harry123/nix-config
1
0
Fork 0
mirror of https://github.com/harryssecret/homelab-nix.git synced 2025-02-23 06:43:57 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

first commit

Browse source
This commit is contained in:
Harry 2024-07-08 19:11:59 +02:00
commit d746960980
8 changed files with 507 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
.sops.yaml Normal file
View file

@ -0,0 +1,9 @@
keys:
- &admin_cypherpunk age1c8kr95dc7cqq34qyjgpnsgfgyntqnt5rlrq2c025ehp32f8h3sjqkf8k3s
- &server_cypherpunk age1k9297jq43kjmqcau62rt7pz0fc8uqkyshpm6kvw2tky4997r6flqmx8cce
creation_rules:
- path_regex: secrets/[^/]+\.(yaml|json|env)$
key_groups:
- age:
- *admin_cypherpunk
- *server_cypherpunk

104
configuration.nix Normal file
View file

@ -0,0 +1,104 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{
config,
lib,
pkgs,
...
}:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
"${(import ./nix/sources.nix).sops-nix}/modules/sops"
./server-configuration.nix
];
# Use the GRUB 2 boot loader.
boot = {
loader.grub = {
enable = true;
device = "/dev/sda";
};
kernelParams = [ "console=ttyS0" ];
};
networking.hostName = "hypervirtualworld"; # Define your hostname.
# Set your time zone.
time.timeZone = lib.mkDefault "Europe/Paris";
# Select internationalisation properties.
i18n.defaultLocale = "fr_FR.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "fr";
};
services.qemuGuest.enable = true;
services.cloud-init.network.enable = true;
# Define a user account. Don't forget to set a password with passwd.
users.users.cypherpunk = {
isNormalUser = true;
extraGroups = [
"wheel"
"docker"
"dialout"
]; # Enable sudo for the user.
packages = with pkgs; [ btop ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA8sdToNavEQv7PTMJ97HIGM6UlChwGS3x9O8hFilzui harryh@ik.me"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/pj2uTGRHkYwP/EqIfgHP+MQavBuDMnWMXtOedkwIQ harryh@ik.me"
];
};
# List packages installed in system profile. To search, run:
environment.systemPackages = with pkgs; [
neovim
curl
git
];
# enable docker
virtualisation.docker = {
enable = true;
};
# configure openssh
services.openssh = {
enable = true;
# require public key authentication for better security
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
settings.PermitRootLogin = "no";
};
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
system.copySystemConfiguration = true;
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#
# Most users should NEVER change this value after the initial install, for any reason,
# even if you've upgraded your system to a new NixOS release.
#
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
# to actually do that.
#
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.
#
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
# and migrated your data accordingly.
#
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "24.05"; # Did you read the comment?
}

42
hardware-configuration.nix Normal file
View file

@ -0,0 +1,42 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/62b25445-dfe7-4b49-83bc-c479335c1a78";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

1
nix Symbolic link
View file

@ -0,0 +1 @@
/home/cypherpunk/nix/

34
secrets/example.yaml Normal file
View file

@ -0,0 +1,34 @@
slskd:
username: ENC[AES256_GCM,data:iBBZDMMXqmc=,iv:AgFj1FIZqqJrlwWWGcb9M3GzsSGi2rZAw2FEffzVAM8=,tag:4g9dWLXbrzRmeohKRYmx5w==,type:str]
password: ENC[AES256_GCM,data:VtTXofstN6Auz3SO,iv:bMU3HLCsSh8ZZftmH5kEbYZoFtNIeqtTM9fUgCYLxhc=,tag:YwFIr/eqHAHXdtgqUguMMQ==,type:str]
searx:
secret_key: ENC[AES256_GCM,data:Aiy95HoQTPzqkL6LPrW1Ya/NyIEPEFlFoOkIV+6DUWM=,iv:TJk+EcNHXPzSto/QiaenH369PG5LLYt4JoEAhdksPNc=,tag:GjSR5dMNKKEif7hQmeEV8w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1c8kr95dc7cqq34qyjgpnsgfgyntqnt5rlrq2c025ehp32f8h3sjqkf8k3s
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxS3dXcEkycEltZ1JRbC8z
cFkwRDViUlFCTXlsTnhHMERBYkI5M1FtclNBCkljTm5iY0RZazd4RW1Rb1hpQVN4
SDU5Zkw5L0VPZEt6Lys2a3BYdWIvTncKLS0tIEFkYys1VjRrK1pDUHZtL09GeDE5
emdUNFBOcDdYSmZ0S1hmMmFzck1LTFEKnMvK7JDqojKElSzlMJbYwiq5/2NTAaPI
FFDqrrLfJ3qn7IZmuFQapIpSyWB9v4sSZqdPu23TK2GEy8wWweJQjw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1k9297jq43kjmqcau62rt7pz0fc8uqkyshpm6kvw2tky4997r6flqmx8cce
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByeGZxa1haT0NMTG01cXZH
TjVVSENSMThKaWhCQ0l5c1BRQnZycmdHekVnClkzWjhZKy94RjFyYjJQeXo4bDZI
am14WGoyNEMrMzNGbndnWUdjbCtoK1EKLS0tIENNV3NwRGY1M0U3M0ZnTjhtU05N
MEZhN2dYUXZpWEpydlRNMU9FSnpRTXMK9w4bgI/kAAQB/FXwt7k7xcQAFKEfaCVD
ZoBG7/wPfpvmk73gLf7xHrrKG0N90mVVSVtVjP+R6bs4B50bAuQtRA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-07T13:15:54Z"
mac: ENC[AES256_GCM,data:A4ELPQIvjgPjcZvRbOsY0aMyxBJxuJaxAsYJ096Zzt957O/jco/ixaNOCNyLYgyN9eynuf+eW4NrYMAmCmFytkO3hCclys3vpTm81U35MPbfxEmE+p7ikyu7p8klskFS8olRIQZKL6TvE4vCOMXFvGxvq7GiOLDkb27IbAroVB0=,iv:73OEcyqz6HOVcKIA3ROncVClDd9h6p2kcfGesTANfC4=,tag:7Gp9RGzLDslBvJJKJLXITA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

9
secrets/searx.env Normal file
View file

@ -0,0 +1,9 @@
SECRET_KEY=ENC[AES256_GCM,data:Tz1+TBc07+S+1s65OsXglFD6AWPk9so5LoABfRQFt/0=,iv:DBCDFrDBjn2/H6ycvDGjABpBvDSP/P52C9313K7F2VE=,tag:dqtWCP2r9mF3pfB7XKNKHQ==,type:str]
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4ZDJhNXFzcXdDODF3KzlK\nb2V2ZmNleitiZHhTZlRyQXBjLzcvV3hZRTIwCnV3Qy9WMU93MlV2RUFoWmdPZkFF\nQW5BWCtRVkF4cDVUUXE4VjNNY2ZvUEUKLS0tIEJFcWc5Y3pRZDVnMVBJdFhmU1FO\nSHd0bVRGZFFPWG1QUXl3aWlIdVRGdTQK2Z/iidiGms+sZJkZa+WBgVO370xW+ZOr\nulDZFCZ6HFBjNDUWwk5+WPVMsT2yKSScFdEcFDh1xjMta8v6ufKnQg==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_0__map_recipient=age1c8kr95dc7cqq34qyjgpnsgfgyntqnt5rlrq2c025ehp32f8h3sjqkf8k3s
sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDUzBZQ0FwK0NmdlVnZWVS\nRmZyTjkwMWJXOE5UWnZHeUUva2ZKU3dFY0FRClRlTnJtZ1VwZE1SSkNZR1ZmaGxh\nLzBxbVI2ZjVhNm0yU1I5Rm9pTGpaajAKLS0tIGZ5ZlRJM0p5WXBqemNvYlFGcVhD\na0RoSWcvZkxkejc4b3FlSG45RUdHWEkKMcs10Bu0Box9DL9Jr/U6lqmzybQvI8uh\nomBSFIoXcf+Nbeo/cQWAT4WdjwWSbfyYX6is7K10E2fPc9+Bv+ZCMw==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_1__map_recipient=age1k9297jq43kjmqcau62rt7pz0fc8uqkyshpm6kvw2tky4997r6flqmx8cce
sops_lastmodified=2024-07-08T16:04:38Z
sops_mac=ENC[AES256_GCM,data:jbs/oz2xndHP8c5iyZFodh/AiT6A7q72KvKbb7UBzTfnhkl9TzdrsHVowSLZrK8Lv2JeReehLSLK5W4B3UPPQM5975Ycxa2wtA2sinkm6n3e8BN4qB3ia8PLpsfXi4WbKSvkYX/jojQmXEZLrxSFOzu2N3+P5Bqx19D89mY2O80=,iv:woWu6lZ1er3DB/aRmfeJSzt4SrR6IBYmZ0pCgFeFy2E=,tag:k/xzSdMakgf5qvzrnsvXPg==,type:str]
sops_unencrypted_suffix=_unencrypted
sops_version=3.8.1

10
secrets/slskd.env Normal file
View file

@ -0,0 +1,10 @@
SLSKD_SLSK_USERNAME=ENC[AES256_GCM,data:ndRuxcaBnFQ=,iv:5Yw/OR9yIZ4f2Ih+l/eLYQrYWx1/mmAZeWS+uq63/AA=,tag:/3TZ2kmsPBcEZZ/o5Q7qMw==,type:str]
SLSKD_SLSK_PASSWORD=ENC[AES256_GCM,data:UCeJInKY+fjP03w+,iv:pEp8lm8os6W67uRoyzohA08GPeQtUs+I2nJP/N4Qj7o=,tag:KFznti99iojUANNOLRNfjg==,type:str]
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4OVhrM2dscXFPSy8zK3E0\neWpKY1pncCsxeGNOUmRJQlRCaUtnWFFpcDJnCk1YRGEvZnFESVBhYmdiVWVNbnZw\nci94SEozZlVJVmZ4bmxpRGpoN0R4Z0UKLS0tIFVVSnc1R05MeVhQSnROMnFXS1Uw\nYld3TklmVmN0V1JhaldRcndBYzJ2K0EKmIZHSF/UJiS8bfjBns8x+dSXeg0C1Hzs\nda/d+EA8fuasS9uL59MSGkrWbDMuYvfi79kyR5KvEhIVofM+PuTbdg==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_0__map_recipient=age1c8kr95dc7cqq34qyjgpnsgfgyntqnt5rlrq2c025ehp32f8h3sjqkf8k3s
sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBLzh4R0ttM3RSdytnVElR\nZTRpZ2s0eTRNWFIwazZaTExXNW1kRWxqUVdrCnJsVE5ZeUpnczJoTGdZL0huNXFq\ndy94bUdkcXpnTmFDK0dwSktlTFF0SnMKLS0tIGVJNFZpNUswWnJWZzRkNVhIVzRX\nbmxyaWZlQmRSSkhXcnIvN0hMQno0TzgKw7/0A1XNMO5kFNZrQ9ook6JCWKHX52C/\nB0FeBiB3BhH3VUgG8H8z2fiyaCQbMRXEi0MjzajWbc+n7WgnlkhDTg==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_1__map_recipient=age1k9297jq43kjmqcau62rt7pz0fc8uqkyshpm6kvw2tky4997r6flqmx8cce
sops_lastmodified=2024-07-08T12:01:54Z
sops_mac=ENC[AES256_GCM,data:2C8abKsoaQhoL/jUWJOFuPKHvpZq8TcIy8XcxcsvCVhpLaoFeK8E0i9BCnpUQTFHE4NJF6pIvrGBWMirUlf20QTmxywdcuUL9sqNahNGPFSCEGhpyQyNCcqlX7qVn6rGgBjfRDcGHIKPWFco83vKDWz9cDtLGbsl8z9Pi3e9jwY=,iv:2A60YeXfz5idgfa4Ps8qtFRz+deAd9Cocgt9x0lH/LQ=,tag:ioAdk22Bz8/SqL1ookQLFg==,type:str]
sops_unencrypted_suffix=_unencrypted
sops_version=3.8.1

298
server-configuration.nix Normal file
View file

@ -0,0 +1,298 @@
{
config,
lib,
pkgs,
...
}:
let
ip = "192.168.1.207";
driveMountPoint = "/mnt/hdd1";
authentik-version = "2024.2.3";
authentik-nix-src = builtins.fetchTarball {
url = "https://github.com/nix-community/authentik-nix/archive/version/${authentik-version}.tar.gz";
sha256 = "15b9a2csd2m3vwhj3xc24nrqnj1hal60jrd69splln0ynbnd9ki4";
};
authentik-nix = import authentik-nix-src;
in
{
# mounting external hard drives !
fileSystems."/mnt/hdd1" = {
device = "/dev/disk/by-uuid/008e5b16-5620-4fd5-a506-ef8d9bdec0c7";
fsType = "ext4";
options = [
"defaults"
"nofail"
"rw"
];
};
# setting up networking!!
networking = {
interfaces = {
ens18.ipv4.addresses = [
{
address = ip;
prefixLength = 24;
}
];
};
defaultGateway = "192.168.1.1";
nameservers = [
"1.1.1.1"
"1.0.0.1"
];
nftables.enable = true;
# firewall rules
firewall = {
enable = true;
allowedTCPPorts = [ 22 5030 8080 9091 ];
allowedUDPPorts = [ ];
};
};
# enable samba
services.samba = {
enable = true;
securityType = "user";
openFirewall = true;
extraConfig = ''
workgroup = WORKGROUP
server string = hyperserver
netbios name = hyperserver
security = user
'';
shares = {
music = {
path = "${driveMountPoint}/Music";
browseable = "yes";
"read only" = "no";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "cypherpunk";
};
ebooks = {
path = "${driveMountPoint}/Ebooks";
browseable = "yes";
"read only" = "no";
"create mask" = "0644";
"directory mask" = "0755";
"force user" = "cypherpunk";
};
};
};
imports = [ authentik-nix.nixosModules.default ];
sops.age.sshKeyPaths = [ "/home/cypherpunk/.ssh/id_ed25519" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
sops.secrets."searx.env" = {
sopsFile = ./secrets/searx.env;
format = "dotenv";
};
sops.secrets."slskd.env" = {
sopsFile = ./secrets/slskd.env;
format = "dotenv";
};
environment.systemPackages = with pkgs; [
jellyfin
jellyfin-web
jellyfin-ffmpeg
transmission
sonarr
radarr
prowlarr
readarr
jellyseerr
homepage-dashboard
slskd
niv # for using sops-nix
];
services.jellyfin = {
enable = true;
openFirewall = true;
user = "cypherpunk";
};
services.sonarr = {
enable = true;
openFirewall = true;
};
services.radarr = {
enable = true;
openFirewall = true;
};
services.readarr = {
enable = true;
openFirewall = true;
};
services.slskd = {
enable = true;
openFirewall = true;
environmentFile = config.sops.secrets."slskd.env".path;
domain = null;
settings = {
shares.directories = [ "${driveMountPoint}/Music" ];
soulseek.description = "i luv katz n mewsik";
directories.files.downloads = "${driveMountPoint}/Music/clean";
directories.files.incomplete = "${driveMountPoint}/Music/incomplete";
};
};
services.prowlarr = {
enable = true;
openFirewall = true;
};
services.jellyseerr = {
openFirewall = true;
enable = true;
};
services.transmission = {
enable = true;
openFirewall = true;
openRPCPort = true;
settings = {
rpc-bind-address = "0.0.0.0"; #Bind to own IP
rpc-whitelist-enabled = false;
download-dir = "${driveMountPoint}/Torrents";
};
};
services.searx = {
enable = true;
settings = {
server.secret_key = builtins.toJSON config.sops.secrets."searx.env";
};
};
services.calibre-web = {
enable = true;
openFirewall = true;
options = {
enableBookUploading = true;
};
};
/*
services.authentik = {
enable = true;
};
services.photoprism = {
enable = true;
originalsPath = "/mnt/hdd1/photoprism";
settings = {
PHOTOPRISM_DEFAULT_LOCALE = "fr";
};
};
*/
virtualisation.oci-containers = {
backend = "docker";
containers = {
flaresolverr = {
ports = [ "8181:8181" ];
image = "ghcr.io/flaresolverr/flaresolverr:latest";
environment = {};
};
};
};
services.homepage-dashboard = {
enable = true;
openFirewall = true;
services = [
{
"Divertissement" = [
{
"Jellyfin" = {
icon = "jellyfin";
description = "Permet de regarder ou écouter du contenu.";
href = "http://${ip}:8096/";
};
}
{
"calibre-web" = {
icon = "calibre";
description = "Serveur de livres";
href = "http://${ip}:8083";
};
}
];
}
{
"Téléchargement" = [
{
"Jellyseerr" = {
icon = "jellyseerr";
description = "Moteur de recherche de films/séries";
href = "http://${ip}:5055";
};
}
{
"slskd" = {
description = "Pour télécharger/partager de la musique";
href = "http://${ip}:5030";
};
}
{
"Readarr" = {
description = "Moteur de recherche de livres";
href = "http://${ip}:8787/";
};
}
{
"Prowlarr" = {
icon = "prowlarr";
description = "Indexe les différents sites de téléchargement";
href = "http://${ip}:9696/";
};
}
{
"Sonarr" = {
icon = "sonarr";
description = "Moteur de recherche pour les séries";
href = "http://${ip}:8989";
};
}
{
"Transmission" = {
icon = "transmission";
description = "s'occupe du téléchargement des fichiers";
href = "http://${ip}:9091";
};
}
];
}
{
"Utilitaires" = [
{
"Photoprism" = {
icon = "photoprism";
description = "Sauvegarde de photos";
href = "http://${ip}:2342";
};
}
];
}
];
};
};