Compare commits


17 commits

Author SHA1 Message Date
fde1d41bb8 add acme shit 2026-02-09 14:38:02 +01:00
d7812f37c3 Merge branch 'main' into containers 2026-02-09 14:11:22 +01:00
cfb96f8887 flake update 2026-02-09 13:50:15 +01:00
a6bff8a467 gonna deploy now 2026-02-09 13:45:20 +01:00
c340cf4ff3 add public server 2026-02-09 13:19:41 +01:00
7019a80883 finally works 2026-02-09 13:09:23 +01:00
d8670e844c idk 2026-02-08 02:06:55 +01:00
fd4fa42261 idk 2026-02-08 00:39:40 +01:00
25b7880f68 fix: double mute keybind 2026-02-06 21:52:17 +01:00
fac3b41efc Merge branch 'main' of ssh://solis:34916/Koen/nix-config 2026-02-05 17:00:00 +01:00
e187315c4a reenable rooms timer 2026-02-05 00:04:31 +01:00
18f05807d2 Merge branch 'main' into containers 2026-01-19 22:24:31 +01:00
047940d0db Merge branch 'main' into containers 2026-01-19 22:15:42 +01:00
423bfff09d idk 2026-01-02 23:09:16 +01:00
02eb92a443 forgejo works now but vaultwarden is fucky 2025-12-29 01:45:04 +01:00
f1b3559434 Foregejo containers fully operational 2025-12-25 13:11:54 +01:00
2de1a62d2f init 2025-12-23 19:46:22 +01:00
14 changed files with 472 additions and 40 deletions

30
flake.lock generated

@ -10,11 +10,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1762618334,
"narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
"lastModified": 1770165109,
"narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=",
"owner": "ryantm",
"repo": "agenix",
"rev": "fcdea223397448d35d9b31f798479227e80183f6",
"rev": "b027ee29d959fda4b60b57566d64c98a202e0feb",
"type": "github"
},
"original": {
@ -73,11 +73,11 @@
]
},
"locked": {
"lastModified": 1768949235,
"narHash": "sha256-TtjKgXyg1lMfh374w5uxutd6Vx2P/hU81aEhTxrO2cg=",
"lastModified": 1770260404,
"narHash": "sha256-3iVX1+7YUIt23hBx1WZsUllhbmP2EnXrV8tCRbLxHc8=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "75ed713570ca17427119e7e204ab3590cc3bf2a5",
"rev": "0d782ee42c86b196acff08acfbf41bb7d13eed5b",
"type": "github"
},
"original": {
@ -97,11 +97,11 @@
]
},
"locked": {
"lastModified": 1770072491,
"narHash": "sha256-tTYck5pk+Aio5gju+AlaYi862dh8OLog9NxSwqvV3J0=",
"lastModified": 1770641372,
"narHash": "sha256-Vwc5X8QZEeVoJSy0i3SrLN/t8v17mCAirhlTVouUjd4=",
"owner": "KoenDR06",
"repo": "nix-hyprland",
"rev": "eaaba884058f7ebdf9a9c7db40fadb90c11a78a0",
"rev": "bd4b87ef132fd55dcfb446211bc9c83fef344285",
"type": "github"
},
"original": {
@ -112,11 +112,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1769318308,
"narHash": "sha256-Mjx6p96Pkefks3+aA+72lu1xVehb6mv2yTUUqmSet6Q=",
"lastModified": 1770464364,
"narHash": "sha256-z5NJPSBwsLf/OfD8WTmh79tlSU8XgIbwmk6qB1/TFzY=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "1cd347bf3355fce6c64ab37d3967b4a2cb4b878c",
"rev": "23d72dabcb3b12469f57b37170fcbc1789bd7457",
"type": "github"
},
"original": {
@ -136,11 +136,11 @@
]
},
"locked": {
"lastModified": 1767662275,
"narHash": "sha256-d5Q1GmQ+sW1Bt8cgDE0vOihzLaswsm8cSdg8124EqXE=",
"lastModified": 1769956244,
"narHash": "sha256-12RCFLyAedyMOdenUi7cN3ioJPEGjA/ZG1BLjugfUVs=",
"owner": "pjones",
"repo": "plasma-manager",
"rev": "51816be33a1ff0d4b22427de83222d5bfa96d30e",
"rev": "fe54ea85c6e4413fba03b84d50f2b431d2f7c831",
"type": "github"
},
"original": {


@ -29,6 +29,12 @@
users.default.enable = true;
containers = {
forgejo.enable = true;
nginx.enable = true;
vaultwarden.enable = true;
};
base = {
nix.enable = true;
locale.enable = true;


@ -32,7 +32,7 @@
timers = {
backup.enable = true;
rooms.enable = false;
rooms.enable = true;
};
};
}


@ -37,6 +37,12 @@
users.default.enable = true;
containers = {
nginx.enable = true;
forgejo.enable = true;
vaultwarden.enable = true;
};
base = {
nix.enable = true;
locale.enable = true;


@ -6,7 +6,7 @@
}: let
inherit (lib) mkEnableOption mkIf;
cfg = config.horseman.base.secrets;
secretFile = path: ../../secrets/${path};
secretFile = path: ../../secrets/${path}.age;
username = config.horseman.username;
in {
options = {
@ -19,38 +19,45 @@ in {
environment.systemPackages = [pkgs.ragenix];
age.secrets = {
wifi.file = secretFile "wifi.age";
wifi.file = secretFile "wifi";
personalSSHpub = {
file = secretFile "ssh/id_personal.pub.age";
file = secretFile "ssh/id_personal.pub";
owner = username;
group = "users";
path = "/home/horseman/.ssh/id_ed25519.pub";
path = "/home/${username}/.ssh/id_ed25519.pub";
};
personalSSH = {
file = secretFile "ssh/id_personal.age";
file = secretFile "ssh/id_personal";
owner = username;
group = "users";
path = "/home/horseman/.ssh/id_ed25519";
path = "/home/${username}/.ssh/id_ed25519";
};
githubSSHpub = {
file = secretFile "ssh/id_github.pub.age";
file = secretFile "ssh/id_github.pub";
owner = username;
group = "users";
path = "/home/horseman/.ssh/id_github.pub";
path = "/home/${username}/.ssh/id_github.pub";
};
githubSSH = {
file = secretFile "ssh/id_github.age";
file = secretFile "ssh/id_github";
owner = username;
group = "users";
path = "/home/horseman/.ssh/id_github";
path = "/home/${username}/.ssh/id_github";
};
sshConfig = {
file = secretFile "ssh/config.age";
file = secretFile "ssh/config";
owner = username;
group = "users";
path = "/home/horseman/.ssh/config";
path = "/home/${username}/.ssh/config";
};
forgejo-secret = {
file = secretFile "containers/forgejo-secret";
path = "/run/forgejo-secrets/secret";
symlink = false;
mode = "444";
};
};
};
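Review bot: `mode = "444"` on the new `forgejo-secret` entry makes the runner registration token readable by every local account on the host at `/run/forgejo-secrets/secret`, and the same directory is then bind-mounted read-only into both the forgejo and forgejoRunner containers. The other secrets in this block are scoped with `owner`/`group`; this one presumably has to be readable by the unprivileged `runner` and `forgejo` uids inside the containers, which is likely why it was opened up. A dedicated host group matching those uids with `mode = "440"` would keep the token out of world-readable space while still letting the container services read it — worth confirming against how uids map into these containers. The enclosing `age.secrets` attrset and the module itself start before this hunk.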


@ -0,0 +1,26 @@
{lib, ...}: let
inherit (lib) mkOption types;
in {
imports = [
./nginx.nix
./forgejo.nix
./vaultwarden.nix
];
options = {
backupDir = mkOption {
type = types.str;
};
};
config = {
networking.nat = {
enable = true;
# Use "ve-*" when using nftables instead of iptables
internalInterfaces = ["ve-+"];
externalInterface = "eno1";
# Lazy IPv6 connectivity for the container
enableIPv6 = true;
};
};
}
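Review bot: `backupDir` is declared here as a top-level option (`options.backupDir`), while forgejo.nix and vaultwarden.nix in this same change read `config.horseman.containers.backupDir`; unless this file is imported under a prefix not shown here, one side has the wrong path and the declaration should read `options.horseman.containers.backupDir = mkOption { … };`. The option also has no `default` and no `description`, so a host that enables a container without setting it only fails once the backup script is evaluated; `description = "Host directory the container backup tars are written to.";` would document the contract. `externalInterface = "eno1"` is hardcoded in a shared module; an option with that default would let other hosts reuse it.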


@ -0,0 +1,173 @@
{
inputs,
outputs,
lib,
config,
pkgs,
...
}: let
inherit (lib) types mkOption mkEnableOption mkIf;
cfg = config.horseman.containers.forgejo;
username = config.horseman.username;
BACKUP_DIR = config.horseman.containers.backupDir;
DATA_DIR = "/home/${username}/backups/volumes/forgejo";
in {
options = {
horseman.containers.forgejo = {
enable = mkEnableOption "forgejo containers";
port = mkOption {
default = 3000;
type = types.int;
};
sshPort = mkOption {
default = 34916;
type = types.int;
};
url = mkOption {
default = "https://git.koendev.nl";
type = types.str;
};
};
};
config = mkIf cfg.enable {
systemd.timers."backup-forgejo" = {
wantedBy = ["timers.target"];
timerConfig = {
OnCalendar = "daily";
Persistent = true;
};
};
environment.systemPackages = [pkgs.gnutar];
systemd.services."backup-forgejo" = {
script = ''
cd ${BACKUP_DIR}
${pkgs.gnutar}/bin/tar -cf forgejo-$(date +'%Y-%m-%d').tar ${DATA_DIR}
'';
serviceConfig = {
User = "root";
};
};
containers.forgejoRunner = {
autoStart = true;
privateNetwork = true;
hostAddress = "172.16.0.2";
localAddress = "192.168.100.2";
bindMounts = {
"/var/lib/secrets" = {
hostPath = "/run/forgejo-secrets";
isReadOnly = true;
};
};
config = {
config,
pkgs,
...
}: let
configFile = pkgs.writeText "runner.yml" ''
runner:
labels:
- "self-hosted:host"
'';
in {
environment.systemPackages = with pkgs; [
forgejo-runner
];
users.groups.runner = {};
users.users.runner = {
isNormalUser = true;
group = "runner";
};
systemd.services.startup = {
script = ''
cd ${config.users.users.runner.home}
${pkgs.forgejo-runner}/bin/forgejo-runner create-runner-file --instance http://192.168.100.3:3000 --secret $(cat /var/lib/secrets/secret) --name runner
sleep 10
${pkgs.forgejo-runner}/bin/forgejo-runner daemon --config ${configFile}
'';
serviceConfig.User = "runner";
wantedBy = ["multi-user.target"];
};
system.stateVersion = "23.11";
};
};
containers.forgejo = {
autoStart = true;
privateNetwork = true;
hostAddress = "172.16.0.3";
localAddress = "192.168.100.3";
bindMounts = {
"/var/lib/forgejo" = {
hostPath = DATA_DIR;
isReadOnly = false;
};
"/var/lib/secrets" = {
hostPath = "/run/forgejo-secrets";
isReadOnly = true;
};
};
config = {
config,
pkgs,
...
}: {
environment.systemPackages = [pkgs.forgejo];
services.forgejo = {
enable = true;
stateDir = "/var/lib/forgejo";
settings = {
server = {
HTTP_PORT = cfg.port;
SSH_PORT = cfg.sshPort;
ROOT_URL = cfg.url;
};
session = {
COOKIE_SECURE = false; # TODO Set to true
};
service = {
DISABLE_REGISTRATION = true;
};
};
};
systemd.services.startup = {
script = ''
cd ${config.users.users.forgejo.home}
${pkgs.forgejo}/bin/forgejo forgejo-cli actions register --name runner --secret $(cat /var/lib/secrets/secret) --config ${config.services.forgejo.stateDir}/custom/conf/app.ini
'';
serviceConfig.User = "forgejo";
wantedBy = ["multi-user.target"];
};
networking = {
firewall = {
enable = true;
allowedTCPPorts = [cfg.port cfg.sshPort];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
system.stateVersion = "23.11";
};
};
};
}
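Review bot: `COOKIE_SECURE = false` in `settings.session` omits the Secure attribute from the session cookie even though `ROOT_URL` is https and the only route to this container is nginx's `forceSSL` vhost, so `COOKIE_SECURE = true;` can be set now instead of being left as a TODO. The runner's `--instance http://192.168.100.3:3000` restates `containers.forgejo.localAddress` and `cfg.port` by hand; deriving it from those values (nginx.nix already captures the host config as `osConfig` for exactly this) keeps them from drifting apart. Both startup scripts pass the registration token as `--secret $(cat /var/lib/secrets/secret)`, which places it in the process command line inside the container; reading it from a file or the environment, if the CLI offers that, keeps it out of process listings. The daily `tar` of the live `DATA_DIR` snapshots a running instance, and if Forgejo is on the SQLite default the copy can be torn — `forgejo dump` is the supported way to take a consistent backup.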


@ -0,0 +1,107 @@
{
inputs,
outputs,
lib,
config,
pkgs,
...
}: let
inherit (lib) mkEnableOption mkIf mkOption types;
cfg = config.horseman.containers.nginx;
osConfig = config;
in {
options = {
horseman.containers.nginx = {
enable = mkEnableOption "nginx container";
domain = mkOption {
type = types.str;
default = "koendev.nl";
};
};
};
config = mkIf cfg.enable {
security.acme = {
acceptTerms = true;
defaults.email = "koen.de.ruiter@hotmail.com";
};
containers.nginx = {
autoStart = true;
privateNetwork = true;
hostAddress = "172.16.0.1";
localAddress = "192.168.100.1";
bindMounts = {
"/var/www/portfolio" = {
hostPath = "/var/www/portfolio";
isReadOnly = true;
};
"/var/www/public" = {
hostPath = "/var/www/public";
isReadOnly = true;
};
};
config = {
config,
pkgs,
lib,
...
}: {
services.nginx = {
enable = true;
virtualHosts = {
"${cfg.domain}" = {
forceSSL = true;
enableACME = true;
root = "/var/www/portfolio";
default = true;
extraConfig = ''
error_page 404 /404.html;
'';
};
"public.${cfg.domain}" = {
forceSSL = true;
enableACME = true;
root = "/var/www/public";
};
"git.${cfg.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://${osConfig.containers.forgejo.localAddress}:${toString osConfig.horseman.containers.forgejo.port}";
};
};
"vault.${cfg.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://${osConfig.containers.vaultwarden.localAddress}:${toString osConfig.horseman.containers.vaultwarden.port}";
};
};
};
};
networking = {
firewall = {
enable = true;
allowedTCPPorts = [80 443];
};
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
system.stateVersion = "23.11";
};
};
};
}
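Review bot: `security.acme` (`acceptTerms`, `defaults.email`) is set on the host at the top of this module, but `enableACME = true` is used inside `containers.nginx.config`, and a NixOS container evaluates its own `security.acme` options; as far as visible the container never sees the host's `acceptTerms`, so that block belongs inside the container config (duplicating it on the host is harmless but does nothing for the container). The `git.` and `vault.` locations set only `proxyPass`, so Forgejo and Vaultwarden see nginx's address rather than the client's and get no forwarded-proto header; `recommendedProxySettings = true;` on `services.nginx` (and `recommendedTlsSettings = true;` for the TLS side) is the module's one-line fix. The host-side forwarding that gets ports 80/443 to `192.168.100.1` is not part of this change, so the http-01 challenge and the public vhosts depend on it being configured elsewhere.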


@ -0,0 +1,95 @@
{
inputs,
outputs,
lib,
config,
pkgs,
...
}: let
inherit (lib) types mkOption mkEnableOption mkIf;
cfg = config.horseman.containers.vaultwarden;
username = config.horseman.username;
BACKUP_DIR = config.horseman.containers.backupDir;
DATA_DIR = "/home/${username}/backups/volumes/vaultwarden";
in {
options = {
horseman.containers.vaultwarden = {
enable = mkEnableOption "Password manager";
port = mkOption {
default = 3000;
type = types.int;
};
url = mkOption {
default = "https://vault.koendev.nl";
type = types.str;
};
};
};
config = mkIf cfg.enable {
systemd.timers."backup-vaultwarden" = {
wantedBy = ["timers.target"];
timerConfig = {
OnCalendar = "daily";
Persistent = true;
};
};
environment.systemPackages = [pkgs.gnutar];
systemd.services."backup-vaultwarden" = {
script = ''
cd ${BACKUP_DIR}
${pkgs.gnutar}/bin/tar -cf vaultwarden-$(date +'%Y-%m-%d').tar ${DATA_DIR}
'';
serviceConfig = {
User = "root";
};
};
containers.vaultwarden = {
autoStart = true;
privateNetwork = true;
hostAddress = "172.16.0.4";
localAddress = "192.168.100.4";
bindMounts = {
"/var/lib/vaultwarden" = {
hostPath = DATA_DIR;
isReadOnly = false;
}; # TODO set correct
};
config = {
config,
pkgs,
...
}: {
environment.systemPackages = with pkgs; [
vaultwarden.webvault
];
services.vaultwarden = {
enable = true;
config = {
ROCKET_PORT = cfg.port;
ROCKET_ADDRESS = "0.0.0.0";
WEB_VAULT_FOLDER = "${pkgs.vaultwarden.webvault}/share/vaultwarden/vault";
};
};
networking = {
firewall = {
enable = true;
allowedTCPPorts = [cfg.port];
};
useHostResolvConf = lib.mkForce false;
};
system.stateVersion = "23.11";
};
};
};
}
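Review bot: `cfg.url` is declared but never read in the container config, and nothing sets `SIGNUPS_ALLOWED`, which Vaultwarden defaults to true, so the instance behind `vault.${domain}` accepts new registrations while the Forgejo container in the same change sets `DISABLE_REGISTRATION = true`. Adding `DOMAIN = cfg.url;` and `SIGNUPS_ALLOWED = false;` alongside `ROCKET_PORT` uses the option and closes open signups; `DOMAIN` is also what Vaultwarden uses for generated links and the WebAuthn origin. The daily `tar` of the live `DATA_DIR` copies the database file while the service may be writing it, so the backup can be torn; an online `sqlite3 … ".backup"` of the database (or stopping the service around the tar) gives a consistent copy. The `# TODO set correct` on the bind mount indicates that mount is still provisional.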


@ -12,6 +12,7 @@ in {
./base
./boot
./catppuccin
./containers
./hardware
./network
./timers


@ -46,13 +46,13 @@ in {
};
workspaces = {
speed = 4;
speed = 3;
curve = easeInOut;
style = "slidefade 5%";
};
specialWorkspace = {
speed = 2;
speed = 3;
curve = easeInOut;
style = "slidefadevert 10%";
};
@ -64,7 +64,7 @@ in {
windows = {
speed = 3;
curve = easeInOut;
curve = easeOut;
style = "gnomed";
};
@ -78,7 +78,6 @@ in {
speed = 1.5;
curve = linear;
};
fadeOut = {
speed = 10;
curve = linear;


@ -441,13 +441,6 @@ in {
params = "";
}
{
flags = [];
mods = [];
key = "XF86AudioMute";
dispatcher = "exec";
params = "wpctl set-volume -l 1.0 @DEFAULT_AUDIO_SINK@ 0%";
}
{
flags = ["e" "l"];
mods = [];
@ -481,7 +474,7 @@ in {
mods = [];
key = "XF86AudioMute";
dispatcher = "exec";
params = "wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle";
params = "wpctl set-volume -l 1.0 @DEFAULT_AUDIO_SINK@ 0%";
}
{
flags = ["e" "l"];
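Review bot: The surviving `XF86AudioMute` binding now runs `wpctl set-volume -l 1.0 @DEFAULT_AUDIO_SINK@ 0%` instead of `set-mute … toggle`, so a second press no longer restores the previous level; if the intent of "fix: double mute keybind" was only to drop the duplicate, keeping `params = "wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle";` does that without changing behaviour. The binding's `flags` line sits above this hunk, so which of the two variants was kept cannot be confirmed from here.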


@ -17,6 +17,7 @@ let
"ssh/id_github"
"ssh/id_github.pub"
"ssh/config"
"containers/forgejo-secret"
];
attrs = map (secret: {"secrets/${secret}.age".publicKeys = all;}) secrets;
in
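Review bot: `"containers/forgejo-secret"` joins a list that `attrs` encrypts to `publicKeys = all`, so the runner registration token is decryptable by every key in `all`, not only by the host that runs the containers. If `all` also covers workstations (its definition is above this hunk), a separate list for server-only secrets with a narrower recipient set limits where a compromised host key can expose it. The `let` block starts before this hunk.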


@ -0,0 +1,18 @@
-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----