diff --git a/flake.nix b/flake.nix
index 4dbb568..095c125 100644
--- a/flake.nix
+++ b/flake.nix
@@ -13,205 +13,200 @@ agenix.url = "github:yaxitech/ragenix"; }; - outputs = inputs @ { - self, - nixpkgs, - home-manager, - microvm, - agenix, - ... - }: let - system = "x86_64-linux"; - username = "tbarnouin"; - proxy_host = "192.168.1.40"; - pgsql_host = "192.168.1.13"; - in { - nixosConfigurations = { - nixmox-curiosity = nixpkgs.lib.nixosSystem { - inherit system; - modules = [ - agenix.nixosModules.default - ./hosts/nixmox-curiosity/configuration.nix - { - networking.hostName = "nixmox-curiosity"; - } - home-manager.nixosModules.home-manager - { - home-manager.useGlobalPkgs = true; - home-manager.useUserPackages = true; - home-manager.users.${username} = import ./hosts/nixmox-curiosity/home.nix; - } - microvm.nixosModules.host - { - microvm = { - autostart = []; - vms = {}; - }; - } - ]; - - specialArgs = { - inherit inputs; - inherit username; - inherit proxy_host; - inherit pgsql_host; + outputs = inputs@{ self, nixpkgs, home-manager, microvm, agenix, ... }: + let + system = "x86_64-linux"; + username = "tbarnouin"; + proxy_host = "192.168.1.40"; + pgsql_host = "192.168.1.13"; + in + { + nixosConfigurations = { + nixmox-curiosity = nixpkgs.lib.nixosSystem { inherit system; + modules = [ + agenix.nixosModules.default + ./hosts/nixmox-curiosity/configuration.nix + { + networking.hostName = "nixmox-curiosity"; + } + home-manager.nixosModules.home-manager + { + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + home-manager.users.${username} = import ./hosts/nixmox-curiosity/home.nix; + } + microvm.nixosModules.host + { + microvm = { + autostart = []; + vms = {}; + }; + } + ]; + + specialArgs = { + inherit inputs; + inherit username; + inherit proxy_host; + inherit pgsql_host; + inherit system; + }; + }; + nginx = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + agenix.nixosModules.default + "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" + "${inputs.self}/systems/minimalLXCConfig.nix" + 
"${inputs.self}/services" + { + networking.hostName = "nginx"; + services.vm_nginx = { + enable = true; + }; + } + ]; + }; + onlyoffice = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + agenix.nixosModules.default + "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" + "${inputs.self}/systems/minimalLXCConfig.nix" + "${inputs.self}/services" + { + networking.hostName = "onlyoffice"; + services.vm_onlyoffice = { + enable = true; + pgsql_ip = pgsql_host; + }; + } + ]; + }; +# template = nixpkgs.lib.nixosSystem { +# inherit system; +# modules = [ +# agenix.nixosModules.default +# "${inputs.self}/systems/minimalVMConfig.nix" +# { +# networking.hostName = "nixos"; +# } +# ]; +# }; + jellyfin = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + agenix.nixosModules.default + microvm.nixosModules.microvm + "${inputs.self}/systems/minimalVMConfig.nix" + "${inputs.self}/services" + { + services.vm_jellyfin = { + enable = true; + }; + } + ]; + }; + redis = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + agenix.nixosModules.default + "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" + "${inputs.self}/systems/minimalLXCConfig.nix" + "${inputs.self}/services" + { + networking.hostName = "redis"; + services.vm_redis = { + enable = true; + }; + } + ]; + }; + grafana-lxc = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + agenix.nixosModules.default + "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" + "${inputs.self}/systems/minimalLXCConfig.nix" + "${inputs.self}/services" + { + services.vm_grafana = { + enable = true; + vm_ip = "192.168.1.27"; + proxy_ip = proxy_host; + pgsql_ip = pgsql_host; + }; + } + ]; + }; + grafana = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + agenix.nixosModules.default + microvm.nixosModules.microvm + "${inputs.self}/systems/minimalMicrovmConfig.nix" + "${inputs.self}/services" + { + services.vm_grafana = { + enable = true; + vm_ip = "192.168.1.27"; + 
proxy_ip = proxy_host; + pgsql_ip = pgsql_host; + }; + services.micro_vm = { + enable = true; + hostname = "grafana"; + vm_ip = "192.168.1.20"; + vm_cpu = 1; + vm_mem = 512; + macAddr = "02:00:00:00:00:20"; + }; + } + ]; + }; + authentik = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + agenix.nixosModules.default + inputs.authentik-nix.nixosModules.default + { + services.authentik = { + enable = true; + environmentFile = "/run/secrets/authentik/authentik-env"; + settings = { + disable_startup_analytics = true; + avatars = "initials"; + }; + }; + services.vm_authentik = { + enable = true; + }; + } + microvm.nixosModules.microvm + "${inputs.self}/systems/minimalMicrovmConfig.nix" + "${inputs.self}/services" + { + microvm = { + volumes = [ + { + mountPoint = "/media"; + image = "/var/lib/microvms/authentik/media.img"; + size = 2048; + } + ]; + }; + services.micro_vm = { + enable = true; + hostname = "authentik"; + vm_ip = "192.168.1.25"; + vm_cpu = 2; + vm_mem = 2048; + macAddr = "02:00:00:00:00:25"; + }; + } + ]; }; }; - nginx = nixpkgs.lib.nixosSystem { - inherit system; - modules = [ - agenix.nixosModules.default - "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" - "${inputs.self}/systems/minimalLXCConfig.nix" - "${inputs.self}/services" - { - networking.hostName = "nginx"; - services.vm_nginx = { - enable = true; - }; - } - ]; - }; - onlyoffice = nixpkgs.lib.nixosSystem { - inherit system; - modules = [ - agenix.nixosModules.default - "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" - "${inputs.self}/systems/minimalLXCConfig.nix" - "${inputs.self}/services" - { - networking.hostName = "onlyoffice"; - services.vm_onlyoffice = { - enable = true; - pgsql_ip = pgsql_host; - }; - } - ]; - }; - # template = nixpkgs.lib.nixosSystem { - # inherit system; - # modules = [ - # agenix.nixosModules.default - # "${inputs.self}/systems/minimalVMConfig.nix" - # { - # networking.hostName = "nixos"; - # } - # ]; - # }; - jellyfin = 
nixpkgs.lib.nixosSystem { - inherit system; - modules = [ - agenix.nixosModules.default - microvm.nixosModules.microvm - "${inputs.self}/systems/minimalVMConfig.nix" - "${inputs.self}/services" - { - services.vm_jellyfin = { - enable = true; - }; - } - ]; - }; - redis = nixpkgs.lib.nixosSystem { - inherit system; - modules = [ - agenix.nixosModules.default - "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" - "${inputs.self}/systems/minimalLXCConfig.nix" - "${inputs.self}/services" - { - networking.hostName = "redis"; - services.vm_redis = { - enable = true; - }; - } - ]; - }; - grafana-lxc = nixpkgs.lib.nixosSystem { - inherit system; - modules = [ - agenix.nixosModules.default - "${inputs.nixpkgs}/nixos/modules/virtualisation/proxmox-lxc.nix" - "${inputs.self}/systems/minimalLXCConfig.nix" - "${inputs.self}/services" - { - services.vm_grafana = { - enable = true; - vm_ip = "192.168.1.27"; - proxy_ip = proxy_host; - pgsql_ip = pgsql_host; - }; - } - ]; - }; - grafana = nixpkgs.lib.nixosSystem { - inherit system; - modules = [ - agenix.nixosModules.default - microvm.nixosModules.microvm - "${inputs.self}/systems/minimalMicrovmConfig.nix" - "${inputs.self}/services" - { - services.vm_grafana = { - enable = true; - vm_ip = "192.168.1.27"; - proxy_ip = proxy_host; - pgsql_ip = pgsql_host; - }; - services.micro_vm = { - enable = true; - hostname = "grafana"; - vm_ip = "192.168.1.20"; - vm_cpu = 1; - vm_mem = 512; - macAddr = "02:00:00:00:00:20"; - }; - } - ]; - }; - authentik = nixpkgs.lib.nixosSystem { - inherit system; - modules = [ - agenix.nixosModules.default - inputs.authentik-nix.nixosModules.default - { - services.authentik = { - enable = true; - environmentFile = "/run/secrets/authentik/authentik-env"; - settings = { - disable_startup_analytics = true; - avatars = "initials"; - }; - }; - services.vm_authentik = { - enable = true; - }; - } - microvm.nixosModules.microvm - "${inputs.self}/systems/minimalMicrovmConfig.nix" - 
"${inputs.self}/services" - { - microvm = { - volumes = [ - { - mountPoint = "/media"; - image = "/var/lib/microvms/authentik/media.img"; - size = 2048; - } - ]; - }; - services.micro_vm = { - enable = true; - hostname = "authentik"; - vm_ip = "192.168.1.25"; - vm_cpu = 2; - vm_mem = 2048; - macAddr = "02:00:00:00:00:25"; - }; - } - ]; - }; }; - }; } diff --git a/hosts/nixmox-curiosity/configuration.nix b/hosts/nixmox-curiosity/configuration.nix index a71b9c4..b3d58ff 100644 --- a/hosts/nixmox-curiosity/configuration.nix +++ b/hosts/nixmox-curiosity/configuration.nix @@ -1,15 +1,11 @@ -{ - config, - lib, - pkgs, - ... -}: { - imports = [./hardware-configuration.nix]; +{ config, lib, pkgs, ... }: + +{ imports = [ ./hardware-configuration.nix ]; nix = { settings = { - experimental-features = ["nix-command" "flakes"]; - trusted-users = ["@wheel"]; + experimental-features = [ "nix-command" "flakes" ]; + trusted-users = [ "@wheel" ]; auto-optimise-store = true; }; gc = { @@ -21,9 +17,9 @@ security.sudo.wheelNeedsPassword = false; - networking = { + networking= { useNetworkd = true; - firewall.allowedTCPPorts = [22]; + firewall.allowedTCPPorts = [ 22 ]; }; systemd.network = { @@ -108,4 +104,5 @@ }; system.stateVersion = "24.11"; # Did you read the comment? + } diff --git a/hosts/nixmox-curiosity/hardware-configuration.nix b/hosts/nixmox-curiosity/hardware-configuration.nix index ca9f744..f1d478b 100644 --- a/hosts/nixmox-curiosity/hardware-configuration.nix +++ b/hosts/nixmox-curiosity/hardware-configuration.nix 
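Review bot: The `inherit system;` added to `specialArgs` of the nixmox-curiosity configuration is the only semantic change in a hunk that otherwise only re-indents, so it should be named in the commit message or split into its own commit. It appears to be what makes the `{ lib, system, ... }:` header of hosts/nixmox-curiosity/hardware-configuration.nix resolve; if so, `system` is not a standard module argument, so none of the other `nixosSystem` entries in this file (nginx, grafana, authentik, …) could import a module with that signature without the same `specialArgs`, and a comment such as `# needed by hosts/*/hardware-configuration.nix, which takes 'system' as an argument` would save the next reader a lookup. Separately, the commented-out `template` block now starts at column 0 (`+# template = nixpkgs.lib.nixosSystem {`) while everything around it is indented; re-indent it or drop it.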
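Review bot: `networking= {` on the new side of the `@@ -21,9 +17,9 @@` hunk drops the space before `=`, which no other attribute in the file does; it should read `networking = {`. The same hand-edited look recurs in hosts/nixmox-perseverance/configuration.nix (same hunk), as `age.secrets ={` in services/grafana/default.nix, as `interfaces = [ {` in systems/minimalMicrovmConfig.nix, and in the unspaced `{lib, config, modulesPath, ...}:` headers of services/minimalConfig/lxc.nix and vm.nix, while every other module header in the commit is written `{ lib, config, ... }:`. Since the commit's purpose is a reformat, running a single formatter over the whole tree and committing its output would make these consistent and keep later diffs free of whitespace noise.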
@@ -1,15 +1,13 @@ +{ lib, system, ... }: + { - lib, - system, - ... -}: { boot = { # use latest kernel # kernelPackages = pkgs.linuxPackages_latest; - supportedFilesystems = ["ext4" "btrfs" "xfs" "fat" "vfat" "cifs" "nfs"]; + supportedFilesystems = [ "ext4" "btrfs" "xfs" "fat" "vfat" "cifs" "nfs" ]; growPartition = true; - kernelModules = ["kvm-intel"]; - kernelParams = lib.mkForce []; + kernelModules = [ "kvm-intel" ]; + kernelParams = lib.mkForce [ ]; loader = { grub = { @@ -22,8 +20,8 @@ }; initrd = { - availableKernelModules = ["9p" "9pnet_virtio" "ata_piix" "uhci_hcd" "virtio_blk" "virtio_mmio" "virtio_net" "virtio_pci" "virtio_scsi"]; - kernelModules = ["virtio_balloon" "virtio_console" "virtio_rng"]; + availableKernelModules = [ "9p" "9pnet_virtio" "ata_piix" "uhci_hcd" "virtio_blk" "virtio_mmio" "virtio_net" "virtio_pci" "virtio_scsi" ]; + kernelModules = [ "virtio_balloon" "virtio_console" "virtio_rng" ]; }; tmp.cleanOnBoot = true; @@ -47,6 +45,7 @@ }; }; + services.fstrim = { enable = true; interval = "weekly"; diff --git a/hosts/nixmox-curiosity/home.nix b/hosts/nixmox-curiosity/home.nix index 07adba1..5173e23 100644 --- a/hosts/nixmox-curiosity/home.nix +++ b/hosts/nixmox-curiosity/home.nix @@ -1,8 +1,5 @@ +{ config, pkgs, ... }: { - config, - pkgs, - ... -}: { home = { username = "tbarnouin"; stateVersion = "24.11"; @@ -78,16 +75,17 @@ }; oh-my-zsh = { enable = true; - plugins = [ - "git" - "terraform" - "sudo" - "docker" - "pip" - "python" - "pyenv" - "pipenv" - ]; + plugins = + [ + "git" + "terraform" + "sudo" + "docker" + "pip" + "python" + "pyenv" + "pipenv" + ]; theme = "bira"; }; }; diff --git a/hosts/nixmox-perseverance/configuration.nix b/hosts/nixmox-perseverance/configuration.nix index 2bc1ce2..ed6c2c2 100644 --- a/hosts/nixmox-perseverance/configuration.nix +++ b/hosts/nixmox-perseverance/configuration.nix 
@@ -1,15 +1,11 @@ -{ - config, - lib, - pkgs, - ... -}: { - imports = [./hardware-configuration.nix]; +{ config, lib, pkgs, ... }: + +{ imports = [ ./hardware-configuration.nix ]; nix = { settings = { - experimental-features = ["nix-command" "flakes"]; - trusted-users = ["@wheel"]; + experimental-features = [ "nix-command" "flakes" ]; + trusted-users = [ "@wheel" ]; auto-optimise-store = true; }; gc = { @@ -21,9 +17,9 @@ security.sudo.wheelNeedsPassword = false; - networking = { + networking= { useNetworkd = true; - firewall.allowedTCPPorts = [22]; + firewall.allowedTCPPorts = [ 22 ]; }; systemd.network = { @@ -108,4 +104,5 @@ }; system.stateVersion = "24.11"; # Did you read the comment? + } diff --git a/hosts/nixmox-perseverance/hardware-configuration.nix b/hosts/nixmox-perseverance/hardware-configuration.nix index ca9f744..08aa2b7 100644 --- a/hosts/nixmox-perseverance/hardware-configuration.nix +++ b/hosts/nixmox-perseverance/hardware-configuration.nix @@ -1,15 +1,13 @@ +{ lib, system, ... }: + { - lib, - system, - ... -}: { boot = { # use latest kernel # kernelPackages = pkgs.linuxPackages_latest; - supportedFilesystems = ["ext4" "btrfs" "xfs" "fat" "vfat" "cifs" "nfs"]; + supportedFilesystems = [ "ext4" "btrfs" "xfs" "fat" "vfat" "cifs" "nfs" ]; growPartition = true; - kernelModules = ["kvm-intel"]; - kernelParams = lib.mkForce []; + kernelModules = [ "kvm-intel" ]; + kernelParams = lib.mkForce [ ]; loader = { grub = { @@ -22,8 +20,8 @@ }; initrd = { - availableKernelModules = ["9p" "9pnet_virtio" "ata_piix" "uhci_hcd" "virtio_blk" "virtio_mmio" "virtio_net" "virtio_pci" "virtio_scsi"]; - kernelModules = ["virtio_balloon" "virtio_console" "virtio_rng"]; + availableKernelModules = [ "9p" "9pnet_virtio" "ata_piix" "uhci_hcd" "virtio_blk" "virtio_mmio" "virtio_net" "virtio_pci" "virtio_scsi" ]; + kernelModules = [ "virtio_balloon" "virtio_console" "virtio_rng" ]; }; tmp.cleanOnBoot = true; 
diff --git a/hosts/nixmox-perseverance/home.nix b/hosts/nixmox-perseverance/home.nix index 07adba1..5173e23 100644 --- a/hosts/nixmox-perseverance/home.nix +++ b/hosts/nixmox-perseverance/home.nix @@ -1,8 +1,5 @@ +{ config, pkgs, ... }: { - config, - pkgs, - ... -}: { home = { username = "tbarnouin"; stateVersion = "24.11"; @@ -78,16 +75,17 @@ }; oh-my-zsh = { enable = true; - plugins = [ - "git" - "terraform" - "sudo" - "docker" - "pip" - "python" - "pyenv" - "pipenv" - ]; + plugins = + [ + "git" + "terraform" + "sudo" + "docker" + "pip" + "python" + "pyenv" + "pipenv" + ]; theme = "bira"; }; }; diff --git a/secrets.nix b/secrets.nix index b8b0abd..26b78f3 100644 --- a/secrets.nix +++ b/secrets.nix 
@@ -1,17 +1,19 @@ let - tbarnouin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"; - users = [tbarnouin]; + tbarnouin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos"; + users = [ tbarnouin ]; - forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2NAam+nseSCzJV/1UTyO2LgMjx0xT7/vTOOi5EG9HV root@forgejo-runner"; - grafana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQxvO9vdd2f9aV4F3LEQrrTJaLwLvSLbLtjB9qNxc4z root@grafana"; + forgejo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2NAam+nseSCzJV/1UTyO2LgMjx0xT7/vTOOi5EG9HV root@forgejo-runner"; + grafana = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQxvO9vdd2f9aV4F3LEQrrTJaLwLvSLbLtjB9qNxc4z root@grafana"; onlyoffice = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbnzv2/Or4XdQXLDjIbr7oIDTQEvgSMTX4aiNCQk4tC root@onlyoffice"; - systems = [forgejo grafana]; -in { + systems = [ forgejo grafana ]; +in +{ "secrets/initialPassword.age".publicKeys = users ++ systems; - "services/grafana/secrets/grafana-db.age".publicKeys = [tbarnouin grafana]; - "services/grafana/secrets/grafana-oauth_secret.age".publicKeys = [tbarnouin grafana]; - "services/grafana/secrets/kuma-token.age".publicKeys = [tbarnouin grafana]; - "services/onlyoffice/secrets/office-dbpass.age".publicKeys = [tbarnouin onlyoffice]; - "services/onlyoffice/secrets/office-jwtpass.age".publicKeys = [tbarnouin onlyoffice]; + "services/grafana/secrets/grafana-db.age".publicKeys = [ tbarnouin grafana ]; + "services/grafana/secrets/grafana-oauth_secret.age".publicKeys = [ tbarnouin grafana ]; + "services/grafana/secrets/kuma-token.age".publicKeys = [ tbarnouin grafana ]; + "services/onlyoffice/secrets/office-dbpass.age".publicKeys = [ tbarnouin onlyoffice ]; + "services/onlyoffice/secrets/office-jwtpass.age".publicKeys = [ tbarnouin onlyoffice ]; } + diff --git a/services/authentik/default.nix b/services/authentik/default.nix index 5e92ecd..40ec81f 100644 --- a/services/authentik/default.nix 
+++ b/services/authentik/default.nix @@ -1,18 +1,14 @@ -{ - inputs, - config, - lib, - authentik-nix, - ... -}: let +{ inputs, config, lib, authentik-nix, ... }: +let cfg = config.services.vm_authentik; -in { +in +{ options.services.vm_authentik = { enable = lib.mkEnableOption "Enable minimal config"; }; config = lib.mkIf cfg.enable { networking = { - firewall.allowedTCPPorts = [9000 9300 9443]; + firewall.allowedTCPPorts = [ 9000 9300 9443 ]; }; }; } diff --git a/services/default.nix b/services/default.nix index 42fe9eb..0b1e474 100644 --- a/services/default.nix +++ b/services/default.nix @@ -1,4 +1,5 @@ -{inputs, ...}: { +{ inputs, ... }: +{ imports = [ ./nginx ./gitea diff --git a/services/gitea/default.nix b/services/gitea/default.nix index eeb68c7..61add6f 100644 --- a/services/gitea/default.nix +++ b/services/gitea/default.nix @@ -1,11 +1,8 @@ -{ - config, - pkgs, - lib, - ... -}: let +{ config, pkgs, lib, ... }: +let cfg = config.services.vm_gitea; -in { +in +{ options.services.vm_gitea = { enable = lib.mkEnableOption "Enable minimal config"; db_ip = lib.mkOption { @@ -30,6 +27,6 @@ in { passwordFile = "/run/secrets/gitea/gitea-dbpass"; }; }; - networking.firewall.allowedTCPPorts = [3000]; + networking.firewall.allowedTCPPorts = [ 3000 ]; }; } diff --git a/services/grafana/default.nix b/services/grafana/default.nix index 5ce3ef1..4afd0f1 100644 --- a/services/grafana/default.nix +++ b/services/grafana/default.nix @@ -1,11 +1,8 @@ -{ - lib, - config, - pkgs, - ... -}: let +{ lib, config, pkgs, ... }: +let cfg = config.services.vm_grafana; -in { +in +{ options.services.vm_grafana = { enable = lib.mkEnableOption "Enable minimal config"; vm_ip = lib.mkOption { 
@@ -22,16 +19,16 @@ in { }; }; config = lib.mkIf cfg.enable { - age.secrets = { + age.secrets ={ grafana-db = { - file = ./secrets/grafana-db.age; + file = ./secrets/grafana-db.age; owner = "grafana"; }; grafana-oauth_secret = { - file = ./secrets/grafana-oauth_secret.age; + file = ./secrets/grafana-oauth_secret.age; owner = "grafana"; }; - kuma-token.file = ./secrets/kuma-token.age; + kuma-token.file = ./secrets/kuma-token.age; }; services.rsyslogd = { enable = true; @@ -62,22 +59,22 @@ in { serve_from_sub_path = false; }; database = { - type = "postgres"; - host = "${cfg.pgsql_ip}:5432"; - name = "grafana"; - user = "grafana"; + type = "postgres"; + host = "${cfg.pgsql_ip}:5432"; + name = "grafana"; + user = "grafana"; password = "\$__file{${config.age.secrets.grafana-db.path}}"; }; "auth.generic_oauth" = { - enabled = "true"; - name = "authentik"; + enabled = "true"; + name = "authentik"; allow_sign_up = "true"; - client_id = "9HV82G8F92Jcbw4nP8eppMcPpLcAw5uYpejfReLy"; + client_id = "9HV82G8F92Jcbw4nP8eppMcPpLcAw5uYpejfReLy"; client_secret = "\$__file{${config.age.secrets.grafana-oauth_secret.path}}"; - scopes = "openid email profile"; - auth_url = "https://authentik.le43.eu/application/o/authorize/"; - token_url = "https://authentik.le43.eu/application/o/token/"; - api_url = "https://authentik.le43.eu/application/o/userinfo/"; + scopes = "openid email profile"; + auth_url = "https://authentik.le43.eu/application/o/authorize/"; + token_url = "https://authentik.le43.eu/application/o/token/"; + api_url = "https://authentik.le43.eu/application/o/userinfo/"; role_attribute_path = "contains(groups, 'admin') && 'Admin' || contains(groups, 'admin') && 'Editor' || 'Viewer';role_attribute_strict = false"; allow_assign_grafana_admin = "true"; }; 
@@ -91,125 +88,95 @@ in { job_name = "kuma"; scrape_interval = "30s"; scheme = "http"; - static_configs = [ - { - targets = ["192.168.1.90:3001"]; - } - ]; + static_configs = [{ + targets = [ "192.168.1.90:3001" ]; + }]; basic_auth.username = "tbarnouin"; basic_auth.password_file = config.age.secrets.kuma-token.path; } { job_name = "grafana"; - static_configs = [ - { - targets = ["127.0.0.1:9002"]; - } - ]; + static_configs = [{ + targets = [ "127.0.0.1:9002" ]; + }]; } { job_name = "openmediavault_cadvisor"; - static_configs = [ - { - targets = ["192.168.1.125:8080"]; - } - ]; + static_configs = [{ + targets = [ "192.168.1.125:8080" ]; + }]; } { job_name = "opportunity"; - static_configs = [ - { - targets = ["192.168.1.125:9100"]; - } - ]; + static_configs = [{ + targets = [ "192.168.1.125:9100" ]; + }]; } { job_name = "nginx"; - static_configs = [ - { - targets = ["${cfg.proxy_ip}:9002"]; - } - ]; + static_configs = [{ + targets = [ "${cfg.proxy_ip}:9002" ]; + }]; } { job_name = "redis"; - static_configs = [ - { - targets = ["192.168.1.16:9002"]; - } - ]; + static_configs = [{ + targets = [ "192.168.1.16:9002" ]; + }]; } { job_name = "ingenuity"; - static_configs = [ - { - targets = ["192.168.1.90:9100"]; - } - ]; + static_configs = [{ + targets = [ "192.168.1.90:9100" ]; + }]; } { job_name = "gitea"; - static_configs = [ - { - targets = ["192.168.1.14:9100"]; - } - ]; + static_configs = [{ + targets = [ "192.168.1.14:9100" ]; + }]; } { job_name = "postgresql"; - static_configs = [ - { - targets = ["192.168.1.13:9100"]; - } - ]; + static_configs = [{ + targets = [ "192.168.1.13:9100" ]; + }]; } { job_name = "nextcloud"; - static_configs = [ - { - targets = ["192.168.1.44:9100"]; - } - ]; + static_configs = [{ + targets = [ "192.168.1.44:9100" ]; + }]; } { job_name = "deluge"; - static_configs = [ - { - targets = ["192.168.1.18:9100"]; - } - ]; + static_configs = [{ + targets = [ "192.168.1.18:9100" ]; + }]; } { job_name = "netbox"; - static_configs = [ - { - 
targets = ["192.168.1.45:9100"]; - } - ]; + static_configs = [{ + targets = [ "192.168.1.45:9100" ]; + }]; } { job_name = "jellyfin"; - static_configs = [ - { - targets = ["192.168.1.42:9100"]; - } - ]; + static_configs = [{ + targets = [ "192.168.1.42:9100" ]; + }]; } { job_name = "authentik-ldap"; - static_configs = [ - { - targets = ["192.168.1.41:9100"]; - } - ]; + static_configs = [{ + targets = [ "192.168.1.41:9100" ]; + }]; } { job_name = "authentik"; - static_configs = [ - { - targets = ["192.168.1.25:9002"]; - } - ]; + static_configs = [{ + targets = [ "192.168.1.25:9002" ]; + }]; } ]; }; @@ -235,18 +202,16 @@ in { chunk_retain_period = "30s"; }; schema_config = { - configs = [ - { - from = "2022-06-06"; - store = "boltdb-shipper"; - object_store = "filesystem"; - schema = "v13"; - index = { - prefix = "index_"; - period = "24h"; - }; - } - ]; + configs = [{ + from = "2022-06-06"; + store = "boltdb-shipper"; + object_store = "filesystem"; + schema = "v13"; + index = { + prefix = "index_"; + period = "24h"; + }; + }]; }; storage_config = { boltdb_shipper = { @@ -290,16 +255,14 @@ in { positions = { filename = "/tmp/positions.yaml"; }; - clients = [ - { - url = "http://127.0.0.1:3100/loki/api/v1/push"; - } - ]; + clients = [{ + url = "http://127.0.0.1:3100/loki/api/v1/push"; + }]; scrape_configs = [ { job_name = "syslog"; syslog = { - listen_address = "0.0.0.0:1514"; + listen_address = "0.0.0.0:1514"; listen_protocol = "tcp"; idle_timeout = "60s"; labels = { 
@@ -308,27 +271,27 @@ in { }; relabel_configs = [ { - source_labels = ["__syslog_message_hostname"]; + source_labels = [ "__syslog_message_hostname" ]; target_label = "host"; } { - source_labels = ["__syslog_message_hostname"]; + source_labels = [ "__syslog_message_hostname" ]; target_label = "hostname"; } { - source_labels = ["__syslog_message_severity"]; + source_labels = [ "__syslog_message_severity" ]; target_label = "level"; } { - source_labels = ["__syslog_message_app_name"]; + source_labels = [ "__syslog_message_app_name" ]; target_label = "application"; } { - source_labels = ["__syslog_message_facility"]; + source_labels = [ "__syslog_message_facility" ]; target_label = "facility"; } { - source_labels = ["__syslog_connection_hostname"]; + source_labels = [ "__syslog_connection_hostname" ]; target_label = "connection_hostname"; } ]; @@ -338,7 +301,7 @@ in { }; # Open ports in the firewall. - networking.firewall.allowedTCPPorts = [3000 3100 3101 8086 9001 1514 514]; - networking.firewall.allowedUDPPorts = [514]; + networking.firewall.allowedTCPPorts = [ 3000 3100 3101 8086 9001 1514 514 ]; + networking.firewall.allowedUDPPorts = [ 514 ]; }; } diff --git a/services/jellyfin/default.nix b/services/jellyfin/default.nix index 1cbd172..8bf8012 100644 --- a/services/jellyfin/default.nix +++ b/services/jellyfin/default.nix @@ -1,16 +1,13 @@ -{ - lib, - config, - pkgs, - ... -}: let +{ lib, config, pkgs, ... }: +let cfg = config.services.vm_jellyfin; -in { +in +{ options.services.vm_jellyfin = { enable = lib.mkEnableOption "Enable minimal config"; }; config = lib.mkIf cfg.enable { - environment.systemPackages = [pkgs.cifs-utils]; + environment.systemPackages = [ pkgs.cifs-utils ]; services.jellyfin = { enable = true; user = "tbarnouin"; diff --git a/services/minimalConfig/default.nix b/services/minimalConfig/default.nix index 3993631..2d15b80 100644 --- a/services/minimalConfig/default.nix +++ b/services/minimalConfig/default.nix 
@@ -1,25 +1,20 @@ +{ config, pkgs, lib, inputs, modulesPath, ... }: { - config, - pkgs, - lib, - inputs, - modulesPath, - ... -}: { + imports = [ ./lxc.nix ./vm.nix ]; nix = { - settings.experimental-features = ["nix-command" "flakes"]; - settings.trusted-users = ["root" "@wheel"]; + settings.experimental-features = [ "nix-command" "flakes" ]; + settings.trusted-users = [ "root" "@wheel" ]; }; networking = { firewall = { enable = true; - allowedTCPPorts = [22 9002]; + allowedTCPPorts = [ 22 9002 ]; }; }; @@ -27,7 +22,7 @@ console.keyMap = "fr"; i18n.defaultLocale = "fr_FR.UTF-8"; environment.sessionVariables = rec { - TERM = "xterm-256color"; + TERM = "xterm-256color"; }; nix.gc = { @@ -40,7 +35,7 @@ users = { users.tbarnouin = { isNormalUser = true; - extraGroups = ["wheel"]; + extraGroups = [ "wheel" ]; shell = pkgs.zsh; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos" @@ -63,7 +58,7 @@ }; ohMyZsh = { enable = true; - plugins = ["git"]; + plugins = [ "git" ]; theme = "bira"; }; }; @@ -75,21 +70,21 @@ nixpkgs.config.allowUnfree = true; environment = { localBinInPath = true; - systemPackages = with pkgs; [ - vim - bash - wget - curl - git - htop - tree - dig - ncdu - nmap - iperf3 - netcat-openbsd - ]; - }; + systemPackages = with pkgs; [ + vim + bash + wget + curl + git + htop + tree + dig + ncdu + nmap + iperf3 + netcat-openbsd + ]; + }; services = { openssh = { @@ -115,7 +110,7 @@ exporters = { node = { enable = true; - enabledCollectors = ["systemd"]; + enabledCollectors = [ "systemd" ]; port = 9002; }; }; diff --git a/services/minimalConfig/lxc.nix b/services/minimalConfig/lxc.nix index fe92334..acafe8d 100644 --- a/services/minimalConfig/lxc.nix +++ b/services/minimalConfig/lxc.nix 
@@ -1,11 +1,8 @@ -{ - lib, - config, - modulesPath, - ... -}: let +{lib, config, modulesPath, ...}: +let cfg = config.services.lxc; -in { +in +{ options.services.lxc = { enable = lib.mkEnableOption "Enable LXC container config"; }; diff --git a/services/minimalConfig/vm.nix b/services/minimalConfig/vm.nix index b504132..96c3ff3 100644 --- a/services/minimalConfig/vm.nix +++ b/services/minimalConfig/vm.nix @@ -1,11 +1,8 @@ -{ - lib, - config, - modulesPath, - ... -}: let +{lib, config, modulesPath, ...}: +let cfg = config.services.vm; -in { +in +{ options.services.vm = { enable = lib.mkEnableOption "Enable LXC container config"; }; diff --git a/services/nextcloud/default.nix b/services/nextcloud/default.nix index 9a653e9..c478702 100644 --- a/services/nextcloud/default.nix +++ b/services/nextcloud/default.nix @@ -1,11 +1,8 @@ -{ - lib, - config, - pkgs, - ... -}: let +{ lib, config, pkgs, ... }: +let cfg = config.services.vm_nextcloud; -in { +in +{ options.services.vm_nextcloud = { enable = lib.mkEnableOption "Enable minimal config"; proxy_ip = lib.mkOption { @@ -56,8 +53,8 @@ in { "opcache.memory_consumption" = "512"; }; settings = { - trusted_proxies = ["${cfg.proxy_ip}"]; - trusted_domains = ["${cfg.proxy_ip}"]; + trusted_proxies = [ "${cfg.proxy_ip}" ]; + trusted_domains = [ "${cfg.proxy_ip}" ]; overwriteprotocol = "http"; overwrite.cli.url = "http://${cfg.proxy_ip}/cloud/"; "overwritehost" = "${cfg.proxy_ip}"; @@ -71,11 +68,11 @@ in { dbuser = "nextcloud"; dbtype = "pgsql"; dbpassFile = "/run/secrets/nextcloud/nextcloud-dbpass"; - adminuser = "tbarnouin"; + adminuser = "tbarnouin"; adminpassFile = "/run/secrets/nextcloud/nextcloud-adminpass"; }; }; }; - networking.firewall.allowedTCPPorts = [80]; + networking.firewall.allowedTCPPorts = [ 80 ]; }; } diff --git a/services/nginx/default.nix b/services/nginx/default.nix index 7942c13..f637385 100644 --- a/services/nginx/default.nix +++ b/services/nginx/default.nix 
@@ -1,11 +1,8 @@ -{ - config, - pkgs, - lib, - ... -}: let +{ config, pkgs, lib, ... }: +let cfg = config.services.vm_nginx; -in { +in +{ options.services.vm_nginx = { enable = lib.mkEnableOption "Enable minimal config"; }; @@ -149,18 +146,9 @@ in { proxyWebsockets = true; }; }; - "actual.le43.eu" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://192.168.1.125:5006"; - recommendedProxySettings = true; - proxyWebsockets = true; - }; - }; }; }; }; - networking.firewall.allowedTCPPorts = [80 443]; + networking.firewall.allowedTCPPorts = [ 80 443 ]; }; } diff --git a/services/onlyoffice/default.nix b/services/onlyoffice/default.nix index ba91dd4..5540e48 100644 --- a/services/onlyoffice/default.nix +++ b/services/onlyoffice/default.nix @@ -1,11 +1,8 @@ -{ - config, - pkgs, - lib, - ... -}: let +{ config, pkgs, lib, ... }: +let cfg = config.services.vm_onlyoffice; -in { +in +{ options.services.vm_onlyoffice = { enable = lib.mkEnableOption "Enable OnlyOffice service"; pgsql_ip = lib.mkOption { @@ -16,11 +13,11 @@ in { config = lib.mkIf cfg.enable { age.secrets = { office-dbpass = { - file = ./secrets/office-dbpass.age; + file = ./secrets/office-dbpass.age; owner = "onlyoffice"; }; office-jwtpass = { - file = ./secrets/office-jwtpass.age; + file = ./secrets/office-jwtpass.age; owner = "onlyoffice"; }; }; @@ -36,6 +33,6 @@ in { jwtSecretFile = config.age.secrets.office-jwtpass.path; }; }; - networking.firewall.allowedTCPPorts = [80 4369 5432 5672 6379 8000 8080]; + networking.firewall.allowedTCPPorts = [ 80 4369 5432 5672 6379 8000 8080 ]; }; } diff --git a/services/postgresql/default.nix b/services/postgresql/default.nix index 5823ec3..4b4a9dc 100644 --- a/services/postgresql/default.nix +++ b/services/postgresql/default.nix 
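Review bot: The removal of the `"actual.le43.eu"` virtual host (`proxyPass = "http://192.168.1.125:5006"`) in the `@@ -149,18 +146,9 @@` hunk is a functional change buried in a whitespace-only reformat commit; it should be split out or at least named in the commit message so the history explains why the proxy stopped serving that name. If a DNS record for that name still points at this proxy, requests for it now fall through to nginx's default virtual host, which is worth checking alongside the change; the certificate previously issued via `enableACME = true` likely remains on disk until cleaned up. The enclosing virtual-host attrset and the `config = lib.mkIf cfg.enable` block both start outside the hunk.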
@@ -1,11 +1,8 @@ -{ - lib, - config, - pkgs, - ... -}: let +{ lib, config, pkgs, ... }: +let cfg = config.services.vm_postgresql; -in { +in +{ options.services.vm_postgresql = { enable = lib.mkEnableOption "Enable minimal config"; }; @@ -47,6 +44,6 @@ in { alter user nextcloud with password 'password'; ''; }; - networking.firewall.allowedTCPPorts = [5432]; + networking.firewall.allowedTCPPorts = [ 5432 ]; }; } diff --git a/services/redis/default.nix b/services/redis/default.nix index db56381..5dc54b4 100644 --- a/services/redis/default.nix +++ b/services/redis/default.nix @@ -1,11 +1,8 @@ -{ - config, - pkgs, - lib, - ... -}: let +{ config, pkgs, lib, ... }: +let cfg = config.services.vm_redis; -in { +in +{ options.services.vm_redis = { enable = lib.mkEnableOption "Enable minimal config"; }; @@ -19,8 +16,8 @@ in { settings = { protected-mode = "no"; }; - }; + }; }; - networking.firewall.allowedTCPPorts = [6379]; + networking.firewall.allowedTCPPorts = [ 6379 ]; }; } diff --git a/systems/minimalLXCConfig.nix b/systems/minimalLXCConfig.nix index a2e426c..32cbcb3 100644 --- a/systems/minimalLXCConfig.nix +++ b/systems/minimalLXCConfig.nix @@ -1,20 +1,15 @@ +{ config, pkgs, lib, inputs, modulesPath, ... }: { - config, - pkgs, - lib, - inputs, - modulesPath, - ... -}: { + nix = { - settings.experimental-features = ["nix-command" "flakes"]; - settings.trusted-users = ["root" "@wheel"]; + settings.experimental-features = [ "nix-command" "flakes" ]; + settings.trusted-users = [ "root" "@wheel" ]; }; networking = { firewall = { enable = true; - allowedTCPPorts = [22 9002]; + allowedTCPPorts = [ 22 9002 ]; }; }; @@ -35,7 +30,7 @@ console.keyMap = "fr"; i18n.defaultLocale = "fr_FR.UTF-8"; environment.sessionVariables = rec { - TERM = "xterm-256color"; + TERM = "xterm-256color"; }; nix.gc = { 
@@ -48,7 +43,7 @@ users = { users.tbarnouin = { isNormalUser = true; - extraGroups = ["wheel"]; + extraGroups = [ "wheel" ]; shell = pkgs.zsh; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos" @@ -71,7 +66,7 @@ }; ohMyZsh = { enable = true; - plugins = ["git"]; + plugins = [ "git" ]; theme = "bira"; }; }; @@ -83,21 +78,21 @@ nixpkgs.config.allowUnfree = true; environment = { localBinInPath = true; - systemPackages = with pkgs; [ - vim - bash - wget - curl - git - htop - tree - dig - ncdu - nmap - iperf3 - netcat-openbsd - ]; - }; + systemPackages = with pkgs; [ + vim + bash + wget + curl + git + htop + tree + dig + ncdu + nmap + iperf3 + netcat-openbsd + ]; + }; services = { openssh = { @@ -123,7 +118,7 @@ exporters = { node = { enable = true; - enabledCollectors = ["systemd"]; + enabledCollectors = [ "systemd" ]; port = 9002; }; }; diff --git a/systems/minimalMicrovmConfig.nix b/systems/minimalMicrovmConfig.nix index 0284417..cd46ddc 100644 --- a/systems/minimalMicrovmConfig.nix +++ b/systems/minimalMicrovmConfig.nix @@ -1,14 +1,8 @@ -{ - config, - pkgs, - lib, - inputs, - modulesPath, - microvm, - ... -}: let +{ config, pkgs, lib, inputs, modulesPath, microvm, ... }: +let cfg = config.services.micro_vm; -in { +in +{ options.services.micro_vm = { enable = lib.mkEnableOption "Enable NixOS microvm config"; hostname = lib.mkOption { @@ -59,13 +53,11 @@ in { mountPoint = "/run/secrets/${cfg.hostname}"; } ]; - interfaces = [ - { - type = "tap"; - id = "vm-${cfg.hostname}"; - mac = "${cfg.macAddr}"; - } - ]; + interfaces = [ { + type = "tap"; + id = "vm-${cfg.hostname}"; + mac = "${cfg.macAddr}"; + } ]; hypervisor = "qemu"; socket = "control.socket"; 
@@ -84,14 +76,14 @@ in { }; nix = { - settings.experimental-features = ["nix-command" "flakes"]; - settings.trusted-users = ["root" "@wheel"]; + settings.experimental-features = [ "nix-command" "flakes" ]; + settings.trusted-users = [ "root" "@wheel" ]; }; networking = { firewall = { enable = true; - allowedTCPPorts = [22 9002]; + allowedTCPPorts = [ 22 9002 ]; }; }; @@ -99,7 +91,7 @@ in { console.keyMap = "fr"; i18n.defaultLocale = "fr_FR.UTF-8"; environment.sessionVariables = rec { - TERM = "xterm-256color"; + TERM = "xterm-256color"; }; nix.gc = { @@ -112,7 +104,7 @@ in { users = { users.tbarnouin = { isNormalUser = true; - extraGroups = ["wheel"]; + extraGroups = [ "wheel" ]; shell = pkgs.zsh; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos" @@ -135,7 +127,7 @@ in { }; ohMyZsh = { enable = true; - plugins = ["git"]; + plugins = [ "git" ]; theme = "bira"; }; }; @@ -147,21 +139,21 @@ in { nixpkgs.config.allowUnfree = true; environment = { localBinInPath = true; - systemPackages = with pkgs; [ - vim - bash - wget - curl - git - htop - tree - dig - ncdu - nmap - iperf3 - netcat-openbsd - ]; - }; + systemPackages = with pkgs; [ + vim + bash + wget + curl + git + htop + tree + dig + ncdu + nmap + iperf3 + netcat-openbsd + ]; + }; services = { openssh = { @@ -187,7 +179,7 @@ in { exporters = { node = { enable = true; - enabledCollectors = ["systemd"]; + enabledCollectors = [ "systemd" ]; port = 9002; }; }; @@ -200,3 +192,4 @@ in { }; }; } + diff --git a/systems/minimalVMConfig.nix b/systems/minimalVMConfig.nix index 7cbc576..1431860 100644 --- a/systems/minimalVMConfig.nix +++ b/systems/minimalVMConfig.nix 
@@ -1,20 +1,15 @@ +{ config, pkgs, lib, inputs, modulesPath, ... }: { - config, - pkgs, - lib, - inputs, - modulesPath, - ... -}: { + nix = { - settings.experimental-features = ["nix-command" "flakes"]; - settings.trusted-users = ["root" "@wheel"]; + settings.experimental-features = [ "nix-command" "flakes" ]; + settings.trusted-users = [ "root" "@wheel" ]; }; networking = { firewall = { enable = true; - allowedTCPPorts = [22 9002]; + allowedTCPPorts = [ 22 9002 ]; }; }; @@ -22,7 +17,7 @@ console.keyMap = "fr"; i18n.defaultLocale = "fr_FR.UTF-8"; environment.sessionVariables = rec { - TERM = "xterm-256color"; + TERM = "xterm-256color"; }; nix.gc = { @@ -35,7 +30,7 @@ users = { users.tbarnouin = { isNormalUser = true; - extraGroups = ["wheel"]; + extraGroups = [ "wheel" ]; shell = pkgs.zsh; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxccGxdfOFXeEClqz3ULl94ubzaJnk4pUus+ek18G0B tbarnouin@nixos" @@ -58,7 +53,7 @@ }; ohMyZsh = { enable = true; - plugins = ["git"]; + plugins = [ "git" ]; theme = "bira"; }; }; @@ -70,21 +65,21 @@ nixpkgs.config.allowUnfree = true; environment = { localBinInPath = true; - systemPackages = with pkgs; [ - vim - bash - wget - curl - git - htop - tree - dig - ncdu - nmap - iperf3 - netcat-openbsd - ]; - }; + systemPackages = with pkgs; [ + vim + bash + wget + curl + git + htop + tree + dig + ncdu + nmap + iperf3 + netcat-openbsd + ]; + }; services = { cloud-init.network.enable = true; @@ -111,7 +106,7 @@ exporters = { node = { enable = true; - enabledCollectors = ["systemd"]; + enabledCollectors = [ "systemd" ]; port = 9002; }; };
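Review bot: systems/minimalVMConfig.nix, systems/minimalLXCConfig.nix and systems/minimalMicrovmConfig.nix carry the same ~100 lines (the `tbarnouin` user and authorized key, `trusted-users = [ "root" "@wheel" ]`, the `[ 22 9002 ]` firewall list, the package list and the node exporter on 9002), and this commit reformats all three copies separately. Moving that common block into one shared module imported by the three profiles would keep the security-relevant settings (authorized keys, trusted users, exposed ports) in a single place so a future change cannot land in one profile and be missed in the others. Two smaller points on the shared content: `nmap` and `netcat-openbsd` are convenient but give anyone who lands on the box ready-made scanning tools, and port 9002 is opened to every peer even though only the Prometheus scraper needs it — restricting the rule to that host would be cheap. These hunks are whitespace-only, so nothing here is introduced by the commit.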