From e0713e0ba0735ebe20dbdbe9e3cee282c0faa4fe Mon Sep 17 00:00:00 2001
From: mjallen18
Date: Wed, 19 Mar 2025 20:19:38 -0500
Subject: [PATCH] cleanup

---
.sops.yaml | 2 +-
flake.lock | 2 +-
flake.nix | 348 +++++++++++++++++----------
hosts/deck/configuration.nix | 5 +
hosts/deck/home.nix | 2 -
hosts/desktop/configuration.nix | 5 +
hosts/desktop/home.nix | 1 -
hosts/nas/apps/nextcloud/default.nix | 15 +-
hosts/nas/apps/ollama/default.nix | 2 +-
hosts/nas/apps/paperless/default.nix | 19 +-
hosts/nas/configuration.nix | 6 +
hosts/nas/home.nix | 1 -
hosts/nas/nix-serve.nix | 3 -
hosts/nas/sops.nix | 62 +++--
hosts/pi4/configuration.nix | 11 +-
hosts/pi4/home.nix | 53 +++-
hosts/pi4/sops.nix | 15 +-
secrets/secrets.yaml | 6 +-
18 files changed, 353 insertions(+), 205 deletions(-)

diff --git a/.sops.yaml b/.sops.yaml
index 7b406bc..79358f4 100755
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,4 +1,4 @@
-# See https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
+# See https://github.com/Mic92/dotfiles/blob/d6114726d859df36ccaa32891c4963ae5717ef7f/nixos/.sops.yaml
 keys:
 - &matt age157jemphjzg6zmk373vpccuguyw6e75qnkqmz8pcnn2yue85p939swqqhy0
 - &matt_pi4 age13g9a4d4jrvckfddpgn8sm4kjtzajr67le56pfdg78ktr5pd09phq32j89u
diff --git a/flake.lock b/flake.lock
index f1620b4..0ed6b97 100755
--- a/flake.lock
+++ b/flake.lock
@@ -810,7 +810,7 @@
 "sops-nix": {
 "inputs": {
 "nixpkgs": [
- "nixpkgs-stable"
+ "nixpkgs-unstable"
 ]
 },
 "locked": {
diff --git a/flake.nix b/flake.nix
index 77af5c4..4c9eea6 100755
--- a/flake.nix
+++ b/flake.nix
@@ -2,111 +2,211 @@ description = "flake for matt-nixos"; inputs = { + + ##################################################### + # Desktop # + ##################################################### + # nixpgs - nixpkgs-unstable = { + desktop-nixpkgs = { url = "github:NixOS/nixpkgs/nixos-unstable"; }; - # nixpkgs-unstable-small - nixpkgs-unstable-small = { - url = "github:NixOS/nixpkgs/nixos-unstable-small"; - }; - - # nixpgs - nixpkgs-stable = { - url = "github:NixOS/nixpkgs/nixos-24.11"; - }; - - # Authentik - authentik-nix = { - url = "github:nix-community/authentik-nix"; - inputs.nixpkgs.follows = "nixpkgs-stable"; - }; - # Chaotic-nix - chaotic = { + desktop-chaotic = { url = "github:chaotic-cx/nyx/nyxpkgs-unstable"; }; - # Impermenance - impermanence = { - url = "github:nix-community/impermanence"; + # cosmic launcher + desktop-cosmic = { + url = "github:lilyinstarlight/nixos-cosmic"; + inputs.nixpkgs.follows = "desktop-nixpkgs"; }; # Home Manager - home-manager = { + desktop-home-manager = { url = "github:nix-community/home-manager"; - inputs.nixpkgs.follows = "nixpkgs-unstable"; + inputs.nixpkgs.follows = "desktop-nixpkgs"; }; - home-manager-stable = { - url = "github:nix-community/home-manager/release-24.11"; - inputs.nixpkgs.follows = "nixpkgs-stable"; + # Impermenance + desktop-impermanence = { + url = "github:nix-community/impermanence"; }; # Lanzaboote - lanzaboote = { + desktop-lanzaboote = { url = "github:nix-community/lanzaboote/v0.4.2"; - inputs.nixpkgs.follows = "nixpkgs-unstable"; + inputs.nixpkgs.follows = "desktop-nixpkgs"; }; # Nix hardware - nixos-hardware.url = "github:NixOS/nixos-hardware/master"; - - # Sops-nix - sops-nix = { - url = "github:Mic92/sops-nix"; - inputs.nixpkgs.follows = "nixpkgs-stable"; + desktop-nixos-hardware = { + url = "github:NixOS/nixos-hardware/master"; + inputs.nixpkgs.follows = "desktop-nixpkgs"; }; - crowdsec = { + # Sops-nix + desktop-sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = 
"desktop-nixpkgs"; + }; + + # steam rom manager + desktop-steam-rom-manager = { + url = "github:mjallen18/nix-steam-rom-manager"; + inputs.nixpkgs.follows = "desktop-nixpkgs"; + inputs.home-manager.follows = "desktop-home-manager"; + }; + + ##################################################### + # NAS # + ##################################################### + + # nixpgs + nas-nixpkgs = { + url = "github:NixOS/nixpkgs/nixos-unstable"; + }; + + # Authentik + nas-authentik-nix = { + url = "github:nix-community/authentik-nix"; + inputs.nixpkgs.follows = "nas-nixpkgs"; + }; + + # crowdsec + nas-crowdsec = { url = "git+https://codeberg.org/kampka/nix-flake-crowdsec.git"; inputs.nixpkgs.follows = "nixpkgs-stable"; }; - #Apple - nix-darwin = { - url = "github:LnL7/nix-darwin"; + # Home Manager + nas-home-manager = { + url = "github:nix-community/home-manager"; + inputs.nixpkgs.follows = "nas-nixpkgs"; + }; + + # Impermenance + nas-impermanence = { + url = "github:nix-community/impermanence"; + }; + + # Nix hardware + nas-nixos-hardware = { + url = "github:NixOS/nixos-hardware/master"; + inputs.nixpkgs.follows = "nas-nixpkgs"; + }; + + # Sops-nix + nas-sops-nix = { + url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs-unstable"; }; + ##################################################### + # Steamdeck # + ##################################################### + + # nixpgs + steamdeck-nixpkgs = { + url = "github:NixOS/nixpkgs/nixos-unstable"; + }; + # Joviain for steamdeck - jovian = { + steamdeck-jovian = { url = "github:Jovian-Experiments/Jovian-NixOS"; - inputs.nixpkgs.follows = "nixpkgs-unstable"; + inputs.nixpkgs.follows = "steamdeck-nixpkgs"; }; - steam-rom-manager = { - url = "github:mjallen18/nix-steam-rom-manager"; - inputs.nixpkgs.follows = "nixpkgs-unstable"; - inputs.home-manager.follows = "home-manager"; + # Chaotic-nix + steamdeck-chaotic = { + url = "github:chaotic-cx/nyx/nyxpkgs-unstable"; }; - cosmic = { - url = 
"github:lilyinstarlight/nixos-cosmic"; - inputs.nixpkgs.follows = "nixpkgs-unstable"; + # Impermenance + steamdeck-impermanence = { + url = "github:nix-community/impermanence"; + }; + + # Home Manager + steamdeck-home-manager = { + url = "github:nix-community/home-manager"; + inputs.nixpkgs.follows = "steamdeck-nixpkgs"; + }; + + # Lanzaboote + steamdeck-lanzaboote = { + url = "github:nix-community/lanzaboote/v0.4.2"; + inputs.nixpkgs.follows = "steamdeck-nixpkgs"; + }; + + # Sops-nix + steamdeck-sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "steamdeck-nixpkgs"; + }; + + # Nix hardware + steamdeck-nixos-hardware = { + url = "github:NixOS/nixos-hardware/master"; + inputs.nixpkgs.follows = "steamdeck-nixpkgs"; + }; + + ##################################################### + # MacBook # + ##################################################### + + #Apple + nix-darwin = { + url = "github:LnL7/nix-darwin"; + inputs.nixpkgs.follows = "desktop-nixpkgs"; }; }; outputs = { self, - nixpkgs-unstable, - nixpkgs-unstable-small, - nixpkgs-stable, - chaotic, - lanzaboote, - impermanence, - home-manager, - home-manager-stable, - nixos-hardware, - nix-darwin, - cosmic, - authentik-nix, - sops-nix, - crowdsec, - jovian, - steam-rom-manager, + + # Desktop + desktop-nixpkgs, + desktop-chaotic, + desktop-cosmic, + desktop-home-manager, + desktop-impermanence, + desktop-lanzaboote, + desktop-nixos-hardware, + desktop-sops-nix, + desktop-steam-rom-manager, + + # NAS + nas-nixpkgs, + nas-authentik-nix, + nas-crowdsec, + nas-home-manager, + nas-impermanence, + nas-nixos-hardware, + nas-sops-nix, + + # Pi4 + pi4-nixpkgs, + pi4-home-manager, + pi4-impermanence, + pi4-nixos-hardware, + pi4-sops-nix, + + # Steamdeck + steamdeck-nixpkgs, + steamdeck-chaotic, + steamdeck-home-manager, + steamdeck-impermanence, + steamdeck-jovian, + steamdeck-lanzaboote, + steamdeck-nixos-hardware, + steamdeck-sops-nix, + steamdeck-steam-rom-manager, + + # MacBook + nix-darwin }@inputs: 
let inherit (self) outputs; @@ -116,18 +216,18 @@ nixosConfigurations = { # Desktop - "matt-nixos" = nixpkgs-unstable.lib.nixosSystem { + "matt-nixos" = desktop-nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs = { inherit inputs outputs; }; modules = [ - impermanence.nixosModules.impermanence - lanzaboote.nixosModules.lanzaboote + desktop-impermanence.nixosModules.impermanence + desktop-lanzaboote.nixosModules.lanzaboote ./hosts/desktop/configuration.nix ./share/impermanence - chaotic.nixosModules.default - home-manager.nixosModules.home-manager + desktop-chaotic.nixosModules.default + desktop-home-manager.nixosModules.home-manager { home-manager.useGlobalPkgs = true; home-manager.useUserPackages = true; @@ -136,8 +236,8 @@ { imports = [ ./hosts/desktop/home.nix - steam-rom-manager.homeManagerModules.default - sops-nix.homeManagerModules.sops + desktop-steam-rom-manager.homeManagerModules.default + desktop-sops-nix.homeManagerModules.sops ]; }; home-manager.users.root = 
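Review bot: `nas-crowdsec` still carries `inputs.nixpkgs.follows = "nixpkgs-stable";` and `nas-sops-nix` still carries `inputs.nixpkgs.follows = "nixpkgs-unstable";`, but both of those inputs are deleted earlier in this same hunk, so the follows now name inputs that do not exist (the flake.lock hunk records sops-nix following `nixpkgs-unstable` for the same reason). Nix, as far as I recall, only warns about a follows to a missing input and then uses that flake's own pinned nixpkgs, which silently reintroduces a second nixpkgs revision on the NAS and defeats the per-host grouping this commit sets up; both lines should read `inputs.nixpkgs.follows = "nas-nixpkgs";`. The `outputs` argument set also destructures `pi4-nixpkgs`, `pi4-home-manager`, `pi4-impermanence`, `pi4-nixos-hardware` and `pi4-sops-nix`, yet the `inputs` attribute set in this hunk has Desktop, NAS, Steamdeck and MacBook sections but no Pi4 section, so evaluation should fail with a missing-argument error unless those inputs are declared somewhere I cannot see. This hunk starts on an earlier physical line of the page and the `outputs` function body continues past `inherit (self) outputs;`.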
@@ -145,34 +245,34 @@ { imports = [ ./share/root-user - sops-nix.homeManagerModules.sops + desktop-sops-nix.homeManagerModules.sops ]; }; home-manager.backupFileExtension = "backup"; } - nixos-hardware.nixosModules.common-cpu-amd - nixos-hardware.nixosModules.common-gpu-amd - nixos-hardware.nixosModules.common-hidpi - nixos-hardware.nixosModules.common-pc + desktop-nixos-hardware.nixosModules.common-cpu-amd + desktop-nixos-hardware.nixosModules.common-gpu-amd + desktop-nixos-hardware.nixosModules.common-hidpi + desktop-nixos-hardware.nixosModules.common-pc - sops-nix.nixosModules.sops + desktop-sops-nix.nixosModules.sops - # cosmic.nixosModules.default + # desktop-cosmic.nixosModules.default ]; }; # NAS - "jallen-nas" = nixpkgs-stable.lib.nixosSystem { + "jallen-nas" = nas-nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs = { inherit inputs outputs; }; modules = [ - impermanence.nixosModules.impermanence + nas-impermanence.nixosModules.impermanence ./hosts/nas/configuration.nix ./hosts/nas/impermanence.nix - home-manager-stable.nixosModules.home-manager + nas-home-manager.nixosModules.home-manager { home-manager.useGlobalPkgs = false; home-manager.useUserPackages = true; @@ -181,7 +281,7 @@ { imports = [ ./hosts/nas/home.nix - sops-nix.homeManagerModules.sops + nas-sops-nix.homeManagerModules.sops ]; }; home-manager.users.root = 
@@ -189,42 +289,42 @@ { imports = [ ./share/root-user - sops-nix.homeManagerModules.sops + nas-sops-nix.homeManagerModules.sops ]; }; home-manager.backupFileExtension = "backup"; } - authentik-nix.nixosModules.default + nas-authentik-nix.nixosModules.default - sops-nix.nixosModules.sops + nas-sops-nix.nixosModules.sops - crowdsec.nixosModules.crowdsec - crowdsec.nixosModules.crowdsec-firewall-bouncer + nas-crowdsec.nixosModules.crowdsec + nas-crowdsec.nixosModules.crowdsec-firewall-bouncer ( { ... }: { - nixpkgs.overlays = [ crowdsec.overlays.default ]; + nixpkgs.overlays = [ nas-crowdsec.overlays.default ]; } ) - nixos-hardware.nixosModules.common-pc - nixos-hardware.nixosModules.common-cpu-amd - nixos-hardware.nixosModules.common-hidpi + nas-nixos-hardware.nixosModules.common-pc + nas-nixos-hardware.nixosModules.common-cpu-amd + nas-nixos-hardware.nixosModules.common-hidpi ]; }; # Pi4 - "pi4" = nixpkgs-unstable.lib.nixosSystem { + "pi4" = pi4-nixpkgs.lib.nixosSystem { system = "aarch64-linux"; modules = [ - nixos-hardware.nixosModules.raspberry-pi-4 - impermanence.nixosModules.impermanence + pi4-nixos-hardware.nixosModules.raspberry-pi-4 + pi4-impermanence.nixosModules.impermanence ./hosts/pi4/configuration.nix - sops-nix.nixosModules.sops + pi4-sops-nix.nixosModules.sops - home-manager.nixosModules.home-manager + pi4-home-manager.nixosModules.home-manager { home-manager.useGlobalPkgs = true; home-manager.useUserPackages = true; 
@@ -233,17 +333,17 @@ ]; }; - "steamdeck" = nixpkgs-unstable.lib.nixosSystem { + "steamdeck" = steamdeck-nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs = { inherit inputs outputs; }; modules = [ - impermanence.nixosModules.impermanence - lanzaboote.nixosModules.lanzaboote + steamdeck-impermanence.nixosModules.impermanence + steamdeck-lanzaboote.nixosModules.lanzaboote ./hosts/deck/configuration.nix ./share/impermanence - home-manager.nixosModules.home-manager + steamdeck-home-manager.nixosModules.home-manager { home-manager.useGlobalPkgs = true; home-manager.useUserPackages = true; 
@@ -252,41 +352,41 @@ { imports = [ ./hosts/deck/home.nix - steam-rom-manager.homeManagerModules.default + steamdeck-steam-rom-manager.homeManagerModules.default ]; }; home-manager.backupFileExtension = "backup"; } - nixos-hardware.nixosModules.common-cpu-amd - nixos-hardware.nixosModules.common-gpu-amd - nixos-hardware.nixosModules.common-hidpi - nixos-hardware.nixosModules.common-pc + steamdeck-nixos-hardware.nixosModules.common-cpu-amd + steamdeck-nixos-hardware.nixosModules.common-gpu-amd + steamdeck-nixos-hardware.nixosModules.common-hidpi + steamdeck-nixos-hardware.nixosModules.common-pc - sops-nix.nixosModules.sops + steamdeck-sops-nix.nixosModules.sops - jovian.nixosModules.jovian + steamdeck-jovian.nixosModules.jovian - chaotic.nixosModules.default + steamdeck-chaotic.nixosModules.default ]; }; # home assistant - "jallen-hass" = nixpkgs-unstable.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ - impermanence.nixosModules.impermanence - ./hosts/homeassistant/configuration.nix - sops-nix.nixosModules.sops + # "jallen-hass" = nixpkgs-unstable.lib.nixosSystem { + # system = "x86_64-linux"; + # modules = [ + # impermanence.nixosModules.impermanence + # ./hosts/homeassistant/configuration.nix + # sops-nix.nixosModules.sops - home-manager.nixosModules.home-manager - { - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; - home-manager.users.hass-admin = import ./hosts/homeassistant/home.nix; - } - ]; - }; + # home-manager.nixosModules.home-manager + # { + # home-manager.useGlobalPkgs = true; + # home-manager.useUserPackages = true; + # home-manager.users.hass-admin = import ./hosts/homeassistant/home.nix; + # } + # ]; + # }; }; darwinConfigurations = { @@ -294,7 +394,7 @@ system = "aarch64-darwin"; modules = [ ./hosts/mac/configuration.nix - home-manager.darwinModules.home-manager + desktop-home-manager.darwinModules.home-manager { home-manager.useGlobalPkgs = true; home-manager.useUserPackages = true; 
@@ -307,7 +407,7 @@
 # Improved build-all app
 apps.x86_64-linux.build-all = let
- pkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
+ pkgs = nas-nixpkgs.legacyPackages.x86_64-linux;
 in { type = "app";
@@ -395,7 +495,7 @@
 # You could also provide a separate script that only lists systems
 apps.x86_64-linux.list-systems = let
- pkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
+ pkgs = nas-nixpkgs.legacyPackages.x86_64-linux;
 in { type = "app";
diff --git a/hosts/deck/configuration.nix b/hosts/deck/configuration.nix
index 24196cd..ca11fd0 100755
--- a/hosts/deck/configuration.nix
+++ b/hosts/deck/configuration.nix
@@ -108,6 +108,11 @@
 vulkan-loader
 ];
+ nix-index = {
+ enable = true;
+ enableBashIntegration = true;
+ enableZshIntegration = true;
+ };
 };
 services = {
diff --git a/hosts/deck/home.nix b/hosts/deck/home.nix
index d166ad3..dec0c86 100755
--- a/hosts/deck/home.nix
+++ b/hosts/deck/home.nix
@@ -86,8 +86,6 @@ in
 };
 };
- programs.command-not-found.enable = true;
 home.packages = with pkgs; [
 age
 apple-cursor
diff --git a/hosts/desktop/configuration.nix b/hosts/desktop/configuration.nix
index 51fd816..fdc1b63 100755
--- a/hosts/desktop/configuration.nix
+++ b/hosts/desktop/configuration.nix
@@ -67,6 +67,11 @@ in
 programs = {
 gamemode.enable = true;
 coolercontrol.enable = true;
+ nix-index = {
+ enable = true;
+ enableBashIntegration = true;
+ enableZshIntegration = true;
+ };
 };
 # Configure environment
diff --git a/hosts/desktop/home.nix b/hosts/desktop/home.nix
index 0ef7030..a83141f 100755
--- a/hosts/desktop/home.nix
+++ b/hosts/desktop/home.nix
@@ -47,7 +47,6 @@ in
 fish.enable = false;
 mangohud.enable = true;
 java.enable = true;
- command-not-found.enable = true;
 home-manager.enable = true;
 zsh = {
diff --git a/hosts/nas/apps/nextcloud/default.nix b/hosts/nas/apps/nextcloud/default.nix
index 5c0f596..8467810 100755
--- a/hosts/nas/apps/nextcloud/default.nix
+++ b/hosts/nas/apps/nextcloud/default.nix
@@ -1,10 +1,10 @@
 { config, pkgs, ... }:
 let
 adminpass = config.sops.secrets."jallen-nas/nextcloud/adminpassword".path;
- smtppassword = "egzo mltu kkoc hrfe";#builtins.readFile config.sops.secrets."jallen-nas/nextcloud/smtppassword".path;
+ secretsFile = config.sops.secrets."jallen-nas/nextcloud/smtp_settings".path;
 nextcloudUserId = config.users.users.nix-apps.uid;
 nextcloudGroupId = config.users.groups.jallen-nas.gid;
- nextcloudPackage = pkgs.unstable.nextcloud30;
+ nextcloudPackage = pkgs.unstable.nextcloud31;
 in
 {
 containers.nextcloud = {
@@ -60,6 +60,7 @@ in
 configureRedis = true;
 enableImagemagick = true;
 https = true;
+ secretFile = secretsFile;
 config = {
 adminuser = "mjallen";
@@ -85,16 +86,6 @@ in
 trusted_proxies = [ "10.0.1.18" ];
 maintenance_window_start = 6;
 default_phone_region = "US";
- mail_from_address = "matt.l.jallen";
- mail_smtpmode = "smtp";
- mail_sendmailmode = "smtp";
- mail_domain = "gmail.com";
- mail_smtpauth = 1;
- mail_smtpname = "matt.l.jallen";
- mail_smtppassword = smtppassword;
- mail_smtpsecure = "ssl";
- mail_smtphost = "smtp.gmail.com";
- mail_smtpport = 465;
 enable_previews = true;
 enabledPreviewProviders = [
 "OC\\Preview\\PNG"
diff --git a/hosts/nas/apps/ollama/default.nix b/hosts/nas/apps/ollama/default.nix
index efdf5d7..b4ef361 100755
--- a/hosts/nas/apps/ollama/default.nix
+++ b/hosts/nas/apps/ollama/default.nix
@@ -45,7 +45,7 @@ in
 };
 services.open-webui = {
- enable = true;
+ enable = false;
 host = "0.0.0.0";
 port = 8888;
 openFirewall = true;
diff --git a/hosts/nas/apps/paperless/default.nix b/hosts/nas/apps/paperless/default.nix
index 5ef0d0e..7271e65 100755
--- a/hosts/nas/apps/paperless/default.nix
+++ b/hosts/nas/apps/paperless/default.nix
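Review bot: The removed `smtppassword = "egzo mltu kkoc hrfe";` line was a plaintext mail credential committed to the repository, and deleting it from the working tree does not remove it from history, so it should be treated as exposed and rotated at the provider regardless of the move to `secretFile`. On the new side, `services.nextcloud.secretFile` is, as far as I recall, read as JSON and merged into config.php in the same shape as `settings`, so the decrypted `jallen-nas/nextcloud/smtp_settings` value must be a JSON object carrying the `mail_*` keys this hunk deletes, and that expectation deserves a comment next to `secretFile = secretsFile;`, e.g. `# JSON object of mail_* options; merged into config.php by the nextcloud module`. Because this is a `containers.nextcloud` definition, the host path in `secretsFile` also has to be bind-mounted into the container and be readable by the uid the container's Nextcloud runs as; the bind-mount section of this file is outside the hunk so I cannot confirm it, but the paperless change in this commit shows the pattern. The `containers.nextcloud` set continues past the last hunk.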
@@ -7,10 +7,8 @@ let
 paperlessPort = 28981;
 paperlessUserId = config.users.users.nix-apps.uid;
 paperlessGroupId = config.users.groups.jallen-nas.gid;
- paperlessSecret = config.sops.templates."paperless-secret".content;
- clientId = config.sops.templates."paperless-client-id".content;
- clientSecret = config.sops.templates."paperless-client-secret".content;
- paperlessPkg = pkgs.stable.paperless-ngx;
+ paperlessEnv = config.sops.templates."paperless.env".path;
+ paperlessPkg = pkgs.paperless-ngx;
 in
 {
 containers.paperless = {
@@ -35,13 +33,7 @@ in
 user = "paperless";
 address = "0.0.0.0";
 passwordFile = "/var/lib/paperless/paperless-password";
- settings = {
- PAPERLESS_URL = "https://paperless.jallen.dev";
- PAPERLESS_SECRET = paperlessSecret;
- PAPERLESS_ENABLE_ALLAUTH = true;
- PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
- PAPERLESS_SOCIALACCOUNT_PROVIDERS = ''{"openid_connect":{"OAUTH_PKCE_ENABLED":true,"APPS":[{"provider_id":"authentik","name":"authentik","client_id":"${clientId}","secret":"${clientSecret}","settings":{"server_url":"https://authentik.mjallen.dev/application/o/paperless/.well-known/openid-configuration"}}]}}'';
- };
+ environmentFile = paperlessEnv;
 };
 # Create required users and groups
@@ -87,6 +79,11 @@ in
 hostPath = "/media/nas/ssd/nix-app-data/paperless";
 isReadOnly = false;
 };
+ secrets = {
+ hostPath = "/run/secrets/jallen-nas/paperless";
+ isReadOnly = true;
+ mountPoint = "/run/secrets/jallen-nas/paperless";
+ };
 };
 };
diff --git a/hosts/nas/configuration.nix b/hosts/nas/configuration.nix
index 76e09e4..a432238 100755
--- a/hosts/nas/configuration.nix
+++ b/hosts/nas/configuration.nix
@@ -93,6 +93,7 @@
 qrencode
 rcon
 sbctl
+ sops
 speedtest-cli
 tailscale
 tigervnc
@@ -117,6 +118,11 @@
 enable = true;
 nvidiaSupport = true;
 };
+ nix-index = {
+ enable = true;
+ enableBashIntegration = true;
+ enableZshIntegration = true;
+ };
 };
 hardware.fancontrol = {
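Review bot: `environmentFile = paperlessEnv;` resolves to `config.sops.templates."paperless.env".path`, but the new `secrets` bind mount only exposes `/run/secrets/jallen-nas/paperless` inside the container, and sops-nix renders templates under its separate rendered-secrets directory (`/run/secrets/rendered/` by default, if I recall correctly) rather than under the per-secret tree, so the container is unlikely to see the env file at all. Either give the template an explicit `path` below the mounted directory in `hosts/nas/sops.nix`, or bind-mount the rendered path instead of the raw secrets directory. With the template carrying the values, the raw `paperless/secret` and `authentik-client-*` files are no longer read by the container, so the mount can be narrowed to just the env file; a comment on the `secrets` mount naming which file the container actually consumes would make that explicit. The `containers.paperless` set continues outside the hunk.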
diff --git a/hosts/nas/home.nix b/hosts/nas/home.nix
index 276d0f9..435c7a5 100755
--- a/hosts/nas/home.nix
+++ b/hosts/nas/home.nix
@@ -61,7 +61,6 @@ in
 programs = {
 home-manager.enable = true;
- command-not-found.enable = true;
 fish.enable = false;
 mangohud.enable = true;
 java.enable = true;
diff --git a/hosts/nas/nix-serve.nix b/hosts/nas/nix-serve.nix
index 2b1b6a9..90fd32f 100755
--- a/hosts/nas/nix-serve.nix
+++ b/hosts/nas/nix-serve.nix
@@ -67,7 +67,4 @@
 RandomizedDelaySec = "1h"; # Spread load
 };
 };
-
- # Monitor the cache service
- services.prometheus.exporters.node.enabledCollectors = [ "systemd" ];
 }
\ No newline at end of file
diff --git a/hosts/nas/sops.nix b/hosts/nas/sops.nix
index bc83816..497748b 100755
--- a/hosts/nas/sops.nix
+++ b/hosts/nas/sops.nix
@@ -1,6 +1,6 @@
 { config, ... }:
 let
- user = "admin";
+ user = "nix-apps";
 in
 {
 # Permission modes are in octal representation (same as chmod),
@@ -19,7 +19,7 @@ in
 # It is recommended to get the group name from `config.users.users..group` to avoid misconfiguration
 sops = {
 defaultSopsFile = ../../secrets/secrets.yaml;
- sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 # ------------------------------
 # Secrets
@@ -34,7 +34,12 @@ in
 "wifi" = { };
 "jallen-nas/ups_password" = {
 mode = "0777";
- # restartUnits = [ "ups stuff lol" ];
+ restartUnits = [
+ "upsdrv.service"
+ "upsd.service"
+ "ups-killpower.service"
+ "upsmon.service"
+ ];
 };
 "jallen-nas/collabora" = {
 restartUnits = [ "podman-collabora.service" ];
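Review bot: `mode = "0777";` on `jallen-nas/ups_password` — a context line this hunk edits around — leaves the decrypted UPS password readable by every local user and process on the host, which is exactly what the file's header comment about chmod-style modes is cautioning against. Whichever user the newly listed `upsdrv.service`, `upsd.service`, `ups-killpower.service` and `upsmon.service` units run as (I cannot tell from here), the pattern used for the nextcloud entries later in this file applies: `mode = "0640";` plus `owner`/`group` set to that user, or `0600` if a single uid is the only reader. The `sops.secrets` attribute set continues outside the hunk.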
@@ -46,13 +51,22 @@ in
 restartUnits = [ "podman-mariadb.service" ];
 };
 "jallen-nas/nextcloud/dbpassword" = {
- restartUnits = [ "podman-nextcloud.service" ];
+ mode = "0650";
+ owner = config.users.users."${user}".name;
+ group = config.users.users."${user}".group;
+ restartUnits = [ "container@nextcloud.service" ];
 };
 "jallen-nas/nextcloud/adminpassword" = {
- restartUnits = [ "podman-nextcloud.service" ];
+ mode = "0650";
+ owner = config.users.users."${user}".name;
+ group = config.users.users."${user}".group;
+ restartUnits = [ "container@nextcloud.service" ];
 };
- "jallen-nas/nextcloud/smtppassword" = {
- restartUnits = [ "podman-nextcloud.service" ];
+ "jallen-nas/nextcloud/smtp_settings" = {
+ mode = "0650";
+ owner = config.users.users."${user}".name;
+ group = config.users.users."${user}".group;
+ restartUnits = [ "container@nextcloud.service" ];
 };
 "jallen-nas/manyfold/secretkeybase" = {
 restartUnits = [ "podman-manyfold.service" ];
@@ -87,18 +101,12 @@ in
 "jallen-nas/paperless/secret" = {
 restartUnits = [ "container@paperless.service" ];
 };
- secrets."jallen-nas/paperless/authentik-client-id" = {
+ "jallen-nas/paperless/authentik-client-id" = {
 restartUnits = [ "container@paperless.service" ];
 };
 "jallen-nas/paperless/authentik-client-secret" = {
 restartUnits = [ "container@paperless.service" ];
 };
- "jallen-nas/nextcloud/dbpassword" = {
- mode = "0777";
- };
- "jallen-nas/nextcloud/adminpassword" = {
- mode = "0777";
- };
 "ssh-keys-public/jallen-nas-root" = {
 path = "/root/.ssh/id_ed25519.pub";
 mode = "0600";
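Review bot: `mode = "0650";` on the three nextcloud entries in this hunk (and again on the `paperless.env` template in the next hunk) sets the group execute bit, which is meaningless for a regular secret file; `mode = "0640";` expresses the intent. Since `owner` is `nix-apps` and `group` is that user's primary group, the group bits grant read access to every member of that group on the host rather than only to the container; if the container's Nextcloud user is the sole consumer (the nextcloud file sets `nextcloudUserId = config.users.users.nix-apps.uid`, presumably to map it onto this uid), `0600` is sufficient and tighter. Both `sops.secrets` hunks sit inside an attribute set that begins and ends outside this hunk.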
@@ -136,19 +144,21 @@ in
 mode = "0600";
 };
 };
+
 templates = {
- "nextcloud-smtp".content = ''
- ${config.sops.secrets."jallen-nas/nextcloud/smtppassword"}
- '';
- "paperless-secret".content = ''
- ${config.sops.secrets."jallen-nas/paperless/secret".path}
- '';
- "paperless-client-id".content = ''
- ${config.sops.secrets."jallen-nas/paperless/authentik-client-id".path}
- '';
- "paperless-client-secret".content = ''
- ${config.sops.secrets."jallen-nas/paperless/authentik-client-secret".path}
- '';
+ "paperless.env" = {
+ content = ''
+ PAPERLESS_URL = "https://paperless.jallen.dev"
+ PAPERLESS_SECRET = ${config.sops.placeholder."jallen-nas/paperless/secret"}
+ PAPERLESS_ENABLE_ALLAUTH = true
+ PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect"
+ PAPERLESS_SOCIALACCOUNT_PROVIDERS = {"openid_connect":{"OAUTH_PKCE_ENABLED":true,"APPS":[{"provider_id":"authentik","name":"authentik","client_id":"${config.sops.placeholder."jallen-nas/paperless/authentik-client-id"}","secret":"${config.sops.placeholder."jallen-nas/paperless/authentik-client-secret"}","settings":{"server_url":"https://authentik.mjallen.dev/application/o/paperless/.well-known/openid-configuration"}}]}}
+ '';
+ mode = "0650";
+ owner = config.users.users."${user}".name;
+ group = config.users.users."${user}".group;
+ restartUnits = [ "container@paperless.service" ];
+ };
 };
 };
 }
diff --git a/hosts/pi4/configuration.nix b/hosts/pi4/configuration.nix
index cee62d8..b8abc40 100755
--- a/hosts/pi4/configuration.nix
+++ b/hosts/pi4/configuration.nix
@@ -8,7 +8,7 @@ let
 user = "matt";
 password = "$y$j9T$EkPXmsmIMFFZ.WRrBYCxS1$P0kwo6e4.WM5DsqUcEqWC3MrZp5KfCjxffraMFZWu06";
 SSID = "Joey's Jungle 5G";
- SSIDpassword = ""; # config.sops.templates."wifi-password".content;
+ wifiSecrets = config.sops.secrets."wifi-password".path;
 interface = "wlan0";
 timezone = "America/Chicago";
 hostname = "pi4";
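Review bot: `wifiSecrets = config.sops.secrets."wifi-password".path;` looks up a secret named `wifi-password`, but the `hosts/pi4/sops.nix` hunk in this same commit declares only `secrets."wifi"` and removes the old `wifi-password` template, so this attribute access should fail at evaluation time unless `wifi-password` is declared elsewhere; `config.sops.secrets."wifi".path` matches what is actually declared. The `password = "$y$j9T$…"` context line is a password hash committed to the repository; it is not a plaintext leak, but anyone with read access to the repo can attempt offline guessing against it, and `users.users.<name>.hashedPasswordFile` pointing at a sops secret would keep it out of the tree. The `let` block continues outside the hunk.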
@@ -82,7 +82,8 @@ in
 hostName = hostname;
 wireless = {
 enable = false;
- networks."${SSID}".psk = SSIDpassword;
+ secretsFile = wifiSecrets;
+ networks."${SSID}".psk = "ext:PSK";
 interfaces = [ interface ];
 };
@@ -124,6 +125,12 @@ in
 services.openssh.enable = true;
+ programs.nix-index = {
+ enable = true;
+ enableBashIntegration = true;
+ enableZshIntegration = true;
+ };
+
 users = {
 mutableUsers = false;
 users."${user}" = {
diff --git a/hosts/pi4/home.nix b/hosts/pi4/home.nix
index 5727d3d..1b4ae0c 100755
--- a/hosts/pi4/home.nix
+++ b/hosts/pi4/home.nix
@@ -25,12 +25,47 @@ in
 home.username = "matt";
 home.homeDirectory = "/home/matt";
 home.stateVersion = "23.11";
- programs.home-manager.enable = true;
+
+ sops = {
+ age.keyFile = "/home/admin/.config/sops/age/keys.txt";
+ defaultSopsFile = "/etc/nixos/secrets/secrets.yaml";
+ validateSopsFiles = false;
+ secrets = {
+ "ssh-keys-public/pi4" = {
+ path = "/home/admin/.ssh/id_ed25519.pub";
+ mode = "0644";
+ };
+ "ssh-keys-private/pi4" = {
+ path = "/home/admin/.ssh/id_ed25519";
+ mode = "0600";
+ };
+ "ssh-keys-public/desktop-nixos" = {
+ path = "/home/admin/.ssh/authorized_keys";
+ mode = "0600";
+ };
+
+ "ssh-keys-public/desktop-nixos-root" = {
+ path = "/home/admin/.ssh/authorized_keys2";
+ mode = "0600";
+ };
+
+ "ssh-keys-public/desktop-windows" = {
+ path = "/home/admin/.ssh/authorized_keys3";
+ mode = "0600";
+ };
+
+ "ssh-keys-public/macbook-macos" = {
+ path = "/home/admin/.ssh/authorized_keys4";
+ mode = "0600";
+ };
+ };
+ };
 programs = {
 fish.enable = false;
 mangohud.enable = true;
 java.enable = true;
+ home-manager.enable = true;
 zsh = {
 enable = true;
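Review bot: `networks."${SSID}".psk = "ext:PSK";` together with `secretsFile = wifiSecrets;` relies on the `networking.wireless.secretsFile` format, which as I recall is a file of `name=value` lines where `ext:PSK` resolves the variable named `PSK`; the old template wrapped the secret, but `wifiSecrets` now points at the raw decrypted sops value, so that value has to be stored as a `PSK=<passphrase>` line rather than the bare passphrase or wpa_supplicant will fail to resolve it. With `enable = false;` still in place the block is inert today, which means the mismatch would only surface when Wi-Fi is switched on; a comment on the `psk` line would prevent that, e.g. `# secretsFile must contain a line of the form PSK=<passphrase> (networking.wireless.secretsFile)`. The `wireless` set is fully inside the hunk; the enclosing `networking` set is not.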
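Review bot: This home-manager module targets user `matt` (`home.username = "matt";`, `home.homeDirectory = "/home/matt";`), yet every `sops` path added here writes under `/home/admin/.ssh/` and `age.keyFile` reads `/home/admin/.config/sops/age/keys.txt`; unless this file is also imported for an `admin` user, activation will either fail on permissions or write one user's SSH material into another user's home. Separately, `authorized_keys2`, `authorized_keys3` and `authorized_keys4` are not consulted by sshd unless `services.openssh.authorizedKeysFiles` lists them (recent NixOS defaults to `%h/.ssh/authorized_keys` and `/etc/ssh/authorized_keys.d/%u`, as far as I recall), so the `desktop-nixos-root`, `desktop-windows` and `macbook-macos` keys placed there grant no access; render them into a single `authorized_keys` with a sops template, or declare them via `users.users.<name>.openssh.authorizedKeys.keys` in the NixOS configuration. The module's top-level attribute set begins and ends outside the hunk.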
@@ -45,15 +80,13 @@ in
 plugins = [ "git" ];
 theme = "fishy";
 };
+
+ git = {
+ enable = true;
+ userName = "mjallen18";
+ userEmail = "matt.l.jallen@gmail.com";
+ aliases = gitAliases;
+ };
 };
 };
-
- programs.git = {
- enable = true;
- userName = "mjallen18";
- userEmail = "matt.l.jallen@gmail.com";
- aliases = gitAliases;
- };
-
- programs.command-not-found.enable = true;
 }
diff --git a/hosts/pi4/sops.nix b/hosts/pi4/sops.nix
index d091512..9ef696c 100755
--- a/hosts/pi4/sops.nix
+++ b/hosts/pi4/sops.nix
@@ -1,10 +1,11 @@
-{ config, ... }:
+{ ... }:
 {
- sops.defaultSopsFile = ../../secrets/secrets.yaml;
- sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ sops = {
+ defaultSopsFile = ../../secrets/secrets.yaml;
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
- sops.secrets."wifi" = { };
- sops.templates."wifi-password".content = ''
- ${config.sops.secrets."wifi".path}
- '';
+ secrets = {
+ "wifi" = { };
+ };
+ };
 }
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index cfbdf9b..62d4f45 100755
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -11,7 +11,7 @@ jallen-nas: nextcloud: dbpassword: ENC[AES256_GCM,data:Xu92h2psR4jAJDM=,iv:UsJD1zq9Uy0Exxk58nkyPGyI8m2BOuvr2DK843h5pSk=,tag:k4MvHT8BoahCf9ZxQw8ovA==,type:str] adminpassword: ENC[AES256_GCM,data:y4PXSbrAAw3A6cg=,iv:10Dm3IYqKJz2FNRteauuYSKXCHE2IKHv4ytidUvblXA=,tag:OAsZ69s4g2p0JEenLbkXdA==,type:str] - smtppassword: ENC[AES256_GCM,data:AIn3HJ3oX90nzcmSLSIeizqL1w==,iv:EyIgk3mxJ1Pn9Gff6ia6c2ekreSFGUWDbLrtC/meMyI=,tag:LvkT98sSOVDV+mxMyJKnbQ==,type:str] + smtp_settings: ENC[AES256_GCM,data:JCbXCQwJtTFgHeLTIJ2ZNWwOreZV3uKWl9qNvE9uQcOULToZDWLQoOGyuGzl7Xlb2yyLiaYYlOFRV9bbbfjBljz+4I9b6cw0dNdhaKg3CpUzdFqRq3dvi4zCy/HEf1Rp/ccU92JelYkfP9S3yNdYq3i+52kr98g5F722ktDC79RiRtJJ44CRff5NBYnDJdGa5OWBf7yPW/5xsX7oqaDI/3yzYTbPGImnQkYfG0GUFP3tRVul0EM++0UoOTcKXEUvolAc0Ij672ONYm+ZqJp8wckouZu2Gae1AK0DficffiZfy4jI1obJPPkQYzoPBWSr7UU9s8PC7zsx2o8OklWZu2LqFxzd1J59qCfIhHrbz2N8OeJhwD+nySrKj1jPdz5amXJT1b4xHE4/YJg7LJmsAYmbEH6OH4928CqYLLwJcaZeVZ6EmeDT,iv:GLy1n7lun9OaOgQJw607moJQwWf4PuD9kUONJOjXuXQ=,tag:AqRJnISyoRkA6I/prZoQpg==,type:str] onlyoffice-key: ENC[AES256_GCM,data:htJ+CEyeHgdxbOGKT5SFPaQeFYw0vw==,iv:J/yl1vYx4As8TwpgNYkeiZZixXzHMFeF0/D3zY+MmIc=,tag:wdc8hRLs+qWpVhwGsvSqZg==,type:str] manyfold: secretkeybase: ENC[AES256_GCM,data:b+fgTrtnZcp34DOQ0dtKc6bX6/dm9j0o3QJr,iv:e4hOwgTFCXVokGqhwKsYHt5IQgtaKcMmEqvDoMly5aI=,tag:E8gFiOuozA4T1mmcgXfbDg==,type:str] 
@@ -135,8 +135,8 @@ sops: TWRvYVZ5eklJQU81SzBVZ1BBbENuTkEKwMTa1cAH3sNm2npVhQ/dDl5M7Q8T3vOx 9slEt5EVUgqaJVhVr9AM9aAhghWJa5i5+Eh628C6p53XFxrO+6zUYA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-03-19T20:25:49Z" - mac: ENC[AES256_GCM,data:/zHLzU9mnf5wJTzQ6xxyBKTOLmVrn68F3V+B8rJz/nFLjGfFxlLvkTLdYfgJ0RDR71wqe/s2Y3cqsMqb09X+YAxL/COJfTNaF+CF73Yhyxjm5bWlPLKzWQkx78awBKh0bldgcUMZoqpaKBT5N5FjQoRrkQX2tILbLkuwLZglUW8=,iv:a7JlujcKqrUxF7PSeHfpIAt3GKRk+MI2zbtLMO0N4dY=,tag:AKuFkKDcqaYQbtZF2YVWUA==,type:str] + lastmodified: "2025-03-19T23:13:06Z" + mac: ENC[AES256_GCM,data:9T5Q5sPNGfYgJ53RHMsWCTRCszfu9JYBQGsSAR6JrREt5gnl9XALknUqhs1+NjOanRguX4C0R1d7XDCMMZi8WU4+TiQk1MzlEMS5CDX4YGKm/hUY2e1PqW9FU2mjMqsgmh1ak7B51q6mNdOShtxvRjaLf8TLY4Aps6Z0XsnPZgE=,iv:VyYeNwCN3k6czVZ3Pw829W2ezQ1hONe9gDrodTEggWE=,tag:pkHvPBH4DT2z7l8kEz7LrQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.4