diff --git a/homes/x86_64-linux/admin@nas/default.nix b/homes/x86_64-linux/admin@nas/default.nix
index 5764e0e..ac213bb 100755
--- a/homes/x86_64-linux/admin@nas/default.nix
+++ b/homes/x86_64-linux/admin@nas/default.nix
@@ -2,8 +2,6 @@
 {
 home.username = "admin";
- # mjallen.home.enable = true;
-
 mjallen = {
 shell-aliases = {
 enable = true;
@@ -73,14 +71,4 @@
 };
 };
- # services.nixai = {
- # enable = true;
- # mcp = {
- # enable = true;
- # # Optional: custom socket path (uses `$HOME` expansion)
- # socketPath = "$HOME/.local/share/nixai/mcp.sock";
- # };
- # # Optional: integrate with VS Code
- # vscodeIntegration = true;
- # };
 }
diff --git a/modules/nixos/attic/default.nix b/modules/nixos/attic/default.nix
new file mode 100644
index 0000000..eca8160
--- /dev/null
+++ b/modules/nixos/attic/default.nix
@@ -0,0 +1,132 @@
+{
+ config,
+ lib,
+ pkgs,
+ namespace,
+ ...
+}:
+with lib;
+let
+ cfg = config.${namespace}.services.attic;
+in
+{
+ imports = [ ./options.nix ];
+
+ config = mkIf cfg.enable {
+ services.atticd = {
+ enable = true;
+ environmentFile = cfg.environmentFile;
+ settings = {
+ listen = "${cfg.listenAddress}:${toString cfg.port}";
+ };
+ };
+
+ # Open firewall for attic if enabled
+ networking.firewall = mkIf cfg.openFirewall {
+ allowedTCPPorts = [ cfg.port ];
+ allowedUDPPorts = [ cfg.port ];
+ };
+
+ # Include the attic watch-store service and rebuild cache services
+ systemd.services = {
+ attic-watch-store = {
+ enable = true;
+ description = "watch store for cache";
+ serviceConfig = {
+ Type = "simple";
+ User = "admin";
+ Group = "jallen-nas";
+ WorkingDirectory = "/etc/nixos";
+ StandardOutput = "journal+console";
+ StandardError = "journal+console";
+ Restart = "always";
+ RestartSec = "5";
+ };
+ path = with pkgs; [
+ bash
+ attic-client
+ ];
+ script = ''
+ #!/usr/bin/env bash
+ attic watch-store nas-cache
+ '';
+ };
+
+ nix-rebuild-cache-desktop = {
+ enable = true;
+ description = "Rebuild desktop NixOS configurations for cache";
+ serviceConfig = {
+ Type = "oneshot";
+ User = "admin";
+ Group = "jallen-nas";
+ WorkingDirectory = "/etc/nixos";
+ StandardOutput = "journal+console";
+ StandardError = "journal+console";
+ Restart = "no";
+ TimeoutStartSec = "2h";
+ };
+ path = with pkgs; [
+ nix
+ git
+ coreutils
+ gnugrep
+ gnused
+ openssh
+ ];
+ script = ''
+ #!/usr/bin/env bash
+ if [ -d .git ]; then
+ git pull || echo "Warning: Could not pull latest changes"
+ fi
+ echo "Starting build of matt-nixos at $(date)"
+ if nix flake update desktop-nixpkgs desktop-chaotic desktop-home-manager desktop-impermanence desktop-lanzaboote desktop-nixos-hardware desktop-sops-nix desktop-steam-rom-manager nixpkgs-unstable nixpkgs-stable nix-darwin; then
+ echo "matt-nixos flake updated successfully at $(date)"
+ else
+ echo "matt-nixos failed to build at $(date)"
+ fi
+ if nix build .\#nixosConfigurations.matt-nixos.config.system.build.toplevel --no-link; then
+ echo "matt-nixos built successfully at $(date)"
+ git add .
+ git commit -m "Desktop Updates $(date)"
+ else
+ echo "matt-nixos failed to build at $(date)"
+ git reset --hard
+ fi
+ '';
+ };
+ };
+
+ # Include timers for cache rebuilds
+ systemd.timers = {
+ nix-rebuild-cache-desktop = {
+ description = "Timer for rebuilding desktop NixOS configurations cache";
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnCalendar = "weekly";
+ Persistent = true;
+ RandomizedDelaySec = "24h";
+ };
+ };
+ };
+
+ # Configure distributed builds
+ nix = {
+ settings.builders-use-substitutes = true;
+ distributedBuilds = true;
+ buildMachines = [
+ {
+ hostName = "pi5.local";
+ system = "aarch64-linux";
+ maxJobs = 4;
+ sshUser = "matt";
+ supportedFeatures = [
+ "nixos-test"
+ "benchmark"
+ "big-parallel"
+ "kvm"
+ ];
+ }
+ ];
+ };
+ };
+}
diff --git a/modules/nixos/attic/options.nix b/modules/nixos/attic/options.nix
new file mode 100644
index 0000000..086c275
--- /dev/null
+++ b/modules/nixos/attic/options.nix
@@ -0,0 +1,31 @@
+{ lib, namespace, ... }:
+with lib;
+{
+ options.${namespace}.services.attic = {
+ enable = mkEnableOption "attic binary cache daemon";
+
+ port = mkOption {
+ type = types.port;
+ default = 9012;
+ description = "Port for attic cache daemon";
+ };
+
+ openFirewall = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Whether to open firewall for attic";
+ };
+
+ environmentFile = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ description = "Path to environment file containing attic secrets";
+ };
+
+ listenAddress = mkOption {
+ type = types.str;
+ default = "[::1]";
+ description = "Address to listen on";
+ };
+ };
+}
diff --git a/modules/nixos/authentik/default.nix b/modules/nixos/authentik/default.nix
new file mode 100644
index 0000000..ec0770b
--- /dev/null
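Review bot: `nix-rebuild-cache-desktop` runs `git reset --hard` on failure and `git add .` on success inside `/etc/nixos`, so an unattended weekly timer can wipe uncommitted edits to the live system configuration or commit whatever stray files happen to sit in that tree; since `nix flake update` only touches the lock file, `git add flake.lock` is the safer line, and the failure path should at most restore the lock file rather than the whole working tree. The preceding `git pull` also means this host automatically builds whatever the remote branch holds at the time, which deserves a comment acknowledging that the branch is trusted. `User = "admin"`, `Group = "jallen-nas"`, `WorkingDirectory = "/etc/nixos"`, the `nas-cache` name and the `pi5.local`/`sshUser = "matt"` build machine are host-specific values hard-coded into a reusable module that already has an options.nix, and the `nix.buildMachines` block is unrelated to attic and belongs in the host config. `allowedUDPPorts = [ cfg.port ]` opens UDP for an HTTP-only daemon; the same TCP+UDP pairing is repeated in the authentik, code-server, crowdsec, glances, lubelogger, netbootxyz, protonmail-bridge and restic modules and in grafana.nix, and only the TCP line is needed in each.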
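Review bot: `environmentFile` is `types.nullOr types.path`, and a Nix path literal given to a `types.path` option is copied into the world-readable Nix store, which is exactly what a file holding the attic token must avoid; the host config in this commit passes a string under `/run/secrets`, so it works today, but the description should state the constraint, e.g. `description = "Path to environment file containing attic secrets; pass a runtime string path (sops/agenix), never a Nix path literal, or the file is copied into the store";`. authentik/options.nix declares the same option the same way. `openFirewall` defaults to `true` while `listenAddress` defaults to `[::1]`, so the default configuration opens a port that nothing listens on; either default `openFirewall` to `false` or say in its description that it only matters once `listenAddress` is changed.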
+++ b/modules/nixos/authentik/default.nix
@@ -0,0 +1,47 @@
+{
+ config,
+ lib,
+ namespace,
+ ...
+}:
+with lib;
+let
+ cfg = config.${namespace}.services.authentik;
+in
+{
+ imports = [ ./options.nix ];
+
+ config = mkIf cfg.enable {
+ services.authentik = {
+ enable = true;
+ environmentFile = cfg.environmentFile;
+ settings = {
+ port = cfg.port;
+ };
+ };
+
+ # Open firewall for authentik if enabled
+ networking.firewall = mkIf cfg.openFirewall {
+ allowedTCPPorts = [ cfg.port ];
+ allowedUDPPorts = [ cfg.port ];
+ };
+
+ # Ensure PostgreSQL is configured for authentik
+ services.postgresql = {
+ enable = mkDefault true;
+ ensureDatabases = [ "authentik" ];
+ ensureUsers = [
+ {
+ name = "authentik";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+
+ # Ensure Redis is configured for authentik
+ services.redis.servers.authentik = {
+ enable = mkDefault true;
+ port = mkDefault 6379;
+ };
+ };
+}
diff --git a/modules/nixos/authentik/options.nix b/modules/nixos/authentik/options.nix
new file mode 100644
index 0000000..20825c6
--- /dev/null
+++ b/modules/nixos/authentik/options.nix
@@ -0,0 +1,31 @@
+{ lib, namespace, ... }:
+with lib;
+{
+ options.${namespace}.services.authentik = {
+ enable = mkEnableOption "authentik identity provider";
+
+ port = mkOption {
+ type = types.port;
+ default = 9000;
+ description = "Port for authentik web interface";
+ };
+
+ openFirewall = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Whether to open firewall for authentik";
+ };
+
+ environmentFile = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ description = "Path to environment file containing authentik secrets";
+ };
+
+ dataDir = mkOption {
+ type = types.str;
+ default = "/var/lib/authentik";
+ description = "Data directory for authentik";
+ };
+ };
+}
diff --git a/modules/nixos/code-server/default.nix b/modules/nixos/code-server/default.nix
new file mode 100644
index 0000000..3a3a3cc
--- /dev/null
+++ b/modules/nixos/code-server/default.nix
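Review bot: `dataDir` is declared in authentik/options.nix (default `/var/lib/authentik`) but never read here, so setting it has no effect; either forward it to the upstream service or drop the option. `services.redis.servers.authentik.port = mkDefault 6379` — for a named redis instance the NixOS default is, as far as I recall, port 0 (unix socket only), so this line deliberately adds a TCP listener; a comment such as `# authentik talks to redis over TCP; bind stays at the NixOS default (loopback)` would make the choice reviewable. `environmentFile` is nullable in options but forwarded unconditionally; an `assertions` entry requiring it when `cfg.enable` gives a clearer failure than whatever the upstream module does with `null`. `services.authentik` is not a nixpkgs module, so this presumably relies on an external module being imported elsewhere, which is worth a comment at the top of the file.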
@@ -0,0 +1,37 @@
+{
+ config,
+ lib,
+ namespace,
+ ...
+}:
+with lib;
+let
+ cfg = config.${namespace}.services.code-server;
+in
+{
+ imports = [ ./options.nix ];
+
+ config = mkIf cfg.enable {
+ # Configure the standard NixOS code-server service
+ services.code-server = {
+ enable = true;
+ port = cfg.port;
+ user = cfg.user;
+ group = cfg.group;
+ host = cfg.host;
+ auth = cfg.auth;
+ disableTelemetry = cfg.disableTelemetry;
+ disableUpdateCheck = cfg.disableUpdateCheck;
+ extraEnvironment = cfg.extraEnvironment;
+ }
+ // optionalAttrs (cfg.hashedPassword != null) {
+ hashedPassword = cfg.hashedPassword;
+ };
+
+ # Open firewall for code-server if enabled
+ networking.firewall = mkIf cfg.openFirewall {
+ allowedTCPPorts = [ cfg.port ];
+ allowedUDPPorts = [ cfg.port ];
+ };
+ };
+}
diff --git a/modules/nixos/code-server/options.nix b/modules/nixos/code-server/options.nix
new file mode 100644
index 0000000..507136b
--- /dev/null
+++ b/modules/nixos/code-server/options.nix
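Review bot: `hashedPassword` is forwarded whenever it is non-null, but code-server only consults it when `auth = "password"`, and nothing here ties the two together — the host config in this commit sets a hash together with `auth = "none"`, which silently leaves the service unauthenticated. Add `assertions = [ { assertion = cfg.auth != "password" || cfg.hashedPassword != null; message = "code-server: auth = \"password\" requires hashedPassword"; } ];` and a `warnings` entry for `cfg.hashedPassword != null && cfg.auth == "none"`. Because code-server hands whoever reaches it a terminal running as `cfg.user`, a second warning for `cfg.auth == "none" && cfg.host != "127.0.0.1" && cfg.openFirewall` is cheap and catches the default combination that options.nix currently produces.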
@@ -0,0 +1,70 @@
+{ lib, namespace, ... }:
+with lib;
+{
+ options.${namespace}.services.code-server = {
+ enable = mkEnableOption "code-server with enhanced configuration";
+
+ port = mkOption {
+ type = types.port;
+ default = 4444;
+ description = "Port for code-server";
+ };
+
+ openFirewall = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Whether to open firewall for code-server";
+ };
+
+ user = mkOption {
+ type = types.str;
+ default = "admin";
+ description = "User to run code-server as";
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = "users";
+ description = "Group to run code-server as";
+ };
+
+ host = mkOption {
+ type = types.str;
+ default = "0.0.0.0";
+ description = "Host to bind code-server to";
+ };
+
+ auth = mkOption {
+ type = types.enum [
+ "none"
+ "password"
+ ];
+ default = "none";
+ description = "Authentication method for code-server";
+ };
+
+ hashedPassword = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = "Hashed password for code-server authentication";
+ };
+
+ extraEnvironment = mkOption {
+ type = types.attrsOf types.str;
+ default = { };
+ description = "Extra environment variables for code-server";
+ };
+
+ disableTelemetry = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Whether to disable telemetry";
+ };
+
+ disableUpdateCheck = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Whether to disable update checks";
+ };
+ };
+}
diff --git a/modules/nixos/crowdsec/default.nix b/modules/nixos/crowdsec/default.nix
index 52efce2..2d73bc5 100755
--- a/modules/nixos/crowdsec/default.nix
+++ b/modules/nixos/crowdsec/default.nix
@@ -58,11 +58,9 @@ in
 [ "${script}/bin/register-bouncer" ];
 };
- networking = {
- firewall = {
- allowedTCPPorts = [ cfg.port ];
- allowedUDPPorts = [ cfg.port ];
- };
+ networking.firewall = mkIf cfg.openFirewall {
+ allowedTCPPorts = [ cfg.port ];
+ allowedUDPPorts = [ cfg.port ];
 };
 };
 }
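Review bot: The defaults `host = "0.0.0.0"`, `auth = "none"` and `openFirewall = true` mean that `enable = true` alone exposes an unauthenticated code-server — a browser terminal running as `user` — on every interface of the host. A reusable module should default `host` to `127.0.0.1` and `openFirewall` to `false` and let the reverse proxy do the exposure; failing that, the `auth` description needs to spell it out: `description = "Authentication method; \"none\" means anyone who can reach host:port gets a shell as the configured user";`. `hashedPassword` is a `types.str`, so the hash is written into the Nix store and the git history; an option that reads the hash from a runtime secret file (feeding code-server's `HASHED_PASSWORD` environment variable) would avoid that.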
diff --git a/modules/nixos/crowdsec/options.nix b/modules/nixos/crowdsec/options.nix
index 02f8c3c..cd14b72 100644
--- a/modules/nixos/crowdsec/options.nix
+++ b/modules/nixos/crowdsec/options.nix
@@ -5,23 +5,33 @@ with lib;
 enable = mkEnableOption "crowdsec service";
 port = mkOption {
- type = types.int;
+ type = types.port;
 default = 9898;
+ description = "Port for crowdsec API";
+ };
+
+ openFirewall = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Whether to open firewall for crowdsec";
 };
 apiAddress = mkOption {
 type = types.str;
 default = "127.0.0.1";
+ description = "API address for crowdsec";
 };
 apiKey = mkOption {
 type = types.str;
 default = "";
+ description = "API key for crowdsec bouncer";
 };
 dataDir = mkOption {
 type = types.str;
 default = "";
+ description = "Data directory for crowdsec";
 };
 };
 }
diff --git a/modules/nixos/glances/default.nix b/modules/nixos/glances/default.nix
new file mode 100644
index 0000000..307e57e
--- /dev/null
+++ b/modules/nixos/glances/default.nix
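Review bot: `apiKey` is a `types.str` with an empty default, so the bouncer key passed through it is written verbatim into the world-readable Nix store (and the repository); the new description should say so, or better, add a file-based `apiKeyFile` option read at service start and keep `apiKey` only for compatibility: `description = "API key for crowdsec bouncer (stored in the Nix store; prefer a runtime secret file)";`. `dataDir` and `apiKey` both default to `""`, which for a path and a credential reads as "unset" — if empty means "use the package default", say that in each description so the module's behaviour with an empty value is explicit.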
@@ -0,0 +1,63 @@
+{
+ config,
+ lib,
+ pkgs,
+ namespace,
+ ...
+}:
+with lib;
+let
+ cfg = config.${namespace}.services.glances;
+in
+{
+ imports = [ ./options.nix ];
+
+ config = mkIf cfg.enable {
+ # Open firewall for glances if enabled
+ networking.firewall = mkIf cfg.openFirewall {
+ allowedTCPPorts = [ cfg.port ];
+ allowedUDPPorts = [ cfg.port ];
+ };
+
+ # Install glances package
+ environment.systemPackages = with pkgs; [
+ glances
+ ];
+
+ # Configure systemd service for glances
+ systemd.services.glances-server = {
+ description = "Glances system monitoring web server";
+ enable = true;
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+
+ path = with pkgs; [
+ bash
+ glances
+ ];
+
+ script = ''
+ glances -w --bind ${cfg.bindAddress} --port ${toString cfg.port}
+ '';
+
+ serviceConfig = {
+ Type = "simple";
+ User = "glances";
+ Group = "glances";
+ Restart = "always";
+ RestartSec = "5";
+ StandardOutput = "journal";
+ StandardError = "journal";
+ };
+ };
+
+ # Create glances user and group
+ users.users.glances = {
+ isSystemUser = true;
+ group = "glances";
+ description = "Glances monitoring user";
+ };
+
+ users.groups.glances = { };
+ };
+}
diff --git a/modules/nixos/glances/options.nix b/modules/nixos/glances/options.nix
new file mode 100644
index 0000000..4517cc7
--- /dev/null
+++ b/modules/nixos/glances/options.nix
@@ -0,0 +1,25 @@
+{ lib, namespace, ... }:
+with lib;
+{
+ options.${namespace}.services.glances = {
+ enable = mkEnableOption "glances system monitoring service";
+
+ port = mkOption {
+ type = types.port;
+ default = 61208;
+ description = "Port for glances web interface";
+ };
+
+ openFirewall = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Whether to open firewall for glances";
+ };
+
+ bindAddress = mkOption {
+ type = types.str;
+ default = "0.0.0.0";
+ description = "Address to bind glances web server to";
+ };
+ };
+}
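Review bot: `glances -w` is started with no authentication, so with `bindAddress` defaulting to `0.0.0.0` and `openFirewall` to `true` the web UI (process list with command lines, users, mounts, interfaces) is readable by anyone on the network as soon as `enable = true`. Either default `bindAddress` to `127.0.0.1` and put an authenticating proxy in front, or surface glances' own `--password` option and fail evaluation when it is unset and the bind address is not loopback; at minimum the `bindAddress` description should say the UI is unauthenticated. `environment.systemPackages = [ glances ]` is redundant with the service `path` and unrelated to running the server. Since the unit already runs as its own `glances` user, adding `ProtectSystem`, `ProtectHome` and `NoNewPrivileges` to `serviceConfig` costs nothing and limits what a bug in the web server can reach.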
diff --git a/modules/nixos/lubelogger/default.nix b/modules/nixos/lubelogger/default.nix
index 3615c57..2e17e8a 100644
--- a/modules/nixos/lubelogger/default.nix
+++ b/modules/nixos/lubelogger/default.nix
@@ -15,7 +15,7 @@ in
 virtualisation.oci-containers.containers.lubelogger = {
 autoStart = true;
 image = "ghcr.io/hargata/lubelogger";
- ports = [ "6754:8080" ];
+ ports = [ "${toString cfg.port}:8080" ];
 volumes = [
 "/media/nas/main/nix-app-data/lubelogger:/App/data"
 "/media/nas/main/nix-app-data/lubelogger/keys:/root/.aspnet/DataProtection-Keys"
@@ -29,5 +29,11 @@ in
 TZ = "America/Chicago";
 };
 };
+
+ # Open firewall for lubelogger if enabled
+ networking.firewall = mkIf cfg.openFirewall {
+ allowedTCPPorts = [ cfg.port ];
+ allowedUDPPorts = [ cfg.port ];
+ };
 };
 }
diff --git a/modules/nixos/lubelogger/options.nix b/modules/nixos/lubelogger/options.nix
index f4b73db..9fff7c3 100644
--- a/modules/nixos/lubelogger/options.nix
+++ b/modules/nixos/lubelogger/options.nix
@@ -3,5 +3,17 @@ with lib;
 {
 options.${namespace}.services.lubelogger = {
 enable = mkEnableOption "enable lubelogger";
+
+ port = mkOption {
+ type = types.port;
+ default = 6754;
+ description = "Port for lubelogger web interface";
+ };
+
+ openFirewall = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Whether to open firewall for lubelogger";
+ };
 };
 }
diff --git a/modules/nixos/netbootxyz/default.nix b/modules/nixos/netbootxyz/default.nix
new file mode 100644
index 0000000..ad11b82
--- /dev/null
+++ b/modules/nixos/netbootxyz/default.nix
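Review bot: `ports = [ "${toString cfg.port}:8080" ]` publishes the container port on every host interface, and published container ports are DNATed in PREROUTING and traverse FORWARD rather than INPUT, so the NixOS firewall that the new `openFirewall` option controls most likely never sees that traffic — `openFirewall = false` would not block the service (I have not checked which backend this host ends up with; the netbootxyz module in this commit forces `podman` globally). If `openFirewall` is meant to gate exposure, bind the mapping to loopback when it is false, `ports = [ "${optionalString (!cfg.openFirewall) "127.0.0.1:"}${toString cfg.port}:8080" ];`, and say in the option description what the flag actually controls. The `config` block that encloses both hunks begins before the first one.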
@@ -0,0 +1,57 @@
+{
+ config,
+ lib,
+ namespace,
+ ...
+}:
+with lib;
+let
+ cfg = config.${namespace}.services.netbootxyz;
+in
+{
+ imports = [ ./options.nix ];
+
+ config = mkIf cfg.enable {
+ # Open firewall for netbootxyz if enabled
+ networking.firewall = mkIf cfg.openFirewall {
+ allowedTCPPorts = [
+ cfg.httpPort
+ cfg.httpsPort
+ ];
+ allowedUDPPorts = [
+ cfg.httpPort
+ cfg.httpsPort
+ ];
+ };
+
+ # Create data directory
+ systemd.tmpfiles.rules = [
+ "d ${cfg.dataDir} 0755 root root -"
+ ];
+
+ # Configure netbootxyz as a container service
+ virtualisation.oci-containers = {
+ backend = "podman";
+ containers.netbootxyz = {
+ image = "ghcr.io/netbootxyz/netbootxyz:latest";
+ ports = [
+ "${toString cfg.httpPort}:3000"
+ "${toString cfg.httpsPort}:3001"
+ ];
+ volumes = [
+ "${cfg.dataDir}:/app/src/config"
+ ];
+ environment = {
+ MENU_VERSION = "2.0.76";
+ PORT_RANGE = "30000:30010";
+ };
+ extraOptions = [
+ "--restart=unless-stopped"
+ ];
+ };
+ };
+
+ # Enable podman for oci-containers
+ virtualisation.podman.enable = true;
+ };
+}
diff --git a/modules/nixos/netbootxyz/options.nix b/modules/nixos/netbootxyz/options.nix
new file mode 100644
index 0000000..38fba54
--- /dev/null
+++ b/modules/nixos/netbootxyz/options.nix
@@ -0,0 +1,31 @@
+{ lib, namespace, ... }:
+with lib;
+{
+ options.${namespace}.services.netbootxyz = {
+ enable = mkEnableOption "netbootxyz network boot service";
+
+ httpPort = mkOption {
+ type = types.port;
+ default = 4000;
+ description = "HTTP port for netbootxyz";
+ };
+
+ httpsPort = mkOption {
+ type = types.port;
+ default = 4080;
+ description = "HTTPS port for netbootxyz";
+ };
+
+ openFirewall = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Whether to open firewall for netbootxyz";
+ };
+
+ dataDir = mkOption {
+ type = types.str;
+ default = "/var/lib/netbootxyz";
+ description = "Data directory for netbootxyz";
+ };
+ };
+}
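Review bot: `virtualisation.oci-containers.backend = "podman"` and `virtualisation.podman.enable = true` are host-wide settings placed inside a per-service module, so enabling netbootxyz switches every other oci-container on the host (lubelogger in this same commit) to podman, and any module that sets `backend = "docker"` will fail evaluation with a conflicting definition; move these two lines to the host config or wrap them in `mkDefault`. `image = "ghcr.io/netbootxyz/netbootxyz:latest"` is an unpinned moving tag on a service that serves boot menus to PXE clients, so whatever the registry returns on the next pull is what gets booted; pin a version tag or a digest and bump it deliberately, as `MENU_VERSION = "2.0.76"` already does for the menus. `PORT_RANGE = "30000:30010"` is set but those ports are neither published nor opened in the firewall, so either document what it is for or drop it. The `0755 root root` tmpfiles rule on a directory that the host config places on the NAS share deserves a comment about who is expected to edit the config files there.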
diff --git a/modules/nixos/protonmail-bridge/default.nix b/modules/nixos/protonmail-bridge/default.nix
new file mode 100644
index 0000000..ef08890
--- /dev/null
+++ b/modules/nixos/protonmail-bridge/default.nix
@@ -0,0 +1,65 @@
+{
+ config,
+ lib,
+ pkgs,
+ namespace,
+ ...
+}:
+with lib;
+let
+ cfg = config.${namespace}.services.protonmail-bridge;
+in
+{
+ imports = [ ./options.nix ];
+
+ config = mkIf cfg.enable {
+ # Open firewall for protonmail bridge if enabled
+ networking.firewall = mkIf cfg.openFirewall {
+ allowedTCPPorts = [
+ cfg.smtpPort
+ cfg.imapPort
+ ];
+ allowedUDPPorts = [
+ cfg.smtpPort
+ cfg.imapPort
+ ];
+ };
+
+ # Install protonmail-bridge package
+ environment.systemPackages = with pkgs; [
+ protonmail-bridge
+ gnome-keyring
+ gnupg
+ pass
+ ];
+
+ # Configure systemd user service for protonmail-bridge
+ systemd.user.services.protonmail-bridge = {
+ description = "Protonmail Bridge";
+ enable = true;
+ environment = {
+ GNUPGHOME = "%h/.gnupg";
+ PASSWORD_STORE_DIR = "%h/.password-store";
+ };
+ script = "${pkgs.protonmail-bridge}/bin/protonmail-bridge --noninteractive";
+ path = with pkgs; [
+ gnome-keyring
+ gnupg
+ pass
+ protonmail-bridge
+ ];
+ wantedBy = [ "default.target" ];
+ after = [ "gpg-agent.service" ];
+ };
+
+ # Enable gnome keyring for password storage
+ security.pam.services.login.enableGnomeKeyring = true;
+ services.gnome.gnome-keyring.enable = true;
+
+ # Configure gpg-agent
+ programs.gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ };
+ };
+}
diff --git a/modules/nixos/protonmail-bridge/options.nix b/modules/nixos/protonmail-bridge/options.nix
new file mode 100644
index 0000000..4d55687
--- /dev/null
+++ b/modules/nixos/protonmail-bridge/options.nix
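Review bot: The `user` option declared in protonmail-bridge/options.nix is never read here: `systemd.user.services.protonmail-bridge` lands in every user's session on the host rather than only `cfg.user`'s, and `security.pam.services.login.enableGnomeKeyring`, `services.gnome.gnome-keyring.enable` and `programs.gnupg.agent.enableSSHSupport = true` are global changes (the last replaces ssh-agent for everyone) that a mail-bridge module flips without saying so. Either drop `user` or honour it — for instance as a system service with `User = cfg.user` — and document the keyring and gpg-agent requirements in a header comment. The bridge listens on loopback by default, so `openFirewall` defaulting to `true` for 1025/1143 opens nothing useful and only invites pointing the bridge at a non-loopback address; default it to `false`. A `default.target` user unit only runs while that user has a session unless lingering is enabled for the account, which this commit does not show; worth noting in the module or handling with `users.users.<name>.linger`.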
@@ -0,0 +1,31 @@
+{ lib, namespace, ... }:
+with lib;
+{
+ options.${namespace}.services.protonmail-bridge = {
+ enable = mkEnableOption "protonmail bridge service";
+
+ smtpPort = mkOption {
+ type = types.port;
+ default = 1025;
+ description = "SMTP port for protonmail bridge";
+ };
+
+ imapPort = mkOption {
+ type = types.port;
+ default = 1143;
+ description = "IMAP port for protonmail bridge";
+ };
+
+ openFirewall = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Whether to open firewall for protonmail bridge";
+ };
+
+ user = mkOption {
+ type = types.str;
+ default = "admin";
+ description = "User to run protonmail bridge as";
+ };
+ };
+}
diff --git a/modules/nixos/restic/default.nix b/modules/nixos/restic/default.nix
new file mode 100644
index 0000000..f42570a
--- /dev/null
+++ b/modules/nixos/restic/default.nix
@@ -0,0 +1,33 @@
+{
+ config,
+ lib,
+ namespace,
+ ...
+}:
+with lib;
+let
+ cfg = config.${namespace}.services.restic;
+in
+{
+ imports = [ ./options.nix ];
+
+ config = mkIf cfg.enable {
+ # Configure the standard NixOS restic server service
+ services.restic.server = {
+ enable = true;
+ dataDir = cfg.dataDir;
+ prometheus = cfg.prometheus;
+ listenAddress = "${cfg.listenAddress}:${toString cfg.port}";
+ extraFlags = cfg.extraFlags;
+ }
+ // optionalAttrs (cfg.htpasswdFile != null) {
+ htpasswd-file = cfg.htpasswdFile;
+ };
+
+ # Open firewall for restic server if enabled
+ networking.firewall = mkIf cfg.openFirewall {
+ allowedTCPPorts = [ cfg.port ];
+ allowedUDPPorts = [ cfg.port ];
+ };
+ };
+}
diff --git a/modules/nixos/restic/options.nix b/modules/nixos/restic/options.nix
new file mode 100644
index 0000000..f126515
--- /dev/null
+++ b/modules/nixos/restic/options.nix
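Review bot: `extraFlags` is forwarded verbatim, so a caller can pass `--no-auth` and silently cancel the `htpasswd-file` protection that a non-null `htpasswdFile` implies — which is exactly what the NAS config in this commit does, with `listenAddress = "0.0.0.0"` and the firewall opened by default. Add `assertions = [ { assertion = !(elem "--no-auth" cfg.extraFlags && cfg.htpasswdFile != null); message = "restic: --no-auth in extraFlags disables htpasswdFile"; } ];` so the contradiction fails evaluation instead of quietly publishing the backup repositories. A second assertion that an unauthenticated server (`htpasswdFile == null` or `--no-auth`) is only allowed when `cfg.listenAddress` is loopback would close the remaining gap. `htpasswdFile` is `types.str` rather than `types.path`, which correctly keeps the credential file out of the Nix store; a comment saying that is intentional would stop a future tidy-up from changing it.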
@@ -0,0 +1,49 @@
+{ lib, namespace, ... }:
+with lib;
+{
+ options.${namespace}.services.restic = {
+ enable = mkEnableOption "restic server with enhanced configuration";
+
+ port = mkOption {
+ type = types.port;
+ default = 8008;
+ description = "Port for restic server";
+ };
+
+ openFirewall = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Whether to open firewall for restic server";
+ };
+
+ dataDir = mkOption {
+ type = types.str;
+ default = "/var/lib/restic";
+ description = "Data directory for restic server";
+ };
+
+ listenAddress = mkOption {
+ type = types.str;
+ default = "0.0.0.0";
+ description = "Address to bind restic server to";
+ };
+
+ prometheus = mkOption {
+ type = types.bool;
+ default = true;
+ description = "Whether to enable prometheus metrics";
+ };
+
+ htpasswdFile = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = "Path to htpasswd file for authentication";
+ };
+
+ extraFlags = mkOption {
+ type = types.listOf types.str;
+ default = [ ];
+ description = "Extra flags to pass to restic server";
+ };
+ };
+}
diff --git a/packages/ha-anycubic/default.nix b/packages/homeassistant/ha-anycubic/default.nix
similarity index 100%
rename from packages/ha-anycubic/default.nix
rename to packages/homeassistant/ha-anycubic/default.nix
diff --git a/packages/ha-bambulab/default.nix b/packages/homeassistant/ha-bambulab/default.nix
similarity index 100%
rename from packages/ha-bambulab/default.nix
rename to packages/homeassistant/ha-bambulab/default.nix
diff --git a/packages/ha-gehome/default.nix b/packages/homeassistant/ha-gehome/default.nix
similarity index 100%
rename from packages/ha-gehome/default.nix
rename to packages/homeassistant/ha-gehome/default.nix
diff --git a/packages/ha-icloud3/default.nix b/packages/homeassistant/ha-icloud3/default.nix
similarity index 100%
rename from packages/ha-icloud3/default.nix
rename to packages/homeassistant/ha-icloud3/default.nix
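Review bot: The defaults `listenAddress = "0.0.0.0"`, `openFirewall = true` and `htpasswdFile = null` mean `enable = true` alone publishes an unauthenticated REST backend on every interface, and anyone who can reach it can read, overwrite or delete every repository under `dataDir`. Default `listenAddress` to `127.0.0.1` and `openFirewall` to `false`, or at least state the consequence on the option: `description = "Path to htpasswd file for authentication; when null the server accepts unauthenticated requests from anything that can reach listenAddress";`. rest-server's `--append-only` mode is the usual mitigation against a compromised client deleting its own backups and is worth exposing as a boolean option rather than leaving it to `extraFlags`. `prometheus = true` by default also serves the metrics endpoint on the same listener, so it inherits whatever authentication state the options above produce.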
diff --git a/packages/ha-mail-and-packages/default.nix b/packages/homeassistant/ha-mail-and-packages/default.nix
similarity index 100%
rename from packages/ha-mail-and-packages/default.nix
rename to packages/homeassistant/ha-mail-and-packages/default.nix
diff --git a/packages/ha-nanokvm/default.nix b/packages/homeassistant/ha-nanokvm/default.nix
similarity index 100%
rename from packages/ha-nanokvm/default.nix
rename to packages/homeassistant/ha-nanokvm/default.nix
diff --git a/packages/ha-openhasp/default.nix b/packages/homeassistant/ha-openhasp/default.nix
similarity index 100%
rename from packages/ha-openhasp/default.nix
rename to packages/homeassistant/ha-openhasp/default.nix
diff --git a/packages/ha-overseerr/default.nix b/packages/homeassistant/ha-overseerr/default.nix
similarity index 100%
rename from packages/ha-overseerr/default.nix
rename to packages/homeassistant/ha-overseerr/default.nix
diff --git a/packages/ha-petlibro/default.nix b/packages/homeassistant/ha-petlibro/default.nix
similarity index 100%
rename from packages/ha-petlibro/default.nix
rename to packages/homeassistant/ha-petlibro/default.nix
diff --git a/packages/ha-wyzeapi/default.nix b/packages/homeassistant/ha-wyzeapi/default.nix
similarity index 100%
rename from packages/ha-wyzeapi/default.nix
rename to packages/homeassistant/ha-wyzeapi/default.nix
diff --git a/packages/homeassistant-api/default.nix b/packages/homeassistant/homeassistant-api/default.nix
similarity index 100%
rename from packages/homeassistant-api/default.nix
rename to packages/homeassistant/homeassistant-api/default.nix
diff --git a/packages/magicattr/default.nix b/packages/python/magicattr/default.nix
similarity index 100%
rename from packages/magicattr/default.nix
rename to packages/python/magicattr/default.nix
diff --git a/packages/pipewire-python/default.nix b/packages/python/pipewire-python/default.nix
similarity index 100%
rename from packages/pipewire-python/default.nix
rename to packages/python/pipewire-python/default.nix
diff --git a/packages/pyoverseerr/default.nix b/packages/python/pyoverseerr/default.nix
similarity index 100%
rename from packages/pyoverseerr/default.nix
rename to packages/python/pyoverseerr/default.nix
diff --git a/packages/python-nanokvm/default.nix b/packages/python/python-nanokvm/default.nix
similarity index 100%
rename from packages/python-nanokvm/default.nix
rename to packages/python/python-nanokvm/default.nix
diff --git a/packages/python-steam/default.nix b/packages/python/python-steam/default.nix
similarity index 100%
rename from packages/python-steam/default.nix
rename to packages/python/python-steam/default.nix
diff --git a/packages/wyzeapy/default.nix b/packages/python/wyzeapy/default.nix
similarity index 100%
rename from packages/wyzeapy/default.nix
rename to packages/python/wyzeapy/default.nix
diff --git a/packages/open-remote-ssh/default.nix b/packages/system/open-remote-ssh/default.nix
similarity index 100%
rename from packages/open-remote-ssh/default.nix
rename to packages/system/open-remote-ssh/default.nix
diff --git a/packages/uart-wifi/default.nix b/packages/system/uart-wifi/default.nix
similarity index 100%
rename from packages/uart-wifi/default.nix
rename to packages/system/uart-wifi/default.nix
diff --git a/systems/x86_64-linux/nas/apps.nix b/systems/x86_64-linux/nas/apps.nix
index 97189d1..23f40a9 100755
--- a/systems/x86_64-linux/nas/apps.nix
+++ b/systems/x86_64-linux/nas/apps.nix
@@ -98,6 +98,62 @@
 };
 tdarr.enable = true;
+
+ authentik = {
+ enable = true;
+ port = 9000;
+ environmentFile = "/run/secrets/jallen-nas/authentik-env";
+ };
+
+ attic = {
+ enable = true;
+ port = 9012;
+ listenAddress = "[::]";
+ environmentFile = "/run/secrets/jallen-nas/attic-key";
+ };
+
+ protonmail-bridge = {
+ enable = true;
+ smtpPort = 1025;
+ imapPort = 1143;
+ user = "admin";
+ };
+
+ netbootxyz = {
+ enable = true;
+ httpPort = 4000;
+ httpsPort = 4080;
+ dataDir = "/media/nas/main/nix-app-data/netbootxyz";
+ };
+
+ glances = {
+ enable = true;
+ port = 61208;
+ bindAddress = "0.0.0.0";
+ };
+
+ code-server = {
+ enable = true;
+ port = 4444;
+ user = "admin";
+ group = "jallen-nas";
+ host = "0.0.0.0";
+ auth = "none";
+ hashedPassword = "$y$j9T$EkPXmsmIMFFZ.WRrBYCxS1$P0kwo6e4.WM5DsqUcEqWC3MrZp5KfCjxffraMFZWu06";
+ extraEnvironment = {
+ PROXY_DOMAIN = "code.mjallen.dev";
+ };
+ };
+
+ restic = {
+ enable = true;
+ port = 8008;
+ dataDir = "/media/nas/main/backup/restic";
+ prometheus = true;
+ listenAddress = "0.0.0.0";
+ htpasswdFile = "/media/nas/main/backup/restic/.htpasswd";
+ extraFlags = [ "--no-auth" ];
+ };
 };
 };
 }
diff --git a/systems/x86_64-linux/nas/default.nix b/systems/x86_64-linux/nas/default.nix
index 5d41c01..a17d4c3 100755
--- a/systems/x86_64-linux/nas/default.nix
+++ b/systems/x86_64-linux/nas/default.nix
@@ -3,7 +3,6 @@
 # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
 {
- config,
 pkgs,
 namespace,
 ...
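Review bot: `restic.extraFlags = [ "--no-auth" ]` turns rest-server authentication off entirely, so the `htpasswdFile` on the line above is dead configuration and the repositories under `/media/nas/main/backup/restic` are readable, writable and deletable by anything that can reach `0.0.0.0:8008` — the module opens that port in the firewall by default, and the `restic.server` block removed from services.nix in this commit did not pass `--no-auth`, so this is a new exposure; drop the flag, or if unauthenticated access is intended set `listenAddress` to loopback and let the proxy front it. `code-server.hashedPassword` keeps a yescrypt hash in the repository while `auth = "none"` ignores it; a committed hash is offline-crackable material, and this file already uses `/run/secrets/...` paths for attic and authentik, so either delete the line or move the hash into the same secret store. The per-module `openFirewall` defaults replace the host firewall list removed from `systems/x86_64-linux/nas/default.nix` in this commit, but that list also covered ports with no module here (51820 wireguard, 2342 grafana, 3000/2222 gitea, 2283 immich, 9980 onlyoffice, 10200, 10300, 8127, 3300, 8192); unless those services open their own ports elsewhere they become unreachable after this change.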
@@ -67,52 +66,6 @@
 firewall = {
 enable = true;
 allowPing = true;
- allowedTCPPorts = [
- 8008 # restic
- 9000 # authentik
- 2342 # grafana
- 51820 # wireguard
- 1025
- 1143
- 10200
- 10300
- 8127
- 9980 # onlyoffice
- 4000 # netbootxyz
- 4080 # netbootxyz
- 3000 # gitea
- 2222 # gitea ssh
- 3300
- 9898
- 6754 # lubelogger
- 2283 # immich
- 4444 # code-server
- 9012
- 8192
- ];
- allowedUDPPorts = [
- 8008 # restic
- 9000 # authentik
- 2342 # grafana
- 51820 # wireguard
- 1025
- 1143
- 10200
- 10300
- 8127
- 9980 # onlyoffice
- 4000 # netbootxyz
- 4080 # netbootxyz
- 3000 # gitea
- 2222 # gitea ssh
- 3300
- 9898
- 6754 # lubelogger
- 2283 # immich
- 4444 # code-server
- 9012
- 8192
- ];
 trustedInterfaces = [ "tailscale0" ];
 };
 };
@@ -143,7 +96,6 @@
 ffmpeg
 ipset
 llama-cpp
- # inputs.nas-nixai.packages.x86_64-linux.nixai
 networkmanagerapplet
 nut
 packagekit
@@ -167,48 +119,6 @@
 enable = true;
 nvidiaSupport = true;
 };
-
- msmtp = {
- enable = false;
- accounts = {
- default = {
- auth = true;
- tls_starttls = false;
- host = "smtp.gmail.com";
- user = "matt.l.jallen";
- from = "matt.l.jallen@gmail.com";
- passwordeval = "cat ${config.sops.secrets."jallen-nas/gitea/mail-key".path}";
- };
- };
- defaults = {
- port = 465;
- tls = true;
- };
- };
-
- hardware.fancontrol = {
- enable = false;
- config = ''
- # Configuration file generated by pwmconfig, changes will be lost
- # hwmon6/temp9_input -- chipset temp?
- # hwmon2/temp1_input -- cpu temp?
- # hwmon6/pwm5 -- chipset fan?
- # hwmon6/pwm2, hwmon6/pwm3 -- cpu fans?
- # hwmon6/pwm4 -- case fans?
-
- INTERVAL=10
- DEVPATH=hwmon2=devices/pci0000:00/0000:00:18.3 hwmon6=devices/platform/nct6775.656
- DEVNAME=hwmon2=k10temp hwmon6=nct6798
- FCTEMPS=hwmon6/pwm5=hwmon6/temp9_input hwmon6/pwm2=hwmon2/temp1_input hwmon6/pwm3=hwmon2/temp1_input hwmon6/pwm4=hwmon2/temp1_input
- FCFANS=hwmon6/pwm5=hwmon6/fan5_input hwmon6/pwm2=hwmon6/fan2_input hwmon6/pwm3=hwmon6/fan3_input hwmon6/pwm4=hwmon6/fan4_input
- MINTEMP=hwmon6/pwm5=20 hwmon6/pwm2=20 hwmon6/pwm3=20 hwmon6/pwm4=20
- MAXTEMP=hwmon6/pwm5=60 hwmon6/pwm2=90 hwmon6/pwm3=90 hwmon6/pwm4=90
- MINSTART=hwmon6/pwm5=16 hwmon6/pwm2=90 hwmon6/pwm3=45 hwmon6/pwm4=60
- MINSTOP=hwmon6/pwm5=14 hwmon6/pwm2=0 hwmon6/pwm3=30 hwmon6/pwm4=45
- MINPWM=hwmon6/pwm5=14 hwmon6/pwm2=0 hwmon6/pwm3=0 hwmon6/pwm4=0
- MAXPWM=hwmon6/pwm5=255 hwmon6/pwm2=255 hwmon6/pwm3=255 hwmon6/pwm4=255
- '';
 };
 # Additional virtualization beyond what's in development module
diff --git a/systems/x86_64-linux/nas/grafana.nix b/systems/x86_64-linux/nas/grafana.nix
index cfdf51f..b4f5898 100755
--- a/systems/x86_64-linux/nas/grafana.nix
+++ b/systems/x86_64-linux/nas/grafana.nix
@@ -82,5 +82,8 @@ in
 };
 };
 # Open firewall ports for Grafana
- networking.firewall.allowedTCPPorts = [ 9999 ];
+ networking.firewall = {
+ allowedTCPPorts = [ 9999 ];
+ allowedUDPPorts = [ 9999 ];
+ };
 }
diff --git a/systems/x86_64-linux/nas/nix-serve.nix b/systems/x86_64-linux/nas/nix-serve.nix
index b369d6e..c8865af 100755
--- a/systems/x86_64-linux/nas/nix-serve.nix
+++ b/systems/x86_64-linux/nas/nix-serve.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 {
 # "https://cache.mjallen.dev"
 # "cache.mjallen.dev-1:IzFmKCd8/gggI6lcCXsW65qQwiCLGFFN9t9s2iw7Lvc="
@@ -10,14 +10,6 @@
 openFirewall = true;
 };
- services.atticd = {
- enable = true;
- environmentFile = config.sops.secrets."jallen-nas/attic-key".path;
- settings = {
- listen = "[::]:9012";
- };
- };
-
 # Improved systemd service with better error handling
 systemd = {
 services = {
diff --git a/systems/x86_64-linux/nas/services.nix b/systems/x86_64-linux/nas/services.nix
index 6c1e224..b150929 100755
--- a/systems/x86_64-linux/nas/services.nix
+++ b/systems/x86_64-linux/nas/services.nix
@@ -8,21 +8,6 @@ in
 # Services configs
 services = {
- code-server = {
- enable = true;
- disableTelemetry = true;
- disableUpdateCheck = true;
- user = "admin";
- group = "jallen-nas";
- host = "0.0.0.0";
- port = 4444;
- auth = "none";
- hashedPassword = "$y$j9T$EkPXmsmIMFFZ.WRrBYCxS1$P0kwo6e4.WM5DsqUcEqWC3MrZp5KfCjxffraMFZWu06";
- extraEnvironment = {
- PROXY_DOMAIN = "code.mjallen.dev";
- };
- };
-
 minecraft-server = {
 enable = false;
 eula = true;
@@ -127,11 +112,6 @@ in
 ];
 };
- authentik = {
- enable = true;
- environmentFile = config.sops.secrets."jallen-nas/authentik-env".path;
- };
-
 # nixai = {
 # enable = true;
 # mcp = {
@@ -168,33 +148,6 @@ in
 };
 };
- restic.server = {
- enable = true;
- dataDir = "/media/nas/main/backup/restic";
- prometheus = true;
- listenAddress = "0.0.0.0:8008";
- htpasswd-file = "/media/nas/main/backup/restic/.htpasswd";
- };
- };
-
- systemd.user.services = {
- protonmail-bridge = {
- description = "Protonmail Bridge";
- enable = true;
- environment = {
- GNUPGHOME = "%h/.gnupg";
- PASSWORD_STORE_DIR = "%h/.password-store";
- };
- script = "${pkgs.protonmail-bridge}/bin/protonmail-bridge --noninteractive";
- path = [
- pkgs.gnome-keyring
- pkgs.gnupg
- pkgs.pass
- pkgs.protonmail-bridge
- ];
- wantedBy = [ "default.target" ];
- after = [ "gpg-agent.service" ];
- };
 };
 # TODO move to normal samba settings
@@ -298,17 +251,6 @@ in
 '';
 };
- glances-server = {
- path = [
- pkgs.bash
- pkgs.glances
- ];
- script = ''
- glances -w
- '';
- wantedBy = [ "multi-user.target" ];
- };
-
 hd-idle = {
 enable = false;
 environment = {