From 67823cbed67e77814496f6b24b03643e0fcbdbd3 Mon Sep 17 00:00:00 2001 
From: Nolan Darilek Date: Wed, 18 Dec 2024 18:19:37 -0600 Subject: [PATCH] Initial commit. --- .gitignore | 2 + base.nix | 21 ++ boot-iso.sh | 3 + espeakup.nix | 41 ++++ flake.lock | 298 +++++++++++++++++++++++ flake.nix | 102 ++++++++ hosts/flynode/default.nix | 69 ++++++ hosts/flynode/hardware-configuration.nix | 55 +++++ hosts/hub/apps/dev.nix | 84 +++++++ hosts/hub/apps/nextcloud.nix | 72 ++++++ hosts/hub/default.nix | 137 +++++++++++ hosts/hub/hardware-configuration.nix | 53 ++++ hosts/nixbox/default.nix | 64 +++++ hosts/nixbox/hardware-configuration.nix | 39 +++ iso.nix | 37 +++ make-iso.sh | 3 + roles/authelia.nix | 110 +++++++++ roles/caddy.nix | 10 + roles/espeakup.nix | 5 + roles/flatpak.nix | 7 + roles/games.nix | 18 ++ roles/gnome.nix | 19 ++ roles/gui.nix | 35 +++ roles/k3s.nix | 26 ++ roles/lldap.nix | 25 ++ roles/mate.nix | 19 ++ roles/media-pc.nix | 18 ++ roles/minio.nix | 6 + roles/networkmanager.nix | 3 + roles/nginx.nix | 17 ++ roles/nix-ld.nix | 8 + roles/non-virtual.nix | 7 + roles/pipewire.nix | 14 ++ roles/podman.nix | 7 + roles/portunus.nix | 14 ++ roles/postgres.nix | 20 ++ roles/tailscale.nix | 5 + roles/traefik.nix | 39 +++ roles/vscode-remote.nix | 12 + roles/zfs.nix | 27 ++ secrets/authelia_session.age | 5 + secrets/authelia_storage.age | 5 + secrets/cloudflare_api.age | Bin 0 -> 309 bytes secrets/jwt.age | 6 + secrets/ldap.age | 5 + secrets/nolan.age | 5 + secrets/secrets.nix | 16 ++ users/nolan/default.nix | 37 +++ users/nolan/desktop-minimal.nix | 21 ++ users/nolan/desktop.nix | 56 +++++ users/root.nix | 7 + 51 files changed, 1714 insertions(+) create mode 100644 .gitignore create mode 100644 base.nix create mode 100755 boot-iso.sh create mode 100644 espeakup.nix create mode 100644 flake.lock create mode 100644 flake.nix create mode 100644 hosts/flynode/default.nix create mode 100644 hosts/flynode/hardware-configuration.nix create mode 100644 hosts/hub/apps/dev.nix create mode 100644 hosts/hub/apps/nextcloud.nix create mode 100644 
hosts/hub/default.nix create mode 100644 hosts/hub/hardware-configuration.nix create mode 100644 hosts/nixbox/default.nix create mode 100644 hosts/nixbox/hardware-configuration.nix create mode 100644 iso.nix create mode 100755 make-iso.sh create mode 100644 roles/authelia.nix create mode 100644 roles/caddy.nix create mode 100644 roles/espeakup.nix create mode 100644 roles/flatpak.nix create mode 100644 roles/games.nix create mode 100644 roles/gnome.nix create mode 100644 roles/gui.nix create mode 100644 roles/k3s.nix create mode 100644 roles/lldap.nix create mode 100644 roles/mate.nix create mode 100644 roles/media-pc.nix create mode 100644 roles/minio.nix create mode 100644 roles/networkmanager.nix create mode 100644 roles/nginx.nix create mode 100644 roles/nix-ld.nix create mode 100644 roles/non-virtual.nix create mode 100644 roles/pipewire.nix create mode 100644 roles/podman.nix create mode 100644 roles/portunus.nix create mode 100644 roles/postgres.nix create mode 100644 roles/tailscale.nix create mode 100644 roles/traefik.nix create mode 100644 roles/vscode-remote.nix create mode 100644 roles/zfs.nix create mode 100644 secrets/authelia_session.age create mode 100644 secrets/authelia_storage.age create mode 100644 secrets/cloudflare_api.age create mode 100644 secrets/jwt.age create mode 100644 secrets/ldap.age create mode 100644 secrets/nolan.age create mode 100644 secrets/secrets.nix create mode 100644 users/nolan/default.nix create mode 100644 users/nolan/desktop-minimal.nix create mode 100644 users/nolan/desktop.nix create mode 100644 users/root.nix diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..1b8d10d --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +*.iso +result diff --git a/base.nix b/base.nix new file mode 100644 index 0000000..f4bb7d6 --- /dev/null +++ b/base.nix 
@@ -0,0 +1,21 @@
+{ pkgs, ... }:
+
+{
+ services.openssh.enable = true;
+ security.sudo.wheelNeedsPassword = false;
+ users.mutableUsers = false;
+ nixpkgs.config.allowUnfree = true;
+
+ environment.systemPackages = with pkgs; [
+ file
+ vim
+ curl
+ wget
+ git
+ git-crypt
+ tmux
+ psmisc
+ ];
+
+ environment.variables.EDITOR = "vim";
+}
diff --git a/boot-iso.sh b/boot-iso.sh
new file mode 100755
index 0000000..bf259cf
--- /dev/null
+++ b/boot-iso.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+qemu-system-x86_64 -nographic -smp 4 -m 2048 -audiodev pa,id=Sound -device intel-hda -device hda-output,audiodev=Sound -cdrom result/iso/nixos-*.iso
\ No newline at end of file
diff --git a/espeakup.nix b/espeakup.nix
new file mode 100644
index 0000000..fd10730
--- /dev/null
+++ b/espeakup.nix
@@ -0,0 +1,41 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.services.espeakup;
+ inherit (lib)
+ mkEnableOption
+ mkIf
+ mkPackageOption
+ mkOption
+ types
+ ;
+in
+{
+ options.services.espeakup = {
+ enable = mkEnableOption "Espeakup screen reader";
+ package = mkPackageOption pkgs "espeakup" { };
+ defaultVoice = mkOption {
+ type = types.str;
+ default = "en-gb";
+ description = "Default voice for espeakup";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ boot.kernelModules = [ "speakup_soft" ];
+ systemd.packages = [ pkgs.espeakup ];
+ systemd.services.espeakup = {
+ wantedBy = [ "sound.target" ];
+ environment = {
+ default_voice = cfg.defaultVoice;
+ };
+ serviceConfig = {
+ ExecStartPre = "";
+ };
+ };
+ };
+}
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..5d373b6
--- /dev/null
+++ b/flake.lock
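Review bot: `security.sudo.wheelNeedsPassword = false;` gives every wheel member a no-prompt path to root on every host that imports base.nix, including the internet-facing hub (hosts/hub/default.nix imports ../../base.nix and runs mail, Authelia and Gitea), so a stolen SSH session or a hijacked desktop process on a wheel account is already root. Since `users.mutableUsers = false;` already pins accounts declaratively, consider dropping the line (the option defaults to `true`) or restricting passwordless sudo to the specific commands that need it via `security.sudo.extraRules`. If passwordless sudo is only wanted on the desktop machines, it belongs in the desktop role rather than the shared base.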
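Review bot: The `package` option declared with `mkPackageOption` at the top of espeakup.nix is never read; `systemd.packages = [ pkgs.espeakup ];` hard-codes the package, so anyone overriding `services.espeakup.package` still gets the unit from the default build. Change it to `systemd.packages = [ cfg.package ];`. `ExecStartPre = "";` silently clears whatever pre-start step the upstream unit ships; a one-line comment naming the step being dropped and why would save the next reader a trip to the package source.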
@@ -0,0 +1,298 @@ +{ + "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1723293904, + "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", + "owner": "ryantm", + "repo": "agenix", + "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "blobs": { + "flake": false, + "locked": { + "lastModified": 1604995301, + "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "type": "gitlab" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": 
"nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1733951536, + "narHash": "sha256-Zb5ZCa7Xj+0gy5XVXINTSr71fCfAv+IKtmIXNrykT54=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "1318c3f3b068cdcea922fa7c1a0a1f0c96c22f5f", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-24.11", + "repo": "home-manager", + "type": "github" + } + }, + "nixos-hardware": { + "locked": { + "lastModified": 1733861262, + "narHash": "sha256-+jjPup/ByS0LEVIrBbt7FnGugJgLeG9oc+ivFASYn2U=", + "owner": "NixOS", + "repo": "nixos-hardware", + "rev": "cf737e2eba82b603f54f71b10cb8fd09d22ce3f5", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "master", + "repo": "nixos-hardware", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1703013332, + "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-24_05": { + "locked": { + "lastModified": 1717144377, + "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "805a384895c696f802a9bf5bf4720f37385df547", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-24.05", + "type": "indirect" + } + }, + "nixpkgsUnstable": { + "locked": { + "lastModified": 1733759999, + "narHash": "sha256-463SNPWmz46iLzJKRzO3Q2b0Aurff3U1n0nYItxq7jU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a73246e2eef4c6ed172979932bc80e1404ba2d56", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 
1733808091, + "narHash": "sha256-KWwINTQelKOoQgrXftxoqxmKFZb9pLVfnRvK270nkVk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a0f3e10d94359665dba45b71b4227b0aeb851f8e", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1717602782, + "narHash": "sha256-pL9jeus5QpX5R+9rsp3hhZ+uplVHscNJh8n8VpqscM0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "e8057b67ebf307f01bdcc8fba94d94f75039d1f6", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-unstable", + "type": "indirect" + } + }, + "root": { + "inputs": { + "agenix": "agenix", + "home-manager": "home-manager_2", + "nixos-hardware": "nixos-hardware", + "nixpkgs": "nixpkgs_2", + "nixpkgsUnstable": "nixpkgsUnstable", + "simple-nixos-mailserver": "simple-nixos-mailserver" + } + }, + "simple-nixos-mailserver": { + "inputs": { + "blobs": "blobs", + "flake-compat": "flake-compat", + "nixpkgs": "nixpkgs_3", + "nixpkgs-24_05": "nixpkgs-24_05", + "utils": "utils" + }, + "locked": { + "lastModified": 1718084203, + "narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=", + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "rev": "29916981e7b3b5782dc5085ad18490113f8ff63b", + "type": "gitlab" + }, + "original": { + "owner": "simple-nixos-mailserver", + "ref": "nixos-24.05", + "repo": "nixos-mailserver", + "type": "gitlab" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + 
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "utils": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1709126324, + "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "d465f4819400de7c8d874d50b982301f28a84605", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..6e44ca5 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,102 @@
+{
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+ nixpkgsUnstable.url = "github:NixOS/nixpkgs/nixos-unstable";
+ nixos-hardware.url = "github:NixOS/nixos-hardware/master";
+ home-manager = {
+ url = "github:nix-community/home-manager/release-24.11";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ agenix.url = "github:ryantm/agenix";
+ simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
+ };
+
+ outputs =
+ {
+ nixpkgs,
+ nixpkgsUnstable,
+ home-manager,
+ nixos-hardware,
+ agenix,
+ simple-nixos-mailserver,
+ ...
+ }:
+ let
+ system = "x86_64-linux";
+ overlayUnstable = final: prev: {
+ unstable = import nixpkgsUnstable {
+ inherit system;
+ config.allowUnfree = true;
+ };
+ };
+ in
+ {
+ nixosConfigurations = {
+ nixbox = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ agenix.nixosModules.default
+ {
+ environment.systemPackages = [ agenix.packages.${system}.default ];
+ }
+ (
+ { config, pkgs, ... }:
+ {
+ nixpkgs.overlays = [ overlayUnstable ];
+ }
+ )
+ home-manager.nixosModules.home-manager
+ {
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ }
+ ./hosts/nixbox
+ ];
+ };
+ flynode = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ agenix.nixosModules.default
+ {
+ environment.systemPackages = [ agenix.packages.${system}.default ];
+ }
+ (
+ { config, pkgs, ... }:
+ {
+ nixpkgs.overlays = [ overlayUnstable ];
+ }
+ )
+ nixos-hardware.nixosModules.lenovo-thinkpad-z13-gen1
+ home-manager.nixosModules.home-manager
+ {
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ }
+ ./hosts/flynode
+ ];
+ };
+ thewordnerd = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ agenix.nixosModules.default
+ {
+ environment.systemPackages = [ agenix.packages.${system}.default ];
+ }
+ (
+ { config, pkgs, ... }:
+ {
+ nixpkgs.overlays = [ overlayUnstable ];
+ }
+ )
+ home-manager.nixosModules.home-manager
+ {
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ }
+ simple-nixos-mailserver.nixosModule
+ ./hosts/hub
+ ];
+ };
+ };
+ };
+}
diff --git a/hosts/flynode/default.nix b/hosts/flynode/default.nix
new file mode 100644
index 0000000..c4474a7
--- /dev/null
+++ b/hosts/flynode/default.nix
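Review bot: The `agenix` input does not follow the flake's own `nixpkgs`, and flake.lock shows the cost: agenix pins its own `nixpkgs` (a nixos-unstable revision from December 2023), `home-manager` and `darwin`, and `agenix.packages.${system}.default` is built from that older tree on all three hosts. Declare it the way home-manager already is: `agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; inputs.home-manager.follows = "home-manager"; };`. As a style point, the agenix module, the agenix package module, the overlay module and the home-manager pair are repeated verbatim in all three `nixosSystem` calls; a `commonModules` list in the `let` block, joined with `++` into each `modules`, would leave only the per-host differences visible.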
@@ -0,0 +1,69 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ../../roles/zfs.nix
+ ../../base.nix
+ ../../users/root.nix
+ ../../users/nolan/desktop.nix
+ ../../roles/espeakup.nix
+ ../../roles/networkmanager.nix
+ ../../roles/nix-ld.nix
+ ../../roles/tailscale.nix
+ ../../roles/podman.nix
+ ../../roles/mate.nix
+ ../../roles/flatpak.nix
+ ../../roles/games.nix
+ ];
+
+ boot.loader.grub = {
+ enable = true;
+ zfsSupport = true;
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ mirroredBoots = [
+ {
+ devices = [ "nodev" ];
+ path = "/boot";
+ }
+ ];
+ };
+
+ networking = {
+ hostName = "flynode";
+ hostId = "9dfa34d8";
+ };
+
+ time.timeZone = "America/Chicago";
+
+ i18n.defaultLocale = "en_US.UTF-8";
+ console.keyMap = "us";
+
+ # Enable the Flakes feature and the accompanying new nix command-line tool
+ nix.settings.experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+
+ # This option defines the first version of NixOS you have installed on this particular machine,
+ # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+ #
+ # Most users should NEVER change this value after the initial install, for any reason,
+ # even if you've upgraded your system to a new NixOS release.
+ #
+ # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+ # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+ # to actually do that.
+ #
+ # This value being lower than the current NixOS release does NOT mean your system is
+ # out of date, out of support, or vulnerable.
+ #
+ # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+ # and migrated your data accordingly.
+ #
+ # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+ system.stateVersion = "24.05"; # Did you read the comment?
+}
diff --git a/hosts/flynode/hardware-configuration.nix b/hosts/flynode/hardware-configuration.nix
new file mode 100644
index 0000000..d0378b7
--- /dev/null
+++ b/hosts/flynode/hardware-configuration.nix
@@ -0,0 +1,55 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "zpool/root"; + fsType = "zfs"; + }; + + fileSystems."/nix" = + { device = "zpool/nix"; + fsType = "zfs"; + }; + + fileSystems."/var" = + { device = "zpool/var"; + fsType = "zfs"; + }; + + fileSystems."/home" = + { device = "zpool/home"; + fsType = "zfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/0642-E087"; + fsType = "vfat"; + options = [ "fmask=0022" "dmask=0022" ]; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/c9a2faf8-4e35-4946-a70f-c84d0fa359df"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp1s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/hub/apps/dev.nix b/hosts/hub/apps/dev.nix new file mode 100644 index 0000000..c6d576a --- /dev/null +++ b/hosts/hub/apps/dev.nix 
@@ -0,0 +1,84 @@
+{
+ services = {
+ postgresql = {
+ ensureDatabases = [ "dev" ];
+ ensureUsers = [
+ {
+ name = "dev";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+ authelia.instances.main.settings.access_control.rules = [
+ {
+ domain = "dev.thewordnerd.info";
+ policy = "bypass";
+ }
+ ];
+ };
+
+ containers.dev = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = "192.168.0.1";
+ localAddress = "192.168.0.2";
+ config =
+ {
+ config,
+ pkgs,
+ lib,
+ ...
+ }:
+ {
+ services.gitea = {
+ enable = true;
+ appName = "Nolan's projects";
+ settings = {
+ server = {
+ ROOT_URL = "https://dev.thewordnerd.info";
+ DOMAIN = "dev.thewordnerd.info";
+ DISABLE_SSH = true;
+ LANDING_PAGE = "explore";
+ };
+ service = {
+ DISABLE_REGISTRATION = true;
+ # ENABLE_REVERSE_PROXY_AUTHENTICATION = true;
+ # ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = true;
+ };
+ security = {
+ REVERSE_PROXY_AUTHENTICATION_USER = "Remote-User";
+ REVERSE_PROXY_AUTHENTICATION_EMAIL = "Remote-Email";
+ REVERSE_PROXY_AUTHENTICATION_FULL_NAME = "Remote-Name";
+ REVERSE_PROXY_TRUSTED_PROXIES = "192.168.0.0/24";
+ };
+ };
+ lfs.enable = true;
+ database = {
+ type = "postgres";
+ name = "dev";
+ user = "dev";
+ socket = "/run/postgresql";
+ createDatabase = false;
+ };
+ };
+ networking = {
+ firewall.allowedTCPPorts = [ 3000 ];
+ useHostResolvConf = lib.mkForce false;
+ };
+ services.resolved.enable = true;
+ };
+ bindMounts = {
+ "/run/postgresql/.s.PGSQL.5432" = {
+ hostPath = "/run/postgresql/.s.PGSQL.5432";
+ };
+ };
+ };
+
+ services.caddy.virtualHosts."dev.thewordnerd.info".extraConfig = ''
+ forward_auth localhost:9091 {
+ uri /api/authz/forward-auth
+ copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+ }
+ reverse_proxy dev:3000
+ '';
+}
diff --git a/hosts/hub/apps/nextcloud.nix b/hosts/hub/apps/nextcloud.nix
new file mode 100644
index 0000000..6a2ca7e
--- /dev/null
+++ b/hosts/hub/apps/nextcloud.nix
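Review bot: `REVERSE_PROXY_TRUSTED_PROXIES = "192.168.0.0/24";` trusts the whole container subnet for identity headers, but the only proxy that reaches Gitea is the host at 192.168.0.1; any other container on the same `ve-` network (nextcloud sits at 192.168.0.3 in apps/nextcloud.nix) would also be accepted as a source of `Remote-User`. It is dormant while the two `ENABLE_REVERSE_PROXY_*` lines stay commented out, but narrow it now so enabling them later does not widen trust by accident: `REVERSE_PROXY_TRUSTED_PROXIES = "192.168.0.1";`. Note also that the Authelia rule for this domain is `policy = "bypass"`, so `forward_auth` will not populate `Remote-User` for anyone; header-based login only becomes meaningful once that rule is `one_factor`, which is presumably the plan behind the commented lines.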
@@ -0,0 +1,72 @@
+{
+ services.postgresql = {
+ ensureDatabases = [ "nextcloud" ];
+ ensureUsers = [
+ {
+ name = "nextcloud";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+
+ containers.nextcloud = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = "192.168.0.1";
+ localAddress = "192.168.0.3";
+ config =
+ {
+ config,
+ pkgs,
+ lib,
+ ...
+ }:
+ {
+ environment.etc."nextcloud-admin-pass".text = "admin";
+ nixpkgs.config.allowUnfree = true;
+ services = {
+ nextcloud = {
+ enable = true;
+ hostName = "nextcloud.thewordnerd.info";
+ package = pkgs.nextcloud30;
+ configureRedis = true;
+ maxUploadSize = "16G";
+ autoUpdateApps.enable = true;
+ notify_push.enable = true;
+ webfinger = true;
+ settings = {
+ overwriteprotocol = "https";
+ trusted_proxies = [ "192.168.0.1" ];
+ default_phone_region = "US";
+ };
+ config = {
+ dbtype = "pgsql";
+ dbhost = "/run/postgresql";
+ adminpassFile = "/etc/nextcloud-admin-pass";
+ };
+ };
+ onlyoffice = {
+ enable = true;
+ hostname = "onlyoffice.thewordnerd.info";
+ };
+ resolved.enable = true;
+ };
+ networking = {
+ firewall.allowedTCPPorts = [ 80 ];
+ useHostResolvConf = lib.mkForce false;
+ };
+ virtualisation.podman = {
+ enable = true;
+ dockerCompat = true;
+ dockerSocket.enable = true;
+ };
+ };
+ bindMounts = {
+ "/run/postgresql/.s.PGSQL.5432" = {
+ hostPath = "/run/postgresql/.s.PGSQL.5432";
+ };
+ };
+ };
+
+ services.caddy.virtualHosts."nextcloud.thewordnerd.info".extraConfig = ''reverse_proxy nextcloud'';
+}
diff --git a/hosts/hub/default.nix b/hosts/hub/default.nix
new file mode 100644
index 0000000..add4ca3
--- /dev/null
+++ b/hosts/hub/default.nix
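Review bot: `environment.etc."nextcloud-admin-pass".text = "admin";` puts the Nextcloud admin password into the Nix store, which is world-readable, and into git history, while `adminpassFile` only needs a path the `nextcloud` user can read. The host already manages secrets with agenix (`age.secrets.cloudflareApi` in hosts/hub/default.nix), so declare an age secret on the host, add its path to the container's `bindMounts` next to the PostgreSQL socket, and point `adminpassFile` at the mounted path. If the instance has already been installed with this value, rotate the admin password inside Nextcloud as well, since the file is read at initial setup (as far as I recall) and the committed value is already public.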
@@ -0,0 +1,137 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ config, ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ../../roles/zfs.nix
+ ../../base.nix
+ ../../users/root.nix
+ ../../roles/tailscale.nix
+ ../../roles/lldap.nix
+ ../../roles/authelia.nix
+ ../../roles/podman.nix
+ ../../roles/minio.nix
+ ../../roles/caddy.nix
+ ../../roles/vscode-remote.nix
+ ../../roles/postgres.nix
+ ./apps/dev.nix
+ ./apps/nextcloud.nix
+ ];
+
+ boot.loader.grub = {
+ enable = true;
+ zfsSupport = true;
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ mirroredBoots = [
+ {
+ devices = [ "nodev" ];
+ path = "/boot";
+ }
+ ];
+ };
+
+ networking = {
+ hostName = "thewordnerd";
+ hostId = "91312b0a";
+ nat = {
+ enable = true;
+ internalInterfaces = [ "ve-+" ];
+ externalInterface = "enp5s0";
+ enableIPv6 = true;
+ };
+ };
+
+ services.openssh.openFirewall = false;
+
+ time.timeZone = "America/Chicago";
+
+ i18n.defaultLocale = "en_US.UTF-8";
+ console.keyMap = "us";
+
+ # Enable the Flakes feature and the accompanying new nix command-line tool
+ nix.settings.experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+
+ age.secrets.cloudflareApi.file = ../../secrets/cloudflare_api.age;
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "nolan@thewordnerd.info";
+ certs."thewordnerd.info" = {
+ domain = "*.thewordnerd.info";
+ dnsProvider = "cloudflare";
+ environmentFile = config.age.secrets.cloudflareApi.path;
+ };
+ certs."hub.thewordnerd.info" = {
+ dnsProvider = "cloudflare";
+ environmentFile = config.age.secrets.cloudflareApi.path;
+ };
+ };
+
+ age.secrets.ldap.file = ../../secrets/ldap.age;
+ mailserver = {
+ enable = true;
+ fqdn = "thewordnerd.info";
+ domains = [
+ "thewordnerd.info"
+ "lightsout.games"
+ ];
+ ldap = {
+ enable = true;
+ uris = [ "ldap://localhost:3890" ];
+ bind = {
+ dn = "uid=service,ou=people,dc=thewordnerd,dc=info";
+ passwordFile = config.age.secrets.ldap.path;
+ };
+ searchBase = "ou=people,dc=thewordnerd,dc=info";
+ };
+ certificateScheme = "acme";
+ enableManageSieve = true;
+ fullTextSearch = {
+ enable = true;
+ # index new email as they arrive
+ autoIndex = true;
+ # this only applies to plain text attachments, binary attachments are never indexed
+ indexAttachments = true;
+ enforced = "body";
+ };
+ };
+
+ services.caddy.virtualHosts."users.thewordnerd.info".extraConfig =
+ ''reverse_proxy localhost:17170'';
+
+ services.caddy.virtualHosts."auth.thewordnerd.info".extraConfig = ''
+ reverse_proxy localhost:9091
+ '';
+
+ services.caddy.virtualHosts."www.thewordnerd.info".extraConfig = ''
+ file_server
+ root * /var/www/thewordnerd.info
+ header /.well-known/matrix/* content-type application/json
+ '';
+
+ # This option defines the first version of NixOS you have installed on this particular machine,
+ # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+ #
+ # Most users should NEVER change this value after the initial install, for any reason,
+ # even if you've upgraded your system to a new NixOS release.
+ #
+ # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+ # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+ # to actually do that.
+ #
+ # This value being lower than the current NixOS release does NOT mean your system is
+ # out of date, out of support, or vulnerable.
+ #
+ # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+ # and migrated your data accordingly.
+ #
+ # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+ system.stateVersion = "24.11"; # Did you read the comment?
+} diff --git a/hosts/hub/hardware-configuration.nix b/hosts/hub/hardware-configuration.nix new file mode 100644 index 0000000..f5be4cb --- /dev/null +++ b/hosts/hub/hardware-configuration.nix @@ -0,0 +1,53 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "zpool/root"; + fsType = "zfs"; + }; + + fileSystems."/nix" = + { device = "zpool/nix"; + fsType = "zfs"; + }; + + fileSystems."/var" = + { device = "zpool/var"; + fsType = "zfs"; + }; + + fileSystems."/home" = + { device = "zpool/home"; + fsType = "zfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/8ADD-D5B1"; + fsType = "vfat"; + options = [ "fmask=0022" "dmask=0022" ]; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp5s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/nixbox/default.nix b/hosts/nixbox/default.nix new file mode 100644 index 0000000..efbbfa2 --- /dev/null +++ b/hosts/nixbox/default.nix 
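Review bot: The ACME certificate keyed `thewordnerd.info` only requests `domain = "*.thewordnerd.info"`, and a wildcard does not cover the apex, yet `mailserver.fqdn = "thewordnerd.info"` with `certificateScheme = "acme"`; if the mailserver module serves the certificate from that `security.acme.certs` entry (I believe it does, but confirm against the module), SMTP/IMAP clients connecting to the apex will see a name mismatch. Adding `extraDomainNames = [ "thewordnerd.info" ];` to that cert covers both names with one issuance. Separately, `age.secrets.ldap.file` is declared here while the same secret's `mode`/`group` live in roles/authelia.nix; a host that imports the role without this file declaration fails to evaluate, so declaring `file` next to the permissions in the role would keep the secret self-contained.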
@@ -0,0 +1,64 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ../../base.nix
+ ../../users/root.nix
+ ../../users/nolan/desktop-minimal.nix
+ ../../roles/espeakup.nix
+ ../../roles/networkmanager.nix
+ ../../roles/tailscale.nix
+ ../../roles/minio.nix
+ ../../roles/vscode-remote.nix
+ ../../roles/mate.nix
+ ../../roles/media-pc.nix
+ ];
+
+ services.minio = {
+ enable = true;
+ };
+
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "nixbox";
+
+ time.timeZone = "America/Chicago";
+
+ i18n.defaultLocale = "en_US.UTF-8";
+ console.keyMap = "us";
+
+ # Enable the Flakes feature and the accompanying new nix command-line tool
+ nix.settings.experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+
+ services.mediaPC = {
+ enable = true;
+ autoLoginUser = "nolan";
+ };
+
+ # This option defines the first version of NixOS you have installed on this particular machine,
+ # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+ #
+ # Most users should NEVER change this value after the initial install, for any reason,
+ # even if you've upgraded your system to a new NixOS release.
+ #
+ # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+ # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+ # to actually do that.
+ #
+ # This value being lower than the current NixOS release does NOT mean your system is
+ # out of date, out of support, or vulnerable.
+ #
+ # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+ # and migrated your data accordingly.
+ #
+ # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+ system.stateVersion = "24.05"; # Did you read the comment?
+}
diff --git a/hosts/nixbox/hardware-configuration.nix b/hosts/nixbox/hardware-configuration.nix
new file mode 100644
index 0000000..b981b65
--- /dev/null
+++ b/hosts/nixbox/hardware-configuration.nix
@@ -0,0 +1,39 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/a0df6959-f878-48d0-aabe-5f46915c1921"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/7EEE-698D"; + fsType = "vfat"; + options = [ "fmask=0077" "dmask=0077" ]; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp89s0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlo1.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/iso.nix b/iso.nix new file mode 100644 index 0000000..70b8b28 --- /dev/null +++ b/iso.nix 
@@ -0,0 +1,37 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+
+
+ # Provide an initial copy of the NixOS channel so that the user
+ # doesn't need to run "nix-channel --update" first.
+
+ ./espeakup.nix
+ ];
+
+ # Added to support `-nographic` for text console access via qemu
+ boot.kernelParams = [ "console=ttyS0,115200" ];
+
+ # System-wide Pipewire for Espeakup
+ sound.enable = true;
+ services.pipewire = {
+ enable = true;
+ systemWide = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ };
+
+ services.espeakup.enable = true;
+
+ # Set up SSH access
+ systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ];
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPk6C4eOYzTZ8XOuUA2tErGnSTLS/l9kRDl9+5Ql+m7VtaH/KRFbu6x+C0QAIKOrRcQOjpGYUjL1aIn0HCcoEW2PSihDmOHC+W8cy8ucScy4fPI5KpFFqTZU336Fje+NS4n587gcoaa5LjKcr2KZy/ljgzl4eNSRIqy85khfH4puxsj7LwTIqsZoqDhtD/jSqaKP1C2wuYSsijLF85UnRcT9jErnL757yUv/4xb4Is+gB0zan9GiBXRca4lzb0mY8rmMXmKhc2lm/mu8ogZRdYX5R2JP1AukzYGSdOFs4iUauihgvakuou9AugD2CC+ygYIEbWkUjwKfT9nRN93Qi9 id_rsa"
+ ];
+
+ # Not sure if this does anything, but may make the system easier to find on
+ # the network
+ services.avahi.enable = true;
+}
diff --git a/make-iso.sh b/make-iso.sh
new file mode 100755
index 0000000..a64d04b
--- /dev/null
+++ b/make-iso.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+nix-build '' -A config.system.build.isoImage -I nixos-config=iso.nix
\ No newline at end of file
diff --git a/roles/authelia.nix b/roles/authelia.nix
new file mode 100644
index 0000000..200b7ae
--- /dev/null
+++ b/roles/authelia.nix
@@ -0,0 +1,110 @@
+{ config, ... }:
+
+{
+ age.secrets = {
+ ldap = {
+ mode = "440";
+ group = "authelia-main";
+ };
+ jwt = {
+ file = ../secrets/jwt.age;
+ owner = "authelia-main";
+ group = "authelia-main";
+ mode = "440";
+ };
+ autheliaSession = {
+ file = ../secrets/authelia_session.age;
+ owner = "authelia-main";
+ group = "authelia-main";
+ mode = "440";
+ };
+ autheliaStorageEncryptionKey = {
+ file = ../secrets/authelia_storage.age;
+ owner = "authelia-main";
+ group = "authelia-main";
+ mode = "440";
+ };
+ };
+ services = {
+ postgresql = {
+ ensureDatabases = [ "authelia" ];
+ ensureUsers = [
+ {
+ name = "authelia";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+ authelia.instances.main = {
+ enable = true;
+ secrets = {
+ jwtSecretFile = config.age.secrets.jwt.path;
+ sessionSecretFile = config.age.secrets.autheliaSession.path;
+ storageEncryptionKeyFile = config.age.secrets.autheliaStorageEncryptionKey.path;
+ };
+ environmentVariables = {
+ AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.age.secrets.ldap.path;
+ };
+ settings = {
+ authentication_backend = {
+ password_reset.disable = false;
+ refresh_interval = "1m";
+
+ ldap = {
+ implementation = "custom";
+ address = "ldap://localhost:3890";
+ timeout = "5s";
+ start_tls = false;
+ base_dn = "dc=thewordnerd,dc=info";
+ additional_users_dn = "ou=people";
+ users_filter = "(&({username_attribute}={input})(objectClass=person))";
+ additional_groups_dn = "ou=groups";
+ groups_filter = "(member={dn})";
+ user = "uid=service,ou=people,dc=thewordnerd,dc=info";
+ attributes = {
+ username = "uid";
+ display_name = "displayName";
+ group_name = "cn";
+ mail = "mail";
+ };
+ };
+ };
+ storage = {
+ postgres = {
+ address = "/run/postgresql";
+ database = "authelia";
+ username = "authelia";
+ password = "trusted";
+ };
+ };
+ access_control = {
+ rules = [
+ {
+ domain = "*.thewordnerd.info";
+ policy = "one_factor";
+ }
+ ];
+ };
+ session = {
+ cookies = [
+ {
+ domain = "thewordnerd.info";
+ authelia_url = "https://auth.thewordnerd.info";
+ }
+ ];
+ };
+ notifier = {
+ filesystem = {
+ filename = "/tmp/authelia.txt";
+ };
+ };
+ server.endpoints.authz.forward-auth.implementation = "ForwardAuth";
+ };
+ };
+ caddy.globalConfig = ''
+ servers {
+ trusted_proxies static 192.168.0.1
+ }
+ '';
+ };
+}
diff --git a/roles/caddy.nix b/roles/caddy.nix
new file mode 100644
index 0000000..b20d1c9
--- /dev/null
+++ b/roles/caddy.nix
@@ -0,0 +1,10 @@
+{
+ services.caddy = {
+ enable = true;
+ email = "nolan@thewordnerd.info";
+ };
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+}
diff --git a/roles/espeakup.nix b/roles/espeakup.nix
new file mode 100644
index 0000000..612bb39
--- /dev/null
+++ b/roles/espeakup.nix
@@ -0,0 +1,5 @@
+{
+ imports = [ ../espeakup.nix ];
+
+ services.espeakup.enable = true;
+}
diff --git a/roles/flatpak.nix b/roles/flatpak.nix
new file mode 100644
index 0000000..5014f01
--- /dev/null
+++ b/roles/flatpak.nix
@@ -0,0 +1,7 @@
+{
+ services.flatpak.enable = true;
+ xdg.portal.enable = true;
+ environment.profileRelativeSessionVariables.PATH = [
+ "$HOME/.local/share/flatpak/exports/bin"
+ ];
+}
\ No newline at end of file
diff --git a/roles/games.nix b/roles/games.nix
new file mode 100644
index 0000000..ec084be
--- /dev/null
+++ b/roles/games.nix
@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+
+{
+ imports = [
+ ./nix-ld.nix
+ ];
+
+ programs.steam = {
+ enable = true;
+ remotePlay.openFirewall = true;
+ localNetworkGameTransfers.openFirewall = true;
+ };
+
+ environment.systemPackages = with pkgs; [
+ steam-tui
+ steamcmd
+ ];
+}
diff --git a/roles/gnome.nix b/roles/gnome.nix
new file mode 100644
index 0000000..5fcf467
--- /dev/null
+++ b/roles/gnome.nix
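Review bot: `age.secrets.ldap` at the top of roles/authelia.nix sets only `mode` and `group` and, unlike its three siblings, has no `file = ../secrets/ldap.age;`, so the bind password Authelia reads through `AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE` is undefined unless another module in this commit supplies it; adding `file = ../secrets/ldap.age;` here makes the role self-contained. The notifier writes to `/tmp/authelia.txt` while `password_reset.disable = false`, so password-reset links are dropped into a directory shared with every local user unless the unit sandboxes its tmp; a path under the service's state directory, or a comment such as `# dev-only notifier: reset links land in this file, move it off /tmp before exposing the portal`, would record that. `storage.postgres.password = "trusted"` is a literal that ends up in the Nix store and only works because the unix-socket connection relies on the `trust`/`peer` rules in roles/postgres.nix; a one-line comment saying the value is unused would stop a reader treating it as a real credential.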
@@ -0,0 +1,19 @@
+{ pkgs, ... }:
+
+{
+
+ imports = [
+ ./gui.nix
+ ];
+
+ services = {
+ xserver.desktopManager.gnome.enable = true;
+ gnome.gnome-browser-connector.enable = true;
+ };
+
+ programs.gnome-terminal.enable = true;
+ environment.gnome.excludePackages = with pkgs; [
+ gnome-console
+ gnome-tour
+ ];
+}
diff --git a/roles/gui.nix b/roles/gui.nix
new file mode 100644
index 0000000..ee1f73e
--- /dev/null
+++ b/roles/gui.nix
@@ -0,0 +1,35 @@
+{ pkgs, ... }:
+
+{
+
+ imports = [
+ ./pipewire.nix
+ ./non-virtual.nix
+ ];
+
+ services = {
+ orca = {
+ enable = true;
+ package = pkgs.unstable.orca;
+ };
+ xserver = {
+ enable = true;
+ xkb.layout = "us";
+ displayManager.lightdm = {
+ enable = true;
+ greeters.gtk = {
+ extraConfig = ''
+ a11y-states = +reader
+ reader = orca
+ '';
+ };
+ };
+ excludePackages = [ pkgs.xterm ];
+ };
+ };
+
+ users.users.lightdm.extraGroups = [
+ "pipewire"
+ "pulse-access"
+ ];
+}
diff --git a/roles/k3s.nix b/roles/k3s.nix
new file mode 100644
index 0000000..e2fbb26
--- /dev/null
+++ b/roles/k3s.nix
@@ -0,0 +1,26 @@
+{ config, pkgs, ... }:
+
+{
+ networking.firewall = {
+ allowedTCPPorts = [
+ 6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
+ # 2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration
+ # 2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration
+ ];
+ # allowedUDPPorts = [
+ # 8472 # k3s, flannel: required if using multi-node for inter-node networking
+ # ];
+ };
+ services.k3s = {
+ enable = true;
+ role = "server";
+ };
+ environment.systemPackages = [ pkgs.nfs-utils ];
+ services.openiscsi = {
+ enable = true;
+ name = "${config.networking.hostName}-initiatorhost";
+ };
+ systemd.tmpfiles.rules = [
+ "L+ /usr/local/bin - - - - /run/current-system/sw/bin/"
+ ];
+}
diff --git a/roles/lldap.nix b/roles/lldap.nix
new file mode 100644
index 0000000..b8c2207
--- /dev/null
+++ b/roles/lldap.nix
@@ -0,0 +1,25 @@
+{
+ services = {
+ postgresql = {
+ ensureDatabases = [ "lldap" ];
+ ensureUsers = [
+ {
+ name = "lldap";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+ lldap = {
+ enable = true;
+ settings = {
+ ldap_user_email = "nolan@thewordnerd.info";
+ ldap_base_dn = "dc=thewordnerd,dc=info";
+ http_url = "https://users.thewordnerd.info";
+ database_url = "postgres://lldap@localhost/lldap";
+ };
+ };
+ };
+ networking.firewall.interfaces."ve-+".allowedTCPPorts = [
+ 3890
+ ];
+}
diff --git a/roles/mate.nix b/roles/mate.nix
new file mode 100644
index 0000000..2e376fc
--- /dev/null
+++ b/roles/mate.nix
@@ -0,0 +1,19 @@
+{ pkgs, ... }:
+
+{
+
+ imports = [
+ ./gui.nix
+ ];
+
+ hardware.bluetooth.enable = true;
+ services = {
+ xserver.desktopManager.mate.enable = true;
+ blueman.enable = true;
+ };
+
+ programs.nm-applet = {
+ enable = true;
+ indicator = false;
+ };
+}
diff --git a/roles/media-pc.nix b/roles/media-pc.nix
new file mode 100644
index 0000000..f8ec3d1
--- /dev/null
+++ b/roles/media-pc.nix
@@ -0,0 +1,18 @@
+{ config, lib, ... }:
+
+{
+ options.services.mediaPC = {
+ enable = lib.mkEnableOption "Media PC";
+ autoLoginUser = lib.mkOption {
+ type = lib.types.str;
+ description = "User to autologin as";
+ };
+ };
+
+ config = lib.mkIf config.services.mediaPC.enable {
+ programs.firefox = {
+ enable = true;
+ # package = pkgs.firefox.override { nativeMessagingHosts = [ pkgs.gnome-browser-connector ]; };
+ };
+ };
+}
diff --git a/roles/minio.nix b/roles/minio.nix
new file mode 100644
index 0000000..38dd103
--- /dev/null
+++ b/roles/minio.nix
@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+
+{
+ services.minio.enable = true;
+ environment.systemPackages = with pkgs; [ minio-client ];
+}
diff --git a/roles/networkmanager.nix b/roles/networkmanager.nix
new file mode 100644
index 0000000..f29d881
--- /dev/null
+++ b/roles/networkmanager.nix
@@ -0,0 +1,3 @@
+{
+ networking.networkmanager.enable = true;
+}
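Review bot: `options.services.mediaPC.autoLoginUser` in roles/media-pc.nix is declared with no default and is never read in the `config` block, so any host that enables `services.mediaPC` is forced to set a value that has no effect. Either consume it (for example `services.displayManager.autoLogin.user = config.services.mediaPC.autoLoginUser;` — confirm the option path for this nixpkgs) or drop the option until it is used. The commented-out `pkgs.firefox.override …` line also references `pkgs`, which is not in this module's `{ config, lib, ... }:` argument set, so uncommenting it as-is would fail to evaluate.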
diff --git a/roles/nginx.nix b/roles/nginx.nix
new file mode 100644
index 0000000..dffe1e6
--- /dev/null
+++ b/roles/nginx.nix
@@ -0,0 +1,17 @@
+{
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ };
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "nolan@thewordnerd.info";
+ };
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+}
diff --git a/roles/nix-ld.nix b/roles/nix-ld.nix
new file mode 100644
index 0000000..f3a4221
--- /dev/null
+++ b/roles/nix-ld.nix
@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+
+{
+ programs.nix-ld = {
+ enable = true;
+ package = pkgs.nix-ld-rs;
+ };
+}
diff --git a/roles/non-virtual.nix b/roles/non-virtual.nix
new file mode 100644
index 0000000..e74f8e0
--- /dev/null
+++ b/roles/non-virtual.nix
@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+{
+ environment.systemPackages = with pkgs; [
+ usbutils
+ pciutils
+ ];
+}
diff --git a/roles/pipewire.nix b/roles/pipewire.nix
new file mode 100644
index 0000000..4f3a1a3
--- /dev/null
+++ b/roles/pipewire.nix
@@ -0,0 +1,14 @@
+{
+ hardware.pulseaudio.enable = false;
+
+ security.rtkit.enable = true;
+
+ services.pipewire = {
+ enable = true;
+ systemWide = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ jack.enable = true;
+ };
+}
diff --git a/roles/podman.nix b/roles/podman.nix
new file mode 100644
index 0000000..d7453a9
--- /dev/null
+++ b/roles/podman.nix
@@ -0,0 +1,7 @@
+{
+ virtualisation.podman = {
+ enable = true;
+ dockerCompat = true;
+ dockerSocket.enable = true;
+ };
+}
diff --git a/roles/portunus.nix b/roles/portunus.nix
new file mode 100644
index 0000000..fdc3611
--- /dev/null
+++ b/roles/portunus.nix
@@ -0,0 +1,14 @@
+{
+ services = {
+ portunus = {
+ enable = true;
+ domain = "users.thewordnerd.info";
+ ldap = {
+ suffix = "dc=thewordnerd,dc=info";
+ };
+ };
+ };
+ networking.firewall.interfaces."ve-+".allowedTCPPorts = [
+ 389
+ ];
+}
diff --git a/roles/postgres.nix b/roles/postgres.nix
new file mode 100644
index 0000000..51a6b75
--- /dev/null
+++ b/roles/postgres.nix
@@ -0,0 +1,20 @@
+{ pkgs, ... }:
+
+{
+ services.postgresql = {
+ enable = true;
+ identMap = ''
+ # ArbitraryMapName systemUser DBUser
+ superuser_map root postgres
+ superuser_map postgres postgres
+ # Let other names login as themselves
+ superuser_map /^(.*)$ \1
+ '';
+ authentication = pkgs.lib.mkOverride 10 ''
+ local all postgres peer map=superuser_map
+ local sameuser all trust
+ host all all 127.0.0.1/32 trust
+ host all all ::1/128 trust
+ '';
+ };
+}
diff --git a/roles/tailscale.nix b/roles/tailscale.nix
new file mode 100644
index 0000000..ccd9e7a
--- /dev/null
+++ b/roles/tailscale.nix
@@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+
+{
+ services.tailscale.enable = true;
+}
\ No newline at end of file
diff --git a/roles/traefik.nix b/roles/traefik.nix
new file mode 100644
index 0000000..c608714
--- /dev/null
+++ b/roles/traefik.nix
@@ -0,0 +1,39 @@
+{ config, ... }:
+
+{
+ services.traefik = {
+ enable = true;
+ staticConfigOptions = {
+ providers = {
+ docker = { };
+ };
+ entryPoints = {
+ web = {
+ address = ":80";
+ asDefault = true;
+ http.redirections.entrypoint = {
+ to = "websecure";
+ scheme = "https";
+ };
+ };
+
+ websecure = {
+ address = ":443";
+ asDefault = true;
+ http.tls.certResolver = "letsencrypt";
+ };
+ };
+
+ certificatesResolvers.letsencrypt.acme = {
+ email = "nolan@thewordnerd.info";
+ storage = "${config.services.traefik.dataDir}/acme.json";
+ httpChallenge.entryPoint = "web";
+ };
+ };
+ };
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+ users.users.traefik.extraGroups = [ "podman" ];
+}
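Review bot: `host all all 127.0.0.1/32 trust` and `host all all ::1/128 trust` in roles/postgres.nix let any local process connect over TCP as any role — including `postgres` — with no credential, and `local sameuser all trust` does the same on the socket for same-named users. The passwordless `postgres://lldap@localhost/lldap` URL in roles/lldap.nix only works because of these rules, so the dependency between the two roles is implicit and would silently break, or silently stay open, if either changes. Prefer `host all all 127.0.0.1/32 scram-sha-256` / `host all all ::1/128 scram-sha-256` with per-service passwords from age secrets, or point the TCP clients at `/run/postgresql` so `peer` applies; if loopback trust is kept deliberately, a comment such as `# trust on loopback: every local account is effectively a DB superuser; single-admin host only` should say so next to the rule.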
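Review bot: `providers.docker = { };` in roles/traefik.nix leaves Traefik's `exposedByDefault` at its default of true, so every container visible on the socket is published as a router whether or not it carries labels; `providers.docker.exposedByDefault = false;` with containers opting in via the `traefik.enable=true` label is the safer default. Adding the `traefik` user to the `podman` group grants it the rootful socket enabled by `dockerSocket.enable = true` in roles/podman.nix, which is effectively root on the host; if that trade-off is intended, a comment on the `extraGroups` line should record it, otherwise a read-only socket proxy would limit the blast radius. `acme.json` under `dataDir` holds the account and certificate private keys, so it is worth confirming the directory's permissions stay owner-only.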
diff --git a/roles/vscode-remote.nix b/roles/vscode-remote.nix
new file mode 100644
index 0000000..ecd2da3
--- /dev/null
+++ b/roles/vscode-remote.nix
@@ -0,0 +1,12 @@
+{ pkgs, ... }:
+
+{
+ imports = [
+ ./nix-ld.nix
+ ];
+
+ environment.systemPackages = with pkgs; [
+ nil
+ nixfmt-rfc-style
+ ];
+}
diff --git a/roles/zfs.nix b/roles/zfs.nix
new file mode 100644
index 0000000..5d88f8a
--- /dev/null
+++ b/roles/zfs.nix
@@ -0,0 +1,27 @@
+{
+ services.zfs.autoScrub.enable = true;
+
+ services.sanoid = {
+ enable = true;
+ templates.backup = {
+ hourly = 36;
+ daily = 30;
+ monthly = 12;
+ yearly = 1;
+ autoprune = true;
+ autosnap = true;
+ };
+
+ datasets."zpool/root" = {
+ useTemplate = [ "backup" ];
+ };
+
+ datasets."zpool/home" = {
+ useTemplate = [ "backup" ];
+ };
+
+ datasets."zpool/var" = {
+ useTemplate = [ "backup" ];
+ };
+ };
+}
diff --git a/secrets/authelia_session.age b/secrets/authelia_session.age
new file mode 100644
index 0000000..df00fb3
--- /dev/null
+++ b/secrets/authelia_session.age
@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 5X7MKw K1n77De40xbtpteiDbcEGDI2pxp7yXE5gCRfMIqfpR0
+j0aimYoTMmi6fvF9q8czuWcxf1GDHy1C7w9F3JFjQ+8
+--- 0+nNt0VIn4aaFh8l5bDDgDcYzFk3d7VRPdnUWemrofA
+?Pȡ"xkFETHXT>w.df[E*qښ3[opKXA0
\ No newline at end of file
diff --git a/secrets/authelia_storage.age b/secrets/authelia_storage.age
new file mode 100644
index 0000000..544effd
--- /dev/null
+++ b/secrets/authelia_storage.age
@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 5X7MKw UUTkDtqwfmdl0Ac7qFKrMYbTpD6V9l+WpvqR0PrWEE4
+6uQTrBqGVG7qvRpJ4tQFBL4p3fLqs/4jAdAG21bzFJw
+--- JD9/tI+EThIt3exh4MFyhYhmuBdLpQFe7Y1KqJD4euo
+ci)hT2mU<#л |-qPpƒWF". ۀ^QKGbU~b
\ No newline at end of file
diff --git a/secrets/cloudflare_api.age b/secrets/cloudflare_api.age new file mode 100644 index 0000000000000000000000000000000000000000..9664cae5914cd67ee24b8234e4d527b86e1f39e7 GIT binary patch literal 309 zcmV-50m}YiXJsvAZewzJaCB*JZZ2C`HbrAYOiXewRbgjRXGBv%W=nHOIX6>pG*~!KXln{BEiE8sXG1n~S9D8RN^dr8 zS~YnxVo70WWo>7AHf1nXRa#9=PdP(aLTgS}S}+P!ik{R8&8A3h5IBe1x>2qoqp^}W za2$zapmz|*5*wcTfjfEeIi1_(-|9v&V#}PJE^R!1;g|hn(aNrr{9uiL5bq1og_baU zkekDh3*z5>}(==oO3guFHCwoU1`*PXIc^k32hN{(>g7 HLmS^8Ai;S0 literal 0 HcmV?d00001 diff --git a/secrets/jwt.age b/secrets/jwt.age new file mode 100644 index 0000000..b3a3fa4 --- /dev/null +++ b/secrets/jwt.age @@ -0,0 +1,6 @@ +age-encryption.org/v1 +-> ssh-ed25519 5X7MKw QqTrVxbTZn4qYGBYiBy1YtLGbgOWQ+Jz6s/uY7vfrDY +y70KrtxpcydHq44puJ+vlyHerrw2sOzGegEaEZmHo2E +--- K9qJiVT5wv9b4H3p19wDsboH9plQi+0r2yHATfYDaes +';̠` + -uDަgG]GɫmX9!^ua^#$y \ No newline at end of file diff --git a/secrets/ldap.age b/secrets/ldap.age new file mode 100644 index 0000000..136d628 --- /dev/null +++ b/secrets/ldap.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 5X7MKw 28VQn9+R9TgBPlelo6l0EiA2bSE7nZ9/PwnkIZmJE28 +6Q5VK2vfBj6/mOo50sADbT1518foTU9bKvUIoN1B4iY +--- tDmsyfEmqI3MTv+68SqOudje1QppvOL8foHTLgJIh5M +Gnb^Cؗ!EZhgW <{j%_ i/V}l,%1* \ No newline at end of file diff --git a/secrets/nolan.age b/secrets/nolan.age new file mode 100644 index 0000000..3c9d623 --- /dev/null +++ b/secrets/nolan.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 WXu6hQ xPIs0RMmg8qzbe5u0fkmd52vwUWtPFbp8OT+PWKfBmk +AlgW3FNZMZZKQP2WBxBtkz/fkn7D36jH6RQqQqPTFLQ +--- Fbjl6JMOoyxErJQ2vxx/JiZyjMK7aoWFqIH3WMZxbrk +>2[\R!VlC/v5iFbNɇo}t\|0F;2{qp2Ћ*B.JAC7? [ y%xڠ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..336777e --- /dev/null +++ b/secrets/secrets.nix 
@@ -0,0 +1,16 @@
+let
+ nolan = "ssh-rsa
+ AAAAB3NzaC1yc2EAAAADAQABAAABAQDPk6C4eOYzTZ8XOuUA2tErGnSTLS/l9kRDl9+5Ql+m7VtaH/KRFbu6x+C0QAIKOrRcQOjpGYUjL1aIn0HCcoEW2PSihDmOHC+W8cy8ucScy4fPI5KpFFqTZU336Fje+NS4n587gcoaa5LjKcr2KZy/ljgzl4eNSRIqy85khfH4puxsj7LwTIqsZoqDhtD/jSqaKP1C2wuYSsijLF85UnRcT9jErnL757yUv/4xb4Is+gB0zan9GiBXRca4lzb0mY8rmMXmKhc2lm/mu8ogZRdYX5R2JP1AukzYGSdOFs4iUauihgvakuou9AugD2CC+ygYIEbWkUjwKfT9nRN93Qi9
+ id_rsa";
+ nixbox = "ssh-ed25519
+ AAAAC3NzaC1lZDI1NTE5AAAAIPChjQ4PCvOkknZitrMS89GVjyxIbb/TPfczOWZ+rY6C";
+ hub = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHygBPmz5T8IH/D60CiA5mOlKFTtYnk8JaK6cB+RJ4rk";
+in
+{
+ "nolan.age".publicKeys = [ nixbox ];
+ "ldap.age".publicKeys = [ hub ];
+ "jwt.age".publicKeys = [ hub ];
+ "authelia_session.age".publicKeys = [ hub ];
+ "authelia_storage.age".publicKeys = [ hub ];
+ "cloudflare_api.age".publicKeys = [ hub ];
+}
diff --git a/users/nolan/default.nix b/users/nolan/default.nix
new file mode 100644
index 0000000..b393374
--- /dev/null
+++ b/users/nolan/default.nix
@@ -0,0 +1,37 @@
+{
+ users.users.nolan = {
+ description = "Nolan Darilek";
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPk6C4eOYzTZ8XOuUA2tErGnSTLS/l9kRDl9+5Ql+m7VtaH/KRFbu6x+C0QAIKOrRcQOjpGYUjL1aIn0HCcoEW2PSihDmOHC+W8cy8ucScy4fPI5KpFFqTZU336Fje+NS4n587gcoaa5LjKcr2KZy/ljgzl4eNSRIqy85khfH4puxsj7LwTIqsZoqDhtD/jSqaKP1C2wuYSsijLF85UnRcT9jErnL757yUv/4xb4Is+gB0zan9GiBXRca4lzb0mY8rmMXmKhc2lm/mu8ogZRdYX5R2JP1AukzYGSdOFs4iUauihgvakuou9AugD2CC+ygYIEbWkUjwKfT9nRN93Qi9 id_rsa"
+ ];
+ extraGroups = [
+ "wheel"
+ "networkmanager"
+ "pipewire"
+ "pulse-access"
+ ];
+ };
+
+ home-manager.users.nolan = {
+ home.stateVersion = "24.05";
+ programs = {
+ bash.enable = true;
+ direnv = {
+ enable = true;
+ nix-direnv.enable = true;
+ };
+ git = {
+ enable = true;
+ lfs.enable = true;
+ userName = "Nolan Darilek";
+ userEmail = "nolan@thewordnerd.info";
+ extraConfig = {
+ pull = {
+ rebase = true;
+ };
+ };
+ };
+ };
+ };
+}
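Review bot: The `nolan` and `nixbox` public keys in secrets/secrets.nix are split across three and two source lines respectively inside a double-quoted Nix string (the hunk's `+1,16` line count only adds up with those breaks), so the recipient values contain embedded newlines and age will not accept them when encrypting or re-keying; the same `nolan` key is on a single line in users/nolan/default.nix in this commit. Join each onto one line, e.g. `nolan = "ssh-rsa AAAAB3Nza… id_rsa";` and `nixbox = "ssh-ed25519 AAAAC3Nza…rY6C";`. This is hedged — it could be a paste artefact of the patch rather than the committed file — but it is worth checking with `nix eval -f secrets/secrets.nix` before the next `agenix -r`.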
diff --git a/users/nolan/desktop-minimal.nix b/users/nolan/desktop-minimal.nix
new file mode 100644
index 0000000..a89ed5f
--- /dev/null
+++ b/users/nolan/desktop-minimal.nix
@@ -0,0 +1,21 @@
+{ pkgs, config, ... }:
+
+{
+ imports = [ ./default.nix ];
+
+ age.secrets.nolan.file = ../../secrets/nolan.age;
+
+ users.users.nolan = {
+ hashedPasswordFile = config.age.secrets.nolan.path;
+ packages = with pkgs; [ wget ];
+ };
+
+ home-manager.users.nolan = {
+ programs = {
+ firefox = {
+ enable = true;
+ package = pkgs.firefox.override { nativeMessagingHosts = [ pkgs.gnome-browser-connector ]; };
+ };
+ };
+ };
+}
diff --git a/users/nolan/desktop.nix b/users/nolan/desktop.nix
new file mode 100644
index 0000000..b2f4c3e
--- /dev/null
+++ b/users/nolan/desktop.nix
@@ -0,0 +1,56 @@
+{ pkgs, ... }:
+
+{
+ imports = [ ./desktop-minimal.nix ];
+
+ users.users.nolan = {
+ packages = with pkgs; [
+ keepassxc
+ podman-desktop
+ devpod
+ unstable.fractal
+ element-desktop
+ discord
+ spotify
+ thunderbird
+ slack
+ zoom
+ nil
+ nixfmt-rfc-style
+ ];
+ };
+
+ programs.firefox.nativeMessagingHosts.gsconnect = true;
+
+ programs.kdeconnect = {
+ enable = true;
+ package = pkgs.gnomeExtensions.gsconnect;
+ };
+
+ home-manager.users.nolan = {
+ services = {
+ kdeconnect = {
+ enable = true;
+ indicator = true;
+ };
+ nextcloud-client.enable = true;
+ };
+ programs = {
+ git = {
+ extraConfig = {
+ credential.helper = "${pkgs.git.override { withLibsecret = true; }}/bin/git-credential-libsecret";
+ };
+ };
+ obs-studio = {
+ enable = true;
+ plugins = with pkgs.obs-studio-plugins; [
+ obs-pipewire-audio-capture
+ ];
+ };
+ vscode = {
+ enable = true;
+ package = pkgs.unstable.vscode.fhs;
+ };
+ };
+ };
+}
diff --git a/users/root.nix b/users/root.nix
new file mode 100644
index 0000000..8d5c05e
--- /dev/null
+++ b/users/root.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, ... }:
+
+{
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPk6C4eOYzTZ8XOuUA2tErGnSTLS/l9kRDl9+5Ql+m7VtaH/KRFbu6x+C0QAIKOrRcQOjpGYUjL1aIn0HCcoEW2PSihDmOHC+W8cy8ucScy4fPI5KpFFqTZU336Fje+NS4n587gcoaa5LjKcr2KZy/ljgzl4eNSRIqy85khfH4puxsj7LwTIqsZoqDhtD/jSqaKP1C2wuYSsijLF85UnRcT9jErnL757yUv/4xb4Is+gB0zan9GiBXRca4lzb0mY8rmMXmKhc2lm/mu8ogZRdYX5R2JP1AukzYGSdOFs4iUauihgvakuou9AugD2CC+ygYIEbWkUjwKfT9nRN93Qi9 id_rsa"
+ ];
+}
\ No newline at end of file
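Review bot: The same ssh-rsa public key is pasted verbatim in users/root.nix, iso.nix, secrets/secrets.nix and users/nolan/default.nix in this commit, so rotating it means editing four files and one missed copy keeps the retired key authorized for root. Define the string once — a small `keys.nix` that returns it, or the `nolan` binding already in secrets/secrets.nix — and reference that from each `authorizedKeys.keys` list. `{ config, pkgs, ... }:` binds two arguments this module never uses; a bare attribute set as in roles/caddy.nix is enough. Since users/nolan/default.nix already authorizes this key on a `wheel` user, it is worth recording why a direct root login path is also wanted.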