

10 commits

Ellis Rahhal
b51aff6757 * Several updates to support NUC hardware 2024-11-13 15:25:54 -08:00
4c0b423649 removed disk config 2024-11-12 17:40:37 -08:00
9fd1df8a7b updated flake lock 2024-11-12 17:36:04 -08:00
12e835c993 added disko 2024-11-12 17:35:44 -08:00
f2c77a398e hardware updates 2024-11-12 17:29:43 -08:00
169192468a updated boot config 2024-11-12 11:18:57 -08:00
72b31a79a2 moved to unstable 2024-11-11 22:26:30 -08:00
f52fb40bc5 added example system flake; updated readme 2024-11-06 14:09:00 -08:00
Ellis Rahhal
a62f7b5477 * Added Unifi
* Added Adguard Home
2024-11-06 11:35:15 -08:00
Ellis Rahhal
711b1ee568 added nvim config; added wireguard config 2024-11-03 00:05:50 -07:00
31 changed files with 2045 additions and 245 deletions


@ -1,7 +1,6 @@
# see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml
keys:
- &user_homefree 06321d7f20335a7e08595ba905d137ee114ba2c2
- &server_homefree 34f107a24095fcf6d43606bd9155d88685ae071e
- &server_homefree bdbac59ef19fdd5a5f455f4bd0ac2d46fb892f75
creation_rules:
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
key_groups:
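Review bot: Swapping the `server_homefree` fingerprint from `34f107…` to `bdbac5…` does not re-encrypt anything: every file matched by `secrets/[^/]+\.(yaml|json|env|ini)$` stays encrypted to the old server key until `sops updatekeys secrets/<file>` is run with the new public key in the keyring, and the old key keeps decrypting those files until that happens. A comment above the `keys:` list such as `# after changing a fingerprint run: for f in secrets/*; do sops updatekeys "$f"; done` would keep the rotation from being left half-finished. The `creation_rules` block continues past the end of this hunk.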


@ -13,17 +13,13 @@ liberate you from giant cloud providers.
## Don't suckle the Feed. Cultivate the Seed.
## Building
## Installing
```
make build-image
```
Install NixOS directly, or use a deployment system such as [NixOS Anywhere](https://github.com/nix-community/nixos-anywhere)
## Running
Update system's configuration to look like something in [example-flake.nix](./example-flake.nix)
```
make run
```
Configure system by setting up values as defined in the [HomeFree module](./module.nix)
## Adding a secret


@ -1,6 +1,67 @@
TODOS
=====
* Go Live Checklist
* P1
* [ ] Landing Page
* [ ] Blog
* [ ] Mirror to Github
* [ ] Caddy proxy to HP server, HA
* [ ] HAProxy / Unbound override configuration migration
* [ ] Wireguard
* [ ] AdGuard
* [ ] Copy exceptions
* [ ] DHCP
* [ ] Copy Static IPs
* [ ] DNS (Dnsmasq or Unbound)
* [ ] qemu setup
* P2
* [ ] SOPS fixes
* [ ] consolidate to single script that works on host or on guest
* [ ] If no user key on guest, complain and abort
* [ ] Fix error messages that mess with getting fingerprit
* [ ] Make sure uid matches <curruser>@localhost, as it tells sops where to look for keyring
* [ ] Get nixos-anywhere disko config to work with LUKS with key file
* [ ] Move hardware config to module config
* [ ] DB of hardware, similar to nixos-hardware repo
* [ ] Backups
* [ ] Migration of services from HP server, HA
* [ ] SSO/Authentik
* [ ] GUI for setup, management
* [ ] Roadmap
* Problem statement
* Goal
* Top issues to solve
* Schedule
* Long term vision
* [ ] NAS
* [ ] SSO
* [ ] Security (wazuh ?)
* P3
* [ ] Monitoring Dashboard
* [ ] VLANs
* [ ] Health / Alerts
* [ ] Mirror to Gitlab
* [ ] Mirror to Bitbucket
* [ ] Mirror to Sourcehut
* [ ] Mirror to Codeberg
* [ ] Mirror to Gitea
* [ ] Mirror to Gogs
* Firewall
* Aliases
* NAT
* Port forwarding
* 1:1 NAT
* Outbound
* NPTv6
* Rules
* Shaper
* Services
* Captive Portal
* Intrusion Detection
* Make a flake that sets up host machine for dev
* hosts file changes (networking.extraHosts)
networking.extraHosts = ''


@ -1,4 +1,4 @@
{ homefree-inputs, system, ... }:
{ homefree-inputs, ... }:
{
_module.args.homefree-inputs = homefree-inputs;
@ -6,8 +6,10 @@
homefree-inputs.nixos-generators.nixosModules.all-formats
homefree-inputs.nixos-hardware.nixosModules.common-cpu-intel
homefree-inputs.nixos-hardware.nixosModules.common-pc-laptop
homefree-inputs.disko.nixosModules.disko
homefree-inputs.sops-nix.nixosModules.sops
homefree-inputs.authentik-nix.nixosModules.default
homefree-inputs.nixvim.nixosModules.nixvim
./module.nix
./hosts/homefree/configuration.nix
];

example-system-flake.nix Normal file

@ -0,0 +1,32 @@
{
description = "HomeFree Instance";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
homefree.url = "github:erahhal/HomeFree";
};
outputs = {
self,
...
}@inputs:
{
nixosConfigurations = {
homefree =
let
system = "x86_64-linux";
in
inputs.nixpkgs.lib.nixosSystem {
system = system;
modules = [
inputs.homefree.nixosModules.default
];
specialArgs = {
inherit inputs;
inherit system;
};
};
};
};
}
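Review bot: The example pins `nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05"` while the HomeFree flake in this same change moves to `nixos-unstable` and `profiles/common.nix` now sets `system.stateVersion = "24.11"`, so anyone following this example evaluates the module against an older nixpkgs than it is developed on; either track `github:NixOS/nixpkgs/nixos-unstable` here as well, or add a comment stating that 24.05 is a supported target. Since `homefree.url` follows the default branch, a one-line comment that the consumer's `flake.lock` is what actually pins HomeFree, and that `nix flake update` output deserves review before a deploy to the router, would also help readers understand what they are trusting.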

flake.lock generated Normal file

@ -0,0 +1,787 @@
{
"nodes": {
"adblock-unbound": {
"inputs": {
"adblockStevenBlack": "adblockStevenBlack",
"lancache-domains": "lancache-domains",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1704832551,
"narHash": "sha256-6xS/ANMIh3b4Ia3Ubl9rtb3LVw9QldihnP3IvuG9zwQ=",
"owner": "MayNiklas",
"repo": "nixos-adblock-unbound",
"rev": "a5d3731836b1c2ca65834e07be03c02daca5b434",
"type": "github"
},
"original": {
"owner": "MayNiklas",
"repo": "nixos-adblock-unbound",
"type": "github"
}
},
"adblockStevenBlack": {
"flake": false,
"locked": {
"lastModified": 1665337238,
"narHash": "sha256-LYYjWMy4xXXqnM3ROKseS7y0faNLYyyDPqUe1+Uf+RE=",
"owner": "StevenBlack",
"repo": "hosts",
"rev": "ff7d9bed83732bd3980ae452927541c6c4b15382",
"type": "github"
},
"original": {
"owner": "StevenBlack",
"repo": "hosts",
"type": "github"
}
},
"authentik-nix": {
"inputs": {
"authentik-src": "authentik-src",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils",
"napalm": "napalm",
"nixpkgs": "nixpkgs",
"poetry2nix": "poetry2nix",
"systems": "systems"
},
"locked": {
"lastModified": 1730763915,
"narHash": "sha256-+UPc6ZJHWJ9fQFAeqSqsQDCFDIXT+f3HiIOnHFIyrig=",
"owner": "erahhal",
"repo": "authentik-nix",
"rev": "daba454bd25cea9796e525d225f06fb0782abba6",
"type": "github"
},
"original": {
"owner": "erahhal",
"ref": "no-docs",
"repo": "authentik-nix",
"type": "github"
}
},
"authentik-src": {
"flake": false,
"locked": {
"lastModified": 1730315123,
"narHash": "sha256-UYOdBlkGeIGCG/pCGLANWv1bKTdBEUp6jTiLG7BpY7E=",
"owner": "goauthentik",
"repo": "authentik",
"rev": "e8b5e4c1272151f4a3666e53754f7deefb8e2fb3",
"type": "github"
},
"original": {
"owner": "goauthentik",
"ref": "version/2024.8.4",
"repo": "authentik",
"type": "github"
}
},
"devshell": {
"inputs": {
"nixpkgs": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1728330715,
"narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=",
"owner": "numtide",
"repo": "devshell",
"rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "devshell",
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1731274291,
"narHash": "sha256-cZ0QMpv5p2a6WEE+o9uu0a4ma6RzQDOQTbm7PbixWz8=",
"owner": "nix-community",
"repo": "disko",
"rev": "486250f404f4a4f4f33f8f669d83ca5f6e6b7dfc",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"revCount": 57,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1726153070,
"narHash": "sha256-HO4zgY0ekfwO5bX0QH/3kJ/h4KvUDFZg8YpkNwIbg1U=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "bcef6817a8b2aa20a5a6dbb19b43e63c5bf8619a",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1730504689,
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "506278e768c2a08bec68eb62932193e341f55c90",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": [
"authentik-nix",
"systems"
]
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"git-hooks": {
"inputs": {
"flake-compat": [
"nixvim",
"flake-compat"
],
"gitignore": "gitignore",
"nixpkgs": [
"nixvim",
"nixpkgs"
],
"nixpkgs-stable": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1730302582,
"narHash": "sha256-W1MIJpADXQCgosJZT8qBYLRuZls2KSiKdpnTVdKBuvU=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "af8a16fe5c264f5e9e18bcee2859b40a656876cf",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"nixvim",
"git-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1731235328,
"narHash": "sha256-NjavpgE9/bMe/ABvZpyHIUeYF1mqR5lhaep3wB79ucs=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "60bb110917844d354f3c18e05450606a435d2d10",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"ixx": {
"inputs": {
"flake-utils": [
"nixvim",
"nuschtosSearch",
"flake-utils"
],
"nixpkgs": [
"nixvim",
"nuschtosSearch",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729958008,
"narHash": "sha256-EiOq8jF4Z/zQe0QYVc3+qSKxRK//CFHMB84aYrYGwEs=",
"owner": "NuschtOS",
"repo": "ixx",
"rev": "9fd01aad037f345350eab2cd45e1946cc66da4eb",
"type": "github"
},
"original": {
"owner": "NuschtOS",
"ref": "v0.0.6",
"repo": "ixx",
"type": "github"
}
},
"lancache-domains": {
"flake": false,
"locked": {
"lastModified": 1679999806,
"narHash": "sha256-oDZ2pSf8IgofRS4HaRppGcd4kHQj48AC9dkS++avYy8=",
"owner": "uklans",
"repo": "cache-domains",
"rev": "31b2ba1e0a7c419327cb97f589b508d78b9aecbf",
"type": "github"
},
"original": {
"owner": "uklans",
"repo": "cache-domains",
"type": "github"
}
},
"napalm": {
"inputs": {
"flake-utils": [
"authentik-nix",
"flake-utils"
],
"nixpkgs": [
"authentik-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1725806412,
"narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=",
"owner": "willibutz",
"repo": "napalm",
"rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5",
"type": "github"
},
"original": {
"owner": "willibutz",
"ref": "avoid-foldl-stack-overflow",
"repo": "napalm",
"type": "github"
}
},
"nix-darwin": {
"inputs": {
"nixpkgs": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1730448474,
"narHash": "sha256-qE/cYKBhzxHMtKtLK3hlSR3uzO1pWPGLrBuQK7r0CHc=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "683d0c4cd1102dcccfa3f835565378c7f3cbe05e",
"type": "github"
},
"original": {
"owner": "lnl7",
"repo": "nix-darwin",
"type": "github"
}
},
"nix-editor": {
"inputs": {
"nixpkgs": "nixpkgs_2",
"utils": "utils"
},
"locked": {
"lastModified": 1703105021,
"narHash": "sha256-Ne9NG7x45a8aJyAN+yYWbr/6mQHBVVkwZZ72EZHHRqw=",
"owner": "vlinkz",
"repo": "nix-editor",
"rev": "b5017f8d61753ce6a3a1a2aa7e474d59146a8ae3",
"type": "github"
},
"original": {
"owner": "vlinkz",
"repo": "nix-editor",
"type": "github"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"authentik-nix",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703863825,
"narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "5163432afc817cf8bd1f031418d1869e4c9d5547",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nixlib": {
"locked": {
"lastModified": 1729990941,
"narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "7d68864343650322045894951602d6e82b5296d7",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixos-generators": {
"inputs": {
"nixlib": "nixlib",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1731341898,
"narHash": "sha256-2L34Jrd73o6q6t8xMVVK7cj4qk5uHYbSIh72qtIKWWs=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "3a5bf194b6b25ee27a2c61afed039f3cb3a0fbfc",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixos-generators",
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1731332224,
"narHash": "sha256-0ctfVp27ingWtY7dbP5+QpSQ98HaOZleU0teyHQUAw0=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "184687ae1a3139faa4746168baf071f60d0310c8",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "master",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1726937504,
"narHash": "sha256-bvGoiQBvponpZh8ClUcmJ6QnsNKw0EMrCQJARK3bI1c=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9357f4f23713673f310988025d9dc261c20e70c6",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1725233747,
"narHash": "sha256-Ss8QWLXdr2JCBPcYChJhz4xJm+h/xjl4G0c0XlP6a74=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1730602179,
"narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1675673983,
"narHash": "sha256-8hzNh1jtiPxL5r3ICNzSmpSzV7kGb3KwX+FS5BWJUTo=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "5a350a8f31bb7ef0c6e79aea3795a890cf7743d4",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1731139594,
"narHash": "sha256-IigrKK3vYRpUu+HEjPL/phrfh7Ox881er1UEsZvw9Q4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "76612b17c0ce71689921ca12d9ffdc9c23ce40b2",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_4": {
"locked": {
"lastModified": 1730272153,
"narHash": "sha256-B5WRZYsRlJgwVHIV6DvidFN7VX7Fg9uuwkRW9Ha8z+w=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "2d2a9ddbe3f2c00747398f3dc9b05f7f2ebb0f53",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixvim": {
"inputs": {
"devshell": "devshell",
"flake-compat": "flake-compat_2",
"flake-parts": "flake-parts_2",
"git-hooks": "git-hooks",
"home-manager": "home-manager",
"nix-darwin": "nix-darwin",
"nixpkgs": [
"nixpkgs"
],
"nuschtosSearch": "nuschtosSearch",
"treefmt-nix": "treefmt-nix_2"
},
"locked": {
"lastModified": 1731356813,
"narHash": "sha256-w0TJwJwZd9so/chWYFFEtOQdnXTCvmNXIHs1FWJDlMM=",
"owner": "nix-community",
"repo": "nixvim",
"rev": "c892aa20732f982d4cc2b3ef2e2276a2a9a4d45b",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixvim",
"type": "github"
}
},
"nuschtosSearch": {
"inputs": {
"flake-utils": "flake-utils_2",
"ixx": "ixx",
"nixpkgs": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1731347683,
"narHash": "sha256-BcSWCEUBShuB32LPif+EG0XGXyUi2jyjCSpGE1rbOws=",
"owner": "NuschtOS",
"repo": "search",
"rev": "135d202e032be70c93b6d7d53592ef4799d6efde",
"type": "github"
},
"original": {
"owner": "NuschtOS",
"repo": "search",
"type": "github"
}
},
"poetry2nix": {
"inputs": {
"flake-utils": [
"authentik-nix",
"flake-utils"
],
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"authentik-nix",
"nixpkgs"
],
"systems": [
"authentik-nix",
"systems"
],
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1727169160,
"narHash": "sha256-m/3tT0Wvk2V4H15riZC/yT7i7t+8V58HTDpthKV5yhk=",
"owner": "nix-community",
"repo": "poetry2nix",
"rev": "7624b3e0275d9b52dbdda46ef7ffee66b36ff823",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "poetry2nix",
"type": "github"
}
},
"root": {
"inputs": {
"adblock-unbound": "adblock-unbound",
"authentik-nix": "authentik-nix",
"disko": "disko",
"nix-editor": "nix-editor",
"nixos-generators": "nixos-generators",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_3",
"nixvim": "nixvim",
"sops-nix": "sops-nix"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": "nixpkgs_4",
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1731364708,
"narHash": "sha256-HC0anOL+KmUQ2hdRl0AtunbAckasxrkn4VLmxbW/WaA=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "4c91d52db103e757fc25b58998b0576ae702d659",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
"owner": "nix-systems",
"repo": "default-linux",
"rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default-linux",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"authentik-nix",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1719749022,
"narHash": "sha256-ddPKHcqaKCIFSFc/cvxS14goUhCOAwsM1PbMr0ZtHMg=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "8df5ff62195d4e67e2264df0b7f5e8c9995fd0bd",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"treefmt-nix_2": {
"inputs": {
"nixpkgs": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1730321837,
"narHash": "sha256-vK+a09qq19QNu2MlLcvN4qcRctJbqWkX7ahgPZ/+maI=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "746901bb8dba96d154b66492a29f5db0693dbfcc",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",
"version": 7
}


@ -2,11 +2,20 @@
description = "HomeFree Self-Hosting Platform";
inputs = {
# Use stable for main
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
# nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
nixos-hardware.url = "github:NixOS/nixos-hardware/master";
disko.url = "github:nix-community/disko";
disko.inputs.nixpkgs.follows = "nixpkgs";
nixvim = {
# url = "github:nix-community/nixvim/nixos-24.05";
url = "github:nix-community/nixvim";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-generators = {
url = "github:nix-community/nixos-generators";
inputs.nixpkgs.follows = "nixpkgs";
@ -22,10 +31,11 @@
};
authentik-nix = {
url = "github:nix-community/authentik-nix";
# url = "github:nix-community/authentik-nix/version/2024.8.3";
# url = "github:nix-community/authentik-nix";
url = "github:erahhal/authentik-nix/no-docs";
## optional overrides. Note that using a different version of nixpkgs can cause issues, especially with python dependencies
# inputs.nixpkgs.follows = "nixpkgs"
# inputs.flake-parts.follows = "flake-parts"
# inputs.flake-parts.follows = "flake-parts";
};
# notnft = {
@ -39,19 +49,34 @@
# };
};
outputs = { ... } @ inputs:
outputs = { self, ... } @ inputs:
let
system = "x86_64-linux";
# Can't use name "inputs" as it gets overridden by parent flakes that define inputs.nixpkgs.lib.nixosSystem
homefree-inputs = inputs;
# versionInfo = import ./version.nix;
# version = versionInfo.version + (inputs.nixpkgs.lib.optionalString (!versionInfo.released) "-dirty");
in
{
nixosModules = rec {
homefree = import ./default.nix { inherit homefree-inputs; inherit system; };
imports = [ ];
default = homefree;
lan-client = import ./lan-client.nix { inherit homefree-inputs; inherit system; };
};
nixosConfigurations = {
homefree-test = inputs.nixpkgs.lib.nixosSystem {
system = system;
modules = [
self.nixosModules.homefree
];
};
lan-client = inputs.nixpkgs.lib.nixosSystem {
system = system;
modules = [
self.nixosModules.lan-client
];
};
};
};
}
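Review bot: `authentik-nix` now comes from a personal fork branch, `url = "github:erahhal/authentik-nix/no-docs"`, instead of `nix-community/authentik-nix`; for the identity provider that will hold every user's credentials that is a supply-chain decision that should be recorded next to the line (what the fork changes and when to return to upstream), and pinned to a commit rather than a moving branch so a later `nix flake update` cannot silently pull new fork commits. The lock file pins `daba454…` today, which is fine, but nothing in flake.nix conveys that intent; something like `# fork: drops the docs build only, pinned until <upstream PR> lands` plus `url = "github:erahhal/authentik-nix/daba454bd25cea9796e525d225f06fb0782abba6";` would. `nixos-hardware.url = "github:NixOS/nixos-hardware/master"` has the same moving-target property, though the risk there is lower.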


@ -1,10 +1,16 @@
#!/usr/bin/env bash
## @TODO: consolidate to single script that works on host or on guest
## @TODO: If no user key on guest, complain and abort
## @TODO: Fix error messages that mess with getting fingerprit
## @TODO: Make sure uid matches <curruser>@localhost, as it tells sops where to look for keyring
## https://www.reddit.com/r/GnuPG/comments/m76to1/is_there_a_way_to_change_the_name_on_a_key_pair/
## Import the user's SSH key into GPG
cp ~/.ssh/id_rsa /tmp/id_rsa
ssh-keygen -p -N "" -f /tmp/id_rsa
USER_GPG_FINGERPRINT=$(nix-shell --quiet -p gnupg -p ssh-to-pgp --run "ssh-to-pgp -private-key -i /tmp/id_rsa | gpg --import --quiet" 2>&1 | head -2 | tail -1)
USER_GPG_FINGERPRINT=$(nix-shell --quiet -p gnupg -p ssh-to-pgp --run "ssh-to-pgp -private-key -i /tmp/id_rsa | gpg --import --allow-non-selfsigned-uid --quiet" 2>&1 | head -2 | tail -1)
echo "${USER_GPG_FINGERPRINT}"
rm /tmp/id_rsa
# set ultimate trust level
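Review bot: `cp ~/.ssh/id_rsa /tmp/id_rsa` followed by `ssh-keygen -p -N "" -f /tmp/id_rsa` places a passphrase-less copy of the user's SSH private key at a predictable path in the shared `/tmp` until the `rm` two lines later, and if `nix-shell`, `ssh-to-pgp` or `gpg` fails in between the unencrypted key is left behind. Create the copy with `mktemp` under `umask 077` and delete it from an `EXIT` trap so it is cleaned up on every exit path, including errors and Ctrl-C. The newly added `--allow-non-selfsigned-uid` appears to be required because the `ssh-to-pgp` output carries no self-signature, but it also means GPG will not verify the UID on this key — a one-line comment stating that would stop it being mistaken for a leftover workaround. The script continues after the hunk (`# set ultimate trust level`).

```shell
#!/usr/bin/env bash
# … unchanged: @TODO notes …
## Import the user's SSH key into GPG. The passphrase is stripped from a private temp copy
## only (mode 0600, removed on every exit path), never from ~/.ssh/id_rsa itself.
umask 077
KEY_COPY=$(mktemp)
trap 'rm -f "${KEY_COPY}"' EXIT
cp ~/.ssh/id_rsa "${KEY_COPY}"
ssh-keygen -p -N "" -f "${KEY_COPY}"
## --allow-non-selfsigned-uid: ssh-to-pgp output has no self-signature, so gpg would otherwise drop the UID (confirm)
USER_GPG_FINGERPRINT=$(nix-shell --quiet -p gnupg -p ssh-to-pgp --run "ssh-to-pgp -private-key -i ${KEY_COPY} | gpg --import --allow-non-selfsigned-uid --quiet" 2>&1 | head -2 | tail -1)
echo "${USER_GPG_FINGERPRINT}"
# … unchanged: set ultimate trust level …
```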


@ -1,6 +1,7 @@
#!/usr/bin/env bash
ssh -o LogLevel=ERROR -o StrictHostKeychecking=no -p 2223 homefree@localhost "mkdir -p ~/.ssh"
scp -P 2223 ~/.ssh/id_rsa homefree@localhost:/home/homefree/.ssh/id_rsa
scp -P 2223 ~/.ssh/id_rsa.pub homefree@localhost:/home/homefree/.ssh/id_rsa.pub
ssh -o LogLevel=ERROR -o StrictHostKeychecking=no -p 2223 homefree@localhost "cd ~/nixcfg/HomeFree; ./generate-sops-config-server.sh"
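Review bot: The new `mkdir -p ~/.ssh` on the guest creates the directory with whatever umask the guest shell has, so the private key copied on the next line may land in a traversable directory; use `mkdir -p -m 700 ~/.ssh`. More broadly, this script copies the host user's `id_rsa` into the VM over a connection with `StrictHostKeyChecking=no` (the misspelling `StrictHostKeychecking` still parses because OpenSSH option names are case-insensitive); for a localhost port-forward the MITM exposure is small, but anything that can bind 2223 while the VM is down receives the key. Generating a dedicated keypair inside the guest and adding only its public key to `.sops.yaml`, or at least pinning the VM host key with `-o UserKnownHostsFile=…`, would avoid handing the host's private key to the guest at all.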


@ -1,83 +0,0 @@
{ config, inputs, lib, ... }:
{
imports = [
../../profiles/authentik.nix
../../profiles/common.nix
../../profiles/config-editor.nix
../../profiles/ddclient.nix
../../profiles/home-assistant
../../profiles/hardware-configuration.nix
../../profiles/hosting.nix
../../profiles/postgres.nix
../../profiles/router.nix
../../profiles/vaultwarden.nix
../../profiles/virtual-machine.nix
];
# --------------------------------------------------------------------------------------
# Boot
# --------------------------------------------------------------------------------------
boot.loader = {
systemd-boot = {
enable = true;
configurationLimit = 10;
# Use maximum resolution in systemd-boot for hidpi
consoleMode = "max";
};
efi = {
canTouchEfiVariables = true;
};
};
# --------------------------------------------------------------------------------------
# File system
# --------------------------------------------------------------------------------------
# @TODO: Setup luks or some disk encryption (ZFS?)
# --------------------------------------------------------------------------------------
# Network
# --------------------------------------------------------------------------------------
# Prevent hanging when waiting for network to be up
systemd.network.wait-online.anyInterface = true;
# --------------------------------------------------------------------------------------
# Device specific
# --------------------------------------------------------------------------------------
# @TODO: Make this UI configurable
## Must be forced due to Authentik hard coding a value of UTC
time.timeZone = lib.mkForce config.homefree.system.timeZone;
networking = {
hostName = config.homefree.system.hostName;
## NetworkManager disabled in favor of networkd
useNetworkd = true;
wireless = {
# Disable wpa_supplicant
enable = false;
};
interfaces = {
ens3.useDHCP = true;
};
};
# services.openssh.hostKeys = [
# {
# bits = 4096;
# openSSHFormat = true;
# path = "/etc/ssh/ssh_host_rsa_key";
# rounds = 100;
# type = "rsa";
# }
# ];
# --------------------------------------------------------------------------------------
# Hardware specific
# --------------------------------------------------------------------------------------
}


@ -1,19 +1,23 @@
{ lib, ... }:
{ config, lib, ... }:
{
imports = [
../../profiles/adguardhome.nix
../../profiles/authentik.nix
../../profiles/common.nix
../../profiles/config-editor.nix
../../profiles/ddclient.nix
../../profiles/home-assistant
../../profiles/git.nix
../../profiles/gitea.nix
../../profiles/hardware-configuration.nix
../../profiles/hosting.nix
../../profiles/nixvim.nix
../../profiles/postgres.nix
../../profiles/router.nix
../../profiles/unifi.nix
../../profiles/vaultwarden.nix
../../profiles/virtual-machine.nix
../../profiles/wireguard.nix
];
# --------------------------------------------------------------------------------------
@ -51,19 +55,19 @@
# @TODO: Make this UI configurable
## Must be forced due to Authentik hard coding a value of UTC
time.timeZone = lib.mkForce "America/Los_Angeles";
time.timeZone = lib.mkForce config.homefree.system.timeZone;
networking = {
# @TODO: Make this UI configurable
hostName = "homefree";
hostName = config.homefree.system.hostName;
## NetworkManager disabled in favor of networkd
useNetworkd = true;
wireless = {
# Disable wpa_supplicant
enable = false;
};
# wireless = {
# # Disable wpa_supplicant
# enable = false;
# };
interfaces = {
ens3.useDHCP = true;
"${config.homefree.network.wan-interface}".useDHCP = true;
};
};


@ -1,8 +1,15 @@
## @TODO: Look at the following for a VM test setup
## https://github.com/nix-community/disko/blob/master/module.nix
{ lib, ... }:
{ config, lib, extendModules, ... }:
# let
# vmVariantWithHomefree = extendModules {
# modules = [
# ./lib/interactive-vm.nix
# ];
# };
# in
{
options.homefree = {
system = {
@ -12,12 +19,14 @@
description = "Hostname for the system";
};
## @TODO: Detect during setup
timeZone = lib.mkOption {
type = lib.types.str;
default = "America/Los_Angeles";
description = "Timezone for the system";
};
## @TODO: Detect during setup
defaultLocale = lib.mkOption {
type = lib.types.str;
default = "en_US.UTF-8";
@ -26,6 +35,7 @@
searchDomainsLocal = lib.mkOption {
type = lib.types.listOf lib.types.str;
## @TODO: Should this be "local"?
default = [ "localdomain" ];
description = "Search domain for the system";
};
@ -45,7 +55,11 @@
adminHashedPassword = lib.mkOption {
type = lib.types.str;
default = "";
description = "Hashed password for the system admin";
description = ''
Hashed password for the system admin
Generate with:
mkpasswd -m sha-512
'';
};
authorizedKeys = lib.mkOption {
@ -55,19 +69,28 @@
};
};
ddclient = lib.mkOption {
network = {
## @TODO: Detect during setup
wan-interface = lib.mkOption {
type = lib.types.str;
default = "ens3";
description = "External interface to the internet";
};
## @TODO: Detect during setup
lan-interface = lib.mkOption {
type = lib.types.str;
default = "ens5";
description = "Internal interface to the local network";
};
};
ddclient = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Enable dynamic DNS client";
};
interval = lib.mkOption {
type = lib.types.str;
default = "10m";
description = "Interval for dynamic DNS client";
};
protocol = lib.mkOption {
type = lib.types.str;
default = "hetzner";
@ -86,21 +109,67 @@
description = "Zone for dynamic DNS client";
};
interval = lib.mkOption {
type = lib.types.str;
default = "10m";
description = "Interval for dynamic DNS client";
};
domains = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ "*" "www" "dev" ];
default = [ "@" "*" "www" "dev" ];
description = "Domains for dynamic DNS client";
};
use = lib.mkOption {
usev4 = lib.mkOption {
type = lib.types.str;
default = "web, web=ipinfo.io/ip";
description = "Use format for dynamic DNS client";
description = "Use format for obtaining ipv4 for dynamic DNS client";
};
usev6 = lib.mkOption {
type = lib.types.str;
default = "web, web=v6.ipinfo.io/ip";
description = "Use format for obtaining ipv6 for dynamic DNS client";
};
};
wireguard = {
peers = lib.mkOption {
type = lib.types.listOf lib.types.attrs;
default = [ ];
description = "List of wireguard peers";
example = ''
[
# List of allowed peers.
{ # Feel free to give a meaning full name
# Public key of the peer (not a file path).
publicKey = "{client public key}";
# List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
allowedIPs = [ "10.100.0.2/32" ];
}
{ # John Doe
publicKey = "{john doe's public key}";
allowedIPs = [ "10.100.0.3/32" ];
}
];
'';
};
};
};
config = {
};
# options.virtualisation.vmVariantWithHomefree = lib.mkOption {
# description = ''
# Machine configuration to be added for the vm script available at `.system.build.vmWithHomefree`.
# '';
# inherit (vmVariantWithHomefree) type;
# default = { };
# visible = "shallow";
# };
#
# config = {
# system.build = {
# testVms = lib.mkDefault config.virtualisation.vmVariantWithHomefree.system.build.vmWithHomefree;
# };
# };
}
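Review bot: `adminHashedPassword` keeps `default = "";`, and an empty string is not a valid crypt hash; depending on how the consuming module feeds it into `users.users.<name>.hashedPassword` (not visible in this hunk), an empty hash field can mean passwordless login rather than a locked account. Safer is `type = lib.types.nullOr lib.types.str; default = null;` with an assertion that a hash is supplied before the admin account is created, and the help text already added (`mkpasswd -m sha-512`) then documents the only accepted form. The new `wireguard.peers` option is typed `lib.types.listOf lib.types.attrs`, so a misspelled `publicKey` or a missing `allowedIPs` only surfaces when the tunnel fails at runtime; a `listOf (submodule { options.publicKey = mkOption { type = str; }; options.allowedIPs = mkOption { type = listOf str; }; })` would reject that at evaluation, which matters for the ACL semantics of `allowedIPs`.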


profiles/adguardhome.nix Normal file

@ -0,0 +1,158 @@
{ config, lib, pkgs, ... }:
{
#-----------------------------------------------------------------------------------------------------
# Ad blocking
#-----------------------------------------------------------------------------------------------------
services.adguardhome = {
enable = true;
openFirewall = true;
port = 3000;
settings = {
http = {
address = "0.0.0.0:3000";
session_ttl = "720h";
};
users = [
{
name = config.homefree.system.adminUsername;
password = "$2a$10$Tt4QvbLQxnspv2TbcLMP7ug8eJ0NqMsGyVPbpEqtmkyCVrFpvh4GS";
# password = config.homefree.system.adminHashedPassword;
}
];
auth_attempts = 5;
block_auth_min = 15;
theme = "auto";
dns = {
bind_hosts = [ "0.0.0.0" ];
port = 53;
anonymize_client_ip = false;
ratelimit = 20;
ratelimit_subnet_len_ipv4 = 24;
ratelimit_subnet_len_ipv6 = 56;
ratelimit_whitelist = [];
refuse_any = true;
upstream_dns = [
"10.0.0.1"
"https://dns10.quad9.net/dns-query"
];
bootstrap_dns = [
"9.9.9.10"
"149.112.112.10"
"2620:fe::10"
"2620:fe::fe:10"
];
upstream_mode = "load_balance";
fastest_timeout = "1s";
blocked_hosts = [
"version.bind"
"id.server"
"hostname.bind"
];
trusted_proxies = [
"127.0.0.0/8"
"::1/128"
];
cache_size = 4194304;
cache_ttl_min = 0;
cache_ttl_max = 0;
cache_optimistic = false;
aaaa_disabled = false;
enable_dnssec = false;
edns_client_subnet = {
custom_ip = "";
enabled = false;
use_custom = false;
};
max_goroutines = 300;
handle_ddr = true;
ipset = [];
ipset_file = "";
bootstrap_prefer_ipv6 = false;
upstream_timeout = "10s";
private_networks = [];
use_private_ptr_resolvers = true;
local_ptr_upstreams = [];
use_dns64 = false;
dns64_prefixes = [];
serve_http3 = false;
use_http3_upstreams = false;
serve_plain_dns = true;
hostsfile_enabled = true;
};
filters = [
{
enabled = true;
url = "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt";
name = "AdGuard DNS filter";
id = 1;
}
{
enabled = false;
url = "https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt";
name = "AdAway Default Blocklist";
id = 2;
}
];
whitelist_filters = [];
user_rules = [];
dhcp = {
enabled = false;
};
filtering = {
blocking_ipv4 = "";
blocking_ipv6 = "";
blocked_services = {
schedule = {
time_zone = "Local";
};
ids = [];
};
protection_disabled_until = null;
safe_search = {
enabled = false;
bing = true;
duckduckgo = true;
google = true;
pixabay = true;
yandex = true;
youtube = true;
};
blocking_mode = "default";
parental_block_host = "family-block.dns.adguard.com";
safebrowsing_block_host = "standard-block.dns.adguard.com";
rewrites = [];
safebrowsing_cache_size = 1048576;
safesearch_cache_size = 1048576;
parental_cache_size = 1048576;
cache_time = 30;
filters_update_interval = 24;
blocked_response_ttl = 10;
filtering_enabled = true;
parental_enabled = false;
safebrowsing_enabled = false;
protection_enabled = true;
};
clients = {
runtime_sources = {
whois = true;
arp = true;
rdns = true;
dhcp = true;
hosts = true;
};
persistent = [];
};
log = {
file = "";
max_backups = 0;
max_size = 100;
max_age = 3;
compress = false;
local_time = false;
verbose = false;
};
schema_version = 28;
};
};
}
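Review bot: `password = "$2a$10$Tt4QvbLQ…"` commits a fixed bcrypt hash into a module that is meant to ship to every HomeFree install, so all deployments would share one AdGuard admin password, the hash is exposed to offline cracking from the public repo, and because `services.adguardhome.settings` is rendered into the Nix store it is also world-readable on the box itself. The commented-out `config.homefree.system.adminHashedPassword` cannot simply be swapped in because AdGuard Home expects bcrypt while that option documents `mkpasswd -m sha-512`; a dedicated bcrypt option (generated with `htpasswd -B -n <user>`) or a sops-provided value merged at activation is needed, and the literal should be removed before this is published. Separately, `http.address = "0.0.0.0:3000"` with `openFirewall = true` exposes the admin UI on every interface including the one `homefree.network.wan-interface` names, and `dns.bind_hosts = [ "0.0.0.0" ]` becomes an open resolver if port 53 is reachable from the WAN (`refuse_any` and `ratelimit = 20` soften but do not remove the amplification risk); scoping the firewall to the LAN interface, as below, keeps both LAN-only. `enable_dnssec = false` and the hard-coded `upstream_dns` entry `10.0.0.1` also deserve a comment explaining the choice.

```nix
services.adguardhome = {
  enable = true;
  # Not openFirewall: that would open the admin UI port on every interface, WAN included.
  openFirewall = false;
  port = 3000;
  # … unchanged: settings (http, users, dns, filters, …) …
};
# DNS and the admin UI are reachable from the LAN side only.
networking.firewall.interfaces."${config.homefree.network.lan-interface}" = {
  allowedTCPPorts = [ 53 3000 ];
  allowedUDPPorts = [ 53 ];
};
```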


@ -1,4 +1,4 @@
{ agenix, options, system, ... }:
{ config, agenix, options, system, ... }:
{
environment.systemPackages = [
agenix.packages.${system}.default
@ -9,6 +9,6 @@
# default path is /etc/ssh/ssh_host_rsa_key
age.identityPaths = options.age.identityPaths.default ++ [
"/home/homefree/.ssh/id_rsa"
"/home/${config.system.homefree.adminUsername}/.ssh/id_rsa"
];
}
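Review bot: The identity path on the `age.identityPaths` line reads `config.system.homefree.adminUsername`, while every other hunk in this commit (authentik, ddclient, the users block) reads `config.homefree.system.adminUsername`; unless both option trees exist, evaluation fails on an undefined attribute. Change it to `"/home/${config.homefree.system.adminUsername}/.ssh/id_rsa"`. Separately, adding the admin's personal `id_rsa` as an age identity means that login user's SSH key can decrypt every host secret; the `options.age.identityPaths.default` list already covers `/etc/ssh/ssh_host_rsa_key`, which is the better identity for a server, so consider whether this extra entry is needed at all.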


@ -1,4 +1,4 @@
{ pkgs, ... }:
{ config, pkgs, ... }:
{
environment.systemPackages = with pkgs; [
openldap
@ -8,6 +8,7 @@
enable = true;
# Deployed SOPS file
environmentFile = "/run/secrets/authentik/authentik-env";
## @TODO: make these configurable from module
settings = {
email = {
host = "smtp.homefree.host";
@ -39,7 +40,7 @@
# @TODO: Move secrets to this folder
sopsFile = ../secrets/authentik.yaml;
owner = "homefree";
owner = config.homefree.system.adminUsername;
path = "/run/secrets/authentik/authentik-env";
restartUnits = [ "authentik.service" ];
};
@ -48,7 +49,7 @@
# @TODO: Move secrets to this folder
sopsFile = ../secrets/authentik.yaml;
owner = "homefree";
owner = config.homefree.system.adminUsername;
path = "/run/secrets/authentik/authentik-ldap-env";
restartUnits = [ "authentik-ldap.service" ];
};
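Review bot: Both sops secrets now set `owner = config.homefree.system.adminUsername`, which hands an interactive wheel account read access to the Authentik secret key and the LDAP token instead of only the identity the service runs as. Unless `authentik.service` (not visible here) actually runs as that user, keep the root default or set the owner to the service's own account; systemd `LoadCredential` is another way to avoid widening ownership. A comment on those lines stating who must read the file, e.g. `# owner must be the uid that authentik.service runs as`, would make the choice reviewable. The `settings` block under the new `## @TODO` still hard-codes `smtp.homefree.host`, while the rest of the commit moved such values into `config.homefree.*` options.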


@ -1,4 +1,4 @@
{ homefree-inputs, pkgs, system, ...}:
{ config, homefree-inputs, pkgs, system, ...}:
{
# --------------------------------------------------------------------------------------
@ -11,7 +11,7 @@
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "24.05"; # Did you read the comment?
system.stateVersion = "24.11"; # Did you read the comment?
# @TODO: Could this be useful for auto-upgrading systems out there?
# system.autoUpgrade = {
@ -27,10 +27,11 @@
# };
nix = {
nixPath = [ "nixpkgs=${homefree-inputs.nixpkgs}" "nixos-config=/home/homefree/nixcfg" ];
nixPath = [ "nixpkgs=${homefree-inputs.nixpkgs}" "nixos-config=/home/${config.homefree.system.adminUsername}/nixcfg" ];
# Which package collection to use system-wide.
package = pkgs.nixFlakes;
package = pkgs.nixVersions.stable;
# package = pkgs.nixFlakes;
settings = {
# sets up an isolated environment for each build process to improve reproducibility.
@ -73,7 +74,7 @@
keep-outputs = true
'';
registry.nixpkgs.flake = homefree-inputs.nixpkgs;
# registry.nixpkgs.flake = homefree-inputs.nixpkgs;
# Garbage collection - deletes all unreachable paths in Nix store.
gc = {
@ -96,14 +97,13 @@
# User config
# --------------------------------------------------------------------------------------
users.users.homefree = {
users.users."${config.homefree.system.adminUsername}" = {
isNormalUser = true;
home = "/home/homefree";
description = "Homefree User";
home = "/home/${config.homefree.system.adminUsername}";
description = "Homefree Admin";
extraGroups = [ "wheel" ];
# @TODO: Make this dynamic, not hard coded
openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNvmGn1/uFnfgnv5qsec0GC04LeVB1Qy/G7WivvvUZVBBDzp8goe1DsE8M8iqnBSin56gQZDWsd50co2MbFAWuqH2HxY7OGay7P/V2q+SziTYFva85WGl84qWvYMmdB+alAFBT3L4eH5cegC5NhNp+OGsQuq32RdojgXXQt6vyZnaOypuz90k3rqV6Rt+iBTLz6VziasCLcYydwOvi9f1q6YQwGPLKaupDrV6gxvoX9bXLdopqwnXPSE/Eqczxgwc3PefvAJPSd6TOqIXvbtpv/B3Evt5SPe2gq+qASc5K0tzgra8KAe813kkpq4FuKJzHbT+EmO70wiJjru7zMEhd erahhal@nfml-erahhalQFL" ];
hashedPassword = "$6$5.6V9H0g5F47ubUm$e0N.GXZ9eoqmvpO9MjZlCISC9IIxKKcf0xtnuFyuXSQEQlfaazrS4kBhplDB6GCsQgwpOxdrX2DmcwbMiX/h30";
openssh.authorizedKeys.keys= config.homefree.system.authorizedKeys;
hashedPassword = config.homefree.system.adminHashedPassword;
};
security.sudo.extraRules = [
@ -129,6 +129,15 @@
# Nix mounts read-write automatically when it needs to write to it.
boot.readOnlyNixStore = true;
boot.kernelPackages = pkgs.linuxPackages_latest;
# --------------------------------------------------------------------------------------
# Hardware
# --------------------------------------------------------------------------------------
hardware.enableRedistributableFirmware = true;
hardware.enableAllFirmware = true;
# --------------------------------------------------------------------------------------
# Services
# --------------------------------------------------------------------------------------
@ -162,6 +171,15 @@
powertop.enable = true;
};
# Eternal Terminal
services.eternal-terminal.enable = true;
# et port
networking.firewall.allowedTCPPorts = [ 2022 ];
environment.variables = {
ET_NO_TELEMETRY = "1";
};
# --------------------------------------------------------------------------------------
# i18n
# --------------------------------------------------------------------------------------
@ -183,23 +201,13 @@
programs.mosh.enable = true;
# environment.variables.EDITOR = "neovim";
programs.neovim = {
enable = true;
defaultEditor = true;
};
environment.interactiveShellInit = ''
alias vi='nvim'
alias vim='nvim'
'';
environment.systemPackages = with pkgs; [
at-spi2-core
backblaze-b2
bashmount
bfg-repo-cleaner
bind
btop
ccze # readable parsed system logs
cpufrequtils
distrobox
@ -231,7 +239,6 @@
memtest86plus
minicom
neofetch
neovim
nil
nix-index
openssl
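Review bot: `networking.firewall.allowedTCPPorts = [ 2022 ]` in the Eternal Terminal hunk opens the remote-shell listener on every interface, and this profile runs on the host that owns the WAN interface (`config.homefree.network.wan-interface` is referenced elsewhere in this commit), so ET would be reachable from the internet whenever the firewall is on. Scope it to the LAN side: `networking.firewall.interfaces.${config.homefree.network.lan-interface}.allowedTCPPorts = [ 2022 ];`. The `system.stateVersion` change from `"24.05"` to `"24.11"` sits directly under the comment telling you not to change it; on an already-installed host this silently moves state-dependent defaults (database versions among them), so revert it or document that this profile is for fresh installs only. `hardware.enableAllFirmware = true` also implies the redistributable set and, as far as I recall, asserts `allowUnfree`, so the `enableRedistributableFirmware` line above it is redundant.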


@ -7,13 +7,14 @@
services.ddclient = {
enable = true;
interval = "10m";
protocol = "hetzner";
username = "erahhal";
zone = "homefree.host";
domains = [ "@" "*" "www" "dev" ];
interval = config.homefree.ddclient.interval;
protocol = config.homefree.ddclient.protocol;
username = config.homefree.ddclient.username;
zone = config.homefree.ddclient.zone;
domains = config.homefree.ddclient.domains;
passwordFile = "/run/secrets/ddclient/ddclient-password";
use = "web, web=ipinfo.io/ip";
usev4 = config.homefree.ddclient.usev4;
usev6 = config.homefree.ddclient.usev6;
verbose = true;
};
@ -22,7 +23,7 @@
format = "yaml";
sopsFile = ../secrets/ddclient.yaml;
owner = "homefree";
owner = config.homefree.system.adminUsername;
path = "/run/secrets/ddclient/ddclient-password";
restartUnits = [ "ddclient.service" ];
};
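Review bot: The secret's `owner` now becomes the interactive admin user, which lets a login account read the DNS-provider token that can rewrite the whole zone; the NixOS ddclient service presumably does not run as that user (recent modules use a dynamic user and load the file as a systemd credential), so the only effect is a wider audience for the secret. Keep the root default and, if the service really cannot read it, grant access to ddclient's own account instead. The hunk also keeps `verbose = true`; check the journal once to confirm the credential is not echoed at that level before leaving it on in production.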

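--- a/profiles/git.nix
+++ b/profiles/git.nix
@@ -0,0 +1,69 @@
+{ config, pkgs, ... }:
+{
+programs.git = {
+enable = true;
+lfs.enable = true;
+config = {
+checkout = {
+defaultRemote = "origin";
+};
+color = {
+ui = "auto";
+};
+core = {
+# Can't specify "${pkgs.neovim}/bin/nvim" because programs.neovim
+# wraps neovim-unwrapped in a special way to load plugins, so must
+# expect nvim to be in $PATH here
+editor = "nvim";
+excludesfile = "~/.gitignore_global";
+};
+delta = {
+enable = true;
+};
+# filter = {
+# lfs = {
+# clean = "${pkgs.git-lfs}/bin/git-lfs clean -- %f";
+# smudge = "${pkgs.git-lfs}/bin/git-lfs smudge --skip -- %f";
+# process = "${pkgs.git-lfs}/bin/git-lfs filter-process --skip";
+# required = true;
+# };
+# };
+push = {
+default = "simple";
+};
+rerere = {
+enabled = true;
+};
+include = {
+path = "~/.gitconfig.local";
+};
+#==========================
+# Diff settings
+#==========================
+pager = {
+difftool = true;
+};
+#-------------------
+## nvim
+# - text-based
+#------------------
+diff = {
+tool = "nvimdiff";
+};
+difftool = {
+prompt = true;
+};
+merge = {
+tool = "nvimdiff";
+trustExitCode = false;
+};
+mergetool = {
+trustExitCode = false;
+};
+};
+};
+}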
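Review bot: `trustExitCode = false` inside the `merge` block is not a git configuration key; git reads `mergetool.trustExitCode` (already set just below) and `mergetool.<tool>.trustExitCode`, so the `merge` entry is dead weight and should be dropped. The `config` and `pkgs` arguments on the first line are unused now that the LFS filter block is commented out, so `{ ... }:` is enough. Since this lands in the system-wide `/etc/gitconfig`, a one-line header such as `# System-wide git defaults; per-user overrides belong in ~/.gitconfig.local (included below)` would tell readers where the include resolves.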


@ -8,8 +8,11 @@
};
settings = {
server = {
HTTP_PORT = 3000;
HTTP_PORT = 3001;
DOMAIN = "git.${config.homefree.system.domain}";
MINIMUM_KEY_SIZE_CHECK = false;
START_SSH_SERVER = true;
SSH_PORT = 3022;
};
};
};
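Review bot: `MINIMUM_KEY_SIZE_CHECK = false` switches off Gitea's rejection of undersized user SSH keys, so anyone can register a 1024-bit RSA or similarly weak key for push access. Unless one specific key type is being rejected, keep the default (true) and relax a single algorithm through `[ssh.minimum_key_sizes]` instead of disabling the check. `START_SSH_SERVER = true` with `SSH_PORT = 3022` listens on all addresses unless `SSH_LISTEN_HOST` is set, and the network profile in this commit leaves the firewall disabled, so that port is reachable from the WAN side as well; bind it to the LAN address or firewall it per interface.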


@ -8,30 +8,11 @@
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_blk" ];
boot.initrd.availableKernelModules = [ "ata_piix" "ahci" "xhci_pci" "nvme" "virtio_pci" "virtio_blk" "floppy" "sd_mod" "sr_mod" "usb_storage" "usbhid" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.kernelModules = [ "kvm-amd" "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "/dev/disk/by-label/nixos";
fsType = "ext4";
};
fileSystems."/efi" =
{ device = "systemd-1";
fsType = "autofs";
};
fileSystems."/home/homefree/nixcfg" =
{ device = "mount_homefree_source";
fsType = "virtiofs";
options = [ "nofail" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
@ -40,4 +21,5 @@
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}
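Review bot: This file no longer declares a `fileSystems."/"`, so the configuration only evaluates if the disko layout added earlier in this series supplies the root filesystem; a short comment where the entries used to be, e.g. `# filesystems and swap are declared by the disko config`, would stop the next reader from re-adding them. The `qemu-guest.nix` import on the first hunk line survives although the commit message targets NUC hardware; it pulls in virtio-guest defaults that are misleading on bare metal, so drop it or move it to the VM profile. `boot.kernelModules` now lists both `kvm-amd` and `kvm-intel` but only `hardware.cpu.intel.updateMicrocode` was added; if AMD hosts are meant to be covered, add `hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;` alongside it.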


@ -95,6 +95,7 @@ in
# "group ui" = "!include groups.yaml";
http = {
# @TODO: Make this a passed-in var
base_url = "ha.homefree.lan";
use_x_forwarded_for = true;
trusted_proxies = [


@ -35,7 +35,8 @@ in
'';
## @TODO: Remove headers and check if still works
extraConfig = ''
reverse_proxy http://10.1.1.1:9000
# reverse_proxy http://10.1.1.1:9000
reverse_proxy http://127.0.0.1:9000
header {
Strict-Transport-Security "max-age=31536000; includeSubdomains"
X-XSS-Protection "1; mode=block"
@ -52,7 +53,8 @@ in
output file ${config.services.caddy.logDir}/access-vaultwarden.log
'';
extraConfig = ''
reverse_proxy http://10.1.1.1:8222
# reverse_proxy http://10.1.1.1:8222
reverse_proxy http://127.0.0.1:8222
header {
Strict-Transport-Security "max-age=31536000; includeSubdomains"
X-XSS-Protection "1; mode=block"
@ -71,7 +73,8 @@ in
# '';
## @TODO: Remove headers and check if still works
# extraConfig = ''
# reverse_proxy http://10.1.1.1:8123
# # reverse_proxy http://10.1.1.1:8123
# reverse_proxy http://127.0.0.1:8123
# header {
# Strict-Transport-Security "max-age=31536000; includeSubdomains"
# X-XSS-Protection "1; mode=block"
@ -89,7 +92,11 @@ in
'';
## @TODO: Remove headers and check if still works
extraConfig = ''
reverse_proxy http://10.1.1.1:9000
## Authentik
# reverse_proxy http://10.1.1.1:9000
# reverse_proxy http://10.1.1.1:9000
reverse_proxy http://127.0.0.1:9000
header {
Strict-Transport-Security "max-age=31536000; includeSubdomains"
X-XSS-Protection "1; mode=block"
@ -106,7 +113,49 @@ in
output file ${config.services.caddy.logDir}/access-git.log
'';
extraConfig = ''
reverse_proxy http://10.1.1.1:3000
# reverse_proxy http://10.1.1.1:3001
reverse_proxy http://127.0.0.1:3001
header {
Strict-Transport-Security "max-age=31536000; includeSubdomains"
X-XSS-Protection "1; mode=block"
X-Content-Type-Options "nosniff"
X-Frame-Options "SAMEORIGIN"
Referrer-Policy "same-origin"
}
'';
};
virtualHosts."http://adguard.homefree.lan, https://adguard.${config.homefree.system.domain}" = {
# Nix config mangles the log name, so set it manually
logFormat = ''
output file ${config.services.caddy.logDir}/access-adguard.log
'';
extraConfig = ''
# reverse_proxy http://10.1.1.1:3000
reverse_proxy http://127.0.0.1:3000
header {
Strict-Transport-Security "max-age=31536000; includeSubdomains"
X-XSS-Protection "1; mode=block"
X-Content-Type-Options "nosniff"
X-Frame-Options "SAMEORIGIN"
Referrer-Policy "same-origin"
}
'';
};
virtualHosts."http://unifi.homefree.lan, https://unifi.${config.homefree.system.domain}" = {
# Nix config mangles the log name, so set it manually
logFormat = ''
output file ${config.services.caddy.logDir}/access-unifi.log
'';
extraConfig = ''
# reverse_proxy https://10.1.1.1:8443 {
reverse_proxy https://127.0.0.1:8443 {
transport http {
tls
tls_insecure_skip_verify
}
}
header {
Strict-Transport-Security "max-age=31536000; includeSubdomains"
X-XSS-Protection "1; mode=block"
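Review bot: The new `adguard` and `unifi` vhosts answer on `https://adguard.${config.homefree.system.domain}` and `https://unifi.${config.homefree.system.domain}` as well as the `.lan` names; with wildcard DNS published by ddclient and the firewall disabled in the network profile, that puts the DNS-filter admin UI and the network-controller UI on the public internet behind only their own login forms. Keep the public names off these two hosts, or guard them with a Caddy `@lan remote_ip 10.1.1.0/24` matcher or the Authentik forward-auth already proxied from this file. The UniFi backend uses `tls_insecure_skip_verify`; since the target is now `127.0.0.1:8443` the exposure is local, but add a comment saying why (`# UniFi serves a self-signed cert; loopback only`) so the line is not copied to a remote backend later. The plain `http://*.homefree.lan` names also carry the AdGuard and UniFi admin logins in clear text on the LAN; consider serving those over TLS with Caddy's internal CA as well.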


@ -0,0 +1,81 @@
{ homefreeLib, modulesPath, config, lib, ... }:
let
vm_homefree = (homefreeLib.prepareHomefreeConfig config homefreeLib.devices).homefree;
cfg_ = (lib.evalModules {
modules = lib.singleton {
# _file = toString input;
imports = lib.singleton { homefree.devices = vm_homefree.devices; };
options = {
homefree.devices = lib.mkOption {
type = homefreeLib.toplevel;
};
homefree.testMode = lib.mkOption {
type = lib.types.bool;
default = true;
};
};
};
}).config;
disks = lib.attrValues cfg_.homefree.devices.disk;
rootDisk = {
name = "root";
file = ''"$tmp"/${lib.escapeShellArg (builtins.head disks).name}.qcow2'';
driveExtraOpts.cache = "writeback";
driveExtraOpts.werror = "report";
deviceExtraOpts.bootindex = "1";
deviceExtraOpts.serial = "root";
};
otherDisks = map
(disk: {
name = disk.name;
file = ''"$tmp"/${lib.escapeShellArg disk.name}.qcow2'';
driveExtraOpts.werror = "report";
})
(builtins.tail disks);
diskoBasedConfiguration = {
# generated from disko config
virtualisation.fileSystems = cfg_.disko.devices._config.fileSystems;
boot = cfg_.disko.devices._config.boot or { };
swapDevices = cfg_.disko.devices._config.swapDevices or [ ];
};
hostPkgs = config.virtualisation.host.pkgs;
in
{
imports = [
(modulesPath + "/virtualisation/qemu-vm.nix")
diskoBasedConfiguration
];
disko.testMode = true;
disko.imageBuilder.copyNixStore = false;
disko.imageBuilder.extraConfig = {
disko.devices = cfg_.disko.devices;
};
disko.imageBuilder.imageFormat = "qcow2";
virtualisation.useEFIBoot = config.disko.tests.efi;
virtualisation.memorySize = lib.mkDefault config.disko.memSize;
virtualisation.useDefaultFilesystems = false;
virtualisation.diskImage = null;
virtualisation.qemu.drives = [ rootDisk ] ++ otherDisks;
boot.zfs.devNodes = "/dev/disk/by-uuid"; # needed because /dev/disk/by-id is empty in qemu-vms
boot.zfs.forceImportAll = true;
boot.zfs.forceImportRoot = lib.mkForce true;
system.build.vmWithDisko = hostPkgs.writers.writeDashBin "disko-vm" ''
set -efux
export tmp=$(${hostPkgs.coreutils}/bin/mktemp -d)
trap 'rm -rf "$tmp"' EXIT
${lib.concatMapStringsSep "\n" (disk: ''
${hostPkgs.qemu}/bin/qemu-img create -f qcow2 \
-b ${config.system.build.diskoImages}/${lib.escapeShellArg disk.name}.qcow2 \
-F qcow2 "$tmp"/${lib.escapeShellArg disk.name}.qcow2
'') disks}
set +f
${config.system.build.vm}/bin/run-*-vm
'';
}
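Review bot: This file has no header saying what it is; it reads as an adaptation of disko's interactive-VM helper (QEMU drives built from `cfg_.homefree.devices.disk`, `disko.testMode = true`, forced ZFS imports), and nothing prevents it being imported into a real host configuration, where `disko.testMode` and `boot.zfs.forceImportRoot = lib.mkForce true` would be unsafe. Add a top comment such as `# Test-only: boots the disko layout in a throwaway QEMU VM; never import into a deployed host`, and consider asserting on `homefree.testMode`, which is declared here with default true but never read. The `disko-vm` script runs under `set -efux`, so every expanded command is echoed to the terminal; drop the `x` from the default unless it is needed for debugging.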

501
profiles/nixvim.nix Normal file

@ -0,0 +1,501 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
ripgrep
];
environment.interactiveShellInit = ''
alias vi='nvim'
alias vim='nvim'
'';
programs.nixvim = {
enable = true;
## ------------------------------------------------
## Options
## ------------------------------------------------
globals = {
mapleader = " "; # global
maplocalleader = " "; # per buffer, e.g. can change behavior per filetype
};
opts = {
number = true; # Show line numbers
relativenumber = true; # Show relative line numbers
ruler = true; # displays line, column, and cursor position at bottom
wrap = false; # don't wrap lines
signcolumn = "yes"; # always show two column sign column on left
cursorline = true; # Highlight line cursor sits on
undodir.__raw = "vim.fs.normalize('~/.local/share/nvim/undo/')";
undofile = true;
# -----------------------------------------------------
# Backspace settings
# indent allow backspacing over autoindent
# eol allow backspacing over line breaks (join lines)
# start allow backspacing over the start of insert; CTRL-W and CTRL-U
# 0 same as ":set backspace=" (Vi compatible)
# 1 same as ":set backspace=indent,eol"
# 2 same as ":set backspace=indent,eol,start"
# -----------------------------------------------------
bs = "2";
# -----------------------------------------------------
# Indentation settings
# -----------------------------------------------------
tabstop = 4; # number of spaces a tab counts for
shiftwidth = 4; # control how many columns text is indented with the reindent operations (<< and >>) and automatic C-style indentation.
expandtab = true; # Insert spaces when entering <Tab>
softtabstop = 4; # Number of spaces that a <Tab> counts for while performing editing operations, like inserting a <Tab> or using <BS>. It "feels" like a tab though
ai = true; # auto indent
};
keymaps = [
# -----------------------------------------------------
# nvim-tree
# -----------------------------------------------------
## Go to current buffer's file in nvim-tree
{
mode = [ "n" ];
key = ",n";
action = ":NvimTreeFindFile<CR>";
}
## Toggle nvim-tree visibility
{
mode = [ "n" ];
key = ",m";
action = ":NvimTreeToggle<CR>";
}
# -----------------------------------------------------
# buffer manipulation
# -----------------------------------------------------
## Next Buffer
{
key = "<Tab>";
action = ":bn<CR>";
options = { noremap = true; };
}
## Previous Buffer
{
key = "<S-Tab>";
action = ":bp<CR>";
options = { noremap = true; };
}
## Close Buffer
{
key = "<leader><Tab>";
action = ":bd<CR>";
options = { noremap = true; };
}
## Force Close Buffer
{
key = "<leader><S-Tab>";
action = ":bd!<CR>";
options = { noremap = true; };
}
## New Tab
{
key = "<leader>t";
action = ":tabnew split<CR>";
options = { noremap = true; };
}
# -----------------------------------------------------
# Telescope
# -----------------------------------------------------
## Lists files in your current working directory, respects .gitignore
{
mode = [ "n" ];
key = "<leader>ff";
action = "<cmd>Telescope find_files<cr>";
options = { noremap = true; };
}
## Finds files by filename
{
mode = [ "n" ];
key = "<c-p>";
action = "<cmd>Telescope find_files<cr>";
options = { noremap = true; };
}
## Search for a string in your current working directory and get results live as you type, respects .gitignore. (Requires ripgrep)
{
mode = [ "n" ];
key = "<leader>fg";
action = "<cmd>Telescope live_grep<cr>";
options = { noremap = true; };
}
## Search file contents
{
mode = [ "n" ];
key = "<c-s>";
action = "<cmd>Telescope live_grep<cr>";
options = { noremap = true; };
}
## Lists open buffers in current neovim instance
{
mode = [ "n" ];
key = "<leader>db";
action = "<cmd>Telescope buffers<cr>";
options = { noremap = true; };
}
## Lists available help tags and opens a new window with the relevant help info on <cr>
{
mode = [ "n" ];
key = "<leader>fh";
action = "<cmd>Telescope help_tags<cr>";
options = { noremap = true; };
}
## Lists manpage entries, opens them in a help window on <cr>
{
mode = [ "n" ];
key = "<leader>fm";
action = "<cmd>Telescope man_pages<cr>";
options = { noremap = true; };
}
## Lists previously open files
{
mode = [ "n" ];
key = "<leader>fp";
action = "<cmd>Telescope oldfiles<cr>";
options = { noremap = true; };
}
## Lists previously open files, Maps to ctrl-/
{
mode = [ "n" ];
key = "<c-_>";
action = "<cmd>Telescope oldfiles<cr>";
options = { noremap = true; };
}
## Lists spelling suggestions for the current word under the cursor, replaces word with selected suggestion on <cr>
{
mode = [ "n" ];
key = "<leader>fs";
action = "<cmd>Telescope spell_suggest<cr>";
options = { noremap = true; };
}
## Lists LSP references for iword under the cursor
{
mode = [ "n" ];
key = "<leader>fr";
action = "<cmd>Telescope lsp_references<cr>";
options = { noremap = true; };
}
## Lists LSP incoming calls for word under the cursor
{
mode = [ "n" ];
key = "<leader>fi";
action = "<cmd>Telescope lsp_incoming_calls<cr>";
options = { noremap = true; };
}
## Lists LSP outgoing calls for word under the cursor
{
mode = [ "n" ];
key = "<leader>fo";
action = "<cmd>Telescope lsp_outgoing_calls<cr>";
options = { noremap = true; };
}
## Dynamically Lists LSP for all workspace symbols
{
mode = [ "n" ];
key = "<leader>fw";
action = "<cmd>Telescope lsp_dynamic_workspace_symbols<cr>";
options = { noremap = true; };
}
## Goto the definition of the word under the cursor, if there's only one, otherwise show all options in Telescope
{
mode = [ "n" ];
key = "<leader>fd";
action = "<cmd>Telescope lsp_definitions<cr>";
options = { noremap = true; };
}
## Other Telescope options:
## git_files search only files in git, respects .gitignore
## oldfiles previously opened files
## command_history
## search_history
## man_pages
## resume lists the results including multi-selections of the previous
## picker
# -----------------------------------------------------
# Diff
# -----------------------------------------------------
{
mode = [ "n" ];
key = ",d";
## @TODO: This doesn't work
action = ''
function()
if next(require('diffview.lib').views) == nil then
vim.cmd('DiffviewOpen origin')
else
vim.cmd('DiffviewClose')
end
end
'';
options = { noremap = true; };
}
# -----------------------------------------------------
# Bufferline
# -----------------------------------------------------
{
mode = [ "n" ];
key = "<A-h>";
action = ":BufferLineCyclePrev<CR>";
options = { noremap = true; silent = true; };
}
{
mode = [ "n" ];
key = "<A-l>";
action = ":BufferLineCycleNex<CR>";
options = { noremap = true; silent = true; };
}
{
mode = [ "n" ];
key = "<A-c>";
action = ":bdelete!<CR>";
options = { noremap = true; silent = true; };
}
];
autoCmd = [
## Close nvim on last buffer closed, not leaving neovim-tree open
{
event = [ "BufEnter" ];
pattern = [ "NvimTree_*" ];
callback = {
__raw = ''
function()
local layout = vim.api.nvim_call_function("winlayout", {})
if layout[1] == "leaf" and vim.api.nvim_buf_get_option(vim.api.nvim_win_get_buf(layout[2]), "filetype") == "NvimTree" and layout[3] == nil then vim.cmd("confirm quit") end
end
'';
};
}
## Go to same line in file next time it is open
{
event = [ "BufReadPost" ];
pattern = [ "*" ];
callback = {
__raw = ''
function()
if vim.fn.line("'\"") > 1 and vim.fn.line("'\"") <= vim.fn.line("$") then
vim.api.nvim_exec("normal! g'\"",false)
end
end
'';
};
}
## Highlight tabs and trailing whitespace
{
event = [ "BufEnter" ];
pattern = [ "*" ];
callback = {
__raw = ''
function()
vim.cmd([[
if exists('w:extratabs')
call matchdelete(w:extratabs)
unlet w:extratabs
endif
if exists('w:trailingwhitespace')
call matchdelete(w:trailingwhitespace)
unlet w:trailingwhitespace
endif
highlight ExtraTabs ctermbg=red guibg=red
highlight TrailingWhitespace ctermbg=red guibg=red
if &ft != 'help'
let w:extratabs=matchadd('ExtraTabs', '\t\+')
let w:trailingwhitespace=matchadd('TrailingWhitespace', '\s\+$')
endif
]])
end
'';
};
}
## Trim tailing whitespace on save
{
event = [ "BufWritePre" ];
pattern = [ "*" ];
callback = {
__raw = ''
function()
vim.cmd([[
if &ft =~ 'javascript\|html\|jade\|json\|css\|less\|php\|python\|sh\|c\|cpp\|markdown\|yaml\|vim\|nix'
:%s/\s\+$//e
elseif expand('%:t') =~ '\.gltf$' || expand('%:t') =~ '\.glsl$'
:%s/\s\+$//e
endif
]])
end
'';
};
}
];
## ------------------------------------------------
## Theme
## ------------------------------------------------
colorschemes.tokyonight.enable = true;
# colorschemes.gruvbox.enable = true;
## Or:
# extraPlugins = [ pkgs.vimPlugins.gruvbox ];
# colorscheme = "gruvbox";
## ------------------------------------------------
## Included Plugins
## ------------------------------------------------
plugins.bufferline = {
enable = true;
# extraOptions = {
settings = {
options = {
tabpages = true;
sidebar_filetypes = {
NvimTree = true;
};
diagnostics = "nvim_lsp";
always_show_bufferline = true;
};
highlights = {
buffer_selected = {
# fg = "#ffffff";
bold = true;
};
};
};
};
plugins.comment.enable = true;
plugins.diffview = {
enable = true;
};
plugins.fugitive.enable = true;
plugins.gitsigns.enable = true;
plugins.lightline.enable = true;
plugins.lualine.enable = true;
plugins.nvim-autopairs.enable = true;
plugins.nvim-tree = {
enable = true;
extraOptions = {
actions = {
remove_file = {
close_window = false;
};
};
## Keep tree open if already open when opening a tab
tab = {
sync = {
open = true;
close = true;
};
};
view = {
width = 30;
};
renderer = {
group_empty = true;
};
git = {
enable = true;
ignore = false;
timeout = 500;
};
};
};
plugins.rainbow-delimiters.enable = true;
plugins.sleuth.enable = true;
plugins.telescope = {
enable = true;
extensions.ui-select.enable = true;
settings = {
defaults = {
mappings = {
i = {
# One instead of two esc taps to exit telescope
"<esc>" = {
__raw = "require('telescope.actions').close";
};
# Ctrl-space is used by Tmux, so remap to Ctrl-e
"<c-e>" = {
__raw = "require('telescope.actions').to_fuzzy_refine";
};
# "<c-o>" = {
# __raw = "require('trouble.sources.telescope').open";
# };
};
n = {
# "<c-o>" = {
# __raw = "require('trouble.sources.telescope').open";
# };
};
};
};
};
};
plugins.treesitter.enable = true;
plugins.tmux-navigator.enable = true;
plugins.trouble.enable = true;
# ## Needed for telescope, nvim-tree, trouble, diffview, bufferline, and other plugins
# ## Only on unstable at the moment
plugins.web-devicons.enable = true;
## ------------------------------------------------
## Extra Plugins
## ------------------------------------------------
extraPlugins = with pkgs.vimPlugins; [
vim-nix
{
plugin = vim-signify;
config = ''
let g:signify_vcs_cmds = { 'git': 'git diff --no-color --no-ext-diff -U0 master -- %f' }
let g:signify_priority = 1
highlight SignColumn ctermbg=237
'';
}
vim-surround
## focus-nvim only in unstable
# (pkgs.vimUtils.buildVimPlugin {
# name = "focus-nvim";
# src = pkgs.fetchFromGitHub {
# owner = "nvim-focus";
# repo = "focus.nvim";
# rev = "3841a38df972534567e85840d7ead20d3a26faa6";
# sha256 = "sha256-mgHk4u0ab2uSUNE+7DU22IO/xS5uop9iATfFRk6l6hs=";
# };
# })
];
};
}
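Review bot: `undofile = true` with `undodir` under `~/.local/share/nvim/undo/` persists the full edit history of every buffer to disk, which will include the plaintext of secrets edited with `sops` or `agenix` (both hand the decrypted file to `$EDITOR` as a temporary file, typically under `/tmp`), and this is the editor installed system-wide on the host that holds those secrets. Add an autocmd that disables persistence for those paths, e.g. `{ event = [ "BufReadPre" "BufNewFile" ]; pattern = [ "/tmp/*" "/dev/shm/*" "/run/user/*" ]; command = "setlocal noundofile noswapfile nobackup nowritebackup"; }`. The `<A-l>` mapping in the Bufferline block calls `:BufferLineCycleNex<CR>`, missing the final `t`, so it errors instead of cycling; fix it to `:BufferLineCycleNext<CR>`.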


@ -1,11 +1,9 @@
{ homefree-inputs, pkgs, ... }:
{ config, homefree-inputs, pkgs, ... }:
let
# @TODO: How to determine interface names?
# wan-interface = "ens5";
wan-interface = "ens3";
# lan-interface = "ens6";
lan-interface = "ens5";
wan-interface = config.homefree.network.wan-interface;
lan-interface = config.homefree.network.lan-interface;
vlan-wan-id = 100;
vlan-lan-id = 200;
vlan-iot-id = 201;
@ -53,6 +51,9 @@ in
useDHCP = false;
nameservers = dns-servers;
# resolvconf = {
# };
## Define VLANS
## https://www.breakds.org/post/vlan-configuration-by-examples/
# vlans = {
@ -77,7 +78,7 @@ in
interfaces = {
# Don't request DHCP on the physical interfaces
${wan-interface} = {
# useDHCP = false;
# useDHCP = true;
};
${lan-interface} = {
useDHCP = false;
@ -115,7 +116,10 @@ in
# Firewall
#-----------------------------------------------------------------------------------------------------
nat.enable = false;
## @TODO: Evaluate this
# nat.enable = false;
## @TODO: Evaluate this
firewall.enable = false;
## @TODO: Look into nftables Nix DSL: https://github.com/chayleaf/notnft
@ -250,7 +254,7 @@ in
"${lan-interface},10.1.1.100,10.1.1.254,255.255.255.0,8h"
];
## Disable DNS
## Disable DNS, since Unbound is handling DNS
port = 0;
## Additional DHCP options
@ -282,6 +286,7 @@ in
include = [
"\"${adlist.unbound-adblockStevenBlack}\""
];
port = 5353;
interface = [
"127.0.0.1"
"::1"
@ -307,12 +312,23 @@ in
local-data-ptr = [
"\"10.1.1.1 radicale.lan\""
];
hide-identity = true;
hide-version = true;
# Based on recommended settings in https://doc.pi-hole.net/guides/dns/unbound/#configure-unbound
harden-glue = true;
harden-dnssec-stripped = true;
use-caps-for-id = false;
prefetch = true;
edns-buffer-size = 1232;
};
forward-zone = [
{
name = ".";
forward-addr = [
"9.9.9.9#dns.quad9.net"
"1.1.1.1@853#cloudflare-dns.com"
"1.0.0.1@853#cloudflare-dns.com"
];
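Review bot: In the new `forward-zone` entry `9.9.9.9#dns.quad9.net` has no `@853` while both Cloudflare addresses do, so Quad9 is queried on port 53 in clear text if `forward-tls-upstream` is off, or fails the TLS handshake if it is on; make it `"9.9.9.9@853#dns.quad9.net"` (adding `"149.112.112.112@853#dns.quad9.net"` if a second Quad9 address is wanted) so every upstream is DNS-over-TLS. The `forward-zone` list and the enclosing `services.unbound.settings` continue past the end of this hunk, so the `forward-tls-upstream` setting itself is not visible here. Unbound now listens on `port = 5353` on loopback, presumably so AdGuard Home can own :53 and forward here; a comment on that line (`# 5353: AdGuard Home owns :53 and forwards to Unbound`) would save the next reader a guess. The two new `## @TODO: Evaluate this` markers do not say what to evaluate, and the `firewall.enable = false` context line stays in force; with WireGuard, ET, Gitea SSH and UniFi all listening after this commit, re-enabling the firewall with per-interface rules is the evaluation worth doing.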

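--- a/profiles/unifi.nix
+++ b/profiles/unifi.nix
@@ -0,0 +1,12 @@
+{ pkgs, ... }:
+{
+nixpkgs.config.allowUnfree = true;
+services.unifi = {
+enable = true;
+openFirewall = true;
+unifiPackage = pkgs.unifi8;
+mongodbPackage = pkgs.mongodb-7_0;
+};
+}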
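Review bot: `openFirewall = true` opens UniFi's inform, web, STUN and discovery ports on every interface, and this host owns the WAN interface, so the controller becomes reachable from the internet as soon as the firewall is turned back on (it is currently disabled in the network profile, which is worse). Leave `openFirewall` at its default and open the needed ports only on the LAN side via `networking.firewall.interfaces.${config.homefree.network.lan-interface}.allowedTCPPorts`/`allowedUDPPorts`. `nixpkgs.config.allowUnfree = true` flips the licence gate for the whole system from inside one profile; prefer `nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "unifi-controller" "mongodb" ];` (check the exact pnames) so only these two packages are admitted.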


@ -1,23 +0,0 @@
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
libvirt
virtiofsd
];
systemd.mounts = [
{
what = "mount_homefree_source";
where = "/home/homefree/nixcfg";
type = "virtiofs";
wantedBy = [ "multi-user.target" ];
enable = true;
}
];
boot.extraModprobeConfig = "options kvm_intel nested=1";
boot.kernelParams = [
"intel_iommu=on"
"cgroup_enable=freezer"
];
}

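--- a/profiles/wireguard.nix
+++ b/profiles/wireguard.nix
@@ -0,0 +1,41 @@
+{ config, pkgs, ... }:
+{
+# enable NAT
+networking.nat.enable = true;
+networking.nat.externalInterface = config.homefree.network.wan-interface;
+networking.nat.internalInterfaces = [ config.homefree.network.lan-interface ];
+networking.firewall = {
+allowedUDPPorts = [ 51820 ];
+};
+networking.wireguard.interfaces = {
+# "wg0" is the network interface name. You can name the interface arbitrarily.
+"${config.homefree.network.lan-interface}"= {
+# Determines the IP address and subnet of the server's end of the tunnel interface.
+ips = [ "192.168.3.1/24" ];
+# The port that WireGuard listens to. Must be accessible by the client.
+listenPort = 51820;
+# This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+# For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+postSetup = ''
+${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o ${config.homefree.network.wan-interface} -j MASQUERADE
+'';
+# This undoes the above command
+postShutdown = ''
+${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 192.168.3.0/24 -o ${config.homefree.network.wan-interface} -j MASQUERADE
+'';
+# Path to the private key file.
+#
+# Note: The private key can also be included inline via the privateKey option,
+# but this makes the private key world-readable; thus, using privateKeyFile is
+# recommended.
+privateKeyFile = "path to private key file";
+peers = config.homefree.wireguard.peers;
+};
+};
+}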
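Review bot: The WireGuard interface is keyed as `"${config.homefree.network.lan-interface}"`, the same name as the physical LAN NIC configured in the network profile, so the unit will try to create a wg device under a name that already exists and fail (the comment directly above it still says `wg0`); use `"wg0" = {` and add `"wg0"` to `networking.nat.internalInterfaces`, which also makes the hand-written `iptables` MASQUERADE in `postSetup`/`postShutdown` redundant. `privateKeyFile = "path to private key file"` is a literal placeholder, so the service cannot start at all; supply it from sops like the other secrets, e.g. `privateKeyFile = "/run/secrets/wireguard/private-key";` with a matching root-owned `sops.secrets` entry. Because the network profile sets `networking.firewall.enable = false`, the `allowedUDPPorts = [ 51820 ]` line has no effect today; that is acceptable for a listener meant for the WAN, but say so in a comment so it is not mistaken for the only exposure control.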


@ -11,40 +11,41 @@ sops:
lastmodified: "2024-09-20T03:22:05Z"
mac: ENC[AES256_GCM,data:EqC7gfouu7FQXZy2ZLEx0940lrTq1HWVbVwCnNC/x3S0ForK47ByrSqboHBYap2XP4HMJ+B7xYNH9jKkg3q5aL0CCaGA/6XcWLSRDa2u4bxvhCgV+bqoRUMZVeXGK7lhB+z4mzhzwM0LbnRL/ZzDiXylJlRn4rW+hQM1YY5Likw=,iv:V5B9n7MVl1e/RNDcqJr2Sf5gL9OwN+GtbluyFMe66Lc=,tag:4lOcJ6YxZVmzCynKGrSWNw==,type:str]
pgp:
- created_at: "2024-11-02T01:34:25Z"
- created_at: "2024-11-12T18:58:11Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQEMAwXRN+4RS6LCAQgAlEeSnrVk6p/tz4dWWpNj2A6/MzmUnLzlpg5aNUygpkag
STDi3brNklqerxvA/BUxeEsBpJboSx4E9D1/DMfDPMNWPdQ1EFZKbZYseSx/dMq2
+jafLL0aMOKGp5wwyjZ1fkjkfJINZuoix4zcUGVoQE1NNkR8a82HBl4mG8u7B/4s
ea96On4eEIJqp/gcp6ulfTLj+KpM8gt/lLh7Gy9xhRgyJC69uOL+yUw/98aVh9/d
mhTN6/wMtxViMtYa816a8wkwXGJGacdhKa5GJ1wlSJxiUBpC7oWC/2OdQ8W1C8s1
/RF5vK8Jf1hgzMvm/zUJib9CpyH+RhKAaOWnBgy9StJWAdC81NC4139LyUQCiC5J
0vE/AY2qOs2UidDEa+R1I7hfWRLAuDtq5Ap2S7ZkjibFTIsDviUqtFgnMEJIw1Kz
txuIiX6h2mPPXbvHWq0Y86e6DN0dkhc=
=13uJ
hQEMAwXRN+4RS6LCAQf/Y+19C35I5+35JaIsHqhG+/weMBTVLru8GgvKXYjtrLeA
f9aN1ILXUgIcB8tXMON+IU/paL22xiwVDMGnEb9Ek1jpgUTnfSzz1IwnnN+BQCAz
Je7Pyt350tn2U2VCc4jS94mK4QyqSm7Ew1zSUtv69WGJ+vMQcgpwBZ2FrvMGGe8+
itzo1J58wI2pWSx02rLGEU6EZOF3dVB0IHgtow2C5GiKWrPHNicj8jRVWVJjNgok
hg3n4tVZaju+i/NmKjc26Fi5NKnaAPAi3/Ac2rIMTSe6gf1zdspxwdORieEMtvW/
bDBh+AEr9Del490L8ic9L+vhsNdI3nn3PJo4ghyyCtRmAQkCEG+CVY0+yS/eqxXE
crPm+zLaDDlhQ/dpl7Vlk5G02D3Y74pHITZqU5ARHD00KBE78HIMLP7EkigStOwI
tTjEuaJnhEwnFUv7nH9lbxGKaR+PJmcGDAHvWm2WIbL/OmyAzLrK
=qQD3
-----END PGP MESSAGE-----
fp: 06321d7f20335a7e08595ba905d137ee114ba2c2
- created_at: "2024-11-02T01:34:25Z"
- created_at: "2024-11-12T18:58:11Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA5FV2IaFrgceARAAoi7NTkFJpXoDpQT7IwvIJ+aNHsk3euS4c2QQMi5qz8Ah
O0hfuaip9Ej0kh0sltwifLl+D6QT9JK6riodLrJWT87biHClmZCX0zcMPsBhI7RO
JPlq8kqXjPjufXpRhRWBNi97CblY0a8KbILwxt2bn9kcZEnJzU/DHMz5g7Ib2EyS
2qnHHYCvY+Wi0G/vGPkxqYNOCYArKUh+sZhfcQsuDAXtAm7zSeTKsG8+KQc6WVAu
uNNXOoxaT6CY/f72qeuN9u0m7coZkpOp086hCnViLAz8sm5YrzdDgFrvd7xmEaO3
enOqQI3eqyvTj+odihgKx513sVdJOkzNyU1raTToNFnoWBSCUhSUU/i+NfSpF8za
S2KrFI6JabSqyT57DfzF48EaUBEAUY+hu58FLfL5XMIhkH1Iri9GoQlJw2qwuzV+
Lo3TxdnoX+v8wB80lkmGIrxlvXlBELJ3JuJAfQtLu3ojoQL3CuPvUYNkjwKMqr0W
v3BR4fRffLEItEkTYLtpfldPLT7oLeYloTCMOilb8p+e3gBELnsSd8E8CXDB5DBy
BKf7UiD401IzA9gTsEZj8QqmtR0c4cJOgw2K+o+xCl/bqAJ/4PEwW6XpEk7ZOti1
z6ja5cfcYdRUS02c9Ni6wcpPBkGIQz1GzFXQO11S6lBXBXhnJIitPH/OqgE85mzS
VgFOvuaSBsZh2jPJZE0aR1hefpyqxqFfT/nXeBhjMgvPbyup7/uh00fet3TY3UCp
vp6JvMVtyWBnKFp90qwTlByl7zafQrlvzj1OnCypJapnZwgTkB5B
=gPZc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=JSZf
-----END PGP MESSAGE-----
fp: 34f107a24095fcf6d43606bd9155d88685ae071e
fp: bdbac59ef19fdd5a5f455f4bd0ac2d46fb892f75
unencrypted_suffix: _unencrypted
version: 3.8.1
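Review bot: Swapping the server recipient `34f107a2…` for `bdbac59e…` re-wraps the data key but leaves the secrets themselves untouched, so anyone holding the old server key can still decrypt every earlier revision of this file from git history. If that key was retired because it may have been exposed, rather than simply reissued for the new hardware, rotate the underlying credentials and run `sops -r` so a fresh data key and MAC are generated; the unchanged `lastmodified` and `mac` fields here show that only `updatekeys` was run. A sentence in the commit message saying which case applies would help a later audit.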

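--- a/version.nix
+++ b/version.nix
@@ -0,0 +1 @@
+{ version = "0.0.1"; released = false; }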