1b04cd6f94 Setup matrix on apogee 2025-10-08 17:16:52 -07:00
26 changed files with 173 additions and 337 deletions


@ -1,5 +1,5 @@
{
description = "Nettika's NixOS Configs";
description = "NixOS Configurations";
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";

9
hosts/apogee/default.nix Normal file

@ -0,0 +1,9 @@
{ ... }: {
imports = [ ./matrix.nix ./gandicloud.nix ];
networking.hostName = "apogee";
services.postgresql.enable = true;
promptSymbol = "🔭";
}
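Review bot: This host sets `promptSymbol` and its matrix.nix uses `age.secrets`, but the imports list brings in neither the module that declares `promptSymbol` (modules/README.md, deleted in this commit, documents it as a `promptmoji` option) nor `agenix.nixosModules.default`; the deleted hosts/quasar/default.nix imported both, and without them evaluation should fail with an undeclared-option error — unless apogee's entry in hosts/default.nix adds them, which the visible hunk of that file does not show. Following the astral/quasar pattern, take them from specialArgs: `{ agenix, nixosModules, ... }: {` and `imports = [ ./matrix.nix ./gandicloud.nix nixosModules.promptmoji agenix.nixosModules.default ];`. Note also that `promptSymbol` only takes effect with fish enabled per that README, and this host does not enable it, so either add `programs.fish.enable = true;` or drop the symbol.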


@ -0,0 +1,46 @@
# This is the configuration required to run NixOS on GandiCloud.
{ lib, modulesPath, ... }: {
imports = [ (modulesPath + "/virtualisation/openstack-config.nix") ];
config = {
boot.initrd.kernelModules = [
"xen-blkfront"
"xen-tpmfront"
"xen-kbdfront"
"xen-fbfront"
"xen-netfront"
"xen-pcifront"
"xen-scsifront"
];
# Show debug kernel message on boot then reduce loglevel once booted
boot.consoleLogLevel = 7;
boot.kernel.sysctl."kernel.printk" = "4 4 1 7";
# For "openstack console log show"
boot.kernelParams = [ "console=ttyS0" ];
systemd.services."serial-getty@ttyS0" = {
enable = true;
wantedBy = [ "multi-user.target" ];
serviceConfig.Restart = "always";
};
# The device exposed by Xen
boot.loader.grub.device = lib.mkForce "/dev/xvda";
# This is to get a prompt via the "openstack console url show" command
systemd.services."getty@tty1" = {
enable = lib.mkForce true;
wantedBy = [ "multi-user.target" ];
serviceConfig.Restart = "always";
};
# This is required to get an IPv6 address on our infrastructure
networking.tempAddresses = "disabled";
nix.extraOptions = ''
experimental-features = nix-command flakes
'';
system.stateVersion = "24.11";
};
}
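Review bot: `system.stateVersion = "24.11"` is set inside this provider-specific module rather than in hosts/apogee/default.nix, where the other hosts in this repository keep it (the deleted hosts/quasar/default.nix carried its own `system.stateVersion`); stateVersion is per-installation and this file reads as reusable GandiCloud boilerplate, so move that line to the host file. For the same reason `nix.extraOptions = '' experimental-features = nix-command flakes ''` is better expressed as `nix.settings.experimental-features = [ "nix-command" "flakes" ];`, the form the other hosts use, so it merges with any host-level nix.settings instead of being a second raw config source. A header comment stating where this template came from (it appears to follow the provider's documented OpenStack setup — confirm) would help the next reader decide what is safe to change, e.g. `# Adapted from the GandiCloud NixOS/OpenStack guidance; host-specific settings belong in default.nix.`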

28
hosts/apogee/matrix.nix Normal file

@ -0,0 +1,28 @@
{ config, ... }:
let domain = "leaf.ninja";
in {
age.secrets.synapse-secrets-config.file =
./secrets/synapse-secrets-config.age;
services.matrix-synapse = {
enable = true;
extraConfigFiles = [ config.age.secrets.synapse-secrets-config.path ];
settings = {
server_name = domain;
database_type = "psycopg2";
database_args.database = "matrix-synapse";
};
};
networking.firewall.allowedTCPPorts = [
8448 # Matrix federation
];
services.caddy = {
enable = true;
virtualHosts."matrix.${domain}".extraConfig = ''
reverse_proxy /_matrix/* localhost:8008
reverse_proxy /_synapse/client/* localhost:8008
'';
};
}
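Review bot: The new `age.secrets.synapse-secrets-config` entry sets neither `owner` nor `mode`, whereas the hosts/quasar/matrix.nix deleted in this commit set `owner = "matrix-synapse"; mode = "400";` on the equivalent secret; with agenix's defaults the decrypted file is root-owned, and since synapse presumably reads extraConfigFiles under its own user, it is likely unable to open it — restore those two attributes. The firewall entry opens 8448 but nothing in this file listens there (Caddy only serves `matrix.${domain}` over HTTPS and proxies to 8008), while 80 and 443, which Caddy needs for ACME and the proxy, are not opened anywhere in the visible apogee config; the other hosts use `firewall.allowedTCPPorts = [ 80 443 ]`, so either drop 8448 or add the ports Caddy actually binds. The deleted quasar vhost also served `/.well-known/matrix/server` and a Strict-Transport-Security header, both absent here, so federation delegation for `leaf.ninja` now depends on something outside this repository — worth a comment saying where that lives.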


@ -0,0 +1,6 @@
age-encryption.org/v1
-> ssh-ed25519 f+PJrQ 2Gd75cRZviUH5xYRTC+6oKAT5/FfpY2zfMJVYwVlcCs
eA4B5qHSoPujIgcpBl4UOT8ovvdiTUb16Yk/lHNJJKo
--- 58bdTWl7z2skdVACACl/aAt76ciYkJOjnvDyendgKpQ
Q¼³¿‡vð¨ÖÑ=·VU&÷‡ÿLd°<¸#³¥Ëh~yð"«kvõ1I<31>ƒz?»U“……üåH
rÑYIm½¤lÒÈhÓû&<26>ðÁªPqžK>Œsž;տɅuX7·¥Îó©¿z<C2BF>-¦(êȬ


@ -1,14 +1,8 @@
{ modulesPath, nixosModules, agenix, lib, pkgs, ... }: {
{ nixosModules, modulesPath, lib, pkgs, ... }: {
imports = [
"${modulesPath}/virtualisation/amazon-image.nix"
nixosModules.nano
nixosModules.nettika
nixosModules.promptmoji
agenix.nixosModules.default
./forgejo.nix
./links.nix
./radicale.nix
./vaultwarden.nix
];
boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
@ -19,28 +13,23 @@
dates = "weekly";
options = "--delete-older-than 30d";
};
settings = {
trusted-users = [ "@wheel" ];
experimental-features = [ "nix-command" "flakes" ];
};
settings.trusted-users = [ "@wheel" ];
};
networking = {
hostName = "astral";
firewall.allowedTCPPorts = [ 80 443 ];
networkmanager.enable = true;
};
users.defaultUserShell = pkgs.fish;
security.sudo.wheelNeedsPassword = false;
environment.variables.EDITOR = "nano";
services.caddy = {
enable = true;
package = pkgs.caddy.withPlugins {
plugins =
[ "github.com/abiosoft/caddy-exec@v0.0.0-20240914124740-521d8736cb4d" ];
hash = "sha256-ef6/x7wjKk0axjX6MfAzTTwPM2FTOTSSyI9zLLrczV0=";
};
virtualHosts = {
"astral.leaf.ninja".extraConfig = ''
respond "astral is online"
@ -49,13 +38,32 @@
};
};
services.postgresql.enable = true;
programs.fish.enable = true;
programs.git = {
enable = true;
lfs.enable = true;
config = {
init.defaultBranch = "master";
user = {
email = "git@nettika.cat";
name = "Nettika";
};
credential.helper = "store";
};
};
programs.nano = {
enable = true;
nanorc = ''
set autoindent
set linenumbers
'';
};
documentation.man.generateCaches = false;
promptSymbol = "👻";
promptSymbol = "";
time.timeZone = "America/Los_Angeles";
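Review bot: The programs.git block added in the third hunk sets `credential.helper = "store"` on a headless server; that helper writes every credential git is handed to a plaintext ~/.git-credentials, which is hard to justify on a VPS whose git use is unclear now that forgejo.nix is removed — drop that line (or the whole programs.git block) on astral and keep it only where an interactive user needs it. In the second hunk `experimental-features = [ "nix-command" "flakes" ]` is removed from nix.settings while astral is still built as a flake host; unless nixosModules.nettika sets it, `nixos-rebuild --flake` on the host will stop working, so confirm where it now comes from. The replacement `promptSymbol = ""` (old value "👻") may be a rendering artefact of the emoji — worth confirming the intended value.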


@ -1,38 +0,0 @@
{ config, pkgs, ... }:
let domain = "git.leaf.ninja";
in {
services.forgejo = {
enable = true;
database.type = "postgres";
lfs.enable = true;
settings = {
server = {
DOMAIN = domain;
ROOT_URL = "https://${domain}/";
HTTP_PORT = 3000;
};
service.DISABLE_REGISTRATION = true;
mailer = {
ENABLED = true;
SMTP_ADDR = "smtp.migadu.com";
FROM = "forgejo@leaf.ninja";
USER = "forgejo@$leaf.ninja";
};
webhook.ALLOWED_HOST_LIST =
pkgs.lib.concatStringsSep "," [ "localhost" "::1" ];
};
secrets = {
mailer.PASSWD = config.age.secrets.forgejo-mailer-password.path;
};
};
services.caddy.virtualHosts.${domain}.extraConfig = ''
reverse_proxy localhost:3000
'';
age.secrets.forgejo-mailer-password = {
file = ./secrets/forgejo-mailer-password.age;
mode = "400";
owner = "forgejo";
};
}


@ -1,21 +0,0 @@
{ pkgs, lib, ... }:
let
domain = "nettika.leaf.ninja";
root = "/srv/links";
in {
services.caddy.virtualHosts = {
${domain}.extraConfig = ''
root * ${root}
file_server
'';
"http://localhost:8081".extraConfig = let git = lib.getExe pkgs.git;
in ''
route {
exec {
command ${git} pull --rebase
directory ${root}
}
}
'';
};
}


@ -1,25 +0,0 @@
{ config, ... }:
let domain = "radicale.leaf.ninja";
in {
age.secrets.radicale-htpasswd = {
file = ./secrets/radicale-htpasswd;
mode = "400";
owner = "radicale";
};
services.radicale = {
enable = true;
settings = {
server.hosts = [ "localhost:5232" ];
auth = {
type = "htpasswd";
htpasswd_filename = config.age.secrets.radicale-htpasswd.path;
htpasswd_encryption = "plain";
};
};
};
services.caddy.virtualHosts.${domain}.extraConfig = ''
reverse_proxy localhost:5232
'';
}


@ -1,7 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 f+PJrQ 6h8dfxbHOBbyTK6iwzbqVpUUYJtJhg6XMAoRWDhbdT8
kZSsccA4qkiTS8wNdZphZ9cioiFbXjR4xkVZBi1j0aM
-> ssh-ed25519 nz/vnw Q+BuraNFun6RwcLPFcKcjBptgpZdddI+hQP2UVKFJmA
WJNvdIDTDBXbaXYw7gom7YQTTNrxlsP1EvTDNN5G9+0
--- a6gvFS7YixX30i1Jm04vrwzq3Xh9iXufdnZMnPPI+Mw
ÒÍÔ‡]‡¤h6µ+„2xDŸ ÇUŸãZºâeAzêÿ³DkÔLÇ;½†Iª ê/Œæ'®éøï4nL»T<4Ó}iãÁí _ÛÝà


@ -1,9 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 f+PJrQ pKqLrqz0R7kAzNQZ3ChRsoWa63JEN2H2KHtGguF5nSc
6Mk1qDWKx26jPdEzaVMh0vgUeVWjAGcmIPpvSU8BFNE
-> ssh-ed25519 nz/vnw 0PuVNQ97Qa6iCk4pPf34lgS1aPb4CeDB4Qclk5F24T4
OwJOYMTlTY9+Pj/BwG09z4q2/QViii710Kh3xPU5FRA
--- mSdutlC3gFq8lDjeOGqi361i+DUI1Yg6Bpl7hCfznJA
“ÜtQÆ/í rNeKeíé¸Ñ¥Äè~ˆý¾×Ÿ{_¡o
y_Ü­}¸Ã»P*W5<57>»´õFû.ECø¡Z©å#;
£¢ð§Ûli…Ô§±*´Î]yT


@ -1,25 +0,0 @@
{ config, ... }:
let domain = "vault.leaf.ninja";
in {
services.vaultwarden = {
enable = true;
config = {
domain = "https://${domain}";
signupsAllowed = false;
rocketAddress = "0.0.0.0";
rocketPort = 8222;
smtpHost = "smtp.migadu.com";
smtpFrom = "vaultwarden@leaf.ninja";
smtpPort = 587;
smtpSecurity = "starttls";
smtpUsername = "vaultwarden@leaf.ninja";
};
environmentFile = config.age.secrets.vaultwarden-env.path;
};
services.caddy.virtualHosts.${domain}.extraConfig = ''
reverse_proxy localhost:8222
'';
age.secrets.vaultwarden-env.file = ./secrets/vaultwarden-env.age;
}


@ -1,24 +1,17 @@
{ self, nixpkgs, phps, agenix }:
let
baseSpecialArgs = {
inherit (self) nixosModules;
inherit agenix;
};
nixosSystem = args:
nixpkgs.lib.nixosSystem
(nixpkgs.lib.recursiveUpdate args { specialArgs = baseSpecialArgs; });
{ self, nixpkgs, phps, agenix, ... }:
let inherit (nixpkgs.lib) nixosSystem;
in {
marauder = nixosSystem {
system = "x86_64-linux";
modules = [ ./marauder ];
specialArgs = { inherit phps; };
specialArgs = {
inherit (self) nixosModules;
inherit phps agenix;
};
};
astral = nixosSystem {
system = "x86_64-linux";
modules = [ ./astral ];
};
quasar = nixosSystem {
system = "x86_64-linux";
modules = [ ./quasar ];
specialArgs = { inherit (self) nixosModules; };
};
}
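Review bot: After the `baseSpecialArgs` wrapper is removed, only the marauder entry receives `specialArgs` on the new side; the astral entry passes none, yet hosts/astral/default.nix in this same commit still takes `nixosModules` in its argument set and imports nixosModules.nettika and nixosModules.promptmoji, so evaluating astral should fail on a missing `nixosModules` argument — unless astral's block has lines the rendering does not show. The new hosts/apogee directory is also not registered here as far as the visible new side goes, and hosts/apogee/default.nix itself imports neither nixosModules.promptmoji (it sets `promptSymbol`) nor agenix.nixosModules.default (its matrix.nix uses `age.secrets`), so an apogee entry should pass both through specialArgs the way marauder does. The entries below keep the per-host specialArgs style the commit introduces.
```nix
  astral = nixosSystem {
    system = "x86_64-linux";
    modules = [ ./astral ];
    specialArgs = { inherit (self) nixosModules; };
  };
  apogee = nixosSystem {
    system = "x86_64-linux";
    modules = [ ./apogee ];
    specialArgs = {
      inherit (self) nixosModules;
      inherit agenix;
    };
  };
```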


@ -11,7 +11,6 @@ let
in {
imports = [
./backup.nix
nixosModules.nano
nixosModules.nettika
nixosModules.promptmoji
agenix.nixosModules.default
@ -31,6 +30,8 @@ in {
nixpkgs.config.allowUnfree = true;
environment.variables.EDITOR = "nano";
documentation.man.generateCaches = false;
environment.variables = {
@ -76,7 +77,6 @@ in {
};
kernelModules = [ "kvm-amd" ];
kernelParams = [ "amd_pstate=active" ];
binfmt.emulatedSystems = [ "aarch64-linux" ];
};
hardware = {
@ -103,74 +103,69 @@ in {
environment.systemPackages = with pkgs; [
# Chat clients
discord
cinny-desktop
signal-desktop
slack
element-desktop
telegram-desktop
signal-desktop
# Browsers
filezilla
firefox
filezilla
# Creative
bambu-studio
blender
gimp
inkscape
gimp
krita
openscad-unstable
bambu-studio
orca-slicer
plasticity
# Multimedia
ffcheck
ffmpeg
vlc
ffmpeg
ffcheck
aonsoku
# Editors
abiword
obsidian
# Code Editors
vscode
arduino-ide
# Dev Tools
fossil
just
kondo
nixd
nixfmt-classic
nixpkgs-fmt
pyenv
rustup
electron
uv
ruff
fossil
just
dioxus-cli
# Languages
gcc
kotlin
nodejs
php
# Command line
agenix.packages.x86_64-linux.default
backblaze-b2
dig
htop
jq
unzip
zip
# Network
mullvad-vpn
qbittorrent
# Utility Apps
baobab
gparted
system-config-printer
backblaze-b2
# Misc
gcc
obsidian
intiface-central
prismlauncher
blender
mullvad-vpn
qbittorrent
system-config-printer
openssl
pkg-config
prismlauncher
agenix.packages.x86_64-linux.default
abiword
];
programs.git = {
@ -178,15 +173,22 @@ in {
lfs.enable = true;
config = {
init.defaultBranch = "master";
push.autoSetupRemote = true;
user = {
name = "Nettika";
email = "git@nettika.cat";
name = "Nettika";
};
credential.helper = "store";
};
};
programs.nano = {
enable = true;
nanorc = ''
set autoindent
set linenumbers
'';
};
programs.steam = {
enable = true;
remotePlay.openFirewall = true;
@ -197,7 +199,7 @@ in {
programs.ssh.extraConfig = ''
Host quasar
HostName quasar.leaf.ninja
HostName consortium.chat
IdentityFile ~/.ssh/LightsailDefaultKey-us-west-2.pem
Host monolith
@ -206,6 +208,9 @@ in {
Host astral
HostName astral.leaf.ninja
IdentityFile ~/.ssh/LightsailDefaultKey-us-west-2.pem
Host apogee
HostName 46.226.107.209
'';
services.mysql = {
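Review bot: The `Host quasar` stanza is kept (with its HostName changed to consortium.chat) in the same commit that deletes hosts/quasar, so the alias now points at a machine this repository no longer manages; if the server is gone, remove the stanza rather than retarget it, and if it still exists a comment saying it is managed elsewhere would stop the next reader from treating it as stale. The new `Host apogee` entry uses the literal address 46.226.107.209 where every other stanza uses a DNS name, and unlike them gives no IdentityFile; a name under leaf.ninja (or a comment explaining why the address is pinned) would keep the block consistent. The ssh extraConfig string starts before this hunk.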


@ -1,6 +1,5 @@
age-encryption.org/v1
-> ssh-ed25519 f+PJrQ VJshLBSbF93anR9fOJ3Kwhxh1AOdvsS0hoJ86Bw9oBQ
It8hELrRN+EYt9nv75lVHha+ZDUhCDNQVczDZVlDCBs
--- xzJ/50+WOA+IWRXiAvBbJLUlsgsSztQrzbimng2QdlU
<EFBFBD>´Ï¬jÒ<>ÿ8K7$ðwÃbԲǰ€Ì~]NBª]QÐM+cw
þþÔJ•o—Í”ÔSîØš!N¨Du¦OÈnçZnNâæÍѵV¬:ŒŸ®¬kúÝcó)|æŒJ…opÇSÎH˜«f§ùØu1šã9Çå
-> ssh-ed25519 f+PJrQ qccE2xAzfBZ3DCRQtQDgwS1UzjlZx44oUrYjcDfMfDk
I2l6xRJsdQLYB2cMo0Kfi6mVyhZsuSPFG574P8pl12Y
--- WoBlo7fqYRkiBYPoLpa3wHB8ZPCVy32a4aL5UswCHJc
LŁćΚČ[¤Nî<#Ő]<5D> ź<>üBÄ}×fË%P„ôxK±Ű¨ţkI˝©”<§V<C2A7>ź…¶YÄ5#ĺ±đ÷ű”qEł4­®¶l—ËřFľ“8ukȨ<C48C>űÂ%Ŕ´U53yěű"Ťg\î<>©ŞZćŮC®őWĄ˛g­z


@ -1,49 +0,0 @@
{ modulesPath, nixosModules, agenix, pkgs, config, ... }: {
imports = [
"${modulesPath}/virtualisation/amazon-image.nix"
nixosModules.nano
nixosModules.nettika
nixosModules.promptmoji
agenix.nixosModules.default
./matrix.nix
];
nixpkgs.config.allowUnfree = true;
nix.settings = {
experimental-features = [ "nix-command" "flakes" ];
trusted-users = [ "@wheel" ];
};
security.sudo.wheelNeedsPassword = false;
users.defaultUserShell = pkgs.fish;
networking = {
hostName = "quasar";
networkmanager.enable = true;
firewall.allowedTCPPorts = [ 80 443 ];
};
environment.systemPackages = [ pkgs.htop ];
services.postgresql.enable = true;
services.caddy = {
enable = true;
virtualHosts."quasar.leaf.ninja".extraConfig = ''
respond "quasar is online"
header Strict-Transport-Security: "max-age=63072000; includeSubDomains"
'';
};
programs.fish.enable = true;
promptSymbol = "🌟";
documentation.man.generateCaches = false;
time.timeZone = "America/Los_Angeles";
system.stateVersion = "24.05";
}


@ -1,46 +0,0 @@
{ pkgs, config, ... }:
let
canonicalDomain = "consortium.chat";
delegatedDomain = "matrix.consortium.chat";
adminAppDomain = "admin.consortium.chat";
in {
age.secrets.matrix-synapse-secrets = {
file = ./secrets/matrix-synapse-secrets.yaml;
owner = "matrix-synapse";
mode = "400";
};
services.matrix-synapse = {
enable = true;
settings = {
server_name = "consortium.chat";
database_type = "psycopg2";
database_args.database = "matrix-synapse";
};
extraConfigFiles = [ config.age.secrets.matrix-synapse-secrets.path ];
};
services.caddy.virtualHosts = {
${canonicalDomain}.extraConfig = let
wellknown = {
server = builtins.toJSON { "m.server" = "${delegatedDomain}:443"; };
client = builtins.toJSON {
"m.homeserver".base_url = "https://${delegatedDomain}";
};
};
in ''
respond /.well-known/matrix/server `${wellknown.server}` 200
respond /.well-known/matrix/client `${wellknown.client}` 200
reverse_proxy localhost:8008
header Strict-Transport-Security "max-age=63072000; includeSubDomains"
'';
${delegatedDomain}.extraConfig = ''
reverse_proxy /_matrix/* localhost:8008
reverse_proxy /_synapse/client/* localhost:8008
'';
${adminAppDomain}.extraConfig = ''
root * ${pkgs.synapse-admin}
file_server
'';
};
}


@ -1,6 +0,0 @@
# Hosts
- [astral](astral) - VPS running miscellaneous servers
- [marauder](marauder) - My laptop
- [quasar](quasar) - VPS running the [consortium.chat](https://consortium.chat)
matrix-synapse instance


@ -1,5 +1,4 @@
{
nano = ./nano.nix;
nettika = ./nettika.nix;
promptmoji = ./promptmoji.nix;
}


@ -1,11 +0,0 @@
{ ... }: {
environment.variables.EDITOR = "nano";
programs.nano = {
enable = true;
nanorc = ''
set autoindent
set linenumbers
'';
};
}


@ -1,7 +0,0 @@
# Modules
- `nano`: Base config for [nano](https://www.nano-editor.org)
- `nettika`: Base config for user "nettika"
- `promptmoji`: Fish prompt starting with an emoji to indicate which host I'm
logged into. The emoji is configured with `promptSymbol`. Ignored if
`programs.fish.enabled` is false.


@ -1,4 +0,0 @@
# Nettika's NixOS Configs
- [hosts](hosts) - my `nixosConfigurations`
- [modules](modules) - my `nixosModules`


@ -1,17 +1,8 @@
let
marauder =
marauder.nettika =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHopty1QG8P+OfGxQ9CV0BI1IRB/q6yITzMZaZ6Zspid";
astral =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRJf6qsNoITXPBdiFsmZuLR0dyP/D6WYNP/RQynl3kf";
quasar =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoVsKoMEiA2G0WIC/6gFsNE09yhumWf4xnDuoRcD2Px";
in {
"hosts/marauder/secrets/restic-env.age".publicKeys = [ marauder ];
"hosts/marauder/secrets/restic-password.age".publicKeys = [ marauder ];
"hosts/quasar/secrets/matrix-synapse-secrets.yaml".publicKeys =
[ marauder quasar ];
"hosts/astral/secrets/vaultwarden-env.age".publicKeys = [ marauder astral ];
"hosts/astral/secrets/forgejo-mailer-password.age".publicKeys =
[ marauder astral ];
"hosts/astral/secrets/radicale-htpasswd".publicKeys = [ marauder astral ];
"hosts/marauder/secrets/restic-env.age".publicKeys = [ marauder.nettika ];
"hosts/marauder/secrets/restic-password.age".publicKeys =
[ marauder.nettika ];
}
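Review bot: The new hosts/apogee/secrets/synapse-secrets-config.age is not registered in this file and no key for the apogee host is declared, so `agenix -r` will not rekey it and its recipient set cannot be audited from the repository. The header of that .age file lists a single ssh-ed25519 recipient (`f+PJrQ`), the same sole recipient as the marauder-only restic secrets, which suggests it is encrypted to the marauder key but not to apogee's host key; if so, agenix on apogee cannot decrypt it at activation. Add the host key and register the file: `apogee = "ssh-ed25519 <APOGEE-HOST-KEY placeholder>";` in the let block and `"hosts/apogee/secrets/synapse-secrets-config.age".publicKeys = [ marauder.nettika apogee ];` in the attribute set, then re-encrypt the secret so both recipients appear in its header.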