From 1fd4e939a1d8b01bdd792fd0b935a870f2c59b5f Mon Sep 17 00:00:00 2001
From: Leon Vatthauer <leon.vatthauer@fau.de>
Date: Wed, 8 May 2024 11:03:22 +0200
Subject: [PATCH] added dafoe

---
 dafoe/README.md                    | 20 +++++++
 dafoe/configuration.nix            | 87 ++++++++++++++++++++++++++++++
 dafoe/hardware-configuration.nix   | 33 ++++++++++++
 dafoe/programs/default.nix         |  8 +++
 dafoe/programs/neovim.nix          | 14 +++++
 dafoe/programs/ssh.nix             |  6 +++
 dafoe/programs/starship.nix        |  8 +++
 dafoe/programs/zsh.nix             | 19 +++++++
 dafoe/services/acme.nix            | 10 ++++
 dafoe/services/ddns.nix            | 16 ++++++
 dafoe/services/default.nix         | 13 +++++
 dafoe/services/forgejo.nix         | 23 ++++++++
 dafoe/services/nginx.nix           | 44 +++++++++++++++
 dafoe/services/printing.nix        | 20 +++++++
 dafoe/services/restic.nix          | 15 ++++++
 dafoe/services/resumee-website.nix | 15 ++++++
 dafoe/services/ssh.nix             |  4 ++
 dafoe/services/vaultwarden.nix     | 19 +++++++
 flake.lock                         |  6 +--
 flake.nix                          |  5 ++
 gunther/leonv.nix                  |  3 ++
 21 files changed, 385 insertions(+), 3 deletions(-)
 create mode 100644 dafoe/README.md
 create mode 100644 dafoe/configuration.nix
 create mode 100644 dafoe/hardware-configuration.nix
 create mode 100644 dafoe/programs/default.nix
 create mode 100644 dafoe/programs/neovim.nix
 create mode 100644 dafoe/programs/ssh.nix
 create mode 100644 dafoe/programs/starship.nix
 create mode 100644 dafoe/programs/zsh.nix
 create mode 100644 dafoe/services/acme.nix
 create mode 100644 dafoe/services/ddns.nix
 create mode 100644 dafoe/services/default.nix
 create mode 100644 dafoe/services/forgejo.nix
 create mode 100644 dafoe/services/nginx.nix
 create mode 100644 dafoe/services/printing.nix
 create mode 100644 dafoe/services/restic.nix
 create mode 100644 dafoe/services/resumee-website.nix
 create mode 100644 dafoe/services/ssh.nix
 create mode 100644 dafoe/services/vaultwarden.nix

diff --git a/dafoe/README.md b/dafoe/README.md
new file mode 100644
index 0000000..7a1a1cf
--- /dev/null
+++ b/dafoe/README.md
@@ -0,0 +1,20 @@
+# Willem
+
+Willem is a server running on a Raspberry Pi 400 offering the following services:
+- [Gitea](git.vatthauer.xyz)
+- [Vaultwarden](bitwarden.vatthauer.xyz)
+
+There are daily backups of the Gitea instance using Restic via B2.
+## Installation on Raspberry Pi 400
+### Resources
+- https://nixos.wiki/wiki/NixOS_on_ARM/Raspberry_Pi_4
+- https://nixos.wiki/wiki/NixOS_on_ARM#Installation
+
+### Step by step
+1. Follow the [generic installation steps](https://nixos.wiki/wiki/NixOS_on_ARM#Installation) to get NixOS up and running on the Pi.
+2. Generate the default `configuration.nix` via `sudo nixos-generate-config` and do a first rebuild `sudo nixos-rebuild switch`
+3. Somehow get this repository onto the machine and `cd` into it
+4. We need git: `nix-shell -p git`
+5. Build the flake via `sudo nixos-rebuild switch --flake .`
+6. At this point you can restart
+7. Login, set password, move the repository to `/home/leonv/nixos`
\ No newline at end of file
diff --git a/dafoe/configuration.nix b/dafoe/configuration.nix
new file mode 100644
index 0000000..cd5e5eb
--- /dev/null
+++ b/dafoe/configuration.nix
@@ -0,0 +1,87 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running 'nixos-help').
+
+{ config, pkgs, lib, inputs, ... }:
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+      ./services
+      ./programs
+    ];
+
+  # enable flakes
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+  # Use the extlinux boot loader. (NixOS wants to enable GRUB by default)
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda";
+
+  networking.hostName = "dafoe"; # Define your hostname.
+  #networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
+  networking.firewall.allowedTCPPorts = [ 22 80 443 631 8096 8920 ];
+  networking.firewall.allowedUDPPorts = [ 22 80 443 631 1900 7359 ];
+
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+
+  # Define a user account. Don't forget to set a password with 'passwd'.
+  users.users.leonv = {     
+    isNormalUser = true;
+    initialPassword = "leonv";
+    extraGroups = [ "wheel" ]; # Enable 'sudo' for the user.
+    packages = with pkgs; [
+    ];
+   };
+  users.defaultUserShell = pkgs.zsh;
+
+  # List packages installed in system profile.
+  environment.systemPackages = with pkgs; [
+    wget
+    zsh
+    oh-my-zsh
+    restic
+    # for hugo website
+    hugo
+    go
+  ];
+  environment.variables = {
+    EDITOR = "vim";
+
+    # bitwarden key
+    YUBICO_CLIENT_ID = "${../nix-secrets/willem/vaultwarden/yubico-id}";
+    YUBICO_SECRET_KEY = "${../nix-secrets/willem/vaultwarden/yubico-secret}";
+  };
+  environment.shells = [ pkgs.zsh ];
+
+  programs.git = {
+    enable = true;
+    lfs.enable = true;
+    config = {
+      init = {
+        defaultBranch = "main";
+      };
+      commit = {
+        gpgsign = true;
+      };
+      gpg = {
+        format = "ssh";
+      };
+      user = {
+        email = "leon.vatthauer@fau.de";
+        name = "Leon Vatthauer";
+        signingkey = "~/.ssh/git";
+      };
+    };
+  };
+
+  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+    "plexmediaserver"
+  ];
+
+  services.jellyfin.enable = true;
+
+  system.stateVersion = "23.11"; # Did you read the comment?
+}
+
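Review bot: `initialPassword = "leonv"` on the only wheel user, combined with sshd being enabled in services/ssh.nix and the host being Internet-facing (ACME, ddns), leaves a window in which anyone reaching port 22 can log in as an administrator with a known password until step 7 of the README is carried out; drop `initialPassword` and provision `users.users.leonv.openssh.authorizedKeys.keys` (plus `hashedPasswordFile` if a sudo password is wanted), or at the very least turn off SSH password authentication. The two `YUBICO_*` entries in `environment.variables` interpolate a path, so each variable holds a `/nix/store/...-yubico-*` path rather than the secret, the secret file itself is copied into the world-readable store, and every login shell on the box receives it although only the vaultwarden service needs it (vaultwarden.nix sets the same keys) — remove both lines. The firewall opens UDP 22/80/443 for services that are TCP-only, 631 for a printing module that services/default.nix does not import, and 8096/8920/1900/7359 so Jellyfin is reachable directly over plain HTTP around the nginx TLS front; `allowedTCPPorts = [ 22 80 443 ];` with no UDP entries is what the imported modules actually need, and Jellyfin's ports can be added back deliberately when it is meant to be exposed. Minor: the comment says extlinux while GRUB is configured on `/dev/sda`, and `allowUnfreePredicate` whitelists `plexmediaserver` while the service enabled is `jellyfin`.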
diff --git a/dafoe/hardware-configuration.nix b/dafoe/hardware-configuration.nix
new file mode 100644
index 0000000..72881ed
--- /dev/null
+++ b/dafoe/hardware-configuration.nix
@@ -0,0 +1,33 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/40245dca-bf9c-4f39-ad96-8c2fee4b7b2e";
+      fsType = "ext4";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/d8d1edd9-e549-4d92-94d5-8ac5af126a5b"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/dafoe/programs/default.nix b/dafoe/programs/default.nix
new file mode 100644
index 0000000..5316865
--- /dev/null
+++ b/dafoe/programs/default.nix
@@ -0,0 +1,8 @@
+{
+    imports = [
+        ./neovim.nix
+        ./ssh.nix
+        ./starship.nix
+        ./zsh.nix
+    ];
+}
diff --git a/dafoe/programs/neovim.nix b/dafoe/programs/neovim.nix
new file mode 100644
index 0000000..37a1ea9
--- /dev/null
+++ b/dafoe/programs/neovim.nix
@@ -0,0 +1,14 @@
+{ pkgs, ... }:
+{
+  programs.neovim = {
+    enable = true;
+    configure = {
+      customRC = '''';
+      packages.myVimPackage = with pkgs.vimPlugins; {
+        start = [ vim-nix ];
+      };
+    };
+    viAlias = true;
+    vimAlias = true;
+  };
+}
\ No newline at end of file
diff --git a/dafoe/programs/ssh.nix b/dafoe/programs/ssh.nix
new file mode 100644
index 0000000..e4c886d
--- /dev/null
+++ b/dafoe/programs/ssh.nix
@@ -0,0 +1,6 @@
+{
+  programs.ssh.startAgent = true;
+  programs.ssh.extraConfig = ''
+    AddKeysToAgent yes
+  '';
+}
\ No newline at end of file
diff --git a/dafoe/programs/starship.nix b/dafoe/programs/starship.nix
new file mode 100644
index 0000000..a2d4525
--- /dev/null
+++ b/dafoe/programs/starship.nix
@@ -0,0 +1,8 @@
+{
+  programs.starship = {
+    enable = true;
+    settings = {
+      gradle.symbol = "🐘";
+    };
+  };
+}
\ No newline at end of file
diff --git a/dafoe/programs/zsh.nix b/dafoe/programs/zsh.nix
new file mode 100644
index 0000000..f783f10
--- /dev/null
+++ b/dafoe/programs/zsh.nix
@@ -0,0 +1,19 @@
+{
+  programs.zsh = {
+    enable = true;
+    shellAliases = {
+      clean = "sudo nix-env --delete-generations old --profile /nix/var/nix/profiles/system && sudo /nix/var/nix/profiles/system/bin/switch-to-configuration switch && sudo nix-store --gc";
+    };
+    shellInit = ''
+      function rebuild () {
+        sudo nixos-rebuild switch --flake "/home/leonv/nixos?submodules=1"
+        sudo cp -r /home/leonv/nixos /etc/
+      }
+    '';
+    ohMyZsh = {
+      enable = true;
+      plugins = [ "git" ];
+      theme = "dpoggi";
+    };
+  };
+}
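Review bot: The `rebuild` function ends with `sudo cp -r /home/leonv/nixos /etc/`, which copies the whole checkout — including the `nix-secrets` submodule the flake is evaluated with (`?submodules=1`) and that the service modules read — into `/etc/nixos` as root; git checkouts are normally mode 0644, so the copied secret files are presumably world-readable there, a second copy on top of the one already in the store. If a copy under `/etc` is really wanted, exclude the secrets and preserve modes, e.g. `sudo rsync -a --delete --exclude nix-secrets /home/leonv/nixos/ /etc/nixos/`, or drop the copy and make `/etc/nixos` a symlink to the checkout. The `clean` alias chains three commands; `sudo nix-collect-garbage -d` deletes old generations and collects garbage in one step and is less to keep in sync.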
diff --git a/dafoe/services/acme.nix b/dafoe/services/acme.nix
new file mode 100644
index 0000000..c2572df
--- /dev/null
+++ b/dafoe/services/acme.nix
@@ -0,0 +1,10 @@
+{
+  security.acme.acceptTerms = true;
+  security.acme.certs = {
+    "git.vatthauer.xyz".email = "leonvatthauer@outlook.com";
+    "bitwarden.vatthauer.xyz".email = "leonvatthauer@outlook.com";
+    "video.vatthauer.xyz".email = "leonvatthauer@outlook.com";
+    "files.vatthauer.xyz".email = "leonvatthauer@outlook.com";
+    #"vatthauer.xyz".email = "leonvatthauer@outlook.com";
+  };
+}
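Review bot: The four `certs.<name>.email` entries repeat one address and have to be kept in step by hand with every nginx vhost that sets `enableACME = true`; `security.acme.defaults.email = "leonvatthauer@outlook.com";` covers all of them in a single line, and the per-cert block can then go because the nginx module creates the cert entries itself. The commented-out `vatthauer.xyz` entry would likewise be picked up automatically once its vhost is re-enabled.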
diff --git a/dafoe/services/ddns.nix b/dafoe/services/ddns.nix
new file mode 100644
index 0000000..76d79d0
--- /dev/null
+++ b/dafoe/services/ddns.nix
@@ -0,0 +1,16 @@
+{ pkgs, ... }:
+{
+  # dynamic dns
+  users.users.ddns = {
+    isSystemUser = true;
+    group = "ddns";
+  };
+  users.groups.ddns = {};
+  systemd.services.ddns-updater = {
+    enable = true;
+    serviceConfig.User = "ddns";
+    path = [ pkgs.curl ];
+    script = "${../../nix-secrets/willem/ddns/update}";
+    startAt = "hourly";
+  };
+}
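Review bot: `script = "${../../nix-secrets/willem/ddns/update}"` copies the update script into the world-readable Nix store and runs it by its store path, so if that script embeds the DDNS provider token (likely, given it lives under `nix-secrets`) the token is readable by every local user and every service account on the host. Keep the script in the repo and hand the credential in at runtime instead, e.g. `serviceConfig.LoadCredential = "ddns-token:/run/secrets/ddns-token";` with the script reading `$CREDENTIALS_DIRECTORY/ddns-token`, the secret file deployed out of band with restrictive permissions. `enable = true` is already the default for a `systemd.services` entry, and `serviceConfig.DynamicUser = true;` would replace the hand-made `ddns` user and group.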
diff --git a/dafoe/services/default.nix b/dafoe/services/default.nix
new file mode 100644
index 0000000..7791043
--- /dev/null
+++ b/dafoe/services/default.nix
@@ -0,0 +1,13 @@
+{ lib, pkgs, inputs, ... }:
+{
+    imports = [
+        ./acme.nix
+        ./ddns.nix
+        ./nginx.nix
+        ./forgejo.nix
+        #./printing.nix
+        ./restic.nix
+        ./ssh.nix
+        ./vaultwarden.nix
+    ];
+}
diff --git a/dafoe/services/forgejo.nix b/dafoe/services/forgejo.nix
new file mode 100644
index 0000000..6e1ffa1
--- /dev/null
+++ b/dafoe/services/forgejo.nix
@@ -0,0 +1,23 @@
+{ pkgs, ...}:
+{
+  services.forgejo = {
+    enable = true;
+    settings.DEFAULT.APP_NAME = "Lambda-Git";
+    package = pkgs.forgejo;
+    stateDir = "/forgejo";
+    database = {
+      type = "sqlite3";
+    };
+    dump = {
+      enable = true;
+      interval = "02:00";
+    };
+    settings.server = {
+      ROOT_URL = "https://git.vatthauer.xyz";
+      HTTP_PORT = 3001;
+      DOMAIN = "git.vatthauer.xyz";
+    };
+    settings.session.COOKIE_SECURE = true;
+    settings.service.DISABLE_REGISTRATION = true;
+  };
+}
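Review bot: `settings.server` sets `HTTP_PORT = 3001` but leaves `HTTP_ADDR` at the module default, which I believe is `0.0.0.0`, so the plain-HTTP backend is bound on all interfaces although nginx only proxies to it over loopback; add `HTTP_ADDR = "127.0.0.1";` beside `HTTP_PORT` rather than relying on the firewall list in configuration.nix. The restic job in restic.nix backs up `/forgejo/dump` only, so protection depends on the `dump.interval = "02:00"` run finishing before the 04:00 backup; a comment on `dump` naming that ordering would stop someone moving one timer without the other. `stateDir = "/forgejo"` is a non-standard location at the filesystem root; if it is deliberate (separate disk, etc.) say so in a comment, otherwise the module default under `/var/lib` keeps it alongside the other service state.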
diff --git a/dafoe/services/nginx.nix b/dafoe/services/nginx.nix
new file mode 100644
index 0000000..b26f04f
--- /dev/null
+++ b/dafoe/services/nginx.nix
@@ -0,0 +1,44 @@
+{ lib, pkgs, inputs, ... }:
+{
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+  };
+
+  services.nginx.virtualHosts."git.vatthauer.xyz" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://localhost:3001/";
+    };
+  };
+
+  services.nginx.virtualHosts."bitwarden.vatthauer.xyz" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://localhost:8222/";
+    };
+  };
+
+  services.nginx.virtualHosts."video.vatthauer.xyz" = {
+    enableACME = true;
+    forceSSL = false;
+    locations."/" = {
+      proxyPass = "http://localhost:8096";
+    };
+  };
+  #services.nginx.virtualHosts."vatthauer.xyz" = {
+  #  forceSSL = true;
+  #  enableACME = true;
+  #  root = pkgs.callPackage ./resumee-website.nix {};
+  #};
+  services.nginx.virtualHosts."files.vatthauer.xyz" = {
+    forceSSL = true;
+    enableACME = true;
+    root = "/var/www";
+  };
+}
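Review bot: The `video.vatthauer.xyz` vhost has `forceSSL = false` and no `addSSL`, and as far as I can tell from the NixOS module that means it listens on port 80 only — the ACME certificate is requested but never served, and Jellyfin logins travel over cleartext HTTP. Set `forceSSL = true;` as on the other vhosts (or `addSSL = true;` if some client really needs plain HTTP). `files.vatthauer.xyz` serves `/var/www` with no access restriction, which is presumably intended for public files; a one-line comment saying so would save the next reader checking.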
diff --git a/dafoe/services/printing.nix b/dafoe/services/printing.nix
new file mode 100644
index 0000000..321e5b2
--- /dev/null
+++ b/dafoe/services/printing.nix
@@ -0,0 +1,20 @@
+{ pkgs, ... }:
+{
+  # Enable CUPS to print documents.
+  services.avahi = {
+    enable = true;
+    publish.enable = true;
+    publish.userServices = true;
+  };
+  services.printing = {
+    enable = true;
+    drivers = [ pkgs.splix ];
+    browsing = true;
+    listenAddresses = [ "*:631" ];
+    allowFrom = [ "all" ];
+    defaultShared = true;
+    extraConf = ''
+      BrowseLocalProtocols all
+    '';
+  };
+}
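Review bot: The CUPS setup listens on every interface (`listenAddresses = [ "*:631" ]`), accepts `allowFrom = [ "all" ]`, shares printers by default and publishes them via Avahi, and configuration.nix already opens 631/tcp and 631/udp in the firewall; on a host that terminates public TLS for a git forge and a password manager this exposes the CUPS web UI and IPP to the Internet the moment the `#./printing.nix` import in services/default.nix is uncommented. If sharing on the LAN is the goal, restrict it, e.g. `allowFrom = [ "localhost" "192.168.0.0/16" ];` (with the real subnet) and `listenAddresses = [ "<lan-ip>:631" ];`, and leave the firewall ports closed until the module is actually enabled. A comment at the top of the file stating that it is currently unused and why would keep it from being picked up by accident.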
diff --git a/dafoe/services/restic.nix b/dafoe/services/restic.nix
new file mode 100644
index 0000000..5b7f636
--- /dev/null
+++ b/dafoe/services/restic.nix
@@ -0,0 +1,15 @@
+{
+  services.restic.backups = {
+    giteaBackup = {
+      paths = [ "/forgejo/dump" ];
+      environmentFile = "${../../nix-secrets/willem/gitea/backupCreds}";
+      passwordFile = "${../../nix-secrets/willem/restic/password}";
+      repository = "b2:gitea-willem";
+      initialize = true;
+      timerConfig = {
+        OnCalendar = "04:00";
+        Persistent = true;
+      };
+    };
+  };
+}
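Review bot: `environmentFile` and `passwordFile` interpolate paths from `nix-secrets`, which copies the B2 credentials and the restic repository password into `/nix/store`, where every local user and service account (forgejo, vaultwarden, nginx, ddns) can read them; with those two files an attacker can read or delete the off-site backups. Both options take absolute paths to files present on the target at service start, so point them at files deployed outside the store, e.g. `environmentFile = "/run/secrets/restic-b2.env";` and `passwordFile = "/run/secrets/restic-password";` (sops-nix, agenix, or a root-only file placed by hand). Only `/forgejo/dump` is in `paths`; the Vaultwarden data directory is not, which matches the README but deserves a comment if it is intentional. A `pruneOpts` entry (e.g. `--keep-daily 7 --keep-weekly 4`) would keep the repository from growing without bound.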
diff --git a/dafoe/services/resumee-website.nix b/dafoe/services/resumee-website.nix
new file mode 100644
index 0000000..d898fef
--- /dev/null
+++ b/dafoe/services/resumee-website.nix
@@ -0,0 +1,15 @@
+{ stdenv, git, go, hugo }:
+stdenv.mkDerivation {
+  name = "resumee-website";
+  version = "1.0";
+  src = builtins.fetchGit {
+    url = "https://git.vatthauer.xyz/leonv/resumee-website.git";
+    rev = "5cd0f5bb30da8d7297a15be3704e4d9efc73d8b4";
+  };
+  nativeBuildInputs = [ git go hugo ];
+  buildPhase = "hugo -d $out";
+  outputHashAlgo = "sha256";
+  outputHashMode = "recursive";
+  outputHash = "sha256-PQzuhxRrruBbEfUjhPGPeJkJ6vsbMJ+5Ojg4t11oNV8=";
+}
+
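Review bot: The derivation is declared fixed-output (`outputHashAlgo`/`outputHashMode`/`outputHash`) on top of a `builtins.fetchGit` source that is already pinned by `rev`; the fixed hash now also locks in the exact Hugo output, so any Hugo bump in nixpkgs becomes a hash-mismatch failure, and fixed-output derivations get network access in the sandbox, which a static site build should not have. Drop the three `outputHash*` lines and let this be a normal derivation; if identical output across Hugo versions is the concern, pin `hugo` instead. `version = "1.0"` next to `name` is not used for the store name (use `pname`/`version`), and `git`/`go` in `nativeBuildInputs` look unused for a plain `hugo -d $out` unless the site relies on git metadata. The file is only referenced from a commented-out vhost in nginx.nix, so a note saying it is not yet wired in would help.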
diff --git a/dafoe/services/ssh.nix b/dafoe/services/ssh.nix
new file mode 100644
index 0000000..dba27db
--- /dev/null
+++ b/dafoe/services/ssh.nix
@@ -0,0 +1,4 @@
+{
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+}
\ No newline at end of file
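Review bot: `services.openssh.enable = true` takes the 23.11 defaults, which leave password authentication on, while configuration.nix gives the wheel user the fixed `initialPassword = "leonv"`, so until step 7 of the README is done anyone reaching port 22 can log in as an admin with a known password. Make it key-only here: `services.openssh.settings.PasswordAuthentication = false; services.openssh.settings.KbdInteractiveAuthentication = false; services.openssh.settings.PermitRootLogin = "no";` and provision `users.users.leonv.openssh.authorizedKeys.keys` so there is no password window at all. `openFirewall` is not needed today because 22 is opened in configuration.nix, but this file is the right place to set it if that list is trimmed later.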
diff --git a/dafoe/services/vaultwarden.nix b/dafoe/services/vaultwarden.nix
new file mode 100644
index 0000000..1f7d8a2
--- /dev/null
+++ b/dafoe/services/vaultwarden.nix
@@ -0,0 +1,19 @@
+{
+  services.vaultwarden = {
+    enable = true;
+    config = {
+      DOMAIN = "https://bitwarden.vatthauer.xyz";
+      SIGNUPS_ALLOWED = false;
+
+      ROCKET_ADDRESS = "127.0.0.1";
+      ROCKET_PORT = 8222;
+
+      ROCKET_LOG = "critical";
+
+      ADMIN_TOKEN = "${../../nix-secrets/willem/vaultwarden/admin-token}";
+
+      YUBICO_CLIENT_ID = "${../../nix-secrets/willem/vaultwarden/yubico-id}";
+      YUBICO_SECRET_KEY = "${../../nix-secrets/willem/vaultwarden/yubico-secret}";
+    };
+  };
+}
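Review bot: `ADMIN_TOKEN = "${../../nix-secrets/willem/vaultwarden/admin-token}"` does not put the token into the config — interpolating a path yields its `/nix/store/...` path, so the admin token becomes that path string, which any local user can recover with `ls /nix/store`, and the file content is readable there too; the same applies to `YUBICO_CLIENT_ID`/`YUBICO_SECRET_KEY`. Everything in `services.vaultwarden.config` is rendered to a store file anyway, so secrets must go through `services.vaultwarden.environmentFile` instead: point it at a root-only file deployed out of band (e.g. `/run/secrets/vaultwarden.env`) holding `ADMIN_TOKEN=...`, `YUBICO_CLIENT_ID=...` and `YUBICO_SECRET_KEY=...`, and use an argon2 PHC hash for the admin token as Vaultwarden supports. The Vaultwarden data directory is not covered by the restic job in restic.nix, so the vault itself currently has no off-site backup; a comment here or in restic.nix should record whether that is intended.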
diff --git a/flake.lock b/flake.lock
index cc33d9f..7fa807a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -160,11 +160,11 @@
     "homebrew-core": {
       "flake": false,
       "locked": {
-        "lastModified": 1714451058,
-        "narHash": "sha256-2OynGCZFa3HD3LizrcnGVa1voijuI9ZXK/iE3wLK5NM=",
+        "lastModified": 1714451504,
+        "narHash": "sha256-1G1ksvFwzg1i9ZYLACtVIS/0EAop0tiAeexfD01pHyc=",
         "owner": "homebrew",
         "repo": "homebrew-core",
-        "rev": "e071ff1388a74e9c978f361b6183c22fcf4c725b",
+        "rev": "b376432848daaf1243709cee4c835c2a7c6397c1",
         "type": "github"
       },
       "original": {
diff --git a/flake.nix b/flake.nix
index 2991826..ba37521 100644
--- a/flake.nix
+++ b/flake.nix
@@ -57,6 +57,11 @@
         specialArgs = { inherit inputs; };
         modules = [ ./willem/configuration.nix ];
       };
+      dafoe = unstable.lib.nixosSystem {
+        system = "x86_64-linux";
+        specialArgs = { inherit inputs; };
+        modules = [ ./dafoe/configuration.nix ];
+      };
     };
     darwinConfigurations = {
       shinx = darwin.lib.darwinSystem {
diff --git a/gunther/leonv.nix b/gunther/leonv.nix
index 358f8f3..6d9f34e 100755
--- a/gunther/leonv.nix
+++ b/gunther/leonv.nix
@@ -91,6 +91,9 @@
     ])
 
     lean4
+
+    # for emacs
+    texlab
   ];
 
   programs.home-manager.enable = true;