alex/nixos-configs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: alex:5e84d0147b9e79d986270c0c942a136556bc7ade
Branches Tags
alex:main
..
compare: alex:32acd3a55c9ae662ea68da67b9b42e096f9a34e1
Branches Tags
alex:main

39 Commits
5e84d0147b ... 32acd3a55c

Author SHA1 Message Date
Alexander Heldt
32acd3a55c tadpole: Specify ssh port for gitea 2024-08-31 17:16:38 +02:00
Alexander Heldt
10b8f99193 pinwheel: Add git url preference for git.ppp.pm 2024-08-31 16:34:20 +02:00
Alexander Heldt
25043c3856 pinwheel: Add ssh keys for git.ppp.pm 2024-08-31 16:33:13 +02:00
Alexander Heldt
3180842d6a pinwheel: Add secrets for git.ppp.pm 2024-08-31 16:31:46 +02:00
Alexander Heldt
4ef27e43d7 pinwheel: Use tailscale DNS for ssh to backwards 2024-08-31 16:21:29 +02:00
Alexander Heldt
27e1f8306a tadpole: Use standard SSH port for gitea 2024-08-31 16:21:17 +02:00
Alexander Heldt
e5c0fe3ff9 backwards: Add transmission module 2024-08-31 15:49:56 +02:00
Alexander Heldt
d15e13c81d backwards: Backup sync to external drive with restic 2024-08-31 15:49:56 +02:00
Alexander Heldt
6478356950 backwards: Add secret for restic 2024-08-31 15:44:50 +02:00
Alexander Heldt
3ba136a6a9 backwards: Set user/groups for jellyfin 2024-08-31 15:44:36 +02:00
Alexander Heldt
95100dd59a backwards: Set jellyfin data directory 2024-08-31 15:44:22 +02:00
Alexander Heldt
5ced04694f backwards: Add media filesystem mount 2024-08-31 13:30:54 +02:00
Alexander Heldt
331d4b52a0 backwards: Set syncthing GUI password 2024-08-31 12:58:04 +02:00
Alexander Heldt
9b98cdfe38 backwards: Add enable option to syncthing module 2024-08-31 12:58:03 +02:00
Alexander Heldt
0a43eed112 backwards/pinwheel: Share books via syncthing 2024-08-31 12:57:02 +02:00
Alexander Heldt
9bb2b487dd backwards/pinwheel: Share work via syncthing 2024-08-31 12:52:54 +02:00
Alexander Heldt
f65f680042 backwards/pinwheel: Share personal via syncthing 2024-08-31 12:52:53 +02:00
Alexander Heldt
e07f67cced backwards: Set GUI address for syncthing 2024-08-31 12:31:08 +02:00
Alexander Heldt
65191feb6e backwards/pinwheel: Share org via syncthing 2024-08-31 12:17:58 +02:00
Alexander Heldt
f6b485078a backwards: Share org with phone via syncthing 2024-08-31 12:14:19 +02:00
Alexander Heldt
2b6bbc6cab backwards: Add 7zip 2024-08-31 12:04:06 +02:00
Alexander Heldt
0be938f697 backwards: Add swanstation emulator to retroarch 2024-08-31 12:04:06 +02:00
Alexander Heldt
d331614d31 backwards: Share phone-gps with phone in syncthing 2024-08-31 12:04:06 +02:00
Alexander Heldt
eb3b497e02 Add backwards to shared syncthing devices 2024-08-31 11:55:19 +02:00
Alexander Heldt
c360bfe68b backwards: Add secrets for syncthing 2024-08-31 11:53:59 +02:00
Alexander Heldt
6a9a63f52a backwards: Add syncthing module 2024-08-31 11:46:05 +02:00
Alexander Heldt
f4c54aaa02 backwards: Update hardware.graphics attributes 2024-08-31 11:25:04 +02:00
Alexander Heldt
8c39b26916 backwards: Update gnome attributes 2024-08-31 11:24:44 +02:00
Alexander Heldt
6021e1cf1d backwards: Add tailscale module 2024-08-31 11:16:01 +02:00
Alexander Heldt
69034fb515 pinwheel: Clean up tailscale module 2024-08-30 21:22:56 +02:00
Alexander Heldt
438353deab pinwheel: Enable rerere in git 2024-08-30 21:21:42 +02:00
Alexander Heldt
4b6990dd2e Update flake inputs 2024-08-30 21:13:29 +02:00
Alexander Heldt
fa9d9dc44e pinwheel: Clean /tmp on boot 2024-08-30 21:09:35 +02:00
Alexander Heldt
c4bab62de4 tadpole: Add webfinger for gitea 2024-08-30 21:09:35 +02:00
Alexander Heldt
0d5b7fe3f5 tadpole: Extract cert for gitea 2024-08-30 20:49:30 +02:00
Alexander Heldt
4567ba0614 tadpole: Add certs module 2024-08-30 20:47:33 +02:00
Alexander Heldt
a1c93b2165 tadpole: Disable registration in gitea 2024-08-29 20:53:26 +02:00
Alexander Heldt
4ff44969a3 tadpole: Enable gitea 2024-08-29 20:52:32 +02:00
Alexander Heldt
0e5dcd0f71 tadpole: Add gitea module 2024-08-29 20:52:32 +02:00
28 changed files with 417 additions and 68 deletions
Expand all files Collapse all files

36
flake.lock generated
View File

@@ -54,11 +54,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1723946515, "lastModified": 1725037990,
"narHash": "sha256-b/OHNTfJl16JSLpGMDSoiGliqc13MmUUEu78GqS++Sg=", "narHash": "sha256-7ZwhCJQ8/BvP5UDSOe9PUzrDlDePxfyDrkEYuuZZJJ8=",
"owner": "nix-community", "owner": "nix-community",
"repo": "emacs-overlay", "repo": "emacs-overlay",
"rev": "c34c8d77f326f42d43d5912c33e8802a96d29cd0", "rev": "45405f34d10260753298ff244a9b9c36e04b2e11",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -113,11 +113,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1723399884, "lastModified": 1724435763,
"narHash": "sha256-97wn0ihhGqfMb8WcUgzzkM/TuAxce2Gd20A8oiruju4=", "narHash": "sha256-UNky3lJNGQtUEXT2OY8gMxejakSWPTfWKvpFkpFlAfM=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "086f619dd991a4d355c07837448244029fc2d9ab", "rev": "c2cd2a52e02f1dfa1c88f95abeb89298d46023be",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -153,11 +153,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1723753423, "lastModified": 1724689275,
"narHash": "sha256-ULsoflnTS634565jqT1IXwHzISwcphLBq+YJYL7/p/Y=", "narHash": "sha256-wpxC7XiZ9maYZA4BSLKGXc+pn2fwaiq2Ybu5kNjl1ao=",
"owner": "viperML", "owner": "viperML",
"repo": "nh", "repo": "nh",
"rev": "24d7b24f567ef3345ac267f61579df291e42bd71", "rev": "a922eada049854019c5d1bbc82383f7095773e5c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -183,11 +183,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1723310128, "lastModified": 1724878143,
"narHash": "sha256-IiH8jG6PpR4h9TxSGMYh+2/gQiJW9MwehFvheSb5rPc=", "narHash": "sha256-UjpKo92iZ25M05kgSOw/Ti6VZwpgdlOa73zHj8OcaDk=",
"owner": "nixos", "owner": "nixos",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "c54cf53e022b0b3c1d3b8207aa0f9b194c24f0cf", "rev": "95c3dfe6ef2e96ddc1ccdd7194e3cda02ca9a8ef",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -199,11 +199,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1723637854, "lastModified": 1724819573,
"narHash": "sha256-med8+5DSWa2UnOqtdICndjDAEjxr5D7zaIiK4pn0Q7c=", "narHash": "sha256-GnR7/ibgIH1vhoy8cYdmXE6iyZqKqFxQSVkFgosBh6w=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "c3aa7b8938b17aebd2deecf7be0636000d62a2b9", "rev": "71e91c409d1e654808b2621f28a327acfdad8dc2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -215,11 +215,11 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1723688146, "lastModified": 1724855419,
"narHash": "sha256-sqLwJcHYeWLOeP/XoLwAtYjr01TISlkOfz+NG82pbdg=", "narHash": "sha256-WXHSyOF4nBX0cvHN3DfmEMcLOVdKH6tnMk9FQ8wTNRc=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "c3d4ac725177c030b1e289015989da2ad9d56af0", "rev": "ae2fc9e0e42caaf3f068c1bfdc11c71734125e06",
"type": "github" "type": "github"
}, },
"original": { "original": {

1
hosts/backwards/configuration.nix
View File

@@ -3,6 +3,7 @@
imports = imports =
[ [
../../config-manager/default.nix ../../config-manager/default.nix
../../shared-modules/syncthing.nix
./hardware-configuration.nix ./hardware-configuration.nix
./modules ./modules
]; ];

5
hosts/backwards/home.nix
View File

@@ -13,7 +13,10 @@
home.username = "alex"; home.username = "alex";
home.homeDirectory = "/home/alex"; home.homeDirectory = "/home/alex";
home.packages = [ pkgs.vim ]; home.packages = [
pkgs.vim
pkgs.p7zip
];
home.stateVersion = "24.05"; home.stateVersion = "24.05";
}; };

3
hosts/backwards/modules/default.nix
View File

@@ -12,6 +12,9 @@ in
ssh.enable = true; ssh.enable = true;
git.enable = true; git.enable = true;
syncthing.enable = true;
restic.enable = true;
transmission.enable = true;
}; };
}; };
} }

1
hosts/backwards/modules/games/default.nix
View File

@@ -6,6 +6,7 @@
cores = [ cores = [
pkgs.libretro.snes9x pkgs.libretro.snes9x
pkgs.libretro.genesis-plus-gx pkgs.libretro.genesis-plus-gx
pkgs.libretro.swanstation
]; ];
}) })
]; ];

12
hosts/backwards/modules/gnome/default.nix
View File

@@ -1,6 +1,13 @@
{ ... }: { ... }:
{ {
services = { services = {
displayManager = {
autoLogin = {
enable = true;
user = "alex";
};
};
xserver = { xserver = {
enable = true; enable = true;
@@ -14,11 +21,6 @@
}; };
displayManager = { displayManager = {
autoLogin = {
enable = true;
user = "alex";
};
gdm.enable = true; gdm.enable = true;
}; };
}; };

34
hosts/backwards/modules/jellyfin/default.nix
View File

@@ -1,25 +1,39 @@
{ pkgs, ... }: { pkgs, ... }:
{ {
fileSystems."/home/alex/media" = {
device = "/dev/disk/by-uuid/ad4acc0f-172c-40f8-8473-777c957e8764";
fsType = "ext4";
options = [ "nofail" ];
};
# 1. enable vaapi on OS-level # 1. enable vaapi on OS-level
nixpkgs.config.packageOverrides = pkgs: { nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
}; };
hardware.opengl = { hardware = {
enable = true; graphics = {
extraPackages = with pkgs; [ enable = true;
intel-media-driver
intel-vaapi-driver # previously vaapiIntel extraPackages = with pkgs; [
vaapiVdpau intel-media-driver
libvdpau-va-gl intel-vaapi-driver # previously vaapiIntel
intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in) vaapiVdpau
vpl-gpu-rt # QSV on 11th gen or newer libvdpau-va-gl
]; intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
vpl-gpu-rt # QSV on 11th gen or newer
];
};
}; };
services.jellyfin = { services.jellyfin = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
user = "alex";
group = "users";
dataDir = "/home/alex/media/jellyfin";
}; };
environment.systemPackages = [ environment.systemPackages = [

51
hosts/backwards/modules/restic/default.nix Normal file
View File

@@ -0,0 +1,51 @@
{ lib, config, ... }:
let
enabled = config.mod.restic.enable;
in
{
options = {
mod.restic = {
enable = lib.mkEnableOption "Enable restic";
};
};
config = lib.mkIf enabled {
fileSystems."/home/alex/backup" = {
device = "/dev/disk/by-uuid/34601701-65e6-4b2c-ac4d-8bef3dfd743f";
fsType = "ext4";
options = [ "nofail" ];
};
services = {
restic.backups = {
"sync-to-external" = {
initialize = true;
user = "alex";
passwordFile = config.age.secrets.restic-password.path;
paths = [ "/home/alex/sync" ];
repository = "/home/alex/backup";
timerConfig = {
OnCalendar = "*-*-* 0/12:00:00"; # Every 12th hour, i.e. twice a day
Persistent = true;
};
pruneOpts = [
"--keep-daily 1"
"--keep-weekly 7"
"--keep-yearly 12"
];
};
};
};
age = {
secrets = {
"restic-password".file = ../../../../secrets/backwards/restic-password.age;
};
};
};
}

105
hosts/backwards/modules/syncthing/default.nix Normal file
View File

@@ -0,0 +1,105 @@
{ lib, config, ... }:
let
enabled = config.mod.syncthing.enable;
in
{
options = {
mod.syncthing = {
enable = lib.mkEnableOption "Enable syncthing module";
};
};
config = lib.mkIf enabled {
services.syncthing = {
enable = true;
openDefaultPorts = true;
cert = config.age.secrets.syncthing-cert.path;
key = config.age.secrets.syncthing-key.path;
user = "alex";
group = "users";
dataDir = "/home/alex/sync";
guiAddress = "0.0.0.0:8384";
settings = {
gui = {
user = "syncthing";
password = "$2a$12$J/h/JOUiW24ZXsLYLEl2kOZUS1LftxANi0OlZxLy8Dst3/jpBd0v2";
insecureSkipHostcheck = false;
};
devices = {
phone.id = config.lib.syncthing.phone;
pinwheel.id = config.lib.syncthing.pinwheel;
};
folders = {
org = {
path = "/home/alex/sync/org";
devices = [ "phone" "pinwheel" ];
versioning = {
type = "staggered";
params = {
maxage = "2592000"; # 30 days
};
};
};
personal = {
path = "/home/alex/sync/personal";
devices = [ "pinwheel" ];
versioning = {
type = "staggered";
params = {
maxAge = "2592000"; # 30 days
};
};
};
work = {
path = "/home/alex/sync/work";
devices = [ "pinwheel" ];
versioning = {
type = "staggered";
params = {
maxAge = "2592000"; # 30 days
};
};
};
books = {
path = "/home/alex/sync/books";
devices = [ "pinwheel" ];
versioning = {
type = "staggered";
params = {
maxAge = "2592000"; # 30 days
};
};
};
"phone-gps" = {
path = "/home/alex/sync/phone-gps";
devices = [ "phone" ];
versioning = {
type = "staggered";
params = {
maxage = "2592000"; # 30 days
};
};
};
};
};
};
age = {
secrets = {
"syncthing-cert".file = ../../../../secrets/backwards/syncthing-cert.age;
"syncthing-key".file = ../../../../secrets/backwards/syncthing-key.age;
};
};
};
}

9
hosts/backwards/modules/tailscale/default.nix Normal file
View File

@@ -0,0 +1,9 @@
{ ... }:
{
services.tailscale.enable = true;
networking.firewall = {
checkReversePath = "loose";
allowedUDPPorts = [ 41641 ];
};
}

42
hosts/backwards/modules/transmission/default.nix Normal file
View File

@@ -0,0 +1,42 @@
{ pkgs, lib, config, ... }:
let
enabled = config.mod.transmission.enable;
in
{
options = {
mod.transmission = {
enable = lib.mkEnableOption "enable transmission module";
};
};
config = lib.mkIf enabled {
services = {
transmission = {
enable = true;
package = pkgs.transmission_4;
openFirewall = true;
openRPCPort = true;
user = "alex";
group = "users";
home = "/home/alex/media/ts-home";
downloadDirPermissions = "775";
settings = {
rpc-bind-address = "0.0.0.0";
rpc-port = 9191;
incomplete-dir-enabled = false;
download-dir = "/home/alex/media/downloads";
rpc-authentication-required = true;
rpc-whitelist-enabled = false;
rpc-username = "transmission";
rpc-password = "{55d884e4042db67313da49e05d7089a368eb64b3Br.3X.Xi";
};
};
};
};
}

2
hosts/pinwheel/modules/boot/default.nix
View File

@@ -27,6 +27,8 @@ in
boot = { boot = {
kernelPackages = pkgs.linuxPackages_latest; kernelPackages = pkgs.linuxPackages_latest;
tmp.cleanOnBoot = true;
kernel = { kernel = {
sysctl = { sysctl = {
"fs.inotify.max_user_instances" = 1024; # default: 128 "fs.inotify.max_user_instances" = 1024; # default: 128

4
hosts/pinwheel/modules/git/default.nix
View File

@@ -17,6 +17,10 @@ in
includes = [ includes = [
{ path = ./gitconfig; } { path = ./gitconfig; }
]; ];
extraConfig = {
rerere.enable = true;
};
}; };
home.packages = [ pkgs.tig ]; home.packages = [ pkgs.tig ];

2
hosts/pinwheel/modules/git/gitconfig
View File

@@ -11,3 +11,5 @@
[url "git@codeberg.org:"] [url "git@codeberg.org:"]
insteadOf = https://codeberg.org/ insteadOf = https://codeberg.org/
[url "gitea@git.ppp.pm:"]
insteadOf = https://git.ppp.pm/

22
hosts/pinwheel/modules/ssh/default.nix
View File

@@ -5,8 +5,8 @@
enable = true; enable = true;
matchBlocks = { matchBlocks = {
"backwards.local" = { "backwards" = {
hostname = "192.168.50.202"; hostname = "backwards";
user = "alex"; user = "alex";
identityFile = "/home/alex/.ssh/alex.pinwheel-backwards"; identityFile = "/home/alex/.ssh/alex.pinwheel-backwards";
port = 1122; port = 1122;
@@ -48,6 +48,11 @@
hostname = "codeberg.org"; hostname = "codeberg.org";
identityFile = "/home/alex/.ssh/alex.pinwheel-codeberg.org"; identityFile = "/home/alex/.ssh/alex.pinwheel-codeberg.org";
}; };
"git.ppp.pm" = {
hostname = "git.ppp.pm";
identityFile = "/home/alex/.ssh/alex.pinwheel-git.ppp.pm";
};
}; };
}; };
@@ -106,6 +111,19 @@
group = "users"; group = "users";
}; };
"alex.pinwheel-git.ppp.pm" = {
file = ../../../../secrets/pinwheel/alex.pinwheel-git.ppp.pm.age;
path = "/home/alex/.ssh/alex.pinwheel-git.ppp.pm.org";
owner = "alex";
group = "users";
};
"alex.pinwheel-git.ppp.pm.pub" = {
file = ../../../../secrets/pinwheel/alex.pinwheel-git.ppp.pm.pub.age;
path = "/home/alex/.ssh/alex.pinwheel-git.ppp.pm.pub";
owner = "alex";
group = "users";
};
"alex.pinwheel-andromeda" = { "alex.pinwheel-andromeda" = {
file = ../../../../secrets/pinwheel/alex.pinwheel-andromeda.age; file = ../../../../secrets/pinwheel/alex.pinwheel-andromeda.age;
path = "/home/alex/.ssh/alex.pinwheel-andromeda"; path = "/home/alex/.ssh/alex.pinwheel-andromeda";

9
hosts/pinwheel/modules/syncthing/default.nix
View File

@@ -15,13 +15,14 @@
settings = { settings = {
devices = { devices = {
phone.id = config.lib.syncthing.phone; phone.id = config.lib.syncthing.phone;
backwards.id = config.lib.syncthing.backwards;
sombrero.id = config.lib.syncthing.sombrero; sombrero.id = config.lib.syncthing.sombrero;
}; };
folders = { folders = {
org = { org = {
path = "/home/alex/sync/org"; path = "/home/alex/sync/org";
devices = [ "sombrero" "phone" ]; devices = [ "sombrero" "phone" "backwards" ];
versioning = { versioning = {
type = "staggered"; type = "staggered";
params = { params = {
@@ -32,7 +33,7 @@
personal = { personal = {
path = "/home/alex/sync/personal"; path = "/home/alex/sync/personal";
devices = [ "sombrero" ]; devices = [ "sombrero" "backwards" ];
versioning = { versioning = {
type = "staggered"; type = "staggered";
params = { params = {
@@ -43,7 +44,7 @@
work = { work = {
path = "/home/alex/sync/work"; path = "/home/alex/sync/work";
devices = [ "sombrero" ]; devices = [ "sombrero" "backwards" ];
versioning = { versioning = {
type = "staggered"; type = "staggered";
params = { params = {
@@ -54,7 +55,7 @@
books = { books = {
path = "/home/alex/sync/books"; path = "/home/alex/sync/books";
devices = [ "sombrero" ]; devices = [ "sombrero" "backwards" ];
versioning = { versioning = {
type = "staggered"; type = "staggered";
params = { params = {

1
hosts/pinwheel/modules/tailscale/default.nix
View File

@@ -6,5 +6,4 @@
checkReversePath = "loose"; checkReversePath = "loose";
allowedUDPPorts = [ 41641 ]; allowedUDPPorts = [ 41641 ];
}; };
} }

18
hosts/tadpole/modules/certs/default.nix Normal file
View File

@@ -0,0 +1,18 @@
{ ... }:
{
security.acme = {
certs = {
"ppp.pm" = {
webroot = "/var/lib/acme/acme-challenge/";
email = "p@ppp.pm";
group = "nginx";
};
"git.ppp.pm" = {
webroot = "/var/lib/acme/acme-challenge/";
email = "p@ppp.pm";
group = "nginx";
};
};
};
}

5
hosts/tadpole/modules/default.nix
View File

@@ -15,7 +15,10 @@ in
gitea = { gitea = {
enable = true; enable = true;
domain = "git.ppp.pm"; baseDomain = "ppp.pm";
webfingerEnable = true;
webfingerAccounts = [ "p@ppp.pm" ];
}; };
pppdotpm-site.enable = true; pppdotpm-site.enable = true;

100
hosts/tadpole/modules/gitea/default.nix
View File

@@ -1,7 +1,7 @@
{ lib, config, ... }: { pkgs, lib, config, ... }:
let let
enable = config.mod.gitea.enable; conf = config.mod.gitea;
domain = config.mod.gitea.domain; gitDomain = "git.${conf.baseDomain}";
nginxEnable = config.mod.nginx.enable; nginxEnable = config.mod.nginx.enable;
in in
@@ -10,28 +10,61 @@ in
mod.gitea = { mod.gitea = {
enable = lib.mkEnableOption "Enable gitea"; enable = lib.mkEnableOption "Enable gitea";
domain = lib.mkOption { baseDomain = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = ""; default = "";
description = "The domain that nginx will use as a virtual host"; description = ''
The base domain that will be used to
- create https://git.<base domain> which will host the frontend of gitea
- host the webfinger
Note: A cert is required for this domain and "git.<base domain>".
'';
};
webfingerEnable = lib.mkEnableOption "Enable webfinger pointing to gitea";
webfingerAccounts = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [];
description = "The accounts that should be listed";
}; };
}; };
}; };
config = lib.mkIf (enable && nginxEnable) { config = lib.mkIf (conf.enable && nginxEnable) {
assertions = [
{
assertion = conf.baseDomain != "";
message = "Option 'mod.gitea.baseDomain' cannot be empty";
}
{
assertion = builtins.hasAttr gitDomain config.security.acme.certs;
message = "There is no cert configured for ${gitDomain} used by gitea";
}
{
assertion = conf.webfingerEnable && builtins.hasAttr conf.baseDomain config.security.acme.certs;
message = "There is no cert configured for ${conf.baseDomain} used by webfinger";
}
{
assertion = conf.webfingerEnable && conf.webfingerAccounts != [];
message = "Option 'mod.gitea.webfingerAccounts' cannot be empty";
}
];
services.gitea = { services.gitea = {
enable = true; enable = true;
settings = { settings = {
service = { service = {
DISABLE_REGISTRATION = false; DISABLE_REGISTRATION = true;
}; };
server = { server = {
DOMAIN = domain; DOMAIN = gitDomain;
ROOT_URL = "https://${domain}"; ROOT_URL = "https://${gitDomain}";
SSH_PORT = 1122; # See `ssh` module SSH_PORT = 1122; # see `ssh` module
}; };
database = { database = {
@@ -46,16 +79,51 @@ in
}; };
services.nginx = { services.nginx = {
virtualHosts."${domain}" = { virtualHosts."${conf.baseDomain}" =
forceSSL = true; let
enableACME = true; mkWebfinger = account:
pkgs.writeTextDir (lib.escapeURL "acct:${account}") (lib.generators.toJSON {} {
subject = "acct:${account}";
links = [{
rel = "http://openid.net/specs/connect/1.0/issuer";
href = "https://${gitDomain}";
}];
});
locations."/" = { webfingerRoot = pkgs.symlinkJoin {
proxyPass = "http://0.0.0:3000"; name = "${gitDomain}-webfinger";
proxyWebsockets = true; paths = builtins.map mkWebfinger conf.webfingerAccounts;
}; };
in
lib.mkIf conf.webfingerEnable {
forceSSL = true;
useACMEHost = conf.baseDomain;
locations."/.well-known/webfinger" = {
root = webfingerRoot;
extraConfig = ''
add_header Access-Control-Allow-Origin "*";
default_type "application/jrd+json";
types { application/jrd+json json; }
if ($arg_resource) {
rewrite ^(.*)$ /$arg_resource break;
}
return 400;
'';
};
};
virtualHosts."${gitDomain}" = {
forceSSL = true;
useACMEHost = gitDomain;
locations."/" = {
proxyPass = "http://0.0.0:3000";
proxyWebsockets = true;
}; };
}; };
};
age.secrets = { age.secrets = {
"gitea-dbpassword".file = ../../../../secrets/tadpole/gitea-dbpassword.age; "gitea-dbpassword".file = ../../../../secrets/tadpole/gitea-dbpassword.age;

10
hosts/tadpole/modules/ppp.pm-site/default.nix
View File

@@ -14,16 +14,6 @@ in
}; };
config = lib.mkIf (enabled && nginxEnabled) { config = lib.mkIf (enabled && nginxEnabled) {
security.acme = {
certs = {
"ppp.pm" = {
webroot = "/var/lib/acme/acme-challenge/";
email = "p@ppp.pm";
group = "nginx";
};
};
};
services.pppdotpm-site = { services.pppdotpm-site = {
enable = true; enable = true;
domain = "ppp.pm"; domain = "ppp.pm";

7
secrets/backwards/restic-password.age Normal file
View File

@@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 Pu0HWg qnig6bOOnHbsTQ7AJfS0l6TUT7gPM3VreutamO5NfCs
ZBX0HcsOKq2QrGRCJygwol/T2NWyvxGbqYpb5mfl5FQ
-> ssh-ed25519 +oNaHQ SgIEVphkOUqNzvPkoAQDS6wvDiHvcSNCLj46Qf1Lqyo
HisQ0xxj1Qz79rmFdt0jda8D4hDWE+/d6zuA17fLsgk
--- UabMTXlGzIEj1guev4NyFyoXvP41i7oN1TMDKo517zs
}<7D>p<EFBFBD>)<29><EFBFBD><E2BFAB><EFBFBD>B<EFBFBD><42><EFBFBD><EFBFBD><EFBFBD>T<1D>x<>r0<72><30>7#<23>y<EFBFBD><32><D4A4>;Z.&<26>]!<21><>e(<28><>qvPQ돠?Y<>y<EFBFBD>$?<3F><>X<EFBFBD>2<EFBFBD><32>݀-&<26>A

BIN
secrets/backwards/syncthing-cert.age Normal file
View File

Binary file not shown.

BIN
secrets/backwards/syncthing-key.age Normal file
View File

Binary file not shown.

BIN
secrets/pinwheel/alex.pinwheel-git.ppp.pm.age Normal file
View File

Binary file not shown.

BIN
secrets/pinwheel/alex.pinwheel-git.ppp.pm.pub.age Normal file
View File

Binary file not shown.

5
secrets/secrets.nix
View File

@@ -22,6 +22,8 @@ in {
"pinwheel/alex.pinwheel-andromeda.pub.age".publicKeys = [ pinwheel alex ]; "pinwheel/alex.pinwheel-andromeda.pub.age".publicKeys = [ pinwheel alex ];
"pinwheel/alex.pinwheel-codeberg.org.age".publicKeys = [ pinwheel alex ]; "pinwheel/alex.pinwheel-codeberg.org.age".publicKeys = [ pinwheel alex ];
"pinwheel/alex.pinwheel-codeberg.org.pub.age".publicKeys = [ pinwheel alex ]; "pinwheel/alex.pinwheel-codeberg.org.pub.age".publicKeys = [ pinwheel alex ];
"pinwheel/alex.pinwheel-git.ppp.pm.age".publicKeys = [ pinwheel alex ];
"pinwheel/alex.pinwheel-git.ppp.pm.pub.age".publicKeys = [ pinwheel alex ];
"pinwheel/work-gitconfig.age".publicKeys = [ pinwheel alex ]; "pinwheel/work-gitconfig.age".publicKeys = [ pinwheel alex ];
"pinwheel/work-github-token.age".publicKeys = [ pinwheel alex ]; "pinwheel/work-github-token.age".publicKeys = [ pinwheel alex ];
@@ -31,6 +33,9 @@ in {
"backwards/root.backwards.age".publicKeys = [ backwards alex ]; "backwards/root.backwards.age".publicKeys = [ backwards alex ];
"backwards/root.backwards.pub.age".publicKeys = [ backwards alex ]; "backwards/root.backwards.pub.age".publicKeys = [ backwards alex ];
"backwards/syncthing-cert.age".publicKeys = [ backwards alex ];
"backwards/syncthing-key.age".publicKeys = [ backwards alex ];
"backwards/restic-password.age".publicKeys = [ backwards alex ];
"backwards/alex.backwards-codeberg.org.age".publicKeys = [ backwards alex ]; "backwards/alex.backwards-codeberg.org.age".publicKeys = [ backwards alex ];
"backwards/alex.backwards-codeberg.org.pub.age".publicKeys = [ backwards alex ]; "backwards/alex.backwards-codeberg.org.pub.age".publicKeys = [ backwards alex ];
"backwards/wpa_supplicant.conf.age".publicKeys = [ backwards alex ]; "backwards/wpa_supplicant.conf.age".publicKeys = [ backwards alex ];

1
shared-modules/syncthing.nix
View File

@@ -4,6 +4,7 @@
phone = "HCL2CKI-SA3NWOT-PMJZNFP-I7QETYE-JOKZHXN-TSI74FV-ZA6RDO2-QQMXPAP"; phone = "HCL2CKI-SA3NWOT-PMJZNFP-I7QETYE-JOKZHXN-TSI74FV-ZA6RDO2-QQMXPAP";
sombrero = "DIKHOMV-QGZV3DR-FXQZH45-I5J5R4R-JJZS5BA-XNNW5C7-QSSU3XV-KVC4MAQ"; sombrero = "DIKHOMV-QGZV3DR-FXQZH45-I5J5R4R-JJZS5BA-XNNW5C7-QSSU3XV-KVC4MAQ";
pinwheel = "AKS5L2A-NFCG5GV-3U5SSSZ-PLOX6BQ-ZL5ALXI-D7OK4KE-R2JPWRJ-B6AQJQ7"; pinwheel = "AKS5L2A-NFCG5GV-3U5SSSZ-PLOX6BQ-ZL5ALXI-D7OK4KE-R2JPWRJ-B6AQJQ7";
backwards = "XRSQ4NZ-LHCZS6H-R3A75S5-W4FH7F4-3DGA5X2-SOPYWOP-A2WRKGC-IPXH4AM";
}; };
}; };
} }