
2cbacf93b6 hosts/helios: add initial disko config 2025-08-23 21:39:28 +01:00
14 changed files with 174 additions and 200 deletions

104
flake.lock generated

@@ -71,11 +71,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1755946532, "lastModified": 1753216019,
"narHash": "sha256-POePremlUY5GyA1zfbtic6XLxDaQcqHN6l+bIxdT5gc=", "narHash": "sha256-zik7WISrR1ks2l6T1MZqZHb/OqroHdJnSnAehkE0kCk=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "aquamarine", "repo": "aquamarine",
"rev": "81584dae2df6ac79f6b6dae0ecb7705e95129ada", "rev": "be166e11d86ba4186db93e10c54a141058bdce49",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -213,11 +213,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1756115622, "lastModified": 1755519972,
"narHash": "sha256-iv8xVtmLMNLWFcDM/HcAPLRGONyTRpzL9NS09RnryRM=", "narHash": "sha256-bU4nqi3IpsUZJeyS8Jk85ytlX61i4b0KCxXX9YcOgVc=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "bafad29f89e83b2d861b493aa23034ea16595560", "rev": "4073ff2f481f9ef3501678ff479ed81402caae6d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -229,11 +229,11 @@
"firefox-gnome-theme": { "firefox-gnome-theme": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1756083905, "lastModified": 1755874650,
"narHash": "sha256-UqYGTBgI5ypGh0Kf6zZjom/vABg7HQocB4gmxzl12uo=", "narHash": "sha256-ClHCtrzwU6TIfK0qOzAsfPY4swrpbZ8SwUpBpVwphaY=",
"owner": "rafaelmardojai", "owner": "rafaelmardojai",
"repo": "firefox-gnome-theme", "repo": "firefox-gnome-theme",
"rev": "b655eaf16d4cbec9c3472f62eee285d4b419a808", "rev": "6fafa0409ad451b90db466f900b7549a1890bf1a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -517,11 +517,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1756245065, "lastModified": 1755928099,
"narHash": "sha256-aAZNbGcWrVRZgWgkQbkabSGcDVRDMgON4BipMy69gvI=", "narHash": "sha256-OILVkfhRCm8u18IZ2DKR8gz8CVZM2ZcJmQBXmjFLIfk=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "54b2879ce622d44415e727905925e21b8f833a98", "rev": "4a44fb9f7555da362af9d499817084f4288a957f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -576,11 +576,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1755678602, "lastModified": 1754305013,
"narHash": "sha256-uEC5O/NIUNs1zmc1aH1+G3GRACbODjk2iS0ET5hXtuk=", "narHash": "sha256-u+M2f0Xf1lVHzIPQ7DsNCDkM1NYxykOSsRr4t3TbSM4=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprgraphics", "repo": "hyprgraphics",
"rev": "157cc52065a104fc3b8fa542ae648b992421d1c7", "rev": "4c1d63a0f22135db123fc789f174b89544c6ec2d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -605,11 +605,11 @@
"xdph": "xdph" "xdph": "xdph"
}, },
"locked": { "locked": {
"lastModified": 1756498600, "lastModified": 1755883465,
"narHash": "sha256-09FSU9GTVyDlTcXjsjzumfUkIJUwht1DESNh41kufdc=", "narHash": "sha256-/yviTS9piazXoZAmnN0dXnYjDAFvooBnzJfPw2Gi30Y=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "Hyprland", "repo": "Hyprland",
"rev": "ea42041f936d5810c5cfa45d6bece12dde2fd9b6", "rev": "0d45b277d6c750377b336034b8adc53eae238d91",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -635,11 +635,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1756461489, "lastModified": 1755183521,
"narHash": "sha256-MeRYPD6GTbBEcoEqwl8kqCSKtM8CJcYayvPfKGoQkzc=", "narHash": "sha256-wrP8TM2lb2x0+PyTc7Uc3yfVBeIlYW7+hFeG14N9Cr8=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprland-plugins", "repo": "hyprland-plugins",
"rev": "376d08bbbd861f2125f5ef86e0003e3636ce110f", "rev": "c1ddebb423acc7c88653c04de5ddafee64dac89a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -782,11 +782,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1756117388, "lastModified": 1754481650,
"narHash": "sha256-oRDel6pNl/T2tI+nc/USU9ZP9w08dxtl7hiZxa0C/Wc=", "narHash": "sha256-6u6HdEFJh5gY6VfyMQbhP7zDdVcqOrCDTkbiHJmAtMI=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprutils", "repo": "hyprutils",
"rev": "b2ae3204845f5f2f79b4703b441252d8ad2ecfd0", "rev": "df6b8820c4a0835d83d0c7c7be86fbc555f1f7fd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -807,11 +807,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1755184602, "lastModified": 1751897909,
"narHash": "sha256-RCBQN8xuADB0LEgaKbfRqwm6CdyopE1xIEhNc67FAbw=", "narHash": "sha256-FnhBENxihITZldThvbO7883PdXC/2dzW4eiNvtoV5Ao=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprwayland-scanner", "repo": "hyprwayland-scanner",
"rev": "b3b0f1f40ae09d4447c20608e5a4faf8bf3c492d", "rev": "fcca0c61f988a9d092cbb33e906775014c61579d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -906,11 +906,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1756245047, "lastModified": 1755330281,
"narHash": "sha256-9bHzrVbjAudbO8q4vYFBWlEkDam31fsz0J7GB8k4AsI=", "narHash": "sha256-aJHFJWP9AuI8jUGzI77LYcSlkA9wJnOIg4ZqftwNGXA=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "a65b650d6981e23edd1afa1f01eb942f19cdcbb7", "rev": "3dac8a872557e0ca8c083cdcfc2f218d18e113b0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -946,11 +946,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1756266583, "lastModified": 1754725699,
"narHash": "sha256-cr748nSmpfvnhqSXPiCfUPxRz2FJnvf/RjJGvFfaCsM=", "narHash": "sha256-iAcj9T/Y+3DBy2J0N+yF9XQQQ8IEb5swLFzs23CdP88=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "8a6d5427d99ec71c64f0b93d45778c889005d9c2", "rev": "85dbfc7aaf52ecb755f87e577ddbe6dbbdbc1054",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -993,11 +993,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1756542300, "lastModified": 1755615617,
"narHash": "sha256-tlOn88coG5fzdyqz6R93SQL5Gpq+m/DsWpekNFhqPQk=", "narHash": "sha256-HMwfAJBdrr8wXAkbGhtcby1zGFvs+StOp19xNsbqdOg=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "d7600c775f877cd87b4f5a831c28aa94137377aa", "rev": "20075955deac2583bb12f07151c2df830ef346b4",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1008,11 +1008,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1756469547, "lastModified": 1755704039,
"narHash": "sha256-YvtD2E7MYsQ3r7K9K2G7nCslCKMPShoSEAtbjHLtH0k=", "narHash": "sha256-gKlP0LbyJ3qX0KObfIWcp5nbuHSb5EHwIvU6UcNBg2A=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "41d292bfc37309790f70f4c120b79280ce40af16", "rev": "9cb344e96d5b6918e94e1bca2d9f3ea1e9615545",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1078,11 +1078,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1755960406, "lastModified": 1754416808,
"narHash": "sha256-RF7j6C1TmSTK9tYWO6CdEMtg6XZaUKcvZwOCD2SICZs=", "narHash": "sha256-c6yg0EQ9xVESx6HGDOCMcyRSjaTpNJP10ef+6fRcofA=",
"owner": "cachix", "owner": "cachix",
"repo": "git-hooks.nix", "repo": "git-hooks.nix",
"rev": "e891a93b193fcaf2fc8012d890dc7f0befe86ec2", "rev": "9c52372878df6911f9afc1e2a1391f55e4dfc864",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1100,11 +1100,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1755960406, "lastModified": 1755879220,
"narHash": "sha256-RF7j6C1TmSTK9tYWO6CdEMtg6XZaUKcvZwOCD2SICZs=", "narHash": "sha256-2KZl6cU5rzEwXKMW369kLTzinJXXkF3TRExA6qEeVbc=",
"owner": "cachix", "owner": "cachix",
"repo": "git-hooks.nix", "repo": "git-hooks.nix",
"rev": "e891a93b193fcaf2fc8012d890dc7f0befe86ec2", "rev": "3ff4596663c8cbbffe06d863ee4c950bce2c3b78",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1143,11 +1143,11 @@
"secrets": { "secrets": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1756051653, "lastModified": 1755887038,
"narHash": "sha256-JJkQliqI7zn+esLnKQP82eQEuolNz8IELm/BYGPTvEw=", "narHash": "sha256-HoEMwFfR3rwNxwJjFCbj3rfW8k6EabHuMJAZOwsT95c=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "01cf200f61946ac9f259f9163933ea1749cb3531", "rev": "9e47b557087ebde3a30c9f97189d110c29d144fd",
"revCount": 41, "revCount": 40,
"type": "git", "type": "git",
"url": "ssh://git@git.vimium.com/jordan/nix-secrets.git" "url": "ssh://git@git.vimium.com/jordan/nix-secrets.git"
}, },
@@ -1349,11 +1349,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1755354946, "lastModified": 1753633878,
"narHash": "sha256-zdov5f/GcoLQc9qYIS1dUTqtJMeDqmBmo59PAxze6e4=", "narHash": "sha256-js2sLRtsOUA/aT10OCDaTjO80yplqwOIaLUqEe0nMx0=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "xdg-desktop-portal-hyprland", "repo": "xdg-desktop-portal-hyprland",
"rev": "a10726d6a8d0ef1a0c645378f983b6278c42eaa0", "rev": "371b96bd11ad2006ed4f21229dbd1be69bed3e8a",
"type": "github" "type": "github"
}, },
"original": { "original": {


@@ -113,10 +113,10 @@
}: }:
flake-parts.lib.mkFlake { inherit inputs; } { flake-parts.lib.mkFlake { inherit inputs; } {
imports = [ imports = [
inputs.agenix-rekey.flakeModule
inputs.pre-commit-hooks.flakeModule inputs.pre-commit-hooks.flakeModule
inputs.nix-topology.flakeModule inputs.nix-topology.flakeModule
inputs.treefmt-nix.flakeModule inputs.treefmt-nix.flakeModule
./nix/agenix-rekey.nix
./nix/devshell.nix ./nix/devshell.nix
./nix/hosts.nix ./nix/hosts.nix
]; ];
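Review bot: Exactly one of `inputs.agenix-rekey.flakeModule` and `./nix/agenix-rekey.nix` remains in this `imports` list on the new side (the hunk is 10 → 10 lines) and this render does not show which, so the survivor needs to be reconciled with the rest of the diff. `nix/agenix-rekey.nix` is deleted outright further down, and the agenix-rekey NixOS module plus the `age.rekey` block are dropped from the hosts module, so a surviving `./nix/agenix-rekey.nix` entry is a dangling path that fails at evaluation, while a surviving `inputs.agenix-rekey.flakeModule` entry keeps an `agenix-rekey` flake input that nothing else visible in this diff uses. Whichever is intended, a short comment on the line saying where secrets are now (re)keyed would spare the next reader the same reconstruction. The enclosing `mkFlake` call starts and ends outside the hunk.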


@@ -6,19 +6,12 @@
}: }:
{ {
imports = [ imports = [
inputs.agenix.nixosModules.default inputs.agenix.nixosModules.age
inputs.agenix-rekey.nixosModules.default
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
../modules/nixos ../modules/nixos
../modules/nixos/impermanence.nix ../modules/nixos/impermanence.nix
]; ];
age.rekey = {
masterIdentities = [ ../secrets/yubikey-nix-primary.pub ];
storageMode = "local";
localStorageDir = ./. + "/secrets/rekeyed/${config.networking.hostName}";
};
nixpkgs = { nixpkgs = {
config.allowUnfree = true; config.allowUnfree = true;
overlays = [ overlays = [


@@ -1,4 +1,5 @@
{ {
inputs,
pkgs, pkgs,
lib, lib,
... ...
@@ -9,7 +10,9 @@ let
in in
{ {
imports = [ imports = [
inputs.disko.nixosModules.disko
./hardware-configuration.nix ./hardware-configuration.nix
./disko-config.nix
../desktop.nix ../desktop.nix
../../users/jordan ../../users/jordan
]; ];
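Review bot: `inputs.disko.nixosModules.disko` is imported per host here, whereas the other shared NixOS modules (agenix, home-manager, impermanence) are imported once in the hosts module's `imports` list elsewhere in this diff; if more hosts get disko layouts, the module import belongs there and only `./disko-config.nix` stays host-local. That would also make the newly added `inputs` argument in this file's parameter set unnecessary. The `let … in` block and the attribute set continue outside the hunk.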


@@ -0,0 +1,101 @@
{ ... }:
{
disko.devices = {
disk = {
main = {
type = "disk";
device = "/dev/disk/by-id/ata-SanDisk_Ultra_II_480GB_162224802391";
content = {
type = "gpt";
partitions = {
MBR = {
size = "1M";
type = "EF02"; # For GRUB MBR
};
boot = {
size = "500M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "rpool";
};
};
};
};
};
};
zpool = {
rpool = {
type = "zpool";
options = {
ashift = "12";
};
rootFsOptions = {
compression = "zstd";
acltype = "posix";
atime = "off";
xattr = "sa";
dnodesize = "auto";
mountpoint = "none";
canmount = "off";
devices = "off";
exec = "off";
setuid = "off";
};
datasets = {
"local" = {
type = "zfs_fs";
};
"local/root" = {
type = "zfs_fs";
mountpoint = "/";
options = {
canmount = "noauto";
mountpoint = "/";
exec = "on";
setuid = "on";
};
postCreateHook = "zfs snapshot rpool/local/root@blank";
};
"local/nix" = {
type = "zfs_fs";
mountpoint = "/nix";
options = {
canmount = "noauto";
mountpoint = "/nix";
exec = "on";
setuid = "on";
};
};
"local/state" = {
type = "zfs_fs";
mountpoint = "/state";
options = {
canmount = "noauto";
mountpoint = "/state";
};
};
"safe" = {
type = "zfs_fs";
};
"safe/persist" = {
type = "zfs_fs";
mountpoint = "/persist";
options = {
canmount = "noauto";
mountpoint = "/persist";
};
};
};
};
};
};
}
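Review bot: The pool-wide `exec = "off"`, `setuid = "off"` and `devices = "off"` in `rootFsOptions` are re-enabled only on `local/root` and `local/nix`, so `local/state` (`/state`) and `safe/persist` (`/persist`) inherit noexec/nosuid/nodev; that is a sound default but an easy thing to trip over later if a persisted directory turns out to hold executables, so it deserves a comment at `rootFsOptions`, e.g. `# restrictive pool defaults; only local/root and local/nix re-enable exec/setuid — /state and /persist stay noexec,nosuid,nodev`. The pool is also created without `encryption`/`keyformat`/`keylocation`, and this host imports ../desktop.nix, so either at-rest encryption is intended and should be set in `rootFsOptions`, or the decision to leave `rpool` unencrypted should be recorded next to the `options` block. The `@blank` snapshot in `postCreateHook` is presumably the rollback target for the impermanence module imported by the hosts module; a comment such as `# rollback target for impermanence` on that line would tie the two together.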


@@ -50,17 +50,6 @@
capSysAdmin = true; capSysAdmin = true;
}; };
environment.systemPackages = with pkgs; [
yubikey-manager
age-plugin-yubikey
];
services.udev.packages = with pkgs; [
libfido2
];
services.pcscd.enable = true;
modules = { modules = {
hardware.presonus-studio.enable = true; hardware.presonus-studio.enable = true;
services = { services = {


@@ -6,8 +6,8 @@ VPS hosted in OVH.
## Specs ## Specs
- CPU - 4 vCores - CPU - ??
- Memory - 4 GB - Memory - ??
### Disks ### Disks


@@ -12,7 +12,6 @@
./matrix.nix ./matrix.nix
./nginx.nix ./nginx.nix
./photoprism.nix ./photoprism.nix
./vaultwarden.nix
../server.nix ../server.nix
]; ];


@@ -30,12 +30,6 @@ in
}; };
}; };
# LDAP server binds to tailscale network interface
systemd.services.kanidm = {
requires = [ "tailscaled.service" ];
after = [ "tailscaled.service" ];
};
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"${domain}" = { "${domain}" = {
useACMEHost = "${domain}"; useACMEHost = "${domain}";


@@ -51,14 +51,6 @@ let
domain = serverName; domain = serverName;
}; };
}; };
proxyConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
'';
in in
{ {
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
@@ -108,11 +100,14 @@ in
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://localhost:8008"; proxyPass = "http://localhost:8008";
extraConfig = proxyConfig; extraConfig = ''
proxy_set_header X-Forwarded-For $remote_addr;
'';
}; };
"/_matrix" = { "/_matrix" = {
proxyPass = "http://localhost:8008"; proxyPass = "http://localhost:8008";
extraConfig = proxyConfig + '' extraConfig = ''
proxy_set_header X-Forwarded-For $remote_addr;
client_max_body_size 50M; client_max_body_size 50M;
''; '';
}; };
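Review bot: Inlining `proxy_set_header X-Forwarded-For $remote_addr;` in both `/` and `/_matrix` drops the `X-Forwarded-Proto $scheme` and `Host $host` headers that the removed `proxyConfig` binding (first hunk of this file) used to set; unless `services.nginx.recommendedProxySettings` is enabled outside this hunk, the backend on localhost:8008 no longer learns that the client connection was HTTPS, which affects anything it derives from the forwarded scheme (absolute URLs, secure-cookie handling, logging). Overwriting the header with `$remote_addr` instead of appending via `$proxy_add_x_forwarded_for` is the safer choice at the edge, because a client-supplied `X-Forwarded-For` can no longer reach the backend, and is worth keeping. Since both locations now repeat the same snippet, restoring a single binding with `proxy_set_header X-Forwarded-For $remote_addr;` and `proxy_set_header X-Forwarded-Proto $scheme;` and reusing it in both would avoid the duplication. The `let … in` and the virtualHosts set extend beyond the hunk.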


@@ -164,6 +164,15 @@ in
root = "/var/www/pki.vimium.com"; root = "/var/www/pki.vimium.com";
}; };
}; };
"suhailhussain.com" = {
forceSSL = true;
enableACME = true;
serverAliases = [ "www.suhailhussain.com" ];
extraConfig = nginxErrorPages + nginxEdgeHeaders + nginxStrictHeaders;
locations."/" = {
root = "/var/www/suhailhussain.com";
};
};
"vimium.com" = { "vimium.com" = {
default = true; default = true;
forceSSL = true; forceSSL = true;


@@ -1,73 +0,0 @@
{
inputs,
config,
lib,
...
}:
let
inherit (lib)
mkForce
;
baseDomain = "vimium.com";
domain = "vaultwarden.${baseDomain}";
in
{
age.secrets."files/services/vaultwarden/envfile" = {
file = "${inputs.secrets}/files/services/vaultwarden/envfile.age";
};
services.vaultwarden = {
enable = true;
dbBackend = "sqlite";
backupDir = "/var/cache/vaultwarden-backup";
config = {
dataFolder = mkForce "/var/lib/vaultwarden";
useSysLog = true;
webVaultEnabled = true;
rocketPort = 8222;
signupsAllowed = false;
passwordIterations = 1000000;
invitationsAllowed = true;
invitationOrgName = "Vaultwarden";
domain = "https://${domain}";
};
environmentFile = config.age.secrets."files/services/vaultwarden/envfile".path;
};
services.nginx.virtualHosts = {
"${domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}";
proxyWebsockets = true;
};
};
};
systemd.services.backup-vaultwarden.environment.DATA_FOLDER = mkForce "/var/lib/vaultwarden";
systemd.services.vaultwarden.serviceConfig = {
StateDirectory = mkForce "vaultwarden";
RestartSec = "60";
};
environment.persistence."/persist".directories = [
{
directory = "/var/lib/vaultwarden";
user = "vaultwarden";
group = "vaultwarden";
mode = "0700";
}
];
environment.persistence."/state".directories = [
{
directory = config.services.vaultwarden.backupDir;
user = "vaultwarden";
group = "vaultwarden";
mode = "0700";
}
];
}


@@ -1,29 +0,0 @@
{
inputs,
...
}:
{
imports = [
inputs.agenix-rekey.flakeModule
];
perSystem =
{ config, ... }:
{
agenix-rekey.nixosConfigurations = inputs.self.nixosConfigurations;
devshells.default = {
commands = [
{
inherit (config.agenix-rekey) package;
help = "Edit, generate, and rekey secrets";
}
];
env = [
{
name = "AGENIX_REKEY_ADD_TO_GIT";
value = "true";
}
];
};
};
}


@@ -1,7 +0,0 @@
# Serial: 24187788, Slot: 1
# Name: YubiKey Nix Primary
# Created: Mon, 25 Aug 2025 21:00:00 +0000
# PIN policy: Once (A PIN is required once per session, if set)
# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
# Recipient: age1yubikey1qwwyem3502gqenzet20xdpjnuhhv2cezvzk590jdta9wqkw48p8gj7n4x96
AGE-PLUGIN-YUBIKEY-13SFHZQVZDDFHVHQGGYPC3