add gunpowder Signed-off-by: jolheiser <git@jolheiser.com>
Signature
-----BEGIN SSH SIGNATURE----- U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgBTEvCQk6VqUAdN2RuH6bj1dNkY oOpbPWj+jw4ua1B1cAAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5 AAAAQPMGClfhTJgwFbyXqy65iFhhrFHHqsvh4sOCsn/ZD5QwPpyS9cwhi/r6nXC06/hpCc Leo/S08e7OLiQ1/w8P2AA= -----END SSH SIGNATURE-----
jolheiser <git@jolheiser.com>
1 week ago
3 changed files, 191 additions(+), 0 deletions(-)
M flake.nixflake.nix
diff --git a/flake.nix b/flake.nix
index eacccdad8644ee72c73fe730739f5b19df6dd356..c1c7d2213ea1bccac3732249dd268b597585af18 100644
--- a/flake.nix
+++ b/flake.nix
@@ -79,6 +79,7 @@             ];
             services.tclip.package = inputs.tclip.packages.${pkgs.system}.tclipd;
           };
         jasmine.imports = [ ./jasmine ];
+        gunpowder.imports = [ ./gunpowder ];
       };
       nixConfig = {
         extra-substitutors = [ "https://jolheiser.cachix.org" ];
Igunpowder/default.nix
diff --git a/gunpowder/default.nix b/gunpowder/default.nix
new file mode 100644
index 0000000000000000000000000000000000000000..ae5a619b4d9d4a9786b351d064a826b9f14dcf35
--- /dev/null
+++ b/gunpowder/default.nix
@@ -0,0 +1,134 @@
+{ pkgs, ... }:
+let
+  username = "jolheiser";
+  key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJh5aUDN/KN28+4tbayXRQliLyKFZaCZtUMEBNaJfHYj";
+in
+{
+  imports = [ ./hardware.nix ];
+
+  boot = {
+    kernelPackages = pkgs.linuxPackages_latest;
+    kernelParams = [
+      "quiet"
+      "splash"
+    ];
+    loader.grub = {
+      enable = true;
+      device = "/dev/sda";
+      useOSProber = true;
+      enableCryptodisk = true;
+    };
+  };
+
+  boot.initrd.secrets = {
+    "/crypto_keyfile.bin" = null;
+  };
+
+  boot.initrd.luks.devices = {
+    "luks-1f9bde68-9c4c-423c-a95f-17aa170dd2b4".keyFile = "/crypto_keyfile.bin";
+    "luks-a2ca1842-1ce0-437e-ba5e-8864a41e81cb" = {
+      device = "/dev/disk/by-uuid/a2ca1842-1ce0-437e-ba5e-8864a41e81cb";
+      keyFile = "/crypto_keyfile.bin";
+    };
+  };
+
+  networking = {
+    hostName = "gunpowder";
+    networkmanager.enable = true;
+    firewall.enable = true;
+  };
+
+  services = {
+    xserver = {
+      enable = true;
+      displayManager.lightdm.enable = true;
+      desktopManager.xfce.enable = true;
+    };
+    openssh.enable = true;
+    tailscale.enable = true;
+    mullvad-vpn = {
+      enable = true;
+      package = pkgs.mullvad-vpn;
+    };
+    resolved.enable = true;
+
+    # media
+    jellyfin = {
+      enable = true;
+      openFirewall = true;
+    };
+    tailproxy.jellyfin = {
+      enable = true;
+      hostname = "jellyfin";
+      port = 8096;
+      authKey = "tskey-auth-khZwt3ASDX11CNTRL-jYDAVuX7VVLCebLUGdvnVLLoUkeEevXEV"; # One-time key
+    };
+    sonarr = {
+      enable = true;
+      openFirewall = true;
+    };
+    tailproxy.sonarr = {
+      enable = true;
+      hostname = "sonarr";
+      port = 8989;
+      authKey = "tskey-auth-k1mZ4587A511CNTRL-uxq54KBAvb6YuhvZbxscb6rf7x8UwNiP"; # One-time key
+    };
+    radarr = {
+      enable = true;
+      openFirewall = true;
+    };
+    tailproxy.radarr = {
+      enable = true;
+      hostname = "radarr";
+      port = 7878;
+      authKey = "tskey-auth-kjuWphWmFp11CNTRL-dcpVCTbdPTAAiqQHaKVhTA27uNQeHxmq5"; # One-time key
+    };
+    bazarr = {
+      enable = true;
+      openFirewall = true;
+    };
+    tailproxy.bazarr = {
+      enable = true;
+      hostname = "bazarr";
+      port = 6767;
+      authKey = "tskey-auth-kydeAt7KDA21CNTRL-bLfZMG4ip4i4a91DX1b85ipjnZi9KgoN9"; # One-time key
+    };
+    prowlarr = {
+      enable = true;
+      openFirewall = true;
+    };
+    tailproxy.prowlarr = {
+      enable = true;
+      hostname = "prowlarr";
+      port = 9696;
+      authKey = "tskey-auth-koCbGEVEvh11CNTRL-7pxqVBdP4v5xNvsPP5mMv5oW8PrgVQmb"; # One-time key
+    };
+  };
+
+  users = {
+    users = {
+      "${username}" = {
+        extraGroups = [
+          "wheel"
+          "docker"
+          "storage"
+        ];
+        isNormalUser = true;
+        openssh.authorizedKeys.keys = [ key ];
+      };
+      "root".openssh.authorizedKeys.keys = [ key ];
+    };
+    groups.media.members = [
+      "jolheiser"
+      "olheiser"
+      "jellyfin"
+      "radarr"
+      "sonarr"
+    ];
+  };
+
+  environment.systemPackages = with pkgs; [ qbittorrent ];
+
+  system.stateVersion = "22.11";
+}
+
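Review bot: The five `tailproxy.*.authKey` values (the `tskey-auth-…` strings in the jellyfin, sonarr, radarr, bazarr and prowlarr blocks) are committed in plaintext to a repository that appears to be served publicly from git.jolheiser.com, so even as one-time keys they should be treated as exposed and revoked in the Tailscale admin console — any key not yet consumed lets a reader of this history enroll their own node on the tailnet. They belong in a secret store (agenix/sops-nix) referenced by path, e.g. `authKeyFile = config.age.secrets.tailproxy-jellyfin.path;`, though whether the `tailproxy` module exposes a file-based option is not visible in this hunk and needs checking. Separately, `"root".openssh.authorizedKeys.keys = [ key ];` gives the same key direct root SSH login; with `wheel` already on the user account this is redundant and worth dropping so a leaked key does not bypass sudo and its audit trail. Every media service also sets `openFirewall = true` while being fronted by a tailproxy, so the sonarr/radarr/bazarr/prowlarr UIs (often left unauthenticated out of the box) are reachable on every interface NetworkManager brings up rather than only via the tailnet; if the proxies are the intended access path, drop `openFirewall` and keep them bound locally. Lastly, `"olheiser"` in `groups.media.members` looks like a typo of `"jolheiser"` (already listed one line above) and will create a dangling membership rather than an error.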
Igunpowder/hardware.nix
diff --git a/gunpowder/hardware.nix b/gunpowder/hardware.nix
new file mode 100644
index 0000000000000000000000000000000000000000..d2228942b378da69219c33f49acf165369fd5844
--- /dev/null
+++ b/gunpowder/hardware.nix
@@ -0,0 +1,56 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "ehci_pci"
+    "ahci"
+    "usb_storage"
+    "usbhid"
+    "sd_mod"
+    "rtsx_pci_sdmmc"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/a3e3e496-9497-4340-9750-2104e2ab22ab";
+    fsType = "ext4";
+  };
+
+  fileSystems."/mnt/hdd" = {
+    device = "/dev/disk/by-uuid/eb8ad2da-12cf-454b-aa20-e497c4550b7c";
+    fsType = "ext4";
+    options = [
+      "users"
+      "nofail"
+      "gid=users"
+    ];
+  };
+
+  boot.initrd.luks.devices."luks-1f9bde68-9c4c-423c-a95f-17aa170dd2b4".device = "/dev/disk/by-uuid/1f9bde68-9c4c-423c-a95f-17aa170dd2b4";
+
+  swapDevices = [ { device = "/dev/disk/by-uuid/7e84d904-b00a-4c6c-aba4-ec1dde2dff85"; } ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp5s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
+