Compare commits
6 commits
Author | SHA1 | Date | |
---|---|---|---|
7a41763873 | |||
e23db8a0b4 | |||
fee7a194db | |||
efd0790d4f | |||
22d7c181e3 | |||
2a44e5c81e |
12 changed files with 196 additions and 19 deletions
|
@ -11,6 +11,7 @@ keys:
|
||||||
- &immich age1afyntwvj672lcq2e4dpxmw3syplzurnnd8q8j3265843jeedpveqkp465z
|
- &immich age1afyntwvj672lcq2e4dpxmw3syplzurnnd8q8j3265843jeedpveqkp465z
|
||||||
- &miniflux age15ja22wd9tt60vn32sk59pp6c7vtjsn8y3rypn8qfnvxthug8sp0q6f72uh
|
- &miniflux age15ja22wd9tt60vn32sk59pp6c7vtjsn8y3rypn8qfnvxthug8sp0q6f72uh
|
||||||
- &radicale age1j6z39kmnxkqa7jdcjsydy5cryjce7fttf225fh3pldyvq06ax3fq58mk8c
|
- &radicale age1j6z39kmnxkqa7jdcjsydy5cryjce7fttf225fh3pldyvq06ax3fq58mk8c
|
||||||
|
- &stream age148r2q3cy9sjem37rvgtcc4qjx8usxkdg77pqexa56gmcexn58aaslh3cnj
|
||||||
creation_rules:
|
creation_rules:
|
||||||
- path_regex: hosts/toaster/[^/]+\.yaml$
|
- path_regex: hosts/toaster/[^/]+\.yaml$
|
||||||
key_groups:
|
key_groups:
|
||||||
|
@ -66,3 +67,9 @@ creation_rules:
|
||||||
- *admin_oxa
|
- *admin_oxa
|
||||||
age:
|
age:
|
||||||
- *conduwuit
|
- *conduwuit
|
||||||
|
- path_regex: hosts/stream/[^/]+\.yaml$
|
||||||
|
key_groups:
|
||||||
|
- pgp:
|
||||||
|
- *admin_oxa
|
||||||
|
age:
|
||||||
|
- *stream
|
||||||
|
|
20
flake.lock
generated
20
flake.lock
generated
|
@ -253,11 +253,11 @@
|
||||||
"lix": {
|
"lix": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1749682763,
|
"lastModified": 1749838547,
|
||||||
"narHash": "sha256-DDhns3NS6L5OlYR0mSX03I5D7uGLyyd3MZegd1wTCyc=",
|
"narHash": "sha256-4qJy0n+6P13/XAHPlcjcWK6MDNYd38PkFdI8iCiJYYo=",
|
||||||
"rev": "ee0655240270480d7f6063dcf12ec47f04d2ded6",
|
"rev": "1e34c3747779a82d59ef27b351d4ed02fb372a2a",
|
||||||
"type": "tarball",
|
"type": "tarball",
|
||||||
"url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/ee0655240270480d7f6063dcf12ec47f04d2ded6.tar.gz?rev=ee0655240270480d7f6063dcf12ec47f04d2ded6"
|
"url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/1e34c3747779a82d59ef27b351d4ed02fb372a2a.tar.gz?rev=1e34c3747779a82d59ef27b351d4ed02fb372a2a"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"type": "tarball",
|
"type": "tarball",
|
||||||
|
@ -339,11 +339,11 @@
|
||||||
},
|
},
|
||||||
"nixos-hardware": {
|
"nixos-hardware": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1749195551,
|
"lastModified": 1749832440,
|
||||||
"narHash": "sha256-W5GKQHgunda/OP9sbKENBZhMBDNu2QahoIPwnsF6CeM=",
|
"narHash": "sha256-lfxhuxAaHlYFGr8yOrAXZqdMt8PrFLzjVqH9v3lQaoY=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixos-hardware",
|
"repo": "nixos-hardware",
|
||||||
"rev": "4602f7e1d3f197b3cb540d5accf5669121629628",
|
"rev": "db030f62a449568345372bd62ed8c5be4824fa49",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -402,11 +402,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs-unstable": {
|
"nixpkgs-unstable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1749285348,
|
"lastModified": 1749794982,
|
||||||
"narHash": "sha256-frdhQvPbmDYaScPFiCnfdh3B/Vh81Uuoo0w5TkWmmjU=",
|
"narHash": "sha256-Kh9K4taXbVuaLC0IL+9HcfvxsSUx8dPB5s5weJcc9pc=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "3e3afe5174c561dee0df6f2c2b2236990146329f",
|
"rev": "ee930f9755f58096ac6e8ca94a1887e0534e2d81",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
11
flake.nix
11
flake.nix
|
@ -1,7 +1,7 @@
|
||||||
{
|
{
|
||||||
inputs = {
|
inputs = {
|
||||||
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
|
nixpkgs-unstable.url = "github:nixos/nixpkgs?ref=nixos-unstable";
|
||||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
|
nixpkgs.url = "github:NixOS/nixpkgs?ref=nixos-25.05";
|
||||||
|
|
||||||
flake-utils.url = "github:numtide/flake-utils";
|
flake-utils.url = "github:numtide/flake-utils";
|
||||||
|
|
||||||
|
@ -10,7 +10,7 @@
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
|
|
||||||
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
|
nixos-hardware.url = "github:NixOS/nixos-hardware?ref=master";
|
||||||
|
|
||||||
microvm = {
|
microvm = {
|
||||||
url = "github:astro/microvm.nix";
|
url = "github:astro/microvm.nix";
|
||||||
|
@ -21,7 +21,7 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
lanzaboote = {
|
lanzaboote = {
|
||||||
url = "github:nix-community/lanzaboote/v0.4.2";
|
url = "github:nix-community/lanzaboote?ref=v0.4.2";
|
||||||
inputs.nixpkgs.follows = "nixpkgs-unstable";
|
inputs.nixpkgs.follows = "nixpkgs-unstable";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -71,6 +71,7 @@
|
||||||
"forgejo"
|
"forgejo"
|
||||||
"miniflux"
|
"miniflux"
|
||||||
"radicale"
|
"radicale"
|
||||||
|
"stream"
|
||||||
];
|
];
|
||||||
microvm-unstable-list = [
|
microvm-unstable-list = [
|
||||||
"auth"
|
"auth"
|
||||||
|
@ -121,7 +122,7 @@
|
||||||
./modules/emacs.nix
|
./modules/emacs.nix
|
||||||
./modules/gnupg.nix
|
./modules/gnupg.nix
|
||||||
./modules/mail
|
./modules/mail
|
||||||
./modules/plasma.nix
|
./modules/gnome.nix
|
||||||
./modules/radio.nix
|
./modules/radio.nix
|
||||||
./modules/science.nix
|
./modules/science.nix
|
||||||
./modules/tlp.nix
|
./modules/tlp.nix
|
||||||
|
|
|
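Review bot: `lanzaboote?ref=v0.4.2` still pins a tag rather than a commit, and tags can be moved upstream; the build stays reproducible only because flake.lock records the narHash, so a later `nix flake update` would follow a re-pointed tag without any error. For the component that signs the secure-boot chain, consider `url = "github:nix-community/lanzaboote?ref=v0.4.2&rev=<commit>";` (or `?rev=` alone) so an update fails loudly if the tag changes. `nixos-hardware?ref=master` and `nixpkgs?ref=nixos-unstable` are intentionally moving branches and are fine as long as flake.lock is reviewed on update; the `/ref` → `?ref=` rewrite itself changes nothing semantically.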
@ -60,5 +60,37 @@ in
|
||||||
'';
|
'';
|
||||||
|
|
||||||
virtualHosts."news.oxapentane.com".extraConfig = "reverse_proxy http://10.89.88.14:8080";
|
virtualHosts."news.oxapentane.com".extraConfig = "reverse_proxy http://10.89.88.14:8080";
|
||||||
|
|
||||||
|
virtualHosts."music.oxapentane.com".extraConfig = ''
|
||||||
|
route {
|
||||||
|
reverse_proxy /outpost.goauthentik.io/* 10.89.88.11:9000 [fd31:185d:722f::11]:9000
|
||||||
|
|
||||||
|
@protected not path /share/* /rest/*
|
||||||
|
forward_auth @protected 10.89.88.11:9000 {
|
||||||
|
uri /outpost.goauthentik.io/auth/caddy
|
||||||
|
copy_headers X-Authentik-Username>Remote-User
|
||||||
|
trusted_proxies 10.89.88.11 fd31:185d:722f::11
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@subsonic path /rest/*
|
||||||
|
forward_auth @subsonic 10.89.88.11:9000 {
|
||||||
|
uri /outpost.goauthentik.io/auth/caddy
|
||||||
|
copy_headers X-Authentik-Username>Remote-User
|
||||||
|
@error status 1xx 3xx 4xx 5xx
|
||||||
|
handle_response @error {
|
||||||
|
respond <<SUBSONICERR
|
||||||
|
<subsonic-response xmlns="http://subsonic.org/restapi" status="failed" version="1.16.1" type="proxy-auth" serverVersion="n/a" openSubsonic="true">
|
||||||
|
<error code="40" message="Invalid credentials or unsupported client"></error>
|
||||||
|
</subsonic-response>
|
||||||
|
SUBSONICERR 200
|
||||||
|
}
|
||||||
|
trusted_proxies 10.89.88.11 fd31:185d:722f::11
|
||||||
|
}
|
||||||
|
}
|
||||||
|
reverse_proxy 10.89.88.17:4533
|
||||||
|
|
||||||
|
'';
|
||||||
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
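Review bot: Nothing in the new `route { … }` for music.oxapentane.com strips a client-supplied `Remote-User` header before the request is proxied to 10.89.88.17:4533, and `copy_headers X-Authentik-Username>Remote-User` only rewrites it on requests that actually pass through one of the two `forward_auth` blocks; `/share/*`, excluded by `@protected not path /share/* /rest/*`, is forwarded with whatever headers the client sent. Because Navidrome is configured in this same change (hosts/stream/navidrome.nix, `ReverseProxyWhitelist`) to trust `Remote-User` from the proxy's subnet, add `request_header -Remote-User` as the first directive inside `route {` so only the value copied from the outpost response can ever reach the backend. Whether Navidrome honours that header on share endpoints I cannot tell from the visible lines, so treat this as defence in depth rather than a confirmed bypass. Separately, `@error status 1xx 3xx 4xx 5xx` maps an outpost outage (5xx) to the same "Invalid credentials" Subsonic error as a real auth failure, which will make outpost problems look like user password problems; a short comment noting this trade-off, e.g. `# any non-2xx from the outpost is reported to Subsonic clients as an auth failure`, would help the next reader.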
76
hosts/stream/default.nix
Normal file
76
hosts/stream/default.nix
Normal file
|
@ -0,0 +1,76 @@
|
||||||
|
{ config, lib, ... }:
|
||||||
|
let
|
||||||
|
mac = "02:00:00:00:00:07";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
./navidrome.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
sops.defaultSopsFile = ./secrets.yaml;
|
||||||
|
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
||||||
|
|
||||||
|
sops.secrets = {
|
||||||
|
"wg/0xa-proxy" = {
|
||||||
|
owner = config.users.users.systemd-network.name;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
microvm = {
|
||||||
|
hypervisor = "qemu";
|
||||||
|
mem = 4 * 1024;
|
||||||
|
vcpu = 3;
|
||||||
|
interfaces = [
|
||||||
|
{
|
||||||
|
type = "tap";
|
||||||
|
id = "uvm-stream";
|
||||||
|
mac = mac;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
shares =
|
||||||
|
[
|
||||||
|
{
|
||||||
|
source = "/nix/store";
|
||||||
|
mountPoint = "/nix/.ro-store";
|
||||||
|
tag = "store";
|
||||||
|
proto = "virtiofs";
|
||||||
|
}
|
||||||
|
]
|
||||||
|
++ map
|
||||||
|
(dir: {
|
||||||
|
source = dir;
|
||||||
|
mountPoint = "/${dir}";
|
||||||
|
tag = dir;
|
||||||
|
proto = "virtiofs";
|
||||||
|
})
|
||||||
|
[
|
||||||
|
"etc"
|
||||||
|
"var"
|
||||||
|
"home"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.useNetworkd = true;
|
||||||
|
networking.firewall.enable = lib.mkForce false; # firewalling done by the host
|
||||||
|
|
||||||
|
systemd.network = {
|
||||||
|
enable = true;
|
||||||
|
networks."11-host" = {
|
||||||
|
matchConfig.MACAddress = mac;
|
||||||
|
networkConfig = {
|
||||||
|
Address = "10.99.99.17/24";
|
||||||
|
DHCP = "no";
|
||||||
|
};
|
||||||
|
routes = [
|
||||||
|
{
|
||||||
|
Gateway = "10.99.99.1";
|
||||||
|
Destination = "0.0.0.0/0";
|
||||||
|
Metric = 1024;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.hostName = "stream";
|
||||||
|
system.stateVersion = "25.05";
|
||||||
|
}
|
16
hosts/stream/navidrome.nix
Normal file
16
hosts/stream/navidrome.nix
Normal file
|
@ -0,0 +1,16 @@
|
||||||
|
{ ... }:
|
||||||
|
{
|
||||||
|
services.navidrome = {
|
||||||
|
enable = true;
|
||||||
|
settings = {
|
||||||
|
Address = "10.89.88.17";
|
||||||
|
BaseUrl = "/";
|
||||||
|
EnableExternalServices = false;
|
||||||
|
MusicFolder = "/var/lib/navidrome/music";
|
||||||
|
Port = 4533;
|
||||||
|
ScanSchedule = "@every 11m";
|
||||||
|
TranscodingCacheSize = "11GiB";
|
||||||
|
ReverseProxyWhitelist = "10.89.88.1/24";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
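Review bot: `ReverseProxyWhitelist = "10.89.88.1/24"` trusts the `Remote-User` header from every address in 10.89.88.0/24, which in this change is the whole WireGuard mesh (the outpost at .11, miniflux at .14, and so on), not only the Caddy host; any peer that can reach 10.89.88.17:4533 can then log in as any Navidrome user simply by setting that header, and the guest's own firewall is disabled in hosts/stream/default.nix. Narrow it to the proxy's address(es), e.g. `ReverseProxyWhitelist = "10.89.88.1/32";` plus the proxy's fd31:185d:722f:: address if Caddy connects over IPv6 — I cannot confirm from the visible lines which address the proxy actually uses, so substitute the right one. The `Address = "10.89.88.17"` bind and `EnableExternalServices = false` are good; this just closes the remaining header-trust gap.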
38
hosts/stream/secrets.yaml
Normal file
38
hosts/stream/secrets.yaml
Normal file
|
@ -0,0 +1,38 @@
|
||||||
|
wg:
|
||||||
|
0xa-proxy: ENC[AES256_GCM,data:uZfFc4elxCAVZvdIHJ7lgoPs9qKkD9ZvLhcYbexDcqn0alaMzIr++CY52FI=,iv:CREMt6GrLHs4Jwj/55awDFHh9hQlJPEi4ZQ7ZLMPvRA=,tag:iJAGdqzQbyezmDj+tzjdNQ==,type:str]
|
||||||
|
sops:
|
||||||
|
age:
|
||||||
|
- recipient: age148r2q3cy9sjem37rvgtcc4qjx8usxkdg77pqexa56gmcexn58aaslh3cnj
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSko5L1BCOTR1QmZabGw3
|
||||||
|
QS9kbDZyWEJvV09MNkNqbTNncjZrOXl6WFZrCmxQelVzbjdvUUl4aVl3UVFVL0Q5
|
||||||
|
S0VDNkdvcDZnZytCdjBrZUZYTFlEZncKLS0tIG1NWnlnRGovcWxDL2JYMTc2bEY5
|
||||||
|
K29Dd0t6b3FMZjU2cXFBbEw3RktkQlkKCh+jXv65KfAsSR4/0+UWwU5tCphrEEgE
|
||||||
|
WDbIdUZ8j5xHHQwJ58cU7uQ+BSy0yZlwwr8vPoaKdXQzMgyrQfq3gg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2025-06-12T22:54:11Z"
|
||||||
|
mac: ENC[AES256_GCM,data:15EU9VupWfvR8CrfKrX3nhpD60hYB2LY3vuAPvdqzKLliqSqolNj956fOFicfSHvmW/s+7x+M+5FROnOzSbToTZotFtvALQihHH999veGZMx8Q8oIyljT1PBw/SU9djXPI1KjG/zzYOAwu7y/Ffm0QKhMRziH7CQLn30KR0o2w0=,iv:ghdyTvcpgnBi2L9s4UrzwWwt9TeU0WkGquZ64+w9IN8=,tag:4m4hYFgejlEaQROB/OEi6g==,type:str]
|
||||||
|
pgp:
|
||||||
|
- created_at: "2025-06-12T22:51:49Z"
|
||||||
|
enc: |-
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hQIMA7zUOKwzpAE7AQ/8ClHQoCuiC0AH28bDit4qjNh/TnYq3IbAdyITOqUYPRc6
|
||||||
|
th8MCDY0CfxvzDTLYxTlHH4MNDOiWWTMg/shC8xV3MrAIpEQV79ivYMay04aWpCH
|
||||||
|
HqlhjBynCwAnJRanc9Ch5zW1wCjpgMp+kMDX8JhhUL0Rmt2fd2nSp4R2bb+/HRvn
|
||||||
|
vAaDq3TTLkLr1OHcTNKFFbXafGLKMahxkQGRMgD1DIPCLW+nUxerUnlxHo4yjj3B
|
||||||
|
WKXBVKeWowgBHvelHqUVf6yeSmWZyFDP/jFxFEi75A+BYmwxlQcRDn0L0NKUlMa/
|
||||||
|
uF3jtW3XBMS/sLX7aRscBFeEq9XPce9urJK4KPFNVFI3X1WbD6O/Z87Y+MHa2n0s
|
||||||
|
DuxIwrffpw8p4qSVBAJLbSW1vR/suGh/0Cr31mzo4FJT92A93wc8JdLdpHUfTXL/
|
||||||
|
bEbt6M7OSqvIt5/mor7Ad6/HRkEl+sZJnHqeU/qKfAIKKfz5UVG/ZCZDZlVGTmpp
|
||||||
|
lV9Dn8QjA1ut4lMvACJBocnrlH4T6150ULL0r3gHuVy5YhnGR+LWFdgaCJ4v3f1J
|
||||||
|
A59eAyQENNMoSGZU/YZx95kFPc1O/GIkmiMpXZxBISN3F70QP30ieqbP1qnZRfMg
|
||||||
|
GldVAFhfaHct4lujlgRfOkmwcNG3gTIru4wAqg+wzriI9jm9vEoF0MDJs2cwNYTS
|
||||||
|
XgE32jq6Li59TMUQH9iB4l0cM42QbQ8BcSn6o/NhmF6HHq9W5yuD6EIs4KNfdHv6
|
||||||
|
ikgqQuGGO9v7qDMd0piyqeLRGMANepxrR5uMsbFmMnah9RUq9CjRbMADLa+8DeU=
|
||||||
|
=fEVm
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.10.2
|
|
@ -66,7 +66,7 @@
|
||||||
home = "/home/0xa";
|
home = "/home/0xa";
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
uid = 1000;
|
uid = 1000;
|
||||||
shell = pkgs.zsh;
|
shell = pkgs.fish;
|
||||||
};
|
};
|
||||||
|
|
||||||
# This value determines the NixOS release from which the default
|
# This value determines the NixOS release from which the default
|
||||||
|
|
|
@ -17,6 +17,7 @@
|
||||||
mpv
|
mpv
|
||||||
obs-studio
|
obs-studio
|
||||||
qbittorrent
|
qbittorrent
|
||||||
|
transmission_4-gtk
|
||||||
signal-desktop
|
signal-desktop
|
||||||
spotify
|
spotify
|
||||||
telegram-desktop
|
telegram-desktop
|
||||||
|
|
|
@ -31,7 +31,7 @@
|
||||||
nix-index
|
nix-index
|
||||||
kicad
|
kicad
|
||||||
kikit
|
kikit
|
||||||
freecad-wayland
|
freecad-qt6
|
||||||
imhex
|
imhex
|
||||||
python3Full
|
python3Full
|
||||||
nixfmt-rfc-style
|
nixfmt-rfc-style
|
||||||
|
|
|
@ -4,8 +4,6 @@
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
gnupg
|
gnupg
|
||||||
opensc
|
opensc
|
||||||
|
|
||||||
yubikey-personalization-gui
|
|
||||||
];
|
];
|
||||||
|
|
||||||
# smartcard support
|
# smartcard support
|
||||||
|
|
|
@ -71,6 +71,14 @@
|
||||||
publicKey = "dj5/CnTAFe5ELnZ5oWonYc+5VdzDyooTYGb/bqcxf3Y=";
|
publicKey = "dj5/CnTAFe5ELnZ5oWonYc+5VdzDyooTYGb/bqcxf3Y=";
|
||||||
privateKeyFile = config.sops.secrets."wg/0xa-proxy".path;
|
privateKeyFile = config.sops.secrets."wg/0xa-proxy".path;
|
||||||
};
|
};
|
||||||
|
"stream" = {
|
||||||
|
address = [
|
||||||
|
"10.89.88.17/24"
|
||||||
|
"fd31:185d:722f::17/48"
|
||||||
|
];
|
||||||
|
publicKey = "RDxbOvd/1FSWqIp5v1++wPBcG1hScAT4mhIlMZdvxU4=";
|
||||||
|
privateKeyFile = config.sops.secrets."wg/0xa-proxy".path;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|