simplify some things and remove some unused code

xunuwu 2025-01-12 15:16:01 +01:00
parent 931efc7518
commit 6cf86a3827
Signed by: xun
SSH key fingerprint: SHA256:Uot/1WoAjWAeqLOHA5vYy4phhVydsH7jCPmBjaPZfgI
144 changed files with 251 additions and 3912 deletions


@ -7,46 +7,30 @@
config,
...
}: let
inherit (inputs.nixpkgs.lib) nixosSystem;
specialArgs = {
inherit inputs self;
};
source = inputs.haumea.lib.load {
inputs = {inherit inputs lib;};
src = "${self}/nix";
};
systemProfiles = source.systemProfiles;
in {
flake.colmena = {
meta = {
nixpkgs = import inputs.nixpkgs {
system = "x86_64-linux";
};
inherit specialArgs;
};
kidney = {
deployment = {
allowLocalDeployment = true;
};
imports = lib.flatten [
flake.nixosConfigurations = {
kidney = nixosSystem {
modules = [
./kidney
(with systemProfiles; [
core.tools
core.users
core.locale
programs.tools
programs.zsh
programs.home-manager
hardware.graphics
../systemProfiles/core/tools.nix
../systemProfiles/core/users.nix
../systemProfiles/core/locale.nix
services.flatpak
services.xdg-portals
../systemProfiles/programs/tools.nix
../systemProfiles/programs/zsh.nix
../systemProfiles/programs/home-manager.nix
../systemProfiles/hardware/graphics.nix
nix.default
nix.gc
])
../systemProfiles/services/flatpak.nix
../systemProfiles/services/xdg-portals.nix
../systemProfiles/nix/default.nix
../systemProfiles/nix/gc.nix
{
home-manager = {
users.xun.imports = homeImports."xun@kidney";
@ -54,83 +38,72 @@ in {
};
}
];
inherit specialArgs;
};
nixdesk = {
deployment = {
allowLocalDeployment = true;
targetUser = "xun";
targetHost = "nixdesk.local";
};
imports = lib.flatten [
nixdesk = nixosSystem {
modules = [
./nixdesk
inputs.stylix.nixosModules.stylix
(with systemProfiles; [
secrets.default
secrets.nixdesk.default
../systemProfiles/secrets/default.nix
../systemProfiles/secrets/nixdesk/default.nix
core.security
core.users
core.ssh
core.locale
nix.default
programs.zsh
core.tools
core.compat
core.boot
core.docs
core.gvfs
../systemProfiles/core/security.nix
../systemProfiles/core/users.nix
../systemProfiles/core/ssh.nix
../systemProfiles/core/locale.nix
../systemProfiles/nix/default.nix
../systemProfiles/programs/zsh.nix
../systemProfiles/core/tools.nix
../systemProfiles/core/compat.nix
../systemProfiles/core/boot.nix
../systemProfiles/core/docs.nix
../systemProfiles/core/gvfs.nix
nix.gc
../systemProfiles/nix/gc.nix
hardware.graphics
hardware.steam-hardware
hardware.bluetooth
hardware.qmk
../systemProfiles/hardware/graphics.nix
../systemProfiles/hardware/steam-hardware.nix
../systemProfiles/hardware/bluetooth.nix
../systemProfiles/hardware/qmk.nix
network.networkd
network.avahi
network.localsend
network.tailscale
network.goldberg
../systemProfiles/network/networkd.nix
../systemProfiles/network/avahi.nix
../systemProfiles/network/localsend.nix
../systemProfiles/network/tailscale.nix
../systemProfiles/network/goldberg.nix
desktop.ly
desktop.awesome
desktop.sway
#desktop.hyprland
../systemProfiles/desktop/sway.nix
programs.dconf
programs.fonts
programs.home-manager
# programs.qt
programs.adb
programs.kanidm
programs.openrgb
programs.tools
programs.thunar
programs.corectrl
../systemProfiles/programs/dconf.nix
../systemProfiles/programs/fonts.nix
../systemProfiles/programs/home-manager.nix
# ../systemProfiles/programs/qt.nix
../systemProfiles/programs/adb.nix
../systemProfiles/programs/kanidm.nix
../systemProfiles/programs/openrgb.nix
../systemProfiles/programs/tools.nix
../systemProfiles/programs/thunar.nix
../systemProfiles/programs/corectrl.nix
services.default
services.pipewire
services.flatpak
../systemProfiles/services/default.nix
../systemProfiles/services/pipewire.nix
../systemProfiles/services/flatpak.nix
services.syncthing
services.virt.waydroid
services.virt.virt-manager
services.sunshine
#network.wifi
#services.ollama
desktop.x11.nosleep
../systemProfiles/services/syncthing.nix
../systemProfiles/services/virt/waydroid.nix
../systemProfiles/services/virt/virt-manager.nix
../systemProfiles/services/sunshine.nix
# ../systemProfiles/network/wifi.nix
themes.dark
# themes.xundark
../systemProfiles/themes/dark.nix
programs.gamemode
programs.gamescope
programs.steam
programs.RE.default
])
../systemProfiles/programs/gamemode.nix
../systemProfiles/programs/gamescope.nix
../systemProfiles/programs/steam.nix
../systemProfiles/programs/RE/default.nix
{
home-manager = {
@ -140,58 +113,30 @@ in {
};
}
];
inherit specialArgs;
};
hopper = {
deployment = {
targetUser = "xun";
targetHost = "hopper.local";
};
imports = lib.flatten [
hopper = nixosSystem {
modules = [
./hopper
(with systemProfiles; [
secrets.default
secrets.hopper.default
../systemProfiles/secrets/default.nix
../systemProfiles/secrets/hopper/default.nix
core.security
core.locale
core.tools
core.ssh
core.deploy
nix.default # TODO slim this down
../systemProfiles/core/security.nix
../systemProfiles/core/locale.nix
../systemProfiles/core/tools.nix
../systemProfiles/core/ssh.nix
../systemProfiles/core/deploy.nix
../systemProfiles/nix/default.nix # TODO slim this down
network.tailscale
network.avahi
network.networkd
# services.syncthing # TODO make syncthing not rely on having "xun" user
#network.avahi
#network.networkd
#network.tailscale
#services.syncthing
])
../systemProfiles/network/tailscale.nix
../systemProfiles/network/avahi.nix
../systemProfiles/network/networkd.nix
# services.syncthing # TODO make syncthing not rely on having "xun" user
];
};
liveiso = {
deployment.targetHost = null;
imports = lib.flatten [
./liveiso
(with systemProfiles; [
nix.default
core.security
services.default
])
];
inherit specialArgs;
};
};
flake.nixosConfigurations = let
l = inputs.nixpkgs.lib;
in
builtins.mapAttrs (_: v:
l.nixosSystem {
inherit specialArgs;
modules = v.imports;
}) (l.filterAttrs (n: _: n != "meta") self.colmena);
}
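Review bot: hopper's new `modules` list appears to still import `../systemProfiles/core/deploy.nix`, although this change removes the colmena `deployment` block (`targetUser` / `targetHost`) that was presumably its consumer. The profile's contents are not visible on this page, but if it provisions a deploy account, authorized SSH keys or passwordless sudo for remote pushes, that is now a privileged remote-access path nothing uses. Either drop the line from hopper, or keep it with a comment naming what still depends on it, e.g. `../systemProfiles/core/deploy.nix # still needed for nixos-rebuild --target-host`. The `+`/`-` markers are lost in this rendering, so confirm against the real diff which side each line is on.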


@ -3,7 +3,6 @@
common-cpu-intel
inputs.vpn-confinement.nixosModules.default
inputs.authentik-nix.nixosModules.default
./hardware.nix
./newlab.nix


@ -1,305 +0,0 @@
## TODO look into sops-nix placeholders
## reference: https://github.com/javigomezo/nixos/blob/b3ebe8d570ea9b37aea8bb3a343f6e16e054e322/services/network/authelia/user_database.nix
{
pkgs,
inputs,
config,
lib,
...
}: let
domain = "xunuwu.xyz";
caddyPort = 8336;
autheliaPort = 24637;
in {
## TODO use impermanence
## TODO setup fail2ban mayb
imports = [inputs.vpn-confinement.nixosModules.default];
security.acme = {
acceptTerms = true;
certs.${domain} = {
domain = "*.${domain}";
dnsProvider = "cloudflare";
email = "xunuwu@gmail.com";
reloadServices = ["caddy.service"];
credentialFiles.CF_DNS_API_TOKEN_FILE = config.sops.secrets.cloudflare.path;
extraDomainNames = [domain];
};
};
vpnNamespaces."wg" = {
enable = true;
wireguardConfigFile = config.sops.secrets.wireguard-config.path;
accessibleFrom = [
"192.168.0.0/24"
];
# Forwarded to my vpn, for making things accessible from outside
openVPNPorts = [
{
port = caddyPort;
protocol = "tcp";
}
];
# From inside of the vpn namespace to outside of it, for making things inside accessible to LAN
portMappings = [
{
to = caddyPort;
from = caddyPort;
}
{
to = 7359; # Jellyfin auto-discovery
from = 7359;
}
{
to = 1900; # Jellyfin auto-discovery, TODO check if this actually works and dont forward these if it doesnt
from = 1900;
}
];
};
networking.firewall = {
allowedTCPPorts = [config.services.navidrome.settings.Port];
allowedUDPPorts = [1900 7359]; # Jellyfin auto-discovery
};
systemd.services.caddy.vpnConfinement = {
enable = true;
vpnNamespace = "wg";
};
services.caddy = {
enable = true;
# extraConfig = let
# gensub = x: "${x}.${domain}:${toString caddyPort}";
# tls = "tls /var/lib/acme/${domain}/cert.pem /var/lib/acme/${domain}/key.pem";
# rpPort = port: "reverse_proxy localhost:${toString port}";
# in ''
# ${gensub "navidrome"} {
# ${tls}
# ${rpPort config.services.navidrome.settings.Port}
# }
# '';
virtualHosts = let
authelia = "localhost:${toString autheliaPort}";
in
builtins.mapAttrs (n: v:
{
useACMEHost = domain;
hostName = "${n}.${domain}:${toString caddyPort}";
}
// v) {
navidrome.extraConfig = ''
reverse_proxy localhost:${toString config.services.navidrome.settings.Port}
'';
auth.extraConfig = "reverse_proxy ${authelia}";
#jellyfin.extraConfig = "reverse_proxy localhost:8096"; # TODO tmp off since i dont have proper auth yet
other = {
hostName = ":${toString caddyPort}";
extraConfig = ''
respond 404 {
body "no such route you dummy"
}
'';
};
};
};
systemd.services.navidrome = {
vpnConfinement = {
enable = true;
vpnNamespace = "wg";
};
serviceConfig = {
PrivateTmp = true;
NoNewPrivileges = true;
RestrictSUIDSGID = true;
ProtectProc = "invisible";
};
};
## TODO might be unnecessary with authelia but specifying a custom PasswordEncryptionKey is recommended
services.navidrome = {
enable = true;
settings = {
Address = "localhost";
MusicFolder = "/media/library/music";
ReverseProxyWhitelist = "0.0.0.0/0"; # cant be accessed from outside since the navidrome port isnt mapped to outside of the wireguard namespace
};
};
systemd.services.authelia-main = {
vpnConfinement = {
enable = true;
vpnNamespace = "wg";
};
# serviceConfig.LoadCredential = [
# "users.yaml:${}"
# ];
};
services.authelia.instances.main = {
enable = true;
secrets = {
jwtSecretFile = config.sops.secrets.authelia_jwt_secret.path;
storageEncryptionKeyFile = config.sops.secrets.authelia_encryption_key.path;
sessionSecretFile = config.sops.secrets.authelia_session_secret.path;
};
settings = {
# might change this to info in the future, for now its nice seeing debug messages if something goes wrong
log.level = "debug";
access_control = {
default_policy = "deny";
rules = [
{
domain = "*.${domain}";
policy = "one_factor"; # using totp requires me to set up smtp support :(
}
];
};
theme = "auto";
default_2fa_method = "totp";
## use ldap backend, not yaml file
## https://www.authelia.com/configuration/first-factor/ldap/
# default_redirection_url = "https://auth.${domain}/";
notifier.filesystem.filename = "/tmp/authelia-notifier.txt"; ## TODO change this to something reasonable
authentication_backend = {
password_reset.disable = true;
file.path = pkgs.writers.writeYAML "users.yaml" {
users.xun = {
disabled = false;
displayname = "xun";
password = "$argon2id$v=19$m=65536,t=3,p=4$cwYrForToKZn7+urMrSXuQ$PStkqPlo/7/GZ+hMsJXfOyZ0WijNtuZpaHWyZUuBWBY";
email = "xunuwu@gmail.com";
groups = ["admin"];
};
};
};
storage.postgres = {
address = "unix:///run/postgresql";
database = "authelia-main";
# this isnt used, ensureDBOwnership allows us to auth to postgres using unix users
username = "authelia-main";
password = "unused";
};
session.cookies = [
{
domain = domain;
authelia_url = "https://auth.${domain}";
default_redirection_url = "https://invalid.${domain}"; # TODO replace with overview thing mayb
}
];
## TODO: https://www.authelia.com/integration/proxies/forwarded-headers/#cloudflare
server = {
address = "127.0.0.1:${toString autheliaPort}";
endpoints.authz.forward-auth.implementation = "ForwardAuth";
};
};
};
services.postgresql = let
databases = ["authelia-main"];
in {
enable = true;
ensureDatabases = databases;
ensureUsers = lib.singleton {
name = "authelia-main";
ensureDBOwnership = true;
};
};
systemd.services.jellyfin.vpnConfinement = {
enable = true;
vpnNamespace = "wg";
};
services.jellyfin = {
enable = true;
};
services.prometheus = {
enable = true;
port = 9001;
extraFlags = ["--storage.tsdb.retention.time=30d"];
scrapeConfigs = [
{
job_name = config.networking.hostName;
static_configs = [
{
targets = ["127.0.0.1:${toString config.services.prometheus.exporters.node.port}"];
}
];
}
];
};
services.prometheus.exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
};
};
# services.grafana = {
# enable = true;
# domain = "grafana.hopper";
# addr = "127.0.0.1";
# security = {
# adminUser = "admin";
# adminPasswordFile = config.sops.secrets.grafana-pass.path;
# };
# };
## TODO: add forgejo
## ignore this its cringe and ill prob remove it later idk, its also pasted from someone else, idk who tho ##
systemd.services.vpn-test-service = {
enable = true;
vpnConfinement = {
enable = true;
vpnNamespace = "wg";
};
script = "${pkgs.writeShellApplication {
name = "vpn-test";
runtimeInputs = with pkgs; [util-linux unixtools.ping coreutils curl bash libressl netcat-gnu openresolv dig];
text = ''
cd "$(mktemp -d)"
# DNS information
dig google.com
# Print resolv.conf
echo "/etc/resolv.conf contains:"
cat /etc/resolv.conf
# Query resolvconf
# echo "resolvconf output:"
# resolvconf -l
# echo ""
# Get ip
echo "Getting IP:"
curl -s ipinfo.io
echo -ne "DNS leak test:"
curl -s https://raw.githubusercontent.com/macvk/dnsleaktest/b03ab54d574adbe322ca48cbcb0523be720ad38d/dnsleaktest.sh -o dnsleaktest.sh
chmod +x dnsleaktest.sh
./dnsleaktest.sh
'';
}}/bin/vpn-test";
};
}


@ -1,18 +0,0 @@
{pkgs, ...}: {
imports = [
./tools.nix
./sway.nix
];
environment.systemPackages = with pkgs; [
firefox
];
isoImage.edition = "sway-custom";
networking.hostName = "liveiso";
nixpkgs.hostPlatform = "x86_64-linux";
system.stateVersion = "23.11";
}


@ -1,17 +0,0 @@
{modulesPath, ...}: {
imports = [
"${modulesPath}/installer/cd-dvd/installation-cd-graphical-base.nix"
];
programs.sway = {
enable = true;
};
services.displayManager = {
sddm.enable = true;
autoLogin = {
enable = true;
user = "nixos";
};
};
}


@ -1,7 +0,0 @@
{pkgs, ...}: {
environment.systemPackages = with pkgs; [
neovim
parted
gparted
];
}


@ -1,94 +0,0 @@
{config, ...}: {
security.acme = {
acceptTerms = true;
defaults = {
email = "xunuwu@gmail.com";
reloadServices = ["podman-caddy.service"];
};
certs = {
"xun.cam" = {
dnsProvider = "cloudflare";
credentialFiles = {
CF_DNS_API_TOKEN_FILE = config.sops.secrets.cloudflare.path;
};
extraDomainNames = ["jellyfin.desktop.xun.cam"];
};
};
};
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
dockerSocket.enable = true;
};
systemd.tmpfiles.rules = [
"d /media/config/caddy/data 0750 root root -"
"d /media/config/caddy/config 0750 root root -"
"d /media/config/jellyfin/config 0750 root root -"
"d /media/config/jellyfin/cache 0750 root root -"
"d /media/library 0750 root root -"
];
virtualisation.oci-containers = {
backend = "podman";
containers = {
gluetun = {
image = "qmcgaw/gluetun:v3";
volumes = [
"${config.sops.secrets.wireguard.path}:/gluetun/wireguard/wg0.conf"
];
ports = [
## This bypasses the firewall
## use 127.0.0.1:XXXX:XXXX if you only want it to be accessible locally
"8096:8096" # jellyfin local network
"60926:60926" # jellyfin
];
environment = {
VPN_SERVICE_PROVIDER = "airvpn";
VPN_TYPE = "wireguard";
SERVER_COUNTRIES = "Netherlands";
FIREWALL_VPN_INPUT_PORTS = "60926";
};
extraOptions = [
"--cap-add=NET_ADMIN"
"--device=/dev/net/tun:/dev/net/tun"
];
};
jellyfin = {
image = "jellyfin/jellyfin";
volumes = [
"/media/config/jellyfin/config:/config"
"/media/config/jellyfin/cache:/cache"
"/media/library:/library"
];
dependsOn = ["gluetun"];
extraOptions = [
"--network=container:gluetun"
"--device=/dev/dri:/dev/dri"
];
};
caddy = {
image = "caddy";
volumes = [
"${builtins.toFile "Caddyfile" ''
https://jellyfin.desktop.xun.cam:60926 {
tls /etc/ssl/certs/xun.cam/cert.pem /etc/ssl/certs/xun.cam/key.pem
reverse_proxy localhost:8096
}
''}:/etc/caddy/Caddyfile"
"/var/lib/acme/xun.cam:/etc/ssl/certs/xun.cam"
"/media/config/caddy/data:/data"
"/media/config/caddy/config:/config"
];
dependsOn = ["gluetun"];
extraOptions = [
"--network=container:gluetun"
];
};
};
};
}