diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml index ef3c51d..7073126 100644 --- a/.gitea/workflows/deploy.yaml +++ b/.gitea/workflows/deploy.yaml @@ -12,6 +12,10 @@ jobs: runs-on: ubuntu-22.04 steps: - uses: cachix/install-nix-action@v31 + with: + extra_nix_config: | + extra-trusted-public-keys = localhost:TiRpr2LzamX/MCKBUmFlZ8inWz94QWGL88fMEHg9Kgc= + extra-substituters = http://localhost:5000 - uses: actions/checkout@v4 - name: Install SSH key uses: shimataro/ssh-key-action@v2 diff --git a/flake.nix b/flake.nix index d8cb6a9..2263888 100644 --- a/flake.nix +++ b/flake.nix @@ -86,6 +86,7 @@ }: { imports = [ + agenix.nixosModules.default ./hosts/${name}/configuration.nix ./hosts/${name}/hardware-configuration.nix ] @@ -125,7 +126,10 @@ default = pkgs.mkShell { # The Nix packages provided in the environment # Add any you need here - packages = with pkgs; [ colmena.packages.${pkgs.system}.colmena ]; + packages = with pkgs; [ + colmena.packages.${pkgs.stdenv.system}.colmena + agenix.packages.${pkgs.stdenv.system}.agenix + ]; # Set any environment variables for your dev shell env = { }; diff --git a/hosts/sin/copyparty.nix b/hosts/sin/copyparty.nix index faba3c3..7531189 100644 --- a/hosts/sin/copyparty.nix +++ b/hosts/sin/copyparty.nix @@ -1,4 +1,9 @@ -{ inputs, pkgs, config, ... }: +{ + inputs, + pkgs, + config, + ... +}: { imports = [ inputs.copyparty.nixosModules.default ]; nixpkgs.overlays = [ inputs.copyparty.overlays.default ]; diff --git a/hosts/sin/coredns/default.nix b/hosts/sin/coredns/default.nix index a30d4f4..a47dfea 100644 --- a/hosts/sin/coredns/default.nix +++ b/hosts/sin/coredns/default.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ services.coredns = { enable = false; config = '' @@ -8,7 +9,7 @@ cache file ${./db.homelab.local} } - + . { forward . 8.8.8.8 log diff --git a/hosts/sin/flake.nix b/hosts/sin/flake.nix index 4a322f5..32ee19f 100644 --- a/hosts/sin/flake.nix +++ b/hosts/sin/flake.nix 
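Review bot: The added `extra-substituters = http://localhost:5000` assumes the Gitea runner shares thea's loopback; if the `ubuntu-22.04` label resolves to a Docker job container (the usual act_runner setup), `localhost` is the container itself, the request never reaches nix-serve, and Nix only warns before falling back to cache.nixos.org and local builds. Plain HTTP is acceptable here only because every fetched path is checked against the `extra-trusted-public-keys` entry, which also means that key is trusted for any substituter, not just this one — its private half on thea is effectively a root of trust for CI builds. The same public key is repeated verbatim in `hosts/thea/ressources/cache/pubkey.pem`; rotating one without the other silently disables the cache, so a comment such as `# must match hosts/thea/ressources/cache/pubkey.pem` next to the key line would help. While editing this step, `cachix/install-nix-action@v31` and the neighbouring third-party actions are pinned to mutable tags; pinning to a full commit SHA is the usual supply-chain hardening.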
@@ -14,7 +14,15 @@ }; # Flake outputs - outputs = inputs@{ self, nixpkgs, disko, unstable, agenix, ... }: + outputs = + inputs@{ + self, + nixpkgs, + disko, + unstable, + agenix, + ... + }: let # The systems supported for this flake supportedSystems = [ @@ -22,9 +30,14 @@ ]; # Helper to provide system-specific attributes - forEachSupportedSystem = f: nixpkgs.lib.genAttrs supportedSystems (system: f { - pkgs = import nixpkgs { inherit system; }; - }); + forEachSupportedSystem = + f: + nixpkgs.lib.genAttrs supportedSystems ( + system: + f { + pkgs = import nixpkgs { inherit system; }; + } + ); in { nixosConfigurations.zimablade = nixpkgs.lib.nixosSystem { @@ -40,15 +53,21 @@ }; }; - devShells = forEachSupportedSystem ({ pkgs }: { - default = pkgs.mkShell { - # The Nix packages provided in the environment - # Add any you need here - packages = with pkgs; [ pkgs.disko nixos-anywhere ]; + devShells = forEachSupportedSystem ( + { pkgs }: + { + default = pkgs.mkShell { + # The Nix packages provided in the environment + # Add any you need here + packages = with pkgs; [ + pkgs.disko + nixos-anywhere + ]; - # Add any shell logic you want executed any time the environment is activated - shellHook = ''''; - }; - }); + # Add any shell logic you want executed any time the environment is activated + shellHook = ''''; + }; + } + ); }; } diff --git a/hosts/sin/glances.nix b/hosts/sin/glances.nix index 9964f68..6c70397 100644 --- a/hosts/sin/glances.nix +++ b/hosts/sin/glances.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ services.glances = { enable = true; openFirewall = true; diff --git a/hosts/sin/hardware-configuration.nix b/hosts/sin/hardware-configuration.nix index 14be96b..5bbe091 100644 --- a/hosts/sin/hardware-configuration.nix +++ b/hosts/sin/hardware-configuration.nix 
@@ -1,26 +1,39 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp0s21f0u3u4.useDHCP = lib.mkDefault true; - # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: + +{ + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ + "ahci" + "xhci_pci" + "usb_storage" + "usbhid" + "sd_mod" + "sdhci_pci" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. 
When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp0s21f0u3u4.useDHCP = lib.mkDefault true; + # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/sin/homepage.nix b/hosts/sin/homepage.nix index 4bd238c..aed66a9 100644 --- a/hosts/sin/homepage.nix +++ b/hosts/sin/homepage.nix @@ -116,6 +116,8 @@ url = "udp://minecraft.shobu.fr:25565"; }; }; + } + { "reclamation" = { description = "bring back your world to life"; widget = { @@ -123,7 +125,6 @@ url = "udp://minecraft.shobu.fr:43001"; }; }; - } ]; } diff --git a/hosts/sin/jellyfin.nix b/hosts/sin/jellyfin.nix index 9d49965..70dc311 100644 --- a/hosts/sin/jellyfin.nix +++ b/hosts/sin/jellyfin.nix @@ -1,6 +1,8 @@ -{pkgs, inputs, ...}: let +{ pkgs, inputs, ... }: +let unstable = import inputs.unstable { system = pkgs.system; }; -in { +in +{ nixpkgs.config.packageOverrides = pkgs: { vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; }; 
@@ -27,24 +29,49 @@ in { extraGroups = [ "jellyfin" ]; }; - users.users.sonarr.extraGroups = ["jellyfin" "radarr" "transmission" "starr"]; - users.users.radarr.extraGroups = ["jellyfin" "sonarr" "transmission" "starr"]; - users.users.bazarr.extraGroups = ["jellyfin" "sonarr" "transmission" "starr" "radarr"]; - users.users.lidarr.extraGroups = ["jellyfin" "starr" "transmission"]; - - users.users.shobu.extraGroups = [ "jellyfin" "starr" "transmission" "radarr" "sonarr" ]; + users.users.sonarr.extraGroups = [ + "jellyfin" + "radarr" + "transmission" + "starr" + ]; + users.users.radarr.extraGroups = [ + "jellyfin" + "sonarr" + "transmission" + "starr" + ]; + users.users.bazarr.extraGroups = [ + "jellyfin" + "sonarr" + "transmission" + "starr" + "radarr" + ]; + users.users.lidarr.extraGroups = [ + "jellyfin" + "starr" + "transmission" + ]; + + users.users.shobu.extraGroups = [ + "jellyfin" + "starr" + "transmission" + "radarr" + "sonarr" + ]; - users.groups = { - starr = {}; + starr = { }; }; - + services = { jellyfin = { enable = true; openFirewall = true; }; - + sonarr = { enable = true; openFirewall = true; @@ -68,7 +95,7 @@ in { openFirewall = true; package = unstable.lidarr; }; - + jellyseerr = { enable = true; openFirewall = true; diff --git a/hosts/sin/luks-btrfs-raid.nix b/hosts/sin/luks-btrfs-raid.nix index 692e320..1dccbbb 100644 --- a/hosts/sin/luks-btrfs-raid.nix +++ b/hosts/sin/luks-btrfs-raid.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ disko.devices = { disk = { # Devices will be mounted and formatted in alphabetical order, and btrfs can only mount raids @@ -102,7 +103,7 @@ "/nix" = { mountpoint = "/nix"; mountOptions = [ "compress=zstd:3" ]; - }; + }; "/data" = { mountpoint = "/mnt/data"; diff --git a/hosts/sin/matrix.nix b/hosts/sin/matrix.nix index 7db1e86..056fe09 100644 --- a/hosts/sin/matrix.nix +++ b/hosts/sin/matrix.nix @@ -1,4 +1,4 @@ -{pkgs, config, ...}: +{ pkgs, config, ... }: { users.users = { postgres = { 
@@ -26,7 +26,10 @@ ''; }; - networking.firewall.allowedTCPPorts = [ 8008 8448 ]; + networking.firewall.allowedTCPPorts = [ + 8008 + 8448 + ]; services.matrix-synapse = { enable = true; @@ -39,13 +42,16 @@ listeners = [ { port = 8008; - bind_addresses = ["0.0.0.0"]; + bind_addresses = [ "0.0.0.0" ]; type = "http"; tls = false; x_forwarded = true; resources = [ { - names = [ "client" "federation" ]; + names = [ + "client" + "federation" + ]; compress = true; } ]; diff --git a/hosts/sin/secrets.nix b/hosts/sin/secrets.nix index 46e3056..d9136c9 100644 --- a/hosts/sin/secrets.nix +++ b/hosts/sin/secrets.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ age.secrets = { # captcha = { # file = ./secrets/matrix_captcha.age; diff --git a/hosts/thea/configuration.nix b/hosts/thea/configuration.nix index c693dce..dcd78a7 100644 --- a/hosts/thea/configuration.nix +++ b/hosts/thea/configuration.nix @@ -2,20 +2,27 @@ # your system. Help is available in the configuration.nix(5) man page, on # https://search.nixos.org/options and in the NixOS manual (`nixos-help`). -{ config, lib, pkgs, nodes, ... }:let +{ + config, + lib, + pkgs, + nodes, + ... +}: +let sin-address = "192.168.1.14"; in { - imports = - [ - ./nginx.nix - # ./striped - # ./cybercoffee - ./ollama.nix - ./minecraft.nix - # ./shares.nix - ]; + imports = [ + ./nginx.nix + # ./striped + # ./cybercoffee + ./ollama.nix + ./minecraft.nix + ./secrets + ./nix-serve.nix + ]; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; @@ -29,7 +36,7 @@ in # nameservers = [ "10.0.0.4" ]; # dhcpcd.extraConfig = "nohook resolv.conf"; - + firewall = { allowedTCPPorts = [ nodes.sin.config.services.gitea.settings.server.SSH_PORT ]; }; 
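Review bot: The new `./secrets` import evaluates `age.secrets`, an option that exists only when the agenix NixOS module is loaded; the root `flake.nix` in this diff adds `agenix.nixosModules.default` to every host, but the standalone `hosts/thea/flake.nix` (also touched here) still builds thea from just `./configuration.nix` and `./hardware-configuration.nix`, so evaluating thea through that per-host flake should now fail on an undefined `age` option. Either add the module to that flake's `modules` list or mark it as unmaintained with a comment like `# superseded by the root flake; do not deploy from here`. Unrelated to the imports but visible in the second hunk: `firewall.allowedTCPPorts` still lists only the Gitea SSH port, so the new nix-serve on port 5000 is not reachable from the LAN, which is the right default for a cache that is meant to be consumed via localhost.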
@@ -37,18 +44,23 @@ in enable = true; internalInterfaces = [ "enp1s0" ]; externalInterface = "enp1s0"; - forwardPorts = [ { - # TODO refactor this in the gitea/n100 module - sourcePort = nodes.sin.config.services.gitea.settings.server.SSH_PORT; - proto = "tcp"; - destination = "${sin-address}:22"; - } ]; + forwardPorts = [ + { + # TODO refactor this in the gitea/n100 module + sourcePort = nodes.sin.config.services.gitea.settings.server.SSH_PORT; + proto = "tcp"; + destination = "${sin-address}:22"; + } + ]; }; }; time.timeZone = "Europe/Paris"; - nix.settings.experimental-features = [ "nix-command" "flakes" ]; + nix.settings.experimental-features = [ + "nix-command" + "flakes" + ]; nixpkgs.config.allowUnfree = true; users.users.n100 = { @@ -57,16 +69,19 @@ in packages = with pkgs; [ ]; - openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKsu+4S+BHmypQTq2IR9y+ihvbF7sXbBznKtIjVAeHJ1 shobu@nixos" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKsu+4S+BHmypQTq2IR9y+ihvbF7sXbBznKtIjVAeHJ1 shobu@nixos" + ]; }; users.users.root = { - openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKsu+4S+BHmypQTq2IR9y+ihvbF7sXbBznKtIjVAeHJ1 shobu@nixos" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKsu+4S+BHmypQTq2IR9y+ihvbF7sXbBznKtIjVAeHJ1 shobu@nixos" + ]; }; - environment.systemPackages = with pkgs; [ - lunarvim + lunarvim wget httpie tmux @@ -112,4 +127,3 @@ in system.stateVersion = "24.11"; # Did you read the comment? } - diff --git a/hosts/thea/cybercoffee/default.nix b/hosts/thea/cybercoffee/default.nix index b566bbd..96c2cf2 100644 --- a/hosts/thea/cybercoffee/default.nix +++ b/hosts/thea/cybercoffee/default.nix @@ -1,4 +1,4 @@ -{pkgs, ...}: +{ pkgs, ... }: { imports = [ ./halflife.nix diff --git a/hosts/thea/cybercoffee/halflife.nix b/hosts/thea/cybercoffee/halflife.nix index 87a1e7a..c915eb0 100644 --- a/hosts/thea/cybercoffee/halflife.nix 
+++ b/hosts/thea/cybercoffee/halflife.nix @@ -1,2 +1 @@ - -{...}: {} +{ ... }: { } diff --git a/hosts/thea/flake.nix b/hosts/thea/flake.nix index 5e9c4f0..120b68d 100644 --- a/hosts/thea/flake.nix +++ b/hosts/thea/flake.nix @@ -12,23 +12,24 @@ }; # Flake outputs - outputs = inputs@{ - self, - nixpkgs, - nix-minecraft, - shoblog-front, - striped-front, - striped-back, - ... - }: - { - nixosConfigurations.n100 = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = { inherit inputs; }; - modules = [ - ./configuration.nix - ./hardware-configuration.nix - ]; + outputs = + inputs@{ + self, + nixpkgs, + nix-minecraft, + shoblog-front, + striped-front, + striped-back, + ... + }: + { + nixosConfigurations.n100 = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = { inherit inputs; }; + modules = [ + ./configuration.nix + ./hardware-configuration.nix + ]; + }; }; - }; } diff --git a/hosts/thea/hardware-configuration.nix b/hosts/thea/hardware-configuration.nix index 0e45db5..38f8201 100644 --- a/hosts/thea/hardware-configuration.nix +++ b/hosts/thea/hardware-configuration.nix 
@@ -1,47 +1,61 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" "sdhci_pci" ]; + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "sd_mod" + "sdhci_pci" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc"; - fsType = "btrfs"; - options = [ "subvol=root" ]; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc"; + fsType = "btrfs"; + options = [ "subvol=root" ]; + }; - fileSystems."/nix" = - { device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc"; - fsType = "btrfs"; - options = [ "subvol=nix" ]; - }; + fileSystems."/nix" = { + device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc"; + fsType = "btrfs"; + options = [ "subvol=nix" ]; + }; - fileSystems."/home" = - { device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc"; - fsType = "btrfs"; - options = [ "subvol=home" ]; - }; + fileSystems."/home" = { + device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc"; + fsType = "btrfs"; + options = [ "subvol=home" ]; + }; - fileSystems."/swap" = - { device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc"; - fsType = "btrfs"; - options = [ "subvol=swap" ]; - }; + fileSystems."/swap" = { + device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc"; + fsType = "btrfs"; + options = [ "subvol=swap" ]; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/D1B9-8019"; - fsType = 
"vfat"; - options = [ "fmask=0077" "dmask=0077" ]; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/D1B9-8019"; + fsType = "vfat"; + options = [ + "fmask=0077" + "dmask=0077" + ]; + }; swapDevices = [ ]; diff --git a/hosts/thea/nix-serve.nix b/hosts/thea/nix-serve.nix new file mode 100644 index 0000000..80429eb --- /dev/null +++ b/hosts/thea/nix-serve.nix @@ -0,0 +1,12 @@ +{ + pkgs, + config, + lib, + ... +}: +{ + services.nix-serve = { + enable = true; + secretKeyFile = config.age.secrets.cache-privkey.path; + }; +} diff --git a/hosts/thea/ollama.nix b/hosts/thea/ollama.nix index ef9d47c..7f52176 100644 --- a/hosts/thea/ollama.nix +++ b/hosts/thea/ollama.nix @@ -1,4 +1,5 @@ -{inputs, ...}: { +{ inputs, ... }: +{ # virtualisation.docker = { # enable = true; # storageDriver = "btrfs"; diff --git a/hosts/thea/ressources/cache/pubkey.pem b/hosts/thea/ressources/cache/pubkey.pem new file mode 100644 index 0000000..5ac2d2f --- /dev/null +++ b/hosts/thea/ressources/cache/pubkey.pem @@ -0,0 +1 @@ +localhost:TiRpr2LzamX/MCKBUmFlZ8inWz94QWGL88fMEHg9Kgc= diff --git a/hosts/thea/secrets/cache-privkey.age b/hosts/thea/secrets/cache-privkey.age new file mode 100644 index 0000000..d75c4d0 --- /dev/null +++ b/hosts/thea/secrets/cache-privkey.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 EVanKw DJoF2jaBg5Z2tF8NOqAXbNK3pODj8vEmgQ2bs3iaV0I +rO+6V0JmPnygEqsnblNwhZBHmsAjLaWgdNd/l2veeYg +-> ssh-ed25519 /uqj4A WW3yjXkYtKbXrANeNCctcNZTNg31LAm3wpaVCXsroA4 +fF1mt83MNX5aHpukk2t0vE49wEwiqOlRxMoAxouYJVQ +--- cHVG1C71ko8ZNUMRoaLkw6zmAAjVvPaS5j/hr/P7Xoc +qc6XHNm5.0̐-a !k]iBڊ]R2 j_QzHDCዲ!d˰bUBS=fw̛ +s0)*KOн \ No newline at end of file diff --git a/hosts/thea/secrets/default.nix b/hosts/thea/secrets/default.nix new file mode 100644 index 0000000..92e5a26 --- /dev/null +++ b/hosts/thea/secrets/default.nix @@ -0,0 +1,9 @@ +{ ... }: +{ + age.secrets = { + cache-privkey = { + file = ./cache-privkey.age; + mode = "700"; + }; + }; +} 
diff --git a/hosts/thea/shares.nix b/hosts/thea/shares.nix index 18cbd14..b87072a 100644 --- a/hosts/thea/shares.nix +++ b/hosts/thea/shares.nix @@ -1,4 +1,5 @@ -{...}: let +{ ... }: +let sin-address = "192.168.1.14"; in { diff --git a/hosts/thea/striped/back.nix b/hosts/thea/striped/back.nix index cd9fc9f..b057387 100644 --- a/hosts/thea/striped/back.nix +++ b/hosts/thea/striped/back.nix @@ -1,11 +1,12 @@ -{inputs, ...}: +{ inputs, ... }: let striped-back = inputs.striped-back; -in { +in +{ imports = [ striped-back.nixosModules.default ]; - + services.striped-back-api = { enable = true; @@ -17,7 +18,7 @@ in { socket.enable = true; settings.django = { - allowed-hosts = ["striped-api.shobu.fr"]; + allowed-hosts = [ "striped-api.shobu.fr" ]; debug = true; databases = { default = { diff --git a/hosts/thea/striped/default.nix b/hosts/thea/striped/default.nix index e7dfa5b..f6b6443 100644 --- a/hosts/thea/striped/default.nix +++ b/hosts/thea/striped/default.nix @@ -1,4 +1,5 @@ -{striped-back, striped-front, ...}:{ +{ striped-back, striped-front, ... }: +{ imports = [ ./back.nix ]; diff --git a/modules/gitea/sin/default.nix b/modules/gitea/sin/default.nix index 95ec1de..db87c3a 100644 --- a/modules/gitea/sin/default.nix +++ b/modules/gitea/sin/default.nix @@ -1,6 +1,8 @@ -{lib, ...}: let +{ lib, ... }: +let ssh_port = 24658; -in { +in +{ services = { gitea = { enable = true; @@ -16,7 +18,7 @@ in { }; actions = { ENABLED = true; - }; + }; }; }; };