dennis/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

migrates dnsc-server

Browse source
This commit is contained in:
Dennis Schoepf 2026-03-04 22:46:08 +01:00
parent ac4074245c
commit 996dc27419
15 changed files with 318 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

1
flake.nix
View file

@ -20,6 +20,7 @@
nixpkgs.url = "https://channels.nixos.org/nixpkgs-unstable/nixexprs.tar.xz"; nixpkgs.url = "https://channels.nixos.org/nixpkgs-unstable/nixexprs.tar.xz";
nixpkgs-lib.follows = "nixpkgs"; nixpkgs-lib.follows = "nixpkgs";
nixvim.url = "github:nix-community/nixvim"; nixvim.url = "github:nix-community/nixvim";
agenix.url = "github:ryantm/agenix";
dms = { dms = {
url = "github:AvengeMedia/DankMaterialShell/stable"; url = "github:AvengeMedia/DankMaterialShell/stable";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";

5
modules/base/default.nix
View file

@ -108,6 +108,11 @@ in
"networkmanager" "networkmanager"
"wheel" "wheel"
]; ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvXWZOPOJJDAoF+Sx/ZLoAVu6G/7/MAWoknBgMAzjul dennis@dnsc-mac"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnmuxDkpDIku5t1Tykz21u78xoQ7LJR8JEcfth32LGu dennis@dnsc-work"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF8LXdDU3C4PcCHb/BEm1xQIZyo2KTR5Dcuw6ni+SxmH dennis@dnsc-machine"
];
}; };
}; };
} }

2
modules/cli-tools/default.nix
View file

@ -17,6 +17,8 @@ let
usbutils usbutils
opencode opencode
lazygit lazygit
wget
btop
]; ];
in in
{ {

52
modules/hosts/dnsc-server/_hardware-configuration.nix Normal file
View file

@ -0,0 +1,52 @@
{
config,
lib,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [
"vmd"
"xhci_pci"
"ahci"
"usb_storage"
"usbhid"
"sd_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/89318ceb-c0c6-47f2-9cad-99612498bd75";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/EE6C-978E";
fsType = "vfat";
options = [
"fmask=0077"
"dmask=0077"
];
};
swapDevices = [
{ device = "/dev/disk/by-uuid/9c843b67-418a-4d11-8700-6a0eb866c02c"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

41
modules/hosts/dnsc-server/default.nix Normal file
View file

@ -0,0 +1,41 @@
{ inputs, config, ... }:
let
hostname = "dnsc-server";
in
{
flake.nixosConfigurations.${hostname} = inputs.nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = with config.flake.modules.nixos; [
agenix.nixosModules.default
home-manager
base
git
ssh
zfs
ups
cli-tools
nix
jellyfin
restic
samba-share
{
imports = [ ./_hardware-configuration.nix ];
samba-share.path = "/main/share";
samba-share.allowedHosts = "192.168.178. 127.0.0.1 localhost";
networking.hostName = hostname;
system.stateVersion = "24.11";
# Secrets for this machine
age = {
identityPaths = [
"${config.users.users.dennis.home}/.ssh/id_ed25519"
];
secrets."restic/password" = {
file = ../../secrets/restic/password.age;
};
};
}
];
};
}

32
modules/jellyfin/default.nix Normal file
View file

@ -0,0 +1,32 @@
{ ... }:
{
flake.modules.nixos.jellyfin =
{ pkgs, ... }:
{
services.jellyfin = {
enable = true;
openFirewall = true;
};
nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
};
hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver
intel-vaapi-driver
libva-vdpau-driver
intel-compute-runtime
vpl-gpu-rt
];
};
environment.systemPackages = with pkgs; [
jellyfin
jellyfin-web
jellyfin-ffmpeg
];
};
}

40
modules/restic/default.nix Normal file
View file

@ -0,0 +1,40 @@
{ inputs, ... }:
{
flake.modules.nixos.restic =
{ pkgs, config, ... }:
{
# Root SSH for storage box
programs.ssh = {
extraConfig = ''
Host dnsc-storage
AddKeysToAgent yes
Hostname u295965.your-storagebox.de
User u295965
IdentityFile /root/.ssh/id_ed25519
IdentitiesOnly yes
Port 23
'';
};
services.restic.backups = {
"dnsc-storage" = {
initialize = true;
passwordFile = config.age.secrets."restic/password".path;
repository = "sftp:dnsc-storage:restic/dnsc-server";
createWrapper = true;
paths = [
"/main/share"
"/data/actual-server"
];
pruneOpts = [
"--keep-last 3"
];
timerConfig = {
OnCalendar = "daily";
Persistent = true;
RandomizedDelaySec = "5h";
};
};
};
};
}

56
modules/samba-share/default.nix Normal file
View file

@ -0,0 +1,56 @@
{ lib, ... }:
{
flake.modules.nixos.samba-share =
{ pkgs, config, lib, ... }:
{
options.samba-share = {
path = lib.mkOption {
type = lib.types.str;
description = "Path to the directory to share via Samba.";
};
allowedHosts = lib.mkOption {
type = lib.types.str;
description = "Space-separated list of allowed hosts/subnets (e.g. \"192.168.1. 127.0.0.1\").";
};
};
config = {
services.samba = {
enable = true;
openFirewall = true;
settings = {
global = {
"workgroup" = "WORKGROUP";
"security" = "user";
"hosts allow" = config.samba-share.allowedHosts;
"hosts deny" = "0.0.0.0/0";
"guest account" = "nobody";
"map to guest" = "bad user";
};
"share" = {
"path" = config.samba-share.path;
"browseable" = "yes";
"writeable" = "yes";
"read only" = "no";
"guest ok" = "yes";
"force user" = "dennis";
"force group" = "users";
};
};
};
services.samba-wsdd = {
enable = true;
openFirewall = true;
};
services.avahi = {
publish.enable = true;
publish.userServices = true;
nssmdns4 = true;
enable = true;
openFirewall = true;
};
};
};
}

16
modules/scrolling-desktop/niri/dms/colors.kdl
View file

@ -5,14 +5,14 @@ layout {
background-color "transparent" background-color "transparent"
focus-ring { focus-ring {
active-color "#c3c0ff" active-color "#d2bcfd"
inactive-color "#928f9a" inactive-color "#948f99"
urgent-color "#ffb4ab" urgent-color "#ffb4ab"
} }
border { border {
active-color "#c3c0ff" active-color "#d2bcfd"
inactive-color "#928f9a" inactive-color "#948f99"
urgent-color "#ffb4ab" urgent-color "#ffb4ab"
} }
@ -21,19 +21,19 @@ layout {
} }
tab-indicator { tab-indicator {
active-color "#c3c0ff" active-color "#d2bcfd"
inactive-color "#928f9a" inactive-color "#948f99"
urgent-color "#ffb4ab" urgent-color "#ffb4ab"
} }
insert-hint { insert-hint {
color "#c3c0ff80" color "#d2bcfd80"
} }
} }
recent-windows { recent-windows {
highlight { highlight {
active-color "#424078" active-color "#4f3d74"
urgent-color "#ffb4ab" urgent-color "#ffb4ab"
} }
} }

10
modules/ssh/default.nix
View file

@ -3,7 +3,15 @@
flake.modules.nixos.ssh = flake.modules.nixos.ssh =
{ pkgs, ... }: { pkgs, ... }:
{ {
services.openssh.enable = true; services.openssh = {
enable = true;
settings = {
X11Forwarding = false;
PermitRootLogin = "no";
PasswordAuthentication = false;
};
openFirewall = true;
};
home-manager.sharedModules = [ home-manager.sharedModules = [
inputs.self.modules.homeManager.ssh inputs.self.modules.homeManager.ssh

22
modules/ups/default.nix Normal file
View file

@ -0,0 +1,22 @@
{ ... }:
{
flake.modules.nixos.ups =
{ pkgs, ... }:
{
power.ups = {
enable = true;
ups."eaton-ups" = {
driver = "usbhid-ups";
port = "auto";
};
users.upsmon = {
passwordFile = "/etc/upsmon.passwd";
upsmon = "primary";
};
upsmon.monitor."eaton-ups".user = "upsmon";
};
};
}

15
modules/zfs/default.nix Normal file
View file

@ -0,0 +1,15 @@
{ ... }:
{
flake.modules.nixos.zfs =
{ pkgs, ... }:
{
boot.supportedFilesystems = [ "zfs" ];
boot.zfs.forceImportRoot = false;
boot.zfs.extraPools = [ "main" ];
services.zfs = {
autoSnapshot.enable = true;
trim.enable = true;
};
};
}

9
secrets/restic/password.age Normal file
View file

@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 JIw3cQ u0VpHg/TVASeIVR7/mfbllXrlM71vNpqQhgnfya6vQY
HKopl3RT1S2+W1Sb95eFUhdH4Fh35KS5l6KLYyfdw/Y
-> ssh-ed25519 HufN+g Vfe9hzCZm69hjyk9S0/ZFbVkuvTe3nGbNw9BZfuiiAM
4H1Nfgd8usdv34RuCf3R3J+jyqHj4rnbNHmgkav7VDs
-> ssh-ed25519 cTYF0w H4NeFzgk/mTkEe6uPXutoh6r6wfpNS0SNJYUi1VNRgg
AAjgzAkbXLXBVLtMZAPfXOfgGnpgsF6DvH1BK/vW6E0
--- rEeM9TuloOX1HuwGmtdxk+Mi+NnWYsHndCStBbCqSh4
³ÞØaÇ“]ê£[&«™ëÜñ™àèü¶©[¦|eµr'EõZáŠÛB?â¿H¸·¬»v<C2BB>Œ4Mr§MüÄ EÊ1óf§JÑrÆ«ÕÂ%

26
secrets/secrets.nix Normal file
View file

@ -0,0 +1,26 @@
let
dnsc-air = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvXWZOPOJJDAoF+Sx/ZLoAVu6G/7/MAWoknBgMAzjul dennis@dnsc-mac";
dnsc-vps-sm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF/sUA38t7TI1LYADLBn898Hh0MTR4maiHVwEtDoN9W5 dnsc-vps-sm";
dnsc-server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM3mkEgvHrwjsEReHQHpLbMP71JLvp6XxMPyW7PTaLCd dennis@dnsc-server";
systems = [
dnsc-air
dnsc-vps-sm
dnsc-server
];
in
{
# Add like this: "secret1.age".publicKeys = systems;
"vaultwarden/env.age".publicKeys = systems;
"restic/password.age".publicKeys = systems;
}
# 1. Create a file with secret
# nix run github:ryantm/agenix -- -e $FILE_PATH
#
# 2. Reference the file in NixOS config:
# {
# age.secrets.secret1.file = ../secrets/secret1.age;
# }
#
# 3. And use it like this:
# passwordFile = config.age.secrets.secret1.path;

BIN
secrets/vaultwarden/env.age Normal file
View file

Binary file not shown.