diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..a1666ac --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,11 @@ +# This example uses YAML anchors which allows reuse of multiple keys +# without having to repeat yourself. +# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml +# for a more complex example. +keys: + - &sky age1j8gk5rrczcdql0mkwevjsgdaqqqzavgv006sx0xnc7mzmlp3x4wqvtwdsa +creation_rules: + - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$ + key_groups: + age: + - *sky diff --git a/configuration.nix b/configuration.nix index 4054727..7a3fe3b 100644 --- a/configuration.nix +++ b/configuration.nix @@ -5,25 +5,25 @@ { config, lib, pkgs, ... }: { + nix.settings.experimental-features = [ "nix-command" "flakes" ]; + + sops.age.keyFile = "/secrets/age/keys.txt"; + imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix - ./users.nix - + ./users/users.nix + ./services/gitea.nix ]; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; - # use network manager and set hostname - networking.networkmanager.enable = true; - networking.hostName = "rackserver"; - - + # set hostname + networking.hostName = "rackserver"; # wireguard server setup - # enable NAT networking.nat.enable = true; networking.nat.externalInterface = "eth0"; 
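Review bot: The creation rule's `path_regex: secrets/[^/]+\.(yaml|json|env|ini)$` only matches files directly under a top-level `secrets/` directory, yet the one secret file referenced anywhere in this commit is `../.secrets/postgres.yaml` (the commented `sopsFile` in `services/gitea.nix`), which this regex does not match, so sops would find no rule for it; one of the two paths needs aligning. The rule also lists a single recipient, `&sky`, while the host decrypts with whatever private key sits at `/secrets/age/keys.txt` (`sops.age.keyFile` in `configuration.nix`); if `&sky` is a personal key rather than the host's, nothing on the server can decrypt. Worth a comment on the recipient such as `# public half of the key in sops.age.keyFile on rackserver`, or a second recipient entry for the host key, so the intent is explicit.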
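Review bot: `sops.age.keyFile = "/secrets/age/keys.txt";` names a path outside the repository with no comment on how it gets onto the host, and sops-nix needs that file at activation time or every `sops.secrets` entry fails to decrypt; suggest `# age private key for sops-nix; provisioned on the host out of band, never committed` above it. The new line is also placed before `imports`, while every other option in the file sits after the import list; moving it next to the other service settings would keep the module's existing layout. The hunk drops `networking.networkmanager.enable = true;` and leaves only the hostname under `# set hostname`, so interface configuration now rests on whatever defaults or other modules provide — presumably intended, but a word in that comment would save the next reader a search.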
@@ -61,44 +61,58 @@ peers = [ # List of allowed peers. - { # Nub + { #nub # Public key of the peer (not a file path). - publicKey = "{}"; + publicKey = "L4msD0mEG2ctKDtaMJW2y3cs1fT2LBRVV7iVlWZ2nZc="; # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing. - allowedIPs = [ "10.100.0.2/32" ]; - } - { # Ku - publicKey = "{}"; - allowedIPs = [ "10.100.0.3/32" ]; - } - { # Sky Laptop - publicKey = "{}"; - allowedIPs = [ "10.100.0.4/32" ]; - } - { # Sky Desktop - publicKey = "{}"; + allowedIPs = [ "10.100.0.2/32" ]; + } + { # ku + publicKey = "L4msD0mEG2ctKDtaMJW2y3cs1fT2LBRVV7iVlWZ2nZc="; + allowedIPs = [ "10.100.0.3/32" ]; + } + { # skyLaptop + publicKey = "L4msD0mEG2ctKDtaMJW2y3cs1fT2LBRVV7iVlWZ2nZc="; + allowedIPs = [ "10.100.0.4/32" ]; + } + { # skyDesktop + publicKey = "L4msD0mEG2ctKDtaMJW2y3cs1fT2LBRVV7iVlWZ2nZc="; allowedIPs = [ "10.100.0.5/32" ]; - } + } ]; }; }; - + # arion setup virtualisation.podman.enable = true; virtualisation.podman.dockerSocket.enable = true; - virtualisation.podman.defaultNetwork.dnsname.enable = true; + virtualisation.podman.defaultNetwork.settings.dns_enabled = true; - { pkgs, ... }: { environment.systemPackages = [ + pkgs.wget + pkgs.arion - # Do install the docker CLI to talk to podman. - # Not needed when virtualisation.docker.enable = true; + # Do install the docker CLI to talk to podman. + # Not needed when virtualisation.docker.enable = true; pkgs.docker-client ]; # List services that you want to enable: - + + networking.firewall.allowedTCPPorts = [ 80 443 22]; + + services.nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + }; + + services.postgresql = { + enable = true; + }; + # Enable the OpenSSH daemon. services.openssh = { enable = true; diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..12a6fda --- /dev/null +++ b/flake.lock 
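Review bot: All four entries in the WireGuard `peers` list are given the same `publicKey` string, so they are not four peers: WireGuard identifies a peer by its public key, and at best only one entry survives with the last `allowedIPs` (`10.100.0.5/32`), leaving `10.100.0.2`–`.4` unroutable. Each peer needs the key generated on that client; if those are not available yet, an obviously invalid placeholder (as the old `"{}"` was) fails loudly instead of silently collapsing the peers. Separately, `networking.firewall.allowedTCPPorts = [ 80 443 22];` opens 443, but the only vhost visible in this commit (`services/gitea.nix`) sets `forceSSL = false` and `enableACME = false`, so nothing serves TLS on that port unless another module does; `recommendedTlsSettings = true;` on `services.nginx` is the natural companion once a certificate is configured. The `services.openssh` block continues past the end of the hunk.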
@@ -0,0 +1,100 @@
+{
+ "nodes": {
+ "home-manager": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1709578243,
+ "narHash": "sha256-hF96D+c2PBmAFhymMw3z8hou++lqKtZ7IzpFbYeL1/Y=",
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "rev": "23ff9821bcaec12981e32049e8687f25f11e5ef3",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1709479366,
+ "narHash": "sha256-n6F0n8UV6lnTZbYPl1A9q1BS0p4hduAv1mGAP17CVd0=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "b8697e57f10292a6165a20f03d2f42920dfaf973",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs-stable": {
+ "locked": {
+ "lastModified": 1709428628,
+ "narHash": "sha256-//ZCCnpVai/ShtO2vPjh3AWgo8riXCaret6V9s7Hew4=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "66d65cb00b82ffa04ee03347595aa20e41fe3555",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-23.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1709356872,
+ "narHash": "sha256-mvxCirJbtkP0cZ6ABdwcgTk0u3bgLoIoEFIoYBvD6+4=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "458b097d81f90275b3fdf03796f0563844926708",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "home-manager": "home-manager",
+ "nixpkgs": "nixpkgs",
+ "sops-nix": "sops-nix"
+ }
+ },
+ "sops-nix": {
+ "inputs": {
+ "nixpkgs": "nixpkgs_2",
+ "nixpkgs-stable": "nixpkgs-stable"
+ },
+ "locked": {
+ "lastModified": 1709591996,
+ "narHash": "sha256-0sQcalXSgqlO6mnxBTXkSQChBHy2GQsokB1XY8r+LpQ=",
+ "owner": "Mic92",
+ "repo": "sops-nix",
+ "rev": "291aad29b59ceda517a06e59809f35cb0bb17c6b",
+ "type": "github"
+ },
+ "original": {
+ "owner": 
"Mic92", + "repo": "sops-nix", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix index 3d052a5..54d92e4 100644 --- a/flake.nix +++ b/flake.nix @@ -2,25 +2,28 @@ description = "NixOS configuration"; inputs = { + nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; home-manager.url = "github:nix-community/home-manager"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; + sops-nix.url = "github:Mic92/sops-nix"; }; - outputs = inputs@{ nixpkgs, home-manager, ... }: { + outputs = inputs@{ nixpkgs, home-manager, sops-nix, ... }: { nixosConfigurations = { - hostname = nixpkgs.lib.nixosSystem { + rackserver = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; modules = [ ./configuration.nix + sops-nix.nixosModules.sops home-manager.nixosModules.home-manager { home-manager.useGlobalPkgs = true; home-manager.useUserPackages = true; - home-manager.users.ku = import ./ku.nix; - home-manager.users.nub = import ./nub.nix; - home-manager.users.jas = import ./jas.nix; - home-manager.users.sky = import ./sky.nix; + home-manager.users.ku = import ./users/ku.nix; + home-manager.users.nub = import ./users/nub.nix; + home-manager.users.jas = import ./users/jas.nix; + home-manager.users.sky = import ./users/sky.nix; # Optionally, use home-manager.extraSpecialArgs to pass # arguments to home.nix diff --git a/gitea.nix b/gitea.nix deleted file mode 100644 index db14475..0000000 --- a/gitea.nix +++ /dev/null 
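Review bot: `sops-nix.url = "github:Mic92/sops-nix";` is added without a `follows`, unlike `home-manager.inputs.nixpkgs.follows = "nixpkgs";` two lines above, so the lock file pins a second nixpkgs (`nixpkgs_2`) plus a `nixpkgs-stable` solely for sops-nix. Adding `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` keeps a single nixpkgs revision in the closure and matches the existing style; `sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs";` can do the same for the stable input if a separate stable branch is not wanted. The `outputs` attribute set continues past the end of the hunk.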
@@ -1,44 +0,0 @@
-{ config, ... }:
-{
-
- services.certbot = {
- enable = true;
- agreeTerms = true;
- };
-
- services.nginx.virtualHosts."git.my-domain.tld" = {
- enableACME = true;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://localhost:3001/";
- };
- };
-
- services.postgresql = {
- ensureDatabases = [ config.services.gitea.user ];
- ensureUsers = [
- {
- name = config.services.gitea.database.user;
- ensurePermissions."DATABASE ${config.services.gitea.database.name}" = "ALL PRIVILEGES";
- }
- ];
- };
-
- sops.secrets."postgres/gitea_dbpass" = {
- sopsFile = ../.secrets/postgres.yaml; # bring your own password file
- owner = config.services.gitea.user;
- };
-
- services.gitea = {
- enable = true;
- appName = "My awesome Gitea server"; # Give the site a name
- database = {
- type = "postgres";
- passwordFile = config.sops.secrets."postgres/gitea_dbpass".path;
- };
- domain = "git.my-domain.tld";
- rootUrl = "https://git.my-domain.tld/";
- httpPort = 3001;
- };
-}
-
diff --git a/ku.nix b/ku.nix
deleted file mode 100644
index e86954e..0000000
--- a/ku.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{ pkgs, ... }: {
- home.packages = [ ];
- programs.bash.enable = true;
-
- # The state version is required and should stay at the version you
- # originally installed.
- home.stateVersion = "23.11";
-}
diff --git a/services/gitea.nix b/services/gitea.nix
new file mode 100644
index 0000000..81e580a
--- /dev/null
+++ b/services/gitea.nix
@@ -0,0 +1,40 @@
+{ config, ... }:
+{
+ services.nginx.virtualHosts."git.my-domain.tld" = {
+ enableACME = false;
+ forceSSL = false;
+ locations."/" = {
+ proxyPass = "http://localhost:3001/";
+ };
+ };
+
+ services.postgresql = {
+ ensureDatabases = [ config.services.gitea.user ];
+ ensureUsers = [
+ {
+ name = config.services.gitea.database.user;
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+
+ #sops.secrets."postgres/gitea_dbpass" = {
+ # sopsFile = ../.secrets/postgres.yaml; # bring your own password file
+ # owner = config.services.gitea.user;
+ #};
+
+ services.gitea = {
+ enable = true;
+ appName = "My awesome Gitea server"; # Give the site a name
+ database = {
+ type = "postgres";
+ password = "password"; # config.sops.secrets."postgres/gitea_dbpass".path
+ };
+ settings.server = {
+ DOMAIN = "git.my-domain.tld";
+ ROOT_URL = "https://git.my-domain.tld/";
+ HTTP_PORT = 3001;
+ };
+ };
+}
+
diff --git a/users/arion-compose.nix b/users/arion-compose.nix
new file mode 100644
index 0000000..c27a07f
--- /dev/null
+++ b/users/arion-compose.nix
@@ -0,0 +1,20 @@
+{ pkgs, ... }:
+{
+ project.name = "webapp";
+ services = {
+
+ webserver = {
+ image.enableRecommendedContents = true;
+ service.useHostStore = true;
+ service.command = [ "sh" "-c" ''
+ cd "$$WEB_ROOT"
+ ${pkgs.python3}/bin/python -m http.server
+ '' ];
+ service.ports = [
+ "8000:8000" # host:container
+ ];
+ service.environment.WEB_ROOT = "${pkgs.nix.doc}/share/doc/nix/manual";
+ service.stop_signal = "SIGINT";
+ };
+ };
+}
diff --git a/users/arion-pkgs.nix b/users/arion-pkgs.nix
new file mode 100644
index 0000000..d1f0fc2
--- /dev/null
+++ b/users/arion-pkgs.nix
@@ -0,0 +1 @@
+import { system = "x86_64-linux"; }
diff --git a/jas.nix b/users/jas.nix
similarity index 54%
rename from jas.nix
rename to users/jas.nix
index e86954e..1695e50 100644
--- a/jas.nix
+++ b/users/jas.nix
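Review bot: `password = "password";` replaces the previous `passwordFile` with a literal database password in the committed module, and the `sops.secrets."postgres/gitea_dbpass"` block that supplied the file is commented out just above it. The `services.gitea.database.password` option's own description warns that the value is stored in cleartext in the Nix store, so this is both a committed credential and a world-readable one on the host. Restoring the four commented `sops.secrets` lines and `passwordFile = config.sops.secrets."postgres/gitea_dbpass".path;` is the fix; note that the block's `sopsFile = ../.secrets/postgres.yaml` does not match the `secrets/…` regex in the new `.sops.yaml`, so the path or the rule has to be aligned as well. A smaller inconsistency: `ROOT_URL = "https://git.my-domain.tld/";` while the vhost sets `forceSSL = false; enableACME = false;`, so Gitea will emit https links that this nginx config does not serve until TLS is configured.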
@@ -1,4 +1,8 @@ -{ pkgs, ... }: { +{ pkgs, ... }: +{ + home.username = "jas"; + home.homeDirectory = pkgs.lib.mkForce "/home/jas"; # use force here since vm trys to set it to /var/empty + home.packages = [ ]; programs.bash.enable = true; diff --git a/sky.nix b/users/ku.nix similarity index 60% rename from sky.nix rename to users/ku.nix index e978d08..7b34cd0 100644 --- a/sky.nix +++ b/users/ku.nix @@ -1,4 +1,7 @@ { pkgs, ... }: { + home.username = "ku"; + home.homeDirectory = pkgs.lib.mkForce "/home/ku"; # use force here since vm trys to set it to /var/empty + home.packages = [ ]; programs.bash.enable = true; @@ -6,4 +9,3 @@ # originally installed. home.stateVersion = "23.11"; } - diff --git a/nub.nix b/users/nub.nix similarity index 54% rename from nub.nix rename to users/nub.nix index e86954e..e5f8269 100644 --- a/nub.nix +++ b/users/nub.nix @@ -1,4 +1,8 @@ -{ pkgs, ... }: { +{ pkgs, ... }: +{ + home.username = "nub"; + home.homeDirectory = pkgs.lib.mkForce "/home/nub"; # use force here since vm trys to set it to /var/empty + home.packages = [ ]; programs.bash.enable = true; diff --git a/users/sky.nix b/users/sky.nix new file mode 100644 index 0000000..163b2fa --- /dev/null +++ b/users/sky.nix @@ -0,0 +1,18 @@ +{ pkgs, ... }: +{ + home.username = "sky"; + home.homeDirectory = pkgs.lib.mkForce "/home/sky"; # use force here since vm trys to set it to /var/empty + + home.packages = [ pkgs.neovim ]; + programs.bash.enable = true; + home.file.".ssh/authorized_keys" = { + text = + '' + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTT5oIuXAkJvNzsHQ/RP2OOWb7R7zMjhU0ZmZCStlOX sky@sky-laptop + ''; + }; + + # The state version is required and should stay at the version you + # originally installed. + home.stateVersion = "23.11"; +} diff --git a/users.nix b/users/users.nix similarity index 56% rename from users.nix rename to users/users.nix index da1ea55..03c9925 100644 --- a/users.nix +++ b/users/users.nix 
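Review bot: `home.file.".ssh/authorized_keys"` in `users/sky.nix` manages the SSH authorized keys as a user-owned home-manager symlink, while the same commit manages the accounts themselves from NixOS in `users/users.nix`. Declaring the key as `users.users.sky.openssh.authorizedKeys.keys = [ "ssh-ed25519 … sky@sky-laptop" ];` in that module keeps the list under root's control (NixOS points sshd at `/etc/ssh/authorized_keys.d/`), so the account cannot quietly add keys to itself, and it drops the dependency on sshd's `StrictModes` accepting a symlink into the store. The `# use force here since vm trys to set it to /var/empty` comment repeated in the jas, ku, nub and sky hunks could also read `# force: the VM test sets this to /var/empty otherwise`, which fixes the typo and says what "vm" refers to.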
@@ -1,29 +1,31 @@ -{ config, lib, pkgs, ...}; - +{ config, lib, pkgs, ...}: { - imports = - [ # Include the results of the hardware scan. - - ]; users.users.sky.isNormalUser = true; users.users.ku.isNormalUser = true; users.users.nub.isNormalUser = true; - users.users.docker.isNormalUser = true; + users.users.jas.isNormalUser = true; + + users.users.podman.isSystemUser = true; + users.users.gitea.isSystemUser = true; + users.extraUsers.sky.hashedPassword = ""; users.groups.wheel.members=["sky"]; - users.extraUsers.podman.extraGroups = [ "podman" ]; + users.users.podman.group = "podman"; home-manager.users.podman = { pkgs, ... }: { + home.username = "podman"; + home.homeDirectory = pkgs.lib.mkForce "/home/podman"; + home.packages = [ ]; programs.bash.enable = true; home.file = { "arion-pkgs.nix" = { - source = ; # TODO: figure out how to make this work with flakes + source = ./arion-pkgs.nix; }; "arion-compose.nix" = { - source = ; # TODO: figure out how to make this work with flakes + source = ./arion-pkgs.nix; }; };