From a7a3cbbc7a8f0c0c91f74c4f0dcfc69d9639ca82 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Fri, 8 Aug 2025 16:56:37 +0200 Subject: [PATCH 01/78] Add basic new server config Includes sshd for easy connecting in local virtualized environment. --- flake.lock | 30 +++++------ flake.nix | 12 +++++ hosts/nixos-server-test/default.nix | 51 +++++++++++++++++++ .../hardware-configuration.nix | 31 +++++++++++ modules/sshd.nix | 13 +++++ 5 files changed, 122 insertions(+), 15 deletions(-) create mode 100644 hosts/nixos-server-test/default.nix create mode 100644 hosts/nixos-server-test/hardware-configuration.nix create mode 100644 modules/sshd.nix diff --git a/flake.lock b/flake.lock index 000b4f1..88bab71 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1748372346, - "narHash": "sha256-7y7NZ6uW0GbT0h4gqfD2xvRuJj5IlPGw32oIc9Twga8=", + "lastModified": 1752998173, + "narHash": "sha256-ZlYpBp2WOe03UrpjJGz5KTOL/pp7A452hJO/Vc8C4/0=", "owner": "AdnanHodzic", "repo": "auto-cpufreq", - "rev": "becd5b89963fa54fef3566147f3fd2087f8a5842", + "rev": "562278377ffa96f3c1af49c7b499df028ce8d8bd", "type": "github" }, "original": { @@ -65,11 +65,11 @@ ] }, "locked": { - "lastModified": 1749154018, - "narHash": "sha256-gjN3j7joRvT3a8Zgcylnd4NFsnXeDBumqiu4HmY1RIg=", + "lastModified": 1753592768, + "narHash": "sha256-oV695RvbAE4+R9pcsT9shmp6zE/+IZe6evHWX63f2Qg=", "owner": "nix-community", "repo": "home-manager", - "rev": "7aae0ee71a17b19708b93b3ed448a1a0952bf111", + "rev": "fc3add429f21450359369af74c2375cb34a2d204", "type": "github" }, "original": { 
@@ -87,11 +87,11 @@ "pre-commit-hooks": "pre-commit-hooks" }, "locked": { - "lastModified": 1746906641, - "narHash": "sha256-b6few4tkqN2TWdrZTwWOjsWxA11rle7y9pcc0/ynuoE=", + "lastModified": 1752585957, + "narHash": "sha256-ogQo/MMNSIM4U4VQMieIrpLhjkgSbev3VR24foJ/h/U=", "owner": "~rycee", "repo": "lazy-apps", - "rev": "0b30a0bf524a661f9657c441d021aaa5724f12ff", + "rev": "3c3ce5001e24b6c12496a5920eee28a96f8d49d6", "type": "sourcehut" }, "original": { @@ -102,11 +102,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1749195551, - "narHash": "sha256-W5GKQHgunda/OP9sbKENBZhMBDNu2QahoIPwnsF6CeM=", + "lastModified": 1754229794, + "narHash": "sha256-yOl7REX6O/1mh+tpscJPKgjK6nmXSMOB1xhmDNAMUZM=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "4602f7e1d3f197b3cb540d5accf5669121629628", + "rev": "a872d985392ee5b19d8409bfcc3f106de2070070", "type": "github" }, "original": { @@ -118,11 +118,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1749086602, - "narHash": "sha256-DJcgJMekoxVesl9kKjfLPix2Nbr42i7cpEHJiTnBUwU=", + "lastModified": 1754028485, + "narHash": "sha256-IiiXB3BDTi6UqzAZcf2S797hWEPCRZOwyNThJIYhUfk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "4792576cb003c994bd7cc1edada3129def20b27d", + "rev": "59e69648d345d6e8fef86158c555730fa12af9de", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 558ac71..8adf2e8 100644 --- a/flake.nix +++ b/flake.nix @@ -90,6 +90,18 @@ ./hosts/backup-raspberrypi ]; }; + + server = nixpkgs.lib.nixosSystem rec { + system = "x86_64-linux"; + + specialArgs = { + inherit inputs outputs; + }; + + modules = [ + ./hosts/nixos-server-test + ]; + }; }; }; } diff --git a/hosts/nixos-server-test/default.nix b/hosts/nixos-server-test/default.nix new file mode 100644 index 0000000..a4421da --- /dev/null +++ b/hosts/nixos-server-test/default.nix 
@@ -0,0 +1,51 @@ +{ inputs, outputs, config, lib, pkgs, ... }: + +{ + imports = + [ + ../../modules/nix.nix + ../../modules/network-server.nix + ../../modules/locale.nix + ../../modules/server-cli.nix + ../../modules/nix.nix + ../../modules/sshd.nix + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + # Use the GRUB 2 boot loader. + boot = { + loader.grub = { + enable = true; + device = "/dev/vda"; + }; + tmp.useTmpfs = true; + }; + networking.hostName = "nixos-server"; # Define your hostname. + users = { + users = { + julius = { + isNormalUser = true; + uid = 1000; + extraGroups = [ "wheel" "julius" ]; + }; + }; + groups = { + julius = { + gid = 1000; + }; + }; + }; + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how + # to actually do that. + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "25.05"; # Did you read the comment? +} diff --git a/hosts/nixos-server-test/hardware-configuration.nix b/hosts/nixos-server-test/hardware-configuration.nix new file mode 100644 index 0000000..6dfd7c4 --- /dev/null 
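Review bot: The `julius` user created in this hunk has neither a password option nor `openssh.authorizedKeys.keys`, and the `modules/sshd.nix` added by the same commit sets `PasswordAuthentication = false` and `PermitRootLogin = "no"`, so despite the commit message there is no credential that can open an SSH session on this host. Add a key to the user, `openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAA… julius@…" ];`, rather than falling back to a plaintext `initialPassword`. The hunk also lists `../../modules/nix.nix` twice in `imports`; the module system tolerates it but it reads as a paste error, and `extraGroups = [ "wheel" "julius" ]` without `group = "julius"` leaves the user's primary group as the default `users`.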
+++ b/hosts/nixos-server-test/hardware-configuration.nix @@ -0,0 +1,31 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/e46c412a-8b6d-41b8-b53c-65d7a8fc39ed"; + fsType = "ext4"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/modules/sshd.nix b/modules/sshd.nix new file mode 100644 index 0000000..49af4a5 --- /dev/null +++ b/modules/sshd.nix @@ -0,0 +1,13 @@ +{ + pkgs, + lib, + ... +}: { + services.openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + PermitRootLogin = "no"; + }; + }; +} From 82bb877bfbde832ad0cf964a2eb1895ef430369f Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Sat, 9 Aug 2025 10:21:16 +0200 Subject: [PATCH 02/78] Add proxmox-nixos --- flake.lock | 102 +++++++++++++++++++++++++++- flake.nix | 9 +++ hosts/nixos-server-test/default.nix | 6 ++ 3 files changed, 116 insertions(+), 1 deletion(-) diff --git a/flake.lock b/flake.lock index 88bab71..48507a1 100644 --- a/flake.lock +++ b/flake.lock 
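Review bot: `PasswordAuthentication = false` alone does not make this sshd key-only, because the NixOS module's `KbdInteractiveAuthentication` defaults to true and PAM then still prompts for the account password through the keyboard-interactive method. Add `KbdInteractiveAuthentication = false;` beside it, and `AuthenticationMethods = "publickey";` if the host must never fall back to anything else. `pkgs` and `lib` are bound in the module header but unused.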
@@ -36,6 +36,21 @@ "type": "github" } }, + "flake-compat_2": { + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "gitignore": { "inputs": { "nixpkgs": [ @@ -148,6 +163,36 @@ "type": "github" } }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1748437600, + "narHash": "sha256-hYKMs3ilp09anGO7xzfGs3JqEgUqFMnZ8GMAqI6/k04=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "7282cb574e0607e65224d33be8241eae7cfe0979", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-25.05", + "type": "indirect" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1723637854, + "narHash": "sha256-med8+5DSWa2UnOqtdICndjDAEjxr5D7zaIiK4pn0Q7c=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c3aa7b8938b17aebd2deecf7be0636000d62a2b9", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-unstable", + "type": "indirect" + } + }, "pre-commit-hooks": { "inputs": { "flake-compat": "flake-compat", @@ -172,6 +217,27 @@ "type": "github" } }, + "proxmox-nixos": { + "inputs": { + "flake-compat": "flake-compat_2", + "nixpkgs-stable": "nixpkgs-stable_2", + "nixpkgs-unstable": "nixpkgs-unstable", + "utils": "utils" + }, + "locked": { + "lastModified": 1754428470, + "narHash": "sha256-Sxf8gf+vfGeFaJMW3D+8pwH/+WwYTQOg47Lrm42+kTc=", + "owner": "SaumonNet", + "repo": "proxmox-nixos", + "rev": "6faed2845ef5f0bb05c9519b75097bbe7fb39327", + "type": "github" + }, + "original": { + "owner": "SaumonNet", + "repo": "proxmox-nixos", + "type": "github" + } + }, "root": { "inputs": { "auto-cpufreq": "auto-cpufreq", 
@@ -179,10 +245,26 @@ "lazy-apps": "lazy-apps", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", - "systems": "systems" + "proxmox-nixos": "proxmox-nixos", + "systems": "systems_2" } }, "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { "locked": { "lastModified": 1689347949, "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", @@ -196,6 +278,24 @@ "repo": "default-linux", "type": "github" } + }, + "utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 8adf2e8..867eeb5 100644 --- a/flake.nix +++ b/flake.nix @@ -17,6 +17,7 @@ url = "sourcehut:~rycee/lazy-apps"; inputs.nixpkgs.follows = "nixpkgs"; }; + proxmox-nixos.url = "github:SaumonNet/proxmox-nixos"; systems.url = "github:nix-systems/default-linux"; }; @@ -28,6 +29,7 @@ nixos-hardware, home-manager, auto-cpufreq, + proxmox-nixos, systems, ... } @ inputs: let @@ -100,6 +102,13 @@ modules = [ ./hosts/nixos-server-test + proxmox-nixos.nixosModules.proxmox-ve + + ({...}: { + nixpkgs.overlays = [ + proxmox-nixos.overlays.${system} + ]; + }) ]; }; }; diff --git a/hosts/nixos-server-test/default.nix b/hosts/nixos-server-test/default.nix index a4421da..c52fb8a 100644 --- a/hosts/nixos-server-test/default.nix +++ b/hosts/nixos-server-test/default.nix 
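Review bot: `proxmox-nixos.url` is added with no `inputs.*.follows`, and the lockfile in this same patch pins that input's own `nixpkgs-unstable` to a revision with `lastModified` 1723637854 (August 2024) and a separate `nixpkgs-stable`, so anything the `proxmox-nixos` overlay builds from those pins is roughly a year behind the `nixpkgs` the rest of the flake tracks; which packages that covers is not visible here. Presumably the pins are kept so the upstream binary cache hits, but that should be recorded next to the input, e.g. `# no nixpkgs follows: keep upstream pins so cache.saumon.network substitutes`, and the input bumped on a schedule. `rec` on the `server` system exists only so the overlay wrapper can read `${system}`; passing it through `specialArgs` avoids the recursive attrset.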
@@ -35,6 +35,12 @@ }; }; }; + + services.proxmox-ve = { + enable = true; + ipAddress = "192.168.122.42"; + }; + # This option defines the first version of NixOS you have installed on this particular machine, # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. # Most users should NEVER change this value after the initial install, for any reason, From 8e15acd0c6a4107df3d5f424cf9b0d0631d8160f Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Sun, 10 Aug 2025 23:24:39 +0200 Subject: [PATCH 03/78] Add network bridge config --- hosts/nixos-server-test/default.nix | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/hosts/nixos-server-test/default.nix b/hosts/nixos-server-test/default.nix index c52fb8a..f37aca5 100644 --- a/hosts/nixos-server-test/default.nix +++ b/hosts/nixos-server-test/default.nix @@ -7,7 +7,6 @@ ../../modules/network-server.nix ../../modules/locale.nix ../../modules/server-cli.nix - ../../modules/nix.nix ../../modules/sshd.nix # Include the results of the hardware scan. ./hardware-configuration.nix @@ -39,6 +38,33 @@ services.proxmox-ve = { enable = true; ipAddress = "192.168.122.42"; + + # Make vmbr0 bridge visible in Proxmox web interface + bridges = [ "vmbr0" ]; + }; + + # Actually set up the vmbr0 bridge + systemd.network.networks."10-lan" = { + matchConfig.Name = [ "ens18" ]; + networkConfig = { + Bridge = "vmbr0"; + }; + }; + + systemd.network.netdevs."vmbr0" = { + netdevConfig = { + Name = "vmbr0"; + Kind = "bridge"; + }; + }; + + systemd.network.networks."10-lan-bridge" = { + matchConfig.Name = "vmbr0"; + networkConfig = { + IPv6AcceptRA = true; + DHCP = "ipv4"; + }; + linkConfig.RequiredForOnline = "routable"; }; # This option defines the first version of NixOS you have installed on this particular machine, From f7c3edf779a2691474986f836a185989571c13d9 Mon Sep 17 00:00:00 2001 
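Review bot: The `systemd.network.*` units declared in this hunk have no effect unless `systemd.network.enable = true` is set, which the hunk does not do, while the generated hardware configuration's `networking.useDHCP = lib.mkDefault true` keeps scripted DHCP running on the NIC that is meant to be enslaved. If systemd-networkd is the intent, add `systemd.network.enable = true;` and `networking.useDHCP = false;` alongside these units. `matchConfig.Name = [ "ens18" ]` also disagrees with the `enp1s0` name the hardware scan's commented line suggests; confirm the interface name on the target VM before relying on the match.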
From: JuliusFreudenberger Date: Mon, 11 Aug 2025 23:34:35 +0200 Subject: [PATCH 04/78] Actually apply systemd-networkd configuration Also disable networking.* options --- hosts/nixos-server-test/default.nix | 63 ++++++++++++++++++++--------- 1 file changed, 43 insertions(+), 20 deletions(-) diff --git a/hosts/nixos-server-test/default.nix b/hosts/nixos-server-test/default.nix index f37aca5..b92920a 100644 --- a/hosts/nixos-server-test/default.nix +++ b/hosts/nixos-server-test/default.nix @@ -4,7 +4,6 @@ imports = [ ../../modules/nix.nix - ../../modules/network-server.nix ../../modules/locale.nix ../../modules/server-cli.nix ../../modules/sshd.nix 
@@ -43,28 +42,52 @@ bridges = [ "vmbr0" ]; }; - # Actually set up the vmbr0 bridge - systemd.network.networks."10-lan" = { - matchConfig.Name = [ "ens18" ]; - networkConfig = { - Bridge = "vmbr0"; - }; - }; + networking.useDHCP = false; - systemd.network.netdevs."vmbr0" = { - netdevConfig = { - Name = "vmbr0"; - Kind = "bridge"; - }; - }; + systemd.network = { + enable = true; - systemd.network.networks."10-lan-bridge" = { - matchConfig.Name = "vmbr0"; - networkConfig = { - IPv6AcceptRA = true; - DHCP = "ipv4"; + links."10-wan" = { + matchConfig.Path = "pci-0000:01:00.0"; + linkConfig.Name = "wan"; + }; + + networks."10-wan" = { + matchConfig.Name = "enp1s0"; + networkConfig = { + # start a DHCP Client for IPv4 Addressing/Routing + DHCP = "ipv4"; + # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) + IPv6AcceptRA = true; + }; + # make routing on this interface a dependency for network-online.target + linkConfig.RequiredForOnline = "routable"; + }; + + + # Actually set up the vmbr0 bridge + networks."10-lan" = { + matchConfig.Name = [ "ens18" ]; + networkConfig = { + Bridge = "vmbr0"; + }; + }; + + netdevs."vmbr0" = { + netdevConfig = { + Name = "vmbr0"; + Kind = "bridge"; + }; + }; + + networks."10-lan-bridge" = { + matchConfig.Name = "vmbr0"; + networkConfig = { + IPv6AcceptRA = true; + DHCP = "ipv4"; + }; + linkConfig.RequiredForOnline = "routable"; }; - linkConfig.RequiredForOnline = "routable"; }; # This option defines the first version of NixOS you have installed on this particular machine, From c790a14db1f2bbf0220dfdbcbd02453d4b25b8f3 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Tue, 12 Aug 2025 00:05:42 +0200 Subject: [PATCH 05/78] Migrate bridge config to networking.* --- hosts/nixos-server-test/default.nix | 50 +++-------------------------- 1 file changed, 4 insertions(+), 46 deletions(-) diff --git a/hosts/nixos-server-test/default.nix b/hosts/nixos-server-test/default.nix index b92920a..00afad0 100644 
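Review bot: `links."10-wan"` renames the device at `pci-0000:01:00.0` to `wan`, but `networks."10-wan"` matches `enp1s0`, so once the rename takes effect no `.network` unit matches that interface and it receives neither DHCP nor a router advertisement. Either match on the new name, `matchConfig.Name = "wan";`, or drop the `.link` unit. Marking both `10-wan` and `10-lan-bridge` as `RequiredForOnline = "routable"` makes `network-online.target` wait for both to be routable, which cannot be satisfied if the VM has the single NIC the hardware scan suggests.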
--- a/hosts/nixos-server-test/default.nix +++ b/hosts/nixos-server-test/default.nix @@ -42,52 +42,10 @@ bridges = [ "vmbr0" ]; }; - networking.useDHCP = false; - - systemd.network = { - enable = true; - - links."10-wan" = { - matchConfig.Path = "pci-0000:01:00.0"; - linkConfig.Name = "wan"; - }; - - networks."10-wan" = { - matchConfig.Name = "enp1s0"; - networkConfig = { - # start a DHCP Client for IPv4 Addressing/Routing - DHCP = "ipv4"; - # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) - IPv6AcceptRA = true; - }; - # make routing on this interface a dependency for network-online.target - linkConfig.RequiredForOnline = "routable"; - }; - - - # Actually set up the vmbr0 bridge - networks."10-lan" = { - matchConfig.Name = [ "ens18" ]; - networkConfig = { - Bridge = "vmbr0"; - }; - }; - - netdevs."vmbr0" = { - netdevConfig = { - Name = "vmbr0"; - Kind = "bridge"; - }; - }; - - networks."10-lan-bridge" = { - matchConfig.Name = "vmbr0"; - networkConfig = { - IPv6AcceptRA = true; - DHCP = "ipv4"; - }; - linkConfig.RequiredForOnline = "routable"; - }; + # Actually set up the vmbr0 bridge + networking = { + bridges.vmbr0.interfaces = [ "enp1s0" ]; + interfaces.vmbr0.useDHCP = lib.mkDefault true; }; # This option defines the first version of NixOS you have installed on this particular machine, From 7bce6df38b0e08a495858ca70f96585b2b4894a7 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Tue, 12 Aug 2025 00:39:41 +0200 Subject: [PATCH 06/78] Working bridge configuration using systemd-networkd --- hosts/nixos-server-test/default.nix | 33 ++++++++++++++++++++++++----- 1 file changed, 28 insertions(+), 5 deletions(-) diff --git a/hosts/nixos-server-test/default.nix b/hosts/nixos-server-test/default.nix index 00afad0..9b7f27d 100644 --- a/hosts/nixos-server-test/default.nix +++ b/hosts/nixos-server-test/default.nix 
@@ -36,16 +36,39 @@ services.proxmox-ve = { enable = true; - ipAddress = "192.168.122.42"; + ipAddress = "192.168.122.71"; # Make vmbr0 bridge visible in Proxmox web interface bridges = [ "vmbr0" ]; }; - # Actually set up the vmbr0 bridge - networking = { - bridges.vmbr0.interfaces = [ "enp1s0" ]; - interfaces.vmbr0.useDHCP = lib.mkDefault true; + networking.useDHCP = false; + + systemd.network = { + enable = true; + + networks."10-lan" = { + matchConfig.Name = [ "enp1s0" ]; + networkConfig = { + Bridge = "vmbr0"; + }; + }; + + netdevs."vmbr0" = { + netdevConfig = { + Name = "vmbr0"; + Kind = "bridge"; + }; + }; + + networks."10-lan-bridge" = { + matchConfig.Name = "vmbr0"; + networkConfig = { + IPv6AcceptRA = true; + DHCP = "ipv4"; + }; + linkConfig.RequiredForOnline = "routable"; + }; }; # This option defines the first version of NixOS you have installed on this particular machine, From 2f19307456d659f10326d4be8ad9e6ab20405c96 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Tue, 12 Aug 2025 02:27:42 +0200 Subject: [PATCH 07/78] Configure proxmox-nixos cache --- hosts/nixos-server-test/default.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/hosts/nixos-server-test/default.nix b/hosts/nixos-server-test/default.nix index 9b7f27d..409e2fa 100644 --- a/hosts/nixos-server-test/default.nix +++ b/hosts/nixos-server-test/default.nix @@ -34,6 +34,15 @@ }; }; + nix.settings = { + substituters = [ + "https://cache.saumon.network/proxmox-nixos" + ]; + trusted-public-keys = [ + "proxmox-nixos:D9RYSWpQQC/msZUWphOY2I5RLH5Dd6yQcaHIuug7dWM=" + ]; + }; + services.proxmox-ve = { enable = true; ipAddress = "192.168.122.71"; From 1038d8a24840dce1d337b3304e7e2fcce52f0490 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Sat, 16 Aug 2025 22:07:11 +0200 Subject: [PATCH 08/78] Add disko --- flake.lock | 33 +++++++++++++++++++++++++++------ flake.nix | 20 ++++++++++++++++++++ 2 files changed, 47 insertions(+), 6 deletions(-) 
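Review bot: `services.proxmox-ve.ipAddress` is pinned to `192.168.122.71` while the only address the host actually obtains comes from `DHCP = "ipv4"` on `vmbr0`, so the address Proxmox records for itself can silently diverge from the one the host is reachable on after a lease change. Either give the bridge a static `Address = "192.168.122.71/24";` (with `Gateway` and `DNS`) in `networks."10-lan-bridge"`, or reserve the lease on the DHCP server, and keep the two values in one `let` binding so they cannot drift. Enslaving `enp1s0`, apparently the sole NIC, into the bridge also means a bad bridge configuration takes the management path down with it; worth a comment at the bridge definition.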
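Review bot: Adding `proxmox-nixos:D9RY…` to `nix.settings.trusted-public-keys` makes this host accept a signed narinfo from that key for any store path it tries to substitute, not only Proxmox packages, so the operator of `cache.saumon.network` can supply a binary for anything this machine builds. That is the usual trust model for a third-party cache, but the key should be cross-checked against the project's README out of band before this lands, and a comment such as `# key from SaumonNet/proxmox-nixos README, verified <date>` records where it came from for the next rotation. The NixOS module appears to merge these lists with the default cache.nixos.org entries rather than replace them, but check the generated `/etc/nix/nix.conf` once to be sure the default cache is still listed.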
diff --git a/flake.lock b/flake.lock index 48507a1..97db651 100644 --- a/flake.lock +++ b/flake.lock @@ -20,6 +20,26 @@ "type": "github" } }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1753140376, + "narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=", + "owner": "nix-community", + "repo": "disko", + "rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { @@ -117,11 +137,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1754229794, - "narHash": "sha256-yOl7REX6O/1mh+tpscJPKgjK6nmXSMOB1xhmDNAMUZM=", + "lastModified": 1754564048, + "narHash": "sha256-dz303vGuzWjzOPOaYkS9xSW+B93PSAJxvBd6CambXVA=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "a872d985392ee5b19d8409bfcc3f106de2070070", + "rev": "26ed7a0d4b8741fe1ef1ee6fa64453ca056ce113", "type": "github" }, "original": { @@ -133,11 +153,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1754028485, - "narHash": "sha256-IiiXB3BDTi6UqzAZcf2S797hWEPCRZOwyNThJIYhUfk=", + "lastModified": 1754767907, + "narHash": "sha256-8OnUzRQZkqtUol9vuUuQC30hzpMreKptNyET2T9lB6g=", "owner": "nixos", "repo": "nixpkgs", - "rev": "59e69648d345d6e8fef86158c555730fa12af9de", + "rev": "c5f08b62ed75415439d48152c2a784e36909b1bc", "type": "github" }, "original": { @@ -241,6 +261,7 @@ "root": { "inputs": { "auto-cpufreq": "auto-cpufreq", + "disko": "disko", "home-manager": "home-manager", "lazy-apps": "lazy-apps", "nixos-hardware": "nixos-hardware", diff --git a/flake.nix b/flake.nix index 867eeb5..2204722 100644 --- a/flake.nix +++ b/flake.nix @@ -18,6 +18,10 @@ inputs.nixpkgs.follows = "nixpkgs"; }; proxmox-nixos.url = "github:SaumonNet/proxmox-nixos"; + disko = { + url = "github:nix-community/disko"; + inputs.nixpkgs.follows = "nixpkgs"; + }; systems.url = "github:nix-systems/default-linux"; }; 
@@ -30,6 +34,7 @@ home-manager, auto-cpufreq, proxmox-nixos, + disko, systems, ... } @ inputs: let @@ -111,6 +116,21 @@ }) ]; }; + + kube01 = nixpkgs.lib.nixosSystem rec { + system = "x86_64-linux"; + + specialArgs = { + inherit inputs outputs; + }; + + modules = [ + disko.nixosModules.disko + ./hosts/kube01/disko-config.nix + ./hosts/kube01 + ]; + }; + }; }; } From 21582cbf81003981178f7b7844d326ef348e9461 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Sat, 16 Aug 2025 22:07:27 +0200 Subject: [PATCH 09/78] Add configuration for kubernetes host kube01 --- hosts/kube01/default.nix | 60 +++++++++++++++++++++++++ hosts/kube01/disko-config.nix | 56 +++++++++++++++++++++++ hosts/kube01/hardware-configuration.nix | 24 ++++++++++ modules/k3s.nix | 27 +++++++++++ 4 files changed, 167 insertions(+) create mode 100644 hosts/kube01/default.nix create mode 100644 hosts/kube01/disko-config.nix create mode 100644 hosts/kube01/hardware-configuration.nix create mode 100644 modules/k3s.nix diff --git a/hosts/kube01/default.nix b/hosts/kube01/default.nix new file mode 100644 index 0000000..a19be4d --- /dev/null +++ b/hosts/kube01/default.nix 
@@ -0,0 +1,60 @@ +{ inputs, outputs, config, lib, pkgs, ... }: + +{ + imports = + [ + ../../modules/nix.nix + ../../modules/network-server.nix + ../../modules/locale.nix + ../../modules/server-cli.nix + ../../modules/sshd.nix + ../../modules/k3s.nix + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + + boot = { + loader = { + systemd-boot = { + enable = true; + }; + efi.canTouchEfiVariables = true; + }; + tmp.useTmpfs = true; + }; + + networking.hostName = "kube01"; # Define your hostname. + + users = { + users = { + julius = { + initialPassword = "password"; + isNormalUser = true; + uid = 1000; + extraGroups = [ "wheel" "julius" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOiZXFM8XFkReb9HuGcY5rtPXsGuZ2eDnBBpI0kcHa6c julius@julius-framework" + ]; + }; + }; + groups = { + julius = { + gid = 1000; + }; + }; + }; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how + # to actually do that. + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "25.05"; # Did you read the comment? +} 
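Review bot: `initialPassword = "password"` gives a `wheel` member a known plaintext password that, with `users.mutableUsers` at its default of true, is written to /etc/shadow on first activation and stays until someone changes it; on a Proxmox guest the VM console is a login path that bypasses the key-only SSH policy entirely. The user already has an `ssh-ed25519` key, so either drop the password and set `security.sudo.wheelNeedsPassword = false;` (or accept that sudo needs a real hash), or use `hashedPassword = "$y$…";` produced by `mkpasswd` and commit that instead. Keep `openssh.authorizedKeys.keys` as the only interactive credential and say so in a comment.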
diff --git a/hosts/kube01/disko-config.nix b/hosts/kube01/disko-config.nix new file mode 100644 index 0000000..24ffe29 --- /dev/null +++ b/hosts/kube01/disko-config.nix @@ -0,0 +1,56 @@ +{ + disko.devices = { + disk = { + vdb = { + type = "disk"; + device = "/dev/sda"; + content = { + type = "gpt"; + partitions = { + ESP = { + priority = 1; + name = "ESP"; + start = "1M"; + end = "128M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + size = "100%"; + content = { + type = "btrfs"; + extraArgs = [ "-f" ]; # Override existing partition + # Subvolumes must set a mountpoint in order to be mounted, + # unless their parent is mounted + subvolumes = { + # Subvolume name is different from mountpoint + "/rootfs" = { + mountpoint = "/"; + }; + # Subvolume name is the same as the mountpoint + "/home" = { + mountOptions = [ "compress=zstd" ]; + mountpoint = "/home"; + }; + # Sub(sub)volume doesn't need a mountpoint as its parent is mounted + "/home/julius" = { }; + # Parent is not mounted so the mountpoint must be set + "/nix" = { + mountOptions = [ "compress=zstd" "noatime" ]; + mountpoint = "/nix"; + }; + }; + + mountpoint = "/partition-root"; + }; + }; + }; + }; + }; + }; + }; +} diff --git a/hosts/kube01/hardware-configuration.nix b/hosts/kube01/hardware-configuration.nix new file mode 100644 index 0000000..f198f81 --- /dev/null +++ b/hosts/kube01/hardware-configuration.nix 
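Review bot: This layout formats `/dev/sda` unconditionally (`extraArgs = [ "-f" ]` forces mkfs.btrfs over an existing filesystem), and `/dev/sda` is an enumeration-order name, so a second disk or a changed virtio/SATA probe order would make disko wipe the wrong device. Use a stable identifier, `device = "/dev/disk/by-id/…";` (or by-path for virtio), and since this file is about to be shared by several hosts, take the device from a module option instead of hard-coding it. The attribute is named `vdb` while the device is `/dev/sda`, which looks like a leftover from another VM, and the root filesystem is unencrypted; a `# NOTE: no LUKS, cluster state on this disk is stored in the clear` comment would at least make that choice visible.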
@@ -0,0 +1,24 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/modules/k3s.nix b/modules/k3s.nix new file mode 100644 index 0000000..940355e --- /dev/null +++ b/modules/k3s.nix @@ -0,0 +1,27 @@ +{ + pkgs, + lib, + ... +}: { + + services.k3s = { + enable = true; + role = "server"; + clusterInit = true; + token = "verysecrettoken"; + extraFlags = toString ([ + "--write-kubeconfig-mode \"0644\"" + "--disable servicelb" + "--disable traefik" + "--disable local-storage" + ]); + }; + + networking.firewall.allowedTCPPorts = [ + 6443 + ]; + networking.firewall.allowedUDPPorts = [ + 8472 + ]; + +} From 59506dac35118b701d618c7866c0d7ffe72364b3 Mon Sep 17 00:00:00 2001 
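Review bot: `token = "verysecrettoken"` commits the k3s cluster join secret to the repository, and the NixOS `services.k3s.token` option is documented as ending up world-readable in the Nix store; use `tokenFile = "/run/secrets/k3s-token";` with the file provisioned out of band (sops-nix, agenix, or copied at install time) instead. `--write-kubeconfig-mode "0644"` makes `/etc/rancher/k3s/k3s.yaml`, which contains cluster-admin client credentials, readable by every local account; drop the flag or use `0640` with an admin group owning the file. Opening 6443 and 8472 through `allowedTCPPorts`/`allowedUDPPorts` exposes the API server and flannel's VXLAN port on every interface; prefer `networking.firewall.interfaces.<nic>.allowedTCPPorts` or a source-restricted rule, and note that 2379/2380 (embedded etcd) and 10250 (kubelet) are not opened here, which will matter as soon as a second server joins.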
From: JuliusFreudenberger Date: Sat, 16 Aug 2025 22:18:20 +0200 Subject: [PATCH 10/78] Move disko configuration to modules --- flake.nix | 1 - hosts/kube01/default.nix | 2 ++ .../kube01/disko-config.nix => modules/disko/efi-full-btrfs.nix | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) rename hosts/kube01/disko-config.nix => modules/disko/efi-full-btrfs.nix (99%) diff --git a/flake.nix b/flake.nix index 2204722..527a41f 100644 --- a/flake.nix +++ b/flake.nix @@ -126,7 +126,6 @@ modules = [ disko.nixosModules.disko - ./hosts/kube01/disko-config.nix ./hosts/kube01 ]; }; diff --git a/hosts/kube01/default.nix b/hosts/kube01/default.nix index a19be4d..53f1ac3 100644 --- a/hosts/kube01/default.nix +++ b/hosts/kube01/default.nix @@ -3,6 +3,8 @@ { imports = [ + ../../modules/disko/efi-full-btrfs.nix + ../../modules/nix.nix ../../modules/network-server.nix ../../modules/locale.nix diff --git a/hosts/kube01/disko-config.nix b/modules/disko/efi-full-btrfs.nix similarity index 99% rename from hosts/kube01/disko-config.nix rename to modules/disko/efi-full-btrfs.nix index 24ffe29..5dcb78c 100644 --- a/hosts/kube01/disko-config.nix +++ b/modules/disko/efi-full-btrfs.nix @@ -1,7 +1,7 @@ { disko.devices = { disk = { - vdb = { + sda = { type = "disk"; device = "/dev/sda"; content = { From 544930ff2d0f4cfdcb1d5b169b669f70c2c70f12 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Sun, 17 Aug 2025 01:34:38 +0200 Subject: [PATCH 11/78] Externalize systemd-boot module --- hosts/kube01/default.nix | 10 +--------- modules/systemd-boot.nix | 15 +++++++++++++++ 2 files changed, 16 insertions(+), 9 deletions(-) create mode 100644 modules/systemd-boot.nix diff --git a/hosts/kube01/default.nix b/hosts/kube01/default.nix index 53f1ac3..e50f156 100644 --- a/hosts/kube01/default.nix +++ b/hosts/kube01/default.nix @@ -4,6 +4,7 @@ imports = [ ../../modules/disko/efi-full-btrfs.nix + ../../modules/systemd-boot.nix ../../modules/nix.nix ../../modules/network-server.nix 
@@ -15,15 +16,6 @@ ./hardware-configuration.nix ]; - boot = { - loader = { - systemd-boot = { - enable = true; - }; - efi.canTouchEfiVariables = true; - }; - tmp.useTmpfs = true; - }; networking.hostName = "kube01"; # Define your hostname. diff --git a/modules/systemd-boot.nix b/modules/systemd-boot.nix new file mode 100644 index 0000000..02f515d --- /dev/null +++ b/modules/systemd-boot.nix @@ -0,0 +1,15 @@ +{ + ... +}: { + + boot = { + loader = { + systemd-boot = { + enable = true; + }; + efi.canTouchEfiVariables = true; + }; + tmp.useTmpfs = true; + }; + +} From 18b28c2e9d3053d27536cf79a9f8d9d4d67a0660 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Sun, 17 Aug 2025 01:35:09 +0200 Subject: [PATCH 12/78] Add qemu-guest-utils module --- hosts/kube01/default.nix | 1 + modules/qemu-guest.nix | 7 +++++++ 2 files changed, 8 insertions(+) create mode 100644 modules/qemu-guest.nix diff --git a/hosts/kube01/default.nix b/hosts/kube01/default.nix index e50f156..7b69d12 100644 --- a/hosts/kube01/default.nix +++ b/hosts/kube01/default.nix @@ -12,6 +12,7 @@ ../../modules/server-cli.nix ../../modules/sshd.nix ../../modules/k3s.nix + ../../modules/qemu-guest.nix # Include the results of the hardware scan. ./hardware-configuration.nix ]; diff --git a/modules/qemu-guest.nix b/modules/qemu-guest.nix new file mode 100644 index 0000000..97e2081 --- /dev/null +++ b/modules/qemu-guest.nix @@ -0,0 +1,7 @@ +{ + ... +}: { + + services.qemuGuest.enable = true; + +} From 75d4187baa7afe1741fc8f7d2aa73637bc69ab74 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Sun, 17 Aug 2025 01:36:10 +0200 Subject: [PATCH 13/78] Add nixos-server user module --- hosts/kube01/default.nix | 19 +------------------ users/julius/nixos-server.nix | 23 +++++++++++++++++++++++ 2 files changed, 24 insertions(+), 18 deletions(-) create mode 100644 users/julius/nixos-server.nix diff --git a/hosts/kube01/default.nix b/hosts/kube01/default.nix index 7b69d12..2fe7891 100644 
--- a/hosts/kube01/default.nix +++ b/hosts/kube01/default.nix @@ -6,6 +6,7 @@ ../../modules/disko/efi-full-btrfs.nix ../../modules/systemd-boot.nix + ../../users/julius/nixos-server.nix ../../modules/nix.nix ../../modules/network-server.nix ../../modules/locale.nix @@ -20,24 +21,6 @@ networking.hostName = "kube01"; # Define your hostname. - users = { - users = { - julius = { - initialPassword = "password"; - isNormalUser = true; - uid = 1000; - extraGroups = [ "wheel" "julius" ]; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOiZXFM8XFkReb9HuGcY5rtPXsGuZ2eDnBBpI0kcHa6c julius@julius-framework" - ]; - }; - }; - groups = { - julius = { - gid = 1000; - }; - }; - }; # This option defines the first version of NixOS you have installed on this particular machine, # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. diff --git a/users/julius/nixos-server.nix b/users/julius/nixos-server.nix new file mode 100644 index 0000000..5802f86 --- /dev/null +++ b/users/julius/nixos-server.nix @@ -0,0 +1,23 @@ +{ + ... +}: { + + users = { + users = { + julius = { + initialPassword = "password"; + isNormalUser = true; + uid = 1000; + group = "julius"; + extraGroups = [ "wheel" ]; + }; + }; + groups = { + julius = { + gid = 1000; + }; + }; + }; + + nix.settings.trusted-users = [ "julius" ]; +} From 31267fa34ca1147e7fe77f144776f953dca69c5f Mon Sep 17 00:00:00 2001 
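Review bot: Moving the user into `users/julius/nixos-server.nix` drops the `openssh.authorizedKeys.keys` entry that the removed block in `hosts/kube01/default.nix` carried, and nothing in the new module re-adds it; with `PasswordAuthentication = false` from the sshd module, kube01 has no SSH login path after this commit. Re-add it in the new module: `openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOiZXFM8XFkReb9HuGcY5rtPXsGuZ2eDnBBpI0kcHa6c julius@julius-framework" ];`. The module also grants `nix.settings.trusted-users = [ "julius" ]`, which lets that account import unsigned store paths and point the daemon at arbitrary substituters, i.e. root-equivalent access, while the same account keeps `initialPassword = "password"`; replace the plaintext password with a `hashedPassword` or remove it before extending trusted-user status.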
From: JuliusFreudenberger Date: Sun, 17 Aug 2025 01:46:17 +0200 Subject: [PATCH 14/78] Add more kube nodes --- flake.nix | 26 +++++++++++++++++ hosts/kube02/default.nix | 36 +++++++++++++++++++++++ hosts/kube02/hardware-configuration.nix | 24 ++++++++++++++++ hosts/kube03/default.nix | 38 +++++++++++++++++++++++++ hosts/kube03/hardware-configuration.nix | 24 ++++++++++++++++ 5 files changed, 148 insertions(+) create mode 100644 hosts/kube02/default.nix create mode 100644 hosts/kube02/hardware-configuration.nix create mode 100644 hosts/kube03/default.nix create mode 100644 hosts/kube03/hardware-configuration.nix diff --git a/flake.nix b/flake.nix index 527a41f..a27ec37 100644 --- a/flake.nix +++ b/flake.nix @@ -130,6 +130,32 @@ ]; }; + kube02 = nixpkgs.lib.nixosSystem rec { + system = "x86_64-linux"; + + specialArgs = { + inherit inputs outputs; + }; + + modules = [ + disko.nixosModules.disko + ./hosts/kube02 + ]; + }; + + kube03 = nixpkgs.lib.nixosSystem rec { + system = "x86_64-linux"; + + specialArgs = { + inherit inputs outputs; + }; + + modules = [ + disko.nixosModules.disko + ./hosts/kube03 + ]; + }; + }; }; } diff --git a/hosts/kube02/default.nix b/hosts/kube02/default.nix new file mode 100644 index 0000000..cf65b75 --- /dev/null +++ b/hosts/kube02/default.nix 
@@ -0,0 +1,36 @@ +{ inputs, outputs, config, lib, pkgs, ... }: + +{ + imports = + [ + ../../modules/disko/efi-full-btrfs.nix + ../../modules/systemd-boot.nix + + ../../users/julius/nixos-server.nix + ../../modules/nix.nix + ../../modules/network-server.nix + ../../modules/locale.nix + ../../modules/server-cli.nix + ../../modules/sshd.nix + ../../modules/k3s.nix + ../../modules/qemu-guest.nix + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + + networking.hostName = "kube02"; # Define your hostname. + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how + # to actually do that. + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "25.05"; # Did you read the comment? +} diff --git a/hosts/kube02/hardware-configuration.nix b/hosts/kube02/hardware-configuration.nix new file mode 100644 index 0000000..f198f81 --- /dev/null +++ b/hosts/kube02/hardware-configuration.nix 
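Review bot: This file repeats kube01's import list verbatim and hosts/kube03/default.nix in the same patch repeats it a third time; only `networking.hostName` differs, so the shared list (disko, systemd-boot, user, nix, network, locale, cli, sshd, k3s, qemu-guest) could live in one kube-node module next to modules/k3s.nix and each host file would keep just the hostname and its hardware-configuration import. The signature `{ inputs, outputs, config, lib, pkgs, ... }:` binds five arguments that the body never uses; `{ ... }:` is enough here. Both points are style only.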
@@ -0,0 +1,24 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/kube03/default.nix b/hosts/kube03/default.nix new file mode 100644 index 0000000..8eda858 --- /dev/null +++ b/hosts/kube03/default.nix 
@@ -0,0 +1,38 @@ +{ inputs, outputs, config, lib, pkgs, ... }: + +{ + imports = + [ + ../../modules/disko/efi-full-btrfs.nix + ../../modules/systemd-boot.nix + + ../../users/julius/nixos-server.nix + ../../modules/nix.nix + ../../modules/network-server.nix + ../../modules/locale.nix + ../../modules/server-cli.nix + ../../modules/sshd.nix + ../../modules/k3s.nix + ../../modules/qemu-guest.nix + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + + + networking.hostName = "kube03"; # Define your hostname. + + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how + # to actually do that. + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "25.05"; # Did you read the comment? +} diff --git a/hosts/kube03/hardware-configuration.nix b/hosts/kube03/hardware-configuration.nix new file mode 100644 index 0000000..f198f81 --- /dev/null +++ b/hosts/kube03/hardware-configuration.nix 
@@ -0,0 +1,24 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} From 2249b4cc5819ddf8820dca20340e9ff3a2af6007 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Sun, 17 Aug 2025 02:53:39 +0200 Subject: [PATCH 15/78] Configure clustering with k3s --- hosts/kube01/default.nix | 3 +++ hosts/kube02/default.nix | 5 +++++ hosts/kube03/default.nix | 4 ++++ modules/k3s.nix | 3 ++- 4 files changed, 14 insertions(+), 1 deletion(-) diff --git a/hosts/kube01/default.nix b/hosts/kube01/default.nix index 2fe7891..a72dee8 100644 --- a/hosts/kube01/default.nix +++ b/hosts/kube01/default.nix @@ -21,6 +21,9 @@ networking.hostName = "kube01"; # Define your hostname. + services.k3s = { + clusterInit = true; + }; # This option defines the first version of NixOS you have installed on this particular machine, # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. diff --git a/hosts/kube02/default.nix b/hosts/kube02/default.nix index cf65b75..504afef 100644 
--- a/hosts/kube02/default.nix +++ b/hosts/kube02/default.nix @@ -20,6 +20,11 @@ networking.hostName = "kube02"; # Define your hostname. + services.k3s = { + serverAddr = "https://kube01:6443"; + clusterInit = false; + }; + # This option defines the first version of NixOS you have installed on this particular machine, # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. # Most users should NEVER change this value after the initial install, for any reason, diff --git a/hosts/kube03/default.nix b/hosts/kube03/default.nix index 8eda858..12884e5 100644 --- a/hosts/kube03/default.nix +++ b/hosts/kube03/default.nix @@ -21,6 +21,10 @@ networking.hostName = "kube03"; # Define your hostname. + services.k3s = { + serverAddr = "https://kube01:6443"; + clusterInit = false; + }; # This option defines the first version of NixOS you have installed on this particular machine, # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. diff --git a/modules/k3s.nix b/modules/k3s.nix index 940355e..2dab28a 100644 --- a/modules/k3s.nix +++ b/modules/k3s.nix @@ -7,7 +7,6 @@ services.k3s = { enable = true; role = "server"; - clusterInit = true; token = "verysecrettoken"; extraFlags = toString ([ "--write-kubeconfig-mode \"0644\"" @@ -19,6 +18,8 @@ networking.firewall.allowedTCPPorts = [ 6443 + 2379 + 2380 ]; networking.firewall.allowedUDPPorts = [ 8472 From db8b0f1d5fd5e87d27159588752351a714623c80 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Mon, 18 Aug 2025 23:12:46 +0200 Subject: [PATCH 16/78] Add srv01.hf as docker host --- flake.nix | 13 ++++++++ hosts/srv01.hf/default.nix | 37 +++++++++++++++++++++++ hosts/srv01.hf/hardware-configuration.nix | 24 +++++++++++++++ 3 files changed, 74 insertions(+) create mode 100644 hosts/srv01.hf/default.nix create mode 100644 hosts/srv01.hf/hardware-configuration.nix 
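Review bot: In the modules/k3s.nix hunk, adding 2379 and 2380 to `networking.firewall.allowedTCPPorts` exposes the embedded etcd client and peer ports to every source, although only the other control-plane nodes need to reach them; scope the rule to the cluster-facing interface or subnet (e.g. `networking.firewall.interfaces.<cluster-if>.allowedTCPPorts`, or an `extraCommands` rule limited to the node addresses) and label them, `2379 # etcd client (cluster nodes only)` / `2380 # etcd peer`. The same hunk shows the literal `token = …` as context: now that it is the join secret shared by three nodes it ends up world-readable in /nix/store on each of them, and `services.k3s.tokenFile` pointing at an agenix-managed file (agenix is introduced later in this series) would keep it out of the store. The kube02/kube03 hunks on this line rely on `serverAddr = "https://kube01:6443"` resolving on every node, which cannot be verified from the diff.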
diff --git a/flake.nix b/flake.nix index a27ec37..a4ec7a2 100644 --- a/flake.nix +++ b/flake.nix @@ -117,6 +117,19 @@ ]; }; + srv01-hf = nixpkgs.lib.nixosSystem rec { + system = "x86_64-linux"; + + specialArgs = { + inherit inputs outputs; + }; + + modules = [ + disko.nixosModules.disko + ./hosts/srv01.hf + ]; + }; + kube01 = nixpkgs.lib.nixosSystem rec { system = "x86_64-linux"; diff --git a/hosts/srv01.hf/default.nix b/hosts/srv01.hf/default.nix new file mode 100644 index 0000000..d341361 --- /dev/null +++ b/hosts/srv01.hf/default.nix 
@@ -0,0 +1,37 @@ +{ inputs, outputs, config, lib, pkgs, ... }: + +{ + imports = + [ + ../../modules/disko/efi-full-btrfs.nix + ../../modules/systemd-boot.nix + + ../../users/julius/nixos-server.nix + ../../modules/nix.nix + ../../modules/network-server.nix + ../../modules/locale.nix + ../../modules/server-cli.nix + ../../modules/sshd.nix + ../../modules/qemu-guest.nix + ../../modules/docker.nix + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + + + networking.hostName = "srv01-hf"; # Define your hostname. + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how + # to actually do that. + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "25.05"; # Did you read the comment? +} diff --git a/hosts/srv01.hf/hardware-configuration.nix b/hosts/srv01.hf/hardware-configuration.nix new file mode 100644 index 0000000..d152a40 --- /dev/null +++ b/hosts/srv01.hf/hardware-configuration.nix 
@@ -0,0 +1,24 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} From c4ec22b3806ab2b925a970c201ef8ceb6d79baef Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Mon, 18 Aug 2025 23:40:53 +0200 Subject: [PATCH 17/78] Change bootloader to grub for srv01-hf --- hosts/srv01.hf/default.nix | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/hosts/srv01.hf/default.nix b/hosts/srv01.hf/default.nix index d341361..868a71b 100644 --- a/hosts/srv01.hf/default.nix +++ b/hosts/srv01.hf/default.nix @@ -4,7 +4,6 @@ imports = [ ../../modules/disko/efi-full-btrfs.nix - ../../modules/systemd-boot.nix ../../users/julius/nixos-server.nix ../../modules/nix.nix @@ -18,6 +17,13 @@ ./hardware-configuration.nix ]; + boot = { + loader.grub = { + enable = true; + device = "/dev/sda"; + }; + tmp.useTmpfs = true; + }; networking.hostName = "srv01-hf"; # Define your hostname. From a8f632ed50515b179401751a0cb48fe9d7bc56c0 Mon Sep 17 00:00:00 2001 
From: JuliusFreudenberger Date: Tue, 19 Aug 2025 01:39:43 +0200 Subject: [PATCH 18/78] Enable hybrid boot for disko module --- hosts/srv01.hf/default.nix | 7 ------- modules/disko/efi-full-btrfs.nix | 9 +++++++-- 2 files changed, 7 insertions(+), 9 deletions(-) diff --git a/hosts/srv01.hf/default.nix b/hosts/srv01.hf/default.nix index 868a71b..a7a3540 100644 --- a/hosts/srv01.hf/default.nix +++ b/hosts/srv01.hf/default.nix @@ -17,13 +17,6 @@ ./hardware-configuration.nix ]; - boot = { - loader.grub = { - enable = true; - device = "/dev/sda"; - }; - tmp.useTmpfs = true; - }; networking.hostName = "srv01-hf"; # Define your hostname. diff --git a/modules/disko/efi-full-btrfs.nix b/modules/disko/efi-full-btrfs.nix index 5dcb78c..59e8b26 100644 --- a/modules/disko/efi-full-btrfs.nix +++ b/modules/disko/efi-full-btrfs.nix @@ -7,16 +7,21 @@ content = { type = "gpt"; partitions = { + MBR = { + type = "EF02"; # for grub MBR + size = "1M"; + priority = 1; # Needs to be first partition + }; ESP = { priority = 1; name = "ESP"; - start = "1M"; - end = "128M"; + size = "500M"; type = "EF00"; content = { type = "filesystem"; format = "vfat"; mountpoint = "/boot"; + mountOptions = [ "umask=0077" ]; }; }; root = { From 6989f4be08aeae7ad1e97f61fe38db49322b65ae Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Tue, 19 Aug 2025 16:44:48 +0200 Subject: [PATCH 19/78] Add static network configuration to srv01-hf --- hosts/srv01.hf/default.nix | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/hosts/srv01.hf/default.nix b/hosts/srv01.hf/default.nix index a7a3540..19d5ca9 100644 --- a/hosts/srv01.hf/default.nix +++ b/hosts/srv01.hf/default.nix 
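Review bot: In the modules/disko/efi-full-btrfs.nix hunk both the new `MBR` partition and the existing `ESP` carry `priority = 1;`, so the comment `# Needs to be first partition` is not something the ordering actually enforces; give MBR a strictly lower value than ESP (keep `priority = 1;` on MBR and set `priority = 2;` on ESP, or raise ESP's) or drop the comment. The EF02 partition only matters for hosts that boot via legacy grub, and the hosts/srv01.hf/default.nix hunk on this same line removes that host's explicit grub block, so where grub is now enabled is not visible here — a short comment on the MBR entry naming the hosts it serves would help. `mountOptions = [ "umask=0077" ]` on the ESP is a good addition.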
@@ -17,6 +17,25 @@ ./hardware-configuration.nix ]; + systemd.network = { + enable = true; + networks."10-wan" = { + matchConfig.Name = "ens18"; + networkConfig.DHCP = "no"; + address = [ + "77.90.17.93/24" + "2a06:de00:100:63::2/64" + ]; + routes = [ + { Gateway = "77.90.17.1"; } + { Gateway = "2a06:de00:100::1"; GatewayOnLink = true; } + ]; + dns = [ "9.9.9.9" ]; + }; + }; + + # Disable classic networking configuration + networking.useDHCP = lib.mkForce false; networking.hostName = "srv01-hf"; # Define your hostname. From 962ee20628dfcfab60a3244238923957257c8539 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Tue, 19 Aug 2025 17:00:45 +0200 Subject: [PATCH 20/78] Enable auto-update on srv01-hf --- hosts/srv01.hf/default.nix | 1 + modules/auto-upgrade.nix | 15 +++++++++++++++ 2 files changed, 16 insertions(+) create mode 100644 modules/auto-upgrade.nix diff --git a/hosts/srv01.hf/default.nix b/hosts/srv01.hf/default.nix index 19d5ca9..193fe35 100644 --- a/hosts/srv01.hf/default.nix +++ b/hosts/srv01.hf/default.nix @@ -13,6 +13,7 @@ ../../modules/sshd.nix ../../modules/qemu-guest.nix ../../modules/docker.nix + ../../modules/auto-upgrade.nix # Include the results of the hardware scan. ./hardware-configuration.nix ]; diff --git a/modules/auto-upgrade.nix b/modules/auto-upgrade.nix new file mode 100644 index 0000000..5ed134e --- /dev/null +++ b/modules/auto-upgrade.nix @@ -0,0 +1,15 @@ +{ + inputs, + ... +}: { + system.autoUpgrade = { + enable = true; + flags = [ + "--recreate-lock-file" # Deprecated, but will hopefully be reintroduced + "-L" + ]; + flake = inputs.self.outPath; + dates = "02:00"; + randomizedDelaySec = "45min"; + }; +} From ea01c0abf388cb37d7f99db8e0da0d8a165204b4 Mon Sep 17 00:00:00 2001 
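Review bot: In the new modules/auto-upgrade.nix, `flake = inputs.self.outPath;` points the upgrade at the store copy of the flake that built the running system and combines it with `--recreate-lock-file`; I would expect that to either fail because the lock cannot be written into the store, or, if Nix proceeds with an in-memory lock, to re-resolve every input (nixpkgs, home-manager and, later in this series, the private secrets repository) to whatever is newest at 02:00 with no review step — confirm which of the two actually happens on the host. A comment stating the intended behaviour, e.g. `# re-locks all inputs nightly from the flake baked into this system; there is no review gate`, would make the supply-chain trade-off explicit, and the `allowReboot` added to this file further down the series means the host can reboot onto a freshly resolved nixpkgs unattended.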
From: JuliusFreudenberger Date: Mon, 25 Aug 2025 09:46:56 +0200 Subject: [PATCH 21/78] Add nixremote user for remote building --- hosts/srv01.hf/default.nix | 1 + users/nixremote.nix | 12 ++++++++++++ 2 files changed, 13 insertions(+) create mode 100644 users/nixremote.nix diff --git a/hosts/srv01.hf/default.nix b/hosts/srv01.hf/default.nix index 193fe35..63062a8 100644 --- a/hosts/srv01.hf/default.nix +++ b/hosts/srv01.hf/default.nix @@ -6,6 +6,7 @@ ../../modules/disko/efi-full-btrfs.nix ../../users/julius/nixos-server.nix + ../../users/nixremote.nix ../../modules/nix.nix ../../modules/network-server.nix ../../modules/locale.nix diff --git a/users/nixremote.nix b/users/nixremote.nix new file mode 100644 index 0000000..78eac6a --- /dev/null +++ b/users/nixremote.nix @@ -0,0 +1,12 @@ +{ + ... +}: { + users.users = { + nixremote = { + isNormalUser = true; + uid = 1100; + group = "users"; + expires = "1970-01-01"; + } + }; +} From aa4d1f11c923302fd37347ed55b04e0498daf082 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Wed, 17 Sep 2025 00:03:34 +0200 Subject: [PATCH 22/78] Add rebootWindow for auto upgrades --- modules/auto-upgrade.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/auto-upgrade.nix b/modules/auto-upgrade.nix index 5ed134e..4d1a468 100644 --- a/modules/auto-upgrade.nix +++ b/modules/auto-upgrade.nix @@ -11,5 +11,10 @@ flake = inputs.self.outPath; dates = "02:00"; randomizedDelaySec = "45min"; + allowReboot = true; + rebootWindow = { + lower = "01:00"; + upper = "05:00"; + }; }; } From 3c17de5929beee77eabc5b05309563b086b30aee Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Wed, 17 Sep 2025 00:04:01 +0200 Subject: [PATCH 23/78] Make nixremote trusted and not expire --- users/nixremote.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/users/nixremote.nix b/users/nixremote.nix index 78eac6a..b0075cb 100644 --- a/users/nixremote.nix +++ b/users/nixremote.nix 
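Review bot: The new users/nixremote.nix declares `nixremote` with neither a password nor `openssh.authorizedKeys`, so how the remote-build client authenticates to it is not visible in this module; a one-line comment such as `# login key for remote builds is provisioned in <module or host file>` would save the next reader the search. The `expires = "1970-01-01"` and the missing `;` after the attribute set are both already corrected by patch 23 later on this page, so nothing to add there.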
@@ -6,7 +6,8 @@ isNormalUser = true; uid = 1100; group = "users"; - expires = "1970-01-01"; - } + }; }; + + nix.settings.trusted-users = [ "nixremote" ]; } From 739b50349c9d7f3f76329fdcaf56fb7ff957a487 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Wed, 17 Sep 2025 00:05:36 +0200 Subject: [PATCH 24/78] Set oci-backend to docker This can be used to start containers declaratively. Use docker when it is enabled for this. --- modules/docker.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/modules/docker.nix b/modules/docker.nix index b9f7aa1..d216ec2 100644 --- a/modules/docker.nix +++ b/modules/docker.nix @@ -4,8 +4,11 @@ ... }: { - virtualisation.docker = { - enable = true; + virtualisation = { + docker = { + enable = true; + }; + oci-containers.backend = "docker"; }; } From eee7d2ddcf5e404abb779b4ac6626325b43721ba Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Wed, 17 Sep 2025 23:51:27 +0200 Subject: [PATCH 25/78] Add secret management with agenix --- flake.lock | 113 +++++++++++++++++++++++++++++++------ flake.nix | 14 ++++- hosts/srv01.hf/default.nix | 1 + hosts/srv01.hf/secrets.nix | 7 +++ 4 files changed, 116 insertions(+), 19 deletions(-) create mode 100644 hosts/srv01.hf/secrets.nix diff --git a/flake.lock b/flake.lock index 97db651..8a290db 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,28 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": [], + "home-manager": "home-manager", + "nixpkgs": [ + "nixpkgs" + ], + "systems": "systems" + }, + "locked": { + "lastModified": 1754433428, + "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=", + "owner": "ryantm", + "repo": "agenix", + "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, "auto-cpufreq": { "inputs": { "nixpkgs": [ 
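Review bot: Adding `nixremote` to `nix.settings.trusted-users` makes the account root-equivalent towards the nix daemon (trusted users may override sandboxing, substituters and import unsigned store paths), which is more than a remote-build account needs if the client signs the closures it pushes; if it is required so the builder accepts unsigned paths, say so on the line: `nix.settings.trusted-users = [ "nixremote" ]; # root-equivalent: needed so remote builds can push unsigned closures`. This is the second module on this page that appends to trusted-users (users/julius/nixos-server.nix is the other), so the combined list is worth a mention wherever the nix daemon settings are documented.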
@@ -7,11 +30,11 @@ ] }, "locked": { - "lastModified": 1752998173, - "narHash": "sha256-ZlYpBp2WOe03UrpjJGz5KTOL/pp7A452hJO/Vc8C4/0=", + "lastModified": 1758056808, + "narHash": "sha256-7I4duKo9OdQ7sldgjoYBlpZ+xykszDj/IVz5hlJOaeg=", "owner": "AdnanHodzic", "repo": "auto-cpufreq", - "rev": "562278377ffa96f3c1af49c7b499df028ce8d8bd", + "rev": "9f86acc38dca4299b70ea55ae6c52902da5c903c", "type": "github" }, "original": { @@ -27,11 +50,11 @@ ] }, "locked": { - "lastModified": 1753140376, - "narHash": "sha256-7lrVrE0jSvZHrxEzvnfHFE/Wkk9DDqb+mYCodI5uuB8=", + "lastModified": 1757508292, + "narHash": "sha256-7lVWL5bC6xBIMWWDal41LlGAG+9u2zUorqo3QCUL4p4=", "owner": "nix-community", "repo": "disko", - "rev": "545aba02960caa78a31bd9a8709a0ad4b6320a5c", + "rev": "146f45bee02b8bd88812cfce6ffc0f933788875a", "type": "github" }, "original": { @@ -96,15 +119,36 @@ "home-manager": { "inputs": { "nixpkgs": [ + "agenix", "nixpkgs" ] }, "locked": { - "lastModified": 1753592768, - "narHash": "sha256-oV695RvbAE4+R9pcsT9shmp6zE/+IZe6evHWX63f2Qg=", + "lastModified": 1745494811, + "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", "owner": "nix-community", "repo": "home-manager", - "rev": "fc3add429f21450359369af74c2375cb34a2d204", + "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1757808926, + "narHash": "sha256-K6PEI5PYY94TVMH0mX3MbZNYFme7oNRKml/85BpRRAo=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "f21d9167782c086a33ad53e2311854a8f13c281e", "type": "github" }, "original": { 
@@ -137,11 +181,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1754564048, - "narHash": "sha256-dz303vGuzWjzOPOaYkS9xSW+B93PSAJxvBd6CambXVA=", + "lastModified": 1757943327, + "narHash": "sha256-w6cDExPBqbq7fTLo4dZ1ozDGeq3yV6dSN4n/sAaS6OM=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "26ed7a0d4b8741fe1ef1ee6fa64453ca056ce113", + "rev": "67a709cfe5d0643dafd798b0b613ed579de8be05", "type": "github" }, "original": { @@ -153,11 +197,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1754767907, - "narHash": "sha256-8OnUzRQZkqtUol9vuUuQC30hzpMreKptNyET2T9lB6g=", + "lastModified": 1758070117, + "narHash": "sha256-uLwwHFCZnT1c3N3biVe/0hCkag2GSrf9+M56+Okf+WY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c5f08b62ed75415439d48152c2a784e36909b1bc", + "rev": "e9b7f2ff62b35f711568b1f0866243c7c302028d", "type": "github" }, "original": { @@ -260,14 +304,32 @@ }, "root": { "inputs": { + "agenix": "agenix", "auto-cpufreq": "auto-cpufreq", "disko": "disko", - "home-manager": "home-manager", + "home-manager": "home-manager_2", "lazy-apps": "lazy-apps", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", "proxmox-nixos": "proxmox-nixos", - "systems": "systems_2" + "secrets": "secrets", + "systems": "systems_3" + } + }, + "secrets": { + "flake": false, + "locked": { + "lastModified": 1758144826, + "narHash": "sha256-iP17+7kzDVsMa66W1RmAx6LQzQVCSYj7QemyhuZMUFQ=", + "ref": "refs/heads/main", + "rev": "8ed4ae40d7b203880e368f5822260f0cd2ed0229", + "revCount": 2, + "type": "git", + "url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git" + }, + "original": { + "type": "git", + "url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git" } }, "systems": { 
@@ -286,6 +348,21 @@ } }, "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_3": { "locked": { "lastModified": 1689347949, "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", @@ -302,7 +379,7 @@ }, "utils": { "inputs": { - "systems": "systems" + "systems": "systems_2" }, "locked": { "lastModified": 1710146030, diff --git a/flake.nix b/flake.nix index a4ec7a2..fab5bf0 100644 --- a/flake.nix +++ b/flake.nix @@ -22,7 +22,17 @@ url = "github:nix-community/disko"; inputs.nixpkgs.follows = "nixpkgs"; }; - + agenix = { + url = "github:ryantm/agenix"; + inputs = { + nixpkgs.follows = "nixpkgs"; + darwin.follows = ""; + }; + }; + secrets = { + url = "git+ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git"; + flake = false; + }; systems.url = "github:nix-systems/default-linux"; }; @@ -34,6 +44,7 @@ home-manager, auto-cpufreq, proxmox-nixos, + agenix, disko, systems, ... @@ -126,6 +137,7 @@ modules = [ disko.nixosModules.disko + agenix.nixosModules.default ./hosts/srv01.hf ]; }; diff --git a/hosts/srv01.hf/default.nix b/hosts/srv01.hf/default.nix index 63062a8..1cea677 100644 --- a/hosts/srv01.hf/default.nix +++ b/hosts/srv01.hf/default.nix @@ -4,6 +4,7 @@ imports = [ ../../modules/disko/efi-full-btrfs.nix + ./secrets.nix ../../users/julius/nixos-server.nix ../../users/nixremote.nix diff --git a/hosts/srv01.hf/secrets.nix b/hosts/srv01.hf/secrets.nix new file mode 100644 index 0000000..9b8fb86 --- /dev/null +++ b/hosts/srv01.hf/secrets.nix 
@@ -0,0 +1,7 @@ +{ inputs, ... }: +{ + age.secrets = { + teleport-ca_pin.file = "${inputs.secrets}/secrets/teleport/ca_pin"; + teleport-join_token.file = "${inputs.secrets}/secrets/srv01-hf/teleport_auth_token"; + }; +} From abf81609e426ae6cc101439b8825a34e54f60dfe Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Thu, 18 Sep 2025 01:07:36 +0200 Subject: [PATCH 26/78] Add ssh connection settings to nix-private repo for auto-upgrade --- modules/auto-upgrade.nix | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/modules/auto-upgrade.nix b/modules/auto-upgrade.nix index 4d1a468..3dc9849 100644 --- a/modules/auto-upgrade.nix +++ b/modules/auto-upgrade.nix @@ -1,5 +1,6 @@ { inputs, + pkgs, ... }: { system.autoUpgrade = { @@ -17,4 +18,20 @@ upper = "05:00"; }; }; + + # Also needs access to the nix-private repo which contains the encrypted secrets + programs.ssh = { + extraConfig = " + Host git.jfreudenberger.de + Port 222 + User git + IdentityFile /etc/ssh/ssh_host_ed25519_key + "; + knownHostsFiles = [ + (pkgs.writeText "forgejo.keys" ''[git.jfreudenberger.de]:222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+uqIeb9+AoqwD0Z6xLKI2dsRoS9Qh/VwboYfGpBJd+ +[git.jfreudenberger.de]:222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8GDSt4LsCzOoIZkqZRLgXyTLyHoJu62cFFP88i8GpSadyV6mJPkK5p2mgBzN/BM9I/G2VWfvqdM8Fy/7p3S8kDhmmkOk1AK7C/+qaQKsKcQauJuzNXlwMHG1Ivath80TO9PIQc9jYakP9xl8SACd5bwkvfEm3rS5awZ8T2hWgnsgO8pFHFOFmFnVbujXZk58FVTCxpgyPqjFv76JSYxpHk1VtiQ52jScsreOImEOWWg88f9IM9etWcshuxte4zudaqc2KjjAB6pYMuVj7O6cwMXKjCUxTzyomWjr2JoEruIslifbZ6bJGgswg5ENJSKURuMPgTuGM6Nrjp75V/yFD +[git.jfreudenberger.de]:222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOS447cAWRZgHPs6MOoRS6/J66oY753QPiM7BI63/qNDd5qrCan153dJd5lBGwDR0vMWiV/0cmzuACfP5QS1Lv8= + '') + ]; + }; } From fadfd47e3f265e4382f302f7449e211ef878507e Mon Sep 17 00:00:00 2001 
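Review bot: In the modules/auto-upgrade.nix hunk, `IdentityFile /etc/ssh/ssh_host_ed25519_key` turns the host's SSH host key into the deploy credential for the nix-private repository, and `programs.ssh.extraConfig` lands in the system-wide client config, so it applies to every user's ssh on the machine rather than only to the upgrade timer (the private key itself presumably stays root-only, so other users would simply fail to authenticate — confirm). Regenerating the host key will silently break the nightly upgrade; a comment such as `# the host key doubles as the deploy key for nix-private; re-register it in Forgejo if the host key is regenerated` keeps the two coupled. Pinning `knownHostsFiles` with all three server key types is the right call.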
From: JuliusFreudenberger Date: Thu, 18 Sep 2025 01:11:06 +0200 Subject: [PATCH 27/78] Configure teleport on srv01-hf --- hosts/srv01.hf/default.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/hosts/srv01.hf/default.nix b/hosts/srv01.hf/default.nix index 1cea677..f8a2c5b 100644 --- a/hosts/srv01.hf/default.nix +++ b/hosts/srv01.hf/default.nix @@ -15,11 +15,21 @@ ../../modules/sshd.nix ../../modules/qemu-guest.nix ../../modules/docker.nix + ../../modules/teleport.nix ../../modules/auto-upgrade.nix # Include the results of the hardware scan. ./hardware-configuration.nix ]; + services.openssh.openFirewall = false; + services.teleport = { + enable = true; + settings.teleport = { + ca_pin = config.age.secrets."teleport-ca_pin".path; + auth_token = config.age.secrets."teleport-join_token".path; + }; + }; + systemd.network = { enable = true; networks."10-wan" = { From cfc8f986b7e9a6680039358f03789f35395e5e22 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Thu, 18 Sep 2025 01:11:57 +0200 Subject: [PATCH 28/78] Add portainer_agent module and configure srv01-hf for it --- hosts/srv01.hf/default.nix | 3 +++ hosts/srv01.hf/secrets.nix | 1 + modules/portainer_agent.nix | 21 +++++++++++++++++++++ 3 files changed, 25 insertions(+) create mode 100644 modules/portainer_agent.nix diff --git a/hosts/srv01.hf/default.nix b/hosts/srv01.hf/default.nix index f8a2c5b..feb2183 100644 --- a/hosts/srv01.hf/default.nix +++ b/hosts/srv01.hf/default.nix @@ -16,6 +16,7 @@ ../../modules/qemu-guest.nix ../../modules/docker.nix ../../modules/teleport.nix + ../../modules/portainer_agent.nix ../../modules/auto-upgrade.nix # Include the results of the hardware scan. ./hardware-configuration.nix @@ -30,6 +31,8 @@ }; }; + virtualisation.oci-containers.containers.portainer_agent.environmentFiles = [ config.age.secrets."portainer-join_token".path ]; + systemd.network = { enable = true; networks."10-wan" = { 
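Review bot: In the teleport hunk, `ca_pin = config.age.secrets."teleport-ca_pin".path;` hands Teleport the path of the decrypted file, but to my knowledge `ca_pin` expects the pin value itself (`sha256:…`) while only `auth_token` is documented to accept either a literal or a file path — confirm against the Teleport version shipped by nixpkgs here, since a wrong value means the node rejects the auth server or, if the field is silently ignored, joins without pinning. The pin is a hash of the cluster CA and not secret, so the usual route is to keep it as a literal in the nix config and leave only the join token under agenix. `services.openssh.openFirewall = false;` leaves sshd listening but unreachable from outside; a comment that Teleport is the intended access path would make that deliberate.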
diff --git a/hosts/srv01.hf/secrets.nix b/hosts/srv01.hf/secrets.nix index 9b8fb86..8697e77 100644 --- a/hosts/srv01.hf/secrets.nix +++ b/hosts/srv01.hf/secrets.nix @@ -3,5 +3,6 @@ age.secrets = { teleport-ca_pin.file = "${inputs.secrets}/secrets/teleport/ca_pin"; teleport-join_token.file = "${inputs.secrets}/secrets/srv01-hf/teleport_auth_token"; + portainer-join_token.file = "${inputs.secrets}/secrets/srv01-hf/portainer_join_token"; }; } diff --git a/modules/portainer_agent.nix b/modules/portainer_agent.nix new file mode 100644 index 0000000..8bebd6c --- /dev/null +++ b/modules/portainer_agent.nix @@ -0,0 +1,21 @@ +{ + ... +}: { + virtualisation.oci-containers.containers = { + portainer_agent = { + image = "portainer/agent:2.33.1"; + volumes = [ + "/var/run/docker.sock:/var/run/docker.sock" + "/var/lib/docker/volumes:/var/lib/docker/volumes" + "/:/host" + ]; + environment = { + EDGE = "1"; + CAP_HOST_MANAGEMENT = "1"; + }; + extraOptions = [ + ''--mount=type=volume,source=portainer_agent,target=/data,volume-driver=local'' + ]; + }; + }; +} From 0b336f6058bd1aad6c4057d0b6cd6e8a05cb97be Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Thu, 18 Sep 2025 01:12:18 +0200 Subject: [PATCH 29/78] Update flake.lock --- flake.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/flake.lock b/flake.lock index 8a290db..9a46a8b 100644 --- a/flake.lock +++ b/flake.lock @@ -319,11 +319,11 @@ "secrets": { "flake": false, "locked": { - "lastModified": 1758144826, - "narHash": "sha256-iP17+7kzDVsMa66W1RmAx6LQzQVCSYj7QemyhuZMUFQ=", + "lastModified": 1758149260, + "narHash": "sha256-Pgw5Krmc27t+7On6fwHJWx0nuoLRu0XqwN5MHaZ5kys=", "ref": "refs/heads/main", - "rev": "8ed4ae40d7b203880e368f5822260f0cd2ed0229", - "revCount": 2, + "rev": "50fd7d5277505cbb3235aae9719d3b8b0c7fe692", + "revCount": 5, "type": "git", "url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git" }, 
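Review bot: The new modules/portainer_agent.nix gives the container the docker socket, `/:/host` and `CAP_HOST_MANAGEMENT = "1"`, which makes it root-equivalent on the host, and `EDGE = "1"` means it connects out to a Portainer server whose authority rests on the key in the environment file added in the srv01.hf hunk — none of that is stated in the module. A header comment such as `# Edge agent: full host access via docker.sock and /:/host; whoever controls the Portainer server controls this host` records the trust decision. The image is pulled by tag only; `image = "portainer/agent:2.33.1@sha256:<digest>";` would pin the content so the tag cannot be repointed.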
From 0fd83d282223222121ae65e0b9144f0eaae3f39d Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Thu, 25 Sep 2025 11:35:06 +0200 Subject: [PATCH 30/78] Add configuration of proxmox binary cache into flake hint --- flake.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/flake.nix b/flake.nix index fab5bf0..7f638f1 100644 --- a/flake.nix +++ b/flake.nix @@ -1,6 +1,15 @@ { description = "NixOS configuration of Julius Freudenberger"; + nixConfig = { + extra-substituters = [ + "https://cache.saumon.network/proxmox-nixos" + ]; + extra-trusted-public-keys = [ + "proxmox-nixos:D9RYSWpQQC/msZUWphOY2I5RLH5Dd6yQcaHIuug7dWM=" + ]; + }; + inputs = { #nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; From b0bf41a8263327f03138d07094a513b512143a0c Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Mon, 29 Sep 2025 17:05:03 +0200 Subject: [PATCH 31/78] portainer_agent: 2.33.1 -> 2.33.2 --- modules/portainer_agent.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/portainer_agent.nix b/modules/portainer_agent.nix index 8bebd6c..408834b 100644 --- a/modules/portainer_agent.nix +++ b/modules/portainer_agent.nix @@ -3,7 +3,7 @@ }: { virtualisation.oci-containers.containers = { portainer_agent = { - image = "portainer/agent:2.33.1"; + image = "portainer/agent:2.33.2"; volumes = [ "/var/run/docker.sock:/var/run/docker.sock" "/var/lib/docker/volumes:/var/lib/docker/volumes" From 9c3769ed3900bc95299d93428e5cec70c113807a Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Mon, 29 Sep 2025 17:08:04 +0200 Subject: [PATCH 32/78] Update flake.lock --- flake.lock | 45 +++++++++++++++++++++++---------------------- 1 file changed, 23 insertions(+), 22 deletions(-) diff --git a/flake.lock b/flake.lock index 9a46a8b..40c760f 100644 --- a/flake.lock +++ b/flake.lock 
@@ -30,15 +30,16 @@ ] }, "locked": { - "lastModified": 1758056808, - "narHash": "sha256-7I4duKo9OdQ7sldgjoYBlpZ+xykszDj/IVz5hlJOaeg=", + "lastModified": 1757911848, + "narHash": "sha256-YkT8N8VFISStPADblSg1aCI0BP1TJ2koA5QqfJ7t12U=", "owner": "AdnanHodzic", "repo": "auto-cpufreq", - "rev": "9f86acc38dca4299b70ea55ae6c52902da5c903c", + "rev": "c2ff712325dd919b3ee7c7e5354d67fb841618d0", "type": "github" }, "original": { "owner": "AdnanHodzic", + "ref": "c2ff712325dd919b3ee7c7e5354d67fb841618d0", "repo": "auto-cpufreq", "type": "github" } @@ -50,11 +51,11 @@ ] }, "locked": { - "lastModified": 1757508292, - "narHash": "sha256-7lVWL5bC6xBIMWWDal41LlGAG+9u2zUorqo3QCUL4p4=", + "lastModified": 1758287904, + "narHash": "sha256-IGmaEf3Do8o5Cwp1kXBN1wQmZwQN3NLfq5t4nHtVtcU=", "owner": "nix-community", "repo": "disko", - "rev": "146f45bee02b8bd88812cfce6ffc0f933788875a", + "rev": "67ff9807dd148e704baadbd4fd783b54282ca627", "type": "github" }, "original": { @@ -144,11 +145,11 @@ ] }, "locked": { - "lastModified": 1757808926, - "narHash": "sha256-K6PEI5PYY94TVMH0mX3MbZNYFme7oNRKml/85BpRRAo=", + "lastModified": 1758463745, + "narHash": "sha256-uhzsV0Q0I9j2y/rfweWeGif5AWe0MGrgZ/3TjpDYdGA=", "owner": "nix-community", "repo": "home-manager", - "rev": "f21d9167782c086a33ad53e2311854a8f13c281e", + "rev": "3b955f5f0a942f9f60cdc9cacb7844335d0f21c3", "type": "github" }, "original": { @@ -181,11 +182,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1757943327, - "narHash": "sha256-w6cDExPBqbq7fTLo4dZ1ozDGeq3yV6dSN4n/sAaS6OM=", + "lastModified": 1758663926, + "narHash": "sha256-6CFdj7Xs616t1W4jLDH7IohAAvl5Dyib3qEv/Uqw1rk=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "67a709cfe5d0643dafd798b0b613ed579de8be05", + "rev": "170ff93c860b2a9868ed1e1102d4e52cb3d934e1", "type": "github" }, "original": { 
@@ -197,11 +198,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1758070117, - "narHash": "sha256-uLwwHFCZnT1c3N3biVe/0hCkag2GSrf9+M56+Okf+WY=", + "lastModified": 1758791193, + "narHash": "sha256-F8WmEwFoHsnix7rt290R0rFXNJiMbClMZyIC/e+HYf0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "e9b7f2ff62b35f711568b1f0866243c7c302028d", + "rev": "25e53aa156d47bad5082ff7618f5feb1f5e02d01", "type": "github" }, "original": { @@ -289,11 +290,11 @@ "utils": "utils" }, "locked": { - "lastModified": 1754428470, - "narHash": "sha256-Sxf8gf+vfGeFaJMW3D+8pwH/+WwYTQOg47Lrm42+kTc=", + "lastModified": 1758650077, + "narHash": "sha256-ZeRtJimtk0Faiq7DPZEQNGipda3TaR4QXp0TAzu934Q=", "owner": "SaumonNet", "repo": "proxmox-nixos", - "rev": "6faed2845ef5f0bb05c9519b75097bbe7fb39327", + "rev": "ce8768f43b4374287cd8b88d8fa9c0061e749d9a", "type": "github" }, "original": { @@ -319,11 +320,11 @@ "secrets": { "flake": false, "locked": { - "lastModified": 1758149260, - "narHash": "sha256-Pgw5Krmc27t+7On6fwHJWx0nuoLRu0XqwN5MHaZ5kys=", + "lastModified": 1758149597, + "narHash": "sha256-qUkhfFBEuDJ7nP6jcdBZzGBBhLKnXYxumBQI75DGcFc=", "ref": "refs/heads/main", - "rev": "50fd7d5277505cbb3235aae9719d3b8b0c7fe692", - "revCount": 5, + "rev": "8404f6877e25b8cbf3f504ef1926034e8c401dbe", + "revCount": 6, "type": "git", "url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git" }, From 7ae69de706daed306eecd1ea62c382ecdadc60d5 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Mon, 8 Dec 2025 19:29:16 +0100 Subject: [PATCH 33/78] Add user to kvm group --- users/julius/nixos.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/users/julius/nixos.nix b/users/julius/nixos.nix index a424826..81c9e60 100644 --- a/users/julius/nixos.nix +++ b/users/julius/nixos.nix 
@@ -6,7 +6,7 @@ }: { users.users.julius = { isNormalUser = true; - extraGroups = [ "wheel" "networkmanager" "docker" "libvirtd" ]; + extraGroups = [ "wheel" "networkmanager" "docker" "libvirtd" "kvm" ]; shell = pkgs.zsh; }; From 5fd7eb5ee2d23616e0bcb8820caee6f2efe1049c Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Wed, 24 Dec 2025 02:14:10 +0100 Subject: [PATCH 34/78] Remove phpstorm --- modules/gui-coding.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/gui-coding.nix b/modules/gui-coding.nix index 33056ef..e195a05 100644 --- a/modules/gui-coding.nix +++ b/modules/gui-coding.nix @@ -6,7 +6,6 @@ environment.systemPackages = with pkgs; [ jetbrains.idea-ultimate jetbrains.pycharm-professional - jetbrains.phpstorm vscodium-fhs zed-editor.fhs From 55292a69f45e39ff9f26959344bf04ffa4a54719 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Wed, 24 Dec 2025 23:20:37 +0100 Subject: [PATCH 35/78] Update to 25.11 --- flake.lock | 93 ++++++++++++++++++++++++----------------- flake.nix | 4 +- modules/gui-coding.nix | 4 +- modules/i3.nix | 2 +- modules/laptop.nix | 8 ++-- modules/typesetting.nix | 2 +- 6 files changed, 64 insertions(+), 49 deletions(-) diff --git a/flake.lock b/flake.lock index 40c760f..a5e3b36 100644 --- a/flake.lock +++ b/flake.lock @@ -10,11 +10,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1754433428, - "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=", + "lastModified": 1762618334, + "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=", "owner": "ryantm", "repo": "agenix", - "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d", + "rev": "fcdea223397448d35d9b31f798479227e80183f6", "type": "github" }, "original": { 
@@ -30,16 +30,15 @@ ] }, "locked": { - "lastModified": 1757911848, - "narHash": "sha256-YkT8N8VFISStPADblSg1aCI0BP1TJ2koA5QqfJ7t12U=", + "lastModified": 1765042799, + "narHash": "sha256-G7UJDUNcuHm1n2EuA+2iKPNISSWoUgqk85ktncJoelo=", "owner": "AdnanHodzic", "repo": "auto-cpufreq", - "rev": "c2ff712325dd919b3ee7c7e5354d67fb841618d0", + "rev": "2e5c725be0a7da2c749a345e09f3df3b9ef8c209", "type": "github" }, "original": { "owner": "AdnanHodzic", - "ref": "c2ff712325dd919b3ee7c7e5354d67fb841618d0", "repo": "auto-cpufreq", "type": "github" } @@ -51,11 +50,11 @@ ] }, "locked": { - "lastModified": 1758287904, - "narHash": "sha256-IGmaEf3Do8o5Cwp1kXBN1wQmZwQN3NLfq5t4nHtVtcU=", + "lastModified": 1766150702, + "narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=", "owner": "nix-community", "repo": "disko", - "rev": "67ff9807dd148e704baadbd4fd783b54282ca627", + "rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378", "type": "github" }, "original": { @@ -82,11 +81,11 @@ }, "flake-compat_2": { "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "lastModified": 1747046372, + "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", "owner": "edolstra", "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", "type": "github" }, "original": { @@ -145,16 +144,16 @@ ] }, "locked": { - "lastModified": 1758463745, - "narHash": "sha256-uhzsV0Q0I9j2y/rfweWeGif5AWe0MGrgZ/3TjpDYdGA=", + "lastModified": 1766529401, + "narHash": "sha256-OJAjJcW6ZADEzTBrvOTZanbgC8ObEWveObujtpazEbg=", "owner": "nix-community", "repo": "home-manager", - "rev": "3b955f5f0a942f9f60cdc9cacb7844335d0f21c3", + "rev": "aaf46506426cc8c53719dd20de660fc856a5561e", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-25.05", + "ref": "release-25.11", "repo": "home-manager", "type": "github" } 
@@ -167,11 +166,11 @@ "pre-commit-hooks": "pre-commit-hooks" }, "locked": { - "lastModified": 1752585957, - "narHash": "sha256-ogQo/MMNSIM4U4VQMieIrpLhjkgSbev3VR24foJ/h/U=", + "lastModified": 1764660538, + "narHash": "sha256-kEWb9Hc2OxdLhJ1pRdW7zRZ57Mul3/Jpy3vyhQ8Yq6o=", "owner": "~rycee", "repo": "lazy-apps", - "rev": "3c3ce5001e24b6c12496a5920eee28a96f8d49d6", + "rev": "4ddc92c77213f8ed3ddef1868f4a19002afa728a", "type": "sourcehut" }, "original": { @@ -182,11 +181,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1758663926, - "narHash": "sha256-6CFdj7Xs616t1W4jLDH7IohAAvl5Dyib3qEv/Uqw1rk=", + "lastModified": 1764440730, + "narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "170ff93c860b2a9868ed1e1102d4e52cb3d934e1", + "rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3", "type": "github" }, "original": { @@ -198,20 +197,35 @@ }, "nixpkgs": { "locked": { - "lastModified": 1758791193, - "narHash": "sha256-F8WmEwFoHsnix7rt290R0rFXNJiMbClMZyIC/e+HYf0=", + "lastModified": 1766473571, + "narHash": "sha256-5G1NDO2PulBx1RoaA6U1YoUDX0qZslpPxv+n5GX6Qto=", "owner": "nixos", "repo": "nixpkgs", - "rev": "25e53aa156d47bad5082ff7618f5feb1f5e02d01", + "rev": "76701a179d3a98b07653e2b0409847499b2a07d3", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-25.05", + "ref": "nixos-25.11", "repo": "nixpkgs", "type": "github" } }, + "nixpkgs-libvncserver": { + "locked": { + "lastModified": 1750111231, + "narHash": "sha256-3a7Tha/RwYlzH/v3PJrG7+HjOj4c6YOv2K8sqdGsHVQ=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "e6f23dc08d3624daab7094b701aa3954923c6bbb", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "rev": "e6f23dc08d3624daab7094b701aa3954923c6bbb", + "type": "indirect" + } + }, "nixpkgs-stable": { "locked": { "lastModified": 1730741070, 
@@ -230,11 +244,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1748437600, - "narHash": "sha256-hYKMs3ilp09anGO7xzfGs3JqEgUqFMnZ8GMAqI6/k04=", + "lastModified": 1761016216, + "narHash": "sha256-G/iC4t/9j/52i/nm+0/4ybBmAF4hzR8CNHC75qEhjHo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7282cb574e0607e65224d33be8241eae7cfe0979", + "rev": "481cf557888e05d3128a76f14c76397b7d7cc869", "type": "github" }, "original": { @@ -245,11 +259,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1723637854, - "narHash": "sha256-med8+5DSWa2UnOqtdICndjDAEjxr5D7zaIiK4pn0Q7c=", + "lastModified": 1761114652, + "narHash": "sha256-f/QCJM/YhrV/lavyCVz8iU3rlZun6d+dAiC3H+CDle4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c3aa7b8938b17aebd2deecf7be0636000d62a2b9", + "rev": "01f116e4df6a15f4ccdffb1bcd41096869fb385c", "type": "github" }, "original": { @@ -285,16 +299,17 @@ "proxmox-nixos": { "inputs": { "flake-compat": "flake-compat_2", + "nixpkgs-libvncserver": "nixpkgs-libvncserver", "nixpkgs-stable": "nixpkgs-stable_2", "nixpkgs-unstable": "nixpkgs-unstable", "utils": "utils" }, "locked": { - "lastModified": 1758650077, - "narHash": "sha256-ZeRtJimtk0Faiq7DPZEQNGipda3TaR4QXp0TAzu934Q=", + "lastModified": 1764188113, + "narHash": "sha256-Oq4aCjczgnFQqFNWZ6Ablg6x9579CO8tyBktYDYiZEs=", "owner": "SaumonNet", "repo": "proxmox-nixos", - "rev": "ce8768f43b4374287cd8b88d8fa9c0061e749d9a", + "rev": "3be878a84866b9ef9214b8ea6f53630f47f4b192", "type": "github" }, "original": { @@ -383,11 +398,11 @@ "systems": "systems_2" }, "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", "owner": "numtide", "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 7f638f1..a0d1393 100644 
--- a/flake.nix +++ b/flake.nix @@ -12,10 +12,10 @@ inputs = { #nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11"; nixos-hardware.url = "github:NixOS/nixos-hardware/master"; home-manager = { - url = "github:nix-community/home-manager/release-25.05"; + url = "github:nix-community/home-manager/release-25.11"; inputs.nixpkgs.follows = "nixpkgs"; }; auto-cpufreq = { diff --git a/modules/gui-coding.nix b/modules/gui-coding.nix index e195a05..223f2b6 100644 --- a/modules/gui-coding.nix +++ b/modules/gui-coding.nix @@ -4,8 +4,8 @@ ... }: { environment.systemPackages = with pkgs; [ - jetbrains.idea-ultimate - jetbrains.pycharm-professional + jetbrains.idea + jetbrains.pycharm vscodium-fhs zed-editor.fhs diff --git a/modules/i3.nix b/modules/i3.nix index dcefbd7..80fcb57 100644 --- a/modules/i3.nix +++ b/modules/i3.nix @@ -18,7 +18,7 @@ lightlocker xautolock # lock screen after some time i3status # provide information to i3bar - i3-gaps # i3 with gaps + i3 # i3 with gaps nitrogen # set wallpaper acpi # battery information arandr # screen layout manager diff --git a/modules/laptop.nix b/modules/laptop.nix index 73f9fa6..49e7492 100644 --- a/modules/laptop.nix +++ b/modules/laptop.nix @@ -6,10 +6,10 @@ boot.kernelPackages = pkgs.linuxKernel.packages.linux_zen; - services.logind = { - lidSwitch = "suspend-then-hibernate"; - lidSwitchDocked = "suspend-then-hibernate"; - powerKey = "ignore"; + services.logind.settings.Login = { + HandleLidSwitch= "suspend-then-hibernate"; + HandleLidSwitchDocked = "suspend-then-hibernate"; + HandlePowerKey = "ignore"; }; programs.auto-cpufreq.enable = true; diff --git a/modules/typesetting.nix b/modules/typesetting.nix index 56ba34e..b4e321f 100644 --- a/modules/typesetting.nix +++ b/modules/typesetting.nix @@ -5,7 +5,7 @@ }: { environment.systemPackages = with pkgs; [ typst - typstfmt + typstyle texliveFull 
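Review bot: `HandleLidSwitch= "suspend-then-hibernate";` in the `modules/laptop.nix` hunk drops the space before `=` that its two sibling lines keep; `HandleLidSwitch = "suspend-then-hibernate";` makes the new `services.logind.settings.Login` block consistent.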
From 7574b6bfa4e13db21887135f5946a28d4a45940e Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Wed, 24 Dec 2025 23:20:51 +0100 Subject: [PATCH 36/78] Update devshells to 25.11 --- devshells/java17-maven/flake.lock | 8 ++++---- devshells/java17-maven/flake.nix | 2 +- devshells/java21-maven/flake.lock | 8 ++++---- devshells/java21-maven/flake.nix | 2 +- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/devshells/java17-maven/flake.lock b/devshells/java17-maven/flake.lock index ae71305..b4da842 100644 --- a/devshells/java17-maven/flake.lock +++ b/devshells/java17-maven/flake.lock @@ -22,16 +22,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1736684107, - "narHash": "sha256-vH5mXxEvZeoGNkqKoCluhTGfoeXCZ1seYhC2pbMN0sg=", + "lastModified": 1766473571, + "narHash": "sha256-5G1NDO2PulBx1RoaA6U1YoUDX0qZslpPxv+n5GX6Qto=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "635e887b48521e912a516625eee7df6cf0eba9c1", + "rev": "76701a179d3a98b07653e2b0409847499b2a07d3", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-24.11", + "ref": "nixos-25.11", "repo": "nixpkgs", "type": "github" } diff --git a/devshells/java17-maven/flake.nix b/devshells/java17-maven/flake.nix index 106308a..169ccb2 100644 --- a/devshells/java17-maven/flake.nix +++ b/devshells/java17-maven/flake.nix @@ -1,6 +1,6 @@ { description = "A basic flake with a shell"; - inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11"; + inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; inputs.systems.url = "github:nix-systems/default"; inputs.flake-utils = { url = "github:numtide/flake-utils"; diff --git a/devshells/java21-maven/flake.lock b/devshells/java21-maven/flake.lock index 72a721c..b4da842 100644 --- a/devshells/java21-maven/flake.lock +++ b/devshells/java21-maven/flake.lock 
@@ -22,16 +22,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1734435836, - "narHash": "sha256-kMBQ5PRiFLagltK0sH+08aiNt3zGERC2297iB6vrvlU=", + "lastModified": 1766473571, + "narHash": "sha256-5G1NDO2PulBx1RoaA6U1YoUDX0qZslpPxv+n5GX6Qto=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4989a246d7a390a859852baddb1013f825435cee", + "rev": "76701a179d3a98b07653e2b0409847499b2a07d3", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixpkgs-unstable", + "ref": "nixos-25.11", "repo": "nixpkgs", "type": "github" } diff --git a/devshells/java21-maven/flake.nix b/devshells/java21-maven/flake.nix index 79f8a2c..943795f 100644 --- a/devshells/java21-maven/flake.nix +++ b/devshells/java21-maven/flake.nix @@ -1,6 +1,6 @@ { description = "A basic flake with a shell"; - inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11"; + inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; inputs.systems.url = "github:nix-systems/default"; inputs.flake-utils = { url = "github:numtide/flake-utils"; From f772e6054e1eee84ea96fe33ea4b56e9aae238f8 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Fri, 2 Jan 2026 19:52:36 +0100 Subject: [PATCH 37/78] Enable software tpm for libvirt --- modules/virtualization.nix | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/modules/virtualization.nix b/modules/virtualization.nix index b1cde0f..fb232cc 100644 --- a/modules/virtualization.nix +++ b/modules/virtualization.nix @@ -3,12 +3,13 @@ lib, ... }: { - environment.systemPackages = with pkgs; [ - virt-manager - ]; - virtualisation = { - libvirtd.enable = true; + libvirtd = { + enable = true; + qemu.swtpm.enable = true; + }; spiceUSBRedirection.enable = true; }; + + programs.virt-manager.enable = true; } From d4e4ecf9a9e3a8ed69de377c60122c4e610ee9ae Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Sun, 4 Jan 2026 22:17:30 +0100 Subject: [PATCH 38/78] Disallow ping on servers --- modules/network-server.nix | 1 + 1 file changed, 1 insertion(+) 
diff --git a/modules/network-server.nix b/modules/network-server.nix
index 99645e8..017b1b0 100644
--- a/modules/network-server.nix
+++ b/modules/network-server.nix
@@ -5,5 +5,6 @@
 }: {
 networking = {
 useDHCP = true;
+ firewall.allowPing = false;
 };
 }
From ed21c242620c6348fb9ce5555a08925791ed256b Mon Sep 17 00:00:00 2001
From: JuliusFreudenberger
Date: Sun, 4 Jan 2026 22:17:40 +0100
Subject: [PATCH 39/78] Enable ipv6 in docker
---
 modules/docker.nix | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/modules/docker.nix b/modules/docker.nix
index d216ec2..2c88d1a 100644
--- a/modules/docker.nix
+++ b/modules/docker.nix
@@ -7,6 +7,10 @@
 virtualisation = {
 docker = {
 enable = true;
+ daemon.settings = {
+ ipv6 = true;
+ ip6tables = true;
+ };
 };
 oci-containers.backend = "docker";
 };
From cb0408abd4528d5792844c9a97e3d61cbaa1c23a Mon Sep 17 00:00:00 2001
From: JuliusFreudenberger
Date: Sun, 4 Jan 2026 22:20:20 +0100
Subject: [PATCH 40/78] Add modules for traefik and arcane
---
 modules/arcane.nix | 64 ++++++++++++++
 modules/traefik.nix | 197 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 261 insertions(+)
 create mode 100644 modules/arcane.nix
 create mode 100644 modules/traefik.nix
diff --git a/modules/arcane.nix b/modules/arcane.nix
new file mode 100644
index 0000000..160088f
--- /dev/null
+++ b/modules/arcane.nix
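Review bot: `firewall.allowPing = false` only stops ICMPv4 echo requests; as far as I recall the NixOS option's documentation, ICMPv6 echo is left reachable on purpose, so the host still answers `ping -6` and the commit title overstates the effect. A trailing comment `# IPv4 echo only: NixOS keeps ICMPv6 echo reachable` would prevent that assumption, and it is worth confirming that no uptime monitor for the servers relies on ICMP reachability.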
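Review bot: `ip6tables = true` in the `modules/docker.nix` hunk lets the Docker daemon program published container ports into the IPv6 tables just as it already does for IPv4, so a container with `ports = [ "80:80" ]` becomes reachable over IPv6 without `networking.firewall` being consulted; that is presumably wanted for the reverse-proxy host, but a comment on the `daemon.settings` block stating it would avoid surprises on hosts that publish ports for internal use only. `ipv6 = true` without a `fixed-cidr-v6` relies on the daemon choosing a subnet for the default bridge itself, which I believe recent Docker releases do, so confirm against the Docker version the pinned nixpkgs ships.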
@@ -0,0 +1,64 @@
+{
+ config,
+ lib,
+ ...
+}:
+let
+ cfg = config.services.arcane;
+in {
+ options.services.arcane = {
+ enable = lib.mkEnableOption "arcane, a modern Docker management UI";
+ appUrl = lib.mkOption {
+ description = "External URL arcane will be reachable from, without protocol";
+ type = lib.types.str;
+ };
+ secretFile = lib.mkOption {
+ description = ''
+ Agenix secret containing the following needed environment variables in dotenv notation:
+ - ENCRYPTION_KEY
+ - JWT_SECRET
+ - OIDC_CLIENT_ID
+ - OIDC_CLIENT_SECRET
+ - OIDC_ISSUER_URL
+ - OIDC_ADMIN_CLAIM
+ - OIDC_ADMIN_VALUE
+ '';
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ virtualisation.oci-containers.containers = {
+ arcane = {
+ image = "ghcr.io/getarcaneapp/arcane:v1.11.2";
+ volumes = [
+ "/var/run/docker.sock:/var/run/docker.sock"
+ ];
+ environment = {
+ APP_URL = "https://${cfg.appUrl}";
+ PUID = "1000";
+ PGID = "1000";
+ LOG_LEVEL = "info";
+ LOG_JSON = "false";
+ OIDC_ENABLED = "true";
+ OIDC_SCOPES = "openid email profile groups";
+ DATABASE_URL = "file:data/arcane.db?_pragma=journal_mode(WAL)&_pragma=busy_timeout(2500)&_txlock=immediate";
+ };
+ environmentFiles = [
+ cfg.secretFile.path
+ ];
+ networks = [
+ "traefik"
+ ];
+ labels = {
+ "traefik.enable" = "true";
+ "traefik.http.routers.arcane.middlewares" = "arcane-oidc-auth@file";
+ "traefik.http.routers.arcane.rule" = "Host(`${cfg.appUrl}`)";
+ "traefik.http.services.arcane.loadbalancer.server.port" = "3552";
+ };
+ extraOptions = [
+ ''--mount=type=volume,source=arcane-data,target=/app/data,volume-driver=local''
+ ];
+ };
+ };
+ };
+}
diff --git a/modules/traefik.nix b/modules/traefik.nix
new file mode 100644
index 0000000..04dedfc
--- /dev/null
+++ b/modules/traefik.nix
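Review bot: `secretFile` is declared without a `type`, unlike `appUrl`, so a mis-set value is only caught when `cfg.secretFile.path` is evaluated inside the container definition; `type = lib.types.attrsOf lib.types.anything;` would at least reject a bare path string at option-check time. Because the container holds the Docker socket, the `OIDC_ADMIN_CLAIM`/`OIDC_ADMIN_VALUE` mapping read from that secret effectively decides who gets host-level control, and the `enable` description should say so, e.g. `lib.mkEnableOption "arcane, a Docker management UI (holds the Docker socket, so its OIDC admin mapping grants host-level control)"`. The image is pinned only by the mutable tag `v1.11.2`; `ghcr.io/getarcaneapp/arcane:v1.11.2@sha256:<digest-placeholder>` would make re-pulls reproducible.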
@@ -0,0 +1,197 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}:
+let
+
+ cfg = config.services.traefik-docker;
+
+ mapOidcClientNameToEnv = stringToReplace: lib.replaceString "-" "_" (lib.toUpper stringToReplace);
+
+ traefik-mtls-config = (pkgs.formats.yaml { }).generate "traefik-mtls-config" {
+ tls.options.default.clientAuth = {
+ caFiles = "caFiles/root_ca.crt";
+ clientAuthType = "VerifyClientCertIfGiven";
+ };
+ };
+
+in {
+
+ options.services.traefik-docker = {
+ enable = lib.mkEnableOption "traefik web server hosted as OCI container";
+ dashboardUrl = lib.mkOption {
+ description = "External URL the traefik dashboard will be reachable from, without protocol";
+ type = lib.types.str;
+ };
+ dnsSecrets = lib.mkOption {
+ description = "Secrets for DNS providers.";
+ type = lib.types.listOf lib.types.anything;
+ };
+ mTLSCaCertSecret = lib.mkOption {
+ description = "Agenix secret containing the CA file to verify client certificates against.";
+ };
+ oidcAuthProviderUrl = lib.mkOption {
+ description = "Provider URL of OIDC auth provider.";
+ type = lib.types.str;
+ };
+ oidcClients = lib.mkOption {
+ example = ''
+ immich = {
+ scopes = [
+ "openid"
+ "email"
+ "profile"
+ ];
+ enableBypassUsingClientCertificate = true;
+ usePkce = true;
+ };
+ '';
+ description = "Attribute set of OIDC clients with their configurations.";
+ type = lib.types.attrsOf (
+ lib.types.submodule {
+ options = {
+ secret = lib.mkOption {
+ description = ''Agenix secret containing the following needed environment variables in dotenv notation:
+ - _OIDC_AUTH_SECRET
+ - _OIDC_AUTH_PROVIDER_CLIENT_ID
+ - _OIDC_CLIENT_SECRET
+ '';
+ };
+ scopes = lib.mkOption {
+ default = [ "openid" ];
+ example = [ "openid" "email" "profile" "groups" ];
+ description = "OIDC scopes to request from auth provider.";
+ type = lib.types.listOf lib.types.str;
+ };
+ usePkce = lib.mkOption {
+ default = true;
+ description = "Whether to enable PKCE for this provider.";
+ type = lib.types.bool;
+ };
+
enableBypassUsingClientCertificate = lib.mkOption {
+ default = false;
+ description = "Whether to allow bypassing OIDC protection when a verified client certificate is presented.";
+ type = lib.types.bool;
+ };
+ };
+ }
+ );
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ virtualisation.oci-containers.containers = {
+ traefik = {
+ image = "traefik:v3.6.6";
+ cmd = [
+ "--providers.docker=true"
+ "--providers.docker.exposedByDefault=false"
+ "--providers.docker.network=traefik"
+ "--providers.file.directory=/dynamic-config"
+ "--log.level=DEBUG"
+ "--api=true"
+ "--ping=true"
+ "--entrypoints.web.address=:80"
+ "--entrypoints.websecure.address=:443"
+ "--entrypoints.websecure.transport.respondingTimeouts.readTimeout=600s"
+ "--entrypoints.websecure.transport.respondingTimeouts.idleTimeout=600s"
+ "--entrypoints.websecure.transport.respondingTimeouts.writeTimeout=600s"
+ "--entrypoints.web.http.redirections.entrypoint.to=websecure"
+ "--entrypoints.websecure.asDefault=true"
+ "--entrypoints.websecure.http.middlewares=strip-mtls-headers@docker,pass-tls-client-cert@docker"
+ "--entrypoints.websecure.http.tls.certresolver=letsencrypt"
+ "--certificatesresolvers.letsencrypt.acme.storage=/certs/acme.json"
+ "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
+ "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=netcup"
+ "--experimental.plugins.traefik-oidc-auth.modulename=github.com/sevensolutions/traefik-oidc-auth"
+ "--experimental.plugins.traefik-oidc-auth.version=v0.17.0"
+ ];
+ autoStart = true;
+ ports = [
+ "80:80"
+ "443:443"
+ ];
+ networks = [
+ "traefik"
+ ];
+ environment = {
+ OIDC_AUTH_PROVIDER_URL = cfg.oidcAuthProviderUrl;
+ };
+ environmentFiles = lib.forEach cfg.dnsSecrets (secret: secret.path) ++ (lib.mapAttrsToList (oidcClientName: oidcClientConfig: oidcClientConfig.secret.path) cfg.oidcClients);
+ labels = {
+ "traefik.enable" = "true";
+ "traefik.http.routers.dashboard.rule" = "Host(`${cfg.dashboardUrl}`)";
+
"traefik.http.routers.dashboard.service" = "dashboard@internal";
+ "traefik.http.routers.dashboard.middlewares" = "traefik-dashboard-oidc-auth@file";
+ "traefik.http.routers.api.rule" = "Host(`${cfg.dashboardUrl}`) && (PathPrefix(`/api`) || PathPrefix(`/oidc/callback`))";
+ "traefik.http.routers.api.service" = "api@internal";
+ "traefik.http.routers.api.middlewares" = "traefik-dashboard-oidc-auth@file";
+ "traefik.http.middlewares.strip-mtls-headers.headers.customrequestheaders.X-Forwarded-Tls-Client-Cert" = "";
+ "traefik.http.middlewares.pass-tls-client-cert.passtlsclientcert.pem" = "true";
+ };
+ volumes = let
+ oidc-config = lib.mapAttrs' (
+ oidcClientName: oidcClientConfig:
+ lib.nameValuePair "${oidcClientName}-oidc-auth" {
+ plugin.traefik-oidc-auth = {
+ LogLevel = "INFO";
+ Secret = ''{{ env "${mapOidcClientNameToEnv oidcClientName}_OIDC_AUTH_SECRET" }}'';
+ Provider = {
+ Url = ''{{ env "OIDC_AUTH_PROVIDER_URL" }}'';
+ ClientId = ''{{ env "${mapOidcClientNameToEnv oidcClientName}_OIDC_AUTH_PROVIDER_CLIENT_ID" }}'';
+ ClientSecret = ''{{ env "${mapOidcClientNameToEnv oidcClientName}_OIDC_AUTH_PROVIDER_CLIENT_SECRET" }}'';
+ UsePkce = oidcClientConfig.usePkce;
+ };
+ Scopes = oidcClientConfig.scopes;
+ LoginUrl = ''{{ env "OIDC_AUTH_PROVIDER_URL" }}'';
+ } // (lib.attrsets.optionalAttrs oidcClientConfig.enableBypassUsingClientCertificate {
+ BypassAuthenticationRule = "HeaderRegexp(`X-Forwarded-Tls-Client-Cert`, `.+`)";
+ });
+ }
+ ) cfg.oidcClients;
+ traefik-oidc-authentication-config = (pkgs.formats.yaml {}).generate "traefik-oidc-auth" {
+ http.middlewares = oidc-config;
+ };
+ in [
+ "/var/run/docker.sock:/var/run/docker.sock"
+ "${traefik-oidc-authentication-config}:/dynamic-config/traefik-oidc-auth.yaml:ro"
+ "${traefik-mtls-config}:/dynamic-config/traefik-mtls.yaml:ro"
+ "${cfg.mTLSCaCertSecret.path}:/caFiles/root_ca.crt:ro"
+ ];
+ extraOptions = [
+ ''--mount=type=volume,source=certs,target=/certs,volume-driver=local''
+
"--add-host=host.docker.internal:host-gateway"
+ "--health-cmd=wget --spider --quiet http://localhost:8080/ping"
+ "--health-interval=10s"
+ "--health-timeout=5s"
+ "--health-retries=3"
+ "--health-start-period=5s"
+ ];
+ };
+ };
+
+ systemd.services."docker-traefik" = {
+ after = [
+ "docker-network-traefik.service"
+ ];
+ requires = [
+ "docker-network-traefik.service"
+ ];
+ };
+
+ systemd.services."docker-network-traefik" = {
+ path = [ pkgs.docker ];
+ serviceConfig = {
+ Type = "oneshot";
+ };
+ script = ''
+ docker network inspect traefik || docker network create traefik --ipv4 --ipv6 --subnet=172.18.0.0/16 --gateway=172.18.0.1
+ '';
+ };
+
+ networking.firewall.extraCommands = "iptables -t nat -I PREROUTING -s 172.18.0.0/16 -d 172.18.0.0/16 -j MASQUERADE";
+
+ };
+}
From 5115744f46566fc17b7b1e2220d69752ba0befe6 Mon Sep 17 00:00:00 2001
From: JuliusFreudenberger
Date: Sun, 4 Jan 2026 22:22:53 +0100
Subject: [PATCH 41/78] Test traefik, arcane and immich on vServer
---
 hosts/srv01.hf/default.nix | 41 ++++++++++++++++++++++++++++++++++++++
 hosts/srv01.hf/secrets.nix | 6 ++++++
 2 files changed, 47 insertions(+)
diff --git a/hosts/srv01.hf/default.nix b/hosts/srv01.hf/default.nix
index feb2183..74c82c0 100644
--- a/hosts/srv01.hf/default.nix
+++ b/hosts/srv01.hf/default.nix
@@ -17,6 +17,8 @@
 ../../modules/docker.nix
 ../../modules/teleport.nix
 ../../modules/portainer_agent.nix
+ ../../modules/arcane.nix
+ ../../modules/traefik.nix
 ../../modules/auto-upgrade.nix
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
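Review bot: The `networking.firewall.extraCommands` line near the end of the hunk inserts a `MASQUERADE` target into the `nat` `PREROUTING` chain, but that target is only valid in `POSTROUTING`, so iptables should reject the rule with an invalid-argument error and, since the command runs inside the NixOS firewall start script, the firewall unit may fail to activate; the hairpin rule the author seems to want is `iptables -t nat -A POSTROUTING -s 172.18.0.0/16 -d 172.18.0.0/16 -j MASQUERADE`, and Docker installs equivalent per-port hairpin rules itself, so check whether it is needed at all. The `secret` option's description lists `_OIDC_CLIENT_SECRET`, while the template in `oidc-config` reads `${NAME}_OIDC_AUTH_PROVIDER_CLIENT_SECRET`; the description should name the variable the container actually consumes. The certificate bypass (`BypassAuthenticationRule` on a non-empty `X-Forwarded-Tls-Client-Cert`) is only sound because the entrypoint chain runs `strip-mtls-headers` before `pass-tls-client-cert`, which deserves a comment on the `--entrypoints.websecure.http.middlewares` line, e.g. `# order matters: drop any client-supplied cert header before Traefik re-adds the verified one`. This hunk begins on an earlier physical line.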
@@ -33,6 +35,45 @@
 virtualisation.oci-containers.containers.portainer_agent.environmentFiles = [
 config.age.secrets."portainer-join_token".path
 ];
+ services.traefik-docker = {
+ enable = true;
+ dashboardUrl = "traefik.juliusfr.eu";
+ dnsSecrets = [
+ config.age.secrets."netcup-dns"
+ ];
+ mTLSCaCertSecret = config.age.secrets."step-ca-crt";
+ oidcAuthProviderUrl = "https://login.juliusfr.eu";
+ oidcClients = {
+ traefik-dashboard = {
+ secret = config.age.secrets."traefik-oidc-auth";
+ };
+ immich = {
+ secret = config.age.secrets."immich-oidc-auth";
+ scopes = [
+ "openid"
+ "email"
+ "profile"
+ ];
+ enableBypassUsingClientCertificate = true;
+ };
+ arcane = {
+ secret = config.age.secrets."arcane-oidc-auth";
+ scopes = [
+ "openid"
+ "email"
+ "profile"
+ "groups"
+ ];
+ };
+ };
+ };
+
+ services.arcane = {
+ enable = true;
+ appUrl = "arcane.juliusfr.eu";
+ secretFile = config.age.secrets."arcane-secrets";
+ };
+
 systemd.network = {
 enable = true;
 networks."10-wan" = {
diff --git a/hosts/srv01.hf/secrets.nix b/hosts/srv01.hf/secrets.nix
index 8697e77..8dc2205 100644
--- a/hosts/srv01.hf/secrets.nix
+++ b/hosts/srv01.hf/secrets.nix
@@ -4,5 +4,11 @@
 teleport-ca_pin.file = "${inputs.secrets}/secrets/teleport/ca_pin";
 teleport-join_token.file = "${inputs.secrets}/secrets/srv01-hf/teleport_auth_token";
 portainer-join_token.file = "${inputs.secrets}/secrets/srv01-hf/portainer_join_token";
+ netcup-dns.file = "${inputs.secrets}/secrets/dns-management/netcup";
+ traefik-oidc-auth.file = "${inputs.secrets}/secrets/srv01-hf/traefik-oidc-auth";
+ immich-oidc-auth.file = "${inputs.secrets}/secrets/srv01-hf/immich-oidc-auth";
+ arcane-oidc-auth.file = "${inputs.secrets}/secrets/srv01-hf/arcane-oidc-auth";
+ arcane-secrets.file = "${inputs.secrets}/secrets/srv01-hf/arcane-secrets";
+ step-ca-crt.file = "${inputs.secrets}/secrets/step-ca/step-ca-crt";
 };
 }
From b65effa878a9c705048a8eb3fb88a99c81931bd8 Mon Sep 17 00:00:00 2001
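Review bot: The attribute names under `oidcClients` are load-bearing: `traefik-dashboard` must stay exactly that because the traefik module references the generated middleware as `traefik-dashboard-oidc-auth@file`, and `arcane` likewise has to match the `arcane-oidc-auth@file` label in the arcane module; a comment on `oidcClients = {` such as `# keys become <name>-oidc-auth@file middlewares; traefik.nix and arcane.nix reference these names` would keep a rename from silently breaking the routers. `enableBypassUsingClientCertificate = true` on `immich` means any certificate chaining to the `step-ca-crt` root replaces the OIDC login entirely for that service, which is presumably intended but is worth stating next to the flag.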
From: JuliusFreudenberger Date: Sun, 4 Jan 2026 22:23:15 +0100 Subject: [PATCH 42/78] Update flake.lock --- flake.lock | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/flake.lock b/flake.lock index a5e3b36..95ea622 100644 --- a/flake.lock +++ b/flake.lock @@ -144,11 +144,11 @@ ] }, "locked": { - "lastModified": 1766529401, - "narHash": "sha256-OJAjJcW6ZADEzTBrvOTZanbgC8ObEWveObujtpazEbg=", + "lastModified": 1767280655, + "narHash": "sha256-YmaYMduV5ko8zURUT1VLGDbVC1L/bxHS0NsiPoZ6bBM=", "owner": "nix-community", "repo": "home-manager", - "rev": "aaf46506426cc8c53719dd20de660fc856a5561e", + "rev": "d49d2543f02dbd789ed032188c84570d929223cb", "type": "github" }, "original": { @@ -181,11 +181,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1764440730, - "narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=", + "lastModified": 1767185284, + "narHash": "sha256-ljDBUDpD1Cg5n3mJI81Hz5qeZAwCGxon4kQW3Ho3+6Q=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3", + "rev": "40b1a28dce561bea34858287fbb23052c3ee63fe", "type": "github" }, "original": { @@ -197,11 +197,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1766473571, - "narHash": "sha256-5G1NDO2PulBx1RoaA6U1YoUDX0qZslpPxv+n5GX6Qto=", + "lastModified": 1767325753, + "narHash": "sha256-yA/CuWyqm+AQo2ivGy6PlYrjZBQm7jfbe461+4HF2fo=", "owner": "nixos", "repo": "nixpkgs", - "rev": "76701a179d3a98b07653e2b0409847499b2a07d3", + "rev": "64049ca74d63e971b627b5f3178d95642e61cedd", "type": "github" }, "original": { 
@@ -335,11 +335,11 @@ "secrets": { "flake": false, "locked": { - "lastModified": 1758149597, - "narHash": "sha256-qUkhfFBEuDJ7nP6jcdBZzGBBhLKnXYxumBQI75DGcFc=", + "lastModified": 1767139729, + "narHash": "sha256-mkmK7wiIqwmcrU+bljxzDPqh9Ya1ITqIlBmdxYxh3nI=", "ref": "refs/heads/main", - "rev": "8404f6877e25b8cbf3f504ef1926034e8c401dbe", - "revCount": 6, + "rev": "27a126bd56c16215f80c014b8fd0b28b53605897", + "revCount": 17, "type": "git", "url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git" }, From a70450af2aef5313c447c3ac6872fe5b48cffd46 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Fri, 9 Jan 2026 22:01:10 +0100 Subject: [PATCH 43/78] Add Remote-User authentication from mTLS with headers --- modules/traefik.nix | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/modules/traefik.nix b/modules/traefik.nix index 04dedfc..92b1204 100644 --- a/modules/traefik.nix +++ b/modules/traefik.nix 
@@ -75,6 +75,27 @@ in { description = "Whether to allow bypassing OIDC protection when a verified client certificate is presented."; type = lib.types.bool; }; + useClaimsFromUserInfo = lib.mkOption { + default = false; + description = "When enabled, an additional request to the provider's userinfo_endpoint is made to validate the token and to retrieve additional claims. The userinfo claims are merged directly into the token claims, with userinfo values overriding token values for non-security-critical claims."; + type = lib.types.bool; + }; + headers = lib.mkOption { + default = []; + description = "Headers to be added to the upstream request. Templating is possible. Documentation can be found here: https://traefik-oidc-auth.sevensolutions.cc/docs/getting-started/middleware-configuration"; + type = lib.types.listOf (lib.types.submodule { + options = { + Name = lib.mkOption { + description = "The name of the header which should be added to the upstream request."; + type = lib.types.str; + }; + Value = lib.mkOption { + description = "The value of the header, which can use Go-Templates."; + type = lib.types.str; + }; + }; + }); + }; }; } ); @@ -90,7 +111,7 @@ in { "--providers.docker.exposedByDefault=false" "--providers.docker.network=traefik" "--providers.file.directory=/dynamic-config" - "--log.level=DEBUG" + "--log.level=INFO" "--api=true" "--ping=true" "--entrypoints.web.address=:80" 
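Review bot: The `headers` option description says nothing about trust, yet a header injected from `.claims` is exactly what the upstream will take as proxy-asserted identity, so the option text should warn that the upstream must be reachable only through Traefik and that a same-named header sent by the client must be replaced, not appended to. I would extend the description with `Headers set here are trusted by the upstream as its authenticated user; only expose the upstream on the Traefik docker network and confirm the middleware overwrites a client-supplied header of the same Name.` Whether traefik-oidc-auth performs that overwrite is not visible in this hunk and should be checked against its documentation before the option is used for a Remote-User style header. The option submodule this hunk extends starts before the hunk.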
@@ -143,11 +164,14 @@ in { ClientId = ''{{ env "${mapOidcClientNameToEnv oidcClientName}_OIDC_AUTH_PROVIDER_CLIENT_ID" }}''; ClientSecret = ''{{ env "${mapOidcClientNameToEnv oidcClientName}_OIDC_AUTH_PROVIDER_CLIENT_SECRET" }}''; UsePkce = oidcClientConfig.usePkce; + UseClaimsFromUserInfo = oidcClientConfig.useClaimsFromUserInfo; }; Scopes = oidcClientConfig.scopes; LoginUrl = ''{{ env "OIDC_AUTH_PROVIDER_URL" }}''; } // (lib.attrsets.optionalAttrs oidcClientConfig.enableBypassUsingClientCertificate { BypassAuthenticationRule = "HeaderRegexp(`X-Forwarded-Tls-Client-Cert`, `.+`)"; + }) // (lib.attrsets.optionalAttrs ((lib.length oidcClientConfig.headers) > 0) { + Headers = oidcClientConfig.headers; }); } ) cfg.oidcClients; From cba8dea9c769288092da98f9a620381ed7f214e9 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Fri, 9 Jan 2026 22:02:18 +0100 Subject: [PATCH 44/78] Add firefly to test Remote-User authentication --- flake.lock | 8 ++++---- hosts/srv01.hf/default.nix | 11 +++++++++++ hosts/srv01.hf/secrets.nix | 1 + 3 files changed, 16 insertions(+), 4 deletions(-) diff --git a/flake.lock b/flake.lock index 95ea622..f504243 100644 --- a/flake.lock +++ b/flake.lock @@ -335,11 +335,11 @@ "secrets": { "flake": false, "locked": { - "lastModified": 1767139729, - "narHash": "sha256-mkmK7wiIqwmcrU+bljxzDPqh9Ya1ITqIlBmdxYxh3nI=", + "lastModified": 1767562869, + "narHash": "sha256-7wNzIr1psnPLI29vUZgWEN0Tks3GFhQwsQ9P9kDkYyY=", "ref": "refs/heads/main", - "rev": "27a126bd56c16215f80c014b8fd0b28b53605897", - "revCount": 17, + "rev": "960f3efa0589a2b5314dfd55e14685432832b2fd", + "revCount": 18, "type": "git", "url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git" }, diff --git a/hosts/srv01.hf/default.nix b/hosts/srv01.hf/default.nix index 74c82c0..f4889bd 100644 --- a/hosts/srv01.hf/default.nix +++ b/hosts/srv01.hf/default.nix 
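Review bot: `Headers` is merged into the same middleware that `BypassAuthenticationRule` can skip, so for a client with both `enableBypassUsingClientCertificate` and `headers` set, a request matching `X-Forwarded-Tls-Client-Cert` reaches the upstream without the middleware ever evaluating `.claims`, and the identity header is then either absent or whatever the client sent. Unless traefik-oidc-auth is known to strip configured header names on bypassed requests, the module should refuse that combination in its `config` block (which starts before this hunk): `assertions = lib.mapAttrsToList (n: c: { assertion = !(c.enableBypassUsingClientCertificate && c.headers != []); message = "traefik-docker.oidcClients.${n}: headers are not populated for requests that bypass OIDC via client certificate"; }) cfg.oidcClients;`. A one-line comment next to `Headers = oidcClientConfig.headers;` noting that bypassed requests carry no claims would help the next reader as well.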
@@ -65,6 +65,17 @@ "groups" ]; }; + firefly = { + secret = config.age.secrets."firefly-oidc-auth"; + scopes = [ + "openid" + "email" + ]; + useClaimsFromUserInfo = true; + headers = [ + { Name = "FFIII-User"; Value = "{{`{{ .claims.email }}`}}"; } + ]; + }; }; }; diff --git a/hosts/srv01.hf/secrets.nix b/hosts/srv01.hf/secrets.nix index 8dc2205..3289c1c 100644 --- a/hosts/srv01.hf/secrets.nix +++ b/hosts/srv01.hf/secrets.nix @@ -9,6 +9,7 @@ immich-oidc-auth.file = "${inputs.secrets}/secrets/srv01-hf/immich-oidc-auth"; arcane-oidc-auth.file = "${inputs.secrets}/secrets/srv01-hf/arcane-oidc-auth"; arcane-secrets.file = "${inputs.secrets}/secrets/srv01-hf/arcane-secrets"; + firefly-oidc-auth.file = "${inputs.secrets}/secrets/srv01-hf/firefly-oidc-auth"; step-ca-crt.file = "${inputs.secrets}/secrets/step-ca/step-ca-crt"; }; } From 24cf657f9ce076e35f2ba36004e48802e20651ae Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Sun, 18 Jan 2026 22:34:11 +0100 Subject: [PATCH 45/78] Add virtiofsd to enable shared folder to qemu --- modules/virtualization.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/virtualization.nix b/modules/virtualization.nix index fb232cc..4eb21ce 100644 --- a/modules/virtualization.nix +++ b/modules/virtualization.nix @@ -6,7 +6,10 @@ virtualisation = { libvirtd = { enable = true; - qemu.swtpm.enable = true; + qemu = { + swtpm.enable = true; + vhostUserPackages = [ pkgs.virtiofsd ]; + }; }; spiceUSBRedirection.enable = true; }; From 7adb75ed324e0c03aa52f2c30ff1d442d641a899 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Sun, 8 Feb 2026 12:11:20 +0100 Subject: [PATCH 46/78] Add pangolin module --- modules/pangolin.nix | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 modules/pangolin.nix diff --git a/modules/pangolin.nix b/modules/pangolin.nix new file mode 100644 index 0000000..3da3c9e --- /dev/null +++ b/modules/pangolin.nix 
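Review bot: `FFIII-User` is filled from `.claims.email`, so whoever controls the e-mail attribute of a provider account controls which Firefly user they become; an e-mail is a mutable, reassignable attribute and the hunk requests only `openid email`, so neither `email_verified` nor the stable `sub` claim is in play. If Firefly III accepts any string as the remote user name, a stable subject identifier is the safer key; otherwise the provider must be configured so users cannot change their own address, and `useClaimsFromUserInfo = true` means the userinfo value wins over the ID-token value per the option's own description, which deserves a comment. The double-braced `{{`{{ .claims.email }}`}}` presumably shields the inner template from Traefik's own Go templating of the dynamic file — confirm and record it with `# outer {{` `}} stops Traefik's file-provider templating from evaluating the claim template`. The attrset this client is added to starts before the hunk.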
@@ -0,0 +1,43 @@
+{
+ pkgs-unstable,
+ ...,
+}: {
+
+ services = {
+ pangolin = {
+ enable = true;
+ package = pkgs-unstable.fosrl-pangolin;
+ openFirewall = true;
+ settings = {
+ app = {
+ save_logs = true;
+ log_failed_attempts = true;
+ };
+ domains = {
+ domain1 = {
+ prefer_wildcard_cert = true;
+ };
+ };
+ flags = {
+ disable_signup_without_invite = true;
+ disable_user_create_org = true;
+ };
+ };
+ };
+ };
+
+}
+
+# Settings needed on the host
+#
+# services = {
+# pangolin = {
+# dnsProvider = "";
+# baseDomain = "";
+# letsEncryptEmail = "";
+# environmentFile = config.age.secrets."".path;
+# };
+# traefik = {
+# environmentFiles = [ config.age.secrets."".path ];
+# };
+# };
From 074a55335197e69ebaf40ebce4aceb1dcf7a8828 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Sun, 8 Feb 2026 12:17:00 +0100 Subject: [PATCH 47/78] Add newt module --- modules/newt.nix | 72 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 modules/newt.nix
diff --git a/modules/newt.nix b/modules/newt.nix new file mode 100644
index 0000000..1f8dafd
--- /dev/null
+++ b/modules/newt.nix
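Review bot: `openFirewall = true` and `enable = true` are hard-coded in a module that is imported rather than switched on, unlike `newt.nix` and `dockhand.nix` in this series, so any host importing it opens whatever ports the NixOS pangolin module publishes without a per-host decision; gate both behind an enable option or at least wrap them in `lib.mkDefault`. `prefer_wildcard_cert = true` means this public-facing host obtains a wildcard certificate via DNS-01, so the DNS provider credential and a private key valid for every subdomain both live on the same box; a comment such as `# wildcard cert: DNS-01 needs the provider token in traefik.environmentFiles, and the key covers every subdomain` would make that trade-off explicit. `package = pkgs-unstable.fosrl-pangolin` tracks unstable for an internet-facing service while the rest of the host stays on the stable channel, which is a reasonable choice but should be stated in the header comment so upgrade behaviour is understood.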
@@ -0,0 +1,72 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...,
+}:
+let
+
+ cfg = config.services.newt-docker;
+
+in {
+
+ options.services.newt-docker = {
+ enable = lib.mkEnableOption "Newt, user space tunnel client for Pangolin";
+ pangolinEndpoint = lib.mkOption {
+ description = "External URL of the Pangolin instance";
+ type = lib.types.str;
+ };
+ connectionSecret = lib.mkOption {
+ description = "Secrets for Pangolin authentication.";
+ type = lib.types.anything;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ virtualisation.oci-containers.containers = {
+ newt = {
+ image = "fosrl/newt:1.9.0";
+ autoStart = true;
+ networks = [
+ "pangolin"
+ ];
+ environment = {
+ PANGOLIN_ENDPOINT = cfg.pangolinEndpoint;
+ DOCKER_SOCKET = "/var/run/docker.sock";
+ };
+ environmentFiles = [ cfg.connectionSecret.path ];
+ volumes = [
+ "/var/run/docker.sock:/var/run/docker.sock:ro"
+ ];
+ extraOptions = [
+ "--add-host=host.docker.internal:host-gateway"
+ ];
+ };
+ };
+
+ systemd.services."docker-pangolin" = {
+ after = [
+ "docker-network-pangolin.service"
+ ];
+ requires = [
+ "docker-network-pangolin.service"
+ ];
+ };
+
+ systemd.services."docker-network-pangolin" = {
+ path = [ pkgs.docker ];
+ serviceConfig = {
+ Type = "oneshot";
+ };
+ script = ''
+ docker network inspect pangolin || docker network create pangolin --ipv4 --ipv6 --subnet=172.18.0.0/16 --gateway=172.18.0.1
+ '';
+ };
+
+ networking.firewall.extraCommands = ''
+ iptables -A INPUT -p icmp --source 100.89.128.0/24 -j ACCEPT
+ iptables -A INPUT -p tcp --source 172.18.0.0/12 --dport 22 -j ACCEPT
+ '';
+
+ };
+}
From e890501a0a2107aaa4478e2ceb26e69144b5e7d6 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Sun, 8 Feb 2026 12:25:30 +0100 Subject: [PATCH 48/78] Add dockhand module --- hosts/srv01.hf/secrets.nix | 8 ++----- modules/dockhand.nix | 46 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+), 6 deletions(-) create mode 100644 modules/dockhand.nix
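Review bot: The rule `iptables -A INPUT -p tcp --source 172.18.0.0/12 --dport 22 -j ACCEPT` admits SSH from all of 172.16.0.0/12, while the network this module creates is `--subnet=172.18.0.0/16`; combined with `host.docker.internal:host-gateway`, every container on any default Docker bridge (and any 172.16/12 LAN that can reach the host) gets a path to host SSH, so the source should be `172.18.0.0/16`, with an `ip6tables` counterpart or a comment that the `--ipv6` side of the network is deliberately not allowed through. `systemd.services."docker-pangolin"` orders a unit nothing here creates: the container is named `newt`, so the oci-containers unit is `docker-newt.service`, and that is the one needing `after`/`requires` on `docker-network-pangolin.service` — unless another module defines a `pangolin` container, which I cannot see. Mounting `/var/run/docker.sock` with `:ro` does not restrict the Docker API, so newt still holds host-root-equivalent access; a comment stating why the socket is needed (label discovery, presumably) and that `:ro` is cosmetic would be honest. `connectionSecret` is typed `lib.types.anything` although only `.path` is read; a narrower type with a description of the expected env-file keys would catch misuse at evaluation time.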
diff --git a/hosts/srv01.hf/secrets.nix b/hosts/srv01.hf/secrets.nix index 3289c1c..a328f24 100644 --- a/hosts/srv01.hf/secrets.nix +++ b/hosts/srv01.hf/secrets.nix @@ -5,11 +5,7 @@ teleport-join_token.file = "${inputs.secrets}/secrets/srv01-hf/teleport_auth_token"; portainer-join_token.file = "${inputs.secrets}/secrets/srv01-hf/portainer_join_token"; netcup-dns.file = "${inputs.secrets}/secrets/dns-management/netcup"; - traefik-oidc-auth.file = "${inputs.secrets}/secrets/srv01-hf/traefik-oidc-auth"; - immich-oidc-auth.file = "${inputs.secrets}/secrets/srv01-hf/immich-oidc-auth"; - arcane-oidc-auth.file = "${inputs.secrets}/secrets/srv01-hf/arcane-oidc-auth"; - arcane-secrets.file = "${inputs.secrets}/secrets/srv01-hf/arcane-secrets"; - firefly-oidc-auth.file = "${inputs.secrets}/secrets/srv01-hf/firefly-oidc-auth"; - step-ca-crt.file = "${inputs.secrets}/secrets/step-ca/step-ca-crt"; + pangolin.file = "${inputs.secrets}/secrets/srv01-hf/pangolin"; + newt.file = "${inputs.secrets}/secrets/srv01-hf/newt"; }; } diff --git a/modules/dockhand.nix b/modules/dockhand.nix new file mode 100644 index 0000000..7eeaf8e --- /dev/null +++ b/modules/dockhand.nix 
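Review bot: Dropping `traefik-oidc-auth`, `immich-oidc-auth`, `arcane-oidc-auth`, `firefly-oidc-auth` and `arcane-secrets` from the age secret list does not invalidate those credentials at the provider; the OIDC client secrets should be rotated or the clients deleted at the identity provider, and a commit-message line or comment should record that this was done. This patch also removes the secrets one commit before `hosts/srv01.hf/default.nix` stops referencing them (patch 49), so at this commit the host still reads `config.age.secrets."traefik-oidc-auth"` and presumably fails evaluation — folding the two into one commit keeps the series bisectable. The enclosing attrset starts before the hunk.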
@@ -0,0 +1,46 @@
+{
+ config,
+ lib,
+ ...,
+}:
+let
+ cfg = config.services.dockhand;
+in {
+ options.services.dockhand = {
+ enable = lib.mkEnableOption "dockhand, a powerful, intuitive Docker platform";
+ appUrl = lib.mkOption {
+ description = "External URL dockhand will be reachable from, without protocol";
+ type = lib.types.str;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ virtualisation.oci-containers.containers = {
+ dockhand = {
+ image = "fnsys/dockhand:v1.0.12";
+ volumes = [
+ "/var/run/docker.sock:/var/run/docker.sock"
+ ];
+ environment = {
+ PUID = "1000";
+ PGID = "1000";
+ };
+ networks = [
+ "pangolin"
+ ];
+ labels = {
+ "pangolin.public-resources.dockhand.name" = "dockhand";
+ "pangolin.public-resources.dockhand.full-domain" = cfg.appUrl;
+ "pangolin.public-resources.dockhand.protocol" = "http";
+ "pangolin.public-resources.dockhand.auth.sso-enabled" = "true";
+ "pangolin.public-resources.dockhand.auth.auto-login-idp" = "1";
+ "pangolin.public-resources.dockhand.targets[0].method" = "http";
+ };
+ extraOptions = [
+ ''--mount=type=volume,source=dockhand-data,target=/app/data,volume-driver=local''
+ ''--group-add=131'' # docker group
+ ];
+ };
+ };
+ };
+}
From fd6810bd5935642af977156ccb05dcc4720e1440 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Sun, 8 Feb 2026 12:25:48 +0100 Subject: [PATCH 49/78] Migrate srv01-hf to pangolin and dockhand --- flake.nix | 12 +++---- hosts/srv01.hf/default.nix | 66 ++++++++++++-------------------------- 2 files changed, 26 insertions(+), 52 deletions(-)
diff --git a/flake.nix b/flake.nix
index a0d1393..7220354 100644
--- a/flake.nix
+++ b/flake.nix
@@ -11,7 +11,7 @@ }; inputs = {
- #nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+ nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
 nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
 nixos-hardware.url = "github:NixOS/nixos-hardware/master";
 home-manager = {
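Review bot: The container mounts `/var/run/docker.sock` read-write and is published to the internet through the `pangolin.public-resources.*` labels, so the only thing between an anonymous visitor and host-root-equivalent Docker access is Pangolin honouring `auth.sso-enabled = "true"`; that dependency belongs in a header comment, and a mistyped label key would silently create an unauthenticated resource, so the label set is worth a second pair of eyes. `''--group-add=131'' # docker group` hard-codes the GID; NixOS reserves this id in its `ids.nix`, so `"--group-add=${toString config.ids.gids.docker}"` should evaluate to the same value while surviving a change — verify on the target. `image = "fnsys/dockhand:v1.0.12"` is pinned by tag only; given the socket access, pinning by digest (`fnsys/dockhand:v1.0.12@sha256:…`) closes the tag-mutation path. Unlike `newt.nix`, nothing here orders the container after `docker-network-pangolin.service` even though it joins the `pangolin` network.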
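Review bot: `nixpkgs-unstable.url` is declared as `github:nixos/nixpkgs/nixos-unstable`, but the `flake.lock` committed in patch 50 records this input's `original` as `ref: "pull/483348/merge"`, an unreviewed pull-request merge ref rather than the channel branch. Either the lock was generated from a different `flake.nix` than the one here or the URL was edited after locking; as far as I know Nix treats a lock whose `original` differs from the declared input as stale and re-resolves it (or fails under `--no-update-lock-file`), so the revision that actually provides `fosrl-pangolin` for the server is not pinned by this commit. Re-lock the input against this URL and commit the result, and add `# tracked only for services.pangolin on srv01` so the extra channel's purpose is documented.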
@@ -48,7 +48,7 @@ outputs = { self, nixpkgs, - #nixpkgs-unstable, + nixpkgs-unstable, nixos-hardware, home-manager, auto-cpufreq, @@ -81,10 +81,6 @@ system = "x86_64-linux"; specialArgs = { - #pkgs-unstable = import nixpkgs-unstable { - # inherit system; - # config.allowUnfree = true; - #}; inherit inputs outputs username; }; @@ -142,6 +138,10 @@ specialArgs = { inherit inputs outputs; + pkgs-unstable = import nixpkgs-unstable { + inherit system; + config.allowUnfree = true; + }; }; modules = [ diff --git a/hosts/srv01.hf/default.nix b/hosts/srv01.hf/default.nix index f4889bd..cbfa9e5 100644 --- a/hosts/srv01.hf/default.nix +++ b/hosts/srv01.hf/default.nix @@ -17,8 +17,9 @@ ../../modules/docker.nix ../../modules/teleport.nix ../../modules/portainer_agent.nix - ../../modules/arcane.nix - ../../modules/traefik.nix + ../../modules/pangolin.nix + ../../modules/newt.nix + ../../modules/dockhand.nix ../../modules/auto-upgrade.nix # Include the results of the hardware scan. ./hardware-configuration.nix 
@@ -35,54 +36,27 @@ virtualisation.oci-containers.containers.portainer_agent.environmentFiles = [ config.age.secrets."portainer-join_token".path ]; - services.traefik-docker = { - enable = true; - dashboardUrl = "traefik.juliusfr.eu"; - dnsSecrets = [ - config.age.secrets."netcup-dns" - ]; - mTLSCaCertSecret = config.age.secrets."step-ca-crt"; - oidcAuthProviderUrl = "https://login.juliusfr.eu"; - oidcClients = { - traefik-dashboard = { - secret = config.age.secrets."traefik-oidc-auth"; - }; - immich = { - secret = config.age.secrets."immich-oidc-auth"; - scopes = [ - "openid" - "email" - "profile" - ]; - enableBypassUsingClientCertificate = true; - }; - arcane = { - secret = config.age.secrets."arcane-oidc-auth"; - scopes = [ - "openid" - "email" - "profile" - "groups" - ]; - }; - firefly = { - secret = config.age.secrets."firefly-oidc-auth"; - scopes = [ - "openid" - "email" - ]; - useClaimsFromUserInfo = true; - headers = [ - { Name = "FFIII-User"; Value = "{{`{{ .claims.email }}`}}"; } - ]; - }; + services = { + pangolin = { + dnsProvider = "netcup"; + baseDomain = "juliusfr.eu"; + letsEncryptEmail = "contact@jfreudenberger.de"; + environmentFile = config.age.secrets."pangolin".path; + }; + traefik = { + environmentFiles = [ config.age.secrets."netcup-dns".path ]; }; }; - services.arcane = { + services.newt-docker = { enable = true; - appUrl = "arcane.juliusfr.eu"; - secretFile = config.age.secrets."arcane-secrets"; + pangolinEndpoint = "https://pangolin.juliusfr.eu"; + connectionSecret = config.age.secrets."newt"; + }; + + services.dockhand = { + enable = true; + appUrl = "dockhand.juliusfr.eu"; }; systemd.network = { From c9216f6468a4c8053f1420be90f8392558b2dcef Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Sun, 8 Feb 2026 12:28:32 +0100 Subject: [PATCH 50/78] Update flake.lock --- flake.lock | 79 ++++++++++++++++++++++++++++-------------------------- 1 file changed, 41 insertions(+), 38 deletions(-) 
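Review bot: `traefik.environmentFiles = [ config.age.secrets."netcup-dns".path ]` hands the DNS-provider API credential to the public-facing proxy for DNS-01 issuance, so a Traefik compromise now yields control of the `juliusfr.eu` zone rather than just of certificates; if netcup offers a scoped token use one, and note in a comment that this file is loaded by Traefik only for ACME. The migration also deletes the per-app OIDC clients, their scopes and the immich client-certificate bypass without a visible replacement, so immich, arcane and firefly are either unreachable now or are expected to be published as Pangolin resources with their own auth — a line in the commit message or a `# immich/firefly: now protected by pangolin resources` comment would make that intent auditable. `pangolinEndpoint = "https://pangolin.juliusfr.eu"` makes newt on this same host dial its own public name, which relies on hairpin routing and DNS working from inside the `pangolin` network; a comment saying this is intentional (or pointing newt at the local address) avoids a confusing outage later.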
diff --git a/flake.lock b/flake.lock index f504243..d4e6d06 100644 --- a/flake.lock +++ b/flake.lock @@ -30,11 +30,11 @@ ] }, "locked": { - "lastModified": 1765042799, - "narHash": "sha256-G7UJDUNcuHm1n2EuA+2iKPNISSWoUgqk85ktncJoelo=", + "lastModified": 1769608722, + "narHash": "sha256-yWUG0Emd9EuqIZ8jQ6fxqf7USw7Gtcqb4+sBhn+S+Wg=", "owner": "AdnanHodzic", "repo": "auto-cpufreq", - "rev": "2e5c725be0a7da2c749a345e09f3df3b9ef8c209", + "rev": "a11a98c46bf6a77d0c2e0ea8d87acef78507cae5", "type": "github" }, "original": { @@ -50,11 +50,11 @@ ] }, "locked": { - "lastModified": 1766150702, - "narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=", + "lastModified": 1769524058, + "narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=", "owner": "nix-community", "repo": "disko", - "rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378", + "rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d", "type": "github" }, "original": { @@ -144,11 +144,11 @@ ] }, "locked": { - "lastModified": 1767280655, - "narHash": "sha256-YmaYMduV5ko8zURUT1VLGDbVC1L/bxHS0NsiPoZ6bBM=", + "lastModified": 1769580047, + "narHash": "sha256-tNqCP/+2+peAXXQ2V8RwsBkenlfWMERb+Uy6xmevyhM=", "owner": "nix-community", "repo": "home-manager", - "rev": "d49d2543f02dbd789ed032188c84570d929223cb", + "rev": "366d78c2856de6ab3411c15c1cb4fb4c2bf5c826", "type": "github" }, "original": { @@ -181,11 +181,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1767185284, - "narHash": "sha256-ljDBUDpD1Cg5n3mJI81Hz5qeZAwCGxon4kQW3Ho3+6Q=", + "lastModified": 1769302137, + "narHash": "sha256-QEDtctEkOsbx8nlFh4yqPEOtr4tif6KTqWwJ37IM2ds=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "40b1a28dce561bea34858287fbb23052c3ee63fe", + "rev": "a351494b0e35fd7c0b7a1aae82f0afddf4907aa8", "type": "github" }, "original": { 
@@ -197,11 +197,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1767325753, - "narHash": "sha256-yA/CuWyqm+AQo2ivGy6PlYrjZBQm7jfbe461+4HF2fo=", + "lastModified": 1769598131, + "narHash": "sha256-e7VO/kGLgRMbWtpBqdWl0uFg8Y2XWFMdz0uUJvlML8o=", "owner": "nixos", "repo": "nixpkgs", - "rev": "64049ca74d63e971b627b5f3178d95642e61cedd", + "rev": "fa83fd837f3098e3e678e6cf017b2b36102c7211", "type": "github" }, "original": { @@ -221,9 +221,10 @@ "type": "github" }, "original": { - "id": "nixpkgs", + "owner": "NixOS", + "repo": "nixpkgs", "rev": "e6f23dc08d3624daab7094b701aa3954923c6bbb", - "type": "indirect" + "type": "github" } }, "nixpkgs-stable": { @@ -244,32 +245,34 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1761016216, - "narHash": "sha256-G/iC4t/9j/52i/nm+0/4ybBmAF4hzR8CNHC75qEhjHo=", + "lastModified": 1769318308, + "narHash": "sha256-Mjx6p96Pkefks3+aA+72lu1xVehb6mv2yTUUqmSet6Q=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "481cf557888e05d3128a76f14c76397b7d7cc869", + "rev": "1cd347bf3355fce6c64ab37d3967b4a2cb4b878c", "type": "github" }, "original": { - "id": "nixpkgs", - "ref": "nixos-25.05", - "type": "indirect" + "owner": "NixOS", + "ref": "nixos-25.11", + "repo": "nixpkgs", + "type": "github" } }, "nixpkgs-unstable": { "locked": { - "lastModified": 1761114652, - "narHash": "sha256-f/QCJM/YhrV/lavyCVz8iU3rlZun6d+dAiC3H+CDle4=", - "owner": "NixOS", + "lastModified": 1769861584, + "narHash": "sha256-Tu85RXpHMAWmsltAEKsG1IB7JfNGbekeHh2CSR0/xG8=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "01f116e4df6a15f4ccdffb1bcd41096869fb385c", + "rev": "015e5f32a6258dc210b8e02fb47d86983959e243", "type": "github" }, "original": { - "id": "nixpkgs", - "ref": "nixos-unstable", - "type": "indirect" + "owner": "nixos", + "ref": "pull/483348/merge", + "repo": "nixpkgs", + "type": "github" } }, "pre-commit-hooks": { 
@@ -301,15 +304,14 @@ "flake-compat": "flake-compat_2", "nixpkgs-libvncserver": "nixpkgs-libvncserver", "nixpkgs-stable": "nixpkgs-stable_2", - "nixpkgs-unstable": "nixpkgs-unstable", "utils": "utils" }, "locked": { - "lastModified": 1764188113, - "narHash": "sha256-Oq4aCjczgnFQqFNWZ6Ablg6x9579CO8tyBktYDYiZEs=", + "lastModified": 1769870714, + "narHash": "sha256-wjwCj70iiFXoAasQto+3jTaA4wCMOAs/rdX+nsmtBrQ=", "owner": "SaumonNet", "repo": "proxmox-nixos", - "rev": "3be878a84866b9ef9214b8ea6f53630f47f4b192", + "rev": "c1f79f104930347a0b84abbca0d42884063a8c09", "type": "github" }, "original": { @@ -327,6 +329,7 @@ "lazy-apps": "lazy-apps", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", + "nixpkgs-unstable": "nixpkgs-unstable", "proxmox-nixos": "proxmox-nixos", "secrets": "secrets", "systems": "systems_3" @@ -335,11 +338,11 @@ "secrets": { "flake": false, "locked": { - "lastModified": 1767562869, - "narHash": "sha256-7wNzIr1psnPLI29vUZgWEN0Tks3GFhQwsQ9P9kDkYyY=", + "lastModified": 1769426267, + "narHash": "sha256-OBHSfMHZ+sWEtigOxTfIGnkZLPOz2P7VR8+KA2KY89g=", "ref": "refs/heads/main", - "rev": "960f3efa0589a2b5314dfd55e14685432832b2fd", - "revCount": 18, + "rev": "ebefef468e16eb692df0a3d54352c94a56110a97", + "revCount": 20, "type": "git", "url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git" }, From 9813193c7d2a8265fc2b1cb895f6067b68f6afa6 Mon Sep 17 00:00:00 2001 
From: JuliusFreudenberger Date: Sun, 8 Feb 2026 12:30:44 +0100 Subject: [PATCH 51/78] Remove kube server configurations --- flake.nix | 39 ----------------------- hosts/kube01/default.nix | 41 ------------------------ hosts/kube01/hardware-configuration.nix | 24 -------------- hosts/kube02/default.nix | 41 ------------------------ hosts/kube02/hardware-configuration.nix | 24 -------------- hosts/kube03/default.nix | 42 ------------------------- hosts/kube03/hardware-configuration.nix | 24 -------------- 7 files changed, 235 deletions(-) delete mode 100644 hosts/kube01/default.nix delete mode 100644 hosts/kube01/hardware-configuration.nix delete mode 100644 hosts/kube02/default.nix delete mode 100644 hosts/kube02/hardware-configuration.nix delete mode 100644 hosts/kube03/default.nix delete mode 100644 hosts/kube03/hardware-configuration.nix diff --git a/flake.nix b/flake.nix index 7220354..1c26073 100644 --- a/flake.nix +++ b/flake.nix @@ -151,45 +151,6 @@ ]; }; - kube01 = nixpkgs.lib.nixosSystem rec { - system = "x86_64-linux"; - - specialArgs = { - inherit inputs outputs; - }; - - modules = [ - disko.nixosModules.disko - ./hosts/kube01 - ]; - }; - - kube02 = nixpkgs.lib.nixosSystem rec { - system = "x86_64-linux"; - - specialArgs = { - inherit inputs outputs; - }; - - modules = [ - disko.nixosModules.disko - ./hosts/kube02 - ]; - }; - - kube03 = nixpkgs.lib.nixosSystem rec { - system = "x86_64-linux"; - - specialArgs = { - inherit inputs outputs; - }; - - modules = [ - disko.nixosModules.disko - ./hosts/kube03 - ]; - }; - }; }; } diff --git a/hosts/kube01/default.nix b/hosts/kube01/default.nix deleted file mode 100644 index a72dee8..0000000 --- a/hosts/kube01/default.nix +++ /dev/null 
@@ -1,41 +0,0 @@ -{ inputs, outputs, config, lib, pkgs, ... }: - -{ - imports = - [ - ../../modules/disko/efi-full-btrfs.nix - ../../modules/systemd-boot.nix - - ../../users/julius/nixos-server.nix - ../../modules/nix.nix - ../../modules/network-server.nix - ../../modules/locale.nix - ../../modules/server-cli.nix - ../../modules/sshd.nix - ../../modules/k3s.nix - ../../modules/qemu-guest.nix - # Include the results of the hardware scan. - ./hardware-configuration.nix - ]; - - - networking.hostName = "kube01"; # Define your hostname. - - services.k3s = { - clusterInit = true; - }; - - # This option defines the first version of NixOS you have installed on this particular machine, - # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. - # Most users should NEVER change this value after the initial install, for any reason, - # even if you've upgraded your system to a new NixOS release. - # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, - # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how - # to actually do that. - # This value being lower than the current NixOS release does NOT mean your system is - # out of date, out of support, or vulnerable. - # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, - # and migrated your data accordingly. - # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . - system.stateVersion = "25.05"; # Did you read the comment? -} diff --git a/hosts/kube01/hardware-configuration.nix b/hosts/kube01/hardware-configuration.nix deleted file mode 100644 index f198f81..0000000 --- a/hosts/kube01/hardware-configuration.nix +++ /dev/null 
@@ -1,24 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; - - boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; -} diff --git a/hosts/kube02/default.nix b/hosts/kube02/default.nix deleted file mode 100644 index 504afef..0000000 --- a/hosts/kube02/default.nix +++ /dev/null 
@@ -1,41 +0,0 @@ -{ inputs, outputs, config, lib, pkgs, ... }: - -{ - imports = - [ - ../../modules/disko/efi-full-btrfs.nix - ../../modules/systemd-boot.nix - - ../../users/julius/nixos-server.nix - ../../modules/nix.nix - ../../modules/network-server.nix - ../../modules/locale.nix - ../../modules/server-cli.nix - ../../modules/sshd.nix - ../../modules/k3s.nix - ../../modules/qemu-guest.nix - # Include the results of the hardware scan. - ./hardware-configuration.nix - ]; - - networking.hostName = "kube02"; # Define your hostname. - - services.k3s = { - serverAddr = "https://kube01:6443"; - clusterInit = false; - }; - - # This option defines the first version of NixOS you have installed on this particular machine, - # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. - # Most users should NEVER change this value after the initial install, for any reason, - # even if you've upgraded your system to a new NixOS release. - # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, - # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how - # to actually do that. - # This value being lower than the current NixOS release does NOT mean your system is - # out of date, out of support, or vulnerable. - # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, - # and migrated your data accordingly. - # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . - system.stateVersion = "25.05"; # Did you read the comment? -} diff --git a/hosts/kube02/hardware-configuration.nix b/hosts/kube02/hardware-configuration.nix deleted file mode 100644 index f198f81..0000000 --- a/hosts/kube02/hardware-configuration.nix +++ /dev/null 
@@ -1,24 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; - - boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; -} diff --git a/hosts/kube03/default.nix b/hosts/kube03/default.nix deleted file mode 100644 index 12884e5..0000000 --- a/hosts/kube03/default.nix +++ /dev/null 
@@ -1,42 +0,0 @@ -{ inputs, outputs, config, lib, pkgs, ... }: - -{ - imports = - [ - ../../modules/disko/efi-full-btrfs.nix - ../../modules/systemd-boot.nix - - ../../users/julius/nixos-server.nix - ../../modules/nix.nix - ../../modules/network-server.nix - ../../modules/locale.nix - ../../modules/server-cli.nix - ../../modules/sshd.nix - ../../modules/k3s.nix - ../../modules/qemu-guest.nix - # Include the results of the hardware scan. - ./hardware-configuration.nix - ]; - - - networking.hostName = "kube03"; # Define your hostname. - - services.k3s = { - serverAddr = "https://kube01:6443"; - clusterInit = false; - }; - - # This option defines the first version of NixOS you have installed on this particular machine, - # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. - # Most users should NEVER change this value after the initial install, for any reason, - # even if you've upgraded your system to a new NixOS release. - # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, - # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how - # to actually do that. - # This value being lower than the current NixOS release does NOT mean your system is - # out of date, out of support, or vulnerable. - # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, - # and migrated your data accordingly. - # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . - system.stateVersion = "25.05"; # Did you read the comment? -} diff --git a/hosts/kube03/hardware-configuration.nix b/hosts/kube03/hardware-configuration.nix deleted file mode 100644 index f198f81..0000000 --- a/hosts/kube03/hardware-configuration.nix +++ /dev/null 
@@ -1,24 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; - - boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; -} From a6e1430a3eafb641b755478e8cde6dbb088de629 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Sun, 22 Feb 2026 17:20:48 +0100 Subject: [PATCH 52/78] Add fira fonts --- modules/fonts.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/fonts.nix b/modules/fonts.nix index 55a3e97..6a3cbd9 100644 --- a/modules/fonts.nix +++ b/modules/fonts.nix @@ -8,6 +8,7 @@ font-awesome terminus_font dlrg-fonts + fira ]; } From fbb86d2d5338e6e0bcac007f629eabd068a5f6f0 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Fri, 2 Jan 2026 21:39:06 +0100 Subject: [PATCH 53/78] Add initial home-manager configuration --- flake.nix | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/flake.nix b/flake.nix index 1c26073..b8f0325 100644 --- a/flake.nix +++ b/flake.nix 
@@ -152,5 +152,24 @@ }; }; + + homeConfigurations = { + jufr2 = let + username = "jufr2"; + system = "x86_64-linux"; + pkgs = nixpkgs.legacyPackages.${system}; + in + home-manager.lib.homeManagerConfiguration { + inherit pkgs; + + modules = [ + home/core.nix + home/neovim/default.nix + home/zsh/default.nix + ]; + + }; + }; + }; } From 0f163aee34eb40663d764c32e7865750188d4296 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Fri, 2 Jan 2026 21:48:34 +0100 Subject: [PATCH 54/78] Add nix config to home-manager configuration --- flake.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/flake.nix b/flake.nix index b8f0325..eaf41de 100644 --- a/flake.nix +++ b/flake.nix @@ -164,6 +164,7 @@ modules = [ home/core.nix + modules/nix.nix home/neovim/default.nix home/zsh/default.nix ]; From bdd7bd301e880fb411500eabde5c5083e0b5d5f8 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Fri, 2 Jan 2026 22:15:57 +0100 Subject: [PATCH 55/78] Explicitly set nix package to use --- modules/nix.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/nix.nix b/modules/nix.nix index 1329a34..8813371 100644 --- a/modules/nix.nix +++ b/modules/nix.nix @@ -5,6 +5,7 @@ }: { # do garbage collection weekly to keep disk usage low nix = { + package = pkgs.nix; settings = { experimental-features = ["nix-command" "flakes"]; }; From 378d7f3051597e8343ab6072a9a698845e4db12b Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Fri, 9 Jan 2026 22:05:52 +0100 Subject: [PATCH 56/78] Add username in extraSpecialArgs --- flake.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/flake.nix b/flake.nix index eaf41de..893619b 100644 --- a/flake.nix +++ b/flake.nix @@ -162,6 +162,10 @@ home-manager.lib.homeManagerConfiguration { inherit pkgs; + extraSpecialArgs = { + inherit username; + }; + modules = [ home/core.nix modules/nix.nix From 9e81d66be2340ff3dc4d375efc81ab3b4a818ebd Mon Sep 17 00:00:00 2001 
From: JuliusFreudenberger Date: Fri, 9 Jan 2026 22:06:46 +0100 Subject: [PATCH 57/78] Add genericLinux target for homemanager --- flake.nix | 3 +++ home/targets/genericLinux.nix | 7 +++++++ 2 files changed, 10 insertions(+) create mode 100644 home/targets/genericLinux.nix diff --git a/flake.nix b/flake.nix index 893619b..c465062 100644 --- a/flake.nix +++ b/flake.nix @@ -168,6 +168,9 @@ modules = [ home/core.nix + + home/targets/genericLinux.nix + modules/nix.nix home/neovim/default.nix home/zsh/default.nix diff --git a/home/targets/genericLinux.nix b/home/targets/genericLinux.nix new file mode 100644 index 0000000..061ab31 --- /dev/null +++ b/home/targets/genericLinux.nix @@ -0,0 +1,7 @@ +{ + ... +}: { + + targets.genericLinux.enable = true; + +} From 8aad0b7e49fce498539f18b1edfa5bbd83393f3e Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Fri, 9 Jan 2026 22:21:21 +0100 Subject: [PATCH 58/78] Add essential cli tools to home-manager --- flake.nix | 1 + home/cli.nix | 24 ++++++++++++++++++++++++ 2 files changed, 25 insertions(+) create mode 100644 home/cli.nix diff --git a/flake.nix b/flake.nix index c465062..8b183d5 100644 --- a/flake.nix +++ b/flake.nix @@ -174,6 +174,7 @@ modules/nix.nix home/neovim/default.nix home/zsh/default.nix + home/cli.nix ]; }; diff --git a/home/cli.nix b/home/cli.nix new file mode 100644 index 0000000..301cffc --- /dev/null +++ b/home/cli.nix @@ -0,0 +1,24 @@ +{ + pkgs, + lib, + config, + ... +}: { + home.packages = with pkgs; [ + wget + curl + git + neofetch + tealdeer + + pdfgrep + pdftk + p7zip + ]; + + programs = { + htop.enable = true; + git.enable = true; + bat.enable = true; + }; +} From 535afa836a8a371b6745e4c1d08597ca92931d99 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Sun, 22 Feb 2026 17:22:33 +0100 Subject: [PATCH 59/78] Disable git configuration through home-manager --- home/cli.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/home/cli.nix b/home/cli.nix index 301cffc..5c089dd 100644 
--- a/home/cli.nix +++ b/home/cli.nix @@ -18,7 +18,6 @@ programs = { htop.enable = true; - git.enable = true; bat.enable = true; }; } From e8deca29832dbb88c9f0ed7fe4494aeb0098094b Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Sun, 22 Feb 2026 17:46:32 +0100 Subject: [PATCH 60/78] Move devshells into main flake.nix --- devshells/java17-maven/flake.lock | 64 ---------------------- devshells/java17-maven/flake.nix | 21 ------- devshells/java21-maven/flake.lock | 64 ---------------------- devshells/java21-maven/flake.nix | 21 ------- devshells/php8/flake.lock | 64 ---------------------- devshells/php8/flake.nix | 30 ---------- devshells/texlive-with-pygments/flake.lock | 64 ---------------------- devshells/texlive-with-pygments/flake.nix | 21 ------- flake.nix | 25 ++++++++- 9 files changed, 24 insertions(+), 350 deletions(-) delete mode 100644 devshells/java17-maven/flake.lock delete mode 100644 devshells/java17-maven/flake.nix delete mode 100644 devshells/java21-maven/flake.lock delete mode 100644 devshells/java21-maven/flake.nix delete mode 100644 devshells/php8/flake.lock delete mode 100644 devshells/php8/flake.nix delete mode 100644 devshells/texlive-with-pygments/flake.lock delete mode 100644 devshells/texlive-with-pygments/flake.nix diff --git a/devshells/java17-maven/flake.lock b/devshells/java17-maven/flake.lock deleted file mode 100644 index b4da842..0000000 --- a/devshells/java17-maven/flake.lock +++ /dev/null 
@@ -1,64 +0,0 @@ -{ - "nodes": { - "flake-utils": { - "inputs": { - "systems": [ - "systems" - ] - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1766473571, - "narHash": "sha256-5G1NDO2PulBx1RoaA6U1YoUDX0qZslpPxv+n5GX6Qto=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "76701a179d3a98b07653e2b0409847499b2a07d3", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-25.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs", - "systems": "systems" - } - }, - "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/devshells/java17-maven/flake.nix b/devshells/java17-maven/flake.nix deleted file mode 100644 index 169ccb2..0000000 --- a/devshells/java17-maven/flake.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ - description = "A basic flake with a shell"; - inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; - inputs.systems.url = "github:nix-systems/default"; - inputs.flake-utils = { - url = "github:numtide/flake-utils"; - inputs.systems.follows = "systems"; - }; - - outputs = - { nixpkgs, flake-utils, ... }: - flake-utils.lib.eachDefaultSystem ( - system: - let - pkgs = nixpkgs.legacyPackages.${system}; - in - { - devShells.default = pkgs.mkShell { packages = with pkgs; [ maven jdk17 ]; }; - } - ); -} 
diff --git a/devshells/java21-maven/flake.lock b/devshells/java21-maven/flake.lock deleted file mode 100644 index b4da842..0000000 --- a/devshells/java21-maven/flake.lock +++ /dev/null @@ -1,64 +0,0 @@ -{ - "nodes": { - "flake-utils": { - "inputs": { - "systems": [ - "systems" - ] - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1766473571, - "narHash": "sha256-5G1NDO2PulBx1RoaA6U1YoUDX0qZslpPxv+n5GX6Qto=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "76701a179d3a98b07653e2b0409847499b2a07d3", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-25.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs", - "systems": "systems" - } - }, - "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/devshells/java21-maven/flake.nix b/devshells/java21-maven/flake.nix deleted file mode 100644 index 943795f..0000000 --- a/devshells/java21-maven/flake.nix +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - description = "A basic flake with a shell"; - inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; - inputs.systems.url = "github:nix-systems/default"; - inputs.flake-utils = { - url = "github:numtide/flake-utils"; - inputs.systems.follows = "systems"; - }; - - outputs = - { nixpkgs, flake-utils, ... }: - flake-utils.lib.eachDefaultSystem ( - system: - let - pkgs = nixpkgs.legacyPackages.${system}; - in - { - devShells.default = pkgs.mkShell { packages = with pkgs; [ maven jdk21 ]; }; - } - ); -} diff --git a/devshells/php8/flake.lock b/devshells/php8/flake.lock deleted file mode 100644 index ae71305..0000000 --- a/devshells/php8/flake.lock +++ /dev/null @@ -1,64 +0,0 @@ -{ - "nodes": { - "flake-utils": { - "inputs": { - "systems": [ - "systems" - ] - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1736684107, - "narHash": "sha256-vH5mXxEvZeoGNkqKoCluhTGfoeXCZ1seYhC2pbMN0sg=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "635e887b48521e912a516625eee7df6cf0eba9c1", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs", - "systems": "systems" - } - }, - "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - } - }, - "root": "root", - "version": 7 -} 
diff --git a/devshells/php8/flake.nix b/devshells/php8/flake.nix deleted file mode 100644 index 146dfe4..0000000 --- a/devshells/php8/flake.nix +++ /dev/null @@ -1,30 +0,0 @@ -{ - description = "A basic flake with a shell"; - inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11"; - inputs.systems.url = "github:nix-systems/default"; - inputs.flake-utils = { - url = "github:numtide/flake-utils"; - inputs.systems.follows = "systems"; - }; - - outputs = - { nixpkgs, flake-utils, ... }: - flake-utils.lib.eachDefaultSystem ( - system: - let - pkgs = nixpkgs.legacyPackages.${system}; - in - { - devShells.default = pkgs.mkShell { packages = with pkgs; [ (php81.buildEnv { - extensions = ({ enabled, all }: enabled ++ (with all; [ - xdebug - ])); - extraConfig = '' - xdebug.mode=debug - ''; - }) - php81Packages.composer - ]; }; - } - ); -} diff --git a/devshells/texlive-with-pygments/flake.lock b/devshells/texlive-with-pygments/flake.lock deleted file mode 100644 index cd08dba..0000000 --- a/devshells/texlive-with-pygments/flake.lock +++ /dev/null 
@@ -1,64 +0,0 @@ -{ - "nodes": { - "flake-utils": { - "inputs": { - "systems": [ - "systems" - ] - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1739624908, - "narHash": "sha256-f84lBmLl4tkDp1ZU5LBTSFzlxXP4926DVW3KnXrke10=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "a60651b217d2e529729cbc7d989c19f3941b9250", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs", - "systems": "systems" - } - }, - "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/devshells/texlive-with-pygments/flake.nix b/devshells/texlive-with-pygments/flake.nix deleted file mode 100644 index 3a6635e..0000000 --- a/devshells/texlive-with-pygments/flake.nix +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - description = "Flake for TeXlive with python pygments"; - inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11"; - inputs.systems.url = "github:nix-systems/default"; - inputs.flake-utils = { - url = "github:numtide/flake-utils"; - inputs.systems.follows = "systems"; - }; - - outputs = - { nixpkgs, flake-utils, ... }: - flake-utils.lib.eachDefaultSystem ( - system: - let - pkgs = nixpkgs.legacyPackages.${system}; - in - { - devShells.default = pkgs.mkShell { packages = with pkgs; [ texliveFull python3Packages.pygments ]; }; - } - ); -} diff --git a/flake.nix b/flake.nix index 8b183d5..d322177 100644 --- a/flake.nix +++ b/flake.nix @@ -60,8 +60,9 @@ } @ inputs: let inherit (self) outputs; lib = nixpkgs.lib; + eachSystem = lib.genAttrs (import systems); forEachSystem = f: lib.genAttrs (import systems) (system: f pkgsFor.${system}); - pkgsFor = lib.genAttrs (import systems) ( + pkgsFor = eachSystem ( system: import nixpkgs { inherit system; @@ -180,5 +181,27 @@ }; }; + devShells = eachSystem (system: + let + pkgs = nixpkgs.legacyPackages.${system}; + in { + java11-maven = pkgs.mkShell { packages = with pkgs; [ maven jdk11 ]; }; + java17-maven = pkgs.mkShell { packages = with pkgs; [ maven jdk17 ]; }; + java21-maven = pkgs.mkShell { packages = with pkgs; [ maven jdk21 ]; }; + texlive-with-pygments = pkgs.mkShell { packages = with pkgs; [ texliveFull python3Packages.pygments ]; }; + php8 = pkgs.mkShell { packages = with pkgs; [ + (php82.buildEnv { + extensions = ({ enabled, all }: enabled ++ (with all; [ + xdebug + ])); + extraConfig = '' + xdebug.mode=debug + ''; + }) + php82Packages.composer + ];}; + } + ); + }; } From f50a34b7c2a5892130922eb78546dafc570f101a Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Sun, 22 Feb 2026 17:52:05 +0100 Subject: [PATCH 61/78] Add gui apps in home-manager profile --- home/gui.nix | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 home/gui.nix 
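Review bot: The new `devShells` build their `pkgs` from `nixpkgs.legacyPackages.${system}` instead of the `pkgsFor.${system}` that the same hunk defines via `import nixpkgs { inherit system; … }`, so whatever config or overlays `pkgsFor` applies (its body continues outside the hunk) does not reach the shells, and the existing `forEachSystem` helper already does exactly this wiring. Suggest `devShells = forEachSystem (pkgs: { java11-maven = pkgs.mkShell { packages = with pkgs; [ maven jdk11 ]; }; … });` so both package sets stay in sync. Also worth a comment on the new block: the removed per-directory flakes pinned `nixos-24.11`/`nixos-25.11` via their own locks, whereas these shells now follow the main flake's `nixpkgs` input and will move with every host update.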
diff --git a/home/gui.nix b/home/gui.nix new file mode 100644 index 0000000..e1627fe --- /dev/null +++ b/home/gui.nix @@ -0,0 +1,24 @@ +{ + pkgs, + lib, + config, + ... +}: { + home.packages = with pkgs; [ + jetbrains.idea + teams-for-linux + mate.engrampa + zotero + deezer-enhanced + ]; + + programs = { + firefox.enable = true; + keepassxc = { + enable = true; + autostart = true; + }; + }; + + xdg.autostart.enable = true; +} From ba39a00af7ef733c16c51db6946e0ba433858a53 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Sun, 22 Feb 2026 17:52:20 +0100 Subject: [PATCH 62/78] Add java versions as extraDependencies in home-manager --- home/java-dev.nix | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 home/java-dev.nix diff --git a/home/java-dev.nix b/home/java-dev.nix new file mode 100644 index 0000000..c4c5adc --- /dev/null +++ b/home/java-dev.nix @@ -0,0 +1,17 @@ +{ + pkgs, + lib, + config, + ... +}: { + home.packages = with pkgs; [ + maven + gradle + ]; + + home.extraDependencies = with pkgs; [ + jdk11 + jdk17 + jdk21 + ]; +} From 9e11d4bf7f2c8d63dc598d85c7ff75b699d00170 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Sun, 22 Feb 2026 17:53:19 +0100 Subject: [PATCH 63/78] Include new home-manager modules --- flake.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/flake.nix b/flake.nix index d322177..6615b6c 100644 --- a/flake.nix +++ b/flake.nix @@ -176,6 +176,10 @@ home/neovim/default.nix home/zsh/default.nix home/cli.nix + home/gui.nix + home/java-dev.nix + + home/direnv/default.nix ]; }; From b4abb274908764304fe9da203788d5f168016de2 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Wed, 11 Mar 2026 22:49:50 +0100 Subject: [PATCH 64/78] Use unstable gerbil in pangolin module --- modules/pangolin.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/modules/pangolin.nix b/modules/pangolin.nix index 3da3c9e..55e5fed 100644 --- a/modules/pangolin.nix +++ b/modules/pangolin.nix 
@@ -1,5 +1,8 @@ { pkgs-unstable, + utils, + config, + lib, ... }: { @@ -26,6 +29,13 @@ }; }; + systemd.services.gerbil.serviceConfig.ExecStart = lib.mkForce (utils.escapeSystemdExecArgs [ + (lib.getExe pkgs-unstable.fosrl-gerbil) + "--reachableAt=http://localhost:${toString config.services.gerbil.port}" + "--generateAndSaveKeyTo=${toString config.services.pangolin.dataDir}/config/key" + "--remoteConfig=http://localhost:3001/api/v1/gerbil/get-config" + ]); + } # Settings needed on the host From b3ec023cad94df520d2ed4ddc659cdd90fcbd91b Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Wed, 11 Mar 2026 22:51:29 +0100 Subject: [PATCH 65/78] Fix service naming in newt module --- modules/newt.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/newt.nix b/modules/newt.nix index 1f8dafd..5f7a8f4 100644 --- a/modules/newt.nix +++ b/modules/newt.nix @@ -44,16 +44,16 @@ in { }; }; - systemd.services."docker-pangolin" = { + systemd.services."docker-newt" = { after = [ - "docker-network-pangolin.service" + "docker-network-newt.service" ]; requires = [ - "docker-network-pangolin.service" + "docker-network-newt.service" ]; }; - systemd.services."docker-network-pangolin" = { + systemd.services."docker-network-newt" = { path = [ pkgs.docker ]; serviceConfig = { Type = "oneshot"; From b441618575d8ebf986fc0b60e6310384aca54b0b Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Wed, 11 Mar 2026 22:53:54 +0100 Subject: [PATCH 66/78] Add fail2ban to sshd module --- modules/sshd.nix | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/modules/sshd.nix b/modules/sshd.nix index 49af4a5..551c0d4 100644 --- a/modules/sshd.nix +++ b/modules/sshd.nix 
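Review bot: The `lib.mkForce` on `systemd.services.gerbil.serviceConfig.ExecStart` re-types the upstream module's whole command line just to swap in `pkgs-unstable.fosrl-gerbil`, so any flag the NixOS gerbil module adds or renames later is silently dropped here and `--reachableAt`/`--generateAndSaveKeyTo`/`--remoteConfig` are now pinned to this file. If the module exposes a package option, `services.gerbil.package = pkgs-unstable.fosrl-gerbil;` would give the same effect without the override; if it does not, a comment such as `# mirrors the ExecStart of the nixpkgs gerbil module; re-check the flags after every nixpkgs bump` above the mkForce would tell the next reader what has to stay in sync. The enclosing attribute set continues outside the hunk.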
@@ -3,11 +3,17 @@ lib, ... }: { - services.openssh = { - enable = true; - settings = { - PasswordAuthentication = false; - PermitRootLogin = "no"; + services = { + openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + PermitRootLogin = "no"; + }; + }; + fail2ban = { + enable = true; + bantime = "1h"; }; }; } From 179f615ad4fc0eca1ac3a14f37e551b06efcc01e Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Wed, 11 Mar 2026 22:55:25 +0100 Subject: [PATCH 67/78] Remove texlive from system closure --- modules/typesetting.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/modules/typesetting.nix b/modules/typesetting.nix index b4e321f..272b263 100644 --- a/modules/typesetting.nix +++ b/modules/typesetting.nix @@ -7,8 +7,6 @@ typst typstyle - texliveFull - pandoc zotero From edbde9800623dc6bb2c6e6a3f7485755e80cb5c2 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Wed, 11 Mar 2026 23:13:30 +0100 Subject: [PATCH 68/78] Remove firewall rules for wireguard and set rpfilter to loose --- modules/network-client.nix | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/modules/network-client.nix b/modules/network-client.nix index 4efdecd..a72a9f3 100644 --- a/modules/network-client.nix +++ b/modules/network-client.nix 
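Review bot: `PasswordAuthentication = false` does not by itself turn off password logins on NixOS, because keyboard-interactive (PAM) authentication stays enabled unless `KbdInteractiveAuthentication = false;` is also set in `settings`; add that line next to it so the fail2ban jail is guarding a key-only daemon. For the new `fail2ban` block, consider `ignoreIP = [ "127.0.0.1/8" "::1" ]` plus the management subnet so a mistyped key from the admin network cannot lock you out for the full `bantime`. As far as I recall the sshd jail is on by default on NixOS, but the ban action needs a firewall to act on and this module does not set `networking.firewall.enable` — worth confirming where that is enabled.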
@@ -13,19 +13,7 @@ firewall = { # if packets are still dropped, they will show up in dmesg logReversePathDrops = true; - # wireguard trips rpfilter up - extraCommands = '' - iptables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 1194 -j RETURN - ip6tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 1194 -j RETURN - iptables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 1194 -j RETURN - ip6tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 1194 -j RETURN - ''; - extraStopCommands = '' - iptables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 1194 -j RETURN || true - ip6tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 1194 -j RETURN || true - iptables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 1194 -j RETURN || true - ip6tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 1194 -j RETURN || true - ''; + checkReversePath = "loose"; }; }; } From 7d11cef3f803dea8446f707054a8afa66e764450 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Wed, 11 Mar 2026 23:13:59 +0100 Subject: [PATCH 69/78] rofirefox: set main program --- pkgs/rofirefox/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/rofirefox/default.nix b/pkgs/rofirefox/default.nix index 2030d4f..66805e2 100644 --- a/pkgs/rofirefox/default.nix +++ b/pkgs/rofirefox/default.nix @@ -37,6 +37,7 @@ meta = with lib; { platforms = platforms.all; + mainProgram = "rofirefox"; }; } From a525d2bffa67fa44613683fbe7fbd3ca630e86ef Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Fri, 27 Mar 2026 01:21:16 +0100 Subject: [PATCH 70/78] Add intel-cpu module --- modules/intel-cpu.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 modules/intel-cpu.nix diff --git a/modules/intel-cpu.nix b/modules/intel-cpu.nix new file mode 100644 index 0000000..7e037c3 --- /dev/null +++ b/modules/intel-cpu.nix 
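Review bot: Switching `checkReversePath` to `"loose"` relaxes the anti-spoofing check on every interface, not only the udp/1194 WireGuard traffic the removed `nixos-fw-rpfilter` rules exempted, and the hunk leaves no comment recording the trade-off next to the retained `logReversePathDrops` line. Suggest documenting it in place: `# WireGuard replies can come back on a different interface than the route to the peer; "loose" still drops sources with no route at all, unlike disabling rpfilter`. If only the tunnel needs the exception, a per-interface sysctl (`rp_filter = 2` on the wg interface) would keep strict mode elsewhere — the tunnel's interface name is not visible here. The `firewall = {` set continues outside the hunk.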
@@ -0,0 +1,12 @@ +{ + pkgs, + ... +}: { + hardware.graphics = { + enable = true; + extraPackages = with pkgs; [ + intel-media-driver # Enable Hardware Acceleration + vpl-gpu-rt # Enable QSV + ]; + }; +} From f2b2e26ba9858d02c7ce0a81f8bb4c83ff1ebc5d Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Fri, 27 Mar 2026 01:29:56 +0100 Subject: [PATCH 71/78] Add sample for opkssh module Module will not be added here as usernames, principals and the client id have to be specified directly. Setting them via age secrets is not possible. --- modules/opkssh.sample.nix | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 modules/opkssh.sample.nix diff --git a/modules/opkssh.sample.nix b/modules/opkssh.sample.nix new file mode 100644 index 0000000..55c8383 --- /dev/null +++ b/modules/opkssh.sample.nix @@ -0,0 +1,18 @@ +{ + ... +}: { + services.opkssh = { + enable = true; + providers = { + pocket-id = { + issuer = "https://example.com"; + clientId = ""; + lifetime = "12h"; + }; + }; + authorizations = [ + { user = ""; principal = ""; issuer = "https://example.com"; } + ]; + }; +} + From 13ca1dc20569c188f9e879ef547a69323171272a Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Fri, 27 Mar 2026 01:36:29 +0100 Subject: [PATCH 72/78] Add config for busch Busch is the proxmox host used for various vms, which will be defined through terraform or similar. --- flake.nix | 5 +- .../{nixos-server-test => busch}/default.nix | 27 +++-- hosts/busch/disko.nix | 107 ++++++++++++++++++ hosts/busch/hardware-configuration.nix | 22 ++++ .../hardware-configuration.nix | 31 ----- 5 files changed, 151 insertions(+), 41 deletions(-) rename hosts/{nixos-server-test => busch}/default.nix (83%) create mode 100644 hosts/busch/disko.nix create mode 100644 hosts/busch/hardware-configuration.nix delete mode 100644 hosts/nixos-server-test/hardware-configuration.nix diff --git a/flake.nix b/flake.nix index 6615b6c..04be147 100644 --- a/flake.nix +++ b/flake.nix 
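Review bot: The sample enables `services.opkssh` with an empty `clientId` and an `authorizations` entry whose `user` and `principal` are both `""`, and nothing in the file says it must not be imported as-is — the commit message explains the real values live in the private input, but the file itself does not. A header comment such as `# Template only: the deployed module lives in the private secrets input; fill clientId/user/principal before importing` would make that explicit, since `*.nix` globs pick up `.sample.nix` too. `authorizations` presumably maps an OIDC principal to a local account, so the sample should also show an unprivileged `user` rather than leaving readers to map identities straight to root.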
@@ -115,7 +115,7 @@ ]; }; - server = nixpkgs.lib.nixosSystem rec { + busch = nixpkgs.lib.nixosSystem rec { system = "x86_64-linux"; specialArgs = { @@ -123,7 +123,8 @@ }; modules = [ - ./hosts/nixos-server-test + ./hosts/busch + disko.nixosModules.disko proxmox-nixos.nixosModules.proxmox-ve ({...}: { diff --git a/hosts/nixos-server-test/default.nix b/hosts/busch/default.nix similarity index 83% rename from hosts/nixos-server-test/default.nix rename to hosts/busch/default.nix index 409e2fa..bf64cb7 100644 --- a/hosts/nixos-server-test/default.nix +++ b/hosts/busch/default.nix @@ -3,10 +3,16 @@ { imports = [ + ./disko.nix + ../../modules/nix.nix + ../../modules/auto-upgrade.nix ../../modules/locale.nix ../../modules/server-cli.nix ../../modules/sshd.nix + ${inputs.secrets}/modules/opkssh.nix + + ../../modules/intel-cpu.nix # Include the results of the hardware scan. ./hardware-configuration.nix ]; @@ -14,11 +20,10 @@ boot = { loader.grub = { enable = true; - device = "/dev/vda"; }; tmp.useTmpfs = true; }; - networking.hostName = "nixos-server"; # Define your hostname. + networking.hostName = "busch"; # Define your hostname. users = { users = { julius = { @@ -43,12 +48,18 @@ ]; }; - services.proxmox-ve = { - enable = true; - ipAddress = "192.168.122.71"; + services = { + proxmox-ve = { + enable = true; + ipAddress = "192.168.7.252"; - # Make vmbr0 bridge visible in Proxmox web interface - bridges = [ "vmbr0" ]; + # Make vmbr0 bridge visible in Proxmox web interface + bridges = [ "vmbr0" ]; + }; + openiscsi = { + enable = true; + name = "busch"; + }; }; networking.useDHCP = false; @@ -57,7 +68,7 @@ enable = true; networks."10-lan" = { - matchConfig.Name = [ "enp1s0" ]; + matchConfig.Name = [ "enp0s25" ]; networkConfig = { Bridge = "vmbr0"; }; diff --git a/hosts/busch/disko.nix b/hosts/busch/disko.nix new file mode 100644 index 0000000..5563eae --- /dev/null +++ b/hosts/busch/disko.nix 
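Review bot: `services.openiscsi.name = "busch"` sets the iSCSI initiator name to a bare hostname, while initiator names are conventionally IQN-formatted (`iqn.YYYY-MM.<reverse-domain>:<host>`) and targets with initiator ACLs key on that exact string; confirm the option accepts a bare name, otherwise use something like `name = "iqn.2026-03.de.jfreudenberger:busch";`. The hunk also drops `device = "/dev/vda"` from grub and relies on the EF02 partitions in `./disko.nix` to populate `boot.loader.grub.devices`, which deserves a comment: `# grub install devices come from the EF02 partitions in ./disko.nix`. The disko layout provides a second ESP at `/boot-fallback`, but nothing in this hunk installs a bootloader there; if UEFI boot is intended, `boot.loader.grub.mirroredBoots` and `efiSupport` would be needed — the rest of the `boot` set is outside the hunk.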
@@ -0,0 +1,107 @@ +{ + disko.devices = { + disk = { + disk1 = { + type = "disk"; + device = "/dev/disk/by-id/ata-Samsung_SSD_850_PRO_256GB_S251NX0H423575T"; + content = { + type = "gpt"; + partitions = { + MBR = { + type = "EF02"; # for grub MBR + size = "1M"; + priority = 1; # Needs to be first partition + }; + ESP = { + priority = 1; + name = "ESP"; + size = "2G"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "umask=0077" ]; + }; + }; + crypt_p1 = { + size = "100%"; + content = { + type = "luks"; + name = "p1"; + settings = { + allowDiscards = true; + }; + }; + }; + }; + }; + }; + disk2 = { + type = "disk"; + device = "/dev/disk/by-id/ata-Samsung_SSD_850_PRO_256GB_S251NXAG833792N"; + content = { + type = "gpt"; + partitions = { + MBR = { + type = "EF02"; # for grub MBR + size = "1M"; + priority = 1; # Needs to be first partition + }; + ESP = { + priority = 1; + name = "ESP"; + size = "2G"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot-fallback"; + mountOptions = [ "umask=0077" ]; + }; + }; + crypt_p2 = { + size = "100%"; + content = { + type = "luks"; + name = "p2"; + settings = { + allowDiscards = true; + }; + content = { + type = "btrfs"; + extraArgs = [ + "-d raid1" + "-m raid1" + "/dev/mapper/p1" + ]; + subvolumes = { + "/rootfs" = { + mountpoint = "/"; + }; + "/home" = { + mountOptions = [ "compress=zstd" ]; + mountpoint = "/home"; + }; + "/nix" = { + mountOptions = [ "compress=zstd" "noatime" ]; + mountpoint = "/nix"; + }; + "/pve-cluster" = { + mountOptions = [ "compress=zstd" ]; + mountpoint = "/var/lib/pve-cluster"; + }; + "/swap" = { + mountpoint = "/.swapvol"; + swap.swapfile.size = "32G"; + }; + }; + }; + }; + }; + }; + }; + }; + }; + }; +} diff --git a/hosts/busch/hardware-configuration.nix b/hosts/busch/hardware-configuration.nix new file mode 100644 index 0000000..2de4340 --- /dev/null +++ b/hosts/busch/hardware-configuration.nix 
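Review bot: Both `MBR` and `ESP` carry `priority = 1` on each disk, yet the comment on `MBR` says `# Needs to be first partition`; if disko orders equal-priority partitions by name, `ESP` sorts ahead of `MBR`, so the comment and the layout disagree — `priority = 2;` on the two `ESP` entries (as in disko's hybrid example) restores the stated order. `allowDiscards = true` on both LUKS volumes is a deliberate trade-off (TRIM lets the SSD see which blocks are unused through the encryption) and deserves a one-line comment saying so. The `/boot-fallback` ESP on `disk2` is formatted and mounted, but as far as this series shows no bootloader is ever written to it; without `boot.loader.grub.mirroredBoots` pointing at it the fallback will not actually boot.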
@@ -0,0 +1,22 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "ehci_pci" "mpt3sas" "usbhid" "usb_storage" "sr_mod" ]; + boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + boot.kernelParams = [ "intel_iommu=on" "iommu=pt" "vfio-pci.ids=1000:0087" ]; + + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/nixos-server-test/hardware-configuration.nix b/hosts/nixos-server-test/hardware-configuration.nix deleted file mode 100644 index 6dfd7c4..0000000 --- a/hosts/nixos-server-test/hardware-configuration.nix +++ /dev/null 
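Review bot: The generated header still says `Do not modify this file!`, but the hunk hand-edits it: the `vfio_pci`/`vfio`/`vfio_iommu_type1` entries in `boot.initrd.kernelModules` and the `intel_iommu=on`/`iommu=pt`/`vfio-pci.ids=1000:0087` kernel parameters will be lost on the next `nixos-generate-config`. Move those two lines to `hosts/busch/default.nix` (or a `modules/vfio.nix`) with a comment naming what is being reserved, e.g. `# 1000:0087 (presumably the LSI SAS controller, vendor 1000) is bound to vfio-pci in initrd before mpt3sas can claim it; passed through to a guest`, since `mpt3sas` stays in `availableKernelModules` and a reader needs to know why both coexist. Whether anything on the host still depends on that controller is not visible here; the root disks in disko.nix are SATA (`ata-Samsung_SSD_850_PRO_…`), so passthrough should not affect boot, but confirm.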
@@ -1,31 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; - - boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/e46c412a-8b6d-41b8-b53c-65d7a8fc39ed"; - fsType = "ext4"; - }; - - swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; -} From 502fecdd4e17e50e4222bca94182a716af937b36 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Fri, 27 Mar 2026 01:38:42 +0100 Subject: [PATCH 73/78] Switch from zen kernel to latest kernel for laptops Due to build failure at least in release 25.11. --- modules/laptop.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/laptop.nix b/modules/laptop.nix index 49e7492..9a95899 100644 --- a/modules/laptop.nix +++ b/modules/laptop.nix @@ -4,7 +4,7 @@ ... }: { - boot.kernelPackages = pkgs.linuxKernel.packages.linux_zen; + boot.kernelPackages = pkgs.linuxPackages_latest; services.logind.settings.Login = { HandleLidSwitch= "suspend-then-hibernate"; From 0aff64102df098f647dd721588b1dff9401bef87 Mon Sep 17 00:00:00 2001 
From: JuliusFreudenberger Date: Fri, 27 Mar 2026 01:39:38 +0100 Subject: [PATCH 74/78] Update flake.lock --- flake.lock | 52 ++++++++++++++++++++++++++-------------------------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/flake.lock b/flake.lock index d4e6d06..3348a05 100644 --- a/flake.lock +++ b/flake.lock @@ -10,11 +10,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1762618334, - "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=", + "lastModified": 1770165109, + "narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=", "owner": "ryantm", "repo": "agenix", - "rev": "fcdea223397448d35d9b31f798479227e80183f6", + "rev": "b027ee29d959fda4b60b57566d64c98a202e0feb", "type": "github" }, "original": { @@ -30,11 +30,11 @@ ] }, "locked": { - "lastModified": 1769608722, - "narHash": "sha256-yWUG0Emd9EuqIZ8jQ6fxqf7USw7Gtcqb4+sBhn+S+Wg=", + "lastModified": 1772058043, + "narHash": "sha256-m1cmQgb6tBcHkndKZ8BSsw6PRNJMG89FZwoYVOuKi34=", "owner": "AdnanHodzic", "repo": "auto-cpufreq", - "rev": "a11a98c46bf6a77d0c2e0ea8d87acef78507cae5", + "rev": "5d600d710bb2aa331e1a4370e08476bcdea1cab5", "type": "github" }, "original": { @@ -50,11 +50,11 @@ ] }, "locked": { - "lastModified": 1769524058, - "narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=", + "lastModified": 1773889306, + "narHash": "sha256-PAqwnsBSI9SVC2QugvQ3xeYCB0otOwCacB1ueQj2tgw=", "owner": "nix-community", "repo": "disko", - "rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d", + "rev": "5ad85c82cc52264f4beddc934ba57f3789f28347", "type": "github" }, "original": { 
@@ -144,11 +144,11 @@ ] }, "locked": { - "lastModified": 1769580047, - "narHash": "sha256-tNqCP/+2+peAXXQ2V8RwsBkenlfWMERb+Uy6xmevyhM=", + "lastModified": 1774559029, + "narHash": "sha256-deix7yg3j6AhjMPnFDCmWB3f83LsajaaULP5HH2j34k=", "owner": "nix-community", "repo": "home-manager", - "rev": "366d78c2856de6ab3411c15c1cb4fb4c2bf5c826", + "rev": "a0bb0d11514f92b639514220114ac8063c72d0a3", "type": "github" }, "original": { @@ -181,11 +181,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1769302137, - "narHash": "sha256-QEDtctEkOsbx8nlFh4yqPEOtr4tif6KTqWwJ37IM2ds=", + "lastModified": 1774465523, + "narHash": "sha256-4v7HPm63Q90nNn4fgkgKsjW1AH2Klw7XzPtHJr562nM=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "a351494b0e35fd7c0b7a1aae82f0afddf4907aa8", + "rev": "de895be946ad1d8aafa0bb6dfc7e7e0e9e466a29", "type": "github" }, "original": { @@ -197,11 +197,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1769598131, - "narHash": "sha256-e7VO/kGLgRMbWtpBqdWl0uFg8Y2XWFMdz0uUJvlML8o=", + "lastModified": 1774388614, + "narHash": "sha256-tFwzTI0DdDzovdE9+Ras6CUss0yn8P9XV4Ja6RjA+nU=", "owner": "nixos", "repo": "nixpkgs", - "rev": "fa83fd837f3098e3e678e6cf017b2b36102c7211", + "rev": "1073dad219cb244572b74da2b20c7fe39cb3fa9e", "type": "github" }, "original": { @@ -261,16 +261,16 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1769861584, - "narHash": "sha256-Tu85RXpHMAWmsltAEKsG1IB7JfNGbekeHh2CSR0/xG8=", + "lastModified": 1774386573, + "narHash": "sha256-4hAV26quOxdC6iyG7kYaZcM3VOskcPUrdCQd/nx8obc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "015e5f32a6258dc210b8e02fb47d86983959e243", + "rev": "46db2e09e1d3f113a13c0d7b81e2f221c63b8ce9", "type": "github" }, "original": { "owner": "nixos", - "ref": "pull/483348/merge", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } 
@@ -338,11 +338,11 @@ "secrets": { "flake": false, "locked": { - "lastModified": 1769426267, - "narHash": "sha256-OBHSfMHZ+sWEtigOxTfIGnkZLPOz2P7VR8+KA2KY89g=", + "lastModified": 1774571252, + "narHash": "sha256-NU/vfItTMSjaRTXe0UDzbWR8UnhkBUFU47OpqEpxKb4=", "ref": "refs/heads/main", - "rev": "ebefef468e16eb692df0a3d54352c94a56110a97", - "revCount": 20, + "rev": "7965907ae885d77acb3c4ecc11cee096a12af868", + "revCount": 25, "type": "git", "url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git" }, From ae00442324618b91440066e3a54a5e2b06e6de84 Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Fri, 27 Mar 2026 02:19:40 +0100 Subject: [PATCH 75/78] Add quotation for importing private module --- hosts/busch/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/busch/default.nix b/hosts/busch/default.nix index bf64cb7..199d471 100644 --- a/hosts/busch/default.nix +++ b/hosts/busch/default.nix @@ -10,7 +10,7 @@ ../../modules/locale.nix ../../modules/server-cli.nix ../../modules/sshd.nix - ${inputs.secrets}/modules/opkssh.nix + "${inputs.secrets}/modules/opkssh.nix" ../../modules/intel-cpu.nix # Include the results of the hardware scan. From 86bec559e6f02c8c5c51ef5bf117cceece7b3a8d Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Sun, 29 Mar 2026 21:00:09 +0200 Subject: [PATCH 76/78] Add busch-main-docker server --- flake.nix | 14 +++++++ hosts/busch-main-docker/default.nix | 42 +++++++++++++++++++ .../hardware-configuration.nix | 17 ++++++++ modules/disko/legacy-full-ext4.nix | 28 +++++++++++++ 4 files changed, 101 insertions(+) create mode 100644 hosts/busch-main-docker/default.nix create mode 100644 hosts/busch-main-docker/hardware-configuration.nix create mode 100644 modules/disko/legacy-full-ext4.nix diff --git a/flake.nix b/flake.nix index 04be147..0d1fcc0 100644 --- a/flake.nix +++ b/flake.nix 
@@ -135,6 +135,20 @@ ]; }; + busch-main-docker = nixpkgs.lib.nixosSystem rec { + system = "x86_64-linux"; + + specialArgs = { + inherit inputs outputs; + }; + + modules = [ + ./hosts/busch-main-docker + disko.nixosModules.disko + agenix.nixosModules.default + ]; + }; + srv01-hf = nixpkgs.lib.nixosSystem rec { system = "x86_64-linux"; diff --git a/hosts/busch-main-docker/default.nix b/hosts/busch-main-docker/default.nix new file mode 100644 index 0000000..42b93a4 --- /dev/null +++ b/hosts/busch-main-docker/default.nix 
@@ -0,0 +1,42 @@
+{ inputs, outputs, config, lib, pkgs, ... }:
+
+{
+ imports =
+ [
+ ../../modules/disko/legacy-full-ext4.nix
+
+ ../../users/julius/nixos-server.nix
+ ../../modules/nix.nix
+ ../../modules/auto-upgrade.nix
+ ../../modules/locale.nix
+ ../../modules/server-cli.nix
+ ../../modules/sshd.nix
+ ../../modules/docker.nix
+ "${inputs.secrets}/modules/opkssh.nix"
+
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ];
+ # Use the GRUB 2 boot loader.
+ boot = {
+ loader.grub = {
+ enable = true;
+ };
+ tmp.useTmpfs = true;
+ };
+ networking.hostName = "docker-main"; # Define your hostname.
+
+ # This option defines the first version of NixOS you have installed on this particular machine,
+ # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+ # Most users should NEVER change this value after the initial install, for any reason,
+ # even if you've upgraded your system to a new NixOS release.
+ # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+ # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+ # to actually do that.
+ # This value being lower than the current NixOS release does NOT mean your system is
+ # out of date, out of support, or vulnerable.
+ # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+ # and migrated your data accordingly.
+ # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+ system.stateVersion = "25.05"; # Did you read the comment?
+}
diff --git a/hosts/busch-main-docker/hardware-configuration.nix b/hosts/busch-main-docker/hardware-configuration.nix
new file mode 100644
index 0000000..54932ff
--- /dev/null
+++ b/hosts/busch-main-docker/hardware-configuration.nix
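Review bot: `networking.hostName = "docker-main"` does not match the flake output `busch-main-docker` added in flake.nix, so `nixos-rebuild switch --flake .` run on the machine will look up `nixosConfigurations.docker-main` and fail unless the attribute is spelled out; either set `networking.hostName = "busch-main-docker";` or note the deliberate mismatch next to the line. `system.stateVersion = "25.05"` on a host first installed in 2026 looks copied from another host; it should be the release the machine was actually installed with (presumably 25.11 if the current minimal ISO referenced in the Terraform module was used), since the value is meant to be set once at install time. The boot block only sets `loader.grub.enable`; presumably disko populates `boot.loader.grub.devices` from the EF02 partition in the imported module — worth confirming on the first build rather than discovering an unset grub device at install.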
@@ -0,0 +1,17 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/modules/disko/legacy-full-ext4.nix b/modules/disko/legacy-full-ext4.nix new file mode 100644 index 0000000..3cb3094 --- /dev/null +++ b/modules/disko/legacy-full-ext4.nix @@ -0,0 +1,28 @@ +{ + disko.devices = { + disk = { + sda = { + type = "disk"; + device = "/dev/sda"; + content = { + type = "gpt"; + partitions = { + MBR = { + type = "EF02"; # for grub MBR + size = "1M"; + priority = 1; # Needs to be first partition + }; + root = { + size = "100%"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + }; + }; + }; + }; + }; + }; + }; +} From 85c7dab07852be6c73c77621e0440d5fbca3474f Mon Sep 17 00:00:00 2001 From: JuliusFreudenberger Date: Sun, 29 Mar 2026 21:01:28 +0200 Subject: [PATCH 77/78] Add opkssh module to srv01.hf --- hosts/srv01.hf/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/srv01.hf/default.nix b/hosts/srv01.hf/default.nix index cbfa9e5..f88e962 100644 --- a/hosts/srv01.hf/default.nix +++ b/hosts/srv01.hf/default.nix @@ -21,6 +21,7 @@ ../../modules/newt.nix ../../modules/dockhand.nix ../../modules/auto-upgrade.nix + "${inputs.secrets}/modules/opkssh.nix" # Include the results of the hardware scan. ./hardware-configuration.nix ]; From 62334a00dd0b83d86e2838beecce4ac7412c1eef Mon Sep 17 00:00:00 2001 
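Review bot: `modules/disko/legacy-full-ext4.nix` hard-codes `device = "/dev/sda"` in a module whose generic name suggests reuse across hosts, and disko wipes and repartitions exactly that device at install time; a host whose disk appears under another name (a virtio-blk `vda`, for instance) cannot import it without editing the shared file. Making the module a function and marking the device overridable — `{ lib, ... }:` at the top and `device = lib.mkDefault "/dev/sda";` — keeps the current behaviour while letting a host set `disko.devices.disk.sda.device` itself. A one-line header comment saying that the module is destructive and which device it targets would also help, since the file currently has none.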
From: JuliusFreudenberger Date: Sun, 29 Mar 2026 21:12:46 +0200 Subject: [PATCH 78/78] Add terraform module Terraform is used to manage the VMs on the Proxmox host `busch`. --- terraform/.envrc | 1 + terraform/.gitignore | 42 +++++++++++ terraform/busch/.terraform.lock.hcl | 24 +++++++ terraform/busch/main.tf | 46 ++++++++++++ terraform/busch/modules/proxmox-vm/main.tf | 66 ++++++++++++++++++ .../busch/modules/proxmox-vm/variables.tf | 64 +++++++++++++++++ terraform/busch/plan | Bin 0 -> 10451 bytes terraform/busch/variables.tf | 10 +++ 8 files changed, 253 insertions(+) create mode 100644 terraform/.envrc create mode 100644 terraform/.gitignore create mode 100644 terraform/busch/.terraform.lock.hcl create mode 100644 terraform/busch/main.tf create mode 100644 terraform/busch/modules/proxmox-vm/main.tf create mode 100644 terraform/busch/modules/proxmox-vm/variables.tf create mode 100644 terraform/busch/plan create mode 100644 terraform/busch/variables.tf diff --git a/terraform/.envrc b/terraform/.envrc new file mode 100644 index 0000000..2c8269e --- /dev/null +++ b/terraform/.envrc @@ -0,0 +1 @@ +use flake ../#opentofu diff --git a/terraform/.gitignore b/terraform/.gitignore new file mode 100644 index 0000000..8a7f7b7 --- /dev/null +++ b/terraform/.gitignore 
@@ -0,0 +1,42 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tofu
+override.tf.json
+override.tofu.json
+*_override.tf
+*_override.tofu
+*_override.tf.json
+*_override.tofu.json
+
+# Ignore transient lock info files created by tofu apply
+.terraform.tfstate.lock.info
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+# !example_override.tofu
+
+# Include tfplan files to ignore the plan output of command: tofu plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
diff --git a/terraform/busch/.terraform.lock.hcl b/terraform/busch/.terraform.lock.hcl
new file mode 100644
index 0000000..6ce99f5
--- /dev/null
+++ b/terraform/busch/.terraform.lock.hcl
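Review bot: The new `.gitignore` leaves the plan-file rule commented out (`# example: *tfplan*`), and this same patch commits a saved plan, `terraform/busch/plan` (binary, 10451 bytes in the diffstat). Saved plan files record the values of all input variables in plaintext unless OpenTofu's plan encryption is configured, which nothing here does, so if `proxmox_token_secret` from terraform/busch/variables.tf was supplied when that plan was produced it should be treated as exposed and rotated, and the file dropped from the commit. Add an uncommented pattern such as `plan` or `*tfplan*` under the `# Include tfplan files` comment; the `*.tfvars` rules already cover the variable files, the plan output is the gap.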
@@ -0,0 +1,24 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/telmate/proxmox" { + version = "3.0.2-rc07" + constraints = "3.0.2-rc07" + hashes = [ + "h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=", + "zh:2ee860cd0a368b3eaa53f4a9ea46f16dab8a97929e813ea6ef55183f8112c2ca", + "zh:415965fd915bae2040d7f79e45f64d6e3ae61149c10114efeac1b34687d7296c", + "zh:6584b2055df0e32062561c615e3b6b2c291ca8c959440adda09ef3ec1e1436bd", + "zh:65dcfad71928e0a8dd9befc22524ed686be5020b0024dc5cca5184c7420eeb6b", + "zh:7253dc29bd265d33f2791ac4f779c5413f16720bb717de8e6c5fcb2c858648ea", + "zh:7ec8993da10a47606670f9f67cfd10719a7580641d11c7aa761121c4a2bd66fb", + "zh:999a3f7a9dcf517967fc537e6ec930a8172203642fb01b8e1f78f908373db210", + "zh:a50e6df7280eb6584a5fd2456e3f5b6df13b2ec8a7fa4605511e438e1863be42", + "zh:b25b329a1e42681c509d027fee0365414f0cc5062b65690cfc3386aab16132ae", + "zh:c028877fdb438ece48f7bc02b65bbae9ca7b7befbd260e519ccab6c0cbb39f26", + "zh:cf0eaa3ea9fcc6d62793637947f1b8d7c885b6ad74695ab47e134e4ff132190f", + "zh:d5ade3fae031cc629b7c512a7b60e46570f4c41665e88a595d7efd943dde5ab2", + "zh:f388c15ad1ecfc09e7361e3b98bae9b627a3a85f7b908c9f40650969c949901c", + "zh:f415cc6f735a3971faae6ac24034afdb9ee83373ef8de19a9631c187d5adc7db", + ] +} diff --git a/terraform/busch/main.tf b/terraform/busch/main.tf new file mode 100644 index 0000000..966ec14 --- /dev/null +++ b/terraform/busch/main.tf 
@@ -0,0 +1,46 @@
+terraform {
+ required_providers {
+ proxmox = {
+ source = "telmate/proxmox"
+ version = "3.0.2-rc07"
+ }
+ }
+}
+
+provider "proxmox" {
+ pm_api_url = var.proxmox_api_url
+ pm_api_token_id = var.proxmox_token_id
+ pm_api_token_secret = var.proxmox_token_secret
+ pm_tls_insecure = true
+}
+
+module "truenas" {
+ source = "./modules/proxmox-vm"
+
+ name = "truenas"
+ target_node = "busch"
+ vmid = 100
+ memory = 8192
+ cpu_cores = 2
+ disk_storage = "local"
+ disk_size = "32G"
+ iso_path = "local:iso/TrueNAS-SCALE-25.10.2.1.iso"
+ startup_order = 1
+
+ mapped_pcie_devices = ["HBA"]
+}
+
+module "nixos-docker" {
+ source = "./modules/proxmox-vm"
+
+ name = "nixos-docker"
+ target_node = "busch"
+ vmid = 101
+ memory = 4096
+ cpu_cores = 2
+ disk_storage = "truenas-lvm"
+ disk_size = "64G"
+ iso_path = "local:iso/latest-nixos-minimal-x86_64-linux.iso"
+ startup_order = 2
+ startup_delay = 240
+}
diff --git a/terraform/busch/modules/proxmox-vm/main.tf b/terraform/busch/modules/proxmox-vm/main.tf
new file mode 100644
index 0000000..89ddcf3
--- /dev/null
+++ b/terraform/busch/modules/proxmox-vm/main.tf
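Review bot: `pm_tls_insecure = true` in the `proxmox` provider block disables certificate verification for every API call, so the token in `pm_api_token_secret` is sent to whatever answers at `proxmox_api_url` without the peer ever being authenticated. Prefer a certificate the client can verify (a proper certificate on the node, or the node's self-signed CA added to the local trust store) with `pm_tls_insecure = false`, or at least move it behind a variable that defaults to `false` so insecure mode is an explicit opt-in. The exact pin to the pre-release `3.0.2-rc07` also deserves a comment saying which feature requires it, since an exact constraint never moves without a manual edit.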
@@ -0,0 +1,66 @@
+terraform {
+ required_providers {
+ proxmox = {
+ source = "telmate/proxmox"
+ version = "3.0.2-rc07"
+ }
+ }
+}
+
+resource "proxmox_vm_qemu" "truenas" {
+ name = var.name
+ description = var.description
+ target_node = var.target_node
+ vmid = var.vmid
+ machine = length(var.mapped_pcie_devices) == 0 ? "pc" : "q35"
+ memory = var.memory
+ balloon = 1024
+ scsihw = "virtio-scsi-pci"
+ boot = "order=scsi0;ide0"
+ start_at_node_boot = true
+
+ cpu {
+ cores = var.cpu_cores
+ sockets = 1
+ }
+
+ disks {
+ scsi {
+ scsi0 {
+ disk {
+ storage = var.disk_storage
+ size = var.disk_size
+ }
+ }
+ }
+ ide {
+ ide0 {
+ cdrom {
+ iso = var.iso_path
+ }
+ }
+ }
+ }
+
+ network {
+ id = 0
+ bridge = "vmbr0"
+ model = "virtio"
+ }
+
+ dynamic "pci" {
+ for_each = { for device in var.mapped_pcie_devices : index(var.mapped_pcie_devices, device) => device }
+
+ content {
+ id = pci.key
+ mapping_id = pci.value
+ pcie = true
+ }
+ }
+
+ startup_shutdown {
+ order = var.startup_order
+ startup_delay = var.startup_delay
+ }
+
+}
diff --git a/terraform/busch/modules/proxmox-vm/variables.tf b/terraform/busch/modules/proxmox-vm/variables.tf
new file mode 100644
index 0000000..fe75fcd
--- /dev/null
+++ b/terraform/busch/modules/proxmox-vm/variables.tf
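Review bot: The `for_each` in `dynamic "pci"` derives its keys with `index(var.mapped_pcie_devices, device)`, which returns the first position of a value, so two identical entries collapse onto one key and evaluation stops with a duplicate-key error; `for_each = { for i, device in var.mapped_pcie_devices : i => device }` produces the same keys without the lookup and tolerates repeats. The resource label `"truenas"` on `proxmox_vm_qemu` is misleading in a module that the root main.tf instantiates for both `truenas` and `nixos-docker`; a neutral label such as `"this"` reads correctly in plan output and state addresses (`module.nixos-docker.proxmox_vm_qemu.this`). `balloon = 1024` is fixed while `memory` is a variable, so a VM configured with less memory than that would presumably get a balloon floor above its own allocation — worth either exposing it as a variable or deriving it from `var.memory`.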
@@ -0,0 +1,64 @@
+variable "vmid" {
+ description = "ID of the VM to create"
+ type = string
+}
+
+variable "name" {
+ description = "Name of the VM to create"
+ type = string
+}
+
+variable "description" {
+ description = "Description of the VM to create"
+ type = string
+ default = null
+ nullable = true
+}
+
+variable "target_node" {
+ description = "Name of the target node to create the VM on"
+ type = string
+}
+
+variable "memory" {
+ description = "Memory to allocate for the VM"
+ type = string
+}
+
+variable "cpu_cores" {
+ description = "Number of CPU cores to allocate for the VM"
+ type = number
+}
+
+variable "disk_storage" {
+ description = "Name of the storage to store the disk on"
+ type = string
+ default = "local"
+}
+
+variable "disk_size" {
+ description = "Size of the primary disk"
+ type = string
+}
+
+variable "iso_path" {
+ description = "Path of the ISO to use to install an OS"
+ type = string
+}
+
+variable "startup_order" {
+ description = "Order number of the VM in the startup chain"
+ type = number
+}
+
+variable "startup_delay" {
+ description = "Startup delay in seconds"
+ type = number
+ default = -1
+}
+
+variable "mapped_pcie_devices" {
+ description = "PCI mappings"
+ type = list(string)
+ default = []
+}
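Review bot: `vmid` and `memory` are declared `type = string` while `cpu_cores`, `startup_order` and `startup_delay` are `number`, and the root main.tf passes all of them as numbers (`vmid = 100`, `memory = 8192`); the string declarations only work through implicit conversion and would accept `"abc"` until the provider rejects it at apply time. Declaring `type = number` for both, plus a `validation` block on `vmid` (Proxmox only accepts IDs from 100 upwards, so `condition = var.vmid >= 100`), makes the module interface match what the provider expects. `startup_delay` defaults to `-1` under the description "Startup delay in seconds"; if `-1` is the provider's "not set" sentinel, the description should say so, since a reader cannot tell that from the value alone. The description for `mapped_pcie_devices`, "PCI mappings", would be clearer as the Proxmox resource-mapping names that `mapping_id` receives.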
diff --git a/terraform/busch/plan b/terraform/busch/plan new file mode 100644 index 0000000000000000000000000000000000000000..2532f9d9b806ff918140f23ff1419387f0feefbf GIT binary patch literal 10451 zcmeI2Wl)^U_OAzr5L|=1Yp_6qySux)4emjLy9W>M8r*|hfFZcMyZa?)pL2Gy?>W2f zt-4=s)qlM;H9a5RRo&Cw>-nwKEhh;9i4K5$dA8s@v;e;tGyo3ZXkurjZ=3rAsVQ%0O{CmsM+M_8b+r^6%ML z-=^jznRdzvaQAev*v~0YWH(l?Sv4pZROx7!G?mnDHCc10$O$YaSo-x~JwNQ>%6wA~ zLS5mdbAT<3Zc#Oc>yE8eN;uUM7QiNkqwVqAB=p+e`6ekjnsgpQC7rRb$tiyiBQCPdSLJd!EI zf*IC@jtz=qKazq^Fy~7Erb+Rtu`gsOK1f{Xlz*nmLovY%AXpKye)fc^)nLu9E^xSp z&rt~mA1D08nhnC~r4g72(Q`%1Rl^z70qZu9II0B1UW^&Wy|CMO|UADz8OkCr%= z$cQ{&Q%Z>hX9D(9LfK{DbfKyMPDvRJhSlKcobw^k-!)t3BrSqRl z-ltxj1aPKa>uqT#Hwb>Va^MqMhBI%0>t?A~-P85ivC*@i_bs4gw^U{_c8SsNlG;X=<_EJ7D~4b z*svnBN;eI-v2Y*lgMi}dKH&5zi!=V1>)0QL!NilFi0j{N)b$x4)yw03?9*_s$on=n zMAN^T8v*`ZDVx%oEO+3!JKi61;wg8;2(@@c=XLea&6aV^cVqI02ZkdMWKDxGgeGB0 z{5H}Xgk+oNqRkwTMZBl(L4Ed1cRxQJV#w2PY~_6se#pxVO68laC$#NJZ+A@QUx)* z>e{83DAleB7ggiPNFkS!{!m>i-whkkbBjPybaB%J4kdupIPlDu&1dSQ5v6W57uYr$ zph~y1$(T(kwQ=dD7ip2KM|0N|P$hRvo;J_|l7Sh(+!=5Rj_(U-)4X6toW|JH)A8z9 zCu;XPJX-XW#4uDwl|q6fikuG+4(_cPt!}4fH;=`5-mRKTjubX>&lEQq*Sx?dp3@0C zWmxOZ30Y#UYt$4?OxT567imx3O>-XRUJTITVY2iw0Dk zgz>!UcS1$1wojX?l2{UqnS=eQ*GV?6Xl5bigX( z!QdoZPTjfZsZ_98@aS|oStX@%47y=Zao|s9JToMPC3;2j1~>$!T6pyqp#s@2MpCES z@R+j&3K_ilC*R;WlZ5q?l($)z zq%#9uCXf)0L2<50-%o6sKDtcAxnA4)H}6t6c${gC+i;0Cn~w{E@D44GnCBv@S=i)~ zGCWwH{hN>=opxXEflU3H-p_Kh8_=AG8qPnHe{>0V@!zkVe6y@Qcx$7;nzilgeC@U1 zxG&vjK38T^HeNb88l9mWoskfeVJucrI58^WKHt7TKK5niYv2znBSrynf%T3Yqmx69 z^4Fx`=|5J8@Qx_cM1rqdh~y`jMYUN>ht)SoyR_GoY=e??WIQ_uS_BkqEev`$Xn}}5dZc@UM;`o?k#dE4L*(VK+g33z8(io zxo#1$9qr|$O3s?CRaR*0R_W~6S*OTRE`*jGW5^qZiOm zYr^NV*1c)Nq&uMvIhL&be$RQsrB*Vxbc^ki`);q#+dl8Am6>dX4+#1dUPTuMQ{9QY zigy?9yC4VZ+N^mDV~Ac8e9_W|Fv`mLIayIG3%JYu6s;*UULC)ISpd z0ME~Ik}$A#bjdLIumHdi1^^)UUzG*SKa_=oqrRi@zokXE>Y~GZ1B%bFuD!qMAO*F0 z-OR3k>d@v|NUZrfd#xA2YuJxubf|hK{OaR3KF4&ONHa~2cPpnyNMVbc-ug~L_|qa( zA=SzObkiy55*)4q^1#GyQ(Sc7u393t!C2z}3t~=c&cQKZ0>-3UlNvp@Dy>R#Nh~@U 
z_At+pa_q)Ij?@cOVKL5mE=xIQ&yeUX5l-nw{@E@Rw$Mf#CAYOwww31c%ji`2zbM)nq^#_4ObxU+Y=a23wrNf*Jq2yuf=wz5=q;M z(+E`$o^tmv?m{T2AT<(ELWD9`!L7n>6p|^6nD_9gqC(hcDpcYYEtKD~4@d-ZH$d*{ zS(O+Fs^7D%Afg!%29ZON?N!*iUxl)bCR9`TkG|`vTE(CKMj#j1FeQ-#yO~>#@h-l5 zmqwsbF6)OKND<}iE*ccR-~Prz=s~s9^+OtyzVi|c4Rn28iKSi)_oSgo4^w&!$(eF%Q^|BgpLo3PH&HSsK%QDd?Y~pIF8nGeimt;Q|g; zQ3fkec&b5cM!;`WP3v+-14=XrZ!v}Y#r0bgY*=s3W>UNTiIRaDf*HAt%?ocdzQ8i; zAggN9&Dnf{GfYV(cIX_q+Yl0qEQ*a)EQF^s`qDf6)@BDADXZ43%(kwK@lyA!i?QC2 zF~hfwNAYBr?=}T}CGVN=8qyd?0XkZqO0YIN_j`c+cKzJx=(H}D?y|Ozd%GB8R^CL- z#_J6d$i~_PmGaU+xvQ$81jFdy+42G*>VyoI=e?^gQZ0;dN`JcbT_O5D2SK`1s`!mD zJ&~5D(99+~p>8}fjKLr-O2_Rv=CAQ%7GjiWfvANuo$^Z!DQY&uulZf!Sc54%cHE|t zg5}COakgb}J-}B|hCnLBG6{GRrXtsr*Vnv?mCtAhb)d9i?nhs6&W-5$2Cr!;Ko$=JnBBBbEa{E9}8V-;!?CEl99^H-^;#D zvJp_U+O~$qYw%MFxG8nd=opSt8EVqBbV|(DIg<}YZ#Y+6Fo2tqn4W!scwFHQN_zYd zvRZ~puUw66`~ip1cLVYr24{k}Z1g5vH5Wg_5(%Y+%-1w3&haX5c&#?5@+I(8lo_WH z>^prP#}TGZ906Le&-}|tSe0U@BD)ZS<+0LtltZY1zbqu9(CHtdgqgu}1bW^wYCIwo(@+>A<~kIYaG=o#u5L zwO5Y1LiPc4)Ip;6lW`Tfy7n#egDag52mTm%H!e#xZP-!4r!sQw=~-@19J$t?=(r#5 zmn%A1dfzinC@?E~mIw=8fF)HnhAYM$PTRnvsWWxdp-)-I&aQ4=9CSy;N3I;djQXd6wEZ! 
zV4g%K7KL9I9MfG4sauZNGBx0vVgcQZT&xDa0tLIz9O95@^A|d~YvF5_CFeK?%iJs+ zq*12r3)VEPow}!Qg^{oB8aT<9V%?euVxAfU-<*?dGmGDwMe-WnsmZ__;1L_rXi>FN zrs$8$=$gWyF4K4ob4ZXAK!FJm6FdHtYJywmESyuSn9$x zVWtkMFN-3Hwl`nX9>R|DlIbB~GcxPMLGYb?N!(z|99Db#G*u~-^kCG5FgCE;**jd1 zKp?_pv?y*G7-0mE;z1E?b^hwq1=2>m*WsY%pA)Axf)n5CQ$g)xjCL>&z`*ZYJuV3f zT5lNh&#{BN7CQvErzRxz?f4ABw43M<5Z<#Nwa7l$DcYu{ZXJa@&9q7GHDA>4O&s2D z-_O6l-|Sl48*0Ak+t#h$Wp8!6OS4&TCY)XiV_maxQ(S)B&b;iSylnAmTC(*?f97dz zo?Y~5u9&IczS-U$WxGFNJl))VB>ph}KqReG$cPNCM?s9;0y7ZT@nG}KZ%z$z82JTWbmx- z#s@JGNE;IB9+R6qK}N33QVs%gbblX&hMZNCTn`HNKw{x=fq`-GoDDCYep^d zN&}(AV9p_GKnLAb}wPpm8VvV~87=zV^ga1S|O6Y~;VxB4W?5cO24(qJ}t zxqY}{7j%B(Vh%WSS%L^0O$hR<*MlI>^sHD~WDD#!MUZZ8V!NTcFGO>_Q`MaX zjwwt2636>-s-?aylAUMLhx)pGLCVEFvI<(ZZ8OD zWW^NkB!fH@u1;jf=nFn>1jD8qLH$kHwz4;GqL%ExW|8314M)%Mcx`xnSV=jiV{x6gxEu-*R`^ANMFcR*=m^d$=L35OHa zfoxN(KPEhEx+8VEV}8106VfWk2I#eeB#6bOCTccB{C4Ml4-cApin>*_Xa3;rbDTaL zpz8vF)R2TPz~VfwaBfk0_=T1&AZIJ(Fc{gP39?KNsvKR(du9jrlPQXUM3|?xk$TKj z&tA4#S(hu!BAJn?AJ@JJ|1!RVKGm2ZY93s5E?m@A7^SW_@0x2(LT4xNARWW{1!#<3 zZwcgjpk*E%{Su#+W7@W>Pfw10+QElt*j+O+&N$aSM&4&%H~0=1@1+=V3{4c%hGaBE z(4NwM0w74KNQ{n!k!#f#e30U9RrqpyrJ>HNN@sm(-iEJ)NC3lctO;#sfK9}9f7D1^iVYh>06=eVqQdZ`RC>0vuRHl%6Sdj8sU0kELI? 
zAMD8XWop;l@u0RCueS63sY8uZhMkS$$Q`{TBg5I5k+7O~HBSYj%;1nDFt%-ADYukC zUE*v!bpmT}XUL6D3e89=%rehKNHzKTd_*d&@AJ4N8~ss2pmK(+ zj_vHyu%zVIo^GVXcLb+>_|xrrj@;~JHEoecNZ!tbqH}OMJY;%^$%x8Q(cFA?@{$sr zCTxjP%Q%TUf%wu5C|tPsj&%ENU0?D9f22E7NRfdtZAt}r;+q|R8(R!;vrYa)beOwQ z?MoD4O)EKJ8r;abaOS&ubHDfW#Ds96M`hK?NrJ~$k#qJC{UH0aW4U#^s!zAxIp2LX zZ7`wjQXh5Ex1~*CbG|$$%W<4}WMgxfgjB!Jcnl)U^jX|UeYiVyXcM>f(K=-Woy`;C1!>zKOvtVGs^LJ{l-wZ@$z~-HBusbS0&;aY z%h#zn`{b$|^smqOZtGT9UxTB>IB!}x*4=FJqQ$&UH&&VfL=QL!`i!Dyal0`$un^%J zrrV}FXKy}wkwpOT(ZR|T!78c?`$OSEA_!yGnu<&6$h3KN`~Ah9`GYSBsHWD|p>pCZ zSl`Benwaj)EgY;)@CHG*_wlDZ`8nr#W3X6!vy*R;ljN_Y8|f${)juMjGQe5B<8){&1UlwNGQsO;h=PF3 ztHXL})tjC*3G>qCBgos!!iyRD+!~k3mD2QxYoafO{y$Q7Qj_435-8RT#&V1A+GhM^=|m78luJ)(t})*)^_?l zzaRT>s1J{`C=FJ%_v)mQ-6ghuiv#ran20MIbbwnln%mEmn-&V9TDA~&bgmL#29z_4 zZ;do|k5S`<@Jz7jyfd@coxe91YEC&|)R-|T_qjRp%8Jo>8N?q$ipYFM33wUc?91oB zS0M<0ACir^tE~gQk*%SnG4Ov|)1HclHl)C!fS`r`XLjOpWlXmBtAVwD}s^(Xuf~FJ2&<1 zrrzU57R)Hg{P}LRE+Yg!&jajORFtGfx(MJ&Msd~OdeU^fQH5s0kQi1qL?_ic?SCLZ z4d9R&0b^j^lB}{xlZsHHqjc$r%^Pkqn?>5}nw83Sxr_)KQSa&v#;z!D#g)MlG$_l_x4$PlJdX=2LR3?|8A|3{mokY zk6S4%t}}9i2|4iCJ5*lAZlwd_!2BB21(LwfLJl=KG=KlCs_ZmZ0qd}tw3%AdFA3V+ z+#ss`InyVN^woMCyMvi+4`6(H-kw-m$X*}i-SJla(-A`di ze;N5a?Q)T```Sm$`_V*ac=X>hTj*-YSx2Cgv5mgN{{)c#2_XMZ z1IS-s^{-|2Ke6Ng=h%VqTkNnka{8&KEF5hAyl@e^r65=M@_Df{nKGqn1vv$fubuYW zFg`7Aat5eR8u+h`-9BU7_B2u74$Kw_Gtqb6<_QlJ>1p3J-csjr7WLdg3EyHg-eNQv zH=02k%70wUkIe@CXz4bv(D;S{|8i9Ghh(aA?5Q_?34J$zE17;ue+EZmAW+}L7HG|2 z^&*xS%nYsmE&YuqMj~-V5n)c6GqQ;ZU0kG8Fb1;0bgwFdgkN_>u1ZEjgbBOjB*&l^ zZMx!ZEJAc*LG2oHJhg9$PL^y=th=iNy+Vy!=|<}a*fo)uv6^lAOy^bV3ks5qTj=f& zlc$ZjOXr{TuPxk6gG#vRnWqmEJ=8_$Wc!BdN`uHN<}dMvE?KR^hPrHAxCqrB~a zujh)W{V?w~@7Xh-^^3Dzm#;3i*UwKV_fI$ZLXOaxdI|T1`XX$p=4$Ig8SG6(X5%|* zUGHLHJw_tcS{fGR5yU?OX+V`!V|o&yA~_rEoW)S2>`su~m~Xb;S*$ZChE^}jOSMLT z3$YMefH8FMgrhs1Q0bsAHqn|}>N((;86os_sJIQc%TG+?XC)HodCB0%=)6k6jC&tN zM8yPGfnMswTMP_zgkXI;_VdOH=PpLIQ5k5~O+51sRQH_o*C}(n^S8yTUqPRV^ z?yZ8lq`c1xY5A>#E;@xS1C3u!x)6dREttXNTQF3s`kOe;;}Qks66*YkIJtQ8^kT>$ 
zOQ?OSJibj8ARv+;8Kn3{wa5WI;Qb)1pQ*$y@_HRaPFfy{s5H(8w0)}8MY1wxWMYvL z?n(#z@j-mHR}mUNm^4-+WwOvhjUbis1L-@{KMv^`K*?6r*39ztYS0}~1%aByzT4j? ziSAQ(ttR4i2`n1*2e*_#`N=I>SNccEv%xPb!s)AYu`ap+QOdN0Q^_KEdOQj`+4HJm zBPe`pg@?K|$+xu-)q-@b@6Kw z`7=oTY1o)QUHtcI!CyW7n!Ei>I{!2T?B6~8NA~^I-LLZeCqw_VmEYa{ZTk0DufIye zpVIzMlfwP2lfQZWzwYo)ZTY8B;Q!|OUlQQ2<(I$f>+k?~4bG1n{@Kk&}daDOUji@Gp<>%f@mg|M}~G0YDAtB>(^b literal 0 HcmV?d00001 diff --git a/terraform/busch/variables.tf b/terraform/busch/variables.tf new file mode 100644 index 0000000..a352dd7 --- /dev/null +++ b/terraform/busch/variables.tf @@ -0,0 +1,10 @@ +variable "proxmox_api_url" { + description = "API URL, typically ends with `/api2/json`" +} + +variable "proxmox_token_id" { + description = "Token ID" +} +variable "proxmox_token_secret" { + description = "Token Secret" +}
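Review bot: `proxmox_token_secret` is declared without `sensitive = true` and none of the three variables has a `type`, so nothing prevents the secret from being echoed in plan or apply output should it ever flow into a resource attribute or output; add `sensitive = true` to it and `type = string` to all three. Marking it sensitive redacts CLI output only — saved plan files and state still hold the value in plaintext — so the value should be supplied via `TF_VAR_proxmox_token_secret` or an ignored `.tfvars` file, never through anything that is committed alongside this directory. A short description for `proxmox_token_id` naming the expected `user@realm!tokenname` form would also spare the next user a round-trip to the provider docs.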