

2 Commits

Alexander Heldt
5e84d0147b tadpole: Enable gitea 2024-08-29 20:30:32 +02:00
Alexander Heldt
69b4b1cd21 tadpole: Add gitea module 2024-08-29 20:30:32 +02:00
28 changed files with 68 additions and 417 deletions

flake.lock generated

@@ -54,11 +54,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1725037990,
"narHash": "sha256-7ZwhCJQ8/BvP5UDSOe9PUzrDlDePxfyDrkEYuuZZJJ8=",
"lastModified": 1723946515,
"narHash": "sha256-b/OHNTfJl16JSLpGMDSoiGliqc13MmUUEu78GqS++Sg=",
"owner": "nix-community",
"repo": "emacs-overlay",
"rev": "45405f34d10260753298ff244a9b9c36e04b2e11",
"rev": "c34c8d77f326f42d43d5912c33e8802a96d29cd0",
"type": "github"
},
"original": {
@@ -113,11 +113,11 @@
]
},
"locked": {
"lastModified": 1724435763,
"narHash": "sha256-UNky3lJNGQtUEXT2OY8gMxejakSWPTfWKvpFkpFlAfM=",
"lastModified": 1723399884,
"narHash": "sha256-97wn0ihhGqfMb8WcUgzzkM/TuAxce2Gd20A8oiruju4=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "c2cd2a52e02f1dfa1c88f95abeb89298d46023be",
"rev": "086f619dd991a4d355c07837448244029fc2d9ab",
"type": "github"
},
"original": {
@@ -153,11 +153,11 @@
]
},
"locked": {
"lastModified": 1724689275,
"narHash": "sha256-wpxC7XiZ9maYZA4BSLKGXc+pn2fwaiq2Ybu5kNjl1ao=",
"lastModified": 1723753423,
"narHash": "sha256-ULsoflnTS634565jqT1IXwHzISwcphLBq+YJYL7/p/Y=",
"owner": "viperML",
"repo": "nh",
"rev": "a922eada049854019c5d1bbc82383f7095773e5c",
"rev": "24d7b24f567ef3345ac267f61579df291e42bd71",
"type": "github"
},
"original": {
@@ -183,11 +183,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1724878143,
"narHash": "sha256-UjpKo92iZ25M05kgSOw/Ti6VZwpgdlOa73zHj8OcaDk=",
"lastModified": 1723310128,
"narHash": "sha256-IiH8jG6PpR4h9TxSGMYh+2/gQiJW9MwehFvheSb5rPc=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "95c3dfe6ef2e96ddc1ccdd7194e3cda02ca9a8ef",
"rev": "c54cf53e022b0b3c1d3b8207aa0f9b194c24f0cf",
"type": "github"
},
"original": {
@@ -199,11 +199,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1724819573,
"narHash": "sha256-GnR7/ibgIH1vhoy8cYdmXE6iyZqKqFxQSVkFgosBh6w=",
"lastModified": 1723637854,
"narHash": "sha256-med8+5DSWa2UnOqtdICndjDAEjxr5D7zaIiK4pn0Q7c=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "71e91c409d1e654808b2621f28a327acfdad8dc2",
"rev": "c3aa7b8938b17aebd2deecf7be0636000d62a2b9",
"type": "github"
},
"original": {
@@ -215,11 +215,11 @@
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1724855419,
"narHash": "sha256-WXHSyOF4nBX0cvHN3DfmEMcLOVdKH6tnMk9FQ8wTNRc=",
"lastModified": 1723688146,
"narHash": "sha256-sqLwJcHYeWLOeP/XoLwAtYjr01TISlkOfz+NG82pbdg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ae2fc9e0e42caaf3f068c1bfdc11c71734125e06",
"rev": "c3d4ac725177c030b1e289015989da2ad9d56af0",
"type": "github"
},
"original": {


@@ -3,7 +3,6 @@
imports =
[
../../config-manager/default.nix
../../shared-modules/syncthing.nix
./hardware-configuration.nix
./modules
];


@@ -13,10 +13,7 @@
home.username = "alex";
home.homeDirectory = "/home/alex";
home.packages = [
pkgs.vim
pkgs.p7zip
];
home.packages = [ pkgs.vim ];
home.stateVersion = "24.05";
};


@@ -12,9 +12,6 @@ in
ssh.enable = true;
git.enable = true;
syncthing.enable = true;
restic.enable = true;
transmission.enable = true;
};
};
}


@@ -6,7 +6,6 @@
cores = [
pkgs.libretro.snes9x
pkgs.libretro.genesis-plus-gx
pkgs.libretro.swanstation
];
})
];


@@ -1,13 +1,6 @@
{ ... }:
{
services = {
displayManager = {
autoLogin = {
enable = true;
user = "alex";
};
};
xserver = {
enable = true;
@@ -21,6 +14,11 @@
};
displayManager = {
autoLogin = {
enable = true;
user = "alex";
};
gdm.enable = true;
};
};


@@ -1,20 +1,12 @@
{ pkgs, ... }:
{
fileSystems."/home/alex/media" = {
device = "/dev/disk/by-uuid/ad4acc0f-172c-40f8-8473-777c957e8764";
fsType = "ext4";
options = [ "nofail" ];
};
# 1. enable vaapi on OS-level
nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
};
hardware = {
graphics = {
hardware.opengl = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver
intel-vaapi-driver # previously vaapiIntel
@@ -24,16 +16,10 @@
vpl-gpu-rt # QSV on 11th gen or newer
];
};
};
services.jellyfin = {
enable = true;
openFirewall = true;
user = "alex";
group = "users";
dataDir = "/home/alex/media/jellyfin";
};
environment.systemPackages = [


@@ -1,51 +0,0 @@
{ lib, config, ... }:
let
enabled = config.mod.restic.enable;
in
{
options = {
mod.restic = {
enable = lib.mkEnableOption "Enable restic";
};
};
config = lib.mkIf enabled {
fileSystems."/home/alex/backup" = {
device = "/dev/disk/by-uuid/34601701-65e6-4b2c-ac4d-8bef3dfd743f";
fsType = "ext4";
options = [ "nofail" ];
};
services = {
restic.backups = {
"sync-to-external" = {
initialize = true;
user = "alex";
passwordFile = config.age.secrets.restic-password.path;
paths = [ "/home/alex/sync" ];
repository = "/home/alex/backup";
timerConfig = {
OnCalendar = "*-*-* 0/12:00:00"; # Every 12th hour, i.e. twice a day
Persistent = true;
};
pruneOpts = [
"--keep-daily 1"
"--keep-weekly 7"
"--keep-yearly 12"
];
};
};
};
age = {
secrets = {
"restic-password".file = ../../../../secrets/backwards/restic-password.age;
};
};
};
}


@@ -1,105 +0,0 @@
{ lib, config, ... }:
let
enabled = config.mod.syncthing.enable;
in
{
options = {
mod.syncthing = {
enable = lib.mkEnableOption "Enable syncthing module";
};
};
config = lib.mkIf enabled {
services.syncthing = {
enable = true;
openDefaultPorts = true;
cert = config.age.secrets.syncthing-cert.path;
key = config.age.secrets.syncthing-key.path;
user = "alex";
group = "users";
dataDir = "/home/alex/sync";
guiAddress = "0.0.0.0:8384";
settings = {
gui = {
user = "syncthing";
password = "$2a$12$J/h/JOUiW24ZXsLYLEl2kOZUS1LftxANi0OlZxLy8Dst3/jpBd0v2";
insecureSkipHostcheck = false;
};
devices = {
phone.id = config.lib.syncthing.phone;
pinwheel.id = config.lib.syncthing.pinwheel;
};
folders = {
org = {
path = "/home/alex/sync/org";
devices = [ "phone" "pinwheel" ];
versioning = {
type = "staggered";
params = {
maxage = "2592000"; # 30 days
};
};
};
personal = {
path = "/home/alex/sync/personal";
devices = [ "pinwheel" ];
versioning = {
type = "staggered";
params = {
maxAge = "2592000"; # 30 days
};
};
};
work = {
path = "/home/alex/sync/work";
devices = [ "pinwheel" ];
versioning = {
type = "staggered";
params = {
maxAge = "2592000"; # 30 days
};
};
};
books = {
path = "/home/alex/sync/books";
devices = [ "pinwheel" ];
versioning = {
type = "staggered";
params = {
maxAge = "2592000"; # 30 days
};
};
};
"phone-gps" = {
path = "/home/alex/sync/phone-gps";
devices = [ "phone" ];
versioning = {
type = "staggered";
params = {
maxage = "2592000"; # 30 days
};
};
};
};
};
};
age = {
secrets = {
"syncthing-cert".file = ../../../../secrets/backwards/syncthing-cert.age;
"syncthing-key".file = ../../../../secrets/backwards/syncthing-key.age;
};
};
};
}


@@ -1,9 +0,0 @@
{ ... }:
{
services.tailscale.enable = true;
networking.firewall = {
checkReversePath = "loose";
allowedUDPPorts = [ 41641 ];
};
}


@@ -1,42 +0,0 @@
{ pkgs, lib, config, ... }:
let
enabled = config.mod.transmission.enable;
in
{
options = {
mod.transmission = {
enable = lib.mkEnableOption "enable transmission module";
};
};
config = lib.mkIf enabled {
services = {
transmission = {
enable = true;
package = pkgs.transmission_4;
openFirewall = true;
openRPCPort = true;
user = "alex";
group = "users";
home = "/home/alex/media/ts-home";
downloadDirPermissions = "775";
settings = {
rpc-bind-address = "0.0.0.0";
rpc-port = 9191;
incomplete-dir-enabled = false;
download-dir = "/home/alex/media/downloads";
rpc-authentication-required = true;
rpc-whitelist-enabled = false;
rpc-username = "transmission";
rpc-password = "{55d884e4042db67313da49e05d7089a368eb64b3Br.3X.Xi";
};
};
};
};
}


@@ -27,8 +27,6 @@ in
boot = {
kernelPackages = pkgs.linuxPackages_latest;
tmp.cleanOnBoot = true;
kernel = {
sysctl = {
"fs.inotify.max_user_instances" = 1024; # default: 128


@@ -17,10 +17,6 @@ in
includes = [
{ path = ./gitconfig; }
];
extraConfig = {
rerere.enable = true;
};
};
home.packages = [ pkgs.tig ];


@@ -11,5 +11,3 @@
[url "git@codeberg.org:"]
insteadOf = https://codeberg.org/
[url "gitea@git.ppp.pm:"]
insteadOf = https://git.ppp.pm/


@@ -5,8 +5,8 @@
enable = true;
matchBlocks = {
"backwards" = {
hostname = "backwards";
"backwards.local" = {
hostname = "192.168.50.202";
user = "alex";
identityFile = "/home/alex/.ssh/alex.pinwheel-backwards";
port = 1122;
@@ -48,11 +48,6 @@
hostname = "codeberg.org";
identityFile = "/home/alex/.ssh/alex.pinwheel-codeberg.org";
};
"git.ppp.pm" = {
hostname = "git.ppp.pm";
identityFile = "/home/alex/.ssh/alex.pinwheel-git.ppp.pm";
};
};
};
@@ -111,19 +106,6 @@
group = "users";
};
"alex.pinwheel-git.ppp.pm" = {
file = ../../../../secrets/pinwheel/alex.pinwheel-git.ppp.pm.age;
path = "/home/alex/.ssh/alex.pinwheel-git.ppp.pm.org";
owner = "alex";
group = "users";
};
"alex.pinwheel-git.ppp.pm.pub" = {
file = ../../../../secrets/pinwheel/alex.pinwheel-git.ppp.pm.pub.age;
path = "/home/alex/.ssh/alex.pinwheel-git.ppp.pm.pub";
owner = "alex";
group = "users";
};
"alex.pinwheel-andromeda" = {
file = ../../../../secrets/pinwheel/alex.pinwheel-andromeda.age;
path = "/home/alex/.ssh/alex.pinwheel-andromeda";


@@ -15,14 +15,13 @@
settings = {
devices = {
phone.id = config.lib.syncthing.phone;
backwards.id = config.lib.syncthing.backwards;
sombrero.id = config.lib.syncthing.sombrero;
};
folders = {
org = {
path = "/home/alex/sync/org";
devices = [ "sombrero" "phone" "backwards" ];
devices = [ "sombrero" "phone" ];
versioning = {
type = "staggered";
params = {
@@ -33,7 +32,7 @@
personal = {
path = "/home/alex/sync/personal";
devices = [ "sombrero" "backwards" ];
devices = [ "sombrero" ];
versioning = {
type = "staggered";
params = {
@@ -44,7 +43,7 @@
work = {
path = "/home/alex/sync/work";
devices = [ "sombrero" "backwards" ];
devices = [ "sombrero" ];
versioning = {
type = "staggered";
params = {
@@ -55,7 +54,7 @@
books = {
path = "/home/alex/sync/books";
devices = [ "sombrero" "backwards" ];
devices = [ "sombrero" ];
versioning = {
type = "staggered";
params = {


@@ -6,4 +6,5 @@
checkReversePath = "loose";
allowedUDPPorts = [ 41641 ];
};
}


@@ -1,18 +0,0 @@
{ ... }:
{
security.acme = {
certs = {
"ppp.pm" = {
webroot = "/var/lib/acme/acme-challenge/";
email = "p@ppp.pm";
group = "nginx";
};
"git.ppp.pm" = {
webroot = "/var/lib/acme/acme-challenge/";
email = "p@ppp.pm";
group = "nginx";
};
};
};
}


@@ -15,10 +15,7 @@ in
gitea = {
enable = true;
baseDomain = "ppp.pm";
webfingerEnable = true;
webfingerAccounts = [ "p@ppp.pm" ];
domain = "git.ppp.pm";
};
pppdotpm-site.enable = true;


@@ -1,7 +1,7 @@
{ pkgs, lib, config, ... }:
{ lib, config, ... }:
let
conf = config.mod.gitea;
gitDomain = "git.${conf.baseDomain}";
enable = config.mod.gitea.enable;
domain = config.mod.gitea.domain;
nginxEnable = config.mod.nginx.enable;
in
@@ -10,61 +10,28 @@ in
mod.gitea = {
enable = lib.mkEnableOption "Enable gitea";
baseDomain = lib.mkOption {
domain = lib.mkOption {
type = lib.types.str;
default = "";
description = ''
The base domain that will be used to
- create https://git.<base domain> which will host the frontend of gitea
- host the webfinger
Note: A cert is required for this domain and "git.<base domain>".
'';
};
webfingerEnable = lib.mkEnableOption "Enable webfinger pointing to gitea";
webfingerAccounts = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [];
description = "The accounts that should be listed";
description = "The domain that nginx will use as a virtual host";
};
};
};
config = lib.mkIf (conf.enable && nginxEnable) {
assertions = [
{
assertion = conf.baseDomain != "";
message = "Option 'mod.gitea.baseDomain' cannot be empty";
}
{
assertion = builtins.hasAttr gitDomain config.security.acme.certs;
message = "There is no cert configured for ${gitDomain} used by gitea";
}
{
assertion = conf.webfingerEnable && builtins.hasAttr conf.baseDomain config.security.acme.certs;
message = "There is no cert configured for ${conf.baseDomain} used by webfinger";
}
{
assertion = conf.webfingerEnable && conf.webfingerAccounts != [];
message = "Option 'mod.gitea.webfingerAccounts' cannot be empty";
}
];
config = lib.mkIf (enable && nginxEnable) {
services.gitea = {
enable = true;
settings = {
service = {
DISABLE_REGISTRATION = true;
DISABLE_REGISTRATION = false;
};
server = {
DOMAIN = gitDomain;
ROOT_URL = "https://${gitDomain}";
DOMAIN = domain;
ROOT_URL = "https://${domain}";
SSH_PORT = 1122; # see `ssh` module
SSH_PORT = 1122; # See `ssh` module
};
database = {
@@ -79,44 +46,9 @@ in
};
services.nginx = {
virtualHosts."${conf.baseDomain}" =
let
mkWebfinger = account:
pkgs.writeTextDir (lib.escapeURL "acct:${account}") (lib.generators.toJSON {} {
subject = "acct:${account}";
links = [{
rel = "http://openid.net/specs/connect/1.0/issuer";
href = "https://${gitDomain}";
}];
});
webfingerRoot = pkgs.symlinkJoin {
name = "${gitDomain}-webfinger";
paths = builtins.map mkWebfinger conf.webfingerAccounts;
};
in
lib.mkIf conf.webfingerEnable {
virtualHosts."${domain}" = {
forceSSL = true;
useACMEHost = conf.baseDomain;
locations."/.well-known/webfinger" = {
root = webfingerRoot;
extraConfig = ''
add_header Access-Control-Allow-Origin "*";
default_type "application/jrd+json";
types { application/jrd+json json; }
if ($arg_resource) {
rewrite ^(.*)$ /$arg_resource break;
}
return 400;
'';
};
};
virtualHosts."${gitDomain}" = {
forceSSL = true;
useACMEHost = gitDomain;
enableACME = true;
locations."/" = {
proxyPass = "http://0.0.0:3000";
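Review bot: `DISABLE_REGISTRATION = false;` on the new side of the `service` block opens self-service account creation on an instance that nginx publishes at `https://${domain}`, and the old side's `assertions` list is dropped in the same hunk, so nothing in the module now checks that `domain` is non-empty before it becomes `DOMAIN`, `ROOT_URL` and the virtual host name. Keep `DISABLE_REGISTRATION = true;` unless public sign-up is intended, and if it is, pair it with `REGISTER_EMAIL_CONFIRM = true;` and `ENABLE_CAPTCHA = true;` in the same block. Since `domain` still carries `default = "";`, an assertion such as `{ assertion = domain != ""; message = "Option 'mod.gitea.domain' cannot be empty"; }` would restore the previous guard. The `proxyPass = "http://0.0.0:3000";` line at the end of the second hunk looks like a typo for a loopback address (`http://127.0.0.1:3000`); worth confirming how nginx resolves the three-octet form. The compare also appears to run from a newer state to an older one (the lockfile timestamps decrease and `hardware.graphics` becomes `hardware.opengl` in another section), so the "new" side reviewed here may in fact be the earlier revision.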


@@ -14,6 +14,16 @@ in
};
config = lib.mkIf (enabled && nginxEnabled) {
security.acme = {
certs = {
"ppp.pm" = {
webroot = "/var/lib/acme/acme-challenge/";
email = "p@ppp.pm";
group = "nginx";
};
};
};
services.pppdotpm-site = {
enable = true;
domain = "ppp.pm";
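Review bot: The added `security.acme.certs."ppp.pm"` block hardcodes the domain and contact e-mail inside a module that is otherwise driven by `config.mod.*` options (`enabled`, `nginxEnabled`), while the same literal reappears two lines later as `domain = "ppp.pm";`. A single `let domain = "ppp.pm"; in` binding, or reuse of whatever option feeds `services.pppdotpm-site.domain`, would keep the cert name, the virtual host and the site domain from drifting apart. The `webroot = "/var/lib/acme/acme-challenge/";` challenge presumably relies on nginx serving that directory for `/.well-known/acme-challenge`, which is not visible in this hunk; a comment such as `# webroot is served by the nginx module's acme-challenge location` would make the dependency explicit. The enclosing `config = lib.mkIf (enabled && nginxEnabled) {` block continues outside the hunk.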


@@ -1,7 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 Pu0HWg qnig6bOOnHbsTQ7AJfS0l6TUT7gPM3VreutamO5NfCs
ZBX0HcsOKq2QrGRCJygwol/T2NWyvxGbqYpb5mfl5FQ
-> ssh-ed25519 +oNaHQ SgIEVphkOUqNzvPkoAQDS6wvDiHvcSNCLj46Qf1Lqyo
HisQ0xxj1Qz79rmFdt0jda8D4hDWE+/d6zuA17fLsgk
--- UabMTXlGzIEj1guev4NyFyoXvP41i7oN1TMDKo517zs
}<7D>p<EFBFBD>)<29><EFBFBD><E2BFAB><EFBFBD>B<EFBFBD><42><EFBFBD><EFBFBD><EFBFBD>T<1D>x<>r0<72><30>7#<23>y<EFBFBD><32><D4A4>;Z.&<26>]!<21><>e(<28><>qvPQ돠?Y<>y<EFBFBD>$?<3F><>X<EFBFBD>2<EFBFBD><32>݀-&<26>A

Binary file not shown.

Binary file not shown.


@@ -22,8 +22,6 @@ in {
"pinwheel/alex.pinwheel-andromeda.pub.age".publicKeys = [ pinwheel alex ];
"pinwheel/alex.pinwheel-codeberg.org.age".publicKeys = [ pinwheel alex ];
"pinwheel/alex.pinwheel-codeberg.org.pub.age".publicKeys = [ pinwheel alex ];
"pinwheel/alex.pinwheel-git.ppp.pm.age".publicKeys = [ pinwheel alex ];
"pinwheel/alex.pinwheel-git.ppp.pm.pub.age".publicKeys = [ pinwheel alex ];
"pinwheel/work-gitconfig.age".publicKeys = [ pinwheel alex ];
"pinwheel/work-github-token.age".publicKeys = [ pinwheel alex ];
@@ -33,9 +31,6 @@ in {
"backwards/root.backwards.age".publicKeys = [ backwards alex ];
"backwards/root.backwards.pub.age".publicKeys = [ backwards alex ];
"backwards/syncthing-cert.age".publicKeys = [ backwards alex ];
"backwards/syncthing-key.age".publicKeys = [ backwards alex ];
"backwards/restic-password.age".publicKeys = [ backwards alex ];
"backwards/alex.backwards-codeberg.org.age".publicKeys = [ backwards alex ];
"backwards/alex.backwards-codeberg.org.pub.age".publicKeys = [ backwards alex ];
"backwards/wpa_supplicant.conf.age".publicKeys = [ backwards alex ];


@@ -4,7 +4,6 @@
phone = "HCL2CKI-SA3NWOT-PMJZNFP-I7QETYE-JOKZHXN-TSI74FV-ZA6RDO2-QQMXPAP";
sombrero = "DIKHOMV-QGZV3DR-FXQZH45-I5J5R4R-JJZS5BA-XNNW5C7-QSSU3XV-KVC4MAQ";
pinwheel = "AKS5L2A-NFCG5GV-3U5SSSZ-PLOX6BQ-ZL5ALXI-D7OK4KE-R2JPWRJ-B6AQJQ7";
backwards = "XRSQ4NZ-LHCZS6H-R3A75S5-W4FH7F4-3DGA5X2-SOPYWOP-A2WRKGC-IPXH4AM";
};
};
}