];
@@ -47,6 +51,19 @@
   services = {
     fail2ban.enable = true;
     logrotate.enable = true;
+    ntopng = {
+      enable = true;
+      interfaces = [
+        "enp1s0"
+        "tailscale0"
+      ];
+    };
+    openssh.settings = {
+      # require public key authentication for better security
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+      PermitRootLogin = "no";
+    };
     postgresql = {
       enable = true;
       package = pkgs.postgresql_16;
@@ -97,6 +114,7 @@
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvLaPTfG3r+bcbI6DV4l69UgJjnwmZNCQk79HXyf1Pt gene@rainbow-planet"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIp42X5DZ713+bgbOO+GXROufUFdxWo7NjJbGQ285x3N gene.liverman@ltnglobal.com"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICxSBXdng/+esUXN/uLHQ0l9SgHS5EI9Z8UbqxLMNpK5 gene@newt"
     ];
   };
 }

modules/hosts/nixos/hetznix01/hardware-configuration.nix

@@ -13,6 +13,16 @@
   boot.kernelModules = [ ];
   boot.extraModulePackages = [ ];
 
+  fileSystems."pack1828" = {
+    device = "/dev/disk/by-id/scsi-0HC_Volume_102600992";
+    fsType = "ext4";
+    options = [
+      "discard"
+      "nofail"
+      "defaults"
+    ];
+  };
+
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
 

modules/hosts/nixos/hetznix01/post-install/default.nix

@@ -1,21 +1,25 @@
-{ config, username, ... }: let
+{ config, lib, pkgs, username, ... }: let
   domain = "technicalissues.us";
 in {
   imports = [
     ../../../common/linux/lets-encrypt.nix
     ../../../common/linux/restic.nix
     ./matrix-synapse.nix
+    ./mosquitto.nix
     ./nginx.nix
   ];
 
   mailserver = {
     enable = true;
     enableImap = false;
-    enableImapSsl = false;
+    enableImapSsl = true;
+    enableSubmission = false;
+    enableSubmissionSsl = true;
     fqdn = "mail.alt.${domain}";
     domains = [
       "alt.${domain}"
       "indianspringsbsa.org"
+      "pack1828.org"
     ];
     forwards = {
       "webmaster@indianspringsbsa.org" = "gene+indianspringsbsa.org@geneliverman.com";
@@ -31,6 +35,81 @@ in {
   };
 
   services = {
+    collabora-online = {
+      enable = true;
+      port = 9980; # default
+      settings = {
+        # Rely on reverse proxy for SSL
+        ssl = {
+          enable = false;
+          termination = true;
+        };
+
+        # Listen on loopback interface only, and accept requests from ::1
+        net = {
+          listen = "loopback";
+          post_allow.host = ["::1"];
+        };
+
+        # Restrict loading documents from WOPI Host nextcloud.example.com
+        storage.wopi = {
+          "@allow" = true;
+          host = [ "https://cloud.pack1828.org" ];
+        };
+
+        # Set FQDN of server
+        server_name = "collabora.pack1828.org";
+      };
+    };
+    nextcloud = {
+      enable = true;
+      hostName = "cloud.pack1828.org";
+      package = pkgs.nextcloud31; # Need to manually increment with every major upgrade.
+      appstoreEnable = true;
+      autoUpdateApps.enable = true;
+      config = {
+        adminuser = username;
+        adminpassFile = config.sops.secrets.nextcloud_admin_pass.path;
+        dbtype = "pgsql";
+      };
+      configureRedis = true;
+      database.createLocally = true;
+      extraApps = with config.services.nextcloud.package.packages.apps; {
+        # List of apps we want to install and are already packaged in
+        # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json
+        inherit
+          richdocuments # Collabora Online for Nextcloud - https://apps.nextcloud.com/apps/richdocuments
+          ;
+      };
+      extraAppsEnable = true;
+      home = "/pack1828/nextcloud";
+      https = true;
+      maxUploadSize = "3G"; # Increase the PHP maximum file upload size
+      phpOptions."opcache.interned_strings_buffer" = "16"; # Suggested by Nextcloud's health check.
+      settings = {
+        default_phone_region = "US";
+        # https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#enabledpreviewproviders
+        enabledPreviewProviders = [
+          "OC\\Preview\\BMP"
+          "OC\\Preview\\GIF"
+          "OC\\Preview\\JPEG"
+          "OC\\Preview\\Krita"
+          "OC\\Preview\\MarkDown"
+          "OC\\Preview\\MP3"
+          "OC\\Preview\\OpenDocument"
+          "OC\\Preview\\PNG"
+          "OC\\Preview\\TXT"
+          "OC\\Preview\\XBitmap"
+
+          "OC\\Preview\\HEIC"
+          "OC\\Preview\\Movie"
+        ];
+        log_type = "file";
+        maintenance_window_start = 5;
+        overwriteProtocol = "https";
+        "profile.enabled" = true;
+      };
+    };
     plausible = {
       enable = true;
       adminUser = {
@@ -93,6 +172,7 @@ in {
       };
       matrix_homeserver_signing_key.owner = config.users.users.matrix-synapse.name;
       mqtt_recorder_pass.restartUnits = ["mosquitto.service"];
+      nextcloud_admin_pass.owner = config.users.users.nextcloud.name;
       owntracks_basic_auth = {
         owner = config.users.users.nginx.name;
         restartUnits = ["nginx.service"];
@@ -105,6 +185,34 @@ in {
     };
   };
 
+  systemd.services = {
+    nextcloud-config-collabora = let
+      inherit (config.services.nextcloud) occ;
+
+      wopi_url = "http://[::1]:${toString config.services.collabora-online.port}";
+      public_wopi_url = "https://collabora.pack1828.org";
+      wopi_allowlist = lib.concatStringsSep "," [
+        "127.0.0.1"
+        "::1"
+        "5.161.244.95"
+        "2a01:4ff:f0:977c::1"
+      ];
+    in {
+      wantedBy = ["multi-user.target"];
+      after = ["nextcloud-setup.service" "coolwsd.service"];
+      requires = ["coolwsd.service"];
+      script = ''
+        ${occ}/bin/nextcloud-occ config:app:set richdocuments wopi_url --value ${lib.escapeShellArg wopi_url}
+        ${occ}/bin/nextcloud-occ config:app:set richdocuments public_wopi_url --value ${lib.escapeShellArg public_wopi_url}
+        ${occ}/bin/nextcloud-occ config:app:set richdocuments wopi_allowlist --value ${lib.escapeShellArg wopi_allowlist}
+        ${occ}/bin/nextcloud-occ richdocuments:setup
+      '';
+      serviceConfig = {
+        Type = "oneshot";
+      };
+    };
+  };
+
   # Enable common container config files in /etc/containers
   virtualisation.containers.enable = true;
   virtualisation = {

modules/hosts/nixos/hetznix01/post-install/mosquitto.nix

@@ -0,0 +1,102 @@
+{ config, ... }: {
+  services.mosquitto = {
+    enable = true;
+    bridges = {
+      liamcottle = {
+        addresses = [{
+          address = "mqtt.meshtastic.liamcottle.net";
+          port = 1883;
+        }];
+        topics = [
+          "msh/# out 1 \"\""
+        ];
+        settings = {
+          remote_username = "uplink";
+          remote_password = "uplink";
+          cleansession = true;
+          keepalive_interval = 160;
+          notifications = false;
+          start_type = "automatic";
+        };
+      };
+      meshtastic = {
+        addresses = [{
+          address = "mqtt.meshtastic.org";
+          port = 1883;
+        }];
+        topics = [
+          "msh/# out 1 \"\""
+        ];
+        settings = {
+          remote_username = "meshdev";
+          remote_password = "large4cats";
+          #bridge_protocol_version = "mqttv311";
+          cleansession = true;
+          keepalive_interval = 160;
+          notifications = false;
+          start_type = "automatic";
+        };
+      };
+      homeassistant = {
+        addresses = [{
+          address = "homeasistant-lc.atlas-snares.ts.net";
+          port = 1883;
+        }];
+        topics = [
+          "msh/US/2/e/LongFast/!a386c80 out 1 \"\""
+          "msh/US/2/e/LongFast/!b03bcb24 out 1 \"\""
+          "msh/US/2/e/LongFast/!b03dbe58 out 1 \"\""
+          "msh/US/2/e/LongFast/!4370b0c6 out 1 \"\""
+        ];
+        settings = {
+          remote_username = "meshtastic_user";
+          remote_password = "meshtastic_user";
+          cleansession = true;
+          keepalive_interval = 160;
+          notifications = false;
+          start_type = "automatic";
+        };
+      };
+    };
+    listeners = let
+      mqtt_users = {
+        genebean = {
+          acl = [
+            "readwrite msh/#"
+          ];
+          hashedPasswordFile = config.sops.secrets.mosquitto_genebean.path;
+        };
+        mountain_mesh = {
+          acl = [
+            "readwrite msh/#"
+          ];
+          hashedPasswordFile = config.sops.secrets.mosquitto_mountain_mesh.path;
+        };
+      };
+    in [
+      {
+        users = mqtt_users;
+        settings.allow_anonymous = false;
+      }
+      {
+        port = 8883;
+        users = mqtt_users;
+        settings = let
+           certDir = config.security.acme.certs."mqtt.technicalissues.us".directory;
+        in {
+          allow_anonymous = false;
+          keyfile = certDir + "/key.pem";
+          certfile = certDir + "/cert.pem";
+          cafile = certDir + "/chain.pem";
+        };
+      }
+    ];
+  };
+
+  sops.secrets = {
+    mosquitto_genebean.owner = config.users.users.mosquitto.name;
+    mosquitto_mountain_mesh.owner = config.users.users.mosquitto.name;
+  };
+
+  users.users.mosquitto.extraGroups = [ "nginx" ];
+}

modules/hosts/nixos/hetznix01/post-install/nginx.nix

@@ -99,6 +99,28 @@ in {
           proxyWebsockets = true;
         };
       };
+      "cloud.pack1828.org" = {
+        enableACME = true;
+        acmeRoot = null;
+        forceSSL = true;
+      };
+      "collabora.pack1828.org" = {
+        enableACME = true;
+        acmeRoot = null;
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://[::1]:${toString config.services.collabora-online.port}";
+          proxyWebsockets = true; # collabora uses websockets
+        };
+      };
+      "location.${domain}" = {
+        enableACME = true;
+        acmeRoot = null;
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://localhost:3003";
+        };
+      };
       "matrix.${domain}" = {
         listen = [
           { port = http_port; addr = "0.0.0.0"; }
@@ -130,6 +152,12 @@ in {
           "/_synapse/client".proxyPass = "http://[::1]:8008";
         };
       };
+      "mqtt.${domain}" = {
+        enableACME = true;
+        acmeRoot = null;
+        forceSSL = true;
+        locations."/".return = "301 https://beanbag.technicalissues.us";
+      };
       "ot.${domain}" = {
         enableACME = true;
         acmeRoot = null;
@@ -138,6 +166,14 @@ in {
         # OwnTracks Frontend container
         locations."/".proxyPass = "http://127.0.0.1:8082";
       };
+      "pack1828.org" = {
+        enableACME = true;
+        acmeRoot = null;
+        forceSSL = true;
+        locations."/" = {
+          return = "307 https://cloud.pack1828.org";
+        };
+      };
       "recorder.${domain}" = {
         enableACME = true;
         acmeRoot = null;

modules/hosts/nixos/hetznix01/secrets.yaml

@@ -2,8 +2,14 @@ local_git_config: ENC[AES256_GCM,data:BulcGoJ85+BA3maqbMewUdaNOl3feaJMq/4yZL8Y8S
 local_private_env: ENC[AES256_GCM,data:OFcCaE9/hpd6JIoUTTxg0pEFL3rkUE3G+JzP/wjFXpa/AJa2Rr0Kv42Pu+iwgPMWgcpp50ChjVxGvbceNQ==,iv:I2LyWwvdMdE4wKLb3udLVMu3jFsvYR1ruZvaVt9GG7c=,tag:tBPmlNr0iNdLRU1GIRV2mg==,type:str]
 matrix_secrets_yaml: ENC[AES256_GCM,data:6DLtAZIYBlL7iQVS/FBeUEhHyAOFZ5JRNqFBqi59GVh7cP0Hp8RBWxKpWAH2eUPYqUqUGCKrSSH3sJqzV+vasSR62tcltV7+13+q+rZVCZNCEf21EwQ5aaxgR3yG4n3YUPqLsCQB6UnWn0tF5HO0ofjYkya0pQ/nX9TBiiqIcPcd4NovbTtf+S0G0VptqyXAuRvJoKCx42ft9IBfV9tF1QsXLemKYlI10hN5l/MgJHwVbwH5xXR2kLKvnlpAyIoST/uJhswQV9DyK9cnl09ZM9ztcXhveBzv6uDW+pme8lFL99SMtMJcbSzxYW/pt+GJgYd1NiaoPbayWM72jdpH0hf2zWchxnIJIyL3H6EzIjD8BE9GnMP7ujQwBZGNZITRSg==,iv:cDtuOhv2v6CZcwiMM3oqjmajIl7D8Im+LkfarcjTM/w=,tag:e7zRQBYslJqESOGN3c4/aw==,type:str]
 matrix_homeserver_signing_key: ENC[AES256_GCM,data:+RflNxFfS2w9LbavT7YnCQIhJWI49kN7pOa9/dH0BpDWxKQaLE4ZYBYq0ikAgcHaF3+rBL3f6KxUacw=,iv:6+nZzuxBUwjM74XHCD89YWfyuMRcoIwQlHLiNN4NWdc=,tag:91yigynRz6QdEd4rF7d/9g==,type:str]
+mosquitto_mountain_mesh: ENC[AES256_GCM,data:LczPsPtAgkTTGcG3KYXMkfeA67e81Q5zJ5Nb8JcSosvvUwJRUi6yDcV/0wsYbMxeWDMrE/p+2KFRI48BVcUbY/LXqyFu5iNbX5IJXxzrexXXSTnOLa2PEamESzQlWI0ZS+K0Q48/5v9ekNVOkPgNQQ==,iv:jfa0QKOp8fyieUYTbMnBJ18VZwPO2CVnYQECHLNCyPI=,tag:9YZU82XQUmLJAFK+AiZ/Vw==,type:str]
+mosquitto_genebean: ENC[AES256_GCM,data:QzLpyXST+hlmCq7SIpkxra5jiA3JTWPgGV/NPBoeC+yESpiXQOnWzzSiNS09l3xGmjvTLR4dGUeTD1CUl4FwUsMT15MWjWHYNAfuoywy50i7xCCKPwERDxniar7Ykq7o0rz2UkNlW0X7uLQar+rn6g==,iv:ECt5oAh2R1a+RFEk5lEsDFEj2+4Z/D4Q7ezK1iTsS6k=,tag:4tLFjqezUFW8hA8udyPkiw==,type:str]
 mqtt_recorder_pass: ENC[AES256_GCM,data:N44nv2mk5zguWXNHdKsxhoKUjiduD1hzsAb6,iv:aLudKuUBTPXgtAF33exELH/PESD0CqoDaydeqdhcmbA=,tag:3lhrqO8jxJiRHWZjWSRa0g==,type:str]
+nextcloud_admin_pass: ENC[AES256_GCM,data:dite1z9lAQg4geuoDvXnveJP0iI/ouEe,iv:VT17WjQdS8T1qIxwyjdLy2VNpP5tv7KXhY+twpotiaQ=,tag:5DQLvRI87BamUutSUnvncA==,type:str]
 owntracks_basic_auth: ENC[AES256_GCM,data:GX1U1uf7+erE+g9GzhXK5ED2QicfcbpRCwpJDw6Zr9X2FtdMYleH5mhLxw==,iv:PflRq+P50+oFf4wv5wwlY6V9bApGuJ3tlYTvJZ5mg0E=,tag:VHBY5qv7rX74DGURsYaWpw==,type:str]
+pack1828_gene_liverman_pass: ENC[AES256_GCM,data:f1sO6ZKbg6wsPtAE0X5g0vqvEToBG4Ps+f0GiAK7ThDHna4UDHc0MlEbLsRb+C/WtKfDMFm2EfbfFIks,iv:jy7gt4mGXjsUXbuW8ml/tkc6AEOnkfflP7rtD6pU4JU=,tag:ccS0VfRd5yT/i+ic/N2Suw==,type:str]
+pack1828_dawn_liverman_pass: ENC[AES256_GCM,data:reJDYGed0VBGoZ48FMPhWFBn7zM42uFcMaBy2569JS4kKZ9AqFFVJKstmyj3U81hE7aG2hxaLOT0sGQA,iv:tfXu7jCuuAcR7kxVb8Lfj/tKhwpZ/gTY9xwmWOy/kPA=,tag:qHOdjvz8yGChumP5D7q25w==,type:str]
+pack1828_steve_mclendon_pass: ENC[AES256_GCM,data:js6im7Uobhgh8TM/R6pAQeBOWbqMmmVu+y+0yG/W0QRAtjxqy2gwYdtu0PBf7ZbXoDvqLWBj9tYiH5T2,iv:dmGmkNrkcWfGv/bgpf/TowDVb7sG3Oqq26iJqfMfE74=,tag:W7TmUvOM+ApkJ4EXDqmRLw==,type:str]
 plausible_admin_pass: ENC[AES256_GCM,data:nMGHMTp3YsDGP3YA9qmZqRCBA5BonS7SaLo=,iv:gN9qu+35DHiJVKh8vHF6KAwrFqgfdNNCC0+q3L/mBGg=,tag:XKlzT4Bp9IIKTSAmjDhd1Q==,type:str]
 plausible_secret_key_base: ENC[AES256_GCM,data:6Co3VO9Ocmd6cppRpm763jjpRE9yCb75FnrrvCD5XtQPoq6c7ZnCPfSPzWF7jOv6e0g+ghao015myEe3pmNlPcx55KE4LpPwNGHdGbFHmNsGiIDrDUC3Hw==,iv:0FXSF//7FAGrQKiMOfHFoWE539MzCnz7xUTHxxatTCI=,tag:cKMFwyLYScKVM3v+6hvwzg==,type:str]
 tailscale_key: ENC[AES256_GCM,data:Bl00WuIrLvxmt7aNsoXC6G7XFls7waZMzdfo/MsEOZl/i3wHwrjrmgwd3V4GkaJ42UjrC1OLobrkuLves4w=,iv:tlCu0EWgvhvs1ANdtQr7KWHJ2RjpHniUm/rFC4L/MHs=,tag:+8eov9w+SPGZPnjMdrN8gA==,type:str]
@@ -22,8 +28,8 @@ sops:
             WkI4ejBaODI0d0tjWHpTT3VWTXNyaXcKMDtvHN4gcZqBNslyC+NwYW05zgs8QuPV
             W6EktAz+xu6kx5BJbli5GkUFmj52AtEGIqZ1Sr4a0pKQACC87XcTQA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-29T04:40:44Z"
-    mac: ENC[AES256_GCM,data:94kylK+CFinvS2tjvu9vIanSjyVGkzu4IfDWvXvzxazR2U61IXuuaykPF3iDFKA9bC2cV4symPLmx7hAHFdN87mycOvkprUQzJTXORLdPjW90piaMvlETOH/lrjDq7R0TeIFfwj1hOrj0HrCg8tR6g49agl8uO/HoZQUtarZAf0=,iv:azMsvPUrR95r+dEWlBFilTdh+Zx26FNVcECX315njkI=,tag:DFZSHW3zq7ZD2KliTjL31A==,type:str]
+    lastmodified: "2025-06-09T00:02:18Z"
+    mac: ENC[AES256_GCM,data:/gbUCnVDQ9FSpm/nwqM/b9DfQ5hCcsTG5DEHF9dKYRQq64rOrCTfusrbCj89WAbabJVHWijDWrI/al5ZtHz1q/i3QXSP81cjabugtGcwdtrl6vpQn+K/Uf6t8N65fIvJG1JcepR4CgguVdTmVU5aOCWnB+Ai9PlbPa6p2OE32k8=,iv:E2YXecvKQ6qsezSyKi4771UqqVsQ2buN+4wzT2hAyO8=,tag:ajCENU3pJEmWa7k93vixvQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.4

modules/hosts/nixos/kiosk-entryway/default.nix

@@ -68,6 +68,7 @@
         "textfile"
       ];
     };
+    smartd.enable = true;
   };
 
   sops = {

modules/hosts/nixos/nixnas1/default.nix

@@ -58,6 +58,7 @@
     restic.backups.daily.paths = [
       # "/storage/foo"
     ];
+    smartd.enable = true;
     zfs.autoScrub.enable = true;
   };
 

modules/hosts/nixos/nixnuc/default.nix

@@ -522,6 +522,7 @@ in {
       "/var/backup/postgresql"
       "/var/lib/prometheus2"
     ];
+    smartd.enable = true;
     syncthing = {
       enable = true;
       dataDir = "/orico/syncthing";

modules/hosts/nixos/rainbow-planet/default.nix

@@ -125,6 +125,7 @@
     irqbalance.enable = true;
     printing.enable = true; # Enable CUPS
     resolved.enable = true;
+    smartd.enable = true;
     tailscale = {
       enable = true;
       authKeyFile = config.sops.secrets.tailscale_key.path;