martials/nixos-configuration
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: martials:main
Branches Tags
martials:main martials:keycloak-realmfiles
..
compare: martials:keycloak-realmfiles
Branches Tags
martials:main martials:keycloak-realmfiles

1 Commits
main ... keycloak-r

Author SHA1 Message Date
Martin Berg Alstad
d72e7b957a [pi4] Added Forgejo client to realmFile 2025-10-04 11:47:54 +00:00
26 changed files with 318 additions and 517 deletions
Expand all files Collapse all files

2
.sops.yaml
View File

@@ -2,7 +2,6 @@ keys:
- &thinkpad age1j66v6z6hlsgqjfv5fz7fldm5q9jay4j5v5du6ymfda6hv40nsqesg89g7p - &thinkpad age1j66v6z6hlsgqjfv5fz7fldm5q9jay4j5v5du6ymfda6hv40nsqesg89g7p
- &desktop age1fxr5s6d6ar0xy5pr63kpq93tk7jha5k96jcxnyquj6s2mw8mmcpss8w29w - &desktop age1fxr5s6d6ar0xy5pr63kpq93tk7jha5k96jcxnyquj6s2mw8mmcpss8w29w
- &pi4 age1xlnprpvshv93eerthxzg6cahklsfc4efh8dd6u8dte9u6cl0u5qsz48qlt - &pi4 age1xlnprpvshv93eerthxzg6cahklsfc4efh8dd6u8dte9u6cl0u5qsz48qlt
- &nidaros age1sf8tspnmyj2cn6gmzdfuh2vt00tmeqa0vf23rn5s44s9avafsd7sz6wgql
creation_rules: creation_rules:
- path_regex: shared/secrets/secrets.yaml$ - path_regex: shared/secrets/secrets.yaml$
key_groups: key_groups:
@@ -10,4 +9,3 @@ creation_rules:
- *thinkpad - *thinkpad
- *desktop - *desktop
- *pi4 - *pi4
- *nidaros

39
flake.lock generated
View File

@@ -119,26 +119,6 @@
"type": "github" "type": "github"
} }
}, },
"home-manager-unstable": {
"inputs": {
"nixpkgs": [
"nixpkgs-unstable"
]
},
"locked": {
"lastModified": 1760662441,
"narHash": "sha256-mlDqR1Ntgs9uYYEAUR1IhamKBO0lxoNS4zGLzEZaY0A=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "722792af097dff5790f1a66d271a47759f477755",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": { "home-manager_2": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -226,11 +206,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1759439645, "lastModified": 1757020766,
"narHash": "sha256-oiAyQaRilPk525Z5aTtTNWNzSrcdJ7IXM0/PL3CGlbI=", "narHash": "sha256-PLoSjHRa2bUbi1x9HoXgTx2AiuzNXs54c8omhadyvp0=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "879bd460b3d3e8571354ce172128fbcbac1ed633", "rev": "fe83bbdde2ccdc2cb9573aa846abe8363f79a97a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -276,7 +256,6 @@
"inputs": { "inputs": {
"catppuccin": "catppuccin", "catppuccin": "catppuccin",
"home-manager": "home-manager", "home-manager": "home-manager",
"home-manager-unstable": "home-manager-unstable",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_2",
"nixpkgs-stable": "nixpkgs-stable", "nixpkgs-stable": "nixpkgs-stable",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
@@ -337,11 +316,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1759444170, "lastModified": 1756614537,
"narHash": "sha256-b5ShONncU4Gf39QtaL5OySC9G2o612rTE/TCwx3kMeM=", "narHash": "sha256-qyszmZO9CEKAlj5NBQo1AIIADm5Fgqs5ZggW1sU1TVo=",
"owner": "Gerg-L", "owner": "Gerg-L",
"repo": "spicetify-nix", "repo": "spicetify-nix",
"rev": "e13267e8f3eb1664329fcb78a43b38b985f96f6f", "rev": "374eb5d97092b97f7aaafd58a2012943b388c0df",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -371,11 +350,11 @@
"nixpkgs": "nixpkgs_4" "nixpkgs": "nixpkgs_4"
}, },
"locked": { "locked": {
"lastModified": 1759584043, "lastModified": 1757142986,
"narHash": "sha256-YCuCmg9nRLrtTz7Zex94C8kYzh8hoSzPOA72kMLpuxM=", "narHash": "sha256-HB01usaR5wg5LK3lV6S7Za2x4AfKrNceOnun/mlpChk=",
"owner": "0xc000022070", "owner": "0xc000022070",
"repo": "zen-browser-flake", "repo": "zen-browser-flake",
"rev": "176555a4128ce90461354142ab85c7f536bfd267", "rev": "ed4bfefc49ef23e55b4f6e39d2e297a79f5ab2df",
"type": "github" "type": "github"
}, },
"original": { "original": {

91
flake.nix
View File

@@ -19,11 +19,6 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
home-manager-unstable = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
# #
# ========= Utilities ========= # ========= Utilities =========
# #
@@ -48,9 +43,7 @@
{ {
self, self,
nixpkgs, nixpkgs,
nixpkgs-unstable,
home-manager, home-manager,
home-manager-unstable,
... ...
}@inputs: }@inputs:
let let
@@ -66,9 +59,61 @@
"aarch64-linux" "aarch64-linux"
]; ];
systems = import ./systems.nix { # ========== Extend lib with lib.custom ==========
inherit common; # NOTE: This approach allows lib.custom to propagate into hm
# see: https://github.com/nix-community/home-manager/pull/3454
customLib = (_self: _super: { custom = import ./lib { inherit (nixpkgs) lib; }; });
lib = nixpkgs.lib.extend customLib;
libHm = home-manager.lib.extend customLib;
systems = builtins.map (config: defaultAttrs // config) [
{
hostName = "desktop";
nvidia.enable = true;
ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMSzXyTuQyTrWsfORQbvgrqt/33+hfSUDXeMg6D1T2wz";
}
{
hostName = "thinkpad";
ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILNlHKE/BD8kKfhJD7GBk1A3whZf3gTjk9VEgGAj3qsH";
}
{
hostName = "pi4";
system = "aarch64-linux";
wayland.enable = false;
ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJE9m7YiITe1sDqSZ7Pa8luIw3WToLsypixZEqE4wCQE";
address.private = common.localIpAddr 188;
}
{
hostName = "homelab";
wayland.enable = false;
ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIARDv5nRlfPDXdV+Db4FaqeSJZ3/3MO0frYGzuVeqYAl";
address.private = common.localIpAddr 231;
address.tailnet = common.tailnetAddr "admin";
}
];
defaultAttrs = {
hostName = builtins.abort "hostName is required";
system = "x86_64-linux";
username = common.username;
version = common.system.version;
wayland.enable = true;
nvidia.enable = false;
}; };
knownSystems = [
{
# Samsung S23 FE
hostName = "localhost-y4maoyqm";
ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII7SSjiqnjif1Kko60iXVTKJ7a1/lRlR8TFNtoclNcnQ";
}
{
# OnePlus 8
hostName = "localhost-4izgka9k";
ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALtulVgLrUEpKnpfPFQTHjaEXTxs2Q818NC18eLx0bj";
}
];
in in
{ {
# #
@@ -80,26 +125,18 @@
# #
# ========= Host Configurations ========= # ========= Host Configurations =========
# #
nixosConfigurations = builtins.mapAttrs ( nixosConfigurations = builtins.listToAttrs (
hostName: builtins.map (
{ {
hostName,
system, system,
username, username,
nixos,
... ...
}@systemConfig: }@systemConfig:
let {
pkgs = if nixos.channel == "stable" then nixpkgs else nixpkgs-unstable; name = hostName;
hm = if nixos.channel == "stable" then home-manager else home-manager-unstable; value = nixpkgs.lib.nixosSystem {
# ========== Extend lib with lib.custom ==========
# NOTE: This approach allows lib.custom to propagate into hm
# see: https://github.com/nix-community/home-manager/pull/3454
customLib = (_self: _super: { custom = import ./lib { inherit (pkgs) lib; }; });
lib = pkgs.lib.extend customLib;
libHm = hm.lib.extend customLib;
in
pkgs.lib.nixosSystem {
inherit system; inherit system;
specialArgs = { specialArgs = {
inherit inherit
@@ -108,15 +145,15 @@
common common
theme theme
lib lib
hostName
systemConfig systemConfig
systems systems
knownSystems
; ;
isDarwin = false; isDarwin = false;
}; };
modules = [ modules = [
./hosts/${hostName} ./hosts/${hostName}
hm.nixosModules.home-manager home-manager.nixosModules.home-manager
{ {
home-manager = { home-manager = {
# Backups conflicting files in case of error # Backups conflicting files in case of error
@@ -153,8 +190,10 @@
]; ];
} }
]; ];
};
} }
) systems; ) systems
);
# #
# ========= Formatting ========= # ========= Formatting =========

2
hosts/desktop/home-manager/default.nix
View File

@@ -9,4 +9,6 @@
./hyprpaper.nix ./hyprpaper.nix
./settings.nix ./settings.nix
]; ];
programs.git.signing.key = "706F53DD087A91DE";
} }

6
hosts/nidaros/boot.nix
View File

@@ -1,6 +0,0 @@
{
boot.loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
}

17
hosts/nidaros/default.nix
View File

@@ -1,17 +0,0 @@
{ lib, ... }:
{
imports = with lib.custom; [
(relativeToBase "modules")
./boot.nix
./forgejo.nix
./hardware.nix
./keycloak.nix
./podman.nix
./postgres.nix
./security
];
# Removed at 25.11
programs.nh.flake = lib.mkForce null;
}

88
hosts/nidaros/forgejo.nix
View File

@@ -1,88 +0,0 @@
{
config,
pkgs,
lib,
common,
...
}:
let
domain = "beta.code.${common.domain}";
passwordKey = "forgejo/admin-pass";
runnerTokenKey = "forgejo/runner-token";
in
{
services = {
forgejo = {
enable = true;
package = pkgs.forgejo;
database.type = "postgres";
# Enable support for Git Large File Storage
lfs.enable = true;
settings = {
server = {
DOMAIN = domain;
ROOT_URL = "https://${domain}/";
HTTP_PORT = 8002;
};
service.DISABLE_REGISTRATION = true;
actions = {
ENABLED = true;
DEFAULT_ACTIONS_URL = "github";
};
# TODO set up mailer
};
};
gitea-actions-runner = {
package = pkgs.forgejo-actions-runner;
instances.default = {
enable = true;
name = "monolith";
url = "https://${domain}";
hostPackages = with pkgs; [
bash
coreutils
curl
gawk
gitMinimal
gnused
nodejs
wget
podman
podman-compose
];
# Obtaining the path to the runner token file may differ
# tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd
tokenFile = config.sops.secrets.${runnerTokenKey}.path;
labels = [
"docker:docker://node:22-bullseye"
"native:host"
];
};
};
};
sops.secrets =
let
user = config.systemd.services.forgejo.serviceConfig.User;
in
{
${passwordKey}.owner = user;
${runnerTokenKey}.owner = user;
};
# Create a single admin user / update password if exists
systemd.services.forgejo.preStart =
let
adminCmd = "${lib.getExe config.services.forgejo.package} admin user";
pwd = config.sops.secrets.${passwordKey};
user = "martin"; # Note, Forgejo doesn't allow creation of an account named "admin"
email = "git@${common.domain}";
in
''
${adminCmd} create --admin --email "${email}" --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
## Alter an existing user. Will prompt new password on login
# ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
'';
}

53
hosts/nidaros/hardware.nix
View File

@@ -1,53 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"nvme"
"usb_storage"
"usbhid"
"sd_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/dfade67a-9cbe-4002-990a-2cd22b8e57fa";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/66F7-BE0A";
fsType = "vfat";
options = [
"fmask=0077"
"dmask=0077"
];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

7
hosts/nidaros/home-manager/default.nix
View File

@@ -1,7 +0,0 @@
{ lib, ... }:
{
imports = with lib.custom; [
(relativeToBase "home-manager")
];
}

27
hosts/nidaros/keycloak.nix
View File

@@ -1,27 +0,0 @@
{ config, common, ... }:
let
port = 8081;
domain = "iam.${common.domain}";
dbPassKey = "keycloak/database-pass";
in
{
services = {
keycloak = {
enable = true;
settings = {
hostname = "https://${domain}";
http-port = port;
http-enabled = true;
};
database = {
type = "postgresql";
createLocally = true;
port = config.services.postgresql.settings.port;
passwordFile = config.sops.secrets.${dbPassKey}.path;
};
initialAdminPassword = "changeme";
};
};
sops.secrets.${dbPassKey} = { };
}

23
hosts/nidaros/podman.nix
View File

@@ -1,23 +0,0 @@
{ pkgs, ... }:
{
virtualisation = {
# Enable common container config files in /etc/containers
containers.enable = true;
podman = {
enable = true;
# Create a `docker` alias for podman, to use it as a drop-in replacement
dockerCompat = true;
# Required for containers under podman-compose to be able to talk to each other.
defaultNetwork.settings.dns_enabled = true;
};
};
# Useful other development tools
environment.systemPackages = with pkgs; [
podman-tui # status of containers in the terminal
podman-compose # start group of containers for dev
];
}

13
hosts/nidaros/postgres.nix
View File

@@ -1,13 +0,0 @@
{ pkgs, ... }:
{
services.postgresql = {
enable = true;
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser url auth-method
local all all trust
# ipv4
host all all 127.0.0.1/32 trust
'';
};
}

22
hosts/nidaros/security/default.nix
View File

@@ -1,22 +0,0 @@
{ systemConfig, ... }:
{
imports = [
./firewall.nix
];
security.sudo.extraRules = [
{
users = [ systemConfig.username ];
runAs = "ALL:ALL";
commands = [
{
command = "ALL";
options = [ "NOPASSWD" ];
}
];
}
];
services.pcscd.enable = true;
}

17
hosts/nidaros/security/firewall.nix
View File

@@ -1,17 +0,0 @@
{ common, ... }:
{
networking = {
firewall = {
enable = true;
allowedTCPPorts = [
80
443
];
extraInputRules = ''
ip saddr ${common.localIpRange} accept
'';
};
nftables.enable = true;
};
}

4
hosts/pi4/default.nix
View File

@@ -7,10 +7,10 @@
./boot.nix ./boot.nix
./caddy.nix ./caddy.nix
./ddclient.nix ./ddclient.nix
# ./forgejo.nix ./forgejo.nix
./hardware.nix ./hardware.nix
./headscale.nix ./headscale.nix
# ./home-assitant.nix ./home-assitant.nix
./keycloak.nix ./keycloak.nix
./mailserver.nix ./mailserver.nix
./nextcloud.nix ./nextcloud.nix

2
hosts/pi4/home-manager/default.nix
View File

@@ -4,4 +4,6 @@
imports = with lib.custom; [ imports = with lib.custom; [
(relativeToBase "home-manager") (relativeToBase "home-manager")
]; ];
programs.git.signing.key = "E3FA0E995C0D0E5E";
} }

104
hosts/pi4/keycloak.nix
View File

@@ -1,8 +1,14 @@
{ config, common, ... }: {
config,
common,
pkgs,
...
}:
let let
port = 8086; port = 8086;
domain = "beta.auth.${common.domain}"; domain = "beta.auth.${common.domain}";
dbPassKey = "keycloak/database-pass"; dbPassKey = "keycloak/database-pass";
forgejoClientSecretKey = "keycloak/realms/forgejo/client/secret";
in in
{ {
@@ -21,6 +27,97 @@ in
passwordFile = config.sops.secrets.${dbPassKey}.path; passwordFile = config.sops.secrets.${dbPassKey}.path;
}; };
initialAdminPassword = "changeme"; initialAdminPassword = "changeme";
realmFiles = [
# (
# let
# name = "Default";
# in
# pkgs.writeText "${name}.json" (
# builtins.toJSON {
# realm = name;
# enabled = true;
# clients = [
# rec {
# enabled = true;
# clientId = "forgejo";
# name = "Forgejo Beta";
# description = "";
# rootUrl = "https://${config.services.forgejo.settings.server.DOMAIN}";
# adminUrl = rootUrl;
# baseUrl = rootUrl;
# surrogateAuthRequired = false;
# alwaysDisplayInConsole = true;
# clientAuthenticatorType = "client-secret";
# # secret = readFile config.sops.secrets.${forgejoClientSecretKey}.path;
# redirectUris = [ "${rootUrl}/*" ];
# webOrigins = [ rootUrl ];
# notBefore = 0;
# bearerOnly = false;
# consentRequired = false;
# standardFlowEnabled = true;
# implicitFlowEnabled = false;
# directAccessGrantsEnabled = false;
# serviceAccountsEnabled = false;
# publicClient = false;
# frontchannelLogout = true;
# protocol = "openid-connect";
# attributes = {
# "realm_client" = "false";
# "oidc.ciba.grant.enabled" = "false";
# "client.secret.creation.time" = "1758824229";
# "backchannel.logout.session.required" = "true";
# "standard.token.exchange.enabled" = "false";
# "frontchannel.logout.session.required" = "true";
# "display.on.consent.screen" = "false";
# "oauth2.device.authorization.grant.enabled" = "false";
# "backchannel.logout.revoke.offline.tokens" = "false";
# };
# authenticationFlowBindingOverrides = { };
# fullScopeAllowed = true;
# nodeReRegistrationTimeout = -1;
# defaultClientScopes = [
# "web-origins"
# "offline_access"
# "profile"
# "roles"
# "basic"
# "email"
# ];
# optionalClientScopes = [
# "acr"
# "address"
# "phone"
# "organization"
# "microprofile-jwt"
# ];
# access = {
# view = true;
# configure = true;
# manage = true;
# };
# }
# ];
# users = [
# {
# enabled = true;
# firstName = "Christian";
# lastName = "Bauer";
# username = "cbauer";
# email = "cbauer@localhost";
# credentials = [
# {
# type = "password";
# temporary = false;
# value = "changeme";
# }
# ];
# }
# ];
# }
# )
# )
];
}; };
nginx.virtualHosts.${domain} = { nginx.virtualHosts.${domain} = {
@@ -29,5 +126,8 @@ in
locations."/".proxyPass = "http://localhost:${toString port}"; locations."/".proxyPass = "http://localhost:${toString port}";
}; };
}; };
sops.secrets.${dbPassKey} = { }; sops.secrets = {
${dbPassKey} = { };
${forgejoClientSecretKey} = { };
};
} }

6
hosts/pi4/nginx.nix
View File

@@ -15,9 +15,7 @@ let
inherit locations; inherit locations;
}; };
homelab = "http://${common.localIpAddr 231}"; homelab = "http://${common.localIpAddr 231}";
nidaros = "http://${common.localIpAddr 228}"; homelabProxy = proxyTo homelab; # TODO get homelab local ip from systems
homelabProxy = proxyTo homelab; # TODO get local ip from systems attrSet
nidarosProxy = proxyTo nidaros;
redirect = subdomain: { redirect = subdomain: {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@@ -40,7 +38,6 @@ in
"kitchenowl.${domain}" = redirect "grocery"; "kitchenowl.${domain}" = redirect "grocery";
# Gitea # Gitea
"code.${domain}" = homelabProxy 3000; "code.${domain}" = homelabProxy 3000;
"beta.code.${domain}" = nidarosProxy 8002;
# Nextcloud # Nextcloud
"nextcloud.${domain}" = proxyLocations { "nextcloud.${domain}" = proxyLocations {
"/".proxyPass = "${homelab}:11000"; "/".proxyPass = "${homelab}:11000";
@@ -88,7 +85,6 @@ in
# Donetick # Donetick
"chore.${domain}" = homelabProxy 2021; "chore.${domain}" = homelabProxy 2021;
"recurring-events-api.${domain}" = homelabProxy 8095; "recurring-events-api.${domain}" = homelabProxy 8095;
"iam.${domain}" = nidarosProxy 8081;
}; };
}; };

2
hosts/thinkpad/home-manager/default.nix
View File

@@ -9,4 +9,6 @@
./hyprland ./hyprland
./zen ./zen
]; ];
programs.git.signing.key = "848D71DE0590C199";
} }

6
justfile
View File

@@ -69,11 +69,11 @@ generate-ssh:
# Generate a new age key from an existing ssh key (without passphrase) # Generate a new age key from an existing ssh key (without passphrase)
generate-age-from-ssh: generate-age-from-ssh:
mkdir -p ~/.config/sops/age mkdir -p ~/.config/sops/age
nix run nixpkgs#ssh-to-age --experimental-features 'nix-command flakes' -- -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt nix run nixpkgs#ssh-to-age -- -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt
# Get a public age key from an existing age private key # Get a public age key from an existing age private key
get-public-age-key: get-public-age-key:
nix shell nixpkgs#age --experimental-features 'nix-command flakes' -c age-keygen -y ~/.config/sops/age/keys.txt nix shell nixpkgs#age -c age-keygen -y ~/.config/sops/age/keys.txt
# Get the public ssh key from the current user # Get the public ssh key from the current user
get-public-ssh-key: get-public-ssh-key:
@@ -81,7 +81,7 @@ get-public-ssh-key:
# Edit the SOPS secrets file # Edit the SOPS secrets file
edit-secrets: edit-secrets:
nix run nixpkgs#sops --experimental-features 'nix-command flakes' -- shared/secrets/secrets.yaml nix run nixpkgs#sops -- shared/secrets/secrets.yaml
# Hash a string using the mkpasswd command # Hash a string using the mkpasswd command
hash PASS: hash PASS:

14
shared/base/home-manager/development/git.nix
View File

@@ -1,9 +1,4 @@
{ { pkgs, common, ... }:
pkgs,
common,
systemConfig,
...
}:
{ {
home.packages = with pkgs; [ home.packages = with pkgs; [
@@ -28,14 +23,9 @@
p = "push"; p = "push";
}; };
signing = { signing.signByDefault = true;
signByDefault = true;
key = systemConfig.git.signing.key;
};
extraConfig = { extraConfig = {
init.defaultBranch = "main";
advice.defaultBranchName = false;
pull.rebase = true; pull.rebase = true;
push.autoSetupRemote = true; push.autoSetupRemote = true;
safe.directory = "/etc/nixos"; safe.directory = "/etc/nixos";

18
shared/base/home-manager/ssh.nix
View File

@@ -5,24 +5,28 @@
common, common,
... ...
}: }:
with builtins;
{ {
programs.ssh = { programs.ssh = {
enable = true; enable = true;
matchBlocks = builtins.mapAttrs ( matchBlocks = listToAttrs (
hostName: system: map (system: {
name = system.hostName;
value =
let let
_hostName = hostName =
if (system ? address && system.address ? tailnet) then if (system ? address && system.address ? tailnet) then
system.address.tailnet system.address.tailnet
else else
common.tailnetAddr hostName; common.tailnetAddr system.hostName;
in in
{ {
port = 22; port = 22;
user = systemConfig.username; user = systemConfig.username;
hostname = _hostName; hostname = hostName;
} };
) systems; }) systems
);
}; };
} }

4
shared/base/modules/networking.nix
View File

@@ -1,4 +1,4 @@
{ pkgs, hostName, ... }: { pkgs, systemConfig, ... }:
{ {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
@@ -7,7 +7,7 @@
networking = { networking = {
networkmanager.enable = true; networkmanager.enable = true;
hostName = hostName; hostName = systemConfig.hostName;
}; };
programs.ssh.enableAskPassword = false; programs.ssh.enableAskPassword = false;

26
shared/base/modules/security/ssh.nix
View File

@@ -1,15 +1,33 @@
# /nix/store/<hash>/etc/ssh/ssh_config & /nix/store/<hash>/etc/ssh/authorized_keys # /nix/store/<hash>/etc/ssh/ssh_config & /nix/store/<hash>/etc/ssh/authorized_keys
{ {
lib,
systemConfig, systemConfig,
systems, systems,
knownSystems,
common,
... ...
}: }:
with builtins;
let
allSystems = knownSystems ++ systems;
in
{ {
programs.ssh.knownHosts = builtins.mapAttrs (hostName: system: { programs.ssh.knownHosts = listToAttrs (
map (system: {
name = system.hostName;
value = {
extraHostNames = [
(
if (system ? address && system.address ? tailnet) then
system.address.tailnet
else
common.tailnetAddr system.hostName
)
];
publicKey = system.ssh.publicKey; publicKey = system.ssh.publicKey;
}) systems; };
}) allSystems
);
users.users.${systemConfig.username}.openssh.authorizedKeys.keys = ( users.users.${systemConfig.username}.openssh.authorizedKeys.keys = (
lib.mapAttrsToList (_hostName: system: system.ssh.publicKey) systems map (system: system.ssh.publicKey) allSystems
); );
} }

63
shared/secrets/secrets.yaml
View File

@@ -1,55 +1,50 @@
cloudflare: cloudflare:
api-token: ENC[AES256_GCM,data:vmmPUCCJJPa1ElN9njBHKjESGrE34oycJIjTmZfScN+zI3VpYeNi0A==,iv:P3m6zrFMdPSiPJn5sdCTw/2vr+R4s98tycyO7I/qKZU=,tag:zuqrLvkjV7v5iO5tA+Rq+A==,type:str] api-token: ENC[AES256_GCM,data:UfTphnoN4REAue0bP5JKPfgvq36Jlxndl7dD46BKwg7ygW2Mj4mm4w==,iv:vS223ZAqACt1ZHJHCeztCVm+BghMhVYJfTuvBlySf+o=,tag:mxf6jL7/ItsxPOHb7S5upQ==,type:str]
forgejo: forgejo:
admin-pass: ENC[AES256_GCM,data:7QSF0usRgM59fTV8pf3pJdDA,iv:51Eud+ge4AXVOUNubXaY6hPYAbEL8Ue+aGlnWoJUO1g=,tag:VYtxk39yJ1NS8V3EMvZFAw==,type:str] admin-pass: ENC[AES256_GCM,data:RGTOw0Yo5rJGEVLGsQgyk9Wc,iv:SuN770eAgFIVd4pJ6vmPIvVCMqTW/2sBUYUbqym2cHo=,tag:YlyNR/fFchdBwzCuIsWGMA==,type:str]
#ENC[AES256_GCM,data:QcBVOZQp1IZIICQMvYxn9NrbifM7iSvxslZWsuA6nfL/lw4=,iv:hZ0tRwf3GNCQ1+lolOdIEgXhAN2N4W4V9jV9hsDJ0iA=,tag:4TsivDKERKez8GPYPqzGaw==,type:comment] #ENC[AES256_GCM,data:oMpYBQ30sdCTtgxEZvYxTd9oi9QM0bYp5NisMdQHYT/nF2k=,iv:H9/g7XttJScVXV38+yHdbgWNFDhBYyudjK5BKHTt5wo=,tag:FNfkKfkKWDBUAXiGXkDchw==,type:comment]
runner-token: ENC[AES256_GCM,data:w2yAo3cgEm7sjnobIgPmc80THJY+RKawcKuE4wlWTzmxa+2RSObW/baEKPNI4g==,iv:E024Qu9rEc8hdW0seAwkGEB8cX+sEvQ+IPJ0vGU0Mxk=,tag:zgNidYP/zUGwSf456Fbu2w==,type:str] runner-token: ENC[AES256_GCM,data:xbULBWrqosktW7XHViLH7Sk76upH31RFQNsBcXWWN7bpRadF3tpBA/hksMyEdg==,iv:v3vzUb5wsWeKWRYWT+ks4ZWGXQRhZ+td3N3bpuwoVc8=,tag:rEVoEw/QOSs8puujsRBxXQ==,type:str]
keycloak: keycloak:
database-pass: ENC[AES256_GCM,data:DkJPELSSrFDb4CkKCP3l+yWy,iv:y8U+31rPGDygl8HSnKyzgSGjZ7KiIw5nFA6C349nHFc=,tag:7IiU+GJAjHJjNHg//2TjYw==,type:str] database-pass: ENC[AES256_GCM,data:+1lXS/wmBg/klmRqmSW3bZiZ,iv:iFYNIrBzYPBwjusHlPJj6EKDmGgGFmDLhiL+SEq6gHE=,tag:8CoF/94nyhaTHpkij59NGQ==,type:str]
password-hash: ENC[AES256_GCM,data:vauLFR3MW4gkQdSxZiGEp+0ZN2mZH+xPGZmwqR8BgLIRBmjx6Ufq3rQwtefEwJDGTw+/fvOeaUFtj1bphKnyTf0448D2L+Uytg==,iv:45l7Vvr0ycDQScADihDuou9FJrdUgC5PxOmsIqB2J0U=,tag:/KBo0CcGYsrmkGxOR8QqTQ==,type:str] realms:
forgejo:
client:
secret: ENC[AES256_GCM,data:CkjdtBemZd+JryPNoLA6MsGJKvYeoziOITJlZG1YhPA=,iv:yXi55RDYiwfwFde8W0EiNuo5T+ZNuuJdTOT2ydEpIXc=,tag:epXzDVifVGdasN6uHqmV+g==,type:str]
password-hash: ENC[AES256_GCM,data:FsGHBAw/z4tcBRObVlo//UotWHyHns0+vdJVgt2lfGiIfQG+1I60g2Tzgv/O+gz3oz41NIwAYf61SR9AfXhpnc1AxiZRlCBwMQ==,iv:oiJndSVZQ+00UPz0TuJXV+T8x9mtecrNDUaablOGffU=,tag:wQuow7C8KqelJOE9KqCxMA==,type:str]
mailserver: mailserver:
password-hash: ENC[AES256_GCM,data:zQ242cSWVoGgN92oo1NSGkfUGpQ1vnwbAunFH18fwj36FgtrMgpFNKVhijB4az4LOQPYafat9XAoOpDc,iv:e7I3l0SLIoQbQs2fvFG3iyfiFP5zfo1egebkZMcaADM=,tag:jUww/lsREg4tbzqk9j7eUA==,type:str] password-hash: ENC[AES256_GCM,data:H5PlCVuwUxIjtWbNsxb/ROkY2KiNhSwvWDvTLBfR596ijRTkaH0xtltsvHiiNHmfKERfcAXKO9EyGNHc,iv:qev1fs0PPydz8cm9D7hLp6ULgUEQJm+E0Pg86bor1to=,tag:zFnJ23NDCXeur+kvNSQV6w==,type:str]
nextcloud: nextcloud:
admin-pass: ENC[AES256_GCM,data:K/rdgJ3sp96RoLsTIvcWjA==,iv:E7P+kvX1FnY09EyLdRtLw+pQEuAQKpnxsY7qOpOQJXA=,tag:XPbHOnwIN3HZrkZSuaIhvg==,type:str] admin-pass: ENC[AES256_GCM,data:RBuuNc7J/CCJXG8n73B5cw==,iv:uKNj40SdJn6LbZoV1i9fq+5TGmRDPYVhCxAUghV4vqs=,tag:wUHBPo5T+2tyjsQFlUXDEQ==,type:str]
sops: sops:
age: age:
- recipient: age1j66v6z6hlsgqjfv5fz7fldm5q9jay4j5v5du6ymfda6hv40nsqesg89g7p - recipient: age1j66v6z6hlsgqjfv5fz7fldm5q9jay4j5v5du6ymfda6hv40nsqesg89g7p
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRMXVLK0Z3ZXBnUm9DR09v YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyMHl6emFJdE4rVGduT2V1
Q3JTODkrbkcvS0I0WUF1NWkwdGpjSEgxUTJjCmowUUNYRTUyVjBMQlM4TjF1cGxG Y1hFdlRxVHJ1NlV0R2JRZm5SMVVzVmpRQlM0CjhUN0dqajNpQXg4a29Ca1VLMDJ1
dGZHZm5hU2FYa2JMbWIvbVYwOVNkR28KLS0tIGVwVlJMTjYrSjlYRlphSkZhTTJI UmpsMFRJd254TlpGNzdDV2ZQTU9icDAKLS0tIG0wSVppUmU5TVdlMHhsQ3pMNDhJ
T0dGQW9rRTUzRytYcGVjRW9wTExvUDQKKM8nkeIHJ7RKj1/8Qvmvck+dkln+bWEn TFkrWitpb3h3UDhFNUN5Yi80YXlLbjQKxdG0m3CZ+elvzSNC9+aD15AOejkT5hJR
dsob0NlalJQGqNOeM7vib4MV/CAjP4Sq7nU4u9PQ3r/Y1FZ6Tg1l3Q== hhjtn+aUF8JvAIgggLqE1qU1XYIkbzk5//TWz5FaKeszinv9x8plvA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1fxr5s6d6ar0xy5pr63kpq93tk7jha5k96jcxnyquj6s2mw8mmcpss8w29w - recipient: age1fxr5s6d6ar0xy5pr63kpq93tk7jha5k96jcxnyquj6s2mw8mmcpss8w29w
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0QzlmM1hBU21iWkFWRTlz YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzRGNSYjM2Qkx5M294QWVS
NXFEWjdlMzNpa1hmWFNnWHhwUGE2RGphK1JnCnUzYWt6NE5HK1RKeTc0YXdab254 ZkJzR0VuTzdOR1FIc2c2bWx0akVPZVB0T1hvCmxuMjZWWlVmSUhKUys0QlMxMDV3
Y1NYMUdaNFlMVVcyeEQzelZiU3ZQdHcKLS0tIExmcFk3akN6K3NZWVZtdmgvUjU5 ZCt1ZjJNZlV5K0Zpd3NGcldhWDFDcjgKLS0tIG9mSHA1Um5Hb2NtVm5XRFdvVHVT
bms3SG1hdDJsLzdDZmgycDM1cjJVbDAKnF+v5T1deA4z2er2hk4G2Kk56KapEgI+ NHp1WThrcU1hOEI5RExCbVlnV2VYNlEKV4DSgHYs/zhF34h14RX2rvVXNo2uxCpD
n2e4yi4A5Uv0oJG2lp8ya1PZeK5z4LFi3HnYqNsCZtjzG6hsAVmvLQ== uUiwU4and1T5Q09MOjqdbs2e7QM+VjKB4P/w34KkcqXTkJeR/IBF/g==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1xlnprpvshv93eerthxzg6cahklsfc4efh8dd6u8dte9u6cl0u5qsz48qlt - recipient: age1xlnprpvshv93eerthxzg6cahklsfc4efh8dd6u8dte9u6cl0u5qsz48qlt
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRaVJxOGsrR2tkME9md0Qz YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1c3p0N0c2RGJZMmxzcUgw
c0xDMDBVYWhBMzBRRWZybXN6THIwbXl4em1RCmoxenJKYVBMNThtNzFaS1NLS2l3 bHZhcnlnWlczSGJRMVJRNitqVmV6YThIRWlBCitWUzVCN25JbzhJeG9haEVORUk5
bXBnMlEvZklSZ1hnTCtDSFhSYUVOMlUKLS0tIEFJdCt2S0dBMmZic29ReGxZK0Ji QmhIc0R0c0diNmNPc0dYM2YyNVdScVUKLS0tIG1waU1QYXNVMXU4bC9rNUxwUDIz
WkNIdzh5cERpN0JpMzVRME54bmdleXMKr6+azEKtBSSk+RzMRjrmedIEDnkr5rBY SGdNMnVlQlNEeVJkWmZEM1FRT2JJMGMKbZ/znJM6tFhzhHariRXMLgH/4CRZZKrb
/gWNWadyu6zGHGnaEsHy4ikQx3++tGfB6O3MjN2mncKLCICO6vCSYg== YtmSdeL/Pd5YIecCpjDHDn4vQ0TBAmLaX+zVbNbRKmMZoY7777ywfA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1sf8tspnmyj2cn6gmzdfuh2vt00tmeqa0vf23rn5s44s9avafsd7sz6wgql lastmodified: "2025-09-30T16:56:04Z"
enc: | mac: ENC[AES256_GCM,data:BFdEyBs/0hhgldAKVJ/E9gldpU8nyvNuRPP/Ye/ke3aqk+oWvcXJn9oOX47sFwaDQAlrM4E97/baygzIJFH+jkOPZYhlAxLA31KumB+d5WQedPP+yWrHfzwQCIIs6ye9Hl6VljVkMP8OMjGD+oNrm2XqfUkBL+Y3Mxpi0zdksFc=,iv:WXGVtK9EBIS2F1JNr3Nk0hy2fUsNlKkhpRJFR5u/H9U=,tag:JouBIk5rK5ZDdTvw2WWW1g==,type:str]
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmb0xmcDNqS0V0N3hGbjNK
anRIWElhWDBUbFd2TFpsMVNZTTBqZEtzTVZvCklvSEJ0dWNwYnR5NkNZVnJRTFhL
MVZDdWE4bEhSdVlpRTRDTlRWYmJaeU0KLS0tIEp2NjVUVFBPME1VNFVuQ3FSdVBY
YldpMnlOQWpvQ3NNVkJ3a043WGwybWsKnvMrgShgLuorobePyJii5AbZZ9L37Zwc
OjLaX7UhBx/gLUjDXKUJML0iulCWjPCrCdcd+UD2/Rk7t1G3SSMlQw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-10-18T12:57:58Z"
mac: ENC[AES256_GCM,data:eDvOR6u6/hPIAqQG2ryIj70B3Tix6RHbQQtNzsjZPgRvrCjgByioi7PhzPYPLKtp80mtYWH/SUQ8IAsRS6TAdiJRDbbdbQYuWtg187pZ3xj2QP50C8AzGnI/EI3z3/ZMmwFY4MtJzKaZh6K6PLU3uk87Adg/x5H5P7wIqf37gqk=,iv:zC+EuMVwBmC5icNpI29/ZJQLx8kijwLLT7D8NClbHOM=,tag:VssTqTZ7AZKPQKIaO66SvQ==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.10.2 version: 3.10.2

51
systems.nix
View File

@@ -1,51 +0,0 @@
{ common, ... }:
# TODO add type, desktop, server, ...?
let
defaultConfig = {
system = "x86_64-linux";
username = common.username;
version = common.system.version;
wayland.enable = true;
nvidia.enable = false;
nixos.channel = "stable"; # stable | unstable
};
in
builtins.mapAttrs (_hostName: systemConfig: defaultConfig // systemConfig) {
desktop = {
nvidia.enable = true;
ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMSzXyTuQyTrWsfORQbvgrqt/33+hfSUDXeMg6D1T2wz";
git.signing.key = "706F53DD087A91DE";
};
thinkpad = {
ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILNlHKE/BD8kKfhJD7GBk1A3whZf3gTjk9VEgGAj3qsH";
git.signing.key = "848D71DE0590C199";
};
pi4 = {
system = "aarch64-linux";
wayland.enable = false;
ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJE9m7YiITe1sDqSZ7Pa8luIw3WToLsypixZEqE4wCQE";
address.private = common.localIpAddr 188;
git.signing.key = "E3FA0E995C0D0E5E";
};
homelab = {
ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIARDv5nRlfPDXdV+Db4FaqeSJZ3/3MO0frYGzuVeqYAl";
address.private = common.localIpAddr 231;
address.tailnet = common.tailnetAddr "admin";
};
nidaros = {
wayland.enable = false;
ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILw1iNuPnX9NGt+UAvBDzkk26d1e4nF+XX2FMm+IRWtt";
address.private = common.localIpAddr 228;
git.signing.key = "4E323F914029E976";
nixos.channel = "unstable";
version = "25.11";
};
# Samsung S23 FE
localhost-y4maoyqm = {
ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII7SSjiqnjif1Kko60iXVTKJ7a1/lRlR8TFNtoclNcnQ";
};
# OnePlus 8
localhost-4izgka9k = {
ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALtulVgLrUEpKnpfPFQTHjaEXTxs2Q818NC18eLx0bj";
};
}