commit 56d73fe526985ddf99f238d3ca8b8cf06ae6131e · aylac.top/nixcfg-own-knot

+21 -21

flake.lock

···

       73
       73
        
               "nixpkgs": "nixpkgs"

     

       74
       74
        
             },

     

       75
       75
        
             "locked": {

     

       76
       76
       -
               "lastModified": 1755558529,

     

       77
       77
       -
               "narHash": "sha256-Q7eOM63Ky+Mb7HS5+eSxn2UOQSFAK82v2K1pL2pEiIw=",

     

       76
       76
       +
               "lastModified": 1755732626,

     

       77
       77
       +
               "narHash": "sha256-qLAElW0E2QmcrKAbLPjFdueAOpjp3HmlxaOQf4R4jas=",

     

       78
       78
        
               "owner": "9001",

     

       79
       79
        
               "repo": "copyparty",

     

       80
       80
       -
               "rev": "c51371c71d0449e3d3b223e7a3425f241065cae5",

     

       80
       80
       +
               "rev": "cd8771fa522d1cf645c3c7e0193f07b53d81559c",

     

       81
       81
        
               "type": "github"

     

       82
       82
        
             },

     

       83
       83
        
             "original": {

     
···

       619
       619
        
               ]

     

       620
       620
        
             },

     

       621
       621
        
             "locked": {

     

       622
       622
       -
               "lastModified": 1755618859,

     

       623
       623
       -
               "narHash": "sha256-VGEZMAX/bOKrkg9x5DjXBfjpxm9gvU3kRVps7RKm8mQ=",

     

       622
       622
       +
               "lastModified": 1755739851,

     

       623
       623
       +
               "narHash": "sha256-SC703bnPGOPWSEdZN2J2MkJWQBcUHV4QzuvFPdSVUME=",

     

       624
       624
        
               "owner": "nix-community",

     

       625
       625
        
               "repo": "home-manager",

     

       626
       626
       -
               "rev": "0e0a16b342bcd435ad83c62f4794ce1a4ccff0ea",

     

       626
       626
       +
               "rev": "3c3510e61ca5c15a0f13d73c2232fa2d5478a86c",

     

       627
       627
        
               "type": "github"

     

       628
       628
        
             },

     

       629
       629
        
             "original": {

     
···

       744
       744
        
           },

     

       745
       745
        
           "nixpkgs-unstable": {

     

       746
       746
        
             "locked": {

     

       747
       747
       -
               "lastModified": 1755268003,

     

       748
       748
       -
               "narHash": "sha256-nNaeJjo861wFR0tjHDyCnHs1rbRtrMgxAKMoig9Sj/w=",

     

       747
       747
       +
               "lastModified": 1755577059,

     

       748
       748
       +
               "narHash": "sha256-5hYhxIpco8xR+IpP3uU56+4+Bw7mf7EMyxS/HqUYHQY=",

     

       749
       749
        
               "owner": "NixOS",

     

       750
       750
        
               "repo": "nixpkgs",

     

       751
       751
       -
               "rev": "32f313e49e42f715491e1ea7b306a87c16fe0388",

     

       751
       751
       +
               "rev": "97eb7ee0da337d385ab015a23e15022c865be75c",

     

       752
       752
        
               "type": "github"

     

       753
       753
        
             },

     

       754
       754
        
             "original": {

     
···

       776
       776
        
           },

     

       777
       777
        
           "nixpkgs_3": {

     

       778
       778
        
             "locked": {

     

       779
       779
       -
               "lastModified": 1755186698,

     

       780
       780
       -
               "narHash": "sha256-wNO3+Ks2jZJ4nTHMuks+cxAiVBGNuEBXsT29Bz6HASo=",

     

       779
       779
       +
               "lastModified": 1755615617,

     

       780
       780
       +
               "narHash": "sha256-HMwfAJBdrr8wXAkbGhtcby1zGFvs+StOp19xNsbqdOg=",

     

       781
       781
        
               "owner": "NixOS",

     

       782
       782
        
               "repo": "nixpkgs",

     

       783
       783
       -
               "rev": "fbcf476f790d8a217c3eab4e12033dc4a0f6d23c",

     

       783
       783
       +
               "rev": "20075955deac2583bb12f07151c2df830ef346b4",

     

       784
       784
        
               "type": "github"

     

       785
       785
        
             },

     

       786
       786
        
             "original": {

     
···

       792
       792
        
           },

     

       793
       793
        
           "nixpkgs_4": {

     

       794
       794
        
             "locked": {

     

       795
       795
       -
               "lastModified": 1755186698,

     

       796
       796
       -
               "narHash": "sha256-wNO3+Ks2jZJ4nTHMuks+cxAiVBGNuEBXsT29Bz6HASo=",

     

       795
       795
       +
               "lastModified": 1755615617,

     

       796
       796
       +
               "narHash": "sha256-HMwfAJBdrr8wXAkbGhtcby1zGFvs+StOp19xNsbqdOg=",

     

       797
       797
        
               "owner": "nixos",

     

       798
       798
        
               "repo": "nixpkgs",

     

       799
       799
       -
               "rev": "fbcf476f790d8a217c3eab4e12033dc4a0f6d23c",

     

       799
       799
       +
               "rev": "20075955deac2583bb12f07151c2df830ef346b4",

     

       800
       800
        
               "type": "github"

     

       801
       801
        
             },

     

       802
       802
        
             "original": {

     
···

       812
       812
        
               "nixpkgs": "nixpkgs_4"

     

       813
       813
        
             },

     

       814
       814
        
             "locked": {

     

       815
       815
       -
               "lastModified": 1755615368,

     

       816
       816
       -
               "narHash": "sha256-99dlSdCjn1J1e0115g59nDbjsbGwihJsicjwWmzz0Bo=",

     

       815
       815
       +
               "lastModified": 1755729137,

     

       816
       816
       +
               "narHash": "sha256-eON36fTYYgAL1J/31FZfSyJzt+T9TFOn5p6P8ddyyqA=",

     

       817
       817
        
               "owner": "nix-community",

     

       818
       818
        
               "repo": "NUR",

     

       819
       819
       -
               "rev": "03f3f029e496e5e7456f2870557d5f2e5509022b",

     

       819
       819
       +
               "rev": "c6508c49a36f20ea2d28920d1b5d55a48d072a4a",

     

       820
       820
        
               "type": "github"

     

       821
       821
        
             },

     

       822
       822
        
             "original": {

     
···

       895
       895
        
           "secrets": {

     

       896
       896
        
             "flake": false,

     

       897
       897
        
             "locked": {

     

       898
       898
       -
               "lastModified": 1755717053,

     

       899
       899
       -
               "narHash": "sha256-HzMVkR0wKkr9xF1+LdXO6B4Ke+eZn/B3IEK5479I42k=",

     

       898
       898
       +
               "lastModified": 1755789931,

     

       899
       899
       +
               "narHash": "sha256-4BJKIbWkdajOZxVJhdDROMVtK6WfFbZjNXBt8KRtE18=",

     

       900
       900
        
               "owner": "ayla6",

     

       901
       901
        
               "repo": "secrets",

     

       902
       902
       -
               "rev": "411c9eb074999219404f7b0a0584a8a31687f8fc",

     

       902
       902
       +
               "rev": "145a93b5fd6db45596d4c7607c0ef91a86aee593",

     

       903
       903
        
               "type": "github"

     

       904
       904
        
             },

     

       905
       905
        
             "original": {

+1

hosts/jezebel/secrets.nix

···

       3
       3
        
           tailscaleAuthKey.file = "${self.inputs.secrets}/tailscale/auth.age";

     

       4
       4
        
           resticPassword.file = "${self.inputs.secrets}/restic-passwd.age";

     

       5
       5
        
           rclone.file = "${self.inputs.secrets}/rclone.age";

     

       6
       6
       +
           ntfyAuto.file = "${self.inputs.secrets}/ntfyAuto.age";

     

       6
       7
        
         };

     

       7
       8
        
       }

+4 -4

hosts/morgana/default.nix

···

       38
       38
        
               location = "/data/.swap";

     

       39
       39
        
             };

     

       40
       40
        
       

     

       41
       41
       -
             autoUpgrade = {

     

       42
       42
       -
               enable = true;

     

       43
       43
       -
               operation = "switch";

     

       44
       44
       -
             };

     

       41
       41
       +
             #autoUpgrade = {

     

       42
       42
       +
             #  enable = true;

     

       43
       43
       +
             #  operation = "switch";

     

       44
       44
       +
             #};

     

       45
       45
        
           };

     

       46
       46
        
           desktop.gnome.enable = true;

     

       47
       47
        
           services = {

+1

hosts/morgana/secrets.nix

···

       4
       4
        
           syncthingCert.file = "${self.inputs.secrets}/ayla/syncthing/morgana/cert.age";

     

       5
       5
        
           syncthingKey.file = "${self.inputs.secrets}/ayla/syncthing/morgana/key.age";

     

       6
       6
        
           rclone.file = "${self.inputs.secrets}/rclone.age";

     

       7
       7
       +
           ntfyAuto.file = "${self.inputs.secrets}/ntfyAuto.age";

     

       7
       8
        
         };

     

       8
       9
        
       }

+1 -3

hosts/nanpi/README.md

···

       1
       1
       -
       nanpi is my lenovo ideapad 320-14IKB, it has replaced the red hp one for it's got better specs reasons

     

       2
       2
       -
       

     

       3
       3
       -
       it might have a curse that makes it kill all hard drives it touches so maybe i'm gonna get into some trouble

     

       1
       1
       +
       the third nanpi incarnation

+6 -5

hosts/nanpi/default.nix

···

       8
       8
        
           ./secrets.nix

     

       9
       9
        
           ./services.nix

     

       10
       10
        
           ./glance.nix

     

       11
       11
       +
           ./notifier.nix

     

       11
       12
        
           self.nixosModules.locale-en-gb

     

       12
       13
        
           self.diskoConfigurations.luks-btrfs-subvolumes

     

       13
       14
        
         ];

     
···

       15
       16
        
         networking.hostName = "nanpi";

     

       16
       17
        
         system.stateVersion = "25.05";

     

       17
       18
        
         time.timeZone = "America/Sao_Paulo";

     

       18
       18
       -
         myHardware.lenovo.ideapad."320-14IKB".enable = true;

     

       19
       19
       +
         myHardware.acer.aspire."A315-53".enable = true;

     

       19
       20
        
       

     

       20
       21
        
         myNixOS = {

     

       21
       22
        
           programs = {

     
···

       25
       26
        
           profiles = {

     

       26
       27
        
             base.enable = true;

     

       27
       28
        
             server.enable = true;

     

       28
       28
       -
             autoUpgrade = {

     

       29
       29
       -
               enable = true;

     

       30
       30
       -
               operation = "boot";

     

       31
       31
       -
             };

     

       29
       29
       +
             #autoUpgrade = {

     

       30
       30
       +
             #  enable = true;

     

       31
       31
       +
             #  operation = "boot";

     

       32
       32
       +
             #};

     

       32
       33
        
             backups.enable = true;

     

       33
       34
        
             btrfs = {

     

       34
       35
        
               enable = true;

+6

hosts/nanpi/glance.nix

···

       131
       131
        
                             check-url = "http://${config.mySnippets.tailnet.networkMap.redlib.hostName}:${toString config.mySnippets.tailnet.networkMap.redlib.port}/";

     

       132
       132
        
                             icon = "di:redlib";

     

       133
       133
        
                           }

     

       134
       134
       +
                           {

     

       135
       135
       +
                             title = "Miniflux";

     

       136
       136
       +
                             url = "https://${config.mySnippets.tailnet.networkMap.miniflux.vHost}/";

     

       137
       137
       +
                             check-url = "http://${config.mySnippets.tailnet.networkMap.miniflux.hostName}:${toString config.mySnippets.tailnet.networkMap.miniflux.port}/";

     

       138
       138
       +
                             icon = "di:miniflux";

     

       139
       139
       +
                           }

     

       134
       140
        
                         ];

     

       135
       141
        
                       }

     

       136
       142
        
                     ];

+28

hosts/nanpi/notifier.nix

···

       1
       1
       +
       {

     

       2
       2
       +
         pkgs,

     

       3
       3
       +
         config,

     

       4
       4
       +
         ...

     

       5
       5
       +
       }: let

     

       6
       6
       +
         notifyOnUnplugScript = ''

     

       7
       7
       +
           #!${pkgs.bash}/bin/bash

     

       8
       8
       +
           LOGIN=$(cat "${config.age.secrets.ntfyAuto.path}")

     

       9
       9
       +
       

     

       10
       10
       +
           ${pkgs.curl}/bin/curl -u $LOGIN \

     

       11
       11
       +
           -H "X-Priority: 5" \

     

       12
       12
       +
             -d "ME YOUR CHILD ${config.networking.hostName} WAS UNPLUGGED FROM THE CHARGER HELP ME" \

     

       13
       13
       +
             https://${config.mySnippets.aylac-top.networkMap.ntfy.vHost}/network-status

     

       14
       14
       +
         '';

     

       15
       15
       +
       in {

     

       16
       16
       +
         systemd.services.notify-on-unplug = {

     

       17
       17
       +
           description = "Sends a notification when the computer is unplugged from the charger.";

     

       18
       18
       +
           after = ["network.target"];

     

       19
       19
       +
           serviceConfig = {

     

       20
       20
       +
             Type = "oneshot";

     

       21
       21
       +
             ExecStart = pkgs.writeShellScript "notify-on-unplug" notifyOnUnplugScript;

     

       22
       22
       +
           };

     

       23
       23
       +
         };

     

       24
       24
       +
       

     

       25
       25
       +
         services.udev.extraRules = ''

     

       26
       26
       +
           SUBSYSTEM=="power_supply", ATTR{online}=="0", TAG+="systemd", ENV{SYSTEMD_WANTS}="notify-on-unplug.service"

     

       27
       27
       +
         '';

     

       28
       28
       +
       }

+2

hosts/nanpi/secrets.nix

···

       17
       17
        
             mode = "0400";

     

       18
       18
        
           };

     

       19
       19
        
           autobrr.file = "${self.inputs.secrets}/autobrr.age";

     

       20
       20
       +
           ntfyAuto.file = "${self.inputs.secrets}/ntfyAuto.age";

     

       21
       21
       +
           miniflux.file = "${self.inputs.secrets}/miniflux.age";

     

       20
       22
        
         };

     

       21
       23
        
       }

+21

hosts/nanpi/services.nix

···

       156
       156
        
                 reverse_proxy ${config.mySnippets.tailnet.networkMap.redlib.hostName}:${toString config.mySnippets.tailnet.networkMap.redlib.port}

     

       157
       157
        
               '';

     

       158
       158
        
             };

     

       159
       159
       +
       

     

       160
       160
       +
             "${config.mySnippets.tailnet.networkMap.miniflux.vHost}" = {

     

       161
       161
       +
               extraConfig = ''

     

       162
       162
       +
                 bind tailscale/miniflux

     

       163
       163
       +
                 encode zstd gzip

     

       164
       164
       +
                 reverse_proxy ${config.mySnippets.tailnet.networkMap.miniflux.hostName}:${toString config.mySnippets.tailnet.networkMap.miniflux.port}

     

       165
       165
       +
               '';

     

       166
       166
       +
             };

     

       159
       167
        
           };

     

       160
       168
        
       

     

       161
       169
        
           # it's failing to build because it can't download some stuff

     
···

       214
       222
        
               ENABLE_RSS = "on";

     

       215
       223
        
               REDLIB_DEFAULT_SHOW_NSFW = "on";

     

       216
       224
        
               REDLIB_DEFAULT_USE_HLS = "on";

     

       225
       225
       +
               FULL_URL = "https://${config.mySnippets.tailnet.networkMap.redlib.vHost}";

     

       217
       226
        
             };

     

       218
       227
        
           };

     

       219
       228
        
       

     
···

       234
       243
        
               PORT = "7020";

     

       235
       244
        
             };

     

       236
       245
        
             environmentFile = config.age.secrets.gemini.path;

     

       246
       246
       +
           };

     

       247
       247
       +
       

     

       248
       248
       +
           miniflux = {

     

       249
       249
       +
             enable = true;

     

       250
       250
       +
             adminCredentialsFile = config.age.secrets.miniflux.path;

     

       251
       251
       +
             config = {

     

       252
       252
       +
               BATCH_SIZE = 100;

     

       253
       253
       +
               CLEANUP_FREQUENCY_HOURS = 48;

     

       254
       254
       +
               LISTEN_ADDR = "${config.mySnippets.tailnet.networkMap.miniflux.hostName}:${toString config.mySnippets.tailnet.networkMap.miniflux.port}";

     

       255
       255
       +
               BASE_URL = "https://${config.mySnippets.tailnet.networkMap.miniflux.vHost}";

     

       256
       256
       +
               WEBAUTHN = "enabled";

     

       257
       257
       +
             };

     

       237
       258
        
           };

     

       238
       259
        
       

     

       239
       260
        
           ntfy-sh = {

+22

modules/hardware/acer/aspire/A315-53/default.nix

···

       1
       1
       +
       {

     

       2
       2
       +
         config,

     

       3
       3
       +
         lib,

     

       4
       4
       +
         ...

     

       5
       5
       +
       }: {

     

       6
       6
       +
         options.myHardware.acer.aspire."A315-53".enable =

     

       7
       7
       +
           lib.mkEnableOption "Configuration for the Acer Aspire A315-53.";

     

       8
       8
       +
       

     

       9
       9
       +
         config = lib.mkIf config.myHardware.acer.aspire."A315-53".enable {

     

       10
       10
       +
           myHardware = {

     

       11
       11
       +
             intel = {

     

       12
       12
       +
               cpu.enable = true;

     

       13
       13
       +
               gpu.enable = true;

     

       14
       14
       +
             };

     

       15
       15
       +
       

     

       16
       16
       +
             profiles = {

     

       17
       17
       +
               base.enable = true;

     

       18
       18
       +
               laptop.enable = true;

     

       19
       19
       +
             };

     

       20
       20
       +
           };

     

       21
       21
       +
         };

     

       22
       22
       +
       }

+1

modules/hardware/acer/aspire/default.nix

···

       1
       1
        
       {...}: {

     

       2
       2
        
         imports = [

     

       3
       3
        
           ./A515-52G

     

       4
       4
       +
           ./A315-53

     

       4
       5
        
         ];

     

       5
       6
        
       }

+61 -2

modules/nixos/profiles/backups/default.nix

···

       4
       4
        
         pkgs,

     

       5
       5
        
         ...

     

       6
       6
        
       }: let

     

       7
       7
       +
         # idk how to share this across files :(

     

       8
       8
       +
         mkNotify = {

     

       9
       9
       +
           message,

     

       10
       10
       +
           channel,

     

       11
       11
       +
           priority ? 1,

     

       12
       12
       +
         }: ''

     

       13
       13
       +
           LOGIN=$(cat "${config.age.secrets.ntfyAuto.path}")

     

       14
       14
       +
           ${pkgs.curl}/bin/curl -u $LOGIN \

     

       15
       15
       +
           -H "X-Priority: ${toString priority}" \

     

       16
       16
       +
             -d '${message}' \

     

       17
       17
       +
             https://${config.mySnippets.aylac-top.networkMap.ntfy.vHost}/${channel}

     

       18
       18
       +
         '';

     

       19
       19
       +
       

     

       7
       20
        
         backupDestinationA = "rclone:a_gdrive:/backups/${config.networking.hostName}";

     

       8
       21
        
         mkRepoA = service: "${backupDestinationA}/${service}";

     

       9
       22
        
         #backupDestinationB = "rclone:b_gdrive:/backups/${config.networking.hostName}";

     

       10
       23
        
         #mkRepoB = service: "${backupDestinationB}/${service}";

     

       11
       11
       -
         stop = service: "${pkgs.systemd}/bin/systemctl stop ${service}";

     

       12
       12
       -
         start = service: "${pkgs.systemd}/bin/systemctl start ${service}";

     

       24
       24
       +
       

     

       25
       25
       +
         stop = service: ''

     

       26
       26
       +
           #!${pkgs.bash}/bin/bash

     

       27
       27
       +
           ${mkNotify {

     

       28
       28
       +
             message = "Backing up ${service}, stopping service";

     

       29
       29
       +
             channel = "network-status";

     

       30
       30
       +
           }}

     

       31
       31
       +
           ${pkgs.systemd}/bin/systemctl stop ${service}

     

       32
       32
       +
         '';

     

       33
       33
       +
       

     

       34
       34
       +
         start = service: ''

     

       35
       35
       +
           #!${pkgs.bash}/bin/bash

     

       36
       36
       +
           ${mkNotify {

     

       37
       37
       +
             message = "Back up for ${service} was completed (idk if successfully tho), starting service";

     

       38
       38
       +
             channel = "network-status";

     

       39
       39
       +
           }}

     

       40
       40
       +
           ${pkgs.systemd}/bin/systemctl start ${service}

     

       41
       41
       +
         '';

     

       42
       42
       +
       

     

       43
       43
       +
         prepareNoService = service: ''

     

       44
       44
       +
           #!${pkgs.bash}/bin/bash

     

       45
       45
       +
           ${mkNotify {

     

       46
       46
       +
             message = "Backing up ${service}";

     

       47
       47
       +
             channel = "network-status";

     

       48
       48
       +
           }}

     

       49
       49
       +
         '';

     

       50
       50
       +
       

     

       51
       51
       +
         cleanupNoService = service: ''

     

       52
       52
       +
           #!${pkgs.bash}/bin/bash

     

       53
       53
       +
           ${mkNotify {

     

       54
       54
       +
             message = "Back up for ${service} was completed (idk if successfully tho)";

     

       55
       55
       +
             channel = "network-status";

     

       56
       56
       +
           }}

     

       57
       57
       +
         '';

     

       13
       58
        
       in {

     

       14
       59
        
         options.myNixOS.profiles.backups = {

     

       15
       60
        
           enable = lib.mkEnableOption "automatically back up enabled services to gdrive";

     
···

       224
       269
        
             passwords = lib.mkIf (builtins.elem config.networking.hostName config.mySnippets.syncthing.folders."Passwords".devices) (

     

       225
       270
        
               config.mySnippets.restic

     

       226
       271
        
               // {

     

       272
       272
       +
                 backupCleanupCommand = cleanupNoService "passwords";

     

       273
       273
       +
                 backupPrepareCommand = prepareNoService "passwords";

     

       227
       274
        
                 paths = [config.mySnippets.syncthing.folders."Passwords".path];

     

       228
       275
        
                 repository = mkRepoA "passwords";

     

       229
       276
        
               }

     
···

       242
       289
        
             webdav = lib.mkIf config.services.webdav-server-rs.enable (

     

       243
       290
        
               config.mySnippets.restic

     

       244
       291
        
               // {

     

       292
       292
       +
                 backupCleanupCommand = cleanupNoService "webdav";

     

       293
       293
       +
                 backupPrepareCommand = prepareNoService "webdav";

     

       245
       294
        
                 paths = ["/var/lib/webdav"];

     

       246
       295
        
                 repository = mkRepoA "webdav";

     

       296
       296
       +
               }

     

       297
       297
       +
             );

     

       298
       298
       +
       

     

       299
       299
       +
             miniflux = lib.mkIf config.services.miniflux.enable (

     

       300
       300
       +
               config.mySnippets.restic

     

       301
       301
       +
               // {

     

       302
       302
       +
                 backupCleanupCommand = start "miniflux";

     

       303
       303
       +
                 backupPrepareCommand = stop "miniflux";

     

       304
       304
       +
                 paths = ["/var/lib/miniflux"];

     

       305
       305
       +
                 repository = mkRepoA "miniflux";

     

       247
       306
        
               }

     

       248
       307
        
             );

     

       249
       308
        
           };

+1

modules/nixos/services/default.nix

···

       9
       9
        
           ./qbittorrent

     

       10
       10
        
           ./syncthing

     

       11
       11
        
           ./tailscale

     

       12
       12
       +
           ./monitoring

     

       12
       13
        
         ];

     

       13
       14
        
       }

+69 -1

modules/nixos/services/fail2ban/default.nix

···

       1
       1
        
       {

     

       2
       2
        
         config,

     

       3
       3
        
         lib,

     

       4
       4
       +
         pkgs,

     

       4
       5
        
         ...

     

       5
       5
       -
       }: {

     

       6
       6
       +
       }: let

     

       7
       7
       +
         # idk how to share this across files :(

     

       8
       8
       +
         mkNotify = {

     

       9
       9
       +
           message,

     

       10
       10
       +
           channel,

     

       11
       11
       +
           priority ? 1,

     

       12
       12
       +
         }: ''

     

       13
       13
       +
           LOGIN=$(cat "${config.age.secrets.ntfyAuto.path}")

     

       14
       14
       +
           ${pkgs.curl}/bin/curl -u $LOGIN \

     

       15
       15
       +
           -H "X-Priority: ${toString priority}" \

     

       16
       16
       +
             -d '${message}' \

     

       17
       17
       +
             https://${config.mySnippets.aylac-top.networkMap.ntfy.vHost}/${channel}

     

       18
       18
       +
         '';

     

       19
       19
       +
       in {

     

       6
       20
        
         options.myNixOS.services.fail2ban.enable = lib.mkEnableOption "fail2ban";

     

       7
       21
        
       

     

       8
       22
        
         config = lib.mkIf config.myNixOS.services.fail2ban.enable {

     

       9
       23
        
           environment.etc = {

     

       24
       24
       +
             "fail2ban/action.d/ntfy.conf".text = ''

     

       25
       25
       +
               [Definition]

     

       26
       26
       +
               actionbanned = ${mkNotify {

     

       27
       27
       +
                 message = "Banned <ip> from <jail> at ${config.networking.hostName}";

     

       28
       28
       +
                 channel = "network-status";

     

       29
       29
       +
                 priority = 3;

     

       30
       30
       +
               }}

     

       31
       31
       +
             '';

     

       32
       32
       +
       

     

       10
       33
        
             "fail2ban/filter.d/forgejo.conf".text = ''

     

       11
       34
        
               [Definition]

     

       12
       35
        
               failregex =  .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>

     
···

       39
       62
        
             ignoreIP = ["100.64.0.0/10"];

     

       40
       63
        
             bantime = "24h";

     

       41
       64
        
             bantime-increment.enable = true;

     

       65
       65
       +
             jails = {

     

       66
       66
       +
               forgejo.settings = {

     

       67
       67
       +
                 action = "iptables-allports";

     

       68
       68
       +
                 bantime = 900;

     

       69
       69
       +
                 filter = "forgejo";

     

       70
       70
       +
                 findtime = 3600;

     

       71
       71
       +
                 maxretry = 4;

     

       72
       72
       +
               };

     

       73
       73
       +
       

     

       74
       74
       +
               # HTTP basic-auth failures, 5 tries → 1-day ban

     

       75
       75
       +
               nginx-http-auth = {

     

       76
       76
       +
                 settings = {

     

       77
       77
       +
                   enabled = true;

     

       78
       78
       +
                   maxretry = 5;

     

       79
       79
       +
                   findtime = 300;

     

       80
       80
       +
                   bantime = "24h";

     

       81
       81
       +
                 };

     

       82
       82
       +
               };

     

       83
       83
       +
       

     

       84
       84
       +
               # Generic scanner / bot patterns (wp-login.php, sqladmin, etc.)

     

       85
       85
       +
               nginx-botsearch = {

     

       86
       86
       +
                 settings = {

     

       87
       87
       +
                   enabled = true;

     

       88
       88
       +
                   maxretry = 10;

     

       89
       89
       +
                   findtime = 300;

     

       90
       90
       +
                   bantime = "24h";

     

       91
       91
       +
                 };

     

       92
       92
       +
               };

     

       93
       93
       +
       

     

       94
       94
       +
               vaultwarden = ''

     

       95
       95
       +
                 enabled = true

     

       96
       96
       +
                 filter = vaultwarden

     

       97
       97
       +
                 port = 80,443,${toString config.services.vaultwarden.config.ROCKET_PORT}

     

       98
       98
       +
                 maxretry = 5

     

       99
       99
       +
               '';

     

       100
       100
       +
       

     

       101
       101
       +
               vaultwarden-admin = ''

     

       102
       102
       +
                 enabled = true

     

       103
       103
       +
                 port = 80,443,${toString config.services.vaultwarden.config.ROCKET_PORT}

     

       104
       104
       +
                 filter = vaultwarden-admin

     

       105
       105
       +
                 maxretry = 3

     

       106
       106
       +
                 bantime = 14400

     

       107
       107
       +
                 findtime = 14400

     

       108
       108
       +
               '';

     

       109
       109
       +
             };

     

       42
       110
        
           };

     

       43
       111
        
         };

     

       44
       112
        
       }

+43

modules/nixos/services/monitoring/default.nix

···

       1
       1
       +
       {

     

       2
       2
       +
         config,

     

       3
       3
       +
         pkgs,

     

       4
       4
       +
         ...

     

       5
       5
       +
       }: let

     

       6
       6
       +
         # idk how to share this across files :(

     

       7
       7
       +
         mkNotify = {

     

       8
       8
       +
           message,

     

       9
       9
       +
           channel,

     

       10
       10
       +
           priority ? 1,

     

       11
       11
       +
         }: ''

     

       12
       12
       +
           LOGIN=$(cat "${config.age.secrets.ntfyAuto.path}")

     

       13
       13
       +
           ${pkgs.curl}/bin/curl -u $LOGIN \

     

       14
       14
       +
             -H "X-Priority: ${toString priority}" \

     

       15
       15
       +
             -d '${message}' \

     

       16
       16
       +
             https://${config.mySnippets.aylac-top.networkMap.ntfy.vHost}/${channel}

     

       17
       17
       +
         '';

     

       18
       18
       +
       in {

     

       19
       19
       +
         systemd.services.disk-space-check = {

     

       20
       20
       +
           description = "Check for low disk space";

     

       21
       21
       +
           script = ''

     

       22
       22
       +
             #!${pkgs.bash}/bin/bash

     

       23
       23
       +
             THRESHOLD=80

     

       24
       24
       +
             USAGE=$(df --output=pcent / | tail -n 1 | tr -d ' %')

     

       25
       25
       +
             if [ "$USAGE" -gt "$THRESHOLD" ]; then

     

       26
       26
       +
               ${mkNotify {

     

       27
       27
       +
               message = "CRITICAL: Disk space on / is at $USAGE% on ${config.networking.hostName}";

     

       28
       28
       +
               channel = "network-status";

     

       29
       29
       +
               priority = 5;

     

       30
       30
       +
             }}

     

       31
       31
       +
             fi

     

       32
       32
       +
           '';

     

       33
       33
       +
         };

     

       34
       34
       +
       

     

       35
       35
       +
         systemd.timers.disk-space-check = {

     

       36
       36
       +
           description = "Run disk space check every hour";

     

       37
       37
       +
           wantedBy = ["timers.target"];

     

       38
       38
       +
           timerConfig = {

     

       39
       39
       +
             OnCalendar = "hourly";

     

       40
       40
       +
             Persistent = true;

     

       41
       41
       +
           };

     

       42
       42
       +
         };

     

       43
       43
       +
       }

+1 -1

modules/snippets/restic/default.nix

···

       32
       32
        
                 #OnCalendar = "*-*-* 02,14:00:00";

     

       33
       33
        
                 #OnCalendar = "*-*-* 03:14:00";

     

       34
       34
        
                 Persistent = true;

     

       35
       35
       -
                 RandomizedDelaySec = "600";

     

       35
       35
       +
                 RandomizedDelaySec = "10";

     

       36
       36
        
               };

     

       37
       37
        
             };

     

       38
       38
        
           };

+6

modules/snippets/tailnet/default.nix

···

       110
       110
        
                 port = 6605;

     

       111
       111
        
                 vHost = "redlib.${config.mySnippets.tailnet.name}";

     

       112
       112
        
               };

     

       113
       113
       +
       

     

       114
       114
       +
               miniflux = {

     

       115
       115
       +
                 hostName = "nanpi";

     

       116
       116
       +
                 port = 6540;

     

       117
       117
       +
                 vHost = "miniflux.${config.mySnippets.tailnet.name}";

     

       118
       118
       +
               };

     

       113
       119
        
             };

     

       114
       120
        
           };

     

       115
       121
        
         };