commit 0d1473f370c435bcb3d7aa05707a256970eae3db Author: Gustavo "Guz" L. de Mello Date: Sat Jun 15 18:29:36 2024 -0300 feat: initial commit, migrate main config from dot013/.nix
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..7e2165c
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+*.*~
+*.iso
+Session.vim
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..d00a72f
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,11 @@
+keys:
+ - &primary age1sseqwwa7fc0ftry8njyuagdg28fkmtdwmj6m7p3etjsj83suee3shfzjyz
+creation_rules:
+ - path_regex: secrets/spacestation.yaml$
+ key_groups:
+ - age:
+ - *primary
+ - path_regex: secrets/spacestation.lesser.json$
+ key_groups:
+ - age:
+ - *primary
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..e491cad
--- /dev/null
+++ b/configuration.nix
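Review bot: `.sops.yaml` names a single age recipient (`&primary`) in both creation rules, so every file under `secrets/` can be decrypted by exactly one key and becomes unrecoverable if that key file is lost or the host is reinstalled without it. Adding a second recipient to each `key_groups` entry (an offline backup key, or the host's own key) keeps recovery and key rotation possible without re-creating the secrets. A short comment next to `keys:` saying where the primary key lives and who holds it would also help, since the private side is referenced only from secrets.nix.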
@@ -0,0 +1,81 @@
+{ config
+, lib
+, inputs
+, pkgs
+, ...
+}: {
+ imports = [
+ ./hardware-configuration.nix
+ inputs.dot013-environment.nixosModules.default
+ ./services
+ ./modules
+ ./secrets.nix
+ ];
+
+ programs.nh.enable = true;
+ programs.nh.flake = "/home/guz/nix";
+
+ profiles.locale.enable = true;
+
+ home-manager.extraSpecialArgs = { inherit inputs; };
+ users.users."guz" = {
+ shell = pkgs.zsh;
+ hashedPasswordFile = builtins.toString config.sops.secrets."guz/password".path;
+ home = "/home/guz";
+ isNormalUser = true;
+ extraGroups = [ "wheel" "networkmanager" "plugdev" ];
+ };
+ home-manager.users."guz" = import ./homes/guz.nix;
+
+ dot013.environment.enable = true;
+ dot013.environment.interception-tools.enable = false;
+
+ programs.gnupg.agent = {
+ enable = true;
+ pinentryPackage = pkgs.pinentry-gnome3;
+ settings = {
+ default-cache-ttl = 3600 * 24;
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ git
+ libinput
+ ];
+
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+ nix.package = pkgs.nixVersions.nix_2_21;
+
+ networking = {
+ networkmanager.enable = true;
+ hostName = "spacestation";
+ wireless.enable = false;
+ dhcpcd.enable = true;
+ defaultGateway = "192.168.1.1";
+ interfaces."eno1".ipv4.addresses = [
+ {
+ address = "192.168.1.10";
+ prefixLength = 24;
+ }
+ ];
+ };
+
+ services.openssh.enable = true;
+
+ security.rtkit.enable = true;
+
+ # Bootloader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ # Allow unfree packages
+ nixpkgs.config.allowUnfree = true;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g.
man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.11"; # Did you read the comment?
+}
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..d8d157c
--- /dev/null
+++ b/flake.lock
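Review bot: `services.openssh.enable = true;` brings sshd up with the NixOS defaults, which leave password authentication on, on a host that also gets a static LAN address and a `wheel` user whose password is sops-managed; `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` would restrict logins to keys. The hunk declares no `users.users."guz".openssh.authorizedKeys.keys`, so keys have to be in place before that switch or the machine locks itself out. The gpg-agent `default-cache-ttl = 3600 * 24;` keeps unlocked keys cached for a full day; a one-line comment on why that window is acceptable for this machine would help a later reader.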
@@ -0,0 +1,142 @@ +{ + "nodes": { + "dot013-environment": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1718398180, + "narHash": "sha256-jru21A3VkuAZNMauZe8DrdiotIdu1SfUNtksI1PxwUk=", + "owner": "dot013", + "repo": "environment", + "rev": "7f4cfd9924d6abcc23fafe1d48fd1e849c6448a4", + "type": "github" + }, + "original": { + "owner": "dot013", + "repo": "environment", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1718243258, + "narHash": "sha256-abBpj2VU8p6qlRzTU8o22q68MmOaZ4v8zZ4UlYl5YRU=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "8d5e27b4807d25308dfe369d5a923d87e7dbfda3", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "nix-index-database": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1718458449, + "narHash": "sha256-FcX3/lTbb+WIW783b18SPudPYhdmmNLQADf4S3SsZos=", + "owner": "Mic92", + "repo": "nix-index-database", + "rev": "963639a87fb7f746d45f14b8ab429d2c52dbb396", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "nix-index-database", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1718318537, + "narHash": "sha256-4Zu0RYRcAY/VWuu6awwq4opuiD//ahpc2aFHg2CWqFY=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "e9ee548d90ff586a6471b4ae80ae9cfcbceb3420", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1717880976, + "narHash": "sha256-BRvSCsKtDUr83NEtbGfHLUOdDK0Cgbezj2PtcHnz+sQ=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "4913a7c3d8b8d00cb9476a6bd730ff57777f740c", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": 
{ + "lastModified": 1718318537, + "narHash": "sha256-4Zu0RYRcAY/VWuu6awwq4opuiD//ahpc2aFHg2CWqFY=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "e9ee548d90ff586a6471b4ae80ae9cfcbceb3420", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "dot013-environment": "dot013-environment", + "home-manager": "home-manager", + "nix-index-database": "nix-index-database", + "nixpkgs": "nixpkgs_2", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1718137936, + "narHash": "sha256-psA+1Q5fPaK6yI3vzlLINNtb6EeXj111zQWnZYyJS9c=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "c279dec105dd53df13a5e57525da97905cc0f0d6", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..f39d431 --- /dev/null +++ b/flake.nix @@ -0,0 +1,41 @@ +{ + description = ".homelab"; + + inputs = { + nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + + home-manager = { + url = "github:nix-community/home-manager"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + nix-index-database = { + url = "github:Mic92/nix-index-database"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + dot013-environment.url = "github:dot013/environment"; + }; + outputs = + { nixpkgs + , home-manager + , ... + } @ inputs: { + nixosConfigurations = { + spacestation = nixpkgs.lib.nixosSystem { + specialArgs = { + inherit inputs; + }; + modules = [ + inputs.home-manager.nixosModules.default + ./configuration.nix + ]; + }; + }; + }; +} diff --git a/hardware-configuration.nix b/hardware-configuration.nix new file mode 100644 index 0000000..2a50d82 
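Review bot: `dot013-environment.url = "github:dot013/environment";` is the only input in flake.nix without `inputs.nixpkgs.follows = "nixpkgs";`, which appears to be why the lock in this commit carries two nixpkgs nodes (`nixpkgs` for that input and `nixpkgs_2` for the root); adding `dot013-environment.inputs.nixpkgs.follows = "nixpkgs";` leaves one pinned package set to audit and update. If that input deliberately needs its own nixpkgs, a one-line comment saying so would stop the next reader from "fixing" it.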
--- /dev/null +++ b/hardware-configuration.nix @@ -0,0 +1,42 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config +, lib +, pkgs +, modulesPath +, ... +}: { + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" "sdhci_acpi" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/26878c61-60d2-4ac9-967f-30faffc0f21f"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/ACCB-816C"; + fsType = "vfat"; + }; + + swapDevices = [ + { device = "/dev/disk/by-uuid/878a189a-e5df-4e1c-92d5-df6f77ff53bb"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.eno1.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/homes/guz.nix b/homes/guz.nix new file mode 100644 index 0000000..eac4602 --- /dev/null +++ b/homes/guz.nix @@ -0,0 +1,17 @@ +{ config +, pkgs +, inputs +, lib +, ... +}: { + imports = [ + inputs.dot013-environment.homeManagerModule + ]; + + programs.home-manager.enable = true; + + home.username = "guz"; + home.homeDirectory = "/home/guz"; + + home.stateVersion = "23.11"; # DO NOT CHANGE +} 
diff --git a/modules/adguardhome.nix b/modules/adguardhome.nix
new file mode 100644
index 0000000..d38c2c1
--- /dev/null
+++ b/modules/adguardhome.nix
@@ -0,0 +1,62 @@
+{ config
+, lib
+, ...
+}:
+let
+ cfg = config.services.adguardhome;
+in
+{
+ imports = [ ];
+ options.services.adguardhome = with lib;
+ with lib.types; {
+ dns.filters = mkOption {
+ type = attrsOf (submodule ({ lib, ... }: {
+ options = {
+ name = mkOption {
+ type = nullOr str;
+ default = null;
+ };
+ url = mkOption {
+ type = str;
+ };
+ enabled = mkOption {
+ type = bool;
+ default = true;
+ };
+ };
+ }));
+ default = { };
+ };
+ dns.rewrites = mkOption {
+ type = attrsOf str;
+ default = { };
+ };
+ };
+ config = with lib;
+ mkIf cfg.enable {
+ networking.firewall.allowedTCPPorts = [ 53 ];
+ networking.firewall.allowedUDPPorts = [ 53 51820 ];
+
+ services.adguardhome = {
+ settings = {
+ filtering.rewrites = builtins.attrValues (builtins.mapAttrs
+ (from: to: {
+ domain = from;
+ answer = to;
+ })
+ cfg.dns.rewrites);
+ filters = attrValues (mapAttrs
+ (id: list: {
+ name =
+ if isNull list.name
+ then id
+ else list.name;
+ ID = id;
+ url = list.url;
+ enabled = list.enabled;
+ })
+ cfg.dns.filters);
+ };
+ };
+ };
+}
diff --git a/modules/default.nix b/modules/default.nix
new file mode 100644
index 0000000..b9d187b
--- /dev/null
+++ b/modules/default.nix
@@ -0,0 +1,9 @@
+{ ... }: {
+ imports = [
+ ./adguardhome.nix
+ ./forgejo
+ ./locales.nix
+ ./nh
+ ./tailscale.nix
+ ];
+}
diff --git a/modules/forgejo/default.nix b/modules/forgejo/default.nix
new file mode 100644
index 0000000..99c1c24
--- /dev/null
+++ b/modules/forgejo/default.nix
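Review bot: `networking.firewall.allowedUDPPorts = [ 53 51820 ];` opens UDP 51820 whenever AdGuard Home is enabled, but nothing in this module listens on it — 51820 is the conventional WireGuard port, so it looks like a leftover from another host's config. Keeping the module to its own port, `networking.firewall.allowedUDPPorts = [ 53 ];`, and opening 51820 next to whatever service actually uses it avoids an unexplained hole in the firewall. The new `dns.filters` and `dns.rewrites` options also carry no `description`; one line each (e.g. "rewrites are rendered into `filtering.rewrites`, keyed by domain") would document the mapping done in `config`.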
@@ -0,0 +1,205 @@ +{ config +, lib +, pkgs +, utils +, ... +}: +let + cfg = config.services.forgejo; + yamlFormat = pkgs.formats.yaml { }; + users = builtins.attrValues (builtins.mapAttrs + (username: info: { + name = + if isNull info.name + then username + else info.name; + email = info.email; + password = info.password; + admin = info.admin; + }) + cfg.users); + initList = l: lib.strings.concatStringsSep "," l; +in +{ + imports = [ ]; + options.services.forgejo = with lib; + with lib.types; { + handleUndeclaredUsers = mkOption { + type = bool; + default = false; + }; + users = mkOption { + type = attrsOf (submodule ({ config + , lib + , ... + }: + with lib; + with lib.types; { + options = { + name = mkOption { + type = nullOr (either str path); + default = null; + }; + password = mkOption { + type = either str path; + }; + email = mkOption { + type = either str path; + }; + admin = mkOption { + type = bool; + default = false; + }; + }; + })); + default = { }; + }; + actions = { + enable = mkOption { + type = bool; + default = cfg.enable; + }; + token = mkOption { + type = str; + }; + url = mkOption { + type = str; + default = "http://localhost:${toString cfg.settings.server.HTTP_PORT}"; + }; + labels = mkOption { + type = listOf str; + default = [ + /* + Remember to install git on these images so actions/checkout can work, + without it, the actions tries to use the /api/v3/repos/{user}/{repo}/tarball/{ref} + api endpoint, which Gitea/Forgejo doesn't has. 
+ */ + "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest-slim" + "ubuntu-latest-full:docker://gitea/runner-images:ubuntu-latest" + ]; + }; + }; + }; + config = with lib; + mkIf cfg.enable { + networking.firewall.allowedTCPPorts = mkIf cfg.settings.actions.ENABLED [ + cfg.settings.server.HTTP_PORT + ]; + networking.firewall.allowedUDPPorts = mkIf cfg.settings.actions.ENABLED [ + cfg.settings.server.HTTP_PORT + ]; + + users.users."${cfg.user}" = { + home = cfg.stateDir; + useDefaultShell = true; + group = cfg.group; + isSystemUser = true; + extraGroups = [ "wheel" "networkmanager" ]; + }; + users.groups."${cfg.group}" = { }; + + services.forgejo = { + user = mkDefault "git"; + group = mkDefault cfg.user; + settings = { + DEFAULT = { + APP_NAME = mkDefault "Forgejo: Beyond coding. We forge."; + }; + actions = { + ENABLED = mkDefault cfg.actions.enable; + DEFAULT_ACTIONS_URL = mkDefault "http://localhost:${toString cfg.settings.server.HTTP_PORT}"; + }; + repository = { + DEFAULT_REPO_UNITS = mkDefault (initList [ + "repo.code" + ]); + DISABLED_REPO_UNITS = mkIf (!cfg.actions.enable) (mkDefault (initList [ + "repo.actions" + ])); + }; + service = { + # DISABLE_REGISTRARION = mkDefault true; + }; + }; + }; + + virtualisation.docker.enable = mkIf cfg.actions.enable (mkDefault true); + services.gitea-actions-runner = mkIf cfg.actions.enable { + package = + if config.services.gitea.enable + then pkgs.gitea-actions-runner + else pkgs.forgejo-actions-runner; + instances."forgejo${toString cfg.settings.server.HTTP_PORT}" = { + enable = mkDefault true; + token = mkDefault cfg.actions.token; + name = mkDefault "${cfg.settings.DEFAULT.APP_NAME} - Actions"; + url = cfg.actions.url; + labels = mkDefault cfg.actions.labels; + settings = { + runner = { + insecure = true; + }; + }; + }; + }; + + systemd.services."forgejo-users-setup" = with builtins; { + script = '' + function gum() { ${pkgs.gum}/bin/gum "$@"; } + function forgejo() { + # local config_file="${toString 
cfg.stateDir}/custom/conf/app.ini"; + # touch $config_file + ${cfg.package}/bin/gitea \ + --work-path ${cfg.stateDir} \ + "$@" + } + function fjuser() { forgejo admin user "$@"; } + function awk() { ${pkgs.gawk}/bin/awk "$@"; } + + handle_undeclared_users="${ + if cfg.handleUndeclaredUsers + then "true" + else "false" + }"; + + declared_users=(${toString (map (user: "${ + if isPath user.name + then "$(cat ${toString user.name})" + else user.name + }") + users)}); + + ${readFile ./user-handler.sh} + + ${toString (map (user: '' + set-user "${ + if isPath user.name + then "$(cat ${toString user.name})" + else user.name + }" "${ + if isPath user.email + then "$(cat ${toString user.email})" + else user.email + }" "${ + if isPath user.password + then "$(cat ${toString user.password})" + else user.password + }" \ + "${ + if user.admin + then "true" + else "false" + }" + '') + users)} + ''; + wantedBy = [ "multi-user.target" ]; + after = [ "forgejo.service" ]; + serviceConfig = { + Type = "oneshot"; + User = cfg.user; + Group = cfg.group; + }; + }; + }; +} diff --git a/modules/forgejo/user-handler.sh b/modules/forgejo/user-handler.sh new file mode 100644 index 0000000..e69de29 diff --git a/modules/locales.nix b/modules/locales.nix new file mode 100644 index 0000000..ac1dbb0 --- /dev/null +++ b/modules/locales.nix 
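Review bot: `users.users."${cfg.user}"` gives the Forgejo service account `extraGroups = [ "wheel" "networkmanager" ];`, which places the uid of a network-facing daemon in the sudo group; a system user needs neither, so dropping the `extraGroups` line keeps it at least privilege. Two more things in the same hunk: `${readFile ./user-handler.sh}` reads a file this commit adds as an empty blob (index e69de29, no hunk), so `set-user` is undefined and the `forgejo-users-setup` oneshot will fail at its first call, and whatever `set-user` ends up doing with the password it receives as a positional argument, handing it to `forgejo admin user ... --password` would expose it in the process list, so that script should read it from the path instead. `settings.runner.insecure = true;` disables certificate checks for the runner, harmless for the default `http://localhost` URL but silently still on once `cfg.actions.url` points at an HTTPS host — `insecure = mkDefault false;` or deriving it from the URL scheme is safer. The commented `DISABLE_REGISTRARION` is misspelled (`DISABLE_REGISTRATION`); since users are declared in Nix here, enabling it for real would close self-registration.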
@@ -0,0 +1,65 @@
+{ config
+, lib
+, ...
+}:
+let
+ cfg = config.profiles.locale;
+in
+{
+ imports = [ ];
+ options.profiles.locale = with lib;
+ with lib.types; {
+ enable = mkEnableOption "";
+ locale = mkOption {
+ type = str;
+ default = "en_US.UTF-8";
+ };
+ extraLocales = mkOption {
+ type = attrsOf str;
+ default = rec {
+ LC_ADDRESS = "pt_BR.UTF-8";
+ LC_IDENTIFICATION = LC_ADDRESS;
+ LC_MEASUREMENT = LC_ADDRESS;
+ LC_MONETARY = LC_ADDRESS;
+ LC_NAME = LC_ADDRESS;
+ LC_NUMERIC = LC_ADDRESS;
+ LC_PAPER = LC_ADDRESS;
+ LC_TELEPHONE = LC_ADDRESS;
+ LC_TIME = LC_ADDRESS;
+ };
+ };
+ keymap.layout = mkOption {
+ type = str;
+ default = "br";
+ };
+ keymap.variant = mkOption {
+ type = str;
+ default = "";
+ };
+ keymap.console = mkOption {
+ type = str;
+ default = "br-abnt2";
+ };
+ timeZone = mkOption {
+ type = str;
+ default = "America/Sao_Paulo";
+ };
+ };
+ config = {
+ i18n = {
+ defaultLocale = cfg.locale;
+ extraLocaleSettings = cfg.extraLocales;
+ };
+
+ services.xserver = {
+ xkb.layout = cfg.keymap.layout;
+ xkb.variant = cfg.keymap.variant;
+ };
+
+ console.keyMap = cfg.keymap.console;
+
+ time = {
+ timeZone = cfg.timeZone;
+ };
+ };
+}
diff --git a/modules/nh/default.nix b/modules/nh/default.nix
new file mode 100644
index 0000000..e4626ad
--- /dev/null
+++ b/modules/nh/default.nix
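Review bot: `enable = mkEnableOption "";` renders as the option description "Whether to enable ." in generated docs; `enable = mkEnableOption "the locale profile";` names it. The remaining options (`locale`, `extraLocales`, `keymap.*`, `timeZone`) have no `description` either, and `config` applies them unconditionally rather than under `mkIf cfg.enable`, so the `enable` flag currently has no effect — either guard the `config` block with it or document that it is informational.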
@@ -0,0 +1,27 @@
+{ config
+, lib
+, pkgs
+, ...
+}:
+let
+ cfg = config.programs.nh;
+ wrapper = pkgs.writeShellScriptBin "nh" ''
+ function alejandra() { ${pkgs.alejandra}/bin/alejandra "$@"; }
+ function git() { ${pkgs.git}/bin/git "$@"; }
+ function lazygit() { ${pkgs.lazygit}/bin/lazygit "$@"; }
+ function nh() { ${pkgs.nh}/bin/nh "$@"; }
+ function shellharden() { ${pkgs.shellharden}/bin/shellharden "$@"; }
+
+ FLAKE_DIR=${toString cfg.flake}
+
+ ${builtins.readFile ./wrapper.sh}
+ '';
+in
+{
+ options.programs.nh = with lib; with lib.types; { };
+ config = with lib;
+ mkIf cfg.enable {
+ programs.nh.package = wrapper;
+ programs.nh.clean.enable = mkDefault true;
+ };
+}
diff --git a/modules/nh/wrapper.sh b/modules/nh/wrapper.sh
new file mode 100644
index 0000000..ab336cc
--- /dev/null
+++ b/modules/nh/wrapper.sh
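Review bot: `FLAKE_DIR=${toString cfg.flake}` is spliced into the generated script unquoted, so a flake path containing a space or glob character would be word-split at that assignment; `FLAKE_DIR="${toString cfg.flake}"` is the safe form. The empty `options.programs.nh = with lib; with lib.types; { };` declares nothing and can go. A header comment stating that this module replaces `programs.nh.package` with a wrapper that decrypts and stages secret files before every build would warn the next reader, since that side effect is only visible by reading wrapper.sh.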
@@ -0,0 +1,154 @@
+function set_colors() {
+ COLOR_CYAN='\033[0;35m'
+ COLOR_RED='\033[0;31m'
+ COLOR_YELLOW='\033[1;33m'
+ COLOR_NC='\033[0m'
+}
+function set_labels() {
+ set_colors
+ function echo_info() {
+ if [ -t 1 ]; then
+ echo -e "${COLOR_CYAN}INFO:${COLOR_NC} $@";
+ else
+ echo -e "INFO: $@";
+ fi
+ }
+ function echo_warn() {
+ if [ -t 1 ]; then
+ echo -e "${COLOR_YELLOW}WARN:${COLOR_NC} $@";
+ else
+ echo -e "WARN: $@";
+ fi
+ }
+ function echo_error() {
+ if [ -t 1 ]; then
+ echo -e "${COLOR_RED}ERRO:${COLOR_NC} $@";
+ else
+ echo -e "ERRO: $@";
+ fi
+ }
+}
+set_labels
+
+function decrypt_lesser_secrets() {
+ set -e
+ pushd "$FLAKE_DIR" > /dev/null
+
+ for f in ./secrets/*.lesser.*; do
+ local filename="$(basename -- "$f")"
+ local extension="${filename##*.}"
+ local filename="${filename%.*}"
+ local subextenstion="${filename##*.}"
+
+ if [[ "$subextenstion" == "decrypted" ]]; then
+ echo_warn "$PREFIX - File already decrypted! file=$f"
+ else
+ echo_info "$PREFIX - Decrypting lesser secret file. file=$f"
+ sops --output "./secrets/$filename.decrypted.$extension" -d "$f"
+ fi
+ done
+
+ echo_info "$PREFIX - Adding decrypted secret files"
+ git add ./secrets/*.decrypted.*
+
+ popd > /dev/null
+}
+
+function remove_decrypted_secrets() {
+ set -e
+ pushd "$FLAKE_DIR" > /dev/null
+
+ echo_info "$PREFIX - Removing descrypted files"
+ for f in "$FLAKE_DIR"/secrets/*.decrypted.*; do
+ echo_info "$PREFIX - Removing descrypted files. file=$f"
+ git reset "$f"
+ rm "$f"
+ done
+
+ popd > /dev/null
+}
+
+function format_files() {
+ set -e
+ pushd "$FLAKE_DIR" > /dev/null
+
+ echo_info "$PREFIX - Formatting *.nix files"
+ alejandra . &>/dev/null \
+ || (alejandra . 
; \
+ echo_error - "$PREFIX - Failed to format files" \
+ && exit 1)
+
+ echo_info "$PREFIX - Formatting *.sh files"
+ find "$FLAKE_DIR" -type f -name "*.sh" -execdir shellharden --replace {} \;
+
+ popd > /dev/null
+}
+
+function build_os() {
+ set -e
+ pushd "$FLAKE_DIR" > /dev/null
+
+ echo_info "$PREFIX - Building NixOS"
+ nh os switch "$@" "$FLAKE_DIR" \
+ || (echo_error "$PREFIX - Failed to build NixOS" \
+ && remove_decrypted_secrets \
+ && exit 1)
+
+ popd > /dev/null
+}
+
+case "$1" in
+ "os")
+ case "$2" in
+ "switch")
+ PREFIX="nh os switch"
+
+ decrypt_lesser_secrets
+ format_files
+
+ shift 2
+ build_os "$@"
+
+ remove_decrypted_secrets
+ ;;
+ *) echo_error "\"$2\" subcommand does not exist"
+ ;;
+ esac
+ ;;
+ "edit")
+ pushd "$FLAKE_DIR" > /dev/null
+
+ "$EDITOR" .
+
+ popd > /dev/null
+ ;;
+ "sync")
+ pushd "$FLAKE_DIR" > /dev/null
+
+ lazygit
+
+ popd > /dev/null
+ ;;
+ "secrets")
+ PREFIX="nh secrets"
+ case "$2" in
+ "-d"|"--decrypt") decrypt_lesser_secrets
+ ;;
+ "-r"|"--remove") remove_decrypted_secrets
+ ;;
+ esac
+ ;;
+ "format")
+ pushd "$FLAKE_DIR" > /dev/null
+
+ format_files
+
+ popd > /dev/null
+ ;;
+ "--")
+ shift 1
+ nh "$@"
+ ;;
+ *) echo_error "\"$1\" command does not exist"
+ ;;
+esac
diff --git a/modules/tailscale.nix b/modules/tailscale.nix
new file mode 100644
index 0000000..a32536b
--- /dev/null
+++ b/modules/tailscale.nix
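Review bot: `decrypt_lesser_secrets` writes plaintext copies of the secret files next to the encrypted ones and `git add`s them, and the only cleanup is the explicit `remove_decrypted_secrets` calls in `build_os` and at the end of the `"switch"` branch; if `format_files` fails (its `exit 1` runs before any cleanup) or the run is interrupted during `nh os switch`, the decrypted files stay on disk and staged, one `git commit` away from being pushed. A `trap remove_decrypted_secrets EXIT` right after `PREFIX="nh os switch"` in the `"switch"` case would cover every exit path. Smaller points: `echo_error - "$PREFIX - Failed to format files"` has a stray `-` argument, and `set -e` inside a function is process-wide, so it stays on for the rest of the script after the first function call, which the top-level `case` does not seem to account for.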
@@ -0,0 +1,62 @@
+{ config
+, lib
+, ...
+}:
+let
+ cfg = config.services.tailscale;
+in
+{
+ imports = [ ];
+ options.services.tailscale = with lib;
+ with lib.types; {
+ exitNode = mkOption {
+ type = bool;
+ default = false;
+ };
+ tailnetName = mkOption {
+ type = str;
+ };
+ tailnetUrl = mkOption {
+ type = str;
+ default = "${config.services.tailscale.tailnetName}.ts.net";
+ };
+ deviceUrl = mkOption {
+ type = str;
+ default = "${config.networking.hostName}.${config.services.tailscale.tailnetUrl}";
+ };
+ deviceIp = mkOption {
+ type = str;
+ };
+ };
+ config = with lib;
+ mkIf cfg.enable {
+ services.tailscale = {
+ extraUpFlags = [
+ (
+ if cfg.exitNode
+ then "--advertise-exit-node"
+ else null
+ )
+ (
+ if cfg.exitNode
+ then "--exit-node"
+ else null
+ )
+ ];
+ useRoutingFeatures = mkDefault (
+ if cfg.exitNode
+ then "server"
+ else "client"
+ );
+ };
+
+ systemd.services."tailscaled" = mkIf config.services.caddy.enable (mkDefault {
+ serviceConfig = {
+ Environment = [ "TS_PERMIT_CERT_UID=caddy" ];
+ };
+ });
+
+ boot.kernel.sysctl."net.ipv4.ip_forward" = mkIf cfg.exitNode (mkDefault 1);
+ boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = mkIf cfg.exitNode (mkDefault 1);
+ };
+}
diff --git a/secrets.nix b/secrets.nix
new file mode 100644
index 0000000..7f4149c
--- /dev/null
+++ b/secrets.nix
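Review bot: `extraUpFlags` evaluates to `[ null null ]` when `exitNode` is false (the default), which the upstream option's string-list type should reject at evaluation, and to `[ "--advertise-exit-node" "--exit-node" ]` when true, where `--exit-node` expects a node argument and contradicts advertising one; `extraUpFlags = optional cfg.exitNode "--advertise-exit-node";` expresses the intent in one line. The `ip_forward` / `forwarding` sysctls tied to `exitNode` are the documented prerequisite for an exit node, so a one-line comment there would make that link explicit for the next reader.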
@@ -0,0 +1,54 @@
+{
+ config,
+ inputs,
+ lib,
+ pkgs,
+ ...
+}: let
+ lesser-secrets = with builtins;
+ fromJSON (readFile ./secrets/spacestation.lesser.decrypted.json);
+ jsonType = pkgs.formats.json {};
+in {
+ imports = [
+ inputs.sops-nix.nixosModules.sops
+ ];
+ options.spacestation-secrets = with lib;
+ with lib.types; {
+ lesser = mkOption {
+ type = submodule ({...}: {
+ freeformType = jsonType.type;
+ options = {};
+ });
+ default = lesser-secrets;
+ };
+ };
+ config = with lib; {
+ environment.systemPackages = with pkgs; [
+ sops
+ ];
+
+ sops.defaultSopsFile = ./secrets/spacestation.yaml;
+ sops.defaultSopsFormat = "yaml";
+
+ sops.secrets."guz/password" = {
+ owner = config.users.users."guz".name;
+ };
+
+ sops.secrets."muse/secrets" = {};
+
+ sops.secrets."forgejo/user1/name" = mkIf config.services.forgejo.enable {
+ owner = config.services.forgejo.user;
+ };
+ sops.secrets."forgejo/user1/password" = mkIf config.services.forgejo.enable {
+ owner = config.services.forgejo.user;
+ };
+ sops.secrets."forgejo/user1/email" = mkIf config.services.forgejo.enable {
+ owner = config.services.forgejo.user;
+ };
+ sops.secrets."forgejo/git-password" = mkIf config.services.forgejo.enable {
+ owner = config.services.forgejo.user;
+ };
+
+ sops.age.keyFile = "/home/guz/.config/sops/age/keys.txt";
+ };
+}
diff --git a/secrets/spacestation.lesser.json b/secrets/spacestation.lesser.json
new file mode 100644
index 0000000..2995f35
--- /dev/null
+++ b/secrets/spacestation.lesser.json
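Review bot: `lesser-secrets = fromJSON (readFile ./secrets/spacestation.lesser.decrypted.json)` pulls the decrypted file into evaluation, so every value it carries ends up in the world-readable Nix store as soon as a service references it; the encrypted file added in this commit holds `forgejo.actions-token` and `jellystat.db_password` next to the domains and ports, and those two are credentials, not "lesser" values. Moving them into `spacestation.yaml` and consuming them through `sops.secrets."<name>".path` (the actions runner has a `tokenFile` option for exactly this) keeps them out of the store. Separately, `sops.secrets."guz/password"` feeds `users.users."guz".hashedPasswordFile` in configuration.nix, which needs `neededForUsers = true;` so the secret is decrypted before user creation, and `sops.age.keyFile = "/home/guz/.config/sops/age/keys.txt";` makes root's activation depend on a file under one user's home — `/var/lib/sops-nix/key.txt` or `sops.age.sshKeyPaths` with the host SSH key is the usual place.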
@@ -0,0 +1,80 @@ +{ + "tailnet-name": "ENC[AES256_GCM,data:f9T+/IRApqThgMlE,iv:LufRlHxdon5mahAi1+jwbhTqcOZh2bdnUubfEL6QFg0=,tag:KmJ4E0EggzQh8ZCm2fLeGw==,type:str]", + "device-ip": "ENC[AES256_GCM,data:Ed6hS/9F52UGVLpAyw==,iv:sg9iVEmZxA2lNJoc0xwLRyDzoF1Cy48wp9CQf3zOOzQ=,tag:77RYGvjgw0QdZUsPcqVTvA==,type:str]", + "homelab-domain": "ENC[AES256_GCM,data:IQAkzgxJL4WsOqJ0RA==,iv:COJSPyCP33ZJJXz1blr4CTH3DfZ9oH/Em72VWlGWtO0=,tag:sLj91nAgVtvDiRcVzqgIsg==,type:str]", + "services": { + "adguard": { + "domain": "ENC[AES256_GCM,data:QquWEbgpXY13UMV9BTXplQ5LhSgv,iv:0AstA5oaS8714QME3QK0/aiv9Khqk1bLCcFdCEPn+IA=,tag:XXIWjIjHQ0gZFSFBHU49Ag==,type:str]", + "port": "ENC[AES256_GCM,data:4JC+Dg==,iv:jACiG3MB0u8mKFhghBN3VzLBGkUYeCC58fGOuLePJ+M=,tag:Lz4Q8U24aOfjIA4tK6yZwg==,type:float]" + }, + "dashdot": { + "domain": "ENC[AES256_GCM,data:eHFlKb+63lJDkQ1UdJywFWQNTC3a,iv:T0G0Is1goSBXyfyfnDm/YcgVm4acYfVXQOgcXVWdk/Q=,tag:0EF2AJgWIUHhm6+9USecsA==,type:str]", + "port": "ENC[AES256_GCM,data:T7LPwQ==,iv:AP7nnvV0NQWwnkBxOyIyFF3FS+BGMflxmr0UXnFOTvg=,tag:yaYsMrdXL9puSrLPnOfKdw==,type:float]" + }, + "ferdium-server": { + "domain": "ENC[AES256_GCM,data:wFFgzZoSZoejlXA5c0J9gg6sULwDZCc7KuvZiQ==,iv:Lbgt3FbalVLTEHwBviUPwt1tObnlVEyCVBp8YEFG6rw=,tag:n3UywY7WvdkfHG68kcE7aQ==,type:str]", + "port": "ENC[AES256_GCM,data:qAmD2g==,iv:BAuRv4tbmAf7uan2JBKIr9430tp235YBdrxNaMSrgtw=,tag:H6aYpnONS+MQh7z1IGuy7w==,type:float]" + }, + "forgejo": { + "domain": "ENC[AES256_GCM,data:DJDExE7VVmAk4ZLhOkTfD2wBY5i1,iv:tnOgrKCpglvDyk75mnmeoiz2trmD3r3wCL2etHmALC4=,tag:rAiEK9U48cR1q+W7Zbkhvg==,type:str]", + "port": "ENC[AES256_GCM,data:ydSACw==,iv:0RWRLLCU8YyYmOmTawns2Iy+ABiBFbBqgQ10+buZNt0=,tag:3QW0NzbKeUkcfYh/5my3fA==,type:float]", + "actions-token": "ENC[AES256_GCM,data:eNZtfpBt0ZjgLrykGKGEL3gtKCHHE+UWaDATgi0QHBGj7ZZX7ROuKQ==,iv:J8wmqFVmi8sarGupw/F4PP20HdaGTrxC4pF8GERwZxs=,tag:wZve5TI4/NpacMpHtpBnoA==,type:str]", + "actions-labels": [ + 
"ENC[AES256_GCM,data:QFgl5alecI2Ecc6hTisc1orcvOE5dmdoNf3gwN5HWeq40B65NhsmXcZuTpkALEE8gm42mLfq4Wtb8xvnBQ==,iv:Cktpy6ot7T9PVoertFmkznateg1GuI82j2/niAlTcP8=,tag:KJspmDE0OUCWI3sFY/5J4Q==,type:str]", + "ENC[AES256_GCM,data:7vnIpQXr6k+I5/1siptl6OEkSJj3FFRFXOEd5yv+c5pIzJU6CilcdTOHo+7Yp1E2IvKFla7MqcWZ0OjSAg==,iv:lPhi+CC8xJgvW5WR6C9OAbfEzXl8ueQOSl4JWKk9Zmo=,tag:5xY+AtNUWn+D3L4G3PmkpQ==,type:str]", + "ENC[AES256_GCM,data:KybqnMcU6ON30jLPHHdKB8oc2clxwV7otpUfinlm/YCWgvLZpsjFPnm/eu9hjKLfcwPEsWqi,iv:mmhWpJLzLJJJ8eJkNQtVLYudNG+wgIFoIEvc0o9KP7I=,tag:YB/x4AF+jrC1i0q/LhtnCw==,type:str]", + "ENC[AES256_GCM,data:ewFeb0pgS7t7ugV1rvEqQHkZ3UfHf7BdPXh9rIZAmyAG04E53EFYFcjuLLlZKnsu,iv:Dc+8zlv0bKkNbmMYgUXOrBkolOKJLrasen2KfUjwyoc=,tag:TUmz6hvwS3jbxvSfq3ajTQ==,type:str]" + ] + }, + "homarr": { + "domain": "ENC[AES256_GCM,data:IsFYq/sZtCgrCGuEFJCFZ8Yn3st4ILg=,iv:Iexxw/OcbjIuVz5VtY/170yAc/h3fLqNw5BJGiyROdg=,tag:PTYsnvq2Cr+M8MaHvMiJjw==,type:str]", + "port": "ENC[AES256_GCM,data:c0D1FA==,iv:tWr+ryzFU65X58YAKXPhJe+P+CN0hhJ0FY4K9sAJr8I=,tag:e4GetvqSzqZ/vhhyxyZQVQ==,type:float]" + }, + "jellyfin": { + "domain": "ENC[AES256_GCM,data:0XAqHmiw/9e3sIqMUk28sZ/2BBWafw==,iv:0auXERqDZFVVWpS2Y6b4jgqZHGv3tF7b83i6UTOBUNg=,tag:Xlgf6hyMKpfR2uEa/aUjsg==,type:str]", + "port": "ENC[AES256_GCM,data:E9A2Lw==,iv:J8GYwoLI/C7yc5fFu0Z6Qu7YPxHXvlyY5d36cWmm9Eg=,tag:fus1uxQxObj7mS3e7U4yTg==,type:float]" + }, + "jellyseerr": { + "domain": "ENC[AES256_GCM,data:yWRvgk6vGt+VIuOA7RiwHQBfjftLbDpq,iv:acbAerP79Fq7hRhpnifQ876CI+gavGe3sQvM7RIalBw=,tag:CXHKHgKTLeJeyKko8dr1Qg==,type:str]", + "port": "ENC[AES256_GCM,data:TTvqPg==,iv:Mu+T9LJ626BWB/xt/KHb6PGX2oAWd4h4f34oz1RirHQ=,tag:5zYrwtZD13ljcFFNlvwWJA==,type:float]" + }, + "jellystat": { + "domain": "ENC[AES256_GCM,data:JuOqn1eRSwgSmxGpI+cl8+rFPnTN+Wk=,iv:Wmp1jU2vaCZUaiAv/f6TQXdukWWHp1qr7Ay3YPbzDAA=,tag:pGc6PgHNR/uC5fkwXmTZ7w==,type:str]", + "port": "ENC[AES256_GCM,data:VLEiaQ==,iv:aN+vIsVK/snhGfjvmhsAcuGu06peqaa4uKJri14bgL4=,tag:A/vBY3vGS/PzlqtqFRpclg==,type:float]", + "db_password": 
"ENC[AES256_GCM,data:PSns4kHm0502Reo0iEOP,iv:VKULz9m+HAZqwI2QyKUAQ2x9977Qfj3j4sz9TzSssIA=,tag:EaFlN8gIVtBCeEGsCRG9UQ==,type:str]" + }, + "prowlarr": { + "domain": "ENC[AES256_GCM,data:cfeDhy+TD6SVUEgKlCNo0/NkWw5GZg==,iv:X3AXVcWPYJXUSdtkHH/Kkv2+fuztL3/f/ZOFu0iW4hs=,tag:gwxL14I8UUH1K0OEQrLgfQ==,type:str]", + "port": "ENC[AES256_GCM,data:sn6HCA==,iv:ghIKe2IeTBtCQfLN9mLrVYbb2cii1cb+UKFL0DtiNWc=,tag:2X40jOxNbLR0FboTa4xONg==,type:float]" + }, + "qbittorrent": { + "domain": "ENC[AES256_GCM,data:U2QUvsdFxhwLJO89QlFa37WxdDA2,iv:vbO9lc7jovM5KrU9n57h8PmSZxZSvSMIEZ1Sqe+L+ew=,tag:TYB9djUpDoYFmJ1qylE97w==,type:str]", + "port": "ENC[AES256_GCM,data:EYXJ/Q==,iv:ByiAPEg8n0p0ZZWkSssrpdEYl8NMqrGsFLcFwiyttQ4=,tag:b5hzfPPWj/N3ZtzNEe/2xQ==,type:float]" + }, + "radarr": { + "domain": "ENC[AES256_GCM,data:tbuhPJRqWNs47GofrHLrIPr8JI0=,iv:UpotCjNr4070MsBIlkTTtliekHegOJe976xjrc3So3s=,tag:yeu1lL3ldIYZ/FMzb4igbw==,type:str]", + "port": "ENC[AES256_GCM,data:e/JFRg==,iv:4EH69nzM2buQ3v56+tVUSjaYDlhfevA5fStA5FpSwxE=,tag:Maw8kdf3eF0dQeDOjVrDrw==,type:float]" + }, + "sonarr": { + "domain": "ENC[AES256_GCM,data:ElXSeC+fok18BtlzsQujUkWhVRg=,iv:bK91RHb66zGpmVf2qjDSWTLbSDm/hwmrhbcZ8+870RQ=,tag:T2aHrofrlqK6qhMHy8Xg5w==,type:str]", + "port": "ENC[AES256_GCM,data:5gAdwQ==,iv:6h+9iJWLjG8/s8+KVyVbCBL3T1tfpQdA0kBHY8/nuDM=,tag:/eY4dmkppBCj/ZucyLyFvA==,type:float]" + } + }, + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1sseqwwa7fc0ftry8njyuagdg28fkmtdwmj6m7p3etjsj83suee3shfzjyz", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnL3dCY1VLMmoxRFRmS0Ir\nV0ppTnI0RE5ZMjcvRGNPWkNxWFdJYTBDTG00ClRGQkh1UStGTmc0RE5aNy9nL3FI\nbHJIa3hLR0ZkTjd6WkFzOFkzeFdMNUEKLS0tIDBidk93Qy9LenFlSGZ2aEpuTUFt\nWVM2eS9UdXAvbzE4eEdKMjVEM3RLdm8KKeIhk+YOKVL9Y19lLyb6/Pxv8rbewK2e\nLm96jx+LOMOCFcQGxuFKWqQbTB4br/cPvRKSY5jFmFWqVg7pCPTAzQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-05-21T18:13:55Z", + "mac": 
"ENC[AES256_GCM,data:P+tqLu/mY+qadDeyDwEYf/Mwv2tJOBEghvkBhRzLguaynCk4pLhy40P+eIvd8/DWfERW/CAnOH038kJRO9zG5qZiYKZgTB1MVFACnpPoF4Ek1a0+eSmQfiHBBLd45fvExfyYo3XLi6e0ZNZYiQOSL++WqBPGcSAz0N2bhxnPqFE=,iv:b7xEGJybByQwl2FfIdC3q2UVuDgOTHrVPPqZe/w8cmc=,tag:upZP6dukO70Qm5hb3odTWg==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file diff --git a/secrets/spacestation.yaml b/secrets/spacestation.yaml new file mode 100644 index 0000000..e24c150 --- /dev/null +++ b/secrets/spacestation.yaml 
@@ -0,0 +1,38 @@ +guz: + password: ENC[AES256_GCM,data:zlO5xSFho7TXjFv62lgFir9SAgn+UE6XjdNEvIAgmQG9oDkthfgxO84wYdI0mQDwRIIs2PmSdBRfo0DPc3hji+ySCrItolPL8g==,iv:MZfhTxwfcbmXh5C6DkQhnY9NQGdE8zEwwvFOHQiUgKY=,tag:JjJN2bYcSXNN3ueGj5RNLg==,type:str] +network: + ip: ENC[AES256_GCM,data:AkbNOQLXRKLYjU2ywg==,iv:xqdTPCUYiT/cPe2zAbBJ7fUiEMViW9LZND4j0DdydLY=,tag:tq6nA5fGH4/mAvF6InUFgQ==,type:str] + localIp: ENC[AES256_GCM,data:PK8THL9NW//2sal1,iv:9h3f255rIgedYToVaUGuQ9RzD33V8sczRWsZe+rTyC0=,tag:OoJbes6k0FqxXzGQ8ZG0aA==,type:str] +forgejo: + git-password: ENC[AES256_GCM,data:SDyFBCwTxnZ1E6R/8HZCBIBj4AREYfqWrgzSEQ6SA3BDGPFsHghiVmF+Jt4omdzUQSoCCblMBsAx0NQBbBJrCbEoBWtybRM7Cg==,iv:KbtjXW1F8YJeapVpEkf8AdXhojmhOQKxG8nCZv7vW4k=,tag:odrL53KeKLVD5AoQB14veA==,type:str] + user1: + name: ENC[AES256_GCM,data:UL3g,iv:+ftGx57fhzN06DuLItxZTc7lXX2g4MhqrEqnDjk4Aug=,tag:ZNpwWuPYhBzDjRQBKikCDA==,type:str] + password: ENC[AES256_GCM,data:KXx9Kv9f9UP3sAU=,iv:bCBv+IEieR+RGjgjXLKMLlsqoBOLLYjvT167QIxxFmA=,tag:dPNUcrBrE66xDlFJltmIKg==,type:str] + email: ENC[AES256_GCM,data:iZjmn511sSRggO+ptkYZAeGKAFIMeV8R,iv:sBigXBpdYlj7zk7evE8IbQEa/YRVoCh2S/PFihx8VRU=,tag:XNSS+RFC8ChzZ/EzcQoDvg==,type:str] +nextcloud: + user1: + name: ENC[AES256_GCM,data:VJ2K,iv:RbCyfKweGteghP1X2II3WXQ6xjAqBz1PvFA+w6r6WA8=,tag:dRDTMXdvTFzS7xl9L1xbVA==,type:str] + password: ENC[AES256_GCM,data:u2F2aBuVt7CByfZcUA==,iv:YvRX13U/f6UTs4bvnwEMiNJydzaCM0etkRo/Uh7hf/Y=,tag:aqG10k2p0i8LAqWRQ92xjQ==,type:str] + email: ENC[AES256_GCM,data:J/xFtIs3+sUeHll0VPkpRX1dEwpX9RxH,iv:SikaNGysgIVXJgp4zKLkPrhuNN9lZa0nXmB5bTUdbOQ=,tag:CIiVsYRkig4H6j94293qbw==,type:str] +muse: + secrets: 
ENC[AES256_GCM,data:Kz9nq9uxrwjlbg38F8M0a7s0wuSpnZ42iGT6NOQa9LyEVr07PRHeqxAtAloPEX7gmAlTKyHY9hmkA/yUxrkioiaEd6PW5rF5Fq7wKSEYhyh9kUnwAf6NdQhFBj2UMnfWHpz50WQ27msJ2UzgJKzXQ24GYAXGlQwgyHkixpYPQ63t873YUNPaa53mx7STh7vRk//o940aP+Uar4OnMEdTGrmPqWLluR5/eVyNnDANhGWcCg626uZS26nZFO+gyrWJk2e1RsSVmzfjcIyaVkdTaEj1RQRUGxn/AS3FvqfGJ7tF9tWSaZ1PY2U2IdQv9usfa9m4Y6bRcoGN,iv:L4Y2F88NCSiB/KNL9HQ/49QRQwj2HfKuBEs8jsqpfR8=,tag://7BxypNznXIpWP2Mfvseg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1sseqwwa7fc0ftry8njyuagdg28fkmtdwmj6m7p3etjsj83suee3shfzjyz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkeGg1UzNkV0g1U0J4cUhr + dS9lZ1c0c0sxQzJjanRNSVBmQ09rQ1R2S0RRCmhzalFnWUNISis0K1JHSmcyN2cx + QWhQWFMxdmxKL1FkYU1PdmFHL1BoQncKLS0tIFN4MFRZTW5mUDI5T1Mra2tMS0Qz + amRmVkVoS2RqeEs3OXZVeTlsZUVEV28K1WcbGJHT8LMah5b7NN1psiucTl1OfZYO + 4T3RDSQMB3qj1TGQSdixjwRRKbMGtL3LXnvkNd+caVi5Z9OkF1O9Yg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-05-11T14:18:33Z" + mac: ENC[AES256_GCM,data:VbvpmpSadpIQVwGWOa2A9VLn1+k8V8t95lgDhuv49NFkX7LnJQ4YPoSXINfDw52oaBL0nb4BtICpifCLY7kVtSTVDRHmXhmpXLz/8axNUQZtcHviUU+QlTYuyghxr0y+1ZMlVH4gOqCkoSYwfjN3/c8KR5ukf47lIxwoogXyLKo=,iv:4OYVcV2PUx7N+QHyA7wp0307+VM1yZcBH7PNDONn+qU=,tag:8El/gNZGnNEVD8k5aMRc/w==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/services/adguardhome.nix b/services/adguardhome.nix new file mode 100644 index 0000000..c9bc6c8 --- /dev/null +++ b/services/adguardhome.nix 
@@ -0,0 +1,60 @@
+{ config
+, lib
+, pkgs
+, ...
+}:
+let
+ secrets = config.spacestation-secrets.lesser;
+ deviceIp = config.services.tailscale.deviceIp;
+in
+{
+ imports = [
+ ../modules/adguardhome.nix
+ ];
+ services.adguardhome = {
+ enable = true;
+ dns.rewrites = {
+ "*.${secrets.homelab-domain}" = deviceIp;
+ "${secrets.homelab-domain}" = deviceIp;
+ };
+ openFirewall = true;
+ port = secrets.services.adguard.port;
+ dns.filters = {
+ "Hagezi's Multi PRO" = {
+ url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/pro.txt";
+ };
+ "Hagezi's Badware Hoster" = {
+ url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/hoster.txt";
+ };
+ "Hagezi's DNS Bypass blocking" = {
+ url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/doh-vpn-proxy-bypass.txt";
+ };
+ "Hagezi's Dynamic DNS blocking" = {
+ url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/dyndns.txt";
+ };
+ "Hagezi's Gambling" = {
+ url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/gambling.txt";
+ };
+ "Hagezi's Native - LG webOS" = {
+ url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/native.lgwebos.txt";
+ };
+ "Hagezi's Native - Tiktok (Agressive)" = {
+ url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/hosts/native.tiktok.extended.txt";
+ };
+ "Hagezi's Native - Microsoft/Windows" = {
+ url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/native.winoffice.txt";
+ };
+ "Hagezi's Pop-up Ads" = {
+ url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/popupads.txt";
+ };
+ "Hagezi's TIF" = {
+ url = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/tif.txt";
+ };
+ };
+ settings.user_rules = [
+ "@@||tumblr.com^$important"
+ "@@||wordpress.com^$important"
+ "@@||tailscale.com^$important"
+ ];
+ };
+}
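Review bot: `openFirewall = true;` opens the AdGuard Home admin-UI `port` in `networking.firewall` on every interface, so the dashboard is reachable from the LAN segment as well as from the tailnet that the `dns.rewrites` entries point at; with the upstream module the UI also listens on 0.0.0.0 by default. This file imports `../modules/adguardhome.nix` (not in the diff) and `dns.rewrites`/`dns.filters` are not upstream option names, so the listener may already be restricted there, but if it is not, prefer `host = deviceIp;` or `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ secrets.services.adguard.port ];` in place of `openFirewall = true;` so only tailnet peers reach the admin interface. The `@latest` jsDelivr URLs are acceptable for data feeds but mean the filter contents change without a configuration change; a comment such as `# blocklists track upstream HEAD; nothing here is pinned` would make that deliberate.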
diff --git a/services/containers/default.nix b/services/containers/default.nix
new file mode 100644
index 0000000..6a444d3
--- /dev/null
+++ b/services/containers/default.nix
@@ -0,0 +1,11 @@
+{ ... }: {
+ imports = [
+ ./prata-music.nix
+ ];
+ virtualisation = {
+ docker.enable = true;
+ oci-containers = {
+ backend = "docker";
+ };
+ };
+}
diff --git a/services/containers/prata-music.nix b/services/containers/prata-music.nix
new file mode 100644
index 0000000..d1424d6
--- /dev/null
+++ b/services/containers/prata-music.nix
@@ -0,0 +1,17 @@
+{ config
+, lib
+, pkgs
+, ...
+}: {
+ imports = [ ];
+ virtualisation.oci-containers.containers.prata-music = {
+ image = "codetheweb/muse:latest";
+ autoStart = true;
+ volumes = [
+ "/var/lib/muse/data:/data"
+ ];
+ environmentFiles = [
+ (/. + config.sops.secrets."muse/secrets".path)
+ ];
+ };
+}
diff --git a/services/default.nix b/services/default.nix
new file mode 100644
index 0000000..0d4ef32
--- /dev/null
+++ b/services/default.nix
@@ -0,0 +1,8 @@
+{ ... }: {
+ imports = [
+ ./adguardhome.nix
+ ./containers
+ ./forgejo.nix
+ ./tailscale.nix
+ ];
+}
diff --git a/services/forgejo.nix b/services/forgejo.nix
new file mode 100644
index 0000000..898a68c
--- /dev/null
+++ b/services/forgejo.nix
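Review bot: `image = "codetheweb/muse:latest";` in prata-music.nix pins nothing, so every pull on rebuild may run a different image, and that image is handed the decrypted `muse/secrets` environment file, meaning a compromised or replaced upstream tag receives those credentials with no change on this side. Pin a tag plus digest, e.g. `image = "codetheweb/muse:<version>@sha256:<digest>";`, and bump it deliberately. The container also runs as the backend's default root user with no `extraOptions` hardening (`"--read-only"`, `"--cap-drop=ALL"`, a `user =`), worth adding if muse tolerates it. The `/. + …path` expression turns the runtime secret path into a Nix path value; the oci-containers module appears to only `toString` it, but any consumer that interpolates a path value into a string copies the file into the world-readable Nix store, so the plain string `config.sops.secrets."muse/secrets".path` is the safer form.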
@@ -0,0 +1,37 @@
+{ config
+, lib
+, pkgs
+, ...
+}:
+let
+ secrets = config.spacestation-secrets.lesser;
+in
+{
+ imports = [
+ ../modules/forgejo
+ ];
+ services.forgejo = {
+ enable = true;
+ actions = {
+ enable = true;
+ token = secrets.services.forgejo.actions-token;
+ url = "http://192.168.1.10:${toString secrets.services.forgejo.port}";
+ labels = secrets.services.forgejo.actions-labels;
+ };
+ users = {
+ user1 = {
+ name = /. + config.sops.secrets."forgejo/user1/name".path;
+ password = /. + config.sops.secrets."forgejo/user1/password".path;
+ email = /. + config.sops.secrets."forgejo/user1/email".path;
+ admin = true;
+ };
+ };
+ settings = {
+ server = {
+ HTTP_PORT = secrets.services.forgejo.port;
+ DOMAIN = secrets.services.forgejo.domain;
+ ROOT_URL = "https://${secrets.services.forgejo.domain}";
+ };
+ };
+ };
+}
diff --git a/services/tailscale.nix b/services/tailscale.nix
new file mode 100644
index 0000000..a638b59
--- /dev/null
+++ b/services/tailscale.nix
@@ -0,0 +1,20 @@
+{ config
+, lib
+, pkgs
+, ...
+}:
+let
+ secrets = config.spacestation-secrets.lesser;
+in
+{
+ imports = [
+ ../modules/tailscale.nix
+ ];
+ services.tailscale = {
+ enable = true;
+ useRoutingFeatures = "both";
+ exitNode = true;
+ tailnetName = secrets.tailnet-name;
+ deviceIp = secrets.device-ip;
+ };
+}
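Review bot: `token = secrets.services.forgejo.actions-token;` takes the runner registration token from `config.spacestation-secrets.lesser`, which this file already uses as an evaluation-time attrset (`toString secrets.services.forgejo.port`, `"${secrets.services.forgejo.domain}"`), so whatever `../modules/forgejo` writes that value into (unit file or generated config) lands in the world-readable Nix store; the `user1` credentials are correctly passed as runtime `config.sops.secrets…path` values and the token should take the same route, e.g. `token = config.sops.secrets."forgejo/actions-token".path;` if the module accepts a file. The `/. + …path` coercion on the `name`/`password`/`email` lines produces Nix path values, and if `../modules/forgejo` (outside the diff) ever interpolates one into a string Nix copies the decrypted file into the store, so plain string paths are safer there too. `actions.url = "http://192.168.1.10:…"` while `ROOT_URL` is `https://…` means the runner registers over plaintext HTTP on the LAN address; keeping that on loopback or the Tailscale address avoids exposing the token on the wire. How much of this applies depends on how `../modules/forgejo` consumes these options.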
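Review bot: `useRoutingFeatures = "both";` together with `exitNode = true;` makes this host an IP forwarder with loose reverse-path filtering (the upstream tailscale module sets forwarding sysctls and `checkReversePath = "loose"` for `"both"`), on a box whose other services open firewall ports on all interfaces, so tailnet ACLs become the only control on who can route through it. `exitNode`, `tailnetName` and `deviceIp` are not upstream `services.tailscale` options and must come from `../modules/tailscale.nix` outside the diff; a one-line comment such as `# exitNode/tailnetName/deviceIp are custom options from ../modules/tailscale.nix` would save the next reader a lookup. If `"client"` routing is not actually needed on this host, `"server"` keeps forwarding without loosening rp_filter.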