

18 Commits

Author SHA1 Message Date
f52eaa8eb2
feat: add media-stack containers 2025-07-08 20:14:39 +03:00
daa99bf963
feat: add filestash container 2025-07-08 20:14:14 +03:00
2a7ffbb769
feat: enable quadlet by default in server role 2025-07-08 20:12:36 +03:00
3f1ab3a855
feat: disable waydroid on vega 2025-07-08 20:10:28 +03:00
5953860a63
feat: add syncyomi service 2025-07-08 20:09:57 +03:00
43694be7b8
fix: enable gitea on orion 2025-07-08 20:08:38 +03:00
c2bcc51aec
feat: add authentik service 2025-07-08 20:08:18 +03:00
54d5d760d2
feat: add gitea service 2025-07-08 20:07:11 +03:00
e8364fac08
feat: add acme module 2025-07-08 20:06:38 +03:00
91ed66d8fb
feat: add tinyproxy nixos-container to orion 2025-07-08 20:06:01 +03:00
5401e9e068
feat: add quadlet-nix flake input 2025-07-08 20:04:02 +03:00
10036817cc
fix: add srvos input 2025-07-08 20:03:45 +03:00
8de956ae72
feat: add vaultwared service to orion 2025-07-08 20:03:12 +03:00
56fb173b71
feat: add OMV vm to orion 2025-07-08 20:00:25 +03:00
df14232cc0
feat: add libvirt-guest module to nixos 2025-07-08 20:00:08 +03:00
1296c0e998
feat: add backup config for orion 2025-07-08 19:59:19 +03:00
1ff00246d3
feat: add boot config for orion 2025-07-08 19:58:52 +03:00
90013674f6
feat: add wip orion host config 2025-07-08 19:58:35 +03:00
34 changed files with 2374 additions and 14 deletions

flake.lock generated

@ -1049,6 +1049,21 @@
"type": "github"
}
},
"quadlet-nix": {
"locked": {
"lastModified": 1751931728,
"narHash": "sha256-i4OALPUnFhe9j9NauZaszZZTgIYSaLHmCO2gp9MZYKQ=",
"owner": "SEIAROTg",
"repo": "quadlet-nix",
"rev": "5cb4f185dc3722d589bdf238e6802c4c9f87994e",
"type": "github"
},
"original": {
"owner": "SEIAROTg",
"repo": "quadlet-nix",
"type": "github"
}
},
"root": {
"inputs": {
"ataraxiasjel-nur": "ataraxiasjel-nur",
@ -1071,7 +1086,9 @@
"nix2container": "nix2container",
"nixpkgs": "nixpkgs_9",
"nixpkgs-unstable": "nixpkgs-unstable",
"quadlet-nix": "quadlet-nix",
"sops-nix": "sops-nix",
"srvos": "srvos",
"walker": "walker"
}
},
@ -1116,6 +1133,26 @@
"type": "github"
}
},
"srvos": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1751564530,
"narHash": "sha256-DybnqQMmkMEbNQhrbMGFijZCa9g5mtYIMPACVNMJ5u8=",
"owner": "nix-community",
"repo": "srvos",
"rev": "6bb452f0b31058ffe64241bcf092ebf1c7758be1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "srvos",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,


@ -60,10 +60,15 @@
url = "github:nix-community/nix-vscode-extensions";
inputs.nixpkgs.follows = "nixpkgs";
};
quadlet-nix.url = "github:SEIAROTg/quadlet-nix";
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
srvos = {
url = "github:nix-community/srvos";
inputs.nixpkgs.follows = "nixpkgs";
};
walker = {
url = "github:abenz1267/walker";
inputs.nixpkgs.follows = "nixpkgs";
@ -105,9 +110,13 @@
inputs.sops-nix.nixosModules.sops
inputs.chaotic.nixosModules.nyx-cache
inputs.chaotic.nixosModules.nyx-overlay
inputs.quadlet-nix.nixosModules.quadlet
./modules/nixos
];
homeModules = [ ./modules/home ];
homeModules = [
inputs.quadlet-nix.homeManagerModules.quadlet
./modules/home
];
hostModuleDir = ./hosts;
hosts = {
NixOS-VM.system = "x86_64-linux";

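--- a/hosts/orion/backups.nix
+++ b/hosts/orion/backups.nix
@@ -0,0 +1,93 @@
+{
+config,
+lib,
+inputs,
+secretsDir,
+...
+}:
+{
+imports = [ inputs.ataraxiasjel-nur.nixosModules.rustic ];
+sops.secrets.rustic-vps-pass.sopsFile = secretsDir + /rustic.yaml;
+sops.secrets.rustic-backups-s3-env.sopsFile = secretsDir + /rustic.yaml;
+services.rustic.backups =
+let
+label = "hypervisor-nas";
+in
+rec {
+nas-backup = {
+backup = true;
+prune = false;
+initialize = true;
+environmentFile = config.sops.secrets.rustic-backups-s3-env.path;
+extraEnvironment = {
+https_proxy = "http://10.10.10.6:8888";
+};
+pruneOpts = [ "--repack-cacheable-only=false" ];
+timerConfig = {
+OnCalendar = "05:00";
+Persistent = true;
+};
+settings = {
+repository = {
+repository = "opendal:s3";
+password-file = config.sops.secrets.rustic-nas-pass.path;
+options = {
+root = label;
+bucket = "ataraxia-rustic-backups";
+region = "eu-central-003";
+endpoint = "https://s3.eu-central-003.backblazeb2.com";
+};
+};
+repository.options = {
+timeout = "2min";
+retry = "5";
+};
+backup = {
+host = config.networking.hostName;
+label = label;
+ignore-devid = true;
+group-by = "label";
+skip-identical-parent = true;
+globs = [
+"!/media/nas/**/cache"
+"!/media/nas/**/.cache"
+"!/media/nas/**/log"
+"!/media/nas/**/logs"
+"!/media/nas/media-stack/configs/lidarr/config/MediaCover"
+"!/media/nas/media-stack/configs/qbittorrent/downloads"
+"!/media/nas/media-stack/configs/recyclarr/repositories"
+"!/srv/gitea"
+"!/srv/wiki"
+];
+snapshots = [
+{
+sources = [
+"/srv /media/nas/containers"
+"/media/nas/media-stack/configs"
+];
+}
+];
+};
+forget = {
+filter-labels = [ label ];
+group-by = "label";
+prune = true;
+keep-daily = 4;
+keep-weekly = 2;
+keep-monthly = 0;
+};
+};
+};
+nas-prune = lib.recursiveUpdate nas-backup {
+backup = false;
+prune = true;
+initialize = false;
+createWrapper = false;
+timerConfig = {
+OnCalendar = "Tue, 07:00";
+Persistent = true;
+};
+};
+};
+}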
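Review bot: The secret declared at the top of the file is `rustic-vps-pass`, but the repository `password-file` reads `config.sops.secrets.rustic-nas-pass.path`, which this file never declares; unless rustic-nas-pass is defined in another module the evaluation fails on a missing attribute, and if it is, the vps declaration here is dead. The likely intent is `sops.secrets.rustic-nas-pass.sopsFile = secretsDir + /rustic.yaml;`. As a style point, `repository.options` is populated twice (the bucket/endpoint block, then a separate timeout/retry block); Nix merges the two, but folding timeout and retry into the first `options` set shows the effective option set in one place.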

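--- a/hosts/orion/boot.nix
+++ b/hosts/orion/boot.nix
@@ -0,0 +1,48 @@
+{ pkgs, ... }:
+{
+services.scx.enable = true;
+services.scx.scheduler = "scx_bpfland";
+networking.hostId = "a9408846";
+boot = {
+kernelPackages = pkgs.linuxPackages_cachyos-server;
+zfs.package = pkgs.zfs_cachyos;
+zfs.devNodes = "/dev/disk/by-id";
+loader = {
+grub = {
+enable = true;
+device = "nodev";
+copyKernels = true;
+efiSupport = true;
+enableCryptodisk = true;
+useOSProber = false;
+zfsSupport = true;
+};
+efi.efiSysMountPoint = "/efi";
+efi.canTouchEfiVariables = true;
+};
+kernelModules = [
+"tcp_bbr"
+"veth"
+"nfsv4"
+];
+kernelParams = [
+"scsi_mod.use_blk_mq=1"
+"pti=off"
+"spectre_v2=off"
+];
+kernel.sysctl = {
+"kernel.split_lock_mitigate" = 0;
+"vm.overcommit_memory" = 1;
+};
+tmp.useTmpfs = true;
+tmp.tmpfsSize = "100%";
+tmp.tmpfsHugeMemoryPages = "within_size";
+supportedFilesystems = [ "zfs" ];
+};
+}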
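Review bot: `pti=off` and `spectre_v2=off` in `kernelParams` switch off the Meltdown and Spectre v2 mitigations on a host that, per the orion default.nix in this same change, runs a KVM guest, nixos-containers and podman pods; with those mitigations off, the kernel-memory isolation that guest and container workloads rely on is weakened, and `"kernel.split_lock_mitigate" = 0` sits in the same trade-off category. If this is an accepted performance choice it should carry a why-comment, e.g. `# Mitigations intentionally disabled (performance on a LAN-only hypervisor) — accepted risk, revisit if untrusted guests are added`; otherwise drop the two params and let the kernel defaults stand. `grub.enableCryptodisk = true` is set although disk-config.nix in this change defines no encrypted pool, so either it is a leftover or encryption is configured elsewhere — worth a comment either way.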


@ -1,26 +1,122 @@
{ ... }:
{
lib,
pkgs,
inputs,
...
}:
{
imports = [
inputs.srvos.nixosModules.server
inputs.srvos.nixosModules.mixins-terminfo
./boot.nix
./disk-config.nix
./backups.nix
];
ataraxia.defaults.role = "server";
ataraxia.defaults.hardware.cpuVendor = "intel";
ataraxia.defaults.hardware.gpuVendor = "intel";
# Impermanence
ataraxia.filesystems.zfs.enable = true;
ataraxia.filesystems.zfs.eraseOnBoot.enable = true;
ataraxia.filesystems.zfs.eraseOnBoot.snapshots = [
"rpool/nixos/root@blank"
"rpool/user/home@blank"
"rpool/nixos/root@empty"
"rpool/user/home@empty"
];
ataraxia.filesystems.zfs.mountpoints = [
"/etc/secrets"
"/media/bittorrent"
"/media/libvirt"
"/media/libvirt/images"
"/nix"
"/persist"
"/srv/home"
"/srv"
"/var/lib/containers"
"/etc/secrets"
"/var/lib/docker"
"/var/lib/libvirt"
"/var/lib/nixos-containers"
"/var/lib/ocis"
"/var/lib/postgresql"
"/var/log"
"/vol"
];
ataraxia.networkd = {
enable = true;
domain = "home.ataraxiadev.com";
ifname = "enp2s0";
mac = "d4:3d:7e:26:a8:af";
bridge.enable = true;
ipv4 = [
{
address = "10.10.10.10/24";
gateway = "10.10.10.1";
dns = [
"10.10.10.1"
"9.9.9.9"
];
}
];
};
security.lockKernelModules = lib.mkForce false;
environment.memoryAllocator.provider = lib.mkForce "libc";
# Services
services.postgresql.enable = true;
services.postgresql.settings = {
full_page_writes = "off";
wal_init_zero = "off";
wal_recycle = "off";
};
services.tailscale = {
enable = true;
useRoutingFeatures = "both";
};
# Auto-mount lan nfs share
fileSystems."/media/local-nfs" = {
device = "10.10.10.11:/";
fsType = "nfs4";
options = [
"nfsvers=4.2"
"x-systemd.automount"
"noauto"
];
};
environment.systemPackages = with pkgs; [
bat
bottom
dnsutils
fd
kitty.terminfo
micro
mkvtoolnix-cli
nfs-utils
p7zip
podman-compose
pwgen
ripgrep
rsync
rustic-rs
smartmontools
];
ataraxia.containers.filestash.enable = true;
ataraxia.containers.media-stack.enable = true;
ataraxia.containers.tinyproxy.enable = true;
ataraxia.security.acme.enable = true;
ataraxia.services.authentik.enable = true;
ataraxia.services.gitea.enable = true;
ataraxia.services.syncyomi.enable = true;
ataraxia.services.vaultwarden.enable = true;
ataraxia.virtualisation.guests = {
omv = {
autoStart = true;
xmlFile = ./vm/omv.xml;
};
};
system.stateVersion = "25.05";
}
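Review bot: `/etc/secrets` is listed twice in `ataraxia.filesystems.zfs.mountpoints` (once near the top of the list, again right after `/var/lib/containers`); drop one entry so the list matches the datasets in disk-config.nix one-to-one. `security.lockKernelModules = lib.mkForce false;` and `environment.memoryAllocator.provider = lib.mkForce "libc";` force off two hardening settings that some imported module presumably enables, with no comment saying which workload needs that; a why-comment such as `# lockKernelModules off: <which service loads modules at runtime> — TODO confirm` keeps the next reader from re-enabling it blind. The NFS automount of `10.10.10.11:/` sets no `sec=` option, so it relies on the default AUTH_SYS; acceptable on this LAN, but worth stating in the existing comment above it.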

hosts/orion/disk-config.nix Normal file

@ -0,0 +1,261 @@
{ inputs, ... }:
let
emptySnapshot =
name: "zfs list -t snapshot -H -o name | grep -E '^${name}@empty$' || zfs snapshot ${name}@empty";
in
{
imports = [ inputs.disko.nixosModules.disko ];
disko.devices = {
disk = {
main = {
device = "/dev/disk/by-id/ata-Samsung_SSD_870_EVO_500GB_S5Y1NJ1R160554B";
type = "disk";
content = {
type = "gpt";
partitions = {
esp = {
type = "EF00";
name = "ESP";
size = "512M";
priority = 1;
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/efi";
mountOptions = [ "umask=0077" ];
};
};
swap = {
name = "swap";
size = "16G";
priority = 2;
content = {
type = "swap";
randomEncryption = true;
};
};
boot = {
name = "bpool";
size = "4G";
priority = 3;
content = {
type = "zfs";
pool = "bpool";
};
};
cryptroot = {
size = "100%";
priority = 4;
content = {
type = "zfs";
pool = "rpool";
};
};
};
};
};
};
zpool = {
bpool = {
type = "zpool";
options = {
ashift = "13";
autotrim = "on";
compatibility = "grub2";
};
rootFsOptions = {
acltype = "posixacl";
atime = "on";
canmount = "off";
compression = "lz4";
devices = "off";
normalization = "formD";
relatime = "on";
xattr = "sa";
dedup = "off";
};
mountpoint = "/boot";
postCreateHook = emptySnapshot "bpool";
datasets = {
nixos = {
type = "zfs_fs";
options.mountpoint = "none";
options.canmount = "off";
postCreateHook = emptySnapshot "bpool/nixos";
};
"nixos/boot" = {
type = "zfs_fs";
mountpoint = "/boot";
options.canmount = "on";
postCreateHook = emptySnapshot "bpool/nixos/boot";
};
};
};
rpool = {
type = "zpool";
options = {
ashift = "13";
autotrim = "on";
cachefile = "none";
};
rootFsOptions = {
acltype = "posixacl";
atime = "on";
canmount = "off";
compression = "zstd";
dedup = "off";
dnodesize = "auto";
normalization = "formD";
relatime = "on";
xattr = "sa";
};
mountpoint = "/";
postCreateHook = emptySnapshot "rpool";
datasets = {
reserved = {
type = "zfs_fs";
options.mountpoint = "none";
options = {
canmount = "off";
refreservation = "10G";
};
};
nixos = {
type = "zfs_fs";
options.mountpoint = "none";
options.canmount = "off";
postCreateHook = emptySnapshot "rpool/nixos";
};
user = {
type = "zfs_fs";
options.mountpoint = "none";
options.canmount = "off";
postCreateHook = emptySnapshot "rpool/user";
};
persistent = {
type = "zfs_fs";
options.mountpoint = "none";
options.canmount = "off";
postCreateHook = emptySnapshot "rpool/persistent";
};
"nixos/root" = {
type = "zfs_fs";
mountpoint = "/";
options.canmount = "noauto";
postCreateHook = emptySnapshot "rpool/nixos/root";
};
"user/home" = {
type = "zfs_fs";
mountpoint = "/home";
options.canmount = "on";
postCreateHook = emptySnapshot "rpool/user/home";
};
"persistent/impermanence" = {
type = "zfs_fs";
mountpoint = "/persist";
options.canmount = "on";
postCreateHook = emptySnapshot "rpool/persistent/impermanence";
};
"persistent/servers" = {
type = "zfs_fs";
mountpoint = "/srv";
options.canmount = "on";
postCreateHook = emptySnapshot "rpool/persistent/servers";
};
"persistent/nix" = {
type = "zfs_fs";
mountpoint = "/nix";
options.canmount = "on";
postCreateHook = emptySnapshot "rpool/persistent/nix";
};
"persistent/secrets" = {
type = "zfs_fs";
mountpoint = "/etc/secrets";
options.canmount = "on";
postCreateHook = emptySnapshot "rpool/persistent/secrets";
};
"persistent/log" = {
type = "zfs_fs";
mountpoint = "/var/log";
options.canmount = "on";
postCreateHook = emptySnapshot "rpool/persistent/log";
};
"persistent/docker" = {
type = "zfs_fs";
mountpoint = "/var/lib/docker";
options.canmount = "on";
postCreateHook = emptySnapshot "rpool/persistent/docker";
};
"persistent/nixos-containers" = {
type = "zfs_fs";
mountpoint = "/var/lib/nixos-containers";
options.canmount = "on";
postCreateHook = emptySnapshot "rpool/persistent/nixos-containers";
};
"persistent/libvirt" = {
type = "zfs_fs";
mountpoint = "/var/lib/libvirt";
options.canmount = "on";
postCreateHook = emptySnapshot "rpool/persistent/libvirt";
};
"persistent/libvirt-user" = {
type = "zfs_fs";
mountpoint = "/media/libvirt";
options.canmount = "on";
postCreateHook = emptySnapshot "rpool/persistent/libvirt-user";
};
"persistent/libvirt-user/images" = {
type = "zfs_fs";
mountpoint = "/media/libvirt/images";
options.canmount = "on";
options.atime = "off";
options.recordsize = "16K";
options.compression = "lz4";
postCreateHook = emptySnapshot "rpool/persistent/libvirt-user/images";
};
"persistent/ocis" = {
type = "zfs_fs";
mountpoint = "/var/lib/ocis";
options.canmount = "on";
options.recordsize = "1M";
postCreateHook = emptySnapshot "rpool/persistent/ocis";
};
# "persistent/podman" = {
# type = "zfs_fs";
# mountpoint = "/var/lib/podman";
# options.canmount = "on";
# options.atime = "off";
# postCreateHook = emptySnapshot "rpool/persistent/podman";
# };
"persistent/postgresql" = {
type = "zfs_fs";
mountpoint = "/var/lib/postgresql";
options.canmount = "on";
options.recordsize = "16K";
options.atime = "off";
options.logbias = "latency";
postCreateHook = emptySnapshot "rpool/persistent/postgresql";
};
vol = {
type = "zfs_fs";
options.canmount = "off";
postCreateHook = emptySnapshot "rpool/vol";
};
"vol/podman" = {
type = "zfs_volume";
size = "40G";
options.volblocksize = "16K";
content = {
type = "filesystem";
format = "xfs";
mountpoint = "/var/lib/containers";
};
};
};
};
};
};
}
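Review bot: The root partition is named `cryptroot` and boot.nix in this change enables `grub.enableCryptodisk`, but the `rpool` definition carries no ZFS encryption settings (no `encryption`, `keyformat` or `keylocation` in `rootFsOptions`), so as written `persistent/secrets` (`/etc/secrets`) and `persistent/postgresql` land in cleartext on the SSD and the swap partition's `randomEncryption = true` is the only encryption in the layout. If that is intended, rename the partition and add a comment such as `# rpool is intentionally unencrypted; sops-encrypted files are the only at-rest protection`; if not, the encryption options belong in `rpool.rootFsOptions` together with a key-loading strategy for unattended boot. Minor: the `reserved` dataset sets `options.mountpoint` and then a separate `options = { … }` set — Nix merges them, but one `options` block is easier to read, as the sibling datasets do.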

hosts/orion/vm/omv.xml Normal file

@ -0,0 +1,197 @@
<domain type='kvm'>
<name>omv</name>
<uuid>48cd00d8-9060-4221-a8bb-4d1db42c5939</uuid>
<metadata>
<libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
<libosinfo:os id="http://debian.org/debian/12"/>
</libosinfo:libosinfo>
</metadata>
<memory unit='KiB'>1048576</memory>
<currentMemory unit='KiB'>2097152</currentMemory>
<vcpu placement='static'>2</vcpu>
<os>
<type arch='x86_64' machine='pc-q35-9.1'>hvm</type>
<loader readonly='yes' type='pflash'>/run/libvirt/nix-ovmf/OVMF_CODE.fd</loader>
<nvram template='/run/libvirt/nix-ovmf/OVMF_VARS.fd'>/var/lib/libvirt/qemu/nvram/omv_VARS.fd</nvram>
</os>
<features>
<acpi/>
<apic/>
<vmport state='off'/>
</features>
<cpu mode='host-passthrough' check='none' migratable='on'>
<topology sockets='1' dies='1' clusters='1' cores='2' threads='1'/>
</cpu>
<clock offset='utc'>
<timer name='rtc' tickpolicy='catchup'/>
<timer name='pit' tickpolicy='delay'/>
<timer name='hpet' present='no'/>
</clock>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<pm>
<suspend-to-mem enabled='no'/>
<suspend-to-disk enabled='no'/>
</pm>
<devices>
<emulator>/run/libvirt/nix-emulators/qemu-system-x86_64</emulator>
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<source file='/media/libvirt/images/omv.qcow2'/>
<target dev='vda' bus='virtio'/>
<boot order='1'/>
<address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
</disk>
<disk type='block' device='disk'>
<driver name='qemu' type='raw'/>
<source dev='/dev/disk/by-id/ata-ST1000LM024_HN-M101MBB_S30YJ9DF829362'/>
<target dev='vdb' bus='virtio'/>
<address type='pci' domain='0x0000' bus='0x07' slot='0x00' function='0x0'/>
</disk>
<disk type='file' device='cdrom'>
<driver name='qemu' type='raw'/>
<target dev='sda' bus='sata'/>
<readonly/>
<boot order='2'/>
<address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>
<controller type='usb' index='0' model='qemu-xhci' ports='15'>
<address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
</controller>
<controller type='pci' index='0' model='pcie-root'/>
<controller type='pci' index='1' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='1' port='0x10'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0' multifunction='on'/>
</controller>
<controller type='pci' index='2' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='2' port='0x11'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/>
</controller>
<controller type='pci' index='3' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='3' port='0x12'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x2'/>
</controller>
<controller type='pci' index='4' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='4' port='0x13'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x3'/>
</controller>
<controller type='pci' index='5' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='5' port='0x14'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x4'/>
</controller>
<controller type='pci' index='6' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='6' port='0x15'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x5'/>
</controller>
<controller type='pci' index='7' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='7' port='0x16'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x6'/>
</controller>
<controller type='pci' index='8' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='8' port='0x17'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x7'/>
</controller>
<controller type='pci' index='9' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='9' port='0x18'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0' multifunction='on'/>
</controller>
<controller type='pci' index='10' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='10' port='0x19'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x1'/>
</controller>
<controller type='pci' index='11' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='11' port='0x1a'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x2'/>
</controller>
<controller type='pci' index='12' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='12' port='0x1b'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x3'/>
</controller>
<controller type='pci' index='13' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='13' port='0x1c'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x4'/>
</controller>
<controller type='pci' index='14' model='pcie-root-port'>
<model name='pcie-root-port'/>
<target chassis='14' port='0x1d'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x5'/>
</controller>
<controller type='sata' index='0'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
</controller>
<controller type='virtio-serial' index='0'>
<address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
</controller>
<interface type='bridge'>
<mac address='52:54:00:d8:ef:84'/>
<source bridge='br0'/>
<model type='virtio'/>
<address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
</interface>
<serial type='pty'>
<target type='isa-serial' port='0'>
<model name='isa-serial'/>
</target>
</serial>
<console type='pty'>
<target type='serial' port='0'/>
</console>
<channel type='unix'>
<target type='virtio' name='org.qemu.guest_agent.0'/>
<address type='virtio-serial' controller='0' bus='0' port='1'/>
</channel>
<channel type='spicevmc'>
<target type='virtio' name='com.redhat.spice.0'/>
<address type='virtio-serial' controller='0' bus='0' port='2'/>
</channel>
<input type='tablet' bus='usb'>
<address type='usb' bus='0' port='1'/>
</input>
<input type='mouse' bus='ps2'/>
<input type='keyboard' bus='ps2'/>
<tpm model='tpm-crb'>
<backend type='emulator' version='2.0'/>
</tpm>
<graphics type='spice' autoport='yes'>
<listen type='address'/>
<image compression='off'/>
</graphics>
<sound model='ich9'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x1b' function='0x0'/>
</sound>
<audio id='1' type='spice'/>
<video>
<model type='virtio' heads='1' primary='yes'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
</video>
<redirdev bus='usb' type='spicevmc'>
<address type='usb' bus='0' port='2'/>
</redirdev>
<redirdev bus='usb' type='spicevmc'>
<address type='usb' bus='0' port='3'/>
</redirdev>
<watchdog model='itco' action='reset'/>
<memballoon model='virtio'>
<address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
</memballoon>
<rng model='virtio'>
<backend model='random'>/dev/urandom</backend>
<address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0'/>
</rng>
</devices>
</domain>
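Review bot: `<memory>` is 1048576 KiB (1 GiB) while `<currentMemory>` is 2097152 KiB (2 GiB); currentMemory is the balloon target and is not allowed to exceed the maximum, so libvirt is expected to reject this definition on define — swap the two values or set both to the intended size, e.g. `<memory unit='KiB'>2097152</memory>` and `<currentMemory unit='KiB'>2097152</currentMemory>`. The spice `<listen type='address'/>` carries no `address` attribute, so the display binds to libvirt's configured default rather than an address visible in this file; a comment noting that the default is expected to be loopback-only (and that no spice password is set) saves the next reader a trip to qemu.conf. The `cdrom` disk has no `<source>`, which is fine for an empty tray but deserves a comment so it is not mistaken for a lost install image.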


@ -10,7 +10,6 @@ in
{
imports = [
./disk-config.nix
# ./hardware-configuration.nix
./boot.nix
inputs.catppuccin.nixosModules.catppuccin
@ -78,7 +77,6 @@ in
};
};
ataraxia.programs.waydroid.enable = true;
ataraxia.vpn.sing-box.enable = true;
ataraxia.vpn.sing-box.config = "dell-singbox";
services.tailscale = {


@ -75,7 +75,10 @@ in
{ allowUnfree = true; android_sdk.accept_license = true; }
'';
};
serverRole = recursiveUpdate baseRole { };
serverRole = recursiveUpdate baseRole {
# TODO: add user for containers
virtualisation.quadlet.enable = mkDefault true;
};
desktopRole = recursiveUpdate baseRole {
ataraxia.defaults.fonts.enable = mkDefault true;
ataraxia.defaults.sound.enable = mkDefault true;
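Review bot: `virtualisation.quadlet.enable = mkDefault true` turns quadlet on for every host with the server role, not only the ones that declare containers, and the `# TODO: add user for containers` above it leaves the (presumably rootful, system-level) container setup as the default with no owner named. Either keep this opt-in by enabling it in the hosts that set `ataraxia.containers.*`, or make the TODO actionable, e.g. `# TODO: run quadlet containers under a dedicated unprivileged user once <blocker> is resolved`. `serverRole`'s enclosing let-block starts outside the hunk.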


@ -0,0 +1,33 @@
{ config, lib, ... }:
let
inherit (lib) mkEnableOption mkIf;
cfg = config.ataraxia.containers.filestash;
nas-path = "/media/nas/media-stack";
in
{
options.ataraxia.containers.filestash = {
enable = mkEnableOption "Enable filestash container";
};
config = mkIf cfg.enable {
virtualisation.oci-containers.containers.filestash = {
autoStart = true;
environment = {
PUID = "1000";
PGID = "100";
UMASK = "002";
TZ = "Europe/Moscow";
APPLICATION_URL = "files.ataraxiadev.com";
CANARY = "true";
};
# Tags: latest
image = "docker.io/machines/filestash@sha256:923c3399768fada3424bb6f3bc01521dad30e9a7a840cfb2eba3610b6acafffe";
ports = [ "127.0.0.1:8334:8334/tcp" ];
volumes = [
"${nas-path}/configs/filestash:/app/data/state"
"${nas-path}:/mnt"
];
};
};
}
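Review bot: `"${nas-path}:/mnt"` bind-mounts the whole `/media/nas/media-stack` tree read-write into a file manager meant to be reached via files.ataraxiadev.com, including `configs/` where every other container in this change keeps its state (and lidarr's `custom-cont-init.d`, which that image executes at start), so a filestash session can rewrite other containers' configuration. Mounting only the media subtree, `"${nas-path}/media:/mnt"`, or at least `"${nas-path}:/mnt:ro"` limits that. Minor and shared with every module in this change (media-stack caddy, jackett, jellyfin, kavita, lidarr, medusa, qbittorrent, radarr, recyclarr, sonarr): `mkEnableOption "Enable filestash container"` renders as "Whether to enable Enable filestash container.", so the argument should be the bare noun, `mkEnableOption "filestash container"`.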


@ -0,0 +1,67 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) mkEnableOption mkIf;
cfg = config.ataraxia.containers.media-stack;
nas-path = "/media/nas/media-stack";
caddyconf = pkgs.writeText "Caddyfile" ''
{
auto_https off
http_port 8180
}
jellyfin.ataraxiadev.com:8180 {
reverse_proxy jellyfin:8096
}
qbit.ataraxiadev.com:8180 {
reverse_proxy qbittorrent:8080
}
medusa.ataraxiadev.com:8180 {
reverse_proxy medusa:8081
}
jackett.ataraxiadev.com:8180 {
reverse_proxy jackett:9117
}
sonarr.ataraxiadev.com:8180 {
reverse_proxy sonarr:8989
}
radarr.ataraxiadev.com:8180 {
reverse_proxy radarr:7878
}
lidarr.ataraxiadev.com:8180 {
reverse_proxy lidarr:8686
}
kavita.ataraxiadev.com:8180 {
reverse_proxy kavita:5000
}
'';
in
{
options.ataraxia.containers.media-stack = {
caddy = mkEnableOption "Enable media-caddy container";
};
config = mkIf cfg.caddy {
virtualisation.oci-containers.containers.media-caddy = {
autoStart = true;
# Tags: release-20b7f25, release-2.10.0, release
image = "ghcr.io/hotio/caddy@sha256:937fe02672e7ce7f189e28d45c4ccfe86b2a7d5791b4e04badb55e143e32d5b7";
environment = {
PUID = "1000";
PGID = "100";
UMASK = "002";
TZ = "Europe/Moscow";
};
extraOptions = [ "--pod=media-stack" ];
volumes = [
"${nas-path}/configs/caddy:/config"
"${caddyconf}:/config/Caddyfile"
];
};
};
}
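Review bot: The Caddyfile proxies to `jellyfin:8096`, `qbittorrent:8080` and the other container names, but every backend runs in the same `media-stack` pod (`--pod=media-stack`), where containers share one network namespace and the pod is created with `--dns 10.10.10.1` in media-stack/default.nix; those names only resolve if that upstream DNS answers for them, which this module cannot guarantee. Since the services share the namespace, `reverse_proxy localhost:8096` (and likewise for the rest) needs no name resolution at all. Also, the store-built Caddyfile is mounted over `/config/Caddyfile` while `/config` itself comes from the NAS; a one-line comment that the store file intentionally shadows whatever lives in `configs/caddy` would spare the next reader the surprise.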


@ -0,0 +1,94 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib)
mkDefault
mkEnableOption
mkIf
optionals
;
cfg = config.ataraxia.containers.media-stack;
backend = config.virtualisation.oci-containers.backend;
pod-name = "media-stack";
open-ports = [
# caddy
"127.0.0.1:8180:8180"
# qbittorrent
"0.0.0.0:7000:7000"
"0.0.0.0:7000:7000/udp"
];
pod-dns = "10.10.10.1";
in
{
imports = [
./caddy.nix
./jackett.nix
./jellyfin.nix
./kavita.nix
./lidarr.nix
./medusa.nix
./qbittorrent.nix
./radarr.nix
./recyclarr.nix
./sonarr.nix
];
options.ataraxia.containers.media-stack = {
enable = mkEnableOption "Enable media-stack containers";
};
config = mkIf cfg.enable {
ataraxia.containers.media-stack.caddy = mkDefault true;
ataraxia.containers.media-stack.jackett = mkDefault true;
ataraxia.containers.media-stack.jellyfin = mkDefault true;
ataraxia.containers.media-stack.kavita = mkDefault true;
ataraxia.containers.media-stack.lidarr = mkDefault true;
ataraxia.containers.media-stack.medusa = mkDefault true;
ataraxia.containers.media-stack.qbittorrent = mkDefault true;
ataraxia.containers.media-stack.radarr = mkDefault true;
ataraxia.containers.media-stack.recyclarr = mkDefault true;
ataraxia.containers.media-stack.sonarr = mkDefault true;
systemd.services."podman-create-${pod-name}" =
let
portsMapping = lib.concatMapStrings (port: " -p " + port) open-ports;
start = pkgs.writeShellScript "create-pod-${pod-name}" ''
podman pod exists ${pod-name} || podman pod create -n ${pod-name} ${portsMapping} --dns ${pod-dns}
'';
stop = pkgs.writeShellScript "remove-pod-${pod-name}" ''
podman pod rm -i -f ${pod-name}
'';
in
rec {
path = [
pkgs.coreutils
config.virtualisation.podman.package
];
before =
[ ]
++ optionals cfg.caddy [ "${backend}-media-caddy.service" ]
++ optionals cfg.jackett [ "${backend}-jackett.service" ]
++ optionals cfg.jellyfin [ "${backend}-jellyfin.service" ]
++ optionals cfg.kavita [ "${backend}-kavita.service" ]
++ optionals cfg.lidarr [ "${backend}-lidarr.service" ]
++ optionals cfg.medusa [ "${backend}-medusa.service" ]
++ optionals cfg.qbittorrent [ "${backend}-qbittorrent.service" ]
++ optionals cfg.radarr [ "${backend}-radarr.service" ]
++ optionals cfg.recyclarr [ "${backend}-recyclarr.service" ]
++ optionals cfg.sonarr [ "${backend}-sonarr.service" ];
requiredBy = before;
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "yes";
ExecStart = start;
ExecStop = stop;
};
};
};
}
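Review bot: `"0.0.0.0:7000:7000"` and its udp twin publish the qbittorrent listen port on every host interface, including the bridge and the tailscale interface enabled in the host config, while the caddy mapping right above is deliberately loopback-only; the asymmetry needs a why-comment, e.g. `# torrent listen port; must be reachable from outside, so bound on all interfaces on purpose`, or the mapping should be bound to the LAN address. Separately, `backend` is read from `config.virtualisation.oci-containers.backend`, but the unit name `podman-create-${pod-name}` and the start/stop scripts hardcode `podman`, so with any other backend the `before` list would name units this oneshot cannot prepare a pod for; either hardcode `podman` for the service names too or add an assertion that the backend is podman.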


@ -0,0 +1,30 @@
{ config, lib, ... }:
let
inherit (lib) mkEnableOption mkIf;
cfg = config.ataraxia.containers.media-stack;
nas-path = "/media/nas/media-stack";
in
{
options.ataraxia.containers.media-stack = {
jackett = mkEnableOption "Enable jackett container";
};
config = mkIf cfg.jackett {
virtualisation.oci-containers.containers.jackett = {
autoStart = true;
environment = {
PUID = "1000";
PGID = "100";
UMASK = "002";
TZ = "Europe/Moscow";
};
extraOptions = [ "--pod=media-stack" ];
# Tags: 0.22.2117, version-v0.22.2117, v0.22.2117-ls80
image = "docker.io/linuxserver/jackett@sha256:221606b0ed7df0d66e601d0ba83f5f9cc9b9c761bafad3507d6854406b3a447b";
volumes = [
"${nas-path}/configs/jackett:/config"
];
};
};
}


@ -0,0 +1,51 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) mkEnableOption mkIf;
cfg = config.ataraxia.containers.media-stack;
nas-path = "/media/nas/media-stack";
renderGid = toString config.users.groups.render.gid;
videoGid = toString config.users.groups.video.gid;
inputGid = toString config.users.groups.input.gid;
intro-skipper-fix = pkgs.writeText "intro-skipper-fix" ''
#!/bin/bash
chown abc /usr/share/jellyfin/web/index.html
'';
in
{
options.ataraxia.containers.media-stack = {
jellyfin = mkEnableOption "Enable jellyfin container";
};
config = mkIf cfg.jellyfin {
virtualisation.oci-containers.containers.jellyfin = {
autoStart = true;
# Tags: 10.10.7, version-10.10.7ubu2404, 10.10.7ubu2404-ls68
image = "docker.io/linuxserver/jellyfin@sha256:d325675bce77eda246f13d0aa2bf94002d4e426e6e1783594cf9b6df164fcb23";
environment = {
PUID = "1000";
PGID = "100";
UMASK = "002";
TZ = "Europe/Moscow";
http_proxy = "http://10.10.10.6:8888";
https_proxy = "http://10.10.10.6:8888";
};
extraOptions = [
"--pod=media-stack"
"--device=/dev/dri/renderD128:/dev/dri/renderD128"
"--group-add=${renderGid},${videoGid},${inputGid}"
# "--privileged"
];
volumes = [
"${nas-path}/configs/jellyfin:/config"
"${nas-path}/media:/data/media"
"${intro-skipper-fix}:/custom-cont-init.d/intro-skipper-fix:ro"
];
};
};
}
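Review bot: `--group-add` hands the container the render, video and input groups, but the only device exposed is `/dev/dri/renderD128`, which VAAPI needs render (and on some drivers video) for; nothing in this module maps an input device, so `inputGid` looks like leftover privilege — drop it unless something in the image needs `/dev/input`. `intro-skipper-fix` is produced with `pkgs.writeText`, so the mounted file is not executable; whether the image's `custom-cont-init.d` still runs it depends on the init invoking scripts through a shell rather than exec'ing them — confirm, or build it with `pkgs.writeTextFile { name = "intro-skipper-fix"; executable = true; text = …; }` so it works either way. The `http_proxy`/`https_proxy` values are plain http to 10.10.10.6; fine on a trusted LAN, but a comment saying which traffic the proxy is for would help.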


@ -0,0 +1,35 @@
{ config, lib, ... }:
let
inherit (lib) mkEnableOption mkIf;
cfg = config.ataraxia.containers.media-stack;
nas-path = "/media/nas/media-stack";
in
{
options.ataraxia.containers.media-stack = {
kavita = mkEnableOption "Enable kavita container";
};
config = mkIf cfg.kavita {
virtualisation.oci-containers.containers.kavita = {
autoStart = true;
# Tags: 0.8.6, version-v0.8.6.2, v0.8.6.2-ls79
image = "docker.io/linuxserver/kavita@sha256:b222e4b2137db2301756d018076d0bfee858077d8af24d709f1f4003d628e580";
environment = {
PUID = "1000";
PGID = "100";
TZ = "Europe/Moscow";
DOTNET_SYSTEM_GLOBALIZATION_INVARIANT = "true";
};
extraOptions = [ "--pod=media-stack" ];
volumes = [
"${nas-path}/configs/kavita:/config"
"${nas-path}/media/books:/data/books"
"${nas-path}/media/comics:/data/comics"
"${nas-path}/media/fanfics:/data/fanfics"
"${nas-path}/media/manga:/data/manga"
"${nas-path}/media/novels:/data/novels"
];
};
};
}


@ -0,0 +1,32 @@
{ config, lib, ... }:
let
inherit (lib) mkEnableOption mkIf;
cfg = config.ataraxia.containers.media-stack;
nas-path = "/media/nas/media-stack";
in
{
options.ataraxia.containers.media-stack = {
lidarr = mkEnableOption "Enable lidarr container";
};
config = mkIf cfg.lidarr {
virtualisation.oci-containers.containers.lidarr = {
autoStart = true;
environment = {
PUID = "1000";
PGID = "100";
TZ = "Europe/Moscow";
};
extraOptions = [ "--pod=media-stack" ];
# Tags: 2.12.4, version-2.12.4.4658, 2.12.4.4658-ls45
image = "docker.io/linuxserver/lidarr@sha256:71fe6d5702691c6ac8961b9b1042fdea1ff833a49c82c5e165346fa88999a48a";
volumes = [
"${nas-path}/configs/lidarr/config:/config"
"${nas-path}/configs/lidarr/custom-services.d:/custom-services.d"
"${nas-path}/configs/lidarr/custom-cont-init.d:/custom-cont-init.d"
"${nas-path}:/data"
];
};
};
}
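Review bot: `custom-services.d` and `custom-cont-init.d` are bind-mounted read-write from the NAS; in linuxserver images those directories hold scripts the container's init executes at startup (before dropping to PUID, as far as I know), so anyone able to write under `${nas-path}/configs/lidarr` — including the filestash container in this same change, which mounts the whole tree rw — gets code execution inside lidarr on its next restart. Mount both with `:ro`, or better, source the scripts from the Nix store the way jellyfin.nix does with its `intro-skipper-fix`, so the executed content is part of the reviewed configuration. A comment naming what those custom scripts do would also help, since nothing in the repo shows their content.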


@ -0,0 +1,30 @@
{ config, lib, ... }:
let
inherit (lib) mkEnableOption mkIf;
cfg = config.ataraxia.containers.media-stack;
nas-path = "/media/nas/media-stack";
in
{
options.ataraxia.containers.media-stack = {
medusa = mkEnableOption "Enable medusa container";
};
config = mkIf cfg.medusa {
virtualisation.oci-containers.containers.medusa = {
autoStart = true;
# Tags: 1.0.22, version-v1.0.22, v1.0.22-ls230
image = "docker.io/linuxserver/medusa@sha256:89d7397b64b079050d8d20284fc692aee36a196885f57e5d9a396455d58a130d";
environment = {
PUID = "1000";
PGID = "100";
TZ = "Europe/Moscow";
};
extraOptions = [ "--pod=media-stack" ];
volumes = [
"${nas-path}/configs/medusa:/config"
"${nas-path}:/data"
];
};
};
}


@ -0,0 +1,59 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) mkEnableOption mkIf;
cfg = config.ataraxia.containers.media-stack;
backend = "podman";
nas-path = "/media/nas/media-stack";
volume = "local-nfs";
nfs-share = "10.10.10.11:/";
in
{
options.ataraxia.containers.media-stack = {
qbittorrent = mkEnableOption "Enable qbittorrent container";
};
config = mkIf cfg.qbittorrent {
virtualisation.oci-containers.containers.qbittorrent = {
autoStart = true;
# Tags: 5.1.2, version-5.1.2-r0, 5.1.2-r0-ls402
image = "docker.io/linuxserver/qbittorrent@sha256:94c8c82291c4fcf86084a6efb9f806786296fad48739e4723dc9a5393073a2ae";
environment = {
PUID = "1000";
PGID = "100";
UMASK = "002";
TZ = "Europe/Moscow";
TORRENTING_PORT = "7000";
DOCKER_MODS = "ghcr.io/gabe565/linuxserver-mod-vuetorrent";
};
extraOptions = [ "--pod=media-stack" ];
volumes = [
"${nas-path}/configs/qbittorrent:/config"
"${nas-path}:/data"
"${volume}:/nfs"
];
};
systemd.services."podman-create-volume-${volume}" =
let
start = pkgs.writeShellScript "create-volume-${volume}" ''
podman volume exists ${volume} || podman volume create --opt type=nfs4 --opt o=rw --opt device=${nfs-share} ${volume}
'';
in
rec {
path = [ config.virtualisation.podman.package ];
before = [ "${backend}-qbittorrent.service" ];
requiredBy = before;
serviceConfig = {
Type = "oneshot";
ExecStart = start;
};
};
};
}
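Review bot: `backend = "podman"` is hardcoded here while media-stack/default.nix derives it from `config.virtualisation.oci-containers.backend`; use the same expression in both so a backend change cannot leave `before = [ "${backend}-qbittorrent.service" ]` pointing at a unit that no longer exists. The `podman volume exists || podman volume create` guard means a later change to `nfs-share` or the mount options never reaches an already-created volume, unlike the pod unit which removes the pod in `ExecStop`; adding `RemainAfterExit = "yes";` and `ExecStop = pkgs.writeShellScript "remove-volume-${volume}" "podman volume rm -f ${volume}";` makes the volume follow the configuration on unit restart. The NFS mount uses `o=rw` only, so it relies on the default AUTH_SYS; acceptable on this LAN, but worth a comment.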


@ -0,0 +1,31 @@
{ config, lib, ... }:
let
inherit (lib) mkEnableOption mkIf;
cfg = config.ataraxia.containers.media-stack;
nas-path = "/media/nas/media-stack";
in
{
options.ataraxia.containers.media-stack = {
radarr = mkEnableOption "Enable radarr container";
};
config = mkIf cfg.radarr {
virtualisation.oci-containers.containers.radarr = {
autoStart = true;
environment = {
PUID = "1000";
PGID = "100";
UMASK = "002";
TZ = "Europe/Moscow";
};
extraOptions = [ "--pod=media-stack" ];
# Tags: 5.26.2, version-5.26.2.10099, 5.26.2.10099-ls276
image = "docker.io/linuxserver/radarr@sha256:07a474b61394553e047ad43a1a78c1047fc99be0144c509dd91e3877f402ebcb";
volumes = [
"${nas-path}/configs/radarr:/config"
"${nas-path}:/data"
];
};
};
}


@ -0,0 +1,29 @@
{ config, lib, ... }:
let
inherit (lib) mkEnableOption mkIf;
cfg = config.ataraxia.containers.media-stack;
nas-path = "/media/nas/media-stack";
in
{
options.ataraxia.containers.media-stack = {
recyclarr = mkEnableOption "Enable recyclarr container";
};
config = mkIf cfg.recyclarr {
virtualisation.oci-containers.containers.recyclarr = {
autoStart = true;
environment = {
CRON_SCHEDULE = "@daily";
TZ = "Europe/Moscow";
};
extraOptions = [ "--pod=media-stack" ];
# Tags: 7.4.1, 7.4, 7
image = "ghcr.io/recyclarr/recyclarr@sha256:759540877f95453eca8a26c1a93593e783a7a824c324fbd57523deffb67f48e1";
volumes = [
"${nas-path}/configs/recyclarr:/config"
];
user = "1000:100";
};
};
}


@ -0,0 +1,31 @@
{ config, lib, ... }:
let
inherit (lib) mkEnableOption mkIf;
cfg = config.ataraxia.containers.media-stack;
nas-path = "/media/nas/media-stack";
in
{
options.ataraxia.containers.media-stack = {
sonarr = mkEnableOption "Enable sonarr container";
};
config = mkIf cfg.sonarr {
virtualisation.oci-containers.containers.sonarr = {
autoStart = true;
environment = {
PUID = "1000";
PGID = "100";
UMASK = "002";
TZ = "Europe/Moscow";
};
extraOptions = [ "--pod=media-stack" ];
# Tags: 4.0.15, version-4.0.15.2941, 4.0.15.2941-ls285
image = "docker.io/linuxserver/sonarr@sha256:1156329d544b38bd1483add75c9b72c559f20e1ca043fd2d6376c2589d38951f";
volumes = [
"${nas-path}/configs/sonarr:/config"
"${nas-path}:/data"
];
};
};
}


@ -0,0 +1,76 @@
{
config,
lib,
secretsDir,
...
}:
let
inherit (lib) mkEnableOption mkIf;
cfg = config.ataraxia.containers.tinyproxy;
in
{
options.ataraxia.containers.tinyproxy = {
enable = mkEnableOption "Enable tinyproxy nixos-container";
};
config = mkIf cfg.enable {
sops.secrets.tinyproxy-singbox = {
sopsFile = secretsDir + /proxy.yaml;
restartUnits = [ "container@tinyproxy.service" ];
mode = "0600";
};
containers.tinyproxy = {
# extraFlags = [ "-U" ];
autoStart = true;
ephemeral = true;
privateNetwork = true;
hostBridge = "br0";
localAddress = "10.10.10.6/24";
bindMounts."/tmp/sing-box.json".hostPath = config.sops.secrets.tinyproxy-singbox.path;
config =
{ pkgs, ... }:
{
environment.systemPackages = with pkgs; [
dnsutils
kitty.terminfo
sing-box
];
systemd.packages = with pkgs; [ sing-box ];
systemd.services.sing-box = {
preStart = ''
umask 0007
mkdir -p ''${RUNTIME_DIRECTORY}
cp /tmp/sing-box.json ''${RUNTIME_DIRECTORY}/config.json
'';
serviceConfig = {
StateDirectory = "sing-box";
StateDirectoryMode = "0700";
RuntimeDirectory = "sing-box";
RuntimeDirectoryMode = "0700";
ExecStart = [
""
"${lib.getExe cfg.package} -D \${STATE_DIRECTORY} -C \${RUNTIME_DIRECTORY} run"
];
};
wantedBy = [ "multi-user.target" ];
};
networking = {
dhcpcd.denyInterfaces = [ "singtun0" ];
defaultGateway = "10.10.10.1";
hostName = "tinyproxy-node";
nameservers = [ "10.10.10.1" ];
useHostResolvConf = false;
firewall = {
enable = true;
allowedTCPPorts = [
8888
8889
];
rejectPackets = false;
};
};
};
};
};
}
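Review bot: The `ExecStart` override references `cfg.package`, but `cfg` is the host-side `config.ataraxia.containers.tinyproxy`, whose only declared option is `enable`, so evaluation should fail with a missing-attribute error unless some other module declares that option; the binary meant here is the container's sing-box, `"${lib.getExe pkgs.sing-box} -D \${STATE_DIRECTORY} -C \${RUNTIME_DIRECTORY} run"`, using the `pkgs` from the inner `config` function. Separately, the secret is bind-mounted into the container at `/tmp/sing-box.json`; the host file is 0600 root and the mount presumably keeps that mode, so confirm the `preStart` copy runs with enough privilege to read it (if the upstream unit uses `DynamicUser`, the copy would need a `+` prefix or the secret a different owner). A path under `/run` or `/etc` would also be a less surprising home for a credential than `/tmp`.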


@ -87,6 +87,7 @@ in
ataraxia.profiles.minimal = mkDefault true;
ataraxia.virtualisation.podman = mkDefault true;
ataraxia.virtualisation.libvirt = mkDefault true;
virtualisation.quadlet.enable = mkDefault true;
boot.supportedFilesystems = [ "nfs" ];


@ -0,0 +1,39 @@
{
config,
lib,
inputs,
...
}:
let
inherit (lib) mkEnableOption mkIf;
cfg = config.ataraxia.security.acme;
in
{
options.ataraxia.security.acme = {
enable = mkEnableOption "Default acme settings";
};
config = mkIf cfg.enable {
sops.secrets.cf-dns-api = {
sopsFile = inputs.self.secretsDir + /misc.yaml;
owner = "acme";
};
security.acme = {
acceptTerms = true;
# defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; # staging
defaults.server = "https://acme-v02.api.letsencrypt.org/directory"; # production
defaults.email = "admin@ataraxiadev.com";
defaults.renewInterval = "weekly";
certs = {
"ataraxiadev.com" = {
extraDomainNames = [ "*.ataraxiadev.com" ];
dnsResolver = "1.1.1.1:53";
dnsProvider = "cloudflare";
credentialFiles."CF_DNS_API_TOKEN_FILE" = config.sops.secrets.cf-dns-api.path;
};
};
};
persist.state.directories = [ "/var/lib/acme" ];
};
}
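Review bot: The sops path here is built from `inputs.self.secretsDir`, while the sibling modules added in this commit (authentik, gitea, syncyomi, vaultwarden, tinyproxy) take `secretsDir` from the module arguments; resolve it the same way everywhere, e.g. `sopsFile = secretsDir + /misc.yaml;` with `secretsDir` added to the argument set, so a secrets-root change cannot silently diverge between modules. The wildcard certificate for `*.ataraxiadev.com` is issued with the Cloudflare token in `cf-dns-api`, which is readable by the `acme` user; that token should be scoped to DNS edit on this one zone, since anything running as `acme` can exfiltrate it (not checkable from the config, but worth a comment on the secret).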


@ -0,0 +1,56 @@
{
config,
lib,
inputs,
secretsDir,
...
}:
let
inherit (lib) mkEnableOption mkIf mkOption;
inherit (lib.types) str;
cfg = config.ataraxia.services.authentik;
in
{
imports = [ inputs.ataraxiasjel-nur.nixosModules.authentik ];
options.ataraxia.services.authentik = {
enable = mkEnableOption "Enable authentik service";
sopsDir = mkOption {
type = str;
default = config.networking.hostName;
description = ''
Name for sops secrets directory. Defaults to hostname.
'';
};
};
config = mkIf cfg.enable {
sops.secrets.authentik-env.sopsFile = secretsDir + /${cfg.sopsDir}/authentik.yaml;
sops.secrets.authentik-ldap.sopsFile = secretsDir + /${cfg.sopsDir}/authentik.yaml;
sops.secrets.authentik-env.restartUnits = [
"authentik-server.service"
"authentik-worker.service"
];
sops.secrets.authentik-ldap.restartUnits = [ "authentik-ldap-outpost.service" ];
backups.postgresql.authentik = { };
services.authentik = {
enable = true;
logLevel = "info";
listen.address = "127.0.0.1";
listen.http = 9000;
listen.https = 9443;
environmentFile = config.sops.secrets.authentik-env.path;
outposts.ldap = {
enable = true;
host = "https://auth.ataraxiadev.com";
environmentFile = config.sops.secrets.authentik-ldap.path;
listen.address = "127.0.0.1";
listen.ldap = 3389;
listen.ldaps = 6636;
};
};
};
}


@ -0,0 +1,174 @@
{
config,
lib,
pkgs,
secretsDir,
...
}:
let
inherit (lib) mkEnableOption mkIf mkOption;
inherit (lib.types) str;
cfg = config.ataraxia.services.gitea;
gitea-user = config.services.gitea.user;
# gitea-group = "gitea";
# runner-user = "gitea-runner";
# runner-group = "root";
gitea-secret = {
sopsFile = secretsDir + /${cfg.sopsDir}/gitea.yaml;
owner = gitea-user;
restartUnits = [ "gitea.service" ];
};
# runner-secret = services: {
# sopsFile = secretsDir + /${cfg.sopsDir}/gitea.yaml;
# owner = runner-user;
# restartUnits = services;
# };
in
{
options.ataraxia.services.gitea = {
enable = mkEnableOption "Enable gitea service";
sopsDir = mkOption {
type = str;
default = config.networking.hostName;
description = ''
Name for sops secrets directory. Defaults to hostname.
'';
};
};
config = mkIf cfg.enable {
sops.secrets.gitea = gitea-secret;
sops.secrets.gitea-mailer = gitea-secret;
# sops.secrets.gitea-runner-hypervisor = runner-secret [ "gitea-runner-hypervisor.service" ];
persist.state.directories = [
# { directory = "/var/lib/gitea-runner"; user = runner-user; group = runner-group; }
# { directory = "/srv/gitea"; user = gitea-user; group = gitea-group; }
];
backups.postgresql.gitea = { };
# TODO: backups! gitea.dump setting
services.gitea = {
enable = true;
appName = "AtaraxiaDev's Gitea Instance";
database = {
type = "postgres";
passwordFile = config.sops.secrets.gitea.path;
};
dump = {
enable = true;
backupDir = "/srv/gitea/dump";
interval = "06:00";
type = "tar.zst";
};
lfs.enable = true;
stateDir = "/srv/gitea/data";
mailerPasswordFile = config.sops.secrets.gitea-mailer.path;
settings = {
server = {
DOMAIN = "code.ataraxiadev.com";
HTTP_ADDRESS = "127.0.0.1";
HTTP_PORT = 6000;
ROOT_URL = "https://code.ataraxiadev.com";
};
actions = {
ENABLED = false;
};
api = {
ENABLE_SWAGGER = false;
};
attachment = {
MAX_SIZE = 100;
MAX_FILES = 10;
};
mailer = {
ENABLED = true;
PROTOCOL = "smtps";
SMTP_ADDR = "mail.ataraxiadev.com";
USER = "gitea@ataraxiadev.com";
};
migrations = {
ALLOW_LOCALNETWORKS = true;
ALLOWED_DOMAINS = "";
};
packages = {
ENABLED = false;
};
"repository.upload" = {
FILE_MAX_SIZE = 100;
MAX_FILES = 10;
};
security = {
INSTALL_LOCK = true;
DISABLE_GIT_HOOKS = true;
DISABLE_WEBHOOKS = false;
IMPORT_LOCAL_PATHS = false;
PASSWORD_HASH_ALGO = "argon2";
};
oauth2 = {
JWT_SIGNING_ALGORITHM = "ES256";
};
service = {
DISABLE_REGISTRATION = true;
DEFAULT_ALLOW_CREATE_ORGANIZATION = false;
DEFAULT_USER_IS_RESTRICTED = true;
REGISTER_EMAIL_CONFIRM = false;
REGISTER_MANUAL_CONFIRM = true;
};
session = {
COOKIE_SECURE = true;
};
webhook = {
ALLOWED_HOST_LIST = "loopback, private, ataraxiadev.com, *.ataraxiadev.com";
};
};
};
systemd.services.gitea-dump-clean =
let
older-than = "3"; # in days
in
rec {
before = [ "gitea-dump.service" ];
requiredBy = before;
script = ''
${pkgs.findutils}/bin/find ${config.services.gitea.dump.backupDir} \
-mindepth 1 -type f -mtime +${older-than} -delete
'';
};
# users.users.${runner-user} = {
# isSystemUser = true;
# group = runner-group;
# };
# services.gitea-actions-runner.instances.hypervisor = {
# enable = true;
# name = "hypervisor";
# url = config.services.gitea.settings.server.ROOT_URL;
# tokenFile = config.sops.secrets.gitea-runner-hypervisor.path;
# labels = [
# "native:host"
# "debian-latest:docker://debian:12-slim"
# ];
# hostPackages = with pkgs; [
# bash
# curl
# gawk
# gitMinimal
# gnused
# wget
# ];
# # TODO: fix cache server
# # settings = {};
# };
# systemd.services.gitea-runner-hypervisor = {
# serviceConfig.DynamicUser = lib.mkForce false;
# serviceConfig.User = lib.mkForce runner-user;
# serviceConfig.Group = lib.mkForce runner-group;
# };
};
}
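Review bot: `persist.state.directories` is an empty list with the `/srv/gitea` entry commented out, yet `stateDir`, the LFS store and `dump.backupDir` all live under `/srv/gitea`; the other services in this commit persist their state (`/var/lib/vaultwarden`, `/var/lib/acme`), so if this host's root filesystem is ephemeral the repositories, the dumps and presumably the secret key and internal token the module generates are lost on reboot. Unless `/srv` is already a persistent mount, add `"/srv/gitea"` to the list (or restore the commented entry with `group = config.services.gitea.group`). The host's secrets file also carries `gitea-secretkey` and `gitea-internaltoken`, which nothing here reads; either wire them in or remove them so it is clear which keys are live.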


@ -0,0 +1,34 @@
{
config,
lib,
inputs,
secretsDir,
...
}:
let
inherit (lib) mkEnableOption mkIf mkOption;
inherit (lib.types) str;
cfg = config.ataraxia.services.syncyomi;
in
{
imports = [ inputs.ataraxiasjel-nur.nixosModules.syncyomi ];
options.ataraxia.services.syncyomi = {
enable = mkEnableOption "Enable syncyomi service";
sopsDir = mkOption {
type = str;
default = config.networking.hostName;
description = ''
Name for sops secrets directory. Defaults to hostname.
'';
};
};
config = mkIf cfg.enable {
sops.secrets.syncyomi.sopsFile = secretsDir + /${cfg.sopsDir}/syncyomi.yaml;
services.syncyomi.enable = true;
services.syncyomi.configFile = config.sops.secrets.syncyomi.path;
networking.firewall.allowedTCPPorts = [ 8282 ];
};
}
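Review bot: `networking.firewall.allowedTCPPorts = [ 8282 ]` exposes syncyomi directly on every host interface, whereas the other services added in this commit (gitea, vaultwarden, authentik) bind `127.0.0.1` and sit behind the reverse proxy and the ACME certificate. Unless syncyomi must be reachable without TLS on the LAN, drop the firewall line and have the proxy forward to it on loopback. The sops secret here sets no `owner`, so it stays root-owned 0400; that only works if the NUR module reads `configFile` as root, which should be confirmed.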


@ -0,0 +1,80 @@
{
config,
lib,
secretsDir,
...
}:
let
inherit (lib) mkEnableOption mkIf mkOption;
inherit (lib.types) str;
cfg = config.ataraxia.services.vaultwarden;
in
{
options.ataraxia.services.vaultwarden = {
enable = mkEnableOption "Enable vaultwarden service";
sopsDir = mkOption {
type = str;
default = config.networking.hostName;
description = ''
Name for sops secrets directory. Defaults to hostname.
'';
};
};
config = mkIf cfg.enable {
sops.secrets.vaultwarden.sopsFile = secretsDir + /${cfg.sopsDir}/vaultwarden.yaml;
sops.secrets.vaultwarden.owner = config.users.users.vaultwarden.name;
sops.secrets.vaultwarden.restartUnits = [ "vaultwarden.service" ];
services.vaultwarden = {
enable = true;
backupDir = "/srv/vaultwarden";
config = {
domain = "https://vw.ataraxiadev.com";
extendedLogging = true;
invitationsAllowed = false;
useSyslog = true;
logLevel = "warn";
rocketAddress = "127.0.0.1";
rocketPort = 8812;
showPasswordHint = false;
signupsAllowed = false;
signupsDomainsWhitelist = "ataraxiadev.com";
signupsVerify = true;
smtpAuthMechanism = "Login";
smtpFrom = "vaultwarden@ataraxiadev.com";
smtpFromName = "Vaultwarden";
smtpHost = "mail.ataraxiadev.com";
smtpPort = 587;
smtpSecurity = "starttls";
websocketAddress = "127.0.0.1";
websocketEnabled = true;
websocketPort = 3012;
webVaultEnabled = true;
};
environmentFile = config.sops.secrets.vaultwarden.path;
};
# We need to do this to successufully create backup folder
# systemd.services.backup-vaultwarden.serviceConfig = {
# User = "root";
# Group = "root";
# };
persist.state.directories = [
"/var/lib/vaultwarden"
config.services.vaultwarden.backupDir
];
systemd.tmpfiles.rules =
let
backupDir = config.services.vaultwarden.backupDir;
user = config.systemd.services.backup-vaultwarden.serviceConfig.User;
group = config.systemd.services.backup-vaultwarden.serviceConfig.Group;
in
[
"d ${backupDir} 0700 ${user} ${group} -"
];
};
}
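Review bot: `signupsAllowed = false` and `signupsDomainsWhitelist = "ataraxiadev.com"` contradict each other: in Vaultwarden a non-empty `SIGNUPS_DOMAINS_WHITELIST` takes precedence over `SIGNUPS_ALLOWED`, so anyone who can receive mail at an `@ataraxiadev.com` address (with `signupsVerify = true` they must confirm it) can still self-register, which is presumably not what the `false` is meant to express. If registration is meant to be closed, remove the `signupsDomainsWhitelist` line; if domain-restricted signup is intended, remove the misleading `signupsAllowed = false` and say so in a comment. Worth double-checking against the Vaultwarden version being deployed, since the precedence rule is the part that makes this a real exposure rather than a cosmetic one.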


@ -0,0 +1,527 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib)
concatStrings
mapAttrsToList
mkIf
mkMerge
mkOption
optionalString
;
inherit (lib.types)
attrsOf
bool
enum
int
listOf
nullOr
path
str
submodule
;
cfg = config.ataraxia.virtualisation.guests;
diskOptions.options = {
diskFile = mkOption {
type = str;
};
# TODO
bus = mkOption {
type = enum [
"virtio"
"ide"
"scsi"
"sata"
];
default = "virtio";
};
type = mkOption {
type = enum [
"raw"
"qcow2"
];
default = "qcow2";
};
targetName = mkOption {
type = str;
default = "vda";
};
discard = mkOption {
type = enum [
"ignore"
"unmap"
];
default = "unmap";
};
cache = mkOption {
type = enum [
"none"
"writethrough"
"writeback"
"directsync"
"unsafe"
];
default = "writeback";
};
};
mountOptions.options = {
sourceDir = mkOption {
type = str;
default = "";
};
targetDir = mkOption {
type = str;
default = "";
};
# TODO
type = mkOption {
type = enum [
"virtiofs"
"9p"
];
default = "virtiofs";
};
};
guestsOptions =
{ ... }:
{
options = rec {
xmlFile = mkOption {
type = nullOr path;
default = null;
};
connectUri = mkOption {
type = str;
default = "qemu:///system";
};
user = mkOption {
type = str;
default = "qemu-libvirtd";
};
group = mkOption {
type = str;
default = "qemu-libvirtd";
};
autoStart = mkOption {
type = bool;
default = false;
};
autoDefine = mkOption {
type = bool;
default = true;
};
guestOsType = mkOption {
type = enum [
"linux"
"windows"
];
default = "linux";
};
uefi = mkOption {
type = bool;
default = false;
};
memory = mkOption {
type = int;
default = 1024;
};
sharedMemory = mkOption {
type = bool;
# TODO: not needed if using 9p mount
default = devices.mounts != [ ];
};
cpu = {
sockets = mkOption {
type = int;
default = 1;
};
cores = mkOption {
type = int;
default = 1;
};
threads = mkOption {
type = int;
default = 1;
};
};
devices = {
disks = mkOption {
type = listOf (submodule diskOptions);
default = [ ];
};
mounts = mkOption {
type = listOf (submodule mountOptions);
default = [ ];
};
tablet = mkOption {
type = bool;
default = true;
};
serial = mkOption {
type = bool;
default = true;
};
qemuGuestAgent = mkOption {
type = bool;
default = guestOsType != "windows";
};
audio = {
enable = mkOption {
type = bool;
default = true;
};
type = mkOption {
# TODO
type = enum [
"none"
"alsa"
"coreaudio"
"dbus"
"jack"
"oss"
"pulseaudio"
"sdl"
"spice"
"file"
];
default = "spice";
};
};
graphics = {
enable = mkOption {
type = bool;
# TODO: must be true if video == true?
default = true;
};
type = mkOption {
# TODO
type = enum [
"sdl"
"vnc"
"spice"
"rdp"
"desktop"
"egl-headless"
];
default = "spice";
};
};
video = {
enable = mkOption {
type = bool;
default = true;
};
type = mkOption {
# TODO
type = enum [
"vga"
"cirrus"
"vmvga"
"xen"
"vbox"
"qxl"
"virtio"
"gop"
"bochs"
"ramfb"
"none"
];
default = "virtio";
};
};
network = {
enable = mkOption {
type = bool;
default = true;
};
interfaceType = mkOption {
# TODO
type = enum [
"network"
"macvlan"
"bridge"
];
default = "network";
};
modelType = mkOption {
type = enum [
"virtio"
"e1000"
];
default = "virtio";
};
macAddress = mkOption {
type = nullOr str;
default = null;
};
active = mkOption {
type = bool;
default = true;
};
sourceDev = mkOption {
type = str;
default = "default";
};
};
};
timeout = mkOption {
type = int;
default = 10;
};
};
};
genXML =
name: guest:
pkgs.writeText "libvirt-guest-${name}.xml" ''
<domain type="kvm">
<name>${name}</name>
<uuid>UUID</uuid>
<memory unit="MiB">${toString guest.memory}</memory>
${optionalString guest.sharedMemory ''
<memoryBacking>
<source type="memfd"/>
<access mode="shared"/>
</memoryBacking>
''}
<vcpu placement="static">${with guest.cpu; toString (sockets * cores * threads)}</vcpu>
<os>
<type arch="x86_64" machine="pc-q35-9.2">hvm</type>
${optionalString guest.uefi ''
<loader readonly="yes" type="pflash" format="raw">/run/libvirt/nix-ovmf/OVMF_CODE.fd</loader>
<nvram template="/run/libvirt/nix-ovmf/OVMF_CODE.fd" templateFormat="raw" format="raw">/var/lib/libvirt/qemu/nvram/${name}_VARS.fd</nvram>
''}
</os>
<features>
<acpi/>
<apic/>
${optionalString (guest.guestOsType == "windows") ''
<pae/>
<hyperv mode="custom">
<relaxed state="on"/>
<vapic state="on"/>
<spinlocks state="on" retries="8191"/>
<vpindex state="on"/>
<synic state="on"/>
</hyperv>
''}
<vmport state="off"/>
</features>
<cpu mode="host-passthrough" check="none" migratable="on">
${with guest.cpu; ''
<topology
sockets="${toString sockets}"
cores="${toString cores}"
threads="${toString threads}"
/>
''}
</cpu>
<clock offset="${if guest.guestOsType == "windows" then "localtime" else "utc"}">
<timer name="rtc" tickpolicy="catchup"/>
<timer name="pit" tickpolicy="delay"/>
<timer name="hpet" present="no"/>
${optionalString (guest.guestOsType == "windows") ''
<timer name="hypervclock" present="yes"/>
''}
</clock>
<pm>
<suspend-to-mem enabled="no"/>
<suspend-to-disk enabled="no"/>
</pm>
<devices>
<emulator>/run/libvirt/nix-emulators/qemu-system-x86_64</emulator>
${concatStrings (
map (disk: ''
<disk type="file" device="disk">
<driver name="qemu" type="${disk.type}" cache="${disk.cache}" discard="${disk.discard}"/>
<source file="${disk.diskFile}"/>
<target dev="${disk.targetName}" bus="${disk.bus}"/>
</disk>
'') guest.devices.disks
)}
${concatStrings (
map (mount: ''
<filesystem type="mount" accessmode="passthrough">
<driver type="virtiofs" queue="1024"/>
<binary path="/run/current-system/sw/bin/virtiofsd" xattr="on">
<cache mode="always"/>
<lock posix="on" flock="on"/>
</binary>
<source dir="${mount.sourceDir}"/>
<target dir="${mount.targetDir}"/>
</filesystem>
'') guest.devices.mounts
)}
${
with guest.devices.network;
if enable then
if interfaceType == "network" then
''
<interface type="network">
${optionalString (macAddress != null) ''
<mac address="${macAddress}"/>
''}
<source network="${sourceDev}"/>
<model type="${modelType}"/>
</interface>
''
else if interfaceType == "bridge" then
''
<interface type="bridge">
${optionalString (macAddress != null) ''
<mac address="${macAddress}"/>
''}
<source bridge="${sourceDev}"/>
<model type="${modelType}"/>
</interface>
''
else if interfaceType == "macvlan" then
''
<interface type="direct">
${optionalString (macAddress != null) ''
<mac address="${macAddress}"/>
''}
<source dev="${sourceDev}" mode="bridge"/>
<model type="${modelType}"/>
</interface>
''
else
""
else
""
}
${optionalString guest.devices.tablet ''
<input type="tablet" bus="usb"/>
''}
${optionalString guest.devices.serial ''
<serial type="pty"/>
''}
${optionalString guest.devices.qemuGuestAgent ''
<channel type="unix">
<target type="virtio" name="org.qemu.guest_agent.0"/>
</channel>
''}
${optionalString guest.devices.audio.enable ''
<audio id="1" type="${guest.devices.audio.type}"/>
<sound model="ich9"/>
''}
${
if guest.devices.graphics.enable then
if guest.devices.graphics.type == "spice" then
''
<graphics type="spice" autoport="yes">
<listen type="address"/>
<image compression="off"/>
</graphics>
''
else
""
else
""
}
${
with guest.devices.video;
with lib;
optionalString enable ''
<video>
${
if type == "virtio" then
''
<model type="virtio" heads="1"/>
''
else if type == "qxl" then
''
<model type="qxl" ram="65536" vram="65536" vgamem="16384" heads="1"/>
''
else
""
}
</video>
''
}
<channel type="spicevmc">
<target type="virtio" name="com.redhat.spice.0"/>
</channel>
<input type="mouse" bus="ps2"/>
<input type="keyboard" bus="ps2"/>
<redirdev bus='usb' type='spicevmc'/>
<memballoon model="virtio"/>
${optionalString (guest.guestOsType == "windows") ''
<rng model="virtio">
<backend model="random">/dev/urandom</backend>
</rng>
''}
</devices>
</domain>
'';
in
{
options.ataraxia.virtualisation.guests = mkOption {
default = { };
type = attrsOf (submodule guestsOptions);
};
config.systemd.services = mkMerge (
mapAttrsToList (name: guest: {
"libvirt-guest-define-${name}" = {
after = [ "libvirtd.service" ];
requires = [ "libvirtd.service" ];
wantedBy = mkIf guest.autoDefine [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "no";
User = guest.user;
Group = guest.group;
};
environment = {
LIBVIRT_DEFAULT_URI = guest.connectUri;
};
script =
if guest.xmlFile != null then
''
${pkgs.libvirt}/bin/virsh define --file ${guest.xmlFile}
${pkgs.libvirt}/bin/virsh net-start ${guest.devices.network.sourceDev} || true
''
else
''
uuid="$(${pkgs.libvirt}/bin/virsh domuuid '${name}' || true)"
${pkgs.libvirt}/bin/virsh define <(sed "s/UUID/$uuid/" '${genXML name guest}')
${optionalString (
guest.devices.network.interfaceType == "network"
) "${pkgs.libvirt}/bin/virsh net-start ${guest.devices.network.sourceDev} || true"}
'';
};
"libvirt-guest-${name}" = {
after = [ "libvirt-guest-define-${name}.service" ];
requires = [ "libvirt-guest-define-${name}.service" ];
wantedBy = mkIf guest.autoStart [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "yes";
User = guest.user;
Group = guest.group;
};
environment = {
LIBVIRT_DEFAULT_URI = guest.connectUri;
};
script = "${pkgs.libvirt}/bin/virsh start '${name}'";
preStop = ''
${pkgs.libvirt}/bin/virsh shutdown '${name}'
let "timeout = $(date +%s) + ${toString guest.timeout}"
while [ "$(${pkgs.libvirt}/bin/virsh list --name | grep --count '^${name}$')" -gt 0 ]; do
if [ "$(date +%s)" -ge "$timeout" ]; then
${pkgs.libvirt}/bin/virsh destroy '${name}'
else
sleep 0.5
fi
done
'';
};
}) cfg
);
}
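Review bot: The `<rng model="virtio">` device in `genXML` is emitted only when `guestOsType == "windows"`, so Linux guests (the default) boot without a virtio-rng source and must seed their CSPRNG from jitter alone; the device is harmless on Linux and Linux guests are the ones that benefit, so drop the guard and emit `<rng model="virtio"><backend model="random">/dev/urandom</backend></rng>` unconditionally, or add a `devices.rng` option defaulting to true. In the define script, `virsh domuuid '${name}' || true` leaves `$uuid` empty for a not-yet-defined domain, so the `sed` yields `<uuid></uuid>`; whether libvirt accepts an empty element or rejects it as malformed should be checked, because the `|| true` hides that failure until `virsh start` in the guest unit. Omitting the `<uuid>` line when `$uuid` is empty and letting libvirt generate one would avoid the question.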


@ -9,9 +9,8 @@ let
};
in
{
# attic-client = inputs.attic.packages.${system}.attic;
# attic-server = inputs.attic.packages.${system}.attic-server;
# cassowary-py = inputs.cassowary.packages.${system}.cassowary;
authentik = unstable.authentik;
authentik-outposts = unstable.authentik-outposts;
hyprlandUnstable = unstable.hyprland;
hyprlandPortalUnstable = unstable.xdg-desktop-portal-hyprland;
intel-vaapi-driver = prev.intel-vaapi-driver.override { enableHybridCodec = true; };


@ -0,0 +1,29 @@
authentik-docker-env: ENC[AES256_GCM,data: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,iv:RoNU+sz4ibBnCZEwhrZOCZ8L2f4AKlA2HDkjGOd75HU=,tag:GmXqPgen7ZJ/hVqQhO+DbQ==,type:str]
authentik-docker-ldap: ENC[AES256_GCM,data:Ex6g0F9krdKj1Zn4V6oafV7PXrkdIHYsh6z287yEDkJdUUsz73QXKYjMIyF6AhoDFtOCPqmEB7J6qFxCzQjJsHYDbDT/pDHjJMpmnA==,iv:DrifVWgEak8Pd7V50UOnEs6lVH3+LhSNDmZ6z4QMS14=,tag:snAy/ebpo1yyHGmy9l12Ww==,type:str]
authentik-env: ENC[AES256_GCM,data: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,iv:/fR2FJan/QRCKLKBaPdagcfMD4xsaezZAXHIYmwZ484=,tag:1u/EXA+4KdsVrchKUMY41A==,type:str]
authentik-ldap: ENC[AES256_GCM,data:trkAbd1/delgSdV2nvPjbDV4fK0Eeu0X3c8xGYFIotHhPrYqZeBlgh9m6W1dEBeH/DOqPDlc6hqwGCE7D39Ael/WV5dgQepzB+7eYQ==,iv:dNGa2YW2nm21lLuX0efxYO8TLyi6Or4IOID0Zvl3neQ=,tag:wBDWNxeuahiNw+vupGNPqw==,type:str]
sops:
shamir_threshold: 1
age:
- recipient: age13phpsegg6vu7a34ydtfa9s904dfpgzqhzru7epnky7glezk0xvkst9qh6h
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1cnFSMTlTbnBucXVsN2Zv
Nms5RklOaGgrZjlJMmlNTkRvV3o4NVZPb21FCmdNdGJKangxanlOczRZam5DMTVN
ZGdqbVJhNGRVMDVYcmhpNTBxSmJQdmsKLS0tIE1tRnNONVM2UXBJUyt6bWE5NmpK
MkpvTjFpQ0JLK3ZUaUJGdWpZRFNsUXMKn8ImvsqI9EiVxTx34VTp8l4zJp2pawGy
817OEdp9spuDG6AyoxrDjpsbZ0R/9kQ1W/Y9nJNNRrvMuIijw1FO0g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m5msm7rgqye2q9zesgedg0emga4ntehlr629786lrxs3rhk0squq0ly9je
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPbTErSzVzYlRadkRFT05V
ZXNRY1JIN2t2dGFIQ3lDV0hVYmdBWEYvazFFCmlid3ZGTzV4Y2NhOU5IVTF2QUFY
MTFWV1pGSk9DRDg5K1lCVVRaUUlEa3MKLS0tIGFhSjdieEtCQXRCVVpTekNISXR4
MW9UdVRKWUF6S3BZLzJ0QkhHbUpSc0kK3M8rkSRq1zo3TvlTf7erJc3RjamW+81D
GIKKOybcRBCJQ+SqFoyF97aaa3QVlDXEU1rvpoP+p88NAt7ERJXvsw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-24T16:13:04Z"
mac: ENC[AES256_GCM,data:OKANPvWhQCG/iFwc2zWVnaQ2799ai8l40styj60kpWB1Id7ccLomPCvzMMtZS/tCrp9HxrbYkN/9GgRnMrMoNvp2QtL19c4pmN2V9VKrEklm77UMeN5KEOemk5Iiqnjk6LF3mPuRa5nFTSwoLSsYPZ1v+vX7oob7WlhR57WAb+g=,iv:2waLQWzcqXT/9NN1rkaoc1Ym2qziGVOgRhc2nvDtMCI=,tag:ayzPdyGxts/02kIyayDPpQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.8.1

30
secrets/orion/gitea.yaml Normal file

@ -0,0 +1,30 @@
gitea: ENC[AES256_GCM,data:J+ZBpsUSXOaPycPCjh6RgZQlRv8=,iv:DtE+qtWTIHS2OkFZBhUcjg07wVrwiMm7XsW63ZD4f5o=,tag:5vOIdgsBB8eMkIbRe6pNdA==,type:str]
gitea-mailer: ENC[AES256_GCM,data:o7JNqMqJM3OoDxSohmeYsPn1n3wb6J6L,iv:agiJl0halqfmKMvWA8b0boXF3rXrbC2bIj9zb5274hg=,tag:DjnNySDnYwVYtP9RNuEYGQ==,type:str]
gitea-secretkey: ENC[AES256_GCM,data:eyhy6wRwoWxUVGh3GghePwYZxX2BmHxly0Tn6eHq+6qDryDgL6c/fA==,iv:/xMqcni+lTh3syWSSp50pS6VHDTEDsUL2idFWEoCc9M=,tag:qgmGHzc5R6k6OLOEyrBlMw==,type:str]
gitea-internaltoken: ENC[AES256_GCM,data:BYA9CHQ/IVnwA/apr0V3EYE66vJfz5wdpOGxgMzVdcYKrqVVhfK7YQ==,iv:Fj4gn00rRc2E1A74SWeRZWktm4EvvTeCG04p8K2NSxk=,tag:BanFYGL7GF5Q8zdjugAICw==,type:str]
gitea-runner-hypervisor: ENC[AES256_GCM,data:vS++cR4ewTzT8W7h870tXJkFYy6F9hV8SA/A94kqIxsawAmeeu5xf5YVQZZcNw==,iv:h9LVb3J909tkoiI01mh7ZgW34MPrB49mC5Sn+b5iIQE=,tag:CJ9kk6Ly/X89VAU2pBOZaA==,type:str]
sops:
shamir_threshold: 1
age:
- recipient: age13phpsegg6vu7a34ydtfa9s904dfpgzqhzru7epnky7glezk0xvkst9qh6h
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHbUdCR3NvYlFoeW9hZU5k
Um5YYzE3aDN1WWRvd3JRWG83eDV2VVBUWXpvCjYwSU1neTF5cmZneDVSTmgrbzgv
SE9JSWY4SmRwVmVMNVhmb1RzSEF0ZzgKLS0tIHFzcHhQWUwzelRBWGJyd3RwQ05K
c1AvZ2EwY0VPWGc1WnhucDFmQmhtWUUKkHK658ViO8wtm/kJk5t3B6z7vXHsCHI6
PeIbqM+hQ2dW7yCJTfKyYoJGwaWrAgzjFRD0wbh9b+JQWavIiyhZrA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m5msm7rgqye2q9zesgedg0emga4ntehlr629786lrxs3rhk0squq0ly9je
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvUUwvZ25yUGo5YjJNcHFM
b1hUSTQ5VUlmODMwbEhzNFFTSmFFaG9tcTJFCmFrYU9qSWlVNmRqUnlmdEkrYlhF
V2lCNnZwNGZVL0pUaW5RTWVHaFpnYlEKLS0tIFpDNC9RU21kS3R2UzRvMnpBcjc5
U1VldmYxV2k4c3gwY1FUSjNQWmtRODQK7P9NTF9JxzilXiLdv4WCGt0V3pxB7xbt
gECxjDTHYd+TBkOExzYHAD7VXQGpPPyCKREZ1AsZJjhhZoZJrrMMuQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-21T19:08:51Z"
mac: ENC[AES256_GCM,data:ranW9+W0x11eRFRzGosVfapoW1xpgTUpUvzzItYcZT0Pr1cRpBMQNTmHXpItNKuw1Ut4PBzUlmtDl/Y1VlefVecy6j9xvEczgYvCXCRH+x5Dp2FAuIwqw+EuQWsxxZ/k32zzdWT2brWsO+z5EmLRePJu0mBoxRx1vqVAZef8vwo=,iv:yEofPQ22CpHLktUjRke1Tlg445TpX0ocpQBeoeWba+Q=,tag:Ai+tbYJJ5BHyNHfnK1elgw==,type:str]
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -0,0 +1,25 @@
syncyomi: ENC[AES256_GCM,data:DRx/E4S4IEVp4uFT2STjsv79bFZk+RGfv9EDYHiCOdkUr6TaA4fcF17fWD2VX2HshnU4dTnlOG/Z27/eygixkXjlFOIcSXuZZIv+Pttxl/r0cgI7NM8fGh3rn2Id34gIpRpmW34VwIU3EU9ctwBwTmsbpM2zMBbXKTXyr/mWuLCqc6WiSHlz1mJaHmMUW6uidj5WbnoJ0KamLlJtkZz0P0v+CczMhon6d9S2xWJ3qi/Tt15jTldEkKBZ+sNag9yAUc5dSPvNRGXsq5NAtqIIXpIVdDvBHKXLtlkeDroHFidyRlBsUJ9ZmpMNyZvBAngzspRQuPJAWcvMOp2EtpxwiReDk3n9UNPkwmj5ZOPwDixwjoriV9fHFOdHRFqICWEJbRMLwj+NHnkxa5vZI8f9WCfwjk3npbgQ1yY+GxBlv5iVBIacG/QmOZjpy9X1WURFGev6tHcL9KBRg2sx0hDR+qO1f4t8KWE8unS9xFBMiynsDsX46XIY1YeXXGfjZRiSZYTmenkUvXfkhijBmlLAW38=,iv:OAUDQhm5aQwjUa0vn03PzWOrZlJiFdPYGdZPDV/lFRs=,tag:71OvVXwwIl93mC4EpTAmzA==,type:str]
sops:
age:
- recipient: age13phpsegg6vu7a34ydtfa9s904dfpgzqhzru7epnky7glezk0xvkst9qh6h
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDU0swYlJZalNxYWZHcDAv
RnhsbFZhN2NsMkxXUWdDL0R6aEcvTFZCTUJZCjNpaWxYVXZ5T3NCVTBkZnVPa2ZG
U1RWcUxwRkVGSDhVdEtOcmpSWUxNR00KLS0tIGRHUHJCUjJuU3lZQnlZU1N0Q3Iy
UUxOMmIzMUcxdmdBR2tHZUdjd2FBeWsKqGJ0Globcl/6eEAk4ICtvqIKBvTlXiot
hwysXkcNqiSvaETLFWmrwtd+zLAuwb9320QBB5J1PgyU4onbMq5c4w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m5msm7rgqye2q9zesgedg0emga4ntehlr629786lrxs3rhk0squq0ly9je
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHdVNnbTVzWGJ5aWtWOVdW
bURQWXB5S0JCVFcxMGF6Y3R5czJQV2txTXhJCklOZW5VTzNtQ2ZTbWRFYTJsRTBo
QjJ3WW5WcFlVeG0wQ1N5WW9QcXZ5a1UKLS0tIDJ6Zkk2UHFHYU1CVlIvRmh4ZW0y
K3pwd2JyZUVpRXh5YTkxMGFBR2dHVWcKXphBeCwSow+8ETCKx4AZ3xEiOQHMmAHC
qmPDJM94dt9dXFBWZ1hlf3k5keAqicQzmvFfj0jaEs2wKbrRiXFAVQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-17T20:20:57Z"
mac: ENC[AES256_GCM,data:K68jXgp7l8hHkBLD/XoQmaN9gYDXdFbH30SOoeUaw2u0bIUbTopMTu1hfO405F/bHQ3N0JIJb7fYz0dqD2QvfvcI2HAIb2ZAeR8Z7IVmVyNZRuttzLCJ2KeW3DGkVh1QHdyM5lbYyiPunm3tTArhHKM7Bf8W9pXbN+k4p+L2ZLM=,iv:26Pvkq6PUWqWkshzZUJOGY4wor2nFvbEza8dWUf8Cl4=,tag:JGUGDqI5QfjdJoimr4uAEw==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.1


@ -0,0 +1,26 @@
vaultwarden: ENC[AES256_GCM,data:B1qaU/1jsDgbc7wEl3Yrehez3vHCOPDQ5rjpkYPf4QgVwonOvvEf4H7doVwabhihRqoy43QXBeDRuPVaea/ZJythvZV0cez2Mr6YrhG7/BSB+AIDEa+wNQTGgY5IWkztp7j4BP1XmyRA4A42dOnfHJR6BncJGAfhNguq3FZJuf5BClvyT5aov+GKfiO81l93ig324TKsU9ClLqmVarrPCNba683ADrH8g5EkB2rw0LwKJBWVQh0TKhTTyFdMFTNaIQ17K1ueqLwd2xIfHMmN61s=,iv:H6/RxF6LSMD3OUAY3mEhof2VGOCctg6FsaoyOTI9e5Q=,tag:W+nCl/RAWpdXWbE9v/oMOg==,type:str]
sops:
shamir_threshold: 1
age:
- recipient: age13phpsegg6vu7a34ydtfa9s904dfpgzqhzru7epnky7glezk0xvkst9qh6h
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnNVZpRE8zUzN0RWNXT09F
bUR0MmxMNDNybHBEN0FKY3VtTW1XREpaSkNJCnpGRmZqRlU0YlBiYkxkeEVLMzdv
eERFc3dITG5lOTVLRkJYM2NNa1lpWDgKLS0tIEsra0ZBblhiTk9kTFJxWjZtRDhS
NDhKY2dEVXFOL3JIZmtMVG5tVklIQXcKbLLeZOrJCGRPscw4LWsVAGk29EwQg0lK
+YYSsQLm+cZNLxHLClsmQn/ykEvIEA5/1DjFXVvulFW+Kbk9NwSxHA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m5msm7rgqye2q9zesgedg0emga4ntehlr629786lrxs3rhk0squq0ly9je
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqa0tPM2NiaW13Sk5rR091
VVBVYnRoc3I2WFI3WFhETTdXUzU4ckFZbGtJCjR4em80Vm1UQk9vM3h4OER6dVNs
RWJwazRiUHVXY01vZ1hyN3k3MlBrbUEKLS0tIDd3aEhxNDZHWDdETkd0VkMwOTZG
MWNhelRQZTdBZGMzUk5HQklSWWVTNWMK6gunbCmYfXh4fQ3mV0kh6TlwxTpxlUI0
Y6+pPh+Sw39KTFdirXv5OTWtCN53S6HXejIuctIOvdfrB1LYwsb7XA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-21T19:24:09Z"
mac: ENC[AES256_GCM,data:+KnkQjRKq7f7gojR4TDRUahPPcOshTQUIzJOmGBD4cspjLj0Ljf9tqoMCvCzwU7CGIg2c4phUCWluyQwlUAoiRL0rM8YyN2nE0PiWOcnl3p9FHwHxV9ElWiWpVnKroVxZEz0vmj0nsabl9PRD5ipX06kDK8GRZXFw+laSCy0N1E=,iv:7DO9ML9ToedihSJA6v1hMcd4Q/PJ+JLvJQk69kQ8btA=,tag:cifnSqY1ezoHt8WHtuyakw==,type:str]
unencrypted_suffix: _unencrypted
version: 3.8.1