sin_serhao/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: sin_serhao:test
Branches Tags
sin_serhao:master sin_serhao:test sin_serhao:authelia sin_serhao:disk sin_serhao:test-deploy
..
compare: sin_serhao:disk
Branches Tags
sin_serhao:test sin_serhao:master sin_serhao:authelia sin_serhao:disk sin_serhao:test-deploy

2 Commits
test ... disk

Author SHA1 Message Date
sin serhao
07ae2f1996 luks
All checks were successful
/ perform flake analysis (push) Successful in 36s
Details
2026-01-15 14:09:07 +01:00
sin serhao
679e8e2781 single disk array
All checks were successful
/ perform flake analysis (push) Successful in 40s
Details
2026-01-15 10:32:07 +01:00
25 changed files with 238 additions and 658 deletions
Expand all files Collapse all files

275
flake.lock generated
View File

@@ -21,22 +21,6 @@
"type": "github"
}
},
"blobs": {
"flake": false,
"locked": {
"lastModified": 1604995301,
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"type": "gitlab"
}
},
"colmena": {
"inputs": {
"flake-compat": "flake-compat",
@@ -65,11 +49,11 @@
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1769889994,
"narHash": "sha256-uEn3WcpPHe3sMJMgIJ0XW3f4/+TRzZpNgv4vu5/gjmA=",
"lastModified": 1767637959,
"narHash": "sha256-+gBU5Cj9QNpHLQ5PHJoWNQft7TMsBM6X+tDQg+/B2P0=",
"owner": "9001",
"repo": "copyparty",
"rev": "9b436eb52e5cfe7a0a8e59dd9f1a37351f3a2abd",
"rev": "038af507772593b904b5c3efc306f89cbdf2b6fb",
"type": "github"
},
"original": {
@@ -107,11 +91,11 @@
]
},
"locked": {
"lastModified": 1769524058,
"narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=",
"lastModified": 1766150702,
"narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=",
"owner": "nix-community",
"repo": "disko",
"rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d",
"rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378",
"type": "github"
},
"original": {
@@ -155,11 +139,11 @@
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1761588595,
"narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
"lastModified": 1747046372,
"narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
"type": "github"
},
"original": {
@@ -198,51 +182,39 @@
"type": "github"
}
},
"git-hooks": {
"flake-utils_3": {
"inputs": {
"flake-compat": [
"simple-mailserver",
"flake-compat"
],
"gitignore": "gitignore",
"nixpkgs": [
"simple-mailserver",
"nixpkgs"
]
"systems": "systems_2"
},
"locked": {
"lastModified": 1763988335,
"narHash": "sha256-QlcnByMc8KBjpU37rbq5iP7Cp97HvjRP0ucfdh+M4Qc=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "50b9238891e388c9fdc6a5c49e49c42533a1b5ce",
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"gitignore": {
"flake-utils_4": {
"inputs": {
"nixpkgs": [
"simple-mailserver",
"git-hooks",
"nixpkgs"
]
"systems": "systems_3"
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
@@ -291,15 +263,35 @@
"nix-minecraft": {
"inputs": {
"flake-compat": "flake-compat_2",
"nixpkgs": "nixpkgs_4",
"systems": "systems_2"
"flake-utils": "flake-utils_3",
"nixpkgs": "nixpkgs_4"
},
"locked": {
"lastModified": 1770000653,
"narHash": "sha256-QO/twGynxjOSUDtxbqJLshc/Q5/wImLH5O6KV2p9eoE=",
"lastModified": 1767147099,
"narHash": "sha256-395ehjdAtaqCbKmx+PhKAqnkYLvTtAzq2qzFG9qaGDw=",
"owner": "Infinidoge",
"repo": "nix-minecraft",
"rev": "6a2ddb643aaf7949caa6158e718c5efc3dda7dc1",
"rev": "01f571579edd64433f97c4294137fbc366deef4b",
"type": "github"
},
"original": {
"owner": "Infinidoge",
"repo": "nix-minecraft",
"type": "github"
}
},
"nix-minecraft_2": {
"inputs": {
"flake-compat": "flake-compat_3",
"flake-utils": "flake-utils_4",
"nixpkgs": "nixpkgs_6"
},
"locked": {
"lastModified": 1767147099,
"narHash": "sha256-395ehjdAtaqCbKmx+PhKAqnkYLvTtAzq2qzFG9qaGDw=",
"owner": "Infinidoge",
"repo": "nix-minecraft",
"rev": "01f571579edd64433f97c4294137fbc366deef4b",
"type": "github"
},
"original": {
@@ -357,11 +349,11 @@
},
"nixpkgs_4": {
"locked": {
"lastModified": 1769461804,
"narHash": "sha256-msG8SU5WsBUfVVa/9RPLaymvi5bI8edTavbIq3vRlhI=",
"lastModified": 1748929857,
"narHash": "sha256-lcZQ8RhsmhsK8u7LIFsJhsLh/pzR9yZ8yqpTzyGdj+Q=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "bfc1b8a4574108ceef22f02bafcf6611380c100d",
"rev": "c2a03962b8e24e669fb37b7df10e7c79531ff1a4",
"type": "github"
},
"original": {
@@ -373,21 +365,51 @@
},
"nixpkgs_5": {
"locked": {
"lastModified": 1770136044,
"narHash": "sha256-tlFqNG/uzz2++aAmn4v8J0vAkV3z7XngeIIB3rM3650=",
"lastModified": 1767313136,
"narHash": "sha256-16KkgfdYqjaeRGBaYsNrhPRRENs0qzkQVUooNHtoy2w=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e576e3c9cf9bad747afcddd9e34f51d18c855b4e",
"rev": "ac62194c3917d5f474c1a844b6fd6da2db95077d",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.11",
"ref": "nixos-25.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_6": {
"locked": {
"lastModified": 1748929857,
"narHash": "sha256-lcZQ8RhsmhsK8u7LIFsJhsLh/pzR9yZ8yqpTzyGdj+Q=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "c2a03962b8e24e669fb37b7df10e7c79531ff1a4",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_7": {
"locked": {
"lastModified": 1767364772,
"narHash": "sha256-fFUnEYMla8b7UKjijLnMe+oVFOz6HjijGGNS1l7dYaQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "16c7794d0a28b5a37904d55bcca36003b9109aaa",
"type": "github"
},
"original": {
"id": "nixpkgs",
"type": "indirect"
}
},
"nixpkgs_8": {
"locked": {
"lastModified": 1737062831,
"narHash": "sha256-Tbk1MZbtV2s5aG+iM99U8FqwxU/YNArMcWAv6clcsBc=",
@@ -401,23 +423,7 @@
"url": "https://flakehub.com/f/NixOS/nixpkgs/0.1.%2A.tar.gz"
}
},
"nixpkgs_7": {
"locked": {
"lastModified": 1764374374,
"narHash": "sha256-naS7hg/D1yLKSZoENx9gvsPLFiNEOTcqamJSu0OEvCA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6a49303095abc094ee77dc243a9e351b642e8e75",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_8": {
"nixpkgs_9": {
"locked": {
"lastModified": 1736549401,
"narHash": "sha256-ibkQrMHxF/7TqAYcQE+tOnIsSEzXmMegzyBWza6uHKM=",
@@ -433,6 +439,26 @@
"type": "github"
}
},
"reclamation": {
"inputs": {
"nix-minecraft": "nix-minecraft_2",
"nixpkgs": "nixpkgs_7",
"utils": "utils"
},
"locked": {
"lastModified": 1767786101,
"narHash": "sha256-ENlpYr2V5u0/Enq07nIHfzetqmS95aydQYIM6sISVUc=",
"ref": "refs/heads/master",
"rev": "b71acff364b7b5eb3e1b68915aeb379053b86c94",
"revCount": 10,
"type": "git",
"url": "https://git.shobu.fr/sin_serhao/reclamation"
},
"original": {
"type": "git",
"url": "https://git.shobu.fr/sin_serhao/reclamation"
}
},
"root": {
"inputs": {
"agenix": "agenix",
@@ -441,15 +467,15 @@
"disko": "disko",
"nix-minecraft": "nix-minecraft",
"nixpkgs": "nixpkgs_5",
"reclamation": "reclamation",
"shoblog-front": "shoblog-front",
"simple-mailserver": "simple-mailserver",
"testing-grounds": "testing-grounds",
"unstable": "unstable"
}
},
"shoblog-front": {
"inputs": {
"nixpkgs": "nixpkgs_6"
"nixpkgs": "nixpkgs_8"
},
"locked": {
"lastModified": 1752594581,
@@ -465,27 +491,6 @@
"type": "gitlab"
}
},
"simple-mailserver": {
"inputs": {
"blobs": "blobs",
"flake-compat": "flake-compat_3",
"git-hooks": "git-hooks",
"nixpkgs": "nixpkgs_7"
},
"locked": {
"lastModified": 1766321686,
"narHash": "sha256-icOWbnD977HXhveirqA10zoqvErczVs3NKx8Bj+ikHY=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "7d433bf89882f61621f95082e90a4ab91eb0bdd3",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"type": "gitlab"
}
},
"stable": {
"locked": {
"lastModified": 1750133334,
@@ -532,9 +537,39 @@
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"testing-grounds": {
"inputs": {
"nixpkgs": "nixpkgs_8"
"nixpkgs": "nixpkgs_9"
},
"locked": {
"lastModified": 1755527993,
@@ -552,11 +587,11 @@
},
"unstable": {
"locked": {
"lastModified": 1769789167,
"narHash": "sha256-kKB3bqYJU5nzYeIROI82Ef9VtTbu4uA3YydSk/Bioa8=",
"lastModified": 1767640445,
"narHash": "sha256-UWYqmD7JFBEDBHWYcqE6s6c77pWdcU/i+bwD6XxMb8A=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "62c8382960464ceb98ea593cb8321a2cf8f9e3e5",
"rev": "9f0c42f8bc7151b8e7e5840fb3bd454ad850d8c5",
"type": "github"
},
"original": {
@@ -565,6 +600,24 @@
"repo": "nixpkgs",
"type": "github"
}
},
"utils": {
"inputs": {
"systems": "systems_4"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",

63
flake.nix
View File

@@ -3,23 +3,26 @@
# Flake inputs
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
colmena.url = "github:zhaofengli/colmena";
# commons
agenix.url = "github:ryantm/agenix";
# sin inputs
# zimablade inputs
disko.url = "github:nix-community/disko";
disko.inputs.nixpkgs.follows = "nixpkgs";
copyparty.url = "github:9001/copyparty";
simple-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
# thea inputs
# sin inputs
nix-minecraft.url = "github:Infinidoge/nix-minecraft";
testing-grounds.url = "gitlab:shobu13/testing-grounds";
reclamation.url = "git+https://git.shobu.fr/sin_serhao/reclamation";
shoblog-front.url = "gitlab:shobu13/shoblog";
# striped-front.url = "git+ssh://git@gitlab.com/striped1/striped-front";
# striped-back.url = "git+ssh://git@gitlab.com/striped1/striped-back";
copyparty.url = "github:9001/copyparty";
};
@@ -41,6 +44,7 @@
# striped-back,
nix-minecraft,
testing-grounds,
reclamation,
copyparty,
...
}:
@@ -61,42 +65,24 @@
);
in
{
nixosConfigurations = rec {
nixosConfigurations = {
sin = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
disko.nixosModules.disko
agenix.nixosModules.default
./hosts/sin/configuration.nix
./hosts/sin/hardware-configuration.nix
]
++ [
# modules
./modules/gitea/sin
];
specialArgs = {
inherit inputs;
};
};
thea = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
system = "x86_64-linux";
modules = [
disko.nixosModules.disko
agenix.nixosModules.default
./hosts/thea/configuration.nix
./hosts/thea/hardware-configuration.nix
./hosts/sin/configuration.nix
./hosts/sin/hardware-configuration.nix
]
++ [
# modules
./modules/gitea/thea
./modules/gitea/sin
];
specialArgs = {
inherit inputs;
nodes = {inherit sin;};
};
inherit inputs;
};
};
};
colmenaHive = colmena.lib.makeHive {
@@ -129,9 +115,7 @@
./modules/gitea/${name}
];
deployment.targetHost = "git.shobu.fr";
# deployment.targetHost = "192.168.1.12";
deployment.targetHost = "192.168.1.12";
};
sin =
@@ -153,10 +137,7 @@
./modules/gitea/${name}
];
deployment.targetHost = "git.shobu.fr";
deployment.targetPort = 24658;
# deployment.targetHost = "192.168.1.14";
deployment.targetHost = "192.168.1.14";
deployment.allowLocalDeployment = true;
};
};

3
hosts/sin/configuration.nix
View File

@@ -17,7 +17,6 @@
./secrets.nix
./coredns
./copyparty.nix
./trilium.nix
];
boot.initrd.kernelModules = [ "usb_storage" ];
@@ -44,8 +43,6 @@
3000 # gitea
config.services.trilium-server.port
53
];

41
hosts/sin/copyparty.nix
View File

@@ -27,48 +27,11 @@
shr = "/shares";
};
accounts = {
serhao = {
passwordFile = config.age.secrets.copyparty-serhao.path;
};
};
volumes = {
"/movies" = {
path = "/mnt/mediacenter/media/movies";
access = {
r = "*";
};
};
"/shows" = {
path = "/mnt/mediacenter/media/shows";
access = {
r = "*";
};
};
"/musics" = {
path = "/mnt/mediacenter/media/musics";
access = {
r = "*";
};
};
"/mediacenter" = {
"/media" = {
path = "/mnt/mediacenter/media";
access = {
rw = ["serhao"];
};
flags = {
e2d = true;
};
};
"/data" = {
path = "/mnt/data";
access = {
rwd = ["serhao"];
};
flags = {
e2d = true;
r = "*";
};
};
};

2
hosts/sin/homepage.nix
View File

@@ -122,7 +122,7 @@
description = "bring back your world to life";
widget = {
type = "minecraft";
url = "udp://minecraft.shobu.fr:25665";
url = "udp://minecraft.shobu.fr:43001";
};
};
}

45
hosts/sin/jellyfin.nix
View File

@@ -2,15 +2,19 @@
let
unstable = import inputs.unstable { system = pkgs.system; };
in
{systemd.services.jellyfin.environment.LIBVA_DRIVER_NAME = "iHD"; # or i965 for older GPUs
environment.sessionVariables = { LIBVA_DRIVER_NAME = "iHD"; };
{
nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
};
hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
intel-ocl # Generic OpenCL support
# For Broadwell and newer (ca. 2014+), use with LIBVA_DRIVER_NAME=iHD:
intel-media-driver
intel-vaapi-driver
vaapiVdpau
intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
vpl-gpu-rt # QSV on 11th gen or newer
intel-media-sdk # QSV up to 11th gen
];
};
@@ -50,12 +54,6 @@ in
"transmission"
];
users.users.whisparr.extraGroups = [
"jellyfin"
"starr"
"transmission"
];
users.users.shobu.extraGroups = [
"jellyfin"
"starr"
@@ -78,27 +76,15 @@ in
enable = true;
openFirewall = true;
group = "starr";
settings = {
authentication.AuthenticationMethod = "external";
authentication.AuthenticationType = "enabled";
};
};
radarr = {
enable = true;
openFirewall = true;
group = "starr";
settings = {
authentication.AuthenticationMethod = "external";
authentication.AuthenticationType = "enabled";
};
};
prowlarr = {
enable = true;
openFirewall = true;
settings = {
authentication.AuthenticationMethod = "external";
authentication.AuthenticationType = "enabled";
};
};
bazarr = {
enable = true;
@@ -107,18 +93,7 @@ in
lidarr = {
enable = true;
openFirewall = true;
settings = {
authentication.AuthenticationMethod = "external";
authentication.AuthenticationType = "enabled";
};
};
whisparr = {
enable = true;
openFirewall = true;
settings = {
authentication.AuthenticationMethod = "external";
authentication.AuthenticationType = "enabled";
};
package = unstable.lidarr;
};
jellyseerr = {

10
hosts/sin/luks-btrfs-raid.nix
View File

@@ -7,7 +7,7 @@
# and the actual btrfs raid on the second disk, and the name of these entries matters!
system = {
type = "disk";
device = "/dev/sdb";
device = "/dev/mmcblk0";
content = {
type = "gpt";
partitions = {
@@ -42,10 +42,6 @@
"/root" = {
mountpoint = "/";
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [ "compress=zstd:3" ];
};
};
};
};
@@ -78,6 +74,10 @@
mountpoint = "/mnt/fs";
mountOptions = [ "compress=zstd:3" ];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [ "compress=zstd:3" ];
};
"/data" = {
mountpoint = "/mnt/data";

37
hosts/sin/mailserver.nix
View File

@@ -1,37 +0,0 @@
{
inputs,
config,
lib,
...
}:
let
inherit (lib)
mkDefault
;
in
{
imports = [
inputs.simple-mailserver.default
];
security.acme = {
acceptTerms = mkDefault true;
certs.${config.mailserver.fqdn} = {
};
};
mailserver = {
enable = true;
stateVersion = 3;
fqdn = "mail.shobu.fr";
domains = [ "shobu.fr" ];
x509.useACMEHost = config.mailserver.fqdn;
loginAccounts = {
"auth@shobu.fr" = {
password = "$y$j9T$aLAZYUOUrc2jxcNYGy1qt/$B1ZdufZtzJJmnLYIYW11nk1BwIIy1Xkjxb7lx3ge/Z3";
};
};
};
}

17
hosts/sin/secrets.nix
View File

@@ -10,22 +10,5 @@
file = ./secrets/airvpn_wireguard_key_env.age;
mode = "700";
};
copyparty-serhao = {
file = ./secrets/copyparty-serhao.age;
mode = "700";
owner = "copyparty";
};
authelia-jwt = {
file = ./secrets/authelia-jwt.age;
mode = "700";
};
authelia-encryption = {
file = ./secrets/authelia-encryption.age;
mode = "700";
};
authelia-session = {
file = ./secrets/authelia-session.age;
mode = "700";
};
};
}

7
hosts/sin/secrets/authelia-encryption.age
View File

@@ -1,7 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 /uqj4A L95rgX9APIgoMvkplZIYgMQDhKBOsPGOw/maymMhiks
LNfa/YBCd84iknAMk4wbQps4KMXCvrhPp2d9KkhJWHI
-> ssh-ed25519 NoSl6Q G/y6DUFTyV6Jy6KHo8yc+xxtu3aJtTOF3Ldmxq3FmyE
FOExj321S/VIPQ/qdvZBcJ930HI/GsjDVjJp9WMSXLA
--- iIpq/CWng+4+kQbvJQb/qgejr/eza94wCkegEJ2dvno
ÿNôU*1=DÔOˆ£W6]_â©Kà=©Þký¦_ù˜Ýøɇ™tmË•ãw°

7
hosts/sin/secrets/authelia-jwt.age
View File

@@ -1,7 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 /uqj4A i6SPCzjkGrPMjhC9NQDdYTk3fzXoD4OSQdhS1togN0A
Lqus8sROz1O4EepauPwC4RX/qH+SnDiL2H5iZGtAhXo
-> ssh-ed25519 NoSl6Q LxV4a5HiB6qfPjbba75dkVVECzaqrMjksMXHh53JbGQ
x4POzurz+J2mymT81M+cu69Iv/MeiYt+JvaRteinm5Q
--- OFqooyZ2HPBxP756PqpgJAyVOTkqhJ0LhEQsLJBZUtE
—>»&Ȇw·\D„Au{õz{CˆÁ~á$_ˆ9»¢ZZ<5A>U^„ÎÊL!(lnпÂó‰Üv{fdº ß l¢,<2C>|<7C>Ü.¤çH«¤³êVaù¥ÍÓˆ™PêwOo

7
hosts/sin/secrets/authelia-session.age
View File

@@ -1,7 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 /uqj4A eff535EaT7gEZOacWx9raBJMdd4PPd9+y6Y3eOt1wBI
5P4aefjWVJ4L11ff+Cg8j3gQ58I+agDPUMFWiCaL/sQ
-> ssh-ed25519 NoSl6Q 3+EZtaiiZQk7JK6zCNo/nUSSRAJzf8nal2X1sFkYmxo
f5gzpiOtCbYdiV7vOxfZvJPRmRruTbHg6T8g0r5JRgc
--- BBL3wE2eSmHVI4tlhq+5fy84cauw6P6G69nFXuObLKE
êéæí @[¡SÓcñ<C3B1>SyÉŠ‡<; í†<C3AD>Ë茟<C592><C5B8>§(°Æž1\Yjȯ½½4åõ Ýȹ.3>Â[Èq¢Jh 8í·šÕVt”øX[Ì~[(#^_5€§<E282AC>

7
hosts/sin/secrets/copyparty-serhao.age
View File

@@ -1,7 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 BoEq8A O6x9n4kvpqLucX7NuNeD2SsMmvT5n6aVYwo4nQt21H8
R+4g1QuXtxovyv5Mav+mAhgGjOcGQW4q17FSBtzXZQo
-> ssh-ed25519 NoSl6Q iKPipXfIGWxUobXF/9CSRhc/zKgmKKWWZhDTDgX0jWA
LB4TFCdbEG0VToYzTWdFedd0duF5PKlCnpBs4nBbLAQ
--- D7VE3Mwgx9ehk5rNuHm62S5ggQBm9wJodZa61jLEVsY
8ÔîÐÄÒë`S«šéT¯Fª9&(½Ú²Á‡¸=~Ïáš­où».XŽ¶ž7ðV&'Øøå ÒÔ¸‹%ã î

9
hosts/sin/trilium.nix
View File

@@ -1,9 +0,0 @@
{ ... }:
{
services.trilium-server = {
enable = true;
port = 12783;
host = "0.0.0.0";
noAuthentication = true;
};
}

126
hosts/thea/authelia.nix
View File

@@ -1,126 +0,0 @@
{
pkgs,
config,
lib,
...
}:
let
cfg = config.services.authelia.instances.main;
dataDir = "/var/lib/authelia-${cfg.name}";
authelia-snippets = pkgs.callPackage ./lib/autheliaSnippets.nix { inherit pkgs; };
in
{
services.authelia.instances = {
main = {
enable = true;
secrets = {
jwtSecretFile = config.age.secrets.authelia-jwt.path;
storageEncryptionKeyFile = config.age.secrets.authelia-encryption.path;
sessionSecretFile = config.age.secrets.authelia-session.path;
};
settings = {
theme = "light";
log.level = "debug";
authentication_backend = {
file = {
path = dataDir + "/users.yml";
};
};
storage = {
local = {
path = dataDir + "/db.sqlite3";
};
};
session = {
cookies = [
{
domain = "shobu.fr";
authelia_url = "https://auth.shobu.fr";
default_redirection_url = "https://shobu.fr";
}
];
};
notifier = {
filesystem = {
filename = "${dataDir}/notification.txt";
};
};
access_control = {
default_policy = "deny";
rules = [
# {
# domain = "radarr.shobu.fr";
# policy = "bypass";
# }
{
domain = "*.shobu.fr";
policy = "one_factor";
}
];
};
server = {
endpoints = {
authz = {
auth-request = {
implementation = "AuthRequest";
};
};
};
};
};
};
};
# systemd.tmpfiles.rules = lib.mkIf cfg.enable [
# "d '${dataDir}' 0700 ${cfg.user} ${cfg.group} - -"
# ];
age.secrets = {
authelia-jwt = {
owner = cfg.user;
file = ./secrets/authelia-jwt.age;
mode = "700";
};
authelia-encryption = {
owner = cfg.user;
file = ./secrets/authelia-encryption.age;
mode = "700";
};
authelia-session = {
owner = cfg.user;
file = ./secrets/authelia-session.age;
mode = "700";
};
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts."auth.shobu.fr" =
let
upstream = "http://thea:9091";
in
{
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = upstream;
extraConfig = ''
error_log /var/log/nginx/debug_authelia.log debug;
include ${authelia-snippets.proxy};
set $upstream ${upstream};
'';
};
locations."/api/verify" = {
proxyPass = upstream;
};
locations."/api/authz" = {
proxyPass = upstream;
};
};
};
}

13
hosts/thea/configuration.nix
View File

@@ -16,11 +16,11 @@ in
{
imports = [
./nginx.nix
# ./striped
# ./cybercoffee
./ollama.nix
./minecraft.nix
./secrets
./authelia.nix
./nix-serve.nix
];
# Use the systemd-boot EFI boot loader.
@@ -37,14 +37,7 @@ in
# dhcpcd.extraConfig = "nohook resolv.conf";
firewall = {
allowedTCPPorts = [
nodes.sin.config.services.gitea.settings.server.SSH_PORT
]
++ [
# minecraft ad hoc server ports
25665
25675
];
allowedTCPPorts = [ nodes.sin.config.services.gitea.settings.server.SSH_PORT ];
};
nat = {
enable = true;

2
hosts/thea/hardware-configuration.nix
View File

@@ -49,7 +49,7 @@
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/2CF4-0109";
device = "/dev/disk/by-uuid/D1B9-8019";
fsType = "vfat";
options = [
"fmask=0077"

81
hosts/thea/lib/autheliaSnippets.nix
View File

@@ -1,81 +0,0 @@
{ pkgs }:
{
proxy = pkgs.writeText "proxy.conf" ''
## Headers
# proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-URI $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $remote_addr;
'';
authelia-location = pkgs.writeText "authelia-location.conf" ''
set $upstream_authelia http://192.168.1.12:9091/api/authz/auth-request;
## Virtual endpoint created by nginx to forward auth requests.
location /internal/authelia/authz {
## Essential Proxy Configuration
internal;
proxy_pass $upstream_authelia;
## Headers
## The headers starting with X-* are required.
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Content-Length "";
proxy_set_header Connection "";
## Basic Proxy Configuration
proxy_pass_request_body off;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 4 32k;
client_body_buffer_size 128k;
## Advanced Proxy Configuration
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
}
'';
authelia-authrequest = pkgs.writeText "authelia-authrequest.conf" ''
## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
auth_request /internal/authelia/authz;
## Save the upstream metadata response headers from Authelia to variables.
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
## Inject the metadata response headers from the variables into the request made to the backend.
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Email $email;
proxy_set_header Remote-Name $name;
## Configure the redirection when the authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method'
## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url
## value to determine the redirection URL here. It's much simpler and compatible with the mutli-cookie domain easily.
## Modern Method: Set the $redirection_url to the Location header of the response to the Authz endpoint.
auth_request_set $redirection_url $upstream_http_location;
## Modern Method: When there is a 401 response code from the authz endpoint redirect to the $redirection_url.
error_page 401 =302 $redirection_url;
## Legacy Method: Set $target_url to the original requested URL.
## This requires http_set_misc module, replace 'set_escape_uri' with 'set' if you don't have this module.
# set_escape_uri $target_url $scheme://$http_host$request_uri;
## Legacy Method: When there is a 401 response code from the authz endpoint redirect to the portal with the 'rd'
## URL parameter set to $target_url. This requires users update 'auth.shobu.fr/' with their external authelia URL.
# error_page 401 =302 https://auth.shobu.fr/?rd=$target_url;
'';
}

33
hosts/thea/minecraft.nix
View File

@@ -9,10 +9,7 @@ let
url = "file:///${inputs.testing-grounds.modpack}/pack.toml";
packHash = "sha256-+taYj4uroLNxM4Nia3n+5P1Y/g6dzE6Iq13TsZgk4mU=";
};
gregpack = pkgs.fetchPackwizModpack {
url = "https://raw.githubusercontent.com/GregTechCEu/GregTech-Modern-Community-Pack/refs/heads/main/pack.toml";
packHash = "sha256-SE86gP15H/Aug6vTLmMxHuxF2/+iLmCI/wQlON1xasM=";
};
reclamation = inputs.reclamation.packages.${pkgs.stdenv.system};
in
{
imports = [ inputs.nix-minecraft.nixosModules.minecraft-servers ];
@@ -23,6 +20,28 @@ in
eula = true;
openFirewall = true;
servers.reclamation = {
enable = false;
package = pkgs.fabricServers.fabric;
symlinks = {
"mods" = "${reclamation.modpack}/mods";
"FTBLang" = "${reclamation.modpack}/FTBLang";
"defaultconfigs" = "${reclamation.modpack}/defaultconfigs";
"ressourcepacks" = "${reclamation.modpack}/ressourcepacks";
"config" = "${reclamation.modpack}/config";
"kubejs" = "${reclamation.modpack}/kubejs";
"patchouli_books" = "${reclamation.modpack}/patchouli_books";
"server.dat" = "${reclamation.modpack}/server.dat";
};
serverProperties = {
server-port = 43001;
motd = "all hail the gorgon v3.14";
allow-flight = true;
};
};
servers.testing-grounds = {
enable = true;
@@ -39,10 +58,4 @@ in
};
};
};
networking.firewall.allowedTCPPorts = [
25865 # autismcraft
25665 # reclamation
25675 # reclamation
];
}

83
hosts/thea/nginx.nix
View File

@@ -1,14 +1,8 @@
{
inputs,
pkgs,
lib,
...
}:
{ inputs, ... }:
let
# striped-front = inputs.striped-front;
sin-address = "192.168.1.14";
authelia-snippets = pkgs.callPackage ./lib/autheliaSnippets.nix { inherit pkgs; };
in
{
@@ -23,92 +17,35 @@ in
recommendedProxySettings = true;
recommendedTlsSettings = true;
typesHashMaxSize = 512;
mapHashMaxSize = 512;
virtualHosts =
let
mkVHost = host: port: {
"${host}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://${sin-address}:${port}";
};
};
};
mkStarr = host: port: {
"${host}" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
include ${authelia-snippets.authelia-location};
'';
locations."/api" = {
proxyPass = "http://${sin-address}:${port}";
proxyWebsockets = true;
extraConfig = ''
proxy_ssl_server_name on;
'';
};
locations."/" = {
proxyPass = "http://${sin-address}:${port}";
proxyWebsockets = true;
extraConfig = ''
include ${authelia-snippets.proxy};
include ${authelia-snippets.authelia-authrequest};
proxy_ssl_server_name on;
proxy_read_timeout 4800s;
'';
};
};
};
withAuthelia =
vhost: location:
(builtins.mapAttrs (
name: value:
(lib.recursiveUpdate value {
extraConfig = (if value ? extraConfig then value.extraConfig else "") + ''
include ${authelia-snippets.authelia-location};
'';
locations."${location}".extraConfig =
(
if value.locations."${location}" ? extraConfig then
value.locations."${location}".extraConfig
else
""
)
+ ''
include ${authelia-snippets.proxy};
include ${authelia-snippets.authelia-authrequest};
'';
})
) vhost);
withWebsockets =
vhost: location:
(builtins.mapAttrs (
name: value:
(lib.recursiveUpdate value {
locations."${location}".proxyWebsockets = true;
})
) vhost);
in
(
(withWebsockets (mkVHost "jellyfin.shobu.fr" "8096") "/")
mkStarr "jellyfin.shobu.fr" "8096"
// mkStarr "radarr.shobu.fr" "7878"
// mkStarr "sonarr.shobu.fr" "8989"
// mkStarr "prowlarr.shobu.fr" "9696"
// mkStarr "bazarr.shobu.fr" "6767"
// mkStarr "jellyseerr.shobu.fr" "5055"
// mkStarr "fileshelter.shobu.fr" "5091"
// mkStarr "lidarr.shobu.fr" "8686"
// mkStarr "whisparr.shobu.fr" "6969"
// mkVHost "jellyseerr.shobu.fr" "5055"
// mkVHost "transmission.shobu.fr" "9091"
// mkVHost "zimablade-admin.shobu.fr" "61208"
// (withWebsockets (withAuthelia (mkVHost "trilium.shobu.fr" "12783") "/") "/")
// mkStarr "transmission.shobu.fr" "9091"
// mkStarr "zimablade-admin.shobu.fr" "61208"
// {
"shobu.fr" = {
enableACME = true;
@@ -171,18 +108,10 @@ in
enableACME = true;
forceSSL = true;
extraConfig = ''
# include ${authelia-snippets.authelia-location};
# error_log /var/log/nginx/debug_files.log debug;
'';
locations."/" = {
proxyPass = "http://${sin-address}:8086";
extraConfig = ''
# include ${authelia-snippets.proxy};
# include ${authelia-snippets.authelia-authrequest};
proxy_set_header X-Real-IP $remote_addr;
client_max_body_size 100M;
'';
};
};

10
hosts/thea/secrets/authelia-encryption.age
View File

@@ -1,10 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 /uqj4A 9cZH/SlDpiluz2O3wCxRcBhmt3L5eN24I0HHwiJDWRU
VVZaJlB4QzxBPcaN3MjCemjptEbqSUMD8VVtKyGezH8
-> ssh-ed25519 70Re8Q ZFEQxmnm+dFKSXcQAc0KxkewCB59J5FyL1Ob/uEEtVg
fRdEZpIytxjUeSKPieIzvZaAn5Mikjp28HlZhKwzS7M
-> ssh-ed25519 QvCxGg ifsqXBKO0mqE1RuJ44Y7qDJ7lyci8iyz+J1xFgO38jI
MkhMTZ+RttBFFMkbIaSCSQiExR1gf4OyFWHXIsx+QYQ
--- nnMlLyQjixpBkx+bSU5I364IP3KnZ0qnmMPueBcRHpU
ë˜<EFBFBD>6TX—ÕÞ ÌfÁ““É
®?Z7M<37>T<EFBFBD>Å|ÚQf

BIN
hosts/thea/secrets/authelia-jwt.age
View File

Binary file not shown.

9
hosts/thea/secrets/authelia-session.age
View File

@@ -1,9 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 /uqj4A yxpGM3pJxfnM/5q9+NzdfG2kBjjNex6bdyUeZEBKjnI
UO6ovn2cFeNi6SbcGpfF71/OAyQccyG+l6aZXubUal8
-> ssh-ed25519 70Re8Q GW40lmeg6Lj7ntZswT0/hWZFpYBWoV3CMq4pdo+Ncgc
oWTYuM/s3G7EKPWPQpHbXo9Tpzgn7YlYVQHYGn4xKS8
-> ssh-ed25519 QvCxGg pKLpxtuMIa0xPXoaeb4WeQWVEINRE/j4nrxDB1J9BUI
1azpt5MImTiDSF+Ts9EvUCdWMeVG7lErUHSBQfMiip4
--- IOOR8Us6zlZhJm0V4X3IlbkHSdtR3GLLxEfa4i+lqv0
ó P¬¥rhé"BFãŽÌŸtÌ€ê¤{¾(öB`q“Óø"AµnN_ ™f*ÏŒºvPpj&{)ìŠØ@ÃkF«Ú]<Aš*Á<><EFBFBD>´WTm”ƪD‡,Ý1E­™”¦³eѨ·O¢š

3
hosts/thea/secrets/default.nix
View File

@@ -1,3 +0,0 @@
{ ... }:
{
}

6
modules/gitea/thea/virtualisation.nix
View File

@@ -1,4 +1,4 @@
{ nodes, pkgs, ... }:
{ nodes, pkgs, ... }:
{
systemd.sockets.podman.socketConfig.Symlinks = [
"/run/docker.sock"
@@ -16,10 +16,6 @@
};
};
environment.systemPackages = with pkgs; [
podman-compose
];
virtualisation.oci-containers.containers =
let
runner_config = pkgs.writeTextFile {