Migrated to NixOS (Oh Happy day!!)

2026-04-14 14:46:35 +02:00
parent b3ac11ef38
commit 77ba1cab5f
11 changed files with 196 additions and 129 deletions

flake.lock generated

@@ -669,6 +669,42 @@
"type": "github" "type": "github"
} }
}, },
"nixlib": {
"locked": {
"lastModified": 1736643958,
"narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixos-generators": {
"inputs": {
"nixlib": "nixlib",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1769813415,
"narHash": "sha256-nnVmNNKBi1YiBNPhKclNYDORoHkuKipoz7EtVnXO50A=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "8946737ff703382fda7623b9fab071d037e897d5",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixos-generators",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1775423009, "lastModified": 1775423009,
@@ -771,6 +807,7 @@
"hyprland-plugins": "hyprland-plugins", "hyprland-plugins": "hyprland-plugins",
"nix-homebrew": "nix-homebrew", "nix-homebrew": "nix-homebrew",
"nixcord": "nixcord", "nixcord": "nixcord",
"nixos-generators": "nixos-generators",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixvim": "nixvim", "nixvim": "nixvim",
"sops-nix": "sops-nix", "sops-nix": "sops-nix",


@@ -5,6 +5,11 @@
# monorepo w/ recipes ("derivations") # monorepo w/ recipes ("derivations")
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
nixos-generators = {
url = "github:nix-community/nixos-generators";
inputs.nixpkgs.follows = "nixpkgs";
};
# declarative Configs # declarative Configs
home-manager = { home-manager = {
url = "github:nix-community/home-manager/master"; url = "github:nix-community/home-manager/master";
@@ -79,6 +84,7 @@
nixvim, nixvim,
hyprland, hyprland,
sops-nix, sops-nix,
nixos-generators,
... ...
}@inputs: }@inputs:
let let
@@ -169,5 +175,37 @@
system = "x86_64-darwin"; system = "x86_64-darwin";
isDarwin = true; isDarwin = true;
}; };
# NEW: flashable image for cyper-controller
packages.x86_64-linux.cyper-controller-image = nixos-generators.nixosGenerate {
system = "x86_64-linux";
format = "raw-efi";
specialArgs = {
inherit inputs primaryUser self;
hostName = "cyper-controller";
isDarwin = false;
isServer = true;
};
modules = [
{ nixpkgs.hostPlatform = "x86_64-linux"; }
{ networking.hostName = "cyper-controller"; }
./hosts/cyper-controller/configuration.nix
./nixos
inputs.sops-nix.nixosModules.sops
inputs.home-manager.nixosModules.home-manager
{
home-manager = {
extraSpecialArgs = {
inherit inputs primaryUser self;
hostName = "cyper-controller";
isDarwin = false;
isServer = true;
};
users.${primaryUser} = import ./home;
backupFileExtension = "backup";
};
}
];
};
}; };
} }
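Review bot: The new `cyper-controller-image` package pulls `inputs.sops-nix.nixosModules.sops` into a flashable raw-efi image, but nothing in the package provisions the age/SSH host key that sops-nix decrypts with, so secrets will presumably fail to decrypt on the first boot of a freshly flashed device unless the key is placed on the disk out of band — confirm how it gets there and say so next to the package, e.g. `# NOTE: sops secrets need the host key present before first activation; the image does not carry it`. The same module list includes the hardware configuration that now `lib.mkForce`s `/` and `/boot` to the NIXROOT/NIXBOOT labels, and nixos-generators' raw-efi format writes its own partition labels as far as I know, so the image may not find its root unless the labels agree; a one-line comment on why the override is needed would spare the next person a non-booting image. The `home-manager.backupFileExtension = "backup"` inside an image build is harmless but misleading, since there is nothing to back up on first boot.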


@@ -6,7 +6,7 @@
../../nixos/roles/postgresql.nix ../../nixos/roles/postgresql.nix
../../nixos/roles/wyl.nix ../../nixos/roles/wyl.nix
../../nixos/roles/adguard.nix ../../nixos/roles/adguard.nix
../../nixos/roles/unifi.nix # ../../nixos/roles/unifi.nix
../../nixos/roles/searxng.nix ../../nixos/roles/searxng.nix
../../nixos/roles/filebrowser.nix ../../nixos/roles/filebrowser.nix
../../nixos/roles/gitea.nix ../../nixos/roles/gitea.nix


@@ -2,6 +2,7 @@
config, config,
lib, lib,
modulesPath, modulesPath,
primaryUser,
... ...
}: }:
@@ -21,13 +22,14 @@
kernelModules = [ "kvm-intel" ]; kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ]; extraModulePackages = [ ];
}; };
fileSystems = { fileSystems = {
"/" = { "/" = lib.mkForce {
device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "ext4"; fsType = "ext4";
}; };
"/boot" = { "/boot" = lib.mkForce {
device = "/dev/disk/by-label/NIXBOOT"; device = "/dev/disk/by-label/NIXBOOT";
fsType = "vfat"; fsType = "vfat";
options = [ options = [
@@ -37,8 +39,47 @@
}; };
# TODO: Add External Devices as by-label with no necessity for boot # TODO: Add External Devices as by-label with no necessity for boot
"/storage/internal" = {
device = "/dev/disk/by-label/STORAGE";
fsType = "btrfs";
options = [
"compress=zstd"
"noatime"
"nofail"
];
}; };
"/storage/fast" = {
device = "/dev/disk/by-label/FAST";
fsType = "ext4";
options = [
"nofail"
"noatime"
"x-systemd.automount"
"x-systemd.idle-timeout=60"
];
};
"/storage/backup" = {
device = "/dev/disk/by-label/BACKUP";
fsType = "ext4";
options = [
"nofail"
"noatime"
"x-systemd.automount"
"x-systemd.idle-timeout=60"
];
};
};
systemd.tmpfiles.rules = [
"d /storage 0755 ${primaryUser} users -"
"d /storage/internal 0755 ${primaryUser} users -"
"d /storage/fast 0755 ${primaryUser} users -"
"d /storage/backup 0755 ${primaryUser} users -"
];
swapDevices = [ swapDevices = [
{ {
device = "/swapfile"; device = "/swapfile";
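Review bot: The tmpfiles rules `d /storage/internal 0755 ${primaryUser} users -` (and the `fast`/`backup` twins) only shape the mountpoint directories on the root filesystem, not the mounted disks; once STORAGE/FAST/BACKUP are mounted, ownership comes from each filesystem's own root, and with `nofail` plus `x-systemd.automount` a missing or failed disk leaves a primaryUser-writable directory on `/` that anything writing under `/storage` will silently fill. Consider keeping only `"d /storage 0755 ${primaryUser} users -"` and making the three mountpoints root-owned (e.g. `"d /storage/backup 0755 root root -"`) so a write to an unmounted path fails loudly instead of landing on the root disk. The `lib.mkForce` on `/` and `/boot` also deserves a why-comment, since it presumably exists to beat the definitions the raw-efi image format injects; the `fileSystems` attrset this hunk edits closes here but its `swapDevices` sibling runs past the hunk.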


@@ -51,6 +51,34 @@
}; };
}; };
virtualisation = lib.mkIf isServer {
vmVariant = {
virtualisation = {
forwardPorts = [
{
from = "host";
host.port = 2222;
guest.port = 22;
}
];
qemu.networkingOptions = [
"-device virtio-net-pci,netdev=net0"
"-netdev user,id=net0,net=10.0.2.0/24,dhcpstart=10.0.2.15"
];
};
systemd.network.networks."10-ethernet" = lib.mkForce {
matchConfig.Name = "ens*";
networkConfig = {
Address = "10.0.2.15/24";
Gateway = "10.0.2.2";
DNS = "8.8.8.8";
DHCP = "no";
};
};
};
};
documentation = { documentation = {
enable = true; enable = true;
doc.enable = false; doc.enable = false;
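Review bot: The `forwardPorts` entry `from = "host"; host.port = 2222; guest.port = 22;` sets no `host.address`, and the NixOS vmVariant option defaults that to all host interfaces as far as I recall, so running the test VM publishes the guest's SSH on the host's LAN at :2222; add `host.address = "127.0.0.1";` unless remote access to the VM is intended. The `mkForce`d `10-ethernet` unit with `DNS = "8.8.8.8"` only applies inside the QEMU user network (gateway 10.0.2.2) and is presumably overriding a definition elsewhere in `./nixos`; a short comment such as `# vmVariant only: static addressing on QEMU's slirp network, real hosts use the 10-ethernet unit defined elsewhere` would make that clear. The `documentation` block that follows is unchanged context and ends outside the hunk.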


@@ -50,7 +50,7 @@ in
}; };
dhcp = { dhcp = {
enabled = false; enabled = true;
interface_name = primaryInterface; interface_name = primaryInterface;
local_domain_name = "lan"; local_domain_name = "lan";
dhcpv4 = { dhcpv4 = {
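Review bot: Flipping `dhcp.enabled` to `true` makes this host a DHCP server on `primaryInterface`; with the unifi role commented out in the same commit I assume the router's DHCP is being replaced, but if both keep answering, clients get competing leases. State the assumption where the next reader will see it: `# This host is the LAN's only DHCP server; the router/Unifi DHCP must stay disabled.` The `dhcpv4` range begins after this hunk and the enclosing `dhcp` attrset also closes outside it, so I could not check the pool against the static addresses used elsewhere.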


@@ -4,16 +4,13 @@
enable = true; enable = true;
settings = { settings = {
port = 8080; port = 10000;
address = "0.0.0.0"; address = "0.0.0.0";
baseURL = "/filebrowser"; baseURL = "/filebrowser";
root = "/storage"; root = "/storage";
}; };
# If you want the port opened in the firewall:
openFirewall = true; openFirewall = true;
}; };
#networking.firewall.allowedTCPPorts = [ 8080 ];
} }
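Review bot: With `address = "0.0.0.0"`, `openFirewall = true` and `root = "/storage"`, File Browser's login form and the whole storage tree are reachable over plain HTTP on every interface at :10000, while `baseURL = "/filebrowser"` suggests a reverse proxy is meant to terminate TLS in front of it. If that proxy runs on this host, bind with `address = "127.0.0.1";` and drop `openFirewall = true;`; if it lives on another machine, limit :10000 to that source (interface-scoped `networking.firewall.interfaces.<iface>.allowedTCPPorts` or an `extraCommands` rule) rather than opening it globally, since the cookie and credentials otherwise cross the LAN unencrypted. A comment recording which proxy is expected in front would also explain the port move from 8080 to 10000.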


@@ -13,7 +13,7 @@ let
stripRoot = false; stripRoot = false;
}; };
domain = "192.168.2.31"; # swap to git.cyperpunk.de for prod domain = "git.cyperpunk.de"; # swap to git.cyperpunk.de for prod
httpPort = 9000; httpPort = 9000;
sshPort = 12222; sshPort = 12222;
in in
@@ -95,7 +95,7 @@ in
HTTP_PORT = httpPort; HTTP_PORT = httpPort;
SSH_PORT = sshPort; SSH_PORT = sshPort;
SSH_LISTEN_PORT = sshPort; SSH_LISTEN_PORT = sshPort;
ROOT_URL = "http://${domain}:${toString httpPort}/"; ROOT_URL = "https://${domain}/";
DISABLE_SSH = false; DISABLE_SSH = false;
START_SSH_SERVER = true; START_SSH_SERVER = true;
}; };
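Review bot: The trailing comment `# swap to git.cyperpunk.de for prod` is stale now that `domain` already is `git.cyperpunk.de`; replace it with what a reader actually needs, e.g. `# public hostname; TLS is terminated by the reverse proxy, Gitea itself still serves plain HTTP on httpPort`. That is the assumption the change relies on: `ROOT_URL` is now `https://${domain}/` while `HTTP_PORT = 9000` remains a cleartext listener, so if the proxy is external the firewall must restrict :9000 to it, otherwise session cookies issued for the https origin are sent in the clear to anyone who hits :9000 directly — worth confirming and documenting. The `let` binding and the `settings` attrset both start before and end after these hunks.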


@@ -6,8 +6,8 @@ let
in in
{ {
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
8008
8448 8448
8080
]; ];
sops.secrets = { sops.secrets = {
@@ -18,8 +18,7 @@ in
}; };
}; };
services = { services.matrix-synapse = {
matrix-synapse = {
enable = true; enable = true;
settings = { settings = {
server_name = "cyperpunk.de"; server_name = "cyperpunk.de";
@@ -33,7 +32,7 @@ in
listeners = [ listeners = [
{ {
port = 8008; port = 8008;
bind_addresses = [ "127.0.0.1" ]; bind_addresses = [ "0.0.0.0" ];
type = "http"; type = "http";
tls = false; tls = false;
x_forwarded = true; x_forwarded = true;
@@ -50,42 +49,4 @@ in
]; ];
}; };
}; };
nginx = {
enable = true;
virtualHosts = {
"matrix.cyperpunk.de" = {
locations."/" = {
proxyPass = "http://127.0.0.1:${toString (builtins.elemAt config.services.matrix-synapse.settings.listeners 0).port}";
proxyWebsockets = true;
extraConfig = ''
proxy_set_header Host matrix.cyperpunk.de;
'';
};
};
"cinny" = {
listen = [
{
addr = "0.0.0.0";
port = 8080;
}
];
locations."/" = {
alias = "${pkgs.cinny}/";
extraConfig = ''
try_files $uri $uri/ /index.html;
'';
};
};
"${serverIP}" = {
locations = {
"/_matrix/" = {
proxyPass = "http://127.0.0.1:${toString (builtins.elemAt config.services.matrix-synapse.settings.listeners 0).port}";
proxyWebsockets = true;
};
};
};
};
};
};
} }
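Review bot: Binding the client listener to `0.0.0.0` and adding 8008 to `allowedTCPPorts` while keeping `x_forwarded = true` means any client that reaches :8008 directly can forge `X-Forwarded-For`, and Synapse will log, rate-limit and IP-block on the forged address; `x_forwarded` is only safe on a listener that nothing but a trusted proxy can reach. Either keep `bind_addresses = [ "127.0.0.1" ];` (or a proxy-only address) and drop `8008` from the firewall list, or set `x_forwarded = false;` if the listener is now meant to be hit directly — and since it stays `tls = false`, making it network-reachable sends access tokens and passwords in cleartext unless an external proxy owns the only route. Removing the nginx block also removed the cinny web client vhost; confirm it is served elsewhere or note that it was dropped on purpose.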


@@ -35,10 +35,10 @@ in
}; };
settings = { settings = {
server = { server = {
domain = serverIP; # "grafana.cyperpunk.de"; domain = "www.cyperpunk.de"; # serverIP; # "grafana.cyperpunk.de";
http_port = 2342; http_port = 2342;
http_addr = "127.0.0.1"; http_addr = "0.0.0.0";
root_url = "http://${serverIP}/grafana/"; root_url = "http://www.cyperpunk.de/grafana/";
serve_from_sub_path = true; serve_from_sub_path = true;
}; };
security = { security = {
@@ -51,20 +51,6 @@ in
}; };
}; };
# nginx reverse proxy
nginx = {
enable = true;
virtualHosts."${serverIP}" = {
locations."/grafana/" = {
proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
proxyWebsockets = true;
extraConfig = ''
proxy_set_header Host ${serverIP};
'';
};
};
};
# TODO: Computers should register themselves # TODO: Computers should register themselves
prometheus = { prometheus = {
enable = true; enable = true;
@@ -133,9 +119,7 @@ in
}; };
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
80 2342
443
# TODO: Remove
9001 9001
3100 3100
]; ];
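Review bot: `root_url = "http://www.cyperpunk.de/grafana/"` keeps plain http while the Gitea and Vaultwarden roles in this same commit moved to `https://` URLs; if the public proxy serves Grafana over TLS, an http root_url breaks redirect/OAuth handling and the login cookie is not marked Secure. Change it to `root_url = "https://www.cyperpunk.de/grafana/";` and set `cookie_secure = true;` in the `security` block that follows (its body is outside the hunk). With `http_addr = "0.0.0.0"` and 2342 now opened in the firewall, the Grafana login is also reachable unencrypted from the LAN, so bind to the proxy's address or scope the port to it unless direct access is wanted; 9001 and 3100 remain open as well, with the `# TODO: Remove` reminder now gone.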


@@ -17,13 +17,12 @@ in
backupDir = "/var/local/vaultwarden/backup"; backupDir = "/var/local/vaultwarden/backup";
config = { config = {
DOMAIN = "http://${ip}:${toString port}"; DOMAIN = "https://vault.cyperpunk.de"; # "http://${ip}:${toString port}";
ROCKET_ADDRESS = "0.0.0.0"; ROCKET_ADDRESS = "0.0.0.0";
ROCKET_PORT = port; ROCKET_PORT = port;
ROCKET_LOG = "critical"; ROCKET_LOG = "critical";
SIGNUPS_ALLOWED = true; SIGNUPS_ALLOWED = true;
WEBSOCKET_ENABLED = true; WEBSOCKET_ENABLED = true;
ROCKET_TLS = "{certs=\"/var/lib/vaultwarden/ssl/cert.pem\",key=\"/var/lib/vaultwarden/ssl/key.pem\"}";
}; };
}; };
@@ -34,7 +33,8 @@ in
networking.firewall.allowedTCPPorts = [ port ]; networking.firewall.allowedTCPPorts = [ port ];
systemd.services.vaultwarden-backup-rotate = { systemd = {
services.vaultwarden-backup-rotate = {
description = "Rotate old Vaultwarden backups"; description = "Rotate old Vaultwarden backups";
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
@@ -42,31 +42,12 @@ in
}; };
}; };
systemd.timers.vaultwarden-backup-rotate = { timers.vaultwarden-backup-rotate = {
wantedBy = [ "timers.target" ]; wantedBy = [ "timers.target" ];
timerConfig = { timerConfig = {
OnCalendar = "daily"; OnCalendar = "daily";
Persistent = true; Persistent = true;
}; };
}; };
# TODO: Remove for proper TLS Setup
systemd.services.vaultwarden-gen-cert = {
description = "Generate self-signed cert for Vaultwarden";
before = [ "vaultwarden.service" ];
wantedBy = [ "vaultwarden.service" ];
serviceConfig.Type = "oneshot";
script = ''
mkdir -p /var/lib/vaultwarden/ssl
if [ ! -f /var/lib/vaultwarden/ssl/cert.pem ]; then
${pkgs.openssl}/bin/openssl req -x509 -newkey rsa:4096 -nodes \
-keyout /var/lib/vaultwarden/ssl/key.pem \
-out /var/lib/vaultwarden/ssl/cert.pem \
-days 3650 \
-subj "/CN=${ip}" \
-addext "subjectAltName=IP:${ip}"
chown -R vaultwarden:vaultwarden /var/lib/vaultwarden/ssl
fi
'';
}; };
} }
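Review bot: Dropping `ROCKET_TLS` together with the `vaultwarden-gen-cert` unit leaves Vaultwarden serving plain HTTP on `ROCKET_ADDRESS = "0.0.0.0"` with `port` opened in the firewall, so unless a TLS-terminating proxy is the only thing able to reach it, master-password hashes, vault ciphertext and session tokens cross the LAN in cleartext (and the web vault needs a secure context to work at all). Now that `DOMAIN` is a public hostname, the unchanged `SIGNUPS_ALLOWED = true` also lets anyone who can reach the proxy register an account; set `SIGNUPS_ALLOWED = false;` once the owner accounts exist and invite users from the admin page. Record the trust assumption in the config, e.g. `# TLS is terminated by the reverse proxy; this listener must not be reachable from outside the proxy host`, and consider binding to that proxy's address instead of `0.0.0.0`.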