DuN0z/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

CLEAN: nix develop

Browse source
This commit is contained in:
DuN0z 2025-10-05 08:20:57 +02:00
parent daeb15f821
commit c495445e91
22 changed files with 439 additions and 423 deletions
Download patch file Download diff file Expand all files Collapse all files

23
flake.nix
View file

@ -22,24 +22,25 @@
home-manager, home-manager,
nur, nur,
... ...
} @ inputs: let }: let
mkUnstablePkgsWithNur = { system, config ? {} }: mkUnstablePkgsWithNur = {
system,
config ? {},
}:
import nixpkgs-unstable { import nixpkgs-unstable {
inherit system; inherit system;
overlays = [ nur.overlays.default ]; overlays = [nur.overlays.default];
config = config ; inherit config;
}; };
in in {
{
nixosConfigurations = { nixosConfigurations = {
pennsardin = nixpkgs-unstable.lib.nixosSystem { pennsardin = nixpkgs-unstable.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
pkgs = mkUnstablePkgsWithNur { pkgs = mkUnstablePkgsWithNur {
system = "x86_64-linux"; system = "x86_64-linux";
config = { config = {
allowUnfree = true ; allowUnfree = true;
allowUnsupportedSystem = true ; allowUnsupportedSystem = true;
}; };
}; };
modules = [ modules = [
@ -65,12 +66,12 @@
}; };
}; };
# --- DevShell (x86_64 uniquement) --- # --- DevShell (x86_64 uniquement) ---
devShells.x86_64-linux.default = import ./devshell.nix { devShells.x86_64-linux.default = import ./devshell.nix {
pkgs = import nixpkgs-stable {system = "x86_64-linux";}; pkgs = import nixpkgs-stable {system = "x86_64-linux";};
}; };
# --- Formatter (x86_64 uniquement) --- # --- Formatter (x86_64 uniquement) ---
formatter.x86_64-linux = formatter.x86_64-linux =
(import nixpkgs-stable {system = "x86_64-linux";}).alejandra; (import nixpkgs-stable {system = "x86_64-linux";}).alejandra;
}; };

18
hm/common/browser.nix
View file

@ -1,15 +1,19 @@
{pkgs, nur, ... }: { {
pkgs,
nur,
...
}: {
programs.firefox = { programs.firefox = {
enable = true; enable = true;
languagePacks = ["fr"]; languagePacks = ["fr"];
profiles.default = { profiles.default = {
settings = { settings = {
"intl.locale.requested" = "fr" ; "intl.locale.requested" = "fr";
"intl.accept_languages" = "fr, en-US, en"; "intl.accept_languages" = "fr, en-US, en";
"layers.acceleration.disabled" = true ; "layers.acceleration.disabled" = true;
"gfx.webrender.all" = false ; "gfx.webrender.all" = false;
"privacy.trackingprotection.enabled" = true ; "privacy.trackingprotection.enabled" = true;
"privacy.resistFingerprinting" = true ; "privacy.resistFingerprinting" = true;
"network.cookie.cookieBehavior" = 1; "network.cookie.cookieBehavior" = 1;
}; };
extensions.packages = with pkgs.nur.repos.rycee.firefox-addons; [ extensions.packages = with pkgs.nur.repos.rycee.firefox-addons; [
@ -20,6 +24,6 @@
]; ];
}; };
}; };
} }
# vim: set ts=2 sw=2 sts=2 et : # vim: set ts=2 sw=2 sts=2 et :

2
hm/common/git.nix
View file

@ -1,7 +1,7 @@
_: { _: {
programs.git = { programs.git = {
enable = true; enable = true;
userName = "DuN0z" ; userName = "DuN0z";
userEmail = "dun0z@porzh.me"; userEmail = "dun0z@porzh.me";
}; };
} }

119
hm/desktop/bspwm.nix
View file

@ -1,20 +1,42 @@
# hm/desktop/bspwm.nix # hm/desktop/bspwm.nix
{ pkgs, lib, ... }:
{ {
pkgs,
lib,
...
}: {
imports = [ imports = [
../common/browser.nix ../common/browser.nix
]; ];
home.packages = with pkgs; [ home.packages = with pkgs; [
bspwm sxhkd xorg.xinit xterm alacritty rofi feh font-awesome bspwm
picom xorg.xset xidlehook betterlockscreen pywal16 imagemagick sxhkd
pulsemixer ranger jq file highlight unzip mpv xorg.xinit
xterm
alacritty
rofi
feh
font-awesome
picom
xorg.xset
xidlehook
betterlockscreen
pywal16
imagemagick
pulsemixer
ranger
jq
file
highlight
unzip
mpv
protonvpn-gui protonvpn-gui
]; ];
# Gère le ssh-agent proprement côté user # Gère le ssh-agent proprement côté user
services.ssh-agent.enable = true; services.ssh-agent.enable = true;
xsession.enable = true; xsession = {
enable = true;
xsession.windowManager.bspwm = { xsession.windowManager.bspwm = {
enable = true; enable = true;
@ -34,18 +56,20 @@
bspc monitor -d I II III IV V VI bspc monitor -d I II III IV V VI
''; '';
}; };
};
# xsession.initExtra = '' # xsession.initExtra = ''
# xset s 300 300 # xset s 300 300
# xset s on # xset s on
# xset s noblank # xset s noblank
# xset +dpms # xset +dpms
# xset dpms 0 0 500 # xset dpms 0 0 500
# ''; # '';
services.sxhkd = { services = {
sxhkd = {
enable = true; enable = true;
extraOptions = [ "-m" "1" ]; extraOptions = ["-m" "1"];
keybindings = { keybindings = {
"super + Return" = "alacritty"; "super + Return" = "alacritty";
"super + c" = "bspc node -c"; "super + c" = "bspc node -c";
@ -82,25 +106,7 @@
"super + t" = "bspc node -t tiled"; "super + t" = "bspc node -t tiled";
}; };
}; };
polybar = {
# xidlehook (user service)
systemd.user.services.xidlehook = {
Unit.Description = "Idle: lock at 5min, suspend at ~8min";
Service = {
ExecStart = ''
${pkgs.xidlehook}/bin/xidlehook \
--detect-sleep \
--not-when-fullscreen \
--timer 300 "${pkgs.betterlockscreen}/bin/betterlockscreen -l dim" "" \
--timer 500 "systemctl suspend" ""
'';
Restart = "always";
};
Install.WantedBy = [ "graphical-session.target" ];
};
# polybar (config intégrée pour démarrer simple)
services.polybar = {
enable = true; enable = true;
script = "polybar main &"; script = "polybar main &";
config = { config = {
@ -133,23 +139,49 @@
}; };
}; };
}; };
};
# alacritty # xidlehook (user service)
programs.alacritty = { systemd.user.services.xidlehook = {
Unit.Description = "Idle: lock at 5min, suspend at ~8min";
Service = {
ExecStart = ''
${pkgs.xidlehook}/bin/xidlehook \
--detect-sleep \
--not-when-fullscreen \
--timer 300 "${pkgs.betterlockscreen}/bin/betterlockscreen -l dim" "" \
--timer 500 "systemctl suspend" ""
'';
Restart = "always";
};
Install.WantedBy = ["graphical-session.target"];
};
programs = {
alacritty = {
enable = true; enable = true;
settings = { settings = {
general.import = [ "~/.cache/wal/colors-alacritty.toml" ]; general.import = ["~/.cache/wal/colors-alacritty.toml"];
font = { font = {
normal = { family = lib.mkForce "Iosevka Nerd Font"; style = "Regular"; }; normal = {
bold = { family = lib.mkForce "Iosevka Nerd Font"; style = "Bold"; }; family = lib.mkForce "Iosevka Nerd Font";
italic = { family = lib.mkForce "Iosevka Nerd Font"; style = "Italic"; }; style = "Regular";
};
bold = {
family = lib.mkForce "Iosevka Nerd Font";
style = "Bold";
};
italic = {
family = lib.mkForce "Iosevka Nerd Font";
style = "Italic";
};
size = lib.mkForce 9; size = lib.mkForce 9;
}; };
}; };
}; };
programs.rtorrent = { rtorrent = {
enable = true ; enable = true;
extraConfig = '' extraConfig = ''
directory = /srv/raid directory = /srv/raid
port_range = 6881-6891 port_range = 6881-6891
@ -160,10 +192,11 @@
pieces.hash.on_completion.set = no pieces.hash.on_completion.set = no
network.max_open_files.set = 8192 network.max_open_files.set = 8192
session = /home/lomig/.cache/rtorrent/session session = /home/lomig/.cache/rtorrent/session
''; '';
}; };
};
home.activation.createRtorrentSessionDir = lib.hm.dag.entryAfter ["writeBoundary"] '' home.activation.createRtorrentSessionDir = lib.hm.dag.entryAfter ["writeBoundary"] ''
mkdir -p ~/.cache/rtorrent/session mkdir -p ~/.cache/rtorrent/session
''; '';
} }

85
hosts/forbann/configuration.nix
View file

@ -1,67 +1,70 @@
{ config, pkgs, ...}: {pkgs, ...}: {
{ boot = {
boot.loader.grub = { kernelPackages = pkgs.linuxPackages;
enable = true ; initrd.supportedFilesystems = ["ext4"];
loader.grub = {
enable = true;
device = "/dev/vda"; device = "/dev/vda";
}; };
fileSystems."/" = {
device = "/dev/vda1" ;
fsType = "ext4" ;
}; };
fileSystems."/srv" = { fileSystems = {
device = "shared0" ; "/" = {
fsType = "9p" ; device = "/dev/vda1";
options = [ "trans=virtio" "version=9p2000.L" "rw" ]; fsType = "ext4";
neededForBoot = false ;
noCheck = true ;
}; };
"/srv" = {
systemd.services.mountShared = { device = "shared0";
description = "Mount 9p shared folder" ; fsType = "9p";
after = [ "local-fs.target" "network.target" ]; options = ["trans=virtio" "version=9p2000.L" "rw"];
wantedBy = [ "multi-user.target" ]; neededForBoot = false;
serviceConfig = { noCheck = true;
Type = "oneshot" ;
ExecStart = "${pkgs.util-linux}/bin/mount -t 9p -o trans=virtio,version=9p2000.L shared0 /srv";
RemainAfterExit = true ;
}; };
}; };
boot.kernelPackages = pkgs.linuxPackages ;
boot.initrd.supportedFilesystems = [ "ext4" ];
networking = { networking = {
useDHCP = true; useDHCP = true;
useNetworkd = true ; useNetworkd = true;
hostName = "forbann" ; hostName = "forbann";
}; };
systemd.network = { systemd = {
enable = true ; services.mountShared = {
description = "Mount 9p shared folder";
after = ["local-fs.target" "network.target"];
wantedBy = ["multi-user.target"];
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.util-linux}/bin/mount -t 9p -o trans=virtio,version=9p2000.L shared0 /srv";
RemainAfterExit = true;
};
};
network = {
enable = true;
networks."10-eth0" = { networks."10-eth0" = {
matchConfig.Name = "eth0"; matchConfig.Name = "eth0";
networkConfig = { networkConfig = {
Address = "192.168.1.10/24"; Address = "192.168.1.10/24";
Gateway = "192.168.0.254" ; Gateway = "192.168.0.254";
DNS = "192.168.0.254" ; DNS = "192.168.0.254";
};
}; };
}; };
}; };
services.openssh.enable = true ; services = {
openssh.enable = true;
services.rtorrent = { rtorrent = {
enable = true ; enable = true;
dataDir = "/home/vmuser/torrents" ; dataDir = "/home/vmuser/torrents";
};
}; };
users.users.vmuser = { users.users.vmuser = {
isNormalUser = true ; isNormalUser = true;
extraGroups = [ "wheel" ]; extraGroups = ["wheel"];
password = "changeme" ; password = "changeme";
}; };
system.stateVersion = "25.05" ; system.stateVersion = "25.05";
} }

58
hosts/pennsardin/configuration.nix
View file

@ -8,34 +8,31 @@
networking.hostName = "pennsardin"; networking.hostName = "pennsardin";
boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelPackages = pkgs.linuxPackages_latest;
boot.swraid.enable = true ; boot.swraid.enable = true;
fileSystems = {
fileSystems."/" = "/" = {
{ device = "/dev/disk/by-uuid/b1a1ae71-4277-45d5-a3d2-f49354f263d4"; device = "/dev/disk/by-uuid/b1a1ae71-4277-45d5-a3d2-f49354f263d4";
fsType = "ext4"; fsType = "ext4";
}; };
"/boot" = {
fileSystems."/boot" = device = "/dev/disk/by-uuid/1DB2-7A0F";
{ device = "/dev/disk/by-uuid/1DB2-7A0F";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ]; options = ["fmask=0077" "dmask=0077"];
}; };
"/proc" = {
fileSystems."/proc" = device = "proc";
{ fsType = "proc";
device = "proc" ; options = ["defaults" "hidepid=2"];
fsType = "proc" ; neededForBoot = true;
options = [ "defaults" "hidepid=2" ];
neededForBoot = true ;
}; };
"/srv/raid" = {
fileSystems."/srv/raid" = device = "/dev/disk/by-uuid/85f72160-4720-463a-9dc6-7c5216733f2b";
{ device = "/dev/disk/by-uuid/85f72160-4720-463a-9dc6-7c5216733f2b";
fsType = "btrfs"; fsType = "btrfs";
}; };
};
swapDevices = [ ]; swapDevices = [];
users.users.lomig = { users.users.lomig = {
isNormalUser = true; isNormalUser = true;
@ -49,27 +46,27 @@
}; };
networking = { networking = {
useNetworkd = true ; useNetworkd = true;
firewall.allowedTCPPorts = [ 22 80 5900 5901 5902 ]; firewall.allowedTCPPorts = [22 80 5900 5901 5902];
interfaces.enp11s0.useDHCP = false ; interfaces.enp11s0.useDHCP = false;
interfaces.br0 = { interfaces.br0 = {
useDHCP = false ; useDHCP = false;
ipv4.addresses = [ ipv4.addresses = [
{ {
address = "192.168.0.2"; address = "192.168.0.2";
prefixLength = 24 ; prefixLength = 24;
} }
]; ];
}; };
defaultGateway = { defaultGateway = {
interface = "br0" ; interface = "br0";
address = "192.168.0.254" ; address = "192.168.0.254";
}; };
nameservers = [ "192.168.0.254" "1.1.1.1" ]; nameservers = ["192.168.0.254" "1.1.1.1"];
bridges.br0.interfaces = [ "enp11s0" ]; bridges.br0.interfaces = ["enp11s0"];
}; };
systemd.network = { systemd.network = {
enable = true ; enable = true;
netdevs."br0" = { netdevs."br0" = {
netdevConfig = { netdevConfig = {
Name = "br0"; Name = "br0";
@ -77,7 +74,7 @@
}; };
}; };
networks."br0" = { networks."br0" = {
matchConfig.Name = "br0" ; matchConfig.Name = "br0";
}; };
networks."enp11s0" = { networks."enp11s0" = {
matchConfig.Name = "enp11s0"; matchConfig.Name = "enp11s0";
@ -87,6 +84,5 @@
system.stateVersion = "25.05"; # pour éviter les hurlements inutiles system.stateVersion = "25.05"; # pour éviter les hurlements inutiles
} }
# vim: set ts=2 sw=2 sts=2 et : # vim: set ts=2 sw=2 sts=2 et :

38
hosts/terre-neuvas/configuration.nix
View file

@ -1,14 +1,14 @@
# Edit this configuration file to define what should be installed on # Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page # your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help). # and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{ {
config,
nix.settings.experimental-features = ["nix-command" "flakes" ]; pkgs,
imports = ...
[ # Include the results of the hardware scan. }: {
nix.settings.experimental-features = ["nix-command" "flakes"];
imports = [
# Include the results of the hardware scan.
./hardware.nix ./hardware.nix
../../profiles/server-selfhosted.nix ../../profiles/server-selfhosted.nix
../../modules/services/ftp.nix ../../modules/services/ftp.nix
@ -32,7 +32,7 @@
users.users.lomig = { users.users.lomig = {
isNormalUser = true; isNormalUser = true;
extraGroups = [ "lp" "wheel" "docker" ]; extraGroups = ["lp" "wheel" "docker"];
shell = pkgs.zsh; shell = pkgs.zsh;
}; };
@ -49,27 +49,27 @@
hugo hugo
]; ];
networking = { networking = {
useNetworkd = true ; useNetworkd = true;
firewall.allowedTCPPorts = [ 22 80 5900 5901 5902 ]; firewall.allowedTCPPorts = [22 80 5900 5901 5902];
interfaces.eno1.useDHCP = false ; interfaces.eno1.useDHCP = false;
interfaces.br0 = { interfaces.br0 = {
useDHCP = false ; useDHCP = false;
ipv4.addresses = [ ipv4.addresses = [
{ {
address = "192.168.0.3"; address = "192.168.0.3";
prefixLength = 24 ; prefixLength = 24;
} }
]; ];
}; };
defaultGateway = { defaultGateway = {
interface = "br0" ; interface = "br0";
address = "192.168.0.254" ; address = "192.168.0.254";
}; };
nameservers = [ "192.168.0.254" "1.1.1.1" ]; nameservers = ["192.168.0.254" "1.1.1.1"];
bridges.br0.interfaces = [ "eno1" ]; bridges.br0.interfaces = ["eno1"];
}; };
systemd.network = { systemd.network = {
enable = true ; enable = true;
netdevs."br0" = { netdevs."br0" = {
netdevConfig = { netdevConfig = {
Name = "br0"; Name = "br0";
@ -77,7 +77,7 @@
}; };
}; };
networks."br0" = { networks."br0" = {
matchConfig.Name = "br0" ; matchConfig.Name = "br0";
}; };
networks."eno1" = { networks."eno1" = {
matchConfig.Name = "eno1"; matchConfig.Name = "eno1";

51
hosts/terre-neuvas/hardware.nix
View file

@ -1,46 +1,43 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = config,
[ (modulesPath + "/installer/scan/not-detected.nix") lib,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ]; boot = {
boot.initrd.kernelModules = [ ]; initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod"];
boot.kernelModules = lib.mkAfter [ "kvm-intel" "tun" ]; initrd.kernelModules = [];
boot.extraModulePackages = [ ]; kernelModules = lib.mkAfter ["kvm-intel" "tun"];
extraModulePackages = [];
};
fileSystems."/" = fileSystems = {
{ device = "/dev/disk/by-uuid/f37e4afb-1ee2-4f70-a93c-398461405181"; "/" = {
device = "/dev/disk/by-uuid/f37e4afb-1ee2-4f70-a93c-398461405181";
fsType = "ext4"; fsType = "ext4";
}; };
"/boot" = {
fileSystems."/boot" = device = "/dev/disk/by-uuid/111D-E5E8";
{ device = "/dev/disk/by-uuid/111D-E5E8";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ]; options = ["fmask=0077" "dmask=0077"];
}; };
"/srv" = {
fileSystems."/srv" = device = "/dev/disk/by-uuid/2ef442a9-0eab-4dc5-b17c-076e18a54873";
{ device = "/dev/disk/by-uuid/2ef442a9-0eab-4dc5-b17c-076e18a54873";
fsType = "btrfs"; fsType = "btrfs";
}; };
};
swapDevices = swapDevices = [
[ { device = "/dev/disk/by-uuid/c3a69154-ead9-4fcc-a9b1-3b741a42ee97"; } {device = "/dev/disk/by-uuid/c3a69154-ead9-4fcc-a9b1-3b741a42ee97";}
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
# networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
} }

2
modules/common/fonts.nix
View file

@ -1,4 +1,4 @@
{ pkgs, ...}: { {pkgs, ...}: {
fonts.packages = with pkgs; [ fonts.packages = with pkgs; [
dejavu_fonts dejavu_fonts
]; ];

4
modules/common/networking.nix
View file

@ -1,8 +1,8 @@
_: { _: {
networking = { networking = {
nameservers = ["1.1.1.1" "8.8.8.8"]; nameservers = ["1.1.1.1" "8.8.8.8"];
# dhcpcd.extraConfig = "nohook resolv.conf"; # dhcpcd.extraConfig = "nohook resolv.conf";
firewall.enable = true; firewall.enable = true;
interfaces.enp11s0.wakeOnLan.enable = true ; interfaces.enp11s0.wakeOnLan.enable = true;
}; };
} }

4
modules/common/nix.nix
View file

@ -5,7 +5,7 @@
}; };
nixpkgs.config = { nixpkgs.config = {
# allowUnfree = true; # allowUnfree = true;
# allowUnsupportedSystem = true; # allowUnsupportedSystem = true;
}; };
} }

7
modules/common/qemu.nix
View file

@ -29,14 +29,13 @@
ovmf.packages = [pkgs.OVMFFull.fd]; ovmf.packages = [pkgs.OVMFFull.fd];
runAsRoot = false; runAsRoot = false;
swtpm.enable = true; swtpm.enable = true;
} else { }
else {
runAsRoot = false; runAsRoot = false;
swtpm.enable = true; swtpm.enable = true;
}; };
}; };
users.users.lomig.extraGroups = ["libvirtd" "kvm" "input"]; users.users.lomig.extraGroups = ["libvirtd" "kvm" "input"];
environment.etc."qemu/bridge.conf".text = '' environment.etc."qemu/bridge.conf".text = ''
@ -47,7 +46,7 @@
source = "${pkgs.qemu}/libexec/qemu-bridge-helper"; source = "${pkgs.qemu}/libexec/qemu-bridge-helper";
owner = "root"; owner = "root";
group = "kvm"; group = "kvm";
setuid = true ; setuid = true;
permissions = "u+rwx,g+rx,o+rx"; permissions = "u+rwx,g+rx,o+rx";
}; };
} }

8
modules/desktop/xorg-bspwm.nix
View file

@ -1,15 +1,11 @@
{ {lib, ...}: {
config,
lib,
...
}: {
services = { services = {
xserver = { xserver = {
enable = true; enable = true;
displayManager = { displayManager = {
lightdm.enable = true; lightdm.enable = true;
}; };
windowManager.bspwm.enable = true ; windowManager.bspwm.enable = true;
}; };
displayManager = { displayManager = {
gdm.enable = lib.mkForce false; gdm.enable = lib.mkForce false;

4
modules/roles/workstation.nix
View file

@ -11,8 +11,8 @@
../virtual/vfio.nix ../virtual/vfio.nix
# Dev # Dev
# ../dev/qemu.nix # ../dev/qemu.nix
# ../virtual/truenas.nix # seulement si tu lutilises sur ce host # ../virtual/truenas.nix # seulement si tu lutilises sur ce host
]; ];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [

29
modules/services/forgejo.nix
View file

@ -1,6 +1,4 @@
# NixOS module Forgejo avec SQLite, SSH et reverse proxy Caddy {pkgs, ...}: {
{ config, pkgs, lib, ... }: {
# --- Utilisateur dédié --- # --- Utilisateur dédié ---
users.users.git = { users.users.git = {
isSystemUser = true; isSystemUser = true;
@ -11,7 +9,8 @@
users.groups.git = {}; users.groups.git = {};
# --- Forgejo --- # --- Forgejo ---
services.forgejo = { services = {
forgejo = {
enable = true; enable = true;
user = "git"; user = "git";
group = "git"; group = "git";
@ -37,16 +36,8 @@
}; };
}; };
}; };
openssh.enable = true;
# --- Ouvrir les ports nécessaires --- caddy = {
networking.firewall.allowedTCPPorts = [ 80 443 2222 ];
# --- Rediriger port SSH interne de Forgejo ---
services.openssh.enable = true;
networking.firewall.interfaces."eth0".allowedTCPPorts = [ 22 ]; # pour admin
# --- Caddy pour govel.porzh.me ---
services.caddy = {
enable = true; enable = true;
virtualHosts."govel.porzh.me" = { virtualHosts."govel.porzh.me" = {
extraConfig = '' extraConfig = ''
@ -54,9 +45,15 @@
''; '';
}; };
}; };
};
# --- Ouvrir les ports nécessaires ---
networking.firewall = {
allowedTCPPorts = [80 443 2222];
interfaces."eth0".allowedTCPPorts = [22];
};
# --- Pour que Forgejo génère les bonnes URLs Git --- # --- Pour que Forgejo génère les bonnes URLs Git ---
# networking.hostName = "git"; # non strictement obligatoire # networking.hostName = "git"; # non strictement obligatoire
# --- Optionnel : config DNS --- # --- Optionnel : config DNS ---
# git.lomig.me -> ton IP publique (ou IP locale si LAN) # git.lomig.me -> ton IP publique (ou IP locale si LAN)
@ -67,6 +64,4 @@
# --- Astuce : génère une paire de clés pour laccès SSH Git --- # --- Astuce : génère une paire de clés pour laccès SSH Git ---
# ssh-keygen -t ed25519 -f ~/.ssh/id_git_forgejo # ssh-keygen -t ed25519 -f ~/.ssh/id_git_forgejo
# puis ajoute la clé publique dans ton compte Forgejo # puis ajoute la clé publique dans ton compte Forgejo
} }

10
modules/services/ftp.nix
View file

@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: { _: {
# ------------------------------------------------- # -------------------------------------------------
# 1⃣ Création de lutilisateur système dédié FTP # 1⃣ Création de lutilisateur système dédié FTP
# ------------------------------------------------- # -------------------------------------------------
@ -48,22 +48,20 @@
# Chroot chaque utilisateur local dans son $HOME # Chroot chaque utilisateur local dans son $HOME
chrootlocalUser = true; chrootlocalUser = true;
allowWriteableChroot = true ; allowWriteableChroot = true;
extraConfig = '' extraConfig = ''
pasv_min_port=40000 pasv_min_port=40000
pasv_max_port=40004 pasv_max_port=40004
''; '';
}; };
# ------------------------------------------------- # -------------------------------------------------
# 4⃣ Ouverture des ports dans le firewall NixOS # 4⃣ Ouverture des ports dans le firewall NixOS
# ------------------------------------------------- # -------------------------------------------------
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ 21 40000 40001 40002 40003 40004 ]; allowedTCPPorts = [21 40000 40001 40002 40003 40004];
# Si vous utilisez FTPS implicite (port 990) : # Si vous utilisez FTPS implicite (port 990) :
# allowedTCPPorts = [ 21 990 40000 40001 40002 40003 40004 ]; # allowedTCPPorts = [ 21 990 40000 40001 40002 40003 40004 ];
}; };
} }

12
modules/services/goaccess.nix
View file

@ -1,9 +1,9 @@
{ pkgs, ... }: { {pkgs, ...}: {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
goaccess goaccess
]; ];
# Service pour générer le rapport statique GoAccess # Service pour générer le rapport statique GoAccess
systemd.services.goaccess-report = { systemd.services.goaccess-report = {
description = "Generate GoAccess HTML report"; description = "Generate GoAccess HTML report";
serviceConfig = { serviceConfig = {
@ -11,10 +11,10 @@
}; };
}; };
# Timer pour régénérer le rapport toutes les heures # Timer pour régénérer le rapport toutes les heures
systemd.timers.goaccess-report = { systemd.timers.goaccess-report = {
description = "Hourly GoAccess report generation"; description = "Hourly GoAccess report generation";
wantedBy = [ "timers.target" ]; wantedBy = ["timers.target"];
timerConfig = { timerConfig = {
OnCalendar = "hourly"; OnCalendar = "hourly";
Persistent = true; Persistent = true;
@ -32,6 +32,4 @@
}; };
}; };
}; };
}
}

2
modules/services/pihole.nix
View file

@ -19,6 +19,6 @@
"/srv/pihole/etc-pihole:/etc/pihole" "/srv/pihole/etc-pihole:/etc/pihole"
"/srv/pihole/etc-dnsmasq.d:/etc/dnsmasq.d" "/srv/pihole/etc-dnsmasq.d:/etc/dnsmasq.d"
]; ];
extraOptions = [ "--cap-add=NET_ADMIN" ]; extraOptions = ["--cap-add=NET_ADMIN"];
}; };
} }

47
modules/sites/levr.porzh.me.nix
View file

@ -1,28 +1,27 @@
{ config, pkgs, ... }: _: {
{ # -----------------------------------------------------------------
# ----------------------------------------------------------------- # 1⃣ Caddy (reverseproxy / serveur web statique)
# 1⃣ Caddy (reverseproxy / serveur web statique) # -----------------------------------------------------------------
# -----------------------------------------------------------------
services.caddy = { services.caddy = {
enable = true; enable = true;
# Caddy démarre en tant quutilisateur «caddy». # Caddy démarre en tant quutilisateur «caddy».
# On lui donne accès au répertoire du blog via les ACL créées plus haut. # On lui donne accès au répertoire du blog via les ACL créées plus haut.
# (Pas besoin de config supplémentaire côté OS.) # (Pas besoin de config supplémentaire côté OS.)
# ----------------------------------------------------------------- # -----------------------------------------------------------------
# 2⃣ Sites gérés par Caddy (Caddyfile intégré) # 2⃣ Sites gérés par Caddy (Caddyfile intégré)
# ----------------------------------------------------------------- # -----------------------------------------------------------------
virtualHosts = { virtualHosts = {
"levr.porzh.me" = { "levr.porzh.me" = {
# Le domaine sera automatiquement provisionné avec TLS via ACME # Le domaine sera automatiquement provisionné avec TLS via ACME
# (Let's Encrypt) grâce à loption `autoHTTPS = true` (défaut). # (Let's Encrypt) grâce à loption `autoHTTPS = true` (défaut).
# Aucun certificat manuel nest requis. # Aucun certificat manuel nest requis.
# Le répertoire contenant les fichiers générés par Hugo # Le répertoire contenant les fichiers générés par Hugo
# (Optionnel) Rediriger HTTP → HTTPS Caddy le fait déjà, # (Optionnel) Rediriger HTTP → HTTPS Caddy le fait déjà,
# mais on le rend explicite pour la clarté. # mais on le rend explicite pour la clarté.
extraConfig = '' extraConfig = ''
@http { @http {
protocol http protocol http
@ -39,11 +38,11 @@
}; };
}; };
# ----------------------------------------------------------------- # -----------------------------------------------------------------
# 3⃣ Ouverture du firewall (ports 80 et 443) # 3⃣ Ouverture du firewall (ports 80 et 443)
# ----------------------------------------------------------------- # -----------------------------------------------------------------
# networking.firewall.allowedTCPPorts = [ # networking.firewall.allowedTCPPorts = [
# 80 # HTTP (pour la redirection ACME) # 80 # HTTP (pour la redirection ACME)
# 443 # HTTPS (site final) # 443 # HTTPS (site final)
# ]; # ];
} }

7
modules/sites/porzh.me.nix
View file

@ -1,6 +1,4 @@
{ config, pkgs, ... }: {pkgs, ...}: let
let
porzhSite = pkgs.stdenv.mkDerivation { porzhSite = pkgs.stdenv.mkDerivation {
pname = "porzh-site"; pname = "porzh-site";
version = "1.0"; version = "1.0";
@ -16,7 +14,7 @@ in {
enable = true; enable = true;
virtualHosts = { virtualHosts = {
"porzh.me" = { "porzh.me" = {
serverAliases = [ "www.porzh.me" ]; serverAliases = ["www.porzh.me"];
extraConfig = '' extraConfig = ''
root * ${porzhSite} root * ${porzhSite}
file_server file_server
@ -25,4 +23,3 @@ in {
}; };
}; };
} }

4
profiles/server-selfhosted.nix
View file

@ -12,8 +12,8 @@
services.openssh = { services.openssh = {
enable = true; enable = true;
settings = { settings = {
PasswordAuthentication = false ; PasswordAuthentication = false;
PubkeyAuthentication = true ; PubkeyAuthentication = true;
}; };
}; };

4
profiles/workstation-bspwm.nix
View file

@ -20,8 +20,8 @@
services.openssh = { services.openssh = {
enable = true; enable = true;
settings = { settings = {
X11Forwarding = true ; X11Forwarding = true;
X11DisplayOffset = 10 ; X11DisplayOffset = 10;
}; };
}; };