Merge branch 'main' of ssh://git.0x76.dev:42/v/infrastructure

Vivian 2023-05-05 17:03:41 +02:00
commit 1d4e75ab68
93 changed files with 2069 additions and 1775 deletions


@ -2,7 +2,7 @@
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{ pkgs, ... }:
{
imports = [ ];


@ -1,5 +1,4 @@
{ config, pkgs, lib, ... }:
{
{ pkgs, lib, ... }: {
networking.interfaces.eth0.useDHCP = true;
# mosh ssh


@ -1,5 +1,4 @@
{ config, pkgs, ... }:
{
_: {
system.stateVersion = "22.11";
networking.interfaces.eth0.useDHCP = true;


@ -1,5 +1,4 @@
{ pkgs, ... }:
{
{ pkgs, ... }: {
imports = [ ];
# This value determines the NixOS release from which the default


@ -1,17 +1,19 @@
{ config, pkgs, lib, ... }:
let vs = config.vault-secrets.secrets; in
{
{ config, ... }:
let vs = config.vault-secrets.secrets;
in {
system.stateVersion = "22.05";
networking.interfaces.eth0.useDHCP = true;
# the registry port and metrics port
networking.firewall.allowedTCPPorts = [ config.services.dockerRegistry.port 5001 ];
networking.firewall.allowedTCPPorts =
[ config.services.dockerRegistry.port 5001 ];
vault-secrets.secrets.docker-registry = { };
# Sets the minio user and password
systemd.services.docker-registry.serviceConfig.EnvironmentFile = "${vs.docker-registry}/environment";
systemd.services.docker-registry.serviceConfig.EnvironmentFile =
"${vs.docker-registry}/environment";
services.dockerRegistry = {
enable = true;


@ -1,17 +1,19 @@
{ config, pkgs, lib, ... }:
let vs = config.vault-secrets.secrets; in
{
{ config, ... }:
let vs = config.vault-secrets.secrets;
in {
system.stateVersion = "22.05";
networking.interfaces.eth0.useDHCP = true;
# the registry port and metrics port
networking.firewall.allowedTCPPorts = [ config.services.dockerRegistry.port 5001 ];
networking.firewall.allowedTCPPorts =
[ config.services.dockerRegistry.port 5001 ];
vault-secrets.secrets.docker-registry = { };
# Sets the minio user and password
systemd.services.docker-registry.serviceConfig.EnvironmentFile = "${vs.docker-registry}/environment";
systemd.services.docker-registry.serviceConfig.EnvironmentFile =
"${vs.docker-registry}/environment";
services.dockerRegistry = {
enable = true;
@ -34,15 +36,13 @@ let vs = config.vault-secrets.secrets; in
http.debug.prometheus.enabled = true;
# Webhooks
notifications.endpoints = [
{
name = "keel";
url = "http://10.10.10.17:9300/v1/webhooks/registry";
timeout = "500ms";
treshold = 5;
backoff = "1s";
}
];
notifications.endpoints = [{
name = "keel";
url = "http://10.10.10.17:9300/v1/webhooks/registry";
timeout = "500ms";
treshold = 5;
backoff = "1s";
}];
};
};
}


@ -1,5 +1,4 @@
{ config, pkgs, ... }:
{
_: {
system.stateVersion = "21.05";
networking.interfaces.eth0.useDHCP = true;


@ -3,8 +3,28 @@
# and in the NixOS manual (accessible by running nixos-help).
{ pkgs, ... }:
let
# Redefining the package instead of overriding as overriding GoModules seems broken
# see: https://github.com/NixOS/nixpkgs/issues/86349
nuclei-latest = pkgs.buildGoModule rec {
pname = "nuclei";
version = "2.9.2";
{
src = pkgs.fetchFromGitHub {
owner = "projectdiscovery";
repo = pname;
rev = "1f9a065713924b28b203e2108fc76d7a1ec49068";
hash = "sha256-QiegMoBy0gZMyQl2MRAwR14zXeh8wvVonyETdAzHbj0=";
};
vendorHash = "sha256-0JNwoBqLKH1F/0Tr8o35gCSNT/2plIjIQvZRuzAZ5P8=";
modRoot = "./v2";
subPackages = [ "cmd/nuclei/" ];
doCheck = false;
};
in {
imports = [ ./hardware-configuration.nix ];
# This value determines the NixOS release from which the default
@ -16,12 +36,7 @@
system.stateVersion = "23.05"; # Did you read the comment?
# Additional packages
environment.systemPackages = with pkgs; [
gcc
jq
nuclei
rustup
];
environment.systemPackages = with pkgs; [ gcc go jq rustup nuclei-latest ];
networking.firewall.allowedTCPPorts = [ ];
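Review bot: The new `nuclei-latest` derivation pins `rev` to a bare commit hash and sets `doCheck = false` without a comment on either, so a reader cannot tell whether that commit really corresponds to `version = "2.9.2"` or why the test phase is skipped. Because this replaces the nixpkgs build of the tool, I would add `# rev: upstream commit for v2.9.2 (TODO confirm)` above `rev` and a one-line reason next to `doCheck = false`. The `hash` and `vendorHash` pins keep the fetch reproducible; documenting version and rev together makes it harder to bump one without the other. The rest of the file lies outside this section's hunks.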


@ -1,27 +1,33 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ lib, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.availableKernelModules = [
"uhci_hcd"
"ehci_pci"
"ahci"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/749c02fd-209d-4974-917e-38b749d10ec2";
fsType = "ext4";
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/749c02fd-209d-4974-917e-38b749d10ec2";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/D021-72EB";
fsType = "vfat";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/D021-72EB";
fsType = "vfat";
};
swapDevices = [ ];


@ -1,6 +1,5 @@
{ config, pkgs, lib, ... }:
let
vs = config.vault-secrets.secrets;
{ config, pkgs, ... }:
let vs = config.vault-secrets.secrets;
in {
system.stateVersion = "22.11";


@ -28,7 +28,6 @@ in {
security.acme.acceptTerms = true;
security.acme.preliminarySelfsigned = true;
services.nginx = {
enable = true;
recommendedProxySettings = true;


@ -2,7 +2,7 @@
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{ ... }:
{
imports = [ ];
@ -31,9 +31,7 @@
# LOG_LEVEL = "debug";
TZ = "Europe/Amsterdam";
};
ports = [
"5055:5055"
];
ports = [ "5055:5055" ];
volumes = [ "/var/lib/overseerr/config:/app/config" ];
};
};


@ -2,7 +2,7 @@
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{ pkgs, ... }:
let
datadir = "/var/lib/pmm/config";
container = "meisnate12/plex-meta-manager:latest";


@ -1,5 +1,4 @@
{ config, pkgs, ... }:
{
_: {
networking.interfaces.eth0.useDHCP = true;
system.stateVersion = "22.11";
@ -7,7 +6,7 @@
enable = true;
openFirewall = true;
};
virtualisation.podman.enable = true;
virtualisation.oci-containers = {
@ -15,9 +14,7 @@
containers = {
flaresolverr = {
image = "flaresolverr/flaresolverr:v3.1.2";
ports = [
"8191:8191"
];
ports = [ "8191:8191" ];
};
};
};


@ -1,5 +1,4 @@
{ config, pkgs, ... }:
{
_: {
system.stateVersion = "21.05";
networking.interfaces.eth0.useDHCP = true;


@ -1,116 +1,115 @@
{ config, lib, pkgs, ... }:
{
{ config, lib, pkgs, ... }: {
services.rtorrent = {
enable = true;
port = 54945; # Port Forwarded in mullvad
downloadDir = "/mnt/storage/torrents/r";
package = pkgs.jesec-rtorrent;
configText = let cfg = config.services.rtorrent; in
pkgs.lib.mkForce ''
# rTorrent runtime directory (cfg.basedir) [default: "$HOME/.local/share/rtorrent"]
method.insert = cfg.basedir, private|const|string, (cat,"${cfg.dataDir}/")
configText = let cfg = config.services.rtorrent;
in pkgs.lib.mkForce ''
# rTorrent runtime directory (cfg.basedir) [default: "$HOME/.local/share/rtorrent"]
method.insert = cfg.basedir, private|const|string, (cat,"${cfg.dataDir}/")
# Default download directory (cfg.download) [default: "$(cfg.basedir)/download"]
method.insert = cfg.download, private|const|string, (cat,"${cfg.downloadDir}")
# Default download directory (cfg.download) [default: "$(cfg.basedir)/download"]
method.insert = cfg.download, private|const|string, (cat,"${cfg.downloadDir}")
# RPC Socket
method.insert = cfg.rpcsock, private|const|string, (cat,"${cfg.rpcSocket}")
# RPC Socket
method.insert = cfg.rpcsock, private|const|string, (cat,"${cfg.rpcSocket}")
# Log directory (cfg.logs) [default: "$(cfg.basedir)/log"]
method.insert = cfg.logs, private|const|string, (cat,(cfg.basedir),"log/")
method.insert = cfg.logfile, private|const|string, (cat,(cfg.logs),"rtorrent-",(system.time),".log")
# Log directory (cfg.logs) [default: "$(cfg.basedir)/log"]
method.insert = cfg.logs, private|const|string, (cat,(cfg.basedir),"log/")
method.insert = cfg.logfile, private|const|string, (cat,(cfg.logs),"rtorrent-",(system.time),".log")
# Torrent session directory (cfg.session) [default: "$(cfg.basedir)/.session"]
method.insert = cfg.session, private|const|string, (cat,(cfg.basedir),".session/")
# Torrent session directory (cfg.session) [default: "$(cfg.basedir)/.session"]
method.insert = cfg.session, private|const|string, (cat,(cfg.basedir),".session/")
# Watch (drop to add) directories (cfg.watch) [default: "$(cfg.basedir)/watch"]
method.insert = cfg.watch, private|const|string, (cat,(cfg.basedir),"watch/")
# Watch (drop to add) directories (cfg.watch) [default: "$(cfg.basedir)/watch"]
method.insert = cfg.watch, private|const|string, (cat,(cfg.basedir),"watch/")
# Create directories
fs.mkdir.recursive = (cat,(cfg.basedir))
# Create directories
fs.mkdir.recursive = (cat,(cfg.basedir))
fs.mkdir = (cat,(cfg.download))
fs.mkdir = (cat,(cfg.logs))
fs.mkdir = (cat,(cfg.session))
fs.mkdir = (cat,(cfg.download))
fs.mkdir = (cat,(cfg.logs))
fs.mkdir = (cat,(cfg.session))
fs.mkdir = (cat,(cfg.watch))
fs.mkdir = (cat,(cfg.watch),"/load")
fs.mkdir = (cat,(cfg.watch),"/start")
fs.mkdir = (cat,(cfg.watch))
fs.mkdir = (cat,(cfg.watch),"/load")
fs.mkdir = (cat,(cfg.watch),"/start")
# Drop to "$(cfg.watch)/load" to add torrent
schedule2 = watch_load, 11, 10, ((load.verbose, (cat, (cfg.watch), "load/*.torrent")))
# Drop to "$(cfg.watch)/load" to add torrent
schedule2 = watch_load, 11, 10, ((load.verbose, (cat, (cfg.watch), "load/*.torrent")))
# Drop to "$(cfg.watch)/start" to add torrent and start downloading
schedule2 = watch_start, 10, 10, ((load.start_verbose, (cat, (cfg.watch), "start/*.torrent")))
# Drop to "$(cfg.watch)/start" to add torrent and start downloading
schedule2 = watch_start, 10, 10, ((load.start_verbose, (cat, (cfg.watch), "start/*.torrent")))
# Listening port for incoming peer traffic
network.port_range.set = ${toString cfg.port}-${toString cfg.port}
network.port_random.set = no
# Listening port for incoming peer traffic
network.port_range.set = ${toString cfg.port}-${toString cfg.port}
network.port_random.set = no
# Distributed Hash Table and Peer EXchange
dht.mode.set = disable
dht.port.set = 6881
protocol.pex.set = yes
# Distributed Hash Table and Peer EXchange
dht.mode.set = disable
dht.port.set = 6881
protocol.pex.set = yes
# UDP tracker support
trackers.use_udp.set = yes
# UDP tracker support
trackers.use_udp.set = yes
# Peer settings
throttle.max_uploads.set = 100
throttle.max_uploads.global.set = 250
throttle.min_peers.normal.set = 20
throttle.max_peers.normal.set = 60
throttle.min_peers.seed.set = 30
throttle.max_peers.seed.set = 80
trackers.numwant.set = 80
# Peer settings
throttle.max_uploads.set = 100
throttle.max_uploads.global.set = 250
throttle.min_peers.normal.set = 20
throttle.max_peers.normal.set = 60
throttle.min_peers.seed.set = 30
throttle.max_peers.seed.set = 80
trackers.numwant.set = 80
protocol.encryption.set = allow_incoming,try_outgoing,enable_retry
protocol.encryption.set = allow_incoming,try_outgoing,enable_retry
# Limits for file handle resources, this is optimized for
# an `ulimit` of 1024 (a common default). You MUST leave
# a ceiling of handles reserved for rTorrent's internal needs!
network.max_open_files.set = 600
network.max_open_sockets.set = 300
# Limits for file handle resources, this is optimized for
# an `ulimit` of 1024 (a common default). You MUST leave
# a ceiling of handles reserved for rTorrent's internal needs!
network.max_open_files.set = 600
network.max_open_sockets.set = 300
# Memory resource usage (increase if you have a large number of items loaded,
# and/or the available resources to spend)
pieces.memory.max.set = 1800M
network.xmlrpc.size_limit.set = 32M
# Memory resource usage (increase if you have a large number of items loaded,
# and/or the available resources to spend)
pieces.memory.max.set = 1800M
network.xmlrpc.size_limit.set = 32M
# Basic operational settings
session.path.set = (cat, (cfg.session))
directory.default.set = (cat, (cfg.download))
log.execute = (cat, (cfg.logs), "execute.log")
# Basic operational settings
session.path.set = (cat, (cfg.session))
directory.default.set = (cat, (cfg.download))
log.execute = (cat, (cfg.logs), "execute.log")
# Other operational settings
encoding.add = utf8
system.umask.set = 0027
system.cwd.set = (directory.default)
#schedule2 = low_diskspace, 5, 60, ((close_low_diskspace, 500M))
#pieces.hash.on_completion.set = no
# Other operational settings
encoding.add = utf8
system.umask.set = 0027
system.cwd.set = (directory.default)
#schedule2 = low_diskspace, 5, 60, ((close_low_diskspace, 500M))
#pieces.hash.on_completion.set = no
# HTTP and SSL
network.http.max_open.set = 50
network.http.dns_cache_timeout.set = 25
# HTTP and SSL
network.http.max_open.set = 50
network.http.dns_cache_timeout.set = 25
#network.http.ssl_verify_peer.set = 1
#network.http.ssl_verify_host.set = 1
#network.http.ssl_verify_peer.set = 1
#network.http.ssl_verify_host.set = 1
# Run the rTorrent process as a daemon in the background
system.daemon.set = true
# Run the rTorrent process as a daemon in the background
system.daemon.set = true
# XML-RPC interface
network.scgi.open_local = (cat,(cfg.rpcsock))
schedule = scgi_group,0,0,"execute.nothrow=chown,\":rtorrent\",(cfg.rpcsock)"
schedule = scgi_permission,0,0,"execute.nothrow=chmod,\"g+w,o=\",(cfg.rpcsock)"
# XML-RPC interface
network.scgi.open_local = (cat,(cfg.rpcsock))
schedule = scgi_group,0,0,"execute.nothrow=chown,\":rtorrent\",(cfg.rpcsock)"
schedule = scgi_permission,0,0,"execute.nothrow=chmod,\"g+w,o=\",(cfg.rpcsock)"
# Logging:
# Levels = critical error warn notice info debug
# Groups = connection_* dht_* peer_* rpc_* storage_* thread_* tracker_* torrent_*
print = (cat, "Logging to ", (cfg.logfile))
log.open_file = "log", (cfg.logfile)
log.add_output = "debug", "log"
'';
# Logging:
# Levels = critical error warn notice info debug
# Groups = connection_* dht_* peer_* rpc_* storage_* thread_* tracker_* torrent_*
print = (cat, "Logging to ", (cfg.logfile))
log.open_file = "log", (cfg.logfile)
log.add_output = "debug", "log"
'';
};
}


@ -1,5 +1,4 @@
{ config, pkgs, ... }:
{
_: {
system.stateVersion = "21.05";
networking.interfaces.eth0.useDHCP = true;


@ -2,7 +2,7 @@
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{ ... }:
{
imports = [ ];


@ -1,5 +1,4 @@
{ pkgs, lib, ... }:
{
{ pkgs, lib, ... }: {
system.stateVersion = "21.05";
networking.interfaces.eth0.useDHCP = true;


@ -1,7 +1,6 @@
{ config, ... }:
let vs = config.vault-secrets.secrets;
in
{
in {
networking.interfaces.eth0.useDHCP = true;
fileSystems."/mnt/storage" = {


@ -2,7 +2,7 @@
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{ pkgs, ... }:
{
imports = [ ];


@ -2,7 +2,7 @@
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ pkgs, lib, ... }:
{ pkgs, ... }:
let
fix-vscode = pkgs.writeScriptBin "fix-vscode" ''
#!${pkgs.stdenv.shell}


@ -1,12 +1,13 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.availableKernelModules =
[ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
@ -16,6 +17,7 @@
fsType = "ext4";
};
swapDevices = [{ device = "/dev/disk/by-uuid/63d90b92-cdde-4795-a3ab-9566ae88f43d"; }];
swapDevices =
[{ device = "/dev/disk/by-uuid/63d90b92-cdde-4795-a3ab-9566ae88f43d"; }];
}


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: {
_: {
programs.home-manager.enable = true;
home.username = "victor";
home.homeDirectory = "/home/victor";


@ -36,6 +36,10 @@
ip6 = "2001:41f0:9639:1:bfe7:3fd9:75de:cbee";
mac = "9E:60:78:ED:81:B4";
nix = false;
exposes.ha = {
domain = "ha.0x76.dev";
port = 8123;
};
};
"nginx" = {
ip = "10.42.42.9";
@ -46,10 +50,19 @@
"kubernetes" = {
ip = "10.42.42.10";
mac = "6E:A5:25:99:FE:68";
exposes = {
www.domain = "0x76.dev";
internal.domain = "internal.xirion.net";
blog.domain = "blog.xirion.net";
};
};
"dex" = {
ip = "10.42.42.11";
mac = "AE:66:7B:FA:15:72";
exposes.dex = {
domain = "dex.0x76.dev";
port = 5556;
};
};
"WoolooTV" = {
ip = "10.42.42.13";
@ -59,6 +72,10 @@
"outline" = {
ip = "10.42.42.14";
mac = "52:13:EB:FD:87:F0";
exposes.outline = {
domain = "outline.0x76.dev";
port = 3000;
};
};
"dns-1" = {
profile = "dns";
@ -75,6 +92,10 @@
"minio" = {
ip = "10.42.42.17";
mac = "0A:06:5E:E7:9A:0C";
exposes.minio = {
domain = "o.0x76.dev";
port = 9000;
};
};
"mailserver" = {
ip = "10.42.42.18";
@ -83,6 +104,12 @@
"victoriametrics" = {
ip = "10.42.42.19";
mac = "9E:91:61:35:84:1F";
exposes = {
grafana = {
domain = "grafana.0x76.dev";
port = 2342;
};
};
};
"unifi" = {
ip = "10.42.42.20";
@ -96,15 +123,27 @@
"gitea" = {
ip = "10.42.42.22";
mac = "DE:5F:B0:83:6F:34";
exposes.git = {
domain = "git.0x76.dev";
port = 3000;
};
};
"hedgedoc" = {
ip = "10.42.42.23";
mac = "86:BC:0C:18:BC:9B";
exposes.md = {
domain = "md.0x76.dev";
port = 3000;
};
};
"zmeura" = {
ip = "10.42.42.24";
mac = "b8:27:eb:d5:e0:f5";
nix = false;
exposes.andreea = {
domain = "andreea.redshifts.xyz";
port = 8008;
};
};
"wireguard" = {
ip = "10.42.42.25";
@ -115,6 +154,10 @@
ip = "10.42.42.27";
mac = "9E:8A:6C:39:27:DE";
nix = false;
exposes.books = {
domain = "books.meowy.tech";
port = 8001;
};
};
"synapse" = {
ip = "10.42.42.28";
@ -134,10 +177,15 @@
"ntfy" = {
ip = "10.42.42.32";
mac = "7A:17:9E:80:72:01";
exposes.ntfy.domain = "ntfy.0x76.dev";
};
"woodpecker" = {
ip = "10.42.42.33";
mac = "1E:24:DA:DB:4A:1A";
exposes.ci = {
domain = "ci.0x76.dev";
port = 8000;
};
};
"nuc" = {
ip = "10.42.42.42";


@ -7,6 +7,7 @@ let
vs = config.vault-secrets.secrets;
db_user = "dex";
db_name = "dex";
inherit (config.meta.exposes.dex) port;
in {
imports = [ ];
@ -18,7 +19,7 @@ in {
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
networking.firewall.allowedTCPPorts = [ 5556 ];
networking.firewall.allowedTCPPorts = [ port ];
services.postgresql = {
enable = true;
@ -47,7 +48,7 @@ in {
database = db_name;
};
};
web.http = "0.0.0.0:5556";
web.http = "0.0.0.0:${toString port}";
connectors = [{
type = "gitea";
@ -61,12 +62,26 @@ in {
};
}];
staticClients = [{
id = "outline";
name = "Outline";
redirectURIs = [ "https://outline.0x76.dev/auth/oidc.callback" ];
secretEnv = "OUTLINE_CLIENT_SECRET";
}];
staticClients = [
{
id = "outline";
name = "Outline";
redirectURIs = [ "https://outline.0x76.dev/auth/oidc.callback" ];
secretEnv = "OUTLINE_CLIENT_SECRET";
}
{
id = "grafana";
name = "Grafana";
redirectURIs = [ "https://grafana.0x76.dev/login/generic_oauth" ];
secretEnv = "GRAFANA_CLIENT_SECRET";
}
{
id = "hedgedoc";
name = "Hedgedoc";
redirectURIs = [ "https://md.0x76.dev/auth/oauth2/callback" ];
secretEnv = "HEDGEDOC_CLIENT_SECRET";
}
];
};
environmentFile = "${vs.dex}/environment";
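Review bot: The two new `staticClients` take their secrets from `GRAFANA_CLIENT_SECRET` and `HEDGEDOC_CLIENT_SECRET`, which must already exist in the `${vs.dex}/environment` file provisioned from Vault, and nothing in the hunk records that dependency. I would add a comment above `staticClients` such as `# every secretEnv below must be defined in the dex Vault environment before deploy`, since a missing variable would presumably leave that client with an empty or unusable secret. Separately, `web.http = "0.0.0.0:${toString port}"` keeps Dex on plain HTTP on all interfaces with the firewall port open, so authorization codes and client secrets travel unencrypted between the reverse proxy and this host; if that is intended, a comment saying TLS terminates at nginx would make it explicit. The settings block continues outside the hunks.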


@ -1,4 +1,4 @@
{ config, pkgs, flat_hosts, ... }:
{ config, flat_hosts, ... }:
let
inherit (builtins) filter hasAttr;
hostToKea = { hostname, mac, ip, ... }: {
@ -33,6 +33,12 @@ in {
networking.firewall.allowedUDPPorts = [ 67 ];
services.prometheus.exporters.kea = {
enable = true;
openFirewall = true;
controlSocketPaths = [ "/run/kea/kea-dhcp4.socket" ];
};
services.kea.dhcp4 = {
enable = true;
settings = {
@ -43,6 +49,11 @@ in {
interfaces-config.interfaces = [ "eth0" ];
control-socket = {
socket-type = "unix";
socket-name = "/run/kea/kea-dhcp4.socket";
};
lease-database = {
name = "/var/lib/kea/dhcp4.leases";
persist = true;
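Review bot: `openFirewall = true` on the new `services.prometheus.exporters.kea` block opens the exporter port to every peer that can reach this host, and nothing in the hunk limits it to the metrics scraper. If only the monitoring host needs it, the exporter module's `firewallFilter` option can narrow the rule, or a comment such as `# exporter reachable from the whole LAN by design` should record that the open port is intended. The added `control-socket` also accepts Kea management commands, so a comment stating which local users are expected to reach `/run/kea/kea-dhcp4.socket` would help whoever audits this host. The `services.kea.dhcp4` block continues outside the hunk.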


@ -1,5 +1,4 @@
{ pkgs, ... }:
{
{ pkgs, ... }: {
imports = [ ];
# This value determines the NixOS release from which the default


@ -5,8 +5,8 @@
{ lib, config, pkgs, ... }:
let
vs = config.vault-secrets.secrets;
in
{
inherit (config.meta.exposes.git) port;
in {
imports = [ ];
# This value determines the NixOS release from which the default
@ -22,7 +22,7 @@ in
environment.noXlibs = lib.mkForce false;
networking.firewall.allowedTCPPorts = [ config.services.gitea.settings.server.HTTP_PORT ];
networking.firewall.allowedTCPPorts = [ port ];
services.openssh.startWhenNeeded = false;
@ -37,10 +37,8 @@ in
};
system.activationScripts.gitea-theme =
let
target_dir = "${config.services.gitea.stateDir}/custom/public/css/";
in
lib.stringAfter [ "var" ] ''
let target_dir = "${config.services.gitea.stateDir}/custom/public/css/";
in lib.stringAfter [ "var" ] ''
mkdir -p ${target_dir}
ln -sf ${pkgs.v.gitea-agatheme} "${target_dir}/theme-agatheme.css"
'';
@ -54,9 +52,7 @@ in
mailerPasswordFile = "${vs.gitea}/mailPassword";
settings = {
actions = {
"ENABLED" = true;
};
actions = { "ENABLED" = true; };
repository = {
"ENABLE_PUSH_CREATE_USER" = true;
"DEFAULT_PUSH_CREATE_PRIVATE" = false;
@ -82,6 +78,7 @@ in
SSH_PORT = 42;
DOMAIN = "git.0x76.dev";
ROOT_URL = "https://git.0x76.dev";
HTTP_PORT = port;
};
session = {
"PROVIDER" = "db";


@ -6,6 +6,7 @@
let
db_name = "hedgedoc";
db_user = "hedgedoc";
inherit (config.meta.exposes.md) port;
vs = config.vault-secrets.secrets;
in {
imports = [ ];
@ -20,8 +21,7 @@ in {
environment.noXlibs = lib.mkForce false;
networking.firewall.allowedTCPPorts =
[ config.services.hedgedoc.settings.port ];
networking.firewall.allowedTCPPorts = [ port ];
vault-secrets.secrets.hedgedoc = { };
@ -40,7 +40,7 @@ in {
environmentFile = "${vs.hedgedoc}/environment";
settings = {
host = "0.0.0.0";
port = 3000;
inherit port;
sessionSecret = "$SESSION_SECRET";
domain = "md.0x76.dev";
protocolUseSSL = true;
@ -66,7 +66,20 @@ in {
accessKey = "$MINIO_ACCESS_KEY";
secretKey = "$MINIO_SECRET_KEY";
};
email = true;
email = false;
oauth2 = let url = "https://dex.0x76.dev";
in {
providerName = "Dex";
clientID = "hedgedoc";
clientSecret = "$DEX_CLIENT_SECRET";
scope = "openid email profile";
authorizationURL = "${url}/auth";
tokenURL = "${url}/token";
userProfileURL = "${url}/userinfo";
userProfileUsernameAttr = "preferred_username";
userProfileDisplayNameAttr = "name";
userProfileEmailAttr = "email";
};
};
};
}
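Review bot: Setting `email = false` in the same change that adds the `oauth2` block removes the local login path with no documented migration, so users who registered by e-mail can presumably no longer sign in unless their account maps onto the Dex identity. I would add a comment above the line, e.g. `# local e-mail login disabled: all sign-ins go through Dex`, and confirm how existing accounts and their notes are handled. `userProfileUsernameAttr = "preferred_username"` also assumes the Dex connector in use emits that claim, which is worth checking against a real userinfo response.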


@ -1,4 +1,4 @@
{ config, pkgs, hosts, ... }: {
{ pkgs, ... }: {
# packages for administration tasks
environment.systemPackages = with pkgs; [ kompose kubectl k9s k3s ];


@ -3,8 +3,8 @@
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
let vs = config.vault-secrets.secrets; in
{
let vs = config.vault-secrets.secrets;
in {
imports = [ ];
# This value determines the NixOS release from which the default
@ -22,9 +22,7 @@ let vs = config.vault-secrets.secrets; in
10.42.42.6 vault.olympus
'';
vault-secrets.secrets.mailserver = {
services = [ "dovecot2" "postfix" ];
};
vault-secrets.secrets.mailserver = { services = [ "dovecot2" "postfix" ]; };
mailserver = {
enable = true;
@ -36,7 +34,8 @@ let vs = config.vault-secrets.secrets; in
# People
"v@0x76.dev" = {
hashedPasswordFile = "${vs.mailserver}/v@0x76.dev";
aliases = [ "v@meowy.tech" "postmaster@0x76.dev" "postmaster@meowy.tech" ];
aliases =
[ "v@meowy.tech" "postmaster@0x76.dev" "postmaster@meowy.tech" ];
};
"laura@meowy.tech" = {
hashedPasswordFile = "${vs.mailserver}/laura@meowy.tech";
@ -79,7 +78,8 @@ let vs = config.vault-secrets.secrets; in
services.roundcube = {
enable = true;
package = pkgs.roundcube.withPlugins (plugins: [ plugins.persistent_login ]);
package =
pkgs.roundcube.withPlugins (plugins: [ plugins.persistent_login ]);
plugins = [
"archive"
# "enigma"
@ -98,9 +98,7 @@ let vs = config.vault-secrets.secrets; in
'';
};
services.nginx = {
enable = true;
};
services.nginx = { enable = true; };
security.acme.acceptTerms = true;
security.acme.defaults.email = "v@0x76.dev";


@ -2,8 +2,7 @@
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ lib, config, pkgs, inputs, ... }:
{
{ lib, pkgs, ... }: {
imports = [ ];
# This value determines the NixOS release from which the default


@ -2,11 +2,11 @@
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{ config, pkgs, ... }:
let
vs = config.vault-secrets.secrets;
listenPort = 9000;
consolePort = 9001;
listenPort = config.meta.exposes.minio.port;
consolePort = listenPort + 1;
in {
imports = [ ];
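Review bot: `consolePort = listenPort + 1;` ties the MinIO console port to whatever `config.meta.exposes.minio.port` is set to, so changing the published API port in the hosts file also moves the administrative console to a port nobody chose explicitly. I would either keep `consolePort = 9001;` fixed or add `# console sits on the port after the S3 API; it is not part of exposes` so the coupling is visible. How the two ports feed the firewall and service options lies outside this hunk.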


@ -4,8 +4,7 @@
{ config, pkgs, ... }:
let mosquittoPort = 1883;
in
{
in {
imports = [ ];
# This value determines the NixOS release from which the default


@ -1,14 +1,5 @@
{ config, pkgs, nodes, ... }:
{ pkgs, ... }:
let
proxy = url: {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = url;
proxyWebsockets = true;
};
};
k8s_proxy = proxy "http://kubernetes.olympus:80/";
clientConfig = {
"m.homeserver" = {
base_url = "https://chat.meowy.tech";
@ -33,6 +24,9 @@ in {
networking.firewall.allowedTCPPorts = [ 80 443 ];
# Generates vhosts for all hosts that have an `exposes` section
services.v.nginx.generateVirtualHosts = true;
services.nginx = {
enable = true;
statusPage = true;
@ -44,106 +38,89 @@ in {
package = pkgs.nginxMainline;
# 0x76.dev
virtualHosts."ha.0x76.dev" = proxy "http://home-assistant.olympus:8123/";
virtualHosts."md.0x76.dev" = proxy "http://hedgedoc.olympus:3000/";
virtualHosts."git.0x76.dev" = proxy "http://gitea.olympus:3000";
virtualHosts."o.0x76.dev" = proxy "http://minio.olympus:9000";
virtualHosts."grafana.0x76.dev" =
proxy "http://victoriametrics.olympus:2342";
virtualHosts."outline.0x76.dev" = proxy "http://outline.olympus:3000";
virtualHosts."ntfy.0x76.dev" = proxy "http://ntfy.olympus:80";
virtualHosts."ci.0x76.dev" = proxy "http://woodpecker.olympus:8000";
virtualHosts."dex.0x76.dev" = proxy "http://dex.olympus:5556";
virtualHosts."pass.0x76.dev" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://vaultwarden.olympus:8222";
proxyWebsockets = true;
# Templated
virtualHosts = {
"pass.0x76.dev" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://vaultwarden.olympus:8222";
proxyWebsockets = true;
};
locations."/notifications/hub/negotiate" = {
proxyPass = "http://vaultwarden.olympus:8222";
proxyWebsockets = true;
};
locations."/notifications/hub" = {
proxyPass = "http://vaultwarden.olympus:3012";
proxyWebsockets = true;
};
};
locations."/notifications/hub/negotiate" = {
proxyPass = "http://vaultwarden.olympus:8222";
proxyWebsockets = true;
};
locations."/notifications/hub" = {
proxyPass = "http://vaultwarden.olympus:3012";
proxyWebsockets = true;
};
};
# Redshifts
virtualHosts."andreea.redshifts.xyz" = proxy "http://zmeura.olympus:8008";
# Meow
virtualHosts."meowy.tech" = {
enableACME = true;
forceSSL = true;
locations."/".extraConfig = ''
add_header Content-Type 'text/html; charset=UTF-8';
return 200 '<h1>meow</h1>';
'';
locations."= /.well-known/matrix/client".extraConfig =
mkWellKnown clientConfig;
locations."= /.well-known/matrix/server".extraConfig =
mkWellKnown serverConfig;
};
virtualHosts."chat.meowy.tech" = {
enableACME = true;
forceSSL = true;
locations."/".extraConfig = ''
return 307 https://element.chat.meowy.tech;
'';
locations."/_matrix".proxyPass = "http://synapse.olympus:8008";
locations."/_synapse/client".proxyPass = "http://synapse.olympus:8008";
locations."/_synapse/admin" = {
# Allow only local and my own IPs
extraConfig = ''
allow 127.0.0.1;
allow 10.42.42.0/23;
allow 192.168.0.0/23;
allow 80.60.83.220;
allow 195.85.167.32/29;
deny all;
# Meow
"meowy.tech" = {
enableACME = true;
forceSSL = true;
locations."/".extraConfig = ''
add_header Content-Type 'text/html; charset=UTF-8';
return 200 '<h1>meow</h1>';
'';
proxyPass = "http://synapse.olympus:8008";
locations."= /.well-known/matrix/client".extraConfig =
mkWellKnown clientConfig;
locations."= /.well-known/matrix/server".extraConfig =
mkWellKnown serverConfig;
};
};
virtualHosts."element.chat.meowy.tech" = {
enableACME = true;
forceSSL = true;
root = pkgs.element-web.override {
conf = {
default_server_config = clientConfig;
show_labs_settings = true;
brand = "chat.meowy.tech";
"chat.meowy.tech" = {
enableACME = true;
forceSSL = true;
locations."/".extraConfig = ''
return 307 https://element.chat.meowy.tech;
'';
locations."/_matrix".proxyPass = "http://synapse.olympus:8008";
locations."/_synapse/client".proxyPass = "http://synapse.olympus:8008";
locations."/_synapse/admin" = {
# Allow only local and my own IPs
extraConfig = ''
allow 127.0.0.1;
allow 10.42.42.0/23;
allow 192.168.0.0/23;
allow 80.60.83.220;
allow 195.85.167.32/29;
deny all;
'';
proxyPass = "http://synapse.olympus:8008";
};
};
};
virtualHosts."cinny.chat.meowy.tech" = {
enableACME = true;
forceSSL = true;
"element.chat.meowy.tech" = {
enableACME = true;
forceSSL = true;
root = pkgs.cinny.override {
conf = {
defaultHomeserver = 0;
allowCustomHomeservers = false;
homeserverList = [ "chat.meowy.tech" ];
root = pkgs.element-web.override {
conf = {
default_server_config = clientConfig;
show_labs_settings = true;
brand = "chat.meowy.tech";
};
};
};
};
virtualHosts."admin.chat.meowy.tech" = {
enableACME = true;
forceSSL = true;
root = pkgs.synapse-admin;
};
virtualHosts."books.meowy.tech" = proxy "http://bookwyrm.olympus:8001";
"cinny.chat.meowy.tech" = {
enableACME = true;
forceSSL = true;
# Kubernetes endpoints
virtualHosts."0x76.dev" = k8s_proxy;
virtualHosts."internal.xirion.net" = k8s_proxy;
virtualHosts."blog.xirion.net" = k8s_proxy;
root = pkgs.cinny.override {
conf = {
defaultHomeserver = 0;
allowCustomHomeservers = false;
homeserverList = [ "chat.meowy.tech" ];
};
};
};
"admin.chat.meowy.tech" = {
enableACME = true;
forceSSL = true;
root = pkgs.synapse-admin;
};
};
};
security.acme.defaults.email = "victorheld12@gmail.com";
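Review bot: With `services.v.nginx.generateVirtualHosts = true` replacing the explicit `proxy` entries, which services are reachable through this reverse proxy is now decided by `exposes` attributes in another file and by a generator module that is not shown on this page. The removed helper set `enableACME`, `forceSSL` and `proxyWebsockets` on every proxied host, and nothing in this section shows that the generated vhosts keep all three, so that should be confirmed. I would expand the new comment to `# Generates a TLS-only proxy vhost for every host with an exposes section; adding one there publishes the service`. The `# Templated` comment now sits above the hand-written `virtualHosts` set and appears to describe the generated hosts instead, so it could be reworded or moved.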


@ -2,7 +2,7 @@
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{ pkgs, ... }:
{
imports = [ ];
@ -20,7 +20,8 @@
networking.firewall.allowedTCPPorts = [ 80 ];
services.ntfy-sh = let datadir = "/var/lib/ntfy"; in {
services.ntfy-sh = let datadir = "/var/lib/ntfy";
in {
enable = true;
settings = {
base-url = "https://ntfy.0x76.dev";


@ -2,9 +2,11 @@
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
let vs = config.vault-secrets.secrets; in
{
{ config, ... }:
let
vs = config.vault-secrets.secrets;
inherit (config.meta.exposes.outline) port;
in {
imports = [ ];
# This value determines the NixOS release from which the default
@ -16,18 +18,17 @@ let vs = config.vault-secrets.secrets; in
system.stateVersion = "22.11"; # Did you read the comment?
# Additional packages
networking.firewall.allowedTCPPorts = [
config.services.outline.port
];
networking.firewall.allowedTCPPorts = [ port ];
vault-secrets.secrets.outline = {
inherit (config.services.outline) user group;
};
services.outline = {
inherit port;
enable = true;
concurrency = 1;
port = 3000;
redisUrl = "local";
databaseUrl = "local";
publicUrl = "https://outline.0x76.dev";
@ -40,7 +41,7 @@ let vs = config.vault-secrets.secrets; in
uploadBucketName = "outline";
region = "us-east-1"; # fake
};
oidcAuthentication = {
oidcAuthentication = {
displayName = "Dex";
userinfoUrl = "https://dex.0x76.dev/userinfo";
tokenUrl = "https://dex.0x76.dev/token";


@ -7,8 +7,7 @@ let
vs = config.vault-secrets.secrets;
port = 8008;
metricsPort = 9000;
in
{
in {
imports = [ ];
# This value determines the NixOS release from which the default
@ -53,66 +52,60 @@ in
"${vs.synapse}/email_password" # Also contains the rest of the email config
];
settings =
let log_file = pkgs.writeText "log.yml" ''
version: 1
settings = let
log_file = pkgs.writeText "log.yml" ''
version: 1
formatters:
structured:
class: synapse.logging.TerseJsonFormatter
formatters:
structured:
class: synapse.logging.TerseJsonFormatter
handlers:
file:
class: logging.handlers.TimedRotatingFileHandler
formatter: structured
filename: /var/lib/matrix-synapse/synapse.log
when: midnight
backupCount: 3 # Does not include the current log file.
encoding: utf8
handlers:
file:
class: logging.handlers.TimedRotatingFileHandler
formatter: structured
filename: /var/lib/matrix-synapse/synapse.log
when: midnight
backupCount: 3 # Does not include the current log file.
encoding: utf8
loggers:
synapse:
level: INFO
handlers: [file]
''; in
{
server_name = "meowy.tech";
enable_registration = true;
public_baseurl = "https://chat.meowy.tech";
enable_metrics = true;
max_upload_size = "100M";
registration_requires_token = true;
media_retention = {
remote_media_lifetime = "90d";
};
log_config = "${log_file}";
listeners = [
{
inherit port;
bind_addresses = [ "0.0.0.0" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{
names = [ "client" "federation" ];
compress = true;
}
];
}
{
port = metricsPort;
bind_addresses = [ "0.0.0.0" ];
type = "metrics";
tls = false;
resources = [
{
names = [ "metrics" ];
compress = false;
}
];
}
];
};
loggers:
synapse:
level: INFO
handlers: [file]
'';
in {
server_name = "meowy.tech";
enable_registration = true;
public_baseurl = "https://chat.meowy.tech";
enable_metrics = true;
max_upload_size = "100M";
registration_requires_token = true;
media_retention = { remote_media_lifetime = "90d"; };
log_config = "${log_file}";
listeners = [
{
inherit port;
bind_addresses = [ "0.0.0.0" ];
type = "http";
tls = false;
x_forwarded = true;
resources = [{
names = [ "client" "federation" ];
compress = true;
}];
}
{
port = metricsPort;
bind_addresses = [ "0.0.0.0" ];
type = "metrics";
tls = false;
resources = [{
names = [ "metrics" ];
compress = false;
}];
}
];
};
};
}


@ -2,7 +2,7 @@
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, ... }:
{ pkgs, lib, ... }:
{
imports = [ ];
@ -22,7 +22,7 @@
services.unifi = {
enable = true;
unifiPackage = pkgs.unifi;
mongodbPackage = pkgs.mongodb-4_2;
mongodbPackage = pkgs.mongodb-4_2;
openFirewall = true;
};
}


@ -2,7 +2,7 @@
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, hosts, ... }: {
_: {
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave


@ -2,12 +2,13 @@
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{ config, ... }:
let
vmPort = 8428;
grafanaDomain = config.meta.exposes.grafana.domain;
grafanaPort = config.meta.exposes.grafana.port;
vs = config.vault-secrets.secrets;
in
{
in {
imports = [ ];
# This value determines the NixOS release from which the default
@ -17,11 +18,7 @@ in
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "21.11"; # Did you read the comment?
# Additional packages
environment.systemPackages = with pkgs; [ ];
networking.firewall.allowedTCPPorts = [ vmPort config.services.grafana.settings.server.http_port ];
networking.firewall.allowedTCPPorts = [ vmPort grafanaPort ];
networking.firewall.allowedUDPPorts = [ vmPort ];
services.victoriametrics = {
@ -40,14 +37,19 @@ in
scrape_timeout = "30s";
};
scrape_configs = [
{
job_name = "kea";
static_configs = [{
targets = [ "dhcp.olympus:9547" ];
labels.app = "dhcp";
}];
}
{
job_name = "nginx";
static_configs = [
{
targets = [ "nginx.olympus:9113" ];
labels.app = "nginx";
}
];
static_configs = [{
targets = [ "nginx.olympus:9113" ];
labels.app = "nginx";
}];
}
{
job_name = "synapse";
@ -77,12 +79,28 @@ in
enable = true;
settings = {
server = {
domain = "grafana.0x76.dev";
root_url = "https://grafana.0x76.dev";
domain = grafanaDomain;
root_url = "https://${grafanaDomain}";
http_addr = "0.0.0.0";
http_port = 2342;
http_port = grafanaPort;
};
security.admin_password = "$__file{${vs.grafana}/password}";
"auth.generic_oauth" = {
name = "Dex";
icon = "signin";
enabled = true;
allow_sign_up = true;
client_id = "grafana";
client_secret = "$__file{${vs.grafana}/dex_client_secret}";
scopes = toString [ "openid" "profile" "email" "groups" ];
auth_url = "https://dex.0x76.dev/auth";
token_url = "https://dex.0x76.dev/token";
api_url = "https://dex.0x76.dev/userinfo";
skip_org_role_sync = true;
auto_login = true;
};
};
};
}
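Review bot: The new `"auth.generic_oauth"` block sets `allow_sign_up = true;` with no group or domain restriction, so every identity that Dex is willing to authenticate gets a Grafana account created on first login. The `groups` scope is requested but nothing in the block consumes it, and with `skip_org_role_sync = true;` roles are not derived from the token, so new users receive whatever role Grafana auto-assigns by default. Which users Dex admits is not visible in this section; if that set is wider than the intended Grafana audience, add `groups_attribute_path = "groups";` and `allowed_groups = "<grafana-group-placeholder>";`, or set `allow_sign_up = false;` and provision accounts explicitly. The enclosing `services.grafana` attribute set starts above the hunk.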


@ -2,7 +2,7 @@
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ lib, config, pkgs, inputs, ... }:
{ lib, config, pkgs, ... }:
let vs = config.vault-secrets.secrets;
in {
imports = [ ];


@ -3,7 +3,9 @@
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
let vs = config.vault-secrets.secrets;
let
inherit (config.meta.exposes.ci) port;
vs = config.vault-secrets.secrets;
in {
imports = [ ];
@ -18,7 +20,7 @@ in {
# Additional packages
environment.systemPackages = with pkgs; [ ];
networking.firewall.allowedTCPPorts = [ 8000 9000 ];
networking.firewall.allowedTCPPorts = [ port 9000 ];
vault-secrets.secrets.woodpecker = {
services = [ "woodpecker-server" "woodpecker-agent-docker" ];
@ -46,7 +48,7 @@ in {
WOODPECKER_GITEA_URL = "https://git.0x76.dev";
WOODPECKER_ADMIN = "v";
WOODPECKER_AUTHENTICATE_PUBLIC_REPOS = "true";
WOODPECKER_SERVER_ADDR = "10.42.42.33:8000";
WOODPECKER_SERVER_ADDR = "10.42.42.33:${toString port}";
};
environmentFile = "${vs.woodpecker}/environment";
};
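Review bot: `networking.firewall.allowedTCPPorts = [ port 9000 ];` still opens 9000 on every interface as a bare literal, while the HTTP port now comes from `config.meta.exposes.ci`. The `vault-secrets.secrets.woodpecker` entry lists both `woodpecker-server` and `woodpecker-agent-docker`, which suggests the agent runs on this same host; if 9000 is the server's agent listener and no remote agents connect, it can be dropped, `networking.firewall.allowedTCPPorts = [ port ];`. If remote agents are expected, bind it to a name in the `let` block (for example `agentPort = 9000;`) with a comment saying who connects to it. `WOODPECKER_SERVER_ADDR` likewise keeps the literal `10.42.42.33`; the rest of the server settings lie outside the hunk.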


@ -2,9 +2,8 @@
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ pkgs, inputs, ... }: {
{ inputs, ... }: {
imports = [
../../../common/desktop
./hardware-configuration.nix
inputs.nixos-hardware.nixosModules.lenovo-thinkpad-z
./hardware.nix
@ -26,6 +25,8 @@
# Enable Ozone rendering for Chromium and Electron apps.
environment.sessionVariables.NIXOS_OZONE_WL = "1";
# environment.sessionVariables.INFRA_INFO = self; # hosts.${config.networking.domain}.${config.networking.hostName};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave


@ -1,32 +1,30 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ config, lib, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" "sdhci_pci" ];
boot.initrd.availableKernelModules =
[ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/c184866a-9a53-4a9f-9a1f-493792af7ea9";
fsType = "btrfs";
options = [ "subvol=@" ];
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/c184866a-9a53-4a9f-9a1f-493792af7ea9";
fsType = "btrfs";
options = [ "subvol=@" ];
};
fileSystems."/boot/efi" =
{ device = "/dev/disk/by-uuid/5BB8-7503";
fsType = "vfat";
};
fileSystems."/boot/efi" = {
device = "/dev/disk/by-uuid/5BB8-7503";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/bedb5b75-578e-441f-a9eb-2ecff1f4cfca"; }
];
[{ device = "/dev/disk/by-uuid/bedb5b75-578e-441f-a9eb-2ecff1f4cfca"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
@ -36,6 +34,7 @@
# networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
hardware.cpu.amd.updateMicrocode =
lib.mkDefault config.hardware.enableRedistributableFirmware;
# high-resolution display
}


@ -5,7 +5,7 @@
services.hardware.bolt.enable = true;
hardware.trackpoint.enable = true;
# hardware.trackpoint.enable = true;
# FS
fileSystems."/".options = [ "compress=zstd" ];


@ -1,5 +1,7 @@
{
# "null" = { type = "local"; };
"aoife" = { type = "local"; };
"aoife" = {
type = "local";
mac = "04:7b:cb:b6:2d:88";
};
"eevee" = { type = "local"; };
}


@ -2,18 +2,14 @@
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, inputs, ... }: {
imports = [
../../../common/desktop
./hardware-configuration.nix
./hardware.nix
];
{ pkgs, inputs, ... }: {
imports = [ ./hardware-configuration.nix ./hardware.nix ];
# Bootloader.
boot = {
kernelPackages = pkgs.linuxPackages_latest;
initrd = {
kernelModules = [ "nvidia" "nvidia_modeset" "nvidia_uvm" "nvidia_drm" ];
kernelModules = [ "nvidia" "nvidia_modeset" "nvidia_uvm" "nvidia_drm" ];
};
};


@ -1,32 +1,30 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ config, lib, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.availableKernelModules =
[ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/947a98af-9a4e-4811-a2ca-9aa00b319e9c";
fsType = "btrfs";
options = [ "subvol=@" ];
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/947a98af-9a4e-4811-a2ca-9aa00b319e9c";
fsType = "btrfs";
options = [ "subvol=@" ];
};
fileSystems."/boot/efi" =
{ device = "/dev/disk/by-uuid/D883-F146";
fsType = "vfat";
};
fileSystems."/boot/efi" = {
device = "/dev/disk/by-uuid/D883-F146";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/a99402e1-6f2a-4c4b-b69f-aae2fd13ffc0"; }
];
[{ device = "/dev/disk/by-uuid/a99402e1-6f2a-4c4b-b69f-aae2fd13ffc0"; }];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
@ -37,5 +35,6 @@
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
hardware.cpu.intel.updateMicrocode =
lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -1,10 +1,4 @@
{ lib, config, pkgs, inputs, ... }:
let
tex = pkgs.texlive.combine {
inherit (pkgs.texlive) scheme-full;
dnd-5e-latex-template = { pkgs = [ pkgs.v.dnd-5e-latex-template ]; };
};
in {
_: {
programs.home-manager.enable = true;
home.username = "victor";


@ -1,4 +1,4 @@
{ lib, pkgs, config, ... }:
{ pkgs, config, ... }:
let
theme = "Catppuccin-Pink-Dark";
cursorTheme = config.home.pointerCursor.name;


@ -2,7 +2,7 @@
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, lib, inputs, ... }:
{ pkgs, inputs, ... }:
let
nvidia-offload = pkgs.writeShellScriptBin "nvidia-offload" ''
export __NV_PRIME_RENDER_OFFLOAD=1


@ -1,40 +1,39 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ config, lib, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "rtsx_pci_sdmmc" ];
boot.initrd.availableKernelModules =
[ "xhci_pci" "ahci" "nvme" "rtsx_pci_sdmmc" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/d4f56e5b-2509-4e63-8324-65a35c71e90c";
fsType = "btrfs";
options = [ "subvol=@" ];
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/d4f56e5b-2509-4e63-8324-65a35c71e90c";
fsType = "btrfs";
options = [ "subvol=@" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/d4f56e5b-2509-4e63-8324-65a35c71e90c";
fsType = "btrfs";
options = [ "subvol=@/nix" ];
};
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/d4f56e5b-2509-4e63-8324-65a35c71e90c";
fsType = "btrfs";
options = [ "subvol=@/nix" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/d4f56e5b-2509-4e63-8324-65a35c71e90c";
fsType = "btrfs";
options = [ "subvol=@home" ];
};
fileSystems."/home" = {
device = "/dev/disk/by-uuid/d4f56e5b-2509-4e63-8324-65a35c71e90c";
fsType = "btrfs";
options = [ "subvol=@home" ];
};
fileSystems."/boot/efi" =
{ device = "/dev/disk/by-uuid/D478-6F66";
fsType = "vfat";
};
fileSystems."/boot/efi" = {
device = "/dev/disk/by-uuid/D478-6F66";
fsType = "vfat";
};
swapDevices = [ ];
@ -48,5 +47,6 @@
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
hardware.cpu.intel.updateMicrocode =
lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -1,4 +1,4 @@
{ config, pkgs, lib, inputs, texlive, ... }:
{ config, pkgs, inputs, texlive, ... }:
let
tex = pkgs.texlive.combine {
inherit (pkgs.texlive) scheme-full;


@ -1,4 +1,4 @@
{ pkgs, inputs, config, ... }: {
{ pkgs, config, ... }: {
home.file.".config/hypr/hyprpaper.conf".text = ''
ipc = off
preload = ~/cloud/Pictures/Wallpapers-Laptop/wallpaper-nix-pink.png


@ -1,4 +1,4 @@
{ inputs, pkgs, lib, ... }: {
{ inputs, pkgs, ... }: {
imports = [ inputs.nixvim.homeManagerModules.nixvim ];
programs.nixvim = {
enable = true;
@ -10,10 +10,10 @@
plugins = {
nix.enable = true;
treesitter = {
treesitter = {
enable = true;
nixGrammars = false;
ensureInstalled = [];
ensureInstalled = [ ];
};
surround.enable = true;
fugitive.enable = true;


@ -32,7 +32,7 @@ let
mantle = "292c3c";
crust = "232634";
hex = mapAttrs (name: value: "#${value}") colour;
hex = mapAttrs (_name: value: "#${value}") colour;
};
in {
home.file.".xsettingsd".text = ''


@ -1,5 +1,4 @@
_:
{
_: {
services.v.dns = {
enable = true;
openFirewall = false;
@ -30,21 +29,11 @@ _:
ca_cert="/etc/ssl/certs/ca-bundle.crt"
'';
};
"Pikachu 5G" = {
psk = "@PIKACHU_PASSWORD@";
};
"sha256('yeet')" = {
psk = "@SHA256_PASSWORD@";
};
"wired" = {
psk = "@WIRED_PASSWORD@";
};
"meowy hotspot" = {
psk = "@HOTSPOT_PASSWORD@";
};
"WiFi Roest" = {
psk = "@WIFI_ROEST_PASSWORD@";
};
"Pikachu 5G" = { psk = "@PIKACHU_PASSWORD@"; };
"sha256('yeet')" = { psk = "@SHA256_PASSWORD@"; };
"wired" = { psk = "@WIRED_PASSWORD@"; };
"meowy hotspot" = { psk = "@HOTSPOT_PASSWORD@"; };
"WiFi Roest" = { psk = "@WIFI_ROEST_PASSWORD@"; };
};
};


@ -11,9 +11,7 @@ let
module = {
system.stateVersion = "22.11";
boot.supportedFilesystems = [ "btrfs" "ext4" ];
environment.systemPackages = with pkgs; [
git
];
environment.systemPackages = with pkgs; [ git ];
};
in {
boot.loader.systemd-boot = {
@ -22,7 +20,9 @@ in {
title Rescue Boot
linux /rescue-kernel
initrd /rescue-initrd
options init=${netboot.config.system.build.toplevel}/init ${toString netboot.config.boot.kernelParams}
options init=${netboot.config.system.build.toplevel}/init ${
toString netboot.config.boot.kernelParams
}
'';
};