From f51c7e426762c1a55a4a3b3f7d9c12f9d3f108cd Mon Sep 17 00:00:00 2001 From: Timo Boomers Date: Tue, 20 May 2025 16:36:44 +0200 Subject: [PATCH] added basic raspi config --- README.md | 62 +++++++++++++++++++++++ hosts/p-th-rpi-01/configuration.nix | 69 ++++++++++++++++++++++++++ hosts/p-th-rpi-01/home.nix | 74 ++++++++++++++++++++++++++++ hosts/ti-clt-dsk01/configuration.nix | 23 +++++++++ hosts/ti-clt-dsk01/home.nix | 1 + 5 files changed, 229 insertions(+) create mode 100644 hosts/p-th-rpi-01/configuration.nix create mode 100644 hosts/p-th-rpi-01/home.nix diff --git a/README.md b/README.md index ea8195a..e3c0d02 100644 --- a/README.md +++ b/README.md @@ -3,6 +3,7 @@ ## New system install guide ### 1. Install Nixos with ISO + [Nixos download](https://nixos.org/download) ### 2. Copy hardware configuration to hosts directory 
@@ -10,14 +11,75 @@ ### 3. Generate ssh-keys **Archserver** + 1. `ssh-keygen -f ~/.ssh/archserver` 2. `ssh-copy-id -i ~/.ssh/archserver 192.168.1.20` **Gitea** + 1. `ssh-keygen -f ~/.ssh/gitea -t ed25519 -C "me+gitea@xeovalyte.dev"` 2. Upload to [Gitea](https://gitea.xeovalyt.dev) 3. Verify ssh key (follow instructions on Gitea) ### 4. Add SSH keys + 1. `ssh-add ~/.ssh/gitea` 2. `ssh-add ~/.ssh/archserver` + +## Homelab + +List over services + +| Service | Description | Link | +| -------------- | -------------------- | ---------------------------------------------------------------------- | +| Caddy | Reverse proxy | - | +| Kanidm | Openid provider | [auth.tbmrs.nl](https://auth.tbmrs.nl) | +| Forgejo | Git provider | [git.tbmrs.nl](https://git.tbmrs.nl) | +| Immich | Photo and videos | [photos.tbmrs.nl](https://photos.tbmrs.nl) | +| Homepage | Dashboard | [home.tbmrs.nl](https://home.tbmrs.nl) | +| Uptime Kuma | Uptime monitor | [uptime.tbmrs.nl](https://uptime.tbmrs.nl) | +| Pingvin share | Sharing of files | [share.tbmrs.nl](https://share.tbmrs.nl) | +| Vaultwarden | Password manager | [vault.local.tbmrs.nl](https://vault.local.tbmrs.nl) | +| Paperless NGX | Documents management | [paperless.local.tbmrs.nl](https://paperless.local.tbmrs.nl) | +| Beszel | Resource usage | [monitor.local.tbmrs.nl](https://monitor.local.tbmrs.nl) | +| Dufs | File manager | [files.tbmrs.nl](https://files.tbmrs.nl) | +| Syncthing | File syncing | [syncthing.local.tbmrs.nl](https://syncthing.local.tbmrs.nl) | +| Home Assistant | Home automation | [home-assistant.local.tbmrs.nl](https://home-assistant.local.tbmrs.nl) | +| Karakeep | Bookmarking | [karakeep.local.tbmrs.nl](https://karakeep.local.tbmrs.nl) | +| Vikunja | Tasks management | [vikunja.local.tbmrs.nl](https://vikunja.local.tbmrs.nl) | +| Stalwart | Mailserver | [mail.tbmrs.nl](https://mail.tbmrs.nl) | + +### Openid commands + +#### Configure new openid client + +From: [Kanidm 
Docs](https://kanidm.github.io/kanidm/master/integrations/oauth2/examples.html) + +Replace `` with the name of the service. + +1. Create a new Kanidm group, and add your regular account to it: + +```bash +$ kanidm group create _users +$ kanidm group add-members _users your_username +``` + +2. Create a new OAuth2 application configuration in Kanidm, configure the redirect URL, and scope access to the group: + +```bash +$ kanidm system oauth2 create +$ kanidm system oauth2 add-redirect-url +$ kanidm system oauth2 update-scope-map _users email openid profile groups +``` + +3. (Optional) Disable PKCE + +```bash +$ kanidm system oauth2 warning-insecure-client-disable-pkce +``` + +4. Get the OAuth2 client secret from Kanidm + +```bash +$ kanidm system oauth2 show-basic-secret +``` diff --git a/hosts/p-th-rpi-01/configuration.nix b/hosts/p-th-rpi-01/configuration.nix new file mode 100644 index 0000000..e914941 --- /dev/null +++ b/hosts/p-th-rpi-01/configuration.nix 
@@ -0,0 +1,69 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ modulesPath, ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ # Include the container-specific autogenerated configuration.
+ ../../modules/system/default.nix
+ ];
+
+ settings = {
+ hostname = "p-th-rpi-01";
+ display-manager = "none";
+ desktop-environments = {
+ cosmic.enable = false;
+ hyprland.enable = false;
+ gnome.enable = false;
+ };
+ applications = {
+ common.enable = true;
+ steam.enable = false;
+ thunar.enable = false;
+ };
+ services = {
+ docker.enable = false;
+ podman.enable = true;
+ quickemu.enable = false;
+ sunshine.enable = false;
+ garbage-collection.enable = true;
+ incus.enable = false;
+ ssh.enable = true;
+ };
+ hardware = {
+ fprint.enable = false;
+ printing.enable = false;
+ bluetooth.enable = false;
+ firewall.enable = true;
+ locale.enable = true;
+ nvidia.enable = false;
+ };
+ };
+
+ users.users.deploy = {
+ isNormalUser = true;
+ description = "Deploy";
+ extraGroups = [ "networkmanager" "wheel" "dialout" ];
+ linger = true;
+ };
+
+ # networking
+ networking = {
+ dhcpcd.enable = false;
+ useDHCP = false;
+ useHostResolvConf = false;
+ };
+
+ networking.hosts = {
+ "127.0.0.1" = [ "tbmrs.nl" ];
+ };
+
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [ 1080 1443 1053 ];
+ allowedUDPPorts = [ 1080 1443 1053 ];
+ };
+}
diff --git a/hosts/p-th-rpi-01/home.nix b/hosts/p-th-rpi-01/home.nix
new file mode 100644
index 0000000..6e9d5a8
--- /dev/null
+++ b/hosts/p-th-rpi-01/home.nix
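Review bot: The `deploy` account declared at `users.users.deploy` is put in `wheel` and set to linger, but nothing in this file gives it a credential — there is no `openssh.authorizedKeys.keys` and no `hashedPassword`/`initialPassword` — while `settings.services.ssh.enable = true` turns SSH on through `modules/system/default.nix`, which is not in the diff. Unless that module injects keys and leaves NixOS's default `security.sudo.wheelNeedsPassword = true` in place, the account is either unreachable or reachable with whatever the module defaults to; pin the key material in this host file with `openssh.authorizedKeys.keys = [ "<ed25519 public key of the operator>" ];` so the admin path to the Pi is reviewable where the user is defined. `allowedUDPPorts = [ 1080 1443 1053 ]` presumably just mirrors the TCP list for a rootless-podman Caddy on unprivileged ports; unless Caddy is serving HTTP/3 on 1443, UDP 1080 and 1443 can be dropped and only 1053 (which looks like DNS) kept. `dialout` grants read/write on every serial device, so keep it only if the Pi actually drives serial hardware. The comment `# Include the container-specific autogenerated configuration.` above `../../modules/system/default.nix` is template text that describes nothing here; replace it with `# Shared system module; ssh, podman and the firewall are toggled through settings below.`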
@@ -0,0 +1,74 @@
+{ pkgs, ... }:
+
+{
+ imports = [
+ # Modules
+ ../../modules/home/default.nix
+ ];
+
+ config = {
+ home = {
+ username = "deploy";
+ homeDirectory = "/home/deploy";
+ };
+
+ settings = {
+ applications.common.enable = false;
+ applications.alacritty.enable = false;
+ applications.devenv.enable = false;
+ applications.firefox.enable = false;
+ applications.git.enable = false;
+ applications.helix.enable = true;
+ applications.zsh.enable = true;
+ applications.ssh.enable = true;
+ applications.thunderbird.enable = false;
+ applications.yazi.enable = true;
+ applications.zellij.enable = true;
+ applications.wezterm.enable = false;
+
+ services.nextcloud-sync.enable = false;
+ services.podman.enable = true;
+ services.sops.enable = true;
+
+ theming.fonts.enable = false;
+ theming.stylix.enable = false;
+ theming.stylix.wallpaper = "wallpaper-2.png";
+ theming.stylix.theme = "da-one-ocean";
+
+ desktop-environments.hyprland.enable = false;
+
+ containers = {
+ network.enable = true;
+
+ nginx.enable = false;
+ caddy.enable = true;
+ kanidm.enable = false;
+ forgejo.enable = false;
+ immich.enable = false;
+ homepage.enable = false;
+ uptime-kuma.enable = false;
+ pingvin-share.enable = false;
+ vaultwarden.enable = false;
+ paperless-ngx.enable = false;
+ beszel.enable = false;
+ storage.enable = false;
+ homeassistant.enable = false;
+ karakeep.enable = false;
+ vikunja.enable = false;
+ stalwart.enable = false;
+ linkding.enable = false;
+ static.enable = true;
+ };
+ };
+
+ home.packages = with pkgs; [
+ unstable.helix
+ lazygit
+ ];
+
+ # Enable home-manager
+ programs.home-manager.enable = true;
+
+ home.stateVersion = "24.05";
+ };
+}
diff --git a/hosts/ti-clt-dsk01/configuration.nix b/hosts/ti-clt-dsk01/configuration.nix
index c090f37..7f5b943 100644
--- a/hosts/ti-clt-dsk01/configuration.nix
+++ b/hosts/ti-clt-dsk01/configuration.nix
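Review bot: `home.packages` adds `unstable.helix` while `settings.applications.helix.enable = true` is set a few lines earlier; if the helix module (not visible here) installs `pkgs.helix` itself, the profile ends up with two `hx` binaries and home-manager fails on the path collision, so either drop `unstable.helix` from `home.packages` or have the module pick the package. `theming.stylix.wallpaper` and `theming.stylix.theme` are assigned although `theming.stylix.enable = false`, so on this headless Pi they are dead configuration and can be removed to keep the host file honest. The `containers` block disables everything except `caddy` and `static`, which reads as deliberate; a comment such as `# Only Caddy and the static site run on this host; all other containers stay off.` above `containers = {` would make the intent explicit for the next reader.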
@@ -54,6 +54,29 @@ # Networking networking.interfaces.enp7s0.wakeOnLan.enable = true; + networking.hosts = { + "192.168.100.118" = [ + "tbmrs.nl" + "auth.tbmrs.nl" + "git.tbmrs.nl" + "photos.tbmrs.nl" + "home.tbmrs.nl" + "uptime.tbmrs.nl" + "share.tbmrs.nl" + "files.tbmrs.nl" + "mail.tbmrs.nl" + "vault.local.tbmrs.nl" + "paperless.local.tbmrs.nl" + "monitor.local.tbmrs.nl" + "syncthing.local.tbmrs.nl" + "home-assistant.local.tbmrs.nl" + "karakeep.local.tbmrs.nl" + "vikunja.local.tbmrs.nl" + "linkding.local.tbmrs.nl" + ]; + }; + + # state version system.stateVersion = "24.11"; diff --git a/hosts/ti-clt-dsk01/home.nix b/hosts/ti-clt-dsk01/home.nix index fa8b3d7..63c289e 100644 --- a/hosts/ti-clt-dsk01/home.nix +++ b/hosts/ti-clt-dsk01/home.nix @@ -49,6 +49,7 @@ unstable.prismlauncher unstable.vesktop unstable.webcord + unstable.legcord unstable.rnote unstable.inkscape unstable.gimp
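Review bot: The `networking.hosts` entry for `192.168.100.118` is another hand-maintained copy of the service list, and the copies in this commit already disagree — `linkding.local.tbmrs.nl` is pinned here but absent from the README service table — so every new service will require editing several places. Pull the names into a shared value (for example a list option defined in `modules/system` and referenced as `networking.hosts."192.168.100.118" = config.homelab.hostnames;` here) so the pin and the documentation cannot drift apart. Pinning `auth.tbmrs.nl` and `mail.tbmrs.nl` to a LAN address is a static override that wins over DNS, so this desktop keeps using 192.168.100.118 even if the public records move; that is acceptable while the machine stays on that LAN and TLS validation by name still applies, but say so in a comment: `# Pin homelab names to the LAN address so traffic stays local; this overrides public DNS.`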