diff --git a/flake.lock b/flake.lock index c106215..5318aa3 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,48 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1754433428, + "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=", + "owner": "ryantm", + "repo": "agenix", + "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1744478979, + "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "43975d782b418ebf4969e9ccba82466728c2851b", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -17,6 +60,27 @@ } }, "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1745494811, + "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { "inputs": { "nixpkgs": [ "nixpkgs" 
@@ -39,40 +103,55 @@ "nixos-wsl": { "inputs": { "flake-compat": "flake-compat", - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1744290088, - "narHash": "sha256-/X9XVEl0EiyisNbF5srrxXRSVoRqdwExuqyspYqqEjQ=", + "lastModified": 1760536587, + "narHash": "sha256-wfWqt+igns/VazjPLkyb4Z/wpn4v+XIjUeI3xY/1ENg=", "owner": "nix-community", "repo": "NixOS-WSL", - "rev": "60b4904a1390ac4c89e93d95f6ed928975e525ed", + "rev": "f98ee1de1fa36eca63c67b600f5d617e184e82ea", "type": "github" }, "original": { "owner": "nix-community", - "ref": "main", "repo": "NixOS-WSL", "type": "github" } }, "nixpkgs": { "locked": { - "lastModified": 1742937945, - "narHash": "sha256-lWc+79eZRyvHp/SqMhHTMzZVhpxkRvthsP1Qx6UCq0E=", + "lastModified": 1754028485, + "narHash": "sha256-IiiXB3BDTi6UqzAZcf2S797hWEPCRZOwyNThJIYhUfk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d02d88f8de5b882ccdde0465d8fa2db3aa1169f7", + "rev": "59e69648d345d6e8fef86158c555730fa12af9de", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-24.11", + "ref": "nixos-25.05", "repo": "nixpkgs", "type": "github" } }, "nixpkgs_2": { + "locked": { + "lastModified": 1760524057, + "narHash": "sha256-EVAqOteLBFmd7pKkb0+FIUyzTF61VKi7YmvP1tw4nEw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "544961dfcce86422ba200ed9a0b00dd4b1486ec5", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { "locked": { "lastModified": 1746141548, "narHash": "sha256-IgBWhX7A2oJmZFIrpRuMnw5RAufVnfvOgHWgIdds+hc=", 
@@ -90,9 +169,25 @@ }, "root": { "inputs": { - "home-manager": "home-manager", + "agenix": "agenix", + "home-manager": "home-manager_2", "nixos-wsl": "nixos-wsl", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_3" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" } } }, diff --git a/flake.nix b/flake.nix index 1a9ba43..1b23f21 100644 --- a/flake.nix +++ b/flake.nix @@ -2,8 +2,8 @@ inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; - nixos-wsl.url = "github:nix-community/NixOS-WSL/main"; - + nixos-wsl.url = "github:nix-community/NixOS-WSL"; + agenix.url = "github:ryantm/agenix"; home-manager = { url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; @@ -20,7 +20,7 @@ formatter.${system} = nixpkgs.legacyPackages.${system}.nixfmt-tree; nixosConfigurations = { - wsl = nixpkgs.lib.nixosSystem { + "wsl" = nixpkgs.lib.nixosSystem { specialArgs = { inherit inputs outputs; }; @@ -30,6 +30,30 @@ modules = [ ./hosts/wsl/configuration.nix inputs.nixos-wsl.nixosModules.default + inputs.agenix.nixosModules.default + inputs.home-manager.nixosModules.default + { + home-manager = { + useGlobalPkgs = true; + useUserPackages = true; + users = { + nixos = import ./home/nixos/home.nix; + }; + }; + } + ]; + }; + + "homelab" = nixpkgs.lib.nixosSystem { + specialArgs = { + inherit inputs outputs; + }; + + inherit system; + + modules = [ + ./hosts/homelab/configuration.nix + inputs.agenix.nixosModules.default inputs.home-manager.nixosModules.default { home-manager = { diff --git a/home/nixos/home.nix b/home/nixos/home.nix index 695c54d..6705808 100644 --- a/home/nixos/home.nix +++ b/home/nixos/home.nix 
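Review bot: The new `agenix.url = "github:ryantm/agenix";` input leaves agenix's own inputs unpinned, and the lockfile in this same commit shows the result: a second nixpkgs (the `nixpkgs` node on nixos-25.05), a nix-darwin checkout and a second home-manager are now pulled in purely for agenix, which is more third-party code to track and a second set of package versions that can end up on the host. Declaring the input the way `home-manager` already does in this hunk (`inputs.nixpkgs.follows = "nixpkgs"`) keeps one nixpkgs and drops the darwin dependency, which nothing in a Linux-only flake uses. The empty-string `follows` for `darwin` is the form agenix documents for Linux-only users, as far as I recall — worth checking against the agenix revision in the lock.
```nix
    agenix = {
      url = "github:ryantm/agenix";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.home-manager.follows = "home-manager";
      inputs.darwin.follows = "";
    };
    # … unchanged: home-manager input …
```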
@@ -1,10 +1,5 @@ { config, pkgs, ... }: { - # Home Manager needs a bit of information about you and the paths it should - # manage. - home.username = "nixos"; - home.homeDirectory = "/home/nixos"; - # This value determines the Home Manager release that your configuration is # compatible with. This helps avoid breakage when a new Home Manager release # introduces backwards incompatible changes. @@ -67,7 +62,7 @@ # /etc/profiles/per-user/nixos/etc/profile.d/hm-session-vars.sh # home.sessionVariables = { - # EDITOR = "emacs"; + EDITOR = "nvim"; }; # Let Home Manager install and manage itself. @@ -141,6 +136,7 @@ ]; }; + programs.git = { enable = true; userName = "ktkk"; @@ -151,6 +147,7 @@ }; }; }; + programs.direnv = { enable = true; }; diff --git a/hosts/homelab/configuration.nix b/hosts/homelab/configuration.nix new file mode 100644 index 0000000..25839a2 --- /dev/null +++ b/hosts/homelab/configuration.nix @@ -0,0 +1,32 @@ +{ + pkgs, + outputs, + inputs, + lib, + ... +}: +{ + imports = [ + ./hardware-configuration.nix + ../shared + ../../modules/forgejo + ../../modules/nginx + ../../modules/grafana + ]; + + boot.loader = { + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + + time.timeZone = "Europe/Brussels"; + + networking = { + hostName = "homelab"; + + firewall.allowedTCPPorts = [ + 80 + 443 + ]; + }; +} diff --git a/hosts/homelab/hardware-configuration.nix b/hosts/homelab/hardware-configuration.nix new file mode 100644 index 0000000..412262d --- /dev/null +++ b/hosts/homelab/hardware-configuration.nix 
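Review bot: The `firewall.allowedTCPPorts = [ 80 443 ]` block in hosts/homelab/configuration.nix duplicates the rule that `../../modules/nginx`, imported a few lines above, already sets, so the port policy now lives in two places and the host copy would silently keep the ports open if the nginx module were ever dropped. I'd remove the `firewall` attribute here and leave `networking = { hostName = "homelab"; };`, keeping open ports next to the service that needs them. Nothing in this file, and nothing in the shared module as far as the diff shows, enables `services.openssh` or gives the `nixos` user a password or authorized key, so how the homelab box is administered after first boot is not visible — a comment naming where that lives, or the missing option, would help.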
@@ -0,0 +1,40 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/b743f428-9a9a-46e9-a536-7197b89e71c6"; + fsType = "ext4"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/358C-11CA"; + fsType = "vfat"; + options = [ "fmask=0077" "dmask=0077" ]; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/77c5668b-fb30-4864-ad93-5357fb8363b4"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp5s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/shared/default.nix b/hosts/shared/default.nix index b76e0e7..536a74a 100644 --- a/hosts/shared/default.nix +++ b/hosts/shared/default.nix @@ -6,14 +6,22 @@ ... }: { + nixpkgs.config.allowUnfree = true; + environment.systemPackages = with pkgs; [ + inputs.agenix.packages."${system}".default home-manager neovim git tree wget + tmux ]; + users.users."nixos" = { + isNormalUser = true; + }; + programs.direnv = { enable = true; }; 
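Review bot: `inputs.agenix.packages."${system}".default` in hosts/shared/default.nix depends on a `system` binding that `nixpkgs.lib.nixosSystem` does not hand to modules, and flake.nix's `specialArgs = { inherit inputs outputs; }` does not add one either, so this only evaluates if the function header (outside the hunk) destructures `system` from somewhere I cannot see. Taking the platform from the module's own `pkgs` removes the hidden dependency: `inputs.agenix.packages.${pkgs.stdenv.hostPlatform.system}.default`. The `users.users."nixos" = { isNormalUser = true; }` entry further down carries no password, key or `extraGroups`; that is presumably fine on WSL where the WSL module manages its default user, but on the homelab host it produces an account nobody can log into, so a comment stating which host supplies the credentials would avoid a surprise. The module's function header starts outside the hunk.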
@@ -24,8 +32,9 @@ networking = { firewall = { - allowedTCPPorts = [ 22 ]; enable = true; + + allowedTCPPorts = [ 22 ]; }; }; diff --git a/hosts/wsl/configuration.nix b/hosts/wsl/configuration.nix index ac89bb3..45bc997 100644 --- a/hosts/wsl/configuration.nix +++ b/hosts/wsl/configuration.nix @@ -7,7 +7,6 @@ }: { imports = [ - ../../modules/grafana ../shared ]; diff --git a/modules/forgejo/default.nix b/modules/forgejo/default.nix new file mode 100644 index 0000000..9aa69d3 --- /dev/null +++ b/modules/forgejo/default.nix @@ -0,0 +1,44 @@ +{ pkgs, config, ... }: +{ + services.nginx.virtualHosts.${config.services.forgejo.settings.server.DOMAIN} = { + forceSSL = true; + enableACME = true; + + extraConfig = '' + client_max_body_size 512M; + ''; + + locations."/" = { + proxyPass = "http://${toString config.services.forgejo.settings.server.ROOT_URL}:${toString config.services.forgejo.settings.server.HTTP_PORT}"; + + proxyWebsockets = true; + + extraConfig = '' + proxy_pass_header Authorization; + ''; + }; + }; + + services.forgejo = { + enable = true; + + database.type = "postgres"; + + lfs.enable = true; + + settings = { + server = { + DOMAIN = "git.katkak.dev"; + ROOT_URL = "127.0.0.1"; + HTTP_PORT = 3000; + }; + + service.DISABLE_REGISTRATION = true; + + actions = { + ENABLED = true; + DEFAULT_ACTIONS_URL = "github"; + }; + }; + }; +} diff --git a/modules/grafana/default.nix b/modules/grafana/default.nix index af2840a..de6c330 100644 --- a/modules/grafana/default.nix +++ b/modules/grafana/default.nix 
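Review bot: `ROOT_URL = "127.0.0.1"` in `settings.server` of modules/forgejo/default.nix is Forgejo's public base URL — the value it writes into clone URLs, OAuth/login redirects and webhook links — not its bind address, so users will be sent to `127.0.0.1` while the only thing that actually works is the nginx `proxyPass` string built from it. Keep the two apart and point the proxy at the bind address: `HTTP_ADDR = "127.0.0.1";`, `ROOT_URL = "https://git.katkak.dev/";`, and `proxyPass = "http://${config.services.forgejo.settings.server.HTTP_ADDR}:${toString config.services.forgejo.settings.server.HTTP_PORT}";`. Without an explicit `HTTP_ADDR` the NixOS module's default is, as far as I recall, `0.0.0.0`, so Forgejo would listen on every interface and only the firewall keeps port 3000 private — worth confirming. Since modules/nginx already issues a `*.katkak.dev` wildcard, `useACMEHost = "katkak.dev"` on this vhost would reuse it instead of `enableACME = true` requesting a second certificate.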
@@ -1,13 +1,21 @@ { pkgs, config, ... }: { + services.nginx.virtualHosts.${config.services.grafana.settings.server.domain} = { + locations."/" = { + proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}"; + + proxyWebsockets = true; + }; + }; + services.grafana = { enable = true; settings = { server = { + domain = "grafana.katkak.dev"; http_addr = "127.0.0.1"; http_port = 2342; - domain = "grafana.pele"; }; }; @@ -22,21 +30,17 @@ }; }; - services.nginx.virtualHosts.${config.services.grafana.settings.server.domain} = { - locations."/" = { - proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}"; - proxyWebsockets = true; - }; - }; - services.prometheus = { enable = true; + port = 9001; exporters = { node = { enable = true; + enabledCollectors = [ "systemd" ]; + port = 9002; }; }; @@ -44,6 +48,7 @@ scrapeConfigs = [ { job_name = "nixos"; + static_configs = [ { targets = [ diff --git a/modules/nginx/default.nix b/modules/nginx/default.nix new file mode 100644 index 0000000..8ce4f5b --- /dev/null +++ b/modules/nginx/default.nix @@ -0,0 +1,43 @@ +{ pkgs, config, ... }: +{ + # These ports need to be open for acme + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; + + services.nginx = { + enable = true; + + recommendedProxySettings = true; + recommendedTlsSettings = true; + }; + + age.secrets.acme = { + file = ../../secrets/acme.age; + owner = "acme"; + group = "acme"; + }; + + security.acme = { + acceptTerms = true; + + defaults = { + group = config.services.nginx.group; + + dnsProvider = "cloudflare"; + + email = "dezuttereluka@gmail.com"; + + credentialFiles = { + "CLOUDFLARE_DNS_API_TOKEN_FILE" = config.age.secrets.acme.path; + }; + }; + + certs = { + "katkak.dev" = { + extraDomainNames = [ "*.katkak.dev" ]; + }; + }; + }; +} 
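Review bot: The `services.nginx.virtualHosts` entry for `grafana.katkak.dev` at the top of modules/grafana/default.nix has neither `forceSSL` nor a certificate, unlike the Forgejo vhost added in the same commit, so on the homelab host (which now imports this module next to the nginx one) Grafana's login form and session cookie are served over plain HTTP on port 80. Add `forceSSL = true;` and `useACMEHost = "katkak.dev";` (the wildcard the nginx module issues) alongside `locations."/"` so Grafana gets the same TLS treatment as Forgejo. Grafana's `settings.server` should then also carry `root_url = "https://grafana.katkak.dev/";`, since otherwise redirects and cookies are generated from `domain` and `http_port` for an http origin on port 2342 — whether the module already derives this from `domain` I cannot tell from here.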
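Review bot: The comment `# These ports need to be open for acme` over `networking.firewall.allowedTCPPorts = [ 80 443 ]` in modules/nginx/default.nix is wrong for this configuration: `dnsProvider = "cloudflare"` selects DNS-01 validation, which needs no inbound port at all, and 80/443 are open here only because nginx serves on them. I'd reword it to `# HTTP/HTTPS for nginx; ACME uses DNS-01 via Cloudflare, so no port is needed for validation`. Because an over-scoped Cloudflare token lets whoever obtains `secrets/acme.age` rewrite DNS for the entire zone, a note above `age.secrets.acme` such as `# Cloudflare API token; scope it to Zone:DNS:Edit on katkak.dev only` would help whoever rotates it next. The wildcard `"katkak.dev"` certificate is declared but no vhost in this change references it via `useACMEHost`, so as written it is issued and never served.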
diff --git a/secrets/acme.age b/secrets/acme.age new file mode 100644 index 0000000..8404126 --- /dev/null +++ b/secrets/acme.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 Sx3nIg B3GVZwTAE7FS5EiTaVwXM+6WierwBvdQmIQyb7wRWjQ +SH0XI9bGYe53fFxU2e0mjMNJsXGodDgYtBPmrBCdQfc +-> ssh-ed25519 M7s3oA rBDzxpuxZC5OWQH/SoiGDUKZEgR25GeqhtERmHqkh1g +1cfOKvp9S+CKwbkirfLg3rwB3eQrxW6oFpoa5DBfnXk +--- fZYGCWbZOMyhTk2HA1woA+mF17td3EcmY3lB58zcKzg +ŗGD;DFZPlk#|K u0ҥ6 smEBSr&+j4D #8 \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix new file mode 100644 index 0000000..2b8e1a7 --- /dev/null +++ b/secrets/secrets.nix @@ -0,0 +1,7 @@ +let + wsl = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAO0tSdhGRmrfdDTMAvrIOmE2po8yIMJHmcGsTv30bmx"; + homelab = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID5EJk+SpGvAErMl/145ZchmGVRGACjgk8RjQOi5kcQi"; +in +{ + "acme.age".publicKeys = [ homelab wsl ]; +}
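Review bot: `"acme.age".publicKeys = [ homelab wsl ]` in secrets/secrets.nix lets the WSL host key decrypt the Cloudflare DNS token even though only the homelab host imports the nginx module that consumes it, so a compromise of the WSL VM also yields control of `katkak.dev` DNS. If the WSL key is listed only so the file can be edited with `agenix -e`, a dedicated admin user key is the usual least-privilege recipient rather than a host key that any root process on that VM holds; if it is not needed at all, `"acme.age".publicKeys = [ homelab ];`. The committed ciphertext already targets both keys, so narrowing the list should be paired with rotating the token — a one-line comment next to the list saying why each recipient is there would make later reviews of this file quicker.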