sin_serhao/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: sin_serhao:authelia
Branches Tags
sin_serhao:master sin_serhao:authelia sin_serhao:disk sin_serhao:test-deploy
..
compare: sin_serhao:406be9b81abd0303e599e376f86c4ae1e916c225
Branches Tags
sin_serhao:master sin_serhao:authelia sin_serhao:disk sin_serhao:test-deploy

1 Commits
authelia ... 406be9b81a

Author SHA1 Message Date
shobu
406be9b81a store path to docker exec and correct key in gitea runner conf
Some checks failed
/ perform flake analysis (push) Successful in 1m18s
Details
/ build hive configuration (push) Failing after 1m15s
Details
2025-12-24 17:56:00 +01:00
40 changed files with 287 additions and 868 deletions
Expand all files Collapse all files

21
.gitea/workflows/deploy.yaml
View File

@@ -5,33 +5,14 @@ on:
jobs: jobs:
deploy: deploy:
container:
volumes:
- /nix/store:/var/nix/hosted-store
permissions: permissions:
contents: read contents: read
id-token: write id-token: write
name: build hive configuration name: build hive configuration
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- uses: actions/checkout@v4
- name: setup
env:
CACHE_PRIVKEY: ${{secrets.CACHE_PRIVKEY}}
shell: bash
run: |
mkdir -p /var/secrets/
echo "$CACHE_PRIVKEY" >> /var/secrets/cache_privkey
mkdir -p /etc/nix
cp ./scripts/upload-to-cache.sh /etc/nix/
chmod +x /etc/nix/upload-to-cache.sh
- uses: cachix/install-nix-action@v31 - uses: cachix/install-nix-action@v31
with: - uses: actions/checkout@v4
extra_nix_config: |
extra-trusted-public-keys = localhost:TiRpr2LzamX/MCKBUmFlZ8inWz94QWGL88fMEHg9Kgc=
extra-substituters = "local?store=/var/nix/hosted-store&priority=20"
secret-key-files = /var/secrets/cache_privkey
post-build-hook = /etc/nix/upload-to-cache.sh
- name: Install SSH key - name: Install SSH key
uses: shimataro/ssh-key-action@v2 uses: shimataro/ssh-key-action@v2
with: with:

30
flake.lock generated
View File

@@ -49,11 +49,11 @@
"nixpkgs": "nixpkgs_3" "nixpkgs": "nixpkgs_3"
}, },
"locked": { "locked": {
"lastModified": 1768336726, "lastModified": 1762095388,
"narHash": "sha256-Os4qn0S0bv7MauXGz16ozyOYZuMrA2FJuXNjDnr5yps=", "narHash": "sha256-7Q8LtcvKWHbP8znARRTOY2tpU5WoV6FHwp5TZJOI8Us=",
"owner": "9001", "owner": "9001",
"repo": "copyparty", "repo": "copyparty",
"rev": "c46cd7f57a8ae3b121866485c91ec078c4dd970e", "rev": "ac085b8149ff50e03d260128596dd130ed1c7cae",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -91,11 +91,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1766150702, "lastModified": 1762276996,
"narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=", "narHash": "sha256-TtcPgPmp2f0FAnc+DMEw4ardEgv1SGNR3/WFGH0N19M=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378", "rev": "af087d076d3860760b3323f6b583f4d828c1ac17",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -233,11 +233,11 @@
"nixpkgs": "nixpkgs_4" "nixpkgs": "nixpkgs_4"
}, },
"locked": { "locked": {
"lastModified": 1767838769, "lastModified": 1762826586,
"narHash": "sha256-KCLU6SUU80tEBKIVZsBrSjRYX6kn1eVIYI3fEEqOp24=", "narHash": "sha256-KlPcXOxxyv+KNcf7yNFQ4DGVFbOpITqHfvMcAUYrL7E=",
"owner": "Infinidoge", "owner": "Infinidoge",
"repo": "nix-minecraft", "repo": "nix-minecraft",
"rev": "4da21f019f6443f513f16af7f220ba4db1cdfc04", "rev": "1a4fa22ec6e9f2ece24fca273352463b75f6f7c0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -311,11 +311,11 @@
}, },
"nixpkgs_5": { "nixpkgs_5": {
"locked": { "locked": {
"lastModified": 1767313136, "lastModified": 1762756533,
"narHash": "sha256-16KkgfdYqjaeRGBaYsNrhPRRENs0qzkQVUooNHtoy2w=", "narHash": "sha256-HiRDeUOD1VLklHeOmaKDzf+8Hb7vSWPVFcWwaTrpm+U=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "ac62194c3917d5f474c1a844b6fd6da2db95077d", "rev": "c2448301fb856e351aab33e64c33a3fc8bcf637d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -452,11 +452,11 @@
}, },
"unstable": { "unstable": {
"locked": { "locked": {
"lastModified": 1768127708, "lastModified": 1762596750,
"narHash": "sha256-1Sm77VfZh3mU0F5OqKABNLWxOuDeHIlcFjsXeeiPazs=", "narHash": "sha256-rXXuz51Bq7DHBlfIjN7jO8Bu3du5TV+3DSADBX7/9YQ=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "ffbc9f8cbaacfb331b6017d5a5abb21a492c9a38", "rev": "b6a8526db03f735b89dd5ff348f53f752e7ddc8e",
"type": "github" "type": "github"
}, },
"original": { "original": {

170
flake.nix
View File

@@ -18,31 +18,32 @@
nix-minecraft.url = "github:Infinidoge/nix-minecraft"; nix-minecraft.url = "github:Infinidoge/nix-minecraft";
testing-grounds.url = "gitlab:shobu13/testing-grounds"; testing-grounds.url = "gitlab:shobu13/testing-grounds";
shoblog-front.url = "gitlab:shobu13/shoblog"; shoblog-front.url = "gitlab:shobu13/shoblog";
# striped-front.url = "git+ssh://git@gitlab.com/striped1/striped-front";
# striped-back.url = "git+ssh://git@gitlab.com/striped1/striped-back";
copyparty.url = "github:9001/copyparty"; copyparty.url = "github:9001/copyparty";
}; };
# Flake outputs # Flake outputs
outputs = outputs = inputs@{
inputs@{ self,
self,
nixpkgs,
unstable,
colmena,
nixpkgs, agenix,
unstable,
colmena,
agenix, disko,
disko, shoblog-front,
# striped-front,
shoblog-front, # striped-back,
# striped-front, nix-minecraft,
# striped-back, testing-grounds,
nix-minecraft, copyparty,
testing-grounds, ...
copyparty,
...
}: }:
let let
# The systems supported for this flake # The systems supported for this flake
@@ -51,41 +52,16 @@
]; ];
# Helper to provide system-specific attributes # Helper to provide system-specific attributes
forEachSupportedSystem = forEachSupportedSystem = f: inputs.nixpkgs.lib.genAttrs supportedSystems (system: f {
f: pkgs = import inputs.nixpkgs { inherit system; };
inputs.nixpkgs.lib.genAttrs supportedSystems ( });
system:
f {
pkgs = import inputs.nixpkgs { inherit system; };
}
);
in in
{ {
nixosConfigurations = {
sin = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
disko.nixosModules.disko
agenix.nixosModules.default
./hosts/sin/configuration.nix
./hosts/sin/hardware-configuration.nix
]
++ [
# modules
./modules/gitea/sin
];
specialArgs = {
inherit inputs;
};
};
};
colmenaHive = colmena.lib.makeHive { colmenaHive = colmena.lib.makeHive {
meta = { meta = {
nixpkgs = import nixpkgs { nixpkgs = import nixpkgs {
system = "x86_64-linux"; system = "x86_64-linux";
overlays = [ ]; overlays = [];
}; };
specialArgs = { specialArgs = {
@@ -93,75 +69,49 @@
}; };
}; };
thea = thea = {name, nodes, pkgs, ...}: {
{ imports = [
name, ./hosts/${name}/configuration.nix
nodes, ./hosts/${name}/hardware-configuration.nix
pkgs, ] ++ [
... # modules
}: ./modules/gitea/${name}
{ ];
imports = [
agenix.nixosModules.default
./hosts/${name}/configuration.nix
./hosts/${name}/hardware-configuration.nix
]
++ [
# modules
./modules/gitea/${name}
];
deployment.targetHost = "192.168.1.12"; deployment.targetHost = "192.168.1.12";
}; };
sin = sin = {name, nodes, pkgs, ...}: {
{ imports = [
name, disko.nixosModules.disko
nodes, agenix.nixosModules.default
pkgs, ./hosts/${name}/configuration.nix
... ./hosts/${name}/hardware-configuration.nix
}: ] ++ [
{ # modules
imports = [ ./modules/gitea/${name}
disko.nixosModules.disko ];
agenix.nixosModules.default
./hosts/${name}/configuration.nix
./hosts/${name}/hardware-configuration.nix
]
++ [
# modules
./modules/gitea/${name}
];
deployment.targetHost = "192.168.1.14"; deployment.targetHost = "192.168.1.14";
deployment.allowLocalDeployment = true; };
};
}; };
devShells = forEachSupportedSystem ( devShells = forEachSupportedSystem ({ pkgs }: {
{ pkgs }: default = pkgs.mkShell {
{ # The Nix packages provided in the environment
default = pkgs.mkShell { # Add any you need here
# The Nix packages provided in the environment packages = with pkgs; [ colmena.packages.${pkgs.system}.colmena ];
# Add any you need here
packages = with pkgs; [
colmena.packages.${pkgs.stdenv.system}.colmena
agenix.packages.${pkgs.stdenv.system}.agenix
];
# Set any environment variables for your dev shell # Set any environment variables for your dev shell
env = { }; env = { };
# Add any shell logic you want executed any time the environment is activated # Add any shell logic you want executed any time the environment is activated
shellHook = ''''; shellHook = ''
}; '';
} };
); });
packages = forEachSupportedSystem ( packages = forEachSupportedSystem ({pkgs}: {
{ pkgs }: inherit (colmena.packages."${pkgs.system}") colmena;
{ });
inherit (colmena.packages."${pkgs.system}") colmena;
}
);
}; };
} }

1
hosts/sin/configuration.nix
View File

@@ -17,7 +17,6 @@
./secrets.nix ./secrets.nix
./coredns ./coredns
./copyparty.nix ./copyparty.nix
# ./trilium.nix
]; ];
boot.initrd.kernelModules = [ "usb_storage" ]; boot.initrd.kernelModules = [ "usb_storage" ];

48
hosts/sin/copyparty.nix
View File

@@ -1,9 +1,4 @@
{ { inputs, pkgs, config, ... }:
inputs,
pkgs,
config,
...
}:
{ {
imports = [ inputs.copyparty.nixosModules.default ]; imports = [ inputs.copyparty.nixosModules.default ];
nixpkgs.overlays = [ inputs.copyparty.overlays.default ]; nixpkgs.overlays = [ inputs.copyparty.overlays.default ];
@@ -27,48 +22,11 @@
shr = "/shares"; shr = "/shares";
}; };
accounts = {
serhao = {
passwordFile = config.age.secrets.copyparty-serhao.path;
};
};
volumes = { volumes = {
"/movies" = { "/media" = {
path = "/mnt/mediacenter/media/movies";
access = {
r = "*";
};
};
"/shows" = {
path = "/mnt/mediacenter/media/shows";
access = {
r = "*";
};
};
"/musics" = {
path = "/mnt/mediacenter/media/musics";
access = {
r = "*";
};
};
"/mediacenter" = {
path = "/mnt/mediacenter/media"; path = "/mnt/mediacenter/media";
access = { access = {
rw = ["serhao"]; r = "*";
};
flags = {
e2d = true;
};
};
"/data" = {
path = "/mnt/data";
access = {
rwd = ["serhao"];
};
flags = {
e2d = true;
}; };
}; };
}; };

5
hosts/sin/coredns/default.nix
View File

@@ -1,5 +1,4 @@
{ ... }: {...}: {
{
services.coredns = { services.coredns = {
enable = false; enable = false;
config = '' config = ''
@@ -9,7 +8,7 @@
cache cache
file ${./db.homelab.local} file ${./db.homelab.local}
} }
. { . {
forward . 8.8.8.8 forward . 8.8.8.8
log log

45
hosts/sin/flake.nix
View File

@@ -14,15 +14,7 @@
}; };
# Flake outputs # Flake outputs
outputs = outputs = inputs@{ self, nixpkgs, disko, unstable, agenix, ... }:
inputs@{
self,
nixpkgs,
disko,
unstable,
agenix,
...
}:
let let
# The systems supported for this flake # The systems supported for this flake
supportedSystems = [ supportedSystems = [
@@ -30,14 +22,9 @@
]; ];
# Helper to provide system-specific attributes # Helper to provide system-specific attributes
forEachSupportedSystem = forEachSupportedSystem = f: nixpkgs.lib.genAttrs supportedSystems (system: f {
f: pkgs = import nixpkgs { inherit system; };
nixpkgs.lib.genAttrs supportedSystems ( });
system:
f {
pkgs = import nixpkgs { inherit system; };
}
);
in in
{ {
nixosConfigurations.zimablade = nixpkgs.lib.nixosSystem { nixosConfigurations.zimablade = nixpkgs.lib.nixosSystem {
@@ -53,21 +40,15 @@
}; };
}; };
devShells = forEachSupportedSystem ( devShells = forEachSupportedSystem ({ pkgs }: {
{ pkgs }: default = pkgs.mkShell {
{ # The Nix packages provided in the environment
default = pkgs.mkShell { # Add any you need here
# The Nix packages provided in the environment packages = with pkgs; [ pkgs.disko nixos-anywhere ];
# Add any you need here
packages = with pkgs; [
pkgs.disko
nixos-anywhere
];
# Add any shell logic you want executed any time the environment is activated # Add any shell logic you want executed any time the environment is activated
shellHook = ''''; shellHook = '''';
}; };
} });
);
}; };
} }

3
hosts/sin/glances.nix
View File

@@ -1,5 +1,4 @@
{ ... }: {...}: {
{
services.glances = { services.glances = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;

65
hosts/sin/hardware-configuration.nix
View File

@@ -1,39 +1,26 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ { config, lib, pkgs, modulesPath, ... }:
config,
lib, {
pkgs, imports =
modulesPath, [ (modulesPath + "/installer/scan/not-detected.nix")
... ];
}:
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci" ];
{ boot.initrd.kernelModules = [ ];
imports = [ boot.kernelModules = [ "kvm-intel" ];
(modulesPath + "/installer/scan/not-detected.nix") boot.extraModulePackages = [ ];
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
boot.initrd.availableKernelModules = [ # (the default) this is the recommended approach. When using systemd-networkd it's
"ahci" # still possible to use this option, but it's recommended to use it in conjunction
"xhci_pci" # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
"usb_storage" networking.useDHCP = lib.mkDefault true;
"usbhid" # networking.interfaces.enp0s21f0u3u4.useDHCP = lib.mkDefault true;
"sd_mod" # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
"sdhci_pci"
]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
boot.initrd.kernelModules = [ ]; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
boot.kernelModules = [ "kvm-intel" ]; }
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s21f0u3u4.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

9
hosts/sin/homepage.nix
View File

@@ -117,15 +117,6 @@
}; };
}; };
} }
{
"reclamation" = {
description = "bring back your world to life";
widget = {
type = "minecraft";
url = "udp://minecraft.shobu.fr:25665";
};
};
}
]; ];
} }
{ {

68
hosts/sin/jellyfin.nix
View File

@@ -1,8 +1,6 @@
{ pkgs, inputs, ... }: {pkgs, inputs, ...}: let
let
unstable = import inputs.unstable { system = pkgs.system; }; unstable = import inputs.unstable { system = pkgs.system; };
in in {
{
nixpkgs.config.packageOverrides = pkgs: { nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
}; };
@@ -29,63 +27,28 @@ in
extraGroups = [ "jellyfin" ]; extraGroups = [ "jellyfin" ];
}; };
users.users.sonarr.extraGroups = [ users.users.sonarr.extraGroups = ["jellyfin" "radarr" "transmission" "starr"];
"jellyfin" users.users.radarr.extraGroups = ["jellyfin" "sonarr" "transmission" "starr"];
"radarr" users.users.bazarr.extraGroups = ["jellyfin" "sonarr" "transmission" "starr" "radarr"];
"transmission" users.users.lidarr.extraGroups = ["jellyfin" "starr" "transmission"];
"starr"
]; users.users.shobu.extraGroups = [ "jellyfin" "starr" "transmission" "radarr" "sonarr" ];
users.users.radarr.extraGroups = [
"jellyfin"
"sonarr"
"transmission"
"starr"
];
users.users.bazarr.extraGroups = [
"jellyfin"
"sonarr"
"transmission"
"starr"
"radarr"
];
users.users.lidarr.extraGroups = [
"jellyfin"
"starr"
"transmission"
];
users.users.whisparr.extraGroups = [
"jellyfin"
"starr"
"transmission"
];
users.users.shobu.extraGroups = [
"jellyfin"
"starr"
"transmission"
"radarr"
"sonarr"
];
users.groups = { users.groups = {
starr = { }; starr = {};
}; };
services = { services = {
jellyfin = { jellyfin = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
}; };
sonarr = { sonarr = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
group = "starr"; group = "starr";
settings = {
authentication.AuthenticationMethod = "external";
authentication.AuthenticationType = "enabled";
};
}; };
radarr = { radarr = {
enable = true; enable = true;
@@ -103,12 +66,9 @@ in
lidarr = { lidarr = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
package = unstable.lidarr;
}; };
whisparr = {
enable = true;
openFirewall = true;
};
jellyseerr = { jellyseerr = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;

45
hosts/sin/luks-btrfs-raid.nix
View File

@@ -1,5 +1,4 @@
{ ... }: {...}: {
{
disko.devices = { disko.devices = {
disk = { disk = {
# Devices will be mounted and formatted in alphabetical order, and btrfs can only mount raids # Devices will be mounted and formatted in alphabetical order, and btrfs can only mount raids
@@ -7,7 +6,7 @@
# and the actual btrfs raid on the second disk, and the name of these entries matters! # and the actual btrfs raid on the second disk, and the name of these entries matters!
system = { system = {
type = "disk"; type = "disk";
device = "/dev/sdb"; device = "/dev/mmcblk0";
content = { content = {
type = "gpt"; type = "gpt";
partitions = { partitions = {
@@ -42,10 +41,6 @@
"/root" = { "/root" = {
mountpoint = "/"; mountpoint = "/";
}; };
"/nix" = {
mountpoint = "/nix";
mountOptions = [ "compress=zstd:3" ];
};
}; };
}; };
}; };
@@ -54,17 +49,39 @@
}; };
}; };
data = { data1 = {
type = "disk"; type = "disk";
device = "/dev/sda"; device = "/dev/sda";
content = { content = {
type = "gpt"; type = "gpt";
partitions = { partitions = {
crypt_p = { crypt_p1 = {
size = "100%"; size = "100%";
content = { content = {
type = "luks"; type = "luks";
name = "p_data"; name = "p_data1"; # device-mapper name when decrypted
# Remove settings.keyFile if you want to use interactive password entry
settings = {
allowDiscards = true;
keyFile = "/dev/disk/by-uuid/2021-07-11-12-33-27-00";
keyFileSize = 4096;
};
};
};
};
};
};
data2 = {
type = "disk";
device = "/dev/sdb";
content = {
type = "gpt";
partitions = {
crypt_p2 = {
size = "100%";
content = {
type = "luks";
name = "p_data2";
# Remove settings.keyFile if you want to use interactive password entry # Remove settings.keyFile if you want to use interactive password entry
settings = { settings = {
allowDiscards = true; allowDiscards = true;
@@ -73,11 +90,19 @@
}; };
content = { content = {
type = "btrfs"; type = "btrfs";
extraArgs = [
"-d raid0"
"/dev/mapper/p_data1" # Use decrypted mapped device, same name as defined in disk1
];
subvolumes = { subvolumes = {
"/" = { "/" = {
mountpoint = "/mnt/fs"; mountpoint = "/mnt/fs";
mountOptions = [ "compress=zstd:3" ]; mountOptions = [ "compress=zstd:3" ];
}; };
"/nix" = {
mountpoint = "/nix";
mountOptions = [ "compress=zstd:3" ];
};
"/data" = { "/data" = {
mountpoint = "/mnt/data"; mountpoint = "/mnt/data";

14
hosts/sin/matrix.nix
View File

@@ -1,4 +1,4 @@
{ pkgs, config, ... }: {pkgs, config, ...}:
{ {
users.users = { users.users = {
postgres = { postgres = {
@@ -26,10 +26,7 @@
''; '';
}; };
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [ 8008 8448 ];
8008
8448
];
services.matrix-synapse = { services.matrix-synapse = {
enable = true; enable = true;
@@ -42,16 +39,13 @@
listeners = [ listeners = [
{ {
port = 8008; port = 8008;
bind_addresses = [ "0.0.0.0" ]; bind_addresses = ["0.0.0.0"];
type = "http"; type = "http";
tls = false; tls = false;
x_forwarded = true; x_forwarded = true;
resources = [ resources = [
{ {
names = [ names = [ "client" "federation" ];
"client"
"federation"
];
compress = true; compress = true;
} }
]; ];

20
hosts/sin/secrets.nix
View File

@@ -1,5 +1,4 @@
{ ... }: {...}: {
{
age.secrets = { age.secrets = {
# captcha = { # captcha = {
# file = ./secrets/matrix_captcha.age; # file = ./secrets/matrix_captcha.age;
@@ -10,22 +9,5 @@
file = ./secrets/airvpn_wireguard_key_env.age; file = ./secrets/airvpn_wireguard_key_env.age;
mode = "700"; mode = "700";
}; };
copyparty-serhao = {
file = ./secrets/copyparty-serhao.age;
mode = "700";
owner = "copyparty";
};
authelia-jwt = {
file = ./secrets/authelia-jwt.age;
mode = "700";
};
authelia-encryption = {
file = ./secrets/authelia-encryption.age;
mode = "700";
};
authelia-session = {
file = ./secrets/authelia-session.age;
mode = "700";
};
}; };
} }

7
hosts/sin/secrets/authelia-encryption.age
View File

@@ -1,7 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 /uqj4A L95rgX9APIgoMvkplZIYgMQDhKBOsPGOw/maymMhiks
LNfa/YBCd84iknAMk4wbQps4KMXCvrhPp2d9KkhJWHI
-> ssh-ed25519 NoSl6Q G/y6DUFTyV6Jy6KHo8yc+xxtu3aJtTOF3Ldmxq3FmyE
FOExj321S/VIPQ/qdvZBcJ930HI/GsjDVjJp9WMSXLA
--- iIpq/CWng+4+kQbvJQb/qgejr/eza94wCkegEJ2dvno
ÿNôU*1=DÔOˆ£W6]_â©Kà=©Þký¦_ù˜Ýøɇ™tmË•ãw°

7
hosts/sin/secrets/authelia-jwt.age
View File

@@ -1,7 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 /uqj4A i6SPCzjkGrPMjhC9NQDdYTk3fzXoD4OSQdhS1togN0A
Lqus8sROz1O4EepauPwC4RX/qH+SnDiL2H5iZGtAhXo
-> ssh-ed25519 NoSl6Q LxV4a5HiB6qfPjbba75dkVVECzaqrMjksMXHh53JbGQ
x4POzurz+J2mymT81M+cu69Iv/MeiYt+JvaRteinm5Q
--- OFqooyZ2HPBxP756PqpgJAyVOTkqhJ0LhEQsLJBZUtE
—>»&Ȇw·\D„Au{õz{CˆÁ~á$_ˆ9»¢ZZ<5A>U^„ÎÊL!(lnпÂó‰Üv{fdº ß l¢,<2C>|<7C>Ü.¤çH«¤³êVaù¥ÍÓˆ™PêwOo

7
hosts/sin/secrets/authelia-session.age
View File

@@ -1,7 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 /uqj4A eff535EaT7gEZOacWx9raBJMdd4PPd9+y6Y3eOt1wBI
5P4aefjWVJ4L11ff+Cg8j3gQ58I+agDPUMFWiCaL/sQ
-> ssh-ed25519 NoSl6Q 3+EZtaiiZQk7JK6zCNo/nUSSRAJzf8nal2X1sFkYmxo
f5gzpiOtCbYdiV7vOxfZvJPRmRruTbHg6T8g0r5JRgc
--- BBL3wE2eSmHVI4tlhq+5fy84cauw6P6G69nFXuObLKE
êéæí @[¡SÓcñ<C3B1>SyÉŠ‡<; í†<C3AD>Ë茟<C592><C5B8>§(°Æž1\Yjȯ½½4åõ Ýȹ.3>Â[Èq¢Jh 8í·šÕVt”øX[Ì~[(#^_5€§<E282AC>

7
hosts/sin/secrets/copyparty-serhao.age
View File

@@ -1,7 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 BoEq8A O6x9n4kvpqLucX7NuNeD2SsMmvT5n6aVYwo4nQt21H8
R+4g1QuXtxovyv5Mav+mAhgGjOcGQW4q17FSBtzXZQo
-> ssh-ed25519 NoSl6Q iKPipXfIGWxUobXF/9CSRhc/zKgmKKWWZhDTDgX0jWA
LB4TFCdbEG0VToYzTWdFedd0duF5PKlCnpBs4nBbLAQ
--- D7VE3Mwgx9ehk5rNuHm62S5ggQBm9wJodZa61jLEVsY
8ÔîÐÄÒë`S«šéT¯Fª9&(½Ú²Á‡¸=~Ïáš­où».XŽ¶ž7ðV&'Øøå ÒÔ¸‹%ã î

45
hosts/sin/transmission.nix
View File

@@ -1,9 +1,4 @@
{ { config, nixpkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
{ {
users.users."starr" = { users.users."starr" = {
@@ -20,22 +15,22 @@
transmission.gid = 989; transmission.gid = 989;
}; };
# systemd.services = { systemd.services = {
# docker-transmission-network = { docker-transmission-network = {
# after = [ after = [
# "network.target" "network.target"
# "docker-gluetun.service" "docker-gluetun.service"
# "docker-transmission.service" "docker-transmission.service"
# ]; ];
# wantedBy = [ wantedBy = [
# "docker-gluetun.service" "docker-gluetun.service"
# "docker-transmission.service" "docker-transmission.service"
# ]; ];
# serviceConfig = { serviceConfig = {
# ExecStart = "${lib.getExe pkgs.docker} network create docker-transmission; exit 0"; ExecStart = "${lib.getExe nixpkgs.docker} network create docker-transmission";
# }; };
# }; };
# }; };
virtualisation.oci-containers = virtualisation.oci-containers =
let let
@@ -45,7 +40,7 @@
backend = "docker"; backend = "docker";
containers = { containers = {
gluetun = { gluetun = {
image = "qmcgaw/gluetun"; image = "qmcgasw/gluetun";
environment = { environment = {
VPN_SERVICE_PROVIDER = "airvpn"; VPN_SERVICE_PROVIDER = "airvpn";
VPN_TYPE = "wireguard"; VPN_TYPE = "wireguard";
@@ -61,7 +56,7 @@
extraOptions = [ extraOptions = [
"--cap-add=NET_ADMIN" "--cap-add=NET_ADMIN"
"--device=/dev/net/tun" "--device=/dev/net/tun"
# "--network=docker-transmission" "--network=docker-transmission"
]; ];
ports = [ ports = [
"13277:13277" "13277:13277"
@@ -82,7 +77,7 @@
"gluetun" "gluetun"
]; ];
extraOptions = [ extraOptions = [
"--network=container:gluetun" "--network=docker-transmission"
]; ];
environment = { environment = {
PUID = toString config.users.users.transmission.uid; PUID = toString config.users.users.transmission.uid;

1
hosts/sin/trilium.nix
View File

@@ -1 +0,0 @@
{ ... }: { }

126
hosts/thea/authelia.nix
View File

@@ -1,126 +0,0 @@
{
pkgs,
config,
lib,
...
}:
let
cfg = config.services.authelia.instances.main;
dataDir = "/var/lib/authelia-${cfg.name}";
authelia-snippets = pkgs.callPackage ./lib/autheliaSnippets.nix { inherit pkgs; };
in
{
services.authelia.instances = {
main = {
enable = true;
secrets = {
jwtSecretFile = config.age.secrets.authelia-jwt.path;
storageEncryptionKeyFile = config.age.secrets.authelia-encryption.path;
sessionSecretFile = config.age.secrets.authelia-session.path;
};
settings = {
theme = "light";
log.level = "debug";
authentication_backend = {
file = {
path = dataDir + "/users.yml";
};
};
storage = {
local = {
path = dataDir + "/db.sqlite3";
};
};
session = {
cookies = [
{
domain = "shobu.fr";
authelia_url = "https://auth.shobu.fr";
default_redirection_url = "https://shobu.fr";
}
];
};
notifier = {
filesystem = {
filename = "${dataDir}/notification.txt";
};
};
access_control = {
default_policy = "deny";
rules = [
{
domain = "radarr.shobu.fr";
policy = "bypass";
}
{
domain = "*.shobu.fr";
policy = "one_factor";
}
];
};
server = {
endpoints = {
authz = {
auth-request = {
implementation = "AuthRequest";
};
};
};
};
};
};
};
# systemd.tmpfiles.rules = lib.mkIf cfg.enable [
# "d '${dataDir}' 0700 ${cfg.user} ${cfg.group} - -"
# ];
age.secrets = {
authelia-jwt = {
owner = cfg.user;
file = ./secrets/authelia-jwt.age;
mode = "700";
};
authelia-encryption = {
owner = cfg.user;
file = ./secrets/authelia-encryption.age;
mode = "700";
};
authelia-session = {
owner = cfg.user;
file = ./secrets/authelia-session.age;
mode = "700";
};
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts."auth.shobu.fr" =
let
upstream = "http://thea:9091";
in
{
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = upstream;
extraConfig = ''
error_log /var/log/nginx/debug_authelia.log debug;
include ${authelia-snippets.proxy};
set $upstream ${upstream};
'';
};
locations."/api/verify" = {
proxyPass = upstream;
};
locations."/api/authz" = {
proxyPass = upstream;
};
};
};
}

68
hosts/thea/configuration.nix
View File

@@ -2,26 +2,20 @@
# your system. Help is available in the configuration.nix(5) man page, on # your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{ { config, lib, pkgs, nodes, ... }:let
config,
lib,
pkgs,
nodes,
...
}:
let
sin-address = "192.168.1.14"; sin-address = "192.168.1.14";
in in
{ {
imports = [ imports =
./nginx.nix [
# ./cybercoffee ./nginx.nix
./ollama.nix # ./striped
./minecraft.nix # ./cybercoffee
./secrets ./ollama.nix
./authelia.nix ./minecraft.nix
]; # ./shares.nix
];
# Use the systemd-boot EFI boot loader. # Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
@@ -35,38 +29,26 @@ in
# nameservers = [ "10.0.0.4" ]; # nameservers = [ "10.0.0.4" ];
# dhcpcd.extraConfig = "nohook resolv.conf"; # dhcpcd.extraConfig = "nohook resolv.conf";
firewall = { firewall = {
allowedTCPPorts = [ allowedTCPPorts = [ nodes.sin.config.services.gitea.settings.server.SSH_PORT ];
nodes.sin.config.services.gitea.settings.server.SSH_PORT
]
++ [
# minecraft ad hoc server ports
25665
25675
];
}; };
nat = { nat = {
enable = true; enable = true;
internalInterfaces = [ "enp1s0" ]; internalInterfaces = [ "enp1s0" ];
externalInterface = "enp1s0"; externalInterface = "enp1s0";
forwardPorts = [ forwardPorts = [ {
{ # TODO refactor this in the gitea/n100 module
# TODO refactor this in the gitea/n100 module sourcePort = nodes.sin.config.services.gitea.settings.server.SSH_PORT;
sourcePort = nodes.sin.config.services.gitea.settings.server.SSH_PORT; proto = "tcp";
proto = "tcp"; destination = "${sin-address}:22";
destination = "${sin-address}:22"; } ];
}
];
}; };
}; };
time.timeZone = "Europe/Paris"; time.timeZone = "Europe/Paris";
nix.settings.experimental-features = [ nix.settings.experimental-features = [ "nix-command" "flakes" ];
"nix-command"
"flakes"
];
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
users.users.n100 = { users.users.n100 = {
@@ -75,19 +57,16 @@ in
packages = with pkgs; [ packages = with pkgs; [
]; ];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKsu+4S+BHmypQTq2IR9y+ihvbF7sXbBznKtIjVAeHJ1 shobu@nixos" ];
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKsu+4S+BHmypQTq2IR9y+ihvbF7sXbBznKtIjVAeHJ1 shobu@nixos"
];
}; };
users.users.root = { users.users.root = {
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKsu+4S+BHmypQTq2IR9y+ihvbF7sXbBznKtIjVAeHJ1 shobu@nixos" ];
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKsu+4S+BHmypQTq2IR9y+ihvbF7sXbBznKtIjVAeHJ1 shobu@nixos"
];
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
lunarvim lunarvim
wget wget
httpie httpie
tmux tmux
@@ -133,3 +112,4 @@ in
system.stateVersion = "24.11"; # Did you read the comment? system.stateVersion = "24.11"; # Did you read the comment?
} }

2
hosts/thea/cybercoffee/default.nix
View File

@@ -1,4 +1,4 @@
{ pkgs, ... }: {pkgs, ...}:
{ {
imports = [ imports = [
./halflife.nix ./halflife.nix

3
hosts/thea/cybercoffee/halflife.nix
View File

@@ -1 +1,2 @@
{ ... }: { }
{...}: {}

37
hosts/thea/flake.nix
View File

@@ -12,24 +12,23 @@
}; };
# Flake outputs # Flake outputs
outputs = outputs = inputs@{
inputs@{ self,
self, nixpkgs,
nixpkgs, nix-minecraft,
nix-minecraft, shoblog-front,
shoblog-front, striped-front,
striped-front, striped-back,
striped-back, ...
... }:
}: {
{ nixosConfigurations.n100 = nixpkgs.lib.nixosSystem {
nixosConfigurations.n100 = nixpkgs.lib.nixosSystem { system = "x86_64-linux";
system = "x86_64-linux"; specialArgs = { inherit inputs; };
specialArgs = { inherit inputs; }; modules = [
modules = [ ./configuration.nix
./configuration.nix ./hardware-configuration.nix
./hardware-configuration.nix ];
];
};
}; };
};
} }

74
hosts/thea/hardware-configuration.nix
View File

@@ -1,61 +1,47 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ { config, lib, pkgs, modulesPath, ... }:
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = [ imports =
(modulesPath + "/installer/scan/not-detected.nix") [ (modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" "sdhci_pci" ];
"xhci_pci"
"ahci"
"sd_mod"
"sdhci_pci"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = { fileSystems."/" =
device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc"; { device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=root" ]; options = [ "subvol=root" ];
}; };
fileSystems."/nix" = { fileSystems."/nix" =
device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc"; { device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=nix" ]; options = [ "subvol=nix" ];
}; };
fileSystems."/home" = { fileSystems."/home" =
device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc"; { device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=home" ]; options = [ "subvol=home" ];
}; };
fileSystems."/swap" = { fileSystems."/swap" =
device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc"; { device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=swap" ]; options = [ "subvol=swap" ];
}; };
fileSystems."/boot" = { fileSystems."/boot" =
device = "/dev/disk/by-uuid/D1B9-8019"; { device = "/dev/disk/by-uuid/D1B9-8019";
fsType = "vfat"; fsType = "vfat";
options = [ options = [ "fmask=0077" "dmask=0077" ];
"fmask=0077" };
"dmask=0077"
];
};
swapDevices = [ ]; swapDevices = [ ];

81
hosts/thea/lib/autheliaSnippets.nix
View File

@@ -1,81 +0,0 @@
{ pkgs }:
{
proxy = pkgs.writeText "proxy.conf" ''
## Headers
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-URI $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $remote_addr;
'';
authelia-location = pkgs.writeText "authelia-location.conf" ''
set $upstream_authelia http://192.168.1.12:9091/api/authz/auth-request;
## Virtual endpoint created by nginx to forward auth requests.
location /internal/authelia/authz {
## Essential Proxy Configuration
internal;
proxy_pass $upstream_authelia;
## Headers
## The headers starting with X-* are required.
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Content-Length "";
proxy_set_header Connection "";
## Basic Proxy Configuration
proxy_pass_request_body off;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 4 32k;
client_body_buffer_size 128k;
## Advanced Proxy Configuration
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
}
'';
authelia-authrequest = pkgs.writeText "authelia-authrequest.conf" ''
## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
auth_request /internal/authelia/authz;
## Save the upstream metadata response headers from Authelia to variables.
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
## Inject the metadata response headers from the variables into the request made to the backend.
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Email $email;
proxy_set_header Remote-Name $name;
## Configure the redirection when the authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method'
## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url
## value to determine the redirection URL here. It's much simpler and compatible with the mutli-cookie domain easily.
## Modern Method: Set the $redirection_url to the Location header of the response to the Authz endpoint.
auth_request_set $redirection_url $upstream_http_location;
## Modern Method: When there is a 401 response code from the authz endpoint redirect to the $redirection_url.
error_page 401 =302 $redirection_url;
## Legacy Method: Set $target_url to the original requested URL.
## This requires http_set_misc module, replace 'set_escape_uri' with 'set' if you don't have this module.
# set_escape_uri $target_url $scheme://$http_host$request_uri;
## Legacy Method: When there is a 401 response code from the authz endpoint redirect to the portal with the 'rd'
## URL parameter set to $target_url. This requires users update 'auth.shobu.fr/' with their external authelia URL.
# error_page 401 =302 https://auth.shobu.fr/?rd=$target_url;
'';
}

19
hosts/thea/minecraft.nix
View File

@@ -1,18 +1,9 @@
{ {pkgs, inputs, ...}:
pkgs,
inputs,
lib,
...
}:
let let
modpack = pkgs.fetchPackwizModpack { modpack = pkgs.fetchPackwizModpack {
url = "file:///${inputs.testing-grounds.modpack}/pack.toml"; url = "file:///${inputs.testing-grounds.modpack}/pack.toml";
packHash = "sha256-+taYj4uroLNxM4Nia3n+5P1Y/g6dzE6Iq13TsZgk4mU="; packHash = "sha256-+taYj4uroLNxM4Nia3n+5P1Y/g6dzE6Iq13TsZgk4mU=";
}; };
gregpack = pkgs.fetchPackwizModpack {
url = "https://raw.githubusercontent.com/GregTechCEu/GregTech-Modern-Community-Pack/refs/heads/main/pack.toml";
packHash = "sha256-SE86gP15H/Aug6vTLmMxHuxF2/+iLmCI/wQlON1xasM=";
};
in in
{ {
imports = [ inputs.nix-minecraft.nixosModules.minecraft-servers ]; imports = [ inputs.nix-minecraft.nixosModules.minecraft-servers ];
@@ -39,10 +30,4 @@ in
}; };
}; };
}; };
networking.firewall.allowedTCPPorts = [
25865 # autismcraft
25665 # reclamation
25675 # reclamation
];
} }

62
hosts/thea/nginx.nix
View File

@@ -1,9 +1,8 @@
{ inputs, pkgs, ... }: { inputs, ... }:
let let
# striped-front = inputs.striped-front; # striped-front = inputs.striped-front;
sin-address = "192.168.1.14"; sin-address = "192.168.1.14";
authelia-snippets = pkgs.callPackage ./lib/autheliaSnippets.nix { inherit pkgs; };
in in
{ {
@@ -38,61 +37,16 @@ in
in in
( (
mkStarr "jellyfin.shobu.fr" "8096" mkStarr "jellyfin.shobu.fr" "8096"
# // mkStarr "radarr.shobu.fr" "7878" // mkStarr "radarr.shobu.fr" "7878"
// mkStarr "sonarr.shobu.fr" "8989" // mkStarr "sonarr.shobu.fr" "8989"
// mkStarr "prowlarr.shobu.fr" "9696" // mkStarr "prowlarr.shobu.fr" "9696"
// mkStarr "bazarr.shobu.fr" "6767" // mkStarr "bazarr.shobu.fr" "6767"
// mkStarr "lidarr.shobu.fr" "8686"
// mkStarr "whisparr.shobu.fr" "6969"
// mkStarr "jellyseerr.shobu.fr" "5055" // mkStarr "jellyseerr.shobu.fr" "5055"
// mkStarr "fileshelter.shobu.fr" "5091"
// mkStarr "lidarr.shobu.fr" "8686"
// mkStarr "transmission.shobu.fr" "9091" // mkStarr "transmission.shobu.fr" "9091"
// mkStarr "zimablade-admin.shobu.fr" "61208" // mkStarr "zimablade-admin.shobu.fr" "61208"
// { // {
"radarr.shobu.fr" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
include ${authelia-snippets.authelia-location};
error_log /var/log/nginx/debug_radarr.log debug;
'';
locations."/" = {
proxyPass = "http://${sin-address}:7878";
proxyWebsockets = true;
extraConfig = ''
include ${authelia-snippets.proxy};
include ${authelia-snippets.authelia-authrequest};
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# From https://gist.github.com/R0GGER/916183fca41f02df1471a6f455e5869f
# HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
add_header Strict-Transport-Security "max-age=63072000; preload" always;
add_header Referrer-Policy strict-origin-when-cross-origin;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options SAMEORIGIN;
add_header Content-Security-Policy upgrade-insecure-requests;
add_header Permissions-Policy interest-cohort=();
add_header Expect-CT 'enforce; max-age=604800';
more_set_headers 'Server: Proxy';
more_clear_headers 'X-Powered-By';
proxy_ssl_server_name on;
'';
};
locations."/api" = {
proxyPass = "http://${sin-address}:7878";
proxyWebsockets = true;
extraConfig = ''
proxy_ssl_server_name on;
'';
};
};
"shobu.fr" = { "shobu.fr" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@@ -154,18 +108,10 @@ in
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
extraConfig = ''
# include ${authelia-snippets.authelia-location};
# error_log /var/log/nginx/debug_files.log debug;
'';
locations."/" = { locations."/" = {
proxyPass = "http://${sin-address}:8086"; proxyPass = "http://${sin-address}:8086";
extraConfig = '' extraConfig = ''
# include ${authelia-snippets.proxy};
# include ${authelia-snippets.authelia-authrequest};
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
client_max_body_size 100M;
''; '';
}; };
}; };

3
hosts/thea/ollama.nix
View File

@@ -1,5 +1,4 @@
{ inputs, ... }: {inputs, ...}: {
{
# virtualisation.docker = { # virtualisation.docker = {
# enable = true; # enable = true;
# storageDriver = "btrfs"; # storageDriver = "btrfs";

10
hosts/thea/secrets/authelia-encryption.age
View File

@@ -1,10 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 /uqj4A 9cZH/SlDpiluz2O3wCxRcBhmt3L5eN24I0HHwiJDWRU
VVZaJlB4QzxBPcaN3MjCemjptEbqSUMD8VVtKyGezH8
-> ssh-ed25519 70Re8Q ZFEQxmnm+dFKSXcQAc0KxkewCB59J5FyL1Ob/uEEtVg
fRdEZpIytxjUeSKPieIzvZaAn5Mikjp28HlZhKwzS7M
-> ssh-ed25519 QvCxGg ifsqXBKO0mqE1RuJ44Y7qDJ7lyci8iyz+J1xFgO38jI
MkhMTZ+RttBFFMkbIaSCSQiExR1gf4OyFWHXIsx+QYQ
--- nnMlLyQjixpBkx+bSU5I364IP3KnZ0qnmMPueBcRHpU
ë˜<EFBFBD>6TX—ÕÞ ÌfÁ““É
®?Z7M<37>T<EFBFBD>Å|ÚQf

BIN
hosts/thea/secrets/authelia-jwt.age
View File

Binary file not shown.

9
hosts/thea/secrets/authelia-session.age
View File

@@ -1,9 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 /uqj4A yxpGM3pJxfnM/5q9+NzdfG2kBjjNex6bdyUeZEBKjnI
UO6ovn2cFeNi6SbcGpfF71/OAyQccyG+l6aZXubUal8
-> ssh-ed25519 70Re8Q GW40lmeg6Lj7ntZswT0/hWZFpYBWoV3CMq4pdo+Ncgc
oWTYuM/s3G7EKPWPQpHbXo9Tpzgn7YlYVQHYGn4xKS8
-> ssh-ed25519 QvCxGg pKLpxtuMIa0xPXoaeb4WeQWVEINRE/j4nrxDB1J9BUI
1azpt5MImTiDSF+Ts9EvUCdWMeVG7lErUHSBQfMiip4
--- IOOR8Us6zlZhJm0V4X3IlbkHSdtR3GLLxEfa4i+lqv0
ó P¬¥rhé"BFãŽÌŸtÌ€ê¤{¾(öB`q“Óø"AµnN_ ™f*ÏŒºvPpj&{)ìŠØ@ÃkF«Ú]<Aš*Á<><EFBFBD>´WTm”ƪD‡,Ý1E­™”¦³eѨ·O¢š

3
hosts/thea/secrets/default.nix
View File

@@ -1,3 +0,0 @@
{ ... }:
{
}

3
hosts/thea/shares.nix
View File

@@ -1,5 +1,4 @@
{ ... }: {...}: let
let
sin-address = "192.168.1.14"; sin-address = "192.168.1.14";
in in
{ {

9
hosts/thea/striped/back.nix
View File

@@ -1,12 +1,11 @@
{ inputs, ... }: {inputs, ...}:
let let
striped-back = inputs.striped-back; striped-back = inputs.striped-back;
in in {
{
imports = [ imports = [
striped-back.nixosModules.default striped-back.nixosModules.default
]; ];
services.striped-back-api = { services.striped-back-api = {
enable = true; enable = true;
@@ -18,7 +17,7 @@ in
socket.enable = true; socket.enable = true;
settings.django = { settings.django = {
allowed-hosts = [ "striped-api.shobu.fr" ]; allowed-hosts = ["striped-api.shobu.fr"];
debug = true; debug = true;
databases = { databases = {
default = { default = {

3
hosts/thea/striped/default.nix
View File

@@ -1,5 +1,4 @@
{ striped-back, striped-front, ... }: {striped-back, striped-front, ...}:{
{
imports = [ imports = [
./back.nix ./back.nix
]; ];

8
modules/gitea/sin/default.nix
View File

@@ -1,8 +1,6 @@
{ lib, ... }: {lib, ...}: let
let
ssh_port = 24658; ssh_port = 24658;
in in {
{
services = { services = {
gitea = { gitea = {
enable = true; enable = true;
@@ -18,7 +16,7 @@ in
}; };
actions = { actions = {
ENABLED = true; ENABLED = true;
}; };
}; };
}; };
}; };

6
modules/gitea/thea/virtualisation.nix
View File

@@ -16,10 +16,6 @@
}; };
}; };
environment.systemPackages = with pkgs; [
podman-compose
];
virtualisation.oci-containers.containers = virtualisation.oci-containers.containers =
let let
runner_config = pkgs.writeTextFile { runner_config = pkgs.writeTextFile {
@@ -28,7 +24,7 @@
container: container:
network: "host" network: "host"
valid_volumes: valid_volumes:
- "/var/nix/hosted-store" - "/nix/store:/nix/store"
''; '';
}; };
in in

11
scripts/upload-to-cache.sh
View File

@@ -1,11 +0,0 @@
#!/bin/sh
set -eu
set -f
if ! nix --version; then
exit 0
fi
export IFS=' '
echo "Uploading paths" $OUT_PATHS
exec nix copy --to "ssh://root@localhost" $OUT_PATHS