nolan/nixos
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updates.

Browse source
This commit is contained in:
Nolan Darilek 2025-02-14 13:01:44 -06:00
parent 838941b56b
commit a5f06924da
11 changed files with 123 additions and 57 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
flake.lock generated
View file

@ -169,11 +169,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1737751639, "lastModified": 1738816619,
"narHash": "sha256-ZEbOJ9iT72iwqXsiEMbEa8wWjyFvRA9Ugx8utmYbpz4=", "narHash": "sha256-5yRlg48XmpcX5b5HesdGMOte+YuCy9rzQkJz+imcu6I=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "dfad538f751a5aa5d4436d9781ab27a6128ec9d4", "rev": "2eccff41bab80839b1d25b303b53d339fbb07087",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -216,11 +216,11 @@
}, },
"nixpkgsUnstable": { "nixpkgsUnstable": {
"locked": { "locked": {
"lastModified": 1737885589, "lastModified": 1739446958,
"narHash": "sha256-Zf0hSrtzaM1DEz8//+Xs51k/wdSajticVrATqDrfQjg=", "narHash": "sha256-+/bYK3DbPxMIvSL4zArkMX0LQvS7rzBKXnDXLfKyRVc=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "852ff1d9e153d8875a83602e03fdef8a63f0ecf8", "rev": "2ff53fe64443980e139eaa286017f53f88336dd0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -244,11 +244,11 @@
}, },
"nixpkgs_3": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1738023785, "lastModified": 1739357830,
"narHash": "sha256-BPHmb3fUwdHkonHyHi1+x89eXB3kA1jffIpwPVJIVys=", "narHash": "sha256-9xim3nJJUFbVbJCz48UP4fGRStVW5nv4VdbimbKxJ3I=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "2b4230bf03deb33103947e2528cac2ed516c5c89", "rev": "0ff09db9d034a04acd4e8908820ba0b410d7a33a",
"type": "github" "type": "github"
}, },
"original": { "original": {

3
hosts/hub/apps/actual.nix
View file

@ -10,6 +10,9 @@
ports = [ ports = [
"5006:5006" "5006:5006"
]; ];
environment = {
ACTUAL_LOGIN_METHOD = "header";
};
volumes = [ "/var/lib/actual:/data" ]; volumes = [ "/var/lib/actual:/data" ];
}; };

9
hosts/hub/apps/audiobookshelf.nix
View file

@ -8,5 +8,12 @@
reverse_proxy localhost:8000 reverse_proxy localhost:8000
''; '';
}; };
environment.systemPackages = with pkgs; [ audible-cli ]; environment.systemPackages = with pkgs; [
audible-cli
ffmpeg
lame
jq
mp4v2
mediainfo
];
} }

73
hosts/hub/apps/dev.nix
View file

@ -1,42 +1,81 @@
{ pkgs, config, ... }:
let
name = "dev";
domain = "dev.thewordnerd.info";
appName = "Nolan's Projects";
in
{ {
age.secrets."${name}_runner_linux".file = ../../../secrets/${name}_runner_linux.age;
services = { services = {
postgresql = { postgresql = {
ensureDatabases = [ "dev" ]; ensureDatabases = [ name ];
ensureUsers = [ ensureUsers = [
{ {
name = "dev"; name = name;
ensureDBOwnership = true; ensureDBOwnership = true;
} }
]; ];
}; };
authelia.instances.main.settings.access_control.rules = [ authelia.instances.main.settings.access_control.rules = [
{ {
domain = "dev.thewordnerd.info"; domain = domain;
policy = "bypass"; policy = "bypass";
} }
]; ];
caddy.virtualHosts.${domain}.extraConfig = ''
forward_auth localhost:9091 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
reverse_proxy ${name}:3000
'';
gitea-actions-runner = {
package = pkgs.unstable.forgejo-runner;
instances."${name}-linux" = {
name = "Linux";
enable = true;
url = "https://${domain}";
labels = [
"ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-22.04"
"native:host"
];
tokenFile = config.age.secrets."${name}_runner_linux".path;
};
};
}; };
containers.dev = { environment.systemPackages = with pkgs; [ unstable.forgejo-runner ];
networking.firewall.trustedInterfaces = [ "br-+" ];
containers."${name}" = {
autoStart = true; autoStart = true;
privateNetwork = true; privateNetwork = true;
hostAddress = "192.168.0.1"; hostAddress = "192.168.0.1";
localAddress = "192.168.0.2"; localAddress = "192.168.0.2";
config = config =
let
hostPkgs = pkgs;
in
{ {
config,
pkgs,
lib, lib,
... ...
}: }:
{ {
services.gitea = { services.forgejo = {
enable = true; enable = true;
appName = "Nolan's projects"; package = hostPkgs.unstable.forgejo;
settings = { settings = {
DEFAULT = {
APP_NAME = appName;
};
server = { server = {
ROOT_URL = "https://dev.thewordnerd.info"; ROOT_URL = "https://${domain}";
DOMAIN = "dev.thewordnerd.info"; DOMAIN = domain;
DISABLE_SSH = true; DISABLE_SSH = true;
LANDING_PAGE = "explore"; LANDING_PAGE = "explore";
}; };
@ -55,8 +94,8 @@
lfs.enable = true; lfs.enable = true;
database = { database = {
type = "postgres"; type = "postgres";
name = "dev"; name = name;
user = "dev"; user = name;
socket = "/run/postgresql"; socket = "/run/postgresql";
createDatabase = false; createDatabase = false;
}; };
@ -67,7 +106,7 @@
}; };
services.resolved.enable = true; services.resolved.enable = true;
environment.sessionVariables = { environment.sessionVariables = {
PATH = [ "${pkgs.gitea}/bin" ]; PATH = [ "${pkgs.forgejo}/bin" ];
GITEA_WORK_DIR = "/var/lib/gitea"; GITEA_WORK_DIR = "/var/lib/gitea";
}; };
}; };
@ -77,12 +116,4 @@
}; };
}; };
}; };
services.caddy.virtualHosts."dev.thewordnerd.info".extraConfig = ''
forward_auth localhost:9091 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
reverse_proxy dev:3000
'';
} }

35
hosts/hub/apps/nextcloud.nix
View file

@ -32,12 +32,18 @@
configureRedis = true; configureRedis = true;
maxUploadSize = "16G"; maxUploadSize = "16G";
# autoUpdateApps.enable = true; # autoUpdateApps.enable = true;
notify_push.enable = true; notify_push = {
enable = true;
bendDomainToLocalhost = true;
};
webfinger = true; webfinger = true;
settings = { settings = {
overwriteprotocol = "https"; overwriteprotocol = "https";
trusted_proxies = [ "192.168.0.1" ]; trusted_proxies = [
"192.168.0.1"
];
default_phone_region = "US"; default_phone_region = "US";
# loglevel = 0;
}; };
config = { config = {
dbtype = "pgsql"; dbtype = "pgsql";
@ -46,10 +52,6 @@
}; };
phpOptions."opcache.interned_strings_buffer" = "23"; phpOptions."opcache.interned_strings_buffer" = "23";
}; };
onlyoffice = {
enable = true;
hostname = "onlyoffice.thewordnerd.info";
};
resolved.enable = true; resolved.enable = true;
}; };
programs.nix-ld.enable = true; programs.nix-ld.enable = true;
@ -57,12 +59,19 @@
firewall.allowedTCPPorts = [ 80 ]; firewall.allowedTCPPorts = [ 80 ];
useHostResolvConf = lib.mkForce false; useHostResolvConf = lib.mkForce false;
}; };
virtualisation.podman = { virtualisation.docker.enable = true;
enable = true; users.users.nextcloud.extraGroups = [ "docker" ];
dockerCompat = true; environment.systemPackages = [
dockerSocket.enable = true; (pkgs.writeScriptBin "occ" ''
}; #!${pkgs.bash}/bin/bash
exec nextcloud-occ "$@"
'')
];
}; };
# https://discourse.nixos.org/t/podman-docker-in-nixos-container-ideally-in-unprivileged-one/22909/12
additionalCapabilities = [
''all" --system-call-filter="add_key keyctl bpf" --capability="all''
];
bindMounts = { bindMounts = {
"/run/postgresql" = { "/run/postgresql" = {
hostPath = "/run/postgresql"; hostPath = "/run/postgresql";
@ -74,4 +83,8 @@
reverse_proxy nextcloud reverse_proxy nextcloud
header Strict-Transport-Security max-age=31536000; header Strict-Transport-Security max-age=31536000;
''; '';
services.caddy.virtualHosts."collabora.thewordnerd.info".extraConfig = ''
reverse_proxy nextcloud:9980
'';
} }

11
hosts/hub/apps/ollama.nix
View file

@ -1,7 +1,6 @@
{ {
services.ollama.enable = true; services.ollama = {
services.caddy.virtualHosts."https://ollama.tailc50184.ts.net".extraConfig = '' enable = true;
bind tailscale/ollama host = "0.0.0.0";
reverse_proxy http://localhost:11434 };
''; }
}

16
hosts/hub/default.nix
View file

@ -26,6 +26,7 @@
./apps/actual.nix ./apps/actual.nix
./apps/adguard.nix ./apps/adguard.nix
./apps/audiobookshelf.nix ./apps/audiobookshelf.nix
./apps/ollama.nix
]; ];
boot.loader.grub = { boot.loader.grub = {
@ -116,6 +117,15 @@
443 443
]; ];
services.caddy.virtualHosts."thewordnerd.info".extraConfig =
''redir https://www.thewordnerd.info{uri}'';
services.caddy.virtualHosts."www.thewordnerd.info".extraConfig = ''
file_server
root * /var/www/thewordnerd.info
header /.well-known/matrix/* content-type application/json
'';
services.caddy.virtualHosts."users.thewordnerd.info".extraConfig = services.caddy.virtualHosts."users.thewordnerd.info".extraConfig =
''reverse_proxy localhost:17170''; ''reverse_proxy localhost:17170'';
@ -139,12 +149,6 @@
} }
''; '';
services.caddy.virtualHosts."www.thewordnerd.info".extraConfig = ''
file_server
root * /var/www/thewordnerd.info
header /.well-known/matrix/* content-type application/json
'';
# This option defines the first version of NixOS you have installed on this particular machine, # This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
# #

2
pkgs/caddy/flake.nix
View file

@ -23,7 +23,7 @@
packages = { packages = {
default = pkgs.caddy.withPlugins { default = pkgs.caddy.withPlugins {
plugins = [ "github.com/tailscale/caddy-tailscale@f21c01b660c896bdd6bacc37178dc00d9af282b4" ]; plugins = [ "github.com/tailscale/caddy-tailscale@f21c01b660c896bdd6bacc37178dc00d9af282b4" ];
hash = "sha256-zrL1wrWXbXnBrWHSnuNaoO2Q7R9GL3/DfUtS5vTqono="; hash = "sha256-WCyobNu2We2q/wP8H3C3pwxmXQ4cqybsNKL3nOSHrFo=";
}; };
}; };
} }

1
roles/authelia.nix
View file

@ -49,7 +49,6 @@
authentication_backend = { authentication_backend = {
password_reset.disable = false; password_reset.disable = false;
refresh_interval = "1m"; refresh_interval = "1m";
ldap = { ldap = {
implementation = "custom"; implementation = "custom";
address = "ldap://localhost:3890"; address = "ldap://localhost:3890";

6
secrets/dev_runner_linux.age Normal file
View file

@ -0,0 +1,6 @@
age-encryption.org/v1
-> ssh-ed25519 5X7MKw OFZLirNVsQ5klS+bNgG9frnbZbRw0cje5xPUV9WiBSs
q31jUX8SNN8tYEx666oBFmRHWCqbskLFb3ya4V5NKlQ
--- beVB7IjgzaVWLSJ3XMRQ870aK7dwswvQF91k/DM3dz4
Êžª”ÿpɇS;÷§]Üê7£çDž¥_x¸y­x„³ |ߦ÷d†—xÄÒØám<C3A1>Úìà—+
A[yµ³¥ð>)%­¶ÀÁoÐg

6
secrets/secrets.nix
View file

@ -5,7 +5,10 @@ let
flynode = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOhYhgpzyqIbSX779o6TI9yZA1qvha+SUfrdHwndj69I"; flynode = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOhYhgpzyqIbSX779o6TI9yZA1qvha+SUfrdHwndj69I";
in in
{ {
"nolan.age".publicKeys = [ nolan flynode ]; "nolan.age".publicKeys = [
nolan
flynode
];
"ldap.age".publicKeys = [ hub ]; "ldap.age".publicKeys = [ hub ];
"jwt.age".publicKeys = [ hub ]; "jwt.age".publicKeys = [ hub ];
"authelia_session.age".publicKeys = [ hub ]; "authelia_session.age".publicKeys = [ hub ];
@ -15,4 +18,5 @@ in
hub hub
garden garden
]; ];
"dev_runner_linux.age".publicKeys = [ hub ];
} }