

29 Commits

Author SHA1 Message Date
2803965bb1 feat: add sv1 web services 2025-01-26 12:23:44 +00:00
39043efd37 feat: enable websockets support on jellyfin 2025-01-05 20:24:26 +00:00
3b78176d1e fix: correct sb1 idle-timeout mount option 2025-01-02 00:48:43 +00:00
507194e35b fix: remove double quotes from secret sb1-credentials and reformat sb1 mount options 2025-01-02 00:38:21 +00:00
5dddb763fb fix: test sb1 mount with new options and without secrets 2025-01-02 00:23:33 +00:00
03a427740c fix: add cifs-utils package to sv1 2025-01-01 23:54:46 +00:00
2e8acf636a fix: correct library.secrets path 2025-01-01 22:44:04 +00:00
a73ed533e0 fix: add config parameter to sv1 2025-01-01 22:40:55 +00:00
00872d2086 feat: add sb1 to sv1 2025-01-01 22:36:57 +00:00
5f37f63af2 fix: close port 8096 and explicitly specify persistent directory permissions 2024-12-20 23:54:19 +00:00
f9839cf485 fix: open port 8096 for jellyfin 2024-12-19 23:50:00 +00:00
cf90449047 fix: set gitea and jellyfin directory permissions 2024-12-19 23:38:14 +00:00
59e4df3e02 feat: add jellyfin service to sv1 2024-12-19 16:25:03 +00:00
5491683867 fix: disable gitea registration 2024-12-18 21:34:29 +00:00
33719aee21 fix: override gitea public url 2024-12-18 20:19:54 +00:00
e7b194948b feat: persist gitea 2024-12-17 22:27:43 +00:00
2b2f5b223d chore: remove commented-out lines 2024-12-17 22:22:12 +00:00
71a43ffb43 feat: update gitea name 2024-12-17 22:07:19 +00:00
5da4049240 fix: use explicit subdomain 2024-12-17 22:04:19 +00:00
9a5408da00 fix: add wildcard domain in one place only 2024-12-17 22:02:01 +00:00
bf18e63d69 fix: check that explicit subdomains as aliases can be used in the cert 2024-12-17 21:58:51 +00:00
1d40e39940 fix: check if a all subdomains are caught by default 2024-12-17 21:56:17 +00:00
1f4068967a fix: add *.dylanblades.com domain to dylanblades.com cert 2024-12-17 21:53:59 +00:00
9f10891081 fix: set useACMEHost of gitea.dylanblades.com to dylanblades.com 2024-12-17 21:48:24 +00:00
6c4d35c9fe fix: centralise with one ssl certificate 2024-12-17 21:42:32 +00:00
80d4030a4c feat: add ssl to nginx on sv1 2024-12-17 21:18:00 +00:00
1b44c0e3ab fix: allow tcp ports 80 and 443 on sv1 2024-12-17 20:58:53 +00:00
2002c2895a feat: update gitea settings and add nginx reverse proxy for gitea to sv1 2024-12-17 17:31:14 +00:00
07750838d0 feat: add gitea service to sv1 2024-12-16 19:51:18 +00:00
7 changed files with 179 additions and 4 deletions

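--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+- &sv1 age1zr5m64rzl8r5pk5cnwcfycc8ze09lx4xqa6s0cpkf24gwwxxpy2sltfsug
+creation_rules:
+- path_regex: library/secrets/.*.yaml
+key_groups:
+- age:
+- *sv1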
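Review bot: The only recipient listed in `key_groups` is the host key `*sv1`, so every file under `library/secrets/` can be decrypted and re-encrypted only with the matching private key, which the sv1 configuration in this same compare appears to keep at `/persist/sops.age`; if that key file is lost the secrets are unrecoverable, and there is no operator key for editing them off the host. Consider adding a second age recipient for the operator under `keys:` (placeholder: `- &admin <OPERATOR_AGE_PUBLIC_KEY>`) and listing it beside `*sv1` in `key_groups`. The `path_regex` is also unanchored and the dot before `yaml` is a wildcard; `path_regex: ^library/secrets/.*\.yaml$` restricts the rule to the intended files.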


@ -3,4 +3,5 @@
nixosSystems = lib.callFragment ./nixosSystems.nix {};
sshKeys = lib.callFragment ./sshKeys.nix {};
secrets = lib.callFragment ./secrets {};
}


@ -0,0 +1,3 @@
{
sb1 = ./sb1.yaml;
}

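--- a/library/secrets/sb1.yaml
+++ b/library/secrets/sb1.yaml
@@ -0,0 +1,22 @@
+sb1-username: ENC[AES256_GCM,data:c5Myt2AdnA==,iv:q36larVwGrBiCHBaUu54QdJggeL22QzOwkfiJfQjsVE=,tag:qsVj/akHjHZwjvnvaJRBEw==,type:str]
+sb1-password: ENC[AES256_GCM,data:766xhD3hcwFM9pyu53uYMg==,iv:HYtfnUvl46N/z5UUTIz337rq/kAHJcvgAcMbVnluik0=,tag:1oSSB1UqQIWmh7PJGO+YfQ==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1zr5m64rzl8r5pk5cnwcfycc8ze09lx4xqa6s0cpkf24gwwxxpy2sltfsug
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdlpSYXhOdndtS0Y0QTRz
+N2pxczhIQVBWSnV1dnY3WDVVRlErYnh4OWdnClRUSjVXeWMrTmxWVEVGT0V6YUMr
+V2ovSVhpcmRIN3ljWUx0cmJnSnBzMzAKLS0tIHBNalN3emcrbjZZcytoVFgyQTh2
+elREcXRxeGdVTW1TZGtKelVURkdlWW8KSWpXIAL0Vb1a3un8WIcjMNbIbR41VcK2
+604AZYjooB6OzX2sOkGOOAIvB17S2nesL/nQUobWkM8bQSuH/TgR5g==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2025-01-01T22:35:24Z"
+mac: ENC[AES256_GCM,data:PH0lfE79d1ZuE0YyMZuWhpZNu1OHh+9JMNbr66RJoRRPpLa134Y6mQE+PzZXOZ0PR2mT+VOrkNhNRhzEhr79oScM0d3ahBfKVY8VcNpvP34Llb9PQWPAZpQ5moa9o6g850bLrXl3XolLPEMpZg4BVa5EzFjo9BXNbuSY/zoW2x0=,iv:my+mb+qbjDs3iHdmaEptylgHbNu7a6zwHx2NEhlwi1Q=,tag:YfEYhl4QOulNbKALLB8ylg==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.8.1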


@ -1,11 +1,13 @@
{
lib,
config,
pkgs,
...
}: {
imports = with lib.nixosModules; [
disko
impermanence
sops
];
disko.devices.disk.NixOS = {
@ -98,6 +100,34 @@
fileSystems = {
"/persist".neededForBoot = true;
"/var/log".neededForBoot = true;
"/mnt/sb1" = {
device = "//u424050.your-storagebox.de/backup";
fsType = "cifs";
options = [
"x-systemd.automount"
"noauto"
"x-systemd.idle-timeout=60"
"x-systemd.device-timeout=5s"
"x-systemd.mount-timeout=5s"
"credentials=${config.sops.templates.sb1-credentials.path}"
];
};
};
sops = {
gnupg.sshKeyPaths = [];
age = {
sshKeyPaths = [];
keyFile = "/persist/sops.age";
};
secrets = {
sb1-username.sopsFile = lib.secrets.sb1;
sb1-password.sopsFile = lib.secrets.sb1;
};
templates.sb1-credentials.content = ''
username=${config.sops.placeholder.sb1-username}
password=${config.sops.placeholder.sb1-password}
'';
};
boot = {
@ -152,6 +182,19 @@
networking = {
hostName = "sv1";
networkmanager.enable = true;
firewall.allowedTCPPorts = [
80
443
];
};
security.acme = {
acceptTerms = true;
defaults.email = "acme.evict519@simplelogin.com";
certs."dylanblades.com".extraDomainNames = [
"gitea.dylanblades.com"
"jellyfin.dylanblades.com"
];
};
time.timeZone = "Europe/London";
@ -179,18 +222,114 @@
};
};
services.openssh = {
services = {
openssh = {
enable = true;
settings.PermitRootLogin = "without-password";
};
gitea = {
enable = true;
useWizard = true;
appName = "Gitea";
settings = {
service.DISABLE_REGISTRATION = true;
server = {
DOMAIN = "gitea.dylanblades.com";
ROOT_URL = "https://gitea.dylanblades.com/";
};
ui.DEFAULT_THEME = "gitea-dark";
};
};
jellyfin.enable = true;
nginx = {
enable = true;
virtualHosts = {
"dylanblades.com" = {
forceSSL = true;
enableACME = true;
root = pkgs.my-site;
};
"gitea.dylanblades.com" = {
forceSSL = true;
useACMEHost = "dylanblades.com";
locations."/" = {
proxyPass = "http://localhost:3000";
extraConfig = ''
client_max_body_size 512M;
proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
};
"jellyfin.dylanblades.com" = {
forceSSL = true;
useACMEHost = "dylanblades.com";
locations = {
"/" = {
proxyPass = "http://localhost:8096";
extraConfig = ''
client_max_body_size 20M;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_buffering off;
'';
};
"/socket" = {
proxyPass = "http://localhost:8096";
extraConfig = ''
client_max_body_size 20M;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
'';
};
};
};
};
};
};
nixpkgs.overlays = [lib.overlays.pkgs];
environment = {
persistence."/persist" = {
hideMounts = true;
directories = ["/var/lib/nixos"];
directories = [
{
directory = "/var/lib/nixos";
user = "root";
group = "root";
mode = "u=rwx,g=rx,o=rx";
}
{
directory = "/var/lib/gitea";
user = "gitea";
group = "gitea";
mode = "u=rwx,g=rx,o=";
}
{
directory = "/var/lib/jellyfin";
user = "jellyfin";
group = "jellyfin";
mode = "u=rwx,g=rx,o=";
}
];
};
systemPackages = with pkgs; [
cifs-utils
git
my-vim
];
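Review bot: The gitea proxy block (`locations."/"` under `"gitea.dylanblades.com"`) forwards `Upgrade $http_upgrade` and `Connection $http_connection` but never sets `proxy_http_version 1.1;`, so nginx proxies with HTTP/1.0 and WebSocket upgrades cannot complete; the jellyfin `/socket` location already includes that line, and the gitea `extraConfig` should carry the same `proxy_http_version 1.1;`. `useWizard = true` leaves the Gitea install wizard reachable on the public vhost until it has been completed, and the wizard is where the first administrator is defined, so finish it promptly or switch to `useWizard = false` once the instance is initialised. The CIFS mount of `//u424050.your-storagebox.de/backup` pins neither a protocol version nor transport encryption; if the share is reached over the Internet, as the hostname suggests, adding `"vers=3.0"` and `"seal"` to `options` keeps the credentials file contents and the backup traffic encrypted on the wire. The `environment` attribute set that the final hunk ends in is closed outside the hunk.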


@ -1,3 +1,4 @@
{pkgs}: {
my-vim = pkgs.callPackage ./my-vim {};
my-site = pkgs.callPackage ./my-site {};
}


@ -0,0 +1,2 @@
{writeTextDir}:
writeTextDir "index.html" "my-site"