Compare commits
45 commits
b469af3d5b
...
ad8d362fb7
Author | SHA1 | Date | |
---|---|---|---|
ad8d362fb7 | |||
9d3259431b | |||
9cede5484c | |||
eef403378c | |||
6633832dc5 | |||
b2c02339db | |||
1285c65914 | |||
5bf6776a9d | |||
a353ac79c3 | |||
476a143db5 | |||
479e6101b2 | |||
57144478d8 | |||
aabfd99313 | |||
76e06c3f36 | |||
a4d82d41a3 | |||
bb0a7dbec8 | |||
f50bc4375c | |||
33af35a9b1 | |||
e9f291bbd8 | |||
a8f46b1129 | |||
23338c113e | |||
d1d3792f50 | |||
a5275a9956 | |||
3f049217a6 | |||
48c57e4d37 | |||
133c8f51c5 | |||
74956d41fb | |||
b42b5f6bfa | |||
60b0188a56 | |||
85d3690295 | |||
c6abe4faa0 | |||
72d58de2a7 | |||
e6e138a872 | |||
aa34bbe1e1 | |||
31ea05cae1 | |||
852f5d6605 | |||
2efe3afc66 | |||
2888aca418 | |||
6603a33b90 | |||
d229383930 | |||
8068e1b4f5 | |||
164f8c9ec8 | |||
1f5a60e642 | |||
806729ec03 | |||
9a36f5bae9 |
20 changed files with 599 additions and 150 deletions
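--- /dev/null
+++ b/.forgejo/workflows/update.yml
@@ -0,0 +1,17 @@
+on:
+schedule:
+- cron: '0 2 * * *'
+jobs:
+lockfile:
+runs-on: docker
+steps:
+- uses: actions/checkout@v4
+- uses: https://github.com/DeterminateSystems/nix-installer-action@main
+- run: 'git config --unset-all extensions.worktreeconfig'
+- run: 'nix flake update --commit-lock-file --commit-lockfile-summary "flake.lock: Update"'
+env:
+GIT_AUTHOR_NAME: Chris Dombroski
+GIT_AUTHOR_EMAIL: cdombroski@gmail.com
+GIT_COMMITTER_NAME: Chris Dombroski
+GIT_COMMITTER_EMAIL: cdombroski@gmail.com
+- run: 'git push'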
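Review bot: `nix-installer-action@main` pins a third-party action to a mutable branch inside a job that has push rights to this repository and whose commits are later applied to every host by `system.autoUpgrade`, so a bad or compromised upstream commit flows straight into production with no review step in between; pin it to a release tag or commit SHA, e.g. `- uses: https://github.com/DeterminateSystems/nix-installer-action@<pinned tag or commit SHA>`. `actions/checkout@v4` is a moving major tag as well and deserves the same treatment. The author/committer identity is hard-coded to a personal address; a dedicated bot identity would make the automated lock bumps distinguishable from human commits in history.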
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -1,2 +1,3 @@
|
|||
.direnv/
|
||||
result
|
||||
*.swp
|
||||
|
|
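--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,28 @@
+keys:
+- &admin_cdombroski age15va8dthvmn30ymex0kkrrk034aq25drmsx4mkmf480a8uq4tvcyqw5s4uk
+- &system_smolboi age1qmv6x6zwxhaks86nqtsvck56ucdyc9fakgp59a30afl95p6vp4aqyf22hp
+- &system_zeus age1y06hfa8ctp3tr7g2rukmst4cl064hxaqfsx8w0yq4tgmcrv7qvksct7mnl
+- &system_orangepihole age12g2kuerwhpyd4t0jrynfc0wlj66rltyp34lsca4y5llmly8jppcq5ug3kc
+creation_rules:
+- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+key_groups:
+- age:
+- *admin_cdombroski
+- *system_smolboi
+- *system_zeus
+- *system_orangepihole
+- path_regex: secrets/smolboi/[^/]+\.(yaml|json|env|ini)$
+key_groups:
+- age:
+- *admin_cdombroski
+- *system_smolboi
+- path_regex: secrets/zeus/[^/]+\.(yaml|json|env|ini)$
+key_groups:
+- age:
+- *admin_cdombroski
+- *system_zeus
+- path_regex: secrets/orangepihole/[^/]+\.(yaml|json|env|ini)$
+key_groups:
+- age:
+- *admin_cdombroski
+- *system_orangepihole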
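Review bot: The creation_rules only ever match files under `secrets/`, so a credential written directly into a host configuration is never encrypted — the `CF_API_TOKEN`, `CF_TUNNEL_PASSWORD`, `CF_ZONE_ID` and `CF_ACCOUNT_ID` values in the swag container block of systems/zeus/configuration.nix in this same compare sit in the repository in clear text, and since `system.autoUpgrade` fetches the repo unauthenticated it appears to be publicly readable. They belong in a `secrets/zeus/*.yaml` file, which the `secrets/zeus/[^/]+\.(yaml|json|env|ini)$` rule here already provisions for, and should reach the container through `environmentFiles` pointing at the decrypted secret path rather than an inline `environment` map; the token and tunnel password are in git history now and need rotating regardless of where they are moved. The recipient list itself is consistent with the four `recipient:` entries in secrets/secret.yaml.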
54
flake.lock
54
flake.lock
|
@ -61,11 +61,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1712386041,
|
||||
"narHash": "sha256-dA82pOMQNnCJMAsPG7AXG35VmCSMZsJHTFlTHizpKWQ=",
|
||||
"lastModified": 1714043624,
|
||||
"narHash": "sha256-Xn2r0Jv95TswvPlvamCC46wwNo8ALjRCMBJbGykdhcM=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "d6bb9f934f2870e5cbc5b94c79e9db22246141ff",
|
||||
"rev": "86853e31dc1b62c6eeed11c667e8cdd0285d4411",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -91,13 +91,29 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"nixpkgs-stable": {
|
||||
"locked": {
|
||||
"lastModified": 1713725259,
|
||||
"narHash": "sha256-9ZR/Rbx5/Z/JZf5ehVNMoz/s5xjpP0a22tL6qNvLt5E=",
|
||||
"lastModified": 1713638189,
|
||||
"narHash": "sha256-q7APLfB6FmmSMI1Su5ihW9IwntBsk2hWNXh8XtSdSIk=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "a5e4bbcb4780c63c79c87d29ea409abf097de3f7",
|
||||
"rev": "74574c38577914733b4f7a775dd77d24245081dd",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "release-23.11",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1713995372,
|
||||
"narHash": "sha256-fFE3M0vCoiSwCX02z8VF58jXFRj9enYUSTqjyHAjrds=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "dd37924974b9202f8226ed5d74a252a9785aedf8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -111,7 +127,29 @@
|
|||
"deploy-rs": "deploy-rs",
|
||||
"flake-utils": "flake-utils",
|
||||
"home-manager": "home-manager",
|
||||
"nixpkgs": "nixpkgs_2"
|
||||
"nixpkgs": "nixpkgs_2",
|
||||
"sops-nix": "sops-nix"
|
||||
}
|
||||
},
|
||||
"sops-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs-stable": "nixpkgs-stable"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1713892811,
|
||||
"narHash": "sha256-uIGmA2xq41vVFETCF1WW4fFWFT2tqBln+aXnWrvjGRE=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "f1b0adc27265274e3b0c9b872a8f476a098679bd",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"systems": {
|
||||
|
|
17
flake.nix
17
flake.nix
|
@ -8,8 +8,12 @@
|
|||
url = github:nix-community/home-manager/release-23.11;
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
sops-nix = {
|
||||
url = "github:Mic92/sops-nix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
outputs = inputs@{ self, nixpkgs, flake-utils, home-manager, deploy-rs, ... }:
|
||||
};
|
||||
outputs = inputs@{ self, nixpkgs, flake-utils, home-manager, deploy-rs, sops-nix, ... }:
|
||||
let
|
||||
pkgs = import nixpkgs { system = "x86_64-linux"; };
|
||||
aarch64Pkgs = import nixpkgs { system = "aarch64-linux"; };
|
||||
|
@ -32,6 +36,7 @@
|
|||
nixosConfigurations = {
|
||||
smolboi = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
specialArgs = { inherit inputs; };
|
||||
modules = [
|
||||
./systems/smolboi/configuration.nix
|
||||
home-manager.nixosModules.home-manager
|
||||
|
@ -41,8 +46,14 @@
|
|||
}
|
||||
];
|
||||
};
|
||||
zeus = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
specialArgs = { inherit inputs; };
|
||||
modules = [ ./systems/zeus/configuration.nix ];
|
||||
};
|
||||
orangepihole = nixpkgs.lib.nixosSystem {
|
||||
system = "aarch64-linux";
|
||||
specialArgs = { inherit inputs; };
|
||||
modules = [ ./systems/orangepihole/configuration.nix ];
|
||||
};
|
||||
};
|
||||
|
@ -54,6 +65,10 @@
|
|||
hostname = "smolboi";
|
||||
profiles.system.path = deployPkgs.deploy-rs.lib.activate.nixos self.nixosConfigurations.smolboi;
|
||||
};
|
||||
zeus = {
|
||||
hostname = "zeus";
|
||||
profiles.system.path = deployPkgs.deploy-rs.lib.activate.nixos self.nixosConfigurations.zeus;
|
||||
};
|
||||
orangepihole = {
|
||||
hostname = "orangepihole";
|
||||
profiles.system.path = deployAarch64Pkgs.deploy-rs.lib.activate.nixos self.nixosConfigurations.orangepihole;
|
||||
|
|
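Review bot: `sops-nix` is added with only `inputs.nixpkgs.follows`, so its second input `nixpkgs-stable` is locked on its own (that is the new `nixpkgs-stable` node in the flake.lock hunk), which pulls a second nixpkgs tree on every `nix flake update`; unless something here needs the stable variant, add `inputs.nixpkgs-stable.follows = "nixpkgs";` next to the existing follows line. Minor style point: the home-manager input keeps the unquoted URL literal `github:nix-community/home-manager/release-23.11` while the new input uses a quoted string — pick one form for the `inputs` block. The `inputs` attrset this hunk edits begins before the hunk.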
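--- /dev/null
+++ b/modules/aarch64-emu.nix
@@ -0,0 +1,3 @@
+{...}: {
+boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+}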
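--- /dev/null
+++ b/modules/common.nix
@@ -0,0 +1,3 @@
+{...}: {
+imports = builtins.map (n: toString ./common + "/${n}") (builtins.attrNames (builtins.removeAttrs (builtins.readDir ./common) [(builtins.unsafeGetAttrPos "_" {_ = null;}).file]));
+}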
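Review bot: The exclusion in `builtins.removeAttrs` compares the basenames returned by `builtins.readDir ./common` against the absolute path that `builtins.unsafeGetAttrPos` yields for this file, so as far as I can tell it never matches and every entry of modules/common is imported unconditionally — including any non-.nix file that lands there (an editor backup, a README). Filter on the suffix instead and drop the unsafe builtin: `imports = map (n: ./common + "/${n}") (builtins.filter (n: builtins.match ".*\\.nix" n != null) (builtins.attrNames (builtins.readDir ./common)));`. A one-line comment such as `# every .nix file in ./common is applied to every host` would also help, since dropping a file into that directory now changes all machines at once.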
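--- /dev/null
+++ b/modules/common/common.nix
@@ -0,0 +1,5 @@
+{...}: {
+time.timeZone = "America/New_York";
+i18n.defaultLocale = "en_US.UTF-8";
+programs.vim.defaultEditor = true;
+}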
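--- /dev/null
+++ b/modules/common/msmtp.nix
@@ -0,0 +1,26 @@
+{ config, ... }: {
+sops.secrets."gmail/password" = {};
+programs.msmtp = {
+enable = true;
+accounts.default = {
+auth = true;
+tls = true;
+host = "smtp.gmail.com";
+port = 587;
+from = "${config.networking.hostName}@notification.icanttype.org";
+user = "cdombroski";
+passwordeval = "cat ${config.sops.secrets."gmail/password".path}";
+};
+defaults.aliases = "/etc/aliases";
+};
+
+environment.etc = {
+"aliases" = {
+text = ''
+root: cdombroski@gmail.com
+'';
+mode = "0644";
+};
+};
+}
+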
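Review bot: `sops.secrets."gmail/password" = {}` leaves the decrypted file at the sops-nix defaults (root-owned and not world-readable, as far as I recall), so `passwordeval` only succeeds for root; that suits notifications sent by system services such as smartd or cron, but any unprivileged sender will get an authentication failure from msmtp. If root-only is the intent, say so, e.g. `# root-only secret: mail is sent by system services, not by users`; otherwise set `mode`/`group` on the secret. Because this module reaches every host through common.nix, every host now needs `gmail/password` in the sops file it decrypts, which sops.nix currently satisfies only via the shared secrets/secret.yaml.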
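--- /dev/null
+++ b/modules/common/nix.nix
@@ -0,0 +1,19 @@
+{pkgs, ...}: {
+environment.systemPackages = with pkgs; [
+git
+nix-output-monitor
+];
+nix = {
+settings.experimental-features = [ "nix-command" "flakes" ];
+gc = {
+automatic = true;
+options = "--delete-older-than 30d";
+dates = "weekly";
+};
+optimise.automatic = true;
+};
+system.autoUpgrade = {
+enable = true;
+flake = "git+https://git.icanttype.org/cdombroski/nix-configs.git";
+};
+}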
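Review bot: `system.autoUpgrade.flake` tracks the default branch of the forge repository unauthenticated, and .forgejo/workflows/update.yml pushes unreviewed lock bumps to that same branch, so push rights on the repo (and the CI job's token) are now equivalent to root on every host; that trust boundary should be stated in the hunk, e.g. `# every host applies whatever the default branch of this repo contains — guard push access accordingly`. Consider `system.autoUpgrade.randomizedDelaySec` so the hosts do not all fetch and rebuild at the same minute. Note also that the common `--delete-older-than 30d` presumably replaces the `7d` that orangepihole's own configuration drops in this compare, which matters on a small SBC root filesystem.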
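--- /dev/null
+++ b/modules/common/sops.nix
@@ -0,0 +1,7 @@
+{ inputs, ... } : {
+imports = [ inputs.sops-nix.nixosModules.sops ];
+sops.defaultSopsFile = ../../secrets/secret.yaml;
+sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+sops.age.generateKey = true;
+}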
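Review bot: Every host is pointed at the single shared secrets/secret.yaml, which .sops.yaml encrypts to all four recipients, so any secret added there is readable by every machine — a compromise of the least-trusted host yields every secret, and the per-host rules in .sops.yaml stay unused until individual secrets set `sopsFile = ../../secrets/<host>/<file>.yaml;` (placeholder path). Setting `sops.age.sshKeyPaths` together with `keyFile` and `generateKey = true` also means each host may hold two age identities; if the recipients in .sops.yaml are the ssh-derived ones, the generated key under /var/lib/sops-nix is never a recipient and those two lines are dead weight — a comment stating which identity is authoritative would help either way.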
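--- /dev/null
+++ b/modules/common/sshd.nix
@@ -0,0 +1,6 @@
+{...}: {
+services.openssh.enable = true;
+users.users.root.openssh.authorizedKeys.keys = [
+"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEApZvmNao6HvjOI3NQ96+Hu+N4MTw20KSvrx7ml8/PD4zb5GXo2sXRROHy0VclIXBEPKPKq93QGCMhfCR0jvr2tSib5CwrCMDnjjRxGJV36jhCE1mOV6TKis1MDdigg/7NSVf+eszUW4ed6CSDNFu3ooVZSwdf4Tja2672ROk1W59rDbfgs0Et7pRNnmWM1q+sTbD0eRbY9+0DXBhx5u4OVjp6eNNmO59WGErVvAAjOnZR3rw2LSX7MDrtzeCe1sdR/28WGPIIUVL8eCorlhzPB6PfrTL1Y/fbWAOGdvs6h+wTPX3ivTlrs8J5AXERCymp/CXIA1mwVjnM9zOklFhun+VvCNNJsZPSM62jrHfD4bP11y1kSt87TORGW517nWdS80oUY6MwxRcN2salwWzZA0sVjIHmvc4FkAuPHhdlMQpkym9fpFfR9taWlxU2NMP/+Quj3NaAPKksPvUGwos8lP8Z+QF5ljedNZFsC5/S0u6Fqoa26zRTnVki4KhfGPyKHXIUp9kNV7PRz4oRizHibUfp05xVMACtVIn+pQU7CaQEJCdYfLpo9gMDZ+6ZanmQX0vCUEyiaimrF/eSCkzjBtqSKMRHLd6ADEFEDxSr5nfaqgkddQVkQiBvngCnKwYcKfINA5mYIIFJZyLxpki03SHT6qGT541iHT3OX9F4MBc="
+];
+}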
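Review bot: sshd is switched on with a root authorized key, but neither password nor keyboard-interactive authentication is disabled, so the NixOS defaults (`PasswordAuthentication yes`, `KbdInteractiveAuthentication yes`) remain in force on every host that imports common.nix, including the desktop and the container host where ports are published. Add `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;`, and state `services.openssh.settings.PermitRootLogin = "prohibit-password";` explicitly rather than relying on the default. The 4096-bit RSA key works; an ed25519 key, as zeus already uses for its nixremote user, would be the more current choice but that is optional.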
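--- /dev/null
+++ b/modules/networkd-base.nix
@@ -0,0 +1,8 @@
+{...}: {
+systemd.network.enable = true;
+networking.useNetworkd = true;
+services.resolved = {
+enable = true;
+fallbackDns = [ "8.8.8.8" ];
+};
+}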
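Review bot: `fallbackDns = [ "8.8.8.8" ]` makes resolved hand queries to an external resolver whenever the configured servers are unreachable; on orangepihole, which serves the LAN's DNS itself (`DNS = "10.42.69.2"` in its own hunk), that silently bypasses the local resolver exactly when it is down, and an IPv4-only fallback does nothing for the fd72:3dd5:21ae:3c97::/64 network the hosts also use. If the fallback is deliberate, a comment such as `# last-resort resolver for hosts whose local DNS is down` would make that clear; otherwise drop it or point it at a resolver you control.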
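--- /dev/null
+++ b/modules/smartd.nix
@@ -0,0 +1,6 @@
+{...}: {
+services.smartd = {
+enable = true;
+defaults.monitored = "-a -o on -s (S/../.././02|L/../../7/04)";
+};
+}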
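Review bot: The hunk schedules tests but says nothing about where failures go; with common/msmtp.nix providing a sendmail wrapper, `services.smartd.notifications.mail` should switch itself on by default, but that is inferred from the module rather than visible here, so confirm it and consider `services.smartd.notifications.test = true;` once to see a mail actually arrive. A comment decoding the directive would help the next reader, e.g. `# -a: monitor all attributes, -o on: enable offline tests, short self-test daily 02:00, long test Sundays 04:00`.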
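--- /dev/null
+++ b/secrets/secret.yaml
@@ -0,0 +1,49 @@
+gmail:
+password: ENC[AES256_GCM,data:rCL2RzU1INRT5KOyl1JriQ==,iv:jhFDcNHgIJnZTBN9msECQWvy75IH1wO5IFAxqR4Ugng=,tag:cK+A4Os/9xchpNjpb2KAbQ==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age15va8dthvmn30ymex0kkrrk034aq25drmsx4mkmf480a8uq4tvcyqw5s4uk
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRbEdQaDZhUVdIMUFjSVlK
+WUF6NDU2SnUrRHNQUmNRKzVKV0NtYnljMjNJCkdIbGNvZVN5Mkl1Uk5qclZNcnBJ
+MlBEbUlUdFIxM0krRnZ2ZWgwVThpYXMKLS0tIDVxZjRMUjBQM2oySmJFR2RnSWpT
+TnprMkgzckJRUmF4VkJjMGJIWWdQbmcKr82c2dd+xN+aNA7dnH0ewD/Y3Ed8/qcE
+JP5U19gTNah/DmeKB0X0J+iX5akjxNAfe2LmgYGJseLqqaIj9uyatg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1qmv6x6zwxhaks86nqtsvck56ucdyc9fakgp59a30afl95p6vp4aqyf22hp
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJRUpyOFJSeS9XN0NWUDI5
+QS9nZDVOWGlRNmZXa0ZnSGNIMGtMTDV5TDBBCkkwcHBtcjVRLzhiejhreWxXS2Fj
+dWpRaXByS1hlWCs4U2tQdCtWOWpSRzQKLS0tIFhheWxDNjNxOGlsdzNyN1FUblNa
+ZEMrUmhYUXhZVStjRlhVYVB2U25PRW8KMruYhZ46Yf2K/DiUu6SUWMAWmCqKE6dm
+ijtyMzEI5JLlQs8NfbujlGx9giVtUD9tHiNcNim2cb5m49nriaIuTg==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1y06hfa8ctp3tr7g2rukmst4cl064hxaqfsx8w0yq4tgmcrv7qvksct7mnl
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0WjBBMnRERWsyUkQ5WCt6
+Tndvdml0UFlnS3RRY0FyT2thYkpDYmZFeTA4ClY5QXN1SWFxYWsydm55QmZIaldT
+WFI4VC9CdjFqOUdWeDhOcDIveDN4ZjgKLS0tIEI0c3Y0SnlJTGl0T3JjSlRpYVpF
+MW4rYXM5SFg2T1dRN2FBelRVQTBvMXcK32StTJfp44BepZ4pAZbZQJ0qZxF/FkZd
+xhzpwvzG0ztrRA3uQy5tEhNYuge4hyn2gNV4lgT13RJSngXULXVt+A==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age12g2kuerwhpyd4t0jrynfc0wlj66rltyp34lsca4y5llmly8jppcq5ug3kc
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1eFJSeVJQSjRmZ1cyUGRt
+SXF3bUdLZjIrb1JHMzFQeVpaTFVxNk02b2lJCkVSUysyQVlNajNjNzhmUFhjTk1s
+bzQ2VVU0RXhVNnYwTEhzRlRMK2NyK0kKLS0tIFdzN0xIOHM0YnRqaDBHRXBqeWJs
+OFd1RTNYcGJGSXJOaFpnbjR6YzhjQzAKUZxz47g2MKCVTS1gGJ7p6XCubBu+/CUM
+IPQ9uBaW99BB9W9JuIih34/qMVxd/1EHDVk3IDiNB3F3bM8f2LL1yA==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-04-26T17:48:10Z"
+mac: ENC[AES256_GCM,data:H2ZvNgVmtUgeNOvXGWxLFC6t8sCzingICyD6Raj42FIYRVaFLbrVblhESVrCYM2LclehBlSS9ceCk6+B/zaYyd5iE8ENzgz287S6t6RfZR9kfWFrtOJ4RINyGDKIFQ4mlt7+QB83DeW7jONeIRbrdI2Imx7fhXes3uHDc51wjGQ=,iv:PDiijPXwGneoo/QQBovxpoT5b0EBpgAGpExnrQ8lfvQ=,tag:PveY9JhZxpMHIbFHLGoSgA==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.8.1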
|
@ -4,6 +4,8 @@
|
|||
imports =
|
||||
[ # Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
../../modules/common.nix
|
||||
../../modules/networkd-base.nix
|
||||
];
|
||||
|
||||
boot.loader.grub.enable = false;
|
||||
|
@ -12,9 +14,7 @@
|
|||
|
||||
networking = {
|
||||
hostName = "orangepihole"; # Define your hostname.
|
||||
useNetworkd = true;
|
||||
};
|
||||
systemd.network.enable = true;
|
||||
systemd.network.networks."40-end0" = {
|
||||
matchConfig.Name = "end0";
|
||||
address = [ "10.42.69.2/24" "fd72:3dd5:21ae:3c97::2/64" ];
|
||||
|
@ -28,17 +28,16 @@
|
|||
DNS = "10.42.69.2";
|
||||
EmitRouter = true;
|
||||
Router = "10.42.69.1";
|
||||
SendOption = [ "15:string:icanttype.org" "119:string:icanttype.org" ];
|
||||
};
|
||||
networkConfig.IPv6SendRA = true;
|
||||
ipv6SendRAConfig.RouterLifetimeSec = 0;
|
||||
ipv6SendRAConfig.EmitDNS = false;
|
||||
ipv6Prefixes = [ { ipv6PrefixConfig.Prefix = "fd72:3dd5:21ae:3c97::/64"; } ];
|
||||
};
|
||||
time.timeZone = "America/New_York";
|
||||
|
||||
zramSwap.enable = true;
|
||||
swapDevices = [ {device="/swapfile"; size=1024;}];
|
||||
services.resolved.enable = true;
|
||||
services.unbound = {
|
||||
enable = true;
|
||||
settings = {
|
||||
|
@ -66,23 +65,19 @@
|
|||
'';
|
||||
};
|
||||
};
|
||||
users.users.root.openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEApZvmNao6HvjOI3NQ96+Hu+N4MTw20KSvrx7ml8/PD4zb5GXo2sXRROHy0VclIXBEPKPKq93QGCMhfCR0jvr2tSib5CwrCMDnjjRxGJV36jhCE1mOV6TKis1MDdigg/7NSVf+eszUW4ed6CSDNFu3ooVZSwdf4Tja2672ROk1W59rDbfgs0Et7pRNnmWM1q+sTbD0eRbY9+0DXBhx5u4OVjp6eNNmO59WGErVvAAjOnZR3rw2LSX7MDrtzeCe1sdR/28WGPIIUVL8eCorlhzPB6PfrTL1Y/fbWAOGdvs6h+wTPX3ivTlrs8J5AXERCymp/CXIA1mwVjnM9zOklFhun+VvCNNJsZPSM62jrHfD4bP11y1kSt87TORGW517nWdS80oUY6MwxRcN2salwWzZA0sVjIHmvc4FkAuPHhdlMQpkym9fpFfR9taWlxU2NMP/+Quj3NaAPKksPvUGwos8lP8Z+QF5ljedNZFsC5/S0u6Fqoa26zRTnVki4KhfGPyKHXIUp9kNV7PRz4oRizHibUfp05xVMACtVIn+pQU7CaQEJCdYfLpo9gMDZ+6ZanmQX0vCUEyiaimrF/eSCkzjBtqSKMRHLd6ADEFEDxSr5nfaqgkddQVkQiBvngCnKwYcKfINA5mYIIFJZyLxpki03SHT6qGT541iHT3OX9F4MBc="
|
||||
];
|
||||
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
git
|
||||
vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
|
||||
wget
|
||||
];
|
||||
|
||||
services.openssh.enable = true;
|
||||
|
||||
networking.firewall.enable = false;
|
||||
networking.firewall = {
|
||||
allowedUDPPorts = [ 53 67 68 ];
|
||||
allowedTCPPorts = [ 53 ];
|
||||
};
|
||||
|
||||
system.stateVersion = "23.11"; # Did you read the comment?
|
||||
system.autoUpgrade.allowReboot = false;
|
||||
nix.buildMachines = [ {
|
||||
hostName = "zeus";
|
||||
systems = [ "x86_64-linux" "aarch64-linux" ];
|
||||
|
@ -93,9 +88,5 @@
|
|||
}];
|
||||
nix.distributedBuilds = true;
|
||||
nix.extraOptions = "builders-use-substitutes = true";
|
||||
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
||||
nix.gc.automatic = true;
|
||||
nix.gc.options = "--delete-older-than 7d";
|
||||
nix.optimise.automatic = true;
|
||||
}
|
||||
|
||||
|
|
|
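Review bot: In hunk `@ -66,23 +65,19 @@` both `networking.firewall.enable = false;` and the new `networking.firewall = { allowedUDPPorts = [ 53 67 68 ]; allowedTCPPorts = [ 53 ]; };` are printed and the rendering has lost which side each is on; if the intent is to replace the blanket disable with an allow-list, make sure the `enable = false` line is the one removed, because if both survive the allow-list is inert. The 53/67/68 set is right for a LAN DNS and DHCP server, and with `services.openssh.enable` now arriving through common.nix port 22 is opened as well by its default `openFirewall`, which is presumably intended. The file path is not shown on this page and is inferred from `hostName = "orangepihole"`; the enclosing module attrset starts and ends outside these hunks.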
@ -1,27 +1,20 @@
|
|||
# Edit this configuration file to define what should be installed on
|
||||
# your system. Help is available in the configuration.nix(5) man page, on
|
||||
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
|
||||
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ # Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
../../modules/common.nix
|
||||
../../modules/aarch64-emu.nix
|
||||
../../modules/smartd.nix
|
||||
];
|
||||
|
||||
# Use the systemd-boot EFI boot loader.
|
||||
boot = {
|
||||
blacklistedKernelModules = [ "k10temp" ];
|
||||
extraModulePackages = with config.boot.kernelPackages; [ zenpower ];
|
||||
kernelParams = [ "amd_pstate=passive" ];
|
||||
loader.systemd-boot.enable = true;
|
||||
loader.efi.canTouchEfiVariables = true;
|
||||
plymouth = {
|
||||
enable = false;
|
||||
theme = "breeze";
|
||||
};
|
||||
binfmt.emulatedSystems = [ "aarch64-linux" ];
|
||||
binfmt.registrations.appimage = {
|
||||
wrapInterpreterInShell = false;
|
||||
interpreter = "${pkgs.appimage-run}/bin/appimage-run";
|
||||
|
@ -36,23 +29,9 @@
|
|||
|
||||
networking = {
|
||||
hostName = "smolboi"; # Define your hostname.
|
||||
# Pick only one of the below networking options.
|
||||
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
|
||||
networkmanager.enable = true; # Easiest to use and most distros use this by default.
|
||||
firewall.allowedTCPPorts = [ 22000 ];
|
||||
};
|
||||
nix = {
|
||||
settings = {
|
||||
experimental-features = [ "nix-command" "flakes" ];
|
||||
sandbox = true;
|
||||
};
|
||||
gc = {
|
||||
automatic = true;
|
||||
options = "--delete-older-than 30d";
|
||||
dates = "weekly";
|
||||
};
|
||||
optimise.automatic = true;
|
||||
};
|
||||
nixpkgs.config = {
|
||||
allowUnfree = true;
|
||||
permittedInsecurePackages = [
|
||||
|
@ -78,22 +57,7 @@
|
|||
};
|
||||
};
|
||||
|
||||
# Set your time zone.
|
||||
time.timeZone = "America/New_York";
|
||||
|
||||
# Configure network proxy if necessary
|
||||
# networking.proxy.default = "http://user:password@proxy:port/";
|
||||
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
|
||||
|
||||
# Select internationalisation properties.
|
||||
i18n.defaultLocale = "en_US.UTF-8";
|
||||
# console = {
|
||||
# font = "Lat2-Terminus16";
|
||||
# keyMap = "us";
|
||||
# useXkbConfig = true; # use xkb.options in tty.
|
||||
# };
|
||||
|
||||
# Enable the X11 windowing system.
|
||||
services = {
|
||||
xserver = {
|
||||
enable = true;
|
||||
|
@ -104,11 +68,6 @@
|
|||
desktopManager.plasma5.enable = true;
|
||||
};
|
||||
|
||||
# Configure keymap in X11
|
||||
# services.xserver.xkb.layout = "us";
|
||||
# services.xserver.xkb.options = "eurosign:e,caps:escape";
|
||||
|
||||
# Enable CUPS to print documents.
|
||||
printing = {
|
||||
enable = true;
|
||||
drivers = [ pkgs.gutenprint ];
|
||||
|
@ -128,7 +87,6 @@
|
|||
hardware.openrgb.enable = true;
|
||||
resolved.enable = true;
|
||||
btrfs.autoScrub.enable = true;
|
||||
openssh.enable = true;
|
||||
};
|
||||
hardware = {
|
||||
sane = {
|
||||
|
@ -138,35 +96,15 @@
|
|||
bluetooth.enable = true;
|
||||
};
|
||||
|
||||
# Enable sound.
|
||||
security = {
|
||||
rtkit.enable = true;
|
||||
};
|
||||
# hardware.pulseaudio.enable = true;
|
||||
|
||||
# Enable touchpad support (enabled default in most desktopManager).
|
||||
# services.xserver.libinput.enable = true;
|
||||
|
||||
# Define a user account. Don't forget to set a password with ‘passwd’.
|
||||
# users.users.alice = {
|
||||
# isNormalUser = true;
|
||||
# extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
|
||||
# packages = with pkgs; [
|
||||
# firefox
|
||||
# tree
|
||||
# ];
|
||||
# };
|
||||
users.users.root.openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa 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"
|
||||
];
|
||||
users.users.cdombroski = {
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" ];
|
||||
uid = 1000;
|
||||
};
|
||||
|
||||
# List packages installed in system profile. To search, run:
|
||||
# $ nix search wget
|
||||
environment = {
|
||||
systemPackages = with pkgs; [
|
||||
vim-full # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
|
||||
|
@ -176,16 +114,12 @@
|
|||
chromium
|
||||
skanlite
|
||||
htop
|
||||
git
|
||||
kate
|
||||
cifs-utils
|
||||
];
|
||||
pathsToLink = [ "/share/bash-completion" ];
|
||||
};
|
||||
|
||||
# Some programs need SUID wrappers, can be configured further or are
|
||||
# started in user sessions.
|
||||
# programs.mtr.enable = true;
|
||||
programs = {
|
||||
gnupg.agent = {
|
||||
enable = true;
|
||||
|
@ -215,25 +149,11 @@
|
|||
};
|
||||
gamescope.enable = true;
|
||||
};
|
||||
# List services that you want to enable:
|
||||
zramSwap = {
|
||||
enable = true;
|
||||
writebackDevice = "/dev/disk/by-partuuid/e8f5eaf8-46ca-40de-854a-f6dfe964b92d";
|
||||
};
|
||||
|
||||
# Enable the OpenSSH daemon.
|
||||
# services.openssh.enable = true;
|
||||
|
||||
# Open ports in the firewall.
|
||||
# networking.firewall.allowedTCPPorts = [ ... ];
|
||||
# networking.firewall.allowedUDPPorts = [ ... ];
|
||||
# Or disable the firewall altogether.
|
||||
networking.firewall.enable = false;
|
||||
|
||||
# Copy the NixOS configuration file and link it from the resulting system
|
||||
# (/run/current-system/configuration.nix). This is useful in case you
|
||||
# accidentally delete configuration.nix.
|
||||
|
||||
fileSystems = {
|
||||
"/".options = [ "compress=lzo" "autodefrag" "discard=async" "defaults" ];
|
||||
"/nix".options = [ "compress=lzo" "autodefrag" "discard=async" "noatime" "defaults" ];
|
||||
|
@ -241,22 +161,6 @@
|
|||
"/home".options = [ "compress=lzo" "autodefrag" "discard=async" "defaults" ];
|
||||
};
|
||||
|
||||
# This option defines the first version of NixOS you have installed on this particular machine,
|
||||
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
|
||||
#
|
||||
# Most users should NEVER change this value after the initial install, for any reason,
|
||||
# even if you've upgraded your system to a new NixOS release.
|
||||
#
|
||||
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
|
||||
# so changing it will NOT upgrade your system.
|
||||
#
|
||||
# This value being lower than the current NixOS release does NOT mean your system is
|
||||
# out of date, out of support, or vulnerable.
|
||||
#
|
||||
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
|
||||
# and migrated your data accordingly.
|
||||
#
|
||||
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
|
||||
system.stateVersion = "23.11"; # Did you read the comment?
|
||||
}
|
||||
|
||||
|
|
|
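Review bot: `networking.firewall.enable = false;` in hunk `@ -215,25 +149,11 @@` is printed without a side marker; if it survives on the new side (the 11 kept lines suggest it does, since the deletions look like the template comments around it), this desktop now runs sshd with a root authorized key from common/sshd.nix behind no host firewall, and `firewall.allowedTCPPorts = [ 22000 ];` in hunk `@ -36,23 +29,9 @@` is inert. Removing `networking.firewall.enable = false;` is enough — openssh opens 22 through its default `openFirewall` and 22000 stays on the allow-list. Separately, hunk `@ -1,27 +1,20 @@` still prints `binfmt.emulatedSystems = [ "aarch64-linux" ];` while also importing modules/aarch64-emu.nix; if both remain it is harmless duplication worth cleaning up. The file path is inferred from `hostName = "smolboi"`.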
@ -75,32 +75,6 @@
|
|||
# '')
|
||||
];
|
||||
|
||||
systemd.user = {
|
||||
services = {
|
||||
autoupgrade = {
|
||||
Service = {
|
||||
WorkingDirectory = "/home/cdombroski/work/nix-configs";
|
||||
Type = "oneshot";
|
||||
ExecStart = "${pkgs.writeShellScript "upgrade-system" ''
|
||||
${pkgs.nix}/bin/nix flake update
|
||||
${pkgs.git}/bin/git add .
|
||||
${pkgs.git}/bin/git commit -m "update flake"
|
||||
${pkgs.git}/bin/git push
|
||||
${pkgs.deploy-rs}/bin/deploy
|
||||
''}";
|
||||
};
|
||||
};
|
||||
};
|
||||
timers = {
|
||||
autoupgrade = {
|
||||
Timer = {
|
||||
OnCalendar = "daily";
|
||||
};
|
||||
Install.WantedBy = [ "timers.target" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
nixpkgs.config = {
|
||||
allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
|
||||
"discord"
|
||||
|
|
290
systems/zeus/configuration.nix
Normal file
290
systems/zeus/configuration.nix
Normal file
|
@ -0,0 +1,290 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ # Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
../../modules/common.nix
|
||||
../../modules/aarch64-emu.nix
|
||||
../../modules/networkd-base.nix
|
||||
../../modules/smartd.nix
|
||||
];
|
||||
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.grub.zfsSupport = true;
|
||||
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
|
||||
boot.loader.grub.devices = [ "/dev/sda" "/dev/sdb" "/dev/sdc" "/dev/sdd" "/dev/sde" "/dev/sdf" ];
|
||||
|
||||
networking.hostName = "zeus"; # Define your hostname.
|
||||
networking.hostId = "9e95b576";
|
||||
systemd.network.netdevs = {
|
||||
bond0 = {
|
||||
netdevConfig = {
|
||||
Name = "bond0";
|
||||
Kind = "bond";
|
||||
};
|
||||
bondConfig = {
|
||||
Mode = "active-backup";
|
||||
};
|
||||
};
|
||||
lan-shim = {
|
||||
netdevConfig = {
|
||||
Name = "lan-shim";
|
||||
Kind = "macvlan";
|
||||
MACAddress = "3e:53:37:25:08:ef";
|
||||
};
|
||||
macvlanConfig = {
|
||||
Mode = "bridge";
|
||||
};
|
||||
};
|
||||
wg0 = {
|
||||
netdevConfig = {
|
||||
Name = "wg0";
|
||||
Kind = "wireguard";
|
||||
};
|
||||
wireguardConfig = {
|
||||
PrivateKeyFile = "/etc/nixos/wireguard.priv";
|
||||
ListenPort = 51821;
|
||||
};
|
||||
wireguardPeers = [{
|
||||
wireguardPeerConfig = {
|
||||
PublicKey = "ZT+n0XONAZ6dkiIJR+2bmTT9y7WTxDNdnZo5S7b8vxE=";
|
||||
AllowedIPs = [ "10.98.0.0/31" ];
|
||||
PresharedKeyFile = "/etc/nixos/wireguard.psk";
|
||||
PersistentKeepalive = 25;
|
||||
Endpoint = "remote.kow.is:51821";
|
||||
};
|
||||
}];
|
||||
};
|
||||
};
|
||||
systemd.network.networks = {
|
||||
"00-bondage" = {
|
||||
name = "en*";
|
||||
networkConfig.Bond = "bond0";
|
||||
};
|
||||
bond0 = {
|
||||
name = "bond0";
|
||||
networkConfig.MACVLAN = "lan-shim";
|
||||
};
|
||||
lan-shim = {
|
||||
name = "lan-shim";
|
||||
address = [ "10.42.69.100/24" "fd72:3dd5:21ae:3c97:101b:87ff:fe86:5f01/64" ];
|
||||
dns = [ "10.42.69.2" ];
|
||||
domains = [ "icanttype.org" ];
|
||||
gateway = [ "10.42.69.1" ];
|
||||
};
|
||||
wg0 = {
|
||||
name = "wg0";
|
||||
address = [ "10.98.0.0/31" "fd72:3dd5:21ae:ff1a::1/64" ];
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
virtualisation = {
|
||||
containers.enable = true;
|
||||
podman = {
|
||||
enable = true;
|
||||
dockerCompat = true;
|
||||
defaultNetwork.settings.dns_enabled = true;
|
||||
};
|
||||
oci-containers.containers = {
|
||||
dockerproxy = {
|
||||
image = "ghcr.io/tecnativa/docker-socket-proxy:latest";
|
||||
volumes = [ "/var/run/podman/podman.sock:/var/run/docker.sock:ro" ];
|
||||
environment = {
|
||||
CONTAINERS="1";
|
||||
POST="0";
|
||||
};
|
||||
extraOptions = [ "--pull=newer" "--network=www"];
|
||||
};
|
||||
swag = {
|
||||
image = "lscr.io/linuxserver/swag:2.9.0-ls292";
|
||||
volumes = [ "swag-config:/config" ];
|
||||
environment = {
|
||||
TZ="America/New_York";
|
||||
URL="icanttype.org";
|
||||
VALIDATION="dns";
|
||||
SUBDOMAINS="wildcard";
|
||||
DNSPLUGIN="cloudflare";
|
||||
DOCKER_HOST="dockerproxy";
|
||||
DOCKER_MODS="linuxserver/mods:swag-dashboard|linuxserver/mods:swag-auto-proxy|linuxserver/mods:universal-docker|linuxserver/mods:universal-cloudflared";
|
||||
CF_ZONE_ID="4e68852334290a922718696a0986e75a";
|
||||
CF_ACCOUNT_ID="5c1c252b9d9a9af6ea3a5de8590f36fa";
|
||||
CF_API_TOKEN="mRfY8ubtFUxzVuehI6WFipSQFIcstCNds7RF5FTQ";
|
||||
CF_TUNNEL_NAME="icanttype.org";
|
||||
CF_TUNNEL_PASSWORD="iZh4UYxVSo3S2H3XwwboM2z@mJEqYJkQ5yMTfd5p";
|
||||
FILE__CF_TUNNEL_CONFIG="/config/tunnelconfig.yml";
|
||||
EMAIL="cdombroski@gmail.com";
|
||||
};
|
||||
ports = [ "80:80" "443:443" ];
|
||||
extraOptions = [ "--pull=newer" "--network=www" "--cap-add" "NET_ADMIN" "--network-alias=icanttype.org" ];
|
||||
};
|
||||
jellyfin = {
|
||||
image = "lscr.io/linuxserver/jellyfin:latest";
|
||||
volumes = [ "jellyfin-config:/config" "/video-data/media:/data/media" ];
|
||||
environment.TZ="America/New_York";
|
||||
labels.swag = "enable";
|
||||
ports = [ "1900:1900/udp" "7359:7359/udp" ];
|
||||
extraOptions = [ "--pull=newer" "--network=www" ];
|
||||
};
|
||||
zwave-js-ui = {
|
||||
image = "docker.io/zwavejs/zwave-js-ui:latest";
|
||||
volumes = [ "zwave-config:/usr/src/app/store" ];
|
||||
environment.TZ = "America/New_York";
|
||||
labels = { swag = "enable"; swag_url = "zwave.icanttype.org"; };
|
||||
extraOptions = [ "--pull=newer" "--network=www" "--device=/dev/ttyACM0:/dev/zwave" ];
|
||||
};
|
||||
homeassistant = {
|
||||
image = "lscr.io/linuxserver/homeassistant:latest";
|
||||
volumes = [ "homeassistant-config:/config" ];
|
||||
environment.TZ = "America/New_York";
|
||||
labels.swag = "enable";
|
||||
extraOptions = [ "--pull=newer" "--network=www" "--network=lan" ];
|
||||
};
|
||||
postgres = {
|
||||
image = "docker.io/library/postgres:15";
|
||||
volumes = [ "postgres-15:/var/lib/postgresql/data" ];
|
||||
extraOptions = [ "--pull=newer" "--network=www" ];
|
||||
};
|
||||
calibre = {
|
||||
image = "lscr.io/linuxserver/calibre:latest";
|
||||
volumes = [ "calibre-config:/config" "/video-data:/data" ];
|
||||
environment.TZ = "America/New_York";
|
||||
labels.swag = "enable";
|
||||
extraOptions = [ "--pull=newer" "--network=www" ];
|
||||
};
|
||||
calibre-web = {
|
||||
image = "lscr.io/linuxserver/calibre-web:latest";
|
||||
volumes = [ "calibre-web-config:/config" "/video-data:/data" ];
|
||||
environment.TZ = "America/New_York";
|
||||
labels.swag = "enable";
|
||||
extraOptions = [ "--pull=newer" "--network=www" ];
|
||||
};
|
||||
flaresolverr = {
|
||||
image = "ghcr.io/flaresolverr/flaresolverr:latest";
|
||||
environment.LOG_LEVEL = "info";
|
||||
extraOptions = [ "--pull=newer" "--network=www" ];
|
||||
};
|
||||
qbittorrent = {
|
||||
image = "lscr.io/linuxserver/qbittorrent:latest";
|
||||
volumes = [ "qbittorrent-config:/config" "/video-data/torrent:/data/torrent" ];
|
||||
environment = {
|
||||
TZ = "America/New_York";
|
||||
UMASK_SET = "000";
|
||||
DELUGE_LOGLEVEL = "error";
|
||||
};
|
||||
labels.swag = "enable";
|
||||
ports = [ "34996:34996" "34996:34996/udp" ];
|
||||
extraOptions = [ "--pull=newer" "--network=www" ];
|
||||
};
|
||||
prowlarr = {
|
||||
image = "lscr.io/linuxserver/prowlarr:latest";
|
||||
volumes = [ "prowlarr-config:/config" ];
|
||||
environment.TZ = "America/New_York";
|
||||
labels.swag = "enable";
|
||||
extraOptions = [ "--pull=newer" "--network=www" ];
|
||||
};
|
||||
readarr = {
|
||||
image = "lscr.io/linuxserver/readarr:develop";
|
||||
volumes = [ "readarr-config:/config" "/video-data:/data" ];
|
||||
environment.TZ = "America/New_York";
|
||||
labels.swag = "enable";
|
||||
extraOptions = [ "--pull=newer" "--network=www" ];
|
||||
};
|
||||
radarr = {
|
||||
image = "lscr.io/linuxserver/radarr:latest";
|
||||
volumes = [ "radarr-config:/config" "/video-data:/data" ];
|
||||
environment.TZ = "America/New_York";
|
||||
labels.swag = "enable";
|
||||
extraOptions = [ "--pull=newer" "--network=www" ];
|
||||
};
|
||||
sonarr = {
|
||||
image = "lscr.io/linuxserver/sonarr:latest";
|
||||
volumes = [ "sonarr-config:/config" "/video-data:/data" ];
|
||||
environment.TZ = "America/New_York";
|
||||
labels.swag = "enable";
|
||||
extraOptions = [ "--pull=newer" "--network=www" ];
|
||||
};
|
||||
static = {
|
||||
image = "docker.io/library/nginx:alpine";
|
||||
volumes = [ "/srv/docker/nginx/static:/usr/share/nginx/html:ro" "/srv/docker/nginx/config/static/default.conf:/etc/nginx/config.d/default.conf:ro" ];
|
||||
labels = {
|
||||
swag = "enable";
|
||||
swag_url = "www.icanttype.org";
|
||||
};
|
||||
extraOptions = [ "--pull=newer" "--network=www" ];
|
||||
};
|
||||
forgejo = {
|
||||
image = "codeberg.org/forgejo/forgejo:7";
|
||||
volumes = [ "forgejo-data:/data" "/etc/localtime:/etc/localtime:ro" ];
|
||||
labels = {
|
||||
swag = "enable";
|
||||
swag_url = "git.icanttype.org";
|
||||
swag_port = "3000";
|
||||
};
|
||||
ports = [ "10022:22" ];
|
||||
extraOptions = [ "--pull=newer" "--network=www" ];
|
||||
};
|
||||
docker_dind = {
|
||||
image = "docker.io/library/docker:dind";
|
||||
cmd = [ "dockerd" "-H" "tcp://0.0.0.0:2375" "--tls=false" ];
|
||||
extraOptions = [ "--pull=newer" "--privileged" "--network=www" ];
|
||||
};
|
||||
runner = {
|
||||
image = "code.forgejo.org/forgejo/runner:3.4.1";
|
||||
dependsOn = [ "docker_dind" ];
|
||||
environment.DOCKER_HOST = "tcp://docker_dind:2375";
|
||||
volumes = [ "forgejo-runner:/data" ];
|
||||
cmd = [ "forgejo-runner" "daemon" ];
|
||||
extraOptions = [ "--pull=newer" "--network=www" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
networking.firewall = {
|
||||
interfaces."podman+" = {
|
||||
allowedUDPPorts = [ 53 ];
|
||||
allowedTCPPorts = [ 53 ];
|
||||
};
|
||||
allowedUDPPorts = [ 137 138 ];
|
||||
allowedTCPPorts = [ 139 445 ];
|
||||
};
|
||||
|
||||
users.users.nixremote = {
|
||||
description = "User for remote builds";
|
||||
isNormalUser = true;
|
||||
uid = 1100;
|
||||
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH7rvqA2VG9kOPHBNgfna0YA+jEjIR6ZAKrdgWVWQjCV root@orangepihole" ];
|
||||
};
|
||||
environment.systemPackages = with pkgs; [
|
||||
vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
|
||||
dive
|
||||
podman-tui
|
||||
docker-compose
|
||||
wireguard-tools
|
||||
];
|
||||
|
||||
services.samba.enable = true;
|
||||
services.samba.shares = {
|
||||
media = {
|
||||
path = "/video-data";
|
||||
browseable = "yes";
|
||||
"read only" = "no";
|
||||
"guest ok" = "yes";
|
||||
};
|
||||
};
|
||||
services.zfs.autoScrub.enable = true;
|
||||
services.zfs.zed.settings = {
|
||||
ZED_EMAIL_ADDR = [ "root" ];
|
||||
ZED_EMAIL_PROG = "${pkgs.msmtp}/bin/msmtp";
|
||||
ZED_EMAIL_OPTS = "@ADDRESS@";
|
||||
ZED_NOTIFY_INTERVAL_SECS = 3600;
|
||||
ZED_NOTIFY_VERBOSE = true;
|
||||
ZED_USE_ENCLOSURE_LEDS = true;
|
||||
ZED_SCRUB_AFTER_RESILVER = true;
|
||||
};
|
||||
services.zfs.zed.enableMail = false;
|
||||
|
||||
system.stateVersion = "23.11"; # Did you read the comment?
|
||||
zramSwap.enable = true;
|
||||
}
|
||||
|
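--- /dev/null
+++ b/systems/zeus/hardware-configuration.nix
@@ -0,0 +1,59 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+imports =
+[ (modulesPath + "/installer/scan/not-detected.nix")
+];
+
+boot.initrd.availableKernelModules = [ "ohci_pci" "ehci_pci" "sata_nv" "sd_mod" ];
+boot.initrd.kernelModules = [ ];
+boot.kernelModules = [ "kvm-amd" ];
+boot.extraModulePackages = [ ];
+
+fileSystems."/" =
+{ device = "zroot/root";
+fsType = "zfs";
+};
+
+fileSystems."/boot" =
+{ device = "zboot/boot";
+fsType = "zfs";
+};
+
+fileSystems."/home" =
+{ device = "zroot/home";
+fsType = "zfs";
+};
+
+fileSystems."/nix" =
+{ device = "zroot/nix";
+fsType = "zfs";
+};
+
+fileSystems."/var" =
+{ device = "zroot/var";
+fsType = "zfs";
+};
+
+fileSystems."/video-data" =
+{ device = "rpool/video-data";
+fsType = "zfs";
+};
+
+swapDevices =
+[ { device = "/dev/disk/by-uuid/aecf6400-9c9f-43f9-8c57-08f3c8a633e7"; }
+{ device = "/dev/disk/by-uuid/3fca7d18-441c-4f39-adad-ffd882b1f210"; }
+];
+
+# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+# (the default) this is the recommended approach. When using systemd-networkd it's
+# still possible to use this option, but it's recommended to use it in conjunction
+# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+networking.useDHCP = lib.mkDefault false;
+
+nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}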