From bdb4ad8160557fa71321f30c995495216fc17ce0 Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Wed, 1 Oct 2025 16:33:55 +0200 Subject: [PATCH 01/19] Updates --- modules/apps/arr/default.nix | 2 +- modules/apps/jellyfin/default.nix | 24 +++++++++--------------- modules/services/actions/default.nix | 2 +- 3 files changed, 11 insertions(+), 17 deletions(-) diff --git a/modules/apps/arr/default.nix b/modules/apps/arr/default.nix index 3b05429..e2c0df5 100644 --- a/modules/apps/arr/default.nix +++ b/modules/apps/arr/default.nix @@ -343,7 +343,7 @@ in { port = 7878; in lib.mkIf cfg.radarr.enable { hostname = "radarr"; - image = "ghcr.io/hotio/radarr:release-5.28.0.10205"; + image = "ghcr.io/hotio/radarr:testing-5.28.0.10205"; autoStart = true; ports = lib.mkIf cfg.radarr.exposePorts [ "${toString port}:${toString port}/tcp" diff --git a/modules/apps/jellyfin/default.nix b/modules/apps/jellyfin/default.nix index 5b4081a..011f56b 100644 --- a/modules/apps/jellyfin/default.nix +++ b/modules/apps/jellyfin/default.nix @@ -4,6 +4,7 @@ let cfg = config.homelab.apps.jellyfin; networkName = "jellyfin"; + inherit (config.homelab.fileSystems) media; UID = 3008; GID = config.users.groups.media.gid; @@ -12,6 +13,11 @@ in { config = lib.mkIf cfg.enable { homelab = { + fileSystems.media.video = { + enable = true; + permissions = [ "read" ]; + }; + users = { apps.enable = true; media.enable = true; @@ -32,18 +38,6 @@ in { ]; }; - "/srv/video" = { - device = "192.168.0.11:/mnt/SMALL/MEDIA/VIDEO"; - fsType = "nfs"; - options = [ - "ro" - "nfsvers=4.2" - "async" "soft" - "timeo=100" "retry=50" "actimeo=1800" "lookupcache=all" - "nosuid" "tcp" - ]; - }; - "/srv/homevideo" = { device = "192.168.0.11:/mnt/BIG/MEDIA/HOMEVIDEO/ARCHIVE"; fsType = "nfs"; @@ -101,7 +95,7 @@ in { virtualisation.oci-containers.containers = { jellyfin = { hostname = "jellyfin"; - image = "jellyfin/jellyfin:10.10.0"; + image = "jellyfin/jellyfin:10.10.7"; user = "${toString UID}:${toString GID}"; autoStart = true; ports = [ @@ -117,7 +111,7 @@ in { "cache:/cache" "/srv/audio:/media/audio" - "/srv/video:/media/video" + "${media.video.hostPath}:/media/video" "/srv/homevideo:/media/homevideo" "/srv/photo:/media/photo" ]; @@ -144,7 +138,7 @@ in { feishinPort = "9180"; in { hostname = "feishin"; - image = "ghcr.io/jeffvli/feishin:0.7.1"; + image = "ghcr.io/jeffvli/feishin:0.19.0"; autoStart = true; ports = [ "${feishinPort}:9180/tcp" # Web player (HTTP) diff --git a/modules/services/actions/default.nix b/modules/services/actions/default.nix index 338b963..ea6b025 100644 --- a/modules/services/actions/default.nix +++ b/modules/services/actions/default.nix @@ -44,6 +44,6 @@ in { ]; }; }; - }; } + From da3157c8188b08a6b4d4147ea2e3138d4a71608c Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Wed, 1 Oct 2025 16:34:55 +0200 Subject: [PATCH 02/19] feat(penpot): Add module --- modules/apps/penpot/default.nix | 220 ++++++++++++++++++++++++++++++++ 1 file changed, 220 insertions(+) create mode 100644 modules/apps/penpot/default.nix diff --git a/modules/apps/penpot/default.nix b/modules/apps/penpot/default.nix new file mode 100644 index 0000000..0ec01cd --- /dev/null +++ b/modules/apps/penpot/default.nix @@ -0,0 +1,220 @@ +{ config, lib, pkgs, ... }: + +let + cfg = config.homelab.apps.penpot; + + networkName = "penpot"; + UID = config.users.users.apps.uid; + GID = config.users.groups.apps.gid; + + version = "2.5.4"; + + srvPath = "/srv/penpot"; + assetsPath = "/opt/data/assets"; + + PENPOT_FLAGS = "enable-smtp enable-prepl-server disable-secure-session-cookies disable-onboarding disable-registration"; + # Max body size (30MiB); Used for plain requests, should never be + # greater than multi-part size + PENPOT_HTTP_SERVER_MAX_BODY_SIZE = "31457280"; + # Max multipart body size (350MiB) + PENPOT_HTTP_SERVER_MAX_MULTIPART_BODY_SIZE = "367001600"; + + dbName = "penpot"; + dbUser = "penpot"; + dbPass = "penpot"; + + docker = config.virtualisation.oci-containers.containers; +in { + options.homelab.apps.penpot.enable = lib.mkEnableOption "Penpot using Docker"; + + config = lib.mkIf cfg.enable { + homelab = { + users.apps.enable = true; + virtualisation.containers.enable = true; + }; + + fileSystems."${srvPath}" = { + device = "192.168.0.11:/mnt/SMALL/CONFIG/PENPOT"; + fsType = "nfs"; + options = [ + "rw" + "nfsvers=4.2" + "sync" "hard" "timeo=600" + "retrans=2" + "_netdev" + "nosuid" "tcp" + ]; + }; + + # Make sure the Docker network exists. + systemd.services."docker-${networkName}-create-network" = lib.mkIf cfg.enable { + description = "Create Docker network for ${networkName}"; + requiredBy = [ + "docker-penpot-frontend.service" + "docker-penpot-backend.service" + "docker-penpot-exporter.service" + "docker-penpot-postgres.service" + "docker-penpot-redis.service" + ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + if ! ${pkgs.docker}/bin/docker network ls | grep -q ${networkName}; then + ${pkgs.docker}/bin/docker network create ${networkName} + fi + ''; + }; + + virtualisation.oci-containers.containers = let + frontendPort = 8080; + redisUri = "redis://${docker.penpot-redis.hostname}/0"; + in { + penpot-frontend = { + hostname = "penpot-frontend"; + image = "penpotapp/frontend:${version}"; + # user = "${toString UID}:${toString GID}"; + user = "0:${toString GID}"; + ports = [ + # "9001:${toString frontendPort}/tcp" + ]; + extraOptions = [ + "--network=${networkName}" + ]; + environment = { + inherit PENPOT_FLAGS; + inherit PENPOT_HTTP_SERVER_MAX_BODY_SIZE; + inherit PENPOT_HTTP_SERVER_MAX_MULTIPART_BODY_SIZE; + }; + volumes = [ + "${srvPath}:${assetsPath}" + ]; + dependsOn = [ + docker.penpot-backend.hostname + docker.penpot-exporter.hostname + ]; + labels = { + "traefik.enable" = "true"; + "traefik.http.routers.penpot.rule" = "Host(`penpot.depeuter.dev`)"; + "traefik.http.services.penpot.loadbalancer.server.port" = toString frontendPort; + "traefik.tls.options.default.minVersion" = "VersionTLS13"; + }; + autoStart = true; + }; + penpot-backend = { + hostname = "penpot-backend"; + image = "penpotapp/backend:latest"; + # user = "${toString UID}:${toString GID}"; + user = "0:${toString GID}"; + extraOptions = [ + "--network=${networkName}" + ]; + environmentFiles = [ + /home/admin/.penpot.secret + ]; + environment = { + inherit PENPOT_FLAGS; + inherit PENPOT_HTTP_SERVER_MAX_BODY_SIZE; + inherit PENPOT_HTTP_SERVER_MAX_MULTIPART_BODY_SIZE; + + PENPOT_PUBLIC_URI = "https://penpot.depeuter.dev"; + + ## Database connection parameters. Don't touch them unless you are using custom + ## postgresql connection parameters. + + PENPOT_DATABASE_URI = "postgresql://${docker.penpot-postgres.hostname}/${dbName}"; + PENPOT_DATABASE_USERNAME = dbUser; + PENPOT_DATABASE_PASSWORD = dbPass; + + ## Redis is used for the websockets notifications. Don't touch unless the redis + ## container has different parameters or different name. + + PENPOT_REDIS_URI = redisUri; + + ## Default configuration for assets storage: using filesystem based with all files + ## stored in a docker volume. + + PENPOT_ASSETS_STORAGE_BACKEND = "assets-fs"; + PENPOT_STORAGE_ASSETS_FS_DIRECTORY = assetsPath; + + ## Telemetry. When enabled, a periodical process will send anonymous data about this + ## instance. Telemetry data will enable us to learn how the application is used, + ## based on real scenarios. If you want to help us, please leave it enabled. You can + ## audit what data we send with the code available on github. + + PENPOT_TELEMETRY_ENABLED = "false"; + PENPOT_TELEMETRY_REFERER = "compose"; + + # PENPOT_SMTP_HOST = "smtp.gmail.com"; + # PENPOT_SMTP_PORT = "465"; + # PENPOT_SMTP_USERNAME: "kmtl.hugo@gmail.com"; + # PENPOT_SMTP_PASSWORD: + # PENPOT_SMTP_TLS: true + }; + volumes = [ + "${srvPath}:${assetsPath}" + ]; + dependsOn = [ + docker.penpot-postgres.hostname + docker.penpot-redis.hostname + ]; + autoStart = true; + }; + penpot-exporter = { + hostname = "penpot-exporter"; + image = "penpotapp/exporter:latest"; + extraOptions = [ + "--network=${networkName}" + ]; + environment = { + # Don't touch it; this uses an internal docker network to + # communicate with the frontend. + PENPOT_PUBLIC_URI = "http://${docker.penpot-frontend.hostname}:${toString frontendPort}"; + + ## Redis is used for the websockets notifications. + PENPOT_REDIS_URI = redisUri; + }; + dependsOn = [ + docker.penpot-redis.hostname + ]; + autoStart = true; + }; + penpot-postgres = { + hostname = "penpot-postgres"; + image = "postgres:15"; + extraOptions = [ + "--network=${networkName}" + "--health-cmd='pg_isready -U ${dbUser}'" + "--health-interval=2s" + "--health-retries=5" + "--health-timeout=10s" + "--health-start-period=2s" + ]; + environment = { + POSTGRES_INITDB_ARGS = "--data-checksums"; + POSTGRES_DB = dbName; + POSTGRES_USER = dbUser; + POSTGRES_PASSWORD = dbPass; + }; + volumes = [ + "penpot_postgres_v15:/var/lib/postgresql/data" + ]; + autoStart = true; + }; + penpot-redis = { + hostname = "penpot-redis"; + image = "redis:7.2"; + extraOptions = [ + "--network=${networkName}" + "--health-cmd='redis-cli ping | grep PONG'" + "--health-interval=1s" + "--health-retries=5" + "--health-timeout=3s" + "--health-start-period=3s" + ]; + autoStart = true; + }; + }; + }; +} From f1ba0a98e846ff62d03c2f2310e67704dae14800 Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Wed, 1 Oct 2025 16:33:55 +0200 Subject: [PATCH 03/19] Updates --- flake.lock | 12 ++--- flake.nix | 8 ++- hosts/Ingress/default.nix | 34 ++++++++++-- hosts/Niko/default.nix | 77 +++------------------------- hosts/ProductionGPU/default.nix | 8 +-- hosts/Testing/default.nix | 5 +- modules/apps/arr/default.nix | 2 +- modules/apps/freshrss/default.nix | 27 ++++++++-- modules/apps/gitea/default.nix | 4 +- modules/apps/jellyfin/default.nix | 24 ++++----- modules/default.nix | 1 + modules/services/actions/default.nix | 2 +- 12 files changed, 95 insertions(+), 109 deletions(-) diff --git a/flake.lock b/flake.lock index e3284fd..78e4127 100644 --- a/flake.lock +++ b/flake.lock @@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1735291276, - "narHash": "sha256-NYVcA06+blsLG6wpAbSPTCyLvxD/92Hy4vlY9WxFI1M=", + "lastModified": 1756787288, + "narHash": "sha256-rw/PHa1cqiePdBxhF66V7R+WAP8WekQ0mCDG4CFqT8Y=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "634fd46801442d760e09493a794c4f15db2d0cbb", + "rev": "d0fc30899600b9b3466ddb260fd83deb486c32f1", "type": "github" }, "original": { @@ -62,11 +62,11 @@ ] }, "locked": { - "lastModified": 1722363685, - "narHash": "sha256-XCf2PIAT6lH7BwytgioPmVf/wkzXjSKScC4KzcZgb64=", + "lastModified": 1738591040, + "narHash": "sha256-4WNeriUToshQ/L5J+dTSWC5OJIwT39SEP7V7oylndi8=", "owner": "gytis-ivaskevicius", "repo": "flake-utils-plus", - "rev": "6b10f51ff73a66bb29f3bc8151a59d217713f496", + "rev": "afcb15b845e74ac5e998358709b2b5fe42a948d1", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 44d63c2..7701f3a 100644 --- a/flake.nix +++ b/flake.nix @@ -32,18 +32,24 @@ }; hosts = { - Niko.modules = [ ./hosts/Niko ]; + # Physical hosts + Niko.modules = [ ./hosts/Niko ]; + # Virtual machines + + # Single-service Ingress.modules = [ ./hosts/Ingress ]; Gitea.modules = [ ./hosts/Gitea ]; Vaultwarden.modules = [ ./hosts/Vaultwarden ]; + # Production multi-service Binnenpost.modules = [ ./hosts/Binnenpost ]; Production.modules = [ ./hosts/Production ]; ProductionGPU.modules = [ ./hosts/ProductionGPU ]; ProductionArr.modules = [ ./hosts/ProductionArr ]; ACE.modules = [ ./hosts/ACE ]; + # Others Template.modules = [ ./hosts/Template ]; Development.modules = [ ./hosts/Development ]; Testing.modules = [ ./hosts/Testing ]; diff --git a/hosts/Ingress/default.nix b/hosts/Ingress/default.nix index 63e3ced..68cdcfe 100644 --- a/hosts/Ingress/default.nix +++ b/hosts/Ingress/default.nix @@ -59,6 +59,7 @@ prefixLength = 24; }; "cloud.depeuter.dev" = { }; "git.depeuter.dev" = { }; + "home.depeuter.dev" = { }; "jelly.depeuter.dev" = { }; "vault.depeuter.dev" = { }; }; @@ -136,10 +137,27 @@ prefixLength = 24; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; ''; }; - "calendar.depeuter.dev".locations."/".return = "301 https://cloud.depeuter.dev/apps/calendar"; + "calendar.depeuter.dev" = { + useACMEHost = "depeuter.dev"; + locations."/".return = "301 https://cloud.depeuter.dev/apps/calendar"; + }; "tasks.depeuter.dev".locations."/".return = "301 https://cloud.depeuter.dev/apps/tasks"; "notes.depeuter.dev".locations."/".return = "301 https://cloud.depeuter.dev/apps/notes"; + "home.depeuter.dev" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://192.168.0.21:8123"; + extraConfig = '' + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $host; + ''; + }; + }; + "jelly.depeuter.dev" = { enableACME = true; forceSSL = true; @@ -176,7 +194,7 @@ prefixLength = 24; }; }; extraConfig = '' - client_max_body_size 20M; + client_max_body_size 512M; # Security / XSS Mitigation Headers # NOTE: X-Frame-Options may cause issues with the webOS app @@ -206,7 +224,7 @@ prefixLength = 24; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; - client_max_body_size 512M; + client_max_body_size 10G; keepalive_timeout 600s; proxy_buffers 4 256k; # Number and size of buffers for reading response proxy_buffer_size 256k; # Buffer for the first part of the response @@ -220,10 +238,18 @@ prefixLength = 24; enableACME = true; forceSSL = true; locations = { - "/".proxyPass = "http://192.168.0.22:10102"; + "/" = { + proxyPass = "http://192.168.0.22:10102"; + proxyWebSockets = true; + }; "~ ^/admin".return = 403; }; }; + "rss.depeuter.dev" = { + enableACME = true; + forceSSL = true; + locations."/".proxyPass = "http://192.168.92:${toString config.homelab.apps.freshrss.port}"; + }; }; }; }; diff --git a/hosts/Niko/default.nix b/hosts/Niko/default.nix index 57dbc27..910f325 100644 --- a/hosts/Niko/default.nix +++ b/hosts/Niko/default.nix @@ -7,7 +7,10 @@ ]; homelab = { - apps.technitiumDNS.enable = true; + apps = { + technitiumDNS.enable = true; + traefik.enable = true; + }; users.deploy.enable = true; }; @@ -34,12 +37,11 @@ hardware = { enableRedistributableFirmware = true; enableAllFirmware = true; - pulseaudio.enable = true; - opengl.enable = true; + graphics.enable = true; }; # Select internationalisation properties. - i18n.defaultLocale = "en_GB.utf8"; + i18n.defaultLocale = "en_GB.UTF-8"; networking = { hostName = "Niko"; @@ -79,6 +81,8 @@ user = config.users.users.jellyfin-mpv-shim.name; }; + pulseaudio.enable = true; + tailscale = { enable = true; useRoutingFeatures = "server"; @@ -94,8 +98,6 @@ # resolved.enable = true; }; - sound.enable = true; - # Define a user account. Don't forget to set a password with 'passwd'. users.users.jellyfin-mpv-shim = { description = "Jellyfin MPV Shim User"; @@ -114,67 +116,4 @@ systemd.services."cage-tty1".serviceConfig.Restart = "always"; system.stateVersion = "24.05"; - - virtualisation = { - # Enable Android emulator - # waydroid.enable = true; - - docker = { - enable = true; - autoPrune.enable = true; - }; - - oci-containers = { - backend = "docker"; - containers = { - reverse-proxy = { - hostname = "traefik"; - image = "traefik:v3.0"; - cmd = [ - "--api.insecure=true" - # Add Docker provider - "--providers.docker=true" - "--providers.docker.exposedByDefault=false" - # Add web entrypoint - "--entrypoints.web.address=:80/tcp" - "--entrypoints.web.http.redirections.entrypoint.to=websecure" - "--entrypoints.web.http.redirections.entrypoint.scheme=https" - # Add websecure entrypoint - "--entrypoints.websecure.address=:443/tcp" - "--entrypoints.websecure.http.tls=true" - "--entrypoints.websecure.http.tls.certResolver=letsencrypt" - "--entrypoints.websecure.http.tls.domains[0].main=depeuter.dev" - "--entrypoints.websecure.http.tls.domains[0].sans=*.depeuter.dev" - "--entrypoints.websecure.http.tls.domains[1].sans=*.niko.depeuter.dev" - # Certificates - "--certificatesresolvers.letsencrypt.acme.dnschallenge=true" - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare" - "--certificatesresolvers.letsencrypt.acme.email=tibo.depeuter@telenet.be" - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" - ]; - ports = [ - "80:80/tcp" - "443:443/tcp" - # "8080:8080/tcp" # The Web UI (enabled by --api.insecure=true) - ]; - environment = { - # TODO Hide this! - "CLOUDFLARE_DNS_API_TOKEN" = "6Vz64Op_a6Ls1ljGeBxFoOVfQ-yB-svRbf6OyPv2"; - }; - environmentFiles = [ - ]; - volumes = [ - "/var/run/docker.sock:/var/run/docker.sock:ro" # So that Traefik can listen to the Docker events - "letsencrypt:/letsencrypt" - ]; - labels = { - "traefik.enable" = "true"; - "traefik.http.routers.traefik.rule" = "Host(`traefik.niko.depeuter.dev`)"; - "traefik.http.services.traefik.loadbalancer.server.port" = "8080"; - }; - autoStart = true; - }; - }; - }; - }; } diff --git a/hosts/ProductionGPU/default.nix b/hosts/ProductionGPU/default.nix index 75e48e7..fa9ca8c 100644 --- a/hosts/ProductionGPU/default.nix +++ b/hosts/ProductionGPU/default.nix @@ -17,7 +17,7 @@ defaultGateway = { address = "192.168.0.1"; - interface = "enp6s18"; + interface = "ens18"; }; # Open ports in the firewall. @@ -25,7 +25,7 @@ enable = true; }; - interfaces.enp6s18 = { + interfaces.ens18 = { ipv4.addresses = [ { address = "192.168.0.94"; @@ -40,7 +40,7 @@ ]; }; - system.stateVersion = "unstable"; + system.stateVersion = "24.11"; ### Nvidia GPU support ### @@ -64,7 +64,7 @@ }; hardware = { - opengl = { + graphics = { enable = true; # driSupport = true; # driSupport32Bit = true; diff --git a/hosts/Testing/default.nix b/hosts/Testing/default.nix index 2da6563..cc353f6 100644 --- a/hosts/Testing/default.nix +++ b/hosts/Testing/default.nix @@ -3,7 +3,10 @@ { config = { homelab = { - apps.freshrss.enable = true; + apps = { + freshrss.enable = true; + traefik.enable = true; + }; virtualisation.guest.enable = true; }; diff --git a/modules/apps/arr/default.nix b/modules/apps/arr/default.nix index 3b05429..e2c0df5 100644 --- a/modules/apps/arr/default.nix +++ b/modules/apps/arr/default.nix @@ -343,7 +343,7 @@ in { port = 7878; in lib.mkIf cfg.radarr.enable { hostname = "radarr"; - image = "ghcr.io/hotio/radarr:release-5.28.0.10205"; + image = "ghcr.io/hotio/radarr:testing-5.28.0.10205"; autoStart = true; ports = lib.mkIf cfg.radarr.exposePorts [ "${toString port}:${toString port}/tcp" diff --git a/modules/apps/freshrss/default.nix b/modules/apps/freshrss/default.nix index f2ea7ba..4f4456f 100644 --- a/modules/apps/freshrss/default.nix +++ b/modules/apps/freshrss/default.nix @@ -27,7 +27,7 @@ in { "rw" "auto" "nfsvers=4.2" - "sync" "hard" "timeo=600" + "async" "soft" "timeo=600" "retrans=2" "_netdev" "nosuid" @@ -53,24 +53,41 @@ in { virtualisation.oci-containers.containers.freshrss = { hostname = "freshrss"; - image = "freshrss/freshrss:1.24.0"; + image = "freshrss/freshrss:1.25.0"; autoStart = true; user = "0:33"; ports = [ - "${toString port}:${toString port}/tcp" + "${toString port}:80/tcp" ]; extraOptions = [ "--network=${networkName}" ]; environment = { TZ = config.time.timeZone; - CRON_TIME = "3,18,33,48"; # Alternatively, configure cron inside container. - LISTEN = "0.0.0.0:${toString port}"; + CRON_MIN = "3,18,33,48"; # Alternatively, configure cron inside container. + SERVER_DNS = "rss.depeuter.dev"; + TRUSTED_PROXY = "172.16.0.1/12 192.168.0.1/16"; }; volumes = [ "/srv/freshrss/www/freshrss/data:/var/www/FreshRSS/data" "/srv/freshrss/www/freshrss/extensions:/var/www/FreshRSS/extensions" ]; + labels = { + "traefik.enable" = "true"; + + "traefik.http.middlewares.freshrssM1.compress" = "true"; + "traefik.http.middlewares.freshrssM2.headers.browserXssFilter" = "true"; + "traefik.http.middlewares.freshrssM2.headers.forceSTSHeader" = "true"; + "traefik.http.middlewares.freshrssM2.headers.frameDeny" = "true"; + "traefik.http.middlewares.freshrssM2.headers.referrerPolicy" = "no-referrer-when-downgrade"; + "traefik.http.middlewares.freshrssM2.headers.stsSeconds" = "31536000"; + "traefik.http.routers.freshrss.entryPoints" = "websecure"; + "traefik.http.routers.freshrss.tls" = "true"; + + "traefik.http.services.freshrss.loadbalancer.server.port" = "80"; + "traefik.http.routers.freshrss.middlewares" = "freshrssM1,freshrssM2"; + "traefik.http.routers.freshrss.rule" = "Host(`rss.depeuter.dev`)"; + }; }; }; } diff --git a/modules/apps/gitea/default.nix b/modules/apps/gitea/default.nix index 02f60cd..0361bd5 100644 --- a/modules/apps/gitea/default.nix +++ b/modules/apps/gitea/default.nix @@ -124,7 +124,7 @@ in { gitea = { hostname = "gitea"; - image = "codeberg.org/forgejo/forgejo:8.0.3-rootless"; + image = "codeberg.org/forgejo/forgejo:11.0.1-rootless"; autoStart = true; user = "${toString UID}:${toString GID}"; ports = [ @@ -576,7 +576,7 @@ in { #FORGEJO__picture__AVATAR_RENDERED_SIZE_FACTOR = "2"; # Maximum allowed file size for uploaded avatars. # This is to limit the amount of RAM used when resizing the image. - #FORGEJO__picture__AVATAR_MAX_FILE_SIZE = "1048576"; + FORGEJO__picture__AVATAR_MAX_FILE_SIZE = "1048576"; # If the uploaded file is not larger than this byte size, the image will be used as is, without resizing/converting. #FORGEJO__picture__AVATAR_MAX_ORIGIN_SIZE = "262144"; # Chinese users can choose "duoshuo" diff --git a/modules/apps/jellyfin/default.nix b/modules/apps/jellyfin/default.nix index 5b4081a..011f56b 100644 --- a/modules/apps/jellyfin/default.nix +++ b/modules/apps/jellyfin/default.nix @@ -4,6 +4,7 @@ let cfg = config.homelab.apps.jellyfin; networkName = "jellyfin"; + inherit (config.homelab.fileSystems) media; UID = 3008; GID = config.users.groups.media.gid; @@ -12,6 +13,11 @@ in { config = lib.mkIf cfg.enable { homelab = { + fileSystems.media.video = { + enable = true; + permissions = [ "read" ]; + }; + users = { apps.enable = true; media.enable = true; @@ -32,18 +38,6 @@ in { ]; }; - "/srv/video" = { - device = "192.168.0.11:/mnt/SMALL/MEDIA/VIDEO"; - fsType = "nfs"; - options = [ - "ro" - "nfsvers=4.2" - "async" "soft" - "timeo=100" "retry=50" "actimeo=1800" "lookupcache=all" - "nosuid" "tcp" - ]; - }; - "/srv/homevideo" = { device = "192.168.0.11:/mnt/BIG/MEDIA/HOMEVIDEO/ARCHIVE"; fsType = "nfs"; @@ -101,7 +95,7 @@ in { virtualisation.oci-containers.containers = { jellyfin = { hostname = "jellyfin"; - image = "jellyfin/jellyfin:10.10.0"; + image = "jellyfin/jellyfin:10.10.7"; user = "${toString UID}:${toString GID}"; autoStart = true; ports = [ @@ -117,7 +111,7 @@ in { "cache:/cache" "/srv/audio:/media/audio" - "/srv/video:/media/video" + "${media.video.hostPath}:/media/video" "/srv/homevideo:/media/homevideo" "/srv/photo:/media/photo" ]; @@ -144,7 +138,7 @@ in { feishinPort = "9180"; in { hostname = "feishin"; - image = "ghcr.io/jeffvli/feishin:0.7.1"; + image = "ghcr.io/jeffvli/feishin:0.19.0"; autoStart = true; ports = [ "${feishinPort}:9180/tcp" # Web player (HTTP) diff --git a/modules/default.nix b/modules/default.nix index 5d901bc..1a000c3 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -1,6 +1,7 @@ { imports = [ ./apps + ./fileSystems ./services ./virtualisation diff --git a/modules/services/actions/default.nix b/modules/services/actions/default.nix index 338b963..ea6b025 100644 --- a/modules/services/actions/default.nix +++ b/modules/services/actions/default.nix @@ -44,6 +44,6 @@ in { ]; }; }; - }; } + From 12015f8589f83882fca484c70814925c02f888b3 Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Sat, 4 Oct 2025 19:59:03 +0200 Subject: [PATCH 04/19] feat(sops): Setup sops --- .sops.yaml | 8 ++++++++ flake.nix | 10 ++++++++-- secrets/secrets.yaml | 19 +++++++++++++++++++ users/admin/default.nix | 13 ++++++++++--- 4 files changed, 45 insertions(+), 5 deletions(-) create mode 100644 .sops.yaml create mode 100644 secrets/secrets.yaml diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..8d0d445 --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,8 @@ +keys: + - &tdpeuter_Tibo-NixTop age1qzutny0mqpcccqw6myyfntu6wcskruu9ghzvt6r4te7afkqwnguq05ex37 + +creation_rules: + - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - age: + - *tdpeuter_Tibo-NixTop diff --git a/flake.nix b/flake.nix index 7701f3a..446f4ce 100644 --- a/flake.nix +++ b/flake.nix @@ -5,6 +5,10 @@ nixpkgs.url = "nixpkgs/nixos-unstable"; flake-utils.url = "github:numtide/flake-utils"; + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; utils = { url = "github:gytis-ivaskevicius/flake-utils-plus"; inputs.flake-utils.follows = "flake-utils"; @@ -13,11 +17,11 @@ outputs = inputs@{ self, nixpkgs, - flake-utils, utils, + flake-utils, sops-nix, utils, ... }: let - system = "x86_64-linux"; + system = utils.lib.system.x86_64-linux; in utils.lib.mkFlake { inherit self inputs; @@ -28,6 +32,8 @@ modules = [ ./modules ./users + + sops-nix.nixosModules.sops ]; }; diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml new file mode 100644 index 0000000..e17dab1 --- /dev/null +++ b/secrets/secrets.yaml @@ -0,0 +1,19 @@ +users: + admin: + authorized_keys: + NixOS: ENC[AES256_GCM,data:sj2hkUkWp628KuXp+AnncLdawHpxb9fH1ZHnIisP0x9Tght9+/X2sWHpuMSeqi2i/R8B+Wgte66QkuwAOB0j+oB9N+66EhehmWZlK5hD/22p,iv:z18U+LvAQgPDfBBewE3lJmWZd0NGCPwJIe/h3tupuZc=,tag:ZJar3spO66JbDXygdTHh2w==,type:str] +sops: + age: + - recipient: age1qzutny0mqpcccqw6myyfntu6wcskruu9ghzvt6r4te7afkqwnguq05ex37 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjUSt2REk2Mmd0bk9ubjJk + dXFiY2JNR1dyZW9qTUdzaWZhY3c3amVwQzA0CkZHNVpZVjhsWXhVQVNaR0xONzhh + Y0lQaWNaNmpYYVdrRnZIZUhvUFUzcWMKLS0tIDAvSmF0VmpxcnZEQStXUjNCUE5Z + RnA2Lzk2WHFxOEh6dHN0aGhVSVpLTW8KA7IOvGDMBtgo4pe0Sw3Lol243xCDAJ4i + PhcJFiUObVRFZN7ISlULnOlTO3pT9jWvvmC5rDZWId3PQ8qjPvnOUg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-10-04T17:33:22Z" + mac: ENC[AES256_GCM,data:I7I7uDFEWfw9+4KROtjHMVhaxYrVK5QmLfFZShSajF0A2Zxu9lg+fDGiMHk40JC5zD31P70QS/ipye1mBGQbCbLEA7uBUhNzZ7G1g58cIXF6vSGmt0fovm0MVSxEJ44r05fx6uT4OJu5BYVxYSlG84gTj9rCFXxxcBJMrh+6yaI=,iv:c1vudsp9bg0Pc2ddRyvWn6Tf0LhqNuEjxG9D4PpHqxs=,tag:K/1PSHhrTdsNPcPmRv/2Ew==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2 diff --git a/users/admin/default.nix b/users/admin/default.nix index 552909b..bc3ccc7 100644 --- a/users/admin/default.nix +++ b/users/admin/default.nix @@ -2,6 +2,8 @@ let cfg = config.homelab.users.admin; + + owner = config.users.users.admin.name; in { options.homelab.users.admin.enable = lib.mkEnableOption "user System Administrator"; @@ -10,6 +12,12 @@ in { config.users.users.admin.name ]; + sops.secrets."users/admin/authorized_keys" = { + format = "yaml"; + sopsFile = ../../secrets/secrets.yaml; + inherit owner; + }; + users.users.admin = { description = "System Administrator"; isNormalUser = true; @@ -17,9 +25,8 @@ in { config.users.groups.wheel.name # Enable 'sudo' for the user. ]; initialPassword = "ChangeMe"; - openssh.authorizedKeys.keys = [ - # TODO ChangeMe - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPrG+ldRBdCeHEXrsy/qHXIJYg8xQXVuiUR0DxhFjYNg" + openssh.authorizedKeys.keyFiles = [ + /run/secrets/users/admin/authorized_keys ]; packages = with pkgs; [ curl From a37c5ae83a4beb84e46d04bac7bb0ba9bde9a12d Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Sat, 4 Oct 2025 20:21:59 +0200 Subject: [PATCH 05/19] fix(sops): Add Tibo-NixFat --- .sops.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.sops.yaml b/.sops.yaml index 8d0d445..02cc451 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,8 +1,10 @@ keys: + - &tdpeuter_Tibo-NixFatDesk age1fva6s64s884z0q2w7de024sp69ucvqu0pg9shrhhqsn3ewlpjfpsh6md7y - &tdpeuter_Tibo-NixTop age1qzutny0mqpcccqw6myyfntu6wcskruu9ghzvt6r4te7afkqwnguq05ex37 creation_rules: - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$ key_groups: - age: + - *tdpeuter_Tibo-NixFatDesk - *tdpeuter_Tibo-NixTop From 4ab3848c830a2a1254e78189909cd316011f5817 Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Sat, 4 Oct 2025 20:25:09 +0200 Subject: [PATCH 06/19] fix(Development): Replace authorized_keys --- users/admin/default.nix | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/users/admin/default.nix b/users/admin/default.nix index bc3ccc7..4038266 100644 --- a/users/admin/default.nix +++ b/users/admin/default.nix @@ -2,8 +2,6 @@ let cfg = config.homelab.users.admin; - - owner = config.users.users.admin.name; in { options.homelab.users.admin.enable = lib.mkEnableOption "user System Administrator"; @@ -12,12 +10,6 @@ in { config.users.users.admin.name ]; - sops.secrets."users/admin/authorized_keys" = { - format = "yaml"; - sopsFile = ../../secrets/secrets.yaml; - inherit owner; - }; - users.users.admin = { description = "System Administrator"; isNormalUser = true; @@ -25,8 +17,9 @@ in { config.users.groups.wheel.name # Enable 'sudo' for the user. ]; initialPassword = "ChangeMe"; - openssh.authorizedKeys.keyFiles = [ - /run/secrets/users/admin/authorized_keys + openssh.authorizedKeys.keys = [ + # HomeLab > NixOS > admin > ssh + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWIOOEqTy8cWKpENVbzD4p7bsQgQb/Dgpzk8i0dZ00T" ]; packages = with pkgs; [ curl From 81a07af1521169a7ffac5e0850a0e236d9580248 Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Sat, 4 Oct 2025 20:26:01 +0200 Subject: [PATCH 07/19] nix flake update --- flake.lock | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index 78e4127..ca6e418 100644 --- a/flake.lock +++ b/flake.lock @@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1756787288, - "narHash": "sha256-rw/PHa1cqiePdBxhF66V7R+WAP8WekQ0mCDG4CFqT8Y=", + "lastModified": 1759381078, + "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d0fc30899600b9b3466ddb260fd83deb486c32f1", + "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee", "type": "github" }, "original": { @@ -37,9 +37,30 @@ "inputs": { "flake-utils": "flake-utils", "nixpkgs": "nixpkgs", + "sops-nix": "sops-nix", "utils": "utils" } }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1759188042, + "narHash": "sha256-f9QC2KKiNReZDG2yyKAtDZh0rSK2Xp1wkPzKbHeQVRU=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "9fcfabe085281dd793589bdc770a2e577a3caa5d", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, "systems": { "locked": { "lastModified": 1681028828, From 297a6df29e56fd72e4888fad295a4683659c9e6f Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Sat, 11 Oct 2025 15:40:43 +0200 Subject: [PATCH 08/19] feat: Add gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..485dee6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.idea From b2e904306b299e96fdd316857ead0ac351c5a4c1 Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Sat, 11 Oct 2025 15:41:13 +0200 Subject: [PATCH 09/19] feat(traefik): Add external services --- hosts/Binnenpost/default.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/hosts/Binnenpost/default.nix b/hosts/Binnenpost/default.nix index d78e2da..561fbe1 100644 --- a/hosts/Binnenpost/default.nix +++ b/hosts/Binnenpost/default.nix @@ -16,6 +16,7 @@ apps = { speedtest.enable = true; technitiumDNS.enable = true; + traefik.enable = true; }; virtualisation.guest.enable = true; }; @@ -76,6 +77,14 @@ }; }; + virtualisation.oci-containers.containers.traefik.labels = { + "traefik.http.routers.roxanne.rule" = "Host(`roxanne.depeuter.dev`)"; + "traefik.http.services.roxanne.loadbalancer.server.url" = "https://192.168.0.13:8006"; + + "traefik.http.routers.hugo.rule" = "Host(`hugo.depeuter.dev`)"; + "traefik.http.services.hugo.loadbalancer.server.url" = "https://192.168.0.11:444"; + }; + system.stateVersion = "24.05"; }; } From 2c195bf8077c90b2330ba6d43e3de1b5048bfa92 Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Mon, 13 Oct 2025 20:35:46 +0200 Subject: [PATCH 10/19] chore(arr): Use functions --- modules/apps/arr/default.nix | 178 +++++++---------------------------- 1 file changed, 35 insertions(+), 143 deletions(-) diff --git a/modules/apps/arr/default.nix b/modules/apps/arr/default.nix index e2c0df5..7b530c3 100644 --- a/modules/apps/arr/default.nix +++ b/modules/apps/arr/default.nix @@ -12,7 +12,16 @@ let PGID = toString config.users.groups.media.gid; UMASK = "002"; in { - options.homelab.apps.arr = { + options.homelab.apps.arr = let + mkAppOption = appName: { + enable = lib.mkEnableOption "${appName} using Docker"; + exposePorts = lib.mkOption { + type = lib.types.bool; + description = "Expose ${appName} port"; + default = cfg.exposePorts; + }; + }; + in { enable = lib.mkEnableOption "Arr Stack using Docker"; exposePorts = lib.mkOption { type = lib.types.bool; @@ -21,46 +30,11 @@ in { default = ! config.homelab.apps.traefik.enable; }; - bazarr = { - enable = lib.mkEnableOption "Bazarr using Docker"; - exposePorts = lib.mkOption { - type = lib.types.bool; - description = "Expose Bazarr port"; - default = cfg.exposePorts; - }; - }; - prowlarr = { - enable = lib.mkEnableOption "Prowlarr using Docker"; - exposePorts = lib.mkOption { - type = lib.types.bool; - description = "Expose Prowlarr port"; - default = cfg.exposePorts; - }; - }; - qbittorrent = { - enable = lib.mkEnableOption "qBittorrent using Docker"; - exposePorts = lib.mkOption { - type = lib.types.bool; - description = "Expose qBittorrent port"; - default = cfg.exposePorts; - }; - }; - radarr = { - enable = lib.mkEnableOption "Radarr using Docker"; - exposePorts = lib.mkOption { - type = lib.types.bool; - description = "Expose Radarr port"; - default = cfg.exposePorts; - }; - }; - sonarr = { - enable = lib.mkEnableOption "Sonarr using Docker"; - exposePorts = lib.mkOption { - type = lib.types.bool; - description = "Expose Sonarr port"; - default = cfg.exposePorts; - }; - }; + bazarr = mkAppOption "Bazarr"; + prowlarr = mkAppOption "Prowlarr"; + qbittorrent = mkAppOption "qBittorrent"; + radarr = mkAppOption "Radarr"; + sonarr = mkAppOption "Sonarr"; }; config = { @@ -87,9 +61,9 @@ in { virtualisation.containers.enable = lib.mkIf inUse true; }; - fileSystems = lib.mkIf inUse { - "/srv/bazarr-backup" = lib.mkIf cfg.bazarr.enable { - device = "192.168.0.11:/mnt/BIG/BACKUP/BAZARR"; + fileSystems = let + mkFileSystem = device: { + inherit device; fsType = "nfs"; options = [ "rw" @@ -102,75 +76,14 @@ in { ]; }; - "/srv/prowlarr-backup" = lib.mkIf cfg.prowlarr.enable { - device = "192.168.0.11:/mnt/BIG/BACKUP/PROWLARR"; - fsType = "nfs"; - options = [ - "rw" - "auto" - "nfsvers=4.2" - "rsize=1048576" "wsize=1048576" - "hard" - "timeo=600" "retrans=2" - "_netdev" "nosuid" "tcp" - ]; - }; - - "/srv/qbittorrent" = lib.mkIf cfg.qbittorrent.enable { - device = "192.168.0.11:/mnt/SMALL/CONFIG/QBITTORRENT"; - fsType = "nfs"; - options = [ - "rw" - "auto" - "nfsvers=4.2" - "rsize=1048576" "wsize=1048576" - "hard" - "timeo=600" "retrans=2" - "_netdev" "nosuid" "tcp" - ]; - }; - - "/srv/radarr-backup" = lib.mkIf cfg.radarr.enable { - device = "192.168.0.11:/mnt/BIG/BACKUP/RADARR"; - fsType = "nfs"; - options = [ - "rw" - "auto" - "nfsvers=4.2" - "rsize=1048576" "wsize=1048576" - "hard" - "timeo=600" "retrans=2" - "_netdev" "nosuid" "tcp" - ]; - }; - - "/srv/sonarr-backup" = lib.mkIf cfg.sonarr.enable { - device = "192.168.0.11:/mnt/BIG/BACKUP/SONARR"; - fsType = "nfs"; - options = [ - "rw" - "auto" - "nfsvers=4.2" - "rsize=1048576" "wsize=1048576" - "hard" - "timeo=600" "retrans=2" - "_netdev" "nosuid" "tcp" - ]; - }; - - "/srv/torrent" = { - device = "192.168.0.11:/mnt/SMALL/MEDIA/TORRENT"; - fsType = "nfs"; - options = [ - "rw" - "auto" - "nfsvers=4.2" - "rsize=1048576" "wsize=1048576" - "hard" - "timeo=600" "retrans=2" - "_netdev" "nosuid" "tcp" - ]; - }; + hugoBackup = "192.168.0.11:/mnt/BIG/BACKUP"; + in lib.mkIf inUse { + "/srv/bazarr-backup" = lib.mkIf cfg.bazarr.enable (mkFileSystem "${hugoBackup}/BAZARR"); + "/srv/prowlarr-backup" = lib.mkIf cfg.bazarr.enable (mkFileSystem "${hugoBackup}/PROWLARR"); + "/srv/qbittorrent" = lib.mkIf cfg.qbittorrent.enable (mkFileSystem "192.168.0.11:/mnt/SMALL/CONFIG/QBITTORRENT"); + "/srv/radarr-backup" = lib.mkIf cfg.radarr.enable (mkFileSystem "${hugoBackup}/RADARR"); + "/srv/sonarr-backup" = lib.mkIf cfg.sonarr.enable (mkFileSystem "${hugoBackup}/SONARR"); + "/srv/torrent" = mkFileSystem "192.168.0.11:/mnt/SMALL/MEDIA/TORRENT"; }; # Make sure the Docker network exists. @@ -195,45 +108,24 @@ in { }; # Create a user for each app. - users.users = { - bazarr = lib.mkIf cfg.bazarr.enable { - uid = lib.mkForce 3003; + users.users = let + mkUser = uid: { + uid = lib.mkForce uid; isSystemUser = true; group = config.users.groups.media.name; home = "/var/empty"; shell = null; }; - prowlarr = lib.mkIf cfg.prowlarr.enable { - uid = lib.mkForce 3004; - isSystemUser = true; - group = config.users.groups.media.name; - home = "/var/empty"; - shell = null; - }; - qbittorrent = lib.mkIf cfg.qbittorrent.enable { - uid = lib.mkForce 3005; - isSystemUser = true; - group = config.users.groups.media.name; + in { + bazarr = lib.mkIf cfg.bazarr.enable (mkUser 3003); + prowlarr = lib.mkIf cfg.prowlarr.enable (mkUser 3004); + qbittorrent = lib.mkIf cfg.qbittorrent.enable (mkUser 3005) // { extraGroups = [ config.users.groups.apps.name ]; - home = "/var/empty"; - shell = null; - }; - radarr = lib.mkIf cfg.radarr.enable { - uid = lib.mkForce 3006; - isSystemUser = true; - group = config.users.groups.media.name; - home = "/var/empty"; - shell = null; - }; - sonarr = lib.mkIf cfg.sonarr.enable { - uid = lib.mkForce 3007; - isSystemUser = true; - group = config.users.groups.media.name; - home = "/var/empty"; - shell = null; }; + radarr = lib.mkIf cfg.radarr.enable (mkUser 3006); + sonarr = lib.mkIf cfg.sonarr.enable (mkUser 3007); }; virtualisation.oci-containers.containers = let From 652a9da0778b163f401ecc501087d6da45f1ad39 Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Sat, 18 Oct 2025 17:09:08 +0200 Subject: [PATCH 11/19] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/7df7ff7d8e00218376575f0acdcc5d66741351ee?narHash=sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs%3D' (2025-10-02) → 'github:NixOS/nixpkgs/544961dfcce86422ba200ed9a0b00dd4b1486ec5?narHash=sha256-EVAqOteLBFmd7pKkb0%2BFIUyzTF61VKi7YmvP1tw4nEw%3D' (2025-10-15) • Updated input 'sops-nix': 'github:Mic92/sops-nix/9fcfabe085281dd793589bdc770a2e577a3caa5d?narHash=sha256-f9QC2KKiNReZDG2yyKAtDZh0rSK2Xp1wkPzKbHeQVRU%3D' (2025-09-29) → 'github:Mic92/sops-nix/ab8d56e85b8be14cff9d93735951e30c3e86a437?narHash=sha256-8mN3kqyqa2PKY0wwZ2UmMEYMcxvNTwLaOrrDsw6Qi4E%3D' (2025-10-13) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index ca6e418..67df8c4 100644 --- a/flake.lock +++ b/flake.lock @@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1759381078, - "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=", + "lastModified": 1760524057, + "narHash": "sha256-EVAqOteLBFmd7pKkb0+FIUyzTF61VKi7YmvP1tw4nEw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee", + "rev": "544961dfcce86422ba200ed9a0b00dd4b1486ec5", "type": "github" }, "original": { @@ -48,11 +48,11 @@ ] }, "locked": { - "lastModified": 1759188042, - "narHash": "sha256-f9QC2KKiNReZDG2yyKAtDZh0rSK2Xp1wkPzKbHeQVRU=", + "lastModified": 1760393368, + "narHash": "sha256-8mN3kqyqa2PKY0wwZ2UmMEYMcxvNTwLaOrrDsw6Qi4E=", "owner": "Mic92", "repo": "sops-nix", - "rev": "9fcfabe085281dd793589bdc770a2e577a3caa5d", + "rev": "ab8d56e85b8be14cff9d93735951e30c3e86a437", "type": "github" }, "original": { From 6deb36d92061cbb5c359a9c2c6c84a07f69882d3 Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Sat, 18 Oct 2025 18:59:17 +0200 Subject: [PATCH 12/19] chore(ssh): Update keys --- hosts/Gitea/default.nix | 7 +++++++ hosts/Vaultwarden/default.nix | 7 +++++++ users/admin/default.nix | 20 +++++++++++++------- users/backup/default.nix | 7 +------ 4 files changed, 28 insertions(+), 13 deletions(-) diff --git a/hosts/Gitea/default.nix b/hosts/Gitea/default.nix index 5b2492f..c6c9b43 100644 --- a/hosts/Gitea/default.nix +++ b/hosts/Gitea/default.nix @@ -5,6 +5,13 @@ homelab = { apps.gitea.enable = true; virtualisation.guest.enable = true; + + users.admin = { + enable = true; + authorizedKeys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFrp6aM62Bf7bj1YM5AlAWuNrANU3N5e8+LtbbpmZPKS" + ]; + }; }; networking = { diff --git a/hosts/Vaultwarden/default.nix b/hosts/Vaultwarden/default.nix index d8115bc..5ded575 100644 --- a/hosts/Vaultwarden/default.nix +++ b/hosts/Vaultwarden/default.nix @@ -9,6 +9,13 @@ name = "Hugo's Vault"; }; virtualisation.guest.enable = true; + + users.admin = { + enable = true; + authorizedKeys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJnihoyozOCnm6T9OzL2xoMeMZckBYR2w43us68ABA93" + ]; + }; }; networking = { diff --git a/users/admin/default.nix b/users/admin/default.nix index 4038266..dc01c81 100644 --- a/users/admin/default.nix +++ b/users/admin/default.nix @@ -3,24 +3,30 @@ let cfg = config.homelab.users.admin; in { - options.homelab.users.admin.enable = lib.mkEnableOption "user System Administrator"; + options.homelab.users.admin = { + enable = lib.mkEnableOption "user System Administrator"; + authorizedKeys = lib.mkOption { + type = lib.types.listOf lib.types.str; + default = [ + # HomeLab > NixOS > admin > ssh + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWIOOEqTy8cWKpENVbzD4p7bsQgQb/Dgpzk8i0dZ00T" + ]; + }; + }; config = lib.mkIf cfg.enable { nix.settings.trusted-users = [ - config.users.users.admin.name + config.users.users.gh0st.name ]; - users.users.admin = { + users.users.gh0st = { description = "System Administrator"; isNormalUser = true; extraGroups = [ config.users.groups.wheel.name # Enable 'sudo' for the user. ]; initialPassword = "ChangeMe"; - openssh.authorizedKeys.keys = [ - # HomeLab > NixOS > admin > ssh - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWIOOEqTy8cWKpENVbzD4p7bsQgQb/Dgpzk8i0dZ00T" - ]; + openssh.authorizedKeys.keys = cfg.authorizedKeys; packages = with pkgs; [ curl git diff --git a/users/backup/default.nix b/users/backup/default.nix index 8181d02..acae033 100644 --- a/users/backup/default.nix +++ b/users/backup/default.nix @@ -13,13 +13,8 @@ in { "docker" # Allow access to the docker socket. ]; openssh.authorizedKeys.keys = [ - # TODO ChangeMe - - # Tibo-NixFat - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPrG+ldRBdCeHEXrsy/qHXIJYg8xQXVuiUR0DxhFjYNg" - # Hugo - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDAxR813vqq5zbu1NHrIybu5Imlu3k0rDCGxHiuGEhPoVV9c5FpnKNGLCi3ctm15ZcVBX4HcponYsKRBsCzM2pI4uXjxhHkLzbss5LttFuSzv5v/QHfLW1bvyJEMBEPxguGqAydAeWrBFdI9uHBEXeb325uKxMKBZHYvvpyAQ115c1wKy1bL8BfR0LTkhsFqexRvI86q59AVrAU/KFf6RXO0T9QA6H/vyWLlIPc7Ta+tSWwQ68bMmS5Pwn8q58tOAOAd6Lpt4TqUDJSppPjLEPKyKC6ShwMdEjwmwpEG0hxfsvaU8XERyQbSbEE9sLHRA2LoEdtMx3J8nzX3AwYUNspsqIv6NQZksnVqJ8OfL45ngUFcSJ6kBsUvCZfzEUGUTJ6Js0v84NOIXxNG/ZfPsk6ArXm3dvj2TYeK8llO6wpJnMMyztmmiODWoj9tepZSij44IgVM5wdWYIK/RZoYTsCQbmvJFfB8jhyJnf/7F19Vo5+LwhmCOsQh/KEK0F1DVc= admin@Hugo" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICms6vjhE9kOlqV5GBPGInwUHAfCSVHLI2Gtzee0VXPh" ]; }; }; From ca7875dee906334815393f10920a3d7ab8780108 Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Wed, 4 Feb 2026 09:25:45 +0100 Subject: [PATCH 13/19] feat: Move URLs to vars --- hosts/Ingress/default.nix | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/hosts/Ingress/default.nix b/hosts/Ingress/default.nix index 68cdcfe..9268714 100644 --- a/hosts/Ingress/default.nix +++ b/hosts/Ingress/default.nix @@ -80,7 +80,7 @@ prefixLength = 24; # Only allow PFS-enabled ciphers with AES256 sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; - upstreams.docservice.servers."192.168.0.14:8080" = {}; + upstreams.docservice.servers."${nextcloud.host}:${toString nextcloud.officePort}" = {}; appendHttpConfig = '' map $http_x_forwarded_proto $the_scheme { @@ -107,19 +107,24 @@ prefixLength = 24; default = true; }; - "cloud.depeuter.dev" = { + "cloud.depeuter.dev" = let + nextcloud = { + host = "192.168.0.14"; + officePort = 8080; + }; + in { enableACME = true; forceSSL = true; locations = { "/" = { - proxyPass = "http://192.168.0.14"; + proxyPass = "http://${nextcloud.host}"; extraConfig = '' add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; fastcgi_request_buffering off; ''; }; "/office/" = { - proxyPass = "http://192.168.0.14:8080/"; + proxyPass = "http://${nextcloud.host}:${toString nextcloud.officePort}/"; priority = 500; recommendedProxySettings = false; extraConfig = '' @@ -137,12 +142,6 @@ prefixLength = 24; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; ''; }; - "calendar.depeuter.dev" = { - useACMEHost = "depeuter.dev"; - locations."/".return = "301 https://cloud.depeuter.dev/apps/calendar"; - }; - "tasks.depeuter.dev".locations."/".return = "301 https://cloud.depeuter.dev/apps/tasks"; - "notes.depeuter.dev".locations."/".return = "301 https://cloud.depeuter.dev/apps/notes"; "home.depeuter.dev" = { enableACME = true; @@ -158,12 +157,17 @@ prefixLength = 24; }; }; - "jelly.depeuter.dev" = { + "jelly.depeuter.dev" = let + jellyfin = { + host = "192.168.0.94"; + port = 8096; + }; + in { enableACME = true; forceSSL = true; locations = { "/" = { - proxyPass = "http://192.168.0.94:8096"; + proxyPass = "http://${jellyfin.host}:${jellyfin.port}"; extraConfig = '' # Proxy main Jellyfin traffic proxy_set_header Host $host; @@ -178,7 +182,7 @@ prefixLength = 24; ''; }; "/socket" = { - proxyPass = "http://192.168.0.91:8096"; + proxyPass = "http://${jellyfin.host}:${jellyfin.port}"; extraConfig = '' # Proxy Jellyfin Websockets traffic proxy_http_version 1.1; From d38c53762a90e1e7993586661c2a338e0b8ca1e6 Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Wed, 4 Feb 2026 20:23:56 +0100 Subject: [PATCH 14/19] chore: Change Nextcloud IP --- hosts/Ingress/default.nix | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/hosts/Ingress/default.nix b/hosts/Ingress/default.nix index 9268714..c0a3ac9 100644 --- a/hosts/Ingress/default.nix +++ b/hosts/Ingress/default.nix @@ -68,7 +68,12 @@ prefixLength = 24; # List services that you want to enable. services = { # Enable Nginx as a reverse proxy - nginx = { + nginx = let + nextcloud = { + host = "192.168.0.23"; + officePort = 8080; + }; + in { enable = true; # Use recommended settings @@ -107,12 +112,7 @@ prefixLength = 24; default = true; }; - "cloud.depeuter.dev" = let - nextcloud = { - host = "192.168.0.14"; - officePort = 8080; - }; - in { + "cloud.depeuter.dev" = { enableACME = true; forceSSL = true; locations = { @@ -167,7 +167,7 @@ prefixLength = 24; forceSSL = true; locations = { "/" = { - proxyPass = "http://${jellyfin.host}:${jellyfin.port}"; + proxyPass = "http://${jellyfin.host}:${toString jellyfin.port}"; extraConfig = '' # Proxy main Jellyfin traffic proxy_set_header Host $host; @@ -182,7 +182,7 @@ prefixLength = 24; ''; }; "/socket" = { - proxyPass = "http://${jellyfin.host}:${jellyfin.port}"; + proxyPass = "http://${jellyfin.host}:${toString jellyfin.port}"; extraConfig = '' # Proxy Jellyfin Websockets traffic proxy_http_version 1.1; @@ -244,7 +244,7 @@ prefixLength = 24; locations = { "/" = { proxyPass = "http://192.168.0.22:10102"; - proxyWebSockets = true; + proxyWebsockets = true; }; "~ ^/admin".return = 403; }; From 5582384f01de990f4476d77c954787f04b0171c1 Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Fri, 6 Feb 2026 09:20:43 +0100 Subject: [PATCH 15/19] feat: Add homepage module --- hosts/Development/default.nix | 4 ++ modules/apps/default.nix | 1 + modules/apps/homepage/default.nix | 79 +++++++++++++++++++++++++++++++ 3 files changed, 84 insertions(+) create mode 100644 modules/apps/homepage/default.nix diff --git a/hosts/Development/default.nix b/hosts/Development/default.nix index b2237b7..fda8e57 100644 --- a/hosts/Development/default.nix +++ b/hosts/Development/default.nix @@ -5,6 +5,10 @@ homelab = { apps = { bind9.enable = true; + homepage = { + enable = true; + exposePort = true; + }; traefik.enable = true; plex.enable = true; }; diff --git a/modules/apps/default.nix b/modules/apps/default.nix index 7c8b8f8..f62dca7 100644 --- a/modules/apps/default.nix +++ b/modules/apps/default.nix @@ -6,6 +6,7 @@ ./changedetection ./freshrss ./gitea + ./homepage ./jellyfin ./plex ./speedtest diff --git a/modules/apps/homepage/default.nix b/modules/apps/homepage/default.nix new file mode 100644 index 0000000..b34f32f --- /dev/null +++ b/modules/apps/homepage/default.nix @@ -0,0 +1,79 @@ +{ config, lib, ... }: + +let + cfg = config.homelab.apps.homepage; + + PUID = toString config.users.users.homepage.uid; + PGID = toString config.users.groups.apps.gid; + + homepage-config = "/srv/homepage-config"; + + proxyNet = config.homelab.apps.traefik.sharedNetworkName; +in { + options.homelab.apps.homepage = { + enable = lib.mkEnableOption "homepage"; + port = lib.mkOption { + type = lib.types.int; + default = 3000; + description = "homepage WebUI port"; + }; + exposePort = lib.mkEnableOption "expose homepage port"; + }; + + config = lib.mkIf cfg.enable { + homelab = { + users.apps.enable = true; + virtualisation.containers.enable = true; + }; + + users.users.homepage = { + uid = lib.mkForce 3018; + isSystemUser = true; + group = config.users.groups.apps.name; + home = "/var/empty"; + shell = null; + }; + + fileSystems."${homepage-config}" = { + device = "192.168.0.11:/mnt/SMALL/CONFIG/HOMEPAGE"; + fsType = "nfs"; + options = [ + "rw" + "auto" + "nfsvers=4.2" + "async" "soft" "timeo=100" "retry=50" "actimeo=1800" "lookupcache=all" + "nosuid" "tcp" + ]; + }; + + virtualisation.oci-containers.containers.homepage = let + host = "homepage.${config.networking.domain}"; + in { + hostname = "homepage"; + image = "ghcr.io/gethomepage/homepage:v1.10.1"; + autoStart = true; + user = "${toString PUID}:${toString PGID}"; + ports = lib.mkIf cfg.exposePort [ + "${toString cfg.port}:3000/tcp" + ]; + networks = [ + proxyNet + ]; + volumes = [ + "${homepage-config}:/app/config" + # "/var/run/docker.sock:/var/run/docker.sock:ro" # For docker integrations + ]; + labels = { + "traefik.enable" = "true"; + "traefik.docker.network" = proxyNet; + "traefik.http.routers.homepage.rule" = "Host(`${host}`)"; + "traefik.http.services.homepage.loadbalancer.server.port" = toString cfg.port; + }; + environment = { + inherit PUID PGID; + + HOMEPAGE_ALLOWED_HOSTS = "${host},192.168.0.91:3000"; + }; + }; + }; +} From c04bce06b66b588ad2d3a67c3e1f64f63c963263 Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Fri, 6 Feb 2026 14:15:19 +0100 Subject: [PATCH 16/19] feat: Test Action Including commits: * chore: Disable test workflow * Determine hosts * Build each host * Add NixOS to build step as well * More specific hostnames * fix json elements * try different way * Debug matrix * run on push * use var directly * fix mappings * fix mappings * add toolcache * Change names and ordere * Debugging * Debugging extra step * Debugging needs outputs * Debugging needs outputs hosts * Preserve quotes * printf escaped * Using EOF * test * escape? * without json parse * hardcoding * change build command * Testing --- .github/workflows/build.yml | 43 +++++++++++++++++++++++++++++++++++++ .github/workflows/test.yml | 17 +++++++++++++++ .gitignore | 1 + 3 files changed, 61 insertions(+) create mode 100644 .github/workflows/build.yml create mode 100644 .github/workflows/test.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 0000000..74d6457 --- /dev/null +++ b/.github/workflows/build.yml @@ -0,0 +1,43 @@ +name: "Build" +on: + pull_request: + push: + +jobs: + determine-hosts: + name: "Determining hosts to build" + runs-on: ubuntu-latest + container: catthehacker/ubuntu:act-24.04 + outputs: + hosts: ${{ steps.hosts.outputs.hostnames }} + steps: + - uses: actions/checkout@v5 + - uses: https://github.com/cachix/install-nix-action@v31 + with: + nix_path: nixpkgs=channel:nixos-unstable + - name: "Determine hosts" + id: hosts + run: | + hostnames="$(nix eval .#nixosConfigurations --apply builtins.attrNames --json)" + printf "hostnames=%s\n" "${hostnames}" >> "${GITHUB_OUTPUT}" + + build: + runs-on: ubuntu-latest + container: catthehacker/ubuntu:act-24.04 + needs: determine-hosts + strategy: + matrix: + hostname: [ + Development, + Testing + ] + + steps: + - uses: actions/checkout@v5 + - uses: https://github.com/cachix/install-nix-action@v31 + with: + nix_path: nixpkgs=channel:nixos-unstable + - name: "Build host" + run: | + nix build ".#nixosConfigurations.${{ matrix.hostname }}.config.system.build.toplevel" --verbose + diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml new file mode 100644 index 0000000..8cb0f4b --- /dev/null +++ b/.github/workflows/test.yml @@ -0,0 +1,17 @@ +name: "Test" +on: + pull_request: + push: +jobs: + tests: + if: false + runs-on: ubuntu-latest + container: + image: catthehacker/ubuntu:act-latest + steps: + - uses: actions/checkout@v5 + - uses: https://github.com/cachix/install-nix-action@v31 + with: + nix_path: nixpkgs=channel:nixos-unstable + - name: "My custom step" + run: nix run nixpkgs#hello diff --git a/.gitignore b/.gitignore index 485dee6..8daf605 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ .idea +result From 47245b2b965c3eeeb4edd8f25d02405cfd425b08 Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Thu, 5 Mar 2026 20:17:50 +0100 Subject: [PATCH 17/19] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/544961dfcce86422ba200ed9a0b00dd4b1486ec5?narHash=sha256-EVAqOteLBFmd7pKkb0%2BFIUyzTF61VKi7YmvP1tw4nEw%3D' (2025-10-15) → 'github:NixOS/nixpkgs/80bdc1e5ce51f56b19791b52b2901187931f5353?narHash=sha256-QKyJ0QGWBn6r0invrMAK8dmJoBYWoOWy7lN%2BUHzW1jc%3D' (2026-03-04) • Updated input 'sops-nix': 'github:Mic92/sops-nix/ab8d56e85b8be14cff9d93735951e30c3e86a437?narHash=sha256-8mN3kqyqa2PKY0wwZ2UmMEYMcxvNTwLaOrrDsw6Qi4E%3D' (2025-10-13) → 'github:Mic92/sops-nix/1d9b98a29a45abe9c4d3174bd36de9f28755e3ff?narHash=sha256-hmIvE/slLKEFKNEJz27IZ8BKlAaZDcjIHmkZ7GCEjfw%3D' (2026-03-02) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 67df8c4..da5c167 100644 --- a/flake.lock +++ b/flake.lock @@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1760524057, - "narHash": "sha256-EVAqOteLBFmd7pKkb0+FIUyzTF61VKi7YmvP1tw4nEw=", + "lastModified": 1772624091, + "narHash": "sha256-QKyJ0QGWBn6r0invrMAK8dmJoBYWoOWy7lN+UHzW1jc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "544961dfcce86422ba200ed9a0b00dd4b1486ec5", + "rev": "80bdc1e5ce51f56b19791b52b2901187931f5353", "type": "github" }, "original": { @@ -48,11 +48,11 @@ ] }, "locked": { - "lastModified": 1760393368, - "narHash": "sha256-8mN3kqyqa2PKY0wwZ2UmMEYMcxvNTwLaOrrDsw6Qi4E=", + "lastModified": 1772495394, + "narHash": "sha256-hmIvE/slLKEFKNEJz27IZ8BKlAaZDcjIHmkZ7GCEjfw=", "owner": "Mic92", "repo": "sops-nix", - "rev": "ab8d56e85b8be14cff9d93735951e30c3e86a437", + "rev": "1d9b98a29a45abe9c4d3174bd36de9f28755e3ff", "type": "github" }, "original": { From 5a031b48ed6931460084244f1a395397ecafbcb9 Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Thu, 5 Mar 2026 20:26:33 +0100 Subject: [PATCH 18/19] fix(vaultwarden): Update image - fix webui not loading --- modules/apps/vaultwarden/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/apps/vaultwarden/default.nix b/modules/apps/vaultwarden/default.nix index 4510299..907dda4 100644 --- a/modules/apps/vaultwarden/default.nix +++ b/modules/apps/vaultwarden/default.nix @@ -13,12 +13,12 @@ in { description = "Vaultwarden WebUI port"; }; domain = lib.mkOption { - type = lib.types.string; + type = lib.types.str; example = "https://vault.depeuter.dev"; description = "Domain to configure Vaultwarden on"; }; name = lib.mkOption { - type = lib.types.string; + type = lib.types.str; example = "Hugo's Vault"; description = "Service name to use for invitations and mail"; }; @@ -77,7 +77,7 @@ in { dataDir = "/data"; in { hostname = "vaultwarden"; - image = "vaultwarden/server:1.34.3-alpine"; + image = "vaultwarden/server:1.35.4-alpine"; autoStart = true; ports = [ "${toString cfg.port}:80/tcp" From 3648b4d5359e67ca5689ec70f7d1e978f1926945 Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Tue, 17 Mar 2026 21:44:54 +0100 Subject: [PATCH 19/19] meta: add AI agent rules and skills Create a modular, context-aware style guide for AI code assistants. - Add nixos-architecture skill for .nix file generation and networking patterns - Add dns-management rule to enforce Bind9 SOA serial increments - Add cicd-networking rule for direct-IP runner authentication - Add git-workflow rule to enforce conventional and atomic commits --- .agent/rules/ci-cd-networking-constraints.md | 13 ++++++ .agent/rules/dns-management.md | 14 ++++++ .agent/rules/git-workflow.md | 21 +++++++++ .agent/skills/nixos-architecture/SKILL.md | 47 ++++++++++++++++++++ 4 files changed, 95 insertions(+) create mode 100644 .agent/rules/ci-cd-networking-constraints.md create mode 100644 .agent/rules/dns-management.md create mode 100644 .agent/rules/git-workflow.md create mode 100644 .agent/skills/nixos-architecture/SKILL.md diff --git a/.agent/rules/ci-cd-networking-constraints.md b/.agent/rules/ci-cd-networking-constraints.md new file mode 100644 index 0000000..89c1866 --- /dev/null +++ b/.agent/rules/ci-cd-networking-constraints.md @@ -0,0 +1,13 @@ +--- +name: cicd-networking +description: Networking constraints for CI/CD workflow files (Gitea/GitHub Actions). +globs: [".github/workflows/.yml", ".github/workflows/.yaml", ".gitea/workflows/.yml", ".gitea/workflows/.yaml"] +--- + +# Bos55 CI/CD Networking Constraints + +When generating or modifying CI/CD workflows, strictly follow these networking practices: + +1. **IP-Based Login for Reliability** + - When CI runners (like Gitea Actions) need to interact with internal services for authentication or deployment, always use direct IP addresses (e.g., `192.168.0.25`) for machine-to-machine login steps. + - **Why?** This bypasses potential DNS resolution issues or delays within the isolated runner environment, ensuring maximum robustness during automated CI/CD runs. diff --git a/.agent/rules/dns-management.md b/.agent/rules/dns-management.md new file mode 100644 index 0000000..e8e6a7b --- /dev/null +++ b/.agent/rules/dns-management.md @@ -0,0 +1,14 @@ +--- +name: dns-management +description: Hard constraints for modifying Bind9 DNS zone files. +globs: ["db.", ".zone"] +--- + +# Bos55 DNS Management Constraints + +When modifying or generating Bind9 zone files, you MUST strictly adhere to the following rules: + +1. **Serial Increment (CRITICAL)** + - Every single time you modify a Bind9 zone file (e.g., `db.depeuter.dev`), you MUST increment the Serial number in the SOA record. Failure to do so will cause DNS propagation to fail. +2. **Domain Name Specificity** + - Prefer a single, well-defined explicit domain (e.g., `nix-cache.depeuter.dev`) instead of creating multiple aliases or using magic values. Keep records clean and explicit. diff --git a/.agent/rules/git-workflow.md b/.agent/rules/git-workflow.md new file mode 100644 index 0000000..6d41ee2 --- /dev/null +++ b/.agent/rules/git-workflow.md @@ -0,0 +1,21 @@ +--- +name: git-workflow +description: Rules for generating Git commit messages and managing branch workflows. +globs: ["COMMIT_EDITMSG", ".git/*"] +--- + +# Git Workflow Constraints + +When generating commit messages, reviewing code for a commit, or planning a branch workflow, strictly follow these standards: + +1. **Commit Formatting** + - **Conventional Commits**: You MUST format all commit messages using conventional prefixes: `feat:`, `fix:`, `docs:`, `refactor:`, `ci:`, `meta:`. + - **Clarity**: Ensure the message clearly explains *what* changed and *why*. +2. **Atomic Commits** + - Group changes by a single logical concern. + - NEVER mix documentation updates, core infrastructure code, and style guide changes in the same commit. + - Ensure that the generated commit is easily revertible without breaking unrelated features. +3. **Branching Workflow** + - Always assume changes will be pushed to a feature branch to create a Pull Request. + - Do not suggest or generate commands that push directly to the main branch. + diff --git a/.agent/skills/nixos-architecture/SKILL.md b/.agent/skills/nixos-architecture/SKILL.md new file mode 100644 index 0000000..2eb63bf --- /dev/null +++ b/.agent/skills/nixos-architecture/SKILL.md @@ -0,0 +1,47 @@ +--- +name: bos55-nix-architecture +description: Implementation patterns for NixOS configurations, networking, and service modules. +globs: [".nix", "hosts/**/", "modules//*", "secrets//*"] +--- + +# NixOS Architecture Skill + +When generating or modifying NixOS configuration files for the Bos55 project, strictly adhere to the following architectural patterns: + +## 1. Minimal Hardcoding & Dynamic Discovery + +- **Local IP Ownership**: Define IPv4/IPv6 addresses **only** within their respective host configuration files (e.g., `hosts//default.nix`). Do not use global IP mapping modules. +- **Inter-Host Discovery**: Resolve a host's IP or port by evaluating its configuration at build time. Never hardcode another host's IP. + **Pattern Example**: + ``` + let + bcConfig = inputs.self.nixosConfigurations.BinaryCache.config; + bcIp = (pkgs.lib.head bcConfig.networking.interfaces.ens18.ipv4.addresses).address; + in "http://${bcIp}:8080" + ``` +- **Unified Variables**: Use local variables (e.g., `let dbName = "attic"; in ...`) for shared values between host services and containers to ensure consistency. + +## 2. Modular Service Encapsulation + +- **Self-Contained Modules**: Service modules (`modules/services//default.nix`) must manage their own configurations. Prefer `lib.mkOption` over hardcoded strings for domains, ports, and credentials. +- **Firewall Responsibility**: Open ports (e.g., TCP 8080, SSH 22) directly within the service module based on its own options. Do not open service ports manually in host files. +- **Remote Builders**: Define `nix.settings.trusted-users`, `builder` user, and SSH rules directly within the service module if it supports remote building (e.g., Attic). + +## 3. Networking & Connectivity + +- **Container-to-Host**: Host services must connect to companion containers using the container name, not the bridge IP or `localhost`. +- **Host Resolution**: Map the container name to `127.0.0.1` using `networking.extraHosts` in the host service module to route traffic seamlessly. +- **Domain Deferral**: Client modules must defer their default domain settings to the server module's defined domain option. + +## 4. Secrets Management + +- **Sops-Nix Exclusivity**: Manage all secrets via `sops-nix`. +- **Centralized Config**: Rely on `modules/common/default.nix` for fleet-wide settings like `defaultSopsFile` and `age.keyFile`. +- **References**: Always reference credentials dynamically using `config.sops.secrets."path/to/secret".path`. + +## 5. Security & Documentation + +- **Supply Chain Protection**: Always verify and lock Nix flake inputs. Use fixed-output derivations for external resource downloads. +- **Assumptions Documentation**: Clearly document environment assumptions (e.g., Proxmox virtualization, Tailscale networking, and specific IP ranges) in host or service READMEs. +- **Project Structure**: Maintain the strict separation of `hosts/`, `modules/`, `users/`, and `secrets/` to ensure clear ownership and security boundaries. +