upRootNutrition/dotfiles
upRootNutrition/dotfiles
1
0
Fork 0
mirror of https://gitlab.com/upRootNutrition/dotfiles.git synced 2025-12-06 21:17:14 -06:00
Code Issues Projects 1 Releases Packages Wiki Activity Actions

test: microVM test

Browse source
This commit is contained in:
Nick 2025-11-04 03:30:52 -06:00
parent bd1d74997d
commit f15baf7ccb
21 changed files with 405 additions and 529 deletions
Download patch file Download diff file Expand all files Collapse all files

27
flake.lock generated
View file

@ -1376,6 +1376,7 @@
"pre-commit-hooks-nix": "pre-commit-hooks-nix", "pre-commit-hooks-nix": "pre-commit-hooks-nix",
"sops-nix": "sops-nix", "sops-nix": "sops-nix",
"systems": "systems_5", "systems": "systems_5",
"treefmt-nix": "treefmt-nix_3",
"upRootNutrition": "upRootNutrition", "upRootNutrition": "upRootNutrition",
"waybar": "waybar", "waybar": "waybar",
"wpaperd": "wpaperd", "wpaperd": "wpaperd",
@ -1566,6 +1567,26 @@
} }
}, },
"treefmt-nix_3": { "treefmt-nix_3": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1761311587,
"narHash": "sha256-Msq86cR5SjozQGCnC6H8C+0cD4rnx91BPltZ9KK613Y=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "2eddae033e4e74bf581c2d1dfa101f9033dbd2dc",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"treefmt-nix_4": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs_7" "nixpkgs": "nixpkgs_7"
}, },
@ -1583,7 +1604,7 @@
"type": "github" "type": "github"
} }
}, },
"treefmt-nix_4": { "treefmt-nix_5": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs_8" "nixpkgs": "nixpkgs_8"
}, },
@ -1607,7 +1628,7 @@
"mkElmDerivation": "mkElmDerivation", "mkElmDerivation": "mkElmDerivation",
"nixpkgs": "nixpkgs_6", "nixpkgs": "nixpkgs_6",
"nixpkgs-stable": "nixpkgs-stable_3", "nixpkgs-stable": "nixpkgs-stable_3",
"treefmt-nix": "treefmt-nix_3" "treefmt-nix": "treefmt-nix_4"
}, },
"locked": { "locked": {
"lastModified": 1761538643, "lastModified": 1761538643,
@ -1746,7 +1767,7 @@
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"treefmt-nix": "treefmt-nix_4" "treefmt-nix": "treefmt-nix_5"
}, },
"locked": { "locked": {
"lastModified": 1760778041, "lastModified": 1760778041,

5
flake.nix
View file

@ -17,6 +17,10 @@
url = "github:hercules-ci/flake-parts"; url = "github:hercules-ci/flake-parts";
inputs.nixpkgs-lib.follows = "nixpkgs"; inputs.nixpkgs-lib.follows = "nixpkgs";
}; };
treefmt-nix = {
url = "github:numtide/treefmt-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
systems.url = "github:nix-systems/x86_64-linux"; systems.url = "github:nix-systems/x86_64-linux";
home-manager = { home-manager = {
url = "github:nix-community/home-manager"; url = "github:nix-community/home-manager";
@ -87,6 +91,7 @@
inputs.flake-parts.lib.mkFlake { inherit inputs; } { inputs.flake-parts.lib.mkFlake { inherit inputs; } {
imports = [ imports = [
inputs.pre-commit-hooks-nix.flakeModule inputs.pre-commit-hooks-nix.flakeModule
inputs.treefmt-nix.flakeModule
./lib ./lib
./modules ./modules
./parts ./parts

42
modules/config/default.nix
View file

@ -71,10 +71,23 @@ let
email = genOptions stringType "address"; email = genOptions stringType "address";
sops = genOptions stringType "path"; sops = genOptions stringType "path";
paths = genOptions stringType "path"; paths = genOptions stringType "path";
varPaths = genOptions stringType "path";
mntPaths = genOptions stringType "path";
secretPaths = genOptions stringType "path";
ports = genOptions intType "port"; ports = genOptions intType "port";
interface = {
id = stringType;
mac = stringType;
idUser = stringType;
macUser = stringType;
ip = stringType;
gate = stringType;
ssh = intType;
};
ssl = { ssl = {
cert = stringType; cert = stringType;
key = stringType; key = stringType;
path = stringType;
}; };
}; };
}; };
@ -259,15 +272,26 @@ in
}; };
instancesFunctions = { instancesFunctions =
domain0 = "cloudbert.fun"; let
domain1 = "uprootnutrition.com"; vm = "vm-";
servicePath = "/mnt/media/NAS1"; var = "/var/lib";
sopsPath = "/var/lib/secrets"; in
sslPath = "/var/lib/acme"; {
varLib = "/var/lib"; domain0 = "cloudbert.fun";
dummy = ""; domain1 = "uprootnutrition.com";
}; idPrefix = vm;
userPrefix = "user${vm}";
emailNoReply = "noreply";
servicePath = "/mnt/media/NAS1";
mntPath = "/mnt/storage";
varLib = var;
varPath = var;
sslPath = "${var}/acme";
sopsPath = "${var}/secrets";
secretPath = "${var}/secrets";
dummy = "";
};
themesFunctions = { themesFunctions = {
brogrammer = "brogrammer"; brogrammer = "brogrammer";

4
modules/config/instances/config/acme.nix
View file

@ -3,6 +3,7 @@ let
inherit (moduleFunctions.instancesFunctions) inherit (moduleFunctions.instancesFunctions)
sslPath sslPath
sopsPath sopsPath
secretPath
; ;
label = "Acme"; label = "Acme";
@ -14,6 +15,9 @@ in
paths = { paths = {
path0 = sslPath; path0 = sslPath;
}; };
secretPaths = {
path0 = secretPath;
};
sops = { sops = {
path0 = "${sopsPath}/${name}"; path0 = "${sopsPath}/${name}";
}; };

3
modules/config/instances/config/caddy.nix
View file

@ -17,7 +17,6 @@ in
port0 = 80; port0 = 80;
port1 = 443; port1 = 443;
port2 = 8443; port2 = 8443;
port3 = 8444; # Nextcloud port3 = 8445; # Opencloud
port4 = 8445; # Opencloud
}; };
} }

45
modules/config/instances/config/forgejo.nix
View file

@ -2,25 +2,28 @@
let let
inherit (moduleFunctions.instancesFunctions) inherit (moduleFunctions.instancesFunctions)
domain1 domain1
servicePath idPrefix
userPrefix
varPath
mntPath
secretPath
sslPath sslPath
sopsPath emailNoReply
; ;
label = "Forgejo";
name = "forgejo"; name = "forgejo";
label = "Forgejo";
subdomain = "source"; subdomain = "source";
domain = "${subdomain}.${domain1}"; domain = "${subdomain}.${domain1}";
secrets = "${secretPath}/${name}";
ssl = "${sslPath}/${domain}";
in in
{ {
label = label;
name = name; name = name;
label = label;
short = label; short = label;
email = { email = {
address0 = "noreply@${domain1}"; address0 = "${emailNoReply}@${domain1}";
};
sops = {
path0 = "${sopsPath}/${name}";
}; };
domains = { domains = {
url0 = domain; url0 = domain;
@ -31,14 +34,30 @@ in
"forge" "forge"
"git" "git"
]; ];
paths = {
path0 = "${servicePath}/${label}";
};
ports = { ports = {
port0 = 3033; port0 = 3033;
}; };
interface = {
id = "${idPrefix}-${name}";
mac = "02:00:00:00:00:50";
idUser = "${userPrefix}-${name}";
macUser = "02:00:00:00:00:02";
ip = "192.168.50.50";
gate = "192.168.50.1";
ssh = 2200;
};
ssl = { ssl = {
cert = "${sslPath}/${subdomain}.${domain1}/fullchain.pem"; path = ssl;
key = "${sslPath}/${subdomain}.${domain1}/key.pem"; cert = "${ssl}/fullchain.pem";
key = "${ssl}/key.pem";
};
varPaths = {
path0 = "${varPath}/${name}";
};
mntPaths = {
path0 = "${mntPath}/${name}";
};
secretPaths = {
path0 = secrets;
}; };
} }

44
modules/config/instances/config/nextcloud.nix
View file

@ -1,44 +0,0 @@
{ moduleFunctions }:
let
inherit (moduleFunctions.instancesFunctions)
domain0
servicePath
sslPath
sopsPath
;
label = "Nextcloud";
name = "nextcloud";
domain = "${name}.${domain0}";
in
{
label = label;
name = name;
short = "Next";
email = {
address0 = "noreply@${name}.${domain0}";
};
sops = {
path0 = "${sopsPath}/${name}";
};
domains = {
url0 = domain;
};
subdomain = name;
tags = [
name
"next"
"cloud"
"calendar"
];
paths = {
path0 = "${servicePath}/${label}";
};
ports = {
port0 = 8354; # Nextcloud
};
ssl = {
cert = "${sslPath}/${name}.${domain0}/fullchain.pem";
key = "${sslPath}/${name}.${domain0}/key.pem";
};
}

46
modules/nixos/default.nix
View file

@ -15,7 +15,6 @@ in
plymouth plymouth
sddm sddm
searx searx
syncthing
wireGuard wireGuard
; ;
}; };
@ -46,28 +45,28 @@ in
ceres = { ceres = {
imports = builtins.attrValues { imports = builtins.attrValues {
inherit (modules) inherit (modules)
acmeCeres # acmeCeres
audiobookshelf # audiobookshelf
caddyCeres # caddyCeres
comfyui # comfyui
filesorter # filesorter
firefly-iii # firefly-iii
forgejo # forgejo
glance # glance
jellyfin # jellyfin
logrotate # logrotate
mastodon # mastodon
minecraft # microvm
ollamaCeres # minecraft
postgresCeres # ollamaCeres
projectSite # postgresCeres
prompter # projectSite
sambaCeres # prompter
searx # sambaCeres
syncthing # searx
vaultwarden # vaultwarden
website # website
zookeeper # zookeeper
; ;
}; };
}; };
@ -78,6 +77,7 @@ in
acmeEris acmeEris
caddyEris caddyEris
logrotate logrotate
microvm
# opencloud # opencloud
sambaEris sambaEris
postgresEris postgresEris

6
modules/nixos/microvm/default.nix Normal file
View file

@ -0,0 +1,6 @@
{ flake, ... }:
{
imports = [
flake.inputs.microvm.nixosModules.host
];
}

86
modules/nixos/services/acme/acmeCeres/default.nix
View file

@ -15,12 +15,6 @@ let
dns1 = instances.web.dns.provider1; dns1 = instances.web.dns.provider1;
dns0Path = "dns/${dns0}"; dns0Path = "dns/${dns0}";
dns1Path = "dns/${dns1}"; dns1Path = "dns/${dns1}";
instanceName = service: (instances.${service}.subdomain);
dnsConfig = provider: dns: {
dnsProvider = dns;
directory = instances.acme.paths.path0;
environmentFile = config.sops.secrets.${provider}.path;
};
in in
{ {
security.acme = { security.acme = {
@ -29,60 +23,33 @@ in
email = email.address0; email = email.address0;
server = "https://acme-v02.api.letsencrypt.org/directory"; server = "https://acme-v02.api.letsencrypt.org/directory";
}; };
certs = builtins.listToAttrs ( certs =
(map let
(service: { dnsConfig = provider: dns: directory: {
name = "${instanceName service}.${domain0}"; dnsProvider = dns;
value = dnsConfig dns0Path dns0; environmentFile = config.sops.secrets.${provider}.path;
}) };
[ in
instances.audiobookshelf.name {
instances.glance.name "${instances.audiobookshelf.domains.url0}" = dnsConfig dns0Path dns0;
instances.jellyfin.name "${instances.glance.domains.url0}" = dnsConfig dns0Path dns0;
instances.minecraft.name "${instances.jellyfin.domains.url0}" = dnsConfig dns0Path dns0;
instances.ollama.name "${instances.ollama.domains.url0}" = dnsConfig dns0Path dns0;
instances.searx.name "${instances.searx.domains.url0}" = dnsConfig dns0Path dns0;
instances.syncthing.name "${instances.syncthing.domains.url0}" = dnsConfig dns0Path dns0;
instances.vaultwarden.name "${instances.vaultwarden.domains.url0}" = dnsConfig dns0Path dns0;
instances.prompter.name "${instances.prompter.domains.url0}" = dnsConfig dns0Path dns0;
instances.comfyui.name "${instances.comfyui.domains.url0}" = dnsConfig dns0Path dns0;
instances.firefly-iii.name "${instances.firefly-iii.domains.url0}" = dnsConfig dns0Path dns0;
instances.nextcloud.name "${instances.opencloud.domains.url0}" = dnsConfig dns0Path dns0;
instances.opencloud.name "${instances.forgejo.domains.url0}" = dnsConfig dns0Path dns0;
] "${instances.mastodon.domains.url0}" = dnsConfig dns0Path dns0;
) "${domain0}" = dnsConfig dns0Path dns0;
++ (map "${domain1}" = dnsConfig dns0Path dns0;
(service: { "${domain4}" = dnsConfig dns1Path dns1;
name = "${instanceName service}.${domain1}"; };
value = dnsConfig dns0Path dns0;
})
[
instances.forgejo.name
instances.mastodon.name
instances.peertube.name
]
)
++ (map
(name: {
name = name;
value = dnsConfig dns0Path dns0;
})
[
domain0
domain1
]
)
++ (map
(name: {
name = name;
value = dnsConfig dns1Path dns1;
})
[
domain4
]
)
);
}; };
sops = sops =
let let
dnsList = [ dnsList = [
@ -117,5 +84,4 @@ in
"Z ${service.sops.path0} 755 ${service.name} ${service.name} -" "Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
]; ];
}; };
} }

1
modules/nixos/services/acme/acmeEris/default.nix
View file

@ -33,7 +33,6 @@ in
value = dnsConfig dns0Path dns0; value = dnsConfig dns0Path dns0;
}) })
[ [
# instances.nextcloud.name
# instances.opencloud.name # instances.opencloud.name
] ]
) )

19
modules/nixos/services/caddy/caddyCeres/default.nix
View file

@ -5,7 +5,6 @@ let
domain0 = instances.web.domains.url0; domain0 = instances.web.domains.url0;
service = instances.caddy; service = instances.caddy;
nextcloud = instances.nextcloud;
opencloud = instances.opencloud; opencloud = instances.opencloud;
in in
{ {
@ -18,18 +17,12 @@ in
encode zstd gzip encode zstd gzip
''; '';
}; };
"${nextcloud.domains.url0}" = { # "${opencloud.domains.url0}" = {
extraConfig = '' # extraConfig = ''
reverse_proxy http://${devices.eris.ip.address0}:${builtins.toString service.ports.port3} # reverse_proxy http://${devices.eris.ip.address0}:${builtins.toString service.ports.port4}
tls ${nextcloud.ssl.cert} ${nextcloud.ssl.key} # tls ${opencloud.ssl.cert} ${opencloud.ssl.key}
''; # '';
}; # };
"${opencloud.domains.url0}" = {
extraConfig = ''
reverse_proxy http://${devices.eris.ip.address0}:${builtins.toString service.ports.port4}
tls ${opencloud.ssl.cert} ${opencloud.ssl.key}
'';
};
}; };
}; };
users.users.${service.name}.extraGroups = [ users.users.${service.name}.extraGroups = [

283
modules/nixos/services/forgejo/default.nix
View file

@ -1,84 +1,197 @@
{ {
flake, flake,
config,
pkgs,
... ...
}: }:
let let
inherit (flake.config.machines.devices) ceres; inherit (flake.config.people) user0;
inherit (flake.config.services) inherit (flake.config.services.instances)
instances forgejo
smtp
web
; ;
service = instances.forgejo; service = forgejo;
localhost = instances.web.localhost.address0; host = forgejo.domains.url0;
host = service.domains.url0; secrets = service.secretPaths.path0;
localhost = web.localhost.address1;
caddy = instances.caddy; sshPort = 22;
postgres = instances.postgresql;
syncthing = instances.syncthing;
backupPath = "${instances.syncthing.paths.path1}/${service.name}";
in in
{ {
services = { microvm = {
forgejo = { vms = {
enable = true; forgejo = {
database.type = "postgres"; autostart = true;
lfs.enable = true; config =
secrets = { { config, pkgs, ... }:
mailer.PASSWD = config.sops.secrets."${service.name}-smtp".path; {
database.PASSWD = config.sops.secrets."${service.name}-database".path; system.stateVersion = "25.05";
}; time.timeZone = "America/Winnipeg";
dump = {
interval = "5:00";
type = "zip";
file = "forgejo-backup";
enable = true;
backupDir = backupPath;
};
settings = {
server = {
DOMAIN = host;
ROOT_URL = "https://${host}/";
HTTP_PORT = service.ports.port0;
};
# If you need to start from scratch, don't forget to turn this off again
service.DISABLE_REGISTRATION = true;
actions = {
ENABLED = true;
DEFAULT_ACTIONS_URL = "github";
};
mirror = {
ENABLED = true;
};
mailer = {
ENABLED = true;
SMTP_ADDR = instances.smtp.hostname;
FROM = instances.smtp.email.address1;
USER = instances.smtp.email.address1;
PROTOCOL = "${instances.smtp.name}+${instances.smtp.records.record1}";
SMTP_PORT = instances.smtp.ports.port1;
SEND_AS_PLAIN_TEXT = true;
USE_CLIENT_CERT = false;
};
};
};
caddy = {
virtualHosts = {
"${host}" = {
extraConfig = ''
reverse_proxy ${localhost}:${toString service.ports.port0}
tls ${service.ssl.cert} ${service.ssl.key} users.users.root = {
''; openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys;
}; };
services = {
forgejo = {
enable = true;
database.type = "postgres";
lfs.enable = true;
secrets = {
mailer.PASSWD = "${secrets}/${service.name}-smtp";
database.PASSWD = "${secrets}/${service.name}-database";
};
dump = {
interval = "5:00";
type = "zip";
file = "forgejo-backup";
enable = true;
};
settings = {
server = {
DOMAIN = host;
ROOT_URL = "https://${host}/";
HTTP_PORT = service.ports.port0;
HTTP_ADDR = localhost;
};
# If you need to start from scratch, don't forget to turn this off again
service.DISABLE_REGISTRATION = false;
actions = {
ENABLED = true;
DEFAULT_ACTIONS_URL = "github";
};
mirror.ENABLED = true;
mailer = {
ENABLED = true;
SMTP_ADDR = smtp.hostname;
FROM = smtp.email.address1;
USER = smtp.email.address1;
PROTOCOL = "${smtp.name}+${smtp.records.record1}";
SMTP_PORT = smtp.ports.port1;
SEND_AS_PLAIN_TEXT = true;
USE_CLIENT_CERT = false;
};
};
};
openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "prohibit-password";
};
};
};
systemd = {
tmpfiles.rules = [
"d ${secrets} 0755 ${service.name} ${service.name} -"
];
services.forgejo-dump = {
serviceConfig = {
ExecStartPost = "${pkgs.nushell}/bin/nu -c 'ls ${service.varPaths.path0}/dump | where name =~ forgejo-backup and modified < ((date now) - 7day) | each { rm $in.name }'";
};
};
network = {
enable = true;
networks."10-enp" = {
matchConfig.Name = "enp0s4";
addresses = [ { Address = "${service.interface.ip}/24"; } ];
routes = [
{
Destination = "${localhost}/0";
Gateway = service.interface.gate;
}
];
dns = [ service.interface.gate ];
};
};
};
networking.firewall.allowedTCPPorts = [
sshPort
service.ports.port0
];
microvm = {
vcpu = 2;
mem = 3096;
hypervisor = "qemu";
interfaces = [
{
type = "tap";
id = service.interface.id;
mac = service.interface.mac;
}
{
type = "user";
id = service.interface.idUser;
mac = service.interface.macUser;
}
];
shares = [
{
mountPoint = "/nix/.ro-store";
proto = "virtiofs";
source = "/nix/store";
tag = "read_only_nix_store";
}
{
mountPoint = service.varPaths.path0;
proto = "virtiofs";
source = service.mntPaths.path0;
tag = "${service.name}_data";
}
{
mountPoint = service.secretPaths.path0;
proto = "virtiofs";
source = service.secretPaths.path0;
tag = "${service.name}_secrets";
}
{
mountPoint = service.ssl.path;
proto = "virtiofs";
source = service.ssl.path;
tag = "acme_certs";
}
];
forwardPorts = [
{
from = "host";
host.port = service.interface.ssh;
guest.port = sshPort;
}
];
};
};
}; };
}; };
}; };
services.caddy.virtualHosts."${host}" = {
extraConfig = ''
reverse_proxy ${service.interface.ip}:${toString service.ports.port0}
tls ${service.ssl.cert} ${service.ssl.key}
'';
};
sops = sops =
let let
sopsPath = secret: { sopsPath = secret: {
path = "${service.sops.path0}/${service.name}-${secret}"; path = "${secrets}/${service.name}-${secret}";
owner = service.name; owner = "root";
mode = "600"; mode = "600";
}; };
in in
@ -95,42 +208,4 @@ in
] ]
); );
}; };
fileSystems."/var/lib/${service.name}" = {
device = service.paths.path0;
fsType = "none";
options = [
"bind"
];
depends = [
ceres.storage0.mount
];
};
systemd.services = {
forgejo-dump = {
serviceConfig = {
ExecStartPost = "${pkgs.nushell}/bin/nu -c 'ls ${backupPath} | where name =~ forgejo-backup and modified < ((date now) - 7day) | each { rm $in.name }'";
};
};
};
systemd.tmpfiles.rules = [
"Z ${service.paths.path0} 755 ${service.name} ${service.name} -"
"Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
];
users.users.${service.name}.extraGroups = [
caddy.name
postgres.name
syncthing.name
];
networking = {
firewall = {
allowedTCPPorts = [
service.ports.port0
];
};
};
} }

163
modules/nixos/services/nextcloud/default.nix
View file

@ -1,163 +0,0 @@
{
flake,
config,
pkgs,
...
}:
let
inherit (flake.config.people) user0;
inherit (flake.config.people.users.${user0}) name;
inherit (flake.config.services.instances)
nextcloud
nginx
caddy
smtp
web
;
service = nextcloud;
localhost = web.localhost.address0;
host = service.domains.url0;
in
{
services = {
nextcloud = {
appstoreEnable = true;
autoUpdateApps.enable = true;
configureRedis = true;
enable = true;
hostName = host;
https = true;
package = pkgs.nextcloud31;
phpOptions."opcache.interned_strings_buffer" = "24";
extraAppsEnable = true;
extraApps = {
inherit (pkgs.nextcloud31Packages.apps)
contacts
calendar
deck
;
};
config = {
adminpassFile = config.sops.secrets."${service.name}-pass".path;
adminuser = name;
dbtype = "pgsql";
};
database = {
createLocally = true;
};
settings = {
default_phone_region = "CA";
log_type = "file";
mail_domain = host;
mail_from_address = "noreply";
mail_sendmailmode = smtp.name;
mail_smtpmode = smtp.name;
mail_smtphost = smtp.hostname;
mail_smtpport = smtp.ports.port1;
mail_smtpsecure = "";
mail_smtptimeout = 30;
mail_smtpauth = 1;
mail_smtpname = smtp.email.address0;
mail_smtppassword = config.sops.secrets."${service.name}-smtp".path;
maintenance_window_start = 4;
overwriteprotocol = "https";
trusted_proxies = [
localhost
web.localhost.address1
];
security.headers = {
Strict-Transport-Security = "max-age=15552000; includeSubDomains";
X-XSS-Protection = "1; mode=block";
X-Content-Type-Options = "nosniff";
X-Frame-Options = "SAMEORIGIN";
Referrer-Policy = "strict-origin-when-cross-origin";
};
};
};
nginx = {
enable = true;
virtualHosts.${host} = {
listen = [
{
addr = localhost;
port = nginx.ports.port0;
}
];
forceSSL = false;
onlySSL = false;
addSSL = false;
};
};
caddy = {
virtualHosts = {
":${toString caddy.ports.port3}" = {
extraConfig = ''
header {
# Enable XSS protection and block instead of sanitizing
X-XSS-Protection "1; mode=block"
# Enable HSTS with 6 month duration
Strict-Transport-Security "max-age=15552000; includeSubDomains"
# Additional security headers
X-Content-Type-Options "nosniff"
X-Frame-Options "SAMEORIGIN"
Referrer-Policy "strict-origin-when-cross-origin"
# Remove server identification
-Server
}
reverse_proxy http://${localhost}:${toString nginx.ports.port0}
'';
};
};
};
};
sops =
let
sopsPath = secret: {
path = "${service.sops.path0}/${service.name}-${secret}";
owner = service.name;
mode = "600";
};
in
{
secrets = builtins.listToAttrs (
map
(secret: {
name = "${service.name}-${secret}";
value = sopsPath secret;
})
[
"pass"
"smtp"
]
);
};
systemd = {
tmpfiles.rules = [
"Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
];
};
users.users.${service.name} = {
packages = with pkgs; [
php
];
extraGroups = [
"caddy"
"nginx"
"postgres"
];
};
networking = {
firewall = {
allowedTCPPorts = [
nginx.ports.port0
service.ports.port0
caddy.ports.port3
];
};
};
}

28
parts/config/devshells.nix
View file

@ -1,28 +0,0 @@
{ pkgs, config, ... }:
{
devShells = {
default = pkgs.mkShell {
packages = builtins.attrValues {
inherit (pkgs)
age
gitmoji-cli
graphviz
imv
just
nixfmt
just-lsp
litemdview
nil
openssl
pqiv
sops
ssh-to-age
taplo
vscode-langservers-extracted
watchexec
;
};
shellHook = "${config.pre-commit.installationScript}";
};
};
}

7
parts/config/pre-commit.nix
View file

@ -1,7 +0,0 @@
{
pre-commit.settings.hooks = {
nixfmt-rfc-style.enable = true;
commitizen.enable = true;
# statix.enable = true;
};
}

62
parts/default.nix
View file

@ -1,20 +1,48 @@
{ {
perSystem = { perSystem =
pkgs, {
lib, pkgs,
config, lib,
self', config,
... self',
}: let ...
configPath = ./config; }:
{
devShells = {
default = pkgs.mkShell {
packages = builtins.attrValues {
inherit (pkgs)
age
gitmoji-cli
graphviz
imv
just
nixfmt
just-lsp
litemdview
nil
openssl
pqiv
sops
ssh-to-age
taplo
vscode-langservers-extracted
watchexec
;
};
shellHook = "${config.pre-commit.installationScript}";
};
};
devshellImports = let pre-commit.settings.hooks = {
files = builtins.attrNames (builtins.readDir configPath); nixfmt-rfc-style.enable = true;
in commitizen.enable = true;
map };
(name: configPath + "/${name}")
(builtins.filter (name: builtins.match ".*\\.nix$" name != null) files); treefmt.programs.nixfmt = {
in { enable = true;
imports = devshellImports; width = 200;
}; };
};
} }

1
profiles/user0/default.nix
View file

@ -29,7 +29,6 @@ in
"minecraft" "minecraft"
"netdev" "netdev"
"networkmanager" "networkmanager"
"nextcloud"
"ollama" "ollama"
"opencloud" "opencloud"
"plugdev" "plugdev"

20
profiles/user0/files/misc/justfile.nix
View file

@ -16,20 +16,6 @@ let
hostname = config.networking.hostName; hostname = config.networking.hostName;
deviceLogic = if hostname == mars.name then deimos else mars; deviceLogic = if hostname == mars.name then deimos else mars;
vpnServers = [
"CA363"
"CA220"
"CA358"
"CA627"
];
vpnCommands = lib.concatStrings (
lib.imap0 (i: server: ''
vpn${toString i}:
sudo systemctl start wg-quick-Proton-${server}.service
'') vpnServers
);
in in
{ {
text = text =
@ -73,12 +59,12 @@ in
serverRemote: serverRemote:
ssh ${instances.web.remotehost.address0} ssh ${instances.web.remotehost.address0}
forgejo:
ssh root@${instances.forgejo.interface.ip}
${deviceLogic.name}: ${deviceLogic.name}:
ssh ${deviceLogic.ip.address0} ssh ${deviceLogic.ip.address0}
vpnoff:
sudo systemctl stop wg-quick-Proton-*.service
${vpnCommands}
''; '';
} }

10
secrets/secrets.yaml
View file

@ -23,12 +23,6 @@ vaultwarden:
dns: dns:
namecheap: ENC[AES256_GCM,data:Afxyf4cHvdnPIXYoPN3viBOzzqUOeRs3YjQ5ugerlnL9H4iSf/iAsxyzHYysOgZ/9xc0OWt6G6A7cEZHW4i82MX1+mLbvWN5ir1iHL73RtesC14=,iv:3XMTQ4TNL7iXPYFLSa+BapSgqILYuM6ZaQLMQZSJ2pc=,tag:PO69wRhCoey+CwPgnOOR6A==,type:str] namecheap: ENC[AES256_GCM,data:Afxyf4cHvdnPIXYoPN3viBOzzqUOeRs3YjQ5ugerlnL9H4iSf/iAsxyzHYysOgZ/9xc0OWt6G6A7cEZHW4i82MX1+mLbvWN5ir1iHL73RtesC14=,iv:3XMTQ4TNL7iXPYFLSa+BapSgqILYuM6ZaQLMQZSJ2pc=,tag:PO69wRhCoey+CwPgnOOR6A==,type:str]
cloudflare: ENC[AES256_GCM,data:H0ODjZvDZpaicYwM1qX1V05iaiCsJMUo5aIZYVzQ2bGvsVA+nQYKy7i1qCNbG796WmBOvUJOo1XJHsceTyfGB7rQpgs103RA0CXmc9WfvU74tsER+sVbnCxsGrG1kvyZvD80ACsx53s6j9nXkZO2m7uZgdM8LbEEaj/CVOMDg39YWWKwug==,iv:EALcT+2ES7q/4zEwUXDsyrDzSZnUCsYtYZLIU3xNJQs=,tag:RTyPzUpMcrQtDT4UKn4SNw==,type:str] cloudflare: ENC[AES256_GCM,data:H0ODjZvDZpaicYwM1qX1V05iaiCsJMUo5aIZYVzQ2bGvsVA+nQYKy7i1qCNbG796WmBOvUJOo1XJHsceTyfGB7rQpgs103RA0CXmc9WfvU74tsER+sVbnCxsGrG1kvyZvD80ACsx53s6j9nXkZO2m7uZgdM8LbEEaj/CVOMDg39YWWKwug==,iv:EALcT+2ES7q/4zEwUXDsyrDzSZnUCsYtYZLIU3xNJQs=,tag:RTyPzUpMcrQtDT4UKn4SNw==,type:str]
nextcloud-pass: ENC[AES256_GCM,data:BJWpsEtnezl67vQWwV9WSdpPAYLg3eOXAZ301A382GE=,iv:+1LrBtbjCBcVC7m/fSbXzPnBxbVmpv+2opPoxEfcgjY=,tag:ArMw4yv+Zt6Lhm7CaS5hMg==,type:str]
nextcloud-user0: ENC[AES256_GCM,data:yUZruPJ4s2Svvh6Q0f4C4lgcKCcWJDMw8CpT8cXv3m4=,iv:wo9Cl1OsJY6UOvrJw/UHxtcBKykaYQ69Mue7QYyBXRY=,tag:83XvKKJ9V2aBhznzBkzNEQ==,type:str]
nextcloud-user1: ENC[AES256_GCM,data:6EsbSeWWftPjZQM=,iv:LTcx6fx55d3+SepFIoy/6cBdbgaauDeo0gvq9ACCtHA=,tag:uzoATR3ZL2Uk5z6aMiD/yw==,type:str]
nextcloud-user2: ENC[AES256_GCM,data:axrWMmouq5gwqdGL,iv:BPHEn47z2g7gocKO4g5vV4ZSGb+AMA3vGYheAy1zR5Q=,tag:QOWg4fdKxMhGk2qRehH2EQ==,type:str]
nextcloud-user3: ENC[AES256_GCM,data:g6ldEdtBuEmPAQYAQfaO,iv:6fElE2vZh9l/KgJuNevklpIlZZdqGHgwhnOzq1n3ojE=,tag:T0Q1IkdVTeW2T1FmGnjz8A==,type:str]
nextcloud-smtp: ENC[AES256_GCM,data:8cS/5Fnj/x1/Oikn3EQxlOCLzRJRf4PWx5C0dm2qzY0=,iv:izKI66ndRt56LfjKUQeC1SZBOFf8m4rO6kk6oVneQZA=,tag:oiSMzflj2jeE6QC1KEDBlg==,type:str]
claude-api-key: ENC[AES256_GCM,data:QzGJPBnqx4PrDjNvGeyjl0B/W9pkBS4YWK/lrDK4sx0/eBbwMk2qvi03wOhVfvz71UVRpDIZ0F3eVtB8h8Nr94Ha/8IlFQtKxrh60XIzUs/GLB2jKZursZny8IjqZMrt9YHFOphqAWawB33g,iv:XKPqQ0sGukhy0bPXATYwjJMAfSkXdeanc4kULb5TWmA=,tag:vmH+pzU5qoOF5W0fhVfhDA==,type:str] claude-api-key: ENC[AES256_GCM,data:QzGJPBnqx4PrDjNvGeyjl0B/W9pkBS4YWK/lrDK4sx0/eBbwMk2qvi03wOhVfvz71UVRpDIZ0F3eVtB8h8Nr94Ha/8IlFQtKxrh60XIzUs/GLB2jKZursZny8IjqZMrt9YHFOphqAWawB33g,iv:XKPqQ0sGukhy0bPXATYwjJMAfSkXdeanc4kULb5TWmA=,tag:vmH+pzU5qoOF5W0fhVfhDA==,type:str]
searx-key: ENC[AES256_GCM,data:kzKWa4xCKDEWocyMmK8FWyAqHM7BuJ1f63XFfO8Dtig=,iv:Vs27/ri4nBzJ/A0LnxsCZD/kYraFZ6tD63VhUqYFwx8=,tag:8gx+j7RenuRzjj0AY5v8uQ==,type:str] searx-key: ENC[AES256_GCM,data:kzKWa4xCKDEWocyMmK8FWyAqHM7BuJ1f63XFfO8Dtig=,iv:Vs27/ri4nBzJ/A0LnxsCZD/kYraFZ6tD63VhUqYFwx8=,tag:8gx+j7RenuRzjj0AY5v8uQ==,type:str]
wireguard-CA363: ENC[AES256_GCM,data:iGiAjP5Dbw0kXR3iM50YTS8jBXODNr//W/0OPMAiu1GVC5m8StgsC5uaYEU=,iv:wffyNFWZ36vUjUVMCwo7w16pWWDvnPOUli3tIa/M3S4=,tag:yu7Xl+Ehg1uhzQ3rONSCbA==,type:str] wireguard-CA363: ENC[AES256_GCM,data:iGiAjP5Dbw0kXR3iM50YTS8jBXODNr//W/0OPMAiu1GVC5m8StgsC5uaYEU=,iv:wffyNFWZ36vUjUVMCwo7w16pWWDvnPOUli3tIa/M3S4=,tag:yu7Xl+Ehg1uhzQ3rONSCbA==,type:str]
@ -65,7 +59,7 @@ sops:
bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD
aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig== aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-11-01T07:44:35Z" lastmodified: "2025-11-04T04:09:51Z"
mac: ENC[AES256_GCM,data:a2/GQdFc4tWSOJcKfGeA2sg/f3thnU115kX29xCGHSFLboXKs+i1VJrnCf40aytLySdsuTv2m/7nUPuSEHUrooRRcFSBmCE4lS3Zdbk4PWhN9+3JmffzlVDiEwIbd8DqenrO9WwuiKgJej5sWm99NBCWJICY+NQYq3cUjm3KYNU=,iv:4aJ0EmDISECfQrWgC8OnTUmSzLm23c5QPUPnx6mv3Xw=,tag:zIj0PY44pzVt0IRfBmuJGw==,type:str] mac: ENC[AES256_GCM,data:n2zidnFq3K+SEeXQylmN44Y7v6oGiuatFh/rgaNvIeJONYpk/+IJ7C3ykhFAsjlwpBj8t6T/D7vhKTNMVozebvwCJ7yRfQoxBx7MsZgV+9M/3rVBt1uuzAK5IJ71ep6nlAnWxpJ+28HJIh2bgjhyvTHj/dEkUhSfCo7l2TrjHzc=,iv:TLdNBMQLkQBYwzdQmUuJOVtvSNLJJsRhdcRWcB1ikLA=,tag:i4wSRgjNpwugf0vso8KUng==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.11.0 version: 3.11.0

32
systems/ceres/config/filesystem.nix
View file

@ -13,20 +13,20 @@ let
in in
{ {
fileSystems = fileSystems =
let # let
storageDrives = [ # storageDrives = [
"storage0" # "storage0"
]; # ];
storageMounts = storage: { # storageMounts = storage: {
name = "${ceres.${storage}.mount}"; # name = "${ceres.${storage}.mount}";
value = { # value = {
device = ceres.${storage}.device; # device = ceres.${storage}.device;
fsType = "ext4"; # fsType = "ext4";
options = ceres.${storage}.options; # options = ceres.${storage}.options;
}; # };
}; # };
in # in
{ {
"/" = { "/" = {
device = "/dev/disk/by-uuid/de4e681b-0667-4bf8-8d6e-c50894aa41cd"; device = "/dev/disk/by-uuid/de4e681b-0667-4bf8-8d6e-c50894aa41cd";
@ -36,8 +36,8 @@ in
device = "/dev/disk/by-uuid/C68D-B1C0"; device = "/dev/disk/by-uuid/C68D-B1C0";
fsType = "vfat"; fsType = "vfat";
}; };
} };
// (builtins.listToAttrs (map storageMounts storageDrives)); # // (builtins.listToAttrs (map storageMounts storageDrives));
swapDevices = [ swapDevices = [
{ device = "/dev/disk/by-uuid/259fcc06-912c-4bd3-b781-8f77449e935a"; } { device = "/dev/disk/by-uuid/259fcc06-912c-4bd3-b781-8f77449e935a"; }
@ -45,7 +45,7 @@ in
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"Z ${config.home-manager.users.${user0}.home.homeDirectory} 0755 ${user0} users -" "Z ${config.home-manager.users.${user0}.home.homeDirectory} 0755 ${user0} users -"
"Z ${ceres.storage0.mount} 2775 root root -" # "Z ${ceres.storage0.mount} 2775 root root -"
]; ];
services.udisks2.enable = true; services.udisks2.enable = true;