Sync

2024-11-10 20:15:47 +01:00 · 2024-11-10 20:15:47 +01:00 · cef3a949fe
commit cef3a949fe
parent c1025627ae
40 changed files with 3401 additions and 158 deletions
--- a/hosts/Niko/default.nix
+++ b/hosts/Niko/default.nix
@ -6,6 +6,11 @@
    ./hardware-configuration.nix
  ];

+  homelab = {
+    apps.technitiumDNS.enable = true;
+    users.deploy.enable = true;
+  };
+
  # Use the systemd-boot EFI boot loader.
  boot.loader = {
    systemd-boot.enable = true;
@ -23,11 +28,7 @@
  # List packages installed in the system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
-    curl
-    git
-    tmux
-    vim
-    wget
+    cifs-utils
  ];

  hardware = {
@ -58,16 +59,6 @@
    '';
  };

-  nix = {
-    package = pkgs.nixFlakes;
-    extraOptions = ''
-      experimental-features = nix-command flakes
-    '';
-    settings.trusted-users = [
-      config.users.users.admin.name
-    ];
-  };
-
  nixpkgs.config.allowUnfree = true;

  # List services that you want to enable:
@ -88,15 +79,6 @@
      user = config.users.users.jellyfin-mpv-shim.name;
    };

-    openssh = {
-      # Enable the OpenSSH daemon.
-      enable = true;
-      settings = {
-        PasswordAuthentication = false;
-        PermitRootLogin = "no";
-      };
-    };
-
    tailscale = {
      enable = true;
      useRoutingFeatures = "server";
@ -114,71 +96,18 @@

  sound.enable = true;

-  # Set your time zone.
-  time.timeZone = "Europe/Brussels";
-
-  users = {
-    # Define users groups
-    groups = {
-      # The group used to deploy rebuilds without password authentication
-      deploy = { };
-    };
-
-    # Define a user account. Don't forget to set a password with 'passwd'.
-    users = {
-      admin = {
-        description = "System Administrator";
-        isNormalUser = true;
-        extraGroups = [
-          config.users.groups.wheel.name # Enable 'sudo' for the user.
-          config.users.groups.deploy.name
-        ];
-        initialPassword = "ChangeMe";
-        openssh.authorizedKeys.keys = [
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPrG+ldRBdCeHEXrsy/qHXIJYg8xQXVuiUR0DxhFjYNg"
-        ];
-      };
-
-      jellyfin-mpv-shim = {
-        description = "Jellyfin MPV Shim User";
-        isNormalUser = true;
-        extraGroups = [
-          config.users.groups.audio.name
-          config.users.groups.video.name
-        ];
-        packages = with pkgs; [
-          jellyfin-mpv-shim
-          mpv
-          socat
-        ];
-      };
-    };
-  };
-
-  security.sudo = {
-    enable = true;
-    extraRules = [
-      {
-        groups = [ config.users.groups.deploy.name ];
-        commands = [
-          {
-            command = "/nix/store/*/bin/switch-to-configuration";
-            options = [ "NOPASSWD" ];
-          }
-          {
-            command = "/run/current-system/sw/bin/nix-store";
-            options = [ "NOPASSWD" ];
-          }
-          {
-            command = ''/bin/sh -c "readlink -e /nix/var/nix/profiles/system || readlink -e /run/current-system"'';
-            options = [ "NOPASSWD" ];
-          }
-          {
-            command = "${config.system.build.nixos-rebuild}/bin/nixos-rebuild";
-            options = [ "NOPASSWD" ];
-          }
-        ];
-      }
+  # Define a user account. Don't forget to set a password with 'passwd'.
+  users.users.jellyfin-mpv-shim = {
+    description = "Jellyfin MPV Shim User";
+    isNormalUser = true;
+    extraGroups = [
+      config.users.groups.audio.name
+      config.users.groups.video.name
+    ];
+    packages = with pkgs; [
+      jellyfin-mpv-shim
+      mpv
+      socat
    ];
  };

@ -229,6 +158,7 @@
            # "8080:8080/tcp" # The Web UI (enabled by --api.insecure=true)
          ];
          environment = {
+            # TODO Hide this!
            "CLOUDFLARE_DNS_API_TOKEN" = "6Vz64Op_a6Ls1ljGeBxFoOVfQ-yB-svRbf6OyPv2";
          };
          environmentFiles = [
@ -244,67 +174,6 @@
          };
          autoStart = true;
        };
-        technitium-dns = {
-          hostname = "technitium-dns";
-          image = "technitium/dns-server:12.1";
-          ports = [
-            # "5380:5380/tcp"   #DNS web console (HTTP)
-            # "53443:53443/tcp" #DNS web console (HTTPS)
-            "53:53/udp"       #DNS service
-            "53:53/tcp"       #DNS service
-            # "853:853/udp"     #DNS-over-QUIC service
-            # "853:853/tcp"     #DNS-over-TLS service
-            # "443:443/udp"     #DNS-over-HTTPS service (HTTP/3)
-            # "443:443/tcp"     #DNS-over-HTTPS service (HTTP/1.1, HTTP/2)
-            # "80:80/tcp"       #DNS-over-HTTP service (use with reverse proxy or certbot certificate renewal)
-            # "8053:8053/tcp"   #DNS-over-HTTP service (use with reverse proxy)
-            # "67:67/udp"       #DHCP service
-          ];
-          environment = {
-            # The primary domain name used by this DNS Server to identify itself.
-            DNS_SERVER_DOMAIN = config.networking.hostName;
-            # DNS Server will use IPv6 for querying whenever possible with this option enabled.
-            DNS_SERVER_PREFER_IPV6 = "true";
-            # The TCP port number for the DNS web console over HTTP protocol.
-            # DNS_SERVER_WEB_SERVICE_HTTP_PORT=5380
-            # The TCP port number for the DNS web console over HTTPS protocol.
-            # DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443
-            # Enables HTTPS for the DNS web console.
-            # DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS=false
-            # Enables self signed TLS certificate for the DNS web console.
-            # DNS_SERVER_WEB_SERVICE_USE_SELF_SIGNED_CERT=false
-            # Enables DNS server optional protocol DNS-over-HTTP on TCP port 8053 to be used with a TLS terminating reverse proxy like nginx.
-            # DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=false
-            # Recursion options: Allow, Deny, AllowOnlyForPrivateNetworks, UseSpecifiedNetworks.
-            #nDNS_SERVER_RECURSION=AllowOnlyForPrivateNetworks
-            # Comma separated list of IP addresses or network addresses to deny recursion. Valid only for `UseSpecifiedNetworks` recursion option.
-            # DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24
-            # Comma separated list of IP addresses or network addresses to allow recursion. Valid only for `UseSpecifiedNetworks` recursion option.
-            # DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24
-            # Sets the DNS server to block domain names using Blocked Zone and Block List Zone.
-            DNS_SERVER_ENABLE_BLOCKING = "false";
-            # Specifies if the DNS Server should respond with TXT records containing a blocked domain report for TXT type requests.
-            # DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=false
-            # A comma separated list of block list URLs.
-            # DNS_SERVER_BLOCK_LIST_URLS=
-            #Comma separated list of forwarder addresses.
-            DNS_SERVER_FORWARDERS="195.130.130.2,195.130.131.2";
-            # Forwarder protocol options: Udp, Tcp, Tls, Https, HttpsJson.
-            # DNS_SERVER_FORWARDER_PROTOCOL=Tcp
-            # Enable this option to use local time instead of UTC for logging.
-            # DNS_SERVER_LOG_USING_LOCAL_TIME=true
-          };
-          volumes = [
-            "dns:/etc/dns"
-          ];
-          labels = {
-            "traefik.enable" = "true";
-            "traefik.http.routers.technitium-dns.rule" = "Host(`dns.niko.depeuter.dev`)";
-            "traefik.http.services.technitium-dns.loadbalancer.server.port" = "5380";
-            "traefik.tls.options.default.minVersion" = "VersionTLS13";
-          };
-          autoStart = true;
-        };
      };
    };
  };