diff --git a/bin/nixos-operations-script.sh b/bin/nixos-operations-script.sh
index 77ac4f1..50d39bd 100755
--- a/bin/nixos-operations-script.sh
+++ b/bin/nixos-operations-script.sh
@@ -8,6 +8,7 @@ hostname=$(/run/current-system/sw/bin/hostname) # The name of the host to build
 flakeDir="${FLAKE_DIR}" # Path to the flake file (and optionally the hostname)
 update=false # Whether to update and commmit flake.lock
 user=$(/run/current-system/sw/bin/whoami) # Which user account to use for git commands
+buildHost="" # Which host to use to generate the build (defaults to the local host)
 remainingArgs="" # All remaining arguments that haven't yet been processed (will be passed to nixos-rebuild)
 function usage() {
@@ -34,16 +35,21 @@ function usage() {
 POSITIONAL_ARGS=()
 while [[ $# -gt 0 ]]; do
 case "$1" in
+ --build-host)
+ buildHost="$2"
+ shift
+ shift
+ ;;
 --flake|-f)
 flakeDir="$2"
 shift
 shift
 ;;
 --hostname|-h)
- hostname="$2"
- shift
- shift
- ;;
+ hostname="$2"
+ shift
+ shift
+ ;;
 --update|--upgrade|-U)
 update=true
 shift
@@ -89,6 +95,12 @@ fi
 options="--flake ${flakeDir}#${hostname} ${remainingArgs} --use-remote-sudo --log-format multiline-with-logs"
+if [[ -n "${buildHost}" && $operation != "build" && $operation != *"dry"* ]]; then
+ echo "Remote build detected, running this operation first: nixos-rebuild build ${options} --build-host $buildHost"
+ /run/current-system/sw/bin/nixos-rebuild build $options --build-host $buildHost
+ echo "Remote build complete!"
+fi
+
 echo "Running this operation: nixos-rebuild ${operation} ${options}"
 /run/current-system/sw/bin/nixos-rebuild $operation $options
diff --git a/flake.lock b/flake.lock
index e006022..724f72a 100644
--- a/flake.lock
+++ b/flake.lock
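Review bot: The new `--build-host)` arm reads `$2` without checking that a value was supplied, so `--build-host` given as the last argument silently leaves `buildHost` empty (remote build quietly disabled) and the second `shift` then fails on an empty argument list. The existing arms share this shape, but since the script already defines `usage()`, the new arm could guard it with `[[ $# -ge 2 ]] || usage` before the assignment. The `--hostname|-h` arm below it is re-indented only, which is whitespace noise in an otherwise functional change. The enclosing `while` loop continues past the end of the hunk.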
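Review bot: The exit status of the remote `nixos-rebuild build` in the new `if` block is never checked, so when the remote build fails the script still falls through to the local `nixos-rebuild ${operation}`, which then rebuilds everything locally — the opposite of what `--build-host` was asked for; whether `set -e` is in effect is not visible in this hunk. `buildHost` is user-supplied and should also be quoted on the command line (`$options` is presumably left unquoted on purpose so it word-splits, matching the existing final line). Suggest `/run/current-system/sw/bin/nixos-rebuild build $options --build-host "${buildHost}" || { echo "Remote build on ${buildHost} failed" >&2; exit 1; }`.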
@@ -267,11 +267,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1729802774,
- "narHash": "sha256-pssdzH1vOnTWvoGwfy3OfqY2oA6tKAHLGJFm5FeXYCI=",
+ "lastModified": 1729804049,
+ "narHash": "sha256-3CBk8Ntrilw4ju41mIkW2q34zxBxQxJPqd8lcF5yvV8=",
 "owner": "8bitbuddhist",
 "repo": "nixos-hardware",
- "rev": "52323ec811f4c94b2f32ba1c83d86f0594977dc8",
+ "rev": "097c476b076300e0f44e2a804ad472ca3da395d4",
 "type": "github"
 },
 "original": {
diff --git a/hosts/Hevana/default.nix b/hosts/Hevana/default.nix
index 75bfd22..fd3f7b8 100644
--- a/hosts/Hevana/default.nix
+++ b/hosts/Hevana/default.nix
@@ -8,18 +8,19 @@ let
 # Where to store service files
 services-root = "/storage/services";
- # Credentials for interacting with the Namecheap API
- namecheapCredentials = {
- "NAMECHEAP_API_USER_FILE" = "${pkgs.writeText "namecheap-api-user" ''
- ${config.secrets.networking.namecheap.api.user}
+ # Credentials for interacting with the Porkbun API
+ porkbunCredentials = {
+ "PORKBUN_API_KEY_FILE" = "${pkgs.writeText "porkbun-api-key" ''
+ ${config.secrets.networking.porkbun.api.apiKey}
 ''}";
- "NAMECHEAP_API_KEY_FILE" = "${pkgs.writeText "namecheap-api-key" ''
- ${config.secrets.networking.namecheap.api.key}
+ "PORKBUN_SECRET_API_KEY_FILE" = "${pkgs.writeText "porkbun-secret-api-key" ''
+ ${config.secrets.networking.porkbun.api.secretKey}
 ''}";
 };
 # List of subdomains to add to the TLS certificate
 subdomains = with config.secrets.services; [
+ dav.url
 forgejo.url
 gremlin-lab.url
 jellyfin.url
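Review bot: The new `porkbunCredentials` block still writes the API key and secret key into the Nix store via `pkgs.writeText`, and store paths are readable by every local user and are copied wherever the closure goes. The previous Namecheap block had the same shape, so this is not a regression, but the provider swap is the natural moment to point `PORKBUN_API_KEY_FILE` / `PORKBUN_SECRET_API_KEY_FILE` at files provisioned outside the store with restricted permissions; the encrypted secrets module only protects the values at rest in git, not after evaluation. Separately, the subdomain list gains `dav.url` while the webdav block added later in this file reads `config.secrets.services.webdav.url` — if these refer to the same service, one of the two attribute names is likely a typo (cannot be confirmed without the secrets file). A one-line comment on `dav.url` saying which service it belongs to would settle it.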
@@ -75,15 +76,15 @@ in
 defaultEmail = config.secrets.users.aires.email;
 certs = {
 "${config.secrets.networking.domains.primary}" = {
- dnsProvider = "namecheap";
+ dnsProvider = "porkbun";
 extraDomainNames = subdomains;
 webroot = null; # Required in order to prevent a failed assertion
- credentialFiles = namecheapCredentials;
+ credentialFiles = porkbunCredentials;
 };
 "${config.secrets.networking.domains.blog}" = {
- dnsProvider = "namecheap";
+ dnsProvider = "porkbun";
 webroot = null; # Required in order to prevent a failed assertion
- credentialFiles = namecheapCredentials;
+ credentialFiles = porkbunCredentials;
 };
 };
 };
@@ -111,11 +112,6 @@ in
 home = "${services-root}/forgejo";
 url = config.secrets.services.forgejo.url;
 };
- home-assistant = {
- enable = false;
- home = "${services-root}/home-assistant";
- url = config.secrets.services.home-assistant.url;
- };
 jellyfin = {
 enable = true;
 home = "${services-root}/jellyfin";
@@ -209,6 +205,12 @@ in
 ram = 4096;
 };
 };
+ webdav = {
+ enable = false;
+ home = "${services-root}/webdav";
+ url = config.secrets.services.webdav.url;
+ users = config.secrets.services.webdav.users;
+ };
 };
 users.aires = {
diff --git a/hosts/Khanda/default.nix b/hosts/Khanda/default.nix
index 8707f94..e78761d 100644
--- a/hosts/Khanda/default.nix
+++ b/hosts/Khanda/default.nix
@@ -51,6 +51,7 @@ in
 autoUpgrade = {
 enable = true;
 configDir = config.secrets.nixConfigFolder;
+ extraFlags = "--build-host hevana";
 onCalendar = "weekly";
 user = config.users.users.aires.name;
 };
@@ -71,6 +72,7 @@ in
 "com.github.tchx84.Flatseal"
 "com.github.wwmm.easyeffects"
 "md.obsidian.Obsidian"
+ "org.chromium.Chromium"
 "org.keepassxc.KeePassXC"
 "org.mozilla.firefox"
 ];
diff --git a/hosts/Shura/default.nix b/hosts/Shura/default.nix
index 17bdb5e..b31f726 100644
--- a/hosts/Shura/default.nix
+++ b/hosts/Shura/default.nix
@@ -14,7 +14,7 @@ in
 system.stateVersion = stateVersion;
 networking.hostName = hostName;
- custom-fonts.Freight-Pro.enable = true;
+ custom-fonts.Freight-Pro.enable = config.aux.system.users.gremlin.enable;
 aux.system = {
 apps = {
@@ -42,7 +42,6 @@ in
 gpu.amd.enable = true;
 packages = with pkgs; [
- boinc # Boinc client
 keepassxc # Use native instead of Flatpak due to weird performance issues
 ];
@@ -90,6 +89,7 @@ in
 "com.github.tchx84.Flatseal"
 "com.github.wwmm.easyeffects"
 "md.obsidian.Obsidian"
+ "org.chromium.Chromium"
 "org.mozilla.firefox"
 ];
diff --git a/modules/common.nix b/modules/common.nix
index 854a2d7..b8e498b 100644
--- a/modules/common.nix
+++ b/modules/common.nix
@@ -48,12 +48,6 @@
 # Install ZSH for all users
 zsh.enable = true;
- # Enable NH, an alternative nixos-rebuild frontend.
- # https://github.com/viperML/nh
- nh = {
- enable = true;
- flake = "${config.secrets.nixConfigFolder}";
- };
 # Configure nano
 nano.nanorc = ''
 set tabsize 4
diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix
index 338ee07..0d47e9a 100644
Binary files a/modules/secrets/default.nix and b/modules/secrets/default.nix differ
diff --git a/modules/services/airsonic.nix b/modules/services/airsonic.nix
deleted file mode 100644
index 31af51f..0000000
--- a/modules/services/airsonic.nix
+++ /dev/null
@@ -1,71 +0,0 @@
-{
- pkgs,
- config,
- lib,
- ...
-}:
-let
- cfg = config.aux.system.services.airsonic;
-in
-{
- options = {
- aux.system.services.airsonic = {
- enable = lib.mkEnableOption "Enables Airsonic Advanced media streaming service.";
- home = lib.mkOption {
- default = "/var/lib/airsonic";
- type = lib.types.str;
- description = "Where to store Airsonic's files";
- };
- url = lib.mkOption {
- default = "";
- type = lib.types.str;
- description = "The complete URL where Airsonic is hosted.";
- example = "https://forgejo.example.com";
- };
- };
- };
-
- config = lib.mkIf cfg.enable {
- aux.system.users.media.enable = true;
- users.users.airsonic.extraGroups = [ "media" ];
-
- services = {
- nginx.virtualHosts."${cfg.url}" = {
- useACMEHost = pkgs.util.getDomainFromURL cfg.url;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:4040";
- proxyWebsockets = true;
- extraConfig = ''
- # Taken from https://airsonic.github.io/docs/proxy/nginx/
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto https;
- proxy_set_header X-Forwarded-Host $host;
- proxy_set_header Host $host;
- proxy_max_temp_file_size 0;
- proxy_ssl_server_name on;
- '';
- };
- };
-
- airsonic = {
- enable = true;
- war = "${
- (pkgs.callPackage ../../packages/airsonic-advanced.nix { inherit lib; })
- }/webapps/airsonic.war";
- port = 4040;
- jre = pkgs.jdk17;
- jvmOptions = [
- "-Dserver.use-forward-headers=true"
- "-Xmx4G" # Increase Java heap size to 4GB
- ];
- } // lib.optionalAttrs (cfg.home != "") { home = cfg.home; };
- };
-
- systemd.services = {
- airsonic.unitConfig.RequiresMountsFor = cfg.home;
- nginx.wants = [ config.systemd.services.airsonic.name ];
- };
- };
-}
diff --git a/modules/services/home-assistant.nix b/modules/services/home-assistant.nix
deleted file mode 100644
index 03cd5e8..0000000
--- a/modules/services/home-assistant.nix
+++ /dev/null
@@ -1,83 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}:
-
-let
- cfg = config.aux.system.services.home-assistant;
-in
-{
- options = {
- aux.system.services.home-assistant = {
- enable = lib.mkEnableOption "Enables Home Assistant.";
- home = lib.mkOption {
- default = "/etc/home-assistant";
- type = lib.types.str;
- description = "Where to store Home Assistant's files";
- example = "/home/home-assistant";
- };
- url = lib.mkOption {
- default = "";
- type = lib.types.str;
- description = "The complete URL where Home Assistant is hosted.";
- example = "https://home-assistant.example.com";
- };
- };
-
- };
-
- config = lib.mkIf cfg.enable {
- services = {
- home-assistant = {
- enable = true;
- # opt-out from declarative configuration management
- lovelaceConfig = null;
- # configure the path to your config directory
- configDir = cfg.home;
- # specify list of components required by your configuration
- extraComponents = [
- "default_config"
- "esphome"
- "eufy"
- "govee_light_local"
- "met"
- "radio_browser"
- "tplink"
- ];
- extraPackages = python3Packages: with python3Packages; [ numpy ];
- config.http = {
- server_host = "::1";
- trusted_proxies = [ "::1" ];
- use_x_forwarded_for = true;
- };
- };
- nginx.virtualHosts."${cfg.url}" = {
- useACMEHost = pkgs.util.getDomainFromURL cfg.url;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://[::1]:8123";
- proxyWebsockets = true;
- extraConfig = ''
- # Security / XSS Mitigation Headers
- add_header X-Frame-Options "SAMEORIGIN";
- add_header X-Content-Type-Options "nosniff";
-
- proxy_ssl_server_name on;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Real-IP $remote_addr;
-
- proxy_buffering off;
- '';
- };
- };
- };
-
- systemd.services = {
- home-assistant.unitConfig.RequiresMountsFor = cfg.home;
- nginx.wants = [ config.systemd.services.home-assistant.name ];
- };
- };
-}
diff --git a/modules/services/webdav.nix b/modules/services/webdav.nix
new file mode 100644
index 0000000..2e6dde1
--- /dev/null
+++ b/modules/services/webdav.nix
@@ -0,0 +1,68 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}:
+let
+ cfg = config.aux.system.services.webdav;
+
+ port = 6065; # Internal port to run the server on
+in
+{
+ options = {
+ aux.system.services.webdav = {
+ enable = lib.mkEnableOption "Enables Webdav server.";
+ home = lib.mkOption {
+ default = "/var/lib/webdav";
+ type = lib.types.str;
+ description = "Where to store Webdav's files";
+ example = "/home/webdav";
+ };
+ url = lib.mkOption {
+ default = "";
+ type = lib.types.str;
+ description = "The complete URL where Webdav is hosted.";
+ example = "https://dav.example.com";
+ };
+ users = lib.mkOption {
+ default = [ ];
+ type = lib.types.listOf lib.types.attrs;
+ description = "List of user accounts to create.";
+ example = lib.literalExpression "[ { username = \"user\"; password = \"pass\"; } ]";
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services = {
+ webdav = {
+ enable = true;
+ settings = {
+ address = "127.0.0.1";
+ port = port;
+ scope = cfg.home;
+ users = cfg.users;
+ };
+ };
+
+ nginx.virtualHosts."${cfg.url}" = {
+ useACMEHost = pkgs.util.getDomainFromURL cfg.url;
+ forceSSL = true;
+ locations."/".extraConfig = ''
+ proxy_pass http://127.0.0.1:${builtins.toString port};
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header REMOTE-HOST $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ proxy_redirect off;
+ '';
+ };
+ };
+
+ systemd.services = {
+ webdav.unitConfig.RequiresMountsFor = cfg.home;
+ nginx.wants = [ config.systemd.services.webdav.name ];
+ };
+ };
+}
diff --git a/modules/users/aires/default.nix b/modules/users/aires/default.nix
index 8cecc94..10013d6 100644
--- a/modules/users/aires/default.nix
+++ b/modules/users/aires/default.nix
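Review bot: The `users` option is documented with a plaintext `password = "pass"` example and is passed straight into `services.webdav.settings.users`; as far as I recall the upstream NixOS module renders `settings` into a config file in the Nix store, which would leave every account password world-readable on the host and on any machine the closure is copied to. If the webdav server accepts hashed passwords, the option description should say so and the example should show the hashed form; otherwise the module should take a path to a config file provisioned outside the store instead of embedding credentials in the evaluation. Also a style point: the sibling modules being deleted in this same commit used the structured `proxyPass = "http://…"` option rather than a hand-written `proxy_pass` inside `extraConfig`, and also forwarded `X-Forwarded-Proto`; `locations."/" = { proxyPass = "http://127.0.0.1:${builtins.toString port}"; extraConfig = ''…''; };` keeps this module consistent with them and lets nginx's option handling validate the upstream URL.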
@@ -76,8 +76,12 @@ in
 userName = config.secrets.users.aires.firstName;
 userEmail = config.secrets.users.aires.email;
 extraConfig = {
- safe.directory = "${config.secrets.nixConfigFolder}/.git";
+ core.editor = config.aux.system.editor;
+ merge.conflictStyle = "zdiff3";
+ pull.ff = "only";
 push.autoSetupRemote = "true";
+ safe.directory = "${config.secrets.nixConfigFolder}/.git";
+ submodule.recurse = true;
 };
 };
diff --git a/modules/users/root/default.nix b/modules/users/root/default.nix
index a8c6062..cfc3fc6 100644
--- a/modules/users/root/default.nix
+++ b/modules/users/root/default.nix
@@ -1,20 +1,10 @@
-{ config, lib, ... }:
+{ ... }:
 {
- # Give root user access to run remote builds
 home-manager.users.root = {
 home.stateVersion = "24.05";
- programs = {
- git.extraConfig = {
- safe.directory = "${config.secrets.nixConfigFolder}/.git";
- };
- ssh = {
- enable = true;
- matchBlocks = config.secrets.users.root.sshConfig;
- };
- zsh = {
- oh-my-zsh.theme = "kardan";
- shellAliases.nos = "nixos-operations-script";
- };
+ programs.zsh = {
+ oh-my-zsh.theme = "kardan";
+ shellAliases.nos = "nixos-operations-script";
 };
 };
 }
diff --git a/packages/airsonic-advanced.nix b/packages/airsonic-advanced.nix
deleted file mode 100644
index 3208420..0000000
--- a/packages/airsonic-advanced.nix
+++ /dev/null
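Review bot: The new `submodule.recurse = true;` line uses a Nix boolean while the existing `push.autoSetupRemote = "true";` two lines above uses a string; both render to the same gitconfig, but mixing the two forms in one `extraConfig` attrset reads as accidental. Either change the new line to match the existing string form or, preferably, drop the quotes on `push.autoSetupRemote = true;` so the whole block is consistent.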
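Review bot: The removed comment `# Give root user access to run remote builds` and root's `programs.ssh.matchBlocks` go away in the same commit that introduces `extraFlags = "--build-host hevana";` on Khanda's weekly autoUpgrade, so the remote build now depends on whichever user the upgrade timer actually runs nixos-rebuild as having an ssh host entry for `hevana`. Khanda sets `user = config.users.users.aires.name`, which suggests aires rather than root, but I cannot confirm from this diff how the custom autoUpgrade module invokes the script or whether any step still escalates to root. A one-line comment on Khanda's `extraFlags`, e.g. `# Requires an ssh host entry for "hevana" in the upgrade user's config`, would record the prerequisite that this hunk silently removes for root.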
@@ -1,33 +0,0 @@
-{
- lib,
- stdenv,
- fetchurl,
- nixosTests,
-}:
-
-stdenv.mkDerivation rec {
- pname = "airsonic-advanced";
- version = "11.1.4-SNAPSHOT.20240628143437";
-
- src = fetchurl {
- url = "https://github.com/kagemomiji/airsonic-advanced/releases/download/${version}/airsonic.war";
- sha256 = "fde2c921e26cf536405118c5114a2f42fe87ff0a019852f21c80f4c68a2431ee";
- };
-
- buildCommand = ''
- mkdir -p "$out/webapps"
- cp "$src" "$out/webapps/airsonic.war"
- '';
-
- passthru.tests = {
- airsonic-starts = nixosTests.airsonic;
- };
-
- meta = {
- description = "Free, web-based media streamer providing ubiquitous access to your music.";
- homepage = "https://github.com/kagemomiji/airsonic-advanced/";
- sourceProvenance = [ lib.sourceTypes.binaryBytecode ];
- license = lib.licenses.gpl3;
- platforms = lib.platforms.all;
- };
-}