From ac6c3688ef1c28d60b33f53c396040ebfef1dc26 Mon Sep 17 00:00:00 2001 From: Thierry Pouplier Date: Mon, 4 Aug 2025 22:15:59 -0400 Subject: [PATCH] Some more work toward a modular config --- flake.lock | 36 ++++++- flake.nix | 14 ++- hosts/lazyworkhorse/configuration.nix | 63 +++++++---- modules/default.nix | 7 ++ modules/nixos/bundles/default.nix | 6 ++ .../nixos}/bundles/graphical-desktop.nix | 4 +- modules/nixos/default.nix | 8 ++ modules/nixos/services/podman.nix | 32 ++++++ modules/nixos/services/traefik.nix | 101 ++++++++++++++++++ nixosModules/default.nix | 13 --- users/gortium.nix | 10 ++ 11 files changed, 252 insertions(+), 42 deletions(-) create mode 100644 modules/default.nix create mode 100644 modules/nixos/bundles/default.nix rename {nixosModules => modules/nixos}/bundles/graphical-desktop.nix (95%) create mode 100644 modules/nixos/default.nix create mode 100644 modules/nixos/services/podman.nix create mode 100644 modules/nixos/services/traefik.nix delete mode 100644 nixosModules/default.nix create mode 100644 users/gortium.nix diff --git a/flake.lock b/flake.lock index faa925e..3c6ef48 100644 --- a/flake.lock +++ b/flake.lock 
@@ -16,9 +16,43 @@ "type": "github" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1744868846, + "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "root": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1754328224, + "narHash": "sha256-glPK8DF329/dXtosV7YSzRlF4n35WDjaVwdOMEoEXHA=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "49021900e69812ba7ddb9e40f9170218a7eca9f4", + "type": "github" + }, + "original": { + "id": "sops-nix", + "type": "indirect" } } }, diff --git a/flake.nix b/flake.nix index 4589a22..45f88f5 100644 --- a/flake.nix +++ b/flake.nix @@ -5,19 +5,17 @@ nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable"; }; - outputs = { self, nixpkgs }: + outputs = { self, nixpkgs, sops-nix, ... }@inputs: let system = "x86_64-linux"; - - pkgs = import nixpkgs { - inherit system; - config = { - allowUnfree = true; - }; + pkgs = import nixpkgs { + inherit system; + config = { + allowUnfree = true; }; + }; in { - nixosConfigurations = { lazyworkhorse = nixpkgs.lib.nixosSystem { specialArgs = { inherit system; }; diff --git a/hosts/lazyworkhorse/configuration.nix b/hosts/lazyworkhorse/configuration.nix index 10c1ef5..dcdc9f2 100644 --- a/hosts/lazyworkhorse/configuration.nix +++ b/hosts/lazyworkhorse/configuration.nix 
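Review bot: The new `outputs = { self, nixpkgs, sops-nix, ... }@inputs:` signature pulls in sops-nix, but the `inputs` block shown as context above still declares only `nixpkgs.url`, and flake.lock records sops-nix with `"type": "indirect"`, so it is resolved through the flake registry rather than from a URL pinned in flake.nix. Declaring it explicitly, `inputs.sops-nix.url = "github:Mic92/sops-nix";` together with `inputs.sops-nix.inputs.nixpkgs.follows = "nixpkgs";`, makes the source declaration reviewable in the repository and drops the second `nixpkgs_2` pin the lock now carries. The `@inputs` binding is also not passed on: `specialArgs = { inherit system; };` is unchanged in this hunk, while the new `users/gortium.nix` takes `inputs` as a module argument, so evaluation is likely to fail on that missing argument unless it is supplied further down in the file.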
@@ -8,35 +8,63 @@ imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix - ./nixosModules/default.nix + ./../../modules/default.nix + ./../../users/gortium.nix ]; # Flakesss nix.settings.experimental-features = [ "nix-command" "flakes" ]; + nix.settings.trusted-users = [ "root" "gortium" ]; + + nix.gc = { + automatic = true; + dates = "weekly"; # You can also use "daily" or a cron-like spec + options = "--delete-older-than 7d"; # Keep only 7 days of unreferenced data + }; + + nix.settings = { + auto-optimise-store = true; # Deduplicate identical files + keep-derivations = false; + keep-outputs = false; + }; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = false; - # networking.hostName = "nixos"; # Define your hostname. + networking.hostName = "lazyworkhorse"; # Define your hostname. # Pick only one of the below networking options. # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + networking.hostId = "deadbeef"; # Set your time zone. time.timeZone = "America/Montreal"; + i18n.defaultLocale = "en_CA.UTF-8"; + i18n.extraLocaleSettings = { + LC_ADDRESS = "en_CA.UTF-8"; + LC_IDENTIFICATION = "en_CA.UTF-8"; + LC_MEASUREMENT = "en_CA.UTF-8"; + LC_MONETARY = "en_CA.UTF-8"; + LC_NAME = "en_CA.UTF-8"; + LC_NUMERIC = "en_CA.UTF-8"; + LC_PAPER = "en_CA.UTF-8"; + LC_TELEPHONE = "en_CA.UTF-8"; + LC_TIME = "en_CA.UTF-8"; + }; + # Configure network proxy if necessary # networking.proxy.default = "http://user:password@proxy:port/"; # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; # Select internationalisation properties. - i18n.defaultLocale = "en_US.UTF-8"; - console = { - font = "Lat2-Terminus16"; - keyMap = "us"; - useXkbConfig = true; # use xkb.options in tty. 
- }; + # i18n.defaultLocale = "en_US.UTF-8"; + # console = { + # font = "Lat2-Terminus16"; + # keyMap = "us"; + # useXkbConfig = true; # use xkb.options in tty. + # }; # Configure keymap in X11 # services.xserver.xkb.layout = "us"; @@ -56,14 +84,8 @@ # Enable touchpad support (enabled default in most desktopManager). # services.libinput.enable = true; - # Define a user account. Don't forget to set a password with ‘passwd’. - users.users.gortium = { - isNormalUser = true; - extraGroups = [ "wheel" "docker" ]; # Enable ‘sudo’ for the user. - packages = with pkgs; [ - tree - ]; - }; + # nvim please + environment.variables.EDITOR = "neovim"; # programs.firefox.enable = true; @@ -72,6 +94,8 @@ environment.systemPackages = with pkgs; [ neovim wget + age + git ]; # Some programs need SUID wrappers, can be configured further or are @@ -85,7 +109,10 @@ # List services that you want to enable: # Enable the OpenSSH daemon. - services.openssh.enable = true; + services.openssh = { + enable = true; + settings.PermitRootLogin = "no"; + }; # Open ports in the firewall. # networking.firewall.allowedTCPPorts = [ ... ]; @@ -96,7 +123,7 @@ # Copy the NixOS configuration file and link it from the resulting system # (/run/current-system/configuration.nix). This is useful in case you # accidentally delete configuration.nix. - system.copySystemConfiguration = true; + # system.copySystemConfiguration = true; # This option defines the first version of NixOS you have installed on this particular machine, # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. diff --git a/modules/default.nix b/modules/default.nix new file mode 100644 index 0000000..9711d7f --- /dev/null +++ b/modules/default.nix @@ -0,0 +1,7 @@ +{ pkgs, lib, config, ... }: { + imports = + [ + # ./home + ./nixos + ]; +} diff --git a/modules/nixos/bundles/default.nix b/modules/nixos/bundles/default.nix new file mode 100644 index 0000000..5f52c2d --- /dev/null 
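Review bot: `nix.settings.trusted-users = [ "root" "gortium" ];` grants gortium root-equivalent rights over the Nix daemon (trusted users may add substituters and import unsigned store paths), which goes beyond what `wheel` already gives; if the goal is only to evaluate and switch flakes as a normal user this line is usually unnecessary, and otherwise it deserves a comment such as `# trusted-users is root-equivalent for the nix daemon; needed for <reason>`. `networking.hostId = "deadbeef";` is a well-known placeholder value; if ZFS is in use the hostId should be a machine-specific value (the manual suggests `head -c 8 /etc/machine-id`), and in any case the reason for setting it should be commented.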
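Review bot: `environment.variables.EDITOR = "neovim";` in the -56,14 hunk names the package rather than the executable; the binary neovim installs is `nvim`, so programs that honor $EDITOR will fail to launch it. Change the line to `environment.variables.EDITOR = "nvim";`.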
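Review bot: The new `services.openssh` block in the -85,7 hunk turns off root login but leaves `PasswordAuthentication` at its NixOS default of enabled, so the `gortium` account remains reachable by password over SSH. Once an `openssh.authorizedKeys.keys` entry exists for the user, adding `settings.PasswordAuthentication = false;` and `settings.KbdInteractiveAuthentication = false;` next to `PermitRootLogin` closes that path; doing it before a key is deployed would lock the host out, so the order of the two changes matters and is worth a comment on the block.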
+++ b/modules/nixos/bundles/default.nix @@ -0,0 +1,6 @@ +{ pkgs, lib, config, ... }: { + imports = + [ + ./graphical-desktop.nix + ]; +} diff --git a/nixosModules/bundles/graphical-desktop.nix b/modules/nixos/bundles/graphical-desktop.nix similarity index 95% rename from nixosModules/bundles/graphical-desktop.nix rename to modules/nixos/bundles/graphical-desktop.nix index 1382e77..ca6eb2e 100644 --- a/nixosModules/bundles/graphical-desktop.nix +++ b/modules/nixos/bundles/graphical-desktop.nix @@ -2,7 +2,7 @@ { pkgs, lib, config, ... }: { options = { - grapfical-desktop.enable = lib.mkEnableOption "enable graphical desktop" + grapfical-desktop.enable = lib.mkEnableOption "enable graphical desktop"; }; config = lib.mkIf config.grapfical-desktop.enable { @@ -16,5 +16,5 @@ xwayland.enable = true; }; programs.waybar.enable = true; - } + }; } diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix new file mode 100644 index 0000000..5cc87b1 --- /dev/null +++ b/modules/nixos/default.nix @@ -0,0 +1,8 @@ +{ pkgs, lib, config, ... }: { + imports = + [ + ./bundles + # ./programs + # ./services + ]; +} diff --git a/modules/nixos/services/podman.nix b/modules/nixos/services/podman.nix new file mode 100644 index 0000000..606a611 --- /dev/null +++ b/modules/nixos/services/podman.nix @@ -0,0 +1,32 @@ +{ + config, + lib, + pkgs, + ... +}: +with lib; let + cfg = config.services.podman; +in { + options.services.podman.enable = mkEnableOption "enable podman"; + + config = mkIf cfg.enable { + virtualisation = { + podman = { + enable = true; + dockerCompat = true; + autoPrune = { + enable = true; + dates = "weekly"; + flags = [ + "--filter=until=24h" + "--filter=label!=important" + ]; + }; + defaultNetwork.settings.dns_enabled = true; + }; + }; + environment.systemPackages = with pkgs; [ + podman-compose + ]; + }; +} diff --git a/modules/nixos/services/traefik.nix b/modules/nixos/services/traefik.nix new file mode 100644 index 0000000..acb312d --- /dev/null 
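Review bot: The re-added line `grapfical-desktop.enable = lib.mkEnableOption "enable graphical desktop";` fixes the missing semicolon but keeps the misspelled option name, and `mkEnableOption` already prefixes "Whether to enable ", so the generated description reads "Whether to enable enable graphical desktop."; `lib.mkEnableOption "the graphical desktop"` (and likewise `mkEnableOption "podman"` in the new modules/nixos/services/podman.nix) gives a sensible description. Renaming the option to `graphical-desktop.enable` while the line is being touched would be cheap, but the `config = lib.mkIf config.grapfical-desktop.enable` context line and any host that sets the option have to change with it; nothing in this diff appears to set it, so the bundle may currently be a no-op once imported.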
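Review bot: `# ./services` stays commented out in the new modules/nixos/default.nix import list and the diffstat lists no `modules/nixos/services/default.nix`, so the new `podman.nix` and `traefik.nix` modules are not reachable from `modules/default.nix` in this commit. If that is intentional while they are being adapted, a comment such as `# ./services  # not wired up yet: podman/traefik still being adapted` would record it; otherwise a `services/default.nix` importing both, with traefik behind an enable option like podman, is the missing piece.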
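Review bot: The new podman.nix opens with `with lib;` at file scope, which hides where `mkEnableOption` and `mkIf` come from and is discouraged by the nixpkgs style guide; `inherit (lib) mkEnableOption mkIf;` in the `let` block, or qualified `lib.mkEnableOption` / `lib.mkIf`, reads the same and keeps names traceable. Note also that `dockerCompat = true;` only provides the `docker` command alias; it creates neither a Docker socket nor a `docker` group, so if Docker-API clients are expected to work, `virtualisation.podman.dockerSocket.enable = true;` with the user in the `podman` group is what applies, and a comment saying which of the two is intended would help the next reader.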
+++ b/modules/nixos/services/traefik.nix
@@ -0,0 +1,101 @@
+{config, ...}: {
+ services.traefik = {
+ enable = true;
+ staticConfigOptions = {
+ log = {level = "WARN";};
+ certificatesResolvers = {
+ godaddy = {
+ acme = {
+ email = "letsencrypt.org.btlc2@passmail.net";
+ storage = "/var/lib/traefik/acme.json";
+ caserver = "https://acme-v02.api.letsencrypt.org/directory";
+ dnsChallenge = {
+ provider = "godaddy";
+ resolvers = ["1.1.1.1:53" "8.8.8.8:53"];
+ propagation = {
+ delayBeforeChecks = 60;
+ disableChecks = true;
+ };
+ };
+ };
+ };
+ };
+ api = {};
+ entryPoints = {
+ web = {
+ address = ":80";
+ http.redirections.entryPoint = {
+ to = "websecure";
+ scheme = "https";
+ };
+ };
+ rtmp = {
+ address = ":1935";
+ };
+ rtmps = {
+ address = ":1945";
+ };
+ websecure = {
+ address = ":443";
+ };
+ };
+ };
+ dynamicConfigOptions = {
+ http = {
+ services = {
+ dummy = {
+ loadBalancer.servers = [
+ {url = "http://192.168.0.1";} # Diese URL wird nie verwendet
+ ];
+ };
+ };
+ middlewares = {
+ domain-redirect = {
+ redirectRegex = {
+ regex = "^https://www\\.m3tam3re\\.com(.*)";
+ replacement = "https://m3ta.dev$1";
+ permanent = true;
+ };
+ };
+ strip-www = {
+ redirectRegex = {
+ regex = "^https://www\\.(.+)";
+ replacement = "https://$1";
+ permanent = true;
+ };
+ };
+ subdomain-redirect = {
+ redirectRegex = {
+ regex = "^https://([a-zA-Z0-9-]+)\\.m3tam3re\\.com(.*)";
+ replacement = "https://$1.m3ta.dev$2";
+ permanent = true;
+ };
+ };
+ auth = {
+ basicAuth = {
+ users = ["m3tam3re:$apr1$1xqdta2b$DIVNvvp5iTUGNccJjguKh."];
+ };
+ };
+ };
+
+ routers = {
+ api = {
+ rule = "Host(`r.m3tam3re.com`)";
+ service = "api@internal";
+ middlewares = ["auth"];
+ entrypoints = ["websecure"];
+ tls = {
+ certResolver = "godaddy";
+ };
+ };
+ };
+ };
+ };
+ };
+
+ systemd.services.traefik.serviceConfig = {
+ EnvironmentFile = ["${config.age.secrets.traefik.path}"];
+ };
+
+ networking.firewall.allowedTCPPorts = [80 443];
+}
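Review bot: `EnvironmentFile = ["${config.age.secrets.traefik.path}"];` reads the agenix option namespace, but this commit adds sops-nix, whose secrets are exposed as `config.sops.secrets.<name>.path`, so importing this module will fail to evaluate until the line becomes something like `EnvironmentFile = [ config.sops.secrets.<SECRET_NAME>.path ];`. The `auth` middleware also commits a credential inline in `basicAuth.users`, and it is an `$apr1$` (MD5-crypt) hash; `basicAuth.usersFile = config.sops.secrets.<SECRET_NAME>.path;` keeps it out of the repository and lets it be regenerated with a stronger scheme (`htpasswd -B` for bcrypt). The domains, e-mail address, redirect regexes and the `dummy` service with its German comment look carried over from the configuration this was adapted from and need replacing before the module is enabled, and the `rtmp`/`rtmps` entrypoints listen on 1935/1945 while no router or firewall rule references them, so either drop them or open and route them deliberately. Finally the static config sets only `log.level`; adding `accessLog = {};` beside it gives the per-request log that investigating an internet-facing proxy usually depends on.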
diff --git a/nixosModules/default.nix b/nixosModules/default.nix
deleted file mode 100644
index c0af48c..0000000
--- a/nixosModules/default.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ pkgs, lib, config, ... }: {
- imports =
- [
- ./bundles/graphical-desktop.nix
- # ./bundles/gaming.nix
- # ./bundles/docker-server.nix
- # ./bundles/terminal.nix
- # ./bundles/csharp-devel.nix
- # ./bundles/sound-music.nix
- # ./bundles/local-ai.nix
- # ./bundles/editors.nix
- ];
-}
diff --git a/users/gortium.nix b/users/gortium.nix
new file mode 100644
index 0000000..9548288
--- /dev/null
+++ b/users/gortium.nix
@@ -0,0 +1,10 @@
+{ pkgs, inputs, config, ... }: {
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ users.users.gortium = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" "docker" ]; # Enable ‘sudo’ for the user.
+ packages = with pkgs; [
+ tree
+ ];
+ };
+}
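Review bot: `extraGroups = [ "wheel" "docker" ];` in the new users/gortium.nix carries the `docker` group over unchanged; on a host running a Docker daemon that group is root-equivalent (Docker documents this), while with the move to podman in this commit, and nothing visible enabling `virtualisation.docker`, it most likely grants nothing, so dropping it (or replacing it with `podman` if the rootful socket is ever enabled) keeps the group list honest. The module header also declares `inputs` and `config` without using them, and `inputs` is not provided via `specialArgs` anywhere in this diff, so trimming it to `{ pkgs, ... }: {` avoids a missing-argument failure at evaluation. With sops-nix now an input, the "set a password with ‘passwd’" comment could give way to a declarative `hashedPasswordFile = config.sops.secrets.<SECRET_NAME>.path;` together with `users.mutableUsers = false;`, so the account's credential is managed the same way as the other secrets.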