configurations of hq services


  1. # Edit this configuration file to define what should be installed on
  2. # your system. Help is available in the configuration.nix(5) man page
  3. # and in the NixOS manual (accessible by running ‘nixos-help’).
  4. { config, pkgs, ... }:
  5. let
  6. ympdPort = 8080;
  7. mpdVhost = "mpd.hq.c3d2.de";
  8. in {
  9. imports = [ # Include the results of the hardware scan.
  10. ./hardware-configuration.nix
  11. ../../lib
  12. ../../lib/admins.nix
  13. ../../lib/hq.nix
  14. ../../lib/yggdrasil.nix
  15. ./mpdConsole.nix
  16. ];
  17. c3d2 = {
  18. users = {
  19. emery = true;
  20. k-ot = true;
  21. };
  22. isInHq = true;
  23. mapHqHosts = true;
  24. hq = {
  25. interface = "eno1";
  26. enableMpdProxy = true;
  27. };
  28. enableHail = true;
  29. };
  30. # Use the systemd-boot EFI boot loader.
  31. boot.loader.systemd-boot.enable = true;
  32. boot.loader.efi.canTouchEfiVariables = true;
  33. boot.kernelPackages = pkgs.linuxPackages_4_19;
  34. networking.hostName = "pulsebert"; # Define your hostname.
  35. # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
  36. # Configure network proxy if necessary
  37. # networking.proxy.default = "http://user:password@proxy:port/";
  38. # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
  39. # Select internationalisation properties.
  40. i18n = {
  41. consoleFont = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
  42. consoleKeyMap = "us";
  43. defaultLocale = "en_US.UTF-8";
  44. };
  45. # List packages installed in system profile. To search, run:
  46. # $ nix search wget
  47. environment.systemPackages = with pkgs; [
  48. # specific printer drivers for our printers
  49. epson-escpr
  50. splix
  51. # utilities
  52. nix-index
  53. usbutils
  54. tmux
  55. vim
  56. git
  57. openssl
  58. # NCurses Music Player Client (Plus Plus)
  59. # a commandline front-end client for mpd
  60. # 2019-01-21 mag vater gern gleich einen schoenen lokalen Verwaltung fuer MPD haben.
  61. # ncmpcpp
  62. home-manager
  63. mumble
  64. ncpamixer
  65. ffmpeg
  66. ];
  67. # Some programs need SUID wrappers, can be configured further or are
  68. # started in user sessions.
  69. # programs.mtr.enable = true;
  70. # programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
  71. # List services that you want to enable:
  72. # Enable the OpenSSH daemon.
  73. services.openssh.enable = true;
  74. # X11 Forwarding for mumble...
  75. programs.ssh.forwardX11 = true;
  76. services.openssh.forwardX11 = true;
  77. # Open ports in the firewall.
  78. networking.firewall.allowedTCPPorts = [
  79. 4713 # PulseAudio
  80. 631 # cups
  81. 80
  82. 443 # Web/ympd
  83. 5000 # shairport
  84. config.services.mpd.network.port
  85. ];
  86. networking.firewall.allowedUDPPorts = [ 631 ];
  87. networking.firewall.extraCommands = ''
  88. iptables -I INPUT -p udp --dport mdns -d 224.0.0.251 -j ACCEPT # zeroconf
  89. iptables -I OUTPUT -p udp --dport mdns -d 224.0.0.251 -j ACCEPT # zeroconf
  90. ''; # networking.firewall.allowedUDPPorts = [ ... ];
  91. # Or disable the firewall altogether.
  92. # networking.firewall.enable = false;
  93. # Enable CUPS to print documents.
  94. services.printing = {
  95. enable = true;
  96. browsing = true;
  97. listenAddresses = [ "*:631" ];
  98. defaultShared = true;
  99. # logLevel = "debug";
  100. drivers = [ pkgs.gutenprint pkgs.hplip pkgs.splix ];
  101. extraConf =
  102. ''
  103. DefaultAuthType Basic
  104. <Location />
  105. Order allow,deny
  106. Allow ALL
  107. </Location>
  108. <Location /admin>
  109. Order allow,deny
  110. Allow ALL
  111. </Location>
  112. <Location /admin/conf>
  113. AuthType Basic
  114. Require user @SYSTEM
  115. Order allow,deny
  116. Allow ALL
  117. </Location>
  118. <Policy default>
  119. <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
  120. Require user @OWNER @SYSTEM
  121. Order deny,allow
  122. </Limit>
  123. <Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
  124. AuthType Basic
  125. Require user @SYSTEM
  126. Order deny,allow
  127. </Limit>
  128. <Limit Cancel-Job CUPS-Authenticate-Job>
  129. Require user @OWNER @SYSTEM
  130. Order deny,allow
  131. </Limit>
  132. <Limit All>
  133. Order deny,allow
  134. </Limit>
  135. </Policy>
  136. '';
  137. };
  138. # Enable sound.
  139. sound.enable = true;
  140. hardware.pulseaudio.enable = true;
  141. # PulseAudio as-a-Service
  142. hardware.pulseaudio.systemWide = true;
  143. hardware.pulseaudio.tcp.anonymousClients.allowedIpRanges = [
  144. "127.0.0.0/8" "::1/128"
  145. "172.22.99.0/24" "2a02:8106:208:5201:58::/64"
  146. ];
  147. hardware.pulseaudio.tcp.enable = true;
  148. hardware.pulseaudio.zeroconf.publish.enable = true;
  149. # tell Avahi to publish CUPS and PulseAudio
  150. services.avahi = {
  151. enable = true;
  152. publish.enable = true;
  153. publish.userServices = true;
  154. };
  155. # Enable Audio streaming for Mac clients
  156. services.shairport-sync.enable = true;
  157. # Enable the X11 windowing system.
  158. # services.xserver.enable = true;
  159. # services.xserver.layout = "us";
  160. # services.xserver.xkbOptions = "eurosign:e";
  161. # Enable touchpad support.
  162. # services.xserver.libinput.enable = true;
  163. # Enable the KDE Desktop Environment.
  164. # services.xserver.displayManager.sddm.enable = true;
  165. # services.xserver.desktopManager.plasma5.enable = true;
  166. security.pam.enableSSHAgentAuth = true;
  167. security.sudo = {
  168. enable = true;
  169. wheelNeedsPassword = false;
  170. };
  171. users.users.k-ot.extraGroups = [ "wheel" ];
  172. # This value determines the NixOS release with which your system is to be
  173. # compatible, in order to avoid breaking some software such as database
  174. # servers. You should change this only after NixOS release notes say you
  175. # should.
  176. system.stateVersion = "18.09"; # Did you read the comment?
  177. # vater hoerte, dass menschen im space gern mpd fuer das abspielen von musik erwarten wuerden
  178. #### https://nixos.org/nixos/options.html#services.mpd.enable
  179. # See ../../mpd.nix
  180. services.mpd = {
  181. enable = true;
  182. dbFile = null;
  183. musicDirectory = "/mnt/storage/Music";
  184. playlistDirectory = "/home/k-ot/Playlists";
  185. network.listenAddress = "any";
  186. extraConfig = ''
  187. audio_output {
  188. type "pulse"
  189. name "/proc"
  190. }
  191. '';
  192. };
  193. services.caddy = {
  194. enable = true;
  195. agree = true;
  196. # TODO: add auth?
  197. config = ''
  198. ${mpdVhost} {
  199. proxy / localhost:${toString ympdPort}
  200. }
  201. :80 {
  202. redir https://${mpdVhost}{uri}
  203. }
  204. '';
  205. };
  206. fileSystems."/mnt/storage" = {
  207. #device = "storage-ng.hq.c3d2.de:/mnt/zroot/storage/rpool";
  208. #device = "storage-ng.hq.c3d2.de:/c3d2/rpool";
  209. device =
  210. "172.22.99.13:6789,172.22.99.15:6789,172.22.99.16:6789:/c3d2/rpool";
  211. fsType = "ceph";
  212. options = [
  213. "rw"
  214. "relatime"
  215. "name=public"
  216. "secret=AQDgER1chJcMORAAK1ysRTN59B5x/MyniwVXFQ=="
  217. "acl"
  218. "wsize=16777216"
  219. "_netdev"
  220. ];
  221. };
  222. # MPD music playing daemon with webinterface
  223. services.ympd = {
  224. enable = true;
  225. webPort = toString ympdPort;
  226. };
  227. nixpkgs.config.packageOverrides = pkgs: with pkgs; {
  228. ympd = ympd.overrideAttrs (oldAttrs: {
  229. src = fetchFromGitHub {
  230. owner = "c3d2";
  231. repo = "ympd";
  232. rev = "feature/somafm_browser";
  233. sha256 = "17x3jfys6gxghz5yp0gvd39ylvzfm59qxg75hwc5a52rj1n2jpb1";
  234. };
  235. });
  236. };
  237. programs.bash.shellAliases = {
  238. mpv = "mpv --no-vid";
  239. };
  240. users.users.emery.cryptHomeLuks = "/home/emery.luks.img";
  241. }