mjallen18
2024-08-07 18:41:09 -05:00
parent 26cc1b223f
commit 0fc00e2d29
26 changed files with 683 additions and 202 deletions

15
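--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,15 @@
+# This example uses YAML anchors which allows reuse of multiple keys
+# without having to repeat yourself.
+# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
+# for a more complex example.
+keys:
+- &matt age157jemphjzg6zmk373vpccuguyw6e75qnkqmz8pcnn2yue85p939swqqhy0
+- &desktop age1jv8ap5zwa49ftv0gg7wqf5ps0e68uuwxe2fekjsn0zkyql964unqyc58rf
+- &jallen-nas age1mn2afyp9my7y7hcyzum0wdwt49zufnkt8swnyy8pj30cwzs4zvgsthj0lt
+creation_rules:
+- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+key_groups:
+- age:
+- *matt
+- *desktop
+- *jallen-nas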
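Review bot: The single creation rule encrypts every file under `secrets/` to all three recipients (`*matt`, `*desktop`, `*jallen-nas`), so each host key can decrypt every other host's secrets. secrets/secrets.yaml in this commit holds both a `jallen-nas:` and a `desktop:` tree, which means the NAS host key can read `desktop/matt_password` and the desktop key can read the NAS database passwords. Splitting the secrets into per-host files with one `path_regex` rule each (for example `secrets/jallen-nas/[^/]+\.yaml$` listing only `*matt` and `*jallen-nas`; the path is a constructed example) keeps one compromised host from exposing the rest. A comment above `keys:` saying which anchor is a user key and which are host keys would also help at rotation time.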

434
flake.lock generated

@@ -1,21 +1,62 @@
{
"nodes": {
"authentik-nix": {
"inputs": {
"authentik-src": "authentik-src",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils",
"napalm": "napalm",
"nixpkgs": "nixpkgs",
"poetry2nix": "poetry2nix"
},
"locked": {
"lastModified": 1722673481,
"narHash": "sha256-IWNFRDPVo1mDd0TzHsrweTVkcC0vZblkO3eo5h3lthQ=",
"owner": "nix-community",
"repo": "authentik-nix",
"rev": "9067dd09db38130c400bc7a392339f757fa5ff45",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "authentik-nix",
"type": "github"
}
},
"authentik-src": {
"flake": false,
"locked": {
"lastModified": 1722437664,
"narHash": "sha256-MtnBndHJmrp7NLIUO2/8SMy/9RKXyoTmh3X19P6KOtI=",
"owner": "goauthentik",
"repo": "authentik",
"rev": "d6904b6aa1440f98f8061c3d12f7358c21b5ae2d",
"type": "github"
},
"original": {
"owner": "goauthentik",
"ref": "version/2024.6.2",
"repo": "authentik",
"type": "github"
}
},
"chaotic": {
"inputs": {
"compare-to": "compare-to",
"flake-schemas": "flake-schemas",
"home-manager": "home-manager",
"jovian": "jovian",
"nixpkgs": "nixpkgs",
"systems": "systems",
"nixpkgs": "nixpkgs_2",
"systems": "systems_3",
"yafas": "yafas"
},
"locked": {
"lastModified": 1722269440,
"narHash": "sha256-eUzqnxgHIfxGcXk0SwXwP011uQ41WOEHX+gg1uPSkcE=",
"lastModified": 1722771754,
"narHash": "sha256-NXE43sBXHB5kto5dSH9afFUxug7W8bBZg75UHbydX5E=",
"owner": "chaotic-cx",
"repo": "nyx",
"rev": "a383380ec33f66ef92c4e815260271f6ad7cf286",
"rev": "69263a943d93c7af4429924ef66f3f64e5555089",
"type": "github"
},
"original": {
@@ -41,16 +82,17 @@
},
"cosmic": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": "nixpkgs_2",
"nixpkgs-stable": "nixpkgs-stable"
"flake-compat": "flake-compat_2",
"nixpkgs": "nixpkgs_3",
"nixpkgs-stable": "nixpkgs-stable",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1722449994,
"narHash": "sha256-xcpJE83RMrMPcfmoSScTs8yxGGIexOaHCt2lb3rKzzU=",
"lastModified": 1722811556,
"narHash": "sha256-tqmK+5gBOBogsoFY/0t8y+7VQGfoIddsWtb5brM7tyI=",
"owner": "lilyinstarlight",
"repo": "nixos-cosmic",
"rev": "7bccbcaafaf1e1e8077c0440c9e2defc8f5a2a75",
"rev": "c0a1d2525807a87ea27cb5ff8d2026e1792d2da0",
"type": "github"
},
"original": {
@@ -122,6 +164,22 @@
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1717312683,
@@ -137,7 +195,7 @@
"type": "github"
}
},
"flake-compat_2": {
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1696426674,
@@ -153,7 +211,7 @@
"type": "github"
}
},
"flake-compat_3": {
"flake-compat_4": {
"locked": {
"lastModified": 1688025799,
"narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=",
@@ -169,6 +227,24 @@
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1719745305,
"narHash": "sha256-xwgjVUpqSviudEkpQnioeez1Uo2wzrsMaJKJClh+Bls=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "c3c5ecc05edc7dafba779c6c1a61cd08ac6583e9",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
@@ -205,7 +281,25 @@
},
"flake-utils": {
"inputs": {
"systems": "systems_2"
"systems": "systems"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_4"
},
"locked": {
"lastModified": 1710146030,
@@ -251,11 +345,11 @@
]
},
"locked": {
"lastModified": 1722119539,
"narHash": "sha256-2kU90liMle0vKR8exJx1XM4hZh9CdNgZGHCTbeA9yzY=",
"lastModified": 1722462338,
"narHash": "sha256-ss0G8t8RJVDewA3MyqgAlV951cWRK6EtVhVKEZ7J5LU=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "d0240a064db3987eb4d5204cf2400bc4452d9922",
"rev": "6e090576c4824b16e8759ebca3958c5b09659ee8",
"type": "github"
},
"original": {
@@ -292,11 +386,11 @@
]
},
"locked": {
"lastModified": 1722407237,
"narHash": "sha256-wcpVHUc2nBSSgOM7UJSpcRbyus4duREF31xlzHV5T+A=",
"lastModified": 1722630065,
"narHash": "sha256-QfM/9BMRkCmgWzrPDK+KbgJOUlSJnfX4OvsUupEUZvA=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "58cef3796271aaeabaed98884d4abaab5d9d162d",
"rev": "afc892db74d65042031a093adb6010c4c3378422",
"type": "github"
},
"original": {
@@ -322,7 +416,7 @@
},
"jovian": {
"inputs": {
"nix-github-actions": "nix-github-actions",
"nix-github-actions": "nix-github-actions_2",
"nixpkgs": [
"chaotic",
"nixpkgs"
@@ -345,14 +439,14 @@
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat_2",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils",
"flake-compat": "flake-compat_3",
"flake-parts": "flake-parts_2",
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nixpkgs-unstable"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
"rust-overlay": "rust-overlay_2"
},
"locked": {
"lastModified": 1718178907,
@@ -385,6 +479,31 @@
"type": "github"
}
},
"napalm": {
"inputs": {
"flake-utils": [
"authentik-nix",
"flake-utils"
],
"nixpkgs": [
"authentik-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1717929455,
"narHash": "sha256-BiI5xWygriOJuNISnGAeL0KYxrEMnjgpg+7wDskVBhI=",
"owner": "nix-community",
"repo": "napalm",
"rev": "e1babff744cd278b56abe8478008b4a9e23036cf",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "napalm",
"type": "github"
}
},
"nci": {
"inputs": {
"crane": "crane_2",
@@ -395,7 +514,7 @@
"nixpkgs"
],
"parts": "parts",
"rust-overlay": "rust-overlay_2",
"rust-overlay": "rust-overlay_3",
"treefmt": "treefmt"
},
"locked": {
@@ -414,14 +533,14 @@
},
"nix-darwin": {
"inputs": {
"nixpkgs": "nixpkgs_3"
"nixpkgs": "nixpkgs_4"
},
"locked": {
"lastModified": 1722445220,
"narHash": "sha256-PW5FRqLhqg0xGpPjY2Poa464tyBQiyKd0tQGZ0HnMiU=",
"lastModified": 1722609272,
"narHash": "sha256-Kkb+ULEHVmk07AX+OhwyofFxBDpw+2WvsXguUS2m6e4=",
"owner": "LnL7",
"repo": "nix-darwin",
"rev": "7e08a9dd34314fb8051c28b231a68726c54daa7b",
"rev": "f7142b8024d6b70c66fd646e1d099d3aa5bfec49",
"type": "github"
},
"original": {
@@ -431,6 +550,28 @@
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"authentik-nix",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703863825,
"narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "5163432afc817cf8bd1f031418d1869e4c9d5547",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nix-github-actions_2": {
"inputs": {
"nixpkgs": [
"chaotic",
@@ -456,7 +597,7 @@
"nix-inspect": {
"inputs": {
"nci": "nci",
"nixpkgs": "nixpkgs_4",
"nixpkgs": "nixpkgs_5",
"parts": "parts_2"
},
"locked": {
@@ -475,9 +616,9 @@
},
"nixos-apple-silicon": {
"inputs": {
"flake-compat": "flake-compat_3",
"nixpkgs": "nixpkgs_5",
"rust-overlay": "rust-overlay_3"
"flake-compat": "flake-compat_4",
"nixpkgs": "nixpkgs_6",
"rust-overlay": "rust-overlay_4"
},
"locked": {
"lastModified": 1717784003,
@@ -511,11 +652,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1722062969,
"narHash": "sha256-QOS0ykELUmPbrrUGmegAUlpmUFznDQeR4q7rFhl8eQg=",
"lastModified": 1720542800,
"narHash": "sha256-ZgnNHuKV6h2+fQ5LuqnUaqZey1Lqqt5dTUAiAnqH0QQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b73c2221a46c13557b1b3be9c2070cc42cf01eb3",
"rev": "feb2849fdeb70028c70d73b848214b00d324a497",
"type": "github"
},
"original": {
@@ -525,13 +666,25 @@
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1717284937,
"narHash": "sha256-lIbdfCsf8LMFloheeE6N31+BMIeixqyQWbSr2vk79EQ=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/eb9ceca17df2ea50a250b6b27f7bf6ab0186f198.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/eb9ceca17df2ea50a250b6b27f7bf6ab0186f198.tar.gz"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1722221733,
"narHash": "sha256-sga9SrrPb+pQJxG1ttJfMPheZvDOxApFfwXCFO0H9xw=",
"lastModified": 1722519197,
"narHash": "sha256-VEdJmVU2eLFtLqCjTYJd1J7+Go8idAcZoT11IewFiRg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "12bf09802d77264e441f48e25459c10c93eada2e",
"rev": "05405724efa137a0b899cce5ab4dde463b4fd30b",
"type": "github"
},
"original": {
@@ -559,11 +712,11 @@
},
"nixpkgs-stable_3": {
"locked": {
"lastModified": 1722221733,
"narHash": "sha256-sga9SrrPb+pQJxG1ttJfMPheZvDOxApFfwXCFO0H9xw=",
"lastModified": 1722651103,
"narHash": "sha256-IRiJA0NVAoyaZeKZluwfb2DoTpBAj+FLI0KfybBeDU0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "12bf09802d77264e441f48e25459c10c93eada2e",
"rev": "a633d89c6dc9a2a8aae11813a62d7c58b2c0cc51",
"type": "github"
},
"original": {
@@ -573,13 +726,29 @@
"type": "github"
}
},
"nixpkgs-unstable": {
"nixpkgs-stable_4": {
"locked": {
"lastModified": 1722185531,
"narHash": "sha256-veKR07psFoJjINLC8RK4DiLniGGMgF3QMlS4tb74S6k=",
"lastModified": 1721524707,
"narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "52ec9ac3b12395ad677e8b62106f0b98c1f8569d",
"rev": "556533a23879fc7e5f98dd2e0b31a6911a213171",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1722630782,
"narHash": "sha256-hMyG9/WlUi0Ho9VkRrrez7SeNlDzLxalm9FwY7n/Noo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d04953086551086b44b6f3c6b7eeb26294f207da",
"type": "github"
},
"original": {
@@ -591,11 +760,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1722185531,
"narHash": "sha256-veKR07psFoJjINLC8RK4DiLniGGMgF3QMlS4tb74S6k=",
"lastModified": 1722630782,
"narHash": "sha256-hMyG9/WlUi0Ho9VkRrrez7SeNlDzLxalm9FwY7n/Noo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "52ec9ac3b12395ad677e8b62106f0b98c1f8569d",
"rev": "d04953086551086b44b6f3c6b7eeb26294f207da",
"type": "github"
},
"original": {
@@ -606,6 +775,22 @@
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1722421184,
"narHash": "sha256-/DJBI6trCeVnasdjUo9pbnodCLZcFqnVZiLUfqLH4jA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9f918d616c5321ad374ae6cb5ea89c9e04bf3e58",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_4": {
"locked": {
"lastModified": 1718149104,
"narHash": "sha256-Ds1QpobBX2yoUDx9ZruqVGJ/uQPgcXoYuobBguyKEh8=",
@@ -619,7 +804,7 @@
"type": "indirect"
}
},
"nixpkgs_4": {
"nixpkgs_5": {
"locked": {
"lastModified": 1709961763,
"narHash": "sha256-6H95HGJHhEZtyYA3rIQpvamMKAGoa8Yh2rFV29QnuGw=",
@@ -635,7 +820,7 @@
"type": "github"
}
},
"nixpkgs_5": {
"nixpkgs_6": {
"locked": {
"lastModified": 1716293225,
"narHash": "sha256-pU9ViBVE3XYb70xZx+jK6SEVphvt7xMTbm6yDIF4xPs=",
@@ -651,6 +836,22 @@
"type": "github"
}
},
"nixpkgs_7": {
"locked": {
"lastModified": 1721466660,
"narHash": "sha256-pFSxgSZqZ3h+5Du0KvEL1ccDZBwu4zvOil1zzrPNb3c=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6e14bbce7bea6c4efd7adfa88a40dac750d80100",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"parts": {
"inputs": {
"nixpkgs-lib": [
@@ -694,6 +895,34 @@
"type": "github"
}
},
"poetry2nix": {
"inputs": {
"flake-utils": [
"authentik-nix",
"flake-utils"
],
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"authentik-nix",
"nixpkgs"
],
"systems": "systems_2",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1719549552,
"narHash": "sha256-efvBV+45uQA6r7aov48H6MhvKp1QUIyIX5gh9oueUzs=",
"owner": "nix-community",
"repo": "poetry2nix",
"rev": "4fd045cdb85f2a0173021a4717dc01d92d7ab2b2",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "poetry2nix",
"type": "github"
}
},
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
@@ -764,6 +993,7 @@
},
"root": {
"inputs": {
"authentik-nix": "authentik-nix",
"chaotic": "chaotic",
"cosmic": "cosmic",
"home-manager": "home-manager_2",
@@ -775,10 +1005,32 @@
"nixos-apple-silicon": "nixos-apple-silicon",
"nixos-hardware": "nixos-hardware",
"nixpkgs-stable": "nixpkgs-stable_3",
"nixpkgs-unstable": "nixpkgs-unstable"
"nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix"
}
},
"rust-overlay": {
"inputs": {
"nixpkgs": [
"cosmic",
"nixpkgs"
]
},
"locked": {
"lastModified": 1722738111,
"narHash": "sha256-cWD5pCs9AYb+512/yCx9D0Pl5KcmyuXHeJpsDw/D1vs=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "27ec296d93cb4b2d03e8cbd019b1b4cde8c34280",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"rust-overlay_2": {
"inputs": {
"flake-utils": [
"lanzaboote",
@@ -803,7 +1055,7 @@
"type": "github"
}
},
"rust-overlay_2": {
"rust-overlay_3": {
"flake": false,
"locked": {
"lastModified": 1710123130,
@@ -819,7 +1071,7 @@
"type": "github"
}
},
"rust-overlay_3": {
"rust-overlay_4": {
"flake": false,
"locked": {
"lastModified": 1686795910,
@@ -859,7 +1111,55 @@
"type": "github"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": "nixpkgs_7",
"nixpkgs-stable": "nixpkgs-stable_4"
},
"locked": {
"lastModified": 1722114803,
"narHash": "sha256-s6YhI8UHwQvO4cIFLwl1wZ1eS5Cuuw7ld2VzUchdFP0=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "eb34eb588132d653e4c4925d862f1e5a227cc2ab",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"id": "systems",
"type": "indirect"
}
},
"systems_3": {
"locked": {
"lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
@@ -874,7 +1174,7 @@
"type": "github"
}
},
"systems_2": {
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
@@ -911,6 +1211,28 @@
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"authentik-nix",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1718522839,
"narHash": "sha256-ULzoKzEaBOiLRtjeY3YoGFJMwWSKRYOic6VNw2UyTls=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "68eb1dc333ce82d0ab0c0357363ea17c31ea1f81",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"yafas": {
"inputs": {
"flake-schemas": [


@@ -9,6 +9,9 @@
# Nix Inspect
nix-inspect.url = "github:bluskript/nix-inspect";
# Authentik
authentik-nix.url = "github:nix-community/authentik-nix";
# Chaotic-nix
chaotic.url = "github:chaotic-cx/nyx/nyxpkgs-unstable";
@@ -31,6 +34,9 @@
# Nix hardware
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
# Sops-nix
sops-nix.url = "github:Mic92/sops-nix";
#Apple
nixos-apple-silicon.url = "github:mjallen18/nixos-apple-silicon";
nix-darwin.url = "github:LnL7/nix-darwin";
@@ -53,6 +59,8 @@
home-manager-stable,
nix-inspect,
cosmic,
authentik-nix,
sops-nix,
}@inputs:
let
inherit (self) outputs;
@@ -85,6 +93,8 @@
nixos-hardware.nixosModules.common-hidpi
nixos-hardware.nixosModules.common-pc
sops-nix.nixosModules.sops
cosmic.nixosModules.default
];
};
@@ -96,7 +106,9 @@
inherit inputs outputs;
};
modules = [
impermanence.nixosModules.impermanence
./hosts/nas/configuration.nix
./hosts/nas/impermanence.nix
home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
@@ -104,6 +116,10 @@
home-manager.users.admin = import ./hosts/nas/home.nix;
}
authentik-nix.nixosModules.default
sops-nix.nixosModules.sops
nixos-hardware.nixosModules.common-pc
nixos-hardware.nixosModules.common-cpu-amd
nixos-hardware.nixosModules.common-hidpi
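Review bot: The new `sops-nix` input is declared without a `follows`, and the lock file in this commit gains `nixpkgs_7` and `nixpkgs-stable_4` for it, so the lock carries two more nixpkgs pins that nothing else in the flake updates. Adding `sops-nix.inputs.nixpkgs.follows = "nixpkgs-unstable";` (or whichever root nixpkgs input these hosts actually build from) removes the extra pins and leaves one source to audit. `authentik-nix` brings its own pins as well (`nixpkgs`, `poetry2nix`, `napalm`); a comment next to that input saying the separate pin is deliberate would be enough there, since the hunks do not show whether overriding it is supported. The `outputs` function and both module lists continue outside the hunks shown.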


@@ -2,6 +2,8 @@
config,
lib,
pkgs,
inputs,
globals,
...
}:
let
@@ -96,6 +98,8 @@ in
environment.systemPackages = with pkgs; [ pinentry-curses ];
# users.mutableUsers = lib.mkDefault false;
# Security config
security = {


@@ -54,7 +54,7 @@ in
displayManager.defaultSession = "gnome";
# Enable Flatpak
flatpak.enable = false;
flatpak.enable = true;
# disable plasma
displayManager.sddm.enable = false;
@@ -149,6 +149,8 @@ in
apps.discover-wrapped.enable = false;
nix.settings.trusted-users = [ "root" "matt" ];
services = {
# Enable Desktop Environment.
displayManager = {
@@ -161,7 +163,7 @@ in
desktopManager.plasma6.enable = lib.mkDefault true;
# Enable Flatpak
flatpak.enable = lib.mkDefault false;
flatpak.enable = lib.mkDefault true;
};
# xdg.portal.extraPortals = [ pkgs.xdg-desktop-portal-kde ];
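Review bot: `nix.settings.trusted-users = [ "root" "matt" ];` lets `matt` instruct the Nix daemon to do things normally reserved for root, such as adding substituters or importing store paths without signature checks, so a compromise of that login is close to root-equivalent without a sudo prompt. If the entry is only there for an extra binary cache, configure the cache system-wide through `nix.settings.substituters` and `nix.settings.trusted-public-keys` and drop `"matt"`. If it has to stay, record the reason on the line, e.g. `# matt is root-equivalent via the nix daemon; needed for <reason>`. The surrounding attribute set continues outside the hunk.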


@@ -19,9 +19,9 @@
shellAliases = {
ll = "ls -alh";
update = "sudo nixos-rebuild switch";
update = "sudo nixos-rebuild switch --max-jobs 10";
update-flake = "sudo nix flake update ~/nix-config";
update-specialisation = "sudo nixos-rebuild switch --specialisation";
update-specialisation = "sudo nixos-rebuild switch --specialisation --max-jobs 10";
nas-update = "nixos-rebuild switch --use-remote-sudo --target-host admin@jallen-nas.local --build-host localhost --flake ~/nix-config#jallen-nas";
nas-ssh = "ssh admin@jallen-nas.local";
};
@@ -55,6 +55,7 @@
home.packages = with pkgs; [
# gamescope # using chaotic git version
# gamescope-wsi # using chaotic git version
age
bottles
chromium
deadnix
@@ -67,6 +68,7 @@
goverlay
heroic
home-manager
jq
libreoffice-qt6-fresh
lm_sensors
lutris
@@ -88,8 +90,11 @@
python312Packages.pytest
python312Packages.pytest-cov
python312Packages.pyaml
sops
spotify
ssh-to-pgp
tree
vesktop
virt-manager
vmware-horizon-client
vorta
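Review bot: In the `update-specialisation` alias the new text is appended after `--specialisation`, which takes the specialisation name as its next argument; the alias used to end with that flag so the name typed after the alias was consumed by it, and now `--max-jobs` sits in that position. Put the new flag in front instead: `update-specialisation = "sudo nixos-rebuild switch --max-jobs 10 --specialisation";`. The `update` alias is not affected because it takes no trailing argument.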


@@ -12,7 +12,10 @@
beszel-agent.enable = true;
collabora.enable = true;
collabora = {
enable = true;
environmentFiles = [ config.sops.secrets."jallen-nas/collabora".path ];
};
deluge.enable = true;
@@ -22,11 +25,18 @@
jellyseerr.enable = true;
mariadb.enable = true;
mariadb = {
enable = true;
environmentFiles = [
config.sops.secrets."jallen-nas/mariadb/db_pass".path
config.sops.secrets."jallen-nas/mariadb/root_pass".path
];
};
mealie = {
enable = true;
baseUrl = "https://mealie.mjallen.dev";
port = "9001";
maxConcurrency = "4";
maxWorkers = "4";
allowSignup = "false";
@@ -35,7 +45,8 @@
nextcloud = {
enable = true;
httpPort = "9981";
httpsPort = "9443";
httpsPort = "9943";
redisSock = "/var/run/redis-nextcloud/redis.sock";
};
ollama.enable = true;
@@ -46,8 +57,6 @@
radarr.enable = true;
redis.enable = true;
sabnzbd.enable = true;
sonarr.enable = true;
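Review bot: The `environmentFiles` entries for `collabora` and `mariadb` point at sops secrets, but nothing records that each secret must be an env-style file whose variable names match what the container reads. The container modules changed in this commit keep the old assignments as commented-out code instead (`# password = cfg.password; # get from env file`, `# MYSQL_ROOT_PASSWORD = cfg.rootPassword; # get from env file`), and those lines reference options this commit removes. I would delete them and state the contract here, e.g. `# sops secret is an env file: MYSQL_ROOT_PASSWORD=<value>` above each path, with the variable names taken from the removed `environment` entries. A secret stored as a bare value would probably leave the variable unset, which is easy to miss.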


@@ -12,7 +12,7 @@
}:
let
user = "admin";
password = "$y$j9T$EkPXmsmIMFFZ.WRrBYCxS1$P0kwo6e4.WM5DsqUcEqWC3MrZp5KfCjxffraMFZWu06";
passwordFile = config.sops.secrets."jallen-nas/admin_password".path;
in
{
imports = [
@@ -25,9 +25,15 @@ in
./ups.nix
./samba.nix
./services.nix
./sops.nix
../default.nix
];
nix.settings.experimental-features = [
"nix-command"
"flakes"
];
# Cockpit
services.cockpit = {
enable = true;
@@ -78,42 +84,39 @@ in
};
systemPackages = with pkgs; [
vim
wget
nano
efibootmgr
sbctl
pciutils
vulkan-tools
clinfo
glances
python3
nix-ld
authentik
binutils
gcc
cryptsetup
clinfo
cmake
duperemove
efibootmgr
ffmpeg
gcc
glances
htop
lm_sensors
nano
ninja
nix-inspect
nix-ld
nmon
nodejs-18_x
nut
nmon
pass
protonvpn-cli
protonmail-bridge
pass
cockpit
packagekit
# gnome.gnome-packagekit
unstable.nix-inspect
unstable.gpt4all
lm_sensors
htop
pass
pciutils
protonmail-bridge
protonvpn-cli
python3
sbctl
speedtest-cli
tailscale
tpm2-tools
tpm2-tss
cryptsetup
duperemove
speedtest-cli
vim
vulkan-tools
wget
];
};
@@ -158,7 +161,7 @@ in
"nix-apps"
"jallen-nas"
]; # Enable sudo for the user.
initialHashedPassword = password;
hashedPasswordFile = passwordFile;
shell = pkgs.zsh;
openssh.authorizedKeys.keys = [
# macBook
@@ -192,7 +195,7 @@ in
"docker"
"podman"
]; # Enable sudo for the user.
hashedPassword = password;
hashedPasswordFile = passwordFile;
};
groups.nut.name = "nut";
@@ -202,7 +205,7 @@ in
isSystemUser = true;
createHome = true;
home = "/var/lib/nut";
hashedPassword = password;
hashedPasswordFile = passwordFile;
};
};
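Review bot: Moving the values into sops does not retire them: the password hash removed from the `let` block here, the Wi-Fi PSK removed in the networking section, and the password that was the default of the collabora, mariadb, nextcloud and redis container options all stay readable in the repository history. Unless the values encrypted into secrets/secrets.yaml are new ones, they should be rotated as part of this change, including a fresh hash for `hashedPasswordFile`. A line in the commit description, or a comment next to the secret declarations, stating that the secrets were regenerated would make that auditable. The `users` set these three `hashedPasswordFile` lines belong to starts outside the hunks.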


@@ -0,0 +1,38 @@
{
pkgs,
lib,
LT,
config,
utils,
inputs,
...
}@args:
{
# Set up impernance configuration for things like bluetooth
# In this configuration with /etc and /var/log being persistent, only directories outside of that need to be done here. See hardware configuration for all mountpoints.
environment.persistence."/nix/persist/system" = {
hideMounts = true;
directories = [
"/var/lib/bluetooth"
"/var/lib/nixos"
"/var/lib/systemd/coredump"
"/etc/NetworkManager/system-connections"
"/etc/secureboot"
{
directory = "/var/lib/colord";
user = "colord";
group = "colord";
mode = "u=rwx,g=rx,o=";
}
];
files = [
{
file = "/etc/nix/id_rsa";
parentDirectory = {
mode = "u=rwx,g=,o=";
};
}
];
};
}
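Review bot: The `files` entry persists `/etc/nix/id_rsa` with `parentDirectory.mode = "u=rwx,g=,o=";`, and the parent directory in question is `/etc/nix`; if impermanence applies that mode to the directory, unprivileged users lose read access to the Nix configuration kept there. The comment at the top already says `/etc` is persistent on this host, so the `/etc/...` entries may not be needed at all. If no private key is kept at that path, drop the `files` block; if one is, place it under a dedicated directory such as `/etc/nix/keys/` (constructed example) so the restrictive mode applies only there.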


@@ -10,12 +10,12 @@ let
hostname = "jallen-nas";
ipAddress = "10.0.1.18";
gateway = "10.0.1.1";
password = "kR8v&3Qd";
allowedPorts = [
2342
3493
61208
9090
9000
# config.services.tailscale.port
# 22
];
@@ -44,9 +44,10 @@ in
wireless = {
enable = true;
environmentFile = config.sops.secrets."wifi".path;
networks = {
"Joey's Jungle 5G" = {
psk = password;
psk = "@PSK@";
};
};
};
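Review bot: `9000` is added to `allowedPorts` in the same commit that enables authentik, and if that is authentik's plain-HTTP listener, the identity provider's login traffic becomes reachable unencrypted from the network. Prefer keeping the port closed and publishing the service through a reverse proxy (the app list in this repository includes swag), or open only the TLS listener; at minimum label the entry, e.g. `9000 # authentik HTTP, LAN only`. For the wireless change, a comment such as `# secret "wifi" is an env file containing PSK=<passphrase>; @PSK@ is substituted from it` would document what `psk = "@PSK@";` depends on. The `let` block and the `wireless` set continue outside the hunks.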


@@ -127,10 +127,11 @@ in
};
tailscale = {
enable = false;
enable = true;
openFirewall = true;
useRoutingFeatures = "client";
extraUpFlags = [ "--advertise-exit-node" ];
authKeyFile = "/media/nas/ssd/nix-app-data/tailscale/auth";
};
btrfs = {
@@ -153,6 +154,39 @@ in
"/media/nas/main/isos"
];
};
authentik = {
enable = true;
environmentFile = "/media/nas/ssd/nix-app-data/authentik/.env";
};
postgresql = {
enable = true;
package = pkgs.postgresql_16;
dataDir = "/media/nas/ssd/nix-app-data/postgresql";
ensureDatabases = [ "authentik" ];
ensureUsers = [
{
name = "authentik";
ensureDBOwnership = true;
}
];
};
redis = {
servers = {
authentik = {
enable = true;
port = 6379;
};
nextcloud = {
enable = true;
port = 6380;
};
};
};
};
systemd.user.services = {
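Review bot: `authKeyFile = "/media/nas/ssd/nix-app-data/tailscale/auth";` and authentik's `environmentFile = "/media/nas/ssd/nix-app-data/authentik/.env";` read credentials from hand-managed files on the data SSD, outside the sops-nix setup this commit introduces, so their ownership, mode and backup exposure are not controlled by the configuration. Declaring them as sops secrets and referencing `config.sops.secrets."<name>".path` (the name is a placeholder) would treat them like the other credentials. In the same vein, secrets/secrets.yaml carries `jallen-nas/redis_nextcloud`, but neither redis server here references it (for example through `requirePassFile`), whereas the removed redis container was started with `--requirepass`. The enclosing `services` set starts outside the hunk.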

23
hosts/nas/sops.nix Normal file

@@ -0,0 +1,23 @@
{
...
}:
{
sops.defaultSopsFile = ../../secrets/secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets."jallen-nas/admin_password" = {};
sops.secrets."jallen-nas/admin_password".neededForUsers = true;
sops.secrets."wifi" = {};
sops.secrets."jallen-nas/collabora" = {
restartUnits = [ "podman-collabora.service" ];
};
sops.secrets."jallen-nas/mariadb/db_pass" = {
restartUnits = [ "podman-mariadb.service" ];
};
sops.secrets."jallen-nas/mariadb/root_pass" = {
restartUnits = [ "podman-mariadb.service" ];
};
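Review bot: `sops.secrets."jallen-nas/admin_password".neededForUsers = true;` means this secret is decrypted before the user accounts are created, so the key in `sops.age.sshKeyPaths` has to be readable that early in activation. The same commit wires impermanence into the NAS, which makes that assumption worth writing down next to `sshKeyPaths`, e.g. `# host key must be on a filesystem available at boot (persistent /etc), or user passwords cannot be decrypted`. Without the key at that point the `hashedPasswordFile` accounts would presumably come up without a usable password.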
}


@@ -106,8 +106,6 @@ in
};
};
virtualisation.docker.enable = true;
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#


@@ -23,12 +23,13 @@ in
volumes = [
# ...
];
environmentFiles = cfg.environmentFiles;
environment = {
PUID = cfg.puid;
PGID = cfg.pgid;
TZ = cfg.timeZone;
username = cfg.username;
password = cfg.password;
# password = cfg.password; # get from env file
domain = "office.mjallen.dev";
aliasgroup1 = "https://cloud\.mjallen\.dev:443";
aliasgroup2 = "https://cloud\.mjallen\.dev:443";


@@ -44,9 +44,9 @@ with lib;
default = "mjallen";
};
password = mkOption {
type = types.str;
default = "BogieDudie1";
environmentFiles = mkOption {
type = with types; listOf path;
default = [];
};
dontGenSslCert = mkOption {


@@ -13,36 +13,34 @@ in
config = mkIf cfg.enable {
systemd.services.deluge-docker = {
path = [
pkgs.bash
pkgs.docker
virtualisation.oci-containers.containers."${cfg.name}" = {
autoStart = cfg.autoStart;
image = cfg.image;
ports = [
"${toString cfg.port1}:8112"
"${toString cfg.port2}:8118"
"${toString cfg.port3}:58846"
"${toString cfg.port4}:58966"
];
script = ''
set -e
exec docker run \
--rm \
--cap-add=NET_ADMIN \
--name=${cfg.name} \
-e PUID=${cfg.puid} \
-e PGID=${cfg.pgid} \
-e TZ=${cfg.timeZone} \
-p 8112:8112 \
-p 8118:8118 \
-p 58846:58846 \
-p 58946:58966 \
-v '${cfg.configPath}:/config' \
-v '${cfg.moviesPath}:/data/downloads' \
-v '${cfg.tvPath}:/data/downloads-icomplete' \
-v /etc/localtime:/etc/localtime:ro \
-e VPN_ENABLED=yes \
-e VPN_PROV=custom \
-e VPN_CLIENT=openvpn \
-e LAN_NETWORK=10.0.1.0/24 \
-e NAME_SERVERS=1.1.1.1 \
${cfg.image}:latest
'';
wantedBy = [ "multi-user.target" ];
extraOptions = [
"--cap-add=NET_ADMIN"
];
volumes = [
"${cfg.configPath}:/config"
"${cfg.moviesPath}:/data/downloads"
"${cfg.tvPath}:/data/downloads-icomplete"
"/etc/localtime:/etc/localtime:ro"
];
environment = {
PUID = cfg.puid;
PGID = cfg.pgid;
TZ = cfg.timeZone;
VPN_ENABLED = "yes";
VPN_PROV = "custom";
VPN_CLIENT = "openvpn";
LAN_NETWORK = "10.0.1.0/24";
NAME_SERVERS = "1.1.1.1";
};
};
};
}
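Review bot: `image = cfg.image;` resolves to the untagged option default `binhex/arch-delugevpn`, so the container that is granted `--cap-add=NET_ADMIN` runs whatever `latest` points to at pull time. Pin the image by tag or digest in the option default, e.g. `default = "binhex/arch-delugevpn@sha256:<digest>";` (placeholder digest), and bump it deliberately. Note also that the host side of the fourth port mapping changes from `58946` in the removed script to the `port4` default `58966`; if that is intended, it deserves a mention in the commit message.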


@@ -14,6 +14,26 @@ with lib;
default = "deluge";
};
port1 = mkOption {
type = types.str;
default = "8112";
};
port2 = mkOption {
type = types.str;
default = "8118";
};
port3 = mkOption {
type = types.str;
default = "58846";
};
port4 = mkOption {
type = types.str;
default = "58966";
};
image = mkOption {
type = types.str;
default = "binhex/arch-delugevpn";
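Review bot: `port1` through `port4` are declared as `types.str` and named by position, while the container module wraps them in `toString` as if they were numbers. Declaring them as `types.port` would reject non-numeric or out-of-range values at evaluation time, and a `description` on each (for `port1`, something like `host port for the Deluge web UI, container port 8112`) would make the mapping readable without opening the container module. The `image` option that follows continues outside the hunk.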


@@ -17,14 +17,15 @@ in
image = cfg.image;
ports = [ "${cfg.port}:3306" ];
volumes = [ "${cfg.configPath}:/config" ];
environmentFiles = cfg.environmentFiles;
environment = {
PUID = cfg.puid;
PGID = cfg.pgid;
TZ = cfg.timeZone;
MYSQL_ROOT_PASSWORD = cfg.rootPassword;
# MYSQL_ROOT_PASSWORD = cfg.rootPassword; # get from env file
MYSQL_DATABASE = cfg.databaseName;
MYSQL_USER = cfg.databaseUser;
MYSQL_PASSWORD = cfg.databasePassword;
# MYSQL_PASSWORD = cfg.databasePassword; # get from env file
};
};
};


@@ -44,11 +44,6 @@ with lib;
default = "America/Chicago";
};
rootPassword = mkOption {
type = types.str;
default = "BogieDudie1";
};
databaseName = mkOption {
type = types.str;
default = "jallen_nextcloud";
@@ -59,9 +54,9 @@ with lib;
default = "nextcloud";
};
databasePassword = mkOption {
type = types.str;
default = "BogieDudie1";
environmentFiles = mkOption {
type = with types; listOf path;
default = [];
};
};
}


@@ -22,14 +22,12 @@ in
volumes = [
"${cfg.configPath}:/config"
"${cfg.dataPath}:/data"
"${cfg.redisSock}:/var/redis/redis.sock"
];
environment = {
PUID = cfg.puid;
PGID = cfg.pgid;
TZ = cfg.timeZone;
REDIS_HOST = "10.0.1.18";
REDIS_PORT = "6379";
REDIS_HOST_PASSWORD = "BogieDudie1";
};
};
};
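Review bot: The new volume `"${cfg.redisSock}:/var/redis/redis.sock"` is added unconditionally, but the option is declared with `default = "";`, so a host that enables nextcloud without setting `redisSock` renders the bind mount `:/var/redis/redis.sock` and the container will most likely fail to start. Guard the entry, e.g. `] ++ lib.optional (cfg.redisSock != "") "${cfg.redisSock}:/var/redis/redis.sock";`, or drop the empty default so the option must be set. The socket is created by the host redis service, so the container's `PUID`/`PGID` presumably needs access to it; a comment recording that once confirmed would help. The `volumes` list begins outside the hunk.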


@@ -39,6 +39,11 @@ with lib;
default = "/media/nas/main/nextcloud";
};
redisSock = mkOption {
type = types.str;
default = "";
};
puid = mkOption {
type = types.str;
default = "911";


@@ -1,26 +0,0 @@
{
lib,
pkgs,
config,
...
}:
with lib;
let
cfg = config.nas-apps.redis;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
virtualisation.oci-containers.containers."${cfg.name}" = {
autoStart = cfg.autoStart;
image = cfg.image;
cmd = [
"redis-server"
"--requirepass"
"BogieDudie1"
];
ports = [ "6379:6379" ];
};
};
}


@@ -1,27 +0,0 @@
{ lib, ... }:
with lib;
{
options.nas-apps.redis = {
enable = mkEnableOption "redis docker service";
autoStart = mkOption {
type = types.bool;
default = true;
};
name = mkOption {
type = types.str;
default = "redis";
};
image = mkOption {
type = types.str;
default = "redis";
};
cmd = mkOption {
type = types.str;
default = "redis-server --requirepass BogieDudie1";
};
};
}


@@ -17,7 +17,6 @@
./apps/open-webui
./apps/orca-slicer
./apps/radarr
./apps/redis
./apps/sabnzbd
./apps/sonarr
./apps/swag

49
secrets/secrets.yaml Normal file

@@ -0,0 +1,49 @@
#ENC[AES256_GCM,data:HkOno2ohMSLs46g=,iv:7KHzoElBP/GMIVubcIBya42SoFKVyt/+YRIxkgRE3Cw=,tag:U87dYHrKu/qqbLf5r7XEiA==,type:comment]
wifi: ENC[AES256_GCM,data:Rs+4Km4DogO7XatA,iv:JUv9HkNWsv/l4Fli5sFeUeYuWG1Yju95G59FJ/Q5W50=,tag:gRFCG4d5OBMRx1QayRV8Zg==,type:str]
jallen-nas:
admin_password: ENC[AES256_GCM,data:RGb0UQkLhqfBWflIc5r8yWgYvc0EZuM49uhnXH1r6o9d7Ya7eAoTn2DHdWmYnd9/LpTXPmLF07Nf8s1+/odYx8RBmaji56yWbQ==,iv:dGlvZtZFB8jsI33Qkmmb3iHTXqpVWfbd0EfNK0uX3i4=,tag:z6THeY0UmG64VwOdwnL/AA==,type:str]
collabora: ENC[AES256_GCM,data:A01H7FzgSplAEn0dsENgllyWza4=,iv:L9bPHKdeIHn7caYn78XOkdmuSk1RIuSVcIW5HFQL8PY=,tag:h0kiClGAwGB6iP327flWew==,type:str]
mariadb:
root_pass: ENC[AES256_GCM,data:YLPfEG4/6FeCnrKdfXv9z4hHwtpM/KtBCYqlm4IUvA==,iv:pc9Ljasy76bfkmFRJ4M+wfEtjXBUD7Kb0S0WQZhCmOs=,tag:Wk/7gpKidirhRqw4+Pu96g==,type:str]
db_pass: ENC[AES256_GCM,data:zC+BPQ5EvQAyK/ZSReBmuOtluYg4ZePKA7U=,iv:WarwZCPlpcLMjZLCs1SjKE9vZ1udZ13aNuziX2ReHJo=,tag:oT8slCgO8w8Iam2Of4HyfA==,type:str]
redis_nextcloud: ENC[AES256_GCM,data:BIQOGBdYh5KefMk=,iv:jeVj1PZG0RsCwal0zMg4zT16r23tCWcfRVGg4kdqdQo=,tag:VfPR6ygR1CeT0RU+DVM0pA==,type:str]
desktop:
matt_password: ENC[AES256_GCM,data:z/Jjzr+/PREpNEQsAVl4soeKAwW3sdteIqjhZT2txQDiR0FvGvEBoE/aYCM9NS7XSCgTeTuOqgBGfq4xDLc5/ZBAl7KoGHmKIQ==,iv:qVONkw8PDI2ydqybqGIU2XFq4+qC1BeXnfwxbxbWBww=,tag:eYOD2EoBn9XMiYOaBDFlRw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age157jemphjzg6zmk373vpccuguyw6e75qnkqmz8pcnn2yue85p939swqqhy0
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwVUNkY2tOS2NBWk9ZdExr
VHIvVDRYN2l2Smxzb1pYY1VGdisrZnpsUWhNCjhQdGg4OGo0dDJhTzh2LzcxTThh
NHRvRHVscE96VXpjQTM5U3lndys1WUEKLS0tICtOVDdEV0hUTldHRktBNURIOTRa
eU80cmFjTnlQZnhqVk0zQjZ0blhoY0EKnrNm0BY1ePJjeKGcXqir02+DB1VfqQxh
7ZXHouXdzv/K11tun59BuBy6VEgwGX2GmVDVpAs1r/d/GEZ4IyFccA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jv8ap5zwa49ftv0gg7wqf5ps0e68uuwxe2fekjsn0zkyql964unqyc58rf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWWC91OXMwRmY0V0I1cTlN
K2RSKytQaEdSN1plUElaMDc0MU9FY2ZNTVg4CkFReVJVeW40dUU0NVpiMXpmWGJZ
M2RGSWNWSnBFWlJ2SWNLa0Jtd0tPYzAKLS0tIGpZd2ZlU2NUOVdBUE1oaHZmdHky
ZjhvZWE3N2xIOUoyaXhtTGRpaHhEN2MKAvMYbkWVVM4oXxrZfUUOnmb2pU1eO8Ia
HGMNfpo/LDcGbk4BJKWbFPOJnJeCzMH5/IL2Z+ZhxnnK11j57y/88g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mn2afyp9my7y7hcyzum0wdwt49zufnkt8swnyy8pj30cwzs4zvgsthj0lt
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNbUEyMVYvZ3VtUndST01p
dHIvMklKVkRFZGZXR2ozZTI5aVJlbUJobFN3CktoWHc3M0phN0tiMm9WbXVPajcz
c3VqRkRFSWpycVNyalFOaWpISnp4a2cKLS0tIGlCQXBaaVhiSDdvdEJtMzkzd1BX
UGhsN2N0Mjl3UEJvUVlGRlJiN05WaUkKW37lU4G4CLTo6JoHC2OyhKsG/FuO+BiN
pzlVJwzRnmAqwklRbc6RMbQLl2EQrp6KQcgYsUxCMH9OQ/9WJ98dxQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-07T21:24:21Z"
mac: ENC[AES256_GCM,data:79381C9vRsWWD5MNmsqjm86/KqvXmOvCzcpN0bvBtu3jHr1EOPmWwmstfnsZiRLo1r9SxJECyuYsrRilpPY1yorURipp3vGtHRVKLb1YZmN1LtoA0yVAPD49YACGTWU4ogdiRkrfAqDfI9sRshHK98axHv72Q7FZJFnsJ6QpPak=,iv:hFtp5t+m9Hsh5zUsA3RA7uTPJ5fEZ7PD04gBfAq0dYA=,tag:tK3zCY3YWEurDIkegH+U2g==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0


@@ -59,8 +59,6 @@ in
};
# Virtualisation
virtualisation.docker.enableNvidia = cfg.enableNvidiaDocker;
hardware.nvidia-container-toolkit.enable = cfg.enableNvidiaDocker;
};
}