homelab framework module init (everything is a mess)

2025-07-28 02:05:13 +02:00 · 2025-07-28 02:05:13 +02:00 · bcbcc8b17b
commit bcbcc8b17b
parent 0347f4d325
94 changed files with 7289 additions and 436 deletions
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -0,0 +1,106 @@
+{
+  config,
+  lib,
+  pkgs,
+  inputs,
+  outputs,
+  ...
+}: {
+  imports = [
+    # Essential modules for all systems
+    inputs.sops-nix.nixosModules.sops
+    ../modules/homelab
+    # User configurations
+    ../users/plasmagoat.nix
+
+    # Secrets management
+    ../secrets
+  ];
+
+  # Colmena deployment defaults
+  deployment = {
+    targetHost = lib.mkDefault "${config.homelab.hostname}.${config.homelab.domain}";
+    tags = [config.nixpkgs.system config.networking.hostName];
+    replaceUnknownProfiles = lib.mkDefault true;
+    buildOnTarget = lib.mkDefault false;
+  };
+
+  # Basic system configuration that applies to ALL systems
+  nix = {
+    settings = {
+      experimental-features = ["nix-command" "flakes"];
+      auto-optimise-store = true;
+      allowed-users = ["@wheel"];
+      trusted-users = ["root" "@wheel"];
+    };
+
+    gc = {
+      automatic = true;
+      options = "--delete-older-than 15d";
+      dates = "daily";
+    };
+
+    optimise.automatic = true;
+
+    extraOptions = ''
+      keep-outputs = true
+      keep-derivations = true
+    '';
+  };
+
+  # Basic security
+  security.sudo.wheelNeedsPassword = false;
+
+  # SSH configuration
+  services.openssh = {
+    enable = true;
+    openFirewall = true;
+    settings = {
+      PasswordAuthentication = false;
+      PermitRootLogin = "prohibit-password";
+      KbdInteractiveAuthentication = false;
+    };
+  };
+
+  services.sshguard.enable = true;
+  programs.ssh.startAgent = true;
+
+  # Basic packages for all systems
+  environment.systemPackages = with pkgs; [
+    dig
+    nmap
+    traceroute
+    vim
+    git
+    curl
+    python3
+    htop
+    tree
+  ];
+
+  # Timezone and locale
+  time.timeZone = lib.mkDefault "Europe/Copenhagen";
+  console.keyMap = lib.mkDefault "dk-latin1";
+  i18n.defaultLocale = lib.mkDefault "en_US.UTF-8";
+
+  # System backup job (applies to all systems)
+  # homelab.global.backups.jobs = [
+  #   {
+  #     name = "system-config";
+  #     backend = "restic";
+  #     paths = [
+  #       "/etc/nixos"
+  #       "/etc/sops"
+  #       "/var/lib/nixos"
+  #     ];
+  #     schedule = "daily";
+  #     excludePatterns = [
+  #       "*/cache/*"
+  #       "*/tmp/*"
+  #     ];
+  #   }
+  # ];
+
+  # Default state version
+  system.stateVersion = lib.mkDefault "25.05";
+}
--- a/hosts/photos/default.nix
+++ b/hosts/photos/default.nix
@ -0,0 +1,28 @@
+{
+  outputs,
+  name,
+  ...
+}: let
+in {
+  imports = [
+    outputs.nixosModules.ente
+    ./ente.nix
+    # ./minio.nix
+  ];
+
+  homelab = {
+    enable = true;
+    hostname = name;
+    tags = [name];
+
+    monitoring.enable = true;
+    motd.enable = true;
+    services = {
+      minio.enable = true;
+    };
+  };
+
+  deployment.tags = ["ente"];
+
+  system.stateVersion = "25.05";
+}
--- a/hosts/photos/ente.nix
+++ b/hosts/photos/ente.nix
@ -0,0 +1,73 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  sops.secrets."ente/minio/root_password".owner = "ente";
+  sops.secrets."ente/minio/root_user".owner = "ente";
+  sops.secrets."service_accounts/ente/password".owner = "ente";
+
+  environment.systemPackages = with pkgs; [
+    ente-cli
+  ];
+
+  services.ente.api = {
+    enable = true;
+    enableLocalDB = true;
+
+    domain = "ente-museum.procopius.dk";
+    settings = {
+      # apps = {
+      #   accounts = "https://accounts.procopius.dk";
+      #   cast = "https://cast.procopius.dk";
+      #   public-albums = "https://albums.procopius.dk";
+      # };
+
+      smtp = {
+        host = "mail.procopius.dk";
+        port = "465";
+        username = "ente@procopius.dk";
+        password._secret = config.sops.secrets."service_accounts/ente/password".path;
+        # The email address from which to send the email. Set this to an email
+        # address whose credentials you're providing.
+        email = "ente@procopius.dk";
+        # Optional override for the sender name in the emails. If specified, it will
+        # be used for all emails sent by the instance (default is email specific).
+        sender-name = "ente";
+      };
+      internal.admins = [
+        1580559962386438
+      ];
+      s3 = {
+        use_path_style_urls = true;
+        b2-eu-cen = {
+          endpoint = "https://ente-minio-api.procopius.dk";
+          region = "us-east-1";
+          bucket = "ente";
+          key._secret = config.sops.secrets."ente/minio/root_user".path;
+          secret._secret = config.sops.secrets."ente/minio/root_password".path;
+        };
+      };
+    };
+  };
+  services.ente.web = {
+    enable = true;
+    domains = {
+      api = "ente-museum.procopius.dk";
+      accounts = "ente-accounts.procopius.dk";
+      albums = "ente-albums.procopius.dk";
+      cast = "ente-cast.procopius.dk";
+      photos = "ente-photos.procopius.dk";
+      auth = "ente-auth.procopius.dk";
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    3000
+    3001
+    3002
+    3003
+    3004
+    8080
+  ];
+}
--- a/hosts/photos/minio.nix
+++ b/hosts/photos/minio.nix
@ -0,0 +1,35 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  sops.secrets."ente/minio/root_user" = {};
+  sops.secrets."ente/minio/root_password" = {};
+
+  sops.templates."minio-root-credentials".content = ''
+    MINIO_ROOT_USER=${config.sops.placeholder."ente/minio/root_user"}
+    MINIO_ROOT_PASSWORD=${config.sops.placeholder."ente/minio/root_password"}
+  '';
+
+  services.minio = {
+    enable = true;
+    rootCredentialsFile = config.sops.templates."minio-root-credentials".path;
+  };
+
+  systemd.services.minio = {
+    environment.MINIO_SERVER_URL = "https://ente-minio-api.procopius.dk";
+    postStart = ''
+      # Wait until minio is up
+      ${lib.getExe pkgs.curl} --retry 5 --retry-connrefused --fail --no-progress-meter -o /dev/null "http://localhost:9000/minio/health/live"
+
+      # Make sure bucket exists
+      mkdir -p ${lib.escapeShellArg config.services.minio.dataDir}/ente
+    '';
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    9000
+    9001
+  ];
+}
--- a/hosts/sandbox/default.nix
+++ b/hosts/sandbox/default.nix
@ -0,0 +1,57 @@
+{
+  config,
+  name,
+  ...
+}: {
+  sops.secrets."restic/default-password" = {};
+
+  homelab = {
+    enable = true;
+    hostname = name;
+    tags = [name];
+
+    monitoring.enable = true;
+    motd.enable = true;
+
+    backups = {
+      enable = true;
+      backends = {
+        restic = {
+          enable = true;
+          repository = "/srv/restic-repo";
+          passwordFile = config.sops.secrets."restic/default-password".path;
+        };
+      };
+      jobs = [
+        {
+          name = "sandbox-home";
+          backend = "restic";
+          backendOptions = {
+            paths = ["/home/plasmagoat"];
+            repository = "/srv/restic-repo";
+            pruneOpts = [
+              "--keep-daily 7"
+              "--keep-weekly 4"
+              "--keep-monthly 6"
+              "--keep-yearly 3"
+            ];
+          };
+        }
+      ];
+    };
+
+    services.prometheus = {
+      enable = true;
+    };
+
+    services.gatus = {
+      enable = true;
+      ui = {
+        title = "Homelab Status Dashboard";
+        header = "My Homelab Services";
+      };
+    };
+  };
+
+  system.stateVersion = "25.05";
+}