opentofu incus

This commit is contained in:
iofq 2026-03-21 13:41:50 -05:00
parent e4f5ca2fc9
commit 3d8242b314
22 changed files with 340 additions and 211 deletions


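--- a/[new-file-1-path-not-shown-on-page]
+++ b/[new-file-1-path-not-shown-on-page]
@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+with pkgs;
+{
+security.sudo.enable = lib.mkForce false;
+networking = {
+useHostResolvConf = lib.mkForce false;
+};
+}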
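Review bot: `with pkgs;` on the second line is the only thing that puts `lib` in scope for the two `lib.mkForce` calls below it, which is implicit and also drags every attribute of `pkgs` into the module's scope; take `lib` from the module arguments instead, `{ lib, ... }:`, and drop the `with pkgs;` line, since nothing else in the file uses `pkgs`. A one-line header comment naming what these overrides are for would help too — forcing `security.sudo.enable` off and `networking.useHostResolvConf` off reads like a guest profile layered over shared defaults, but the page does not show where this file is imported. With sudo forced off, that comment is also the place to state which admin path into the guest is the intended one.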


@ -73,4 +73,17 @@ in
./oracle/configuration.nix
];
};
base = inputs.nixpkgs-stable.lib.nixosSystem {
pkgs = pkgs.nixos-stable;
specialArgs = {
inherit inputs system attrs;
host = {
hostName = "nixos";
inherit (attrs) username;
};
};
modules = defaultModules ++ [
./base/configuration.nix
];
};
}
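Review bot: The new `base = inputs.nixpkgs-stable.lib.nixosSystem` entry carries no comment saying what it is for; it has only the generic `hostName = "nixos"` and `./base/configuration.nix`, which looks like the template image behind the incus/opentofu work named in the commit title, but that is an inference. A one-line comment above it such as `# minimal stable-channel system used as the image template for guests` (reworded to whatever it actually is) would stop the next reader from treating it as a real host. If `base` is cloned into several guests, the shared `hostName` should be overridden per guest or stated as intentional. The enclosing attribute set starts above the hunk.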


@ -94,25 +94,25 @@ in
};
};
systemd = {
mounts = [
{
type = "nfs";
mountConfig = {
Options = "noatime";
};
what = "zen:/tank/home";
where = "/mnt/home";
}
];
automounts = [
{
wantedBy = [ "multi-user.target" ];
automountConfig = {
TimeoutIdleSec = "600";
};
where = "/mnt/home";
}
];
# mounts = [
# {
# type = "nfs";
# mountConfig = {
# Options = "noatime";
# };
# what = "zen:/tank/home";
# where = "/mnt/home";
# }
# ];
# automounts = [
# {
# wantedBy = [ "multi-user.target" ];
# automountConfig = {
# TimeoutIdleSec = "600";
# };
# where = "/mnt/home";
# }
# ];
};
};
}
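Review bot: The NFS mount and automount of `/mnt/home` are commented out rather than deleted (the `# mounts = [` through `# ];` lines), which leaves nineteen lines of dead config in the file; git history already keeps the old definition, so deleting the block and, if it is meant to return, leaving a single line like `# NFS home mount from zen removed pending the incus migration; see history` is clearer. The same comment-out-instead-of-delete pattern covers most of the new 168-line configuration.nix later in this commit (the section starting `{ host, config, pkgs, ...`), so the decision is best made once for both. If anything else in this host's config still expects `/mnt/home` to exist (user home directories, bind mounts), it would now fail at activation; that cannot be checked from the hunk.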


@ -9,152 +9,12 @@
imports = [
./hardware-configuration.nix
];
boot = {
kernel.sysctl = {
"vm.swappiness" = 6;
};
};
sops = {
secrets = {
"password".sopsFile = ../../secrets/k8s.yaml;
forgejo-runner.sopsFile = ../../secrets/forgejo-runner.yaml;
"b2-immich/env".sopsFile = ../../secrets/restic.yaml;
"b2-immich/repo".sopsFile = ../../secrets/restic.yaml;
"b2-immich/password".sopsFile = ../../secrets/restic.yaml;
"cf-dns-key".sopsFile = ../../secrets/cf-acme.yaml;
};
};
services.restic.backups = {
b2-immich = {
initialize = true;
environmentFile = config.sops.secrets."b2-immich/env".path;
repositoryFile = config.sops.secrets."b2-immich/repo".path;
passwordFile = config.sops.secrets."b2-immich/password".path;
paths = [
"/tank/immich"
];
timerConfig = {
OnCalendar = "06:00";
};
pruneOpts = [
"--keep-daily 31"
"--keep-monthly 6"
"--keep-yearly 1"
];
};
};
networking = {
hostId = "44238132";
firewall = {
allowedTCPPorts = [
22
80
443
2049 # nfs
];
interfaces."podman+" = {
allowedTCPPorts = [ 33393 ];
};
};
};
machine.sys.zram = false;
machine.sys.swap = false;
services = {
zfs.autoScrub.enable = true;
zfs.autoSnapshot.enable = true;
fstrim.enable = true;
nfs.server.enable = true;
immich = {
enable = true;
package = pkgs-unstable.immich;
port = 2283;
host = "localhost";
openFirewall = true;
machine-learning.enable = true;
mediaLocation = "/tank/immich";
accelerationDevices = null;
};
nginx = {
enable = true;
virtualHosts."img.10110110.xyz" = {
forceSSL = true;
useACMEHost = "10110110.xyz";
locations."/" = {
proxyPass = "http://localhost:${toString config.services.immich.port}";
proxyWebsockets = true;
recommendedProxySettings = true;
extraConfig = ''
client_max_body_size 50000M;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
send_timeout 600s;
'';
};
};
};
};
services.gitea-actions-runner = {
package = pkgs.forgejo-runner;
instances.default = {
enable = true;
name = host.hostName;
settings = {
runner.capacity = 3;
container = {
force_pull = true;
valid_volumes = [
"/nix/store"
"/nix/var/nix/daemon-socket"
];
};
};
url = "https://git.10110110.xyz";
tokenFile = config.sops.secrets.forgejo-runner.path;
labels = [
"ubuntu-latest:docker://node:24-bullseye"
"nix-upstream-latest:docker://nixos/nix:latest"
"nix-latest:docker://git.10110110.xyz/ci/nix"
];
};
};
# services.k3s = {
# enable = true;
# role = "agent";
# extraFlags = toString [
# "--flannel-iface=tailscale0"
# ];
# tokenFile = config.sops.secrets."password".path;
# serverAddr = "https://consensus:6443";
# };
# systemd.services.k3s = {
# preStart = ''
# until ${pkgs.tailscale}/bin/tailscale status; do
# sleep 1
# done
# '';
# };
security.acme = {
acceptTerms = true;
defaults.email = "acme@10110110.xyz";
certs = {
"10110110.xyz" = {
domain = "*.10110110.xyz";
group = config.services.nginx.group;
dnsProvider = "cloudflare";
environmentFile = config.sops.secrets."cf-dns-key".path;
};
};
};
virtualisation.podman.enable = true;
hardware = {
graphics.enable = true;
nvidia = {
modesetting.enable = true;
nvidiaSettings = true;
open = false;
package = config.boot.kernelPackages.nvidiaPackages.stable;
};
enableRedistributableFirmware = true;
firmware = [ pkgs.linux-firmware ];
};
}


@ -1,69 +1,27 @@
{
config,
lib,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot = {
extraModulePackages = [ ];
initrd = {
availableKernelModules = [
"xhci_pci"
"ahci"
"usbhid"
"usb_storage"
"sd_mod"
];
kernelModules = [
"dm-snapshot"
"nvme"
];
};
initrd.availableKernelModules = [
"xhci_pci"
"ahci"
];
initrd.kernelModules = [ ];
kernelModules = [ "kvm-amd" ];
loader = {
efi = {
canTouchEfiVariables = true;
};
systemd-boot = {
enable = true;
};
};
extraModulePackages = [ ];
supportedFilesystems = [
"zfs"
"nfs"
];
zfs = {
# extraPools = [ "rice" ];
extraPools = [ "tank" ];
forceImportRoot = false;
};
};
fileSystems = {
"/" = {
device = "/dev/mapper/nixos-root";
fsType = "btrfs";
};
"/boot" = {
device = "/dev/disk/by-uuid/7A75-7368";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
"/nix/store" = {
device = "/dev/mapper/nixos-store";
fsType = "btrfs";
};
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
system.stateVersion = "25.11";
}
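Review bot: Judging by the hunk header (27 lines on the new side) the `fileSystems`, `boot.loader` and `boot.zfs` blocks are removed rather than kept, so this hardware-configuration.nix no longer declares a root file system, a bootloader, or `extraPools = [ "tank" ]`; that is only an inference from the line counts, but if it is right a comment at the top such as `# disk layout, bootloader and pool import live in <module>` would tell the next reader where they went, since this file is where NixOS conventionally keeps them. The initrd module list also shrinks to `"xhci_pci"` and `"ahci"`, dropping `nvme` and `dm-snapshot`; if the machine boots from an NVMe disk, `nvme` must stay in `boot.initrd.availableKernelModules`. `"zfs"` remains in `supportedFilesystems`, so something still has to import the pool if the `zfs.autoScrub`/`autoSnapshot` services in the matching configuration.nix are to do anything.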


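--- a/[new-file-2-path-not-shown-on-page]
+++ b/[new-file-2-path-not-shown-on-page]
+{
+host,
+config,
+pkgs,
+pkgs-unstable,
+...
+}:
+{
+imports = [
+./hardware-configuration.nix
+];
+# boot = {
+# kernel.sysctl = {
+# "vm.swappiness" = 6;
+# };
+# };
+# sops = {
+# secrets = {
+# "password".sopsFile = ../../secrets/k8s.yaml;
+# # "tailscale-auth".sopsFile = ../../secrets/tailscale.yaml;
+# forgejo-runner.sopsFile = ../../secrets/forgejo-runner.yaml;
+# "b2-immich/env".sopsFile = ../../secrets/restic.yaml;
+# "b2-immich/repo".sopsFile = ../../secrets/restic.yaml;
+# "b2-immich/password".sopsFile = ../../secrets/restic.yaml;
+# "cf-dns-key".sopsFile = ../../secrets/cf-acme.yaml;
+# };
+# };
+# services.restic.backups = {
+# b2-immich = {
+# initialize = true;
+# environmentFile = config.sops.secrets."b2-immich/env".path;
+# repositoryFile = config.sops.secrets."b2-immich/repo".path;
+# passwordFile = config.sops.secrets."b2-immich/password".path;
+#
+# paths = [
+# "/tank/immich"
+# ];
+# timerConfig = {
+# OnCalendar = "06:00";
+# };
+# pruneOpts = [
+# "--keep-daily 31"
+# "--keep-monthly 6"
+# "--keep-yearly 1"
+# ];
+# };
+# };
+# networking = {
+# nftables.enable = true;
+# hostId = "44238132";
+# firewall = {
+# allowedTCPPorts = [
+# 22
+# 80
+# 443
+# 2049 # nfs
+# ];
+# trustedInterfaces = [
+# "tailscale0"
+# "incusbr0"
+# ];
+# };
+# };
+services = {
+zfs.autoScrub.enable = true;
+zfs.autoSnapshot.enable = true;
+fstrim.enable = true;
+nfs.server.enable = true;
+# immich = {
+# enable = true;
+# package = pkgs-unstable.immich;
+# port = 2283;
+# host = "localhost";
+# openFirewall = true;
+# machine-learning.enable = true;
+# mediaLocation = "/tank/immich";
+# accelerationDevices = null;
+# };
+# nginx = {
+# enable = true;
+# virtualHosts."img.10110110.xyz" = {
+# forceSSL = true;
+# useACMEHost = "10110110.xyz";
+# locations."/" = {
+# proxyPass = "http://localhost:${toString config.services.immich.port}";
+# proxyWebsockets = true;
+# recommendedProxySettings = true;
+# extraConfig = ''
+# client_max_body_size 50000M;
+# proxy_read_timeout 600s;
+# proxy_send_timeout 600s;
+# send_timeout 600s;
+# '';
+# };
+# };
+# };
+};
+# services.gitea-actions-runner = {
+# package = pkgs.forgejo-runner;
+# instances.default = {
+# enable = true;
+# name = host.hostName;
+# settings = {
+# runner.capacity = 3;
+# container = {
+# force_pull = true;
+# valid_volumes = [
+# "/nix/store"
+# "/nix/var/nix/daemon-socket"
+# ];
+# };
+# };
+# url = "https://git.10110110.xyz";
+# tokenFile = config.sops.secrets.forgejo-runner.path;
+# labels = [
+# "ubuntu-latest:docker://node:24-bullseye"
+# "nix-upstream-latest:docker://nixos/nix:latest"
+# "nix-latest:docker://git.10110110.xyz/ci/nix"
+# ];
+# };
+# };
+# services.k3s = {
+# enable = true;
+# role = "server";
+# extraFlags = toString [
+# "--disable=traefik"
+# "--vpn-auth=file=${config.sops.secrets."tailscale-auth".path}"
+# "--node-external-ip=100.64.246.41"
+# ];
+# tokenFile = config.sops.secrets."password".path;
+# serverAddr = "https://zen:6443";
+# };
+# systemd.services.k3s = {
+# preStart = ''
+# until ${pkgs.tailscale}/bin/tailscale status; do
+# sleep 1
+# done
+# '';
+# };
+# security.acme = {
+# acceptTerms = true;
+# defaults.email = "acme@10110110.xyz";
+# certs = {
+# "10110110.xyz" = {
+# domain = "*.10110110.xyz";
+# group = config.services.nginx.group;
+# dnsProvider = "cloudflare";
+# environmentFile = config.sops.secrets."cf-dns-key".path;
+# };
+# };
+# };
+# virtualisation = {
+# podman.enable = false;
+# incus.enable = true;
+# };
+# hardware = {
+# graphics.enable = true;
+# nvidia = {
+# modesetting.enable = true;
+# nvidiaSettings = true;
+# open = false;
+# package = config.boot.kernelPackages.nvidiaPackages.stable;
+# };
+# enableRedistributableFirmware = true;
+# firmware = [ pkgs.linux-firmware ];
+# };
+}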
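Review bot: `networking.hostId = "44238132"` now sits inside the commented-out `networking` block (the `# hostId = "44238132";` line) while ZFS is still in use on this host — `services.zfs.autoScrub.enable` and `autoSnapshot.enable` are live a few lines below, and the hardware-configuration in this commit appears to keep `"zfs"` in `boot.supportedFilesystems` — and the NixOS zfs module asserts that `networking.hostId` is set, so unless it is defined in another module this configuration will not evaluate. The commented `services.restic.backups` block also means the daily backup of `/tank/immich` silently stops while the pool is still scrubbed and snapshotted; if this is a deliberate interim state, a comment at the top of the file saying so, and what has to happen before the blocks come back, is worth more than 140 lines of commented config. The commented firewall block leaves the NixOS default firewall on, so `services.nfs.server.enable = true` is reachable by nobody until `2049` is opened again — fine if intended, but it reads like an oversight next to a live NFS server. Finally, `host`, `pkgs`, `pkgs-unstable` and `config` in the module header are now referenced only inside comments, so the header could be `{ ... }:` until they are used again.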