sin_serhao/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: sin_serhao:authelia
Branches Tags
sin_serhao:master sin_serhao:authelia sin_serhao:disk sin_serhao:test-deploy
..
compare: sin_serhao:cda4de62b6ceaea943bffdda3a2547fa1fceb5ae
Branches Tags
sin_serhao:master sin_serhao:authelia sin_serhao:disk sin_serhao:test-deploy

9 Commits
authelia ... cda4de62b6

Author SHA1 Message Date
shobu
cda4de62b6 old nix
Some checks failed
/ Build Nix targets (push) Successful in 25s
Details
/ build hive configuration (push) Failing after 3m29s
Details
2025-11-12 04:47:59 +01:00
shobu
d6e8d81ef0 old nix
Some checks failed
/ Build Nix targets (push) Successful in 26s
Details
/ build hive configuration (push) Failing after 19s
Details
2025-11-12 04:46:23 +01:00
shobu
e1d2f10b6a old nix
Some checks failed
/ Build Nix targets (push) Successful in 27s
Details
/ build hive configuration (push) Failing after 3m35s
Details
2025-11-12 04:35:54 +01:00
shobu
668c8de2e7 test
Some checks failed
/ Build Nix targets (push) Successful in 26s
Details
/ build hive configuration (push) Failing after 3m37s
Details
2025-11-12 04:31:00 +01:00
shobu
82e03ed59b test
Some checks failed
/ Build Nix targets (push) Successful in 27s
Details
/ build hive configuration (push) Failing after 15s
Details
2025-11-12 04:28:08 +01:00
shobu
d41b153dbb fix prev
Some checks failed
/ Build Nix targets (push) Successful in 26s
Details
/ build hive configuration (push) Failing after 3m34s
Details
2025-11-12 04:19:37 +01:00
shobu
c901116678 test
Some checks failed
/ Build Nix targets (push) Successful in 44s
Details
/ build hive configuration (push) Failing after 19s
Details
2025-11-12 04:15:22 +01:00
shobu
26ac144938 directly run the nix-develop repo
Some checks failed
/ Build Nix targets (push) Successful in 30s
Details
/ build hive configuration (push) Failing after 3m52s
Details
2025-11-12 00:30:41 +01:00
shobu
10bcea2d77 remove cachix usage
Some checks failed
/ Build Nix targets (push) Successful in 31s
Details
/ build hive configuration (push) Failing after 1m40s
Details
2025-11-12 00:19:14 +01:00
45 changed files with 645 additions and 1206 deletions
Expand all files Collapse all files

15
.gitea/workflows/analysis.yaml
View File

@@ -1,15 +0,0 @@
on: [push]
jobs:
analysis:
permissions:
contents: read
id-token: write
name: perform flake analysis
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- uses: DeterminateSystems/nix-installer-action@main
- uses: DeterminateSystems/magic-nix-cache-action@main
- name: Check Nix flake inputs
uses: http://github.com/DeterminateSystems/flake-checker-action@main

14
.gitea/workflows/analysis.yml Normal file
View File

@@ -0,0 +1,14 @@
on: [push]
jobs:
build:
name: Build Nix targets
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- uses: http://github.com/cachix/install-nix-action@v18
- uses: http://github.com/cachix/cachix-action@v12
with:
name: statix
- name: Check Nix flake inputs
uses: http://github.com/DeterminateSystems/flake-checker-action@main

43
.gitea/workflows/deploy.yaml
View File

@@ -1,43 +0,0 @@
on:
push:
branches:
- master
jobs:
deploy:
container:
volumes:
- /nix/store:/var/nix/hosted-store
permissions:
contents: read
id-token: write
name: build hive configuration
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- name: setup
env:
CACHE_PRIVKEY: ${{secrets.CACHE_PRIVKEY}}
shell: bash
run: |
mkdir -p /var/secrets/
echo "$CACHE_PRIVKEY" >> /var/secrets/cache_privkey
mkdir -p /etc/nix
cp ./scripts/upload-to-cache.sh /etc/nix/
chmod +x /etc/nix/upload-to-cache.sh
- uses: cachix/install-nix-action@v31
with:
extra_nix_config: |
extra-trusted-public-keys = localhost:TiRpr2LzamX/MCKBUmFlZ8inWz94QWGL88fMEHg9Kgc=
extra-substituters = "local?store=/var/nix/hosted-store&priority=20"
secret-key-files = /var/secrets/cache_privkey
post-build-hook = /etc/nix/upload-to-cache.sh
- name: Install SSH key
uses: shimataro/ssh-key-action@v2
with:
key: ${{ secrets.SSH_KEY }}
known_hosts: ${{ secrets.KNOWN_HOSTS }}
- uses: http://github.com/cachix/cachix-action@v16
with:
name: colmena
- run: nix run .#colmena apply

17
.gitea/workflows/deploy.yml Normal file
View File

@@ -0,0 +1,17 @@
on:
push:
branches:
- master
- test-deploy
jobs:
build:
name: build hive configuration
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v5
- uses: cachix/install-nix-action@v31
with:
install_url: https://releases.nixos.org/nix/nix-2.20.0/install
- uses: https://github.com/nicknovitski/nix-develop@v1
- run: colmena apply

178
flake.lock generated
View File

@@ -49,11 +49,11 @@
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1768336726,
"narHash": "sha256-Os4qn0S0bv7MauXGz16ozyOYZuMrA2FJuXNjDnr5yps=",
"lastModified": 1762095388,
"narHash": "sha256-7Q8LtcvKWHbP8znARRTOY2tpU5WoV6FHwp5TZJOI8Us=",
"owner": "9001",
"repo": "copyparty",
"rev": "c46cd7f57a8ae3b121866485c91ec078c4dd970e",
"rev": "ac085b8149ff50e03d260128596dd130ed1c7cae",
"type": "github"
},
"original": {
@@ -91,11 +91,11 @@
]
},
"locked": {
"lastModified": 1766150702,
"narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=",
"lastModified": 1762276996,
"narHash": "sha256-TtcPgPmp2f0FAnc+DMEw4ardEgv1SGNR3/WFGH0N19M=",
"owner": "nix-community",
"repo": "disko",
"rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378",
"rev": "af087d076d3860760b3323f6b583f4d828c1ac17",
"type": "github"
},
"original": {
@@ -233,11 +233,11 @@
"nixpkgs": "nixpkgs_4"
},
"locked": {
"lastModified": 1767838769,
"narHash": "sha256-KCLU6SUU80tEBKIVZsBrSjRYX6kn1eVIYI3fEEqOp24=",
"lastModified": 1762826586,
"narHash": "sha256-KlPcXOxxyv+KNcf7yNFQ4DGVFbOpITqHfvMcAUYrL7E=",
"owner": "Infinidoge",
"repo": "nix-minecraft",
"rev": "4da21f019f6443f513f16af7f220ba4db1cdfc04",
"rev": "1a4fa22ec6e9f2ece24fca273352463b75f6f7c0",
"type": "github"
},
"original": {
@@ -311,11 +311,11 @@
},
"nixpkgs_5": {
"locked": {
"lastModified": 1767313136,
"narHash": "sha256-16KkgfdYqjaeRGBaYsNrhPRRENs0qzkQVUooNHtoy2w=",
"lastModified": 1762756533,
"narHash": "sha256-HiRDeUOD1VLklHeOmaKDzf+8Hb7vSWPVFcWwaTrpm+U=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ac62194c3917d5f474c1a844b6fd6da2db95077d",
"rev": "c2448301fb856e351aab33e64c33a3fc8bcf637d",
"type": "github"
},
"original": {
@@ -340,6 +340,36 @@
}
},
"nixpkgs_7": {
"locked": {
"lastModified": 1744440957,
"narHash": "sha256-FHlSkNqFmPxPJvy+6fNLaNeWnF1lZSgqVCl/eWaJRc4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_8": {
"locked": {
"lastModified": 1744463964,
"narHash": "sha256-LWqduOgLHCFxiTNYi3Uj5Lgz0SR+Xhw3kr/3Xd0GPTM=",
"rev": "2631b0b7abcea6e640ce31cd78ea58910d31e650",
"revCount": 782401,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.1.782401%2Brev-2631b0b7abcea6e640ce31cd78ea58910d31e650/01962c8a-63c4-7abd-a3df-63a17b548cc7/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/NixOS/nixpkgs/0.1.%2A.tar.gz"
}
},
"nixpkgs_9": {
"locked": {
"lastModified": 1736549401,
"narHash": "sha256-ibkQrMHxF/7TqAYcQE+tOnIsSEzXmMegzyBWza6uHKM=",
@@ -355,6 +385,56 @@
"type": "github"
}
},
"pyproject-build-systems": {
"inputs": {
"nixpkgs": [
"striped-back",
"nixpkgs"
],
"pyproject-nix": [
"striped-back",
"pyproject-nix"
],
"uv2nix": [
"striped-back",
"uv2nix"
]
},
"locked": {
"lastModified": 1744599653,
"narHash": "sha256-nysSwVVjG4hKoOjhjvE6U5lIKA8sEr1d1QzEfZsannU=",
"owner": "pyproject-nix",
"repo": "build-system-pkgs",
"rev": "7dba6dbc73120e15b558754c26024f6c93015dd7",
"type": "github"
},
"original": {
"owner": "pyproject-nix",
"repo": "build-system-pkgs",
"type": "github"
}
},
"pyproject-nix": {
"inputs": {
"nixpkgs": [
"striped-back",
"nixpkgs"
]
},
"locked": {
"lastModified": 1743438845,
"narHash": "sha256-1GSaoubGtvsLRwoYwHjeKYq40tLwvuFFVhGrG8J9Oek=",
"owner": "pyproject-nix",
"repo": "pyproject.nix",
"rev": "8063ec98edc459571d042a640b1c5e334ecfca1e",
"type": "github"
},
"original": {
"owner": "pyproject-nix",
"repo": "pyproject.nix",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
@@ -364,6 +444,8 @@
"nix-minecraft": "nix-minecraft",
"nixpkgs": "nixpkgs_5",
"shoblog-front": "shoblog-front",
"striped-back": "striped-back",
"striped-front": "striped-front",
"testing-grounds": "testing-grounds",
"unstable": "unstable"
}
@@ -402,6 +484,45 @@
"type": "github"
}
},
"striped-back": {
"inputs": {
"nixpkgs": "nixpkgs_7",
"pyproject-build-systems": "pyproject-build-systems",
"pyproject-nix": "pyproject-nix",
"uv2nix": "uv2nix"
},
"locked": {
"lastModified": 1748719386,
"narHash": "sha256-nyXHemXPEKnqIVIYIorSbt64zRwMvijyGQGCW3zUUkc=",
"ref": "refs/heads/master",
"rev": "bdfd6f1f4aac6a00ae4509f14b3a63c84d169edf",
"revCount": 8,
"type": "git",
"url": "ssh://git@gitlab.com/striped1/striped-back"
},
"original": {
"type": "git",
"url": "ssh://git@gitlab.com/striped1/striped-back"
}
},
"striped-front": {
"inputs": {
"nixpkgs": "nixpkgs_8"
},
"locked": {
"lastModified": 1748718798,
"narHash": "sha256-KUxbrUjRfuKjkJZLzKr11WEXLfPs38YrW/CMG6XbnbY=",
"ref": "refs/heads/master",
"rev": "a553f10147dad9e41829f67b247817a079f6f671",
"revCount": 11,
"type": "git",
"url": "ssh://git@gitlab.com/striped1/striped-front"
},
"original": {
"type": "git",
"url": "ssh://git@gitlab.com/striped1/striped-front"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
@@ -434,7 +555,7 @@
},
"testing-grounds": {
"inputs": {
"nixpkgs": "nixpkgs_7"
"nixpkgs": "nixpkgs_9"
},
"locked": {
"lastModified": 1755527993,
@@ -452,11 +573,11 @@
},
"unstable": {
"locked": {
"lastModified": 1768127708,
"narHash": "sha256-1Sm77VfZh3mU0F5OqKABNLWxOuDeHIlcFjsXeeiPazs=",
"lastModified": 1762596750,
"narHash": "sha256-rXXuz51Bq7DHBlfIjN7jO8Bu3du5TV+3DSADBX7/9YQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ffbc9f8cbaacfb331b6017d5a5abb21a492c9a38",
"rev": "b6a8526db03f735b89dd5ff348f53f752e7ddc8e",
"type": "github"
},
"original": {
@@ -465,6 +586,31 @@
"repo": "nixpkgs",
"type": "github"
}
},
"uv2nix": {
"inputs": {
"nixpkgs": [
"striped-back",
"nixpkgs"
],
"pyproject-nix": [
"striped-back",
"pyproject-nix"
]
},
"locked": {
"lastModified": 1744797880,
"narHash": "sha256-gt9JBkYjZAEvGwCG7RMAAAr0j2RsaRmOMj/vV0briXk=",
"owner": "pyproject-nix",
"repo": "uv2nix",
"rev": "3583e037163491ecd833f1d5d3eedf3869543c5d",
"type": "github"
},
"original": {
"owner": "pyproject-nix",
"repo": "uv2nix",
"type": "github"
}
}
},
"root": "root",

88
flake.nix
View File

@@ -18,14 +18,15 @@
nix-minecraft.url = "github:Infinidoge/nix-minecraft";
testing-grounds.url = "gitlab:shobu13/testing-grounds";
shoblog-front.url = "gitlab:shobu13/shoblog";
striped-front.url = "git+ssh://git@gitlab.com/striped1/striped-front";
striped-back.url = "git+ssh://git@gitlab.com/striped1/striped-back";
copyparty.url = "github:9001/copyparty";
};
# Flake outputs
outputs =
inputs@{
outputs = inputs@{
self,
nixpkgs,
@@ -37,8 +38,8 @@
disko,
shoblog-front,
# striped-front,
# striped-back,
striped-front,
striped-back,
nix-minecraft,
testing-grounds,
copyparty,
@@ -51,41 +52,16 @@
];
# Helper to provide system-specific attributes
forEachSupportedSystem =
f:
inputs.nixpkgs.lib.genAttrs supportedSystems (
system:
f {
forEachSupportedSystem = f: inputs.nixpkgs.lib.genAttrs supportedSystems (system: f {
pkgs = import inputs.nixpkgs { inherit system; };
}
);
});
in
{
nixosConfigurations = {
sin = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
disko.nixosModules.disko
agenix.nixosModules.default
./hosts/sin/configuration.nix
./hosts/sin/hardware-configuration.nix
]
++ [
# modules
./modules/gitea/sin
];
specialArgs = {
inherit inputs;
};
};
};
colmenaHive = colmena.lib.makeHive {
meta = {
nixpkgs = import nixpkgs {
system = "x86_64-linux";
overlays = [ ];
overlays = [];
};
specialArgs = {
@@ -93,20 +69,11 @@
};
};
thea =
{
name,
nodes,
pkgs,
...
}:
{
thea = {name, nodes, pkgs, ...}: {
imports = [
agenix.nixosModules.default
./hosts/${name}/configuration.nix
./hosts/${name}/hardware-configuration.nix
]
++ [
] ++ [
# modules
./modules/gitea/${name}
];
@@ -114,54 +81,33 @@
deployment.targetHost = "192.168.1.12";
};
sin =
{
name,
nodes,
pkgs,
...
}:
{
sin = {name, nodes, pkgs, ...}: {
imports = [
disko.nixosModules.disko
agenix.nixosModules.default
./hosts/${name}/configuration.nix
./hosts/${name}/hardware-configuration.nix
]
++ [
] ++ [
# modules
./modules/gitea/${name}
];
deployment.targetHost = "192.168.1.14";
deployment.allowLocalDeployment = true;
};
};
devShells = forEachSupportedSystem (
{ pkgs }:
{
devShells = forEachSupportedSystem ({ pkgs }: {
default = pkgs.mkShell {
# The Nix packages provided in the environment
# Add any you need here
packages = with pkgs; [
colmena.packages.${pkgs.stdenv.system}.colmena
agenix.packages.${pkgs.stdenv.system}.agenix
];
packages = with pkgs; [ colmena.packages.${pkgs.system}.colmena ];
# Set any environment variables for your dev shell
env = { };
# Add any shell logic you want executed any time the environment is activated
shellHook = '''';
shellHook = ''
'';
};
}
);
packages = forEachSupportedSystem (
{ pkgs }:
{
inherit (colmena.packages."${pkgs.system}") colmena;
}
);
});
};
}

21
hosts/sin/configuration.nix
View File

@@ -2,7 +2,6 @@
modulesPath,
lib,
pkgs,
config,
...
}:
{
@@ -17,7 +16,6 @@
./secrets.nix
./coredns
./copyparty.nix
# ./trilium.nix
];
boot.initrd.kernelModules = [ "usb_storage" ];
@@ -53,25 +51,18 @@
time.timeZone = "Europe/Paris";
nix.settings.experimental-features = [
"nix-command"
"flakes"
];
nix.settings.experimental-features = [ "nix-command" "flakes" ];
nixpkgs.config.allowUnfree = true;
users.users = {
zimablade = {
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKsu+4S+BHmypQTq2IR9y+ihvbF7sXbBznKtIjVAeHJ1 shobu@nixos"
];
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKsu+4S+BHmypQTq2IR9y+ihvbF7sXbBznKtIjVAeHJ1 shobu@nixos" ];
};
shobu = {
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKsu+4S+BHmypQTq2IR9y+ihvbF7sXbBznKtIjVAeHJ1 shobu@nixos"
];
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKsu+4S+BHmypQTq2IR9y+ihvbF7sXbBznKtIjVAeHJ1 shobu@nixos" ];
};
};
@@ -80,12 +71,10 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKsu+4S+BHmypQTq2IR9y+ihvbF7sXbBznKtIjVAeHJ1 shobu@nixos"
];
environment.systemPackages =
map lib.lowPrio [
environment.systemPackages = map lib.lowPrio [
pkgs.curl
pkgs.gitMinimal
]
++ (with pkgs; [
] ++ (with pkgs; [
helix
httpie
btop

53
hosts/sin/copyparty.nix
View File

@@ -1,74 +1,27 @@
{
inputs,
pkgs,
config,
...
}:
{
{inputs, pkgs, ...}: {
imports = [ inputs.copyparty.nixosModules.default ];
nixpkgs.overlays = [ inputs.copyparty.overlays.default ];
environment.systemPackages = [ pkgs.copyparty ];
services.copyparty = {
enable = true;
group = "starr";
settings = {
p = [ 8086 ];
e2dsa = true;
e2ts = true;
z = true;
qr = true;
xff-hdr = "X-Real-IP";
xff-src = "lan";
rproxy = 1;
http-only = true;
og = true;
shr = "/shares";
};
accounts = {
serhao = {
passwordFile = config.age.secrets.copyparty-serhao.path;
};
};
volumes = {
"/movies" = {
path = "/mnt/mediacenter/media/movies";
access = {
r = "*";
};
};
"/shows" = {
path = "/mnt/mediacenter/media/shows";
access = {
r = "*";
};
};
"/musics" = {
path = "/mnt/mediacenter/media/musics";
access = {
r = "*";
};
};
"/mediacenter" = {
"/media" = {
path = "/mnt/mediacenter/media";
access = {
rw = ["serhao"];
};
flags = {
e2d = true;
};
};
"/data" = {
path = "/mnt/data";
access = {
rwd = ["serhao"];
};
flags = {
e2d = true;
r = "*";
};
};
};

3
hosts/sin/coredns/default.nix
View File

@@ -1,5 +1,4 @@
{ ... }:
{
{...}: {
services.coredns = {
enable = false;
config = ''

31
hosts/sin/flake.nix
View File

@@ -14,15 +14,7 @@
};
# Flake outputs
outputs =
inputs@{
self,
nixpkgs,
disko,
unstable,
agenix,
...
}:
outputs = inputs@{ self, nixpkgs, disko, unstable, agenix, ... }:
let
# The systems supported for this flake
supportedSystems = [
@@ -30,14 +22,9 @@
];
# Helper to provide system-specific attributes
forEachSupportedSystem =
f:
nixpkgs.lib.genAttrs supportedSystems (
system:
f {
forEachSupportedSystem = f: nixpkgs.lib.genAttrs supportedSystems (system: f {
pkgs = import nixpkgs { inherit system; };
}
);
});
in
{
nixosConfigurations.zimablade = nixpkgs.lib.nixosSystem {
@@ -53,21 +40,15 @@
};
};
devShells = forEachSupportedSystem (
{ pkgs }:
{
devShells = forEachSupportedSystem ({ pkgs }: {
default = pkgs.mkShell {
# The Nix packages provided in the environment
# Add any you need here
packages = with pkgs; [
pkgs.disko
nixos-anywhere
];
packages = with pkgs; [ pkgs.disko nixos-anywhere ];
# Add any shell logic you want executed any time the environment is activated
shellHook = '''';
};
}
);
});
};
}

3
hosts/sin/glances.nix
View File

@@ -1,5 +1,4 @@
{ ... }:
{
{...}: {
services.glances = {
enable = true;
openFirewall = true;

21
hosts/sin/hardware-configuration.nix
View File

@@ -1,27 +1,14 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [
"ahci"
"xhci_pci"
"usb_storage"
"usbhid"
"sd_mod"
"sdhci_pci"
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];

19
hosts/sin/homepage.nix
View File

@@ -1,12 +1,12 @@
{ inputs, pkgs, ... }:
{
{inputs, pkgs, ...}: {
services.homepage-dashboard = {
enable = true;
openFirewall = true;
allowedHosts = "dashboard.shobu.fr";
settings = {
title = "Shobu's homelab dashboard";
description = "a dashboard of free and awesome bullshit";
description = "a dashboard of free and wesome bullshit";
startUrl = "https://dashboard.shobu.fr";
base = "https://dashboard.shobu.fr";
headerStyle = "boxed";
@@ -16,7 +16,7 @@
};
layout = [
{ "resources" = { }; }
{"resources" = {};}
{
"about me stuff" = {
tab = "Public";
@@ -44,7 +44,7 @@
widgets = [
{
greeting = {
text = "Welcome on my services and links dashboard, make yourself home. :3";
text = "Welcome on my services and links dashboard, make yourself home.";
};
}
{
@@ -117,15 +117,6 @@
};
};
}
{
"reclamation" = {
description = "bring back your world to life";
widget = {
type = "minecraft";
url = "udp://minecraft.shobu.fr:25665";
};
};
}
];
}
{

58
hosts/sin/jellyfin.nix
View File

@@ -1,8 +1,6 @@
{ pkgs, inputs, ... }:
let
{pkgs, inputs, ...}: let
unstable = import inputs.unstable { system = pkgs.system; };
in
{
in {
nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
};
@@ -29,47 +27,16 @@ in
extraGroups = [ "jellyfin" ];
};
users.users.sonarr.extraGroups = [
"jellyfin"
"radarr"
"transmission"
"starr"
];
users.users.radarr.extraGroups = [
"jellyfin"
"sonarr"
"transmission"
"starr"
];
users.users.bazarr.extraGroups = [
"jellyfin"
"sonarr"
"transmission"
"starr"
"radarr"
];
users.users.lidarr.extraGroups = [
"jellyfin"
"starr"
"transmission"
];
users.users.sonarr.extraGroups = ["jellyfin" "radarr" "transmission" "starr"];
users.users.radarr.extraGroups = ["jellyfin" "sonarr" "transmission" "starr"];
users.users.bazarr.extraGroups = ["jellyfin" "sonarr" "transmission" "starr" "radarr"];
users.users.lidarr.extraGroups = ["jellyfin" "starr" "transmission"];
users.users.whisparr.extraGroups = [
"jellyfin"
"starr"
"transmission"
];
users.users.shobu.extraGroups = [ "jellyfin" "starr" "transmission" "radarr" "sonarr" ];
users.users.shobu.extraGroups = [
"jellyfin"
"starr"
"transmission"
"radarr"
"sonarr"
];
users.groups = {
starr = { };
starr = {};
};
services = {
@@ -82,10 +49,6 @@ in
enable = true;
openFirewall = true;
group = "starr";
settings = {
authentication.AuthenticationMethod = "external";
authentication.AuthenticationType = "enabled";
};
};
radarr = {
enable = true;
@@ -103,10 +66,7 @@ in
lidarr = {
enable = true;
openFirewall = true;
};
whisparr = {
enable = true;
openFirewall = true;
package = unstable.lidarr;
};
jellyseerr = {

45
hosts/sin/luks-btrfs-raid.nix
View File

@@ -1,5 +1,4 @@
{ ... }:
{
{...}: {
disko.devices = {
disk = {
# Devices will be mounted and formatted in alphabetical order, and btrfs can only mount raids
@@ -7,7 +6,7 @@
# and the actual btrfs raid on the second disk, and the name of these entries matters!
system = {
type = "disk";
device = "/dev/sdb";
device = "/dev/mmcblk0";
content = {
type = "gpt";
partitions = {
@@ -42,10 +41,6 @@
"/root" = {
mountpoint = "/";
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [ "compress=zstd:3" ];
};
};
};
};
@@ -54,17 +49,39 @@
};
};
data = {
data1 = {
type = "disk";
device = "/dev/sda";
content = {
type = "gpt";
partitions = {
crypt_p = {
crypt_p1 = {
size = "100%";
content = {
type = "luks";
name = "p_data";
name = "p_data1"; # device-mapper name when decrypted
# Remove settings.keyFile if you want to use interactive password entry
settings = {
allowDiscards = true;
keyFile = "/dev/disk/by-uuid/2021-07-11-12-33-27-00";
keyFileSize = 4096;
};
};
};
};
};
};
data2 = {
type = "disk";
device = "/dev/sdb";
content = {
type = "gpt";
partitions = {
crypt_p2 = {
size = "100%";
content = {
type = "luks";
name = "p_data2";
# Remove settings.keyFile if you want to use interactive password entry
settings = {
allowDiscards = true;
@@ -73,11 +90,19 @@
};
content = {
type = "btrfs";
extraArgs = [
"-d raid0"
"/dev/mapper/p_data1" # Use decrypted mapped device, same name as defined in disk1
];
subvolumes = {
"/" = {
mountpoint = "/mnt/fs";
mountOptions = [ "compress=zstd:3" ];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [ "compress=zstd:3" ];
};
"/data" = {
mountpoint = "/mnt/data";

14
hosts/sin/matrix.nix
View File

@@ -1,4 +1,4 @@
{ pkgs, config, ... }:
{pkgs, config, ...}:
{
users.users = {
postgres = {
@@ -26,10 +26,7 @@
'';
};
networking.firewall.allowedTCPPorts = [
8008
8448
];
networking.firewall.allowedTCPPorts = [ 8008 8448 ];
services.matrix-synapse = {
enable = true;
@@ -42,16 +39,13 @@
listeners = [
{
port = 8008;
bind_addresses = [ "0.0.0.0" ];
bind_addresses = ["0.0.0.0"];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = [
"client"
"federation"
];
names = [ "client" "federation" ];
compress = true;
}
];

21
hosts/sin/ollama.nix
View File

@@ -1,21 +0,0 @@
{ inputs, ... }:
{
# virtualisation.docker = {
# enable = true;
# storageDriver = "btrfs";
# };
services.ollama = {
enable = true;
openFirewall = true;
loadModels = [ ];
acceleration = "cuda";
};
services.open-webui = {
enable = true;
openFirewall = true;
host = "0.0.0.0";
port = 8050;
};
}

20
hosts/sin/secrets.nix
View File

@@ -1,5 +1,4 @@
{ ... }:
{
{...}: {
age.secrets = {
# captcha = {
# file = ./secrets/matrix_captcha.age;
@@ -10,22 +9,5 @@
file = ./secrets/airvpn_wireguard_key_env.age;
mode = "700";
};
copyparty-serhao = {
file = ./secrets/copyparty-serhao.age;
mode = "700";
owner = "copyparty";
};
authelia-jwt = {
file = ./secrets/authelia-jwt.age;
mode = "700";
};
authelia-encryption = {
file = ./secrets/authelia-encryption.age;
mode = "700";
};
authelia-session = {
file = ./secrets/authelia-session.age;
mode = "700";
};
};
}

7
hosts/sin/secrets/authelia-encryption.age
View File

@@ -1,7 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 /uqj4A L95rgX9APIgoMvkplZIYgMQDhKBOsPGOw/maymMhiks
LNfa/YBCd84iknAMk4wbQps4KMXCvrhPp2d9KkhJWHI
-> ssh-ed25519 NoSl6Q G/y6DUFTyV6Jy6KHo8yc+xxtu3aJtTOF3Ldmxq3FmyE
FOExj321S/VIPQ/qdvZBcJ930HI/GsjDVjJp9WMSXLA
--- iIpq/CWng+4+kQbvJQb/qgejr/eza94wCkegEJ2dvno
ÿNôU*1=DÔOˆ£W6]_â©Kà=©Þký¦_ù˜Ýøɇ™tmË•ãw°

7
hosts/sin/secrets/authelia-jwt.age
View File

@@ -1,7 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 /uqj4A i6SPCzjkGrPMjhC9NQDdYTk3fzXoD4OSQdhS1togN0A
Lqus8sROz1O4EepauPwC4RX/qH+SnDiL2H5iZGtAhXo
-> ssh-ed25519 NoSl6Q LxV4a5HiB6qfPjbba75dkVVECzaqrMjksMXHh53JbGQ
x4POzurz+J2mymT81M+cu69Iv/MeiYt+JvaRteinm5Q
--- OFqooyZ2HPBxP756PqpgJAyVOTkqhJ0LhEQsLJBZUtE
—>»&Ȇw·\D„Au{õz{CˆÁ~á$_ˆ9»¢ZZ<5A>U^„ÎÊL!(lnпÂó‰Üv{fdº ß l¢,<2C>|<7C>Ü.¤çH«¤³êVaù¥ÍÓˆ™PêwOo

7
hosts/sin/secrets/authelia-session.age
View File

@@ -1,7 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 /uqj4A eff535EaT7gEZOacWx9raBJMdd4PPd9+y6Y3eOt1wBI
5P4aefjWVJ4L11ff+Cg8j3gQ58I+agDPUMFWiCaL/sQ
-> ssh-ed25519 NoSl6Q 3+EZtaiiZQk7JK6zCNo/nUSSRAJzf8nal2X1sFkYmxo
f5gzpiOtCbYdiV7vOxfZvJPRmRruTbHg6T8g0r5JRgc
--- BBL3wE2eSmHVI4tlhq+5fy84cauw6P6G69nFXuObLKE
êéæí @[¡SÓcñ<C3B1>SyÉŠ‡<; í†<C3AD>Ë茟<C592><C5B8>§(°Æž1\Yjȯ½½4åõ Ýȹ.3>Â[Èq¢Jh 8í·šÕVt”øX[Ì~[(#^_5€§<E282AC>

7
hosts/sin/secrets/copyparty-serhao.age
View File

@@ -1,7 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 BoEq8A O6x9n4kvpqLucX7NuNeD2SsMmvT5n6aVYwo4nQt21H8
R+4g1QuXtxovyv5Mav+mAhgGjOcGQW4q17FSBtzXZQo
-> ssh-ed25519 NoSl6Q iKPipXfIGWxUobXF/9CSRhc/zKgmKKWWZhDTDgX0jWA
LB4TFCdbEG0VToYzTWdFedd0duF5PKlCnpBs4nBbLAQ
--- D7VE3Mwgx9ehk5rNuHm62S5ggQBm9wJodZa61jLEVsY
8ÔîÐÄÒë`S«šéT¯Fª9&(½Ú²Á‡¸=~Ïáš­où».XŽ¶ž7ðV&'Øøå ÒÔ¸‹%ã î

32
hosts/sin/transmission.nix
View File

@@ -1,10 +1,4 @@
{
config,
pkgs,
lib,
...
}:
{
{config, ...}: {
users.users."starr" = {
extraGroups = [ "transmission" ];
@@ -20,28 +14,9 @@
transmission.gid = 989;
};
# systemd.services = {
# docker-transmission-network = {
# after = [
# "network.target"
# "docker-gluetun.service"
# "docker-transmission.service"
# ];
# wantedBy = [
# "docker-gluetun.service"
# "docker-transmission.service"
# ];
# serviceConfig = {
# ExecStart = "${lib.getExe pkgs.docker} network create docker-transmission; exit 0";
# };
# };
# };
virtualisation.oci-containers =
let
virtualisation.oci-containers = let
peerport = "63369";
in
{
in {
backend = "docker";
containers = {
gluetun = {
@@ -61,7 +36,6 @@
extraOptions = [
"--cap-add=NET_ADMIN"
"--device=/dev/net/tun"
# "--network=docker-transmission"
];
ports = [
"13277:13277"

1
hosts/sin/trilium.nix
View File

@@ -1 +0,0 @@
{ ... }: { }

126
hosts/thea/authelia.nix
View File

@@ -1,126 +0,0 @@
{
pkgs,
config,
lib,
...
}:
let
cfg = config.services.authelia.instances.main;
dataDir = "/var/lib/authelia-${cfg.name}";
authelia-snippets = pkgs.callPackage ./lib/autheliaSnippets.nix { inherit pkgs; };
in
{
services.authelia.instances = {
main = {
enable = true;
secrets = {
jwtSecretFile = config.age.secrets.authelia-jwt.path;
storageEncryptionKeyFile = config.age.secrets.authelia-encryption.path;
sessionSecretFile = config.age.secrets.authelia-session.path;
};
settings = {
theme = "light";
log.level = "debug";
authentication_backend = {
file = {
path = dataDir + "/users.yml";
};
};
storage = {
local = {
path = dataDir + "/db.sqlite3";
};
};
session = {
cookies = [
{
domain = "shobu.fr";
authelia_url = "https://auth.shobu.fr";
default_redirection_url = "https://shobu.fr";
}
];
};
notifier = {
filesystem = {
filename = "${dataDir}/notification.txt";
};
};
access_control = {
default_policy = "deny";
rules = [
{
domain = "radarr.shobu.fr";
policy = "bypass";
}
{
domain = "*.shobu.fr";
policy = "one_factor";
}
];
};
server = {
endpoints = {
authz = {
auth-request = {
implementation = "AuthRequest";
};
};
};
};
};
};
};
# systemd.tmpfiles.rules = lib.mkIf cfg.enable [
# "d '${dataDir}' 0700 ${cfg.user} ${cfg.group} - -"
# ];
age.secrets = {
authelia-jwt = {
owner = cfg.user;
file = ./secrets/authelia-jwt.age;
mode = "700";
};
authelia-encryption = {
owner = cfg.user;
file = ./secrets/authelia-encryption.age;
mode = "700";
};
authelia-session = {
owner = cfg.user;
file = ./secrets/authelia-session.age;
mode = "700";
};
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts."auth.shobu.fr" =
let
upstream = "http://thea:9091";
in
{
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = upstream;
extraConfig = ''
error_log /var/log/nginx/debug_authelia.log debug;
include ${authelia-snippets.proxy};
set $upstream ${upstream};
'';
};
locations."/api/verify" = {
proxyPass = upstream;
};
locations."/api/authz" = {
proxyPass = upstream;
};
};
};
}

46
hosts/thea/configuration.nix
View File

@@ -2,25 +2,19 @@
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{
config,
lib,
pkgs,
nodes,
...
}:
let
{ config, lib, pkgs, nodes, ... }:let
sin-address = "192.168.1.14";
in
{
imports = [
imports =
[
./nginx.nix
# ./striped
# ./cybercoffee
./ollama.nix
./minecraft.nix
./secrets
./authelia.nix
# ./shares.nix
];
# Use the systemd-boot EFI boot loader.
@@ -37,36 +31,24 @@ in
# dhcpcd.extraConfig = "nohook resolv.conf";
firewall = {
allowedTCPPorts = [
nodes.sin.config.services.gitea.settings.server.SSH_PORT
]
++ [
# minecraft ad hoc server ports
25665
25675
];
allowedTCPPorts = [ nodes.sin.config.services.gitea.settings.server.SSH_PORT ];
};
nat = {
enable = true;
internalInterfaces = [ "enp1s0" ];
externalInterface = "enp1s0";
forwardPorts = [
{
forwardPorts = [ {
# TODO refactor this in the gitea/n100 module
sourcePort = nodes.sin.config.services.gitea.settings.server.SSH_PORT;
proto = "tcp";
destination = "${sin-address}:22";
}
];
} ];
};
};
time.timeZone = "Europe/Paris";
nix.settings.experimental-features = [
"nix-command"
"flakes"
];
nix.settings.experimental-features = [ "nix-command" "flakes" ];
nixpkgs.config.allowUnfree = true;
users.users.n100 = {
@@ -75,17 +57,14 @@ in
packages = with pkgs; [
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKsu+4S+BHmypQTq2IR9y+ihvbF7sXbBznKtIjVAeHJ1 shobu@nixos"
];
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKsu+4S+BHmypQTq2IR9y+ihvbF7sXbBznKtIjVAeHJ1 shobu@nixos" ];
};
users.users.root = {
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKsu+4S+BHmypQTq2IR9y+ihvbF7sXbBznKtIjVAeHJ1 shobu@nixos"
];
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKsu+4S+BHmypQTq2IR9y+ihvbF7sXbBznKtIjVAeHJ1 shobu@nixos" ];
};
environment.systemPackages = with pkgs; [
lunarvim
wget
@@ -133,3 +112,4 @@ in
system.stateVersion = "24.11"; # Did you read the comment?
}

2
hosts/thea/cybercoffee/default.nix
View File

@@ -1,4 +1,4 @@
{ pkgs, ... }:
{pkgs, ...}:
{
imports = [
./halflife.nix

3
hosts/thea/cybercoffee/halflife.nix
View File

@@ -1 +1,2 @@
{ ... }: { }
{...}: {}

3
hosts/thea/flake.nix
View File

@@ -12,8 +12,7 @@
};
# Flake outputs
outputs =
inputs@{
outputs = inputs@{
self,
nixpkgs,
nix-minecraft,

44
hosts/thea/hardware-configuration.nix
View File

@@ -1,60 +1,46 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"sd_mod"
"sdhci_pci"
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc";
fileSystems."/" =
{ device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc";
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
fileSystems."/home" = {
device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc";
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/swap" = {
device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc";
fileSystems."/swap" =
{ device = "/dev/disk/by-uuid/09c733e4-b0df-4416-977b-50d9feb225fc";
fsType = "btrfs";
options = [ "subvol=swap" ];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/D1B9-8019";
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/D1B9-8019";
fsType = "vfat";
options = [
"fmask=0077"
"dmask=0077"
];
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices = [ ];

81
hosts/thea/lib/autheliaSnippets.nix
View File

@@ -1,81 +0,0 @@
{ pkgs }:
{
proxy = pkgs.writeText "proxy.conf" ''
## Headers
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-URI $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $remote_addr;
'';
authelia-location = pkgs.writeText "authelia-location.conf" ''
set $upstream_authelia http://192.168.1.12:9091/api/authz/auth-request;
## Virtual endpoint created by nginx to forward auth requests.
location /internal/authelia/authz {
## Essential Proxy Configuration
internal;
proxy_pass $upstream_authelia;
## Headers
## The headers starting with X-* are required.
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Content-Length "";
proxy_set_header Connection "";
## Basic Proxy Configuration
proxy_pass_request_body off;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 4 32k;
client_body_buffer_size 128k;
## Advanced Proxy Configuration
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
}
'';
authelia-authrequest = pkgs.writeText "authelia-authrequest.conf" ''
## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
auth_request /internal/authelia/authz;
## Save the upstream metadata response headers from Authelia to variables.
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
## Inject the metadata response headers from the variables into the request made to the backend.
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Email $email;
proxy_set_header Remote-Name $name;
## Configure the redirection when the authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method'
## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url
## value to determine the redirection URL here. It's much simpler and compatible with the mutli-cookie domain easily.
## Modern Method: Set the $redirection_url to the Location header of the response to the Authz endpoint.
auth_request_set $redirection_url $upstream_http_location;
## Modern Method: When there is a 401 response code from the authz endpoint redirect to the $redirection_url.
error_page 401 =302 $redirection_url;
## Legacy Method: Set $target_url to the original requested URL.
## This requires http_set_misc module, replace 'set_escape_uri' with 'set' if you don't have this module.
# set_escape_uri $target_url $scheme://$http_host$request_uri;
## Legacy Method: When there is a 401 response code from the authz endpoint redirect to the portal with the 'rd'
## URL parameter set to $target_url. This requires users update 'auth.shobu.fr/' with their external authelia URL.
# error_page 401 =302 https://auth.shobu.fr/?rd=$target_url;
'';
}

17
hosts/thea/minecraft.nix
View File

@@ -1,18 +1,9 @@
{
pkgs,
inputs,
lib,
...
}:
{pkgs, inputs, ...}:
let
modpack = pkgs.fetchPackwizModpack {
url = "file:///${inputs.testing-grounds.modpack}/pack.toml";
packHash = "sha256-+taYj4uroLNxM4Nia3n+5P1Y/g6dzE6Iq13TsZgk4mU=";
};
gregpack = pkgs.fetchPackwizModpack {
url = "https://raw.githubusercontent.com/GregTechCEu/GregTech-Modern-Community-Pack/refs/heads/main/pack.toml";
packHash = "sha256-SE86gP15H/Aug6vTLmMxHuxF2/+iLmCI/wQlON1xasM=";
};
in
{
imports = [ inputs.nix-minecraft.nixosModules.minecraft-servers ];
@@ -39,10 +30,4 @@ in
};
};
};
networking.firewall.allowedTCPPorts = [
25865 # autismcraft
25665 # reclamation
25675 # reclamation
];
}

86
hosts/thea/nginx.nix
View File

@@ -1,17 +1,11 @@
{ inputs, pkgs, ... }:
{inputs, ...}:
let
# striped-front = inputs.striped-front;
striped-front = inputs.striped-front;
sin-address = "192.168.1.14";
authelia-snippets = pkgs.callPackage ./lib/autheliaSnippets.nix { inherit pkgs; };
in
{
in {
networking.firewall.allowedTCPPorts = [
80
443
8448
];
networking.firewall.allowedTCPPorts = [ 80 443 8448 ];
services.nginx = {
enable = true;
@@ -38,61 +32,16 @@ in
in
(
mkStarr "jellyfin.shobu.fr" "8096"
# // mkStarr "radarr.shobu.fr" "7878"
// mkStarr "radarr.shobu.fr" "7878"
// mkStarr "sonarr.shobu.fr" "8989"
// mkStarr "prowlarr.shobu.fr" "9696"
// mkStarr "bazarr.shobu.fr" "6767"
// mkStarr "lidarr.shobu.fr" "8686"
// mkStarr "whisparr.shobu.fr" "6969"
// mkStarr "jellyseerr.shobu.fr" "5055"
// mkStarr "fileshelter.shobu.fr" "5091"
// mkStarr "lidarr.shobu.fr" "8686"
// mkStarr "transmission.shobu.fr" "9091"
// mkStarr "zimablade-admin.shobu.fr" "61208"
// {
"radarr.shobu.fr" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
include ${authelia-snippets.authelia-location};
error_log /var/log/nginx/debug_radarr.log debug;
'';
locations."/" = {
proxyPass = "http://${sin-address}:7878";
proxyWebsockets = true;
extraConfig = ''
include ${authelia-snippets.proxy};
include ${authelia-snippets.authelia-authrequest};
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# From https://gist.github.com/R0GGER/916183fca41f02df1471a6f455e5869f
# HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
add_header Strict-Transport-Security "max-age=63072000; preload" always;
add_header Referrer-Policy strict-origin-when-cross-origin;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options SAMEORIGIN;
add_header Content-Security-Policy upgrade-insecure-requests;
add_header Permissions-Policy interest-cohort=();
add_header Expect-CT 'enforce; max-age=604800';
more_set_headers 'Server: Proxy';
more_clear_headers 'X-Powered-By';
proxy_ssl_server_name on;
'';
};
locations."/api" = {
proxyPass = "http://${sin-address}:7878";
proxyWebsockets = true;
extraConfig = ''
proxy_ssl_server_name on;
'';
};
};
"shobu.fr" = {
enableACME = true;
forceSSL = true;
@@ -128,12 +77,12 @@ in
'';
};
};
# "striped.shobu.fr" = {
# enableACME = true;
# forceSSL = true;
"striped.shobu.fr" = {
enableACME = true;
forceSSL = true;
# root = "${striped-front.packages.x86_64-linux.default}/dist";
# };
root = "${striped-front.packages.x86_64-linux.default}/dist";
};
"dashboard.shobu.fr" = {
enableACME = true;
forceSSL = true;
@@ -154,19 +103,8 @@ in
enableACME = true;
forceSSL = true;
extraConfig = ''
# include ${authelia-snippets.authelia-location};
# error_log /var/log/nginx/debug_files.log debug;
'';
locations."/" = {
proxyPass = "http://${sin-address}:8086";
extraConfig = ''
# include ${authelia-snippets.proxy};
# include ${authelia-snippets.authelia-authrequest};
proxy_set_header X-Real-IP $remote_addr;
client_max_body_size 100M;
'';
};
};
# "matrix.shobu.fr" = {

3
hosts/thea/ollama.nix
View File

@@ -1,5 +1,4 @@
{ inputs, ... }:
{
{inputs, ...}: {
# virtualisation.docker = {
# enable = true;
# storageDriver = "btrfs";

10
hosts/thea/secrets/authelia-encryption.age
View File

@@ -1,10 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 /uqj4A 9cZH/SlDpiluz2O3wCxRcBhmt3L5eN24I0HHwiJDWRU
VVZaJlB4QzxBPcaN3MjCemjptEbqSUMD8VVtKyGezH8
-> ssh-ed25519 70Re8Q ZFEQxmnm+dFKSXcQAc0KxkewCB59J5FyL1Ob/uEEtVg
fRdEZpIytxjUeSKPieIzvZaAn5Mikjp28HlZhKwzS7M
-> ssh-ed25519 QvCxGg ifsqXBKO0mqE1RuJ44Y7qDJ7lyci8iyz+J1xFgO38jI
MkhMTZ+RttBFFMkbIaSCSQiExR1gf4OyFWHXIsx+QYQ
--- nnMlLyQjixpBkx+bSU5I364IP3KnZ0qnmMPueBcRHpU
ë˜<EFBFBD>6TX—ÕÞ ÌfÁ““É
®?Z7M<37>T<EFBFBD>Å|ÚQf

BIN
hosts/thea/secrets/authelia-jwt.age
View File

Binary file not shown.

9
hosts/thea/secrets/authelia-session.age
View File

@@ -1,9 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 /uqj4A yxpGM3pJxfnM/5q9+NzdfG2kBjjNex6bdyUeZEBKjnI
UO6ovn2cFeNi6SbcGpfF71/OAyQccyG+l6aZXubUal8
-> ssh-ed25519 70Re8Q GW40lmeg6Lj7ntZswT0/hWZFpYBWoV3CMq4pdo+Ncgc
oWTYuM/s3G7EKPWPQpHbXo9Tpzgn7YlYVQHYGn4xKS8
-> ssh-ed25519 QvCxGg pKLpxtuMIa0xPXoaeb4WeQWVEINRE/j4nrxDB1J9BUI
1azpt5MImTiDSF+Ts9EvUCdWMeVG7lErUHSBQfMiip4
--- IOOR8Us6zlZhJm0V4X3IlbkHSdtR3GLLxEfa4i+lqv0
ó P¬¥rhé"BFãŽÌŸtÌ€ê¤{¾(öB`q“Óø"AµnN_ ™f*ÏŒºvPpj&{)ìŠØ@ÃkF«Ú]<Aš*Á<><EFBFBD>´WTm”ƪD‡,Ý1E­™”¦³eѨ·O¢š

3
hosts/thea/secrets/default.nix
View File

@@ -1,3 +0,0 @@
{ ... }:
{
}

3
hosts/thea/shares.nix
View File

@@ -1,5 +1,4 @@
{ ... }:
let
{...}: let
sin-address = "192.168.1.14";
in
{

7
hosts/thea/striped/back.nix
View File

@@ -1,8 +1,7 @@
{ inputs, ... }:
{inputs, ...}:
let
striped-back = inputs.striped-back;
in
{
in {
imports = [
striped-back.nixosModules.default
];
@@ -18,7 +17,7 @@ in
socket.enable = true;
settings.django = {
allowed-hosts = [ "striped-api.shobu.fr" ];
allowed-hosts = ["striped-api.shobu.fr"];
debug = true;
databases = {
default = {

3
hosts/thea/striped/default.nix
View File

@@ -1,5 +1,4 @@
{ striped-back, striped-front, ... }:
{
{striped-back, striped-front, ...}:{
imports = [
./back.nix
];

6
modules/gitea/sin/default.nix
View File

@@ -1,8 +1,6 @@
{ lib, ... }:
let
{lib, ...}: let
ssh_port = 24658;
in
{
in {
services = {
gitea = {
enable = true;

52
modules/gitea/thea/default.nix
View File

@@ -1,56 +1,12 @@
{
nodes,
inputs,
pkgs,
...
}:
let
{nodes, ...}:let
sin-address = "192.168.1.14";
unstable = import inputs.unstable { system = pkgs.system; };
in
{
in{
imports = [
./virtualisation.nix
];
networking.nat.forwardPorts = [
{
networking.nat.forwardPorts = [{
sourcePort = nodes.sin.config.services.gitea.settings.server.SSH_PORT;
proto = "tcp";
destination = "${sin-address}:22";
}
];
services.gitea-actions-runner.package = unstable.gitea-actions-runner;
# services.gitea-actions-runner.instances = {
# "gitea.shobu.fr-runner" = {
# enable = true;
# name = "gitea.shobu.fr-runner";
# url = nodes.sin.config.services.gitea.settings.server.ROOT_URL;
# token = "uEDPBW6Z9oItAKRtloVwis0LkPbD4OmV2w5esOhW";
# labels = [
# "ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04"
# ];
# settings = {
# cache = {
# # Enable cache server to use actions/cache.
# enabled = true;
# # The directory to store the cache data.
# # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
# dir = "";
# # The host of the cache server.
# # It's not for the address to listen, but the address to connect from job containers.
# # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
# host = "";
# # The port of the cache server.
# # 0 means to use a random available port.
# port = 0;
# # The external cache server URL. Valid only when enable is true.
# # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
# # The URL should generally end with "/".
# external_server = "";
# };
# };
# };
# };
}];
}

15
modules/gitea/thea/virtualisation.nix
View File

@@ -1,5 +1,4 @@
{ nodes, pkgs, ... }:
{
{nodes, pkgs, ...}: {
systemd.sockets.podman.socketConfig.Symlinks = [
"/run/docker.sock"
];
@@ -16,23 +15,15 @@
};
};
environment.systemPackages = with pkgs; [
podman-compose
];
virtualisation.oci-containers.containers =
let
virtualisation.oci-containers.containers = let
runner_config = pkgs.writeTextFile {
name = "config.yml";
text = ''
container:
network: "host"
valid_volumes:
- "/var/nix/hosted-store"
'';
};
in
{
in {
gitea-runner = {
image = "gitea/act_runner@sha256:8477d5b61b655caad4449888bae39f1f34bebd27db56cb15a62dccb3dcf3a944";
autoStart = true;

11
scripts/upload-to-cache.sh
View File

@@ -1,11 +0,0 @@
#!/bin/sh
set -eu
set -f
if ! nix --version; then
exit 0
fi
export IFS=' '
echo "Uploading paths" $OUT_PATHS
exec nix copy --to "ssh://root@localhost" $OUT_PATHS