Compare commits

..

1 commit

Author SHA1 Message Date
65976c76c7
meta(rules): Add project-specific rules and skills
Some checks failed
Build / Determining hosts to build (push) Failing after 10m11s
Build / build (Development) (push) Has been cancelled
Build / build (Testing) (push) Has been cancelled
2026-03-17 20:13:02 +01:00
17 changed files with 16 additions and 260 deletions

View file

@ -47,7 +47,6 @@
Ingress.modules = [ ./hosts/Ingress ];
Gitea.modules = [ ./hosts/Gitea ];
Vaultwarden.modules = [ ./hosts/Vaultwarden ];
BinaryCache.modules = [ ./hosts/BinaryCache ];
# Production multi-service
Binnenpost.modules = [ ./hosts/Binnenpost ];

View file

@ -1,49 +0,0 @@
{ config, pkgs, lib, system, ... }:
let
hostIp = "192.168.0.25";
in {
config = {
homelab = {
services.attic = {
enable = true;
enableRemoteBuilder = true;
openFirewall = true;
};
virtualisation.guest.enable = true;
};
networking = {
hostName = "BinaryCache";
hostId = "100002500";
domain = "depeuter.dev";
useDHCP = false;
enableIPv6 = true;
defaultGateway = {
address = "192.168.0.1";
interface = "ens18";
};
interfaces.ens18 = {
ipv4.addresses = [
{
address = hostIp;
prefixLength = 24;
}
];
};
nameservers = [
"1.1.1.1" # Cloudflare
"1.0.0.1" # Cloudflare
];
};
# Sops configuration for this host is now handled by the common module
system.stateVersion = "24.05";
};
}

View file

@ -1,4 +1,4 @@
{ config, inputs, pkgs, ... }:
{ pkgs, ... }:
{
config = {
@ -83,14 +83,6 @@
"traefik.http.routers.hugo.rule" = "Host(`hugo.depeuter.dev`)";
"traefik.http.services.hugo.loadbalancer.server.url" = "https://192.168.0.11:444";
"traefik.http.routers.attic.rule" = "Host(`${inputs.self.nixosConfigurations.BinaryCache.config.homelab.services.attic.domain}`)";
"traefik.http.services.attic.loadbalancer.server.url" =
let
bcConfig = inputs.self.nixosConfigurations.BinaryCache.config;
bcIp = (pkgs.lib.head bcConfig.networking.interfaces.ens18.ipv4.addresses).address;
bcPort = bcConfig.homelab.services.attic.port;
in "http://${bcIp}:${toString bcPort}";
};
system.stateVersion = "24.05";

View file

@ -3,7 +3,6 @@
{
config = {
homelab = {
networking.hostIp = "192.168.0.91";
apps = {
bind9.enable = true;
homepage = {
@ -14,7 +13,6 @@
plex.enable = true;
};
virtualisation.guest.enable = true;
users.deploy.enable = true;
};
networking = {
@ -38,7 +36,7 @@
interfaces.ens18 = {
ipv4.addresses = [
{
address = config.homelab.networking.hostIp;
address = "192.168.0.91";
prefixLength = 24;
}
];
@ -61,8 +59,7 @@
environment = {
# NOTE Required
# The email address used when setting up the initial administrator account to login to pgAdmin.
# TODO Hugo: Populate 'pgadmin_email' in sops.
PGADMIN_DEFAULT_EMAIL = config.sops.placeholder.pgadmin_email or "pgadmin-admin@example.com";
PGADMIN_DEFAULT_EMAIL = "kmtl.hugo+pgadmin@gmail.com";
# NOTE Required
# The password used when setting up the initial administrator account to login to pgAdmin.
PGADMIN_DEFAULT_PASSWORD = "ChangeMe";

View file

@ -165,7 +165,7 @@ providers:
# Certificates
"--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
"--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
"--certificatesresolvers.letsencrypt.acme.email=${config.sops.placeholder.acme_email or "acme-email@example.com"}"
"--certificatesresolvers.letsencrypt.acme.email=tibo.depeuter@telenet.be"
"--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
# Additional routes
@ -176,8 +176,8 @@ providers:
# "8080:8080/tcp" # The Web UI (enabled by --api.insecure=true)
];
environment = {
# TODO Hugo: Populate 'cloudflare_dns_token' in sops.
"CLOUDFLARE_DNS_API_TOKEN" = config.sops.placeholder.cloudflare_dns_token or "CLOUDFLARE_TOKEN_PLACEHOLDER";
# TODO Hide this!
"CLOUDFLARE_DNS_API_TOKEN" = "6Vz64Op_a6Ls1ljGeBxFoOVfQ-yB-svRbf6OyPv2";
};
environmentFiles = [
];

View file

@ -1,6 +1,6 @@
$TTL 604800
@ IN SOA ns1 admin (
16 ; Serial
15 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
@ -40,9 +40,6 @@ sonarr IN A 192.168.0.33
; Development VM
plex IN A 192.168.0.91
; Binary Cache (via Binnenpost proxy)
nix-cache IN A 192.168.0.89
; Catchalls
*.production IN A 192.168.0.31
*.development IN A 192.168.0.91

View file

@ -496,8 +496,7 @@ in {
#FORGEJO__mailer__CLIENT_KEY_FILE = "custom/mailer/key.pem";
# Mail from address, RFC 5322. This can be just an email address, or the
# `"Name" <email@example.com>` format.
# TODO Hugo: Populate 'gitea_mailer_from' in sops.
FORGEJO__mailer__FROM = config.sops.placeholder.gitea_mailer_from or "git@example.com";
FORGEJO__mailer__FROM = ''"${title}" <git@depeuter.dev>'';
# Sometimes it is helpful to use a different address on the envelope. Set this to use
# ENVELOPE_FROM as the from on the envelope. Set to `<>` to send an empty address.
#FORGEJO__mailer__ENVELOPE_FROM = "";

View file

@ -72,7 +72,7 @@ in {
# Certificates
"--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
"--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
"--certificatesresolvers.letsencrypt.acme.email=${config.sops.placeholder.acme_email or "acme-email@example.com"}"
"--certificatesresolvers.letsencrypt.acme.email=tibo.depeuter@telenet.be"
"--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
];
volumes = [

View file

@ -344,7 +344,6 @@ in {
# ORG_CREATION_USERS=none
## A comma-separated list means only those users can create orgs:
# ORG_CREATION_USERS=admin1@example.com,admin2@example.com
# TODO Hugo: Redact org creation users if needed.
## Invitations org admins to invite users, even when signups are disabled
# INVITATIONS_ALLOWED=true
@ -591,7 +590,7 @@ in {
## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
SMTP_HOST = "smtp.gmail.com";
SMTP_FROM = config.sops.placeholder.vaultwarden_smtp_from or "vaultwarden@example.com";
SMTP_FROM = "vault@depeuter.dev";
SMTP_FROM_NAME = cfg.name;
# SMTP_USERNAME=username
# SMTP_PASSWORD=password

View file

@ -1,14 +1,8 @@
{
imports = [
./secrets.nix
./substituters.nix
];
config = {
homelab = {
services.openssh.enable = true;
users.admin.enable = true;
common.substituters.enable = true;
};
nix.settings.experimental-features = [
@ -18,10 +12,5 @@
# Set your time zone.
time.timeZone = "Europe/Brussels";
sops = {
defaultSopsFile = ../../secrets/secrets.yaml;
age.keyFile = "/var/lib/sops-nix/key.txt";
};
};
}

View file

@ -1,18 +0,0 @@
{ config, lib, ... }:
{
sops.secrets = {
# -- User Public Keys (Anti-Fingerprinting) --
"user_keys_admin" = { neededForUsers = true; };
"user_keys_deploy" = { neededForUsers = true; };
"user_keys_backup" = { neededForUsers = true; };
# -- Infrastructure Metadata --
# Hugo TODO: Populate these in your .sops.yaml / secrets file
"acme_email" = {};
"cloudflare_dns_token" = {};
"pgadmin_email" = {};
"gitea_mailer_from" = {};
"vaultwarden_smtp_from" = {};
};
}

View file

@ -1,28 +0,0 @@
{ config, lib, pkgs, inputs, ... }:
let
cfg = config.homelab.common.substituters;
in {
options.homelab.common.substituters = {
enable = lib.mkEnableOption "Binary cache substituters";
domain = lib.mkOption {
type = lib.types.str;
default = inputs.self.nixosConfigurations.BinaryCache.config.homelab.services.attic.domain;
description = "The domain name of the binary cache.";
};
publicKey = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "The public key of the Attic cache (e.g., 'homelab:...')";
};
};
config = lib.mkIf cfg.enable {
nix.settings = {
substituters = [
"https://${cfg.domain}"
];
trusted-public-keys = lib.optional (cfg.publicKey != null) cfg.publicKey;
};
};
}

View file

@ -1,119 +0,0 @@
{ config, lib, pkgs, ... }:
let
cfg = config.homelab.services.attic;
in {
options.homelab.services.attic = {
enable = lib.mkEnableOption "Attic binary cache server";
domain = lib.mkOption {
type = lib.types.str;
default = "nix-cache.depeuter.dev";
description = "The domain name for the Attic server.";
};
port = lib.mkOption {
type = lib.types.port;
default = 8080;
description = "The port Attic server listens on.";
};
databaseName = lib.mkOption {
type = lib.types.str;
default = "attic";
description = "The name of the PostgreSQL database.";
};
dbContainerName = lib.mkOption {
type = lib.types.str;
default = "attic-db";
description = "The name of the PostgreSQL container.";
};
storagePath = lib.mkOption {
type = lib.types.str;
default = "/var/lib/atticd/storage";
description = "The path where Attic store's its blobs.";
};
openFirewall = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Whether to open the firewall port for Attic.";
};
enableRemoteBuilder = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Whether to enable remote build capabilities on this host.";
};
};
config = lib.mkIf cfg.enable {
sops.secrets = {
"attic/db-password" = { };
"attic/server-token-secret" = { };
};
services.atticd = {
enable = true;
environmentFile = config.sops.secrets."attic/server-token-secret".path;
settings = {
listen = "[::]:${toString cfg.port}";
allowed-hosts = [ cfg.domain ];
api-endpoint = "https://${cfg.domain}/";
database.url = "postgresql://${cfg.databaseName}@${cfg.dbContainerName}:5432/${cfg.databaseName}";
storage = {
type = "local";
path = cfg.storagePath;
};
chunking = {
min-size = 16384; # 16 KiB
avg-size = 65536; # 64 KiB
max-size = 262144; # 256 KiB
};
};
};
homelab.virtualisation.containers.enable = true;
virtualisation.oci-containers.containers."${cfg.dbContainerName}" = {
image = "postgres:15-alpine";
autoStart = true;
# We still map it to host for Attic (running on host) to connect to it via bridge IP or name
# if we set up networking/DNS correctly.
ports = [
"5432:5432/tcp"
];
environment = {
POSTGRES_USER = cfg.databaseName;
POSTGRES_PASSWORD_FILE = config.sops.secrets."attic/db-password".path;
POSTGRES_DB = cfg.databaseName;
};
volumes = [
"attic-db:/var/lib/postgresql/data"
];
};
# Map the container name to localhost if Attic is on the host
networking.extraHosts = ''
127.0.0.1 ${cfg.dbContainerName}
'';
networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ cfg.port ];
# Remote build host configuration
nix.settings.trusted-users = lib.mkIf cfg.enableRemoteBuilder [ "root" "@wheel" "builder" ];
users.users.builder = lib.mkIf cfg.enableRemoteBuilder {
isNormalUser = true;
group = "builder";
openssh.authorizedKeys.keys = [
# Placeholders - user should provide actual keys
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFrp6aM62Bf7bj1YM5AlAWuNrANU3N5e8+LtbbpmZPKS"
];
};
users.groups.builder = lib.mkIf cfg.enableRemoteBuilder {};
# Only open SSH if remote builder is enabled
services.openssh.ports = lib.mkIf cfg.enableRemoteBuilder [ 22 ];
networking.firewall.allowedTCPPorts = lib.mkIf cfg.enableRemoteBuilder [ 22 ];
};
}

View file

@ -1,7 +1,6 @@
{
imports = [
./actions
./attic
./openssh
];
}

View file

@ -26,9 +26,7 @@ in {
config.users.groups.wheel.name # Enable 'sudo' for the user.
];
initialPassword = "ChangeMe";
openssh.authorizedKeys.keyFiles = [
config.sops.secrets.user_keys_admin.path
];
openssh.authorizedKeys.keys = cfg.authorizedKeys;
packages = with pkgs; [
curl
git

View file

@ -12,8 +12,9 @@ in {
extraGroups = [
"docker" # Allow access to the docker socket.
];
openssh.authorizedKeys.keyFiles = [
config.sops.secrets.user_keys_backup.path
openssh.authorizedKeys.keys = [
# Hugo
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICms6vjhE9kOlqV5GBPGInwUHAfCSVHLI2Gtzee0VXPh"
];
};
};

View file

@ -15,8 +15,8 @@ in {
isSystemUser = true;
home = "/var/empty";
shell = pkgs.bashInteractive;
openssh.authorizedKeys.keyFiles = [
config.sops.secrets.user_keys_deploy.path
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPrG+ldRBdCeHEXrsy/qHXIJYg8xQXVuiUR0DxhFjYNg"
];
};
};