

42 commits

Raphael
8359a69111
feat(hosts/fix): adding the thunderbird program installation 2026-03-31 19:36:46 +02:00
Raphael
eb171157dd
feat(flake): adding the hm configuration 2026-03-23 10:50:37 +01:00
Raphael
3b2ad02a12
feat(modules/games): adding gamescope to steam configuration 2026-03-23 10:50:20 +01:00
Raphael
d9f2fa1817
feat(hosts): adding the render group 2026-03-23 10:50:02 +01:00
Raphael
787090f5b4
feat(host/fix): adding mullvad autostart 2026-03-23 10:49:44 +01:00
Raphael
1f930fcd47
feat(hosts/fix): adding the new hw-config 2026-03-23 10:49:26 +01:00
Raphael
cec57776b1
fix(services/self_host): adding the registration by kanidm 2026-03-08 18:24:14 +01:00
Raphael
24c2cd2d12
feat(services/self_host): adding the sso account for deborah 2026-03-08 18:23:56 +01:00
Raphael
ec0b23d373
feat(hosts/server): adding the vault activation 2026-03-08 18:02:01 +01:00
Raphael
e54c9c482f
refactor(services/self_host): adding the monitor to the nixfmt 2026-03-08 18:01:45 +01:00
Raphael
2bc5f5ae65
feat(services/self_host): adding the vault configuration 2026-03-08 18:01:21 +01:00
Raphael
846ccf3475
feat(service/self_host): adding the vault to sso connection 2026-03-08 18:01:07 +01:00
Raphael
bda0054462
feat(services/self_host): adding the vault declaration 2026-03-08 17:55:16 +01:00
Raphael
1be665dfd4
feat(secrets): adding the vault secrets 2026-03-08 17:54:39 +01:00
Raphael
688fb2f4dd
fix(services/self_host): correcting the redirect uri for git 2026-03-06 12:28:07 +01:00
Raphael
159dc8a833
feat(secrets): adding the runner secrets on forgejo 2026-03-06 12:26:52 +01:00
Raphael
5cc6b40a3e
feat(services/selfhost): adding the git actions on forgejo 2026-03-06 12:26:12 +01:00
Raphael
3aff293749
feat(assets/grafana): adding the alloy-logs dashboards 2026-03-02 17:02:14 +01:00
Raphael
eb9ccdf0d5
feat(services/self_host): adding the loki services w/ alloy 2026-03-02 16:59:49 +01:00
Raphael
cdd4bdf113
feat(hosts/server): removing the master bot 2026-03-02 16:59:24 +01:00
Raphael
c6dfb15cb7
feat(secrets): adding grafana encryption key to age configuration 2026-03-02 12:42:17 +01:00
Raphael
a12041a70a
feat(secrets): adding grafana encryption key to age 2026-03-02 12:42:09 +01:00
Raphael
108371b5a7
feat(hosts/server): adding grafana encryption key to the secrets 2026-03-02 12:41:51 +01:00
Raphael
4f42094af4
feat(services/self_host): update the kanidm to 1.9
- This version is stable and now totally reproducible using nixos
2026-03-01 22:43:05 +01:00
Raphael
563acef333
refactor(services/self_host): removing the imagesDir unused on the config
- This folder was for images but moving to the fetchUrl
2026-03-01 22:42:39 +01:00
Raphael
65a5d1fe43
feat(services/self_host): update the nextcloud to 33
- Update now stable (winter26)
2026-03-01 22:41:09 +01:00
Raphael
8456ea147c
feat(services/server): adding proxy setup for teamspeak redirection 2026-03-01 22:13:32 +01:00
Raphael
5a7b4e41fc
refactor(hosts/server): adding the format to nix files 2026-02-28 16:45:16 +01:00
Raphael
93d7fabef5
refactor(services/selfhosts): adding the format to nix files 2026-02-28 16:45:00 +01:00
Raphael
76eb961891
feat(self_hosts/sso): adding the new syntax for kanidm 2026-02-28 16:44:13 +01:00
Raphael
fd6110694e
refactor(services/minecraft): adding the format to nix files 2026-02-28 16:43:47 +01:00
Raphael
53b92464a5
feat(services/web): adding the format to protefolio nix files 2026-02-28 16:43:19 +01:00
Raphael
e9a7753e88
feat(hosts/server): adding the new mac ssh-key 2026-02-09 23:39:44 +01:00
Raphael
1773438cc8
feat(self_host/jellyfin): adding the dockers /downloads mount point 2026-01-08 13:46:42 +01:00
Raphael
85c7c2797c
feat(server/secrets): adding wireguard to the server's secret 2026-01-05 16:53:37 +01:00
Raphael
098da27752
feat(self_host/jellyfin): adding the dockerisation of arr services 2026-01-05 16:53:04 +01:00
Raphael
d611b4cc01
feat(secrets): adding the wireguard secrets configuration 2026-01-05 16:52:37 +01:00
Raphael
9626ff6e76
feat(self_host/mail): adding the rchouraqui mail account 2026-01-04 11:54:35 +01:00
Raphael
1ee8a09678
feat(self_host/sso): adding the forgejo redirect url 2026-01-03 23:16:18 +01:00
Raphael
313279edfc
feat(server/minecraft): adding the minecraft server configuration
- Adding the mod create
2026-01-03 23:15:46 +01:00
Raphael
ef9fed8790
feat(server/self_host): turning on the minecraft server 2026-01-03 23:15:16 +01:00
Raphael
d6f22cfaae
feat(server/hardware): adding the data disk 2026-01-03 23:14:46 +01:00
26 changed files with 1517 additions and 550 deletions


@ -0,0 +1,594 @@
{
"annotations": {
"list": [
{
"$$hashKey": "object:75",
"builtIn": 1,
"datasource": {
"uid": "-- Grafana --"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"type": "dashboard"
}
]
},
"description": "Log Viewer Dashboard for Loki",
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": 20,
"links": [
{
"$$hashKey": "object:59",
"icon": "bolt",
"includeVars": true,
"keepTime": true,
"tags": [],
"targetBlank": true,
"title": "View In Explore",
"type": "link",
"url": "/explore?orgId=1&left=[\"now-1h\",\"now\",\"Loki\",{\"expr\":\"{job=\\\"$app\\\"}\"},{\"ui\":[true,true,true,\"none\"]}]"
},
{
"$$hashKey": "object:61",
"icon": "external link",
"tags": [],
"targetBlank": true,
"title": "Learn LogQL",
"type": "link",
"url": "https://grafana.com/docs/loki/latest/logql/"
}
],
"panels": [
{
"datasource": {
"uid": "bfesvtbn7l534f"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "fixed"
},
"custom": {
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
}
},
"fieldMinMax": false,
"mappings": [],
"noValue": "0",
"unit": "short"
},
"overrides": [
{
"matcher": {
"id": "byName",
"options": "error"
},
"properties": [
{
"id": "color",
"value": {
"fixedColor": "semi-dark-red",
"mode": "fixed"
}
}
]
},
{
"matcher": {
"id": "byName",
"options": "warn"
},
"properties": [
{
"id": "color",
"value": {
"fixedColor": "semi-dark-yellow",
"mode": "fixed"
}
}
]
},
{
"matcher": {
"id": "byName",
"options": "info"
},
"properties": [
{
"id": "color",
"value": {
"fixedColor": "semi-dark-green",
"mode": "fixed"
}
}
]
},
{
"matcher": {
"id": "byName",
"options": "debug"
},
"properties": [
{
"id": "color",
"value": {
"fixedColor": "semi-dark-blue",
"mode": "fixed"
}
}
]
}
]
},
"gridPos": {
"h": 10,
"w": 8,
"x": 0,
"y": 0
},
"id": 6,
"options": {
"displayLabels": [],
"legend": {
"displayMode": "list",
"placement": "right",
"showLegend": true,
"values": [
"percent"
]
},
"pieType": "donut",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"sort": "none",
"tooltip": {
"hideZeros": true,
"mode": "multi",
"sort": "none"
}
},
"pluginVersion": "12.3.3",
"targets": [
{
"datasource": {
"type": "loki",
"uid": "bfesvtbn7l534f"
},
"direction": "backward",
"editorMode": "code",
"expr": "sum(count_over_time({job=\"systemd-journal\"} | detected_level = \"debug\" [$__auto])) by (detected_level)",
"hide": false,
"legendFormat": "{{detected_level}}",
"queryType": "range",
"refId": "D",
"step": ""
},
{
"datasource": {
"type": "loki",
"uid": "bfesvtbn7l534f"
},
"direction": "backward",
"editorMode": "code",
"expr": "sum(count_over_time({job=\"systemd-journal\"} | detected_level = \"info\" [$__auto])) by (detected_level)",
"hide": false,
"legendFormat": "{{detected_level}}",
"queryType": "range",
"refId": "C",
"step": ""
},
{
"datasource": {
"type": "loki",
"uid": "bfesvtbn7l534f"
},
"direction": "backward",
"editorMode": "code",
"expr": "sum(count_over_time({job=\"systemd-journal\"} | detected_level = \"unknown\" [$__auto])) by (detected_level)",
"hide": false,
"legendFormat": "{{detected_level}}",
"queryType": "range",
"refId": "E",
"step": ""
},
{
"datasource": {
"type": "loki",
"uid": "bfesvtbn7l534f"
},
"direction": "backward",
"editorMode": "code",
"expr": "sum(count_over_time({job=\"systemd-journal\"} | detected_level = \"warn\" [$__auto])) by (detected_level)",
"hide": false,
"legendFormat": "{{detected_level}}",
"queryType": "range",
"refId": "B",
"step": ""
},
{
"direction": "backward",
"editorMode": "code",
"expr": "sum(count_over_time({job=\"systemd-journal\"} | detected_level = \"error\" [$__auto])) by (detected_level)",
"legendFormat": "{{detected_level}}",
"queryType": "range",
"refId": "A",
"step": ""
}
],
"title": "Type log pie chart",
"transparent": true,
"type": "piechart"
},
{
"datasource": {
"type": "loki",
"uid": "bfesvtbn7l534f"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"axisSoftMin": 0,
"barAlignment": 0,
"barWidthFactor": 0.6,
"drawStyle": "bars",
"fillOpacity": 100,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 0,
"pointSize": 0,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "auto",
"showValues": false,
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "normal"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": 0
},
{
"color": "red",
"value": 80
}
]
},
"unit": "short"
},
"overrides": [
{
"matcher": {
"id": "byRegexp",
"options": "/^(info|information)$/i"
},
"properties": [
{
"id": "color",
"value": {
"fixedColor": "semi-dark-green",
"mode": "fixed"
}
}
]
},
{
"matcher": {
"id": "byRegexp",
"options": "/^debug$/i"
},
"properties": [
{
"id": "color",
"value": {
"fixedColor": "semi-dark-blue",
"mode": "fixed"
}
}
]
},
{
"matcher": {
"id": "byRegexp",
"options": "/^(warn|warning)$/i"
},
"properties": [
{
"id": "color",
"value": {
"fixedColor": "semi-dark-orange",
"mode": "fixed"
}
}
]
},
{
"matcher": {
"id": "byRegexp",
"options": "/^(error|errors)$/i"
},
"properties": [
{
"id": "color",
"value": {
"fixedColor": "semi-dark-red",
"mode": "fixed"
}
}
]
},
{
"matcher": {
"id": "byRegexp",
"options": "/^(crit|critical|fatal|severe)$/i"
},
"properties": [
{
"id": "color",
"value": {
"fixedColor": "#705da0",
"mode": "fixed"
}
}
]
},
{
"matcher": {
"id": "byRegexp",
"options": "/^(logs|unknown)$/i"
},
"properties": [
{
"id": "color",
"value": {
"fixedColor": "darkgray",
"mode": "fixed"
}
}
]
}
]
},
"gridPos": {
"h": 10,
"w": 16,
"x": 8,
"y": 0
},
"id": 9,
"interval": "5s",
"maxDataPoints": 500,
"options": {
"legend": {
"calcs": [
"sum"
],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"hideZeros": false,
"mode": "single",
"sort": "none"
}
},
"pluginVersion": "12.3.3",
"targets": [
{
"direction": "backward",
"editorMode": "code",
"expr": "sum(count_over_time({job=\"systemd-journal\"} [$__auto])) by (detected_level)",
"legendFormat": "{{detected_level}}",
"queryType": "range",
"refId": "A"
}
],
"title": "Metric query",
"transparent": true,
"type": "timeseries"
},
{
"datasource": {
"type": "loki",
"uid": "bfesvtbn7l534f"
},
"description": "All warn/error's logs will be printed here",
"fieldConfig": {
"defaults": {},
"overrides": []
},
"gridPos": {
"h": 18,
"w": 12,
"x": 0,
"y": 10
},
"id": 8,
"maxDataPoints": "",
"options": {
"dedupStrategy": "none",
"detailsMode": "inline",
"enableInfiniteScrolling": true,
"enableLogDetails": true,
"prettifyLogMessage": false,
"showControls": false,
"showLabels": false,
"showTime": true,
"sortOrder": "Descending",
"syntaxHighlighting": true,
"timestampResolution": "ms",
"wrapLogMessage": false
},
"pluginVersion": "12.3.3",
"targets": [
{
"datasource": {
"type": "loki",
"uid": "bfesvtbn7l534f"
},
"direction": "backward",
"editorMode": "code",
"expr": "{job=\"$app\"} | logfmt | detected_level =~ `err|error|emerg|emergency|fatal|crit|critical|warn` | line_format \"Service: {{ if .logger }}{{ .logger }}{{ else }}Loki{{ end }} | Message: {{ if .msg }}{{ .msg }}{{ else }}No Message{{ end }}\"",
"hide": false,
"legendFormat": "",
"queryType": "range",
"refId": "A"
}
],
"title": "Warn/Error's logs",
"transparent": true,
"type": "logs"
},
{
"datasource": {
"type": "loki",
"uid": "bfesvtbn7l534f"
},
"description": "All infos logs will be printed here",
"fieldConfig": {
"defaults": {},
"overrides": []
},
"gridPos": {
"h": 18,
"w": 12,
"x": 12,
"y": 10
},
"id": 7,
"maxDataPoints": "",
"options": {
"dedupStrategy": "none",
"detailsMode": "inline",
"enableInfiniteScrolling": true,
"enableLogDetails": true,
"prettifyLogMessage": false,
"showControls": false,
"showLabels": false,
"showTime": true,
"sortOrder": "Descending",
"syntaxHighlighting": true,
"timestampResolution": "ms",
"wrapLogMessage": false
},
"pluginVersion": "12.3.3",
"targets": [
{
"datasource": {
"type": "loki",
"uid": "bfesvtbn7l534f"
},
"direction": "backward",
"editorMode": "code",
"expr": "{job=\"$app\"} | logfmt | detected_level =~ `info|notice|debug|trace` | line_format \"Service: {{ if .logger }}{{ .logger }}{{ else }}Loki{{ end }} | Message: {{ if .msg }}{{ .msg }}{{ else }}No Message{{ end }}\"",
"hide": false,
"legendFormat": "",
"queryType": "range",
"refId": "A"
}
],
"title": "Logs Informative",
"transparent": true,
"type": "logs"
}
],
"preload": false,
"refresh": "",
"schemaVersion": 42,
"tags": [],
"templating": {
"list": [
{
"current": {
"text": "systemd-journal",
"value": "systemd-journal"
},
"datasource": "bfesvtbn7l534f",
"definition": "label_values(job)",
"includeAll": false,
"label": "App",
"name": "app",
"options": [],
"query": "label_values(job)",
"refresh": 1,
"regex": "",
"type": "query"
},
{
"current": {
"text": "",
"value": ""
},
"label": "String Match",
"name": "search",
"options": [
{
"selected": true,
"text": "",
"value": ""
}
],
"query": "",
"type": "textbox"
}
]
},
"time": {
"from": "now-1h",
"to": "now"
},
"timepicker": {
"refresh_intervals": [
"10s",
"30s",
"1m",
"5m",
"15m",
"30m",
"1h",
"2h",
"1d"
]
},
"timezone": "",
"title": "Logs / App",
"uid": "sadlil-loki-apps-dashboard",
"version": 13
}


@ -45,6 +45,7 @@
./hosts/fix/configuration.nix ./hosts/fix/configuration.nix
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
{ {
home-manager.sharedModules = [ catppuccin.homeModules.catppuccin ];
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
home-manager.extraSpecialArgs = { home-manager.extraSpecialArgs = {
@ -53,7 +54,7 @@
nixvim = inputs.nixvim.packages."x86_64-linux".default; nixvim = inputs.nixvim.packages."x86_64-linux".default;
zen-browser = inputs.zen-browser.packages."x86_64-linux".default; zen-browser = inputs.zen-browser.packages."x86_64-linux".default;
}; };
home-manager.users.raphael = hm-config.homeConfigurations."hm-fix"; home-manager.users.raphael = import hm-config.outputs.homeModules.fix;
} }
]; ];
specialArgs = { specialArgs = {


@ -6,6 +6,12 @@
... ...
}: }:
let
mullvad-autostart = pkgs.makeAutostartItem {
name = "mullvad-vpn";
package = pkgs.mullvad-vpn;
};
in
{ {
imports = [ imports = [
../global.nix ../global.nix
@ -19,7 +25,23 @@
hostName = "nixos-fix"; hostName = "nixos-fix";
firewall.enable = false; firewall.enable = false;
networkmanager.enable = true; networkmanager.enable = true;
wireless.enable = false; };
hardware = {
graphics = {
enable = true;
enable32Bit = true;
};
nvidia = {
open = false;
modesetting.enable = true;
powerManagement = {
enable = false;
finegrained = false;
};
nvidiaSettings = true;
package = config.boot.kernelPackages.nvidiaPackages.stable;
};
}; };
games = { games = {
@ -37,27 +59,7 @@
swaylock = { }; swaylock = { };
}; };
users = { users.defaultUserShell = pkgs.zsh;
defaultUserShell = pkgs.zsh;
users = {
deb = {
isNormalUser = true;
initialPassword = "pasadmin1234";
description = "deb";
useDefaultShell = true;
extraGroups = [
"networkmanager"
"dialout"
"docker"
"video"
];
packages = with pkgs; [
gnome-session
home-manager
];
};
};
};
# Bootloader. # Bootloader.
boot.loader = { boot.loader = {
@ -66,31 +68,36 @@
}; };
programs = { programs = {
thunderbird.enable = true;
hyprland = { hyprland = {
enable = true; enable = true;
xwayland.enable = true; xwayland.enable = true;
}; };
}; };
environment.systemPackages = with pkgs; [
mullvad-autostart
pciutils
vulkan-tools
];
services = { services = {
seatd.enable = true; mullvad-vpn = {
xserver = { enable = true;
desktopManager.gnome.enable = true; package = pkgs.mullvad-vpn;
displayManager.gdm.wayland = true;
}; };
xserver.videoDrivers = [ "nvidia" ];
seatd.enable = true;
greetd = { greetd = {
enable = true; enable = true;
settings = { settings = {
default_session = { default_session = {
command = "${pkgs.greetd.tuigreet}/bin/tuigreet --remember --user-menu --remember-user-session --time"; command = "${pkgs.tuigreet}/bin/tuigreet --remember --user-menu --remember-user-session --time";
}; };
}; };
useTextGreeter = true;
}; };
dbus.enable = true; dbus.enable = true;
openssh = {
enable = true;
ports = [ 42131 ];
};
pipewire = { pipewire = {
enable = true; enable = true;
alsa.enable = true; alsa.enable = true;
@ -115,6 +122,7 @@
enable = true; enable = true;
extraPortals = [ extraPortals = [
pkgs.xdg-desktop-portal-hyprland pkgs.xdg-desktop-portal-hyprland
pkgs.xdg-desktop-portal-gtk
]; ];
config.common.default = "*"; config.common.default = "*";
}; };
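Review bot: The `openssh` block added to this workstation (`openssh = { enable = true; ports = [ 42131 ]; };`) enables sshd with module defaults plus a non-standard port, while `firewall.enable = false;` stays in force in the networking block a few hunks above, so nothing else on the host restricts who can reach the daemon. Moving the port is not an authentication control; consider `settings.PasswordAuthentication = false;` and `settings.PermitRootLogin = "no";` inside the block so only key-based logins are accepted, assuming the user's authorized keys are declared elsewhere in the host config. The server host's openssh block in this compare is shown with the same enable/ports-only shape and may warrant the same settings, though options outside its hunk are not visible here. The `services` attribute set this block sits in continues past the hunk.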


@ -1,83 +1,36 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ { config, lib, pkgs, modulesPath, ... }:
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = [ imports =
(modulesPath + "/installer/scan/not-detected.nix") [ (modulesPath + "/installer/scan/not-detected.nix")
];
# services.dbus.enable = true;
boot = {
initrd = {
availableKernelModules = [
"xhci_pci"
"ahci"
"usbhid"
"sd_mod"
];
kernelModules = [ ];
};
kernelModules = [
"kvm-intel"
]; ];
extraModulePackages = [ ];
};
fileSystems = { boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "sd_mod" ];
"/" = { boot.initrd.kernelModules = [ ];
device = "/dev/disk/by-uuid/a943d592-57d3-497e-bf43-49b50ac73f0b"; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/2eec2aaa-4576-4591-9b9e-6d36ee4b0d02";
fsType = "ext4"; fsType = "ext4";
}; };
"/boot" = {
device = "/dev/disk/by-uuid/5AAB-0026"; fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/FE5B-8026";
fsType = "vfat"; fsType = "vfat";
options = [ options = [ "fmask=0077" "dmask=0077" ];
"fmask=0077"
"dmask=0077"
];
}; };
"/mnt/data" = {
device = "/dev/disk/by-uuid/5729d30c-5806-4ccd-8a2a-080a258084dc"; fileSystems."/mnt/data" =
{ device = "/dev/disk/by-uuid/416367e1-a2dc-4724-b9f5-9c10da4d87a5";
fsType = "ext4"; fsType = "ext4";
options = [
"acl"
"exec"
];
}; };
};
swapDevices = [ ]; swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.docker0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
services.xserver.videoDrivers = [ "nvidia" ];
hardware = {
graphics.enable = true;
nvidia = {
open = false;
modesetting.enable = true;
powerManagement.enable = false;
powerManagement.finegrained = false;
nvidiaSettings = true;
package = config.boot.kernelPackages.nvidiaPackages.stable;
};
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
} }


@ -45,6 +45,7 @@
"wheel" "wheel"
"docker" "docker"
"video" "video"
"render"
]; ];
}; };
}; };
@ -75,6 +76,7 @@
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
uwsm
git git
postgresql postgresql
vim vim


@ -7,7 +7,7 @@
}: }:
let let
sshKeyMac = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbHk7YasSMK5FBCArKLeqIoaGXsN+WlgVquObyC5Zec raphael@MacBook-Pro-de-raphael.local"; sshKeyMac = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIML4yVz1fhccwaTL0iHixkNkU5zUWU1rsit9u2TIIa5r raphael@raphaels-MacBook-Pro.local";
in in
{ {
imports = [ imports = [
@ -26,7 +26,6 @@ in
hostName = "nixos-server"; hostName = "nixos-server";
firewall.enable = false; firewall.enable = false;
networkmanager.enable = true; networkmanager.enable = true;
wireless.enable = false;
interfaces.enp0s31f6.ipv4.addresses = [ interfaces.enp0s31f6.ipv4.addresses = [
{ {
address = "192.168.1.1"; address = "192.168.1.1";
@ -59,15 +58,16 @@ in
nextcloud = true; nextcloud = true;
jellyfin = true; jellyfin = true;
sso = true; sso = true;
vault = true;
}; };
forty_two.irc = true; forty_two.irc = false;
web.portefolio = true; web.portefolio = true;
server = { server = {
minecraft = false; minecraft = true;
teamspeak = true; teamspeak = true;
}; };
bot_discord = { bot_discord = {
master = true; master = false;
bde = false; bde = false;
tut = false; tut = false;
marty = false; marty = false;
@ -78,46 +78,49 @@ in
}; };
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages =
age with pkgs;
bat [
cairo age
dconf bat
fastfetch cairo
git dconf
home-manager fastfetch
lego git
libjpeg home-manager
libpng lego
libuuid libjpeg
linux-manual libpng
man libuuid
man-pages linux-manual
man-pages-posix man
networkmanager man-pages
openssl man-pages-posix
pkg-config networkmanager
postgresql openssl
protonup-ng pkg-config
python3 postgresql
python3Packages.pip protonup-ng
qFlipper python3
ripgrep python3Packages.pip
swaylock qFlipper
swaylock-fancy ripgrep
tmux swaylock
unzip swaylock-fancy
vim tmux
wget unzip
wl-clipboard vim
xclip wget
xdg-desktop-portal-hyprland wl-clipboard
xsel xclip
yarn xdg-desktop-portal-hyprland
zsh xsel
] ++ [ yarn
inputs.agenix.packages.${pkgs.system}.agenix zsh
]; ]
++ [
inputs.agenix.packages.${pkgs.system}.agenix
];
# Bootloader. # Bootloader.
boot.loader = { boot.loader = {
@ -140,7 +143,7 @@ in
openssh = { openssh = {
enable = true; enable = true;
ports = [ ports = [
42131 42131
]; ];
}; };
udev.extraRules = '' udev.extraRules = ''
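Review bot: `sshKeyMac` is replaced by a new ed25519 public key, which rotates the Mac's access wherever this binding is consumed (presumably an authorizedKeys list below the hunk), but nothing retires the old key; if the previous `AAAAC3…5Zec` key was also registered elsewhere (the Forgejo account, other hosts' authorized_keys, or the `users` recipient list in `secrets/secrets.nix`) it should be removed there too, otherwise the old private key keeps granting access. The same section flips on `vault = true;` and `minecraft = true;` on a host whose networking block keeps `firewall.enable = false;`, so each new listener is reachable exactly as the service binds it. A one-line comment on those toggles naming the intended exposure (LAN-only vs. published through nginx) would make the review of later changes easier.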


@ -1,28 +1,51 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: {
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = imports = [
[ (modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ]; boot.initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"usbhid"
"sd_mod"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems = {
{ device = "/dev/disk/by-uuid/67b9f544-f7d6-4203-a1ee-3d527f0c4ace"; "/" = {
device = "/dev/disk/by-uuid/67b9f544-f7d6-4203-a1ee-3d527f0c4ace";
fsType = "ext4"; fsType = "ext4";
}; };
"/boot" = {
fileSystems."/boot" = device = "/dev/disk/by-uuid/C2ED-90A4";
{ device = "/dev/disk/by-uuid/C2ED-90A4";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ]; options = [
"fmask=0077"
"dmask=0077"
];
}; };
"/mnt/data" = {
device = "/dev/disk/by-uuid/efa8669d-d141-4858-9e66-d3efa9a88816";
fsType = "ext4";
options = [
"acl"
"exec"
];
};
};
swapDevices = [ ]; swapDevices = [ ];


@ -5,66 +5,100 @@
age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
age.secrets."wireguard-secret" = {
file = ../../secrets/wireguard-secret.age;
owner = "root";
group = "root";
mode = "0400";
};
age.secrets."mailjet-user" = { age.secrets."mailjet-user" = {
file = ../../secrets/mailjet-user.age; file = ../../secrets/mailjet-user.age;
owner = "root"; owner = "root";
group = "root"; group = "root";
mode = "0400"; mode = "0400";
}; };
age.secrets."mailjet-pass" = { age.secrets."mailjet-pass" = {
file = ../../secrets/mailjet-pass.age; file = ../../secrets/mailjet-pass.age;
owner = "root"; owner = "root";
group = "root"; group = "root";
mode = "0400"; mode = "0400";
}; };
age.secrets."nextcloud-admin-pass" = { age.secrets."nextcloud-admin-pass" = {
file = ../../secrets/nextcloud-admin-pass.age; file = ../../secrets/nextcloud-admin-pass.age;
owner = "nextcloud"; owner = "nextcloud";
group = "nextcloud"; group = "nextcloud";
mode = "0400"; mode = "0400";
}; };
age.secrets."nextcloud-oidc-secret" = { age.secrets."nextcloud-oidc-secret" = {
file = ../../secrets/nextcloud-oidc-secret.age; file = ../../secrets/nextcloud-oidc-secret.age;
owner = "kanidm"; owner = "kanidm";
group = "kanidm"; group = "kanidm";
mode = "0400"; mode = "0400";
}; };
age.secrets."grafana-oidc-secret" = { age.secrets."grafana-oidc-secret" = {
file = ../../secrets/grafana-oidc-secret.age; file = ../../secrets/grafana-oidc-secret.age;
owner = "kanidm"; owner = "kanidm";
group = "grafana"; group = "grafana";
mode = "0440"; mode = "0440";
};
age.secrets."grafana-secret-key" = {
file = ../../secrets/grafana-secret-key.age;
owner = "grafana";
group = "grafana";
mode = "0440";
}; };
age.secrets."forgejo-oidc-secret" = { age.secrets."forgejo-oidc-secret" = {
file = ../../secrets/forgejo-oidc-secret.age; file = ../../secrets/forgejo-oidc-secret.age;
owner = "kanidm"; owner = "kanidm";
group = "forgejo"; group = "forgejo";
mode = "0440"; mode = "0440";
};
age.secrets."forgejo-runner-token" = {
file = ../../secrets/forgejo-runner-token.age;
owner = "forgejo";
group = "forgejo";
mode = "0440";
}; };
age.secrets."nextcloud-database" = { age.secrets."nextcloud-database" = {
file = ../../secrets/nextcloud-database.age; file = ../../secrets/nextcloud-database.age;
owner = "nextcloud"; owner = "nextcloud";
group = "nextcloud"; group = "nextcloud";
mode = "0400"; mode = "0400";
}; };
age.secrets."kanidm-admin" = { age.secrets."kanidm-admin" = {
file = ../../secrets/kandim-admin.age; file = ../../secrets/kandim-admin.age;
owner = "kanidm"; owner = "kanidm";
group = "kanidm"; group = "kanidm";
mode = "0400"; mode = "0400";
}; };
age.secrets."kanidm-idmAdmin" = { age.secrets."kanidm-idmAdmin" = {
file = ../../secrets/kandim-idmAdmin.age; file = ../../secrets/kandim-idmAdmin.age;
owner = "kanidm"; owner = "kanidm";
group = "kanidm"; group = "kanidm";
mode = "0400"; mode = "0400";
}; };
age.secrets."vault-oidc-secret" = {
file = ../../secrets/vault-oidc-secret.age;
owner = "kanidm";
group = "kanidm";
mode = "0400";
};
age.secrets."vault-secret-env" = {
file = ../../secrets/vault-secret-env.age;
owner = "vaultwarden";
group = "vaultwarden";
mode = "0400";
};
} }
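Review bot: `age.secrets."forgejo-runner-token"` is decrypted with `owner = "forgejo"; group = "forgejo"; mode = "0440";`, which hands the Forgejo web service read access to the runner registration token even though the consumer is the runner instance declared in `forgejo.nix`; if that unit receives the file through systemd (as I understand the NixOS `gitea-actions-runner` module does with `tokenFile` — verify), the default root ownership with `mode = "0400";` suffices and keeps the token out of the application's reach. Likewise `grafana-secret-key` is `0440` where every other single-owner secret in this file is `0400`; unless a second group member needs it, `mode = "0400";` matches the file's own convention. The `vault-secret-env` entry is owned by `vaultwarden`, which fits the `vault` option enabled in this compare, but the service user is declared outside these hunks, so confirm the account name before relying on it.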


@ -22,6 +22,7 @@ in
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
gamescope
wine-staging wine-staging
lutris lutris
dxvk dxvk

Binary file not shown.


@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 Iy+0iw a6V5MbX371JEVJM4L1AiL0f3/W4oPhc0EeydmBlCwzI
QnsMyhcDyrCGkkJaQWA04u5YdiVrlIISyp/PEnY7emE
-> ssh-ed25519 ocqiLQ 6vkETQNUq8iMWqPD3uf+UrVcY34xz8KBPLWK2WRHjgk
ttdk+iK/DFYoshfffBN+tbxXkWHgVPz5fYQ+m4684aM
--- gBW+PH1fOqhXi0ChESyPAj7fqM21Lb9UYPJ5JWVuoFk
%¢Alb3£¹Sd·æT³ü÷PææHf{&Š.5@ëîúå;V†Pkz‡×¶µ<C2B6>¶ëïü»¸½ÃlZ¦øv¾ÆV£í¦


@ -10,13 +10,18 @@ let
]; ];
in in
{ {
"wireguard-secret.age".publicKeys = users ++ systems;
"mailjet-user.age".publicKeys = users ++ systems; "mailjet-user.age".publicKeys = users ++ systems;
"mailjet-pass.age".publicKeys = users ++ systems; "mailjet-pass.age".publicKeys = users ++ systems;
"nextcloud-admin-pass.age".publicKeys = users ++ systems; "nextcloud-admin-pass.age".publicKeys = users ++ systems;
"nextcloud-database.age".publicKeys = users ++ systems; "nextcloud-database.age".publicKeys = users ++ systems;
"nextcloud-oidc-secret.age".publicKeys = users ++ systems; "nextcloud-oidc-secret.age".publicKeys = users ++ systems;
"grafana-oidc-secret.age".publicKeys = users ++ systems; "grafana-oidc-secret.age".publicKeys = users ++ systems;
"grafana-secret-key.age".publicKeys = users ++ systems;
"forgejo-oidc-secret.age".publicKeys = users ++ systems; "forgejo-oidc-secret.age".publicKeys = users ++ systems;
"forgejo-runner-token.age".publicKeys = users ++ systems;
"kandim-admin.age".publicKeys = users ++ systems; "kandim-admin.age".publicKeys = users ++ systems;
"kandim-idmAdmin.age".publicKeys = users ++ systems; "kandim-idmAdmin.age".publicKeys = users ++ systems;
"vault-secret-env.age".publicKeys = users ++ systems;
"vault-oidc-secret.age".publicKeys = users ++ systems;
} }
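Review bot: Every new entry (`wireguard-secret.age`, `grafana-secret-key.age`, `forgejo-runner-token.age`, `vault-secret-env.age`, `vault-oidc-secret.age`) is encrypted to `users ++ systems`, the same recipient set as the rest of the file, although the `age.secrets` declarations in this compare consume them only on the server host. `users` and `systems` are defined in the `let` block above the hunk, so I cannot see whether `systems` also holds the workstation's host key; if it does, that machine can decrypt server-only material such as the Vaultwarden environment and the WireGuard private key. Scoping each server-only secret to `users ++ [ SERVER_HOST_KEY ]` (placeholder for the server's entry in `systems`) keeps the blast radius of a lost laptop or desktop to what it actually needs.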

Binary file not shown.


@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 Iy+0iw rpRn2BgDtK3p1tHofUH/nCEwRh4z7rjAwLbvbhCTSkg
6ZiVqx6pNZyYmhsDhZh3YG6+LKiRsnuWMfN8KzJLyhw
-> ssh-ed25519 ocqiLQ AguX30lc6+1ckV3ENiHhboGyNyf2pN0hqIytsTAjwz4
rAGWhtuROHn8p0eAGEKS6Xp+PyYmpbw2EbdadbfJxt0
--- WA9Zus5yXPXPD+TiHyUlEIqozmvhAxWQTE6s2olZ1fs
2*8Ö<38>3˜gã ¾E(µªÛ+ÃÝ<ïµtª<74>­Öà•ÞFúÕ×#v7Cü+|
Ò£ÉýZ¥Y(â.áÛ´Dê.‡Ôr`ý`Žz‡@™³<E284A2>Ã)141}Þ@°œ_¼þ&€¨œß2£ ÀºqÒOH>Ÿ÷w[„ðŒ<Õr<C395>Æ3àÚrI¦MÎb+ôÌo90H÷*D'ªy&ç]÷h1 솥ݞšs&Œ• Ò<ƒÇ
"ÊpœéÑÃýûiQß^×p9ÕËÎâžb#æ²)ch*ç;'"¢gõCvñfø­§Øæ}®Õùv


@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 Iy+0iw 65IsIObRg7SuYCZnDp/LKpSn1tpnJTLaXFcc7/9gRkA
3L16P+XHyyfwSZLInsPv3UPMVYsPpYAV2E+/kl+oQbA
-> ssh-ed25519 ocqiLQ R3CkxF9zthAEZGE3CZypFGb/uwLazrBpwWT97N+1izA
EP6vUm4Y511GMctNJi0FO7bzUw6qHMqPRzxJiSTD23M
--- JqhMdyVwELZA++21d9WMdbGTciFtsea44hbbC+WWLHI
<>²N ±è=¬xûÓ0TEPñßßܯP<C2AF>øêmÊ=È<>aÿhª*Åp`ÉâÚ%¹Qû´…wËo+ãWJ·@åOkˆKíTRÚâÐ


@ -71,6 +71,14 @@ let
lib lib
; ;
}; };
vault = import ./self_host/vault.nix {
inherit
inputs
config
pkgs
lib
;
};
cfg = config.service.selfhost; cfg = config.service.selfhost;
in in
{ {
@ -83,6 +91,7 @@ in
nextcloud nextcloud
ollama ollama
sso sso
vault
]; ];
config = { config = {
@ -129,7 +138,12 @@ in
sso = lib.mkOption { sso = lib.mkOption {
type = lib.types.bool; type = lib.types.bool;
default = false; default = false;
description = "Enable the nextcloud"; description = "Enable the sso";
};
vault = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Enable the vault";
}; };
}; };
} }


@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
let let
gitDomain = "git.enium.eu"; gitDomain = "git.enium.eu";
@ -30,13 +35,14 @@ in
AUTH_URL = "https://git.enium.eu/ui/oauth2"; AUTH_URL = "https://git.enium.eu/ui/oauth2";
TOKEN_URL = "https://git.enium.eu/oauth2/token"; TOKEN_URL = "https://git.enium.eu/oauth2/token";
API_URL = "https://git.enium.eu/oauth2/openid/forgejo/userinfo"; API_URL = "https://git.enium.eu/oauth2/openid/forgejo/userinfo";
REDIRECT_URI = "https://git.enium.eu/user/oauth2/Enium/callback";
CODE_CHALLENGE_METHOD = "S256"; CODE_CHALLENGE_METHOD = "S256";
ENABLE_AUTO_REGISTRATION = true; ENABLE_AUTO_REGISTRATION = true;
UPDATE_AVATAR = true; UPDATE_AVATAR = true;
}; };
service = { service = {
DISABLE_REGISTRATION = true; DISABLE_REGISTRATION = false;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true; ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
SHOW_REGISTRATION_BUTTON = false; SHOW_REGISTRATION_BUTTON = false;
DISABLE_PASSWORD_SIGNIN_FORM = true; DISABLE_PASSWORD_SIGNIN_FORM = true;
@ -46,7 +52,18 @@ in
}; };
}; };
}; };
gitea-actions-runner = {
package = pkgs.forgejo-runner;
instances.default = {
enable = true;
name = "monolith";
url = "https://git.enium.eu";
tokenFile = config.age.secrets.forgejo-runner-token.path;
labels = [
"ubuntu-latest:docker://node:16-bullseye"
];
};
};
nginx.virtualHosts."${gitDomain}" = { nginx.virtualHosts."${gitDomain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
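Review bot: The runner instance hard-codes `url = "https://git.enium.eu";` while the same file already defines `gitDomain` for that host (used on the nginx line just below); `url = "https://${gitDomain}";` keeps the two from drifting apart. The only label offered, `ubuntu-latest:docker://node:16-bullseye`, maps to a Node 16 image that is no longer maintained, so every workflow picking `ubuntu-latest` runs on an unpatched base; pick a currently supported tag. Note also that this same change flips `DISABLE_REGISTRATION` to false with `ENABLE_AUTO_REGISTRATION = true`, so any identity the kanidm forgejo client admits now gets a Forgejo account that can create repositories whose workflows execute on this Docker-backed runner; it is worth confirming that the kanidm scope maps for `forgejo_users`/`forgejo_admins` (outside this hunk) are the intended gate.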


@ -1,84 +1,128 @@
{ {
config, config,
pkgs, pkgs,
lib, lib,
... ...
}: }:
let let
cfg = config.service.selfhost.jellyfin; cfg = config.service.selfhost.jellyfin;
wireguard-key = config.age.secrets."wireguard-secret".path;
in in
{ {
config = lib.mkIf cfg { config = lib.mkIf cfg {
virtualisation = {
docker.enable = true;
oci-containers = {
backend = "docker";
containers = {
gluetun = {
image = "qmcgaw/gluetun:latest";
autoStart = true;
extraOptions = [
"--cap-add=NET_ADMIN"
"--device=/dev/net/tun"
];
environment = {
VPN_SERVICE_PROVIDER = "mullvad";
VPN_TYPE = "wireguard";
WIREGUARD_PRIVATE_KEY = builtins.readFile wireguard-key;
BLOCK_MALICIOUS = "off";
BLOCK_SURVEILLANCE = "off";
BLOCK_ADS = "off";
WIREGUARD_ADDRESSES = "10.70.168.94/32";
SERVER_COUNTRIES = "Sweden";
SERVER_CITIES = "Stockholm";
SERVER_HOSTNAMES = "se-sto-wg-206";
TZ = "Europe/Paris";
};
ports = [
"8080:8080"
"7878:7878"
"8989:8989"
"9696:9696"
];
};
qbittorrent = {
image = "lscr.io/linuxserver/qbittorrent:latest";
autoStart = true;
extraOptions = [
"--network=container:gluetun"
];
environment = {
PUID = "1000";
PGID = "991";
WEBUI_PORT = "8080";
TZ = "Europe/Paris";
};
volumes = [
"/mnt/data/qbittorrent/config:/config"
"/mnt/data/downloads:/downloads"
];
};
radarr = {
image = "lscr.io/linuxserver/radarr:latest";
autoStart = true;
extraOptions = [
"--network=container:gluetun"
];
environment = {
PUID = "1000";
PGID = "991";
TZ = "Europe/Paris";
};
volumes = [
"/mnt/data/radarr/config:/config"
"/mnt/data/downloads:/downloads"
"/mnt/data:/data"
];
};
sonarr = {
image = "lscr.io/linuxserver/sonarr:latest";
autoStart = true;
extraOptions = [
"--network=container:gluetun"
];
environment = {
PUID = "1000";
PGID = "991";
TZ = "Europe/Paris";
};
volumes = [
"/mnt/data/sonarr/config:/config"
"/mnt/data/downloads:/downloads"
"/mnt/data:/data"
];
};
prowlarr = {
image = "lscr.io/linuxserver/prowlarr:latest";
autoStart = true;
extraOptions = [
"--network=container:gluetun"
];
environment = {
PUID = "1000";
PGID = "991";
TZ = "Europe/Paris";
};
volumes = [
"/mnt/data/prowlarr/config:/config"
];
};
};
};
};
users = { users = {
groups.datausers = { }; groups.datausers = { };
users = { users = {
jellyfin.extraGroups = [ "datausers" ]; jellyfin.extraGroups = [ "datausers" ];
radarr.extraGroups = [ "datausers" ];
sonarr.extraGroups = [ "datausers" ];
}; };
}; };
services = { services = {
jellyfin = { jellyfin = {
enable = true; enable = true;
dataDir = "/mnt/data/media"; dataDir = "/mnt/data/jellyfin";
openFirewall = true; openFirewall = true;
}; };
qbittorrent = {
enable = true;
openFirewall = true;
user = "qbittorrent";
group = "datausers";
webuiPort = 8137;
serverConfig = {
Preferences = {
Downloads = {
SavePath = "/mnt/data/downloads";
TempPathEnabled = false;
};
General = {
Locale = "fr_FR";
};
WebUI = {
Username = "raphael";
Password_PBKDF2 = "@ByteArray(CmH/e4LVehCMTT2BUTVo5g==:VqhgnDIsg0owhZqINmi6O0Ac3tXgz6JYAkxB7sqSH18VPQ6R6Tz9jT2a6KXtld4wG6ld41nFXSst0UqRFTUTUw==)";
};
};
};
};
flaresolverr = {
enable = true;
openFirewall = true;
port = 8191;
};
sonarr = {
enable = true;
dataDir = "/var/lib/sonarr";
user = "sonarr";
group = "datausers";
openFirewall = true;
};
radarr = {
enable = true;
dataDir = "/var/lib/radarr";
user = "radarr";
group = "datausers";
openFirewall = true;
};
prowlarr = {
enable = true;
dataDir = "/var/lib/prowlarr";
openFirewall = true;
};
bazarr.enable = true;
nginx.virtualHosts = { nginx.virtualHosts = {
"jellyfin.enium.eu" = { "jellyfin.enium.eu" = {
enableACME = true; enableACME = true;
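Review bot: `WIREGUARD_PRIVATE_KEY = builtins.readFile wireguard-key;` reads the decrypted agenix file at evaluation time, so the private key is baked into the generated container unit in the Nix store, where it is world-readable and survives in every generation; it also fails to evaluate on any machine where `/run/agenix` is not present. Keep the key out of the store by dropping that environment entry and passing the secret file at runtime instead, `environmentFiles = [ wireguard-key ];` on the gluetun container, with the agenix payload changed to the `WIREGUARD_PRIVATE_KEY=...` line the file format expects. Separately, the `ports` list publishes 8080/7878/8989/9696 on all interfaces; Docker-published ports are commonly reachable regardless of the NixOS firewall, so if only nginx should reach these, bind them locally, e.g. `"127.0.0.1:8080:8080"`, and the same for the other three.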


@ -22,7 +22,7 @@ in
shell = "/run/current-system/sw/bin/nologin"; shell = "/run/current-system/sw/bin/nologin";
}; };
users.groups = { users.groups = {
vmail = {}; vmail = { };
}; };
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d /run/dovecot 0755 dovecot dovecot - -" "d /run/dovecot 0755 dovecot dovecot - -"
@ -84,14 +84,22 @@ in
chroot = false; chroot = false;
command = "smtpd"; command = "smtpd";
args = [ args = [
"-o" "smtpd_recipient_restrictions=permit_sasl_authenticated,reject" "-o"
"-o" "smtpd_sasl_auth_enable=yes" "smtpd_recipient_restrictions=permit_sasl_authenticated,reject"
"-o" "smtpd_sasl_security_options=noanonymous" "-o"
"-o" "smtpd_sender_login_maps=hash:/var/lib/postfix/sender_login" "smtpd_sasl_auth_enable=yes"
"-o" "smtpd_sender_restrictions=reject_sender_login_mismatch" "-o"
"-o" "smtpd_tls_auth_only=yes" "smtpd_sasl_security_options=noanonymous"
"-o" "smtpd_tls_security_level=encrypt" "-o"
"-o" "syslog_name=postfix/submission" "smtpd_sender_login_maps=hash:/var/lib/postfix/sender_login"
"-o"
"smtpd_sender_restrictions=reject_sender_login_mismatch"
"-o"
"smtpd_tls_auth_only=yes"
"-o"
"smtpd_tls_security_level=encrypt"
"-o"
"syslog_name=postfix/submission"
]; ];
}; };
}; };
@ -211,16 +219,19 @@ in
raphael@enium.eu:{SHA512-CRYPT}$6$rIsn6/dLJ6MbITx5$vMo82dgkQZoV8BQIaO6Bs9J86ZjgcJ.LqMuIqnXVfuBRgZOqY/YiURBUOcS1P2wAo5h4TCFkKExfcjjX1reUU. raphael@enium.eu:{SHA512-CRYPT}$6$rIsn6/dLJ6MbITx5$vMo82dgkQZoV8BQIaO6Bs9J86ZjgcJ.LqMuIqnXVfuBRgZOqY/YiURBUOcS1P2wAo5h4TCFkKExfcjjX1reUU.
benjamin@enium.eu:{SHA512-CRYPT}$6$.34vS2JkrmGnioYo$pUF.vN5Q3njn5WRTLdMU5n7vGJdwk64bB/si0vQXFw.ioky4xlHUVocFXC8GI9wkVJNif.2kHvAYEcEtXvU2I0 benjamin@enium.eu:{SHA512-CRYPT}$6$.34vS2JkrmGnioYo$pUF.vN5Q3njn5WRTLdMU5n7vGJdwk64bB/si0vQXFw.ioky4xlHUVocFXC8GI9wkVJNif.2kHvAYEcEtXvU2I0
deborah@enium.eu:{SHA512-CRYPT}$6$IZ7Dd31uZ4VKzz04$z5IhS25Jve8KsX0GIIXB8GUiPYd3eSuxlDz9RZQHa2tE4hptgtXQVU3av42MIRpaN9GPqG9iM6jiQUwRZ9V39/ deborah@enium.eu:{SHA512-CRYPT}$6$IZ7Dd31uZ4VKzz04$z5IhS25Jve8KsX0GIIXB8GUiPYd3eSuxlDz9RZQHa2tE4hptgtXQVU3av42MIRpaN9GPqG9iM6jiQUwRZ9V39/
rchouraqui@enium.eu:{SHA512-CRYPT}$6$.YW4sF83D1EZXQW8$AZoxbni6XFGf3XuSp1sKhZ9cHjU5CcryEH8C45Fbu5s2nJHixDRnDeH6Vl5EvfQfH09wrxhDYp0Tld.TiUSpn.
''; '';
environment.etc."postfix-vmailbox".text = '' environment.etc."postfix-vmailbox".text = ''
raphael@enium.eu enium.eu/raphael/ raphael@enium.eu enium.eu/raphael/
benjamin@enium.eu enium.eu/benjamin/ benjamin@enium.eu enium.eu/benjamin/
deborah@enium.eu enium.eu/deborah/ deborah@enium.eu enium.eu/deborah/
rchouraqui@enium.eu enium.eu/rchouraqui/
''; '';
environment.etc."postfix-sender_login".text = '' environment.etc."postfix-sender_login".text = ''
raphael@enium.eu raphael@enium.eu raphael@enium.eu raphael@enium.eu
benjamin@enium.eu benjamin@enium.eu benjamin@enium.eu benjamin@enium.eu
deborah@enium.eu deborah@enium.eu deborah@enium.eu deborah@enium.eu
rchouraqui@enium.eu rchouraqui@enium.eu
no-reply@enium.eu raphael@enium.eu, benjamin@enium.eu no-reply@enium.eu raphael@enium.eu, benjamin@enium.eu
direction@enium.eu raphael@enium.eu, benjamin@enium.eu direction@enium.eu raphael@enium.eu, benjamin@enium.eu
@ -229,7 +240,7 @@ in
''; '';
environment.etc."postfix-virtual".text = '' environment.etc."postfix-virtual".text = ''
direction@enium.eu raphael@enium.eu, benjamin@enium.eu direction@enium.eu raphael@enium.eu, benjamin@enium.eu
recrutement@enium.eu raphael@enium.eu, benjamin@enium.eu recrutement@enium.eu raphael@enium.eu, benjamin@enium.eu, rchouraqui@enium.eu
contact@enium.eu raphael@enium.eu, benjamin@enium.eu contact@enium.eu raphael@enium.eu, benjamin@enium.eu
''; '';
@ -237,68 +248,68 @@ in
enable = true; enable = true;
postfix.enable = true; postfix.enable = true;
extraConfig = '' extraConfig = ''
worker "controller" { worker "controller" {
bind_socket = "127.0.0.1:11334"; bind_socket = "127.0.0.1:11334";
password = "admin"; password = "admin";
}; };
worker "normal" { worker "normal" {
bind_socket = "127.0.0.1:11333"; bind_socket = "127.0.0.1:11333";
}; };
worker "rspamd_proxy" { worker "rspamd_proxy" {
bind_socket = "127.0.0.1:11332"; bind_socket = "127.0.0.1:11332";
milter = yes; milter = yes;
timeout = 120s; timeout = 120s;
upstream "local" { upstream "local" {
self_scan = yes; self_scan = yes;
}; };
}; };
actions { actions {
reject = 12; reject = 12;
add_header = 6; add_header = 6;
greylist = 4; greylist = 4;
}; };
classifier "bayes" { classifier "bayes" {
backend = "redis"; backend = "redis";
servers = "127.0.0.1:6381"; servers = "127.0.0.1:6381";
autolearn = true; autolearn = true;
min_learns = 200; min_learns = 200;
new_schema = true; new_schema = true;
cache = true; cache = true;
statfile { statfile {
symbol = "BAYES_HAM"; symbol = "BAYES_HAM";
spam = false; spam = false;
}; };
statfile { statfile {
symbol = "BAYES_SPAM"; symbol = "BAYES_SPAM";
spam = true; spam = true;
}; };
learn_condition = <<EOD learn_condition = <<EOD
return function(task) return function(task)
return true return true
end end
EOD; EOD;
}; };
rbl { rbl {
enabled = true; enabled = true;
rbls = { rbls = {
spamhaus = { spamhaus = {
symbol = "RBL_SPAMHAUS"; symbol = "RBL_SPAMHAUS";
rbl = "zen.spamhaus.org"; rbl = "zen.spamhaus.org";
}; };
barracuda = { barracuda = {
symbol = "RBL_BARRACUDA"; symbol = "RBL_BARRACUDA";
rbl = "b.barracudacentral.org"; rbl = "b.barracudacentral.org";
}; };
}; };
}; };
''; '';
}; };
services.redis.servers.rspamd = { services.redis.servers.rspamd = {
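Review bot: The new `rchouraqui@enium.eu:{SHA512-CRYPT}...` line is appended to an `environment.etc` text block, which means the full password-hash table is written into the Nix store and is readable by every local user and service; the repository already manages secrets with agenix (`config.age.secrets.*` appears in the other files of this change), so point the entry at a secret instead, e.g. `environment.etc."<passwd-file>".source = config.age.secrets.<PLACEHOLDER>.path;` (the file name for this block starts above the hunk). While this hunk is a pure reformat, the rspamd controller it reproduces still carries `password = "admin";` on the new side; even bound to 127.0.0.1:11334 that is guessable by any local process, so derive it from a secret file as well.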


@ -8,6 +8,8 @@
let let
cfg = config.service.selfhost.monitor; cfg = config.service.selfhost.monitor;
dashboardsDir = ../../assets/grafana_dashboards; dashboardsDir = ../../assets/grafana_dashboards;
oidc-secret = config.age.secrets.grafana-oidc-secret.path;
encryption-key = config.age.secrets.grafana-secret-key.path;
monitored = [ monitored = [
"nginx" "nginx"
"grafana" "grafana"
@ -15,247 +17,332 @@ let
in in
{ {
config = lib.mkIf cfg { config = lib.mkIf cfg {
services.grafana = { services = {
enable = true; grafana = {
package = pkgs.grafana; enable = true;
dataDir = "/var/lib/grafana"; package = pkgs.grafana;
provision = { dataDir = "/var/lib/grafana";
dashboards.settings.providers = [ provision = {
{ dashboards.settings.providers = [
name = "nixos-dashboards"; {
type = "file"; name = "nixos-dashboards";
updateIntervalSeconds = 30; type = "file";
editable = false; updateIntervalSeconds = 30;
editable = false;
options = { options = {
path = "/etc/grafana/dashboards"; path = "/etc/grafana/dashboards";
foldersFromFilesStructure = false; foldersFromFilesStructure = false;
};
}
];
datasources.settings.datasources = [
{
name = "Prometheus";
type = "prometheus";
uid = "prometheus";
access = "proxy";
url = "http://127.0.0.1:9090";
isDefault = true;
editable = false;
jsonData = {
httpMethod = "POST";
timeInterval = "15s";
};
}
];
};
settings = {
server = {
root_url = "https://monitor.enium.eu";
domain = "monitor.enium.eu";
serve_from_sub_path = false;
};
"auth.generic_oauth" = {
enabled = true;
name = "Enium";
allow_sign_up = true;
client_id = "grafana";
client_secret = "$__file{${oidc-secret}}";
scopes = "openid profile email groups";
auth_url = "https://auth.enium.eu/ui/oauth2";
token_url = "https://auth.enium.eu/oauth2/token";
api_url = "https://auth.enium.eu/oauth2/openid/grafana/userinfo";
redirect_uri = "https://monitor.enium.eu/login/generic_oauth";
use_pkce = true;
use_refresh_token = true;
login_attribute_path = "preferred_username";
name_attribute_path = "name";
email_attribute_path = "email";
groups_attribute_path = "groups";
role_attribute_path = "contains(groups, 'grafana_superadmins@enium.eu') && 'GrafanaAdmin' || contains(groups, 'grafana_admins@enium.eu') && 'Admin' || contains(groups, 'grafana_editors@enium.eu') && 'Editor' || 'Viewer'";
allow_assign_grafana_admin = true;
role_attribute_strict = false;
skip_org_role_sync = false;
};
log.level = "debug";
auth = {
disable_login_form = true;
disable_signout_menu = false;
};
security = {
secret_key = "$__file{${encryption-key}}";
cookie_secure = true;
cookie_samesite = "none";
allow_embedding = true;
};
};
};
prometheus = {
enable = true;
checkConfig = false;
exporters = {
blackbox = {
enable = true;
configFile = pkgs.writeText "blackbox-exporter.yml" ''
modules:
http_2xx:
prober: http
timeout: 5s
http:
valid_http_versions: ["HTTP/1.1", "HTTP/2.0"]
valid_status_codes: []
method: GET
no_follow_redirects: false
fail_if_not_ssl: false
'';
};
node.enable = true;
systemd.enable = true;
};
scrapeConfigs = [
{
job_name = "systemd_exporter";
metrics_path = "/metrics";
static_configs = [
{
targets = [
"127.0.0.1:9558"
];
}
];
}
{
job_name = "node_exporter";
static_configs = [
{
targets = [
"127.0.0.1:9100"
];
}
];
}
{
job_name = "process_exporter";
metrics_path = "/metrics";
scheme = "http";
static_configs = [
{
targets = [
"127.0.0.1:9256"
];
}
];
}
{
job_name = "blackbox_http_probe";
metrics_path = "/probe";
params = {
module = [
"http_2xx"
];
}; };
static_configs = [
{
targets = [
"https://raphael.parodi.pro"
"https://nextcloud.enium.eu"
"https://htop.enium.eu"
"https://monitor.enium.eu"
"https://ollama.enium.eu"
"http://relance-pas-stp.me:4242"
];
}
];
relabel_configs = [
{
source_labels = [ "__address__" ];
target_label = "__param_target";
}
{
source_labels = [ "__param_target" ];
target_label = "instance";
}
{
target_label = "__address__";
replacement = "127.0.0.1:9115";
}
];
proxy_url = "http://127.0.0.1:9115";
} }
]; ];
datasources.settings.datasources = [ ruleFiles = lib.mkForce [ "/etc/prometheus/services.rules" ];
{ };
name = "Prometheus"; loki = {
type = "prometheus"; enable = true;
uid = "prometheus"; configuration = {
access = "proxy"; auth_enabled = false;
url = "http://127.0.0.1:9090"; server = {
isDefault = true; http_listen_port = 3100;
editable = false; grpc_listen_port = 9095;
jsonData = { };
httpMethod = "POST"; common = {
timeInterval = "15s"; path_prefix = "/var/lib/loki";
storage = {
filesystem = {
chunks_directory = "/var/lib/loki/chunks";
rules_directory = "/var/lib/loki/rules";
};
}; };
} replication_factor = 1;
]; ring = {
}; instance_addr = "127.0.0.1";
settings = { kvstore.store = "inmemory";
server = { };
root_url = "https://monitor.enium.eu"; };
domain = "monitor.enium.eu"; schema_config = {
serve_from_sub_path = false; configs = [
}; {
from = "2024-01-01";
"auth.generic_oauth" = { store = "tsdb";
enabled = true; object_store = "filesystem";
name = "Enium"; schema = "v13";
allow_sign_up = true; index = {
client_id = "grafana"; prefix = "index_";
client_secret = "$__file{${config.age.secrets.grafana-oidc-secret.path}}"; period = "24h";
scopes = "openid profile email groups"; };
auth_url = "https://auth.enium.eu/ui/oauth2"; }
token_url = "https://auth.enium.eu/oauth2/token";
api_url = "https://auth.enium.eu/oauth2/openid/grafana/userinfo";
redirect_uri = "https://monitor.enium.eu/login/generic_oauth";
use_pkce = true;
use_refresh_token = true;
login_attribute_path = "preferred_username";
name_attribute_path = "name";
email_attribute_path = "email";
groups_attribute_path = "groups";
role_attribute_path = "contains(groups, 'grafana_superadmins@enium.eu') && 'GrafanaAdmin' || contains(groups, 'grafana_admins@enium.eu') && 'Admin' || contains(groups, 'grafana_editors@enium.eu') && 'Editor' || 'Viewer'";
allow_assign_grafana_admin = true;
role_attribute_strict = false;
skip_org_role_sync = false;
};
log.level = "debug";
auth = {
disable_login_form = true;
disable_signout_menu = false;
};
security = {
cookie_secure = true;
cookie_samesite = "none";
allow_embedding = true;
};
};
};
environment.etc."process-exporter.json".text = builtins.toJSON {
procMatchers = lib.map (svc: {
name = svc;
cmdline = [
"${svc}:"
];
}) monitored;
};
systemd.services.process_exporter = {
description = "Prometheus Process Exporter";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.prometheus-process-exporter}/bin/process-exporter --config.path /etc/process-exporter.json";
Restart = "always";
};
};
services.prometheus = {
enable = true;
checkConfig = false;
exporters = {
blackbox = {
enable = true;
configFile = pkgs.writeText "blackbox-exporter.yml" ''
modules:
http_2xx:
prober: http
timeout: 5s
http:
valid_http_versions: ["HTTP/1.1", "HTTP/2.0"]
valid_status_codes: []
method: GET
no_follow_redirects: false
fail_if_not_ssl: false
'';
};
node.enable = true;
systemd.enable = true;
};
scrapeConfigs = [
{
job_name = "systemd_exporter";
metrics_path = "/metrics";
static_configs = [
{
targets = [
"127.0.0.1:9558"
];
}
];
}
{
job_name = "node_exporter";
static_configs = [
{
targets = [
"127.0.0.1:9100"
];
}
];
}
{
job_name = "process_exporter";
metrics_path = "/metrics";
scheme = "http";
static_configs = [
{
targets = [
"127.0.0.1:9256"
];
}
];
}
{
job_name = "blackbox_http_probe";
metrics_path = "/probe";
params = {
module = [
"http_2xx"
]; ];
}; };
static_configs = [ };
{ };
targets = [ alloy = {
"https://raphael.parodi.pro" enable = true;
"https://nextcloud.enium.eu" configPath = pkgs.writeText "config.alloy" ''
"https://htop.enium.eu" loki.source.journal "systemd" {
"https://monitor.enium.eu" forward_to = [loki.relabel.journal.receiver]
"https://ollama.enium.eu" relabel_rules = loki.relabel.journal.rules
"http://relance-pas-stp.me:4242" labels = {
]; job = "systemd-journal",
} }
]; }
relabel_configs = [
{ loki.relabel "journal" {
source_labels = [ "__address__" ]; forward_to = [loki.write.local.receiver]
target_label = "__param_target";
rule {
source_labels = ["__journal__systemd_unit"]
target_label = "unit"
} }
{
source_labels = [ "__param_target" ]; rule {
target_label = "instance"; source_labels = ["__journal_priority_keyword"]
target_label = "level"
} }
{
target_label = "__address__"; rule {
replacement = "127.0.0.1:9115"; source_labels = ["__journal__hostname"]
target_label = "hostname"
} }
];
proxy_url = "http://127.0.0.1:9115";
}
];
ruleFiles = lib.mkForce [ "/etc/prometheus/services.rules" ];
};
environment.etc."grafana/dashboards".source = dashboardsDir; rule {
source_labels = ["__journal_syslog_identifier"]
target_label = "syslog_identifier"
}
}
environment.etc."prometheus/services.rules".text = '' loki.write "local" {
groups: endpoint {
- name: services url = "http://localhost:3100/loki/api/v1/push"
rules: }
- alert: nginxServiceDown }
expr: process_up{job="process_exporter",name="nginx"} == 0 '';
for: 1m };
labels: nginx.virtualHosts."monitor.enium.eu" = {
severity: critical enableACME = true;
annotations: forceSSL = true;
summary: "Processus nginx arrêté" locations."/" = {
description: "Le processus nginx ne tourne plus depuis >1m." proxyPass = "http://127.0.0.1:3000";
proxyWebsockets = true;
- alert: nginxServiceUp };
expr: process_up{job="process_exporter",name="nginx"} == 1
for: 1m
labels:
severity: info
annotations:
summary: "Processus nginx rétabli"
description: "Le processus nginx tourne de nouveau."
- alert: grafanaServiceDown
expr: process_up{job="process_exporter",name="grafana"} == 0
for: 1m
labels:
severity: critical
annotations:
summary: "Processus grafana arrêté"
description: "Le processus grafana ne tourne plus depuis >1m."
- alert: grafanaServiceUp
expr: process_up{job="process_exporter",name="grafana"} == 1
for: 1m
labels:
severity: info
annotations:
summary: "Processus grafana rétabli"
description: "Le processus grafana tourne de nouveau."
'';
services.nginx.virtualHosts."monitor.enium.eu" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3000";
proxyWebsockets = true;
}; };
}; };
systemd.services = {
alloy.serviceConfig.SupplementaryGroups = [ "systemd-journal" ];
process_exporter = {
description = "Prometheus Process Exporter";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.prometheus-process-exporter}/bin/process-exporter --config.path /etc/process-exporter.json";
Restart = "always";
};
};
};
environment.etc = {
"process-exporter.json".text = builtins.toJSON {
procMatchers = lib.map (svc: {
name = svc;
cmdline = [
"${svc}:"
];
}) monitored;
};
"grafana/dashboards".source = dashboardsDir;
"prometheus/services.rules".text = ''
groups:
- name: services
rules:
- alert: nginxServiceDown
expr: process_up{job="process_exporter",name="nginx"} == 0
for: 1m
labels:
severity: critical
annotations:
summary: "Processus nginx arrêté"
description: "Le processus nginx ne tourne plus depuis >1m."
- alert: nginxServiceUp
expr: process_up{job="process_exporter",name="nginx"} == 1
for: 1m
labels:
severity: info
annotations:
summary: "Processus nginx rétabli"
description: "Le processus nginx tourne de nouveau."
- alert: grafanaServiceDown
expr: process_up{job="process_exporter",name="grafana"} == 0
for: 1m
labels:
severity: critical
annotations:
summary: "Processus grafana arrêté"
description: "Le processus grafana ne tourne plus depuis >1m."
- alert: grafanaServiceUp
expr: process_up{job="process_exporter",name="grafana"} == 1
for: 1m
labels:
severity: info
annotations:
summary: "Processus grafana rétabli"
description: "Le processus grafana tourne de nouveau."
'';
};
}; };
} }
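Review bot: The new Loki block sets `auth_enabled = false;` together with `http_listen_port = 3100;` and `grpc_listen_port = 9095;` but no listen address, and Loki listens on all interfaces unless told otherwise, so anyone who can reach those ports can push or query every journal line Alloy ships; since the only client is the local Alloy writer (`url = "http://localhost:3100/..."`), pin both to loopback with `http_listen_address = "127.0.0.1";` and `grpc_listen_address = "127.0.0.1";` inside `server`. Whether the NixOS firewall currently blocks these ports is not visible in this hunk, so the bind is the safer fix either way. The move of `secret_key` to `$__file{${encryption-key}}` is the right direction; `log.level = "debug"` is carried over unchanged and will log OAuth round-trips verbosely, so consider lowering it once the SSO setup is stable.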


@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
let let
cfg = config.service.selfhost.nextcloud; cfg = config.service.selfhost.nextcloud;
@ -6,7 +11,7 @@ let
nextcloud-database = config.age.secrets."nextcloud-database".path; nextcloud-database = config.age.secrets."nextcloud-database".path;
dataDir = "/mnt/data/nextcloud"; dataDir = "/mnt/data/nextcloud";
in in
{ {
config = lib.mkIf cfg { config = lib.mkIf cfg {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
php php
@ -66,7 +71,7 @@ in
nextcloud = { nextcloud = {
enable = true; enable = true;
https = true; https = true;
package = pkgs.nextcloud32; package = pkgs.nextcloud33;
hostName = "nextcloud.enium.eu"; hostName = "nextcloud.enium.eu";
datadir = dataDir; datadir = dataDir;
config = { config = {


@ -9,8 +9,7 @@ let
cfg = config.service.selfhost.sso; cfg = config.service.selfhost.sso;
kanidm-admin = config.age.secrets."kanidm-admin".path; kanidm-admin = config.age.secrets."kanidm-admin".path;
kanidm-idmAdmin = config.age.secrets."kanidm-idmAdmin".path; kanidm-idmAdmin = config.age.secrets."kanidm-idmAdmin".path;
imagesDir = "/user/share/kanidm/assets"; forgejoLogo = pkgs.fetchurl {
kanidmLogo = pkgs.fetchurl {
url = "https://raw.githubusercontent.com/doc-sheet/forgejo/refs/heads/forgejo/assets/logo.svg"; url = "https://raw.githubusercontent.com/doc-sheet/forgejo/refs/heads/forgejo/assets/logo.svg";
name = "kanidm.svg"; name = "kanidm.svg";
sha256 = "sha256-rP7aZURtHBfF2OYuGLcKZhbvIN+B596T/3kaOxHUvig="; sha256 = "sha256-rP7aZURtHBfF2OYuGLcKZhbvIN+B596T/3kaOxHUvig=";
@ -25,11 +24,16 @@ let
name = "nextcloud.svg"; name = "nextcloud.svg";
sha256 = "sha256-hL51zJkFxUys1CoM8yUxiH8BDw111wh3Qv7eTLm+XYo="; sha256 = "sha256-hL51zJkFxUys1CoM8yUxiH8BDw111wh3Qv7eTLm+XYo=";
}; };
vaultLogo = pkgs.fetchurl {
url = "https://raw.githubusercontent.com/dani-garcia/vaultwarden/ba5519167634ebe1e1f0fc10d610d10d1f405101/resources/vaultwarden-icon.svg";
name = "vault.svg";
sha256 = "sha256-xY/pFVS9puG+Ub0M9WrISrY/eY1Rc+QeceGqHeUVx+8=";
};
in in
{ {
config = lib.mkIf cfg { config = lib.mkIf cfg {
users = { users = {
groups.kanidm = {}; groups.kanidm = { };
users.kanidm = { users.kanidm = {
isSystemUser = true; isSystemUser = true;
group = "kanidm"; group = "kanidm";
@ -39,17 +43,21 @@ in
security.acme.certs."auth.enium.eu".group = "nginx"; security.acme.certs."auth.enium.eu".group = "nginx";
services = { services = {
kanidm = { kanidm = {
package = pkgs.kanidmWithSecretProvisioning_1_8; package = pkgs.kanidmWithSecretProvisioning_1_9;
enableServer = true; server = {
serverSettings = { enable = true;
domain = "enium.eu"; settings = {
origin = "https://auth.enium.eu"; domain = "enium.eu";
bindaddress = "127.0.0.1:9000"; origin = "https://auth.enium.eu";
tls_chain = "/var/lib/acme/auth.enium.eu/fullchain.pem"; bindaddress = "127.0.0.1:9000";
tls_key = "/var/lib/acme/auth.enium.eu/key.pem"; tls_chain = "/var/lib/acme/auth.enium.eu/fullchain.pem";
tls_key = "/var/lib/acme/auth.enium.eu/key.pem";
};
};
client = {
enable = true;
settings.uri = config.services.kanidm.server.settings.origin;
}; };
enableClient = true;
clientSettings.uri = config.services.kanidm.serverSettings.origin;
provision = { provision = {
enable = true; enable = true;
autoRemove = false; autoRemove = false;
@ -66,6 +74,19 @@ in
"grafana_superadmins" "grafana_superadmins"
"forgejo_admins" "forgejo_admins"
"nextcloud_user" "nextcloud_user"
"vault_admins"
];
};
deborah = {
displayName = "Deborah";
legalName = "Deborah Parodi";
mailAddresses = [
"deborah@enium.eu"
];
groups = [
"grafana_superadmins"
"forgejo_users"
"vault_users"
]; ];
}; };
}; };
@ -88,6 +109,12 @@ in
forgejo_users = { forgejo_users = {
present = true; present = true;
}; };
vault_admins = {
present = true;
};
vault_users = {
present = true;
};
nextcloud_user = { nextcloud_user = {
present = true; present = true;
}; };
@ -96,8 +123,8 @@ in
forgejo = { forgejo = {
present = true; present = true;
displayName = "Forjego"; displayName = "Forjego";
imageFile = forgejoLogo;
originUrl = "https://git.enium.eu"; originUrl = "https://git.enium.eu";
imageFile = kanidmLogo;
originLanding = "https://git.enium.eu/user/oauth2/Enium/callback"; originLanding = "https://git.enium.eu/user/oauth2/Enium/callback";
basicSecretFile = config.age.secrets.forgejo-oidc-secret.path; basicSecretFile = config.age.secrets.forgejo-oidc-secret.path;
public = false; public = false;
@ -211,23 +238,47 @@ in
email = { email = {
joinType = "array"; joinType = "array";
valuesByGroup = { valuesByGroup = {
nextcloud_user = ["mail"]; nextcloud_user = [ "mail" ];
}; };
}; };
preferred_username = { preferred_username = {
joinType = "array"; joinType = "array";
valuesByGroup = { valuesByGroup = {
nextcloud_user = ["name"]; nextcloud_user = [ "name" ];
}; };
}; };
name = { name = {
joinType = "array"; joinType = "array";
valuesByGroup = { valuesByGroup = {
nextcloud_user = ["displayname"]; nextcloud_user = [ "displayname" ];
}; };
}; };
}; };
}; };
vault = {
present = true;
displayName = "Vault";
imageFile = vaultLogo;
originUrl = "https://vault.enium.eu";
originLanding = "https://vault.enium.eu/identity/connect/oidc-signin";
basicSecretFile = config.age.secrets.vault-oidc-secret.path;
public = false;
enableLocalhostRedirects = false;
allowInsecureClientDisablePkce = false;
preferShortUsername = true;
scopeMaps = {
vault_admins = [
"openid"
"profile"
"email"
];
vault_users = [
"openid"
"profile"
"email"
];
};
};
}; };
}; };
}; };
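Review bot: The new `deborah` account is placed in `grafana_superadmins`, which the Grafana `role_attribute_path` elsewhere in this change maps straight to `GrafanaAdmin` (server-wide admin, with `allow_assign_grafana_admin = true`); if the intent is dashboard access, a group mapped to Editor or Viewer would be the least-privilege choice, so please confirm this is deliberate. `vault_admins` and `vault_users` receive byte-identical scope maps (`openid profile email`), so the split currently has no effect on the vault client; either drop one group or add a comment saying the distinction is reserved for future use. Minor: `forgejoLogo` still fetches with `name = "kanidm.svg";`, a leftover from the rename — `name = "forgejo.svg";` avoids confusion when the file shows up in the store.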


@ -0,0 +1,35 @@
{ config, ... }:
let
vaultEnv = config.age.secrets.vault-secret-env.path;
in
{
services.vaultwarden = {
enable = true;
environmentFile = vaultEnv;
config = {
DOMAIN = "https://vault.enium.eu";
ROCKET_PORT = 8222;
SIGNUPS_ALLOWED = false;
SSO_ENABLED = true;
SSO_CLIENT_ID = "vault";
SSO_CLIENT_SECRET = "cat ${config.age.secrets.vault-oidc-secret.path}";
SSO_AUTHORITY = "https://auth.enium.eu/oauth2/openid/vault";
SSO_SIGNUPS_MATCH_EMAIL = true;
SSO_PKCE = true;
SSO_SCOPES = "openid profile email";
SSO_ONLY = true;
};
};
services.nginx.virtualHosts."vault.enium.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8222";
proxyWebsockets = true;
};
};
}
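Review bot: `SSO_CLIENT_SECRET = "cat ${config.age.secrets.vault-oidc-secret.path}";` sets the OIDC client secret to the literal string `cat /run/agenix/...` — `services.vaultwarden.config` values become environment variables and are not shell-expanded, so unless vaultwarden itself evaluates command strings (I do not believe it does) the token exchange with kanidm will fail. The file already wires `environmentFile = vaultEnv;`, so put `SSO_CLIENT_SECRET=<value>` into that agenix-managed env file and delete the `config` line, which also keeps the secret out of the systemd unit. Also, every other self_host module in this change wraps its body in `config = lib.mkIf cfg { ... };`, but this file enables vaultwarden unconditionally, so the new `vault` option declared in `self_host/default.nix` (default `false`) has no effect; add `cfg = config.service.selfhost.vault;` to the `let` and the same `lib.mkIf cfg` guard.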


@ -24,18 +24,67 @@ in
servers.enium-pv = { servers.enium-pv = {
enable = true; enable = true;
package = pkgs.fabricServers.fabric-1_20_1; autoStart = true;
jvmOpts = "-Xms4092M -Xmx4092M"; package = pkgs.fabricServers.fabric-1_21_11;
restart = "always";
jvmOpts = "-Xms2048M -Xmx8192M";
serverProperties = { serverProperties = {
difficulty = 3; difficulty = 2;
gamemode = 0; gamemode = 0;
max-players = 42; max-players = 42;
motd = "§l §3 Enium Survival§r\n§l §b Whitelisted Server"; motd = "§l §3 Enium Survival§r\n§l §b Whitelisted Server";
server-port = 64421; server-port = 25565;
spawn-protection = 16; spawn-protection = 0;
white-list = true; white-list = true;
}; };
restart = "no"; symlinks = {
mods = pkgs.linkFarmFromDrvs "mods" (
builtins.attrValues {
graves = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/kieAM9Us/versions/YiPkk2xn/ly-graves-v3.0.1.jar";
sha512 = "sha512-Wo+Sw6nVyqcaS7PWr+p3/+AkTYGAcuqk7heyBos/0jQYkCS/Z9q4Or6DInECkv8Cg4ZctmzrLOt6S8nr/sQYHw==";
};
lithium = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/gvQqBUqZ/versions/gl30uZvp/lithium-fabric-0.21.2%2Bmc1.21.11.jar";
sha512 = "sha512-lGJVEAE+DarxwuK22KRjyTL/YiD5G6WwzV+GhlghXwRtlNB7NGVmD1dsTcJ6WqGD373ByTA/EYlLWyWh3Gw7tg==";
};
jei = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/u6dRKJwZ/versions/9i2DXscL/jei-1.21.11-fabric-27.3.0.14.jar";
sha512 = "sha512-ua8at0LkNpFFIleVM6D6GQthBZvuIh7rt8GSuY0mKjMIJ+dJr5G0wIKqcnsT8oBwkQvlWuitfWAz/cnM1maM9A==";
};
jade = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/nvQzSEkH/versions/7cBo3s22/Jade-1.21.11-Fabric-21.0.1.jar";
sha512 = "sha512-aj1lnOyaPiH+AG6HYN6mNQtkqm1xGA+PCHouKn2U3t2mpfJ+r7+T3nCtxgbHXAe9/NncJb46Ds9ZTgIt7odRGw==";
};
chuncky = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/fALzjamp/versions/1CpEkmcD/Chunky-Fabric-1.4.55.jar";
sha512 = "sha512-O+DgSePepiVrOVzLH33MycayPLex9qcXp80cpV+dvaSJZ53zKGjHJmTrsoygXyw2ZZDR4aEfDcX2n5R5A7rYMw==";
};
fabric_api = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/gB6TkYEJ/fabric-api-0.140.2%2B1.21.11.jar";
sha512 = "sha512-r0RleX2AQBAhpq78jFRyAOfA+MrhNCmb8/r7wxD6gfBVJGsGFPwOA3U49KhE5VqtMKv6PGdGBCKFPfxCbwhtAA==";
};
create_fly = pkgs.fetchurl {
url = "https://cdn.modrinth.com/data/dKvj0eNn/versions/be2IkC5H/create-fly-1.21.11-6.0.8-4.jar";
sha512 = "1r9qx8q5s49xlycs9k02ylb0cgn5x0d3s0crl0942kwf2r6vvnk8pv46bxj6p4jnqg4r5c6b4526zjxwdjc1d5fg7613sgv6f71817x";
};
}
);
};
whitelist = {
EniumRaphael = "3134072d-eb2f-49d5-afb4-2a3cc4375100";
EniumBenjamin = "63e7d8d3-5090-4323-a7e6-c89707747b4b";
EniumTeam = "d4706408-ccfc-4a3d-b128-07db95b34843";
Zeldraft = "01cf2ab1-68a5-48c1-a948-76cda9574ae5";
dprive05 = "0ad8a45a-417a-40d3-aa10-b67765792c42";
};
operators = {
Zeldraft = {
uuid = "01cf2ab1-68a5-48c1-a948-76cda9574ae5";
level = 4;
bypassesPlayerLimit = true;
};
};
}; };
}; };
}; };
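Review bot: The new `operators` entry gives `Zeldraft` `level = 4;` with `bypassesPlayerLimit = true;`, i.e. full server control (including stopping the server and changing its state), which is more than is needed for in-game moderation; if that account is not an owner, `level = 3;` or lower keeps the blast radius of a compromised Mojang account smaller, and a one-line comment stating why level 4 is required would help the next reader. Moving `server-port` to the default 25565 and `spawn-protection` to 0 are functional choices, but they are not explained; a short comment on the port line would save a future "why did this change" search. The pinned `sha512` hashes on the mod downloads are good practice and should be kept.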


@ -21,6 +21,13 @@ in
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:9987"; proxyPass = "http://127.0.0.1:9987";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = ''
proxy_ssl_verify off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
'';
}; };
}; };
}; };
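Review bot: `proxy_ssl_verify off;` has no effect here because the upstream on the line above is `http://127.0.0.1:9987`, not https; leaving it in means a later switch to an https upstream silently inherits disabled certificate verification, so drop the line and re-add it only as a conscious decision if the backend ever moves to TLS. `proxy_set_header X-Forwarded-Proto https;` hard-codes the scheme; `$scheme` is the conventional value and stays correct if this vhost is ever served on plain http. If `services.nginx.recommendedProxySettings` is enabled elsewhere in the repository (not visible here), the Host/X-Real-IP/X-Forwarded-For lines duplicate what it already sets.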


@ -36,8 +36,8 @@ in
}; };
security.acme = { security.acme = {
certs = { certs = {
"parodi.pro" = {}; "parodi.pro" = { };
"raphael.parodi.pro" = {}; "raphael.parodi.pro" = { };
}; };
}; };
}; };