add(server)

2026-02-08 00:01:25 +00:00
parent 3c57067a6f
commit 0d3c5c559f
11 changed files with 355 additions and 0 deletions
--- a/config/hosts/aspects/doloro-laptop/disko.nix
+++ b/config/hosts/aspects/doloro-laptop/disko.nix
--- a/config/hosts/aspects/doloro-laptop/home.nix
+++ b/config/hosts/aspects/doloro-laptop/home.nix
--- a/config/hosts/aspects/doloro-laptop/host.nix
+++ b/config/hosts/aspects/doloro-laptop/host.nix
--- a/config/hosts/aspects/servers/rpi5.nix
+++ b/config/hosts/aspects/servers/rpi5.nix
@@ -0,0 +1,41 @@
+{
+  den,
+  __findFile,
+  modules,
+  ...
+}:
+{
+  den.aspects.rpi5 = {
+    includes = [
+      modules.raspberry-pi
+      modules.services.traefik
+    ];
+    nixos = {
+      users.users.doloro = {
+        isNormalUser = true;
+        extraGroups = [ "wheel" ];
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/4h+WCBBW82puv8SMdUbkWymF4amEMuZitgFztB6oZ" # laptop pub key
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaa6Z5qtBSLEz+A4fQGYPfkOISsRQlmKkVbcx2zxML7" # pc pub key
+        ];
+        initialPassword = "meowmeowmeow";
+      };
+      networking.hostName = "nixos-001-rp5";
+
+      networking.firewall = {
+        enable = true;
+        allowedTCPPorts = [
+          80
+          443
+          8080
+        ];
+        allowedUDPPortRanges = [ ];
+      };
+
+      virtualisation.oci-containers.backend = "docker";
+
+      services.openssh.enable = true;
+      nixpkgs.hostPlatform = "aarch64-linux";
+    };
+  };
+}
--- a/config/hosts/computers.nix
+++ b/config/hosts/computers.nix
--- a/config/hosts/servers.nix
+++ b/config/hosts/servers.nix
@@ -0,0 +1,11 @@
+{ den, __findFile, ... }:
+{
+  # The single rpi5 i have running on the side of my desk
+  den.hosts.aarch64-linux.rpi5 = {
+    users.doloro = {
+      includes = [ <modules/user/groups> ];
+      aspect = "doloro-server";
+    };
+  };
+
+}
--- a/config/modules/raspberry-pi.nix
+++ b/config/modules/raspberry-pi.nix
@@ -0,0 +1,38 @@
+{
+  den,
+  __findFile,
+  modules,
+  inputs,
+  ...
+}:
+{
+  flake-file.inputs = {
+    raspberry-pi-nix.url = "github:nix-community/raspberry-pi-nix";
+  };
+  modules.raspberry-pi = {
+    # TODO, make this take an attr set which describes which rpi it is
+    nixos =
+      { pkgs, ... }:
+      let
+        rpi-pi = inputs.raspberry-pi-nix;
+      in
+      {
+        imports = [
+          rpi-pi.nixosModules.raspberry-pi
+          rpi-pi.nixosModules.sd-image
+        ];
+
+        environment.systemPackages = with pkgs; [
+          libraspberrypi
+        ];
+
+        sdImage.compressImage = false;
+        raspberry-pi-nix.board = "bcm2712"; # Rpi 5 - 64bit
+        # We need to rebuild kernel for 6.12
+        # raspberry-pi-nix.kernel-version = "v6_12_17";
+        raspberry-pi-nix.uboot.enable = false;
+
+        hardware.enableRedistributableFirmware = true;
+      };
+  };
+}
--- a/config/modules/services/traefik.nix
+++ b/config/modules/services/traefik.nix
@@ -0,0 +1,51 @@
+{
+  den,
+  __findFile,
+  modules,
+  ...
+}:
+{
+  # Basic traefik
+  modules.services.traefik = {
+    services.traefik = {
+      nixos =
+        { config, ... }:
+        {
+          enable = true;
+
+          staticConfigOptions = {
+            entryPoints = {
+              web = {
+                address = ":80";
+                http.redirections.entrypoint = {
+                  to = "websecure";
+                  scheme = "https";
+                };
+                asDefault = true;
+              };
+              websecure = {
+                address = ":443";
+                asDefault = true;
+                http.tls.certResolver = "letsencrypt";
+              };
+              traefik = {
+                address = ":8080";
+              };
+            };
+            certificatesResolvers.letsencrypt.acme = {
+              email = "doloroo@proton.me";
+              storage = "${config.services.traefik.dataDir}/acme.json";
+              httpChallenge.entryPoint = "web";
+            };
+            providers = {
+              docker = {
+                endpoint = "unix:///var/run/docker.sock";
+              };
+            };
+            api.dashboard = true;
+            api.insecure = true;
+          };
+        };
+    };
+  };
+}
--- a/config/modules/user/servers/root.nix
+++ b/config/modules/user/servers/root.nix
@@ -0,0 +1,16 @@
+{ modules, ... }:
+{
+  #	Applys public keys and various root account config
+  modules.servers.rootAcc =
+    { config, user, ... }:
+    {
+      nixos = {
+        users.users.root = {
+          openssh.authorizedKeys.keys = [
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/4h+WCBBW82puv8SMdUbkWymF4amEMuZitgFztB6oZ" # laptop pub key
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaa6Z5qtBSLEz+A4fQGYPfkOISsRQlmKkVbcx2zxML7" # pc pub key
+          ];
+        };
+      };
+    };
+}
--- a/flake.lock
+++ b/flake.lock
@@ -529,6 +529,40 @@
        "type": "github"
      }
    },
+    "libcamera-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1725630279,
+        "narHash": "sha256-KH30jmHfxXq4j2CL7kv18DYECJRp9ECuWNPnqPZajPA=",
+        "owner": "raspberrypi",
+        "repo": "libcamera",
+        "rev": "69a894c4adad524d3063dd027f5c4774485cf9db",
+        "type": "github"
+      },
+      "original": {
+        "owner": "raspberrypi",
+        "repo": "libcamera",
+        "rev": "69a894c4adad524d3063dd027f5c4774485cf9db",
+        "type": "github"
+      }
+    },
+    "libpisp-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1724944683,
+        "narHash": "sha256-Fo2UJmQHS855YSSKKmGrsQnJzXog1cdpkIOO72yYAM4=",
+        "owner": "raspberrypi",
+        "repo": "libpisp",
+        "rev": "28196ed6edcfeda88d23cc5f213d51aa6fa17bb3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "raspberrypi",
+        "ref": "v1.0.7",
+        "repo": "libpisp",
+        "type": "github"
+      }
+    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1769330179,
@@ -577,6 +611,22 @@
        "type": "github"
      }
    },
+    "nixpkgs_4": {
+      "locked": {
+        "lastModified": 1736061677,
+        "narHash": "sha256-DjkQPnkAfd7eB522PwnkGhOMuT9QVCZspDpJJYyOj60=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "cbd8ec4de4469333c82ff40d057350c30e9f7d36",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "nixvim": {
      "inputs": {
        "flake-parts": "flake-parts_2",
@@ -622,6 +672,33 @@
        "type": "github"
      }
    },
+    "raspberry-pi-nix": {
+      "inputs": {
+        "libcamera-src": "libcamera-src",
+        "libpisp-src": "libpisp-src",
+        "nixpkgs": "nixpkgs_4",
+        "rpi-bluez-firmware-src": "rpi-bluez-firmware-src",
+        "rpi-firmware-nonfree-src": "rpi-firmware-nonfree-src",
+        "rpi-firmware-src": "rpi-firmware-src",
+        "rpi-linux-6_12_17-src": "rpi-linux-6_12_17-src",
+        "rpi-linux-6_6_78-src": "rpi-linux-6_6_78-src",
+        "rpi-linux-stable-src": "rpi-linux-stable-src",
+        "rpicam-apps-src": "rpicam-apps-src"
+      },
+      "locked": {
+        "lastModified": 1742223591,
+        "narHash": "sha256-ZNTz8r5jlJ1jvpqf5+aUYgpnYJSVX0iP14doOc1Hm0E=",
+        "owner": "nix-community",
+        "repo": "raspberry-pi-nix",
+        "rev": "3e8100d5e976a6a2be363015cb33463af9ef441a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "raspberry-pi-nix",
+        "type": "github"
+      }
+    },
    "root": {
      "inputs": {
        "den": "den",
@@ -637,10 +714,130 @@
          "nixpkgs"
        ],
        "nixvim": "nixvim",
+        "raspberry-pi-nix": "raspberry-pi-nix",
        "sops-nix": "sops-nix",
        "systems": "systems_3"
      }
    },
+    "rpi-bluez-firmware-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1708969706,
+        "narHash": "sha256-KakKnOBeWxh0exu44beZ7cbr5ni4RA9vkWYb9sGMb8Q=",
+        "owner": "RPi-Distro",
+        "repo": "bluez-firmware",
+        "rev": "78d6a07730e2d20c035899521ab67726dc028e1c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "RPi-Distro",
+        "ref": "bookworm",
+        "repo": "bluez-firmware",
+        "type": "github"
+      }
+    },
+    "rpi-firmware-nonfree-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1723266537,
+        "narHash": "sha256-T7eTKXqY9cxEMdab8Snda4CEOrEihy5uOhA6Fy+Mhnw=",
+        "owner": "RPi-Distro",
+        "repo": "firmware-nonfree",
+        "rev": "4b356e134e8333d073bd3802d767a825adec3807",
+        "type": "github"
+      },
+      "original": {
+        "owner": "RPi-Distro",
+        "ref": "bookworm",
+        "repo": "firmware-nonfree",
+        "type": "github"
+      }
+    },
+    "rpi-firmware-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1728405098,
+        "narHash": "sha256-4gnK0KbqFnjBmWia9Jt2gveVWftmHrprpwBqYVqE/k0=",
+        "owner": "raspberrypi",
+        "repo": "firmware",
+        "rev": "7bbb5f80d20a2335066a8781459c9f33e5eebc64",
+        "type": "github"
+      },
+      "original": {
+        "owner": "raspberrypi",
+        "ref": "1.20241008",
+        "repo": "firmware",
+        "type": "github"
+      }
+    },
+    "rpi-linux-6_12_17-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1740765145,
+        "narHash": "sha256-hoCsGc4+RC/2LmxDtswLBL5ZhWlw4vSiL4Vkl39r2MU=",
+        "owner": "raspberrypi",
+        "repo": "linux",
+        "rev": "5985ce32e511f4e8279a841a1b06a8c7d972b386",
+        "type": "github"
+      },
+      "original": {
+        "owner": "raspberrypi",
+        "ref": "rpi-6.12.y",
+        "repo": "linux",
+        "type": "github"
+      }
+    },
+    "rpi-linux-6_6_78-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1740503700,
+        "narHash": "sha256-Y8+ot4Yi3UKwlZK3ap15rZZ16VZDvmeFkD46+6Ku7bE=",
+        "owner": "raspberrypi",
+        "repo": "linux",
+        "rev": "2e071057fded90e789c0101498e45a1778be93fe",
+        "type": "github"
+      },
+      "original": {
+        "owner": "raspberrypi",
+        "ref": "rpi-6.6.y",
+        "repo": "linux",
+        "type": "github"
+      }
+    },
+    "rpi-linux-stable-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1728403745,
+        "narHash": "sha256-phCxkuO+jUGZkfzSrBq6yErQeO2Td+inIGHxctXbD5U=",
+        "owner": "raspberrypi",
+        "repo": "linux",
+        "rev": "5aeecea9f4a45248bcf564dec924965e066a7bfd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "raspberrypi",
+        "ref": "stable_20241008",
+        "repo": "linux",
+        "type": "github"
+      }
+    },
+    "rpicam-apps-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1727515047,
+        "narHash": "sha256-qCYGrcibOeGztxf+sd44lD6VAOGoUNwRqZDdAmcTa/U=",
+        "owner": "raspberrypi",
+        "repo": "rpicam-apps",
+        "rev": "a8ccf9f3cd9df49875dfb834a2b490d41d226031",
+        "type": "github"
+      },
+      "original": {
+        "owner": "raspberrypi",
+        "ref": "v1.5.2",
+        "repo": "rpicam-apps",
+        "type": "github"
+      }
+    },
    "sops-nix": {
      "inputs": {
        "nixpkgs": [
--- a/flake.nix
+++ b/flake.nix
@@ -24,6 +24,7 @@
      inputs.nixpkgs.follows = "nixpkgs";
      url = "github:nix-community/nixvim";
    };
+    raspberry-pi-nix.url = "github:nix-community/raspberry-pi-nix";
    sops-nix = {
      inputs.nixpkgs.follows = "nixpkgs";
      url = "github:Mic92/sops-nix";