diff --git a/allowed_signers b/allowed_signers new file mode 100644 index 0000000..0b3a3dc --- /dev/null +++ b/allowed_signers @@ -0,0 +1 @@ +rouven@rfive.de namespaces="git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICqjaaB4RSwGGZXHb8UqTLz0GkOWlKctHoxmhpkwsFMI rouven@thinkpad diff --git a/flake.lock b/flake.lock index 1f27677..be1cd3c 100644 --- a/flake.lock +++ b/flake.lock @@ -12,11 +12,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1736955230, - "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=", + "lastModified": 1745630506, + "narHash": "sha256-bHCFgGeu8XjWlVuaWzi3QONjDW3coZDqSHvnd4l7xus=", "owner": "ryantm", "repo": "agenix", - "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c", + "rev": "96e078c646b711aee04b82ba01aefbff87004ded", "type": "github" }, "original": { @@ -33,15 +33,17 @@ "flake-utils": "flake-utils", "napalm": "napalm", "nixpkgs": "nixpkgs", - "poetry2nix": "poetry2nix", - "systems": "systems_2" + "pyproject-build-systems": "pyproject-build-systems", + "pyproject-nix": "pyproject-nix", + "systems": "systems_2", + "uv2nix": "uv2nix" }, "locked": { - "lastModified": 1744375272, - "narHash": "sha256-xvWbdTctLu5YWgcp+lNTh51GAY3vB2XEXUFKRMJUiCM=", + "lastModified": 1746770624, + "narHash": "sha256-40c1p1EiveXd8P4MsG21+M4x/0QOCGQJP0ISyx9L1QE=", "owner": "nix-community", "repo": "authentik-nix", - "rev": "105b3b6c004ce00d1d3c7a88669bea4aadfd4580", + "rev": "0b5a36483867e2473a40610d0dcb7cb06260a6cf", "type": "github" }, "original": { 
@@ -53,16 +55,16 @@ "authentik-src": { "flake": false, "locked": { - "lastModified": 1744135136, - "narHash": "sha256-7wvoCRhLipX4qzrb/ctsozG565yckx+moxiF6vRo84I=", + "lastModified": 1745954192, + "narHash": "sha256-QuIgeu3CN6S44/zSiaj+iIkDz2494mb1MWvD3eYYkVE=", "owner": "goauthentik", "repo": "authentik", - "rev": "74eab55c615b156e4191ee98dc789e2d58c016f9", + "rev": "22412729e2379d645da2ac0c0270a0ac6147945e", "type": "github" }, "original": { "owner": "goauthentik", - "ref": "version/2025.2.4", + "ref": "version/2025.4.0", "repo": "authentik", "type": "github" } @@ -106,11 +108,11 @@ ] }, "locked": { - "lastModified": 1700795494, - "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "lastModified": 1744478979, + "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "rev": "43975d782b418ebf4969e9ccba82466728c2851b", "type": "github" }, "original": { @@ -277,11 +279,11 @@ ] }, "locked": { - "lastModified": 1745439012, - "narHash": "sha256-TwbdiH28QK7Da2JQTqFHdb+UCJq6QbF2mtf+RxHVzEA=", + "lastModified": 1746798521, + "narHash": "sha256-axfz/jBEH9XHpS7YSumstV7b2PrPf7L8bhWUtLBv3nA=", "owner": "nix-community", "repo": "home-manager", - "rev": "d31710fb2cd536b1966fee2af74e99a0816a61a8", + "rev": "e95a7c5b6fa93304cd2fd78cf676c4f6d23c422c", "type": "github" }, "original": { @@ -396,28 +398,6 @@ "type": "github" } }, - "nix-github-actions": { - "inputs": { - "nixpkgs": [ - "authentik", - "poetry2nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1729742964, - "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", - "owner": "nix-community", - "repo": "nix-github-actions", - "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-github-actions", - "type": "github" - } - }, "nix-index-database": { "inputs": { "nixpkgs": [ 
@@ -425,11 +405,11 @@ ] }, "locked": { - "lastModified": 1745120797, - "narHash": "sha256-owQ0VQ+7cSanTVPxaZMWEzI22Q4bGnuvhVjLAJBNQ3E=", + "lastModified": 1746330942, + "narHash": "sha256-ShizFaJCAST23tSrHHtFFGF0fwd72AG+KhPZFFQX/0o=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "69716041f881a2af935021c1182ed5b0cc04d40e", + "rev": "137fd2bd726fff343874f85601b51769b48685cc", "type": "github" }, "original": { @@ -440,11 +420,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1744098102, - "narHash": "sha256-tzCdyIJj9AjysC3OuKA+tMD/kDEDAF9mICPDU7ix0JA=", + "lastModified": 1746141548, + "narHash": "sha256-IgBWhX7A2oJmZFIrpRuMnw5RAufVnfvOgHWgIdds+hc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c8cd81426f45942bb2906d5ed2fe21d2f19d95b7", + "rev": "f02fddb8acef29a8b32f10a335d44828d7825b78", "type": "github" }, "original": { @@ -502,11 +482,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1745391562, - "narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=", + "lastModified": 1746663147, + "narHash": "sha256-Ua0drDHawlzNqJnclTJGf87dBmaO/tn7iZ+TCkTRpRc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7", + "rev": "dda3dcd3fe03e991015e9a74b22d35950f264a54", "type": "github" }, "original": { @@ -535,37 +515,6 @@ "type": "sourcehut" } }, - "poetry2nix": { - "inputs": { - "flake-utils": [ - "authentik", - "flake-utils" - ], - "nix-github-actions": "nix-github-actions", - "nixpkgs": [ - "authentik", - "nixpkgs" - ], - "systems": [ - "authentik", - "systems" - ], - "treefmt-nix": "treefmt-nix" - }, - "locked": { - "lastModified": 1743690424, - "narHash": "sha256-cX98bUuKuihOaRp8dNV1Mq7u6/CQZWTPth2IJPATBXc=", - "owner": "nix-community", - "repo": "poetry2nix", - "rev": "ce2369db77f45688172384bbeb962bc6c2ea6f94", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "poetry2nix", - "type": "github" - } - }, "pre-commit-hooks-nix": { "inputs": { "flake-compat": [ 
@@ -613,6 +562,56 @@ "type": "sourcehut" } }, + "pyproject-build-systems": { + "inputs": { + "nixpkgs": [ + "authentik", + "nixpkgs" + ], + "pyproject-nix": [ + "authentik", + "pyproject-nix" + ], + "uv2nix": [ + "authentik", + "uv2nix" + ] + }, + "locked": { + "lastModified": 1744599653, + "narHash": "sha256-nysSwVVjG4hKoOjhjvE6U5lIKA8sEr1d1QzEfZsannU=", + "owner": "pyproject-nix", + "repo": "build-system-pkgs", + "rev": "7dba6dbc73120e15b558754c26024f6c93015dd7", + "type": "github" + }, + "original": { + "owner": "pyproject-nix", + "repo": "build-system-pkgs", + "type": "github" + } + }, + "pyproject-nix": { + "inputs": { + "nixpkgs": [ + "authentik", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1746146146, + "narHash": "sha256-60+mzI2lbgn+G8F5mz+cmkDvHFn4s5oqcOna1SzYy74=", + "owner": "pyproject-nix", + "repo": "pyproject.nix", + "rev": "3e9623bdd86a3c545e82b7f97cfdba5f07232d9a", + "type": "github" + }, + "original": { + "owner": "pyproject-nix", + "repo": "pyproject.nix", + "type": "github" + } + }, "root": { "inputs": { "agenix": "agenix", @@ -680,28 +679,6 @@ "type": "github" } }, - "treefmt-nix": { - "inputs": { - "nixpkgs": [ - "authentik", - "poetry2nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1730120726, - "narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "9ef337e492a5555d8e17a51c911ff1f02635be15", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, "trucksimulatorbot": { "inputs": { "images": "images", 
@@ -722,6 +699,31 @@
 "repo": "trucksimulator",
 "type": "sourcehut"
 }
+ },
+ "uv2nix": {
+ "inputs": {
+ "nixpkgs": [
+ "authentik",
+ "nixpkgs"
+ ],
+ "pyproject-nix": [
+ "authentik",
+ "pyproject-nix"
+ ]
+ },
+ "locked": {
+ "lastModified": 1746048139,
+ "narHash": "sha256-LdCLyiihLg6P2/mjzP0+W7RtraDSIaJJPTy6SCtW5Ag=",
+ "owner": "pyproject-nix",
+ "repo": "uv2nix",
+ "rev": "680e2f8e637bc79b84268949d2f2b2f5e5f1d81c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "pyproject-nix",
+ "repo": "uv2nix",
+ "type": "github"
+ }
 }
 },
 "root": "root",
diff --git a/flake.nix b/flake.nix
index a259311..ea13a0e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -115,6 +115,7 @@
 authentik.nixosModules.default
 ./hosts/nuc
 ./shared
+ ./shared/caddy
 {
 nixpkgs.overlays = [ self.overlays.default ];
 }
@@ -128,6 +129,7 @@
 impermanence.nixosModules.impermanence
 agenix.nixosModules.default
 ./hosts/fujitsu
+ ./shared/caddy
 ./shared
 {
 nixpkgs.overlays = [ self.overlays.default ];
@@ -140,6 +142,7 @@
 modules = [
 ./hosts/falkenstein
 ./shared
+ ./shared/caddy
 {
 nixpkgs.overlays = [ self.overlays.default ];
 }
diff --git a/hosts/falkenstein/modules/caddy/default.nix b/hosts/falkenstein/modules/caddy/default.nix
index 21ddc81..b5126b1 100644
--- a/hosts/falkenstein/modules/caddy/default.nix
+++ b/hosts/falkenstein/modules/caddy/default.nix
@@ -17,22 +17,6 @@ let
 in
 {
 services.caddy = {
- enable = true;
- email = "ca@${config.networking.domain}";
- logFormat = "format console";
- globalConfig = ''
- servers {
- metrics
- }
- '';
- virtualHosts.":2018" = {
- extraConfig = ''
- metrics
- '';
- logFormat = ''
- output discard
- '';
- };
 virtualHosts."${config.networking.domain}".extraConfig = ''
 file_server browse
 root * /srv/web/${config.networking.domain}
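Review bot: The three hosts now import `./shared/caddy`, which this diff shows only as a 100%-similarity rename of `hosts/nuc/modules/caddy/default.nix`, so its contents are not visible here; the falkenstein module in the same diff drops `enable`, `email`, `XDG_DATA_HOME`, the `:2018` metrics vhost and the 80/443 firewall rules and therefore depends entirely on the shared module supplying them. Confirm the formerly nuc-only module sets `services.caddy.email` from `config.networking.domain` (falkenstein's ACME registration relied on that value) and opens only the ports each host needs; if it also opens the `:2018` metrics listener, fujitsu inherits a metrics endpoint it never had. The same import appears in the `-128` and `-140` hunks. A one-line comment next to the import, `# shared/caddy owns enable/ACME email/firewall; host modules only add vhosts`, would make the split of responsibilities explicit.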
@@ -40,7 +24,4 @@ in
 respond /.well-known/matrix/server ${builtins.toJSON serverConfig}
 '';
 };
- systemd.services.caddy.environment.XDG_DATA_HOME = "/var/lib";
- networking.firewall.allowedTCPPorts = [ 80 443 2018 ];
- networking.firewall.allowedUDPPorts = [ 443 ];
 }
diff --git a/hosts/fujitsu/modules/jellyfin/default.nix b/hosts/fujitsu/modules/jellyfin/default.nix
index 8379831..fdb5880 100644
--- a/hosts/fujitsu/modules/jellyfin/default.nix
+++ b/hosts/fujitsu/modules/jellyfin/default.nix
@@ -1,6 +1,12 @@
+{ config, ... }:
+let
+ domain = "media.vpn.rfive.de";
+in
 {
 services.jellyfin = {
 enable = true;
- openFirewall = true;
 };
+ services.caddy.virtualHosts."http://${domain}".extraConfig = ''
+ reverse_proxy 127.0.0.1:8096
+ '';
 }
diff --git a/hosts/nuc/default.nix b/hosts/nuc/default.nix
index c5f9c7f..2ea4007 100644
--- a/hosts/nuc/default.nix
+++ b/hosts/nuc/default.nix
@@ -5,6 +5,7 @@
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
 ./modules/authentik
+ ./modules/atuin
 ./modules/networks
 ./modules/adguard
 ./modules/backup
@@ -15,7 +16,6 @@
 ./modules/monitoring
 ./modules/torrent
 ./modules/vaultwarden
- ./modules/caddy
 ./modules/indexing
 ];
 
diff --git a/hosts/nuc/modules/adguard/default.nix b/hosts/nuc/modules/adguard/default.nix
index b368d88..86ef790 100644
--- a/hosts/nuc/modules/adguard/default.nix
+++ b/hosts/nuc/modules/adguard/default.nix
@@ -1,13 +1,19 @@
 { ... }:
+let
+ domain = "adguard.vpn.rfive.de";
+ port = 3000;
+in
 {
 networking.firewall.allowedTCPPorts = [ 53 ];
 networking.firewall.allowedUDPPorts = [ 53 ];
 services.adguardhome = {
 enable = true;
- openFirewall = true;
 settings = {
 dns.bind_hosts = [ "192.168.42.2" ];
- http.address = "0.0.0.0:3000";
+ http.address = "127.0.0.1:${toString port}";
 };
 };
+ services.caddy.virtualHosts."http://${domain}".extraConfig = ''
+ reverse_proxy 127.0.0.1:${toString port}
+ '';
 }
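Review bot: The new vhost is declared as `http://media.vpn.rfive.de`, so Caddy serves Jellyfin in cleartext on its port-80 listener and routes purely by `Host` header; whether that stays private depends on the `.vpn.` name only resolving inside the tunnel and on the shared Caddy firewall rules, nothing in this module enforces it. Dropping `openFirewall` closes the direct 8096 path, but the module sets no bind address for `services.jellyfin`, so the service presumably still listens on all interfaces and the loopback-only intent lives solely in the firewall. The same pattern is used in the adguard, atuin, prowlarr, radarr, sonarr and torrent hunks. A comment on the vhost line, `# plain-HTTP vhost: reachable only via the VPN name; relies on shared/caddy's firewall, not on TLS`, records the assumption, and the literal `8096` could become a `port` binding as the adguard module does.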
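Review bot: The `let domain = …; port = …; in` preamble plus `services.caddy.virtualHosts."http://${domain}"` introduced here is repeated verbatim in the atuin, jellyfin, prowlarr, radarr, sonarr and torrent hunks with only the name and port changing, and the `vpn.rfive.de` suffix is spelled out in each module, so a typo in one silently yields an unproxied service. Consider a small option in `shared/caddy` (for example an attrset of subdomain to loopback port) that generates these vhosts in one place, or at least one shared constant for the VPN zone. Moving `http.address` to `127.0.0.1:${toString port}` is the right change and is the only hunk in this diff that actually pins a service to loopback rather than relying on the firewall.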
diff --git a/hosts/nuc/modules/atuin/default.nix b/hosts/nuc/modules/atuin/default.nix
new file mode 100644
index 0000000..96442cf
--- /dev/null
+++ b/hosts/nuc/modules/atuin/default.nix
@@ -0,0 +1,12 @@
+{ config, ... }:
+let
+ domain = "shell.vpn.rfive.de";
+in
+{
+ services.atuin = {
+ enable = true;
+ };
+ services.caddy.virtualHosts."http://${domain}".extraConfig = ''
+ reverse_proxy 127.0.0.1:${toString config.services.atuin.port}
+ '';
+}
diff --git a/hosts/nuc/modules/indexing/prowlarr.nix b/hosts/nuc/modules/indexing/prowlarr.nix
index 03bc1b8..5a2910b 100644
--- a/hosts/nuc/modules/indexing/prowlarr.nix
+++ b/hosts/nuc/modules/indexing/prowlarr.nix
@@ -1,7 +1,12 @@
-{ ... }:
+{ config, ... }:
+let
+ domain = "index.vpn.rfive.de";
+in
 {
 services.prowlarr = {
 enable = true;
- openFirewall = true;
 };
+ services.caddy.virtualHosts."http://${domain}".extraConfig = ''
+ reverse_proxy 127.0.0.1:${toString config.services.prowlarr.settings.server.port}
+ '';
 }
diff --git a/hosts/nuc/modules/indexing/radarr.nix b/hosts/nuc/modules/indexing/radarr.nix
index f56365f..1eda08e 100644
--- a/hosts/nuc/modules/indexing/radarr.nix
+++ b/hosts/nuc/modules/indexing/radarr.nix
@@ -1,7 +1,12 @@
-{ ... }:
+{ config, ... }:
+let
+ domain = "movies.vpn.rfive.de";
+in
 {
 services.radarr = {
 enable = true;
- openFirewall = true;
 };
+ services.caddy.virtualHosts."http://${domain}".extraConfig = ''
+ reverse_proxy 127.0.0.1:${toString config.services.radarr.settings.server.port}
+ '';
 }
diff --git a/hosts/nuc/modules/indexing/sonarr.nix b/hosts/nuc/modules/indexing/sonarr.nix
index 92f5cc0..2596e14 100644
--- a/hosts/nuc/modules/indexing/sonarr.nix
+++ b/hosts/nuc/modules/indexing/sonarr.nix
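Review bot: `services.atuin` is enabled with every option at its default and nothing records which defaults the module relies on; if the NixOS module still defaults to `host = "127.0.0.1"` and `openRegistration = false` (verify against the nixpkgs revision pinned in the lockfile), the proxied server accepts no accounts until registration is switched on briefly, which the next reader will not guess from `enable = true;`. Suggested comment above `services.atuin`: `# defaults assumed: loopback listener, registration closed — set openRegistration = true once to create the account, then revert`. Reading `config.services.atuin.port` instead of a literal is the cleaner form and the jellyfin hunk could follow it.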
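Review bot: Removing `openFirewall` leaves the firewall as the only thing keeping Prowlarr off the LAN, because the service keeps its own bind address while only the proxy target is `127.0.0.1`; the adguard hunk in this diff moves the listener itself to loopback, and the same asymmetry is in the radarr and sonarr hunks. If `services.prowlarr.settings` is the freeform attrset that becomes `PROWLARR__SERVER__*` environment variables (it already supplies `server.port` here), adding `settings.server.bindaddress = "127.0.0.1";` next to `enable = true;` would make the loopback-only intent hold even if the firewall is later relaxed; the radarr and sonarr modules would take the same line. The enclosing attrset is entirely within the hunk.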
@@ -1,7 +1,12 @@
-{ ... }:
+{ config, ... }:
+let
+ domain = "shows.vpn.rfive.de";
+in
 {
 services.sonarr = {
 enable = true;
- openFirewall = true;
 };
+ services.caddy.virtualHosts."http://${domain}".extraConfig = ''
+ reverse_proxy 127.0.0.1:${toString config.services.sonarr.settings.server.port}
+ '';
 }
diff --git a/hosts/nuc/modules/torrent/default.nix b/hosts/nuc/modules/torrent/default.nix
index d55f270..dd9e081 100644
--- a/hosts/nuc/modules/torrent/default.nix
+++ b/hosts/nuc/modules/torrent/default.nix
@@ -1,5 +1,6 @@
 { config, pkgs, ... }:
 let
+ domain = "torrents.vpn.rfive.de";
 cfg = {
 stateDir = "/var/lib/qbittorrent";
 downloadDir = "/var/videos/"; # TODO support other Media Types
@@ -124,7 +125,9 @@ in
 SystemCallFilter = "@system-service";
 };
 };
- networking.firewall.allowedTCPPorts = [ cfg.port ];
+ services.caddy.virtualHosts."http://${domain}".extraConfig = ''
+ reverse_proxy 127.0.0.1:${toString cfg.port}
+ '';
 systemd.tmpfiles.rules = [
 # ensure downloads directory is created, set permissions
 "d ${cfg.stateDir} - ${cfg.user} ${cfg.user} - -"
diff --git a/hosts/thinkpad/modules/networks/default.nix b/hosts/thinkpad/modules/networks/default.nix
index cd2ead1..d2143cc 100644
--- a/hosts/thinkpad/modules/networks/default.nix
+++ b/hosts/thinkpad/modules/networks/default.nix
@@ -81,6 +81,9 @@
 "WIFI@DB" = {
 authProtocols = [ "NONE" ];
 };
+ "WIFIonICE" = {
+ authProtocols = [ "NONE" ];
+ };
 };
 };
 };
diff --git a/hosts/thinkpad/modules/security/default.nix b/hosts/thinkpad/modules/security/default.nix
index 63b94eb..fbbeb97 100644
--- a/hosts/thinkpad/modules/security/default.nix
+++ b/hosts/thinkpad/modules/security/default.nix
@@ -18,6 +18,8 @@
 cue = true;
 };
 };
+ # fixes run0 failing to execute
+ services.systemd-run0 = { };
 };
 krb5 = {
 enable = true;
diff --git a/hosts/thinkpad/modules/virtualisation/default.nix b/hosts/thinkpad/modules/virtualisation/default.nix
index edda2ae..172cd6e 100644
--- a/hosts/thinkpad/modules/virtualisation/default.nix
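Review bot: Replacing the firewall rule with a Caddy `reverse_proxy` in the `-124` hunk means qBittorrent now sees requests whose `Host` header is `torrents.vpn.rfive.de` (Caddy forwards the original Host by default), and qBittorrent's WebUI host-header validation is enabled by default and rejects hosts that are neither its own address nor in its server-domains list; whether that bites here depends on the WebUI settings written elsewhere in this module, outside the hunk. Check that the WebUI configuration either lists the domain or has the reverse-proxy trust settings set, otherwise the proxied UI answers with an unauthorized error while the old direct port path is gone. A comment beside the vhost, `# qBittorrent validates Host; ${domain} must be allowed in the WebUI settings`, ties the two together. The enclosing `in { … }` set starts before and ends after the hunk.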
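Review bot: The comment `# fixes run0 failing to execute` records the symptom but not why an empty `services.systemd-run0 = { };` cures it; from the surrounding context this sits under `security.pam`, so the line generates a `systemd-run0` PAM stack with the NixOS defaults, presumably because no such stack existed and `run0` could not authenticate at all. Since a PAM stack is an authentication decision, the comment should say what is produced, e.g. `# run0 authenticates through the "systemd-run0" PAM service; declare it so the default NixOS stack (password plus the u2f settings above) is generated — confirm unixAuth stays enabled`. The enclosing `pam` attrset begins outside the hunk.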
+++ b/hosts/thinkpad/modules/virtualisation/default.nix @@ -1,13 +1,13 @@ { pkgs, ... }: { virtualisation = { - # podman = { - # enable = true; - # defaultNetwork.settings.dns_enabled = true; - # }; - docker = { + podman = { enable = true; + defaultNetwork.settings.dns_enabled = true; }; + # docker = { + # enable = true; + # }; libvirtd = { enable = true; qemu = { @@ -27,4 +27,20 @@ virt-viewer podman-compose ]; + systemd.nspawn = { + n1 = { + networkConfig = { + Private = true; + VirtualEthernet = true; + Bridge = "br0"; + }; + }; + n2 = { + networkConfig = { + Private = true; + VirtualEthernet = true; + Bridge = "br0"; + }; + }; + }; } diff --git a/secrets/nuc/mautrix-telegram/env.age b/secrets/nuc/mautrix-telegram/env.age index 212d341..07dffbb 100644 Binary files a/secrets/nuc/mautrix-telegram/env.age and b/secrets/nuc/mautrix-telegram/env.age differ diff --git a/hosts/nuc/modules/caddy/default.nix b/shared/caddy/default.nix similarity index 100% rename from hosts/nuc/modules/caddy/default.nix rename to shared/caddy/default.nix diff --git a/shared/zsh.nix b/shared/zsh.nix index 67395f3..3fa3fff 100644 --- a/shared/zsh.nix +++ b/shared/zsh.nix @@ -26,6 +26,9 @@ in iperf jq helix + nushell + atuin + nmap ]; users.defaultUserShell = pkgs.zsh; programs.fzf = { @@ -68,6 +71,8 @@ in zstyle ':completion:*:complete:networkctl:*' list-grouped true source ${pkgs.agdsn-zsh-config}/etc/zsh/zshrc source ${pkgs.zsh-fzf-tab}/share/fzf-tab/fzf-tab.plugin.zsh + source ${pkgs.zsh-vi-mode}/share/zsh-vi-mode/zsh-vi-mode.plugin.zsh + zvm_after_init_commands+=(eval "$(atuin init zsh)") unsetopt extendedglob @@ -100,7 +105,6 @@ in # then # cat ${../images/cat.sixel} # fi - eval "$(${pkgs.mcfly}/bin/mcfly init zsh)" eval "$(${pkgs.zoxide}/bin/zoxide init zsh)" ''; }; diff --git a/test b/test new file mode 100644 index 0000000..e69de29 diff --git a/users/rouven/modules/git/default.nix b/users/rouven/modules/git/default.nix index 754118c..53df2ac 100644 
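Review bot: The two `systemd.nspawn` entries `n1` and `n2` in the `-27,4 +27,20` hunk are byte-identical, and both attach to `Bridge = "br0"` although no `br0` is defined in this hunk or anywhere else in the diff; if the bridge is not created by another module, both `systemd-nspawn@n1` and `@n2` fail at network setup. Generating the entries from a list keeps them in step, at the cost of taking `lib` from the module arguments in the `-1,13` hunk of this file (currently `{ pkgs, ... }:`). `systemd.nspawn` only configures the runtime; the container roots under `/var/lib/machines` are presumably provisioned by hand, which is worth a comment.
```nix
{ lib, pkgs, ... }:
# … unchanged: virtualisation and environment.systemPackages …
  # n1/n2: identical private-veth containers on br0 (bridge must be defined elsewhere);
  # roots under /var/lib/machines are not managed here
  systemd.nspawn = lib.genAttrs [ "n1" "n2" ] (_: {
    networkConfig = {
      Private = true;
      VirtualEthernet = true;
      Bridge = "br0";
    };
  });
```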
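Review bot: `zvm_after_init_commands+=(eval "$(atuin init zsh)")` appends two array elements — the word `eval` and the output of `atuin init zsh`, expanded eagerly while the zshrc is read — instead of one deferred command, and it finds `atuin` through `$PATH` whereas the surrounding lines pin store paths (`${pkgs.zoxide}/bin/zoxide`, `${pkgs.zsh-fzf-tab}/share/…`). Quoting the whole command and pinning the path makes it run once after zsh-vi-mode has initialised, which is what the hook is for: `zvm_after_init_commands+=('eval "$(${pkgs.atuin}/bin/atuin init zsh)"')`. This file is a `shared` module, so `nmap`, `nushell` and `atuin` from the `-26` hunk now land in `environment.systemPackages` on every host including the servers; keeping scanner-type tooling to the workstation profile keeps the server footprint smaller.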
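Review bot: `test` is added as an empty file at the repository root (`index 0000000..e69de29`, no hunk) and nothing else in the diff references it, which looks like a stray artifact of a local experiment rather than an intended change. Either drop it from the commit or give it a name and content that explain its purpose.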
--- a/users/rouven/modules/git/default.nix +++ b/users/rouven/modules/git/default.nix @@ -17,7 +17,8 @@ extraConfig = { merge.conflictStyle = "diff3"; diff.colorMoved = "default"; - user.signingkey = "B95E8FE6B11C4D09"; + user.signingkey = "~/.ssh/git.pub"; + gpg.format = "ssh"; pull.rebase = false; init.defaultBranch = "main"; commit.gpgsign = true; diff --git a/users/rouven/modules/packages.nix b/users/rouven/modules/packages.nix index d35bb76..c433d2b 100644 --- a/users/rouven/modules/packages.nix +++ b/users/rouven/modules/packages.nix @@ -5,7 +5,6 @@ # essentials htop-vim lsof - postgresql zip unzip @@ -15,6 +14,7 @@ glab tio tcpdump + openconnect # graphics (zathura.override { plugins = [ zathuraPkgs.zathura_pdf_mupdf ]; }) @@ -53,6 +53,7 @@ typst hut wine + electrum # ansible ansible-lint (python3.withPackages (ps: [ @@ -83,14 +84,12 @@ rustfmt clippy gcc - nodejs_20 gnumake go pre-commit # fancy tools just - himalaya # strace but with colors # (strace.overrideAttrs (_: { # patches = [ diff --git a/users/rouven/modules/wayland/river.nix b/users/rouven/modules/wayland/river.nix index 14c285d..04f2d14 100644 --- a/users/rouven/modules/wayland/river.nix +++ b/users/rouven/modules/wayland/river.nix @@ -44,7 +44,7 @@ }; "None" = builtins.mapAttrs (_key: bind: "spawn \"" + bind + "\"") { Print = "${pkgs.sway-contrib.grimshot}/bin/grimshot copy area"; - XF86Launch2 = "${pkgs.sway-contrib.grimshot}/bin/grimshot save area - | ${pkgs.swappy}/bin/swappy -f -"; + XF86SelectiveScreenshot = "${pkgs.sway-contrib.grimshot}/bin/grimshot save area - | ${pkgs.swappy}/bin/swappy -f -"; XF86MonBrightnessUp = "${pkgs.light}/bin/light -A 10"; XF86MonBrightnessDown = "${pkgs.light}/bin/light -U 10"; XF86AudioMute = "${pkgs.pulseaudio}/bin/pactl set-sink-mute @DEFAULT_SINK@ toggle";
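Review bot: Switching to SSH signing sets `user.signingkey` and `gpg.format` but not `gpg.ssh.allowedSignersFile`, so `git verify-commit` and `git log --show-signature` still have no principal list and report the new signatures as unverifiable, even though this commit adds an `allowed_signers` file whose single entry (`rouven@rfive.de namespaces="git" ssh-ed25519 …`) is exactly what that setting consumes. Adding `gpg.ssh.allowedSignersFile = "<path-to-allowed_signers>";` beside `gpg.format = "ssh";` closes the loop; the principal must match `user.email`, which is set outside this hunk. Commits signed with the retired GPG key `B95E8FE6B11C4D09` remain verifiable only through gpg, which deserves a comment if old history matters. The enclosing `extraConfig` attrset continues past the hunk.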