DuN0z/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

CLEAN: nix develop

Browse source
This commit is contained in:
DuN0z 2025-10-05 08:20:57 +02:00
parent daeb15f821
commit c495445e91
22 changed files with 439 additions and 423 deletions
Download patch file Download diff file Expand all files Collapse all files

2
modules/common/fonts.nix
View file

@ -1,4 +1,4 @@
{ pkgs, ...}: {
{pkgs, ...}: {
fonts.packages = with pkgs; [
dejavu_fonts
];

4
modules/common/networking.nix
View file

@ -1,8 +1,8 @@
_: {
networking = {
nameservers = ["1.1.1.1" "8.8.8.8"];
# dhcpcd.extraConfig = "nohook resolv.conf";
# dhcpcd.extraConfig = "nohook resolv.conf";
firewall.enable = true;
interfaces.enp11s0.wakeOnLan.enable = true ;
interfaces.enp11s0.wakeOnLan.enable = true;
};
}

4
modules/common/nix.nix
View file

@ -5,7 +5,7 @@
};
nixpkgs.config = {
# allowUnfree = true;
# allowUnsupportedSystem = true;
# allowUnfree = true;
# allowUnsupportedSystem = true;
};
}

13
modules/common/qemu.nix
View file

@ -1,7 +1,7 @@
{
lib,
pkgs,
config,
config,
...
}: {
boot.kernelModules = lib.mkAfter ["tun"];
@ -22,21 +22,20 @@
virtualisation.libvirtd = {
enable = true;
qemu =
qemu =
if lib.versionOlder config.system.nixos.release "25.11"
then {
ovmf.enable = true;
ovmf.packages = [pkgs.OVMFFull.fd];
runAsRoot = false;
swtpm.enable = true;
} else {
}
else {
runAsRoot = false;
swtpm.enable = true;
};
};
};
users.users.lomig.extraGroups = ["libvirtd" "kvm" "input"];
environment.etc."qemu/bridge.conf".text = ''
@ -47,7 +46,7 @@
source = "${pkgs.qemu}/libexec/qemu-bridge-helper";
owner = "root";
group = "kvm";
setuid = true ;
setuid = true;
permissions = "u+rwx,g+rx,o+rx";
};
}

8
modules/desktop/xorg-bspwm.nix
View file

@ -1,15 +1,11 @@
{
config,
lib,
...
}: {
{lib, ...}: {
services = {
xserver = {
enable = true;
displayManager = {
lightdm.enable = true;
};
windowManager.bspwm.enable = true ;
windowManager.bspwm.enable = true;
};
displayManager = {
gdm.enable = lib.mkForce false;

4
modules/roles/workstation.nix
View file

@ -11,8 +11,8 @@
../virtual/vfio.nix
# Dev
# ../dev/qemu.nix
# ../virtual/truenas.nix # seulement si tu lutilises sur ce host
# ../dev/qemu.nix
# ../virtual/truenas.nix # seulement si tu lutilises sur ce host
];
environment.systemPackages = with pkgs; [

81
modules/services/forgejo.nix
View file

@ -1,6 +1,4 @@
# NixOS module Forgejo avec SQLite, SSH et reverse proxy Caddy
{ config, pkgs, lib, ... }: {
{pkgs, ...}: {
# --- Utilisateur dédié ---
users.users.git = {
isSystemUser = true;
@ -11,52 +9,51 @@
users.groups.git = {};
# --- Forgejo ---
services.forgejo = {
enable = true;
user = "git";
group = "git";
database = {
type = "sqlite3";
path = "/var/lib/forgejo/data/gitea.db";
services = {
forgejo = {
enable = true;
user = "git";
group = "git";
database = {
type = "sqlite3";
path = "/var/lib/forgejo/data/gitea.db";
};
settings = {
server = {
DOMAIN = "govel.porzh.me";
ROOT_URL = "https://govel.porzh.me/";
SSH_DOMAIN = "govel.porzh.me";
HTTP_PORT = 3000;
SSH_PORT = 22;
START_SSH_SERVER = false;
};
service = {
DISABLE_REGISTRATION = true;
REGISTER_EMAIL_CONFIRM = false;
};
repository = {
DEFAULT_BRANCH = "main";
};
};
};
settings = {
server = {
DOMAIN = "govel.porzh.me";
ROOT_URL = "https://govel.porzh.me/";
SSH_DOMAIN = "govel.porzh.me";
HTTP_PORT = 3000;
SSH_PORT = 22;
START_SSH_SERVER = false;
};
service = {
DISABLE_REGISTRATION = true;
REGISTER_EMAIL_CONFIRM = false;
};
repository = {
DEFAULT_BRANCH = "main";
openssh.enable = true;
caddy = {
enable = true;
virtualHosts."govel.porzh.me" = {
extraConfig = ''
reverse_proxy localhost:3000
'';
};
};
};
# --- Ouvrir les ports nécessaires ---
networking.firewall.allowedTCPPorts = [ 80 443 2222 ];
# --- Rediriger port SSH interne de Forgejo ---
services.openssh.enable = true;
networking.firewall.interfaces."eth0".allowedTCPPorts = [ 22 ]; # pour admin
# --- Caddy pour govel.porzh.me ---
services.caddy = {
enable = true;
virtualHosts."govel.porzh.me" = {
extraConfig = ''
reverse_proxy localhost:3000
'';
};
networking.firewall = {
allowedTCPPorts = [80 443 2222];
interfaces."eth0".allowedTCPPorts = [22];
};
# --- Pour que Forgejo génère les bonnes URLs Git ---
# networking.hostName = "git"; # non strictement obligatoire
# networking.hostName = "git"; # non strictement obligatoire
# --- Optionnel : config DNS ---
# git.lomig.me -> ton IP publique (ou IP locale si LAN)
@ -67,6 +64,4 @@
# --- Astuce : génère une paire de clés pour laccès SSH Git ---
# ssh-keygen -t ed25519 -f ~/.ssh/id_git_forgejo
# puis ajoute la clé publique dans ton compte Forgejo
}

34
modules/services/ftp.nix
View file

@ -1,14 +1,14 @@
{ config, pkgs, lib, ... }: {
_: {
# -------------------------------------------------
# 1⃣ Création de lutilisateur système dédié FTP
# -------------------------------------------------
users.users.ftpuser = {
isSystemUser = true; # pas de login shell
description = "Compte FTP dédié";
home = "/srv/ftp/ftpuser";
createHome = true;
group = "ftpuser";
shell = "/usr/bin/nologin";
isSystemUser = true; # pas de login shell
description = "Compte FTP dédié";
home = "/srv/ftp/ftpuser";
createHome = true;
group = "ftpuser";
shell = "/usr/bin/nologin";
};
users.groups.ftpuser = {};
@ -16,11 +16,11 @@
extraConfig = ''
Match User ftpuser
ChrootDirectory /srv/ftp/ftpuser
ForceCommand internal-sftp
AllowTcpForwarding no
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
'';
};
};
# -------------------------------------------------
# 2⃣ Permissions du répertoire home (méthode A)
@ -48,22 +48,20 @@
# Chroot chaque utilisateur local dans son $HOME
chrootlocalUser = true;
allowWriteableChroot = true ;
extraConfig = ''
pasv_min_port=40000
pasv_max_port=40004
'';
allowWriteableChroot = true;
extraConfig = ''
pasv_min_port=40000
pasv_max_port=40004
'';
};
# -------------------------------------------------
# 4⃣ Ouverture des ports dans le firewall NixOS
# -------------------------------------------------
networking.firewall = {
allowedTCPPorts = [ 21 40000 40001 40002 40003 40004 ];
allowedTCPPorts = [21 40000 40001 40002 40003 40004];
# Si vous utilisez FTPS implicite (port 990) :
# allowedTCPPorts = [ 21 990 40000 40001 40002 40003 40004 ];
};
}

14
modules/services/goaccess.nix
View file

@ -1,9 +1,9 @@
{ pkgs, ... }: {
{pkgs, ...}: {
environment.systemPackages = with pkgs; [
goaccess
];
# Service pour générer le rapport statique GoAccess
# Service pour générer le rapport statique GoAccess
systemd.services.goaccess-report = {
description = "Generate GoAccess HTML report";
serviceConfig = {
@ -11,10 +11,10 @@
};
};
# Timer pour régénérer le rapport toutes les heures
# Timer pour régénérer le rapport toutes les heures
systemd.timers.goaccess-report = {
description = "Hourly GoAccess report generation";
wantedBy = [ "timers.target" ];
wantedBy = ["timers.target"];
timerConfig = {
OnCalendar = "hourly";
Persistent = true;
@ -28,10 +28,8 @@
file_server browse
try_files {path} {path}/ /index.html
'';
'';
};
};
};
}
}

4
modules/services/pihole.nix
View file

@ -11,7 +11,7 @@
environment = {
TZ = "Europe/Paris";
WEBPASSWORD = "changeme"; # Change à ta convenance
WEBPASSWORD = "changeme"; # Change à ta convenance
PIHOLE_DNS_ = "1.1.1.1;1.0.0.1";
};
@ -19,6 +19,6 @@
"/srv/pihole/etc-pihole:/etc/pihole"
"/srv/pihole/etc-dnsmasq.d:/etc/dnsmasq.d"
];
extraOptions = [ "--cap-add=NET_ADMIN" ];
extraOptions = ["--cap-add=NET_ADMIN"];
};
}

65
modules/sites/levr.porzh.me.nix
View file

@ -1,49 +1,48 @@
{ config, pkgs, ... }:
{
# -----------------------------------------------------------------
# 1⃣ Caddy (reverseproxy / serveur web statique)
# -----------------------------------------------------------------
_: {
# -----------------------------------------------------------------
# 1⃣ Caddy (reverseproxy / serveur web statique)
# -----------------------------------------------------------------
services.caddy = {
enable = true;
# Caddy démarre en tant quutilisateur «caddy».
# On lui donne accès au répertoire du blog via les ACL créées plus haut.
# (Pas besoin de config supplémentaire côté OS.)
# Caddy démarre en tant quutilisateur «caddy».
# On lui donne accès au répertoire du blog via les ACL créées plus haut.
# (Pas besoin de config supplémentaire côté OS.)
# -----------------------------------------------------------------
# 2⃣ Sites gérés par Caddy (Caddyfile intégré)
# -----------------------------------------------------------------
# -----------------------------------------------------------------
# 2⃣ Sites gérés par Caddy (Caddyfile intégré)
# -----------------------------------------------------------------
virtualHosts = {
"levr.porzh.me" = {
# Le domaine sera automatiquement provisionné avec TLS via ACME
# (Let's Encrypt) grâce à loption `autoHTTPS = true` (défaut).
# Aucun certificat manuel nest requis.
# Le domaine sera automatiquement provisionné avec TLS via ACME
# (Let's Encrypt) grâce à loption `autoHTTPS = true` (défaut).
# Aucun certificat manuel nest requis.
# Le répertoire contenant les fichiers générés par Hugo
# Le répertoire contenant les fichiers générés par Hugo
# (Optionnel) Rediriger HTTP → HTTPS Caddy le fait déjà,
# mais on le rend explicite pour la clarté.
# (Optionnel) Rediriger HTTP → HTTPS Caddy le fait déjà,
# mais on le rend explicite pour la clarté.
extraConfig = ''
@http {
protocol http
}
redir @http https://{host}{uri} permanent
root * /srv/blog/public
file_server
@http {
protocol http
}
redir @http https://{host}{uri} permanent
root * /srv/blog/public
file_server
log {
output file /var/log/caddy/access-levr.porzh.me.log
}
log {
output file /var/log/caddy/access-levr.porzh.me.log
}
'';
};
};
};
# -----------------------------------------------------------------
# 3⃣ Ouverture du firewall (ports 80 et 443)
# -----------------------------------------------------------------
# networking.firewall.allowedTCPPorts = [
# 80 # HTTP (pour la redirection ACME)
# 443 # HTTPS (site final)
# ];
# -----------------------------------------------------------------
# 3⃣ Ouverture du firewall (ports 80 et 443)
# -----------------------------------------------------------------
# networking.firewall.allowedTCPPorts = [
# 80 # HTTP (pour la redirection ACME)
# 443 # HTTPS (site final)
# ];
}

9
modules/sites/porzh.me.nix
View file

@ -1,10 +1,8 @@
{ config, pkgs, ... }:
let
{pkgs, ...}: let
porzhSite = pkgs.stdenv.mkDerivation {
pname = "porzh-site";
version = "1.0";
src = ./porzh.me; # le dossier avec ton index.html, image, etc.
src = ./porzh.me; # le dossier avec ton index.html, image, etc.
installPhase = ''
mkdir -p $out
@ -16,7 +14,7 @@ in {
enable = true;
virtualHosts = {
"porzh.me" = {
serverAliases = [ "www.porzh.me" ];
serverAliases = ["www.porzh.me"];
extraConfig = ''
root * ${porzhSite}
file_server
@ -25,4 +23,3 @@ in {
};
};
}