Bladesy/nixos-config
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Bladesy:2803965bb1272dc9509d938bc2d267bfda21b57a
Branches Tags
Bladesy:master
Bladesy:feature/divide-modules
..
compare: Bladesy:e6e509d3066e8f8cc5a64db753557b1f2095fc7e
Branches Tags
Bladesy:feature/divide-modules
Bladesy:master

No commits in common. "2803965bb1272dc9509d938bc2d267bfda21b57a" and "e6e509d3066e8f8cc5a64db753557b1f2095fc7e" have entirely different histories.
2803965bb1 ... e6e509d306

7 changed files with 4 additions and 179 deletions
Show Stats Expand all files Collapse all files

7
.sops.yaml
View File

@ -1,7 +0,0 @@
keys:
- &sv1 age1zr5m64rzl8r5pk5cnwcfycc8ze09lx4xqa6s0cpkf24gwwxxpy2sltfsug
creation_rules:
- path_regex: library/secrets/.*.yaml
key_groups:
- age:
- *sv1

1
library/default.nix
View File

@ -3,5 +3,4 @@
nixosSystems = lib.callFragment ./nixosSystems.nix {}; nixosSystems = lib.callFragment ./nixosSystems.nix {};
sshKeys = lib.callFragment ./sshKeys.nix {}; sshKeys = lib.callFragment ./sshKeys.nix {};
secrets = lib.callFragment ./secrets {};
} }

3
library/secrets/default.nix
View File

@ -1,3 +0,0 @@
{
sb1 = ./sb1.yaml;
}

22
library/secrets/sb1.yaml
View File

@ -1,22 +0,0 @@
sb1-username: ENC[AES256_GCM,data:c5Myt2AdnA==,iv:q36larVwGrBiCHBaUu54QdJggeL22QzOwkfiJfQjsVE=,tag:qsVj/akHjHZwjvnvaJRBEw==,type:str]
sb1-password: ENC[AES256_GCM,data:766xhD3hcwFM9pyu53uYMg==,iv:HYtfnUvl46N/z5UUTIz337rq/kAHJcvgAcMbVnluik0=,tag:1oSSB1UqQIWmh7PJGO+YfQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1zr5m64rzl8r5pk5cnwcfycc8ze09lx4xqa6s0cpkf24gwwxxpy2sltfsug
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdlpSYXhOdndtS0Y0QTRz
N2pxczhIQVBWSnV1dnY3WDVVRlErYnh4OWdnClRUSjVXeWMrTmxWVEVGT0V6YUMr
V2ovSVhpcmRIN3ljWUx0cmJnSnBzMzAKLS0tIHBNalN3emcrbjZZcytoVFgyQTh2
elREcXRxeGdVTW1TZGtKelVURkdlWW8KSWpXIAL0Vb1a3un8WIcjMNbIbR41VcK2
604AZYjooB6OzX2sOkGOOAIvB17S2nesL/nQUobWkM8bQSuH/TgR5g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-01-01T22:35:24Z"
mac: ENC[AES256_GCM,data:PH0lfE79d1ZuE0YyMZuWhpZNu1OHh+9JMNbr66RJoRRPpLa134Y6mQE+PzZXOZ0PR2mT+VOrkNhNRhzEhr79oScM0d3ahBfKVY8VcNpvP34Llb9PQWPAZpQ5moa9o6g850bLrXl3XolLPEMpZg4BVa5EzFjo9BXNbuSY/zoW2x0=,iv:my+mb+qbjDs3iHdmaEptylgHbNu7a6zwHx2NEhlwi1Q=,tag:YfEYhl4QOulNbKALLB8ylg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

143
modules/sv1.nix
View File

@ -1,13 +1,11 @@
{ {
lib, lib,
config,
pkgs, pkgs,
... ...
}: { }: {
imports = with lib.nixosModules; [ imports = with lib.nixosModules; [
disko disko
impermanence impermanence
sops
]; ];
disko.devices.disk.NixOS = { disko.devices.disk.NixOS = {
@ -100,34 +98,6 @@
fileSystems = { fileSystems = {
"/persist".neededForBoot = true; "/persist".neededForBoot = true;
"/var/log".neededForBoot = true; "/var/log".neededForBoot = true;
"/mnt/sb1" = {
device = "//u424050.your-storagebox.de/backup";
fsType = "cifs";
options = [
"x-systemd.automount"
"noauto"
"x-systemd.idle-timeout=60"
"x-systemd.device-timeout=5s"
"x-systemd.mount-timeout=5s"
"credentials=${config.sops.templates.sb1-credentials.path}"
];
};
};
sops = {
gnupg.sshKeyPaths = [];
age = {
sshKeyPaths = [];
keyFile = "/persist/sops.age";
};
secrets = {
sb1-username.sopsFile = lib.secrets.sb1;
sb1-password.sopsFile = lib.secrets.sb1;
};
templates.sb1-credentials.content = ''
username=${config.sops.placeholder.sb1-username}
password=${config.sops.placeholder.sb1-password}
'';
}; };
boot = { boot = {
@ -182,19 +152,6 @@
networking = { networking = {
hostName = "sv1"; hostName = "sv1";
networkmanager.enable = true; networkmanager.enable = true;
firewall.allowedTCPPorts = [
80
443
];
};
security.acme = {
acceptTerms = true;
defaults.email = "acme.evict519@simplelogin.com";
certs."dylanblades.com".extraDomainNames = [
"gitea.dylanblades.com"
"jellyfin.dylanblades.com"
];
}; };
time.timeZone = "Europe/London"; time.timeZone = "Europe/London";
@ -222,114 +179,18 @@
}; };
}; };
services = { services.openssh = {
openssh = {
enable = true; enable = true;
settings.PermitRootLogin = "without-password"; settings.PermitRootLogin = "without-password";
}; };
gitea = {
enable = true;
useWizard = true;
appName = "Gitea";
settings = {
service.DISABLE_REGISTRATION = true;
server = {
DOMAIN = "gitea.dylanblades.com";
ROOT_URL = "https://gitea.dylanblades.com/";
};
ui.DEFAULT_THEME = "gitea-dark";
};
};
jellyfin.enable = true;
nginx = {
enable = true;
virtualHosts = {
"dylanblades.com" = {
forceSSL = true;
enableACME = true;
root = pkgs.my-site;
};
"gitea.dylanblades.com" = {
forceSSL = true;
useACMEHost = "dylanblades.com";
locations."/" = {
proxyPass = "http://localhost:3000";
extraConfig = ''
client_max_body_size 512M;
proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
};
"jellyfin.dylanblades.com" = {
forceSSL = true;
useACMEHost = "dylanblades.com";
locations = {
"/" = {
proxyPass = "http://localhost:8096";
extraConfig = ''
client_max_body_size 20M;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_buffering off;
'';
};
"/socket" = {
proxyPass = "http://localhost:8096";
extraConfig = ''
client_max_body_size 20M;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
'';
};
};
};
};
};
};
nixpkgs.overlays = [lib.overlays.pkgs]; nixpkgs.overlays = [lib.overlays.pkgs];
environment = { environment = {
persistence."/persist" = { persistence."/persist" = {
hideMounts = true; hideMounts = true;
directories = [ directories = ["/var/lib/nixos"];
{
directory = "/var/lib/nixos";
user = "root";
group = "root";
mode = "u=rwx,g=rx,o=rx";
}
{
directory = "/var/lib/gitea";
user = "gitea";
group = "gitea";
mode = "u=rwx,g=rx,o=";
}
{
directory = "/var/lib/jellyfin";
user = "jellyfin";
group = "jellyfin";
mode = "u=rwx,g=rx,o=";
}
];
}; };
systemPackages = with pkgs; [ systemPackages = with pkgs; [
cifs-utils
git git
my-vim my-vim
]; ];

1
packages/default.nix
View File

@ -1,4 +1,3 @@
{pkgs}: { {pkgs}: {
my-vim = pkgs.callPackage ./my-vim {}; my-vim = pkgs.callPackage ./my-vim {};
my-site = pkgs.callPackage ./my-site {};
} }

2
packages/my-site/default.nix
View File

@ -1,2 +0,0 @@
{writeTextDir}:
writeTextDir "index.html" "my-site"