stuff

2025-05-18 01:08:10 +02:00 · 2025-05-18 01:08:10 +02:00 · 8164e92af6
commit 8164e92af6
parent b8af0e9761
84 changed files with 674 additions and 567 deletions
--- a/hosts/abacus/forgejo.nix
+++ b/hosts/abacus/forgejo.nix
@ -1,21 +1,26 @@
 {
+  self,
  config,
  lib,
  pkgs,
  ...
 }:
 let
-  virtualHostName = "forgejo.helveticanonstandard.net";
+  cfg = config.services.forgejo;
+  inherit (config.age) secrets;
 in
 {
-  age.secrets = lib.mkSecrets {
+  age.secrets = {
    forgejo-mailer = {
+      file = self + /secrets/forgejo/mailer.age;
      mode = "400";
-      owner = "forgejo";
+      owner = cfg.user;
    };
+
    forgejo-admin = {
+      file = self + /secrets/forgejo/admin.age;
      mode = "400";
-      owner = "forgejo";
+      owner = cfg.user;
    };
  };

@ -24,10 +29,15 @@ in
    package = pkgs.forgejo;
    database.type = "postgres";
    lfs.enable = true;
+    dump = {
+      enable = true;
+      interval = "*-*-* 02:00:00";
+      backupDir = "/srv/backup/forgejo";
+    };
    settings = {
      server = {
-        DOMAIN = virtualHostName;
-        ROOT_URL = "https://${virtualHostName}/";
+        DOMAIN = "forgejo.helveticanonstandard.net";
+        ROOT_URL = "https://${cfg.settings.server.DOMAIN}/";
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = 8060;
      };
@ -51,34 +61,36 @@ in
      };
    };

-    secrets.mailer.PASSWD = config.age.secrets.forgejo-mailer.path;
+    secrets.mailer.PASSWD = secrets.forgejo-mailer.path;
  };

-  # TODO what
-  systemd.services.forgejo.preStart = lib.getExe pkgs.writeShellApplication {
-    name = "forgejo-init-admin";
-    runtimeInputs = [
-      config.services.forgejo.package
-    ];
-    text =
-      let
-        passwordFile = config.age.secrets.forgejo-admin.path;
-      in
-      ''
-        admins=$(admin user list --admin)
-        admins=$((admins - 1))
+  # TODO
+  systemd.services.forgejo.preStart = lib.getExe (
+    pkgs.writeShellApplication {
+      name = "forgejo-init-admin";
+      runtimeInputs = [
+        cfg.package
+      ];
+      text =
+        let
+          passwordFile = secrets.forgejo-admin.path;
+        in
+        ''
+          admins=$(admin user list --admin)
+          admins=$((admins - 1))

-        if ((admins < 1)); then
-          gitea admin user create \
-            --admin \
-            --email helvetica@helveticanonstandard.net \
-            --username helvetica \
-            --password "$(cat -- ${passwordFile})"
-        fi
-      '';
-  };
+          if ((admins < 1)); then
+            gitea admin user create \
+              --admin \
+              --email helvetica@helveticanonstandard.net \
+              --username helvetica \
+              --password "$(cat -- ${passwordFile})"
+          fi
+        '';
+    }
+  );

-  services.nginx.virtualHosts.${virtualHostName} = {
+  services.nginx.virtualHosts.${cfg.settings.server.DOMAIN} = {
    enableACME = true;
    forceSSL = true;

@ -88,8 +100,8 @@ in

    locations."/".proxyPass =
      let
-        host = config.services.forgejo.settings.server.HTTP_ADDR;
-        port = builtins.toString config.services.forgejo.settings.server.HTTP_PORT;
+        host = cfg.settings.server.HTTP_ADDR;
+        port = builtins.toString cfg.settings.server.HTTP_PORT;
      in
      "http://${host}:${port}";
  };
--- a/hosts/abacus/navidrome.nix
+++ b/hosts/abacus/navidrome.nix
@ -10,6 +10,11 @@ in
      Port = 8050;
      MusicFolder = "/srv/music";
      EnableSharing = true;
+      Backup = {
+        Path = "/srv/backup/navidrome";
+        Count = 1;
+        Schedule = "0 2 * * *";
+      };
    };
  };

--- a/hosts/abacus/networking.nix
+++ b/hosts/abacus/networking.nix
@ -7,7 +7,7 @@
      domain = "wrz.one";
      interfaces.${interface}.ipv6.addresses = [
        {
-          address = "2a01:4f9:c012:92b5::2";
+          address = "2a01:4f8:c013:e64a::2";
          prefixLength = 64;
        }
      ];
--- a/hosts/abacus/nginx.nix
+++ b/hosts/abacus/nginx.nix
@ -1,3 +1,4 @@
+{ config, ... }:
 {
  services.nginx = {
    enable = true;
@ -23,7 +24,7 @@
          default = true;
          rejectSSL = true;

-          globalRedirect = "wrz.one";
+          globalRedirect = config.networking.domain;
        };
        # Redirect www to non-www
        ${matchWww}.globalRedirect = "$domain";
--- a/hosts/abacus/profiles.nix
+++ b/hosts/abacus/profiles.nix
@ -0,0 +1,3 @@
+{
+  profiles.server.enable = true;
+}
--- a/hosts/abacus/restic.nix
+++ b/hosts/abacus/restic.nix
@ -18,8 +18,9 @@ in
      config.services.vaultwarden.backupDir
      config.services.syncthing.dataDir
      config.services.forgejo.stateDir
+      config.services.forgejo.dump.backupDir
      config.services.postgresqlBackup.location
-      config.services.postgresqlBackup.location
+      config.services.navidrome.settings.Backup.Path
      # TODO: Add stateDir options for these
      "/var/lib/headscale"
      "/var/lib/navidrome"
--- a/hosts/abacus/system.nix
+++ b/hosts/abacus/system.nix
@ -1,3 +1,3 @@
 {
-  system.stateVersion = "24.11";
+  system.stateVersion = "25.05";
 }
--- a/hosts/abacus/vaultwarden.nix
+++ b/hosts/abacus/vaultwarden.nix
@ -5,26 +5,20 @@
 }:
 let
  virtualHostName = "vault.wrz.one";
-  backupDir = "/srv/backup/vaultwarden";
 in
 {
  age.secrets = lib.mkSecrets { vaultwarden = { }; };

  services.vaultwarden = {
    enable = true;
-
    dbBackend = "sqlite";
-
-    inherit backupDir;
+    backupDir = "/srv/backup/vaultwarden";

    config = {
      DOMAIN = "https://${virtualHostName}";
-
      SIGNUPS_ALLOWED = false;
      INVITATIONS_ALLOWED = false;
-
      ENABLE_WEBSOCKET = true;
-
      ROCKET_ADDRESS = "127.0.0.1";
      ROCKET_PORT = 8000;
    };
--- a/hosts/flamingo/profiles.nix
+++ b/hosts/flamingo/profiles.nix
@ -0,0 +1,9 @@
+{
+  profiles = {
+    desktop.enable = true;
+    emulation.enable = true;
+    gaming.enable = true;
+    piracy.enable = true;
+    productivity.enable = true;
+  };
+}
--- a/hosts/glacier/hardware.nix
+++ b/hosts/glacier/hardware.nix
@ -27,7 +27,6 @@
      kernelModules = [ "amdgpu" ];
    };
    kernelModules = [ "kvm-amd" ];
-    binfmt.emulatedSystems = [ "aarch64-linux" ];
  };

  powerManagement.cpuFreqGovernor = "performance";
--- a/hosts/glacier/profiles.nix
+++ b/hosts/glacier/profiles.nix
@ -1,9 +1,9 @@
 {
  profiles = {
-    desktop = true;
-    emulation = true;
-    gaming = true;
-    piracy = true;
-    productivity = true;
+    desktop.enable = true;
+    emulation.enable = true;
+    gaming.enable = true;
+    piracy.enable = true;
+    productivity.enable = true;
  };
 }
--- a/hosts/insomniac/profiles.nix
+++ b/hosts/insomniac/profiles.nix
@ -0,0 +1,9 @@
+{
+  profiles = {
+    desktop.enable = true;
+    emulation.enable = true;
+    gaming.enable = true;
+    piracy.enable = true;
+    productivity.enable = true;
+  };
+}
--- a/hosts/vessel/filesystems.nix
+++ b/hosts/vessel/filesystems.nix
@ -1,22 +1,29 @@
 {
+  boot.initrd.luks.devices = {
+    main.device = "/dev/disk/by-label/cryptmain";
+    vault.device = "/dev/disk/by-label/cryptvault";
+    void.device = "/dev/disk/by-label/cryptvoid";
+    sync.device = "/dev/disk/by-label/cryptsync";
+  };
+
  fileSystems = {
    "/" = {
-      label = "white";
+      device = "/dev/mapper/main";
      fsType = "ext4";
      options = [ "noatime" ];
    };
    "/srv/vault" = {
-      label = "black";
+      device = "/dev/mapper/vault";
      fsType = "ext4";
      options = [ "noatime" ];
    };
    "/srv/void" = {
-      label = "green";
+      device = "/dev/mapper/void";
      fsType = "ext4";
      options = [ "noatime" ];
    };
    "/srv/sync" = {
-      label = "red";
+      device = "/dev/mapper/sync";
      fsType = "ext4";
      options = [ "noatime" ];
    };
--- a/hosts/vessel/profiles.nix
+++ b/hosts/vessel/profiles.nix
@ -0,0 +1,3 @@
+{
+  profiles.server.enable = true;
+}
--- a/hosts/vessel/restic.nix
+++ b/hosts/vessel/restic.nix
@ -2,7 +2,6 @@
  attrName,
  config,
  lib,
-  pkgs,
  ...
 }:
 let
--- a/hosts/work/profiles.nix
+++ b/hosts/work/profiles.nix
@ -0,0 +1,6 @@
+{
+  profiles = {
+    desktop.enable = true;
+    productivity.enable = true;
+  };
+}