

21 commits

Nick
5c1d3e6356 feat: glance test 2025-07-03 21:25:03 -05:00
Nick
50644ccbd4 feat: glance test 2025-07-03 21:06:18 -05:00
Nick
1fdf9e3d5e feat: glance test 2025-07-03 21:01:55 -05:00
Nick
76aa17f2fb feat: glance test 2025-07-03 20:56:06 -05:00
Nick
10fa322a83 feat: glance test 2025-07-03 20:49:41 -05:00
Nick
f21952ba05 feat: glance test 2025-07-03 20:42:37 -05:00
Nick
008a38b808 feat: glance test 2025-07-03 20:41:40 -05:00
Nick
0e431fe4b1 feat: glance test 2025-07-03 20:35:35 -05:00
Nick
6e7ef9901c feat: glance test 2025-07-03 20:30:31 -05:00
Nick
547bc9d43e feat: glance test 2025-07-03 20:28:42 -05:00
Nick
4b255e7f26 feat: glance test 2025-07-03 20:25:51 -05:00
Nick
edadd32d3a feat: glance test 2025-07-03 20:25:06 -05:00
Nick
8118b90e55 feat: glance test 2025-07-03 20:21:14 -05:00
Nick
d2550deac3 feat: glance test 2025-07-03 20:16:56 -05:00
Nick
c667b34f37 feat: glance test 2025-07-03 20:12:21 -05:00
Nick
021eda06aa feat: added glance to caddy 2025-07-03 20:11:18 -05:00
Nick
2205231563 feat: added glance to caddy 2025-07-03 20:03:37 -05:00
Nick
187e067118 feat: added glance to caddy 2025-07-03 19:49:48 -05:00
Nick
d306321c8a feat: wireguard test 2025-07-03 19:43:04 -05:00
Nick
44865ba36c feat: wireguard test 2025-07-03 19:40:32 -05:00
Nick
4344fa207a feat: removed some bunk services 2025-07-03 19:19:12 -05:00
14 changed files with 131 additions and 146 deletions


@ -14,6 +14,9 @@ in
ip = { ip = {
address0 = deimosIP; address0 = deimosIP;
}; };
wireguard = {
ip0 = "10.100.0.3";
};
boot = { boot = {
options = ownerWriteOthersReadMask; options = ownerWriteOthersReadMask;
}; };


@ -1,35 +0,0 @@
{ moduleFunctions }:
let
inherit (moduleFunctions.instancesFunctions)
domain0
servicePath
sslPath
sopsPath
;
label = "Podgrab";
name = "podgrab";
subdomain = "podcasts";
domain = "${subdomain}.${domain0}";
in
{
label = label;
name = name;
sops = {
path0 = "${sopsPath}/${name}";
};
domains = {
url0 = domain;
};
subdomain = name;
paths = {
path0 = "${servicePath}/${label}";
};
ports = {
port0 = 4242;
};
ssl = {
cert = "${sslPath}/${name}.${domain0}/fullchain.pem";
key = "${sslPath}/${name}.${domain0}/key.pem";
};
}

modules/home/cli/utilities/dig/default.nix Normal file → Executable file

modules/home/cli/utilities/ipTables/default.nix Normal file → Executable file


@ -10,7 +10,6 @@ in
mullvad mullvad
syncthing syncthing
ollama ollama
glance
plasma plasma
sddm sddm
hypr hypr
@ -32,7 +31,6 @@ in
sddm sddm
flatpak flatpak
espanso espanso
glance
; ;
}; };
}; };
@ -52,17 +50,18 @@ in
acme acme
audiobookshelf audiobookshelf
caddy caddy
forgejo
glance
jellyfin jellyfin
logrotate logrotate
mastodon mastodon
minecraft minecraft
ollama ollama
website
postgresql postgresql
samba samba
searx searx
vaultwarden vaultwarden
forgejo website
; ;
}; };
}; };


@ -32,15 +32,15 @@ in
value = dnsConfig; value = dnsConfig;
}) })
[ [
"audiobookshelf"
"glance"
"jellyfin" "jellyfin"
"minecraft" "minecraft"
"ollama"
"nextcloud" "nextcloud"
"syncthing" "ollama"
"searx" "searx"
"podgrab" "syncthing"
"vaultwarden" "vaultwarden"
"audiobookshelf"
] ]
) )
++ (map ++ (map
@ -49,9 +49,9 @@ in
value = dnsConfig; value = dnsConfig;
}) })
[ [
"peertube"
"forgejo" "forgejo"
"mastodon" "mastodon"
"peertube"
] ]
) )
++ (map ++ (map


@ -1,10 +1,14 @@
{ flake, service, ... }: { flake, configHelpers, ... }:
let let
inherit (flake.config.people) user0; inherit (flake.config.people) user0;
inherit (flake.config.machines.devices) ceres;
in in
{ {
assets-path = "/home/${user0}/Files/Projects/dotfiles/modules/nixos/services/glance/assets"; assets-path = "/home/${user0}/Files/Projects/dotfiles/modules/nixos/services/glance/assets";
port = service.ports.port0; # host = configHelpers.host;
# host = configHelpers.localhost;
host = ceres.wireguard.ip0;
port = configHelpers.service.ports.port0;
# auth = { # auth = {
# secret-key = config.sops.secrets."${service.name}-key".path; # secret-key = config.sops.secrets."${service.name}-key".path;
# users.${user0}.password = config.sops.secrets."${service.name}-${user0}-pass".path; # users.${user0}.password = config.sops.secrets."${service.name}-${user0}-pass".path;
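Review bot: The commented-out `auth` block at the end of the hunk still refers to `service.name` and `config`, but this file's parameters are now `{ flake, configHelpers, ... }` and the `service` binding is gone, so un-commenting it later will fail on two unbound names; either update it to `configHelpers.service.name` (and add `config` to the argument set) or delete it. As it stands glance runs with no application-level login and relies entirely on network position via `host = ceres.wireguard.ip0;`, which is a reasonable choice but worth stating, e.g. `# auth intentionally disabled: reachable only over wg0 behind Caddy's remote_ip allowlist`. Binding to the WireGuard address rather than the still-commented `configHelpers.localhost` also means the dashboard answers to any WG peer that reaches the port directly, not only to Caddy.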


@ -1,10 +1,20 @@
{ config, flake, ... }: { config, flake, ... }:
let let
inherit (flake.config.services.instances) glance jellyfin; inherit (flake.config.services.instances)
glance
jellyfin
web
;
inherit (flake.config.machines.devices) ceres mars deimos;
configHelpers = {
service = glance; service = glance;
hostname = config.networking.hostName;
localhost = web.localhost.address1;
host = configHelpers.service.domains.url0;
};
configPath = ./config; configPath = ./config;
configImports = { configImports = {
server = import (configPath + /server.nix) { inherit flake service; }; server = import (configPath + /server.nix) { inherit flake configHelpers; };
branding = import (configPath + /branding.nix); branding = import (configPath + /branding.nix);
theme = import (configPath + /theme.nix); theme = import (configPath + /theme.nix);
pages = import (configPath + /pages.nix) { inherit config flake; }; pages = import (configPath + /pages.nix) { inherit config flake; };
@ -16,11 +26,32 @@ in
enable = true; enable = true;
settings = configImports; settings = configImports;
}; };
caddy = {
virtualHosts = {
"${configHelpers.host}" = {
extraConfig = ''
@allowed_ips {
remote_ip ${mars.wireguard.ip0} ${deimos.wireguard.ip0}
}
handle @allowed_ips {
redir /.well-known/carddav /remote.php/dav/ 301
redir /.well-known/caldav /remote.php/dav/ 301
reverse_proxy ${ceres.wireguard.ip0}:${toString configHelpers.service.ports.port0}
}
handle {
respond "Access Denied" 403
}
tls ${configHelpers.service.ssl.cert} ${configHelpers.service.ssl.key}
'';
};
};
};
}; };
sops = sops =
let let
sopsPath = secret: { sopsPath = secret: {
path = "/run/secrets/${service.name}-${secret}"; path = "/run/secrets/${configHelpers.service.name}-${secret}";
owner = "root"; owner = "root";
group = "root"; group = "root";
mode = "644"; mode = "644";
@ -30,7 +61,7 @@ in
secrets = builtins.listToAttrs ( secrets = builtins.listToAttrs (
map map
(secret: { (secret: {
name = "${service.name}-${secret}"; name = "${configHelpers.service.name}-${secret}";
value = sopsPath secret; value = sopsPath secret;
}) })
[ [
@ -41,15 +72,10 @@ in
); );
}; };
systemd.tmpfiles.rules = [
# "Z ${service.paths.path0} 755 ${service.name} ${service.name} -"
# "Z ${service.sops.path0} 755 root root -"
];
networking = { networking = {
firewall = { firewall = {
allowedTCPPorts = [ interfaces.wg0.allowedTCPPorts = [
service.ports.port0 configHelpers.service.ports.port0
]; ];
}; };
}; };
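Review bot: The new `interfaces.wg0.allowedTCPPorts = [ configHelpers.service.ports.port0 ]` at the bottom of the hunk opens glance's listener to every WireGuard peer, so the `@allowed_ips` allowlist in the Caddy vhost above only governs the TLS front door while `ceres.wireguard.ip0:port0` stays reachable directly from any peer routed into wg0. Since `services.glance` and `services.caddy` are configured in the same module and so run on the same host, Caddy can proxy over loopback instead: `reverse_proxy ${configHelpers.localhost}:${toString configHelpers.service.ports.port0}` together with a localhost bind in server.nix, and the wg0 firewall entry can then be dropped so the allowlist is the single choke point. The `redir /.well-known/carddav` and `caldav` lines look copied from a Nextcloud vhost and have no meaning for glance; removing them keeps the vhost honest about what it serves.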


@ -1,77 +0,0 @@
{ config, flake, ... }:
let
inherit (flake.config.services.instances) podgrab web;
inherit (flake.config.machines.devices) ceres;
service = podgrab;
localhost = web.localhost.address0;
host = service.domains.url0;
in
{
services = {
podgrab = {
enable = true;
port = service.ports.port0;
passwordFile = config.sops.secrets."${service.name}-pass".path;
dataDirectory = service.paths.path0;
};
caddy = {
virtualHosts = {
"${host}" = {
extraConfig = ''
redir /.well-known/carddav /remote.php/dav/ 301
redir /.well-known/caldav /remote.php/dav/ 301
reverse_proxy ${localhost}:${toString service.ports.port0}
tls ${service.ssl.cert} ${service.ssl.key}
'';
};
};
};
};
sops =
let
sopsPath = secret: {
path = "${service.sops.path0}/password.env";
owner = service.name;
mode = "600";
};
in
{
secrets = builtins.listToAttrs (
map
(secret: {
name = "${service.name}-${secret}";
value = sopsPath secret;
})
[
"pass"
]
);
};
fileSystems."/var/lib/${service.name}" = {
device = service.paths.path0;
fsType = "none";
options = [
"bind"
];
depends = [
ceres.storage0.mount
];
};
systemd.tmpfiles.rules = [
"Z ${service.paths.path0} 0755 ${service.name} ${service.name} -"
"Z ${service.sops.path0} 0755 ${service.name} ${service.name} -"
];
networking = {
firewall = {
allowedTCPPorts = [
service.ports.port0
];
};
};
}


@ -5,7 +5,7 @@
... ...
}: }:
let let
inherit (flake.config.machines.devices) ceres mars; inherit (flake.config.machines.devices) ceres mars deimos;
inherit (flake.config.services.instances) searx web; inherit (flake.config.services.instances) searx web;
configHelpers = { configHelpers = {
service = searx; service = searx;
@ -47,7 +47,7 @@ in
"${configHelpers.host}" = { "${configHelpers.host}" = {
extraConfig = '' extraConfig = ''
@allowed_ips { @allowed_ips {
remote_ip ${mars.wireguard.ip0} remote_ip ${mars.wireguard.ip0} ${deimos.wireguard.ip0}
} }
handle @allowed_ips { handle @allowed_ips {


@ -40,6 +40,8 @@ wireguard-phone-private: ENC[AES256_GCM,data:hm6KoNseaalt+/SYCkCW0w4sRzzpNNMjhda
wireguard-phone-public: ENC[AES256_GCM,data:gGMAIg3T6dOmo1z2c6oZ8Sgnylp0wjpADRWRyBCAEhmlJp1PVj+d478TO08=,iv:A4DV7zPKXwVF2nyFySyrmfdExoo3LrbiYt6PYa4/WcQ=,tag:wY4fYv1wXE0tYonrLoHpGQ==,type:str] wireguard-phone-public: ENC[AES256_GCM,data:gGMAIg3T6dOmo1z2c6oZ8Sgnylp0wjpADRWRyBCAEhmlJp1PVj+d478TO08=,iv:A4DV7zPKXwVF2nyFySyrmfdExoo3LrbiYt6PYa4/WcQ=,tag:wY4fYv1wXE0tYonrLoHpGQ==,type:str]
wireguard-mars-private: ENC[AES256_GCM,data:pUkR29PgGhHeR3d6fFJDs0bwASaC/RqUTsJe+vYs+P2skIGivkRzhi3LRBE=,iv:JK7O28r73V3NiVGikMIZunJtrdtp4jOGPi2quLYSkWY=,tag:nSHqfnZhiLrm7JuZuJtc7Q==,type:str] wireguard-mars-private: ENC[AES256_GCM,data:pUkR29PgGhHeR3d6fFJDs0bwASaC/RqUTsJe+vYs+P2skIGivkRzhi3LRBE=,iv:JK7O28r73V3NiVGikMIZunJtrdtp4jOGPi2quLYSkWY=,tag:nSHqfnZhiLrm7JuZuJtc7Q==,type:str]
wireguard-mars-public: ENC[AES256_GCM,data:fA37Ev7WL2vsgG/PE4YMFHclbhjHqCgNCOiF5J9L5UD8YuGCHUbpTV7A+w4=,iv:K9W/IZatUL+HZ5k9FGjmA4+He4xTO3IAswqpbelfhPw=,tag:FC5kiMD/pdtNjQxklDvfrA==,type:str] wireguard-mars-public: ENC[AES256_GCM,data:fA37Ev7WL2vsgG/PE4YMFHclbhjHqCgNCOiF5J9L5UD8YuGCHUbpTV7A+w4=,iv:K9W/IZatUL+HZ5k9FGjmA4+He4xTO3IAswqpbelfhPw=,tag:FC5kiMD/pdtNjQxklDvfrA==,type:str]
wireguard-deimos-private: ENC[AES256_GCM,data:A/LbG/kTjT0xa93Y31RXfM6D9ibHHjuaZ0TIFr8/zn2l7AD7NfmpgZXuPII=,iv:tK9Iyll/GXPXNsMXJKpNKSxMqeHLqSgCfQTSM8+NOVU=,tag:yfJP9hjR/6DXgKtFKqR5Zw==,type:str]
wireguard-deimos-public: ENC[AES256_GCM,data:ZhcnUafVzrPtEP19TgnsEl6Edwjxbkeb2N+Rg7V1O7zArhcc+Owk/l6iHU4=,iv:UcKBnz/4sGyLM/lQJo7e3G0qWAWlTtRNl5K1e3oT1sw=,tag:BbjZcjl98X9aoCTD+hfhgg==,type:str]
glance-jellyfin: ENC[AES256_GCM,data:ozdDKgAWkA88J2j8RtiOP/aQPAt/neUOSlAZF20g510=,iv:x+VhYlnA9F/VPrzVcma4/oPelCc8kjWoTZvOs4L9Uqo=,tag:crdSDjr8Y5GH/JAF6t8Yeg==,type:str] glance-jellyfin: ENC[AES256_GCM,data:ozdDKgAWkA88J2j8RtiOP/aQPAt/neUOSlAZF20g510=,iv:x+VhYlnA9F/VPrzVcma4/oPelCc8kjWoTZvOs4L9Uqo=,tag:crdSDjr8Y5GH/JAF6t8Yeg==,type:str]
kanboard-smtp: ENC[AES256_GCM,data:eOIEGwJZlvbJaTfDRU3IFQ==,iv:Jex01WlHG3uxqUnTSF+v1BgnNcIu4cS9OwHBCFl1m28=,tag:3Eld1FkI6AftlCyC3419BA==,type:str] kanboard-smtp: ENC[AES256_GCM,data:eOIEGwJZlvbJaTfDRU3IFQ==,iv:Jex01WlHG3uxqUnTSF+v1BgnNcIu4cS9OwHBCFl1m28=,tag:3Eld1FkI6AftlCyC3419BA==,type:str]
podgrab-pass: ENC[AES256_GCM,data:DVmJDb4VqcZDKNcedSaRA5dqKOzx1tSzDiK3i23+a6v3nK+4Kh7n8EA=,iv:SiiUjJLHkCOO1VKCmubftKx06laFqNv79tIPnkVYrJU=,tag:kdkT+03DemlNAsuzps8fnw==,type:str] podgrab-pass: ENC[AES256_GCM,data:DVmJDb4VqcZDKNcedSaRA5dqKOzx1tSzDiK3i23+a6v3nK+4Kh7n8EA=,iv:SiiUjJLHkCOO1VKCmubftKx06laFqNv79tIPnkVYrJU=,tag:kdkT+03DemlNAsuzps8fnw==,type:str]
@ -56,7 +58,7 @@ sops:
bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD
aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig== aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-01T08:55:49Z" lastmodified: "2025-07-04T00:40:18Z"
mac: ENC[AES256_GCM,data:2m5iKDV7yIkYIL2bq9+7sFD2Nf8K1Z7mB6EKE3U+nFurOTxgUE0W10kV3BJoPoD78t5xjdbbmIt+NpmH9D41oE4lSPlOdTZujEpT0EcuNBVwz4MDBR/N7GRk74Etq1kJQ2f/NInhh8eH4xZDCQHR8BKxSX1RCd/0yWqrEbpfWrk=,iv:7gI48Urn0xFJwx3l3IzBT7KLTf4FlIf5p5Y/6Pms3ZA=,tag:QdA9cuKvFbXfT7kMbth5hQ==,type:str] mac: ENC[AES256_GCM,data:N2BwAzga2/Ig96p49rqNhhZ2udYWt7mQ9JD8DFXuxa3HOh3gtx7FWeWpGjvLnLWCgGcT4R61RKmgZQZRADNxYPE3vtdpPOFz0XvgcYSDlwslzBdSsVc08sh77P0LDgZsCzE1MxYynQ6nzFcc6gW5sorInLarsHoCCBC+Z5YpOVg=,iv:H6d3VrERM02/1zI5boFemEpMYD3greYZRqlSpBqROzM=,tag:TEakUvOlKoZYo/XPS6HVnA==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.10.2 version: 3.10.2
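Review bot: `wireguard-deimos-private` is added to the same secrets file that already carries `wireguard-mars-private` and `wireguard-phone-private`, so every host whose age key can decrypt this file (the recipients come from a .sops.yaml not shown here) ends up holding every peer's private key, and compromise of any one of them undoes WireGuard's per-host key isolation. If more than one host decrypts this file, consider a per-host secrets file or creation rules that scope each `wireguard-<host>-private` to that host's key only. `wireguard-deimos-public` does not need to be encrypted at all, since the same public key is already committed in plaintext in the peer lists; keeping it here only adds a misleading secret.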


@ -1,8 +1,8 @@
{ config, flake, ... }: { config, flake, ... }:
let let
inherit (flake.config.services.instances) wireGuard searx; inherit (flake.config.services) instances;
inherit (flake.config.machines.devices) mars ceres; inherit (flake.config.machines.devices) mars deimos ceres;
service = wireGuard; service = instances.wireGuard;
in in
{ {
networking = { networking = {
@ -14,9 +14,6 @@ in
service.ports.port0 service.ports.port0
service.ports.port1 service.ports.port1
]; ];
interfaces.wg0.allowedTCPPorts = [
searx.ports.port0
];
}; };
nat = { nat = {
@ -32,10 +29,17 @@ in
listenPort = service.ports.port1; listenPort = service.ports.port1;
privateKeyFile = config.sops.secrets."${service.name}-private".path; privateKeyFile = config.sops.secrets."${service.name}-private".path;
peers = [ peers = [
# if you need to create a new key pair
# wg genkey | save --raw --force privatekey
# open privatekey | wg pubkey | save --raw --force publickey
{ {
publicKey = "9zfRPxkxTLHM9tABC8lIaDMrzdjcF2l1mtG82uqGKUQ="; publicKey = "9zfRPxkxTLHM9tABC8lIaDMrzdjcF2l1mtG82uqGKUQ=";
allowedIPs = [ "${mars.wireguard.ip0}/32" ]; allowedIPs = [ "${mars.wireguard.ip0}/32" ];
} }
{
publicKey = "hKbvOlvKdWAlq45rfV3ggwOI8xqiqVWweXV+2GQx/0I=";
allowedIPs = [ "${deimos.wireguard.ip0}/32" ];
}
]; ];
}; };
}; };
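Review bot: The hunk drops `interfaces.wg0.allowedTCPPorts = [ searx.ports.port0 ]` from the ceres firewall, and no hunk on this page adds an equivalent in the searx module (its only change here is the `remote_ip` allowlist), so unless the searx module already declares that rule elsewhere, searx stops being reachable over wg0 after this change; please confirm where the port is now opened. The key-generation comment added above the peer list uses nushell syntax (`save --raw --force`), which will surprise anyone reading it as a POSIX shell; prefixing it, e.g. `# (nushell) wg genkey | save --raw --force privatekey`, avoids the confusion.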


@ -0,0 +1,56 @@
{ config, flake, ... }:
let
inherit (flake.config.services.instances) wireGuard web;
inherit (flake.config.services) instances;
inherit (flake.config.machines.devices) ceres deimos;
service = wireGuard;
in
{
networking = {
hosts = {
${ceres.wireguard.ip0} = [
instances.searx.domains.url0
instances.glance.domains.url0
];
};
wireguard.interfaces = {
wg0 = {
ips = [ "${deimos.wireguard.ip0}/32" ];
privateKeyFile = config.sops.secrets."${service.name}-deimos-private".path;
peers = [
{
publicKey = "fs58+Kz+eG9qAXvvMB2NkW+wa88yP61uam4HHWaBJVw=";
allowedIPs = [
"${ceres.wireguard.ip0}/32"
"${web.localhost.address4}/24"
];
endpoint = "${web.remotehost.address0}:${builtins.toString service.ports.port1}";
persistentKeepalive = 25;
}
];
};
};
};
sops =
let
sopsPath = secret: {
path = "${service.sops.path0}/${service.name}-${secret}-pass";
owner = "root";
mode = "600";
};
in
{
secrets = builtins.listToAttrs (
map
(secret: {
name = "${service.name}-${secret}";
value = sopsPath secret;
})
[
"deimos-private"
"deimos-public"
]
);
};
}
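Review bot: The ceres peer's `allowedIPs` includes `"${web.localhost.address4}/24"`, which routes a whole /24 into the tunnel from deimos, whereas the reverse direction on ceres admits deimos only as a `/32`; if `address4` is ceres's LAN range this exposes every host on that LAN to deimos through the tunnel, which is broader than the two services actually mapped in `networking.hosts`. Narrow it to the specific addresses needed or add a comment explaining why the full subnet must be reachable. Separately, the sops path template `${service.sops.path0}/${service.name}-${secret}-pass` writes the private key to a file ending in `-pass`, and `deimos-public` is installed as a 0600 root secret even though a public key needs no protection; `path = "${service.sops.path0}/${service.name}-${secret}";` and dropping `"deimos-public"` from the list would be clearer.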


@ -8,7 +8,10 @@ in
{ {
networking = { networking = {
hosts = { hosts = {
${ceres.wireguard.ip0} = [ instances.searx.domains.url0 ]; ${ceres.wireguard.ip0} = [
instances.searx.domains.url0
instances.glance.domains.url0
];
}; };
wireguard.interfaces = { wireguard.interfaces = {
wg0 = { wg0 = {