capytal/spacestation
1
0
Fork 0
mirror of http://code.capytal.cc/dot013/spacestation.git synced 2026-01-15 23:46:13 -03:00
Code Issues Activity

feat: initial commit, migrate main config from dot013/.nix

Browse Source
This commit is contained in:
Gustavo "Guz" L. de Mello
2024-06-15 18:29:36 -03:00
commit 0d1473f370
24 changed files with 1246 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored Normal file
View File

@@ -0,0 +1,3 @@
*.*~
*.iso
Session.vim

11
.sops.yaml Normal file
View File

@@ -0,0 +1,11 @@
keys:
- &primary age1sseqwwa7fc0ftry8njyuagdg28fkmtdwmj6m7p3etjsj83suee3shfzjyz
creation_rules:
- path_regex: secrets/spacestation.yaml$
key_groups:
- age:
- *primary
- path_regex: secrets/spacestation.lesser.json$
key_groups:
- age:
- *primary

81
configuration.nix Normal file
View File

@@ -0,0 +1,81 @@
{ config
, lib
, inputs
, pkgs
, ...
}: {
imports = [
./hardware-configuration.nix
inputs.dot013-environment.nixosModules.default
./services
./modules
./secrets.nix
];
programs.nh.enable = true;
programs.nh.flake = "/home/guz/nix";
profiles.locale.enable = true;
home-manager.extraSpecialArgs = { inherit inputs; };
users.users."guz" = {
shell = pkgs.zsh;
hashedPasswordFile = builtins.toString config.sops.secrets."guz/password".path;
home = "/home/guz";
isNormalUser = true;
extraGroups = [ "wheel" "networkmanager" "plugdev" ];
};
home-manager.users."guz" = import ./homes/guz.nix;
dot013.environment.enable = true;
dot013.environment.interception-tools.enable = false;
programs.gnupg.agent = {
enable = true;
pinentryPackage = pkgs.pinentry-gnome3;
settings = {
default-cache-ttl = 3600 * 24;
};
};
environment.systemPackages = with pkgs; [
git
libinput
];
nix.settings.experimental-features = [ "nix-command" "flakes" ];
nix.package = pkgs.nixVersions.nix_2_21;
networking = {
networkmanager.enable = true;
hostName = "spacestation";
wireless.enable = false;
dhcpcd.enable = true;
defaultGateway = "192.168.1.1";
interfaces."eno1".ipv4.addresses = [
{
address = "192.168.1.10";
prefixLength = 24;
}
];
};
services.openssh.enable = true;
security.rtkit.enable = true;
# Bootloader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.11"; # Did you read the comment?
}

142
flake.lock generated Normal file
View File

@@ -0,0 +1,142 @@
{
"nodes": {
"dot013-environment": {
"inputs": {
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1718398180,
"narHash": "sha256-jru21A3VkuAZNMauZe8DrdiotIdu1SfUNtksI1PxwUk=",
"owner": "dot013",
"repo": "environment",
"rev": "7f4cfd9924d6abcc23fafe1d48fd1e849c6448a4",
"type": "github"
},
"original": {
"owner": "dot013",
"repo": "environment",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1718243258,
"narHash": "sha256-abBpj2VU8p6qlRzTU8o22q68MmOaZ4v8zZ4UlYl5YRU=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "8d5e27b4807d25308dfe369d5a923d87e7dbfda3",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"nix-index-database": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1718458449,
"narHash": "sha256-FcX3/lTbb+WIW783b18SPudPYhdmmNLQADf4S3SsZos=",
"owner": "Mic92",
"repo": "nix-index-database",
"rev": "963639a87fb7f746d45f14b8ab429d2c52dbb396",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "nix-index-database",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1718318537,
"narHash": "sha256-4Zu0RYRcAY/VWuu6awwq4opuiD//ahpc2aFHg2CWqFY=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "e9ee548d90ff586a6471b4ae80ae9cfcbceb3420",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1717880976,
"narHash": "sha256-BRvSCsKtDUr83NEtbGfHLUOdDK0Cgbezj2PtcHnz+sQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "4913a7c3d8b8d00cb9476a6bd730ff57777f740c",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1718318537,
"narHash": "sha256-4Zu0RYRcAY/VWuu6awwq4opuiD//ahpc2aFHg2CWqFY=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "e9ee548d90ff586a6471b4ae80ae9cfcbceb3420",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"dot013-environment": "dot013-environment",
"home-manager": "home-manager",
"nix-index-database": "nix-index-database",
"nixpkgs": "nixpkgs_2",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1718137936,
"narHash": "sha256-psA+1Q5fPaK6yI3vzlLINNtb6EeXj111zQWnZYyJS9c=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "c279dec105dd53df13a5e57525da97905cc0f0d6",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

41
flake.nix Normal file
View File

@@ -0,0 +1,41 @@
{
description = ".homelab";
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
home-manager = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs";
};
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
nix-index-database = {
url = "github:Mic92/nix-index-database";
inputs.nixpkgs.follows = "nixpkgs";
};
dot013-environment.url = "github:dot013/environment";
};
outputs =
{ nixpkgs
, home-manager
, ...
} @ inputs: {
nixosConfigurations = {
spacestation = nixpkgs.lib.nixosSystem {
specialArgs = {
inherit inputs;
};
modules = [
inputs.home-manager.nixosModules.default
./configuration.nix
];
};
};
};
}

42
hardware-configuration.nix Normal file
View File

@@ -0,0 +1,42 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config
, lib
, pkgs
, modulesPath
, ...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" "sdhci_acpi" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/26878c61-60d2-4ac9-967f-30faffc0f21f";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/ACCB-816C";
fsType = "vfat";
};
swapDevices = [
{ device = "/dev/disk/by-uuid/878a189a-e5df-4e1c-92d5-df6f77ff53bb"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

17
homes/guz.nix Normal file
View File

@@ -0,0 +1,17 @@
{ config
, pkgs
, inputs
, lib
, ...
}: {
imports = [
inputs.dot013-environment.homeManagerModule
];
programs.home-manager.enable = true;
home.username = "guz";
home.homeDirectory = "/home/guz";
home.stateVersion = "23.11"; # DO NOT CHANGE
}

62
modules/adguardhome.nix Normal file
View File

@@ -0,0 +1,62 @@
{ config
, lib
, ...
}:
let
cfg = config.services.adguardhome;
in
{
imports = [ ];
options.services.adguardhome = with lib;
with lib.types; {
dns.filters = mkOption {
type = attrsOf (submodule ({ lib, ... }: {
options = {
name = mkOption {
type = nullOr str;
default = null;
};
url = mkOption {
type = str;
};
enabled = mkOption {
type = bool;
default = true;
};
};
}));
default = { };
};
dns.rewrites = mkOption {
type = attrsOf str;
default = { };
};
};
config = with lib;
mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [ 53 ];
networking.firewall.allowedUDPPorts = [ 53 51820 ];
services.adguardhome = {
settings = {
filtering.rewrites = builtins.attrValues (builtins.mapAttrs
(from: to: {
domain = from;
answer = to;
})
cfg.dns.rewrites);
filters = attrValues (mapAttrs
(id: list: {
name =
if isNull list.name
then id
else list.name;
ID = id;
url = list.url;
enabled = list.enabled;
})
cfg.dns.filters);
};
};
};
}

9
modules/default.nix Normal file
View File

@@ -0,0 +1,9 @@
{ ... }: {
imports = [
./adguardhome.nix
./forgejo
./locales.nix
./nh
./tailscale.nix
];
}

205
modules/forgejo/default.nix Normal file
View File

@@ -0,0 +1,205 @@
{ config
, lib
, pkgs
, utils
, ...
}:
let
cfg = config.services.forgejo;
yamlFormat = pkgs.formats.yaml { };
users = builtins.attrValues (builtins.mapAttrs
(username: info: {
name =
if isNull info.name
then username
else info.name;
email = info.email;
password = info.password;
admin = info.admin;
})
cfg.users);
initList = l: lib.strings.concatStringsSep "," l;
in
{
imports = [ ];
options.services.forgejo = with lib;
with lib.types; {
handleUndeclaredUsers = mkOption {
type = bool;
default = false;
};
users = mkOption {
type = attrsOf (submodule ({ config
, lib
, ...
}:
with lib;
with lib.types; {
options = {
name = mkOption {
type = nullOr (either str path);
default = null;
};
password = mkOption {
type = either str path;
};
email = mkOption {
type = either str path;
};
admin = mkOption {
type = bool;
default = false;
};
};
}));
default = { };
};
actions = {
enable = mkOption {
type = bool;
default = cfg.enable;
};
token = mkOption {
type = str;
};
url = mkOption {
type = str;
default = "http://localhost:${toString cfg.settings.server.HTTP_PORT}";
};
labels = mkOption {
type = listOf str;
default = [
/*
Remember to install git on these images so actions/checkout can work,
without it, the actions tries to use the /api/v3/repos/{user}/{repo}/tarball/{ref}
api endpoint, which Gitea/Forgejo doesn't has.
*/
"ubuntu-latest:docker://gitea/runner-images:ubuntu-latest-slim"
"ubuntu-latest-full:docker://gitea/runner-images:ubuntu-latest"
];
};
};
};
config = with lib;
mkIf cfg.enable {
networking.firewall.allowedTCPPorts = mkIf cfg.settings.actions.ENABLED [
cfg.settings.server.HTTP_PORT
];
networking.firewall.allowedUDPPorts = mkIf cfg.settings.actions.ENABLED [
cfg.settings.server.HTTP_PORT
];
users.users."${cfg.user}" = {
home = cfg.stateDir;
useDefaultShell = true;
group = cfg.group;
isSystemUser = true;
extraGroups = [ "wheel" "networkmanager" ];
};
users.groups."${cfg.group}" = { };
services.forgejo = {
user = mkDefault "git";
group = mkDefault cfg.user;
settings = {
DEFAULT = {
APP_NAME = mkDefault "Forgejo: Beyond coding. We forge.";
};
actions = {
ENABLED = mkDefault cfg.actions.enable;
DEFAULT_ACTIONS_URL = mkDefault "http://localhost:${toString cfg.settings.server.HTTP_PORT}";
};
repository = {
DEFAULT_REPO_UNITS = mkDefault (initList [
"repo.code"
]);
DISABLED_REPO_UNITS = mkIf (!cfg.actions.enable) (mkDefault (initList [
"repo.actions"
]));
};
service = {
# DISABLE_REGISTRARION = mkDefault true;
};
};
};
virtualisation.docker.enable = mkIf cfg.actions.enable (mkDefault true);
services.gitea-actions-runner = mkIf cfg.actions.enable {
package =
if config.services.gitea.enable
then pkgs.gitea-actions-runner
else pkgs.forgejo-actions-runner;
instances."forgejo${toString cfg.settings.server.HTTP_PORT}" = {
enable = mkDefault true;
token = mkDefault cfg.actions.token;
name = mkDefault "${cfg.settings.DEFAULT.APP_NAME} - Actions";
url = cfg.actions.url;
labels = mkDefault cfg.actions.labels;
settings = {
runner = {
insecure = true;
};
};
};
};
systemd.services."forgejo-users-setup" = with builtins; {
script = ''
function gum() { ${pkgs.gum}/bin/gum "$@"; }
function forgejo() {
# local config_file="${toString cfg.stateDir}/custom/conf/app.ini";
# touch $config_file
${cfg.package}/bin/gitea \
--work-path ${cfg.stateDir} \
"$@"
}
function fjuser() { forgejo admin user "$@"; }
function awk() { ${pkgs.gawk}/bin/awk "$@"; }
handle_undeclared_users="${
if cfg.handleUndeclaredUsers
then "true"
else "false"
}";
declared_users=(${toString (map (user: "${
if isPath user.name
then "$(cat ${toString user.name})"
else user.name
}")
users)});
${readFile ./user-handler.sh}
${toString (map (user: ''
set-user "${
if isPath user.name
then "$(cat ${toString user.name})"
else user.name
}" "${
if isPath user.email
then "$(cat ${toString user.email})"
else user.email
}" "${
if isPath user.password
then "$(cat ${toString user.password})"
else user.password
}" \
"${
if user.admin
then "true"
else "false"
}"
'')
users)}
'';
wantedBy = [ "multi-user.target" ];
after = [ "forgejo.service" ];
serviceConfig = {
Type = "oneshot";
User = cfg.user;
Group = cfg.group;
};
};
};
}

0
modules/forgejo/user-handler.sh Normal file
View File

65
modules/locales.nix Normal file
View File

@@ -0,0 +1,65 @@
{ config
, lib
, ...
}:
let
cfg = config.profiles.locale;
in
{
imports = [ ];
options.profiles.locale = with lib;
with lib.types; {
enable = mkEnableOption "";
locale = mkOption {
type = str;
default = "en_US.UTF-8";
};
extraLocales = mkOption {
type = attrsOf str;
default = rec {
LC_ADDRESS = "pt_BR.UTF-8";
LC_IDENTIFICATION = LC_ADDRESS;
LC_MEASUREMENT = LC_ADDRESS;
LC_MONETARY = LC_ADDRESS;
LC_NAME = LC_ADDRESS;
LC_NUMERIC = LC_ADDRESS;
LC_PAPER = LC_ADDRESS;
LC_TELEPHONE = LC_ADDRESS;
LC_TIME = LC_ADDRESS;
};
};
keymap.layout = mkOption {
type = str;
default = "br";
};
keymap.variant = mkOption {
type = str;
default = "";
};
keymap.console = mkOption {
type = str;
default = "br-abnt2";
};
timeZone = mkOption {
type = str;
default = "America/Sao_Paulo";
};
};
config = {
i18n = {
defaultLocale = cfg.locale;
extraLocaleSettings = cfg.extraLocales;
};
services.xserver = {
xkb.layout = cfg.keymap.layout;
xkb.variant = cfg.keymap.variant;
};
console.keyMap = cfg.keymap.console;
time = {
timeZone = cfg.timeZone;
};
};
}

27
modules/nh/default.nix Normal file
View File

@@ -0,0 +1,27 @@
{ config
, lib
, pkgs
, ...
}:
let
cfg = config.programs.nh;
wrapper = pkgs.writeShellScriptBin "nh" ''
function alejandra() { ${pkgs.alejandra}/bin/alejandra "$@"; }
function git() { ${pkgs.git}/bin/git "$@"; }
function lazygit() { ${pkgs.lazygit}/bin/lazygit "$@"; }
function nh() { ${pkgs.nh}/bin/nh "$@"; }
function shellharden() { ${pkgs.shellharden}/bin/shellharden "$@"; }
FLAKE_DIR=${toString cfg.flake}
${builtins.readFile ./wrapper.sh}
'';
in
{
options.programs.nh = with lib; with lib.types; { };
config = with lib;
mkIf cfg.enable {
programs.nh.package = wrapper;
programs.nh.clean.enable = mkDefault true;
};
}

154
modules/nh/wrapper.sh Normal file
View File

@@ -0,0 +1,154 @@
function set_colors() {
COLOR_CYAN='\033[0;35m'
COLOR_RED='\033[0;31m'
COLOR_YELLOW='\033[1;33m'
COLOR_NC='\033[0m'
}
function set_labels() {
set_colors
function echo_info() {
if [ -t 1 ]; then
echo -e "${COLOR_CYAN}INFO:${COLOR_NC} $@";
else
echo -e "INFO: $@";
fi
}
function echo_warn() {
if [ -t 1 ]; then
echo -e "${COLOR_YELLOW}WARN:${COLOR_NC} $@";
else
echo -e "WARN: $@";
fi
}
function echo_error() {
if [ -t 1 ]; then
echo -e "${COLOR_RED}ERRO:${COLOR_NC} $@";
else
echo -e "ERRO: $@";
fi
}
}
set_labels
function decrypt_lesser_secrets() {
set -e
pushd "$FLAKE_DIR" > /dev/null
for f in ./secrets/*.lesser.*; do
local filename="$(basename -- "$f")"
local extension="${filename##*.}"
local filename="${filename%.*}"
local subextenstion="${filename##*.}"
if [[ "$subextenstion" == "decrypted" ]]; then
echo_warn "$PREFIX - File already decrypted! file=$f"
else
echo_info "$PREFIX - Decrypting lesser secret file. file=$f"
sops --output "./secrets/$filename.decrypted.$extension" -d "$f"
fi
done
echo_info "$PREFIX - Adding decrypted secret files"
git add ./secrets/*.decrypted.*
popd > /dev/null
}
function remove_decrypted_secrets() {
set -e
pushd "$FLAKE_DIR" > /dev/null
echo_info "$PREFIX - Removing descrypted files"
for f in "$FLAKE_DIR"/secrets/*.decrypted.*; do
echo_info "$PREFIX - Removing descrypted files. file=$f"
git reset "$f"
rm "$f"
done
popd > /dev/null
}
function format_files() {
set -e
pushd "$FLAKE_DIR" > /dev/null
echo_info "$PREFIX - Formatting *.nix files"
alejandra . &>/dev/null \
|| (alejandra . ; \
echo_error - "$PREFIX - Failed to format files" \
&& exit 1)
echo_info "$PREFIX - Formatting *.sh files"
find "$FLAKE_DIR" -type f -name "*.sh" -execdir shellharden --replace {} \;
popd > /dev/null
}
function build_os() {
set -e
pushd "$FLAKE_DIR" > /dev/null
echo_info "$PREFIX - Building NixOS"
nh os switch "$@" "$FLAKE_DIR" \
|| (echo_error "$PREFIX - Failed to build NixOS" \
&& remove_decrypted_secrets \
&& exit 1)
popd > /dev/null
}
case "$1" in
"os")
case "$2" in
"switch")
PREFIX="nh os switch"
decrypt_lesser_secrets
format_files
shift 2
build_os "$@"
remove_decrypted_secrets
;;
*) echo_error "\"$2\" subcommand does not exist"
;;
esac
;;
"edit")
pushd "$FLAKE_DIR" > /dev/null
"$EDITOR" .
popd > /dev/null
;;
"sync")
pushd "$FLAKE_DIR" > /dev/null
lazygit
popd > /dev/null
;;
"secrets")
PREFIX="nh secrets"
case "$2" in
"-d"|"--decrypt") decrypt_lesser_secrets
;;
"-r"|"--remove") remove_decrypted_secrets
;;
esac
;;
"format")
pushd "$FLAKE_DIR" > /dev/null
format_files
popd > /dev/null
;;
"--")
shift 1
nh "$@"
;;
*) echo_error "\"$1\" command does not exist"
;;
esac

62
modules/tailscale.nix Normal file
View File

@@ -0,0 +1,62 @@
{ config
, lib
, ...
}:
let
cfg = config.services.tailscale;
in
{
imports = [ ];
options.services.tailscale = with lib;
with lib.types; {
exitNode = mkOption {
type = bool;
default = false;
};
tailnetName = mkOption {
type = str;
};
tailnetUrl = mkOption {
type = str;
default = "${config.services.tailscale.tailnetName}.ts.net";
};
deviceUrl = mkOption {
type = str;
default = "${config.networking.hostName}.${config.services.tailscale.tailnetUrl}";
};
deviceIp = mkOption {
type = str;
};
};
config = with lib;
mkIf cfg.enable {
services.tailscale = {
extraUpFlags = [
(
if cfg.exitNode
then "--advertise-exit-node"
else null
)
(
if cfg.exitNode
then "--exit-node"
else null
)
];
useRoutingFeatures = mkDefault (
if cfg.exitNode
then "server"
else "client"
);
};
systemd.services."tailscaled" = mkIf config.services.caddy.enable (mkDefault {
serviceConfig = {
Environment = [ "TS_PERMIT_CERT_UID=caddy" ];
};
});
boot.kernel.sysctl."net.ipv4.ip_forward" = mkIf cfg.exitNode (mkDefault 1);
boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = mkIf cfg.exitNode (mkDefault 1);
};
}

54
secrets.nix Normal file
View File

@@ -0,0 +1,54 @@
{
config,
inputs,
lib,
pkgs,
...
}: let
lesser-secrets = with builtins;
fromJSON (readFile ./secrets/spacestation.lesser.decrypted.json);
jsonType = pkgs.formats.json {};
in {
imports = [
inputs.sops-nix.nixosModules.sops
];
options.spacestation-secrets = with lib;
with lib.types; {
lesser = mkOption {
type = submodule ({...}: {
freeformType = jsonType.type;
options = {};
});
default = lesser-secrets;
};
};
config = with lib; {
environment.systemPackages = with pkgs; [
sops
];
sops.defaultSopsFile = ./secrets/spacestation.yaml;
sops.defaultSopsFormat = "yaml";
sops.secrets."guz/password" = {
owner = config.users.users."guz".name;
};
sops.secrets."muse/secrets" = {};
sops.secrets."forgejo/user1/name" = mkIf config.services.forgejo.enable {
owner = config.services.forgejo.user;
};
sops.secrets."forgejo/user1/password" = mkIf config.services.forgejo.enable {
owner = config.services.forgejo.user;
};
sops.secrets."forgejo/user1/email" = mkIf config.services.forgejo.enable {
owner = config.services.forgejo.user;
};
sops.secrets."forgejo/git-password" = mkIf config.services.forgejo.enable {
owner = config.services.forgejo.user;
};
sops.age.keyFile = "/home/guz/.config/sops/age/keys.txt";
};
}

80
secrets/spacestation.lesser.json Normal file
View File

@@ -0,0 +1,80 @@
{
"tailnet-name": "ENC[AES256_GCM,data:f9T+/IRApqThgMlE,iv:LufRlHxdon5mahAi1+jwbhTqcOZh2bdnUubfEL6QFg0=,tag:KmJ4E0EggzQh8ZCm2fLeGw==,type:str]",
"device-ip": "ENC[AES256_GCM,data:Ed6hS/9F52UGVLpAyw==,iv:sg9iVEmZxA2lNJoc0xwLRyDzoF1Cy48wp9CQf3zOOzQ=,tag:77RYGvjgw0QdZUsPcqVTvA==,type:str]",
"homelab-domain": "ENC[AES256_GCM,data:IQAkzgxJL4WsOqJ0RA==,iv:COJSPyCP33ZJJXz1blr4CTH3DfZ9oH/Em72VWlGWtO0=,tag:sLj91nAgVtvDiRcVzqgIsg==,type:str]",
"services": {
"adguard": {
"domain": "ENC[AES256_GCM,data:QquWEbgpXY13UMV9BTXplQ5LhSgv,iv:0AstA5oaS8714QME3QK0/aiv9Khqk1bLCcFdCEPn+IA=,tag:XXIWjIjHQ0gZFSFBHU49Ag==,type:str]",
"port": "ENC[AES256_GCM,data:4JC+Dg==,iv:jACiG3MB0u8mKFhghBN3VzLBGkUYeCC58fGOuLePJ+M=,tag:Lz4Q8U24aOfjIA4tK6yZwg==,type:float]"
},
"dashdot": {
"domain": "ENC[AES256_GCM,data:eHFlKb+63lJDkQ1UdJywFWQNTC3a,iv:T0G0Is1goSBXyfyfnDm/YcgVm4acYfVXQOgcXVWdk/Q=,tag:0EF2AJgWIUHhm6+9USecsA==,type:str]",
"port": "ENC[AES256_GCM,data:T7LPwQ==,iv:AP7nnvV0NQWwnkBxOyIyFF3FS+BGMflxmr0UXnFOTvg=,tag:yaYsMrdXL9puSrLPnOfKdw==,type:float]"
},
"ferdium-server": {
"domain": "ENC[AES256_GCM,data:wFFgzZoSZoejlXA5c0J9gg6sULwDZCc7KuvZiQ==,iv:Lbgt3FbalVLTEHwBviUPwt1tObnlVEyCVBp8YEFG6rw=,tag:n3UywY7WvdkfHG68kcE7aQ==,type:str]",
"port": "ENC[AES256_GCM,data:qAmD2g==,iv:BAuRv4tbmAf7uan2JBKIr9430tp235YBdrxNaMSrgtw=,tag:H6aYpnONS+MQh7z1IGuy7w==,type:float]"
},
"forgejo": {
"domain": "ENC[AES256_GCM,data:DJDExE7VVmAk4ZLhOkTfD2wBY5i1,iv:tnOgrKCpglvDyk75mnmeoiz2trmD3r3wCL2etHmALC4=,tag:rAiEK9U48cR1q+W7Zbkhvg==,type:str]",
"port": "ENC[AES256_GCM,data:ydSACw==,iv:0RWRLLCU8YyYmOmTawns2Iy+ABiBFbBqgQ10+buZNt0=,tag:3QW0NzbKeUkcfYh/5my3fA==,type:float]",
"actions-token": "ENC[AES256_GCM,data:eNZtfpBt0ZjgLrykGKGEL3gtKCHHE+UWaDATgi0QHBGj7ZZX7ROuKQ==,iv:J8wmqFVmi8sarGupw/F4PP20HdaGTrxC4pF8GERwZxs=,tag:wZve5TI4/NpacMpHtpBnoA==,type:str]",
"actions-labels": [
"ENC[AES256_GCM,data:QFgl5alecI2Ecc6hTisc1orcvOE5dmdoNf3gwN5HWeq40B65NhsmXcZuTpkALEE8gm42mLfq4Wtb8xvnBQ==,iv:Cktpy6ot7T9PVoertFmkznateg1GuI82j2/niAlTcP8=,tag:KJspmDE0OUCWI3sFY/5J4Q==,type:str]",
"ENC[AES256_GCM,data:7vnIpQXr6k+I5/1siptl6OEkSJj3FFRFXOEd5yv+c5pIzJU6CilcdTOHo+7Yp1E2IvKFla7MqcWZ0OjSAg==,iv:lPhi+CC8xJgvW5WR6C9OAbfEzXl8ueQOSl4JWKk9Zmo=,tag:5xY+AtNUWn+D3L4G3PmkpQ==,type:str]",
"ENC[AES256_GCM,data:KybqnMcU6ON30jLPHHdKB8oc2clxwV7otpUfinlm/YCWgvLZpsjFPnm/eu9hjKLfcwPEsWqi,iv:mmhWpJLzLJJJ8eJkNQtVLYudNG+wgIFoIEvc0o9KP7I=,tag:YB/x4AF+jrC1i0q/LhtnCw==,type:str]",
"ENC[AES256_GCM,data:ewFeb0pgS7t7ugV1rvEqQHkZ3UfHf7BdPXh9rIZAmyAG04E53EFYFcjuLLlZKnsu,iv:Dc+8zlv0bKkNbmMYgUXOrBkolOKJLrasen2KfUjwyoc=,tag:TUmz6hvwS3jbxvSfq3ajTQ==,type:str]"
]
},
"homarr": {
"domain": "ENC[AES256_GCM,data:IsFYq/sZtCgrCGuEFJCFZ8Yn3st4ILg=,iv:Iexxw/OcbjIuVz5VtY/170yAc/h3fLqNw5BJGiyROdg=,tag:PTYsnvq2Cr+M8MaHvMiJjw==,type:str]",
"port": "ENC[AES256_GCM,data:c0D1FA==,iv:tWr+ryzFU65X58YAKXPhJe+P+CN0hhJ0FY4K9sAJr8I=,tag:e4GetvqSzqZ/vhhyxyZQVQ==,type:float]"
},
"jellyfin": {
"domain": "ENC[AES256_GCM,data:0XAqHmiw/9e3sIqMUk28sZ/2BBWafw==,iv:0auXERqDZFVVWpS2Y6b4jgqZHGv3tF7b83i6UTOBUNg=,tag:Xlgf6hyMKpfR2uEa/aUjsg==,type:str]",
"port": "ENC[AES256_GCM,data:E9A2Lw==,iv:J8GYwoLI/C7yc5fFu0Z6Qu7YPxHXvlyY5d36cWmm9Eg=,tag:fus1uxQxObj7mS3e7U4yTg==,type:float]"
},
"jellyseerr": {
"domain": "ENC[AES256_GCM,data:yWRvgk6vGt+VIuOA7RiwHQBfjftLbDpq,iv:acbAerP79Fq7hRhpnifQ876CI+gavGe3sQvM7RIalBw=,tag:CXHKHgKTLeJeyKko8dr1Qg==,type:str]",
"port": "ENC[AES256_GCM,data:TTvqPg==,iv:Mu+T9LJ626BWB/xt/KHb6PGX2oAWd4h4f34oz1RirHQ=,tag:5zYrwtZD13ljcFFNlvwWJA==,type:float]"
},
"jellystat": {
"domain": "ENC[AES256_GCM,data:JuOqn1eRSwgSmxGpI+cl8+rFPnTN+Wk=,iv:Wmp1jU2vaCZUaiAv/f6TQXdukWWHp1qr7Ay3YPbzDAA=,tag:pGc6PgHNR/uC5fkwXmTZ7w==,type:str]",
"port": "ENC[AES256_GCM,data:VLEiaQ==,iv:aN+vIsVK/snhGfjvmhsAcuGu06peqaa4uKJri14bgL4=,tag:A/vBY3vGS/PzlqtqFRpclg==,type:float]",
"db_password": "ENC[AES256_GCM,data:PSns4kHm0502Reo0iEOP,iv:VKULz9m+HAZqwI2QyKUAQ2x9977Qfj3j4sz9TzSssIA=,tag:EaFlN8gIVtBCeEGsCRG9UQ==,type:str]"
},
"prowlarr": {
"domain": "ENC[AES256_GCM,data:cfeDhy+TD6SVUEgKlCNo0/NkWw5GZg==,iv:X3AXVcWPYJXUSdtkHH/Kkv2+fuztL3/f/ZOFu0iW4hs=,tag:gwxL14I8UUH1K0OEQrLgfQ==,type:str]",
"port": "ENC[AES256_GCM,data:sn6HCA==,iv:ghIKe2IeTBtCQfLN9mLrVYbb2cii1cb+UKFL0DtiNWc=,tag:2X40jOxNbLR0FboTa4xONg==,type:float]"
},
"qbittorrent": {
"domain": "ENC[AES256_GCM,data:U2QUvsdFxhwLJO89QlFa37WxdDA2,iv:vbO9lc7jovM5KrU9n57h8PmSZxZSvSMIEZ1Sqe+L+ew=,tag:TYB9djUpDoYFmJ1qylE97w==,type:str]",
"port": "ENC[AES256_GCM,data:EYXJ/Q==,iv:ByiAPEg8n0p0ZZWkSssrpdEYl8NMqrGsFLcFwiyttQ4=,tag:b5hzfPPWj/N3ZtzNEe/2xQ==,type:float]"
},
"radarr": {
"domain": "ENC[AES256_GCM,data:tbuhPJRqWNs47GofrHLrIPr8JI0=,iv:UpotCjNr4070MsBIlkTTtliekHegOJe976xjrc3So3s=,tag:yeu1lL3ldIYZ/FMzb4igbw==,type:str]",
"port": "ENC[AES256_GCM,data:e/JFRg==,iv:4EH69nzM2buQ3v56+tVUSjaYDlhfevA5fStA5FpSwxE=,tag:Maw8kdf3eF0dQeDOjVrDrw==,type:float]"
},
"sonarr": {
"domain": "ENC[AES256_GCM,data:ElXSeC+fok18BtlzsQujUkWhVRg=,iv:bK91RHb66zGpmVf2qjDSWTLbSDm/hwmrhbcZ8+870RQ=,tag:T2aHrofrlqK6qhMHy8Xg5w==,type:str]",
"port": "ENC[AES256_GCM,data:5gAdwQ==,iv:6h+9iJWLjG8/s8+KVyVbCBL3T1tfpQdA0kBHY8/nuDM=,tag:/eY4dmkppBCj/ZucyLyFvA==,type:float]"
}
},
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1sseqwwa7fc0ftry8njyuagdg28fkmtdwmj6m7p3etjsj83suee3shfzjyz",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnL3dCY1VLMmoxRFRmS0Ir\nV0ppTnI0RE5ZMjcvRGNPWkNxWFdJYTBDTG00ClRGQkh1UStGTmc0RE5aNy9nL3FI\nbHJIa3hLR0ZkTjd6WkFzOFkzeFdMNUEKLS0tIDBidk93Qy9LenFlSGZ2aEpuTUFt\nWVM2eS9UdXAvbzE4eEdKMjVEM3RLdm8KKeIhk+YOKVL9Y19lLyb6/Pxv8rbewK2e\nLm96jx+LOMOCFcQGxuFKWqQbTB4br/cPvRKSY5jFmFWqVg7pCPTAzQ==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2024-05-21T18:13:55Z",
"mac": "ENC[AES256_GCM,data:P+tqLu/mY+qadDeyDwEYf/Mwv2tJOBEghvkBhRzLguaynCk4pLhy40P+eIvd8/DWfERW/CAnOH038kJRO9zG5qZiYKZgTB1MVFACnpPoF4Ek1a0+eSmQfiHBBLd45fvExfyYo3XLi6e0ZNZYiQOSL++WqBPGcSAz0N2bhxnPqFE=,iv:b7xEGJybByQwl2FfIdC3q2UVuDgOTHrVPPqZe/w8cmc=,tag:upZP6dukO70Qm5hb3odTWg==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.8.1"
}
}

38
secrets/spacestation.yaml Normal file
View File

@@ -0,0 +1,38 @@
guz:
password: ENC[AES256_GCM,data:zlO5xSFho7TXjFv62lgFir9SAgn+UE6XjdNEvIAgmQG9oDkthfgxO84wYdI0mQDwRIIs2PmSdBRfo0DPc3hji+ySCrItolPL8g==,iv:MZfhTxwfcbmXh5C6DkQhnY9NQGdE8zEwwvFOHQiUgKY=,tag:JjJN2bYcSXNN3ueGj5RNLg==,type:str]
network:
ip: ENC[AES256_GCM,data:AkbNOQLXRKLYjU2ywg==,iv:xqdTPCUYiT/cPe2zAbBJ7fUiEMViW9LZND4j0DdydLY=,tag:tq6nA5fGH4/mAvF6InUFgQ==,type:str]
localIp: ENC[AES256_GCM,data:PK8THL9NW//2sal1,iv:9h3f255rIgedYToVaUGuQ9RzD33V8sczRWsZe+rTyC0=,tag:OoJbes6k0FqxXzGQ8ZG0aA==,type:str]
forgejo:
git-password: ENC[AES256_GCM,data:SDyFBCwTxnZ1E6R/8HZCBIBj4AREYfqWrgzSEQ6SA3BDGPFsHghiVmF+Jt4omdzUQSoCCblMBsAx0NQBbBJrCbEoBWtybRM7Cg==,iv:KbtjXW1F8YJeapVpEkf8AdXhojmhOQKxG8nCZv7vW4k=,tag:odrL53KeKLVD5AoQB14veA==,type:str]
user1:
name: ENC[AES256_GCM,data:UL3g,iv:+ftGx57fhzN06DuLItxZTc7lXX2g4MhqrEqnDjk4Aug=,tag:ZNpwWuPYhBzDjRQBKikCDA==,type:str]
password: ENC[AES256_GCM,data:KXx9Kv9f9UP3sAU=,iv:bCBv+IEieR+RGjgjXLKMLlsqoBOLLYjvT167QIxxFmA=,tag:dPNUcrBrE66xDlFJltmIKg==,type:str]
email: ENC[AES256_GCM,data:iZjmn511sSRggO+ptkYZAeGKAFIMeV8R,iv:sBigXBpdYlj7zk7evE8IbQEa/YRVoCh2S/PFihx8VRU=,tag:XNSS+RFC8ChzZ/EzcQoDvg==,type:str]
nextcloud:
user1:
name: ENC[AES256_GCM,data:VJ2K,iv:RbCyfKweGteghP1X2II3WXQ6xjAqBz1PvFA+w6r6WA8=,tag:dRDTMXdvTFzS7xl9L1xbVA==,type:str]
password: ENC[AES256_GCM,data:u2F2aBuVt7CByfZcUA==,iv:YvRX13U/f6UTs4bvnwEMiNJydzaCM0etkRo/Uh7hf/Y=,tag:aqG10k2p0i8LAqWRQ92xjQ==,type:str]
email: ENC[AES256_GCM,data:J/xFtIs3+sUeHll0VPkpRX1dEwpX9RxH,iv:SikaNGysgIVXJgp4zKLkPrhuNN9lZa0nXmB5bTUdbOQ=,tag:CIiVsYRkig4H6j94293qbw==,type:str]
muse:
secrets: ENC[AES256_GCM,data:Kz9nq9uxrwjlbg38F8M0a7s0wuSpnZ42iGT6NOQa9LyEVr07PRHeqxAtAloPEX7gmAlTKyHY9hmkA/yUxrkioiaEd6PW5rF5Fq7wKSEYhyh9kUnwAf6NdQhFBj2UMnfWHpz50WQ27msJ2UzgJKzXQ24GYAXGlQwgyHkixpYPQ63t873YUNPaa53mx7STh7vRk//o940aP+Uar4OnMEdTGrmPqWLluR5/eVyNnDANhGWcCg626uZS26nZFO+gyrWJk2e1RsSVmzfjcIyaVkdTaEj1RQRUGxn/AS3FvqfGJ7tF9tWSaZ1PY2U2IdQv9usfa9m4Y6bRcoGN,iv:L4Y2F88NCSiB/KNL9HQ/49QRQwj2HfKuBEs8jsqpfR8=,tag://7BxypNznXIpWP2Mfvseg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1sseqwwa7fc0ftry8njyuagdg28fkmtdwmj6m7p3etjsj83suee3shfzjyz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkeGg1UzNkV0g1U0J4cUhr
dS9lZ1c0c0sxQzJjanRNSVBmQ09rQ1R2S0RRCmhzalFnWUNISis0K1JHSmcyN2cx
QWhQWFMxdmxKL1FkYU1PdmFHL1BoQncKLS0tIFN4MFRZTW5mUDI5T1Mra2tMS0Qz
amRmVkVoS2RqeEs3OXZVeTlsZUVEV28K1WcbGJHT8LMah5b7NN1psiucTl1OfZYO
4T3RDSQMB3qj1TGQSdixjwRRKbMGtL3LXnvkNd+caVi5Z9OkF1O9Yg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-11T14:18:33Z"
mac: ENC[AES256_GCM,data:VbvpmpSadpIQVwGWOa2A9VLn1+k8V8t95lgDhuv49NFkX7LnJQ4YPoSXINfDw52oaBL0nb4BtICpifCLY7kVtSTVDRHmXhmpXLz/8axNUQZtcHviUU+QlTYuyghxr0y+1ZMlVH4gOqCkoSYwfjN3/c8KR5ukf47lIxwoogXyLKo=,iv:4OYVcV2PUx7N+QHyA7wp0307+VM1yZcBH7PNDONn+qU=,tag:8El/gNZGnNEVD8k5aMRc/w==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

60
services/adguardhome.nix Normal file
View File

@@ -0,0 +1,60 @@
{ config
, lib
, pkgs
, ...
}:
let
secrets = config.spacestation-secrets.lesser;
deviceIp = config.services.tailscale.deviceIp;
in
{
imports = [
../modules/adguardhome.nix
];
services.adguardhome = {
enable = true;
dns.rewrites = {
"*.${secrets.homelab-domain}" = deviceIp;
"${secrets.homelab-domain}" = deviceIp;
};
openFirewall = true;
port = secrets.services.adguard.port;
dns.filters = {
"Hagezi's Multi PRO" = {
url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/pro.txt";
};
"Hagezi's Badware Hoster" = {
url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/hoster.txt";
};
"Hagezi's DNS Bypass blocking" = {
url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/doh-vpn-proxy-bypass.txt";
};
"Hagezi's Dynamic DNS blocking" = {
url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/dyndns.txt";
};
"Hagezi's Gambling" = {
url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/gambling.txt";
};
"Hagezi's Native - LG webOS" = {
url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/native.lgwebos.txt";
};
"Hagezi's Native - Tiktok (Agressive)" = {
url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/hosts/native.tiktok.extended.txt";
};
"Hagezi's Native - Microsoft/Windows" = {
url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/native.winoffice.txt";
};
"Hagezi's Pop-up Ads" = {
url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/popupads.txt";
};
"Hagezi's TIF" = {
url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/tif.txt";
};
};
settings.user_rules = [
"@@||tumblr.com^$important"
"@@||wordpress.com^$important"
"@@||tailscale.com^$important"
];
};
}

11
services/containers/default.nix Normal file
View File

@@ -0,0 +1,11 @@
{ ... }: {
imports = [
./prata-music.nix
];
virtualisation = {
docker.enable = true;
oci-containers = {
backend = "docker";
};
};
}

17
services/containers/prata-music.nix Normal file
View File

@@ -0,0 +1,17 @@
{ config
, lib
, pkgs
, ...
}: {
imports = [ ];
virtualisation.oci-containers.containers.prata-music = {
image = "codetheweb/muse:latest";
autoStart = true;
volumes = [
"/var/lib/muse/data:/data"
];
environmentFiles = [
(/. + config.sops.secrets."muse/secrets".path)
];
};
}

8
services/default.nix Normal file
View File

@@ -0,0 +1,8 @@
{ ... }: {
imports = [
./adguardhome.nix
./containers
./forgejo.nix
./tailscale.nix
];
}

37
services/forgejo.nix Normal file
View File

@@ -0,0 +1,37 @@
{ config
, lib
, pkgs
, ...
}:
let
secrets = config.spacestation-secrets.lesser;
in
{
imports = [
../modules/forgejo
];
services.forgejo = {
enable = true;
actions = {
enable = true;
token = secrets.services.forgejo.actions-token;
url = "http://192.168.1.10:${toString secrets.services.forgejo.port}";
labels = secrets.services.forgejo.actions-labels;
};
users = {
user1 = {
name = /. + config.sops.secrets."forgejo/user1/name".path;
password = /. + config.sops.secrets."forgejo/user1/password".path;
email = /. + config.sops.secrets."forgejo/user1/email".path;
admin = true;
};
};
settings = {
server = {
HTTP_PORT = secrets.services.forgejo.port;
DOMAIN = secrets.services.forgejo.domain;
ROOT_URL = "https://${secrets.services.forgejo.domain}";
};
};
};
}

20
services/tailscale.nix Normal file
View File

@@ -0,0 +1,20 @@
{ config
, lib
, pkgs
, ...
}:
let
secrets = config.spacestation-secrets.lesser;
in
{
imports = [
../modules/tailscale.nix
];
services.tailscale = {
enable = true;
useRoutingFeatures = "both";
exitNode = true;
tailnetName = secrets.tailnet-name;
deviceIp = secrets.device-ip;
};
}