From 4fa6f90b3789cdbfb4e5dcdf385693e1fd9e3b01 Mon Sep 17 00:00:00 2001
From: Maxiem Geldhof
Date: Mon, 13 Oct 2025 18:50:18 +0200
Subject: [PATCH 01/10] Fix selene

---
 systems/selene/system.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/systems/selene/system.nix b/systems/selene/system.nix
index 2a7edc4..5479ef1 100644
--- a/systems/selene/system.nix
+++ b/systems/selene/system.nix
@@ -1,9 +1,9 @@
-{ agenix, jellyfin-exporter, nixpkgs, ... }:
+{ agenix, jellyfin-exporter, nixpkgs, self, ... }:
 nixpkgs.lib.nixosSystem {
-  system = system;
+  system = "x86_64-linux";
   specialArgs = {
     # This selects the package for the current system and passes it
-    exporter-pkg = jellyfin-exporter.packages.${system}.default;
+    exporter-pkg = jellyfin-exporter.packages.${self.system}.default;
   };
   modules = [
From 893ec06b7c0a80744f30cd13d0cd8c535cf8dae1 Mon Sep 17 00:00:00 2001
From: Maxiem Geldhof
Date: Mon, 13 Oct 2025 18:55:11 +0200
Subject: [PATCH 02/10] Fix selene

---
 flake.lock | 17 ++++++++++++
 flake.nix | 3 ++
 jellyfin-exporter/flake.nix | 55 +++++++++++++++++++++++++++++++++++++
 3 files changed, 75 insertions(+)
 create mode 100644 jellyfin-exporter/flake.nix

diff --git a/flake.lock b/flake.lock
index f5f51ff..fcd58d6 100644
--- a/flake.lock
+++ b/flake.lock
@@ -87,6 +87,22 @@
         "type": "github"
       }
     },
+    "jellyfin-exporter": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "path": "./jellyfin-exporter",
+        "type": "path"
+      },
+      "original": {
+        "path": "./jellyfin-exporter",
+        "type": "path"
+      },
+      "parent": []
+    },
     "nix-darwin": {
       "inputs": {
         "nixpkgs": [
@@ -128,6 +144,7 @@
       "inputs": {
         "agenix": "agenix",
         "home-manager": "home-manager_2",
+        "jellyfin-exporter": "jellyfin-exporter",
         "nix-darwin": "nix-darwin",
         "nixpkgs": "nixpkgs"
       }
diff --git a/flake.nix b/flake.nix
index 2883726..013a23e 100644
--- a/flake.nix
+++ b/flake.nix
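Review bot: `self.system` on the new exporter-pkg line is not an attribute a flake's `self` provides on its own, so unless this flake's outputs define `system` the evaluation fails with a missing-attribute error, while the same hunk hard-codes `"x86_64-linux"` two lines above. Binding the value once, `let system = "x86_64-linux"; in` ahead of `nixpkgs.lib.nixosSystem {`, and using `packages.${system}.default` keeps the two in agreement and removes the need for `self` in the argument set. The nixosSystem call continues past the end of the hunk.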
@@ -9,6 +9,8 @@
     home-manager.inputs.nixpkgs.follows = "nixpkgs";
     agenix.url = "github:ryantm/agenix";
     agenix.inputs.nixpkgs.follows = "nixpkgs";
+    jellyfin-exporter.url = "path:./jellyfin-exporter";
+    jellyfin-exporter.inputs.nixpkgs.follows = "nixpkgs";
   };

   outputs =
@@ -18,6 +20,7 @@
       home-manager,
       nixpkgs,
       agenix,
+      jellyfin-exporter,
     }:
     let
       macbook = import ./systems/macbook/macbook.nix inputs;
diff --git a/jellyfin-exporter/flake.nix b/jellyfin-exporter/flake.nix
new file mode 100644
index 0000000..307e58b
--- /dev/null
+++ b/jellyfin-exporter/flake.nix
@@ -0,0 +1,55 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+  };
+
+  outputs =
+    { self, nixpkgs }:
+    let
+      # The set of systems to provide outputs for
+      allSystems = [
+        "x86_64-linux"
+        "aarch64-linux"
+        "x86_64-darwin"
+        "aarch64-darwin"
+      ];
+
+      # A function that provides a system-specific Nixpkgs for the desired systems
+      forAllSystems =
+        f:
+        nixpkgs.lib.genAttrs allSystems (
+          system:
+          f {
+            pkgs = import nixpkgs { inherit system; };
+          }
+        );
+    in
+    {
+      packages = forAllSystems (
+        { pkgs }:
+        {
+          default = pkgs.buildGoModule (finalAttrs: {
+            doCheck = false;
+            pname = "jellyfin-exporter";
+            version = "1.3.8";
+
+            src = pkgs.fetchFromGitHub {
+              owner = "rebelcore";
+              repo = "jellyfin_exporter";
+              tag = "v${finalAttrs.version}";
+              hash = "sha256-7fIrjcy6y/Ayj43WeuPNCx3uVJyl5Wf6bWs5ta2PpWc=";
+            };
+
+            # Let Nix fetch Go modules and hash them automatically
+            vendorHash = "sha256-JSOKDbefQyDLNy2y1oW7HUplQw8uhhOGZ+ueWyUYYQ0=";
+
+            meta = {
+              description = "Jellyfin exporter for Prometheus";
+              homepage = "https://github.com/rebelcore/jellyfin_exporter";
+              license = pkgs.lib.licenses.asl20;
+            };
+          });
+        }
+      );
+    };
+}
From 648bf43f76100d160fc0933bf851a66e8f2902e6 Mon Sep 17 00:00:00 2001
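Review bot: The comment above `vendorHash` in the new jellyfin-exporter/flake.nix is inaccurate: `vendorHash` is a fixed-output hash that Nix verifies, not something it fetches and computes on its own, and it has to be updated by hand whenever `version` changes. A comment such as `# Fixed-output hash of the vendored Go modules; refresh it together with version` describes what the line actually does. `doCheck = false;` also deserves a why-comment, since skipping the upstream test suite is otherwise an unexplained choice. The `nixos-25.05` pin in this file's `inputs` only takes effect when the sub-flake is built on its own; the parent flake.nix hunk in this same commit overrides it with `jellyfin-exporter.inputs.nixpkgs.follows = "nixpkgs"`, which is worth a one-line comment next to the pin.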
From: Maxiem Geldhof Date: Mon, 13 Oct 2025 18:56:59 +0200 Subject: [PATCH 03/10] Fix selene --- keys/secrets.nix | 2 + keys/wg-macbook | 7 +++ keys/wg-macbook.pub | 1 + keys/wg-selene | 11 ++++ keys/wg-selene.pub | 1 + modules/servermodules/jellyfin/jellyfin.nix | 2 +- modules/servermodules/nginx.nix | 4 +- modules/servermodules/packages.nix | 4 +- .../wireguard/wireguard-server.nix | 58 +++++++++++++++++++ modules/usermodules/darwinsettings.nix | 2 +- systems/macbook/macbook.nix | 3 +- systems/macbook/wireguard.nix | 42 ++++++++++++++ systems/selene/basesettings.nix | 2 +- systems/selene/system.nix | 15 +++-- systems/selene/users.nix | 2 +- 15 files changed, 142 insertions(+), 14 deletions(-) create mode 100644 keys/wg-macbook create mode 100644 keys/wg-macbook.pub create mode 100644 keys/wg-selene create mode 100644 keys/wg-selene.pub create mode 100644 modules/servermodules/wireguard/wireguard-server.nix create mode 100644 systems/macbook/wireguard.nix diff --git a/keys/secrets.nix b/keys/secrets.nix index ad697ad..3434403 100644 --- a/keys/secrets.nix +++ b/keys/secrets.nix @@ -8,4 +8,6 @@ in "google-storage-key".publicKeys = selene; "macbook.priv".publicKeys = macbook ++ master; "master.priv".publicKeys = macbook ++ master; + "wg-selene".publicKeys = macbook ++ selene ++ master; + "wg-macbook".publicKeys = macbook ++ master; } \ No newline at end of file diff --git a/keys/wg-macbook b/keys/wg-macbook new file mode 100644 index 0000000..1342b37 --- /dev/null +++ b/keys/wg-macbook @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 M7OTMg PyrVB10SxQZdhrwusKh+m6944Nj5vqBL6qGum8qK4Qg +huIr2n2ciTqu11o6ApcCoVMstQ9b3XoRfgAtU79wdnY +-> ssh-ed25519 CJLJQg 2O7UQVLdlMJZzt5TOo5EYpfWjKAnNLJ6OQY+xRTp2go +TonYGAfBSeUpSHl+jHSG2qO9kWseAxfog1oWeGFWc5s +--- Hh8KEiQFjdy2xYqcBX4L6XSp4GPpO29tSPrfpnZlv5o +?$JΦ^woNv*#4+=[ltQF6-wiy. ڢ8iҞ'.H,a \ No newline at end of file diff --git a/keys/wg-macbook.pub b/keys/wg-macbook.pub new file mode 100644 index 0000000..d151aae --- /dev/null 
+++ b/keys/wg-macbook.pub @@ -0,0 +1 @@ +uFmbvJBptZsrzYDqpZM7SsibELaIRZIT91dr+lg4UTQ= diff --git a/keys/wg-selene b/keys/wg-selene new file mode 100644 index 0000000..908d724 --- /dev/null +++ b/keys/wg-selene @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 M7OTMg rtefZhzmdX3bNzHNy3nkNUUhMkzl5Jhr5aRKQeMxyG0 +j8S1T4ZJ4rPCB1hLYB0XDrQapmDeBaVhHF1egscPMSI +-> ssh-ed25519 gSqcWw zXFb2UGB5MX9l1zRtSXjRvx2jKwzi3xJ6pSheWbcKHE +0sj7aWQEU9anrtn9nNc+GZV/hmZhGhBJiY4z+92QmhE +-> ssh-ed25519 lFtjmQ F1UrJyfMoLe2WQhg2quklc/m0U6fDoHdUHb9fKwbMAk +PqhWK8b8VPvnwYOv6o8ghihW4BY2gyXWjeVoBB3Jq1c +-> ssh-ed25519 CJLJQg NI5inqne74mHhVzieDbwHe2ir7b/5JupVpJ2eHehYHs +nkcF008pNF7+57K4dCQMrayVcUWSFVQ38MwK9JPUZ90 +--- Wo0W41Xg2j6kl6atrzbtE2ogo3mY1+sTqfyvWkUsUeA + EgfG'Ԏ!;+m\A Date: Sat, 18 Oct 2025 13:59:43 +0200 Subject: [PATCH 04/10] Macbook updates for agenix --- systems/macbook/macbook.nix | 14 ++++++++++---- systems/macbook/users.nix | 1 + systems/macbook/wireguard.nix | 11 +++-------- 3 files changed, 14 insertions(+), 12 deletions(-) diff --git a/systems/macbook/macbook.nix b/systems/macbook/macbook.nix index 308b3ed..046c0dc 100644 --- a/systems/macbook/macbook.nix +++ b/systems/macbook/macbook.nix @@ -1,16 +1,22 @@ -{ nix-darwin, home-manager, agenix, self, ... }: +{ + nix-darwin, + home-manager, + agenix, + self, + ... +}: nix-darwin.lib.darwinSystem { modules = [ + agenix.darwinModules.default { system.primaryUser = "maxiemgeldhof"; } (import ../../modules/usermodules/darwinsettings.nix self) home-manager.darwinModules.home-manager - import ./users.nix + ./users.nix ./wireguard.nix - agenix.darwinModules.default ]; specialArgs = { - home-manager=home-manager; + home-manager = home-manager; agenix = agenix; }; } diff --git a/systems/macbook/users.nix b/systems/macbook/users.nix index da4bb7a..df3810e 100644 --- a/systems/macbook/users.nix +++ b/systems/macbook/users.nix 
@@ -20,4 +20,5 @@ in
   home-manager.useUserPackages = true;
   home-manager.users.maxiemgeldhof = userconfig;
   users.users.maxiemgeldhof.home = "/Users/maxiemgeldhof";
+  age.identityPaths = [ "/Users/maxiemgeldhof/.ssh/id_ed25519" ];
 }
diff --git a/systems/macbook/wireguard.nix b/systems/macbook/wireguard.nix
index 0e0139c..f299683 100644
--- a/systems/macbook/wireguard.nix
+++ b/systems/macbook/wireguard.nix
@@ -1,12 +1,7 @@
 { config, ... }:
 {
-  age.secrets.wg-private.file = "../../keys/wg-macbook";
-  services.wg-quick.interfaces.wg0 = {
-    # Add a name for your interface here, e.g., wg0
-    enable = true;
-    # Path to your WireGuard config file
-    # e.g., /etc/wireguard/wg0.conf
-
+  age.secrets.wg-private.file = ../../keys/wg-macbook;
+  networking.wg-quick.interfaces.wg-selene = {
     privateKeyFile = config.age.secrets.wg-private.path;

     # The internal IP address assigned to this client by the server.
@@ -23,7 +18,7 @@
     peers = [
       {
         # Public key of the SERVER.
-        publicKey = builtins.readFile ../../../keys/wg-selene.pub;
+        publicKey = builtins.readFile ../../keys/wg-selene.pub;

         # The server's public IP address and listening port.
         endpoint = "37.27.207.39:51820";
From b6714ee64f472b4e08cef8a6aa76c423771fab5f Mon Sep 17 00:00:00 2001
From: Maxiem Geldhof
Date: Sat, 18 Oct 2025 14:26:06 +0200
Subject: [PATCH 05/10] Refactor the clients

---
 .../wireguard/wireguard-server.nix | 106 ++++++++++--------
 systems/macbook/macbook.nix | 2 +-
 systems/macbook/wireguard.nix | 55 +++++----
 systems/selene/system.nix | 2 +-
 4 files changed, 85 insertions(+), 80 deletions(-)

diff --git a/modules/servermodules/wireguard/wireguard-server.nix b/modules/servermodules/wireguard/wireguard-server.nix
index b1e50fc..797f9b0 100644
--- a/modules/servermodules/wireguard/wireguard-server.nix
+++ b/modules/servermodules/wireguard/wireguard-server.nix
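Review bot: The new `age.identityPaths` entry in systems/macbook/users.nix makes a personal key under the user's home directory the identity agenix uses at activation, which runs as root, and the secret `wg-macbook` added in the earlier commit can only be decrypted if that file is the private half of the key in `keys/macbook.pub`; nothing on this line records that coupling. A comment such as `# private half of keys/macbook.pub; agenix reads it as root at activation to decrypt wg-macbook` makes the dependency visible to the next reader. Presumably the path must exist before the first `darwin-rebuild` that uses a secret, since the identity is read at activation rather than at login.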
@@ -1,58 +1,68 @@
+let
+  allowedIPs = [ "10.100.0.1/24" ];
+  port = 51820;
+  publicIp = "37.27.207.39";
+in
 {
-  pkgs,
-  config,
-  ...
-}:
-{
-  # enable NAT
-  networking.nat.enable = true;
-  networking.nat.externalInterface = "eth0";
-  networking.nat.internalInterfaces = [ "wg0" ];
-  networking.firewall = {
-    allowedUDPPorts = [ 51820 ];
-  };
+  serverModule =
+    {
+      pkgs,
+      config,
+      ...
+    }:
+    {
+      # enable NAT
+      networking.nat.enable = true;
+      networking.nat.externalInterface = "eth0";
+      networking.nat.internalInterfaces = [ "wg0" ];
+      networking.firewall = {
+        allowedUDPPorts = [ port ];
+      };

-  age.secrets.wg-selene = {
-    file = ../../../keys/wg-selene;
-    owner = "selene";
-  };
-  networking.wireguard.interfaces = {
-    # "wg0" is the network interface name. You can name the interface arbitrarily.
-    wg0 = {
-      # Determines the IP address and subnet of the server's end of the tunnel interface.
-      ips = [ "10.100.0.1/24" ];
+      age.secrets.wg-selene = {
+        file = ../../../keys/wg-selene;
+        owner = "selene";
+      };
+      networking.wireguard.interfaces = {
+        # "wg0" is the network interface name. You can name the interface arbitrarily.
+        wg0 = {
+          # Determines the IP address and subnet of the server's end of the tunnel interface.
+          ips = allowedIPs;

-      # The port that WireGuard listens to. Must be accessible by the client.
-      listenPort = 51820;
+          # The port that WireGuard listens to. Must be accessible by the client.
+          listenPort = port;

-      # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
-      # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
-      # postSetup = ''
-      #   ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
-      # '';
+          # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+          # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+          # postSetup = ''
+          #   ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+          # '';

-      # # This undoes the above command
-      # postShutdown = ''
-      #   ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
-      # '';
+          # # This undoes the above command
+          # postShutdown = ''
+          #   ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+          # '';

-      # Path to the private key file.
-      #
-      # Note: The private key can also be included inline via the privateKey option,
-      # but this makes the private key world-readable; thus, using privateKeyFile is
-      # recommended.
+          # Path to the private key file.
+          #
+          # Note: The private key can also be included inline via the privateKey option,
+          # but this makes the private key world-readable; thus, using privateKeyFile is
+          # recommended.

-      privateKeyFile = config.age.secrets.wg-selene.path;
+          privateKeyFile = config.age.secrets.wg-selene.path;

-      peers = [
-        # List of allowed peers.
-        { # Feel free to give a meaningful name
-          # Public key of the peer (not a file path).
-          publicKey = (builtins.readFile ../../../keys/wg-macbook.pub);
-          # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
-          allowedIPs = [ "10.100.0.2/32" ];
-        }
-      ];
+          peers = [
+            # List of allowed peers.
+            (import ../../systems/macbook/wireguard.nix).peerConfig
+          ];
+        };
+      };
+    };
   };
+
+  infoForClients = {
+    endpoint = "${publicIp}:${builtins.toString port}";
+    allowedIPs = allowedIPs;
+    publicKey = builtins.readFile ../../../keys/wg-selene.pub;
+    persistentKeepalive = 25;
+  };
-}
\ No newline at end of file
+}
diff --git a/systems/macbook/macbook.nix b/systems/macbook/macbook.nix
index 046c0dc..8ce6646 100644
--- a/systems/macbook/macbook.nix
+++ b/systems/macbook/macbook.nix
@@ -12,7 +12,7 @@ nix-darwin.lib.darwinSystem {
     (import ../../modules/usermodules/darwinsettings.nix self)
     home-manager.darwinModules.home-manager
     ./users.nix
-    ./wireguard.nix
+    (import ./wireguard.nix).systemModule
   ];

   specialArgs = {
diff --git a/systems/macbook/wireguard.nix b/systems/macbook/wireguard.nix
index f299683..35e93c8 100644
--- a/systems/macbook/wireguard.nix
+++ b/systems/macbook/wireguard.nix
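Review bot: `owner = "selene"` on the `age.secrets.wg-selene` block hands the tunnel's private key to an unprivileged user, while `networking.wireguard.interfaces` brings the interface up from a root-run systemd unit that reads `privateKeyFile` itself; unless something running as `selene` needs that key, dropping `owner` (agenix's default is root) keeps the WireGuard private key readable by root only. Separately, the `allowedIPs` binding in the new `let` is the server's own interface address (`ips = allowedIPs;`) and is then reused verbatim as the peers' `allowedIPs` in `infoForClients`; a name that says what it is, e.g. `serverIp = "10.100.0.1/24";` with `infoForClients.allowedIPs = [ serverIp ];`, stops the two meanings from being confused when the subnet changes. The `peers` list now imports `systems/macbook/wireguard.nix` for `peerConfig`, and that file imports this one for `infoForClients`; this only works because Nix evaluates lazily and neither side forces the other's module attribute, so any later cross-reference between `serverModule` and `systemModule` would likely end in infinite recursion, which a comment on the import should warn about.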
@@ -1,37 +1,32 @@
-{ config, ... }:
+let
+  ip = "10.100.0.2/32";
+  publicKey = (builtins.readFile ../../keys/wg-macbook.pub);
+in
 {
-  age.secrets.wg-private.file = ../../keys/wg-macbook;
-  networking.wg-quick.interfaces.wg-selene = {
-    privateKeyFile = config.age.secrets.wg-private.path;
+  systemModule = { config, ... }: {
+    age.secrets.wg-private.file = ../../keys/wg-macbook;
+    networking.wg-quick.interfaces.wg-selene = {
+      privateKeyFile = config.age.secrets.wg-private.path;

-    # The internal IP address assigned to this client by the server.
-    # The /24 subnet mask is important for knowing the VPN's local network.
-    address = [ "10.100.0.2/32" ];
+      # The internal IP address assigned to this client by the server.
+      # The /24 subnet mask is important for knowing the VPN's local network.
+      address = [ ip ];

-    # DNS server(s) to use when the tunnel is active.
-    # This is critical for resolving hostnames when all traffic is routed.
-    dns = [
-      "1.1.1.1"
-      "1.0.0.1"
-    ]; # Cloudflare DNS, or use your preferred one like 8.8.8.8
+      # DNS server(s) to use when the tunnel is active.
+      # This is critical for resolving hostnames when all traffic is routed.
+      dns = [
+        "1.1.1.1"
+        "1.0.0.1"
+      ]; # Cloudflare DNS, or use your preferred one like 8.8.8.8

-    peers = [
-      {
-        # Public key of the SERVER.
-        publicKey = builtins.readFile ../../keys/wg-selene.pub;
+      peers = [
+        (import ../../modules/servermodules/wireguard/wireguard-server.nix).infoForClients
+      ];
+    };
+  };

-        # The server's public IP address and listening port.
-        endpoint = "37.27.207.39:51820";
-
-        # This is the most important part for a "VPN" setup.
-        # 0.0.0.0/0 tells your Mac to route all IPv4 traffic through the tunnel.
-        # Add "::/0" if your server and network support IPv6.
-        allowedIPs = [ "10.100.0.1/24" ];
-
-        # Optional but highly recommended for clients behind NAT.
-        # It sends a packet every 25 seconds to keep the connection open.
-        persistentKeepalive = 25;
-      }
-    ];
+  peerConfig = {
+    publicKey = publicKey;
+    allowedIPs = [ip];
   };
 }
diff --git a/systems/selene/system.nix b/systems/selene/system.nix
index e580398..bc87a1b 100644
--- a/systems/selene/system.nix
+++ b/systems/selene/system.nix
@@ -17,7 +17,7 @@ nixpkgs.lib.nixosSystem {
     (import ../../modules/servermodules/nginx.nix "maxiemgeldhof.com")
     ../../modules/servermodules/grafana/grafana.nix
     ../../modules/servermodules/jellyfin/jellyfin.nix
-    ../../modules/servermodules/wireguard/wireguard-server.nix
+    (import ../../modules/servermodules/wireguard/wireguard-server.nix).serverModule
     ./volumes.nix
     agenix.nixosModules.default
   ];
From 564bcc9bb849bb00cd67bd8c310467fd8f4e51c0 Mon Sep 17 00:00:00 2001
From: Maxiem Geldhof
Date: Thu, 23 Oct 2025 15:27:53 +0200
Subject: [PATCH 06/10] Add selene hetzner key

---
 keys/hetzner.priv | Bin 0 -> 962 bytes
 keys/secrets.nix | 1 +
 .../servermodules/wireguard/wireguard-server.nix | 2 +-
 systems/macbook/users.nix | 4 ++++
 systems/selene/users.nix | 6 ++++++
 5 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100644 keys/hetzner.priv
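Review bot: The retained comment `# The /24 subnet mask is important for knowing the VPN's local network.` now contradicts the `ip = "10.100.0.2/32"` binding that `address = [ ip ]` uses; either drop it or say that the client address is a /32 and the route to the tunnel subnet comes from the server's `infoForClients.allowedIPs`. The same `ip` is exported through `peerConfig.allowedIPs` for the server side, so a short comment on the `let` (`# /32 on purpose: both this client's address and the server's allowed-ip for this peer`) would explain why the two views must agree. As a point of style, `peerConfig` can use `inherit publicKey;` and `[ ip ]` to match the bracket spacing used elsewhere in this repository.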
diff --git a/keys/hetzner.priv b/keys/hetzner.priv new file mode 100644 index 0000000000000000000000000000000000000000..ab405cf4decbeebfc44af91d11b927d03f372bc0 GIT binary patch literal 962 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCUlHTMtkO;^Y%H8e|e zFAK`7s5J5O%=LFFN;Qu#(XVthPYjH#Dm2Rp(f9Gs$d2$ycjYQ5j@(VW$ zb4_&gHw+DRPIWIVG4hBsH8Au{ta5iObumaX$w#*>J-9GAyj-Cur#vIH+&LpmKg7i- zG{iJ0I4aS_Am39vH!IuKJJ;JNs3IgsKdRg-%#+KpBqFcOt<=@C&?&hxyvWPLB0bsP zD=pQ+CB(-sz~4B;~I%oW|X9Ji9J+&~2*55ICh-@H-}V`JyiGGqTd3k!ol z!+dT1Aj8aLec$X1*HqU~%M{~sCtoff18sdr?d*cWz$AC4jKI8tvJlJAV&^D>Tu0aN z5=WoPfV4;tZRcXw3JY}GoV|R!0@D@3-9qxS3N4+qL&H-FJ;KV<^D5KyL$cEowR4OE zih`0YLql`?6LTsmLL9k*N>hxA1Kdqg93wq~T#_#|C7hUek&oH6*E)TJ9m8wTP13?((d4)#m%)1eiy6eeBzk-$(`f= zi~SX)4U>6dq7=VQDK8b>o_fc>_p|=4RV@e3J~durboiH+hRLkD&F=Qgrj&1ITrB4I zUSvtr=40;H<@co~$(NVR__?;^%bnCEvN{us_cOU|-fghnulD~}h2!4&&iNNt`F`A- z+R=Dop5U~bC9PU3?=l(2%uvjDXw3Sgz+Lt2bkQG|6soN<51qHlTNnu>6?(?+rCPZtERoJ0~$swDT-0eA9fcZh3Xu`PHkslh=IL zREpEvY4cKJW%Ic}|;Z-t*pWxeV||&zSozkeWJ>9L7^aV6t=Flq(FXynpnUuQ literal 0 HcmV?d00001 diff --git a/keys/secrets.nix b/keys/secrets.nix index 3434403..a33444d 100644 --- a/keys/secrets.nix +++ b/keys/secrets.nix @@ -10,4 +10,5 @@ in "master.priv".publicKeys = macbook ++ master; "wg-selene".publicKeys = macbook ++ selene ++ master; "wg-macbook".publicKeys = macbook ++ master; + "hetzner.priv".publicKeys = macbook ++ selene ++ master; } \ No newline at end of file diff --git a/modules/servermodules/wireguard/wireguard-server.nix b/modules/servermodules/wireguard/wireguard-server.nix index 797f9b0..96cbfb4 100644 --- a/modules/servermodules/wireguard/wireguard-server.nix +++ b/modules/servermodules/wireguard/wireguard-server.nix @@ -53,7 +53,7 @@ in peers = [ # List of allowed peers. - (import ../../systems/macbook/wireguard.nix).peerConfig + (import ../../../systems/macbook/wireguard.nix).peerConfig ]; }; }; diff --git a/systems/macbook/users.nix b/systems/macbook/users.nix index df3810e..038f488 100644 
--- a/systems/macbook/users.nix
+++ b/systems/macbook/users.nix
@@ -13,6 +13,10 @@ let
     programs.zsh = (import ../../modules/usermodules/zsh.nix).programs.zsh;
     programs.git = (import ../../modules/usermodules/git.nix).programs.git;
+
+    programs.ssh.matchBlocks.ren = {
+
+    };
   };
 in
 {
diff --git a/systems/selene/users.nix b/systems/selene/users.nix
index 224c175..7bf2c37 100644
--- a/systems/selene/users.nix
+++ b/systems/selene/users.nix
@@ -14,4 +14,10 @@
       "networkmanager"
     ];
   };
+
+  age.secrets.hetzner-key = {
+    file = ../../keys/hetzner.priv;
+    owner = "selene";
+  };
+
 }
From 48143906d5122cba5cb4659794942e8e9dfffb34 Mon Sep 17 00:00:00 2001
From: Maxiem Geldhof
Date: Thu, 23 Oct 2025 15:59:40 +0200
Subject: [PATCH 07/10] Add ren wg

---
 keys/secrets.nix | 1 +
 keys/wg-ren | 9 +++++++++
 keys/wg-ren.pub | 1 +
 modules/servermodules/wireguard/wireguard-server.nix | 4 ++++
 4 files changed, 15 insertions(+)
 create mode 100644 keys/wg-ren
 create mode 100644 keys/wg-ren.pub

diff --git a/keys/secrets.nix b/keys/secrets.nix
index a33444d..c5712f9 100644
--- a/keys/secrets.nix
+++ b/keys/secrets.nix
@@ -11,4 +11,5 @@ in
   "wg-selene".publicKeys = macbook ++ selene ++ master;
   "wg-macbook".publicKeys = macbook ++ master;
   "hetzner.priv".publicKeys = macbook ++ selene ++ master;
+  "wg-ren".publicKeys = macbook++master;
 }
\ No newline at end of file
diff --git a/keys/wg-ren b/keys/wg-ren
new file mode 100644
index 0000000..0b802c5
--- /dev/null
+++ b/keys/wg-ren
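Review bot: `programs.ssh.matchBlocks.ren = { };` in systems/macbook/users.nix is an empty block, so the generated ssh config gets a `Host ren` stanza that sets nothing; it is presumably a placeholder for the `ren` host introduced in a later commit of this series, but as committed it only adds noise. Either fill it in (`hostname`, `user` and `identityFile` for the key that host accepts) or leave it out until the host exists. The let-binding this sits in starts before the hunk.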
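Review bot: `"wg-ren".publicKeys = macbook++master;` in keys/secrets.nix departs from the `a ++ b` spacing every other entry in the file uses; `"wg-ren".publicKeys = macbook ++ master;` keeps the file uniform. More importantly, the recipients are only the editing keys: whichever host is meant to bring this WireGuard key up at activation also needs its own key in the list, the way `wg-selene` includes `selene`, or agenix on that host cannot decrypt it. At this commit no `ren` host key exists yet, so this may be deliberate for now, but a `# TODO: add the ren host key once it exists` comment would keep it from being forgotten.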
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 M7OTMg Hkh55d8H9zcKmJdDIU1B5MAwd/5SO3t82kXwz6HhTCM +ezDoDh7C8lp3EplRKMELvFgB7boUcDqy5ZL9YZ4Sbfk +-> ssh-ed25519 CJLJQg VWtzsyADFT/AdqigUILj5IJiZATIiuLF6/aSp5vqyyI +hA5J4cRSCKMANvlxSw1gvHSeOz1fr98PKZmLbT19Bks +--- 9VDB4Q2hkMFs1n5wwUDgLhKoBETEerbyJvlilu9VeTU +dYWL.Xms% +0 8@ +6NjÙiύ]ujԻs' Date: Fri, 31 Oct 2025 16:29:03 +0100 Subject: [PATCH 08/10] Replace ren --- flake.nix | 3 +++ keys/wg-ren | 9 --------- keys/wg-ren.pub | 1 - systems/ren/hardware.nix | 14 ++++++++++++++ systems/ren/system.nix | 31 +++++++++++++++++++++++++++++++ systems/ren/users.nix | 26 ++++++++++++++++++++++++++ 6 files changed, 74 insertions(+), 10 deletions(-) delete mode 100644 keys/wg-ren delete mode 100644 keys/wg-ren.pub create mode 100644 systems/ren/hardware.nix create mode 100644 systems/ren/system.nix create mode 100644 systems/ren/users.nix diff --git a/flake.nix b/flake.nix index 013a23e..1667b77 100644 --- a/flake.nix +++ b/flake.nix @@ -26,11 +26,14 @@ macbook = import ./systems/macbook/macbook.nix inputs; selene = import ./systems/selene/system.nix inputs; + + ren = import ./systems/ren/system.nix inputs; in { # Build darwin flake using: # $ darwin-rebuild build --flake .#Maxiems-MacBook-Pro darwinConfigurations."Maxiems-MacBook-Pro" = macbook; nixosConfigurations.selene = selene; + nixosConfigurations.ren = ren; }; } diff --git a/keys/wg-ren b/keys/wg-ren deleted file mode 100644 index 0b802c5..0000000 --- a/keys/wg-ren +++ /dev/null 
@@ -1,9 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 M7OTMg Hkh55d8H9zcKmJdDIU1B5MAwd/5SO3t82kXwz6HhTCM -ezDoDh7C8lp3EplRKMELvFgB7boUcDqy5ZL9YZ4Sbfk --> ssh-ed25519 CJLJQg VWtzsyADFT/AdqigUILj5IJiZATIiuLF6/aSp5vqyyI -hA5J4cRSCKMANvlxSw1gvHSeOz1fr98PKZmLbT19Bks ---- 9VDB4Q2hkMFs1n5wwUDgLhKoBETEerbyJvlilu9VeTU -dYWL.Xms% -0 8@ -6NjÙiύ]ujԻs' Date: Fri, 31 Oct 2025 16:45:14 +0100 Subject: [PATCH 09/10] Ren key --- keys/hetzner.priv | Bin 962 -> 1073 bytes keys/macbook.priv | Bin 742 -> 742 bytes keys/master.priv | Bin 742 -> 742 bytes keys/ren.priv | Bin 0 -> 722 bytes keys/ren.pub | 1 + keys/secrets.nix | 4 +++- keys/wg-macbook | 13 +++++++------ keys/wg-ren | 7 +++++++ keys/wg-ren.pub | 1 + keys/wg-selene | Bin 587 -> 587 bytes systems/ren/hardware.nix | 22 +++++++++++++++++++--- systems/ren/system.nix | 6 ++++++ systems/ren/users.nix | 6 ++++-- 13 files changed, 48 insertions(+), 12 deletions(-) create mode 100644 keys/ren.priv create mode 100644 keys/ren.pub create mode 100644 keys/wg-ren create mode 100644 keys/wg-ren.pub 
diff --git a/keys/hetzner.priv b/keys/hetzner.priv index ab405cf4decbeebfc44af91d11b927d03f372bc0..3d9659c80256be0613768195e6213819013fcce9 100644 GIT binary patch delta 1005 zcmX@azL8^sPQ8g~d9F#WLAa|=s&`&#u$MtlnQvi0vZZBMfq7b@S8joKm5a7lq`tmW zK39ONt8Z3VrDuebwn2qudWNxazH?bfepO!b4hkYs=juhzH4!CkfDC2NorM9dPKg- z#E;_P;en2s=KckRS!uzBrlE$Zp;cZHnI74tk!eMNVXgs*;Ze!XzLsU_7LKl5hN%U9 z`pJ?00p)>3MeY?*E@6>DzS(}MnT3v_+Rkoye!+f@5x!1=;SmOt;~B;4%|i+UvkJAN zv@6|=Dt+DZ{3DC=oXedH{7ozz!?lefi=xt!EsQbeSCa;N+Y#h($iBy)BGaLDtrylL#d!F!Z4{^!O|$H$~~o6-^ao*s<@z{ z)U-azM>{m4Jg3mFEW4mGpwc@mDBHrwFgwpFkgGf;x!5=}G0`{5tHP%|y)rk?)F)Uw z*~`e-&7#7~FvmDIz%iuQ$kNr_l}lGwS0N(YKOi*F%%?IuCDOS#E6K3f+$*cd)Y7XW zEzKv>&)2-Du*5q!%h@6=nQLNhHP<(#UA*^gDO2?XjHn zu=ZfZ+&g?~cMi_EdHP9QnG?6%nKx&@uJvl$UM}`)<6gg@{uG|D>B}D$bj}XyNdB?M zhEr=skmbK*x#gc$bzSk+E~?AhTqRI^YJb-Lq#rlgVkWeI(qHfXLdfu$&8jn(k6*s( z7IM>HWk)@O<5u$%7o1M~*)G0+d*5uufFnm%vtHToxc%+5@73$#O_NwBo3owCe4|d&QOe`PEjh`RrX|U@X?uR9A7rVAYpK z9ph!&uFVv^sqXH^eWYOJm+xDTS<4@ouv$#$*PR1PnC!PKsj3gVrqQ`$`MwkV&Jnw2 zot^Pkc+I`&7aA|`rCUrAT)Fck@5{wzSN~0E`0UDc@=1t&_^#5(z$2ehb zR7T8p-?Fp+j8mBBtdP6*&~HW5|FCt_Qv7om*m?i+-Tk~b@qzExY0CF3ruGW$_;UaG z)zyE*`gb_ZIxJ~CJdfuUz&mAhl9i$Rh}K9{bYLUD11 zZfc5=si~o*LV9pva(KByQBHYAXt{Gnn0|{uwySrpw^2|< zNREC~xmTDcmt#ppUYT2|t7oB8a%Fgtmxo1qvcFeas)b94k6(blaf)|vl}lBXv4@%K z#E;_PMjn3Ue!h979>&JbrDewcc@`E1frk0o`ay=7$@;$88Lp|Wp_VDeupy9@@^ut`!!O;~B;4!`(vivkEPp zv_r#F3O&Ng)AK6R^h2`K6SZ@U1B!x@Eki?d{1bC3DncB&f=W}2iUZtDQXC^af?Sd^ zT}v}70t1tZ151lD4E@~7GQuLm^z#gpgR(ujbaizVoE)Pvb3#%hGhNcWii4smz0!O= zv>n|F6D`66QqvQI(hREVOPqr%a?MRFxQr(=w2H5ceK7x%$HIOqA)6I5Q`S3oeF|G8 zYPQnu;GxCMwGDn3tLA*-nEA<_+I?$_n_r6$Rjm(2LNw&cs5)Ft(@Iuncc zGr4WvZLr?2_WxIf;Ix}1ty(MZG8x9qP|SE}%=)CjUG?pB z(I1x-s;x2)owv$c8l;_m6k~ zCoxU5^DHZT(|oROd3DGhs*ls#Y4cKJW%Ic}|;Z-t*pWxeV< zQuoG^b+e45b5`-QK)DmMezA3aiBrEdllMY_xZmgYtNEXWe>||&zSozkeWJ>9L7^a< ziu8YZsq0ERx0*ekpVr=J@i@GV_u%v?38v9=Jq27la^v?sI`}7N_XBC$syYKPt{F$I zpUnu+JIOxpVPfqM*^KJy_^C?Egpa;8dMKeO`%AoE=UN(z=9AS2wudkFS=7}2(BtlF 
n6-R*>M(^cWH6}q<=W_=rq~+C^gst_s{%^LSldadOuh9nqS%_-$ diff --git a/keys/macbook.priv b/keys/macbook.priv index 2584bafcffa1884a5dfed494efc38dce37ae19b6..c3935a505f4fe3c75ac3d6c786c47c072bebf3f1 100644 GIT binary patch delta 710 zcmaFH`iymgPJN+yv7d*RiI=%|k+FWHMMY+klUHU`p{1!wWLlPQUSdRnSwW>~ReEJ; zC|6~%Wtx+vlb4fIR#rtxR%)VKMR0&|sCJTRkzr&}nRmE(VR^onk-2A)Czr0BLUD11 zZfc5=si~o*g0q*8S75qAuA!-+cA$}SWl~tOlVN#*WqnSfTe7derFU*py1tQbUS_D7 zv5RY2u&Y}rSD|sDaiu|6xuao*cSxXlW`1N;p0{~;Qj)K`wv%yCv0FCzC#IHUXDayM0c1+k&bill=cr zzEqp`qj_zzz3YiN|2?^)5;hB@w0d&v-SY6?$|awUO|F-qjHdbR)7E_aQTa}JR=9xMM_BRP3#>B^=jERtd;YF7g+_gJMCSuoV zi~k~XejI+*ZuL=Uo8&91XHR-27acrOypG9BM@9Fm{iONz zrT6}Y7cR)qx0JiKqHodxt34rAFF%|Rnd)0-bLC>Lv9m;LeYPTp<<6Ke6@{m@Ydn*r Q?p|N`cHN?qr6+Cx07UCKg#Z8m delta 710 zcmaFH`iymgPQ78SNtu2`Zn?IfrFKDBQAvr9yPs7xzq?0XMv1Rqm0?wqX--CEWLj8mPGo_(FPE;JLUD11 zZfc5=si~o*g0q*8S75q=c~y9LeqO$tcd1WcxL2ZURK0s;aglpyR&se&UPMMwQb}Gx zWI(7-R(^Ogmv2Fik7G($QhH>FtEFXuXNFs%uX~=qwvSn!eua-gc6vx+Sh9(ik)L-U zm#(g^LRMrznqPXMWvP?DsX)W~6JHNoA&cWu;|+v!i}KmoeLR zxtGU!ztqoq(sO>A(GR;@(UrHg_Z)L+_` z!Jl=mF#-=|&P`feW6Ljpx~y4bdVcK!=A5*y6BFMYxKR?lxc++j#5Z;_)+xz`6L@Xh zpMTre5c+o4@ol9GEi)>nf4k)~Pw^|u;V{gQol`nY!Xme6X zwUN2PURF)7T}!`BDOpp0{Dews*`jO0&si**XTG`YKKt&HXFs2;sVa>!Dabu+e{H6Z zZKi8hUg`Yl9x?j)ukX(Kb#h7k>q~d!f2MXQeDzP-+`4K_XRlzdz{SrBQ3kEEm;Wlt PR*HWVbNF@R4TswRRf|B% 
diff --git a/keys/master.priv b/keys/master.priv index 4c8e0ece083fa239e83daca24d47cccd4a58ace8..d2ffd90f0eaff661fe5b956ef04d42aa52c7b4ff 100644 GIT binary patch delta 710 zcmaFH`iymgPQ7DDNkF=*OR{H(bCGdqNP$PTUzlm2Q(lR7n7ekAi%E{TZ=P9}nX$HO zI#+Q)VPu}WZ;nBPS5|>;QfF-Av2RE3kKhr&af-#op7}1RM$UQTqPefUd|2K zo><#&IGHt3b?QBfOin8U)~9RtoIlzl6!3JnS^3;6H_x4OGLG3~^{V0Y)<;hr3_NW2 zgn#-wyJO2-_4xSu(|^)aPRx*+_@uXygdj2vjsOk delta 710 zcmaFH`iymgPQ9^Tv6Degu&0N2PF6vFYGt91yGf?GaZ*KjZf=2_ewA~0Zizu&UU`+f z0atcO@eh`vQ-wz)w{g_lpUw|`h#j(=)WsIhaE374*&LUD11 zZfc5=si~o*g0q*8S75q=d8Vm3!`quRQJ1om9 zWW07Abjni~V(pgaHhsT7XMxm3oi3{_UE5hJ3O**!v3qmWX`Wy6<@ehhf^%8+$F8?4 zyZoRkROMBsyO;W7ra8A9798<9dvgCIg^Q27{_I(?o3(dBP<=2n)9?C*E$8L`UX0P0 zyen~gFPFbw;?||nd$%t;npkw2g>k#UkG8d!)s}j$oslOcz*6kQY9w|@?>g@@j) zSJ`0m=akfP1>2+H2e#E3)w2`^mPEz=ns$E2!o@FcUZ1`4#X;4nS6w!q&nseRjX9A& zd(uPqyh3;Dzri1@j@m6!XNsNc!?or}(cV8ht4%D8ExwB#_;_vR;(alZ4>=f?Hq?IN zE=sXtsGF^>^|&nJh~&5Q`6vC2Ul%b|{qDYdDoZj$e)^2>$II>3Zpd32bfS8#{SAqw zPJ+whLzKA;#Oh{q30#XzZvD&f*X~_N#j}uaC-<3`n3evKZl9#NbVX@VUGq zN)0v4@C`F4DNCyKN-wa`F3K%;^)@buNG?q@_ANFuaSaJ6x8N$tcXBnzHqVTTEK98_ zD);ks4G3^6@=h+PaP%;-D2((8&B=>!$?z?=EJwGkpe({Lsa(OL$SupwLOa>e#k|BM zvb54C-77T9%hWP3GTp1JAT=V0 zuqq(Hv^*>-+1#bDFw!g}v^d+*C6G&3S63mu(8xG6vBWjW%{|q?x6r)E#VaDn#n<0I z!p$TvB~Uv!-@qg|+c6|BH<_#7%HFjvHHwG-pV|KFanC2uFyg-^rs&PQx+Qa4(7gp8 z<=ZOvv$6~AX7H(*7nFW#*DsBCttQc2#Q`hbmrwfG;_kC;+HRYTZJe5X=cL=7s-BhY zdbf)0mC|RGU2ERFeW>G-#jp7Cz}&A@{k+eu1rCKy)SLf9%KGDhjk%&`OkA4YC92Q6 zCtuC3y^wfcl&LCQfVnL$D>&@MgqaJSIDbC5Jda_j?%EaA3va)C=Kst__@1PgdAbgcR1SJ|pN^{{dKvBb^0?{26{b?~xUwCMEdJI*S- zsTW-g?G^++EC1E`HQ|(aTV2e$@P9|^p;fH;cVsyc9ZSx**E)(BI>O&P85V6cpYUbv(jUu1_b?Q!+pR literal 0 HcmV?d00001 diff --git a/keys/ren.pub b/keys/ren.pub new file mode 100644 index 0000000..3454ee9 --- /dev/null +++ b/keys/ren.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIM1gLSFZSVq+5s58+pymRJY+QOWHm6SZvvhY93YDm5k ren@me.com diff --git a/keys/secrets.nix b/keys/secrets.nix index c5712f9..c1ba64d 100644 --- a/keys/secrets.nix 
+++ b/keys/secrets.nix @@ -2,6 +2,7 @@ let selene = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBEiuoUbvgZ2N03MTcWw4z+oUB9SG0jR0fy5AnTTBHym" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKcfmaqbtwSEydV2hge/aDWxfwlKOw/JJZZWy8ycjojH" ]; macbook = [ (builtins.readFile ./macbook.pub) ]; master = [ (builtins.readFile ./master.pub) ]; + ren = [ (builtins.readFile ./ren.pub) ]; in { "jellyfin-key".publicKeys = selene; @@ -10,6 +11,7 @@ in "master.priv".publicKeys = macbook ++ master; "wg-selene".publicKeys = macbook ++ selene ++ master; "wg-macbook".publicKeys = macbook ++ master; - "hetzner.priv".publicKeys = macbook ++ selene ++ master; + "hetzner.priv".publicKeys = macbook ++ selene ++ master ++ ren; "wg-ren".publicKeys = macbook++master; + "ren.priv".publicKeys = master ++ ren; } \ No newline at end of file diff --git a/keys/wg-macbook b/keys/wg-macbook index 1342b37..d4487b3 100644 --- a/keys/wg-macbook +++ b/keys/wg-macbook @@ -1,7 +1,8 @@ age-encryption.org/v1 --> ssh-ed25519 M7OTMg PyrVB10SxQZdhrwusKh+m6944Nj5vqBL6qGum8qK4Qg -huIr2n2ciTqu11o6ApcCoVMstQ9b3XoRfgAtU79wdnY --> ssh-ed25519 CJLJQg 2O7UQVLdlMJZzt5TOo5EYpfWjKAnNLJ6OQY+xRTp2go -TonYGAfBSeUpSHl+jHSG2qO9kWseAxfog1oWeGFWc5s ---- Hh8KEiQFjdy2xYqcBX4L6XSp4GPpO29tSPrfpnZlv5o -?$JΦ^woNv*#4+=[ltQF6-wiy. ڢ8iҞ'.H,a \ No newline at end of file +-> ssh-ed25519 M7OTMg f7fgG3DiQpjnDRSEUjSinuqgLATaK7QRN59bSimH1EU +9sKf6eQVwqVBrB553zCHwFs0uyQGRpIJkBZ0AyXPFC4 +-> ssh-ed25519 CJLJQg +b+cRU3irwvMnqVBWBIV4GoRyEy+Lg3LHUxZ/httTDo +uBlqCHMXyf1Um+W6y1Bh9pY0osqdeTgFQGuR6eSHQP4 +--- Ft1Ii2eVy0h8X6h7ABOW6ryT4ctxg9jS8utA7s52bBA +z0yWϥ4Ͱ^| +MuRtLA:*Ȃh2Sζk咬F& m1y \ No newline at end of file diff --git a/keys/wg-ren b/keys/wg-ren new file mode 100644 index 0000000..858a6a6 --- /dev/null +++ b/keys/wg-ren 
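Review bot: `ren` is added as a recipient of `hetzner.priv` and `ren.priv` in this hunk, but the context line `"wg-ren".publicKeys = macbook++master;` is left unchanged, and the re-encrypted `keys/wg-ren` in the same commit still shows only two recipient stanzas; if the `ren` host is meant to use that WireGuard key, agenix on `ren` cannot decrypt it at activation. `"wg-ren".publicKeys = macbook ++ master ++ ren;` followed by an agenix rekey would close that gap, assuming `wg-ren` is for the ren host. The diff also rewrites `keys/macbook.priv` and `keys/master.priv` at unchanged size without touching their recipient lists, which looks like a rekey side effect worth confirming before merge.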
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 M7OTMg QdJds7EpXMyyO9aKmqQg3HWmY6RQbzkQxRQw+K9fn14 +/SlvfJAOmCqYvIOZm/ZSynAIWSC+2dAvPpa+5Me6I8k +-> ssh-ed25519 CJLJQg MqNRTuwFcRdZ5VFbcgXQwjRxMAHLJEdUKLuXFPtkRVc +qRaaJzGRPiW2doetErhhUKwUXitvsQ5CGl2QzGK44Ss +--- fCQGYqP7qr+S1tzDeyce5Bn4iWsXq+kIe/ojPNj0LVA +4Zi"՞3W+i98ߞ=unBy]@[X[] XÛ5̜zl@ \ No newline at end of file diff --git a/keys/wg-ren.pub b/keys/wg-ren.pub new file mode 100644 index 0000000..c183803 --- /dev/null +++ b/keys/wg-ren.pub @@ -0,0 +1 @@ +wvTFERFXOPcgziLtLtfF3LGv5zmBWikCy/yLRwSuxWA= diff --git a/keys/wg-selene b/keys/wg-selene index 908d72404ae9e93006a171a073c1b657842b762d..9c5a20016b9ae7f4d61fd92c8d8367713a2e083f 100644 GIT binary patch delta 515 zcmX@ja++m=PJMcoZ$V*IVu*gSfnQj#c~GQ5ny;6mp^0H>c3OF4Rz$G3ah7wgZ>D!n zC|6KnvP)1|N=c}ZUqp$KU%6wXS&B!JSy^6An30o(fu*T`V7_5kc1dDBSD}qeZxeiWhNjlp7=-*xY^_;9h!5^p15%k&M;qhpt z=Rc3Gb9>$!wlWGneH6lQFH<)9qOI6Ep0}UbbIoXohcgRgS4wMv-Y^kau9JZ$+iM z0aunquwjTvl$S|SfU}cfhEJrEL4-?DU}8b8OR7_1ScZq2VQPADa)58JCzr0BLUD11 zZfc5=si~o*LV9pva(KByRfJoTQK-9akRi<%;msvq@ zMrwFcvbTpTmqBrsd182=Yp7*nUQtP&Wu9NMwtG~VenxIohI@vSS7xM1mA0i(U~Y!% z#E;_PZib;nUX^LS`97&e;ei?HMunx>Im!CD2BBtYF8LlQp&m(=Y2M{YzK+>k0fiai z-WEv~VF6`%<&pknX89KB8JQX3CQgw?>6H=TS*c<9PEN*Ng@(zK;~B;4{X9)G^9u7) z%}sJWGQz4dQ(cnEJyMM_i_DYsO}$DB!V0{MQaw^LB0Y+^^0JfN3=Av^{M^j7P0hVc zQk(;QixMltl0(CT-NFKmEqu$pExiIlqbv=$baizV!t)KnO$;N_jk3(LbIcM;imH-I zT#fS6^Nn*O4Yi9y3ezgX%EGfli$hZ#xfJ%^zU-Qww$NSu>ylX9>-1^V)qhU*^ZAn+>t!GBk H-tUb8xYN9d diff --git a/systems/ren/hardware.nix b/systems/ren/hardware.nix index 496c286..2f48c31 100644 --- a/systems/ren/hardware.nix +++ b/systems/ren/hardware.nix 
@@ -6,9 +6,25 @@
 efiInstallAsRemovable = true;
 device = "nodev";
 };
- fileSystems."/boot" = { device = "/dev/disk/by-uuid/0683-2D32"; fsType = "vfat"; };
- boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/0683-2D32";
+ fsType = "vfat";
+ };
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "xen_blkfront"
+ "vmw_pvscsi"
+ ];
 boot.initrd.kernelModules = [ "nvme" ];
- fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+ fileSystems."/" = {
+ device = "/dev/sda1";
+ fsType = "ext4";
+ };
 system.stateVersion = "23.11";
+ nix.settings.experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+
 }
diff --git a/systems/ren/system.nix b/systems/ren/system.nix
index 2eea905..d78fa0d 100644
--- a/systems/ren/system.nix
+++ b/systems/ren/system.nix
@@ -23,6 +23,12 @@ nixpkgs.lib.nixosSystem {
 networking.hostName = "Ren";
 networking.domain = "";
 services.openssh.enable = true;
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 22
+ ];
+ };
 }
 ./users.nix
 ./hardware.nix
diff --git a/systems/ren/users.nix b/systems/ren/users.nix
index 4487e23..cb5485d 100644
--- a/systems/ren/users.nix
+++ b/systems/ren/users.nix
@@ -21,6 +21,8 @@
 };
 users.users.root.openssh.authorizedKeys.keys = [
- (builtins.readFile ../../keys/hetzner.pub)
- ];
+ (builtins.readFile ../../keys/hetzner.pub)
+ ];
+ age.identityPaths = [ "/home/ren/.ssh/id_ed25519" ];
+
 }
From 8e42f81a191c7914c93bd76d7774a386884be70b Mon Sep 17 00:00:00 2001
From: Maxiem Geldhof
Date: Fri, 31 Oct 2025 17:23:17 +0100
Subject: [PATCH 10/10] Add forgejo
---
 modules/servermodules/forgejo/forgejo.nix | 36 +++++++++
 modules/servermodules/nginx.nix | 91 ++++++++++++++---------
 systems/selene/system.nix | 11 ++-
 3 files changed, 102 insertions(+), 36 deletions(-)
 create mode 100644 modules/servermodules/forgejo/forgejo.nix
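Review bot: `nix.settings.experimental-features` is a nix-daemon setting with no hardware dependency, so it reads out of place in hardware.nix between file systems and initrd modules; `systems/ren/system.nix` (touched in the same series) is where a reader would look for it. While `fileSystems."/"` is being reformatted, note that it still points at `/dev/sda1` whereas `/boot` already uses `/dev/disk/by-uuid/…`; with `xen_blkfront` and `vmw_pvscsi` in the initrd this is a VM, where the device name can change across hypervisor or kernel updates, so `device = "/dev/disk/by-uuid/<root-uuid>";` is the safer form. The enclosing attribute set starts before the hunk.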
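Review bot: The new `networking.firewall` block duplicates what `services.openssh.enable = true` already does — the NixOS firewall is on by default and `services.openssh.openFirewall` (default true) opens port 22 — so `allowedTCPPorts = [ 22 ]` is a second source of truth that will drift if the SSH port is ever changed. What this hunk does not do is harden the daemon that now fronts a root authorized key (users.nix): NixOS leaves `PasswordAuthentication` enabled by default, so I would add `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` next to `services.openssh.enable`. If ren is meant to terminate WireGuard (a `wg-ren` secret is added in this series), its UDP listen port would also need an `allowedUDPPorts` entry — confirm against this host's wireguard module. The `modules` list continues outside the hunk.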
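Review bot: `age.identityPaths = [ "/home/ren/.ssh/id_ed25519" ]` makes a user-owned key in a home directory the decryption identity for every secret addressed to ren (`hetzner.priv` and `ren.priv` per keys/secrets.nix), so anything running as the `ren` user can decrypt the world-readable store copies of those secrets, and activation now depends on `/home` being mounted and that file existing before agenix runs at boot. agenix's default identity is the host key `/etc/ssh/ssh_host_ed25519_key`, which is root-only and present before any user data; I would use `age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];` and make `keys/ren.pub` the host's public key instead, then rekey. The root `authorizedKeys` entry is only re-indented here, but since the matching private key is distributed to other hosts, a comment explaining why root login (rather than a sudo-capable user) is required would help the next reviewer.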
diff --git a/modules/servermodules/forgejo/forgejo.nix b/modules/servermodules/forgejo/forgejo.nix
new file mode 100644
index 0000000..e82db47
--- /dev/null
+++ b/modules/servermodules/forgejo/forgejo.nix
@@ -0,0 +1,36 @@
+{
+ lib,
+ pkgs,
+ config,
+ ...
+}:
+let
+ cfg = config.services.forgejo;
+ srv = cfg.settings.server;
+in
+{
+ services.forgejo = {
+ enable = true;
+ database.type = "postgres";
+ # Enable support for Git Large File Storage
+ lfs.enable = true;
+ settings = {
+ server = {
+ DOMAIN = "git.maxiemgeldhof.com";
+ # You need to specify this to remove the port from URLs in the web UI.
+ ROOT_URL = "https://${srv.DOMAIN}/";
+ HTTP_PORT = 3028;
+ };
+ # You can temporarily allow registration to create an admin user.
+ service.DISABLE_REGISTRATION = true;
+ # Add support for actions, based on act: https://github.com/nektos/act
+ actions = {
+ ENABLED = false;
+ };
+
+ metrics = {
+ ENABLED = true;
+ };
+ };
+ };
+}
diff --git a/modules/servermodules/nginx.nix b/modules/servermodules/nginx.nix
index cde8030..4cd70b6 100644
--- a/modules/servermodules/nginx.nix
+++ b/modules/servermodules/nginx.nix
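Review bot: `metrics.ENABLED = true` exposes an unauthenticated `/metrics` on the Forgejo listener itself, and the only IP allowlist lives in nginx; nothing in this file pins the listener to loopback, so whether `:3028` (and its metrics) is reachable on selene's other interfaces depends on the NixOS module's default `HTTP_ADDR`, which to my knowledge is `0.0.0.0`. Make it explicit to match the proxy target with `HTTP_ADDR = "127.0.0.1";` next to `HTTP_PORT = 3028;`, and consider setting `metrics.TOKEN` through the module's `secrets` option (an agenix-managed file) so the scrape endpoint needs a bearer token even from allowlisted networks. `lib` and `pkgs` are bound in the module arguments but never used. The `DOMAIN` literal also duplicates the `git.${rootdomain}` vhost name in nginx.nix; taking `rootdomain` as an argument the way nginx.nix does keeps the two from drifting.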
@@ -1,39 +1,37 @@
-rootdomain:
-{
+rootdomain: {
 systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/logs/nginx" ];
 services.nginx.enable = true;
 services.nginx.commonHttpConfig = ''
- log_format myformat '$remote_addr - $remote_user [$time_local] '
- '$host "$request" $status $body_bytes_sent '
- '"$http_referer" "$http_user_agent"';
- '';
+ log_format myformat '$remote_addr - $remote_user [$time_local] '
+ '$host "$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent"';
+ '';
 services.nginx.virtualHosts."default" = {
- enableACME = false;
- rejectSSL = true;
- default = true;
+ enableACME = false;
+ rejectSSL = true;
+ default = true;
- locations."/" = {
- return = 404;
- };
- extraConfig = ''
- access_log /logs/nginx/nginx-access.log myformat;
- '';
+ locations."/" = {
+ return = 404;
+ };
+ extraConfig = ''
+ access_log /logs/nginx/nginx-access.log myformat;
+ '';
 };
-
 services.nginx.virtualHosts."grafana.${rootdomain}" = {
- enableACME = true;
- forceSSL = true;
+ enableACME = true;
+ forceSSL = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:3000";
- proxyWebsockets = true;
- recommendedProxySettings = true;
- };
- extraConfig = ''
- access_log /logs/nginx/nginx-access.log myformat;
- '';
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:3000";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ };
+ extraConfig = ''
+ access_log /logs/nginx/nginx-access.log myformat;
+ '';
 };
 services.nginx.virtualHosts."jellyfin.${rootdomain}" = {
@@ -50,11 +48,11 @@ rootdomain:
 proxyPass = "http://127.0.0.1:8096/metrics";
 recommendedProxySettings = true;
 extraConfig = ''
- allow 127.0.0.1;
- allow 192.168.0.0/16;
- allow 10.0.0.0/8;
- allow 172.16.0.0/12;
- deny all;
+ allow 127.0.0.1;
+ allow 192.168.0.0/16;
+ allow 10.0.0.0/8;
+ allow 172.16.0.0/12;
+ deny all;
 '';
 };
@@ -68,9 +66,34 @@ rootdomain:
 defaults.email = "admin@${rootdomain}";
 };
+ services.nginx.virtualHosts."git.${rootdomain}" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:3028";
+ recommendedProxySettings = true;
+ };
+
+ locations."/metrics" = {
+ proxyPass = "http://127.0.0.1:3028/metrics";
+ recommendedProxySettings = true;
+ extraConfig = ''
+ allow 127.0.0.1;
+ allow 192.168.0.0/16;
+ allow 10.0.0.0/8;
+ allow 172.16.0.0/12;
+ deny all;
+ '';
+ };
+
+ extraConfig = ''
+ access_log /logs/nginx/nginx-access.log myformat;
+ '';
+ };
+
 systemd.tmpfiles.rules = [
- # Type Path Mode User Group Age Argument
- "d /logs/nginx 0755 nginx nginx - -"
+ # Type Path Mode User Group Age Argument
+ "d /logs/nginx 0755 nginx nginx - -"
 ];
 }
-
diff --git a/systems/selene/system.nix b/systems/selene/system.nix
index bc87a1b..a48777f 100644
--- a/systems/selene/system.nix
+++ b/systems/selene/system.nix
@@ -1,5 +1,11 @@
-{ agenix, jellyfin-exporter, nixpkgs, self, ... }:
-let
+{
+ agenix,
+ jellyfin-exporter,
+ nixpkgs,
+ self,
+ ...
+}:
+let
 system = "aarch64-linux";
 in
 nixpkgs.lib.nixosSystem {
@@ -19,6 +25,7 @@ nixpkgs.lib.nixosSystem {
 ../../modules/servermodules/jellyfin/jellyfin.nix
 (import ../../modules/servermodules/wireguard/wireguard-server.nix).serverModule
 ./volumes.nix
+ ../../modules/servermodules/forgejo/forgejo.nix
 agenix.nixosModules.default
 ];
 }
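Review bot: The new `git.${rootdomain}` vhost fronts a Forgejo with `lfs.enable = true` but leaves nginx's `client_max_body_size` at its 1m default, so any LFS upload or git push larger than that is rejected at the proxy with 413 before Forgejo sees it; add `client_max_body_size 512M;` (sized to your largest expected push) to the vhost's `extraConfig`. The `/metrics` allowlist trusts all of RFC1918, which on selene likely includes the WireGuard peers it serves (`wireguard-server.nix` is imported in systems/selene/system.nix), so every VPN client can scrape; if only the Prometheus host should, allow that one address. The re-indented tmpfiles rule also keeps `/logs/nginx` at `0755`, leaving access logs with client IPs and request URLs readable by every local user; `"d /logs/nginx 0750 nginx nginx - -"` is enough for nginx and root.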