This commit is contained in:
xunuwu 2025-01-18 11:55:45 +01:00
parent bfbc1cb84b
commit 269e56b5c6
Signed by: xun
SSH key fingerprint: SHA256:Uot/1WoAjWAeqLOHA5vYy4phhVydsH7jCPmBjaPZfgI
7 changed files with 169 additions and 157 deletions


@ -6,22 +6,22 @@ keys:
- &hopper age15mgf89h220puhz48rjpwxwu4n2h4edur60w6cd8gku2hh4e5kqpsghvnyw - &hopper age15mgf89h220puhz48rjpwxwu4n2h4edur60w6cd8gku2hh4e5kqpsghvnyw
creation_rules: creation_rules:
- path_regex: home/secrets - path_regex: home/profiles/secrets
key_groups: key_groups:
- age: - age:
- *xun - *xun
- path_regex: systemProfiles/secrets/global - path_regex: sys/profiles/secrets/global
key_groups: key_groups:
- age: - age:
- *xun - *xun
- *nixdesk - *nixdesk
- *hopper - *hopper
- path_regex: systemProfiles/secrets/nixdesk - path_regex: sys/proofiles/secrets/nixdesk
key_groups: key_groups:
- age: - age:
- *xun - *xun
- *nixdesk - *nixdesk
- path_regex: systemProfiles/secrets/hopper - path_regex: sys/profiles/secrets/hopper
key_groups: key_groups:
- age: - age:
- *xun - *xun
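Review bot: The nixdesk rule at `path_regex: sys/proofiles/secrets/nixdesk` carries a typo (`proofiles`), so no creation rule in this hunk matches files under `sys/profiles/secrets/nixdesk` — sops will refuse to create new secrets there, or, if a catch-all rule exists outside the hunk, encrypt them to the wrong recipient set. The fix is `- path_regex: sys/profiles/secrets/nixdesk`. These patterns are unanchored regular expressions matched against the file path, so anchoring them (`^sys/profiles/secrets/nixdesk/`) avoids accidental substring matches elsewhere in the tree. Note that moving the paths does not re-encrypt existing files; if any recipient set changed as part of the move, run `sops updatekeys` on the affected files. The `keys:` anchors referenced here are defined above the hunk.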

84
flake.lock generated

@ -144,22 +144,6 @@
} }
}, },
"flake-compat_2": { "flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_3": {
"locked": { "locked": {
"lastModified": 1696426674, "lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
@ -173,7 +157,7 @@
"url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz" "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
} }
}, },
"flake-compat_4": { "flake-compat_3": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1696426674, "lastModified": 1696426674,
@ -265,24 +249,6 @@
} }
}, },
"flake-utils_3": { "flake-utils_3": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_4": {
"inputs": { "inputs": {
"systems": [ "systems": [
"stylix", "stylix",
@ -631,7 +597,7 @@
"nixvim": { "nixvim": {
"inputs": { "inputs": {
"devshell": "devshell", "devshell": "devshell",
"flake-compat": "flake-compat_3", "flake-compat": "flake-compat_2",
"flake-parts": "flake-parts_2", "flake-parts": "flake-parts_2",
"git-hooks": "git-hooks", "git-hooks": "git-hooks",
"home-manager": "home-manager_2", "home-manager": "home-manager_2",
@ -659,7 +625,7 @@
}, },
"nuschtosSearch": { "nuschtosSearch": {
"inputs": { "inputs": {
"flake-utils": "flake-utils_3", "flake-utils": "flake-utils_2",
"ixx": "ixx", "ixx": "ixx",
"nixpkgs": [ "nixpkgs": [
"nvim-nix", "nvim-nix",
@ -681,28 +647,6 @@
"type": "github" "type": "github"
} }
}, },
"nvfetcher": {
"inputs": {
"flake-compat": "flake-compat_2",
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1732501185,
"narHash": "sha256-Z0BpHelaGQsE5VD9hBsBHsvMU9h+Xt0kfkDJyFivZOU=",
"owner": "berberman",
"repo": "nvfetcher",
"rev": "bdb14eab6fe9cefc29efe01e60c3a3f616d6b62a",
"type": "github"
},
"original": {
"owner": "berberman",
"repo": "nvfetcher",
"type": "github"
}
},
"nvim-nix": { "nvim-nix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -733,7 +677,6 @@
"nix-index-database": "nix-index-database", "nix-index-database": "nix-index-database",
"nixos-wsl": "nixos-wsl", "nixos-wsl": "nixos-wsl",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nvfetcher": "nvfetcher",
"nvim-nix": "nvim-nix", "nvim-nix": "nvim-nix",
"sobercookie": "sobercookie", "sobercookie": "sobercookie",
"sops-nix": "sops-nix", "sops-nix": "sops-nix",
@ -788,15 +731,15 @@
"base16-helix": "base16-helix", "base16-helix": "base16-helix",
"base16-vim": "base16-vim", "base16-vim": "base16-vim",
"firefox-gnome-theme": "firefox-gnome-theme", "firefox-gnome-theme": "firefox-gnome-theme",
"flake-compat": "flake-compat_4", "flake-compat": "flake-compat_3",
"flake-utils": "flake-utils_4", "flake-utils": "flake-utils_3",
"git-hooks": "git-hooks_2", "git-hooks": "git-hooks_2",
"gnome-shell": "gnome-shell", "gnome-shell": "gnome-shell",
"home-manager": "home-manager_3", "home-manager": "home-manager_3",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"systems": "systems_3", "systems": "systems_2",
"tinted-foot": "tinted-foot", "tinted-foot": "tinted-foot",
"tinted-kitty": "tinted-kitty", "tinted-kitty": "tinted-kitty",
"tinted-tmux": "tinted-tmux", "tinted-tmux": "tinted-tmux",
@ -846,21 +789,6 @@
"type": "github" "type": "github"
} }
}, },
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"tinted-foot": { "tinted-foot": {
"flake": false, "flake": false,
"locked": { "locked": {


@ -57,8 +57,8 @@
nixos-wsl.url = "github:nix-community/NixOS-WSL/main"; nixos-wsl.url = "github:nix-community/NixOS-WSL/main";
nixos-wsl.inputs.nixpkgs.follows = "nixpkgs"; nixos-wsl.inputs.nixpkgs.follows = "nixpkgs";
nvfetcher.url = "github:berberman/nvfetcher"; # nvfetcher.url = "github:berberman/nvfetcher";
nvfetcher.inputs.nixpkgs.follows = "nixpkgs"; # nvfetcher.inputs.nixpkgs.follows = "nixpkgs";
vpn-confinement.url = "github:Maroka-chan/VPN-Confinement"; vpn-confinement.url = "github:Maroka-chan/VPN-Confinement";


@ -3,3 +3,7 @@ config files for my puters
nixdesk - main desktop nixdesk - main desktop
hopper - server hopper - server
kidney - wsl kidney - wsl
TODO
firewall things within my tailnet with networking.firewall.interfaces.tailscale0


@ -7,6 +7,7 @@
just just
home-manager home-manager
sops sops
nvfetcher
]; ];
}; };
} }


@ -13,6 +13,7 @@
slskdUiPort = 23488; slskdUiPort = 23488;
caddyLocal = 8562; caddyLocal = 8562;
ncPort = 46523; ncPort = 46523;
adguardWebPort = 23489;
kanidmPort = 8300; kanidmPort = 8300;
in { in {
imports = [ imports = [
@ -55,6 +56,7 @@ in {
wireguardConfigFile = config.sops.secrets.wireguard.path; wireguardConfigFile = config.sops.secrets.wireguard.path;
accessibleFrom = [ accessibleFrom = [
"192.168.0.0/24" "192.168.0.0/24"
# "127.0.0.1"
]; ];
# Forwarded to my vpn, for making things accessible from outside # Forwarded to my vpn, for making things accessible from outside
@ -78,10 +80,10 @@ in {
passthrough = [ passthrough = [
caddyPort caddyPort
slskdUiPort slskdUiPort
80 # caddy
1900 # jellyfin discovery 1900 # jellyfin discovery
7359 # jellyfin discovery 7359 # jellyfin discovery
config.services.transmission.settings.rpc-port # 9001
80 # homepage
]; ];
in (l.map (x: { in (l.map (x: {
from = x; from = x;
@ -129,16 +131,31 @@ in {
}; };
slskd = { slskd = {
useACMEHost = null; useACMEHost = null;
hostName = ":${toString slskdUiPort}"; hostName = "slskd.hopper.xun.host:80";
extraConfig = '' extraConfig = ''
reverse_proxy localhost:${toString config.services.slskd.settings.web.port} reverse_proxy localhost:${toString config.services.slskd.settings.web.port}
''; '';
}; };
transmission = {
useACMEHost = null;
hostName = "transmission.hopper.xun.host:80";
extraConfig = ''
reverse_proxy localhost:${toString config.services.transmission.settings.rpc-port}
'';
};
dash = { dash = {
useACMEHost = null; useACMEHost = null;
hostName = ":80"; hostName = "dash.hopper.xun.host:80";
extraConfig = "reverse_proxy localhost:${toString config.services.homepage-dashboard.listenPort}"; extraConfig = "reverse_proxy localhost:${toString config.services.homepage-dashboard.listenPort}";
}; };
# prometheus = {
# useACMEHost = null;
# hostName = "prometheus.hopper.xun.host:80";
# extraConfig = ''
# reverse_proxy ${toString config.vpnNamespaces."wg".bridgeAddress}:9001
# '';
# };
other = { other = {
hostName = ":${toString caddyPort}"; hostName = ":${toString caddyPort}";
extraConfig = '' extraConfig = ''
@ -147,6 +164,15 @@ in {
} }
''; '';
}; };
otherPriv = {
useACMEHost = null;
hostName = ":80";
extraConfig = ''
respond 404 {
body "uhh that doesnt exist, i hope this isnt my fault.."
}
'';
};
}; };
}; };
@ -162,22 +188,26 @@ in {
resources = { resources = {
cpu = true; cpu = true;
disk = "/"; disk = "/";
uptime = "";
units = "metric";
cputemp = true;
memory = true; memory = true;
network = true;
}; };
} }
]; ];
services = [ services = [
{ {
"Obtaining" = [ "Downloading" = [
{ {
"transmission" = { "transmission" = {
href = "http://${config.networking.hostName}:9091"; href = "http://transmission.hopper.xun.host";
icon = "transmission"; icon = "transmission";
}; };
} }
{ {
"slskd" = { "slskd" = {
href = "http://${config.networking.hostName}:23488"; href = "http://slskd.hopper.xun.host";
icon = "slskd"; icon = "slskd";
}; };
} }
@ -187,10 +217,28 @@ in {
"Services" = [ "Services" = [
{ {
"jellyfin" = { "jellyfin" = {
href = "https://jellyfin.xunuwu.xyz"; href = "https://jellyfin.${domain}";
icon = "jellyfin"; icon = "jellyfin";
}; };
} }
{
"adguard home" = {
href = "http://${config.networking.hostName}:${toString config.services.adguardhome.port}";
icon = "adguard-home";
};
}
{
"prometheus" = {
href = "http://${config.networking.hostName}:${toString config.services.prometheus.port}";
icon = "prometheus";
};
}
{
"kanidm" = {
href = "https://kanidm.${domain}";
icon = "kanidm";
};
}
]; ];
} }
]; ];
@ -201,9 +249,7 @@ in {
vpnNamespace = "wg"; vpnNamespace = "wg";
}; };
services.jellyfin = { services.jellyfin.enable = true;
enable = true;
};
services.prometheus = { services.prometheus = {
enable = true; enable = true;
@ -310,7 +356,7 @@ in {
InaccessiblePaths = lib.mkForce []; InaccessiblePaths = lib.mkForce [];
}; };
}; };
boot.kernel.sysctl."fs.inotify.max_user_watches" = 524288; boot.kernel.sysctl."fs.inotify.max_user_watches" = 99999999;
services.kanidm = { services.kanidm = {
package = pkgs.kanidm_1_4.override {enableSecretProvisioning = true;}; package = pkgs.kanidm_1_4.override {enableSecretProvisioning = true;};
enableServer = true; enableServer = true;
@ -338,5 +384,38 @@ in {
}; };
}; };
services.adguardhome = {
enable = true;
mutableSettings = false;
port = adguardWebPort;
# host = "100.115.105.144";
settings = {
dhcp.enabled = false;
dns = {
# port = adguardDnsPort;
upstream_dns = [
"quic://dns.nextdns.io"
"https://cloudflare-dns.com/dns-query"
"tls://unfiltered.adguard-dns.com"
"https://dns10.quad9.net/dns-query"
];
bind_hosts = ["100.115.105.144"];
bootstrap_dns = ["1.1.1.1" "8.8.8.8"];
};
filtering = {
rewrites = [
{
domain = "*.hopper.xun.host";
answer = "100.115.105.144";
}
{
domain = "hopper.xun.host";
answer = "100.115.105.144";
}
];
};
};
};
## TODO: add forgejo ## TODO: add forgejo
} }
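Review bot: The new `transmission`, `slskd` and `dash` virtual hosts (`hostName = "transmission.hopper.xun.host:80"` and siblings) are plain HTTP on `:80` with `useACMEHost = null` and no authentication directive in their `extraConfig`, so the only thing keeping them private is the `*.hopper.xun.host` rewrite in AdGuard, which affects just clients that use this resolver — any peer that can reach port 80 (for example the `192.168.0.0/24` range listed in `accessibleFrom`, or anything the host firewall admits, which the README TODO says is not yet limited to `tailscale0`) can reach them by sending the matching `Host` header. Because `80 # caddy` sits in the `passthrough` list and the proxies target `localhost`, Caddy appears to run inside the `wg` namespace, so the restriction has to be applied host-side, e.g. `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 80 ];` instead of opening 80 on every interface, and the transmission vhost should additionally require auth (Caddy `basic_auth`/`forward_auth` against kanidm, or Transmission's `rpc-authentication-required`; I cannot see from this diff whether the `transmission` sops secret already configures that). The `otherPriv` catch-all only answers 404 and does not protect the named hosts. The enclosing `virtualHosts` attrset opens before this hunk.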


@ -7,14 +7,14 @@ in {
format = "binary"; format = "binary";
sopsFile = ./wireguard; sopsFile = ./wireguard;
}; };
grafana-pass = { # grafana-pass = {
format = "binary"; # format = "binary";
sopsFile = ./grafana-pass; # sopsFile = ./grafana-pass;
}; # };
wireguard-config = { # wireguard-config = {
format = "binary"; # format = "binary";
sopsFile = ./wireguard-config; # sopsFile = ./wireguard-config;
}; # };
slskd = { slskd = {
format = "binary"; format = "binary";
@ -25,26 +25,26 @@ in {
format = "binary"; format = "binary";
sopsFile = ./cloudflare; sopsFile = ./cloudflare;
}; };
jackett = { # jackett = {
format = "binary"; # format = "binary";
sopsFile = ./jackett; # sopsFile = ./jackett;
restartUnits = ["podman-qbittorrent.service"]; # restartUnits = ["podman-qbittorrent.service"];
}; # };
betanin = { # betanin = {
format = "binary"; # format = "binary";
sopsFile = ./betanin; # sopsFile = ./betanin;
restartUnits = ["podman-betanin.service"]; # restartUnits = ["podman-betanin.service"];
}; # };
transmission = { transmission = {
format = "binary"; format = "binary";
sopsFile = ./transmission; sopsFile = ./transmission;
}; };
authentik = { # authentik = {
format = "binary"; # format = "binary";
sopsFile = ./authentik; # sopsFile = ./authentik;
}; # };
"kanidm/admin_pass" = { "kanidm/admin_pass" = {
sopsFile = ./kanidm.yaml; sopsFile = ./kanidm.yaml;
@ -71,45 +71,45 @@ in {
# }; # };
# authelia # authelia
authelia_lldap_password = { # authelia_lldap_password = {
format = "yaml"; # format = "yaml";
sopsFile = ./authelia.yaml; # sopsFile = ./authelia.yaml;
key = "lldap_password"; # key = "lldap_password";
# owner = autheliaUser; # # owner = autheliaUser;
}; # };
authelia_jwt_secret = { # authelia_jwt_secret = {
format = "yaml"; # format = "yaml";
sopsFile = ./authelia.yaml; # sopsFile = ./authelia.yaml;
key = "jwt_secret"; # key = "jwt_secret";
# owner = autheliaUser; # # owner = autheliaUser;
}; # };
authelia_session_secret = { # authelia_session_secret = {
format = "yaml"; # format = "yaml";
sopsFile = ./authelia.yaml; # sopsFile = ./authelia.yaml;
key = "session_secret"; # key = "session_secret";
#owner = autheliaUser; # #owner = autheliaUser;
}; # };
authelia_encryption_key = { # authelia_encryption_key = {
format = "yaml"; # format = "yaml";
sopsFile = ./authelia.yaml; # sopsFile = ./authelia.yaml;
key = "encryption_key"; # key = "encryption_key";
#owner = autheliaUser; # #owner = autheliaUser;
}; # };
authelia_storage_password = { # authelia_storage_password = {
format = "yaml"; # format = "yaml";
sopsFile = ./authelia.yaml; # sopsFile = ./authelia.yaml;
key = "storage_password"; # key = "storage_password";
#owner = autheliaUser; # #owner = autheliaUser;
}; # };
brawlstars-api-key = { # brawlstars-api-key = {
format = "binary"; # format = "binary";
sopsFile = ./brawlstars; # sopsFile = ./brawlstars;
}; # };
wakapi = { # wakapi = {
format = "binary"; # format = "binary";
sopsFile = ./wakapi; # sopsFile = ./wakapi;
mode = "004"; # mode = "004";
}; # };
}; };
} }