diff --git a/Justfile b/Justfile
deleted file mode 100644
index db4b1bf..0000000
--- a/Justfile
+++ /dev/null
@@ -1,66 +0,0 @@ -# just is a command runner, Justfile is very similar to Makefile, but simpler. - -############################################################################ -# -# Nix commands related to the local machine -# -############################################################################ - -deploy: - nixos-rebuild switch --flake . --use-remote-sudo - -debug: - nixos-rebuild switch --flake . --use-remote-sudo --show-trace --verbose - -up: - nix flake update - -# Update specific input -# usage: make upp i=home-manager -upp: - nix flake update $(i) - -history: - nix profile history --profile /nix/var/nix/profiles/system - -repl: - nix repl -f flake:nixpkgs - -clean: - # remove all generations older than 7 days - sudo nix profile wipe-history --profile /nix/var/nix/profiles/system --older-than 7d - -gc: - # garbage collect all unused nix store entries - sudo nix-collect-garbage --delete-old - -############################################################################ -# -# Idols, Commands related to my remote distributed building cluster -# -############################################################################ - -add-idols-ssh-key: - ssh-add ~/.ssh/ai-idols - -aqua: add-idols-ssh-key - nixos-rebuild --flake .#aquamarine --target-host aquamarine --build-host aquamarine switch --use-remote-sudo - -aqua-debug: add-idols-ssh-key - nixos-rebuild --flake .#aquamarine --target-host aquamarine --build-host aquamarine switch --use-remote-sudo --show-trace --verbose - -ruby: add-idols-ssh-key - nixos-rebuild --flake .#ruby --target-host ruby --build-host ruby switch --use-remote-sudo - -ruby-debug: add-idols-ssh-key - nixos-rebuild --flake .#ruby --target-host ruby --build-host ruby switch --use-remote-sudo --show-trace --verbose - -kana: add-idols-ssh-key - nixos-rebuild --flake .#kana --target-host kana --build-host kana switch --use-remote-sudo - -kana-debug: add-idols-ssh-key - nixos-rebuild --flake .#kana --target-host kana --build-host kana switch 
--use-remote-sudo --show-trace --verbose - -idols: aqua ruby kana - -idols-debug: aqua-debug ruby-debug kana-debug diff --git a/README.md b/README.md index 70ed1fb..f4ab78f 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,12 @@ # min nix config :) @ Wastring -- laptop (Acer Swift 3) † 2025-08-05 -- desktop (ThinkCentre) -- macmini (2014 MacMini) +- legacy (Lenovo Yoga) +- node (Lenovo ThinkCentre) +- archive (2014 MacMini) @ iFACTS Office -- jobb (MinisForum AI X1 Pro) -- work-desktop (VM @ Proxmox) +- core (MinisForum AI X1 Pro) + +@ Old Computers +- laptop (Acer Swift 3) † 2025-08-05 diff --git a/flake.lock b/flake.lock index 2e7fade..683828f 100644 --- a/flake.lock +++ b/flake.lock @@ -227,6 +227,24 @@ "type": "github" } }, + "flake-utils": { + "inputs": { + "systems": "systems_3" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "fromYaml": { "flake": false, "locked": { @@ -736,6 +754,22 @@ "type": "github" } }, + "nixpkgs_4": { + "locked": { + "lastModified": 1744536153, + "narHash": "sha256-awS2zRgF4uTwrOKwwiJcByDzDOdo3Q1rPZbiHQg/N38=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "18dd725c29603f582cf1900e0d25f9f1063dbf11", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nur": { "inputs": { "flake-parts": [ 
@@ -792,7 +826,26 @@ "neovim-nightly-overlay": "neovim-nightly-overlay", "nixpkgs": "nixpkgs_3", "sops-nix": "sops-nix", - "stylix": "stylix" + "stylix": "stylix", + "typsite": "typsite" + } + }, + "rust-overlay": { + "inputs": { + "nixpkgs": "nixpkgs_4" + }, + "locked": { + "lastModified": 1749004659, + "narHash": "sha256-zaZrcC5UwHPGkgfnhTPx5sZfSSnUJdvYHhgex10RadQ=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "c52e346aedfa745564599558a096e88f9a5557f9", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" } }, "sops-nix": { @@ -879,6 +932,21 @@ "type": "github" } }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "tinted-foot": { "flake": false, "locked": { @@ -981,6 +1049,28 @@ "type": "github" } }, + "typsite": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ], + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1757041869, + "narHash": "sha256-3gq3miYeelGbYU6rpVzHJHVrnNegrLf9ec8KBN+a2uo=", + "owner": "Glomzzz", + "repo": "typsite", + "rev": "0e8ca8ad75dc077d680550a797babd3b29495d25", + "type": "github" + }, + "original": { + "owner": "Glomzzz", + "repo": "typsite", + "type": "github" + } + }, "xdph": { "inputs": { "hyprland-protocols": [ diff --git a/flake.nix b/flake.nix index 5884e1e..99c5154 100644 --- a/flake.nix +++ b/flake.nix @@ -12,6 +12,10 @@ url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; }; + typsite = { + url = "github:Glomzzz/typsite"; + inputs.nixpkgs.follows = "nixpkgs"; + }; # Neovim neovim-nightly-overlay.url = "github:nix-community/neovim-nightly-overlay"; 
@@ -34,7 +38,8 @@ nixpkgs, home-manager, stylix, - sops-nix, + sops-nix, + typsite, ... }@inputs: let @@ -53,7 +58,7 @@ modules = [ stylix.nixosModules.stylix ./maskiner/legacy/configuration.nix - sops-nix.nixosModules.sops + sops-nix.nixosModules.sops ]; }; node = nixpkgs.lib.nixosSystem { @@ -63,7 +68,7 @@ }; modules = [ ./maskiner/node/configuration.nix - sops-nix.nixosModules.sops + sops-nix.nixosModules.sops ]; }; core = nixpkgs.lib.nixosSystem { @@ -75,7 +80,7 @@ ./maskiner/core/configuration.nix stylix.nixosModules.stylix home-manager.nixosModules.home-manager - sops-nix.nixosModules.sops + sops-nix.nixosModules.sops ]; }; archive = nixpkgs.lib.nixosSystem { diff --git a/maskiner/node/configuration.nix b/maskiner/node/configuration.nix index 004ca46..ecf63bc 100644 --- a/maskiner/node/configuration.nix +++ b/maskiner/node/configuration.nix @@ -21,6 +21,8 @@ ../../moduler/uptime-kuma.nix ../../moduler/services/monitoring ../../moduler/services/headscale + ../../moduler/services/actual + ../../moduler/services/forgejo # ../../moduler/wastring.nix ../../moduler/wedding.nix ]; @@ -33,6 +35,14 @@ mode = "0440"; }; + forgejo = { + enable = true; + }; + + actual = { + enable = true; + }; + grafana = { enable = true; host = "127.0.0.1"; 
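Review bot: `typsite` is pinned with `inputs.nixpkgs.follows = "nixpkgs"`, but the flake.lock hunk in the same commit shows its `rust-overlay` input pulling a separate `nixpkgs_4` (nixpkgs-unstable at 18dd725c) plus `flake-utils`/`systems_3`; a nested `inputs.rust-overlay.inputs.nixpkgs.follows = "nixpkgs";` under the `typsite` block would keep a single nixpkgs tree in the closure and one fewer upstream to audit. The three `sops-nix.nixosModules.sops` lines and `sops-nix,` in the later hunks change only in whitespace, which looks like an editor or formatter side effect; running the formatter in its own commit keeps such hunks out of functional changes. `typsite` is also destructured in the outputs arguments, but no visible hunk uses it, so either it is consumed outside the diff or the binding is unused.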
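Review bot: `forgejo.enable = true;` and `actual.enable = true;` pull in two modules that declare nginx virtual hosts with `enableACME = true;`, yet the same commit removes `services.nginx.enable`, `security.acme.acceptTerms` and `defaults.email` from this host (the hunk at `@@ -72,34 +82,6 @@`) and moves them into `moduler/kitchenowl.nix`. The imports visible here do not include kitchenowl.nix, so unless it is imported elsewhere in the file, node would evaluate with ACME vhosts but no accepted terms and no enabled nginx; confirm, or set `services.nginx.enable = true;` and the ACME defaults at host level. A one-line comment next to the two `enable = true;` blocks naming where nginx and ACME are configured for this host would make the dependency explicit.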
@@ -72,34 +82,6 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII60tdNsG0z9q2jHmoTKvkeLQE6OF0bmTsDX1bpqpoG7 fw@jobb" ]; - security.acme = { - acceptTerms = true; - defaults.email = "fredrik@wastring.com"; - certs."shop.wastring.com" = { - dnsProvider = "gandiv5"; - webroot = null; - credentialsFile = config.sops.secrets.gandi_key.path; - dnsPropagationCheck = true; - }; - }; - services.nginx = { - enable = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - virtualHosts."shop.wastring.com" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://127.0.0.1:8080"; - proxyWebsockets = true; - extraConfig = - "proxy_ssl_server_name on;" - + - # required when the server wants to use HTTP Authentication - "proxy_pass_header Authorization;"; - }; - }; - }; networking.hostName = myhostname; diff --git a/moduler/dev.nix b/moduler/dev.nix index b579440..03afa7e 100644 --- a/moduler/dev.nix +++ b/moduler/dev.nix @@ -41,6 +41,7 @@ in # Blogging hugo + zola # System Design sqlc diff --git a/moduler/kitchenowl.nix b/moduler/kitchenowl.nix index 9d351a4..f3ae4aa 100644 --- a/moduler/kitchenowl.nix +++ b/moduler/kitchenowl.nix @@ -7,6 +7,34 @@ let in { + security.acme = { + acceptTerms = true; + defaults.email = "fredrik@wastring.com"; + certs."shop.wastring.com" = { + dnsProvider = "gandiv5"; + webroot = null; + credentialsFile = config.sops.secrets.gandi_key.path; + dnsPropagationCheck = true; + }; + }; + services.nginx = { + enable = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + virtualHosts."shop.wastring.com" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:8080"; + proxyWebsockets = true; + extraConfig = + "proxy_ssl_server_name on;" + + + # required when the server wants to use HTTP Authentication + "proxy_pass_header Authorization;"; + }; + }; + }; virtualisation.oci-containers = { backend = "podman"; containers = { 
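Review bot: Host-wide ACME settings (`acceptTerms = true;`, `defaults.email`) and the `services.nginx` enable/`recommended*Settings` lines are now declared inside a single application module, so every host that needs TLS for any service has to import kitchenowl.nix, and the new `actual`/`forgejo` modules depend on this file without saying so. Keeping `security.acme.acceptTerms`/`defaults.email` and the nginx enable lines in a shared module or the host configuration, and leaving only `certs."shop.wastring.com"` and the vhost here, would keep that coupling visible. `proxy_ssl_server_name on;` has no effect with a plain `http://127.0.0.1:8080` upstream; drop it, or let the comment say why it is kept. The block is moved verbatim from `maskiner/node/configuration.nix`, so `config.sops.secrets.gandi_key` must still be declared on every host importing this module; its declaration does not appear in this hunk.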
diff --git a/moduler/programs.nix b/moduler/programs.nix index c6bbdc9..e8c562f 100644 --- a/moduler/programs.nix +++ b/moduler/programs.nix @@ -4,8 +4,7 @@ inputs, lib, config, - pkgs, - myhostname, + pkgs, myhostname, ... }: { services.udev = { @@ -39,6 +38,9 @@ xdg-user-dirs angryipscanner + # TUI + gurk-rs + # Browsers librewolf chawan diff --git a/moduler/programs/k9s/default.nix b/moduler/programs/k9s/default.nix index 65155c8..362db7b 100644 --- a/moduler/programs/k9s/default.nix +++ b/moduler/programs/k9s/default.nix @@ -9,8 +9,7 @@ let in { programs.k9s = { - # enable = true; - enable = false; + enable = true; settings = { k9s.ui.skin = "catppuccin-latte"; }; diff --git a/moduler/radicale.nix b/moduler/radicale.nix index dbf7daa..5a4ca9e 100644 --- a/moduler/radicale.nix +++ b/moduler/radicale.nix @@ -4,30 +4,11 @@ }: { - security.acme = { - certs."cal.wastring.com" = { - dnsProvider = "gandiv5"; - webroot = null; - credentialsFile = config.sops.secrets.gandi_key.path; - dnsPropagationCheck = true; - }; - }; - # services.nginx = { - # virtualHosts."cal.wastring.com" = { - # enableACME = true; - # forceSSL = true; - # locations."/" = { - # proxyPass = "http://127.0.0.1:5232"; - # proxyWebsockets = true; # needed if you need to use WebSocket - # extraConfig = "proxy_ssl_server_name on;" + "proxy_pass_header Authorization;"; - # }; - # }; - # }; services.radicale = { enable = true; settings = { auth.type = "none"; - server.hosts = [ "0.0.0.0:5232" ]; + server.hosts = [ "100.64.0.4:5232" ]; }; }; } diff --git a/moduler/services/actual/default.nix b/moduler/services/actual/default.nix new file mode 100644 index 0000000..0860a27 --- /dev/null +++ b/moduler/services/actual/default.nix 
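Review bot: `pkgs, myhostname,` folds two function arguments onto one line while the surrounding argument set (`inputs,`, `lib,`, `config,`, `...`) keeps one per line; restoring `pkgs,` and `myhostname,` on separate lines matches the file's layout and keeps future diffs to the argument list one line each. The second hunk, which adds `gurk-rs` under a new `# TUI` heading, follows the existing grouping style and needs no change.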
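Review bot: `server.hosts = [ "100.64.0.4:5232" ];` narrows the listener from all interfaces to one address, but `auth.type = "none";` remains, so every peer that can reach that address still has unauthenticated read/write access to all calendars; if 100.64.0.4 is the host's headscale/tailnet address (inferred from the CGNAT range and the headscale module imported on node), that network is the trust boundary and deserves a comment such as `# reachable only over the tailnet; access control is network membership, not radicale auth`. Binding to a literal overlay address also means radicale fails to start when that interface is not up at boot; consider ordering the unit after the tailnet interface or deriving the address from the host's tailnet configuration. The removed `security.acme.certs."cal.wastring.com"` and the commented nginx block leave no TLS path for this service, which the note above assumes is intentional.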
@@ -0,0 +1,46 @@
+{
+ lib,
+ config,
+ ...
+}:
+with lib;
+{
+ options = {
+ actual = {
+ enable = mkEnableOption "enables Actual";
+ port = lib.mkOption {
+ type = lib.types.int;
+ default = 8001;
+ description = "The port that Actual is served on.";
+ };
+ hostname = lib.mkOption {
+ type = lib.types.str;
+ default = "localhost";
+ description = "The hostname that Actual is served on.";
+ };
+ };
+ };
+
+ config = mkMerge [
+ (mkIf config.actual.enable {
+ services = {
+ actual = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ port = config.actual.port;
+ hostname = config.actual.hostname;
+ };
+ };
+ nginx.virtualHosts."budget.wastring.com" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://${toString config.actual.hostname}:${toString config.actual.port}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ })
+ ];
+}
diff --git a/moduler/services/forgejo/default.nix b/moduler/services/forgejo/default.nix
new file mode 100644
index 0000000..d45ec8c
--- /dev/null
+++ b/moduler/services/forgejo/default.nix
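Review bot: `openFirewall = true;` opens the Actual port on every interface even though the module also publishes the service through the nginx vhost `budget.wastring.com`; with the default `hostname = "localhost"` nothing is reachable from outside anyway, but changing `hostname` to a routable address would expose the backend on port 8001 in plain HTTP, bypassing the vhost's `forceSSL`. Dropping `openFirewall = true;` keeps the reverse proxy as the only path in. The vhost name is hard-coded while the sibling forgejo module exposes it as a `domain` option; a matching `actual.domain` option would keep the two modules consistent. `toString config.actual.hostname` is redundant on a `types.str` value and can be written `${config.actual.hostname}`.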
@@ -0,0 +1,91 @@
+{
+ lib,
+ pkgs,
+ config,
+ ...
+}:
+let
+ cfg = config.services.forgejo;
+ srv = cfg.settings.server;
+in
+with lib;
+{
+ options = {
+ forgejo = {
+ enable = mkEnableOption "enables forgejo";
+ port = lib.mkOption {
+ type = lib.types.int;
+ default = 8003;
+ description = "The port that Actual is served on.";
+ };
+ domain = lib.mkOption {
+ type = lib.types.str;
+ default = "git.wastring.com";
+ description = "The hostname that Actual is served on.";
+ };
+ };
+ };
+ config = mkMerge [
+ (mkIf config.actual.enable {
+ services.nginx = {
+ virtualHosts.${config.forgejo.domain} = {
+ forceSSL = true;
+ enableACME = true;
+ extraConfig = ''
+ client_max_body_size 512M;
+ '';
+ locations."/".proxyPass = "http://localhost:${toString config.forgejo.port}";
+ };
+ };
+
+ sops.secrets.smtp_password = { };
+ sops.secrets.forgejo-admin-password.owner = "forgejo";
+ systemd.services.forgejo.preStart =
+ let
+ adminCmd = "${lib.getExe cfg.package} admin user";
+ pwd = config.sops.secrets.forgejo-admin-password;
+ user = "fw";
+ in
+ ''
+ ${adminCmd} create --admin --email "root@localhost" --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
+ ## uncomment this line to change an admin user which was already created
+ # ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
+ '';
+
+ services.forgejo = {
+ enable = true;
+ database.type = "postgres";
+ # Enable support for Git Large File Storage
+ lfs.enable = true;
+ settings = {
+ server = {
+ DOMAIN = "${config.forgejo.domain}";
+ # You need to specify this to remove the port from URLs in the web UI.
+ ROOT_URL = "https://${config.forgejo.domain}/";
+ HTTP_PORT = config.forgejo.port;
+ };
+ # You can temporarily allow registration to create an admin user.
+ service.DISABLE_REGISTRATION = true;
+ # Add support for actions, based on act: https://github.com/nektos/act
+ actions = {
+ ENABLED = true;
+ DEFAULT_ACTIONS_URL = "github";
+ };
+ # Sending emails is completely optional
+ # You can send a test email from the web UI at:
+ # Profile Picture > Site Administration > Configuration > Mailer Configuration
+ mailer = {
+ ENABLED = true;
+ SMTP_ADDR = "mail.gandi.net";
+ FROM = "noreply@${config.forgejo.domain}";
+ USER = "fredrik@wastring.com";
+ };
+ };
+ secrets = {
+ mailer.PASSWD = config.sops.secrets.smtp_password.path;
+ };
+ };
+ })
+ ];
+
+}
diff --git a/secrets/sops.yaml b/secrets/sops.yaml
index cf1f0ce..8f6bed5 100644
--- a/secrets/sops.yaml
+++ b/secrets/sops.yaml
@@ -2,6 +2,8 @@ gandi_key: ENC[AES256_GCM,data:rhsDbf5RyChBWsgyLZoHCr12K1CztsoSitGNJbqqXlGhvYIP4
 wireguard_private_key: ENC[AES256_GCM,data:Fk3ZYyj51iSC0q7gQKY9kyg+kPHDJJJOYLiKyIuB2aDbI5yy8pggGyRBjtY=,iv:RQa34Irb93NlOCnpH7oEzDjJ30qlzMTAiosUsZYreqQ=,tag:0UFrh55JHSlJvzDtw7A60w==,type:str]
 wireguard_public_key: ENC[AES256_GCM,data:4ETVdAeLrqwPh7LZGN6wounajnh8bD9zdq4GWMCdSOJB6Z5ZA4iNHFKPU0k=,iv:RPKRI6A8sOmn22OdVrgl2RpbKGdfkrDdExlRd2QT/Wg=,tag:68cWti2y7f99GFHVYH1rtQ==,type:str]
 github_password: ENC[AES256_GCM,data:2Q27cc0cqsWFt/lBNUApWPVRQaXi7uZ3UEn051G/Ar8lZs9zTYYWrg==,iv:s81MlK8u7QzP1azsNw2CtKouJqe/pAHZ7wy5aCWEEuI=,tag:Lf9o6RbLdsQ7ZYCMdVXglQ==,type:str]
+smtp_password: ENC[AES256_GCM,data:h1K973qeehIIATdoqFhrLiY7XiU=,iv:ltrsG9KZ8rQuSJXNXswMnbIW/N8+CGbRmiTiENzcGTM=,tag:mD/VpM1FqZaiwksWQpAAog==,type:str]
+forgejo-admin-password: ENC[AES256_GCM,data:FuDfqjeQ2T5KcOO1BQ==,iv:ueX7XjbiChuwfYm1B/MJvJaYdWbCmoIs91lj9h9uFYE=,tag:qUszDTRZklwSKrS0PpJhTA==,type:str]
 sops:
 age:
 - recipient: age1jeyw96795qu52swmtkjqgr2w3g4vxc43ckc5r4hlwpje23ptnfwsheah0s
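Review bot: `(mkIf config.actual.enable {` gates the whole forgejo configuration on the actual module's option, so `forgejo.enable` declared just above has no effect and this module only works when `actual.enable` is also set, as it happens to be on node; it should read `(mkIf config.forgejo.enable {`. The `port` and `domain` descriptions are copied from the actual module (`"The port that Actual is served on."`, `"The hostname that Actual is served on."`) and should name Forgejo, and `srv` in the `let` block is unused. `sops.secrets.smtp_password = { };` keeps sops' default root ownership while `forgejo-admin-password` is given `owner = "forgejo"`; if the `services.forgejo.secrets` substitution runs as the service user, the mailer password file will be unreadable, so confirm and add `sops.secrets.smtp_password.owner = "forgejo";`. In preStart the admin password is passed to `admin user create` as a `--password` argument, which makes it visible in the process list while the command runs, and the trailing `|| true` masks genuine failures because the user-already-exists case is not distinguished; a comment stating that this runs once per service start and why the exit status is ignored would help the next reader.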
@@ -31,7 +33,7 @@ sops:
 OU8yT0cvcnZMMXphMFVHSXpHNjc4dEkKyXiwholsJthB9O7onb0buF6qHNVNZA3s
 A2+HSl5P0HCyaZhDIDBFdaUL2r0CHKOPCN3Lrd5+Rirnx48RnDxwBA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-09-16T20:08:36Z"
- mac: ENC[AES256_GCM,data:AC+MzlY0cJDoiEeSHyce84vueGabqQH/9dUfykUtlLvZehm7evBKR2YC4CMX3rAEv8zNvq8ZsPe5nTdzgB1WGQczkBQoVTe8Wh9vbH/xUVA7Wjk3AtJMkcy3rL4DYZyx5oBFht30o7ixgwTnOk9gXsdrkDbn5zozoIyWcGApgnQ=,iv:dyIphekRyLsgkreE2H6eCoESMh7vRqULtdNmqoqgLN4=,tag:AqRiy8Cv7CBOhWLkyRaqrg==,type:str]
+ lastmodified: "2025-09-23T11:21:30Z"
+ mac: ENC[AES256_GCM,data:/bLDPC0lRZhs/KY3wQ+nEapiIaMjjWCFUVQLgojiGfKvp7Cp7XmyGaHx1GbcxVSbh67TxjlbojEtno6QVtbfT64gFFq6X5Y96S1UCLBgTzsbn7c8NKzXvf3viUPgf8zZJDnKT2nzq6p3FVt+ZNcheZfpBUO1WmXadEbmCNGMR6A=,iv:BAh9rLxGcfNt0xrwgJDe9edLaAHoRFFSb0nnlbH6FMQ=,tag:2f3L7mQ+on/3wy64nhCC/Q==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.2