martials/nixos-configuration
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: martials:d614495a2c9b35bb3838836e4449a715391756e1
Branches Tags
martials:main
..
compare: martials:main
Branches Tags
martials:main

17 Commits
d614495a2c ... main

Author SHA1 Message Date
Martin Berg Alstad
3e718fadfc [pi4] Containerize Actual service 2025-06-23 19:18:40 +00:00
Martin Berg Alstad
763ee6312a ♻️ [pi4] Refactor firewall with variables 2025-06-23 18:17:08 +00:00
Martin Berg Alstad
5704ebe712 [pi4] Initial Actual Budget service 2025-06-23 18:07:09 +00:00
Martin Berg Alstad
70b5d5fd4d [pi4] Nginx reload on change instead of restart 2025-06-23 17:47:35 +00:00
Martin Berg Alstad
c29acb0902 [pi4] Headscale config with Postgres 2025-06-23 17:42:15 +00:00
Martin Berg Alstad
a545b4a45c 🔧 [pi4] Update Forgejo deprecated setting 2025-06-10 16:41:54 +00:00
Martin Berg Alstad
c839811b9f 🐛 [pi4] Fix wrong nginx config for headscale 2025-06-10 16:41:02 +00:00
Martin Berg Alstad
2812e85976 🚑 [pi4] Redirect from www. to 2025-06-08 21:41:29 +00:00
Martin Berg Alstad
3835c3a1a6 🚸 [pi4] Don't change password in forgejo 2025-06-08 21:37:07 +00:00
Martin Berg Alstad
a277e8f3ed [pi4] Fix nginx config with TLS 2025-06-08 21:34:06 +00:00
Martin Berg Alstad
eb8c857940 🚨 [shared] Migrate Yazi from manager to mgr 2025-06-03 21:50:42 +02:00
Martin Berg Alstad
b3e6222cac [pi4] Added initial Nginx config 2025-06-03 19:36:14 +00:00
Martin Berg Alstad
575452512a 📦 [desktop] Set Linux kernel to 6.14 2025-06-03 18:55:26 +02:00
Martin Berg Alstad
5cc4c6479c 📦 [shared] Update dependencies 2025-06-03 18:55:02 +02:00
Martin Berg Alstad
724fe6767e ♻️ [shared] Refactor system configs 2025-06-02 21:02:33 +02:00
Martin Berg Alstad
b74e5aab62 [pi4] Added initial Simple mailserver config 2025-06-02 17:44:41 +00:00
Martin Berg Alstad
be02be6bf2 ♻️ [pi4] Rename default_phone_region and other minor changes in Nextcloud 2025-05-31 16:04:19 +00:00
19 changed files with 596 additions and 141 deletions
Expand all files Collapse all files

234
flake.lock generated
View File

@ -9,11 +9,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1736090999, "lastModified": 1744557573,
"narHash": "sha256-B5CJuHqfJrzPa7tObK0H9669/EClSHpa/P7B9EuvElU=", "narHash": "sha256-XAyj0iDuI51BytJ1PwN53uLpzTDdznPDQFG4RwihlTQ=",
"owner": "aylur", "owner": "aylur",
"repo": "ags", "repo": "ags",
"rev": "5527c3c07d92c11e04e7fd99d58429493dba7e3c", "rev": "3ed9737bdbc8fc7a7c7ceef2165c9109f336bff6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -31,11 +31,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1735172721, "lastModified": 1742571008,
"narHash": "sha256-rtEAwGsHSppnkR3Qg3eRJ6Xh/F84IY9CrBBLzYabalY=", "narHash": "sha256-5WgfJAeBpxiKbTR/gJvxrGYfqQRge5aUDcGKmU1YZ1Q=",
"owner": "aylur", "owner": "aylur",
"repo": "astal", "repo": "astal",
"rev": "6c84b64efc736e039a8a10774a4a1bf772c37aa2", "rev": "dc0e5d37abe9424c53dcbd2506a4886ffee6296e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -44,6 +44,43 @@
"type": "github" "type": "github"
} }
}, },
"astal_2": {
"inputs": {
"nixpkgs": [
"hyprpanel",
"nixpkgs"
]
},
"locked": {
"lastModified": 1748416910,
"narHash": "sha256-FEQcs58HL8Fe4i7XlqVEUwthjxwvRvgX15gTTfW17sU=",
"owner": "aylur",
"repo": "astal",
"rev": "c1bd89a47c81c66ab5fc6872db5a916c0433fb89",
"type": "github"
},
"original": {
"owner": "aylur",
"repo": "astal",
"type": "github"
}
},
"blobs": {
"flake": false,
"locked": {
"lastModified": 1604995301,
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"type": "gitlab"
}
},
"catppuccin": { "catppuccin": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
@ -62,16 +99,80 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1747046372,
"narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"git-hooks": {
"inputs": {
"flake-compat": [
"simple-nixos-mailserver",
"flake-compat"
],
"gitignore": "gitignore",
"nixpkgs": [
"simple-nixos-mailserver",
"nixpkgs"
]
},
"locked": {
"lastModified": 1742649964,
"narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"simple-nixos-mailserver",
"git-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"grayjay": { "grayjay": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2"
}, },
"locked": { "locked": {
"lastModified": 1748262720, "lastModified": 1748772835,
"narHash": "sha256-b9SRqnglNtyWE+ivBcIyyGybrDN1uy9zEy2D6X284bo=", "narHash": "sha256-p/hGSN1DOU/pELQi5PTds8eL+czjmb/0RvwvLm7nGC8=",
"owner": "rishabh5321", "owner": "rishabh5321",
"repo": "grayjay-flake", "repo": "grayjay-flake",
"rev": "b523be9dba411e9e7e5f36f71676dddede93c664", "rev": "998cbc285d936a45daf07414d03db3f60c133caa",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -87,11 +188,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1748226808, "lastModified": 1748665073,
"narHash": "sha256-GaBRgxjWO1bAQa8P2+FDxG4ANBVhjnSjBms096qQdxo=", "narHash": "sha256-RMhjnPKWtCoIIHiuR9QKD7xfsKb3agxzMfJY8V9MOew=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "83665c39fa688bd6a1f7c43cf7997a70f6a109f9", "rev": "282e1e029cb6ab4811114fc85110613d72771dea",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -125,14 +226,15 @@
"hyprpanel": { "hyprpanel": {
"inputs": { "inputs": {
"ags": "ags", "ags": "ags",
"astal": "astal_2",
"nixpkgs": "nixpkgs_3" "nixpkgs": "nixpkgs_3"
}, },
"locked": { "locked": {
"lastModified": 1748203813, "lastModified": 1748962037,
"narHash": "sha256-VCwlSYJjXFhQSdwjk7FdeyALIzknOM1TavCDt3KLgB8=", "narHash": "sha256-MkrOyZ6CqTzzmlfmvkPiezy51hG96xqucrR38xQpK/0=",
"owner": "Jas-SinghFSU", "owner": "Jas-SinghFSU",
"repo": "HyprPanel", "repo": "HyprPanel",
"rev": "12d6960e198cf5107aed84a4b21e95c826d43dad", "rev": "8422c6b80526f8289a30b93cb5b354d9f007141d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -157,13 +259,29 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-stable": { "nixpkgs-25_05": {
"locked": { "locked": {
"lastModified": 1748162331, "lastModified": 1747610100,
"narHash": "sha256-rqc2RKYTxP3tbjA+PB3VMRQNnjesrT0pEofXQTrMsS8=", "narHash": "sha256-rpR5ZPMkWzcnCcYYo3lScqfuzEw5Uyfh+R0EKZfroAc=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334", "rev": "ca49c4304acf0973078db0a9d200fd2bae75676d",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1748889542,
"narHash": "sha256-Hb4iMhIbjX45GcrgOp3b8xnyli+ysRPqAgZ/LZgyT5k=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "10d7f8d34e5eb9c0f9a0485186c1ca691d2c5922",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -175,11 +293,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1748026106, "lastModified": 1748693115,
"narHash": "sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o=", "narHash": "sha256-StSrWhklmDuXT93yc3GrTlb0cKSS0agTAxMGjLKAsY8=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "063f43f2dbdef86376cc29ad646c45c46e93234c", "rev": "910796cabe436259a29a72e8d3f5e180fc6dfacc",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -191,11 +309,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1748026106, "lastModified": 1748693115,
"narHash": "sha256-6m1Y3/4pVw1RWTsrkAK2VMYSzG4MMIj7sqUy7o8th1o=", "narHash": "sha256-StSrWhklmDuXT93yc3GrTlb0cKSS0agTAxMGjLKAsY8=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "063f43f2dbdef86376cc29ad646c45c46e93234c", "rev": "910796cabe436259a29a72e8d3f5e180fc6dfacc",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -207,11 +325,11 @@
}, },
"nixpkgs_3": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1736344531, "lastModified": 1748370509,
"narHash": "sha256-8YVQ9ZbSfuUk2bUf2KRj60NRraLPKPS0Q4QFTbc+c2c=", "narHash": "sha256-QlL8slIgc16W5UaI3w7xHQEP+Qmv/6vSNTpoZrrSlbk=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "bffc22eb12172e6db3c5dde9e3e5628f8e3e7912", "rev": "4faa5f5321320e49a78ae7848582f684d64783e9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -223,11 +341,11 @@
}, },
"nixpkgs_4": { "nixpkgs_4": {
"locked": { "locked": {
"lastModified": 1748162331, "lastModified": 1748889542,
"narHash": "sha256-rqc2RKYTxP3tbjA+PB3VMRQNnjesrT0pEofXQTrMsS8=", "narHash": "sha256-Hb4iMhIbjX45GcrgOp3b8xnyli+ysRPqAgZ/LZgyT5k=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334", "rev": "10d7f8d34e5eb9c0f9a0485186c1ca691d2c5922",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -238,6 +356,22 @@
} }
}, },
"nixpkgs_5": { "nixpkgs_5": {
"locked": {
"lastModified": 1747179050,
"narHash": "sha256-qhFMmDkeJX9KJwr5H32f1r7Prs7XbQWtO0h3V0a0rFY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "adaa24fbf46737f3f1b5497bf64bae750f82942e",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_6": {
"locked": { "locked": {
"lastModified": 1743448293, "lastModified": 1743448293,
"narHash": "sha256-bmEPmSjJakAp/JojZRrUvNcDX2R5/nuX6bm+seVaGhs=", "narHash": "sha256-bmEPmSjJakAp/JojZRrUvNcDX2R5/nuX6bm+seVaGhs=",
@ -262,11 +396,35 @@
"nixpkgs": "nixpkgs_4", "nixpkgs": "nixpkgs_4",
"nixpkgs-stable": "nixpkgs-stable", "nixpkgs-stable": "nixpkgs-stable",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"simple-nixos-mailserver": "simple-nixos-mailserver",
"sops-nix": "sops-nix", "sops-nix": "sops-nix",
"spicetify-nix": "spicetify-nix", "spicetify-nix": "spicetify-nix",
"zen-browser": "zen-browser" "zen-browser": "zen-browser"
} }
}, },
"simple-nixos-mailserver": {
"inputs": {
"blobs": "blobs",
"flake-compat": "flake-compat",
"git-hooks": "git-hooks",
"nixpkgs": "nixpkgs_5",
"nixpkgs-25_05": "nixpkgs-25_05"
},
"locked": {
"lastModified": 1747965231,
"narHash": "sha256-BW3ktviEhfCN/z3+kEyzpDKAI8qFTwO7+S0NVA0C90o=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "53007af63fade28853408370c4c600a63dd97f41",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"ref": "nixos-25.05",
"repo": "nixos-mailserver",
"type": "gitlab"
}
},
"sops-nix": { "sops-nix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -295,11 +453,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1748147548, "lastModified": 1748752728,
"narHash": "sha256-9IaAQkgyF4PFtVyui8vF6oJah0iVcO9DaOefjdTMthE=", "narHash": "sha256-en008ncPUQjVx2i3PbM4RWeZkD9DNbJwIy0epppXe2o=",
"owner": "Gerg-L", "owner": "Gerg-L",
"repo": "spicetify-nix", "repo": "spicetify-nix",
"rev": "f0595e3b59260457042450749eaec00a5a47db35", "rev": "0e03de40d5128eb2ad600c98f57cf5db2cdf3240",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -326,14 +484,14 @@
"zen-browser": { "zen-browser": {
"inputs": { "inputs": {
"home-manager": "home-manager_2", "home-manager": "home-manager_2",
"nixpkgs": "nixpkgs_5" "nixpkgs": "nixpkgs_6"
}, },
"locked": { "locked": {
"lastModified": 1748229380, "lastModified": 1748920570,
"narHash": "sha256-ulYljT6A8/v9QsMWnTsDYxa1/bG/22Ufy+KfrN4jA74=", "narHash": "sha256-m7EshkqPxa3IxN/qwxP1LlMlRdn37aiK0hghDieho8A=",
"owner": "0xc000022070", "owner": "0xc000022070",
"repo": "zen-browser-flake", "repo": "zen-browser-flake",
"rev": "14207b0fc7caba6b6a9c7a9aecf7f901435daa93", "rev": "ff5bf0bcf588e8c1d0f5fcd635b0c8e1cce8aee5",
"type": "github" "type": "github"
}, },
"original": { "original": {

10
flake.nix
View File

@ -31,6 +31,7 @@
catppuccin.url = "github:catppuccin/nix"; catppuccin.url = "github:catppuccin/nix";
# Bar # Bar
hyprpanel.url = "github:Jas-SinghFSU/HyprPanel"; hyprpanel.url = "github:Jas-SinghFSU/HyprPanel";
simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-25.05";
# Spotify # Spotify
spicetify-nix = { spicetify-nix = {
url = "github:Gerg-L/spicetify-nix"; url = "github:Gerg-L/spicetify-nix";
@ -47,6 +48,7 @@
self, self,
nixpkgs, nixpkgs,
home-manager, home-manager,
simple-nixos-mailserver,
... ...
}@inputs: }@inputs:
let let
@ -72,13 +74,11 @@
systems = builtins.map (config: defaultAttrs // config) [ systems = builtins.map (config: defaultAttrs // config) [
{ {
hostName = "desktop"; hostName = "desktop";
system = "x86_64-linux";
nvidia.enable = true; nvidia.enable = true;
ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMSzXyTuQyTrWsfORQbvgrqt/33+hfSUDXeMg6D1T2wz"; ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMSzXyTuQyTrWsfORQbvgrqt/33+hfSUDXeMg6D1T2wz";
} }
{ {
hostName = "thinkpad"; hostName = "thinkpad";
system = "x86_64-linux";
ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILNlHKE/BD8kKfhJD7GBk1A3whZf3gTjk9VEgGAj3qsH"; ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILNlHKE/BD8kKfhJD7GBk1A3whZf3gTjk9VEgGAj3qsH";
} }
{ {
@ -86,16 +86,20 @@
system = "aarch64-linux"; system = "aarch64-linux";
wayland.enable = false; wayland.enable = false;
ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJE9m7YiITe1sDqSZ7Pa8luIw3WToLsypixZEqE4wCQE"; ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJE9m7YiITe1sDqSZ7Pa8luIw3WToLsypixZEqE4wCQE";
address.private = common.localIpAddr 188;
} }
{ {
hostName = "homelab"; hostName = "homelab";
system = "x86_64-linux";
wayland.enable = false; wayland.enable = false;
ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIARDv5nRlfPDXdV+Db4FaqeSJZ3/3MO0frYGzuVeqYAl"; ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIARDv5nRlfPDXdV+Db4FaqeSJZ3/3MO0frYGzuVeqYAl";
address.private = common.localIpAddr 231;
address.tailnet = common.tailnetAddr "admin";
} }
]; ];
defaultAttrs = { defaultAttrs = {
hostName = builtins.abort "hostName is required";
system = "x86_64-linux";
username = common.username; username = common.username;
version = common.system.version; version = common.system.version;
wayland.enable = true; wayland.enable = true;

2
hosts/desktop/default.nix
View File

@ -11,5 +11,5 @@
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelPackages = pkgs.linuxPackages_6_14;
} }

42
hosts/pi4/actual.nix Normal file
View File

@ -0,0 +1,42 @@
{ config, common, ... }:
let
domain = "beta.budget.${common.domain}";
in
{
networking.nat = {
enable = true;
internalInterfaces = [ "ve-*" ];
externalInterface = "wlan0";
# Lazy IPv6 connectivity for the container
enableIPv6 = true;
};
containers.actual = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.10.188";
localAddress = "192.168.10.11";
config =
{ ... }:
{
services = {
actual = {
enable = true;
settings = {
port = 8084;
loginMethod = "password";
};
};
};
system.stateVersion = common.system.version;
};
};
services.nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://${config.containers.actual.localAddress}:8084";
proxyWebsockets = true;
};
};
}

46
hosts/pi4/caddy.nix
View File

@ -4,11 +4,13 @@ let
in in
{ {
services.caddy = { services.caddy = {
enable = true; enable = false;
email = "cert@${domain}"; email = "cert@${domain}";
virtualHosts = virtualHosts =
let let
reverseProxy = port: "reverse_proxy localhost:${builtins.toString port}"; localProxy = proxyTo "localhost";
homelabProxy = proxyTo "192.168.10.231";
proxyTo = ip: port: "reverse_proxy ${ip}:${builtins.toString port}";
redirect = subdomain: "redir https://${subdomain}.${domain}{uri}"; redirect = subdomain: "redir https://${subdomain}.${domain}{uri}";
in in
{ {
@ -23,62 +25,66 @@ in
''; '';
# Gitea # Gitea
"code.${domain}".extraConfig = '' "code.${domain}".extraConfig = ''
${reverseProxy 3000} ${homelabProxy 3000}
'';
# Forgejo
"beta.code.${domain}".extraConfig = ''
${localProxy 8001}
''; '';
# Nextcloud # Nextcloud
"nextcloud.${domain}".extraConfig = '' "nextcloud.${domain}".extraConfig = ''
redir /.well-known/carddav /remote.php/dav 301 redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301 redir /.well-known/caldav /remote.php/dav 301
${reverseProxy 11000} ${homelabProxy 11000}
''; '';
# Kitchenowl # Kitchenowl
"grocery.${domain}".extraConfig = '' "grocery.${domain}".extraConfig = ''
${reverseProxy 800} ${homelabProxy 800}
''; '';
# Actual Budget # Actual Budget
"budget.${domain}".extraConfig = '' "budget.${domain}".extraConfig = ''
${reverseProxy 5006} ${homelabProxy 5006}
''; '';
# Uptime Kuma # Uptime Kuma
"status.${domain}".extraConfig = '' "status.${domain}".extraConfig = ''
${reverseProxy 3001} ${homelabProxy 3001}
''; '';
# Headscale # Headscale
"vpn.${domain}".extraConfig = '' "vpn.${domain}".extraConfig = ''
reverse_proxy /web* localhost:8084 reverse_proxy /web* 192.168.10.231:8084
reverse_proxy * localhost:8082 reverse_proxy * 192.168.10.231:8082
''; '';
# Headscale SmartDNS # Headscale SmartDNS
"dns.${domain}".extraConfig = '' "dns.${domain}".extraConfig = ''
${reverseProxy 8082} ${homelabProxy 8082}
''; '';
# FreshRSS # FreshRSS
"rss.${domain}".extraConfig = '' "rss.${domain}".extraConfig = ''
${reverseProxy 8085} ${homelabProxy 8085}
''; '';
# Ente backend # Ente backend
"api.ente.${domain}".extraConfig = '' "api.ente.${domain}".extraConfig = ''
${reverseProxy 8083} ${homelabProxy 8083}
''; '';
# Ente Photos frontend # Ente Photos frontend
"ente.${domain}".extraConfig = '' "ente.${domain}".extraConfig = ''
${reverseProxy 3003} ${homelabProxy 3003}
''; '';
# Ente Auth frontend # Ente Auth frontend
"mfa.${domain}".extraConfig = '' "mfa.${domain}".extraConfig = ''
${reverseProxy 3004} ${homelabProxy 3004}
''; '';
# Homepage / portfolio # Homepage / portfolio
"${domain}".extraconfig = '' "${domain}".extraConfig = ''
${reverseProxy 4321} ${homelabProxy 4321}
''; '';
# Yamtrack # Yamtrack
"track.${domain}".extraConfig = '' "track.${domain}".extraConfig = ''
${reverseProxy 8090} ${homelabProxy 8090}
''; '';
# Postal # Donetick
"mail.${domain}".extraConfig = '' "chore.${domain}".extraConfig = ''
${reverseProxy 5000} ${homelabProxy 2021}
''; '';
}; };
}; };

6
hosts/pi4/default.nix
View File

@ -3,11 +3,17 @@
{ {
imports = with lib.custom; [ imports = with lib.custom; [
(relativeToBase "modules") (relativeToBase "modules")
./actual.nix
./boot.nix ./boot.nix
./caddy.nix
./forgejo.nix ./forgejo.nix
./hardware.nix ./hardware.nix
./headscale.nix
./mailserver.nix
./nextcloud.nix ./nextcloud.nix
./nginx.nix
./podman.nix ./podman.nix
./postgres.nix
./security ./security
]; ];
} }

25
hosts/pi4/forgejo.nix
View File

@ -2,21 +2,34 @@
config, config,
pkgs, pkgs,
lib, lib,
systemConfig,
common, common,
... ...
}: }:
let let
cfg = config.services.forgejo;
srv = cfg.settings.server;
domain = "beta.code.${common.domain}"; domain = "beta.code.${common.domain}";
passwordKey = "forgejo/admin-pass"; passwordKey = "forgejo/admin-pass";
runnerTokenKey = "forgejo/runner-token"; runnerTokenKey = "forgejo/runner-token";
in in
{ {
services = { services = {
nginx.virtualHosts.${domain} = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString srv.HTTP_PORT}";
serverAliases = [ "beta.git.${common.domain}" ];
};
forgejo = { forgejo = {
enable = true; enable = true;
database.type = "postgres"; database.type = "postgres";
# Enable support for Git Large File Storage # Enable support for Git Large File Storage
lfs.enable = true; lfs.enable = true;
secrets.mailer.PASSWD = config.sops.secrets."mailserver/password-hash".path;
settings = { settings = {
server = { server = {
DOMAIN = domain; DOMAIN = domain;
@ -34,14 +47,14 @@ in
# Sending emails is completely optional # Sending emails is completely optional
# You can send a test email from the web UI at: # You can send a test email from the web UI at:
# Profile Picture > Site Administration > Configuration > Mailer Configuration # Profile Picture > Site Administration > Configuration > Mailer Configuration
mailer = { mailer = lib.mkIf config.mailserver.enable {
ENABLED = true; ENABLED = true;
SMTP_ADDR = "mail.${common.domain}"; PROTOCOL = "smtps";
SMTP_ADDR = config.mailserver.fqdn;
FROM = "noreply-forgejo@${common.domain}"; FROM = "noreply-forgejo@${common.domain}";
USER = "noreply@${common.domain}"; USER = "${systemConfig.username}@${common.domain}";
}; };
}; };
#mailerPasswordFile = config.sops.secrets."forgejo/mailer-password".path;
}; };
gitea-actions-runner = { gitea-actions-runner = {
package = pkgs.forgejo-actions-runner; package = pkgs.forgejo-actions-runner;
@ -75,7 +88,7 @@ in
in in
'' ''
${adminCmd} create --admin --email "${email}" --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true ${adminCmd} create --admin --email "${email}" --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
## Alter an existing user ## Alter an existing user. Will prompt new password on login
${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true # ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
''; '';
} }

66
hosts/pi4/headscale.nix Normal file
View File

@ -0,0 +1,66 @@
{
config,
common,
...
}:
let
cfg = config.services.headscale;
domain = "beta.vpn.${common.domain}";
dnsDomain = "secure.${common.domain}";
in
{
networking.firewall = {
trustedInterfaces = [ config.services.tailscale.interfaceName ];
allowedUDPPorts = [ config.services.tailscale.port ];
};
services = {
headscale = {
enable = true;
address = "0.0.0.0";
port = 8083;
settings = {
database = {
postgres = {
host = "/run/postgresql";
name = "headscale";
port = config.services.postgresql.settings.port;
user = cfg.user;
};
type = "postgres";
};
dns = {
base_domain = dnsDomain;
magic_dns = true;
};
logtail.enabled = false;
server_url = "https://${domain}";
};
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.headscale.port}";
proxyWebsockets = true;
};
};
postgresql =
let
psql = cfg.settings.database.postgres;
in
{
ensureDatabases = [ psql.name ];
ensureUsers = [
{
name = psql.user;
ensureDBOwnership = true;
}
];
};
};
}

44
hosts/pi4/mailserver.nix Normal file
View File

@ -0,0 +1,44 @@
{
config,
inputs,
common,
systemConfig,
...
}:
let
passwordHashKey = "mailserver/password-hash";
in
{
imports = [
inputs.simple-nixos-mailserver.nixosModule
];
mailserver = {
enable = true;
# stateVersion = 1; TODO uncomment on 25.11
fqdn = "mail.${common.domain}";
domains = [
common.domain
];
# A list of all login accounts. To create the password hashes, use
# nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
loginAccounts = {
"${systemConfig.username}@${common.domain}" = {
hashedPasswordFile = config.sops.secrets.${passwordHashKey}.path;
};
};
# Use Let's Encrypt certificates. Note that this needs to set up a stripped
# down nginx and opens port 80.
certificateScheme = "acme-nginx";
};
networking.firewall.allowedTCPPorts = [
25
465
587
];
sops.secrets.${passwordHashKey}.neededForUsers = true;
}

30
hosts/pi4/nextcloud.nix
View File

@ -1,12 +1,22 @@
# https://mich-murphy.com/configure-nextcloud-nixos/ # https://mich-murphy.com/configure-nextcloud-nixos/
{ pkgs, config, ... }: {
pkgs,
config,
common,
...
}:
let let
adminPass = "nextcloud/admin-pass"; adminPassKey = "nextcloud/admin-pass";
domain = "beta.nextcloud.martials.no"; domain = "beta.nextcloud.${common.domain}";
dbname = "nextcloud"; dbname = "nextcloud";
dbuser = dbname; dbuser = dbname;
in in
{ {
security.acme = {
acceptTerms = true;
certs.${config.services.nextcloud.hostName}.email = "acme@${common.domain}";
};
services = { services = {
nextcloud = { nextcloud = {
enable = true; enable = true;
@ -14,14 +24,13 @@ in
autoUpdateApps.enable = true; autoUpdateApps.enable = true;
config = { config = {
adminpassFile = config.sops.secrets.${adminPass}.path; adminpassFile = config.sops.secrets.${adminPassKey}.path;
dbtype = "pgsql"; dbtype = "pgsql";
dbname = dbname; dbname = dbname;
dbuser = dbuser; dbuser = dbuser;
# default directory for postgresql, ensures automatic setup of db # default directory for postgresql, ensures automatic setup of db
dbhost = "/run/postgresql"; dbhost = "/run/postgresql";
adminuser = "admin"; adminuser = "admin";
defaultPhoneRegion = "NO";
}; };
extraApps = { extraApps = {
@ -37,18 +46,23 @@ in
hostName = domain; hostName = domain;
https = true; https = true;
maxUploadSize = "0"; maxUploadSize = "0"; # No max limit
package = pkgs.nextcloud31; package = pkgs.nextcloud31;
settings = { settings = {
default_phone_region = "NO";
trusted_domains = [ trusted_domains = [
domain domain
]; ];
}; };
}; };
nginx.virtualHosts.${config.services.nextcloud.hostName} = {
forceSSL = true;
enableACME = true;
};
postgresql = { postgresql = {
enable = true;
ensureDatabases = [ dbname ]; ensureDatabases = [ dbname ];
ensureUsers = [ ensureUsers = [
{ {
@ -66,7 +80,7 @@ in
}; };
}; };
sops.secrets.${adminPass}.neededForUsers = true; sops.secrets.${adminPassKey}.neededForUsers = true;
# ensure postgresql db is started with nextcloud # ensure postgresql db is started with nextcloud
systemd.services."nextcloud-setup" = { systemd.services."nextcloud-setup" = {

93
hosts/pi4/nginx.nix Normal file
View File

@ -0,0 +1,93 @@
{
common,
...
}:
let
domain = common.domain;
proxyTo = address: port: {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "${address}:${builtins.toString port}";
};
proxyLocations = locations: {
enableACME = true;
forceSSL = true;
inherit locations;
};
homelab = "http://${common.localIpAddr 231}";
homelabProxy = proxyTo homelab; # TODO get homelab local ip from systems
redirect = subdomain: {
enableACME = true;
forceSSL = true;
globalRedirect = if subdomain == "" then domain else "${subdomain}.${domain}";
};
in
{
services.nginx = {
enable = true;
enableReload = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
# Beta is currently stable
"www.${domain}" = redirect "";
"beta.${domain}" = redirect "";
"git.${domain}" = redirect "code";
"kitchenowl.${domain}" = redirect "grocery";
# Gitea
"code.${domain}" = homelabProxy 3000;
# Nextcloud
"nextcloud.${domain}" = proxyLocations {
"/".proxyPass = "${homelab}:11000";
"/.well-known/carddav".return = "301 /remote.php/dav";
"/.well-known/caldav".return = "301 /remote.php/dav";
};
# Kitchenowl
"grocery.${domain}" = homelabProxy 800;
# Actual budget
"budget.${domain}" = homelabProxy 5006;
# Uptime Kuma
"status.${domain}" = homelabProxy 3001;
# Headscale
"vpn.${domain}" = proxyLocations {
"/web".proxyPass = "${homelab}:8084";
"/" = {
proxyPass = "${homelab}:8082";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_redirect http:// https://;
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
'';
};
};
# Headscale SmartDNS
"dns.${domain}" = homelabProxy 8082;
# FreshRSS
"rss.${domain}" = homelabProxy 8085;
# Ente backend
"api.ente.${domain}" = homelabProxy 8083;
# Ente Photos frontend
"ente.${domain}" = homelabProxy 3003;
# Ente Auth frontend
"mfa.${domain}" = homelabProxy 3004;
# Homepage / portfolio
"${domain}" = homelabProxy 4321;
# Yamtrack
"track.${domain}" = homelabProxy 8090;
# Donetick
"chore.${domain}" = homelabProxy 2021;
};
};
security.acme = {
acceptTerms = true;
defaults.email = "acme@${domain}";
};
}

11
hosts/pi4/postgres.nix Normal file
View File

@ -0,0 +1,11 @@
{ pkgs, ... }:
{
services.postgresql = {
enable = true;
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all trust
'';
};
}

11
hosts/pi4/security/firewall.nix
View File

@ -1,3 +1,5 @@
{ common, ... }:
{ {
networking = { networking = {
firewall = { firewall = {
@ -6,13 +8,8 @@
80 80
443 443
]; ];
trustedInterfaces = [ "tailscale0" ]; extraInputRules = ''
extraInputRules = ip saddr ${common.localIpRange} accept
let
localIPv4Range = "192.168.10.0/24";
in
''
ip saddr ${localIPv4Range} accept
''; '';
}; };
nftables.enable = true; nftables.enable = true;

9
shared/base/home-manager/ssh.nix
View File

@ -15,13 +15,16 @@ with builtins;
name = system.hostName; name = system.hostName;
value = value =
let let
# TODO rename desktop to homelab hostName =
hostName = if system.hostName == "homelab" then "admin" else system.hostName; if (system ? address && system.address ? tailnet) then
system.address.tailnet
else
common.tailnetAddr system.hostName;
in in
{ {
port = 22; port = 22;
user = systemConfig.username; user = systemConfig.username;
hostname = "${hostName}.dns.${common.domain}"; hostname = hostName;
}; };
}) systems }) systems
); );

8
shared/base/modules/security/ssh.nix
View File

@ -8,7 +8,6 @@
}: }:
with builtins; with builtins;
let let
domain = "dns.${common.domain}";
allSystems = knownSystems ++ systems; allSystems = knownSystems ++ systems;
in in
{ {
@ -17,7 +16,12 @@ in
name = system.hostName; name = system.hostName;
value = { value = {
extraHostNames = [ extraHostNames = [
"${system.hostName}.${domain}" (
if (system ? address && system.address ? tailnet) then
system.address.tailnet
else
common.tailnetAddr system.hostName
)
]; ];
publicKey = system.ssh.publicKey; publicKey = system.ssh.publicKey;
}; };

5
shared/common.nix
View File

@ -14,6 +14,11 @@ rec {
}; };
domain = "martials.no"; domain = "martials.no";
tailnetDomain = "dns.${domain}";
localIpPrefix = "192.168.10.";
localIpRange = "${localIpPrefix}0/24";
localIpAddr = subAddr: "${localIpPrefix}${builtins.toString subAddr}";
tailnetAddr = host: "${host}.${tailnetDomain}";
keymaps = { keymaps = {
layout = "gb,no"; layout = "gb,no";

4
shared/desktop/home-manager/shell/yazi/default.nix
View File

@ -14,7 +14,7 @@
enable = true; enable = true;
enableFishIntegration = true; enableFishIntegration = true;
keymap = { keymap = {
manager.prepend_keymap = [ mgr.prepend_keymap = [
{ {
run = "hidden toggle"; run = "hidden toggle";
on = [ "<C-h>" ]; on = [ "<C-h>" ];
@ -23,7 +23,7 @@
]; ];
}; };
settings = { settings = {
manager = { mgr = {
ratio = [ ratio = [
2 2
4 4

15
shared/desktop/modules/hardware/graphics/nvidia.nix
View File

@ -30,20 +30,7 @@ lib.mkIf systemConfig.nvidia.enable {
finegrained = false; finegrained = false;
}; };
# https://discourse.nixos.org/t/nvidia-dgpu-prime-offload-mode-amd-igpu-wayland/63194/3 package = config.boot.kernelPackages.nvidiaPackages.latest;
package = config.boot.kernelPackages.nvidiaPackages.mkDriver {
version = "570.133.07";
# this is the third one it will complain is wrong
sha256_64bit = "sha256-LUPmTFgb5e9VTemIixqpADfvbUX1QoTT2dztwI3E3CY=";
# unused
sha256_aarch64 = "sha256-2l8N83Spj0MccA8+8R1uqiXBS0Ag4JrLPjrU3TaXHnM=";
# this is the second one it will complain is wrong
openSha256 = "sha256-9l8N83Spj0MccA8+8R1uqiXBS0Ag4JrLPjrU3TaXHnM=";
# this is the first one it will complain is wrong
settingsSha256 = "sha256-XMk+FvTlGpMquM8aE8kgYK2PIEszUZD2+Zmj2OpYrzU=";
# unused
persistencedSha256 = "sha256-4l8N83Spj0MccA8+8R1uqiXBS0Ag4JrLPjrU3TaXHnM=";
};
}; };
}; };

6
shared/secrets/secrets.yaml
View File

@ -3,6 +3,8 @@ forgejo:
#ENC[AES256_GCM,data:oMpYBQ30sdCTtgxEZvYxTd9oi9QM0bYp5NisMdQHYT/nF2k=,iv:H9/g7XttJScVXV38+yHdbgWNFDhBYyudjK5BKHTt5wo=,tag:FNfkKfkKWDBUAXiGXkDchw==,type:comment] #ENC[AES256_GCM,data:oMpYBQ30sdCTtgxEZvYxTd9oi9QM0bYp5NisMdQHYT/nF2k=,iv:H9/g7XttJScVXV38+yHdbgWNFDhBYyudjK5BKHTt5wo=,tag:FNfkKfkKWDBUAXiGXkDchw==,type:comment]
runner-token: ENC[AES256_GCM,data:xbULBWrqosktW7XHViLH7Sk76upH31RFQNsBcXWWN7bpRadF3tpBA/hksMyEdg==,iv:v3vzUb5wsWeKWRYWT+ks4ZWGXQRhZ+td3N3bpuwoVc8=,tag:rEVoEw/QOSs8puujsRBxXQ==,type:str] runner-token: ENC[AES256_GCM,data:xbULBWrqosktW7XHViLH7Sk76upH31RFQNsBcXWWN7bpRadF3tpBA/hksMyEdg==,iv:v3vzUb5wsWeKWRYWT+ks4ZWGXQRhZ+td3N3bpuwoVc8=,tag:rEVoEw/QOSs8puujsRBxXQ==,type:str]
password-hash: ENC[AES256_GCM,data:FsGHBAw/z4tcBRObVlo//UotWHyHns0+vdJVgt2lfGiIfQG+1I60g2Tzgv/O+gz3oz41NIwAYf61SR9AfXhpnc1AxiZRlCBwMQ==,iv:oiJndSVZQ+00UPz0TuJXV+T8x9mtecrNDUaablOGffU=,tag:wQuow7C8KqelJOE9KqCxMA==,type:str] password-hash: ENC[AES256_GCM,data:FsGHBAw/z4tcBRObVlo//UotWHyHns0+vdJVgt2lfGiIfQG+1I60g2Tzgv/O+gz3oz41NIwAYf61SR9AfXhpnc1AxiZRlCBwMQ==,iv:oiJndSVZQ+00UPz0TuJXV+T8x9mtecrNDUaablOGffU=,tag:wQuow7C8KqelJOE9KqCxMA==,type:str]
mailserver:
password-hash: ENC[AES256_GCM,data:H5PlCVuwUxIjtWbNsxb/ROkY2KiNhSwvWDvTLBfR596ijRTkaH0xtltsvHiiNHmfKERfcAXKO9EyGNHc,iv:qev1fs0PPydz8cm9D7hLp6ULgUEQJm+E0Pg86bor1to=,tag:zFnJ23NDCXeur+kvNSQV6w==,type:str]
nextcloud: nextcloud:
admin-pass: ENC[AES256_GCM,data:RBuuNc7J/CCJXG8n73B5cw==,iv:uKNj40SdJn6LbZoV1i9fq+5TGmRDPYVhCxAUghV4vqs=,tag:wUHBPo5T+2tyjsQFlUXDEQ==,type:str] admin-pass: ENC[AES256_GCM,data:RBuuNc7J/CCJXG8n73B5cw==,iv:uKNj40SdJn6LbZoV1i9fq+5TGmRDPYVhCxAUghV4vqs=,tag:wUHBPo5T+2tyjsQFlUXDEQ==,type:str]
sops: sops:
@ -34,7 +36,7 @@ sops:
SGdNMnVlQlNEeVJkWmZEM1FRT2JJMGMKbZ/znJM6tFhzhHariRXMLgH/4CRZZKrb SGdNMnVlQlNEeVJkWmZEM1FRT2JJMGMKbZ/znJM6tFhzhHariRXMLgH/4CRZZKrb
YtmSdeL/Pd5YIecCpjDHDn4vQ0TBAmLaX+zVbNbRKmMZoY7777ywfA== YtmSdeL/Pd5YIecCpjDHDn4vQ0TBAmLaX+zVbNbRKmMZoY7777ywfA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-05-31T15:36:05Z" lastmodified: "2025-06-23T17:39:10Z"
mac: ENC[AES256_GCM,data:Um09D7CR5+c4L6bTdRvz1Cy5qHthlKfLfH6k9Z2NTuD2QY9Ua4kXV8byvXiP+GrrKgzV11c0a3Hk7zaQoutXmwatnaOJRT9EH3FIEADLGAFwbsSAgV7ZJ+oamZnIw/XSW/LGpwvPrX5gaTnc7jJJ3V3+tWqgBUmL4wNb2SigglM=,iv:wAXaPUs20wqh7cn8ZmFI7XLlaOYLkjtcVRm1sosO9U4=,tag:FwfNbEf+YoQBHsYBw5k6mw==,type:str] mac: ENC[AES256_GCM,data:+6X13vyCteJKZFo6RMI4rCo/gizcJO828xTL/gspgZemHcnqaf1P6nIntE5flin7IsfkxqoH8k25Xqzp6TLddsw8oYGA7fyDX7l28wFoxASTaZu2KChqGeRsEuVjuQGIAHKbB/4aI003NPT48l+uePOMNwUzlBrRnRYE5MMgQRI=,iv:UefKr2KL0+py7soUGjS0Onql/cAO+mXpvzJKJjtRppU=,tag:qcvB7rrdDRC3EfgjonM6uw==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.10.2 version: 3.10.2