Migrated to NixOS (Oh Happy day!!)

2026-04-14 14:46:35 +02:00
parent b3ac11ef38
commit 77ba1cab5f
11 changed files with 196 additions and 129 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -669,6 +669,42 @@
        "type": "github"
      }
    },
+    "nixlib": {
+      "locked": {
+        "lastModified": 1736643958,
+        "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "type": "github"
+      }
+    },
+    "nixos-generators": {
+      "inputs": {
+        "nixlib": "nixlib",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1769813415,
+        "narHash": "sha256-nnVmNNKBi1YiBNPhKclNYDORoHkuKipoz7EtVnXO50A=",
+        "owner": "nix-community",
+        "repo": "nixos-generators",
+        "rev": "8946737ff703382fda7623b9fab071d037e897d5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixos-generators",
+        "type": "github"
+      }
+    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1775423009,
@@ -771,6 +807,7 @@
        "hyprland-plugins": "hyprland-plugins",
        "nix-homebrew": "nix-homebrew",
        "nixcord": "nixcord",
+        "nixos-generators": "nixos-generators",
        "nixpkgs": "nixpkgs",
        "nixvim": "nixvim",
        "sops-nix": "sops-nix",
--- a/flake.nix
+++ b/flake.nix
@@ -5,6 +5,11 @@
    # monorepo w/ recipes ("derivations")
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";

+    nixos-generators = {
+      url = "github:nix-community/nixos-generators";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
    # declarative Configs
    home-manager = {
      url = "github:nix-community/home-manager/master";
@@ -79,6 +84,7 @@
      nixvim,
      hyprland,
      sops-nix,
+      nixos-generators,
      ...
    }@inputs:
    let
@@ -169,5 +175,37 @@
        system = "x86_64-darwin";
        isDarwin = true;
      };
+
+      # NEW: flashable image for cyper-controller
+      packages.x86_64-linux.cyper-controller-image = nixos-generators.nixosGenerate {
+        system = "x86_64-linux";
+        format = "raw-efi";
+        specialArgs = {
+          inherit inputs primaryUser self;
+          hostName = "cyper-controller";
+          isDarwin = false;
+          isServer = true;
+        };
+        modules = [
+          { nixpkgs.hostPlatform = "x86_64-linux"; }
+          { networking.hostName = "cyper-controller"; }
+          ./hosts/cyper-controller/configuration.nix
+          ./nixos
+          inputs.sops-nix.nixosModules.sops
+          inputs.home-manager.nixosModules.home-manager
+          {
+            home-manager = {
+              extraSpecialArgs = {
+                inherit inputs primaryUser self;
+                hostName = "cyper-controller";
+                isDarwin = false;
+                isServer = true;
+              };
+              users.${primaryUser} = import ./home;
+              backupFileExtension = "backup";
+            };
+          }
+        ];
+      };
    };
 }
--- a/hosts/cyper-controller/configuration.nix
+++ b/hosts/cyper-controller/configuration.nix
@@ -6,7 +6,7 @@
    ../../nixos/roles/postgresql.nix
    ../../nixos/roles/wyl.nix
    ../../nixos/roles/adguard.nix
-    ../../nixos/roles/unifi.nix
+#    ../../nixos/roles/unifi.nix
    ../../nixos/roles/searxng.nix
    ../../nixos/roles/filebrowser.nix
    ../../nixos/roles/gitea.nix
--- a/hosts/cyper-controller/hardware-configuration.nix
+++ b/hosts/cyper-controller/hardware-configuration.nix
@@ -2,6 +2,7 @@
  config,
  lib,
  modulesPath,
+  primaryUser,
  ...
 }:

@@ -21,13 +22,14 @@
    kernelModules = [ "kvm-intel" ];
    extraModulePackages = [ ];
  };
+
  fileSystems = {
-    "/" = {
+    "/" = lib.mkForce {
      device = "/dev/disk/by-label/NIXROOT";
      fsType = "ext4";
    };

-    "/boot" = {
+    "/boot" = lib.mkForce {
      device = "/dev/disk/by-label/NIXBOOT";
      fsType = "vfat";
      options = [
@@ -37,8 +39,47 @@
    };

    # TODO: Add External Devices as by-label with no necessity for boot
+    "/storage/internal" = {
+      device = "/dev/disk/by-label/STORAGE";
+      fsType = "btrfs";
+      options = [
+        "compress=zstd"
+        "noatime"
+        "nofail"
+      ];
+    };
+
+    "/storage/fast" = {
+      device = "/dev/disk/by-label/FAST";
+      fsType = "ext4";
+      options = [
+        "nofail"
+        "noatime"
+        "x-systemd.automount"
+        "x-systemd.idle-timeout=60"
+      ];
+    };
+
+    "/storage/backup" = {
+      device = "/dev/disk/by-label/BACKUP";
+      fsType = "ext4";
+      options = [
+        "nofail"
+        "noatime"
+        "x-systemd.automount"
+        "x-systemd.idle-timeout=60"
+      ];
+    };
+
  };

+  systemd.tmpfiles.rules = [
+    "d /storage 0755 ${primaryUser} users -"
+    "d /storage/internal 0755 ${primaryUser} users -"
+    "d /storage/fast 0755 ${primaryUser} users -"
+    "d /storage/backup 0755 ${primaryUser} users -"
+  ];
+
  swapDevices = [
    {
      device = "/swapfile";
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -51,6 +51,34 @@
    };
  };

+  virtualisation = lib.mkIf isServer {
+    vmVariant = {
+      virtualisation = {
+        forwardPorts = [
+          {
+            from = "host";
+            host.port = 2222;
+            guest.port = 22;
+          }
+        ];
+        qemu.networkingOptions = [
+          "-device virtio-net-pci,netdev=net0"
+          "-netdev user,id=net0,net=10.0.2.0/24,dhcpstart=10.0.2.15"
+        ];
+      };
+
+      systemd.network.networks."10-ethernet" = lib.mkForce {
+        matchConfig.Name = "ens*";
+        networkConfig = {
+          Address = "10.0.2.15/24";
+          Gateway = "10.0.2.2";
+          DNS = "8.8.8.8";
+          DHCP = "no";
+        };
+      };
+    };
+  };
+
  documentation = {
    enable = true;
    doc.enable = false;
--- a/nixos/roles/adguard.nix
+++ b/nixos/roles/adguard.nix
@@ -50,7 +50,7 @@ in
        };

        dhcp = {
-          enabled = false;
+          enabled = true;
          interface_name = primaryInterface;
          local_domain_name = "lan";
          dhcpv4 = {
--- a/nixos/roles/filebrowser.nix
+++ b/nixos/roles/filebrowser.nix
@@ -4,16 +4,13 @@
    enable = true;

    settings = {
-      port = 8080;
+      port = 10000;
      address = "0.0.0.0";
      baseURL = "/filebrowser";
      root = "/storage";
    };

-    # If you want the port opened in the firewall:
    openFirewall = true;
  };

-  #networking.firewall.allowedTCPPorts = [ 8080 ];
-
 }
--- a/nixos/roles/gitea.nix
+++ b/nixos/roles/gitea.nix
@@ -13,7 +13,7 @@ let
    stripRoot = false;
  };

-  domain = "192.168.2.31"; # swap to git.cyperpunk.de for prod
+  domain = "git.cyperpunk.de"; # swap to git.cyperpunk.de for prod
  httpPort = 9000;
  sshPort = 12222;
 in
@@ -95,7 +95,7 @@ in
        HTTP_PORT = httpPort;
        SSH_PORT = sshPort;
        SSH_LISTEN_PORT = sshPort;
-        ROOT_URL = "http://${domain}:${toString httpPort}/";
+        ROOT_URL = "https://${domain}/";
        DISABLE_SSH = false;
        START_SSH_SERVER = true;
      };
--- a/nixos/roles/matrix.nix
+++ b/nixos/roles/matrix.nix
@@ -6,8 +6,8 @@ let
 in
 {
  networking.firewall.allowedTCPPorts = [
+    8008
    8448
-    8080
  ];

  sops.secrets = {
@@ -18,74 +18,35 @@ in
    };
  };

-  services = {
-    matrix-synapse = {
-      enable = true;
-      settings = {
-        server_name = "cyperpunk.de";
-        public_baseurl = "http://matrix.cyperpunk.de";
-        enable_registration = false; # TODO: disable
-        enable_registration_without_verfication = true;
-        trusted_key_servers = [ { server_name = "matrix.org"; } ];
-        suppress_key_server_warning = true;
-        registration_shared_secret_path = config.sops.secrets.matrix_registration_secret.path;
-        macaroon_secret_key = "$__file{${config.sops.secrets.matrix_macaroon_secret.path}}";
-        listeners = [
-          {
-            port = 8008;
-            bind_addresses = [ "127.0.0.1" ];
-            type = "http";
-            tls = false;
-            x_forwarded = true;
-            resources = [
-              {
-                names = [
-                  "client"
-                  "federation"
-                ];
-                compress = false;
-              }
-            ];
-          }
-        ];
-      };
-    };
-
-    nginx = {
-      enable = true;
-      virtualHosts = {
-        "matrix.cyperpunk.de" = {
-          locations."/" = {
-            proxyPass = "http://127.0.0.1:${toString (builtins.elemAt config.services.matrix-synapse.settings.listeners 0).port}";
-            proxyWebsockets = true;
-            extraConfig = ''
-              proxy_set_header Host matrix.cyperpunk.de;
-            '';
-          };
-        };
-        "cinny" = {
-          listen = [
+  services.matrix-synapse = {
+    enable = true;
+    settings = {
+      server_name = "cyperpunk.de";
+      public_baseurl = "http://matrix.cyperpunk.de";
+      enable_registration = false; # TODO: disable
+      enable_registration_without_verfication = true;
+      trusted_key_servers = [ { server_name = "matrix.org"; } ];
+      suppress_key_server_warning = true;
+      registration_shared_secret_path = config.sops.secrets.matrix_registration_secret.path;
+      macaroon_secret_key = "$__file{${config.sops.secrets.matrix_macaroon_secret.path}}";
+      listeners = [
+        {
+          port = 8008;
+          bind_addresses = [ "0.0.0.0" ];
+          type = "http";
+          tls = false;
+          x_forwarded = true;
+          resources = [
            {
-              addr = "0.0.0.0";
-              port = 8080;
+              names = [
+                "client"
+                "federation"
+              ];
+              compress = false;
            }
          ];
-          locations."/" = {
-            alias = "${pkgs.cinny}/";
-            extraConfig = ''
-              try_files $uri $uri/ /index.html;
-            '';
-          };
-        };
-        "${serverIP}" = {
-          locations = {
-            "/_matrix/" = {
-              proxyPass = "http://127.0.0.1:${toString (builtins.elemAt config.services.matrix-synapse.settings.listeners 0).port}";
-              proxyWebsockets = true;
-            };
-          };
-        };
-      };
+        }
+      ];
    };
  };
 }
--- a/nixos/roles/monitoring.nix
+++ b/nixos/roles/monitoring.nix
@@ -35,10 +35,10 @@ in
      };
      settings = {
        server = {
-          domain = serverIP; # "grafana.cyperpunk.de";
+          domain = "www.cyperpunk.de"; # serverIP; # "grafana.cyperpunk.de";
          http_port = 2342;
-          http_addr = "127.0.0.1";
-          root_url = "http://${serverIP}/grafana/";
+          http_addr = "0.0.0.0";
+          root_url = "http://www.cyperpunk.de/grafana/";
          serve_from_sub_path = true;
        };
        security = {
@@ -51,20 +51,6 @@ in
      };
    };

-    # nginx reverse proxy
-    nginx = {
-      enable = true;
-      virtualHosts."${serverIP}" = {
-        locations."/grafana/" = {
-          proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
-          proxyWebsockets = true;
-          extraConfig = ''
-            proxy_set_header Host ${serverIP};
-          '';
-        };
-      };
-    };
-
    # TODO: Computers should register themselves
    prometheus = {
      enable = true;
@@ -133,9 +119,7 @@ in
  };

  networking.firewall.allowedTCPPorts = [
-    80
-    443
-    # TODO: Remove
+    2342
    9001
    3100
  ];
--- a/nixos/roles/vaultwarden.nix
+++ b/nixos/roles/vaultwarden.nix
@@ -17,13 +17,12 @@ in
    backupDir = "/var/local/vaultwarden/backup";

    config = {
-      DOMAIN = "http://${ip}:${toString port}";
+      DOMAIN = "https://vault.cyperpunk.de"; # "http://${ip}:${toString port}";
      ROCKET_ADDRESS = "0.0.0.0";
      ROCKET_PORT = port;
      ROCKET_LOG = "critical";
      SIGNUPS_ALLOWED = true;
      WEBSOCKET_ENABLED = true;
-      ROCKET_TLS = "{certs=\"/var/lib/vaultwarden/ssl/cert.pem\",key=\"/var/lib/vaultwarden/ssl/key.pem\"}";
    };
  };

@@ -34,39 +33,21 @@ in

  networking.firewall.allowedTCPPorts = [ port ];

-  systemd.services.vaultwarden-backup-rotate = {
-    description = "Rotate old Vaultwarden backups";
-    serviceConfig = {
-      Type = "oneshot";
-      ExecStart = "${pkgs.findutils}/bin/find /var/lib/vaultwarden/backup -mtime +30 -delete";
+  systemd = {
+    services.vaultwarden-backup-rotate = {
+      description = "Rotate old Vaultwarden backups";
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = "${pkgs.findutils}/bin/find /var/lib/vaultwarden/backup -mtime +30 -delete";
+      };
    };
-  };

-  systemd.timers.vaultwarden-backup-rotate = {
-    wantedBy = [ "timers.target" ];
-    timerConfig = {
-      OnCalendar = "daily";
-      Persistent = true;
+    timers.vaultwarden-backup-rotate = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnCalendar = "daily";
+        Persistent = true;
+      };
    };
  };
-
-  # TODO: Remove for proper TLS Setup
-  systemd.services.vaultwarden-gen-cert = {
-    description = "Generate self-signed cert for Vaultwarden";
-    before = [ "vaultwarden.service" ];
-    wantedBy = [ "vaultwarden.service" ];
-    serviceConfig.Type = "oneshot";
-    script = ''
-      mkdir -p /var/lib/vaultwarden/ssl
-      if [ ! -f /var/lib/vaultwarden/ssl/cert.pem ]; then
-        ${pkgs.openssl}/bin/openssl req -x509 -newkey rsa:4096 -nodes \
-          -keyout /var/lib/vaultwarden/ssl/key.pem \
-          -out /var/lib/vaultwarden/ssl/cert.pem \
-          -days 3650 \
-          -subj "/CN=${ip}" \
-          -addext "subjectAltName=IP:${ip}"
-        chown -R vaultwarden:vaultwarden /var/lib/vaultwarden/ssl
-      fi
-    '';
-  };
 }