Merge branch 'main' of https://gitea.xeovalyte.dev/xeovalyte/nix

Merge

flake.nix

@@ -69,26 +69,31 @@
       };
     };
 
+    # pm01vm01 Configuration
     nixosConfigurations = {
-      vnix-ctr = nixpkgs.lib.nixosSystem {
+      pm01vm01 = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
         specialArgs = { inherit inputs; };
         modules = [
-          ({ config, pkgs, ... }: {
+          ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
-            nixpkgs.overlays = [ overlay-unstable ];
-            networking.hostName = "vnix-ctn01";
-          })
 
-          ./hosts/vnix-ctr
+          ./hosts/pm01vm01
-          home-manager.nixosModules.home-manager
-          {
-            home-manager.useGlobalPkgs = true;
-            home-manager.extraSpecialArgs = { inherit inputs nix-colors; };
-            home-manager.users.xeovalyte.imports = [ ./hosts/vnix-ctr/home.nix ];
-          }
         ];
       };
     };
+
+    homeConfigurations = {
+      "xeovalyte@pm01vm01" = home-manager.lib.homeManagerConfiguration {
+        pkgs = nixpkgs.legacyPackages.x86_64-linux;
+        extraSpecialArgs = { inherit inputs nix-colors; };
+        modules = [
+          ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
+        
+          ./hosts/pm01vm01/home.nix
+        ];
+      };
+    };
+
   };
 }
 

homelab/.gitignore

@@ -0,0 +1,2 @@
+secrets/
+.env

homelab/README.md

@@ -0,0 +1,13 @@
+# Create proxy network
+`docker network create proxy`
+
+# Configure caddy cloudflare
+Find instructions on [caddy-dns cloudflare](https://github.com/caddy-dns/cloudflare)
+
+# Services
+| Name | Use | Domain | Auth |
+| --- | --- | --- | --- |
+| Adguard | DNS | https://adguard.timo.bmrs.nl/ | local | 
+| Caddy | Reverse proxy | - | - |
+| Forgejo | Git | https://git.timo.bmrs.nl/ | Openid |
+| Ldap | User directory | https://ldap.timo.bmrs.nl/ | - |

homelab/adguard/docker-compose.yml

@@ -0,0 +1,21 @@
+services:
+  adguardhome:
+    image: adguard/adguardhome:latest
+    container_name: adguardhome
+    restart: unless-stopped
+    ports:
+      - 53:53/tcp
+      - 53:53/udp
+      # - 80:3000 # Only use during setup
+    volumes:
+      - work:/opt/adguardhome/work
+      - conf:/opt/adguardhome/conf
+
+volumes:
+  work:
+  conf:
+
+networks:
+  default:
+    name: proxy
+    external: true

homelab/authelia/.gitignore

@@ -0,0 +1 @@
+keys/

homelab/authelia/README.md

@@ -0,0 +1,2 @@
+- Follow [This](https://www.authelia.com/configuration/identity-providers/openid-connect/provider/) guide for generating keys
+- Store the keys in the /keys directory

homelab/authelia/docker-compose.yml

@@ -0,0 +1,44 @@
+services:
+  authelia:
+    image: authelia/authelia:latest
+    container_name: authelia
+    restart: unless-stopped
+    depends_on:
+      - lldap
+    volumes:
+      - ./config/configuration.yml:/config/configuration.yml
+      - ./config/keys:/keys
+      - data_authelia:/config
+    environment:
+      X_AUTHELIA_CONFIG_FILTERS: template
+      JWT_SECRET: ${AUTHELIA_JWT_SECRET}
+      SESSION_SECRET: ${AUTHELIA_SESSION_SECRET}
+      STORAGE_ENCRYPTION_KEY: ${AUTHELIA_STORAGE_ENCRYPTION_KEY}
+      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD: ${LLDAP_ADMIN_PASSWORD}
+      HMAC_SECRET: ${AUTHELIA_HMAC_SECRET}
+      CLIENT_SECRET_FORGEJO: ${AUTHELIA_CLIENT_SECRET_FORGEJO}
+      CLIENT_ID_FORGEJO: ${AUTHELIA_CLIENT_ID_FORGEJO}
+      CLIENT_SECRET_PAPERLESS: ${AUTHELIA_CLIENT_SECRET_PAPERLESS}
+      CLIENT_ID_PAPERLESS: ${AUTHELIA_CLIENT_ID_PAPERLESS}
+
+  lldap:
+    image: lldap/lldap:latest
+    container_name: lldap
+    restart: unless-stopped
+    volumes:
+      - data_lldap:/data
+    environment:
+      LLDAP_JWT_SECRET: ${LLDAP_JWT_SECRET}
+      LLDAP_KEY_SEED: ${LLDAP_KEY_SEED}
+      LLDAP_LDAP_BASE_DN: dc=bmrs,dc=nl
+      LLDAP_LDAP_USER_PASS: ${LLDAP_ADMIN_PASSWORD}
+
+volumes:
+  data_lldap:
+  data_authelia:
+
+networks:
+  default:
+    name: proxy
+    external: true
+

homelab/caddy/Dockerfile

@@ -0,0 +1,8 @@
+FROM caddy:2.8-builder AS builder
+
+RUN xcaddy build \
+  --with github.com/caddy-dns/cloudflare
+
+FROM caddy:2.8
+
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy

homelab/caddy/README.md

@@ -0,0 +1,2 @@
+# Caddy reverse proxy
+Follow [this](https://github.com/caddy-dns/cloudflare) to obtain secrets

homelab/caddy/caddyfiles/Caddyfile

@@ -0,0 +1,21 @@
+localhost {
+	respond "Hello world!"
+}
+
+
+*.timo.bmrs.nl timo.bmrs.nl {
+	tls {
+		dns cloudflare {
+			zone_token {env.CF_ZONE_TOKEN}
+			api_token {env.CF_API_TOKEN}
+		}
+		resolvers 1.1.1.1
+	}
+
+	forward_auth authelia:9091 {
+		uri /api/authz/forward-auth
+		copy_headers Remote-User Remote-Groups Remote-Email Remote-Name		
+	}
+
+	import routes/*
+}

homelab/caddy/caddyfiles/routes/adguard

@@ -0,0 +1,4 @@
+@adguard host adguard.timo.bmrs.nl
+handle @adguard {
+	reverse_proxy adguardhome:3000
+}

homelab/caddy/caddyfiles/routes/authelia

@@ -0,0 +1,9 @@
+@ldap host ldap.timo.bmrs.nl
+handle @ldap {
+	reverse_proxy lldap:17170
+}
+
+@authelia host auth.timo.bmrs.nl
+handle @authelia {
+	reverse_proxy authelia:9091
+}

homelab/caddy/caddyfiles/routes/dozzle

@@ -0,0 +1,9 @@
+@dozzle host dozzle.timo.bmrs.nl
+handle @dozzle {
+	forward_auth authelia:9091 {
+		uri /api/authz/forward-auth
+		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
+	}
+
+	reverse_proxy dozzle:8080
+}

homelab/caddy/caddyfiles/routes/forgejo

@@ -0,0 +1,4 @@
+@forgejo host git.timo.bmrs.nl
+handle @forgejo {
+	reverse_proxy forgejo:3000
+}

homelab/caddy/caddyfiles/routes/homeassistant

@@ -0,0 +1,4 @@
+@homeassistant host homeassistant.timo.bmrs.nl
+handle @homeassistant {
+	reverse_proxy homeassistant:8123
+}

homelab/caddy/caddyfiles/routes/homepage

@@ -0,0 +1,4 @@
+@homepage host home.timo.bmrs.nl
+handle @homepage {
+	reverse_proxy homepage:3000
+}

homelab/caddy/caddyfiles/routes/immich

@@ -0,0 +1,4 @@
+@immich host immich.timo.bmrs.nl
+handle @immich {
+	reverse_proxy immich:2283
+}

homelab/caddy/caddyfiles/routes/nextcloud

@@ -0,0 +1,12 @@
+@nextcloud host cloud.timo.bmrs.nl
+handle @nextcloud {
+	redir /.well-known/carddav /remote.php/dav/ 301
+    redir /.well-known/caldav /remote.php/dav/ 301
+
+	reverse_proxy nextcloud:80
+}
+
+@office host office.timo.bmrs.nl
+handle @office {
+	reverse_proxy nextcloud-office:9980
+}

homelab/caddy/caddyfiles/routes/paperless-ngx

@@ -0,0 +1,4 @@
+@paperless-ngx host paperless.timo.bmrs.nl
+handle @paperless-ngx {
+	reverse_proxy paperless-ngx:8000
+}

homelab/caddy/caddyfiles/routes/searxng

@@ -0,0 +1,4 @@
+@searxng host search.timo.bmrs.nl
+handle @searxng {
+	reverse_proxy searxng:8080
+}

homelab/caddy/caddyfiles/routes/uptime-kuma

@@ -0,0 +1,4 @@
+@uptime-kuma host uptime.timo.bmrs.nl
+handle @uptime-kuma {
+	reverse_proxy uptime-kuma:3001
+}

homelab/caddy/caddyfiles/routes/vaultwarden

@@ -0,0 +1,4 @@
+@vaultwarden host bitwarden.timo.bmrs.nl
+handle @vaultwarden {
+	reverse_proxy vaultwarden:80
+}

homelab/caddy/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   caddy:
-    image: caddy:2.8
+    build: .
     container_name: caddy
     restart: unless-stopped
     cap_add:
@@ -10,10 +10,24 @@ services:
       - 443:443
       - 443:443/udp
     volumes:
-      - caddy_data:/data
+      - data:/data
-      - caddy_config:/config
+      - config:/config
       - ./caddyfiles:/etc/caddy/
+    environment:
+      CF_ZONE_TOKEN: ${CF_ZONE_TOKEN}
+      CF_API_TOKEN: ${CF_API_TOKEN}
+    networks:
+      proxy:
+        aliases:
+          - auth.timo.bmrs.nl
+          - cloud.timo.bmrs.nl
+          - office.timo.bmrs.nl
 
 volumes:
-  caddy_data:
+  data:
-  caddy_config:
+  config:
+
+networks:
+  proxy:
+    name: proxy
+    external: true

homelab/dozzle/docker-compose.yml

@@ -0,0 +1,15 @@
+services:
+  dozzle:
+    image: amir20/dozzle:latest
+    container_name: dozzle
+    restart: unless-stopped
+    volumes:
+      - /run/user/1000/docker.sock:/var/run/docker.sock:ro
+    environment:
+      DOZZLE_ENABLE_ACTIONS: true
+      DOZZLE_AUTH_PROVIDER: forward-proxy
+
+networks:
+  default:
+    external: true
+    name: proxy

homelab/forgejo/docker-compose.yml

@@ -0,0 +1,40 @@
+services:
+  forgejo:
+    image: codeberg.org/forgejo/forgejo:9
+    container_name: forgejo
+    restart: unless-stopped
+    depends_on:
+      - db
+    ports:
+      - 222:22
+    volumes:
+      - data:/data
+      - ./config/app.ini:/etc/forgejo/app.ini
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro 
+    environment:
+      FORGEJO__database__DB_TYPE: postgres
+      FORGEJO__database__HOST: "forgejo-db"
+      FORGEJO__database__NAME: forgejo
+      FORGEJO__database__USER: forgejo
+      FORGEJO__database__PASSWD: ${DB_PASSWORD}
+  
+  db:
+    image: postgres:14
+    container_name: forgejo-db
+    restart: unless-stopped
+    volumes:
+      - data_db:/var/lib/postgresql/data
+    environment:
+      POSTGRES_USER: forgejo
+      POSTGRES_PASSWORD: ${DB_PASSWORD}
+      POSTGES_DB: forgejo
+
+volumes:
+  data:
+  data_db:
+
+networks:
+  default:
+    name: proxy
+    external: true

homelab/homeassistant/config/configuration.yaml

@@ -0,0 +1,15 @@
+# Loads default set of integrations. Do not remove.
+default_config:
+
+# Load frontend themes from the themes folder
+frontend:
+  themes: !include_dir_merge_named themes
+
+automation: !include automations.yaml
+script: !include scripts.yaml
+scene: !include scenes.yaml
+
+http:
+  use_x_forwarded_for: true
+  trusted_proxies:
+    - 172.18.0.0/24

homelab/homeassistant/docker-compose.yml

@@ -0,0 +1,17 @@
+services:
+  homeassistant:
+    image: ghcr.io/home-assistant/home-assistant:stable
+    container_name: homeassistant
+    restart: unless-stopped
+    volumes:
+      - config:/config
+      - ./config/configuration.yaml:/config/configuration.yaml
+      - /etc/localtime:/etc/localtime:ro
+
+volumes:
+  config:
+
+networks:
+  default:
+    name: proxy
+    external: true

homelab/homepage/config/.gitignore

@@ -0,0 +1 @@
+logs/

homelab/homepage/config/bookmarks.yaml

@@ -0,0 +1,3 @@
+---
+# For configuration options and examples, please see:
+# https://gethomepage.dev/configs/bookmarks

homelab/homepage/config/docker.yaml

@@ -0,0 +1,10 @@
+---
+# For configuration options and examples, please see:
+# https://gethomepage.dev/configs/docker/
+
+# my-docker:
+#   host: 127.0.0.1
+#   port: 2375
+
+docker:
+  socket: /var/run/docker.sock

homelab/homepage/config/kubernetes.yaml

@@ -0,0 +1,2 @@
+---
+# sample kubernetes config

homelab/homepage/config/services.yaml

@@ -0,0 +1,56 @@
+---
+# For configuration options and examples, please see:
+# https://gethomepage.dev/configs/services
+
+- Primary Services:
+    - Adguard:
+        href: https://adguard.timo.bmrs.nl/
+        description: DNS
+        icon: adguard-home
+        server: docker
+        container: adguardhome
+        widget:
+            type: adguard
+            url: http://adguardhome:3000
+            username: xeovalyte
+            password: {{HOMEPAGE_VAR_ADGUARD_PASSWORD}}
+
+    - Forgejo:
+        href: https://git.timo.bmrs.nl/
+        description: Git
+        icon: forgejo
+        server: docker
+        container: forgejo
+
+    - Uptime Kuma:
+        href: https://uptime.timo.bmrs.nl/
+        description: Uptime monitoring
+        icon: uptime-kuma
+        server: docker
+        container: uptime-kuma
+
+    - Vaultwarden:
+        href: https://bitwarden.timo.bmrs.nl/
+        description: Password manager
+        icon: bitwarden
+        server: docker
+        container: vaultwarden
+
+- Backend Services:
+    - Authelia:
+        description: SSO
+        icon: authelia
+        server: docker
+        container: authelia
+    
+    - Caddy:
+        description: Reverse proxy
+        icon: caddy
+        server: docker
+        container: caddy
+
+    - LLDAP:
+        description: Active directory
+        href: https://ldap.timo.bmrs.nl/
+        server: docker
+        container: lldap

homelab/homepage/config/settings.yaml

@@ -0,0 +1,21 @@
+---
+# For configuration options and examples, please see:
+# https://gethomepage.dev/configs/settings
+
+providers:
+  openweathermap: openweathermapapikey
+  weatherapi: weatherapiapikey
+
+title: Xeovalyte's Dashboard
+color: slate
+
+headerStyle: boxedWidgets
+
+layout:
+  Primary Services:
+    style: row
+    columns: 3
+
+  Backend Services:
+    style: row
+    columns: 4

homelab/homepage/config/widgets.yaml

@@ -0,0 +1,12 @@
+---
+# For configuration options and examples, please see:
+# https://gethomepage.dev/configs/service-widgets
+
+- resources:
+    cpu: true
+    memory: true
+    disk: /
+
+- search:
+    provider: duckduckgo
+    target: _blank

homelab/homepage/docker-compose.yml

@@ -0,0 +1,19 @@
+services:
+  homepage:
+    image: ghcr.io/gethomepage/homepage:latest
+    container_name: homepage
+    restart: unless-stopped
+    volumes:
+      - ./config:/app/config
+      - logs:/app/config/logs
+      - /run/user/1000/docker.sock:/var/run/docker.sock
+    environment:
+      HOMEPAGE_VAR_ADGUARD_PASSWORD: $ADGUARD_PASSWORD
+
+volumes:
+  logs:
+
+networks:
+  default:
+    name: proxy
+    external: true

homelab/immich/docker-compose.yml

@@ -0,0 +1,78 @@
+services:
+  immich:
+    image: ghcr.io/immich-app/immich-server:release
+    container_name: immich
+    restart: unless-stopped
+    volumes:
+      - data:/usr/src/app/upload
+      - /etc/localtime:/etc/localtime:ro
+    environment:
+      DB_HOSTNAME: "immich-db"
+    env_file:
+      - .env
+    depends_on:
+      - redis
+      - db
+
+  immich-machine-learning:
+    image: ghcr.io/immich-app/immich-machine-learning:release
+    container_name: immich-machine-learning
+    restart: unless-stopped
+    volumes:
+      - cache:/cache
+    env_file:
+      - .env
+
+  redis:
+    image: docker.io/redis:6.2-alpine@sha256:2ba50e1ac3a0ea17b736ce9db2b0a9f6f8b85d4c27d5f5accc6a416d8f42c6d5
+    container_name: immich-redis
+    restart: unless-stopped
+    healthcheck:
+      test: redis-cli ping || exit 1
+    volumes:
+      - data_redis:/data
+
+  db:
+    image: docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0
+    container_name: immich-db
+    restart: unless-stopped
+    volumes:
+      # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
+      - data_db:/var/lib/postgresql/data
+    healthcheck:
+      test: pg_isready --dbname='${DB_DATABASE_NAME}' --username='${DB_USERNAME}' || exit 1; Chksum="$$(psql --dbname='${DB_DATABASE_NAME}' --username='${DB_USERNAME}' --tuples-only --no-align --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM pg_stat_database')"; echo "checksum failure count is $$Chksum"; [ "$$Chksum" = '0' ] || exit 1
+      interval: 5m
+      start_interval: 30s
+      start_period: 5m
+    command:
+      [
+        'postgres',
+        '-c',
+        'shared_preload_libraries=vectors.so',
+        '-c',
+        'search_path="$$user", public, vectors',
+        '-c',
+        'logging_collector=on',
+        '-c',
+        'max_wal_size=2GB',
+        '-c',
+        'shared_buffers=512MB',
+        '-c',
+        'wal_compression=on',
+      ]
+    environment:
+      POSTGRES_PASSWORD: ${DB_PASSWORD}
+      POSTGRES_USER: ${DB_USERNAME}
+      POSTGRES_DB: ${DB_DATABASE_NAME}
+      POSTGRES_INITDB_ARGS: '--data-checksums'
+
+volumes:
+  data:
+  data_db:
+  data_redis:
+  cache:
+
+networks:
+  default:
+    name: proxy
+    external: true

homelab/nextcloud/docker-compose.yml

@@ -0,0 +1,54 @@
+services:
+  nextcloud:
+    image: nextcloud:apache
+    container_name: nextcloud
+    restart: unless-stopped
+    volumes:
+      - data:/var/www/html
+    environment:
+      POSTGRES_HOST: nextcloud-db
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+      POSTGRES_DB: nextcloud
+      POSTGRES_USER: nextcloud
+      REDIS_HOST: nextcloud-redis
+      TRUSTED_PROXIES: "172.23.0.0/24"
+    depends_on:
+      - db
+      - redis
+
+  db:
+    image: postgres:16
+    container_name: nextcloud-db
+    restart: unless-stopped
+    volumes:
+      - data_db:/var/lib/postgresql/data
+    environment:
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+      POSTGRES_DB: nextcloud
+      POSTGRES_USER: nextcloud
+
+  redis:
+    image: redis:alpine
+    container_name: nextcloud-redis
+    restart: unless-stopped
+    volumes:
+      - data_redis:/data
+
+  office:
+    image: collabora/code
+    container_name: nextcloud-office
+    restart: unless-stopped
+    environment:
+      DOMAIN: "cloud.timo.bmrs.nl"
+      extra_params: "--o:ssl.enable=false --o:ssl.termination=true"
+
+
+volumes:
+  data:
+  data_db:
+  data_redis:
+
+networks:
+  default:
+    name: proxy
+    external: true

homelab/paperless-ngx/README.md

@@ -0,0 +1,3 @@
+# Paperless NGX
+- Create super user: `docker compose exec paperless-ngx python3 manage.py createsuperuser`
+- Follow [Paperless wiki](https://www.authelia.com/integration/openid-connect/paperless/) for configuring oauth

homelab/paperless-ngx/docker-compose.yml

@@ -0,0 +1,50 @@
+services:
+  paperless-ngx:
+    image: ghcr.io/paperless-ngx/paperless-ngx:latest
+    container_name: paperless-ngx
+    restart: unless-stopped
+    depends_on:
+      - broker
+      - db
+    volumes:
+      - data:/usr/src/paperless/data
+      - media:/usr/src/paperless/media
+    environment:
+      PAPERLESS_REDIS: redis://paperless-ngx-broker:6379
+      PAPERLESS_DBHOST: paperless-ngx-db
+      PAPERLESS_DBPASS: ${POSTGRES_PASSWORD}
+      PAPERLESS_URL: https://paperless.timo.bmrs.nl
+
+      PAPERLESS_DISABLE_REGULAR_LOGIN: true
+      PAPERLESS_APPS: allauth.socialaccount.providers.openid_connect
+      PAPERLESS_SOCIALACCOUNT_PROVIDERS: ${PAPERLESS_SOCIALACCOUNT_PROVIDERS}
+
+  broker:
+    image: docker.io/library/redis:7
+    container_name: paperless-ngx-broker
+    restart: unless-stopped
+    volumes:
+      - data_redis:/data
+
+  db:
+    image: docker.io/library/postgres:16
+    container_name: paperless-ngx-db
+    restart: unless-stopped
+    volumes:
+      - data_db:/var/lib/postgresql/data
+    environment:
+      POSTGRES_DB: paperless
+      POSTGRES_USER: paperless
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+
+
+volumes:
+  data:
+  data_db:
+  data_redis:
+  media:
+
+networks:
+  default:
+    name: proxy
+    external: true

homelab/searxng/config/uwsgi.ini

@@ -0,0 +1,54 @@
+[uwsgi]
+# Who will run the code
+uid = searxng
+gid = searxng
+
+# Number of workers (usually CPU count)
+# default value: %k (= number of CPU core, see Dockerfile)
+workers = %k
+
+# Number of threads per worker
+# default value: 4 (see Dockerfile)
+threads = 4
+
+# The right granted on the created socket
+chmod-socket = 666
+
+# Plugin to use and interpreter config
+single-interpreter = true
+master = true
+plugin = python3
+lazy-apps = true
+enable-threads = 4
+
+# Module to import
+module = searx.webapp
+
+# Virtualenv and python path
+pythonpath = /usr/local/searxng/
+chdir = /usr/local/searxng/searx/
+
+# automatically set processes name to something meaningful
+auto-procname = true
+
+# Disable request logging for privacy
+disable-logging = true
+log-5xx = true
+
+# Set the max size of a request (request-body excluded)
+buffer-size = 8192
+
+# No keep alive
+# See https://github.com/searx/searx-docker/issues/24
+add-header = Connection: close
+
+# Follow SIGTERM convention
+# See https://github.com/searxng/searxng/issues/3427
+die-on-term
+
+# uwsgi serves the static files
+static-map = /static=/usr/local/searxng/searx/static
+# expires set to one day
+static-expires = /* 86400
+static-gzip-all = True
+offload-threads = 4

homelab/searxng/docker-compose.yml

@@ -0,0 +1,15 @@
+services:
+  searxng:
+    image: searxng/searxng
+    container_name: searxng
+    restart: unless-stopped
+    volumes:
+      - ./config:/etc/searxng
+    environment:
+      BASE_URL: "https://search.timo.bmrs.nl/"
+      SEARXNG_SECRET: "PO8rO5ZW7K67sroemisMS8wpiq5pXEHecvXzGs4CdAgTQIQvAI09m65vFKGVVkZW"
+
+networks:
+  default:
+    external: true
+    name: proxy

homelab/uptime-kuma/docker-compose.yml

@@ -0,0 +1,15 @@
+services:
+  uptime-kuma:
+    image: louislam/uptime-kuma:1
+    container_name: uptime-kuma
+    restart: unless-stopped
+    volumes:
+      - data:/app/data
+
+volumes:
+  data:
+
+networks:
+  default:
+    name: proxy
+    external: true

homelab/vaultwarden/docker-compose.yml

@@ -0,0 +1,17 @@
+services:
+  vaultwarden:
+    image: vaultwarden/server:latest
+    container_name: vaultwarden
+    restart: unless-stopped
+    volumes:
+      - data:/data
+    environment:
+      SIGNUPS_ALLOWED: "true"
+
+volumes:
+  data:
+
+networks:
+  default:
+    name: proxy
+    external: true

hosts/desktop/home.nix

@@ -19,6 +19,13 @@
         Define the host of the machine
       '';
     };
+
+    headless = lib.mkOption {
+      type = with lib.types; bool;
+      description = ''
+        Is this machine headless?
+      '';
+    };
   };
 
   config = {
@@ -28,6 +35,7 @@
     };
 
     host = "xv-desktop";
+    headless = false;
 
     home.packages = with pkgs; [
        unstable.prismlauncher

hosts/laptop/home.nix

@@ -13,6 +13,7 @@
     ../../modules/home/cli/common
     ../../modules/home/cli/develop.nix
     ../../modules/home/cli/ssh.nix
+    ../../modules/home/cli/yazi.nix
   ];
 
 
@@ -23,6 +24,13 @@
         Define the host of the machine
       '';
     };
+
+    headless = lib.mkOption {
+      type = with lib.types; bool;
+      description = ''
+        Is this machine headless?
+      '';
+    };
   };
 
   config = {
@@ -32,6 +40,7 @@
     };
 
     host = "xv-laptop";
+    headless = false;
 
     home.packages = with pkgs; [
       # Desktop Applications
@@ -43,12 +52,7 @@
       unstable.vesktop
       unstable.blender
       loupe
-      unstable.bottles
+      unstable.rnote
-
-      # Systemverilog
-      unstable.gtkwave
-      unstable.verilator
-      gnumake
 
       # Office
       libreoffice
@@ -62,11 +66,23 @@
 
       # Development
       unstable.drawio
+
+      # Scripts
+      (import ../../modules/scripts/save_image.nix { inherit pkgs; })
     ];
 
     # Enable home-manager
     programs.home-manager.enable = true;
 
+    # Enable default applications
+    xdg.mimeApps = {
+      enable = true;
+      defaultApplications = {
+        "application/pdf" = "firefox.desktop";
+        "application/rnote" = "rnote.desktop";
+      };
+    };
+
     home.stateVersion = "24.05";
   };
 

hosts/pm01vm01/default.nix

@@ -0,0 +1,48 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+
+    # CLI
+    ../../modules/system/cli/common.nix
+    ../../modules/system/cli/docker.nix
+
+    # Hardware
+    ../../modules/system/hardware/firewall.nix
+    ../../modules/system/hardware/garbage-collection.nix
+    ../../modules/system/hardware/locale.nix
+  ];
+
+  nix.settings = {
+    experimental-features = [ "nix-command" "flakes" ];
+
+    substituters = [
+      "https://nix-community.cachix.org"
+    ];
+  };
+
+  # Bootloader.
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.systemd-boot.enable = true;
+
+  networking.hostName = "pm01vm01"; # Define your hostname.
+
+  users.users.xeovalyte = {
+    isNormalUser = true;
+    description = "Timo Boomers";
+    extraGroups = [ "networkmanager" "wheel" ];
+  };
+
+  # Enable ssh
+  services.openssh.enable = true;
+
+  # Forward ports
+  networking.firewall = {
+    allowedTCPPorts = [ 80 443 53 ];
+    allowedUDPPorts = [ 53 ];
+  };
+
+  system.stateVersion = "24.05";
+
+}

hosts/pm01vm01/hardware-configuration.nix

@@ -0,0 +1,37 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ohci_pci" "ehci_pci" "virtio_pci" "ahci" "usbhid" "sr_mod" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/47301fe6-a7db-4ffd-854a-beddd53b6d99";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/6A5B-F811";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s8.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/pm01vm01/home.nix

@@ -0,0 +1,48 @@
+{ pkgs, lib, config, ... }:
+
+{
+  imports = [
+    # Gui
+    ../../modules/home/gui/theming.nix
+  
+    # CLI
+    ../../modules/home/cli/common
+    ../../modules/home/cli/yazi.nix
+  ];
+
+
+  options = {
+    host = lib.mkOption {
+      type = with lib.types; str;
+      description = ''
+        Define the host of the machine
+      '';
+    };
+
+    headless = lib.mkOption {
+      type = with lib.types; bool;
+      description = ''
+        Is this machine headless?
+      '';
+    };
+  };
+
+  config = {
+    home = {
+      username = "xeovalyte";
+      homeDirectory = "/home/xeovalyte";
+    };
+
+    host = "pm01vm01";
+    headless = true;
+
+    home.packages = with pkgs; [
+    ];
+
+    # Enable home-manager
+    programs.home-manager.enable = true;
+
+    home.stateVersion = "24.05";
+  };
+
+}

modules/home/cli/common/helix.nix

@@ -6,8 +6,20 @@
     unstable.svls
     unstable.nil
     unstable.nixpkgs-fmt
+    unstable.vale-ls
+    unstable.vale
   ];
 
+  home.file.".config/vale/.vale.ini".text = ''
+    StylesPath = ~/.local/share/vale/styles
+
+    MinAlertLevel = suggestion
+    Packages = Readability
+
+    [*]
+    BasedOnStyles = Vale
+  '';
+
   programs.helix = {
     enable = true;
     package = pkgs.unstable.helix;
@@ -31,6 +43,11 @@
         command = "svls";
       };
 
+      # Vale
+      language-server.vale = {
+        command = "vale-ls";
+      };
+
       language = [
         {
           name = "verilog";
@@ -40,6 +57,18 @@
           name = "nix";
           language-servers = [ "svls" ];
         }
+        {
+          name = "html";
+          language-servers = [ "vscode-html-language-server" "tailwindcss-ls" ];
+        }
+        {
+          name = "css";
+          language-servers = [ "vscode-html-language-server" "tailwindcss-ls" ];
+        }
+        {
+          name = "markdown";
+          language-servers = [ "vale" ];
+        }
       ];
     };
     themes = {

modules/home/cli/yazi.nix

@@ -0,0 +1,20 @@
+{ pkgs, ... }:
+
+{
+  programs.yazi = {
+    enable = true;
+    enableZshIntegration = true;
+    settings = {
+      opener = {
+        open = [
+          { run = "xdg-open $@"; desc = "xdg"; orphan = true; }
+        ];
+      };
+      open = {
+        prepend_rules = [
+          { name = "*.rnote"; use = "open"; }
+        ];
+      };
+    };
+  };
+}

modules/home/gui/common/firefox.nix

@@ -26,7 +26,7 @@
       DisableFirefoxAccounts = true;
       DisableAccounts = true;
       DontCheckDefaultBrowser = true;
-      DisplayBookmarksToolbar = "never";
+      DisplayBookmarksToolbar = "newpage";
       ExtensionSettings = {
         "nl-NL@dictionaries.addons.mozilla.org" = {
           install_url = "https://addons.mozilla.org/firefox/downloads/latest/woordenboek-nederlands/latest.xpi";
@@ -44,6 +44,10 @@
           install_url = "https://addons.mozilla.org/firefox/downloads/latest/pwas-for-firefox/latest.xpi";
           installation_mode = "force_installed";
         };
+        "markdown-viewer@outofindex.com" = {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/markdown-viewer-chrome/latest.xpi";
+          installation_mode = "force_installed";
+        };
       };
     };
     profiles.xeovalyte = {

modules/home/gui/hyprland/kanshi.nix

@@ -0,0 +1,24 @@
+{ pkgs, ... }:
+
+{
+  services.kanshi = {
+    enable = true;
+    systemdTarget = "hyprland-session.target";
+    profiles = {
+      undocked = {
+        outputs = [
+          {
+            criteria = "eDP-1";
+          }
+        ];
+      };
+      docked = {
+        outputs = [
+          {
+            criteria = "eDP-9";
+          }
+        ];
+      };
+    };
+  };
+}

modules/home/gui/theming.nix

@@ -5,20 +5,14 @@ let
   gtkThemeFromScheme;
 in
 {
-  options = {
-    guiTheming.enable = lib.mkEnableOption "Enable GTK and QT theming";
-  };
-
   imports = [
     nix-colors.homeManagerModules.default
   ];
 
   config = {
-    guiTheming.enable = lib.mkDefault true;
-
     colorScheme = nix-colors.colorSchemes.da-one-sea;
 
-    gtk = lib.mkIf config.guiTheming.enable {
+    gtk = lib.mkIf (config.headless == false) {
       enable = true;
       theme = {
         name = "${config.colorScheme.slug}";
@@ -30,7 +24,7 @@ in
       };
     };
 
-    qt = lib.mkIf config.guiTheming.enable {
+    qt = lib.mkIf (config.headless == false) {
       enable = true;
       platformTheme.name = "gtk";
       style = {
@@ -39,7 +33,7 @@ in
       };
     };
 
-    home.pointerCursor = lib.mkIf config.guiTheming.enable {
+    home.pointerCursor = lib.mkIf (config.headless == false) {
       package = pkgs.phinger-cursors;
       name = "phinger-cursors-dark";
       size = 24;

modules/home/gui/thunderbird.nix

@@ -35,29 +35,29 @@
       thunderbird.enable = true;
       thunderbird.profiles = [ "default" ];
     };
-    # tudelft = {
+    tudelft = {
-    #   imap = {
+      imap = {
-    #     host = "outlook.office365.com";
+        host = "outlook.office365.com";
-    #     port = 993;
+        port = 993;
-    #     tls = {
+        tls = {
-    #       enable = true;
+          enable = true;
-    #     };
+        };
-    #   };
+      };
-    #   smtp =  {
+      smtp =  {
-    #     host = "smtp-a.tudelft.nl";
+        host = "smtp.office365.com";
-    #     port = 465;
+        port = 587;
-    #     tls = {
+        tls = {
-    #       enable = true;
+          enable = true;
-    #       useStartTls = false;
+          useStartTls = false;
-    #     };
+        };
-    #   };
+      };
-    #   address = "tboomers@tudelft.nl";
+      address = "tboomers@tudelft.nl";
-    #   realName = "Timo Boomers";
+      realName = "Timo Boomers";
-    #   userName = "tboomers@tudelft.nl";
+      userName = "tboomers@tudelft.nl";
-    #   primary = false;
+      primary = false;
-    #   thunderbird.enable = true;
+      thunderbird.enable = true;
-    #   thunderbird.profiles = [ "default" ];
+      thunderbird.profiles = [ "default" ];
-    # };
+    };
     xeovalyte = {
       imap = {
         host = "mail.xeovalyte.dev";

modules/scripts/save_image.nix

@@ -0,0 +1,25 @@
+{ pkgs, ... }:
+
+pkgs.writeShellScriptBin "saveimage" ''
+  # Check if an argument is provided
+  if [ -z "$1" ]; then
+    echo "Usage: $0 <filename>"
+    exit 1
+  fi
+
+  # Create the assets directory if it doesn't exist
+  mkdir -p assets
+
+  # Set the output path in the assets directory
+  OUTPUT_PATH="assets/$1.png"
+
+  # Save the clipboard image to the specified file in assets directory
+  wl-paste --type image/png > "$OUTPUT_PATH"
+
+  # Check if the file was successfully saved
+  if [ $? -eq 0 ]; then
+    echo "Image saved to $OUTPUT_PATH"
+  else
+    echo "Failed to save the image"
+  fi
+''

modules/system/cli/common.nix

@@ -7,6 +7,7 @@
     fastfetch
     btop
     git
+    yazi
   ];
 
   environment.pathsToLink = [ "/share/zsh" ];

modules/system/cli/docker.nix

@@ -1,4 +1,4 @@
-{ ... }:
+{ pkgs, ... }:
 
 {
   virtualisation.docker = {
@@ -10,4 +10,13 @@
   };
 
   users.users.xeovalyte.extraGroups = [ "docker" ];
+
+  security.wrappers = {
+    docker-rootlesskit = {
+      owner = "root";
+      group = "root";
+      capabilities = "cap_net_bind_service+ep";
+      source = "${pkgs.rootlesskit}/bin/rootlesskit";
+    };
+  };
 }

modules/system/hardware/firewall.nix

@@ -3,7 +3,7 @@
 {
   networking.firewall = {
     enable = true;
-    allowedTCPPorts = [ 53317 3000 24800 ];
+    allowedTCPPorts = [ ];
-    allowedUDPPorts = [ 53317 24800 ];
+    allowedUDPPorts = [ ];
   };
 }