migrates dnsc-server

2026-03-04 22:46:08 +01:00 · 2026-03-04 22:46:08 +01:00 · 996dc27419
commit 996dc27419
parent ac4074245c
15 changed files with 318 additions and 9 deletions
--- a/flake.nix
+++ b/flake.nix
@ -20,6 +20,7 @@
    nixpkgs.url = "https://channels.nixos.org/nixpkgs-unstable/nixexprs.tar.xz";
    nixpkgs-lib.follows = "nixpkgs";
    nixvim.url = "github:nix-community/nixvim";
+    agenix.url = "github:ryantm/agenix";
    dms = {
      url = "github:AvengeMedia/DankMaterialShell/stable";
      inputs.nixpkgs.follows = "nixpkgs";
--- a/modules/base/default.nix
+++ b/modules/base/default.nix
@ -108,6 +108,11 @@ in
          "networkmanager"
          "wheel"
        ];
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvXWZOPOJJDAoF+Sx/ZLoAVu6G/7/MAWoknBgMAzjul dennis@dnsc-mac"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnmuxDkpDIku5t1Tykz21u78xoQ7LJR8JEcfth32LGu dennis@dnsc-work"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF8LXdDU3C4PcCHb/BEm1xQIZyo2KTR5Dcuw6ni+SxmH dennis@dnsc-machine"
+        ];
      };
    };
 }
--- a/modules/cli-tools/default.nix
+++ b/modules/cli-tools/default.nix
@ -17,6 +17,8 @@ let
      usbutils
      opencode
      lazygit
+      wget
+      btop
    ];
 in
 {
--- a/modules/hosts/dnsc-server/_hardware-configuration.nix
+++ b/modules/hosts/dnsc-server/_hardware-configuration.nix
@ -0,0 +1,52 @@
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "vmd"
+    "xhci_pci"
+    "ahci"
+    "usb_storage"
+    "usbhid"
+    "sd_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/89318ceb-c0c6-47f2-9cad-99612498bd75";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/EE6C-978E";
+    fsType = "vfat";
+    options = [
+      "fmask=0077"
+      "dmask=0077"
+    ];
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-uuid/9c843b67-418a-4d11-8700-6a0eb866c02c"; }
+  ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/modules/hosts/dnsc-server/default.nix
+++ b/modules/hosts/dnsc-server/default.nix
@ -0,0 +1,41 @@
+{ inputs, config, ... }:
+let
+  hostname = "dnsc-server";
+in
+{
+  flake.nixosConfigurations.${hostname} = inputs.nixpkgs.lib.nixosSystem {
+    system = "x86_64-linux";
+    modules = with config.flake.modules.nixos; [
+      agenix.nixosModules.default
+      home-manager
+      base
+      git
+      ssh
+      zfs
+      ups
+      cli-tools
+      nix
+      jellyfin
+      restic
+      samba-share
+
+      {
+        imports = [ ./_hardware-configuration.nix ];
+        samba-share.path = "/main/share";
+        samba-share.allowedHosts = "192.168.178. 127.0.0.1 localhost";
+        networking.hostName = hostname;
+        system.stateVersion = "24.11";
+
+        # Secrets for this machine
+        age = {
+          identityPaths = [
+            "${config.users.users.dennis.home}/.ssh/id_ed25519"
+          ];
+          secrets."restic/password" = {
+            file = ../../secrets/restic/password.age;
+          };
+        };
+      }
+    ];
+  };
+}
--- a/modules/jellyfin/default.nix
+++ b/modules/jellyfin/default.nix
@ -0,0 +1,32 @@
+{ ... }:
+{
+  flake.modules.nixos.jellyfin =
+    { pkgs, ... }:
+    {
+      services.jellyfin = {
+        enable = true;
+        openFirewall = true;
+      };
+
+      nixpkgs.config.packageOverrides = pkgs: {
+        vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
+      };
+
+      hardware.graphics = {
+        enable = true;
+        extraPackages = with pkgs; [
+          intel-media-driver
+          intel-vaapi-driver
+          libva-vdpau-driver
+          intel-compute-runtime
+          vpl-gpu-rt
+        ];
+      };
+
+      environment.systemPackages = with pkgs; [
+        jellyfin
+        jellyfin-web
+        jellyfin-ffmpeg
+      ];
+    };
+}
--- a/modules/restic/default.nix
+++ b/modules/restic/default.nix
@ -0,0 +1,40 @@
+{ inputs, ... }:
+{
+  flake.modules.nixos.restic =
+    { pkgs, config, ... }:
+    {
+      # Root SSH for storage box
+      programs.ssh = {
+        extraConfig = ''
+          Host dnsc-storage
+            AddKeysToAgent yes
+            Hostname u295965.your-storagebox.de
+            User u295965
+            IdentityFile /root/.ssh/id_ed25519
+            IdentitiesOnly yes
+            Port 23
+        '';
+      };
+
+      services.restic.backups = {
+        "dnsc-storage" = {
+          initialize = true;
+          passwordFile = config.age.secrets."restic/password".path;
+          repository = "sftp:dnsc-storage:restic/dnsc-server";
+          createWrapper = true;
+          paths = [
+            "/main/share"
+            "/data/actual-server"
+          ];
+          pruneOpts = [
+            "--keep-last 3"
+          ];
+          timerConfig = {
+            OnCalendar = "daily";
+            Persistent = true;
+            RandomizedDelaySec = "5h";
+          };
+        };
+      };
+    };
+}
--- a/modules/samba-share/default.nix
+++ b/modules/samba-share/default.nix
@ -0,0 +1,56 @@
+{ lib, ... }:
+{
+  flake.modules.nixos.samba-share =
+    { pkgs, config, lib, ... }:
+    {
+      options.samba-share = {
+        path = lib.mkOption {
+          type = lib.types.str;
+          description = "Path to the directory to share via Samba.";
+        };
+        allowedHosts = lib.mkOption {
+          type = lib.types.str;
+          description = "Space-separated list of allowed hosts/subnets (e.g. \"192.168.1. 127.0.0.1\").";
+        };
+      };
+
+      config = {
+        services.samba = {
+          enable = true;
+          openFirewall = true;
+          settings = {
+            global = {
+              "workgroup" = "WORKGROUP";
+              "security" = "user";
+              "hosts allow" = config.samba-share.allowedHosts;
+              "hosts deny" = "0.0.0.0/0";
+              "guest account" = "nobody";
+              "map to guest" = "bad user";
+            };
+            "share" = {
+              "path" = config.samba-share.path;
+              "browseable" = "yes";
+              "writeable" = "yes";
+              "read only" = "no";
+              "guest ok" = "yes";
+              "force user" = "dennis";
+              "force group" = "users";
+            };
+          };
+        };
+
+        services.samba-wsdd = {
+          enable = true;
+          openFirewall = true;
+        };
+
+        services.avahi = {
+          publish.enable = true;
+          publish.userServices = true;
+          nssmdns4 = true;
+          enable = true;
+          openFirewall = true;
+        };
+      };
+    };
+}
--- a/modules/scrolling-desktop/niri/dms/colors.kdl
+++ b/modules/scrolling-desktop/niri/dms/colors.kdl
@ -5,14 +5,14 @@ layout {
    background-color "transparent"

    focus-ring {
-        active-color   "#c3c0ff"
-        inactive-color "#928f9a"
+        active-color   "#d2bcfd"
+        inactive-color "#948f99"
        urgent-color   "#ffb4ab"
    }

    border {
-        active-color   "#c3c0ff"
-        inactive-color "#928f9a"
+        active-color   "#d2bcfd"
+        inactive-color "#948f99"
        urgent-color   "#ffb4ab"
    }

@ -21,19 +21,19 @@ layout {
    }

    tab-indicator {
-        active-color   "#c3c0ff"
-        inactive-color "#928f9a"
+        active-color   "#d2bcfd"
+        inactive-color "#948f99"
        urgent-color   "#ffb4ab"
    }

    insert-hint {
-        color "#c3c0ff80"
+        color "#d2bcfd80"
    }
 }

 recent-windows {
    highlight {
-        active-color   "#424078"
+        active-color   "#4f3d74"
        urgent-color   "#ffb4ab"
    }
 }
--- a/modules/ssh/default.nix
+++ b/modules/ssh/default.nix
@ -3,7 +3,15 @@
  flake.modules.nixos.ssh =
    { pkgs, ... }:
    {
-      services.openssh.enable = true;
+      services.openssh = {
+        enable = true;
+        settings = {
+          X11Forwarding = false;
+          PermitRootLogin = "no";
+          PasswordAuthentication = false;
+        };
+        openFirewall = true;
+      };

      home-manager.sharedModules = [
        inputs.self.modules.homeManager.ssh
--- a/modules/ups/default.nix
+++ b/modules/ups/default.nix
@ -0,0 +1,22 @@
+{ ... }:
+{
+  flake.modules.nixos.ups =
+    { pkgs, ... }:
+    {
+      power.ups = {
+        enable = true;
+
+        ups."eaton-ups" = {
+          driver = "usbhid-ups";
+          port = "auto";
+        };
+
+        users.upsmon = {
+          passwordFile = "/etc/upsmon.passwd";
+          upsmon = "primary";
+        };
+
+        upsmon.monitor."eaton-ups".user = "upsmon";
+      };
+    };
+}
--- a/modules/zfs/default.nix
+++ b/modules/zfs/default.nix
@ -0,0 +1,15 @@
+{ ... }:
+{
+  flake.modules.nixos.zfs =
+    { pkgs, ... }:
+    {
+      boot.supportedFilesystems = [ "zfs" ];
+      boot.zfs.forceImportRoot = false;
+      boot.zfs.extraPools = [ "main" ];
+
+      services.zfs = {
+        autoSnapshot.enable = true;
+        trim.enable = true;
+      };
+    };
+}
--- a/secrets/restic/password.age
+++ b/secrets/restic/password.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 JIw3cQ u0VpHg/TVASeIVR7/mfbllXrlM71vNpqQhgnfya6vQY
+HKopl3RT1S2+W1Sb95eFUhdH4Fh35KS5l6KLYyfdw/Y
+-> ssh-ed25519 HufN+g Vfe9hzCZm69hjyk9S0/ZFbVkuvTe3nGbNw9BZfuiiAM
+4H1Nfgd8usdv34RuCf3R3J+jyqHj4rnbNHmgkav7VDs
+-> ssh-ed25519 cTYF0w H4NeFzgk/mTkEe6uPXutoh6r6wfpNS0SNJYUi1VNRgg
+AAjgzAkbXLXBVLtMZAPfXOfgGnpgsF6DvH1BK/vW6E0
+--- rEeM9TuloOX1HuwGmtdxk+Mi+NnWYsHndCStBbCqSh4
+³ÞØaÇ“]ê£[&«™ëÜñ™àèü¶©[¦|eµr'EõZáŠÛB?â¿H¸·¬»v<C2BB>Œ4Mr§MüÄ EÊ1óf§J’ÑrÆ«ÕÂ%
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,26 @@
+let
+  dnsc-air = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvXWZOPOJJDAoF+Sx/ZLoAVu6G/7/MAWoknBgMAzjul dennis@dnsc-mac";
+  dnsc-vps-sm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF/sUA38t7TI1LYADLBn898Hh0MTR4maiHVwEtDoN9W5 dnsc-vps-sm";
+  dnsc-server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM3mkEgvHrwjsEReHQHpLbMP71JLvp6XxMPyW7PTaLCd dennis@dnsc-server";
+  systems = [
+    dnsc-air
+    dnsc-vps-sm
+    dnsc-server
+  ];
+in
+{
+  # Add like this: "secret1.age".publicKeys = systems;
+  "vaultwarden/env.age".publicKeys = systems;
+  "restic/password.age".publicKeys = systems;
+}
+
+# 1. Create a file with secret
+# nix run github:ryantm/agenix -- -e $FILE_PATH
+#
+# 2. Reference the file in NixOS config:
+# {
+#  age.secrets.secret1.file = ../secrets/secret1.age;
+# }
+#
+# 3. And use it like this:
+# passwordFile = config.age.secrets.secret1.path;
--- a/secrets/vaultwarden/env.age
+++ b/secrets/vaultwarden/env.age