format && add nix-serve for caching

2026-01-07 15:29:28 +01:00
parent 13b08066ce
commit 56ffeaf5a0
26 changed files with 296 additions and 149 deletions
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -12,6 +12,10 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - uses: cachix/install-nix-action@v31
+        with:
+          extra_nix_config: |
+            extra-trusted-public-keys = localhost:TiRpr2LzamX/MCKBUmFlZ8inWz94QWGL88fMEHg9Kgc=
+            extra-substituters = http://localhost:5000
      - uses: actions/checkout@v4
      - name: Install SSH key
        uses: shimataro/ssh-key-action@v2
--- a/flake.nix
+++ b/flake.nix
@@ -86,6 +86,7 @@
          }:
          {
            imports = [
+              agenix.nixosModules.default
              ./hosts/${name}/configuration.nix
              ./hosts/${name}/hardware-configuration.nix
            ]
@@ -125,7 +126,10 @@
          default = pkgs.mkShell {
            # The Nix packages provided in the environment
            # Add any you need here
-            packages = with pkgs; [ colmena.packages.${pkgs.system}.colmena ];
+            packages = with pkgs; [
+              colmena.packages.${pkgs.stdenv.system}.colmena
+              agenix.packages.${pkgs.stdenv.system}.agenix
+            ];

            # Set any environment variables for your dev shell
            env = { };
--- a/hosts/sin/copyparty.nix
+++ b/hosts/sin/copyparty.nix
@@ -1,4 +1,9 @@
-{ inputs, pkgs, config, ... }:
+{
+  inputs,
+  pkgs,
+  config,
+  ...
+}:
 {
  imports = [ inputs.copyparty.nixosModules.default ];
  nixpkgs.overlays = [ inputs.copyparty.overlays.default ];
--- a/hosts/sin/coredns/default.nix
+++ b/hosts/sin/coredns/default.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
  services.coredns = {
    enable = false;
    config = ''
@@ -8,7 +9,7 @@
        cache
        file ${./db.homelab.local}
      }
-      
+
      . {
        forward . 8.8.8.8
        log
--- a/hosts/sin/flake.nix
+++ b/hosts/sin/flake.nix
@@ -14,7 +14,15 @@
  };

  # Flake outputs
-    outputs = inputs@{ self, nixpkgs, disko, unstable, agenix, ... }:
+  outputs =
+    inputs@{
+      self,
+      nixpkgs,
+      disko,
+      unstable,
+      agenix,
+      ...
+    }:
    let
      # The systems supported for this flake
      supportedSystems = [
@@ -22,9 +30,14 @@
      ];

      # Helper to provide system-specific attributes
-      forEachSupportedSystem = f: nixpkgs.lib.genAttrs supportedSystems (system: f {
-        pkgs = import nixpkgs { inherit system; };
-      });
+      forEachSupportedSystem =
+        f:
+        nixpkgs.lib.genAttrs supportedSystems (
+          system:
+          f {
+            pkgs = import nixpkgs { inherit system; };
+          }
+        );
    in
    {
      nixosConfigurations.zimablade = nixpkgs.lib.nixosSystem {
@@ -40,15 +53,21 @@
        };
      };

-      devShells = forEachSupportedSystem ({ pkgs }: {
-        default = pkgs.mkShell {
-          # The Nix packages provided in the environment
-          # Add any you need here
-          packages = with pkgs; [ pkgs.disko nixos-anywhere ];
+      devShells = forEachSupportedSystem (
+        { pkgs }:
+        {
+          default = pkgs.mkShell {
+            # The Nix packages provided in the environment
+            # Add any you need here
+            packages = with pkgs; [
+              pkgs.disko
+              nixos-anywhere
+            ];

-          # Add any shell logic you want executed any time the environment is activated
-          shellHook = '''';
-        };
-      });
+            # Add any shell logic you want executed any time the environment is activated
+            shellHook = '''';
+          };
+        }
+      );
    };
 }
--- a/hosts/sin/glances.nix
+++ b/hosts/sin/glances.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
  services.glances = {
    enable = true;
    openFirewall = true;
--- a/hosts/sin/hardware-configuration.nix
+++ b/hosts/sin/hardware-configuration.nix
@@ -1,26 +1,39 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp0s21f0u3u4.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "ahci"
+    "xhci_pci"
+    "usb_storage"
+    "usbhid"
+    "sd_mod"
+    "sdhci_pci"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s21f0u3u4.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/sin/homepage.nix
+++ b/hosts/sin/homepage.nix
@@ -116,6 +116,8 @@
                url = "udp://minecraft.shobu.fr:25565";
              };
            };
+          }
+          {
            "reclamation" = {
              description = "bring back your world to life";
              widget = {
@@ -123,7 +125,6 @@
                url = "udp://minecraft.shobu.fr:43001";
              };
            };
-
          }
        ];
      }
--- a/hosts/sin/jellyfin.nix
+++ b/hosts/sin/jellyfin.nix
@@ -1,6 +1,8 @@
-{pkgs, inputs, ...}: let
+{ pkgs, inputs, ... }:
+let
  unstable = import inputs.unstable { system = pkgs.system; };
-in {
+in
+{
  nixpkgs.config.packageOverrides = pkgs: {
    vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
  };
@@ -27,24 +29,49 @@ in {
    extraGroups = [ "jellyfin" ];
  };

-  users.users.sonarr.extraGroups = ["jellyfin" "radarr" "transmission" "starr"];
-  users.users.radarr.extraGroups = ["jellyfin" "sonarr" "transmission" "starr"];
-  users.users.bazarr.extraGroups = ["jellyfin" "sonarr" "transmission" "starr" "radarr"];
-  users.users.lidarr.extraGroups = ["jellyfin" "starr" "transmission"];
-  
-  users.users.shobu.extraGroups = [ "jellyfin" "starr" "transmission" "radarr" "sonarr" ];
+  users.users.sonarr.extraGroups = [
+    "jellyfin"
+    "radarr"
+    "transmission"
+    "starr"
+  ];
+  users.users.radarr.extraGroups = [
+    "jellyfin"
+    "sonarr"
+    "transmission"
+    "starr"
+  ];
+  users.users.bazarr.extraGroups = [
+    "jellyfin"
+    "sonarr"
+    "transmission"
+    "starr"
+    "radarr"
+  ];
+  users.users.lidarr.extraGroups = [
+    "jellyfin"
+    "starr"
+    "transmission"
+  ];
+
+  users.users.shobu.extraGroups = [
+    "jellyfin"
+    "starr"
+    "transmission"
+    "radarr"
+    "sonarr"
+  ];

-  
  users.groups = {
-    starr = {};
+    starr = { };
  };
-  
+
  services = {
    jellyfin = {
      enable = true;
      openFirewall = true;
    };
- 
+
    sonarr = {
      enable = true;
      openFirewall = true;
@@ -68,7 +95,7 @@ in {
      openFirewall = true;
      package = unstable.lidarr;
    };
-    
+
    jellyseerr = {
      enable = true;
      openFirewall = true;
--- a/hosts/sin/luks-btrfs-raid.nix
+++ b/hosts/sin/luks-btrfs-raid.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
  disko.devices = {
    disk = {
      # Devices will be mounted and formatted in alphabetical order, and btrfs can only mount raids
@@ -102,7 +103,7 @@
                    "/nix" = {
                      mountpoint = "/nix";
                      mountOptions = [ "compress=zstd:3" ];
-                    }; 
+                    };

                    "/data" = {
                      mountpoint = "/mnt/data";
--- a/hosts/sin/matrix.nix
+++ b/hosts/sin/matrix.nix
@@ -1,4 +1,4 @@
-{pkgs, config, ...}:
+{ pkgs, config, ... }:
 {
  users.users = {
    postgres = {
@@ -26,7 +26,10 @@
    '';
  };

-  networking.firewall.allowedTCPPorts = [ 8008 8448 ];
+  networking.firewall.allowedTCPPorts = [
+    8008
+    8448
+  ];

  services.matrix-synapse = {
    enable = true;
@@ -39,13 +42,16 @@
      listeners = [
        {
          port = 8008;
-          bind_addresses = ["0.0.0.0"];
+          bind_addresses = [ "0.0.0.0" ];
          type = "http";
          tls = false;
          x_forwarded = true;
          resources = [
            {
-              names = [ "client" "federation" ];
+              names = [
+                "client"
+                "federation"
+              ];
              compress = true;
            }
          ];
--- a/hosts/sin/secrets.nix
+++ b/hosts/sin/secrets.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
  age.secrets = {
    # captcha = {
    #   file = ./secrets/matrix_captcha.age;
--- a/hosts/thea/configuration.nix
+++ b/hosts/thea/configuration.nix
@@ -2,20 +2,27 @@
 # your system. Help is available in the configuration.nix(5) man page, on
 # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).

-{ config, lib, pkgs, nodes, ... }:let
+{
+  config,
+  lib,
+  pkgs,
+  nodes,
+  ...
+}:
+let
  sin-address = "192.168.1.14";
 in

 {
-  imports =
-    [
-      ./nginx.nix
-      # ./striped
-      # ./cybercoffee
-      ./ollama.nix
-      ./minecraft.nix
-      # ./shares.nix
-    ];
+  imports = [
+    ./nginx.nix
+    # ./striped
+    # ./cybercoffee
+    ./ollama.nix
+    ./minecraft.nix
+    ./secrets
+    ./nix-serve.nix
+  ];

  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
@@ -29,7 +36,7 @@ in
    # nameservers = [ "10.0.0.4" ];

    # dhcpcd.extraConfig = "nohook resolv.conf";
-    
+
    firewall = {
      allowedTCPPorts = [ nodes.sin.config.services.gitea.settings.server.SSH_PORT ];
    };
@@ -37,18 +44,23 @@ in
      enable = true;
      internalInterfaces = [ "enp1s0" ];
      externalInterface = "enp1s0";
-      forwardPorts = [ {
-        # TODO refactor this in the gitea/n100 module
-        sourcePort = nodes.sin.config.services.gitea.settings.server.SSH_PORT;
-        proto = "tcp";
-        destination = "${sin-address}:22";  
-      } ];
+      forwardPorts = [
+        {
+          # TODO refactor this in the gitea/n100 module
+          sourcePort = nodes.sin.config.services.gitea.settings.server.SSH_PORT;
+          proto = "tcp";
+          destination = "${sin-address}:22";
+        }
+      ];
    };
  };

  time.timeZone = "Europe/Paris";

-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
  nixpkgs.config.allowUnfree = true;

  users.users.n100 = {
@@ -57,16 +69,19 @@ in
    packages = with pkgs; [
    ];

-    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKsu+4S+BHmypQTq2IR9y+ihvbF7sXbBznKtIjVAeHJ1 shobu@nixos" ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKsu+4S+BHmypQTq2IR9y+ihvbF7sXbBznKtIjVAeHJ1 shobu@nixos"
+    ];
  };

  users.users.root = {
-    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKsu+4S+BHmypQTq2IR9y+ihvbF7sXbBznKtIjVAeHJ1 shobu@nixos" ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKsu+4S+BHmypQTq2IR9y+ihvbF7sXbBznKtIjVAeHJ1 shobu@nixos"
+    ];
  };

-
  environment.systemPackages = with pkgs; [
-    lunarvim 
+    lunarvim
    wget
    httpie
    tmux
@@ -112,4 +127,3 @@ in
  system.stateVersion = "24.11"; # Did you read the comment?

 }
-
--- a/hosts/thea/cybercoffee/default.nix
+++ b/hosts/thea/cybercoffee/default.nix
@@ -1,4 +1,4 @@
-{pkgs, ...}:
+{ pkgs, ... }:
 {
  imports = [
    ./halflife.nix
--- a/hosts/thea/cybercoffee/halflife.nix
+++ b/hosts/thea/cybercoffee/halflife.nix
@@ -1,2 +1 @@
-
-{...}: {}
+{ ... }: { }
--- a/hosts/thea/flake.nix
+++ b/hosts/thea/flake.nix
@@ -12,23 +12,24 @@
  };

  # Flake outputs
-  outputs = inputs@{
-    self,
-    nixpkgs,
-    nix-minecraft,
-    shoblog-front,
-    striped-front,
-    striped-back,
-    ...
-  }:
-  {
-    nixosConfigurations.n100 = nixpkgs.lib.nixosSystem {
-      system = "x86_64-linux";
-      specialArgs = { inherit inputs; };
-      modules = [
-        ./configuration.nix
-        ./hardware-configuration.nix
-      ];
+  outputs =
+    inputs@{
+      self,
+      nixpkgs,
+      nix-minecraft,
+      shoblog-front,
+      striped-front,
+      striped-back,
+      ...
+    }:
+    {
+      nixosConfigurations.n100 = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        specialArgs = { inherit inputs; };
+        modules = [
+          ./configuration.nix
+          ./hardware-configuration.nix
+        ];
+      };
    };
-  };
 }
--- a/hosts/thea/hardware-configuration.nix
+++ b/hosts/thea/hardware-configuration.nix
@@ -1,47 +1,61 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:

 {
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];

-  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" "sdhci_pci" ];
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "ahci"
+    "sd_mod"
+    "sdhci_pci"
+  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];

-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc";
-      fsType = "btrfs";
-      options = [ "subvol=root" ];
-    };
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc";
+    fsType = "btrfs";
+    options = [ "subvol=root" ];
+  };

-  fileSystems."/nix" =
-    { device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc";
-      fsType = "btrfs";
-      options = [ "subvol=nix" ];
-    };
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc";
+    fsType = "btrfs";
+    options = [ "subvol=nix" ];
+  };

-  fileSystems."/home" =
-    { device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc";
-      fsType = "btrfs";
-      options = [ "subvol=home" ];
-    };
+  fileSystems."/home" = {
+    device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc";
+    fsType = "btrfs";
+    options = [ "subvol=home" ];
+  };

-  fileSystems."/swap" =
-    { device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc";
-      fsType = "btrfs";
-      options = [ "subvol=swap" ];
-    };
+  fileSystems."/swap" = {
+    device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc";
+    fsType = "btrfs";
+    options = [ "subvol=swap" ];
+  };

-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/D1B9-8019";
-      fsType = "vfat";
-      options = [ "fmask=0077" "dmask=0077" ];
-    };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/D1B9-8019";
+    fsType = "vfat";
+    options = [
+      "fmask=0077"
+      "dmask=0077"
+    ];
+  };

  swapDevices = [ ];

--- a/hosts/thea/nix-serve.nix
+++ b/hosts/thea/nix-serve.nix
@@ -0,0 +1,12 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+{
+  services.nix-serve = {
+    enable = true;
+    secretKeyFile = config.age.secrets.cache-privkey.path;
+  };
+}
--- a/hosts/thea/ollama.nix
+++ b/hosts/thea/ollama.nix
@@ -1,4 +1,5 @@
-{inputs, ...}: {
+{ inputs, ... }:
+{
  # virtualisation.docker = {
  #   enable = true;
  #   storageDriver = "btrfs";
--- a/hosts/thea/ressources/cache/pubkey.pem
+++ b/hosts/thea/ressources/cache/pubkey.pem
@@ -0,0 +1 @@
+localhost:TiRpr2LzamX/MCKBUmFlZ8inWz94QWGL88fMEHg9Kgc=
--- a/hosts/thea/secrets/cache-privkey.age
+++ b/hosts/thea/secrets/cache-privkey.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 EVanKw DJoF2jaBg5Z2tF8NOqAXbNK3pODj8vEmgQ2bs3iaV0I
+rO+6V0JmPnygEqsnblNwhZBHmsAjLaWgdNd/l2veeYg
+-> ssh-ed25519 /uqj4A WW3yjXkYtKbXrANeNCctcNZTNg31LAm3wpaVCXsroA4
+fF1mt83MNX5aHpukk2t0vE49wEwiqOlRxMoAxouYJVQ
+--- cHVG1C71ko8ZNUMRoaLkw6zmAAjVvPaS5j/hr/P7Xoc
+Áq <EFBFBD>c6ªXHNm5.0šÌ<EFBFBD>²ô-âa¶Ä—!¦k]áÚi§‘Bæ†ÚŠù÷]”ãÖR2›èñ†ñj_ƒ²QzHºDCá‹²¡!¨dÿË°bUB®¥îµS›€=fwÿÌ›
+›ËÁsö†ò<E280A0>Ä0)¢Á”*€ªKÙÅO¾ÂÈî§Ð½
--- a/hosts/thea/secrets/default.nix
+++ b/hosts/thea/secrets/default.nix
@@ -0,0 +1,9 @@
+{ ... }:
+{
+  age.secrets = {
+    cache-privkey = {
+      file = ./cache-privkey.age;
+      mode = "700";
+    };
+  };
+}
--- a/hosts/thea/shares.nix
+++ b/hosts/thea/shares.nix
@@ -1,4 +1,5 @@
-{...}: let
+{ ... }:
+let
  sin-address = "192.168.1.14";
 in
 {
--- a/hosts/thea/striped/back.nix
+++ b/hosts/thea/striped/back.nix
@@ -1,11 +1,12 @@
-{inputs, ...}:
+{ inputs, ... }:
 let
  striped-back = inputs.striped-back;
-in {
+in
+{
  imports = [
    striped-back.nixosModules.default
  ];
-  
+
  services.striped-back-api = {
    enable = true;

@@ -17,7 +18,7 @@ in {
    socket.enable = true;

    settings.django = {
-      allowed-hosts = ["striped-api.shobu.fr"];
+      allowed-hosts = [ "striped-api.shobu.fr" ];
      debug = true;
      databases = {
        default = {
--- a/hosts/thea/striped/default.nix
+++ b/hosts/thea/striped/default.nix
@@ -1,4 +1,5 @@
-{striped-back, striped-front, ...}:{
+{ striped-back, striped-front, ... }:
+{
  imports = [
    ./back.nix
  ];
--- a/modules/gitea/sin/default.nix
+++ b/modules/gitea/sin/default.nix
@@ -1,6 +1,8 @@
-{lib, ...}: let
+{ lib, ... }:
+let
  ssh_port = 24658;
-in {
+in
+{
  services = {
    gitea = {
      enable = true;
@@ -16,7 +18,7 @@ in {
        };
        actions = {
          ENABLED = true;
-        };      
+        };
      };
    };
  };
				`@@ -0,0 +1 @@`
				`localhost:TiRpr2LzamX/MCKBUmFlZ8inWz94QWGL88fMEHg9Kgc=`