sam/nixos
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: sam:master
Branches Tags
sam:master
sam:cloudnix
sam:development
sam:metrics-server
sam:nixvim
sam:bitcoin
sam:docker
sam:docker-entrypoint
sam:incus
sam:lxd
sam:nebula
sam:overseer
sam:disko
sam:change-decrypt-key
sam:media
sam:impermanence
sam:fileserver-host
sam:sops
sam:modules
..
compare: sam:metrics-server
Branches Tags
sam:master
sam:cloudnix
sam:development
sam:metrics-server
sam:nixvim
sam:bitcoin
sam:docker
sam:docker-entrypoint
sam:incus
sam:lxd
sam:nebula
sam:overseer
sam:disko
sam:change-decrypt-key
sam:media
sam:impermanence
sam:fileserver-host
sam:sops
sam:modules

No commits in common. "master" and "metrics-server" have entirely different histories.
master ... metrics-se

75 changed files with 607 additions and 2754 deletions
Show stats Expand all files Collapse all files

20
.tmux.conf
View file

@ -1,20 +0,0 @@
# improve colors
set -g default-terminal 'screen-256color
# remap leader key to ctrl-s
set -g prefix2 C-s
# vim keymaps for switching panes
setw -g mode-keys vi
bind-key h select-pane -L
bind-key j select-pane -D
bind-key k select-pane -U
bind-key l select-pane -R
bind-key r C-h select-window -t :-
bind-key r C-h select-window -t :+
# plugins
set -g @plugin 'tmux-plugins/tpm'
set -g @plugin 'Nybkox/tmux-kanagawa'
run '~/.tmux/plugins/tpm/tpm'

132
bin/auto-update-nixos
View file

@ -8,85 +8,73 @@ flakeDir="${FLAKE_DIR}" # Path to the flake file (and op
update=false # Whether to update flake.lock (false by default)
user=$(/run/current-system/sw/bin/whoami) # Which user account to use for git commands (defaults to whoever called the script)
reboot=false
remote=false
remainingArgs="" # All remaining arguments that haven't yet been processed (will be passed to nixos-rebuild)
remainingArgs="" # All remaining arguments that haven't yet been processed (will be passed to nixos-rebuild)
function usage() {
echo "nixos-rebuild Operations Script (NOS) updates your system and your flake.lock file by pulling the latest versions."
echo ""
echo "Running the script with no parameters performs the following operations:"
echo " 1. Pull the latest version of the config"
echo " 2. Update your flake.lock file"
echo " 3. Commit any changes back to the repository"
echo " 4. Run 'nixos-rebuild switch'."
echo ""
echo "Advanced usage: nixos-upgrade-script.sh [-o|--operation operation] [-f|--flake path-to-flake] [extra nixos-rebuild parameters]"
echo "Options:"
echo " -h, --help Show this help screen."
echo " -o, --operation The nixos-rebuild operation to perform."
echo " -f, --flake <path> The path to your flake.nix file (and optionally, the hostname to build)."
echo " -U, --update Update and commit flake.lock."
echo " -R, --build-host <user@host> Attempt build on remote host."
echo " -r, --reboot Reboots system is there is a kernel or init update"
echo " -u, --user Which user account to run git commands under."
echo ""
exit 2
echo "nixos-rebuild Operations Script (NOS) updates your system and your flake.lock file by pulling the latest versions."
echo ""
echo "Running the script with no parameters performs the following operations:"
echo " 1. Pull the latest version of the config"
echo " 2. Update your flake.lock file"
echo " 3. Commit any changes back to the repository"
echo " 4. Run 'nixos-rebuild switch'."
echo ""
echo "Advanced usage: nixos-upgrade-script.sh [-o|--operation operation] [-f|--flake path-to-flake] [extra nixos-rebuild parameters]"
echo "Options:"
echo " -h, --help Show this help screen."
echo " -o, --operation The nixos-rebuild operation to perform."
echo " -f, --flake <path> The path to your flake.nix file (and optionally, the hostname to build)."
echo " -U, --update Update and commit flake.lock."
echo " -u, --user Which user account to run git commands under."
echo ""
exit 2
}
# Argument processing logic shamelessly stolen from https://stackoverflow.com/questions/192249/how-do-i-parse-command-line-arguments-in-bash
POSITIONAL_ARGS=()
while [[ $# -gt 0 ]]; do
case "$1" in
--flake | -f)
flakeDir="$2"
shift
shift
;;
--operation | -o)
operation="$2"
shift
shift
;;
--user | -u)
user="$2"
shift
shift
;;
--build-host | -R)
remote=true
host="$2"
shift
shift
;;
--update | --upgrade | -U)
update=true
shift
;;
--reboot | -r)
reboot=true
shift
;;
--help | -h)
usage
exit 0
;;
*)
POSITIONAL_ARGS+=("$1") # save positional arg
shift
;;
esac
--flake|-f)
flakeDir="$2"
shift
shift
;;
--update|--upgrade|-U)
update=true
shift
;;
--reboot|-r)
reboot=true
shift
;;
--operation|-o)
operation="$2"
shift
shift
;;
--user|-u)
user="$2"
shift
shift
;;
--help|-h)
usage
exit 0
;;
*)
POSITIONAL_ARGS+=("$1") # save positional arg
shift
;;
esac
done
remainingArgs=${POSITIONAL_ARGS[@]}
set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
if [ -z "${flakeDir}" ]; then
echo "Flake directory not specified. Use '--flake <path>' or set \$FLAKE_DIR."
exit 1
echo "Flake directory not specified. Use '--flake <path>' or set \$FLAKE_DIR."
exit 1
fi
# wait for wifi networks to come online.
sleep 10
cd $flakeDir
current_branch=$(git branch --show-current)
@ -97,22 +85,16 @@ echo "Pulling the latest version of the repository..."
/run/wrappers/bin/sudo -u $user git pull
if [ $update = true ]; then
echo "Updating flake.lock..."
/run/wrappers/bin/sudo -u $user nix flake update --commit-lock-file && /run/wrappers/bin/sudo -u $user git push
echo "Updating flake.lock..."
/run/wrappers/bin/sudo -u $user nix flake update --commit-lock-file && /run/wrappers/bin/sudo -u $user git push
else
echo "Skipping 'nix flake update'..."
echo "Skipping 'nix flake update'..."
fi
options="--flake $flakeDir $remainingArgs --use-remote-sudo"
echo "Running this operation: nixos-rebuild $operation $options"
if [ $remote = true ]; then
echo "Attempting remote build..."
/run/wrappers/bin/sudo -u root /run/current-system/sw/bin/nixos-rebuild $operation $options --build-host "$host"
else
/run/wrappers/bin/sudo -u root /run/current-system/sw/bin/nixos-rebuild $operation $options
fi
/run/wrappers/bin/sudo -u root /run/current-system/sw/bin/nixos-rebuild $operation $options
echo "Checking if reboot is necessary"
reboot_diff=$(diff <(readlink /run/booted-system/{initrd,kernel,kernel-modules}) <(readlink /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules}))

136
flake.lock generated
View file

@ -108,12 +108,12 @@
},
"flake-compat": {
"locked": {
"lastModified": 1733328505,
"narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
"rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
"revCount": 69,
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"revCount": 57,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.1.0/01948eb7-9cba-704f-bbf3-3fa956735b52/source.tar.gz"
"url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
},
"original": {
"type": "tarball",
@ -170,11 +170,11 @@
]
},
"locked": {
"lastModified": 1738453229,
"narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=",
"lastModified": 1736143030,
"narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd",
"rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
"type": "github"
},
"original": {
@ -271,11 +271,11 @@
]
},
"locked": {
"lastModified": 1737465171,
"narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=",
"lastModified": 1735882644,
"narHash": "sha256-3FZAG+pGt3OElQjesCAWeMkQ7C/nB1oTHLRQ8ceP110=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17",
"rev": "a5a961387e75ae44cc20f0a57ae463da5e959656",
"type": "github"
},
"original": {
@ -351,11 +351,11 @@
]
},
"locked": {
"lastModified": 1739757849,
"narHash": "sha256-Gs076ot1YuAAsYVcyidLKUMIc4ooOaRGO0PqTY7sBzA=",
"lastModified": 1736373539,
"narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "9d3d080aec2a35e05a15cedd281c2384767c2cfe",
"rev": "bd65bc3cde04c16755955630b344bc9e35272c56",
"type": "github"
},
"original": {
@ -373,11 +373,11 @@
]
},
"locked": {
"lastModified": 1739570999,
"narHash": "sha256-eCc0/Q4bPpe4/AS+uzIrHLJcR6BxPQ69q2kD0/Qe6rU=",
"lastModified": 1736373539,
"narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "254d47082e23dbf72fdeca1da6fe1da420f478d8",
"rev": "bd65bc3cde04c16755955630b344bc9e35272c56",
"type": "github"
},
"original": {
@ -389,11 +389,11 @@
},
"impermanence": {
"locked": {
"lastModified": 1737831083,
"narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
"lastModified": 1736688610,
"narHash": "sha256-1Zl9xahw399UiZSJ9Vxs1W4WRFjO1SsNdVZQD4nghz0=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
"rev": "c64bed13b562fc3bb454b48773d4155023ac31b7",
"type": "github"
},
"original": {
@ -450,26 +450,6 @@
"type": "github"
}
},
"minimal-tmux": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1730695632,
"narHash": "sha256-JtbuSxWFR94HiUdQL9uIm2V/kwGz0gbVbqvYWmEncbc=",
"owner": "niksingh710",
"repo": "minimal-tmux-status",
"rev": "d7188c1aeb1c7dd03230982445b7360f5e230131",
"type": "github"
},
"original": {
"owner": "niksingh710",
"repo": "minimal-tmux-status",
"type": "github"
}
},
"nix-bitcoin": {
"inputs": {
"extra-container": "extra-container",
@ -480,11 +460,11 @@
"nixpkgs-unstable": "nixpkgs-unstable"
},
"locked": {
"lastModified": 1739709805,
"narHash": "sha256-8/OuhPELneYOtncScsPrAwmlzBNSAFotoTKd6JxU6OA=",
"lastModified": 1734508046,
"narHash": "sha256-JN/PFBOVqWKc76zSdOunYoG5Q0m8W4zfrEh3V4EOIuk=",
"owner": "fort-nix",
"repo": "nix-bitcoin",
"rev": "bff10a66e50f6a3387b3e5acbbdf2519c624e8bc",
"rev": "33dbb41d581b86decf421cb3835c426d557e0e9c",
"type": "github"
},
"original": {
@ -521,16 +501,15 @@
]
},
"locked": {
"lastModified": 1739553546,
"narHash": "sha256-L4ou3xfOr17EAe836djRoQ7auVkYOREMtiQa82wVGqU=",
"lastModified": 1736370755,
"narHash": "sha256-iWcjToBpx4PUd74uqvIGAfqqVfyrvRLRauC/SxEKIF0=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "353846417f985e74fdc060555f17939e4472ea2c",
"rev": "57733bd1dc81900e13438e5b4439239f1b29db0e",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "nix-darwin-24.11",
"repo": "nix-darwin",
"type": "github"
}
@ -559,11 +538,11 @@
},
"nix-secrets": {
"locked": {
"lastModified": 1740164526,
"narHash": "sha256-lpKNY9qLoIT1XbLzeY+tmkV1DjQQ3mWYWjko+necYhM=",
"lastModified": 1737144574,
"narHash": "sha256-g0B0+UkiRusGm5QkGC6uHa7Ybq6J7RgeF4aa/nrCeLg=",
"ref": "refs/heads/master",
"rev": "ddf31a3a72504f36577ec341fbc84aa8f3dd3318",
"revCount": 283,
"rev": "471fa5ee6f6d12f02c0e06a6fd595b7646139da4",
"revCount": 211,
"type": "git",
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
},
@ -605,11 +584,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1739451785,
"narHash": "sha256-3ebRdThRic9bHMuNi2IAA/ek9b32bsy8F5R4SvGTIog=",
"lastModified": 1734126203,
"narHash": "sha256-0XovF7BYP50rTD2v4r55tR5MuBLet7q4xIz6Rgh3BBU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "1128e89fd5e11bb25aedbfc287733c6502202ea9",
"rev": "71a6392e367b08525ee710a93af2e80083b5b3e2",
"type": "github"
},
"original": {
@ -621,11 +600,11 @@
},
"nixpkgs-unstable_2": {
"locked": {
"lastModified": 1739866667,
"narHash": "sha256-EO1ygNKZlsAC9avfcwHkKGMsmipUk1Uc0TbrEZpkn64=",
"lastModified": 1736883708,
"narHash": "sha256-uQ+NQ0/xYU0N1CnXsa2zghgNaOPxWpMJXSUJJ9W7140=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "73cf49b8ad837ade2de76f87eb53fc85ed5d4680",
"rev": "eb62e6aa39ea67e0b8018ba8ea077efe65807dc8",
"type": "github"
},
"original": {
@ -653,11 +632,11 @@
},
"nixpkgs_3": {
"locked": {
"lastModified": 1740162160,
"narHash": "sha256-SSYxFhqCOb3aiPb6MmN68yEzBIltfom8IgRz7phHscM=",
"lastModified": 1737097711,
"narHash": "sha256-Zql7TDxEMAOASLSu0wBlfM5SIY+4Pz2R/k17O/asCYc=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "11415c7ae8539d6292f2928317ee7a8410b28bb9",
"rev": "3cbc78cfa611511c04f47c4932509f9dbdf4381a",
"type": "github"
},
"original": {
@ -669,11 +648,11 @@
},
"nixpkgs_4": {
"locked": {
"lastModified": 1739866667,
"narHash": "sha256-EO1ygNKZlsAC9avfcwHkKGMsmipUk1Uc0TbrEZpkn64=",
"lastModified": 1736883708,
"narHash": "sha256-uQ+NQ0/xYU0N1CnXsa2zghgNaOPxWpMJXSUJJ9W7140=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "73cf49b8ad837ade2de76f87eb53fc85ed5d4680",
"rev": "eb62e6aa39ea67e0b8018ba8ea077efe65807dc8",
"type": "github"
},
"original": {
@ -698,11 +677,11 @@
"treefmt-nix": "treefmt-nix_2"
},
"locked": {
"lastModified": 1739623149,
"narHash": "sha256-9hyreNdQtQaFzWAx38CHiKHFQ8vAc/J2/kXeT7Nwy6s=",
"lastModified": 1736598792,
"narHash": "sha256-G6/9vT12RAxkNWQPEX9p8tTx/i8jJcmISpbVDGbEPGc=",
"owner": "nix-community",
"repo": "nixvim",
"rev": "6b2c62b91a10a773e705f55e8b34a19c8b1f3728",
"rev": "2004ff4547f11d25da78f393fe797dde2b831ce7",
"type": "github"
},
"original": {
@ -719,11 +698,11 @@
"treefmt-nix": "treefmt-nix_3"
},
"locked": {
"lastModified": 1740190061,
"narHash": "sha256-hhOK+U42wxh5PQr3GUdNR6i/xgjv6e+dq+AefaleGu4=",
"lastModified": 1737107600,
"narHash": "sha256-pBF7pAmSRlmmObXbS71v0YM5sEC4/4HvesFV3oz2xQU=",
"owner": "nix-community",
"repo": "NUR",
"rev": "c730bf6c124d3bbb66ee6aac920d5ad7f0e15759",
"rev": "b65350213a768bdf4d2da001537a6635edcd562a",
"type": "github"
},
"original": {
@ -742,11 +721,11 @@
]
},
"locked": {
"lastModified": 1738508923,
"narHash": "sha256-4DaDrQDAIxlWhTjH6h/+xfG05jt3qDZrZE/7zDLQaS4=",
"lastModified": 1735854821,
"narHash": "sha256-Iv59gMDZajNfezTO0Fw6LHE7uKAShxbvMidmZREit7c=",
"owner": "NuschtOS",
"repo": "search",
"rev": "86e2038290859006e05ca7201425ea5b5de4aecb",
"rev": "836908e3bddd837ae0f13e215dd48767aee355f0",
"type": "github"
},
"original": {
@ -787,7 +766,6 @@
"home-manager": "home-manager",
"impermanence": "impermanence",
"lnbits": "lnbits",
"minimal-tmux": "minimal-tmux",
"nix-bitcoin": "nix-bitcoin",
"nix-colors": "nix-colors",
"nix-secrets": "nix-secrets",
@ -805,11 +783,11 @@
]
},
"locked": {
"lastModified": 1739262228,
"narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
"lastModified": 1737107480,
"narHash": "sha256-GXUE9+FgxoZU8v0p6ilBJ8NH7k8nKmZjp/7dmMrCv3o=",
"owner": "mic92",
"repo": "sops-nix",
"rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
"rev": "4c4fb93f18b9072c6fa1986221f9a3d7bf1fe4b6",
"type": "github"
},
"original": {
@ -907,11 +885,11 @@
]
},
"locked": {
"lastModified": 1738953846,
"narHash": "sha256-yrK3Hjcr8F7qS/j2F+r7C7o010eVWWlm4T1PrbKBOxQ=",
"lastModified": 1736154270,
"narHash": "sha256-p2r8xhQZ3TYIEKBoiEhllKWQqWNJNoT9v64Vmg4q8Zw=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "4f09b473c936d41582dd744e19f34ec27592c5fd",
"rev": "13c913f5deb3a5c08bb810efd89dc8cb24dd968b",
"type": "github"
},
"original": {

29
flake.nix
View file

@ -59,11 +59,6 @@
url = "git+ssh://git@git.bitlab21.com/sam/nix-secrets.git";
inputs = {};
};
minimal-tmux = {
url = "github:niksingh710/minimal-tmux-status";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = {
@ -123,7 +118,7 @@
merlin = nixpkgs.lib.nixosSystem {
inherit specialArgs;
modules = [
./hosts/merlin
./hosts/nebula
home-manager.nixosModules.home-manager
{
home-manager.extraSpecialArgs = specialArgs;
@ -135,28 +130,6 @@
modules = [
./hosts/citadel
home-manager.nixosModules.home-manager
{
home-manager.extraSpecialArgs = specialArgs;
}
];
};
cloudnix = nixpkgs.lib.nixosSystem {
inherit specialArgs;
modules = [
./hosts/cloudnix
home-manager.nixosModules.home-manager
{
home-manager.extraSpecialArgs = specialArgs;
}
];
};
iso = nixpkgs.lib.nixosSystem {
inherit specialArgs;
modules = [
./hosts/iso
home-manager.nixosModules.home-manager
{
home-manager.extraSpecialArgs = specialArgs;

11
home/cloudnix.nix
View file

@ -1,11 +0,0 @@
{
...
}: {
imports = [
./users/admin
./common/core
./common/optional/git.nix
./common/optional/sops.nix
];
}

1
home/common/core/default.nix
View file

@ -4,7 +4,6 @@
inputs.nix-colors.homeManagerModules.default
./zsh.nix
./nixvim
./tmux.nix
];
nixpkgs.overlays = [

25
home/common/core/tmux.nix
View file

@ -1,25 +0,0 @@
{
pkgs,
inputs,
...
}: {
programs.tmux = {
enable = true;
clock24 = true;
extraConfig = ''
# vim keymaps for switching panes
setw -g mode-keys vi
bind-key h select-pane -L
bind-key j select-pane -D
bind-key k select-pane -U
bind-key l select-pane -R
bind-key -r C-h select-window -t :-
bind-key -r C-h select-window -t :+
'';
plugins = [
{ plugin = inputs.minimal-tmux.packages.${pkgs.system}.default; }
pkgs.tmuxPlugins.yank
];
};
}

2
home/common/optional/desktop/common/default.nix
View file

@ -26,9 +26,9 @@
pkgs.hunspellDicts.en_US
pkgs.set_wm_class
pkgs.xorg.xkill
pkgs.krita
pkgs.R
pkgs.gimp
pkgs.gajim
pkgs.vlc
];
}

36
home/common/optional/desktop/common/firefox.nix
View file

@ -5,6 +5,7 @@
...
}: let
user = config.home.username;
bitcoinNodeIp = configVars.networking.addresses.bitcoin-node.ip;
dockerContainerIp = configVars.networking.addresses.docker.ip;
in {
programs.firefox = {
@ -21,8 +22,14 @@ in {
{
template = "https://search.nixos.org/packages";
params = [
{ name = "type"; value = "packages"; }
{ name = "query"; value = "{searchTerms}"; }
{
name = "type";
value = "packages";
}
{
name = "query";
value = "{searchTerms}";
}
];
}
];
@ -36,7 +43,7 @@ in {
definedAliases = ["@nw"];
};
"Searx" = {
urls = [{template = "http://searx.lan/?q={searchTerms}";}];
urls = [{template = "http://${dockerContainerIp}:8855/?q={searchTerms}";}];
iconUpdateURL = "https://docs.searxng.org/_static/searxng-wordmark.svg";
updateInterval = 24 * 60 * 60 * 1000; # every day
definedAliases = ["@searx"];
@ -53,27 +60,11 @@ in {
bookmarks = [
{
name = "Jellyfin";
url = "http://jellyfin.lan";
}
{
name = "Pihole";
url = "http://dns.lan/admin";
}
{
name = "Searx";
url = "http://searx.lan";
url = "http://${dockerContainerIp}:8096";
}
{
name = "Mempool";
url = "http://mempool.lan";
}
{
name = "Grafana";
url = "http://grafana.lan";
}
{
name = "Prometheus";
url = "http://metrics.lan";
url = "http://${bitcoinNodeIp}:4080";
}
{
name = "Nixos Package Search";
@ -89,7 +80,7 @@ in {
"identity.fxaccounts.enabled" = false;
"signon.rememberSignons" = false;
"browser.compactmode.show" = true;
"browser.startup.homepage" = "http://searx.lan";
"browser.startup.homepage" = "http://${dockerContainerIp}:8855";
"browser.search.defaultenginename" = "Searx";
"browser.search.order.1" = "Searx";
};
@ -100,6 +91,7 @@ in {
bitwarden
sponsorblock
darkreader
vimium
privacy-badger
zotero-connector
];

2
home/common/optional/desktop/dwm/sxhkdrc.nix
View file

@ -15,7 +15,7 @@
XF86AudioMicMute
pamixer --default-source --toggle-mute && dunstify-volume-notification && pkill -RTMIN+10 dwmblocks && exit 1
control + F9
XF86Messenger
dunstify-battery-notification
control + F8

8
home/common/optional/notes.nix
View file

@ -3,8 +3,7 @@ let
user = config.home.username;
in
{
home.activation.getNotes = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
touch /tmp/notes
home.activation.get-notes = lib.hm.dag.entryAfter [ "installPackages" ] ''
notes_dir=/home/${user}/.local/share/notes
remote=git@git.bitlab21.com:sam/notes
if [ -d "$notes_dir" ];
@ -14,9 +13,6 @@ in
else
mkdir -p "$notes_dir" && PATH="${pkgs.git}/bin:${pkgs.openssh}/bin:$PATH" git clone "$remote" "$notes_dir"
fi
'';
home.activation.foo = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
touch /tmp/foo
exit 0
'';
}

11
home/merlin.nix
View file

@ -1,11 +0,0 @@
{
...
}: {
imports = [
./users/admin
./common/core
./common/optional/git.nix
./common/optional/sops.nix
];
}

13
home/users/admin/default.nix
View file

@ -1,4 +1,4 @@
{ outputs, ... }:
{ config, pkgs, lib, outputs, ... }:
{
home.username = "admin";
@ -7,16 +7,6 @@
imports = [
] ++ (builtins.attrValues outputs.homeManagerModules); # import all homeManagerModules?
programs.ssh = {
enable = true;
matchBlocks = {
"git.bitlab21.com" = {
identitiesOnly = true;
identityFile = ["~/.ssh/deploy_key-ssh-ed25519"];
};
};
};
home.packages = [
];
@ -27,7 +17,6 @@
];
home.sessionVariables = {
EDITOR = "nvim";
};
programs.home-manager.enable = true;

48
hosts/citadel/default.nix
View file

@ -11,11 +11,13 @@
fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence
dev = "/dev/nvme0n1"; # depends on target hardware
encrypted = true; # currrently only applies to btrfs
btrfsMountDevice = "/dev/mapper/crypted";
btrfsMountDevice =
if encrypted
then "/dev/mapper/crypted"
else "/dev/root_vg/root";
user = "sam";
impermanence = true;
piholeIp = configVars.networking.addresses.pihole.ip;
merlinIp = configVars.networking.addresses.merlin.ip;
gatewayIp = configVars.networking.addresses.gateway.ip;
in {
imports = [
@ -46,11 +48,9 @@ in {
../common/optional/pipewire.nix
../common/optional/openssh.nix
../common/optional/dwm.nix
../common/optional/fileserver/nfs-client/media.nix
../common/optional/fileserver/nfs-client/photos.nix
../common/optional/fileserver/nfs-client/personal.nix
../common/optional/nfs-mounts/media.nix
../common/optional/nfs-mounts/homeshare.nix
../common/optional/nfs-mounts/photos.nix
../common/optional/printing.nix
../common/optional/backlight.nix
../common/optional/xmodmap-arrow-remaps.nix
@ -58,21 +58,19 @@ in {
../common/optional/gaming.nix
../common/optional/powersave.nix
../common/optional/restic-backup.nix
../common/optional/distributed-builds/local-machine.nix
# This machine is used for remote building
../common/optional/distributed-builds/remote-builder-machine.nix
# ../../modules/nixos
outputs.nixosModules.nixosAutoUpgrade
];
boot = {
supportedFilesystems = ["nfs"];
blacklistedKernelModules = ["snd_hda_intel" "snd_soc_skl"];
kernelModules = ["iwlwifi"];
initrd.kernelModules = ["thinkpad-acpi" "acpi-call" "nfs"];
# BUG: Using older linux kernel because of build errors
# see https://github.com/NixOS/nixpkgs/issues/375605
# kernelPackages = pkgs.linuxPackagesFor pkgs.linux_latest;
kernelPackages = pkgs.linuxKernel.packages.linux_6_12;
initrd.kernelModules = ["thinkpad-acpi" "acpi-call"];
kernelPackages = pkgs.linuxPackagesFor pkgs.linux_latest;
extraModulePackages = [
config.boot.kernelPackages.acpi_call
];
@ -94,7 +92,6 @@ in {
enable = true;
persistent = true;
reboot = false;
remote = "remotebuild@${merlinIp}";
pushUpdates = false;
configDir = "/etc/nixos";
onCalendar = "*-*-* 08:00:00";
@ -107,8 +104,15 @@ in {
xkb.options = "caps:swapescape";
dpi = 196;
upscaleDefaultCursor = true;
# FIXME this doesnt work for some reason
# displayManager.sessionCommands = pkgs.writeShellScriptBin "key-remaps" ''
# ${pkgs.xorg.xmodmap}/bin/xmodmap -e "keycode 64 = Mode_switch"
# ${pkgs.xorg.xmodmap}/bin/xmodmap -e "keycode 43 = h H Left H"
# ${pkgs.xorg.xmodmap}/bin/xmodmap -e "keycode 44 = j J Down J"
# ${pkgs.xorg.xmodmap}/bin/xmodmap -e "keycode 45 = k K Up K"
# ${pkgs.xorg.xmodmap}/bin/xmodmap -e "keycode 46 = l L Right L"
# '';
};
# enable oom killer when system ram drops below 5% free
earlyoom = {
enable = true;
@ -161,6 +165,18 @@ in {
powerManagement.finegrained = true;
open = false;
nvidiaSettings = true;
# # FIXME issue with stable nvidia driver and latest linux kernel
# # use mkDriver to specify newer nvidia driver that is compatible
# # see: https://github.com/NixOS/nixpkgs/issues/341844#issuecomment-2351075413
# # and https://discourse.nixos.org/t/builder-for-nvidia-x11-550-78-6-10-drv-failed-with-exit-code-2/49360/32
# package = config.boot.kernelPackages.nvidiaPackages.mkDriver {
# version = "555.58.02";
# sha256_64bit = "sha256-xctt4TPRlOJ6r5S54h5W6PT6/3Zy2R4ASNFPu8TSHKM=";
# sha256_aarch64 = "sha256-wb20isMrRg8PeQBU96lWJzBMkjfySAUaqt4EgZnhyF8=";
# openSha256 = "sha256-8hyRiGB+m2hL3c9MDA/Pon+Xl6E788MZ50WrrAGUVuY=";
# settingsSha256 = "sha256-ZpuVZybW6CFN/gz9rx+UJvQ715FZnAOYfHn5jt5Z2C8=";
# persistencedSha256 = "sha256-a1D7ZZmcKFWfPjjH1REqPM5j/YLWKnbkP9qfRyIyxAw=";
# };
};
# https://bbs.archlinux.org/viewtopic.php?id=297276 for NVreg_EnableGpuFirmware fix
# https://discourse.nixos.org/t/how-to-use-nvidia-prime-offload-to-run-the-x-server-on-the-integrated-board/9091/15

109
hosts/cloudnix/default.nix
View file

@ -1,109 +0,0 @@
{
configVars,
outputs,
lib,
...
}: let
user = "admin";
merlinIp = configVars.networking.addresses.merlin.ip;
cloudnixIp = configVars.networking.addresses.cloudnix.ip;
btrfsMountDevice = "/dev/disk/by-uuid/2aec8052-68fc-4bac-9b8d-c10b9b659ad8";
in {
imports = [
# Create users for this host
../common/users/${user}
# Import core options
./hardware-configuration.nix
../common/core
# Impermanence
../common/optional/persistence.nix
(import ../common/disks/btrfs/impermanence.nix {
btrfsMountDevice = btrfsMountDevice;
lib = lib;
})
# Import optional options
../common/optional/persistence.nix
../common/optional/openssh.nix
../common/optional/distributed-builds/local-machine.nix
# ../common/optional/nixos-containers/semitamaps.nix
# ../common/optional/nixos-containers/vaultwarden.nix
# ../common/optional/nixos-containers/xmpp.nix
../common/optional/fail2ban.nix
../common/optional/restic-backup.nix
../common/optional/forgejo.nix
outputs.nixosModules.nixosAutoUpgrade
];
services.restic.backups = {
daily = {
paths = [
"/persist/"
];
exclude = [
];
};
};
boot = {
loader = {
efi.canTouchEfiVariables = false;
grub = {
enable = true;
devices = ["/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_57492184"];
};
};
};
services = {
earlyoom = {
enable = true;
freeMemThreshold = 5; # <%5 free
};
};
system.services.nixosAutoUpgrade = {
enable = true;
persistent = true;
remote = "remotebuild@${merlinIp}";
reboot = false;
pushUpdates = false;
configDir = "/etc/nixos";
onCalendar = "*-*-* 06:00:00";
user = "admin";
};
environment.persistence."/persist" = {
directories = [
"/var/lib/tailscale"
];
};
# enable tailscale
services.tailscale.enable = true;
networking = {
hostName = "cloudnix";
nameservers = ["8.8.8.8"];
firewall.enable = true;
};
systemd.network.networks."10-wan" = {
networkConfig.DHCP = "no";
address = [
"${cloudnixIp}/32"
];
routes = [
{ routeConfig = { Destination = "172.31.1.1"; }; }
{ routeConfig = { Gateway = "172.31.1.1"; GatewayOnLink = true; }; }
];
};
services.libinput.enable = true;
}

61
hosts/cloudnix/hardware-configuration.nix
View file

@ -1,61 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/2aec8052-68fc-4bac-9b8d-c10b9b659ad8";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/.swapvol" =
{ device = "/dev/disk/by-uuid/2aec8052-68fc-4bac-9b8d-c10b9b659ad8";
fsType = "btrfs";
options = [ "subvol=swap" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/1DE3-CACA";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/2aec8052-68fc-4bac-9b8d-c10b9b659ad8";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
fileSystems."/persist" =
{ device = "/dev/disk/by-uuid/2aec8052-68fc-4bac-9b8d-c10b9b659ad8";
fsType = "btrfs";
options = [ "subvol=persist" ];
};
swapDevices = [
{
device = "/.swapvol/swapfile";
size = 2 * 1024;
}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

36
hosts/common/disks/basic.nix
View file

@ -1,36 +0,0 @@
{
device ? throw "Must define a device, e.g. /dev/sda",
fsModule ? "Must specify submodule"
}:
{
disko.devices = {
disk = {
main = {
type = "disk";
inherit device;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
start = "1M";
end = "128M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = ["umask=0077"];
};
};
root = {
size = "100%";
content = import "${fsModule}";
};
};
};
};
};
};
}

57
hosts/common/disks/btrfs/legacy.nix
View file

@ -1,57 +0,0 @@
{
disko.devices = {
disk = {
main = {
type = "disk";
device = "/dev/sda";
content = {
type = "gpt";
partitions = {
BOOT = {
size = "1M";
type = "EF02";
priority = 1;
};
ESP = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = ["umask=0077"];
};
};
root = {
size = "100%";
content = {
type = "btrfs";
extraArgs = ["-f"];
subvolumes = {
"/root" = {
mountpoint = "/";
};
"/persist" = {
mountOptions = ["subvol=persist"];
mountpoint = "/persist";
};
"/nix" = {
mountOptions = ["subvol=nix" "noatime"];
mountpoint = "/nix";
};
"/swap" = {
mountOptions = ["noatime"];
mountpoint = "/.swapvol";
};
};
};
};
};
};
};
};
};
}

1
hosts/common/disks/btrfs/persist.nix
View file

@ -19,6 +19,7 @@
"/swap" = {
mountOptions = [ "noatime" ];
mountpoint = "/.swapvol";
swap.swapfile.size = "8192M";
};
};
}

9
hosts/common/disks/default.nix
View file

@ -1,8 +1,11 @@
{ device, fsType, encrypted, impermanence, ... }:
let
fsModule = if impermanence then ./${fsType}/persist.nix else ./${fsType}/standard.nix;
basic = import ./basic.nix { inherit device; fsModule = fsModule; };
basic = import ./${fsType}/basic.nix { inherit device; };
lvm = import ./lvm.nix { inherit device; fsModule = fsModule; };
luks = import ./luks.nix { inherit device; fsModule = fsModule; };
in
if fsType == "btrfs" && encrypted then luks
else basic
if fsType == "ext4" then basic
else if fsType == "btrfs" && encrypted then luks
else if fsType == "btrfs" then lvm
else null

0
hosts/common/disks/ext4/ext4.nix → hosts/common/disks/ext4/basic.nix
View file

31
hosts/common/optional/docker-containers/arrstack.nix → hosts/common/optional/arion-containers/arrstack.nix
View file

@ -1,4 +1,5 @@
{config, ...}: let
{config, ...}:
let
openVpnPwd = config.sops.secrets."software/proton/openvpn_password".path;
openVpnUser = config.sops.secrets."software/proton/openvpn_user".path;
in {
@ -7,18 +8,6 @@ in {
"software/proton/openvpn_user" = {};
};
networking = {
firewall = {
enable = true;
allowedTCPPorts = [
6887
];
allowedUDPPorts = [
6887
];
};
};
virtualisation.arion = {
backend = "podman-socket";
projects.arrstack = {
@ -30,7 +19,7 @@ in {
"6887:6887/udp" # qbittorrent torrenting port
];
image = "qmcgaw/gluetun";
capabilities = {NET_ADMIN = true;};
capabilities = { NET_ADMIN = true; };
container_name = "glutun";
restart = "always";
volumes = [
@ -42,7 +31,6 @@ in {
VPN_SERVICE_PROVIDER = "protonvpn";
VPN_TYPE = "openvpn";
SERVER_COUNTRIES = "Switzerland";
VPN_PORT_FORWARDING = "on";
};
devices = ["/dev/net/tun:/dev/net/tun"];
};
@ -53,17 +41,18 @@ in {
restart = "always";
volumes = [
"/srv/docker/media-server/arrstack/qbittorrent:/config"
"/media/media/downloads:/downloads"
"/media/media:/media"
];
environment = {
TZ = "Europe/London";
WEBUI_PORT = 8076;
TORRENTING_PORT = 6887;
PUID = 1000;
PGID = 1000;
TZ="Europe/London";
WEBUI_PORT=8076;
TORRENTING_PORT=6887;
PUID=1000;
PGID=1000;
};
network_mode = "service:gluetun";
};
};
};
};

32
hosts/common/optional/arion-containers/jellyfin.nix Normal file
View file

@ -0,0 +1,32 @@
{
virtualisation.arion = {
backend = "podman-socket";
projects.jellyfin = {
settings = {
services.jellyfin.service = {
ports = [
"8096:8096"
];
container_name = "jellyfin";
image = "lscr.io/linuxserver/jellyfin:latest";
restart = "always";
volumes = [
"/srv/docker/media-server/jellyfin/config:/config"
"/media/media/tv:/data/tvshows:ro"
"/media/media/movies:/data/movies:ro"
"/media/media/music/music_data:/data/music:ro"
"/media/media/youtube:/data/youtube:ro"
"/media/media/podcasts:/data/podcasts:ro"
"/srv/docker/media-server/jellyfin/config/custom-cont-init.d:/custom-cont-init.d:ro"
];
environment = {
PUID = "1000";
PGID = "1000";
DOCKER_MODS="linuxserver/mods:jellyfin-opencl-intel";
};
devices = ["/dev/dri:/dev/dri"];
};
};
};
};
}

0
hosts/common/optional/docker-containers/photoprism.nix → hosts/common/optional/arion-containers/photoprism.nix
View file

0
hosts/common/optional/docker-containers/pihole.nix → hosts/common/optional/arion-containers/pihole.nix
View file

31
hosts/common/optional/arion-containers/semitamaps-tileserver.nix Normal file
View file

@ -0,0 +1,31 @@
{
virtualisation.arion = {
backend = "podman-socket";
projects.semitamaps-tileserver = {
settings = {
services.tileserver-gl.service = {
ports = [
"8080:8080"
];
container_name = "tileserver-gl";
image = "maptiler/tileserver-gl";
restart = "always";
volumes = [
"/data/semitamaps-data/tileserver-gl/data:/data"
];
command = "-c /data/config.json --public_url https://tiles.semitamaps.com/";
};
services.mbgl-renderer.service = {
ports = [
"8081:80"
];
container_name = "mbgl-renderer";
image = "mbgl-renderer";
restart = "always";
};
};
};
};
}

43
hosts/common/optional/distributed-builds/local-machine.nix
View file

@ -3,28 +3,29 @@ let
remoteMachineIp = configVars.networking.addresses.remote-builder.ip;
in
{
# nix.distributedBuilds = true;
# nix.settings.builders-use-substitutes = true;
# nix.settings.max-jobs = 0;
# nix.settings.trusted-substituters = ["ssh://${remoteMachineIp}"];
# nix.settings.substituters = ["ssh://${remoteMachineIp}"];
#
# nix.buildMachines = [
# {
# hostName = "remotebuild@${remoteMachineIp}";
# speedFactor = 1;
# maxJobs = 10;
# sshKey = "/root/.ssh/remotebuild";
# system = pkgs.stdenv.hostPlatform.system;
# supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
# }
# ];
nix.distributedBuilds = true;
nix.settings.builders-use-substitutes = true;
nix.settings.max-jobs = 0;
nix.settings.trusted-substituters = ["ssh://${remoteMachineIp}"];
nix.settings.substituters = ["ssh://${remoteMachineIp}"];
programs.ssh.knownHosts = {
"merlin" = {
publicKey = "${remoteMachineIp} ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFSGyrQvwa7gj0tG/EX3siWzGT9badUkD0yw0YGkcNeQ";
};
};
nix.buildMachines = [
{
hostName = "remotebuild@${remoteMachineIp}";
speedFactor = 1;
maxJobs = 10;
sshKey = "/root/.ssh/remotebuild";
system = pkgs.stdenv.hostPlatform.system;
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
}
];
# TODO: set known host here when have static ip on main server
# programs.ssh.knownHosts = {
# "merlin" = {
# publicKey = "server pubkey";
# };
# };
programs.ssh.extraConfig = ''
Host ${remoteMachineIp}

17
hosts/common/optional/docker-containers/baikal.nix
View file

@ -1,17 +0,0 @@
{
config.virtualisation.oci-containers = {
backend = "podman";
containers = {
baikal = {
image = "ckulka/baikal:nginx";
ports = [
"6734:80"
];
volumes = [
"/srv/docker/baikal/config:/var/www/baikal/config"
"/srv/docker/baikal/data:/var/www/baikal/Specific"
];
};
};
};
}

31
hosts/common/optional/docker-containers/jellyfin.nix
View file

@ -1,31 +0,0 @@
{
config.virtualisation.oci-containers = {
backend = "podman";
containers = {
jellyfin = {
image = "lscr.io/linuxserver/jellyfin:latest";
ports = [
"8096:8096"
];
volumes = [
"/srv/docker/media-server/jellyfin/config:/config"
"/media/media/tv:/data/tvshows:ro"
"/media/media/movies:/data/movies:ro"
"/media/media/music/music_data:/data/music:ro"
"/media/media/youtube:/data/youtube:ro"
"/media/media/podcasts:/data/podcasts:ro"
"/srv/docker/media-server/jellyfin/config/custom-cont-init.d:/custom-cont-init.d:ro"
];
environment = {
PUID = "1000";
PGID = "1000";
DOCKER_MODS = "linuxserver/mods:jellyfin-opencl-intel";
NVIDIA_VISIBLE_DEVICES = "all";
};
extraOptions = [
"--device=nvidia.com/gpu=all"
];
};
};
};
}

32
hosts/common/optional/docker-containers/searxng.nix
View file

@ -1,32 +0,0 @@
{configVars, ...}:
let
# configVars = import ../../../../vars {inherit inputs};
piholeIp = configVars.networking.addresses.pihole.ip;
in
{
virtualisation.arion = {
backend = "podman-socket";
projects.searxng = {
settings = {
services.redis.service = {
container_name = "redis";
image = "redis:alpine";
restart = "always";
command = [ "redis-server" "--save" "" "--appendonly" "no" ];
tmpfs = [ "/var/lib/redis" ];
capabilities = { ALL = false; SETGID = true; SETUID = true; DAC_OVERRIDE = true; };
};
services.searxng.service = {
container_name = "searxng";
image = "searxng/searxng:latest";
restart = "always";
ports = [ "8855:8080" ];
dns = [ piholeIp ];
volumes = [ "/srv/docker/searxng-docker/searxng:/etc/searxng:rw" ];
capabilities = { ALL = false; CHOWN = true; SETGID = true; SETUID = true; DAC_OVERRIDE = true; };
};
};
};
};
}

25
hosts/common/optional/docker-containers/semitamaps-tileserver.nix
View file

@ -1,25 +0,0 @@
{
config.virtualisation.oci-containers = {
backend = "podman";
containers = {
tileserver-gl = {
image = "maptiler/tileserver-gl";
ports = [
"8080:8080"
];
volumes = [
"/data/semitamaps-data/tileserver-gl/data:/data"
];
};
mbgl-renderer = {
image = "mbgl-renderer";
ports = [
"8081:80"
];
volumes = [
"/data/semitamaps-data/tileserver-gl/data:/data"
];
};
};
};
}

29
hosts/common/optional/docker-containers/syncthing.nix
View file

@ -1,29 +0,0 @@
{
virtualisation.arion = {
backend = "podman-socket";
projects.syncthing = {
settings = {
services.syncthing.service = {
ports = [
"8384:8384"
"22000:22000/tcp"
"22000:22000/udp"
"21027:21027/udp"
];
container_name = "syncthing";
image = "lscr.io/linuxserver/syncthing:latest";
restart = "always";
environment = {
PUID = "1000";
GUID = "1000";
};
volumes = [
"/srv/docker/syncthing/appdata/config:/config"
"/srv/docker/syncthing/data:/data"
];
};
};
};
};
}

34
hosts/common/optional/fail2ban.nix
View file

@ -1,34 +0,0 @@
{pkgs, ...}: {
environment.systemPackages = [pkgs.fail2ban];
environment.etc = {
"fail2ban/filter.d/nginx-bruteforce.conf".text = ''
[Definition]
failregex = ^<HOST>.*(GET|POST).* (404|444|403|400) .*$
'';
};
services.fail2ban = {
enable = true;
maxretry = 5;
ignoreIP = [
];
bantime-increment = {
enable = true;
multipliers = "1 2 4 8 16 32 64";
maxtime = "168h";
};
jails = {
nginx-spam.settings = {
filter = "nginx-bruteforce";
action = "iptables-allports";
logpath = "/var/log/nginx/access.log";
backend = "auto";
findtime = 600;
bantime = 600;
maxretry = 10;
};
};
};
}

27
hosts/common/optional/fileserver-nfs-mount.nix Normal file
View file

@ -0,0 +1,27 @@
{...}:
{
fileSystems."/exports" = {
device = "/dev/vdb1";
fsType = "ext4";
};
services.nfs.server = {
enable = true;
# fixed rpc.statd port; for firewall
lockdPort = 4001;
mountdPort = 4002;
statdPort = 4000;
extraNfsdConfig = '''';
exports = ''
/exports *(rw,insecure,all_squash)
'';
};
# open nfs ports
networking.firewall = {
enable = true;
# for NFSv3; view with `rpcinfo -p`
allowedTCPPorts = [ 111 2049 4000 4001 4002 20048 ];
allowedUDPPorts = [ 111 2049 4000 4001 4002 20048 ];
};
}

10
hosts/common/optional/fileserver/nfs-client/media.nix
View file

@ -1,10 +0,0 @@
{configVars, pkgs, ...}: let
fileserverIp = configVars.networking.addresses.fileserver.ip;
in {
environment.systemPackages = [pkgs.nfs-utils];
fileSystems."/media/media" = {
device = "${fileserverIp}:/srv/export/media";
fsType = "nfs";
options = ["noatime" "_netdev"];
};
}

10
hosts/common/optional/fileserver/nfs-client/personal.nix
View file

@ -1,10 +0,0 @@
{configVars, pkgs, ...}: let
fileserverIp = configVars.networking.addresses.fileserver.ip;
in {
environment.systemPackages = [pkgs.nfs-utils];
fileSystems."/media/personal" = {
device = "${fileserverIp}:/srv/export/personal";
fsType = "nfs";
options = ["noatime" "_netdev"];
};
}

10
hosts/common/optional/fileserver/nfs-client/photos.nix
View file

@ -1,10 +0,0 @@
{configVars, pkgs, ...}: let
fileserverIp = configVars.networking.addresses.fileserver.ip;
in {
environment.systemPackages = [pkgs.nfs-utils];
fileSystems."/media/photos" = {
device = "${fileserverIp}:/srv/export/photos";
fsType = "nfs";
options = ["noatime" "_netdev"];
};
}

42
hosts/common/optional/fileserver/nfs-server/homeshare.nix
View file

@ -1,42 +0,0 @@
{configVars, ...}:
let
homeshareDataLocation = configVars.locations.homeshareDataLocation;
subnetIp = configVars.networking.addresses.subnet.ip;
in {
fileSystems."/srv/export/photos" = {
device = "${homeshareDataLocation}/photos";
options = [ "bind" ];
};
fileSystems."/srv/export/personal" = {
device = "${homeshareDataLocation}/personal";
options = [ "bind" ];
};
fileSystems."/srv/export/media" = {
device = "${homeshareDataLocation}/media";
options = [ "bind" ];
};
services.nfs.server = {
enable = true;
# fixed rpc.statd port; for firewall
lockdPort = 4001;
mountdPort = 4002;
statdPort = 4000;
extraNfsdConfig = '''';
exports = ''
/srv/export/photos ${subnetIp}/24(rw,sync,no_subtree_check)
/srv/export/media ${subnetIp}/24(rw,sync,no_subtree_check)
/srv/export/personal ${subnetIp}/24(rw,sync,no_subtree_check)
'';
};
# open nfs ports
networking.firewall = {
enable = true;
# for NFSv3; view with `rpcinfo -p`
allowedTCPPorts = [ 111 2049 4000 4001 4002 20048 ];
allowedUDPPorts = [ 111 2049 4000 4001 4002 20048 ];
};
}

57
hosts/common/optional/forgejo.nix
View file

@ -1,57 +0,0 @@
{
pkgs,
configVars,
lib,
...
}: let
forgejoDomain = configVars.domains.forgejo;
forgejoPort = configVars.networking.addresses.forgejo.port;
in {
imports = [./nginx/forgejo.nix];
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/var/lib/forgejo"
];
};
users.groups.git = {
gid = 1009;
};
users.users.git = {
isNormalUser = true;
home = "/var/lib/forgejo";
uid = 1009;
extraGroups = ["git"];
};
services.openssh = {
authorizedKeysFiles = lib.mkForce [ "/var/lib/forgejo/.ssh/authorized_keys" ];
};
services.forgejo = {
enable = true;
package = pkgs.forgejo;
database.type = "sqlite3";
lfs.enable = true;
user = "git";
group = "git";
settings = {
server = {
RUN_USER = "git";
DOMAIN = "git.${forgejoDomain}";
ROOT_URL = "https://git.${forgejoDomain}/";
HTTP_PORT = forgejoPort;
SSH_USER = "git";
};
service.DISABLE_REGISTRATION = false;
actions = {
ENABLED = true;
DEFAULT_ACTIONS_URL = "github";
};
};
};
}

9
hosts/common/optional/nfs-mounts/homeshare.nix Normal file
View file

@ -0,0 +1,9 @@
{
fileSystems."/media/homeshare" = {
device = "10.0.10.30:/mnt/homeshare";
fsType = "nfs";
options = [ "noatime" "_netdev" ];
};
}

9
hosts/common/optional/nfs-mounts/media.nix Normal file
View file

@ -0,0 +1,9 @@
{configVars, ...}: let
mediaDataMountPoint = configVars.locations.mediaDataMountPoint;
in {
fileSystems.${mediaDataMountPoint} = {
device = "10.0.10.30:/mnt/media";
fsType = "nfs";
options = ["noatime" "_netdev"];
};
}

9
hosts/common/optional/nfs-mounts/photos.nix Normal file
View file

@ -0,0 +1,9 @@
{configVars, ...}: let
photosDataMountPoint = configVars.locations.photosDataMountPoint;
in {
fileSystems.${photosDataMountPoint} = {
device = "10.0.10.30:/mnt/photos";
fsType = "nfs";
options = ["noatime" "_netdev" "ro"];
};
}

27
hosts/common/optional/nginx/forgejo.nix
View file

@ -1,27 +0,0 @@
{configVars, ...}: let
email = configVars.email.user;
domain = configVars.domains.forgejo;
forgejoIp = configVars.networking.addresses.forgejo.localAddress;
forgejoPort = configVars.networking.addresses.forgejo.port;
in {
networking.firewall.allowedTCPPorts = [80 443];
security.acme = {
acceptTerms = true;
defaults.email = email;
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts."git.${domain}" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
client_max_body_size 1024M;
'';
locations."/" = {
proxyPass = "http://${forgejoIp}:${toString forgejoPort}";
};
};
};
}

20
hosts/common/optional/nginx/semitamaps.nix
View file

@ -1,20 +0,0 @@
{configVars, ...}: let
email = configVars.email.user;
domain = configVars.domains.xmpp;
in {
security.acme = {
acceptTerms = true;
defaults.email = email;
};
networking.firewall.allowedTCPPorts = [80 443];
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts."${domain}" = {
enableACME = true;
forceSSL = true;
root = "/srv/hello/";
};
};
}

24
hosts/common/optional/nginx/vaultwarden.nix
View file

@ -1,24 +0,0 @@
{configVars, ...}: let
email = configVars.email.user;
domain = configVars.domains.vaultwarden;
vaultwardenIp = configVars.networking.addresses.vaultwarden.localAddress;
vaultwardenPort = configVars.networking.addresses.vaultwarden.port;
in {
networking.firewall.allowedTCPPorts = [80 443];
security.acme = {
acceptTerms = true;
defaults.email = email;
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts."password.${domain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://${vaultwardenIp}:${toString vaultwardenPort}";
};
};
};
}

92
hosts/common/optional/nginx/xmpp.nix
View file

@ -1,92 +0,0 @@
{configVars, ...}: let
email = configVars.email.user;
xmppDomain = configVars.domains.xmpp;
xmppIp = configVars.networking.addresses.xmpp.localAddress;
xmppPort = configVars.networking.addresses.xmpp.ports.xmpp-http;
in {
networking.firewall.allowedTCPPorts = [80 443];
users.groups.www-data = {
gid = 33;
};
users.users.nginx = {
isSystemUser = true;
uid = 60;
extraGroups = ["www-data"];
};
systemd.tmpfiles.rules = [
"d /var/www/${xmppDomain} 0777 root root"
];
services.httpd.virtualHosts."root" = {
hostName = "${xmppDomain}";
documentRoot = "/var/www/${xmppDomain}";
};
security.acme = {
acceptTerms = true;
defaults.email = email;
certs = {
"${xmppDomain}" = {
webroot = "/var/www/${xmppDomain}";
email = email;
extraDomainNames = [
"chat.${xmppDomain}"
];
group = "www-data";
};
};
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts."chat.${xmppDomain}" = {
# enableACME = true;
forceSSL = true;
extraConfig = ''
client_max_body_size 10G;
'';
sslCertificate = "/var/lib/acme/${xmppDomain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${xmppDomain}/key.pem";
locations = {
"/" = {
proxyPass = "http://${xmppIp}:${toString xmppPort}";
extraConfig = ''
proxy_set_header Host "${xmppDomain}";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
tcp_nodelay on;
'';
};
"/xmpp-websocket" = {
proxyPass = "http://${xmppIp}:${toString xmppPort}/xmpp-websocket";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Connection "Upgrade";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host "${xmppDomain}";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900s;
'';
};
"/upload/" = {
extraConfig = ''
proxy_buffering off;
proxy_set_header Host $host;
# pass PUT requests to mod_http_upload for processing
if ($request_method = PUT) {
proxy_pass http://${xmppIp}:${toString xmppPort};
}
alias /var/lib/prosody/http_upload; # storage path of mod_http_upload. NGINX will serve these files to the clients.
'';
};
};
};
};
}

10
hosts/common/optional/nixos-containers/backup-server.nix
View file

@ -65,16 +65,6 @@ in {
pkgs.apacheHttpd
];
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;

18
hosts/common/optional/nixos-containers/baseddata-worker.nix
View file

@ -17,14 +17,6 @@ in {
];
};
services.restic.backups = {
daily = {
paths = [
baseddataData
];
};
};
networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "br0";
@ -295,16 +287,6 @@ in {
};
};
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;

76
hosts/common/optional/nixos-containers/docker.nix
View file

@ -2,8 +2,6 @@
pkgs,
lib,
inputs,
config,
outputs,
configVars,
...
}: let
@ -11,7 +9,8 @@
containerIp = configVars.networking.addresses.docker.ip;
gatewayIp = configVars.networking.addresses.gateway.ip;
dockerContainerData = configVars.locations.dockerContainerData;
homeshareDataLocation = configVars.locations.homeshareDataLocation;
mediaDataMountPoint = configVars.locations.mediaDataMountPoint;
photosDataMountPoint = configVars.locations.photosDataMountPoint;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
arion = inputs.arion;
sops-nix = inputs.sops-nix;
@ -25,6 +24,8 @@ in {
paths = [
dockerContainerData
];
exclude = [
];
};
};
@ -45,18 +46,6 @@ in {
];
extraFlags = ["--private-users-ownership=chown"];
allowedDevices = [
{
node = "/dev/nvidia0";
modifier = "rwm";
}
{
node = "/dev/nvidiactl";
modifier = "rwm";
}
{
node = "/dev/nvidia-uvm";
modifier = "rwm";
}
{
node = "/dev/fuse";
modifier = "rwm";
@ -90,11 +79,7 @@ in {
nixpkgs = pkgs.path;
bindMounts = {
"/media/photos" = {
hostPath = "${homeshareDataLocation}/photos";
isReadOnly = false;
};
"/run/opengl-driver/lib" = {
hostPath = "/run/opengl-driver/lib";
hostPath = photosDataMountPoint;
isReadOnly = false;
};
"/dev/dri" = {
@ -102,7 +87,7 @@ in {
isReadOnly = false;
};
"/media/media" = {
hostPath = "${homeshareDataLocation}/media";
hostPath = mediaDataMountPoint;
isReadOnly = false;
};
"/srv/docker" = {
@ -123,12 +108,7 @@ in {
secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml";
in {
nixpkgs.overlays = [
outputs.overlays.unstable-packages
];
networking = {
enableIPv6 = false;
defaultGateway = "${gatewayIp}";
interfaces.eth0.ipv4.addresses = [
{
@ -144,26 +124,6 @@ in {
useHostResolvConf = lib.mkForce false;
};
hardware.graphics = {
enable = true;
};
nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) [
"nvidia-x11"
"nvidia-settings"
"nvidia-persistenced"
];
services.xserver.videoDrivers = ["nvidia"];
hardware.nvidia = {
modesetting.enable = true;
powerManagement.enable = false;
open = false;
nvidiaSettings = false;
package = config.boot.kernelPackages.nvidiaPackages.stable;
};
services.resolved.enable = true;
sops = {
@ -178,12 +138,9 @@ in {
imports = [
arion.nixosModules.arion
sops-nix.nixosModules.sops
../docker-containers/arrstack.nix
../docker-containers/jellyfin.nix
../docker-containers/photoprism.nix
../docker-containers/syncthing.nix
../docker-containers/baikal.nix
(import ../docker-containers/searxng.nix {configVars = configVars;})
../arion-containers/arrstack.nix
../arion-containers/jellyfin.nix
../arion-containers/photoprism.nix
];
environment.systemPackages = [
@ -193,13 +150,10 @@ in {
pkgs.dive
pkgs.podman-tui
pkgs.podman-compose
pkgs.unstable.nvidia-container-toolkit
];
virtualisation = {
containers.cdi.dynamic.nvidia.enable = true;
podman = {
enableNvidia = true;
enable = true;
dockerSocket.enable = true;
defaultNetwork.settings.dns_enabled = true;
@ -209,6 +163,18 @@ in {
networking.firewall.interfaces."podman+".allowedUDPPorts = [53];
systemd.services.podman-autostart = {
enable = true;
after = ["podman.service"];
wantedBy = ["multi-user.target"];
description = "Automatically start containers with --restart=always tag";
serviceConfig = {
Type = "idle";
ExecStartPre = ''${pkgs.coreutils}/bin/sleep 1'';
ExecStart = ''/run/current-system/sw/bin/podman start --all --filter restart-policy=always'';
};
};
services.prometheus = {
exporters = {
node = {

119
hosts/common/optional/nixos-containers/forgejo.nix
View file

@ -1,119 +0,0 @@
{
pkgs,
lib,
configVars,
inputs,
...
}: let
containerName = "forgejo";
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
hostAddress = configVars.networking.addresses.forgejo.hostAddress;
localAddress = configVars.networking.addresses.forgejo.localAddress;
forgejoPort = configVars.networking.addresses.forgejo.port;
forgejoDomain = configVars.domains.forgejo;
cloudnixIp = configVars.networking.addresses.cloudnix.ip;
sops-nix = inputs.sops-nix;
in {
networking = {
nat = {
enable = true;
internalInterfaces = ["ve-+"];
externalInterface = "enp1s0";
};
};
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/var/lib/nixos-containers/${containerName}"
];
};
imports = [../nginx/forgejo.nix];
containers."${containerName}" = {
autoStart = true;
privateNetwork = true;
hostAddress = hostAddress;
localAddress = localAddress;
nixpkgs = pkgs.path;
bindMounts = {
"/etc/ssh/ssh_host_ed25519_key" = {
hostPath = "/etc/ssh/ssh_host_ed25519_key";
isReadOnly = true;
};
};
config = {
pkgs,
lib,
...
}: let
secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml";
in {
networking = {
defaultGateway = cloudnixIp;
firewall = {
enable = true;
allowedTCPPorts = [
forgejoPort
];
};
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
sops = {
defaultSopsFile = "${secretsFile}";
validateSopsFiles = false;
age = {
sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
};
};
imports = [
sops-nix.nixosModules.sops
];
environment.systemPackages = [
pkgs.vim
pkgs.git
pkgs.lsof
];
services.forgejo = {
enable = true;
package = pkgs.forgejo;
database.type = "sqlite3";
lfs.enable = true;
settings = {
server = {
DOMAIN = "git.${forgejoDomain}";
ROOT_URL = "https://git.${forgejoDomain}/";
HTTP_PORT = forgejoPort;
};
service.DISABLE_REGISTRATION = false;
actions = {
ENABLED = true;
DEFAULT_ACTIONS_URL = "github";
};
};
};
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
users.users = {
root = {
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
};
};
system.stateVersion = "24.05";
};
};
}

111
hosts/common/optional/nixos-containers/jellyfin.nix
View file

@ -1,111 +0,0 @@
{
pkgs,
lib,
configVars,
...
}: let
containerName = "jellyfin";
containerIp = "10.0.10.44"; #configVars.networking.addresses.jellyfin.ip;
gatewayIp = configVars.networking.addresses.gateway.ip;
homeshareDataLocation = configVars.locations.homeshareDataLocation;
jellyfinContainerData = configVars.locations.jellyfinContainerData;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
in {
networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "br0";
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/var/lib/nixos-containers/${containerName}"
];
};
containers."${containerName}" = {
autoStart = true;
privateNetwork = true;
hostBridge = "br0";
nixpkgs = pkgs.path;
allowedDevices = [
{
node = "/dev/nvidia0";
modifier = "rwm";
}
{
node = "/dev/nvidiactl";
modifier = "rwm";
}
{
node = "/dev/dri/card1";
modifier = "rwm";
}
{
node = "/dev/dri/renderD128";
modifier = "rwm";
}
];
bindMounts = {
"/media/media" = {
hostPath = "${homeshareDataLocation}/media";
isReadOnly = true;
};
"/var/lib/jellyfin" = {
hostPath = "${jellyfinContainerData}";
isReadOnly = false;
};
};
config = {
pkgs,
lib,
...
}: {
networking = {
defaultGateway = "${gatewayIp}";
interfaces.eth0.ipv4.addresses = [
{
"address" = "${containerIp}";
"prefixLength" = 24;
}
];
firewall = {
enable = true;
allowedTCPPorts = [
];
};
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
imports = [
];
environment.systemPackages = [
pkgs.vim
pkgs.git
];
services.jellyfin = {
enable = true;
openFirewall = true;
user = "jellyfin";
};
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
users.users = {
root = {
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
};
};
system.stateVersion = "24.05";
};
};
}

205
hosts/common/optional/nixos-containers/metrics-server.nix
View file

@ -2,27 +2,12 @@
pkgs,
lib,
configVars,
inputs,
...
}: let
containerName = "metrics-server";
containerIp = configVars.networking.addresses.metrics-server.ip;
notifybotJid = configVars.xmpp.notifybotJid;
receiverJid = configVars.xmpp.personalAccount;
dockerContainerIp = configVars.networking.addresses.docker.ip;
smWorkerIp = configVars.networking.addresses.sm-worker.ip;
merlinIp = configVars.networking.addresses.merlin.ip;
bdWorker = configVars.networking.addresses.bd-worker.ip;
pihole = configVars.networking.addresses.pihole.ip;
bitcoinNode = configVars.networking.addresses.bitcoin-node.ip;
postres = configVars.networking.addresses.postgres.ip;
backupServer = configVars.networking.addresses.backup-server.ip;
sops-nix = inputs.sops-nix;
http_endpoints = configVars.metrics-server.blackbox.http_endpoints;
semitaIp = configVars.networking.addresses.semita.ip;
gatewayIp = configVars.networking.addresses.gateway.ip;
metricsServerContainerData = configVars.locations.metricsServerContainerData;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
@ -36,6 +21,8 @@ in {
paths = [
metricsServerContainerData
];
exclude = [
];
};
};
@ -57,10 +44,6 @@ in {
hostPath = metricsServerContainerData;
isReadOnly = false;
};
"/etc/ssh/ssh_host_ed25519_key" = {
hostPath = "/etc/ssh/ssh_host_ed25519_key";
isReadOnly = true;
};
};
config = {
@ -68,10 +51,7 @@ in {
lib,
config,
...
}: let
secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml";
in {
}: {
networking = {
defaultGateway = "${gatewayIp}";
interfaces.eth0.ipv4.addresses = [
@ -85,33 +65,14 @@ in {
allowedTCPPorts = [
config.services.prometheus.port
config.services.grafana.port
config.services.prometheus.exporters.blackbox.port
9199 #xmpp listen port
];
};
useHostResolvConf = lib.mkForce false;
};
sops = {
defaultSopsFile = "${secretsFile}";
validateSopsFiles = false;
age = {
sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
};
secrets = {
"software/restic-passphrase" = {};
"software/restic-exporter-credentials" = {};
"comms/xmpp/notifybot/password" = {
mode = "0644";
};
};
};
services.resolved.enable = true;
imports = [
sops-nix.nixosModules.sops
];
environment.systemPackages = [
@ -119,49 +80,9 @@ in {
pkgs.git
];
services.grafana = {
enable = true;
settings.server = {
http_port = 2342;
http_addr = "0.0.0.0";
};
};
# main prometheus service
services.prometheus = {
enable = true;
webExternalUrl = "http://${containerIp}:9001";
port = 9001;
alertmanagers = [
{
scheme = "http";
path_prefix = "/";
static_configs = [
{
targets = [
"0.0.0.0:9093"
];
}
];
}
];
ruleFiles = [
"${pkgs.writeText
"alert_rule.yml"
''
groups:
- name: blackbox_alert
rules:
- alert: EndpointDown
expr: probe_success{job="blackbox"} == 0
for: 1m
labels:
severity: critical
annotations:
summary: "Endpoint {{ $labels.instance }} down"
description: "An endpoint has been down for more than 1 minute."
''}"
];
scrapeConfigs = [
{
job_name = "node_exporter";
@ -169,123 +90,27 @@ in {
{
targets = [
"${dockerContainerIp}:9100"
"${smWorkerIp}:9100"
"${merlinIp}:9100"
"${bdWorker}:9100"
"${pihole}:9100"
"${bitcoinNode}:9100"
"${postres}:9100"
"${backupServer}:9100"
"${semitaIp}:9100"
];
}
];
}
{
job_name = "restic-exporter";
static_configs = [
{
targets = [
"0.0.0.0:8001"
];
}
];
}
{
job_name = "blackbox";
scrape_interval = "30s";
scrape_timeout = "15s";
metrics_path = "/probe";
params.module = ["http_basic"];
relabel_configs = [
{
source_labels = ["__address__"];
target_label = "__param_target";
}
{
source_labels = ["__param_target"];
target_label = "instance";
}
{
target_label = "__address__";
replacement = "${config.services.prometheus.exporters.blackbox.listenAddress}:${toString config.services.prometheus.exporters.blackbox.port}";
}
];
static_configs = [
{targets = http_endpoints;}
];
}
];
};
# setup alertmanager
services.prometheus.xmpp-alerts = {
services.grafana = {
enable = true;
settings = {
jid = notifybotJid;
password_command = "cat ${config.sops.secrets."comms/xmpp/notifybot/password".path}";
to_jid = receiverJid;
listen_address = "0.0.0.0";
listen_port = 9199;
};
};
services.prometheus.alertmanager = {
webExternalUrl = "http://${containerIp}:9093";
enable = true;
openFirewall = true;
port = 9093;
configText = ''
global:
resolve_timeout: 1m
route:
group_by: ['...']
repeat_interval: 1h
receiver: 'xmpp-alerts'
receivers:
- name: 'xmpp-alerts'
webhook_configs:
- url: 'http://0.0.0.0:9199/alert'
'';
port = 2342;
addr = "0.0.0.0";
};
# prometheus exporters
services.prometheus.exporters = {
blackbox = {
enable = true;
configFile = pkgs.writeText "blackbox-conf.yaml" ''
modules:
http_basic:
prober: http
timeout: 5s
http:
preferred_ip_protocol: ip4
valid_http_versions: ["HTTP/1.1", "HTTP/2"]
method: GET
# fail_if_ssl: false
# fail_if_not_ssl: true
# tls_config:
# insecure_skip_verify: true
tcp_connect:
prober: tcp
tcp:
preferred_ip_protocol: ip4
'';
};
node = {
enable = true;
enabledCollectors = ["systemd"];
port = 9002;
};
restic = {
enable = true;
repository = "";
environmentFile = config.sops.secrets."software/restic-exporter-credentials".path;
passwordFile = config.sops.secrets."software/restic-passphrase".path;
refreshInterval = 10800; # refresh every 3 hours
port = 8001;
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
port = 9002;
};
};
};

64
hosts/common/optional/nixos-containers/nix-bitcoin.nix
View file

@ -10,7 +10,6 @@
containerIp = configVars.networking.addresses.bitcoin-node.ip;
mempoolPort = configVars.networking.addresses.bitcoin-node.services.mempool.port;
bitcoinNodeContainerData = configVars.locations.bitcoinNodeContainerData;
bitcoindData = configVars.locations.bitcoindData;
gatewayIp = configVars.networking.addresses.gateway.ip;
allowip = configVars.networking.addresses.bitcoin-node.services.bitcoind.allowip;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
@ -22,7 +21,7 @@ in {
bitcoinNodeContainerData
];
exclude = [
"${bitcoindData}"
"${bitcoinNodeContainerData}/bitcoind"
"${bitcoinNodeContainerData}/electrs"
];
};
@ -49,10 +48,6 @@ in {
hostPath = bitcoinNodeContainerData;
isReadOnly = false;
};
"/var/lib/bitcoind" = {
hostPath = bitcoindData;
isReadOnly = false;
};
};
config = {
@ -62,7 +57,7 @@ in {
}: {
imports = [
inputs.nix-bitcoin.nixosModules.default
# inputs.lnbits.nixosModules.default
inputs.lnbits.nixosModules.default
];
environment.systemPackages = with pkgs; [
vim
@ -80,13 +75,14 @@ in {
firewall = {
enable = true;
allowedTCPPorts = [
# 80
# 443
80
443
22
config.containers.bitcoin-node.config.services.bitcoind.rpc.port
config.containers.bitcoin-node.config.services.mempool.frontend.port
config.containers.bitcoin-node.config.services.electrs.port
# config.containers.bitcoin-node.config.services.rtl.port
# config.containers.bitcoin-node.config.services.lnd.port
config.containers.bitcoin-node.config.services.rtl.port
config.containers.bitcoin-node.config.services.lnd.port
];
};
useHostResolvConf = lib.mkForce false;
@ -143,7 +139,7 @@ in {
};
};
lnd = {
enable = false;
enable = true;
lndconnect = {
enable = true;
onion = true;
@ -155,44 +151,34 @@ in {
'';
};
rtl = {
enable = false;
enable = true;
nodes.lnd.enable = true;
address = "0.0.0.0";
};
# lnbits = {
# enable = false;
# openFirewall = true;
# host = "0.0.0.0";
# port = 8231;
# env = {
# LNBITS_ADMIN_UI = "true";
# LNBITS_BACKEND_WALLET_CLASS = "LndRestWallet";
# LND_REST_ENDPOINT = "https://127.0.0.1:8080";
# LND_REST_CERT = "/etc/nix-bitcoin-secrets/lnd-cert";
# LND_REST_MACAROON = "/var/lib/lnbits/admin.macaroon";
# AUTH_ALLOWED_METHODS = "user-id-only, username-password";
# };
# };
lnbits = {
enable = true;
openFirewall = true;
host = "0.0.0.0";
port = 8231;
env = {
LNBITS_ADMIN_UI = "true";
LNBITS_BACKEND_WALLET_CLASS = "LndRestWallet";
LND_REST_ENDPOINT = "https://127.0.0.1:8080";
LND_REST_CERT = "/etc/nix-bitcoin-secrets/lnd-cert";
LND_REST_MACAROON = "/var/lib/lnbits/admin.macaroon";
AUTH_ALLOWED_METHODS = "user-id-only, username-password";
};
};
};
# Add custom systemd overrides for above services
# systemd.services.lnbits.after = ["lnd.service"];
systemd.services.lnbits.after = ["lnd.service"];
nix-bitcoin.onionServices = {
bitcoind.enable = true;
electrs.enable = true;
mempool-frontend.enable = true;
# lnd.public = true;
};
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
lnd.public = true;
};
services.openssh = {

26
hosts/common/optional/nixos-containers/pihole.nix
View file

@ -16,6 +16,16 @@ in {
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "br0";
services.restic.backups = {
daily = {
paths = [
piholeContainerData
];
exclude = [
];
};
};
environment.persistence."/persist" = {
hideMounts = true;
directories = [
@ -68,19 +78,17 @@ in {
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = false;
services.resolved.enable = true;
imports = [
arion.nixosModules.arion
../docker-containers/pihole.nix
../arion-containers/pihole.nix
];
environment.systemPackages = [
pkgs.vim
pkgs.git
pkgs.arion
pkgs.lsof
pkgs.podman-compose
];
virtualisation = {
@ -94,16 +102,6 @@ in {
networking.firewall.interfaces."podman+".allowedUDPPorts = [53];
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;

10
hosts/common/optional/nixos-containers/postgres.nix
View file

@ -123,16 +123,6 @@ in {
# EOF
# '';
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;

170
hosts/common/optional/nixos-containers/reverse-proxy.nix
View file

@ -1,170 +0,0 @@
{
pkgs,
lib,
configVars,
inputs,
...
}: let
containerName = "reverse-proxy";
containerIp = configVars.networking.addresses.reverse-proxy.ip;
gatewayIp = configVars.networking.addresses.gateway.ip;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
sops-nix = inputs.sops-nix;
dockerContainerIp = configVars.networking.addresses.docker.ip;
bdWorker = configVars.networking.addresses.bd-worker.ip;
pihole = configVars.networking.addresses.pihole.ip;
bitcoinNode = configVars.networking.addresses.bitcoin-node.ip;
metricsServer = configVars.networking.addresses.metrics-server.ip;
in {
networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "br0";
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/var/lib/nixos-containers/${containerName}"
];
};
containers."${containerName}" = {
enableTun = true;
autoStart = true;
privateNetwork = true;
hostBridge = "br0";
nixpkgs = pkgs.path;
bindMounts = {
"/etc/ssh/ssh_host_ed25519_key" = {
hostPath = "/etc/ssh/ssh_host_ed25519_key";
isReadOnly = true;
};
};
config = {
pkgs,
lib,
config,
...
}: let
secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml";
in {
sops = {
defaultSopsFile = "${secretsFile}";
validateSopsFiles = false;
age = {
sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
};
};
sops.secrets = {
"ssl_keys/lan-selfsigned.crt" = {
mode = "0644";
};
"ssl_keys/lan-selfsigned.key" = {
mode = "0644";
};
};
networking = {
defaultGateway = "${gatewayIp}";
interfaces.eth0.ipv4.addresses = [
{
"address" = "${containerIp}";
"prefixLength" = 24;
}
];
firewall = {
enable = true;
allowedTCPPorts = [
80
443
];
};
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
imports = [
sops-nix.nixosModules.sops
];
environment.systemPackages = [
pkgs.vim
pkgs.git
pkgs.nginx
];
services.nginx = {
enable = true;
virtualHosts = {
"jellyfin.lan" = {
forceSSL = true;
sslCertificate = "${config.sops.secrets."ssl_keys/lan-selfsigned.crt".path}";
sslCertificateKey = "${config.sops.secrets."ssl_keys/lan-selfsigned.key".path}";
locations."/".proxyPass = "http://${dockerContainerIp}:8096";
};
"mempool.lan" = {
forceSSL = true;
sslCertificate = "${config.sops.secrets."ssl_keys/lan-selfsigned.crt".path}";
sslCertificateKey = "${config.sops.secrets."ssl_keys/lan-selfsigned.key".path}";
locations."/".proxyPass = "http://${bitcoinNode}:4080";
extraConfig = ''
proxy_set_header Host mempool.lan;
'';
};
"grafana.lan" = {
forceSSL = true;
sslCertificate = "${config.sops.secrets."ssl_keys/lan-selfsigned.crt".path}";
sslCertificateKey = "${config.sops.secrets."ssl_keys/lan-selfsigned.key".path}";
locations."/".proxyPass = "http://${metricsServer}:2342";
extraConfig = ''
proxy_set_header Host grafana.lan;
'';
};
"metrics.lan" = {
forceSSL = true;
sslCertificate = "${config.sops.secrets."ssl_keys/lan-selfsigned.crt".path}";
sslCertificateKey = "${config.sops.secrets."ssl_keys/lan-selfsigned.key".path}";
locations."/".proxyPass = "http://${metricsServer}:9001";
};
"searx.lan" = {
forceSSL = true;
sslCertificate = "${config.sops.secrets."ssl_keys/lan-selfsigned.crt".path}";
sslCertificateKey = "${config.sops.secrets."ssl_keys/lan-selfsigned.key".path}";
locations."/".proxyPass = "http://${dockerContainerIp}:8855";
};
"dns.lan" = {
forceSSL = true;
sslCertificate = "${config.sops.secrets."ssl_keys/lan-selfsigned.crt".path}";
sslCertificateKey = "${config.sops.secrets."ssl_keys/lan-selfsigned.key".path}";
locations."/".proxyPass = "http://${pihole}:80";
};
"prefect.lan" = {
forceSSL = true;
sslCertificate = "${config.sops.secrets."ssl_keys/lan-selfsigned.crt".path}";
sslCertificateKey = "${config.sops.secrets."ssl_keys/lan-selfsigned.key".path}";
locations."/".proxyPass = "http://${bdWorker}:4200";
};
};
};
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
users.users = {
root = {
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
};
};
system.stateVersion = "24.05";
};
};
}

21
hosts/common/optional/nixos-containers/semitamaps-worker.nix
View file

@ -24,14 +24,6 @@ in {
];
};
services.restic.backups = {
daily = {
paths = [
semitamapsData
];
};
};
containers."${containerName}" = {
enableTun = true;
@ -101,14 +93,13 @@ in {
imports = [
sops-nix.nixosModules.sops
arion.nixosModules.arion
../docker-containers/semitamaps-tileserver.nix
../arion-containers/semitamaps-tileserver.nix
];
environment.systemPackages = [
pkgs.vim
pkgs.git
pkgs.arion
pkgs.podman-compose
pkgs.jdk
];
@ -137,16 +128,6 @@ in {
};
};
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;

126
hosts/common/optional/nixos-containers/semitamaps.nix
View file

@ -1,126 +0,0 @@
{
pkgs,
lib,
configVars,
...
}: let
containerName = "semitamaps";
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
hostAddress = configVars.networking.addresses.semitamaps.hostAddress;
localAddress = configVars.networking.addresses.semitamaps.localAddress;
workingDirectory = "/var/www/semitamaps";
in {
systemd.tmpfiles.rules = [
"d /var/run/sockets 0660 www-data www-data -"
];
networking = {
nat = {
enable = true;
internalInterfaces = ["ve-+"];
externalInterface = "enp1s0";
};
};
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/var/lib/nixos-containers/${containerName}"
];
};
imports = [
../nginx/semitamaps.nix
];
containers."${containerName}" = {
autoStart = true;
privateNetwork = true;
hostAddress = hostAddress;
localAddress = localAddress;
nixpkgs = pkgs.path;
bindMounts = {
"/etc/ssh/ssh_host_ed25519_key" = {
hostPath = "/etc/ssh/ssh_host_ed25519_key";
isReadOnly = true;
};
"/var/run/sockets" = {
hostPath = "/var/run/sockets";
isReadOnly = false;
};
};
config = {
pkgs,
lib,
...
}: {
networking = {
firewall = {
enable = true;
rejectPackets = true;
allowedTCPPorts = [
80
443
];
};
useHostResolvConf = lib.mkForce false;
};
systemd.tmpfiles.rules = [
"d ${workingDirectory} 0750 www-data www-data"
"d ${workingDirectory}/.venv 0750 www-data www-data"
"d ${workingDirectory}/public/uploads 0775 www-data www-data"
];
services.resolved.enable = true;
environment.systemPackages = [
pkgs.vim
pkgs.git
];
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
systemd.services.semitamaps = {
wantedBy = ["multi-user.target"];
after = ["network.target"];
description = "Deploys and serves semitamaps";
environment = {
};
serviceConfig = {
WorkingDirectory = "${workingDirectory}";
ExecStartPre = pkgs.writeShellScript "semitamaps-prestart" ''
set -e
GITCMD="${pkgs.openssh}/bin/ssh -i /etc/ssh/ssh_host_ed25519_key"
if [ ! -d ${workingDirectory}/.git ]; then
export GIT_SSH_COMMAND=$GITCMD
${pkgs.git}/bin/git clone git@git.bitlab21.com:sam/semitamaps.com.git ${workingDirectory}
fi
${pkgs.poetry}/bin/poetry install
'';
ExecStart = pkgs.writeShellScript "semitamaps-start" ''
.venv/bin/python .venv/bin/uvicorn --workers 4 --uds /var/run/sockets/semitamaps.sock app:app
'';
Restart = "on-failure";
};
};
programs.ssh.knownHosts = {
"git.bitlab21.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALNd2BGf64heYjWT9yt0fVmngepiHRIMsL7au/MRteg";
};
users.users = {
root = {
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
};
};
system.stateVersion = "24.05";
};
};
}

110
hosts/common/optional/nixos-containers/vaultwarden.nix
View file

@ -1,110 +0,0 @@
{
pkgs,
lib,
configVars,
inputs,
...
}: let
containerName = "vaultwarden";
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
hostAddress = configVars.networking.addresses.vaultwarden.hostAddress;
localAddress = configVars.networking.addresses.vaultwarden.localAddress;
vaultwardenPort = configVars.networking.addresses.vaultwarden.port;
cloudnixIp = configVars.networking.addresses.cloudnix.ip;
sops-nix = inputs.sops-nix;
in {
networking = {
nat = {
enable = true;
internalInterfaces = ["ve-+"];
externalInterface = "enp1s0";
};
};
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/var/lib/nixos-containers/${containerName}"
];
};
imports = [../nginx/vaultwarden.nix];
containers."${containerName}" = {
autoStart = true;
privateNetwork = true;
hostAddress = hostAddress;
localAddress = localAddress;
nixpkgs = pkgs.path;
bindMounts = {
"/etc/ssh/ssh_host_ed25519_key" = {
hostPath = "/etc/ssh/ssh_host_ed25519_key";
isReadOnly = true;
};
};
config = {
pkgs,
lib,
...
}: let
secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml";
in {
networking = {
defaultGateway = cloudnixIp;
firewall = {
enable = true;
allowedTCPPorts = [
vaultwardenPort
];
};
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
sops = {
defaultSopsFile = "${secretsFile}";
validateSopsFiles = false;
age = {
sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
};
};
imports = [
sops-nix.nixosModules.sops
];
environment.systemPackages = [
pkgs.vim
pkgs.git
pkgs.lsof
];
services.vaultwarden = {
enable = true;
dbBackend = "sqlite";
config = {
ROCKET_ADDRESS = "0.0.0.0";
ROCKET_PORT = vaultwardenPort;
ROCKET_LOG = "critical";
};
};
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
users.users = {
root = {
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
};
};
system.stateVersion = "24.05";
};
};
}

281
hosts/common/optional/nixos-containers/xmpp.nix
View file

@ -1,281 +0,0 @@
{
pkgs,
lib,
configVars,
inputs,
...
}: let
containerName = "xmpp";
xmppDomain = configVars.domains.xmpp;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
hostAddress = configVars.networking.addresses.xmpp.hostAddress;
externalIp = configVars.networking.addresses.cloudnix.ip;
localAddress = configVars.networking.addresses.xmpp.localAddress;
sops-nix = inputs.sops-nix;
xmppPorts = configVars.networking.addresses.xmpp.ports;
xmppUDPPorts =
[
xmppPorts.coturn
xmppPorts.coturn-tls
]
++ lib.range xmppPorts.coturn-min-udp xmppPorts.coturn-max-udp;
xmppTCPPorts = [
xmppPorts.coturn
xmppPorts.coturn-tls
xmppPorts.xmpp-https
xmppPorts.xmpp-http
xmppPorts.xmpp-s2s
xmppPorts.xmpp-c2s
xmppPorts.xmpp-c2s-legacy-tls
xmppPorts.xmpp-s2s-tls
];
in {
networking = {
nat = {
enable = true;
internalInterfaces = ["ve-+"];
externalInterface = "enp1s0";
};
firewall = {
enable = true;
allowedTCPPorts = xmppTCPPorts;
allowedUDPPorts = xmppUDPPorts;
};
};
imports = [
../nginx/xmpp.nix
];
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/var/lib/nixos-containers/${containerName}"
];
};
systemd.tmpfiles.rules = [
"d /var/lib/prosody 0750"
];
containers."${containerName}" = {
autoStart = true;
privateNetwork = true;
hostAddress = hostAddress;
localAddress = localAddress;
nixpkgs = pkgs.path;
bindMounts = {
"/etc/ssh/ssh_host_ed25519_key" = {
hostPath = "/etc/ssh/ssh_host_ed25519_key";
isReadOnly = true;
};
"/var/lib/prosody" = {
hostPath = "/var/lib/prosody";
isReadOnly = false;
};
"/var/lib/acme/${xmppDomain}/" = {
hostPath = "/var/lib/acme/${xmppDomain}/";
isReadOnly = false;
};
};
forwardPorts =
lib.map (port: {
protocol = "tcp";
containerPort = port;
hostPort = port;
})
xmppTCPPorts
++ lib.map (port: {
protocol = "udp";
containerPort = port;
hostPort = port;
})
xmppUDPPorts;
config = {
pkgs,
lib,
config,
...
}: let
secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml";
in {
users.groups.www-data = {
gid = 33;
};
users.users.prosody = {
isSystemUser = true;
uid = 149;
extraGroups = ["www-data"];
};
users.users.turnserver = {
isSystemUser = true;
uid = 249;
extraGroups = ["www-data"];
};
networking = {
firewall = {
enable = true;
rejectPackets = true;
allowedTCPPorts = xmppTCPPorts ++ [80 443];
allowedUDPPorts = xmppUDPPorts;
};
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
sops = {
defaultSopsFile = "${secretsFile}";
validateSopsFiles = false;
age = {
sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
};
secrets = {
"software/coturn/static-auth-secret" = {
mode = "0644";
};
};
};
imports = [
sops-nix.nixosModules.sops
];
environment.systemPackages = [
pkgs.vim
pkgs.git
pkgs.prosody
pkgs.coturn
];
sops.templates."prosody_secrets.lua" = {
mode = "444";
content = ''
turn_external_secret = "${config.sops.placeholder."software/coturn/static-auth-secret"}";
'';
};
services.prosody = {
enable = true;
package = pkgs.prosody.override {
withCommunityModules = [
"turn_external"
"conversejs"
"admin_web"
"external_services"
"http_altconnect"
];
};
extraModules = [
"server_contact_info"
"http_file_share"
"external_services"
"turn_external"
"conversejs"
"admin_web"
"http"
"websocket"
"http_altconnect"
];
allowRegistration = true;
extraConfig = ''
Include "${config.sops.templates."prosody_secrets.lua".path}"
registration_invite_only = true;
allow_user_invites = true;
cross_domain_bosh = true;
cross_domain_websocket = true;
turn_external_host = "turn.${xmppDomain}";
turn_external_port = ${toString xmppPorts.coturn};
http_default_host = "${xmppDomain}";
certificates = "certs"
consider_websocket_secure = true
external_services = {
{
port="${toString xmppPorts.coturn}";
transport="tcp";
type="stun";
host="turn.${xmppDomain}"
};
{
port="${toString xmppPorts.coturn}";
transport="udp";
type="turn";
host="turn.${xmppDomain}"
};
}
s2s_direct_tls_ports = { ${toString xmppPorts.xmpp-s2s-tls} }
legacy_ssl_ports = { ${toString xmppPorts.xmpp-c2s-legacy-tls} }
legacy_ssl_ssl = {
certificate = "/var/lib/acme/${xmppDomain}/cert.pem";
key = "/var/lib/acme/${xmppDomain}/key.pem";
}
contact_info = {
admin = { "mailto:admin@${xmppDomain}", "xmpp:admin@${xmppDomain}" };
}
'';
modules.bosh = true;
s2sRequireEncryption = true;
c2sRequireEncryption = true;
s2sSecureAuth = false;
admins = ["root@${xmppDomain}"];
ssl.cert = "/var/lib/acme/${xmppDomain}/fullchain.pem";
ssl.key = "/var/lib/acme/${xmppDomain}/key.pem";
httpFileShare.domain = "upload.${xmppDomain}";
virtualHosts."${xmppDomain}" = {
enabled = true;
ssl.cert = "/var/lib/acme/${xmppDomain}/fullchain.pem";
ssl.key = "/var/lib/acme/${xmppDomain}/key.pem";
extraConfig = ''
http_external_url = "https://chat.${xmppDomain}/"
invites_page = "https://chat.${xmppDomain}/register?t={invite.token}"
http_paths = {
invites_page = "/invite";
invites_register_web = "/register";
}
disco_items = {
{ "upload.${xmppDomain}.com" },
{ "rooms.${xmppDomain}.com" },
{ "turn.${xmppDomain}.com" },
}
'';
domain = "${xmppDomain}";
};
muc = [
{
domain = "conference.${xmppDomain}";
}
];
uploadHttp = {
domain = "https://upload.${xmppDomain}";
uploadFileSizeLimit = "1000000000"; # 1 gb file-size limit
uploadExpireAfter = "31557600"; # files deleted after 1 year
};
};
services.coturn = {
enable = true;
realm = "turn.${xmppDomain}";
use-auth-secret = true;
static-auth-secret-file = config.sops.secrets."software/coturn/static-auth-secret".path;
tls-listening-port = xmppPorts.coturn-tls;
cert = "/var/lib/acme/${xmppDomain}/cert.pem";
pkey = "/var/lib/acme/${xmppDomain}/key.pem";
min-port = xmppPorts.coturn-min-udp;
max-port = xmppPorts.coturn-max-udp;
extraConfig = ''
external-ip = ${externalIp}/${localAddress}
log = /var/log/turnserver.log
verbose
'';
};
system.stateVersion = "24.05";
};
};
}

4
hosts/common/optional/persistence.nix
View file

@ -4,15 +4,17 @@
hideMounts = true;
directories = [
"/etc/nixos"
"/srv"
"/var/log"
"/var/lib/nixos"
"/var/lib/systemd/coredump"
"/etc/NetworkManager/system-connections"
"/var/lib/flatpak"
"/run/secrets-for-users"
];
files = [
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/machine-id"
];
};
}

61
hosts/common/optional/print-server.nix
View file

@ -1,61 +0,0 @@
{pkgs, configVars, ...}: let
subnetIp = configVars.networking.addresses.subnet.ip;
in {
networking.firewall = {
allowedTCPPorts = [631];
allowedUDPPorts = [631];
};
services = {
udev.packages = [pkgs.sane-airscan];
ipp-usb.enable = true;
saned = {
enable = true;
extraConfig = "${subnetIp}/24";
};
printing = {
enable = true;
drivers = [pkgs.hplip];
browsing = true;
defaultShared = true;
listenAddresses = ["*:631"];
allowFrom = ["all"];
extraConf = ''
DefaultPaperSize A4
'';
};
avahi = {
enable = true;
nssmdns = true;
openFirewall = true;
publish = {
enable = true;
userServices = true;
};
};
};
hardware = {
sane = {
enable = true;
extraBackends = [pkgs.sane-airscan pkgs.hplipWithPlugin];
openFirewall = true;
};
printers = {
ensurePrinters = [
{
name = "HP_Envy_6000";
location = "Home";
deviceUri = "usb://HP/ENVY%206000%20series?serial=TH0B93F08W&interface=1";
# deviceUri = "usb://Dell/1250c%20Color%20Printer?serial=YNP023240";
model = "HP/hp-deskjet_plus_6000_series.ppd.gz";
ppdOptions = {
PageSize = "A4";
};
}
];
ensureDefaultPrinter = "HP_Envy_6000";
};
};
}

14
hosts/common/optional/printing.nix
View file

@ -15,28 +15,22 @@ in {
enable = true;
nssmdns4 = true;
openFirewall = true;
publish = {
enable = true;
addresses = true;
userServices = true;
};
};
};
hardware = {
sane = {
enable = true;
extraBackends = [pkgs.sane-airscan pkgs.hplipWithPlugin];
extraBackends = [pkgs.sane-airscan];
netConf = "${serverIp}";
openFirewall = true;
};
printers = {
ensurePrinters = [
{
name = "HP_ENVY_6000";
description = "Network printer hosted on merlin";
location = "home";
deviceUri = "ipp://${serverIp}/printers/HP_Envy_6000";
description = "Network printer hosted on bob";
location = "bob";
deviceUri = "ipp://bob/printers/HP_ENVY_6000_series";
model = "everywhere";
ppdOptions = {
PageSize = "A4";

35
hosts/common/users/admin/default.nix
View file

@ -1,31 +1,31 @@
{
pkgs,
inputs,
config,
lib,
...
}: let
{ pkgs, inputs, config, lib, ... }:
let
ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
username = "admin";
pubKeys = lib.filesystem.listFilesRecursive ../keys;
pubKeys = lib.filesystem.listFilesRecursive (../keys);
hostname = config.networking.hostName;
sopsHashedPasswordFile = config.sops.secrets."passwords/${username}".path;
sopsHashedPasswordFile = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."passwords/${username}".path;
secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml";
in {
in
{
users.users.${username} = {
isNormalUser = true;
shell = pkgs.zsh;
shell = pkgs.zsh; # default shell
hashedPasswordFile = sopsHashedPasswordFile;
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
extraGroups = [
"wheel"
] ++ ifTheyExist [
"docker"
"lxc"
"git"
"podman"
];
};
environment.persistence."/persist" = {
directories = [
"/home/${username}"
packages = with pkgs; [
];
};
@ -44,16 +44,13 @@ in {
mode = "0644";
owner = "${username}";
};
"github-access-token" = {
mode = "0655";
};
};
programs.zsh.enable = true;
programs.fuse.userAllowOther = true;
home-manager = {
extraSpecialArgs = {inherit inputs;};
extraSpecialArgs = { inherit inputs; };
users = {
${username} = import ../../../../home/${hostname}.nix;
};

20
hosts/common/users/media/default.nix
View file

@ -21,6 +21,7 @@ in {
extraGroups = [
"scanner"
"lp"
"wheel"
];
packages = with pkgs; [
@ -30,9 +31,22 @@ in {
};
environment.persistence."/persist" = {
directories = [
"/home/${username}"
];
hideMounts = true;
users.${username} = {
directories = [
"Sync"
"Keep"
".ssh"
".config"
".mozilla"
".local"
".zotero"
".var"
".steam"
];
files = [
];
};
};
sops.secrets = {

1
hosts/common/users/sam/default.nix
View file

@ -133,7 +133,6 @@ in {
environment.persistence."/persist" = {
directories = [
"/home/${username}"
"/var/lib/tailscale"
];
};

9
hosts/iso/default.nix
View file

@ -1,9 +0,0 @@
{modulesPath, pkgs, lib, ...}: let
in {
imports = [(modulesPath + "/installer/cd-dvd/installation-cd-minimal.nix")];
environment.systemPackages = [
pkgs.openssl
pkgs.ccrypt
];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

186
hosts/merlin/default.nix
View file

@ -1,72 +1,32 @@
{
inputs,
configVars,
lib,
config,
outputs,
...
}: let
{ inputs, ... }:
let
# Disko setup
fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence
dev = "/dev/disk/by-id/wwn-0x5001b448b5f7cc7f";
dev = "/dev/disk/by-id/ata-QEMU_HARDDISK_QM00005";
encrypted = false; # currrently only applies to btrfs
btrfsMountDevice = "/dev/disk/by-id/wwn-0x5001b448b5f7cc7f-part2";
impermanence = true;
impermanence = false;
user = "admin";
in
{
imports =
[
# Create users for this host
../common/users/${user}
homeshareDataLocation = configVars.locations.homeshareDataLocation;
# Root disk configuration
inputs.disko.nixosModules.disko
(import ../common/disks { device = dev; impermanence = impermanence; fsType = fsType; encrypted = encrypted; })
piholeIp = configVars.networking.addresses.pihole.ip;
gatewayIp = configVars.networking.addresses.gateway.ip;
merlinIp = configVars.networking.addresses.merlin.ip;
in {
imports = [
# Create users for this host
../common/users/admin
# Import core options
./hardware-configuration.nix
../common/core
# Disk configuration
inputs.disko.nixosModules.disko
(import ../common/disks {
device = dev;
impermanence = impermanence;
fsType = fsType;
encrypted = encrypted;
})
# Import optional options
../common/optional/openssh.nix
../common/optional/docker
../common/optional/docker/postgres.nix
# Impermanence
../common/optional/persistence.nix
(import ../common/disks/btrfs/impermanence.nix {
btrfsMountDevice = btrfsMountDevice;
lib = lib;
})
# Import core options
./hardware-configuration.nix
../common/core
# Import optional options
../common/optional/openssh.nix
../common/optional/restic-backup.nix
../common/optional/docker.nix
../common/optional/nix-ld.nix
../common/optional/fileserver/nfs-server/homeshare.nix
../common/optional/print-server.nix
# Nixos containers
../common/optional/nixos-containers/docker.nix
../common/optional/nixos-containers/baseddata-worker.nix
../common/optional/nixos-containers/pihole.nix
../common/optional/nixos-containers/semitamaps-worker.nix
../common/optional/nixos-containers/nix-bitcoin.nix
../common/optional/nixos-containers/postgres.nix
../common/optional/nixos-containers/baseddata-worker.nix
../common/optional/nixos-containers/backup-server.nix
../common/optional/nixos-containers/metrics-server.nix
../common/optional/nixos-containers/reverse-proxy.nix
# This machine is used for remote building
../common/optional/distributed-builds/remote-builder-machine.nix
outputs.nixosModules.nixosAutoUpgrade
];
];
boot = {
loader = {
@ -76,109 +36,17 @@ in {
};
};
fileSystems."/mnt/main-ssd" = {
device = "/dev/disk/by-uuid/ba884006-e813-4b67-9fe6-62aea08b3b59";
fsType = "ext4";
};
fileSystems."/mnt/btcnode" = {
device = "/dev/disk/by-uuid/1dc56ec7-322f-44be-b6ad-79360fdfef93";
fsType = "btrfs";
};
services = {
earlyoom = {
enable = true;
freeMemThreshold = 3;
};
};
networking = {
hostName = "merlin";
nameservers = ["${piholeIp}" "${gatewayIp}" "8.8.8.8"];
defaultGateway = "${gatewayIp}";
useDHCP = false;
networkmanager.enable = true;
enableIPv6 = false;
bridges = {
br0 = {
interfaces = ["eth0"];
};
};
interfaces.br0 = {
ipv4.addresses = [
{
"address" = "${merlinIp}";
"prefixLength" = 24;
}
];
};
};
environment.persistence."/persist" = {
directories = [
"/etc/zpool"
"/var/lib/tailscale"
];
};
services.restic.backups = {
daily = {
paths = [
homeshareDataLocation
];
};
};
# Enable OpenGL
hardware.graphics = {
enable = true;
};
# enable tailscale
services.tailscale.useRoutingFeatures = "server";
services.tailscale.enable = true;
nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) [
"nvidia-x11"
"nvidia-settings"
"nvidia-persistenced"
];
# Load nvidia driver
services.xserver.videoDrivers = ["nvidia"];
hardware.nvidia = {
modesetting.enable = true;
powerManagement.enable = false;
open = false;
nvidiaSettings = false;
package = config.boot.kernelPackages.nvidiaPackages.stable;
};
system.services.nixosAutoUpgrade = {
enable = true;
persistent = false;
reboot = true;
pushUpdates = true;
configDir = "/etc/nixos";
onCalendar = "*-*-* 03:00:00";
user = "admin";
};
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
boot.supportedFilesystems = ["zfs"];
boot.supportedFilesystems = [ "zfs" ];
boot.zfs.forceImportRoot = false;
networking.hostId = "18aec5d7";
boot.zfs.extraPools = ["deepzfs" "nvme-zpool"];
boot.zfs.extraPools = [ "zspeed" ];
services.libinput.enable = true;
}

3
hosts/merlin/hardware-configuration.nix
View file

@ -4,6 +4,9 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];

41
hosts/semita/default.nix
View file

@ -18,7 +18,6 @@
impermanence = true;
piholeIp = configVars.networking.addresses.pihole.ip;
gatewayIp = configVars.networking.addresses.gateway.ip;
merlinIp = configVars.networking.addresses.merlin.ip;
semitaIp = configVars.networking.addresses.semita.ip;
in {
imports = [
@ -49,22 +48,37 @@ in {
../common/optional/pipewire.nix
../common/optional/openssh.nix
../common/optional/dwm.nix
../common/optional/printing.nix
# ../common/optional/printing.nix
../common/optional/docker.nix
../common/optional/nix-ld.nix
../common/optional/gaming.nix
../common/optional/restic-backup.nix
../common/optional/fileserver/nfs-client/media.nix
../common/optional/fileserver/nfs-client/photos.nix
../common/optional/fileserver/nfs-client/personal.nix
# nfs mounts
../common/optional/nfs-mounts/media.nix
../common/optional/nfs-mounts/homeshare.nix
../common/optional/nfs-mounts/photos.nix
../common/optional/distributed-builds/local-machine.nix
# nixos-containers
../common/optional/nixos-containers/nix-bitcoin.nix
../common/optional/nixos-containers/postgres.nix
../common/optional/nixos-containers/baseddata-worker.nix
../common/optional/nixos-containers/semitamaps-worker.nix
../common/optional/nixos-containers/backup-server.nix
../common/optional/nixos-containers/docker.nix
# ../common/optional/nixos-containers/pihole.nix
../common/optional/nixos-containers/metrics-server.nix
# # Build nix derivations on remote machine
# ../common/optional/distributed-builds/local-machine.nix
outputs.nixosModules.nixosAutoUpgrade
];
services.tailscale.useRoutingFeatures = "server";
fileSystems."/mnt/main-ssd" = {
device = "/dev/disk/by-uuid/ba884006-e813-4b67-9fe6-62aea08b3b59";
fsType = "ext4";
};
boot = {
blacklistedKernelModules = ["snd_hda_intel" "snd_soc_skl"];
@ -88,12 +102,21 @@ in {
};
};
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
system.services.nixosAutoUpgrade = {
enable = true;
persistent = true;
remote = "remotebuild@${merlinIp}";
reboot = false;
pushUpdates = false;
pushUpdates = true;
configDir = "/etc/nixos";
onCalendar = "*-*-* 06:00:00";
user = "sam";

67
hosts/sparky/default.nix
View file

@ -1,19 +1,35 @@
{
inputs,
config,
lib,
configVars,
outputs,
pkgs,
...
}: let
btrfsMountDevice = "/dev/root_vg/root";
merlinIp = configVars.networking.addresses.merlin.ip;
# Disko setup
fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence
dev = "/dev/sda"; # depends on target hardware
encrypted = false; # currrently only applies to btrfs
btrfsMountDevice =
if encrypted
then "/dev/mapper/crypted"
else "/dev/root_vg/root";
impermanence = true;
piholeIp = configVars.networking.addresses.pihole.ip;
gatewayIp = configVars.networking.addresses.gateway.ip;
in {
imports = [
# Create users for this host
../common/users/media
./hardware-configuration.nix
# Disk configuration
inputs.disko.nixosModules.disko
(import ../common/disks {
device = dev;
impermanence = impermanence;
fsType = fsType;
encrypted = encrypted;
})
# Impermanence
(import ../common/disks/btrfs/impermanence.nix {
@ -28,12 +44,21 @@ in {
# Import optional options
../common/optional/openssh.nix
../common/optional/persistence.nix
../common/optional/fileserver/nfs-client/media.nix
../common/optional/nfs-mounts/media.nix
../common/optional/gaming.nix
../common/optional/printing.nix
../common/optional/distributed-builds/local-machine.nix
outputs.nixosModules.nixosAutoUpgrade
];
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
timeout = 3;
};
};
boot.kernelParams = ["i915.enable_psr=0"];
networking = {
hostName = "sparky";
networkmanager.enable = true;
@ -41,23 +66,30 @@ in {
nameservers = ["${piholeIp}" "${gatewayIp}" "8.8.8.8"];
};
nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) [
# Add additional package names here
"nvidia-x11"
"nvidia-settings"
"nvidia-persistenced"
];
services.displayManager.defaultSession = "cinnamon";
services.libinput.enable = true;
system.services.nixosAutoUpgrade = {
enable = true;
persistent = true;
remote = "remotebuild@${merlinIp}";
reboot = false;
pushUpdates = false;
configDir = "/etc/nixos";
onCalendar = "*-*-* 06:00:00";
user = "root";
onCalendar = "*-*-* 07:00:00";
user = "media";
};
services.xserver = {
enable = true;
videoDrivers = ["modesetting"];
videoDrivers = ["nvidia"];
displayManager.lightdm.enable = true;
exportConfiguration = true;
deviceSection = ''
@ -67,4 +99,19 @@ in {
};
};
# Enable OpenGL
hardware.opengl = {
enable = true;
driSupport32Bit = true;
};
# Load nvidia driver
hardware.nvidia = {
# https://nixos.wiki/wiki/Nvidia
modesetting.enable = true;
powerManagement.enable = false;
open = false;
nvidiaSettings = true;
package = config.boot.kernelPackages.nvidiaPackages.stable;
};
}

84
hosts/sparky/hardware-configuration.nix
View file

@ -1,76 +1,24 @@
{ config, lib, pkgs, ... }:
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/7e660e53-6c56-4679-ab25-3a2b1eacaebd";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/persist" =
{ device = "/dev/disk/by-uuid/7e660e53-6c56-4679-ab25-3a2b1eacaebd";
fsType = "btrfs";
options = [ "subvol=persist" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/7e660e53-6c56-4679-ab25-3a2b1eacaebd";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
fileSystems."/.swapvol" =
{ device = "/dev/disk/by-uuid/7e660e53-6c56-4679-ab25-3a2b1eacaebd";
fsType = "btrfs";
options = [ "subvol=swap" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/3DC4-7CCE";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [
{
device = "/.swapvol/swapfile";
size = 2 * 1024;
}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# Add hardware support for intel gpus as specified here: https://nixos.wiki/wiki/Jellyfin
nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override {enableHybridCodec = true;};
};
hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver
intel-vaapi-driver
vaapiVdpau
libvdpau-va-gl
intel-compute-runtime
# only available on unstable
unstable.vpl-gpu-rt
intel-media-sdk
];
};
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
timeout = 3;
};
};
boot.kernelParams = ["i915.enable_psr=0"];
}

18
modules/nixos/nixosAutoUpgrade.nix
View file

@ -25,11 +25,6 @@ in
description = "Automatically reboots the system if there is a kernel or systemd update.";
default = false;
};
remote = lib.mkOption {
type = lib.types.str;
description = "Attempts build on remote host <user@host>.";
default = "";
};
onCalendar = lib.mkOption {
default = "daily";
type = lib.types.str;
@ -70,19 +65,18 @@ in
systemd = {
services."nixos-upgrade" = {
serviceConfig = {
Type = "simple";
Type = "oneshot";
User = "root";
};
path = ["/run/current-system/sw"];
unitConfig.RequiresMountsFor = cfg.configDir;
script = lib.strings.concatStrings [
"${auto-update-nixos}/bin/auto-update-nixos --operation ${cfg.operation} "
(if cfg.configDir != "" then "--flake ${cfg.configDir} " else "")
(if cfg.user != "" then "--user ${cfg.user} " else "")
(if cfg.pushUpdates then "--update " else "")
(if cfg.reboot then "--reboot " else "")
(if cfg.remote != "" then "--build-host ${cfg.remote} " else "")
cfg.extraFlags
(lib.mkIf (cfg.configDir != "") "--flake ${cfg.configDir} ").content
(lib.mkIf (cfg.user != "") "--user ${cfg.user} ").content
(lib.mkIf (cfg.pushUpdates) "--update ").content
(lib.mkIf (cfg.reboot) "--reboot ").content
(lib.mkIf (cfg.extraFlags != "") cfg.extraFlags).content
];
};
timers."nixos-upgrade" = {

57
scripts/bootstrap.sh
View file

@ -40,48 +40,41 @@ trap cleanup EXIT
# Create the directory for target host keys
install -d -m755 "$temp$persist/etc/ssh"
# Extract ssh keys from secrets
echo "Extracting ssh keys"
ssh_private_key=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"ssh_keys""\"][""\"$hostname""\"][""\"id_ed25519""\"]' ~/.local/share/src/nix-secrets/secrets.yaml")
echo "$ssh_private_key" > $temp$persist/etc/ssh/ssh_host_ed25519_key
ssh_pub_key=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"ssh_keys""\"][""\"$hostname""\"][""\"id_ed25519.pub""\"]' ~/.local/share/src/nix-secrets/secrets.yaml")
echo "$ssh_pub_key" > $temp$persist/etc/ssh/ssh_host_ed25519_key.pub
# Create ssh keys
echo "Creating '$hostname' ssh keys"
ssh-keygen -t ed25519 -f "$temp$persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N ""
# # Extract luks key from secrets
# luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"$hostname""\"]' ~/.local/share/src/nix-secrets/secrets.yaml")
# echo "$luks_secret" > /tmp/luks_secret.key
# Extract luks key from secrets
luks_secret=$(nix-shell -p sops --run "SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt sops -d --extract '[""\"luks_passphrase""\"][""\"$hostname""\"]' ~/.local/share/src/nix-secrets/secrets.yaml")
echo "$luks_secret" > /tmp/luks_secret.key
# # Create ssh keys
# echo "Creating '$hostname' ssh keys"
# ssh-keygen -t ed25519 -f "$temp$persist/etc/ssh/ssh_host_ed25519_key" -C root@"$hostname" -N ""
# Generate age key from target host and user public ssh key
echo "Generating age key from target host and user ssh key"
HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp$persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age")
echo -e "Host age key:\n$HOST_AGE_KEY\n"
# # Generate age key from target host and user public ssh key
# echo "Generating age key from target host and user ssh key"
# HOST_AGE_KEY=$(nix-shell -p ssh-to-age --run "cat $temp$persist/etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age")
# echo -e "Host age key:\n$HOST_AGE_KEY\n"
# Update .sops.yaml with new age key:
SOPS_FILE="$HOME/.local/share/src/nix-secrets/.sops.yaml"
sed -i "{
# Remove any * and & entries for this host
/[*&]$hostname/ d;
# Inject a new age: entry
# n matches the first line following age: and p prints it, then we transform it while reusing the spacing
/age:/{n; p; s/\(.*- \*\).*/\1$hostname/};
# Inject a new hosts: entry
/&hosts:/{n; p; s/\(.*- &\).*/\1$hostname $HOST_AGE_KEY/}
}" "$SOPS_FILE"
# # Update .sops.yaml with new age key:
# SOPS_FILE="$HOME/.local/share/src/nix-secrets/.sops.yaml"
# sed -i "{
# # Remove any * and & entries for this host
# /[*&]$hostname/ d;
# # Inject a new age: entry
# # n matches the first line following age: and p prints it, then we transform it while reusing the spacing
# /age:/{n; p; s/\(.*- \*\).*/\1$hostname/};
# # Inject a new hosts: entry
# /&hosts:/{n; p; s/\(.*- &\).*/\1$hostname $HOST_AGE_KEY/}
# }" "$SOPS_FILE"
# # Commit and push changes to sops file
# just update-sops-secrets && just update-flake-secrets && just update-flake
# Commit and push changes to sops file
just update-sops-secrets && just update-flake-secrets && just update-flake
# Copy current nix config over to target
echo "copying current nix config to host"
cp -pr . "$temp$persist/etc/nixos"
# Install Nixos to target
SHELL=/bin/sh nix run github:nix-community/nixos-anywhere/1.6.0 -- --extra-files "$temp" --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"
echo $?
SHELL=/bin/sh nix run github:nix-community/nixos-anywhere/1.3.0 -- --extra-files "$temp" --disk-encryption-keys /tmp/luks_secret.key /tmp/luks_secret.key --flake .#"$config" root@"$ip" -i "$HOME/.ssh/id_ed25519"
[ $? != 0 ] && echo "Error installing Nixos" && exit 1
## Delete keys from local known_hosts
echo "Deleting host from known_hosts"

16
vars/default.nix
View file

@ -3,25 +3,19 @@
inherit (inputs.nix-secrets)
networking
email
metrics-server
xmpp
domains
;
locations = {
mediaDataMountPoint = "/media/media";
photosDataMountPoint = "/media/photos";
personalDataMountPoint = "/media/personal";
homeshareDataLocation = "/mnt/main-ssd/homeshare";
metricsServerContainerData = "/mnt/main-ssd/metrics-server";
dockerContainerData = "/mnt/main-ssd/docker";
piholeContainerData = "/mnt/main-ssd/docker/pihole";
baseddataData = "/mnt/main-ssd/baseddata-data";
bitcoinNodeContainerData = "/mnt/main-ssd/nix-bitcoin";
bitcoindData = "/mnt/btcnode/bitcoind";
backupContainerData = "/mnt/deepzfs/backup";
postgresContainerData = "/mnt/nvme-zpool/postgresql";
semitamapsData = "/mnt/nvme-zpool/semitamaps-data";
jellyfinContainerData = "/mnt/main-ssd/jellyfin";
backupContainerData = "/mnt/main-ssd/backup";
postgresContainerData = "/mnt/main-ssd/postgresql";
semitamapsData = "/mnt/main-ssd/semitamaps-data";
baseddataData = "/mnt/main-ssd/baseddata-data";
};
}