diff --git a/containers.nix b/containers.nix
deleted file mode 100644
index 9fbf5cf..0000000
--- a/containers.nix
+++ /dev/null
@@ -1,94 +0,0 @@
-{
- containers = {
- bind = {
- image = "sameersbn/bind:latest";
- ports =
- [ "0.0.0.0:53:53/tcp" "0.0.0.0:53:53/udp" "0.0.0.0:5053:10000/tcp" ];
- volumes = [ "/home/sezycei/srv/containerdata/bind/bind:/data" ];
- environmentFiles = [ /home/sezycei/srv/containerdata/bind/.env ];
- };
- jellyfin = {
- image = "linuxserver/jellyfin";
- ports = [ "0.0.0.0:8096:8096" "0.0.0.0:8920:8920" ];
- volumes = [
- "/home/sezycei/srv/containerdata/jellyfin/config:/config"
- "/home/torrent/data/completed:/data/unsorted"
- "/home/torrent/data/TV:/data/tvshows"
- "/home/torrent/data/Movies:/data/movies"
- "/home/torrent/data/transcode:/data/transcode"
- "/home/torrent/data/Music:/data/music"
- ];
- environment = {
- PGID = "1000";
- PUID = "1000";
- TZ = "America/Chicago";
- UMASK_SET = "022";
- };
- };
- legit = {
- image = "docker.matri.cx/legit";
- ports = [ "0.0.0.0:5121:8080" ];
- volumes = [
- "/home/sezycei/srv/containerdata/legit/static:/static"
- "/home/sezycei/srv/containerdata/legit/templates:/templates"
- "/home/sezycei/srv/containerdata/legit/legit.yml:/legit.yml"
- "/home/sezycei/srv/containerdata/legit/repos:/var/www/git"
- ];
- environment = { };
- };
- murmur = {
- image = "goofball222/murmur";
- ports = [ "0.0.0.0:64738:64738" "0.0.0.0:64738:64738/udp" ];
- volumes = [
- "/home/sezycei/srv/containerdata/registry/registry/data:/var/lib/registry"
- "/home/sezycei/srv/containerdata/registry/registry/certs:/certs"
- "/home/sezycei/srv/containerdata/registry/registry/auth:/auth"
- ];
- environment = { };
- };
- nginx = {
- image = "nginx:alpine";
- ports = [ "0.0.0.0:80:80" "0.0.0.0:443:443" "0.0.0.0:20222:20222" ];
- volumes = [
- "/home/sezycei/srv/web/www:/var/www/"
- "/home/sezycei/srv/web/configuration/nginx.conf:/etc/nginx/nginx.conf"
- "/home/sezycei/srv/web/configuration/htpasswd:/etc/nginx/htpasswd"
- "/home/sezycei/srv/web/configuration/htpasswd-dock:/etc/nginx/htpasswd-dock"
- "/home/sezycei/srv/web/configuration/sites-available:/etc/nginx/sites-enabled"
- "/home/sezycei/srv/web/ssl/letsencrypt:/etc/letsencrypt"
- "/home/sezycei/srv/web/ssl/dhparam.pem:/etc/ssl/certs/dhparam.pem"
- ];
- environment = { };
- };
- purr = {
- image = "docker.matri.cx/purr";
- ports = [ "0.0.0.0:5195:3000" ];
- volumes = [
- "/home/sezycei/dev/purr/data/Purr.sqlite:/app/data/Purr.sqlite"
- "/home/sezycei/dev/purr/config.dhall:/app/config.dhall"
- ];
- environment = { };
- };
- registry = {
- image = "registry:2";
- ports = [ "0.0.0.0:3001:5000" ];
- volumes = [
- "/home/sezycei/srv/containerdata/registry/registry/data:/var/lib/registry"
- "/home/sezycei/srv/containerdata/registry/registry/certs:/certs"
- "/home/sezycei/srv/containerdata/registry/registry/auth:/auth"
- ];
- environment = { };
- };
- transmission = {
- image = "haugene/transmission-openvpn";
- ports = [ "0.0.0.0:9091:9091" ];
- volumes = [
- "/home/sezycei/srv/scripts/transmission/settings.json:/etc/transmission-daemon/settings.json"
- "/etc/localtime:/etc/localtime:ro"
- "/home/torrent/data:/data"
- ];
- environmentFiles = [ /home/sezycei/srv/containerdata/transmission/.env ];
- extraOptions = [ "--cap-add=NET_ADMIN" "--privileged" ];
- };
- };
-}
diff --git a/flake.lock b/flake.lock
index 8adbe27..5f0c66a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -22,91 +22,6 @@
 "type": "github"
 }
 },
- "attic": {
- "inputs": {
- "crane": "crane",
- "flake-compat": "flake-compat",
- "flake-utils": "flake-utils",
- "nixpkgs": [
- "nixpkgs"
- ],
- "nixpkgs-stable": "nixpkgs-stable"
- },
- "locked": {
- "lastModified": 1686620679,
- "narHash": "sha256-Ck/r3f+W9mOn3cHn5ii/fogBiJtosFnDaOQveaJ0zVU=",
- "owner": "zhaofengli",
- "repo": "attic",
- "rev": "4fedffe6a1020edfcfa7bef18d21321d4983b3a7",
- "type": "github"
- },
- "original": {
- "owner": "zhaofengli",
- "repo": "attic",
- "type": "github"
- }
- },
- "crane": {
- "inputs": {
- "flake-compat": [
- "attic",
- "flake-compat"
- ],
- "flake-utils": [
- "attic",
- "flake-utils"
- ],
- "nixpkgs": [
- "attic",
- "nixpkgs"
- ],
- "rust-overlay": "rust-overlay"
- },
- "locked": {
- "lastModified": 1677892403,
- "narHash": "sha256-/Wi0L1spSWLFj+UQxN3j0mPYMoc7ZoAujpUF/juFVII=",
- "owner": "ipetkov",
- "repo": "crane",
- "rev": "105e27adb70a9890986b6d543a67761cbc1964a2",
- "type": "github"
- },
- "original": {
- "owner": "ipetkov",
- "repo": "crane",
- "type": "github"
- }
- },
- "flake-compat": {
- "flake": false,
- "locked": {
- "lastModified": 1673956053,
- "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
- "owner": "edolstra",
- "repo": "flake-compat",
- "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
- "type": "github"
- },
- "original": {
- "owner": "edolstra",
- "repo": "flake-compat",
- "type": "github"
- }
- },
- "flake-utils": {
- "locked": {
- "lastModified": 1667395993,
- "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
- "owner": "numtide",
- "repo": "flake-utils",
- "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
- "type": "github"
- },
- "original": {
- "owner": "numtide",
- "repo": "flake-utils",
- "type": "github"
- }
- },
 "home-manager": {
 "inputs": {
 "nixpkgs": [
@@ -143,55 +58,11 @@
 "type": "indirect"
 }
 },
- "nixpkgs-stable": {
- "locked": {
- "lastModified": 1685004253,
- "narHash": "sha256-AbVL1nN/TDicUQ5wXZ8xdLERxz/eJr7+o8lqkIOVuaE=",
- "owner": "NixOS",
- "repo": "nixpkgs",
- "rev": "3e01645c40b92d29f3ae76344a6d654986a91a91",
- "type": "github"
- },
- "original": {
- "owner": "NixOS",
- "ref": "nixos-23.05",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
 "root": {
 "inputs": {
 "agenix": "agenix",
- "attic": "attic",
 "nixpkgs": "nixpkgs"
 }
- },
- "rust-overlay": {
- "inputs": {
- "flake-utils": [
- "attic",
- "crane",
- "flake-utils"
- ],
- "nixpkgs": [
- "attic",
- "crane",
- "nixpkgs"
- ]
- },
- "locked": {
- "lastModified": 1675391458,
- "narHash": "sha256-ukDKZw922BnK5ohL9LhwtaDAdCsJL7L6ScNEyF1lO9w=",
- "owner": "oxalica",
- "repo": "rust-overlay",
- "rev": "383a4acfd11d778d5c2efcf28376cbd845eeaedf",
- "type": "github"
- },
- "original": {
- "owner": "oxalica",
- "repo": "rust-overlay",
- "type": "github"
- }
 }
 },
 "root": "root",
diff --git a/flake.nix b/flake.nix
index 9576ca7..49b208c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,31 +1,20 @@
 {
 inputs = {
- nixpkgs.url = "nixpkgs/nixos-23.05";
 agenix = {
 url = "github:ryantm/agenix";
 inputs.nixpkgs.follows = "nixpkgs";
 inputs.darwin.follows = "";
 };
+ nixpkgs.url = "nixpkgs/nixos-23.05";
 };
 outputs = { self, nixpkgs, agenix, ... }@attrs:
 let
- containerDef = import ./containers.nix;
- serviceContainers = containerDef.containers;
- pkgs = import nixpkgs { inherit system; };
+ shell = import ./shell.nix { inherit agenix pkgs; };
 system = "x86_64-linux";
 in {
- devShell.x86_64-linux = pkgs.mkShell {
- buildInputs = [
- agenix.packages.x86_64-linux.default
- (pkgs.nixos { }).nixos-rebuild
- pkgs.terraform
- ];
- shellHook = ''
- alias deploy="nixos-rebuild switch --target-host root@matri.cx --build-host root@matri.cx --flake .#eve-psr-nix0"
- '';
- };
+ devShell.x86_64-linux = shell.dev;
 formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt;
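Review bot: In the new `let`, `shell = import ./shell.nix { inherit agenix pkgs; }` still references `pkgs`, yet as rendered here `pkgs = import nixpkgs { inherit system; };` sits on the removed side with nothing replacing it; if that is not a rendering artifact, `pkgs` is unbound and evaluating `devShell.x86_64-linux` fails with an undefined-variable error. Keeping `pkgs = import nixpkgs { inherit system; };` next to `system = "x86_64-linux";` fixes it. The hunk header (`-1,31 +1,20`) is also consistent with that line having been kept as context, so please confirm against the actual file before merging.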
@@ -38,88 +27,24 @@
 imports = [
 agenix.nixosModules.default
- ./hardware-configuration.nix
+
+ ./system/containers.nix
+ ./system/hardware-configuration.nix
+ ./system/nix-configuration.nix
+ ./system/security.nix
+ ./system/services.nix
+ ./system/system.nix
+ ./system/virtualisation.nix
+
+ ./user/users.nix
 ];
- nix = {
- buildMachines = [ ];
- distributedBuilds = false;
- settings = {
- auto-optimise-store = false; # https://github.com/NixOS/nix/issues/7273
- experimental-features = [ "nix-command" "flakes" ];
- };
- };
-
- boot = {
- loader.systemd-boot.enable = true;
- loader.efi.canTouchEfiVariables = true;
- };
-
- time.timeZone = "America/Chicago";
- networking = {
- hostName = "eve-psr-nix0";
- firewall = {
- allowedTCPPorts = [ 22 80 443 3034 ];
- allowedUDPPorts = [ 22 80 443 ];
- };
- };
-
- environment.systemPackages = with pkgs; [ git pciutils vim wget ];
-
- services = {
- openssh = {
- enable = true;
- };
-
- hydra = {
- enable = true;
- hydraURL = "https://hydra.matri.cx";
- listenHost = "192.168.0.130";
- port = 3034;
-
- extraConfig = ''
- using_frontend_proxy = 1
- base_uri = "https://hydra.matri.cx"
- '';
-
- useSubstitutes = true;
-
- notificationSender = "hydra@matri.cx";
- buildMachinesFiles = [ ];
- };
- };
-
- virtualisation = {
- oci-containers = {
- backend = "podman";
- containers = serviceContainers;
- };
- };
-
- security.sudo.wheelNeedsPassword = false;
- users = {
- users = {
- sezycei = {
- isNormalUser = true;
- passwordFile = self.nixosConfigurations.eve-psr-nix0.config.age.secrets.sezycei.path;
- extraGroups = [ "wheel" ];
- packages = with pkgs; [
- byobu
- tmux
- stack
- ];
- };
- torrent = {
- isNormalUser = true;
- };
- };
- };
-
-
 age = {
 secrets = {
 keys.file = ./secrets/keys.age;
 sezycei.file = ./secrets/sezycei.age;
 };
+ identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 };
 system.stateVersion = "22.11";
diff --git a/secrets.nix b/secrets.nix
index fb2ed5b..7c19b8b 100644
--- a/secrets.nix
+++ b/secrets.nix
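Review bot: `age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` restricts agenix to that one key at activation, where the default would (as far as I recall) also try the RSA host key; since `secrets/sezycei.age` is the only password source for the sole wheel user, a mismatch between this key and the `eve-psr-nix0` recipient in secrets.nix means the secret silently fails to decrypt and the account comes up without a usable password. A comment on that line such as `# must be the key whose public half is the eve-psr-nix0 recipient in secrets.nix` would make the coupling explicit, and the secrets should be rekeyed once that is confirmed. Dropping the RSA key as a decryption path is otherwise a good change.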
@@ -4,15 +4,9 @@ let
 all = [ james eve-psr-nix0 ];
 in
 {
- "secrets/attic_token.age" = {
- publicKeys = all;
- };
 "secrets/keys.age" = {
 publicKeys = all;
 };
- "secrets/minio_root.age" = {
- publicKeys = all;
- };
 "secrets/sezycei.age" = {
 publicKeys = all;
 };
diff --git a/shell.nix b/shell.nix
new file mode 100644
index 0000000..66a84da
--- /dev/null
+++ b/shell.nix
@@ -0,0 +1,12 @@
+{ agenix, pkgs, ... }: {
+ dev = pkgs.mkShell {
+ buildInputs = [
+ agenix.packages.x86_64-linux.default
+ (pkgs.nixos { }).nixos-rebuild
+ pkgs.terraform
+ ];
+ shellHook = ''
+ alias deploy="nixos-rebuild switch --target-host root@matri.cx --build-host root@matri.cx --flake .#eve-psr-nix0"
+ '';
+ };
+}
diff --git a/system/containers.nix b/system/containers.nix
new file mode 100644
index 0000000..76e6204
--- /dev/null
+++ b/system/containers.nix
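Review bot: Removing `"secrets/attic_token.age"` and `"secrets/minio_root.age"` from the rules neither revokes those credentials nor deletes the encrypted files; nothing in this diff removes the two `.age` blobs, so they remain in the repo as ciphertext that the agenix rules no longer cover or rekey. If the attic token and the minio root password are still valid on their servers, rotate or revoke them there, and `git rm secrets/attic_token.age secrets/minio_root.age` in the same change so no orphaned secret material lingers.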
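Review bot: The `deploy` alias runs `nixos-rebuild switch --target-host root@matri.cx --build-host root@matri.cx`, which requires root SSH login on the production host and evaluates this flake as root there, but nothing in the file says so; a one-line comment above `shellHook`, e.g. `# deploy needs key-based root SSH on matri.cx (or switch to a user + --use-remote-sudo)`, keeps the next person from enabling root login ad hoc. `x86_64-linux` is also hard-coded in `agenix.packages.x86_64-linux.default` even though `pkgs` is passed in; `agenix.packages.${pkgs.stdenv.hostPlatform.system}.default` keeps it in step with `system` in flake.nix.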
@@ -0,0 +1,96 @@
+{
+ virtualisation.oci-containers = {
+ containers = {
+ bind = {
+ image = "sameersbn/bind:latest";
+ ports =
+ [ "0.0.0.0:53:53/tcp" "0.0.0.0:53:53/udp" "0.0.0.0:5053:10000/tcp" ];
+ volumes = [ "/home/sezycei/srv/containerdata/bind/bind:/data" ];
+ environmentFiles = [ /home/sezycei/srv/containerdata/bind/.env ];
+ };
+ jellyfin = {
+ image = "linuxserver/jellyfin";
+ ports = [ "0.0.0.0:8096:8096" "0.0.0.0:8920:8920" ];
+ volumes = [
+ "/home/sezycei/srv/containerdata/jellyfin/config:/config"
+ "/home/torrent/data/completed:/data/unsorted"
+ "/home/torrent/data/TV:/data/tvshows"
+ "/home/torrent/data/Movies:/data/movies"
+ "/home/torrent/data/transcode:/data/transcode"
+ "/home/torrent/data/Music:/data/music"
+ ];
+ environment = {
+ PGID = "1000";
+ PUID = "1000";
+ TZ = "America/Chicago";
+ UMASK_SET = "022";
+ };
+ };
+ legit = {
+ image = "docker.matri.cx/legit";
+ ports = [ "0.0.0.0:5121:8080" ];
+ volumes = [
+ "/home/sezycei/srv/containerdata/legit/static:/static"
+ "/home/sezycei/srv/containerdata/legit/templates:/templates"
+ "/home/sezycei/srv/containerdata/legit/legit.yml:/legit.yml"
+ "/home/sezycei/srv/containerdata/legit/repos:/var/www/git"
+ ];
+ environment = { };
+ };
+ murmur = {
+ image = "goofball222/murmur";
+ ports = [ "0.0.0.0:64738:64738" "0.0.0.0:64738:64738/udp" ];
+ volumes = [
+ "/home/sezycei/srv/containerdata/registry/registry/data:/var/lib/registry"
+ "/home/sezycei/srv/containerdata/registry/registry/certs:/certs"
+ "/home/sezycei/srv/containerdata/registry/registry/auth:/auth"
+ ];
+ environment = { };
+ };
+ nginx = {
+ image = "nginx:alpine";
+ ports = [ "0.0.0.0:80:80" "0.0.0.0:443:443" "0.0.0.0:20222:20222" ];
+ volumes = [
+ "/home/sezycei/srv/web/www:/var/www/"
+ "/home/sezycei/srv/web/configuration/nginx.conf:/etc/nginx/nginx.conf"
+ "/home/sezycei/srv/web/configuration/htpasswd:/etc/nginx/htpasswd"
+ "/home/sezycei/srv/web/configuration/htpasswd-dock:/etc/nginx/htpasswd-dock"
+ "/home/sezycei/srv/web/configuration/sites-available:/etc/nginx/sites-enabled"
+ "/home/sezycei/srv/web/ssl/letsencrypt:/etc/letsencrypt"
+ "/home/sezycei/srv/web/ssl/dhparam.pem:/etc/ssl/certs/dhparam.pem"
+ ];
+ environment = { };
+ };
+ purr = {
+ image = "docker.matri.cx/purr";
+ ports = [ "0.0.0.0:5195:3000" ];
+ volumes = [
+ "/home/sezycei/dev/purr/data/Purr.sqlite:/app/data/Purr.sqlite"
+ "/home/sezycei/dev/purr/config.dhall:/app/config.dhall"
+ ];
+ environment = { };
+ };
+ registry = {
+ image = "registry:2";
+ ports = [ "0.0.0.0:3001:5000" ];
+ volumes = [
+ "/home/sezycei/srv/containerdata/registry/registry/data:/var/lib/registry"
+ "/home/sezycei/srv/containerdata/registry/registry/certs:/certs"
+ "/home/sezycei/srv/containerdata/registry/registry/auth:/auth"
+ ];
+ environment = { };
+ };
+ transmission = {
+ image = "haugene/transmission-openvpn";
+ ports = [ "0.0.0.0:9091:9091" ];
+ volumes = [
+ "/home/sezycei/srv/scripts/transmission/settings.json:/etc/transmission-daemon/settings.json"
+ "/etc/localtime:/etc/localtime:ro"
+ "/home/torrent/data:/data"
+ ];
+ environmentFiles = [ /home/sezycei/srv/containerdata/transmission/.env ];
+ extraOptions = [ "--cap-add=NET_ADMIN" "--privileged" ];
+ };
+ };
+ };
+}
diff --git a/hardware-configuration.nix b/system/hardware-configuration.nix
similarity index 100%
rename from hardware-configuration.nix
rename to system/hardware-configuration.nix
diff --git a/system/nix-configuration.nix b/system/nix-configuration.nix
new file mode 100644
index 0000000..cf1731e
--- /dev/null
+++ b/system/nix-configuration.nix
@@ -0,0 +1,11 @@
+{ ... }:
+{
+ nix = {
+ buildMachines = [ ];
+ distributedBuilds = false;
+ settings = {
+ auto-optimise-store = false; # https://github.com/NixOS/nix/issues/7273
+ experimental-features = [ "nix-command" "flakes" ];
+ };
+ };
+}
diff --git a/system/security.nix b/system/security.nix
new file mode 100644
index 0000000..146012f
--- /dev/null
+++ b/system/security.nix
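Review bot: The `murmur` block mounts the registry's directories — `.../registry/registry/data:/var/lib/registry`, `.../certs:/certs` and `.../auth:/auth` are byte-for-byte the `registry` block's volumes — which looks like a copy-paste left over from the file this replaces; it hands the Mumble server read-write access to the registry's TLS key material and credential store for no reason, so those three lines should go (or point at a murmur-specific data directory). `transmission` is started with both `--cap-add=NET_ADMIN` and `--privileged`; `--privileged` already grants every capability plus all host devices, so the first flag is redundant and the container is effectively root on the host while bind-mounting `/home/torrent/data` — presumably only `--cap-add=NET_ADMIN --device=/dev/net/tun` is needed for the VPN, worth verifying. Every service publishes on `0.0.0.0` (including `5053:10000` on `bind` and the registry on `3001`) even though `nginx` with its htpasswd files fronts them; binding the proxied ones to `127.0.0.1` and adding `:ro` to the `letsencrypt`, `dhparam.pem` and `htpasswd*` mounts would shrink the exposed surface. `sameersbn/bind:latest` is also the only unpinned tag here.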
@@ -0,0 +1,4 @@
+{ ... }:
+{
+ security.sudo.wheelNeedsPassword = false;
+}
diff --git a/system/services.nix b/system/services.nix
new file mode 100644
index 0000000..112ba24
--- /dev/null
+++ b/system/services.nix
@@ -0,0 +1,25 @@
+{ ... }:
+{
+ services = {
+ openssh = {
+ enable = true;
+ };
+
+ hydra = {
+ enable = true;
+ hydraURL = "https://hydra.matri.cx";
+ listenHost = "192.168.0.130";
+ port = 3034;
+
+ extraConfig = ''
+ using_frontend_proxy = 1
+ base_uri = "https://hydra.matri.cx"
+ '';
+
+ useSubstitutes = true;
+
+ notificationSender = "hydra@matri.cx";
+ buildMachinesFiles = [ ];
+ };
+ };
+}
diff --git a/system/system.nix b/system/system.nix
new file mode 100644
index 0000000..b696de2
--- /dev/null
+++ b/system/system.nix
@@ -0,0 +1,19 @@
+{ pkgs, ... }:
+{
+ boot = {
+ loader.systemd-boot.enable = true;
+ loader.efi.canTouchEfiVariables = true;
+ };
+
+ environment.systemPackages = with pkgs; [ git pciutils vim wget ];
+
+ networking = {
+ hostName = "eve-psr-nix0";
+ firewall = {
+ allowedTCPPorts = [ 22 80 443 3034 ];
+ allowedUDPPorts = [ 22 80 443 ];
+ };
+ };
+
+ time.timeZone = "America/Chicago";
+}
diff --git a/system/virtualisation.nix b/system/virtualisation.nix
new file mode 100644
index 0000000..f2cbe66
--- /dev/null
+++ b/system/virtualisation.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+ virtualisation = {
+ oci-containers = {
+ backend = "podman";
+ };
+ };
+}
diff --git a/user/users.nix b/user/users.nix
new file mode 100644
index 0000000..b68a7f4
--- /dev/null
+++ b/user/users.nix
@@ -0,0 +1,18 @@
+{ config, pkgs, ... }:
+{
+ users.users = {
+ sezycei = {
+ isNormalUser = true;
+ passwordFile = config.age.secrets.sezycei.path;
+ extraGroups = [ "wheel" ];
+ packages = with pkgs; [
+ byobu
+ tmux
+ stack
+ ];
+ };
+ torrent = {
+ isNormalUser = true;
+ };
+ };
+}
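Review bot: `security.sudo.wheelNeedsPassword = false;` is the whole of this file and carries no comment on why it is needed; the only wheel member (`sezycei` in user/users.nix) is a password-backed account reachable over SSH on a host that publishes port 22 to the world, and deployments in shell.nix already go in as root over SSH, so passwordless sudo buys nothing and turns any leak of that one password into immediate root. Flip it to `security.sudo.wheelNeedsPassword = true;`, or if the NOPASSWD behaviour is intentional, add `# NOPASSWD for wheel: <reason>` above the line so the trade-off is recorded.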
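Review bot: `openssh = { enable = true; };` ships sshd with the module defaults and no hardening; on nixos-23.05 I believe that leaves `PasswordAuthentication` on, which together with the password-backed `sezycei` wheel account and port 22 open on every interface makes the box brute-forceable. Add `settings.PasswordAuthentication = false;` and `settings.KbdInteractiveAuthentication = false;` under `openssh`, provision `openssh.authorizedKeys.keys` for `sezycei`, and state `settings.PermitRootLogin = "prohibit-password";` explicitly since the `deploy` alias in shell.nix depends on key-based root access. Separately, `using_frontend_proxy = 1` makes Hydra trust `X-Forwarded-*` headers from whoever reaches `192.168.0.130:3034` directly, not only from nginx, so that port should not be reachable from outside the proxy.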
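Review bot: `allowedUDPPorts = [ 22 80 443 ]` opens UDP for ports where nothing in this configuration is shown to listen on UDP (HTTP/3 on 443 would be the only candidate), so that list should go, and `allowedTCPPorts` exposes 3034 — the Hydra backend — on every interface, letting any LAN client bypass nginx and supply its own forwarded headers. If the opening exists only so the nginx container can reach Hydra, scope it with `networking.firewall.interfaces.<podman-bridge>.allowedTCPPorts = [ 3034 ];` instead. Note also that the podman-published ports in system/containers.nix (53, 8096, 9091, 64738, …) are likely reachable regardless of this list, since DNAT-forwarded traffic traverses the FORWARD chain rather than the INPUT chain that `allowedTCPPorts` filters — worth checking with `nft list ruleset` on the host rather than assuming the firewall covers them.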