s0me1newithhand7s/reNixos
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

viola: upstream

Browse source 
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
This commit is contained in:
s0me1newithhand7s 2026-03-25 18:48:47 +03:00
parent bcb7f2dcb0
commit 793b14918a
34 changed files with 1320 additions and 326 deletions
Download patch file Download diff file Expand all files Collapse all files

9
viola/boot/kernel.nix
View file

@ -9,9 +9,14 @@
"vm.dirty_writeback_centisecs" = 100;
"vm.vfs_cache_pressure" = 50;
"vm.max_map_count" = 1048576;
"net.ipv6.conf.all.disable_ipv6" = 1;
"net.ipv6.conf.default.disable_ipv6" = 1;
"net.ipv6.conf.lo.disable_ipv6" = 1;
};
};
# kernelPackages = self.inputs.nix-cachyos-kernel.legacyPackages.x86_64-linux.linuxPackages-cachyos-server-lto;
extraModulePackages = with config.boot.kernelPackages; [
rtl8821ce
yt6801
@ -34,6 +39,8 @@
"kernel.watchdog=0"
"oops=panic"
"ipv6.disable=1"
];
blacklistedKernelModules = [
@ -71,6 +78,6 @@
btrfs = true;
};
consoleLogLevel = 0;
consoleLogLevel = 7;
};
}

14
viola/default.nix
View file

@ -23,7 +23,6 @@
"${self}/viola/i18n/locales.nix"
"${self}/viola/networking/dhcp.nix"
"${self}/viola/networking/firewall.nix"
"${self}/viola/networking/hostname.nix"
"${self}/viola/networking/networkmanager.nix"
@ -64,16 +63,26 @@
"${self}/viola/services/forgejo.nix"
"${self}/viola/services/postgresql.nix"
"${self}/viola/services/vaultwarden.nix"
"${self}/viola/services/privatebin.nix"
"${self}/viola/services/woodpecker.nix"
"${self}/viola/services/stalwart.nix"
"${self}/viola/services/homepage.nix"
"${self}/viola/services/redis.nix"
"${self}/viola/services/zitadel.nix"
"${self}/viola/services/garage.nix"
"${self}/viola/services/traefik.nix"
"${self}/viola/services/resolved.nix"
"${self}/viola/services/alloy.nix"
"${self}/viola/services/grafana.nix"
"${self}/viola/services/loki.nix"
"${self}/viola/services/tempo.nix"
"${self}/viola/services/mimir.nix"
"${self}/viola/services/sws.nix"
"${self}/viola/services/alertmanager.nix"
"${self}/viola/sops/age.nix"
"${self}/viola/sops/defaults.nix"
"${self}/viola/sops/secrets.nix"
"${self}/viola/sops/templates.nix"
"${self}/hand7s/stylix/base16Scheme.nix"
"${self}/hand7s/stylix/cursor.nix"
@ -85,6 +94,7 @@
"${self}/viola/system/stateVersion.nix"
"${self}/viola/systemd/oomd.nix"
"${self}/viola/systemd/tmpfiles/rules.nix"
"${self}/viola/systemd/slices/system-slice.nix"
"${self}/viola/systemd/slices/user-slice.nix"
"${self}/viola/systemd/slices/root-slice.nix"

2
viola/disko/disk.nix
View file

@ -2,7 +2,7 @@
disko = {
devices = {
disk = {
main = {
"main" = {
device = "/dev/disk/by-id/ata-EAGET_SSD_256GB_EAGET20250505V00003";
type = "disk";
content = {

1
viola/environment/variables.nix
View file

@ -1,7 +1,6 @@
{config, ...}: {
environment = {
variables = {
AMD_VULKAN_ICD = "RADV";
HOSTNAME = config.networking.hostName;
QT_QPA_PLATFORM = "wayland";
SDL_VIDEODRIVER = "wayland";

2
viola/home-manager/users.nix
View file

@ -4,12 +4,10 @@
"hand7s" = {
imports = [
"${self}/hand7s/"
self.inputs.agenix.homeManagerModules.default
self.inputs.spicetify-nix.homeManagerModules.default
self.inputs.hyprland.homeManagerModules.default
self.inputs.chaotic.homeManagerModules.default
self.inputs.sops-nix.homeManagerModules.sops
self.inputs.nix-index-database.homeModules.nix-index
];
};

10
viola/networking/dhcp.nix
View file

@ -1,10 +0,0 @@
{lib, ...}: {
networking = {
useDHCP = lib.mkDefault true;
dhcpcd = {
enable = true;
persistent = false;
wait = "any";
};
};
}

56
viola/networking/firewall.nix
View file

@ -1,56 +0,0 @@
_: {
networking = {
firewall = {
allowPing = true;
enable = true;
checkReversePath = false;
allowedUDPPorts = [
80
8080
8443
8980
53350
53351
53353
# mc
25565
# mail
24
25
110
143
465
587
993
995
4190
];
allowedTCPPorts = [
80
8080
8443
8980
53350
53351
53353
# mc
25565
# mail
24
25
110
143
465
587
993
995
4190
];
};
};
}

7
viola/networking/hosts.nix
View file

@ -1,7 +0,0 @@
_: {
networking = {
hosts = {
# nope
};
};
}

31
viola/networking/interfaces.nix
View file

@ -1,31 +0,0 @@
_: {
networking = {
firewall = {
interfaces = {
wt0 = {
allowedUDPPorts = [
25
6969
8080
8443
8980
53350
53351
53352
];
allowedTCPPorts = [
25
6969
8080
8443
8980
53350
53351
53352
];
};
};
};
};
}

27
viola/services/alertmanager.nix Normal file
View file

@ -0,0 +1,27 @@
_: {
services = {
prometheus = {
alertmanager = {
enable = true;
configuration = {
route = {
receiver = "null";
group_by = [
"alertname"
"job"
];
group_wait = "30s";
group_interval = "5m";
repeat_interval = "12h";
};
receivers = [
{
name = "null";
}
];
};
};
};
};
}

93
viola/services/alloy.nix Normal file
View file

@ -0,0 +1,93 @@
{pkgs, ...}: {
services = {
alloy = {
enable = true;
configPath = pkgs.writeText "alloy-config.alloy" ''
loki.source.journal "system" {
forward_to = [loki.process.production.receiver]
relabel_rules = loki.relabel.journal.rules
labels = {
host = "viola",
job = "systemd",
}
}
loki.relabel "journal" {
forward_to = []
rule {
source_labels = ["__journal__systemd_unit"]
target_label = "unit"
}
}
loki.write "local" {
endpoint {
url = "http://127.0.0.1:3100/loki/api/v1/push"
}
}
loki.process "production" {
forward_to = [loki.write.local.receiver]
stage.match {
selector = `{service_name=~"(alloy|forgejo|grafana|loki|microbin|mimir|stalwart|postgresql|redis|stalwart|static-web-server|tempo|traefik|vaultwarden|woodpecker|zitadel)\\.service"}`
action = "keep"
}
}
prometheus.exporter.unix "node" {
enable_collectors = [
"cpu", "diskstats", "filesystem",
"loadavg", "meminfo", "netdev",
"systemd", "time", "uname",
]
}
prometheus.scrape "node" {
targets = prometheus.exporter.unix.node.targets
forward_to = [prometheus.remote_write.mimir.receiver]
scrape_interval = "30s"
job_name = "node"
}
prometheus.scrape "alloy" {
targets = [{"__address__" = "127.0.0.1:12345"}]
forward_to = [prometheus.remote_write.mimir.receiver]
job_name = "alloy"
}
prometheus.remote_write "mimir" {
endpoint {
url = "http://127.0.0.1:9009/api/v1/push"
}
}
otelcol.receiver.otlp "default" {
grpc {
endpoint = "0.0.0.0:4317"
}
http {
endpoint = "0.0.0.0:4318"
}
output {
traces = [otelcol.exporter.otlp.tempo.input]
logs = [otelcol.exporter.loki.local.input]
}
}
otelcol.exporter.otlp "tempo" {
client {
endpoint = "http://127.0.0.1:4317"
}
}
otelcol.exporter.loki "local" {
forward_to = [loki.write.local.receiver]
}
'';
};
};
}

19
viola/services/firewalld.nix Normal file
View file

@ -0,0 +1,19 @@
_: {
services = {
firewalld = {
enable = false;
zones = {
"eno1" = {
interfaces = [
"ens1"
];
services = [
"sunshine"
];
};
};
};
};
}

18
viola/services/forgejo.nix
View file

@ -5,7 +5,7 @@ _: {
database = {
type = "postgres";
port = "${dbport}";
host = "localhost";
};
settings = {
@ -19,9 +19,9 @@ _: {
repository = {
DEFAULT_PRIVATE = "last";
PREFERRED_LICENSES = "MIT";
DISABLE_HTTP_GIT = true;
DISABLE_HTTP_GIT = false;
USE_COMPAT_SSH_URI = true;
GO_GET_CLONE_URL_PROTOCOL = "ssh";
GO_GET_CLONE_URL_PROTOCOL = "http";
DEFAULT_BRANCH = "master";
};
@ -47,6 +47,11 @@ _: {
MERGES = "always";
};
opentelemetry = {
EXPORTER = "otlp";
ENDPOINT = "http://127.0.0.1:4318";
};
badges = {
ENABLED = false;
};
@ -90,6 +95,13 @@ _: {
service = {
DISABLE_REGISTRATION = true;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
};
oauth2_client = {
ENABLE_AUTO_REGISTER = true;
ACCOUNT_LINKING = "auto";
USERNAME = "preferred_username";
};
"service.explore" = {

23
viola/services/garage.nix
View file

@ -5,7 +5,28 @@
package = pkgs.garage;
logLevel = "error";
settings = {
# nope
replication_factor = 1;
consistency_mode = "consistent";
use_local_tz = true;
rpc_bind_addr = "[::]:3901";
rpc_public_addr = "127.0.0.1:3901";
"s3_api" = {
s3_region = "garage";
api_bind_addr = "[::]:3900";
root_domain = ".s3.garage.localhost";
};
"s3_web" = {
bind_addr = "[::]:3902";
root_domain = ".web.garage.localhost";
index = "index.html";
};
"k2v_api" = {
api_bind_addr = "[::]:3904";
};
};
};
};

137
viola/services/grafana.nix Normal file
View file

@ -0,0 +1,137 @@
{
config,
lib,
pkgs,
...
}: {
services = {
grafana = {
enable = true;
declarativePlugins = with pkgs.grafanaPlugins; [
grafana-lokiexplore-app
grafana-exploretraces-app
grafana-metricsdrilldown-app
grafana-pyroscope-app
redis-datasource
redis-explorer-app
volkovlabs-rss-datasource
];
settings = {
log = {
level = "info";
mode = "console";
};
security = {
secret_key = config.sops.secrets."grafanaKey".path;
};
server = {
http_addr = "0.0.0.0";
http_port = 3030;
domain = "grafana.hand7s.org";
root_url = "https://grafana.hand7s.org";
};
"auth.generic_oauth" = {
enabled = true;
name = "Zitadel";
icon = "signin";
scopes = "openid profile email offline_access urn:zitadel:iam:org:project:id:zitadel:aud";
client_id = "";
client_secret = "";
auth_url = "https://zitadel.hand7s.org/oauth/v2/authorize";
token_url = "http://zitadel.hand7s.org:8443/oauth/v2/token";
api_url = "http://zitadel.hand7s.org:8443/oidc/v1/userinfo";
tls_skip_verify_insecure = true;
allow_assign_grafana_admin = true;
role_attribute_strict = true;
skip_org_role_sync = false;
use_pkce = true;
role_attribute_path = ''"urn:zitadel:iam:org:project:roles"."grafana-admin" && 'GrafanaAdmin' || 'Viewer' '';
};
"auth" = {
disable_login_form = true;
signout_redirect_url = "https://zitadel.hand7s.org/oidc/v1/end_session";
};
};
provision = {
enable = true;
datasources = {
settings = {
datasources =
[
{
name = "Loki-LGTM";
type = "loki";
url = "http://127.0.0.1:3100";
isDefault = false;
jsonData = {
derivedFields = [
{
name = "traceID";
matcherRegex = "traceID=(\\w+)";
url = "http://127.0.0.1:3200";
datasourceUid = "tempo";
}
];
};
}
{
name = "Mimir-LGTM";
type = "prometheus";
url = "http://127.0.0.1:9009/prometheus";
isDefault = true;
}
{
name = "Tempo-LGTM";
type = "tempo";
uid = "tempo";
url = "http://127.0.0.1:3200";
jsonData = {
lokiSearch = {
datasourceUid = "loki";
};
serviceMap = {
datasourceUid = "mimir";
};
nodeGraph = {
enabled = true;
};
};
}
]
++ lib.forEach [
"forgejo"
"loki"
"mimir"
"stalwart"
"traefik"
"zitadel"
] (
name: {
name = "Redis-${name}";
type = "redis-datasource";
url = "unix:/run/redis-${name}/redis.sock";
secureJsonData = {
password = name;
};
}
);
};
};
};
};
};
}

118
viola/services/homepage.nix
View file

@ -2,6 +2,7 @@ _: {
services = {
homepage-dashboard = {
enable = true;
allowedHosts = "localhost:8080,127.0.0.1:8080,192.168.1.144:8080,100.109.71.194:8080,home.hand7s.org";
listenPort = 8080;
settings = {
@ -11,50 +12,83 @@ _: {
background = "https://w.wallhaven.cc/full/1q/wallhaven-1q87xv.png";
color = "violet";
headerStyle = "boxed";
layout = [
{
Dev = {
iconsOnly = true;
};
}
];
};
bookmarks = [
{
Dev = [
{
GitHub = [
{
abbr = "GH";
href = "https://github.com/";
}
];
}
{
Forgejo = [
{
abbr = "Forge";
href = "https://git.hand7s.org/";
}
];
}
{
PivateBin = [
{
abbr = "PB";
href = "https://bin.hand7s.org/";
}
];
}
];
}
];
services = [
{
"Local-only" = [
{
"Vaultwarden" = {
icon = "vaultwarden";
href = "https://pass.hand7s.org";
description = "vaultwarden";
};
}
{
"Syncthing" = {
icon = "syncthing";
href = "https://sync.hand7s.org";
description = "syncing";
};
}
{
"OpenWRT" = {
icon = "openwrt";
href = "https://luci.hand7s.org";
description = "router";
};
}
];
}
{
"Local-host" = [
{
"Grafana" = {
icon = "grafana";
href = "https://grafana.hand7s.org";
description = "observability";
};
}
{
"Forgejo" = {
icon = "gitea";
href = "https://git.hand7s.org";
description = "git";
};
}
{
"Woodpecker" = {
icon = "woodpecker-ci";
href = "https://woodpecker.hand7s.org/";
description = "cicd";
};
}
{
"Stalwart" = {
icon = "stalwart";
href = "https://mail.hand7s.org";
description = "mail";
};
}
{
"Zitadel" = {
icon = "zitadel";
href = "https://zitadel.hand7s.org";
description = "idp";
};
}
];
}
];
widgets = [
@ -73,6 +107,14 @@ _: {
};
}
{
search = {
provider = "perplexity";
target = "_blank";
focus = false;
};
}
{
resources = {
cpu = true;

127
viola/services/loki.nix Normal file
View file

@ -0,0 +1,127 @@
{
pkgs,
lib,
...
}: {
services = {
loki = {
enable = true;
configuration = {
auth_enabled = false;
server = {
http_listen_port = 3100;
grpc_listen_port = 9097;
};
common = {
replication_factor = 1;
path_prefix = "/var/lib/loki";
ring = {
instance_addr = "127.0.0.1";
kvstore = {
store = "inmemory";
};
};
};
schema_config = {
configs = [
{
from = "2025-01-01";
store = "tsdb";
object_store = "filesystem";
schema = "v13";
index = {
prefix = "index_";
period = "24h";
};
}
];
};
storage_config = {
filesystem = {
directory = "/var/lib/loki/chunks";
};
};
chunk_store_config = {
chunk_cache_config = {
redis = {
endpoint = "127.0.0.1:6385";
password = "loki";
db = 0;
timeout = "500ms";
expiration = "24h";
};
};
};
compactor = {
working_directory = "/var/lib/loki/compactor";
retention_enabled = true;
delete_request_store = "filesystem";
};
limits_config = {
reject_old_samples = true;
reject_old_samples_max_age = "168h";
retention_period = "720h";
};
query_range = {
cache_results = true;
results_cache = {
cache = {
redis = {
endpoint = "127.0.0.1:6385";
password = "loki";
db = 0;
timeout = "500ms";
expiration = "1h";
};
};
};
};
ruler = {
enable_api = true;
alertmanager_url = "http://127.0.0.1:9093";
storage = {
type = "local";
local = {
directory = "${pkgs.writeTextDir "fake/homelab.yaml" (lib.generators.toYAML {} {
groups = [
{
name = "homelab";
interval = "1m";
rules = [
{
alert = "HostDown";
expr = ''absent_over_time({host="viola"}[10m])'';
for = "10m";
labels = {severity = "critical";};
annotations = {
summary = "Host viola not sending logs";
};
}
{
alert = "OOMKiller";
expr = ''count_over_time({host="viola"} |= "Out of memory: Killed process" [5m]) > 0'';
labels = {severity = "warning";};
annotations = {
summary = "OOM killer fired on viola";
};
}
];
}
];
})}";
};
};
};
};
};
};
}

18
viola/services/microbin.nix Normal file
View file

@ -0,0 +1,18 @@
{config, ...}: {
services = {
microbin = {
enable = true;
passwordFile = toString config.sops.secrets.microbinPass;
settings = {
MICROBIN_PORT = 8080;
MICROBIN_BIND = "[::]";
MICROBIN_PUBLIC_PATH = "bin.hand7s.org";
MICROBIN_READONLY = true;
MICROBIN_ENABLE_BURN_AFTER = true;
MICROBIN_DEFAULT_BURN_AFTER = 100;
MICROBIN_DEFAULT_EXPIRY = "1week";
MICROBIN_QR = true;
};
};
};
}

124
viola/services/mimir.nix Normal file
View file

@ -0,0 +1,124 @@
{
lib,
pkgs,
...
}: {
services = {
mimir = {
enable = true;
configuration = {
multitenancy_enabled = false;
target = "all";
server = {
http_listen_port = 9009;
};
common = {
storage = {
backend = "filesystem";
filesystem = {
dir = "/var/lib/mimir";
};
};
};
blocks_storage = {
backend = "filesystem";
filesystem = {
dir = "/var/lib/mimir/blocks";
};
tsdb = {
dir = "/var/lib/mimir/tsdb";
};
};
compactor = {
data_dir = "/var/lib/mimir/compactor";
};
ingester = {
ring = {
instance_addr = "127.0.0.1";
replication_factor = 1;
kvstore = {
store = "memberlist";
};
};
};
store_gateway = {
sharding_ring = {
replication_factor = 1;
};
};
ruler = {
alertmanager_url = "http://127.0.0.1:9093";
};
ruler_storage = {
backend = "local";
local = {
directory = "${pkgs.writeTextDir "anonymous/homelab.yml" (lib.generators.toYAML {} {
groups = [
{
name = "homelab";
interval = "1m";
rules = [
{
alert = "HighDiskUsage";
expr = ''
(1 - node_btrfs_device_unused_bytes / node_btrfs_device_size_bytes) * 100 > 85
'';
for = "5m";
labels = {severity = "warning";};
annotations = {
summary = "High disk usage on {{ $labels.instance }}";
};
}
{
alert = "HighMemoryUsage";
expr = ''
(1 - node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes) * 100 > 90
'';
for = "5m";
labels = {severity = "warning";};
annotations = {
summary = "High memory usage on {{ $labels.instance }}";
};
}
{
alert = "HighCpuUsage";
expr = ''
100 - (avg by (instance) (rate(node_cpu_seconds_total{mode="idle"}[5m])) * 100) > 80
'';
for = "5m";
labels = {severity = "warning";};
annotations = {
summary = "High CPU usage on {{ $labels.instance }}";
};
}
{
alert = "ServiceDown";
expr = ''
node_systemd_unit_state{state="active"} == 0
'';
for = "2m";
labels = {severity = "critical";};
annotations = {
summary = "Service {{ $labels.name }} is down on {{ $labels.instance }}";
};
}
];
}
];
})}";
};
};
};
};
};
}

2
viola/services/openssh.nix
View file

@ -5,7 +5,7 @@
allowSFTP = true;
openFirewall = true;
ports = [
47345
6969
];
settings = {

6
viola/services/postgresql.nix
View file

@ -44,12 +44,8 @@ _: {
"zitadel"
];
initialScript = ""; # nope
authentication = ""; #nope
settings = {
port = "${dbport}";
port = "????";
};
};
};

43
viola/services/privatebin.nix
View file

@ -1,43 +0,0 @@
_: {
services = {
privatebin = {
enable = true;
enableNginx = true;
virtualHost = "bin.hand7s.org";
settings = {
main = {
name = "hand7s bin";
discussion = false;
qrcode = false;
compression = "none";
defaultformatter = "plaintext";
fileupload = false;
languageselection = false;
password = true;
sizelimit = 10 * 1000 * 1000;
template = "bootstrap5";
};
expire = {
default = "1week";
clone = false;
};
formatter_options = {
markdown = "Markdown";
plaintext = "Plain Text";
syntaxhighlighting = "Source Code";
};
traffic = {
limit = 5;
};
purge = {
limit = 0;
batchsize = 10;
};
};
};
};
}

156
viola/services/redis.nix
View file

@ -5,47 +5,11 @@
servers = {
"forgejo" = {
enable = true;
port = "${cacheport1}";
port = 6381;
logLevel = "warning";
databases = 16;
maxclients = 10000;
requirePass = "${cachepass1}";
settings = {
stop-writes-on-bgsave-error = "yes";
rdbcompression = "yes";
rdbchecksum = "yes";
maxmemory = "1GB";
maxmemory-policy = "volatile-lru";
maxmemory-samples = 3;
};
save = [
[
900
1
]
[
300
10
]
[
60
1000
]
];
};
"woodpecker" = {
enable = false;
port = "${cacheport2}";
logLevel = "warning";
databases = 16;
maxclients = 10000;
requirePass = "${cachepass2}";
requirePass = "forgejo";
settings = {
stop-writes-on-bgsave-error = "yes";
@ -77,11 +41,11 @@
"stalwart" = {
enable = true;
port = "${cacheport3}";
port = 6382;
logLevel = "warning";
databases = 16;
maxclients = 10000;
requirePass = "${cachepass3}";
requirePass = lib.hashString "md5" "stalwart";
settings = {
stop-writes-on-bgsave-error = "yes";
@ -113,11 +77,11 @@
"zitadel" = {
enable = true;
port = "${cacheport4}";
port = 6383;
logLevel = "warning";
databases = 16;
maxclients = 10000;
requirePass = "${cachepass4}";
requirePass = lib.hashString "md5" "zitadel";
settings = {
stop-writes-on-bgsave-error = "yes";
@ -146,6 +110,114 @@
]
];
};
"traefik" = {
enable = true;
port = 6384;
logLevel = "warning";
databases = 16;
maxclients = 10000;
requirePass = lib.hashString "md5" "traefik";
settings = {
stop-writes-on-bgsave-error = "yes";
rdbcompression = "yes";
rdbchecksum = "yes";
maxmemory = "1GB";
maxmemory-policy = "volatile-lru";
maxmemory-samples = 3;
};
save = [
[
900
1
]
[
300
10
]
[
60
1000
]
];
};
"loki" = {
enable = true;
port = 6385;
logLevel = "warning";
databases = 16;
maxclients = 10000;
requirePass = lib.hashString "md5" "loki";
settings = {
stop-writes-on-bgsave-error = "yes";
rdbcompression = "yes";
rdbchecksum = "yes";
maxmemory = "1GB";
maxmemory-policy = "allkeys-lru";
maxmemory-samples = 3;
};
save = [
[
900
1
]
[
300
10
]
[
60
1000
]
];
};
"mimir" = {
enable = true;
port = 6386;
logLevel = "warning";
databases = 16;
maxclients = 10000;
requirePass = lib.hashString "md5" "mimir";
settings = {
stop-writes-on-bgsave-error = "yes";
rdbcompression = "yes";
rdbchecksum = "yes";
maxmemory = "1GB";
maxmemory-policy = "allkeys-lru";
maxmemory-samples = 3;
};
save = [
[
900
1
]
[
300
10
]
[
60
1000
]
];
};
};
};
};

39
viola/services/resolved.nix Normal file
View file

@ -0,0 +1,39 @@
_: {
services = {
resolved = {
enable = true;
dnsovertls = "true";
dnssec = "true";
llmnr = "true";
domains = [
"~."
];
fallbackDns = [
# cf dns
"1.1.1.1"
"1.0.0.1"
"2606:4700:4700::1111"
"2606:4700:4700::1001"
# google dns
"8.8.8.8"
"8.8.4.4"
"2001:4860:4860::8888"
"2001:4860:4860::8844"
# q9 dns
"9.9.9.9"
"149.112.112.112"
"2620:fe::fe"
"2620:fe::9"
# open dns
"208.67.222.222"
"208.67.220.220"
"2620:119:35::35"
"2620:119:53::53"
];
};
};
}

161
viola/services/stalwart.nix
View file

@ -1,87 +1,118 @@
_: {
{config, ...}: {
services = {
stalwart-mail = {
stalwart = {
enable = true;
settings = {
acme = {
"cloudflare" = {
default = true;
challenge = "dns-01";
provider = "cloudflare";
origin = "hand7s.org";
secret = "${mail_secret}";
contact = [
"me@hand7s.org"
];
email = "me@hand7s.org";
directory = "https://acme-staging-v02.api.letsencrypt.org/directory";
domains = [
"mail.hand7s.org"
];
};
};
server = {
hostname = "mail.hand7s.org";
allowed-ip = [
"127.0.0.1"
"100.109.201.146"
"192.168.1.0/24"
];
auto-ban = {
enable = false;
unban-after = "1h";
};
proxy = {
trusted-networks = [
"127.0.0.0/8"
"::1"
"100.109.213.170/16"
"100.109.201.146"
];
};
hostname = "mail.hand7s.org";
proxy-networks = [
"127.0.0.1/32"
"100.109.201.146"
];
listener = {
"lmtp" = {
bind = "[::]:24";
bind = "0.0.0.0:24";
protocol = "lmtp";
};
"smtp" = {
bind = "[::]:25";
bind = "0.0.0.0:25";
protocol = "smtp";
proxy-protocol = true;
};
"pop3" = {
bind = "[::]:110";
bind = "0.0.0.0:110";
protocol = "pop3";
proxy-protocol = true;
};
"imap" = {
bind = "[::]:143";
bind = "0.0.0.0:143";
protocol = "imap";
proxy-protocol = true;
tls = {
enable = true;
implicit = false;
certificate = "default";
};
};
"submissions" = {
bind = "[::]:465";
bind = "0.0.0.0:465";
protocol = "smtp";
proxy-protocol = true;
tls = {
certificate = "default";
implicit = true;
enable = true;
};
};
"submission" = {
bind = "[::]:587";
bind = "0.0.0.0:587";
protocol = "smtp";
proxy-protocol = true;
tls = {
enable = true;
implicit = false;
certificate = "default";
};
};
"imaptls" = {
bind = "[::]:993";
protocol = "smtp";
bind = "0.0.0.0:993";
protocol = "imap";
proxy-protocol = true;
tls = {
certificate = "default";
implicit = true;
enable = true;
};
};
"pop3s" = {
bind = "[::]:995";
bind = "0.0.0.0:995";
protocol = "pop3";
proxy-protocol = true;
tls = {
certificate = "default";
implicit = true;
enable = true;
};
};
"sieve" = {
bind = "[::]:4190";
bind = "0.0.0.0:4190";
proxy-protocol = true;
protocol = "managesieve";
};
"management" = {
protocol = "http";
bind = [
"127.0.0.1:8980"
"0.0.0.0:8980"
];
};
};
@ -102,18 +133,54 @@ _: {
};
store = {
# nope
# i'm not redacting my main config
# here to show it here
# refer to stalwart mail
# ty
"postgresql" = {
type = "postgresql";
host = "localhost";
timeout = "15s";
tls = {
enable = false;
allow-invalid-certs = false;
};
pool = {
max-connections = 10;
};
};
"redis" = {
type = "redis";
redis-type = "single";
urls = ''redis+unix:///run/redis-stalwart/redis.sock?password=${config.services."stalwart".settings.requirePass}'';
timeout = "180s";
};
};
oauth = {
"zitadel" = {
type = "oidc";
issuer = "http://zitadel.hand7s.org:8443/.well-known/openid-configuration";
tls-allow-invalid-certs = true;
};
};
directory = {
"zitadel" = {
type = "oidc";
timeout = "1s";
issuer = "http://zitadel.hand7s.org:8443/.well-known/openid-configuration";
tls-allow-invalid-certs = true;
};
};
authentication = {
fallback-admin = {
user = "admin";
secret = "admin";
};
directories = [
"zitadel"
];
oauth = [
"zitadel"
];
};
tracer = {
@ -123,6 +190,14 @@ _: {
level = "debug";
};
otlp = {
enable = true;
type = "open-telemetry";
endpoint = "http://127.0.0.1:4317";
transport = "grpc";
level = "info";
};
console = {
enable = true;
type = "console";

9
viola/services/sws.nix Normal file
View file

@ -0,0 +1,9 @@
_: {
services = {
static-web-server = {
enable = true;
listen = "0.0.0.0:8180";
root = "/home/hand7s/site";
};
};
}

90
viola/services/tempo.nix Normal file
View file

@ -0,0 +1,90 @@
_: {
services = {
tempo = {
enable = true;
settings = {
server = {
http_listen_port = 3200;
grpc_listen_port = 9096;
};
distributor = {
receivers = {
otlp = {
protocols = {
grpc = {
endpoint = "0.0.0.0:4317";
};
http = {
endpoint = "0.0.0.0:4318";
};
};
};
};
};
ingester = {
lifecycler = {
ring = {
replication_factor = 1;
};
};
};
storage = {
trace = {
backend = "local";
local = {
path = "/var/lib/tempo/blocks";
};
block = {
version = "vParquet4";
};
wal = {
path = "/var/lib/tempo/wal";
};
};
};
compactor = {
compaction = {
block_retention = "720h";
};
};
metrics_generator = {
registry = {
external_labels = {
source = "tempo";
};
};
storage = {
path = "/var/lib/tempo/generator";
remote_write = [
{
url = "http://127.0.0.1:9009/api/v1/push";
}
];
};
};
overrides = {
defaults = {
metrics_generator = {
processors = [
"service-graphs"
"span-metrics"
"local-blocks"
];
};
};
};
};
};
};
}

197
viola/services/traefik.nix Normal file
View file

@ -0,0 +1,197 @@
{config, ...}: {
services = {
traefik = {
enable = true;
environmentFiles = [
config.sops.templates."traefik.env".path
];
dynamicConfigOptions = {
http = {
routers = {
"home" = {
rule = "Host(`home.hand7s.org`)";
service = "home-svc";
tls = {
certResolver = "cloudflare";
domains = [
{
main = "hand7s.org";
sans = "*.hand7s.org";
}
];
};
entryPoints = [
"websecure"
];
};
"pass" = {
rule = "Host(`pass.hand7s.org`)";
service = "pass-svc";
tls = {
certResolver = "cloudflare";
domains = [
{
main = "hand7s.org";
sans = "*.hand7s.org";
}
];
};
entryPoints = [
"websecure"
];
};
"luci" = {
rule = "Host(`luci.hand7s.org`)";
service = "luci-svc";
tls = {
certResolver = "cloudflare";
domains = [
{
main = "hand7s.org";
sans = "*.hand7s.org";
}
];
};
entryPoints = [
"websecure"
];
};
"sync" = {
rule = "Host(`sync.hand7s.org`)";
service = "sync-svc";
tls = {
certResolver = "cloudflare";
domains = [
{
main = "hand7s.org";
sans = "*.hand7s.org";
}
];
};
};
entryPoints = [
"websecure"
];
};
services = {
"home-svc" = {
loadBalancer = {
servers = [
{
url = "http://127.0.0.1:8080";
}
];
};
};
"pass-svc" = {
loadBalancer = {
servers = [
{
url = "http://127.0.0.1:53353";
}
];
};
};
"sync-svc" = {
loadBalancer = {
servers = [
{
url = "http://127.0.0.1:80";
}
];
};
};
"luci-svc" = {
loadBalancer = {
servers = [
{
url = "http://192.168.1.2";
}
];
};
};
};
};
};
staticConfigOptions = {
api = {
dashboard = true;
};
tracing = {
otlp = {
grpc = {
endpoint = "127.0.0.1:4317";
insecure = true;
};
};
};
certificatesResolvers = {
"cloudflare" = {
acme = {
email = "litvinovb0@gmail.com";
storage = "${config.services.traefik.dataDir}/acme.json";
dnsChallenge = {
provider = "cloudflare";
resolvers = [
"1.1.1.1:53"
"8.8.8.8:53"
];
};
};
};
};
log = {
level = "INFO";
};
entryPoints = {
"web" = {
address = ":80";
http = {
redirections = {
entryPoint = {
to = "websecure";
scheme = "https";
};
};
};
};
"websecure" = {
address = ":443";
http = {
tls = {
certResolver = "cloudflare";
domains = [
{
main = "hand7s.org";
sans = [
"*.hand7s.org"
];
}
];
};
};
};
};
};
};
};
}

12
viola/services/vaultwarden.nix
View file

@ -1,12 +0,0 @@
_: {
services = {
vaultwarden = {
enable = true;
dbBackend = "postgresql";
config = {
# holy private thing
# im NOT sharing it here
};
};
};
}

41
viola/services/woodpecker.nix
View file

@ -1,19 +1,40 @@
_: {
{lib, ...}: {
services = {
woodpecker-server = {
enable = false;
enable = true;
environment = {
WOODPECKER_OPEN = "true";
WOODPECKER_OPEN = toString true;
WOODPECKER_ADMINS = "s0me1newithhand7s";
WOODPECKER_DATABASE_DRIVER = "postgres";
WOODPECKER_DATABASE_DATASOURCE = "${pqsql_socket}";
WOODPECKER_SERVER_ADDR = "${ciport1}";
WOODPECKER_GRPC_ADDR = "${ciport1}";
WOODPECKER_HOST = "https://cicd.hand7s.org";
WOODPECKER_SERVER_ADDR = ":53351";
WOODPECKER_GRPC_ADDR = ":53352";
WOODPECKER_HOST = "https://woodpecker.hand7s.org";
WOODPECKER_FORGEJO = "true";
WOODPECKER_AGENT_SECRET = lib.hashString "md5" "woodpeckerAgent";
WOODPECKER_FORGEJO = toString true;
WOODPECKER_FORGEJO_URL = "https://git.hand7s.org";
WOODPECKER_FORGEJO_CLIENT = "${cisecret1}";
FORGEJO_SECRET = "${cisecret2}";
WOODPECKER_FORGEJO_CLIENT = lib.hashString "md5" "replaceme1";
WOODPECKER_FORGEJO_SECRET = lib.hashString "md5" "replaceme2";
};
};
woodpecker-agents = {
agents = {
"podman" = {
enable = true;
extraGroups = [
"podman"
];
environment = {
WOODPECKER_AGENT_SECRET = lib.hashString "md5" "woodpeckerAgent";
WOODPECKER_SERVER = "localhost:53352";
WOODPECKER_MAX_WORKFLOWS = "4";
WOODPECKER_BACKEND = "docker";
DOCKER_HOST = "unix:///var/run/podman/podman.sock";
};
};
};
};
};

28
viola/services/zitadel.nix
View file

@ -3,7 +3,6 @@
zitadel = {
enable = true;
tlsMode = "external";
masterKeyFile = config.sops.secrets.zitadelMasterKey;
steps = {
FirstInstance = {
@ -24,7 +23,7 @@
PreferredLanguage = "en";
Email = {
Address = "me@hand7s.org";
Address = "admin@hand7s.org";
Verified = true;
};
};
@ -38,8 +37,17 @@
ExternalDomain = "zitadel.hand7s.org";
ExternalSecure = true;
Machine = {
MachineID = {
Type = "static";
Static = {
MachineID = 1;
};
};
};
Log = {
Level = "debug";
Level = "info";
};
Telemetry = {
@ -48,15 +56,7 @@
Database = {
postgres = {
Host = "${dbhost}";
Port = "${dbport}";
Database = "zitadel";
User = {
Username = "zitadel";
SSL = {
Mode = "disable";
};
};
Host = "localhost";
};
};
@ -64,8 +64,8 @@
Connectors = {
Redis = {
Enabled = true;
Addr = "${cahceaddress}";
Password = "${cahcepass}";
Addr = "localhost:6383";
Password = config.services.stalwart-mail.settings.requirePass;
PoolSize = "900";
PoolTimeout = "1800s";
};

9
viola/systemd/tmpfiles/rules.nix Normal file
View file

@ -0,0 +1,9 @@
_: {
systemd = {
tmpfiles = {
rules = [
# chaos
];
};
};
}

9
viola/users/users/hand7s.nix
View file

@ -8,8 +8,17 @@ _: {
initialHashedPassword = "$6$ckgRhNWmJgSwOUpJ$kfeAdokd5fa76HWbTmWN2YXx4M/PQVOTJku1ODbqbBhEkUFiLftdaJFRnNXfIM3Jtz0ShoRMSVCB7mDkxDrdi/";
extraGroups = [
"wheel"
"networkmanager"
"docker"
];
openssh = {
authorizedKeys = {
keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDp2IIdR5jV1HyG4aiRX7SfTNrXDhCx5rTiFU40qkOKq litvinovb0@gmail.com"
];
};
};
};
};
};

8
viola/virtualisation/docker.nix
View file

@ -1,9 +1,11 @@
_: {
virtualisation = {
docker = {
enable = true;
rootless = {
podman = {
enable = true;
defaultNetwork = {
settings = {
dns_enabled = true;
};
};
};
};