Compare commits


80 commits

Author SHA1 Message Date
d7b1521b29 Merge branch 'test-new-server-setup' 2026-03-29 21:15:28 +02:00
62334a00dd Add terraform module
Terraform is used to manage the VMs on the Proxmox host `busch`.
2026-03-29 21:12:46 +02:00
85c7dab078 Add opkssh module to srv01.hf 2026-03-29 21:01:28 +02:00
86bec559e6 Add busch-main-docker server 2026-03-29 21:00:09 +02:00
ae00442324 Add quotation for importing private module 2026-03-27 02:19:40 +01:00
0aff64102d Update flake.lock 2026-03-27 01:39:38 +01:00
502fecdd4e Switch from zen kernel to latest kernel for laptops
Due to build failure at least in release 25.11.
2026-03-27 01:38:42 +01:00
13ca1dc205 Add config for busch
Busch is the proxmox host used for various vms, which will be defined
through terraform or similar.
2026-03-27 01:36:29 +01:00
f2b2e26ba9 Add sample for opkssh module
The module itself is not added here, because usernames, principals and the client id
have to be specified directly in it.
Setting them via age secrets is not possible.
2026-03-27 01:29:56 +01:00
a525d2bffa Add intel-cpu module 2026-03-27 01:21:16 +01:00
7d11cef3f8 rofirefox: set main program 2026-03-11 23:13:59 +01:00
edbde98006 Remove firewall rules for wireguard and set rpfilter to loose 2026-03-11 23:13:30 +01:00
179f615ad4 Remove texlive from system closure 2026-03-11 22:55:25 +01:00
b441618575 Add fail2ban to sshd module 2026-03-11 22:53:54 +01:00
b3ec023cad Fix service naming in newt module 2026-03-11 22:51:29 +01:00
b4abb27490 Use unstable gerbil in pangolin module 2026-03-11 22:49:50 +01:00
9e11d4bf7f Include new home-manager modules 2026-02-22 17:53:31 +01:00
ba39a00af7 Add java versions as extraDependencies in home-manager 2026-02-22 17:53:31 +01:00
f50a34b7c2 Add gui apps in home-manager profile 2026-02-22 17:53:31 +01:00
e8deca2983 Move devshells into main flake.nix 2026-02-22 17:53:31 +01:00
535afa836a Disable git configuration through home-manager 2026-02-22 17:53:31 +01:00
8aad0b7e49 Add essential cli tools to home-manager 2026-02-22 17:53:31 +01:00
9e81d66be2 Add genericLinux target for homemanager 2026-02-22 17:53:31 +01:00
378d7f3051 Add username in extraSpecialArgs 2026-02-22 17:53:31 +01:00
bdd7bd301e Explicitly set nix package to use 2026-02-22 17:53:31 +01:00
0f163aee34 Add nix config to home-manager configuration 2026-02-22 17:53:31 +01:00
fbb86d2d53 Add initial home-manager configuration 2026-02-22 17:53:31 +01:00
a6e1430a3e Add fira fonts 2026-02-22 17:20:48 +01:00
9813193c7d Remove kube server configurations 2026-02-08 12:30:44 +01:00
c9216f6468 Update flake.lock 2026-02-08 12:28:32 +01:00
fd6810bd59 Migrate srv01-hf to pangolin and dockhand 2026-02-08 12:28:02 +01:00
e890501a0a Add dockhand module 2026-02-08 12:25:30 +01:00
074a553351 Add newt module 2026-02-08 12:17:00 +01:00
7adb75ed32 Add pangolin module 2026-02-08 12:11:20 +01:00
24cf657f9c Add virtiofsd to enable shared folder to qemu 2026-01-18 22:34:11 +01:00
cba8dea9c7 Add firefly to test Remote-User authentication 2026-01-09 22:03:01 +01:00
a70450af2a Add Remote-User authentication from mTLS with headers 2026-01-09 22:01:10 +01:00
b65effa878 Update flake.lock 2026-01-04 22:23:15 +01:00
5115744f46 Test traefik, arcane and immich on vServer 2026-01-04 22:22:53 +01:00
cb0408abd4 Add modules for traefik and arcane 2026-01-04 22:20:20 +01:00
ed21c24262 Enable ipv6 in docker 2026-01-04 22:17:40 +01:00
d4e4ecf9a9 Disallow ping on servers 2026-01-04 22:17:30 +01:00
f772e6054e Enable software tpm for libvirt 2026-01-02 19:52:36 +01:00
7574b6bfa4 Update devshells to 25.11 2025-12-24 23:20:51 +01:00
55292a69f4 Update to 25.11 2025-12-24 23:20:37 +01:00
5fd7eb5ee2 Remove phpstorm 2025-12-24 02:14:10 +01:00
7ae69de706 Add user to kvm group 2025-12-08 19:29:16 +01:00
9c3769ed39 Update flake.lock 2025-09-29 17:08:04 +02:00
b0bf41a826 portainer_agent: 2.33.1 -> 2.33.2 2025-09-29 17:05:03 +02:00
0fd83d2822 Add configuration of proxmox binary cache into flake hint 2025-09-25 11:35:06 +02:00
0b336f6058 Update flake.lock 2025-09-18 01:12:18 +02:00
cfc8f986b7 Add portainer_agent module and configure srv01-hf for it 2025-09-18 01:11:57 +02:00
fadfd47e3f Configure teleport on srv01-hf 2025-09-18 01:11:06 +02:00
abf81609e4 Add ssh connection settings to nix-private repo for auto-upgrade 2025-09-18 01:07:36 +02:00
eee7d2ddcf Add secret management with agenix 2025-09-17 23:51:27 +02:00
739b50349c Set oci-backend to docker
This can be used to start containers declaratively.
Use docker when it is enabled for this.
2025-09-17 00:05:36 +02:00
3c17de5929 Make nixremote trusted and not expire 2025-09-17 00:04:01 +02:00
aa4d1f11c9 Add rebootWindow for auto upgrades 2025-09-17 00:03:34 +02:00
ea01c0abf3 Add nixremote user for remote building 2025-08-25 09:49:00 +02:00
962ee20628 Enable auto-update on srv01-hf 2025-08-19 17:00:45 +02:00
6989f4be08 Add static network configuration to srv01-hf 2025-08-19 16:56:26 +02:00
a8f632ed50 Enable hybrid boot for disko module 2025-08-19 01:39:43 +02:00
c4ec22b380 Change bootloader to grub for srv01-hf 2025-08-18 23:40:53 +02:00
db8b0f1d5f Add srv01.hf as docker host 2025-08-18 23:12:46 +02:00
6099134974 Update flake.lock 2025-08-18 23:06:56 +02:00
2249b4cc58 Configure clustering with k3s 2025-08-17 02:53:39 +02:00
31267fa34c Add more kube nodes 2025-08-17 01:46:17 +02:00
75d4187baa Add nixos-server user module 2025-08-17 01:36:10 +02:00
18b28c2e9d Add qemu-guest-utils module 2025-08-17 01:35:09 +02:00
544930ff2d Externalize systemd-boot module 2025-08-17 01:34:38 +02:00
59506dac35 Move disko configuration to modules 2025-08-16 22:24:55 +02:00
21582cbf81 Add configuration for kubernetes host kube01 2025-08-16 22:07:27 +02:00
1038d8a248 Add disko 2025-08-16 22:07:11 +02:00
2f19307456 Configure proxmox-nixos cache 2025-08-12 02:27:42 +02:00
7bce6df38b Working bridge configuration using systemd-networkd 2025-08-12 00:39:41 +02:00
c790a14db1 Migrate bridge config to networking.* 2025-08-12 00:05:42 +02:00
f7c3edf779 Actually apply systemd-networkd configuration
Also disable networking.* options
2025-08-11 23:36:08 +02:00
8e15acd0c6 Add network bridge config 2025-08-10 23:24:39 +02:00
82bb877bfb Add proxmox-nixos 2025-08-09 10:21:16 +02:00
a7a3cbbc7a Add basic new server config
Includes sshd for easy connecting in local virtualized environment.
2025-08-08 16:56:37 +02:00
59 changed files with 1900 additions and 411 deletions


@ -1,64 +0,0 @@
{
"nodes": {
"flake-utils": {
"inputs": {
"systems": [
"systems"
]
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1736684107,
"narHash": "sha256-vH5mXxEvZeoGNkqKoCluhTGfoeXCZ1seYhC2pbMN0sg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "635e887b48521e912a516625eee7df6cf0eba9c1",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.11",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs",
"systems": "systems"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}


@ -1,21 +0,0 @@
{
description = "A basic flake with a shell";
inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
inputs.systems.url = "github:nix-systems/default";
inputs.flake-utils = {
url = "github:numtide/flake-utils";
inputs.systems.follows = "systems";
};
outputs =
{ nixpkgs, flake-utils, ... }:
flake-utils.lib.eachDefaultSystem (
system:
let
pkgs = nixpkgs.legacyPackages.${system};
in
{
devShells.default = pkgs.mkShell { packages = with pkgs; [ maven jdk17 ]; };
}
);
}


@ -1,64 +0,0 @@
{
"nodes": {
"flake-utils": {
"inputs": {
"systems": [
"systems"
]
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1734435836,
"narHash": "sha256-kMBQ5PRiFLagltK0sH+08aiNt3zGERC2297iB6vrvlU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "4989a246d7a390a859852baddb1013f825435cee",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs",
"systems": "systems"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}


@ -1,21 +0,0 @@
{
description = "A basic flake with a shell";
inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
inputs.systems.url = "github:nix-systems/default";
inputs.flake-utils = {
url = "github:numtide/flake-utils";
inputs.systems.follows = "systems";
};
outputs =
{ nixpkgs, flake-utils, ... }:
flake-utils.lib.eachDefaultSystem (
system:
let
pkgs = nixpkgs.legacyPackages.${system};
in
{
devShells.default = pkgs.mkShell { packages = with pkgs; [ maven jdk21 ]; };
}
);
}


@ -1,64 +0,0 @@
{
"nodes": {
"flake-utils": {
"inputs": {
"systems": [
"systems"
]
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1736684107,
"narHash": "sha256-vH5mXxEvZeoGNkqKoCluhTGfoeXCZ1seYhC2pbMN0sg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "635e887b48521e912a516625eee7df6cf0eba9c1",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.11",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs",
"systems": "systems"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}


@ -1,30 +0,0 @@
{
description = "A basic flake with a shell";
inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
inputs.systems.url = "github:nix-systems/default";
inputs.flake-utils = {
url = "github:numtide/flake-utils";
inputs.systems.follows = "systems";
};
outputs =
{ nixpkgs, flake-utils, ... }:
flake-utils.lib.eachDefaultSystem (
system:
let
pkgs = nixpkgs.legacyPackages.${system};
in
{
devShells.default = pkgs.mkShell { packages = with pkgs; [ (php81.buildEnv {
extensions = ({ enabled, all }: enabled ++ (with all; [
xdebug
]));
extraConfig = ''
xdebug.mode=debug
'';
})
php81Packages.composer
]; };
}
);
}


@ -1,64 +0,0 @@
{
"nodes": {
"flake-utils": {
"inputs": {
"systems": [
"systems"
]
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1739624908,
"narHash": "sha256-f84lBmLl4tkDp1ZU5LBTSFzlxXP4926DVW3KnXrke10=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a60651b217d2e529729cbc7d989c19f3941b9250",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.11",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs",
"systems": "systems"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}


@ -1,21 +0,0 @@
{
description = "Flake for TeXlive with python pygments";
inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
inputs.systems.url = "github:nix-systems/default";
inputs.flake-utils = {
url = "github:numtide/flake-utils";
inputs.systems.follows = "systems";
};
outputs =
{ nixpkgs, flake-utils, ... }:
flake-utils.lib.eachDefaultSystem (
system:
let
pkgs = nixpkgs.legacyPackages.${system};
in
{
devShells.default = pkgs.mkShell { packages = with pkgs; [ texliveFull python3Packages.pygments ]; };
}
);
}

flake.lock generated

@ -1,5 +1,28 @@
{ {
"nodes": { "nodes": {
"agenix": {
"inputs": {
"darwin": [],
"home-manager": "home-manager",
"nixpkgs": [
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1770165109,
"narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=",
"owner": "ryantm",
"repo": "agenix",
"rev": "b027ee29d959fda4b60b57566d64c98a202e0feb",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"auto-cpufreq": { "auto-cpufreq": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -7,11 +30,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1748372346, "lastModified": 1772058043,
"narHash": "sha256-7y7NZ6uW0GbT0h4gqfD2xvRuJj5IlPGw32oIc9Twga8=", "narHash": "sha256-m1cmQgb6tBcHkndKZ8BSsw6PRNJMG89FZwoYVOuKi34=",
"owner": "AdnanHodzic", "owner": "AdnanHodzic",
"repo": "auto-cpufreq", "repo": "auto-cpufreq",
"rev": "becd5b89963fa54fef3566147f3fd2087f8a5842", "rev": "5d600d710bb2aa331e1a4370e08476bcdea1cab5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -20,6 +43,26 @@
"type": "github" "type": "github"
} }
}, },
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1773889306,
"narHash": "sha256-PAqwnsBSI9SVC2QugvQ3xeYCB0otOwCacB1ueQj2tgw=",
"owner": "nix-community",
"repo": "disko",
"rev": "5ad85c82cc52264f4beddc934ba57f3789f28347",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -36,6 +79,21 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_2": {
"locked": {
"lastModified": 1747046372,
"narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"gitignore": { "gitignore": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -61,20 +119,41 @@
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"agenix",
"nixpkgs" "nixpkgs"
] ]
}, },
"locked": { "locked": {
"lastModified": 1749154018, "lastModified": 1745494811,
"narHash": "sha256-gjN3j7joRvT3a8Zgcylnd4NFsnXeDBumqiu4HmY1RIg=", "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "7aae0ee71a17b19708b93b3ed448a1a0952bf111", "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "release-25.05", "repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1774559029,
"narHash": "sha256-deix7yg3j6AhjMPnFDCmWB3f83LsajaaULP5HH2j34k=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "a0bb0d11514f92b639514220114ac8063c72d0a3",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-25.11",
"repo": "home-manager", "repo": "home-manager",
"type": "github" "type": "github"
} }
@ -87,11 +166,11 @@
"pre-commit-hooks": "pre-commit-hooks" "pre-commit-hooks": "pre-commit-hooks"
}, },
"locked": { "locked": {
"lastModified": 1746906641, "lastModified": 1764660538,
"narHash": "sha256-b6few4tkqN2TWdrZTwWOjsWxA11rle7y9pcc0/ynuoE=", "narHash": "sha256-kEWb9Hc2OxdLhJ1pRdW7zRZ57Mul3/Jpy3vyhQ8Yq6o=",
"owner": "~rycee", "owner": "~rycee",
"repo": "lazy-apps", "repo": "lazy-apps",
"rev": "0b30a0bf524a661f9657c441d021aaa5724f12ff", "rev": "4ddc92c77213f8ed3ddef1868f4a19002afa728a",
"type": "sourcehut" "type": "sourcehut"
}, },
"original": { "original": {
@ -102,11 +181,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1749195551, "lastModified": 1774465523,
"narHash": "sha256-W5GKQHgunda/OP9sbKENBZhMBDNu2QahoIPwnsF6CeM=", "narHash": "sha256-4v7HPm63Q90nNn4fgkgKsjW1AH2Klw7XzPtHJr562nM=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "4602f7e1d3f197b3cb540d5accf5669121629628", "rev": "de895be946ad1d8aafa0bb6dfc7e7e0e9e466a29",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -118,20 +197,36 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1749086602, "lastModified": 1774388614,
"narHash": "sha256-DJcgJMekoxVesl9kKjfLPix2Nbr42i7cpEHJiTnBUwU=", "narHash": "sha256-tFwzTI0DdDzovdE9+Ras6CUss0yn8P9XV4Ja6RjA+nU=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "4792576cb003c994bd7cc1edada3129def20b27d", "rev": "1073dad219cb244572b74da2b20c7fe39cb3fa9e",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nixos",
"ref": "nixos-25.05", "ref": "nixos-25.11",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-libvncserver": {
"locked": {
"lastModified": 1750111231,
"narHash": "sha256-3a7Tha/RwYlzH/v3PJrG7+HjOj4c6YOv2K8sqdGsHVQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e6f23dc08d3624daab7094b701aa3954923c6bbb",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e6f23dc08d3624daab7094b701aa3954923c6bbb",
"type": "github"
}
},
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1730741070, "lastModified": 1730741070,
@ -148,6 +243,38 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1769318308,
"narHash": "sha256-Mjx6p96Pkefks3+aA+72lu1xVehb6mv2yTUUqmSet6Q=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "1cd347bf3355fce6c64ab37d3967b4a2cb4b878c",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1774386573,
"narHash": "sha256-4hAV26quOxdC6iyG7kYaZcM3VOskcPUrdCQd/nx8obc=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "46db2e09e1d3f113a13c0d7b81e2f221c63b8ce9",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"pre-commit-hooks": { "pre-commit-hooks": {
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
@ -172,17 +299,89 @@
"type": "github" "type": "github"
} }
}, },
"proxmox-nixos": {
"inputs": {
"flake-compat": "flake-compat_2",
"nixpkgs-libvncserver": "nixpkgs-libvncserver",
"nixpkgs-stable": "nixpkgs-stable_2",
"utils": "utils"
},
"locked": {
"lastModified": 1769870714,
"narHash": "sha256-wjwCj70iiFXoAasQto+3jTaA4wCMOAs/rdX+nsmtBrQ=",
"owner": "SaumonNet",
"repo": "proxmox-nixos",
"rev": "c1f79f104930347a0b84abbca0d42884063a8c09",
"type": "github"
},
"original": {
"owner": "SaumonNet",
"repo": "proxmox-nixos",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix",
"auto-cpufreq": "auto-cpufreq", "auto-cpufreq": "auto-cpufreq",
"home-manager": "home-manager", "disko": "disko",
"home-manager": "home-manager_2",
"lazy-apps": "lazy-apps", "lazy-apps": "lazy-apps",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"systems": "systems" "nixpkgs-unstable": "nixpkgs-unstable",
"proxmox-nixos": "proxmox-nixos",
"secrets": "secrets",
"systems": "systems_3"
}
},
"secrets": {
"flake": false,
"locked": {
"lastModified": 1774571252,
"narHash": "sha256-NU/vfItTMSjaRTXe0UDzbWR8UnhkBUFU47OpqEpxKb4=",
"ref": "refs/heads/main",
"rev": "7965907ae885d77acb3c4ecc11cee096a12af868",
"revCount": 25,
"type": "git",
"url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git"
},
"original": {
"type": "git",
"url": "ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git"
} }
}, },
"systems": { "systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_3": {
"locked": { "locked": {
"lastModified": 1689347949, "lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
@ -196,6 +395,24 @@
"repo": "default-linux", "repo": "default-linux",
"type": "github" "type": "github"
} }
},
"utils": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

flake.nix

@ -1,12 +1,21 @@
{ {
description = "NixOS configuration of Julius Freudenberger"; description = "NixOS configuration of Julius Freudenberger";
nixConfig = {
extra-substituters = [
"https://cache.saumon.network/proxmox-nixos"
];
extra-trusted-public-keys = [
"proxmox-nixos:D9RYSWpQQC/msZUWphOY2I5RLH5Dd6yQcaHIuug7dWM="
];
};
inputs = { inputs = {
#nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
nixos-hardware.url = "github:NixOS/nixos-hardware/master"; nixos-hardware.url = "github:NixOS/nixos-hardware/master";
home-manager = { home-manager = {
url = "github:nix-community/home-manager/release-25.05"; url = "github:nix-community/home-manager/release-25.11";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
auto-cpufreq = { auto-cpufreq = {
@ -17,24 +26,43 @@
url = "sourcehut:~rycee/lazy-apps"; url = "sourcehut:~rycee/lazy-apps";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
proxmox-nixos.url = "github:SaumonNet/proxmox-nixos";
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
agenix = {
url = "github:ryantm/agenix";
inputs = {
nixpkgs.follows = "nixpkgs";
darwin.follows = "";
};
};
secrets = {
url = "git+ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git";
flake = false;
};
systems.url = "github:nix-systems/default-linux"; systems.url = "github:nix-systems/default-linux";
}; };
outputs = { outputs = {
self, self,
nixpkgs, nixpkgs,
#nixpkgs-unstable, nixpkgs-unstable,
nixos-hardware, nixos-hardware,
home-manager, home-manager,
auto-cpufreq, auto-cpufreq,
proxmox-nixos,
agenix,
disko,
systems, systems,
... ...
} @ inputs: let } @ inputs: let
inherit (self) outputs; inherit (self) outputs;
lib = nixpkgs.lib; lib = nixpkgs.lib;
eachSystem = lib.genAttrs (import systems);
forEachSystem = f: lib.genAttrs (import systems) (system: f pkgsFor.${system}); forEachSystem = f: lib.genAttrs (import systems) (system: f pkgsFor.${system});
pkgsFor = lib.genAttrs (import systems) ( pkgsFor = eachSystem (
system: system:
import nixpkgs { import nixpkgs {
inherit system; inherit system;
@ -54,10 +82,6 @@
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = { specialArgs = {
#pkgs-unstable = import nixpkgs-unstable {
# inherit system;
# config.allowUnfree = true;
#};
inherit inputs outputs username; inherit inputs outputs username;
}; };
@ -90,6 +114,113 @@
./hosts/backup-raspberrypi ./hosts/backup-raspberrypi
]; ];
}; };
busch = nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux";
specialArgs = {
inherit inputs outputs;
};
modules = [
./hosts/busch
disko.nixosModules.disko
proxmox-nixos.nixosModules.proxmox-ve
({...}: {
nixpkgs.overlays = [
proxmox-nixos.overlays.${system}
];
})
];
};
busch-main-docker = nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux";
specialArgs = {
inherit inputs outputs;
};
modules = [
./hosts/busch-main-docker
disko.nixosModules.disko
agenix.nixosModules.default
];
};
srv01-hf = nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux";
specialArgs = {
inherit inputs outputs;
pkgs-unstable = import nixpkgs-unstable {
inherit system;
config.allowUnfree = true;
};
};
modules = [
disko.nixosModules.disko
agenix.nixosModules.default
./hosts/srv01.hf
];
};
}; };
homeConfigurations = {
jufr2 = let
username = "jufr2";
system = "x86_64-linux";
pkgs = nixpkgs.legacyPackages.${system};
in
home-manager.lib.homeManagerConfiguration {
inherit pkgs;
extraSpecialArgs = {
inherit username;
};
modules = [
home/core.nix
home/targets/genericLinux.nix
modules/nix.nix
home/neovim/default.nix
home/zsh/default.nix
home/cli.nix
home/gui.nix
home/java-dev.nix
home/direnv/default.nix
];
};
};
devShells = eachSystem (system:
let
pkgs = nixpkgs.legacyPackages.${system};
in {
java11-maven = pkgs.mkShell { packages = with pkgs; [ maven jdk11 ]; };
java17-maven = pkgs.mkShell { packages = with pkgs; [ maven jdk17 ]; };
java21-maven = pkgs.mkShell { packages = with pkgs; [ maven jdk21 ]; };
texlive-with-pygments = pkgs.mkShell { packages = with pkgs; [ texliveFull python3Packages.pygments ]; };
php8 = pkgs.mkShell { packages = with pkgs; [
(php82.buildEnv {
extensions = ({ enabled, all }: enabled ++ (with all; [
xdebug
]));
extraConfig = ''
xdebug.mode=debug
'';
})
php82Packages.composer
];};
}
);
}; };
} }
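Review bot: The `secrets` input declared as `secrets = { url = "git+ssh://git@git.jfreudenberger.de/JuliusFreudenberger/nix-private.git"; flake = false; }` is fetched like any other flake input, so the whole private repository is copied into /nix/store, which every local user on the evaluating and the deployed machine can read; that is fine for age-encrypted files and for the non-secret usernames, principals and client id the opkssh module needs, but it means nothing in that repository may rely on git access control for confidentiality. A comment on the input stating that invariant, e.g. `# fetched into the world-readable nix store: age-encrypted files and non-secret identifiers only`, would keep a future plaintext addition out. Separately, `proxmox-nixos` and `agenix` are added without any `inputs.*.follows`, which is why the lock file now carries flake-compat_2, home-manager_2, nixpkgs-stable_2 and systems_2/systems_3; adding `inputs.home-manager.follows = "home-manager";` next to `darwin.follows = "";` on agenix would presumably drop one duplicate, whereas following proxmox-nixos's pinned nixpkgs-stable looks deliberate and is better left alone.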

home/cli.nix Normal file

@ -0,0 +1,23 @@
{
pkgs,
lib,
config,
...
}: {
home.packages = with pkgs; [
wget
curl
git
neofetch
tealdeer
pdfgrep
pdftk
p7zip
];
programs = {
htop.enable = true;
bat.enable = true;
};
}
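Review bot: The module signature `{ pkgs, lib, config, ... }:` binds `lib` and `config`, but the body uses only `pkgs`; the same unused arguments appear in home/gui.nix and home/java-dev.nix in this commit. Trimming the pattern to `{ pkgs, ... }: {` states what each module actually depends on and matches the shorter form used in home/targets/genericLinux.nix. A one-line header comment naming the module's role, e.g. `# Essential command-line tools shared by every home-manager profile`, would tie the file to its entry in the jufr2 module list in flake.nix.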

home/gui.nix Normal file

@ -0,0 +1,24 @@
{
pkgs,
lib,
config,
...
}: {
home.packages = with pkgs; [
jetbrains.idea
teams-for-linux
mate.engrampa
zotero
deezer-enhanced
];
programs = {
firefox.enable = true;
keepassxc = {
enable = true;
autostart = true;
};
};
xdg.autostart.enable = true;
}

home/java-dev.nix Normal file

@ -0,0 +1,17 @@
{
pkgs,
lib,
config,
...
}: {
home.packages = with pkgs; [
maven
gradle
];
home.extraDependencies = with pkgs; [
jdk11
jdk17
jdk21
];
}


@ -0,0 +1,7 @@
{
...
}: {
targets.genericLinux.enable = true;
}


@ -0,0 +1,42 @@
{ inputs, outputs, config, lib, pkgs, ... }:
{
imports =
[
../../modules/disko/legacy-full-ext4.nix
../../users/julius/nixos-server.nix
../../modules/nix.nix
../../modules/auto-upgrade.nix
../../modules/locale.nix
../../modules/server-cli.nix
../../modules/sshd.nix
../../modules/docker.nix
"${inputs.secrets}/modules/opkssh.nix"
# Include the results of the hardware scan.
./hardware-configuration.nix
];
# Use the GRUB 2 boot loader.
boot = {
loader.grub = {
enable = true;
};
tmp.useTmpfs = true;
};
networking.hostName = "docker-main"; # Define your hostname.
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
# Most users should NEVER change this value after the initial install, for any reason,
# even if you've upgraded your system to a new NixOS release.
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
# to actually do that.
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
# and migrated your data accordingly.
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "25.05"; # Did you read the comment?
}
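Review bot: `system.stateVersion = "25.05"` on a host that this commit introduces, while flake.nix pins nixpkgs to nixos-25.11, looks copied from an older host rather than chosen; if the machine has not been installed yet, the value should be the release it is first installed with, `system.stateVersion = "25.11";`, because the comment above it rules out changing it afterwards. The same value appears in hosts/busch/default.nix in this commit. This file section carries no path on the page; from `networking.hostName = "docker-main"` and the `./hosts/busch-main-docker` module entry in flake.nix it is presumably hosts/busch-main-docker/default.nix.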


@ -0,0 +1,17 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

hosts/busch/default.nix Normal file

@ -0,0 +1,107 @@
{ inputs, outputs, config, lib, pkgs, ... }:
{
imports =
[
./disko.nix
../../modules/nix.nix
../../modules/auto-upgrade.nix
../../modules/locale.nix
../../modules/server-cli.nix
../../modules/sshd.nix
"${inputs.secrets}/modules/opkssh.nix"
../../modules/intel-cpu.nix
# Include the results of the hardware scan.
./hardware-configuration.nix
];
# Use the GRUB 2 boot loader.
boot = {
loader.grub = {
enable = true;
};
tmp.useTmpfs = true;
};
networking.hostName = "busch"; # Define your hostname.
users = {
users = {
julius = {
isNormalUser = true;
uid = 1000;
extraGroups = [ "wheel" "julius" ];
};
};
groups = {
julius = {
gid = 1000;
};
};
};
nix.settings = {
substituters = [
"https://cache.saumon.network/proxmox-nixos"
];
trusted-public-keys = [
"proxmox-nixos:D9RYSWpQQC/msZUWphOY2I5RLH5Dd6yQcaHIuug7dWM="
];
};
services = {
proxmox-ve = {
enable = true;
ipAddress = "192.168.7.252";
# Make vmbr0 bridge visible in Proxmox web interface
bridges = [ "vmbr0" ];
};
openiscsi = {
enable = true;
name = "busch";
};
};
networking.useDHCP = false;
systemd.network = {
enable = true;
networks."10-lan" = {
matchConfig.Name = [ "enp0s25" ];
networkConfig = {
Bridge = "vmbr0";
};
};
netdevs."vmbr0" = {
netdevConfig = {
Name = "vmbr0";
Kind = "bridge";
};
};
networks."10-lan-bridge" = {
matchConfig.Name = "vmbr0";
networkConfig = {
IPv6AcceptRA = true;
DHCP = "ipv4";
};
linkConfig.RequiredForOnline = "routable";
};
};
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
# Most users should NEVER change this value after the initial install, for any reason,
# even if you've upgraded your system to a new NixOS release.
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
# to actually do that.
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
# and migrated your data accordingly.
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "25.05"; # Did you read the comment?
}
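Review bot: `services.proxmox-ve.ipAddress = "192.168.7.252"` is a fixed address, but the `10-lan-bridge` network that carries it is configured with `DHCP = "ipv4"`, so the address Proxmox binds and advertises to its cluster only matches if the DHCP server hands out exactly that lease, and nothing in the file records that dependency. Either give vmbr0 a static address, `networkConfig = { Address = "192.168.7.252/<PREFIX>"; Gateway = "<GATEWAY>"; IPv6AcceptRA = true; };` in place of `DHCP = "ipv4"`, or add a comment that a DHCP reservation for enp0s25 is required. Separately, `nix.settings.substituters` and `nix.settings.trusted-public-keys` are written to nix.conf as complete lists, which as far as the daemon is concerned replaces the built-in cache.nixos.org entry and its signing key rather than extending them; `nix.settings.extra-substituters` and `nix.settings.extra-trusted-public-keys`, the form flake.nix already uses in its nixConfig, keep the defaults. Trusting that key also lets every user of this daemon obtain any store path signed by the cache, so a one-line comment naming why it is needed (proxmox-nixos binaries) documents the supply-chain decision.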

hosts/busch/disko.nix Normal file

@ -0,0 +1,107 @@
{
disko.devices = {
disk = {
disk1 = {
type = "disk";
device = "/dev/disk/by-id/ata-Samsung_SSD_850_PRO_256GB_S251NX0H423575T";
content = {
type = "gpt";
partitions = {
MBR = {
type = "EF02"; # for grub MBR
size = "1M";
priority = 1; # Needs to be first partition
};
ESP = {
priority = 1;
name = "ESP";
size = "2G";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
crypt_p1 = {
size = "100%";
content = {
type = "luks";
name = "p1";
settings = {
allowDiscards = true;
};
};
};
};
};
};
disk2 = {
type = "disk";
device = "/dev/disk/by-id/ata-Samsung_SSD_850_PRO_256GB_S251NXAG833792N";
content = {
type = "gpt";
partitions = {
MBR = {
type = "EF02"; # for grub MBR
size = "1M";
priority = 1; # Needs to be first partition
};
ESP = {
priority = 1;
name = "ESP";
size = "2G";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot-fallback";
mountOptions = [ "umask=0077" ];
};
};
crypt_p2 = {
size = "100%";
content = {
type = "luks";
name = "p2";
settings = {
allowDiscards = true;
};
content = {
type = "btrfs";
extraArgs = [
"-d raid1"
"-m raid1"
"/dev/mapper/p1"
];
subvolumes = {
"/rootfs" = {
mountpoint = "/";
};
"/home" = {
mountOptions = [ "compress=zstd" ];
mountpoint = "/home";
};
"/nix" = {
mountOptions = [ "compress=zstd" "noatime" ];
mountpoint = "/nix";
};
"/pve-cluster" = {
mountOptions = [ "compress=zstd" ];
mountpoint = "/var/lib/pve-cluster";
};
"/swap" = {
mountpoint = "/.swapvol";
swap.swapfile.size = "32G";
};
};
};
};
};
};
};
};
};
};
}
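Review bot: `ESP` carries `priority = 1` on both disks, the same value as the `MBR` partition whose comment says it must be first; if disko orders equal priorities by attribute name (its sort runs over `attrValues`, where `ESP` precedes `MBR`), the BIOS-boot partition is no longer first and the comment is wrong. Dropping the explicit priority on `ESP` (disko's default for a sized partition is well above 1) or writing `priority = 2;` restores the intended order. The same `priority = 1` pair appears in the efi-full-btrfs and ext4 disko layouts later in this compare. `crypt_p1` has no `content`, which is correct because `/dev/mapper/p1` is consumed by the raid1 btrfs under `crypt_p2`; a one-line comment such as `# member of the raid1 btrfs created under disk2/crypt_p2` saves the next reader a search.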


@ -0,0 +1,22 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "ehci_pci" "mpt3sas" "usbhid" "usb_storage" "sr_mod" ];
boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.kernelParams = [ "intel_iommu=on" "iommu=pt" "vfio-pci.ids=1000:0087" ];
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
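Review bot: The VFIO `boot.initrd.kernelModules` list and `boot.kernelParams` with `vfio-pci.ids=1000:0087` are hand edits in a file whose header says nixos-generate-config may overwrite it, so a re-run would silently drop the IOMMU/passthrough setup. Moving those two lines into `configuration.nix` (or a small `vfio.nix` imported from it) keeps the generated file pristine. The bound ID is presumably the SAS HBA that terraform maps into the truenas VM (`mapped_pcie_devices = ["HBA"]`); a comment naming the device, e.g. `# bind the SAS HBA to vfio-pci for passthrough to the truenas VM`, makes the binding auditable.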


@ -0,0 +1,98 @@
{ inputs, outputs, config, lib, pkgs, ... }:
{
imports =
[
../../modules/disko/efi-full-btrfs.nix
./secrets.nix
../../users/julius/nixos-server.nix
../../users/nixremote.nix
../../modules/nix.nix
../../modules/network-server.nix
../../modules/locale.nix
../../modules/server-cli.nix
../../modules/sshd.nix
../../modules/qemu-guest.nix
../../modules/docker.nix
../../modules/teleport.nix
../../modules/portainer_agent.nix
../../modules/pangolin.nix
../../modules/newt.nix
../../modules/dockhand.nix
../../modules/auto-upgrade.nix
"${inputs.secrets}/modules/opkssh.nix"
# Include the results of the hardware scan.
./hardware-configuration.nix
];
services.openssh.openFirewall = false;
services.teleport = {
enable = true;
settings.teleport = {
ca_pin = config.age.secrets."teleport-ca_pin".path;
auth_token = config.age.secrets."teleport-join_token".path;
};
};
virtualisation.oci-containers.containers.portainer_agent.environmentFiles = [ config.age.secrets."portainer-join_token".path ];
services = {
pangolin = {
dnsProvider = "netcup";
baseDomain = "juliusfr.eu";
letsEncryptEmail = "contact@jfreudenberger.de";
environmentFile = config.age.secrets."pangolin".path;
};
traefik = {
environmentFiles = [ config.age.secrets."netcup-dns".path ];
};
};
services.newt-docker = {
enable = true;
pangolinEndpoint = "https://pangolin.juliusfr.eu";
connectionSecret = config.age.secrets."newt";
};
services.dockhand = {
enable = true;
appUrl = "dockhand.juliusfr.eu";
};
systemd.network = {
enable = true;
networks."10-wan" = {
matchConfig.Name = "ens18";
networkConfig.DHCP = "no";
address = [
"77.90.17.93/24"
"2a06:de00:100:63::2/64"
];
routes = [
{ Gateway = "77.90.17.1"; }
{ Gateway = "2a06:de00:100::1"; GatewayOnLink = true; }
];
dns = [ "9.9.9.9" ];
};
};
# Disable classic networking configuration
networking.useDHCP = lib.mkForce false;
networking.hostName = "srv01-hf"; # Define your hostname.
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
# Most users should NEVER change this value after the initial install, for any reason,
# even if you've upgraded your system to a new NixOS release.
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
# to actually do that.
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
# and migrated your data accordingly.
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "25.05"; # Did you read the comment?
}


@ -0,0 +1,24 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -0,0 +1,11 @@
{ inputs, ... }:
{
age.secrets = {
teleport-ca_pin.file = "${inputs.secrets}/secrets/teleport/ca_pin";
teleport-join_token.file = "${inputs.secrets}/secrets/srv01-hf/teleport_auth_token";
portainer-join_token.file = "${inputs.secrets}/secrets/srv01-hf/portainer_join_token";
netcup-dns.file = "${inputs.secrets}/secrets/dns-management/netcup";
pangolin.file = "${inputs.secrets}/secrets/srv01-hf/pangolin";
newt.file = "${inputs.secrets}/secrets/srv01-hf/newt";
};
}

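--- a/modules/arcane.nix
+++ b/modules/arcane.nix
@@ -0,0 +1,64 @@
+{
+config,
+lib,
+...
+}:
+let
+cfg = config.services.arcane;
+in {
+options.services.arcane = {
+enable = lib.mkEnableOption "arcane, a modern Docker management UI";
+appUrl = lib.mkOption {
+description = "External URL arcane will be reachable from, without protocol";
+type = lib.types.str;
+};
+secretFile = lib.mkOption {
+description = ''
+Agenix secret containing the following needed environment variables in dotenv notation:
+- ENCRYPTION_KEY
+- JWT_SECRET
+- OIDC_CLIENT_ID
+- OIDC_CLIENT_SECRET
+- OIDC_ISSUER_URL
+- OIDC_ADMIN_CLAIM
+- OIDC_ADMIN_VALUE
+'';
+};
+};
+config = lib.mkIf cfg.enable {
+virtualisation.oci-containers.containers = {
+arcane = {
+image = "ghcr.io/getarcaneapp/arcane:v1.11.2";
+volumes = [
+"/var/run/docker.sock:/var/run/docker.sock"
+];
+environment = {
+APP_URL = "https://${cfg.appUrl}";
+PUID = "1000";
+PGID = "1000";
+LOG_LEVEL = "info";
+LOG_JSON = "false";
+OIDC_ENABLED = "true";
+OIDC_SCOPES = "openid email profile groups";
+DATABASE_URL = "file:data/arcane.db?_pragma=journal_mode(WAL)&_pragma=busy_timeout(2500)&_txlock=immediate";
+};
+environmentFiles = [
+cfg.secretFile.path
+];
+networks = [
+"traefik"
+];
+labels = {
+"traefik.enable" = "true";
+"traefik.http.routers.arcane.middlewares" = "arcane-oidc-auth@file";
+"traefik.http.routers.arcane.rule" = "Host(`${cfg.appUrl}`)";
+"traefik.http.services.arcane.loadbalancer.server.port" = "3552";
+};
+extraOptions = [
+''--mount=type=volume,source=arcane-data,target=/app/data,volume-driver=local''
+];
+};
+};
+};
+}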
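Review bot: `/var/run/docker.sock` is bind-mounted read-write into the arcane container (L1557), which gives anything that compromises the container root-equivalent control of the host; the `arcane-oidc-auth@file` middleware gates the UI, not this path. A `:ro` flag would not help (the Docker API remains fully reachable over the socket), so the mitigation is a socket-proxy container that allowlists the API endpoints arcane needs, or running arcane only on a host that holds nothing else. The same mount appears in dockhand, newt, portainer_agent and traefik in this series. `secretFile` also has no `type`; declaring `type = lib.types.attrs;` and stating in the description that `.path` is read would catch a host passing a bare path (the traefik module's `mTLSCaCertSecret` has the same gap).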

37
modules/auto-upgrade.nix Normal file

@ -0,0 +1,37 @@
{
inputs,
pkgs,
...
}: {
system.autoUpgrade = {
enable = true;
flags = [
"--recreate-lock-file" # Deprecated, but will hopefully be reintroduced
"-L"
];
flake = inputs.self.outPath;
dates = "02:00";
randomizedDelaySec = "45min";
allowReboot = true;
rebootWindow = {
lower = "01:00";
upper = "05:00";
};
};
# Also needs access to the nix-private repo which contains the encrypted secrets
programs.ssh = {
extraConfig = "
Host git.jfreudenberger.de
Port 222
User git
IdentityFile /etc/ssh/ssh_host_ed25519_key
";
knownHostsFiles = [
(pkgs.writeText "forgejo.keys" ''[git.jfreudenberger.de]:222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+uqIeb9+AoqwD0Z6xLKI2dsRoS9Qh/VwboYfGpBJd+
[git.jfreudenberger.de]:222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8GDSt4LsCzOoIZkqZRLgXyTLyHoJu62cFFP88i8GpSadyV6mJPkK5p2mgBzN/BM9I/G2VWfvqdM8Fy/7p3S8kDhmmkOk1AK7C/+qaQKsKcQauJuzNXlwMHG1Ivath80TO9PIQc9jYakP9xl8SACd5bwkvfEm3rS5awZ8T2hWgnsgO8pFHFOFmFnVbujXZk58FVTCxpgyPqjFv76JSYxpHk1VtiQ52jScsreOImEOWWg88f9IM9etWcshuxte4zudaqc2KjjAB6pYMuVj7O6cwMXKjCUxTzyomWjr2JoEruIslifbZ6bJGgswg5ENJSKURuMPgTuGM6Nrjp75V/yFD
[git.jfreudenberger.de]:222 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOS447cAWRZgHPs6MOoRS6/J66oY753QPiM7BI63/qNDd5qrCan153dJd5lBGwDR0vMWiV/0cmzuACfP5QS1Lv8=
'')
];
};
}
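Review bot: `IdentityFile /etc/ssh/ssh_host_ed25519_key` reuses the machine's SSH host key as the client identity for the private secrets repo, so the host key doubles as a Forgejo deploy credential; a dedicated read-only deploy key (agenix-managed or generated per host) keeps the two roles apart and lets repo access be revoked without rotating the host identity. `--recreate-lock-file` together with `allowReboot = true` means every nightly run follows all flake inputs to their latest revisions with no review step, as far as nix honours the flag on a store-path flake; that is a supply-chain exposure worth recording, e.g. `# nightly runs track unpinned inputs; a broken or compromised upstream is applied and rebooted into automatically`. The pinned `knownHostsFiles` entries are good: they avoid a first-use trust prompt failing the unit and pin the forge's host keys.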


@ -0,0 +1,61 @@
{
disko.devices = {
disk = {
sda = {
type = "disk";
device = "/dev/sda";
content = {
type = "gpt";
partitions = {
MBR = {
type = "EF02"; # for grub MBR
size = "1M";
priority = 1; # Needs to be first partition
};
ESP = {
priority = 1;
name = "ESP";
size = "500M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
root = {
size = "100%";
content = {
type = "btrfs";
extraArgs = [ "-f" ]; # Override existing partition
# Subvolumes must set a mountpoint in order to be mounted,
# unless their parent is mounted
subvolumes = {
# Subvolume name is different from mountpoint
"/rootfs" = {
mountpoint = "/";
};
# Subvolume name is the same as the mountpoint
"/home" = {
mountOptions = [ "compress=zstd" ];
mountpoint = "/home";
};
# Sub(sub)volume doesn't need a mountpoint as its parent is mounted
"/home/julius" = { };
# Parent is not mounted so the mountpoint must be set
"/nix" = {
mountOptions = [ "compress=zstd" "noatime" ];
mountpoint = "/nix";
};
};
mountpoint = "/partition-root";
};
};
};
};
};
};
};
}


@ -0,0 +1,28 @@
{
disko.devices = {
disk = {
sda = {
type = "disk";
device = "/dev/sda";
content = {
type = "gpt";
partitions = {
MBR = {
type = "EF02"; # for grub MBR
size = "1M";
priority = 1; # Needs to be first partition
};
root = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
};
}


@ -4,8 +4,15 @@
... ...
}: { }: {
virtualisation.docker = { virtualisation = {
enable = true; docker = {
enable = true;
daemon.settings = {
ipv6 = true;
ip6tables = true;
};
};
oci-containers.backend = "docker";
}; };
} }
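Review bot: `ipv6 = true` with `ip6tables = true` lets Docker publish `ports` mappings on the host's IPv6 addresses as well (for networks with IPv6 enabled), through Docker's own ip6tables chains that `networking.firewall` does not govern; a host that relies on `openFirewall = false` for a service still exposes whatever a container publishes, now on both address families. Confirm that is intended for the public srv01-hf address, and check whether the daemon version in use auto-assigns a ULA prefix or needs `fixed-cidr-v6` in `daemon.settings` (older daemons refuse to start without it). The module header is outside the hunk.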

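--- a/modules/dockhand.nix
+++ b/modules/dockhand.nix
@@ -0,0 +1,46 @@
+{
+config,
+lib,
+...
+}:
+let
+cfg = config.services.dockhand;
+in {
+options.services.dockhand = {
+enable = lib.mkEnableOption "dockhand, a powerful, intuitive Docker platform";
+appUrl = lib.mkOption {
+description = "External URL dockhand will be reachable from, without protocol";
+type = lib.types.str;
+};
+};
+config = lib.mkIf cfg.enable {
+virtualisation.oci-containers.containers = {
+dockhand = {
+image = "fnsys/dockhand:v1.0.12";
+volumes = [
+"/var/run/docker.sock:/var/run/docker.sock"
+];
+environment = {
+PUID = "1000";
+PGID = "1000";
+};
+networks = [
+"pangolin"
+];
+labels = {
+"pangolin.public-resources.dockhand.name" = "dockhand";
+"pangolin.public-resources.dockhand.full-domain" = cfg.appUrl;
+"pangolin.public-resources.dockhand.protocol" = "http";
+"pangolin.public-resources.dockhand.auth.sso-enabled" = "true";
+"pangolin.public-resources.dockhand.auth.auto-login-idp" = "1";
+"pangolin.public-resources.dockhand.targets[0].method" = "http";
+};
+extraOptions = [
+''--mount=type=volume,source=dockhand-data,target=/app/data,volume-driver=local''
+''--group-add=131'' # docker group
+];
+};
+};
+};
+}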
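Review bot: `--group-add=131` hard-codes the docker group's GID; NixOS exposes it as `config.ids.gids.docker`, so `''--group-add=${toString config.ids.gids.docker}''` keeps the trailing comment true and documents itself. That group is what lets PUID 1000 inside the container use the read-write `/var/run/docker.sock` mount, which is root-equivalent on the host, and the container is published through pangolin with `auth.sso-enabled = "true"` — the SSO gate is the only thing between the internet and that socket, so a socket proxy limiting the API surface would narrow it. `fnsys/dockhand:v1.0.12` is pinned by tag only; a digest pin (`image@sha256:...`) keeps the nightly auto-upgrade reproducible.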


@ -8,6 +8,7 @@
font-awesome font-awesome
terminus_font terminus_font
dlrg-fonts dlrg-fonts
fira
]; ];
} }


@ -4,9 +4,8 @@
... ...
}: { }: {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
jetbrains.idea-ultimate jetbrains.idea
jetbrains.pycharm-professional jetbrains.pycharm
jetbrains.phpstorm
vscodium-fhs vscodium-fhs
zed-editor.fhs zed-editor.fhs


@ -18,7 +18,7 @@
lightlocker lightlocker
xautolock # lock screen after some time xautolock # lock screen after some time
i3status # provide information to i3bar i3status # provide information to i3bar
i3-gaps # i3 with gaps i3 # i3 with gaps
nitrogen # set wallpaper nitrogen # set wallpaper
acpi # battery information acpi # battery information
arandr # screen layout manager arandr # screen layout manager

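--- a/modules/intel-cpu.nix
+++ b/modules/intel-cpu.nix
@@ -0,0 +1,12 @@
+{
+pkgs,
+...
+}: {
+hardware.graphics = {
+enable = true;
+extraPackages = with pkgs; [
+intel-media-driver # Enable Hardware Acceleration
+vpl-gpu-rt # Enable QSV
+];
+};
+}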

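--- a/modules/k3s.nix
+++ b/modules/k3s.nix
@@ -0,0 +1,28 @@
+{
+pkgs,
+lib,
+...
+}: {
+services.k3s = {
+enable = true;
+role = "server";
+token = "verysecrettoken";
+extraFlags = toString ([
+"--write-kubeconfig-mode \"0644\""
+"--disable servicelb"
+"--disable traefik"
+"--disable local-storage"
+]);
+};
+networking.firewall.allowedTCPPorts = [
+6443
+2379
+2380
+];
+networking.firewall.allowedUDPPorts = [
+8472
+];
+}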
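Review bot: `token = "verysecrettoken"` puts the k3s cluster join token in the repo and in the world-readable Nix store, and anyone who can reach 6443 (opened on all interfaces on L1868) with it can join the cluster as a server; take `config` in the module arguments and use `tokenFile = config.age.secrets."<k3s-token-secret>".path;` instead, and treat the literal as burned if it was ever applied. `--write-kubeconfig-mode "0644"` makes the admin kubeconfig readable by every local user; the default mode or `0600` keeps cluster-admin credentials root-only. 2379/2380 are etcd peer/client ports and are normally restricted to the cluster nodes rather than all sources. `pkgs` and `lib` in the header are unused.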


@ -4,12 +4,12 @@
... ...
}: { }: {
boot.kernelPackages = pkgs.linuxKernel.packages.linux_zen; boot.kernelPackages = pkgs.linuxPackages_latest;
services.logind = { services.logind.settings.Login = {
lidSwitch = "suspend-then-hibernate"; HandleLidSwitch= "suspend-then-hibernate";
lidSwitchDocked = "suspend-then-hibernate"; HandleLidSwitchDocked = "suspend-then-hibernate";
powerKey = "ignore"; HandlePowerKey = "ignore";
}; };
programs.auto-cpufreq.enable = true; programs.auto-cpufreq.enable = true;


@ -13,19 +13,7 @@
firewall = { firewall = {
# if packets are still dropped, they will show up in dmesg # if packets are still dropped, they will show up in dmesg
logReversePathDrops = true; logReversePathDrops = true;
# wireguard trips rpfilter up checkReversePath = "loose";
extraCommands = ''
iptables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 1194 -j RETURN
ip6tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --sport 1194 -j RETURN
iptables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 1194 -j RETURN
ip6tables -t mangle -I nixos-fw-rpfilter -p udp -m udp --dport 1194 -j RETURN
'';
extraStopCommands = ''
iptables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 1194 -j RETURN || true
ip6tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --sport 1194 -j RETURN || true
iptables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 1194 -j RETURN || true
ip6tables -t mangle -D nixos-fw-rpfilter -p udp -m udp --dport 1194 -j RETURN || true
'';
}; };
}; };
} }
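Review bot: `checkReversePath = "loose"` swaps the per-port rpfilter exceptions for a host-wide relaxation: loose mode only requires that some route back to the source exists, so packets spoofing an address reachable via another interface are no longer dropped on any interface, not just for the WireGuard port. That is common and usually acceptable on a roaming laptop, but the reason should survive in the file, e.g. `# loose rpfilter: strict mode drops WireGuard traffic when the tunnel and the default route disagree`. Keeping `logReversePathDrops = true` is still useful, since in loose mode it will now only fire on truly unroutable sources. The `networking` block starts outside the hunk.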


@ -5,5 +5,6 @@
}: { }: {
networking = { networking = {
useDHCP = true; useDHCP = true;
firewall.allowPing = false;
}; };
} }

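--- a/modules/newt.nix
+++ b/modules/newt.nix
@@ -0,0 +1,72 @@
+{
+pkgs,
+config,
+lib,
+...
+}:
+let
+cfg = config.services.newt-docker;
+in {
+options.services.newt-docker = {
+enable = lib.mkEnableOption "Newt, user space tunnel client for Pangolin";
+pangolinEndpoint = lib.mkOption {
+description = "External URL of the Pangolin instance";
+type = lib.types.str;
+};
+connectionSecret = lib.mkOption {
+description = "Secrets for Pangolin authentication.";
+type = lib.types.anything;
+};
+};
+config = lib.mkIf cfg.enable {
+virtualisation.oci-containers.containers = {
+newt = {
+image = "fosrl/newt:1.9.0";
+autoStart = true;
+networks = [
+"pangolin"
+];
+environment = {
+PANGOLIN_ENDPOINT = cfg.pangolinEndpoint;
+DOCKER_SOCKET = "/var/run/docker.sock";
+};
+environmentFiles = [ cfg.connectionSecret.path ];
+volumes = [
+"/var/run/docker.sock:/var/run/docker.sock:ro"
+];
+extraOptions = [
+"--add-host=host.docker.internal:host-gateway"
+];
+};
+};
+systemd.services."docker-newt" = {
+after = [
+"docker-network-newt.service"
+];
+requires = [
+"docker-network-newt.service"
+];
+};
+systemd.services."docker-network-newt" = {
+path = [ pkgs.docker ];
+serviceConfig = {
+Type = "oneshot";
+};
+script = ''
+docker network inspect pangolin || docker network create pangolin --ipv4 --ipv6 --subnet=172.18.0.0/16 --gateway=172.18.0.1
+'';
+};
+networking.firewall.extraCommands = ''
+iptables -A INPUT -p icmp --source 100.89.128.0/24 -j ACCEPT
+iptables -A INPUT -p tcp --source 172.18.0.0/12 --dport 22 -j ACCEPT
+'';
+};
+}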
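Review bot: `iptables -A INPUT -p tcp --source 172.18.0.0/12 --dport 22 -j ACCEPT` (L1988) admits SSH from 172.16.0.0/12 — the whole RFC1918 /12, not just the `pangolin` network created two lines above with `--subnet=172.18.0.0/16` — and only for IPv4 although the network is created with `--ipv6`; `--source 172.18.0.0/16` matches the stated intent. Rules appended straight to `INPUT` from `extraCommands` are not undone by the firewall's stop script, so a reload can stack duplicates; the matching `extraStopCommands` with `iptables -D ... || true` (the pattern the old network.nix used for rpfilter) keeps the ruleset clean. `connectionSecret` is `lib.types.anything` and dereferenced as `.path` (L1960); `lib.types.path` with callers passing `.path` matches how the other modules take secrets and fails early on a wrong value. The traefik module creates its `traefik` network with the identical `172.18.0.0/16` subnet, so the two modules cannot be enabled on one host without the second `docker network create` failing on overlap.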


@ -5,6 +5,7 @@
}: { }: {
# do garbage collection weekly to keep disk usage low # do garbage collection weekly to keep disk usage low
nix = { nix = {
package = pkgs.nix;
settings = { settings = {
experimental-features = ["nix-command" "flakes"]; experimental-features = ["nix-command" "flakes"];
}; };

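--- a/modules/opkssh.sample.nix
+++ b/modules/opkssh.sample.nix
@@ -0,0 +1,18 @@
+{
+...
+}: {
+services.opkssh = {
+enable = true;
+providers = {
+pocket-id = {
+issuer = "https://example.com";
+clientId = "";
+lifetime = "12h";
+};
+};
+authorizations = [
+{ user = "<username>"; principal = "<email>"; issuer = "https://example.com"; }
+];
+};
+}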

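--- a/modules/pangolin.nix
+++ b/modules/pangolin.nix
@@ -0,0 +1,53 @@
+{
+pkgs-unstable,
+utils,
+config,
+lib,
+...
+}: {
+services = {
+pangolin = {
+enable = true;
+package = pkgs-unstable.fosrl-pangolin;
+openFirewall = true;
+settings = {
+app = {
+save_logs = true;
+log_failed_attempts = true;
+};
+domains = {
+domain1 = {
+prefer_wildcard_cert = true;
+};
+};
+flags = {
+disable_signup_without_invite = true;
+disable_user_create_org = true;
+};
+};
+};
+};
+systemd.services.gerbil.serviceConfig.ExecStart = lib.mkForce (utils.escapeSystemdExecArgs [
+(lib.getExe pkgs-unstable.fosrl-gerbil)
+"--reachableAt=http://localhost:${toString config.services.gerbil.port}"
+"--generateAndSaveKeyTo=${toString config.services.pangolin.dataDir}/config/key"
+"--remoteConfig=http://localhost:3001/api/v1/gerbil/get-config"
+]);
+}
+# Settings needed on the host
+#
+# services = {
+# pangolin = {
+# dnsProvider = "";
+# baseDomain = "";
+# letsEncryptEmail = "";
+# environmentFile = config.age.secrets."".path;
+# };
+# traefik = {
+# environmentFiles = [ config.age.secrets."".path ];
+# };
+# };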
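Review bot: `--remoteConfig=http://localhost:3001/api/v1/gerbil/get-config` hard-codes pangolin's internal API port while the line above derives gerbil's own port from `config.services.gerbil.port`; if the pangolin module exposes that port in `settings` (pangolin's `server.internal_port` defaults to 3001), reference it the same way so the two cannot drift. `lib.mkForce` on `ExecStart` replaces the upstream unit command wholesale, so flags the nixpkgs module adds later are silently lost; a short comment stating why the override exists (presumably the flag set of the unstable gerbil binary) would help the next upgrade. `openFirewall = true` opens pangolin's ports on every interface, which on srv01-hf is a public address — expected for a reverse proxy, but worth a comment next to that host's `services.openssh.openFirewall = false` so the contrast is deliberate.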


@ -0,0 +1,21 @@
{
...
}: {
virtualisation.oci-containers.containers = {
portainer_agent = {
image = "portainer/agent:2.33.2";
volumes = [
"/var/run/docker.sock:/var/run/docker.sock"
"/var/lib/docker/volumes:/var/lib/docker/volumes"
"/:/host"
];
environment = {
EDGE = "1";
CAP_HOST_MANAGEMENT = "1";
};
extraOptions = [
''--mount=type=volume,source=portainer_agent,target=/data,volume-driver=local''
];
};
};
}
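Review bot: `"/:/host"` bind-mounts the entire host root filesystem read-write into the agent container, alongside a read-write `/var/run/docker.sock` and `CAP_HOST_MANAGEMENT = "1"`, so the agent — and the Edge tunnel that reaches it — holds unrestricted host access. If Portainer's host-management features are not used, drop the `/:/host` mount; otherwise make it `"/:/host:ro"` and record which feature needs it. The image is pinned to `portainer/agent:2.33.2` by tag; a digest pin is worth it for a container with this much privilege. No `networks` is set, so it lands on Docker's default bridge rather than the `pangolin`/`traefik` networks the other modules use — fine if only the Edge tunnel reaches it, but a comment saying so would help.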

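--- a/modules/qemu-guest.nix
+++ b/modules/qemu-guest.nix
@@ -0,0 +1,7 @@
+{
+...
+}: {
+services.qemuGuest.enable = true;
+}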

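--- a/modules/sshd.nix
+++ b/modules/sshd.nix
@@ -0,0 +1,19 @@
+{
+pkgs,
+lib,
+...
+}: {
+services = {
+openssh = {
+enable = true;
+settings = {
+PasswordAuthentication = false;
+PermitRootLogin = "no";
+};
+};
+fail2ban = {
+enable = true;
+bantime = "1h";
+};
+};
+}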
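Review bot: `PasswordAuthentication = false` does not by itself disable password logins on NixOS, because `services.openssh.settings.KbdInteractiveAuthentication` defaults to true and PAM keyboard-interactive still accepts passwords; add `KbdInteractiveAuthentication = false;` beside it to get key/opkssh-only access. With fail2ban enabled, consider `ignoreIP` for the management ranges (the newt module admits SSH from the Docker network) and an explicit `maxretry`, so a misbehaving tunnel client cannot ban the only admin path. `pkgs` and `lib` in the module header are unused.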

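--- a/modules/systemd-boot.nix
+++ b/modules/systemd-boot.nix
@@ -0,0 +1,15 @@
+{
+...
+}: {
+boot = {
+loader = {
+systemd-boot = {
+enable = true;
+};
+efi.canTouchEfiVariables = true;
+};
+tmp.useTmpfs = true;
+};
+}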

221
modules/traefik.nix Normal file

@ -0,0 +1,221 @@
{
pkgs,
config,
lib,
...
}:
let
cfg = config.services.traefik-docker;
mapOidcClientNameToEnv = stringToReplace: lib.replaceString "-" "_" (lib.toUpper stringToReplace);
traefik-mtls-config = (pkgs.formats.yaml { }).generate "traefik-mtls-config" {
tls.options.default.clientAuth = {
caFiles = "caFiles/root_ca.crt";
clientAuthType = "VerifyClientCertIfGiven";
};
};
in {
options.services.traefik-docker = {
enable = lib.mkEnableOption "traefik web server hosted as OCI container";
dashboardUrl = lib.mkOption {
description = "External URL the traefik dashboard will be reachable from, without protocol";
type = lib.types.str;
};
dnsSecrets = lib.mkOption {
description = "Secrets for DNS providers.";
type = lib.types.listOf lib.types.anything;
};
mTLSCaCertSecret = lib.mkOption {
description = "Agenix secret containing the CA file to verify client certificates against.";
};
oidcAuthProviderUrl = lib.mkOption {
description = "Provider URL of OIDC auth provider.";
type = lib.types.str;
};
oidcClients = lib.mkOption {
example = ''
immich = {
scopes = [
"openid"
"email"
"profile"
];
enableBypassUsingClientCertificate = true;
usePkce = true;
};
'';
description = "Attribute set of OIDC clients with their configurations.";
type = lib.types.attrsOf (
lib.types.submodule {
options = {
secret = lib.mkOption {
description = ''Agenix secret containing the following needed environment variables in dotenv notation:
- <clientName>_OIDC_AUTH_SECRET
- <clientName>_OIDC_AUTH_PROVIDER_CLIENT_ID
- <clientName>_OIDC_CLIENT_SECRET
'';
};
scopes = lib.mkOption {
default = [ "openid" ];
example = [ "openid" "email" "profile" "groups" ];
description = "OIDC scopes to request from auth provider.";
type = lib.types.listOf lib.types.str;
};
usePkce = lib.mkOption {
default = true;
description = "Whether to enable PKCE for this provider.";
type = lib.types.bool;
};
enableBypassUsingClientCertificate = lib.mkOption {
default = false;
description = "Whether to allow bypassing OIDC protection when a verified client certificate is presented.";
type = lib.types.bool;
};
useClaimsFromUserInfo = lib.mkOption {
default = false;
description = "When enabled, an additional request to the provider's userinfo_endpoint is made to validate the token and to retrieve additional claims. The userinfo claims are merged directly into the token claims, with userinfo values overriding token values for non-security-critical claims.";
type = lib.types.bool;
};
headers = lib.mkOption {
default = [];
description = "Headers to be added to the upstream request. Templating is possible. Documentation can be found here: https://traefik-oidc-auth.sevensolutions.cc/docs/getting-started/middleware-configuration";
type = lib.types.listOf (lib.types.submodule {
options = {
Name = lib.mkOption {
description = "The name of the header which should be added to the upstream request.";
type = lib.types.str;
};
Value = lib.mkOption {
description = "The value of the header, which can use Go-Templates.";
type = lib.types.str;
};
};
});
};
};
}
);
};
};
config = lib.mkIf cfg.enable {
virtualisation.oci-containers.containers = {
traefik = {
image = "traefik:v3.6.6";
cmd = [
"--providers.docker=true"
"--providers.docker.exposedByDefault=false"
"--providers.docker.network=traefik"
"--providers.file.directory=/dynamic-config"
"--log.level=INFO"
"--api=true"
"--ping=true"
"--entrypoints.web.address=:80"
"--entrypoints.websecure.address=:443"
"--entrypoints.websecure.transport.respondingTimeouts.readTimeout=600s"
"--entrypoints.websecure.transport.respondingTimeouts.idleTimeout=600s"
"--entrypoints.websecure.transport.respondingTimeouts.writeTimeout=600s"
"--entrypoints.web.http.redirections.entrypoint.to=websecure"
"--entrypoints.websecure.asDefault=true"
"--entrypoints.websecure.http.middlewares=strip-mtls-headers@docker,pass-tls-client-cert@docker"
"--entrypoints.websecure.http.tls.certresolver=letsencrypt"
"--certificatesresolvers.letsencrypt.acme.storage=/certs/acme.json"
"--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
"--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=netcup"
"--experimental.plugins.traefik-oidc-auth.modulename=github.com/sevensolutions/traefik-oidc-auth"
"--experimental.plugins.traefik-oidc-auth.version=v0.17.0"
];
autoStart = true;
ports = [
"80:80"
"443:443"
];
networks = [
"traefik"
];
environment = {
OIDC_AUTH_PROVIDER_URL = cfg.oidcAuthProviderUrl;
};
environmentFiles = lib.forEach cfg.dnsSecrets (secret: secret.path) ++ (lib.mapAttrsToList (oidcClientName: oidcClientConfig: oidcClientConfig.secret.path) cfg.oidcClients);
labels = {
"traefik.enable" = "true";
"traefik.http.routers.dashboard.rule" = "Host(`${cfg.dashboardUrl}`)";
"traefik.http.routers.dashboard.service" = "dashboard@internal";
"traefik.http.routers.dashboard.middlewares" = "traefik-dashboard-oidc-auth@file";
"traefik.http.routers.api.rule" = "Host(`${cfg.dashboardUrl}`) && (PathPrefix(`/api`) || PathPrefix(`/oidc/callback`))";
"traefik.http.routers.api.service" = "api@internal";
"traefik.http.routers.api.middlewares" = "traefik-dashboard-oidc-auth@file";
"traefik.http.middlewares.strip-mtls-headers.headers.customrequestheaders.X-Forwarded-Tls-Client-Cert" = "";
"traefik.http.middlewares.pass-tls-client-cert.passtlsclientcert.pem" = "true";
};
volumes = let
oidc-config = lib.mapAttrs' (
oidcClientName: oidcClientConfig:
lib.nameValuePair "${oidcClientName}-oidc-auth" {
plugin.traefik-oidc-auth = {
LogLevel = "INFO";
Secret = ''{{ env "${mapOidcClientNameToEnv oidcClientName}_OIDC_AUTH_SECRET" }}'';
Provider = {
Url = ''{{ env "OIDC_AUTH_PROVIDER_URL" }}'';
ClientId = ''{{ env "${mapOidcClientNameToEnv oidcClientName}_OIDC_AUTH_PROVIDER_CLIENT_ID" }}'';
ClientSecret = ''{{ env "${mapOidcClientNameToEnv oidcClientName}_OIDC_AUTH_PROVIDER_CLIENT_SECRET" }}'';
UsePkce = oidcClientConfig.usePkce;
UseClaimsFromUserInfo = oidcClientConfig.useClaimsFromUserInfo;
};
Scopes = oidcClientConfig.scopes;
LoginUrl = ''{{ env "OIDC_AUTH_PROVIDER_URL" }}'';
} // (lib.attrsets.optionalAttrs oidcClientConfig.enableBypassUsingClientCertificate {
BypassAuthenticationRule = "HeaderRegexp(`X-Forwarded-Tls-Client-Cert`, `.+`)";
}) // (lib.attrsets.optionalAttrs ((lib.length oidcClientConfig.headers) > 0) {
Headers = oidcClientConfig.headers;
});
}
) cfg.oidcClients;
traefik-oidc-authentication-config = (pkgs.formats.yaml {}).generate "traefik-oidc-auth" {
http.middlewares = oidc-config;
};
in [
"/var/run/docker.sock:/var/run/docker.sock"
"${traefik-oidc-authentication-config}:/dynamic-config/traefik-oidc-auth.yaml:ro"
"${traefik-mtls-config}:/dynamic-config/traefik-mtls.yaml:ro"
"${cfg.mTLSCaCertSecret.path}:/caFiles/root_ca.crt:ro"
];
extraOptions = [
''--mount=type=volume,source=certs,target=/certs,volume-driver=local''
"--add-host=host.docker.internal:host-gateway"
"--health-cmd=wget --spider --quiet http://localhost:8080/ping"
"--health-interval=10s"
"--health-timeout=5s"
"--health-retries=3"
"--health-start-period=5s"
];
};
};
systemd.services."docker-traefik" = {
after = [
"docker-network-traefik.service"
];
requires = [
"docker-network-traefik.service"
];
};
systemd.services."docker-network-traefik" = {
path = [ pkgs.docker ];
serviceConfig = {
Type = "oneshot";
};
script = ''
docker network inspect traefik || docker network create traefik --ipv4 --ipv6 --subnet=172.18.0.0/16 --gateway=172.18.0.1
'';
};
networking.firewall.extraCommands = "iptables -t nat -I PREROUTING -s 172.18.0.0/16 -d 172.18.0.0/16 -j MASQUERADE";
};
}
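Review bot: `iptables -t nat -I PREROUTING -s 172.18.0.0/16 -d 172.18.0.0/16 -j MASQUERADE` (L2375) is rejected by iptables, because the MASQUERADE target is only valid in the POSTROUTING chain; if the intent is hairpin NAT for container-to-container traffic via the published ports, the rule belongs in `POSTROUTING`, and like the newt module it needs a matching `extraStopCommands` so firewall reloads do not stack copies. The `secret` option's description (L2220) promises `<clientName>_OIDC_CLIENT_SECRET` but the generated middleware reads `<clientName>_OIDC_AUTH_PROVIDER_CLIENT_SECRET` (L2325); align the docstring with the code so operators do not ship a secret file the plugin ignores. `--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=netcup` is hard-coded while `dnsSecrets` accepts a list of providers; either a `dnsProvider` option or a comment stating netcup is the only supported resolver keeps the interface honest. The mTLS bypass looks sound as written: `strip-mtls-headers` runs before `pass-tls-client-cert` on the entrypoint, so a client cannot inject `X-Forwarded-Tls-Client-Cert` to satisfy `BypassAuthenticationRule`.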


@ -5,9 +5,7 @@
}: { }: {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
typst typst
typstfmt typstyle
texliveFull
pandoc pandoc


@ -3,12 +3,16 @@
lib, lib,
... ...
}: { }: {
environment.systemPackages = with pkgs; [
virt-manager
];
virtualisation = { virtualisation = {
libvirtd.enable = true; libvirtd = {
enable = true;
qemu = {
swtpm.enable = true;
vhostUserPackages = [ pkgs.virtiofsd ];
};
};
spiceUSBRedirection.enable = true; spiceUSBRedirection.enable = true;
}; };
programs.virt-manager.enable = true;
} }


@ -37,6 +37,7 @@
meta = with lib; { meta = with lib; {
platforms = platforms.all; platforms = platforms.all;
mainProgram = "rofirefox";
}; };
} }

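--- a/terraform/.envrc
+++ b/terraform/.envrc
@@ -0,0 +1 @@
+use flake ../#opentofu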

42
terraform/.gitignore vendored Normal file

@ -0,0 +1,42 @@
# Local .terraform directories
**/.terraform/*
# .tfstate files
*.tfstate
*.tfstate.*
# Crash log files
crash.log
crash.*.log
# Exclude all .tfvars files, which are likely to contain sensitive data, such as
# password, private keys, and other secrets. These should not be part of version
# control as they are data points which are potentially sensitive and subject
# to change depending on the environment.
*.tfvars
*.tfvars.json
# Ignore override files as they are usually used to override resources locally and so
# are not checked in
override.tf
override.tofu
override.tf.json
override.tofu.json
*_override.tf
*_override.tofu
*_override.tf.json
*_override.tofu.json
# Ignore transient lock info files created by tofu apply
.terraform.tfstate.lock.info
# Include override files you do wish to add to version control using negated pattern
# !example_override.tf
# !example_override.tofu
# Include tfplan files to ignore the plan output of command: tofu plan -out=tfplan
# example: *tfplan*
# Ignore CLI configuration files
.terraformrc
terraform.rc

24
terraform/busch/.terraform.lock.hcl generated Normal file

@ -0,0 +1,24 @@
# This file is maintained automatically by "tofu init".
# Manual edits may be lost in future updates.
provider "registry.opentofu.org/telmate/proxmox" {
version = "3.0.2-rc07"
constraints = "3.0.2-rc07"
hashes = [
"h1:zp5hpQJQ4t4zROSLqdltVpBO+Riy9VugtfFbpyTw1aM=",
"zh:2ee860cd0a368b3eaa53f4a9ea46f16dab8a97929e813ea6ef55183f8112c2ca",
"zh:415965fd915bae2040d7f79e45f64d6e3ae61149c10114efeac1b34687d7296c",
"zh:6584b2055df0e32062561c615e3b6b2c291ca8c959440adda09ef3ec1e1436bd",
"zh:65dcfad71928e0a8dd9befc22524ed686be5020b0024dc5cca5184c7420eeb6b",
"zh:7253dc29bd265d33f2791ac4f779c5413f16720bb717de8e6c5fcb2c858648ea",
"zh:7ec8993da10a47606670f9f67cfd10719a7580641d11c7aa761121c4a2bd66fb",
"zh:999a3f7a9dcf517967fc537e6ec930a8172203642fb01b8e1f78f908373db210",
"zh:a50e6df7280eb6584a5fd2456e3f5b6df13b2ec8a7fa4605511e438e1863be42",
"zh:b25b329a1e42681c509d027fee0365414f0cc5062b65690cfc3386aab16132ae",
"zh:c028877fdb438ece48f7bc02b65bbae9ca7b7befbd260e519ccab6c0cbb39f26",
"zh:cf0eaa3ea9fcc6d62793637947f1b8d7c885b6ad74695ab47e134e4ff132190f",
"zh:d5ade3fae031cc629b7c512a7b60e46570f4c41665e88a595d7efd943dde5ab2",
"zh:f388c15ad1ecfc09e7361e3b98bae9b627a3a85f7b908c9f40650969c949901c",
"zh:f415cc6f735a3971faae6ac24034afdb9ee83373ef8de19a9631c187d5adc7db",
]
}

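--- a/terraform/busch/main.tf
+++ b/terraform/busch/main.tf
@@ -0,0 +1,46 @@
+terraform {
+required_providers {
+proxmox = {
+source = "telmate/proxmox"
+version = "3.0.2-rc07"
+}
+}
+}
+provider "proxmox" {
+pm_api_url = var.proxmox_api_url
+pm_api_token_id = var.proxmox_token_id
+pm_api_token_secret = var.proxmox_token_secret
+pm_tls_insecure = true
+}
+module "truenas" {
+source = "./modules/proxmox-vm"
+name = "truenas"
+target_node = "busch"
+vmid = 100
+memory = 8192
+cpu_cores = 2
+disk_storage = "local"
+disk_size = "32G"
+iso_path = "local:iso/TrueNAS-SCALE-25.10.2.1.iso"
+startup_order = 1
+mapped_pcie_devices = ["HBA"]
+}
+module "nixos-docker" {
+source = "./modules/proxmox-vm"
+name = "nixos-docker"
+target_node = "busch"
+vmid = 101
+memory = 4096
+cpu_cores = 2
+disk_storage = "truenas-lvm"
+disk_size = "64G"
+iso_path = "local:iso/latest-nixos-minimal-x86_64-linux.iso"
+startup_order = 2
+startup_delay = 240
+}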
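Review bot: `pm_tls_insecure = true` disables certificate verification toward the Proxmox API, so `var.proxmox_token_secret` is sent over a TLS session anyone on the path can terminate; trusting the node's certificate instead (a CA-signed or Let's Encrypt cert on busch, or its self-signed CA added to the machine running tofu, which the provider presumably honours via the system trust store) lets this become `false`. The modules pass `vmid = 100` and `memory = 8192` as numbers while the module's `variables.tf` declares them `string`; Terraform converts silently, but `type = number` on those variables matches the provider's attribute types and rejects typos. `module "nixos-docker"` places its disk on `truenas-lvm`, storage that exists only once the truenas VM (startup order 1) is up — `startup_delay = 240` covers that, and a comment saying the storage dependency is the reason would keep someone from "tidying" it away.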


@ -0,0 +1,66 @@
terraform {
required_providers {
proxmox = {
source = "telmate/proxmox"
version = "3.0.2-rc07"
}
}
}
resource "proxmox_vm_qemu" "truenas" {
name = var.name
description = var.description
target_node = var.target_node
vmid = var.vmid
machine = length(var.mapped_pcie_devices) == 0 ? "pc" : "q35"
memory = var.memory
balloon = 1024
scsihw = "virtio-scsi-pci"
boot = "order=scsi0;ide0"
start_at_node_boot = true
cpu {
cores = var.cpu_cores
sockets = 1
}
disks {
scsi {
scsi0 {
disk {
storage = var.disk_storage
size = var.disk_size
}
}
}
ide {
ide0 {
cdrom {
iso = var.iso_path
}
}
}
}
network {
id = 0
bridge = "vmbr0"
model = "virtio"
}
dynamic "pci" {
for_each = { for device in var.mapped_pcie_devices : index(var.mapped_pcie_devices, device) => device }
content {
id = pci.key
mapping_id = pci.value
pcie = true
}
}
startup_shutdown {
order = var.startup_order
startup_delay = var.startup_delay
}
}
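Review bot: The `for_each` in the `dynamic "pci"` block keys each entry by `index(var.mapped_pcie_devices, device)`, which returns the first match, so a list with a repeated mapping name yields duplicate keys and the plan fails with an unhelpful error; the index is already available from the comprehension, `for_each = { for i, device in var.mapped_pcie_devices : i => device }`. The resource label `truenas` on `proxmox_vm_qemu` is misleading inside a module that is also instantiated as `nixos-docker`; a neutral label such as `this` is the usual convention, though renaming it after an apply needs a `moved` block to avoid recreating the VM. `bridge = "vmbr0"` and `balloon = 1024` are fixed while everything around them is a variable; if that is intentional, a short comment on each saying so would stop the next reader from parameterising them.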


@ -0,0 +1,64 @@
variable "vmid" {
description = "ID of the VM to create"
type = string
}
variable "name" {
description = "Name of the VM to create"
type = string
}
variable "description" {
description = "Description of the VM to create"
type = string
default = null
nullable = true
}
variable "target_node" {
description = "Name of the target node to create the VM on"
type = string
}
variable "memory" {
description = "Memory to allocate for the VM"
type = string
}
variable "cpu_cores" {
description = "Number of CPU cores to allocate for the VM"
type = number
}
variable "disk_storage" {
description = "Name of the storage to store the disk on"
type = string
default = "local"
}
variable "disk_size" {
description = "Size of the primary disk"
type = string
}
variable "iso_path" {
description = "Path of the ISO to use to install an OS"
type = string
}
variable "startup_order" {
description = "Order number of the VM in the startup chain"
type = number
}
variable "startup_delay" {
description = "Startup delay in seconds"
type = number
default = -1
}
variable "mapped_pcie_devices" {
description = "PCI mappings"
type = list(string)
default = []
}
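Review bot: `vmid` is declared `type = string` although both callers pass a number literal and the provider presumably expects a number there; the same applies to `memory`. Declaring `type = number` on both makes a non-numeric value fail at validation instead of at the API call. The `description` of `mapped_pcie_devices` should say these are Proxmox resource mapping IDs, since each one ends up in `mapping_id`, and `startup_delay` should state what the `-1` default means, e.g. `description = "Startup delay in seconds; -1 leaves the provider default"` — assuming that is indeed how the provider treats it.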

BIN
terraform/busch/plan Normal file

Binary file not shown.


@ -0,0 +1,10 @@
variable "proxmox_api_url" {
description = "API URL, typically ends with `/api2/json`"
}
variable "proxmox_token_id" {
description = "Token ID"
}
variable "proxmox_token_secret" {
description = "Token Secret"
}
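Review bot: `proxmox_token_secret` is not marked `sensitive = true`, so its value is printed in plan and apply output and in any diff of the state; add `type = string` and `sensitive = true` to it, and `type = string` to the other two variables. Related: this commit also adds the binary `terraform/busch/plan`, and a saved Terraform plan stores the values of input variables, so that file very likely contains the token secret in recoverable form; it should be removed from the repository and the token rotated if the file was ever pushed. Marking the variable sensitive does not change what a plan file stores, so the rotation is needed regardless.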


@ -0,0 +1,23 @@
{
...
}: {
users = {
users = {
julius = {
initialPassword = "password";
isNormalUser = true;
uid = 1000;
group = "julius";
extraGroups = [ "wheel" ];
};
};
groups = {
julius = {
gid = 1000;
};
};
};
nix.settings.trusted-users = [ "julius" ];
}
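Review bot: `initialPassword = "password"` sets a publicly known credential on an account that is in `wheel` and in `nix.settings.trusted-users`; `initialPassword` is only applied when the user is first created, but nothing here ensures it is ever changed, and if the sshd configuration on the importing host permits password authentication the account is reachable remotely with it. Prefer `hashedPasswordFile` pointing at a secret file managed outside the repository, or at least `hashedPassword` with a real hash; if this file is meant only for the first boot of a VM, a comment saying so and naming the step that replaces the password would document the intent. The path of this new file is not shown on the page, so I cannot tell which hosts import it.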


@ -6,7 +6,7 @@
}: { }: {
users.users.julius = { users.users.julius = {
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" "networkmanager" "docker" "libvirtd" ]; extraGroups = [ "wheel" "networkmanager" "docker" "libvirtd" "kvm" ];
shell = pkgs.zsh; shell = pkgs.zsh;
}; };

13
users/nixremote.nix Normal file

@ -0,0 +1,13 @@
{
...
}: {
users.users = {
nixremote = {
isNormalUser = true;
uid = 1100;
group = "users";
};
};
nix.settings.trusted-users = [ "nixremote" ];
}
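Review bot: `nix.settings.trusted-users = [ "nixremote" ]` lets this account pass arbitrary daemon settings (substituters, sandbox options) and import unsigned store paths, which is close to root on this host, yet the file gives it no SSH key or forced command, so the login path is presumably configured elsewhere. If trust is needed only so a coordinating host can push unsigned paths for remote builds, say so in a comment, e.g. `# trusted so the build coordinator can copy unsigned derivation inputs`, and restrict the key in `openssh.authorizedKeys.keys` to the nix serve protocol with a `command=` option so the trust is not usable from an interactive shell. Otherwise drop the entry and keep `nixremote` an ordinary user.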