forked from mirrors_public/oddlama_nix-config
docs: update readme
This commit is contained in:
parent
7d1e022b3e
commit
e1231f8da1
6 changed files with 35 additions and 140 deletions
79
README.md
|
@ -1,4 +1,8 @@
|
||||||
# About
|
[Hosts](#hosts) \| [Programs](#programs--services) \| [Structure](./STRUCTURE.md)
|
||||||
|
|
||||||
|

|
||||||
|
|
||||||
|
## ❄️ My NixOS Configuration
|
||||||
|
|
||||||
This is my personal nix config. It's still in the making, but this is what I got so far:
|
This is my personal nix config. It's still in the making, but this is what I got so far:
|
||||||
|
|
||||||
|
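Review bot: the new navigation line points `[Structure](./STRUCTURE.md)` at the separate file while README.md itself still carries a `## Structure` section with its own directory table (unchanged context later in this file), so the two will drift apart; either link `#structure` so all three entries behave the same way, or fold the README table into STRUCTURE.md and keep only the link.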
@ -17,12 +21,6 @@ Desktop machines:
|
||||||
- System-wide theme using [stylix](https://github.com/danth/stylix)
|
- System-wide theme using [stylix](https://github.com/danth/stylix)
|
||||||
-->
|
-->
|
||||||
|
|
||||||
<!--
|
|
||||||
XXX: todo, use details summary to show gallery of programs
|
|
||||||
|
|
||||||
- aa
|
|
||||||
-->
|
|
||||||
|
|
||||||
Server related stuff:
|
Server related stuff:
|
||||||
|
|
||||||
- Log and system monitoring through [grafana](https://github.com/grafana/grafana) using
|
- Log and system monitoring through [grafana](https://github.com/grafana/grafana) using
|
||||||
|
@ -30,55 +28,48 @@ Server related stuff:
|
||||||
- [loki](https://github.com/grafana/loki) and [promtail](https://grafana.com/docs/loki/latest/clients/promtail/) for logs
|
- [loki](https://github.com/grafana/loki) and [promtail](https://grafana.com/docs/loki/latest/clients/promtail/) for logs
|
||||||
- Single-Sign-On for all services using oauth2 via [kanidm](https://github.com/kanidm/kanidm)
|
- Single-Sign-On for all services using oauth2 via [kanidm](https://github.com/kanidm/kanidm)
|
||||||
- Zoned nftables firewall via [nixos-nftables-firewall](https://github.com/thelegy/nixos-nftables-firewall)
|
- Zoned nftables firewall via [nixos-nftables-firewall](https://github.com/thelegy/nixos-nftables-firewall)
|
||||||
- Service isolation using nixos-containers and [microvms](https://github.com/astro/microvm.nix)
|
- Service isolation using [microvms](https://github.com/astro/microvm.nix) and nixos-containers
|
||||||
<!--
|
|
||||||
XXX: todo, use details summary to show gallery of services
|
|
||||||
|
|
||||||
- aa
|
|
||||||
-->
|
|
||||||
|
|
||||||
## Hosts
|
## Hosts
|
||||||
|
|
||||||
| | Name | Type | Purpose
|
| | Type | Name | Hardware | Purpose
|
||||||
---|---|---|---
|
---|---|---|---|---
|
||||||
💻 | nom | Gigabyte AERO 15-W8 (i7-8750H) | My laptop and my main portable development machine <sub>Framework when?</sub>
|
💻 | Laptop | nom | Gigabyte AERO 15-W8 (i7-8750H) | My laptop and my main portable development machine <sub>Framework when?</sub>
|
||||||
🖥️ | kroma | PC (AMD Ryzen 9 5900X) | Main workstation and development machine, also for some occasional gaming
|
🖥️ | Desktop | kroma | PC (AMD Ryzen 9 5900X) | Main workstation and development machine, also for some occasional gaming
|
||||||
🖥️ | ward | ODROID H3 | Energy efficient SBC for my home firewall and some lightweight services using containers and microvms.
|
🖥️ | Server | ward | ODROID H3 | Energy efficient SBC for my home firewall and some lightweight services using containers and microvms.
|
||||||
🥔 | zackbiene | ODROID N2+ | ARM SBC for home automation, isolating the sketchy stuff from my main network
|
🖥️ | Server | sire | Threadripper 1950X | Home media server and data storage. Runs all services as microvms.
|
||||||
☁️ | envoy | Hetzner Cloud server | Mailserver
|
🥔 | Server | zackbiene | ODROID N2+ | ARM SBC for home automation, isolating the sketchy stuff from my main network
|
||||||
☁️ | sentinel | Hetzner Cloud server | Proxies and protects my local services
|
☁️ | VPS | sentinel | Hetzner Cloud server | Proxies and protects my local services
|
||||||
|
☁️ | VPS | envoy | Hetzner Cloud server | Mailserver (WIP, still on gentoo)
|
||||||
|
|
||||||
<!-- 🖥️ home server -->
|
## Programs & Services
|
||||||
|
|
||||||
<sub>
|
#### Desktop Programs
|
||||||
not yet nixified: my main development machine, the powerful home server, and some services (still in transition from gentoo :/)
|
|
||||||
</sub>
|
|
||||||
|
|
||||||
## Programs
|
|
||||||
|
|
||||||
| | |
|
| | |
|
||||||
|---|---|
|
|---|---|
|
||||||
**Shell** | zsh <!--& [nushell](https://github.com/nushell/nushell)--> with [starship](https://github.com/starship/starship), fzf plugins and sqlite history
|
**Shell** | zsh <!--& [nushell](https://github.com/nushell/nushell)--> with [starship](https://github.com/starship/starship), fzf plugins and sqlite history
|
||||||
**Terminal** | [kitty](https://github.com/kovidgoyal/kitty)
|
**Terminal** | [kitty](https://github.com/kovidgoyal/kitty)
|
||||||
**Editor** | [neovim](https://github.com/neovim/neovim)
|
**Editor** | [neovim](https://github.com/neovim/neovim) via [nixvim](https://github.com/nix-community/nixvim)
|
||||||
**WM** | [sway](https://github.com/swaywm/sway) & [i3](https://github.com/i3/i3) (still need X11 for gaming)
|
**WM** | [sway](https://github.com/swaywm/sway) & [i3](https://github.com/i3/i3) (still need X11 for gaming)
|
||||||
|
**Browser** | [Firefox](https://www.mozilla.org/en-US/firefox/new/)
|
||||||
|
**Notifications** | [wired-notify](https://github.com/Toqozz/wired-notify)
|
||||||
|
**Screenshots** | [Flameshot](https://github.com/flameshot-org/flameshot) with custom [QR code detection](./pkgs/scripts/screenshot-area-scan-qr.nix) and [OCR to clipboard](./pkgs/scripts/screenshot-area.nix)
|
||||||
|
**Gaming** | [Steam](https://store.steampowered.com/) and [Bottles](https://github.com/bottlesdevs/Bottles)
|
||||||
|
|
||||||
<!-- XXX: add icons
|
#### Services
|
||||||
|
|
||||||
## Self-hosted Services
|
|
||||||
|
|
||||||
| | |
|
| | |
|
||||||
|---|---|
|
|---|---|
|
||||||
- Vaultwarden
|
**Git** | Forgejo
|
||||||
- Adguard Home
|
**SSO** | Kanidm
|
||||||
- Forgjeo
|
**Logs** | Loki
|
||||||
- Grafana
|
**Time Series DB** | Influxdb
|
||||||
- Immich
|
**Monitoring** | Grafana
|
||||||
- Kanidm
|
**DNS AdBlock** | AdGuard Home
|
||||||
- Loki
|
**Passwords** | Vaultwarden
|
||||||
- Paperless
|
**Photos** | Immich
|
||||||
- Influxdb
|
**Documents** | Paperless
|
||||||
-->
|
|
||||||
|
|
||||||
## Structure
|
## Structure
|
||||||
|
|
||||||
|
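Review bot: the new `#### Services` table lists each entry by bare name (`Forgejo`, `Kanidm`, `Loki`, `Influxdb`, …) while the `#### Desktop Programs` table directly above links every entry to its upstream repository; add the same links here so a reader can check what is actually deployed. Smaller point in the same hunk: the headings jump from `## Programs & Services` straight to `####`, skipping a level, so `### Desktop Programs` / `### Services` would render a cleaner outline.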
@ -89,13 +80,11 @@ but here's a quick breakdown of the what you will find where.
|
||||||
|
|
||||||
| | |
|
| | |
|
||||||
|---|---|
|
|---|---|
|
||||||
`apps/` | runnable actions for flake maintenance
|
|
||||||
`hosts/<hostname>` | top-level configuration for `<hostname>`
|
`hosts/<hostname>` | top-level configuration for `<hostname>`
|
||||||
`lib/` | library functions overlayed on top of `nixpkgs.lib`
|
`lib/` | library functions overlayed on top of `nixpkgs.lib`
|
||||||
`modules/config/` | global configuration for all hosts
|
`modules/config/` | global configuration for all hosts
|
||||||
`modules/optional/` | optional configuration included by hosts
|
`modules/optional/` | optional configuration included by hosts
|
||||||
`modules/meta/` | simplified setup for existing modules and cross-host config
|
`modules/*` | classical reusable configuration modules
|
||||||
`modules/*/` | classical reusable configuration modules
|
|
||||||
`nix/` | library functions and flake plumbing
|
`nix/` | library functions and flake plumbing
|
||||||
`pkgs/` | Custom packages and scripts
|
`pkgs/` | Custom packages and scripts
|
||||||
`secrets/` | Global secrets and age identities
|
`secrets/` | Global secrets and age identities
|
||||||
|
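Review bot: the replacement row `` `modules/*` | classical reusable configuration modules `` drops the trailing slash that every other directory entry in this table keeps (`lib/`, `nix/`, `pkgs/`, `modules/config/`, `modules/optional/`); keep `modules/*/` as the old row had it. Dropping the `apps/` row matches the deletion of `apps/default.nix` later in this commit, so the table no longer describes a directory that does not exist.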
@ -111,7 +100,7 @@ but here's a quick breakdown of the what you will find where.
|
||||||
- Create hosts/<name>
|
- Create hosts/<name>
|
||||||
- Fill net.nix
|
- Fill net.nix
|
||||||
- Fill fs.nix (you need to know the device /dev/by-id paths in advance for partitioning to work!)
|
- Fill fs.nix (you need to know the device /dev/by-id paths in advance for partitioning to work!)
|
||||||
- Run generate-secrets
|
- Run `agenix generate` and `agenix rekey` (create's dummy secrets for initial deploy)
|
||||||
|
|
||||||
#### Initial deploy
|
#### Initial deploy
|
||||||
|
|
||||||
|
|
|
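Review bot: `create's` in the replacement step should be `creates`, and the parenthetical leaves open which of the two commands produces the dummy secrets; say it per command, e.g. `` Run `agenix generate` (…) and then `agenix rekey` (…) `` with the effect of each spelled out, since a reader doing the initial deploy will otherwise not know whether both are required before the first build.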
@ -3,8 +3,6 @@
|
||||||
If you are interested in parts of my configuration, you probably want to examine the contents of `users/`, `modules/` and `hosts/`.
|
If you are interested in parts of my configuration, you probably want to examine the contents of `users/`, `modules/` and `hosts/`.
|
||||||
Make sure to utilize the github search if you know what you need!
|
Make sure to utilize the github search if you know what you need!
|
||||||
|
|
||||||
- `apps/` Additional runnable actions for flake maintenance, like showing wireguard QR codes.
|
|
||||||
|
|
||||||
- `hosts/<hostname>` contains the top-level configuration for `<hostname>`.
|
- `hosts/<hostname>` contains the top-level configuration for `<hostname>`.
|
||||||
Follow the imports from there to see what it entails.
|
Follow the imports from there to see what it entails.
|
||||||
|
|
||||||
|
|
|
@ -1,24 +0,0 @@
|
||||||
{self, ...} @ inputs: system: let
|
|
||||||
pkgs = self.pkgs.${system};
|
|
||||||
inherit
|
|
||||||
(pkgs.lib)
|
|
||||||
flip
|
|
||||||
nameValuePair
|
|
||||||
removeSuffix
|
|
||||||
;
|
|
||||||
mkApp = drv: {
|
|
||||||
type = "app";
|
|
||||||
program = "${drv}";
|
|
||||||
};
|
|
||||||
args = inputs // {inherit pkgs;};
|
|
||||||
apps = [
|
|
||||||
./format-secrets.nix
|
|
||||||
./show-wireguard-qr.nix
|
|
||||||
];
|
|
||||||
in
|
|
||||||
builtins.listToAttrs (flip map apps (
|
|
||||||
appPath:
|
|
||||||
nameValuePair
|
|
||||||
(removeSuffix ".nix" (builtins.baseNameOf appPath))
|
|
||||||
(mkApp (import appPath args))
|
|
||||||
))
|
|
|
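Review bot: this hunk deletes `apps/default.nix` outright, and with it the `nix run .#<app>` entry points it built from `./format-secrets.nix` and `./show-wireguard-qr.nix`; the commit message `docs: update readme` does not mention removing functionality, so either split the removal into its own commit or state it in the message. The flake.nix hunk later in this commit drops the matching `apps = import ./apps inputs system;`, so no dangling import is left behind.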
@ -1,22 +0,0 @@
|
||||||
{
|
|
||||||
self,
|
|
||||||
pkgs,
|
|
||||||
nixpkgs,
|
|
||||||
...
|
|
||||||
}: let
|
|
||||||
inherit (nixpkgs.lib) concatStringsSep;
|
|
||||||
inherit (extraLib) rageEncryptArgs;
|
|
||||||
in
|
|
||||||
pkgs.writeShellScript "format-secrets" ''
|
|
||||||
set -euo pipefail
|
|
||||||
[[ -d .git ]] && [[ -f flake.nix ]] || { echo "[1;31merror:[m Please execute this from the project's root folder (the folder with flake.nix)" >&2; exit 1; }
|
|
||||||
for f in $(find . -type f -name '*.nix.age'); do
|
|
||||||
echo "Formatting $f ..."
|
|
||||||
decrypted=$(${../rage-decrypt-and-cache.sh} --print-out-path "$f" ${concatStringsSep " " self.secretsConfig.masterIdentities}) \
|
|
||||||
|| { echo "[1;31merror:[m Failed to decrypt!" >&2; exit 1; }
|
|
||||||
formatted=$(${pkgs.alejandra}/bin/alejandra --quiet < "$decrypted") \
|
|
||||||
|| { echo "[1;31merror:[m Failed to format $decrypted!" >&2; exit 1; }
|
|
||||||
${pkgs.rage}/bin/rage -e ${rageEncryptArgs} <<< "$formatted" > "$f" \
|
|
||||||
|| { echo "[1;31merror:[m Failed to re-encrypt!" >&2; exit 1; }
|
|
||||||
done
|
|
||||||
''
|
|
|
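Review bot: the deleted script pulls `rageEncryptArgs` via `inherit (extraLib) rageEncryptArgs;`, but `extraLib` is not among the function's arguments (`self`, `pkgs`, `nixpkgs`), so this file could not have evaluated as written (the sibling `show-wireguard-qr.nix` reaches the same library as `self.extraLib`). If the formatter is ever restored, fix that and also replace `for f in $(find . -type f -name '*.nix.age')` with a `find … -print0 | while IFS= read -r -d '' f` loop, so a path containing whitespace cannot break the decrypt, format and re-encrypt cycle for the other files.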
@ -1,43 +0,0 @@
|
||||||
{
|
|
||||||
self,
|
|
||||||
pkgs,
|
|
||||||
...
|
|
||||||
}: let
|
|
||||||
inherit
|
|
||||||
(pkgs.lib)
|
|
||||||
attrNames
|
|
||||||
concatMap
|
|
||||||
concatStringsSep
|
|
||||||
escapeShellArg
|
|
||||||
unique
|
|
||||||
;
|
|
||||||
|
|
||||||
nodeNames = attrNames self.nodes;
|
|
||||||
wireguardNetworks = unique (concatMap (n: attrNames self.nodes.${n}.config.meta.wireguard) nodeNames);
|
|
||||||
|
|
||||||
externalPeersForNet = wgName:
|
|
||||||
concatMap (serverNode:
|
|
||||||
map
|
|
||||||
(peer: {inherit wgName serverNode peer;})
|
|
||||||
(attrNames self.nodes.${serverNode}.config.meta.wireguard.${wgName}.server.externalPeers))
|
|
||||||
(self.extraLib.wireguard wgName).participatingServerNodes;
|
|
||||||
allExternalPeers = concatMap externalPeersForNet wireguardNetworks;
|
|
||||||
in
|
|
||||||
pkgs.writeShellScript "show-wireguard-qr" ''
|
|
||||||
set -euo pipefail
|
|
||||||
json_sel=$(echo ${escapeShellArg (concatStringsSep "\n" (map (x: "${builtins.toJSON x}\t[33m${x.wgName}[m.[34m${x.serverNode}[m.[32m${x.peer}[m") allExternalPeers))} \
|
|
||||||
| ${pkgs.fzf}/bin/fzf --delimiter='\t' --ansi --multi --query="''${1-}" --tiebreak=end --bind=tab:down,btab:up,change:top,ctrl-space:toggle --with-nth=2.. --height='~50%' --tac \
|
|
||||||
| ${pkgs.coreutils}/bin/cut -d$'\t' -f1)
|
|
||||||
[[ -n "$json_sel" ]] || exit 1
|
|
||||||
|
|
||||||
while IFS= read -r line; do
|
|
||||||
wgName=$(${pkgs.jq}/bin/jq -r .wgName <<< "$line")
|
|
||||||
serverNode=$(${pkgs.jq}/bin/jq -r .serverNode <<< "$line")
|
|
||||||
peer=$(${pkgs.jq}/bin/jq -r .peer <<< "$line")
|
|
||||||
echo "======== $wgName.$serverNode.$peer ========"
|
|
||||||
|
|
||||||
createConfigScript=$(nix build --no-link --print-out-paths --impure --show-trace --expr \
|
|
||||||
'let flk = builtins.getFlake "${../../.}"; in (flk.extraLib.wireguard "'"$wgName"'").wgQuickConfigScript "${pkgs.system}" "'"$serverNode"'" "'"$peer"'"')
|
|
||||||
"$createConfigScript" | tee /dev/tty | ${pkgs.qrencode}/bin/qrencode -t ansiutf8
|
|
||||||
done <<< "$json_sel"
|
|
||||||
''
|
|
|
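Review bot: the STRUCTURE.md hunk above removes the `apps/` line that described this very file (`showing wireguard QR codes`), and nothing added in this commit tells a reader how external wireguard peers obtain their configuration now; add a sentence on the replacement workflow. Should the script come back, the `nix build --impure --show-trace --expr 'builtins.getFlake …'` call and the `tee /dev/tty` of the generated wg-quick configuration deserve a comment, because that configuration is the peer's complete credential and lands in the terminal scrollback as well as in the QR code.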
@ -200,9 +200,6 @@
|
||||||
.${system};
|
.${system};
|
||||||
};
|
};
|
||||||
|
|
||||||
# `nix run .#<app>`
|
|
||||||
apps = import ./apps inputs system;
|
|
||||||
|
|
||||||
# `nix flake check`
|
# `nix flake check`
|
||||||
checks.pre-commit-hooks = pre-commit-hooks.lib.${system}.run {
|
checks.pre-commit-hooks = pre-commit-hooks.lib.${system}.run {
|
||||||
src = cleanSource ./.;
|
src = cleanSource ./.;
|
||||||
|
|