Bos55/nix-config
2
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

Sync

Browse source
This commit is contained in:
Tibo De Peuter 2024-11-10 20:15:47 +01:00
parent c1025627ae
commit cef3a949fe
Signed by: tdpeuter
GPG key ID: 38297DE43F75FFE2
40 changed files with 3401 additions and 158 deletions
Download patch file Download diff file Expand all files Collapse all files

41
hosts/ACE/default.nix Normal file
View file

@ -0,0 +1,41 @@
{ pkgs, ... }:
{
config = {
homelab = {
services.actions.enable = true;
virtualisation.guest.enable = true;
};
networking = {
hostName = "ACE";
hostId = "aaaa4100";
domain = "depeuter.dev";
useDHCP = false;
enableIPv6 = true;
defaultGateway = {
address = "192.168.0.1";
interface = "ens18";
};
interfaces.ens18 = {
ipv4.addresses = [
{
address = "192.168.0.41";
prefixLength = 24;
}
];
};
nameservers = [
"1.1.1.1" # Cloudflare
"1.0.0.1" # Cloudflare
];
};
system.stateVersion = "24.05";
};
}

81
hosts/Binnenpost/default.nix Normal file
View file

@ -0,0 +1,81 @@
{ pkgs, ... }:
{
config = {
environment = {
etc."nixos/tailscale-authkey".text = ''
tskey-auth-k1tfJLTnGB11CNTRL-HhnegtfNzQ3G8h71SC2DR38PFXwseQiu
'';
systemPackages = with pkgs; [
ethtool
];
};
homelab = {
apps = {
speedtest.enable = true;
technitiumDNS.enable = true;
};
virtualisation.guest.enable = true;
};
networking = {
hostName = "Binnenpost";
hostId = "aaaa1001";
domain = "depeuter.dev";
useDHCP = false;
enableIPv6 = true;
defaultGateway = {
address = "192.168.0.1";
interface = "ens18";
};
# Open ports in the firewall.
firewall = {
enable = true;
};
interfaces.ens18 = {
ipv4.addresses = [
{
address = "192.168.0.89";
prefixLength = 24;
}
];
};
nameservers = [
"1.1.1.1" # Cloudflare
"1.0.0.1" # Cloudflare
];
};
services = {
networkd-dispatcher = {
enable = true;
rules."50-tailscale" = {
onState = ["routable"];
script = ''
${pkgs.ethtool}/bin/ethtool -K ens18 rx-udp-gro-forwarding on rx-gro-list off
'';
};
};
tailscale = {
enable = true;
useRoutingFeatures = "server";
authKeyFile = "/etc/nixos/tailscale-authkey";
extraUpFlags = [
"--advertise-routes=192.168.0.0/24"
"--exit-node"
];
};
};
system.stateVersion = "24.05";
};
}

65
hosts/Development/default.nix Normal file
View file

@ -0,0 +1,65 @@
{ config, pkgs, lib, system, ... }:
{
config = {
homelab = {
apps.arr = {
qbittorrent.enable = true;
};
virtualisation.guest.enable = true;
};
networking = {
hostId = "aaaa9100";
domain = "roxanne.depeuter.dev";
useDHCP = false;
enableIPv6 = true;
defaultGateway = {
address = "192.168.0.1";
interface = "ens18";
};
# Open ports in the firewall.
firewall = {
enable = true;
};
interfaces.ens18 = {
ipv4.addresses = [
{
address = "192.168.0.91";
prefixLength = 24;
}
];
};
nameservers = [
"1.1.1.1" # Cloudflare
"1.0.0.1" # Cloudflare
];
};
system.stateVersion = "24.05";
virtualisation.oci-containers.containers = {
pgadmin = {
image = "dpage/pgadmin4:8.11.0";
ports = [
"30056:80/tcp"
];
environment = {
# NOTE Required
# The email address used when setting up the initial administrator account to login to pgAdmin.
PGADMIN_DEFAULT_EMAIL = "kmtl.hugo+pgadmin@gmail.com";
# NOTE Required
# The password used when setting up the initial administrator account to login to pgAdmin.
PGADMIN_DEFAULT_PASSWORD = "ChangeMe";
};
autoStart = true;
};
};
};
}

38
hosts/Gitea/default.nix Normal file
View file

@ -0,0 +1,38 @@
{ config, pkgs, lib, system, ... }:
{
config = {
homelab = {
apps.gitea.enable = true;
virtualisation.guest.enable = true;
};
networking = {
hostId = "aaaa1500";
domain = "depeuter.dev";
enableIPv6 = true;
useDHCP = false;
defaultGateway = {
address = "192.168.0.1";
interface = "ens18";
};
interfaces.ens18 = {
ipv4.addresses = [
{
address = "192.168.0.24";
prefixLength = 24;
}
];
};
nameservers = [
"1.1.1.1" # Cloudflare
"1.0.0.1" # Cloudflare
];
};
system.stateVersion = "24.05";
};
}

233
hosts/Ingress/default.nix Normal file
View file

@ -0,0 +1,233 @@
{ config, pkgs, modulesPath, lib, system, ... }:
{
config = {
homelab.virtualisation.guest.enable = true;
networking = {
hostName = "Ingress";
hostId = "aaaa1000";
domain = "depeuter.dev";
enableIPv6 = true;
useDHCP = false;
defaultGateway = {
address = "192.168.0.1";
interface = "ens18";
};
interfaces.ens18 = {
ipv4.addresses = [
{
address = "192.168.0.10";
prefixLength = 24;
}
];
};
nameservers = [
"1.1.1.1" # Cloudflare
"1.0.0.1" # Cloudflare
];
firewall = {
enable = true;
allowedTCPPorts = [
80 # HTTP
443 # HTTPS
];
};
};
security.acme = {
acceptTerms = true;
defaults = {
inherit (config.services.nginx) group;
dnsPropagationCheck = true;
dnsProvider = "cloudflare";
dnsResolver = "1.1.1.1:53";
email = "tibo.depeuter@telenet.be";
credentialFiles = {
CLOUDFLARE_DNS_API_TOKEN_FILE = "/var/lib/secrets/depeuter-dev-cloudflare-api-token";
};
reloadServices = [ "nginx" ];
};
certs = {
"depeuter.dev" = {
domain = "depeuter.dev";
extraDomainNames = [ "*.depeuter.dev" ];
};
"cloud.depeuter.dev" = { };
"git.depeuter.dev" = { };
"jelly.depeuter.dev" = { };
"vault.depeuter.dev" = { };
};
};
# List services that you want to enable.
services = {
# Enable Nginx as a reverse proxy
nginx = {
enable = true;
# Use recommended settings
# recommendedGzipSettings = true;
# recommendedOptimisation = true;
# recommendedProxySettings = true;
# recommendedTlsSettings = true;
# Only allow PFS-enabled ciphers with AES256
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
upstreams.docservice.servers."192.168.0.14:8080" = {};
appendHttpConfig = ''
map $http_x_forwarded_proto $the_scheme {
default $http_x_forwarded_proto;
"" $scheme;
}
map $http_x_forwarded_host $the_host {
default $http_x_forwarded_host;
"" $host;
}
map $http_upgrade $proxy_connection {
default upgrade;
"" close;
}
'';
# Define hosts
virtualHosts = {
# Disable automatic routing.
"default" = {
locations."/".return = "301 https://youtu.be/dQw4w9WgXcQ";
default = true;
};
"cloud.depeuter.dev" = {
enableACME = true;
forceSSL = true;
locations = {
"/" = {
proxyPass = "http://192.168.0.14";
extraConfig = ''
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
fastcgi_request_buffering off;
'';
};
"/office/" = {
proxyPass = "http://192.168.0.14:8080/";
priority = 500;
recommendedProxySettings = false;
extraConfig = ''
proxy_http_version 1.1;
'';
};
};
extraConfig = ''
client_max_body_size 10G;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Forwarded-Host $the_host/office;
proxy_set_header X-Forwarded-Proto $the_scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
'';
};
"calendar.depeuter.dev".locations."/".return = "301 https://cloud.depeuter.dev/apps/calendar";
"tasks.depeuter.dev".locations."/".return = "301 https://cloud.depeuter.dev/apps/tasks";
"notes.depeuter.dev".locations."/".return = "301 https://cloud.depeuter.dev/apps/notes";
"jelly.depeuter.dev" = {
enableACME = true;
forceSSL = true;
locations = {
"/" = {
proxyPass = "http://192.168.0.94:8096";
extraConfig = ''
# Proxy main Jellyfin traffic
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
'';
};
"/socket" = {
proxyPass = "http://192.168.0.91:8096";
extraConfig = ''
# Proxy Jellyfin Websockets traffic
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
'';
};
};
extraConfig = ''
client_max_body_size 20M;
# Security / XSS Mitigation Headers
# NOTE: X-Frame-Options may cause issues with the webOS app
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
# Permissions policy. May cause issues with some clients
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
# NOTE: The default CSP headers may cause issues with the webOS app
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
'';
};
"git.depeuter.dev" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://192.168.0.24:3000";
extraConfig = ''
proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
client_max_body_size 512M;
keepalive_timeout 600s;
proxy_buffers 4 256k; # Number and size of buffers for reading response
proxy_buffer_size 256k; # Buffer for the first part of the response
proxy_busy_buffers_size 256k; # Max size of busy buffers
proxy_http_version 1.1;
proxy_read_timeout 600s;
proxy_temp_file_write_size 256k; # Size of temp file for large responses
'';
};
"vault.depeuter.dev" = {
enableACME = true;
forceSSL = true;
locations = {
"/".proxyPass = "http://192.168.0.22:10102";
"~ ^/admin".return = 403;
};
};
};
};
};
system.stateVersion = "24.05";
};
}

32
hosts/Isabel/dashboard/config/bookmarks.yaml Normal file
View file

@ -0,0 +1,32 @@
- Office:
- Zoho Mail:
- icon: zohomail
href: https://mail.zoho.eu
- Network:
- Cloudlfare:
- icon: cloudflare
href: https://dash.cloudflare.com
- Pulsetic:
- href: https://status.depeuter.dev
icon: https://pulsetic.com/favicon-196x196.png
- Telenet Internet usage:
- icon: https://static.telenet.be/assets/favicon/favicon.ico
href: https://www2.telenet.be/nl/klantenservice/raadpleeg-je-internetverbruik/
- Telenet Modem:
- icon: https://static.telenet.be/assets/favicon/favicon.ico
# href: https://mijn.telenet.be/mijntelenet/rgw/settings.do?identifier=u381160&action=showAdvancedSettings
href: https://www2.telenet.be/residential/nl/mijn-telenet/je-thuisnetwerk#/mainnavitem=hgw/mainnavitemid=item-1/subnavitem=modem_general
- TransIP:
- icon: https://www.transip.eu/cache-60c9b25f/img/transip-new/favicons/favicon.png
href: https://www.transip.eu/cp/
- Homemade:
- AI-Transparency:
- href: https://ai-transparency.depeuter.dev
icon: https://ai-transparency.depeuter.dev/img/transparency.png
- Down-message:
- href: https://down.depeuter.dev
icon: https://down.depeuter.dev/assets/icon.jpg
- Portfolio:
- href: https://tibo.depeuter.dev
icon: https://tibo.depeuter.dev/assets/owl_circuit.png

30
hosts/Isabel/dashboard/config/services.yaml Normal file
View file

@ -0,0 +1,30 @@
- Networking:
- AXE5400 Tri-Band Wi-Fi 6E Router:
description: Router
href: https://tplinkwifi.net
ping: http://192.168.0.1
icon: tp-link
- Traefik Isabel:
description: Reverse proxy manager
href: https://traefik.isabel.depeuter.dev/dashboard/#
ping: https://traefik.isabel.depeuter.dev/dashboard/#
icon: traefik
widget:
type: traefik
url: https://traefik.isabel.depeuter.dev
- Traefik Niko:
description: Reverse proxy manager
href: https://traefik.niko.depeuter.dev/dashboard/#
ping: https://traefik.niko.depeuter.dev/dashboard/#
- Technitium DNS Isabel:
description: DNS server
href: https://dns.Isabel.depeuter.dev
ping: http://192.168.0.13:53
icon: technitium
- Technitium DNS Niko:
description: DNS server
href: https://dns.niko.depeuter.dev
ping: http://192.168.0.30:53
icon: technitium

255
hosts/Isabel/default.nix Normal file
View file

@ -0,0 +1,255 @@
{ config, pkgs, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
];
# Use the systemd-boot EFI boot loader.
boot.loader = {
systemd-boot.enable = true;
efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot/efi";
};
};
console = {
font = "Lat2-Terminus16";
keyMap = "us";
};
# List packages installed in the system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
];
environment.etc = {
"homepage/bookmarks.yaml".text = ''
- Office:
- Zoho Mail:
- icon: zohomail
href: https://mail.zoho.eu
- Network:
- Cloudlfare:
- icon: cloudflare
href: https://dash.cloudflare.com
- TransIP:
- icon: https://www.transip.eu/cache-60c9b25f/img/transip-new/favicons/favicon.png
href: https://www.transip.eu/cp/
- Telenet Internet usage:
- icon: https://static.telenet.be/assets/favicon/favicon.ico
href: https://www2.telenet.be/nl/klantenservice/raadpleeg-je-internetverbruik/
- Telenet Modem:
- icon: https://static.telenet.be/assets/favicon/favicon.ico
# href: https://mijn.telenet.be/mijntelenet/rgw/settings.do?identifier=u381160&action=showAdvancedSettings
href: https://www2.telenet.be/residential/nl/mijn-telenet/je-thuisnetwerk#/mainnavitem=hgw/mainnavitemid=item-1/subnavitem=modem_general
- Pulsetic:
- href: https://status.depeuter.dev
icon: https://pulsetic.com/favicon-196x196.png
- Homemade:
- AI-Transparency:
- href: https://ai-transparency.depeuter.dev
icon: https://ai-transparency.depeuter.dev/img/transparency.png
- Down-message:
- href: https://down.depeuter.dev
icon: https://down.depeuter.dev/assets/icon.jpg
- Portfolio:
- href: https://tibo.depeuter.dev
icon: https://tibo.depeuter.dev/assets/owl_circuit.png
'';
"homepage/services.yaml".text = ''
- Networking:
- Traefik Isabel:
description: Reverse proxy manager
href: https://traefik.isabel.depeuter.dev/dashboard/#
ping: https://traefik.isabel.depeuter.dev/dashboard/#
icon: traefik
widget:
type: traefik
url: https://traefik.isabel.depeuter.dev
- Traefik Niko:
description: Reverse proxy manager
href: https://traefik.niko.depeuter.dev/dashboard/#
ping: https://traefik.niko.depeuter.dev/dashboard/#
icon: traefik
widget:
type: traefik
url: https://traefik.niko.depeuter.dev
'';
"homepage/settings.yaml".text = ''
---
# For configuration options and examples, please see:
# https://gethomepage.dev/en/configs/settings
providers:
openweathermap: openweathermapapikey
weatherapi: weatherapiapikey
'';
};
homelab.apps.technitiumDNS.enable = true;
# Select internationalisation properties.
i18n.defaultLocale = "en_GB.utf8";
networking = {
hostName = "Hugo-Isabel";
domain = "depeuter.dev";
enableIPv6 = true;
# Open ports in the firewall.
firewall = {
enable = true;
};
networkmanager.enable = true;
};
# List services that you want to enable:
services = {
tailscale = {
enable = true;
useRoutingFeatures = "server";
authKeyFile = "/etc/nixos/tailscale-authkey";
extraUpFlags = [
"--advertise-routes=192.168.0.0/24"
"--exit-node"
];
};
# Fix DNS issues. See:
# https://github.com/tailscale/tailscale/issues/4254
# resolved.enable = true;
};
system.stateVersion = "24.05";
security.sudo = {
enable = true;
};
virtualisation = {
docker = {
enable = true;
autoPrune.enable = true;
};
oci-containers = {
backend = "docker";
containers = {
reverse-proxy = {
hostname = "traefik";
image = "traefik:v3.0";
cmd = [
"--api.insecure=true"
# Add Docker provider
"--providers.docker=true"
"--providers.docker.exposedByDefault=false"
# Add web entrypoint
"--entrypoints.web.address=:80/tcp"
"--entrypoints.web.http.redirections.entrypoint.to=websecure"
"--entrypoints.web.http.redirections.entrypoint.scheme=https"
# Add websecure entrypoint
"--entrypoints.websecure.address=:443/tcp"
"--entrypoints.websecure.http.tls=true"
"--entrypoints.websecure.http.tls.certResolver=letsencrypt"
"--entrypoints.websecure.http.tls.domains[0].main=depeuter.dev"
"--entrypoints.websecure.http.tls.domains[0].sans=*.depeuter.dev"
"--entrypoints.websecure.http.tls.domains[1].sans=*.isabel.depeuter.dev"
"--entrypoints.websecure.http.tls.domains[2].sans=*.jelly.depeuter.dev"
# Certificates
"--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
"--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
"--certificatesresolvers.letsencrypt.acme.email=tibo.depeuter@telenet.be"
"--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
# Additional routes
];
ports = [
"80:80/tcp"
"443:443/tcp"
# "8080:8080/tcp" # The Web UI (enabled by --api.insecure=true)
];
environment = {
# TODO Hide this!
"CLOUDFLARE_DNS_API_TOKEN" = "6Vz64Op_a6Ls1ljGeBxFoOVfQ-yB-svRbf6OyPv2";
};
environmentFiles = [
];
volumes = [
"/var/run/docker.sock:/var/run/docker.sock:ro" # So that Traefik can listen to the Docker events
"letsencrypt:/letsencrypt"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.traefik.rule" = "Host(`traefik.isabel.depeuter.dev`)";
"traefik.http.services.traefik.loadbalancer.server.port" = "8080";
};
autoStart = true;
};
feishin = {
hostname = "feishin";
image = "ghcr.io/jeffvli/feishin:0.7.1";
ports = [
# "9180:9180/tcp" # Web player (HTTP)
];
environment = {
# pre defined server name
SERVER_NAME = "Hugo";
# When true AND name/type/url are set, only username/password can be toggled
SERVER_LOCK = "true";
# navidrome also works
SERVER_TYPE = "jellyfin";
# http://address:port
SERVER_URL= "https://jelly.depeuter.dev";
TZ = config.time.timeZone;
};
labels = {
"traefik.enable" = "true";
"traefik.http.routers.feishin.rule" = "Host(`music.depeuter.dev`)";
"traefik.http.services.feishin.loadbalancer.server.port" = "9180";
"traefik.tls.options.default.minVersion" = "VersionTLS13";
};
autoStart = true;
};
dashboard = {
hostname = "dashboard";
image = "ghcr.io/gethomepage/homepage:v0.9.3";
ports = [
# "3000:3000/tcp"
];
volumes = [
"/etc/homepage:/app/config" # Make sure your local config directory exists
"/var/run/docker.sock:/var/run/docker.sock:ro" # optional, for docker integrations
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.dashboard.rule" = "Host(`dash.depeuter.dev`)";
"traefik.http.services.dashboard.loadbalancer.server.port" = "3000";
"traefik.tls.options.default.minVersion" = "VersionTLS13";
};
autoStart = true;
};
prometheus = {
hostname = "prometheus";
image = "prom/prometheus:v2.45.6";
ports = [
# "127.0.0.1:9090:9090/tcp"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.prometheus.rule" = "Host(`prometheus.isabel.depeuter.dev`)";
"traefik.http.services.prometheus.loadbalancer.server.port" = "9090";
"traefik.tls.options.default.minVersion" = "VersionTLS13";
};
autoStart = true;
};
};
};
};
}

39
hosts/Isabel/hardware-configuration.nix Normal file
View file

@ -0,0 +1,39 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "xhci_pci" "ahci" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-label/NIX-ROOT";
fsType = "ext4";
};
fileSystems."/boot/efi" =
{ device = "/dev/disk/by-label/NIX-BOOT";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-label/SWAP"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens3.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

169
hosts/Niko/default.nix
View file

@ -6,6 +6,11 @@
./hardware-configuration.nix
];
homelab = {
apps.technitiumDNS.enable = true;
users.deploy.enable = true;
};
# Use the systemd-boot EFI boot loader.
boot.loader = {
systemd-boot.enable = true;
@ -23,11 +28,7 @@
# List packages installed in the system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
curl
git
tmux
vim
wget
cifs-utils
];
hardware = {
@ -58,16 +59,6 @@
'';
};
nix = {
package = pkgs.nixFlakes;
extraOptions = ''
experimental-features = nix-command flakes
'';
settings.trusted-users = [
config.users.users.admin.name
];
};
nixpkgs.config.allowUnfree = true;
# List services that you want to enable:
@ -88,15 +79,6 @@
user = config.users.users.jellyfin-mpv-shim.name;
};
openssh = {
# Enable the OpenSSH daemon.
enable = true;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "no";
};
};
tailscale = {
enable = true;
useRoutingFeatures = "server";
@ -114,71 +96,18 @@
sound.enable = true;
# Set your time zone.
time.timeZone = "Europe/Brussels";
users = {
# Define users groups
groups = {
# The group used to deploy rebuilds without password authentication
deploy = { };
};
# Define a user account. Don't forget to set a password with 'passwd'.
users = {
admin = {
description = "System Administrator";
isNormalUser = true;
extraGroups = [
config.users.groups.wheel.name # Enable 'sudo' for the user.
config.users.groups.deploy.name
];
initialPassword = "ChangeMe";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPrG+ldRBdCeHEXrsy/qHXIJYg8xQXVuiUR0DxhFjYNg"
];
};
jellyfin-mpv-shim = {
description = "Jellyfin MPV Shim User";
isNormalUser = true;
extraGroups = [
config.users.groups.audio.name
config.users.groups.video.name
];
packages = with pkgs; [
jellyfin-mpv-shim
mpv
socat
];
};
};
};
security.sudo = {
enable = true;
extraRules = [
{
groups = [ config.users.groups.deploy.name ];
commands = [
{
command = "/nix/store/*/bin/switch-to-configuration";
options = [ "NOPASSWD" ];
}
{
command = "/run/current-system/sw/bin/nix-store";
options = [ "NOPASSWD" ];
}
{
command = ''/bin/sh -c "readlink -e /nix/var/nix/profiles/system || readlink -e /run/current-system"'';
options = [ "NOPASSWD" ];
}
{
command = "${config.system.build.nixos-rebuild}/bin/nixos-rebuild";
options = [ "NOPASSWD" ];
}
];
}
# Define a user account. Don't forget to set a password with 'passwd'.
users.users.jellyfin-mpv-shim = {
description = "Jellyfin MPV Shim User";
isNormalUser = true;
extraGroups = [
config.users.groups.audio.name
config.users.groups.video.name
];
packages = with pkgs; [
jellyfin-mpv-shim
mpv
socat
];
};
@ -229,6 +158,7 @@
# "8080:8080/tcp" # The Web UI (enabled by --api.insecure=true)
];
environment = {
# TODO Hide this!
"CLOUDFLARE_DNS_API_TOKEN" = "6Vz64Op_a6Ls1ljGeBxFoOVfQ-yB-svRbf6OyPv2";
};
environmentFiles = [
@ -244,67 +174,6 @@
};
autoStart = true;
};
technitium-dns = {
hostname = "technitium-dns";
image = "technitium/dns-server:12.1";
ports = [
# "5380:5380/tcp" #DNS web console (HTTP)
# "53443:53443/tcp" #DNS web console (HTTPS)
"53:53/udp" #DNS service
"53:53/tcp" #DNS service
# "853:853/udp" #DNS-over-QUIC service
# "853:853/tcp" #DNS-over-TLS service
# "443:443/udp" #DNS-over-HTTPS service (HTTP/3)
# "443:443/tcp" #DNS-over-HTTPS service (HTTP/1.1, HTTP/2)
# "80:80/tcp" #DNS-over-HTTP service (use with reverse proxy or certbot certificate renewal)
# "8053:8053/tcp" #DNS-over-HTTP service (use with reverse proxy)
# "67:67/udp" #DHCP service
];
environment = {
# The primary domain name used by this DNS Server to identify itself.
DNS_SERVER_DOMAIN = config.networking.hostName;
# DNS Server will use IPv6 for querying whenever possible with this option enabled.
DNS_SERVER_PREFER_IPV6 = "true";
# The TCP port number for the DNS web console over HTTP protocol.
# DNS_SERVER_WEB_SERVICE_HTTP_PORT=5380
# The TCP port number for the DNS web console over HTTPS protocol.
# DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443
# Enables HTTPS for the DNS web console.
# DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS=false
# Enables self signed TLS certificate for the DNS web console.
# DNS_SERVER_WEB_SERVICE_USE_SELF_SIGNED_CERT=false
# Enables DNS server optional protocol DNS-over-HTTP on TCP port 8053 to be used with a TLS terminating reverse proxy like nginx.
# DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=false
# Recursion options: Allow, Deny, AllowOnlyForPrivateNetworks, UseSpecifiedNetworks.
#nDNS_SERVER_RECURSION=AllowOnlyForPrivateNetworks
# Comma separated list of IP addresses or network addresses to deny recursion. Valid only for `UseSpecifiedNetworks` recursion option.
# DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24
# Comma separated list of IP addresses or network addresses to allow recursion. Valid only for `UseSpecifiedNetworks` recursion option.
# DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24
# Sets the DNS server to block domain names using Blocked Zone and Block List Zone.
DNS_SERVER_ENABLE_BLOCKING = "false";
# Specifies if the DNS Server should respond with TXT records containing a blocked domain report for TXT type requests.
# DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=false
# A comma separated list of block list URLs.
# DNS_SERVER_BLOCK_LIST_URLS=
#Comma separated list of forwarder addresses.
DNS_SERVER_FORWARDERS="195.130.130.2,195.130.131.2";
# Forwarder protocol options: Udp, Tcp, Tls, Https, HttpsJson.
# DNS_SERVER_FORWARDER_PROTOCOL=Tcp
# Enable this option to use local time instead of UTC for logging.
# DNS_SERVER_LOG_USING_LOCAL_TIME=true
};
volumes = [
"dns:/etc/dns"
];
labels = {
"traefik.enable" = "true";
"traefik.http.routers.technitium-dns.rule" = "Host(`dns.niko.depeuter.dev`)";
"traefik.http.services.technitium-dns.loadbalancer.server.port" = "5380";
"traefik.tls.options.default.minVersion" = "VersionTLS13";
};
autoStart = true;
};
};
};
};

16
hosts/Niko/hardware-configuration.nix
View file

@ -29,14 +29,14 @@
fsType = "vfat";
};
# "/data/photos" = {
# device = "//192.168.0.11/CANVAS";
# fsType = "cifs";
# options = let
# # this line prevents hanging on network split
# automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
# in ["${automount_opts},credentials=/etc/nixos/smb-secrets"];
# };
"/media/photos" = {
device = "//192.168.0.11/CANVAS";
fsType = "cifs";
options = let
# This line prevents hanging on network split
automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,user,users";
in ["${automount_opts},credentials=/etc/nixos/smb-secrets,uid=1002,gid=100"];
};
};
swapDevices = [

98
hosts/ProductionGPU/default.nix Normal file
View file

@ -0,0 +1,98 @@
{ config, pkgs, lib, system, ... }:
{
config = {
homelab = {
apps.jellyfin.enable = true;
virtualisation.guest.enable = true;
};
networking = {
hostId = "aaaa2200";
domain = "roxanne.depeuter.dev";
useDHCP = false;
enableIPv6 = true;
defaultGateway = {
address = "192.168.0.1";
interface = "enp6s18";
};
# Open ports in the firewall.
firewall = {
enable = true;
};
interfaces.enp6s18 = {
ipv4.addresses = [
{
address = "192.168.0.94";
prefixLength = 24;
}
];
};
nameservers = [
"1.1.1.1" # Cloudflare
"1.0.0.1" # Cloudflare
];
};
system.stateVersion = "unstable";
### Nvidia GPU support ###
services.xserver.videoDrivers = [ "nvidia" ];
# virtualisation.docker.package = pkgs.nvidia-docker;
nixpkgs.config = {
allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"nvidia-x11"
"nvidia-settings"
"nvidia-persistenced"
];
# enable vaapi on OS-level
# packageOverrides = pkgs: {
# vaapiIntel = pkgs.vaapiIntel.override {
# enableHybridCodec = true;
# };
# };
};
hardware = {
opengl = {
enable = true;
# driSupport = true;
# driSupport32Bit = true;
extraPackages = with pkgs; [
# intel-media-driver
# intel-vaapi-driver # previously vaapiIntel
# vaapiVdpau
# intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
# unstable.vpl-gpu-rt # QSV on 11th gen or newer
# intel-media-sdk # QSV up to 11th gen
];
};
nvidia = {
package = config.boot.kernelPackages.nvidiaPackages.stable;
# Whether to enable kernel modesetting when using the NVIDIA proprietary driver.
modesetting.enable = true;
# powerManagement = {
# enable = false;
# finegrained = false;
# };
open = false;
nvidiaSettings = false;
# Whether to enable nvidia-persistenced a update for NVIDIA GPU headless mode, i.e. It ensures all GPUs stay awake even during headless mode .
# nvidiaPersistenced = true;
};
nvidia-container-toolkit.enable = true;
};
};
}

36
hosts/Template/default.nix Normal file
View file

@ -0,0 +1,36 @@
{ config, pkgs, lib, system, ... }:
{
config = {
homelab.virtualisation.guest.enable = true;
networking = {
# TODO hostName = "nixos";
# TODO hostId = "aaaa9000";
domain = "depeuter.dev";
enableIPv6 = true;
useDHCP = false;
defaultGateway = {
address = "192.168.0.1";
interface = "ens18";
};
interfaces.ens18 = {
ipv4.addresses = [
{
address = "192.168.0.90";
prefixLength = 24;
}
];
};
nameservers = [
"1.1.1.1" # Cloudflare
"1.0.0.1" # Cloudflare
];
};
system.stateVersion = "24.05";
};
}

48
hosts/Testing/default.nix Normal file
View file

@ -0,0 +1,48 @@
{ config, pkgs, lib, system, ... }:
{
config = {
homelab = {
virtualisation = {
containers.enable = true;
guest.enable = true;
};
};
networking = {
hostName = "Testing";
hostId = "aaaa9200";
domain = "roxanne.depeuter.dev";
useDHCP = false;
enableIPv6 = true;
defaultGateway = {
address = "192.168.0.1";
interface = "ens18";
};
# Open ports in the firewall.
firewall = {
enable = true;
};
interfaces.ens18 = {
ipv4.addresses = [
{
address = "192.168.0.92";
prefixLength = 24;
}
];
};
nameservers = [
"1.1.1.1" # Cloudflare
"1.0.0.1" # Cloudflare
];
};
system.stateVersion = "24.05";
};
}

38
hosts/Vaultwarden/default.nix Normal file
View file

@ -0,0 +1,38 @@
{ config, pkgs, lib, system, ... }:
{
config = {
homelab = {
apps.vaultwarden.enable = true;
virtualisation.guest.enable = true;
};
networking = {
hostId = "aaaa1300";
domain = "depeuter.dev";
enableIPv6 = true;
useDHCP = false;
defaultGateway = {
address = "192.168.0.1";
interface = "ens18";
};
interfaces.ens18 = {
ipv4.addresses = [
{
address = "192.168.0.22";
prefixLength = 24;
}
];
};
nameservers = [
"1.1.1.1" # Cloudflare
"1.0.0.1" # Cloudflare
];
};
system.stateVersion = "24.05";
};
}