Many many changes

This commit is contained in:
niten 2024-05-21 23:16:02 -07:00
parent 893b7e812e
commit 8e184394f2
31 changed files with 7463 additions and 1443 deletions


@ -14,7 +14,8 @@ let
domain = config.fudo.domains."${localDomain}";
authentikHost = "legatus";
authentikImage = "ghcr.io/goauthentik/server:2023.10.7";
authentikVersion = "2024.2.3";
authentikImage = "ghcr.io/goauthentik/server:${authentikVersion}";
primaryNameserver = "germany";
@ -87,7 +88,7 @@ in {
ldapBindPwFile = domainSecrets."ldap-bind.passwd";
saslDomain = "FUDO.ORG";
authentikOutpostToken = domainSecrets."authentik-ldap.token";
inherit servedDomains;
inherit servedDomains authentikVersion;
dkimRecord = ''
mail._domainkey IN TXT ( "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwoCgHwsfuu0lhj9Ayj4ntoy0bdcGBNsV46qoKbd8E8FKsJF5rL4EoytwXEFcKJwT3E+o3/BsZGi9J5irtjlfIhnxnPlhVRS3R/834NDSQyuwGTxAfhPOklhA0cTYA+4x2oGwAuraz+On2REDeSymMccXFDsTugEHVvn6qaeqkJwIDAQAB" );'';
}))
@ -97,6 +98,8 @@ in {
systemd.services = { lemmy.after = [ "postgresql.service" ]; };
services = {
tailscale.enable = true;
immichContainer = mkIf (hostname == immichHost) {
enable = true;
images = let immichVersion = "v1.94.1";
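Review bot: Deriving `authentikImage` from `authentikVersion` keeps the server and the ldap-proxy image in lock-step, but both still name the registry image by a mutable tag; a tag can be re-pushed upstream, so what the host actually runs can change with no change in this repository. If deployments are meant to be reproducible, pin the digest next to the tag, e.g. `authentikImage = "ghcr.io/goauthentik/server:${authentikVersion}@sha256:<digest-placeholder>";`, and do the same for the `ghcr.io/goauthentik/ldap` image in the mail-server file and the immich images in the sea site config. The enclosing `let` block starts outside the hunk.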


@ -1,6 +1,6 @@
{ primaryMailserver, primaryDomain, authentikServer, servedDomains, ldapBase
, ldapBindDn, ldapBindPwFile, dkimRecord, saslDomain, authentikOutpostToken, ...
}:
, ldapBindDn, ldapBindPwFile, dkimRecord, saslDomain, authentikOutpostToken
, authentikVersion, ... }:
{ config, lib, pkgs, ... }:
@ -94,6 +94,7 @@ in {
bind-dn = ldapBindDn;
bind-password-file = ldapBindPwFile;
};
images.ldap-proxy = "ghcr.io/goauthentik/ldap:${authentikVersion}";
aliases = let admins = config.instance.local-admins;
in {
alias-users = {


@ -6,6 +6,7 @@ let
hostSecrets = config.fudo.secrets.host-secrets."${hostname}";
domainName = "sea.fudo.org";
domainSecrets = config.fudo.secrets.files.domain-secrets."${domainName}";
frigateExternalHost = "sea-cam.fudo.link";
frigateHost = "zbox";
@ -14,7 +15,11 @@ let
pkgs.lib.passwd.stablerandom-passwd-file "frigate-mqtt-passwd"
config.instance.build-seed;
immichHost = "toothless";
immichHost = "cartus";
immichMlHost = "toothless";
immichVersion = "v1.105.1";
mabelHost = "zbox";
in {
imports = [ ./sea.fudo.org/8bitdo.nix ];
@ -22,6 +27,18 @@ in {
config = {
fudo = {
services = {
mabel = {
enable = true;
verbose = true;
mabel-host = mabelHost;
matrix = {
domain = "fudo.im";
username = "mabel";
token-file = domainSecrets."mabel-matrix.token";
channel = "#thecitadel:fudo.im";
};
};
metrics = {
private-network = true;
grafana.oauth = {
@ -39,37 +56,53 @@ in {
acl = [ "frigate/#" ];
};
};
zones."sea.fudo.org".aliases = {
zones."${domainName}".aliases = {
chat = "nostromo";
frigate = "zbox";
immich = immichHost;
immich-ml = immichMlHost;
};
};
services = {
tailscale.enable = true;
immichContainer = mkIf (hostname == immichHost) {
enable = true;
images = let immichVersion = "v1.94.1";
images = let pgVectoVersion = "v0.2.1";
in {
immich = "ghcr.io/immich-app/immich-server:${immichVersion}";
immich-ml =
"ghcr.io/immich-app/immich-machine-learning:${immichVersion}";
redis = "redis:6.2-alpine";
postgresql = "tensorchord/pgvecto-rs:pg14-v0.1.11";
postgresql = "tensorchord/pgvecto-rs:pg14-${pgVectoVersion}";
};
};
nginx = mkIf (hostname == immichHost) {
immichMlContainer = mkIf (hostname == immichMlHost) {
enable = true;
hostnames = [ "immich-ml.${domainName}" "immich-ml.fudo.ninja" ];
port = 3923;
immich-version = immichVersion;
};
nginx = {
enable = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts."immich.${domainName}".locations."/" = {
proxyPass = "http://${immichHost}.${domainName}:${
virtualHosts = {
"immich.${domainName}".locations."/" = mkIf (hostname == immichHost) {
proxyPass = "http://127.0.0.1:${
toString config.services.immichContainer.port
}/";
recommendedProxySettings = true;
};
"pics.fudo.ninja".locations."/" = mkIf (hostname == immichHost) {
proxyPass = "http://127.0.0.1:${
toString config.services.immichContainer.port
}/";
recommendedProxySettings = true;
};
};
};
frigateContainer = mkIf (config.instance.hostname == frigateHost) {
@ -82,13 +115,13 @@ in {
default = cam == "cam-driveway";
streams = {
low =
"rtsp://frigate:{FRIGATE_RTSP_PASSWORD}@${cam}.sea.fudo.org:554/cam/realmonitor?channel=1&subtype=0";
"rtsp://frigate:{FRIGATE_RTSP_PASSWORD}@${cam}.${domainName}:554/cam/realmonitor?channel=1&subtype=0";
high =
"rtsp://frigate:{FRIGATE_RTSP_PASSWORD}@${cam}.sea.fudo.org:554/cam/realmonitor?channel=1&subtype=0";
"rtsp://frigate:{FRIGATE_RTSP_PASSWORD}@${cam}.${domainName}:554/cam/realmonitor?channel=1&subtype=0";
};
});
camera-password-file =
config.fudo.secrets.files.domain-secrets."sea.fudo.org".seattle-camera-password;
config.fudo.secrets.files.domain-secrets."${domainName}".seattle-camera-password;
mqtt = {
host = config.fudo.services.mqtt.mqtt-hostname;
port = config.fudo.services.mqtt.private.port;
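Review bot: `nginx = {` with an unconditional `enable = true;` replaces the old `nginx = mkIf (hostname == immichHost)` gate, and the `mkIf` now sits on the `locations."/"` values; if I read the module types right, `attrsOf` drops a `mkIf false` location but not the enclosing vhost, so every host at this site now runs nginx and answers for `immich.${domainName}` and `pics.fudo.ninja` with an empty server block. Lifting the gate one level keeps the intent: `"immich.${domainName}" = mkIf (hostname == immichHost) { locations."/" = { ... }; };`, and likewise for `pics.fudo.ninja`. Neither vhost shows `forceSSL`/`enableACME` in this hunk; if `pics.fudo.ninja` is the externally reachable name, confirm TLS is configured for it elsewhere. The enclosing `config` block starts and ends outside the hunk.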


@ -0,0 +1,73 @@
{ config, lib, pkgs, ... }:
{
system.stateVersion = "23.11";
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
initrd = {
availableKernelModules =
[ "xhci_pci" "ahci" "usbhid" "sd_mod" "rtsx_usb_sdmmc" ];
kernelModules = [ ];
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
fileSystems = {
"/" = {
device = "cartus-root";
fsType = "tmpfs";
options = [ "mode=755" "noexec" ];
};
"/boot" = {
device = "/dev/disk/by-label/CARTUS-BOOT";
fsType = "vfat";
options = [ "noexec" "noatime" ];
};
"/state" = {
device = "/dev/disk/by-label/cartus-data";
fsType = "btrfs";
options = [ "noatime" "compress=zstd" "noexec" "subvol=@state" ];
};
"/nix" = {
device = "/dev/disk/by-label/cartus-data";
fsType = "btrfs";
options = [ "noatime" "compress=zstd" "subvol=@nix" ];
};
"/var/log" = {
device = "/dev/disk/by-label/cartus-data";
fsType = "btrfs";
options = [ "noatime" "compress=zstd" "noexec" "subvol=@log" ];
};
"/var/lib/tailscale" = {
device = "/dev/disk/by-label/cartus-data";
fsType = "btrfs";
options = [ "noatime" "compress=zstd" "noexec" "subvol=@tailscale" ];
};
"/var/lib/containers" = {
device = "/dev/disk/by-label/cartus-data";
fsType = "btrfs";
options = [ "noatime" "compress=zstd" "noexec" "subvol=@containers" ];
};
};
hardware = {
bluetooth.enable = false;
cpu.intel.updateMicrocode = true;
};
services.xserver.videoDrivers = [ "intel" ];
nix.settings.max-jobs = lib.mkDefault 4;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
}
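Review bot: `/var/lib/containers` is mounted `noexec`; podman keeps container root filesystems in its overlay storage there, and whether executables inside containers still run depends on how the overlay mount inherits that flag, so it is worth verifying with a trivial container on the host before relying on it (toothless gets the same mount in this commit). The `/var/lib/tailscale` subvolume block is also pasted into nine hardware files with only the device label changing, and the option lists already differ in order between hosts; a small helper taking the label would keep them from drifting. Leaving `/nix` without `noexec` is correct.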


@ -89,6 +89,12 @@ in {
options = [ "subvol=@container-data" "noatime" "compress=zstd" "noexec" ];
};
"/var/lib/tailscale" = {
device = "/dev/disk/by-label/germany-data";
fsType = "btrfs";
options = [ "subvol=@tailscale" "noatime" "compress=zstd" "noexec" ];
};
## BROKEN!
# "/store" = {
# device = lib.concatStringsSep ":" [


@ -53,6 +53,12 @@
fsType = "btrfs";
options = [ "subvol=@log" "noatime" "compress=zstd" "noexec" ];
};
"/var/lib/tailscale" = {
device = "/dev/disk/by-label/jazz-data";
fsType = "btrfs";
options = [ "noatime" "compress=zstd" "noexec" "subvol=@tailscale" ];
};
};
swapDevices = [{ device = "/dev/disk/by-label/jazz-swap"; }];


@ -71,6 +71,12 @@ in {
fsType = "btrfs";
options = [ "noatime" "compress=zstd" "noexec" "subvol=@log" ];
};
"/var/lib/tailscale" = {
device = "/dev/mapper/lambda-unlocked";
fsType = "btrfs";
options = [ "noatime" "compress=zstd" "noexec" "subvol=@tailscale" ];
};
};
swapDevices = [{


@ -58,12 +58,11 @@ with lib; {
options = [ "subvol=@container-data" "noatime" "compress=zstd" "noexec" ];
};
# "/var/lib/acme" = {
# device = "/dev/disk/by-label/system";
# fsType = "btrfs";
# options =
# [ "subvol=@acme" "compress=zstd" "noatime" "nodiratime" "noexec" ];
# };
"/var/lib/tailscale" = {
device = "/dev/disk/by-label/legatus-data";
fsType = "btrfs";
options = [ "subvol=@tailscale" "noatime" "compress=zstd" "noexec" ];
};
};
swapDevices = [{ device = "/dev/disk/by-label/legatus-swap"; }];


@ -67,6 +67,12 @@ in {
fsType = "btrfs";
options = [ "subvol=@home" "compress=zstd" "noatime" ];
};
"/var/lib/tailscale" = {
device = "/dev/disk/by-label/system3-data";
fsType = "btrfs";
options = [ "noatime" "compress=zstd" "noexec" "subvol=@tailscale" ];
};
};
swapDevices = [{ device = "/dev/disk/by-label/system3-swap"; }];


@ -53,6 +53,18 @@
fsType = "btrfs";
options = [ "subvol=@log" "noatime" "compress=zstd" "noexec" ];
};
"/var/lib/tailscale" = {
device = "/dev/disk/by-label/toothless-data";
fsType = "btrfs";
options = [ "noatime" "compress=zstd" "noexec" "subvol=@tailscale" ];
};
"/var/lib/containers" = {
device = "/dev/disk/by-label/toothless-data";
fsType = "btrfs";
options = [ "noatime" "compress=zstd" "noexec" "subvol=@containers" ];
};
};
swapDevices = [{ device = "/dev/disk/by-label/toothless-swap"; }];
@ -66,7 +78,7 @@
useDHCP = false;
macvlans = {
intif0 = {
interface = "enp42s0";
interface = "enp6s0";
mode = "bridge";
};
};


@ -66,6 +66,12 @@ with lib; {
options =
[ "subvol=@var" "compress=zstd" "noatime" "nodiratime" "noexec" ];
};
"/var/lib/tailscale" = {
device = "/dev/disk/by-label/wormhole0-data";
fsType = "btrfs";
options = [ "noatime" "compress=zstd" "noexec" "subvol=@tailscale" ];
};
};
swapDevices = [{ device = "/dev/disk/by-label/wormhole0-swap"; }];


@ -60,6 +60,12 @@
fsType = "btrfs";
options = [ "noatime" "compress=zstd" "noexec" ];
};
"/var/lib/tailscale" = {
device = "/dev/disk/by-label/zbox-data";
fsType = "btrfs";
options = [ "noatime" "compress=zstd" "noexec" "subvol=@tailscale" ];
};
};
swapDevices = [{ device = "/dev/disk/by-label/zbox-swap"; }];


@ -0,0 +1,44 @@
{ config, lib, pkgs, ... }:
with lib;
let
stateDir = "/state";
hostname = "cartus";
siteName = config.fudo.hosts."${hostname}".site;
in {
config = {
networking = {
interfaces.enp3s0 = {
ipv4.addresses = [{
address = pkgs.lib.getHostIpv4 hostname;
prefixLength = pkgs.lib.getSiteV4PrefixLength siteName;
}];
};
firewall.enable = false;
defaultGateway = {
address = pkgs.lib.getSiteGatewayV4 siteName;
interface = "enp3s0";
};
};
virtualisation = {
arion.backend = "podman-socket";
podman = {
enable = true;
autoPrune.enable = true;
dockerSocket.enable = true;
dockerCompat = true;
defaultNetwork.settings = {
dns_enabled = true;
network_dns_servers = [ "1.1.1.1" "8.8.4.4" ];
};
};
};
services.immichContainer = {
state-directory = "/state/immich/state";
store-directory = "/state/immich/store";
};
};
}
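Review bot: `firewall.enable = false;` on the new host leaves every listener reachable from the LAN, including the ports podman publishes for the immich containers and whatever nginx binds now that the site config enables it unconditionally; a host that only needs to expose the reverse proxy is safer with the firewall on and `allowedTCPPorts = [ 80 443 ];`. Whether the firewall is deliberately off site-wide I cannot tell from here — other host files in this commit do the same. Separately, `stateDir = "/state";` is bound and never used while the immich paths spell it out; `state-directory = "${stateDir}/immich/state";` keeps them in sync.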


@ -14,6 +14,7 @@ let
in {
config = {
networking = {
enableIPv6 = true;
interfaces = {
enp1s0.useDHCP = true;
intif0 = {
@ -31,7 +32,6 @@ in {
};
};
};
enableIPv6 = false;
firewall = {
# Until it becomes the gateway, this is necessary
@ -40,7 +40,9 @@ in {
allowedUDPPorts = [ 25565 34197 ];
};
nat.forwardPorts = [
nat = {
enableIPv6 = true;
forwardPorts = [
# Minecraft
{
destination = "10.0.0.12:25555";
@ -60,6 +62,7 @@ in {
}
];
};
};
virtualisation = {
podman = {


@ -142,17 +142,6 @@ in {
};
auth.kerberos.state-directory = "/state/services/heimdal-kdc";
# wireguard-gateway = {
# enable = true;
# network = "10.0.200.0/24";
# peers = {
# niten-phone = {
# public-key = "";
# assigned-ip = "10.0.200.2";
# };
# };
# };
};
};


@ -80,26 +80,26 @@ in {
fudo = let host-secrets = config.fudo.secrets.host-secrets."${hostname}";
in {
secrets.host-secrets.${hostname} = {
pricebot-auth-token = {
source-file =
config.fudo.secrets.files.service-secrets.nostromo."pricebot-auth.token";
target-file = "/run/services/pricebot/auth.token";
user = "root";
};
};
# secrets.host-secrets.${hostname} = {
# pricebot-auth-token = {
# source-file =
# config.fudo.secrets.files.service-secrets.nostromo."pricebot-auth.token";
# target-file = "/run/services/pricebot/auth.token";
# user = "root";
# };
# };
pricebot = {
enable = true;
mattermost-url = "https://chat.fudo.org";
mattermost-auth-token-file = host-secrets.pricebot-auth-token.target-file;
monitors = {
btc = {
mattermost-channel-id = "f7iem9t3qbbczjyuq4waj1s3ua";
notify-user = "niten";
};
};
};
# pricebot = {
# enable = true;
# mattermost-url = "https://chat.fudo.org";
# mattermost-auth-token-file = host-secrets.pricebot-auth-token.target-file;
# monitors = {
# btc = {
# mattermost-channel-id = "f7iem9t3qbbczjyuq4waj1s3ua";
# notify-user = "niten";
# };
# };
# };
services = {
logging.loki.state-directory = "/state/services/loki";
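Review bot: With the `pricebot` block commented out, the `let host-secrets = config.fudo.secrets.host-secrets."${hostname}"` binding on the first line of the hunk is referenced only from commented lines and is now dead. Either drop the binding, or drop the commented block as well and rely on git history, since a disabled secret definition with a fixed token path tends to rot unnoticed. The enclosing `fudo` attribute set continues past the hunk.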


@ -1,45 +1,27 @@
{ config, lib, pkgs, ... }:
with lib;
let state-dir = "/state";
let stateDir = "/state";
hostname = ""
primaryIp = pkgs.lib.getHostIpv4 ""
in {
config = {
networking = {
interfaces.enp3s0 = {
ipv4.addresses = [{
address = primaryIp;
prefixLength = pkgs.lib.getHostIpv4 hostname;
}];
};
firewall.enable = false;
defaultGateway = {
};
};
fudo = {
slynk.enable = true;
wallfly.location = "office";
};
networking = {
interfaces = { intif0.useDHCP = true; };
firewall.enable = false;
};
i18n.inputMethod = {
#enabled = "fcitx5";
#fcitx5.addons = with pkgs; [ fcitx5-chinese-addons fcitx5-rime ];
};
systemd.tmpfiles.rules = [
"d ${state-dir}/lib/cups 755 root root - -"
"d ${state-dir}/services/yggdrasil 700 root root - -"
];
fileSystems = {
"/var/lib/cups" = {
device = "${state-dir}/lib/cups";
options = [ "bind" ];
};
# "/var/lib/private/yggdrasil" = {
# device = "${state-dir}/services/yggdrasil";
# options = [ "bind" ];
# };
};
services = {
yggdrasil = {
enable = true;
persistentKeys = true;
group = "wheel";
wallfly.location = "family_room";
};
};
}
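Review bot: The new `let` block is not valid Nix: `hostname = ""` and `primaryIp = pkgs.lib.getHostIpv4 ""` lack the terminating `;`, and both the hostname and the lookup argument are empty strings, so this file cannot evaluate as written. `prefixLength = pkgs.lib.getHostIpv4 hostname;` also assigns an address where a prefix length belongs, and `defaultGateway = { };` is empty; the new cartus site file in this commit shows the intended shape (`siteName` from `config.fudo.hosts`, `getSiteV4PrefixLength`, `getSiteGatewayV4`). If this host is not ready, keep the file out of the build rather than commit a placeholder. Which `fudo`/`services` lines survive at the bottom of the file is not recoverable from this rendering.
```nix
let
  stateDir = "/state";
  hostname = "<HOSTNAME-PLACEHOLDER>"; # this file does not yet name the host
  siteName = config.fudo.hosts."${hostname}".site;
  primaryIp = pkgs.lib.getHostIpv4 hostname;
in {
  config = {
    networking = {
      interfaces.enp3s0 = {
        ipv4.addresses = [{
          address = primaryIp;
          prefixLength = pkgs.lib.getSiteV4PrefixLength siteName;
        }];
      };
      firewall.enable = false;
      defaultGateway = {
        address = pkgs.lib.getSiteGatewayV4 siteName;
        interface = "enp3s0";
      };
    };
    # … unchanged: fudo / services settings …
```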


@ -6,66 +6,10 @@ let
inherit (config.instance) hostname;
vmConfig = { pkgs, lib, ... }: {
config = {
containers.tester = {
autoStart = true;
# localAddress = "10.0.0.14";
additionalCapabilities = [ "CAP_NET_ADMIN" ];
# privateNetwork = true;
macvlans = [ "enp7s0" ];
#hostBridge = "tester0";
#hostAddress = "10.0.0.14";
#privateNetwork = true;
config = {
imports = [ pkgs.moduleRegistry.authoritativeDns ];
services.openssh.enable = true;
users = let groupName = config.users.users.niten.group;
in {
users.niten = config.users.users.niten;
groups."${groupName}" = config.users.groups."${groupName}";
};
services.authoritative-dns = {
enable = true;
identity = "ns.sea.fudo.org";
listen-ips = [ "10.0.0.14" ];
state-directory = "/var/lib/nsd";
timestamp = toString config.instance.build-timestamp;
domains = {
"sea.fudo.org" = { zone = config.fudo.zones."sea.fudo.org"; };
};
};
networking = {
defaultGateway = pkgs.lib.getHostGatewayV4 hostname;
firewall = {
enable = true;
allowedTCPPorts = [ 22 53 ];
allowedUDPPorts = [ 53 ];
};
# interfaces.eth0 = {
# ipv4.addresses = [{
# address = "10.0.0.14";
# prefixLength = 24;
# }];
# };
interfaces.mv-enp7s0.ipv4.addresses = [{
address = "10.0.0.14";
prefixLength = 24;
}];
};
};
};
};
};
in {
imports = [ vmConfig ];
config = {
fudo = {
slynk.enable = true;
wallfly.location = "office";


@ -29,10 +29,7 @@ in {
'';
services = {
immichContainer = {
state-directory = "/state/immich/state";
store-directory = "/state/immich/store";
};
immichMlContainer.state-directory = "/state/immich/ml-cache";
};
fudo = {
@ -79,12 +76,26 @@ in {
};
};
hardware = {
nvidia = {
nvidiaSettings = true;
package = config.boot.kernelPackages.nvidiaPackages.production;
};
opengl = {
enable = true;
driSupport32Bit = true;
};
};
services.xserver.videoDrivers = [ "nvidia" ];
virtualisation = {
podman = {
enable = true;
autoPrune.enable = true;
dockerSocket.enable = true;
dockerCompat = true;
enableNvidia = true;
defaultNetwork.settings = {
dns_enabled = true;
network_dns_servers = [ "1.1.1.1" "8.8.4.4" ];


@ -0,0 +1,29 @@
{ config, lib, pkgs, ... }:
{
config = {
virtualisation.arion.projects.immich-ml.settings = let
image = { ... }: {
project.name = "immich-ml";
services = {
immich-ml = {
service = {
image =
"ghcr.io/immich-app/immich-machine-learning:${immichVersion}-cuda";
restart = "always";
ports = [ "${toString cfg.port}:3003" ];
volumes = [ "${cfg.state-directory}:/cache" ];
};
};
};
rawConfig = {
deploy.resources.reservations.devices = [{
driver = "nvidia";
count = 1;
capabilities = [ "gpu" ];
}];
};
};
in { imports = [ image ]; };
};
}
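Review bot: `cfg` and `immichVersion` are referenced but never bound in this new file — the header is a plain `{ config, lib, pkgs, ... }:` with no `let` — so importing it fails at evaluation; if it is a draft that the `immich-ml-container` flake input has superseded, delete it rather than ship an un-evaluable module. The port mapping `"${toString cfg.port}:3003"` carries no host address and therefore publishes the inference service on every interface; if it is only meant to be reached through the local nginx vhost, bind it as `"127.0.0.1:${toString cfg.port}:3003"`. The site config also advertises `immich-ml.fudo.ninja` for this service, so check that whatever fronts the port authenticates callers — I cannot see that from here.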


@ -164,6 +164,13 @@ in {
};
};
"home.sea.fudo.ninja" = {
locations."/" = {
proxyPass = "http://localhost:${toString homeAssistantPort}";
proxyWebsockets = true;
};
};
"node-red.sea.fudo.org" = {
locations."/" = {
proxyPass = "http://localhost:${toString nodeRedPort}";
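Review bot: The new `home.sea.fudo.ninja` vhost proxies Home Assistant the same way as the existing entry, but nothing in the hunk sets `forceSSL`/`enableACME`; if the `.ninja` name is the externally reachable one, logins cross the wire in the clear unless TLS is configured in the outer block. Home Assistant also rejects proxied requests unless its `http.trusted_proxies` includes this nginx and `use_x_forwarded_for` is on — presumably already true for the existing vhost, but worth confirming for a second hostname. If both names should behave identically, `serverAliases = [ "home.sea.fudo.ninja" ];` on the existing vhost avoids the duplicated block. The enclosing `virtualHosts` set starts and ends outside the hunk.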


@ -78,12 +78,21 @@ in {
recommendedOptimisation = true;
recommendedProxySettings = true;
virtualHosts."frigate.sea.fudo.org" = {
virtualHosts = {
"frigate.sea.fudo.org" = {
locations."/" = {
proxyPass = "http://localhost:5000";
proxyWebsockets = true;
};
};
"cam.sea.fudo.ninja" = {
locations."/" = {
proxyPass = "http://localhost:5000";
proxyWebsockets = true;
};
};
};
};
};
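Review bot: `cam.sea.fudo.ninja` is a verbatim copy of the `frigate.sea.fudo.org` vhost, both proxying `http://localhost:5000`; Frigate releases that predate its built-in authentication serve that port unauthenticated, so if the `.ninja` name is reachable from outside, confirm the version in use or put an auth layer in front (`basicAuthFile` on the location is the minimum nginx offers). For the duplication, `serverAliases = [ "cam.sea.fudo.ninja" ];` on the existing vhost expresses the same intent in one line; the same copy pattern appears for `pics.fudo.ninja` and `home.sea.fudo.ninja` elsewhere in this commit. No `forceSSL`/`enableACME` is visible in this hunk — presumably set in the outer block.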


@ -33,18 +33,26 @@ in {
config = {
fudo = { hosts."${hostname}".local-networks = [ "::1/128" ]; };
system.autoUpgrade.enable = false;
system = {
autoUpgrade.enable = false;
# copySystemConfiguration = true;
};
nix = {
package = pkgs.nixFlakes;
extraOptions = ''
experimental-features = nix-command flakes
'';
optimise = {
automatic = true;
dates = [ "weekly" ];
};
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 7d";
options = "--delete-older-than 14d";
};
settings.auto-optimise-store = true;
};
hardware.enableAllFirmware = true;
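Review bot: `optimise.automatic = true` (a weekly hard-linking pass) and `settings.auto-optimise-store = true` (dedupe as paths are added) now both apply; they are not wrong together, but one is redundant and the timer does extra I/O for nothing, so pick one. The commented `copySystemConfiguration` line could simply be dropped rather than kept as a reminder. The enclosing `config` block continues past the hunk.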


@ -275,8 +275,6 @@ in {
imports = [ hostModule containerModule ];
config = mkIf cfg.enable {
systemd.tmpfiles.rules = [ "d ${cfg.state-directory} 700 root root - -" ];
fileSystems."/var/lib/nsd" = mkIf (isNull cfg.container) {
device = cfg.state-directory;
options = [ "bind" ];

103
config/service/mabel.nix Normal file

@ -0,0 +1,103 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.fudo.services.mabel;
hostname = config.instance.hostname;
isMqtt = config.fudo.services.mqtt.enable;
isMabel = hostname == cfg.mabel-host;
hostSecrets = config.fudo.secrets.host-secrets."${hostname}";
mqtt-password-file =
pkgs.lib.passwd.stablerandom-passwd-file "mabel-mqtt-passwd"
config.instance.build-seed;
in {
options.fudo.services.mabel = with types; {
enable = mkEnableOption "Enable Mabel camera monitor.";
verbose = mkEnableOption "Enable verbose output.";
mabel-host = mkOption {
type = str;
description = "Host on which to run Mabel.";
};
mqtt = {
username = mkOption {
type = str;
description = "User as which to connect to MQTT server.";
default = "mabel-bot";
};
};
matrix = {
domain = mkOption {
type = str;
description = "Matrix domain on which to connect.";
};
username = mkOption {
type = str;
description = "User as which to connect to Matrix.";
};
token-file = mkOption {
type = str;
description = "Authentication for connecting to Matrix.";
};
channel = mkOption {
type = str;
description = "Channel on which to send notifications.";
};
};
};
config = mkIf cfg.enable {
fudo = {
secrets.host-secrets."${hostname}" = {
mabel-mqtt-passwd = mkIf isMabel {
source-file = mqtt-password-file;
target-file = "/run/mabel-mqtt/passwd";
};
mabel-matrix-token = mkIf isMabel {
source-file = cfg.matrix.token-file;
target-file = "/run/mabel/matrix.token";
};
};
services.mqtt = mkIf isMqtt {
private = {
enable = true;
users."${cfg.mqtt.username}" = {
password-file = mqtt-password-file;
acl = [ "read frigate/#" ];
};
};
};
};
services.mabel = mkIf isMabel {
enable = true;
verbose = cfg.verbose;
mqtt = {
host = config.fudo.services.mqtt.mqtt-hostname;
port = config.fudo.services.mqtt.private.port;
username = cfg.mqtt.username;
password-file = hostSecrets.mabel-mqtt-passwd.target-file;
};
matrix = {
domain = cfg.matrix.domain;
username = cfg.matrix.username;
password-file = hostSecrets.mabel-matrix-token.target-file;
channel-alias = cfg.matrix.channel;
};
};
};
}
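Review bot: `mkEnableOption "Enable Mabel camera monitor."` renders as "Whether to enable Enable Mabel camera monitor.." because `mkEnableOption` prefixes "Whether to enable" and appends its own period; `mkEnableOption "Mabel camera monitor"` and `mkEnableOption "verbose output"` read correctly. The Matrix secret is declared as `token-file` but handed to the service as `matrix.password-file`; if the mabel module really takes a password file, the option name here misleads, and if it takes a token, check the service-side option name — I cannot see the mabel module. The two `host-secrets` entries set no `user`, so the copied files get whatever owner the secrets module defaults to; confirm that matches the account `services.mabel` runs as, otherwise it cannot read `/run/mabel/matrix.token`. Limiting the MQTT user to `read frigate/#` is the right scope.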


@ -12,18 +12,12 @@ let
site = config.fudo.sites."${siteName}";
hostNexusDomainList = host:
let
domainName = config.fudo.hosts."${host}".domain;
domain = config.fudo.domains."${domainName}";
siteName = config.fudo.hosts."${host}".site;
site = config.fudo.sites."${siteName}";
in unique (domain.nexus.domains ++ site.nexus.domains);
unique (domain.nexus.public-domains ++ site.nexus.public-domains
++ domain.nexus.private-domains ++ site.nexus.private-domains
++ domain.nexus.tailscale-domains ++ site.nexus.tailscale-domains);
isEmpty = lst: lst == [ ];
localNexusDomains = getAttrs (hostNexusDomainList hostname)
(listKeys config.fudo.nexus.domains);
isServer = let
servers = concatMap (domainOpts: domainOpts.servers)
(attrValues config.fudo.nexus.domains);
@ -140,7 +134,15 @@ in {
enable = enableClient;
inherit hostname;
verbose = true;
domains = unique (domain.nexus.domains ++ site.nexus.domains);
domains = let
genDomains = type: domains:
genAttrs (unique domains) (_: { inherit type; });
in (genDomains "public"
(domain.nexus.public-domains ++ site.nexus.public-domains))
// (genDomains "private"
(domain.nexus.private-domains ++ site.nexus.private-domains))
// (genDomains "tailscale"
(domain.nexus.tailscale-domains ++ site.nexus.tailscale-domains));
hmac-key-file = hostSecrets.nexus-key.target-file;
servers = let localDomains = hostNexusDomainList hostname;
in map ({ domain, alias, ... }: "${alias}.${domain}")
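Review bot: `hostNexusDomainList = host:` still takes a host, but with the per-host `domainName`/`domain`/`siteName`/`site` bindings removed it now reads the outer `domain` and `site` of the local host and ignores its argument, so a future call with another hostname silently returns the local domains; either drop the parameter or restore the `config.fudo.hosts."${host}"` lookups. In the client `domains` expression the three `genDomains` results are merged with `//`, which is right-biased: a name listed as both public and private (or tailscale) ends up typed only as the last one, so a public-by-intent domain can quietly become `tailscale`; if the lists are meant to be disjoint, an `assert` that they do not overlap would catch the misclassification at build time. The surrounding `let` block and the client block both extend beyond the hunk.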


@ -13,6 +13,7 @@
./service/lemmy.nix
./service/local-network.nix
./service/logging.nix
./service/mabel.nix
./service/mail-server.nix
./service/metrics.nix
./service/mqtt.nix


@ -14,29 +14,29 @@ in {
wallfly-presence.enable = true;
tattler = let snooper-host = "wormhole0";
in {
enable = true;
verbose = true;
event-topics = [ "suanni/events/motion" ];
inherit snooper-host;
};
# tattler = let snooper-host = "wormhole0";
# in {
# enable = true;
# verbose = true;
# event-topics = [ "suanni/events/motion" ];
# inherit snooper-host;
# };
suanni = let
listener = "nostromo";
objectifier = "nostromo";
in {
enable = true;
event-listener.host = listener;
objectifier.host = objectifier;
synology = {
host = "cargo.sea.fudo.org";
port = 5001;
username = "suanni";
password-file =
config.fudo.secrets.files.service-passwords."${listener}".suanni-synology;
};
};
# suanni = let
# listener = "nostromo";
# objectifier = "nostromo";
# in {
# enable = true;
# event-listener.host = listener;
# objectifier.host = objectifier;
# synology = {
# host = "cargo.sea.fudo.org";
# port = 5001;
# username = "suanni";
# password-file =
# config.fudo.secrets.files.service-passwords."${listener}".suanni-synology;
# };
# };
};
zones."sea.fudo.org" = {
@ -108,9 +108,15 @@ in {
];
after = [ config.fudo.secrets.secret-target ];
serviceConfig = {
ExecStartPre = "${pkgs.coreutils}/bin/test -f /etc/krb5.keytab";
ExecStartPre = pkgs.writeShellScript "await-keytab.sh" ''
while [ ! -f /etc/krb5.keytab ]; do
sleep 5
done
exit 0
'';
ExecStart = "${pkgs.coreutils}/bin/true";
TimeoutStartSec = "360";
Type = "oneshot";
RemainAfterExit = true;
Restart = "on-failure";
RestartSec = "2";
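Review bot: The `ExecStartPre` wait loop holds the unit in `activating` for up to `TimeoutStartSec = "360"` without saying why, so a missing keytab is only diagnosable as a start timeout; an `echo "waiting for /etc/krb5.keytab"` inside the loop and an `exit 1` after a bounded number of iterations make the failure visible in the journal. With the loop in place, the `Restart = "on-failure"`/`RestartSec = "2"` pair that used to retry the `test -f` is redundant, and older systemd versions refuse `Restart=` on a `Type=oneshot` unit — worth checking against the systemd in the pinned nixpkgs. The trailing `exit 0` is a no-op. The enclosing service definition starts outside the hunk; the commented-out `tattler`/`suanni` blocks in the first hunk would be better removed than kept.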

8089
flake.lock

File diff suppressed because it is too large Load Diff


@ -2,7 +2,8 @@
description = "Fudo Host Configuration";
inputs = {
nixpkgs.url = "git+https://fudo.dev/nix/nixpkgs.git";
nixpkgs.url =
"nixpkgs/nixos-23.11"; # "git+https://fudo.dev/nix/nixpkgs.git";
fudo-home = {
url = "git+https://fudo.dev/nix/home.git";
@ -11,31 +12,31 @@
};
# This MUST be a clean git repo, because we use the timestamp.
fudo-entities = {
url = "git+https://fudo.dev/nix/entities.git";
fudo-entities.url = "git+https://fudo.dev/nix/entities.git";
fudo-lib.url = "git+https://fudo.dev/nix/lib.git";
fudo-pkgs.url = "git+https://fudo.dev/nix/pkgs.git";
fudo-secrets = {
url = "path:/secrets";
inputs.nixpkgs.follows = "nixpkgs";
};
fudo-lib = { url = "git+https://fudo.dev/nix/lib.git"; };
# chute = {
# url = "git+https://fudo.dev/chute/chute.git?ref=stable";
# inputs.nixpkgs.follows = "nixpkgs";
# };
fudo-pkgs = { url = "git+https://fudo.dev/nix/pkgs.git"; };
# chuteUnstable = {
# url = "git+https://fudo.dev/chute/chute.git?ref=master";
# inputs.nixpkgs.follows = "nixpkgs";
# };
fudo-secrets.url = "path:/secrets";
chute = {
url = "git+https://fudo.dev/chute/chute.git?ref=stable";
inputs.nixpkgs.follows = "nixpkgs";
};
chuteUnstable = {
url = "git+https://fudo.dev/chute/chute.git?ref=master";
inputs.nixpkgs.follows = "nixpkgs";
};
pricebot = {
url = "git+https://fudo.dev/public/pricebot.git";
inputs.nixpkgs.follows = "nixpkgs";
};
# pricebot = {
# url = "git+https://fudo.dev/public/pricebot.git";
# inputs.nixpkgs.follows = "nixpkgs";
# };
nixpkgsUnstable.url = "nixpkgs/nixos-unstable";
@ -69,6 +70,11 @@
inputs.nixpkgs.follows = "nixpkgs";
};
mabel = {
url = "git+https://fudo.dev/public/mabel.git";
inputs.nixpkgs.follows = "nixpkgs";
};
arion = {
url = "github:hercules-ci/arion";
inputs.nixpkgs.follows = "nixpkgs";
@ -143,6 +149,14 @@
};
};
immich-ml-container = {
url = "git+https://fudo.dev/public/immich-ml-container.git";
inputs = {
arion.follows = "arion";
nixpkgs.follows = "nixpkgs";
};
};
authoritative-dns = {
url = "git+https://fudo.dev/public/authoritative-dns.git";
inputs.nixpkgs.follows = "nixpkgs";
@ -162,15 +176,17 @@
url = "git+https://git.informis.land/informis/textfiles.git";
flake = false;
};
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
};
outputs = { self, nixpkgs, fudo-home, fudo-lib, fudo-entities, fudo-pkgs
, fudo-secrets, chute, chuteUnstable, nixpkgsUnstable, pricebot, wallfly
, objectifier, nexus, suanni, snooper, tattler, lemmy-docker
, tesla-mate-container, mastodon-container, authentik-container
, nextcloud-container, textfiles, matrix-module, mail-server
, authoritative-dns, frigate-container, grafana-module, lemmy-container
, immich-container, ... }@inputs:
, fudo-secrets, nixpkgsUnstable, wallfly, objectifier, nexus, suanni
, snooper, tattler, lemmy-docker, tesla-mate-container, mastodon-container
, authentik-container, nextcloud-container, textfiles, matrix-module
, mail-server, authoritative-dns, frigate-container, grafana-module
, lemmy-container, immich-container, immich-ml-container, mabel
, nixos-hardware, ... }@inputs:
with nixpkgs.lib;
let
fudo-nixos-hosts = filterAttrs (hostname: hostOpts: hostOpts.nixos-system)
@ -208,7 +224,10 @@
chute = chute.packages.${arch}.chute;
chuteUnstable = chuteUnstable.packages.${arch}.chute;
})
(final: prev: { pkgsUnstable = unstable; })
(final: prev: {
pkgsUnstable = unstable;
inherit nixos-hardware;
})
(final: prev: {
signal-desktop = unstable.signal-desktop;
factorio-experimental = unstable.factorio-experimental;
@ -236,7 +255,7 @@
fudo-secrets.nixosModules.default
fudo-lib.nixosModules.default
fudo-entities.nixosModule
pricebot.nixosModules.default
# pricebot.nixosModules.default
wallfly.nixosModule
objectifier.nixosModules.default
suanni.nixosModules.default
@ -254,6 +273,8 @@
grafana-module.nixosModules.default
lemmy-container.nixosModules.default
immich-container.nixosModules.default
immich-ml-container.nixosModules.default
mabel.nixosModules.default
nexus.nixosModules.nexus-client
nexus.nixosModules.nexus-server
@ -265,6 +286,8 @@
(config-dir + "/profile-config/${hostOpts.profile}.nix")
(config-dir + "/domain-config/${hostOpts.domain}.nix")
(config-dir + "/site-config/${hostOpts.site}.nix")
(import ./hardware-modules.nix nixos-hardware.nixosModules hostname)
];
config = let pkgs = pkgs-for hostOpts.arch;
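Review bot: `nixpkgs.url = "nixpkgs/nixos-23.11"` is an indirect flake reference resolved through the flake registry, so which repository `nixpkgs` means now depends on the registry of the machine that runs `nix flake update`, not on this file; the explicit form `github:NixOS/nixpkgs/nixos-23.11` (or the `git+https://fudo.dev/...` mirror kept in the trailing comment) removes that dependency. `flake.lock` still pins the exact revision, so builds stay reproducible until the next update. `nixos-hardware` tracking `master` has the same update-time drift, acceptable if lock changes are reviewed. The `inputs` and `outputs` sets extend beyond these hunks.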

17
hardware-modules.nix Normal file

@ -0,0 +1,17 @@
hardwareModules: hostname:
{ ... }:
with hardwareModules;
{
imports = if (hostname == "system3") then [
common-cpu-amd
common-gpu-amd
common-pc-ssd
] else if (hostname == "jazz") then [
common-cpu-amd
common-gpu-amd
common-pc-ssd
] else
[ ];
}
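Review bot: The `system3` and `jazz` branches import the identical list, so the chain collapses to `imports = if builtins.elem hostname [ "system3" "jazz" ] then [ common-cpu-amd common-gpu-amd common-pc-ssd ] else [ ];`. A one-line header comment stating that `hardwareModules` is `nixos-hardware.nixosModules` (as the call in `flake.nix` passes it) would also help, since `with hardwareModules;` hides where `common-cpu-amd` and friends come from.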