servius/dotfiles
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

feat: Added tako

Browse Source
This commit is contained in:
uttarayan21
2025-11-26 18:15:12 +05:30
parent 58594d582b
commit b5399c5cc8
51 changed files with 1922 additions and 4307 deletions
Download Patch File Download Diff File Expand all files Collapse all files

186
nixos/tako/configuration.nix Normal file
View File

@@ -0,0 +1,186 @@
{
config,
pkgs,
device,
...
}: {
imports = [
# Include the results of the hardware scan.
./services
./tako.nix
# ./docker.nix
];
virtualisation.docker.enable = true;
# virtualisation.podman = {
# enable = true;
# dockerSocket.enable = true;
# defaultNetwork.dnsname.enable = true;
# };
users.extraUsers.${device.user}.extraGroups = ["docker"];
environment.systemPackages = with pkgs; [
arion
];
security.sudo.wheelNeedsPassword = false;
sops = {
secrets."builder/tako/cache/private" = {};
secrets.users = {
sopsFile = ../../secrets/users.yaml;
format = "yaml";
key = "";
};
};
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
nix = {
settings = {
max-jobs = 1;
cores = 8;
auto-optimise-store = true;
extra-experimental-features = "nix-command flakes auto-allocate-uids";
trusted-users = ["root" "fs0c131y" "remotebuilder"];
trusted-substituters = [
"https://nix-community.cachix.org"
"https://nixos-raspberrypi.cachix.org"
# "https://sh.darksailor.dev"
];
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"nixos-raspberrypi.cachix.org-1:4iMO9LXa8BqhU+Rpg6LQKiGa2lsNh/j2oiYLNOQ5sPI="
# "tako:bcVPoFGBZ0i7JAKMXIqLj2GY3CulLC4kP7rQyqes1RM="
];
};
extraOptions = ''
build-users-group = nixbld
extra-nix-path = nixpkgs=flake:nixpkgs
builders-use-substitutes = true
secret-key-files = ${config.sops.secrets."builder/tako/cache/private".path}
'';
gc = {
automatic = true;
dates = "daily";
options = "--delete-older-than 5d";
};
package = pkgs.nixVersions.nix_2_31; # deploy-rs doesn't work with nix >= 2.32
distributedBuilds = true;
};
users.users.fs0c131y = {
isNormalUser = true;
extraGroups = ["wheel" "docker" "media"];
openssh.authorizedKeys.keyFiles = [
../../secrets/id_ed25519.pub
../../secrets/id_ios.pub
];
};
users.users.remotebuilder = {
isNormalUser = true;
openssh.authorizedKeys.keyFiles = [
../../secrets/id_ed25519.pub
];
};
users.groups.media = {};
nixpkgs.config.allowUnfree = true;
networking.hostName = "tako"; # Define your hostname.
# Pick only one of the below networking options.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
# Set your time zone.
time.timeZone = "Europe/Helsinki";
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Select internationalisation properties.
# i18n.defaultLocale = "en_US.UTF-8";
# console = {
# font = "Lat2-Terminus16";
# keyMap = "us";
# useXkbConfig = true; # use xkb.options in tty.
# };
# Enable the X11 windowing system.
# services.xserver.enable = true;
# Configure keymap in X11
# services.xserver.xkb.layout = "us";
# services.xserver.xkb.options = "eurosign:e,caps:escape";
# Enable CUPS to print documents.
# services.printing.enable = true;
# Enable sound.
# hardware.pulseaudio.enable = true;
# OR
# services.pipewire = {
# enable = true;
# pulse.enable = true;
# };
# Enable touchpad support (enabled default in most desktopManager).
# services.libinput.enable = true;
# Define a user account. Don't forget to set a password with passwd.
# users.users.alice = {
# isNormalUser = true;
# extraGroups = [ "wheel" ]; # Enable sudo for the user.
# packages = with pkgs; [
# firefox
# tree
# ];
# };
# List packages installed in system profile. To search, run:
# $ nix search wget
# environment.systemPackages = with pkgs; [
# vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
# wget
# ];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# List services that you want to enable:
# Enable the OpenSSH daemon.
services.openssh.enable = true;
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [22 80 443];
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# system.copySystemConfiguration = true;
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#
# Most users should NEVER change this value after the initial install, for any reason,
# even if you've upgraded your system to a new NixOS release.
#
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
# to actually do that.
#
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.
#
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
# and migrated your data accordingly.
#
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "24.11"; # Did you read the comment?
}

96
nixos/tako/disk-config.nix Normal file
View File

@@ -0,0 +1,96 @@
{...}: {
disko.devices = {
disk = {
one = {
type = "disk";
device = "/dev/nvme0n1";
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
size = "1G";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = ["umask=0077"];
};
};
primary = {
size = "100%";
content = {
type = "lvm_pv";
vg = "pool";
};
};
};
};
};
two = {
type = "disk";
device = "/dev/nvme1n1";
content = {
type = "gpt";
partitions = {
primary = {
size = "100%";
content = {
type = "lvm_pv";
vg = "pool";
};
};
};
};
};
};
lvm_vg = {
pool = {
type = "lvm_vg";
lvs = {
root = {
size = "64G";
lvm_type = "mirror";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
mountOptions = [
"defaults"
];
};
};
nix = {
size = "256G";
lvm_type = "raid0";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/nix";
};
};
home = {
size = "256G";
lvm_type = "raid0";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/home";
};
};
media = {
size = "100%";
lvm_type = "raid0";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/media";
};
};
};
};
};
};
}

69
nixos/tako/docker.nix Normal file
View File

@@ -0,0 +1,69 @@
{
config,
lib,
pkgs,
...
}: {
# virtualisation = {
# docker.enable = true;
# podman.enable = true;
# oci-containers = {
# backend = "podman";
# containers.homeassistant = {
# volumes = ["home-assistant:/config"];
# environment.TZ = "Asia/Kolkata";
# image = "ghcr.io/home-assistant/home-assistant:stable"; # Warning: if the tag does not change, the image will not be updated
# extraOptions = [
# "--network=ha-net"
# ];
# };
# };
# };
# networking.firewall.allowedTCPPorts = [8123];
# environment.systemPackages = with pkgs; [
# docker
# podman
# ];
# services.caddy = {
# enable = true;
# virtualHosts."home.darksailor.dev".extraConfig = ''
# reverse_proxy localhost:8123
# '';
# };
# containers.llama = {
# autoStart = true;
# privateNetwork = true;
# hostAddress = "192.168.100.10";
# localAddress = "192.168.100.11";
# hostAddress6 = "fc00::1";
# localAddress6 = "fc00::2";
# config = {
# config,
# pkgs,
# libs,
# ...
# }: {
# system.stateVersion = "24.11";
# networking = {
# firewall = {
# enable = true;
# allowedTCPPorts = [4000];
# };
# # Use systemd-resolved inside the container
# # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
# useHostResolvConf = lib.mkForce false;
# };
# services.resolved.enable = true;
# services.llama-cpp = {
# enable = true;
# host = "127.0.0.1";
# port = 4000;
# model = builtins.fetchurl {
# name = "qwen_2.5.1_coder_7b_instruct_gguf";
# sha256 = "61834b88c1a1ce5c277028a98c4a0c94a564210290992a7ba301bbef96ef8eba";
# url = "https://huggingface.co/bartowski/Qwen2.5.1-Coder-7B-Instruct-GGUF/resolve/main/Qwen2.5.1-Coder-7B-Instruct-Q8_0.gguf?download=true";
# };
# };
# };
# };
}

17
nixos/tako/services/attic.nix Normal file
View File

@@ -0,0 +1,17 @@
{...}: {
services = {
atticd = {
enable = false;
listen = "/run/attic.sock";
};
caddy = {
virtualHosts."cache.darksailor.dev".extraConfig = ''
reverse_proxy /run/attic.sock {
transport http {
protocol = "fd"
}
}
'';
};
};
}

13
nixos/tako/services/atuin.nix Normal file
View File

@@ -0,0 +1,13 @@
{...}: {
services = {
atuin = {
enable = true;
openRegistration = false;
};
caddy = {
virtualHosts."atuin.darksailor.dev".extraConfig = ''
reverse_proxy localhost:8888
'';
};
};
}

107
nixos/tako/services/authelia.nix Normal file
View File

@@ -0,0 +1,107 @@
{config, ...}: {
sops = {
secrets = let
user = config.systemd.services.authelia-darksailor.serviceConfig.User;
in {
"authelia/servers/darksailor/jwtSecret".owner = user;
"authelia/servers/darksailor/storageEncryptionSecret".owner = user;
"authelia/servers/darksailor/sessionSecret".owner = user;
"authelia/users/servius".owner = user;
"lldap/users/authelia".owner = user;
users.owner = user;
"authelia/oidc/jwks".owner = user;
};
};
services = {
authelia = {
instances.darksailor = {
enable = true;
settings = {
authentication_backend = {
password_reset.disable = false;
password_change.disable = false;
ldap = {
address = "ldap://localhost:389";
timeout = "5s";
base_dn = "dc=darksailor,dc=dev";
user = "cn=authelia,ou=people,dc=darksailor,dc=dev";
users_filter = "(&({username_attribute}={input})(objectClass=person))";
groups_filter = "(&(member={dn})(objectClass=groupOfNames))";
additional_users_dn = "OU=people";
additional_groups_dn = "OU=groups";
};
};
session = {
cookies = [
{
domain = "darksailor.dev";
authelia_url = "https://auth.darksailor.dev";
name = "authelia_session";
}
];
};
access_control = {
default_policy = "one_factor";
rules = let
bypass_api = domain: [
{
inherit domain;
policy = "bypass";
resources = [
"^/api([/?].*)?$"
];
}
{
inherit domain;
policy = "one_factor";
}
];
in
(bypass_api "sonarr.tsuba.darksailor.dev")
++ (bypass_api "radarr.tsuba.darksailor.dev")
++ (bypass_api "lidarr.tsuba.darksailor.dev")
++ (bypass_api "bazarr.tsuba.darksailor.dev")
++ (bypass_api "prowlarr.tsuba.darksailor.dev");
};
storage = {
local = {
path = "/var/lib/authelia-darksailor/authelia.sqlite3";
};
};
theme = "dark";
notifier.filesystem.filename = "/var/lib/authelia-darksailor/authelia-notifier.log";
server = {
address = "0.0.0.0:5555";
endpoints.authz = {
forward-auth = {
implementation = "ForwardAuth";
};
auth-request = {
implementation = "AuthRequest";
};
};
};
};
secrets = {
jwtSecretFile = config.sops.secrets."authelia/servers/darksailor/jwtSecret".path;
storageEncryptionKeyFile = config.sops.secrets."authelia/servers/darksailor/storageEncryptionSecret".path;
sessionSecretFile = config.sops.secrets."authelia/servers/darksailor/sessionSecret".path;
oidcHmacSecretFile = config.sops.secrets."authelia/servers/darksailor/sessionSecret".path;
oidcIssuerPrivateKeyFile = config.sops.secrets."authelia/oidc/jwks".path;
};
environmentVariables = {
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.sops.secrets."lldap/users/authelia".path;
};
};
};
caddy = {
virtualHosts."auth.darksailor.dev".extraConfig = ''
reverse_proxy localhost:5555 {
# header_up Host {http.request.header.X-Forwarded-Host}
# header_up X-Forwarded-Host {http.request.header.X-Forwarded-Host}
# header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto}
}
'';
};
};
}

15
nixos/tako/services/caddy.nix Normal file
View File

@@ -0,0 +1,15 @@
{...}: {
services = {
caddy = {
enable = true;
extraConfig = ''
(auth) {
forward_auth localhost:5555 {
uri /api/authz/forward-auth?authelia_url=https://auth.darksailor.dev
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
}
'';
};
};
}

31
nixos/tako/services/default.nix Normal file
View File

@@ -0,0 +1,31 @@
{...}: {
imports = [
./atuin.nix
./authelia.nix
./caddy.nix
./excalidraw.nix
./fail2ban.nix
./flaresolverr.nix
./games
./gitea.nix
./homepage.nix
# ./immich.nix
./immich.nix
# ./llama.nix
./lldap.nix
./monitoring.nix
./nextcloud.nix
# ./paperless.nix
./prowlarr.nix
./resolved.nix
./searxng.nix
./tailscale.nix
./headscale.nix
./shitpost.nix
];
services = {
nix-serve = {
enable = true;
};
};
}

30
nixos/tako/services/excalidraw.nix Normal file
View File

@@ -0,0 +1,30 @@
{...}: {
virtualisation.oci-containers = {
backend = "docker";
containers = {
excalidraw = {
image = "excalidraw/excalidraw:latest";
ports = ["127.0.0.1:5959:80"];
volumes = [];
};
};
};
services.caddy.virtualHosts."draw.darksailor.dev".extraConfig = ''
import auth
reverse_proxy localhost:5959
'';
services.authelia = {
instances.darksailor = {
settings = {
access_control = {
rules = [
{
domain = "draw.darksailor.dev";
policy = "one_factor";
}
];
};
};
};
};
}

22
nixos/tako/services/fail2ban.nix Normal file
View File

@@ -0,0 +1,22 @@
{...}: {
# sops = {
# secrets."ryu/public" = {};
# };
services = {
fail2ban = {
enable = true;
bantime = "24h"; # Ban IPs for one day on the first ban
bantime-increment = {
enable = true; # Enable increment of bantime after each violation
# formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
multipliers = "1 2 4 8 16 32 64";
maxtime = "168h"; # Do not ban for more than 1 week
overalljails = true; # Calculate the bantime based on all the violations
};
# I'm beind a CG-NAT
ignoreIP = [
"106.219.121.52"
];
};
};
}

8
nixos/tako/services/flaresolverr.nix Normal file
View File

@@ -0,0 +1,8 @@
{stablePkgs, ...}: {
services = {
flaresolverr = {
enable = true;
package = stablePkgs.flaresolverr;
};
};
}

7
nixos/tako/services/games/default.nix Normal file
View File

@@ -0,0 +1,7 @@
{...}: {
imports = [
./minecraft.nix
./satisfactory.nix
./terraria.nix
];
}

56
nixos/tako/services/games/minecraft.nix Normal file
View File

@@ -0,0 +1,56 @@
{
pkgs,
inputs,
...
}: {
# imports = [inputs.nix-minecraft.nixosModules.minecraft-servers];
services = let
whitelist = {
"AbhinavSE" = "8b6c052e-69b3-4bee-b9dc-12eb94653c9e";
"Serveus" = "79882fb6-d594-4073-a3d0-70a01d0abb67";
"__Shun__" = "1c7a300f-98e4-402c-8741-432f3494bb25";
"shashikant" = "20891e82-203c-4d04-9868-79a5879ecfc3";
};
in {
minecraft-server = {
inherit whitelist;
enable = false;
openFirewall = true;
eula = true;
declarative = true;
serverProperties = {
motd = "Servius's Minecraft Server";
level-seed = "4504535438041489910";
view-distance = 24;
white-list = true;
};
package = let
getJavaVersion = v: (builtins.getAttr "openjdk${toString v}" pkgs.javaPackages.compiler).headless;
in
pkgs.minecraft-server.override {
url = "https://piston-data.mojang.com/v1/objects/6e64dcabba3c01a7271b4fa6bd898483b794c59b/server.jar";
sha1 = "sha1-bmTcq7o8AacnG0+mvYmEg7eUxZs=";
version = "1.21.6";
jre_headless = getJavaVersion 21;
};
};
# minecraft-servers = {
# enable = true;
# eula = true;
# openFirewall = true;
# servers.fabric = {
# inherit whitelist;
# enable = true;
# jvmOpts = "-Xmx4G -Xms4G";
# package = pkgs.fabricServers.fabric-1_21_7;
# serverProperties = {
# motd = "Servius's Fabric Minecraft Server";
# server-port = 25567;
# level-seed = "4504535438041489910";
# view-distance = 24;
# white-list = true;
# };
# };
# };
};
}

10
nixos/tako/services/games/satisfactory.nix Normal file
View File

@@ -0,0 +1,10 @@
{...}: {
imports = [
../../../../modules/nixos/satisfactory.nix
];
services.satisfactory = {
# enable = true;
enable = false;
maxPlayers = 4;
};
}

7
nixos/tako/services/games/terraria.nix Normal file
View File

@@ -0,0 +1,7 @@
{...}: {
services.terraria = {
enable = true;
# port = 7777;
autoCreatedWorldSize = "large";
};
}

185
nixos/tako/services/gitea.nix Normal file
View File

@@ -0,0 +1,185 @@
{
lib,
config,
pkgs,
...
}: {
virtualisation.docker.enable = true;
sops = {
# secrets."gitea/registration".owner = config.systemd.services.gitea-actions-tako.serviceConfig.User;
secrets."gitea/registration" = {};
secrets."authelia/oidc/gitea/client_secret" = {
owner = config.systemd.services.authelia-darksailor.serviceConfig.User;
mode = "0440";
restartUnits = [
"gitea.service"
"authelia-darksailor.service"
];
};
secrets."authelia/oidc/gitea/client_id" = {
owner = config.systemd.services.authelia-darksailor.serviceConfig.User;
mode = "0440";
restartUnits = [
"gitea.service"
"authelia-darksailor.service"
];
};
templates = {
"GITEA_REGISTRATION_TOKEN.env".content = ''
TOKEN=${config.sops.placeholder."gitea/registration"}
'';
"GITEA_OAUTH_SETUP.env".content = ''
CLIENT_ID=${config.sops.placeholder."authelia/oidc/gitea/client_id"}
CLIENT_SECRET=${config.sops.placeholder."authelia/oidc/gitea/client_secret"}
'';
};
};
services = {
gitea = {
enable = true;
lfs.enable = true;
settings = {
service = {
DISABLE_REGISTRATION = false;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
SHOW_REGISTRATION_BUTTON = false;
ENABLE_REVERSE_PROXY_AUTHENTICATION = false;
ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false;
ENABLE_PASSWORD_SIGNIN_FORM = false;
};
repository = {
ENABLE_PUSH_CREATE_USER = true;
};
mailer = {
ENABLED = true;
PROTOCOL = "sendmail";
};
security = {
REVERSE_PROXY_AUTHENTICATION_USER = "REMOTE-USER";
};
server = {
ROOT_URL = "https://git.darksailor.dev";
DOMAIN = "git.darksailor.dev";
# LFS_START_SERVER = true;
LFS_ALLOW_PURE_SSH = true;
};
oauth2_client = {
ENABLE_AUTO_REGISTRATION = true;
ACCOUNT_LINKING = "auto";
OPENID_CONNECT_SCOPES = "openid profile email";
};
openid = {
ENABLE_OPENID_SIGNIN = false;
ENABLE_OPENID_SIGNUP = true;
WHITELISTED_URIS = "auth.darksailor.dev";
};
};
};
# gitea-actions-runner = {
# instances = {
# tako = {
# enable = true;
# name = "tako";
# url = "https://git.darksailor.dev";
# labels = [
# "ubuntu-latest:docker://catthehacker/ubuntu:full-latest"
# "ubuntu-22.04:docker://catthehacker/ubuntu:full-22.04"
# "ubuntu-20.04:docker://catthehacker/ubuntu:full-20.04"
# "native:host"
# ];
# tokenFile = "${config.sops.templates."GITEA_REGISTRATION_TOKEN.env".path}";
# };
# };
# };
caddy = {
virtualHosts."git.darksailor.dev".extraConfig = ''
reverse_proxy localhost:3000
'';
};
authelia = {
instances.darksailor = {
settings = {
# access_control = {
# rules = [
# {
# domain = "git.darksailor.dev";
# policy = "bypass";
# resources = [
# "^/api([/?].*)?$"
# ];
# }
# {
# domain = "git.darksailor.dev";
# policy = "one_factor";
# }
# ];
# };
identity_providers = {
oidc = {
clients = [
{
client_name = "Gitea: Darksailor";
client_id = ''{{ secret "${config.sops.secrets."authelia/oidc/gitea/client_id".path}" }}'';
client_secret = ''{{ secret "${config.sops.secrets."authelia/oidc/gitea/client_secret".path}" }}'';
public = false;
authorization_policy = "one_factor";
require_pkce = false;
# pkce_challenge_method = "S256";
redirect_uris = [
"https://git.darksailor.dev/user/oauth2/authelia/callback"
];
scopes = [
"openid"
"email"
"profile"
];
response_types = ["code"];
grant_types = ["authorization_code"];
userinfo_signed_response_alg = "none";
token_endpoint_auth_method = "client_secret_post";
}
];
};
};
};
};
};
};
systemd.services.gitea = {
after = ["sops-install-secrets.service"];
};
# systemd.services."gitea-actions-tako" = {
# after = ["gitea.service"];
# };
# systemd.services.gitea-oauth-setup = let
# name = "authelia";
# gitea_oauth_script = pkgs.writeShellApplication {
# name = "gitea_oauth2_script";
# runtimeInputs = [config.services.gitea.package];
# text = ''
# gitea admin auth delete --id "$(gitea admin auth list | grep "${name}" | cut -d "$(printf '\t')" -f1)"
# gitea admin auth add-oauth --provider=openidConnect --name=${name} --key="$CLIENT_ID" --secret="$CLIENT_SECRET" --auto-discover-url=https://auth.darksailor.dev/.well-known/openid-configuration --scopes='openid email profile'
# '';
# };
# in {
# description = "Configure Gitea OAuth with Authelia";
# after = ["gitea.service"];
# wants = ["gitea.service"];
# wantedBy = ["multi-user.target"];
# serviceConfig = {
# Type = "oneshot";
# User = config.services.gitea.user;
# Group = config.services.gitea.group;
# RemainAfterExit = true;
# ExecStart = "${lib.getExe gitea_oauth_script}";
# WorkingDirectory = config.services.gitea.stateDir;
# EnvironmentFile = config.sops.templates."GITEA_OAUTH_SETUP.env".path;
# };
# environment = {
# GITEA_WORK_DIR = config.services.gitea.stateDir;
# GITEA_CUSTOM = config.services.gitea.customDir;
# };
# };
}

79
nixos/tako/services/headscale.nix Normal file
View File

@@ -0,0 +1,79 @@
{config, ...}: {
sops = {
secrets.headscale-secret = {
owner = config.systemd.services.headscale.serviceConfig.User;
mode = "0440";
restartUnits = ["headscale.service" "authelia-darksailor.service"];
key = "authelia/oidc/headscale/client_secret";
};
secrets.headscale-authelia = {
owner = config.systemd.services.authelia-darksailor.serviceConfig.User;
mode = "0440";
restartUnits = ["headscale.service" "authelia-darksailor.service"];
key = "authelia/oidc/headscale/client_secret";
};
};
services = {
headscale = {
enable = true;
port = 8095;
settings = {
dns = {
magic_dns = true;
base_domain = "headscale.darksailor.dev";
nameservers.global = ["1.1.1.1"];
};
oidc = {
issuer = "https://auth.darksailor.dev";
client_id = "headscale";
client_secret_path = "${config.sops.secrets.headscale-secret.path}";
pkce = {
enabled = true;
method = "S256";
};
};
};
};
# headplane = {
# enable = true;
# settings = {
# server.port = 42562;
# };
# };
caddy = {
virtualHosts."headscale.darksailor.dev".extraConfig = ''
reverse_proxy localhost:${toString config.services.headplane.settings.server.port}
'';
};
authelia = {
instances.darksailor = {
settings = {
identity_providers = {
oidc = {
clients = [
{
client_name = "HeadScale";
client_id = "headscale";
client_secret = ''{{ secret "${config.sops.secrets.headscale-authelia.path}" }}'';
public = false;
authorization_policy = "one_factor";
require_pkce = true;
pkce_challenge_method = "S256";
redirect_uris = [
"https://headscale.darksailor.dev/oidc/callback"
];
scopes = ["openid" "email" "profile" "groups"];
response_types = ["code"];
grant_types = ["authorization_code"];
access_token_signed_response_alg = "none";
userinfo_signed_response_alg = "none";
token_endpoint_auth_method = "client_secret_basic";
}
];
};
};
};
};
};
};
}

181
nixos/tako/services/homepage.nix Normal file
View File

@@ -0,0 +1,181 @@
{config, ...}: {
services = {
homepage-dashboard = {
enable = true;
allowedHosts = "dashboard.darksailor.dev";
settings = {
title = "Servius' Dashboard";
description = "A collection of services and links for quick access.";
};
widgets = [
{
resources = {
cpu = true;
disk = "/";
memory = true;
};
}
];
services = [
{
"Tsuba" = [
{
"Jellyfin" = {
icon = "jellyfin.png";
description = "Jellyfin Media Server";
href = "https://jellyfin.tsuba.darksailor.dev";
};
}
{
"Sonarr" = {
icon = "sonarr.png";
description = "Sonarr: TV Series Management";
href = "https://sonarr.tsuba.darksailor.dev";
};
}
{
"Bazarr" = {
icon = "bazarr.png";
description = "Bazarr: Subtitles and Metadata";
href = "https://bazarr.tsuba.darksailor.dev";
};
}
{
"Radarr" = {
icon = "radarr.png";
description = "Radarr: Movie Management";
href = "https://radarr.tsuba.darksailor.dev";
};
}
{
"Deluge" = {
icon = "deluge.png";
description = "Deluge: Torrent Client";
href = "https://deluge.tsuba.darksailor.dev";
};
}
{
"Prowlarr" = {
icon = "prowlarr.png";
description = "Prowlarr: Indexer Manager";
href = "https://prowlarr.tsuba.darksailor.dev";
};
}
{
"Home Assistant" = {
icon = "home-assistant.png";
description = "Home Automation";
href = "https://home.darksailor.dev";
};
}
];
}
{
"Tako" = [
{
"Gitea" = {
icon = "gitea.png";
description = "Gitea Code Hosting";
href = "https://git.darksailor.dev";
};
}
{
"Nextcloud" = {
icon = "nextcloud.png";
description = "Nextcloud Suite";
href = "https://cloud.darksailor.dev";
};
}
{
"Open WebUI" = {
icon = "open-webui.png";
description = "Open WebUI for self hosted llms";
href = "https://llama.darksailor.dev";
};
}
{
"Immich" = {
icon = "immich.png";
description = "Immich: Self-hosted Photo and Video Backup";
href = "https://photos.darksailor.dev";
};
}
{
"Excalidraw" = {
icon = "excalidraw.png";
description = "Excalidraw: Self-hosted Collaborative Whiteboard";
href = "https://draw.darksailor.dev";
};
}
];
}
];
bookmarks = [
{
"Nix" = [
{
"Nixpkgs" = [
{
abbr = "pkgs";
href = "https://search.nixos.org/packages?channel=unstable";
}
];
}
{
"NixOS" = [
{
abbr = "nixos";
href = "https://search.nixos.org/options?channel=unstable";
}
];
}
{
"Home Manager" = [
{
abbr = "hm";
href = "https://home-manager-options.extranix.com";
}
];
}
{
"NixVim" = [
{
abbr = "nixvim";
href = "https://nix-community.github.io/nixvim/search";
}
];
}
{
"Tailscale" = [
{
abbr = "ts";
href = "https://login.tailscale.com";
}
];
}
];
}
];
};
caddy = {
virtualHosts."dashboard.darksailor.dev".extraConfig = ''
import auth
reverse_proxy localhost:${builtins.toString config.services.homepage-dashboard.listenPort}
'';
};
authelia = {
instances.darksailor = {
settings = {
access_control = {
rules = [
{
domain = "dashboard.darksailor.dev";
policy = "one_factor";
}
];
};
};
};
};
};
}

118
nixos/tako/services/immich.nix Normal file
View File

@@ -0,0 +1,118 @@
{
pkgs,
config,
...
}: {
sops = {
secrets."authelia/oidc/immich/client_id" = {
owner = config.systemd.services.authelia-darksailor.serviceConfig.User;
mode = "0440";
restartUnits = ["immich-server.service" "authelia-darksailor.service"];
};
secrets."authelia/oidc/immich/client_secret" = {
owner = config.systemd.services.authelia-darksailor.serviceConfig.User;
mode = "0440";
restartUnits = ["immich-server.service" "authelia-darksailor.service"];
};
templates = {
"immich-config.json" = {
content =
/*
json
*/
''
{
"oauth": {
"clientId": "${config.sops.placeholder."authelia/oidc/immich/client_id"}",
"clientSecret": "${config.sops.placeholder."authelia/oidc/immich/client_secret"}",
"enabled": true,
"autoLaunch": true,
"autoRegister": true,
"buttonText": "Login with Authelia",
"scope": "openid email profile",
"issuerUrl": "https://auth.darksailor.dev"
},
"passwordLogin" : {
"enabled": false
},
"server": {
"externalDomain": "https://photos.darksailor.dev"
},
{
"machineLearning": {
"enabled": true,
"urls": [
"http://ryu.darksailor.dev:3003",
"http://localhost:3003"
],
}
}
}
'';
mode = "0400";
owner = "immich";
restartUnits = ["immich-server.service"];
};
};
};
virtualisation.oci-containers = {
backend = "docker";
containers = {
immich-machine-learning = {
image = "ghcr.io/immich-app/immich-machine-learning:v${pkgs.immich.version}";
ports = [
"127.0.0.1:3003:3003"
];
volumes = [
"model-cache:/cache"
];
};
};
};
services.immich = {
enable = true;
mediaLocation = "/media/photos/immich";
accelerationDevices = null;
machine-learning.enable = false;
environment = {
IMMICH_CONFIG_FILE = config.sops.templates."immich-config.json".path;
};
package = pkgs.immich;
};
services.caddy = {
virtualHosts."photos.darksailor.dev".extraConfig = ''
reverse_proxy localhost:${builtins.toString config.services.immich.port}
'';
};
services.authelia = {
instances.darksailor = {
settings = {
identity_providers = {
oidc = {
clients = [
{
client_name = "immich";
client_id = ''{{ secret "${config.sops.secrets."authelia/oidc/immich/client_id".path}" }}'';
client_secret = ''{{ secret "${config.sops.secrets."authelia/oidc/immich/client_secret".path}" }}'';
public = false;
authorization_policy = "one_factor";
require_pkce = false;
redirect_uris = [
"https://photos.darksailor.dev/auth/login"
"https://photos.darksailor.dev/user-settings"
"app.immich:///oauth-callback"
];
scopes = ["openid" "profile" "email"];
response_types = ["code"];
grant_types = ["authorization_code"];
# access_token_signed_response_alg = "none";
userinfo_signed_response_alg = "none";
token_endpoint_auth_method = "client_secret_post";
}
];
};
};
};
};
};
}

103
nixos/tako/services/llama.nix Normal file
View File

@@ -0,0 +1,103 @@
{
config,
pkgs,
inputs,
...
}: {
sops = {
secrets."llama/api_key".owner = config.services.caddy.user;
secrets."llama/user".owner = config.services.caddy.user;
secrets."openai/api_key" = {};
templates = {
"LLAMA_API_KEY.env".content = ''
LLAMA_API_KEY=${config.sops.placeholder."llama/api_key"}
'';
api_key_env.owner = config.services.caddy.user;
"OPENAI_API_KEY.env".content = ''
OPENAI_API_KEY="${config.sops.placeholder."openai/api_key"}"
'';
};
};
services = {
llama-cpp = {
enable = false;
port = 11435;
model = pkgs.fetchurl {
url = "https://huggingface.co/lmstudio-community/gpt-oss-20b-GGUF/resolve/main/gpt-oss-20b-MXFP4.gguf";
sha256 = "65d06d31a3977d553cb3af137b5c26b5f1e9297a6aaa29ae7caa98788cde53ab";
};
# package = pkgs.ik_llama;
};
ollama = {
enable = false;
loadModels = [
"deepseek-r1:7b"
"deepseek-r1:14b"
"RobinBially/nomic-embed-text-8k"
"qwen3:8b"
];
port = 11434;
host = "0.0.0.0";
environmentVariables = {
OLLAMA_ORIGINS = "*";
};
};
open-webui = {
enable = false;
port = 7070;
environment = {
SCARF_NO_ANALYTICS = "True";
DO_NOT_TRACK = "True";
ANONYMIZED_TELEMETRY = "False";
WEBUI_AUTH = "False";
ENABLE_LOGIN_FORM = "False";
WEBUI_URL = "https://llama.darksailor.dev";
OPENAI_BASE_URL = "https://ollama.darksailor.dev/v1";
OLLAMA_API_BASE_URL = "https://ollama.ryu.darksailor.dev";
};
environmentFile = "${config.sops.templates."LLAMA_API_KEY.env".path}";
};
caddy = {
virtualHosts."llama.darksailor.dev".extraConfig = ''
import auth
reverse_proxy localhost:${builtins.toString config.services.open-webui.port}
'';
virtualHosts."ollama.darksailor.dev".extraConfig = ''
@apikey {
header Authorization "Bearer {env.LLAMA_API_KEY}"
}
handle @apikey {
header {
# Set response headers or proxy to a different service if API key is valid
Access-Control-Allow-Origin *
-Authorization "Bearer {env.LLAMA_API_KEY}" # Remove the header after validation
}
reverse_proxy localhost:${builtins.toString config.services.llama-cpp.port}
}
respond "Unauthorized" 403
'';
};
authelia = {
instances.darksailor = {
settings = {
access_control = {
rules = [
{
domain = "llama.darksailor.dev";
policy = "one_factor";
}
];
};
};
};
};
};
systemd.services.caddy = {
serviceConfig = {
EnvironmentFile = config.sops.templates."LLAMA_API_KEY.env".path;
};
};
}

53
nixos/tako/services/lldap.nix Normal file
View File

@@ -0,0 +1,53 @@
{
config,
lib,
...
}: {
services.lldap = {
enable = true;
settings = {
ldap_user_dn = "admin";
ldap_base_dn = "dc=darksailor,dc=dev";
ldap_user_email = "admin@darksailor.dev";
http_host = "127.0.0.1";
http_port = 5090;
ldap_port = 389;
ldap_host = "::";
ldap_user_pass_file = config.sops.secrets."lldap/admin".path;
environmentFile = ''
LLDAP_JWT_SECRET_FILE = ${config.sops.secrets."lldap/jwt".path};
LLDAP_KEY_SEED_FILE = ${config.sops.secrets."lldap/seed".path};
'';
};
};
users.users.lldap = {
name = "lldap";
group = "lldap";
description = "LDAP Server User";
isSystemUser = true;
};
users.groups.lldap = {};
systemd.services.lldap = {
serviceConfig = {
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
DynamicUser = lib.mkForce false;
User = "lldap";
Group = "lldap";
};
};
sops = {
secrets = let
owner = config.systemd.services.lldap.serviceConfig.User;
group = config.systemd.services.lldap.serviceConfig.Group;
restartUnits = ["lldap.service"];
cfg = {
inherit owner group restartUnits;
};
in {
"lldap/jwt" = cfg;
"lldap/seed" = cfg;
"lldap/admin" = cfg;
};
};
}

18
nixos/tako/services/navidrome.nix Normal file
View File

@@ -0,0 +1,18 @@
{...}: {
services = {
navidrome = {
enable = true;
settings = {
MusicFolder = "/media/music";
ReverseProxyUserHeader = "Remote-User";
ReverseProxyWhitelist = "127.0.0.1/32";
};
};
caddy = {
virtualHosts."music.darksailor.dev".extraConfig = ''
import auth
reverse_proxy localhost:4533
'';
};
};
}

104
nixos/tako/services/nextcloud.nix Normal file
View File

@@ -0,0 +1,104 @@
{
config,
pkgs,
...
}: {
sops = {
secrets."nextcloud/adminpass".owner = config.users.users.nextcloud.name;
# secrets."authelia/oidc/nextcloud/client_id".owner = config.users.users.nextcloud.name;
secrets."authelia/oidc/nextcloud/client_secret".owner = config.users.users.nextcloud.name;
};
imports = [
"${fetchTarball {
url = "https://github.com/onny/nixos-nextcloud-testumgebung/archive/fa6f062830b4bc3cedb9694c1dbf01d5fdf775ac.tar.gz";
sha256 = "0gzd0276b8da3ykapgqks2zhsqdv4jjvbv97dsxg0hgrhb74z0fs";
}}/nextcloud-extras.nix"
];
services = {
nextcloud = {
enable = true;
package = pkgs.nextcloud32;
extraApps = {
inherit (config.services.nextcloud.package.packages.apps) contacts calendar bookmarks user_oidc;
};
extraAppsEnable = true;
hostName = "cloud.darksailor.dev";
config.adminuser = "servius";
config.adminpassFile = config.sops.secrets."nextcloud/adminpass".path;
config.dbtype = "sqlite";
configureRedis = true;
https = true;
caching = {
redis = true;
apcu = true;
memcached = true;
};
webserver = "caddy";
settings = {};
};
# caddy = {
# virtualHosts."cloud.darksailor.dev".extraConfig = ''
# reverse_proxy localhost:8080
# '';
# };
# nginx.virtualHosts."${config.services.nextcloud.hostName}".listen = [
# {
# addr = "127.0.0.1";
# port = 8080; # NOT an exposed port
# }
# ];
# authelia.instances.darksailor = {
# settings = {
# definitions = {
# user_attributes = {
# is_nextcloud_admin = {
# expression = ''"nextcloud-admins" in groups"'';
# };
# };
# };
# identity_providers = {
# oidc = {
# claims_policies = {
# custom_claims = {
# is_nextcloud_admin = {};
# };
# };
# scopes = {
# nextcloud_userinfo = {
# claims = ["is_nextcloud_admin"];
# };
# };
# clients = [
# {
# client_name = "Nextcloud";
# client_id = "nextcloud";
# client_secret = ''{{ secret "${config.sops.secrets."authelia/oidc/nextcloud/client_secret".path}" }}'';
# public = false;
# authorization_policy = "one_factor";
# require_pkce = true;
# pkce_challenge_method = "S256";
# claims_policy = "nextcloud_userinfo";
# redirect_uris = [
# "https://cloud.darksailor.dev/apps/oidc_login/oidc"
# ];
# scopes = [
# "openid"
# "profile"
# "email"
# "groups"
# "nextcloud_userinfo"
# ];
# response_types = ["code"];
# grant_types = ["authorization_code"];
# # access_token_signed_response_alg = "none";
# userinfo_signed_response_alg = "none";
# token_endpoint_auth_method = "client_secret_basic";
# }
# ];
# };
# };
# };
# };
};
}

102
nixos/tako/services/paperless.nix Normal file
View File

@@ -0,0 +1,102 @@
{
pkgs,
config,
lib,
...
}: {
sops = {
secrets."paperless/adminpass".owner = config.users.users.paperless.name;
secrets."paperless/secret_key".owner = config.users.users.paperless.name;
secrets."authelia/oidc/paperless/client_id".owner = config.systemd.services.authelia-darksailor.serviceConfig.User;
secrets."authelia/oidc/paperless/client_secret".owner = config.systemd.services.authelia-darksailor.serviceConfig.User;
templates = {
"PAPERLESS.env" = {
content = ''
PAPERLESS_SOCIALACCOUNT_PROVIDERS='${config.sops.templates."PAPERLESS_SOCIALACCOUNT_PROVIDERS.json".content}'
'';
restartUnits = ["paperless-web.service" "authelia-darksailor.service"];
};
"PAPERLESS_SOCIALACCOUNT_PROVIDERS.json" = {
content =
/*
json
*/
builtins.toJSON
{
authelia = {
OAUTH_PKCE_ENABLED = "True";
APPS = [
{
provider_id = "authelia";
name = "Authelia";
"client_id" = "${config.sops.placeholder."authelia/oidc/paperless/client_id"}";
"secret" = "${config.sops.placeholder."authelia/oidc/paperless/client_secret"}";
"settings" = {
"server_url" = "https://auth.darksailor.dev/.well-known/openid-configuration";
};
}
];
};
};
restartUnits = ["paperless-web.service" "authelia-darksailor.service"];
};
};
};
# systemd.services.paperless-web.script = lib.mkBefore ''
# oidcSecret=$(< ${config.sops.secrets."authelia/oidc/paperless/client_secret".path})
# export PAPERLESS_SOCIALACCOUNT_PROVIDERS=$(
# ${pkgs.jq}/bin/jq <<< "$PAPERLESS_SOCIALACCOUNT_PROVIDERS" \
# --compact-output \
# --arg oidcSecret "$oidcSecret" '.openid_connect.APPS.[0].secret = $oidcSecret'
# )
# '';
services = {
paperless = {
enable = true;
passwordFile = config.sops.secrets."paperless/adminpass".path;
settings = {
PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
PAPERLESS_SOCIAL_AUTO_SIGNUP = "True";
PAPERLESS_DISABLE_REGULAR_LOGIN = "True";
PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS = "True";
PAPERLESS_URL = "https://paperless.darksailor.dev";
};
environmentFile = "${config.sops.templates."PAPERLESS.env".path}";
};
caddy = {
virtualHosts."paperless.darksailor.dev".extraConfig = ''
reverse_proxy localhost:28981
'';
};
authelia = {
instances.darksailor = {
settings = {
identity_providers = {
oidc = {
clients = [
{
client_name = "paperless";
client_id = ''{{ secret "${config.sops.secrets."authelia/oidc/paperless/client_id".path}" }}'';
client_secret = ''{{ secret "${config.sops.secrets."authelia/oidc/paperless/client_secret".path}" }}'';
public = false;
authorization_policy = "one_factor";
require_pkce = false;
redirect_uris = [
"https://paperless.darksailor.dev/auth/login"
];
scopes = ["openid" "profile" "email"];
response_types = ["code"];
grant_types = ["authorization_code"];
# access_token_signed_response_alg = "none";
userinfo_signed_response_alg = "none";
token_endpoint_auth_method = "client_secret_post";
}
];
};
};
};
};
};
};
}

21
nixos/tako/services/polaris.nix Normal file
View File

@@ -0,0 +1,21 @@
{...}: {
services = {
polaris = {
enable = false;
port = 5050;
settings = {
mount_dirs = [
{
name = "Music";
source = "/media/music";
}
];
};
};
caddy = {
virtualHosts."music.darksailor.dev".extraConfig = ''
reverse_proxy localhost:5050
'';
};
};
}

13
nixos/tako/services/prowlarr.nix Normal file
View File

@@ -0,0 +1,13 @@
{...}: {
services = {
prowlarr = {
enable = true;
settings = {
auth = {
authentication_enabled = true;
authentication_method = "External";
};
};
};
};
}

9
nixos/tako/services/resolved.nix Normal file
View File

@@ -0,0 +1,9 @@
{...}: {
services.resolved = {
enable = true;
dnssec = "true";
dnsovertls = "true";
domains = ["lemur-newton.ts.net"];
fallbackDns = ["1.1.1.1"];
};
}

66
nixos/tako/services/seafile.nix Normal file
View File

@@ -0,0 +1,66 @@
{config, ...}: {
sops = {
secrets."nextcloud/adminpass".owner = config.users.users.caddy.name;
};
services = {
seafile = {
enable = true;
# group = config.services.caddy.group;
adminEmail = "admin@darksailor.dev";
initialAdminPassword = "foobar";
seahubExtraConf =
/*
python
*/
''
ENABLE_REMOTE_USER_AUTHENTICATION = True
# Optional, HTTP header, which is configured in your web server conf file,
# used for Seafile to get user's unique id, default value is 'HTTP_REMOTE_USER'.
REMOTE_USER_HEADER = "HTTP_REMOTE_USER"
# Optional, when the value of HTTP_REMOTE_USER is not a valid email address
# Seafile will build a email-like unique id from the value of 'REMOTE_USER_HEADER'
# and this domain, e.g. user1@example.com.
REMOTE_USER_DOMAIN = "darksailor.dev"
# Optional, whether to create new user in Seafile system, default value is True.
# If this setting is disabled, users doesn't preexist in the Seafile DB cannot login.
# The admin has to first import the users from external systems like LDAP.
REMOTE_USER_CREATE_UNKNOWN_USER = True
# Optional, whether to activate new user in Seafile system, default value is True.
# If this setting is disabled, user will be unable to login by default.
# the administrator needs to manually activate this user.
REMOTE_USER_ACTIVATE_USER_AFTER_CREATION = True
'';
ccnetSettings = {
General.SERVICE_URL = "https://cloud.darksailor.dev";
};
};
caddy = {
virtualHosts."cloud.darksailor.dev".extraConfig = ''
import auth
reverse_proxy unix//run/seahub/gunicorn.sock
'';
};
authelia = {
instances.darksailor = {
settings = {
access_control = {
rules = [
{
domain = "cloud.darksailor.dev";
policy = "bypass";
resources = [
"^/(api2|seafhttp)([/?].*)?$"
];
}
{
domain = "cloud.darksailor.dev";
policy = "one_factor";
}
];
};
};
};
};
};
}

31
nixos/tako/services/searxng.nix Normal file
View File

@@ -0,0 +1,31 @@
{
config,
pkgs,
...
}: {
systemd.services.websurfx = {
description = "Websurfx";
wantedBy = ["multi-user.target"];
after = ["network.target"];
serviceConfig = {
Type = "simple";
ExecStart = "${pkgs.websurfx}/bin/websurfx";
Restart = "always";
RestartSec = 5;
User = "websurfx";
Group = "websurfx";
};
};
users.users.websurfx = {
group = "websurfx";
home = "/var/lib/websurfx";
isSystemUser = true;
# uid = config.ids.uids.websurfx;
};
users.groups.websurfx = {
# gid = config.ids.gids.websurfx;
};
services.caddy.virtualHosts."search.darksailor.dev".extraConfig = ''
reverse_proxy localhost:8080
'';
}

13
nixos/tako/services/shitpost.nix Normal file
View File

@@ -0,0 +1,13 @@
{pkgs, ...}: let
src = pkgs.fetchgit {
url = "https://git.darksailor.dev/servius/adarkdayinmylife.public";
# repo = "adarkdayinmy.life";
rev = "68d972f68cab8f68916b94df05b7ab6a7da4a1da";
sha256 = "sha256-EVis06rmHq1jJK0FVsbgi7TOru7GtEUpbx0PjU2AKEo=";
};
in {
services.caddy.virtualHosts."adarkdayinmy.life".extraConfig = ''
root * ${src}/
file_server
'';
}

15
nixos/tako/services/syncthing.nix Normal file
View File

@@ -0,0 +1,15 @@
{
pkgs,
device,
xdg,
...
}: {
services.syncthing = {
enable = true;
openDefaultPorts = true;
user = "${device.user}";
group = "${device.user}";
dataDir = xdg.dataDirs.syncthing;
configDir = xdg.configDirs.syncthing;
};
}

11
nixos/tako/services/tailscale.nix Normal file
View File

@@ -0,0 +1,11 @@
{masterPkgs, ...}: {
services.tailscale = {
enable = true;
useRoutingFeatures = "server";
extraUpFlags = "--advertise-exit-node";
package = masterPkgs.tailscale;
};
networking.firewall.trustedInterfaces = [
"tailscale0"
];
}

17
nixos/tako/services/vscode.nix Normal file
View File

@@ -0,0 +1,17 @@
{pkgs, ...}: {
services = {
openvscode-server = {
enable = true;
port = 3000;
host = "0.0.0.0";
extraPackages = with pkgs; [];
withoutConnectionToken = true;
};
caddy = {
virtualHosts."code.darksailor.dev".extraConfig = ''
import auth
reverse_proxy localhost:3000
'';
};
};
}

24
nixos/tako/services/zerotier.nix Normal file
View File

@@ -0,0 +1,24 @@
{config, ...}: {
# sops = {
# secrets."zerotier/api_key".owner = config.systemd.services.zeronsd-abfd31bd4766754d.serviceConfig.User;
# };
# services.zerotierone = {
# enable = true;
# port = 9994;
# joinNetworks = [
# "abfd31bd4766754d"
# ];
# };
# services.zeronsd = {
# servedNetworks = {
# abfd31bd4766754d = {
# settings = {
# log_level = "trace";
# local_url = "http://127.0.0.1:9994";
# domain = "zt.darksailor.dev";
# token = config.sops.secrets."zerotier/api_key".path;
# };
# };
# };
# };
}

64
nixos/tako/tako.nix Normal file
View File

@@ -0,0 +1,64 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
./disk-config.nix
];
boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci"];
boot.initrd.kernelModules = ["dm-snapshot"];
boot.kernelModules = ["kvm-amd"];
boot.extraModulePackages = [];
boot.binfmt.emulatedSystems = ["aarch64-linux"];
fileSystems."/var/lib/nextcloud" = {
device = "/media/nextcloud";
options = [
"bind"
];
};
fileSystems."/var/lib/docker" = {
device = "/media/docker";
options = [
"bind"
];
};
fileSystems."/home".neededForBoot = true;
# fileSystems."/" = {
# device = "/dev/disk/by-uuid/8f805d1b-a469-4db8-9ee1-b98ea220714a";
# fsType = "ext4";
# };
#
# fileSystems."/boot" = {
# device = "/dev/disk/by-uuid/D840-A590";
# fsType = "vfat";
# options = ["fmask=0022" "dmask=0022"];
# };
#
# fileSystems."/media" = {
# device = "/dev/disk/by-uuid/cad22fc7-08d2-4650-8d5e-a101e3fd1bd1";
# fsType = "ext4";
# };
swapDevices = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp6s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}