Added lots of sops

This commit is contained in:
fwastring 2025-09-13 22:02:42 +02:00
parent 84bec55415
commit 01c04cd91c
25 changed files with 532 additions and 183 deletions


@ -17,6 +17,7 @@
);
nix.nixPath = [ "/etc/nix/path" ];
users.defaultUserShell = pkgs.bash;
documentation.man.generateCaches = false;
programs.fish.enable = true;
programs.bash = {
interactiveShellInit = ''


@ -18,65 +18,55 @@ in
];
environment.systemPackages = with pkgs; [
timewarrior
# Neovim
inputs.neovim-nightly-overlay.packages.${pkgs.system}.default
# Nix
devenv
nixfmt-rfc-style
# Containers
kubectl
docker-slim
# Docker
dive
buildkit
containerd
cri-tools
yq
skopeo
umoci
velero
podman-tui
lazydocker
# Jobb
azure-cli
dotnetCorePackages.dotnet_9.sdk
google-cloud-sdk
jira-cli-go
gh
allure
kubectx
python314
# Minio
awscli
minio-client
# Blogging
hugo
# System Design
sqlc
postgresql
go-migrate-pg
argocd
ngrok
tailwindcss
yarn
plantuml
# Web Dev
tailwindcss
prettierd
# Go
air
go
templ
goa
prettierd
qrencode
air
go-migrate-pg
# Build
git
lazydocker
gcc
gnumake
cmake
# System Tools
yq
jq
git
(wrapHelm kubernetes-helm {
plugins = with pkgs.kubernetes-helmPlugins; [
helm-secrets
helm-diff
helm-s3
helm-git
];
})
k3sup
qrencode
];
}


@ -55,10 +55,9 @@
};
interactiveShellInit = ''
fish_vi_key_bindings
set fish_greeting # Disable greeting
set fish_greeting
set FLAKE_DIR "/home/fw/nix"
set HM_DIR "$FLAKE_DIR#fw@jobb"
set SYSTEM_DIR "$FLAKE_DIR#jobb"
set JIRA_API_TOKEN ATATT3xFfGF0_fkpGB1ne-QOSJzFVG0yH31j2CRtdNqbePCyEm9enpnA2uA3go75_GQwZPFX_IO9tf10ALJWvDLjsuHl8MSOUkNd703Vqr4uuGLAbHY73Z_b9fDJVrfodTrGAN9sZ5Sp75opCVkXB7MVXSAIvlWimRdwe-tqDPH4vhwY9Hqcs6M=0510D6CD
set -Ux FZF_CTRL_R_OPTS "--reverse"
set -Ux FZF_TMUX_OPTS "-p"
set -e GOROOT
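Review bot: The `set JIRA_API_TOKEN ...` line in this hunk embeds a full Atlassian-format API token in plaintext inside the fish interactiveShellInit string of a flake that is pushed to a forge. Whichever side of the hunk that line ends up on, the token is now in git history, so it should be revoked in Atlassian and reissued rather than merely removed from the file. Load the replacement from a sops-managed secret file at shell start (e.g. `set -x JIRA_API_TOKEN (cat <path to sops secret>)`) instead of hardcoding it; note also that plain `set` without `-x` does not export the variable to child processes such as jira-cli, so the current form may not even reach the tool. The enclosing interactiveShellInit string starts before and ends after this hunk.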


@ -21,7 +21,7 @@
../moduler/oh-my-posh.nix
../moduler/gtk.nix
# ../moduler/neovim.nix
../moduler/k9s
../moduler/programs/k9s
];
programs.home-manager.enable = true;


@ -400,11 +400,11 @@ in
# Applications
"$mod, q, exec, ${pkgs.firefox}/bin/firefox"
"$mod, d, exec, ${pkgs.rofi}/bin/rofi -show drun"
"$mod, d, exec, ${pkgs.rofi}/bin/rofi -show drun -p 'Run: '"
# Screencapture
"$mod, S, exec, ${pkgs.grim}/bin/grim | wl-copy"
"$mod SHIFT+ALT, S, exec, ${pkgs.grim}/bin/grim -g \"$(slurp)\" - | ${pkgs.swappy}/bin/swappy -f -"
"$mod SHIFT+ALT, S, exec, ${pkgs.grim}/bin/grim -g \"$(slurp)\" ~/$(date +%Y-%m-%d-%H%M%S).png"
];
bindm = [


@ -12,7 +12,6 @@
environment.systemPackages = with pkgs; [
nixd
gopls
inputs.neovim-nightly-overlay.packages.${pkgs.system}.default
omnisharp-roslyn
nodePackages.vscode-json-languageserver
tailwindcss-language-server


@ -7,27 +7,32 @@
pkgs,
myhostname,
...
}: {
}:
{
services.netbird = {
enable = true;
ui.enable = true;
};
services.netbird = {
enable = true;
ui.enable = true;
};
environment.systemPackages = with pkgs; [
openvpn
networkmanagerapplet
wireguard-tools
networkmanager
openssh
environment.systemPackages = with pkgs; [
openvpn
networkmanagerapplet
wireguard-tools
networkmanager
openssh
mtr # A network diagnostic tool
iperf3
dnsutils # `dig` + `nslookup`
ldns # replacement of `dig`, it provide the command `drill`
aria2 # A lightweight multi-protocol & multi-source command-line download utility
socat # replacement of openbsd-netcat
nmap # A utility for network discovery and security auditing
ipcalc # it is a calculator for the IPv4/v6 addresses
];
(octodns.withProviders (ps: [
octodns-providers.gandi
]))
mtr # A network diagnostic tool
iperf3
dnsutils # `dig` + `nslookup`
ldns # replacement of `dig`, it provide the command `drill`
aria2 # A lightweight multi-protocol & multi-source command-line download utility
socat # replacement of openbsd-netcat
nmap # A utility for network discovery and security auditing
ipcalc # it is a calculator for the IPv4/v6 addresses
];
}


@ -37,15 +37,12 @@
ghostty
kdePackages.okular
xdg-user-dirs
angryipscanner
# Browsers
librewolf
chawan
# Capturing
byzanz
scrot
# Displaying
zathura
feh


@ -1,4 +1,5 @@
{
config,
...
}:
{
@ -7,21 +8,21 @@
certs."cal.wastring.com" = {
dnsProvider = "gandiv5";
webroot = null;
credentialsFile = /run/secrets/gandi_key;
credentialsFile = config.sops.secrets.gandi_key.path;
dnsPropagationCheck = true;
};
};
services.nginx = {
virtualHosts."cal.wastring.com" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:5232";
proxyWebsockets = true; # needed if you need to use WebSocket
extraConfig = "proxy_ssl_server_name on;" + "proxy_pass_header Authorization;";
};
};
};
# services.nginx = {
# virtualHosts."cal.wastring.com" = {
# enableACME = true;
# forceSSL = true;
# locations."/" = {
# proxyPass = "http://127.0.0.1:5232";
# proxyWebsockets = true; # needed if you need to use WebSocket
# extraConfig = "proxy_ssl_server_name on;" + "proxy_pass_header Authorization;";
# };
# };
# };
services.radicale = {
enable = true;
settings = {
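Review bot: `credentialsFile = config.sops.secrets.gandi_key.path;` points the cert service at a sops-nix secret, which defaults to root:root mode 0400; unless the secret declaration (not in this hunk) sets an owner or group the ACME service can read, watch the first issuance for a permission error and add `sops.secrets.gandi_key.owner = "acme";` if it fails. The nginx virtualHost for cal.wastring.com appears to be commented out on the new side while the cert is still requested, so the certificate gets issued but nothing serves it and radicale on 127.0.0.1:5232 is no longer reachable through nginx — if that is intended, drop the cert block too rather than keeping a dormant ACME job that holds DNS credentials.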


@ -0,0 +1,46 @@
{
lib,
config,
...
}:
with lib;
{
options = {
headscale = {
enable = mkEnableOption "enables headscale";
domain = lib.mkOption {
type = lib.types.str;
default = "headscale.wastring.com";
description = "The domain that headscale is served on.";
};
};
};
config = mkMerge [
(mkIf config.headscale.enable {
services = {
headscale = {
enable = true;
address = "0.0.0.0";
port = 8080;
server_url = "https://${domain}";
dns = {
baseDomain = "example.com";
};
settings = {
logtail.enabled = false;
};
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:${toString config.services.headscale.port}";
proxyWebsockets = true;
};
};
};
})
];
}
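Review bot: `${domain}` on the `server_url` line and on `nginx.virtualHosts.${domain}` is not bound anywhere in this module (there is no let binding and `with lib` does not provide it), so evaluation fails as soon as headscale.enable is set; use `server_url = "https://${config.headscale.domain}";` and `nginx.virtualHosts.${config.headscale.domain} = {`. Separately, `address = "0.0.0.0"` binds headscale's HTTP listener on every interface while nginx only needs localhost, so the control server is reachable in plaintext on :8080 to whatever the firewall lets through, bypassing forceSSL; `address = "127.0.0.1";` is enough for the proxy. `baseDomain = "example.com"` is a placeholder that should be replaced before deployment, and the mix of `server_url`/`settings` keys with the older `dns.baseDomain` style is worth checking against the headscale module version in your nixpkgs.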


@ -1,53 +1,115 @@
{
lib,
config,
pkgs,
...
}:
with lib;
let
in
{
options = {
grafana = {
enable = lib.mkEnableOption "enables grafana";
host = lib.mkDefault "127.0.0.1";
port = lib.mkDefault 2342;
domain = lib.mkOption {
type = lib.types.str;
enable = mkEnableOption "enables grafana";
port = lib.mkOption {
type = lib.types.int;
default = 2342;
description = "The port Grafana listens on.";
};
host = mkOption {
type = types.str;
defaultText = literalExpression "127.0.0.1";
description = "The hostname that Grafana binds to";
};
domain = mkOption {
type = types.str;
description = "Domain name for Grafana to be served on.";
};
};
alloy = {
enable = mkEnableOption "enables alloy";
configPath = lib.mkOption {
type = lib.types.path;
default = ./alloy.yaml;
description = "The path to the configPath.";
};
};
prometheus = {
enable = lib.mkEnableOption "enables prometheus";
port = lib.mkDefault 9001;
exporter = {
enable = lib.mkEnableOption "enables node exporter";
port = lib.mkDefault 9002;
enable = mkEnableOption "enables prometheus";
port = lib.mkOption {
type = lib.types.int;
default = 9001;
description = "The port Prometheus listens on.";
};
exporters = {
enable = mkEnableOption "enables node exporters";
port = lib.mkOption {
type = lib.types.int;
default = 9002;
description = "The port Prometheus node exporter listens on.";
};
};
};
loki = {
enable = mkEnableOption "enables prometheus";
configFile = lib.mkOption {
type = lib.types.path;
default = ./loki.yaml;
description = "The path to the configFile.";
};
dataDir = lib.mkOption {
type = lib.types.str;
default = "/var/loki";
description = "The path to the data directory.";
};
};
};
config = lib.mkMerge [
(lib.mkIf config.grafana.enable {
config = mkMerge [
(mkIf config.grafana.enable {
services.grafana = {
enable = true;
domain = config.grafana.domain;
port = config.grafana.port;
addr = config.grafana.host;
settings = {
server = {
domain = config.grafana.domain;
http_port = config.grafana.port;
http_addr = config.grafana.host;
};
};
};
# nginx reverse proxy
services.nginx.virtualHosts."${config.grafana.domain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://${config.grafana.host}:${toString config.grafana.port}";
proxyWebsockets = true;
extraConfig = "proxy_ssl_server_name on;" + "proxy_pass_header Authorization;";
};
};
})
(mkIf config.loki.enable {
networking.firewall.allowedTCPPorts = [ 3100 ];
services.loki = {
enable = true;
configFile = config.loki.configFile;
dataDir = config.loki.dataDir;
};
})
(mkIf config.alloy.enable {
services.alloy = {
enable = true;
configPath = config.alloy.configPath;
};
})
(lib.mkIf config.prometheus.enable {
(mkIf config.prometheus.enable {
services.prometheus = {
enable = true;
port = config.prometheus.port;
exporters = lib.mkIf config.prometheus.exporters {
exporters = mkIf config.prometheus.exporters.enable {
node = {
enable = true;
enabledCollectors = [ "systemd" ];
@ -56,7 +118,7 @@
};
scrapeConfigs = [
{
job_name = "chrysalis";
job_name = "desktop";
static_configs = [
{
targets = [ "${config.grafana.host}:${toString config.prometheus.exporters.port}" ];
@ -64,7 +126,6 @@
];
}
];
};
})
];
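Review bot: `networking.firewall.allowedTCPPorts = [ 3100 ];` in the loki branch exposes Loki's HTTP API on every interface, and the loki.yaml added in this commit runs it with `auth_enabled: false`, so any host that can reach the box can push or query logs unauthenticated. If Alloy only ships from this host, drop the rule and keep Loki on loopback; if remote hosts push, scope the rule to the VPN interface (`networking.firewall.interfaces.wg0.allowedTCPPorts = [ 3100 ];`) or put nginx with auth in front. Also, `defaultText = literalExpression "127.0.0.1"` on grafana.host only documents a default and does not set one, so the option is now mandatory where the old `mkDefault "127.0.0.1"` was not — add `default = "127.0.0.1";`. The loki enable option's description still reads "enables prometheus".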


@ -0,0 +1,55 @@
auth_enabled: false
server:
http_listen_port: 3100
ingester:
lifecycler:
address: 0.0.0.0
ring:
kvstore:
store: inmemory
replication_factor: 1
final_sleep: 0s
chunk_idle_period: 1h
max_chunk_age: 1h
chunk_target_size: 1048576
chunk_retain_period: 30s
schema_config:
configs:
- from: 2020-10-24
store: boltdb-shipper
object_store: filesystem
schema: v11
index:
prefix: index_
period: 24h
- from: 2025-09-14 # Set this to a future date
store: tsdb
object_store: filesystem
schema: v13
index:
prefix: index_
period: 24h
storage_config:
boltdb_shipper:
active_index_directory: /var/lib/loki/boltdb-shipper-active
cache_location: /var/lib/loki/boltdb-shipper-cache
cache_ttl: 24h
filesystem:
directory: /var/lib/loki/chunks
tsdb_shipper:
active_index_directory: /var/lib/loki/tsdb-active-index
cache_location: /var/lib/loki/tsdb-cache
limits_config:
reject_old_samples: true
reject_old_samples_max_age: 168h
allow_structured_metadata: false
table_manager:
retention_deletes_enabled: false
retention_period: 0s
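Review bot: `auth_enabled: false` together with no `http_listen_address` under `server:` means Loki accepts unauthenticated pushes and queries on all interfaces at :3100; if the collector runs on the same host add `http_listen_address: 127.0.0.1` under `server:` and keep the port off the firewall, otherwise front it with an authenticating proxy and treat tenant isolation as absent. `retention_deletes_enabled: false` with `retention_period: 0s` means logs are never purged, which is acceptable for a single node but should be a deliberate choice given the chunks live on local disk. The `# Set this to a future date` comment on the tsdb schema entry is already stale relative to the commit date — the v13/tsdb schema becomes active the following day — so confirm the boltdb-shipper to tsdb cutover is intended now.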


@ -0,0 +1,63 @@
{
lib,
config,
pkgs,
...
}:
with lib;
let
in
{
options = {
wireguard-server = {
enable = mkEnableOption "enables wireguard-server";
port = lib.mkOption {
type = lib.types.int;
default = 51820;
description = "The port that the Wireguard server listens on.";
};
};
};
config = mkMerge [
(mkIf config.loki.enable {
sops.secrets.wireguard_private_key = {};
users.users."systemd-network".extraGroups = [ "keys" ];
networking.nat.enable = true;
networking.nat.externalInterface = "eth0";
networking.nat.internalInterfaces = [ "wg0" ];
networking.firewall = {
allowedUDPPorts = [ config.wireguard-server.port ];
};
networking.wireguard.enable = true;
networking.wireguard.interfaces = {
wg0 = {
ips = [ "10.100.0.1/24" ];
listenPort = config.wireguard-server.port;
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
'';
privateKeyFile = config.sops.secrets.wireguard_private_key.path;
peers = [
{
name = "fwastring";
publicKey = "iJw5Km99HT9/TuVtSyDhOwPPcoWeRO67dhhrKPbjRTA=";
allowedIPs = [ "10.100.0.2/32" ];
}
];
};
};
})
];
}
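Review bot: The config block is gated on `mkIf config.loki.enable` instead of `mkIf config.wireguard-server.enable`, so the wireguard-server.enable option declared above has no effect and the VPN, NAT and the UDP firewall opening are switched on whenever Loki is; change the gate to `(mkIf config.wireguard-server.enable {`. `externalInterface = "eth0"` and the `-o eth0` in the postSetup/postShutdown rules are hardcoded; consider exposing the interface as an option next to `port` so the module works on hosts whose uplink is not eth0. `users.users."systemd-network".extraGroups = [ "keys" ]` looks unnecessary here because networking.wireguard.interfaces is brought up by a root-run service rather than systemd-networkd — confirm it is needed before widening access to the keys group.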


@ -24,68 +24,37 @@
};
environment.systemPackages = with pkgs; [
# Build
just
# Bluetooth
bluez
bluez-tools
# Zathura
poppler_utils
# Transform
imagemagick
pandoc
# Sound
alsa-utils
# Monitor
brightnessctl
# System
sops
libnotify
lf
xsel
xbanish
unzip
zip
wget
alsa-utils
htop
procps
fzf
eza
btop
xclip
dysk
rsync
procs
dust
brightnessctl
lolcat
fortune
cowsay
ripgrep
poppler_utils
dysk
grc
pkg-config
vim
fd
bluez
bluez-tools
openssl
imagemagick
pandoc
texliveFull
fastfetch
keyutils
pinentry-all
(pass.withExtensions (
ext: with ext; [
pass-import
pass-genphrase
pass-update
]
))
lazygit
chawan
go-passbolt-cli
waypipe
wl-clipboard
smartmontools
# Typesetting
typst
typstyle
tinymist
websocat
nix-search-cli
libsixel
# system call monitoring
strace # system call monitoring
@ -99,6 +68,37 @@
pciutils # lspci
usbutils # lsusb
# Files
fzf
eza
rsync
dust
ripgrep
fd
# Misc
lolcat
fortune
cowsay
# Security
openssl
# Git
lazygit
# Terminal Stuff
chawan
go-passbolt-cli
# Typesetting
typst
typstyle
tinymist
websocat
nix-search-cli
libsixel
(
let
base = pkgs.appimageTools.defaultFhsEnvArgs;


@ -1,4 +1,5 @@
{
config,
...
}:
{
@ -15,7 +16,7 @@
certs."pass.wastring.com" = {
dnsProvider = "gandiv5";
webroot = null;
credentialsFile = /run/secrets/gandi_key;
credentialsFile = config.sops.secrets.gandi_key.path;
dnsPropagationCheck = true;
};
};
@ -23,19 +24,14 @@
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# other Nginx options
virtualHosts."pass.wastring.com" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8222";
proxyWebsockets = true; # needed if you need to use WebSocket
proxyWebsockets = true;
extraConfig =
# required when the target is also TLS server with multiple hosts
"proxy_ssl_server_name on;"
+
# required when the server wants to use HTTP Authentication
"proxy_pass_header Authorization;";
"proxy_ssl_server_name on;" + "proxy_pass_header Authorization;";
};
};
};
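Review bot: `proxy_ssl_server_name on;` in the rewritten extraConfig line is dead configuration for this location because the upstream is `http://127.0.0.1:8222`; the proxy_ssl_* directives only affect TLS connections to the backend, so keeping it alongside `recommendedProxySettings = true` just adds noise and suggests a TLS hop that does not exist — `extraConfig = "proxy_pass_header Authorization;";` is the honest form. The same sops-nix ownership caveat applies to `credentialsFile = config.sops.secrets.gandi_key.path;` here: the secret defaults to root:root 0400, so confirm the ACME service can read it or set `sops.secrets.gandi_key.owner = "acme";` in the secret declaration.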


@ -7,7 +7,7 @@ in
certs."wastring.com" = {
dnsProvider = "gandiv5";
webroot = null;
credentialsFile = /run/secrets/gandi_key;
credentialsFile = config.sops.secrets.gandi_key.path;
dnsPropagationCheck = true;
};
};
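Review bot: `config.sops.secrets.gandi_key.path` is referenced here but, unlike the other two cert modules in this commit, this hunk does not show `config` being added to the module's argument set; if the attrset at the top of the file (outside this hunk) does not already take `config`, evaluation fails with an undefined variable. The function header and the `let ... in` are outside the hunk, so please confirm it reads `{ config, ... }:` or equivalent.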