jahanson/mochi
1
0
Fork 0
Code Issues 1 Pull requests 2 Projects Releases Packages Wiki Activity Actions

Compare commits

base: jahanson:main
Branches Tags
jahanson:main
jahanson:renovate/ghcr.io-koush-scrypted-0.x
jahanson:renovate/docker.io-ollama-ollama-0.x
jahanson:qbittorrent
jahanson:talos-pxe-bootstrap
jahanson:update_flake_lock_action
jahanson:renovate/lock-file-maintenance
..
compare: jahanson:talos-pxe-bootstrap
Branches Tags
jahanson:renovate/ghcr.io-koush-scrypted-0.x
jahanson:renovate/docker.io-ollama-ollama-0.x
jahanson:main
jahanson:qbittorrent
jahanson:talos-pxe-bootstrap
jahanson:update_flake_lock_action
jahanson:renovate/lock-file-maintenance

1 commit
main ... talos-pxe-

Author SHA1 Message Date
Joseph Hanson
c009df2813
Initial commit -- Talos PXE Bootstrap scripts 
Takes talhelper `talconfig.yaml` and downloads the assets, then
generates ignition and matchbox configuration based on your machines
defined in `talconfig.yaml`.
 2024-08-21 16:33:35 -05:00
217 changed files with 3250 additions and 23545 deletions
Show stats Expand all files Collapse all files

36
.archive/flake.nix
View file

@ -1,36 +0,0 @@
{
"durincore" = mkNixosConfig {
# T470 Thinkpad Intel i7-6600U
# Backup Nix dev laptop
hostname = "durincore";
system = "x86_64-linux";
hardwareModules = [
./nixos/profiles/hw-thinkpad-t470.nix
inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t470s
];
profileModules = [
./nixos/profiles/role-workstation.nix
./nixos/profiles/role-dev.nix
{home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix;}
];
};
"legiondary" = mkNixosConfig {
# Legion 15arh05h AMD/Nvidia Ryzen 7 4800H
# Nix dev/gaming laptop
hostname = "legiondary";
system = "x86_64-linux";
hardwareModules = [
inputs.nixos-hardware.nixosModules.lenovo-legion-15arh05h
./nixos/profiles/hw-legion-15arh05h.nix
disko.nixosModules.disko
(import ./nixos/profiles/disko-nixos.nix {disks = ["/dev/nvme0n1"];})
];
profileModules = [
./nixos/profiles/role-dev.nix
./nixos/profiles/role-gaming.nix
./nixos/profiles/role-workstation.nix
{home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix;}
];
};
}

83
.archive/home/modules/programs/de/gnome/default.nix
View file

@ -1,83 +0,0 @@
# Adjusted manually from generated output of dconf2nix
# https://github.com/gvolpe/dconf2nix
{
lib,
pkgs,
osConfig,
...
}:
with lib.hm.gvariant; {
config = lib.mkIf osConfig.mySystem.de.gnome.enable {
# add user packages
home.packages = with pkgs; [
dconf2nix
];
# worked out from dconf2nix
# `dconf dump / | dconf2nix > dconf.nix`
# can also dconf watch
dconf.settings = {
"org/gnome/mutter" = {
edge-tiling = true;
workspaces-only-on-primary = false;
};
"org/gnome/settings-daemon/plugins/media-keys" = {
home = ["<Super>e"];
};
"org/gnome/desktop/wm/preferences" = {
workspace-names = [
"sys"
"talk"
"web"
"edit"
"run"
];
button-layout = "appmenu:minimize,close";
};
"org/gnome/shell" = {
disabled-extensions = [
"apps-menu@gnome-shell-extensions.gcampax.github.com"
"light-style@gnome-shell-extensions.gcampax.github.com"
"places-menu@gnome-shell-extensions.gcampax.github.com"
"drive-menu@gnome-shell-extensions.gcampax.github.com"
"window-list@gnome-shell-extensions.gcampax.github.com"
"workspace-indicator@gnome-shell-extensions.gcampax.github.com"
];
enabled-extensions = [
"appindicatorsupport@rgcjonas.gmail.com"
"caffeine@patapon.info"
"dash-to-dock@micxgx.gmail.com"
"gsconnect@andyholmes.github.io"
"Vitals@CoreCoding.com"
"sp-tray@sp-tray.esenliyim.github.com"
];
favorite-apps = [
"com.mitchellh.ghostty.desktop"
"vivaldi-stable.desktop"
"obsidian.desktop"
"code.desktop"
"vesktop.desktop"
];
};
"org/gnome/nautilus/preferences" = {
default-folder-viewer = "list-view";
};
"org/gnome/nautilus/icon-view" = {
default-zoom-level = "small";
};
"org/gnome/desktop/interface" = {
color-scheme = "prefer-dark";
};
"org/gnome/desktop/peripherals/touchpad" = {
tap-to-click = false;
};
"org/gnome/desktop/interface" = {
clock-format = "12h";
show-battery-percentage = true;
};
"org/gnome/settings-daemon/plugins/power" = {
ambient-enabled = false;
};
};
};
}

51
.archive/hosts/durincore/default.nix
View file

@ -1,51 +0,0 @@
{...}: {
config = {
networking.hostId = "ad4380db";
networking.hostName = "durincore";
# Kernel mods
boot = {
initrd = {
availableKernelModules = [
"xhci_pci"
"nvme"
"usb_storage"
"sd_mod"
];
kernelModules = [];
};
kernelModules = ["kvm-intel"];
extraModulePackages = [];
};
fileSystems = {
"/" = {
device = "rpool/root";
fsType = "zfs";
};
"/home" = {
device = "rpool/home";
fsType = "zfs";
};
"/boot" = {
device = "/dev/disk/by-uuid/F1B9-CA7C";
fsType = "vfat";
options = [
"fmask=0077"
"dmask=0077"
];
};
};
swapDevices = [];
# System settings and services.
mySystem = {
system.motd.networkInterfaces = [
"enp0s31f6"
"wlp4s0"
];
};
};
}

16
.archive/hosts/gandalf/config/disks.nix
View file

@ -1,16 +0,0 @@
[
"/dev/disk/by-id/ata-Seagate_IronWolfPro_ZA240NX10001-2ZH100_7TF002RA"
"/dev/disk/by-id/nvme-Samsung_SSD_960_EVO_250GB_S3ESNX0K308438J"
"/dev/disk/by-id/scsi-350000c0f02f0830c"
"/dev/disk/by-id/scsi-350000c0f01e7d190"
"/dev/disk/by-id/scsi-350000c0f01ea443c"
"/dev/disk/by-id/scsi-350000c0f01f8230c"
"/dev/disk/by-id/scsi-35000c500586e5057"
"/dev/disk/by-id/scsi-35000c500624a0ddb"
"/dev/disk/by-id/scsi-35000c500624a1a8b"
"/dev/disk/by-id/scsi-35000cca046135ad8"
"/dev/disk/by-id/scsi-35000cca04613722c"
"/dev/disk/by-id/scsi-35000cca0461810f8"
"/dev/disk/by-id/scsi-35000cca04618b930"
"/dev/disk/by-id/scsi-35000cca04618cec4"
]

48
.archive/hosts/gandalf/config/incus-preseed.nix
View file

@ -1,48 +0,0 @@
{...}: {
config = {
"core.https_address" = "10.1.1.15:8445"; # Need quotes around key
};
networks = [
{
config = {
"ipv4.address" = "auto"; # Need quotes around key
"ipv6.address" = "auto"; # Need quotes around key
};
description = "";
name = "incusbr0";
type = "";
project = "default";
}
];
storage_pools = [
{
config = {
source = "eru/incus";
};
description = "";
name = "default";
driver = "zfs";
}
];
profiles = [
{
config = {};
description = "";
devices = {
eth0 = {
name = "eth0";
network = "incusbr0";
type = "nic";
};
root = {
path = "/";
pool = "default";
type = "disk";
};
};
name = "default";
}
];
projects = [];
cluster = null;
}

185
.archive/hosts/gandalf/default.nix
View file

@ -1,185 +0,0 @@
# Do not modify this file! It was generated by 'nixos-generate-config'
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
inputs,
...
}:
# let
# sanoidConfig = import ./config/sanoid.nix { };
# disks = import ./config/disks.nix;
# smartdDevices = map (device: { inherit device; }) disks;
# in
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
inputs.disko.nixosModules.disko
(import ../../profiles/disko-nixos.nix {disks = ["/dev/sda"];})
];
boot = {
initrd = {
availableKernelModules = [
"ehci_pci"
"ahci"
"mpt3sas"
"isci"
"usbhid"
"usb_storage"
"sd_mod"
];
kernelModules = ["nfs"];
supportedFilesystems = ["nfs"];
};
kernelModules = [
"kvm-intel"
"vfio"
"vfio_iommu_type1"
"vfio_pci"
"vfio_virqfd"
];
extraModulePackages = [];
kernelParams = [
"iommu=pt"
"intel_iommu=on"
"zfs.zfs_arc_max=107374182400"
]; # 100GB
};
swapDevices = [];
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAGSFTSVPt43PBpSMSF1dGTzN2JbxztDZUml7g4+PnWe CSI-Driver@talos"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBROTzSefJGJeCNUgNLbE5l4sHHg2fHUO4sCwqvP+zAd root@Gollum"
];
# Network settings
networking = {
hostName = "gandalf";
hostId = "e2fc95cd";
useDHCP = false; # needed for bridge
networkmanager.enable = true;
firewall.enable = false;
nftables.enable = false;
interfaces = {
"enp130s0f0".useDHCP = true;
"eno1".useDHCP = true;
};
};
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# VSCode Compatibility Settings
programs.nix-ld.enable = true;
services.vscode-server = {
enable = true;
};
# Home Manager
home-manager.users.jahanson = {
# Git settings
# TODO: Move to config module.
programs.git = {
enable = true;
userName = "Joseph Hanson";
userEmail = "joe@veri.dev";
extraConfig = {
core.autocrlf = "input";
init.defaultBranch = "main";
pull.rebase = true;
rebase.autoStash = true;
};
};
};
# sops
sops = {
secrets = {
"borg/repository/passphrase" = {
sopsFile = ./secrets.sops.yaml;
};
"syncthing/publicCert" = {
sopsFile = ./secrets.sops.yaml;
owner = "jahanson";
mode = "400";
restartUnits = ["syncthing.service"];
};
"syncthing/privateKey" = {
sopsFile = ./secrets.sops.yaml;
owner = "jahanson";
mode = "400";
restartUnits = ["syncthing.service"];
};
};
};
services = {
# Smart daemon for monitoring disk health.
smartd = {
# devices = smartdDevices;
# Short test every day at 2:00 AM and long test every Sunday at 4:00 AM.
defaults.monitored = "-a -o on -s (S/../.././02|L/../../7/04)";
};
# ZFS Exporter
prometheus.exporters.zfs.enable = true;
# samba = {
# enable = true;
# settings = import ./config/samba-config.nix { };
# openFirewall = true;
# };
};
# System settings and services.
mySystem = {
purpose = "Production";
system = {
motd.networkInterfaces = [
"enp130s0f0"
"eno1"
];
# Incus
# incus = {
# enable = true;
# preseed = import ./config/incus-preseed.nix { };
# webuiport = 8445;
# };
# ZFS
zfs.enable = true;
# zfs.mountPoolsAtBoot = [ "eru" ];
# NFS
nfs.enable = true;
};
services = {
libvirt-qemu.enable = true;
podman.enable = true;
# Syncthing
syncthing = {
enable = true;
user = "jahanson";
publicCertPath = config.sops.secrets."syncthing/publicCert".path;
privateKeyPath = config.sops.secrets."syncthing/privateKey".path;
};
# # Scrutiny
# scrutiny = {
# enable = true;
# devices = disks;
# extraCapabilities = [ "SYS_RAWIO" ];
# containerVolumeLocation = "/eru/containers/volumes/scrutiny";
# port = 8585;
# };
# Sanoid
# sanoid = {
# enable = true;
# inherit (sanoidConfig.outputs) templates datasets;
# };
};
};
}

65
.archive/hosts/gandalf/secrets.sops.yaml
View file

@ -1,65 +0,0 @@
lego:
dnsimple:
token: ENC[AES256_GCM,data:xWFVA0xhifz+odHKmGaGswT6fZ4G70clfS8AzbWnxc18JF4e75dcG6BhiA==,iv:B4pNvag4nSrw1LwL/OGyXdEcw0gZeBFBBcNzqlimjYc=,tag:ta8l7XqbQqLO+ll8Wr+mug==,type:str]
borg:
repository:
passphrase: ENC[AES256_GCM,data:qyqATupWXH5Gjx7t1660mvC1YUU=,iv:GhEbT8x5+SNXcF3b3ITk+3Dsv5PxzR56JSEufxQUBio=,tag:qWanlk8ox2uoFtyK7aiMcg==,type:str]
syncthing:
publicCert: ENC[AES256_GCM,data:q8EYRAkpwrTF8dodEH84ycDAhADLZ1uJvnArn698bueLgxtP4FHgsAHJXADtLj5/KBVJRNSBMl592wNLF9UVg0OM2b+KnMaLcVH6VHlpTQIzQBjVRjjlfU/uUfvDWXcXvfKdkS3RvDMDtR9vD3MRjdLIqjKY+7swmP2L2+WWyMXsZ3dgFvxpzH/yDekklxj8c0QVb+YJV858nNPvTKc8wkbcovsQiIQICmHhxAVU3Y51pjFXYTDaMGS/RkL47JYjYDpkCdetqe0R1wePlz5t7wbNSlg1u9d4xVtcW3yoqLErBI4ArleA/PPNflSzpx6WVLYXZ9T0BzYvDObt5VfpZ7zhNBTzXD0cvQZKyUWD6yY17JcJ+zQQiQqajSnhg8Iv4E/rwy0pRUM+YCBX2D7SiLpnlqYvHHAT8zMHpq0x/iw0t6h4ypxVVr9MU2LxfFxTbfgabJB94nxr/lk0/ONGq+gCxf3K0NOW5n6IDCB3o75KIqIG631E7F6WK2EmXF4KgS8EQEJVWWj4GKcB5dKGI+/jz3MUB4JXVLhME3X3ReDQbkZjr2OmIs6KbxuxWR5TSEj5G/sTXRxpqdKkE/aVfQMYoj7LCP4+HdM6NGP+irOSMSSC4PoHJPYtVDLluNKE+K/4w1MUK0m6EzdNrfHggY/0oS7UF5VCLrHZCNkI7CAIyVoR0A3kOMYhWjwIxDoQCSA1E/kJqYaB0dChL451xXKjvMkPQajZHK9kU/tRTcaAFgAwdLR8SYDpvN7eb1Zf6Cc4g0qP7BKA4FIqBjS+0bNobgO6oiH4TmsmIseLvevnhT0nRu3t/Lmuf2nFxAOlXyvHEp/6ulMIY+aOVcLRpi/5UjbL4rQTddHS0Y/54ofZcnD/yXiUafJAYzk/vmM3RTCj1qzmT8olw2n092LiQ7SjCIIs5PAIqWsq0O/YnyJlE7t83UcfES23DrLjc7ewcskSqG3GsPVp6qCz7/9nFgS7Sr6yHRMKGTCHSzGVlxXP4bHsDfe+DZc0R9ll67AjfErLDVlrwHOo2dpiXWcZD0Rs86h0dVCYSUE=,iv:0b7Jpbp4AXt7ngAZo5J5Fah8LByfmBRJwXQiGU5E0aY=,tag:he2qKsX5ne7tMRyc1EVFGw==,type:str]
privateKey: ENC[AES256_GCM,data:2BzXadahdEIAyllwmBLYeiNciPaQ0Ds/MJ450hX361SzNOkSsV/Wpbhr1plG6MyTc72BmD8C++5hlSCrD1O3C8mpKFNKV7om7NEJ36DSnpHlKFwmTvoQQw7cscBpZokWlgBlsRbbnrWWaac+k9tQp2pOfPscwKWMkULxR/59TsvLO5b0tZp8G5uL+Ah00x0eVtqqE/o2mQ7YpH80sgv3qHGKImyflMugvd8CKm6R2pYEN6K3Aw+N8ReVSoKXu7oaoxutHzLjuEMYlXJa1UnbE/8uajhIwXy5XcAHHywrPl4vDm9Jer+7fn8qqslBDD13bSiwuh0+LtB6QS72pg70sHPK/uuNcAbMcJ00Bwx1IsuLah3I2r3yZdh+co5qxcG6,iv:HWAhyDTP8cryZusGyemzr11Ax821aEl/a3O/wXMbPNY=,tag:uK3mGe/bvsmmCGjidKp77g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBla1U3d01iTzIxZE9SNFZL
UTJZVDFhN3FUaGxCQkxQQlRwMzZPbTVZQkVFCm85eXQvZUNQVWtISTFCYVh0ZUxP
ZE9MRnF4aDZoSGtXNUg3by92S2FYNVkKLS0tIHJta016cmNPNFhTSVdrc2dDRmx0
MlNlMHhxQk5wUThFYTZyVjIraXJGYVUKMvTxkSUbaxDj2yy+XpFLyjNeGQkXTLfV
onQ8JwVJ3ZP94O/hBlLsa8/akggDatKVKoDKZI3UrypNA5tWQr4uwQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUUHpzUy9EaCtKRTRMNi8y
bHcvMlhWSDMyRGk5eHhLV1dMMEU2L0MrbFRRCjJnWjZVazdDbmZiaWlLZm95blFa
Um5qZFBXcEg2cTN0aDYxd2FlT1RuVzgKLS0tIDBpZHZ1bDhUWXZKS2prYnlnaVFB
cEVhTnMvTENleDlzRERZc0JnVEtBcmMKSFePvV4GOeD297tSpKy6Xb+XNfNhjSHM
j3X3tA+Q0W1H17RijW1h4dyj5qzQsrSf7DSpIxXqwzamEVV40Z3nHA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nkpq8lr09vamgvf8cvzemqjyr3ex8w7azfupdr2gverz9j5zgemsv99t0z
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXMlVTWFkwcXhBOWJCL0ds
TXUxOHNmclRKczRJYzVOMFdMNG5Qb2sxeDJ3CklNa3MzbXc5ZGZSeHk4d3hmWnNo
dnFVOTB6QUxUTDQya0ZneWZiM0lyUjAKLS0tIFdoVlg0Unl0aDB0VjRQMit0Mmkr
YjVJejg0RVB1U2Rybk1iM1RraXIwbWsKRaqoxEytcx4JhoHFYeL0QBtOhGrqrZjn
z090Ml8zukXq/UVnWlt8GwIf9yKkDSixNywZJZF58/9omOpoHagv7Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBMHNsaTRqb0hkdUFhV1VO
QzBHekV3c1VJTVQ5VUNqWnJFSWJlM1JWTUZRCk55bFVrRUxFV2Vpb0Rvc0pZRGN4
ZThTMWd0SGFoYVZ3cG9TNGZKd1hpd0kKLS0tIEpLTzlBN3FuaXhCQ1ErZG1LaGgx
cDNDdDNteVI1ZHBtZUdtSEVxN3RtaFUKntQ9CvSB8BUrJctW3Rj7dxWwgIPGrdVP
hLsD6xe4LHoG/hChRamhQOnI0AvubkeXWMWhLU11NT5KFspEsmIlXA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwaTM3RzAyUG4zTFk5WFB0
anFsNG9QY1p1NTRObFVQL3pLL0V4cm13RnhJCjh4MGhZaHI0WXVoWHY3M3dwRDYw
QXpIRjlkZEUydThQVXZxSFI0MjMwVFUKLS0tIGFiYmE5UTQ0NnM5dktZbGZPcmE1
REM5NHVzUy9rRkNQL3hjU0lRQklXeFUKhcDEgKFwhoGWPS6JDsgvFeb52H0N6Foh
10hkCG4eftdrfT1r0Fxcr4LD1oHgOZN61Kfvr0t4UqoEOnLMxOPM/Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-09T06:33:41Z"
mac: ENC[AES256_GCM,data:Eb/ss98+IxI2RL3Iu7VHIYko7YOiPZhkIUAYF5UNAwyNZsqjiPKtxFejjtuixTzCVuKejSZBkYTCcd5QI9SquQhh9TloTg9lsEI94+vMn7hiJW816rsllx+cvaKM/MVYOaVX1R50QKpzjsjT1hZR8XVQUm1s3pmwaZi9KSesc18=,iv:RtODAtOjuTcWJzCJoHRXj9tp3lC5XYG0+upBPnAas1g=,tag:pOES1vOW7u9tSHkWaPJ1ag==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4

70
.archive/hosts/legiondary/default.nix
View file

@ -1,70 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
networking.hostId = "2132e3bf";
networking.hostName = "legiondary";
boot = {
initrd.availableKernelModules = [
"xhci_pci"
"nvme"
"ahci"
"usb_storage"
"usbhid"
"sd_mod"
];
initrd.kernelModules = [];
kernelModules = ["kvm-amd"];
extraModulePackages = [];
};
fileSystems = {
"/" = {
device = "zroot/root";
fsType = "zfs";
};
"/nix" = {
device = "zroot/nix";
fsType = "zfs";
};
"/var" = {
device = "zroot/var";
fsType = "zfs";
};
"/home" = {
device = "zroot/home";
fsType = "zfs";
};
};
# fileSystems."/boot" =
# { device = "/dev/disk/by-uuid/E532-B74A";
# fsType = "vfat";
# options = [ "fmask=0022" "dmask=0022" ];
# };
swapDevices = [];
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# System settings and services.
mySystem = {
purpose = "Development";
system.motd.networkInterfaces = [
"eno1"
"wlp4s0"
];
};
}

57
.archive/modules/nixos/containers/unifi/default.nix
View file

@ -1,57 +0,0 @@
{
lib,
config,
...
}:
with lib; let
app = "unifi";
# renovate: depName=goofball222/unifi datasource=github-releases
version = "8.4.62";
cfg = config.mySystem.services.${app};
appFolder = "/eru/containers/volumes/${app}";
in
# persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}";
{
options.mySystem.services.${app} = {
enable = mkEnableOption "${app}";
};
config = mkIf cfg.enable {
networking.firewall.interfaces = {
enp130s0f0 = {
allowedTCPPorts = [8443];
};
podman0 = {
allowedTCPPorts = [
8080
8443
8880
8843
];
allowedUDPPorts = [3478];
};
};
virtualisation.oci-containers.containers.${app} = {
image = "ghcr.io/goofball222/unifi:${version}";
autoStart = true;
ports = [
"3478:3478/udp" # STUN
"8080:8080" # inform controller
"8443:8443" # https
"8880:8880" # HTTP portal redirect
"8843:8843" # HTTPS portal redirect
];
environment = {
TZ = "America/Chicago";
RUNAS_UID0 = "false";
PGID = "102";
PUID = "999";
};
volumes = [
"${appFolder}/cert:/usr/lib/unifi/cert"
"${appFolder}/data:/usr/lib/unifi/data"
"${appFolder}/logs:/usr/lib/unifi/logs"
];
};
};
}

6
.archive/modules/nixos/de/default.nix
View file

@ -1,6 +0,0 @@
{
imports = [
./gnome.nix
./kde.nix
];
}

115
.archive/modules/nixos/de/gnome.nix
View file

@ -1,115 +0,0 @@
{
lib,
config,
pkgs,
...
}: let
cfg = config.mySystem.de.gnome;
in {
options = {
mySystem.de.gnome = {
enable =
lib.mkEnableOption "GNOME"
// {
default = false;
};
systrayicons =
lib.mkEnableOption "Enable systray icons"
// {
default = true;
};
gsconnect =
lib.mkEnableOption "Enable gsconnect (KDEConnect for GNOME)"
// {
default = true;
};
};
};
config = lib.mkIf cfg.enable {
# Ref: https://nixos.wiki/wiki/GNOME
# GNOME plz
services = {
displayManager = {
defaultSession = "gnome";
autoLogin = {
enable = false;
user = "jahanson"; # TODO move to config overlay
};
};
xserver = {
enable = true;
xkb.layout = "us"; # `localctl` will give you
displayManager = {
gdm.enable = true;
};
desktopManager = {
# GNOME
gnome.enable = true;
};
};
udev.packages = lib.optionals cfg.systrayicons [pkgs.gnome.gnome-settings-daemon]; # support appindicator
};
# systyray icons
# extra pkgs and extensions
environment = {
systemPackages = with pkgs;
[
wl-clipboard # ls ~/Downloads | wl-copy or wl-paste > clipboard.txt
playerctl # gsconnect play/pause command
pamixer # gcsconnect volume control
gnome.gnome-tweaks
gnome.dconf-editor
# This installs the extension packages, but
# dont forget to enable them per-user in dconf settings -> "org/gnome/shell"
gnomeExtensions.vitals
gnomeExtensions.caffeine
gnomeExtensions.dash-to-dock
]
++ optionals cfg.systrayicons [pkgs.gnomeExtensions.appindicator];
};
# enable gsconnect
# this method also opens the firewall ports required when enable = true
programs.kdeconnect = lib.mkIf cfg.gsconnect {
enable = true;
package = pkgs.gnomeExtensions.gsconnect;
};
# GNOME connection to browsers - requires flag on browser as well
services.gnome.gnome-browser-connector.enable = lib.any (user: user.programs.firefox.enable) (
lib.attrValues config.home-manager.users
);
# And dconf
programs.dconf.enable = true;
# Exclude default GNOME packages that dont interest me.
environment.gnome.excludePackages =
(with pkgs; [
gnome-photos
gnome-tour
gedit # text editor
])
++ (with pkgs.gnome; [
cheese # webcam tool
gnome-music
gnome-terminal
epiphany # web browser
geary # email reader
evince # document viewer
gnome-characters
totem # video player
tali # poker game
iagno # go game
hitori # sudoku game
atomix # puzzle game
]);
};
}

70
.archive/modules/nixos/de/kde.nix
View file

@ -1,70 +0,0 @@
{
lib,
config,
pkgs,
...
}: let
cfg = config.mySystem.de.kde;
flameshotOverride = pkgs.unstable.flameshot.override {enableWlrSupport = true;};
in {
options = {
mySystem.de.kde = {
enable =
lib.mkEnableOption "KDE"
// {
default = false;
};
};
};
config = lib.mkIf cfg.enable {
# Ref: https://wiki.nixos.org/wiki/KDE
# KDE
services = {
displayManager = {
sddm = {
enable = true;
wayland = {
enable = true;
};
};
};
desktopManager.plasma6.enable = true;
};
security = {
# realtime process priority
rtkit.enable = true;
# KDE Wallet PAM integration for unlocking the default wallet on login
pam.services."sddm".kwallet.enable = true;
};
# enable pipewire for sound
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
};
# extra pkgs and extensions
environment = {
systemPackages = with pkgs; [
wl-clipboard # ls ~/Downloads | wl-copy or wl-paste > clipboard.txt
playerctl # gsconnect play/pause command
vorta # Borg backup tool
flameshotOverride # screenshot tool
libsForQt5.qt5.qtbase # for vivaldi compatibility
kdePackages.discover # KDE software center -- mainly for flatpak updates
];
};
# enable kdeconnect
# this method also opens the firewall ports required when enable = true
programs.kdeconnect = {
enable = true;
};
};
}

33
.archive/modules/nixos/services/vault/default.nix
View file

@ -1,33 +0,0 @@
{
config,
lib,
pkgs,
...
}: let
cfg = config.mySystem.services.vault;
in {
options.mySystem.services.vault = {
enable = lib.mkEnableOption "vault";
address = lib.mkOption {
type = lib.types.str;
default = "127.0.0.1:8200";
description = "Address of the Vault server";
example = "127.0.0.1:8200";
};
};
config = lib.mkIf cfg.enable {
services.vault = {
enable = true;
package = pkgs.unstable.vault;
address = cfg.address;
dev = false;
storageBackend = "raft";
extraConfig = ''
api_addr = "http://127.0.0.1:8200"
cluster_addr = "http://127.0.0.1:8201"
ui = true
'';
};
};
}

14
.archive/modules/nixos/services/vault/resources/vault-config.hcl
View file

@ -1,14 +0,0 @@
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = true
}
storage "raft" {
path = "/var/lib/vault/data"
node_id = "node1"
}
disable_mlock = true
api_addr = "http://localhost:8200"
cluster_addr = "http://localhost:8201"
ui = true

59
.archive/profiles/disko-telchar.nix
View file

@ -1,59 +0,0 @@
{
disko.devices = {
disk = {
main = {
type = "disk";
device = "/dev/disk/by-diskseq/1";
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
start = "1M";
end = "128M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
size = "100%";
content = {
type = "btrfs";
extraArgs = ["-f"]; # Override existing partition
# Subvolumes must set a mountpoint in order to be mounted,
# unless their parent is mounted
subvolumes = {
# Subvolume name is different from mountpoint
"/rootfs" = {
mountpoint = "/";
};
# Subvolume name is the same as the mountpoint
"/home" = {
mountOptions = ["compress=zstd"];
mountpoint = "/home";
};
# Sub(sub)volume doesn't need a mountpoint as its parent is mounted
"/home/user" = {};
# Parent is not mounted so the mountpoint must be set
"/nix" = {
mountOptions = [
"compress=zstd"
"noatime"
];
mountpoint = "/nix";
};
};
mountpoint = "/partition-root";
};
};
};
};
};
};
};
}

8
.editorconfig
View file

@ -2,15 +2,7 @@ root = true
[*]
end_of_line = lf
insert_final_newline = true
indent_style = space
indent_size = 2
charset = utf-8
trim_trailing_whitespace = true
[*.{yaml,yml,json5}]
indent_style = space
indent_size = 2
[*.md]
indent_size = 4
trim_trailing_whitespace = false

59
.forgejo/workflows/build.yaml
View file

@ -1,13 +1,13 @@
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: "Build"
on:
pull_request:
push:
branches:
- main
paths:
- ".forgejo/workflows/build.yaml"
- "flake.lock"
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
@ -20,14 +20,14 @@ jobs:
fail-fast: false
matrix:
include:
- system: varda
os: native-aarch64
- system: telchar
os: native-x86_64
- system: gandalf
os: native-x86_64
- system: telperion
os: native-x86_64
- system: shadowfax
os: native-x86_64
# - system: varda
# os: native-x86_64
runs-on: ${{ matrix.os }}
env:
PATH: ${{ format('{0}:{1}', '/run/current-system/sw/bin', env.PATH) }}
@ -37,7 +37,7 @@ jobs:
with:
fetch-depth: 0
- name: Set up Cachix
uses: https://github.com/cachix/cachix-action@v16
uses: https://github.com/cachix/cachix-action@v15
if: ${{ !github.event.pull_request.head.repo.fork }}
with:
name: hsndev
@ -46,8 +46,55 @@ jobs:
- name: Garbage collect build dependencies
run: nix-collect-garbage
- name: Build previous ${{ matrix.system }} system
shell: bash
run: |
nix build git+https://git.hsn.dev/jahanson/mochi#top.${{ matrix.system }} \
-v --log-format raw --profile ./profile
- name: Build new ${{ matrix.system }} system
shell: bash
run: |
nix build ".#top.${{ matrix.system }}" --profile ./profile --fallback -v \
> >(tee stdout.log) 2> >(tee /tmp/nix-build-err.log >&2)
- name: Check for build failure
if: failure()
run: |
drv=$(grep "For full logs, run" /tmp/nix-build-err.log | grep -oE "/nix/store/.*.drv")
if [ -n $drv ]; then
nix log $drv
echo $drv
fi
exit 1
- name: Diff profile
id: diff
run: |
nix profile diff-closures --profile ./profile
delimiter="$(openssl rand -hex 16)"
echo "diff<<${delimiter}" >> "${GITHUB_OUTPUT}"
nix profile diff-closures --profile ./profile | perl -pe 's/\e\[[0-9;]*m(?:\e\[K)?//g' >> "${GITHUB_OUTPUT}"
echo "${delimiter}" >> "${GITHUB_OUTPUT}"
# - name: Comment report in pr
# uses: https://github.com/marocchino/sticky-pull-request-comment@v2
# with:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# header: ".#top.${{ matrix.system }}"
# message: |
# ### Report for `${{ matrix.system }}`
# <summary> Version changes </summary> <br>
# <pre> ${{ steps.diff.outputs.diff }} </pre>
# - name: Push to Cachix
# if: success()
# env:
# CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
# run: nix build ".#top.${{ matrix.system }}" --json | jq -r .[].drvPath | cachix push hsndev
nix-build-success:
if: ${{ always() }}
needs:
- nix-build
name: Nix Build Successful
runs-on: docker
steps:
- if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}
name: Check matrix status
run: exit 1

5
.gitignore vendored
View file

@ -1,13 +1,8 @@
**/*.tmp.sops.yaml
**/*.sops.tmp.yaml
**/*sync-conflict*
age.key
result*
.decrypted~*
.direnv
.kube
.github
.profile
.idea
.secrets
.op

27
.pre-commit-config.yaml
View file

@ -9,12 +9,10 @@ repos:
- --config-file
- .yamllint.yaml
id: yamllint
exclude: "borgmatic-template.yaml"
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v5.0.0
rev: v4.6.0
hooks:
- id: trailing-whitespace
exclude: "borgmatic-template.yaml"
- id: end-of-file-fixer
- id: fix-byte-order-marker
- id: mixed-line-ending
@ -27,15 +25,14 @@ repos:
hooks:
- id: remove-crlf
- id: remove-tabs
exclude: (Makefile|Caddyfile)
# - repo: https://github.com/zricethezav/gitleaks
# rev: v8.23.3
# hooks:
# - id: gitleaks
# - repo: https://github.com/yuvipanda/pre-commit-hook-ensure-sops
# rev: v1.1
# hooks:
# - id: sops-encryption
# # Uncomment to exclude all markdown files from encryption
# # exclude: *.\.md
# files: .*secrets.*
exclude: (Makefile)
- repo: https://github.com/zricethezav/gitleaks
rev: v8.18.4
hooks:
- id: gitleaks
- repo: https://github.com/yuvipanda/pre-commit-hook-ensure-sops
rev: v1.1
hooks:
- id: sops-encryption
# Uncomment to exclude all markdown files from encryption
# exclude: *.\.md

4
.prettierrc
View file

@ -1,4 +0,0 @@
{
"quoteProps": "preserve",
"trailingComma": "none"
}

25
.sops.yaml
View file

@ -10,19 +10,24 @@
keys:
- users:
- &jahanson age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
- &jahanson age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
- hosts:
- &shadowfax age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
- &telchar age1nkpq8lr09vamgvf8cvzemqjyr3ex8w7azfupdr2gverz9j5zgemsv99t0z
- &telperion age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
- &varda age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
- &durincore age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
- &gandalf age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
- &legiondary age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
- &telperion age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
- &varda age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
- &telchar age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
creation_rules:
- path_regex: .*\.sops\.yaml$
key_groups:
- age:
- *jahanson
- *shadowfax
- *telchar
- *telperion
- *varda
- *durincore
- *gandalf
- *jahanson
- *legiondary
- *telchar
- *telperion
- *varda

3
.vscode/extensions.json vendored
View file

@ -1,6 +1,9 @@
{
"recommendations": [
"jnoortheen.nix-ide",
"mikestead.dotenv",
"redhat.ansible",
"redhat.vscode-yaml",
"signageos.signageos-vscode-sops",
"pkief.material-icon-theme",
"ms-vscode-remote.remote-ssh"

52
.vscode/settings.json vendored
View file

@ -1,46 +1,10 @@
{
"editor.fontFamily": "CaskaydiaMono Nerd Font Mono",
"files.associations": {
"*.json5": "jsonc"
},
"editor.hover.delay": 1500,
"editor.bracketPairColorization.enabled": true,
"editor.guides.bracketPairs": true,
"editor.guides.bracketPairsHorizontal": true,
"editor.guides.highlightActiveBracketPair": true,
"files.trimTrailingWhitespace": true,
"sops.defaults.ageKeyFile": "age.key",
"nix.enableLanguageServer": true,
"nix.serverPath": "nixd",
"nix.formatterPath": "alejandra",
"nix.serverSettings": {
"nixd": {
"formatting": {
"command": ["alejandra"]
},
"options": {
"nixos": {
"expr": "(builtins.getFlake \"/home/jahanson/projects/mochi\").nixosConfigurations.shadowfax.options"
}
}
},
"nix": {
"binary": "nix",
"maxMemoryMB": null,
"flake": {
"autoEvalInputs": true,
"autoArchive": true,
"nixpkgsInputName": "nixpkgs"
}
}
},
"[jsonc]": {
"editor.defaultFormatter": "esbenp.prettier-vscode"
},
"sops.binPath": "/run/current-system/sw/bin/sops",
"editor.formatOnSave": true,
"bashIde.explainshellEndpoint": "http://localhost:5000",
"bashIde.shellcheckPath": "/run/current-system/sw/bin/shellcheck",
"bashIde.shfmt.path": "/run/current-system/sw/bin/shfmt",
"mise.binPath": "/etc/profiles/per-user/jahanson/bin/mise"
"editor.fontFamily": "FiraCode Nerd Font",
"editor.hover.delay": 1500,
"editor.bracketPairColorization.enabled": true,
"editor.guides.bracketPairs": true,
"editor.guides.bracketPairsHorizontal": true,
"editor.guides.highlightActiveBracketPair": true,
"files.trimTrailingWhitespace": true,
"sops.defaults.ageKeyFile": "age.key",
}

35
README.md
View file

@ -2,30 +2,23 @@
## Goals
- [ ] Learn nix
- [ ] Services I want to separate from my kubernetes cluster I will use Nix.
- [ ] Approval-based update automation for flakes.
- [ ] Expand usage to other shell environments such as WSL, etc
- [ ] keep it simple, use trusted boring tools
- [ ] Learn nix
- [ ] Services I want to separate from my kubernetes cluster I will use Nix.
- [ ] Approval-based update automation for flakes.
- [ ] Expand usage to other shell environments such as WSL, etc
- [ ] keep it simple, use trusted boring tools
## TODO
- [x] Forgejo Actions
- [ ] Bring over hosts
- [x] Varda (forgejo)
- [x] Thinkpad T470
- [x] Legion 15 AMD/Nvidia
- [x] Telperion (network services)
- [ ] Gandalf (NixNAS)
- [x] Forgejo Actions
- [ ] Bring over hosts
- [x] Varda (forgejo)
- [x] Thinkpad T470
- [x] Legion 15 AMD/Nvidia
- [x] Telperion (network services)
- [ ] Gandalf (NixNAS)
## Links & References
- [truxnell/dotfiles](https://github.com//truxnell/nix-config/)
- [billimek/dotfiles](https://github.com/billimek/dotfiles/)
## Upgrading the borgmatic template for reference
```sh
borgmatic config generate --source nixos/hosts/shadowfax/config/borgmatic/borgmatic-template.yaml --destination nixos/hosts/shadowfax/config/borgmatic/borgmatic-t
emplate.yaml --overwrite
```
- [truxnell/dotfiles](https://github.com//truxnell/nix-config/)
- [billimek/dotfiles](https://github.com/billimek/dotfiles/)

1484
flake.lock generated
View file

File diff suppressed because it is too large Load diff

429
flake.nix
View file

@ -1,202 +1,22 @@
{
description = "My NixOS flake";
outputs = {
self,
nixpkgs,
nixpkgs-unstable,
sops-nix,
home-manager,
disko,
lix-module,
vscode-server,
nvf,
...
} @ inputs: let
forAllSystems = nixpkgs.lib.genAttrs [
"aarch64-linux"
"x86_64-linux"
];
in rec {
# Use nixpkgs-fmt for 'nix fmt'
formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixfmt-rfc-style);
# setup devshells against shell.nix
# devShells = forAllSystems (pkgs: import ./shell.nix { inherit pkgs; });
# extend lib with my custom functions
lib = nixpkgs.lib.extend (
final: prev: {
inherit inputs;
myLib = import ./nixos/lib {
inherit inputs;
lib = final;
};
}
);
nixosConfigurations = let
inherit inputs;
# Import overlays for building nixosconfig with them.
overlays = import ./nixos/overlays {inherit inputs;};
# generate a base nixos configuration with the specified overlays, hardware modules, and any AerModules applied
mkNixosConfig = {
hostname,
system ? "x86_64-linux",
nixpkgs ? inputs.nixpkgs,
disabledModules ? [],
hardwareModules ? [],
# basemodules is the base of the entire machine building
# here we import all the modules and setup home-manager
baseModules ? [
sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager
nvf.nixosModules.default
./nixos/profiles/global.nix # all machines get a global profile
./nixos/modules/nixos # all machines get nixos modules
./nixos/hosts/${hostname} # load this host's config folder for machine-specific config
{
inherit disabledModules;
home-manager = {
useUserPackages = true;
useGlobalPkgs = true;
extraSpecialArgs = {
inherit inputs hostname system;
};
};
}
],
profileModules ? [],
}: let
pkgs = import nixpkgs {
inherit system;
overlays = builtins.attrValues overlays;
config = {
allowUnfree = true;
allowUnfreePredicate = _: true;
};
};
in
nixpkgs.lib.nixosSystem {
inherit system lib;
modules = baseModules ++ hardwareModules ++ profileModules;
specialArgs = {
inherit self inputs nixpkgs;
myPkgs = lib.myLib.mkMyPkgs pkgs;
};
inherit pkgs;
};
in {
"shadowfax" = mkNixosConfig {
# Pro WS WRX80E-SAGE SE WIFI - AMD Ryzen Threadripper PRO 3955WX 16-Cores
# Workloads server
hostname = "shadowfax";
system = "x86_64-linux";
disabledModules = [
"services/web-servers/minio.nix"
"services/web-servers/caddy/default.nix"
];
hardwareModules = [
lix-module.nixosModules.default
./nixos/profiles/hw-threadripperpro.nix
];
profileModules = [
vscode-server.nixosModules.default
"${nixpkgs-unstable}/nixos/modules/services/web-servers/minio.nix"
"${nixpkgs-unstable}/nixos/modules/services/web-servers/caddy/default.nix"
./nixos/profiles/role-dev.nix
./nixos/profiles/role-server.nix
{home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix;}
];
};
"telchar" = mkNixosConfig {
# Framework 16 Ryzen 7 7840HS - Radeon 780M Graphics
# Hyprland first, QEMU Windows second
hostname = "telchar";
system = "x86_64-linux";
hardwareModules = [
inputs.nixos-hardware.nixosModules.framework-16-7040-amd
./nixos/profiles/hw-framework-16-7840hs.nix
disko.nixosModules.disko
(import ./nixos/profiles/disko/simple-efi.nix)
lix-module.nixosModules.default
];
profileModules = [
./nixos/profiles/role-dev.nix
./nixos/profiles/role-workstation.nix
{home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix;}
];
};
"telperion" = mkNixosConfig {
# HP-S01 Intel G5900
# Network services server
hostname = "telperion";
system = "x86_64-linux";
hardwareModules = [
./nixos/profiles/hw-hp-s01.nix
disko.nixosModules.disko
(import ./nixos/profiles/disko-nixos.nix {disks = ["/dev/nvme0n1"];})
];
profileModules = [
./nixos/profiles/role-server.nix
{home-manager.users.jahanson = ./nixos/home/jahanson/server.nix;}
];
};
"varda" = mkNixosConfig {
# Arm64 cax21 @ Hetzner
# forgejo server
hostname = "varda";
system = "aarch64-linux";
hardwareModules = [
./nixos/profiles/hw-hetzner-cax.nix
];
profileModules = [
./nixos/profiles/role-server.nix
{home-manager.users.jahanson = ./nixos/home/jahanson/server.nix;}
];
};
};
# Convenience output that aggregates the outputs for home, nixos.
# Also used in ci to build targets generally.
top = let
nixtop = nixpkgs.lib.genAttrs (builtins.attrNames inputs.self.nixosConfigurations) (
attr: inputs.self.nixosConfigurations.${attr}.config.system.build.toplevel
);
in
nixtop;
};
nixConfig.extra-substituters = [
"https://hsndev.cachix.org"
"https://nix-community.cachix.org"
"https://numtide.cachix.org"
"https://hyprland.cachix.org"
];
nixConfig.extra-trusted-public-keys = [
"hsndev.cachix.org-1:vN1/XGBZtMLnTFYDmTLDrullgZHSUYY3Kqt+Yg/C+tE="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
"hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
];
inputs = {
# Nixpkgs and unstable
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs-master.url = "github:nixos/nixpkgs/master";
# Lix - Substitution of the Nix package manager, focused on correctness, usability, and growth and committed to doing right by its community.
# https://git.lix.systems/lix-project/lix
lix-module = {
url = "https://git.lix.systems/lix-project/nixos-module/archive/2.92.0.tar.gz";
url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.0.tar.gz";
inputs.nixpkgs.follows = "nixpkgs";
};
# impermanence
# https://github.com/nix-community/impermanence
impermanence.url = "github:nix-community/impermanence";
# Nix User Repository: User contributed nix packages
nur.url = "github:nix-community/NUR";
@ -213,7 +33,7 @@
# home-manager - Manage user configuration with nix
# https://github.com/nix-community/home-manager
home-manager = {
url = "github:nix-community/home-manager/release-24.11";
url = "github:nix-community/home-manager/release-24.05";
inputs.nixpkgs.follows = "nixpkgs";
};
@ -231,6 +51,13 @@
inputs.nixpkgs.follows = "nixpkgs";
};
# nix-index database
# https://github.com/nix-community/nix-index-database
nix-index-database = {
url = "github:nix-community/nix-index-database";
inputs.nixpkgs.follows = "nixpkgs";
};
# nix-inspect - inspect nix derivations usingn a TUI interface
# https://github.com/bluskript/nix-inspect
nix-inspect = {
@ -239,12 +66,12 @@
};
# talhelper - A tool to help creating Talos kubernetes cluster
# https://github.com/budimanjojo/talhelper
talhelper = {
url = "github:budimanjojo/talhelper";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
# NixVirt for qemu & libvirt
# https://github.com/AshleyYakeley/NixVirt
nixvirt-git = {
@ -252,48 +79,192 @@
inputs.nixpkgs.follows = "nixpkgs";
};
# vscode-server - NixOS module for running vscode-server
vscode-server.url = "github:nix-community/nixos-vscode-server";
# nix-minecraft - Minecraft server management
# https://github.com/infinidoge/nix-minecraft
nix-minecraft = {
url = "github:Infinidoge/nix-minecraft";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
# Hyprland
hyprland = {
url = "github:hyprwm/Hyprland";
inputs.nixpkgs.follows = "nixpkgs";
};
# Hyprlock
hyprlock = {
url = "github:hyprwm/hyprlock";
inputs.nixpkgs.follows = "nixpkgs";
};
# Hyprland plugins
hyprland-plugins = {
url = "github:hyprwm/hyprland-plugins";
inputs.hyprland.follows = "hyprland";
};
# Hyprland AGS (Application Grouping System)
ags.url = "github:Aylur/ags/v1";
# nvf - A highly modular, extensible and distro-agnostic Neovim configuration framework for Nix/NixOS.
nvf.url = "github:notashelf/nvf";
# Zen Browser
zen-browser.url = "github:0xc000022070/zen-browser-flake";
# Buildbot for Nix
buildbot-nix = {
url = "github:nix-community/buildbot-nix";
};
# Ghostty 👻 - Awesome terminal that uses GPU acceleration
# ghostty - 👻
ghostty = {
url = "github:ghostty-org/ghostty/v1.1.2";
url = "git+ssh://git@github.com/ghostty-org/ghostty";
};
};
outputs =
{ self, nixpkgs, sops-nix, home-manager, nix-vscode-extensions, impermanence, disko, talhelper, lix-module, ghostty, ... } @ inputs:
let
forAllSystems = nixpkgs.lib.genAttrs [
"aarch64-linux"
"x86_64-linux"
];
in
rec {
# Use nixpkgs-fmt for 'nix fmt'
formatter = forAllSystems (system: nixpkgs.legacyPackages."${system}".nixpkgs-fmt);
# setup devshells against shell.nix
# devShells = forAllSystems (pkgs: import ./shell.nix { inherit pkgs; });
# extend lib with my custom functions
lib = nixpkgs.lib.extend (
final: prev: {
inherit inputs;
myLib = import ./nixos/lib { inherit inputs; lib = final; };
}
);
nixosConfigurations =
let
inherit inputs;
# Import overlays for building nixosconfig with them.
overlays = import ./nixos/overlays { inherit inputs; };
# generate a base nixos configuration with the specified overlays, hardware modules, and any AerModules applied
mkNixosConfig =
{ hostname
, system ? "x86_64-linux"
, nixpkgs ? inputs.nixpkgs
, hardwareModules ? [ ]
# basemodules is the base of the entire machine building
# here we import all the modules and setup home-manager
, baseModules ? [
sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager
impermanence.nixosModules.impermanence
./nixos/profiles/global.nix # all machines get a global profile
./nixos/modules/nixos # all machines get nixos modules
./nixos/hosts/${hostname} # load this host's config folder for machine-specific config
{
home-manager = {
useUserPackages = true;
useGlobalPkgs = true;
extraSpecialArgs = {
inherit inputs hostname system;
};
};
}
]
, profileModules ? [ ]
}:
nixpkgs.lib.nixosSystem {
inherit system lib;
modules = baseModules ++ hardwareModules ++ profileModules;
specialArgs = { inherit self inputs nixpkgs; };
# Add our overlays
pkgs = import nixpkgs {
inherit system;
overlays = builtins.attrValues overlays;
config = {
allowUnfree = true;
allowUnfreePredicate = _: true;
};
};
};
in
{
"durincore" = mkNixosConfig {
# T470 Thinkpad Intel i7-6600U
# Nix dev laptop
hostname = "durincore";
system = "x86_64-linux";
hardwareModules = [
./nixos/profiles/hw-thinkpad-t470.nix
inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t470s
];
profileModules = [
./nixos/profiles/role-workstation.nix
./nixos/profiles/role-dev.nix
{ home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
];
};
"legiondary" = mkNixosConfig {
# Legion 15arh05h AMD/Nvidia Ryzen 7 4800H
# Nix dev/gaming laptop
hostname = "legiondary";
system = "x86_64-linux";
hardwareModules = [
inputs.nixos-hardware.nixosModules.lenovo-legion-15arh05h
./nixos/profiles/hw-legion-15arh05h.nix
disko.nixosModules.disko
(import ./nixos/profiles/disko-nixos.nix { disks = [ "/dev/nvme0n1" ]; })
];
profileModules = [
./nixos/profiles/role-dev.nix
./nixos/profiles/role-gaming.nix
./nixos/profiles/role-workstation.nix
{ home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
];
};
"telchar" = mkNixosConfig {
# Framework 16 Ryzen 7 7840HS - Radeon 780M Graphics
# Nix dev laptop
hostname = "telchar";
system = "x86_64-linux";
hardwareModules = [
inputs.nixos-hardware.nixosModules.framework-16-7040-amd
./nixos/profiles/hw-framework-16-7840hs.nix
disko.nixosModules.disko
(import ./nixos/profiles/disko-nixos.nix { disks = [ "/dev/nvme0n1" ]; })
lix-module.nixosModules.default
];
profileModules = [
./nixos/profiles/role-dev.nix
./nixos/profiles/role-workstation.nix
{ home-manager.users.jahanson = ./nixos/home/jahanson/workstation.nix; }
];
};
"varda" = mkNixosConfig {
# Arm64 cax21 @ Hetzner
# forgejo server
hostname = "varda";
system = "aarch64-linux";
hardwareModules = [
./nixos/profiles/hw-hetzner-cax.nix
];
profileModules = [
./nixos/profiles/role-server.nix
{ home-manager.users.jahanson = ./nixos/home/jahanson/server.nix; }
];
};
"telperion" = mkNixosConfig {
# HP-S01 Intel G5900
# Network services server
hostname = "telperion";
system = "x86_64-linux";
hardwareModules = [
./nixos/profiles/hw-hp-s01.nix
disko.nixosModules.disko
(import ./nixos/profiles/disko-nixos.nix { disks = [ "/dev/nvme0n1" ]; })
];
profileModules = [
./nixos/profiles/role-server.nix
{ home-manager.users.jahanson = ./nixos/home/jahanson/server.nix; }
];
};
"gandalf" = mkNixosConfig {
# X9DRi-LN4+/X9DR3-LN4+ - Intel(R) Xeon(R) CPU E5-2650 v2
# NAS
hostname = "gandalf";
system = "x86_64-linux";
hardwareModules = [
lix-module.nixosModules.default
./nixos/profiles/hw-supermicro.nix
];
profileModules = [
./nixos/profiles/role-server.nix
{ home-manager.users.jahanson = ./nixos/home/jahanson/server.nix; }
];
};
};
# Convenience output that aggregates the outputs for home, nixos.
# Also used in ci to build targets generally.
top =
let
nixtop = nixpkgs.lib.genAttrs
(builtins.attrNames inputs.self.nixosConfigurations)
(attr: inputs.self.nixosConfigurations.${attr}.config.system.build.toplevel);
in
nixtop;
};
}

27
nixos/home/jahanson/global.nix
View file

@ -1,8 +1,6 @@
{ pkgs, config, ... }:
with config;
{
pkgs,
config,
...
}: {
imports = [
../modules
];
@ -22,13 +20,6 @@
EDITOR = "vim";
};
# Home Manager
## Tasks, env, and secrets management.
programs.mise = {
enable = true;
package = pkgs.unstable.mise;
};
home = {
# Install these packages for my user
packages = with pkgs; [
@ -53,8 +44,8 @@
dbus
direnv
git
nix-index
python3
pipx
fzf
ripgrep
lsd
@ -63,7 +54,7 @@
# terminal file managers
nnn
ranger
unstable.yazi-unwrapped
yazi
# networking tools
iperf3
@ -77,13 +68,9 @@
# system tools
sysstat
lm_sensors # for `sensors` command
ethtool # modify network interface settings or firmware
ethtool
pciutils # lspci
usbutils # lsusb
lshw # lshw
# filesystem tools
gptfdisk # sgdisk
# system call monitoring
strace # system call monitoring
@ -100,10 +87,6 @@
# nix tools
nvd
# backup tools
unstable.rclone
unstable.restic
];
};
};

3
nixos/home/jahanson/server.nix
View file

@ -1,4 +1,5 @@
{...}: {
{ ... }:
{
imports = [
./global.nix
];

73
nixos/home/jahanson/workstation.nix
View file

@ -1,50 +1,57 @@
{pkgs, ...}: {
{ pkgs, config, ... }:
with config;
{
imports = [
./global.nix
];
config = {
# Custom Home Manager Configuration
myHome = {
de.hyprland.enable = true;
programs = {
firefox.enable = true;
thunderbird.enable = true;
};
shell = {
git = {
enable = true;
username = "Joseph Hanson";
email = "joe@veri.dev";
signingKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIDSAmssproxG+KsVn2DfuteBAemHrmmAFzCtldpKl4J";
};
myHome = {
programs.firefox.enable = true;
programs.thunderbird.enable = true;
shell = {
wezterm.enable = true;
git = {
enable = true;
username = "Joseph Hanson";
email = "joe@veri.dev";
signingKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIDSAmssproxG+KsVn2DfuteBAemHrmmAFzCtldpKl4J";
};
};
};
# Home Manager Configuration
home = {
# Install these packages for my user
packages = with pkgs; [
# apps
# parsec-bin
solaar # open source manager for logitech unifying receivers
home = {
# Install these packages for my user
packages = with pkgs;
[
#apps
discord
flameshot
jetbrains.datagrip
obsidian
parsec-bin
solaar
talosctl
termius
unstable.bruno
# unstable.fractal
unstable.obsidian
unstable.fractal
unstable.httpie
unstable.jetbrains.datagrip
unstable.jetbrains.rust-rover
unstable.seabird
unstable.talosctl # overlay override
unstable.mods
unstable.peazip
unstable.telegram-desktop
unstable.tidal-hifi
# unstable.xpipe
# unstable.vesktop # gpu issues. Using the flatpak version solves this issue.
vlc
yt-dlp
# cli
brightnessctl
# dev utils
minio-client # S3 management
pre-commit # Pre-commit tasks for git
shellcheck # shell script linting
unstable.act # run GitHub actions locally
unstable.nodePackages_latest.prettier # code formatter
unstable.tailspin # logfile highlighter
];
};
};
}

5
nixos/home/modules/de/default.nix
View file

@ -1,5 +0,0 @@
{...}: {
imports = [
./hyprland.nix
];
}

91
nixos/home/modules/de/hyprland.nix
View file

@ -1,91 +0,0 @@
{
lib,
config,
pkgs,
inputs,
...
}:
with lib; let
cfg = config.myHome.de.hyprland;
in {
options.myHome.de.hyprland.enable = mkEnableOption "Hyprland";
imports = [inputs.ags.homeManagerModules.default];
config = mkIf cfg.enable {
# Downloads the Theme Resources
home.packages = with pkgs; [
andromeda-gtk-theme
flat-remix-icon-theme
bibata-cursors
];
# 'Installs' (sym-links) the Theme Resources
home.file = {
".themes/Andromeda".source = "${pkgs.andromeda-gtk-theme}/share/themes/Andromeda";
".icons/Flat-Remix-Blue-Dark".source = "${pkgs.flat-remix-icon-theme}/share/icons/Flat-Remix-Blue-Dark";
".icons/Bibata-Modern-Ice".source = "${pkgs.bibata-cursors}/share/icons/Bibata-Modern-Ice";
};
# Theme settings
gtk = {
enable = true;
# Some apps just need the good ol' ini files.
gtk3.extraConfig = {
gtk-application-prefer-dark-theme = 1;
gtk-theme-name = "Andromeda";
gtk-icon-theme-name = "Flat-Remix-Blue-Dark";
gtk-font-name = "Fira Code Semi-Bold 14";
gtk-cursor-theme-name = "Bibata-Modern-Ice";
gtk-cursor-theme-size = 24;
gtk-toolbar-style = "GTK_TOOLBAR_ICONS";
gtk-toolbar-icon-size = "GTK_ICON_SIZE_LARGE_TOOLBAR";
gtk-button-images = 1;
gtk-menu-images = 1;
gtk-enable-event-sounds = 1;
gtk-enable-input-feedback-sounds = 0;
gtk-xft-antialias = 1;
gtk-xft-hinting = 1;
gtk-xft-hintstyle = "hintslight";
gtk-xft-rgba = "rgb";
};
gtk4.extraConfig = {
gtk-application-prefer-dark-theme = "1";
gtk-theme-name = "Andromeda";
gtk-icon-theme-name = "Flat-Remix-Blue-Dark";
gtk-font-name = "Fira Code Semi-Bold 14";
gtk-cursor-theme-name = "Bibata-Modern-Ice";
gtk-cursor-theme-size = 24;
gtk-toolbar-style = "GTK_TOOLBAR_ICONS";
gtk-toolbar-icon-size = "GTK_ICON_SIZE_LARGE_TOOLBAR";
gtk-button-images = 1;
gtk-menu-images = 1;
gtk-enable-event-sounds = 1;
gtk-enable-input-feedback-sounds = 0;
gtk-xft-antialias = 1;
gtk-xft-hinting = 1;
gtk-xft-hintstyle = "hintslight";
gtk-xft-rgba = "rgb";
};
};
# Wayland and apps pull from dconf since we're using the gtk portal.
dconf.settings = {
"org/gnome/desktop/interface" = {
color-scheme = "prefer-dark";
cursor-size = 24;
cursor-theme = "Bibata-Modern-Ice";
gtk-theme = "Andromeda";
icon-theme = "Flat-Remix-Blue-Dark";
};
};
programs.ags = {
enable = true;
# I don't want Home Manager to manage these config files.
# Just setup the programs.
configDir = null;
extraPackages = with pkgs; [
gtksourceview
webkitgtk_6_0
accountsservice
];
};
};
}

5
nixos/home/modules/default.nix
View file

@ -1,6 +1,6 @@
{lib, ...}: {
{ lib, ... }: {
imports = [
./de
./shell
./programs
./security
@ -32,4 +32,5 @@
allowUnfree = true;
};
};
}

2
nixos/home/modules/programs/browsers/default.nix
View file

@ -1,4 +1,4 @@
{...}: {
{ ... }: {
imports = [
./firefox
];

45
nixos/home/modules/programs/browsers/firefox/default.nix
View file

@ -1,25 +1,32 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.myHome.programs.firefox;
in {
in
{
options.myHome.programs.firefox.enable = mkEnableOption "Firefox";
config = mkIf cfg.enable {
programs.firefox = {
enable = true;
package = pkgs.firefox.override {
extraPolicies = {
DontCheckDefaultBrowser = true;
DisablePocket = true;
};
config = mkIf cfg.enable
{
programs.firefox = {
enable = true;
package = pkgs.firefox.override
{
extraPolicies = {
DontCheckDefaultBrowser = true;
DisablePocket = true;
# See nixpkgs' firefox/wrapper.nix to check which options you can use
nativeMessagingHosts = [
# Gnome shell native connector
pkgs.gnome-browser-connector
# plasma connector
# plasma5Packages.plasma-browser-integration
];
};
};
policies = import ./policies.nix;
profiles.default = import ./profile-default.nix { inherit pkgs; };
};
policies = import ./policies.nix;
profiles.default = import ./profile-default.nix {inherit pkgs;};
};
};
}

6
nixos/home/modules/programs/browsers/firefox/policies.nix
View file

@ -8,9 +8,9 @@
Fingerprinting = true;
};
DisablePocket = true;
DisableFirefoxAccounts = true;
DisableAccounts = true;
DisableFirefoxScreenshots = true;
# DisableFirefoxAccounts = true;
# DisableAccounts = true;
# DisableFirefoxScreenshots = true;
# OverrideFirstRunPage = "";
OverridePostUpdatePage = "";
DontCheckDefaultBrowser = true;

16
nixos/home/modules/programs/browsers/firefox/profile-default.nix
View file

@ -1,4 +1,5 @@
{pkgs}: {
{ pkgs }:
{
id = 0;
name = "default";
isDefault = true;
@ -10,21 +11,22 @@
# 2 => the last page viewed in Firefox
# 3 => previous session windows and tabs
"browser.startup.page" = "3";
"browser.send_pings" = false;
# Do not track
"privacy.donottrackheader.enabled" = "true";
"privacy.donottrackheader.value" = 1;
"browser.display.use_system_colors" = "true";
"browser.display.use_document_colors" = "false";
"devtools.theme" = "dark";
"extensions.pocket.enabled" = false;
};
extensions = with pkgs.nur.repos.rycee.firefox-addons; [
ublock-origin
privacy-badger
link-cleaner
refined-github
kagi-search
languagetool
onepassword-password-manager
streetpass-for-mastodon
dearrow
sponsorblock
];
}

2
.archive/home/modules/programs/de/default.nix → nixos/home/modules/programs/de/default.nix
View file

@ -1,4 +1,4 @@
{...}: {
{ ... }: {
imports = [
./gnome
];

49
nixos/home/modules/programs/de/gnome/default.nix Normal file
View file

@ -0,0 +1,49 @@
# Adjusted manually from generated output of dconf2nix
# https://github.com/gvolpe/dconf2nix
{ lib, pkgs, osConfig, ... }:
with lib.hm.gvariant; {
config = lib.mkIf osConfig.mySystem.de.gnome.enable {
# add user packages
home.packages = with pkgs; [
dconf2nix
];
# worked out from dconf2nix
# `dconf dump / | dconf2nix > dconf.nix`
# can also dconf watch
dconf.settings = {
"org/gnome/mutter" = {
edge-tiling = true;
workspaces-only-on-primary = false;
};
"org/gnome/settings-daemon/plugins/media-keys" = {
home = [ "<Super>e" ];
};
"org/gnome/desktop/wm/preferences" = {
workspace-names = [ "sys" "talk" "web" "edit" "run" ];
button-layout = "appmenu:minimize,close";
};
"org/gnome/shell" = {
disabled-extensions = [ "apps-menu@gnome-shell-extensions.gcampax.github.com" "light-style@gnome-shell-extensions.gcampax.github.com" "places-menu@gnome-shell-extensions.gcampax.github.com" "drive-menu@gnome-shell-extensions.gcampax.github.com" "window-list@gnome-shell-extensions.gcampax.github.com" "workspace-indicator@gnome-shell-extensions.gcampax.github.com" ];
enabled-extensions = [ "appindicatorsupport@rgcjonas.gmail.com" "caffeine@patapon.info" "dash-to-dock@micxgx.gmail.com" "gsconnect@andyholmes.github.io" "Vitals@CoreCoding.com" "sp-tray@sp-tray.esenliyim.github.com" ];
favorite-apps = [ "com.mitchellh.ghostty.desktop" "vivaldi-stable.desktop" "obsidian.desktop" "code.desktop" "discord.desktop" ];
};
"org/gnome/nautilus/preferences" = {
default-folder-viewer = "list-view";
};
"org/gnome/nautilus/icon-view" = {
default-zoom-level = "small";
};
"org/gnome/desktop/interface" = {
color-scheme = "prefer-dark";
};
"org/gnome/desktop/peripherals/touchpad" = {
tap-to-click = false;
};
"org/gnome/desktop/interface" = {
clock-format = "12h";
show-battery-percentage = true;
};
};
};
}

3
nixos/home/modules/programs/default.nix
View file

@ -1,6 +1,7 @@
{...}: {
{ ... }: {
imports = [
./browsers
./de
./thunderbird
];
}

13
nixos/home/modules/programs/thunderbird/default.nix
View file

@ -1,9 +1,5 @@
{
config,
pkgs,
lib,
...
}: let
{ config, pkgs, lib, ... }:
let
cfg = config.myHome.programs.thunderbird;
policies = {
@ -24,14 +20,15 @@
};
};
};
in {
in
{
options.myHome.programs.thunderbird.enable = lib.mkEnableOption "Thunderbird";
config = lib.mkIf cfg.enable {
programs.thunderbird = {
enable = true;
package = pkgs.thunderbird-128.override (old: {
extraPolicies = (old.extrapPolicies or {}) // policies;
extraPolicies = (old.extrapPolicies or { }) // policies;
});
profiles.default.isDefault = true;

2
nixos/home/modules/security/default.nix
View file

@ -1,4 +1,4 @@
{...}: {
{ ... }: {
imports = [
./ssh
];

11
nixos/home/modules/security/ssh/default.nix
View file

@ -1,16 +1,13 @@
{
config,
lib,
...
}:
{ config, lib, ... }:
with lib; let
cfg = config.myHome.security.ssh;
in {
in
{
options.myHome.security.ssh = {
enable = mkEnableOption "ssh";
matchBlocks = mkOption {
type = types.attrs;
default = {};
default = { };
};
};

39
nixos/home/modules/shell/atuind/default.nix
View file

@ -1,33 +1,30 @@
{
config,
pkgs,
lib,
...
}:
{ config, pkgs, lib, ... }:
with lib; let
cfg = config.myHome.shell.atuind;
in {
in
{
options.myHome.shell.atuind = {
enable = mkEnableOption "atuind";
};
config = mkMerge [
(mkIf cfg.enable {
systemd.user.services.atuind = {
Install = {
WantedBy = ["default.target"];
systemd.user.services.atuind =
{
Install = {
WantedBy = [ "default.target" ];
};
Unit = {
After = [ "network.target" ];
};
Service = {
Environment = "ATUIN_LOG=info";
ExecStart = "${pkgs.unstable.atuin}/bin/atuin daemon";
# Remove the socket file if the daemon is not running.
# Unexpected shutdowns may have left this file here.
ExecStartPre="/run/current-system/sw/bin/bash -c '! pgrep atuin && /run/current-system/sw/bin/rm -f ~/.local/share/atuin/atuin.sock'";
};
};
Unit = {
After = ["network.target"];
};
Service = {
Environment = "ATUIN_LOG=info";
ExecStart = "${pkgs.unstable.atuin}/bin/atuin daemon";
# Remove the socket file if the daemon is not running.
# Unexpected shutdowns may have left this file here.
ExecStartPre = "/run/current-system/sw/bin/bash -c '! pgrep atuin && /run/current-system/sw/bin/rm -f ~/.local/share/atuin/atuin.sock'";
};
};
})
];
}

2
nixos/home/modules/shell/default.nix
View file

@ -1,4 +1,4 @@
{...}: {
{ ... }: {
imports = [
./atuind
./fish

52
nixos/home/modules/shell/fish/default.nix
View file

@ -1,13 +1,9 @@
{
config,
pkgs,
lib,
...
}:
{ config, pkgs, lib, ... }:
with lib; let
inherit (config.myHome) username homeDirectory;
cfg = config.myHome.shell.fish;
in {
in
{
options.myHome.shell.fish = {
enable = mkEnableOption "fish";
};
@ -25,26 +21,14 @@ in {
lt = "${pkgs.lsd}/bin/lsd --tree";
lla = "${pkgs.lsd}/bin/lsd -la";
tm = "tmux attach -t (basename $PWD) || tmux new -s (basename $PWD)";
lsusb = "cyme --headings --tree --hide-buses";
x = "exit";
ncdu = "ncdu --color dark";
};
shellAbbrs = {
nrs = "sudo nixos-rebuild switch --flake . --show-trace --accept-flake-config";
nfc = "nix flake check --show-trace --accept-flake-config";
nrs = "sudo nixos-rebuild switch --flake .";
nvdiff = "nvd diff /run/current-system result";
};
functions = {
nix-which = {
body = ''
set -l cmd $argv[1]
nix-locate --whole-name --type x --type s "$cmd"
'';
};
};
interactiveShellInit = ''
# Erase fish_mode_prompt function
functions -e fish_mode_prompt
@ -63,12 +47,10 @@ in {
end
end
# Krew
set -q KREW_ROOT; and set -gx PATH $PATH $KREW_ROOT/.krew/bin; or set -gx PATH $PATH $HOME/.krew/bin
# Paths are in reverse priority order
update_path /opt/homebrew/opt/postgresql@16/bin
update_path /opt/homebrew/bin
update_path ${homeDirectory}/.krew/bin
update_path /nix/var/nix/profiles/default/bin
update_path /run/current-system/sw/bin
update_path /etc/profiles/per-user/${username}/bin
@ -77,20 +59,10 @@ in {
update_path ${homeDirectory}/go/bin
update_path ${homeDirectory}/.cargo/bin
update_path ${homeDirectory}/.local/bin
update_path ${homeDirectory}/.npm-packages/bin
set -gx EDITOR "vim"
if test (hostname) = "telchar"
set -gx VISUAL "code"
end
set -gx SSH_ASKPASS_REQUIRE "prefer" # This is for git to use the ssh-askpass
set -gx ATUIN_SYNC_ADDRESS "https://sh.hsn.dev"
# Mise https://mise.jdx.dev
mise activate fish | source
# One Password cli
if test -e ~/.config/op/plugins.sh
source ~/.config/op/plugins.sh
@ -99,19 +71,7 @@ in {
set -gx LSCOLORS "Gxfxcxdxbxegedabagacad"
set -gx LS_COLORS 'di=01;34:ln=01;36:pi=33:so=01;35:bd=01;33:cd=33:or=31:ex=01;32:*.7z=01;31:*.bz2=01;31:*.gz=01;31:*.lz=01;31:*.lzma=01;31:*.lzo=01;31:*.rar=01;31:*.tar=01;31:*.tbz=01;31:*.tgz=01;31:*.xz=01;31:*.zip=01;31:*.zst=01;31:*.zstd=01;31:*.bmp=01;35:*.tiff=01;35:*.tif=01;35:*.TIFF=01;35:*.gif=01;35:*.jpeg=01;35:*.jpg=01;35:*.png=01;35:*.webp=01;35:*.pot=01;35:*.pcb=01;35:*.gbr=01;35:*.scm=01;35:*.xcf=01;35:*.spl=01;35:*.stl=01;35:*.dwg=01;35:*.ply=01;35:*.apk=01;31:*.deb=01;31:*.rpm=01;31:*.jad=01;31:*.jar=01;31:*.crx=01;31:*.xpi=01;31:*.avi=01;35:*.divx=01;35:*.m2v=01;35:*.m4v=01;35:*.mkv=01;35:*.MOV=01;35:*.mov=01;35:*.mp4=01;35:*.mpeg=01;35:*.mpg=01;35:*.sample=01;35:*.wmv=01;35:*.3g2=01;35:*.3gp=01;35:*.gp3=01;35:*.webm=01;35:*.flv=01;35:*.ogv=01;35:*.f4v=01;35:*.3ga=01;35:*.aac=01;35:*.m4a=01;35:*.mp3=01;35:*.mp4a=01;35:*.oga=01;35:*.ogg=01;35:*.opus=01;35:*.s3m=01;35:*.sid=01;35:*.wma=01;35:*.flac=01;35:*.alac=01;35:*.mid=01;35:*.midi=01;35:*.pcm=01;35:*.wav=01;35:*.ass=01;33:*.srt=01;33:*.ssa=01;33:*.sub=01;33:*.git=01;33:*.ass=01;33:*README=33:*README.rst=33:*README.md=33:*LICENSE=33:*COPYING=33:*INSTALL=33:*COPYRIGHT=33:*AUTHORS=33:*HISTORY=33:*CONTRIBUTOS=33:*PATENTS=33:*VERSION=33:*NOTICE=33:*CHANGES=33:*CHANGELOG=33:*log=33:*.txt=33:*.md=33:*.markdown=33:*.nfo=33:*.org=33:*.pod=33:*.rst=33:*.tex=33:*.texttile=33:*.bib=35:*.json=35:*.jsonl=35:*.jsonnet=35:*.libsonnet=35:*.rss=35:*.xml=35:*.fxml=35:*.toml=35:*.yaml=35:*.yml=35:*.dtd=35:*.cbr=35:*.cbz=35:*.chm=35:*.pdf=35:*.PDF=35:*.epub=35:*.awk=35:*.bash=35:*.bat=35:*.BAT=35:*.sed=35:*.sh=35:*.zsh=35:*.vim=35:*.py=35:*.ipynb=35:*.rb=35:*.gemspec=35:*.pl=35:*.PL=35:*.t=35:*.msql=35:*.mysql=35:*.pgsql=35:*.sql=35:*.r=35:*.R=35:*.cljw=35:*.scala=35:*.sc=35:*.dart=35:*.asm=35:*.cl=35:*.lisp=35:*.rkt=35:*.el=35:*.elc=35:*.eln=35:*.lua=35:*.c=35:*.C=35:*.h=35:*.H=35:*.tcc=35:*.c++=35:*.h++=35:*.hpp=35:*.hxx=35:*ii.=35:*.m=35:*.M=35:*.cc=35:*.cs=35:*.cp=35:*.cpp=35:*.cxx=35:*.go=35:*.f=35:*.F=35:*.nim=35:*.nimble=35:*.s=35:*.S=35:*.rs=35:*.scpt=35:*.swift=35:*.vala=35:*.vapi=35:*.hs=35:*.lhs=35:*.zig=35:*.v=35:*.pyc=35:*.tf=35:*.tfstate=35:*.tfvars=35:*.css=35:*.less=35:*.sass=35:*.scss=35:*.htm=35:*.html=35:*.jhtm=35:*.mht=35:*.eml=35:*.coffee=35:*.java=35:*.js=35:*.mjs=35:*.jsm=35:*.jsp=35:*.rasi=35:*.php=35:*.twig=35:*.vb=35:*.vba=35:*.vbs=35:*.Dockerfile=35:*.dockerignore=35:*.Makefile=35:*.MANIFEST=35:*.am=35:*.in=35:*.hin=35:*.scan=35:*.m4=35:*.old=35:*.out=35:*.SKIP=35:*.diff=35:*.patch=35:*.tmpl=35:*.j2=35:*PKGBUILD=35:*config=35:*.conf=35:*.service=31:*.@.service=31:*.socket=31:*.swap=31:*.device=31:*.mount=31:*.automount=31:*.target=31:*.path=31:*.timer=31:*.snapshot=31:*.allow=31:*.swp=31:*.swo=31:*.tmp=31:*.pid=31:*.state=31:*.lock=31:*.lockfile=31:*.pacnew=31:*.un=31:*.orig=31:'
set -l connection_type
# Disable atuin up arrow and ctrl-r keybindings when running in a tty
if test -z "$DISPLAY" && test -z "$WAYLAND_DISPLAY" && test -z "$SSH_CLIENT"
atuin init fish --disable-up-arrow --disable-ctrl-r | source
else
atuin init fish | source
end
# Ghostty shell integration for Bash. This must be at the top of your fish!!!
if set -q GHOSTTY_RESOURCES_DIR
source "$GHOSTTY_RESOURCES_DIR/shell-integration/fish/vendor_conf.d/ghostty-shell-integration.fish"
end
atuin init fish | source
'';
};

13
nixos/home/modules/shell/git/default.nix
View file

@ -1,11 +1,8 @@
{
pkgs,
config,
lib,
...
}: let
{ pkgs, config, lib, ... }:
let
cfg = config.myHome.shell.git;
in {
in
{
options.myHome.shell.git = {
enable = lib.mkEnableOption "git";
username = lib.mkOption {
@ -59,8 +56,6 @@ in {
"*.decrypted.*"
# Python virtualenvs
".venv"
# Aider Chat
".aider*"
];
};
};

14
nixos/home/modules/shell/starship/default.nix
View file

@ -1,14 +1,12 @@
{
lib,
config,
...
{ lib
, config
, ...
}:
with lib; let
cfg = config.myHome.shell.starship;
in {
options.myHome.shell.starship = {
enable = mkEnableOption "starship";
};
in
{
options.myHome.shell.starship = { enable = mkEnableOption "starship"; };
config = mkIf cfg.enable {
programs.starship = {

10
nixos/home/modules/shell/wezterm/default.nix
View file

@ -1,12 +1,8 @@
{
config,
pkgs,
lib,
...
}:
{ config, pkgs, lib, ... }:
with lib; let
cfg = config.myHome.shell.wezterm;
in {
in
{
options.myHome.shell.wezterm = {
enable = mkEnableOption "wezterm";
configPath = mkOption {

44
nixos/hosts/durincore/default.nix Normal file
View file

@ -0,0 +1,44 @@
{ ... }: {
config = {
networking.hostId = "ad4380db";
networking.hostName = "durincore";
# Kernel mods
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ];
kernelModules = [ ];
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
fileSystems = {
"/" =
{
device = "rpool/root";
fsType = "zfs";
};
"/home" =
{
device = "rpool/home";
fsType = "zfs";
};
"/boot" =
{
device = "/dev/disk/by-uuid/F1B9-CA7C";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
};
swapDevices = [ ];
# System settings and services.
mySystem = {
system.motd.networkInterfaces = [ "enp0s31f6" "wlp4s0" ];
};
};
}

11
nixos/hosts/gandalf/config/samba-config.nix Normal file
View file

@ -0,0 +1,11 @@
{ ... }:
''
workgroup = WORKGROUP
server string = gandalf
netbios name = gandalf
security = user
# note: localhost is the ipv6 localhost ::1
hosts allow = 0.0.0.0/0
guest account = nobody
map to guest = bad user
''

12
.archive/hosts/gandalf/config/samba-config.nix → nixos/hosts/gandalf/config/samba-shares.nix
View file

@ -1,14 +1,4 @@
{...}: {
global = {
"workgroup" = "WORKGROUP";
"server string" = "gandalf";
"netbios name" = "gandalf";
"security" = "user";
# note: localhost is the ipv6 localhost ::1
"hosts allow" = "0.0.0.0/0";
"guest account" = "nobody";
"map to guest" = "bad user";
};
{ ... }: {
xen = {
path = "/eru/xen-backups";
browseable = "yes";

3
.archive/hosts/gandalf/config/sanoid.nix → nixos/hosts/gandalf/config/sanoid.nix
View file

@ -1,4 +1,5 @@
{...}: {
{ ... }:
{
outputs = {
# ZFS automated snapshots
templates = {

132
nixos/hosts/gandalf/default.nix Normal file
View file

@ -0,0 +1,132 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, modulesPath, inputs, ... }:
let
sanoidConfig = import ./config/sanoid.nix { };
in
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
inputs.disko.nixosModules.disko
(import ../../profiles/disko-nixos.nix { disks = [ "/dev/sda" ]; })
];
boot = {
initrd = {
availableKernelModules = [ "ehci_pci" "ahci" "mpt3sas" "isci" "usbhid" "usb_storage" "sd_mod" ];
kernelModules = [ "nfs" ];
supportedFilesystems = [ "nfs" ];
};
kernelModules = [ "kvm-intel" "vfio" "vfio_iommu_type1" "vfio_pci" "vfio_virqfd" ];
extraModulePackages = [ ];
kernelParams = [ "iommu=pt" "intel_iommu=on" "zfs.zfs_arc_max=107374182400" ]; # 100GB
};
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAGSFTSVPt43PBpSMSF1dGTzN2JbxztDZUml7g4+PnWe CSI-Driver@talos"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO/W445gX2IINRbE6crIMwgN6Ks8LTzAXR86pS9xp335 root@Sting"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBROTzSefJGJeCNUgNLbE5l4sHHg2fHUO4sCwqvP+zAd root@Gollum"
];
# Network settings
networking = {
hostName = "gandalf";
hostId = "e2fc95cd";
useDHCP = false; # needed for bridge
networkmanager.enable = true;
# TODO: Add ports specifically.
firewall.enable = false;
interfaces = {
"enp130s0f0".useDHCP = true;
"enp130s0f1".useDHCP = true;
};
# For VMs
bridges = {
"br0" = {
interfaces = [ "enp130s0f1" ];
};
};
};
swapDevices = [ ];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
sops = {
secrets = {
"lego/dnsimple/token" = {
mode = "0444";
sopsFile = ./secrets.sops.yaml;
};
"borg/repository/passphrase" = {
sopsFile = ./secrets.sops.yaml;
};
};
};
# no de
services = {
xserver = {
enable = false;
displayManager.gdm.enable = false;
desktopManager.gnome.enable = false;
};
};
# System settings and services.
mySystem = {
purpose = "Production";
system = {
motd.networkInterfaces = [ "enp130s0f0" "enp130s0f1" ];
# ZFS
zfs.enable = true;
zfs.mountPoolsAtBoot = [ "eru" ];
# NFS
nfs.enable = true;
# Samba
samba = {
enable = true;
shares = import ./config/samba-shares.nix { };
extraConfig = import ./config/samba-config.nix { };
};
resticBackup = {
local.enable = false;
remote.enable = false;
local.noWarning = true;
remote.noWarning = true;
};
# Borg
borgbackup = {
enable = true;
paths = [ "/eru/containers/volumes/unifi/" ];
exclude = [ ];
repo = "ssh://t3zvn0dd@t3zvn0dd.repo.borgbase.com/./repo";
repoKeyPath = config.sops.secrets."borg/repository/passphrase".path;
};
};
services = {
podman.enable = true;
libvirt-qemu.enable = true;
# Sanoid
sanoid = {
enable = true;
inherit (sanoidConfig.outputs) templates datasets;
};
# Unifi & Lego-Auto
unifi.enable = true;
lego-auto = {
enable = true;
dnsimpleTokenPath = "${config.sops.secrets."lego/dnsimple/token".path}";
domains = "gandalf.jahanson.tech";
email = "joe@veri.dev";
provider = "dnsimple";
};
};
};
}

80
nixos/hosts/gandalf/secrets.sops.yaml Normal file
View file

@ -0,0 +1,80 @@
lego:
dnsimple:
token: ENC[AES256_GCM,data:CfRFhGE8AyZfO9RzoXXTfm8kstvx+Fuy53o9ulYNZiufzzSQ4KzwYIoCRw==,iv:HEC8hRpmk7YDI7RHj29ZAeFKyPgsWTHw1sxjdZuhcrw=,tag:7RhEhZ9GkyBE9PJRe+gD+Q==,type:str]
borg:
repository:
passphrase: ENC[AES256_GCM,data:lt0Rq269GoBuLNw9fxwuMAmtYjE=,iv:57IFde6EX7myLSCvYXkkbSulr8S7JPYoThWBsPLH0Yw=,tag:NwlpouurYF+2qmw2T3De8A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUZVhNdGh2c3dpYWU2TDNJ
M2Vyb29jQ2xHMXBKVk10dkhWVUFmVkpmV2tnCjF5ZnBBcGtkZjFYbU0zQXNNRCti
QzVKOGR2OUQvRXVvOXZlb1I0V00rcWsKLS0tIElHeHhkSmt5UkZhTjk1dkFSbUp0
M1BiUzZkU0pDbHVQNC9yQ3pzSU5INm8KcRB4uY0PHnDfc4bJZwqkK/S7FbEXuxEu
ot9oVR4sZBs7Uhi5Ixz7Kmk9dBJ+E9dWPxDeYhYo3V0Tq77h1vVOyg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNalVRWXVGN0hqZDdYUDVZ
TVRwVHJsTEJoTVIzenFuY0dnTWs1bnRHZnhzCnNPTnJ1Uk92aVRaMlA4VTRYbXNh
MW5ycEUzUVk0RW1Iby9kWjQ1cTVXWDgKLS0tIDdVaTcvNm9Ca2hTMzBlSGZVUnZN
a2U1ZjIwRWx1bWp6TktablBqMUduUmMKCFT9vPMu/fob5SQG1004925OB1KNhsUm
obph/984DUTQxk6IvnJ7fPrnFwL5yY1azdybjPlwGw6o5SmwKpxWBQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2RjUvSFJqNGxieVZiVE9q
NjB4RHcraXk5TnJtN1RSNXZSMlEwbjgxaUZVCjRxUGUwTjBFSU9nTHpRbWpmVkRQ
cllyei9URXYyRGgrTGdjWXRSZmpRYnMKLS0tIHNQOXpkZnI5b200d0JiSVI2N1BU
MS9MRW5ocGRMWXdBL0E5N00zbGZzVFEKxeMB0/opzFTnlSBK1vEsLqQ0qIDhOuw5
S+g8eYTVXSIs/3TMUnOJxDezAG2l00vyWryPw2sGOnqgZCnF9VB/mw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvbzJDWHhIT2tSekxpWmFR
cVFocEl6N0VWM2FYVC9FeE9zeG0wYUhnazJRCllsdlFVZXR0YTA2T2h0ZUVienpQ
MmhJVTkwd1Q4VjNVaWxkL0lVTEVLemsKLS0tIHVqMHhQaW55MHBsVmc5TjJjT1Jy
RXdOeXk0NFJuL1ZKTUt3dXdkdlpLenMKmlQ0k9CmSWQ7MqueMbmd/TqYyQiDFZ0G
FPtUIFWxxPY79vsEHq3kxyz4CGMUv7tYx00OK6niLgLZUStd/3Bxmw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWTk5S2VkQmNnNjIwQ05y
TkR2MjdnY1pGMVZpT2dadE5icjIvRWtnT2pVClRCcTVHa3BaMGRDWTgzNE5zQzBq
MWRWWi83b0k3OUo5WXhHTVRZSmovMWMKLS0tIFF4UlNtNVFkd3phTzd6R2FuY0Js
VWpzZTdXSWpiV2tRbnc5VlVWM3FCak0KQGy+ZWdvEh09y9z1Dj3GTVyeAJ5notCH
ujbOfaly8e9E2g4uOxISxyFe39xlOZd6zEInZ5qiKPrZz37ASChBkA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrZDNFa0U4MWs0dmVkZXhi
V3JjdXIrTTdkamkzRW1jU0wzNnluQ0lJbmpNCkcxNUNwc3ZxMXJreXBxNUlaR0xN
RmFDZ3RIaVU5aCttS3Q5dWo0QUovVDgKLS0tIEVJQm1xWE80OVRyWUxkMzFXRHBp
RlJTZjgzQ3pDVHRPQ2dFbHBqdzA3N0EKGBFnnJMqUrbaIviqpX4CP4Ps45Lk/Yyn
fpVxSlwjOHNDwQ4ojUjv11FRo9WHUTGACFniUtvYc0oaLNygNgf8+Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBodERMdDN4cVRiS0tVck5h
N3RySnRtSXJHZEthRWZNcENrNXY4bHNHa0R3Cm1HL0lzWnpocWhXNDV3RFRxL1ZG
dWlCQWtzMEZlRnNML2NrOUVPSVRTcHMKLS0tIEsrbk5VOUZhbDFRRHRuWW56TjE1
V1d0d1lKb3hyYVQ4elBIZ0hnU3FTbnMKiWERjAwlJRPK+PILCBV03uyNVnNgolA8
PS0vbIDVNiX0pIrRlM2sVivZwqajjTB3XROXMmbIKpQxDMjvpHgqJA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-27T04:50:25Z"
mac: ENC[AES256_GCM,data:IKLC9N4FvfV+eWFoVZa5ijyBdiQuNdXAE4Z/pQNhns+qTuMpuz9QLeQGysow8zCqg9z5WHPa+U10uBIJg0P6Bq2CkBTJ2/75axsQgqc+BPuY4cUfppbYqQaSzB831b3XMHei9m/IPXNoh277jk0E9A0mOzHu4YsBEEzyf5nESn4=,iv:dOIgrQD0eDB1lqTWoDoLXnDZTWJLf5m9a948Wabfc6I=,tag:MWoIe5UpTqZCDDJMcg0swA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

63
nixos/hosts/legiondary/default.nix Normal file
View file

@ -0,0 +1,63 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
networking.hostId = "2132e3bf";
networking.hostName = "legiondary";
boot = {
initrd.availableKernelModules = [ "xhci_pci" "nvme" "ahci" "usb_storage" "usbhid" "sd_mod" ];
initrd.kernelModules = [ ];
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
fileSystems =
{
"/" =
{
device = "zroot/root";
fsType = "zfs";
};
"/nix" =
{
device = "zroot/nix";
fsType = "zfs";
};
"/var" =
{
device = "zroot/var";
fsType = "zfs";
};
"/home" =
{
device = "zroot/home";
fsType = "zfs";
};
};
# fileSystems."/boot" =
# { device = "/dev/disk/by-uuid/E532-B74A";
# fsType = "vfat";
# options = [ "fmask=0022" "dmask=0022" ];
# };
swapDevices = [ ];
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# System settings and services.
mySystem = {
purpose = "Development";
system.motd.networkInterfaces = [ "eno1" "wlp4s0" ];
};
}

14
nixos/hosts/shadowfax/config/Caddyfile
View file

@ -1,14 +0,0 @@
redeye.hsn.dev {
log {
output file /var/log/caddy/redeye.hsn.dev.log
}
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}
reverse_proxy {
transport http {
tls_insecure_skip_verify
}
to http://127.0.0.1:11080
}
}

1456
nixos/hosts/shadowfax/config/borgmatic/borgmatic-template.yaml
View file

File diff suppressed because it is too large Load diff

12
nixos/hosts/shadowfax/config/borgmatic/default.nix
View file

@ -1,12 +0,0 @@
{lib, ...}:
# Includes all files with .nix suffix in the current directory except default.nix
let
dir = ./.;
files = lib.filterAttrs (
name: type:
type == "regular" && name != "default.nix" && lib.hasSuffix ".nix" name
) (builtins.readDir dir);
imports = map (name: "${dir}/${name}") (builtins.attrNames files);
in {
imports = imports;
}

40
nixos/hosts/shadowfax/config/borgmatic/jellyfin.nix
View file

@ -1,40 +0,0 @@
{
config,
pkgs,
...
}: {
mySystem.services.borgmatic = {
configurations.jellyfin = {
source_directories = [
"/nahar/containers/volumes/jellyfin"
];
repositories = [
{
label = "local";
path = "/eru/borg/jellyfin";
}
{
label = "remote";
path = "ssh://uy5oy4m3@uy5oy4m3.repo.borgbase.com/./repo";
}
];
ssh_command = "${pkgs.openssh}/bin/ssh -i ${config.sops.secrets."borgmatic/jellyfin/append_key".path}";
encryption_passcommand = ''${pkgs.coreutils-full}/bin/cat ${config.sops.secrets."borgmatic/jellyfin/encryption_passphrase".path}'';
# Retention settings
keep_daily = 14;
exclude_patterns = [
"*/Cache/*"
];
zfs = {
zfs_command = "${pkgs.zfs}/bin/zfs";
mount_command = "${pkgs.util-linux}/bin/mount";
umount_command = "${pkgs.util-linux}/bin/umount";
};
};
};
}

40
nixos/hosts/shadowfax/config/borgmatic/plex.nix
View file

@ -1,40 +0,0 @@
{
config,
pkgs,
...
}: {
mySystem.services.borgmatic = {
configurations.plex = {
source_directories = [
"/nahar/containers/volumes/plex"
];
repositories = [
{
label = "local";
path = "/eru/borg/plex";
}
{
label = "remote";
path = "ssh://kvq39z04@kvq39z04.repo.borgbase.com/./repo";
}
];
ssh_command = "${pkgs.openssh}/bin/ssh -i ${config.sops.secrets."borgmatic/plex/append_key".path}";
encryption_passcommand = ''${pkgs.coreutils-full}/bin/cat ${config.sops.secrets."borgmatic/plex/encryption_passphrase".path}'';
# Retention settings
keep_daily = 14;
exclude_patterns = [
"*/Cache/*"
];
zfs = {
zfs_command = "${pkgs.zfs}/bin/zfs";
mount_command = "${pkgs.util-linux}/bin/mount";
umount_command = "${pkgs.util-linux}/bin/umount";
};
};
};
}

32
nixos/hosts/shadowfax/config/disks.nix
View file

@ -1,32 +0,0 @@
[
# zroot
"/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNM0W406409E"
# nahar
"/dev/nvme0"
"/dev/nvme1"
"/dev/nvme2"
"/dev/nvme3"
"/dev/nvme4"
"/dev/nvme5"
# moria
"/dev/disk/by-id/scsi-35000cca23bc8a504"
"/dev/disk/by-id/scsi-35000cca23bd29918"
"/dev/disk/by-id/scsi-35000cca23bd29970"
"/dev/disk/by-id/scsi-35000cca2524cc70c"
"/dev/disk/by-id/scsi-35000cca2524e03f4"
"/dev/disk/by-id/scsi-35000cca2525680dc"
"/dev/disk/by-id/scsi-35000cca25256b484"
# eru
"/dev/disk/by-id/scsi-350000c0f02f0830c" # unused
"/dev/disk/by-id/scsi-350000c0f01e7d190" # unused
"/dev/disk/by-id/scsi-350000c0f01ea443c"
"/dev/disk/by-id/scsi-350000c0f01f8230c"
"/dev/disk/by-id/scsi-35000c500586e5057"
"/dev/disk/by-id/scsi-35000c500624a0ddb"
"/dev/disk/by-id/scsi-35000c500624a1a8b"
"/dev/disk/by-id/scsi-35000cca046135ad8"
"/dev/disk/by-id/scsi-35000cca04613722c"
"/dev/disk/by-id/scsi-35000cca0461810f8"
"/dev/disk/by-id/scsi-35000cca04618b930"
"/dev/disk/by-id/scsi-35000cca04618cec4"
]

48
nixos/hosts/shadowfax/config/incus-preseed.nix
View file

@ -1,48 +0,0 @@
{...}: {
config = {
"core.https_address" = "10.1.1.61:8443"; # Need quotes around key
};
networks = [
{
config = {
"ipv4.address" = "auto"; # Need quotes around key
"ipv6.address" = "auto"; # Need quotes around key
};
description = "";
name = "incusbr0";
type = "";
project = "default";
}
];
storage_pools = [
{
config = {
source = "nahar/incus";
};
description = "";
name = "default";
driver = "zfs";
}
];
profiles = [
{
config = {};
description = "";
devices = {
eth0 = {
name = "eth0";
network = "incusbr0";
type = "nic";
};
root = {
path = "/";
pool = "default";
type = "disk";
};
};
name = "default";
}
];
projects = [];
cluster = null;
}

41
nixos/hosts/shadowfax/config/sanoid.nix
View file

@ -1,41 +0,0 @@
{...}: {
outputs = {
# ZFS automated snapshots
templates = {
"production" = {
autoprune = true;
autosnap = true;
hourly = 24;
daily = 7;
monthly = 12;
};
};
datasets = {
"nahar/qbittorrent" = {
useTemplate = ["production"];
recursive = true;
};
"nahar/sabnzbd" = {
useTemplate = ["production"];
recursive = true;
};
"nahar/containers/volumes/jellyfin" = {
useTemplate = ["production"];
recursive = true;
};
"nahar/containers/volumes/plex" = {
useTemplate = ["production"];
recursive = true;
};
"nahar/containers/volumes/scrutiny" = {
useTemplate = ["production"];
recursive = true;
};
"nahar/containers/volumes/scrypted" = {
useTemplate = ["production"];
recursive = true;
};
};
};
}

46
nixos/hosts/shadowfax/config/soft-serve.nix
View file

@ -1,46 +0,0 @@
{...}: {
name = "Soft Serve";
log = {
format = "text";
time_format = "2006-01-02 15:04:05";
};
ssh = {
listen_addr = ":23231";
public_url = "ssh://10.1.1.61:23231";
key_path = "ssh/soft_serve_host_ed25519";
client_key_path = "ssh/soft_serve_client_ed25519";
max_timeout = 0;
idle_timeout = 600;
};
git = {
listen_addr = ":9418";
public_url = "git://10.1.1.61";
max_timeout = 0;
idle_timeout = 3;
max_connections = 32;
};
http = {
listen_addr = ":23232";
tls_key_path = null;
tls_cert_path = null;
public_url = "http://10.1.1.61:23232";
};
stats = {
enabled = false;
listen_addr = "10.1.1.61:23233";
};
db = {
driver = "sqlite";
data_source = "soft-serve.db?_pragma=busy_timeout(5000)&_pragma=foreign_keys(1)";
};
lfs = {
enabled = true;
ssh_enabled = false;
};
jobs = {
mirror_pull = "@every 10m";
};
initial_admin_keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcLI5qN69BuoLp8p7nTYKoLdsBNmZB31OerZ63Car1g jahanson@telchar"
];
}

230
nixos/hosts/shadowfax/config/sops-secrets.nix
View file

@ -1,230 +0,0 @@
{...}: {
secrets = {
# Minio
"minio" = {
sopsFile = ../secrets.sops.yaml;
owner = "minio";
group = "minio";
mode = "400";
restartUnits = ["minio.service"];
};
# Syncthing
"syncthing/publicCert" = {
sopsFile = ../secrets.sops.yaml;
owner = "jahanson";
mode = "400";
restartUnits = ["syncthing.service"];
};
"syncthing/privateKey" = {
sopsFile = ../secrets.sops.yaml;
owner = "jahanson";
mode = "400";
restartUnits = ["syncthing.service"];
};
# Prowlarr
"arr/prowlarr/apiKey" = {
sopsFile = ../secrets.sops.yaml;
owner = "prowlarr";
mode = "400";
restartUnits = ["prowlarr.service"];
};
"arr/prowlarr/postgres/dbName" = {
sopsFile = ../secrets.sops.yaml;
owner = "prowlarr";
mode = "400";
restartUnits = ["prowlarr.service"];
};
"arr/prowlarr/postgres/user" = {
sopsFile = ../secrets.sops.yaml;
owner = "prowlarr";
mode = "400";
restartUnits = ["prowlarr.service"];
};
"arr/prowlarr/postgres/password" = {
sopsFile = ../secrets.sops.yaml;
owner = "prowlarr";
mode = "400";
restartUnits = ["prowlarr.service"];
};
"arr/prowlarr/postgres/host" = {
sopsFile = ../secrets.sops.yaml;
owner = "prowlarr";
mode = "400";
restartUnits = ["prowlarr.service"];
};
# Sonarr
"arr/sonarr/1080p/apiKey" = {
sopsFile = ../secrets.sops.yaml;
owner = "sonarr";
mode = "400";
restartUnits = ["sonarr-tv1080p.service"];
};
"arr/sonarr/1080p/postgres/dbName" = {
sopsFile = ../secrets.sops.yaml;
owner = "sonarr";
mode = "400";
restartUnits = ["sonarr-tv1080p.service"];
};
"arr/sonarr/1080p/postgres/user" = {
sopsFile = ../secrets.sops.yaml;
owner = "sonarr";
mode = "400";
restartUnits = ["sonarr-tv1080p.service"];
};
"arr/sonarr/1080p/postgres/password" = {
sopsFile = ../secrets.sops.yaml;
owner = "sonarr";
mode = "400";
restartUnits = ["sonarr-tv1080p.service"];
};
"arr/sonarr/1080p/postgres/host" = {
sopsFile = ../secrets.sops.yaml;
owner = "sonarr";
mode = "400";
restartUnits = ["sonarr-tv1080p.service"];
};
"arr/sonarr/1080p/extraEnvVars" = {
sopsFile = ../secrets.sops.yaml;
owner = "sonarr";
mode = "400";
restartUnits = ["sonarr-tv1080p.service"];
};
"arr/sonarr/anime/apiKey" = {
sopsFile = ../secrets.sops.yaml;
owner = "sonarr";
mode = "400";
restartUnits = ["sonarr-anime.service"];
};
"arr/sonarr/anime/postgres/dbName" = {
sopsFile = ../secrets.sops.yaml;
owner = "sonarr";
mode = "400";
restartUnits = ["sonarr-anime.service"];
};
"arr/sonarr/anime/postgres/user" = {
sopsFile = ../secrets.sops.yaml;
owner = "sonarr";
mode = "400";
restartUnits = ["sonarr-anime.service"];
};
"arr/sonarr/anime/postgres/password" = {
sopsFile = ../secrets.sops.yaml;
owner = "sonarr";
mode = "400";
restartUnits = ["sonarr-anime.service"];
};
"arr/sonarr/anime/postgres/host" = {
sopsFile = ../secrets.sops.yaml;
owner = "sonarr";
mode = "400";
restartUnits = ["sonarr-anime.service"];
};
"arr/sonarr/anime/extraEnvVars" = {
sopsFile = ../secrets.sops.yaml;
owner = "sonarr";
mode = "400";
restartUnits = ["sonarr-anime.service"];
};
# Radarr
"arr/radarr/1080p/apiKey" = {
sopsFile = ../secrets.sops.yaml;
owner = "radarr";
mode = "400";
restartUnits = ["radarr-movies1080p.service"];
};
"arr/radarr/1080p/postgres/dbName" = {
sopsFile = ../secrets.sops.yaml;
owner = "radarr";
mode = "400";
restartUnits = ["radarr-movies1080p.service"];
};
"arr/radarr/1080p/postgres/user" = {
sopsFile = ../secrets.sops.yaml;
owner = "radarr";
mode = "400";
restartUnits = ["radarr-movies1080p.service"];
};
"arr/radarr/1080p/postgres/password" = {
sopsFile = ../secrets.sops.yaml;
owner = "radarr";
mode = "400";
restartUnits = ["radarr-movies1080p.service"];
};
"arr/radarr/1080p/postgres/host" = {
sopsFile = ../secrets.sops.yaml;
owner = "radarr";
mode = "400";
restartUnits = ["radarr-movies1080p.service"];
};
"arr/radarr/1080p/extraEnvVars" = {
sopsFile = ../secrets.sops.yaml;
owner = "radarr";
mode = "400";
restartUnits = ["radarr-movies1080p.service"];
};
"arr/radarr/anime/apiKey" = {
sopsFile = ../secrets.sops.yaml;
owner = "radarr";
mode = "400";
restartUnits = ["radarr-anime.service"];
};
"arr/radarr/anime/postgres/dbName" = {
sopsFile = ../secrets.sops.yaml;
owner = "radarr";
mode = "400";
restartUnits = ["radarr-anime.service"];
};
"arr/radarr/anime/postgres/user" = {
sopsFile = ../secrets.sops.yaml;
owner = "radarr";
mode = "400";
restartUnits = ["radarr-anime.service"];
};
"arr/radarr/anime/postgres/password" = {
sopsFile = ../secrets.sops.yaml;
owner = "radarr";
mode = "400";
restartUnits = ["radarr-anime.service"];
};
"arr/radarr/anime/postgres/host" = {
sopsFile = ../secrets.sops.yaml;
owner = "radarr";
mode = "400";
restartUnits = ["radarr-anime.service"];
};
"arr/radarr/anime/extraEnvVars" = {
sopsFile = ../secrets.sops.yaml;
owner = "radarr";
mode = "400";
restartUnits = ["radarr-anime.service"];
};
# Unpackerr
"arr/unpackerr/extraEnvVars" = {
sopsFile = ../secrets.sops.yaml;
owner = "unpackerr";
mode = "400";
restartUnits = ["unpackerr.service"];
};
# Borgmatic
"borgmatic/plex/encryption_passphrase" = {
sopsFile = ../secrets.sops.yaml;
mode = "400";
restartUnits = ["borgmatic.service"];
};
"borgmatic/plex/append_key" = {
sopsFile = ../secrets.sops.yaml;
mode = "400";
restartUnits = ["borgmatic.service"];
};
"borgmatic/jellyfin/encryption_passphrase" = {
sopsFile = ../secrets.sops.yaml;
mode = "400";
restartUnits = ["borgmatic.service"];
};
"borgmatic/jellyfin/append_key" = {
sopsFile = ../secrets.sops.yaml;
mode = "400";
restartUnits = ["borgmatic.service"];
};
};
}

390
nixos/hosts/shadowfax/default.nix
View file

@ -1,390 +0,0 @@
{
config,
inputs,
pkgs,
...
}: let
sanoidConfig = import ./config/sanoid.nix {};
disks = import ./config/disks.nix;
smartdDevices = map (device: {inherit device;}) disks;
pushoverNotify = pkgs.writeShellApplication {
name = "pushover-notify";
runtimeInputs = with pkgs; [
curl
jo
jq
];
excludeShellChecks = ["SC2154"];
text = ''
${builtins.readFile ./scripts/pushover-notify.sh}
'';
};
refreshSeries = pkgs.writeShellApplication {
name = "refresh-series";
runtimeInputs = with pkgs; [
curl
jq
];
excludeShellChecks = ["SC2154"];
text = ''
${builtins.readFile ./scripts/refresh-series.sh}
'';
};
in {
imports = [
inputs.disko.nixosModules.disko
(import ../../profiles/disko-nixos.nix {
disks = ["/dev/sda|/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNM0W406409E"];
})
./config/borgmatic
inputs.nix-minecraft.nixosModules.minecraft-servers
];
environment = {
sessionVariables = {
# Wayland and Chromium/Electron apps.
NIXOS_OZONE_WL = "1";
};
# System packages
systemPackages = with pkgs; [
inputs.zen-browser.packages."${system}".default # beta
inputs.ghostty.packages."${system}".default # terminal
pavucontrol # Pulseaudio volume control
zulu
# dev
uv
# fun
fastfetch
prismlauncher # Minecraft launcher
# Scripts
pushoverNotify
refreshSeries
];
};
users.users.root.openssh.authorizedKeys.keys = [];
# Network settings
networking = {
hostName = "shadowfax";
hostId = "a885fabe";
};
# Home Manager
home-manager.users.jahanson = {
# Git settings
# TODO: Move to config module.
programs.git = {
enable = true;
userName = "Joseph Hanson";
userEmail = "joe@veri.dev";
extraConfig = {
core.autocrlf = "input";
init.defaultBranch = "main";
pull.rebase = true;
rebase.autoStash = true;
};
};
};
# enable docker socket at /run/docker.sock
virtualisation.podman.dockerSocket.enable = true;
programs = {
# 1Password cli
_1password.enable = true;
_1password-gui.enable = true;
# Mosh
mosh = {
enable = true;
openFirewall = true;
};
# VSCode Compatibility Settings
nix-ld.enable = true;
};
# Open ports in the firewall.
networking.firewall = {
allowedTCPPorts = [
# Caddy
80 # http
443 # https
179 # BGP
2019 # caddy admin api
# Minio
9000 # console web interface
9001 # api interface
# Soft-serve
23231 # SSH
23232 # HTTP
9418 # Git
# scrypted
45005
];
};
services = {
# Minecraft
minecraft-servers = {
enable = true;
eula = true;
openFirewall = true;
dataDir = "/nahar/minecraft";
servers.fabric = {
enable = true;
# Specify the custom minecraft server package
package = pkgs.fabricServers.fabric-1_21_4;
symlinks = {
mods = pkgs.linkFarmFromDrvs "mods" (
builtins.attrValues {
Fabric-API = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/ZNwYCTsk/fabric-api-0.118.0%2B1.21.4.jar";
sha512 = "1e0d31b6663dc2c7be648f3a5a9cf7b698b9a0fd0f7ae16d1d3f32d943d7c5205ff63a4f81b0c4e94a8997482cce026b7ca486e99d9ce35ac069aeb29b02a30d";
};
}
);
};
};
};
# Minio
minio = {
enable = true;
dataDir = ["/eru/minio"];
rootCredentialsFile = config.sops.secrets."minio".path;
};
# Netdata
netdata = {
enable = true;
};
# Prometheus exporters
prometheus.exporters = {
# Node Exporter - port 9100
node.enable = true;
# ZFS Exporter - port 9134
zfs.enable = true;
};
# Smart daemon for monitoring disk health.
smartd = {
devices = smartdDevices;
# Short test every day at 2:00 AM and long test every Sunday at 4:00 AM.
defaults.monitored = "-a -o on -s (S/../.././02|L/../../7/04)";
};
# Soft Serve - SSH git server
soft-serve = {
enable = true;
settings = import ./config/soft-serve.nix {};
package = pkgs.unstable.soft-serve;
};
sunshine = {
enable = true;
autoStart = true;
capSysAdmin = true; # only needed for Wayland
openFirewall = true;
package = pkgs.unstable.sunshine;
};
# Tailscale
tailscale = {
enable = true;
openFirewall = true;
};
# VSCode Compatibility Settings
vscode-server.enable = true;
xserver.videoDrivers = ["nvidia"];
};
# sops
sops = import ./config/sops-secrets.nix {};
# System settings and services.
mySystem = {
## Desktop Environment
# Hyprland
de.hyprland.enable = true;
# VS Code
editor.vscode.enable = true;
# Containers
containers = {
jellyfin.enable = true;
jellyseerr.enable = true;
ollama.enable = true;
plex.enable = true;
scrypted.enable = true;
};
purpose = "Production";
# Services
services = {
borgmatic.enable = true;
# Misc
libvirt-qemu.enable = true;
podman.enable = true;
# Prowlarr
prowlarr = {
enable = true;
package = pkgs.unstable.prowlarr;
dataDir = "/nahar/prowlarr";
port = 9696;
openFirewall = true;
hardening = true;
apiKeyFile = config.sops.secrets."arr/prowlarr/apiKey".path;
};
# Radarr
radarr = {
enable = true;
instances = {
movies1080p = {
enable = true;
package = pkgs.unstable.radarr;
dataDir = "/nahar/radarr/1080p";
extraEnvVarFile = config.sops.secrets."arr/radarr/1080p/extraEnvVars".path;
moviesDir = "/moria/media/Movies";
user = "radarr";
group = "kah";
port = 7878;
openFirewall = true;
hardening = true;
apiKeyFile = config.sops.secrets."arr/radarr/1080p/apiKey".path;
};
moviesAnime = {
enable = true;
package = pkgs.unstable.radarr;
dataDir = "/nahar/radarr/anime";
extraEnvVarFile = config.sops.secrets."arr/radarr/anime/extraEnvVars".path;
moviesDir = "/moria/media/Anime/Movies";
user = "radarr";
group = "kah";
port = 7879;
openFirewall = true;
hardening = true;
apiKeyFile = config.sops.secrets."arr/radarr/anime/apiKey".path;
};
};
};
# Sonarr
sonarr = {
enable = true;
instances = {
tv1080p = {
enable = true;
package = pkgs.unstable.sonarr;
dataDir = "/nahar/sonarr/1080p";
extraEnvVarFile = config.sops.secrets."arr/sonarr/1080p/extraEnvVars".path;
tvDir = "/moria/media/TV";
user = "sonarr";
group = "kah";
port = 8989;
openFirewall = true;
hardening = true;
apiKeyFile = config.sops.secrets."arr/sonarr/1080p/apiKey".path;
};
anime = {
enable = true;
package = pkgs.unstable.sonarr;
dataDir = "/nahar/sonarr/anime";
extraEnvVarFile = config.sops.secrets."arr/sonarr/anime/extraEnvVars".path;
tvDir = "/moria/media/Anime/Shows";
user = "sonarr";
group = "kah";
port = 8990;
openFirewall = true;
hardening = true;
apiKeyFile = config.sops.secrets."arr/sonarr/anime/apiKey".path;
};
};
};
# Sabnzbd
sabnzbd = {
enable = true;
package = pkgs.unstable.sabnzbd;
configFile = "/nahar/sabnzbd/sabnzbd.ini";
port = 8457;
user = "sabnzbd";
group = "kah";
# Security hardening.
dataDir = "/nahar/sabnzbd";
downloadsDir = "/eru/media/sabnzbd";
hardening = true;
openFirewall = true;
};
# Unpackerr
unpackerr = {
enable = true;
package = pkgs.unstable.unpackerr;
configFile = "/tmp/unpackerr/config.yaml";
extraEnvVarsFile = config.sops.secrets."arr/unpackerr/extraEnvVars".path;
user = "unpackerr";
group = "kah";
};
# Sanoid
sanoid = {
enable = true;
inherit (sanoidConfig.outputs) templates datasets;
};
# Scrutiny
scrutiny = {
enable = true;
devices = disks;
extraCapabilities = [
"SYS_RAWIO"
"SYS_ADMIN"
];
containerVolumeLocation = "/nahar/containers/volumes/scrutiny";
port = 8585;
};
# Syncthing
syncthing = {
enable = false;
user = "jahanson";
publicCertPath = config.sops.secrets."syncthing/publicCert".path;
privateKeyPath = config.sops.secrets."syncthing/privateKey".path;
};
# qBittorrent
qbittorrent = {
enable = true;
package = pkgs.unstable.qbittorrent.override {guiSupport = false;};
user = "qbittorrent";
group = "kah";
dataDir = "/nahar/qbittorrent";
downloadsDir = "/eru/media/qb/downloads";
webuiPort = 8456;
openFirewall = true;
hardening = true;
qbittorrentPort = 50413;
};
zfs-nightly-snap.enable = true;
};
# System
system = {
incus = {
enable = true;
preseed = import ./config/incus-preseed.nix {};
};
motd.networkInterfaces = ["bond0"];
nfs.enable = true;
zfs.enable = true;
zfs.mountPoolsAtBoot = [
"eru"
"moria"
"nahar"
];
};
};
}

89
nixos/hosts/shadowfax/scripts/pushover-notify.sh
View file

@ -1,89 +0,0 @@
# shellcheck disable=SC2154,2148
# User defined variables for pushover
PUSHOVER_USER_KEY="${PUSHOVER_USER_KEY:-required}"
PUSHOVER_TOKEN="${PUSHOVER_TOKEN:-required}"
PUSHOVER_PRIORITY="${PUSHOVER_PRIORITY:-"-2"}"
PUSHOVER_TITLE="${sonarr_eventtype} - Title unset"
PUSHOVER_MESSAGE="${sonarr_eventtype} - Message unset"
PUSHOVER_URL="${sonarr_eventtype} - url unset"
PUSHOVER_URL_TITLE="${sonarr_eventtype} - url title unset"
if [[ "${sonarr_eventtype:-}" == "Test" ]]; then
PUSHOVER_PRIORITY="1"
printf -v PUSHOVER_TITLE \
"Test Notification"
printf -v PUSHOVER_MESSAGE \
"Howdy this is a test notification from %s" \
"${sonarr_instancename:-Sonarr}"
printf -v PUSHOVER_URL \
"%s" \
"${sonarr_applicationurl:-localhost}"
printf -v PUSHOVER_URL_TITLE \
"Open %s" \
"${sonarr_instancename:-Sonarr}"
fi
if [[ "${sonarr_eventtype:-}" == "Download" ]]; then
printf -v PUSHOVER_TITLE \
"Episode %s" \
"$([[ "${sonarr_isupgrade}" == "True" ]] && echo "Upgraded" || echo "Downloaded")"
printf -v PUSHOVER_MESSAGE \
"<b>%s (S%02dE%02d)</b><small>\n%s</small><small>\n\n<b>Quality:</b> %s</small><small>\n<b>Client:</b> %s</small>" \
"${sonarr_series_title}" \
"${sonarr_episodefile_seasonnumber}" \
"${sonarr_episodefile_episodenumbers}" \
"${sonarr_episodefile_episodetitles}" \
"${sonarr_episodefile_quality:-Unknown}" \
"${sonarr_download_client:-Unknown}"
printf -v PUSHOVER_URL \
"%s/series/%s" \
"${sonarr_applicationurl:-localhost}" \
"${sonarr_series_titleslug}"
printf -v PUSHOVER_URL_TITLE \
"View series in %s" \
"${sonarr_instancename:-Sonarr}"
fi
if [[ "${sonarr_eventtype:-}" == "ManualInteractionRequired" ]]; then
PUSHOVER_PRIORITY="1"
printf -v PUSHOVER_TITLE \
"Episode import requires intervention"
printf -v PUSHOVER_MESSAGE \
"<b>%s</b><small>\n<b>Client:</b> %s</small>" \
"${sonarr_series_title}" \
"${sonarr_download_client:-Unknown}"
printf -v PUSHOVER_URL \
"%s/activity/queue" \
"${sonarr_applicationurl:-localhost}"
printf -v PUSHOVER_URL_TITLE \
"View queue in %s" \
"${sonarr_instancename:-Sonarr}"
fi
json_data=$(
jo \
token="${PUSHOVER_TOKEN}" \
user="${PUSHOVER_USER_KEY}" \
title="${PUSHOVER_TITLE}" \
message="${PUSHOVER_MESSAGE}" \
url="${PUSHOVER_URL}" \
url_title="${PUSHOVER_URL_TITLE}" \
priority="${PUSHOVER_PRIORITY}" \
html="1"
)
status_code=$(
curl \
--silent \
--write-out "%{http_code}" \
--output /dev/null \
--request POST \
--header "Content-Type: application/json" \
--data-binary "${json_data}" \
"https://api.pushover.net/1/messages.json"
)
printf "pushover notification returned with HTTP status code %s and payload: %s\n" \
"${status_code}" \
"$(echo "${json_data}" | jq --compact-output)" >&2

19
nixos/hosts/shadowfax/scripts/refresh-series.sh
View file

@ -1,19 +0,0 @@
# shellcheck disable=SC2154,2148
CURL_CMD=(curl -fsSL --header "X-Api-Key: ${SONARR__AUTH__APIKEY:-}")
SONARR_API_URL="http://localhost:${SONARR__SERVER__PORT:-}/api/v3"
if [[ "${sonarr_eventtype:-}" == "Grab" ]]; then
tba=$("${CURL_CMD[@]}" "${SONARR_API_URL}/episode?seriesId=${sonarr_series_id:-}" | jq --raw-output '
[.[] | select((.title == "TBA") or (.title == "TBD"))] | length
')
if ((tba > 0)); then
echo "INFO: Refreshing series ${sonarr_series_id:-} due to TBA/TBD episodes found"
"${CURL_CMD[@]}" \
--request POST \
--header "Content-Type: application/json" \
--data-binary '{"name": "RefreshSeries", "seriesId": '"${sonarr_series_id:-}"'}' \
"${SONARR_API_URL}/command" &>/dev/null
fi
fi

120
nixos/hosts/shadowfax/secrets.sops.yaml
View file

@ -1,120 +0,0 @@
syncthing:
publicCert: ENC[AES256_GCM,data:qPtXFKL8BrUNMmuF4YOKNAmcL3USnTrMMAahnHCaBFyTNNrSa8zktRG0gryBUvsFTYqwcP6r/FFq5bEpjq6mGPJ942LrYSvv5nqRDnvhEJs3X6wiZfriq2Dyps+2MLqcWjU0tsj+M3IfkOGIry0XSP5EkWFgBJxB3HbRlwqA2ZDAnSOT1OWQbFOl4dYQ7gkssMDyVfrfMoiaw33Q9ttHhLswJIbMK/p1wSWPsEY20ZHEa4fSq06Eks0vUYCmDIrSiFr/fNF5veLO8LAnojJkSm87ZDkX+tAMa7/ZI96fZssHbJHU4dHrsbTlpVyG8AOQ7M9D0cMaH7WjJlV3fn5gAM8xgMjj9YcC3zMFSfBMeVyJF36l0G3jhY+1BO7omqqWY3lwEx/clt/HJ+q6K8z4/uyTfBsuMGPakkDXmplV6j23hwz9jzd/tCMh7/jVFyiwdSf9Ykykf0Qh8af4v1RVzcwbcBnpb4pjMic16WvBWpogt4lTu0o0u9NAMZX/Nu99pxDES7+DLKAIDOoIZwxAYWPY+zTlVusMrbuQ+yvnv1koAi0VJl5n2DpKKxPKKxMYcKN3SqMQ7TX8img3OUIsIje43kbLFnpWwdoBwdKov0PZzBHcH/9SgsBD/aepT1iRkg1Fe6c3EiOF3wKwXBpwuPq61s7+d7ESvOL3sVFEuo6fXhN0aGJK77VnZKqYERjlEOkETjSMNP6ZH1A86YQBFWRXHub1KrhNcZUbTdxuT3UD+gNvoD52InsodblYyDtmSqeEVix9m25buWeurmzSBngPr3L8xxlYt1gRrHZ/4yy2EQPWFo/oMTjqnd1YtcRkNtOzSl7zcXmV0KnY3yAyyyTlwe08PY2rRJ4JUqYS5C3fnv0yQgb7MrYH1Ysau14TOX2WTrTpklPL4zwPz/hVL9hVIeByNshQQZm7KsZXjBGzC8XXRu/3HWNXYXLItHwgNgtVkd8WuYe+bF+u86h1UTDABf4w2tfGVVA6/HqwPQcmdbhQZ+mPHSTbuVcMPLN8MNEK/B1JtBlQID9ybMcbON+pik70d3d+blI=,iv:Ut7rbEVIc2p095rzq9Y6ZS6npa0+atBRLrBjN3mQ6zM=,tag:g1krDi5xhOwr9FfXFQ4mMw==,type:str]
privateKey: ENC[AES256_GCM,data:CFW8XMhLaGFHYqo3+v+4Q8hemV44/Pps/0hBaz8eMwbv5GI34dkSmQ8jh2VY+bRhfGX6sWGXlxBKB44qiTP+jCs4rgBu+AA0j3F4b4/hH/Qj8XoflGMHCfBwsTwYm9vb7Ith3H4F5Fbcv1Dva6mOw3CA65lTfKlxF/NVyj9/cAnqjF0T90jaRYpFN9pLrwkAVBeydc+sofnReFOeI7/IFupxtPKkOaR9wGZK82KQj3+7sXEBgL0HekX677ENBqE4fZHUbe9AKbCe1I4k1RtL9DqANnjTED+ktochzuQ1cUeSnBHtbYD6GDVPisIkJc3Y2a6kmTh5YVF/u8zXMN4n0zwTX+QPA4xms0NCa/528YCSY8VfOfvk9mhQbpmdIob6,iv:gaILRQxX/0poYQedDYZXzL9/ojzIY7BQ+M68HMxD4go=,tag:D0X9OA7ohL5Z8zPsXPdybw==,type:str]
restic:
plex:
resticUri: ENC[AES256_GCM,data:INfsXRDS0oTwxmbUeuns2GtguB+OJvE1UC5uKjR9dqY7tZo9gS7Byjf7RrBhcq3SAAV1yPFnT1F5IZXrwgyBp1h4,iv:nsvINjznTn0PYrCO3sLaOMwSJeZV5gvDTefNKksgep4=,tag:KeA4+WW9+dV7XjScbDzCVg==,type:str]
resticPassword: ENC[AES256_GCM,data:+U4xZIzo7HbuF+MmZAJhj6+ekO4=,iv:GznZk8Ga4w7Zqx6QoXq/SUn1uURLxW9fMN89zTq7BNI=,tag:IuBFTTS0awiVILNx7Z3iLA==,type:str]
minio: ENC[AES256_GCM,data:EqFhTRqb5fY7IKZSis71i6aN6Llv2EAQxKjBrmoJKRLKFfQUVzHBgGXse42nd9KD2hirGsBiPgvuXulTw1z+bPmh4EVPaq2uR4fva5g4LA==,iv:4Ru3cHsw2Vyw6mtCoNECMVP/r5toYJ/BBvNNa0m3DK8=,tag:pFtHhgX1WgzRYNe87Zh6dw==,type:str]
postgres:
host: ENC[AES256_GCM,data:NkAc3BN09j4=,iv:M52sslgEY9QXcsG5Z+snGFZ7vt4IWiT6uqowoUUk78I=,tag:n/SXxbBuX2+vZknk/gBs5g==,type:str]
port: ENC[AES256_GCM,data:eVFfWA==,iv:sYcdDt9Vw/M0lM7LCVb8wHbwgQ62OfwM+MahvbcG4vs=,tag:uo63B0+r1GOv52bqzeiMZw==,type:int]
pushover:
userKey: ENC[AES256_GCM,data:efCy551JEtPagnRGHkNCKHT+r0yJ/5bqyGTsdeGOdw==,iv:DDAfy3EDSGHo0r5TapW6yjo7XMpVESYYtnUQLBPMg2I=,tag:9ws7n3hlhM4+++aIxOspYg==,type:str]
borgmatic:
plex:
encryption_passphrase: ENC[AES256_GCM,data:+PVidwqMgGuZJE0a9TyLda75viaodnZtEPA6nQWNp1KMR7zHQVBjtRojLuRh5Sd78Q==,iv:zJFecISN0l4r2QKfqAw3sds+l5eBHp+wapE+TDUgX3E=,tag:cy4HWmoJw0ygRhaAQ45zwQ==,type:str]
append_key: ENC[AES256_GCM,data:ht+OoijAcc8BnuAIoZ0K3kfvzlXYgmi61OHOpaR/H8YpadsMgruym2E2VIAibVhrAt0JamHQ8wEps1/Ur7GPRyQgZmq8dUlEJwVFyD31kOFjJDH3r7hZIMuJopAKYEHxuJ0PANqZO4mHbVd6rnnSvb5oOzACst0oKAoqarmjzVKSfRfRCxSP0df6WhuU4/bMq6u8L4FjMXbrYWbeK77tMdv4eEAHEM6SIuMXOad/AKvgYXIUYmhjohsBXfWQ+gENEVQEpYV48bc/zTC6j4RZI335iZQZq39sg5VWMnSsQtQT+UVzsHBbOYZbzC/FyjUKBNduYoniBQFuswf8IbDgwIcEd8eSRhTGWMOATOdy6MtVstXqZhc9YEHytFrAd6biTt7DHAVUTu9ZqqkyouiuGc8f4kdimGz8kSb3ltKUqN7qTACVHjFXNY5PkdHAy5brKiHp0lPyTiHFQYxabeyPD6VfeDNthK40IzmrIbXJynxNbfOfP3lkmDJ3iD5zM0anU8xcNtRu+1NA9k70GGEvgwTdUbpP+Myicn6u,iv:BAyqOh13D2kRyhKf6qX/gEeRMlmhiR4jD+VrRhKejn8=,tag:GGu1hK8t74cnKbP0dNL6vw==,type:str]
jellyfin:
encryption_passphrase: ENC[AES256_GCM,data:G7xk+FGsjV7BxwvBGozXcj0n00EjBhDw+Yea4Wf8fmXl,iv:goylWvW4OLWxi3rIyQ5FbmnNtHSuP93Mnb/P4dCes7c=,tag:UiVw9Q0iTw0TxG4hFzg4SA==,type:str]
append_key: ENC[AES256_GCM,data:1XPDRh3HtKZbgdXf/YyrIWwvuIsTRADtRea+0G0as5vKfMyrqv60IKvCSDqjlZNhUvtmAMFZS/y5AexLB2qNZNM2qjFvbwr1C2WJw9J1fkpcc2mYRrH2XaghFhwLKuD5PCo4jVztOOMGwXzKcwG5BKr0jm+FiffvoUlB8rlEgIihwmDDf00g4sBAvDpjVQdqxNgc14VALzUiuu4X55xIHW/tQk5R84PDfTR++41EvjDxFQau5TxA3xVeQK/skOSRo4RZRE8vF1I3Dc7njVBMK/PyV0iKLJydfK9Ql33ZwDQmHdt+aw/pPlaPWfMAPzLxbdGuOtUaGQijQmELKQP11101QKHDk2q7LYXfGw62VAqb7W1SJYPczZzdzqyFb4NULykAQOhHGW9I8esRCYn0t4Y5vBEYaPjyBuAJz8ClG4zhxwJPAAQBkntIId0Xjk9NjZDeNKqAXpgs3CDIOJYtGUmtA1Am/B/22/VLl9adheEnTtkYlSTRM8/u5RoiA3utipMFJcdkssmBudH8BvXbJFJChoh3qUDD3Gnz,iv:CZyuBaiKMxNaOlFu/OYFmHOeEVWBNJ3rUIBpV/Oh4GQ=,tag:EX5yoC+KRf6IkVm+7d+Qiw==,type:str]
arr:
prowlarr:
apiKey: ENC[AES256_GCM,data:7NKS0QWc/5MIBbasmHHz/EN8wF4ILmsxBQpfZL3J2fs7,iv:WctX4v9GFkseJ+Vqk3U2l5qrgWCcw1Bv3N6RQuwQ1HY=,tag:7FxfWn5ydXu1Pp/B82TOSQ==,type:str]
postgres:
host: ENC[AES256_GCM,data:++C/D+s30hs=,iv:P0HIuGzVypgxfYmhcNodMXbEufPdrlO/nuQwHZ60kxY=,tag:qHzYYmFaeBXyty6ga6sfQw==,type:str]
dbName: ENC[AES256_GCM,data:8t6Ms7cVgSMzN4Vn4w==,iv:mh1nOUuVllIMlj+lhuvXIQqTZ5VCcaU3jj3nOGxAsGs=,tag:OZVFFM2YMENHN3pf9uF+5Q==,type:str]
user: ENC[AES256_GCM,data:ji+57XLFMus=,iv:xC+EuVBs9wzZG+leFnAIZCKbxFwtMmSwqhJgVl4SRak=,tag:o7SqVcv33zukUOJ31ORAgw==,type:str]
password: ENC[AES256_GCM,data:aSiZR0cTtevhD6s0f6+24qILUmfH5OCBUQ==,iv:xPqiNf9N2Mm6Z7lvcB9xsTjgiJ1tren04pM4rOjRc2A=,tag:NSGr7kedaVgqyM5qwKM40w==,type:str]
sonarr:
1080p:
apiKey: ENC[AES256_GCM,data:h2vPlVVkdOScJg0uvs5yv/WK9NpotcF70bD65gTR8TdY,iv:T6F/u4jFt1k+jaLO0epq5nkTr2c1FvtrEfxadNuQLVU=,tag:GNVgD4oAI1OdBrHlXFlYIA==,type:str]
postgres:
host: ENC[AES256_GCM,data:8DruSnH9MBs=,iv:WBgn1seW8Tgy8CLB7mv+BgojNk20LUqqVyS+o3aFtWQ=,tag:bNqeKmcXb95167YHIZD8Kw==,type:str]
dbName: ENC[AES256_GCM,data:s/XMwlVu648dmAA=,iv:sUtQxqGmpNM7f2Atwm1b5TPj63nynZPIJfHFe2XCjz4=,tag:NTYMuvlBuWDWyUAHPrKlow==,type:str]
user: ENC[AES256_GCM,data:OF1jJTDj,iv:u20mF60SJevMeIQAjnIzCbIIKKFqJ95+mG3f5zfX+iI=,tag:BZK7NhoLWDJss/tnf0ZHtQ==,type:str]
password: ENC[AES256_GCM,data:2IWE6CK9bOQ9Zhjfkw9WOkwElKtLRiJRKQ==,iv:ySSML6PKNq0JbhcSwQ0rxSEAD+h74u0X5ncfIWbh0KY=,tag:R2nnvakD8SEyEn2GjgkgXg==,type:str]
extraEnvVars: ENC[AES256_GCM,data:H6ZGRWsRyZ635t2eELbvz2QvCy47wiN59ViytOxX9SebXC2b4cfvGpGJi1RIOlkcz59BUYUizK58sUNbgMeFn178xVkT24mOXYu5VkO/4n5WuY2zWN9gbnL6RWnrQZw=,iv:RLroNHNseCQeYuNdad9KiFjrKkZI44gP4E/Uj73R3qg=,tag:++t7TZvUEDAiU3Smgffitg==,type:str]
anime:
apiKey: ENC[AES256_GCM,data:/1GRSCBEgm+MFQRoIddchoe1290/A1hvVCNmp1hfsSGS,iv:GOeXBu7uKklK6KE8RvpewzBaySdoKonVo4rApadoIzw=,tag:EinKbUl+X92plkp9p3AXOA==,type:str]
postgres:
host: ENC[AES256_GCM,data:hvZGv3MQ0JU=,iv:HFs62YuhV0uypvBGA2kfAlorwWbjRr6M5/VJwx2LVC0=,tag:c7B6eco64WzvC0Uo44q76g==,type:str]
dbName: ENC[AES256_GCM,data:aT4STqdwfQ/kRlYQ,iv:XUyJPrqkDaLt5TmJl1+u8xZitY7x1wI2BpykmYQivjA=,tag:YSyzENEHcrv0y4GTYdW7QA==,type:str]
user: ENC[AES256_GCM,data:Io5JmxNKuJ33MRgS,iv:DXLRl2ZSRNkdTXRY3UzL0zxM+1m3xpdJgaWZqbl6Vok=,tag:rD/HrAOUF2LJDc13blJyRA==,type:str]
password: ENC[AES256_GCM,data:whbjCtd6TOxPKWwvL7L1lKcxr8tEZEx7YTdJNQUtcw==,iv:n3YBj1HSLo1EJ+XnuRXsn9wWXIAaIe4zwkfFLaKx53M=,tag:gtENwItQT6dgr0fBrEipaQ==,type:str]
extraEnvVars: ENC[AES256_GCM,data:MYQWHBE8bcttmXhh3HDir1zBJq1t1W4Xik7JnyEVmHKdXQu/GPUvbQLctGIXC9psD7x5lk6xMwg2WxSFLHcGFhadDHnm8rla9wFCSh0VlTyWekvKZ+XZPuhcDFxfYVA=,iv:3HzZU/1wJEXizscc7rSLLmJqe/FMiwqu+RiqvCBxBtY=,tag:3OXclcolF4WgW0Hu2FDojg==,type:str]
radarr:
1080p:
apiKey: ENC[AES256_GCM,data:w4VmflaV51T17tp2Zwa+2Ifm1FfPgVRxLmWomhsHe5wa,iv:xYvuQL2u7GwDxAWpohAJTuX5tmvxwxo6xS4Uz/9MXOc=,tag:uVVxdY0QreC1ZA+LWpKTmg==,type:str]
postgres:
host: ENC[AES256_GCM,data:wFG60E/SiJg=,iv:glgvp1UsgO16tXjfSBKaQsMSzekMiWFLG1ptcgS00Gs=,tag:LhA3+kQzMF7IsCZEPaEeGg==,type:str]
dbName: ENC[AES256_GCM,data:/AWMN9BQw7vDvg8=,iv:CwUt1tur+xdrd+egaVs1ETr9ueWyrb4rpiLWTHtkFuo=,tag:EmYEZJw3j4/D98KXzcLpFw==,type:str]
user: ENC[AES256_GCM,data:K4OFAbH9,iv:O2HHLVNC7YUtD/BQWSjUaz/tFdd0O9tYkqTy03/M08c=,tag:Qrwq6x/oxLd/1CjtPXSNJA==,type:str]
password: ENC[AES256_GCM,data:QYHNzqggnZ0v9byc41txTX5FcLPjSLZP+Q==,iv:dbrnn9btZd6b/KhnE3nbpljqkjr75PFrBERuju4wvv0=,tag:6/COq83YDfYkpLwW+S6avw==,type:str]
extraEnvVars: ENC[AES256_GCM,data:IF6EntbTjCs51DjVfWRJQ7JYLat+ade0bVVyDPxBJXzUJAsGIg2wxsMOCBZONs/VJgh+lUmlYuuCj5Vfy37YTOaFRdSEBEYkHL+iwThHV29nAV2GJyn/E6Fau+Hpj6A=,iv:ysLb5Em4hg+RAkqotLhJ0p29yribQjv5SK87HkfWMcI=,tag:zM40WAugV73e2QorCw1eVQ==,type:str]
anime:
apiKey: ENC[AES256_GCM,data:pQsxmcLwAOfPlwJIARgsgqObW0weoNfgeX7xNZ8nRLZ1,iv:IjyJdeONnrzcBQj6VScf5mO6IAGGaxLFn00avZchQ30=,tag:z9xqycT/Y9FnZ+qbXjLW1Q==,type:str]
postgres:
host: ENC[AES256_GCM,data:rmPRKNCDNuY=,iv:+b/NQZS7mPF1t8DlcuI3MXZwX7BcOIb0hiVANXCdfSk=,tag:1YqGTRl0LUz4vqy+SCM1HQ==,type:str]
dbName: ENC[AES256_GCM,data:/y8nkutIioMtH7Q=,iv:AcNHukerGYCxW7i3tvXbK1a3cy88623tF2xE2CQhrsA=,tag:YqllmENzjiKzMyLCMhZu/w==,type:str]
user: ENC[AES256_GCM,data:XUHlPPiaeUEJM/ii,iv:VHL5CoBf9/dnaFUav3EOwoRlBYt7pQ1b9fhpBN+UJDs=,tag:CZNf0Ix10Us4iS//Fth4wg==,type:str]
password: ENC[AES256_GCM,data:Fp13YKpwv9rWhLirbX6k9YG+5w7AWA==,iv:M18dOvzRHt9WXA7ThmOUGTE8o3lTXR6rzwYRbO2x7ns=,tag:alAzOfQCJ8d44S960aT2Bw==,type:str]
extraEnvVars: ENC[AES256_GCM,data:HxYI/7VKvP5jheDHg78SY5WL7R8i9tO2nmmOfJQTyz30tHMFucJJ490AovKXxmnUy8NXv0EFIHt6hP5zCUW8cqGf8rKb/aY6pzpga9uBNStM8yzk1K34qVT2VjAMtLk=,iv:wBZfS8gh8dmKYcB2Uba3Hdak2NRZgqUceumgqf97nCY=,tag:dvQEIHFhdyjYof0a6NHMfw==,type:str]
unpackerr:
extraEnvVars: ENC[AES256_GCM,data:/M7qxzcp5VO1nJfmOg/LKE+o0oqGgx8ohLCBqwsBzAaCcAe+L5PZb9J0Avgf7dFIeYXHXtkPXZNUYo04btsFqCizRrPBa/MxdSp6Wc7vLONaJXx/3PSJI3GgFR4AB0aeGEW4HaodLs6K35JqE7FV9NdX4Sy+O/s4TK5s9EAebVfkTIuaBA685L0JPUUHxdzuyMpMP9C7RoZ7XyoToiVxVJi7cBeXwuevTZJwCY9+p+RjiUcNrHt+HNjSPZMUpYo1d1CAJaAmy10kE3yydjYo+9vZwEpdoKVXlw3pio5rVpGLV5nlk5Mv+XHeZ8h6Ic8LLoDcy616oCmn5Vp0B6spElgSBx1tNjwF902ku+8rteh6931EHdNoD/APhg1h1/u9kBLZfxQ0v6DK3kSYfETW/8X2Y/V7bvSaiYhKjHdOYBxXkmIlpTBR50FPBLQ=,iv:I5jHRJFTZWawfwndvNrjPNLldrZyABynfXKUZMFeZiA=,tag:RnEebZ1LpfJWPiNTxT4ZVA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTbXJYbUNJaEkzQlJqU1Zx
Zzc1M0RxMFdMQXpIekwwMmhlMWo5d3BRZ2pBCjQzdTd4ZklNUTJYa2c0QW56NVQw
UzBja3pRV3MxSGlROURML0VLTVdKTmMKLS0tIDAzTzJacU9UVTJNakRrWWhPeUM3
OStNbWNzS0V3SXIvNEVWZDVPb245OTQKeFrwTJHVxc13tv0LWU3h+8nZiedbC3II
pOJlGu1+iAssnu6p2eEefH7Urwlr7Qsa2G55G+l31hzZsFzuL1yLwA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlSXRDRSs2MDBaNG5SV0ds
cmRKM0FDbHZnQVZ1R256SlZzUHpwZmZGU0VjCnJVWGQ5WTE0Z2MvVHM2Q3VYZDNM
Zm15RkVidlFEWkduYVM0TU12YXdWRDQKLS0tIFF0WHM5UytOY0tZSTZNb3ZTbXAr
S1Z2blBqSWI3cWJOb1JSZUhKcW1GNnMK5EVQb2zVqHdBWQWmmEze7kWSXf7NEt34
PnA0DiGCHnHm+UQg6Hw9/duYo71oQ163AbPBxD5hrCOoPgViVKFEHA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nkpq8lr09vamgvf8cvzemqjyr3ex8w7azfupdr2gverz9j5zgemsv99t0z
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQZ2FpckhNendHNU5yVWRm
OVNqcmZyckdGTmhuU1psTjA1YzZyU0ZLcG5FCjArMjBGT0pOU05xY1V0aVMwc2ND
eUVjdkh4a2o2VGMvakZUMk1GTE1CZGMKLS0tIHpVMmdNN1V4OXpLdVpEUWg1QjAz
L0hmYy9kSktvdmxLcGcvVDlFNGRiYjQKCwUhrXyEWzyFQvmKPnnjQyF/n5SF5yiT
42Vh1REycPIWlegr6/j5bF+tFOPT9Wb/Hnmc6FPKjQt5Hwgt+Buhmg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBESk8vMlpueWVZUW9ndysw
REc1Qm4vRU5QcjVzOVBBTlNjaFNpSjE3eTNRClZjaVJLZkNOZW9zZUdxRGxJQXNO
WjQ0eE9Ua1JPMkNINnVmcXI5SzZSalUKLS0tIEk0emhxdmJjRDJQYVU1cVRSejYz
V25uTVF4Z2RZeEZpMTlxOERaMnRtVG8KHQrPSRD07W0pTH1ynePwXRxXPWn8n9sZ
Gxu327fptOKoKjDXrLduoHFuO0m9WJcXYP6v9rtVmrTDhU/Ntye3UQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6OStleHcyMHlUTW5wN2dl
cHRCMmFmM0tMRzVmYStlUU1mdzYzMkR3Q0JVCjNTeTE2WFZiMzJScWdFMEticHoy
RDd1VVpnU3FVNjdNOWR6L2VqZ25RYnMKLS0tIEdQL2lFS1hINlV2SEZvWkJVQTEx
aHY2Wjl0b1FVbG53elRxNWpqcWRrbE0KjAvjOqSEQF2286Bj2jF25BoKuD4OLoHY
U4pqq52per87pnJs4gBkRS8DNoSbRq9JwyTwzKz2BZgPJvVDGXDTOA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-09T06:33:41Z"
mac: ENC[AES256_GCM,data:MX6qN7VW6B2zR6O2n3znHt8DvB8GuaSjT15OPEc+T4aoXZ6g+OgOCQez8Yyd8B4Nv6joKJrQUKIM4sMSAmQ8bwwvXx1YTUKQxJ05MKGGorZYuZCOvhmsOnhRYJGVt40XZiIMIYDvl+uRjkG4NSBOoYdWF7qldphjTNzXrc5Qcnc=,iv:Xj3cCr6p+cmc41FVhxiiNfjhOKY1rlpT9zUR43hSvGo=,tag:FTVX4awkq5UDXGIAgSbZsA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4

124
nixos/hosts/telchar/default.nix
View file

@ -1,88 +1,58 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, modulesPath, ... }:
{
pkgs,
inputs,
...
}: {
imports = [];
swapDevices = [];
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
networking.hostId = "4488bd1a";
networking.hostName = "telchar";
boot = {
initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usbhid" "usb_storage" "sd_mod" ];
initrd.kernelModules = [ ];
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
fileSystems = {
"/" = {
device = "zroot/root";
fsType = "zfs";
};
"/nix" = {
device = "zroot/nix";
fsType = "zfs";
};
"/var" = {
device = "zroot/var";
fsType = "zfs";
};
"/home" = {
device = "zroot/home";
fsType = "zfs";
};
};
swapDevices = [ ];
virtualisation.docker.enable = true;
# System packages
environment = {
sessionVariables = {
# Wayland and Chromium/Electron apps.
NIXOS_OZONE_WL = "1";
};
systemPackages = with pkgs; [
# myPkgs.modrinth-app-unwrapped
inputs.zen-browser.packages."${system}".default # beta
inputs.ghostty.packages."${system}".default # terminal
dconf-editor
fastfetch
gtk3
nodejs_22
pavucontrol # Pulseaudio volume control
vesktop # Discord custom client
zulu # Java OpenJDK
];
};
services = {
# Tailscale
tailscale = {
enable = true;
openFirewall = true;
};
# Pipewire and Pulseaudio
pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
extraConfig.pipewire = {
"10-clock-rate" = {
"context.properties" = {
"default.clock.rate" = 48000;
};
};
"10-clock-quantum" = {
"context.properties" = {
"default.clock.quantum" = 1024;
};
};
};
};
blueman.enable = true;
};
## System settings and services.
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# System settings and services.
mySystem = {
purpose = "Development";
#services.syncthing = {
# enable = false;
# user = "jahanson";
# publicCertPath = config.sops.secrets."syncthing/publicCert".path;
# privateKeyPath = config.sops.secrets."syncthing/privateKey".path;
#};
## Desktop Environment
## Gnome
# de.gnome.enable = true;
## KDE
# de.kde.enable = true;
## Hyprland
de.hyprland.enable = true;
## Games
# games.steam.enable = true;
## System config
system = {
motd.networkInterfaces = ["wlp1s0"];
motd.networkInterfaces = [ "wlp1s0" ];
fingerprint-reader-on-laptop-lid.enable = true;
borg.pika-backup.enable = true;
};
framework_wifi_swap.enable = true;
security._1password.enable = true;
framework_wifi_swap.enable = true;
};
}

59
nixos/hosts/telchar/secrets.sops.yaml
View file

@ -1,59 +0,0 @@
syncthing:
publicCert: ENC[AES256_GCM,data:eqTuzoyuzVC5ZITeipdlHWH+o+xPMPQeiwwGkUdQPIEvjhPWQoHeodwPWOXGDQyFwJfD+77bphWTTVImdTNKJbbtjP/oneQRZPLsQThPNHXcOMDjhzhyBVaOrKhn1eZy849Q4MNBArbQn0470Sn8tkpL2SyiwxKeyel7MFIkZpoCPRt0T4lkF3GW0M+CcR83jqagR4dBX8aEj0VReRPYtoqTfHH9SBWM00unzWzG4XGO+MzoFLyBl9SU9cANv+K21xzsChUxUCGgKCr7Fe7400M+U+G3pepI6SJ/VxuTTC063i0oZVmVMafdGYTbM7lsVGj/53PJzLiQOW9EZt+YiYNvPc49F9EpCYYXIbdTKb71NaP4bpgRKaWHx1cUnqfVo9zPqc9cAxEUEEGajwdCkcLNR7P+6Ws/SEKPcaxjoYeGqRPls8IaXFNqq86okIQ90wtR2BPr60tTR2tW22DAxHHngpGYPyl7D2TsjS3ok/E9kicQD2nl9P9VWZDzWN+3HhCYtMxrgb2qK8KYWRd6yAEmexU9Tc6Mh6gKRRhLBfSsDsE1hbo4TxqROtZwFpq7YAn7vvieQ7Pfz98fLjciInlDwmWTgp7Vkd7YLoMTBlzsNFXpxct5Gx24rNHMp13TUtfg9+mNvMoxIHFq5cR6GZonvPlTC278hiowgjkRTlQ+jgsQjgUeusy49/ytB9SNmSrTbtcOakepH3H1H7usedKbJBXcpGfohqd53xHs2dkno+lCg/kGzgkthbGgmTUsz/84x2ep0mVQC0RUQf3lyDeXko9szk683kR+aPw+UTi1q0X6A1u9A1PIKnB0+WpHQSfAcMjytJx9qYkvJ4drP99Y5olHn+JORKhKE80sHabpST6uVR6Ym6epjJop1MkFfD8Kh/NmsuDgz8kP9j/2sYJuusG5/DhX2vua4D2TCB2yby4uLCnXwazbzq+3A1F2FOPn2ynUZAnrKTNEBl/FfHLoIoHUl5rnlaIfz6VuSUWx6LafX0GZ+XTnGIfEv534/C1zc8b3BupbHNz44kNd8BVb+s6gqw==,iv:A2PVFa4J0JPsBh8LU1Z9KqgQGKWqO4hJ/cRTeznJY3Y=,tag:5gumadR51zYVscNt9SE3Jw==,type:str]
privateKey: ENC[AES256_GCM,data:qHNpyCmJ/2vM3COwzOqI2Wi4TQRHAI672URYPa7y5irtlBJoRy+hlBvHF+0+gAHRtx9cgFkspKBmxiC8M0VBYULBjVlYxlUySluRnZ9P1rv6Qj0Lv1T6kOrdGaL9VjEI4SWfYmA1/sFALxyZpCDm8oHhUPZfs1+Qd5U3nupLIyNsTO5aKT63MfjSTkLrrlnkQGW7B7Eyia+A/OVhAXaGMaXcKnCIUo7H+t2zSTeUQ6hgTkxE/sHxSyspvB9M2MHF0CtwwLlsyTNj9MtDE7NWwFxt2Hd7AXL5Ho5PhOrgwxp9FSFocdR4j6BPTYTMMgwFcMNOBb5ORveijp6qVA+KUNMBwezYp/TQnaC1DPMdcuh567SxRnstICIsSh1l/5RL,iv:z6DuPK51dBnJCyVI5wSqEqSLdqEXVnxlGakBBr07aYw=,tag:rjaVe4SrVghdG1zqiU1o1A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRNVh6c3BaZHdMLzZ4NE9G
YWQxVTluVE4xWTRwZFdnOHVLZUwxeTBnMWlnCmpRNkVaL1dxSVlvTmExa1B2U1k0
V3ZQTUcvMldFZlhJaW5GNVdPakx0ZFUKLS0tIGVkb1A1TlppZjJ4TU83Q1Vld2V4
U3IzaWFmZC9oc1ZRZitwb3V2UXRFb3MKyViC3mT4RW11E6XmVVztMmJgm2NP9JX9
Bf0jGvYhO7Etg5O05NwTAy1WZLB68hqTHAJ2tMJD2934sJicWfg/kg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBudTg0ZElzdndiSGowNUxk
cmRDTS9ZTW9DVHB1dlNYZU0yOFdqdkRVUzNNCjJaY01ISklDQjc4YkVtSyt2UlFm
cWJGazNwdklDdTJvOE5ZUWl0VVZpV2cKLS0tIFVRQll0d3lKSTNZZk80YlNhQzlE
TXU1WE5wUWdhUnhRemhNYllHK2gyQzAKPuT00v8c2W1iSCx4nAG4XzCz317D3jql
ANYcLgmd47N8Jj+jssAPgoG9Oavj4II2NmXpLGKSDyAPtdrTqowAXg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nkpq8lr09vamgvf8cvzemqjyr3ex8w7azfupdr2gverz9j5zgemsv99t0z
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAreExpaEI4YmxLTE5jcTVT
dkExSlMzQmJVMVpCcklwRjBGWE1ZZWZjOGpBClVSOEtoUTlGVkIrN2J4U0ppSDdY
MmFoNnlzWCtOMDg1NWxQVk1QRzBVazAKLS0tIFdiNFJsWXZLTGpRTVNmRlRJWFQx
dUZVMXhMYWlNdGZBY01ZTGxsK1RIa2MKY5F4BSYaeSo7rFUc8DJ8HUGCkUSHwR+/
XTKp2FkXD38hFOC1jWtityqEF8vCMA/m567nw0adTCFl5S4vegpy1w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4WHRxYk82ekZpVUtxVVZZ
WFRXR3NZMkt6R2FnSGh3bG96NHRub0EwU3k4CkNmcHdRT3BWTjRVdllGQmtqSHN0
T0wzV0xpWkY1UXNFSWtsTHVZTFdEMDQKLS0tICtpbS8zQTFXbllpOWl0Q3lyVjFR
WHpJNFAyeGtPUG1lRWdKMFdqNkNWeEkK0DcfsEUECFhSXPQvsmKx5gVdHyZMb5lr
XoKOFrrjJ+NtqxfyAuqKmt6TxpPvzgBLdnbmQ0CTG7qb86O3o88tKA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDcHB3RVlyaldnaUJqOVpF
WDd2d2RKUmR0VnU2SEVvZWR0dnVPZklweTFrCmhhb1VYaW5PM2VaamZtWURQOGhH
UlBCV2J5d2xYNjN2RkF2QmxjMHcwNzgKLS0tIGFZY3NhWHhYZzBzVGROZ1ZXckdQ
QnoxZlAwRjQwQ0hQc2xrV2E3ZWJLL1UKwrILkzbDJlUdIN9un0RTGNXPzmlddo7r
ThuBWigFXDscsIHkwbhqfWPJy4YGcVnhYE9bfTV8k3AWAljWl6kL7w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-09T06:33:41Z"
mac: ENC[AES256_GCM,data:VoNIfkIOFC5EZ7s0Zd4SD0RGLxyGmZ7VDIMz4c19Bp62zsvo2xeXp1z2Q/UFIt3EX8Tr1txRWawDmbImTYNb7Tzk/QvE8NZswDnRGpMloo3aAHT6acalm5z0To7jvsCZnLyR+3cwH9RGuMx76CNbyDrpSbrPawFjj1LAfsiXyvo=,iv:sOU7iOlkHKWRuKSpb6+JVoac/L4lDd2cILV+uoKzOnc=,tag:GTwHnF8X9+TSm7ZjWQI+zQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4

21
nixos/hosts/telperion/config/Caddyfile
View file

@ -1,21 +0,0 @@
telperion.meerkat-dab.ts.net {
log {
output file /var/log/caddy/telperion.meerkat-dab.ts.net.log
}
reverse_proxy {
transport http {
tls_insecure_skip_verify
}
fail_duration 10s
health_interval 5s
health_timeout 2s
health_uri /
lb_policy client_ip_hash
lb_try_duration 5s
lb_try_interval 250ms
max_fails 1
unhealthy_status 5xx
to https://legion.meerkat-dab.ts.net:8006
to https://rosie.meerkat-dab.ts.net:8006
}
}

51
nixos/hosts/telperion/config/bind.nix
View file

@ -1,26 +1,27 @@
{config, ...}: ''
include "${config.sops.secrets."bind/rndc-keys/externaldns".path}";
acl trusted {
10.33.44.0/24; # LAN
10.1.1.0/24; # Servers
10.1.2.0/24; # Trusted
10.1.3.0/24; # IoT
10.1.4.0/24; # Video
};
zone "jahanson.tech." {
type master;
file "${config.sops.secrets."bind/zones/jahanson.tech".path}";
journal "${config.services.bind.directory}/db.jahanson.tech.jnl";
allow-transfer {
key "externaldns";
};
update-policy {
grant externaldns zonesub ANY;
};
allow-query {
trusted;
};
};
{config, ...}:
''
include "${config.sops.secrets."bind/rndc-keys/externaldns".path}";
acl trusted {
10.33.44.0/24; # LAN
10.1.1.0/24; # Servers
10.1.2.0/24; # Trusted
10.1.3.0/24; # IoT
10.1.4.0/24; # Video
};
zone "jahanson.tech." {
type master;
file "${config.sops.secrets."bind/zones/jahanson.tech".path}";
journal "${config.services.bind.directory}/db.jahanson.tech.jnl";
allow-transfer {
key "externaldns";
};
update-policy {
grant externaldns zonesub ANY;
};
allow-query {
trusted;
};
};
''

89
nixos/hosts/telperion/config/haproxy.nix
View file

@ -1,38 +1,53 @@
{...}: ''
global
log /dev/log local0
log /dev/log local1 notice
daemon
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option redispatch
retries 3
timeout http-request 10s
timeout queue 20s
timeout connect 10s
timeout client 1h
timeout server 1h
timeout http-keep-alive 10s
timeout check 10s
frontend k8s_theshire_apiserver
bind *:6443
mode tcp
option tcplog
default_backend k8s_theshire_controlplane
backend k8s_theshire_controlplane
option httpchk GET /healthz
http-check expect status 200
mode tcp
option ssl-hello-chk
balance roundrobin
server bilbo 10.1.1.62:6443 check
server frodo 10.1.1.63:6443 check
server sam 10.1.1.64:6443 check
{ ... }:
''
global
log /dev/log local0
log /dev/log local1 notice
daemon
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option redispatch
retries 3
timeout http-request 10s
timeout queue 20s
timeout connect 10s
timeout client 1h
timeout server 1h
timeout http-keep-alive 10s
timeout check 10s
frontend k8s_homelab_apiserver
bind *:6443
mode tcp
option tcplog
default_backend k8s_homelab_controlplane
frontend k8s_erebor_apiserver
bind *:6444
mode tcp
option tcplog
default_backend k8s_erebor_controlplane
backend k8s_homelab_controlplane
option httpchk GET /healthz
http-check expect status 200
mode tcp
option ssl-hello-chk
balance roundrobin
server shadowfax 10.1.1.61:6443 check
backend k8s_erebor_controlplane
option httpchk GET /healthz
http-check expect status 200
mode tcp
option ssl-hello-chk
balance roundrobin
server nenya 10.1.1.81:6443 check
server vilya 10.1.1.82:6443 check
server narya 10.1.1.83:6443 check
''

84
nixos/hosts/telperion/default.nix
View file

@ -1,31 +1,21 @@
# Do not modify this file! It was generated by `nixos-generate-config`
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, modulesPath, ... }:
{
config,
lib,
modulesPath,
pkgs,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
networking.hostId = "ce196a02";
networking.hostName = "telperion";
boot = {
initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"nvme"
"usbhid"
"usb_storage"
"sd_mod"
];
initrd.kernelModules = [];
kernelModules = ["kvm-intel"];
extraModulePackages = [];
initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
initrd.kernelModules = [ ];
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
fileSystems = {
"/" = {
@ -49,11 +39,9 @@
};
};
swapDevices = [];
swapDevices = [ ];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# Until I can figure out why the tftp port is not opening, disable the firewall.
networking.firewall.enable = false;
sops = {
# Mounts unencrypted sops values at /run/secrets/rndc_keys accessible by root only by default.
@ -74,36 +62,18 @@
};
};
};
networking.firewall.allowedTCPPorts = [
80
443
2019
];
services = {
# Caddy
caddy = {
enable = true;
package = pkgs.unstable.caddy;
extraConfig = builtins.readFile ./config/Caddyfile;
logFormat = lib.mkForce "level INFO";
};
# Tailscale
tailscale = {
enable = true;
openFirewall = true;
permitCertUid = builtins.toString config.users.users.caddy.uid;
};
};
# System settings and services.
mySystem = {
purpose = "Production";
system = {
motd.networkInterfaces = [
"enp2s0"
"wlp3s0"
];
motd.networkInterfaces = [ "enp2s0" "wlp3s0" ];
resticBackup = {
local.enable = false;
remote.enable = false;
local.noWarning = true;
remote.noWarning = true;
};
};
services = {
@ -116,30 +86,24 @@
bind = {
enable = true;
extraConfig = import ./config/bind.nix {inherit config;};
extraConfig = import ./config/bind.nix { inherit config; };
};
haproxy = {
enable = true;
config = import ./config/haproxy.nix {inherit config;};
tcpPorts = [
6443
6444
50000
];
config = import ./config/haproxy.nix { inherit config; };
tcpPorts = [ 6443 6444 50000 ];
};
matchbox = {
enable = true;
# /var/lib/matchbox/{profiles,groups,ignition,cloud,generic}
dataPath = "/opt/talbox/data";
# /var/lib/matchbox/assets
assetPath = "/opt/talbox/assets";
dataPath = "/var/lib/matchbox";
assetPath = "/nas/matchbox/assets";
};
dnsmasq = {
enable = true;
tftpRoot = "/opt/talbox";
tftpRoot = "/srv/tftp";
bootAsset = "http://10.1.1.57:8086/boot.ipxe";
};
};

86
nixos/hosts/telperion/secrets.sops.yaml
View file

@ -1,63 +1,81 @@
1password-credentials.json: ENC[AES256_GCM,data:LhPG3XyCRZobdAN77ATiEy+A3d8P+1E0+lS8JXbvY55v/qhXk0xNUMb1KsBjGazsj6jq2j4u0dq55KmTDWckC5C7MIUzI69bbHrEtQ8c/XgBo5ulmsaMgkRNjsXMJ6h318/M5XC5wd/MhWz+80eWvnVu7PI5E0Ar77W+KeoGwCiaZ7oQGoE+e5TJpNlOhtiMNfjtmUzx7L7D2JNB9LhA21Y6LcLToGVm06KguHMPZAK//3fBbJfw7nbY7MHJ5tYCu20pUF2eJWnRcB11QDqPIOszJ/tKZ9JQtXd8DBmXKgrjeOaq0Y8XIgTo0co5gcfriQQ7SC/m0MWE4LkoGOpmbdw+hZhqfIVOl5+IXwXkH2EMn86gJTBxdgtPXz6EPkuPSNamO+uh5L9vjodFcCKZVZnW/QvhzxYaRErB5hbSJ1PrPIRcJsnOkDcIcBtW4b3qvjJtewvX33RDd7qEIoqd71jNOEyxeZgidpUCyfA9bHLVb367DcwbCB5jZ488ZvcjbcEXuvPkQfZ6xR49vuijff03thN+Ob3kQI7ofcasqbRO0eKYEQQapDaTz9IbraRf1z3JgQ+o/Brh8LHxEBgMQA/GwDGz4n/wnMczylH2O/ODsjkI76kYk7qLR9Z+8WT9tazrcPrBs/scuJSHu5Sl6c8K07HN9W0jPnD8dAP4J5Pl+lxpS66SDVfGImYwjuQjfDF+RY7A/UP0iPxdklkfLVQ0Yu4Pa+8Y10YAXY8UG1NQW51REobTGIEF6El6/pzfNElqAdFG4+5JNZF1/4IXWPVJQly1VstUY9D4f+0Z+7X/eAdz7VxWjI8hOSGH+jPbylXe7eNQZdhDZ2PNfoqGNsgLZfT6AcBtLR8eHZlAY9O139YsSzPqae7CRP4TqX0KwUQHiZ1OWh+zG/OFUEPV/IiaGi+aUcfZzzz6mVrXXsyFosDtaqf3HYPcMuhJ8YiTY5g1/OK3EUDR6CBOENJf/iMjC03OBqf5xll5Bzw68pcX2rR8kkTmJx9mWE6SRxqOpVOxNZQaK2O1NrJxBQrR4/b/Vd5Sct+VvT24Kh3eue7+LhKIzJzh499sJ4PgNJ1plbRDzKpfj2qH704xj7YzqsKPcKIq+VHQQakQ3VdAOoMzo7RXchVh2BDTp0I4GljUOoOh9sv2DIrjmpnN5KWwAk7gl1zkcc/DPEqa6UN8z6WVlTIC4pHGm68IyRl0HV34owyLEezGcoidIu7t+AwZZrD4SRHFPFCoFd6ubbcr2/7xZgRaKqGU/82hUEjR/SrxRQpjeN9Vf2PAAGDbVsZGC9f+pthMamlD10oZzfamf9DliYdF2aNH6/IR6IPVBTbUoLuBDbqJH0lPtgLDqmpoS4t5cGvmmlGgjm4I9prrV5Ogz0ct30L1XW+KfxT5alnGZsx46ZaW6hlgmkGqiUUHhUuxW0GT+16UxOQLE/sZVgg=,iv:wPy/dePJ4x0IdPyB7ChN0B2msEAMcAuM69liIOaumZE=,tag:0CA6RZZ8mkDM9gCCDevM5A==,type:str]
1password-credentials.json: ENC[AES256_GCM,data:odK6x2TscY1WNCOaPBSfo2ln7hsa5UopakUpOgB4ci64p4LGIwTTDnSiq8+UXkrDndQ7tSqtr9RUvB+AwwYOuh1KBAwWmlZN7agtxUYc1wvMdQv8WPDfhqe9m0FNP5gyTaohcjBdBddZlv7izScVePUQUdG04dGYqUg6mQ/gmPtJy27hil8GivvxRN6FnFtkgoyfE+ZLfkTuMdeL4cxai4j+UeGc5XgmsrBLrW5udeDw2hktGXEBp2vMC6t+D7uzZ7DeLBDiHRbBZBeo+krnVdPsLxU3yFF/hC8vWVbkT7Wt/UhB0+X8SWvhYOvc3KW+NfyHcU0SONhQCM4iOkk/1qvcaDHy7idqexKxOtfQaZtuHW0vB3icgbxTO9usFxOxUPe63yXHUg+UDKSN4UGCF10eLoZKaV7zO76BkTFXQLl2Q+dytaxEKathhW4fS5lUBpuxXNDXuIxMiUIclXwVWVDpL7qchTJCopWwwDRaeHrUPev+pQptEsDLYpZeuf27hPjCMiOWkxt2kg2eKPjJ8AUtI8N3OlFPCyAurLgLSrFj0Wzm24LJLKsjs1if2y2jb/pR4MPdgnHgNnHS8VQ9JVprVyuw9C/wDhVV7yW+D4tlJ/d7AXaJq/dkO8XnwCEVPyFr9bUMB076z+tleYgvv9rHkdQMaqHr5HCHAtuYfM4f0Zpfr9alJ4wxCsj+MAn/PLGxjNd/hQQY+oYRpzBne2mUoxhRt3ZjnGH8LUBFSlz+e0+PB0anS3oV3XZUt0XuwGpNIxp4LsRFgmDC2qoMKZ2X7/DfTdmb3te0YbYNUUeHxlQ5AImzU6Lj1qw/clD7ViS82Rjc/WCavg9J7U7CdDbzhtv6xCxbyd3j1r8Wi4XLAXy4ZdcdvCEyYDHwJeExY8pp/jvS3CqSrlC/PyBUemloIQ+jSQiRYDv26XpRKbJ9Yd8fJ4ANPCMuvXU21iXtxHIRwopTo87hWqqSaORFcyVOmCxJJpa/TXL5fdd4ISy6CSqZXZCCIfiVxq4fBkqSoya4XMXQQq9Ki5xwLf1bDhaT3v7okP87A9d/j9Vru2RIZtRT71jVKvwDvJhLAfYuXyIUfQh5cvIw4/HlAZzP5vi1w5KlIJGf1uVVhvTl7p23/Gi9LAX3/P75dbK+x4VYOyqjMowER3jxk9m6GyFDl7iuceNh1bIpgPN1s4QOba7N2Tex5oa/aJJKOLYE4GYDtom5auDP6Xqa/Nd4NaDyd5oVuXcP7Lp7tDu9sIW5rhGaVYKU7jhzALN9HjfmAen+cZ50oy8L3IYKlS/91qzGughYDOjK4qeQ2XrMxySnCPja7ElV4gxmB3X73nxN+N0ZLEDhAGIS1FOaOammDjK2Pj/3vA5+S2hO3GYLh9glNgRnIGlNUVtw3My9H1mYIc4eP+LGGXz1KPnQMQWRtXZHH4d4fsOyhk+CE8as7WtyO7M=,iv:RkYdMs72Nq7dwHScKZeXMNSJ53ztTXCb3lkhrr9K2oE=,tag:XDdPfd+Be9nSAbvate52AQ==,type:str]
bind:
rndc-keys:
main: ENC[AES256_GCM,data:HETQLs4FDXeZINlCSnGYqF6Mntd7EurCRSyf5NIAz2Qmq87IAj2TbvesC8PnIBXMul5Uj8ggDym4xO6Qcoq6KQNfCtVOI/TaA3JYZbIOmNWZR82LsWwO77hd2kx8U+E9K6kFtBbV,iv:WGmWjcW1RkOWSoBjrbkyQkDbI6yYB7hakOrmXo4Q6eA=,tag:CfAe/x+HOu7tf0ZY4HIB/Q==,type:str]
externaldns: ENC[AES256_GCM,data:5kIBIpRYdGmBZBvwWSIufUzAs2Z+9scgMQOMHtDLFgcQ8OFKYbKlOQ2+G7exo/YfrD8QQfbPjHD/ScQbbs0SyFYhx9ivX2vizyV82uYqZ1hODKBsMHCuEvWMNydopbT5/vobKCnAER2T,iv:AA1uUmyTxfovgRnvktRQxmu2Bj5mStWd7MRrvUaI6LE=,tag:NPGhBf5yBbTPD63QnBA9PA==,type:str]
main: ENC[AES256_GCM,data:X0HTyNmqH1epIVNkXMyFlavqAodDw92Gs2sK54USNv0mWIwmk8NEb69x/Od8TAwDZw63k0lEAymyj/hBfkpav9yKT1M1hGxr09xjWsR/DTAM9tFv140cvnMEon0ZbXVXp4ou24jP,iv:7AsoCrxf8CyPiyWYfHZsGE0Qw/wutCVvCEiRdUdmIHA=,tag:oJi4BTDrD3FLEQuYeDR3dA==,type:str]
externaldns: ENC[AES256_GCM,data:WhH4vAR4Q4iTXq2fT+Z8kOXkwnneNV4bXWYytov62DFDSnYwsvWIbol5MvYIwXM+gEbQ/k/uk62MSFx26T34881EGJmH7KXWr7ji273D8oKAp0Fw6jOt2NZT6XkBwhWEIathUOwNdN6E,iv:SepdyBzYga7s03ppSppiBB/wTbTrL/y70aa/B/m02r4=,tag:vWqlZLx+FvstJjgRj4mjWg==,type:str]
zones:
jahanson.tech: ENC[AES256_GCM,data:HGvI3MRQHHwFW+ElBQJNuItKP+fi59ZXepjzY4IoRZ3mBDEORBMTreCk6i+HlM2GouVhJo028Ilkl6P/i17O1LchTUcK+NZOkJukIdd/WQknusZOxoQKhRYloyDGa2IYe4YzQDtRd3vrPdHffEkZcRvd7KF7EAYROMmWk6OSfasf1ta3iHQe6xm93Ql8EY1o6oqhjlS31w5XDOMaNvFkJF7pD+C2OQ6pGORYxv0ePH6gDr56FBPI1sZStDQtFFSrJEDKyuR+yrjhpg/fHnxa6XIRASSBSrOIrITE5VACZpuXB3hcUT/4BA+5P0GDayDuZv7ODw6NUPqBxgpgypfaUZjNwJl+MaUPbkFaRECZexbEwvNCl9/xEruBKlbhl2jL4CKLGKaNOSukYq3Gskcqc3qkvQCWEucmMguShSBv7QOq3l1sWOlbHxEQgvdLrZ4cRI0bUQCxk5xO7LRgodf8ACOZVrdHInsARuvX7r2mzGrYA7a6qPXpJOhE7Rai7mg1RQdabJ4i5nd0GSJV9WWrGH9/0yw5uj9f6nwEWuK23gkxK+2B7B+nt703WbDfDmnWNjaxHHz++IBxWiNLUFPGVt9GNx3VpMV70Y9PY5VmL4O8L7Fc+3TcTz+bG0pbWrO6MpwKdieWxmeLLn/blFGzd0acQUtV4UCv3lYjqofCDbfS8S/ADE93bcuxxnsVDwoVVnmWSOsXkERvtrZ9VggeXODZCwPhSbUXXYyF/KNmChbpdJDBbfTPjlWPqy1423SCi6TTX5xCNAbl1JL/2aTVCGOgQ2+QfSKzjbjSsp77ZzCQNWVMOenvSYgb4D98QfDOcukVs0ewa06CxLBEycjq2T6XR8+3/JMPDElmDVfdaOscW6QcpJXJEeWRU0kujHWoaZbmclgnmhPMcoMa5fuC0/p0+/DVOOn4ZINGGdAGy57NVUOOtyLYZn1J1F2EZAXRITRfxHNjHLLsuj8q9iCs7so80LUHejfKjqer8TGLLT948Vs3+Im/iB7dE7k1QmFxVd2lArNFFlPj7QsLtbM7sT6Kj8YRjiSoGer0AQVjkKewSIxnUH+n825Hc0efBFBYDCAN36LwF12FNB5+nTnI0fKIvV/N,iv:GYlqE0pT3vaNufSoM/RZNTW4j5IZHUkKj3KUdmc6ZjU=,tag:89rtkSyISHDzhDtF1VTuzg==,type:str]
jahanson.tech: ENC[AES256_GCM,data:XqOX6lbCubPEi1pXgIEXW0qyD2+iJXNugTPdQOB/yCm4AX1mMiANAV51FBDb9f+QQ+q1EDqGz/83VKggoIvHSZCOW3dkNWR2uy82uO8C59sbsLrR5AzTTnZN2zlaIjW2q42I838mKfO7MfYXutwQbTpepr/Brtbldm+HRjxugJJMDFvBqSlylSnFA+jeWq7RNRP1+ZxGULO8I2BTPqdRVyRHcIWjyQABTctDcDgDLMpPxrMBTtmC2/CFH5pIT3w6gbrYRwYFZh7fNprOYRRPOkGHMZK6ccMCpm2uRR4b5daB1MidqJUsX999ma2TEmsUJSQZr6mS2r/QvwZ2R9QziIkBxh91vCg6HMaHl8/ISlryZVlkWNY1P2jgCMw0jJ58NxeBVAjVWw3iL+i9JU/q51r8J3nZHi5ql90JMaVdYWw8I2GLYWDHQnES9srEXtJwJNLzE69lQuL8ARmey4gt8Q9snen0v3RJVFb466nPKvH51TjIAr3FB2L8NY3RumD4eYl05L5JdNcFVuqmsYdoWQSQdZz23BxRM/QKT2qKjrhxfZuQW1naNDg3qbx5+bLGHlG6m8wRdtkR5SXWQc5a7LG2eURY9T7vy8yxMWzjd5LPMFLd7JlUSjwXw9YBhYTafGuc2TUESs8DCO/hU2zjAn1KM+rmc2T4aF3HexJwt7b7HBmMrDWObdtj09ycV10tp1Z57ZMz18aJdIbaZKopERN25FzIKiTlytiZiWsesLo6mUbsgb7bmjGGjBEDbp9P7ozgZv5H+aR5Y7POl9EG3gfERPsa1nF1qlloOrYT/GX8pUNhXAxH6QfX7WF+ANiMB/L/X4L0/XufV7shCWfQwogZ3t7ARGHr3dIOyx1ABus+M2QUZyI94jHTn+/J6aaxL8qsDGDZ6383Gk/CHa57BklRUrZZYVs9jzDe7+12gDfID/eP+nnKuohwCY1KcHL5QCRUg8KN1ZIyH1FYz489l/qKFG1nO33iJv/l6opWjIv98EM88ckA7zxU1+UgjxNiBo0EGJPw1erwTwUzehTnj303HuTGbtGjgE/vK8M+rCCpL9L0YAFQyXqeuqQs6yM3PHCyKfvThCAnwnTIGn2mZcyu/GGGOO9Hse/islh4cYldxC8psKNfNlf6qT43MOf+gDJ2GKU2kzU5tivlNqXbgAs=,iv:8SWNl65v24W504eG64L65rDmvqrkF5VJhufN3u/wRG4=,tag:oapDfnOAPyPDiJrxGHtiJA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSSS9JWTZPak52ZFloYTZq
N3Ewa2hrbUZmZ0Y2aVpzaTZjN1hzWTlqRmg0CkdIZk9IMDdWQ2xsYmdHcGM3WmVk
cnVXVkprbXlQeDdzSkEvbW9SSE1aU3cKLS0tIHpuQUY1TmdKbGpZQ3N5Vk5LdzBC
VVp6Q1ZNR3gycSsxU3Q3SGtNUDN4cEUKDXO3QyNQfXqn587meoAZqraGMl4ASeOf
rVJDGWkNhne1YFdAfvbiY6pD7RDxscwiRFqDofH/t0EfN4vwrzIx3Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrSEZKOUJTTjE4YTRQUnFW
bzhMcjlSVTRNRWNkSmZSbU5ITFFTbURFbGpJCnpndFR1OVJvWnBOMVovdVVGWkZ4
Wk9xa29kekgxRnlqbFg4YzN0OE9ZYUUKLS0tIGsxeUhWdU5NaTE3cHpYNXF2OUlK
eGNyTXdqWFNvZ0NVOCsvaG55dUdaMEkKW9SxqP6Jpn72VAwPhn3laO1OE+gYzLvb
10NfaR+2P0EJZ3nwc0sLKmPmSzcRiE9etGtNGFiLgoUNkQ3lnwXj6A==
-----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzSzIwRUNKSnczYm1Eaklo
dzlSckxLT1FHc3diSy8rRXBIRTJKUVpkaXdVCkhHSXN3Z0FZLzQ3TFpiUWFZS0FZ
QnVHTEVKVHNXWkdvRTF2WFJlRUIvNEkKLS0tIHo0OXZMQ0xkUWZyZExEWHhiZnRm
SXBpaUNvWFByMis3dFlCLytRdEpIOTQKDBKJ+gvF84j2KOfPniyjJbmrh7GxgF3m
DLhPHMaRkaQkWZaLTxijyAXv680X2vCFdBjRPA1fQMz55/2m9OdnPQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTTF2TjJ0WGJaTUFIWE9s
S1NHQmRiQUVjSGJLQXZ2VUUrclorT3dIOXprCnQwOUorNXFzNG1DbG8wRW83QTdC
a2ZpZnM5Vit6bk1SaXRSZnZZT1g4ZzQKLS0tIFd4RVR2LzdvVG5nVzBiKzBPL1p2
eFJWOGx3Z240clRQN3dNa0Ztb2hrUk0KunfKdWPTZD32KagC+VXmAQDxJAoElHAp
mo8a0GGdeVuJiUneJlZ2KYuLkseCyn0HC5qQMUIT8HZJ2bb+RH0vDg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHNmg2R3V2b2ZLWGdWSGRp
bGpuWndqd0twcGdkT0xTWEV4MjR0MllhVG1JCnM2ZnFWcHEvb1U4S2xuRzdhMmFP
b2pickR4ZER6MWZHUExyTUw5c1VXR1EKLS0tIEtndm02blQxUlVEeko2SUxrUG9Y
am1ZWVlFdm5HNWlhWkFQa3JLV0RCUGsKvlCCLWWui9UVDvI5P6qvSHFGWcbLByFC
nX7x8fWBxaqF3wK32ndmVMBO6jlPVXcv6NsjpdRpbDxx1iMxFqc2+g==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3ZHAxMVNsK3U1ZlJnaEJj
eTNhZzRidW9HQ3Jrck0zNmxPYXcvVUtJRTJFClFiMGNuYnEzbVNJNExVSkZ3dVJy
MHlRdG1uNHhZb3daNW03bVJrOGZmNmsKLS0tIER3RUg0TDRQT09jdy9xNzF6OUtq
VHR4NjUxZGpRYzNKaHhlVTdJQXBmTlkKHgqnACFlEusz0/W+I/O2smr/SV2Oiw9Y
wCqCyVfB+kGrfgq08e8ki8NXv3PDT637BU3kXFaOTQhzSE0aCpD8qw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nkpq8lr09vamgvf8cvzemqjyr3ex8w7azfupdr2gverz9j5zgemsv99t0z
- recipient: age1vsqx6kukrfhrwdy4sujnra5gsswzuh0cfcfdh0d9qjrkts8hl5aqnjx32m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrRjhpUXlNUmYvVTE1eklI
OEx4VWNSMXFuTWxIZWZTZUU2TFBYNEZUa1E0CjRzL1ZWc1VlZ1pxa3gyREUwZE1I
SnBNTVBQZTU3T3hHNEd1TlVYUkZmUVEKLS0tIG1SV3JUM2tlVVh5Z3B3ak5CNnhF
TVhFWnVON3hCVE8xVGRTR2FoNUF6ckEKA3Zy1LJoc+Ij+6nwMyyZ0yVycfpJEtSD
icqaVJyssOaraf/GjWC03bLWUaIbGg6khBVBvsetS0m83wPeOwkmYQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvTXJWQThMaDZNajBFOVRT
NEpJK3RvbzRKUXE0NWpRQVA0aWJSYVNxWkhNCk1nWHVaYmZNQkdQZFJIOTZKTWxC
RXpOaHc4dzNBZ0txcFhtbjVVSjhDbXMKLS0tIDkwSnFTTjBZZE5hZTdXeTI1Q2F6
Skw3OUt4SVlrQ0M0d0h3KzNubjZ6SDgKiEvuO+RqygeSSzeUlQJSPuzNY4tbzKso
bt/fSCV4ulFTvjybD9lfA9dclHGM/IRA9obCQd8RsCBQuXo9cuWnjA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRVk9jNkx5WGFpZjFvdFVz
VVVwZ2lLU2lxZWp2bWd0cGhJd2kzQUJFWXdRCkFoOTJtRk9OMEtmamdOL2thc2dw
bURQRWNwRzBVVm82b1pKUm9ueTNDMHMKLS0tIHMxdGVQVzhjQ29zYXljUmNoTW1W
clJScGVoRU00Z0VxWWtSMmZPU3VwR1UKB7+fV7RD9MoiOzgVmTtWyPG+9G9i/VYk
4AK2BSXVJuz8Zhh82+xh04vh28/mT61WVWPMWfVryPuPELLo56HNOg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVZkQ0NzVGMWJ4Tk9vYnZC
dmo5U2FJa0pOUmt1K09MWFdRamNnaUgwbEM0CnhKRmMyN0RYMG5Uc3ArQVZhVFZX
RHQ3SU1TUnQ1SlhvZGp6emFOV1FuVE0KLS0tIE1oQjQ1dUhTMVBaTnZIeVpVNmxp
cnk3ckEyWkdhWkpkQlhJTHlsaGFTNDAK79D2C2RZql38hBJOBnqhOOdb7Z7EJNgj
aWfivACOM//hsPCZK+9YFpXJ08Nb6iBlNKzYsTW7qJ+Ue9M9i9JShA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1OHBQZDNvSDBVK0dReDZa
Ykpkd3lEWG9zKzRIaHlNL095V3BaM0hPNm5RCi9pYzN0QVlHeVRtTFdQbjlaTWJp
MlcyeDlpTGx1bkdJN245Y2xwaXc1TjgKLS0tIFN5U2xXK2RDcWpNRXBQa0hOVE9n
cW52OFA2UVR6bnJhcWd2bms4VE8rNlEK8M0dEF85yzzkV1otG0a++a/TDw6n4zcN
YGbRLQTRfwmXgvX0cjU2lSU9tEtdSvHFHNcTLLOo+tbGNg2K45moDg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdHRRVEY1dmR2WjM3YVhk
dFZ6UmUxUTJKR3RKMUM0UXVaMUJwMzJRTmpnCjJtdjgwNnphOU5EdUxkSUp6UkQy
cS92MGdlTExVbWJIWGlGVVFla001MGcKLS0tIHF6c3MxR1V3N2szeXlNdWhUaGpW
WWRlTHl1MWFmU293NGJyRVNRTE1RWWMKu5nK98591T0Z4rHIHxCY7mqBW/CF6abl
3/ygImXkb15Ws4b4mcN67vk3omg9CB6s0SHfFk1GAu6CiN7MufHQ+Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-09T06:33:41Z"
mac: ENC[AES256_GCM,data:UaQJeAhm6uIBAG6b/3UQvjTUPaOOVipwCxVJS6PqhGU1xcOL+/9jxh1ULpF5rXArhzLgTSCOIAEj5d7eMkDZVaBtvcdRyEWSqc1J4dD4I/kjFZBW6D6pews9YV4guVIDA49Sc6zFAl8NNzZW116FuUpqPfbBr0HjPWDVP665ZJY=,iv:VDoiyZGFrt3GtUqlFCvcQCPb7u7MukcWyzCKJ0rZ0Qo=,tag:FnV0+6DGc4WZ2oyPCQrrpA==,type:str]
lastmodified: "2024-07-15T23:16:58Z"
mac: ENC[AES256_GCM,data:pmZjxv+vcznnamHNvOL7sr8wrejmcqo6D/NpizVo7TPo6cs59vTQ2fXmM0zlfJs81wZVe8cMcv2LXITSmjpZOsrhYuzMpPsc9HGzdwfOXVTfdVDYWVwNd4LsXMW40rqUbZyVtp8zAOW4eF5iY0H+acPxMcBbogoQKOU94a0NqzU=,iv:vFcpIrA9KRMawLCbMqWbKcGFPBcMp3mQRIgje5dV5S8=,tag:iuEaP9jjhhvjMjChvaoBCQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4
version: 3.8.1

81
nixos/hosts/varda/default.nix
View file

@ -1,19 +1,8 @@
{
pkgs,
config,
...
}: {
imports = [./resources/prune-backup.nix];
{ ... }: {
imports = [ ];
networking.hostId = "cdab8473";
networking.hostName = "varda"; # Define your hostname.
# Add required CIFS support
environment.systemPackages = with pkgs; [
cifs-utils
minio-client
];
fileSystems = {
"/" = {
device = "rpool/root";
@ -29,75 +18,17 @@
device = "/dev/disk/by-uuid/8091-E7F2";
fsType = "vfat";
};
"/mnt/storagebox" = {
device = "//u370253-sub2.your-storagebox.de/u370253-sub2";
fsType = "cifs";
options = let
automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,user,vers=3";
in [
"${automount_opts},credentials=${config.sops.secrets.sambaCredentials.path},uid=994,gid=993" # evaluated and deployed from another machine
];
};
};
swapDevices = [];
# sops
sops = {
secrets = {
"sambaCredentials" = {
sopsFile = ./secrets.sops.yaml;
};
"security/acme/env" = {
sopsFile = ./secrets.sops.yaml;
};
};
};
programs = {
# Mosh
mosh = {
enable = true;
openFirewall = true;
};
};
services = {
zfs = {
# This helps a lot when upgrading
expandOnBoot = "all";
autoScrub.enable = true;
trim.enable = true;
};
};
# ACME (Let's Encrypt) Configuration
security.acme = {
acceptTerms = true;
defaults.email = "admin@${config.networking.domain}";
certs.${config.networking.domain} = {
extraDomainNames = [
"${config.networking.domain}"
"*.${config.networking.domain}"
];
dnsProvider = "dnsimple";
dnsResolver = "1.1.1.1:53";
credentialsFile = config.sops.secrets."security/acme/env".path;
};
};
swapDevices = [ ];
# System settings and services.
mySystem = {
purpose = "Production";
system.motd.networkInterfaces = ["enp1s0"];
system.motd.networkInterfaces = [ "enp1s0" ];
security.acme.enable = true;
services = {
forgejo = {
enable = true;
package = pkgs.unstable.forgejo;
};
forgejo.enable = true;
nginx.enable = true;
};
};

23
nixos/hosts/varda/resources/prune-backup.nix
View file

@ -1,23 +0,0 @@
{pkgs, ...}: let
cleanupScript = pkgs.writeShellScriptBin "cleanup-backups.sh" (
builtins.readFile ./prune-backups.sh
);
in {
systemd.timers.cleanup-backups = {
wantedBy = ["timers.target"];
timerConfig = {
OnCalendar = "daily";
Persistent = true;
};
};
systemd.services.cleanup-backups = {
script = "${cleanupScript}/bin/cleanup-backups.sh";
serviceConfig = {
Type = "oneshot";
User = "forgejo";
StandardOutput = "journal+console";
StandardError = "journal+console";
};
};
}

19
nixos/hosts/varda/resources/prune-backups.sh
View file

@ -1,19 +0,0 @@
# Set the backup directory
BACKUP_DIR="/mnt/storagebox/forgejo/backup"
KEEP_NUM=7
echo "Starting backup cleanup process..."
echo "Keeping the $KEEP_NUM most recent backups in $BACKUP_DIR"
# Find all backup files, sort by modification time (newest first),
# skip the first KEEP_NUM, and delete the rest
find "$BACKUP_DIR" -type f -name "forgejo-dump-*" -print0 |
sort -z -t_ -k2 -r |
tail -z -n +$((KEEP_NUM + 1)) |
while IFS= read -r -d '' file; do
echo "Deleting: $file"
rm -f "$file"
done
echo "Cleanup complete. Deleted all but the $KEEP_NUM most recent backups."

60
nixos/hosts/varda/secrets.sops.yaml
View file

@ -1,60 +0,0 @@
sambaCredentials: ENC[AES256_GCM,data:0caF4cBW5TSn36pZQmcjHbM9nrFGF55HmPVD4HMea1Ul7A3y1HHz0Pgl4rrYzdg=,iv:OCme9i0tHhDbypits5TKfsGXnblYqBPouhwSVeu5q+M=,tag:F9zub18fB0zZh5ssHal+Gw==,type:str]
security:
acme:
env: ENC[AES256_GCM,data:LMrK8IIpx1d5Jl60VHDdwVLm4lyFDSELX1pF9wvFrNY0OJZ1EuHQ7Jgtf1wZ/cNy3XYFRxD9lEuNPJd0UN4vCw==,iv:2WEiipdYcsPX4frAvO7Iyp8zKWtydYlaPPKBd/1SFDM=,tag:G0Va5OcgSEO5E+m8jxsrFA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJZjRIRWd5TnRJekYwNFNU
SVRrYUNRandCbTZuN1FlbTQ3cUJPVmx6L0hvCnN3ZXo4TVVqT3d0ZUVBdHAzNVdx
TmlDZkpxekV0R2ZTejhlMERqeGlpY0kKLS0tIEVjNENWd1FYMyt0YzZDVGRQZGRD
WG9sZWpoVmsrTUdnM1l3R044UUJmVGcKiYd6OSj0vPSGpfWDNBeAYMDp9W7Yvmip
rqqt+Y9/ovF/yd1hDrM8nWru0W299u+ftSvwi/phxkmTBvK20U7Gtw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSRmFJZFV3Qmx5NW96ZW5Z
Ykl4VDN2NGZGVmtJZWxIQXpoTlpqajdvYnd3CmlwWGErTDNBdHhHeTlXQWYrdmNu
U0h6cG9sVXY0S1IvQlFNREV0TVk4U1EKLS0tIGhWT0UrMDNYTmlxSkdHRUYyNmhk
NUphaExURXRsMVRVVTI0cVBxVWNDakkKbUZ1BOpKbi/Qs32bMhKa2YN2YFHaDlug
ywpwdGaa7IGNZbwN1bKJVNDGBOGXxX+rSqueK4c1AXwGtG3HfAVApg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nkpq8lr09vamgvf8cvzemqjyr3ex8w7azfupdr2gverz9j5zgemsv99t0z
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4OVNLRkF2S0RyT3p4a2tT
eURkOGkzTFcxajh5eHRFajlkYmdHQ2xBaVgwCkNqTm1Pem8yVWJUSEYvdnhTbjZN
R2h1RG4vMytUZmlFYzlKSXMva2tnYmsKLS0tIDVlT2dsRDRNQUZ1NklvT2Y1YnR6
Y1JkSXBEN1NhUUxUODhDS2J5eTVac0UKPR1qGMm94p2sKwXmCHygxZt8mfXJ3hCS
El5vgLXuzuE/qNB2g88j7bNOBN9g2Mxs2eLNdUEWj8tyahJ4BOTtWw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByOWQ5WGdrNWpNWEFpa0Zq
UTRRYkJMOWZJcWtxNmRpTWpxOE82bVVaYkFzCnNGWkdaaXhySkk2NlJ1YlpsckFQ
S3dITHhkNDkxb1VIZDNlQkd1enBvSU0KLS0tIDRGMklHTzNHUE8zUUNaK3l4dnF0
MHlIU3c4V0ZxeDlrTHlMeHpHaFRNYWsKmYaSicrgNvozfO6miBqvBr8voQlkOioZ
dzBkLr/0de+WBm85GzhuTDpYb0cvzzxwoUlNyxDMjSSSGzLpc/dqxw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1NU9nSVpRMnNwQWpIekdT
b3R1NFhWYitNRFppT1FudlBNK1NZa0l1RlZBCmd5b0x6YThOTUhHN01pMUQvYm9Q
L0FUdVdRaHczRW1BbDNoYi9NeW4zdE0KLS0tIHJuWHFvSnRoSFZNUTUwaU9DRXJ3
UHdRbDBBeXFwR0Vtc1h1N05mN0pVZzgKxLuY/RNLkhPpPDGDkO3yqbelCGng/qm1
9Yo97TlLq4zyw1cu2z0Fvcid3ZJt107+NN/2DZ4o8eXSnBSVXUcktw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-09T17:15:11Z"
mac: ENC[AES256_GCM,data:8nCX56znsRy2y1NmkCBJ5e/szd8CTJ1BIbNew40hdT50EruedQTmQWrOhql+na3ZDSWOfPHwufgX6hFwA6UHuOYZCswsS0ST2vtV1Y/f7Y0i20q7jAxslDxUt8MT94Z+WunZ7OgZn+3DVCSVkwtc3VqLT/gcATaA3KgbHTsiEFQ=,iv:PSkQC6oIlKAkwyVrwHJBLNVnhGVkSkVhtOyoV0FwPdY=,tag:bszELdBw3HnK9g5rPaocMQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4

76
nixos/lib/default.nix
View file

@ -1,20 +1,10 @@
{lib, ...}:
with lib; rec {
firstOrDefault = first: default:
if first != null
then first
else default;
existsOrDefault = x: set: default:
if builtins.hasAttr x set
then builtins.getAttr x set
else default;
{ lib, ... }:
# Create custom package set
mkMyPkgs = pkgs: {
borgmatic = pkgs.callPackage ../../nixos/packages/borgmatic {};
mods = pkgs.callPackage ../../nixos/packages/charm-mods {};
# modrinth-app-unwrapped = pkgs.callPackage ../../nixos/packages/modrinth {};
};
with lib;
rec {
firstOrDefault = first: default: if first != null then first else default;
existsOrDefault = x: set: default: if builtins.hasAttr x set then builtins.getAttr x set else default;
# main service builder
mkService = options: (
@ -22,50 +12,32 @@ with lib; rec {
user = existsOrDefault "user" options "568";
group = existsOrDefault "group" options "568";
# enableBackups =
# (lib.attrsets.hasAttrByPath ["persistence" "folder"] options)
# && (lib.attrsets.attrByPath ["persistence" "enable"] true options);
enableBackups = (lib.attrsets.hasAttrByPath [ "persistence" "folder" ] options)
&& (lib.attrsets.attrByPath [ "persistence" "enable" ] true options);
# Security options for containers
containerExtraOptions =
lib.optionals (lib.attrsets.attrByPath ["container" "caps" "privileged"] false options) [
"--privileged"
]
++ lib.optionals (lib.attrsets.attrByPath ["container" "caps" "readOnly"] false options) [
"--read-only"
]
++ lib.optionals (lib.attrsets.attrByPath ["container" "caps" "tmpfs"] false options) [
(map (folders: "--tmpfs=${folders}") tmpfsFolders)
]
++ lib.optionals (lib.attrsets.attrByPath ["container" "caps" "noNewPrivileges"] false options) [
"--security-opt=no-new-privileges"
]
++ lib.optionals (lib.attrsets.attrByPath ["container" "caps" "dropAll"] false options) [
"--cap-drop=ALL"
];
in {
containerExtraOptions = lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "privileged" ] false options) [ "--privileged" ]
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "readOnly" ] false options) [ "--read-only" ]
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "tmpfs" ] false options) [ (map (folders: "--tmpfs=${folders}") tmpfsFolders) ]
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "noNewPrivileges" ] false options) [ "--security-opt=no-new-privileges" ]
++ lib.optionals (lib.attrsets.attrByPath [ "container" "caps" "dropAll" ] false options) [ "--cap-drop=ALL" ]
;
in
{
virtualisation.oci-containers.containers.${options.app} = mkIf options.container.enable {
image = "${options.container.image}";
user = "${user}:${group}";
environment =
{
TZ = options.timeZone;
}
// options.container.env;
environmentFiles = lib.attrsets.attrByPath ["container" "envFiles"] [] options;
volumes =
["/etc/localtime:/etc/localtime:ro"]
++ lib.optionals (lib.attrsets.hasAttrByPath ["container" "persistentFolderMount"] options) [
environment = {
TZ = options.timeZone;
} // options.container.env;
environmentFiles = lib.attrsets.attrByPath [ "container" "envFiles" ] [ ] options;
volumes = [ "/etc/localtime:/etc/localtime:ro" ] ++
lib.optionals (lib.attrsets.hasAttrByPath [ "container" "persistentFolderMount" ] options) [
"${options.persistence.folder}:${options.container.persistentFolderMount}:rw"
]
++ lib.attrsets.attrByPath ["container" "volumes"] [] options;
] ++ lib.attrsets.attrByPath [ "container" "volumes" ] [ ] options;
extraOptions = containerExtraOptions;
};
systemd.tmpfiles.rules = lib.optionals (lib.attrsets.hasAttrByPath [
"persistence"
"folder"
]
options) ["d ${options.persistence.folder} 0750 ${user} ${group} -"];
systemd.tmpfiles.rules = lib.optionals (lib.attrsets.hasAttrByPath [ "persistence" "folder" ] options) [ "d ${options.persistence.folder} 0750 ${user} ${group} -" ];
}
);
}

56
nixos/modules/nixos/containers/backrest/default.nix Normal file
View file

@ -0,0 +1,56 @@
{ lib, config, ... }:
with lib;
let
app = "backrest";
image = "garethgeorge/backrest:v1.1.0";
user = "568"; #string
group = "568"; #string
port = 9898; #int
cfg = config.mySystem.services.${app};
appFolder = "/var/lib/${app}";
# persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}";
in
{
options.mySystem.services.${app} =
{
enable = mkEnableOption "${app}";
addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
};
config = mkIf cfg.enable {
# ensure folder exist and has correct owner/group
systemd.tmpfiles.rules = [
"d ${appFolder}/config 0750 ${user} ${group} -"
"d ${appFolder}/data 0750 ${user} ${group} -"
"d ${appFolder}/cache 0750 ${user} ${group} -"
];
virtualisation.oci-containers.containers.${app} = {
image = "${image}";
user = "${user}:${group}";
environment = {
BACKREST_PORT = "9898";
BACKREST_DATA = "/data";
BACKREST_CONFIG = "/config/config.json";
XDG_CACHE_HOME = "/cache";
};
volumes = [
"${appFolder}/nixos/config:/config:rw"
"${appFolder}/nixos/data:/data:rw"
"${appFolder}/nixos/cache:/cache:rw"
"${config.mySystem.nasFolder}/backup/nixos/nixos:/repos:rw"
"/etc/localtime:/etc/localtime:ro"
];
};
services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
useACMEHost = config.networking.domain;
forceSSL = true;
locations."^~ /" = {
proxyPass = "http://${app}:${builtins.toString port}";
extraConfig = "resolver 10.88.0.1;";
};
};
};
}

9
nixos/modules/nixos/containers/default.nix
View file

@ -1,10 +1,7 @@
{
imports = [
./jellyfin
./jellyseerr
./ollama
./plex
./scrutiny
./scrypted
./backrest
./lego-auto
./unifi
];
}

136
nixos/modules/nixos/containers/jellyfin/default.nix
View file

@ -1,136 +0,0 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
app = "jellyfin";
cfg = config.mySystem.containers.${app};
group = "kah";
image = "ghcr.io/jellyfin/jellyfin:${version}";
user = "kah";
# renovate: depName=ghcr.io/jellyfin/jellyfin datasource=docker
version = "10.10.6";
volumeLocation = "/nahar/containers/volumes/jellyfin";
in {
# Options
options.mySystem.containers.${app} = {
enable = mkEnableOption "${app}";
openFirewall =
mkEnableOption "Open firewall for ${app}"
// {
default = true;
};
};
# Implementation
config = mkIf cfg.enable {
# Systemd service for container
systemd.services.${app} = {
description = "Jellyfin Media Server";
wantedBy = ["multi-user.target"];
after = ["network.target"];
serviceConfig = {
ExecStartPre = "${pkgs.writeShellScript "jellyfin-start-pre" ''
set -o errexit
set -o nounset
set -o pipefail
${pkgs.podman}/bin/podman rm -f ${app} || true
rm -f /run/${app}.ctr-id
''}";
ExecStart = ''
${pkgs.podman}/bin/podman run \
--rm \
--name=${app} \
--user="${toString config.users.users."${user}".uid}:${
toString config.users.groups."${group}".gid
}" \
--device='nvidia.com/gpu=all' \
--log-driver=journald \
--cidfile=/run/${app}.ctr-id \
--cgroups=no-conmon \
--sdnotify=conmon \
--volume="${volumeLocation}:/config:rw" \
--volume="/moria/media:/media:rw" \
--volume="tmpfs:/cache:rw" \
--volume="tmpfs:/transcode:rw" \
--volume="tmpfs:/tmp:rw" \
--env=TZ=America/Chicago \
--env=DOTNET_SYSTEM_IO_DISABLEFILELOCKING=true \
--env=JELLYFIN_FFmpeg__probesize=50000000 \
--env=JELLYFIN_FFmpeg__analyzeduration=50000000 \
--env=JELLYFIN_PublishedServerUrl=http://10.1.1.61:8096 \
-p 8096:8096 \
-p 8920:8920 \
-p 1900:1900/udp \
-p 7359:7359/udp \
${image}
'';
ExecStop = "${pkgs.podman}/bin/podman stop --ignore --cidfile=/run/${app}.ctr-id";
ExecStopPost = "${pkgs.podman}/bin/podman rm --force --ignore --cidfile=/run/${app}.ctr-id";
Type = "simple";
Restart = "always";
};
};
# Firewall
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [
8096 # HTTP web interface
8920 # HTTPS web interface
];
allowedUDPPorts = [
1900 # DLNA discovery
7359 # Jellyfin auto-discovery
];
};
# TODO add nginx proxy
# services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
# useACMEHost = config.networking.domain;
# forceSSL = true;
# locations."^~ /" = {
# proxyPass = "http://${app}:${builtins.toString port}";
# extraConfig = "resolver 10.88.0.1;";
# };
# };
## TODO add to homepage
# mySystem.services.homepage.media = mkIf cfg.addToHomepage [
# {
# Plex = {
# icon = "${app}.svg";
# href = "https://${app}.${config.mySystem.domain}";
# description = "Media streaming service";
# container = "${app}";
# widget = {
# type = "tautulli";
# url = "https://tautulli.${config.mySystem.domain}";
# key = "{{HOMEPAGE_VAR_TAUTULLI__API_KEY}}";
# };
# };
# }
# ];
# TODO add gatus monitor
# mySystem.services.gatus.monitors = [
# {
# name = app;
# group = "media";
# url = "https://${app}.${config.mySystem.domain}/web/";
# interval = "1m";
# conditions = [
# "[CONNECTED] == true"
# "[STATUS] == 200"
# "[RESPONSE_TIME] < 50"
# ];
# }
# ];
};
}

61
nixos/modules/nixos/containers/jellyfin/secrets.sops.yaml
View file

@ -1,61 +0,0 @@
restic:
jellyfin:
env: ENC[AES256_GCM,data:aau+5TFpye6u/e6Xnlg=,iv:ooDueH38Xukvvh+XORfW4giR+TaeVZEwK+EQnxFMKE8=,tag:u5JaeiGFi4e7gk3Bb1JLsw==,type:str]
password: ENC[AES256_GCM,data:0tkviPFQsP9wAVcbxspwOdN7eT352pibr/gjSoVmmL77xw==,iv:H2R8HofrrUkTqPuGDkt4xkOhvi16/kdT2/GjvSY5HQg=,tag:atT5aBQgmxBeUsMd5IYXIQ==,type:str]
template: ENC[AES256_GCM,data:9P8G2rwOTMAj0PkHVGEouSLd9h2FrUxakYWQa4BMt6LiHxgwzlAVe9QSJFOr1di+HmfK+3Y2dG27pz/WW1J5OArD,iv:smq5UTpzJJ2GlfCkwjA0q4jl3XJo0M8KhBecXIqipx0=,tag:RA0UpqoBSLgwlHK5Lz9VEA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhZ0hkNVA5TXN4UmpZdG1z
dGEwUExxcnc4M01TV2hYTHprRTBDek1iMmpFCjhOT01lblB2aVpuRVZXZEJxeGJY
cGNqWEVUMmlmVzlScng3TCtqSkxUL3MKLS0tIG9wWlVIYnRjOU1ZZ0pEdTFWWE4x
SFh5Tzc5SytvU0ZYbENDT2E4Y1doNHMKT5qjHInpLf8qEc+6FRM2hpQcbOJPFR15
65UbBv00T6K8s8/ltNzwDUtjufIbtyOXjY+QrPGVm1lhFOXRYEBLWw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSSDJNYnd6NTFOaXJ0QUpU
M1BCeHo0QmczQXN2ZEc1cXhsbTVaZzlkNDBFCjcwVnhvaC9KRjVzRjVTY3E0Q0RR
QUxRRGdPcEkxWmVPVVNxcXFBNVFDWW8KLS0tIGFBUlh1ZVJvd1dXc2NEM25sd0Fa
YWwyUS9LZnJyMEY4VzB0czFoWURSZEUKBg5zxFww39sHfH78p9WnkIcXyvq6VyIQ
f1/zFRkuM8X3iuqOpNjjqThey1HKkvTzH18st5YLciDC6SV299JqZQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nkpq8lr09vamgvf8cvzemqjyr3ex8w7azfupdr2gverz9j5zgemsv99t0z
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2dStpS3Uyb21NWFBJa2hV
VTJnSk9iV1ZMNkZnc3JId3hhbE1sSk5LSzJVCnZSeUJBTjNGVkhTYkpGZGZudDUz
RXc2VFVJNkM3bGpGMUlxc0s1Q2J4Mk0KLS0tIFFsMkdOWnQzeFlmYStaWWlYSHEz
SUdtQTc5OVB5eklpVWFxRTNBUFhsVXcKX5xNh9jnOllbRaMyzjh/70ohLcO8BeU5
hTWmdnTgclbVaFBOPTPY6CCXNnBuvqjdi+ok9QULDE9cvtLUpstbWQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaaTlQaWt5QTFHVE9yS3lH
MVd5RmI2TVZaVGpodEFvOUhDLzg2Qjl3dDE0CllGWHhGTExVbDJydlhMclQ3RFBz
V2V1a3NTMG80Ykt2eHUwUW9aMXFMYzgKLS0tIHpJeFR3ZEJxWkg5Y2RQR0NUNUND
RERQbjlZNDJEUWVTd3d6YytVbUt5TzgKksgSnaMHY/wBVZyXBgrxsfxZABNDyuA3
8kgYBqd8p3g0OyW5h2UzDh7F7oweHhbljdL4CNlGDJ713ZlBggfsaQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYY0VXRm5SRTZYQ0JWK3JM
TW9POGhRVGZ2b0t4SGVEaUczaFBlaDlsc2p3CkhEb2JBTnNFdzl0RHM3aW5jaHFN
dzl6ellHY2prNk1xeUUwMVE4WVdiYmMKLS0tIDM4YVdMeFpyb0kzRmdLUXduWXdI
KyswMHA3VDNkV1g1bEhhcUlNdHlFVW8K8fuwy7OtIoybFpaBBsZlxO40XUhDaxDR
W9xy0wVJplCNWDDN0Ff93hEXaYVcF/B3V3EdouzAbdycVTrtXhiO2g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-09T06:33:40Z"
mac: ENC[AES256_GCM,data:MZx07lkc3i1nJicWlUofCr4gq05g/BYGx3949DSILeAWegrsTQXh8zqBWpultONgABPdYgIb/JwJClMmKQ+p37u+6aTklwZfW+su3tOYwknkPogHSxTFaLW0Yxzy4CvM2VNiFDNuvZT8LjCminBKpjJebYq+HCjNQn6Y9/dPyXI=,iv:LXwamgr7uE0dfKoRJC9IGvzZ+HmRXw8cdVoXG2DuuxM=,tag:tsJo/PFZLGcEoa02nXNbXg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4

86
nixos/modules/nixos/containers/jellyseerr/default.nix
View file

@ -1,86 +0,0 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
app = "jellyseerr";
cfg = config.mySystem.containers.${app};
group = "kah";
image = "ghcr.io/fallenbagel/jellyseerr:${version}";
user = "jellyseerr";
# renovate: depName=ghcr.io/fallenbagel/jellyseerr datasource=docker
version = "2.5.0";
volumeLocation = "/nahar/containers/volumes/jellyseerr";
in {
# Options
options.mySystem.containers.${app} = {
enable = mkEnableOption "${app}";
openFirewall =
mkEnableOption "Open firewall for ${app}"
// {
default = true;
};
};
# Implementation
config = mkIf cfg.enable {
# User configuration
users = mkIf (user == "jellyseerr") {
users.jellyseerr = {
inherit group;
isSystemUser = true;
};
};
# Systemd service for container
systemd.services.${app} = {
description = "Jellyseerr media request and discovery manager for Jellyfin";
wantedBy = ["multi-user.target"];
after = ["network.target"];
serviceConfig = {
ExecStartPre = "${pkgs.writeShellScript "jellyseerr-start-pre" ''
set -o errexit
set -o nounset
set -o pipefail
${pkgs.podman}/bin/podman rm -f ${app} || true
rm -f /run/${app}.ctr-id
''}";
ExecStart = ''
${pkgs.podman}/bin/podman run \
--rm \
--name=${app} \
--user="${toString config.users.users."${user}".uid}:${
toString config.users.groups."${group}".gid
}" \
--log-driver=journald \
--cidfile=/run/${app}.ctr-id \
--cgroups=no-conmon \
--sdnotify=conmon \
--volume="${volumeLocation}:/app/config:rw" \
--volume="/moria/media:/media:rw" \
--volume="tmpfs:/cache:rw" \
--volume="tmpfs:/transcode:rw" \
--volume="tmpfs:/tmp:rw" \
--env=TZ=America/Chicago \
-p 5055:5055 \
${image}
'';
ExecStop = "${pkgs.podman}/bin/podman stop --ignore --cidfile=/run/${app}.ctr-id";
ExecStopPost = "${pkgs.podman}/bin/podman rm --force --ignore --cidfile=/run/${app}.ctr-id";
Type = "simple";
Restart = "always";
};
};
# Firewall
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [
5055 # HTTP web interface
];
};
};
}

48
.archive/modules/nixos/containers/lego-auto/default.nix → nixos/modules/nixos/containers/lego-auto/default.nix
View file

@ -1,17 +1,15 @@
{
lib,
config,
...
}:
with lib; let
{ lib, config, ... }:
with lib;
let
app = "lego-auto";
image = "ghcr.io/bjw-s/lego-auto:v0.3.0";
user = "999"; # string
group = "102"; # string
port = 9898; # int
user = "999"; #string
group = "102"; #string
port = 9898; #int
cfg = config.mySystem.services.${app};
appFolder = "/eru/containers/volumes/${app}";
in {
in
{
options.mySystem.services.${app} = {
enable = mkEnableOption "${app}";
dnsimpleTokenPath = mkOption {
@ -45,24 +43,20 @@ in {
extraOptions = [
"--dns=1.1.1.1"
];
environment =
{
TZ = "America/Chicago";
LA_DATADIR = "/cert";
LA_CACHEDIR = "/cert/.cache";
LA_EMAIL = cfg.email;
LA_DOMAINS = cfg.domains;
LA_PROVIDER = cfg.provider;
}
// lib.optionalAttrs (cfg.provider == "dnsimple") {
DNSIMPLE_OAUTH_TOKEN_FILE = "/config/dnsimple-token";
};
environment = {
TZ = "America/Chicago";
LA_DATADIR = "/cert";
LA_CACHEDIR = "/cert/.cache";
LA_EMAIL = cfg.email;
LA_DOMAINS = cfg.domains;
LA_PROVIDER = cfg.provider;
} // lib.optionalAttrs (cfg.provider == "dnsimple") {
DNSIMPLE_OAUTH_TOKEN_FILE = "/config/dnsimple-token";
};
volumes =
[
"${appFolder}/cert:/cert"
]
++ optionals (cfg.provider == "dnsimple") ["${cfg.dnsimpleTokenPath}:/config/dnsimple-token"];
volumes = [
"${appFolder}/cert:/cert"
] ++ optionals (cfg.provider == "dnsimple") [ "${cfg.dnsimpleTokenPath}:/config/dnsimple-token" ];
};
};
}

135
nixos/modules/nixos/containers/ollama/default.nix
View file

@ -1,135 +0,0 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
app = "ollama";
# renovate: depName=docker.io/ollama/ollama datasource=docker
version = "0.5.13";
image = "docker.io/ollama/ollama:${version}";
cfg = config.mySystem.containers.${app};
in {
# Options
options.mySystem.containers.${app} = {
enable = mkEnableOption "${app}";
# TODO add to homepage
# addToHomepage = mkEnableOption "Add ${app} to homepage" // {
# default = true;
# };
openFirewall =
mkEnableOption "Open firewall for ${app}"
// {
default = true;
};
};
# Implementation
config = mkIf cfg.enable {
# Systemd service for container
systemd.services.${app} = {
description = "Ollama";
wantedBy = ["multi-user.target"];
after = ["network.target"];
serviceConfig = {
ExecStartPre = "${pkgs.writeShellScript "ollama-start-pre" ''
set -o errexit
set -o nounset
set -o pipefail
${pkgs.podman}/bin/podman rm -f ${app} || true
rm -f /run/${app}.ctr-id
''}";
ExecStart = ''
${pkgs.podman}/bin/podman run \
--rm \
--name=${app} \
--user=568:568 \
--device='nvidia.com/gpu=all' \
--log-driver=journald \
--cidfile=/run/${app}.ctr-id \
--cgroups=no-conmon \
--sdnotify=conmon \
--volume="/nahar/containers/volumes/ollama:/.ollama:rw" \
--volume="/nahar/ollama/models:/models:rw" \
--volume="tmpfs:/cache:rw" \
--volume="tmpfs:/tmp:rw" \
--env=TZ=America/Chicago \
--env=OLLAMA_HOST=0.0.0.0 \
--env=OLLAMA_ORIGINS=* \
--env=OLLAMA_MODELS=/models \
--env=OLLAMA_KEEP_ALIVE=24h \
-p 11434:11434 \
${image}
'';
ExecStop = "${pkgs.podman}/bin/podman stop --ignore --cidfile=/run/${app}.ctr-id";
ExecStopPost = "${pkgs.podman}/bin/podman rm --force --ignore --cidfile=/run/${app}.ctr-id";
Type = "simple";
Restart = "always";
};
};
# Firewall
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [
11434 # HTTP web interface
];
allowedUDPPorts = [];
};
# TODO add nginx proxy
# services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
# useACMEHost = config.networking.domain;
# forceSSL = true;
# locations."^~ /" = {
# proxyPass = "http://${app}:${builtins.toString port}";
# extraConfig = "resolver 10.88.0.1;";
# };
# };
## TODO add to homepage
# mySystem.services.homepage.media = mkIf cfg.addToHomepage [
# {
# Plex = {
# icon = "${app}.svg";
# href = "https://${app}.${config.mySystem.domain}";
# description = "Media streaming service";
# container = "${app}";
# widget = {
# type = "tautulli";
# url = "https://tautulli.${config.mySystem.domain}";
# key = "{{HOMEPAGE_VAR_TAUTULLI__API_KEY}}";
# };
# };
# }
# ];
# TODO add gatus monitor
# mySystem.services.gatus.monitors = [
# {
# name = app;
# group = "media";
# url = "https://${app}.${config.mySystem.domain}/web/";
# interval = "1m";
# conditions = [
# "[CONNECTED] == true"
# "[STATUS] == 200"
# "[RESPONSE_TIME] < 50"
# ];
# }
# ];
# TODO add restic backup
# services.restic.backups = config.lib.mySystem.mkRestic {
# inherit app user;
# excludePaths = [ "Backups" ];
# paths = [ appFolder ];
# inherit appFolder;
# };
};
}

127
nixos/modules/nixos/containers/plex/default.nix
View file

@ -1,127 +0,0 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
app = "plex";
cfg = config.mySystem.containers.${app};
group = "kah";
image = "ghcr.io/onedr0p/plex:${version}";
user = "kah";
# renovate: depName=ghcr.io/onedr0p/plex datasource=docker versioning=loose
version = "1.41.5.9522-a96edc606";
volumeLocation = "/nahar/containers/volumes/plex";
in {
# Options
options.mySystem.containers.${app} = {
enable = mkEnableOption "${app}";
openFirewall =
mkEnableOption "Open firewall for ${app}"
// {
default = true;
};
};
# Implementation
config = mkIf cfg.enable {
# Systemd service for container
systemd.services.${app} = {
description = "Plex Media Server";
wantedBy = ["multi-user.target"];
after = ["network.target"];
serviceConfig = {
ExecStartPre = "${pkgs.writeShellScript "plex-start-pre" ''
set -o errexit
set -o nounset
set -o pipefail
${pkgs.podman}/bin/podman rm -f ${app} || true
rm -f /run/${app}.ctr-id
''}";
ExecStart = ''
${pkgs.podman}/bin/podman run \
--rm \
--name=${app} \
--device='nvidia.com/gpu=all' \
--log-driver=journald \
--cidfile=/run/${app}.ctr-id \
--cgroups=no-conmon \
--sdnotify=conmon \
--user="${toString config.users.users."${user}".uid}:${
toString config.users.groups."${group}".gid
}" \
--volume="${volumeLocation}:/config:rw" \
--volume="/moria/media:/media:rw" \
--volume="tmpfs:/config/Library/Application Support/Plex Media Server/Logs:rw" \
--volume="tmpfs:/tmp:rw" \
--volume="tmpfs:/transcode:rw" \
--env=TZ=America/Chicago \
--env=PLEX_ADVERTISE_URL=https://10.1.1.61:32400 \
--env=PLEX_NO_AUTH_NETWORKS=10.1.1.0/24 \
# nvidia-container-runtime mounts the nvidia libraries here.
--env=LD_LIBRARY_PATH=/usr/local/nvidia/lib:/usr/local/nvidia/lib64 \
-p 32400:32400 \
${image}
'';
ExecStop = "${pkgs.podman}/bin/podman stop --ignore --cidfile=/run/${app}.ctr-id";
ExecStopPost = "${pkgs.podman}/bin/podman rm --force --ignore --cidfile=/run/${app}.ctr-id";
Type = "simple";
Restart = "always";
};
};
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [
32400 # Primary Plex port
];
};
# TODO add nginx proxy
# services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
# useACMEHost = config.networking.domain;
# forceSSL = true;
# locations."^~ /" = {
# proxyPass = "http://${app}:${builtins.toString port}";
# extraConfig = "resolver 10.88.0.1;";
# };
# };
## TODO add to homepage
# mySystem.services.homepage.media = mkIf cfg.addToHomepage [
# {
# Plex = {
# icon = "${app}.svg";
# href = "https://${app}.${config.mySystem.domain}";
# description = "Media streaming service";
# container = "${app}";
# widget = {
# type = "tautulli";
# url = "https://tautulli.${config.mySystem.domain}";
# key = "{{HOMEPAGE_VAR_TAUTULLI__API_KEY}}";
# };
# };
# }
# ];
# TODO add gatus monitor
# mySystem.services.gatus.monitors = [
# {
# name = app;
# group = "media";
# url = "https://${app}.${config.mySystem.domain}/web/";
# interval = "1m";
# conditions = [
# "[CONNECTED] == true"
# "[STATUS] == 200"
# "[RESPONSE_TIME] < 50"
# ];
# }
# ];
};
}

93
nixos/modules/nixos/containers/scrutiny/default.nix
View file

@ -1,93 +0,0 @@
{
lib,
config,
...
}:
with lib; let
app = "scrutiny";
# renovate: depName=AnalogJ/scrutiny datasource=github-releases
version = "v0.8.1";
cfg = config.mySystem.services.${app};
in {
options.mySystem.services.${app} = {
enable = mkEnableOption "${app}";
# Port to expose the web ui on.
port = mkOption {
type = types.int;
default = 8080;
description = ''
Port to expose the web ui on.
'';
example = 8080;
};
# Location where the container will store its data.
containerVolumeLocation = mkOption {
type = types.str;
default = "/mnt/data/containers/${app}";
description = ''
The location where the container will store its data.
'';
example = "/mnt/data/containers/${app}";
};
# podman equivalent:
# --device /dev/disk/by-id/nvme-XXXXXXXXXXXXXXXXXXXXXXXXXXXX
devices = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Devices to monitor on Scrutiny.
'';
example = [
"/dev/disk/by-id/nvme-XXXXXXXXXXXXXXXXXXXXXXXXXXXX"
];
};
# podman equivalent:
# --cap-add SYS_RAWIO
extraCapabilities = mkOption {
type = types.listOf types.str;
default = [
"SYS_RAWIO"
];
description = ''
Extra capabilities to add to the container.
'';
example = [
"SYS_RAWIO"
];
};
};
config = mkIf cfg.enable {
# TODO: Add automatic restarting of the container when disks.nix changes.
# - https://github.com/nix-community/home-manager/issues/3865#issuecomment-1631998032
# - https://github.com/NixOS/nixpkgs/blob/6f6c45b5134a8ee2e465164811e451dcb5ad86e3/nixos/modules/virtualisation/oci-containers.nix
virtualisation.oci-containers.containers.${app} = {
image = "ghcr.io/analogj/scrutiny:${version}-omnibus";
autoStart = true;
ports = [
"${toString cfg.port}:8080" # web ui
"8086:8086" # influxdb2
];
environment = {
TZ = "America/Chicago";
};
volumes = [
"${cfg.containerVolumeLocation}:/opt/scrutiny/config"
"${cfg.containerVolumeLocation}/influxdb2:/opt/scrutiny/influxdb"
"/run/udev:/run/udev:ro"
];
# Merge the devices and extraCapabilities into the extraOptions property
# using the --device and --cap-add flags
extraOptions =
(map (disk: "--device=${toString disk}") cfg.devices)
++ (map (cap: "--cap-add=${cap}") cfg.extraCapabilities);
};
};
}

139
nixos/modules/nixos/containers/scrypted/default.nix
View file

@ -1,139 +0,0 @@
{
lib,
config,
pkgs,
...
}:
with lib; let
app = "scrypted";
# renovate: depName=ghcr.io/koush/scrypted datasource=docker versioning=docker
version = "v0.138.12-noble-nvidia";
image = "ghcr.io/koush/scrypted:${version}";
cfg = config.mySystem.containers.${app};
in {
# Options
options.mySystem.containers.${app} = {
enable = mkEnableOption "${app}";
# TODO add to homepage
# addToHomepage = mkEnableOption "Add ${app} to homepage" // {
# default = true;
# };
openFirewall =
mkEnableOption "Open firewall for ${app}"
// {
default = true;
};
};
# Implementation
config = mkIf cfg.enable {
# Systemd service for container
systemd.services.${app} = {
description = "Scrypted Home Security";
wantedBy = ["multi-user.target"];
after = ["network.target"];
serviceConfig = {
ExecStartPre = "${pkgs.writeShellScript "scrypted-start-pre" ''
set -o errexit
set -o nounset
set -o pipefail
${pkgs.podman}/bin/podman rm -f ${app} || true
rm -f /run/${app}.ctr-id
''}";
ExecStart = ''
${pkgs.podman}/bin/podman run \
--rm \
--name=${app} \
--device=/dev/bus/usb \
--device='nvidia.com/gpu=all' \
--log-driver=journald \
--cidfile=/run/${app}.ctr-id \
--cgroups=no-conmon \
--sdnotify=conmon \
--volume="/nahar/containers/volumes/scrypted:/server/volume:rw" \
--volume="/nahar/scrypted/:/recordings:rw" \
--volume="tmpfs:/.cache:rw" \
--volume="tmpfs:/.npm:rw" \
--volume="tmpfs:/tmp:rw" \
--env=TZ=America/Chicago \
--env=LD_LIBRARY_PATH=/usr/local/nvidia/lib:/usr/local/nvidia/lib64 \
--network=host \
${image}
'';
ExecStop = "${pkgs.podman}/bin/podman stop --ignore --cidfile=/run/${app}.ctr-id";
ExecStopPost = "${pkgs.podman}/bin/podman rm --force --ignore --cidfile=/run/${app}.ctr-id";
Type = "simple";
Restart = "always";
};
};
# Firewall
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [
11080 # Main Scrypted interface
10443 # HTTPS interface
8554 # RTSP server
33961 # Homekit
];
allowedUDPPorts = [
10443 # HTTPS interface
8554 # RTSP server
];
};
# TODO add nginx proxy
# services.nginx.virtualHosts."${app}.${config.networking.domain}" = {
# useACMEHost = config.networking.domain;
# forceSSL = true;
# locations."^~ /" = {
# proxyPass = "http://${app}:${builtins.toString port}";
# extraConfig = "resolver 10.88.0.1;";
# };
# };
## TODO add to homepage
# mySystem.services.homepage.media = mkIf cfg.addToHomepage [
# {
# Plex = {
# icon = "${app}.svg";
# href = "https://${app}.${config.mySystem.domain}";
# description = "Media streaming service";
# container = "${app}";
# widget = {
# type = "tautulli";
# url = "https://tautulli.${config.mySystem.domain}";
# key = "{{HOMEPAGE_VAR_TAUTULLI__API_KEY}}";
# };
# };
# }
# ];
# TODO add gatus monitor
# mySystem.services.gatus.monitors = [
# {
# name = app;
# group = "media";
# url = "https://${app}.${config.mySystem.domain}/web/";
# interval = "1m";
# conditions = [
# "[CONNECTED] == true"
# "[STATUS] == 200"
# "[RESPONSE_TIME] < 50"
# ];
# }
# ];
# TODO add restic backup
# services.restic.backups = config.lib.mySystem.mkRestic {
# inherit app user;
# excludePaths = [ "Backups" ];
# paths = [ appFolder ];
# inherit appFolder;
# };
};
}

44
nixos/modules/nixos/containers/unifi/default.nix Normal file
View file

@ -0,0 +1,44 @@
{ lib, config, ... }:
with lib;
let
app = "unifi";
# renovate: depName=goofball222/unifi datasource=github-releases
version = "8.3.32";
cfg = config.mySystem.services.${app};
appFolder = "/eru/containers/volumes/${app}";
# persistentFolder = "${config.mySystem.persistentFolder}/var/lib/${appFolder}";
in
{
options.mySystem.services.${app} = {
enable = mkEnableOption "${app}";
};
config = mkIf cfg.enable {
networking.firewall.interfaces.podman0 = {
allowedTCPPorts = [ 8080 8443 8880 8843 ];
allowedUDPPorts = [ 3478 ];
};
virtualisation.oci-containers.containers.${app} = {
image = "ghcr.io/goofball222/unifi:${version}";
autoStart = true;
ports = [
"3478:3478/udp" # STUN
"8080:8080" # inform controller
"8443:8443" # https
"8880:8880" # HTTP portal redirect
"8843:8843" # HTTPS portal redirect
];
environment = {
TZ = "America/Chicago";
RUNAS_UID0 = "false";
PGID = "102";
PUID = "999";
};
volumes = [
"${appFolder}/cert:/usr/lib/unifi/cert"
"${appFolder}/data:/usr/lib/unifi/data"
"${appFolder}/logs:/usr/lib/unifi/logs"
];
};
};
}

2
nixos/modules/nixos/de/default.nix
View file

@ -1,7 +1,5 @@
{
imports = [
./gnome.nix
./hyprland.nix
./kde.nix
];
}

80
nixos/modules/nixos/de/gnome.nix
View file

@ -1,34 +1,21 @@
{
lib,
config,
pkgs,
...
}: let
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.mySystem.de.gnome;
in {
in
{
options = {
mySystem.de.gnome = {
enable =
lib.mkEnableOption "GNOME"
// {
default = false;
};
systrayicons =
lib.mkEnableOption "Enable systray icons"
// {
default = true;
};
gsconnect =
lib.mkEnableOption "Enable gsconnect (KDEConnect for GNOME)"
// {
default = true;
};
enable = mkEnableOption "GNOME" // { default = false; };
systrayicons = mkEnableOption "Enable systray icons" // { default = true; };
gsconnect = mkEnableOption "Enable gsconnect (KDEConnect for GNOME)" // { default = true; };
};
};
config = lib.mkIf cfg.enable {
config = mkIf cfg.enable {
# Ref: https://nixos.wiki/wiki/GNOME
# GNOME plz
services = {
displayManager = {
defaultSession = "gnome";
@ -51,40 +38,41 @@ in {
};
};
udev.packages = lib.optionals cfg.systrayicons [pkgs.gnome.gnome-settings-daemon]; # support appindicator
udev.packages = optionals cfg.systrayicons [ pkgs.gnome.gnome-settings-daemon ]; # support appindicator
};
# systyray icons
# extra pkgs and extensions
environment = {
systemPackages = with pkgs;
[
wl-clipboard # ls ~/Downloads | wl-copy or wl-paste > clipboard.txt
playerctl # gsconnect play/pause command
pamixer # gcsconnect volume control
gnome.gnome-tweaks
gnome.dconf-editor
systemPackages = with pkgs; [
wl-clipboard # ls ~/Downloads | wl-copy or wl-paste > clipboard.txt
playerctl # gsconnect play/pause command
pamixer # gcsconnect volume control
gnome.gnome-tweaks
gnome.dconf-editor
# This installs the extension packages, but
# dont forget to enable them per-user in dconf settings -> "org/gnome/shell"
gnomeExtensions.vitals
gnomeExtensions.caffeine
gnomeExtensions.dash-to-dock
]
++ optionals cfg.systrayicons [pkgs.gnomeExtensions.appindicator];
# This installs the extension packages, but
# dont forget to enable them per-user in dconf settings -> "org/gnome/shell"
gnomeExtensions.vitals
gnomeExtensions.caffeine
gnomeExtensions.dash-to-dock
]
++ optionals cfg.systrayicons [ pkgs.gnomeExtensions.appindicator ];
};
# enable gsconnect
# this method also opens the firewall ports required when enable = true
programs.kdeconnect = lib.mkIf cfg.gsconnect {
enable = true;
package = pkgs.gnomeExtensions.gsconnect;
};
programs.kdeconnect = mkIf
cfg.gsconnect
{
enable = true;
package = pkgs.gnomeExtensions.gsconnect;
};
# GNOME connection to browsers - requires flag on browser as well
services.gnome.gnome-browser-connector.enable = lib.any (user: user.programs.firefox.enable) (
lib.attrValues config.home-manager.users
);
services.gnome.gnome-browser-connector.enable = lib.any
(user: user.programs.firefox.enable)
(lib.attrValues config.home-manager.users);
# And dconf
programs.dconf.enable = true;
@ -111,4 +99,6 @@ in {
atomix # puzzle game
]);
};
}

146
nixos/modules/nixos/de/hyprland.nix
View file

@ -1,146 +0,0 @@
{
lib,
config,
pkgs,
inputs,
...
}: let
cfg = config.mySystem.de.hyprland;
hypr-pkgs = inputs.hyprland.inputs.nixpkgs.legacyPackages.${pkgs.stdenv.hostPlatform.system};
in {
options = {
mySystem.de.hyprland = {
enable =
lib.mkEnableOption "Hyprland"
// {
default = false;
};
};
};
config = lib.mkIf cfg.enable {
# We need all hyprland packages to follow the same MESA version
hardware = {
graphics = {
package = hypr-pkgs.mesa.drivers;
};
};
# Hyprland nixpkgs system packages
environment.systemPackages = with pkgs; [
# Hyprland
cava # Audio visualizer
cliphist # Clipboard history
duf # du tui - Disk Usage
greetd.tuigreet # TUI login manager
grim # Screenshot tool
hypridle # Hyprland idle daemon
inputs.ags.packages.${pkgs.stdenv.hostPlatform.system}.ags # AGS
inxi # System information tool
libva-utils # to view graphics capabilities
loupe # Screenshot tool
nvtopPackages.full # Video card monitoring
nwg-displays # Display manager for Hyprland
nwg-look # GTK settings editor, designed for Wayland.
pamixer # Volume control
pyprland # Python bindings for Hyprland
rofi-wayland # Window switcher and run dialog
slurp # Select a region in Wayland
swappy # Snapshot editor, designed for Wayland.
swaynotificationcenter
swww # Wallpaper daemon for wayland
wallust # Generate and change colors schemes on the fly.
waybar # Wayland top bar
wl-clipboard # Pipe to and from the clipboard
wlogout
wlr-randr # Wayland screen management
wofi # Rofi for Wayland
yad # Display dialog boxes from shell scripts
(mpv.override {scripts = [mpvScripts.mpris];})
# XDG things
xdg-user-dirs
xdg-utils
# GTK things
gnome-system-monitor
bc
baobab
glib
# Qt things
gsettings-qt
libsForQt5.qtstyleplugin-kvantum # Kvantum theme engine
# bar
libappindicator
libnotify
busybox
];
# Enabling Hyprlock to unlock the system
security = {
pam.services.hyprlock = {};
polkit.enable = true;
};
# Hyprland nixpkgs program modules
programs = {
# Hyprland DE
hyprland = {
enable = true;
package = inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.hyprland;
portalPackage =
inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.xdg-desktop-portal-hyprland;
withUWSM = true;
};
dconf.enable = true;
seahorse.enable = true;
ssh = {
enableAskPassword = true;
askPassword = "${pkgs.seahorse}/libexec/seahorse/ssh-askpass";
};
fuse.userAllowOther = true;
## Additional programs for the overall Hyprland experience
hyprlock = {
enable = true;
package = inputs.hyprlock.packages.${pkgs.stdenv.hostPlatform.system}.hyprlock;
};
nm-applet.indicator = true; # Compatability; Application indicator for NetworkManager
thunar.enable = true;
thunar.plugins = with pkgs.xfce; [
exo
mousepad
thunar-archive-plugin
thunar-volman
tumbler
];
gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
};
# Hyprland nixpkgs service modules
services = {
greetd = {
enable = true;
vt = 3;
settings = {
default_session = {
user = "jahanson";
command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd='uwsm start select'"; # start Hyprland with a TUI login manager
};
};
};
gnome.gnome-keyring.enable = true;
};
# Fonts
fonts.packages = with pkgs; [
fira-code
font-awesome
jetbrains-mono
noto-fonts
noto-fonts-cjk-sans
terminus_font
victor-mono
unstable.nerd-fonts.jetbrains-mono
unstable.nerd-fonts.fira-code
unstable.nerd-fonts.fantasque-sans-mono
];
};
}

70
nixos/modules/nixos/de/kde.nix
View file

@ -1,70 +0,0 @@
{
lib,
config,
pkgs,
...
}: let
cfg = config.mySystem.de.kde;
flameshotOverride = pkgs.unstable.flameshot.override {enableWlrSupport = true;};
in {
options = {
mySystem.de.kde = {
enable =
lib.mkEnableOption "KDE"
// {
default = false;
};
};
};
config = lib.mkIf cfg.enable {
# Ref: https://wiki.nixos.org/wiki/KDE
# KDE
services = {
displayManager = {
sddm = {
enable = true;
wayland = {
enable = true;
};
};
};
desktopManager.plasma6.enable = true;
};
security = {
# realtime process priority
rtkit.enable = true;
# KDE Wallet PAM integration for unlocking the default wallet on login
pam.services."sddm".kwallet.enable = true;
};
# enable pipewire for sound
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
};
# extra pkgs and extensions
environment = {
systemPackages = with pkgs; [
wl-clipboard # ls ~/Downloads | wl-copy or wl-paste > clipboard.txt
playerctl # gsconnect play/pause command
vorta # Borg backup tool
flameshotOverride # screenshot tool
libsForQt5.qt5.qtbase # for vivaldi compatibility
kdePackages.discover # KDE software center -- mainly for flatpak updates
];
};
# enable kdeconnect
# this method also opens the firewall ports required when enable = true
programs.kdeconnect = {
enable = true;
};
};
}

11
nixos/modules/nixos/default.nix
View file

@ -1,9 +1,6 @@
{ lib, config, ... }:
with lib;
{
lib,
config,
...
}:
with lib; {
imports = [
./containers
./de
@ -55,13 +52,13 @@ with lib; {
monitoring.prometheus.scrapeConfigs = mkOption {
type = lib.types.listOf lib.types.attrs;
description = "Prometheus scrape targets";
default = [];
default = [ ];
};
};
config = {
systemd.tmpfiles.rules = [
"d ${config.mySystem.persistentFolder} 777 - - -" # The - disables automatic cleanup, so the file wont be removed after a period
"d ${config.mySystem.persistentFolder} 777 - - -" #The - disables automatic cleanup, so the file wont be removed after a period
];
};
}

1
nixos/modules/nixos/editor/default.nix
View file

@ -1,6 +1,5 @@
{
imports = [
./nvim.nix
./vim.nix
./vscode.nix
];

199
nixos/modules/nixos/editor/nvim.nix
View file

@ -1,199 +0,0 @@
{
config,
lib,
...
}:
with lib; let
cfg = config.mySystem.editor.nvim;
in {
options.mySystem.editor.nvim.enable = mkEnableOption "nvim";
config = mkIf cfg.enable {
# Enable nvim and configure plugins/settings
# Uses nvf https://github.com/NotAShelf/nvf to configure nvim on nix.
programs.nvf = {
enable = true;
settings.vim = {
keymaps = [
{
mode = "n";
key = "<leader>rp";
action = ":lua require('precognition').peek()<CR>";
desc = "Peek recognition";
}
];
viAlias = false;
vimAlias = true;
lsp = {
enable = true;
formatOnSave = true;
lspsaga.enable = false;
trouble.enable = true;
lspSignature.enable = true;
otter-nvim.enable = true;
lsplines.enable = true;
nvim-docs-view.enable = true;
};
languages = {
enableLSP = true;
enableFormat = true;
enableTreesitter = true;
enableExtraDiagnostics = true;
nix.enable = true;
markdown.enable = true;
bash.enable = true;
css.enable = true;
html.enable = true;
sql.enable = true;
ts.enable = true;
go.enable = true;
lua.enable = true;
zig.enable = true;
python.enable = true;
rust = {
enable = true;
crates.enable = true;
};
astro.enable = true;
nu.enable = true;
csharp.enable = true;
tailwind.enable = true;
};
visuals = {
nvim-scrollbar.enable = true;
nvim-web-devicons.enable = true;
nvim-cursorline.enable = true;
cinnamon-nvim.enable = true;
fidget-nvim.enable = true;
highlight-undo.enable = true;
indent-blankline.enable = true;
cellular-automaton.enable = true;
};
statusline = {
lualine = {
enable = true;
theme = "catppuccin";
};
};
theme = {
enable = true;
name = "catppuccin";
style = "mocha";
transparent = false;
};
autopairs.nvim-autopairs.enable = true;
autocomplete.nvim-cmp.enable = true;
snippets.luasnip.enable = true;
filetree.neo-tree.enable = true;
tabline.nvimBufferline.enable = true;
treesitter.context.enable = true;
binds = {
whichKey.enable = true;
cheatsheet.enable = true;
};
telescope.enable = true;
git = {
enable = true;
gitsigns = {
enable = true;
codeActions.enable = false;
};
};
minimap = {
minimap-vim.enable = false;
codewindow.enable = true;
};
dashboard = {
dashboard-nvim.enable = false;
alpha.enable = true;
};
notify = {
nvim-notify.enable = true;
};
projects = {
project-nvim.enable = true;
};
utility = {
vim-wakatime.enable = true;
icon-picker.enable = true;
surround.enable = true;
diffview-nvim.enable = true;
yanky-nvim.enable = false;
motion = {
hop.enable = true;
leap.enable = true;
precognition = {
enable = true;
setupOpts.startVisible = false;
};
};
images = {
image-nvim.enable = false;
};
};
notes = {
mind-nvim.enable = true;
todo-comments.enable = true;
};
terminal = {
toggleterm = {
enable = true;
lazygit.enable = true;
};
};
ui = {
borders.enable = true;
noice.enable = true;
colorizer.enable = true;
modes-nvim.enable = false;
illuminate.enable = true;
breadcrumbs = {
enable = true;
navbuddy.enable = true;
};
smartcolumn = {
enable = true;
setupOpts.custom_colorcolumn = {
nix = "110";
ruby = "120";
java = "130";
go = ["90" "130"];
};
};
fastaction.enable = true;
};
assistant = {
copilot = {
enable = true;
cmp.enable = true;
};
};
session = {
nvim-session-manager.enable = false;
};
comments = {
comment-nvim.enable = true;
};
presence = {
neocord.enable = false;
};
};
};
};
}

29
nixos/modules/nixos/editor/vim.nix
View file

@ -1,36 +1,25 @@
# /home/jahanson/projects/mochi/nixos/modules/nixos/editor/vim.nix
{
config,
lib,
...
}:
with lib; let
{ config, lib, ... }:
with lib;
let
cfg = config.mySystem.editor.vim;
users = ["jahanson"];
in {
users = [ "jahanson" ];
in
{
options.mySystem.editor.vim.enable = mkEnableOption "vim";
config = mkIf cfg.enable {
# Enable vim and set as default editor
programs.vim.enable = true;
programs.vim.defaultEditor = true;
# Visual mode off and syntax highlighting on
home-manager.users =
mapAttrs
home-manager.users = mapAttrs
(user: _: {
home.file.".vimrc".text = ''
set mouse-=a
syntax on
'';
})
(
listToAttrs (
map (u: {
name = u;
value = {};
})
users
)
);
(listToAttrs (map (u: { name = u; value = { }; }) users));
};
}

Some files were not shown because too many files have changed in this diff Show more