AtaraxiaDev/nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: AtaraxiaDev:f52eaa8eb21af66dec79907c4b81f381a6fa03a8
Branches Tags
AtaraxiaDev:dev
AtaraxiaDev:master
...
compare: AtaraxiaDev:d22c2abb30f56f5a8bfaaafd66f5e1e983a00c91
Branches Tags
AtaraxiaDev:dev
AtaraxiaDev:master

16 Commits
f52eaa8eb2 ... d22c2abb30

Author SHA1 Message Date
Dmitriy Kholkin
d22c2abb30
feat: migrate media-stack containers to quadlet 2025-07-10 18:39:31 +03:00
Dmitriy Kholkin
ce43a4f211
fix: dns in podman containers 2025-07-10 18:38:18 +03:00
Dmitriy Kholkin
d823982850
fix: persist syncyomi state directory 2025-07-10 18:37:50 +03:00
Dmitriy Kholkin
eb50441b92
feat: add headscale service 2025-07-10 18:37:38 +03:00
Dmitriy Kholkin
6cedde7e17
feat: add nginx integration to some services 2025-07-10 18:36:59 +03:00
Dmitriy Kholkin
312fdc791e
fix: sing-box package in tinyproxy container 2025-07-10 18:35:51 +03:00
Dmitriy Kholkin
0172df4d55
feat: add nginx module 2025-07-10 18:33:24 +03:00
Dmitriy Kholkin
d95ec28daa
feat: add zsh module to nixos 2025-07-10 18:32:40 +03:00
Dmitriy Kholkin
763958b2ac
feat: fix home-manager detection in modules 2025-07-10 18:31:51 +03:00
Dmitriy Kholkin
caea7cc34c
fix: omv libvirt guest permissions 2025-07-10 18:29:41 +03:00
Dmitriy Kholkin
b690f94a5d
feat: auto load nas hdd on orion 2025-07-10 18:29:16 +03:00
Dmitriy Kholkin
7e9c9efc08
fix: orion boot. strange problem with unstable zfs module loading 2025-07-10 18:28:59 +03:00
Dmitriy Kholkin
d0c5de2ab7
chore: update lite-config input 2025-07-10 18:28:14 +03:00
Dmitriy Kholkin
b6a7394c2a
fix: nixos-vm and test quadlet container 2025-07-08 22:25:13 +03:00
Dmitriy Kholkin
1349461d3c
fix: orion build 2025-07-08 22:24:01 +03:00
Dmitriy Kholkin
601ddc9795
feat: add quadlet bridge network 2025-07-08 22:23:36 +03:00
35 changed files with 2548 additions and 316 deletions
Show Stats Expand all files Collapse all files

8
flake.lock generated
View File

@ -638,16 +638,16 @@
}, },
"lite-config": { "lite-config": {
"locked": { "locked": {
"lastModified": 1749323815, "lastModified": 1752091719,
"narHash": "sha256-NAhCvl7RZDL0XiQi7GMJ4KJsakQZDpKuIb5H9m3nhSI=", "narHash": "sha256-N0cjol3O7SzZhaq/Y6y0rIbda233v5eD0ei5IJOMwzA=",
"owner": "ataraxiasjel", "owner": "ataraxiasjel",
"repo": "lite-config", "repo": "lite-config",
"rev": "dc6717c8fbdabf81740a26c745316a5cb40e8c70", "rev": "2807667b2f6128c15417053ce569c282049f4555",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "ataraxiasjel", "owner": "ataraxiasjel",
"ref": "v0.10.0", "ref": "v0.10.1",
"repo": "lite-config", "repo": "lite-config",
"type": "github" "type": "github"
} }

7
flake.nix
View File

@ -21,7 +21,7 @@
nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
flake-parts.url = "github:hercules-ci/flake-parts"; flake-parts.url = "github:hercules-ci/flake-parts";
lite-config.url = "github:ataraxiasjel/lite-config/v0.10.0"; lite-config.url = "github:ataraxiasjel/lite-config/v0.10.1";
flake-registry = { flake-registry = {
url = "github:nixos/flake-registry"; url = "github:nixos/flake-registry";
flake = false; flake = false;
@ -119,7 +119,6 @@
]; ];
hostModuleDir = ./hosts; hostModuleDir = ./hosts;
hosts = { hosts = {
NixOS-VM.system = "x86_64-linux";
# home-workstation # home-workstation
andromedae = { andromedae = {
system = "x86_64-linux"; system = "x86_64-linux";
@ -144,6 +143,10 @@
system = "x86_64-linux"; system = "x86_64-linux";
useHomeManager = false; useHomeManager = false;
}; };
NixOS-VM = {
system = "x86_64-linux";
useHomeManager = false;
};
}; };
}; };

58
hosts/NixOS-VM/default.nix
View File

@ -1,8 +1,4 @@
{ { modulesPath, ... }:
modulesPath,
pkgs,
...
}:
{ {
imports = [ imports = [
(modulesPath + "/profiles/qemu-guest.nix") (modulesPath + "/profiles/qemu-guest.nix")
@ -11,9 +7,9 @@
ataraxia.defaults.role = "base"; ataraxia.defaults.role = "base";
boot.kernelParams = [ # boot.kernelParams = [
"systemd.setenv=SYSTEMD_SULOGIN_FORCE=1" # "systemd.setenv=SYSTEMD_SULOGIN_FORCE=1"
]; # ];
virtualisation.memorySize = 4096; virtualisation.memorySize = 4096;
virtualisation.cores = 4; virtualisation.cores = 4;
@ -23,48 +19,12 @@
"-vga qxl" "-vga qxl"
"-display gtk" "-display gtk"
]; ];
users.users.test = { virtualisation.diskSize = 8192;
isNormalUser = true;
};
boot.supportedFilesystems = [ "zfs" ]; boot.loader.grub.enable = false;
boot.zfs.forceImportRoot = false;
networking.hostId = "84977205";
environment.systemPackages = with pkgs; [ ataraxia.virtualisation.podman = true;
# test overlay ataraxia.containers.filestash.enable = true;
sing-box
];
# Test persist module system.stateVersion = "25.05";
persist.enable = true;
persist.cache.clean.enable = true;
persist.state.directories = [ "/etc" ];
persist.cache.directories = [ "/cache" ];
home-manager.users.ataraxia = {
home.stateVersion = "24.11";
persist.enable = true;
persist.cache.clean.enable = false;
persist.state.directories = [ "test-home" ];
persist.cache.directories = [
"test-1"
"test-2"
];
persist.state.files = [ "home" ];
};
home-manager.users.test = {
home.stateVersion = "24.11";
persist.enable = true;
persist.cache.clean.enable = true;
persist.cache.directories = [
"test-3"
"test-4"
];
persist.cache.files = [
"home"
"home3"
];
};
system.stateVersion = "24.11";
} }

2
hosts/orion/backups.nix
View File

@ -8,7 +8,7 @@
{ {
imports = [ inputs.ataraxiasjel-nur.nixosModules.rustic ]; imports = [ inputs.ataraxiasjel-nur.nixosModules.rustic ];
sops.secrets.rustic-vps-pass.sopsFile = secretsDir + /rustic.yaml; sops.secrets.rustic-nas-pass.sopsFile = secretsDir + /rustic.yaml;
sops.secrets.rustic-backups-s3-env.sopsFile = secretsDir + /rustic.yaml; sops.secrets.rustic-backups-s3-env.sopsFile = secretsDir + /rustic.yaml;
services.rustic.backups = services.rustic.backups =
let let

30
hosts/orion/boot.nix
View File

@ -1,14 +1,31 @@
{ pkgs, ... }: { pkgs, lib, ... }:
let
inherit (lib) mkForce;
in
{ {
services.scx.enable = true; # services.scx.enable = true;
services.scx.scheduler = "scx_bpfland"; # services.scx.scheduler = "scx_bpfland";
networking.hostId = "a9408846"; networking.hostId = "a9408846";
boot = { boot = {
kernelPackages = pkgs.linuxPackages_cachyos-server; kernelPackages = pkgs.linuxPackages_hardened;
zfs.package = pkgs.zfs_cachyos; # zfs.package = pkgs.zfs_unstable;
zfs.devNodes = "/dev/disk/by-id"; zfs.devNodes = "/dev/disk/by-id";
zfs.extraPools = [ "nas-pool" ];
initrd = {
luks.devices = {
"crypt-nas" = {
device = "/dev/disk/by-id/ata-ST4000NM0035-1V4107_ZC1A7CWN";
keyFile = "/nas_keyfile0.bin";
};
};
secrets = {
"/nas_keyfile0.bin" = "/etc/secrets/nas_keyfile0.bin";
};
supportedFilesystems = [ "zfs" ];
};
loader = { loader = {
grub = { grub = {
@ -33,10 +50,11 @@
"scsi_mod.use_blk_mq=1" "scsi_mod.use_blk_mq=1"
"pti=off" "pti=off"
"spectre_v2=off" "spectre_v2=off"
"systemd.setenv=SYSTEMD_SULOGIN_FORCE=1"
]; ];
kernel.sysctl = { kernel.sysctl = {
"kernel.split_lock_mitigate" = 0; "kernel.split_lock_mitigate" = 0;
"vm.overcommit_memory" = 1; "vm.overcommit_memory" = mkForce 1;
}; };
tmp.useTmpfs = true; tmp.useTmpfs = true;

58
hosts/orion/default.nix
View File

@ -4,6 +4,9 @@
inputs, inputs,
... ...
}: }:
let
inherit (lib) concatLists unique;
in
{ {
imports = [ imports = [
inputs.srvos.nixosModules.server inputs.srvos.nixosModules.server
@ -94,7 +97,6 @@
mkvtoolnix-cli mkvtoolnix-cli
nfs-utils nfs-utils
p7zip p7zip
podman-compose
pwgen pwgen
ripgrep ripgrep
rsync rsync
@ -102,6 +104,13 @@
smartmontools smartmontools
]; ];
ataraxia.services.nginx.enable = true;
ataraxia.services.nginx.defaultSettings = {
useACMEHost = "ataraxiadev.com";
enableACME = false;
forceSSL = true;
};
ataraxia.containers.filestash.enable = true; ataraxia.containers.filestash.enable = true;
ataraxia.containers.media-stack.enable = true; ataraxia.containers.media-stack.enable = true;
ataraxia.containers.tinyproxy.enable = true; ataraxia.containers.tinyproxy.enable = true;
@ -110,10 +119,57 @@
ataraxia.services.gitea.enable = true; ataraxia.services.gitea.enable = true;
ataraxia.services.syncyomi.enable = true; ataraxia.services.syncyomi.enable = true;
ataraxia.services.vaultwarden.enable = true; ataraxia.services.vaultwarden.enable = true;
ataraxia.services.headscale.enable = true;
ataraxia.services.headscale.extraDns = unique (
concatLists (
map
(name: [
{
inherit name;
type = "A";
value = "100.64.0.1";
}
{
inherit name;
type = "AAAA";
value = "fd7a:115c:a1e0::1";
}
])
[
"api.ataraxiadev.com"
"cache.ataraxiadev.com"
"cal.ataraxiadev.com"
"code.ataraxiadev.com"
"docs.ataraxiadev.com"
"element.ataraxiadev.com"
"files.ataraxiadev.com"
"home.ataraxiadev.com"
"jackett.ataraxiadev.com"
"jellyfin.ataraxiadev.com"
"kavita.ataraxiadev.com"
"ldap.ataraxiadev.com"
"lib.ataraxiadev.com"
"matrix.ataraxiadev.com"
"medusa.ataraxiadev.com"
"pdf.ataraxiadev.com"
"qbit.ataraxiadev.com"
"radarr.ataraxiadev.com"
"restic.ataraxiadev.com"
"s3.ataraxiadev.com"
"sonarr.ataraxiadev.com"
"tools.ataraxiadev.com"
"turn.ataraxiadev.com"
"vw.ataraxiadev.com"
"wiki.ataraxiadev.com"
]
)
);
ataraxia.virtualisation.guests = { ataraxia.virtualisation.guests = {
omv = { omv = {
autoStart = true; autoStart = true;
user = "root";
group = "root";
xmlFile = ./vm/omv.xml; xmlFile = ./vm/omv.xml;
}; };
}; };

4
modules/nixos/applications/corectrl.nix
View File

@ -2,10 +2,10 @@
config, config,
lib, lib,
pkgs, pkgs,
useHomeManager,
... ...
}: }:
let let
inherit (builtins) hasAttr;
inherit (lib) mkEnableOption mkIf; inherit (lib) mkEnableOption mkIf;
cfg = config.ataraxia.programs.corectrl; cfg = config.ataraxia.programs.corectrl;
defaultUser = config.ataraxia.defaults.users.defaultUser; defaultUser = config.ataraxia.defaults.users.defaultUser;
@ -22,7 +22,7 @@ in
# gpuOverclock.ppfeaturemask = "0xffffffff"; # gpuOverclock.ppfeaturemask = "0xffffffff";
}; };
home-manager = mkIf (hasAttr "users" config.home-manager) { home-manager = mkIf useHomeManager {
users.${defaultUser} = { users.${defaultUser} = {
startupApplications = [ "${pkgs.corectrl}/bin/corectrl" ]; startupApplications = [ "${pkgs.corectrl}/bin/corectrl" ];
persist.state.directories = [ ".config/corectrl" ]; persist.state.directories = [ ".config/corectrl" ];

4
modules/nixos/applications/steam.nix
View File

@ -2,10 +2,10 @@
config, config,
lib, lib,
pkgs, pkgs,
useHomeManager,
... ...
}: }:
let let
inherit (builtins) hasAttr;
inherit (lib) mkEnableOption mkIf; inherit (lib) mkEnableOption mkIf;
cfg = config.ataraxia.programs.steam; cfg = config.ataraxia.programs.steam;
defaultUser = config.ataraxia.defaults.users.defaultUser; defaultUser = config.ataraxia.defaults.users.defaultUser;
@ -43,7 +43,7 @@ in
}; };
programs.steam.gamescopeSession.args = [ "--adaptive-sync" ]; programs.steam.gamescopeSession.args = [ "--adaptive-sync" ];
home-manager = mkIf (hasAttr "users" config.home-manager) { home-manager = mkIf useHomeManager {
users.${defaultUser} = { users.${defaultUser} = {
startupApplications = [ "${config.programs.steam.package}/bin/steam" ]; startupApplications = [ "${config.programs.steam.package}/bin/steam" ];
persist.state.directories = [ ".local/share/Steam" ]; persist.state.directories = [ ".local/share/Steam" ];

4
modules/nixos/applications/waydroid.nix
View File

@ -2,10 +2,10 @@
config, config,
lib, lib,
pkgs, pkgs,
useHomeManager,
... ...
}: }:
let let
inherit (builtins) hasAttr;
inherit (lib) mkEnableOption mkIf; inherit (lib) mkEnableOption mkIf;
cfg = config.ataraxia.programs.waydroid; cfg = config.ataraxia.programs.waydroid;
defaultUser = config.ataraxia.defaults.users.defaultUser; defaultUser = config.ataraxia.defaults.users.defaultUser;
@ -21,7 +21,7 @@ in
persist.state.directories = [ "/var/lib/waydroid" ]; persist.state.directories = [ "/var/lib/waydroid" ];
home-manager = mkIf (hasAttr "users" config.home-manager) { home-manager = mkIf useHomeManager {
users.${defaultUser} = { users.${defaultUser} = {
home.packages = with pkgs; [ waydroid-script ]; home.packages = with pkgs; [ waydroid-script ];
persist.state.directories = [ persist.state.directories = [

70
modules/nixos/containers/filestash.nix
View File

@ -1,33 +1,71 @@
{ config, lib, ... }: { config, lib, ... }:
let let
inherit (lib) mkEnableOption mkIf; inherit (lib)
mkEnableOption
mkIf
mkOption
recursiveUpdate
;
inherit (lib.types) bool;
inherit (config.virtualisation.quadlet) networks;
cfg = config.ataraxia.containers.filestash; cfg = config.ataraxia.containers.filestash;
nginx = config.ataraxia.services.nginx;
nas-path = "/media/nas/media-stack"; nas-path = "/media/nas/media-stack";
domain = "files.ataraxiadev.com";
port = "8334";
in in
{ {
options.ataraxia.containers.filestash = { options.ataraxia.containers.filestash = {
enable = mkEnableOption "Enable filestash container"; enable = mkEnableOption "Enable filestash container";
nginxHost = mkOption {
type = bool;
default = config.ataraxia.services.nginx.enable;
description = "Enable nginx vHost integration";
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
virtualisation.oci-containers.containers.filestash = { virtualisation.quadlet.containers.filestash = {
autoStart = true; autoStart = true;
environment = { containerConfig = {
PUID = "1000"; environments = {
PGID = "100"; PUID = "1000";
UMASK = "002"; PGID = "100";
TZ = "Europe/Moscow"; UMASK = "002";
APPLICATION_URL = "files.ataraxiadev.com"; TZ = "Europe/Moscow";
CANARY = "true"; APPLICATION_URL = domain;
CANARY = "true";
};
# Tags: latest
image = "docker.io/machines/filestash@sha256:923c3399768fada3424bb6f3bc01521dad30e9a7a840cfb2eba3610b6acafffe";
networks = [ networks.br-services.ref ];
publishPorts = [ "127.0.0.1:${port}:${port}/tcp" ];
volumes = [
"${nas-path}/configs/filestash:/app/data/state"
"${nas-path}:/mnt"
];
};
};
services.nginx.virtualHosts = mkIf cfg.nginxHost {
${domain} = recursiveUpdate nginx.defaultSettings {
locations."/" = {
proxyPass = "http://127.0.0.1:${port}";
proxyWebsockets = true;
extraConfig = ''
allow 127.0.0.1/32;
allow 100.64.0.0/16;
allow 10.10.10.0/24;
allow fd7a:115c:a1e0::/64;
deny all;
proxy_busy_buffers_size 1024k;
proxy_buffers 32 1024k;
proxy_buffer_size 1024k;
proxy_read_timeout 86400;
'';
};
}; };
# Tags: latest
image = "docker.io/machines/filestash@sha256:923c3399768fada3424bb6f3bc01521dad30e9a7a840cfb2eba3610b6acafffe";
ports = [ "127.0.0.1:8334:8334/tcp" ];
volumes = [
"${nas-path}/configs/filestash:/app/data/state"
"${nas-path}:/mnt"
];
}; };
}; };
} }

30
modules/nixos/containers/media-stack/caddy.nix
View File

@ -8,6 +8,8 @@ let
inherit (lib) mkEnableOption mkIf; inherit (lib) mkEnableOption mkIf;
cfg = config.ataraxia.containers.media-stack; cfg = config.ataraxia.containers.media-stack;
pods = config.virtualisation.quadlet.pods;
nas-path = "/media/nas/media-stack"; nas-path = "/media/nas/media-stack";
caddyconf = pkgs.writeText "Caddyfile" '' caddyconf = pkgs.writeText "Caddyfile" ''
@ -47,21 +49,23 @@ in
}; };
config = mkIf cfg.caddy { config = mkIf cfg.caddy {
virtualisation.oci-containers.containers.media-caddy = { virtualisation.quadlet.containers.caddy = {
autoStart = true; autoStart = true;
# Tags: release-20b7f25, release-2.10.0, release containerConfig = {
image = "ghcr.io/hotio/caddy@sha256:937fe02672e7ce7f189e28d45c4ccfe86b2a7d5791b4e04badb55e143e32d5b7"; # Tags: release-20b7f25, release-2.10.0, release
environment = { image = "ghcr.io/hotio/caddy@sha256:937fe02672e7ce7f189e28d45c4ccfe86b2a7d5791b4e04badb55e143e32d5b7";
PUID = "1000"; pod = pods.media-stack.ref;
PGID = "100"; environments = {
UMASK = "002"; PUID = "1000";
TZ = "Europe/Moscow"; PGID = "100";
UMASK = "002";
TZ = "Europe/Moscow";
};
volumes = [
"${nas-path}/configs/caddy:/config"
"${caddyconf}:/config/Caddyfile"
];
}; };
extraOptions = [ "--pod=media-stack" ];
volumes = [
"${nas-path}/configs/caddy:/config"
"${caddyconf}:/config/Caddyfile"
];
}; };
}; };
} }

103
modules/nixos/containers/media-stack/default.nix
View File

@ -1,7 +1,6 @@
{ {
config, config,
lib, lib,
pkgs,
... ...
}: }:
let let
@ -9,16 +8,22 @@ let
mkDefault mkDefault
mkEnableOption mkEnableOption
mkIf mkIf
optionals mkOption
recursiveUpdate
; ;
inherit (lib.types) bool;
cfg = config.ataraxia.containers.media-stack; cfg = config.ataraxia.containers.media-stack;
networks = config.virtualisation.quadlet.networks;
nginx = config.ataraxia.services.nginx;
backend = config.virtualisation.oci-containers.backend; caddy-port = "8180";
pod-name = "media-stack"; # TODO: fix caddy for medusa. Maybe change to something else
medusa-port = "8180";
open-ports = [ open-ports = [
# caddy # caddy
"127.0.0.1:8180:8180" "127.0.0.1:${caddy-port}:${caddy-port}"
"127.0.0.1:${medusa-port}:${medusa-port}"
# qbittorrent # qbittorrent
"0.0.0.0:7000:7000" "0.0.0.0:7000:7000"
"0.0.0.0:7000:7000/udp" "0.0.0.0:7000:7000/udp"
@ -41,6 +46,11 @@ in
options.ataraxia.containers.media-stack = { options.ataraxia.containers.media-stack = {
enable = mkEnableOption "Enable media-stack containers"; enable = mkEnableOption "Enable media-stack containers";
nginxHost = mkOption {
type = bool;
default = config.ataraxia.services.nginx.enable;
description = "Enable nginx vHost integration";
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -55,40 +65,59 @@ in
ataraxia.containers.media-stack.recyclarr = mkDefault true; ataraxia.containers.media-stack.recyclarr = mkDefault true;
ataraxia.containers.media-stack.sonarr = mkDefault true; ataraxia.containers.media-stack.sonarr = mkDefault true;
systemd.services."podman-create-${pod-name}" = virtualisation.quadlet.pods.media-stack = {
let podConfig = {
portsMapping = lib.concatMapStrings (port: " -p " + port) open-ports; dns = [ pod-dns ];
start = pkgs.writeShellScript "create-pod-${pod-name}" '' networks = [ networks.br-services.ref ];
podman pod exists ${pod-name} || podman pod create -n ${pod-name} ${portsMapping} --dns ${pod-dns} publishPorts = open-ports;
''; };
stop = pkgs.writeShellScript "remove-pod-${pod-name}" '' };
podman pod rm -i -f ${pod-name}
''; services.nginx.virtualHosts = mkIf cfg.nginxHost {
in "media-stack" = recursiveUpdate nginx.defaultSettings {
rec { serverAliases = [
path = [ "jackett.ataraxiadev.com"
pkgs.coreutils "kavita.ataraxiadev.com"
config.virtualisation.podman.package "lidarr.ataraxiadev.com"
"qbit.ataraxiadev.com"
"radarr.ataraxiadev.com"
"sonarr.ataraxiadev.com"
]; ];
before = locations."/" = {
[ ] proxyPass = "http://127.0.0.1:${caddy-port}";
++ optionals cfg.caddy [ "${backend}-media-caddy.service" ] proxyWebsockets = true;
++ optionals cfg.jackett [ "${backend}-jackett.service" ] extraConfig = ''
++ optionals cfg.jellyfin [ "${backend}-jellyfin.service" ] proxy_buffer_size 128k;
++ optionals cfg.kavita [ "${backend}-kavita.service" ] proxy_buffers 4 256k;
++ optionals cfg.lidarr [ "${backend}-lidarr.service" ] proxy_busy_buffers_size 256k;
++ optionals cfg.medusa [ "${backend}-medusa.service" ] send_timeout 15m;
++ optionals cfg.qbittorrent [ "${backend}-qbittorrent.service" ] proxy_connect_timeout 600;
++ optionals cfg.radarr [ "${backend}-radarr.service" ] proxy_send_timeout 600;
++ optionals cfg.recyclarr [ "${backend}-recyclarr.service" ] proxy_read_timeout 15m;
++ optionals cfg.sonarr [ "${backend}-sonarr.service" ]; '';
requiredBy = before;
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "yes";
ExecStart = start;
ExecStop = stop;
}; };
}; };
"jellyfin.ataraxiadev.com" = recursiveUpdate nginx.defaultSettings {
locations."/" = {
proxyPass = "http://127.0.0.1:${caddy-port}";
extraConfig = ''
proxy_buffering off;
'';
};
locations."/socket" = {
proxyPass = "http://127.0.0.1:${caddy-port}";
proxyWebsockets = true;
};
extraConfig = ''
client_max_body_size 50M;
'';
};
"medusa.ataraxiadev.com" = recursiveUpdate nginx.defaultSettings {
locations."/" = {
proxyPass = "http://127.0.0.1:${medusa-port}";
proxyWebsockets = true;
};
};
};
}; };
} }

28
modules/nixos/containers/media-stack/jackett.nix
View File

@ -3,6 +3,8 @@ let
inherit (lib) mkEnableOption mkIf; inherit (lib) mkEnableOption mkIf;
cfg = config.ataraxia.containers.media-stack; cfg = config.ataraxia.containers.media-stack;
pods = config.virtualisation.quadlet.pods;
nas-path = "/media/nas/media-stack"; nas-path = "/media/nas/media-stack";
in in
{ {
@ -11,20 +13,22 @@ in
}; };
config = mkIf cfg.jackett { config = mkIf cfg.jackett {
virtualisation.oci-containers.containers.jackett = { virtualisation.quadlet.containers.jackett = {
autoStart = true; autoStart = true;
environment = { containerConfig = {
PUID = "1000"; # Tags: 0.22.2117, version-v0.22.2117, v0.22.2117-ls80
PGID = "100"; image = "docker.io/linuxserver/jackett@sha256:221606b0ed7df0d66e601d0ba83f5f9cc9b9c761bafad3507d6854406b3a447b";
UMASK = "002"; pod = pods.media-stack.ref;
TZ = "Europe/Moscow"; environments = {
PUID = "1000";
PGID = "100";
UMASK = "002";
TZ = "Europe/Moscow";
};
volumes = [
"${nas-path}/configs/jackett:/config"
];
}; };
extraOptions = [ "--pod=media-stack" ];
# Tags: 0.22.2117, version-v0.22.2117, v0.22.2117-ls80
image = "docker.io/linuxserver/jackett@sha256:221606b0ed7df0d66e601d0ba83f5f9cc9b9c761bafad3507d6854406b3a447b";
volumes = [
"${nas-path}/configs/jackett:/config"
];
}; };
}; };
} }

48
modules/nixos/containers/media-stack/jellyfin.nix
View File

@ -8,6 +8,8 @@ let
inherit (lib) mkEnableOption mkIf; inherit (lib) mkEnableOption mkIf;
cfg = config.ataraxia.containers.media-stack; cfg = config.ataraxia.containers.media-stack;
pods = config.virtualisation.quadlet.pods;
nas-path = "/media/nas/media-stack"; nas-path = "/media/nas/media-stack";
renderGid = toString config.users.groups.render.gid; renderGid = toString config.users.groups.render.gid;
videoGid = toString config.users.groups.video.gid; videoGid = toString config.users.groups.video.gid;
@ -23,29 +25,33 @@ in
}; };
config = mkIf cfg.jellyfin { config = mkIf cfg.jellyfin {
virtualisation.oci-containers.containers.jellyfin = { virtualisation.quadlet.containers.jellyfin = {
autoStart = true; autoStart = true;
# Tags: 10.10.7, version-10.10.7ubu2404, 10.10.7ubu2404-ls68 containerConfig = {
image = "docker.io/linuxserver/jellyfin@sha256:d325675bce77eda246f13d0aa2bf94002d4e426e6e1783594cf9b6df164fcb23"; # Tags: 10.10.7, version-10.10.7ubu2404, 10.10.7ubu2404-ls68
environment = { image = "docker.io/linuxserver/jellyfin@sha256:d325675bce77eda246f13d0aa2bf94002d4e426e6e1783594cf9b6df164fcb23";
PUID = "1000"; pod = pods.media-stack.ref;
PGID = "100"; environments = {
UMASK = "002"; PUID = "1000";
TZ = "Europe/Moscow"; PGID = "100";
http_proxy = "http://10.10.10.6:8888"; UMASK = "002";
https_proxy = "http://10.10.10.6:8888"; TZ = "Europe/Moscow";
http_proxy = "http://10.10.10.6:8888";
https_proxy = "http://10.10.10.6:8888";
};
addGroups = [
renderGid
videoGid
inputGid
];
devices = [ "/dev/dri/renderD128" ];
# podmanArgs = [ "--privileged" ];
volumes = [
"${nas-path}/configs/jellyfin:/config"
"${nas-path}/media:/data/media"
"${intro-skipper-fix}:/custom-cont-init.d/intro-skipper-fix:ro"
];
}; };
extraOptions = [
"--pod=media-stack"
"--device=/dev/dri/renderD128:/dev/dri/renderD128"
"--group-add=${renderGid},${videoGid},${inputGid}"
# "--privileged"
];
volumes = [
"${nas-path}/configs/jellyfin:/config"
"${nas-path}/media:/data/media"
"${intro-skipper-fix}:/custom-cont-init.d/intro-skipper-fix:ro"
];
}; };
}; };
} }

38
modules/nixos/containers/media-stack/kavita.nix
View File

@ -3,6 +3,8 @@ let
inherit (lib) mkEnableOption mkIf; inherit (lib) mkEnableOption mkIf;
cfg = config.ataraxia.containers.media-stack; cfg = config.ataraxia.containers.media-stack;
pods = config.virtualisation.quadlet.pods;
nas-path = "/media/nas/media-stack"; nas-path = "/media/nas/media-stack";
in in
{ {
@ -11,25 +13,27 @@ in
}; };
config = mkIf cfg.kavita { config = mkIf cfg.kavita {
virtualisation.oci-containers.containers.kavita = { virtualisation.quadlet.containers.kavita = {
autoStart = true; autoStart = true;
# Tags: 0.8.6, version-v0.8.6.2, v0.8.6.2-ls79 containerConfig = {
image = "docker.io/linuxserver/kavita@sha256:b222e4b2137db2301756d018076d0bfee858077d8af24d709f1f4003d628e580"; # Tags: 0.8.6, version-v0.8.6.2, v0.8.6.2-ls79
environment = { image = "docker.io/linuxserver/kavita@sha256:b222e4b2137db2301756d018076d0bfee858077d8af24d709f1f4003d628e580";
PUID = "1000"; pod = pods.media-stack.ref;
PGID = "100"; environments = {
TZ = "Europe/Moscow"; PUID = "1000";
DOTNET_SYSTEM_GLOBALIZATION_INVARIANT = "true"; PGID = "100";
TZ = "Europe/Moscow";
DOTNET_SYSTEM_GLOBALIZATION_INVARIANT = "true";
};
volumes = [
"${nas-path}/configs/kavita:/config"
"${nas-path}/media/books:/data/books"
"${nas-path}/media/comics:/data/comics"
"${nas-path}/media/fanfics:/data/fanfics"
"${nas-path}/media/manga:/data/manga"
"${nas-path}/media/novels:/data/novels"
];
}; };
extraOptions = [ "--pod=media-stack" ];
volumes = [
"${nas-path}/configs/kavita:/config"
"${nas-path}/media/books:/data/books"
"${nas-path}/media/comics:/data/comics"
"${nas-path}/media/fanfics:/data/fanfics"
"${nas-path}/media/manga:/data/manga"
"${nas-path}/media/novels:/data/novels"
];
}; };
}; };
} }

32
modules/nixos/containers/media-stack/lidarr.nix
View File

@ -3,6 +3,8 @@ let
inherit (lib) mkEnableOption mkIf; inherit (lib) mkEnableOption mkIf;
cfg = config.ataraxia.containers.media-stack; cfg = config.ataraxia.containers.media-stack;
pods = config.virtualisation.quadlet.pods;
nas-path = "/media/nas/media-stack"; nas-path = "/media/nas/media-stack";
in in
{ {
@ -11,22 +13,24 @@ in
}; };
config = mkIf cfg.lidarr { config = mkIf cfg.lidarr {
virtualisation.oci-containers.containers.lidarr = { virtualisation.quadlet.containers.lidarr = {
autoStart = true; autoStart = true;
environment = { containerConfig = {
PUID = "1000"; # Tags: 2.12.4, version-2.12.4.4658, 2.12.4.4658-ls45
PGID = "100"; image = "docker.io/linuxserver/lidarr@sha256:71fe6d5702691c6ac8961b9b1042fdea1ff833a49c82c5e165346fa88999a48a";
TZ = "Europe/Moscow"; pod = pods.media-stack.ref;
environments = {
PUID = "1000";
PGID = "100";
TZ = "Europe/Moscow";
};
volumes = [
"${nas-path}/configs/lidarr/config:/config"
"${nas-path}/configs/lidarr/custom-services.d:/custom-services.d"
"${nas-path}/configs/lidarr/custom-cont-init.d:/custom-cont-init.d"
"${nas-path}:/data"
];
}; };
extraOptions = [ "--pod=media-stack" ];
# Tags: 2.12.4, version-2.12.4.4658, 2.12.4.4658-ls45
image = "docker.io/linuxserver/lidarr@sha256:71fe6d5702691c6ac8961b9b1042fdea1ff833a49c82c5e165346fa88999a48a";
volumes = [
"${nas-path}/configs/lidarr/config:/config"
"${nas-path}/configs/lidarr/custom-services.d:/custom-services.d"
"${nas-path}/configs/lidarr/custom-cont-init.d:/custom-cont-init.d"
"${nas-path}:/data"
];
}; };
}; };
} }

28
modules/nixos/containers/media-stack/medusa.nix
View File

@ -3,6 +3,8 @@ let
inherit (lib) mkEnableOption mkIf; inherit (lib) mkEnableOption mkIf;
cfg = config.ataraxia.containers.media-stack; cfg = config.ataraxia.containers.media-stack;
pods = config.virtualisation.quadlet.pods;
nas-path = "/media/nas/media-stack"; nas-path = "/media/nas/media-stack";
in in
{ {
@ -11,20 +13,22 @@ in
}; };
config = mkIf cfg.medusa { config = mkIf cfg.medusa {
virtualisation.oci-containers.containers.medusa = { virtualisation.quadlet.containers.medusa = {
autoStart = true; autoStart = true;
# Tags: 1.0.22, version-v1.0.22, v1.0.22-ls230 containerConfig = {
image = "docker.io/linuxserver/medusa@sha256:89d7397b64b079050d8d20284fc692aee36a196885f57e5d9a396455d58a130d"; # Tags: 1.0.22, version-v1.0.22, v1.0.22-ls230
environment = { image = "docker.io/linuxserver/medusa@sha256:89d7397b64b079050d8d20284fc692aee36a196885f57e5d9a396455d58a130d";
PUID = "1000"; pod = pods.media-stack.ref;
PGID = "100"; environments = {
TZ = "Europe/Moscow"; PUID = "1000";
PGID = "100";
TZ = "Europe/Moscow";
};
volumes = [
"${nas-path}/configs/medusa:/config"
"${nas-path}:/data"
];
}; };
extraOptions = [ "--pod=media-stack" ];
volumes = [
"${nas-path}/configs/medusa:/config"
"${nas-path}:/data"
];
}; };
}; };
} }

66
modules/nixos/containers/media-stack/qbittorrent.nix
View File

@ -1,17 +1,12 @@
{ { config, lib, ... }:
config,
lib,
pkgs,
...
}:
let let
inherit (lib) mkEnableOption mkIf; inherit (lib) mkEnableOption mkIf;
cfg = config.ataraxia.containers.media-stack; cfg = config.ataraxia.containers.media-stack;
volumes = config.virtualisation.quadlet.volumes;
pods = config.virtualisation.quadlet.pods;
backend = "podman";
nas-path = "/media/nas/media-stack"; nas-path = "/media/nas/media-stack";
volume = "local-nfs";
nfs-share = "10.10.10.11:/"; nfs-share = "10.10.10.11:/";
in in
{ {
@ -20,40 +15,35 @@ in
}; };
config = mkIf cfg.qbittorrent { config = mkIf cfg.qbittorrent {
virtualisation.oci-containers.containers.qbittorrent = { virtualisation.quadlet.containers.qbittorrent = {
autoStart = true; autoStart = true;
# Tags: 5.1.2, version-5.1.2-r0, 5.1.2-r0-ls402 containerConfig = {
image = "docker.io/linuxserver/qbittorrent@sha256:94c8c82291c4fcf86084a6efb9f806786296fad48739e4723dc9a5393073a2ae"; # Tags: 5.1.2, version-5.1.2-r0, 5.1.2-r0-ls402
environment = { image = "docker.io/linuxserver/qbittorrent@sha256:94c8c82291c4fcf86084a6efb9f806786296fad48739e4723dc9a5393073a2ae";
PUID = "1000"; pod = pods.media-stack.ref;
PGID = "100"; environments = {
UMASK = "002"; PUID = "1000";
TZ = "Europe/Moscow"; PGID = "100";
TORRENTING_PORT = "7000"; UMASK = "002";
DOCKER_MODS = "ghcr.io/gabe565/linuxserver-mod-vuetorrent"; TZ = "Europe/Moscow";
TORRENTING_PORT = "7000";
DOCKER_MODS = "ghcr.io/gabe565/linuxserver-mod-vuetorrent";
};
volumes = [
"${nas-path}/configs/qbittorrent:/config"
"${nas-path}:/data"
"${volumes.nfs-share.ref}:/nfs"
];
}; };
extraOptions = [ "--pod=media-stack" ];
volumes = [
"${nas-path}/configs/qbittorrent:/config"
"${nas-path}:/data"
"${volume}:/nfs"
];
}; };
systemd.services."podman-create-volume-${volume}" = virtualisation.quadlet.volumes.nfs-share = {
let volumeConfig = {
start = pkgs.writeShellScript "create-volume-${volume}" '' device = nfs-share;
podman volume exists ${volume} || podman volume create --opt type=nfs4 --opt o=rw --opt device=${nfs-share} ${volume} type = "nfs4";
''; options = "rw";
in
rec {
path = [ config.virtualisation.podman.package ];
before = [ "${backend}-qbittorrent.service" ];
requiredBy = before;
serviceConfig = {
Type = "oneshot";
ExecStart = start;
};
}; };
};
}; };
} }

30
modules/nixos/containers/media-stack/radarr.nix
View File

@ -3,6 +3,8 @@ let
inherit (lib) mkEnableOption mkIf; inherit (lib) mkEnableOption mkIf;
cfg = config.ataraxia.containers.media-stack; cfg = config.ataraxia.containers.media-stack;
pods = config.virtualisation.quadlet.pods;
nas-path = "/media/nas/media-stack"; nas-path = "/media/nas/media-stack";
in in
{ {
@ -11,21 +13,23 @@ in
}; };
config = mkIf cfg.radarr { config = mkIf cfg.radarr {
virtualisation.oci-containers.containers.radarr = { virtualisation.quadlet.containers.radarr = {
autoStart = true; autoStart = true;
environment = { containerConfig = {
PUID = "1000"; # Tags: 5.26.2, version-5.26.2.10099, 5.26.2.10099-ls276
PGID = "100"; image = "docker.io/linuxserver/radarr@sha256:07a474b61394553e047ad43a1a78c1047fc99be0144c509dd91e3877f402ebcb";
UMASK = "002"; pod = pods.media-stack.ref;
TZ = "Europe/Moscow"; environments = {
PUID = "1000";
PGID = "100";
UMASK = "002";
TZ = "Europe/Moscow";
};
volumes = [
"${nas-path}/configs/radarr:/config"
"${nas-path}:/data"
];
}; };
extraOptions = [ "--pod=media-stack" ];
# Tags: 5.26.2, version-5.26.2.10099, 5.26.2.10099-ls276
image = "docker.io/linuxserver/radarr@sha256:07a474b61394553e047ad43a1a78c1047fc99be0144c509dd91e3877f402ebcb";
volumes = [
"${nas-path}/configs/radarr:/config"
"${nas-path}:/data"
];
}; };
}; };
} }

26
modules/nixos/containers/media-stack/recyclarr.nix
View File

@ -3,6 +3,8 @@ let
inherit (lib) mkEnableOption mkIf; inherit (lib) mkEnableOption mkIf;
cfg = config.ataraxia.containers.media-stack; cfg = config.ataraxia.containers.media-stack;
pods = config.virtualisation.quadlet.pods;
nas-path = "/media/nas/media-stack"; nas-path = "/media/nas/media-stack";
in in
{ {
@ -11,19 +13,21 @@ in
}; };
config = mkIf cfg.recyclarr { config = mkIf cfg.recyclarr {
virtualisation.oci-containers.containers.recyclarr = { virtualisation.quadlet.containers.recyclarr = {
autoStart = true; autoStart = true;
environment = { containerConfig = {
CRON_SCHEDULE = "@daily"; # Tags: 7.4.1, 7.4, 7
TZ = "Europe/Moscow"; image = "ghcr.io/recyclarr/recyclarr@sha256:759540877f95453eca8a26c1a93593e783a7a824c324fbd57523deffb67f48e1";
pod = pods.media-stack.ref;
user = "1000:100";
environments = {
CRON_SCHEDULE = "@daily";
TZ = "Europe/Moscow";
};
volumes = [
"${nas-path}/configs/recyclarr:/config"
];
}; };
extraOptions = [ "--pod=media-stack" ];
# Tags: 7.4.1, 7.4, 7
image = "ghcr.io/recyclarr/recyclarr@sha256:759540877f95453eca8a26c1a93593e783a7a824c324fbd57523deffb67f48e1";
volumes = [
"${nas-path}/configs/recyclarr:/config"
];
user = "1000:100";
}; };
}; };
} }

30
modules/nixos/containers/media-stack/sonarr.nix
View File

@ -3,6 +3,8 @@ let
inherit (lib) mkEnableOption mkIf; inherit (lib) mkEnableOption mkIf;
cfg = config.ataraxia.containers.media-stack; cfg = config.ataraxia.containers.media-stack;
pods = config.virtualisation.quadlet.pods;
nas-path = "/media/nas/media-stack"; nas-path = "/media/nas/media-stack";
in in
{ {
@ -11,21 +13,23 @@ in
}; };
config = mkIf cfg.sonarr { config = mkIf cfg.sonarr {
virtualisation.oci-containers.containers.sonarr = { virtualisation.quadlet.containers.sonarr = {
autoStart = true; autoStart = true;
environment = { containerConfig = {
PUID = "1000"; # Tags: 4.0.15, version-4.0.15.2941, 4.0.15.2941-ls285
PGID = "100"; image = "docker.io/linuxserver/sonarr@sha256:1156329d544b38bd1483add75c9b72c559f20e1ca043fd2d6376c2589d38951f";
UMASK = "002"; pod = pods.media-stack.ref;
TZ = "Europe/Moscow"; environments = {
PUID = "1000";
PGID = "100";
UMASK = "002";
TZ = "Europe/Moscow";
};
volumes = [
"${nas-path}/configs/sonarr:/config"
"${nas-path}:/data"
];
}; };
extraOptions = [ "--pod=media-stack" ];
# Tags: 4.0.15, version-4.0.15.2941, 4.0.15.2941-ls285
image = "docker.io/linuxserver/sonarr@sha256:1156329d544b38bd1483add75c9b72c559f20e1ca043fd2d6376c2589d38951f";
volumes = [
"${nas-path}/configs/sonarr:/config"
"${nas-path}:/data"
];
}; };
}; };
} }

3
modules/nixos/containers/tinyproxy.nix
View File

@ -50,7 +50,7 @@ in
RuntimeDirectoryMode = "0700"; RuntimeDirectoryMode = "0700";
ExecStart = [ ExecStart = [
"" ""
"${lib.getExe cfg.package} -D \${STATE_DIRECTORY} -C \${RUNTIME_DIRECTORY} run" "${lib.getExe pkgs.sing-box} -D \${STATE_DIRECTORY} -C \${RUNTIME_DIRECTORY} run"
]; ];
}; };
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
@ -70,6 +70,7 @@ in
rejectPackets = false; rejectPackets = false;
}; };
}; };
system.stateVersion = "25.05";
}; };
}; };
}; };

3
modules/nixos/roles/default.nix
View File

@ -3,6 +3,7 @@
lib, lib,
pkgs, pkgs,
inputs, inputs,
useHomeManager,
... ...
}: }:
let let
@ -46,6 +47,7 @@ in
ataraxia.defaults.nix.enable = mkDefault true; ataraxia.defaults.nix.enable = mkDefault true;
ataraxia.defaults.ssh.enable = mkDefault true; ataraxia.defaults.ssh.enable = mkDefault true;
ataraxia.defaults.users.enable = mkDefault true; ataraxia.defaults.users.enable = mkDefault true;
ataraxia.defaults.zsh.enable = mkDefault (!useHomeManager);
programs.nix-index.enable = mkDefault true; programs.nix-index.enable = mkDefault true;
programs.nix-index-database.comma.enable = mkDefault true; programs.nix-index-database.comma.enable = mkDefault true;
@ -87,7 +89,6 @@ in
ataraxia.profiles.minimal = mkDefault true; ataraxia.profiles.minimal = mkDefault true;
ataraxia.virtualisation.podman = mkDefault true; ataraxia.virtualisation.podman = mkDefault true;
ataraxia.virtualisation.libvirt = mkDefault true; ataraxia.virtualisation.libvirt = mkDefault true;
virtualisation.quadlet.enable = mkDefault true;
boot.supportedFilesystems = [ "nfs" ]; boot.supportedFilesystems = [ "nfs" ];

7
modules/nixos/security/acme.nix
View File

@ -1,13 +1,15 @@
{ {
config, config,
lib, lib,
inputs, secretsDir,
... ...
}: }:
let let
inherit (lib) mkEnableOption mkIf; inherit (lib) mkEnableOption mkIf;
cfg = config.ataraxia.security.acme; cfg = config.ataraxia.security.acme;
nginxEnabled = config.ataraxia.services.nginx.enable;
nginxGroup = config.services.nginx.group;
in in
{ {
options.ataraxia.security.acme = { options.ataraxia.security.acme = {
@ -16,7 +18,7 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
sops.secrets.cf-dns-api = { sops.secrets.cf-dns-api = {
sopsFile = inputs.self.secretsDir + /misc.yaml; sopsFile = secretsDir + /misc.yaml;
owner = "acme"; owner = "acme";
}; };
security.acme = { security.acme = {
@ -25,6 +27,7 @@ in
defaults.server = "https://acme-v02.api.letsencrypt.org/directory"; # production defaults.server = "https://acme-v02.api.letsencrypt.org/directory"; # production
defaults.email = "admin@ataraxiadev.com"; defaults.email = "admin@ataraxiadev.com";
defaults.renewInterval = "weekly"; defaults.renewInterval = "weekly";
defaults.group = mkIf nginxEnabled nginxGroup;
certs = { certs = {
"ataraxiadev.com" = { "ataraxiadev.com" = {
extraDomainNames = [ "*.ataraxiadev.com" ]; extraDomainNames = [ "*.ataraxiadev.com" ];

27
modules/nixos/services/authentik.nix
View File

@ -6,10 +6,17 @@
... ...
}: }:
let let
inherit (lib) mkEnableOption mkIf mkOption; inherit (lib)
inherit (lib.types) str; mkEnableOption
mkIf
mkOption
recursiveUpdate
;
inherit (lib.types) bool str;
cfg = config.ataraxia.services.authentik; cfg = config.ataraxia.services.authentik;
nginx = config.ataraxia.services.nginx;
domain = "auth.ataraxiadev.com";
in in
{ {
imports = [ inputs.ataraxiasjel-nur.nixosModules.authentik ]; imports = [ inputs.ataraxiasjel-nur.nixosModules.authentik ];
@ -23,6 +30,11 @@ in
Name for sops secrets directory. Defaults to hostname. Name for sops secrets directory. Defaults to hostname.
''; '';
}; };
nginxHost = mkOption {
type = bool;
default = config.ataraxia.services.nginx.enable;
description = "Enable nginx vHost integration";
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -45,12 +57,21 @@ in
environmentFile = config.sops.secrets.authentik-env.path; environmentFile = config.sops.secrets.authentik-env.path;
outposts.ldap = { outposts.ldap = {
enable = true; enable = true;
host = "https://auth.ataraxiadev.com"; host = "https://${domain}";
environmentFile = config.sops.secrets.authentik-ldap.path; environmentFile = config.sops.secrets.authentik-ldap.path;
listen.address = "127.0.0.1"; listen.address = "127.0.0.1";
listen.ldap = 3389; listen.ldap = 3389;
listen.ldaps = 6636; listen.ldaps = 6636;
}; };
}; };
services.nginx.virtualHosts = mkIf cfg.nginxHost {
${domain} = recursiveUpdate nginx.defaultSettings {
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.authentik.listen.http}";
proxyWebsockets = true;
};
};
};
}; };
} }

28
modules/nixos/services/gitea.nix
View File

@ -6,10 +6,17 @@
... ...
}: }:
let let
inherit (lib) mkEnableOption mkIf mkOption; inherit (lib)
inherit (lib.types) str; mkEnableOption
mkIf
mkOption
recursiveUpdate
;
inherit (lib.types) bool str;
cfg = config.ataraxia.services.gitea; cfg = config.ataraxia.services.gitea;
nginx = config.ataraxia.services.nginx;
domain = "code.ataraxiadev.com";
gitea-user = config.services.gitea.user; gitea-user = config.services.gitea.user;
# gitea-group = "gitea"; # gitea-group = "gitea";
@ -37,6 +44,11 @@ in
Name for sops secrets directory. Defaults to hostname. Name for sops secrets directory. Defaults to hostname.
''; '';
}; };
nginxHost = mkOption {
type = bool;
default = config.ataraxia.services.nginx.enable;
description = "Enable nginx vHost integration";
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -70,10 +82,10 @@ in
mailerPasswordFile = config.sops.secrets.gitea-mailer.path; mailerPasswordFile = config.sops.secrets.gitea-mailer.path;
settings = { settings = {
server = { server = {
DOMAIN = "code.ataraxiadev.com"; DOMAIN = domain;
HTTP_ADDRESS = "127.0.0.1"; HTTP_ADDRESS = "127.0.0.1";
HTTP_PORT = 6000; HTTP_PORT = 6000;
ROOT_URL = "https://code.ataraxiadev.com"; ROOT_URL = "https://${domain}";
}; };
actions = { actions = {
ENABLED = false; ENABLED = false;
@ -128,6 +140,14 @@ in
}; };
}; };
services.nginx.virtualHosts = mkIf cfg.nginxHost {
${domain} = recursiveUpdate nginx.defaultSettings {
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.gitea.settings.server.HTTP_PORT}";
};
};
};
systemd.services.gitea-dump-clean = systemd.services.gitea-dump-clean =
let let
older-than = "3"; # in days older-than = "3"; # in days

158
modules/nixos/services/headscale.nix Normal file
View File

@ -0,0 +1,158 @@
{
config,
lib,
pkgs,
secretsDir,
...
}:
let
inherit (lib)
mkEnableOption
mkIf
mkOption
recursiveUpdate
;
inherit (lib.types)
bool
enum
listOf
str
submodule
;
cfg = config.ataraxia.services.headscale;
nginx = config.ataraxia.services.nginx;
domain = "wg.ataraxiadev.com";
dnsEntry = submodule {
options = {
name = mkOption {
type = str;
};
type = mkOption {
type = enum [
"A"
"AAAA"
];
};
value = mkOption {
type = str;
};
};
};
in
{
options.ataraxia.services.headscale = {
enable = mkEnableOption "Enable headscale service";
sopsDir = mkOption {
type = str;
default = config.networking.hostName;
description = ''
Name for sops secrets directory. Defaults to hostname.
'';
};
nginxHost = mkOption {
type = bool;
default = config.ataraxia.services.nginx.enable;
description = "Enable nginx vHost integration";
};
extraDns = mkOption {
type = listOf dnsEntry;
description = ''
Extra dns records for headscale.
'';
};
};
config = mkIf cfg.enable {
services.headscale = {
enable = true;
address = "0.0.0.0";
port = 8005;
settings = {
server_url = "https://${domain}";
ip_prefixes = [
"fd7a:115c:a1e0::/64"
"100.64.0.0/16"
];
dns = {
override_local_dns = true;
base_domain = "tailnet.ataraxiadev.com";
nameservers.global = [ "127.0.0.1" ];
extra_records = cfg.extraDns;
};
oidc = {
only_start_if_oidc_is_available = true;
issuer = "https://auth.ataraxiadev.com/application/o/headscale/";
client_id = "n6UBhK8PahexLPb7GkU1xzoFLcYxQX0HWDytpUoi";
client_secret_path = config.sops.secrets.headscale-oidc.path;
scope = [
"openid"
"profile"
"email"
"groups"
];
allowed_groups = [ "headscale" ];
};
grpc_listen_addr = "127.0.0.1:50443";
grpc_allow_insecure = true;
disable_check_updates = true;
ephemeral_node_inactivity_timeout = "4h";
};
};
services.nginx.virtualHosts = mkIf cfg.nginxHost {
${domain} = recursiveUpdate nginx.defaultSettings {
locations."/headscale." = {
extraConfig = ''
grpc_pass grpc://${config.services.headscale.settings.grpc_listen_addr};
'';
priority = 1;
};
locations."/metrics" = {
proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";
extraConfig = ''
allow 100.64.0.0/16;
allow 10.10.10.0/24;
deny all;
'';
priority = 2;
};
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.headscale.port}";
proxyWebsockets = true;
priority = 3;
};
};
};
sops.secrets.headscale-oidc = {
sopsFile = secretsDir + /${cfg.sopsDir}/headscale.yaml;
owner = "headscale";
restartUnits = [ "headscale.service" ];
};
systemd.services.headscale = {
serviceConfig.TimeoutStopSec = 15;
serviceConfig.ExecStartPre =
let
waitAuthnetikReady = pkgs.writeShellScript "waitAuthnetikReady" ''
# Check until authentik is alive
max_retry=100
counter=0
until ${lib.getExe pkgs.curl} -fsSL http://auth.ataraxiadev.com/-/health/ready/
do
echo "Waiting for the authentik..."
sleep 3
[[ counter -eq $max_retry ]] && echo "Could not connect to authentik!" && exit 1
echo "Trying again. Try #$counter"
((counter++))
done
echo "Authentik is alive!"
'';
in
waitAuthnetikReady;
};
persist.state.directories = [ "/var/lib/headscale" ];
};
}

60
modules/nixos/services/nginx.nix Normal file
View File

@ -0,0 +1,60 @@
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) mkEnableOption mkIf mkOption;
inherit (lib.types) attrs;
cfg = config.ataraxia.services.nginx;
in
{
options.ataraxia.services.nginx = {
enable = mkEnableOption "Enable nginx service";
defaultSettings = mkOption {
type = attrs;
default = { };
description = ''
Default settings to append to virtualHosts. Does not apllied automatically.
Usage example: `your-host = recursiveUpdate defaultSettings { };`
'';
};
# extraConfig = mkOption {
# type = str;
# default = "";
# description = ''
# Default settings to append to extraConfig of virtual host's location. Does not apllied automatically.
# Usage example: `extraConfig = recursiveUpdate extraConfig "";`
# '';
# };
};
config = mkIf cfg.enable {
services.nginx = {
enable = true;
package = pkgs.nginxQuic;
recommendedBrotliSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedUwsgiSettings = true;
recommendedZstdSettings = true;
clientMaxBodySize = "250m";
commonHttpConfig = ''
proxy_hide_header X-Frame-Options;
'';
};
networking.firewall.allowedTCPPorts = [
80
443
];
networking.firewall.allowedUDPPorts = [
80
443
];
};
}

2
modules/nixos/services/syncyomi.nix
View File

@ -30,5 +30,7 @@ in
services.syncyomi.enable = true; services.syncyomi.enable = true;
services.syncyomi.configFile = config.sops.secrets.syncyomi.path; services.syncyomi.configFile = config.sops.secrets.syncyomi.path;
networking.firewall.allowedTCPPorts = [ 8282 ]; networking.firewall.allowedTCPPorts = [ 8282 ];
persist.state.directories = [ config.services.syncyomi.dataDir ];
}; };
} }

37
modules/nixos/services/vaultwarden.nix
View File

@ -5,10 +5,17 @@
... ...
}: }:
let let
inherit (lib) mkEnableOption mkIf mkOption; inherit (lib)
inherit (lib.types) str; mkEnableOption
mkIf
mkOption
recursiveUpdate
;
inherit (lib.types) bool str;
cfg = config.ataraxia.services.vaultwarden; cfg = config.ataraxia.services.vaultwarden;
nginx = config.ataraxia.services.nginx;
domain = "vw.ataraxiadev.com";
in in
{ {
options.ataraxia.services.vaultwarden = { options.ataraxia.services.vaultwarden = {
@ -20,6 +27,11 @@ in
Name for sops secrets directory. Defaults to hostname. Name for sops secrets directory. Defaults to hostname.
''; '';
}; };
nginxHost = mkOption {
type = bool;
default = config.ataraxia.services.nginx.enable;
description = "Enable nginx vHost integration";
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -31,7 +43,7 @@ in
enable = true; enable = true;
backupDir = "/srv/vaultwarden"; backupDir = "/srv/vaultwarden";
config = { config = {
domain = "https://vw.ataraxiadev.com"; domain = "https://${domain}";
extendedLogging = true; extendedLogging = true;
invitationsAllowed = false; invitationsAllowed = false;
useSyslog = true; useSyslog = true;
@ -56,11 +68,20 @@ in
environmentFile = config.sops.secrets.vaultwarden.path; environmentFile = config.sops.secrets.vaultwarden.path;
}; };
# We need to do this to successufully create backup folder services.nginx.virtualHosts = mkIf cfg.nginxHost {
# systemd.services.backup-vaultwarden.serviceConfig = { ${domain} = recursiveUpdate nginx.defaultSettings {
# User = "root"; locations."/" = {
# Group = "root"; proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}";
# }; };
locations."/notifications/hub" = {
proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.websocketPort}";
proxyWebsockets = true;
};
locations."/notifications/hub/negotiate" = {
proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}";
};
};
};
persist.state.directories = [ persist.state.directories = [
"/var/lib/vaultwarden" "/var/lib/vaultwarden"

42
modules/nixos/virtualisation/virtualisation.nix
View File

@ -2,15 +2,11 @@
config, config,
lib, lib,
pkgs, pkgs,
useHomeManager,
... ...
}: }:
let let
inherit (lib) inherit (lib) mkEnableOption mkIf optionals;
hasAttr
mkEnableOption
mkIf
optionals
;
cfg = config.ataraxia.virtualisation; cfg = config.ataraxia.virtualisation;
defaultUser = config.ataraxia.defaults.users.defaultUser; defaultUser = config.ataraxia.defaults.users.defaultUser;
@ -39,6 +35,14 @@ in
defaultNetwork.settings.dns_enabled = true; defaultNetwork.settings.dns_enabled = true;
dockerSocket.enable = !config.virtualisation.docker.enable; dockerSocket.enable = !config.virtualisation.docker.enable;
}; };
containers.containersConf.settings = {
network = {
dns_servers = [
"10.10.10.1"
"host"
];
};
};
containers.registries.search = [ containers.registries.search = [
"docker.io" "docker.io"
"ghcr.io" "ghcr.io"
@ -69,8 +73,29 @@ in
}; };
spiceUSBRedirection.enable = cfg.libvirt; spiceUSBRedirection.enable = cfg.libvirt;
quadlet = {
enable = true;
autoEscape = true;
autoUpdate.enable = false;
networks = {
br-services.networkConfig = {
# TODO: enable dns, fix dns resolution
# dns = [ "10.10.10.1" ];
disableDns = true;
driver = "bridge";
ipamDriver = "host-local";
ipv6 = false;
name = "br-services";
podmanArgs = [ "--interface-name=br-services" ];
subnets = [ "10.99.0.0/16" ];
};
};
};
}; };
boot.enableContainers = true;
environment.systemPackages = environment.systemPackages =
[ ] [ ]
++ optionals cfg.docker [ pkgs.docker-compose ] ++ optionals cfg.docker [ pkgs.docker-compose ]
@ -79,8 +104,9 @@ in
users.users."qemu-libvirtd" = mkIf cfg.libvirt { users.users."qemu-libvirtd" = mkIf cfg.libvirt {
extraGroups = lib.optionals (!config.virtualisation.libvirtd.qemu.runAsRoot) [ extraGroups = lib.optionals (!config.virtualisation.libvirtd.qemu.runAsRoot) [
"kvm"
"input" "input"
"kvm"
"libvitrd"
]; ];
}; };
@ -92,7 +118,7 @@ in
"/var/lib/containers" "/var/lib/containers"
]; ];
home-manager = mkIf (hasAttr "users" config.home-manager) { home-manager = mkIf useHomeManager {
users.${defaultUser} = { users.${defaultUser} = {
home.file.".config/containers/storage.conf".text = '' home.file.".config/containers/storage.conf".text = ''
[storage] [storage]

10
modules/nixos/workspace/wayland.nix
View File

@ -1,6 +1,10 @@
{ config, lib, ... }: {
config,
lib,
useHomeManager,
...
}:
let let
inherit (builtins) hasAttr;
inherit (lib) getExe mkEnableOption mkIf; inherit (lib) getExe mkEnableOption mkIf;
cfg = config.ataraxia.wayland; cfg = config.ataraxia.wayland;
@ -31,7 +35,7 @@ in
}; };
}; };
home-manager = mkIf (hasAttr "users" config.home-manager) { home-manager = mkIf useHomeManager {
users.${defaultUser} = { users.${defaultUser} = {
ataraxia.wayland.hyprland.enable = cfg.hyprland.enable; ataraxia.wayland.hyprland.enable = cfg.hyprland.enable;
}; };

115
modules/nixos/workspace/zsh/default.nix Normal file
View File

@ -0,0 +1,115 @@
{
config,
lib,
pkgs,
useHomeManager,
...
}:
let
inherit (lib) mkEnableOption mkIf;
cfg = config.ataraxia.defaults.zsh;
defaultUser = config.ataraxia.defaults.users.defaultUser;
in
{
options.ataraxia.defaults.zsh = {
enable = mkEnableOption "Default zsh settings";
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [
eza
libqalculate
rsync
];
programs.zsh = {
enable = true;
enableCompletion = true;
enableBashCompletion = true;
autosuggestions.enable = true;
syntaxHighlighting.enable = true;
histFile = "$HOME/.zsh/history";
histSize = 1000000;
setOptions = [
"AUTO_CD"
"HIST_IGNORE_SPACE"
];
promptInit = ''
source ${pkgs.zsh-powerlevel10k}/share/zsh-powerlevel10k/powerlevel10k.zsh-theme
source ${./p10k.zsh}
'';
shellAliases = {
"_" = "doas";
"clr" = "clear";
"rcp" = "rsync -ah --partial --no-whole-file --info=progress2";
"rrcp" = "_ rsync -ah --partial --no-whole-file --info=progress2";
"ncg" = "_ nix-collect-garbage";
"ncgd" = "_ nix-collect-garbage -d";
"show-packages" = "_ nix-store -q --references /run/current-system/sw";
"nsp" = "nix-shell --run zsh -p";
"nd" = "nix develop -c zsh";
"nb" = "nix build";
"nr" = "nix run";
"e" = "$EDITOR";
"q" = "qalc";
"man" = "pinfo";
"l" = "eza -lag";
"tree" = "eza -T";
"ltree" = "eza -lgT";
"atree" = "eza -aT";
"latree" = "eza -lagT";
# systemd
"ctl" = "systemctl";
"ctlsp" = "systemctl stop";
"ctlst" = "systemctl start";
"ctlrt" = "systemctl restart";
"ctls" = "systemctl status";
"ctlu" = "systemctl --user";
"ctlusp" = "systemctl --user stop";
"ctlust" = "systemctl --user start";
"ctlurt" = "systemctl --user restart";
"ctlus" = "systemctl --user status";
"ctlfailed" = "systemctl --failed --all";
"ctlrf" = "systemctl reset-failed";
"ctldrd" = "systemctl daemon-reload";
"j" = "journalctl";
"ju" = "journalctl -xe -u";
"juu" = "journalctl -xe --user-unit";
};
interactiveShellInit = ''
# Start and then view status of service
ctlsts () {
systemctl start "$1"
systemctl status "$1"
}
ctlusts () {
systemctl --user start "$1"
systemctl --user status "$1"
}
# Restart and then view status of service
ctlrts () {
systemctl restart "$1"
systemctl status "$1"
}
ctlurts () {
systemctl --user restart "$1"
systemctl --user status "$1"
}
'';
};
# TODO: permissions
persist.state.directories = mkIf (!useHomeManager) [ "/home/${defaultUser}/.zsh" ];
home-manager = mkIf useHomeManager {
users.${defaultUser} = {
persist.state.directories = [ ".zsh" ];
};
};
systemd.tmpfiles.rules = [
"f /home/${defaultUser}/.zshrc 0644 ${defaultUser} users -"
];
};
}

1641
modules/nixos/workspace/zsh/p10k.zsh Normal file
View File

File diff suppressed because it is too large Load Diff

27
secrets/orion/headscale.yaml Normal file
View File

@ -0,0 +1,27 @@
headscale-oidc: ENC[AES256_GCM,data:lu1c/XSD7/fV1MuwAETDV1PCn3C7zr0UKK0u4/5Z2AoQXHLsUES3Yvu7B9kStFd3M+GoOq6Y0xYVGLS9x5TcEVFDKSsdRRgGYlu2C/x+NUOlP0cEKKq222NYIZ6iA9emP6A2ZVy1ZpM1UE65vJHk1NHHbS4zYiiJMskOacwW1bs=,iv:o9/TG+9/MU6mchYtj6navG97eJhP/4kUlWcx/xjhvK0=,tag:l2xQhGn1vkcBZvBZevpTOg==,type:str]
headscale-oidc-env: ENC[AES256_GCM,data:LX26VJfqImj5hHGSczey4okdPsNdxsIQ4OD3kRhwRt4P2MAdlVWiBQl47Jj5lk1Nm/yZejf4GXARLoQf3TK1ie4aDaWJx8Yhl8aSpy1s3h/1lcM7OCNb9WhUB+ZmikXaA6sOui4sQfGEtf0ydeIE0CwH04WL+Qomu+WxFzUVSzPW3baR2AKSqKiLGLGB0mZrRmdbhSdxCJN85j2i/Q==,iv:9b4pMMLj9huMg2RnrU10xqjRoA3NCWUKn4rc956Gm+s=,tag:+XN0KzJqWvTS/8ufGooNfg==,type:str]
sops:
shamir_threshold: 1
age:
- recipient: age13phpsegg6vu7a34ydtfa9s904dfpgzqhzru7epnky7glezk0xvkst9qh6h
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhdWVNQVRkYUwvVkRnUlJV
ZFI3K1NsTzBFWDZXSU5Md0NQRTlsUTlCTHhZCjFObFNMSENXN2NIZlQ1ZHBEZ3Fu
R0JhVXdsRThUS3ZDWXV2OTFkODdQUGMKLS0tIEZiZ1ZEWTBaMnlIc2lTWGQxSW1W
bjNGQnFnOFVwbHdsVkpuNHJlRVc2c1kK/IQzoSi17GU8D6LP+4ccxq+Ip3lary62
0dkRYgMOf+jR21VA+1jhyFFYkwzZl7ajnM+pXYKf+/togQv6MnML/g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m5msm7rgqye2q9zesgedg0emga4ntehlr629786lrxs3rhk0squq0ly9je
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSZFdCQmltbnduUklHdTJB
OGR6WllGaS8xUUhNT0t6cU1JVHF0V0tsSlF3CmlSYlNDZEJvRzdCT3hrRGFPeGdZ
eFRCVUFtbFJBUnNPREd2RzR1eUYyOFkKLS0tIGZBWGJURE5Cb2lreWdPYjJWL0FV
VzBXZTNORldzcGo2KzVhTmQ5dERMMjAKMEV+wMtClLbgur/Qx/xLaQNjjqNtm1sf
5z+Hi/D0aqgA09k5iAxGdfez0rFJAX32w6vJouMTfYzCLqC6iaaomQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-24T20:09:29Z"
mac: ENC[AES256_GCM,data:akcHfxJrGSPINI28sQdxcz4s6P9Va+GAvF0TC7adgf2mgVtqkZdaZPJZ/BaVlxccWf3tFgBMKwLVHcfmxMi93KnxFxOuA3DWYnjmBfHzxHFq+jWke7BHzRhPvVsKOKKHdfkXPCZnqyHLwRPp0jUyrANw9m9Ub2JTomfHy3j2+FA=,iv:784bnpb7v0z3KewsnH+RXYkdml+o2sj/qvR7qqn/om0=,tag:L1c/p8GcUlT+4sLyr0T5fA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.8.1