emenel/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

server

Browse source
This commit is contained in:
Matt Nish-Lapidus 2025-04-13 14:46:32 -04:00
parent 375c19ff26
commit 23e3b9d76b
7 changed files with 136 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.sops.yaml
View file

@ -1,5 +1,6 @@
keys: keys:
- &emenel_eddie age10k8v6pfm3p7cmsgn6wu5ufpcquqgpvqh76l23xf326et55dacc0qlr8fe8 - &emenel_eddie age10k8v6pfm3p7cmsgn6wu5ufpcquqgpvqh76l23xf326et55dacc0qlr8fe8
- &root_services-nixos age1eg4u9d90r64a7gesg778cgx8pkcxkh4wjkddz299u6lelpc6yypsgza06c
creation_rules: creation_rules:
- path_regex: secrets.yaml$ - path_regex: secrets.yaml$
key_groups: key_groups:

12
flake.lock generated
View file

@ -90,11 +90,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1744535716, "lastModified": 1744564581,
"narHash": "sha256-GUYB6p5v1RlI9gpaqh2E0a0dxikhta5UqZpE4/IwuGQ=", "narHash": "sha256-3oYyf8uwhgjvHqa82QqYJJcdertKL/WGYM4cXREKE3o=",
"owner": "nix-community", "owner": "nix-community",
"repo": "emacs-overlay", "repo": "emacs-overlay",
"rev": "147f6b98f17b0d66866eb8923a6ae6fe9c23b65e", "rev": "1997c83d637f2ab52651826d90099e1e1561bab7",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -967,11 +967,11 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1744309437, "lastModified": 1744440957,
"narHash": "sha256-QZnNHM823am8apCqKSPdtnzPGTy2ZB4zIXOVoBp5+W0=", "narHash": "sha256-FHlSkNqFmPxPJvy+6fNLaNeWnF1lZSgqVCl/eWaJRc4=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "f9ebe33a928b5d529c895202263a5ce46bdf12f7", "rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d",
"type": "github" "type": "github"
}, },
"original": { "original": {

5
hosts/eddie/configuration.nix
View file

@ -346,6 +346,11 @@
]; ];
}; };
security.sudo = {
enable = true;
wheelNeedsPassword = false;
};
security.polkit.enable = true; security.polkit.enable = true;
security.rtkit.enable = true; security.rtkit.enable = true;
security.pam.services.swaylock = { }; security.pam.services.swaylock = { };

67
hosts/emenel-services/configuration.nix
View file

@ -2,19 +2,61 @@
imports = with nix-config.nixosModules; [ imports = with nix-config.nixosModules; [
./hardware-configuration.nix ./hardware-configuration.nix
./networking.nix # generated at runtime by nixos-infect
./disko-config.nix ./disko-config.nix
forgejo forgejo
]; ];
nixpkgs = {
config = {
allowUnfree = true;
};
overlays = builtins.attrValues nix-config.overlays ++ [
inputs.nh.overlays.default
];
};
nix = {
settings = {
experimental-features = [
"nix-command"
"flakes"
];
substituters = [
"https://nix-community.cachix.org"
"https://cache.garnix.io"
];
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
];
};
channel.enable = false; # remove nix-channel related tools & configs, we use flakes instead.
};
sops = {
age.keyFile = "/home/emenel/.config/sops/age/keys.txt"; # must have no password!
age.generateKey = true;
defaultSopsFile = ./secrets.yaml;
secrets = {
forgejo_emenel = {};
};
};
# Set your time zone.
time.timeZone = "America/Toronto";
# Select internationalisation properties.
i18n.defaultLocale = "en_CA.UTF-8";
boot.tmp.cleanOnBoot = true; boot.tmp.cleanOnBoot = true;
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
zramSwap.enable = true; zramSwap.enable = true;
networking.hostName = "services-nixos"; networking.hostName = "services-nixos";
networking.domain = ""; networking.domain = "";
networking.useDHCP = true;
services.openssh.enable = true; services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbzcaEyzlGJkDL8EMcVmrAWRlyYtilTjpIR2VGxkMHo'' ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvtBCUQEi7r6mXdaULEaMMvGH1IWZBX9tXpjbIECar2'' ];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
wget wget
@ -24,9 +66,9 @@
rsync rsync
gnupg gnupg
util-linux util-linux
git
]; ];
users.users.emenel = { users.users.emenel = {
openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbzcaEyzlGJkDL8EMcVmrAWRlyYtilTjpIR2VGxkMHo'' ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvtBCUQEi7r6mXdaULEaMMvGH1IWZBX9tXpjbIECar2'' ]; openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbzcaEyzlGJkDL8EMcVmrAWRlyYtilTjpIR2VGxkMHo'' ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvtBCUQEi7r6mXdaULEaMMvGH1IWZBX9tXpjbIECar2'' ];
@ -43,6 +85,25 @@
]; ];
}; };
security.sudo = {
enable = true;
wheelNeedsPassword = false;
};
programs.nh = {
enable = true;
clean = {
enable = true;
dates = "daily";
extraArgs = "--keep 4";
};
flake = "/home/emenel/source/nixos-config";
package = pkgs.nh;
};
system.stateVersion = "25.05"; # Did you read the comment? system.stateVersion = "25.05"; # Did you read the comment?

16
hosts/emenel-services/secrets.yaml Normal file
View file

@ -0,0 +1,16 @@
forgejo_emenel: ENC[AES256_GCM,data:MRVA7m6FK3wZR7cUVAUq+m7LutgRjyCyfrZ27AnUWstTTiTXX8XyjmF+o3aZZDTNSd8KGhYjLInkJ8Yfu50k+YEkQbbb5Icy,iv:HpV+6+fYndqEkOcXV1CsbVfwOBNy9jcXMjtZWs9+x0o=,tag:io0/0X6sTD0s2Hp8S1zEUQ==,type:str]
sops:
age:
- recipient: age10k8v6pfm3p7cmsgn6wu5ufpcquqgpvqh76l23xf326et55dacc0qlr8fe8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYU3V0dndPTnhpenhaQVYv
aDV2eVl4Ujd1MjRkZUtXY1Q5RW1laHhncWp3CnlEQTlZb3NhUEVuaVBHVWNzbTQv
QmZNWE90aWx3d21lWk4waFFobGEzUFEKLS0tIERLQXM3V0pRVkNEbFpCeU9nZ3lE
cjFEbnNkZ1pTeTVWaVZMem1hQkpaZTQKTVytdDtekDO9fTDSS5kYLFQv2UaBpOaw
4oaCbr4w7ipWImITphpQ0F5t6dxWSQ6cIpdXIf9eT3eVSVlBBC/wyw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-13T17:11:18Z"
mac: ENC[AES256_GCM,data:qIQl4PKsIRG7+3M/OSp1VhUfs/T/3ORSr9bt29T5BahCBElrfEa+t2QBizO4gPxFJzFJN/sMZBXuobLP4qyNaV3/ECQ1qiipUYPA4ocZZYd9vkb5HjkzlDDiFyOwflUmq6Nt4n6/g46L4KA5LF2W/STczskaGfkbRpS1OJA0MBo=,iv:VWj7+cRjrQIKJGhgvrXAe/rUFlx4ZCpF+O3H1O6t9zQ=,tag:8mTG8hK/zYKlxTxfKQkapQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.1

44
modules/system/forgejo.nix
View file

@ -9,7 +9,51 @@
server = { server = {
HTTP_PORT = 12345; HTTP_PORT = 12345;
}; };
service.DISABLE_REGISTRATION = true;
actions = {
ENABLED = true;
DEFAULT_ACTIONS_URL = "github";
};
# mailer = {
# ENABLED = true;
# SMTP_ADDR = "mail.example.com";
# FROM = "noreply@${srv.DOMAIN}";
# USER = "noreply@${srv.DOMAIN}";
# };
}; };
# mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
}; };
# gitea-actions-runner = {
# package = pkgs.forgejo-actions-runner;
# instances.default = {
# enable = true;
# name = "monolith";
# url = "https://git.example.com";
# # Obtaining the path to the runner token file may differ
# # tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd
# tokenFile = config.age.secrets.forgejo-runner-token.path;
# labels = [
# "ubuntu-latest:docker://node:16-bullseye"
# "ubuntu-22.04:docker://node:16-bullseye"
# "ubuntu-20.04:docker://node:16-bullseye"
# "ubuntu-18.04:docker://node:16-buster"
# ## optionally provide native execution on the host:
# # "native:host"
# ];
# };
# };
}; };
# sops.secrets.forgejo-admin-password.owner = "forgejo";
# systemd.services.forgejo.preStart = let
# adminCmd = "${lib.getExe pkgs.forgejo} admin user";
# pwd = config.sops.secrets.forgejo-admin-password;
# user = "emenel"; # Note, Forgejo doesn't allow creation of an account named "admin"
# in ''
# ${adminCmd} create --admin --email "root@localhost" --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
# ## uncomment this line to change an admin user which was already created
# # ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
# '';
} }

1
modules/system/sops-config.nix
View file

@ -41,6 +41,5 @@ password=${config.sops.placeholder.filez}
source = config.sops.templates."media-server-secrets".path; source = config.sops.templates."media-server-secrets".path;
}; };
}; };
}; };
} }