Git/Nixconfigs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Original commit

Browse source
This commit is contained in:
Maxiem Geldhof 2025-10-12 17:15:04 +02:00
commit cc74263a3b
26 changed files with 3052 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

153
flake.lock generated Normal file
View file

@ -0,0 +1,153 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": [
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1754433428,
"narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=",
"owner": "ryantm",
"repo": "agenix",
"rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1744478979,
"narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "43975d782b418ebf4969e9ccba82466728c2851b",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1745494811,
"narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1758463745,
"narHash": "sha256-uhzsV0Q0I9j2y/rfweWeGif5AWe0MGrgZ/3TjpDYdGA=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3b955f5f0a942f9f60cdc9cacb7844335d0f21c3",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-25.05",
"repo": "home-manager",
"type": "github"
}
},
"nix-darwin": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1759509947,
"narHash": "sha256-4XifSIHfpJKcCf5bZZRhj8C4aCpjNBaE3kXr02s4rHU=",
"owner": "nix-darwin",
"repo": "nix-darwin",
"rev": "000eadb231812ad6ea6aebd7526974aaf4e79355",
"type": "github"
},
"original": {
"owner": "nix-darwin",
"ref": "nix-darwin-25.05",
"repo": "nix-darwin",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1759478543,
"narHash": "sha256-AetDmsj6lkwyEzAhnayQ8wXKkHremjCDqchKhSoAMhE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "cacb0bf08c2f851ec166ec665c777cf9fc542283",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-25.05-darwin",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"home-manager": "home-manager_2",
"nix-darwin": "nix-darwin",
"nixpkgs": "nixpkgs"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

40
flake.nix Normal file
View file

@ -0,0 +1,40 @@
{
description = "Example nix-darwin system flake";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-25.05-darwin";
nix-darwin.url = "github:nix-darwin/nix-darwin/nix-darwin-25.05";
nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
home-manager.url = "github:nix-community/home-manager/release-25.05";
home-manager.inputs.nixpkgs.follows = "nixpkgs";
agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs";
};
outputs =
inputs@{
self,
nix-darwin,
home-manager,
nixpkgs,
agenix,
}:
let
macbook = import ./systems/macbook/macbook.nix {
nix-darwin = nix-darwin;
home-manager = home-manager;
self = self;
agenix = agenix;
};
selene = import ./systems/selene/system.nix {
agenix = agenix;
};
in
{
# Build darwin flake using:
# $ darwin-rebuild build --flake .#Maxiems-MacBook-Pro
darwinConfigurations."Maxiems-MacBook-Pro" = macbook;
nixosConfigurations.selene = selene;
};
}

1
keys/asus.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdcSzVRG/BHxDx79A3kM5cZ3ZlMipcSorVIpxAJC2xF maxiem@maxiem-asustufgamingf15fx506lhfx506lh

BIN
keys/google-storage-key Normal file
View file

Binary file not shown.

1
keys/hetzner.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKcfmaqbtwSEydV2hge/aDWxfwlKOw/JJZZWy8ycjojH hetzner@maxiemgeldhof.com

7
keys/jellyfin-key Normal file
View file

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 gSqcWw 6TUQ5nbQ/j886U3+MNcFFiUN2GZqmRZryFxQsE5eMFI
KO/HfhxCWv3IEdEg+A9pEWYmlM+/YGXIdVe/sw4vpaE
-> ssh-ed25519 lFtjmQ oK6lK9vYjLg/lsUnoxMs6oftFQsSh5U6qkSZoWWrmB8
rMcN88GFQ8VdxMKVMeJL/gJdrRgdKhs5wHaU2JohD+0
--- a9kKvgDEZnMMhjuI2XmcAcCXNo3oNpVPCiSHp1ZiYDQ
KüÇnv6&Ñ´}¶ˆ>B?;ÉaÚ0`²µJú7<C3BA>OÖ(¤.ÖLV4<02>M9bÆ çâ|]&sïõ5

7
keys/macbook.priv Normal file
View file

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 M7OTMg 1m4v/Xmw+N9+pVrttLG1GnH3LCgJSQOOW6T34cIMq08
kSwgueUJm4DCjgDdi5OGHnhtMNz1zb5lhyYfVmlYp7M
-> ssh-ed25519 CJLJQg 7zWWonoFKuLQWJaEZGysrGUjcwznXhrbtnpYPULjoWc
MplLAdVbgYTE99pIhFaMGnO+L6n/xL0kgTaVc4J2NKQ
--- jYPfNgq9uBO50jSTrwDJ2M0vrx5iYEf4yiGyy9PCA/o
3·éÆ<C3A9>ôšäŒÏ2ø>Ú[yÛ+¼ÆD€ýÉ[cª?Àž1Sº—e¦:¯V¾¤Ñû"ÔXÉ[ûøþ[b 7iq<69>î‡YZ žýínÔ¼2™¯ni"q kî`ƃJ©:Qù…ýSÙ©gÁù~E\áÎ’£|=Ëvƒ—o} lfŠÈìÀØt[£×gì>;dc1<63> <Gçö¾€UíºÇ¶u¡9hx—óÕƒlNü¦”Æ0=D!¥šÇi½§ éä„< úXê!é2ƒ 6íI<C3AD>MG˜*Sõ!3™Ht4øãvè/Ï&°Àô‹“ìLY5j<35>Ú<7F>ªúæÛÖ#ŽBðËÝÛäò·ÆX¬K´ «4Ó}ƤELâû¨€<C2A8>©ÂŸ ë<9í|èò;„›ûÄ<˜d_$£¨¡ËŽÆ<C5BD>Èt¦@lR6™R™™Fn!Û¥³¶ã¥™<ScUƒbT{27 ½)Jº¥ö”t¬ÇÈ$ev¢Öç8ƒ™ìÓGݤæùä¬zuZ4pmÃÖ™L=iEjnuŸ—H\/oëÝšúɤ_ëÒÜùeˆ õOb³…ª¬‰<C2AC><11>Ñó Z0…§úrk"_â\Ãë<C383>Ø@Û

1
keys/macbook.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJfqdqySAsEAXhB/jadKH6Ol5wVAlzyQRwgxq7DXsDgW maxiem@maxiemgeldhof.com

BIN
keys/master.priv Normal file
View file

Binary file not shown.

1
keys/master.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICg1ebl3uHhiGPxW6X2Lii5tvuxyuG74AFh/wqxw8rxC maxiem@maxiemgeldhof.com

11
keys/secrets.nix Normal file
View file

@ -0,0 +1,11 @@
let
selene = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBEiuoUbvgZ2N03MTcWw4z+oUB9SG0jR0fy5AnTTBHym" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKcfmaqbtwSEydV2hge/aDWxfwlKOw/JJZZWy8ycjojH" ];
macbook = [ (builtins.readFile ./macbook.pub) ];
master = [ (builtins.readFile ./master.pub) ];
in
{
"jellyfin-key".publicKeys = selene;
"google-storage-key".publicKeys = selene;
"macbook.priv".publicKeys = macbook ++ master;
"master.priv".publicKeys = macbook ++ master;
}

2392
modules/servermodules/grafana/dashboards/jellyfin.json Normal file
View file

File diff suppressed because it is too large Load diff

70
modules/servermodules/grafana/grafana.nix Normal file
View file

@ -0,0 +1,70 @@
{ config, ... }:
{
services.grafana = {
enable = true;
settings = {
server = {
# Listening Address
http_addr = "127.0.0.1";
# and Port
http_port = 3000;
# Grafana needs to know on which domain and URL it's running
domain = "grafana.maxiemgeldhof.com";
};
};
provision.datasources.path = ./provision;
provision.dashboards.settings = {
apiVersion = 1;
providers = [
{
name = "default";
options.path = ./dashboards;
}
];
};
};
services.prometheus.exporters.node = {
enable = true;
port = 9000;
# https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/monitoring/prometheus/exporters.nix
enabledCollectors = [ "systemd" ];
# /nix/store/zgsw0yx18v10xa58psanfabmg95nl2bb-node_exporter-1.8.1/bin/node_exporter --help
extraFlags = [
"--collector.ethtool"
"--collector.softirqs"
"--collector.tcpstat"
"--collector.wifi"
];
};
services.prometheus = {
enable = true;
globalConfig.scrape_interval = "30s";
scrapeConfigs = [
{
job_name = "node";
static_configs = [
{
targets = [
"localhost:${toString config.services.prometheus.exporters.node.port}"
"localhost:8096"
];
}
];
}
{
job_name = "jellyfin";
static_configs = [
{
targets = [
"localhost:9594"
];
}
];
}
];
};
}

19
modules/servermodules/grafana/provision/prom.yaml Normal file
View file

@ -0,0 +1,19 @@
# Configuration file version
apiVersion: 1
prune: true
datasources:
- name: Prometheus
type: prometheus
access: proxy
url: http://localhost:9090
jsonData:
httpMethod: POST
manageAlerts: true
allowAsRecordingRulesTarget: true
prometheusType: Prometheus
prometheusVersion: 3.3.0
cacheLevel: 'High'
disableRecordingRules: false
timeInterval: 10s # Prometheus scrape interval
incrementalQueryOverlapWindow: 10m

60
modules/servermodules/jellyfin/jellyfin.nix Normal file
View file

@ -0,0 +1,60 @@
{
pkgs,
config,
exporter-pkg,
...
}:
{
environment.systemPackages = [
pkgs.jellyfin
pkgs.jellyfin-web
pkgs.jellyfin-ffmpeg
];
services.jellyfin = {
enable = true;
configDir = "/jellyfin/config";
dataDir = "/jellyfin/data";
};
age.secrets.jellyfin-key = {
file = ./secrets/jellyfin-key;
owner = "jellyfin";
};
# Define the systemd service
systemd.services.jellyfin-exporter = {
description = "Jellyfin Exporter for Prometheus";
wantedBy = [ "multi-user.target" ];
after = [
"network-online.target"
"run-agenix.d.mount"
]; # Should start after network is up
wants = [
"network-online.target"
"run-agenix.d.mount"
]; # Should start after network is up
serviceConfig = {
# The command to start the exporter
# You MUST replace the placeholders below with your actual data
ExecStart = ''
/bin/sh -c "${exporter-pkg}/bin/jellyfin_exporter \
--jellyfin.address=http://localhost:8096 \
--jellyfin.token=$(cat ${config.age.secrets.jellyfin-key.path})"
'';
# Run the service as the user we created
User = "jellyfin";
# Automatically restart the service if it fails
Restart = "on-failure";
RestartSec = "5s";
};
};
systemd.tmpfiles.rules = [
"L+ /data/movies - - - - /mnt/volume-hel1-1/movies"
"L+ /data/series - - - - /mnt/volume-hel1-1/series"
];
}

76
modules/servermodules/nginx.nix Normal file
View file

@ -0,0 +1,76 @@
{ rootdomain }:
{
systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/logs/nginx" ];
services.nginx.enable = true;
services.nginx.commonHttpConfig = ''
log_format myformat '$remote_addr - $remote_user [$time_local] '
'$host "$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
'';
services.nginx.virtualHosts."default" = {
enableACME = false;
rejectSSL = true;
default = true;
locations."/" = {
return = 404;
};
extraConfig = ''
access_log /logs/nginx/nginx-access.log myformat;
'';
};
services.nginx.virtualHosts."grafana.${rootdomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3000";
proxyWebsockets = true;
recommendedProxySettings = true;
};
extraConfig = ''
access_log /logs/nginx/nginx-access.log myformat;
'';
};
services.nginx.virtualHosts."jellyfin.${rootdomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8096";
proxyWebsockets = true;
recommendedProxySettings = true;
};
locations."/metrics" = {
proxyPass = "http://127.0.0.1:8096/metrics";
recommendedProxySettings = true;
extraConfig = ''
allow 127.0.0.1;
allow 192.168.0.0/16;
allow 10.0.0.0/8;
allow 172.16.0.0/12;
deny all;
'';
};
extraConfig = ''
access_log /logs/nginx/nginx-access.log myformat;
'';
};
security.acme = {
acceptTerms = true;
defaults.email = "admin@${rootdomain}";
};
systemd.tmpfiles.rules = [
# Type Path Mode User Group Age Argument
"d /logs/nginx 0755 nginx nginx - -"
]
}

15
modules/servermodules/packages.nix Normal file
View file

@ -0,0 +1,15 @@
{ pkgs, ... }:
{
environment.systemPackages = [
pkgs.git
pkgs.google-cloud-sdk
pkgs.zulu8
pkgs.wget
pkgs.tmux
];
age.secrets.google-storage-key = {
file = ./secrets/google-storage-key;
owner = "root";
};
environment.variables.GOOGLE_APPLICATION_CREDENTIALS = config.age.secrets."google-storage-key".path;
}

22
modules/usermodules/darwinsettings.nix Normal file
View file

@ -0,0 +1,22 @@
self:
{ pkgs, agenix, ... }: {
# List packages installed in system profile. To search by name, run:
# $ nix-env -qaP | grep wget
environment.systemPackages = [ pkgs.vim pkgs.vscode pkgs.git pkgs.nixfmt-rfc-style agenix.packages.aarch64-darwin.default pkgs.python3];
# Necessary for using flakes on this system.
nix.settings.experimental-features = "nix-command flakes";
nixpkgs.config.allowUnfree = true;
# Set Git commit hash for darwin-version.
system.configurationRevision = self.rev or self.dirtyRev or null;
# Used for backwards compatibility, please read the changelog before changing.
# $ darwin-rebuild changelog
system.stateVersion = 6;
# The platform the configuration will be used on.
nixpkgs.hostPlatform = "aarch64-darwin";
system.defaults.dock.autohide = true;
}

15
systems/macbook/macbook.nix Normal file
View file

@ -0,0 +1,15 @@
{ nix-darwin, home-manager, agenix, self }:
nix-darwin.lib.darwinSystem {
modules = [
{ system.primaryUser = "maxiemgeldhof"; }
(import ../../modules/usermodules/darwinsettings.nix self)
home-manager.darwinModules.home-manager
(import ./users.nix)
agenix.darwinModules.default
];
specialArgs = {
home-manager=home-manager;
agenix = agenix;
};
}

14
systems/macbook/users.nix Normal file
View file

@ -0,0 +1,14 @@
{ pkgs, home-manager, config, ... }:
let
userconfig = {
home.stateVersion = "25.05";
home.homeDirectory = "/Users/maxiemgeldhof";
programs.home-manager.enable = true;
};
in {
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.users.maxiemgeldhof = userconfig;
users.users.maxiemgeldhof.home = "/Users/maxiemgeldhof";
}

33
systems/selene/basesettings.nix Normal file
View file

@ -0,0 +1,33 @@
{ ... }:
{
imports = [
./hardware-configuration.nix
./networking.nix # generated at runtime by nixos-infect
];
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
networking.hostName = "selene";
networking.domain = "";
networking.firewall = {
enable = true;
allowedTCPPorts = [
22
80
443
];
};
services.openssh.enable = true;
services.openssh.settings.PasswordAuthentication = false;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKcfmaqbtwSEydV2hge/aDWxfwlKOw/JJZZWy8ycjojH hetzner@maxiemgeldhof.com"
];
age.identityPaths = [ "/root/.ssh/id_ed25519" ];
system.stateVersion = "23.11";
nix.settings.experimental-features = [
"nix-command"
"flakes"
];
}

13
systems/selene/hardware.nix Normal file
View file

@ -0,0 +1,13 @@
{ modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub = {
efiSupport = true;
efiInstallAsRemovable = true;
device = "nodev";
};
fileSystems."/boot" = { device = "/dev/disk/by-uuid/7AE2-203E"; fsType = "vfat"; };
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/sdc1"; fsType = "ext4"; };
}

44
systems/selene/networking.nix Normal file
View file

@ -0,0 +1,44 @@
{ lib, ... }: {
# This file was populated at runtime with the networking
# details gathered from the active system.
networking = {
nameservers = [ "8.8.8.8" ];
defaultGateway = "172.31.1.1";
defaultGateway6 = {
address = "fe80::1";
interface = "eth0";
};
dhcpcd.enable = false;
usePredictableInterfaceNames = lib.mkForce false;
interfaces = {
eth0 = {
ipv4.addresses = [{
address = "37.27.207.39";
prefixLength = 32;
}];
ipv6.addresses = [
{
address = "2a01:4f9:c010:bbba::1";
prefixLength = 64;
}
{
address = "fe80::9000:6ff:fe5c:ed79";
prefixLength = 64;
}
];
ipv4.routes = [{
address = "172.31.1.1";
prefixLength = 32;
}];
ipv6.routes = [{
address = "fe80::1";
prefixLength = 128;
}];
};
};
};
services.udev.extraRules = ''
ATTR{address}=="92:00:06:5c:ed:79", NAME="eth0"
'';
}

19
systems/selene/system.nix Normal file
View file

@ -0,0 +1,19 @@
{ agenix }:
nixpkgs.lib.nixosSystem {
system = system;
specialArgs = {
# This selects the package for the current system and passes it
exporter-pkg = jellyfin-exporter.packages.${system}.default;
};
modules = [
./basesettings.nix
./users.nix
../../modules/servermodules/packages.nix
(import ./nginx.nix "maxiemgeldhof.com")
../../modules/servermodules/grafana.nix
../../modules/servermodules/jellyfin.nix
./volumes.nix
agenix.nixosModules.default
];
}

17
systems/selene/users.nix Normal file
View file

@ -0,0 +1,17 @@
{
users.users.selene = {
isNormalUser = true;
home = "/home/selene";
hashedPassword = "$y$j9T$KjOwguW/7P9GvbNg6Yy.k/$8xf3aqnJ909HSjxtpe854RKdiXiPpbOLt.aiuJSfeC0";
openssh.authorizedKeys.keys = [
(builtins.readFile ../../keys/hetzner.pub)
(builtins.readFile ../../keys/asus.pub)
(builtins.readFile "../../keys/pacbook.pub")
];
extraGroups = [
"wheel"
"networkmanager"
];
};
}

21
systems/selene/volumes.nix Normal file
View file

@ -0,0 +1,21 @@
{
fileSystems."/mnt/volume-hel1-2" = {
device = "/dev/disk/by-id/scsi-0HC_Volume_103422022";
fsType = "ext4";
options = [
"defaults"
"discard"
"nofail"
];
};
fileSystems."/mnt/volume-hel1-1" = {
device = "/dev/disk/by-id/scsi-0HC_Volume_103419450";
fsType = "ext4";
options = [
"defaults"
"discard"
"nofail"
];
};
}