2025-05-10 00:34:47 +01:00
parent 03011c7617
commit 0252a728d9
6 changed files with 354 additions and 3 deletions

flake.lock generated

@@ -430,6 +430,22 @@
"url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz"
} }
}, },
"nixpkgs-stable": {
"locked": {
"lastModified": 1746557022,
"narHash": "sha256-QkNoyEf6TbaTW5UZYX0OkwIJ/ZMeKSSoOMnSDPQuol0=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "1d3aeb5a193b9ff13f63f4d9cc169fb88129f860",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-24.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1717432640, "lastModified": 1717432640,
@@ -504,6 +520,7 @@
"i3utils": "i3utils", "i3utils": "i3utils",
"nixgl": "nixgl", "nixgl": "nixgl",
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs_3",
"nixpkgs-stable": "nixpkgs-stable",
"zen-browser": "zen-browser", "zen-browser": "zen-browser",
"zig": "zig" "zig": "zig"
} }


@@ -4,6 +4,8 @@
inputs = { inputs = {
nixpkgs.url = "nixpkgs/nixos-unstable"; nixpkgs.url = "nixpkgs/nixos-unstable";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11";
agenix.url = "github:ryantm/agenix"; agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs"; agenix.inputs.nixpkgs.follows = "nixpkgs";
@@ -30,6 +32,7 @@
outputs = { outputs = {
nixpkgs, nixpkgs,
nixpkgs-stable,
agenix, agenix,
devenv, devenv,
golink, golink,
@@ -80,10 +83,19 @@
hostSystem = { hostSystem = {
hostname, hostname,
headless, headless,
np,
}: }:
lib.nixosSystem { np.lib.nixosSystem {
inherit system; inherit system;
inherit pkgs; pkgs = import np {
inherit system;
config.allowUnfree = true;
overlays = overlays;
config.permittedInsecurePackages = [
"electron-25.9.0"
"jujutsu-0.23.0"
];
};
modules = [ modules = [
{nixpkgs.overlays = overlays;} {nixpkgs.overlays = overlays;}
@@ -112,30 +124,42 @@
dingbox = hostSystem { dingbox = hostSystem {
hostname = "dingbox"; hostname = "dingbox";
headless = false; headless = false;
np = nixpkgs;
}; };
elderbug = hostSystem { elderbug = hostSystem {
hostname = "elderbug"; hostname = "elderbug";
headless = false; headless = false;
np = nixpkgs;
}; };
miniding = hostSystem { miniding = hostSystem {
hostname = "miniding"; hostname = "miniding";
headless = false; headless = false;
np = nixpkgs;
}; };
pingbox = hostSystem { pingbox = hostSystem {
hostname = "pingbox"; hostname = "pingbox";
headless = false; headless = false;
np = nixpkgs;
}; };
dingserver = hostSystem { dingserver = hostSystem {
hostname = "dingserver"; hostname = "dingserver";
headless = true; headless = true;
np = nixpkgs;
}; };
bigding = hostSystem { bigding = hostSystem {
hostname = "bigding"; hostname = "bigding";
headless = true; headless = true;
np = nixpkgs;
}; };
sidon = hostSystem { sidon = hostSystem {
hostname = "sidon"; hostname = "sidon";
headless = false; headless = false;
np = nixpkgs;
};
ranni = hostSystem {
hostname = "ranni";
headless = false;
np = nixpkgs-stable;
}; };
}; };
homeConfigurations = { homeConfigurations = {
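Review bot: The permitted-insecure allowlist inside the new `pkgs = import np { ... }` block now applies to every host built through hostSystem, including the stable-pinned ranni, instead of only to whichever host actually installs electron-25.9.0 or jujutsu-0.23.0. Since `np` is already a per-host argument, the list can be one too: add `insecure ? [],` to hostSystem's argument set, write `config.permittedInsecurePackages = insecure;`, and pass the two names only from the host that needs them, with a comment on each entry naming the package that pulls it in so it can be dropped later. Overlays also appear twice now, once in `import np { overlays = overlays; }` and once in the `{nixpkgs.overlays = overlays;}` module; when nixpkgs.pkgs is supplied NixOS extends it with nixpkgs.overlays again, so this looks like a duplicate application worth confirming. hostSystem's body continues past the end of the hunk.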


@@ -0,0 +1,253 @@
{
config,
pkgs,
lib,
...
}: let
mkVHost = baseUrl: {
service,
port,
}: {
name = "${service}.${baseUrl}";
value = {
listenAddresses = ["100.91.249.54"];
extraConfig = ''
tls {
dns porkbun {
api_key {env.PORKBUN_API_KEY}
api_secret_key {env.PORKBUN_SECRET_KEY}
}
}
reverse_proxy localhost:${builtins.toString port}
'';
};
};
mkVHosts = baseUrl: hosts: builtins.listToAttrs (builtins.map (mkVHost baseUrl) hosts);
zfsCompatibleKernelPackages =
lib.filterAttrs (
name: kernelPackages:
(builtins.match "linux_[0-9]+_[0-9]+" name)
!= null
&& (builtins.tryEval kernelPackages).success
&& (!kernelPackages.${config.boot.zfs.package.kernelModuleAttribute}.meta.broken)
)
pkgs.linuxKernel.packages;
latestKernelPackage = lib.last (
lib.sort (a: b: (lib.versionOlder a.kernel.version b.kernel.version)) (
builtins.attrValues zfsCompatibleKernelPackages
)
);
in {
imports = [
../common
./hardware-configuration.nix
(import ../../modules).ranni
];
boot.kernelPackages = lib.mkForce latestKernelPackage;
boot.loader.systemd-boot.enable = false;
boot.loader.grub = {
enable = true;
efiSupport = false;
devices = ["/dev/disk/by-id/ata-ST4000NM0245-1Z2107_ZC1A059L" "/dev/disk/by-id/ata-ST4000NM0245-1Z2107_ZC19X508"];
copyKernels = true;
};
boot.supportedFilesystems = ["zfs"];
boot.swraid.enable = true;
boot.kernelParams = ["boot.shell_on_fail"];
networking = {
hostName = "ranni";
hostId = "00000001";
useDHCP = false;
interfaces."enp0s31f6" = {
ipv4.addresses = [
{
address = "95.216.12.238";
# Hetzner requires /32, see:
# https://docs.hetzner.com/robot/dedicated-server/network/net-config-debian-ubuntu/#ipv4.
# NixOS automatically sets up a route to the gateway
# (but only because we set "networking.defaultGateway.interface" below), see
# https://github.com/NixOS/nixops/pull/1032#issuecomment-2763497444
prefixLength = 32;
}
];
ipv6.addresses = [
{
address = "2a01:4f9:2a:d05::1";
prefixLength = 64;
}
];
};
defaultGateway = {
address = "95.216.12.193";
# Interface must be given for Hetzner networking to work, see comment above.
interface = "enp0s31f6";
};
defaultGateway6 = {
address = "fe80::1";
interface = "enp0s31f6";
};
nameservers = [
# cloudflare
"1.1.1.1"
"2606:4700:4700::1111"
"2606:4700:4700::1001"
# google
"8.8.8.8"
"2001:4860:4860::8888"
"2001:4860:4860::8844"
];
firewall = {
allowedTCPPorts = [80 8448 443];
allowedTCPPortRanges = [
{
from = 12500;
to = 12515;
}
];
allowedUDPPortRanges = [
{
from = 12500;
to = 12515;
}
];
interfaces = {
"tailscale0" = {
allowedUDPPorts = [41641];
};
};
};
};
services.tailscale.permitCertUid = "caddy";
services.syncthing = {
settings = {
gui = {
insecureSkipHostcheck = true;
};
};
guiAddress = "localhost:8387";
};
users.groups."media".name = "media";
# age.secrets = {
# caddy_porkbun_api_env.file = ../../secrets/caddy_porkbun_api_env.age;
# };
# services.sabnzbd = {
# enable = true;
# group = "media";
# };
# services.radarr = {
# enable = true;
# group = "media";
# };
# services.caddy = {
# enable = true;
# enableReload = false;
# environmentFile = config.age.secrets.caddy_porkbun_api_env.path;
# package = pkgs.caddy.withPlugins {
# plugins = ["github.com/caddy-dns/porkbun@v0.2.1"];
# hash = "sha256-X8QbRc2ahW1B5niV8i3sbfpe1OPYoaQ4LwbfeaWvfjg=";
# };
# logFormat = "level INFO";
# virtualHosts =
# (mkVHosts "broccoli.town" [
# {
# service = "radarr";
# port = 7878;
# }
# {
# service = "sonarr";
# port = 8989;
# }
# {
# service = "sab";
# port = 8085;
# }
# {
# service = "transmission";
# port = 9091;
# }
# ])
# // {
# "danielpatterson.dev" = {
# extraConfig = ''
# header {
# proof proven.lol/de4a14
# }
# root * /srv/site/danielpatterson.dev
# encode zstd gzip
# file_server
# '';
# };
# "movies.danielpatterson.dev" = {
# extraConfig = ''
# reverse_proxy localhost:8096
# '';
# };
# "git.broccoli.town" = {
# extraConfig = ''
# reverse_proxy localhost:3030
# '';
# };
# };
# };
# containers.radarr = {
# autoStart = false;
# bindMounts = {
# "/data" = {
# hostPath = "/var/media";
# mountPoint = "/data";
# isReadOnly = false;
# };
# };
# forwardPorts = [
# {
# containerPort = 7878;
# hostPort = 7979;
# }
# ];
# config = {config, pkgs, lib, ...}: {
# services.radarr = {
# enable = true;
# };
# };
# };
# services.sonarr = {
# enable = true;
# group = "media";
# };
# services.prowlarr = {
# enable = true;
# };
environment.systemPackages = with pkgs; [
helix
kitty # For terminfo
lazygit
];
system.stateVersion = "24.11"; # Did you read the comment?
}
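Review bot: The firewall block opens TCP 80, 443 and 8448 plus TCP and UDP 12500-12515 on every interface of a host with a public Hetzner address, yet every service that would answer on those ports (caddy and the media services) is commented out in this same file, so nothing here documents what the holes are for. I would either keep `allowedTCPPorts` and the two port ranges empty until those services are enabled, or put a comment on each entry naming its listener, e.g. `# 80/443: caddy vhosts; 8448: <listener> — not yet enabled`. Two other settings deserve a why-comment: `insecureSkipHostcheck = true` disables Syncthing's Host-header check on the GUI, which is only acceptable while `guiAddress` stays on localhost and is reached through a forwarder, and `boot.kernelParams = ["boot.shell_on_fail"]` drops to an unauthenticated root shell in stage 1 on boot failure, which on a remote server is reachable from whatever console the provider exposes. `mkVHost` and `mkVHosts`, with the hard-coded listen address `100.91.249.54`, are unused while the Caddy block is commented out, so they are dead code in this revision.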


@@ -0,0 +1,53 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["ahci" "sd_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
fileSystems."/" = {
device = "root_pool/root/nixos";
fsType = "zfs";
};
fileSystems."/home" = {
device = "root_pool/home";
fsType = "zfs";
};
fileSystems."/var/lib/postgres" = {
device = "root_pool/postgres";
fsType = "zfs";
};
fileSystems."/boot/efi" = {
device = "/dev/disk/by-uuid/555A-CAFA";
fsType = "vfat";
options = ["fmask=0022" "dmask=0022"];
};
swapDevices = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eth0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
boot.swraid.enable = true;
}


@@ -25,4 +25,6 @@
pingbox = { pingbox = {
}; };
ranni = {};
} }


@@ -14,7 +14,9 @@ let
system3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMzy0KqakqljVqgA4lvfTt65cikgPOKFvBXF0WS0LxGP root@pingbox"; system3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMzy0KqakqljVqgA4lvfTt65cikgPOKFvBXF0WS0LxGP root@pingbox";
# bigding # bigding
system4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINxzzoExkmb0kP+6OS2omcoa8xe1ETc+FAhU5gBuBUDR root@bigding"; system4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINxzzoExkmb0kP+6OS2omcoa8xe1ETc+FAhU5gBuBUDR root@bigding";
systems = [system1 system2 system3 system4]; # ranni
system5 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII8aTDf4ue+ug3acFaN/3oU2UddC2WKFdj/QV/78b5jB root@ranni";
systems = [system1 system2 system3 system4 system5];
in { in {
"rclone_password1.age".publicKeys = users ++ [system2 system4]; "rclone_password1.age".publicKeys = users ++ [system2 system4];
"rclone_password2.age".publicKeys = users ++ [system2 system4]; "rclone_password2.age".publicKeys = users ++ [system2 system4];