From 0310898db1d188df0a7492266408be3d4fa465d4 Mon Sep 17 00:00:00 2001 From: nomadics9 Date: Fri, 18 Oct 2024 18:25:21 +0300 Subject: [PATCH] vps host --- .sops.yaml | 10 ++ flake.lock | 199 ++++++++++++++++++++++-- flake.nix | 48 +++++- home/common/default.nix | 6 +- home/features/cli/default.nix | 1 - home/nomad/dotfiles/nvim.nix | 7 + home/nomad/unkown.nix | 2 +- home/nomad/{ => unkown}/home.nix | 9 +- home/nomad/vps.nix | 17 ++ home/nomad/vps/home.nix | 28 ++++ hosts/common/default.nix | 2 + hosts/common/services/default.nix | 1 - hosts/common/users/nomad.nix | 74 ++++++--- hosts/common/vps/default.nix | 10 ++ hosts/common/vps/dufs.nix | 43 +++++ hosts/common/vps/nextcloud.nix | 63 ++++++++ hosts/common/vps/pairdrop.nix | 42 +++++ hosts/common/vps/syncthing.nix | 44 ++++++ hosts/common/vps/vpn.nix | 56 +++++++ hosts/unkown/configuration.nix | 10 +- hosts/unkown/hardware-configuration.nix | 1 - hosts/vps/configuration.nix | 132 ++++++++++++++++ hosts/vps/default.nix | 47 ++++++ hosts/vps/hardware-configuration.nix | 26 ++++ hosts/vps/hardware/default.nix | 6 + hosts/vps/hardware/disko.nix | 68 ++++++++ secrets/secrets.yaml | 33 ++++ 27 files changed, 939 insertions(+), 46 deletions(-) create mode 100644 .sops.yaml create mode 100644 home/nomad/dotfiles/nvim.nix rename home/nomad/{ => unkown}/home.nix (96%) create mode 100644 home/nomad/vps.nix create mode 100644 home/nomad/vps/home.nix create mode 100644 hosts/common/vps/default.nix create mode 100644 hosts/common/vps/dufs.nix create mode 100644 hosts/common/vps/nextcloud.nix create mode 100644 hosts/common/vps/pairdrop.nix create mode 100644 hosts/common/vps/syncthing.nix create mode 100644 hosts/common/vps/vpn.nix create mode 100644 hosts/vps/configuration.nix create mode 100644 hosts/vps/default.nix create mode 100644 hosts/vps/hardware-configuration.nix create mode 100644 hosts/vps/hardware/default.nix create mode 100644 hosts/vps/hardware/disko.nix create mode 100644 secrets/secrets.yaml 
diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..b06cd3b --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,10 @@ +keys: + - &primary age16yxxp5lqg63zzh3s0f82lpslgc3phy6ugcqdnhh8y7fak65zrqkshjxt25 + - &ssh_key ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICqA7j8hk3+k0b04eDxuoUakldqKrP0aatLm+CREjFJe +creation_rules: + - path_regex: secrets/secrets.yaml$ + key_groups: + - age: + - *primary + - pgp: + - *ssh_key diff --git a/flake.lock b/flake.lock index 1bf5c4f..b680cbc 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,46 @@ { "nodes": { + "arion": { + "inputs": { + "flake-parts": "flake-parts", + "haskell-flake": "haskell-flake", + "hercules-ci-effects": "hercules-ci-effects", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1722825873, + "narHash": "sha256-bFNXkD+s9NuidZePiJAjjFUnsMOwXb7hEZ4JEDdSALw=", + "owner": "hercules-ci", + "repo": "arion", + "rev": "90bc85532767c785245f5c1e29ebfecb941cf8c9", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "arion", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1729099656, + "narHash": "sha256-VftVIg7UXTy1bq+tzi1aVYOWl7PQ35IpjW88yMYjjpc=", + "owner": "nix-community", + "repo": "disko", + "rev": "d7d57edb72e54891fa67a6f058a46b2bb405663b", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, "dotfiles": { "flake": false, "locked": { 
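Review bot: The `&ssh_key` anchor is an SSH ed25519 public key but is placed under `pgp:`, which sops interprets as a GPG key fingerprint, so this recipient is unusable as written — and the encrypted `secrets/secrets.yaml` in the same patch shows the outcome (`pgp: []`, a single age recipient). Convert the SSH key with `ssh-to-age` and list the resulting `age1…` string under `age:` next to `*primary`, then run `sops updatekeys secrets/secrets.yaml`, so that losing the one age key does not make every secret unrecoverable. A comment above `key_groups` would also prevent future confusion about the decryption model: `# one group: any single listed key can decrypt (no Shamir threshold)`.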
@@ -16,6 +57,86 @@ "url": "https://github.com/nomadics9/dotfiles.git" } }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "arion", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1722555600, + "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": [ + "arion", + "hercules-ci-effects", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1712014858, + "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d", + "type": "github" + }, + "original": { + "id": "flake-parts", + "type": "indirect" + } + }, + "haskell-flake": { + "locked": { + "lastModified": 1675296942, + "narHash": "sha256-u1X1sblozi5qYEcLp1hxcyo8FfDHnRUVX3dJ/tW19jY=", + "owner": "srid", + "repo": "haskell-flake", + "rev": "c2cafce9d57bfca41794dc3b99c593155006c71e", + "type": "github" + }, + "original": { + "owner": "srid", + "ref": "0.1.0", + "repo": "haskell-flake", + "type": "github" + } + }, + "hercules-ci-effects": { + "inputs": { + "flake-parts": "flake-parts_2", + "nixpkgs": [ + "arion", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719226092, + "narHash": "sha256-YNkUMcCUCpnULp40g+svYsaH1RbSEj6s4WdZY/SHe38=", + "owner": "hercules-ci", + "repo": "hercules-ci-effects", + "rev": "11e4b8dc112e2f485d7c97e1cee77f9958f498f5", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "hercules-ci-effects", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ 
@@ -23,11 +144,11 @@ ] }, "locked": { - "lastModified": 1728903686, - "narHash": "sha256-ZHFrGNWDDriZ4m8CA/5kDa250SG1LiiLPApv1p/JF0o=", + "lastModified": 1729165983, + "narHash": "sha256-gtcodl79t5ZbbX4TSx4RNyggasEvLdVnc/IM+RyxqJw=", "owner": "nix-community", "repo": "home-manager", - "rev": "e1aec543f5caf643ca0d94b6a633101942fd065f", + "rev": "78a7a070bbcc3b37cc36080c2a3514207d427b3b", "type": "github" }, "original": { @@ -38,16 +159,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1728492678, - "narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=", - "owner": "nixos", + "lastModified": 1725194671, + "narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7", + "rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c", "type": "github" }, "original": { - "owner": "nixos", - "ref": "nixos-unstable", + "owner": "NixOS", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } 
@@ -68,12 +189,68 @@ "type": "github" } }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1728156290, + "narHash": "sha256-uogSvuAp+1BYtdu6UWuObjHqSbBohpyARXDWqgI12Ss=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "17ae88b569bb15590549ff478bab6494dde4a907", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1728888510, + "narHash": "sha256-nsNdSldaAyu6PE3YUA+YQLqUDJh+gRbBooMMekZJwvI=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "a3c0b3b21515f74fd2665903d4ce6bc4dc81c77c", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "root": { "inputs": { + "arion": "arion", + "disko": "disko", "dotfiles": "dotfiles", "home-manager": "home-manager", - "nixpkgs": "nixpkgs", - "nixpkgs-stable": "nixpkgs-stable" + "nixpkgs": "nixpkgs_2", + "nixpkgs-stable": "nixpkgs-stable", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable_2" + }, + "locked": { + "lastModified": 1728345710, + "narHash": "sha256-lpunY1+bf90ts+sA2/FgxVNIegPDKCpEoWwOPu4ITTQ=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "06535d0e3d0201e6a8080dd32dbfde339b94f01b", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" } } }, diff --git a/flake.nix b/flake.nix index 5629808..a26bfb0 100644 --- a/flake.nix +++ b/flake.nix 
@@ -8,6 +8,16 @@ url = "github:nix-community/home-manager"; inputs.nixpkgs.follows = "nixpkgs"; }; + sops-nix = { + url = "github:Mic92/sops-nix"; + inputs.nixpkgs.follows = "nixpkgs"; # Pin sops-nix to follow nixpkgs + }; + arion = { + url = "github:hercules-ci/arion"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + disko.url = "github:nix-community/disko"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.11"; @@ -19,7 +29,7 @@ - outputs = { self, home-manager, nixpkgs, dotfiles, ... }@inputs: + outputs = { self, home-manager, nixpkgs, dotfiles, sops-nix, arion, disko, ... }@inputs: let inherit (self) outputs; systems = [ @@ -31,23 +41,51 @@ ]; forAllSystems = nixpkgs.lib.genAttrs systems; user = "nomad"; - hostname = "unkown"; + hostname = "vps"; in { packages = forAllSystems (system: import ./pkgs nixpkgs.legacyPackages.${system}); overlays = import ./overlays { inherit inputs; }; nixosConfigurations = { - ${hostname} = nixpkgs.lib.nixosSystem { + + unkown = nixpkgs.lib.nixosSystem { specialArgs = { inherit inputs outputs user hostname; }; - modules = [ ./hosts/${hostname} ]; + modules = [ + ./hosts/${hostname} + sops-nix.nixosModules.sops + arion.nixosModules.arion + ]; + }; + + homelab = nixpkgs.lib.nixosSystem { + specialArgs = { inherit inputs outputs user; }; + modules = [ + ./hosts/homelab + arion.nixosModules.arion + disko.nixosModules.disko + sops-nix.nixosModules.sops + ]; + }; + + vps = nixpkgs.lib.nixosSystem { + specialArgs = { inherit inputs outputs user; }; + modules = [ + ./hosts/vps + arion.nixosModules.arion + disko.nixosModules.disko + sops-nix.nixosModules.sops + ]; }; }; + homeConfigurations = { "${user}@${hostname}" = home-manager.lib.homeManagerConfiguration { pkgs = nixpkgs.legacyPackages."x86_64-linux"; extraSpecialArgs = { inherit inputs outputs user; }; - modules = [ ./home/${user}/${hostname}.nix ]; + modules = [ + ./home/${user}/${hostname}.nix + ]; }; }; }; 
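Review bot: `unkown = nixpkgs.lib.nixosSystem { … modules = [ ./hosts/${hostname} … ] }` still uses the `hostname` variable, which this same hunk changes to `"vps"`, so `.#unkown` now evaluates the VPS configuration (root SSH login, Docker services, cloud-init) for the desktop host; write `./hosts/unkown` literally. The `vps` and `homelab` systems pass `specialArgs` without `hostname`, yet `hosts/vps/configuration.nix` in this patch destructures `hostname` in its argument set, so evaluation will presumably fail with a missing-argument error unless `_module.args.hostname` is set somewhere not shown. `disko` has no `inputs.nixpkgs.follows = "nixpkgs"`, which is why `flake.lock` now carries a second unstable nixpkgs revision (and sops-nix's own `nixpkgs-stable` a third); add the `follows` so there is one dependency tree to audit. `nixpkgs-stable` still points at `nixos-23.11`, which no longer receives security updates — bump it before anything on the VPS depends on it.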
diff --git a/home/common/default.nix b/home/common/default.nix index 8b31055..96500fd 100644 --- a/home/common/default.nix +++ b/home/common/default.nix @@ -29,7 +29,11 @@ nix = { package = lib.mkDefault pkgs.nix; settings = { - experimental-features = [ "nix-command" "flakes" "repl-flake" ]; + experimental-features = [ + "nix-command" + "flakes" + #"repl-flake" + ]; warn-dirty = false; }; }; diff --git a/home/features/cli/default.nix b/home/features/cli/default.nix index 888b23c..722ba6e 100644 --- a/home/features/cli/default.nix +++ b/home/features/cli/default.nix @@ -22,6 +22,5 @@ zip exiftool nvtopPackages.full - cava ]; } diff --git a/home/nomad/dotfiles/nvim.nix b/home/nomad/dotfiles/nvim.nix new file mode 100644 index 0000000..cf9eee0 --- /dev/null +++ b/home/nomad/dotfiles/nvim.nix @@ -0,0 +1,7 @@ +{ inputs, ... }: +{ + home.file.".config/nvim" = { + source = "${inputs.dotfiles}/nvim"; + recursive = true; + }; +} diff --git a/home/nomad/unkown.nix b/home/nomad/unkown.nix index 64a7958..6f49912 100644 --- a/home/nomad/unkown.nix +++ b/home/nomad/unkown.nix @@ -5,7 +5,7 @@ ../features/cli ../features/desktop ../features/themes - ./home.nix + ./unkown/home.nix ]; features = { diff --git a/home/nomad/home.nix b/home/nomad/unkown/home.nix similarity index 96% rename from home/nomad/home.nix rename to home/nomad/unkown/home.nix index 102636a..31da764 100644 --- a/home/nomad/home.nix +++ b/home/nomad/unkown/home.nix @@ -2,7 +2,7 @@ # # home-manager init ./ -{ config, lib, pkgs, user, ... }: +{ config, lib, pkgs, user, inputs, ... }: { home.username = lib.mkDefault user; @@ -22,6 +22,7 @@ # Essentials kitty firefox + google-chrome # Apps vlc amberol 
@@ -118,13 +119,13 @@ MOZ_DRM_DEVICE = "/dev/dri/card0:/dev/dri/card1"; WLR_DRM_DEVICES = "/dev/dri/card0:/dev/dri/card1"; #WLR_NO_HARDWARE_CURSORS = "1"; # if no cursor,uncomment this line - GBM_BACKEND = "nvidia-drm"; + #GBM_BACKEND = "nvidia-drm"; CLUTTER_BACKEND = "wayland"; LIBVA_DRIVER_NAME = "iHD"; WLR_RENDERER = "vulkan"; VK_DRIVER_FILES = "/run/opengl-driver/share/vulkan/icd.d/nvidia_icd.x86_64.json"; - __GLX_VENDOR_LIBRARY_NAME = "nvidia"; - __NV_PRIME_RENDER_OFFLOAD = "1"; + #__GLX_VENDOR_LIBRARY_NAME = "nvidia"; + #__NV_PRIME_RENDER_OFFLOAD = "1"; XDG_CURRENT_DESKTOP = "Hyprland"; XDG_SESSION_DESKTOP = "Hyprland"; XDG_SESSION_TYPE = "wayland"; diff --git a/home/nomad/vps.nix b/home/nomad/vps.nix new file mode 100644 index 0000000..601bc8a --- /dev/null +++ b/home/nomad/vps.nix @@ -0,0 +1,17 @@ +{ + imports = [ + ../common + ./dotfiles/nvim.nix + ../features/cli + ./vps/home.nix + ]; + + features = { + cli = { + zsh.enable = true; + fzf.enable = true; + neofetch.enable = true; + }; + }; +} + diff --git a/home/nomad/vps/home.nix b/home/nomad/vps/home.nix new file mode 100644 index 0000000..377dee0 --- /dev/null +++ b/home/nomad/vps/home.nix @@ -0,0 +1,28 @@ +{ config, lib, pkgs, user, ... }: + +{ + home.username = lib.mkDefault user; + home.homeDirectory = lib.mkDefault "/home/${config.home.username}"; + home.stateVersion = "24.05"; + + home.packages = with pkgs; [ + tailscale + htop + bun + lua-language-server + kitty + ]; + + home.file = { }; + + home.sessionVariables = { + EDITOR = "nvim"; + XDG_CACHE_HOME = "${config.home.homeDirectory}/.cache"; + XDG_CONFIG_HOME = "${config.home.homeDirectory}/.config"; + XDG_BIN_HOME = "${config.home.homeDirectory}/.nix-profile/bin"; + XDG_DATA_HOME = "${config.home.homeDirectory}/.local/share"; + }; + + # Let Home Manager install and manage itself. + programs.home-manager.enable = true; +} diff --git a/hosts/common/default.nix b/hosts/common/default.nix index 6130141..85e2793 100644 --- a/hosts/common/default.nix 
+++ b/hosts/common/default.nix @@ -4,6 +4,8 @@ imports = [ ./users ./services + ./homelab + ./vps inputs.home-manager.nixosModules.home-manager ]; diff --git a/hosts/common/services/default.nix b/hosts/common/services/default.nix index d21480d..19387f4 100644 --- a/hosts/common/services/default.nix +++ b/hosts/common/services/default.nix @@ -1,7 +1,6 @@ { imports = [ ./vm.nix - ./vfio.nix ./steam.nix ./polkit.nix ./appimage.nix diff --git a/hosts/common/users/nomad.nix b/hosts/common/users/nomad.nix index 2ea5812..f284a3f 100644 --- a/hosts/common/users/nomad.nix +++ b/hosts/common/users/nomad.nix 
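Review bot: `./homelab` is imported here, but the patch creates no `hosts/common/homelab` (the diffstat lists only `hosts/common/vps/*`), so this import fails to evaluate from a clean checkout — the same applies to `./hosts/homelab` referenced in `flake.nix`. Either drop the import until the module is committed or include the directory in this change. Because `hosts/common` is pulled in by every host, `./vps` also means the Docker service definitions are evaluated on the desktop; harmless while the options default to off, but worth stating inline: `./vps # option declarations only; enabled per host via vps.<name>.enable`.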
@@ -4,26 +4,62 @@
 , user
 , ...
 }: {
- users.users.${user} = {
- initialPassword = "4321";
- isNormalUser = true;
- shell = pkgs.zsh;
- description = "${user}";
- extraGroups = [
- "wheel"
- "networkmanager"
- "libvirtd"
- "flatpak"
- "audio"
- "video"
- "plugdev"
- "input"
- "kvm"
- "qemu-libvirtd"
- "docker"
- ];
- packages = [ inputs.home-manager.packages.${pkgs.system}.default ];
+ users.users = {
+ ${user} = {
+ initialPassword = "4321";
+ isNormalUser = true;
+ shell = pkgs.zsh;
+ description = "${user}";
+ extraGroups = [
+ "wheel"
+ "networkmanager"
+ "libvirtd"
+ "flatpak"
+ "audio"
+ "video"
+ "plugdev"
+ "input"
+ "kvm"
+ "qemu-libvirtd"
+ "docker"
+ "key"
+ ];
+ packages = [ inputs.home-manager.packages.${pkgs.system}.default ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICqA7j8hk3+k0b04eDxuoUakldqKrP0aatLm+CREjFJe"
+ ];
+ };
+
+ root = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICqA7j8hk3+k0b04eDxuoUakldqKrP0aatLm+CREjFJe"
+ ];
+ extraGroups = [ "key" ];
+ };
 };
+
+ # Decrypt the secrets file using sops-nix with age
+
+
+ sops.secrets = {
+ DUFS_USERNAME = { };
+ DUFS_PASSWORD = { };
+ NEXTCLOUD_DB_USERNAME = { };
+ NEXTCLOUD_DB_PASSWORD = { };
+ NEXTCLOUD_DB = { };
+ };
+
+
+ sops.templates."my-env.env".content = ''
+ DUFS_USERNAME = "${config.sops.placeholder.DUFS_USERNAME}"
+ DUFS_PASSWORD = "${config.sops.placeholder.DUFS_PASSWORD}"
+ NEXTCLOUD_DB_USERNAME = "${config.sops.placeholder.NEXTCLOUD_DB_USERNAME}"
+ NEXTCLOUD_DB_PASSWORD = "${config.sops.placeholder.NEXTCLOUD_DB_PASSWORD}"
+ NEXTCLOUD_DB = "${config.sops.placeholder.NEXTCLOUD_DB}"
+ '';
+
+ users.users = { };
+
 programs.zsh.enable = true;
 home-manager.users.${user} = import ../../../home/${user}/${config.networking.hostName}.nix;
diff --git a/hosts/common/vps/default.nix b/hosts/common/vps/default.nix
new file mode 100644
index 0000000..07cb347
--- /dev/null
+++ b/hosts/common/vps/default.nix
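Review bot: The new `root` entry authorizes an SSH key for root, and `hosts/vps/configuration.nix` in this same patch sets `PermitRootLogin = "yes"`; the identical key is already authorized for `${user}`, who is in `wheel`, so direct root login adds exposure without adding capability — delete the `root` block (or at minimum use `prohibit-password` server-side). `initialPassword = "4321"` is carried over for a `wheel` user; on a VPS this is reachable through the provider's console/VNC, so set `hashedPasswordFile` from a sops secret or drop the password and rely on keys. The sops template is consumed as a Compose `env_file`, whose canonical form is `KEY=value` (the `KEY = "value"` spelling relies on dotenv-parser leniency), and none of the names match what the containers read: `nextcloud.nix` interpolates `$NEXTCLOUD_DB_USER` while the secret is `NEXTCLOUD_DB_USERNAME`, and dufs (recent versions) takes its auth rule from `-a`/`DUFS_AUTH` rather than `DUFS_USERNAME`/`DUFS_PASSWORD`, so as written no secret actually reaches a service. `extraGroups = [ "key" ]` on both users names a group not declared anywhere in the patch (sops-nix's default is `keys`, and the template is root-owned `0400` regardless), and the trailing `users.users = { };` is a no-op that should be removed.
```nix
  # Rendered as a Compose env_file: KEY=value, no spaces or quotes.
  # Key names are the ones the containers actually read.
  sops.templates."my-env.env".content = ''
    DUFS_AUTH=${config.sops.placeholder.DUFS_USERNAME}:${config.sops.placeholder.DUFS_PASSWORD}@/:rw
    POSTGRES_USER=${config.sops.placeholder.NEXTCLOUD_DB_USERNAME}
    POSTGRES_PASSWORD=${config.sops.placeholder.NEXTCLOUD_DB_PASSWORD}
    POSTGRES_DB=${config.sops.placeholder.NEXTCLOUD_DB}
  '';
```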
@@ -0,0 +1,10 @@
+{
+ imports = [
+ ./dufs.nix
+ ./nextcloud.nix
+ ./pairdrop.nix
+ ./syncthing.nix
+ ./vpn.nix
+ ];
+
+}
diff --git a/hosts/common/vps/dufs.nix b/hosts/common/vps/dufs.nix
new file mode 100644
index 0000000..ea9444f
--- /dev/null
+++ b/hosts/common/vps/dufs.nix
@@ -0,0 +1,43 @@
+{ config, lib, pkgs, user, ... }:
+with lib;
+let
+ dufsService = {
+ project.name = "dufs";
+ services = {
+ dufs = {
+ service.image = "sigoden/dufs:latest";
+ service.ports = [
+ "5000:5000"
+ ];
+ service.volumes = [
+ "${config.users.users.${user}.home}/dockers/dufs/data:/data"
+ ];
+ service.command = [
+ "/data"
+ "-a"
+ "???:???@/:rw"
+ "-A"
+ "-a"
+ "@/p"
+ ];
+ service.env_file = [ "${config.sops.templates."my-env.env".path}" ];
+ };
+ };
+ };
+in
+{
+ options.vps.dufs.enable = mkEnableOption " Enable DUFS service ";
+
+ config = mkIf config.vps.dufs.enable {
+ virtualisation.arion = {
+ backend = "docker";
+ projects.dufs = {
+ serviceName = "dufs";
+ settings = dufsService;
+ };
+ };
+ };
+}
+
+
+
diff --git a/hosts/common/vps/nextcloud.nix b/hosts/common/vps/nextcloud.nix
new file mode 100644
index 0000000..a5ce128
--- /dev/null
+++ b/hosts/common/vps/nextcloud.nix
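Review bot: `"-a" "???:???@/:rw"` gives dufs a live account with username `???` and password `???` holding read-write on the whole share, and `-A` additionally enables upload/delete/search, so the placeholder credentials are real on whatever reaches port 5000 — which is the internet, since `5000:5000` publishes on all interfaces and the VPS configuration in this patch disables the firewall. The `DUFS_USERNAME`/`DUFS_PASSWORD` values injected through `env_file` are not names dufs consumes (recent dufs reads options from `-a`/`DUFS_AUTH`), so the sops secrets do not change this. Render the rule into the sops template instead (`DUFS_AUTH=<user>:<pass>@/:rw`), drop the `-a`/`???` arguments, and publish only to loopback for Caddy: `"127.0.0.1:5000:5000"`. `sigoden/dufs:latest` is unpinned; pin a tag or digest so a registry-side change cannot silently alter what the VPS runs, and fix the stray spaces in `mkEnableOption " Enable DUFS service "`.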
@@ -0,0 +1,63 @@
+{ config, lib, pkgs, user, ... }:
+with lib;
+
+let
+ nextcloudService = {
+ project.name = "nextcloud";
+ services = {
+ nextcloud = {
+ service = {
+ image = "lscr.io/linuxserver/nextcloud:latest";
+ environment = {
+ PUID = "1000"; # User ID
+ PGID = "1000"; # Group ID
+ TZ = "Asia/Kuwait"; # Time zone
+ };
+ volumes = [
+ "/home/${user}/dockers/nextcloud/config:/config" # Config path
+ "/home/${user}/dockers/nextcloud/data:/data" # Data path
+ "/home/${user}/dockers/nextcloud/postgres_data:/var/lib/postgresql/data" # PostgreSQL data path
+ ];
+ ports = [
+ "4400:443"
+ ];
+ restart = "unless-stopped";
+ networks = [ "nextcloud_network" ];
+ env_file = [ "${config.sops.templates."my-env.env".path}" ];
+ };
+ };
+ nextcloud-postgres = {
+ service = {
+ image = "postgres:latest";
+ environment = {
+ POSTGRES_USER = "$NEXTCLOUD_DB_USER";
+ POSTGRES_PASSWORD = "$NEXTCLOUD_DB_PASSWORD";
+ POSTGRES_DB = "$NEXTCLOUD_DB";
+ };
+ ports = [
+ "5432:5432"
+ ];
+ volumes = [
+ "/home/${user}/dockers/nextcloud/pgdata:/var/lib/postgresql/data"
+ ];
+ env_file = [ "${config.sops.templates."my-env.env".path}" ]; #idk why the image isnt reading this file. will fix later
+ networks = [ "nextcloud_network" ];
+ };
+ };
+ };
+ };
+in
+{
+ options.vps.nextcloud.enable = mkEnableOption "Enable Nextcloud service for VPS";
+
+ config = mkIf config.vps.nextcloud.enable {
+ virtualisation.arion = {
+ backend = "docker";
+ projects.nextcloud = {
+ serviceName = "nextcloud";
+ settings = nextcloudService;
+ };
+ };
+ };
+}
+
diff --git a/hosts/common/vps/pairdrop.nix b/hosts/common/vps/pairdrop.nix
new file mode 100644
index 0000000..1477839
--- /dev/null
+++ b/hosts/common/vps/pairdrop.nix
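Review bot: `POSTGRES_USER = "$NEXTCLOUD_DB_USER"` and its two siblings are resolved by Compose variable interpolation from the environment of the process running `docker compose`, not from the container's `env_file` — that is why the `#idk why the image isnt reading this file` comment exists; `env_file` only sets variables inside the container, and the name also differs from the secret (`NEXTCLOUD_DB_USERNAME`). Replace the three `environment` entries with `POSTGRES_*=…` lines rendered by the sops template and keep only `env_file` on the postgres service. Independently, `5432:5432` publishes the database on every interface of the VPS; both services share `nextcloud_network`, so the DB needs no `ports` block at all — delete it rather than bind it. `nextcloud_network` is referenced by both services but never declared as a top-level `networks.nextcloud_network = { }` in `nextcloudService`, so Compose will likely reject the project once `vps.nextcloud.enable` is turned on, and the `nextcloud` container's `postgres_data:/var/lib/postgresql/data` mount is dead weight since postgres uses `pgdata`.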
@@ -0,0 +1,42 @@
+{ config, lib, pkgs, ... }:
+with lib;
+
+let
+ pairdropService = {
+ project.name = "pairdrop";
+ services = {
+ pairdrop = {
+ service = {
+ image = "lscr.io/linuxserver/pairdrop:latest";
+ environment = {
+ PUID = "1000"; # User ID
+ PGID = "1000"; # Group ID
+ TZ = "Asia/Kuwait"; # Time zone
+ RATE_LIMIT = "false"; # Optional
+ WS_FALLBACK = "false"; # Optional
+ RTC_CONFIG = ""; # Optional
+ DEBUG_MODE = "false"; # Optional
+ };
+ ports = [
+ "3000:3000"
+ ];
+ restart = "unless-stopped";
+ };
+ };
+ };
+ };
+in
+{
+ options.vps.pairdrop.enable = mkEnableOption "Enable Pairdrop service";
+
+ config = mkIf config.vps.pairdrop.enable {
+ virtualisation.arion = {
+ backend = "docker";
+ projects.pairdrop = {
+ serviceName = "pairdrop";
+ settings = pairdropService;
+ };
+ };
+ };
+}
+
diff --git a/hosts/common/vps/syncthing.nix b/hosts/common/vps/syncthing.nix
new file mode 100644
index 0000000..80d42b0
--- /dev/null
+++ b/hosts/common/vps/syncthing.nix
@@ -0,0 +1,44 @@
+{ config, lib, pkgs, user, ... }:
+with lib;
+
+let
+ syncthingService = {
+ project.name = "syncthing";
+ services = {
+ syncthing = {
+ service = {
+ image = "syncthing/syncthing:latest";
+ hostname = "NixOS-syncthing";
+ environment = {
+ PUID = "1000"; # User ID
+ PGID = "1000"; # Group ID
+ };
+ volumes = [
+ "/home/${user}/dockers/syncthing:/var/syncthing" # Adjust the path as necessary
+ ];
+ ports = [
+ "8384:8384" # Web UI
+ "22000:22000/tcp" # TCP file transfers
+ "22000:22000/udp" # QUIC file transfers
+ "21027:21027/udp" # Receive local discovery broadcasts
+ ];
+ restart = "unless-stopped";
+ };
+ };
+ };
+ };
+in
+{
+ options.vps.syncthing.enable = mkEnableOption "Enable Syncthing service on VPS";
+
+ config = mkIf config.vps.syncthing.enable {
+ virtualisation.arion = {
+ backend = "docker";
+ projects.syncthing = {
+ serviceName = "syncthing";
+ settings = syncthingService;
+ };
+ };
+ };
+}
+
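Review bot: `RATE_LIMIT = "false"` switches off PairDrop's built-in request rate limiting on a service that `hosts/vps/configuration.nix` exposes publicly as `drop.nmd.mov`, and `3000:3000` publishes the container on all interfaces, so it is also reachable over plain HTTP beside the Caddy TLS endpoint. Keep rate limiting on (remove the line or set it to `"true"`) and bind to loopback for Caddy only: `"127.0.0.1:3000:3000"`. `lscr.io/linuxserver/pairdrop:latest` is unpinned — pin a tag or digest as for the other images in this patch.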
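Review bot: The Syncthing GUI on `8384:8384` is published on every interface with no GUI user or password configured, and the Caddy vhost `s.nmd.mov` added in this patch proxies it without any authentication layer; anyone reaching either path can add, remove or re-point shared folders and pair devices. Bind the GUI to loopback (`"127.0.0.1:8384:8384"`) and set a GUI username/password (or add `basic_auth` in the Caddy vhost) before `vps.syncthing.enable` goes live. `21027/udp` is local-discovery broadcast, which has no meaning on a VPS's public interface and can be dropped along with its firewall entry; `22000` tcp/udp are the only ports peers need directly. `syncthing/syncthing:latest` is unpinned — pin a version or digest.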
diff --git a/hosts/common/vps/vpn.nix b/hosts/common/vps/vpn.nix
new file mode 100644
index 0000000..5a26440
--- /dev/null
+++ b/hosts/common/vps/vpn.nix
@@ -0,0 +1,56 @@
+{ config, lib, pkgs, user, ... }:
+with lib;
+
+let
+ wgEasyService = {
+ project.name = "vpn";
+ services = {
+ wgEasy = {
+ service = {
+ image = "ghcr.io/wg-easy/wg-easy:latest";
+ environment = {
+ LANG = "en";
+ WG_HOST = "vpn.nmd.mov"; # Change to your host's public address
+ PASSWORD_HASH = "$$2a$$12$$fnnv.bDGodZEiIK4wBxA8u2K2Qc99BCjD72jmylBFooFEVFgtQ2ma"; # Replace with your hash
+ PORT = "51821";
+ WG_DEFAULT_DNS = "1.1.1.1";
+ UI_TRAFFIC_STATS = "true";
+ UI_CHART_TYPE = "1"; # Line chart
+ UI_ENABLE_SORT_CLIENTS = "true";
+ };
+ volumes = [
+ "/home/${user}/dockers/wg-easy/etc_wireguard:/etc/wireguard" # Adjust the path as necessary
+ ];
+ ports = [
+ "51820:51820/udp"
+ "51821:51821/tcp"
+ ];
+ restart = "unless-stopped";
+ capabilities = {
+ NET_ADMIN = true;
+ SYS_MODULE = true;
+ # "NET_RAW" # Uncomment if using Podman
+ };
+ sysctls = {
+ "net.ipv4.ip_forward" = 1;
+ "net.ipv4.conf.all.src_valid_mark" = 1;
+ };
+ };
+ };
+ };
+ };
+in
+{
+ options.vps.vpn.enable = mkEnableOption "Enable WG-Easy service on VPS";
+
+ config = mkIf config.vps.vpn.enable {
+ virtualisation.arion = {
+ backend = "docker";
+ projects.vpn = {
+ serviceName = "vpn";
+ settings = wgEasyService;
+ };
+ };
+ };
+}
+
diff --git a/hosts/unkown/configuration.nix b/hosts/unkown/configuration.nix
index 8d23d3d..35041ce 100644
--- a/hosts/unkown/configuration.nix
+++ b/hosts/unkown/configuration.nix
@@ -1,4 +1,4 @@
-{ pkgs, hostname, ... }: {
+{ pkgs, hostname, inputs, user, ... }: {
 imports = [ # Include the results of the hardware scan.
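Review bot: `PASSWORD_HASH` commits the bcrypt hash of the wg-easy admin password to the repository; a bcrypt hash is crackable offline for any non-random password and is exactly what the new sops setup is for — move it to `secrets.yaml` and deliver it via the sops template and `env_file` (the `$$` doubling is only needed while the value passes through Compose interpolation). `SYS_MODULE = true` lets the container load arbitrary kernel modules, which is equivalent to root on the host; WireGuard has been in-tree since Linux 5.6, so with `boot.kernelModules = [ "wireguard" ];` on the host this capability can be dropped and only `NET_ADMIN` kept. `51821:51821/tcp` publishes the plain-HTTP admin UI on all interfaces although Caddy already terminates TLS for it at `vpn.nmd.mov`; bind it to loopback: `"127.0.0.1:51821:51821/tcp"`. `ghcr.io/wg-easy/wg-easy:latest` is unpinned — pin a tag or digest.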
@@ -21,7 +21,7 @@ common.services.nautilus.enable = true; # Virtual Box (Virt-Manager) and GPU Passthru. you have to configure hosts/services/vfio.nix for passthrough to work! common.services.vm.enable = true; - common.services.vfio.enable = false; + #common.services.vfio.enable = false; # AppStores common.services.appimage.enable = true; common.services.steam.enable = true; @@ -37,6 +37,12 @@ # Ntfs support boot.supportedFilesystems = [ "ntfs" ]; + sops = { + age.keyFile = "/etc/nixos/sops/age/keys.txt"; + defaultSopsFile = ../../secrets/secrets.yaml; + defaultSopsFormat = "yaml"; + }; + # Enable GDM Login Manager diff --git a/hosts/unkown/hardware-configuration.nix b/hosts/unkown/hardware-configuration.nix index 6739d23..6cf65e1 100644 --- a/hosts/unkown/hardware-configuration.nix +++ b/hosts/unkown/hardware-configuration.nix @@ -12,7 +12,6 @@ boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; fileSystems."/" = { diff --git a/hosts/vps/configuration.nix b/hosts/vps/configuration.nix new file mode 100644 index 0000000..5119238 --- /dev/null +++ b/hosts/vps/configuration.nix 
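Review bot: `age.keyFile = "/etc/nixos/sops/age/keys.txt"` places the age private key under `/etc/nixos`, which on a flake-based setup is commonly the working copy of this very repository — one careless `git add` commits the key that decrypts `secrets/secrets.yaml`. Use sops-nix's default location outside the repo (`/var/lib/sops-nix/key.txt`) or derive the key from the host SSH key with `sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`, and if the path must stay, add `sops/` to `.gitignore`. The same path is used in `hosts/vps/configuration.nix` in this patch, so both hosts should change together.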
@@ -0,0 +1,132 @@
+{ pkgs, hostname, user, lib, ... }: {
+
+ imports = [
+ ./hardware-configuration.nix
+ ];
+
+ hardware.disko.enable = true;
+
+ programs.nix-ld.enable = true;
+ common.services.appimage.enable = true;
+
+
+ systemd.services.arion = {
+ enable = true;
+ serviceConfig = {
+ Restart = "on-failure";
+ };
+ };
+
+ vps = {
+ dufs.enable = true;
+ nextcloud.enable = false;
+ pairdrop.enable = true;
+ syncthing.enable = true;
+ vpn.enable = true;
+ };
+
+ sops = {
+ age.keyFile = "/etc/nixos/sops/age/keys.txt";
+ defaultSopsFile = ../../secrets/secrets.yaml;
+ defaultSopsFormat = "yaml";
+ };
+
+ services.caddy = {
+ enable = true;
+ extraConfig = ''
+ fs.nmd.mov {
+ reverse_proxy localhost:5000
+ }
+ vpn.nmd.mov {
+ reverse_proxy localhost:51821
+ }
+ s.nmd.mov {
+ reverse_proxy localhost:8384
+ }
+ drop.nmd.mov {
+ reverse_proxy localhost:3000
+ }
+ dot.nmd.mov {
+ reverse_proxy localhost:4400
+ }
+ '';
+ };
+
+
+ networking.useDHCP = lib.mkForce false;
+ services.cloud-init = {
+ enable = true;
+ network.enable = true;
+ };
+
+ services.openssh = {
+ enable = true;
+ settings = {
+ PermitRootLogin = "yes";
+ PasswordAuthentication = false;
+ };
+ };
+
+
+
+ boot.loader.grub = {
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ };
+
+
+
+ networking.hostName = "vps";
+
+
+
+
+ time.timeZone = "Asia/Kuwait";
+ i18n.defaultLocale = "en_US.UTF-8";
+ i18n.extraLocaleSettings = {
+ LC_ADDRESS = "en_GB.UTF-8";
+ LC_IDENTIFICATION = "en_GB.UTF-8";
+ LC_MEASUREMENT = "en_GB.UTF-8";
+ LC_MONETARY = "en_GB.UTF-8";
+ LC_NAME = "en_GB.UTF-8";
+ LC_NUMERIC = "en_GB.UTF-8";
+ LC_PAPER = "en_GB.UTF-8";
+ LC_TELEPHONE = "en_GB.UTF-8";
+ LC_TIME = "en_GB.UTF-8";
+ };
+
+
+ services.printing.enable = false;
+
+ nixpkgs.config.allowUnfree = true;
+
+
+ environment.systemPackages = with pkgs; [
+ neovim
+ git
+ zsh
+ arion
+ sops
+ ];
+
+
+ networking.firewall.enable = false;
+ networking.firewall.allowedTCPPorts = [
+ 22
+ 80
+ 443
+ 5000
+ 4400
+ 3000
+ 8384
+ 22000
+ 51821
+ ];
+ networking.firewall.allowedUDPPorts = [
+ 22000
+ 21027
+ 51820
+ ];
+ system.stateVersion = "24.05";
+
+}
diff --git a/hosts/vps/default.nix b/hosts/vps/default.nix
new file mode 100644
index 0000000..680ddbe
--- /dev/null
+++ b/hosts/vps/default.nix
@@ -0,0 +1,47 @@
+# A staring point is the basic NIXOS configuration generated by the ISO installer.
+# On an existing NIXOS install you can use the following command in your flakes basedir:
+# sudo nixos-generate-config --dir ./hosts/your-host
+#
+# Please make sure to change the first couple of lines in your configuration.nix:
+
+# { config, inputs, ouputs, lib, pkgs, user, ... }:
+
+{
+ # imports = [ # Include the results of the hardware scan.
+ # ./hardware-configuration.nix
+ # inputs.home-manager.nixosModules.home-manager
+ # ];
+ #
+ # # ...
+ #
+ # Moreover please update the packages option in your user configuration and add the home-manager options:
+
+ # users.users = {
+ # ${user} = {
+ # isNormalUser = true;
+ # initialPassword = "4321";
+ # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+ # packages = [ inputs.home-manager.packages.${pkgs.system}.default ];
+ # };
+ # };
+
+ # home-manager = {
+ # useUserPackages = true;
+ # extraSpecialArgs = { inherit inputs outputs; };
+ # users.${user} =
+ # import ../../home/${user}/${config.networking.hostName}.nix;
+ # };
+
+ # Please also change your hostname accordingly:
+ #:w
+
+ # networking.hostName = "unkown"; # Define your hostname.
+
+
+ imports = [
+ ../common
+ ./hardware
+ ./configuration.nix
+ ];
+
+}
diff --git a/hosts/vps/hardware-configuration.nix b/hosts/vps/hardware-configuration.nix
new file mode 100644
index 0000000..e1631a2
--- /dev/null
+++ b/hosts/vps/hardware-configuration.nix
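Review bot: `networking.firewall.enable = false;` makes the two port lists beneath it dead configuration and leaves every published container port reachable from the internet, including those that exist only for Caddy (`5000`, `3000`, `8384`, `51821`, `4400`) and Postgres `5432` once Nextcloud is enabled. Re-enable the firewall and trim the lists to what must be reached directly; note that Docker's port publishing installs its own iptables rules ahead of the NixOS chain, so the Caddy-backed services additionally need `127.0.0.1:` bindings in their compose definitions to be truly internal. `PermitRootLogin = "yes"` is broader than needed because the same key is authorized for the `wheel` user; `prohibit-password` (or `no`) keeps root immune to password guessing even if `PasswordAuthentication` is ever flipped back on. `reverse_proxy localhost:4400` targets the Nextcloud container's `443` mapping, which presumably serves TLS, so Caddy will likely need an `https://` upstream with `transport http { tls_insecure_skip_verify }` or the container's HTTP port instead — confirm before enabling it.
```nix
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "prohibit-password"; # key-only; switch to "no" once sudo via ${user} is confirmed
      PasswordAuthentication = false;
    };
  };

  # … unchanged: boot.loader, hostName, locale, packages …

  networking.firewall = {
    enable = true;
    # Only what must be reached directly; dufs, pairdrop, syncthing GUI, wg-easy UI
    # and nextcloud are reached through Caddy on 80/443 and should bind to 127.0.0.1.
    allowedTCPPorts = [ 22 80 443 22000 ];
    allowedUDPPorts = [ 22000 51820 ]; # 21027 is LAN discovery, meaningless on a public VPS
  };
```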
@@ -0,0 +1,26 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "virtio_blk" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + #networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens3.useDHCP = lib.mkDefault true; + # networking.interfaces.ens4.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/vps/hardware/default.nix b/hosts/vps/hardware/default.nix new file mode 100644 index 0000000..9a2ffd7 --- /dev/null +++ b/hosts/vps/hardware/default.nix @@ -0,0 +1,6 @@ +{ + imports = [ + ./disko.nix + ]; +} + diff --git a/hosts/vps/hardware/disko.nix b/hosts/vps/hardware/disko.nix new file mode 100644 index 0000000..0a6033a --- /dev/null +++ b/hosts/vps/hardware/disko.nix 
@@ -0,0 +1,68 @@ +{ config +, lib +, pkgs +, ... +}: +with lib; let + cfg = config.hardware.disko; +in +{ + options.hardware.disko.enable = mkEnableOption "disko harddrives"; + + config = mkIf cfg.enable { + + disko.devices = { + disk.disk1 = { + device = lib.mkDefault "/dev/vda"; + type = "disk"; + content = { + type = "gpt"; + partitions = { + boot = { + name = "boot"; + size = "1M"; + type = "EF02"; + }; + esp = { + name = "ESP"; + size = "500M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + name = "root"; + size = "100%"; + content = { + type = "lvm_pv"; + vg = "pool"; + }; + }; + }; + }; + }; + lvm_vg = { + pool = { + type = "lvm_vg"; + lvs = { + root = { + size = "100%FREE"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + mountOptions = [ + "defaults" + ]; + }; + }; + }; + }; + }; + }; + }; +} + diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml new file mode 100644 index 0000000..60882fc --- /dev/null +++ b/secrets/secrets.yaml 
@@ -0,0 +1,33 @@ +DUFS_USERNAME: ENC[AES256_GCM,data:3RsFcVo=,iv:y0VLlbBA6HT3yXa3O0G4xy3OJE1gGNvul0ZktxQd7w4=,tag:cFT59GgF+1q0XK4UELXMuA==,type:str] +DUFS_PASSWORD: ENC[AES256_GCM,data:dHoGsIXMDuA=,iv:lhw9IfvifOPFyRflcsk/HguwayHgrDShwQr5MMOGITc=,tag:VfFpQylAhXTok79u9wwi4Q==,type:str] +NEXTCLOUD_DB_USERNAME: ENC[AES256_GCM,data:785HjW3Z2gNRJv6fzA==,iv:Lsh04lUtJm0Aufw5zH+UmL/98D47Lue/A/JDKi304G8=,tag:7QnY25N3a8rVXG7u8o8pVw==,type:str] +NEXTCLOUD_DB_PASSWORD: ENC[AES256_GCM,data:exumoIY6Um/Y2JuKx+RHGHEOjj03,iv:i4sx8Pa3tV7wDMR8EgtMXidsz/tvVBaMIkpv9ohPavw=,tag:zqt2ukTq8gjOT8RssMu5OQ==,type:str] +NEXTCLOUD_DB: ENC[AES256_GCM,data:RduFtc85u9sTTZg=,iv:AZoA7CvVyxfpXTi4BTVPlwJGbFLLOTkF0JiMN+smFGA=,tag:MNjL/Jl3EInrKXRqTq/TAg==,type:str] +#ENC[AES256_GCM,data:4q3pEXswuO/X37NbzpKwEA==,iv:1HMEgmtyOeTQ0PSWmkBS9sItAaM2SI5+N7NNlhC83kQ=,tag:bRxjHkvPMNIEsOEB8uqcxw==,type:comment] +#ENC[AES256_GCM,data:tIG7zbWpyrVFdxSFMQKe,iv:uBQyygtmRvSyqA7lY+k+RkPjFc42ZHpOJ2xfWve7S5I=,tag:kxqAmOOsYcjd8/OyZ4/XEA==,type:comment] +#ENC[AES256_GCM,data:bRXt/JXa2tTCCaDh63T/ObOlp2RX,iv:VbgRCu+bgc6uCqbipoFP3KFY6BkuBQlwr6kjzAFhSew=,tag:BqJhaygo7C/vuviiKIxPwg==,type:comment] +#ENC[AES256_GCM,data:8D6evYfOld7GzZt7je/r0ItK0QNW,iv:LFnGgoGG4aNZCjrdGLje4WKPEGak4ONFV2GsIjA3ObA=,tag:yXFhsgES74KK9o/Jqw0l4w==,type:comment] +#ENC[AES256_GCM,data:wpcsQzzU1iNX9R8QnUH9leiUHhSevQ1pRB8g,iv:C8T5N5gbmn0tZIBBjikEMFrUoBhELeOTug+Zs7EPsbg=,tag:Skn4XXsDt9+chTGz13WePw==,type:comment] +#ENC[AES256_GCM,data:G7uJLIEcCFFRigRzlnon5lrN,iv:nXepSHNIa6aoXXwxoQNZEYlhh0YrChjWnrAuhvDSmLA=,tag:80BMpjOOl6elE7DxdXp8jA==,type:comment] +#ENC[AES256_GCM,data:G1vtah0OCHMKg2s=,iv:eCBHaUoGAKGD8g0vnXDfSh/3vciA1Nc6iEGXd4SLy+E=,tag:dHsr23oRNTaA8nJVx9Mm7g==,type:comment] +#ENC[AES256_GCM,data:3xVxASFGWKH7AKtL,iv:lAAXNt51V2wqlnMUCu9fX511hxGqoo75v5ZUzvuzqVQ=,tag:4TLBVZfbaLXcjda4H8vyIg==,type:comment] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age16yxxp5lqg63zzh3s0f82lpslgc3phy6ugcqdnhh8y7fak65zrqkshjxt25 + enc: | + 
-----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArQ3Z0MUVMbDRobU4yK1hM + aVlRTnp1c1E0MmRmUHJKcm1ZV2ljV2hDNmhJCi9xcU44d21MaWpVOHM3cFA3OGI5 + clA0WWpoZSswaWpYZUZZMU9MQ3BTMVEKLS0tIEsvbnF0N2FqMWJYck53WHZkd2tp + dnVPRUlvK2FwbzZVdUJGTzRrcXpNRDgKtRwrBdnRyBtobutdQYjle/gY3lm/QFmP + gNu8Wky3g5NRtwmzyZVO77L8KrJQ3AHuJ2TQuFaVRzVGFNhR0aiTug== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-10-18T12:10:02Z" + mac: ENC[AES256_GCM,data:w/EJCD1pYmlCKAG2w+7FvEluvnJVNj6rDjTBSNr7Dv0SiMVj1eypq4Zxb47eIQsdWCJ9xqXIriPnva9IdQMDsvAD1gCTFruy2rbDcIrJSKYw99oXQXlzX/AKvZtLIZqKsMpR/i65XYuqZmu2yWZWqWBUsmtpOcMcsC1XkHR04t8=,iv:h1Xjd2ugiS37pQQ7iURkYx+v1e4KqmeNY6LYIuRKN1k=,tag:FFJmX/VC+hXqbegAfmZ6/w==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1
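Review bot: AES-GCM ciphertext is the same length as its plaintext, so the `data:` fields disclose that `DUFS_PASSWORD` is 8 bytes and `DUFS_USERNAME` 5 bytes; an 8-character password guarding a read-write file server that this patch exposes to the internet is weak unless it is fully random, so prefer a long generated value and rotate now, since its length is already public. The file has a single `age` recipient and `pgp: []`, so the SSH/`pgp` entry in `.sops.yaml` was never applied; anyone holding that one age key decrypts everything, and losing it loses every secret — add a second recipient (an `ssh-to-age` conversion of the SSH key) and run `sops updatekeys`. Key names are not encrypted by sops, so `NEXTCLOUD_DB_*` already reveals what is stored; that is acceptable here but worth knowing before adding more descriptive names.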