From 0252a728d940f853ae284f8c923c597159db8807 Mon Sep 17 00:00:00 2001
From: Daniel Patterson
Date: Sat, 10 May 2025 00:34:47 +0100
Subject: [PATCH] Ranni

---
 flake.lock | 17 ++
 flake.nix | 28 ++-
 hosts/ranni/configuration.nix | 253 +++++++++++++++++++++++++
 hosts/ranni/hardware-configuration.nix | 53 ++++++
 modules/default.nix | 2 +
 secrets/secrets.nix | 4 +-
 6 files changed, 354 insertions(+), 3 deletions(-)
 create mode 100644 hosts/ranni/configuration.nix
 create mode 100644 hosts/ranni/hardware-configuration.nix

diff --git a/flake.lock b/flake.lock
index bd44495..02982f1 100644
--- a/flake.lock
+++ b/flake.lock
@@ -430,6 +430,22 @@
         "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz"
       }
     },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1746557022,
+        "narHash": "sha256-QkNoyEf6TbaTW5UZYX0OkwIJ/ZMeKSSoOMnSDPQuol0=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "1d3aeb5a193b9ff13f63f4d9cc169fb88129f860",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-24.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nixpkgs_2": {
       "locked": {
         "lastModified": 1717432640,
@@ -504,6 +520,7 @@
         "i3utils": "i3utils",
         "nixgl": "nixgl",
         "nixpkgs": "nixpkgs_3",
+        "nixpkgs-stable": "nixpkgs-stable",
         "zen-browser": "zen-browser",
         "zig": "zig"
       }
diff --git a/flake.nix b/flake.nix
index dfebab0..7e5ce38 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,6 +4,8 @@
   inputs = {
     nixpkgs.url = "nixpkgs/nixos-unstable";
+    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11";
+
     agenix.url = "github:ryantm/agenix";
     agenix.inputs.nixpkgs.follows = "nixpkgs";
@@ -30,6 +32,7 @@
   outputs = {
     nixpkgs,
+    nixpkgs-stable,
     agenix,
     devenv,
     golink,
@@ -80,10 +83,19 @@
     hostSystem = {
       hostname,
       headless,
+      np,
     }:
-      lib.nixosSystem {
+      np.lib.nixosSystem {
         inherit system;
-        inherit pkgs;
+        pkgs = import np {
+          inherit system;
+          config.allowUnfree = true;
+          overlays = overlays;
+          config.permittedInsecurePackages = [
+            "electron-25.9.0"
+            "jujutsu-0.23.0"
+          ];
+        };
         modules = [
           {nixpkgs.overlays = overlays;}
@@ -112,30 +124,42 @@
     dingbox = hostSystem {
       hostname = "dingbox";
       headless = false;
+      np = nixpkgs;
     };
     elderbug = hostSystem {
       hostname = "elderbug";
       headless = false;
+      np = nixpkgs;
     };
     miniding = hostSystem {
       hostname = "miniding";
       headless = false;
+      np = nixpkgs;
     };
     pingbox = hostSystem {
       hostname = "pingbox";
       headless = false;
+      np = nixpkgs;
     };
     dingserver = hostSystem {
       hostname = "dingserver";
       headless = true;
+      np = nixpkgs;
     };
     bigding = hostSystem {
       hostname = "bigding";
       headless = true;
+      np = nixpkgs;
     };
     sidon = hostSystem {
       hostname = "sidon";
       headless = false;
+      np = nixpkgs;
+    };
+    ranni = hostSystem {
+      hostname = "ranni";
+      headless = false;
+      np = nixpkgs-stable;
     };
   };
   homeConfigurations = {
diff --git a/hosts/ranni/configuration.nix b/hosts/ranni/configuration.nix
new file mode 100644
index 0000000..47948f4
--- /dev/null
+++ b/hosts/ranni/configuration.nix
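Review bot: `config.permittedInsecurePackages = ["electron-25.9.0" "jujutsu-0.23.0"]` inside the new `pkgs = import np { … }` now applies to every host, including the two headless servers and the new stable-channel host ranni, instead of only where those packages are installed. Consider making it a parameter of `hostSystem` with an empty default — `permittedInsecure ? [],` in the argument set and `config.permittedInsecurePackages = permittedInsecure;` in the import — so each host's call site documents the insecure packages it actually runs. The `overlays = overlays;` here also duplicates the `{nixpkgs.overlays = overlays;}` module on the following context line; as far as I recall, NixOS extends an externally supplied `pkgs` with `nixpkgs.overlays` again, so the overlays would be applied twice — harmless only if they are idempotent, so verify and drop one of the two. The `modules` list continues past the hunk.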
@@ -0,0 +1,253 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  mkVHost = baseUrl: {
+    service,
+    port,
+  }: {
+    name = "${service}.${baseUrl}";
+    value = {
+      listenAddresses = ["100.91.249.54"];
+      extraConfig = ''
+        tls {
+          dns porkbun {
+            api_key {env.PORKBUN_API_KEY}
+            api_secret_key {env.PORKBUN_SECRET_KEY}
+          }
+        }
+
+        reverse_proxy localhost:${builtins.toString port}
+      '';
+    };
+  };
+
+  mkVHosts = baseUrl: hosts: builtins.listToAttrs (builtins.map (mkVHost baseUrl) hosts);
+
+  zfsCompatibleKernelPackages =
+    lib.filterAttrs (
+      name: kernelPackages:
+        (builtins.match "linux_[0-9]+_[0-9]+" name)
+        != null
+        && (builtins.tryEval kernelPackages).success
+        && (!kernelPackages.${config.boot.zfs.package.kernelModuleAttribute}.meta.broken)
+    )
+    pkgs.linuxKernel.packages;
+
+  latestKernelPackage = lib.last (
+    lib.sort (a: b: (lib.versionOlder a.kernel.version b.kernel.version)) (
+      builtins.attrValues zfsCompatibleKernelPackages
+    )
+  );
+in {
+  imports = [
+    ../common
+    ./hardware-configuration.nix
+
+    (import ../../modules).ranni
+  ];
+
+  boot.kernelPackages = lib.mkForce latestKernelPackage;
+
+  boot.loader.systemd-boot.enable = false;
+  boot.loader.grub = {
+    enable = true;
+    efiSupport = false;
+    devices = ["/dev/disk/by-id/ata-ST4000NM0245-1Z2107_ZC1A059L" "/dev/disk/by-id/ata-ST4000NM0245-1Z2107_ZC19X508"];
+    copyKernels = true;
+  };
+  boot.supportedFilesystems = ["zfs"];
+  boot.swraid.enable = true;
+  boot.kernelParams = ["boot.shell_on_fail"];
+
+  networking = {
+    hostName = "ranni";
+    hostId = "00000001";
+
+    useDHCP = false;
+
+    interfaces."enp0s31f6" = {
+      ipv4.addresses = [
+        {
+          address = "95.216.12.238";
+          # Hetzner requires /32, see:
+          # https://docs.hetzner.com/robot/dedicated-server/network/net-config-debian-ubuntu/#ipv4.
+          # NixOS automatically sets up a route to the gateway
+          # (but only because we set "networking.defaultGateway.interface" below), see
+          # https://github.com/NixOS/nixops/pull/1032#issuecomment-2763497444
+          prefixLength = 32;
+        }
+      ];
+
+      ipv6.addresses = [
+        {
+          address = "2a01:4f9:2a:d05::1";
+          prefixLength = 64;
+        }
+      ];
+    };
+
+    defaultGateway = {
+      address = "95.216.12.193";
+      # Interface must be given for Hetzner networking to work, see comment above.
+      interface = "enp0s31f6";
+    };
+
+    defaultGateway6 = {
+      address = "fe80::1";
+      interface = "enp0s31f6";
+    };
+
+    nameservers = [
+      # cloudflare
+      "1.1.1.1"
+      "2606:4700:4700::1111"
+      "2606:4700:4700::1001"
+      # google
+      "8.8.8.8"
+      "2001:4860:4860::8888"
+      "2001:4860:4860::8844"
+    ];
+
+    firewall = {
+      allowedTCPPorts = [80 8448 443];
+      allowedTCPPortRanges = [
+        {
+          from = 12500;
+          to = 12515;
+        }
+      ];
+      allowedUDPPortRanges = [
+        {
+          from = 12500;
+          to = 12515;
+        }
+      ];
+      interfaces = {
+        "tailscale0" = {
+          allowedUDPPorts = [41641];
+        };
+      };
+    };
+  };
+
+  services.tailscale.permitCertUid = "caddy";
+
+  services.syncthing = {
+    settings = {
+      gui = {
+        insecureSkipHostcheck = true;
+      };
+    };
+    guiAddress = "localhost:8387";
+  };
+
+  users.groups."media".name = "media";
+
+  # age.secrets = {
+  #   caddy_porkbun_api_env.file = ../../secrets/caddy_porkbun_api_env.age;
+  # };
+
+  # services.sabnzbd = {
+  #   enable = true;
+  #   group = "media";
+  # };
+
+  # services.radarr = {
+  #   enable = true;
+  #   group = "media";
+  # };
+
+  # services.caddy = {
+  #   enable = true;
+  #   enableReload = false;
+  #   environmentFile = config.age.secrets.caddy_porkbun_api_env.path;
+  #   package = pkgs.caddy.withPlugins {
+  #     plugins = ["github.com/caddy-dns/porkbun@v0.2.1"];
+  #     hash = "sha256-X8QbRc2ahW1B5niV8i3sbfpe1OPYoaQ4LwbfeaWvfjg=";
+  #   };
+  #   logFormat = "level INFO";
+  #   virtualHosts =
+  #     (mkVHosts "broccoli.town" [
+  #       {
+  #         service = "radarr";
+  #         port = 7878;
+  #       }
+  #       {
+  #         service = "sonarr";
+  #         port = 8989;
+  #       }
+  #       {
+  #         service = "sab";
+  #         port = 8085;
+  #       }
+  #       {
+  #         service = "transmission";
+  #         port = 9091;
+  #       }
+  #     ])
+  #     // {
+  #       "danielpatterson.dev" = {
+  #         extraConfig = ''
+  #           header {
+  #             proof proven.lol/de4a14
+  #           }
+  #           root * /srv/site/danielpatterson.dev
+  #           encode zstd gzip
+  #           file_server
+  #         '';
+  #       };
+  #       "movies.danielpatterson.dev" = {
+  #         extraConfig = ''
+  #           reverse_proxy localhost:8096
+  #         '';
+  #       };
+  #       "git.broccoli.town" = {
+  #         extraConfig = ''
+  #           reverse_proxy localhost:3030
+  #         '';
+  #       };
+  #     };
+  # };
+
+  # containers.radarr = {
+  #   autoStart = false;
+  #   bindMounts = {
+  #     "/data" = {
+  #       hostPath = "/var/media";
+  #       mountPoint = "/data";
+  #       isReadOnly = false;
+  #     };
+  #   };
+  #   forwardPorts = [
+  #     {
+  #       containerPort = 7878;
+  #       hostPort = 7979;
+  #     }
+  #   ];
+  #   config = {config, pkgs, lib, ...}: {
+  #     services.radarr = {
+  #       enable = true;
+  #     };
+  #   };
+  # };
+
+  # services.sonarr = {
+  #   enable = true;
+  #   group = "media";
+  # };
+
+  # services.prowlarr = {
+  #   enable = true;
+  # };
+
+  environment.systemPackages = with pkgs; [
+    helix
+    kitty # For terminfo
+    lazygit
+  ];
+
+  system.stateVersion = "24.11"; # Did you read the comment?
+}
diff --git a/hosts/ranni/hardware-configuration.nix b/hosts/ranni/hardware-configuration.nix
new file mode 100644
index 0000000..518fd62
--- /dev/null
+++ b/hosts/ranni/hardware-configuration.nix
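Review bot: `insecureSkipHostcheck = true` in `services.syncthing.settings.gui` turns off Syncthing's Host-header validation, which is its protection against DNS-rebinding attacks on the GUI; with `guiAddress = "localhost:8387"` that check only gets in the way if the GUI is reached through a proxy, and then the proxy should forward the expected `Host` rather than the check being disabled (this assumes syncthing is enabled in `../common`, which is outside the hunk). `boot.kernelParams = ["boot.shell_on_fail"]` gives whoever has console access — on a Hetzner dedicated server, the remote KVM and rescue path — an unauthenticated root shell in the initrd on any boot failure, so it should come out once the install is verified, with a comment saying why if it has to stay. The `networking.firewall` block opens 80/443/8448 and 12500–12515 TCP+UDP on every interface while every service that would listen there (caddy, sabnzbd, the *arr services) is commented out, so I'd comment each port with the service it is for and open it alongside that service when it is enabled. Roughly a hundred lines of commented-out service configuration would be easier to maintain in git history or behind a single enable flag than inline.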
@@ -0,0 +1,53 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["ahci" "sd_mod"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = ["kvm-intel"];
+  boot.extraModulePackages = [];
+
+  fileSystems."/" = {
+    device = "root_pool/root/nixos";
+    fsType = "zfs";
+  };
+
+  fileSystems."/home" = {
+    device = "root_pool/home";
+    fsType = "zfs";
+  };
+
+  fileSystems."/var/lib/postgres" = {
+    device = "root_pool/postgres";
+    fsType = "zfs";
+  };
+
+  fileSystems."/boot/efi" = {
+    device = "/dev/disk/by-uuid/555A-CAFA";
+    fsType = "vfat";
+    options = ["fmask=0022" "dmask=0022"];
+  };
+
+  swapDevices = [];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  boot.swraid.enable = true;
+}
diff --git a/modules/default.nix b/modules/default.nix
index d678497..afbcdb6 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -25,4 +25,6 @@
   pingbox = {
   };
+
+  ranni = {};
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 7166ad4..9168ec4 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -14,7 +14,9 @@ let
   system3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMzy0KqakqljVqgA4lvfTt65cikgPOKFvBXF0WS0LxGP root@pingbox";
   # bigding
   system4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINxzzoExkmb0kP+6OS2omcoa8xe1ETc+FAhU5gBuBUDR root@bigding";
-  systems = [system1 system2 system3 system4];
+  # ranni
+  system5 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII8aTDf4ue+ug3acFaN/3oU2UddC2WKFdj/QV/78b5jB root@ranni";
+  systems = [system1 system2 system3 system4 system5];
 in {
   "rclone_password1.age".publicKeys = users ++ [system2 system4];
   "rclone_password2.age".publicKeys = users ++ [system2 system4];
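Review bot: `system5` is added to `systems`, but no secret in the visible part of the file grants it, and ranni's configuration only references `caddy_porkbun_api_env` (and that only in commented-out code); if `systems` is used as a recipient list further down, every secret keyed to it becomes decryptable by the new host. Recipients are better added per secret, as the existing `users ++ [system2 system4]` entries do, so each `.age` file's public-key list states exactly which hosts can read it. Any secret whose recipient set does grow also needs re-encrypting (`agenix --rekey`) for the new key to take effect, which is not part of this patch. The `in { … }` body continues past the hunk.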