nomad/nixcfg
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

vps host

Browse source
This commit is contained in:
nomadics9 2024-10-18 18:25:21 +03:00
parent 37dc85fa47
commit 0310898db1
27 changed files with 939 additions and 46 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
.sops.yaml Normal file
View file

@ -0,0 +1,10 @@
keys:
- &primary age16yxxp5lqg63zzh3s0f82lpslgc3phy6ugcqdnhh8y7fak65zrqkshjxt25
- &ssh_key ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICqA7j8hk3+k0b04eDxuoUakldqKrP0aatLm+CREjFJe
creation_rules:
- path_regex: secrets/secrets.yaml$
key_groups:
- age:
- *primary
- pgp:
- *ssh_key

199
flake.lock
View file

@ -1,5 +1,46 @@
{ {
"nodes": { "nodes": {
"arion": {
"inputs": {
"flake-parts": "flake-parts",
"haskell-flake": "haskell-flake",
"hercules-ci-effects": "hercules-ci-effects",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1722825873,
"narHash": "sha256-bFNXkD+s9NuidZePiJAjjFUnsMOwXb7hEZ4JEDdSALw=",
"owner": "hercules-ci",
"repo": "arion",
"rev": "90bc85532767c785245f5c1e29ebfecb941cf8c9",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "arion",
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1729099656,
"narHash": "sha256-VftVIg7UXTy1bq+tzi1aVYOWl7PQ35IpjW88yMYjjpc=",
"owner": "nix-community",
"repo": "disko",
"rev": "d7d57edb72e54891fa67a6f058a46b2bb405663b",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"dotfiles": { "dotfiles": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -16,6 +57,86 @@
"url": "https://github.com/nomadics9/dotfiles.git" "url": "https://github.com/nomadics9/dotfiles.git"
} }
}, },
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"arion",
"nixpkgs"
]
},
"locked": {
"lastModified": 1722555600,
"narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": [
"arion",
"hercules-ci-effects",
"nixpkgs"
]
},
"locked": {
"lastModified": 1712014858,
"narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
"type": "github"
},
"original": {
"id": "flake-parts",
"type": "indirect"
}
},
"haskell-flake": {
"locked": {
"lastModified": 1675296942,
"narHash": "sha256-u1X1sblozi5qYEcLp1hxcyo8FfDHnRUVX3dJ/tW19jY=",
"owner": "srid",
"repo": "haskell-flake",
"rev": "c2cafce9d57bfca41794dc3b99c593155006c71e",
"type": "github"
},
"original": {
"owner": "srid",
"ref": "0.1.0",
"repo": "haskell-flake",
"type": "github"
}
},
"hercules-ci-effects": {
"inputs": {
"flake-parts": "flake-parts_2",
"nixpkgs": [
"arion",
"nixpkgs"
]
},
"locked": {
"lastModified": 1719226092,
"narHash": "sha256-YNkUMcCUCpnULp40g+svYsaH1RbSEj6s4WdZY/SHe38=",
"owner": "hercules-ci",
"repo": "hercules-ci-effects",
"rev": "11e4b8dc112e2f485d7c97e1cee77f9958f498f5",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "hercules-ci-effects",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -23,11 +144,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1728903686, "lastModified": 1729165983,
"narHash": "sha256-ZHFrGNWDDriZ4m8CA/5kDa250SG1LiiLPApv1p/JF0o=", "narHash": "sha256-gtcodl79t5ZbbX4TSx4RNyggasEvLdVnc/IM+RyxqJw=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "e1aec543f5caf643ca0d94b6a633101942fd065f", "rev": "78a7a070bbcc3b37cc36080c2a3514207d427b3b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -38,16 +159,16 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1728492678, "lastModified": 1725194671,
"narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=", "narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=",
"owner": "nixos", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7", "rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "NixOS",
"ref": "nixos-unstable", "ref": "nixpkgs-unstable",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@ -68,12 +189,68 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-stable_2": {
"locked": {
"lastModified": 1728156290,
"narHash": "sha256-uogSvuAp+1BYtdu6UWuObjHqSbBohpyARXDWqgI12Ss=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "17ae88b569bb15590549ff478bab6494dde4a907",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1728888510,
"narHash": "sha256-nsNdSldaAyu6PE3YUA+YQLqUDJh+gRbBooMMekZJwvI=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "a3c0b3b21515f74fd2665903d4ce6bc4dc81c77c",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"arion": "arion",
"disko": "disko",
"dotfiles": "dotfiles", "dotfiles": "dotfiles",
"home-manager": "home-manager", "home-manager": "home-manager",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs_2",
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
"lastModified": 1728345710,
"narHash": "sha256-lpunY1+bf90ts+sA2/FgxVNIegPDKCpEoWwOPu4ITTQ=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "06535d0e3d0201e6a8080dd32dbfde339b94f01b",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
} }
} }
}, },

48
flake.nix
View file

@ -8,6 +8,16 @@
url = "github:nix-community/home-manager"; url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs"; # Pin sops-nix to follow nixpkgs
};
arion = {
url = "github:hercules-ci/arion";
inputs.nixpkgs.follows = "nixpkgs";
};
disko.url = "github:nix-community/disko";
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.11"; nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.11";
@ -19,7 +29,7 @@
outputs = { self, home-manager, nixpkgs, dotfiles, ... }@inputs: outputs = { self, home-manager, nixpkgs, dotfiles, sops-nix, arion, disko, ... }@inputs:
let let
inherit (self) outputs; inherit (self) outputs;
systems = [ systems = [
@ -31,23 +41,51 @@
]; ];
forAllSystems = nixpkgs.lib.genAttrs systems; forAllSystems = nixpkgs.lib.genAttrs systems;
user = "nomad"; user = "nomad";
hostname = "unkown"; hostname = "vps";
in in
{ {
packages = packages =
forAllSystems (system: import ./pkgs nixpkgs.legacyPackages.${system}); forAllSystems (system: import ./pkgs nixpkgs.legacyPackages.${system});
overlays = import ./overlays { inherit inputs; }; overlays = import ./overlays { inherit inputs; };
nixosConfigurations = { nixosConfigurations = {
${hostname} = nixpkgs.lib.nixosSystem {
unkown = nixpkgs.lib.nixosSystem {
specialArgs = { inherit inputs outputs user hostname; }; specialArgs = { inherit inputs outputs user hostname; };
modules = [ ./hosts/${hostname} ]; modules = [
./hosts/${hostname}
sops-nix.nixosModules.sops
arion.nixosModules.arion
];
};
homelab = nixpkgs.lib.nixosSystem {
specialArgs = { inherit inputs outputs user; };
modules = [
./hosts/homelab
arion.nixosModules.arion
disko.nixosModules.disko
sops-nix.nixosModules.sops
];
};
vps = nixpkgs.lib.nixosSystem {
specialArgs = { inherit inputs outputs user; };
modules = [
./hosts/vps
arion.nixosModules.arion
disko.nixosModules.disko
sops-nix.nixosModules.sops
];
}; };
}; };
homeConfigurations = { homeConfigurations = {
"${user}@${hostname}" = home-manager.lib.homeManagerConfiguration { "${user}@${hostname}" = home-manager.lib.homeManagerConfiguration {
pkgs = nixpkgs.legacyPackages."x86_64-linux"; pkgs = nixpkgs.legacyPackages."x86_64-linux";
extraSpecialArgs = { inherit inputs outputs user; }; extraSpecialArgs = { inherit inputs outputs user; };
modules = [ ./home/${user}/${hostname}.nix ]; modules = [
./home/${user}/${hostname}.nix
];
}; };
}; };
}; };

6
home/common/default.nix
View file

@ -29,7 +29,11 @@
nix = { nix = {
package = lib.mkDefault pkgs.nix; package = lib.mkDefault pkgs.nix;
settings = { settings = {
experimental-features = [ "nix-command" "flakes" "repl-flake" ]; experimental-features = [
"nix-command"
"flakes"
#"repl-flake"
];
warn-dirty = false; warn-dirty = false;
}; };
}; };

1
home/features/cli/default.nix
View file

@ -22,6 +22,5 @@
zip zip
exiftool exiftool
nvtopPackages.full nvtopPackages.full
cava
]; ];
} }

7
home/nomad/dotfiles/nvim.nix Normal file
View file

@ -0,0 +1,7 @@
{ inputs, ... }:
{
home.file.".config/nvim" = {
source = "${inputs.dotfiles}/nvim";
recursive = true;
};
}

2
home/nomad/unkown.nix
View file

@ -5,7 +5,7 @@
../features/cli ../features/cli
../features/desktop ../features/desktop
../features/themes ../features/themes
./home.nix ./unkown/home.nix
]; ];
features = { features = {

9
home/nomad/home.nix → home/nomad/unkown/home.nix
View file

@ -2,7 +2,7 @@
# #
# home-manager init ./ # home-manager init ./
{ config, lib, pkgs, user, ... }: { config, lib, pkgs, user, inputs, ... }:
{ {
home.username = lib.mkDefault user; home.username = lib.mkDefault user;
@ -22,6 +22,7 @@
# Essentials # Essentials
kitty kitty
firefox firefox
google-chrome
# Apps # Apps
vlc vlc
amberol amberol
@ -118,13 +119,13 @@
MOZ_DRM_DEVICE = "/dev/dri/card0:/dev/dri/card1"; MOZ_DRM_DEVICE = "/dev/dri/card0:/dev/dri/card1";
WLR_DRM_DEVICES = "/dev/dri/card0:/dev/dri/card1"; WLR_DRM_DEVICES = "/dev/dri/card0:/dev/dri/card1";
#WLR_NO_HARDWARE_CURSORS = "1"; # if no cursor,uncomment this line #WLR_NO_HARDWARE_CURSORS = "1"; # if no cursor,uncomment this line
GBM_BACKEND = "nvidia-drm"; #GBM_BACKEND = "nvidia-drm";
CLUTTER_BACKEND = "wayland"; CLUTTER_BACKEND = "wayland";
LIBVA_DRIVER_NAME = "iHD"; LIBVA_DRIVER_NAME = "iHD";
WLR_RENDERER = "vulkan"; WLR_RENDERER = "vulkan";
VK_DRIVER_FILES = "/run/opengl-driver/share/vulkan/icd.d/nvidia_icd.x86_64.json"; VK_DRIVER_FILES = "/run/opengl-driver/share/vulkan/icd.d/nvidia_icd.x86_64.json";
__GLX_VENDOR_LIBRARY_NAME = "nvidia"; #__GLX_VENDOR_LIBRARY_NAME = "nvidia";
__NV_PRIME_RENDER_OFFLOAD = "1"; #__NV_PRIME_RENDER_OFFLOAD = "1";
XDG_CURRENT_DESKTOP = "Hyprland"; XDG_CURRENT_DESKTOP = "Hyprland";
XDG_SESSION_DESKTOP = "Hyprland"; XDG_SESSION_DESKTOP = "Hyprland";
XDG_SESSION_TYPE = "wayland"; XDG_SESSION_TYPE = "wayland";

17
home/nomad/vps.nix Normal file
View file

@ -0,0 +1,17 @@
{
imports = [
../common
./dotfiles/nvim.nix
../features/cli
./vps/home.nix
];
features = {
cli = {
zsh.enable = true;
fzf.enable = true;
neofetch.enable = true;
};
};
}

28
home/nomad/vps/home.nix Normal file
View file

@ -0,0 +1,28 @@
{ config, lib, pkgs, user, ... }:
{
home.username = lib.mkDefault user;
home.homeDirectory = lib.mkDefault "/home/${config.home.username}";
home.stateVersion = "24.05";
home.packages = with pkgs; [
tailscale
htop
bun
lua-language-server
kitty
];
home.file = { };
home.sessionVariables = {
EDITOR = "nvim";
XDG_CACHE_HOME = "${config.home.homeDirectory}/.cache";
XDG_CONFIG_HOME = "${config.home.homeDirectory}/.config";
XDG_BIN_HOME = "${config.home.homeDirectory}/.nix-profile/bin";
XDG_DATA_HOME = "${config.home.homeDirectory}/.local/share";
};
# Let Home Manager install and manage itself.
programs.home-manager.enable = true;
}

2
hosts/common/default.nix
View file

@ -4,6 +4,8 @@
imports = [ imports = [
./users ./users
./services ./services
./homelab
./vps
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
]; ];

1
hosts/common/services/default.nix
View file

@ -1,7 +1,6 @@
{ {
imports = [ imports = [
./vm.nix ./vm.nix
./vfio.nix
./steam.nix ./steam.nix
./polkit.nix ./polkit.nix
./appimage.nix ./appimage.nix

74
hosts/common/users/nomad.nix
View file

@ -4,26 +4,62 @@
, user , user
, ... , ...
}: { }: {
users.users.${user} = { users.users = {
initialPassword = "4321"; ${user} = {
isNormalUser = true; initialPassword = "4321";
shell = pkgs.zsh; isNormalUser = true;
description = "${user}"; shell = pkgs.zsh;
extraGroups = [ description = "${user}";
"wheel" extraGroups = [
"networkmanager" "wheel"
"libvirtd" "networkmanager"
"flatpak" "libvirtd"
"audio" "flatpak"
"video" "audio"
"plugdev" "video"
"input" "plugdev"
"kvm" "input"
"qemu-libvirtd" "kvm"
"docker" "qemu-libvirtd"
]; "docker"
packages = [ inputs.home-manager.packages.${pkgs.system}.default ]; "key"
];
packages = [ inputs.home-manager.packages.${pkgs.system}.default ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICqA7j8hk3+k0b04eDxuoUakldqKrP0aatLm+CREjFJe"
];
};
root = {
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICqA7j8hk3+k0b04eDxuoUakldqKrP0aatLm+CREjFJe"
];
extraGroups = [ "key" ];
};
}; };
# Decrypt the secrets file using sops-nix with age
sops.secrets = {
DUFS_USERNAME = { };
DUFS_PASSWORD = { };
NEXTCLOUD_DB_USERNAME = { };
NEXTCLOUD_DB_PASSWORD = { };
NEXTCLOUD_DB = { };
};
sops.templates."my-env.env".content = ''
DUFS_USERNAME = "${config.sops.placeholder.DUFS_USERNAME}"
DUFS_PASSWORD = "${config.sops.placeholder.DUFS_PASSWORD}"
NEXTCLOUD_DB_USERNAME = "${config.sops.placeholder.NEXTCLOUD_DB_USERNAME}"
NEXTCLOUD_DB_PASSWORD = "${config.sops.placeholder.NEXTCLOUD_DB_PASSWORD}"
NEXTCLOUD_DB = "${config.sops.placeholder.NEXTCLOUD_DB}"
'';
users.users = { };
programs.zsh.enable = true; programs.zsh.enable = true;
home-manager.users.${user} = home-manager.users.${user} =
import ../../../home/${user}/${config.networking.hostName}.nix; import ../../../home/${user}/${config.networking.hostName}.nix;

10
hosts/common/vps/default.nix Normal file
View file

@ -0,0 +1,10 @@
{
imports = [
./dufs.nix
./nextcloud.nix
./pairdrop.nix
./syncthing.nix
./vpn.nix
];
}

43
hosts/common/vps/dufs.nix Normal file
View file

@ -0,0 +1,43 @@
{ config, lib, pkgs, user, ... }:
with lib;
let
dufsService = {
project.name = "dufs";
services = {
dufs = {
service.image = "sigoden/dufs:latest";
service.ports = [
"5000:5000"
];
service.volumes = [
"${config.users.users.${user}.home}/dockers/dufs/data:/data"
];
service.command = [
"/data"
"-a"
"???:???@/:rw"
"-A"
"-a"
"@/p"
];
service.env_file = [ "${config.sops.templates."my-env.env".path}" ];
};
};
};
in
{
options.vps.dufs.enable = mkEnableOption " Enable DUFS service ";
config = mkIf config.vps.dufs.enable {
virtualisation.arion = {
backend = "docker";
projects.dufs = {
serviceName = "dufs";
settings = dufsService;
};
};
};
}

63
hosts/common/vps/nextcloud.nix Normal file
View file

@ -0,0 +1,63 @@
{ config, lib, pkgs, user, ... }:
with lib;
let
nextcloudService = {
project.name = "nextcloud";
services = {
nextcloud = {
service = {
image = "lscr.io/linuxserver/nextcloud:latest";
environment = {
PUID = "1000"; # User ID
PGID = "1000"; # Group ID
TZ = "Asia/Kuwait"; # Time zone
};
volumes = [
"/home/${user}/dockers/nextcloud/config:/config" # Config path
"/home/${user}/dockers/nextcloud/data:/data" # Data path
"/home/${user}/dockers/nextcloud/postgres_data:/var/lib/postgresql/data" # PostgreSQL data path
];
ports = [
"4400:443"
];
restart = "unless-stopped";
networks = [ "nextcloud_network" ];
env_file = [ "${config.sops.templates."my-env.env".path}" ];
};
};
nextcloud-postgres = {
service = {
image = "postgres:latest";
environment = {
POSTGRES_USER = "$NEXTCLOUD_DB_USER";
POSTGRES_PASSWORD = "$NEXTCLOUD_DB_PASSWORD";
POSTGRES_DB = "$NEXTCLOUD_DB";
};
ports = [
"5432:5432"
];
volumes = [
"/home/${user}/dockers/nextcloud/pgdata:/var/lib/postgresql/data"
];
env_file = [ "${config.sops.templates."my-env.env".path}" ]; #idk why the image isnt reading this file. will fix later
networks = [ "nextcloud_network" ];
};
};
};
};
in
{
options.vps.nextcloud.enable = mkEnableOption "Enable Nextcloud service for VPS";
config = mkIf config.vps.nextcloud.enable {
virtualisation.arion = {
backend = "docker";
projects.nextcloud = {
serviceName = "nextcloud";
settings = nextcloudService;
};
};
};
}

42
hosts/common/vps/pairdrop.nix Normal file
View file

@ -0,0 +1,42 @@
{ config, lib, pkgs, ... }:
with lib;
let
pairdropService = {
project.name = "pairdrop";
services = {
pairdrop = {
service = {
image = "lscr.io/linuxserver/pairdrop:latest";
environment = {
PUID = "1000"; # User ID
PGID = "1000"; # Group ID
TZ = "Asia/Kuwait"; # Time zone
RATE_LIMIT = "false"; # Optional
WS_FALLBACK = "false"; # Optional
RTC_CONFIG = ""; # Optional
DEBUG_MODE = "false"; # Optional
};
ports = [
"3000:3000"
];
restart = "unless-stopped";
};
};
};
};
in
{
options.vps.pairdrop.enable = mkEnableOption "Enable Pairdrop service";
config = mkIf config.vps.pairdrop.enable {
virtualisation.arion = {
backend = "docker";
projects.pairdrop = {
serviceName = "pairdrop";
settings = pairdropService;
};
};
};
}

44
hosts/common/vps/syncthing.nix Normal file
View file

@ -0,0 +1,44 @@
{ config, lib, pkgs, user, ... }:
with lib;
let
syncthingService = {
project.name = "syncthing";
services = {
syncthing = {
service = {
image = "syncthing/syncthing:latest";
hostname = "NixOS-syncthing";
environment = {
PUID = "1000"; # User ID
PGID = "1000"; # Group ID
};
volumes = [
"/home/${user}/dockers/syncthing:/var/syncthing" # Adjust the path as necessary
];
ports = [
"8384:8384" # Web UI
"22000:22000/tcp" # TCP file transfers
"22000:22000/udp" # QUIC file transfers
"21027:21027/udp" # Receive local discovery broadcasts
];
restart = "unless-stopped";
};
};
};
};
in
{
options.vps.syncthing.enable = mkEnableOption "Enable Syncthing service on VPS";
config = mkIf config.vps.syncthing.enable {
virtualisation.arion = {
backend = "docker";
projects.syncthing = {
serviceName = "syncthing";
settings = syncthingService;
};
};
};
}

56
hosts/common/vps/vpn.nix Normal file
View file

@ -0,0 +1,56 @@
{ config, lib, pkgs, user, ... }:
with lib;
let
wgEasyService = {
project.name = "vpn";
services = {
wgEasy = {
service = {
image = "ghcr.io/wg-easy/wg-easy:latest";
environment = {
LANG = "en";
WG_HOST = "vpn.nmd.mov"; # Change to your host's public address
PASSWORD_HASH = "$$2a$$12$$fnnv.bDGodZEiIK4wBxA8u2K2Qc99BCjD72jmylBFooFEVFgtQ2ma"; # Replace with your hash
PORT = "51821";
WG_DEFAULT_DNS = "1.1.1.1";
UI_TRAFFIC_STATS = "true";
UI_CHART_TYPE = "1"; # Line chart
UI_ENABLE_SORT_CLIENTS = "true";
};
volumes = [
"/home/${user}/dockers/wg-easy/etc_wireguard:/etc/wireguard" # Adjust the path as necessary
];
ports = [
"51820:51820/udp"
"51821:51821/tcp"
];
restart = "unless-stopped";
capabilities = {
NET_ADMIN = true;
SYS_MODULE = true;
# "NET_RAW" # Uncomment if using Podman
};
sysctls = {
"net.ipv4.ip_forward" = 1;
"net.ipv4.conf.all.src_valid_mark" = 1;
};
};
};
};
};
in
{
options.vps.vpn.enable = mkEnableOption "Enable WG-Easy service on VPS";
config = mkIf config.vps.vpn.enable {
virtualisation.arion = {
backend = "docker";
projects.vpn = {
serviceName = "vpn";
settings = wgEasyService;
};
};
};
}

10
hosts/unkown/configuration.nix
View file

@ -1,4 +1,4 @@
{ pkgs, hostname, ... }: { { pkgs, hostname, inputs, user, ... }: {
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
@ -21,7 +21,7 @@
common.services.nautilus.enable = true; common.services.nautilus.enable = true;
# Virtual Box (Virt-Manager) and GPU Passthru. you have to configure hosts/services/vfio.nix for passthrough to work! # Virtual Box (Virt-Manager) and GPU Passthru. you have to configure hosts/services/vfio.nix for passthrough to work!
common.services.vm.enable = true; common.services.vm.enable = true;
common.services.vfio.enable = false; #common.services.vfio.enable = false;
# AppStores # AppStores
common.services.appimage.enable = true; common.services.appimage.enable = true;
common.services.steam.enable = true; common.services.steam.enable = true;
@ -37,6 +37,12 @@
# Ntfs support # Ntfs support
boot.supportedFilesystems = [ "ntfs" ]; boot.supportedFilesystems = [ "ntfs" ];
sops = {
age.keyFile = "/etc/nixos/sops/age/keys.txt";
defaultSopsFile = ../../secrets/secrets.yaml;
defaultSopsFormat = "yaml";
};
# Enable GDM Login Manager # Enable GDM Login Manager

1
hosts/unkown/hardware-configuration.nix
View file

@ -12,7 +12,6 @@
boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" ]; boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" =
{ {

132
hosts/vps/configuration.nix Normal file
View file

@ -0,0 +1,132 @@
{ pkgs, hostname, user, lib, ... }: {
imports = [
./hardware-configuration.nix
];
hardware.disko.enable = true;
programs.nix-ld.enable = true;
common.services.appimage.enable = true;
systemd.services.arion = {
enable = true;
serviceConfig = {
Restart = "on-failure";
};
};
vps = {
dufs.enable = true;
nextcloud.enable = false;
pairdrop.enable = true;
syncthing.enable = true;
vpn.enable = true;
};
sops = {
age.keyFile = "/etc/nixos/sops/age/keys.txt";
defaultSopsFile = ../../secrets/secrets.yaml;
defaultSopsFormat = "yaml";
};
services.caddy = {
enable = true;
extraConfig = ''
fs.nmd.mov {
reverse_proxy localhost:5000
}
vpn.nmd.mov {
reverse_proxy localhost:51821
}
s.nmd.mov {
reverse_proxy localhost:8384
}
drop.nmd.mov {
reverse_proxy localhost:3000
}
dot.nmd.mov {
reverse_proxy localhost:4400
}
'';
};
networking.useDHCP = lib.mkForce false;
services.cloud-init = {
enable = true;
network.enable = true;
};
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "yes";
PasswordAuthentication = false;
};
};
boot.loader.grub = {
efiSupport = true;
efiInstallAsRemovable = true;
};
networking.hostName = "vps";
time.timeZone = "Asia/Kuwait";
i18n.defaultLocale = "en_US.UTF-8";
i18n.extraLocaleSettings = {
LC_ADDRESS = "en_GB.UTF-8";
LC_IDENTIFICATION = "en_GB.UTF-8";
LC_MEASUREMENT = "en_GB.UTF-8";
LC_MONETARY = "en_GB.UTF-8";
LC_NAME = "en_GB.UTF-8";
LC_NUMERIC = "en_GB.UTF-8";
LC_PAPER = "en_GB.UTF-8";
LC_TELEPHONE = "en_GB.UTF-8";
LC_TIME = "en_GB.UTF-8";
};
services.printing.enable = false;
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [
neovim
git
zsh
arion
sops
];
networking.firewall.enable = false;
networking.firewall.allowedTCPPorts = [
22
80
443
5000
4400
3000
8384
22000
51821
];
networking.firewall.allowedUDPPorts = [
22000
21027
51820
];
system.stateVersion = "24.05";
}

47
hosts/vps/default.nix Normal file
View file

@ -0,0 +1,47 @@
# A staring point is the basic NIXOS configuration generated by the ISO installer.
# On an existing NIXOS install you can use the following command in your flakes basedir:
# sudo nixos-generate-config --dir ./hosts/your-host
#
# Please make sure to change the first couple of lines in your configuration.nix:
# { config, inputs, ouputs, lib, pkgs, user, ... }:
{
# imports = [ # Include the results of the hardware scan.
# ./hardware-configuration.nix
# inputs.home-manager.nixosModules.home-manager
# ];
#
# # ...
#
# Moreover please update the packages option in your user configuration and add the home-manager options:
# users.users = {
# ${user} = {
# isNormalUser = true;
# initialPassword = "4321";
# extraGroups = [ "wheel" ]; # Enable sudo for the user.
# packages = [ inputs.home-manager.packages.${pkgs.system}.default ];
# };
# };
# home-manager = {
# useUserPackages = true;
# extraSpecialArgs = { inherit inputs outputs; };
# users.${user} =
# import ../../home/${user}/${config.networking.hostName}.nix;
# };
# Please also change your hostname accordingly:
#:w
# networking.hostName = "unkown"; # Define your hostname.
imports = [
../common
./hardware
./configuration.nix
];
}

26
hosts/vps/hardware-configuration.nix Normal file
View file

@ -0,0 +1,26 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
#networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens3.useDHCP = lib.mkDefault true;
# networking.interfaces.ens4.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

6
hosts/vps/hardware/default.nix Normal file
View file

@ -0,0 +1,6 @@
{
imports = [
./disko.nix
];
}

68
hosts/vps/hardware/disko.nix Normal file
View file

@ -0,0 +1,68 @@
{ config
, lib
, pkgs
, ...
}:
with lib; let
cfg = config.hardware.disko;
in
{
options.hardware.disko.enable = mkEnableOption "disko harddrives";
config = mkIf cfg.enable {
disko.devices = {
disk.disk1 = {
device = lib.mkDefault "/dev/vda";
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
name = "boot";
size = "1M";
type = "EF02";
};
esp = {
name = "ESP";
size = "500M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
root = {
name = "root";
size = "100%";
content = {
type = "lvm_pv";
vg = "pool";
};
};
};
};
};
lvm_vg = {
pool = {
type = "lvm_vg";
lvs = {
root = {
size = "100%FREE";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
mountOptions = [
"defaults"
];
};
};
};
};
};
};
};
}

33
secrets/secrets.yaml Normal file
View file

@ -0,0 +1,33 @@
DUFS_USERNAME: ENC[AES256_GCM,data:3RsFcVo=,iv:y0VLlbBA6HT3yXa3O0G4xy3OJE1gGNvul0ZktxQd7w4=,tag:cFT59GgF+1q0XK4UELXMuA==,type:str]
DUFS_PASSWORD: ENC[AES256_GCM,data:dHoGsIXMDuA=,iv:lhw9IfvifOPFyRflcsk/HguwayHgrDShwQr5MMOGITc=,tag:VfFpQylAhXTok79u9wwi4Q==,type:str]
NEXTCLOUD_DB_USERNAME: ENC[AES256_GCM,data:785HjW3Z2gNRJv6fzA==,iv:Lsh04lUtJm0Aufw5zH+UmL/98D47Lue/A/JDKi304G8=,tag:7QnY25N3a8rVXG7u8o8pVw==,type:str]
NEXTCLOUD_DB_PASSWORD: ENC[AES256_GCM,data:exumoIY6Um/Y2JuKx+RHGHEOjj03,iv:i4sx8Pa3tV7wDMR8EgtMXidsz/tvVBaMIkpv9ohPavw=,tag:zqt2ukTq8gjOT8RssMu5OQ==,type:str]
NEXTCLOUD_DB: ENC[AES256_GCM,data:RduFtc85u9sTTZg=,iv:AZoA7CvVyxfpXTi4BTVPlwJGbFLLOTkF0JiMN+smFGA=,tag:MNjL/Jl3EInrKXRqTq/TAg==,type:str]
#ENC[AES256_GCM,data:4q3pEXswuO/X37NbzpKwEA==,iv:1HMEgmtyOeTQ0PSWmkBS9sItAaM2SI5+N7NNlhC83kQ=,tag:bRxjHkvPMNIEsOEB8uqcxw==,type:comment]
#ENC[AES256_GCM,data:tIG7zbWpyrVFdxSFMQKe,iv:uBQyygtmRvSyqA7lY+k+RkPjFc42ZHpOJ2xfWve7S5I=,tag:kxqAmOOsYcjd8/OyZ4/XEA==,type:comment]
#ENC[AES256_GCM,data:bRXt/JXa2tTCCaDh63T/ObOlp2RX,iv:VbgRCu+bgc6uCqbipoFP3KFY6BkuBQlwr6kjzAFhSew=,tag:BqJhaygo7C/vuviiKIxPwg==,type:comment]
#ENC[AES256_GCM,data:8D6evYfOld7GzZt7je/r0ItK0QNW,iv:LFnGgoGG4aNZCjrdGLje4WKPEGak4ONFV2GsIjA3ObA=,tag:yXFhsgES74KK9o/Jqw0l4w==,type:comment]
#ENC[AES256_GCM,data:wpcsQzzU1iNX9R8QnUH9leiUHhSevQ1pRB8g,iv:C8T5N5gbmn0tZIBBjikEMFrUoBhELeOTug+Zs7EPsbg=,tag:Skn4XXsDt9+chTGz13WePw==,type:comment]
#ENC[AES256_GCM,data:G7uJLIEcCFFRigRzlnon5lrN,iv:nXepSHNIa6aoXXwxoQNZEYlhh0YrChjWnrAuhvDSmLA=,tag:80BMpjOOl6elE7DxdXp8jA==,type:comment]
#ENC[AES256_GCM,data:G1vtah0OCHMKg2s=,iv:eCBHaUoGAKGD8g0vnXDfSh/3vciA1Nc6iEGXd4SLy+E=,tag:dHsr23oRNTaA8nJVx9Mm7g==,type:comment]
#ENC[AES256_GCM,data:3xVxASFGWKH7AKtL,iv:lAAXNt51V2wqlnMUCu9fX511hxGqoo75v5ZUzvuzqVQ=,tag:4TLBVZfbaLXcjda4H8vyIg==,type:comment]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age16yxxp5lqg63zzh3s0f82lpslgc3phy6ugcqdnhh8y7fak65zrqkshjxt25
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArQ3Z0MUVMbDRobU4yK1hM
aVlRTnp1c1E0MmRmUHJKcm1ZV2ljV2hDNmhJCi9xcU44d21MaWpVOHM3cFA3OGI5
clA0WWpoZSswaWpYZUZZMU9MQ3BTMVEKLS0tIEsvbnF0N2FqMWJYck53WHZkd2tp
dnVPRUlvK2FwbzZVdUJGTzRrcXpNRDgKtRwrBdnRyBtobutdQYjle/gY3lm/QFmP
gNu8Wky3g5NRtwmzyZVO77L8KrJQ3AHuJ2TQuFaVRzVGFNhR0aiTug==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-18T12:10:02Z"
mac: ENC[AES256_GCM,data:w/EJCD1pYmlCKAG2w+7FvEluvnJVNj6rDjTBSNr7Dv0SiMVj1eypq4Zxb47eIQsdWCJ9xqXIriPnva9IdQMDsvAD1gCTFruy2rbDcIrJSKYw99oXQXlzX/AKvZtLIZqKsMpR/i65XYuqZmu2yWZWqWBUsmtpOcMcsC1XkHR04t8=,iv:h1Xjd2ugiS37pQQ7iURkYx+v1e4KqmeNY6LYIuRKN1k=,tag:FFJmX/VC+hXqbegAfmZ6/w==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1