mjallen18
2025-03-19 20:19:38 -05:00
parent 6b43ce5ddd
commit e0713e0ba0
18 changed files with 353 additions and 205 deletions


@@ -1,4 +1,4 @@
# See https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml # See https://github.com/Mic92/dotfiles/blob/d6114726d859df36ccaa32891c4963ae5717ef7f/nixos/.sops.yaml
keys: keys:
- &matt age157jemphjzg6zmk373vpccuguyw6e75qnkqmz8pcnn2yue85p939swqqhy0 - &matt age157jemphjzg6zmk373vpccuguyw6e75qnkqmz8pcnn2yue85p939swqqhy0
- &matt_pi4 age13g9a4d4jrvckfddpgn8sm4kjtzajr67le56pfdg78ktr5pd09phq32j89u - &matt_pi4 age13g9a4d4jrvckfddpgn8sm4kjtzajr67le56pfdg78ktr5pd09phq32j89u

2
flake.lock generated

@@ -810,7 +810,7 @@
"sops-nix": { "sops-nix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs-stable" "nixpkgs-unstable"
] ]
}, },
"locked": { "locked": {

348
flake.nix

@@ -2,111 +2,211 @@
description = "flake for matt-nixos"; description = "flake for matt-nixos";
inputs = { inputs = {
#####################################################
# Desktop #
#####################################################
# nixpgs # nixpgs
nixpkgs-unstable = { desktop-nixpkgs = {
url = "github:NixOS/nixpkgs/nixos-unstable"; url = "github:NixOS/nixpkgs/nixos-unstable";
}; };
# nixpkgs-unstable-small
nixpkgs-unstable-small = {
url = "github:NixOS/nixpkgs/nixos-unstable-small";
};
# nixpgs
nixpkgs-stable = {
url = "github:NixOS/nixpkgs/nixos-24.11";
};
# Authentik
authentik-nix = {
url = "github:nix-community/authentik-nix";
inputs.nixpkgs.follows = "nixpkgs-stable";
};
# Chaotic-nix # Chaotic-nix
chaotic = { desktop-chaotic = {
url = "github:chaotic-cx/nyx/nyxpkgs-unstable"; url = "github:chaotic-cx/nyx/nyxpkgs-unstable";
}; };
# Impermenance # cosmic launcher
impermanence = { desktop-cosmic = {
url = "github:nix-community/impermanence"; url = "github:lilyinstarlight/nixos-cosmic";
inputs.nixpkgs.follows = "desktop-nixpkgs";
}; };
# Home Manager # Home Manager
home-manager = { desktop-home-manager = {
url = "github:nix-community/home-manager"; url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs-unstable"; inputs.nixpkgs.follows = "desktop-nixpkgs";
}; };
home-manager-stable = { # Impermenance
url = "github:nix-community/home-manager/release-24.11"; desktop-impermanence = {
inputs.nixpkgs.follows = "nixpkgs-stable"; url = "github:nix-community/impermanence";
}; };
# Lanzaboote # Lanzaboote
lanzaboote = { desktop-lanzaboote = {
url = "github:nix-community/lanzaboote/v0.4.2"; url = "github:nix-community/lanzaboote/v0.4.2";
inputs.nixpkgs.follows = "nixpkgs-unstable"; inputs.nixpkgs.follows = "desktop-nixpkgs";
}; };
# Nix hardware # Nix hardware
nixos-hardware.url = "github:NixOS/nixos-hardware/master"; desktop-nixos-hardware = {
url = "github:NixOS/nixos-hardware/master";
# Sops-nix inputs.nixpkgs.follows = "desktop-nixpkgs";
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs-stable";
}; };
crowdsec = { # Sops-nix
desktop-sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "desktop-nixpkgs";
};
# steam rom manager
desktop-steam-rom-manager = {
url = "github:mjallen18/nix-steam-rom-manager";
inputs.nixpkgs.follows = "desktop-nixpkgs";
inputs.home-manager.follows = "desktop-home-manager";
};
#####################################################
# NAS #
#####################################################
# nixpgs
nas-nixpkgs = {
url = "github:NixOS/nixpkgs/nixos-unstable";
};
# Authentik
nas-authentik-nix = {
url = "github:nix-community/authentik-nix";
inputs.nixpkgs.follows = "nas-nixpkgs";
};
# crowdsec
nas-crowdsec = {
url = "git+https://codeberg.org/kampka/nix-flake-crowdsec.git"; url = "git+https://codeberg.org/kampka/nix-flake-crowdsec.git";
inputs.nixpkgs.follows = "nixpkgs-stable"; inputs.nixpkgs.follows = "nixpkgs-stable";
}; };
#Apple # Home Manager
nix-darwin = { nas-home-manager = {
url = "github:LnL7/nix-darwin"; url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nas-nixpkgs";
};
# Impermenance
nas-impermanence = {
url = "github:nix-community/impermanence";
};
# Nix hardware
nas-nixos-hardware = {
url = "github:NixOS/nixos-hardware/master";
inputs.nixpkgs.follows = "nas-nixpkgs";
};
# Sops-nix
nas-sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs-unstable"; inputs.nixpkgs.follows = "nixpkgs-unstable";
}; };
#####################################################
# Steamdeck #
#####################################################
# nixpgs
steamdeck-nixpkgs = {
url = "github:NixOS/nixpkgs/nixos-unstable";
};
# Joviain for steamdeck # Joviain for steamdeck
jovian = { steamdeck-jovian = {
url = "github:Jovian-Experiments/Jovian-NixOS"; url = "github:Jovian-Experiments/Jovian-NixOS";
inputs.nixpkgs.follows = "nixpkgs-unstable"; inputs.nixpkgs.follows = "steamdeck-nixpkgs";
}; };
steam-rom-manager = { # Chaotic-nix
url = "github:mjallen18/nix-steam-rom-manager"; steamdeck-chaotic = {
inputs.nixpkgs.follows = "nixpkgs-unstable"; url = "github:chaotic-cx/nyx/nyxpkgs-unstable";
inputs.home-manager.follows = "home-manager";
}; };
cosmic = { # Impermenance
url = "github:lilyinstarlight/nixos-cosmic"; steamdeck-impermanence = {
inputs.nixpkgs.follows = "nixpkgs-unstable"; url = "github:nix-community/impermanence";
};
# Home Manager
steamdeck-home-manager = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "steamdeck-nixpkgs";
};
# Lanzaboote
steamdeck-lanzaboote = {
url = "github:nix-community/lanzaboote/v0.4.2";
inputs.nixpkgs.follows = "steamdeck-nixpkgs";
};
# Sops-nix
steamdeck-sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "steamdeck-nixpkgs";
};
# Nix hardware
steamdeck-nixos-hardware = {
url = "github:NixOS/nixos-hardware/master";
inputs.nixpkgs.follows = "steamdeck-nixpkgs";
};
#####################################################
# MacBook #
#####################################################
#Apple
nix-darwin = {
url = "github:LnL7/nix-darwin";
inputs.nixpkgs.follows = "desktop-nixpkgs";
}; };
}; };
outputs = outputs =
{ {
self, self,
nixpkgs-unstable,
nixpkgs-unstable-small, # Desktop
nixpkgs-stable, desktop-nixpkgs,
chaotic, desktop-chaotic,
lanzaboote, desktop-cosmic,
impermanence, desktop-home-manager,
home-manager, desktop-impermanence,
home-manager-stable, desktop-lanzaboote,
nixos-hardware, desktop-nixos-hardware,
nix-darwin, desktop-sops-nix,
cosmic, desktop-steam-rom-manager,
authentik-nix,
sops-nix, # NAS
crowdsec, nas-nixpkgs,
jovian, nas-authentik-nix,
steam-rom-manager, nas-crowdsec,
nas-home-manager,
nas-impermanence,
nas-nixos-hardware,
nas-sops-nix,
# Pi4
pi4-nixpkgs,
pi4-home-manager,
pi4-impermanence,
pi4-nixos-hardware,
pi4-sops-nix,
# Steamdeck
steamdeck-nixpkgs,
steamdeck-chaotic,
steamdeck-home-manager,
steamdeck-impermanence,
steamdeck-jovian,
steamdeck-lanzaboote,
steamdeck-nixos-hardware,
steamdeck-sops-nix,
steamdeck-steam-rom-manager,
# MacBook
nix-darwin
}@inputs: }@inputs:
let let
inherit (self) outputs; inherit (self) outputs;
@@ -116,18 +216,18 @@
nixosConfigurations = { nixosConfigurations = {
# Desktop # Desktop
"matt-nixos" = nixpkgs-unstable.lib.nixosSystem { "matt-nixos" = desktop-nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = { specialArgs = {
inherit inputs outputs; inherit inputs outputs;
}; };
modules = [ modules = [
impermanence.nixosModules.impermanence desktop-impermanence.nixosModules.impermanence
lanzaboote.nixosModules.lanzaboote desktop-lanzaboote.nixosModules.lanzaboote
./hosts/desktop/configuration.nix ./hosts/desktop/configuration.nix
./share/impermanence ./share/impermanence
chaotic.nixosModules.default desktop-chaotic.nixosModules.default
home-manager.nixosModules.home-manager desktop-home-manager.nixosModules.home-manager
{ {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
@@ -136,8 +236,8 @@
{ {
imports = [ imports = [
./hosts/desktop/home.nix ./hosts/desktop/home.nix
steam-rom-manager.homeManagerModules.default desktop-steam-rom-manager.homeManagerModules.default
sops-nix.homeManagerModules.sops desktop-sops-nix.homeManagerModules.sops
]; ];
}; };
home-manager.users.root = home-manager.users.root =
@@ -145,34 +245,34 @@
{ {
imports = [ imports = [
./share/root-user ./share/root-user
sops-nix.homeManagerModules.sops desktop-sops-nix.homeManagerModules.sops
]; ];
}; };
home-manager.backupFileExtension = "backup"; home-manager.backupFileExtension = "backup";
} }
nixos-hardware.nixosModules.common-cpu-amd desktop-nixos-hardware.nixosModules.common-cpu-amd
nixos-hardware.nixosModules.common-gpu-amd desktop-nixos-hardware.nixosModules.common-gpu-amd
nixos-hardware.nixosModules.common-hidpi desktop-nixos-hardware.nixosModules.common-hidpi
nixos-hardware.nixosModules.common-pc desktop-nixos-hardware.nixosModules.common-pc
sops-nix.nixosModules.sops desktop-sops-nix.nixosModules.sops
# cosmic.nixosModules.default # desktop-cosmic.nixosModules.default
]; ];
}; };
# NAS # NAS
"jallen-nas" = nixpkgs-stable.lib.nixosSystem { "jallen-nas" = nas-nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = { specialArgs = {
inherit inputs outputs; inherit inputs outputs;
}; };
modules = [ modules = [
impermanence.nixosModules.impermanence nas-impermanence.nixosModules.impermanence
./hosts/nas/configuration.nix ./hosts/nas/configuration.nix
./hosts/nas/impermanence.nix ./hosts/nas/impermanence.nix
home-manager-stable.nixosModules.home-manager nas-home-manager.nixosModules.home-manager
{ {
home-manager.useGlobalPkgs = false; home-manager.useGlobalPkgs = false;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
@@ -181,7 +281,7 @@
{ {
imports = [ imports = [
./hosts/nas/home.nix ./hosts/nas/home.nix
sops-nix.homeManagerModules.sops nas-sops-nix.homeManagerModules.sops
]; ];
}; };
home-manager.users.root = home-manager.users.root =
@@ -189,42 +289,42 @@
{ {
imports = [ imports = [
./share/root-user ./share/root-user
sops-nix.homeManagerModules.sops nas-sops-nix.homeManagerModules.sops
]; ];
}; };
home-manager.backupFileExtension = "backup"; home-manager.backupFileExtension = "backup";
} }
authentik-nix.nixosModules.default nas-authentik-nix.nixosModules.default
sops-nix.nixosModules.sops nas-sops-nix.nixosModules.sops
crowdsec.nixosModules.crowdsec nas-crowdsec.nixosModules.crowdsec
crowdsec.nixosModules.crowdsec-firewall-bouncer nas-crowdsec.nixosModules.crowdsec-firewall-bouncer
( (
{ ... }: { ... }:
{ {
nixpkgs.overlays = [ crowdsec.overlays.default ]; nixpkgs.overlays = [ nas-crowdsec.overlays.default ];
} }
) )
nixos-hardware.nixosModules.common-pc nas-nixos-hardware.nixosModules.common-pc
nixos-hardware.nixosModules.common-cpu-amd nas-nixos-hardware.nixosModules.common-cpu-amd
nixos-hardware.nixosModules.common-hidpi nas-nixos-hardware.nixosModules.common-hidpi
]; ];
}; };
# Pi4 # Pi4
"pi4" = nixpkgs-unstable.lib.nixosSystem { "pi4" = pi4-nixpkgs.lib.nixosSystem {
system = "aarch64-linux"; system = "aarch64-linux";
modules = [ modules = [
nixos-hardware.nixosModules.raspberry-pi-4 pi4-nixos-hardware.nixosModules.raspberry-pi-4
impermanence.nixosModules.impermanence pi4-impermanence.nixosModules.impermanence
./hosts/pi4/configuration.nix ./hosts/pi4/configuration.nix
sops-nix.nixosModules.sops pi4-sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager pi4-home-manager.nixosModules.home-manager
{ {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
@@ -233,17 +333,17 @@
]; ];
}; };
"steamdeck" = nixpkgs-unstable.lib.nixosSystem { "steamdeck" = steamdeck-nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = { specialArgs = {
inherit inputs outputs; inherit inputs outputs;
}; };
modules = [ modules = [
impermanence.nixosModules.impermanence steamdeck-impermanence.nixosModules.impermanence
lanzaboote.nixosModules.lanzaboote steamdeck-lanzaboote.nixosModules.lanzaboote
./hosts/deck/configuration.nix ./hosts/deck/configuration.nix
./share/impermanence ./share/impermanence
home-manager.nixosModules.home-manager steamdeck-home-manager.nixosModules.home-manager
{ {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
@@ -252,41 +352,41 @@
{ {
imports = [ imports = [
./hosts/deck/home.nix ./hosts/deck/home.nix
steam-rom-manager.homeManagerModules.default steamdeck-steam-rom-manager.homeManagerModules.default
]; ];
}; };
home-manager.backupFileExtension = "backup"; home-manager.backupFileExtension = "backup";
} }
nixos-hardware.nixosModules.common-cpu-amd steamdeck-nixos-hardware.nixosModules.common-cpu-amd
nixos-hardware.nixosModules.common-gpu-amd steamdeck-nixos-hardware.nixosModules.common-gpu-amd
nixos-hardware.nixosModules.common-hidpi steamdeck-nixos-hardware.nixosModules.common-hidpi
nixos-hardware.nixosModules.common-pc steamdeck-nixos-hardware.nixosModules.common-pc
sops-nix.nixosModules.sops steamdeck-sops-nix.nixosModules.sops
jovian.nixosModules.jovian steamdeck-jovian.nixosModules.jovian
chaotic.nixosModules.default steamdeck-chaotic.nixosModules.default
]; ];
}; };
# home assistant # home assistant
"jallen-hass" = nixpkgs-unstable.lib.nixosSystem { # "jallen-hass" = nixpkgs-unstable.lib.nixosSystem {
system = "x86_64-linux"; # system = "x86_64-linux";
modules = [ # modules = [
impermanence.nixosModules.impermanence # impermanence.nixosModules.impermanence
./hosts/homeassistant/configuration.nix # ./hosts/homeassistant/configuration.nix
sops-nix.nixosModules.sops # sops-nix.nixosModules.sops
home-manager.nixosModules.home-manager # home-manager.nixosModules.home-manager
{ # {
home-manager.useGlobalPkgs = true; # home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; # home-manager.useUserPackages = true;
home-manager.users.hass-admin = import ./hosts/homeassistant/home.nix; # home-manager.users.hass-admin = import ./hosts/homeassistant/home.nix;
} # }
]; # ];
}; # };
}; };
darwinConfigurations = { darwinConfigurations = {
@@ -294,7 +394,7 @@
system = "aarch64-darwin"; system = "aarch64-darwin";
modules = [ modules = [
./hosts/mac/configuration.nix ./hosts/mac/configuration.nix
home-manager.darwinModules.home-manager desktop-home-manager.darwinModules.home-manager
{ {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
@@ -307,7 +407,7 @@
# Improved build-all app # Improved build-all app
apps.x86_64-linux.build-all = apps.x86_64-linux.build-all =
let let
pkgs = nixpkgs-unstable.legacyPackages.x86_64-linux; pkgs = nas-nixpkgs.legacyPackages.x86_64-linux;
in in
{ {
type = "app"; type = "app";
@@ -395,7 +495,7 @@
# You could also provide a separate script that only lists systems # You could also provide a separate script that only lists systems
apps.x86_64-linux.list-systems = apps.x86_64-linux.list-systems =
let let
pkgs = nixpkgs-unstable.legacyPackages.x86_64-linux; pkgs = nas-nixpkgs.legacyPackages.x86_64-linux;
in in
{ {
type = "app"; type = "app";
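Review bot: Several names on the new side of `flake.nix` do not resolve against the inputs visible in this hunk. `nas-crowdsec` keeps `inputs.nixpkgs.follows = "nixpkgs-stable";` and `nas-sops-nix` has `inputs.nixpkgs.follows = "nixpkgs-unstable";`, yet both of those inputs appear to be removed or renamed here, so the NAS secrets and CrowdSec modules would either fail to evaluate or be built against a nixpkgs other than the one the host uses; `inputs.nixpkgs.follows = "nas-nixpkgs";` matches the rest of the NAS block. The `outputs` argument set also names the `pi4-*` inputs and `steamdeck-steam-rom-manager`, for which no declaration is visible in `inputs`, and a pattern without `...` fails on a missing argument unless they are declared in a part of the file this page does not show. Old and new columns are merged in this rendering, so confirm each of these against the file itself.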


@@ -108,6 +108,11 @@
vulkan-loader vulkan-loader
]; ];
nix-index = {
enable = true;
enableBashIntegration = true;
enableZshIntegration = true;
};
}; };
services = { services = {


@@ -86,8 +86,6 @@ in
}; };
}; };
programs.command-not-found.enable = true;
home.packages = with pkgs; [ home.packages = with pkgs; [
age age
apple-cursor apple-cursor


@@ -67,6 +67,11 @@ in
programs = { programs = {
gamemode.enable = true; gamemode.enable = true;
coolercontrol.enable = true; coolercontrol.enable = true;
nix-index = {
enable = true;
enableBashIntegration = true;
enableZshIntegration = true;
};
}; };
# Configure environment # Configure environment


@@ -47,7 +47,6 @@ in
fish.enable = false; fish.enable = false;
mangohud.enable = true; mangohud.enable = true;
java.enable = true; java.enable = true;
command-not-found.enable = true;
home-manager.enable = true; home-manager.enable = true;
zsh = { zsh = {


@@ -1,10 +1,10 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
let let
adminpass = config.sops.secrets."jallen-nas/nextcloud/adminpassword".path; adminpass = config.sops.secrets."jallen-nas/nextcloud/adminpassword".path;
smtppassword = "egzo mltu kkoc hrfe";#builtins.readFile config.sops.secrets."jallen-nas/nextcloud/smtppassword".path; secretsFile = config.sops.secrets."jallen-nas/nextcloud/smtp_settings".path;
nextcloudUserId = config.users.users.nix-apps.uid; nextcloudUserId = config.users.users.nix-apps.uid;
nextcloudGroupId = config.users.groups.jallen-nas.gid; nextcloudGroupId = config.users.groups.jallen-nas.gid;
nextcloudPackage = pkgs.unstable.nextcloud30; nextcloudPackage = pkgs.unstable.nextcloud31;
in in
{ {
containers.nextcloud = { containers.nextcloud = {
@@ -60,6 +60,7 @@ in
configureRedis = true; configureRedis = true;
enableImagemagick = true; enableImagemagick = true;
https = true; https = true;
secretFile = secretsFile;
config = { config = {
adminuser = "mjallen"; adminuser = "mjallen";
@@ -85,16 +86,6 @@ in
trusted_proxies = [ "10.0.1.18" ]; trusted_proxies = [ "10.0.1.18" ];
maintenance_window_start = 6; maintenance_window_start = 6;
default_phone_region = "US"; default_phone_region = "US";
mail_from_address = "matt.l.jallen";
mail_smtpmode = "smtp";
mail_sendmailmode = "smtp";
mail_domain = "gmail.com";
mail_smtpauth = 1;
mail_smtpname = "matt.l.jallen";
mail_smtppassword = smtppassword;
mail_smtpsecure = "ssl";
mail_smtphost = "smtp.gmail.com";
mail_smtpport = 465;
enable_previews = true; enable_previews = true;
enabledPreviewProviders = [ enabledPreviewProviders = [
"OC\\Preview\\PNG" "OC\\Preview\\PNG"
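Review bot: The SMTP password that the old `smtppassword =` line held as a string literal stays readable in this repository's history after the change. Moving to `secretFile` therefore only protects it once that credential is revoked at the mail provider and a fresh one is stored in the encrypted `smtp_settings` secret. Separately, `secretFile = secretsFile;` appears to sit inside `containers.nextcloud`, and these hunks show no bind mount exposing the sops path to the container; confirm that one exists outside the hunks and is read-only, as the paperless change on this page does. A comment above the option such as `# JSON rendered by sops-nix; must be bind-mounted read-only into the container` would record that dependency.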


@@ -45,7 +45,7 @@ in
}; };
services.open-webui = { services.open-webui = {
enable = true; enable = false;
host = "0.0.0.0"; host = "0.0.0.0";
port = 8888; port = 8888;
openFirewall = true; openFirewall = true;


@@ -7,10 +7,8 @@ let
paperlessPort = 28981; paperlessPort = 28981;
paperlessUserId = config.users.users.nix-apps.uid; paperlessUserId = config.users.users.nix-apps.uid;
paperlessGroupId = config.users.groups.jallen-nas.gid; paperlessGroupId = config.users.groups.jallen-nas.gid;
paperlessSecret = config.sops.templates."paperless-secret".content; paperlessEnv = config.sops.templates."paperless.env".path;
clientId = config.sops.templates."paperless-client-id".content; paperlessPkg = pkgs.paperless-ngx;
clientSecret = config.sops.templates."paperless-client-secret".content;
paperlessPkg = pkgs.stable.paperless-ngx;
in in
{ {
containers.paperless = { containers.paperless = {
@@ -35,13 +33,7 @@ in
user = "paperless"; user = "paperless";
address = "0.0.0.0"; address = "0.0.0.0";
passwordFile = "/var/lib/paperless/paperless-password"; passwordFile = "/var/lib/paperless/paperless-password";
settings = { environmentFile = paperlessEnv;
PAPERLESS_URL = "https://paperless.jallen.dev";
PAPERLESS_SECRET = paperlessSecret;
PAPERLESS_ENABLE_ALLAUTH = true;
PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
PAPERLESS_SOCIALACCOUNT_PROVIDERS = ''{"openid_connect":{"OAUTH_PKCE_ENABLED":true,"APPS":[{"provider_id":"authentik","name":"authentik","client_id":"${clientId}","secret":"${clientSecret}","settings":{"server_url":"https://authentik.mjallen.dev/application/o/paperless/.well-known/openid-configuration"}}]}}'';
};
}; };
# Create required users and groups # Create required users and groups
@@ -87,6 +79,11 @@ in
hostPath = "/media/nas/ssd/nix-app-data/paperless"; hostPath = "/media/nas/ssd/nix-app-data/paperless";
isReadOnly = false; isReadOnly = false;
}; };
secrets = {
hostPath = "/run/secrets/jallen-nas/paperless";
isReadOnly = true;
mountPoint = "/run/secrets/jallen-nas/paperless";
};
}; };
}; };
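Review bot: `environmentFile = paperlessEnv;` points at the rendered sops template, while the new `secrets` bind mount exposes `/run/secrets/jallen-nas/paperless`, the directory of the raw secrets rather than the template output. sops-nix renders templates under its own `rendered` directory by default, so unless the template's `path` is overridden elsewhere the unit inside the container may not find the file. Meanwhile the raw `secret`, `authentik-client-id` and `authentik-client-secret` files are exposed to the container without being read. Mounting only the rendered file, for example `hostPath = config.sops.templates."paperless.env".path;` with the matching `mountPoint` and `isReadOnly = true;`, gives the container just what it consumes.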


@@ -93,6 +93,7 @@
qrencode qrencode
rcon rcon
sbctl sbctl
sops
speedtest-cli speedtest-cli
tailscale tailscale
tigervnc tigervnc
@@ -117,6 +118,11 @@
enable = true; enable = true;
nvidiaSupport = true; nvidiaSupport = true;
}; };
nix-index = {
enable = true;
enableBashIntegration = true;
enableZshIntegration = true;
};
}; };
hardware.fancontrol = { hardware.fancontrol = {


@@ -61,7 +61,6 @@ in
programs = { programs = {
home-manager.enable = true; home-manager.enable = true;
command-not-found.enable = true;
fish.enable = false; fish.enable = false;
mangohud.enable = true; mangohud.enable = true;
java.enable = true; java.enable = true;


@@ -67,7 +67,4 @@
RandomizedDelaySec = "1h"; # Spread load RandomizedDelaySec = "1h"; # Spread load
}; };
}; };
# Monitor the cache service
services.prometheus.exporters.node.enabledCollectors = [ "systemd" ];
} }


@@ -1,6 +1,6 @@
{ config, ... }: { config, ... }:
let let
user = "admin"; user = "nix-apps";
in in
{ {
# Permission modes are in octal representation (same as chmod), # Permission modes are in octal representation (same as chmod),
@@ -19,7 +19,7 @@ in
# It is recommended to get the group name from `config.users.users.<?name>.group` to avoid misconfiguration # It is recommended to get the group name from `config.users.users.<?name>.group` to avoid misconfiguration
sops = { sops = {
defaultSopsFile = ../../secrets/secrets.yaml; defaultSopsFile = ../../secrets/secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# ------------------------------ # ------------------------------
# Secrets # Secrets
@@ -34,7 +34,12 @@ in
"wifi" = { }; "wifi" = { };
"jallen-nas/ups_password" = { "jallen-nas/ups_password" = {
mode = "0777"; mode = "0777";
# restartUnits = [ "ups stuff lol" ]; restartUnits = [
"upsdrv.service"
"upsd.service"
"ups-killpower.service"
"upsmon.service"
];
}; };
"jallen-nas/collabora" = { "jallen-nas/collabora" = {
restartUnits = [ "podman-collabora.service" ]; restartUnits = [ "podman-collabora.service" ];
@@ -46,13 +51,22 @@ in
restartUnits = [ "podman-mariadb.service" ]; restartUnits = [ "podman-mariadb.service" ];
}; };
"jallen-nas/nextcloud/dbpassword" = { "jallen-nas/nextcloud/dbpassword" = {
restartUnits = [ "podman-nextcloud.service" ]; mode = "0650";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
restartUnits = [ "container@nextcloud.service" ];
}; };
"jallen-nas/nextcloud/adminpassword" = { "jallen-nas/nextcloud/adminpassword" = {
restartUnits = [ "podman-nextcloud.service" ]; mode = "0650";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
restartUnits = [ "container@nextcloud.service" ];
}; };
"jallen-nas/nextcloud/smtppassword" = { "jallen-nas/nextcloud/smtp_settings" = {
restartUnits = [ "podman-nextcloud.service" ]; mode = "0650";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
restartUnits = [ "container@nextcloud.service" ];
}; };
"jallen-nas/manyfold/secretkeybase" = { "jallen-nas/manyfold/secretkeybase" = {
restartUnits = [ "podman-manyfold.service" ]; restartUnits = [ "podman-manyfold.service" ];
@@ -87,18 +101,12 @@ in
"jallen-nas/paperless/secret" = { "jallen-nas/paperless/secret" = {
restartUnits = [ "container@paperless.service" ]; restartUnits = [ "container@paperless.service" ];
}; };
secrets."jallen-nas/paperless/authentik-client-id" = { "jallen-nas/paperless/authentik-client-id" = {
restartUnits = [ "container@paperless.service" ]; restartUnits = [ "container@paperless.service" ];
}; };
"jallen-nas/paperless/authentik-client-secret" = { "jallen-nas/paperless/authentik-client-secret" = {
restartUnits = [ "container@paperless.service" ]; restartUnits = [ "container@paperless.service" ];
}; };
"jallen-nas/nextcloud/dbpassword" = {
mode = "0777";
};
"jallen-nas/nextcloud/adminpassword" = {
mode = "0777";
};
"ssh-keys-public/jallen-nas-root" = { "ssh-keys-public/jallen-nas-root" = {
path = "/root/.ssh/id_ed25519.pub"; path = "/root/.ssh/id_ed25519.pub";
mode = "0600"; mode = "0600";
@@ -136,19 +144,21 @@ in
mode = "0600"; mode = "0600";
}; };
}; };
templates = { templates = {
"nextcloud-smtp".content = '' "paperless.env" = {
${config.sops.secrets."jallen-nas/nextcloud/smtppassword"} content = ''
''; PAPERLESS_URL = "https://paperless.jallen.dev"
"paperless-secret".content = '' PAPERLESS_SECRET = ${config.sops.placeholder."jallen-nas/paperless/secret"}
${config.sops.secrets."jallen-nas/paperless/secret".path} PAPERLESS_ENABLE_ALLAUTH = true
''; PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect"
"paperless-client-id".content = '' PAPERLESS_SOCIALACCOUNT_PROVIDERS = {"openid_connect":{"OAUTH_PKCE_ENABLED":true,"APPS":[{"provider_id":"authentik","name":"authentik","client_id":"${config.sops.placeholder."jallen-nas/paperless/authentik-client-id"}","secret":"${config.sops.placeholder."jallen-nas/paperless/authentik-client-secret"}","settings":{"server_url":"https://authentik.mjallen.dev/application/o/paperless/.well-known/openid-configuration"}}]}}
${config.sops.secrets."jallen-nas/paperless/authentik-client-id".path}
'';
"paperless-client-secret".content = ''
${config.sops.secrets."jallen-nas/paperless/authentik-client-secret".path}
''; '';
mode = "0650";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
restartUnits = [ "container@paperless.service" ];
};
}; };
}; };
} }
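Review bot: `mode = "0650"` on the three nextcloud secrets and on the `paperless.env` template gives the group read plus execute and the owner no execute, which looks like a slip for `"0640"`; `mode = "0440";` is enough if the service only reads the file. In the same `secrets` set, `"jallen-nas/ups_password"` keeps `mode = "0777"`, so the UPS password stays readable and writable by every local account while this change wires it to four service restarts. It should get an explicit `owner`/`group` and a restrictive mode like the nextcloud entries. Removing the duplicate `0777` nextcloud entries fixes those two secrets but not this one.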


@@ -8,7 +8,7 @@ let
user = "matt"; user = "matt";
password = "$y$j9T$EkPXmsmIMFFZ.WRrBYCxS1$P0kwo6e4.WM5DsqUcEqWC3MrZp5KfCjxffraMFZWu06"; password = "$y$j9T$EkPXmsmIMFFZ.WRrBYCxS1$P0kwo6e4.WM5DsqUcEqWC3MrZp5KfCjxffraMFZWu06";
SSID = "Joey's Jungle 5G"; SSID = "Joey's Jungle 5G";
SSIDpassword = ""; # config.sops.templates."wifi-password".content; wifiSecrets = config.sops.secrets."wifi-password".path;
interface = "wlan0"; interface = "wlan0";
timezone = "America/Chicago"; timezone = "America/Chicago";
hostname = "pi4"; hostname = "pi4";
@@ -82,7 +82,8 @@ in
hostName = hostname; hostName = hostname;
wireless = { wireless = {
enable = false; enable = false;
networks."${SSID}".psk = SSIDpassword; secretsFile = wifiSecrets;
networks."${SSID}".psk = "ext:PSK";
interfaces = [ interface ]; interfaces = [ interface ];
}; };
@@ -124,6 +125,12 @@ in
services.openssh.enable = true; services.openssh.enable = true;
programs.nix-index = {
enable = true;
enableBashIntegration = true;
enableZshIntegration = true;
};
users = { users = {
mutableUsers = false; mutableUsers = false;
users."${user}" = { users."${user}" = {
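Review bot: `networks."${SSID}".psk = "ext:PSK";` will most likely be written to the wpa_supplicant config as a quoted passphrase, making the literal string `ext:PSK` the key instead of a lookup in `secretsFile`. The NixOS wireless module documents `pskRaw` for external references, i.e. `networks."${SSID}".pskRaw = "ext:PSK";`. `wifiSecrets` also reads `config.sops.secrets."wifi-password".path`, while the only secret declared in the Pi's sops module on this page is `"wifi"`, and that secret's decrypted content has to be a `PSK=<value>` line for the reference to resolve. Wireless is `enable = false` here, so neither problem surfaces until it is switched on.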


@@ -25,12 +25,47 @@ in
home.username = "matt"; home.username = "matt";
home.homeDirectory = "/home/matt"; home.homeDirectory = "/home/matt";
home.stateVersion = "23.11"; home.stateVersion = "23.11";
programs.home-manager.enable = true;
sops = {
age.keyFile = "/home/admin/.config/sops/age/keys.txt";
defaultSopsFile = "/etc/nixos/secrets/secrets.yaml";
validateSopsFiles = false;
secrets = {
"ssh-keys-public/pi4" = {
path = "/home/admin/.ssh/id_ed25519.pub";
mode = "0644";
};
"ssh-keys-private/pi4" = {
path = "/home/admin/.ssh/id_ed25519";
mode = "0600";
};
"ssh-keys-public/desktop-nixos" = {
path = "/home/admin/.ssh/authorized_keys";
mode = "0600";
};
"ssh-keys-public/desktop-nixos-root" = {
path = "/home/admin/.ssh/authorized_keys2";
mode = "0600";
};
"ssh-keys-public/desktop-windows" = {
path = "/home/admin/.ssh/authorized_keys3";
mode = "0600";
};
"ssh-keys-public/macbook-macos" = {
path = "/home/admin/.ssh/authorized_keys4";
mode = "0600";
};
};
};
programs = { programs = {
fish.enable = false; fish.enable = false;
mangohud.enable = true; mangohud.enable = true;
java.enable = true; java.enable = true;
home-manager.enable = true;
zsh = { zsh = {
enable = true; enable = true;
@@ -45,15 +80,13 @@ in
plugins = [ "git" ]; plugins = [ "git" ];
theme = "fishy"; theme = "fishy";
}; };
};
};
programs.git = { git = {
enable = true; enable = true;
userName = "mjallen18"; userName = "mjallen18";
userEmail = "matt.l.jallen@gmail.com"; userEmail = "matt.l.jallen@gmail.com";
aliases = gitAliases; aliases = gitAliases;
}; };
};
programs.command-not-found.enable = true; };
} }
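Review bot: Every path in the new `sops` block is under `/home/admin` (`age.keyFile`, the `id_ed25519` pair and the `authorized_keys*` files), but the context lines above set `home.username = "matt"` and `home.homeDirectory = "/home/matt"`. As written, this user's activation would have to write into another account's `.ssh`, or the keys end up where sshd never looks for `matt`; deriving the paths from `config.home.homeDirectory` removes the mismatch. `authorized_keys3` and `authorized_keys4` are also outside OpenSSH's default `AuthorizedKeysFile` list (`.ssh/authorized_keys .ssh/authorized_keys2`), so those two keys grant nothing unless sshd is configured to read them. With `validateSopsFiles = false` a misspelled secret name is not caught at build time, so a comment explaining why validation is off would help the next reader.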


@@ -1,10 +1,11 @@
{ config, ... }: { ... }:
{ {
sops.defaultSopsFile = ../../secrets/secrets.yaml; sops = {
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; defaultSopsFile = ../../secrets/secrets.yaml;
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets."wifi" = { }; secrets = {
sops.templates."wifi-password".content = '' "wifi" = { };
${config.sops.secrets."wifi".path} };
''; };
} }


@@ -11,7 +11,7 @@ jallen-nas:
nextcloud: nextcloud:
dbpassword: ENC[AES256_GCM,data:Xu92h2psR4jAJDM=,iv:UsJD1zq9Uy0Exxk58nkyPGyI8m2BOuvr2DK843h5pSk=,tag:k4MvHT8BoahCf9ZxQw8ovA==,type:str] dbpassword: ENC[AES256_GCM,data:Xu92h2psR4jAJDM=,iv:UsJD1zq9Uy0Exxk58nkyPGyI8m2BOuvr2DK843h5pSk=,tag:k4MvHT8BoahCf9ZxQw8ovA==,type:str]
adminpassword: ENC[AES256_GCM,data:y4PXSbrAAw3A6cg=,iv:10Dm3IYqKJz2FNRteauuYSKXCHE2IKHv4ytidUvblXA=,tag:OAsZ69s4g2p0JEenLbkXdA==,type:str] adminpassword: ENC[AES256_GCM,data:y4PXSbrAAw3A6cg=,iv:10Dm3IYqKJz2FNRteauuYSKXCHE2IKHv4ytidUvblXA=,tag:OAsZ69s4g2p0JEenLbkXdA==,type:str]
smtppassword: ENC[AES256_GCM,data:AIn3HJ3oX90nzcmSLSIeizqL1w==,iv:EyIgk3mxJ1Pn9Gff6ia6c2ekreSFGUWDbLrtC/meMyI=,tag:LvkT98sSOVDV+mxMyJKnbQ==,type:str] smtp_settings: ENC[AES256_GCM,data:JCbXCQwJtTFgHeLTIJ2ZNWwOreZV3uKWl9qNvE9uQcOULToZDWLQoOGyuGzl7Xlb2yyLiaYYlOFRV9bbbfjBljz+4I9b6cw0dNdhaKg3CpUzdFqRq3dvi4zCy/HEf1Rp/ccU92JelYkfP9S3yNdYq3i+52kr98g5F722ktDC79RiRtJJ44CRff5NBYnDJdGa5OWBf7yPW/5xsX7oqaDI/3yzYTbPGImnQkYfG0GUFP3tRVul0EM++0UoOTcKXEUvolAc0Ij672ONYm+ZqJp8wckouZu2Gae1AK0DficffiZfy4jI1obJPPkQYzoPBWSr7UU9s8PC7zsx2o8OklWZu2LqFxzd1J59qCfIhHrbz2N8OeJhwD+nySrKj1jPdz5amXJT1b4xHE4/YJg7LJmsAYmbEH6OH4928CqYLLwJcaZeVZ6EmeDT,iv:GLy1n7lun9OaOgQJw607moJQwWf4PuD9kUONJOjXuXQ=,tag:AqRJnISyoRkA6I/prZoQpg==,type:str]
onlyoffice-key: ENC[AES256_GCM,data:htJ+CEyeHgdxbOGKT5SFPaQeFYw0vw==,iv:J/yl1vYx4As8TwpgNYkeiZZixXzHMFeF0/D3zY+MmIc=,tag:wdc8hRLs+qWpVhwGsvSqZg==,type:str] onlyoffice-key: ENC[AES256_GCM,data:htJ+CEyeHgdxbOGKT5SFPaQeFYw0vw==,iv:J/yl1vYx4As8TwpgNYkeiZZixXzHMFeF0/D3zY+MmIc=,tag:wdc8hRLs+qWpVhwGsvSqZg==,type:str]
manyfold: manyfold:
secretkeybase: ENC[AES256_GCM,data:b+fgTrtnZcp34DOQ0dtKc6bX6/dm9j0o3QJr,iv:e4hOwgTFCXVokGqhwKsYHt5IQgtaKcMmEqvDoMly5aI=,tag:E8gFiOuozA4T1mmcgXfbDg==,type:str] secretkeybase: ENC[AES256_GCM,data:b+fgTrtnZcp34DOQ0dtKc6bX6/dm9j0o3QJr,iv:e4hOwgTFCXVokGqhwKsYHt5IQgtaKcMmEqvDoMly5aI=,tag:E8gFiOuozA4T1mmcgXfbDg==,type:str]
@@ -135,8 +135,8 @@ sops:
TWRvYVZ5eklJQU81SzBVZ1BBbENuTkEKwMTa1cAH3sNm2npVhQ/dDl5M7Q8T3vOx TWRvYVZ5eklJQU81SzBVZ1BBbENuTkEKwMTa1cAH3sNm2npVhQ/dDl5M7Q8T3vOx
9slEt5EVUgqaJVhVr9AM9aAhghWJa5i5+Eh628C6p53XFxrO+6zUYA== 9slEt5EVUgqaJVhVr9AM9aAhghWJa5i5+Eh628C6p53XFxrO+6zUYA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-19T20:25:49Z" lastmodified: "2025-03-19T23:13:06Z"
mac: ENC[AES256_GCM,data:/zHLzU9mnf5wJTzQ6xxyBKTOLmVrn68F3V+B8rJz/nFLjGfFxlLvkTLdYfgJ0RDR71wqe/s2Y3cqsMqb09X+YAxL/COJfTNaF+CF73Yhyxjm5bWlPLKzWQkx78awBKh0bldgcUMZoqpaKBT5N5FjQoRrkQX2tILbLkuwLZglUW8=,iv:a7JlujcKqrUxF7PSeHfpIAt3GKRk+MI2zbtLMO0N4dY=,tag:AKuFkKDcqaYQbtZF2YVWUA==,type:str] mac: ENC[AES256_GCM,data:9T5Q5sPNGfYgJ53RHMsWCTRCszfu9JYBQGsSAR6JrREt5gnl9XALknUqhs1+NjOanRguX4C0R1d7XDCMMZi8WU4+TiQk1MzlEMS5CDX4YGKm/hUY2e1PqW9FU2mjMqsgmh1ak7B51q6mNdOShtxvRjaLf8TLY4Aps6Z0XsnPZgE=,iv:VyYeNwCN3k6czVZ3Pw829W2ezQ1hONe9gDrodTEggWE=,tag:pkHvPBH4DT2z7l8kEz7LrQ==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.4 version: 3.9.4