mjallen18
2024-08-07 18:41:09 -05:00
parent 26cc1b223f
commit 0fc00e2d29
26 changed files with 683 additions and 202 deletions


@@ -12,7 +12,10 @@
beszel-agent.enable = true;
collabora.enable = true;
collabora = {
enable = true;
environmentFiles = [ config.sops.secrets."jallen-nas/collabora".path ];
};
deluge.enable = true;
@@ -22,11 +25,18 @@
jellyseerr.enable = true;
mariadb.enable = true;
mariadb = {
enable = true;
environmentFiles = [
config.sops.secrets."jallen-nas/mariadb/db_pass".path
config.sops.secrets."jallen-nas/mariadb/root_pass".path
];
};
mealie = {
enable = true;
baseUrl = "https://mealie.mjallen.dev";
port = "9001";
maxConcurrency = "4";
maxWorkers = "4";
allowSignup = "false";
@@ -35,7 +45,8 @@
nextcloud = {
enable = true;
httpPort = "9981";
httpsPort = "9443";
httpsPort = "9943";
redisSock = "/var/run/redis-nextcloud/redis.sock";
};
ollama.enable = true;
@@ -46,8 +57,6 @@
radarr.enable = true;
redis.enable = true;
sabnzbd.enable = true;
sonarr.enable = true;


@@ -12,7 +12,7 @@
}:
let
user = "admin";
password = "$y$j9T$EkPXmsmIMFFZ.WRrBYCxS1$P0kwo6e4.WM5DsqUcEqWC3MrZp5KfCjxffraMFZWu06";
passwordFile = config.sops.secrets."jallen-nas/admin_password".path;
in
{
imports = [
@@ -25,9 +25,15 @@ in
./ups.nix
./samba.nix
./services.nix
./sops.nix
../default.nix
];
nix.settings.experimental-features = [
"nix-command"
"flakes"
];
# Cockpit
services.cockpit = {
enable = true;
@@ -78,42 +84,39 @@ in
};
systemPackages = with pkgs; [
vim
wget
nano
efibootmgr
sbctl
pciutils
vulkan-tools
clinfo
glances
python3
nix-ld
authentik
binutils
gcc
cryptsetup
clinfo
cmake
duperemove
efibootmgr
ffmpeg
gcc
glances
htop
lm_sensors
nano
ninja
nix-inspect
nix-ld
nmon
nodejs-18_x
nut
nmon
pass
protonvpn-cli
protonmail-bridge
pass
cockpit
packagekit
# gnome.gnome-packagekit
unstable.nix-inspect
unstable.gpt4all
lm_sensors
htop
pass
pciutils
protonmail-bridge
protonvpn-cli
python3
sbctl
speedtest-cli
tailscale
tpm2-tools
tpm2-tss
cryptsetup
duperemove
speedtest-cli
vim
vulkan-tools
wget
];
};
@@ -158,7 +161,7 @@ in
"nix-apps"
"jallen-nas"
]; # Enable sudo for the user.
initialHashedPassword = password;
hashedPasswordFile = passwordFile;
shell = pkgs.zsh;
openssh.authorizedKeys.keys = [
# macBook
@@ -192,7 +195,7 @@ in
"docker"
"podman"
]; # Enable sudo for the user.
hashedPassword = password;
hashedPasswordFile = passwordFile;
};
groups.nut.name = "nut";
@@ -202,7 +205,7 @@ in
isSystemUser = true;
createHome = true;
home = "/var/lib/nut";
hashedPassword = password;
hashedPasswordFile = passwordFile;
};
};
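Review bot: The `nut` system user in the last hunk (`@@ -202,7 +205,7 @@`, `isSystemUser = true`) is given the same `hashedPasswordFile = passwordFile;` as the two login users in the hunks at `-158` and `-192`, so a daemon account now shares the interactive admin credential and is unlocked with it. A service account that only runs the UPS daemon normally needs no password at all; dropping the `hashedPasswordFile` line for `nut` leaves it locked, or give it its own sops secret if a password is really required. The yescrypt hash removed in the first hunk stays in the git history of every clone and can be attacked offline, so the password behind it should be rotated once the sops-backed file is in place. The `users.users` attribute set enclosing these hunks starts and ends outside them.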


@@ -0,0 +1,38 @@
{
pkgs,
lib,
LT,
config,
utils,
inputs,
...
}@args:
{
# Set up impernance configuration for things like bluetooth
# In this configuration with /etc and /var/log being persistent, only directories outside of that need to be done here. See hardware configuration for all mountpoints.
environment.persistence."/nix/persist/system" = {
hideMounts = true;
directories = [
"/var/lib/bluetooth"
"/var/lib/nixos"
"/var/lib/systemd/coredump"
"/etc/NetworkManager/system-connections"
"/etc/secureboot"
{
directory = "/var/lib/colord";
user = "colord";
group = "colord";
mode = "u=rwx,g=rx,o=";
}
];
files = [
{
file = "/etc/nix/id_rsa";
parentDirectory = {
mode = "u=rwx,g=,o=";
};
}
];
};
}
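Review bot: The header comment says that with `/etc` and `/var/log` persistent only paths outside them need listing, yet `/etc/NetworkManager/system-connections`, `/etc/secureboot` and the `/etc/nix/id_rsa` file entry are listed right below it; either the comment is stale or those entries are redundant, and the comment should say which, e.g. `# /etc is not persisted as a whole; the /etc paths below must survive a reboot`. Those two directories typically hold Wi-Fi PSKs and Secure Boot signing keys, so if they are persisted here they should carry an explicit `user`/`group`/`mode` like the `/var/lib/colord` entry does instead of inheriting whatever the persistent store currently has; the `/etc/nix/id_rsa` entry likewise only fixes the parent directory mode, not the key file's own permissions. Minor: `impernance` → `impermanence` in the comment, and `LT`, `utils`, `inputs` and the `@args` binding are unused in this file.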


@@ -10,12 +10,12 @@ let
hostname = "jallen-nas";
ipAddress = "10.0.1.18";
gateway = "10.0.1.1";
password = "kR8v&3Qd";
allowedPorts = [
2342
3493
61208
9090
9000
# config.services.tailscale.port
# 22
];
@@ -44,9 +44,10 @@ in
wireless = {
enable = true;
environmentFile = config.sops.secrets."wifi".path;
networks = {
"Joey's Jungle 5G" = {
psk = password;
psk = "@PSK@";
};
};
};
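Review bot: The removed `password = "kR8v&3Qd";` in the first hunk was a cleartext Wi-Fi PSK committed to the repository, and this commit only stops referencing it; it remains in the git history of every clone, so the network PSK should be rotated after this lands and the new value placed in the sops `wifi` secret. The `psk = "@PSK@";` substitution in the second hunk depends on that secret rendering a `PSK=` line in the file passed as `environmentFile`, which nothing in this file documents; a comment above `environmentFile` such as `# sops secret "wifi" must define PSK=<value>, substituted into "@PSK@" below` would record the coupling. The `networking` attribute set enclosing these hunks starts and ends outside them.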


@@ -127,10 +127,11 @@ in
};
tailscale = {
enable = false;
enable = true;
openFirewall = true;
useRoutingFeatures = "client";
extraUpFlags = [ "--advertise-exit-node" ];
authKeyFile = "/media/nas/ssd/nix-app-data/tailscale/auth";
};
btrfs = {
@@ -153,6 +154,39 @@ in
"/media/nas/main/isos"
];
};
authentik = {
enable = true;
environmentFile = "/media/nas/ssd/nix-app-data/authentik/.env";
};
postgresql = {
enable = true;
package = pkgs.postgresql_16;
dataDir = "/media/nas/ssd/nix-app-data/postgresql";
ensureDatabases = [ "authentik" ];
ensureUsers = [
{
name = "authentik";
ensureDBOwnership = true;
}
];
};
redis = {
servers = {
authentik = {
enable = true;
port = 6379;
};
nextcloud = {
enable = true;
port = 6380;
};
};
};
};
systemd.user.services = {
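Review bot: `authKeyFile = "/media/nas/ssd/nix-app-data/tailscale/auth";` in the first hunk and `environmentFile = "/media/nas/ssd/nix-app-data/authentik/.env";` in the second point at plaintext credential files on the data volume, while the rest of this commit moves credentials into sops (`config.sops.secrets.<name>.path`); these two should follow the same pattern, e.g. `authKeyFile = config.sops.secrets."<tailscale-secret-name>".path;` with a matching declaration in sops.nix (secret name is a placeholder). Separately, `extraUpFlags = [ "--advertise-exit-node" ]` turns the NAS into an exit node but `useRoutingFeatures = "client"` is kept; in the NixOS tailscale module only `"server"` or `"both"` enables the IP forwarding exit-node traffic needs, while `"client"` only loosens reverse-path filtering, so this likely wants `useRoutingFeatures = "both";`. The `services` attribute set enclosing these hunks starts outside them.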

23
hosts/nas/sops.nix Normal file

@@ -0,0 +1,23 @@
{
...
}:
{
sops.defaultSopsFile = ../../secrets/secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets."jallen-nas/admin_password" = {};
sops.secrets."jallen-nas/admin_password".neededForUsers = true;
sops.secrets."wifi" = {};
sops.secrets."jallen-nas/collabora" = {
restartUnits = [ "podman-collabora.service" ];
};
sops.secrets."jallen-nas/mariadb/db_pass" = {
restartUnits = [ "podman-mariadb.service" ];
};
sops.secrets."jallen-nas/mariadb/root_pass" = {
restartUnits = [ "podman-mariadb.service" ];
};
}
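Review bot: `sops.secrets."jallen-nas/admin_password"` is declared twice, once as `{}` and once to set `neededForUsers`; a single declaration, `sops.secrets."jallen-nas/admin_password".neededForUsers = true;`, is the idiomatic form. Since the consumer lives in another file, a short comment on that line explaining why the flag is needed (the secret must be decrypted before user creation so `users.users.<name>.hashedPasswordFile` can read it) would help the next reader. The `wifi` secret carries no `restartUnits`, unlike the container secrets; if a rotated PSK should take effect without a reboot, consider `restartUnits = [ "wpa_supplicant.service" ];` — confirm the unit name used on this host.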