diff --git a/hosts/chidi/default.nix b/hosts/chidi/default.nix index c706cfd..2095847 100644 --- a/hosts/chidi/default.nix +++ b/hosts/chidi/default.nix @@ -1,6 +1,6 @@ { - inputs, pkgs, + inputs, user, hostname, ... @@ -20,7 +20,6 @@ home-manager.users.${user} = { imports = [ - inputs.nixvim.homeModules.nixvim ../../profiles/atuin.nix ../../profiles/bash.nix ../../profiles/bat.nix @@ -44,6 +43,7 @@ ../../profiles/zk.nix ../../profiles/zoxide.nix ../../profiles/zsh.nix + inputs.nixvim.homeModules.nixvim ]; fonts.fontconfig.enable = true; programs.git.settings.user.email = "christoph@tuist.dev"; diff --git a/hosts/jason/default.nix b/hosts/jason/default.nix index 7a960ce..9c54d90 100644 --- a/hosts/jason/default.nix +++ b/hosts/jason/default.nix @@ -19,7 +19,6 @@ home-manager.users.${user} = { imports = [ - inputs.nixvim.homeModules.nixvim ../../profiles/atuin.nix ../../profiles/bash.nix ../../profiles/bat.nix @@ -43,6 +42,7 @@ ../../profiles/zk.nix ../../profiles/zoxide.nix ../../profiles/zsh.nix + inputs.nixvim.homeModules.nixvim ]; fonts.fontconfig.enable = true; programs.git.settings.user.email = "christoph@schmatzler.com"; diff --git a/hosts/michael/default.nix b/hosts/michael/default.nix index 8f538b2..c31a52f 100644 --- a/hosts/michael/default.nix +++ b/hosts/michael/default.nix @@ -1,9 +1,9 @@ { - modulesPath, - hostname, - inputs, config, + inputs, user, + hostname, + modulesPath, ... }: { imports = [ @@ -14,9 +14,9 @@ ./secrets.nix ../../modules/gitea.nix ../../profiles/core.nix - ../../profiles/openssh.nix ../../profiles/fail2ban.nix ../../profiles/nixos.nix + ../../profiles/openssh.nix ../../profiles/tailscale.nix inputs.disko.nixosModules.disko inputs.sops-nix.nixosModules.sops @@ -35,9 +35,10 @@ }; }; + networking.hostName = hostname; + home-manager.users.${user} = { imports = [ - inputs.nixvim.homeModules.nixvim ../../profiles/bash.nix ../../profiles/bat.nix ../../profiles/direnv.nix 
@@ -54,8 +55,7 @@ ../../profiles/ssh.nix ../../profiles/starship.nix ../../profiles/zoxide.nix + inputs.nixvim.homeModules.nixvim ]; }; - - networking.hostName = hostname; } diff --git a/hosts/michael/secrets.nix b/hosts/michael/secrets.nix index 37d65d9..99896b8 100644 --- a/hosts/michael/secrets.nix +++ b/hosts/michael/secrets.nix @@ -1,22 +1,22 @@ {...}: { - sops.secrets.michael-gitea-litestream = { - sopsFile = ../../secrets/michael-gitea-litestream; - format = "binary"; - owner = "gitea"; - group = "gitea"; - }; - - sops.secrets.michael-gitea-restic-password = { - sopsFile = ../../secrets/michael-gitea-restic-password; - format = "binary"; - owner = "gitea"; - group = "gitea"; - }; - - sops.secrets.michael-gitea-restic-env = { - sopsFile = ../../secrets/michael-gitea-restic-env; - format = "binary"; - owner = "gitea"; - group = "gitea"; + sops.secrets = { + michael-gitea-litestream = { + sopsFile = ../../secrets/michael-gitea-litestream; + format = "binary"; + owner = "gitea"; + group = "gitea"; + }; + michael-gitea-restic-password = { + sopsFile = ../../secrets/michael-gitea-restic-password; + format = "binary"; + owner = "gitea"; + group = "gitea"; + }; + michael-gitea-restic-env = { + sopsFile = ../../secrets/michael-gitea-restic-env; + format = "binary"; + owner = "gitea"; + group = "gitea"; + }; }; } diff --git a/hosts/tahani/default.nix b/hosts/tahani/default.nix index 5e88670..e67a720 100644 --- a/hosts/tahani/default.nix +++ b/hosts/tahani/default.nix @@ -10,15 +10,16 @@ ./paperless.nix ./secrets.nix ../../profiles/core.nix - ../../profiles/openssh.nix ../../profiles/nixos.nix + ../../profiles/openssh.nix ../../profiles/tailscale.nix inputs.sops-nix.nixosModules.sops ]; + networking.hostName = hostname; + home-manager.users.${user} = { imports = [ - inputs.nixvim.homeModules.nixvim ../../profiles/atuin.nix ../../profiles/bash.nix ../../profiles/bat.nix 
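Review bot: The regrouped `sops.secrets` attrset in hosts/michael/secrets.nix still repeats `format = "binary"; owner = "gitea"; group = "gitea";` for all three entries, so a fourth gitea secret will be copy-pasted and a change of the owning user has to be made in three places. A small local helper would make the ownership a single fact, e.g. `let giteaSecret = name: { sopsFile = ../../secrets/${name}; format = "binary"; owner = "gitea"; group = "gitea"; }; in` (constructed name) and then `michael-gitea-litestream = giteaSecret "michael-gitea-litestream";` per entry. The module takes `{...}:`, so the helper needs no new arguments and the resulting option values are unchanged.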
@@ -41,6 +42,7 @@ ../../profiles/zk.nix ../../profiles/zoxide.nix ../../profiles/zsh.nix + inputs.nixvim.homeModules.nixvim ]; programs.git.settings.user.email = "christoph@schmatzler.com"; @@ -54,6 +56,4 @@ size = 16 * 1024; } ]; - - networking.hostName = hostname; } diff --git a/hosts/tahani/networking.nix b/hosts/tahani/networking.nix index 2f4a988..486e2ab 100644 --- a/hosts/tahani/networking.nix +++ b/hosts/tahani/networking.nix @@ -1,10 +1,5 @@ -{ - config, - hostname, - ... -}: { +{config, ...}: { networking = { - hostName = hostname; useDHCP = false; interfaces.eno1.ipv4.addresses = [ { diff --git a/modules/gitea.nix b/modules/gitea.nix index d57a489..f0a109f 100644 --- a/modules/gitea.nix +++ b/modules/gitea.nix 
@@ -11,181 +11,188 @@ in { enable = mkEnableOption "Gitea git hosting service"; litestream = { - bucket = mkOption { - type = types.str; - description = "S3 bucket name for Litestream database replication"; - }; + bucket = + mkOption { + type = types.str; + description = "S3 bucket name for Litestream database replication"; + }; - secretFile = mkOption { - type = types.path; - description = "Path to the environment file containing S3 credentials for Litestream"; - }; + secretFile = + mkOption { + type = types.path; + description = "Path to the environment file containing S3 credentials for Litestream"; + }; }; restic = { - bucket = mkOption { - type = types.str; - description = "S3 bucket name for Restic repository backups"; - }; + bucket = + mkOption { + type = types.str; + description = "S3 bucket name for Restic repository backups"; + }; - passwordFile = mkOption { - type = types.path; - description = "Path to the file containing the Restic repository password"; - }; + passwordFile = + mkOption { + type = types.path; + description = "Path to the file containing the Restic repository password"; + }; - environmentFile = mkOption { - type = types.path; - description = "Path to the environment file containing S3 credentials for Restic"; - }; + environmentFile = + mkOption { + type = types.path; + description = "Path to the environment file containing S3 credentials for Restic"; + }; }; s3 = { - endpoint = mkOption { - type = types.str; - default = "s3.eu-central-003.backblazeb2.com"; - description = "S3 endpoint URL"; - }; + endpoint = + mkOption { + type = types.str; + default = "s3.eu-central-003.backblazeb2.com"; + description = "S3 endpoint URL"; + }; }; }; - config = mkIf cfg.enable { - networking.firewall.allowedTCPPorts = [80 443]; + config = + mkIf cfg.enable { + networking.firewall.allowedTCPPorts = [80 443]; - services.redis.servers.gitea = { - enable = true; - port = 6380; - bind = "127.0.0.1"; - settings = { - maxmemory = "64mb"; - maxmemory-policy = 
"allkeys-lru"; + services.redis.servers.gitea = { + enable = true; + port = 6380; + bind = "127.0.0.1"; + settings = { + maxmemory = "64mb"; + maxmemory-policy = "allkeys-lru"; + }; }; - }; - services.gitea = { - enable = true; - database = { - type = "sqlite3"; - path = "/var/lib/gitea/data/gitea.db"; + services.gitea = { + enable = true; + database = { + type = "sqlite3"; + path = "/var/lib/gitea/data/gitea.db"; + }; + settings = { + server = { + ROOT_URL = "https://git.schmatzler.com/"; + DOMAIN = "git.schmatzler.com"; + HTTP_ADDR = "127.0.0.1"; + HTTP_PORT = 3000; + LANDING_PAGE = "explore"; + }; + service.DISABLE_REGISTRATION = true; + security.INSTALL_LOCK = true; + cache = { + ADAPTER = "redis"; + HOST = "redis://127.0.0.1:6380/0?pool_size=100&idle_timeout=180s"; + ITEM_TTL = "16h"; + }; + "cache.last_commit" = { + ITEM_TTL = "8760h"; + COMMITS_COUNT = 100; + }; + session = { + PROVIDER = "redis"; + PROVIDER_CONFIG = "redis://127.0.0.1:6380/1?pool_size=100&idle_timeout=180s"; + COOKIE_SECURE = true; + SAME_SITE = "strict"; + }; + api.ENABLE_SWAGGER = false; + }; }; - settings = { - server = { - ROOT_URL = "https://git.schmatzler.com/"; - DOMAIN = "git.schmatzler.com"; - HTTP_ADDR = "127.0.0.1"; - HTTP_PORT = 3000; - LANDING_PAGE = "explore"; - }; - service.DISABLE_REGISTRATION = true; - security.INSTALL_LOCK = true; - cache = { - ADAPTER = "redis"; - HOST = "redis://127.0.0.1:6380/0?pool_size=100&idle_timeout=180s"; - ITEM_TTL = "16h"; - }; - "cache.last_commit" = { - ITEM_TTL = "8760h"; - COMMITS_COUNT = 100; - }; - session = { - PROVIDER = "redis"; - PROVIDER_CONFIG = "redis://127.0.0.1:6380/1?pool_size=100&idle_timeout=180s"; - COOKIE_SECURE = true; - SAME_SITE = "strict"; - }; - api.ENABLE_SWAGGER = false; - }; - }; - services.litestream = { - enable = true; - environmentFile = cfg.litestream.secretFile; - settings = { - dbs = [ - { - path = "/var/lib/gitea/data/gitea.db"; - replicas = [ - { - type = "s3"; - bucket = cfg.litestream.bucket; - path = 
"gitea"; - endpoint = cfg.s3.endpoint; - } - ]; + services.litestream = { + enable = true; + environmentFile = cfg.litestream.secretFile; + settings = { + dbs = [ + { + path = "/var/lib/gitea/data/gitea.db"; + replicas = [ + { + type = "s3"; + bucket = cfg.litestream.bucket; + path = "gitea"; + endpoint = cfg.s3.endpoint; + } + ]; + } + ]; + }; + }; + + systemd.services.litestream = { + serviceConfig = { + User = mkForce "gitea"; + Group = mkForce "gitea"; + }; + }; + + services.caddy = { + enable = true; + virtualHosts."git.schmatzler.com".extraConfig = '' + header { + Strict-Transport-Security "max-age=31536000; includeSubDomains" + X-Content-Type-Options "nosniff" + X-Frame-Options "DENY" + Referrer-Policy "strict-origin-when-cross-origin" } + reverse_proxy localhost:3000 + ''; + }; + + services.restic.backups.gitea = { + repository = "s3:${cfg.s3.endpoint}/${cfg.restic.bucket}"; + paths = ["/var/lib/gitea"]; + exclude = [ + "/var/lib/gitea/log" + "/var/lib/gitea/data/gitea.db" + "/var/lib/gitea/data/gitea.db-shm" + "/var/lib/gitea/data/gitea.db-wal" ]; + passwordFile = cfg.restic.passwordFile; + environmentFile = cfg.restic.environmentFile; + pruneOpts = [ + "--keep-daily 7" + "--keep-weekly 4" + "--keep-monthly 6" + ]; + timerConfig = { + OnCalendar = "daily"; + Persistent = true; + RandomizedDelaySec = "1h"; + }; + }; + + systemd.services.restic-backups-gitea = { + wants = ["restic-init-gitea.service"]; + after = ["restic-init-gitea.service"]; + serviceConfig = { + User = mkForce "gitea"; + Group = mkForce "gitea"; + }; + }; + + systemd.services.restic-init-gitea = { + description = "Initialize Restic repository for Gitea backups"; + wantedBy = ["multi-user.target"]; + after = ["network-online.target"]; + wants = ["network-online.target"]; + path = [pkgs.restic]; + serviceConfig = { + Type = "oneshot"; + User = "gitea"; + Group = "gitea"; + RemainAfterExit = true; + EnvironmentFile = cfg.restic.environmentFile; + }; + script = '' + export 
RESTIC_PASSWORD=$(cat ${cfg.restic.passwordFile}) + restic -r s3:${cfg.s3.endpoint}/${cfg.restic.bucket} snapshots &>/dev/null || \ + restic -r s3:${cfg.s3.endpoint}/${cfg.restic.bucket} init + ''; }; }; - - systemd.services.litestream = { - serviceConfig = { - User = mkForce "gitea"; - Group = mkForce "gitea"; - }; - }; - - services.caddy = { - enable = true; - virtualHosts."git.schmatzler.com".extraConfig = '' - header { - Strict-Transport-Security "max-age=31536000; includeSubDomains" - X-Content-Type-Options "nosniff" - X-Frame-Options "DENY" - Referrer-Policy "strict-origin-when-cross-origin" - } - reverse_proxy localhost:3000 - ''; - }; - - services.restic.backups.gitea = { - repository = "s3:${cfg.s3.endpoint}/${cfg.restic.bucket}"; - paths = ["/var/lib/gitea"]; - exclude = [ - "/var/lib/gitea/log" - "/var/lib/gitea/data/gitea.db" - "/var/lib/gitea/data/gitea.db-shm" - "/var/lib/gitea/data/gitea.db-wal" - ]; - passwordFile = cfg.restic.passwordFile; - environmentFile = cfg.restic.environmentFile; - pruneOpts = [ - "--keep-daily 7" - "--keep-weekly 4" - "--keep-monthly 6" - ]; - timerConfig = { - OnCalendar = "daily"; - Persistent = true; - RandomizedDelaySec = "1h"; - }; - }; - - systemd.services.restic-backups-gitea = { - wants = ["restic-init-gitea.service"]; - after = ["restic-init-gitea.service"]; - serviceConfig = { - User = mkForce "gitea"; - Group = mkForce "gitea"; - }; - }; - - systemd.services.restic-init-gitea = { - description = "Initialize Restic repository for Gitea backups"; - wantedBy = ["multi-user.target"]; - after = ["network-online.target"]; - wants = ["network-online.target"]; - path = [pkgs.restic]; - serviceConfig = { - Type = "oneshot"; - User = "gitea"; - Group = "gitea"; - RemainAfterExit = true; - EnvironmentFile = cfg.restic.environmentFile; - }; - script = '' - export RESTIC_PASSWORD=$(cat ${cfg.restic.passwordFile}) - restic -r s3:${cfg.s3.endpoint}/${cfg.restic.bucket} snapshots &>/dev/null || \ - restic -r 
s3:${cfg.s3.endpoint}/${cfg.restic.bucket} init - ''; - }; - }; } diff --git a/modules/pgbackrest.nix b/modules/pgbackrest.nix index 052bcce..85c2f6b 100644 --- a/modules/pgbackrest.nix +++ b/modules/pgbackrest.nix @@ -34,20 +34,17 @@ in { default = "s3.eu-central-003.backblazeb2.com"; description = "S3 endpoint URL"; }; - bucket = mkOption { type = types.str; description = "S3 bucket name"; }; - region = mkOption { type = types.str; default = "eu-central-003"; description = "S3 region"; }; - path = mkOption { type = types.str; @@ -71,7 +68,6 @@ in { default = 7; description = "Number of full backups to retain"; }; - diff = mkOption { type = types.int; @@ -95,7 +91,6 @@ in { default = "zst"; description = "Compression algorithm (none, gz, lz4, zst)"; }; - level = mkOption { type = types.int; @@ -126,7 +121,6 @@ in { default = "daily"; description = "OnCalendar expression for full backups"; }; - diff = mkOption { type = types.str; diff --git a/profiles/darwin.nix b/profiles/darwin.nix index 3416285..b55ad54 100644 --- a/profiles/darwin.nix +++ b/profiles/darwin.nix @@ -1,8 +1,8 @@ { - constants, - inputs, pkgs, + inputs, user, + constants, ... }: { home-manager.extraSpecialArgs = {inherit user constants inputs;}; diff --git a/profiles/dock.nix b/profiles/dock.nix index 4a5b0a6..a87c006 100644 --- a/profiles/dock.nix +++ b/profiles/dock.nix @@ -1,7 +1,7 @@ { config, - pkgs, lib, + pkgs, user, ... }: diff --git a/profiles/home.nix b/profiles/home.nix index 040f2a0..7ed0487 100644 --- a/profiles/home.nix +++ b/profiles/home.nix @@ -1,8 +1,8 @@ { - pkgs, lib, - constants, + pkgs, inputs, + constants, ... }: let setWallpaperScript = import ./wallpaper.nix {inherit pkgs;}; diff --git a/profiles/nixos.nix b/profiles/nixos.nix index 5dedb2d..be2f2e8 100644 --- a/profiles/nixos.nix +++ b/profiles/nixos.nix @@ -1,8 +1,8 @@ { pkgs, + inputs, user, constants, - inputs, ... }: { security.sudo.enable = true; 
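Review bot: In the `script` of `systemd.services.restic-init-gitea` near the end of the modules/gitea.nix hunk, the repository password is still loaded with `export RESTIC_PASSWORD=$(cat ${cfg.restic.passwordFile})`, which puts the secret into the environment of the shell and of every restic process it spawns, where it is readable from `/proc/<pid>/environ` by the same user and is captured by any environment dump; restic honours `RESTIC_PASSWORD_FILE`, so `export RESTIC_PASSWORD_FILE=${cfg.restic.passwordFile}` keeps the secret on disk only. The `restic ... snapshots &>/dev/null || restic ... init` probe also discards the reason `snapshots` failed, so an expired credential or a wrong endpoint only surfaces as a confusing `init` failure against an already-existing repository; keeping stderr (redirecting only stdout with `>/dev/null`) leaves the real cause in the journal. The NixOS restic module already offers `services.restic.backups.gitea.initialize = true;`, which performs this probe-then-init before each backup run, so the hand-written `restic-init-gitea` unit and the `wants`/`after` ordering on `restic-backups-gitea` could be dropped instead of being reindented. The `config = mkIf cfg.enable { ... }` attribute is fully inside the hunk, but the module body begins before line 11.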
diff --git a/profiles/packages.nix b/profiles/packages.nix
index 2e5a15f..af16468 100644
--- a/profiles/packages.nix
+++ b/profiles/packages.nix
@@ -1,6 +1,6 @@
 {
+ lib,
 pkgs,
- inputs,
 ...
 }:
 with pkgs;
diff --git a/profiles/zellij.nix b/profiles/zellij.nix
index 396b472..8533e0d 100644
--- a/profiles/zellij.nix
+++ b/profiles/zellij.nix
@@ -1,8 +1,4 @@
-{
- lib,
- pkgs,
- ...
-}: {
+{pkgs, ...}: {
 programs.zellij = {
 enable = true;
 settings = {