tigor/NixOS
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: tigor:6c09df8fa0147c3dd3b928b89d449b2db02f4051
Branches Tags
tigor:main
..
compare: tigor:544ea1236dd87bd27aac54170f11ff42eb404ae1
Branches Tags
tigor:main

No commits in common. "6c09df8fa0147c3dd3b928b89d449b2db02f4051" and "544ea1236dd87bd27aac54170f11ff42eb404ae1" have entirely different histories.
6c09df8fa0 ... 544ea1236d

23 changed files with 24 additions and 267 deletions
Show stats Expand all files Collapse all files

5
.sops.yaml
View file

@ -1,5 +0,0 @@
creation_rules:
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
key_groups:
- age:
- age1kruum2varzua7w5n6n52vhwyek2arc685rhcwt0u7k2jf5mecsjslkl9ll

10
hardware-configuration/castle.nix
View file

@ -7,7 +7,7 @@
]; ];
sops.secrets."smb/secrets" = { sops.secrets."smb/secrets" = {
owner = config.profile.user.name; owner = config.users.users.tigor.name;
}; };
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
@ -15,10 +15,10 @@
boot.kernelModules = [ "kvm-amd" ]; boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
system.fsPackages = [ pkgs.bindfs pkgs.cifs-utils ]; system.fsPackages = [ pkgs.bindfs ];
fileSystems."/nas" = fileSystems."/nas" =
{ {
device = "//192.168.100.5/nas"; device = "//192.168.100.5/wd_red_1";
fsType = "cifs"; fsType = "cifs";
options = [ options = [
"_netdev" "_netdev"
@ -27,8 +27,8 @@
"x-systemd.idle-timeout=60" "x-systemd.idle-timeout=60"
"x-systemd.device-timeout=5s" "x-systemd.device-timeout=5s"
"x-systemd.mount-timeout=5s" "x-systemd.mount-timeout=5s"
"uid=${toString config.profile.user.uid}" "uid=1000"
"gid=${toString config.profile.user.gid}" "gid=100"
"credentials=${config.sops.secrets."smb/secrets".path}" "credentials=${config.sops.secrets."smb/secrets".path}"
]; ];
}; };

1
options/default.nix
View file

@ -5,7 +5,6 @@
./hyprland.nix ./hyprland.nix
./docker.nix ./docker.nix
./podman.nix ./podman.nix
./services.nix
]; ];
options.profile = { options.profile = {

1
options/docker.nix
View file

@ -6,6 +6,5 @@
type = lib.types.bool; type = lib.types.bool;
default = true; default = true;
}; };
kavita.enable = lib.mkEnableOption "kavita docker";
}; };
} }

1
options/podman.nix
View file

@ -6,6 +6,5 @@
type = lib.types.bool; type = lib.types.bool;
default = true; default = true;
}; };
kavita.enable = lib.mkEnableOption "kavita docker";
}; };
} }

13
options/services.nix
View file

@ -1,13 +0,0 @@
{ lib, ... }:
let
inherit (lib) mkEnableOption;
in
{
options.profile.services = {
caddy.enable = mkEnableOption "caddy";
cockpit.enable = mkEnableOption "cockpit";
forgejo.enable = mkEnableOption "forgejo";
kavita.enable = mkEnableOption "kavita";
samba.enable = mkEnableOption "samba";
};
}

14
profiles/fort.nix
View file

@ -48,19 +48,5 @@
brightnessctl.enable = true; brightnessctl.enable = true;
keyboard.language.japanese = true; keyboard.language.japanese = true;
mpris-proxy.enable = true;
kitty.enable = true;
neovide.enable = true;
spotify.enable = true;
vscode.enable = true;
jellyfin.enable = false;
mpv.enable = true;
go.enable = true;
chromium.enable = true;
bitwarden.enable = true;
dbeaver.enable = true;
microsoft-edge.enable = true;
nextcloud.enable = false;
}; };
} }

19
profiles/homeserver.nix
View file

@ -17,28 +17,17 @@
audio.enable = false; audio.enable = false;
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
podman = {
enable = false;
};
openssh.enable = true; openssh.enable = true;
go.enable = true; go.enable = true;
networking.firewall.enable = true; networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
cockpit.enable = true; cockpit.enable = false;
docker = { docker = {
enable = false;
caddy.enable = false;
kavita.enable = false;
};
podman = {
enable = true; enable = true;
caddy.enable = false;
kavita.enable = true;
};
services = {
caddy.enable = true; caddy.enable = true;
cockpit.enable = true;
forgejo.enable = true;
kavita.enable = true;
samba.enable = true;
}; };
}; };
} }

22
secrets/caddy_reverse_proxy.yaml
View file

@ -1,22 +0,0 @@
forgejo: ENC[AES256_GCM,data:w/qGCqEsbzhgCmGiy4pqvwjEbIWhOIPjQyQyNtbiBzadrFxG6+cxFQJ1gY/q9tENuogKoVdCtKdHYONM6gs+yd3+/Xk=,iv:u5P7so4J3OeHmnf33ss2X7f8GAA04I0/mw1/MUy6C3Y=,tag:nYhY/ecas7dPYP6FwEnOsg==,type:str]
cockpit: ENC[AES256_GCM,data:5/ztOP1mJwKlcLS0RLqbre2nMOphIg59+/Dqz3njZW7jDJm37gMdgaPpY+eA5IWBMW7gZNCcVA==,iv:mmGsqA7U3rzhZ40BUReMlDaKxzKsDTw0mSZzcpu2QB4=,tag:jwmqiMGbENjX4B8GbPHcjw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1kruum2varzua7w5n6n52vhwyek2arc685rhcwt0u7k2jf5mecsjslkl9ll
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhK1lrMkJlNmJwK3ZvSjhz
VnFQa2xMdEt0dU9pRlQxbWZIT09ObVI2cUNBCkx2UnBQOTFRYkhXR0pyWGgxdVIr
R3NvZDBTU3lIY3RHZkxKRDQzRWhmYUUKLS0tIDJtNFc2VzRNQVdxZ0kxME91Um9p
OTBPaGdUZ1ZueUlKMVlhOHBreFV6OVEKBhcqTTA9Vufnn/WAhR5zb08Nsn48zmD2
+bdJf+0B68Z57Q/47fNjvXclqLdDCWToTlIjOTnzVH2oXOWKQQxj6g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-13T06:44:09Z"
mac: ENC[AES256_GCM,data:S0/He8nAYp524SIteg1bd7aa4b7OJ2jshP/x+m9Grt+9fI8ZN42XpcW/u7JA6xV2eAJ7ZS4YBt965V6ttJu/Ric0xRzdG/evK9zrG0CFcoY8Di9eBU/KqBSyXxO7E/ZYamp9AQpkO9KzsSBYYStkZe4FjPy/5o4bSCjkLOIPO1w=,iv:OR42uFaNxMHAdaq1JZLz4B+cPZPJw5TP97W+rbHckK0=,tag:BXKF4WSHDZ63eyzNNBR2JA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

6
secrets/secrets.yaml
View file

@ -1,7 +1,7 @@
gnome-keyring: gnome-keyring:
tigor: ENC[AES256_GCM,data:fUJzIUburewNo6eSLdk0d4RJuL0XIWc=,iv:4pVbLT91IoS6XDEOd9jg4GQkVpQxYNasUeqv2otMgT8=,tag:aSFQKgu7N4p/73omC0wqNw==,type:str] tigor: ENC[AES256_GCM,data:fUJzIUburewNo6eSLdk0d4RJuL0XIWc=,iv:4pVbLT91IoS6XDEOd9jg4GQkVpQxYNasUeqv2otMgT8=,tag:aSFQKgu7N4p/73omC0wqNw==,type:str]
smb: smb:
secrets: ENC[AES256_GCM,data:2XiBlll1fhr2N7CYfMmqVR6INm5j1B0dUhhLUDUmHH/Med0XzWrqh+0Fme7CTt3mdnbIO+AOe0U=,iv:jhWoP97kyGwDicB0CV2B0ppNB8JlFrajsnhvJsUv7FE=,tag:Alo0zX0AqbjziGflNFvepw==,type:str] secrets: ENC[AES256_GCM,data:DKG6wjW/gBLX4cqisodnCX5OO6vVMQFerlAzlvW434xLQjHfn/SyTr3D/8GOSsMO,iv:4Qqdg2bDzNeCNeLifySfxwN/rA+qcAG0JSjt8ByFG/o=,tag:ALOoJ7h3EtjRIHskBfIouA==,type:str]
spotify: spotify:
username: ENC[AES256_GCM,data:7uYX5Co=,iv:zc03i9P/nX6hIe/SfUulH2T3BkxD/1xiqG2izmaJbho=,tag:/djGWrxvsG9L5x3vHc9TwQ==,type:str] username: ENC[AES256_GCM,data:7uYX5Co=,iv:zc03i9P/nX6hIe/SfUulH2T3BkxD/1xiqG2izmaJbho=,tag:/djGWrxvsG9L5x3vHc9TwQ==,type:str]
password: ENC[AES256_GCM,data:Yf2NCLuXVd28kPCHLLc=,iv:Ip4tAMOW5h8TPKavB7pTMt/ojtCq1wxw3Syhey4dGQI=,tag:b2FGiXAo66S6goiH43NQBA==,type:str] password: ENC[AES256_GCM,data:Yf2NCLuXVd28kPCHLLc=,iv:Ip4tAMOW5h8TPKavB7pTMt/ojtCq1wxw3Syhey4dGQI=,tag:b2FGiXAo66S6goiH43NQBA==,type:str]
@ -23,8 +23,8 @@ sops:
UFFON2V5UWp1UUpETzZNSnVJdk5GcWsKupkOEN8OI/EOeu4Kkjo/SNhxMw2pa/gs UFFON2V5UWp1UUpETzZNSnVJdk5GcWsKupkOEN8OI/EOeu4Kkjo/SNhxMw2pa/gs
DzlsQRvytwCvAtr7zqHJvS6oeWlyjbirAHlpSzNS4QcqtbtK3mHC/Q== DzlsQRvytwCvAtr7zqHJvS6oeWlyjbirAHlpSzNS4QcqtbtK3mHC/Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-13T09:09:57Z" lastmodified: "2024-06-12T16:32:51Z"
mac: ENC[AES256_GCM,data:Ovi5vtxADk/vb899WuaU8uWCsM/zN7jTWF47ivJxbgtGlIbQQWeI9eY0s+VaPSdGSshJCP4RYasoJBeL0CiZ64wdLtwsDqfbAB6k8LtS/YRY/hDVGvUG+5GDP+I12q5xbHzJbjiKFN4yLRuK9WVyBQp7TRr484zkdjDDkApoC6w=,iv:FCc/9Xq4xsKQ+Hwi4VpCY8/F4+zHezv42wWpSaGsrjc=,tag:m+dnpB6LjzSvf7cgugEk7g==,type:str] mac: ENC[AES256_GCM,data:dHh4kDSHDQAKLgGaW2TjBH09pEdpPSnNLvFb/EqfHWhUuXqjniFGOsR/KkhoYP2aVfQXBoRUyDvC0cspD6//wSqZuWNAwfVhP20XUQ6fNRaV/3RIU4Btp641Mg+wE3RkwANspkF9o5CD0wicDxNoirf60qPTWnD9ABmBPvd6bdI=,iv:nTg9WWP4WnnCmvMb91h8RH4ZS1Jh9xRmawF5k+IzEbw=,tag:B0uncQm5J9T2Q/ZwVrbjug==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1

3
system/default.nix
View file

@ -4,8 +4,7 @@
profile-path profile-path
hardware-configuration hardware-configuration
./modules ./modules
./services # ./podman
./podman
./docker ./docker
./programs.nix ./programs.nix
./user.nix ./user.nix

1
system/docker/default.nix
View file

@ -11,6 +11,5 @@ in
imports = [ imports = [
./caddy.nix ./caddy.nix
./kavita.nix
]; ];
} }

32
system/docker/kavita.nix
View file

@ -1,32 +0,0 @@
{ config, lib, ... }:
let
user = config.profile.user;
docker = config.profile.docker;
volume = "/nas/kavita";
image = "lscr.io/linuxserver/kavita:latest";
gid = toString user.gid;
uid = toString user.uid;
in
{
config = lib.mkIf (docker.enable && docker.kavita.enable) {
system.activationScripts.docker-kavita = ''
mkdir -p ${volume}
chown -R ${user.name}:${gid} ${volume}
'';
virtualisation.oci-containers.containers.kavita = {
inherit image;
environment = {
PUID = uid;
PGID = gid;
TZ = "Asia/Jakarta";
};
ports = [ "5000:5000" ];
autoStart = true;
volumes = [
"${volume}/config:/config"
"${volume}/library:/library"
];
};
};
}

11
system/services/cockpit.nix → system/modules/cockpit.nix
View file

@ -1,16 +1,13 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
cfg = config.profile.services.cockpit; cfg = config.profile.cockpit;
inherit (lib) mkIf;
in in
{ {
config = mkIf cfg.enable { config = lib.mkIf cfg.enable {
environment.systemPackages = mkIf config.profile.podman.enable [ environment.systemPackages = lib.mkIf config.profile.podman.enable [
(pkgs.callPackage ../packages/cockpit-podman.nix { }) (pkgs.callPackage ../packages/cockpit-podman.nix { })
]; ];
services.caddy.virtualHosts."cockpit.tigor.web.id".extraConfig = '' services.udisks2.enable = true;
reverse_proxy 0.0.0.0:9090
'';
services.cockpit = { services.cockpit = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;

1
system/modules/default.nix
View file

@ -7,6 +7,7 @@
./bluetooth.nix ./bluetooth.nix
./boot_loader.nix ./boot_loader.nix
./brightnessctl.nix ./brightnessctl.nix
./cockpit.nix
./flatpak.nix ./flatpak.nix
./font.nix ./font.nix
./gnome.nix ./gnome.nix

4
system/modules/sops.nix
View file

@ -1,6 +1,6 @@
{ config, pkgs, ... }: { pkgs, ... }:
let let
owner = config.profile.user.name; owner = "tigor";
in in
{ {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [

4
system/podman/caddy.nix
View file

@ -31,6 +31,10 @@ in
extraOptions = [ extraOptions = [
"--network=caddy" "--network=caddy"
]; ];
labels = {
"caddy" = "cockpit.tigor.web.id";
"caddy.reverse_proxy" = "hosts.container.internal:9090";
};
}; };
}; };
}; };

2
system/podman/default.nix
View file

@ -4,7 +4,6 @@ let
in in
{ {
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
# services.caddy.enable = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
dive # look into docker image layers dive # look into docker image layers
podman-tui # status of containers in the terminal podman-tui # status of containers in the terminal
@ -29,6 +28,5 @@ in
imports = [ imports = [
./caddy.nix ./caddy.nix
./kavita.nix
]; ];
} }

49
system/podman/kavita.nix
View file

@ -1,49 +0,0 @@
{ config, lib, pkgs, ... }:
let
user = config.profile.user;
podman = config.profile.podman;
volume = "/nas/kavita";
image = "lscr.io/linuxserver/kavita:latest";
gid = toString user.gid;
uid = toString user.uid;
gateway = "10.1.1.1";
subnet = "10.1.1.0/24";
ip = "10.1.1.3";
ip-range = "10.1.1.3/25";
in
{
config = lib.mkIf (podman.enable && podman.kavita.enable) {
services.caddy.virtualHosts."kavita.tigor.web.id".extraConfig = ''
reverse_proxy ${ip}:5000
'';
systemd.services.create-kavita-network = with config.virtualisation.oci-containers; {
serviceConfig.Type = "oneshot";
wantedBy = [ "${backend}-kavita.service" ];
script = ''${pkgs.podman}/bin/podman network exists kavita || ${pkgs.podman}/bin/podman network create --gateway=${gateway} --subnet=${subnet} --ip-range=${ip-range} kavita'';
};
system.activationScripts.docker-kavita = ''
mkdir -p ${volume}
chown -R ${user.name}:${gid} ${volume}
'';
virtualisation.oci-containers.containers.kavita = {
inherit image;
environment = {
PUID = uid;
PGID = gid;
TZ = "Asia/Jakarta";
};
extraOptions = [
"--network=kavita"
"--ip=${ip}"
];
autoStart = true;
volumes = [
"${volume}/config:/config"
"${volume}/library:/library"
];
};
};
}

15
system/services/caddy.nix
View file

@ -1,15 +0,0 @@
{ config, lib, ... }:
let
cfg = config.profile.services.caddy;
inherit (lib) mkIf;
in
{
config = mkIf cfg.enable {
services.caddy = {
enable = true;
extraConfig = ''
import /etc/caddy/sites-enabled/*
'';
};
};
}

9
system/services/default.nix
View file

@ -1,9 +0,0 @@
{ ... }:
{
imports = [
./caddy.nix
./cockpit.nix
./forgejo.nix
./samba.nix
];
}

32
system/services/forgejo.nix
View file

@ -1,32 +0,0 @@
{ config, lib, ... }:
let
cfg = config.profile.services.forgejo;
inherit (lib) mkIf;
in
{
config = mkIf cfg.enable {
services.caddy.virtualHosts."git.tigor.web.id".extraConfig = ''
reverse_proxy * unix//run/forgejo/forgejo.sock
'';
services.forgejo = {
enable = true;
settings = {
server = {
PROTOCOL = "http+unix";
SSH_PORT = 2222;
DOMAIN = "git.tigor.web.id";
HTTP_PORT = 443;
ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}:${toString config.services.forgejo.settings.server.HTTP_PORT}";
};
service = {
DISABLE_REGISTRATION = true;
};
session.COOKIE_SECURE = true;
};
};
networking.firewall.allowedTCPPorts = [ config.services.forgejo.settings.server.SSH_PORT ];
};
}

36
system/services/samba.nix
View file

@ -1,36 +0,0 @@
{ config, lib, ... }:
let
cfg = config.profile.services.samba;
user = config.profile.user;
inherit (lib) mkIf;
in
{
config = mkIf cfg.enable {
services.samba = {
enable = true;
securityType = "user";
openFirewall = true;
extraConfig = ''
workgroup = WORKGROUP
server string = smbnix
netbios name = smbnix
security = user
guest account = ${user.name}
'';
shares = {
nas = {
path = "/nas";
browsable = "yes";
"read only" = "no";
"guest ok" = "yes";
"create mask" = "0777";
"directory mask" = "0777";
};
};
};
services.samba-wsdd = {
enable = true;
openFirewall = true;
};
};
}