From 4070c37cc56ddae7c35f2a206938a647dae50557 Mon Sep 17 00:00:00 2001
From: Wateir
Date: Mon, 22 Dec 2025 02:12:52 +0100
Subject: [PATCH] fix: All machine have they own hardware

---
 configuration.nix | 21 +++---
 default.nix | 80 ++++++++++++++++--------
 flake.lock | 123 +++++++++++++++++++++++++++++++++++++
 flake.nix | 24 ++++++++
 hardware-configuration.nix | 33 ----------
 host.nix | 10 +--
 module/acme.nix | 6 +-
 module/default.nix | 12 ++++
 module/newt.nix | 2 +-
 module/nginx.nix | 18 +++---
 module/roundcube.nix | 30 +++++++--
 module/searXNG.nix | 4 +-
 module/tailscale.nix | 2 +-
 module/vaultWarden.nix | 6 +-
 secrets/imap_server.age | Bin 0 -> 348 bytes
 secrets/secrets.nix | 11 ++++
 secrets/smtp_server.age | 7 +++
 17 files changed, 286 insertions(+), 103 deletions(-)
 create mode 100644 flake.lock
 create mode 100644 flake.nix
 delete mode 100644 hardware-configuration.nix
 create mode 100644 module/default.nix
 create mode 100644 secrets/imap_server.age
 create mode 100644 secrets/secrets.nix
 create mode 100644 secrets/smtp_server.age

diff --git a/configuration.nix b/configuration.nix
index 5067f9d..234ab72 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -3,20 +3,13 @@
 {
 system.stateVersion = "25.11";
- imports =
- [
- ./hardware-configuration.nix
- ./package.nix
- ./host.nix
- ./default.nix
- ./module/nginx.nix
- ./module/newt.nix
- ./module/tailscale.nix
-
- ./module/searXNG.nix
- ./module/roundcube.nix
- ./module/vaultWarden.nix
- ];
+ imports = [
+ ./hardware-configuration.nix
+ ./package.nix
+ ./host.nix
+ ./default.nix
+ ./module
+ ];
 nix.settings.experimental-features = [ "nix-command" "flakes" ];
diff --git a/default.nix b/default.nix
index b38e4b1..cdc2318 100644
--- a/default.nix
+++ b/default.nix
@@ -4,7 +4,7 @@ with lib;
 let
 mkServiceOption = { desc, defaultEnabled ? false, extraOpts ? {} }: mkOption {
- description = desc;
+ description = "Configuration for the ${desc}";
 default = {};
 type = types.submodule {
 options = {
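Review bot: `./hardware-configuration.nix` is kept in the new `imports` list while this same patch deletes that file from the tree and `flake.nix` now builds the system from the flake source; a flake evaluation only sees files git tracks, so a per-machine `hardware-configuration.nix` that is left untracked fails with a missing-path error, and one that is tracked is shared by every machine again. The intended workflow (generate the file locally and at least `git add --intent-to-add` it before `nixos-rebuild`) should be written next to the import, e.g. `./hardware-configuration.nix # per-machine, generated by nixos-generate-config; not committed, but must be git-tracked (git add -N) for the flake to see it`. Alternatively, pass the per-host hardware module from the `modules` list in `flake.nix` so the convention is explicit in code. The closing brace of this attribute set lies outside the hunk.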
@@ -12,44 +12,70 @@ let
 } // extraOpts;
 };
 };
-in
-{
- options = {
- sACME = mkServiceOption { desc = "ACME DNS Challenge"; };
- sROUNDCUBE = mkServiceOption {
- desc = "Roundcube webapp";
+ mkPortOption = default: mkOption {
+ type = types.port;
+ default = default;
+ description = "Port for the service to listen on.";
+ };
+
+in {
+ options.module = {
+ domain = mkOption {
+ type = types.str;
+ default = "wateir.fr";
+ };
+
+ hostName = mkOption {
+ type = types.str;
+ default = "${config.networking.hostName}.${config.module.domain}";
+ description = "Global FQDN for all hosted services.";
+ };
+
+ smtpServer = mkServiceOption {
+ desc = "Mail Service with Environment Credentials";
 extraOpts = {
- port = mkOption { type = types.port; default = 1984; };
+ username = lib.mkOption { type = lib.types.str; };
+ password = lib.mkOption { type = lib.types.str; };
+
+ host = lib.mkOption {
+ type = types.str;
+ default = "tls://smtp.purelymail.com";
+ };
+
+ port = lib.mkOption { type = lib.types.port; default = 465; };
 };
 };
- sVAULTWARDEN = mkServiceOption {
- desc = "Vaultwarden service";
- extraOpts = {
- externalPort = mkOption { type = types.port; default = 8000; };
- internalPort = mkOption { type = types.port; default = 8222; };
- };
+ acme = mkServiceOption {
+ desc = "ACME DNS Challenge";
 };
- sSEARXNG = mkServiceOption {
- desc = "SearXNG meta-search engine";
- extraOpts = {
- port = mkOption { type = types.port; default = 1692; };
- };
- };
-
- sTAILSCALE = mkServiceOption {
+ tailscale = mkServiceOption {
 desc = "Tailscale VPN";
 defaultEnabled = true;
 };
- sNEWT = mkServiceOption { desc = "Newt custom wireguard tunnel"; };
+ newt = mkServiceOption {
+ desc = "Newt custom wireguard tunnel";
+ };
- HostName = mkOption {
- type = types.str;
- default = "${config.networking.hostName}.ssh.wateir.fr";
- description = "Global hostname with domain for all services";
+ roundcube = mkServiceOption {
+ desc = "Roundcube webapp";
+ extraOpts = { port = mkPortOption 1984; };
+ };
+
+ vaultwarden = mkServiceOption {
+ desc = "Vaultwarden password manager";
+ extraOpts = {
+ externalPort = mkPortOption 8000;
+ internalPort = mkPortOption 8222;
+ };
+ };
+
+ searxng = mkServiceOption {
+ desc = "SearXNG meta-search engine";
+ extraOpts = { port = mkPortOption 1692; };
 };
 };
 }
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..3fdc758
--- /dev/null
+++ b/flake.lock
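Review bot: `password = lib.mkOption { type = lib.types.str; };` in the new `smtpServer` options takes the secret as a plain string, and any consumer that interpolates it into a generated file writes it into the world-readable Nix store, which is at odds with the option's own description ("Environment Credentials"). Prefer a path that consumers read at activation time, e.g. `passwordFile = mkOption { type = types.path; description = "File holding the SMTP password; must not live in the Nix store."; };`, which also matches how `roundcube.nix` in this patch reads `config.age.secrets.*.path`. Two smaller points: `domain` is the only option in this block without a `description`, and the block mixes `lib.mkOption`/`lib.types.str` with the bare `mkOption`/`types.str` that the file's `with lib;` already provides. As far as the diff shows, nothing reads `smtpServer` yet, so the shape can still be changed cheaply.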
@@ -0,0 +1,123 @@ +{ + "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1762618334, + "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=", + "owner": "ryantm", + "repo": "agenix", + "rev": "fcdea223397448d35d9b31f798479227e80183f6", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1744478979, + "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "43975d782b418ebf4969e9ccba82466728c2851b", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1745494811, + "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1754028485, + "narHash": "sha256-IiiXB3BDTi6UqzAZcf2S797hWEPCRZOwyNThJIYhUfk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "59e69648d345d6e8fef86158c555730fa12af9de", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-25.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1766201043, + "narHash": "sha256-eplAP+rorKKd0gNjV3rA6+0WMzb1X1i16F5m5pASnjA=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "b3aad468604d3e488d627c0b43984eb60e75e782", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-25.11", + "repo": 
"nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "agenix": "agenix",
+ "nixpkgs": "nixpkgs_2"
+ }
+ },
+ "systems": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..2b7f9b0
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,24 @@
+{
+ description = "My homelab config";
+
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
+ agenix.url = "github:ryantm/agenix";
+ };
+
+ outputs = { self, nixpkgs, agenix, ... }:
+ let
+ system = "x86_64-linux";
+ in {
+ nixosConfigurations.ThinkCentre-Server-004 = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ ./configuration.nix
+ agenix.nixosModules.default
+ {
+ environment.systemPackages = [ agenix.packages.${system}.default ];
+ }
+ ];
+ };
+ };
+}
diff --git a/hardware-configuration.nix b/hardware-configuration.nix
deleted file mode 100644
index 89b236d..0000000
--- a/hardware-configuration.nix
+++ /dev/null
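Review bot: The `agenix` input is declared without `inputs.nixpkgs.follows`, and the accompanying `flake.lock` shows the consequence: agenix pins its own `nixpkgs` at `nixos-25.05` (node `nixpkgs`) next to the root `nixos-25.11` (node `nixpkgs_2`), so the `agenix` CLI put into `environment.systemPackages` is built from a second, older nixpkgs that has to be updated and audited separately. Add `agenix.inputs.nixpkgs.follows = "nixpkgs";` under `inputs` so a single nixpkgs revision governs the whole closure. A short comment on `system = "x86_64-linux";` saying it is hard-wired for every host would also help, since `nixosConfigurations` currently lists only `ThinkCentre-Server-004` and `host.nix` gates on that same name.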
@@ -1,33 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
- imports =
- [ (modulesPath + "/installer/scan/not-detected.nix")
- ];
-
- boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "ehci_pci" "usbhid" "usb_storage" "sd_mod" ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-amd" ];
- boot.extraModulePackages = [ ];
-
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/d0cdb124-21fc-444d-847f-addf3561ce7f";
- fsType = "ext4";
- };
-
- fileSystems."/boot" =
- { device = "/dev/disk/by-uuid/9A69-F2F6";
- fsType = "vfat";
- options = [ "fmask=0077" "dmask=0077" ];
- };
-
- swapDevices =
- [ { device = "/dev/disk/by-uuid/d5604472-7e21-4894-b30b-d4c4a0cdd945"; }
- ];
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
- hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}
diff --git a/host.nix b/host.nix
index d72e76e..70b3f70 100644
--- a/host.nix
+++ b/host.nix
@@ -2,10 +2,10 @@
 {
 config = lib.mkIf (config.networking.hostName == "ThinkCentre-Server-004") {
- sVAULTWARDEN.enable = true;
- sROUNDCUBE.enable = true;
- sSEARXNG.enable = true;
- sACME.enable = true;
- sNEWT.enable = true;
+ module.vaultwarden.enable = true;
+ module.roundcube.enable = true;
+ module.searxng.enable = true;
+ module.acme.enable = true;
+ module.newt.enable = true;
 };
 }
diff --git a/module/acme.nix b/module/acme.nix
index 534dc95..8e4d41f 100644
--- a/module/acme.nix
+++ b/module/acme.nix
@@ -1,11 +1,11 @@
 { config, lib, ... }:
-lib.mkIf config.sACME.enable {
+lib.mkIf config.module.acme.enable {
 security.acme = {
 acceptTerms = true;
- defaults.email = config.sACME.email;
+ defaults.email = "noreply@wateir.fr";
- certs."${config.sACME.domain}" = {
+ certs."${config.module.domain}" = {
 dnsProvider = "ovh";
 environmentFile = "/etc/acme.env";
 };
diff --git a/module/default.nix b/module/default.nix
new file mode 100644
index 0000000..4121ca5
--- /dev/null
+++ b/module/default.nix
@@ -0,0 +1,12 @@
+{ ... }:
+{
+ imports = [
+ ./nginx.nix
+ ./newt.nix
+ ./tailscale.nix
+ ./acme.nix
+ ./searXNG.nix
+ ./roundcube.nix
+ ./vaultWarden.nix
+ ];
+}
diff --git a/module/newt.nix b/module/newt.nix
index 36147d8..06c93dc 100644
--- a/module/newt.nix
+++ b/module/newt.nix
@@ -1,6 +1,6 @@
 {config,lib, ... }:
-lib.mkIf config.sNEWT.enable{
+lib.mkIf config.module.newt.enable{
 services.newt = {
 enable = true;
 environmentFile = "/etc/newt.env";
diff --git a/module/nginx.nix b/module/nginx.nix
index 6e3f5ba..9dd33c7 100644
--- a/module/nginx.nix
+++ b/module/nginx.nix
@@ -6,11 +6,11 @@ with lib;
 services.nginx.enable = true;
 services.nginx.virtualHosts = mkMerge [
- (mkIf config.sVAULTWARDEN.enable {
- "${config.HostName}-vault" = {
- listen = [{ addr = "0.0.0.0"; port = config.sVAULTWARDEN.externalPort; }];
+ (mkIf config.module.vaultwarden.enable {
+ "${config.module.hostName}-vault" = {
+ listen = [{ addr = "0.0.0.0"; port = config.module.vaultwarden.externalPort; }];
 locations."/" = {
- proxyPass = "http://127.0.0.1:${toString config.sVAULTWARDEN.internalPort}";
+ proxyPass = "http://127.0.0.1:${toString config.module.vaultwarden.internalPort}";
 extraConfig = ''
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
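Review bot: `defaults.email = "noreply@wateir.fr";` hardcodes the domain that the new `module.domain` option, used one line below in `certs."${config.module.domain}"`, already parameterizes; `defaults.email = "noreply@${config.module.domain}";` keeps the two in step when the domain changes. Separately, the certificate is requested for the bare `module.domain` only, while the services touched by this patch are served under `mail.${config.module.domain}` (roundcube) and `${config.module.hostName}` (nginx vhosts); unless something outside this diff adds `extraDomainNames` or a wildcard, those names are not covered, and no hunk here references the cert at all. A one-line comment on the `certs` entry stating what is meant to consume it would make the intent checkable.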
@@ -21,9 +21,9 @@ with lib;
 };
 })
- (mkIf config.sROUNDCUBE.enable {
- "${config.HostName}-roundcube" = {
- listen = [{ addr = "0.0.0.0"; port = config.sROUNDCUBE.port; }];
+ (mkIf config.module.roundcube.enable {
+ "${config.module.hostName}-roundcube" = {
+ listen = [{ addr = "0.0.0.0"; port = config.module.roundcube.port; }];
 root = "${pkgs.roundcube}/public_html";
 locations."/" = {
 extraConfig = ''
@@ -43,7 +43,7 @@ with lib;
 ];
 networking.firewall.allowedTCPPorts = concatLists [
- (if config.sVAULTWARDEN.enable then [ config.sVAULTWARDEN.externalPort ] else [])
- (if config.sROUNDCUBE.enable then [ config.sROUNDCUBE.port ] else [])
+ (if config.module.vaultwarden.enable then [ config.module.vaultwarden.externalPort ] else [])
+ (if config.module.roundcube.enable then [ config.module.roundcube.port ] else [])
 ];
 }
diff --git a/module/roundcube.nix b/module/roundcube.nix
index 1e953cb..c983664 100644
--- a/module/roundcube.nix
+++ b/module/roundcube.nix
@@ -1,22 +1,42 @@
 { config, pkgs, lib, ... }:
-lib.mkIf config.sROUNDCUBE.enable {
+lib.mkIf config.module.roundcube.enable {
+ age.secrets = {
+ smtp_server = {
+ file = ../secrets/smtp_server.age;
+ owner = "roundcube";
+ group = "roundcube";
+ mode = "0400";
+ };
+ imap_server = {
+ file = ../secrets/imap_server.age;
+ owner = "roundcube";
+ group = "roundcube";
+ mode = "0400";
+ };
+ };
+
+ services.roundcube = {
 enable = true;
- hostName = "${config.HostName}";
+ hostName = "mail.${config.module.domain}";
 plugins = [ "multiple_accounts" ];
 configureNginx = false;
 extraConfig = ''
- # PurelyMail configuration
- $config['default_host'] = 'ssl://imap.purelymail.com';
+ $config['default_host'] = trim(
+ file_get_contents('${config.age.secrets.imap_server.path}')
+ );
 $config['default_port'] = 993;
- $config['smtp_server'] = 'tls://smtp.purelymail.com';
+ $config['smtp_server'] = trim(
+ file_get_contents('${config.age.secrets.smtp_server.path}')
+ );
 $config['smtp_port'] = 465;
 $config['smtp_user'] = '%u';
 $config['smtp_pass'] = '%p';
 '';
+ };
 systemd.services.nginx.serviceConfig.ProtectHome = false;
diff --git a/module/searXNG.nix b/module/searXNG.nix
index 42a9a35..6101569 100644
--- a/module/searXNG.nix
+++ b/module/searXNG.nix
@@ -1,6 +1,6 @@
 { config,lib,pkgs, ... }:
-lib.mkIf config.sSEARXNG.enable {
+lib.mkIf config.module.roundcube.enable {
 services.searx = {
 enable = true;
 redisCreateLocally = true;
@@ -9,7 +9,7 @@ lib.mkIf config.sSEARXNG.enable {
 environmentFile = "/etc/searx.env";
 settings.server = {
 bind_address = "0.0.0.0";
- port = config.sSEARXNG.port;
+ port = config.module.searxng.port;
 };
 settings.engines = lib.mapAttrsToList (name: value: { inherit name; } // value) {
 "wikidata".disabled = true;
diff --git a/module/tailscale.nix b/module/tailscale.nix
index b29a6d5..6917f52 100644
--- a/module/tailscale.nix
+++ b/module/tailscale.nix
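Review bot: The new `file_get_contents('${config.age.secrets.imap_server.path}')` (and its `smtp_server` twin a few lines below) is unchecked: when the file is missing or not readable by the php-fpm user, PHP returns `false`, `trim(false)` yields `''`, and Roundcube treats an empty `default_host` as "let the user choose a server on the login form", so a deployment mistake silently turns into user-selectable mail endpoints instead of a visible failure. Fail closed instead, e.g. `$imap_host = file_get_contents('${config.age.secrets.imap_server.path}');` / `if ($imap_host === false) { exit('imap_server secret unreadable'); }` / `$config['default_host'] = trim($imap_host);`, and the same for `smtp_server`. The `owner = "roundcube"; mode = "0400";` on both secrets only works if the Roundcube php-fpm pool actually runs as that user, which this diff does not show; a comment on `age.secrets` stating that assumption would help the next reader. The attribute set opened by `lib.mkIf` closes outside the hunk.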
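Review bot: `lib.mkIf config.module.roundcube.enable {` in the first searXNG hunk gates the SearXNG service on Roundcube's flag, while the second hunk reads `config.module.searxng.port` and `host.nix` sets `module.searxng.enable`; as written, toggling `module.searxng.enable` has no effect and disabling Roundcube silently takes SearXNG down with it. It only works today because `host.nix` enables both on the same host. The line should read `lib.mkIf config.module.searxng.enable {`.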
@@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -lib.mkIf config.sTAILSCALE.enable { +lib.mkIf config.module.tailscale.enable { services.tailscale = { enable = true; extraDaemonFlags = [ diff --git a/module/vaultWarden.nix b/module/vaultWarden.nix index ef190ed..fa807b3 100644 --- a/module/vaultWarden.nix +++ b/module/vaultWarden.nix @@ -1,12 +1,12 @@ { config, lib, ... }: -lib.mkIf config.sVAULTWARDEN.enable { +lib.mkIf config.module.vaultwarden.enable { services.vaultwarden = { enable = true; config = { - ROCKET_PORT = config.sVAULTWARDEN.internalPort; + ROCKET_PORT = config.module.vaultwarden.internalPort; ROCKET_ADDRESS = "127.0.0.1"; - SIGNUPS_ALLOWED = true; + SIGNUPS_ALLOWED = false; }; }; } diff --git a/secrets/imap_server.age b/secrets/imap_server.age new file mode 100644 index 0000000000000000000000000000000000000000..8dd66d8639d87475823c5af4c508fc5dbda522d3 GIT binary patch literal 348 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCTSiqNn0a#YAIF*8d^ zPYjF-j0g$!^~#LQGqbb^&aFuD&GGUJGp&ep&k53wEX*@DEavjE2+R!+4a#s1NlLQ_ zbT-K|k94o}Nj3E=smf2U$j*1mFD*ATC)_0}I3Tz@rPMUHJe|u(+af|cu+YynQ$MMq%GuvH$kME` zJkT#7$;i^t$2rT=H`gdA*~DKz!+=XyS689R#5FZP#67~;(KIQu&?Uv9)F>^nFf*vc z#WLN%*V5QE!==i^E73LCu$)VKr@q#d7^g( ssh-ed25519 ZX/yJA eL8O0gkAjDmfZjQJfjPprh3VnKiDQvF32Thj9eNJMxk +c4jNlqCMTamLtZYmCPKFJqx84MlbAxYUwhl7AQdMymk +-> ssh-ed25519 5AyMyw TdzekvQWSlaUobeF+td3+IAG9QuISKxfzQvq5asBDFk +6mi74qzSE/9hVeR6lue99/fR58bMUhs2JEyeJ93JWAg +--- 2awy6GXsPTDjOcfK1/RuVTRPXId9HEHTfzcvzupZa7I +N,Ӕjʲzܘ%1N y_oAb%I5P \ No newline at end of file