Syzygial/NixMachines
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'main' of https://git.syzygial.cc/Syzygial/NixMachines

Browse Source
This commit is contained in:
David Crompton
2025-07-21 19:09:05 -04:00
parent c73a6fff61 092c3ec9ac
commit 7a10a92621
13 changed files with 111 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
machines/hippocampus/backups/gitea.nix
View File

@@ -1,6 +1,24 @@
{ ... }: {
{ pkgs, config, ... }: {
services.gitea.dump = {
enable = true;
interval = "2:45";
};
systemd.timers."gitea-clear-dump" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "daily";
Persistent = true;
Unit = "gitea-clear-dump.service";
};
};
systemd.services."gitea-clear-dump" = {
script = ''
${pkgs.findutils}/bin/find /var/lib/gitea/dump -type f -ctime +5 -exec rm -f {} \;
'';
serviceConfig = {
Type = "oneshot";
User = config.services.gitea.user;
};
};
}

2
machines/hippocampus/modules/headscale.nix
View File

@@ -91,7 +91,7 @@ let
partOf = ["headscale.service"];
script = ''
${cfg.package}/bin/headscale preauthkeys -u ${name} create \
${cfg.package}/bin/headscale preauthkeys -u $(${cfg.package}/bin/headscale users -o json-line list | ${pkgs.jq}/bin/jq '.[] | select(.name=="${name}").id') create \
${lib.optionalString options.preAuthEphemeral "--ephemeral"} \
${lib.optionalString options.preAuthReusable "--reusable"} \
--expiration ${options.preAuthExpiration} \

5
machines/hippocampus/oci/Wireguard.ContainerFile Normal file
View File

@@ -0,0 +1,5 @@
FROM alpine:3.16
RUN apk add --no-cache bash wireguard-tools jq curl git ncurses
RUN git clone https://github.com/pia-foss/manual-connections /manual-connections
WORKDIR /manual-connections
CMD bash -c "/manual-connections/run_setup.sh && watch -n 60 curl ip.me"

24
machines/hippocampus/oci/jelly.nix
View File

@@ -18,10 +18,12 @@
in {
containers = {
wireguard = {
image = "thrnz/docker-wireguard-pia";
# Derived from the pia-wg.tar.gz
# which was built from the containerfile
image = "localhost/pia-wg:latest";
volumes = [
# "${configDir}/wireguard:/config"
"${configDir}/wireguard_pia:/pia"
# "${configDir}/wireguard_pia:/pia"
];
ports = getPorts [
"deluge"
@@ -34,13 +36,23 @@
];
environment = {
TZ = "America/Toronto";
LOC = "ca";
LOC = "ca";
PIA_DNS = "false"; # - true/false
PIA_PF = "false"; # - true/false
PIA_CONNECT = "true"; # - true/false; connect to VPN after configuration has been created. Set to false to only create configuration file. Only effective for wireguard protocol. Default true.
MAX_LATENCY = "0.2"; # - numeric value, in seconds
AUTOCONNECT = "true"; # - true/false; this will test for and select the server with the lowest latency, it will override PREFERRED_REGION
# PREFERRED_REGION = ""; # - the region ID for a PIA server
DIP_TOKEN = "n";
VPN_PROTOCOL = "wireguard"; # - wireguard or openvpn; openvpn will default to openvpn_udp_standard, but can also specify openvpn_tcp/udp_standad/strong
DISABLE_IPV6 = "no"; # - yes/no
};
extraOptions = [
"--cap-add=ALL"
"--pull=newer"
"--dns=1.1.1.1"
"--privileged" "--dns=1.1.1.1"
"--env-file=${config.sops.secrets.jellyfin-pia.path}"
"--cap-add=NET_ADMIN,NET_RAW,SYS_MODULE"
"--cap-drop=MKNOD,AUDIT_WRITE"
"--sysctl=net.ipv4.ip_forward=1"
"--sysctl=net.ipv4.conf.all.src_valid_mark=1"
"--sysctl=net.ipv6.conf.lo.disable_ipv6=1"
"--sysctl=net.ipv6.conf.all.disable_ipv6=1"

BIN
machines/hippocampus/oci/pia-wg.tar.gz Normal file
View File

Binary file not shown.

13
machines/hippocampus/secrets/pass.yaml
View File

@@ -1,7 +1,7 @@
nextcloud:
adminPass: ENC[AES256_GCM,data:D2SAD/Somvw8abIm0KX4fWRfuQ==,iv:Y7K14yZZFcu97KVBd0219hwnGY4LEX2DNxxulSegr/8=,tag:aRJAlz1xvQxWodcE2bZLdQ==,type:str]
s3secret: ENC[AES256_GCM,data:lIVuiZMh376MSuu13UPCu49Q64bVbk+WM/CUEIGzV0Q=,iv:J2vHalppWEupWK07zXsMoiH6avmpsgg0Cqcc7EkZVV4=,tag:pxKwiaH5SZa8Vh71gLGQWw==,type:str]
jellyfin-pia: ENC[AES256_GCM,data:rbqpmm2EtxcMeJfjlGaJOwPCn4UAZaKsH8Zeztk7A6QiSw==,iv:8A6NHVHgKIL6iwLKgRrT6T3k0pgDI5lL5rDMN5/Egrw=,tag:P6Kh9cOnrB23Z7S72xBK7g==,type:str]
jellyfin-pia: ENC[AES256_GCM,data:hOgUAr47FMd2QgzgXBeqv41Paqy6zn6tyWVDbF1JtqcTog/zZC4=,iv:opnxrycFszAhuMARcP48gKF6eL1ERNgWS68wO+s4CIM=,tag:fqimxKdTAh55ANKD3bp46w==,type:str]
ddclient: ENC[AES256_GCM,data:a31MKnoEZXrj/s8z3+MP9jhQ5/sBjljZphXBJsWj5GU=,iv:YHKCartadDQa59aUf9Fw/KgdgMgsqsVLDAIh/KeqehQ=,tag:hUaUqjcX75xw6eC9axtQmw==,type:str]
anki: ENC[AES256_GCM,data:hUBKr/s1DDorlmbHDUvHtVSumw==,iv:Ekjt6dsncinHhM+dV/mxOjErBQpgKtPOVbmwGRy9XOE=,tag:zvfV9z3QROgsk4eznmxqDw==,type:str]
tandoor-secret: ENC[AES256_GCM,data:/clEIU38M7lJ6+JbFSKWb5kKSUvxdGYPq2Hl9TjgijZtYIYFOleJQ9PiT+d/osmY/r0=,iv:Nulu93V+s9RBmEDRs2LXJXy7l0O/AeU0CwwtTNLGw2c=,tag:brRyVaWeUGLx1nt0MtcIEw==,type:str]
@@ -14,10 +14,6 @@ restic:
passwd: ENC[AES256_GCM,data:vUsAP5+iZo7U55xnUP7Cnk1OxnrO+paHKmT2cuc=,iv:GF7fybEQZIxHPm1Z6Sj5dn/zOR5dRVgikH8LILsTMIs=,tag:Mh61boRPsfHeiSfXmrEx5Q==,type:str]
backblaze: ENC[AES256_GCM,data:IfWzuIYUrCGYpP68CPFi2vLqq9NVmiVyCE+Z8yi+cnaQwgwNL40lJEPL/U3d0lgsmrsV4GheNJ0oQ9tnrrJeBgZgwMl/CwXMctuUHo+cvVot/cNRd1vCdjRr7WUnw8737uxyW45OaaYbkZRa3NWEGDll1iFDWB2w4n5DTsomyO03tFZB5gckwQYmpjYmK4DcIWyTaEiDrznmkyM+sxoWv9pcTHZIIN7TCHHkzmlMzXXqJnoRfCpdVm/QF9jbrAYs,iv:tOa1FFyggm0ScoRdFk6tACOnQVcZMYaDqeJyX5SMKXc=,tag:EY5jQhZnLP6IzqY9garoEQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1crymppz88etsdjpckmtdhr397x5xg5wv8jt6tcj23gt2snq73pzs04fuve
enc: |
@@ -28,8 +24,7 @@ sops:
RVUzMlFya3Z0amdTUTJ5YjFRck5kZzQKoWZzExqzPRpQPL4CdqBalc1/dYtjBH6J
LGR0oImfOWlIJwcaJLv/fc470UvXHHwIji9v/pbV7xMkgMjlJthaYg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-26T02:45:21Z"
mac: ENC[AES256_GCM,data:t5+2iRUJprwwW8GRiQx/h8IOYjjhsq+954GDL2ujXiZVM3oBhESdeBi6aMMwsqABCr+PjP4gb4qHHbduxWlGSZlAh4HSiVwwizI8XV8HZqUqPKBJEqRThzcwznCk4DOGpf1PMbktBX/r50pDeoDcgShKka1bMY8kD385SVklgNE=,iv:EXFXz12HNTMRoW0gIrTEZPHhdTG2cxaWf65uTgT7nZ4=,tag:5XweTiLnO9N8eZb4EPkh6g==,type:str]
pgp: []
lastmodified: "2025-07-19T19:15:37Z"
mac: ENC[AES256_GCM,data:RPGKe5f+5GUnGK3zybRrTnd8N4TprLWBEWLI2HI68Acf1MlJ1AMOWOhpi5xa0Hkxpah8D/d0CEH2ymaO5EBSUamPdYThI4g/4cxNBXboKnALSf91ZUty86/1+14TbI6vFCZ5ghjB4THxszGf47ajIDa/TjHx0yHFWDi7rpApmcw=,iv:ep/NlJfkIkQe5RJ4U2YfZ7/0S4vWqxjg+xrLLnJwfwI=,tag:c01jey2juzoPKux7n/0rug==,type:str]
unencrypted_suffix: _unencrypted
version: 3.9.0
version: 3.10.2

5
machines/hippocampus/servers/public.nix
View File

@@ -25,7 +25,7 @@
./public/nextcloud.nix
# Rabb.it at home
./public/watchthingz.nix
# ./public/watchthingz.nix
# Pterodactyl Game Server
./public/pterodactyl.nix
@@ -47,5 +47,8 @@
# Random Usage, specific port
./public/random.nix
# Perfect Pitch Project
./public/perfect_pitch.nix
];
}

3
machines/hippocampus/servers/public/headscale.nix
View File

@@ -26,6 +26,9 @@
dns = {
base_domain = "tailnet";
magic_dns = true;
nameservers.global = [
"1.1.1.1"
];
};
};
};

2
machines/hippocampus/servers/public/hydra.nix
View File

@@ -17,7 +17,7 @@ in {
'';
};
nix.extraOptions = ''
allowed-uris = https://github.com/ https://git.savannah.gnu.org/ https://git.syzygial.cc https://gitlab.com https://sr.ht github: gitlab:
allowed-uris = https://github.com/ https://git.savannah.gnu.org/ https://git.syzygial.cc https://gitlab.com https://sr.ht github: gitlab: https://git.lix.systems
'';
systemd.services.hydra = {
serviceConfig = {

2
machines/hippocampus/servers/public/nextcloud.nix
View File

@@ -13,7 +13,7 @@ in {
services.nextcloud = {
enable = true;
package = pkgs.nextcloud30;
package = pkgs.nextcloud31;
hostName = "localhost";
settings = {
trusted_domains = [

52
machines/hippocampus/servers/public/perfect_pitch.nix Normal file
View File

@@ -0,0 +1,52 @@
{config, pkgs, ...}:
{
systemd.targets.machines.enable = true;
systemd.services."perfectpitch-container" = {
enable = true;
wantedBy = ["machines.target"];
environment = {
# SYSTEMD_NSPAWN_USE_CGNS = "0";
};
script = ''
exec ${config.systemd.package}/bin/systemd-nspawn --hostname perfectpitch \
--resolv-conf=off --system-call-filter="add_key keyctl bpf" --bind /dev/fuse \
-nbD /var/lib/machines/perfectpitch --machine perfectpitch
'';
postStart = ''
${pkgs.iproute2}/bin/ip link set ve-perfectpitch up || true
${pkgs.iproute2}/bin/ip addr add 10.2.0.0 dev ve-perfectpitch || true
${pkgs.iproute2}/bin/ip route add 10.2.0.1 dev ve-perfectpitch || true
'';
serviceConfig = {
Type = "notify";
Slice = "machine.slice";
Delegate = true;
DeviceAllow = "/dev/fuse rwm";
};
};
networking.nat = {
enable = true;
# Check for hostBridge use vb instead of ve
internalInterfaces = ["ve-perfectpitch"];
externalInterface = "enp0s25";
enableIPv6 = true;
forwardPorts = [
{ sourcePort = 8022;
destination = "10.2.0.1:22";
proto = "tcp";
}
{ sourcePort = 8022;
destination = "10.2.0.1:22";
proto = "udp";
}
];
};
services.caddy.virtualHosts = {
"pitch.crompton.cc" = {
extraConfig = ''
reverse_proxy 10.2.0.1:8080
'';
};
};
}

4
machines/hippocampus/servers/public/pterodactyl.nix
View File

@@ -32,11 +32,11 @@
externalInterface = "enp0s25";
enableIPv6 = true;
forwardPorts = [
{ sourcePort = "25565:28000";
{ sourcePort = "25565:26000";
destination = "10.1.0.1:25565-25600";
proto = "tcp";
}
{ sourcePort = "25565:28000";
{ sourcePort = "25565:26000";
destination = "10.1.0.1:25565-25600";
proto = "udp";
}

2
machines/hippocampus/services/dyndns.nix
View File

@@ -2,7 +2,7 @@
sops.secrets.ddclient = {};
services.ddclient = {
enable = true;
usev4 = "web, web=dynamicdns.park-your-domain.com/getip";
usev4 = "webv4, web=dynamicdns.park-your-domain.com/getip";
protocol = "namecheap";
server = "dynamicdns.park-your-domain.com";
username = "crompton.cc";