From 46cd9d594b5266b8710b31d4a3451158a2ac39c4 Mon Sep 17 00:00:00 2001
From: Andre
Date: Tue, 2 Jul 2024 09:29:33 -0400
Subject: [PATCH 1/3] Update flake.lock for OpenSSH fix
---
 flake.lock | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/flake.lock b/flake.lock
index 905b58b..a32831c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -28,11 +28,11 @@
 ]
 },
 "locked": {
- "lastModified": 1719733833,
- "narHash": "sha256-6h2EqZU9bL9rHlXE+2LCBgnDImejzbS+4dYsNDDFlkY=",
+ "lastModified": 1719864345,
+ "narHash": "sha256-e4Pw+30vFAxuvkSTaTypd9zYemB/QlWcH186dsGT+Ms=",
 "owner": "nix-community",
 "repo": "disko",
- "rev": "d185770ea261fb5cf81aa5ad1791b93a7834d12c",
+ "rev": "544a80a69d6e2da04e4df7ec8210a858de8c7533",
 "type": "github"
 },
 "original": {
@@ -158,11 +158,11 @@
 ]
 },
 "locked": {
- "lastModified": 1719677234,
- "narHash": "sha256-qO9WZsj/0E6zcK4Ht1y/iJ8XfwbBzq7xdqhBh44OP/M=",
+ "lastModified": 1719827439,
+ "narHash": "sha256-tneHOIv1lEavZ0vQ+rgz67LPNCgOZVByYki3OkSshFU=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "36317d4d38887f7629876b0e43c8d9593c5cc48d",
+ "rev": "59ce796b2563e19821361abbe2067c3bb4143a7d",
 "type": "github"
 },
 "original": {
@@ -268,11 +268,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1719681865,
- "narHash": "sha256-Lp+l1IsREVbz8WM35OJYZz8sAH0XOjrZWUXVB5bJ2qg=",
+ "lastModified": 1719895800,
+ "narHash": "sha256-xNbjISJTFailxass4LmdWeV4jNhAlmJPwj46a/GxE6M=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "a59f00f5ac65b19382617ba00f360f8bc07ed3ac",
+ "rev": "6e253f12b1009053eff5344be5e835f604bb64cd",
 "type": "github"
 },
 "original": {
@@ -316,11 +316,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1719506693,
- "narHash": "sha256-C8e9S7RzshSdHB7L+v9I51af1gDM5unhJ2xO1ywxNH8=",
+ "lastModified": 1719848872,
+ "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "b2852eb9365c6de48ffb0dc2c9562591f652242a",
+ "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8",
 "type": "github"
 },
 "original": {
From cf04193e5c85050a3466a7eefe66161c4436f17c Mon Sep 17 00:00:00 2001
From: Andre
Date: Tue, 2 Jul 2024 10:02:12 -0400
Subject: [PATCH 2/3] Create installer script
---
 bin/install-nixos.sh | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100755 bin/install-nixos.sh
diff --git a/bin/install-nixos.sh b/bin/install-nixos.sh
new file mode 100755
index 0000000..bfc1ded
--- /dev/null
+++ b/bin/install-nixos.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+# Script to install a brand new NixOS installation.
+# Formats the drive provided, then runs nixos-install.
+
+set -e
+
+# Configuration parameters
+ask_root_password=true # Prompt for a root user password
+flakeDir="." # Where the flake.nix file is stored
+boot_drive="/dev/disk/by-uuid/whatever" # The drive to install the bootloader to
+root_drive="/dev/disk/by-id/whatever" # The partition to install NixOS to
+
+if [ "$(id -u)" != "0" ]; then
+ echo "This script must be run as root" 1>&2
+ exit 1
+fi
+
+cryptsetup --allow-discards --label=nixos-crypt --type=luks2 luksFormat $root_drive
+cryptsetup luksOpen $root_drive nixos-crypt
+mount /dev/mapper/nixos-crypt /mnt
+mkfs.btrfs -L nixos /mnt
+btrfs subvolume create /mnt/@
+btrfs subvolume create /mnt/@home
+btrfs subvolume create /mnt/@log
+btrfs subvolume create /mnt/@nix
+btrfs subvolume create /mnt/@swap
+umount /mnt
+
+mount -o subvol=@ $root_drive /mnt
+mkdir -p /mnt/{boot,home,var/log,nix,swap}
+mount $boot_drive /mnt/boot
+mount -o subvol=@home $root_drive /mnt/home
+mount -o subvol=@log $root_drive /var/log
+mount -o subvol=@nix $root_drive /mnt/nix
+mount -o subvol=@swap $root_drive /mnt/swap
+
+# Create swapfile
+btrfs filesystem mkswapfile --size $(free -h --si | grep Mem: | awk '{print $2}') --uuid clear /mnt/swap/swapfile
+
+nixos-install --verbose --root /mnt --flake $flakeDir $( (( ask_root_password == false )) && echo "--no-root-password" )
+
+exit 0
+
From a74cc6a140356c926bb2746c56182ef33a7a4cde Mon Sep 17 00:00:00 2001
From: Andre
Date: Tue, 2 Jul 2024 10:02:46 -0400
Subject: [PATCH 3/3] Add Haven's services to Dimaga
---
 hosts/Dimaga/default.nix | 132 ++++++++++++++++++++++++++++++++++++---
 1 file changed, 124 insertions(+), 8 deletions(-)
diff --git a/hosts/Dimaga/default.nix b/hosts/Dimaga/default.nix
index 4f4e1f7..f73cc5d 100644
--- a/hosts/Dimaga/default.nix
+++ b/hosts/Dimaga/default.nix
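Review bot: The filesystem sequence cannot succeed as written: `/dev/mapper/nixos-crypt` is mounted at `/mnt` before any filesystem exists on it, `mkfs.btrfs` is then run against the mount-point path instead of the block device, every later `subvol=` mount references the raw `$root_drive` (the LUKS container) rather than the opened mapping, and `subvol=@log` is mounted over the live system's `/var/log` instead of `/mnt/var/log`. The `(( ask_root_password == false ))` test is also wrong in a way that matters for the installed system: inside bash arithmetic the words `true` and `false` are looked up as variable names and both evaluate to 0, so the comparison is always true and `--no-root-password` is always passed, leaving root without a password regardless of the `ask_root_password=true` default. Quoting the device variables and using `set -euo pipefail` makes any remaining failure stop the script rather than continue formatting and mounting on a half-built layout. The rewritten portion below keeps the configuration block, root check, subvolume creation and swapfile lines as they are.

```bash
set -euo pipefail
# … unchanged: configuration parameters and root check …

cryptsetup --allow-discards --label=nixos-crypt --type=luks2 luksFormat "$root_drive"
cryptsetup luksOpen "$root_drive" nixos-crypt
crypt_dev=/dev/mapper/nixos-crypt   # the opened mapping is what gets a filesystem and is mounted
mkfs.btrfs -L nixos "$crypt_dev"
mount "$crypt_dev" /mnt
# … unchanged: btrfs subvolume create lines …
umount /mnt

mount -o subvol=@ "$crypt_dev" /mnt
mkdir -p /mnt/{boot,home,var/log,nix,swap}
mount "$boot_drive" /mnt/boot
mount -o subvol=@home "$crypt_dev" /mnt/home
mount -o subvol=@log "$crypt_dev" /mnt/var/log
mount -o subvol=@nix "$crypt_dev" /mnt/nix
mount -o subvol=@swap "$crypt_dev" /mnt/swap
# … unchanged: swapfile creation …

# Compare the setting as a string; bash (( )) would treat true/false as variable names.
if [ "$ask_root_password" = "true" ]; then
    nixos-install --verbose --root /mnt --flake "$flakeDir"
else
    nixos-install --verbose --root /mnt --flake "$flakeDir" --no-root-password
fi
```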
@@ -8,6 +8,28 @@ let # Do not change this value! This tracks when NixOS was installed on your system. stateVersion = "24.11"; + + start-services = pkgs.writeShellScriptBin "start-services" ( + builtins.readFile ../Haven/start-haven.sh + ); + + services-root = "/storage/services"; + + subdomains = [ + config.secrets.services.airsonic.url + config.secrets.services.cache.url + config.secrets.services.forgejo.url + config.secrets.services.gremlin-lab.url + ]; + + namecheapCredentials = { + "NAMECHEAP_API_USER_FILE" = "${pkgs.writeText "namecheap-api-user" '' + ${config.secrets.networking.namecheap.api.user} + ''}"; + "NAMECHEAP_API_KEY_FILE" = "${pkgs.writeText "namecheap-api-key" '' + ${config.secrets.networking.namecheap.api.key} + ''}"; + }; in { imports = [ ./hardware-configuration.nix ]; @@ -28,6 +50,7 @@ in apps = { development.enable = true; + tmux.enable = true; #media.enable = true; #office.enable = true; #recording.enable = true; @@ -38,7 +61,7 @@ in # Enable Secure Boot support. bootloader = { enable = true; - #secureboot.enable = true; + secureboot.enable = true; tpm2.enable = true; }; 
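Review bot: The `namecheapCredentials` binding writes the Namecheap API user and key with `pkgs.writeText`, so both secrets become world-readable files in `/nix/store` (and travel with any store copy or binary cache), which is precisely what the file-path form of ACME credentials exists to avoid. Point `NAMECHEAP_API_USER_FILE` and `NAMECHEAP_API_KEY_FILE` at root-only files provisioned outside the store by whatever deploys `config.secrets`, e.g. `"NAMECHEAP_API_KEY_FILE" = "/run/secrets/namecheap-api-key";` (placeholder path), and drop the `writeText` wrappers. If `config.secrets` is itself evaluated from a Nix file in this repo, its string values reach the store through every other use as well, but that is outside this hunk. The `let` binding list this hunk extends begins before the hunk.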
@@ -58,17 +81,113 @@ in }; }; + packages = [ + start-services + pkgs.htop + ]; + # Change how long old generations are kept for. - retentionPeriod = "14d"; + retentionPeriod = "monthly"; services = { - autoUpgrade = { + acme = { enable = true; + defaultEmail = config.secrets.users.aires.email; + certs = { + "${config.secrets.networking.primaryDomain}" = { + dnsProvider = "namecheap"; + extraDomainNames = subdomains; + webroot = null; # Required in order to prevent a failed assertion + credentialFiles = namecheapCredentials; + }; + "${config.secrets.networking.blogDomain}" = { + dnsProvider = "namecheap"; + webroot = null; # Required in order to prevent a failed assertion + credentialFiles = namecheapCredentials; + }; + }; + }; + apcupsd = { + enable = true; + configText = builtins.readFile ../Haven/etc/apcupsd.conf; + }; + airsonic = { + enable = true; + home = "${services-root}/airsonic-advanced"; + domain = config.secrets.networking.primaryDomain; + url = config.secrets.services.airsonic.url; + }; + autoUpgrade = { + enable = false; # Don't update the system... + pushUpdates = true; # ...but do push updates remotely. 
configDir = config.secrets.nixConfigFolder; onCalendar = "daily"; user = config.users.users.aires.name; }; - virtualization.enable = true; + boinc.enable = true; + cache = { + enable = false; # Disable for now + secretKeyFile = "${services-root}/nix-cache/cache-priv-key.pem"; + }; + duplicacy-web = { + enable = true; + autostart = false; + environment = "/storage/backups/settings/Haven"; + }; + forgejo = { + enable = true; + home = "${services-root}/forgejo"; + domain = config.secrets.networking.primaryDomain; + url = config.secrets.services.forgejo.url; + actions = { + enable = true; + token = config.secrets.services.forgejo.runner-token; + }; + }; + msmtp.enable = true; + nginx = { + enable = true; + autostart = false; + virtualHosts = { + "${config.secrets.networking.primaryDomain}" = { + default = true; + enableACME = true; # Enable Let's Encrypt + locations."/" = { + # Catchall vhost, will redirect users to Forgejo + return = "301 https://${config.secrets.services.forgejo.url}"; + }; + }; + "${config.secrets.networking.blogDomain}" = { + useACMEHost = config.secrets.networking.blogDomain; + forceSSL = true; + root = "${services-root}/nginx/sites/${config.secrets.networking.blogDomain}"; + }; + "${config.secrets.services.gremlin-lab.url}" = { + useACMEHost = config.secrets.networking.primaryDomain; + forceSSL = true; + locations."/" = { + proxyPass = "http://${config.secrets.services.gremlin-lab.ip}"; + proxyWebsockets = true; + extraConfig = "proxy_ssl_server_name on;"; + }; + }; + }; + }; + ssh = { + enable = true; + ports = [ config.secrets.hosts.haven.ssh.port ]; + }; + virtualization = { + host = { + enable = true; + user = "aires"; + vmBuilds = { + enable = true; + cores = 3; + ram = 4096; + }; + }; + }; }; ui = { @@ -83,8 +202,6 @@ in # Define Flatpak packages to install. packages = [ "com.github.tchx84.Flatseal" - "com.github.wwmm.easyeffects" - "md.obsidian.Obsidian" "org.keepassxc.KeePassXC" "org.mozilla.firefox" ]; 
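Review bot: `virtualization.host.user = "aires"` hard-codes the account name while `autoUpgrade.user` a few lines earlier derives it from `config.users.users.aires.name`; use the same reference, `user = config.users.users.aires.name;`, so the two cannot drift apart. The primary-domain vhost sets `enableACME = true`, which requests a separate certificate for a domain that the `acme.certs` block in this hunk already issues via dns-01 — presumably the reason the `webroot = null` workaround is needed there; replacing it with `useACMEHost = config.secrets.networking.primaryDomain;`, as the other two vhosts already do, would likely remove both the duplicate issuance and the workaround. `forgejo.actions.token` is passed as an evaluated string; unless the module behind it writes the value to a root-only file outside `/nix/store`, it becomes world-readable like any other evaluated string, so a file-path option is preferable if the module offers one. The `services` attribute set this hunk rewrites begins before the hunk.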
@@ -96,8 +213,7 @@ in services = { syncthing = { enable = true; - autostart = true; - enableTray = false; + autostart = false; }; }; };