From d6f22cfaae5aac474e3f42a81d8ee00938777713 Mon Sep 17 00:00:00 2001
From: Raphael
Date: Sat, 3 Jan 2026 23:14:46 +0100
Subject: [PATCH 01/42] feat(server/hardware): adding the data disk
---
 hosts/server/hardware-configuration.nix | 28 ++++++++++++++++++-------
 1 file changed, 20 insertions(+), 8 deletions(-)
diff --git a/hosts/server/hardware-configuration.nix b/hosts/server/hardware-configuration.nix
index 955eb4c..848d0c8 100644
--- a/hosts/server/hardware-configuration.nix
+++ b/hosts/server/hardware-configuration.nix
@@ -13,16 +13,28 @@
 boot.kernelModules = [ "kvm-intel" ];
 boot.extraModulePackages = [ ];
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/67b9f544-f7d6-4203-a1ee-3d527f0c4ace";
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-uuid/67b9f544-f7d6-4203-a1ee-3d527f0c4ace";
+ fsType = "ext4";
+ };
+ "/boot" = {
+ device = "/dev/disk/by-uuid/C2ED-90A4";
+ fsType = "vfat";
+ options = [
+ "fmask=0077"
+ "dmask=0077"
+ ];
+ };
+ "/mnt/data" = {
+ device = "/dev/disk/by-uuid/efa8669d-d141-4858-9e66-d3efa9a88816";
 fsType = "ext4";
+ options = [
+ "acl"
+ "exec"
+ ];
 };
-
- fileSystems."/boot" =
- { device = "/dev/disk/by-uuid/C2ED-90A4";
- fsType = "vfat";
- options = [ "fmask=0077" "dmask=0077" ];
- };
+ };
 swapDevices = [ ];
From ef9fed8790ffd4da67a1dbbf186107a7faa9ae2e Mon Sep 17 00:00:00 2001
From: Raphael
Date: Sat, 3 Jan 2026 23:15:16 +0100
Subject: [PATCH 02/42] feat(server/self_host): turning on the minecraft server
---
 hosts/server/configuration.nix | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index f2ea58b..2c86545 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -26,7 +26,6 @@ in
 hostName = "nixos-server";
 firewall.enable = false;
 networkmanager.enable = true;
- wireless.enable = false;
 interfaces.enp0s31f6.ipv4.addresses = [
 {
 address = "192.168.1.1";
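Review bot: `"exec"` in the `/mnt/data` options is the mount default, so listing it documents intent without changing anything; for a disk that the rest of this series turns into the torrent-download and container-state volume, the defensive choice is `noexec`, `nosuid`, `nodev`, since nothing shown here needs to run binaries from it (check Jellyfin plugins and transcoding paths before flipping it). `"acl"` is likewise on by default for ext4, so if both stay, a one-line comment on why they are spelled out would help the next reader of the generated file.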
@@ -60,10 +59,10 @@ in
 jellyfin = true;
 sso = true;
 };
- forty_two.irc = true;
+ forty_two.irc = false;
 web.portefolio = true;
 server = {
- minecraft = false;
+ minecraft = true;
 teamspeak = true;
 };
 bot_discord = {
From 313279edfc23c92c0d03dbdd3b8f83f43a6f0618 Mon Sep 17 00:00:00 2001
From: Raphael
Date: Sat, 3 Jan 2026 23:15:46 +0100
Subject: [PATCH 03/42] feat(server/minecraft): adding the minecraft server configuration
- Adding the mod create
---
 services/server/minecraft.nix | 59 +++++++++++++++++++++++++++++++----
 1 file changed, 53 insertions(+), 6 deletions(-)
diff --git a/services/server/minecraft.nix b/services/server/minecraft.nix
index 310dc77..df0d89c 100644
--- a/services/server/minecraft.nix
+++ b/services/server/minecraft.nix
@@ -24,18 +24,65 @@ in
 servers.enium-pv = {
 enable = true;
- package = pkgs.fabricServers.fabric-1_20_1;
- jvmOpts = "-Xms4092M -Xmx4092M";
+ autoStart = true;
+ package = pkgs.fabricServers.fabric-1_21_11;
+ restart = "always";
+ jvmOpts = "-Xms2048M -Xmx8192M";
 serverProperties = {
- difficulty = 3;
+ difficulty = 2;
 gamemode = 0;
 max-players = 42;
 motd = "§l §3 Enium Survival§r\n§l §b Whitelisted Server";
- server-port = 64421;
- spawn-protection = 16;
+ server-port = 25565;
+ spawn-protection = 0;
 white-list = true;
 };
- restart = "no";
+ symlinks = {
+ mods = pkgs.linkFarmFromDrvs "mods" (builtins.attrValues {
+ graves = pkgs.fetchurl {
+ url = "https://cdn.modrinth.com/data/kieAM9Us/versions/YiPkk2xn/ly-graves-v3.0.1.jar";
+ sha512 = "sha512-Wo+Sw6nVyqcaS7PWr+p3/+AkTYGAcuqk7heyBos/0jQYkCS/Z9q4Or6DInECkv8Cg4ZctmzrLOt6S8nr/sQYHw==";
+ };
+ lithium = pkgs.fetchurl {
+ url = "https://cdn.modrinth.com/data/gvQqBUqZ/versions/gl30uZvp/lithium-fabric-0.21.2%2Bmc1.21.11.jar";
+ sha512 = "sha512-lGJVEAE+DarxwuK22KRjyTL/YiD5G6WwzV+GhlghXwRtlNB7NGVmD1dsTcJ6WqGD373ByTA/EYlLWyWh3Gw7tg==";
+ };
+ jei = pkgs.fetchurl {
+ url = "https://cdn.modrinth.com/data/u6dRKJwZ/versions/9i2DXscL/jei-1.21.11-fabric-27.3.0.14.jar";
+ sha512 = "sha512-ua8at0LkNpFFIleVM6D6GQthBZvuIh7rt8GSuY0mKjMIJ+dJr5G0wIKqcnsT8oBwkQvlWuitfWAz/cnM1maM9A==";
+ };
+ jade = pkgs.fetchurl {
+ url = "https://cdn.modrinth.com/data/nvQzSEkH/versions/7cBo3s22/Jade-1.21.11-Fabric-21.0.1.jar";
+ sha512 = "sha512-aj1lnOyaPiH+AG6HYN6mNQtkqm1xGA+PCHouKn2U3t2mpfJ+r7+T3nCtxgbHXAe9/NncJb46Ds9ZTgIt7odRGw==";
+ };
+ chuncky = pkgs.fetchurl {
+ url = "https://cdn.modrinth.com/data/fALzjamp/versions/1CpEkmcD/Chunky-Fabric-1.4.55.jar";
+ sha512 = "sha512-O+DgSePepiVrOVzLH33MycayPLex9qcXp80cpV+dvaSJZ53zKGjHJmTrsoygXyw2ZZDR4aEfDcX2n5R5A7rYMw==";
+ };
+ fabric_api = pkgs.fetchurl {
+ url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/gB6TkYEJ/fabric-api-0.140.2%2B1.21.11.jar";
+ sha512 = "sha512-r0RleX2AQBAhpq78jFRyAOfA+MrhNCmb8/r7wxD6gfBVJGsGFPwOA3U49KhE5VqtMKv6PGdGBCKFPfxCbwhtAA==";
+ };
+ create_fly = pkgs.fetchurl {
+ url = "https://cdn.modrinth.com/data/dKvj0eNn/versions/be2IkC5H/create-fly-1.21.11-6.0.8-4.jar";
+ sha512 = "1r9qx8q5s49xlycs9k02ylb0cgn5x0d3s0crl0942kwf2r6vvnk8pv46bxj6p4jnqg4r5c6b4526zjxwdjc1d5fg7613sgv6f71817x";
+ };
+ });
+ };
+ whitelist = {
+ EniumRaphael = "3134072d-eb2f-49d5-afb4-2a3cc4375100";
+ EniumBenjamin = "63e7d8d3-5090-4323-a7e6-c89707747b4b";
+ EniumTeam = "d4706408-ccfc-4a3d-b128-07db95b34843";
+ Zeldraft = "01cf2ab1-68a5-48c1-a948-76cda9574ae5";
+ dprive05 = "0ad8a45a-417a-40d3-aa10-b67765792c42";
+ };
+ operators = {
+ Zeldraft = {
+ uuid = "01cf2ab1-68a5-48c1-a948-76cda9574ae5";
+ level = 4;
+ bypassesPlayerLimit = true;
+ };
+ };
 };
 };
 };
From 1ee8a09678b63358c3d26320db681e4d8faf7287 Mon Sep 17 00:00:00 2001
From: Raphael
Date: Sat, 3 Jan 2026 23:16:18 +0100
Subject: [PATCH 04/42] feat(self_host/sso): adding the forgejo redirect url
---
 services/self_host/sso.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/services/self_host/sso.nix b/services/self_host/sso.nix
index e83b5e3..c60b322 100644
--- a/services/self_host/sso.nix
+++ b/services/self_host/sso.nix
@@ -96,9 +96,9 @@ in
 forgejo = {
 present = true;
 displayName = "Forjego";
- originUrl = "https://git.enium.eu";
 imageFile = kanidmLogo;
- originLanding = "https://git.enium.eu/user/oauth2/Enium/callback";
+ originUrl = "https://git.enium.eu";
+ originLanding = "https://git.enium.eu/login";
 basicSecretFile = config.age.secrets.forgejo-oidc-secret.path;
 public = false;
 enableLocalhostRedirects = false;
From 9626ff6e76f26f78051e297c2712eb59c20b9737 Mon Sep 17 00:00:00 2001
From: Raphael
Date: Sun, 4 Jan 2026 11:54:35 +0100
Subject: [PATCH 05/42] feat(self_host/mail): adding the rchouraqui mail account
---
 services/self_host/mail.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
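Review bot: `create_fly`'s `sha512` is a bare nix32 hash while the other six mods use the SRI `sha512-…` form; `fetchurl` accepts both, but mixing forms makes bulk updates and cross-checking against Modrinth's published hashes error-prone, so convert it to SRI (`nix hash convert` can do it). The attribute name `chuncky` is a typo for the Chunky mod and is only consumed by `builtins.attrValues`, so renaming it costs nothing. Pinning every jar by URL plus hash is the right posture for third-party code loaded into the server JVM; keep that when `fabric-1_21_11` moves.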
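Review bot: In Kanidm, `originUrl` is the redirect URI the client must present and `originLanding` is only where the SSO portal sends users, so moving Forgejo's callback path (`/user/oauth2/Enium/callback`, the removed line) out of the configuration leaves a bare `https://git.enium.eu` as the redirect target; with Kanidm's default strict redirect matching the callback may be rejected at login. Confirm against the deployed version, and if so put the callback back into `originUrl` and keep `originLanding = "https://git.enium.eu/login";` for the landing page only. The enclosing `oauth2` provisioning block starts outside the hunk.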
diff --git a/services/self_host/mail.nix b/services/self_host/mail.nix index eb0b401..99fb6e9 100644 --- a/services/self_host/mail.nix +++ b/services/self_host/mail.nix @@ -211,16 +211,19 @@ in raphael@enium.eu:{SHA512-CRYPT}$6$rIsn6/dLJ6MbITx5$vMo82dgkQZoV8BQIaO6Bs9J86ZjgcJ.LqMuIqnXVfuBRgZOqY/YiURBUOcS1P2wAo5h4TCFkKExfcjjX1reUU. benjamin@enium.eu:{SHA512-CRYPT}$6$.34vS2JkrmGnioYo$pUF.vN5Q3njn5WRTLdMU5n7vGJdwk64bB/si0vQXFw.ioky4xlHUVocFXC8GI9wkVJNif.2kHvAYEcEtXvU2I0 deborah@enium.eu:{SHA512-CRYPT}$6$IZ7Dd31uZ4VKzz04$z5IhS25Jve8KsX0GIIXB8GUiPYd3eSuxlDz9RZQHa2tE4hptgtXQVU3av42MIRpaN9GPqG9iM6jiQUwRZ9V39/ + rchouraqui@enium.eu:{SHA512-CRYPT}$6$.YW4sF83D1EZXQW8$AZoxbni6XFGf3XuSp1sKhZ9cHjU5CcryEH8C45Fbu5s2nJHixDRnDeH6Vl5EvfQfH09wrxhDYp0Tld.TiUSpn. ''; environment.etc."postfix-vmailbox".text = '' raphael@enium.eu enium.eu/raphael/ benjamin@enium.eu enium.eu/benjamin/ deborah@enium.eu enium.eu/deborah/ + rchouraqui@enium.eu enium.eu/rchouraqui/ ''; environment.etc."postfix-sender_login".text = '' raphael@enium.eu raphael@enium.eu benjamin@enium.eu benjamin@enium.eu deborah@enium.eu deborah@enium.eu + rchouraqui@enium.eu rchouraqui@enium.eu no-reply@enium.eu raphael@enium.eu, benjamin@enium.eu direction@enium.eu raphael@enium.eu, benjamin@enium.eu @@ -229,7 +232,7 @@ in ''; environment.etc."postfix-virtual".text = '' direction@enium.eu raphael@enium.eu, benjamin@enium.eu - recrutement@enium.eu raphael@enium.eu, benjamin@enium.eu + recrutement@enium.eu raphael@enium.eu, benjamin@enium.eu, rchouraqui@enium.eu contact@enium.eu raphael@enium.eu, benjamin@enium.eu ''; From d611b4cc01806bbca9975f84af205625c0615d19 Mon Sep 17 00:00:00 2001 From: Raphael Date: Mon, 5 Jan 2026 16:52:37 +0100 Subject: [PATCH 06/42] feat(secrets): adding the wireguard secrets configuration --- secrets/secrets.nix | 1 + secrets/wireguard-secret.age | 7 +++++++ 2 files changed, 8 insertions(+) create mode 100644 secrets/wireguard-secret.age 
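Review bot: The added `rchouraqui@enium.eu:{SHA512-CRYPT}$6$…` entry, like the three above it, is rendered through `environment.etc` into the Nix store, which is world-readable on the host, so every local user (and anyone who can read the store or this repository) gets the password hashes for offline cracking. This repository already uses agenix for other credentials (`age.secrets.*` with `mode = "0400"` in hosts/server/secrets.nix); the Dovecot passwd map should be an age secret referenced by path rather than inline text, whereas the `postfix-vmailbox`/`postfix-virtual` maps visible below carry no secrets and can stay as they are. The `environment.etc` attribute holding the passwd map starts above the hunk.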
diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 8810616..34cf3e4 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -10,6 +10,7 @@ let ]; in { + "wireguard-secret.age".publicKeys = users ++ systems; "mailjet-user.age".publicKeys = users ++ systems; "mailjet-pass.age".publicKeys = users ++ systems; "nextcloud-admin-pass.age".publicKeys = users ++ systems; diff --git a/secrets/wireguard-secret.age b/secrets/wireguard-secret.age new file mode 100644 index 0000000..8ece065 --- /dev/null +++ b/secrets/wireguard-secret.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 Iy+0iw 65IsIObRg7SuYCZnDp/LKpSn1tpnJTLaXFcc7/9gRkA +3L16P+XHyyfwSZLInsPv3UPMVYsPpYAV2E+/kl+oQbA +-> ssh-ed25519 ocqiLQ R3CkxF9zthAEZGE3CZypFGb/uwLazrBpwWT97N+1izA +EP6vUm4Y511GMctNJi0FO7bzUw6qHMqPRzxJiSTD23M +--- JqhMdyVwELZA++21d9WMdbGTciFtsea44hbbC+WWLHI +'N =x0TEPܯPmʒ=ȝah*p`%Qwo+WJ@OkKTR \ No newline at end of file From 098da27752d4fb4c68d6e7d34029f5c314d864c4 Mon Sep 17 00:00:00 2001 From: Raphael Date: Mon, 5 Jan 2026 16:53:04 +0100 Subject: [PATCH 07/42] feat(self_host/jellyfin): adding the dockerisation of arr services --- services/self_host/jellyfin.nix | 160 ++++++++++++++++++++------------ 1 file changed, 101 insertions(+), 59 deletions(-) diff --git a/services/self_host/jellyfin.nix b/services/self_host/jellyfin.nix index a0e558f..dd7548a 100644 --- a/services/self_host/jellyfin.nix +++ b/services/self_host/jellyfin.nix 
@@ -6,79 +6,121 @@ lib,
 }:
 let
 cfg = config.service.selfhost.jellyfin;
+ wireguard-key = config.age.secrets."wireguard-secret".path;
 in
 {
 config = lib.mkIf cfg {
+ virtualisation = {
+ docker.enable = true;
+ oci-containers = {
+ backend = "docker";
+ containers = {
+ gluetun = {
+ image = "qmcgaw/gluetun:latest";
+ autoStart = true;
+ extraOptions = [
+ "--cap-add=NET_ADMIN"
+ "--device=/dev/net/tun"
+ ];
+ environment = {
+ VPN_SERVICE_PROVIDER = "mullvad";
+ VPN_TYPE = "wireguard";
+ WIREGUARD_PRIVATE_KEY = builtins.readFile wireguard-key;
+ BLOCK_MALICIOUS = "off";
+ BLOCK_SURVEILLANCE = "off";
+ BLOCK_ADS = "off";
+ WIREGUARD_ADDRESSES = "10.70.168.94/32";
+ SERVER_COUNTRIES = "Sweden";
+ SERVER_CITIES = "Stockholm";
+ SERVER_HOSTNAMES = "se-sto-wg-206";
+ TZ = "Europe/Paris";
+ };
+ ports = [
+ "8080:8080"
+ "7878:7878"
+ "8989:8989"
+ "9696:9696"
+ ];
+ };
+ qbittorrent = {
+ image = "lscr.io/linuxserver/qbittorrent:latest";
+ autoStart = true;
+ extraOptions = [
+ "--network=container:gluetun"
+ ];
+ environment = {
+ PUID = "1000";
+ PGID = "991";
+ WEBUI_PORT = "8080";
+ TZ = "Europe/Paris";
+ };
+ volumes = [
+ "/mnt/data/qbittorrent/config:/config"
+ "/mnt/data/downloads:/downloads"
+ ];
+ };
+ radarr = {
+ image = "lscr.io/linuxserver/radarr:latest";
+ autoStart = true;
+ extraOptions = [
+ "--network=container:gluetun"
+ ];
+ environment = {
+ PUID = "1000";
+ PGID = "991";
+ TZ = "Europe/Paris";
+ };
+ volumes = [
+ "/mnt/data/radarr/config:/config"
+ "/mnt/data:/data"
+ ];
+ };
+ sonarr = {
+ image = "lscr.io/linuxserver/sonarr:latest";
+ autoStart = true;
+ extraOptions = [
+ "--network=container:gluetun"
+ ];
+ environment = {
+ PUID = "1000";
+ PGID = "991";
+ TZ = "Europe/Paris";
+ };
+ volumes = [
+ "/mnt/data/sonarr/config:/config"
+ "/mnt/data:/data"
+ ];
+ };
+ prowlarr = {
+ image = "lscr.io/linuxserver/prowlarr:latest";
+ autoStart = true;
+ extraOptions = [
+ "--network=container:gluetun"
+ ];
+ environment = {
+ PUID = "1000";
+ PGID = "991";
+ TZ = "Europe/Paris";
+ };
+ volumes = [
+ "/mnt/data/prowlarr/config:/config"
+ ];
+ };
+ };
+ };
+ };
 users = {
 groups.datausers = { };
 users = {
 jellyfin.extraGroups = [ "datausers" ];
- radarr.extraGroups = [ "datausers" ];
- sonarr.extraGroups = [ "datausers" ];
 };
 };
 services = {
 jellyfin = {
 enable = true;
- dataDir = "/mnt/data/media";
+ dataDir = "/mnt/data/jellyfin";
 openFirewall = true;
 };
-
- qbittorrent = {
- enable = true;
- openFirewall = true;
- user = "qbittorrent";
- group = "datausers";
-
- webuiPort = 8137;
-
- serverConfig = {
- Preferences = {
- Downloads = {
- SavePath = "/mnt/data/downloads";
- TempPathEnabled = false;
- };
- General = {
- Locale = "fr_FR";
- };
- WebUI = {
- Username = "raphael";
- Password_PBKDF2 = "@ByteArray(CmH/e4LVehCMTT2BUTVo5g==:VqhgnDIsg0owhZqINmi6O0Ac3tXgz6JYAkxB7sqSH18VPQ6R6Tz9jT2a6KXtld4wG6ld41nFXSst0UqRFTUTUw==)";
- };
- };
- };
- };
-
- flaresolverr = {
- enable = true;
- openFirewall = true;
- port = 8191;
- };
-
- sonarr = {
- enable = true;
- dataDir = "/var/lib/sonarr";
- user = "sonarr";
- group = "datausers";
- openFirewall = true;
- };
-
- radarr = {
- enable = true;
- dataDir = "/var/lib/radarr";
- user = "radarr";
- group = "datausers";
- openFirewall = true;
- };
-
- prowlarr = {
- enable = true;
- dataDir = "/var/lib/prowlarr";
- openFirewall = true;
- };
-
- bazarr.enable = true;
-
 nginx.virtualHosts = {
 "jellyfin.enium.eu" = {
 enableACME = true;
From 85c7c2797c47b1395874085a000dda1addf31b86 Mon Sep 17 00:00:00 2001
From: Raphael
Date: Mon, 5 Jan 2026 16:53:37 +0100
Subject: [PATCH 08/42] feat(server/secrets): adding wireguard to the server's secret
---
 hosts/server/secrets.nix | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/hosts/server/secrets.nix b/hosts/server/secrets.nix
index cc754ff..152c432 100644
--- a/hosts/server/secrets.nix
+++ b/hosts/server/secrets.nix
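Review bot: `WIREGUARD_PRIVATE_KEY = builtins.readFile wireguard-key;` reads the agenix-decrypted file at evaluation time, so the plaintext WireGuard key is copied into the world-readable Nix store as part of the gluetun container unit, which undoes the age encryption added in the sibling commits; under pure flake evaluation reading a path outside the store is rejected, so this likely fails to build at all. Hand the secret to the container at runtime instead: drop that environment entry and add `environmentFiles = [ wireguard-key ];` to `gluetun`, with the age payload written as `WIREGUARD_PRIVATE_KEY=<key>`. The `ports` list on gluetun publishes the qBittorrent/Radarr/Sonarr/Prowlarr UIs on every interface (Docker inserts its own rules ahead of the host firewall, and hosts/server/configuration.nix shows `firewall.enable = false` anyway); bind them as `"127.0.0.1:8080:8080"` and so on, and front them through the nginx vhosts this file already defines. All five images are `:latest`; pin a tag or digest so the deployed version is reproducible and reviewable. `config.age.secrets."wireguard-secret"` is only declared in the following patch (hosts/server/secrets.nix), so this commit does not evaluate on its own.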
@@ -5,6 +5,13 @@
 age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ age.secrets."wireguard-secret" = {
+ file = ../../secrets/wireguard-secret.age;
+ owner = "root";
+ group = "root";
+ mode = "0400";
+ };
+
 age.secrets."mailjet-user" = {
 file = ../../secrets/mailjet-user.age;
 owner = "root";
From 1773438cc8bc206931d8b6d3762b393ab3dfb2f2 Mon Sep 17 00:00:00 2001
From: Raphael
Date: Thu, 8 Jan 2026 13:46:42 +0100
Subject: [PATCH 09/42] feat(self_host/jellyfin): adding the dockers /downloads mount point
---
 services/self_host/jellyfin.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/services/self_host/jellyfin.nix b/services/self_host/jellyfin.nix
index dd7548a..9abdc95 100644
--- a/services/self_host/jellyfin.nix
+++ b/services/self_host/jellyfin.nix
@@ -72,6 +72,7 @@ in
 };
 volumes = [
 "/mnt/data/radarr/config:/config"
+ "/mnt/data/downloads:/downloads"
 "/mnt/data:/data"
 ];
 };
@@ -88,6 +89,7 @@ in
 };
 volumes = [
 "/mnt/data/sonarr/config:/config"
+ "/mnt/data/downloads:/downloads"
 "/mnt/data:/data"
 ];
 };
From e9a7753e88500527434bea6b1a1e5647999655d6 Mon Sep 17 00:00:00 2001
From: Raphael
Date: Mon, 9 Feb 2026 23:39:44 +0100
Subject: [PATCH 10/42] feat(hosts/server): adding the new mac ssh-key
---
 hosts/server/configuration.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index 2c86545..7a2cf95 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -7,7 +7,7 @@
 }:
 let
- sshKeyMac = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbHk7YasSMK5FBCArKLeqIoaGXsN+WlgVquObyC5Zec raphael@MacBook-Pro-de-raphael.local";
+ sshKeyMac = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIML4yVz1fhccwaTL0iHixkNkU5zUWU1rsit9u2TIIa5r raphael@raphaels-MacBook-Pro.local";
 in
 {
 imports = [
From 53b92464a5dbc2418b1af7aea9512badf8627c96 Mon Sep 17 00:00:00 2001
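Review bot: `"/mnt/data/downloads:/downloads"` is added to radarr while `"/mnt/data:/data"` already exposes the same directory as `/data/downloads`, so the download tree is now visible at two container paths; if imports read from `/downloads` and write under `/data`, they cross a mount boundary inside the container and degrade from hardlinks or atomic renames to copy-and-delete (presumably the extra mount exists to match qbittorrent's `/downloads`). Pointing qbittorrent's save path at `/data/downloads` and keeping the single `/data` mount avoids that. The sonarr hunk below has the same duplication; both `volumes` lists belong to container definitions that start outside their hunks.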
From: Raphael
Date: Sat, 28 Feb 2026 16:43:19 +0100
Subject: [PATCH 11/42] feat(services/web): adding the format to protefolio nix files
---
 services/web/portefolio.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/services/web/portefolio.nix b/services/web/portefolio.nix
index d54ef44..87db8e1 100644
--- a/services/web/portefolio.nix
+++ b/services/web/portefolio.nix
@@ -36,8 +36,8 @@ in
 };
 security.acme = {
 certs = {
- "parodi.pro" = {};
- "raphael.parodi.pro" = {};
+ "parodi.pro" = { };
+ "raphael.parodi.pro" = { };
 };
 };
 };
From fd6110694e9a9e72d8e5c903525ac8c7bed766e5 Mon Sep 17 00:00:00 2001
From: Raphael
Date: Sat, 28 Feb 2026 16:43:47 +0100
Subject: [PATCH 12/42] refactor(services/minecraft): adding the format to nix files
---
 services/server/minecraft.nix | 62 ++++++++++++++++++-----------------
 1 file changed, 32 insertions(+), 30 deletions(-)
diff --git a/services/server/minecraft.nix b/services/server/minecraft.nix
index df0d89c..b719e30 100644
--- a/services/server/minecraft.nix
+++ b/services/server/minecraft.nix
@@ -38,36 +38,38 @@ in
 white-list = true;
 };
 symlinks = {
- mods = pkgs.linkFarmFromDrvs "mods" (builtins.attrValues {
- graves = pkgs.fetchurl {
- url = "https://cdn.modrinth.com/data/kieAM9Us/versions/YiPkk2xn/ly-graves-v3.0.1.jar";
- sha512 = "sha512-Wo+Sw6nVyqcaS7PWr+p3/+AkTYGAcuqk7heyBos/0jQYkCS/Z9q4Or6DInECkv8Cg4ZctmzrLOt6S8nr/sQYHw==";
- };
- lithium = pkgs.fetchurl {
- url = "https://cdn.modrinth.com/data/gvQqBUqZ/versions/gl30uZvp/lithium-fabric-0.21.2%2Bmc1.21.11.jar";
- sha512 = "sha512-lGJVEAE+DarxwuK22KRjyTL/YiD5G6WwzV+GhlghXwRtlNB7NGVmD1dsTcJ6WqGD373ByTA/EYlLWyWh3Gw7tg==";
- };
- jei = pkgs.fetchurl {
- url = "https://cdn.modrinth.com/data/u6dRKJwZ/versions/9i2DXscL/jei-1.21.11-fabric-27.3.0.14.jar";
- sha512 = "sha512-ua8at0LkNpFFIleVM6D6GQthBZvuIh7rt8GSuY0mKjMIJ+dJr5G0wIKqcnsT8oBwkQvlWuitfWAz/cnM1maM9A==";
- };
- jade = pkgs.fetchurl {
- url = "https://cdn.modrinth.com/data/nvQzSEkH/versions/7cBo3s22/Jade-1.21.11-Fabric-21.0.1.jar";
- sha512 = "sha512-aj1lnOyaPiH+AG6HYN6mNQtkqm1xGA+PCHouKn2U3t2mpfJ+r7+T3nCtxgbHXAe9/NncJb46Ds9ZTgIt7odRGw==";
- };
- chuncky = pkgs.fetchurl {
- url = "https://cdn.modrinth.com/data/fALzjamp/versions/1CpEkmcD/Chunky-Fabric-1.4.55.jar";
- sha512 = "sha512-O+DgSePepiVrOVzLH33MycayPLex9qcXp80cpV+dvaSJZ53zKGjHJmTrsoygXyw2ZZDR4aEfDcX2n5R5A7rYMw==";
- };
- fabric_api = pkgs.fetchurl {
- url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/gB6TkYEJ/fabric-api-0.140.2%2B1.21.11.jar";
- sha512 = "sha512-r0RleX2AQBAhpq78jFRyAOfA+MrhNCmb8/r7wxD6gfBVJGsGFPwOA3U49KhE5VqtMKv6PGdGBCKFPfxCbwhtAA==";
- };
- create_fly = pkgs.fetchurl {
- url = "https://cdn.modrinth.com/data/dKvj0eNn/versions/be2IkC5H/create-fly-1.21.11-6.0.8-4.jar";
- sha512 = "1r9qx8q5s49xlycs9k02ylb0cgn5x0d3s0crl0942kwf2r6vvnk8pv46bxj6p4jnqg4r5c6b4526zjxwdjc1d5fg7613sgv6f71817x";
- };
- });
+ mods = pkgs.linkFarmFromDrvs "mods" (
+ builtins.attrValues {
+ graves = pkgs.fetchurl {
+ url = "https://cdn.modrinth.com/data/kieAM9Us/versions/YiPkk2xn/ly-graves-v3.0.1.jar";
+ sha512 = "sha512-Wo+Sw6nVyqcaS7PWr+p3/+AkTYGAcuqk7heyBos/0jQYkCS/Z9q4Or6DInECkv8Cg4ZctmzrLOt6S8nr/sQYHw==";
+ };
+ lithium = pkgs.fetchurl {
+ url = "https://cdn.modrinth.com/data/gvQqBUqZ/versions/gl30uZvp/lithium-fabric-0.21.2%2Bmc1.21.11.jar";
+ sha512 = "sha512-lGJVEAE+DarxwuK22KRjyTL/YiD5G6WwzV+GhlghXwRtlNB7NGVmD1dsTcJ6WqGD373ByTA/EYlLWyWh3Gw7tg==";
+ };
+ jei = pkgs.fetchurl {
+ url = "https://cdn.modrinth.com/data/u6dRKJwZ/versions/9i2DXscL/jei-1.21.11-fabric-27.3.0.14.jar";
+ sha512 = "sha512-ua8at0LkNpFFIleVM6D6GQthBZvuIh7rt8GSuY0mKjMIJ+dJr5G0wIKqcnsT8oBwkQvlWuitfWAz/cnM1maM9A==";
+ };
+ jade = pkgs.fetchurl {
+ url = "https://cdn.modrinth.com/data/nvQzSEkH/versions/7cBo3s22/Jade-1.21.11-Fabric-21.0.1.jar";
+ sha512 = "sha512-aj1lnOyaPiH+AG6HYN6mNQtkqm1xGA+PCHouKn2U3t2mpfJ+r7+T3nCtxgbHXAe9/NncJb46Ds9ZTgIt7odRGw==";
+ };
+ chuncky = pkgs.fetchurl {
+ url = "https://cdn.modrinth.com/data/fALzjamp/versions/1CpEkmcD/Chunky-Fabric-1.4.55.jar";
+ sha512 = "sha512-O+DgSePepiVrOVzLH33MycayPLex9qcXp80cpV+dvaSJZ53zKGjHJmTrsoygXyw2ZZDR4aEfDcX2n5R5A7rYMw==";
+ };
+ fabric_api = pkgs.fetchurl {
+ url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/gB6TkYEJ/fabric-api-0.140.2%2B1.21.11.jar";
+ sha512 = "sha512-r0RleX2AQBAhpq78jFRyAOfA+MrhNCmb8/r7wxD6gfBVJGsGFPwOA3U49KhE5VqtMKv6PGdGBCKFPfxCbwhtAA==";
+ };
+ create_fly = pkgs.fetchurl {
+ url = "https://cdn.modrinth.com/data/dKvj0eNn/versions/be2IkC5H/create-fly-1.21.11-6.0.8-4.jar";
+ sha512 = "1r9qx8q5s49xlycs9k02ylb0cgn5x0d3s0crl0942kwf2r6vvnk8pv46bxj6p4jnqg4r5c6b4526zjxwdjc1d5fg7613sgv6f71817x";
+ };
+ }
+ );
 };
 whitelist = {
 EniumRaphael = "3134072d-eb2f-49d5-afb4-2a3cc4375100";
From 76eb961891791425ad367d44bedbac0c7a3c2c57 Mon Sep 17 00:00:00 2001
From: Raphael
Date: Sat, 28 Feb 2026 16:44:13 +0100
Subject: [PATCH 13/42] feat(self_hosts/sso): adding the new syntax for kanidm
---
 services/self_host/sso.nix | 32 ++++++++++++++++++--------------
 1 file changed, 18 insertions(+), 14 deletions(-)
diff --git a/services/self_host/sso.nix b/services/self_host/sso.nix
index c60b322..b4eccf3 100644
--- a/services/self_host/sso.nix
+++ b/services/self_host/sso.nix
@@ -26,10 +26,10 @@ let
 sha256 = "sha256-hL51zJkFxUys1CoM8yUxiH8BDw111wh3Qv7eTLm+XYo=";
 };
 in
- {
+{
 config = lib.mkIf cfg {
 users = {
- groups.kanidm = {};
+ groups.kanidm = { };
 users.kanidm = {
 isSystemUser = true;
 group = "kanidm";
@@ -40,16 +40,20 @@ in
 services = {
 kanidm = {
 package = pkgs.kanidmWithSecretProvisioning_1_8;
- enableServer = true;
- serverSettings = {
- domain = "enium.eu";
- origin = "https://auth.enium.eu";
- bindaddress = "127.0.0.1:9000";
- tls_chain = "/var/lib/acme/auth.enium.eu/fullchain.pem";
- tls_key = "/var/lib/acme/auth.enium.eu/key.pem";
+ server = {
+ enable = true;
+ settings = {
+ domain = "enium.eu";
+ origin = "https://auth.enium.eu";
+ bindaddress = "127.0.0.1:9000";
+ tls_chain = "/var/lib/acme/auth.enium.eu/fullchain.pem";
+ tls_key = "/var/lib/acme/auth.enium.eu/key.pem";
+ };
+ };
+ client = {
+ enable = true;
+ settings.uri = config.services.kanidm.server.settings.origin;
 };
- enableClient = true;
- clientSettings.uri = config.services.kanidm.serverSettings.origin;
 provision = {
 enable = true;
 autoRemove = false;
@@ -211,19 +215,19 @@ in
 email = {
 joinType = "array";
 valuesByGroup = {
- nextcloud_user = ["mail"];
+ nextcloud_user = [ "mail" ];
 };
 };
 preferred_username = {
 joinType = "array";
 valuesByGroup = {
- nextcloud_user = ["name"];
+ nextcloud_user = [ "name" ];
 };
 };
 name = {
 joinType = "array";
 valuesByGroup = {
- nextcloud_user = ["displayname"];
+ nextcloud_user = [ "displayname" ];
 };
 };
 };
From 93d7fabef5fadd1c913ba0c5ba0d46e789071238 Mon Sep 17 00:00:00 2001
From: Raphael
Date: Sat, 28 Feb 2026 16:45:00 +0100
Subject: [PATCH 14/42] refactor(services/selfhosts): adding the format to nix files
---
 services/self_host/git.nix | 7 +-
 services/self_host/jellyfin.nix | 10 +--
 services/self_host/mail.nix | 134 ++++++++++++++++---------------
 services/self_host/nextcloud.nix | 9 ++-
 4 files changed, 89 insertions(+), 71 deletions(-)
diff --git a/services/self_host/git.nix b/services/self_host/git.nix
index 191d46d..ebeae81 100644
--- a/services/self_host/git.nix
+++ b/services/self_host/git.nix
@@ -1,4 +1,9 @@
-{ config, pkgs, lib, ... }:
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
 let
 gitDomain = "git.enium.eu";
diff --git a/services/self_host/jellyfin.nix b/services/self_host/jellyfin.nix
index 9abdc95..0c1d50d 100644
--- a/services/self_host/jellyfin.nix
+++ b/services/self_host/jellyfin.nix
@@ -1,14 +1,14 @@
 {
-config,
-pkgs,
-lib,
-...
+ config,
+ pkgs,
+ lib,
+ ...
 }:
 let
 cfg = config.service.selfhost.jellyfin;
 wireguard-key = config.age.secrets."wireguard-secret".path;
 in
- {
+{
 config = lib.mkIf cfg {
 virtualisation = {
 docker.enable = true;
diff --git a/services/self_host/mail.nix b/services/self_host/mail.nix
index 99fb6e9..6844985 100644
--- a/services/self_host/mail.nix
+++ b/services/self_host/mail.nix
@@ -22,7 +22,7 @@ in
 shell = "/run/current-system/sw/bin/nologin";
 };
 users.groups = {
- vmail = {};
+ vmail = { };
 };
 systemd.tmpfiles.rules = [
 "d /run/dovecot 0755 dovecot dovecot - -"
@@ -84,14 +84,22 @@ in
 chroot = false;
 command = "smtpd";
 args = [
- "-o" "smtpd_recipient_restrictions=permit_sasl_authenticated,reject"
- "-o" "smtpd_sasl_auth_enable=yes"
- "-o" "smtpd_sasl_security_options=noanonymous"
- "-o" "smtpd_sender_login_maps=hash:/var/lib/postfix/sender_login"
- "-o" "smtpd_sender_restrictions=reject_sender_login_mismatch"
- "-o" "smtpd_tls_auth_only=yes"
- "-o" "smtpd_tls_security_level=encrypt"
- "-o" "syslog_name=postfix/submission"
+ "-o"
+ "smtpd_recipient_restrictions=permit_sasl_authenticated,reject"
+ "-o"
+ "smtpd_sasl_auth_enable=yes"
+ "-o"
+ "smtpd_sasl_security_options=noanonymous"
+ "-o"
+ "smtpd_sender_login_maps=hash:/var/lib/postfix/sender_login"
+ "-o"
+ "smtpd_sender_restrictions=reject_sender_login_mismatch"
+ "-o"
+ "smtpd_tls_auth_only=yes"
+ "-o"
+ "smtpd_tls_security_level=encrypt"
+ "-o"
+ "syslog_name=postfix/submission"
 ];
 };
 };
@@ -240,68 +248,68 @@ in enable = true; postfix.enable = true; extraConfig = '' - worker "controller" { - bind_socket = "127.0.0.1:11334"; - password = "admin"; - }; + worker "controller" { + bind_socket = "127.0.0.1:11334"; + password = "admin"; + }; - worker "normal" { - bind_socket = "127.0.0.1:11333"; - }; + worker "normal" { + bind_socket = "127.0.0.1:11333"; + }; - worker "rspamd_proxy" { - bind_socket = "127.0.0.1:11332"; - milter = yes; - timeout = 120s; - upstream "local" { - self_scan = yes; - }; - }; + worker "rspamd_proxy" { + bind_socket = "127.0.0.1:11332"; + milter = yes; + timeout = 120s; + upstream "local" { + self_scan = yes; + }; + }; - actions { - reject = 12; - add_header = 6; - greylist = 4; - }; + actions { + reject = 12; + add_header = 6; + greylist = 4; + }; - classifier "bayes" { - backend = "redis"; - servers = "127.0.0.1:6381"; - autolearn = true; - min_learns = 200; - new_schema = true; - cache = true; + classifier "bayes" { + backend = "redis"; + servers = "127.0.0.1:6381"; + autolearn = true; + min_learns = 200; + new_schema = true; + cache = true; - statfile { - symbol = "BAYES_HAM"; - spam = false; - }; + statfile { + symbol = "BAYES_HAM"; + spam = false; + }; - statfile { - symbol = "BAYES_SPAM"; - spam = true; - }; + statfile { + symbol = "BAYES_SPAM"; + spam = true; + }; - learn_condition = < Date: Sat, 28 Feb 2026 16:45:16 +0100 Subject: [PATCH 15/42] refactor(hosts/server): adding the format to nix files --- hosts/server/configuration.nix | 85 +++++++++++++------------ hosts/server/hardware-configuration.nix | 41 +++++++----- hosts/server/secrets.nix | 20 +++--- 3 files changed, 80 insertions(+), 66 deletions(-) diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix index 7a2cf95..0a89e86 100644 --- a/hosts/server/configuration.nix +++ b/hosts/server/configuration.nix 
@@ -77,46 +77,49 @@ in
 };
 };
- environment.systemPackages = with pkgs; [
- age
- bat
- cairo
- dconf
- fastfetch
- git
- home-manager
- lego
- libjpeg
- libpng
- libuuid
- linux-manual
- man
- man-pages
- man-pages-posix
- networkmanager
- openssl
- pkg-config
- postgresql
- protonup-ng
- python3
- python3Packages.pip
- qFlipper
- ripgrep
- swaylock
- swaylock-fancy
- tmux
- unzip
- vim
- wget
- wl-clipboard
- xclip
- xdg-desktop-portal-hyprland
- xsel
- yarn
- zsh
- ] ++ [
- inputs.agenix.packages.${pkgs.system}.agenix
- ];
+ environment.systemPackages =
+ with pkgs;
+ [
+ age
+ bat
+ cairo
+ dconf
+ fastfetch
+ git
+ home-manager
+ lego
+ libjpeg
+ libpng
+ libuuid
+ linux-manual
+ man
+ man-pages
+ man-pages-posix
+ networkmanager
+ openssl
+ pkg-config
+ postgresql
+ protonup-ng
+ python3
+ python3Packages.pip
+ qFlipper
+ ripgrep
+ swaylock
+ swaylock-fancy
+ tmux
+ unzip
+ vim
+ wget
+ wl-clipboard
+ xclip
+ xdg-desktop-portal-hyprland
+ xsel
+ yarn
+ zsh
+ ]
+ ++ [
+ inputs.agenix.packages.${pkgs.system}.agenix
+ ];
 # Bootloader.
 boot.loader = {
@@ -139,7 +142,7 @@ in
 openssh = {
 enable = true;
 ports = [
- 42131
+ 42131
 ];
 };
 udev.extraRules = ''
diff --git a/hosts/server/hardware-configuration.nix b/hosts/server/hardware-configuration.nix
index 848d0c8..68b3b48 100644
--- a/hosts/server/hardware-configuration.nix
+++ b/hosts/server/hardware-configuration.nix
@@ -1,31 +1,42 @@
 # Do not modify this file! It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations. Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
 {
- imports =
- [ (modulesPath + "/installer/scan/not-detected.nix")
- ];
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
- boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
+ boot.initrd.availableKernelModules = [
+ "xhci_pci"
+ "ahci"
+ "usbhid"
+ "sd_mod"
+ ];
 boot.initrd.kernelModules = [ ];
 boot.kernelModules = [ "kvm-intel" ];
 boot.extraModulePackages = [ ];
 fileSystems = {
 "/" = {
- device = "/dev/disk/by-uuid/67b9f544-f7d6-4203-a1ee-3d527f0c4ace";
- fsType = "ext4";
- };
+ device = "/dev/disk/by-uuid/67b9f544-f7d6-4203-a1ee-3d527f0c4ace";
+ fsType = "ext4";
+ };
 "/boot" = {
- device = "/dev/disk/by-uuid/C2ED-90A4";
- fsType = "vfat";
- options = [
- "fmask=0077"
- "dmask=0077"
- ];
- };
+ device = "/dev/disk/by-uuid/C2ED-90A4";
+ fsType = "vfat";
+ options = [
+ "fmask=0077"
+ "dmask=0077"
+ ];
+ };
 "/mnt/data" = {
 device = "/dev/disk/by-uuid/efa8669d-d141-4858-9e66-d3efa9a88816";
 fsType = "ext4";
diff --git a/hosts/server/secrets.nix b/hosts/server/secrets.nix
index 152c432..1b2b9eb 100644
--- a/hosts/server/secrets.nix
+++ b/hosts/server/secrets.nix
@@ -9,69 +9,69 @@
 file = ../../secrets/wireguard-secret.age;
 owner = "root";
 group = "root";
- mode = "0400";
+ mode = "0400";
 };
 age.secrets."mailjet-user" = {
 file = ../../secrets/mailjet-user.age;
 owner = "root";
 group = "root";
- mode = "0400";
+ mode = "0400";
 };
 age.secrets."mailjet-pass" = {
 file = ../../secrets/mailjet-pass.age;
 owner = "root";
 group = "root";
- mode = "0400";
+ mode = "0400";
 };
 age.secrets."nextcloud-admin-pass" = {
 file = ../../secrets/nextcloud-admin-pass.age;
 owner = "nextcloud";
 group = "nextcloud";
- mode = "0400";
+ mode = "0400";
 };
 age.secrets."nextcloud-oidc-secret" = {
 file = ../../secrets/nextcloud-oidc-secret.age;
 owner = "kanidm";
 group = "kanidm";
- mode = "0400";
+ mode = "0400";
 };
 age.secrets."grafana-oidc-secret" = {
 file = ../../secrets/grafana-oidc-secret.age;
 owner = "kanidm";
 group = "grafana";
- mode = "0440";
+ mode = "0440";
 };
 age.secrets."forgejo-oidc-secret" = {
 file = ../../secrets/forgejo-oidc-secret.age;
 owner = "kanidm";
 group = "forgejo";
- mode = "0440";
+ mode = "0440";
 };
 age.secrets."nextcloud-database" = {
 file = ../../secrets/nextcloud-database.age;
 owner = "nextcloud";
 group = "nextcloud";
- mode = "0400";
+ mode = "0400";
 };
 age.secrets."kanidm-admin" = {
 file = ../../secrets/kandim-admin.age;
 owner = "kanidm";
 group = "kanidm";
- mode = "0400";
+ mode = "0400";
 };
 age.secrets."kanidm-idmAdmin" = {
 file = ../../secrets/kandim-idmAdmin.age;
 owner = "kanidm";
 group = "kanidm";
- mode = "0400";
+ mode = "0400";
 };
 }
From 8456ea147c57acd5812257b43e04f45786018a09 Mon Sep 17 00:00:00 2001
From: Raphael
Date: Sun, 1 Mar 2026 22:13:32 +0100
Subject: [PATCH 16/42] feat(services/server): adding proxy setup for teamspeak redirection
---
 services/server/teamspeak.nix | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/services/server/teamspeak.nix b/services/server/teamspeak.nix
index 4eb26d1..c5f4411 100644
--- a/services/server/teamspeak.nix
+++ b/services/server/teamspeak.nix
@@ -21,6 +21,13 @@ in
 locations."/" = {
 proxyPass = "http://127.0.0.1:9987";
 proxyWebsockets = true;
+ extraConfig = ''
+ proxy_ssl_verify off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ '';
 };
 };
 };
From 65a5d1fe43ecf591dce2fc41bde12a84ddb3536b Mon Sep 17 00:00:00 2001
From: Raphael
Date: Sun, 1 Mar 2026 22:41:09 +0100
Subject: [PATCH 17/42] feat(services/self_host): update the nextcloud to 33
- Update now stable (winter26)
---
 services/self_host/nextcloud.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/self_host/nextcloud.nix b/services/self_host/nextcloud.nix
index 6adcf14..d5bb96e 100644
--- a/services/self_host/nextcloud.nix
+++ b/services/self_host/nextcloud.nix
@@ -71,7 +71,7 @@ in
 nextcloud = {
 enable = true;
 https = true;
- package = pkgs.nextcloud32;
+ package = pkgs.nextcloud33;
 hostName = "nextcloud.enium.eu";
 datadir = dataDir;
 config = {
From 563acef333dc8b08d4293a4e216d2e2eae18ab00 Mon Sep 17 00:00:00 2001
From: Raphael
Date: Sun, 1 Mar 2026 22:42:39 +0100
Subject: [PATCH 18/42] refactor(services/self_host): removing the imagesDir unused on the config
- This folder was for images but moving to the fetchUrl
---
 services/self_host/sso.nix | 1 -
 1 file changed, 1 deletion(-)
diff --git a/services/self_host/sso.nix b/services/self_host/sso.nix
index b4eccf3..afc4bcf 100644
--- a/services/self_host/sso.nix
+++ b/services/self_host/sso.nix
@@ -9,7 +9,6 @@ let
 cfg = config.service.selfhost.sso;
 kanidm-admin = config.age.secrets."kanidm-admin".path;
 kanidm-idmAdmin = config.age.secrets."kanidm-idmAdmin".path;
- imagesDir = "/user/share/kanidm/assets";
 kanidmLogo = pkgs.fetchurl {
 url = "https://raw.githubusercontent.com/doc-sheet/forgejo/refs/heads/forgejo/assets/logo.svg";
 name = "kanidm.svg";
From 4f42094af4321ca74ce7d1267c24cd0820e6fc23 Mon Sep 17 00:00:00 2001
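Review bot: `proxy_ssl_verify off;` in the new `extraConfig` has no effect here, because `proxyPass` points at a plain `http://127.0.0.1:9987` upstream and nginx only consults the `proxy_ssl_*` directives for an `https://` upstream, so the line merely reads as a deliberate weakening. Drop it, or if the upstream really speaks TLS, switch `proxyPass` to `https://` and keep verification on with `proxy_ssl_trusted_certificate`. `proxy_set_header X-Forwarded-Proto https;` hard-codes the scheme; `proxy_set_header X-Forwarded-Proto $scheme;` stays correct if this vhost is ever reached over plain HTTP. Port 9987 is TeamSpeak's default UDP voice port, which an HTTP reverse proxy cannot carry, so if a web interface is the intended upstream it is worth confirming the port. The `locations."/"` block is shown in full, but the enclosing virtualHost definition starts outside the hunk.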
From: Raphael Date: Sun, 1 Mar 2026 22:43:05 +0100 Subject: [PATCH 19/42] feat(services/self_host): update the kanidm to 1.9 - This version is stable and now totaly reproductible using nixos --- services/self_host/sso.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/self_host/sso.nix b/services/self_host/sso.nix index afc4bcf..12f623b 100644 --- a/services/self_host/sso.nix +++ b/services/self_host/sso.nix @@ -38,7 +38,7 @@ in security.acme.certs."auth.enium.eu".group = "nginx"; services = { kanidm = { - package = pkgs.kanidmWithSecretProvisioning_1_8; + package = pkgs.kanidmWithSecretProvisioning_1_9; server = { enable = true; settings = { From 108371b5a7a6b880d88a3e6334f5b98e50619cfb Mon Sep 17 00:00:00 2001 From: Raphael Date: Mon, 2 Mar 2026 12:41:51 +0100 Subject: [PATCH 20/42] feat(hosts/server): adding grafana encryption key to the secrets --- hosts/server/secrets.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/hosts/server/secrets.nix b/hosts/server/secrets.nix index 1b2b9eb..698cc70 100644 --- a/hosts/server/secrets.nix +++ b/hosts/server/secrets.nix @@ -46,6 +46,13 @@ mode = "0440"; }; + age.secrets."grafana-secret-key" = { + file = ../../secrets/grafana-secret-key.age; + owner = "grafana"; + group = "grafana"; + mode = "0440"; + }; + age.secrets."forgejo-oidc-secret" = { file = ../../secrets/forgejo-oidc-secret.age; owner = "kanidm"; From a12041a70ade6487ad85740fc7f8bf3327ba48a9 Mon Sep 17 00:00:00 2001 From: Raphael Date: Mon, 2 Mar 2026 12:42:04 +0100 Subject: [PATCH 21/42] feat(secrets): adding grafana encryption key to age --- secrets/grafana-secret-key.age | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 secrets/grafana-secret-key.age diff --git a/secrets/grafana-secret-key.age b/secrets/grafana-secret-key.age new file mode 100644 index 0000000..af16ce7 --- /dev/null +++ b/secrets/grafana-secret-key.age 
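Review bot: `mode = "0440"` on the new `grafana-secret-key` entry grants group read although owner and group are both `grafana`; elsewhere in this file `0440` is used only where a secret must be shared across two identities (`kanidm`/`grafana`, `kanidm`/`forgejo`) and single-owner secrets use `0400`. Use `mode = "0400";` here for consistency and least privilege, since Grafana reads the file as its own user via `$__file{…}`. The same inconsistency applies to the `forgejo-runner-token` entry added in PATCH 26 of this series (owner and group both `forgejo`, mode `0440`).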
@@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 Iy+0iw a6V5MbX371JEVJM4L1AiL0f3/W4oPhc0EeydmBlCwzI +QnsMyhcDyrCGkkJaQWA04u5YdiVrlIISyp/PEnY7emE +-> ssh-ed25519 ocqiLQ 6vkETQNUq8iMWqPD3uf+UrVcY34xz8KBPLWK2WRHjgk +ttdk+iK/DFYoshfffBN+tbxXkWHgVPz5fYQ+m4684aM +--- gBW+PH1fOqhXi0ChESyPAj7fqM21Lb9UYPJ5JWVuoFk +%Alb3SdTPHf{&.5@;VPkz׶+lZvV \ No newline at end of file From c6dfb15cb7f56fe243310837edb8c8a4da28c40d Mon Sep 17 00:00:00 2001 From: Raphael Date: Mon, 2 Mar 2026 12:42:17 +0100 Subject: [PATCH 22/42] feat(secrets): adding grafana encryption key to age configuration --- secrets/secrets.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 34cf3e4..606a5c6 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -17,6 +17,7 @@ in "nextcloud-database.age".publicKeys = users ++ systems; "nextcloud-oidc-secret.age".publicKeys = users ++ systems; "grafana-oidc-secret.age".publicKeys = users ++ systems; + "grafana-secret-key.age".publicKeys = users ++ systems; "forgejo-oidc-secret.age".publicKeys = users ++ systems; "kandim-admin.age".publicKeys = users ++ systems; "kandim-idmAdmin.age".publicKeys = users ++ systems; From cdd4bdf1130f9f2202c8c83fe7cb11d36a0115ec Mon Sep 17 00:00:00 2001 From: Raphael Date: Mon, 2 Mar 2026 16:59:15 +0100 Subject: [PATCH 23/42] feat(hosts/server): removing the master bot --- hosts/server/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix index 0a89e86..74c509e 100644 --- a/hosts/server/configuration.nix +++ b/hosts/server/configuration.nix @@ -66,7 +66,7 @@ in teamspeak = true; }; bot_discord = { - master = true; + master = false; bde = false; tut = false; marty = false; From eb9ccdf0d5ea07dfe1cf7a48a114cd8b5e0e2ddf Mon Sep 17 00:00:00 2001 
From: Raphael
Date: Mon, 2 Mar 2026 16:59:49 +0100
Subject: [PATCH 24/42] feat(services/self_host): adding the loki services w/ alloy
---
 services/self_host/monitor.nix | 532 +++++++++++++++++++----------------
 1 file changed, 310 insertions(+), 222 deletions(-)
diff --git a/services/self_host/monitor.nix b/services/self_host/monitor.nix
index bbc25a7..b308b0d 100644
--- a/services/self_host/monitor.nix
+++ b/services/self_host/monitor.nix
@@ -1,122 +1,106 @@ { - config, - pkgs, - lib, - ... +config, +pkgs, +lib, +... }: let cfg = config.service.selfhost.monitor; dashboardsDir = ../../assets/grafana_dashboards; + oidc-secret = config.age.secrets.grafana-oidc-secret.path; + encryption-key = config.age.secrets.grafana-secret-key.path; monitored = [ "nginx" "grafana" ]; in -{ + { config = lib.mkIf cfg { - services.grafana = { - enable = true; - package = pkgs.grafana; - dataDir = "/var/lib/grafana"; - provision = { - dashboards.settings.providers = [ - { - name = "nixos-dashboards"; - type = "file"; - updateIntervalSeconds = 30; - editable = false; + services = { + grafana = { + enable = true; + package = pkgs.grafana; + dataDir = "/var/lib/grafana"; + provision = { + dashboards.settings.providers = [ + { + name = "nixos-dashboards"; + type = "file"; + updateIntervalSeconds = 30; + editable = false; - options = { - path = "/etc/grafana/dashboards"; - foldersFromFilesStructure = false; - }; - } - ]; - datasources.settings.datasources = [ - { - name = "Prometheus"; - type = "prometheus"; - uid = "prometheus"; - access = "proxy"; - url = "http://127.0.0.1:9090"; - isDefault = true; - editable = false; - jsonData = { - httpMethod = "POST"; - timeInterval = "15s"; - }; - } - ]; - }; - settings = { - server = { - root_url = "https://monitor.enium.eu"; - domain = "monitor.enium.eu"; - serve_from_sub_path = false; + options = { + path = "/etc/grafana/dashboards"; + foldersFromFilesStructure = false; + }; + } + ]; + datasources.settings.datasources = [ + { + name = "Prometheus"; + type = "prometheus"; + uid = "prometheus"; + access = "proxy"; + url = "http://127.0.0.1:9090"; + isDefault = true; + editable = false; + jsonData = { + httpMethod = "POST"; + timeInterval = "15s"; + }; + } + ]; }; + settings = { + server = { + root_url = "https://monitor.enium.eu"; + domain = "monitor.enium.eu"; + serve_from_sub_path = false; + }; - "auth.generic_oauth" = { - enabled = true; - name = "Enium"; - allow_sign_up = true; - 
client_id = "grafana"; - client_secret = "$__file{${config.age.secrets.grafana-oidc-secret.path}}"; - scopes = "openid profile email groups"; - auth_url = "https://auth.enium.eu/ui/oauth2"; - token_url = "https://auth.enium.eu/oauth2/token"; - api_url = "https://auth.enium.eu/oauth2/openid/grafana/userinfo"; - redirect_uri = "https://monitor.enium.eu/login/generic_oauth"; - use_pkce = true; - use_refresh_token = true; - login_attribute_path = "preferred_username"; - name_attribute_path = "name"; - email_attribute_path = "email"; - groups_attribute_path = "groups"; - role_attribute_path = "contains(groups, 'grafana_superadmins@enium.eu') && 'GrafanaAdmin' || contains(groups, 'grafana_admins@enium.eu') && 'Admin' || contains(groups, 'grafana_editors@enium.eu') && 'Editor' || 'Viewer'"; - allow_assign_grafana_admin = true; - role_attribute_strict = false; - skip_org_role_sync = false; - }; - log.level = "debug"; - auth = { - disable_login_form = true; - disable_signout_menu = false; - }; - security = { - cookie_secure = true; - cookie_samesite = "none"; - allow_embedding = true; + "auth.generic_oauth" = { + enabled = true; + name = "Enium"; + allow_sign_up = true; + client_id = "grafana"; + client_secret = "$__file{${oidc-secret}}"; + scopes = "openid profile email groups"; + auth_url = "https://auth.enium.eu/ui/oauth2"; + token_url = "https://auth.enium.eu/oauth2/token"; + api_url = "https://auth.enium.eu/oauth2/openid/grafana/userinfo"; + redirect_uri = "https://monitor.enium.eu/login/generic_oauth"; + use_pkce = true; + use_refresh_token = true; + login_attribute_path = "preferred_username"; + name_attribute_path = "name"; + email_attribute_path = "email"; + groups_attribute_path = "groups"; + role_attribute_path = "contains(groups, 'grafana_superadmins@enium.eu') && 'GrafanaAdmin' || contains(groups, 'grafana_admins@enium.eu') && 'Admin' || contains(groups, 'grafana_editors@enium.eu') && 'Editor' || 'Viewer'"; + allow_assign_grafana_admin = true; + 
role_attribute_strict = false; + skip_org_role_sync = false; + }; + log.level = "debug"; + auth = { + disable_login_form = true; + disable_signout_menu = false; + }; + security = { + secret_key = "$__file{${encryption-key}}"; + cookie_secure = true; + cookie_samesite = "none"; + allow_embedding = true; + }; }; }; - }; - - environment.etc."process-exporter.json".text = builtins.toJSON { - procMatchers = lib.map (svc: { - name = svc; - cmdline = [ - "${svc}:" - ]; - }) monitored; - }; - - systemd.services.process_exporter = { - description = "Prometheus Process Exporter"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - ExecStart = "${pkgs.prometheus-process-exporter}/bin/process-exporter --config.path /etc/process-exporter.json"; - Restart = "always"; - }; - }; - - services.prometheus = { - enable = true; - checkConfig = false; - exporters = { - blackbox = { - enable = true; - configFile = pkgs.writeText "blackbox-exporter.yml" '' + prometheus = { + enable = true; + checkConfig = false; + exporters = { + blackbox = { + enable = true; + configFile = pkgs.writeText "blackbox-exporter.yml" '' modules: http_2xx: prober: http 
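Review bot: Loki is enabled later in this file, but `datasources.settings.datasources` on the new side still provisions only Prometheus, so Grafana has no Loki datasource; the dashboard added in PATCH 25 of this series hard-codes a Loki datasource uid `bfesvtbn7l534f` that nothing here creates, and the `/etc/grafana/dashboards` provider is `editable = false`, so it cannot be repaired from the UI. Add an entry alongside Prometheus, e.g. `{ name = "Loki"; type = "loki"; uid = "loki"; access = "proxy"; url = "http://127.0.0.1:3100"; editable = false; }`, and reference that fixed uid from the dashboard. Separately, the module header on the new side (`config,`, `pkgs,`, `lib,`, `...` at column 0 and `in` followed by an indented `{`) departs from the nixfmt layout the other files in this series use. `log.level = "debug"` is also kept on an instance that handles OIDC logins, which is more verbose than a production deployment usually wants; `log.level = "info";` is the safer default.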
@@ -127,135 +111,239 @@ in method: GET no_follow_redirects: false fail_if_not_ssl: false - ''; - }; - node.enable = true; - systemd.enable = true; - }; - scrapeConfigs = [ - { - job_name = "systemd_exporter"; - metrics_path = "/metrics"; - static_configs = [ - { - targets = [ - "127.0.0.1:9558" - ]; - } - ]; - } - { - job_name = "node_exporter"; - static_configs = [ - { - targets = [ - "127.0.0.1:9100" - ]; - } - ]; - } - { - job_name = "process_exporter"; - metrics_path = "/metrics"; - scheme = "http"; - static_configs = [ - { - targets = [ - "127.0.0.1:9256" - ]; - } - ]; - } - { - job_name = "blackbox_http_probe"; - metrics_path = "/probe"; - params = { - module = [ - "http_2xx" - ]; + ''; }; - static_configs = [ - { - targets = [ - "https://raphael.parodi.pro" - "https://nextcloud.enium.eu" - "https://htop.enium.eu" - "https://monitor.enium.eu" - "https://ollama.enium.eu" - "http://relance-pas-stp.me:4242" + node.enable = true; + systemd.enable = true; + }; + scrapeConfigs = [ + { + job_name = "systemd_exporter"; + metrics_path = "/metrics"; + static_configs = [ + { + targets = [ + "127.0.0.1:9558" + ]; + } + ]; + } + { + job_name = "node_exporter"; + static_configs = [ + { + targets = [ + "127.0.0.1:9100" + ]; + } + ]; + } + { + job_name = "process_exporter"; + metrics_path = "/metrics"; + scheme = "http"; + static_configs = [ + { + targets = [ + "127.0.0.1:9256" + ]; + } + ]; + } + { + job_name = "blackbox_http_probe"; + metrics_path = "/probe"; + params = { + module = [ + "http_2xx" ]; + }; + static_configs = [ + { + targets = [ + "https://raphael.parodi.pro" + "https://nextcloud.enium.eu" + "https://htop.enium.eu" + "https://monitor.enium.eu" + "https://ollama.enium.eu" + "http://relance-pas-stp.me:4242" + ]; + } + ]; + relabel_configs = [ + { + source_labels = [ "__address__" ]; + target_label = "__param_target"; + } + { + source_labels = [ "__param_target" ]; + target_label = "instance"; + } + { + target_label = "__address__"; + replacement = 
"127.0.0.1:9115"; + } + ]; + proxy_url = "http://127.0.0.1:9115"; + } + ]; + ruleFiles = lib.mkForce [ "/etc/prometheus/services.rules" ]; + }; + loki = { + enable = true; + configuration = { + auth_enabled = false; + server = { + http_listen_port = 3100; + grpc_listen_port = 9095; + }; + common = { + path_prefix = "/var/lib/loki"; + storage = { + filesystem = { + chunks_directory = "/var/lib/loki/chunks"; + rules_directory = "/var/lib/loki/rules"; + }; + }; + replication_factor = 1; + ring = { + instance_addr = "127.0.0.1"; + kvstore.store = "inmemory"; + }; + }; + schema_config = { + configs = [{ + from = "2024-01-01"; + store = "tsdb"; + object_store = "filesystem"; + schema = "v13"; + index = { + prefix = "index_"; + period = "24h"; + }; + }]; + }; + }; + }; + alloy = { + enable = true; + configPath = pkgs.writeText "config.alloy" '' + loki.source.journal "systemd" { + forward_to = [loki.relabel.journal.receiver] + relabel_rules = loki.relabel.journal.rules + labels = { + job = "systemd-journal", } - ]; - relabel_configs = [ - { - source_labels = [ "__address__" ]; - target_label = "__param_target"; + } + + loki.relabel "journal" { + forward_to = [loki.write.local.receiver] + + rule { + source_labels = ["__journal__systemd_unit"] + target_label = "unit" } - { - source_labels = [ "__param_target" ]; - target_label = "instance"; + + rule { + source_labels = ["__journal_priority_keyword"] + target_label = "level" } - { - target_label = "__address__"; - replacement = "127.0.0.1:9115"; + + rule { + source_labels = ["__journal__hostname"] + target_label = "hostname" } - ]; - proxy_url = "http://127.0.0.1:9115"; - } - ]; - ruleFiles = lib.mkForce [ "/etc/prometheus/services.rules" ]; - }; - environment.etc."grafana/dashboards".source = dashboardsDir; + rule { + source_labels = ["__journal_syslog_identifier"] + target_label = "syslog_identifier" + } + } - environment.etc."prometheus/services.rules".text = '' - groups: - - name: services - rules: - - alert: 
nginxServiceDown - expr: process_up{job="process_exporter",name="nginx"} == 0 - for: 1m - labels: - severity: critical - annotations: - summary: "Processus nginx arrêté" - description: "Le processus nginx ne tourne plus depuis >1m." - - - alert: nginxServiceUp - expr: process_up{job="process_exporter",name="nginx"} == 1 - for: 1m - labels: - severity: info - annotations: - summary: "Processus nginx rétabli" - description: "Le processus nginx tourne de nouveau." - - - alert: grafanaServiceDown - expr: process_up{job="process_exporter",name="grafana"} == 0 - for: 1m - labels: - severity: critical - annotations: - summary: "Processus grafana arrêté" - description: "Le processus grafana ne tourne plus depuis >1m." - - - alert: grafanaServiceUp - expr: process_up{job="process_exporter",name="grafana"} == 1 - for: 1m - labels: - severity: info - annotations: - summary: "Processus grafana rétabli" - description: "Le processus grafana tourne de nouveau." - ''; - - services.nginx.virtualHosts."monitor.enium.eu" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://127.0.0.1:3000"; - proxyWebsockets = true; + loki.write "local" { + endpoint { + url = "http://localhost:3100/loki/api/v1/push" + } + } + ''; + }; + nginx.virtualHosts."monitor.enium.eu" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:3000"; + proxyWebsockets = true; + }; }; }; + + + systemd.services = { + alloy.serviceConfig.SupplementaryGroups = [ "systemd-journal" ]; + process_exporter = { + description = "Prometheus Process Exporter"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${pkgs.prometheus-process-exporter}/bin/process-exporter --config.path /etc/process-exporter.json"; + Restart = "always"; + }; + }; + }; + + environment.etc = { + "process-exporter.json".text = builtins.toJSON { + procMatchers = lib.map (svc: { + name = svc; + cmdline = [ + "${svc}:" + ]; + }) 
monitored; + }; + "grafana/dashboards".source = dashboardsDir; + "prometheus/services.rules".text = '' + groups: + - name: services + rules: + - alert: nginxServiceDown + expr: process_up{job="process_exporter",name="nginx"} == 0 + for: 1m + labels: + severity: critical + annotations: + summary: "Processus nginx arrêté" + description: "Le processus nginx ne tourne plus depuis >1m." + + - alert: nginxServiceUp + expr: process_up{job="process_exporter",name="nginx"} == 1 + for: 1m + labels: + severity: info + annotations: + summary: "Processus nginx rétabli" + description: "Le processus nginx tourne de nouveau." + + - alert: grafanaServiceDown + expr: process_up{job="process_exporter",name="grafana"} == 0 + for: 1m + labels: + severity: critical + annotations: + summary: "Processus grafana arrêté" + description: "Le processus grafana ne tourne plus depuis >1m." + + - alert: grafanaServiceUp + expr: process_up{job="process_exporter",name="grafana"} == 1 + for: 1m + labels: + severity: info + annotations: + summary: "Processus grafana rétabli" + description: "Le processus grafana tourne de nouveau." + ''; + }; + + + }; } From 3aff2937496731f1d5cbe82cf70d80aab959f02e Mon Sep 17 00:00:00 2001 From: Raphael Date: Mon, 2 Mar 2026 17:02:14 +0100 Subject: [PATCH 25/42] feat(assets/grafana): adding the alloy-logs dashboards --- assets/grafana_dashboards/alloy-logs.json | 594 ++++++++++++++++++++++ 1 file changed, 594 insertions(+) create mode 100644 assets/grafana_dashboards/alloy-logs.json diff --git a/assets/grafana_dashboards/alloy-logs.json b/assets/grafana_dashboards/alloy-logs.json new file mode 100644 index 0000000..36021c1 --- /dev/null +++ b/assets/grafana_dashboards/alloy-logs.json 
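Review bot: The Loki `server` block sets `http_listen_port = 3100` and `grpc_listen_port = 9095` but no listen address, while `auth_enabled = false`, so Loki accepts unauthenticated queries and pushes on every interface of the host rather than only from the local alloy that writes to `http://localhost:3100`. Since the only client is local, bind both listeners to loopback: `http_listen_address = "127.0.0.1"; grpc_listen_address = "127.0.0.1";`. The alloy `loki.write` endpoint uses `localhost` while every other address in this file is the literal `127.0.0.1`; using `http://127.0.0.1:3100/loki/api/v1/push` avoids a mismatch if `localhost` resolves to `::1` first on a dual-stack host.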
@@ -0,0 +1,594 @@ +{ + "annotations": { + "list": [ + { + "$$hashKey": "object:75", + "builtIn": 1, + "datasource": { + "uid": "-- Grafana --" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "description": "Log Viewer Dashboard for Loki", + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "id": 20, + "links": [ + { + "$$hashKey": "object:59", + "icon": "bolt", + "includeVars": true, + "keepTime": true, + "tags": [], + "targetBlank": true, + "title": "View In Explore", + "type": "link", + "url": "/explore?orgId=1&left=[\"now-1h\",\"now\",\"Loki\",{\"expr\":\"{job=\\\"$app\\\"}\"},{\"ui\":[true,true,true,\"none\"]}]" + }, + { + "$$hashKey": "object:61", + "icon": "external link", + "tags": [], + "targetBlank": true, + "title": "Learn LogQL", + "type": "link", + "url": "https://grafana.com/docs/loki/latest/logql/" + } + ], + "panels": [ + { + "datasource": { + "uid": "bfesvtbn7l534f" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "fixed" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "fieldMinMax": false, + "mappings": [], + "noValue": "0", + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "error" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-red", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "warn" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-yellow", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "info" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-green", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "debug" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-blue", + "mode": 
"fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 10, + "w": 8, + "x": 0, + "y": 0 + }, + "id": 6, + "options": { + "displayLabels": [], + "legend": { + "displayMode": "list", + "placement": "right", + "showLegend": true, + "values": [ + "percent" + ] + }, + "pieType": "donut", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "sort": "none", + "tooltip": { + "hideZeros": true, + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "12.3.3", + "targets": [ + { + "datasource": { + "type": "loki", + "uid": "bfesvtbn7l534f" + }, + "direction": "backward", + "editorMode": "code", + "expr": "sum(count_over_time({job=\"systemd-journal\"} | detected_level = \"debug\" [$__auto])) by (detected_level)", + "hide": false, + "legendFormat": "{{detected_level}}", + "queryType": "range", + "refId": "D", + "step": "" + }, + { + "datasource": { + "type": "loki", + "uid": "bfesvtbn7l534f" + }, + "direction": "backward", + "editorMode": "code", + "expr": "sum(count_over_time({job=\"systemd-journal\"} | detected_level = \"info\" [$__auto])) by (detected_level)", + "hide": false, + "legendFormat": "{{detected_level}}", + "queryType": "range", + "refId": "C", + "step": "" + }, + { + "datasource": { + "type": "loki", + "uid": "bfesvtbn7l534f" + }, + "direction": "backward", + "editorMode": "code", + "expr": "sum(count_over_time({job=\"systemd-journal\"} | detected_level = \"unknown\" [$__auto])) by (detected_level)", + "hide": false, + "legendFormat": "{{detected_level}}", + "queryType": "range", + "refId": "E", + "step": "" + }, + { + "datasource": { + "type": "loki", + "uid": "bfesvtbn7l534f" + }, + "direction": "backward", + "editorMode": "code", + "expr": "sum(count_over_time({job=\"systemd-journal\"} | detected_level = \"warn\" [$__auto])) by (detected_level)", + "hide": false, + "legendFormat": "{{detected_level}}", + "queryType": "range", + "refId": "B", + "step": "" + }, + { + "direction": "backward", + "editorMode": 
"code", + "expr": "sum(count_over_time({job=\"systemd-journal\"} | detected_level = \"error\" [$__auto])) by (detected_level)", + "legendFormat": "{{detected_level}}", + "queryType": "range", + "refId": "A", + "step": "" + } + ], + "title": "Type log pie chart", + "transparent": true, + "type": "piechart" + }, + { + "datasource": { + "type": "loki", + "uid": "bfesvtbn7l534f" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "axisSoftMin": 0, + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "bars", + "fillOpacity": 100, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 0, + "pointSize": 0, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "showValues": false, + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": 0 + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byRegexp", + "options": "/^(info|information)$/i" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-green", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byRegexp", + "options": "/^debug$/i" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-blue", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byRegexp", + "options": "/^(warn|warning)$/i" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-orange", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byRegexp", + "options": 
"/^(error|errors)$/i" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-red", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byRegexp", + "options": "/^(crit|critical|fatal|severe)$/i" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#705da0", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byRegexp", + "options": "/^(logs|unknown)$/i" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "darkgray", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 10, + "w": 16, + "x": 8, + "y": 0 + }, + "id": 9, + "interval": "5s", + "maxDataPoints": 500, + "options": { + "legend": { + "calcs": [ + "sum" + ], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "hideZeros": false, + "mode": "single", + "sort": "none" + } + }, + "pluginVersion": "12.3.3", + "targets": [ + { + "direction": "backward", + "editorMode": "code", + "expr": "sum(count_over_time({job=\"systemd-journal\"} [$__auto])) by (detected_level)", + "legendFormat": "{{detected_level}}", + "queryType": "range", + "refId": "A" + } + ], + "title": "Metric query", + "transparent": true, + "type": "timeseries" + }, + { + "datasource": { + "type": "loki", + "uid": "bfesvtbn7l534f" + }, + "description": "All warn/error's logs will be printed here", + "fieldConfig": { + "defaults": {}, + "overrides": [] + }, + "gridPos": { + "h": 18, + "w": 12, + "x": 0, + "y": 10 + }, + "id": 8, + "maxDataPoints": "", + "options": { + "dedupStrategy": "none", + "detailsMode": "inline", + "enableInfiniteScrolling": true, + "enableLogDetails": true, + "prettifyLogMessage": false, + "showControls": false, + "showLabels": false, + "showTime": true, + "sortOrder": "Descending", + "syntaxHighlighting": true, + "timestampResolution": "ms", + "wrapLogMessage": false + }, + "pluginVersion": "12.3.3", + "targets": [ + { + "datasource": { + "type": "loki", + "uid": "bfesvtbn7l534f" + }, 
+ "direction": "backward", + "editorMode": "code", + "expr": "{job=\"$app\"} | logfmt | detected_level =~ `err|error|emerg|emergency|fatal|crit|critical|warn` | line_format \"Service: {{ if .logger }}{{ .logger }}{{ else }}Loki{{ end }} | Message: {{ if .msg }}{{ .msg }}{{ else }}No Message{{ end }}\"", + "hide": false, + "legendFormat": "", + "queryType": "range", + "refId": "A" + } + ], + "title": "Warn/Error's logs", + "transparent": true, + "type": "logs" + }, + { + "datasource": { + "type": "loki", + "uid": "bfesvtbn7l534f" + }, + "description": "All infos logs will be printed here", + "fieldConfig": { + "defaults": {}, + "overrides": [] + }, + "gridPos": { + "h": 18, + "w": 12, + "x": 12, + "y": 10 + }, + "id": 7, + "maxDataPoints": "", + "options": { + "dedupStrategy": "none", + "detailsMode": "inline", + "enableInfiniteScrolling": true, + "enableLogDetails": true, + "prettifyLogMessage": false, + "showControls": false, + "showLabels": false, + "showTime": true, + "sortOrder": "Descending", + "syntaxHighlighting": true, + "timestampResolution": "ms", + "wrapLogMessage": false + }, + "pluginVersion": "12.3.3", + "targets": [ + { + "datasource": { + "type": "loki", + "uid": "bfesvtbn7l534f" + }, + "direction": "backward", + "editorMode": "code", + "expr": "{job=\"$app\"} | logfmt | detected_level =~ `info|notice|debug|trace` | line_format \"Service: {{ if .logger }}{{ .logger }}{{ else }}Loki{{ end }} | Message: {{ if .msg }}{{ .msg }}{{ else }}No Message{{ end }}\"", + "hide": false, + "legendFormat": "", + "queryType": "range", + "refId": "A" + } + ], + "title": "Logs Informative", + "transparent": true, + "type": "logs" + } + ], + "preload": false, + "refresh": "", + "schemaVersion": 42, + "tags": [], + "templating": { + "list": [ + { + "current": { + "text": "systemd-journal", + "value": "systemd-journal" + }, + "datasource": "bfesvtbn7l534f", + "definition": "label_values(job)", + "includeAll": false, + "label": "App", + "name": "app", + "options": [], + 
"query": "label_values(job)", + "refresh": 1, + "regex": "", + "type": "query" + }, + { + "current": { + "text": "", + "value": "" + }, + "label": "String Match", + "name": "search", + "options": [ + { + "selected": true, + "text": "", + "value": "" + } + ], + "query": "", + "type": "textbox" + } + ] + }, + "time": { + "from": "now-1h", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ] + }, + "timezone": "", + "title": "Logs / App", + "uid": "sadlil-loki-apps-dashboard", + "version": 13 +} From 5cc6b40a3e97e6164008d0fd62343069d139757b Mon Sep 17 00:00:00 2001 From: Raphael Date: Fri, 6 Mar 2026 12:26:12 +0100 Subject: [PATCH 26/42] feat(services/selfhost): adding the git actions on forgejo --- hosts/server/secrets.nix | 7 +++++++ secrets/forgejo-runner-token.age | Bin 0 -> 369 bytes services/self_host/git.nix | 14 +++++++++++++- 3 files changed, 20 insertions(+), 1 deletion(-) create mode 100644 secrets/forgejo-runner-token.age diff --git a/hosts/server/secrets.nix b/hosts/server/secrets.nix index 698cc70..9f439c6 100644 --- a/hosts/server/secrets.nix +++ b/hosts/server/secrets.nix @@ -60,6 +60,13 @@ mode = "0440"; }; + age.secrets."forgejo-runner-token" = { + file = ../../secrets/forgejo-runner-token.age; + owner = "forgejo"; + group = "forgejo"; + mode = "0440"; + }; + age.secrets."nextcloud-database" = { file = ../../secrets/nextcloud-database.age; owner = "nextcloud"; 
diff --git a/secrets/forgejo-runner-token.age b/secrets/forgejo-runner-token.age new file mode 100644 index 0000000000000000000000000000000000000000..47e7e7f8147c505e5c85b56dc2513fc4a5ceb442 GIT binary patch literal 369 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCUltkgEhELU)HD$p+U zO7bfT@C~=Lh{|v(k8srY@+r1VH!%z-NXvKkF*37EPfhVRO6D>Mb@VhgDE3S94R%XU zEObfcKe;f|Cs4sW(5J8}D#X&?GB`@x z-#t^?EU2o=#5 Date: Fri, 6 Mar 2026 12:26:52 +0100 Subject: [PATCH 27/42] feat(secrets): adding the runner secrets on forgejo --- secrets/secrets.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 606a5c6..f839cf6 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -19,6 +19,7 @@ in "grafana-oidc-secret.age".publicKeys = users ++ systems; "grafana-secret-key.age".publicKeys = users ++ systems; "forgejo-oidc-secret.age".publicKeys = users ++ systems; + "forgejo-runner-token.age".publicKeys = users ++ systems; "kandim-admin.age".publicKeys = users ++ systems; "kandim-idmAdmin.age".publicKeys = users ++ systems; } From 688fb2f4dda63e1889ea5d8ba7338c2cd15e6a49 Mon Sep 17 00:00:00 2001 From: Raphael Date: Fri, 6 Mar 2026 12:28:03 +0100 Subject: [PATCH 28/42] fix(services/self_host): correcting the redirect uri for git --- services/self_host/sso.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/self_host/sso.nix b/services/self_host/sso.nix index 12f623b..c282d5e 100644 --- a/services/self_host/sso.nix +++ b/services/self_host/sso.nix @@ -101,7 +101,7 @@ in displayName = "Forjego"; imageFile = kanidmLogo; originUrl = "https://git.enium.eu"; - originLanding = "https://git.enium.eu/login"; + originLanding = "https://git.enium.eu/user/oauth2/Enium/callback"; basicSecretFile = config.age.secrets.forgejo-oidc-secret.path; public = false; enableLocalhostRedirects = false; From 1be665dfd4d230c892815b7ef69a7b460bfe542b Mon Sep 17 00:00:00 2001 
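Review bot: The corrected value is an OAuth2 callback URI, but it is placed in `originLanding`, which in the kanidm provisioning options is the landing page linked from the kanidm app portal; redirect targets are validated against `originUrl`, which stays `https://git.enium.eu` on the new side. If Forgejo's callback is being rejected, the fix most likely belongs in `originUrl` (recent kanidm module versions accept a list, e.g. `originUrl = [ "https://git.enium.eu/user/oauth2/Enium/callback" ];`) with `originLanding` left pointing at a page a user can actually land on — worth confirming against the kanidm version provisioned in PATCH 19. Unrelated to the changed line, the context `displayName = "Forjego"` looks like a typo for Forgejo.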
From: Raphael Date: Sun, 8 Mar 2026 17:54:39 +0100 Subject: [PATCH 29/42] feat(secrets): adding the vault secrets --- hosts/server/secrets.nix | 13 +++++++++++++ secrets/secrets.nix | 2 ++ secrets/vault-oidc-secret.age | Bin 0 -> 371 bytes secrets/vault-secret-env.age | 9 +++++++++ 4 files changed, 24 insertions(+) create mode 100644 secrets/vault-oidc-secret.age create mode 100644 secrets/vault-secret-env.age diff --git a/hosts/server/secrets.nix b/hosts/server/secrets.nix index 9f439c6..c90b5e5 100644 --- a/hosts/server/secrets.nix +++ b/hosts/server/secrets.nix @@ -88,4 +88,17 @@ mode = "0400"; }; + age.secrets."vault-oidc-secret" = { + file = ../../secrets/vault-oidc-secret.age; + owner = "kanidm"; + group = "kanidm"; + mode = "0400"; + }; + + age.secrets."vault-secret-env" = { + file = ../../secrets/vault-secret-env.age; + owner = "vaultwarden"; + group = "vaultwarden"; + mode = "0400"; + }; } diff --git a/secrets/secrets.nix b/secrets/secrets.nix index f839cf6..3c4d101 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -22,4 +22,6 @@ in "forgejo-runner-token.age".publicKeys = users ++ systems; "kandim-admin.age".publicKeys = users ++ systems; "kandim-idmAdmin.age".publicKeys = users ++ systems; + "vault-secret-env.age".publicKeys = users ++ systems; + "vault-oidc-secret.age".publicKeys = users ++ systems; } 
diff --git a/secrets/vault-oidc-secret.age b/secrets/vault-oidc-secret.age new file mode 100644 index 0000000000000000000000000000000000000000..752b97a3228242fff297ee18f817b6812bd1711d GIT binary patch literal 371 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCUltkgEhELSKt%E?N# zG;&Rg$n(ic_AZa|@(xN*c8(~|jBqqEFV0H$v?vJ)4h^md3FHd!_f8C~(08ly%QA6G zDT^qH^vL(jF*VgM&@Xe2O80X1*3PJOa`(#g%}2K_Ke;f|Cr}}yJgFo-Hz%XY(OEyy zINik9sH&nk+pE&g*D>EUGe6Kb(#<3{L_Z|d(3Q)iEH}z6-6cvt$*tI@tT?2gz&O=C zF)u$f&pV ssh-ed25519 Iy+0iw rpRn2BgDtK3p1tHofUH/nCEwRh4z7rjAwLbvbhCTSkg +6ZiVqx6pNZyYmhsDhZh3YG6+LKiRsnuWMfN8KzJLyhw +-> ssh-ed25519 ocqiLQ AguX30lc6+1ckV3ENiHhboGyNyf2pN0hqIytsTAjwz4 +rAGWhtuROHn8p0eAGEKS6Xp+PyYmpbw2EbdadbfJxt0 +--- WA9Zus5yXPXPD+TiHyUlEIqozmvhAxWQTE6s2olZ1fs +2*8ց3g E(+w[ Date: Sun, 8 Mar 2026 17:55:16 +0100 Subject: [PATCH 30/42] feat(services/self_host): adding the vault declaration --- services/self_host.nix | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/services/self_host.nix b/services/self_host.nix index 9a146e3..92ecb5d 100644 --- a/services/self_host.nix +++ b/services/self_host.nix @@ -71,6 +71,14 @@ let lib ; }; + vault = import ./self_host/vault.nix { + inherit + inputs + config + pkgs + lib + ; + }; cfg = config.service.selfhost; in { @@ -83,6 +91,7 @@ in nextcloud ollama sso + vault ]; config = { @@ -129,7 +138,12 @@ in sso = lib.mkOption { type = lib.types.bool; default = false; - description = "Enable the nextcloud"; + description = "Enable the sso"; + }; + vault = lib.mkOption { + type = lib.types.bool; + default = false; + description = "Enable the vault"; }; }; } From 846ccf3475474adc82a72f4d23efacb233c418c7 Mon Sep 17 00:00:00 2001 From: Raphael Date: Sun, 8 Mar 2026 18:01:07 +0100 Subject: [PATCH 31/42] feat(service/self_host): adding the vault to sso connection --- services/self_host/sso.nix | 40 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 38 insertions(+), 2 deletions(-) 
diff --git a/services/self_host/sso.nix b/services/self_host/sso.nix index c282d5e..be4e77e 100644 --- a/services/self_host/sso.nix +++ b/services/self_host/sso.nix @@ -9,7 +9,7 @@ let cfg = config.service.selfhost.sso; kanidm-admin = config.age.secrets."kanidm-admin".path; kanidm-idmAdmin = config.age.secrets."kanidm-idmAdmin".path; - kanidmLogo = pkgs.fetchurl { + forgejoLogo = pkgs.fetchurl { url = "https://raw.githubusercontent.com/doc-sheet/forgejo/refs/heads/forgejo/assets/logo.svg"; name = "kanidm.svg"; sha256 = "sha256-rP7aZURtHBfF2OYuGLcKZhbvIN+B596T/3kaOxHUvig="; @@ -24,6 +24,11 @@ let name = "nextcloud.svg"; sha256 = "sha256-hL51zJkFxUys1CoM8yUxiH8BDw111wh3Qv7eTLm+XYo="; }; + vaultLogo = pkgs.fetchurl { + url = "https://raw.githubusercontent.com/dani-garcia/vaultwarden/ba5519167634ebe1e1f0fc10d610d10d1f405101/resources/vaultwarden-icon.svg"; + name = "vault.svg"; + sha256 = "sha256-xY/pFVS9puG+Ub0M9WrISrY/eY1Rc+QeceGqHeUVx+8="; + }; in { config = lib.mkIf cfg { @@ -69,6 +74,7 @@ in "grafana_superadmins" "forgejo_admins" "nextcloud_user" + "vault_admins" ]; }; }; @@ -91,6 +97,12 @@ in forgejo_users = { present = true; }; + vault_admins = { + present = true; + }; + vault_users = { + present = true; + }; nextcloud_user = { present = true; }; @@ -99,7 +111,7 @@ in forgejo = { present = true; displayName = "Forjego"; - imageFile = kanidmLogo; + imageFile = forgejoLogo; originUrl = "https://git.enium.eu"; originLanding = "https://git.enium.eu/user/oauth2/Enium/callback"; basicSecretFile = config.age.secrets.forgejo-oidc-secret.path; 
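Review bot: The renamed `forgejoLogo` fetch still carries `name = "kanidm.svg"` and points at a moving branch ref (`refs/heads/forgejo`), whereas the new `vaultLogo` just below it pins a commit; the `sha256` protects integrity in both cases, but the branch head will eventually stop matching the hash and break evaluation. Pin the Forgejo logo to a commit the same way and give it a matching store name, `name = "forgejo.svg";`. The `let` block and the `config = lib.mkIf cfg { ... }` body these hunks touch continue outside the hunks.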
@@ -231,6 +243,30 @@ in }; }; }; + vault = { + present = true; + displayName = "Vault"; + imageFile = vaultLogo; + originUrl = "https://vault.enium.eu"; + originLanding = "https://vault.enium.eu/identity/connect/oidc-signin"; + basicSecretFile = config.age.secrets.vault-oidc-secret.path; + public = false; + enableLocalhostRedirects = false; + allowInsecureClientDisablePkce = false; + preferShortUsername = true; + scopeMaps = { + vault_admins = [ + "openid" + "profile" + "email" + ]; + vault_users = [ + "openid" + "profile" + "email" + ]; + }; + }; }; }; }; From 2bc5f5ae6503a9fb706039f8b73b415be0f9d5cd Mon Sep 17 00:00:00 2001 From: Raphael Date: Sun, 8 Mar 2026 18:01:21 +0100 Subject: [PATCH 32/42] feat(services/self_host): adding the vault configuration --- services/self_host/vault.nix | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 services/self_host/vault.nix diff --git a/services/self_host/vault.nix b/services/self_host/vault.nix new file mode 100644 index 0000000..62f1511 --- /dev/null +++ b/services/self_host/vault.nix @@ -0,0 +1,35 @@ +{ config, ... }: + +let + vaultEnv = config.age.secrets.vault-secret-env.path; +in +{ + services.vaultwarden = { + enable = true; + + environmentFile = vaultEnv; + + config = { + DOMAIN = "https://vault.enium.eu"; + ROCKET_PORT = 8222; + SIGNUPS_ALLOWED = false; + SSO_ENABLED = true; + SSO_CLIENT_ID = "vault"; + SSO_CLIENT_SECRET = "cat ${config.age.secrets.vault-oidc-secret.path}"; + SSO_AUTHORITY = "https://auth.enium.eu/oauth2/openid/vault"; + SSO_SIGNUPS_MATCH_EMAIL = true; + SSO_PKCE = true; + SSO_SCOPES = "openid profile email"; + SSO_ONLY = true; + }; + }; + + services.nginx.virtualHosts."vault.enium.eu" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://127.0.0.1:8222"; + proxyWebsockets = true; + }; + }; +} From e54c9c482f93ed97e30230a73b6dd3d2d3f94201 Mon Sep 17 00:00:00 2001 
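Review bot: `SSO_CLIENT_SECRET = "cat ${config.age.secrets.vault-oidc-secret.path}";` in the new `vault.nix` hands Vaultwarden the literal string `cat <secret path>` as the client secret: `services.vaultwarden.config` is written out as environment variables, nothing executes that command, so the OIDC login cannot succeed with this value. Two further problems would make the line wrong even if it were taken as a path: `vault-oidc-secret` is declared in this series (hosts/server/secrets.nix, PATCH 29) with `owner = "kanidm"` and `mode = "0400"`, so the `vaultwarden` user cannot read it, and a real secret placed in `config` is rendered into the world-readable Nix store. Drop the `SSO_CLIENT_SECRET` entry from `config` and supply it through the `environmentFile` that is already wired (`vault-secret-env`, owned by `vaultwarden`), leaving the Kanidm-owned file for Kanidm's `basicSecretFile` only. A comment on `environmentFile` along the lines of `# carries SSO_CLIENT_SECRET and any other credentials; never put secrets in config, which is copied to the Nix store` would document the split.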
From: Raphael Date: Sun, 8 Mar 2026 18:01:45 +0100 Subject: [PATCH 33/42] refactor(services/self_host): adding the monitor to the nixfmt --- services/self_host/monitor.nix | 55 +++++++++++++++++----------------- 1 file changed, 27 insertions(+), 28 deletions(-) diff --git a/services/self_host/monitor.nix b/services/self_host/monitor.nix index b308b0d..682b103 100644 --- a/services/self_host/monitor.nix +++ b/services/self_host/monitor.nix @@ -1,8 +1,8 @@ { -config, -pkgs, -lib, -... + config, + pkgs, + lib, + ... }: let @@ -15,7 +15,7 @@ let "grafana" ]; in - { +{ config = lib.mkIf cfg { services = { grafana = { @@ -101,16 +101,16 @@ in blackbox = { enable = true; configFile = pkgs.writeText "blackbox-exporter.yml" '' - modules: - http_2xx: - prober: http - timeout: 5s - http: - valid_http_versions: ["HTTP/1.1", "HTTP/2.0"] - valid_status_codes: [] - method: GET - no_follow_redirects: false - fail_if_not_ssl: false + modules: + http_2xx: + prober: http + timeout: 5s + http: + valid_http_versions: ["HTTP/1.1", "HTTP/2.0"] + valid_status_codes: [] + method: GET + no_follow_redirects: false + fail_if_not_ssl: false ''; }; node.enable = true; @@ -212,16 +212,18 @@ in }; }; schema_config = { - configs = [{ - from = "2024-01-01"; - store = "tsdb"; - object_store = "filesystem"; - schema = "v13"; - index = { - prefix = "index_"; - period = "24h"; - }; - }]; + configs = [ + { + from = "2024-01-01"; + store = "tsdb"; + object_store = "filesystem"; + schema = "v13"; + index = { + prefix = "index_"; + period = "24h"; + }; + } + ]; }; }; }; @@ -277,7 +279,6 @@ in }; }; - systemd.services = { alloy.serviceConfig.SupplementaryGroups = [ "systemd-journal" ]; process_exporter = { @@ -343,7 +344,5 @@ in ''; }; - - }; } From ec0b23d373b48bc0c0315193ead093a4d4b5f613 Mon Sep 17 00:00:00 2001 From: Raphael Date: Sun, 8 Mar 2026 18:02:01 +0100 Subject: [PATCH 34/42] feat(hosts/server): adding the vault activation --- hosts/server/configuration.nix | 1 + 1 file changed, 1 insertion(+) 
diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix index 74c509e..60f8f62 100644 --- a/hosts/server/configuration.nix +++ b/hosts/server/configuration.nix @@ -58,6 +58,7 @@ in nextcloud = true; jellyfin = true; sso = true; + vault = true; }; forty_two.irc = false; web.portefolio = true; From 24c2cd2d12ef750eb4692173070d39ed05435ae4 Mon Sep 17 00:00:00 2001 From: Raphael Date: Sun, 8 Mar 2026 18:23:56 +0100 Subject: [PATCH 35/42] feat(services/self_host): adding the sso account for deborah --- services/self_host/sso.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/services/self_host/sso.nix b/services/self_host/sso.nix index be4e77e..aa102a8 100644 --- a/services/self_host/sso.nix +++ b/services/self_host/sso.nix @@ -77,6 +77,18 @@ in "vault_admins" ]; }; + deborah = { + displayName = "Deborah"; + legalName = "Deborah Parodi"; + mailAddresses = [ + "deborah@enium.eu" + ]; + groups = [ + "grafana_superadmins" + "forgejo_users" + "vault_users" + ]; + }; }; groups = { grafana_superadmins = { From cec57776b1907768cfee60953ff9af52ffd12637 Mon Sep 17 00:00:00 2001 From: Raphael Date: Sun, 8 Mar 2026 18:24:14 +0100 Subject: [PATCH 36/42] fix(services/self_host): adding the registration by kanidm --- services/self_host/git.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/self_host/git.nix b/services/self_host/git.nix index 12def2a..902c291 100644 --- a/services/self_host/git.nix +++ b/services/self_host/git.nix @@ -42,7 +42,7 @@ in }; service = { - DISABLE_REGISTRATION = true; + DISABLE_REGISTRATION = false; ALLOW_ONLY_EXTERNAL_REGISTRATION = true; SHOW_REGISTRATION_BUTTON = false; DISABLE_PASSWORD_SIGNIN_FORM = true; From 1f930fcd47686aa71675737ec8fceaf8eec12c05 Mon Sep 17 00:00:00 2001 
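Review bot: Flipping `DISABLE_REGISTRATION` to `false` while `ALLOW_ONLY_EXTERNAL_REGISTRATION = true` stays in place means any identity Kanidm is willing to authenticate for the Forgejo client gets a Forgejo account created on first login; the gate moves entirely to the Kanidm side (presumably the Forgejo client's scope maps, which are not visible in this hunk), so group membership changes there now also grant Forgejo accounts. That is a reasonable design, but nothing in the hunk says so; a comment such as `# local sign-up stays off: accounts are created only on first OIDC login via Kanidm` above `DISABLE_REGISTRATION` would keep the next reader from re-enabling the flag. The enclosing `service` attribute set continues outside the hunk.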
From: Raphael Date: Mon, 23 Mar 2026 10:49:26 +0100 Subject: [PATCH 37/42] feat(hosts/fix): adding the new hw-config --- hosts/fix/hardware-configuration.nix | 81 ++++++---------------------- 1 file changed, 17 insertions(+), 64 deletions(-) diff --git a/hosts/fix/hardware-configuration.nix b/hosts/fix/hardware-configuration.nix index a202e4a..9eb70cc 100644 --- a/hosts/fix/hardware-configuration.nix +++ b/hosts/fix/hardware-configuration.nix 
@@ -1,83 +1,36 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ - config, - lib, - pkgs, - modulesPath, - ... -}: +{ config, lib, pkgs, modulesPath, ... }: { - imports = [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; - - # services.dbus.enable = true; - boot = { - initrd = { - availableKernelModules = [ - "xhci_pci" - "ahci" - "usbhid" - "sd_mod" - ]; - kernelModules = [ ]; - }; - kernelModules = [ - "kvm-intel" + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") ]; - extraModulePackages = [ ]; - }; - fileSystems = { - "/" = { - device = "/dev/disk/by-uuid/a943d592-57d3-497e-bf43-49b50ac73f0b"; + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/2eec2aaa-4576-4591-9b9e-6d36ee4b0d02"; fsType = "ext4"; }; - "/boot" = { - device = "/dev/disk/by-uuid/5AAB-0026"; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/FE5B-8026"; fsType = "vfat"; - options = [ - "fmask=0077" - "dmask=0077" - ]; + options = [ "fmask=0077" "dmask=0077" ]; }; - "/mnt/data" = { - device = "/dev/disk/by-uuid/5729d30c-5806-4ccd-8a2a-080a258084dc"; + + fileSystems."/mnt/data" = + { device = "/dev/disk/by-uuid/416367e1-a2dc-4724-b9f5-9c10da4d87a5"; fsType = "ext4"; - options = [ - "acl" - "exec" - ]; }; - }; swapDevices = [ ]; - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. 
- networking.useDHCP = lib.mkDefault true; - # networking.interfaces.docker0.useDHCP = lib.mkDefault true; - # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true; - - services.xserver.videoDrivers = [ "nvidia" ]; - - hardware = { - graphics.enable = true; - nvidia = { - open = false; - modesetting.enable = true; - powerManagement.enable = false; - powerManagement.finegrained = false; - nvidiaSettings = true; - package = config.boot.kernelPackages.nvidiaPackages.stable; - }; - }; - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; } From 787090f5b447a06ad3f00bc081d65be9e5ab6fce Mon Sep 17 00:00:00 2001 From: Raphael Date: Mon, 23 Mar 2026 10:49:44 +0100 Subject: [PATCH 38/42] feat(host/fix): adding mullvad autostart --- hosts/fix/configuration.nix | 61 ++++++++++++++++++------------------- 1 file changed, 30 insertions(+), 31 deletions(-) diff --git a/hosts/fix/configuration.nix b/hosts/fix/configuration.nix index 44d74f4..d8b4394 100644 --- a/hosts/fix/configuration.nix +++ b/hosts/fix/configuration.nix @@ -6,6 +6,12 @@ ... }: +let + mullvad-autostart = pkgs.makeAutostartItem { + name = "mullvad-vpn"; + package = pkgs.mullvad-vpn; + }; +in { imports = [ ../global.nix @@ -19,7 +25,18 @@ hostName = "nixos-fix"; firewall.enable = false; networkmanager.enable = true; - wireless.enable = false; + }; + + hardware = { + graphics.enable = true; + nvidia = { + open = false; + modesetting.enable = true; + powerManagement.enable = false; + powerManagement.finegrained = false; + nvidiaSettings = true; + package = config.boot.kernelPackages.nvidiaPackages.stable; + }; }; games = { 
@@ -37,27 +54,7 @@ swaylock = { }; }; - users = { - defaultUserShell = pkgs.zsh; - users = { - deb = { - isNormalUser = true; - initialPassword = "pasadmin1234"; - description = "deb"; - useDefaultShell = true; - extraGroups = [ - "networkmanager" - "dialout" - "docker" - "video" - ]; - packages = with pkgs; [ - gnome-session - home-manager - ]; - }; - }; - }; + users.defaultUserShell = pkgs.zsh; # Bootloader. boot.loader = { @@ -72,25 +69,27 @@ }; }; + environment.systemPackages = [ + mullvad-autostart + ]; + services = { - seatd.enable = true; - xserver = { - desktopManager.gnome.enable = true; - displayManager.gdm.wayland = true; + mullvad-vpn = { + enable = true; + package = pkgs.mullvad-vpn; }; + xserver.videoDrivers = [ "nvidia" ]; + seatd.enable = true; greetd = { enable = true; settings = { default_session = { - command = "${pkgs.greetd.tuigreet}/bin/tuigreet --remember --user-menu --remember-user-session --time"; + command = "${pkgs.tuigreet}/bin/tuigreet --remember --user-menu --remember-user-session --time"; }; }; + useTextGreeter = true; }; dbus.enable = true; - openssh = { - enable = true; - ports = [ 42131 ]; - }; pipewire = { enable = true; alsa.enable = true; From d9f2fa1817769e1d1b8e3a8b87155eea0406bd9a Mon Sep 17 00:00:00 2001 From: Raphael Date: Mon, 23 Mar 2026 10:49:59 +0100 Subject: [PATCH 39/42] feat(hosts): adding the render group --- hosts/global.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts/global.nix b/hosts/global.nix index f3e6d9e..034d314 100644 --- a/hosts/global.nix +++ b/hosts/global.nix @@ -45,6 +45,7 @@ "wheel" "docker" "video" + "render" ]; }; }; @@ -75,6 +76,7 @@ }; environment.systemPackages = with pkgs; [ + uwsm git postgresql vim From 3b2ad02a12d78c24dc0e3de10d08dc9f88052bff Mon Sep 17 00:00:00 2001 From: Raphael Date: Mon, 23 Mar 2026 10:50:20 +0100 Subject: [PATCH 40/42] feat(modules/games): adding gamescope to steam configuration --- modules/games/steam.nix | 1 + 1 file changed, 1 insertion(+) 
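Review bot: Besides the Mullvad autostart named in the title, the second and third hunks of hosts/fix/configuration.nix also delete the `deb` user (together with its hard-coded `initialPassword`), the GNOME session/GDM settings and the entire `services.openssh` block on port 42131; none of these removals is mentioned in the commit message. Dropping the hard-coded password is an improvement on its own, but removing `openssh` silently disables SSH on this host unless another module enables it — if that is intended the message should say so, and if the user is now declared in a shared module, a pointer such as `# users are declared in ../global.nix` next to `users.defaultUserShell` would help. The first hunk (in the previous chunk of this patch) keeps `firewall.enable = false` as context while the host now runs a VPN client; worth confirming that is deliberate rather than inherited.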
diff --git a/modules/games/steam.nix b/modules/games/steam.nix index bc81d4d..ca3bde0 100644 --- a/modules/games/steam.nix +++ b/modules/games/steam.nix @@ -22,6 +22,7 @@ in }; environment.systemPackages = with pkgs; [ + gamescope wine-staging lutris dxvk From eb171157ddcb9ac59898afe21adc81d53aaea7b2 Mon Sep 17 00:00:00 2001 From: Raphael Date: Mon, 23 Mar 2026 10:50:37 +0100 Subject: [PATCH 41/42] feat(flake): adding the hm configuration --- flake.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index c6fb519..c1f1508 100644 --- a/flake.nix +++ b/flake.nix @@ -45,6 +45,7 @@ ./hosts/fix/configuration.nix home-manager.nixosModules.home-manager { + home-manager.sharedModules = [ catppuccin.homeModules.catppuccin ]; home-manager.useGlobalPkgs = true; home-manager.useUserPackages = true; home-manager.extraSpecialArgs = { @@ -53,7 +54,7 @@ nixvim = inputs.nixvim.packages."x86_64-linux".default; zen-browser = inputs.zen-browser.packages."x86_64-linux".default; }; - home-manager.users.raphael = hm-config.homeConfigurations."hm-fix"; + home-manager.users.raphael = import hm-config.outputs.homeModules.fix; } ]; specialArgs = { From 8359a6911119e1d01540c5f8dc232e9cd2fb6aaa Mon Sep 17 00:00:00 2001 From: Raphael Date: Tue, 31 Mar 2026 19:36:46 +0200 Subject: [PATCH 42/42] feat(hosts/fix): adding the thunderbird program installation --- hosts/fix/configuration.nix | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/hosts/fix/configuration.nix b/hosts/fix/configuration.nix index d8b4394..3d1fb03 100644 --- a/hosts/fix/configuration.nix +++ b/hosts/fix/configuration.nix 
@@ -28,12 +28,17 @@ in }; hardware = { - graphics.enable = true; + graphics = { + enable = true; + enable32Bit = true; + }; nvidia = { open = false; modesetting.enable = true; - powerManagement.enable = false; - powerManagement.finegrained = false; + powerManagement = { + enable = false; + finegrained = false; + }; nvidiaSettings = true; package = config.boot.kernelPackages.nvidiaPackages.stable; }; @@ -63,14 +68,17 @@ in }; programs = { + thunderbird.enable = true; hyprland = { enable = true; xwayland.enable = true; }; }; - environment.systemPackages = [ + environment.systemPackages = with pkgs; [ mullvad-autostart + pciutils + vulkan-tools ]; services = { @@ -114,6 +122,7 @@ in enable = true; extraPortals = [ pkgs.xdg-desktop-portal-hyprland + pkgs.xdg-desktop-portal-gtk ]; config.common.default = "*"; };