xeovalyte/nix
1
1
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'main' of ssh://gitea.xeovalyte.dev:2222/xeovalyte/nix

Browse Source
This commit is contained in:
Timo Boomers 2025-05-02 08:57:28 +02:00
commit bde66ffbe2
Signed by: xeovalyte
SSH Key Fingerprint: SHA256:kSQDrQDmKzljJzfGYcd3m9RqHi4h8rSwkZ3sQ9kBURo
24 changed files with 906 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
.sops.yaml Normal file
View File

@ -0,0 +1,7 @@
keys:
- &v-th-ctr-01 age1cs2p7tgk9356tjmet6526k3ghwq9we82nz6z7qggqns656paku6sx30tkg
creation_rules:
- path_regex: secrets/deploy.yaml$
key_groups:
- age:
- *v-th-ctr-01

8
dockerfiles/caddy.Dockerfile Normal file
View File

@ -0,0 +1,8 @@
FROM caddy:2.8-builder AS builder
RUN xcaddy build \
--with github.com/caddy-dns/transip
FROM caddy:2.8
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

67
flake.lock generated
View File

@ -303,11 +303,11 @@
"rust-overlay": "rust-overlay" "rust-overlay": "rust-overlay"
}, },
"locked": { "locked": {
"lastModified": 1745579354, "lastModified": 1745752145,
"narHash": "sha256-+Yf7JrKIKMgKDi+zHvuTOJ8Raf7NNZINgBzFaOzYD3U=", "narHash": "sha256-SRvolJBy9oRUdfik/xtcsguQtcDHrkzq1yf5NbsLBhY=",
"owner": "lilyinstarlight", "owner": "lilyinstarlight",
"repo": "nixos-cosmic", "repo": "nixos-cosmic",
"rev": "41a1bf337bbd69e304ffbd7390293082336e8ebb", "rev": "0ba6c63681ae317d122a5e76bc2bf556737a53d0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -334,11 +334,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1745391562, "lastModified": 1745526057,
"narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=", "narHash": "sha256-ITSpPDwvLBZBnPRS2bUcHY3gZSwis/uTe255QgMtTLA=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7", "rev": "f771eb401a46846c1aebd20552521b233dd7e18b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -381,11 +381,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1745391562, "lastModified": 1745526057,
"narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=", "narHash": "sha256-ITSpPDwvLBZBnPRS2bUcHY3gZSwis/uTe255QgMtTLA=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7", "rev": "f771eb401a46846c1aebd20552521b233dd7e18b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -395,6 +395,22 @@
} }
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": {
"lastModified": 1744868846,
"narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1743703532, "lastModified": 1743703532,
"narHash": "sha256-s1KLDALEeqy+ttrvqV3jx9mBZEvmthQErTVOAzbjHZs=", "narHash": "sha256-s1KLDALEeqy+ttrvqV3jx9mBZEvmthQErTVOAzbjHZs=",
@ -421,6 +437,7 @@
"nixpkgs-stable" "nixpkgs-stable"
], ],
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix",
"stylix": "stylix" "stylix": "stylix"
} }
}, },
@ -432,11 +449,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1745548521, "lastModified": 1745721366,
"narHash": "sha256-xyliq8oS5OnzXjHRGr92RtmrtYI/dflf2gSEo0wMFjc=", "narHash": "sha256-dm93104HXjKWzkrr7yAPtxpbllOSzrwFFruc+rKQHSg=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "eb0afb4ac0720d55c29e88eb29432103d73ae11d", "rev": "621131c9e281d1047bf8937547ed77e97c464aba",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -445,6 +462,24 @@
"type": "github" "type": "github"
} }
}, },
"sops-nix": {
"inputs": {
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1745310711,
"narHash": "sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "5e3e92b16d6fdf9923425a8d4df7496b2434f39c",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"stylix": { "stylix": {
"inputs": { "inputs": {
"base16": "base16", "base16": "base16",
@ -457,18 +492,18 @@
"git-hooks": "git-hooks", "git-hooks": "git-hooks",
"gnome-shell": "gnome-shell", "gnome-shell": "gnome-shell",
"home-manager": "home-manager_2", "home-manager": "home-manager_2",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_3",
"systems": "systems", "systems": "systems",
"tinted-foot": "tinted-foot", "tinted-foot": "tinted-foot",
"tinted-kitty": "tinted-kitty", "tinted-kitty": "tinted-kitty",
"tinted-tmux": "tinted-tmux" "tinted-tmux": "tinted-tmux"
}, },
"locked": { "locked": {
"lastModified": 1744152965, "lastModified": 1745750068,
"narHash": "sha256-LWUeN1+bH3k46fwtIv0bNgtmkqB0UduyX7T2i+230n0=", "narHash": "sha256-LbbioU14KbJpXE0DKcPJaW6W2lB8ayHE4YddupfvU+c=",
"owner": "danth", "owner": "danth",
"repo": "stylix", "repo": "stylix",
"rev": "8748db082ca15d32243c86e5d785d5dfc8a65719", "rev": "ed3f7d9ecbf2c95cc4fe633f648cb776385efd86",
"type": "github" "type": "github"
}, },
"original": { "original": {

4
flake.nix
View File

@ -22,9 +22,11 @@
nixos-cosmic = { nixos-cosmic = {
url = "github:lilyinstarlight/nixos-cosmic"; url = "github:lilyinstarlight/nixos-cosmic";
}; };
sops-nix.url = "github:Mic92/sops-nix";
}; };
outputs = inputs@{ self, nixpkgs, nixpkgs-unstable, home-manager, nix-colors, stylix, nixos-cosmic, ... }: outputs = inputs@{ self, nixpkgs, nixpkgs-unstable, home-manager, nix-colors, stylix, nixos-cosmic, sops-nix, ... }:
let let
system = "x86_64-linux"; system = "x86_64-linux";
overlay-unstable = final: prev: { overlay-unstable = final: prev: {

13
hosts/ti-clt-dsk01/default.nix
View File

@ -77,7 +77,18 @@
nix.settings.trusted-users = [ "root" "xeovalyte" ]; nix.settings.trusted-users = [ "root" "xeovalyte" ];
networking.hosts = { networking.hosts = {
"192.168.100.118" = [ "timo.bmrs.nl" "www.timo.bmrs.nl" "homeassistant.timo.bmrs.nl" "adguard.timo.bmrs.nl" "git.timo.bmrs.nl" "auth.timo.bmrs.nl" "ldap.timo.bmrs.nl" "dozzle.timo.bmrs.nl" "home.timo.bmrs.nl" "immich.timo.bmrs.nl" "paperless.timo.bmrs.nl" "search.timo.bmrs.nl" ]; "192.168.100.118" = [
"tbmrs.nl"
"auth.tbmrs.nl"
"git.tbmrs.nl"
"photos.tbmrs.nl"
"home.tbmrs.nl"
"uptime.tbmrs.nl"
"share.tbmrs.nl"
"vault.local.tbmrs.nl"
"paperless.local.tbmrs.nl"
"monitor.local.tbmrs.nl"
];
}; };
services.openssh.enable = true; services.openssh.enable = true;

31
hosts/v-th-ctr-01/configuration.nix Normal file
View File

@ -0,0 +1,31 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ modulesPath, ... }:
{
imports = [
# Include the default incus configuration.
"${modulesPath}/virtualisation/lxc-container.nix"
# Include the container-specific autogenerated configuration.
];
networking = {
dhcpcd.enable = false;
useDHCP = false;
useHostResolvConf = false;
};
systemd.network = {
enable = true;
networks."50-eth0" = {
matchConfig.Name = "eth0";
networkConfig = {
DHCP = "ipv4";
IPv6AcceptRA = true;
};
linkConfig.RequiredForOnline = "routable";
};
};
}

9
hosts/v-th-ctr-01/default.nix
View File

@ -56,14 +56,19 @@
networking.firewall = { networking.firewall = {
enable = true; enable = true;
allowedTCPPorts = [ 80 443 53 ]; allowedTCPPorts = [ 1080 1443 1053 ];
allowedUDPPorts = [ 80 443 53 ]; allowedUDPPorts = [ 1080 1443 1053 ];
};
networking.hosts = {
"127.0.0.1" = [ "tbmrs.nl" ];
}; };
users.users.deploy = { users.users.deploy = {
isNormalUser = true; isNormalUser = true;
description = "Deploy"; description = "Deploy";
extraGroups = [ "networkmanager" "wheel" "dialout" ]; extraGroups = [ "networkmanager" "wheel" "dialout" ];
linger = true;
}; };
nix.settings.trusted-users = [ "root" "deploy" ]; nix.settings.trusted-users = [ "root" "deploy" ];

18
hosts/v-th-ctr-01/home.nix
View File

@ -23,10 +23,11 @@
applications.ssh.enable = true; applications.ssh.enable = true;
applications.thunderbird.enable = false; applications.thunderbird.enable = false;
applications.yazi.enable = true; applications.yazi.enable = true;
applications.zellij.enable = false; applications.zellij.enable = true;
services.nextcloud-sync.enable = false; services.nextcloud-sync.enable = false;
services.podman.enable = true; services.podman.enable = true;
services.sops.enable = true;
theming.fonts.enable = false; theming.fonts.enable = false;
theming.stylix.enable = false; theming.stylix.enable = false;
@ -36,12 +37,25 @@
desktop-environments.hyprland.enable = false; desktop-environments.hyprland.enable = false;
containers = { containers = {
network.enable = true;
nginx.enable = true; nginx.enable = true;
caddy.enbale = true; caddy.enable = true;
kanidm.enable = true;
forgejo.enable = true;
immich.enable = true;
homepage.enable = true;
uptime-kuma.enable = true;
pingvin-share.enable = true;
vaultwarden.enable = true;
paperless-ngx.enable = true;
beszel.enable = true;
}; };
}; };
home.packages = with pkgs; [ home.packages = with pkgs; [
unstable.helix
lazygit
]; ];
# Enable home-manager # Enable home-manager

41
modules/home/applications/zellij.nix
View File

@ -1,9 +1,38 @@
{ config, lib, ... }: { config, lib, pkgs, ... }:
with lib; with lib;
let let
cfg = config.settings.applications.zellij; cfg = config.settings.applications.zellij;
sesh = pkgs.writeScriptBin "sesh" ''
#! /usr/bin/env sh
# Taken from https://github.com/zellij-org/zellij/issues/884#issuecomment-1851136980
# select a directory using zoxide
ZOXIDE_RESULT=$(${pkgs.zoxide}/bin/zoxide query --interactive)
# checks whether a directory has been selected
if [[ -z "$ZOXIDE_RESULT" ]]; then
# if there was no directory, select returns without executing
exit 0
fi
# extracts the directory name from the absolute path
SESSION_TITLE=$(echo "$ZOXIDE_RESULT" | sed 's#.*/##')
# get the list of sessions
SESSION_LIST=$(zellij list-sessions -n | awk '{print $1}')
# checks if SESSION_TITLE is in the session list
if echo "$SESSION_LIST" | grep -q "^$SESSION_TITLE$"; then
# if so, attach to existing session
zellij attach "$SESSION_TITLE"
else
# if not, create a new session
echo "Creating new session $SESSION_TITLE and CD $ZOXIDE_RESULT"
cd $ZOXIDE_RESULT
zellij attach -c "$SESSION_TITLE"
fi
'';
in { in {
options = { options = {
settings.applications.zellij.enable = lib.mkOption { settings.applications.zellij.enable = lib.mkOption {
@ -19,6 +48,15 @@ in {
enable = true; enable = true;
}; };
programs.zoxide = {
enable = true;
enableZshIntegration = true;
};
home.packages = [
sesh
];
home.file.zellij = { home.file.zellij = {
target = ".config/zellij/config.kdl"; target = ".config/zellij/config.kdl";
text = '' text = ''
@ -26,6 +64,7 @@ in {
keybinds { keybinds {
normal { normal {
bind "Ctrl e" { ToggleFloatingPanes; SwitchToMode "normal"; } bind "Ctrl e" { ToggleFloatingPanes; SwitchToMode "normal"; }
bind "Ctrl d" { Detach; }
bind "Alt 1" { GoToTab 1; } bind "Alt 1" { GoToTab 1; }
bind "Alt 2" { GoToTab 2; } bind "Alt 2" { GoToTab 2; }
bind "Alt 3" { GoToTab 3; } bind "Alt 3" { GoToTab 3; }

56
modules/home/containers/beszel.nix Normal file
View File

@ -0,0 +1,56 @@
{ config, lib, ... }:
with lib;
let
cfg = config.settings.containers.beszel;
in {
options = {
settings.containers.beszel.enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Enable Beszel container
'';
};
};
config = mkIf cfg.enable {
settings.services.sops.enable = true;
services.podman.containers.beszel = {
image = "henrygd/beszel:latest";
network = "proxy";
volumes = [
"%h/containers/beszel/data:/beszel_data"
"%h/containers/beszel/socket:/beszel_socket"
];
environment = {
DISABLE_PASSWORD_AUTH = false;
USER_CREATION = true;
};
};
services.podman.containers.beszel-agent = {
image = "henrygd/beszel-agent:latest";
network = "proxy";
volumes = [
"%h/containers/beszel/socket:/beszel_socket"
"/run/user/1000/podman/podman.sock:/var/run/podman.sock:ro"
"${config.sops.secrets."containers/beszel/key".path}:/run/secrets/key"
];
user = 1000;
userNS = "keep-id";
environment = {
LISTEN = "/beszel_socket/beszel.sock";
KEY_FILE = "/run/secrets/key";
DOCKER_HOST = "unix:///var/run/podman.sock";
};
};
sops.secrets = {
"containers/beszel/key" = { };
};
};
}

73
modules/home/containers/caddy.nix
View File

@ -17,20 +17,83 @@ in {
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.podman.containers.caddy = { services.podman.containers.caddy = {
image = "ghcr.io/iarekylew00t/caddy-cloudflare:latest"; image = "localhost/tboomers/caddy-custom:latest";
network = "proxy";
ports = [ ports = [
"1080:80" "1080:80"
"1443:8443" "1443:443"
]; ];
volumes = [ volumes = [
"~/containers/caddy/Caddyfile:/etc/caddy/Caddyfile" "%h/containers/caddy/Caddyfile:/etc/caddy/Caddyfile"
"%h/containers/caddy/acme_key:/etc/caddy/acme_key"
"%h/containers/caddy/data:/data"
]; ];
}; };
home.file."containers/caddy/Caddyfile".text = '' home.file."containers/caddy/Caddyfile".text = ''
localhost *.tbmrs.nl, tbmrs.nl {
tls {
dns transip xeovalyte /etc/caddy/acme_key
resolvers 1.1.1.1
}
response "Hello, world!" @root host tbmrs.nl
handle @root {
respond "Hello there"
}
@kanidm host auth.tbmrs.nl
handle @kanidm {
reverse_proxy https://auth.tbmrs.nl
}
@forgejo host git.tbmrs.nl
handle @forgejo {
reverse_proxy forgejo:3000
}
@immich host photos.tbmrs.nl
handle @immich {
reverse_proxy immich-server:2283
}
@homepage host home.tbmrs.nl
handle @homepage {
reverse_proxy homepage:3000
}
@uptime-kuma host uptime.tbmrs.nl
handle @uptime-kuma {
reverse_proxy uptime-kuma:3001
}
@pingvin-share host share.tbmrs.nl
handle @pingvin-share {
reverse_proxy pingvin-share:3000
}
}
*.local.tbmrs.nl {
tls {
dns transip xeovalyte /etc/caddy/acme_key
resolvers 1.1.1.1
}
@vaultwarden host vault.local.tbmrs.nl
handle @vaultwarden {
reverse_proxy vaultwarden:80
}
@paperless-ngx host paperless.local.tbmrs.nl
handle @paperless-ngx {
reverse_proxy paperless-ngx:8000
}
@beszel host monitor.local.tbmrs.nl
handle @beszel {
reverse_proxy beszel:8090
}
}
''; '';
}; };
} }

32
modules/home/containers/forgejo.nix Normal file
View File

@ -0,0 +1,32 @@
{ config, lib, ... }:
with lib;
let
cfg = config.settings.containers.forgejo;
in {
options = {
settings.containers.forgejo.enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Enable forgejo container
'';
};
};
config = mkIf cfg.enable {
services.podman.containers.forgejo = {
image = "codeberg.org/forgejo/forgejo:11";
network = "proxy";
volumes = [
"%h/containers/forgejo/data:/data"
];
environment = {
FORGEJO__service__ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
FORGEJO__service__SHOW_REGISTRATION_BUTTON = false;
FORGEJO__service__ENABLE_PASSWORD_SIGNIN_FORM = false;
};
};
};
}

130
modules/home/containers/homepage.nix Normal file
View File

@ -0,0 +1,130 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.settings.containers.homepage;
in {
options = {
settings.containers.homepage.enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Enable homepage container
'';
};
};
config = mkIf cfg.enable {
services.podman.containers.homepage = {
image = "ghcr.io/gethomepage/homepage:latest";
network = "proxy";
volumes = [
"%h/containers/homepage/config:/app/config"
"%h/containers/homepage/config/settings.yaml:/app/config/settings.yaml"
"%h/containers/homepage/config/services.yaml:/app/config/services.yaml"
"%h/containers/homepage/config/docker.yaml:/app/config/docker.yaml"
"/run/user/1000/podman/podman.sock:/var/run/podman.sock:ro"
];
environment = {
HOMEPAGE_ALLOWED_HOSTS = "home.tbmrs.nl";
};
};
home.file."containers/homepage/config/settings.yaml".source = (pkgs.formats.yaml { }).generate "settings" {
title = "Timo's Server";
description = "server from Timo";
theme = "dark";
color = "slate";
};
home.file."containers/homepage/config/services.yaml".source = (pkgs.formats.yaml { }).generate "services" [
{
"Infra" = [
{
"Kanidm" = {
href = "https://auth.tbmrs.nl";
description = "Oauth2 and ldap provider";
icon = "kanidm";
server = "podman";
container = "kanidm";
};
}
{
"Uptime Kuma" = {
href = "https://uptime.tbmrs.nl";
description = "Uptime and status";
icon = "uptime-kuma";
server = "podman";
container = "uptime-kuma";
};
}
{
"Beszel" = {
href = "https://monitor.local.tbmrs.nl";
description = "Server monitoring";
icon = "beszel";
server = "podman";
container = "beszel";
};
}
];
}
{
"Services" = [
{
"Forgejo" = {
href = "https://git.tbmrs.nl";
description = "Git server";
icon = "forgejo";
server = "podman";
container = "forgejo";
};
}
{
"Immich" = {
href = "https://photos.tbmrs.nl";
description = "Photo's and videos";
icon = "immich";
server = "podman";
container = "immich-server";
};
}
{
"Pingvin" = {
href = "https://share.tbmrs.nl";
description = "File sharing";
icon = "pingvin-share";
server = "podman";
container = "pingvin-share";
};
}
{
"Vaultwarden" = {
href = "https://vault.local.tbmrs.nl";
description = "Password management";
icon = "vaultwarden";
server = "podman";
container = "vaultwarden";
};
}
{
"Paperless" = {
href = "https://paperless.local.tbmrs.nl";
description = "Documents management";
icon = "paperless-ngx";
server = "podman";
container = "paperless-ngx";
};
}
];
}
];
home.file."containers/homepage/config/docker.yaml".source = (pkgs.formats.yaml {}).generate "docker" {
podman = {
socket = "/var/run/podman.sock";
};
};
};
}

75
modules/home/containers/immich.nix Normal file
View File

@ -0,0 +1,75 @@
{ config, lib, ... }:
with lib;
let
cfg = config.settings.containers.immich;
in {
options = {
settings.containers.immich.enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Enable immich container
'';
};
};
config = mkIf cfg.enable {
services.podman.containers.immich-server = {
image = "ghcr.io/immich-app/immich-server:release";
network = "proxy";
volumes = [
"%h/containers/immich/upload:/usr/src/app/upload"
"/etc/localtime:/etc/localtime:ro"
];
extraConfig = {
Unit = {
After = [
"podman-immich-redis.service"
"podman-immich-database.service"
];
Requires = [
"podman-immich-redis.service"
"podman-immich-database.service"
];
};
};
environment = {
DB_PASSWORD = "changeme";
DB_USERNAME = "postgres";
DB_DATABASE_NAME = "immich";
DB_HOSTNAME = "immich-database";
REDIS_HOSTNAME = "immich-redis";
};
};
services.podman.containers.immich-machine-learning = {
image = "ghcr.io/immich-app/immich-machine-learning:release";
network = "proxy";
volumes = [
"%h/containers/immich/model-cache:/cache"
];
};
services.podman.containers.immich-redis = {
image = "docker.io/valkey/valkey:8-bookworm@sha256:42cba146593a5ea9a622002c1b7cba5da7be248650cbb64ecb9c6c33d29794b1";
network = "proxy";
};
services.podman.containers.immich-database = {
image = "docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:739cdd626151ff1f796dc95a6591b55a714f341c737e27f045019ceabf8e8c52";
network = "proxy";
volumes = [
"%h/containers/immich/database-data:/var/lib/postgresql/data"
];
environment = {
POSTGRES_PASSWORD = "changeme";
POSTGRES_USER = "postgres";
POSTGRES_DB = "immich";
POSTGRES_INITDB_ARGS = "--data-checksums";
};
exec = ''postgres -c shared_preload_libraries=vectors.so -c 'search_path="$$user", public, vectors' -c logging_collector=on -c max_wal_size=2GB -c shared_buffers=512MB -c wal_compression=on'';
};
};
}

40
modules/home/containers/kanidm.nix Normal file
View File

@ -0,0 +1,40 @@
{ config, lib, ... }:
with lib;
let
cfg = config.settings.containers.nginx;
in {
options = {
settings.containers.kanidm.enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Enable kanidm container
'';
};
};
config = mkIf cfg.enable {
services.podman.containers.kanidm = {
image = "kanidm/server:latest";
network = "proxy";
networkAlias = [
"auth.tbmrs.nl"
];
volumes = [
"%h/containers/kanidm/data:/data"
"%h/containers/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/wildcard_.tbmrs.nl:/data/keys"
];
environment = {
KANIDM_VERSION = "2";
KANIDM_BINDADDRESS = "[::]:443";
KANIDM_DB_PATH = "/data/kanidm.db";
KANIDM_TLS_CHAIN = "/data/keys/wildcard_.tbmrs.nl.crt";
KANIDM_TLS_KEY = "/data/keys/wildcard_.tbmrs.nl.key";
KANIDM_DOMAIN = "auth.tbmrs.nl";
KANIDM_ORIGIN = "https://auth.tbmrs.nl";
};
};
};
}

24
modules/home/containers/network.nix Normal file
View File

@ -0,0 +1,24 @@
{ config, lib, ... }:
with lib;
let
cfg = config.settings.containers.nginx;
in {
options = {
settings.containers.network.enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Enable network
'';
};
};
config = mkIf cfg.enable {
services.podman.networks.proxy = {
description = "Container network for the proxy";
autoStart = true;
};
};
}

97
modules/home/containers/paperless-ngx.nix Normal file
View File

@ -0,0 +1,97 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.settings.containers.paperless-ngx;
in {
options = {
settings.containers.paperless-ngx.enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Enable Paperless NGX container
'';
};
};
config = mkIf cfg.enable {
settings.services.sops.enable = true;
services.podman.containers.paperless-ngx = {
image = "ghcr.io/paperless-ngx/paperless-ngx:latest";
network = "proxy";
volumes = [
"%h/containers/paperless-ngx/data:/usr/src/paperless/data"
"%h/containers/paperless-ngx/media:/usr/src/paperless/media"
"%h/containers/paperless-ngx/export:/usr/src/paperless/export"
"%h/containers/paperless-ngx/consume:/usr/src/paperless/consume"
"${config.sops.secrets."containers/paperless-ngx/db-password".path}:/run/secrets/db-password"
"${config.sops.secrets."containers/paperless-ngx/secret".path}:/run/secrets/secret"
"${config.sops.secrets."containers/paperless-ngx/openid-providers".path}:/run/secrets/openid-providers"
];
environment = {
PAPERLESS_REDIS = "redis://paperless-ngx-broker:6379";
PAPERLESS_DBHOST = "paperless-ngx-db";
PAPERLESS_URL = "https://paperless.local.tbmrs.nl";
PAPERLESS_DBPASS_FILE = "/run/secrets/db-password";
PAPERLESS_SECRET_KEY_FILE = "/run/secrets/secret";
PAPERLESS_DISABLE_REGULAR_LOGIN = false;
PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
PAPERLESS_SOCIALACCOUNT_PROVIDERS_FILE = "/run/secrets/openid-providers";
PAPERLESS_SOCIAL_ACCOUNT_SYNC_GROUPS = true;
};
extraConfig = {
Unit = {
After = [
"sops-nix.service"
"podman-paperless-ngx-db.service"
"podman-paperless-ngx-broker.service"
];
Requires = [
"podman-paperless-ngx-db.service"
"podman-paperless-ngx-broker.service"
];
};
};
};
services.podman.containers.paperless-ngx-db = {
image = "docker.io/library/postgres:17";
network = "proxy";
volumes = [
"%h/containers/paperless-ngx/db-data:/var/lib/postgresql/data"
"${config.sops.secrets."containers/paperless-ngx/db-password".path}:/run/secrets/db-password"
];
environment = {
POSTGRES_DB = "paperless";
POSTGRES_USER = "paperless";
POSTGRES_PASSWORD_FILE = "/run/secrets/db-password";
};
extraConfig = {
Unit = {
After = [
"sops-nix.service"
];
};
};
};
services.podman.containers.paperless-ngx-broker = {
image = "docker.io/library/redis:7";
network = "proxy";
volumes = [
"%h/containers/paperless-ngx/redis-data:/data"
];
};
sops.secrets = {
"containers/paperless-ngx/db-password" = { };
"containers/paperless-ngx/secret" = { };
"containers/paperless-ngx/openid-providers" = { };
};
};
}

73
modules/home/containers/pingvin-share.nix Normal file
View File

@ -0,0 +1,73 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.settings.containers.pingvin-share;
in {
options = {
settings.containers.pingvin-share.enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Enable Pingvin share container
'';
};
};
config = mkIf cfg.enable {
settings.services.sops.enable = true;
services.podman.containers.pingvin-share = {
image = "ghcr.io/stonith404/pingvin-share";
network = "proxy";
volumes = [
"%h/containers/pingvin-share/data:/opt/app/backend/data"
# "%h/containers/pingvin-share/config.yaml:/opt/app/config.yaml"
"${config.sops.templates."container-pingvin.yaml".path}:/opt/app/config.yaml"
];
environment = {
TRUST_PROXY = true;
};
userNS = "keep-id";
extraConfig = {
Unit = {
After = [
"sops-nix.service"
];
};
};
};
sops.templates = {
"container-pingvin.yaml" = {
content = /*yaml*/ ''
general:
secureCookies: "true"
appUrl: https://share.tbmrs.nl
showHomePage: "false"
share:
allowRegistration: "true"
maxSize: "10000000000"
oauth:
disablePassword: "false"
oidc-enabled: "true"
oidc-discoveryUri: "https://auth.tbmrs.nl/oauth2/openid/pingvin/.well-known/openid-configuration"
oidc-clientId: pingvin
oidc-clientSecret: "${config.sops.placeholder."containers/pingvin-share/oidc-secret"}"
initUser:
enabled: "true"
username: "admin"
email: "admin@example.com"
password: "my-secure-password"
isAdmin: true
ldapDN: ""
'';
};
};
sops.secrets = {
"containers/pingvin-share/oidc-secret" = { };
};
};
}

27
modules/home/containers/uptime-kuma.nix Normal file
View File

@ -0,0 +1,27 @@
{ config, lib, ... }:
with lib;
let
cfg = config.settings.containers.uptime-kuma;
in {
options = {
settings.containers.uptime-kuma.enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Enable uptime kuma container
'';
};
};
config = mkIf cfg.enable {
services.podman.containers.uptime-kuma = {
image = "louislam/uptime-kuma:1";
network = "proxy";
volumes = [
"%h/containers/uptime-kuma/data:/app/data"
];
};
};
}

31
modules/home/containers/vaultwarden.nix Normal file
View File

@ -0,0 +1,31 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.settings.containers.vaultwarden;
in {
options = {
settings.containers.vaultwarden.enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Enable Vaultwarden container
'';
};
};
config = mkIf cfg.enable {
services.podman.containers.vaultwarden = {
image = "ghcr.io/dani-garcia/vaultwarden:latest";
network = "proxy";
volumes = [
"%h/containers/vaultwarden/data:/data"
];
environment = {
DOMAIN = "https://vault.local.tbmrs.nl";
SIGNUPS_ALLOWED = true;
};
};
};
}

14
modules/home/default.nix
View File

@ -17,13 +17,25 @@
./services/nextcloud.nix ./services/nextcloud.nix
./services/podman.nix ./services/podman.nix
./services/sops.nix
./theming/fonts.nix ./theming/fonts.nix
./theming/stylix.nix ./theming/stylix.nix
./desktop-environments/hyprland/default.nix ./desktop-environments/hyprland/default.nix
./containers/nginx.nix ./containers/network.nix
./containers/caddy.nix ./containers/caddy.nix
./containers/kanidm.nix
./containers/nginx.nix
./containers/forgejo.nix
./containers/immich.nix
./containers/homepage.nix
./containers/uptime-kuma.nix
./containers/pingvin-share.nix
./containers/vaultwarden.nix
./containers/paperless-ngx.nix
./containers/beszel.nix
]; ];
} }

34
modules/home/services/sops.nix Normal file
View File

@ -0,0 +1,34 @@
{ lib, config, inputs, pkgs, ... }:
with lib;
let
cfg = config.settings.services.sops;
in {
options = {
settings.services.sops.enable = lib.mkOption {
type = lib.types.bool;
description = ''
Enable sops secret management
'';
default = false;
};
};
imports = [
inputs.sops-nix.homeManagerModules.sops
];
config = mkIf cfg.enable {
home.packages = with pkgs; [
sops
age
];
sops = {
age.keyFile = "/home/${config.home.username}/.config/sops/age/keys.txt"; # must have no password!
defaultSopsFile = ../../../secrets/deploy.yaml;
};
};
}

1
modules/system/applications/common.nix
View File

@ -22,6 +22,7 @@ in {
btop btop
git git
yazi yazi
zoxide
just just
]; ];

30
secrets/deploy.yaml Normal file
View File

@ -0,0 +1,30 @@
example-key: ENC[AES256_GCM,data:zQ4Sb+IOxM/JB/0KZQ==,iv:SgpzREfqbgBgd8psV7Optl4nDpMmDBDsitGQZLLSAL0=,tag:mZ48ExMkupiuMqJvgoIK+g==,type:str]
containers:
pingvin-share:
oidc-secret: ENC[AES256_GCM,data:jO5fvIK/1XnFweqKvedPMED0xvsqErjDP+eT7wAwXFuREbS6KakwY7pUzi20wdI0,iv:SnnmXiZoawpZV83483esQ1TIaFTACiIUcA6hcoXsw0I=,tag:cC/ftyj8jlK1re/rX4IiEw==,type:str]
beszel:
key: ENC[AES256_GCM,data:rRtx8Jx/aHOqeRa9dlyc42/62UwwqhkiLDLnZCM65rpW5nL5cQG2dS81YOMVPrE7Sa/cHlE3bvxqETaxMmsJGYukjmZph8skpF0qukCDe4Q=,iv:OS/+jF4MtwPdijXPpG2pgpJQTYyer9bms97B+kO8XhI=,tag:va7jCSGrXp2YKBlYzLI39g==,type:str]
paperless-ngx:
db-password: ENC[AES256_GCM,data:H21HVshmFuWJ5qNIrjm0VMGHEsT7cCvScgamU+CAaNZ6j5ux/r4xiF9zP7Qh40sKTOvyoWGTcHGPHE5ClpGuQA==,iv:tDIRfThBOfHr+gGRqywlHAk/x4MkhHRFsJEp5nnlGPA=,tag:XbYKD90l3u93Ur4VOqOn6w==,type:str]
secret: ENC[AES256_GCM,data:+1hriBiSbt+zUjEkBTEM90PFNlxfNwRAmz8wHyeyOnq6ThI+PtlDu83sunBFL2FUYJX0N4h3R4FvJBUkrPr0NQ==,iv:zzhFaoLnskspp1S291KABLZITgcof63cjShnsZrlAmw=,tag:+aafTLgZVBWeclQLQvVlQg==,type:str]
openid-providers: ENC[AES256_GCM,data:bpUnVFvvMUTkjApqkWi8gcVXgvaM8d/bcuoiQgco/UJZBQqbSEQys8BSb9yaSx8HAIZEcWjpb4N5FEb3P1uH8de4Nq7nlAg+GdDuS4WjInF5KOWQY9p0T4HfnMJyfx7zIiWW7nPSaxPNtMNZxQiXnW8oJr1fmz/O49T4egw1tdxWj6CO4d+T6aRKBsS26Ie1HYJ6BTT1B6qiIgiBpAvXh558nduk3tIz1blTCeV9XpnZgKlj45mS+g6+Eqqj0ATI7CC5y5CEVaMs1rC0NzlVm7/rEV4dBpVlmHtN5KE4aRMiH3YUYnJ5Nbo7EVfPQ7xkEPRmIOtXzXut8Hpml3QkFhdvHH5ZbworFrwL+LHm4GpHbUyCGc6OkWZ9+/mILos3o4BaI0qLQRchoGddvx5dOJyn5lJj3AfRgLB8zu9JSXZDre/LHovcJwpzmOip09mmjk7CGjea2f8wDnnX2HRXlM9alUbwlvXU69+MhTJBmqWe4kCBB8riz5gHRg2lQRMnMg64roPv7C7B1VoHANISDA3LHG4hocXknO69rBnjTjIYJNblDEtTztSTJdQvYb2102gFrxg4Grxu6/gQcXTbe4DScqUmIhebk98Nc7xlca9l+FGzmFB8cbznFFiaLE3wRK3G7g540+GOPoyXXxTGp3l5cOi6VE8cDd+HK5KDBnlgFecR/5QCRw40e9qvmCSttaxDCme+YrFHW248jgVwWvsNiFT5bBR4phS5c0VjrHdcy+1zY3R6GsnmXMfonIYHcq8apMhqVCdqHAzV2Qij4/RIyqCQoOeX86fi/pdDCvtMEbYt2nVqITmmxgOFRk4GSbLcjkbKG0SPVQWjGGXNkB/MfhUsvHG7E00IrAt1DgFEzqSar4Ildd7D4MzURJZxWNqoES0IhyVcxOgweCTakXM9QHqt,iv:ba2bri2F/B6Sp3HfpXVWZ/WMVFOPF4+DyAtdS56yNqQ=,tag:1uW6iDXiZm0vXUjmJPBchw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1cs2p7tgk9356tjmet6526k3ghwq9we82nz6z7qggqns656paku6sx30tkg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZ3BnZ3JoT3l2RmQrSzJV
aUk4MEV1aUxKUXBhLyt4T1FBT0pyWTdxYmpFCkdlMm9qYUxtR0UvblhJSlVaMno4
NGtUcVZSaUprZ2lEeVpPaUFNcGlxSFUKLS0tIEcydm1tR0xxM2JpYzZBblBXSUZF
bGpsMnpoQWlxbmlobVdVSjU2ZWp1dGMKql+6ZqtuixZ9TJgJMaTOFsB0gsLLvuqE
ZQikUHunrP8d5n/TvzL4VyIF2Oqy+cjTnjX/9fcqsjB6w3oY4qDXkg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-30T13:11:24Z"
mac: ENC[AES256_GCM,data:JA1T9q0otjshJWyb8fingvD0CmYyTKdhvNMI3RVoZaMEAwBV4AwMCftG9zWMOgof4NcG4EhdOI7KG7qhctpo25K9j5IhaY8GA/p7BStBopuowTTUZecWHxXy4OFEtuW1PXBGrkgfkupV+RZfeisoa1gGFhQ2tW+fOqtoTFFCLHA=,iv:CM5zgvA2krzLHGiVeiSTVzcswwk9+QJmNCr+3hqw+To=,tag:H0x1UasoXNb38+Cq0CP0YA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.4