
Merge branch 'main' of ssh://code.8bitbuddhism.com/aires/nix-configuration

This commit is contained in:
Aires 2024-10-28 11:14:58 -04:00
commit cc4ae86525
13 changed files with 117 additions and 232 deletions


@ -8,6 +8,7 @@ hostname=$(/run/current-system/sw/bin/hostname) # The name of the host to build
flakeDir="${FLAKE_DIR}" # Path to the flake file (and optionally the hostname)
update=false # Whether to update and commmit flake.lock
user=$(/run/current-system/sw/bin/whoami) # Which user account to use for git commands
buildHost="" # Which host to use to generate the build (defaults to the local host)
remainingArgs="" # All remaining arguments that haven't yet been processed (will be passed to nixos-rebuild)
function usage() {
@ -34,16 +35,21 @@ function usage() {
POSITIONAL_ARGS=()
while [[ $# -gt 0 ]]; do
case "$1" in
--build-host)
buildHost="$2"
shift
shift
;;
--flake|-f)
flakeDir="$2"
shift
shift
;;
--hostname|-h)
hostname="$2"
shift
shift
;;
hostname="$2"
shift
shift
;;
--update|--upgrade|-U)
update=true
shift
@ -89,6 +95,12 @@ fi
options="--flake ${flakeDir}#${hostname} ${remainingArgs} --use-remote-sudo --log-format multiline-with-logs"
if [[ -n "${buildHost}" && $operation != "build" && $operation != *"dry"* ]]; then
echo "Remote build detected, running this operation first: nixos-rebuild build ${options} --build-host $buildHost"
/run/current-system/sw/bin/nixos-rebuild build $options --build-host $buildHost
echo "Remote build complete!"
fi
echo "Running this operation: nixos-rebuild ${operation} ${options}"
/run/current-system/sw/bin/nixos-rebuild $operation $options
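Review bot: `buildHost="$2"` in the new `--build-host` branch accepts an empty or missing value, and the value is then expanded unquoted as `--build-host $buildHost` in the remote-build step, so a hostname containing whitespace or glob characters is split into extra arguments to nixos-rebuild. Since this is the host the script will ssh to and trust for the build, fail fast instead: `buildHost="${2:?--build-host requires a hostname}"` in the case branch and `--build-host "${buildHost}"` on the build line. `$options` is presumably left unquoted on purpose so `${remainingArgs}` word-splits; a bash array would let the fixed flags be quoted while still passing the user's arguments through. The argument loop and the `usage` function begin before the second hunk, and the script continues past the last one.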


@ -267,11 +267,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1729802774,
"narHash": "sha256-pssdzH1vOnTWvoGwfy3OfqY2oA6tKAHLGJFm5FeXYCI=",
"lastModified": 1729804049,
"narHash": "sha256-3CBk8Ntrilw4ju41mIkW2q34zxBxQxJPqd8lcF5yvV8=",
"owner": "8bitbuddhist",
"repo": "nixos-hardware",
"rev": "52323ec811f4c94b2f32ba1c83d86f0594977dc8",
"rev": "097c476b076300e0f44e2a804ad472ca3da395d4",
"type": "github"
},
"original": {


@ -8,18 +8,19 @@ let
# Where to store service files
services-root = "/storage/services";
# Credentials for interacting with the Namecheap API
namecheapCredentials = {
"NAMECHEAP_API_USER_FILE" = "${pkgs.writeText "namecheap-api-user" ''
${config.secrets.networking.namecheap.api.user}
# Credentials for interacting with the Porkbun API
porkbunCredentials = {
"PORKBUN_API_KEY_FILE" = "${pkgs.writeText "porkbun-api-key" ''
${config.secrets.networking.porkbun.api.apiKey}
''}";
"NAMECHEAP_API_KEY_FILE" = "${pkgs.writeText "namecheap-api-key" ''
${config.secrets.networking.namecheap.api.key}
"PORKBUN_SECRET_API_KEY_FILE" = "${pkgs.writeText "porkbun-secret-api-key" ''
${config.secrets.networking.porkbun.api.secretKey}
''}";
};
# List of subdomains to add to the TLS certificate
subdomains = with config.secrets.services; [
dav.url
forgejo.url
gremlin-lab.url
jellyfin.url
@ -75,15 +76,15 @@ in
defaultEmail = config.secrets.users.aires.email;
certs = {
"${config.secrets.networking.domains.primary}" = {
dnsProvider = "namecheap";
dnsProvider = "porkbun";
extraDomainNames = subdomains;
webroot = null; # Required in order to prevent a failed assertion
credentialFiles = namecheapCredentials;
credentialFiles = porkbunCredentials;
};
"${config.secrets.networking.domains.blog}" = {
dnsProvider = "namecheap";
dnsProvider = "porkbun";
webroot = null; # Required in order to prevent a failed assertion
credentialFiles = namecheapCredentials;
credentialFiles = porkbunCredentials;
};
};
};
@ -111,11 +112,6 @@ in
home = "${services-root}/forgejo";
url = config.secrets.services.forgejo.url;
};
home-assistant = {
enable = false;
home = "${services-root}/home-assistant";
url = config.secrets.services.home-assistant.url;
};
jellyfin = {
enable = true;
home = "${services-root}/jellyfin";
@ -209,6 +205,12 @@ in
ram = 4096;
};
};
webdav = {
enable = false;
home = "${services-root}/webdav";
url = config.secrets.services.webdav.url;
users = config.secrets.services.webdav.users;
};
};
users.aires = {
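Review bot: The new `porkbunCredentials` block feeds the API key and secret key through `pkgs.writeText`, which places both in `/nix/store` — world-readable on the host and copied along with the rest of the closure to any remote builder or cache this configuration is pushed to. The namecheap block it replaces did the same, but switching providers is the moment to stop it: point the `*_FILE` entries at a root-only path outside the store, e.g. `"PORKBUN_API_KEY_FILE" = "/run/secrets/porkbun-api-key";`, populated by whatever mechanism already backs `config.secrets` or deployed by hand, since `credentialFiles` only needs a path the acme service can read. Note also that `dav.url` is added to the `subdomains` SAN list while the `webdav` service below is `enable = false`, so the hostname will appear in the issued certificate (and, for a public CA, in Certificate Transparency logs) before anything answers there. The `let` binding these hunks edit begins before the first hunk.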


@ -51,6 +51,7 @@ in
autoUpgrade = {
enable = true;
configDir = config.secrets.nixConfigFolder;
extraFlags = "--build-host hevana";
onCalendar = "weekly";
user = config.users.users.aires.name;
};
@ -71,6 +72,7 @@ in
"com.github.tchx84.Flatseal"
"com.github.wwmm.easyeffects"
"md.obsidian.Obsidian"
"org.chromium.Chromium"
"org.keepassxc.KeePassXC"
"org.mozilla.firefox"
];
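Review bot: `extraFlags = "--build-host hevana"` makes the weekly unattended upgrade depend on a non-interactive SSH session from `user = aires` to hevana, and it makes hevana a full trust anchor for this machine: whatever store paths the build host returns are what gets activated here, so compromise of hevana becomes compromise of this host. That deserves a comment next to the flag, e.g. `# Builds run on hevana over SSH as the autoUpgrade user; hevana is fully trusted for the resulting system closure. Needs key-based auth and a pinned host key to run unattended.` If the key and known_hosts entry are not provisioned elsewhere, the timer will presumably fail every week rather than fall back to a local build, so it is worth confirming after the first run. The enclosing `aux.system` block begins before the first hunk.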


@ -14,7 +14,7 @@ in
system.stateVersion = stateVersion;
networking.hostName = hostName;
custom-fonts.Freight-Pro.enable = true;
custom-fonts.Freight-Pro.enable = config.aux.system.users.gremlin.enable;
aux.system = {
apps = {
@ -42,7 +42,6 @@ in
gpu.amd.enable = true;
packages = with pkgs; [
boinc # Boinc client
keepassxc # Use native instead of Flatpak due to weird performance issues
];
@ -90,6 +89,7 @@ in
"com.github.tchx84.Flatseal"
"com.github.wwmm.easyeffects"
"md.obsidian.Obsidian"
"org.chromium.Chromium"
"org.mozilla.firefox"
];
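Review bot: The native `keepassxc` package is dropped from `packages` together with the comment explaining why it was preferred over the Flatpak, but no `org.keepassxc.KeePassXC` entry is added to this host's Flatpak list in the following hunk, whereas the other host in this commit does carry that entry. If the password manager is meant to stay on this host, add `"org.keepassxc.KeePassXC"` to the Flatpak list or restore the package; if the removal is intentional, a short comment saying so would stop the next reader from re-adding it. The `aux.system` block spans all three hunks and begins before the first one.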


@ -48,12 +48,6 @@
# Install ZSH for all users
zsh.enable = true;
# Enable NH, an alternative nixos-rebuild frontend.
# https://github.com/viperML/nh
nh = {
enable = true;
flake = "${config.secrets.nixConfigFolder}";
};
# Configure nano
nano.nanorc = ''
set tabsize 4



@ -1,71 +0,0 @@
{
pkgs,
config,
lib,
...
}:
let
cfg = config.aux.system.services.airsonic;
in
{
options = {
aux.system.services.airsonic = {
enable = lib.mkEnableOption "Enables Airsonic Advanced media streaming service.";
home = lib.mkOption {
default = "/var/lib/airsonic";
type = lib.types.str;
description = "Where to store Airsonic's files";
};
url = lib.mkOption {
default = "";
type = lib.types.str;
description = "The complete URL where Airsonic is hosted.";
example = "https://forgejo.example.com";
};
};
};
config = lib.mkIf cfg.enable {
aux.system.users.media.enable = true;
users.users.airsonic.extraGroups = [ "media" ];
services = {
nginx.virtualHosts."${cfg.url}" = {
useACMEHost = pkgs.util.getDomainFromURL cfg.url;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:4040";
proxyWebsockets = true;
extraConfig = ''
# Taken from https://airsonic.github.io/docs/proxy/nginx/
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header Host $host;
proxy_max_temp_file_size 0;
proxy_ssl_server_name on;
'';
};
};
airsonic = {
enable = true;
war = "${
(pkgs.callPackage ../../packages/airsonic-advanced.nix { inherit lib; })
}/webapps/airsonic.war";
port = 4040;
jre = pkgs.jdk17;
jvmOptions = [
"-Dserver.use-forward-headers=true"
"-Xmx4G" # Increase Java heap size to 4GB
];
} // lib.optionalAttrs (cfg.home != "") { home = cfg.home; };
};
systemd.services = {
airsonic.unitConfig.RequiresMountsFor = cfg.home;
nginx.wants = [ config.systemd.services.airsonic.name ];
};
};
}


@ -1,83 +0,0 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.aux.system.services.home-assistant;
in
{
options = {
aux.system.services.home-assistant = {
enable = lib.mkEnableOption "Enables Home Assistant.";
home = lib.mkOption {
default = "/etc/home-assistant";
type = lib.types.str;
description = "Where to store Home Assistant's files";
example = "/home/home-assistant";
};
url = lib.mkOption {
default = "";
type = lib.types.str;
description = "The complete URL where Home Assistant is hosted.";
example = "https://home-assistant.example.com";
};
};
};
config = lib.mkIf cfg.enable {
services = {
home-assistant = {
enable = true;
# opt-out from declarative configuration management
lovelaceConfig = null;
# configure the path to your config directory
configDir = cfg.home;
# specify list of components required by your configuration
extraComponents = [
"default_config"
"esphome"
"eufy"
"govee_light_local"
"met"
"radio_browser"
"tplink"
];
extraPackages = python3Packages: with python3Packages; [ numpy ];
config.http = {
server_host = "::1";
trusted_proxies = [ "::1" ];
use_x_forwarded_for = true;
};
};
nginx.virtualHosts."${cfg.url}" = {
useACMEHost = pkgs.util.getDomainFromURL cfg.url;
forceSSL = true;
locations."/" = {
proxyPass = "http://[::1]:8123";
proxyWebsockets = true;
extraConfig = ''
# Security / XSS Mitigation Headers
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
proxy_ssl_server_name on;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_buffering off;
'';
};
};
};
systemd.services = {
home-assistant.unitConfig.RequiresMountsFor = cfg.home;
nginx.wants = [ config.systemd.services.home-assistant.name ];
};
};
}


@ -0,0 +1,68 @@
{
pkgs,
config,
lib,
...
}:
let
cfg = config.aux.system.services.webdav;
port = 6065; # Internal port to run the server on
in
{
options = {
aux.system.services.webdav = {
enable = lib.mkEnableOption "Enables Webdav server.";
home = lib.mkOption {
default = "/var/lib/webdav";
type = lib.types.str;
description = "Where to store Webdav's files";
example = "/home/webdav";
};
url = lib.mkOption {
default = "";
type = lib.types.str;
description = "The complete URL where Webdav is hosted.";
example = "https://dav.example.com";
};
users = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.attrs;
description = "List of user accounts to create.";
example = lib.literalExpression "[ { username = \"user\"; password = \"pass\"; } ]";
};
};
};
config = lib.mkIf cfg.enable {
services = {
webdav = {
enable = true;
settings = {
address = "127.0.0.1";
port = port;
scope = cfg.home;
users = cfg.users;
};
};
nginx.virtualHosts."${cfg.url}" = {
useACMEHost = pkgs.util.getDomainFromURL cfg.url;
forceSSL = true;
locations."/".extraConfig = ''
proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_redirect off;
'';
};
};
systemd.services = {
webdav.unitConfig.RequiresMountsFor = cfg.home;
nginx.wants = [ config.systemd.services.webdav.name ];
};
};
}
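Review bot: `users = cfg.users` passes `{ username; password }` attribute sets straight into `services.webdav.settings`, so the passwords sit in plaintext in the Nix expression and, as far as I can tell from the NixOS module, in the generated configuration in the world-readable `/nix/store`. If the server behind `services.webdav` accepts hashed passwords (I believe hacdias/webdav takes bcrypt hashes) or an environment file, prefer that and say so on the option: change the `example` to show a hash instead of `password = "pass"` and set `description = "List of user accounts to create. Store only password hashes here; everything in this list ends up in the Nix store.";`. Separately, the nginx location sets no `client_max_body_size`, so PUTs above nginx's 1 MB default will be rejected with 413 — add `client_max_body_size 0;` (or a sized limit) and `proxy_request_buffering off;` to `extraConfig` so uploads stream to the backend. `listOf attrs` could also be a `submodule` with typed `username`/`password` fields so a misspelled key fails at evaluation instead of at login.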


@ -76,8 +76,12 @@ in
userName = config.secrets.users.aires.firstName;
userEmail = config.secrets.users.aires.email;
extraConfig = {
safe.directory = "${config.secrets.nixConfigFolder}/.git";
core.editor = config.aux.system.editor;
merge.conflictStyle = "zdiff3";
pull.ff = "only";
push.autoSetupRemote = "true";
safe.directory = "${config.secrets.nixConfigFolder}/.git";
submodule.recurse = true;
};
};


@ -1,20 +1,10 @@
{ config, lib, ... }:
{ ... }:
{
# Give root user access to run remote builds
home-manager.users.root = {
home.stateVersion = "24.05";
programs = {
git.extraConfig = {
safe.directory = "${config.secrets.nixConfigFolder}/.git";
};
ssh = {
enable = true;
matchBlocks = config.secrets.users.root.sshConfig;
};
zsh = {
oh-my-zsh.theme = "kardan";
shellAliases.nos = "nixos-operations-script";
};
programs.zsh = {
oh-my-zsh.theme = "kardan";
shellAliases.nos = "nixos-operations-script";
};
};
}
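Review bot: The comment `# Give root user access to run remote builds` is now stale: the `programs.ssh` matchBlocks and the git `safe.directory` entry that provided that access are removed in this hunk, leaving only a zsh theme and the `nos` alias. Replace it with what the block does now, e.g. `# Shell conveniences for the root account (zsh theme and the nos alias).`, and note where the remote-build SSH configuration moved to if it moved — this commit does not show it. If root still needs to reach the build host for `--use-remote-sudo` or switch operations, the SSH config should be restored rather than the comment rewritten.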


@ -1,33 +0,0 @@
{
lib,
stdenv,
fetchurl,
nixosTests,
}:
stdenv.mkDerivation rec {
pname = "airsonic-advanced";
version = "11.1.4-SNAPSHOT.20240628143437";
src = fetchurl {
url = "https://github.com/kagemomiji/airsonic-advanced/releases/download/${version}/airsonic.war";
sha256 = "fde2c921e26cf536405118c5114a2f42fe87ff0a019852f21c80f4c68a2431ee";
};
buildCommand = ''
mkdir -p "$out/webapps"
cp "$src" "$out/webapps/airsonic.war"
'';
passthru.tests = {
airsonic-starts = nixosTests.airsonic;
};
meta = {
description = "Free, web-based media streamer providing ubiquitous access to your music.";
homepage = "https://github.com/kagemomiji/airsonic-advanced/";
sourceProvenance = [ lib.sourceTypes.binaryBytecode ];
license = lib.licenses.gpl3;
platforms = lib.platforms.all;
};
}