From 59901d65b976d4a998802d49bb8afd4ece32152c Mon Sep 17 00:00:00 2001 From: irl Date: Fri, 13 Jun 2025 10:56:42 +0100 Subject: [PATCH 1/4] feat: enable avahi to publish local name on homeserver --- nixos/hosts/homeserver/default.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/nixos/hosts/homeserver/default.nix b/nixos/hosts/homeserver/default.nix index efcb458..30d460e 100644 --- a/nixos/hosts/homeserver/default.nix +++ b/nixos/hosts/homeserver/default.nix @@ -20,6 +20,15 @@ services.xserver.xkb.layout = "us"; + services.avahi = { + enable = true; + publish = { + enable = true; + addresses = true; + workstation = true; + }; + }; + services.openssh = { enable = true; settings.PasswordAuthentication = false; From b40c4d8d5796d1682355a93b3bce6390cd328493 Mon Sep 17 00:00:00 2001 From: irl Date: Fri, 13 Jun 2025 18:28:36 +0100 Subject: [PATCH 2/4] feat: add age to home packages --- home/irl.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/home/irl.nix b/home/irl.nix index 45a0460..fe7490e 100644 --- a/home/irl.nix +++ b/home/irl.nix @@ -17,6 +17,7 @@ in if lib.strings.hasSuffix "darwin" pkgs.system then "/Users/irl" else "/home/irl"; home.stateVersion = "25.05"; home.packages = with pkgs; [ + age fish neofetch rust-analyzer From 6224c55ab445dbcc7cdc88238349dbcda39e6da3 Mon Sep 17 00:00:00 2001 From: irl Date: Fri, 13 Jun 2025 18:57:19 +0100 Subject: [PATCH 3/4] feat: set irl's password --- .sops.yaml | 13 +++++++++++++ flake.lock | 37 ++++++++++++++++++++++++++++++++++++- flake.nix | 5 +++++ nixos/common.nix | 27 ++++++++++++++++++++++++++- secrets.yaml | 25 +++++++++++++++++++++++++ 5 files changed, 105 insertions(+), 2 deletions(-) create mode 100644 .sops.yaml create mode 100644 secrets.yaml diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..b9340d2 --- /dev/null +++ b/.sops.yaml 
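Review bot: `publish.workstation = true;` in the new `services.avahi` block advertises a `_workstation._tcp` record on top of the address records, which is more than the commit's stated goal of publishing the host's `.local` name; as far as I recall the instance name of that record carries the host's MAC address. Resolving `homeserver.local` only needs `publish.enable` and `publish.addresses`, so `workstation` can be dropped unless something on the LAN actually browses for workstations. If I remember the module right, the NixOS avahi module also defaults `openFirewall` to true, so this hunk opens UDP 5353 on every interface without saying so; a comment such as `# mDNS (UDP 5353) is opened by the module's openFirewall default` next to `enable = true;` would make that visible.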
@@ -0,0 +1,13 @@ +keys: + - &users: + - &irl age1uhp600xemepn27l0vxnt7hmuvk53wmw5peh9d3wy4ma2apsympmqxm8jxq + - &hosts: + - &homeserver age1y9v37jc3kxuygw042qrsvseac5krhh3skp88ewlqlja00uslpyss62e4nd +creation_rules: + - path_regex: secrets.yaml$ + key_groups: + - age: + - *irl + - *homeserver + + diff --git a/flake.lock b/flake.lock index 042f8d1..6331e3b 100644 --- a/flake.lock +++ b/flake.lock @@ -110,6 +110,22 @@ "type": "github" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1744868846, + "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nur": { "inputs": { "flake-parts": "flake-parts", @@ -138,7 +154,26 @@ "flake-utils": "flake-utils", "home-manager": "home-manager", "nixpkgs": "nixpkgs", - "nur": "nur" + "nur": "nur", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1749592509, + "narHash": "sha256-VunQzfZFA+Y6x3wYi2UE4DEQ8qKoAZZCnZPUlSoqC+A=", + "owner": "mic92", + "repo": "sops-nix", + "rev": "50754dfaa0e24e313c626900d44ef431f3210138", + "type": "github" + }, + "original": { + "owner": "mic92", + "repo": "sops-nix", + "type": "github" } }, "systems": { diff --git a/flake.nix b/flake.nix index 9caea5f..aa859b4 100644 --- a/flake.nix +++ b/flake.nix @@ -16,6 +16,10 @@ url = "github:nix-community/NUR"; inputs.nixpkgs.follows = "nixpkgs"; }; + sops-nix = { + url = "github:mic92/sops-nix"; + inputs.nix.follows = "nixpkgs"; + }; }; outputs = { @@ -24,6 +28,7 @@ flake-utils, home-manager, nur, + sops-nix, ... }@inputs: let diff --git a/nixos/common.nix b/nixos/common.nix index d3cae09..f670c0e 100644 --- a/nixos/common.nix +++ b/nixos/common.nix 
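Review bot: The anchors `&users:` and `&hosts:` in the `keys:` list carry a trailing colon, which makes them read like mapping keys, but they are anchor names on nested lists that nothing references. sops only reads `creation_rules`, so the file works, but the conventional layout is a flat list of `- &irl age1…` / `- &homeserver age1…` with a `# users` and `# hosts` comment for grouping. The single `age:` key group means either recipient alone can decrypt `secrets.yaml`, which is what a user-plus-host setup needs; a comment `# one group: either irl or the host key can decrypt` would keep it from being mistaken for requiring both.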
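Review bot: `inputs.nix.follows = "nixpkgs";` in the new `sops-nix` input does not pin sops-nix's nixpkgs; the input to override is named `nixpkgs`, as the `nur` entry just above does with `inputs.nixpkgs.follows = "nixpkgs";`, and sops-nix does not, as far as I know, declare an input called `nix`. The effect is visible in the flake.lock hunk of this same patch, which adds a separate `nixpkgs_2` node for `sops-nix` instead of reusing the top-level one, so two nixpkgs trees get fetched and evaluated. Change the line to `inputs.nixpkgs.follows = "nixpkgs";` and re-lock so `nixpkgs_2` disappears.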
@@ -1,8 +1,30 @@ -{ pkgs, ... }: +{ + pkgs, + config, + sops-nix, + ... +}: { + imports = [ + sops-nix.nixosModules.sops + ]; + nix.settings.experimental-features = "nix-command flakes"; + sops = { + defaultSopsFile = ../secrets.yaml; + validateSopsFiles = false; + + age = { + sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + keyFile = "/var/lib/sops-nix/key.txt"; + generateKey = true; + }; + + secrets.irl-password.neededForUsers = true; + }; + time.timeZone = "Europe/London"; i18n.defaultLocale = "en_GB.UTF-8"; @@ -19,9 +41,12 @@ LC_TIME = "en_GB.UTF-8"; }; + users.mutableUsers = false; + users.users.irl = { isNormalUser = true; description = "irl"; + hashedPasswordFile = config.sops.secrets.irl-password.path; extraGroups = [ "networkmanager" "wheel" diff --git a/secrets.yaml b/secrets.yaml new file mode 100644 index 0000000..57d61a2 --- /dev/null +++ b/secrets.yaml 
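Review bot: The new `sops.age` block configures two decryption identities at once — `sshKeyPaths` derives an age key from the host's ed25519 SSH key, while `keyFile` with `generateKey = true` creates a separate key at `/var/lib/sops-nix/key.txt` — and nothing records which of them the `homeserver` recipient in `.sops.yaml` corresponds to. Keeping only the identity that was actually used when `secrets.yaml` was encrypted, with a comment like `# the homeserver recipient in .sops.yaml is the age key derived from the ed25519 host key`, makes host rebuilds and key rotation less error-prone. `validateSopsFiles = false;` also switches off the evaluation-time check of the sops file, so a broken `secrets.yaml` only surfaces at activation, where `neededForUsers = true` makes it required before users are created; if the option was needed to work around a path issue, a comment saying so would help. Separately, the module now takes `sops-nix` as a function argument, which only evaluates if the flake passes it through `specialArgs`; that wiring is outside this diff.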
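Review bot: `users.mutableUsers = false;` applies to every account on the host, not just `irl`: any user without a declared password option, root included, ends up locked, and `irl`'s only password now comes from the sops secret referenced on the `hashedPasswordFile` line. If that secret cannot be decrypted on a rebuild (wrong host key, missing `key.txt`), the machine has no local login, and SSH password authentication is already off in the homeserver config, so a recovery path such as a declared `openssh.authorizedKeys.keys` for `irl` is worth confirming. A comment next to `mutableUsers` like `# all accounts are declarative; any account without a password option here (incl. root) is locked` records the intent. The `users.users.irl` set continues outside the hunk.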
@@ -0,0 +1,25 @@ +irl-password: ENC[AES256_GCM,data:8DcPiZ9Ui40MaOaPJ5XmZI3M7XDqLtBqJKLEUnolMYuNoa6dDBF/IicokQO6zvNVw0G2DPVQwbKzgEaWtvnj+5rXm+QbyEVIKw==,iv:+qsf6VzsMzAj6A5B6TCQ/ZaYDt0EiZYwQ7gZg0sw2TM=,tag:3Xi5bSJ7rYEUUVIDuynHag==,type:str] +sops: + age: + - recipient: age1uhp600xemepn27l0vxnt7hmuvk53wmw5peh9d3wy4ma2apsympmqxm8jxq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRZmJkMlpoN2RRUEVVUCtS + cVl4T0grTit5TGtGUEM2MTlBRnQ2OWlWaEVrClErVm5uRzQySzNDM3J6dDFQY2U0 + cjlVS1NpTzdBQzgvSHJndmlxMWRmbUkKLS0tIHBtTkhSU1BTZHhMaXdZT0xiWWZD + ZXlLNjAzSVkxZWtDRjlUMHV5bnJXK3MKNGKAW7iq/Qfo1dAt3Zxjzu+PsjdtaYPG + a5Zvnazkm2dmuajldII/+xk4r/JewBZmeWdd37n2lUpbSisgcw0X5A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1y9v37jc3kxuygw042qrsvseac5krhh3skp88ewlqlja00uslpyss62e4nd + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiQTcxWkphbngrK3RMaEZF + UHU4ZURiVmNZdDhoR1l5YWVDZ1YvdlZWbndJCnRZd0tmR2lXcnA0V0dRaDZzZkg5 + YitPd01mbFc1VHVyTDl3Sk9UTGptclEKLS0tIEtWb0VNZWFLUmNZRDh3S0N4WmN0 + SlVKUDZWVEp2YmR4V3ArRW1GR1lXeTAKRJoawuTKrgrz6qeOSTmYLXO6n66QNPLA + C5UI4yB0WLeRxdqxU84a3rS2ZjgTh22RR0WwRe6siOaKOdS1G96DXw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-06-13T17:56:08Z" + mac: ENC[AES256_GCM,data:YjTPJ69gNE3MOxUq8X1H4ucqiJxIwRFBBLz0pu6nJgx64XDKe96qeiy7NLAnyJuzOgXpZxb6bm+ecf4E288Bq5NyqpWyrICXC37mSMMXTIoi+HZMHk/GYOAezfCHCBzJBKlJjTZhmslF1zu/4jGtUf/VTOCm+WTPDTUjVkzvwJ8=,iv:vsiDWLir7b/DmOgJFs9iuNxJxJAipdriP/XSPbm4MKU=,tag:aBXeQdetTepLNj/kl45McQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2 From 1e31fc3725c95f9bc69c208c788ca22dfd7dd53f Mon Sep 17 00:00:00 2001 From: irl Date: Fri, 13 Jun 2025 20:19:23 +0100 Subject: [PATCH 4/4] feat: adds audiobookshelf and calibre-server --- nixos/hosts/homeserver/default.nix | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) 
diff --git a/nixos/hosts/homeserver/default.nix b/nixos/hosts/homeserver/default.nix index 30d460e..76e28e9 100644 --- a/nixos/hosts/homeserver/default.nix +++ b/nixos/hosts/homeserver/default.nix @@ -18,8 +18,23 @@ networking.hostName = "homeserver"; networking.networkmanager.enable = true; + users.groups.media = { }; + users.users.media = { + group = "media"; + isNormalUser = true; + }; + services.xserver.xkb.layout = "us"; + services.audiobookshelf = { + enable = true; + group = "media"; + host = "0.0.0.0"; + openFirewall = true; + port = 8000; + user = "media"; + }; + services.avahi = { enable = true; publish = { @@ -29,6 +44,16 @@ }; }; + services.calibre-server = { + enable = true; + extraFlags = [ "--enable-local-write" ]; + group = "media"; + libraries = [ "/srv/books" ]; + openFirewall = true; + port = 8585; + user = "media"; + }; + services.openssh = { enable = true; settings.PasswordAuthentication = false;
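Review bot: The new `media` account is declared with `isNormalUser = true;`, which gives a daemon account a home directory under `/home` and a UID in the normal-user range; for an account that only owns the audiobookshelf and calibre-server processes, `isSystemUser = true;` with the existing `group = "media";` is the conventional choice, unless someone is meant to log in as `media` to manage the library. `host = "0.0.0.0";` together with `openFirewall = true;` makes audiobookshelf listen on every interface, which is presumably intended on a LAN homeserver; a comment such as `# reachable on all interfaces; relies on audiobookshelf's own login` next to `host` makes that explicit. The enclosing attribute set continues outside the hunk.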
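Review bot: `libraries = [ "/srv/books" ];` points calibre-server at a directory that nothing in this diff creates or assigns to the `media` user, and `--enable-local-write` is only useful if the service can write there; unless the NixOS module provisions custom library paths (I believe it only handles its default under `/var/lib`), the first start will fail or run read-only. A tmpfiles rule alongside the service, `systemd.tmpfiles.rules = [ "d /srv/books 0750 media media -" ];`, makes the ownership declarative. As I read the calibre docs, `--enable-local-write` permits unauthenticated changes only from localhost connections, so remote clients on the opened port 8585 get read-only access; a comment `# --enable-local-write: unauthenticated writes only from localhost; remote clients are read-only` next to `extraFlags` records that.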