kb01/aux-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Removed Old Hosts
Some checks failed
/ Check Nix Flake (push) Failing after 1m2s
Details

Browse source
This commit is contained in:
Kaybee 2025-05-13 00:36:49 +02:00
parent 652ff9e6fb
commit 6d2441aefd
Signed by: kb01
SSH key fingerprint: SHA256:kv2GYUy1MZEqusYnS+Y9nMgrpv77jhm+3kknl3UGV1k
31 changed files with 0 additions and 1438 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
README.md
View file

@ -54,10 +54,6 @@ sudo nixos-rebuild switch --flake .
4. Commit your Changes if satisfied `git commit -m "Added Software hello-world"`
5. Then Push your Changes to the Remote, so that other systems can update `git push`
## Used Work
[Server Icon](./assets/server-solid.svg) © [FontAwesome](https://fontawesome.com) under the [CC BY 4.0 License](https://creativecommons.org/licenses/by/4.0/)
## License
[MIT © kB01](./LICENSE)

BIN
assets/LANA9Z.jpeg
View file

Binary file not shown.
Side by side

Before

Width:  |  Height:  |  Size: 53 KiB

1
assets/server-solid.svg
View file

@ -1 +0,0 @@
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><!--!Font Awesome Free 6.7.2 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free Copyright 2025 Fonticons, Inc.--><path d="M64 32C28.7 32 0 60.7 0 96l0 64c0 35.3 28.7 64 64 64l384 0c35.3 0 64-28.7 64-64l0-64c0-35.3-28.7-64-64-64L64 32zm280 72a24 24 0 1 1 0 48 24 24 0 1 1 0-48zm48 24a24 24 0 1 1 48 0 24 24 0 1 1 -48 0zM64 288c-35.3 0-64 28.7-64 64l0 64c0 35.3 28.7 64 64 64l384 0c35.3 0 64-28.7 64-64l0-64c0-35.3-28.7-64-64-64L64 288zm280 72a24 24 0 1 1 0 48 24 24 0 1 1 0-48zm56 24a24 24 0 1 1 48 0 24 24 0 1 1 -48 0z"/></svg>
Side by side

Before

Width:  |  Height:  |  Size: 627 B

22
homes/aarch64-linux/master@kb-senfnvp/default.nix
View file

@ -1,22 +0,0 @@
{ config, pkgs, lib, inputs, ... }:
{
home.username = "master";
home.homeDirectory = "/home/master";
home.packages = with pkgs; [
fastfetch
btop
sops
];
# SSH Configuration
programs.ssh.enable = true;
programs.ssh.matchBlocks."kb01@kb-one-git" = {
host = "git.kb-one.de";
user = "git";
identityFile = "/home/master/.ssh/kb01@kb-one-git";
port = 9522;
};
home.stateVersion = "24.05"; # NEVER CHANGE!!!
}

35
modules/nixos/services/binary-cache/default.nix
View file

@ -1,35 +0,0 @@
{ inputs, config, lib, pkgs, ... }:
let
cfg = config.services.binary-cache;
in
{
imports = [
];
options.services.binary-cache = {
enable = lib.mkOption {
type = with lib.types; uniq bool;
default = false;
description = "Enable Preconfigured Binary-Cache";
};
};
config = lib.mkIf cfg.enable {
services.nix-serve = {
enable = true;
secretKeyFile = "/var/secrets/cache-game01-private-key.pem";
};
# Configure Reverse-Proxy
services.traefik.dynamicConfigOptions = {
http.services.nix-cache.loadBalancer.servers = [ { url = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}/"; } ];
http.routers.nix-cache.entrypoints = "websecure";
# http.routers.nix-cache.tls = true;
http.routers.nix-cache.tls.certresolver = "letsencrypt";
http.routers.nix-cache.rule = "Host(`cache.game01.kb-one.de`)";
http.routers.nix-cache.service = "nix-cache";
};
};
}

87
modules/nixos/services/forgejo-runner/default.nix
View file

@ -1,87 +0,0 @@
{ inputs, config, lib, pkgs, ... }:
let
cfg = config.services.forgejo-runner;
in
{
options.services.forgejo-runner = {
enable = lib.mkOption {
type = with lib.types; uniq bool;
default = false;
description = "Enable Forgejo Runners";
};
};
config = lib.mkIf (cfg.enable) {
# services.gitea-actions-runner.package = pkgs.forgejo-runner;
# services.gitea-actions-runner.instances."kb-one-runner@games-01" = {
# enable = true;
# name = "kb-one-runner@games-01";
# url = "https://git.kb-one.de/";
# tokenFile = "/opt/secrets/kb-one-runner@games-01_token";
# labels = [
# # provide a debian base with nodejs for actions
# "debian-latest:docker://node:18-bullseye"
# # fake the ubuntu name, because node provides no ubuntu builds
# "ubuntu-latest:docker://node:18-bullseye"
# # provide native execution on the host
# "native:host"
# ];
# hostPackages = with pkgs; [
# bash
# coreutils
# curl
# gawk
# gitMinimal
# gnused
# nodejs
# wget
# nix
# ];
# };
# systemd.services.forgejo-runner = {
# wantedBy = [ "multi-user.target" ];
# after = [ "docker.service" ];
# description = "";
# serviceConfig = {
# Type = "notify";
# User = "runner";
# WorkingDirectory = "/home/runner";
# ExecStart = ''${pkgs.forgejo-runner}/bin/forgejo-runner deamon'';
# ExecStop = ''/bin/kill -s HUP $MAINPID'';
# Restart = "on-failure";
# TimeoutSec = 0;
# RestartSec = 10;
# };
# };
# users.users.runner = {
# isNormalUser = true;
# };
# environment.systemPackages = [ pkgs.forgejo-runner ];
# virtualisation.podman.enable = true;
# virtualisation.podman.defaultNetwork.settings.dns_enabled = true;
# virtualisation.podman.dockerCompat = true;
virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker";
virtualisation.oci-containers.containers."docker-in-docker" = {
image = "docker:dind";
hostname = "docker";
extraOptions = [ "--privileged" "--network=kb-forgejo-runner" ];
cmd = [ "dockerd" "-H" "tcp://docker:42349" "--tls=false" ];
};
virtualisation.oci-containers.containers."forgejo-runner" = {
image = "code.forgejo.org/forgejo/runner:4.0.0";
hostname = "forgejo-runner";
extraOptions = [ "--network=kb-forgejo-runner" ];
environment.DOCKER_HOST = "tcp://docker:42349";
user = "1001:1001";
volumes = [ "forgejo-runner-data:/data" ];
cmd = [ "/bin/sh" "-c" "sleep 5; forgejo-runner daemon" ];
};
};
}

10
modules/nixos/services/minecraft/README.md
View file

@ -1,10 +0,0 @@
# Minecraft Server Configuration
Details about the Minecraft Module.
## Installation
1. Rebuild switch configuration
2. Create Database Structure
1. New Database `sudo mysql -u root < /run/secrets/rendered/minecraft/database/database-init.sql`
2. Restore Backup `sudo mysql -u root < path/to/backup.sql`

27
modules/nixos/services/minecraft/database.nix
View file

@ -1,27 +0,0 @@
{
inputs,
config,
lib,
pkgs,
system,
...
}:
let
cfg = config.services.minecraft;
in
{
config = lib.mkIf (cfg.enable && (cfg.servers.velocity.enable || cfg.servers.survival.enable)) {
services.mysql = {
package = pkgs.mariadb;
enable = true;
settings.mysqld.port = 3459;
};
sops.secrets."minecraft/database/luckperms_password" = { sopsFile = ./secrets.yaml; };
sops.templates."minecraft/database/database-init.sql".content = ''
CREATE DATABASE 'luckperms';
CREATE USER 'luckperms'@'localhost';
GRANT ALL PRIVILEGES ON luckperms.* TO 'luckperms'@'localhost' IDENTIFIED BY '${config.sops.placeholder."minecraft/database/luckperms_password"}';
'';
# services.mysqlBackup.databases = [ "luckperms" ]; # Add Luckperms Database to Backups
};
}

49
modules/nixos/services/minecraft/default.nix
View file

@ -1,49 +0,0 @@
{ inputs, config, lib, pkgs, ... }:
let
cfg = config.services.minecraft;
in
{
imports = [
inputs.nix-minecraft.nixosModules.minecraft-servers
./vanilla-test.nix
./survival.nix
./velocity.nix
./database.nix
];
options.services.minecraft = {
enable = lib.mkOption {
type = with lib.types; uniq bool;
default = false;
description = "Enable kBs Minecraft Servers";
};
servers.vanilla.enable = lib.mkOption {
type = with lib.types; uniq bool;
default = false;
description = "test server";
};
servers.survival.enable = lib.mkOption {
type = with lib.types; uniq bool;
default = false;
description = "Survival Server";
};
servers.velocity.enable = lib.mkOption {
type = with lib.types; uniq bool;
default = false;
description = "Velocity Proxy Server";
};
};
config = lib.mkIf cfg.enable {
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"minecraft-server"
];
services.minecraft-servers = {
enable = true;
eula = true;
};
};
}

23
modules/nixos/services/minecraft/secrets.yaml
View file

@ -1,23 +0,0 @@
minecraft:
database:
luckperms_password: ENC[AES256_GCM,data:Gnt/SilH7q4t1NzCeaqCc6nxso9cWt7b/KXCxzrDdR1LAnmex3QL5Q==,iv:PrTkXcMPPyfJkAKxSKUkaPbYcH+9n6W7MPcTR5e4L8g=,tag:sxDdUHyN+fCIi4g0K+oQIw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age165jt2q3uxp79k4jfsegnq7ul9j54l2rqsn87rq0qjkcv3y5krcmqsznyw7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBScTUyNFBNdHFwd1pudWNK
Y2F2aXFLYmh4RURJLy9mMisxMU96VGRiU2hjCjdSZmxLRFF6OVpFNy9iQ0NLdytl
UHdSaUVtMnlWQ3d1ZnluNXVHOWdoalkKLS0tIDBxVGdaZWhTclJWZ3FwZHRHSTN1
RDhlN1JjWW1XZERLWExRSTlDN3ZjZkEKMiQaUezdBcWOH82Sk451PdB54SzYwcXY
YkjGp+bB7rIz07no68Xl4qmO+/iHKSFlPvG4jR/j4ZaNYiU9aeldLA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-01-17T14:22:01Z"
mac: ENC[AES256_GCM,data:BlLD3wEezCCA9t1X4xmy9lfT3ztsR3dknio78Si9v3UJmpJSOpwJ/VhU5RRbMzL1EyOrU1abEr6em83s6LRq87fwso1j6asOavELT5WOfl6f5CU2iK8nQGWZCFeR+09d9hVI+AAH9farpgTDd5sHfUFPCKEaGwuTenpeF4Tonak=,iv:JYoHMIPkT+Dv3GZlp1wt7wlU7IYL6erd/u0cuclB0Ow=,tag:XD8pd/GCrdLRvdEFBgowJA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.2

49
modules/nixos/services/minecraft/survival.nix
View file

@ -1,49 +0,0 @@
{
inputs,
config,
lib,
pkgs,
system,
...
}:
let
cfg = config.services.minecraft;
in
{
config = lib.mkIf (cfg.enable && cfg.servers.survival.enable) {
services.minecraft-servers.servers."survival" = {
enable = true;
autoStart = true;
enableReload = true;
package = pkgs.paperServers.paper-1_21_4;
serverProperties = {
online-mode = false;
server-ip = "127.0.0.1";
server-port = 49333;
difficulty = 3;
gamemode = 1;
max-players = 5;
};
openFirewall = false; # Should use Velocity Player Proxy
# Add Plugins
symlinks = {
"plugins/LuckPerms.jar" = pkgs.fetchurl {
url = "https://download.luckperms.net/1567/bukkit/loader/LuckPerms-Bukkit-5.4.150.jar";
sha512 = "39cr9nd68afrrvn80kvdgaml37xkj3mzhv50y3app5j1199hg12kls29r49x06p9rxm6dk7i0j8aww2hw4ahm18andb69a5kp97vf94";
};
};
# Configure Velocity Modern forwarding https://docs.papermc.io/velocity/player-information-forwarding#configuring-modern-forwarding-for-paper
files."spigot.yml".value = {
settings.bungeecord = false;
};
files."config/paper-global.yml".value = {
proxies.velocity.enabled = true;
proxies.velocity.online-mode = "online-mode";
forwarding.secret = ""; # TODO: Add Forewarding Secret using Sops
};
};
};
}

30
modules/nixos/services/minecraft/vanilla-test.nix
View file

@ -1,30 +0,0 @@
{
inputs,
config,
lib,
pkgs,
system,
...
}:
let
cfg = config.services.minecraft;
in
{
config = lib.mkIf (cfg.enable && cfg.servers.vanilla.enable) {
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"minecraft-server"
];
services.minecraft-servers.servers."vanilla-test" = {
enable = true;
autoStart = true;
enableReload = true;
package = pkgs.vanillaServers.vanilla;
whitelist = {
kB01guy = "1ff88b66-beda-4386-85b9-a00a5c27437a";
};
openFirewall = true;
};
};
}

73
modules/nixos/services/minecraft/velocity.nix
View file

@ -1,73 +0,0 @@
{
inputs,
config,
lib,
pkgs,
system,
...
}:
let
cfg = config.services.minecraft;
in
{
config = lib.mkIf (cfg.enable && cfg.servers.velocity.enable) {
# Configure Server
services.minecraft-servers.servers."velocity" = {
enable = true;
autoStart = true;
enableReload = true;
stopCommand = "end";
package = pkgs.velocityServers.velocity;
symlinks = {
"plugins/LuckPerms.jar" = pkgs.fetchurl {
url = "https://download.luckperms.net/1567/velocity/LuckPerms-Velocity-5.4.150.jar";
sha512 = "3dr69g2fbav3if44nmifgz7hn86gdf62hcks92kkvwxf4xa3z7x615j426kgljyhgy84hf75wzpai258mg7dj9x17vpkn634kkzwmw6";
};
"plugins/Geyser-Velocity.jar" = pkgs.fetchurl {
url = "https://download.geysermc.org/v2/projects/geyser/versions/2.6.0/builds/730/downloads/velocity";
sha512 = "3shnm8q8vq8j44xxg4qwqwalw6ml9nkzfrzvv8pkblkjp25nfk3h14b4y9vdim1sa2a18mkf8hmhb16g1mka2rh7l0z0yg4kh3lj2i0";
};
"plugins/floodgate-velocity.jar" = pkgs.fetchurl {
url = "https://download.geysermc.org/v2/projects/floodgate/versions/2.2.3/builds/114/downloads/velocity";
sha512 = "1k7qban3gar0fxxi5kp5i8d72k6ck65cvsfbg4nh8bz40jwqn35fx9gj3zbb06x5l8sg6qxl7w2nsn3jan4hjq7m5lwf2c1l1mjaw81";
};
"plugins/LibreLogin.jar" = pkgs.fetchurl {
url = "https://modrinth.com/plugin/libre-login/version/0.23.0";
sha512 = "1wrnp82vv47hhvjp1lxdndmngndykshi7iindnpg61j0v7i8bdgr9rk5qvanvw95gcj59cnhxdmjynq8fm127n4gv53acdidlxz39sd";
};
};
files = {
"velocity.toml".value = {
config-version = "2.7"; # NEVER change this!
bind = "0.0.0.0:25565";
online-mode = false;
player-info-forwarding-mode = "modern";
enable-player-address-logging = false;
# servers.lobby = "";
servers.survival = "127.0.0.1:${toString config.services.minecraft-servers.servers."survival".serverProperties.server-port}";
servers.lobby = "127.0.0.1:123";
servers.try = [
#"lobby"
"survival"
];
forced-hosts."lobby.example.com" = [ "lobby" ];
advanced.tcp-fast-open = true;
};
};
};
networking.firewall.allowedTCPPorts = [ 25565 ];
# Configure Plugin Luckperms
sops.templates."minecraft/velocity/plugin/luckperms/config.yml".path = "/srv/minecraft/velocity/plugins/luckperms/config.yml";
sops.templates."minecraft/velocity/plugin/luckperms/config.yml".owner = config.services.minecraft-servers.user;
sops.templates."minecraft/velocity/plugin/luckperms/config.yml".content = lib.generators.toYAML { } { # Unfortunately currently lib.generators.toYAML generates JSON, and the File will not be Human readable
storage-method = "mariadb";
data.address = "localhost:${toString config.services.mysql.settings.mysqld.port}";
data.database = "luckperms";
data.username = "luckperms";
data.password = ''${config.sops.placeholder."minecraft/database/luckperms_password"}''; # Secret created in ./database.nix
};
};
}

53
modules/nixos/services/traefik-proxy/default.nix
View file

@ -1,53 +0,0 @@
{ inputs, config, lib, pkgs, ... }:
let
cfg = config.services.traefik-proxy;
in
{
imports = [
];
options.services.traefik-proxy = {
enable = lib.mkOption {
type = with lib.types; uniq bool;
default = false;
description = "Enable Pre-Configured Traefik Proxy";
};
};
config = lib.mkIf (cfg.enable ||
config.services.binary-cache.enable ||
config.suites.nas.media.enable) {
services.traefik = {
enable = true;
staticConfigOptions = {
entryPoints = {
web = {
address = ":80";
asDefault = true;
http.redirections.entrypoint = {
to = "websecure";
scheme = "https";
};
};
websecure = {
address = ":443";
asDefault = true;
http.tls.certResolver = "letsencrypt";
};
};
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
# Configure Letsencrypt
services.traefik.staticConfigOptions = {
certificatesResolvers.letsencrypt.acme = {
email = "kb01@kb-one.de";
tlsChallenge = {};
storage = "/var/secrets/traefik/acme.json";
};
};
};
}

59
modules/nixos/suites/nas/default.nix
View file

@ -1,59 +0,0 @@
{
inputs,
config,
lib,
pkgs,
system,
...
}:
let
cfg = config.suites.nas;
in
{
imports = [
./jellyfin.nix
./kavita.nix
];
options.suites.nas.enable = lib.mkOption {
type = with lib.types; uniq bool;
default = false;
description = "Enable Preconfigured NAS Config";
};
options.suites.nas.domain = lib.mkOption {
type = with lib.types; string;
default = "localhost";
description = "NAS Reachable Domain Name";
};
options.suites.nas.media.enable = lib.mkOption {
type = with lib.types; uniq bool;
default = true;
description = "Enable Media Servers";
};
options.suites.nas.media.folder = lib.mkOption {
type = with lib.types; str;
default = "/home/media/media";
description = "Media Root Directory";
};
# Media Config
config = lib.mkIf (cfg.enable && cfg.media.enable) {
# Media Defaults
suites.nas.media.jellyfin.enable = true;
suites.nas.media.kavita.enable = false;
# Create Media User
users.groups.media = {};
users.users.media = {
isSystemUser = true;
createHome = true;
description = "Media User";
group = "media";
home = "/home/media";
};
};
}

41
modules/nixos/suites/nas/jellyfin.nix
View file

@ -1,41 +0,0 @@
{
inputs,
config,
lib,
pkgs,
system,
...
}:
let
cfg = config.suites.nas.media.jellyfin;
in
{
options.suites.nas.media.jellyfin.enable = lib.mkOption {
type = with lib.types; uniq bool;
default = false;
description = "Enable Preconfigured Jellyfin Config";
};
options.suites.nas.media.jellyfin.subdomain = lib.mkOption {
type = with lib.types; string;
default = "watch";
description = "Subdomain for Jellyfin Server";
};
config = lib.mkIf (cfg.enable) {
services.jellyfin.enable = true;
services.jellyfin.user = "media";
# Configure Reverse-Proxy
services.traefik.dynamicConfigOptions = {
http.services.jellyfin.loadBalancer.servers = [ { url = "http://localhost:8096/"; } ];
http.routers.jellyfin.entrypoints = "websecure";
http.routers.jellyfin.tls = true;
#http.routers.jellyfin.tls.certresolver = "letsencrypt";
http.routers.jellyfin.rule = "Host(`${cfg.subdomain}.${config.suites.nas.domain}`)";
http.routers.jellyfin.service = "jellyfin";
};
};
}

42
modules/nixos/suites/nas/kavita.nix
View file

@ -1,42 +0,0 @@
{
inputs,
config,
lib,
pkgs,
system,
...
}:
let
cfg = config.suites.nas.media.kavita;
in
{
options.suites.nas.media.kavita.enable = lib.mkOption {
type = with lib.types; uniq bool;
default = false;
description = "Enable Preconfigured kavita Config";
};
options.suites.nas.media.kavita.subdomain = lib.mkOption {
type = with lib.types; string;
default = "read";
description = "Kavita Subdomain";
};
config = lib.mkIf (cfg.enable) {
services.kavita.enable = true;
services.kavita.user = "media";
services.kavita.tokenKeyFile = "/home/media/secrets/kavita-secret";
# Configure Reverse-Proxy
services.traefik.dynamicConfigOptions = {
http.services.kavita.loadBalancer.servers = [ { url = "http://localhost:5000/"; } ];
http.routers.kavita.entrypoints = "websecure";
http.routers.kavita.tls = true;
#http.routers.kavita.tls.certresolver = "letsencrypt";
http.routers.kavita.rule = "Host(`${cfg.subdomain}.${config.suites.nas.domain}`)";
http.routers.kavita.service = "kavita";
};
};
}

39
modules/nixos/suites/senfnvp/README.md
View file

@ -1,39 +0,0 @@
# Senfnvp Stack
The Senfnvp Stack contains Web Infra-structure.
## Notes
``` nix
senfnvp = {
enable = true;
hostname = "senfnvp.kb-one.de";
# Defaults
proxy.enable = true;
website.enable = true;
forgejo.enable = true;
forgejo.initializeDatabase = false; # Only use once!
forgejo.enableFail2Ban = true;
keycloak.enable = true;
keycloak.initializeDatabase = false; # Only use once!
docker-compose.enable = true; # Configuration for Docker-Compose support for Mailcow
};
```
### The Database
The Database Server is enabled when when you enable the Stack itself.
When you Activate a Service you might want to Edit the File at `./database/init-servicename.template.sql`. If you have a Database-Dump, place it there with the Naming-Sheme `./database/init-servicename.sql`. When creating a new Setup you can just run `cp init-servicename.template.sql init-servicename.sql` to use the template. The template only creates the Database, User and Password and lets it to the Service create its Tables.
Basically the order is like this:
- Create Secrets `sops ./secrets.yaml`
- Apply Template `cp ./database/init-forgejo.template.sql ./database/init-forgejo.sql`
- Initialize ´forgejo.enable = true; forgejo.initializeDatabase = true;`
- Apply config `nixos-rebuild switch --flake .`
- Wait for Initialisation
- Wait! Dumps will take time!
- Enable Production `forgejo.enable = true; forgejo.initializeDatabase = false;`
- Apply config `nixos-rebuild switch --flake .`
-

84
modules/nixos/suites/senfnvp/default.nix
View file

@ -1,84 +0,0 @@
{
inputs,
config,
lib,
pkgs,
system,
...
}:
let
cfg = config.suites.senfnvp;
in
{
imports = [
./website.nix
./forgejo.nix
];
options.suites.senfnvp.enable = lib.mkOption {
type = with lib.types; uniq bool;
default = false;
description = "Enables the senfnvp Stack";
};
options.suites.senfnvp.hostname = lib.mkOption {
type = with lib.types; string;
default = "kb-one.de";
description = "Hostname of senfnvp Stack";
};
options.suites.senfnvp.database.enable = lib.mkOption {
type = with lib.types; uniq bool;
default = true;
description = "Enable senfnvp Database";
};
options.suites.senfnvp.proxy.enable = lib.mkOption {
type = with lib.types; uniq bool;
default = true;
description = "Enable senfnvp Proxy";
};
config = lib.mkIf (cfg.enable) {
containers.proxy = lib.mkIf (cfg.enable && cfg.proxy.enable) {
autoStart = true;
config = { config, pkgs, lib, ... }: {
services.traefik = {
enable = true;
staticConfigOptions = {
entryPoints = {
web = {
address = ":80";
asDefault = true;
http.redirections.entrypoint = {
to = "websecure";
scheme = "https";
};
};
websecure = {
address = ":443";
asDefault = true;
http.tls.certResolver = "letsencrypt";
};
git-ssh.address = ":9522";
};
certificatesResolvers.letsencrypt.acme = {
tlsChallenge = {};
storage = "/var/secrets/traefik/acme.json";
};
};
};
networking.firewall.allowedTCPPorts = [ 80 443 9522];
};
};
# Core Container
# A Guide to Nix Containers: https://blog.beardhatcode.be/2020/12/Declarative-Nixos-Containers.html
containers.core = {
autoStart = true;
privateNetwork = true;
config = { config, pkgs, lib, ... }: {
};
};
};
}

54
modules/nixos/suites/senfnvp/forgejo.nix
View file

@ -1,54 +0,0 @@
{
inputs,
config,
lib,
pkgs,
system,
...
}:
let
cfg = config.suites.senfnvp;
in
{
options.suites.senfnvp.forgejo.enable = lib.mkOption {
type = with lib.types; uniq bool;
default = true;
description = "Enable Forgejo";
};
options.suites.senfnvp.forgejo.sshPort = lib.mkOption {
type = with lib.types; port;
default = 9522;
description = "Forgejo SSH Port";
};
options.suites.senfnvp.forgejo.httpPort = lib.mkOption {
type = with lib.types; port;
default = 3000;
description = "Forgejo http Port";
};
config = lib.mkIf (cfg.enable && cfg.forgejo.enable) {
containers.forgejo = {
autoStart = true;
config = {
services.forgejo = {
enable = !cfg.forgejo.initializeDatabase;
settings.server = {
ROOT_URL = "git.${cfg.hostname}";
SSH_PORT = cfg.forgejo.sshPort;
HTTP_PORT = cfg.forgejo.httpPort;
};
database = {
type = "postgres";
#host = "127.0.0.1"; # default Value
port = cfg.database.port;
#name = "forgejo"; # default Value
#user = "forgejo"; # default Value
passwordFile = "";
};
};
};
};
};
}

41
modules/nixos/suites/senfnvp/website.nix
View file

@ -1,41 +0,0 @@
{
inputs,
config,
lib,
pkgs,
system,
...
}:
let
cfg = config.suites.senfnvp;
in
{
options.suites.senfnvp.website.enable = lib.mkOption {
type = with lib.types; uniq bool;
default = true;
description = "Enable senfnvp Website (kb-one.de)";
};
options.suites.senfnvp.website.httpPort = lib.mkOption {
type = with lib.types; port;
default = 8080;
description = "Website HTTP Port";
};
config = lib.mkIf (cfg.enable && cfg.website.enable) {
containers.website = {
autoStart = true;
config = {
services.nginx.enable = true;
services.nginx.virtualHosts."${cfg.hostname}" = {
root = "/var/www/${cfg.hostname}";
listen = [{
addr = "127.0.0.1";
port = cfg.website.httpPort;
}];
};
};
};
};
}

84
systems/README.md
View file

@ -1,32 +1,5 @@
# Systems
## [LANA9Z](./x86_64-linux/LANA9Z)
<table>
<tr>
<td><img src="../assets/LANA9Z.jpeg" width="152" height="114"></td>
<td>
<table>
<tr>
<td>User</td>
<td><a href="../main/homes/x86_64-linux/kb@LANA9Z">kb@LANA9Z</a></td>
</tr>
<tr>
<td>Cpu</td>
<td><a href="https://www.intel.com/content/www/us/en/products/sku/53464/intel-core-i72640m-processor-4m-cache-up-to-3-50-ghz/specifications.html">Intel i7-2640M</a>, 2 Cores, max 3.50 GHz</td>
</tr>
<tr>
<td>Ram</td>
<td>16 GB</td>
</tr>
<tr>
<td>Device</td>
<td>MacBook Pro 2011 (MacBook Pro 8,1)</td>
</tr>
</table>
</td>
</tr>
</table>
## [LoyAdjo](./x86_64-linux/LoyAdjo)
<table>
<tr>
@ -139,60 +112,3 @@
</tr>
</table>
## [kb-game-01](./x86_64-linux/kb-game-01)
<table>
<tr>
<td><img src="../assets/server-solid.svg" width="152" height="114"></td>
<td>
<table>
<tr>
<td>User</td>
<td>master@kb-game-01</td>
</tr>
<tr>
<td>Cpu</td>
<td><a href="https://www.amd.com/en/products/processors/server/epyc/7002-series.html">AMD EPYC 7702P</a>, 4 / 64 Cores, max 3.35 GHz</td>
</tr>
<tr>
<td>Ram</td>
<td>16 GB</td>
</tr>
<tr>
<td>Device</td>
<td>KVM Server for Game-Servers (or Build-Server)</td>
</tr>
</table>
</td>
</tr>
</table>
## [U3ncSovm](./x86_64-linux/U3ncSovm)
<table>
<tr>
<td><img src="../assets/server-solid.svg" width="152" height="114"></td>
<td>
<table>
<tr>
<td>User</td>
<td>master@U3ncSovm</td>
</tr>
<tr>
<td>Cpu</td>
<td>...</td>
</tr>
<tr>
<td>Ram</td>
<td>...</td>
</tr>
<tr>
<td>Device</td>
<td>Custom NAS Server, currently under construction only as VM.</td>
</tr>
<tr>
<td>Build</td>
<td><pre lang="bash">nixos-rebuild build-vm --flake .#U3ncSovm</pre></td>
</tr>
</table>
</td>
</tr>
</table>

75
systems/aarch64-linux/kb-senfnvp/default.nix
View file

@ -1,75 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
./hardware.nix
];
# Configure Nix
nix.settings.experimental-features = [ "nix-command" "flakes" ];
nix.settings.trusted-users=[ "remotebuild" ];
nix.package = pkgs.lix;
# Networking
networking.hostName = "kb-senfnvp";
networking.networkmanager.enable = true;
networking.nameservers = [
"1.1.1.1"
];
# Set your time zone.
time.timeZone = "Europe/Amsterdam";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "de";
};
users.users.master = { # Managed by Homemanager
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJszrrdVHmMUdgOakyFNOIPV9BfopwflqivmK13Fmsab kb@Ohybke"
];
isNormalUser = true;
extraGroups = [ "wheel" ];
};
users.users.remotebuild = {
isNormalUser = true;
createHome = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJV9cwMXlbaBdg2gReSnLxH3EV5cyFoSi21f5fZhPfdC kb@Ohybke"
];
};
environment.systemPackages = with pkgs; [
git
wget
vim
tree
fastfetch
];
# Default Editor
programs.vim.enable = true;
programs.vim.defaultEditor = true;
# SSH and Mosh
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
ports = [ 9553 ];
openFirewall = true;
};
programs.mosh.enable = true;
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
system.stateVersion = "24.11"; # NEVER CHANGE THIS !!!!
}

52
systems/aarch64-linux/kb-senfnvp/hardware.nix
View file

@ -1,52 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
# System
boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_scsi" "sr_mod" "sr_mod" "r8169" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
# Boot Loader
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# SSH Remote Unlock
boot.kernelParams = [ "ip=dhcp" ];
boot.initrd.systemd.users.root.shell = "/bin/cryptsetup-askpass";
boot.initrd.network = {
enable = true;
ssh = {
enable = true;
port = 7299;
authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ6jJa135d46R9XgV7h5SfxALabycI5ZPN8kdSQbEkYM kb@Ohybke" ];
hostKeys = [ "/etc/secrets/initrd/ssh_host_rsa_key" ];
};
postCommands = ''
echo 'cryptsetup-askpass' >> /root/.profile
'';
};
# Disks
boot.initrd.luks.devices."luks-2d08047a-a014-480b-8a24-a70e20a2d7d7".device = "/dev/disk/by-uuid/2d08047a-a014-480b-8a24-a70e20a2d7d7";
fileSystems."/" = {
device = "/dev/disk/by-uuid/9c1d9682-5cfb-4683-a789-f544fc6e7681";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/FEAA-61DA";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices = [ ];
# Networking
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp7s0.useDHCP = lib.mkDefault true;
}

7
systems/x86_64-iso/plasma6-64bit-iso/default.nix
View file

@ -1,7 +0,0 @@
{ pkgs, modulesPath, lib, ... }:
{
imports = [
"${modulesPath}/installer/cd-dvd/installation-cd-graphical-calamares-plasma6.nix"
];
}

61
systems/x86_64-linux/U3ncSovm/default.nix
View file

@ -1,61 +0,0 @@
{ config, lib, pkgs, inputs, ... }:
{
imports = [ # Include the results of the hardware scan.
./hardware.nix
];
# Configure Nix
nix.settings.experimental-features = [ "nix-command" "flakes" ];
nix.package = pkgs.lix;
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.efiSupport = true;
boot.loader.grub.devices = [ "nodev" ];
boot.loader.efi.canTouchEfiVariables = true;
# Define your hostname.
networking.hostName = "U3ncSovm";
# Set your time zone.
time.timeZone = "Europe/Amsterdam";
# Configure keymap in X11
services.xserver.xkb.layout = "us";
# Define a user account. Don't forget to set a password with passwd.
users.users.master = {
initialPassword = "test";
openssh.authorizedKeys.keys = [
];
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user.
packages = with pkgs; [
tree
vim
fastfetch
];
};
# List packages installed in system profile. To search, run:
environment.systemPackages = with pkgs; [
vim
wget
git
];
# SSH and Mosh
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
ports = [ 5530 ];
openFirewall = true;
};
programs.mosh.enable = true;
# Do NOT change this value
system.stateVersion = "24.05"; # Did you read the comment?
}

49
systems/x86_64-linux/U3ncSovm/hardware.nix
View file

@ -1,49 +0,0 @@
{ config, lib, pkgs, modulesPath, inputs, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
# Configure NixOS
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
# Boot Parameters
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "firewire_ohci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" "wl" ];
boot.extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];
# Filesystems
fileSystems."/" = {
device = "/dev/disk/by-uuid/00000000-0000-0000-0000-000000000000";
fsType = "ext4";
};
boot.initrd.luks.devices."luks-00000000-0000-0000-0000-000000000000".device = "/dev/disk/by-uuid/00000000-0000-0000-0000-000000000000";
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/0000-0000";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices = [
{
device = "/swapfile";
size = 4*1024;
}
];
# Network
networking.useDHCP = lib.mkDefault true;
# Hardware
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# Virtual Machine Configuration
virtualisation.vmVariant = {
# following configuration is added only when building VM with build-vm
virtualisation = {
memorySize = 4*1024;
cores = 3;
};
};
}

105
systems/x86_64-linux/kb-game-01/default.nix
View file

@ -1,105 +0,0 @@
{ config, lib, pkgs, inputs, ... }:
{
imports = [ # Include the results of the hardware scan.
./hardware.nix
];
# Configure Nix
nix.settings.experimental-features = [ "nix-command" "flakes" ];
nix.settings.trusted-users=[ "remotebuild" ];
nix.settings.trusted-public-keys = [
"cache.HyperC:90YNJ0eWsuBGVVP989lJh1rL8C0KM6IKbAtEUiu+FCU="
];
nix.package = pkgs.lix;
nixpkgs.overlays = [ inputs.nix-minecraft.overlay ];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.efiSupport = true;
boot.loader.grub.devices = [ "nodev" ];
boot.loader.efi.canTouchEfiVariables = true;
# Define your hostname.
networking.hostName = "kb-game-01";
# Set your time zone.
time.timeZone = "Europe/Amsterdam";
# Configure keymap in X11
services.xserver.xkb.layout = "us";
# Define a user account. Don't forget to set a password with passwd.
users.users.master = {
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKLbU0GpeqkYOsccsddQgZAppd5SFiokGAfjKr+dEEjY kb HyperC"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHS3DoQe/4TtdTLD/Fl41rTjE0n5MyFMl59VGVejcskO kb voloxo"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPpN/3esM0SFLJ2guCBOYX8IdBC+jUiMF+xPYkTEuzbe kb-work yerukall"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMN1LWMOfFtRKkSLIA/XTj3KYm7OG2bjqEmGXj0gmDc7 kb@LoyAdjo"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE7W8FUUvM8rUGK6qV3XOIxR0y/pdyo9z5HZNzOADs5+ kb@Rubtrm"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILgfAxGyxjNOZyuUZIlwVCzj/mBM9uM7apNDzEJ3g+F+ kb@LANA9C"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKurR2GzSHyD3AM0Xn+YmwfGcLjBlQX1ZRh93S8YiQwn kb@Ohybke"
];
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user.
packages = with pkgs; [
vim
sops
];
};
users.users.remotebuild = {
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBHdxVb42GEb/rwrsQx/Wc2v2P+WIq8/WNlF+l31Rl/a Remotebuilds from HyperC"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL/WONflZXVoZd8I4HdNMXNtoYELnCaxqdFY0QKDXXS9 Remotebuilds from Rubtrm"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJqjdhtK0xeJcHwwCAia6I+WuZCkN9pUS21MNjJ2jOuc Remotebuilds from LANA9Z"
];
};
# List packages installed in system profile. To search, run:
environment.systemPackages = with pkgs; [
vim
wget
git
tree
];
# Default Editor
programs.vim.enable = true;
programs.vim.defaultEditor = true;
# Sops Secrets Config
sops.defaultSopsFormat = "yaml";
sops.age.keyFile = "/home/master/.config/sops/age/keys.txt";
# SSH and Mosh
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
ports = [ 3422 ];
openFirewall = true;
};
programs.mosh.enable = true;
# Minecraft Servers
services.minecraft = {
enable = true;
servers.velocity.enable = true;
servers.survival.enable = true;
};
# Forgejo Runner
services.forgejo-runner.enable = true;
# Binary Cache
services.binary-cache.enable = false; # No Binary-Cache, when there are Secrets in the /nix/store
# Enable QUEMU Quest Agent
services.qemuGuest.enable = true;
# Do NOT change this value
system.stateVersion = "24.05"; # Did you read the comment?
}

38
systems/x86_64-linux/kb-game-01/hardware.nix
View file

@ -1,38 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-label/NIXROOT";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-label/NIXBOOT";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens3.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

61
systems/x86_64-linux/mow0m/default.nix
View file

@ -1,61 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
./hardware.nix
];
# Networking
networking.hostName = "mow0m";
networking.networkmanager.enable = true;
# Set your time zone.
time.timeZone = "Europe/Amsterdam";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "de";
};
users.users.master = {
isNormalUser = true;
extraGroups = [ "wheel" ];
packages = with pkgs; [
tree
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF+qnaWHrGk+DHz5I3L8wK5MPVzjck9LTuctnzK55WJs kb@LoyAdjo"
];
};
# programs.firefox.enable = true;
# System Packages: (search via $ nix search wget)
environment.systemPackages = with pkgs; [
vim
tree
wget
];
# SSH and Mosh
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
ports = [ 9553 ];
openFirewall = true;
};
programs.mosh.enable = true;
# Firewall
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
system.stateVersion = "24.11"; # NEVER CHANGE THIS!!!
}

83
systems/x86_64-linux/mow0m/hardware.nix
View file

@ -1,83 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.kernelParams = [ "elevator=noop" "boot.shell_on_fail" "ip=dhcp" ];
boot.extraModulePackages = [ ];
boot.supportedFilesystems = [ "zfs" ];
networking.hostId = "c61a0c21";
networking.useDHCP = lib.mkDefault true;
# Bootloader
boot.loader = {
efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot"; # use the same mount point here.
};
grub = {
enable = true;
version = 2;
copyKernels = true;
efiSupport = true;
mirroredBoots = [
{devices = [ "/dev/nvme0n1" ]; path = "/boot";}
{devices = [ "/dev/nvme1n1" ]; path = "/boot1";}
];
};
};
# Uncomment [on a working system] to ensure extra safeguards are active that zfs uses to protect zfs pools:
#boot.zfs.forceImportAll = false;
#boot.zfs.forceImportRoot = false;
# Remote Filesystem(s) unlocking
boot.initrd.network.enable = true;
boot.initrd.network.ssh = {
enable = true;
port = 2550;
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAPKorzbCjRROOmFpiEfbH2mmLJ8qACUUt7pln87PgkA kb@LoyAdjo"
];
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
};
boot.initrd.network.postCommands = ''
zpool import -a
echo "zfs load-key -a; killall zfs" >> /root/.profile
'';
# Filesystems
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/7C96-7E8A";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
fileSystems."/boot1" = {
device = "/dev/disk/by-uuid/7C97-3483";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
fileSystems."/" = {
device = "mow0m/root";
fsType = "zfs";
};
fileSystems."/nix" = {
device = "mow0m/root/nix";
fsType = "zfs";
};
fileSystems."/home" = {
device = "mow0m/root/home";
fsType = "zfs";
};
swapDevices = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}