

10 commits

23 changed files with 267 additions and 24 deletions

5
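--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,5 @@
+creation_rules:
+- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+key_groups:
+- age:
+- age1kruum2varzua7w5n6n52vhwyek2arc685rhcwt0u7k2jf5mecsjslkl9ll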
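Review bot: The `path_regex` has no leading anchor, so it matches a `secrets/` directory at any depth, while `[^/]+` excludes files placed in subdirectories of `secrets/`; if only the top-level `secrets/` directory is meant, `path_regex: ^secrets/[^/]+\.(yaml|json|env|ini)$` makes that explicit. The rule also lists a single age recipient, so that one identity is the only thing that can decrypt every secret in the repository; a second recipient in the same key group, or a separately stored backup of this identity, avoids losing all secrets together with that key.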


@ -7,7 +7,7 @@
]; ];
sops.secrets."smb/secrets" = { sops.secrets."smb/secrets" = {
owner = config.users.users.tigor.name; owner = config.profile.user.name;
}; };
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
@ -15,10 +15,10 @@
boot.kernelModules = [ "kvm-amd" ]; boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
system.fsPackages = [ pkgs.bindfs ]; system.fsPackages = [ pkgs.bindfs pkgs.cifs-utils ];
fileSystems."/nas" = fileSystems."/nas" =
{ {
device = "//192.168.100.5/wd_red_1"; device = "//192.168.100.5/nas";
fsType = "cifs"; fsType = "cifs";
options = [ options = [
"_netdev" "_netdev"
@ -27,8 +27,8 @@
"x-systemd.idle-timeout=60" "x-systemd.idle-timeout=60"
"x-systemd.device-timeout=5s" "x-systemd.device-timeout=5s"
"x-systemd.mount-timeout=5s" "x-systemd.mount-timeout=5s"
"uid=1000" "uid=${toString config.profile.user.uid}"
"gid=100" "gid=${toString config.profile.user.gid}"
"credentials=${config.sops.secrets."smb/secrets".path}" "credentials=${config.sops.secrets."smb/secrets".path}"
]; ];
}; };
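Review bot: The cifs mount options on the new side pin the uid, gid and credentials file but not the protocol dialect or transport security, so the negotiated SMB version and whether signing or encryption is used depend on the kernel's defaults; adding `"vers=3.1.1"` and, if the NAS supports it, `"seal"` to `options` makes both explicit. The `fileSystems."/nas"` set begins in the previous hunk, so only its option list is visible here.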


@ -5,6 +5,7 @@
./hyprland.nix ./hyprland.nix
./docker.nix ./docker.nix
./podman.nix ./podman.nix
./services.nix
]; ];
options.profile = { options.profile = {


@ -6,5 +6,6 @@
type = lib.types.bool; type = lib.types.bool;
default = true; default = true;
}; };
kavita.enable = lib.mkEnableOption "kavita docker";
}; };
} }


@ -6,5 +6,6 @@
type = lib.types.bool; type = lib.types.bool;
default = true; default = true;
}; };
kavita.enable = lib.mkEnableOption "kavita docker";
}; };
} }

13
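--- /dev/null
+++ b/options/services.nix
@@ -0,0 +1,13 @@
+{ lib, ... }:
+let
+inherit (lib) mkEnableOption;
+in
+{
+options.profile.services = {
+caddy.enable = mkEnableOption "caddy";
+cockpit.enable = mkEnableOption "cockpit";
+forgejo.enable = mkEnableOption "forgejo";
+kavita.enable = mkEnableOption "kavita";
+samba.enable = mkEnableOption "samba";
+};
+}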


@ -48,5 +48,19 @@
brightnessctl.enable = true; brightnessctl.enable = true;
keyboard.language.japanese = true; keyboard.language.japanese = true;
mpris-proxy.enable = true;
kitty.enable = true;
neovide.enable = true;
spotify.enable = true;
vscode.enable = true;
jellyfin.enable = false;
mpv.enable = true;
go.enable = true;
chromium.enable = true;
bitwarden.enable = true;
dbeaver.enable = true;
microsoft-edge.enable = true;
nextcloud.enable = false;
}; };
} }


@ -17,17 +17,28 @@
audio.enable = false; audio.enable = false;
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
podman = {
enable = false;
};
openssh.enable = true; openssh.enable = true;
go.enable = true; go.enable = true;
networking.firewall.enable = true; networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
cockpit.enable = false; cockpit.enable = true;
docker = { docker = {
enable = false;
caddy.enable = false;
kavita.enable = false;
};
podman = {
enable = true; enable = true;
caddy.enable = false;
kavita.enable = true;
};
services = {
caddy.enable = true; caddy.enable = true;
cockpit.enable = true;
forgejo.enable = true;
kavita.enable = true;
samba.enable = true;
}; };
}; };
} }
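Review bot: `services.kavita.enable = true;` in the new `services` block has no module behind it as far as this diff shows: `options/services.nix` declares `profile.services.kavita.enable`, but the new `system/services/default.nix` imports only caddy, cockpit, forgejo and samba, so the flag is a silent no-op while the running instance comes from `podman.kavita.enable = true;`. Either drop the unused option or make it the single switch the podman module reads, so that the host file does not carry two toggles for one service.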


@ -0,0 +1,22 @@
forgejo: ENC[AES256_GCM,data:w/qGCqEsbzhgCmGiy4pqvwjEbIWhOIPjQyQyNtbiBzadrFxG6+cxFQJ1gY/q9tENuogKoVdCtKdHYONM6gs+yd3+/Xk=,iv:u5P7so4J3OeHmnf33ss2X7f8GAA04I0/mw1/MUy6C3Y=,tag:nYhY/ecas7dPYP6FwEnOsg==,type:str]
cockpit: ENC[AES256_GCM,data:5/ztOP1mJwKlcLS0RLqbre2nMOphIg59+/Dqz3njZW7jDJm37gMdgaPpY+eA5IWBMW7gZNCcVA==,iv:mmGsqA7U3rzhZ40BUReMlDaKxzKsDTw0mSZzcpu2QB4=,tag:jwmqiMGbENjX4B8GbPHcjw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1kruum2varzua7w5n6n52vhwyek2arc685rhcwt0u7k2jf5mecsjslkl9ll
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhK1lrMkJlNmJwK3ZvSjhz
VnFQa2xMdEt0dU9pRlQxbWZIT09ObVI2cUNBCkx2UnBQOTFRYkhXR0pyWGgxdVIr
R3NvZDBTU3lIY3RHZkxKRDQzRWhmYUUKLS0tIDJtNFc2VzRNQVdxZ0kxME91Um9p
OTBPaGdUZ1ZueUlKMVlhOHBreFV6OVEKBhcqTTA9Vufnn/WAhR5zb08Nsn48zmD2
+bdJf+0B68Z57Q/47fNjvXclqLdDCWToTlIjOTnzVH2oXOWKQQxj6g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-13T06:44:09Z"
mac: ENC[AES256_GCM,data:S0/He8nAYp524SIteg1bd7aa4b7OJ2jshP/x+m9Grt+9fI8ZN42XpcW/u7JA6xV2eAJ7ZS4YBt965V6ttJu/Ric0xRzdG/evK9zrG0CFcoY8Di9eBU/KqBSyXxO7E/ZYamp9AQpkO9KzsSBYYStkZe4FjPy/5o4bSCjkLOIPO1w=,iv:OR42uFaNxMHAdaq1JZLz4B+cPZPJw5TP97W+rbHckK0=,tag:BXKF4WSHDZ63eyzNNBR2JA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -1,7 +1,7 @@
gnome-keyring: gnome-keyring:
tigor: ENC[AES256_GCM,data:fUJzIUburewNo6eSLdk0d4RJuL0XIWc=,iv:4pVbLT91IoS6XDEOd9jg4GQkVpQxYNasUeqv2otMgT8=,tag:aSFQKgu7N4p/73omC0wqNw==,type:str] tigor: ENC[AES256_GCM,data:fUJzIUburewNo6eSLdk0d4RJuL0XIWc=,iv:4pVbLT91IoS6XDEOd9jg4GQkVpQxYNasUeqv2otMgT8=,tag:aSFQKgu7N4p/73omC0wqNw==,type:str]
smb: smb:
secrets: ENC[AES256_GCM,data:DKG6wjW/gBLX4cqisodnCX5OO6vVMQFerlAzlvW434xLQjHfn/SyTr3D/8GOSsMO,iv:4Qqdg2bDzNeCNeLifySfxwN/rA+qcAG0JSjt8ByFG/o=,tag:ALOoJ7h3EtjRIHskBfIouA==,type:str] secrets: ENC[AES256_GCM,data:2XiBlll1fhr2N7CYfMmqVR6INm5j1B0dUhhLUDUmHH/Med0XzWrqh+0Fme7CTt3mdnbIO+AOe0U=,iv:jhWoP97kyGwDicB0CV2B0ppNB8JlFrajsnhvJsUv7FE=,tag:Alo0zX0AqbjziGflNFvepw==,type:str]
spotify: spotify:
username: ENC[AES256_GCM,data:7uYX5Co=,iv:zc03i9P/nX6hIe/SfUulH2T3BkxD/1xiqG2izmaJbho=,tag:/djGWrxvsG9L5x3vHc9TwQ==,type:str] username: ENC[AES256_GCM,data:7uYX5Co=,iv:zc03i9P/nX6hIe/SfUulH2T3BkxD/1xiqG2izmaJbho=,tag:/djGWrxvsG9L5x3vHc9TwQ==,type:str]
password: ENC[AES256_GCM,data:Yf2NCLuXVd28kPCHLLc=,iv:Ip4tAMOW5h8TPKavB7pTMt/ojtCq1wxw3Syhey4dGQI=,tag:b2FGiXAo66S6goiH43NQBA==,type:str] password: ENC[AES256_GCM,data:Yf2NCLuXVd28kPCHLLc=,iv:Ip4tAMOW5h8TPKavB7pTMt/ojtCq1wxw3Syhey4dGQI=,tag:b2FGiXAo66S6goiH43NQBA==,type:str]
@ -23,8 +23,8 @@ sops:
UFFON2V5UWp1UUpETzZNSnVJdk5GcWsKupkOEN8OI/EOeu4Kkjo/SNhxMw2pa/gs UFFON2V5UWp1UUpETzZNSnVJdk5GcWsKupkOEN8OI/EOeu4Kkjo/SNhxMw2pa/gs
DzlsQRvytwCvAtr7zqHJvS6oeWlyjbirAHlpSzNS4QcqtbtK3mHC/Q== DzlsQRvytwCvAtr7zqHJvS6oeWlyjbirAHlpSzNS4QcqtbtK3mHC/Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-12T16:32:51Z" lastmodified: "2024-06-13T09:09:57Z"
mac: ENC[AES256_GCM,data:dHh4kDSHDQAKLgGaW2TjBH09pEdpPSnNLvFb/EqfHWhUuXqjniFGOsR/KkhoYP2aVfQXBoRUyDvC0cspD6//wSqZuWNAwfVhP20XUQ6fNRaV/3RIU4Btp641Mg+wE3RkwANspkF9o5CD0wicDxNoirf60qPTWnD9ABmBPvd6bdI=,iv:nTg9WWP4WnnCmvMb91h8RH4ZS1Jh9xRmawF5k+IzEbw=,tag:B0uncQm5J9T2Q/ZwVrbjug==,type:str] mac: ENC[AES256_GCM,data:Ovi5vtxADk/vb899WuaU8uWCsM/zN7jTWF47ivJxbgtGlIbQQWeI9eY0s+VaPSdGSshJCP4RYasoJBeL0CiZ64wdLtwsDqfbAB6k8LtS/YRY/hDVGvUG+5GDP+I12q5xbHzJbjiKFN4yLRuK9WVyBQp7TRr484zkdjDDkApoC6w=,iv:FCc/9Xq4xsKQ+Hwi4VpCY8/F4+zHezv42wWpSaGsrjc=,tag:m+dnpB6LjzSvf7cgugEk7g==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1


@ -4,7 +4,8 @@
profile-path profile-path
hardware-configuration hardware-configuration
./modules ./modules
# ./podman ./services
./podman
./docker ./docker
./programs.nix ./programs.nix
./user.nix ./user.nix


@ -11,5 +11,6 @@ in
imports = [ imports = [
./caddy.nix ./caddy.nix
./kavita.nix
]; ];
} }

32
system/docker/kavita.nix Normal file

@ -0,0 +1,32 @@
{ config, lib, ... }:
let
user = config.profile.user;
docker = config.profile.docker;
volume = "/nas/kavita";
image = "lscr.io/linuxserver/kavita:latest";
gid = toString user.gid;
uid = toString user.uid;
in
{
config = lib.mkIf (docker.enable && docker.kavita.enable) {
system.activationScripts.docker-kavita = ''
mkdir -p ${volume}
chown -R ${user.name}:${gid} ${volume}
'';
virtualisation.oci-containers.containers.kavita = {
inherit image;
environment = {
PUID = uid;
PGID = gid;
TZ = "Asia/Jakarta";
};
ports = [ "5000:5000" ];
autoStart = true;
volumes = [
"${volume}/config:/config"
"${volume}/library:/library"
];
};
};
}
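Review bot: `image = "lscr.io/linuxserver/kavita:latest";` is a floating tag, so every pull can change the code that runs without any change in this repository; pin a version tag or an `@sha256:` digest (the same applies to `system/podman/kavita.nix`). `ports = [ "5000:5000" ];` publishes Kavita on every host interface, and Docker-published ports are typically reachable regardless of `networking.firewall`; if the service is meant to be reached only through the reverse proxy, `"127.0.0.1:5000:5000"` keeps it off the network. The activation script also re-runs `chown -R` over `${volume}` on every `nixos-rebuild switch`, which on a network mount can be slow; a `systemd.tmpfiles.rules` entry such as `"d ${volume} 0755 ${user.name} ${gid} -"` creates and owns the directory without the recursive pass.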


@ -7,7 +7,6 @@
./bluetooth.nix ./bluetooth.nix
./boot_loader.nix ./boot_loader.nix
./brightnessctl.nix ./brightnessctl.nix
./cockpit.nix
./flatpak.nix ./flatpak.nix
./font.nix ./font.nix
./gnome.nix ./gnome.nix


@ -1,6 +1,6 @@
{ pkgs, ... }: { config, pkgs, ... }:
let let
owner = "tigor"; owner = config.profile.user.name;
in in
{ {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [


@ -31,10 +31,6 @@ in
extraOptions = [ extraOptions = [
"--network=caddy" "--network=caddy"
]; ];
labels = {
"caddy" = "cockpit.tigor.web.id";
"caddy.reverse_proxy" = "hosts.container.internal:9090";
};
}; };
}; };
}; };


@ -4,6 +4,7 @@ let
in in
{ {
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
# services.caddy.enable = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
dive # look into docker image layers dive # look into docker image layers
podman-tui # status of containers in the terminal podman-tui # status of containers in the terminal
@ -28,5 +29,6 @@ in
imports = [ imports = [
./caddy.nix ./caddy.nix
./kavita.nix
]; ];
} }
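Review bot: The added `# services.caddy.enable = true;` in the first hunk is a commented-out setting with no explanation; the new `system/services/caddy.nix` now owns that switch, so the line should be dropped rather than left as dead config. If it is meant as a reminder, a short comment saying why Caddy is not enabled from this module is more useful than a disabled line.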

49
system/podman/kavita.nix Normal file

@ -0,0 +1,49 @@
{ config, lib, pkgs, ... }:
let
user = config.profile.user;
podman = config.profile.podman;
volume = "/nas/kavita";
image = "lscr.io/linuxserver/kavita:latest";
gid = toString user.gid;
uid = toString user.uid;
gateway = "10.1.1.1";
subnet = "10.1.1.0/24";
ip = "10.1.1.3";
ip-range = "10.1.1.3/25";
in
{
config = lib.mkIf (podman.enable && podman.kavita.enable) {
services.caddy.virtualHosts."kavita.tigor.web.id".extraConfig = ''
reverse_proxy ${ip}:5000
'';
systemd.services.create-kavita-network = with config.virtualisation.oci-containers; {
serviceConfig.Type = "oneshot";
wantedBy = [ "${backend}-kavita.service" ];
script = ''${pkgs.podman}/bin/podman network exists kavita || ${pkgs.podman}/bin/podman network create --gateway=${gateway} --subnet=${subnet} --ip-range=${ip-range} kavita'';
};
system.activationScripts.docker-kavita = ''
mkdir -p ${volume}
chown -R ${user.name}:${gid} ${volume}
'';
virtualisation.oci-containers.containers.kavita = {
inherit image;
environment = {
PUID = uid;
PGID = gid;
TZ = "Asia/Jakarta";
};
extraOptions = [
"--network=kavita"
"--ip=${ip}"
];
autoStart = true;
volumes = [
"${volume}/config:/config"
"${volume}/library:/library"
];
};
};
}
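Review bot: `create-kavita-network` is only `wantedBy` the container unit, which makes the container pull it in but gives no ordering, so `podman run --network=kavita` can start before the network exists on first boot; add `before = [ "${backend}-kavita.service" ];` next to the `wantedBy` line (and consider `requiredBy` so a failed network creation stops the container instead of letting it fail later). `ip-range = "10.1.1.3/25";` has host bits set in the prefix, which podman will likely either reject or normalise to 10.1.1.0/25; since `--ip=${ip}` is assigned statically anyway, the range can probably be dropped. The activation script is named `docker-kavita` both here and in `system/docker/kavita.nix`; if `docker.kavita.enable` and `podman.kavita.enable` were ever both set, the two definitions of `system.activationScripts.docker-kavita` would conflict, so a module-specific name such as `podman-kavita` is safer.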

15
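--- /dev/null
+++ b/system/services/caddy.nix
@@ -0,0 +1,15 @@
+{ config, lib, ... }:
+let
+cfg = config.profile.services.caddy;
+inherit (lib) mkIf;
+in
+{
+config = mkIf cfg.enable {
+services.caddy = {
+enable = true;
+extraConfig = ''
+import /etc/caddy/sites-enabled/*
+'';
+};
+};
+}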
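Review bot: `import /etc/caddy/sites-enabled/*` pulls site definitions from a mutable path outside the Nix store, and nothing in this diff creates or populates that directory, so the effective Caddy configuration depends on unmanaged state on the host. Every vhost added in this series already goes through `services.caddy.virtualHosts`, so the `extraConfig` import could be dropped; if the directory is intended for hand-written sites, declare it with `systemd.tmpfiles.rules` and add a comment saying who is expected to write there.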


@ -1,13 +1,16 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
cfg = config.profile.cockpit; cfg = config.profile.services.cockpit;
inherit (lib) mkIf;
in in
{ {
config = lib.mkIf cfg.enable { config = mkIf cfg.enable {
environment.systemPackages = lib.mkIf config.profile.podman.enable [ environment.systemPackages = mkIf config.profile.podman.enable [
(pkgs.callPackage ../packages/cockpit-podman.nix { }) (pkgs.callPackage ../packages/cockpit-podman.nix { })
]; ];
services.udisks2.enable = true; services.caddy.virtualHosts."cockpit.tigor.web.id".extraConfig = ''
reverse_proxy 0.0.0.0:9090
'';
services.cockpit = { services.cockpit = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
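Review bot: `reverse_proxy 0.0.0.0:9090` names the upstream by the wildcard address; it usually ends up connecting to the local host, but `reverse_proxy 127.0.0.1:9090` says what is meant. Cockpit also checks the `Origin` of its websocket against its own host, so behind a TLS-terminating proxy it typically needs `[WebService] Origins = https://cockpit.tigor.web.id` and `ProtocolHeader = X-Forwarded-Proto` in `services.cockpit.settings`, otherwise logins through the proxy fail; worth confirming on this host. With `openFirewall = true;` kept on the context line, port 9090 also stays reachable directly and bypasses the proxy; if all access is meant to go through Caddy, set it to `false`. The `services.cockpit` set continues past the hunk.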


@ -0,0 +1,9 @@
{ ... }:
{
imports = [
./caddy.nix
./cockpit.nix
./forgejo.nix
./samba.nix
];
}


@ -0,0 +1,32 @@
{ config, lib, ... }:
let
cfg = config.profile.services.forgejo;
inherit (lib) mkIf;
in
{
config = mkIf cfg.enable {
services.caddy.virtualHosts."git.tigor.web.id".extraConfig = ''
reverse_proxy * unix//run/forgejo/forgejo.sock
'';
services.forgejo = {
enable = true;
settings = {
server = {
PROTOCOL = "http+unix";
SSH_PORT = 2222;
DOMAIN = "git.tigor.web.id";
HTTP_PORT = 443;
ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}:${toString config.services.forgejo.settings.server.HTTP_PORT}";
};
service = {
DISABLE_REGISTRATION = true;
};
session.COOKIE_SECURE = true;
};
};
networking.firewall.allowedTCPPorts = [ config.services.forgejo.settings.server.SSH_PORT ];
};
}
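Review bot: `networking.firewall.allowedTCPPorts` opens `SSH_PORT` 2222, but nothing here starts a listener on it: Forgejo's built-in SSH server only runs with `server.START_SSH_SERVER = true`, and `SSH_PORT` on its own only changes the port shown in clone URLs. Either enable the built-in server, or, if the system `sshd` is meant to serve on 2222, configure that there and drop this rule so the firewall does not open an unused port. `ROOT_URL` also interpolates `HTTP_PORT = 443` into the URL, producing `https://git.tigor.web.id:443/` with a redundant port suffix; `ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}/";` is the usual form when Caddy terminates TLS. The Caddy service must also be able to open `/run/forgejo/forgejo.sock`; check the permissions the NixOS module gives the socket, since a permission mismatch only shows up at runtime.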

36
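--- /dev/null
+++ b/system/services/samba.nix
@@ -0,0 +1,36 @@
+{ config, lib, ... }:
+let
+cfg = config.profile.services.samba;
+user = config.profile.user;
+inherit (lib) mkIf;
+in
+{
+config = mkIf cfg.enable {
+services.samba = {
+enable = true;
+securityType = "user";
+openFirewall = true;
+extraConfig = ''
+workgroup = WORKGROUP
+server string = smbnix
+netbios name = smbnix
+security = user
+guest account = ${user.name}
+'';
+shares = {
+nas = {
+path = "/nas";
+browsable = "yes";
+"read only" = "no";
+"guest ok" = "yes";
+"create mask" = "0777";
+"directory mask" = "0777";
+};
+};
+};
+services.samba-wsdd = {
+enable = true;
+openFirewall = true;
+};
+};
+}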
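Review bot: The `nas` share combines `"guest ok" = "yes"`, `"read only" = "no"` and `guest account = ${user.name}` with `openFirewall = true`, so any host that can reach port 445 gets unauthenticated write access to `/nas` under that user's identity, and `create mask`/`directory mask` `0777` make every file created through the share world-writable on the filesystem. If the share is meant for authenticated use only, set `"guest ok" = "no"` and drop the `guest account` line (users then need `smbpasswd` entries); if guest access is intentional, map it to a dedicated low-privilege account and use masks such as `0664`/`0775` to limit the blast radius. `security = user` in `extraConfig` duplicates `securityType = "user"` one line above and can go.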