+m3-ares

2024-12-06 07:16:50 +01:00
parent 50332e55e8
commit 12a3620712
17 changed files with 637 additions and 3 deletions
--- a/hosts/m3-ares/services/containers/default.nix
+++ b/hosts/m3-ares/services/containers/default.nix
@ -0,0 +1,4 @@
+{
+  imports = [
+  ];
+}
--- a/hosts/m3-ares/services/default.nix
+++ b/hosts/m3-ares/services/default.nix
@ -0,0 +1,34 @@
+{
+  imports = [
+    ./containers
+    ./n8n.nix
+    ./postgres.nix
+    ./restic.nix
+    ./sound.nix
+    ./udev.nix
+    #./wireguard.nix
+  ];
+  services = {
+    hypridle.enable = true;
+    printing.enable = true;
+    gvfs.enable = true;
+    trezord.enable = true;
+    gnome.gnome-keyring.enable = true;
+    qdrant.enable = true;
+    avahi = {
+      enable = true;
+      nssmdns4 = true;
+      publish = {
+        addresses = true;
+        workstation = true;
+        userServices = true;
+      };
+    };
+  };
+  systemd.sleep.extraConfig = ''
+    AllowSuspend=no
+    AllowHibernation=no
+    AllowHybridSleep=no
+    AllowSuspendThenHibernate=no
+  '';
+}
--- a/hosts/m3-ares/services/n8n.nix
+++ b/hosts/m3-ares/services/n8n.nix
@ -0,0 +1,11 @@
+{
+  services.n8n = {
+    enable = true;
+    openFirewall = true;
+  };
+  systemd.services.n8n = {
+    environment = {
+      N8N_SECURE_COOKIE = "false";
+    };
+  };
+}
--- a/hosts/m3-ares/services/postgres.nix
+++ b/hosts/m3-ares/services/postgres.nix
@ -0,0 +1,22 @@
+{pkgs, ...}: {
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_17;
+    extraPlugins = with pkgs.postgresql17Packages; [
+      pgvector
+    ];
+    authentication = ''
+      local all all trust
+      host all all 127.0.0.1/32 trust
+      host all all ::1/128 trust
+
+      host all all 10.88.0.0/16 trust
+      host all all 19.89.0.0/16 trust
+    '';
+    initialScript = pkgs.writeText "initialScript.sql" ''
+      CREATE USER n8n WITH PASSWORD 'n8n';
+      CREATE DATABASE n8n;
+      GRANT ALL PRIVILEGES ON DATABASE n8n TO n8n;
+    '';
+  };
+}
--- a/hosts/m3-ares/services/restic.nix
+++ b/hosts/m3-ares/services/restic.nix
@ -0,0 +1,25 @@
+{
+  services.restic.backups = {
+    skynet = {
+      repository = "/mnt/skynet-bkg/m3-nix";
+      passwordFile = "/etc/nixos/restic-pass";
+      initialize = true;
+      paths = ["/home/m3tam3re"];
+      exclude = [
+        "/home/m3tam3re/.cache"
+        "/home/m3tam3re/Bilder/"
+        "/home/m3tam3re/Videos/"
+        "/home/m3tam3re/Downloads"
+        "/home/m3tam3re/Library"
+        "/home/m3tam3re/Projekte"
+        "/home/m3tam3re/Sync"
+        "/home/m3tam3re/.local/share/Trash"
+      ];
+      timerConfig = {
+        OnCalendar = "09:30";
+        RandomizedDelaySec = "2h";
+        Persistent = true;
+      };
+    };
+  };
+}
--- a/hosts/m3-ares/services/sound.nix
+++ b/hosts/m3-ares/services/sound.nix
@ -0,0 +1,14 @@
+{pkgs, ...}: {
+  environment.systemPackages = with pkgs; [
+    speechd
+  ];
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+    jack.enable = false;
+    wireplumber.enable = true;
+  };
+}
--- a/hosts/m3-ares/services/tailscale.nix
+++ b/hosts/m3-ares/services/tailscale.nix
@ -0,0 +1,40 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  services.tailscale = {
+    enable = true;
+    useRoutingFeatures = "client";
+  };
+
+  systemd.services.tailscale-autoconnect = {
+    description = "Automatic connection to Tailscale";
+
+    # make sure tailscale is running before trying to connect to tailscale
+    after = ["network-pre.target" "tailscale.service"];
+    wants = ["network-pre.target" "tailscale.service"];
+    wantedBy = ["multi-user.target"];
+
+    # set this service as a oneshot job
+    serviceConfig = {
+      Type = "oneshot";
+      EnvironmentFile = "${config.age.secrets.tailscale-key.path}";
+    };
+
+    # have the job run this shell script
+    script = with pkgs; ''
+      # wait for tailscaled to settle
+      sleep 2
+
+      # check if we are already authenticated to tailscale
+      status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+      if [ $status = "Running" ]; then # if so, then do nothing
+        exit 0
+      fi
+
+      # otherwise authenticate with tailscale
+      ${tailscale}/bin/tailscale up --exit-node 100.88.96.77 --authkey $TAILSCALE_KEY
+    '';
+  };
+}
--- a/hosts/m3-ares/services/udev.nix
+++ b/hosts/m3-ares/services/udev.nix
@ -0,0 +1,8 @@
+{pkgs, ...}: {
+  services.udev.extraRules = ''
+    SUBSYSTEM=="usb", MODE="0666
+  '';
+  environment.systemPackages = with pkgs; [
+    zsa-udev-rules
+  ];
+}
--- a/hosts/m3-ares/services/wireguard.nix
+++ b/hosts/m3-ares/services/wireguard.nix
@ -0,0 +1,25 @@
+{config, ...}: {
+  networking.wg-quick.interfaces = {
+    DE = {
+      configFile = config.age.secrets.wg-DE.path;
+      autostart = false;
+    };
+    NL = {
+      configFile = config.age.secrets.wg-NL.path;
+      autostart = false;
+    };
+    NO = {
+      configFile = config.age.secrets.wg-NO.path;
+      autostart = true;
+    };
+    US = {
+      configFile = config.age.secrets.wg-US.path;
+      autostart = false;
+    };
+    BR = {
+      configFile = config.age.secrets.wg-BR.path;
+      autostart = false;
+    };
+  };
+  services.resolved.enable = true;
+}