upd nixos conf

Pavel 2026-03-11 19:51:37 +03:00
parent 634d976a43
commit b5256d79fa


@ -18,10 +18,15 @@
"net.ipv6.conf.default.disable_ipv6" = 1; "net.ipv6.conf.default.disable_ipv6" = 1;
"net.ipv6.conf.lo.disable_ipv6" = 1; "net.ipv6.conf.lo.disable_ipv6" = 1;
}; };
hardware.enableRedistributableFirmware = true;
boot.extraModulePackages = with config.boot.kernelPackages; [
r8125
];
boot.kernelModules = [ "r8169" ];
networking.hostName = "homelab"; # Define your hostname. networking.hostName = "homelab"; # Define your hostname.
networking.networkmanager.wifi.powersave = false; networking.networkmanager.wifi.powersave = false;
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. networking.wireless.enable = false; # Enables wireless support via wpa_supplicant.
# Configure network proxy if necessary # Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/"; # networking.proxy.default = "http://user:password@proxy:port/";
@ -51,15 +56,68 @@
# My Services # My Services
services.caddy.enable = true; services.caddy.enable = true;
services.caddy.configFile = "/opt/homelab/services/caddy/Caddyfile"; services.caddy.configFile = "/opt/homelab/services/caddy/Caddyfile";
systemd.tmpfiles.rules = [
"d /var/log/caddy 0750 caddy caddy -"
];
services.fail2ban.jails.sshd = {
enabled = true;
settings = {
port = "ssh"; # or "22"
backend = "systemd";
maxretry = 5;
findtime = "10m";
bantime = "12h";
};
};
services.fail2ban = {
enable = true;
#LAN
ignoreIP = [
"127.0.0.1/8"
"192.168.1.0/24"
];
jails.vaultwarden = ''
enabled = true
filter = vaultwarden
logpath = /var/log/caddy/access.log
backend = auto
port = http,https
bantime = 1h
findtime = 10m
maxretry = 5
'';
};
environment.etc."fail2ban/filter.d/vaultwarden.conf".text = ''
[Definition]
# Vaultwarden login endpoint
failregex = ^.*"remote_ip":"<HOST>".*"host":"vault\.sesur\.dev".*"uri":"\/identity\/connect\/token".*"status":(400|401).*$
ignoreregex =
'';
# Disable suspend of my homelab. Added when my server every ~15 minutes suspend.
services.logind.settings.Login = {
HandlePowerKey = "poweroff";
HandleSuspendKey = "ignore";
HandleHibernateKey = "ignore";
HandleLidSwitch = "ignore";
IdleAction = "ignore";
};
# Hard block at systemd level (cannot suspend even if requested)
systemd.targets.sleep.enable = false;
systemd.targets.suspend.enable = false;
systemd.targets.hibernate.enable = false;
systemd.targets.hybrid-sleep.enable = false;
# Enable the X11 windowing system. # Enable the X11 windowing system.
services.xserver.enable = true; services.xserver.enable = false;
# Enable the GNOME Desktop Environment. # Enable the GNOME Desktop Environment.
services.xserver.displayManager.gdm.enable = true; services.xserver.displayManager.gdm.enable = false;
services.xserver.desktopManager.gnome.enable = true; services.xserver.desktopManager.gnome.enable = false;
services.xserver.displayManager.gdm.autoSuspend = false; services.xserver.displayManager.gdm.autoSuspend = false;
# Configure keymap in X11 # Configure keymap in X11
@ -115,6 +173,7 @@
btop btop
dig dig
curl curl
pciutils
git git
pkgs.inetutils pkgs.inetutils
pkgs.lsof pkgs.lsof
@ -173,7 +232,7 @@
# Open ports in the firewall. # Open ports in the firewall.
networking.firewall.allowedTCPPorts = [22 80 443 53 9999 ]; networking.firewall.allowedTCPPorts = [22 80 443 53 ];
networking.firewall.allowedUDPPorts = [ 53 ]; networking.firewall.allowedUDPPorts = [ 53 ];
# networking.firewall.allowedUDPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether. # Or disable the firewall altogether.
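Review bot: In the second hunk the vaultwarden jail (`jails.vaultwarden = ''…''`) is written as a free-form jail.conf string while the sshd jail a few lines above uses the module's structured `enabled`/`settings` form; mixing both styles in one file is inconsistent, and the string form bypasses the option typing the submodule form gets (if I remember the NixOS fail2ban module correctly, the string form is also the deprecated one). The jail additionally depends on Caddy emitting a JSON access log at `/var/log/caddy/access.log` carrying `remote_ip`, `host`, `uri` and `status` fields, which is configured in the Caddyfile under /opt/homelab rather than in this file; fail2ban refuses to start a jail whose `logpath` does not exist, so the tmpfiles rule that creates the directory is not sufficient on its own, and a comment above the jail naming that dependency would help, e.g. `# Requires the Caddyfile to write JSON access logs to /var/log/caddy/access.log`. The `ignoreIP` entry `"192.168.1.0/24"` exempts every LAN host from both jails, which is a deliberate trade-off but worth spelling out in the `#LAN` comment. The enclosing NixOS configuration set starts and ends outside the hunk.
```nix
jails.vaultwarden = {
  enabled = true;
  filter = "vaultwarden";
  settings = {
    logpath = "/var/log/caddy/access.log";
    backend = "auto";
    port = "http,https";
    bantime = "1h";
    findtime = "10m";
    maxretry = 5;
  };
};
```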