Merge branch 'test-new-server-setup'

This commit is contained in:
JuliusFreudenberger 2026-03-29 21:15:28 +02:00
commit d7b1521b29
59 changed files with 1900 additions and 411 deletions


@ -1,64 +0,0 @@
{
"nodes": {
"flake-utils": {
"inputs": {
"systems": [
"systems"
]
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1736684107,
"narHash": "sha256-vH5mXxEvZeoGNkqKoCluhTGfoeXCZ1seYhC2pbMN0sg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "635e887b48521e912a516625eee7df6cf0eba9c1",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.11",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs",
"systems": "systems"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}


@ -1,21 +0,0 @@
{
description = "A basic flake with a shell";
inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
inputs.systems.url = "github:nix-systems/default";
inputs.flake-utils = {
url = "github:numtide/flake-utils";
inputs.systems.follows = "systems";
};
outputs =
{ nixpkgs, flake-utils, ... }:
flake-utils.lib.eachDefaultSystem (
system:
let
pkgs = nixpkgs.legacyPackages.${system};
in
{
devShells.default = pkgs.mkShell { packages = with pkgs; [ maven jdk17 ]; };
}
);
}


@ -1,64 +0,0 @@
{
"nodes": {
"flake-utils": {
"inputs": {
"systems": [
"systems"
]
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1734435836,
"narHash": "sha256-kMBQ5PRiFLagltK0sH+08aiNt3zGERC2297iB6vrvlU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "4989a246d7a390a859852baddb1013f825435cee",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs",
"systems": "systems"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}


@ -1,21 +0,0 @@
{
description = "A basic flake with a shell";
inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
inputs.systems.url = "github:nix-systems/default";
inputs.flake-utils = {
url = "github:numtide/flake-utils";
inputs.systems.follows = "systems";
};
outputs =
{ nixpkgs, flake-utils, ... }:
flake-utils.lib.eachDefaultSystem (
system:
let
pkgs = nixpkgs.legacyPackages.${system};
in
{
devShells.default = pkgs.mkShell { packages = with pkgs; [ maven jdk21 ]; };
}
);
}


@ -1,64 +0,0 @@
{
"nodes": {
"flake-utils": {
"inputs": {
"systems": [
"systems"
]
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1736684107,
"narHash": "sha256-vH5mXxEvZeoGNkqKoCluhTGfoeXCZ1seYhC2pbMN0sg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "635e887b48521e912a516625eee7df6cf0eba9c1",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.11",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs",
"systems": "systems"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}


@ -1,30 +0,0 @@
{
description = "A basic flake with a shell";
inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
inputs.systems.url = "github:nix-systems/default";
inputs.flake-utils = {
url = "github:numtide/flake-utils";
inputs.systems.follows = "systems";
};
outputs =
{ nixpkgs, flake-utils, ... }:
flake-utils.lib.eachDefaultSystem (
system:
let
pkgs = nixpkgs.legacyPackages.${system};
in
{
devShells.default = pkgs.mkShell { packages = with pkgs; [ (php81.buildEnv {
extensions = ({ enabled, all }: enabled ++ (with all; [
xdebug
]));
extraConfig = ''
xdebug.mode=debug
'';
})
php81Packages.composer
]; };
}
);
}


@ -1,64 +0,0 @@
{
"nodes": {
"flake-utils": {
"inputs": {
"systems": [
"systems"
]
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1739624908,
"narHash": "sha256-f84lBmLl4tkDp1ZU5LBTSFzlxXP4926DVW3KnXrke10=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a60651b217d2e529729cbc7d989c19f3941b9250",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.11",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs",
"systems": "systems"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

View file

@ -1,21 +0,0 @@
{
description = "Flake for TeXlive with python pygments";
inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
inputs.systems.url = "github:nix-systems/default";
inputs.flake-utils = {
url = "github:numtide/flake-utils";
inputs.systems.follows = "systems";
};
outputs =
{ nixpkgs, flake-utils, ... }:
flake-utils.lib.eachDefaultSystem (
system:
let
pkgs = nixpkgs.legacyPackages.${system};
in
{
devShells.default = pkgs.mkShell { packages = with pkgs; [ texliveFull python3Packages.pygments ]; };
}
);
}

flake.lock generated

@ -1,5 +1,28 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": [],
"home-manager": "home-manager",
"nixpkgs": [
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1770165109,
"narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=",
"owner": "ryantm",
"repo": "agenix",
"rev": "b027ee29d959fda4b60b57566d64c98a202e0feb",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"auto-cpufreq": {
"inputs": {
"nixpkgs": [
@ -7,11 +30,11 @@
]
},
"locked": {
"lastModified": 1752998173,
"narHash": "sha256-ZlYpBp2WOe03UrpjJGz5KTOL/pp7A452hJO/Vc8C4/0=",
"lastModified": 1772058043,
"narHash": "sha256-m1cmQgb6tBcHkndKZ8BSsw6PRNJMG89FZwoYVOuKi34=",
"owner": "AdnanHodzic",
"repo": "auto-cpufreq",
"rev": "562278377ffa96f3c1af49c7b499df028ce8d8bd",
"rev": "5d600d710bb2aa331e1a4370e08476bcdea1cab5",
"type": "github"
},
"original": {
@ -20,6 +43,26 @@
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1773889306,
"narHash": "sha256-PAqwnsBSI9SVC2QugvQ3xeYCB0otOwCacB1ueQj2tgw=",
"owner": "nix-community",
"repo": "disko",
"rev": "5ad85c82cc52264f4beddc934ba57f3789f28347",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
@ -36,6 +79,21 @@
"type": "github"
}
},
"flake-compat_2": {
"locked": {
"lastModified": 1747046372,
"narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
@ -61,20 +119,41 @@
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1753592768,
"narHash": "sha256-oV695RvbAE4+R9pcsT9shmp6zE/+IZe6evHWX63f2Qg=",
"lastModified": 1745494811,
"narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "fc3add429f21450359369af74c2375cb34a2d204",
"rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-25.05",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1774559029,
"narHash": "sha256-deix7yg3j6AhjMPnFDCmWB3f83LsajaaULP5HH2j34k=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "a0bb0d11514f92b639514220114ac8063c72d0a3",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-25.11",
"repo": "home-manager",
"type": "github"
}
@ -87,11 +166,11 @@
"pre-commit-hooks": "pre-commit-hooks"
},
"locked": {
"lastModified": 1752585957,
"narHash": "sha256-ogQo/MMNSIM4U4VQMieIrpLhjkgSbev3VR24foJ/h/U=",
"lastModified": 1764660538,
"narHash": "sha256-kEWb9Hc2OxdLhJ1pRdW7zRZ57Mul3/Jpy3vyhQ8Yq6o=",
"owner": "~rycee",
"repo": "lazy-apps",
"rev": "3c3ce5001e24b6c12496a5920eee28a96f8d49d6",
"rev": "4ddc92c77213f8ed3ddef1868f4a19002afa728a",
"type": "sourcehut"
},
"original": {
@ -102,11 +181,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1755330281,
"narHash": "sha256-aJHFJWP9AuI8jUGzI77LYcSlkA9wJnOIg4ZqftwNGXA=",
"lastModified": 1774465523,
"narHash": "sha256-4v7HPm63Q90nNn4fgkgKsjW1AH2Klw7XzPtHJr562nM=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "3dac8a872557e0ca8c083cdcfc2f218d18e113b0",
"rev": "de895be946ad1d8aafa0bb6dfc7e7e0e9e466a29",
"type": "github"
},
"original": {
@ -118,20 +197,36 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1755471983,
"narHash": "sha256-axUoWcm4cNQ36jOlnkD9D40LTfSQgk8ExfHSRm3rTtg=",
"lastModified": 1774388614,
"narHash": "sha256-tFwzTI0DdDzovdE9+Ras6CUss0yn8P9XV4Ja6RjA+nU=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "48f4c982de68d966421d2b6f1ddbeb6227cc5ceb",
"rev": "1073dad219cb244572b74da2b20c7fe39cb3fa9e",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-25.05",
"ref": "nixos-25.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-libvncserver": {
"locked": {
"lastModified": 1750111231,
"narHash": "sha256-3a7Tha/RwYlzH/v3PJrG7+HjOj4c6YOv2K8sqdGsHVQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e6f23dc08d3624daab7094b701aa3954923c6bbb",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e6f23dc08d3624daab7094b701aa3954923c6bbb",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1730741070,
@ -148,6 +243,38 @@
"type": "github"
}
},
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1769318308,
"narHash": "sha256-Mjx6p96Pkefks3+aA+72lu1xVehb6mv2yTUUqmSet6Q=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "1cd347bf3355fce6c64ab37d3967b4a2cb4b878c",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1774386573,
"narHash": "sha256-4hAV26quOxdC6iyG7kYaZcM3VOskcPUrdCQd/nx8obc=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "46db2e09e1d3f113a13c0d7b81e2f221c63b8ce9",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat",
@ -172,17 +299,89 @@
"type": "github"
}
},
"proxmox-nixos": {
"inputs": {
"flake-compat": "flake-compat_2",
"nixpkgs-libvncserver": "nixpkgs-libvncserver",
"nixpkgs-stable": "nixpkgs-stable_2",
"utils": "utils"
},
"locked": {
"lastModified": 1769870714,
"narHash": "sha256-wjwCj70iiFXoAasQto+3jTaA4wCMOAs/rdX+nsmtBrQ=",
"owner": "SaumonNet",
"repo": "proxmox-nixos",
"rev": "c1f79f104930347a0b84abbca0d42884063a8c09",
"type": "github"
},
"original": {
"owner": "SaumonNet",
"repo": "proxmox-nixos",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"auto-cpufreq": "auto-cpufreq",
"home-manager": "home-manager",
"disko": "disko",
"home-manager": "home-manager_2",
"lazy-apps": "lazy-apps",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"systems": "systems"
"nixpkgs-unstable": "nixpkgs-unstable",
"proxmox-nixos": "proxmox-nixos",
"secrets": "secrets",
"systems": "systems_3"
}
},
"secrets": {
"flake": false,
"locked": {
"lastModified": 1774571252,
"narHash": "sha256-NU/vfItTMSjaRTXe0UDzbWR8UnhkBUFU47OpqEpxKb4=",
"ref": "refs/heads/main",
"rev": "7965907ae885d77acb3c4ecc11cee096a12af868",
"revCount": 25,
"type": "git",
"url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git"
},
"original": {
"type": "git",
"url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
@ -196,6 +395,24 @@
"repo": "default-linux",
"type": "github"
}
},
"utils": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",

flake.nix

@ -1,12 +1,21 @@
{
description = "NixOS configuration of Julius Freudenberger";
nixConfig = {
extra-substituters = [
"https://cache.saumon.network/proxmox-nixos"
];
extra-trusted-public-keys = [
"proxmox-nixos:D9RYSWpQQC/msZUWphOY2I5RLH5Dd6yQcaHIuug7dWM="
];
};
inputs = {
#nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
home-manager = {
url = "github:nix-community/home-manager/release-25.05";
url = "github:nix-community/home-manager/release-25.11";
inputs.nixpkgs.follows = "nixpkgs";
};
auto-cpufreq = {
@ -17,24 +26,43 @@
url = "sourcehut:~rycee/lazy-apps";
inputs.nixpkgs.follows = "nixpkgs";
};
proxmox-nixos.url = "github:SaumonNet/proxmox-nixos";
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
agenix = {
url = "github:ryantm/agenix";
inputs = {
nixpkgs.follows = "nixpkgs";
darwin.follows = "";
};
};
secrets = {
url = "git+ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git";
flake = false;
};
systems.url = "github:nix-systems/default-linux";
};
outputs = {
self,
nixpkgs,
#nixpkgs-unstable,
nixpkgs-unstable,
nixos-hardware,
home-manager,
auto-cpufreq,
proxmox-nixos,
agenix,
disko,
systems,
...
} @ inputs: let
inherit (self) outputs;
lib = nixpkgs.lib;
eachSystem = lib.genAttrs (import systems);
forEachSystem = f: lib.genAttrs (import systems) (system: f pkgsFor.${system});
pkgsFor = lib.genAttrs (import systems) (
pkgsFor = eachSystem (
system:
import nixpkgs {
inherit system;
@ -54,10 +82,6 @@
system = "x86_64-linux";
specialArgs = {
#pkgs-unstable = import nixpkgs-unstable {
# inherit system;
# config.allowUnfree = true;
#};
inherit inputs outputs username;
};
@ -90,6 +114,113 @@
./hosts/backup-raspberrypi
];
};
busch = nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux";
specialArgs = {
inherit inputs outputs;
};
modules = [
./hosts/busch
disko.nixosModules.disko
proxmox-nixos.nixosModules.proxmox-ve
({...}: {
nixpkgs.overlays = [
proxmox-nixos.overlays.${system}
];
})
];
};
busch-main-docker = nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux";
specialArgs = {
inherit inputs outputs;
};
modules = [
./hosts/busch-main-docker
disko.nixosModules.disko
agenix.nixosModules.default
];
};
srv01-hf = nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux";
specialArgs = {
inherit inputs outputs;
pkgs-unstable = import nixpkgs-unstable {
inherit system;
config.allowUnfree = true;
};
};
modules = [
disko.nixosModules.disko
agenix.nixosModules.default
./hosts/srv01.hf
];
};
};
homeConfigurations = {
jufr2 = let
username = "jufr2";
system = "x86_64-linux";
pkgs = nixpkgs.legacyPackages.${system};
in
home-manager.lib.homeManagerConfiguration {
inherit pkgs;
extraSpecialArgs = {
inherit username;
};
modules = [
home/core.nix
home/targets/genericLinux.nix
modules/nix.nix
home/neovim/default.nix
home/zsh/default.nix
home/cli.nix
home/gui.nix
home/java-dev.nix
home/direnv/default.nix
];
};
};
devShells = eachSystem (system:
let
pkgs = nixpkgs.legacyPackages.${system};
in {
java11-maven = pkgs.mkShell { packages = with pkgs; [ maven jdk11 ]; };
java17-maven = pkgs.mkShell { packages = with pkgs; [ maven jdk17 ]; };
java21-maven = pkgs.mkShell { packages = with pkgs; [ maven jdk21 ]; };
texlive-with-pygments = pkgs.mkShell { packages = with pkgs; [ texliveFull python3Packages.pygments ]; };
php8 = pkgs.mkShell { packages = with pkgs; [
(php82.buildEnv {
extensions = ({ enabled, all }: enabled ++ (with all; [
xdebug
]));
extraConfig = ''
xdebug.mode=debug
'';
})
php82Packages.composer
];};
}
);
};
}
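Review bot: The `nixConfig.extra-substituters` / `extra-trusted-public-keys` pair at the top of the first hunk (`@ -1,12 +1,21`) means that, once a user accepts the flake's config prompt, every store path signed by the proxmox-nixos key is used as-is instead of being built locally, and the same key is repeated verbatim in hosts/busch/default.nix; a comment stating why that third-party cache is trusted and which file is the authoritative copy of the key would make the trust decision reviewable, e.g. `# Third-party binary cache for proxmox-nixos; paths signed by this key are substituted without a local build.` In the last hunk, `homeConfigurations.jufr2` evaluates against `nixpkgs.legacyPackages.${system}` rather than the `pkgsFor` set defined earlier in `outputs`, so if any package listed in home/gui.nix is unfree the configuration will fail to evaluate unless a home module sets allowUnfree elsewhere — worth confirming. The `outputs` attribute set that these hunks modify begins before the last hunk and its header is outside this hunk.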

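--- /dev/null
+++ b/home/cli.nix
@@ -0,0 +1,23 @@
+{
+pkgs,
+lib,
+config,
+...
+}: {
+home.packages = with pkgs; [
+wget
+curl
+git
+neofetch
+tealdeer
+pdfgrep
+pdftk
+p7zip
+];
+programs = {
+htop.enable = true;
+bat.enable = true;
+};
+}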
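Review bot: The module header destructures `lib` and `config`, but neither name is used anywhere in the body; the same unused pair appears in home/gui.nix and home/java-dev.nix in this commit. Trimming the pattern to `{ pkgs, ... }: {` keeps each module's stated dependencies honest and matches the minimal header already used by the new targets/genericLinux module.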

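--- /dev/null
+++ b/home/gui.nix
@@ -0,0 +1,24 @@
+{
+pkgs,
+lib,
+config,
+...
+}: {
+home.packages = with pkgs; [
+jetbrains.idea
+teams-for-linux
+mate.engrampa
+zotero
+deezer-enhanced
+];
+programs = {
+firefox.enable = true;
+keepassxc = {
+enable = true;
+autostart = true;
+};
+};
+xdg.autostart.enable = true;
+}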

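--- /dev/null
+++ b/home/java-dev.nix
@@ -0,0 +1,17 @@
+{
+pkgs,
+lib,
+config,
+...
+}: {
+home.packages = with pkgs; [
+maven
+gradle
+];
+home.extraDependencies = with pkgs; [
+jdk11
+jdk17
+jdk21
+];
+}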


@ -0,0 +1,7 @@
{
...
}: {
targets.genericLinux.enable = true;
}


@ -0,0 +1,42 @@
{ inputs, outputs, config, lib, pkgs, ... }:
{
imports =
[
../../modules/disko/legacy-full-ext4.nix
../../users/julius/nixos-server.nix
../../modules/nix.nix
../../modules/auto-upgrade.nix
../../modules/locale.nix
../../modules/server-cli.nix
../../modules/sshd.nix
../../modules/docker.nix
"${inputs.secrets}/modules/opkssh.nix"
# Include the results of the hardware scan.
./hardware-configuration.nix
];
# Use the GRUB 2 boot loader.
boot = {
loader.grub = {
enable = true;
};
tmp.useTmpfs = true;
};
networking.hostName = "docker-main"; # Define your hostname.
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
# Most users should NEVER change this value after the initial install, for any reason,
# even if you've upgraded your system to a new NixOS release.
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
# to actually do that.
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
# and migrated your data accordingly.
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "25.05"; # Did you read the comment?
}
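Review bot: `networking.hostName = "docker-main"` does not match the flake attribute this host is built from (`busch-main-docker` in flake.nix, which references `./hosts/busch-main-docker`), and the imported ../../modules/auto-upgrade.nix sets `system.autoUpgrade.flake` to the bare flake path with no attribute, so the scheduled `nixos-rebuild` will look up `nixosConfigurations.docker-main` and fail. Either align the hostname, `networking.hostName = "busch-main-docker";`, or append the attribute to the upgrade target. The file's path is not shown on this page, so the attribute-to-directory mapping is inferred from flake.nix.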


@ -0,0 +1,17 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

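--- /dev/null
+++ b/hosts/busch/default.nix
@@ -0,0 +1,107 @@
+{ inputs, outputs, config, lib, pkgs, ... }:
+{
+imports =
+[
+./disko.nix
+../../modules/nix.nix
+../../modules/auto-upgrade.nix
+../../modules/locale.nix
+../../modules/server-cli.nix
+../../modules/sshd.nix
+"${inputs.secrets}/modules/opkssh.nix"
+../../modules/intel-cpu.nix
+# Include the results of the hardware scan.
+./hardware-configuration.nix
+];
+# Use the GRUB 2 boot loader.
+boot = {
+loader.grub = {
+enable = true;
+};
+tmp.useTmpfs = true;
+};
+networking.hostName = "busch"; # Define your hostname.
+users = {
+users = {
+julius = {
+isNormalUser = true;
+uid = 1000;
+extraGroups = [ "wheel" "julius" ];
+};
+};
+groups = {
+julius = {
+gid = 1000;
+};
+};
+};
+nix.settings = {
+substituters = [
+"https://cache.saumon.network/proxmox-nixos"
+];
+trusted-public-keys = [
+"proxmox-nixos:D9RYSWpQQC/msZUWphOY2I5RLH5Dd6yQcaHIuug7dWM="
+];
+};
+services = {
+proxmox-ve = {
+enable = true;
+ipAddress = "192.168.7.252";
+# Make vmbr0 bridge visible in Proxmox web interface
+bridges = [ "vmbr0" ];
+};
+openiscsi = {
+enable = true;
+name = "busch";
+};
+};
+networking.useDHCP = false;
+systemd.network = {
+enable = true;
+networks."10-lan" = {
+matchConfig.Name = [ "enp0s25" ];
+networkConfig = {
+Bridge = "vmbr0";
+};
+};
+netdevs."vmbr0" = {
+netdevConfig = {
+Name = "vmbr0";
+Kind = "bridge";
+};
+};
+networks."10-lan-bridge" = {
+matchConfig.Name = "vmbr0";
+networkConfig = {
+IPv6AcceptRA = true;
+DHCP = "ipv4";
+};
+linkConfig.RequiredForOnline = "routable";
+};
+};
+# This option defines the first version of NixOS you have installed on this particular machine,
+# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+# Most users should NEVER change this value after the initial install, for any reason,
+# even if you've upgraded your system to a new NixOS release.
+# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+# so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+# to actually do that.
+# This value being lower than the current NixOS release does NOT mean your system is
+# out of date, out of support, or vulnerable.
+# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+# and migrated your data accordingly.
+# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+system.stateVersion = "25.05"; # Did you read the comment?
+}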
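Review bot: `services.proxmox-ve.ipAddress = "192.168.7.252"` is a fixed address, yet the `10-lan-bridge` network further down obtains vmbr0's IPv4 with `DHCP = "ipv4"`, so the address Proxmox records for the node only stays correct for as long as the DHCP server keeps handing out that exact lease; a static `address = [ "192.168.7.252/24" ]` with an explicit gateway on the bridge, or at minimum a comment noting the DHCP reservation, would pin this. A second point inferred from the sibling files: ./disko.nix places the root filesystem on LUKS without a key file, while the imported ../../modules/auto-upgrade.nix enables `allowReboot`, so an unattended upgrade reboot will stop at the passphrase prompt unless an unlock mechanism not visible here is in place — confirm before the first scheduled reboot window.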

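--- /dev/null
+++ b/hosts/busch/disko.nix
@@ -0,0 +1,107 @@
+{
+disko.devices = {
+disk = {
+disk1 = {
+type = "disk";
+device = "/dev/disk/by-id/ata-Samsung_SSD_850_PRO_256GB_S251NX0H423575T";
+content = {
+type = "gpt";
+partitions = {
+MBR = {
+type = "EF02"; # for grub MBR
+size = "1M";
+priority = 1; # Needs to be first partition
+};
+ESP = {
+priority = 1;
+name = "ESP";
+size = "2G";
+type = "EF00";
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+mountOptions = [ "umask=0077" ];
+};
+};
+crypt_p1 = {
+size = "100%";
+content = {
+type = "luks";
+name = "p1";
+settings = {
+allowDiscards = true;
+};
+};
+};
+};
+};
+};
+disk2 = {
+type = "disk";
+device = "/dev/disk/by-id/ata-Samsung_SSD_850_PRO_256GB_S251NXAG833792N";
+content = {
+type = "gpt";
+partitions = {
+MBR = {
+type = "EF02"; # for grub MBR
+size = "1M";
+priority = 1; # Needs to be first partition
+};
+ESP = {
+priority = 1;
+name = "ESP";
+size = "2G";
+type = "EF00";
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot-fallback";
+mountOptions = [ "umask=0077" ];
+};
+};
+crypt_p2 = {
+size = "100%";
+content = {
+type = "luks";
+name = "p2";
+settings = {
+allowDiscards = true;
+};
+content = {
+type = "btrfs";
+extraArgs = [
+"-d raid1"
+"-m raid1"
+"/dev/mapper/p1"
+];
+subvolumes = {
+"/rootfs" = {
+mountpoint = "/";
+};
+"/home" = {
+mountOptions = [ "compress=zstd" ];
+mountpoint = "/home";
+};
+"/nix" = {
+mountOptions = [ "compress=zstd" "noatime" ];
+mountpoint = "/nix";
+};
+"/pve-cluster" = {
+mountOptions = [ "compress=zstd" ];
+mountpoint = "/var/lib/pve-cluster";
+};
+"/swap" = {
+mountpoint = "/.swapvol";
+swap.swapfile.size = "32G";
+};
+};
+};
+};
+};
+};
+};
+};
+};
+};
+}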
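Review bot: `MBR` and `ESP` carry the same `priority = 1` on both disks, although the comment on `MBR` says it needs to be the first partition; with a tie disko falls back to its own ordering (by attribute name, as far as I can tell), which would lay out `ESP` before `MBR`. Giving both ESP entries `priority = 2;` makes the BIOS-boot partition come first, as the comment intends. The `/swap` subvolume with `swap.swapfile.size = "32G"` sits on a btrfs volume created with `-d raid1`; as I understand btrfs, a swapfile whose extents are mirrored across devices cannot be activated, so verify that swapon actually succeeds on this layout rather than failing silently at boot.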


@ -0,0 +1,22 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "ehci_pci" "mpt3sas" "usbhid" "usb_storage" "sr_mod" ];
boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.kernelParams = [ "intel_iommu=on" "iommu=pt" "vfio-pci.ids=1000:0087" ];
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
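Review bot: The `boot.initrd.kernelModules` vfio entries and the `boot.kernelParams` line with `intel_iommu=on`, `iommu=pt` and `vfio-pci.ids=1000:0087` are hand-written additions to a file whose header states it is generated by nixos-generate-config and may be overwritten, so the next regeneration will silently drop the passthrough setup. Moving those two lines into the host's default.nix (which this file is imported from as ./hardware-configuration.nix) and leaving this file purely generated avoids that. The file's path is not shown on the page; I assume it belongs to hosts/busch from the surrounding sections.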


@ -0,0 +1,98 @@
{ inputs, outputs, config, lib, pkgs, ... }:
{
imports =
[
../../modules/disko/efi-full-btrfs.nix
./secrets.nix
../../users/julius/nixos-server.nix
../../users/nixremote.nix
../../modules/nix.nix
../../modules/network-server.nix
../../modules/locale.nix
../../modules/server-cli.nix
../../modules/sshd.nix
../../modules/qemu-guest.nix
../../modules/docker.nix
../../modules/teleport.nix
../../modules/portainer_agent.nix
../../modules/pangolin.nix
../../modules/newt.nix
../../modules/dockhand.nix
../../modules/auto-upgrade.nix
"${inputs.secrets}/modules/opkssh.nix"
# Include the results of the hardware scan.
./hardware-configuration.nix
];
services.openssh.openFirewall = false;
services.teleport = {
enable = true;
settings.teleport = {
ca_pin = config.age.secrets."teleport-ca_pin".path;
auth_token = config.age.secrets."teleport-join_token".path;
};
};
virtualisation.oci-containers.containers.portainer_agent.environmentFiles = [ config.age.secrets."portainer-join_token".path ];
services = {
pangolin = {
dnsProvider = "netcup";
baseDomain = "juliusfr.eu";
letsEncryptEmail = "contact@jfreudenberger.de";
environmentFile = config.age.secrets."pangolin".path;
};
traefik = {
environmentFiles = [ config.age.secrets."netcup-dns".path ];
};
};
services.newt-docker = {
enable = true;
pangolinEndpoint = "https://pangolin.juliusfr.eu";
connectionSecret = config.age.secrets."newt";
};
services.dockhand = {
enable = true;
appUrl = "dockhand.juliusfr.eu";
};
systemd.network = {
enable = true;
networks."10-wan" = {
matchConfig.Name = "ens18";
networkConfig.DHCP = "no";
address = [
"77.90.17.93/24"
"2a06:de00:100:63::2/64"
];
routes = [
{ Gateway = "77.90.17.1"; }
{ Gateway = "2a06:de00:100::1"; GatewayOnLink = true; }
];
dns = [ "9.9.9.9" ];
};
};
# Disable classic networking configuration
networking.useDHCP = lib.mkForce false;
networking.hostName = "srv01-hf"; # Define your hostname.
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
# Most users should NEVER change this value after the initial install, for any reason,
# even if you've upgraded your system to a new NixOS release.
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
# to actually do that.
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
# and migrated your data accordingly.
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "25.05"; # Did you read the comment?
}
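Review bot: `connectionSecret = config.age.secrets."newt";` hands the newt module the whole agenix secret attribute set, whereas every other secret reference in this file (`ca_pin`, `auth_token`, `environmentFiles`, `environmentFile`) passes `.path`; unless ../../modules/newt.nix (not in view) deliberately accepts the attrset, this should read `connectionSecret = config.age.secrets."newt".path;`. As a matter of style, `services` is assigned in four separate attribute sets in the same file; folding them into the single `services = { ... }` block would make it easier to see everything this host exposes.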


@ -0,0 +1,24 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -0,0 +1,11 @@
{ inputs, ... }:
{
age.secrets = {
teleport-ca_pin.file = "${inputs.secrets}/secrets/teleport/ca_pin";
teleport-join_token.file = "${inputs.secrets}/secrets/srv01-hf/teleport_auth_token";
portainer-join_token.file = "${inputs.secrets}/secrets/srv01-hf/portainer_join_token";
netcup-dns.file = "${inputs.secrets}/secrets/dns-management/netcup";
pangolin.file = "${inputs.secrets}/secrets/srv01-hf/pangolin";
newt.file = "${inputs.secrets}/secrets/srv01-hf/newt";
};
}

modules/arcane.nix Normal file
View file

@ -0,0 +1,64 @@
{
config,
lib,
...
}:
let
cfg = config.services.arcane;
in {
options.services.arcane = {
enable = lib.mkEnableOption "arcane, a modern Docker management UI";
appUrl = lib.mkOption {
description = "External URL arcane will be reachable from, without protocol";
type = lib.types.str;
};
secretFile = lib.mkOption {
description = ''
Agenix secret containing the following needed environment variables in dotenv notation:
- ENCRYPTION_KEY
- JWT_SECRET
- OIDC_CLIENT_ID
- OIDC_CLIENT_SECRET
- OIDC_ISSUER_URL
- OIDC_ADMIN_CLAIM
- OIDC_ADMIN_VALUE
'';
};
};
config = lib.mkIf cfg.enable {
virtualisation.oci-containers.containers = {
arcane = {
image = "ghcr.io/getarcaneapp/arcane:v1.11.2";
volumes = [
"/var/run/docker.sock:/var/run/docker.sock"
];
environment = {
APP_URL = "https://${cfg.appUrl}";
PUID = "1000";
PGID = "1000";
LOG_LEVEL = "info";
LOG_JSON = "false";
OIDC_ENABLED = "true";
OIDC_SCOPES = "openid email profile groups";
DATABASE_URL = "file:data/arcane.db?_pragma=journal_mode(WAL)&_pragma=busy_timeout(2500)&_txlock=immediate";
};
environmentFiles = [
cfg.secretFile.path
];
networks = [
"traefik"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.arcane.middlewares" = "arcane-oidc-auth@file";
"traefik.http.routers.arcane.rule" = "Host(`${cfg.appUrl}`)";
"traefik.http.services.arcane.loadbalancer.server.port" = "3552";
};
extraOptions = [
''--mount=type=volume,source=arcane-data,target=/app/data,volume-driver=local''
];
};
};
};
}
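Review bot: `secretFile` in `options.services.arcane` is declared without a `type`, unlike the sibling options, so a wrong value only fails later when `cfg.secretFile.path` is read in `environmentFiles`; the other new modules in this commit use `type = lib.types.anything;` for the same agenix-secret role and this one should match. The docker-socket bind mount on the `volumes` line hands the container full control of the host daemon (root-equivalent), so the `arcane-oidc-auth@file` middleware is the only barrier between the public hostname and host root; a comment next to `labels` should state that invariant, e.g. `# host docker.sock is mounted rw: this router MUST stay behind the OIDC middleware`. Pinning `image` by digest rather than the `v1.11.2` tag alone would make the deployment reproducible against tag moves.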

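--- a/modules/auto-upgrade.nix
+++ b/modules/auto-upgrade.nix
@@ -0,0 +1,37 @@
+{
+inputs,
+pkgs,
+...
+}: {
+system.autoUpgrade = {
+enable = true;
+flags = [
+"--recreate-lock-file" # Deprecated, but will hopefully be reintroduced
+"-L"
+];
+flake = inputs.self.outPath;
+dates = "02:00";
+randomizedDelaySec = "45min";
+allowReboot = true;
+rebootWindow = {
+lower = "01:00";
+upper = "05:00";
+};
+};
+# Also needs access to the nix-private repo which contains the encrypted secrets
+programs.ssh = {
+extraConfig = "
+Host git.jfreudenberger.de
+Port 222
+User git
+IdentityFile /etc/ssh/ssh_host_ed25519_key
+";
+knownHostsFiles = [
+(pkgs.writeText "forgejo.keys" ''[git.jfreudenberger.de]:222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+uqIeb9+AoqwD0Z6xLKI2dsRoS9Qh/VwboYfGpBJd+
+[git.jfreudenberger.de]:222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8GDSt4LsCzOoIZkqZRLgXyTLyHoJu62cFFP88i8GpSadyV6mJPkK5p2mgBzN/BM9I/G2VWfvqdM8Fy/7p3S8kDhmmkOk1AK7C/+qaQKsKcQauJuzNXlwMHG1Ivath80TO9PIQc9jYakP9xl8SACd5bwkvfEm3rS5awZ8T2hWgnsgO8pFHFOFmFnVbujXZk58FVTCxpgyPqjFv76JSYxpHk1VtiQ52jScsreOImEOWWg88f9IM9etWcshuxte4zudaqc2KjjAB6pYMuVj7O6cwMXKjCUxTzyomWjr2JoEruIslifbZ6bJGgswg5ENJSKURuMPgTuGM6Nrjp75V/yFD
+[git.jfreudenberger.de]:222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOS447cAWRZgHPs6MOoRS6/J66oY753QPiM7BI63/qNDd5qrCan153dJd5lBGwDR0vMWiV/0cmzuACfP5QS1Lv8=
+'')
+];
+};
+}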
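Review bot: `--recreate-lock-file` in `system.autoUpgrade.flags` regenerates the whole lock every night, so every flake input (nixpkgs, the private secrets repo and any others) moves to whatever upstream currently serves and is activated with `allowReboot = true` without anyone reviewing the diff; an upstream compromise or a bad push to one of those repos lands on this host within a day. If only one input should track upstream, refresh just that input (the older `--update-input <name>` form is deprecated as well, so this may be better done by a scheduled commit to the lock file) and let the committed lock remain the review gate. `/etc/ssh/ssh_host_ed25519_key` doubles as the Forgejo identity in `programs.ssh.extraConfig`; presumably it is registered as a read-only deploy key on the secrets repo, which the comment above should say explicitly, e.g. `# the host key is registered as a READ-ONLY deploy key on nix-private`. The pinned `knownHostsFiles` entries are good; the `ssh-rsa` line can be dropped so only the ed25519/ecdsa host keys are trusted.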


@ -0,0 +1,61 @@
{
disko.devices = {
disk = {
sda = {
type = "disk";
device = "/dev/sda";
content = {
type = "gpt";
partitions = {
MBR = {
type = "EF02"; # for grub MBR
size = "1M";
priority = 1; # Needs to be first partition
};
ESP = {
priority = 1;
name = "ESP";
size = "500M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
root = {
size = "100%";
content = {
type = "btrfs";
extraArgs = [ "-f" ]; # Override existing partition
# Subvolumes must set a mountpoint in order to be mounted,
# unless their parent is mounted
subvolumes = {
# Subvolume name is different from mountpoint
"/rootfs" = {
mountpoint = "/";
};
# Subvolume name is the same as the mountpoint
"/home" = {
mountOptions = [ "compress=zstd" ];
mountpoint = "/home";
};
# Sub(sub)volume doesn't need a mountpoint as its parent is mounted
"/home/julius" = { };
# Parent is not mounted so the mountpoint must be set
"/nix" = {
mountOptions = [ "compress=zstd" "noatime" ];
mountpoint = "/nix";
};
};
mountpoint = "/partition-root";
};
};
};
};
};
};
};
}


@ -0,0 +1,28 @@
{
disko.devices = {
disk = {
sda = {
type = "disk";
device = "/dev/sda";
content = {
type = "gpt";
partitions = {
MBR = {
type = "EF02"; # for grub MBR
size = "1M";
priority = 1; # Needs to be first partition
};
root = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
};
}


@ -4,8 +4,15 @@
...
}: {
virtualisation.docker = {
virtualisation = {
docker = {
enable = true;
daemon.settings = {
ipv6 = true;
ip6tables = true;
};
};
oci-containers.backend = "docker";
};
}

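--- a/modules/dockhand.nix
+++ b/modules/dockhand.nix
@@ -0,0 +1,46 @@
+{
+config,
+lib,
+...
+}:
+let
+cfg = config.services.dockhand;
+in {
+options.services.dockhand = {
+enable = lib.mkEnableOption "dockhand, a powerful, intuitive Docker platform";
+appUrl = lib.mkOption {
+description = "External URL dockhand will be reachable from, without protocol";
+type = lib.types.str;
+};
+};
+config = lib.mkIf cfg.enable {
+virtualisation.oci-containers.containers = {
+dockhand = {
+image = "fnsys/dockhand:v1.0.12";
+volumes = [
+"/var/run/docker.sock:/var/run/docker.sock"
+];
+environment = {
+PUID = "1000";
+PGID = "1000";
+};
+networks = [
+"pangolin"
+];
+labels = {
+"pangolin.public-resources.dockhand.name" = "dockhand";
+"pangolin.public-resources.dockhand.full-domain" = cfg.appUrl;
+"pangolin.public-resources.dockhand.protocol" = "http";
+"pangolin.public-resources.dockhand.auth.sso-enabled" = "true";
+"pangolin.public-resources.dockhand.auth.auto-login-idp" = "1";
+"pangolin.public-resources.dockhand.targets[0].method" = "http";
+};
+extraOptions = [
+''--mount=type=volume,source=dockhand-data,target=/app/data,volume-driver=local''
+''--group-add=131'' # docker group
+];
+};
+};
+};
+}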
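Review bot: `--group-add=131` in `extraOptions` hard-codes the docker group's GID; NixOS defines it as `config.ids.gids.docker`, and `config` is already a module argument, so `''--group-add=${toString config.ids.gids.docker}''` keeps the comment's intent without the magic number. The `/var/run/docker.sock` bind mount is read-write and gives the container root-equivalent control of the host, so the `auth.sso-enabled` Pangolin label is the only access control in front of it; a comment on the `volumes` block should say so, e.g. `# docker.sock rw = host root; never expose this resource without Pangolin SSO`. `image` is pinned to the `v1.0.12` tag only; a digest pin would make the deployment reproducible.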


@ -8,6 +8,7 @@
font-awesome
terminus_font
dlrg-fonts
fira
];
}


@ -4,9 +4,8 @@
...
}: {
environment.systemPackages = with pkgs; [
jetbrains.idea-ultimate
jetbrains.pycharm-professional
jetbrains.phpstorm
jetbrains.idea
jetbrains.pycharm
vscodium-fhs
zed-editor.fhs


@ -18,7 +18,7 @@
lightlocker
xautolock # lock screen after some time
i3status # provide information to i3bar
i3-gaps # i3 with gaps
i3 # i3 with gaps
nitrogen # set wallpaper
acpi # battery information
arandr # screen layout manager

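--- a/modules/intel-cpu.nix
+++ b/modules/intel-cpu.nix
@@ -0,0 +1,12 @@
+{
+pkgs,
+...
+}: {
+hardware.graphics = {
+enable = true;
+extraPackages = with pkgs; [
+intel-media-driver # Enable Hardware Acceleration
+vpl-gpu-rt # Enable QSV
+];
+};
+}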

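--- a/modules/k3s.nix
+++ b/modules/k3s.nix
@@ -0,0 +1,28 @@
+{
+pkgs,
+lib,
+...
+}: {
+services.k3s = {
+enable = true;
+role = "server";
+token = "verysecrettoken";
+extraFlags = toString ([
+"--write-kubeconfig-mode \"0644\""
+"--disable servicelb"
+"--disable traefik"
+"--disable local-storage"
+]);
+};
+networking.firewall.allowedTCPPorts = [
+6443
+2379
+2380
+];
+networking.firewall.allowedUDPPorts = [
+8472
+];
+}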
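Review bot: `token = "verysecrettoken";` in `services.k3s` puts the cluster join token into git and into the world-readable Nix store; NixOS provides `services.k3s.tokenFile`, so add `config` to the module arguments, point `tokenFile = config.age.secrets.<name>.path;` at an agenix secret like the other modules in this commit, and drop the literal. `--write-kubeconfig-mode "0644"` in `extraFlags` makes the admin kubeconfig readable by every local account, which is cluster-admin for anyone who can log in; keep the default mode and copy the file for the users who need it. `networking.firewall.allowedTCPPorts` opens the etcd peer/client ports 2379/2380 on a single `role = "server"` node without `clusterInit`, where embedded etcd is presumably not running; open them only when a multi-server cluster is configured. `pkgs` and `lib` in the module arguments are unused.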


@ -4,12 +4,12 @@
...
}: {
boot.kernelPackages = pkgs.linuxKernel.packages.linux_zen;
boot.kernelPackages = pkgs.linuxPackages_latest;
services.logind = {
lidSwitch = "suspend-then-hibernate";
lidSwitchDocked = "suspend-then-hibernate";
powerKey = "ignore";
services.logind.settings.Login = {
HandleLidSwitch= "suspend-then-hibernate";
HandleLidSwitchDocked = "suspend-then-hibernate";
HandlePowerKey = "ignore";
};
programs.auto-cpufreq.enable = true;


@ -13,19 +13,7 @@
firewall = {
# if packets are still dropped, they will show up in dmesg
logReversePathDrops = true;
# wireguard trips rpfilter up
extraCommands = ''
iptables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 1194 -j RETURN
ip6tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 1194 -j RETURN
iptables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 1194 -j RETURN
ip6tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 1194 -j RETURN
'';
extraStopCommands = ''
iptables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 1194 -j RETURN || true
ip6tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 1194 -j RETURN || true
iptables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 1194 -j RETURN || true
ip6tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 1194 -j RETURN || true
'';
checkReversePath = "loose";
};
};
}
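Review bot: `checkReversePath = "loose";` relaxes reverse-path filtering for every interface and protocol, whereas the `extraCommands` it replaces exempted only UDP port 1194; if the motivation is still the wireguard handshake, record it on the line, e.g. `checkReversePath = "loose"; # wireguard replies arrive on a different interface than strict rpfilter expects`, so the weakening is not silently carried forward after wireguard is gone. With `logReversePathDrops = true` still set, the comment above it now describes far fewer drops than before. The enclosing `networking` block starts outside the hunk.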


@ -5,5 +5,6 @@
}: {
networking = {
useDHCP = true;
firewall.allowPing = false;
};
}

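--- a/modules/newt.nix
+++ b/modules/newt.nix
@@ -0,0 +1,72 @@
+{
+pkgs,
+config,
+lib,
+...
+}:
+let
+cfg = config.services.newt-docker;
+in {
+options.services.newt-docker = {
+enable = lib.mkEnableOption "Newt, user space tunnel client for Pangolin";
+pangolinEndpoint = lib.mkOption {
+description = "External URL of the Pangolin instance";
+type = lib.types.str;
+};
+connectionSecret = lib.mkOption {
+description = "Secrets for Pangolin authentication.";
+type = lib.types.anything;
+};
+};
+config = lib.mkIf cfg.enable {
+virtualisation.oci-containers.containers = {
+newt = {
+image = "fosrl/newt:1.9.0";
+autoStart = true;
+networks = [
+"pangolin"
+];
+environment = {
+PANGOLIN_ENDPOINT = cfg.pangolinEndpoint;
+DOCKER_SOCKET = "/var/run/docker.sock";
+};
+environmentFiles = [ cfg.connectionSecret.path ];
+volumes = [
+"/var/run/docker.sock:/var/run/docker.sock:ro"
+];
+extraOptions = [
+"--add-host=host.docker.internal:host-gateway"
+];
+};
+};
+systemd.services."docker-newt" = {
+after = [
+"docker-network-newt.service"
+];
+requires = [
+"docker-network-newt.service"
+];
+};
+systemd.services."docker-network-newt" = {
+path = [ pkgs.docker ];
+serviceConfig = {
+Type = "oneshot";
+};
+script = ''
+docker network inspect pangolin || docker network create pangolin --ipv4 --ipv6 --subnet=172.18.0.0/16 --gateway=172.18.0.1
+'';
+};
+networking.firewall.extraCommands = ''
+iptables -A INPUT -p icmp --source 100.89.128.0/24 -j ACCEPT
+iptables -A INPUT -p tcp --source 172.18.0.0/12 --dport 22 -j ACCEPT
+'';
+};
+}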
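Review bot: the `iptables -A INPUT -p tcp --source 172.18.0.0/12 --dport 22` rule in `networking.firewall.extraCommands` admits SSH from all of 172.16.0.0–172.31.255.255, while the network created two lines above is `172.18.0.0/16`; `/16` is almost certainly what was meant, and only IPv4 rules are added although the network is created with `--ipv6`. The `:ro` on the `/var/run/docker.sock` bind mount does not restrict the Docker API (a read-only mount still allows connecting to the socket and sending requests), so newt has root-equivalent access to the host; the line deserves `# ro only protects the socket inode; the Docker API is fully usable`. `connectionSecret` is typed `lib.types.anything`, which defers every error to the `.path` access in `environmentFiles`. The `172.18.0.0/16` pool here is identical to the one used for the `traefik` network in modules/traefik.nix, so enabling both modules on one host makes the second `docker network create` fail with an overlapping-pool error.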


@ -5,6 +5,7 @@
}: {
# do garbage collection weekly to keep disk usage low
nix = {
package = pkgs.nix;
settings = {
experimental-features = ["nix-command" "flakes"];
};

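--- a/modules/opkssh.sample.nix
+++ b/modules/opkssh.sample.nix
@@ -0,0 +1,18 @@
+{
+...
+}: {
+services.opkssh = {
+enable = true;
+providers = {
+pocket-id = {
+issuer = "https://example.com";
+clientId = "";
+lifetime = "12h";
+};
+};
+authorizations = [
+{ user = "<username>"; principal = "<email>"; issuer = "https://example.com"; }
+];
+};
+}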

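--- a/modules/pangolin.nix
+++ b/modules/pangolin.nix
@@ -0,0 +1,53 @@
+{
+pkgs-unstable,
+utils,
+config,
+lib,
+...
+}: {
+services = {
+pangolin = {
+enable = true;
+package = pkgs-unstable.fosrl-pangolin;
+openFirewall = true;
+settings = {
+app = {
+save_logs = true;
+log_failed_attempts = true;
+};
+domains = {
+domain1 = {
+prefer_wildcard_cert = true;
+};
+};
+flags = {
+disable_signup_without_invite = true;
+disable_user_create_org = true;
+};
+};
+};
+};
+systemd.services.gerbil.serviceConfig.ExecStart = lib.mkForce (utils.escapeSystemdExecArgs [
+(lib.getExe pkgs-unstable.fosrl-gerbil)
+"--reachableAt=http://localhost:${toString config.services.gerbil.port}"
+"--generateAndSaveKeyTo=${toString config.services.pangolin.dataDir}/config/key"
+"--remoteConfig=http://localhost:3001/api/v1/gerbil/get-config"
+]);
+}
+# Settings needed on the host
+#
+# services = {
+# pangolin = {
+# dnsProvider = "";
+# baseDomain = "";
+# letsEncryptEmail = "";
+# environmentFile = config.age.secrets."".path;
+# };
+# traefik = {
+# environmentFiles = [ config.age.secrets."".path ];
+# };
+# };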
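Review bot: `--remoteConfig=http://localhost:3001/api/v1/gerbil/get-config` in the forced `ExecStart` hard-codes Pangolin's internal API port, while the neighbouring `--reachableAt` is derived from `config.services.gerbil.port`; if the pangolin module exposes its listen port as an option, derive this URL from it the same way, otherwise add `# 3001 = pangolin internal API port; keep in sync with services.pangolin` so the coupling is visible. `lib.mkForce` on `ExecStart` discards whatever arguments the upstream gerbil unit assembles, so flags added upstream on the next nixpkgs bump are silently lost; a comment stating why the override is needed would help the next reviewer decide whether it is still required. The host-side settings kept as commented-out Nix at the end of the file (`dnsProvider`, `baseDomain`, `letsEncryptEmail`, `environmentFile`) would be clearer as module options with descriptions, or at least as a doc comment at the top of the file rather than after the closing brace.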


@ -0,0 +1,21 @@
{
...
}: {
virtualisation.oci-containers.containers = {
portainer_agent = {
image = "portainer/agent:2.33.2";
volumes = [
"/var/run/docker.sock:/var/run/docker.sock"
"/var/lib/docker/volumes:/var/lib/docker/volumes"
"/:/host"
];
environment = {
EDGE = "1";
CAP_HOST_MANAGEMENT = "1";
};
extraOptions = [
''--mount=type=volume,source=portainer_agent,target=/data,volume-driver=local''
];
};
};
}
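Review bot: the `volumes` list mounts `/:/host` read-write together with the Docker socket and `CAP_HOST_MANAGEMENT = "1"`, so whoever controls the Portainer server this edge agent enrols with has full root on the host; the `portainer-join_token` secret declared earlier in this commit is therefore a root credential and the `volumes` block should carry a comment saying so, e.g. `# /:/host rw + docker.sock: the remote Portainer server is root on this machine`. `EDGE = "1"` normally requires an edge id/key in the environment; none is visible in this file, so presumably it is supplied through `environmentFiles` elsewhere — worth stating in a comment here. `image` is pinned to the `2.33.2` tag only; a digest pin would make it reproducible.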

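--- a/modules/qemu-guest.nix
+++ b/modules/qemu-guest.nix
@@ -0,0 +1,7 @@
+{
+...
+}: {
+services.qemuGuest.enable = true;
+}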

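--- a/modules/sshd.nix
+++ b/modules/sshd.nix
@@ -0,0 +1,19 @@
+{
+pkgs,
+lib,
+...
+}: {
+services = {
+openssh = {
+enable = true;
+settings = {
+PasswordAuthentication = false;
+PermitRootLogin = "no";
+};
+};
+fail2ban = {
+enable = true;
+bantime = "1h";
+};
+};
+}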
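Review bot: `PasswordAuthentication = false` in `services.openssh.settings` still leaves keyboard-interactive (PAM) authentication at its default, which is a second password path; add `KbdInteractiveAuthentication = false;` next to it so only key-based logins remain. With that in place `fail2ban` mostly reduces log noise, which is fine, but the reason for the `bantime = "1h"` choice could be noted in a comment. `pkgs` and `lib` in the module arguments are unused.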

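--- a/modules/systemd-boot.nix
+++ b/modules/systemd-boot.nix
@@ -0,0 +1,15 @@
+{
+...
+}: {
+boot = {
+loader = {
+systemd-boot = {
+enable = true;
+};
+efi.canTouchEfiVariables = true;
+};
+tmp.useTmpfs = true;
+};
+}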

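--- a/modules/traefik.nix
+++ b/modules/traefik.nix
@@ -0,0 +1,221 @@
+{
+pkgs,
+config,
+lib,
+...
+}:
+let
+cfg = config.services.traefik-docker;
+mapOidcClientNameToEnv = stringToReplace: lib.replaceString "-" "_" (lib.toUpper stringToReplace);
+traefik-mtls-config = (pkgs.formats.yaml { }).generate "traefik-mtls-config" {
+tls.options.default.clientAuth = {
+caFiles = "caFiles/root_ca.crt";
+clientAuthType = "VerifyClientCertIfGiven";
+};
+};
+in {
+options.services.traefik-docker = {
+enable = lib.mkEnableOption "traefik web server hosted as OCI container";
+dashboardUrl = lib.mkOption {
+description = "External URL the traefik dashboard will be reachable from, without protocol";
+type = lib.types.str;
+};
+dnsSecrets = lib.mkOption {
+description = "Secrets for DNS providers.";
+type = lib.types.listOf lib.types.anything;
+};
+mTLSCaCertSecret = lib.mkOption {
+description = "Agenix secret containing the CA file to verify client certificates against.";
+};
+oidcAuthProviderUrl = lib.mkOption {
+description = "Provider URL of OIDC auth provider.";
+type = lib.types.str;
+};
+oidcClients = lib.mkOption {
+example = ''
+immich = {
+scopes = [
+"openid"
+"email"
+"profile"
+];
+enableBypassUsingClientCertificate = true;
+usePkce = true;
+};
+'';
+description = "Attribute set of OIDC clients with their configurations.";
+type = lib.types.attrsOf (
+lib.types.submodule {
+options = {
+secret = lib.mkOption {
+description = ''Agenix secret containing the following needed environment variables in dotenv notation:
+- <clientName>_OIDC_AUTH_SECRET
+- <clientName>_OIDC_AUTH_PROVIDER_CLIENT_ID
+- <clientName>_OIDC_CLIENT_SECRET
+'';
+};
+scopes = lib.mkOption {
+default = [ "openid" ];
+example = [ "openid" "email" "profile" "groups" ];
+description = "OIDC scopes to request from auth provider.";
+type = lib.types.listOf lib.types.str;
+};
+usePkce = lib.mkOption {
+default = true;
+description = "Whether to enable PKCE for this provider.";
+type = lib.types.bool;
+};
+enableBypassUsingClientCertificate = lib.mkOption {
+default = false;
+description = "Whether to allow bypassing OIDC protection when a verified client certificate is presented.";
+type = lib.types.bool;
+};
+useClaimsFromUserInfo = lib.mkOption {
+default = false;
+description = "When enabled, an additional request to the provider's userinfo_endpoint is made to validate the token and to retrieve additional claims. The userinfo claims are merged directly into the token claims, with userinfo values overriding token values for non-security-critical claims.";
+type = lib.types.bool;
+};
+headers = lib.mkOption {
+default = [];
+description = "Headers to be added to the upstream request. Templating is possible. Documentation can be found here: https://traefik-oidc-auth.sevensolutions.cc/docs/getting-started/middleware-configuration";
+type = lib.types.listOf (lib.types.submodule {
+options = {
+Name = lib.mkOption {
+description = "The name of the header which should be added to the upstream request.";
+type = lib.types.str;
+};
+Value = lib.mkOption {
+description = "The value of the header, which can use Go-Templates.";
+type = lib.types.str;
+};
+};
+});
+};
+};
+}
+);
+};
+};
+config = lib.mkIf cfg.enable {
+virtualisation.oci-containers.containers = {
+traefik = {
+image = "traefik:v3.6.6";
+cmd = [
+"--providers.docker=true"
+"--providers.docker.exposedByDefault=false"
+"--providers.docker.network=traefik"
+"--providers.file.directory=/dynamic-config"
+"--log.level=INFO"
+"--api=true"
+"--ping=true"
+"--entrypoints.web.address=:80"
+"--entrypoints.websecure.address=:443"
+"--entrypoints.websecure.transport.respondingTimeouts.readTimeout=600s"
+"--entrypoints.websecure.transport.respondingTimeouts.idleTimeout=600s"
+"--entrypoints.websecure.transport.respondingTimeouts.writeTimeout=600s"
+"--entrypoints.web.http.redirections.entrypoint.to=websecure"
+"--entrypoints.websecure.asDefault=true"
+"--entrypoints.websecure.http.middlewares=strip-mtls-headers@docker,pass-tls-client-cert@docker"
+"--entrypoints.websecure.http.tls.certresolver=letsencrypt"
+"--certificatesresolvers.letsencrypt.acme.storage=/certs/acme.json"
+"--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
+"--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=netcup"
+"--experimental.plugins.traefik-oidc-auth.modulename=github.com/sevensolutions/traefik-oidc-auth"
+"--experimental.plugins.traefik-oidc-auth.version=v0.17.0"
+];
+autoStart = true;
+ports = [
+"80:80"
+"443:443"
+];
+networks = [
+"traefik"
+];
+environment = {
+OIDC_AUTH_PROVIDER_URL = cfg.oidcAuthProviderUrl;
+};
+environmentFiles = lib.forEach cfg.dnsSecrets (secret: secret.path) ++ (lib.mapAttrsToList (oidcClientName: oidcClientConfig: oidcClientConfig.secret.path) cfg.oidcClients);
+labels = {
+"traefik.enable" = "true";
+"traefik.http.routers.dashboard.rule" = "Host(`${cfg.dashboardUrl}`)";
+"traefik.http.routers.dashboard.service" = "dashboard@internal";
+"traefik.http.routers.dashboard.middlewares" = "traefik-dashboard-oidc-auth@file";
+"traefik.http.routers.api.rule" = "Host(`${cfg.dashboardUrl}`) && (PathPrefix(`/api`) || PathPrefix(`/oidc/callback`))";
+"traefik.http.routers.api.service" = "api@internal";
+"traefik.http.routers.api.middlewares" = "traefik-dashboard-oidc-auth@file";
+"traefik.http.middlewares.strip-mtls-headers.headers.customrequestheaders.X-Forwarded-Tls-Client-Cert" = "";
+"traefik.http.middlewares.pass-tls-client-cert.passtlsclientcert.pem" = "true";
+};
+volumes = let
+oidc-config = lib.mapAttrs' (
+oidcClientName: oidcClientConfig:
+lib.nameValuePair "${oidcClientName}-oidc-auth" {
+plugin.traefik-oidc-auth = {
+LogLevel = "INFO";
+Secret = ''{{ env "${mapOidcClientNameToEnv oidcClientName}_OIDC_AUTH_SECRET" }}'';
+Provider = {
+Url = ''{{ env "OIDC_AUTH_PROVIDER_URL" }}'';
+ClientId = ''{{ env "${mapOidcClientNameToEnv oidcClientName}_OIDC_AUTH_PROVIDER_CLIENT_ID" }}'';
+ClientSecret = ''{{ env "${mapOidcClientNameToEnv oidcClientName}_OIDC_AUTH_PROVIDER_CLIENT_SECRET" }}'';
+UsePkce = oidcClientConfig.usePkce;
+UseClaimsFromUserInfo = oidcClientConfig.useClaimsFromUserInfo;
+};
+Scopes = oidcClientConfig.scopes;
+LoginUrl = ''{{ env "OIDC_AUTH_PROVIDER_URL" }}'';
+} // (lib.attrsets.optionalAttrs oidcClientConfig.enableBypassUsingClientCertificate {
+BypassAuthenticationRule = "HeaderRegexp(`X-Forwarded-Tls-Client-Cert`, `.+`)";
+}) // (lib.attrsets.optionalAttrs ((lib.length oidcClientConfig.headers) > 0) {
+Headers = oidcClientConfig.headers;
+});
+}
+) cfg.oidcClients;
+traefik-oidc-authentication-config = (pkgs.formats.yaml {}).generate "traefik-oidc-auth" {
+http.middlewares = oidc-config;
+};
+in [
+"/var/run/docker.sock:/var/run/docker.sock"
+"${traefik-oidc-authentication-config}:/dynamic-config/traefik-oidc-auth.yaml:ro"
+"${traefik-mtls-config}:/dynamic-config/traefik-mtls.yaml:ro"
+"${cfg.mTLSCaCertSecret.path}:/caFiles/root_ca.crt:ro"
+];
+extraOptions = [
+''--mount=type=volume,source=certs,target=/certs,volume-driver=local''
+"--add-host=host.docker.internal:host-gateway"
+"--health-cmd=wget --spider --quiet http://localhost:8080/ping"
+"--health-interval=10s"
+"--health-timeout=5s"
+"--health-retries=3"
+"--health-start-period=5s"
+];
+};
+};
+systemd.services."docker-traefik" = {
+after = [
+"docker-network-traefik.service"
+];
+requires = [
+"docker-network-traefik.service"
+];
+};
+systemd.services."docker-network-traefik" = {
+path = [ pkgs.docker ];
+serviceConfig = {
+Type = "oneshot";
+};
+script = ''
+docker network inspect traefik || docker network create traefik --ipv4 --ipv6 --subnet=172.18.0.0/16 --gateway=172.18.0.1
+'';
+};
+networking.firewall.extraCommands = "iptables -t nat -I PREROUTING -s 172.18.0.0/16 -d 172.18.0.0/16 -j MASQUERADE";
+};
+}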
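Review bot: `iptables -t nat -I PREROUTING -s 172.18.0.0/16 -d 172.18.0.0/16 -j MASQUERADE` in `networking.firewall.extraCommands` is not a valid rule: the kernel accepts the MASQUERADE target only in the nat table's POSTROUTING chain, so iptables rejects it and, as far as I can tell from the NixOS firewall script, the start of the firewall unit fails on this line; it should read `iptables -t nat -I POSTROUTING -s 172.18.0.0/16 -d 172.18.0.0/16 -j MASQUERADE`. The `secret` option description lists `<clientName>_OIDC_CLIENT_SECRET`, but the generated middleware reads `${mapOidcClientNameToEnv oidcClientName}_OIDC_AUTH_PROVIDER_CLIENT_SECRET`, and names are upper-cased with `-` mapped to `_`; the description should state the real variable names and the transformation, otherwise every new client is misconfigured on first try. The `BypassAuthenticationRule` on `X-Forwarded-Tls-Client-Cert` is only safe because the `websecure` entrypoint runs `strip-mtls-headers` before `pass-tls-client-cert`, which removes a client-supplied header before traefik sets the verified one; that order is load-bearing and deserves a comment on the `--entrypoints.websecure.http.middlewares` line, e.g. `# strip MUST precede pass: the OIDC bypass trusts this header`. The `traefik` network uses the same `172.18.0.0/16` pool as the `pangolin` network in modules/newt.nix, so enabling both modules on one host makes the second `docker network create` fail; `mTLSCaCertSecret` also lacks a `type`.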


@ -5,9 +5,7 @@
}: {
environment.systemPackages = with pkgs; [
typst
typstfmt
texliveFull
typstyle
pandoc


@ -3,12 +3,16 @@
lib,
...
}: {
environment.systemPackages = with pkgs; [
virt-manager
];
virtualisation = {
libvirtd.enable = true;
libvirtd = {
enable = true;
qemu = {
swtpm.enable = true;
vhostUserPackages = [ pkgs.virtiofsd ];
};
};
spiceUSBRedirection.enable = true;
};
programs.virt-manager.enable = true;
}


@ -37,6 +37,7 @@
meta = with lib; {
platforms = platforms.all;
mainProgram = "rofirefox";
};
}

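--- a/terraform/.envrc
+++ b/terraform/.envrc
@@ -0,0 +1 @@
+use flake ../#opentofu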

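--- a/terraform/.gitignore
+++ b/terraform/.gitignore
@@ -0,0 +1,42 @@
+# Local .terraform directories
+**/.terraform/*
+# .tfstate files
+*.tfstate
+*.tfstate.*
+# Crash log files
+crash.log
+crash.*.log
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tofu
+override.tf.json
+override.tofu.json
+*_override.tf
+*_override.tofu
+*_override.tf.json
+*_override.tofu.json
+# Ignore transient lock info files created by tofu apply
+.terraform.tfstate.lock.info
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+# !example_override.tofu
+# Include tfplan files to ignore the plan output of command: tofu plan -out=tfplan
+# example: *tfplan*
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc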

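--- a/terraform/busch/.terraform.lock.hcl
+++ b/terraform/busch/.terraform.lock.hcl
@@ -0,0 +1,24 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+provider "registry.opentofu.org/telmate/proxmox" {
+version = "3.0.2-rc07"
+constraints = "3.0.2-rc07"
+hashes = [
+"h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=",
+"zh:2ee860cd0a368b3eaa53f4a9ea46f16dab8a97929e813ea6ef55183f8112c2ca",
+"zh:415965fd915bae2040d7f79e45f64d6e3ae61149c10114efeac1b34687d7296c",
+"zh:6584b2055df0e32062561c615e3b6b2c291ca8c959440adda09ef3ec1e1436bd",
+"zh:65dcfad71928e0a8dd9befc22524ed686be5020b0024dc5cca5184c7420eeb6b",
+"zh:7253dc29bd265d33f2791ac4f779c5413f16720bb717de8e6c5fcb2c858648ea",
+"zh:7ec8993da10a47606670f9f67cfd10719a7580641d11c7aa761121c4a2bd66fb",
+"zh:999a3f7a9dcf517967fc537e6ec930a8172203642fb01b8e1f78f908373db210",
+"zh:a50e6df7280eb6584a5fd2456e3f5b6df13b2ec8a7fa4605511e438e1863be42",
+"zh:b25b329a1e42681c509d027fee0365414f0cc5062b65690cfc3386aab16132ae",
+"zh:c028877fdb438ece48f7bc02b65bbae9ca7b7befbd260e519ccab6c0cbb39f26",
+"zh:cf0eaa3ea9fcc6d62793637947f1b8d7c885b6ad74695ab47e134e4ff132190f",
+"zh:d5ade3fae031cc629b7c512a7b60e46570f4c41665e88a595d7efd943dde5ab2",
+"zh:f388c15ad1ecfc09e7361e3b98bae9b627a3a85f7b908c9f40650969c949901c",
+"zh:f415cc6f735a3971faae6ac24034afdb9ee83373ef8de19a9631c187d5adc7db",
+]
+}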

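--- a/terraform/busch/main.tf
+++ b/terraform/busch/main.tf
@@ -0,0 +1,46 @@
+terraform {
+required_providers {
+proxmox = {
+source = "telmate/proxmox"
+version = "3.0.2-rc07"
+}
+}
+}
+provider "proxmox" {
+pm_api_url = var.proxmox_api_url
+pm_api_token_id = var.proxmox_token_id
+pm_api_token_secret = var.proxmox_token_secret
+pm_tls_insecure = true
+}
+module "truenas" {
+source = "./modules/proxmox-vm"
+name = "truenas"
+target_node = "busch"
+vmid = 100
+memory = 8192
+cpu_cores = 2
+disk_storage = "local"
+disk_size = "32G"
+iso_path = "local:iso/TrueNAS-SCALE-25.10.2.1.iso"
+startup_order = 1
+mapped_pcie_devices = ["HBA"]
+}
+module "nixos-docker" {
+source = "./modules/proxmox-vm"
+name = "nixos-docker"
+target_node = "busch"
+vmid = 101
+memory = 4096
+cpu_cores = 2
+disk_storage = "truenas-lvm"
+disk_size = "64G"
+iso_path = "local:iso/latest-nixos-minimal-x86_64-linux.iso"
+startup_order = 2
+startup_delay = 240
+}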
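Review bot: `pm_tls_insecure = true` in the `proxmox` provider block disables certificate verification for the API endpoint, so `pm_api_token_secret` is sent to whatever answers at `var.proxmox_api_url`; install a trusted certificate on the node or trust the Proxmox CA on the machine running tofu, then drop the flag, or at minimum add `# self-signed Proxmox cert; TODO pin CA and remove` so the exception is tracked. Both module calls pass `vmid` and `memory` as numbers into module variables declared `type = string`, which works only through implicit conversion and loses the type check the module could give.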


@ -0,0 +1,66 @@
terraform {
required_providers {
proxmox = {
source = "telmate/proxmox"
version = "3.0.2-rc07"
}
}
}
resource "proxmox_vm_qemu" "truenas" {
name = var.name
description = var.description
target_node = var.target_node
vmid = var.vmid
machine = length(var.mapped_pcie_devices) == 0 ? "pc" : "q35"
memory = var.memory
balloon = 1024
scsihw = "virtio-scsi-pci"
boot = "order=scsi0;ide0"
start_at_node_boot = true
cpu {
cores = var.cpu_cores
sockets = 1
}
disks {
scsi {
scsi0 {
disk {
storage = var.disk_storage
size = var.disk_size
}
}
}
ide {
ide0 {
cdrom {
iso = var.iso_path
}
}
}
}
network {
id = 0
bridge = "vmbr0"
model = "virtio"
}
dynamic "pci" {
for_each = { for device in var.mapped_pcie_devices : index(var.mapped_pcie_devices, device) => device }
content {
id = pci.key
mapping_id = pci.value
pcie = true
}
}
startup_shutdown {
order = var.startup_order
startup_delay = var.startup_delay
}
}
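Review bot: the resource is named `proxmox_vm_qemu.truenas` although this file lives in the generic `modules/proxmox-vm` module and is also instantiated as `nixos-docker`; a neutral name such as `resource "proxmox_vm_qemu" "vm"` avoids misleading state addresses like `module.nixos-docker.proxmox_vm_qemu.truenas`. If the VMs have already been applied, the rename needs a `moved` block so they are not destroyed and recreated. The `dynamic "pci"` block keys on `index(var.mapped_pcie_devices, device)`, which maps duplicate entries to the same id; a comment stating that the list must be unique would help.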


@ -0,0 +1,64 @@
variable "vmid" {
description = "ID of the VM to create"
type = string
}
variable "name" {
description = "Name of the VM to create"
type = string
}
variable "description" {
description = "Description of the VM to create"
type = string
default = null
nullable = true
}
variable "target_node" {
description = "Name of the target node to create the VM on"
type = string
}
variable "memory" {
description = "Memory to allocate for the VM"
type = string
}
variable "cpu_cores" {
description = "Number of CPU cores to allocate for the VM"
type = number
}
variable "disk_storage" {
description = "Name of the storage to store the disk on"
type = string
default = "local"
}
variable "disk_size" {
description = "Size of the primary disk"
type = string
}
variable "iso_path" {
description = "Path of the ISO to use to install an OS"
type = string
}
variable "startup_order" {
description = "Order number of the VM in the startup chain"
type = number
}
variable "startup_delay" {
description = "Startup delay in seconds"
type = number
default = -1
}
variable "mapped_pcie_devices" {
description = "PCI mappings"
type = list(string)
default = []
}
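Review bot: `vmid` and `memory` are declared `type = string` while the callers pass numbers and the provider attributes they feed are numeric; `type = number` documents the contract and rejects non-numeric input instead of relying on implicit conversion. `startup_delay` defaults to `-1` with no explanation of what the sentinel means; presumably it hands the decision to the provider default, and the `description` should say so.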

BIN
terraform/busch/plan Normal file

Binary file not shown.
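Review bot: `terraform/busch/plan` looks like a saved `tofu plan -out` file, and plan files embed the values of the input variables, so if `proxmox_token_secret` was set when it was produced the token is now in git history; the file should be removed from the commit, the token rotated, and `plan` or `*tfplan*` added to terraform/.gitignore, whose comment already suggests that pattern. This is inferred from the file name and location; if the file is something else, a short note next to it would avoid the confusion.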


@ -0,0 +1,10 @@
variable "proxmox_api_url" {
description = "API URL, typically ends with `/api2/json`"
}
variable "proxmox_token_id" {
description = "Token ID"
}
variable "proxmox_token_secret" {
description = "Token Secret"
}
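Review bot: `proxmox_token_secret` is declared without `sensitive = true`, so its value appears in plan and apply output and in any logs that capture them; add `sensitive = true` and `type = string` to it, and `type = string` to `proxmox_api_url` and `proxmox_token_id` as well so a missing or malformed value is caught at validation time.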


@ -0,0 +1,23 @@
{
...
}: {
users = {
users = {
julius = {
initialPassword = "password";
isNormalUser = true;
uid = 1000;
group = "julius";
extraGroups = [ "wheel" ];
};
};
groups = {
julius = {
gid = 1000;
};
};
};
nix.settings.trusted-users = [ "julius" ];
}
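Review bot: `initialPassword = "password";` sets a well-known console password for a `wheel` member; it is only applied when the account is first created, but it is stored world-readable in the Nix store and stays valid until somebody changes it. Since the commit already uses agenix, prefer adding `config` to the module arguments and `hashedPasswordFile = config.age.secrets.<name>.path;`, or at least `initialHashedPassword` plus a comment that it must be changed at first login. The sshd module in this commit disables password authentication, so from what is visible here the exposure is local console only.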


@ -6,7 +6,7 @@
}: {
users.users.julius = {
isNormalUser = true;
extraGroups = [ "wheel" "networkmanager" "docker" "libvirtd" ];
extraGroups = [ "wheel" "networkmanager" "docker" "libvirtd" "kvm" ];
shell = pkgs.zsh;
};

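--- a/users/nixremote.nix
+++ b/users/nixremote.nix
@@ -0,0 +1,13 @@
+{
+...
+}: {
+users.users = {
+nixremote = {
+isNormalUser = true;
+uid = 1100;
+group = "users";
+};
+};
+nix.settings.trusted-users = [ "nixremote" ];
+}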
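Review bot: `nix.settings.trusted-users = [ "nixremote" ];` makes that account root-equivalent on the host (a trusted user can import arbitrary store paths and override sandbox settings), which a remote builder account usually needs but which should be stated next to the line, e.g. `# trusted-users is root-equivalent: only the build client's key may log in as nixremote`. No `openssh.authorizedKeys` entry is visible in this file, so presumably the key is configured elsewhere; a comment pointing there would keep the two halves together. `group = "users"` with a dedicated `uid = 1100` is a slightly odd mix; a dedicated group would mirror the `julius` user definition earlier in this commit.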