
No commits in common. "04e0af85a914ec12dc26bf20e64f9bb1b7385edf" and "756b3dd5766bc76f9ec5ddcd1eba3ca003188ba7" have entirely different histories.

15 changed files with 147 additions and 268 deletions


@ -10,7 +10,7 @@ The nix based configuration for my home lab.
5. Create a secrets file with `sops edit secrets/HOSTNAME.yml` and put all required secrets in there. 5. Create a secrets file with `sops edit secrets/HOSTNAME.yml` and put all required secrets in there.
6. Commit changes to git. 6. Commit changes to git.
7. Start the VM. 7. Start the VM.
8. Deploy the configuration with `colmena apply --on HOSTNAME`. 8. Deploy the configuration with `colmena apply HOSTNAME`.
9. (Optional) If the VM requires an update to traefik run `colmena apply` to update all hosts. 9. (Optional) If the VM requires an update to traefik run `colmena apply` to update all hosts.
@ -29,53 +29,6 @@ The nix based configuration for my home lab.
- confgi.nix # Global configuration options - confgi.nix # Global configuration options
``` ```
## IP ranges
```
192.168.10.1 -> Main router
192.168.10.2 -> Openwrt accesspoint
192.168.10.3 -> Proxmox 1
192.168.10.4 -> Media share (Deprecated)
192.168.10.5 -> Mini 1 (Proxmox)
192.168.10.6 -> Mini 2 (Proxmox) (To be deployed)
192.168.10.[10-50] -> VM hosts
10 -> Proxy
11 -> Git
192.168.10.[100-200] -> DHCP range
174 -> Bluesky PDS
188 -> Portainer (Deprecated)
189 -> Bastion
190 -> Wings 1
191 -> Adguard (Deprecated)
192 -> Home assistant
```
## Data storage guidance
There are three categories of data used by applications, each should be
stored in their own specific way to ensure minimal possibility of data loss.
**Nothing should be deployed if it doesn't follow these guidelines!**
**Runtime state:** Data that has to be persisted to disk, but is not required
to be present after a restart of the application. Things such as encoding caches
fall in this category. **This data should be stored on the ephemeral file system
only**.
**Long term state:** Data that is generated by the application that has uses
between restarts, but can be easily replaced if it is lost. This is things such
as SSL certificates for traefik, as re-requesting these might cause
rate-limiting related issues. **This data should be persisted to the
`/persistent` directory. Use nix-impermanence for this.**.
**Application/user data:** This is most data managed by the system. This is data
that can not easily be replaced, such as pictures, videos, and other user
uploaded files, but also databases which are not purely generated, such as
Immich's database. **This data should be persisted to the Ceph cluster.
Preferably in real-time, but if this is infeasible, for example, running
databases on top of ceph incurs a large performance hit, the data should be
persisted in an automated fashion, such as through a cron job making a backup
every x hours.
## TODO: ## TODO:
### Services ### Services
@ -83,7 +36,7 @@ every x hours.
- FreshRSS: RSS server/reader - FreshRSS: RSS server/reader
- Gramps: Family tree - Gramps: Family tree
- hoarder: Bookmark manager - hoarder: Bookmark manager
- immich: Photos - immich: Fotos
- Jellyfin: Watching media files - Jellyfin: Watching media files
- Nextcloud: Files, contacts, calendar, etc - Nextcloud: Files, contacts, calendar, etc
- Pterodactyl panel: Game servers - Pterodactyl panel: Game servers


@ -1,5 +1,5 @@
{ {
domain = "kallestruik.nl"; domain = "staging.kallestruik.nl";
shortDomain = "khs.li"; shortDomain = "khs.li";
# Networking # Networking
defaultDNS = [ "192.168.10.1" ]; defaultDNS = [ "192.168.10.1" ];

18
flake.lock generated

@ -2,11 +2,11 @@
"nodes": { "nodes": {
"impermanence": { "impermanence": {
"locked": { "locked": {
"lastModified": 1737831083, "lastModified": 1731242966,
"narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=", "narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=",
"owner": "nix-community", "owner": "nix-community",
"repo": "impermanence", "repo": "impermanence",
"rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170", "rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -17,11 +17,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1744232761, "lastModified": 1732014248,
"narHash": "sha256-gbl9hE39nQRpZaLjhWKmEu5ejtQsgI5TWYrIVVJn30U=", "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "f675531bc7e6657c10a18b565cfebd8aa9e24c14", "rev": "23e89b7da85c3640bbc2173fe04f4bd114342367",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -45,11 +45,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1744103455, "lastModified": 1734546875,
"narHash": "sha256-SR6+qjkPjGQG+8eM4dCcVtss8r9bre/LAxFMPJpaZeU=", "narHash": "sha256-6OvJbqQ6qPpNw3CA+W8Myo5aaLhIJY/nNFDk3zMXLfM=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "69d5a5a4635c27dae5a742f36108beccc506c1ba", "rev": "ed091321f4dd88afc28b5b4456e0a15bd8374b4d",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -1,8 +0,0 @@
{
...
}:
{
hostname = "adguard";
managed = false;
ip = "192.168.10.191";
}


@ -8,11 +8,10 @@ rec {
ip = "192.168.10.189"; ip = "192.168.10.189";
traefikRoutes = [ traefikRoutes = [
# NOTE: Disabled for now, since there is no auth yet {
# { name = "${hostname}-vpn";
# name = "${hostname}-vpn"; rule = "Host(`vpn.${hlConfig.domain}`)";
# rule = "Host(`vpn.${hlConfig.domain}`)"; target = "http://${ip}:80";
# target = "http://${ip}:80"; }
# }
]; ];
} }
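Review bot: The `${hostname}-vpn` route is switched on here and the comment that explained why it was off (`NOTE: Disabled for now, since there is no auth yet`) is dropped, but nothing in this section puts authentication in front of `http://${ip}:80`. As far as the traefik role section on this page shows, a route record only feeds `name`, `rule` and a target into the router, so the VPN UI would be published on `vpn.${hlConfig.domain}` exactly as the backend serves it. Either keep the entry commented out until a forward-auth middleware can be attached to it, or, if the backend now enforces its own login, say so in place of the removed note, e.g. `# vpn UI requires its own login; safe to publish through traefik`. The `rec { … }` block starts outside the hunk.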


@ -1,19 +0,0 @@
{
roles,
hlConfig,
}:
{
hostname = "git";
managed = true;
ip = "192.168.10.11";
roles = with roles; [
postgres
forgejo
];
config = {
forgejo.domain = "git.${hlConfig.domain}";
};
stateVersion = "24.05";
}

29
hosts/nix-test.nix Normal file

@ -0,0 +1,29 @@
{
roles,
hlConfig,
}:
{
hostname = "nix-test";
managed = true;
ip = "192.168.10.99";
roles = with roles; [
postgres
podman
traefik
sonarr
authentik
forgejo
];
config = {
sonarr.domain = "service1.${hlConfig.domain}";
authentik.domain = "service2.${hlConfig.domain}";
forgejo.domain = "service3.${hlConfig.domain}";
traefik.wildcardDomains = [
hlConfig.domain
"pds.${hlConfig.domain}"
];
};
stateVersion = "24.05";
}
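Review bot: This host puts the edge proxy, the identity provider, the database and the applications behind them into one role list (`traefik`, `authentik`, `postgres`, `forgejo`, `sonarr`, `podman`), and the matching `secrets/nix-test.yaml` on this page keeps all of their credentials, including `CLOUDFLARE_DNS_API_TOKEN` and authentik's `secret_key`, in a single sops file for the same three age recipients. A compromise of any one service on this VM would therefore sit next to the DNS credential presumably used to issue the wildcard certificates listed in `traefik.wildcardDomains` and next to the IdP's key material. If this is a throwaway test fixture, say so above `hostname`, e.g. `# Test host: all roles co-located on purpose; secrets here must not be reused on real hosts`, so it is not copied as a template. The `service1`/`service2`/`service3` subdomains would also read better with a short comment naming the service behind each.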


@ -1,17 +0,0 @@
{
...
}:
rec {
hostname = "portainer";
managed = false;
ip = "192.168.10.188";
traefikRoutes = [
{
name = "${hostname}-traefik-fallback";
rule = "HostRegexp(`.*`)";
target = "http://${ip}:80";
priority = 1;
}
];
}


@ -1,21 +0,0 @@
{
roles,
hlConfig,
}:
{
hostname = "proxy";
managed = true;
ip = "192.168.10.10";
roles = with roles; [
traefik
];
config = {
traefik.wildcardDomains = [
hlConfig.domain
hlConfig.shortDomain
"pds.${hlConfig.domain}"
];
};
stateVersion = "24.05";
}


@ -42,8 +42,7 @@
in in
{ {
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
3000 # Forgejo 3000
2222 # Forgejo built-in ssh server
]; ];
# Create the database # Create the database
@ -70,6 +69,17 @@
}; };
}; };
environment.persistence."/persistent" = {
directories = [
# TODO: Backup onto CEPH cluster periodically. Or maybe move fully, if performance allows it.
{
directory = "/appdata/forgejo";
user = "forgejo";
mode = "0700";
}
];
};
environment.systemPackages = environment.systemPackages =
let let
forgejo-cli = pkgs.writeShellScriptBin "forgejo-cli" '' forgejo-cli = pkgs.writeShellScriptBin "forgejo-cli" ''
@ -77,7 +87,7 @@
echo "No arguments supplied" echo "No arguments supplied"
exit 1 exit 1
fi fi
sudo -u forgejo -- ${lib.getExe pkgs.forgejo} --config /cephfs/appdata/forgejo/custom/conf/app.ini $@ sudo -u forgejo -- ${lib.getExe pkgs.forgejo} --config /appdata/forgejo/custom/conf/app.ini $@
''; '';
in in
[ [
@ -86,8 +96,7 @@
services.forgejo = { services.forgejo = {
enable = true; enable = true;
package = pkgs.forgejo; stateDir = "/appdata/forgejo";
stateDir = "/cephfs/appdata/forgejo";
lfs.enable = true; lfs.enable = true;
database = { database = {
@ -129,11 +138,6 @@
mailer = { mailer = {
ENABLED = true; ENABLED = true;
}; };
picture = {
DISABLE_GRAVATAR = false;
ENABLE_FEDERATED_AVATAR = true;
};
}; };
secrets = { secrets = {
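Review bot: The `forgejo-cli` wrapper forwards its arguments as a bare `$@`, so any argument containing spaces or glob characters is re-split and expanded by the shell before it reaches the binary that `sudo -u forgejo` runs; the line should end in `"$@"` instead. The same section drops `package = pkgs.forgejo;` from `services.forgejo` while the wrapper still calls `${lib.getExe pkgs.forgejo}`, so if the module's default package is a different build, the CLI and the running service may disagree on version while using the same `app.ini` and database; pointing the wrapper at `config.services.forgejo.package` (assuming `config` is among the module arguments, which are not visible here) would keep them in step. Port 3000 stays in `allowedTCPPorts` but loses its comment; if traefik now runs on the same host, as the `nix-test` role list on this page suggests, the port may not need to be open at all, otherwise restore something like `3000 # Forgejo HTTP, reached by the proxy`. The wrapper and the `services.forgejo` block both continue outside the visible hunks.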


@ -129,7 +129,6 @@
entrypoints = [ "websecure" ]; entrypoints = [ "websecure" ];
service = route.name; service = route.name;
rule = route.rule; rule = route.rule;
priority = route.priority or "0";
}; };
}) routes }) routes
); );


@ -1,47 +0,0 @@
forgejo:
db_pass: ENC[AES256_GCM,data:Kbsfciqm7InemdMohjVU90P03N+AyG5xK3DC8Ali+86Sk1iuOqGvZrxeWQFC+C33LYBSQObcauK6zhd6mtniSg==,iv:JyktRVc9D0Bx5AAv21AzoZp0h/aFLPt6qjXQDodyND0=,tag:xunAgH+zAdecQNMtMGqyvA==,type:str]
email_host: ENC[AES256_GCM,data:xmQQelGSqEwWhuiUYgvYlxP5LTkiuw==,iv:t0H4OA4kgOFXhL2bkgGTGl+fuaHwkxwzFSwQXqZbnGA=,tag:PZhGpttL5lxMN+ar/Vdqyg==,type:str]
email_port: ENC[AES256_GCM,data:ERRb,iv:5Cs7ryQTXbIJMExHOXeCFBvHPqjaO1t7TA8VrhtiTbM=,tag:vXZnUQQ6gT/SiuGzK/+Q/g==,type:str]
email_from: ENC[AES256_GCM,data:xFFAgVmf0boB0mOcQKKhiiRQ,iv:P8jW12RYOp4zwnRKGxjFPpTU6vS6LYozTXGPoGqXv3Q=,tag:MnIKOW3NQUumWDNLZogSzw==,type:str]
email_username: ENC[AES256_GCM,data:iJ70yLlPzsmCkuq6XvsKpujx,iv:XlA7n1GIVhgWuGWoD3io0jSPy5pdlmwzyMdqztQqyGo=,tag:5YsLkLD0SOn0YJhKEKvJ8Q==,type:str]
email_password: ENC[AES256_GCM,data:Wx1y1hyIeT+D0k5kXflo86cYl3Q=,iv:uTTIsEK0y1pCIsophxBNwEKoYBBNDa8qv4arjj9c4Mw=,tag:obv6lL2btVLf9365vyb+Pg==,type:str]
postgres:
forgejo: ENC[AES256_GCM,data:jG1RpH+5t9Q2aBiB0s/euEj5xLd7+7ZY7wQ9klskjFIDbjfDT8A+Llm2VlVbQDgXlhvfGjLIA2OiR4vaEH9U4g==,iv:POoGsB0P8VmuAM16IoQinGpnkpxQxb3rNDo88THfOwQ=,tag:FazT+fvxjh0AfLsoVHD+qw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1y86zket4wccf9kfp65gmlcsf0a9drjux7r3zlcfqqdkh99dfnyeqts8jra
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwQzFEVXA0OUZMQUJtZm9o
eGFOdDVwQUNJdlRob2xwQ21lcmNvRHdtTEd3ClVyVDlWZllTcWF1SVFkMUhQR0dR
U2c3N25LRlRPYU5uTUFiTnh6M3BGRjgKLS0tIGZ5TzZCZmRDVjVhVUI4c2Q1SXRJ
OXdlazF0a2V0eWcxNitlZ2FvRjNGZXMKUYa0smUtciuNPlltmygDNe5KVBLXxLru
JeiHzNy5hEtG+3nStBR8m1A7gMJGuKEn2cvDedOOhlATKWHpb39/2A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1htf3j7d0me9f24fadwth7avs40qm8yzhczljfgh0wjepdr8utfvqd369xp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQOXdQMy90QS9Uckk4SlFH
TzJlUWsrRGNFdE1yc2FZWnhsZ3hub3ZPdkVnCkY4OFhIY0tzajBkYy92K0RBejZS
MmtqbElJdEVhdXk2QlFzOStYRFB4YTgKLS0tIElrOUw2NGx3NGxFS211VlNBYWw2
N0dOcEM5aTdFd0tnV0NJOWI1eUpMY00K0ZHvxPjaVJm7HdaX0HUdx7CuzMEFoSAW
razcSD3PSvF/hBAyWSE4gjWpiKX65t/P+HVmLvE8wCY0ou88H53UVA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1w8flykazkwxewcxpe2mn50cawn857ylcdp4r7vp459p3q7cx9uasap4stz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwL1NHV1Rjd2dOamVhZUVR
RldsWko3ZkF5cGM3c241Q3MzbHRqQ2NqM2pBClpHN0RaQnZOcEVqTDVjYTNackE2
Vzd2YXRndHBSY04xVTdvdnJBL2xoNFkKLS0tIFloYVlXSHhyU1pWRW5SVXM1UFlN
TWZsbWF0U3pCZmJKRjQwRGhKNmN6d2sKgwe0htUOOw4FEC5Xvg7FAnnb8jpt+pRP
x7OUZZG/Jeb99at9YqjJDJp2hB6SsnZsHgqrrHupqGoAYZncAF4Ngg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-08T10:49:24Z"
mac: ENC[AES256_GCM,data:DczVEHMow0k66KVcfU9tlsg131VUZhwUMSiDLBTb22KtHJs/eSrjqQ+P+naTX8a4lOAn4KzQiRugl1AieBmPhB77RyFjM2WRDLYZlbxv9d8StjNlgAdpOok4aGhxf8fncI+op+Gk5HOSoVsT7IVnofK+0V+14XhmgfQJpHuP2yE=,iv:Z4yfkbrvhlubP8DNhGkfwzvOI1CRJBgo7MolxGV3/EU=,tag:ptATWw7zn0UP/GFBRSy/bg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1

60
secrets/nix-test.yaml Normal file

@ -0,0 +1,60 @@
traefik:
acmeEmail: ENC[AES256_GCM,data:aM2AQADo5s0c1b//UWPXNPlKMXNRRnPFDbM=,iv:RP7Tn8s1nYKJf0B0KO0BQkI4tnz/zUK8KqzQqeNiyZk=,tag:g4+lwK4miUdxOwLHQcUZhg==,type:str]
CLOUDFLARE_EMAIL: ENC[AES256_GCM,data:YHQ00Qh0t7owvFE/PXu8o4a8ry1P92/CVA==,iv:z982jUAm8W4Du/5dLopQZE0p5eWi4Ls7TYsiiwUlqvg=,tag:bek2eQ4duYBH8F2LG+Tr+g==,type:str]
CLOUDFLARE_DNS_API_TOKEN: ENC[AES256_GCM,data:zyTpv1AGA9GzfGfFyxqO40NKZt8LlHU1YT9kvXPZYAGUc5wE3GVxzg==,iv:W7u5gEeYNkCGO3D0Y+XBZ4PCI081QsNK10ThHKbV68M=,tag:7onKfU+mVz3euCbFrX1mdg==,type:str]
authentik:
db_pass: ENC[AES256_GCM,data:Jkz/wWf+yOm3d+hb+c56XXSGYjYRJbMwJqpcr4HMmu+WVflZCh/ILw==,iv:42uswgv+lIRnonX6kT0MFhs5EYaTgdakrBe9DmFUY2k=,tag:hUxlquZT4RBHlcLKVtHVlg==,type:str]
secret_key: ENC[AES256_GCM,data:JdSbOxLGa0Bqac/YV4HgpN2lD+UEgvWa4YqQ4nQJka8MTRmuFYNDN3eQ5d1bI7JCijy4y7QqyhtKfdpK/puVsNkoSb4Cmh3m7nlqHx/2b9M=,iv:2c5Zk+TLvvlW/JTq2pvdyqT0PNe4qJ9OXEGA20feh1g=,tag:7y2yYlUXrq7gH6qAHaypqA==,type:str]
email_host: ENC[AES256_GCM,data:T5UErdKKbyfYkbd+1V6JEz6yp7h+ww==,iv:o/wvYwDgx+z8v8l9A7OudP0GFGK6ngMrj/X3cLTDN6U=,tag:sR9PZkQc+28rs+rpPV142Q==,type:str]
email_port: ENC[AES256_GCM,data:bPPI,iv:3174C+o4058QF5c46qDWbUMRt+SpDEHtV+vbvQxfTn4=,tag:1oR0WLLzYru5BGdWluKJZg==,type:str]
email_from: ENC[AES256_GCM,data:X6NP2i3uAZQFK7JdeviIMFhNPw==,iv:dwZFyzzzzFNTVfe1nhWebXrTolCa991p+vJUAOxFJf8=,tag:gClo9mZfaVFP35yZath0Nw==,type:str]
email_username: ENC[AES256_GCM,data:c1lu5Tw6N6w96uUujSj1wHh7fQ==,iv:XX2iYXOzz8EhcZ75NlmLsasnZnCrihE9K17qS2nhAyI=,tag:qfhh3bB530IIsJwmjG20Lw==,type:str]
email_password: ENC[AES256_GCM,data:2f/LN5q/5RRIzAc8ol9RByf+RrQ=,iv:gy/UvcKzpvC0r4nQFbTYta8alzTjPWhFWCjGIw/PnuU=,tag:LLOk7NMuQ3VZ2zA779A5dw==,type:str]
forgejo:
db_pass: ENC[AES256_GCM,data:xJ0Jh4Q0gr0zoTful8iprs7Ly+xifvsaR9GgUrgvmsVatA4Ad7laVo9bnj3fpEHm3hOtlpKalys=,iv:69dIKbyG8UOhI5537Yf14vLt5HLVQ6FIK5mGd2/KEIM=,tag:Ef1z297ens/aKAwIMYctWA==,type:str]
email_host: ENC[AES256_GCM,data:HDJjMSYAgbvdS6p4TD7L3B3pAmNq7Q==,iv:01kDFluA0yuqJCa57kopLw0i1/t83FQu/RjoyAl8d8w=,tag:OswWkJxwlDZvH7GjVKv0MA==,type:str]
email_port: ENC[AES256_GCM,data:WOKc,iv:c1oMvzUr8S6ciP/35f/8FjhFSyF3cJCoa2kKGccGuB4=,tag:pBDK6cCg1vAMV4KEcd7lhw==,type:str]
email_from: ENC[AES256_GCM,data:H/aOZlAvMlv1CpW5i1v5U6PO,iv:e7j2pzvRY2798O4bDDI0k/hoQhUxG+g44C85jgYBD2c=,tag:4WpzQdSAs1bS8Pqh2ZIm1w==,type:str]
email_username: ENC[AES256_GCM,data:TPq7n3ypd4sXcx5l+b4ngVu8,iv:s1ifRo9Ro8v8p+Gq1pJsWxz9A3oK6Rt9tA1Bfbs3fzQ=,tag:nN+yqVk2hBOcHqe0QiIGyw==,type:str]
email_password: ENC[AES256_GCM,data:nyiLr08pVqBYFoEasYvjwVMJL9I=,iv:Cf1JzGgnr5HzPtGG4a59WWoDm2z9Ksnz1Z/A/xK6/34=,tag:1y2mpQixkmjdPdyXEFUouQ==,type:str]
postgres:
authentik: ENC[AES256_GCM,data:45DJfPHXeGyT8KDty5Po68whOVSTbT+iAfBpJ/6dKy0EeaKLKq/w1A==,iv:CtmwN+9tKmsCcU46OvBME/urkAvjEtVBqfqgs8dkkCU=,tag:j+yZfVv62IhkgF7HRT6zLQ==,type:str]
forgejo: ENC[AES256_GCM,data:tL1XRh6taMU8sGGF4zE9V3pY4jUn3zeyumTcmen5cTmE9z1A2UVpC8f8ZkWnz+97k+OWIKzbqZs=,iv:B2V+n7u7B89fy07WvzMwXSFgZEuNpHAvdywHI6RIhaI=,tag:5WmIIH79BLPuh31DGq5CaA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1y86zket4wccf9kfp65gmlcsf0a9drjux7r3zlcfqqdkh99dfnyeqts8jra
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYR21vNXUrWnhvdUMxbFpD
RzB6R0E4TTE0LzZsMkU4c0JWZ1A3eVA3dm04ClNWa3dFakQxMDNVeVhKZ1lmN25Y
bnBFWGh5QUw0Nll3VkpDSW8wYXI2dE0KLS0tIHFtSjY0cjZuUnh6TXFiNFpJQ0hr
ODJ0R3RRQnk1bUdtbURtSC9TSWdwQ1kKprJu0kIG64+YNgPxFI2tAfj2Xi4jgqGd
W2s2NNPwbGFS4gu5SYm4qLBuTRZTmI+E32n8CmZVGMhA8TyNYjKK9g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1htf3j7d0me9f24fadwth7avs40qm8yzhczljfgh0wjepdr8utfvqd369xp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1NG9POEtpQXNSdHkxa0xG
Rmx3TWN4U1VjdXFaS21KYWtIYS81Rjhwa0QwCkJBUU5LRkoyMGJ3OEVoTDRtNGxT
eDkyazFnV3FTK04zRXB6bjJUMlRXekkKLS0tIEEzbGM2UkJnOXBVa05oMS9wOVdY
MC9taWozUzlWMlE0NUVvSXc2bXZpc3cKJcAO5O7Z7zXuC/zmSqMBLM+YnZrq1ud2
TREfUDBRh/vUbWtbl13qU9NUH8szI+88WXMasc22paSBaQlFJvLTLQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1w8flykazkwxewcxpe2mn50cawn857ylcdp4r7vp459p3q7cx9uasap4stz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVREN2VlBSdU5rVU1GYk82
M2RoTWRLWjU3QmxNaEdFTjRGNmYweFphdVFVCmV6d29wSmc0U3E4aU5oMUdXTGR4
d2RqWVBWb0dKMGlQTk4zRnNwc2gyb00KLS0tIHhnNmdkZ0FqZXZiK3kxcjByRE5z
OHkvUTViMVZSUGFSeDN1ZDcxN3NtNzQK48qiEMcKbsrh8ZhnMD7lkhsy0JRMYiOU
EtXwHxEzIXukStQ9kXazfHJJouuqv7mhx12tgv+QKvrfWxCJ5WvE2A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-02-16T11:32:08Z"
mac: ENC[AES256_GCM,data:gO1LQdr6HTMMH3czNhMjS9BS9fNyQbw/50KGiAcS97lWN840zYmKXe/n8cJUmBHPtQZVB9QfQTuC3uEEFvhOd0qlmCQaCso5gbyxlTRx3Q2yx/JcpZtktWaJLqsncVUMELavKy7yB0/Q8QnUdDz0Tfo1qotY2He8iyyZUTBkuDA=,iv:+hZg5EJZ8jy08LG3Of9fb1NkN/fbBhhSXh+rM7a9PU8=,tag:UjayBiZy7QV8Puzu3jPIFQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.2


@ -1,42 +0,0 @@
traefik:
acmeEmail: ENC[AES256_GCM,data:2NIn1rMLFehqkAO3tjFDn9UF7BMBKhD9aGU=,iv:WoFtJFykx8IEXxThJSVmNlOm0zfI0WP9Y3Ew8Eqg8aQ=,tag:r2LMLztbW0MBXwBPwoZJ5w==,type:str]
CLOUDFLARE_EMAIL: ENC[AES256_GCM,data:IyhExThwo41VOdWBO55KsDZfaEnTuBXkdA==,iv:amtywKJXT87IuqeKqhX7Jx8VeWtZ4KaVyc5CRoRg7SM=,tag:2EZTdhdXrG7JC0NDfjd3Dg==,type:str]
CLOUDFLARE_DNS_API_TOKEN: ENC[AES256_GCM,data:WaHJsdz9/SLNeKvxm54uXnZs7+e7phSbtWaccQPbX4Qv4aDF9CSVog==,iv:1bJen5qfY/bLd87LUTdbioMQPT1iH/91YhJm3Syf8yw=,tag:vdt5cPk3Zb/6ka9AJ5uk0w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1y86zket4wccf9kfp65gmlcsf0a9drjux7r3zlcfqqdkh99dfnyeqts8jra
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOeGxXdll5TkxVWHJBSVVr
WVF4VTlRWUErdUJqTGl5V24zV0hRYmd1N3hJCjVOMXZVVVpTREtUdzhranJiWSs5
cUd2N0VWa2gxUXhkQjlGV05EclRWOHMKLS0tIHFsMloxZ2d1UzU5eDVGT3dXWTNq
c3dpUlNCVjJzcE5aeS9xTFkrRXowVmcK799dYn13LAhigtQxD+uO8hcjddkdK0QG
F5txOFUUozgf7bgiTDhLlNQk2IV8cxk5TlNUKwr32C/bLsxyTvcTHg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1htf3j7d0me9f24fadwth7avs40qm8yzhczljfgh0wjepdr8utfvqd369xp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaRjlkcXNyMitndy8zNnpP
ZnU3dnNzWEdvKzNBRVk2UVdaRVYrZVlDNVg0CnQ3MlpWTVBheUhsZ0RmZGJnL2VK
ZlZ0clFZRmtma0xZU1hYaGVUSXcvSEUKLS0tIFd4NmhPNUdCalpDVmQ3SHB1QWlV
UWo5dWdTelJvdzVqU1l4cU8zZlcvWFkK6/4uT9YwqyVBkT3z9w+SuLHttVTRZw4s
ztujbvxEgxfG/57PdbBXjPKyke/GZIJbUSFrWMNId5Ni5PsOJrMK+Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1w8flykazkwxewcxpe2mn50cawn857ylcdp4r7vp459p3q7cx9uasap4stz
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAycm5IOGM2VDRwejRiS1Y1
dUZ2Zyt6c3RLaVFwYkJmaTFCeVk5UU1ZdzFVCklMRjRoZFgrL2oweko4eC9XenFy
OStrSzFOQnlSbllKYWpLMEs4QllNUDgKLS0tIFI0YmptcDlGM0tjdkNtdW9OdU84
SkJER2I3bDRGcjA5TFkwWDlwcFd0bUkKqsnJjdyDhA6d4aux89pI6uqxh1tAvfop
QE7Y7p7C8mRizec9HSjbSzHXvqic4shhxRzgk6jQy07nvIe+1CW7pQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-08T10:49:42Z"
mac: ENC[AES256_GCM,data:ClOIl+pDrTl1+ppHnCm//C5jPzAwQeaPck7Utr9KxKBfJzVfSQIvZdokXSCrOKm9vFrg4SODpGsYF2sUD3H0W9otys1FyDghoX1yZhWLkeBBcxzfb35hALZQFt+wUm0n0QGkNjAq/YtT0431Y8tr42h4MeSGv6JgyZEBkLf8D4o=,iv:k1B92QH6RkdcHyJC/z9fkg/OWkln4wdGQCBwuCYTo04=,tag:KWk6hRf/IqeGaUO+2hKIOA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1


@ -2,47 +2,36 @@
... ...
}: }:
{ {
boot.supportedFilesystems = [ "btrfs" ]; boot.supportedFilesystems = [ "btrfs" ];
fileSystems."/" = { fileSystems."/" = {
device = "none"; device = "none";
fsType = "tmpfs"; fsType = "tmpfs";
options = [ options = [ "defaults" "mode=755" ];
"defaults" };
"mode=755"
];
};
fileSystems."/boot" = { fileSystems."/boot" = {
device = "/dev/disk/by-label/boot"; device = "/dev/disk/by-label/boot";
fsType = "vfat"; fsType = "vfat";
}; };
fileSystems."/nix" = { fileSystems."/nix" = {
device = "/dev/disk/by-label/btrfs"; device = "/dev/disk/by-label/btrfs";
fsType = "btrfs"; fsType = "btrfs";
options = [ options = [ "compress=zstd" "subvol=nix" "noatime" ];
"compress=zstd" };
"subvol=nix"
"noatime"
];
};
fileSystems."/persistent" = { fileSystems."/persistent" = {
device = "/dev/disk/by-label/btrfs"; device = "/dev/disk/by-label/btrfs";
fsType = "btrfs"; fsType = "btrfs";
options = [ options = [ "compress=zstd" "subvol=persistent" "noatime" ];
"compress=zstd" autoResize = true;
"subvol=persistent" neededForBoot = true;
"noatime" };
];
autoResize = true;
neededForBoot = true;
};
fileSystems."/cephfs" = { fileSystems."/media" = {
device = "vm@b9b22d11-3492-49a6-92b7-b36cdf0161fe.cephfs=/"; device = "vm@b9b22d11-3492-49a6-92b7-b36cdf0161fe.cephfs=/media";
fsType = "ceph"; fsType = "ceph";
options = [ "nofail" ]; options = [ "nofail" ];
}; };
} }
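Review bot: Mounting `cephfs=/media` instead of `cephfs=/` narrows what this VM sees only on the client side; nothing in this section shows that the cephx identity `vm` is itself limited to that path. If its caps still cover the whole filesystem, anything with root on the VM can mount `/` again, so it is worth confirming the caps on the cluster and recording the result next to the mount, e.g. `# cephx client "vm" is restricted to /media (see ceph fs authorize)`. Separately, `nofail` combined with the tmpfs root means that a failed mount leaves `/media` as an empty in-memory directory, and services that write there without checking for the mount would lose that data on reboot.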