chris/sneeuwvlok
chris/sneeuwvlok
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

started migration to snowfall

Browse source
This commit is contained in:
Chris Kruining 2025-07-23 10:03:10 +02:00
parent 091438d802
commit 5ba5d55108
No known key found for this signature in database
GPG key ID: EB894A3560CCCAD2
100 changed files with 49 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

23
_modules/system/authentication/himmelblau.nix Normal file
View file

@ -0,0 +1,23 @@
{ inputs, lib, config, ... }: let
inherit (lib) mkEnableOption mkIf;
cfg = config.modules.authentication.himmelblau;
in
{
imports = [ inputs.himmelblau.nixosModules.himmelblau ];
options.modules.authentication.himmelblau = {
enable = mkEnableOption "enable azure entra ID authentication";
};
config = mkIf cfg.enable {
services.himmelblau = {
enable = true;
settings = {
domains = [];
pam_allow_groups = [];
local_groups = [];
};
};
};
}

48
_modules/system/boot.nix Normal file
View file

@ -0,0 +1,48 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mkMerge mkIf mkEnableOption mkDefault mkForce;
cfg = config.modules.boot;
in
{
options.modules.boot =
{
silentBoot = mkEnableOption "Enable silent boot";
animatedBoot = mkEnableOption "Enable boot animation";
};
config = mkMerge [
({
boot.loader = {
efi.canTouchEfiVariables = true;
systemd-boot.enable = true;
timeout = mkDefault 0;
};
time.timeZone = "Europe/Amsterdam";
})
(mkIf (cfg.silentBoot == true) {
boot = {
consoleLogLevel = 0;
initrd.verbose = false;
kernelParams = [ "quiet" "splash" "boot.shell_on_fail" "udev.log_priority=3" "rd.systemd.show_status=auto" ];
loader.timeout = mkDefault 0;
};
})
(mkIf (cfg.animatedBoot == true) {
boot.plymouth = {
enable = true;
theme = mkForce "pixels";
themePackages = with pkgs; [
(adi1090x-plymouth-themes.override {
selected_themes = [ "pixels" ];
})
];
};
})
];
}

144
_modules/system/common/qbittorrent.nix Normal file
View file

@ -0,0 +1,144 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.qbittorrent;
UID = 888;
GID = 888;
in
{
options.services.qbittorrent = {
enable = mkEnableOption (lib.mdDoc "qBittorrent headless");
dataDir = mkOption {
type = types.path;
default = "/var/lib/qbittorrent";
description = lib.mdDoc ''
The directory where qBittorrent stores its data files.
'';
};
user = mkOption {
type = types.str;
default = "qbittorrent";
description = lib.mdDoc ''
User account under which qBittorrent runs.
'';
};
group = mkOption {
type = types.str;
default = "qbittorrent";
description = lib.mdDoc ''
Group under which qBittorrent runs.
'';
};
port = mkOption {
type = types.port;
default = 8080;
description = lib.mdDoc ''
qBittorrent web UI port.
'';
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Open services.qBittorrent.port to the outside network.
'';
};
package = mkOption {
type = types.package;
default = pkgs.qbittorrent-nox;
defaultText = literalExpression "pkgs.qbittorrent-nox";
description = lib.mdDoc ''
The qbittorrent package to use.
'';
};
};
config = mkIf cfg.enable (let
configFile = pkgs.writeText "qBittorrent.conf" ''
[BitTorrent]
Session\Port=53271
Session\SSL\Port=45846
Session\QueueingSystemEnabled=false
Session\MaxUploads=-1
Session\MaxUploadsPerTorrent=-1
[Meta]
MigrationVersion=8
[Network]
Cookies=@Invalid()
[Preferences]
WebUI\Port=5000
WebUI\Username=admin
WebUI\Password_PBKDF2="@ByteArray(Clgb2+ZyS3PDRVqtYpj0Ow==:kjN301CJife6g5ou8N2mk6ydQWPQIGgrTAWg5ByWCqAv0jDLphR/IaVQ1tu9KtA+il1udi48xSXZ3AUpjK/fRw==)"
[RSS]
AutoDownloader\DownloadRepacks=true
AutoDownloader\SmartEpisodeFilter=s(\\d+)e(\\d+), (\\d+)x(\\d+), "(\\d{4}[.\\-]\\d{1,2}[.\\-]\\d{1,2})", "(\\d{1,2}[.\\-]\\d{1,2}[.\\-]\\d{4})"
'';
in {
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [ cfg.port ];
};
systemd.tmpfiles.rules = [
# https://www.mankier.com/5/tmpfiles.d
"d '${cfg.dataDir}' 0700 ${cfg.user} ${cfg.group} - -"
"d '${cfg.dataDir}/__config' 0700 ${cfg.user} ${cfg.group} - -"
"L+ '${cfg.dataDir}/__config/qBittorrent.conf' - - - - ${configFile}"
];
systemd.services.qbittorrent = {
description = "qBittorrent-nox service";
documentation = [ "man:qbittorrent-nox(1)" ];
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "simple";
User = cfg.user;
Group = cfg.group;
ExecStartPre = let
preStartScript = pkgs.writeScript "qbittorrent-run-prestart" ''
#!${pkgs.bash}/bin/bash
# Create data directory if it doesn't exist
if ! test -d "$QBT_PROFILE"; then
echo "Creating initial qBittorrent data directory in: $QBT_PROFILE"
install -d -m 0755 -o "${cfg.user}" -g "${cfg.group}" "$QBT_PROFILE"
fi
'';
in
"!${preStartScript}";
ExecStart = "${cfg.package}/bin/qbittorrent-nox";
};
environment = {
QBT_PROFILE = cfg.dataDir;
QBT_WEBUI_PORT = toString cfg.port;
};
};
users.users = mkIf (cfg.user == "qbittorrent") {
qbittorrent = {
group = cfg.group;
uid = UID;
};
};
users.groups = mkIf (cfg.group == "qbittorrent") {
qbittorrent = { gid = GID; };
};
});
}

22
_modules/system/desktop/editors/nvim.nix Normal file
View file

@ -0,0 +1,22 @@
{ inputs, config, options, lib, pkgs, ... }:
let
inherit (lib.meta) getExe;
inherit (lib.modules) mkIf;
cfg = options.modules.desktop.editors.nvim;
in
{
imports = [
inputs.nvf.nixosModules.default
];
options.modules.desktop.editors.nvim = let
inherit (lib.options) mkEnableOption;
in {
enable = mkEnableOption "neo-vim (nixvim)";
};
config = mkIf cfg.enable {
};
}

34
_modules/system/desktop/gaming.nix Normal file
View file

@ -0,0 +1,34 @@
{ inputs, lib, config, ... }: let
inherit (lib) mkEnableOption mkIf;
cfg = config.modules.desktop.gaming;
in
{
imports = [ inputs.jovian.nixosModules.default ];
options.modules.desktop.gaming = {
enable = mkEnableOption "enable steamdeck like desktop";
};
config = mkIf cfg.enable {
services.desktopManager.plasma6.enable = true;
jovian = {
# devices = {
# steamdeck = {
# enable = true;
# enableGyroDsuService = true;
# autoUpdate = true;
# };
# };
steam = {
enable = true;
autoStart = true;
user = "chris";
updater.splash = "steamos";
desktopSession = "plasma";
};
steamos.useSteamOSConfig = true;
};
};
}

8
_modules/system/desktop/wine.nix Normal file
View file

@ -0,0 +1,8 @@
{ inputs, lib, pkgs, ... }:
{
# imports = [ inputs.erosanix.nixosModules.someModule ];
config = {
};
}

40
_modules/system/graphics.nix Normal file
View file

@ -0,0 +1,40 @@
{ ... }:
{
services.xserver.videoDrivers = [ "nvidia" ];
hardware = {
graphics = {
enable = true;
enable32Bit = true;
};
nvidia = {
modesetting.enable = true;
open = false;
nvidiaSettings = true;
powerManagement = {
enable = true;
finegrained = false;
};
# package = config.boot.kernelPackages.nvidiaPackages.vulkan_beta;
# package = let
# rcu_patch = pkgs.fetchpatch {
# url = "https://github.com/gentoo/gentoo/raw/c64caf53/x11-drivers/nvidia-drivers/files/nvidia-drivers-470.223.02-gpl-pfn_valid.patch";
# hash = "sha256-eZiQQp2S/asE7MfGvfe6dA/kdCvek9SYa/FFGp24dVg=";
# };
# in config.boot.kernelPackages.nvidiaPackages.mkDriver {
# version = "550.40.07";
# sha256_64bit = "sha256-KYk2xye37v7ZW7h+uNJM/u8fNf7KyGTZjiaU03dJpK0=";
# sha256_aarch64 = "sha256-AV7KgRXYaQGBFl7zuRcfnTGr8rS5n13nGUIe3mJTXb4=";
# openSha256 = "sha256-mRUTEWVsbjq+psVe+kAT6MjyZuLkG2yRDxCMvDJRL1I=";
# settingsSha256 = "sha256-c30AQa4g4a1EHmaEu1yc05oqY01y+IusbBuq+P6rMCs=";
# persistencedSha256 = "sha256-11tLSY8uUIl4X/roNnxf5yS2PQvHvoNjnd2CB67e870=";
# patches = [ rcu_patch ];
# };
};
};
}

31
_modules/system/networking/default.nix Normal file
View file

@ -0,0 +1,31 @@
{ config, options, lib, pkgs, ... }: let
inherit (lib.modules) mkDefault;
inherit (lib.options) mkOption;
cfg = config.modules.networking;
in {
options.modules.networking = {
wifi.backend = mkOption {
type = with lib.types; enum [ "wpa_supplicant" "iwd" ];
default = "wpa_supplicant";
example = "wpa_supplicant";
description = "set the backend used for wifi wpa_supplicant by default";
};
};
config = {
systemd.services.NetworkManager-wait-online.enable = false;
networking = {
enableIPv6 = true;
useDHCP = mkDefault true;
firewall.enable = true;
networkmanager = {
enable = mkDefault true;
wifi.backend = mkDefault config.modules.networking.wifi.backend;
};
};
};
}

22
_modules/system/networking/nfs.nix Normal file
View file

@ -0,0 +1,22 @@
{ config, lib, ... }:
let
inherit (lib) mkIf mkEnableOption;
cfg = config.modules.networking.nfs;
in
{
options.modules.networking.nfs = {
enable = mkEnableOption "Enable NFS";
};
config = mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [ 2049 ];
services.nfs.server = {
enable = true;
exports = ''
/var/media manwe(rw,sync,no_subtree_check,fsid=0)
'';
};
};
}

71
_modules/system/networking/samba.nix Normal file
View file

@ -0,0 +1,71 @@
{ pkgs, config, lib, ... }:
let
inherit (builtins) getEnv;
inherit (lib.modules) mkIf mkMerge;
in
{
options.modules.networking.samba = let
inherit (lib.options) mkEnableOption;
in {
sharing.enable = mkEnableOption "Samba: enable NixOs -> external file-transfer";
receicing.enable = mkEnableOption "Samba: enable external -> NixOs file-transfer";
};
config = mkMerge [
(mkIf config.modules.networking.samba.sharing.enable {
users = {
groups.samba-guest = {};
users.samba-guest = {
isSystemUser = true;
description = "Residence of our Samba guest users";
group = "samba-guest";
home = "/var/empty";
createHome = false;
shell = pkgs.shadow;
};
};
user.extraGroups = [ "samba-guest" ];
networking.firewall = {
allowPing = true;
allowedTCPPorts = [ 5327 ];
allowedUDPPorts = [ 3702 ];
};
services.samba-wsdd.enable = true;
services.samba = {
enable = true;
openFirewall = true;
extraConfig = ''
server string = ${config.networking.hostName}
netbios name = ${config.networking.hostName}
workgroup = WORKGROUP
security = user
create mask 0664
force create mode 0664
directory mask 0775
force directory mode 0775
follow symlink = yes
hosts allow = 192.168.1.0/24 localhost
hosts deny = 0.0.0.0/0
guest account = nobody
map to guest = bad user
'';
shares = {
Public = {
path = (getEnv "HOME") + "/Public";
browseable = "yes";
"read only" = "yes";
"guest ok" = "yes";
"forse user" = "${config.user.name}";
"force group" = "samba-guest";
"write list" = "${config.user.name}";
};
};
};
})
];
}

28
_modules/system/networking/ssh.nix Normal file
View file

@ -0,0 +1,28 @@
{ config, lib, ... }:
let
inherit (lib.modules) mkIf;
inherit (lib.options) mkEnableOption;
cfg = config.modules.networking.ssh;
in
{
options.modules.networking.ssh = {
enable = mkEnableOption "enable ssh";
};
config = mkIf cfg.enable {
services.openssh = {
enable = true;
openFirewall = true;
ports = [ 22 ];
settings = {
PasswordAuthentication = true;
AllowUsers = [ "chris" "root" ];
UseDns = true;
UsePAM = true;
PermitRootLogin = "prohibit-password";
PermitEmptyPasswords = "no";
};
};
};
}

27
_modules/system/options.nix Normal file
View file

@ -0,0 +1,27 @@
{ config, lib, ... }:
let
inherit (lib.types) attrs;
inherit (lib.my) mkOpt;
in
{
options = {
user = mkOpt attrs {};
};
config = {
environment.variables = {
NIXPKGS_ALLOW_UNFREE = "1";
};
nix.settings = let
inherit (lib) elem attrNames filterAttrs;
users = (attrNames (filterAttrs (name: user: elem "wheel" (user.extraGroups or [])) config.users.users));# ++ [ "root" ];
in
{
trusted-users = users;
allowed-users = users;
experimental-features = [ "nix-command" "flakes" ];
};
};
}

77
_modules/system/security.nix Normal file
View file

@ -0,0 +1,77 @@
{ inputs, pkgs, ... }:
{
imports = [
inputs.sops-nix.nixosModules.sops
];
config = {
environment.systemPackages = with pkgs; [
bitwarden
sops
];
sops = {
defaultSopsFile = ../../secrets/secrets.yaml;
defaultSopsFormat = "yaml";
age.keyFile = "/home/";
};
security = {
sudo.execWheelOnly = true;
acme.acceptTerms = true;
polkit.enable = true;
pam = {
u2f = {
enable = true;
settings.cue = true;
};
};
};
networking.firewall.enable = true;
programs.gnupg.agent.enable = true;
boot = {
loader.systemd-boot = {
editor = false;
configurationLimit = 50;
};
kernelModules = [ "tcp_bbr" ];
kernel.sysctl = {
## TCP hardening
# Prevent bogus ICMP errors from filling up logs.
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
# Reverse path filtering causes the kernel to do source validation of
# packets received from all interfaces. This can mitigate IP spoofing.
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.all.rp_filter" = 1;
# Do not accept IP source route packets (we're not a router)
"net.ipv4.conf.all.accept_source_route" = 0;
"net.ipv6.conf.all.accept_source_route" = 0;
# Don't send ICMP redirects (again, we're on a router)
"net.ipv4.conf.all.send_redirects" = 0;
"net.ipv4.conf.default.send_redirects" = 0;
# Refuse ICMP redirects (MITM mitigations)
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
# Protects against SYN flood attacks
"net.ipv4.tcp_syncookies" = 1;
# Incomplete protection again TIME-WAIT assassination
"net.ipv4.tcp_rfc1337" = 1;
## TCP optimization
# Enable TCP Fast Open for incoming and outgoing connections
"net.ipv4.tcp_fastopen" = 3;
# Bufferbloat mitigations + slight improvement in throughput & latency
"net.ipv4.tcp_congestion_control" = "bbr";
"net.core.default_qdisc" = "cake";
};
};
};
}

225
_modules/system/services/auth/authelia.nix Normal file
View file

@ -0,0 +1,225 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mkIf mkEnableOption;
user = "authelia-testing";
cfg = config.modules.services.auth.authelia;
in
{
options.modules.services.auth.authelia = {
enable = mkEnableOption "Authelia";
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [
authelia
];
services.authelia.instances.testing = {
enable = true;
secrets = {
storageEncryptionKeyFile = "/etc/authelia/testing/storageEncryptionKeyFile";
jwtSecretFile = "/etc/authelia/testing/jwtSecretFile";
sessionSecretFile = "/etc/authelia/testing/sessionSecrets";
};
settings = {
theme = "auto";
server = {
address = "tcp://127.0.0.1:9091";
};
# administration = {
# enable = true;
# enable_ui = true;
# address = "tcp://127.0.0.1:9092";
# users = [ "chris" ];
# groups = [ "admin" ];
# };
log = {
level = "info";
format = "json";
};
authentication_backend.file.path = "/etc/authelia/testing/users_database.yml";
access_control = {
default_policy = "deny";
rules = [
{
domain = ["auth.kruining.eu"];
policy = "bypass";
}
{
domain = ["*.kruining.eu"];
policy = "one_factor";
}
];
};
session = {
name = "authelia_testing_session";
expiration = "12h";
inactivity = "45m";
remember_me = "1m";
# redis.host = "/run/redis-authelia-testing/redis.sock";
cookies = [
{
domain = "kruining.eu";
authelia_url = "https://auth.kruining.eu";
default_redirection_url = "https://media.kruining.eu";
name = "authelia_session";
}
];
};
regulation = {
max_retries = 300;
find_time = "5m";
ban_time = "15m";
};
storage = {
local.path = "/var/lib/authelia-testing/db.sqlite3";
};
notifier = {
disable_startup_check = false;
filesystem.filename = "/var/lib/authelia-testing/notifications.txt";
};
identity_providers.oidc = {
jwks = [
{
# Authelia wants at least one private RSA key (why not just allow ecdsa is beyond me)
key = "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCrkJ2iCcGbZwr9\ntWGiQLzL1OV7WoC8OpRIvtVusyJ6YQGkcB9F3PV+wjzBCojIibjMpWci6vq7sZQp\nnttRsXIBRxyhUoWcg1X8zR2ebFPMqPkfQEYhCPxts/5iaVwESt+77RAeaoJu6Va4\n6ugCHUsujMDGNhXNHWNn1euXT/jnTID8zT2eff8XYItK/vAJgv9ZbDDcamZFqNAK\nWBLGQZGO5GGCDtp99yFlGgG8zhaYpqw/eC/DhRr/O0N0PkQBRsD0mJ5aWCeVIVKB\nP/W35L23XFlgupOcWpZ4Bf7ivjxfakBHq/yYcvq60a9LjwLW+QXyvdvWe7jdV+Bp\nON9VlJ1PAgMBAAECggEANT8o7UWB5S1R5/QHXUgiUFC++E3abpDvvLQdocHPDZRV\n4ic6TYCKYND/8hnG4hZ8WGdtXxT2xJIUneZDw1MDQwpDBH6MIUtRwKgYbTbJu1cm\nGmDkYxRa4+FdLkXs3Rgv4C9vNUFxQeMBm1qsrxtQXh4pJlta4NIiK/Pkro2Pfplp\nyKb5E7HhusHiLqezcPhErYnYQmLPtmInqfQnBAsGehiY6ZL3TMIGTo1FDrIEhu9q\nz31WaK8NuNd/bUqiEdFIVtNt3cSOfqCrtC20LwTIYiv/tDz0ahFOCA42vHSdkz35\nnO1dEkP2YCimTHbw9KwHmzkYL6Q2jd89L8/oCe2dYQKBgQDRz2pvfJjdb4FXLRH/\n/iEsDseRu2z2fg7SBNMloTV/dQGpvBgsEZDWlJw7NyIm2rlZ0kkae9QfLECJeT6A\nZuXnOuUDNUBE5/nj2DBC34gHotpErcJBTlKmr/KfILnh1uDVwLizYNQ6KZ6s3EK8\nSvLXNbEDrJ3HkQbs6OPtZsEVawKBgQDRVcCf+8wxdK1AF474F1E9zAvN8i5+6xIW\nb+YUDuueCzJf8h3wU9Chf/ItEtknw1CHQFNOmLodtQJgGzGDG0R6xmQnfUQIsky1\nO3HDs4xlCggfq9AWm+RKr5r3T34CiJfA4ZUq6i2FKNkdQREArJWcC4cjRItZvGj6\nKJ5ZRDBsrQKBgCnD9lYXIX8DEWY/LJQfDI9uqb+S5c/zrBOWrkmRW8rxidE2BkHP\nhVuR3b/T69J8O+VrfO3utH04G+jB3/VDhoSPLsOCuDZ/TzlR8dl+EeAjRPvi8wZ5\nBu7zm4KdyyLv2XXzlVDv949UdafHeOluqgS5RXGLzSTK8+v5OFYr3EfdAoGAJIP4\n3e9mZxobPprdbZljqov1Yy9jvO/0b8WFNOqFX0REvUfWwR1dv046SHKJPs5rNaya\n25L4pEX27BzSPjR7dY812U2YmIvBpbuA1Mp1Kwrc7+lgmxEGeaC4P3u2V2rMTfEL\nvDitSBUgCmJXPO7eCiJYqGZEiJq9FSYQuTGT4OECgYEAjR+dtmZkcszRo77XdXDo\nRFMlx47R5Xk4R2+faYneCkNJ/MqZdeQ3CxcfQFQHpNJb+1kacXusRDvlm2/777fj\nCOLxaxY6akOEG6dkgmWHzzm9JpmZ63g0I9k+C3zbyQnFyNRQmNW2gGCVwekRmAz+\n/a98+6ip2LRkTQYhZ064rfc=\n-----END PRIVATE KEY-----";
}
];
clients = [
{
client_id = "jellyfin";
client_name = "Jellyfin";
# af0WDhM6DILapBO.8Puu8IR1tyXLPqQNUoROgx4A8JWVIxRno4IhvXCMaN1zveuJzw1yw2h3
client_secret = "$pbkdf2-sha512$310000$9C/krTomC0MUJ2QosHwEKA$43H4gm6yaz.fU5eZsN/KxPDuL/S4jPjaNOcAKyU/uz7IVNDSQo71XQ3sqKZITZ/FLYTN5kxTlVUhEMB9Orlh1g";
token_endpoint_auth_method = "client_secret_post";
public = false;
require_pkce = true;
pkce_challenge_method = "S256";
authorization_policy = "one_factor";
userinfo_signed_response_alg = "none";
consent_mode = "implicit";
scopes = [ "openid" "profile" "groups" ];
redirect_uris = [ "https://jellyfin.kruining.eu/sso/OID/redirect/authelia" ];
}
{
client_id = "streamarr";
client_name = "Streamarr";
# ZPuiW2gpVV6MGXIJFk5P3EeSW8V_ICgqduF.hJVCKkrnVmRqIQXRk0o~HSA8ZdCf8joA4m_F
client_secret = "$pbkdf2-sha512$310000$CzZjvJT75bz5z7MjwxsEtg$JtOiIgaY5/HcLLxJgyX4zvsQV9jIoow0e4JdlFsk/LWRDOJ0kc.PzstlYfw7QERTXtJILoWsDqPzmvpneK5Leg";
public = false;
require_pkce = true;
pkce_challenge_method = "S256";
token_endpoint_auth_method = "client_secret_post";
authorization_policy = "one_factor";
userinfo_signed_response_alg = "none";
consent_mode = "implicit";
scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ];
redirect_uris = [ "http://localhost:3000/api/auth/oauth2/callback/authelia" ];
}
];
};
};
};
systemd = {
tmpfiles.rules = [
"d /var/lib/authelia-testing 400 ${user} ${user} -"
];
};
# These should not be set from nix but through other means to not leak the secret!
# This is purely for testing purposes!
environment.etc = {
"authelia/testing/storageEncryptionKeyFile" = {
mode = "0400";
user = user;
text = "you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this";
};
"authelia/testing/jwtSecretFile" = {
mode = "0400";
user = user;
text = "a_very_important_secret";
};
"authelia/testing/sessionSecrets" = {
mode = "0400";
user = user;
text = "some_session_secrets";
};
"authelia/testing/users_database.yml" = {
mode = "0400";
user = user;
text = ''
users:
chris:
disabled: false
displayname: Chris Kruining
password: $argon2id$v=19$m=65536,t=3,p=4$xl+ILZXFedOXb0Vb/Pao0Q$jfTun8xPYLQNcsjZCcyCeXMzxHAQWOtR7+4BJ+VS6n4
email: 'chris@kruining.eu'
picture: 'https://avatars.githubusercontent.com/u/5786905?v=4'
groups:
- jellyfin-admins
- jellyfin-users
- admin
- dev
jacqueline:
disabled: false
displayname: Jacqueline Bevers
password: $argon2id$v=19$m=65536,t=3,p=4$XgN8yEJV+syAE5yeos3HsA$SlN+j/lJfxJ5VxLu2CdrwowlCiWQNNGhIrSyDpohq18
groups:
- jellyfin-users
martijn:
disabled: false
displayname: Martijn Kruining
password: $argon2id$v=19$m=65536,t=3,p=4$XgN8yEJV+syAE5yeos3HsA$SlN+j/lJfxJ5VxLu2CdrwowlCiWQNNGhIrSyDpohq18
groups:
- jellyfin-users
andrea:
disabled: false
displayname: Andrea Kruining
password: $argon2id$v=19$m=65536,t=3,p=4$XgN8yEJV+syAE5yeos3HsA$SlN+j/lJfxJ5VxLu2CdrwowlCiWQNNGhIrSyDpohq18
groups:
- jellyfin-users
'';
};
};
services.caddy = {
enable = true;
virtualHosts = {
"auth.kruining.eu".extraConfig = ''
reverse_proxy http://127.0.0.1:9091
'';
};
extraConfig = ''
(auth) {
forward_auth http://127.0.0.1:9091 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
}
'';
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
};
}

86
_modules/system/services/auth/zitadel.nix Normal file
View file

@ -0,0 +1,86 @@
{ config, options, lib, pkgs, ... }:
let
inherit (lib) mkIf mkEnableOption;
cfg = config.modules.services.auth.zitadel;
db_name = "zitadel";
db_user = "zitadel";
in
{
options.modules.services.auth.zitadel = {
enable = mkEnableOption "Zitadel";
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [
zitadel
];
services = {
zitadel = {
enable = true;
openFirewall = true;
masterKeyFile = config.sops.secrets."zitadel/masterKey".path;
tlsMode = "external";
settings = {
Port = 9092;
Database = {
Host = "/run/postgresql";
# Zitadel will report error if port is not set
Port = 5432;
Database = db_name;
User.Username = db_user;
};
};
steps = {
TestInstance = {
InstanceName = "Zitadel test";
Org = {
Name = "Kruining.eu";
Human = {
UserName = "admin";
Password = "kaas";
};
};
};
};
};
postgresql = {
enable = true;
ensureDatabases = [ db_name ];
ensureUsers = [
{
name = db_user;
ensureDBOwnership = true;
}
];
};
caddy = {
enable = true;
virtualHosts = {
"auth-z.kruining.eu".extraConfig = ''
reverse_proxy h2c://127.0.0.1:9092
'';
};
# extraConfig = ''
# (auth) {
# forward_auth h2c://127.0.0.1:9092 {
# uri /api/authz/forward-auth
# copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
# }
# }
# '';
};
};
# Secrets
sops.secrets."zitadel/masterKey" = {
owner = "zitadel";
group = "zitadel";
restartUnits = [ "zitadel.service" ];
};
};
}

4
_modules/system/services/default.nix Normal file
View file

@ -0,0 +1,4 @@
{ ... }:
{
options.modules.services = {};
}

168
_modules/system/services/games/minecraft.nix Normal file
View file

@ -0,0 +1,168 @@
{ inputs, config, lib, pkgs, ... }:
let
inherit (lib.modules) mkIf;
in
{
imports = [
inputs.nix-minecraft.nixosModules.minecraft-servers
];
options.modules.services.games.minecraft = let
inherit (lib.options) mkEnableOption;
in {
enable = mkEnableOption "Minecraft";
};
config = mkIf config.modules.services.games.minecraft.enable {
user.users."minecraft" = {
isSystemUser = true;
group = "minecraft";
};
services = {
minecraft-servers = {
enable = true;
eula = true;
openFirewall = true;
user = "minecraft";
dataDir = "/var/lib/minecraft";
managementSystem = {
tmux.enable = false;
systemd-socket.enable = true;
};
servers = let
whitelist = {
ChrisPBacon = "e6128495-075b-44a9-87f6-8d844d5ea0e4";
satanjr616 = "1718f9d5-df1d-4aac-b10c-3229a0f1e8b2";
Ono95 = "010e7652-6d5d-4f9e-af89-438c8fe694ca";
JackLeLumber = "41910a94-8c8e-4528-a8ca-a2d7043f069d";
DarkyLink = "6faddb7f-12a9-4aac-bc08-dd6db892a380";
Archonite86 = "b5ab594d-de1c-4453-ba32-9107452be51b";
NotACultist86 = "44ac3f7c-0e18-4234-bb04-11a0652cdaeb";
};
ops = [
{
uuid = "e6128495-075b-44a9-87f6-8d844d5ea0e4";
name = "ChrisPBacon";
level = 4;
bypassesPlayerLimit = false;
}
{
uuid = "6faddb7f-12a9-4aac-bc08-dd6db892a380";
name = "DarkyLink";
level = 4;
bypassesPlayerLimit = false;
}
];
jvmOpts = "-Xms2048M -Xmx2048M -XX:+UseG1GC";
in {
vanilla = {
enable = true;
autoStart = true;
restart = "always";
inherit whitelist;
inherit jvmOpts;
package = pkgs.fabricServers.fabric-1_21_4.override { loaderVersion = "0.16.10"; };
serverProperties = {
gamemode = "survival";
difficulty = 3;
motd = "Chris' vanilla server";
white-list = true;
simulation-distance = 10;
server-port = 25501;
level-name = "world";
allow-flight = true;
enable-command-block = true;
enforce-whitelist = true;
spawn-protection = 0;
};
files."ops.json" = {
value = ops;
};
symlinks = let
inherit (builtins) attrValues;
inherit (pkgs) linkFarmFromDrvs fetchurl;
in {
mods = linkFarmFromDrvs "mods" (attrValues {
FabricApi = fetchurl { url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/ZNwYCTsk/fabric-api-0.118.0%2B1.21.4.jar"; sha512 = "1e0d31b6663dc2c7be648f3a5a9cf7b698b9a0fd0f7ae16d1d3f32d943d7c5205ff63a4f81b0c4e94a8997482cce026b7ca486e99d9ce35ac069aeb29b02a30d"; };
Terralith = fetchurl { url = "https://cdn.modrinth.com/data/8oi3bsk5/versions/MuJMtPGQ/Terralith_1.21.x_v2.5.8.jar"; sha512 = "f862ed5435ce4c11a97d2ea5c40eee9f817c908f3223b5fd3e3fff0562a55111d7429dc73a2f1ca0b1af7b1ff6fa0470ed6efebb5de13336c40bb70fb357dd60"; };
# DistantHorizons = fetchurl { url = "https://cdn.modrinth.com/data/uCdwusMi/versions/jptcCdp2/DistantHorizons-2.2.1-a-1.20.4-forge-fabric.jar"; sha512 = "47368d91099d0b5f364339a69f4e425f8fb1e3a7c3250a8b649da76135e68a22f1a76b191c87e15a5cdc0a1d36bc57f2fa825490d96711d09d96807be97d575d"; };
});
};
};
tekxit = let
inherit (pkgs) fetchzip;
src = fetchzip {
url = "https://tekxit.b-cdn.net/downloads/tekxit4/12.0.0Tekxit4Server.zip";
hash = "sha256-4NqeMGOpji/gMH8XX8RemkBAOB9ID/i1S3/xXgD23to=";
stripRoot = true;
};
in {
enable = true;
autoStart = true;
restart = "no";
inherit whitelist;
inherit jvmOpts;
package = pkgs.fabricServers.fabric-1_19_2.override { loaderVersion = "0.16.9"; };
serverProperties = {
gamemode = "survival";
difficulty = 3;
motd = "Chris' vanilla server";
white-list = true;
simulation-distance = 10;
server-port = 25502;
level-name = "world";
allow-flight = true;
enable-command-block = true;
enforce-whitelist = true;
spawn-protection = 0;
};
files = let
inherit (builtins) readDir;
inherit (lib) concatMapAttrs;
readDirRec = src: dir: fn:
concatMapAttrs (name: type: if type == "directory"
then (readDirRec src "${dir}/${name}" fn)
else { "${dir}/${name}" = (fn "${dir}/${name}"); }
) (readDir "${src}/${dir}");
copyDir = dir: readDirRec src dir (x: "${src}/${x}");
in {
"ops.json" = {
value = ops;
};
}
// (copyDir "config");
symlinks = let
inherit (builtins) attrNames readDir map;
inherit (pkgs) linkFarm fetchzip;
linkFarmFromDir = name: dir: linkFarm name (map (x: { name = x; path = "${src}/${dir}/${x}"; }) (attrNames (readDir "${src}/${dir}")));
in {
Deftu = linkFarmFromDir "tekxit-deftu" "Deftu";
TKXAddons = linkFarmFromDir "tekxit-TKXAddons" "TKXAddons";
mods = linkFarmFromDir "tekxit-mods" "mods";
scripts = linkFarmFromDir "tekxit-scripts" "scripts";
};
};
};
};
};
};
}

25
_modules/system/services/games/palworld.nix Normal file
View file

@ -0,0 +1,25 @@
{ config, options, lib, pkgs, ... }:
let
inherit (lib.modules) mkIf;
in
{
options.modules.services.games.palworld = let
inherit (lib.options) mkEnableOption;
in {
enable = mkEnableOption "Palworld";
};
config = mkIf config.modules.services.games.palworld.enable {
# kaas = (pkgs.mkSteamServer rec {
# name = "Palworld";
# src = pkgs.fetchSteam {
# inherit name;
# appId = "2394010";
# hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
# };
#
# sartCmd = "PalServer.sh";
# hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
# });
};
}

167
_modules/system/services/media.nix Normal file
View file

@ -0,0 +1,167 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mkIf;
user = "media";
group = "media";
directory = "/var/media";
in
{
options.modules.services.media = let
inherit (lib.options) mkEnableOption;
in {
enable = mkEnableOption "Media tools";
};
imports = let
extras = fetchTarball {
url = "https://github.com/onny/nixos-nextcloud-testumgebung/archive/fa6f062830b4bc3cedb9694c1dbf01d5fdf775ac.tar.gz";
sha256 = "0gzd0276b8da3ykapgqks2zhsqdv4jjvbv97dsxg0hgrhb74z0fs";
};
in [
"${extras}/nextcloud-extras.nix"
];
config = mkIf config.modules.services.media.enable {
environment.systemPackages = with pkgs; [
podman-tui
jellyfin
jellyfin-web
jellyfin-ffmpeg
jellyseerr
mediainfo
id3v2
yt-dlp
];
# need to permit these outdated packages until servarr finally upgrades at some point...
permittedInsecurePackages = [
"dotnet-sdk-6.0.428"
"aspnetcore-runtime-6.0.36"
];
users = {
users.${user} = {
isSystemUser = true;
group = group;
};
groups.${group} = {};
};
systemd.tmpfiles.rules = [
"d '${directory}/series' 0700 ${user} ${group} - -"
"d '${directory}/movies' 0700 ${user} ${group} - -"
"d '${directory}/music' 0700 ${user} ${group} - -"
"d '${directory}/qbittorrent' 0700 ${user} ${group} - -"
"d '${directory}/sabnzbd' 0700 ${user} ${group} - -"
"d '${directory}/reiverr/config' 0700 ${user} ${group} - -"
"d '${directory}/downloads/incomplete' 0700 ${user} ${group} - -"
"d '${directory}/downloads/done' 0700 ${user} ${group} - -"
];
services = let
serviceConf = {
enable = true;
openFirewall = true;
user = user;
group = group;
};
in {
jellyfin = serviceConf;
radarr = serviceConf;
sonarr = serviceConf;
bazarr = serviceConf;
lidarr = serviceConf;
lanraragi = {
enable = true;
port = 6969;
};
jellyseerr = {
enable = true;
openFirewall = true;
};
prowlarr = {
enable = true;
openFirewall = true;
};
qbittorrent = {
enable = true;
openFirewall = true;
dataDir = "${directory}/qbittorrent";
port = 5000;
user = user;
group = group;
};
sabnzbd = {
enable = true;
openFirewall = true;
configFile = "${directory}/sabnzbd/config.ini";
user = user;
group = group;
};
caddy = {
enable = true;
virtualHosts = {
"media.kruining.eu".extraConfig = ''
import auth
reverse_proxy http://127.0.0.1:9494
'';
"jellyfin.kruining.eu".extraConfig = ''
reverse_proxy http://127.0.0.1:8096
'';
# "series.kruining.eu".extraConfig = ''
# reverse_proxy http://127.0.0.1:8989
# '';
# "movies.kruining.eu".extraConfig = ''
# reverse_proxy http://127.0.0.1:7878
# '';
# "indexer.kruining.eu".extraConfig = ''
# reverse_proxy http://127.0.0.1:9696
# '';
# "torrents.kruining.eu".extraConfig = ''
# reverse_proxy http://127.0.0.1:5000
# '';
# "usenet.kruining.eu".extraConfig = ''
# reverse_proxy http://127.0.0.1:8080
# '';
};
};
};
networking.firewall.allowedTCPPorts = [ 80 443 6969 ];
modules.virtualisation.podman.enable = true;
virtualisation = {
oci-containers = {
backend = "podman";
containers = {
flaresolverr = {
image = "flaresolverr/flaresolverr";
autoStart = true;
ports = [ "127.0.0.1:8191:8191" ];
};
reiverr = {
image = "ghcr.io/aleksilassila/reiverr:v2.2.0";
autoStart = true;
ports = [ "127.0.0.1:9494:9494" ];
volumes = [ "${directory}/reiverr/config:/config" ];
};
};
};
};
systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL";
};
}

79
_modules/system/services/nextcloud.nix Normal file
View file

@ -0,0 +1,79 @@
{ config, lib, pkgs, ... }:
let
inherit (lib.options) mkEnableOption;
inherit (lib.modules) mkIf;
user = "nextcloud";
group = "nextcloud";
in
{
options.modules.services.nextcloud = {
enable = mkEnableOption "Nextcloud";
};
config = mkIf config.modules.services.nextcloud.enable {
users = {
users.${user} = {
isSystemUser = true;
group = group;
};
groups.${group} = {};
};
home-manager.users.${user}.home = {
stateVersion = config.system.stateVersion;
file.".netrc".text = ''
login root
password KaasIsAwesome!
'';
};
services.nextcloud = {
enable = true;
webserver = "caddy";
package = pkgs.nextcloud31;
hostName = "localhost";
config = {
adminpassFile = "/var/lib/nextcloud/admin-pass";
dbtype = "sqlite";
};
};
# systemd.user = {
# services.nextcloud-autosync = {
# Unit = {
# Description = "Automatic nextcloud sync";
# After = "network-online.target";
# };
# WantedBy = [ "multi-user.target" ];
# Service = {
# Type = "simple";
# ExecStart = "${pkgs.nextcloud-client}/bin/nextcloudcmd -h -n --path /var/media/music https://cloud.kruining.eu";
# TimeoutStopSec = "180";
# KillMode = "process";
# KillSignal = "SIGINT";
# };
# };
# timers.nextcloud-autosync = {
# Unit.Description = "Automatic nextcloud sync";
# Timer.OnBootSec = "5min";
# Timer.OnUnitActiveSec = "60min";
# Install.WantedBy = [ "multi-user.target" "timers.target" ];
# };
# startServices = true;
# };
services.caddy = {
enable = true;
virtualHosts."cloud.kruining.eu".extraConfig = ''
php_fastcgi unix//run/phpfpm/nextcloud.sock {
env front_controller_active true
}
'';
};
};
}

29
_modules/system/services/security.nix Normal file
View file

@ -0,0 +1,29 @@
{ config, lib, pkgs, ... }:
let
inherit (lib.options) mkEnableOption;
inherit (lib.modules) mkIf;
cfg = config.modules.services.security;
in
{
options.modules.services.security = {
enable = mkEnableOption "Security service(s): Vaultwarden";
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [
vaultwarden
vaultwarden-postgresql
];
services.vaultwarden = {
enable = true;
dbBackend = "postgresql";
config = {
SIGNUPS_ALLOWED = false;
DOMAIN = "https://passwords.kruining.eu";
};
};
};
}

11
_modules/system/shell/default.nix Normal file
View file

@ -0,0 +1,11 @@
{ config, lib, ... }:
let
inherit (lib.modules) mkIf;
cfg = config.modules.shell;
in
{
options.modules.shell = {};
config = mkIf cfg.enable {};
}

15
_modules/system/shell/zsh.nix Normal file
View file

@ -0,0 +1,15 @@
{ config, lib, ... }: let
inherit (lib.options) mkEnableOption;
inherit (lib.modules) mkIf;
cfg = config.modules.shell.zsh;
in
{
options.modules.shell.zsh = {
enable = mkEnableOption "enable ZSH";
};
config = mkIf cfg.enable {
programs.zsh.enable = true;
};
}

36
_modules/system/system/audio.nix Normal file
View file

@ -0,0 +1,36 @@
{ config, lib, pkgs, ... }:
let
inherit (lib.attrsets) attrValues;
inherit (lib.modules) mkIf;
cfg = config.modules.system.audio;
in
{
options.modules.system.audio = let
inherit (lib.options) mkEnableOption;
in
{
enable = mkEnableOption "modern audio support";
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [
# easyeffects
sof-firmware
];
security.rtkit.enable = true;
services.pulseaudio.enable = false;
services.pipewire = {
enable = true;
wireplumber.enable = true;
pulse.enable = true;
alsa = {
enable = true;
support32Bit = true;
};
};
};
}

30
_modules/system/system/bluetooth.nix Normal file
View file

@ -0,0 +1,30 @@
{ config, lib, ... }:
let
inherit (lib.modules) mkIf;
inherit (lib.options) mkEnableOption;
cfg = config.modules.system.bluetooth;
in
{
options.modules.system.bluetooth = {
enable = mkEnableOption "enable bluetooth";
};
config = mkIf cfg.enable {
hardware = {
bluetooth = {
enable = true;
powerOnBoot = true;
};
};
services.pipewire.wireplumber.extraConfig.bluetoothEnhancements = {
"monitor.bluez.properties" = {
"bluez5.enable-sbc-xq" = true;
"bluez5.enable-msbc" = true;
"bluez5.enable-hw-volume" = true;
"bluez5.roles" = [ "hsp_hs" "hsp_ag" "hfp_hf" "hfp_ag" ];
};
};
};
}

49
_modules/system/theming.nix Normal file
View file

@ -0,0 +1,49 @@
{ inputs, config, lib, pkgs, ... }:
let
inherit (lib) mkIf;
inherit (lib.options) mkEnableOption;
cfg = config.modules.theming;
in
{
imports = [
inputs.stylix.nixosModules.stylix
];
options.modules.theming = {
enable = mkEnableOption "enable theming";
};
config = mkIf cfg.enable {
stylix = {
enable = true;
autoEnable = true;
# base16Scheme = "${pkgs.base16-schemes}/share/themes/${cfg.theme}.yaml";
# image = ./${cfg.theme}.jpg;
# polarity = cfg.polarity;
fonts = {
serif = {
package = pkgs.dejavu_fonts;
name = "DejaVu Serif";
};
sansSerif = {
package = pkgs.dejavu_fonts;
name = "DejaVu Sans";
};
monospace = {
package = pkgs.nerd-fonts.jetbrains-mono;
name = "JetBrainsMono Nerd Font Mono";
};
emoji = {
package = pkgs.noto-fonts-emoji;
name = "Noto Color Emoji";
};
};
};
};
}

7
_modules/system/virtualisation/default.nix Normal file
View file

@ -0,0 +1,7 @@
{ config, options, lib, pkgs, ... }:
let
inherit (lib) mkIf mkEnableOption;
in
{
options.modules.virtualisation = {};
}

26
_modules/system/virtualisation/podman.nix Normal file
View file

@ -0,0 +1,26 @@
{ config, options, lib, pkgs, ... }:
let
inherit (lib.modules) mkIf;
cfg = config.modules.virtualisation.podman;
in
{
options.modules.virtualisation.podman = let
inherit (lib.options) mkEnableOption;
in
{
enable = mkEnableOption "enable podman";
};
config = mkIf config.modules.virtualisation.podman.enable {
virtualisation = {
containers.enable = true;
podman = {
enable = true;
dockerCompat = true;
defaultNetwork.settings.dns_enabled = true;
};
};
};
}

35
_modules/system/zsa_voyager.nix Normal file
View file

@ -0,0 +1,35 @@
{ config, pkgs, options, ... }:
{
environment.systemPackages = with pkgs; [
keymapp
];
hardware.keyboard.zsa.enable = true;
services.udev.extraRules = ''
# Rules for Oryx web flashing and live training
KERNEL=="hidraw*", ATTRS{idVendor}=="16c0", MODE="0664", GROUP="plugdev"
KERNEL=="hidraw*", ATTRS{idVendor}=="3297", MODE="0664", GROUP="plugdev"
# Legacy rules for live training over webusb (Not needed for firmware v21+)
# Rule for all ZSA keyboards
SUBSYSTEM=="usb", ATTR{idVendor}=="3297", GROUP="plugdev"
# Rule for the Moonlander
SUBSYSTEM=="usb", ATTR{idVendor}=="3297", ATTR{idProduct}=="1969", GROUP="plugdev"
# Rule for the Ergodox EZ
SUBSYSTEM=="usb", ATTR{idVendor}=="feed", ATTR{idProduct}=="1307", GROUP="plugdev"
# Rule for the Planck EZ
SUBSYSTEM=="usb", ATTR{idVendor}=="feed", ATTR{idProduct}=="6060", GROUP="plugdev"
# Wally Flashing rules for the Ergodox EZ
ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", ENV{ID_MM_DEVICE_IGNORE}="1"
ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789A]?", ENV{MTP_NO_PROBE}="1"
SUBSYSTEMS=="usb", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789ABCD]?", MODE:="0666"
KERNEL=="ttyACM*", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", MODE:="0666"
# Keymapp / Wally Flashing rules for the Moonlander and Planck EZ
SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", MODE:="0666", SYMLINK+="stm32_dfu"
# Keymapp Flashing rules for the Voyager
SUBSYSTEMS=="usb", ATTRS{idVendor}=="3297", MODE:="0666", SYMLINK+="ignition_dfu"
'';
}