fix: All machine have they own hardware

2025-12-22 02:12:52 +01:00 · 2025-12-22 02:12:52 +01:00 · 4070c37cc5
commit 4070c37cc5
parent 1637885001
17 changed files with 286 additions and 103 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -3,20 +3,13 @@
 {
  system.stateVersion = "25.11";
-  imports =
+  imports = [
-    [
+    ./hardware-configuration.nix
-      ./hardware-configuration.nix
+    ./package.nix
-      ./package.nix
+    ./host.nix
-      ./host.nix
+    ./default.nix
-      ./default.nix
+    ./module
-      ./module/nginx.nix
+  ];
      ./module/newt.nix
      ./module/tailscale.nix
      ./module/searXNG.nix
      ./module/roundcube.nix
      ./module/vaultWarden.nix
    ];
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
--- a/default.nix
+++ b/default.nix
@ -4,7 +4,7 @@ with lib;
 let
  mkServiceOption = { desc, defaultEnabled ? false, extraOpts ? {} }: mkOption {
-    description = desc;
+    description = "Configuration for the ${desc}";
    default = {};
    type = types.submodule {
      options = {
@ -12,44 +12,70 @@ let
      } // extraOpts;
    };
  };
 in
 {
  options = {
    sACME = mkServiceOption { desc = "ACME DNS Challenge"; };
-    sROUNDCUBE = mkServiceOption {
+  mkPortOption = default: mkOption {
-      desc = "Roundcube webapp";
+    type = types.port;
    default = default;
    description = "Port for the service to listen on.";
  };
 in {
  options.module = {
    domain = mkOption {
      type = types.str;
      default = "wateir.fr";
    };
    hostName = mkOption {
      type = types.str;
      default = "${config.networking.hostName}.${config.module.domain}";
      description = "Global FQDN for all hosted services.";
    };
    smtpServer = mkServiceOption {
      desc = "Mail Service with Environment Credentials";
      extraOpts = {
-        port = mkOption { type = types.port; default = 1984; };
+        username = lib.mkOption { type = lib.types.str; };
        password = lib.mkOption { type = lib.types.str; };
        host = lib.mkOption {
          type = types.str;
          default = "tls://smtp.purelymail.com";
        };
        port = lib.mkOption { type = lib.types.port; default = 465; };
      };
    };
-    sVAULTWARDEN = mkServiceOption {
+    acme = mkServiceOption {
-      desc = "Vaultwarden service";
+      desc = "ACME DNS Challenge";
      extraOpts = {
        externalPort = mkOption { type = types.port; default = 8000; };
        internalPort = mkOption { type = types.port; default = 8222; };
      };
    };
-    sSEARXNG = mkServiceOption {
+    tailscale = mkServiceOption {
      desc = "SearXNG meta-search engine";
      extraOpts = {
        port = mkOption { type = types.port; default = 1692; };
      };
    };
    sTAILSCALE = mkServiceOption {
      desc = "Tailscale VPN";
      defaultEnabled = true;
    };
-    sNEWT = mkServiceOption { desc = "Newt custom wireguard tunnel"; };
+    newt = mkServiceOption {
      desc = "Newt custom wireguard tunnel";
    };
-    HostName = mkOption {
+    roundcube = mkServiceOption {
-      type = types.str;
+      desc = "Roundcube webapp";
-      default = "${config.networking.hostName}.ssh.wateir.fr";
+      extraOpts = { port = mkPortOption 1984; };
-      description = "Global hostname with domain for all services";
+    };
    vaultwarden = mkServiceOption {
      desc = "Vaultwarden password manager";
      extraOpts = {
        externalPort = mkPortOption 8000;
        internalPort = mkPortOption 8222;
      };
    };
    searxng = mkServiceOption {
      desc = "SearXNG meta-search engine";
      extraOpts = { port = mkPortOption 1692; };
    };
  };
 }
--- a/flake.lock
+++ b/flake.lock
@ -0,0 +1,123 @@
 {
  "nodes": {
    "agenix": {
      "inputs": {
        "darwin": "darwin",
        "home-manager": "home-manager",
        "nixpkgs": "nixpkgs",
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1762618334,
        "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
        "owner": "ryantm",
        "repo": "agenix",
        "rev": "fcdea223397448d35d9b31f798479227e80183f6",
        "type": "github"
      },
      "original": {
        "owner": "ryantm",
        "repo": "agenix",
        "type": "github"
      }
    },
    "darwin": {
      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1744478979,
        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
        "owner": "lnl7",
        "repo": "nix-darwin",
        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
        "type": "github"
      },
      "original": {
        "owner": "lnl7",
        "ref": "master",
        "repo": "nix-darwin",
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1745494811,
        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1754028485,
        "narHash": "sha256-IiiXB3BDTi6UqzAZcf2S797hWEPCRZOwyNThJIYhUfk=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "59e69648d345d6e8fef86158c555730fa12af9de",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-25.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1766201043,
        "narHash": "sha256-eplAP+rorKKd0gNjV3rA6+0WMzb1X1i16F5m5pASnjA=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "b3aad468604d3e488d627c0b43984eb60e75e782",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-25.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "agenix": "agenix",
        "nixpkgs": "nixpkgs_2"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,24 @@
 {
  description = "My homelab config";
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
    agenix.url = "github:ryantm/agenix";
  };
  outputs = { self, nixpkgs, agenix, ... }:
    let
      system = "x86_64-linux";
    in {
    nixosConfigurations.ThinkCentre-Server-004 = nixpkgs.lib.nixosSystem {
      inherit system;
      modules = [
        ./configuration.nix
        agenix.nixosModules.default
        {
          environment.systemPackages = [ agenix.packages.${system}.default ];
        }
      ];
    };
  };
 }
--- a/hardware-configuration.nix
+++ b/hardware-configuration.nix
@ -1,33 +0,0 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "ehci_pci" "usbhid" "usb_storage" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/d0cdb124-21fc-444d-847f-addf3561ce7f";
      fsType = "ext4";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/9A69-F2F6";
      fsType = "vfat";
      options = [ "fmask=0077" "dmask=0077" ];
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/d5604472-7e21-4894-b30b-d4c4a0cdd945"; }
    ];
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/host.nix
+++ b/host.nix
@ -2,10 +2,10 @@
 {
  config = lib.mkIf (config.networking.hostName == "ThinkCentre-Server-004") {
-    sVAULTWARDEN.enable = true;
+    module.vaultwarden.enable = true;
-    sROUNDCUBE.enable   = true;
+    module.roundcube.enable   = true;
-    sSEARXNG.enable     = true;
+    module.searxng.enable     = true;
-    sACME.enable        = true;
+    module.acme.enable        = true;
-    sNEWT.enable        = true;
+    module.newt.enable        = true;
  };
 }
--- a/module/acme.nix
+++ b/module/acme.nix
@ -1,11 +1,11 @@
 { config, lib, ... }:
-lib.mkIf config.sACME.enable {
+lib.mkIf config.module.acme.enable {
  security.acme = {
    acceptTerms = true;
-    defaults.email = config.sACME.email;
+    defaults.email =  "noreply@wateir.fr";
-    certs."${config.sACME.domain}" = {
+    certs."${config.module.domain}" = {
      dnsProvider = "ovh";
      environmentFile = "/etc/acme.env";
    };
--- a/module/default.nix
+++ b/module/default.nix
@ -0,0 +1,12 @@
 { ... }:
 {
  imports = [
    ./nginx.nix
    ./newt.nix
    ./tailscale.nix
    ./acme.nix
    ./searXNG.nix
    ./roundcube.nix
    ./vaultWarden.nix
  ];
 }
--- a/module/newt.nix
+++ b/module/newt.nix
@ -1,6 +1,6 @@
 {config,lib, ... }:
-lib.mkIf config.sNEWT.enable{
+lib.mkIf config.module.newt.enable{
  services.newt = {
     enable = true;
     environmentFile = "/etc/newt.env";
--- a/module/nginx.nix
+++ b/module/nginx.nix
@ -6,11 +6,11 @@ with lib;
  services.nginx.enable = true;
  services.nginx.virtualHosts = mkMerge [
-    (mkIf config.sVAULTWARDEN.enable {
+    (mkIf config.module.vaultwarden.enable {
-      "${config.HostName}-vault" = {
+      "${config.module.hostName}-vault" = {
-        listen = [{ addr = "0.0.0.0"; port = config.sVAULTWARDEN.externalPort; }];
+        listen = [{ addr = "0.0.0.0"; port = config.module.vaultwarden.externalPort; }];
        locations."/" = {
-          proxyPass = "http://127.0.0.1:${toString config.sVAULTWARDEN.internalPort}";
+          proxyPass = "http://127.0.0.1:${toString config.module.vaultwarden.internalPort}";
          extraConfig = ''
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
@ -21,9 +21,9 @@ with lib;
      };
    })
-    (mkIf config.sROUNDCUBE.enable {
+    (mkIf config.module.roundcube.enable {
-      "${config.HostName}-roundcube" = {
+      "${config.module.hostName}-roundcube" = {
-        listen = [{ addr = "0.0.0.0"; port = config.sROUNDCUBE.port; }];
+        listen = [{ addr = "0.0.0.0"; port = config.module.roundcube.port; }];
        root = "${pkgs.roundcube}/public_html";
        locations."/" = {
          extraConfig = ''
@ -43,7 +43,7 @@ with lib;
  ];
  networking.firewall.allowedTCPPorts = concatLists [
-    (if config.sVAULTWARDEN.enable then [ config.sVAULTWARDEN.externalPort ] else [])
+    (if config.module.vaultwarden.enable then [ config.module.vaultwarden.externalPort ] else [])
-    (if config.sROUNDCUBE.enable   then [ config.sROUNDCUBE.port   ] else [])
+    (if config.module.roundcube.enable   then [ config.module.roundcube.port   ] else [])
  ];
 }
--- a/module/roundcube.nix
+++ b/module/roundcube.nix
@ -1,22 +1,42 @@
 { config, pkgs, lib, ... }:
-lib.mkIf config.sROUNDCUBE.enable {
+lib.mkIf config.module.roundcube.enable {
  age.secrets = {
    smtp_server = {
      file = ../secrets/smtp_server.age;
      owner = "roundcube";
      group = "roundcube";
      mode = "0400";
    };
    imap_server = {
      file = ../secrets/imap_server.age;
      owner = "roundcube";
      group = "roundcube";
      mode = "0400";
    };
  };
  services.roundcube = {
    enable = true;
-    hostName = "${config.HostName}";
+    hostName = "mail.${config.module.domain}";
    plugins = [ "multiple_accounts" ];
    configureNginx = false;
    extraConfig = ''
-      # PurelyMail configuration
+      $config['default_host'] = trim(
-      $config['default_host'] = 'ssl://imap.purelymail.com';
+        file_get_contents('${config.age.secrets.imap_server.path}')
      );
      $config['default_port'] = 993;
-      $config['smtp_server'] = 'tls://smtp.purelymail.com';
+      $config['smtp_server'] = trim(
        file_get_contents('${config.age.secrets.smtp_server.path}')
      );
      $config['smtp_port'] = 465;
      $config['smtp_user'] = '%u';
      $config['smtp_pass'] = '%p';
    '';
  };
  systemd.services.nginx.serviceConfig.ProtectHome = false;
--- a/module/searXNG.nix
+++ b/module/searXNG.nix
@ -1,6 +1,6 @@
 { config,lib,pkgs, ... }:
-lib.mkIf config.sSEARXNG.enable {
+lib.mkIf config.module.roundcube.enable {
  services.searx = {
      enable = true;
      redisCreateLocally = true;
@ -9,7 +9,7 @@ lib.mkIf config.sSEARXNG.enable {
      environmentFile = "/etc/searx.env";
      settings.server = {
        bind_address = "0.0.0.0";
-        port = config.sSEARXNG.port;
+        port = config.module.searxng.port;
      };
      settings.engines = lib.mapAttrsToList (name: value: { inherit name; } // value) {
        "wikidata".disabled = true;
--- a/module/tailscale.nix
+++ b/module/tailscale.nix
@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
-lib.mkIf config.sTAILSCALE.enable {
+lib.mkIf config.module.tailscale.enable {
  services.tailscale = {
    enable = true;
    extraDaemonFlags = [
--- a/module/vaultWarden.nix
+++ b/module/vaultWarden.nix
@ -1,12 +1,12 @@
 { config, lib, ... }:
-lib.mkIf config.sVAULTWARDEN.enable {
+lib.mkIf config.module.vaultwarden.enable {
  services.vaultwarden = {
    enable = true;
    config = {
-      ROCKET_PORT = config.sVAULTWARDEN.internalPort;
+      ROCKET_PORT = config.module.vaultwarden.internalPort;
      ROCKET_ADDRESS = "127.0.0.1";
-      SIGNUPS_ALLOWED = true;
+      SIGNUPS_ALLOWED = false;
    };
  };
 }
--- a/secrets/imap_server.age
+++ b/secrets/imap_server.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -0,0 +1,11 @@
 let
  user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINh+ozv5FVvlAk2cuoHQJa2p+TngWXCcAAWvztLpGl67";
  users = [ user1];
  system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHc2hgH+0cCxO5a68S0OFIX437m6+qNWY9h5A7amtn46";
  systems = [ system1 ];
 in
 {
  "smtp_server.age".publicKeys = [ user1 system1 ];
  "imap_server.age".publicKeys = [ user1 system1 ];
 }
--- a/secrets/smtp_server.age
+++ b/secrets/smtp_server.age
@ -0,0 +1,7 @@
 age-encryption.org/v1
 -> ssh-ed25519 ZX/yJA eL8O0gkAjDmfZjQJfjPprh3VnKiDQvF32Thj9eNJMxk
 c4jNlqCMTamLtZYmCPKFJqx84MlbAxYUwhl7AQdMymk
 -> ssh-ed25519 5AyMyw TdzekvQWSlaUobeF+td3+IAG9QuISKxfzQvq5asBDFk
 6mi74qzSE/9hVeR6lue99/fR58bMUhs2JEyeJ93JWAg
 --- 2awy6GXsPTDjOcfK1/RuVTRPXId9HEHTfzcvzupZa7I
 ƒNüå,Ó”jê¯°Ê²zÜ˜Òßàã%ú1N—¬yª_<C2AA>oåA©b%I‚5‰²œPô<50>‰ÉÎ