

5 commits

11 changed files with 269 additions and 37 deletions


@ -2,11 +2,11 @@
"nodes": { "nodes": {
"catppuccin": { "catppuccin": {
"locked": { "locked": {
"lastModified": 1720472194, "lastModified": 1721784420,
"narHash": "sha256-CYscFEts6tyvosc1T29nxhzIYJAj/1CCEkV3ZMzSN/c=", "narHash": "sha256-bgF6fN4Qgk7NErFKGuuqWXcLORsiykTYyqMUFRiAUBY=",
"owner": "catppuccin", "owner": "catppuccin",
"repo": "nix", "repo": "nix",
"rev": "d75d5803852fb0833767dc969a4581ac13204e22", "rev": "8bdb55cc1c13f572b6e4307a3c0d64f1ae286a4f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -99,11 +99,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1720734513, "lastModified": 1722203588,
"narHash": "sha256-neWQ8eNtLTd+YMesb7WjKl1SVCbDyCm46LUgP/g/hdo=", "narHash": "sha256-91V5FMSQ4z9bkhTCf0f86Zjw0bh367daSf0mzCIW0vU=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "90ae324e2c56af10f20549ab72014804a3064c7f", "rev": "792757f643cedc13f02098d8ed506d82e19ec1da",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -119,11 +119,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1720926593, "lastModified": 1722136042,
"narHash": "sha256-fW6e27L6qY6s+TxInwrS2EXZZfhMAlaNqT0sWS49qMA=", "narHash": "sha256-x3FmT4QSyK28itMiR5zfYhUrG5nY+2dv+AIcKfmSp5A=",
"owner": "Mic92", "owner": "Mic92",
"repo": "nix-index-database", "repo": "nix-index-database",
"rev": "5fe5b0cdf1268112dc96319388819b46dc051ef4", "rev": "c0ca47e8523b578464014961059999d8eddd4aae",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -143,11 +143,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1720920808, "lastModified": 1722302960,
"narHash": "sha256-aq9nBiDz0i+JH47YDtPcx/f5OaMMxy/JvBNLDMe97aI=", "narHash": "sha256-byZl18UZCHy3vLhxrXp8THzlzmwNfil93ZQLY30i7/Q=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-vscode-extensions", "repo": "nix-vscode-extensions",
"rev": "2571d560820e4ce23cf060a4460cebc0d9d17f60", "rev": "e1a1e6cabd0140ed353e173290e6d92510f5fd66",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -158,11 +158,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1720737798, "lastModified": 1722278305,
"narHash": "sha256-G/OtEAts7ZUvW5lrGMXSb8HqRp2Jr9I7reBuvCOL54w=", "narHash": "sha256-xLBAegsn9wbj+pQfbX07kykd5VBV3Ywk3IbObVAAlWA=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "c5013aa7ce2c7ec90acee5d965d950c8348db751", "rev": "eab049fe178c11395d65a858ba1b56461ba9652d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -174,11 +174,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1721187324, "lastModified": 1722307517,
"narHash": "sha256-QA/hwTo9TsEbtTxFjHdyIopyRqVbC3psML9D1CuSGcg=", "narHash": "sha256-QTsnr7l9MlOVMASsv6w1luxAKqR32RJceBYQlg5bpkM=",
"owner": "xinyangli", "owner": "xinyangli",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "5a00e83edebdcf87790dfa0a304b092f4e3ed694", "rev": "ebd00a4a357b00eb56b5d11f57aeb2b1fca9be34",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -190,11 +190,11 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1720691131, "lastModified": 1722087241,
"narHash": "sha256-CWT+KN8aTPyMIx8P303gsVxUnkinIz0a/Cmasz1jyIM=", "narHash": "sha256-2ShmEaFi0kJVOEEu5gmlykN5dwjWYWYUJmlRTvZQRpU=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a046c1202e11b62cbede5385ba64908feb7bfac4", "rev": "8c50662509100d53229d4be607f1a3a31157fa12",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -206,11 +206,11 @@
}, },
"nixpkgs-stable_2": { "nixpkgs-stable_2": {
"locked": { "locked": {
"lastModified": 1720915306, "lastModified": 1721524707,
"narHash": "sha256-6vuViC56+KSr+945bCV8akHK+7J5k6n/epYg/W3I5eQ=", "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "74348da2f3a312ee25cea09b98cdba4cb9fa5d5d", "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -222,11 +222,11 @@
}, },
"nur": { "nur": {
"locked": { "locked": {
"lastModified": 1720935990, "lastModified": 1722304333,
"narHash": "sha256-SAji50yPFmnQfD2XsDHk6tqEkRHDcWMpEoOlnEneqAY=", "narHash": "sha256-fC+PkQuMo1DykB7my6VLPOQi6ugnZuOGdGmAAKCmFVY=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NUR", "repo": "NUR",
"rev": "42851361fdfde870bfd7e3c71f2ac5d3113c63d6", "rev": "6cfe9fb0882d3d57fd67c783905757bb10b9115e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -258,11 +258,11 @@
"nixpkgs-stable": "nixpkgs-stable_2" "nixpkgs-stable": "nixpkgs-stable_2"
}, },
"locked": { "locked": {
"lastModified": 1720926522, "lastModified": 1722114803,
"narHash": "sha256-eTpnrT6yu1vp8C0B5fxHXhgKxHoYMoYTEikQx///jxY=", "narHash": "sha256-s6YhI8UHwQvO4cIFLwl1wZ1eS5Cuuw7ld2VzUchdFP0=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "0703ba03fd9c1665f8ab68cc3487302475164617", "rev": "eb34eb588132d653e4c4925d862f1e5a227cc2ab",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -59,6 +59,7 @@
, ... }@inputs: , ... }@inputs:
let let
sharedHmModules = [ sharedHmModules = [
inputs.sops-nix.homeManagerModules.sops
inputs.nix-index-database.hmModules.nix-index inputs.nix-index-database.hmModules.nix-index
catppuccin.homeManagerModules.catppuccin catppuccin.homeManagerModules.catppuccin
self.homeManagerModules self.homeManagerModules
@ -100,6 +101,7 @@
}; };
in in
{ {
nixpkgs = nixpkgs;
nixosModules.default = import ./modules/nixos; nixosModules.default = import ./modules/nixos;
homeManagerModules = import ./modules/home-manager; homeManagerModules = import ./modules/home-manager;
@ -175,6 +177,18 @@
machines/raspite/configuration.nix machines/raspite/configuration.nix
] ++ sharedColmenaModules; ] ++ sharedColmenaModules;
}; };
weilite = { ... }: {
imports = [
machines/weilite
] ++ sharedColmenaModules;
deployment = {
targetHost = "weilite.coho-tet.ts.net";
targetPort = 22;
buildOnTarget = false;
};
nixpkgs.system = "x86_64-linux";
};
}; };
nixosConfigurations = { nixosConfigurations = {
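Review bot: `nixpkgs = nixpkgs;` in the second hunk would read more idiomatically as `inherit nixpkgs;`, and it publishes the entire nixpkgs input as a top-level flake output, which is not one of the conventional output names — I believe `nix flake check` reports unknown outputs as warnings. A one-line comment on why the input is re-exported (or placing it under a known output) would make the intent clear to the next reader. The enclosing `outputs` attrset starts and ends outside the hunk.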


@ -54,4 +54,9 @@
vscode = { enable = true; languages = { cxx = true; python = true; scala = true; latex = true; }; }; vscode = { enable = true; languages = { cxx = true; python = true; scala = true; latex = true; }; };
zellij = { enable = true; }; zellij = { enable = true; };
}; };
programs.atuin = {
enable = true;
flags = [ "--disable-up-arrow" ];
};
} }


@ -33,6 +33,7 @@
boot.loader.grub = { boot.loader.grub = {
enable = true; enable = true;
efiSupport = true; efiSupport = true;
configurationLimit = 5;
}; };
fileSystems."/mnt/storage" = { fileSystems."/mnt/storage" = {


@ -63,6 +63,7 @@ in
}; };
}; };
services.kanidm = { services.kanidm = {
package = pkgs.kanidm.withSecretProvisioning;
enableServer = true; enableServer = true;
serverSettings = { serverSettings = {
domain = "auth.xinyang.life"; domain = "auth.xinyang.life";
@ -72,6 +73,84 @@ in
tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem''; tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem'';
# db_path = "/var/lib/kanidm/kanidm.db"; # db_path = "/var/lib/kanidm/kanidm.db";
}; };
provision = {
enable = true;
autoRemove = true;
groups = {
forgejo-access = {
members = [ "xin" ];
};
gts-users = {
members = [ "xin" ];
};
ocis-users = {
members = [ "xin" ];
};
linux_users = {
members = [ "xin" ];
};
hedgedoc-users = {
members = [ "xin" ];
};
immich-users = {
members = [ "xin" "zhuo" ];
};
};
persons = {
xin = {
displayName = "Xinyang Li";
mailAddresses = [ "lixinyang411@gmail.com" ];
};
zhuo = {
displayName = "Zhuo";
mailAddresses = [ "13681104320@163.com" ];
};
};
systems.oauth2 = {
forgejo = {
displayName = "ForgeJo";
originUrl = "https://git.xinyang.life/";
originLanding = " https://git.xinyang.life/user/oauth2/kandim";
allowInsecureClientDisablePkce = true;
scopeMaps = {
forgejo-access = [ "openid" "email" "profile" "groups" ];
};
};
gts = {
displayName = "GoToSocial";
originUrl = "https://xinyang.life/";
allowInsecureClientDisablePkce = true;
scopeMaps = {
gts-users = [ "openid" "email" "profile" "groups" ];
};
};
owncloud = {
displayName = "ownCloud";
originUrl = "https://home.xinyang.life:9201/";
public = true;
scopeMaps = {
ocis-users = [ "openid" "email" "profile" ];
};
};
hedgedoc = {
displayName = "HedgeDoc";
originUrl = "https://docs.xinyang.life/";
allowInsecureClientDisablePkce = true;
scopeMaps = {
hedgedoc-users = [ "openid" "email" "profile" ];
};
};
immich-mobile = {
displayName = "Immich";
originUrl = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
allowInsecureClientDisablePkce = true;
scopeMaps = {
immich-users = [ "openid" "email" "profile" ];
};
};
};
};
}; };
services.matrix-conduit = { services.matrix-conduit = {
enable = true; enable = true;
@ -179,10 +258,6 @@ in
virtualHosts."http://auth.xinyang.life:80".extraConfig = '' virtualHosts."http://auth.xinyang.life:80".extraConfig = ''
reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP} reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
route {
reverse_proxy * ${config.security.acme.certs."auth.xinyang.life".listenHTTP} order first
abort
}
''; '';
virtualHosts."https://auth.xinyang.life".extraConfig = '' virtualHosts."https://auth.xinyang.life".extraConfig = ''
reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} { reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {
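Review bot: `originLanding` on the forgejo client begins with a space (`" https://git.xinyang.life/user/oauth2/kandim"`), so the provisioned landing URL is not a valid URL; drop the leading space, and the path segment `kandim` looks like a transposition of `kanidm` — confirm it matches the auth-source name actually configured in Forgejo. `allowInsecureClientDisablePkce = true` is set on four of the five clients; PKCE is what binds the authorization code to the client that requested it, so keep this only where the client genuinely cannot send a code challenge and record why on each line (`# <client> has no PKCE support — see <tracking reference>`). `autoRemove = true` presumably deletes any account, group or OAuth2 client not declared in this block when provisioning runs, which deserves a comment next to it so nobody creates an entity through the UI and expects it to survive. The `persons` block commits personal e-mail addresses to the repository; that may be intended here, but it is worth a comment acknowledging it.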


@ -0,0 +1,88 @@
{ config, pkgs, lib, modulesPath, ... }:
with lib;
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
config = {
networking.hostName = "weilite";
commonSettings = {
auth.enable = true;
nix = {
enable = true;
enableMirrors = true;
};
};
boot = {
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "usb_storage" "sd_mod" ];
kernelModules = [ "kvm-intel" ];
};
environment.systemPackages = [
pkgs.virtiofsd
];
systemd.mounts = [
{ what = "XinPhotos";
where = "/mnt/XinPhotos";
type = "virtiofs";
wantedBy = [ "immich-server.service" ];
}
];
services.openssh.ports = [ 22 2222 ];
services.immich = {
enable = true;
mediaLocation = "/mnt/XinPhotos/immich";
host = "127.0.0.1";
port = 3001;
openFirewall = true;
machine-learning.enable = false;
environment = {
IMMICH_MACHINE_LEARNING_ENABLED = "false";
};
};
services.dae = {
enable = true;
configFile = "/var/lib/dae/config.dae";
};
services.tailscale = {
enable = true;
openFirewall = true;
permitCertUid = "caddy";
};
services.caddy = {
enable = true;
virtualHosts."weilite.coho-tet.ts.net:8080".extraConfig = ''
reverse_proxy 127.0.0.1:${toString config.services.immich.port}
'';
};
time.timeZone = "Asia/Shanghai";
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
fsType = "btrfs";
};
fileSystems."/boot" = {
device = "/dev/sda1";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
system.stateVersion = "24.11";
};
}
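Review bot: `services.immich.openFirewall = true` opens port 3001 in the firewall, but `host = "127.0.0.1"` means Immich listens only on loopback and is reached through the Caddy vhost on 8080; the opened port serves nothing today and becomes an exposure if `host` is later widened, so set `openFirewall = false;` and open 8080 explicitly if that is the intended entry point. The `systemd.mounts` entry declares only `wantedBy = [ "immich-server.service" ]`, which pulls the mount in but, as far as I can tell, does not order it before Immich starts; adding `before = [ "immich-server.service" ];` (or using `requiredBy`) would avoid Immich starting against an empty `/mnt/XinPhotos`. `fileSystems."/boot".device = "/dev/sda1"` uses a kernel device name while `/` uses `/dev/disk/by-label/nixos`; a by-label or by-uuid path here too would survive device renumbering. `with lib;` at the top is not used by anything in the file and can be dropped.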


@ -19,6 +19,13 @@ in
"Ctrl p" "Ctrl p"
"Ctrl n" "Ctrl n"
]; ];
shared_except = {
_args = [ "pane" "locked" ];
bind = {
_args = [ "Ctrl b"];
SwitchToMode = "Pane";
};
};
}; };
}; };
}; };


@ -0,0 +1,41 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mkIf mkEnableOption mkOption types;
cfg = config.commonSettings.auth;
in
{
options.commonSettings.auth = {
enable = mkEnableOption "Common auth settings for servers";
};
config = mkIf cfg.enable {
custom.kanidm-client = {
enable = true;
uri = "https://auth.xinyang.life";
asSSHAuth = {
enable = true;
allowedGroups = [ "linux_users" ];
};
sudoers = [ "xin@auth.xinyang.life" ];
};
services.openssh = {
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
PermitRootLogin = "no";
GSSAPIAuthentication = "no";
KerberosAuthentication = "no";
};
};
services.fail2ban.enable = true;
security.sudo = {
execWheelOnly = true;
wheelNeedsPassword = false;
};
};
}
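Review bot: `wheelNeedsPassword = false` lets every wheel member become root without re-authentication, so a hijacked SSH session belonging to a kanidm-provisioned `sudoers` account is root immediately; if passwordless sudo is deliberate on these key-only hosts, state that next to the line (`# intentional: <reason>; SSH is key/kanidm-only and PasswordAuthentication is off`), otherwise leave the default. The module hardens `services.openssh.settings` but never sets `services.openssh.enable`, so it silently relies on the host enabling sshd elsewhere; a one-line comment recording that assumption would help. `allowedGroups = [ "linux_users" ]` has to match the group provisioned on the Kanidm server and will drift silently if either side is renamed, so a comment pointing at the server-side definition is worth adding.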


@ -1,7 +1,8 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
imports = [ imports = [
./common-nix-conf.nix ./common-settings/auth.nix
./common-settings/nix-conf.nix
./restic.nix ./restic.nix
./vaultwarden.nix ./vaultwarden.nix
./prometheus.nix ./prometheus.nix


@ -22,8 +22,8 @@ in
# TODO: mailserver support # TODO: mailserver support
}; };
}; };
config = { config = mkIf cfg.enable {
services.vaultwarden = mkIf cfg.enable { services.vaultwarden = {
enable = true; enable = true;
dbBackend = "sqlite"; dbBackend = "sqlite";
config = { config = {