Compare commits
7 commits
22399a23b3
...
fba9237dba
Author | SHA1 | Date | |
---|---|---|---|
Tigor Hutasuhut | fba9237dba | ||
Tigor Hutasuhut | 735e7eab63 | ||
Tigor Hutasuhut | f888cb350c | ||
Tigor Hutasuhut | ec500d01a7 | ||
Tigor Hutasuhut | 73f22bea6a | ||
Tigor Hutasuhut | 2c91ce9e07 | ||
Tigor Hutasuhut | 2a3c822b56 |
|
@ -5,7 +5,8 @@
|
||||||
|
|
||||||
{
|
{
|
||||||
imports =
|
imports =
|
||||||
[ (modulesPath + "/installer/scan/not-detected.nix")
|
[
|
||||||
|
(modulesPath + "/installer/scan/not-detected.nix")
|
||||||
];
|
];
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
|
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
|
||||||
|
@ -14,19 +15,21 @@
|
||||||
boot.extraModulePackages = [ ];
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
fileSystems."/" =
|
fileSystems."/" =
|
||||||
{ device = "/dev/disk/by-uuid/439a1beb-1443-495b-9891-012605819803";
|
{
|
||||||
|
device = "/dev/disk/by-uuid/439a1beb-1443-495b-9891-012605819803";
|
||||||
fsType = "ext4";
|
fsType = "ext4";
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/boot" =
|
fileSystems."/boot" =
|
||||||
{ device = "/dev/disk/by-uuid/47A1-0296";
|
{
|
||||||
|
device = "/dev/disk/by-uuid/47A1-0296";
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
options = [ "fmask=0022" "dmask=0022" ];
|
options = [ "fmask=0022" "dmask=0022" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems."/nas" = {
|
fileSystems."/nas" = {
|
||||||
device = "/dev/disk/by-label/WD_RED_4T_1";
|
device = "/dev/disk/by-label/WD_RED_4T_1";
|
||||||
fsType = "ext4";
|
fsType = "ext4";
|
||||||
};
|
};
|
||||||
|
|
||||||
swapDevices = [ ];
|
swapDevices = [ ];
|
||||||
|
@ -36,7 +39,24 @@
|
||||||
# still possible to use this option, but it's recommended to use it in conjunction
|
# still possible to use this option, but it's recommended to use it in conjunction
|
||||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||||
networking.useDHCP = lib.mkDefault true;
|
networking.useDHCP = lib.mkDefault true;
|
||||||
# networking.interfaces.enp9s0.useDHCP = lib.mkDefault true;
|
networking.defaultGateway = "192.168.100.1";
|
||||||
|
networking.interfaces.enp9s0 = {
|
||||||
|
useDHCP = false;
|
||||||
|
ipv4.addresses = [
|
||||||
|
{
|
||||||
|
address = "192.168.100.3";
|
||||||
|
prefixLength = 24;
|
||||||
|
}
|
||||||
|
{
|
||||||
|
address = "192.168.100.4";
|
||||||
|
prefixLength = 24;
|
||||||
|
}
|
||||||
|
{
|
||||||
|
address = "192.168.100.5";
|
||||||
|
prefixLength = 24;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||||
|
|
|
@ -1,32 +1,80 @@
|
||||||
{ config, pkgs, unstable, ... }:
|
{ config, pkgs, lib, unstable, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.profile.neovim;
|
||||||
|
inherit (lib) mkIf;
|
||||||
|
repository = "git@github.com:tigorlazuardi/nvim.git";
|
||||||
|
nvimCloneDir = "${config.home.homeDirectory}/nvim";
|
||||||
|
in
|
||||||
{
|
{
|
||||||
home.file.".config/nvim" = {
|
config = mkIf cfg.enable {
|
||||||
source = ./.;
|
systemd.user.services.clone-nvim = {
|
||||||
recursive = true;
|
Unit = {
|
||||||
|
Description = "Clone neovim configuration if not exists";
|
||||||
|
Wants = [ "network-online.target" ];
|
||||||
|
After = [ "nss-lookup.target" ];
|
||||||
|
StartLimitIntervalSec = 300;
|
||||||
|
StartLimitBurst = 10;
|
||||||
|
};
|
||||||
|
Service =
|
||||||
|
let
|
||||||
|
git = "${pkgs.git}/bin/git";
|
||||||
|
bash = "${pkgs.bash}/bin/bash";
|
||||||
|
ping = "${pkgs.unixtools.ping}/bin/ping";
|
||||||
|
host = "github.com";
|
||||||
|
sleep = "${pkgs.coreutils}/bin/sleep";
|
||||||
|
script = pkgs.writeScriptBin "clone-nvim.sh" ''
|
||||||
|
#${bash}
|
||||||
|
|
||||||
|
if [ -d "${nvimCloneDir}" ]; then
|
||||||
|
exit 0;
|
||||||
|
fi
|
||||||
|
|
||||||
|
until ${ping} -c 1 ${host}; do
|
||||||
|
${sleep} 1;
|
||||||
|
done
|
||||||
|
|
||||||
|
${git} clone ${repository} ${nvimCloneDir}
|
||||||
|
'';
|
||||||
|
path = "${script}/bin/clone-nvim.sh";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
Type = "simple";
|
||||||
|
ExecStart = path;
|
||||||
|
Restart = "on-failure";
|
||||||
|
RemainAfterExit = "yes";
|
||||||
|
};
|
||||||
|
Install = {
|
||||||
|
WantedBy = [ "default.target" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
xdg.configFile.nvim = {
|
||||||
|
source = config.lib.file.mkOutOfStoreSymlink "${config.home.homeDirectory}/nvim";
|
||||||
|
recursive = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
sops.secrets."copilot" = {
|
||||||
|
path = "${config.home.homeDirectory}/.config/github-copilot/hosts.json";
|
||||||
|
};
|
||||||
|
|
||||||
|
home.packages = with pkgs; [
|
||||||
|
stylua
|
||||||
|
lua-language-server
|
||||||
|
docker-compose-language-service
|
||||||
|
emmet-ls
|
||||||
|
silicon # For code screenshots
|
||||||
|
|
||||||
|
###### Golang development tools ######
|
||||||
|
gomodifytags
|
||||||
|
gotests
|
||||||
|
iferr
|
||||||
|
curl
|
||||||
|
cargo
|
||||||
|
nixpkgs-fmt
|
||||||
|
nil
|
||||||
|
|
||||||
|
gcc
|
||||||
|
python3
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
sops.secrets."copilot" = {
|
|
||||||
path = "${config.home.homeDirectory}/.config/github-copilot/hosts.json";
|
|
||||||
};
|
|
||||||
|
|
||||||
home.packages = with pkgs; [
|
|
||||||
stylua
|
|
||||||
lua-language-server
|
|
||||||
docker-compose-language-service
|
|
||||||
emmet-ls
|
|
||||||
silicon # For code screenshots
|
|
||||||
|
|
||||||
###### Golang development tools ######
|
|
||||||
gomodifytags
|
|
||||||
gotests
|
|
||||||
iferr
|
|
||||||
curl
|
|
||||||
cargo
|
|
||||||
nixpkgs-fmt
|
|
||||||
nil
|
|
||||||
|
|
||||||
gcc
|
|
||||||
python3
|
|
||||||
];
|
|
||||||
}
|
}
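Review bot: The interpreter line of the generated script is missing its `!`: `#${bash}` expands to an ordinary comment, so `clone-nvim.sh` carries no shebang and systemd's `ExecStart` should fail with an exec-format error; it should read `#!${bash}`. `Wants = [ "network-online.target" ]` has no matching `After`, so the unit may start before the network is up and relies entirely on the ping loop, which never gives up if ICMP to github.com is filtered; consider `After = [ "network-online.target" "nss-lookup.target" ];` and a bounded retry. The clone uses the SSH remote `git@github.com`, so non-interactively it presumably depends on the user's key and a github.com `known_hosts` entry already being in place, and there is no ordering between this unit and the sops-provided `~/.ssh/id_ed25519` added elsewhere in this compare — a comment on the unit stating that assumption would help the next reader.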
|
||||||
|
|
|
@ -29,4 +29,21 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
services.mpris-proxy.enable = config.profile.mpris-proxy.enable;
|
services.mpris-proxy.enable = config.profile.mpris-proxy.enable;
|
||||||
|
|
||||||
|
sops.secrets =
|
||||||
|
let
|
||||||
|
sopsFile = ../secrets/ssh.yaml;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
"ssh/id_ed25519/public" = {
|
||||||
|
inherit sopsFile;
|
||||||
|
path = "${config.home.homeDirectory}/.ssh/id_ed25519.pub";
|
||||||
|
mode = "0444";
|
||||||
|
};
|
||||||
|
"ssh/id_ed25519/private" = {
|
||||||
|
inherit sopsFile;
|
||||||
|
path = "${config.home.homeDirectory}/.ssh/id_ed25519";
|
||||||
|
mode = "0400";
|
||||||
|
};
|
||||||
|
};
|
||||||
}
|
}
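Review bot: The public half of the key pair is not confidential and can be derived from the private key, so keeping `ssh/id_ed25519/public` in sops makes `~/.ssh/id_ed25519.pub` depend on age decryption for no security gain; a plain file in the repo or a `home.file` entry would be easier to review. A short comment next to `mode = "0400";` noting that ssh refuses private keys that are group- or world-readable would explain why the mode is pinned rather than left to the default.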
|
||||||
|
|
|
@ -19,6 +19,11 @@
|
||||||
default = "eth0";
|
default = "eth0";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
neovim.enable = lib.mkOption {
|
||||||
|
type = lib.types.bool;
|
||||||
|
default = true;
|
||||||
|
};
|
||||||
|
|
||||||
user = {
|
user = {
|
||||||
name = lib.mkOption {
|
name = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
|
|
|
@ -1,11 +1,11 @@
|
||||||
{ lib, ... }:
|
{ lib, ... }:
|
||||||
|
let
|
||||||
|
inherit (lib) mkEnableOption;
|
||||||
|
in
|
||||||
{
|
{
|
||||||
options.profile.docker = {
|
options.profile.docker = {
|
||||||
enable = lib.mkEnableOption "docker";
|
enable = lib.mkEnableOption "docker";
|
||||||
caddy.enable = lib.mkOption {
|
caddy.enable = mkEnableOption "caddy docker";
|
||||||
type = lib.types.bool;
|
|
||||||
default = true;
|
|
||||||
};
|
|
||||||
kavita.enable = lib.mkEnableOption "kavita docker";
|
kavita.enable = lib.mkEnableOption "kavita docker";
|
||||||
};
|
};
|
||||||
}
|
}
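Review bot: `caddy.enable` silently flips its default from `true` (the removed `mkOption` with `default = true`) to `false` when it becomes `mkEnableOption "caddy docker"`, so any host that enabled `profile.docker` without setting `caddy.enable` loses the Caddy container after this change. If that is intended, a one-line comment saying so would help; otherwise the old default can be kept with `caddy.enable = mkEnableOption "caddy docker" // { default = true; };`.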
|
||||||
|
|
|
@ -4,5 +4,6 @@
|
||||||
enable = lib.mkEnableOption "podman";
|
enable = lib.mkEnableOption "podman";
|
||||||
caddy.enable = lib.mkEnableOption "caddy podman";
|
caddy.enable = lib.mkEnableOption "caddy podman";
|
||||||
kavita.enable = lib.mkEnableOption "kavita podman";
|
kavita.enable = lib.mkEnableOption "kavita podman";
|
||||||
|
pihole.enable = lib.mkEnableOption "pihole podman";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -24,6 +24,11 @@
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||||
podman = {
|
podman = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
pihole.enable = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
docker = {
|
||||||
|
enable = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
|
|
|
@ -1,4 +1,10 @@
|
||||||
runner_token: ENC[AES256_GCM,data:OA1qGIY46bNcjHDms3XZhpa40J9WRexNXsnK0Lm1WWIUbvKOCp6GG2v2599ysQ==,iv:ftNbVJYJR+2UozxMLcYZh5HH+O1KRMvUAKQc9/UAunI=,tag:F++kseVO3yD3jt6+vVTJ5Q==,type:str]
|
forgejo:
|
||||||
|
runners:
|
||||||
|
global: ENC[AES256_GCM,data:LuYqYDMgaq+L94JL5tGTlOhm7x98jpb7n6o5jYVKdN/9Z/5LA10lmwdDDsBYuA==,iv:UkLz8qW/C2M2XomRz+Oc+d4LIioxyh2pPgBaiY6x4N8=,tag:k0xRH8+gMoM4DbITXn1SfA==,type:str]
|
||||||
|
user_tokens:
|
||||||
|
tigor:
|
||||||
|
#ENC[AES256_GCM,data:5IEV/X4fpfydhdSw7LYOLMFZYqD/Kp96Zyp/YXnvFzVh8GluX4+9qGgsdWAsFgLlPXDRAi1ViA==,iv:v1OmczINHtT+AtdXMBjstmGejV62nhQ/T9aIoJG8DR8=,tag:b4Xg3ybhrxy70n/UB5D7nQ==,type:comment]
|
||||||
|
push_docker_image_token: ENC[AES256_GCM,data:jMTz+c3IEcpqRkYLZyrUWLWLIw0AOdDk7LsIDvjCW3rKxTiOOmb1wg==,iv:OjZArNhCCKZkngGjYbCQVYJkQww9K5b4ehUXxsdOqdU=,tag:EViefKbS+II+MXWqLE7rKw==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -14,8 +20,8 @@ sops:
|
||||||
NGg4aFJsSHNPdTcwQ2ZMdmJscm5iNzgKRLrTAenr9q3r1dGPEyuxNhsQp8+20rCk
|
NGg4aFJsSHNPdTcwQ2ZMdmJscm5iNzgKRLrTAenr9q3r1dGPEyuxNhsQp8+20rCk
|
||||||
IKbsjenq/QTMQc+pMz/0oypVFUYNljmOfTWvvnjdJNsYHektNMkmNA==
|
IKbsjenq/QTMQc+pMz/0oypVFUYNljmOfTWvvnjdJNsYHektNMkmNA==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2024-06-13T12:44:00Z"
|
lastmodified: "2024-06-15T09:16:06Z"
|
||||||
mac: ENC[AES256_GCM,data:x8MHb/bcXqQHOUfLIOjnk1ivCs+ubLKm6L0gzrI3ZbLaQRieKvY2THSDjmyF2OAe5x9stjCY5ZOb7t3Y7EXG5sgiwvSwqcZKUY3k4SEkJtO6MJmLE39UGphHPZXQD4Jez+PWfrbZXf4lk9hsnW20wHZgePq+w6mW003uN88ZPzw=,iv:gOZJIXcT2GGTcxonKPtjxZewjFDHU0FW0xT8Sfzz10o=,tag:keHB371hNXD90rqgZjfeaw==,type:str]
|
mac: ENC[AES256_GCM,data:583xIAMkXyVNEkGeM2LM7CLRsypeeJ6Fpt3HxNw7jVmB3PFB/KKwcyhw4UDjNM2xsIjgGMjuAGc3SBI7zubfy9YotrP6m+NOw+8lC9JZbBQIaHIOPTgpeUJLHGveNe2SEBYfbhCjQid+EAWW92oRddZoGyrh2OWq33FgRvTM00A=,iv:/6mZEm2jyJ1cxOQ1mUoGHu6oZjWGknllKYF9/uV80Ao=,tag:oCYlwgXZuin7uBUeRjnOlw==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.8.1
|
version: 3.8.1
|
||||||
|
|
22
secrets/pihole.yaml
Normal file
22
secrets/pihole.yaml
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
pihole:
|
||||||
|
env: ENC[AES256_GCM,data:JLpWZwnefbu0mauukndehWjrsqjvnGdqKYev+UwqP3EoqG88o6c9,iv:u5iaBCjQdga/+O+/IN6dt86ElOO4sferh/BOnS/AXZw=,tag:4oRuUQJ8g11DkYGkRt6EPg==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1kruum2varzua7w5n6n52vhwyek2arc685rhcwt0u7k2jf5mecsjslkl9ll
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoWFhuaFp4Zm5idmFXUGRO
|
||||||
|
RG9YbzV3WUdJcHRFWlpISE5GNzVRZEpILzFvCjJUQlFqeWFsNU15Y1pINWgvc2wz
|
||||||
|
OU82L3ZPdW9GY1dyaXV4dndIUmNGRzQKLS0tIGpYMGZQeFJMMlhYUGR5c3lkbng2
|
||||||
|
VlpjTVo3NlIzR0QrVGZNdWdORjVMVmMKIrSq+w9oB3UdOxGNbwabXrpgPSfys+zo
|
||||||
|
M79xEqCUZ30jmfpPvL2VUiD25Bq/iWyj3x8d1xVGxQqUOg23AMb9mA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-06-16T17:29:06Z"
|
||||||
|
mac: ENC[AES256_GCM,data:e4VrmU1OtVuTxIz56NIumSoLTN2PDCYk5+f8UhPZyTF9rH/hz78LxhbPEPLy4TqQpxZZw/cH8wUUTNXUsYRdlbeL+IIbsEcwzjEBWZCSu38gMj/bNhBNwKU/oAWoKHdAQJYxYe3xnyji1xMLZofDVGQv2i46AI1TMXjFBU9Lz6Q=,iv:ILLCVVWxEKgVqCLHGuDmVINdgh0T3oYimdBIeWvQ7PE=,tag:7yvr0eEciG8yOVrHk1eGeg==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.8.1
|
24
secrets/ssh.yaml
Normal file
24
secrets/ssh.yaml
Normal file
|
@ -0,0 +1,24 @@
|
||||||
|
ssh:
|
||||||
|
id_ed25519:
|
||||||
|
public: ENC[AES256_GCM,data:JmFWFRSIvgL4gzEwezyijkc11ll9GueYY2lxxmkPMqSz7zGnAcQ9+mQIU97MDyPp9eCQVPOIDDrWM8ct7+ji7Sxg25H80XlsvoKmawT8sPdzQ60DAumAdqNal3I=,iv:UivMLLFFCkIFcL8mCxIDPdDWlluxqhjpO7asnF8OUSg=,tag:zOeEALrhmHwSpmtiCX5mWg==,type:str]
|
||||||
|
private: ENC[AES256_GCM,data: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,iv:oKWlw2I9mXTdY2oq++rxA8IbOlfSHuB7QwilD1Q7Xas=,tag:zhhsiJ91XdBnR85MYG8+WQ==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1kruum2varzua7w5n6n52vhwyek2arc685rhcwt0u7k2jf5mecsjslkl9ll
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFeDU3eEwrNGljcmFueHFU
|
||||||
|
NEtrdVF5MU9ueTNDeTlCdmRPSFpnNFJDZTBzCnk4NU9ZcEc0YkhGcnNQVktNMDR2
|
||||||
|
a3dHTWV4RmNINlA1ZVhzSU9xNGtWVzQKLS0tIDF4dnRlQUo3OTJjNzFiYmlGVThE
|
||||||
|
M2pJUzhSUDFRWGtjdnNCZmlMT2puZlEKBxDLcxTU0E81lqqPQ75N5Et69Z1Dwac6
|
||||||
|
n3+oBzhhJoOhYagmp/Zm3FVh3kcHGoCe6pyDnrZSka/zO3kkZKigng==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-06-17T09:01:59Z"
|
||||||
|
mac: ENC[AES256_GCM,data:i2MCNIJ8LVspz878zTH7QrXOAA/8+G4xFhYGRoWmzCzRIHYAXsTDDU4ATgZM3rSqCWgvO/3ynKbGmiDN2z5tYreB8KDRk92WVuCqaJSfdnYulvgf1346+9NxbMbJnAi34evUcPj7QJTooRF0vGCIAk8zOCu75TIB8acVwFB+viY=,iv:9+rfk7QqLjNH0FZ617A2Y1vciwBBYlm54S2o1G93kb4=,tag:qz55kt+IFQDBt6vWK+v6Cw==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.8.1
|
|
@ -1,9 +1,11 @@
|
||||||
{ config, lib, ... }:
|
{ config, lib, ... }:
|
||||||
let
|
let
|
||||||
cfg = config.profile.docker;
|
cfg = config.profile.docker;
|
||||||
|
username = config.profile.user.name;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
|
users.users.${username}.extraGroups = [ "docker" ];
|
||||||
virtualisation.docker.enable = true;
|
virtualisation.docker.enable = true;
|
||||||
virtualisation.docker.autoPrune.enable = true;
|
virtualisation.docker.autoPrune.enable = true;
|
||||||
virtualisation.oci-containers.backend = "docker";
|
virtualisation.oci-containers.backend = "docker";
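Review bot: Membership of the `docker` group added on the new `users.users.${username}.extraGroups` line is effectively root on this host, because the daemon runs as root and acts on behalf of any socket client without further authentication; that is worth stating next to the line, e.g. `# NOTE: "docker" group membership is root-equivalent`. Gating it under `cfg.enable` is an improvement over the unconditional list removed from the user file in this same compare, and since `extraGroups` is a merged list the per-profile definitions compose without conflicting. The enclosing `config = lib.mkIf cfg.enable { ... }` continues past the hunk.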
|
||||||
|
|
|
@ -1,9 +1,11 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
let
|
let
|
||||||
cfg = config.profile.android;
|
cfg = config.profile.android;
|
||||||
|
username = config.profile.user.name;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
|
users.users.${username}.extraGroups = [ "adbusers" ];
|
||||||
programs.adb.enable = true;
|
programs.adb.enable = true;
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
androidenv.androidPkgs_9_0.platform-tools
|
androidenv.androidPkgs_9_0.platform-tools
|
||||||
|
|
|
@ -11,5 +11,6 @@
|
||||||
{
|
{
|
||||||
enable = cfg.enable;
|
enable = cfg.enable;
|
||||||
allowedTCPPorts = cfg.allowedTCPPorts;
|
allowedTCPPorts = cfg.allowedTCPPorts;
|
||||||
|
allowedUDPPorts = [ 53 ];
|
||||||
};
|
};
|
||||||
}
|
}
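Review bot: `allowedUDPPorts = [ 53 ];` opens DNS on every interface whenever this firewall profile is enabled, independent of whether a resolver is actually running on the host, and unlike `allowedTCPPorts` it is hard-coded rather than exposed through `cfg`. Either mirror the existing option (`allowedUDPPorts = cfg.allowedUDPPorts;` with a matching `mkOption` defaulting to `[ ]`) or move the rule into the stubby/pihole module that owns the listener, where it can be scoped with `networking.firewall.interfaces.<name>.allowedUDPPorts`. The enclosing attribute set begins outside the hunk.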
|
||||||
|
|
|
@ -1,9 +1,11 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
let
|
let
|
||||||
cfg = config.profile.printing;
|
cfg = config.profile.printing;
|
||||||
|
username = config.profile.user.name;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
|
users.users.${username}.extraGroups = [ "lp" ];
|
||||||
services.printing = {
|
services.printing = {
|
||||||
enable = true;
|
enable = true;
|
||||||
drivers = [ pkgs.brlaser ]; # Brother Laser Printer
|
drivers = [ pkgs.brlaser ]; # Brother Laser Printer
|
||||||
|
|
|
@ -1,9 +1,11 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
let
|
let
|
||||||
cfg = config.profile.scanner;
|
cfg = config.profile.scanner;
|
||||||
|
username = config.profile.user.name;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
|
users.users.${username}.extraGroups = [ "scanner" ];
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
skanlite
|
skanlite
|
||||||
];
|
];
|
||||||
|
|
|
@ -1,9 +1,11 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
let
|
let
|
||||||
cfg = config.profile.podman;
|
cfg = config.profile.podman;
|
||||||
|
username = config.profile.user.name;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
|
users.users.${username}.extraGroups = [ "podman" ];
|
||||||
# services.caddy.enable = true;
|
# services.caddy.enable = true;
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
dive # look into docker image layers
|
dive # look into docker image layers
|
||||||
|
@ -11,6 +13,7 @@ in
|
||||||
podman-compose # start group of containers for dev
|
podman-compose # start group of containers for dev
|
||||||
];
|
];
|
||||||
|
|
||||||
|
systemd.timers."podman-auto-update".enable = true;
|
||||||
virtualisation.containers.enable = true;
|
virtualisation.containers.enable = true;
|
||||||
virtualisation.oci-containers.backend = "podman";
|
virtualisation.oci-containers.backend = "podman";
|
||||||
virtualisation.podman = {
|
virtualisation.podman = {
|
||||||
|
@ -21,7 +24,7 @@ in
|
||||||
defaultNetwork.settings.dns_enabled = true;
|
defaultNetwork.settings.dns_enabled = true;
|
||||||
};
|
};
|
||||||
# https://madison-technologies.com/take-your-nixos-container-config-and-shove-it/
|
# https://madison-technologies.com/take-your-nixos-container-config-and-shove-it/
|
||||||
networking.firewall.interfaces.podman1 = {
|
networking.firewall.interfaces."podman[0-9]+" = {
|
||||||
allowedUDPPorts = [ 53 ]; # this needs to be there so that containers can look eachother's names up over DNS
|
allowedUDPPorts = [ 53 ]; # this needs to be there so that containers can look eachother's names up over DNS
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -30,5 +33,6 @@ in
|
||||||
imports = [
|
imports = [
|
||||||
./caddy.nix
|
./caddy.nix
|
||||||
./kavita.nix
|
./kavita.nix
|
||||||
|
./pihole.nix
|
||||||
];
|
];
|
||||||
}
|
}
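Review bot: The renamed key `networking.firewall.interfaces."podman[0-9]+"` in the third hunk of this file is, as far as I know, treated as a literal interface name rather than a regex — the iptables backend understands only a trailing `+` wildcard and the nftables backend only a trailing `*` — so `[0-9]` would be matched literally and the DNS rule would apply to no interface; `"podman+"` is the form that matches every podman bridge, and it is worth confirming against the generated ruleset after a switch. The added `systemd.timers."podman-auto-update".enable = true` in the second hunk only acts on containers carrying the `io.containers.autoupdate` label, which `virtualisation.oci-containers` does not set by itself, so as written the timer is presumably a no-op; if automatic updates are intended, set `labels = { "io.containers.autoupdate" = "registry"; };` on the container, otherwise a comment saying the timer is currently inert would avoid confusion.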
|
||||||
|
|
90
system/podman/pihole.nix
Normal file
90
system/podman/pihole.nix
Normal file
|
@ -0,0 +1,90 @@
|
||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
let
|
||||||
|
name = "pihole";
|
||||||
|
podman = config.profile.podman;
|
||||||
|
pihole = podman.pihole;
|
||||||
|
inherit (lib) mkIf;
|
||||||
|
gateway = "10.1.1.1";
|
||||||
|
subnet = "10.1.1.0/29";
|
||||||
|
ip = "10.1.1.3";
|
||||||
|
ip-range = "10.1.1.3/29";
|
||||||
|
image = "pihole/pihole:latest";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
config = mkIf (podman.enable && pihole.enable) {
|
||||||
|
services.caddy.virtualHosts."pihole.tigor.web.id".extraConfig = ''
|
||||||
|
@root path /
|
||||||
|
redir @root /admin
|
||||||
|
reverse_proxy ${ip}:80
|
||||||
|
'';
|
||||||
|
|
||||||
|
sops.secrets."pihole/env" = {
|
||||||
|
sopsFile = ../../secrets/pihole.yaml;
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
systemd.services.create-kavita-network = {
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
RemainAfterExit = true;
|
||||||
|
};
|
||||||
|
wantedBy = [ "podman-pihole.service" ];
|
||||||
|
script = ''${pkgs.podman}/bin/podman network exists ${name} || ${pkgs.podman}/bin/podman network create --gateway=${gateway} --subnet=${subnet} --ip-range=${ip-range} ${name}'';
|
||||||
|
};
|
||||||
|
|
||||||
|
environment.etc."pihole/custom.list" = {
|
||||||
|
# Copy file instead of symlink
|
||||||
|
mode = "0400";
|
||||||
|
|
||||||
|
# Creates a pihole custom.list file with the following pattern:
|
||||||
|
#
|
||||||
|
# custom.list:
|
||||||
|
# 192.168.100.5 {domain_name_1}
|
||||||
|
# 192.168.100.5 {domain_name_2}
|
||||||
|
#
|
||||||
|
# For each domain defined in services.caddy.virtualHosts
|
||||||
|
text =
|
||||||
|
let
|
||||||
|
inherit (lib) strings attrsets;
|
||||||
|
in
|
||||||
|
''${strings.concatStringsSep "\n" (
|
||||||
|
attrsets.mapAttrsToList (name: _: "192.168.100.5 ${strings.removePrefix "https://" name}") config.services.caddy.virtualHosts
|
||||||
|
)}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
virtualisation.oci-containers.containers.pihole = {
|
||||||
|
inherit image;
|
||||||
|
environment = {
|
||||||
|
TZ = "Asia/Jakarta";
|
||||||
|
PIHOLE_DNS_ = "192.168.100.5";
|
||||||
|
DHCP_ACTIVE = "true";
|
||||||
|
DHCP_START = "192.168.100.20";
|
||||||
|
DHCP_END = "192.168.100.254";
|
||||||
|
DHCP_ROUTER = "192.168.100.1";
|
||||||
|
DNS_BOGUS_PRIV = "false";
|
||||||
|
DNS_FQDN_REQUIRED = "false";
|
||||||
|
};
|
||||||
|
ports = [
|
||||||
|
"192.168.100.4:53:53/udp"
|
||||||
|
"67:67/udp"
|
||||||
|
];
|
||||||
|
volumes = [
|
||||||
|
"pihole-etc:/etc/pihole"
|
||||||
|
"pihole-dnsmasq:/etc/dnsmasq.d"
|
||||||
|
"/etc/pihole/custom.list:/etc/pihole/custom.list"
|
||||||
|
];
|
||||||
|
environmentFiles = [
|
||||||
|
config.sops.secrets."pihole/env".path
|
||||||
|
];
|
||||||
|
extraOptions = [
|
||||||
|
"--ip=${ip}"
|
||||||
|
"--network=${name}"
|
||||||
|
"--cap-add=NET_ADMIN"
|
||||||
|
"--cap-add=NET_BIND_SERVICE"
|
||||||
|
"--cap-add=NET_RAW"
|
||||||
|
"--cap-add=SYS_NICE"
|
||||||
|
"--cap-add=CHOWN"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
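Review bot: `systemd.services.create-kavita-network` looks like a copy-paste leftover: the unit creates the `pihole` network (`name = "pihole"`) and is wanted by `podman-pihole.service`, and if `./kavita.nix`, imported alongside this file, defines a unit of the same name the two definitions would merge into one service with conflicting `script` values; it should be `create-pihole-network`. `image = "pihole/pihole:latest"` is an unpinned tag, and combined with the `podman-auto-update` timer enabled in podman.nix the host would run whatever the registry serves next; pinning a version tag or a `@sha256:` digest keeps image changes reviewable. The literal `192.168.100.5` appears three times here (`PIHOLE_DNS_`, the `custom.list` generator and the Caddy-facing address) and again in the stubby and hardware configs, so a single `let` binding such as `hostDns = "192.168.100.5";` would keep them from drifting. `DHCP_ACTIVE = "true"` from a container on a NAT'd bridge (`10.1.1.3`, with only port 67 published) is unlikely to see LAN DHCPDISCOVER broadcasts — presumably host networking or a macvlan is needed — so a comment on whether the DHCP server is actually expected to work would help.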
|
|
@ -31,7 +31,7 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
sops.secrets."runner_token" = {
|
sops.secrets."forgejo/runners/global" = {
|
||||||
sopsFile = ../../secrets/forgejo.yaml;
|
sopsFile = ../../secrets/forgejo.yaml;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -42,8 +42,15 @@ in
|
||||||
enable = true;
|
enable = true;
|
||||||
name = config.networking.hostName;
|
name = config.networking.hostName;
|
||||||
url = config.services.forgejo.settings.server.ROOT_URL;
|
url = config.services.forgejo.settings.server.ROOT_URL;
|
||||||
tokenFile = config.sops.secrets."runner_token".path;
|
tokenFile = config.sops.secrets."forgejo/runners/global".path;
|
||||||
settings = {
|
settings = {
|
||||||
|
runner = {
|
||||||
|
capacity = 2;
|
||||||
|
timeout = "1h";
|
||||||
|
};
|
||||||
|
cache = {
|
||||||
|
enabled = true;
|
||||||
|
};
|
||||||
container = {
|
container = {
|
||||||
privileged = true;
|
privileged = true;
|
||||||
# docker_host = "unix:///var/run/docker.sock";
|
# docker_host = "unix:///var/run/docker.sock";
|
||||||
|
|
|
@ -5,13 +5,13 @@ let
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
networking.resolvconf.useLocalResolver = true;
|
networking.resolvconf.useLocalResolver = false;
|
||||||
|
networking.nameservers = [ "192.168.100.5" ];
|
||||||
services.stubby = {
|
services.stubby = {
|
||||||
enable = true;
|
enable = true;
|
||||||
settings = pkgs.stubby.passthru.settingsExample // {
|
settings = pkgs.stubby.passthru.settingsExample // {
|
||||||
listen_addresses = [
|
listen_addresses = [
|
||||||
"0.0.0.0@53"
|
"192.168.100.5"
|
||||||
"0::0"
|
|
||||||
];
|
];
|
||||||
upstream_recursive_servers = [
|
upstream_recursive_servers = [
|
||||||
{
|
{
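Review bot: `listen_addresses = [ "192.168.100.5" ]` binds stubby to a LAN address that is assigned statically in the hardware config, so the unit now depends on that address existing when stubby starts; with scripted networking the address is set by `network-addresses-enp9s0.service`, and without an `After`/`Requires` on it (or `net.ipv4.ip_nonlocal_bind`) stubby may fail to bind on boot, which deserves a comment or an explicit dependency. Dropping `"0::0"` also removes the IPv6 listener, which is fine if no client resolves over v6 but is worth a one-line note next to the list. The `upstream_recursive_servers` list continues outside the hunk.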
|
||||||
|
|
|
@ -7,7 +7,7 @@ in
|
||||||
users.users.${user} = {
|
users.users.${user} = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
description = fullName;
|
description = fullName;
|
||||||
extraGroups = [ "networkmanager" "wheel" "docker" "adbusers" "scanner" "lp" "podman" ];
|
extraGroups = [ "networkmanager" "wheel" ];
|
||||||
shell = pkgs.zsh;
|
shell = pkgs.zsh;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|