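# ssh-keygen -f /etc/ssh/ssh_host_ed25519_key
# ssh-keygen -f ~/.ssh/.containers
# edit secrets file
# agenix -e secret.age
#
# NixOS containers for the development services, all attached to the host
# bridge `br0` with static 192.168.12.x addresses.  Secrets are decrypted by
# agenix inside each container; the decryption identity is the host's ed25519
# SSH host key, bind-mounted read-only into the containers that need it.
# NOTE(review): every container holding that bind mount can read the host's
# private host key, and the nextcloud container (which also runs sshd) would
# present the host's key as its own.  A dedicated per-container identity
# (the `~/.ssh/.containers` key above looks intended for that) would limit the
# blast radius — confirm which is meant.
{ inputs, config, lib, pkgs, pkgs-unstable, ... }:

{
  containers = {
    nextcloud = {
      privateNetwork = true;
      hostAddress = "192.168.12.40";
      localAddress = "192.168.12.71/24";
      hostBridge = "br0";
      autoStart = false;
      bindMounts = {
        # agenix identity; see the note at the top of the file.
        "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
        "/var/www" = {
          hostPath = "/home/wayne/dev/whd";
          isReadOnly = false;
        };
      };
      config = { config, pkgs, ... }: {
        networking.firewall.allowedTCPPorts = [ 80 ];
        imports = [ inputs.agenix.nixosModules.default ];
        age = {
          identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
          secrets."nextcloud" = {
            file = ../secrets/nextcloud.age;
            # Owner/group read only.  The previous "770" left a decrypted
            # secret group-writable and executable; 440 keeps the same readers.
            mode = "440";
            owner = "nextcloud";
            group = "nextcloud";
          };
        };
        services.openssh = {
          enable = true;
          ports = [ 22 ];
          settings = {
            # NOTE(review): no `users.users.wayne` is declared in this
            # container's config, so AllowUsers admits nobody defined here;
            # password authentication is also enabled.  Prefer key-based login
            # and set this to false once a user with authorizedKeys exists.
            PasswordAuthentication = true;
            AllowUsers = [ "wayne" ]; # Allows all users by default. Can be [ "user1" "user2" ]
            UseDns = true;
            X11Forwarding = false;
            PermitRootLogin = "no"; # "yes", "without-password", "prohibit-password", "forced-commands-only", "no"
          };
        };
        services.nextcloud = {
          enable = true;
          package = pkgs.nextcloud30;
          hostName = "nextcloud";
          https = false;
          database.createLocally = true;
          configureRedis = true;
          autoUpdateApps.enable = true;
          maxUploadSize = "16G";
          extraAppsEnable = true;
          appstoreEnable = true;
          extraApps = with config.services.nextcloud.package.packages.apps; {
            # List of apps we want to install and are already packaged in
            # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json
            inherit calendar contacts mail notes onlyoffice tasks qownnotesapi;
            # Custom app installation example.
            # cookbook = pkgs.fetchNextcloudApp rec {
            #   url =
            #     "https://github.com/nextcloud/cookbook/releases/download/v0.10.2/Cookbook-0.10.2.tar.gz";
            #   sha256 = "sha256-XgBwUr26qW6wvqhrnhhhhcN4wkI+eXDHnNSm1HDbP6M=";
            # };
          };
          enableImagemagick = true;
          settings = {
            default_phone_region = "US";
            trusted_domains = [ "localhost" "launchpad" "192.168.12.40" "192.168.12.71" ];
          };
          config = {
            dbtype = "pgsql";
            adminuser = "nextcloud";
            # Path of the agenix-decrypted file, read by the nextcloud setup step.
            adminpassFile = config.age.secrets.nextcloud.path;
          };
        };
        system.stateVersion = "24.05";
      };
    };

    livebook = {
      autoStart = false;
      privateNetwork = true;
      hostBridge = "br0";
      localAddress = "192.168.12.72/24";
      bindMounts = {
        # agenix identity; see the note at the top of the file.
        "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
      };
      config = { config, pkgs, ... }: {
        networking.firewall.allowedTCPPorts = [ 80 ];
        imports = [ inputs.agenix.nixosModules.default ];
        age = {
          identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
          secrets."whayes" = {
            file = ../secrets/whayes.age;
            # Owner/group read only (was "770").
            mode = "440";
            # Assumes a `wayne` user exists in this container; none is declared
            # in this file — confirm, since chown to a missing user fails.
            owner = "wayne";
            group = "wayne";
          };
        };
        services.livebook = {
          enableUserService = true;
          environment = {
            # Only port 80 is opened in the firewall above, so 20123 is not
            # reachable from outside the container unless it is added there.
            LIVEBOOK_PORT = 20123;
            # LIVEBOOK_PASSWORD is deliberately NOT set here.  The previous
            # `LIVEBOOK_PASSWORD = config.age.secrets.whayes.path;` assigned the
            # *path* of the decrypted secret, so the literal path string became
            # the password (and appeared in the unit's Environment=).  The
            # password is supplied through environmentFile below.
          };
          # See note below about security
          # This file is handed to the service as an environment file and must
          # contain `LIVEBOOK_PASSWORD=<password>`.  NOTE(review): the agenix
          # secret `whayes` above is decrypted but never consumed in this
          # container; if its contents are in KEY=value form, pointing
          # environmentFile at `config.age.secrets.whayes.path` would replace
          # this plaintext file — confirm the secret's format first.
          environmentFile = "/var/lib/livebook.env";
          extraPackages = with pkgs; [ gcc gnumake ];
        };
        system.stateVersion = "24.05";
      };
    };

    grocy = {
      autoStart = false;
      privateNetwork = true;
      hostBridge = "br0";
      localAddress = "192.168.12.73/24";
      bindMounts = {
        # agenix identity; see the note at the top of the file.
        "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
      };
      config = { config, pkgs, ... }: {
        networking.firewall.allowedTCPPorts = [ 80 ];
        imports = [ inputs.agenix.nixosModules.default ];
        age = {
          identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
          # NOTE(review): nothing in this container references
          # config.age.secrets.whayes; decrypting it here only widens where the
          # secret lives.  Drop the declaration if grocy does not need it.
          secrets."whayes" = {
            file = ../secrets/whayes.age;
            # Owner/group read only (was "770").
            mode = "440";
            # Assumes a `wayne` user exists in this container (none declared here).
            owner = "wayne";
            group = "wayne";
          };
        };
        services.grocy = {
          enable = true;
          hostName = "grocy";
          settings = {
            currency = "USD";
            culture = "en";
          };
          nginx = {
            enableSSL = false;
          };
          phpfpm = {
            settings = {
              catch_workers_output = true;
              "listen.owner" = "nginx";
              "php_admin_flag[log_errors]" = true;
              "php_admin_value[error_log]" = "stderr";
              pm = "dynamic";
              "pm.max_children" = "32";
              "pm.max_requests" = "500";
              "pm.max_spare_servers" = "4";
              "pm.min_spare_servers" = "2";
              "pm.start_servers" = "2";
            };
          };
        };
        system.stateVersion = "24.05";
      };
    };

    onlyoffice = {
      autoStart = false;
      privateNetwork = true;
      hostBridge = "br0";
      localAddress = "192.168.12.74/24";
      bindMounts = {
        # agenix identity; see the note at the top of the file.
        "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
      };
      config = { config, lib, pkgs, ... }: {
        networking.firewall.allowedTCPPorts = [ 80 ];
        # allowUnfree = true already permits every unfree package, so the
        # predicate below is never consulted; keep one of the two.
        nixpkgs.config.allowUnfree = true;
        nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "corefonts" ];
        fonts.packages = with pkgs; [ corefonts ];
        imports = [ inputs.agenix.nixosModules.default ];
        age = {
          identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
          secrets."onlyoffice" = {
            file = ../secrets/onlyoffice-jwt.age;
            # Owner/group read only (was "770").
            mode = "440";
            owner = "onlyoffice";
            group = "onlyoffice";
          };
        };
        services.onlyoffice = {
          enable = true;
          port = 8000;
          hostname = "onlyoffice";
          package = pkgs.onlyoffice-documentserver;
          jwtSecretFile = config.age.secrets.onlyoffice.path;
          # The example server is a demo application; disable it when it is
          # not actively being used.
          enableExampleServer = true;
          examplePort = 8001;
        };
        system.stateVersion = "24.05";
      };
    };

    laravel = {
      privateNetwork = true;
      hostAddress = "192.168.12.40";
      localAddress = "192.168.12.75/24";
      hostBridge = "br0";
      autoStart = false;
      bindMounts = {
        "/var/www" = {
          hostPath = "/home/wayne/dev/laravel";
          isReadOnly = false;
        };
      };
      config = { config, pkgs, ... }: {
        networking.firewall = {
          # Firewall is off; the port lists below only take effect if it is enabled.
          enable = false;
          allowedTCPPorts = [ 80 5173 ];
          allowedTCPPortRanges = [ { from = 8000; to = 9000; } ];
          # allowedUDPPorts = [ 53 ];
        };
        networking = {
          enableIPv6 = false;
          # Pins api.github.com to a fixed address, bypassing DNS; this goes
          # stale if GitHub changes addresses.
          extraHosts = ''
            140.82.116.6 api.github.com
          '';
        };
        services.nginx = {
          enable = false;
          package = pkgs.nginx;
          # user = "www-data";
          virtualHosts.localhost = {
            root = "/var/www/site";
            locations."~ \\.php$".extraConfig = ''
              fastcgi_pass unix:${config.services.phpfpm.pools.mypool.socket};
              fastcgi_index index.php;
            '';
            locations."/robots.txt" = {
              extraConfig = ''
                rewrite ^/(.*) $1;
                return 200 "User-agent: *\nDisallow: /";
              '';
            };
          };
        };
        services.mysql = {
          enable = true;
          package = pkgs.mariadb;
          user = "mysql";
          # configFile = '''';
        };
        services.phpfpm = {
          phpPackage = pkgs.php83;
          pools.mypool = {
            user = "nobody";
            settings = {
              "pm" = "dynamic";
              "listen.owner" = config.services.nginx.user;
              "pm.max_children" = 5;
              "pm.start_servers" = 2;
              "pm.min_spare_servers" = 1;
              "pm.max_spare_servers" = 3;
              "pm.max_requests" = 500;
            };
          };
        };
        # programs.zsh.enable = true;
        users = {
          groups = {
            www-data = {};
            mysql = {};
          };
          users = {
            wayne = {
              isNormalUser = true;
              description = "Wayne Hayes";
              extraGroups = [ "networkmanager" "wheel" "wayne" "www-data" "nginx" ];
              openssh.authorizedKeys.keys = [ "ssh-rsa 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 wayne"];
              packages = with pkgs; [];
              # shell = pkgs.zsh;
            };
          };
        };
        environment.systemPackages = with pkgs; [ php83 php83Packages.composer nodejs_22 vim git ];
        system.stateVersion = "24.05";
      };
    };

    mailpit = {
      privateNetwork = true;
      hostAddress = "192.168.12.40";
      localAddress = "192.168.12.76/24";
      hostBridge = "br0";
      autoStart = false;
      # bindMounts = {
      #   "/var/www" = {
      #     hostPath = "/home/wayne/dev/laravel";
      #     isReadOnly = false;
      #   };
      # };
      config = { config, pkgs, pkgs-unstable, ... }: {
        networking.firewall = {
          # Firewall is off; the port list below only takes effect if it is enabled.
          enable = false;
          allowedTCPPorts = [ 1025 8025 ];
        };
        networking = {
          enableIPv6 = false;
        };
        services.nginx = {
          enable = false;
          package = pkgs.nginx;
          # user = "www-data";
          virtualHosts.localhost = {
            root = "/var/www/site";
            locations."~ \\.php$".extraConfig = ''
              fastcgi_pass unix:${config.services.phpfpm.pools.mypool.socket};
              fastcgi_index index.php;
            '';
            locations."/robots.txt" = {
              extraConfig = ''
                rewrite ^/(.*) $1;
                return 200 "User-agent: *\nDisallow: /";
              '';
            };
          };
        };
        # services.mailpit = {
        #   instances = {
        #     vmail = {
        #       max = 100;
        #       smtp = "127.0.0.1:1025";
        #       listen = "127.0.0.1:8025";
        #       database = "mailpit.db";
        #     };
        #   };
        # };
        # Provide the `pkgs-unstable` module argument from the unstable input,
        # reusing this container's nixpkgs config (e.g. allowUnfree).
        _module.args.pkgs-unstable = import inputs.nixpkgs-unstable {
          inherit (pkgs.stdenv.hostPlatform) system;
          inherit (config.nixpkgs) config;
        };
        environment.systemPackages = (with pkgs; [ vim ]) ++ (with pkgs-unstable; [ mailpit ]);
        system.stateVersion = "24.11";
      };
    };

    webserver = {
      privateNetwork = true;
      hostAddress = "192.168.12.40";
      # FIXME: identical to the mailpit container's localAddress; the two
      # will collide on br0 if both are started.  Pick an unused address.
      localAddress = "192.168.12.76/24";
      hostBridge = "br0";
      autoStart = false;
      # /dev/net/tun is required by tailscale inside the container.
      allowedDevices = [ { modifier = "rw"; node = "/dev/net/tun"; } ];
      bindMounts = {
        "/var/www" = {
          hostPath = "/home/wayne/dev/whd/live";
          isReadOnly = false;
        };
      };
      # Testing to see if this even works
      # forwardPorts = [
      #   { hostPort = 8080; containerPort = 80; protocol = "tcp";}
      #   { hostPort = 2222; containerPort = 22; protocol = "tcp";}
      # ];
      config = { config, pkgs, pkgs-unstable, ... }: {
        networking.firewall = {
          enable = true;
          # NOTE(review): no service in this file listens on 3306 (mysql is
          # commented out below), 2222 or 8080 (forwardPorts is disabled);
          # prune the list to the ports actually served.
          allowedTCPPorts = [ 22 80 443 1025 3000 3001 41641 8025 8080 2222 3306 ];
        };
        networking = {
          enableIPv6 = false;
        };
        users = {
          groups = {
            www-data = {};
            mysql = {};
            php = {};
          };
          users = {
            wayne = {
              isNormalUser = true;
              description = "Wayne Hayes";
              extraGroups = [ "networkmanager" "wheel" "wayne" "www-data" "nginx" "php" ];
              openssh.authorizedKeys.keys = [ "ssh-rsa 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 wayne"];
              packages = with pkgs; [];
            };
            php = {
              isSystemUser = true;
              group = "php";
            };
          };
        };
        services.tailscale = {
          enable = true;
          package = pkgs.tailscale;
          interfaceName = "tailscale0";
          openFirewall = true;
          port = 41641;
          useRoutingFeatures = "server";
        };
        services.openssh = {
          enable = true;
          ports = [ 22 ];
          settings = {
            # NOTE(review): wayne already has an authorizedKeys entry above, so
            # password login is not needed; setting this to false removes the
            # password-guessing surface.  Left as-is pending the owner's call.
            PasswordAuthentication = true;
            AllowUsers = [ "wayne" ]; # Allows all users by default. Can be [ "user1" "user2" ]
            UseDns = true;
            X11Forwarding = false;
            PermitRootLogin = "no"; # "yes", "without-password", "prohibit-password", "forced-commands-only", "no"
          };
        };
        # services.mysql = {
        #   enable = false;
        #   package = pkgs.mariadb;
        #   user = "mysql";
        #   # configFile = '''';
        # };
        services.nginx = {
          enable = true;
          package = pkgs.nginx;
          virtualHosts.localhost = {
            root = "/var/www/public";
            # `index` takes space-separated names; the earlier trailing comma
            # ("index.php,") made nginx look for a file literally named that.
            extraConfig = ''
              index index.php index.html;
            '';
            # Disabled.  If re-enabled, note the wildcard CORS origin and scope
            # it to the origins that actually need cross-site access.
            # locations."/".extraConfig = ''
            #   add_header 'Access-Control-Allow-Origin' '*';
            #   add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
            #   add_header 'Access-Control-Allow-Methods' 'GET, POST, HEAD, OPTIONS';
            #   add_header 'Accept' 'application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8';
            #   index index.php index.html;
            #   try_files $uri $uri/ /index.php;
            # '';
            locations."~ \\.php$".extraConfig = ''
              fastcgi_pass unix:${config.services.phpfpm.pools.mypool.socket};
              fastcgi_index index.php;
              # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
              # fastcgi_param APPLICATION_ENV development;
              # fastcgi_intercept_errors off;
              # fastcgi_buffer_size 16k;
              # fastcgi_buffers 4 16k;
            '';
            locations."~ \\.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map|woff|woff2)$".extraConfig = ''
              try_files $uri /index.php$request_uri;
              expires 7d; # Cache-Control policy borrowed from `.htaccess`
            '';
            locations."/robots.txt" = {
              extraConfig = ''
                rewrite ^/(.*) $1;
                return 200 "User-agent: *\nDisallow: /";
              '';
            };
          };
        };
        services.phpfpm = {
          phpPackage = pkgs.php83;
          pools.mypool = {
            user = "nobody";
            settings = {
              "pm" = "dynamic";
              "listen.owner" = config.services.nginx.user;
              "pm.max_children" = 32;
              "pm.start_servers" = 2;
              "pm.min_spare_servers" = 1;
              "pm.max_spare_servers" = 3;
              "pm.max_requests" = 500;
            };
          };
          # xdebug is loaded for every pool.  It is a development aid; do not
          # carry it onto a build that faces untrusted clients.
          phpOptions = ''
            extension=${pkgs.php83Extensions.xdebug}/lib/php/extensions/xdebug.so
          '';
          extraConfig = ''
          '';
        };
        # Provide the `pkgs-unstable` module argument from the unstable input,
        # reusing this container's nixpkgs config.
        _module.args.pkgs-unstable = import inputs.nixpkgs-unstable {
          inherit (pkgs.stdenv.hostPlatform) system;
          inherit (config.nixpkgs) config;
        };
        environment.systemPackages = (with pkgs; [
          vim
          git
          php83
          php83Extensions.xdebug
          nodejs_22
          nodePackages.npm
          nodePackages.browser-sync
        ]) ++ (with pkgs-unstable; [ mailpit ]);
        system.stateVersion = "24.05";
      };
    };
  };
}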