+146

flake.lock

reviewed

··· 1 1 + { 2 2 + "nodes": { 3 3 + "agenix": { 4 4 + "inputs": { 5 5 + "darwin": "darwin", 6 6 + "home-manager": "home-manager", 7 7 + "nixpkgs": [ 8 8 + "nixpkgs" 9 9 + ], 10 10 + "systems": "systems" 11 11 + }, 12 12 + "locked": { 13 13 + "lastModified": 1747514353, 14 14 + "narHash": "sha256-E1WjB+zvDw4x058mg3MIdK5j2huvnNpTEEt2brhg2H8=", 15 15 + "owner": "ryantm", 16 16 + "repo": "agenix", 17 17 + "rev": "6697e8babbd8f323dfd5e28f160a0128582c128b", 18 18 + "type": "github" 19 19 + }, 20 20 + "original": { 21 21 + "owner": "ryantm", 22 22 + "repo": "agenix", 23 23 + "type": "github" 24 24 + } 25 25 + }, 26 26 + "darwin": { 27 27 + "inputs": { 28 28 + "nixpkgs": [ 29 29 + "agenix", 30 30 + "nixpkgs" 31 31 + ] 32 32 + }, 33 33 + "locked": { 34 34 + "lastModified": 1744478979, 35 35 + "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", 36 36 + "owner": "lnl7", 37 37 + "repo": "nix-darwin", 38 38 + "rev": "43975d782b418ebf4969e9ccba82466728c2851b", 39 39 + "type": "github" 40 40 + }, 41 41 + "original": { 42 42 + "owner": "lnl7", 43 43 + "ref": "master", 44 44 + "repo": "nix-darwin", 45 45 + "type": "github" 46 46 + } 47 47 + }, 48 48 + "disko": { 49 49 + "inputs": { 50 50 + "nixpkgs": [ 51 51 + "nixpkgs" 52 52 + ] 53 53 + }, 54 54 + "locked": { 55 55 + "lastModified": 1747274630, 56 56 + "narHash": "sha256-87RJwXbfOHyzTB9LYagAQ6vOZhszCvd8Gvudu+gf3qo=", 57 57 + "owner": "nix-community", 58 58 + "repo": "disko", 59 59 + "rev": "ec7c109a4f794fce09aad87239eab7f66540b888", 60 60 + "type": "github" 61 61 + }, 62 62 + "original": { 63 63 + "owner": "nix-community", 64 64 + "repo": "disko", 65 65 + "type": "github" 66 66 + } 67 67 + }, 68 68 + "home-manager": { 69 69 + "inputs": { 70 70 + "nixpkgs": [ 71 71 + "agenix", 72 72 + "nixpkgs" 73 73 + ] 74 74 + }, 75 75 + "locked": { 76 76 + "lastModified": 1745494811, 77 77 + "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", 78 78 + "owner": "nix-community", 79 79 + "repo": "home-manager", 80 80 + "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", 81 81 + "type": "github" 82 82 + }, 83 83 + "original": { 84 84 + "owner": "nix-community", 85 85 + "repo": "home-manager", 86 86 + "type": "github" 87 87 + } 88 88 + }, 89 89 + "nixos-hardware": { 90 90 + "locked": { 91 91 + "lastModified": 1747129300, 92 92 + "narHash": "sha256-L3clA5YGeYCF47ghsI7Tcex+DnaaN/BbQ4dR2wzoiKg=", 93 93 + "owner": "NixOS", 94 94 + "repo": "nixos-hardware", 95 95 + "rev": "e81fd167b33121269149c57806599045fd33eeed", 96 96 + "type": "github" 97 97 + }, 98 98 + "original": { 99 99 + "owner": "NixOS", 100 100 + "repo": "nixos-hardware", 101 101 + "type": "github" 102 102 + } 103 103 + }, 104 104 + "nixpkgs": { 105 105 + "locked": { 106 106 + "lastModified": 1747467164, 107 107 + "narHash": "sha256-JBXbjJ0t6T6BbVc9iPVquQI9XSXCGQJD8c8SgnUquus=", 108 108 + "owner": "NixOS", 109 109 + "repo": "nixpkgs", 110 110 + "rev": "3fcbdcfc707e0aa42c541b7743e05820472bdaec", 111 111 + "type": "github" 112 112 + }, 113 113 + "original": { 114 114 + "owner": "NixOS", 115 115 + "ref": "nixpkgs-unstable", 116 116 + "repo": "nixpkgs", 117 117 + "type": "github" 118 118 + } 119 119 + }, 120 120 + "root": { 121 121 + "inputs": { 122 122 + "agenix": "agenix", 123 123 + "disko": "disko", 124 124 + "nixos-hardware": "nixos-hardware", 125 125 + "nixpkgs": "nixpkgs" 126 126 + } 127 127 + }, 128 128 + "systems": { 129 129 + "locked": { 130 130 + "lastModified": 1681028828, 131 131 + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", 132 132 + "owner": "nix-systems", 133 133 + "repo": "default", 134 134 + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", 135 135 + "type": "github" 136 136 + }, 137 137 + "original": { 138 138 + "owner": "nix-systems", 139 139 + "repo": "default", 140 140 + "type": "github" 141 141 + } 142 142 + } 143 143 + }, 144 144 + "root": "root", 145 145 + "version": 7 146 146 + }

+3 -12

hosts/polecat/configuration.nix

reviewed

··· 9 9 imports = [ 10 10 ./hardware-configuration.nix 11 11 ../../modules/nixos/common/i18n.nix 12 12 + ../../modules/nixos/server/traefik.nix 13 13 + ../../modules/nixos/server/home-assistant.nix 12 14 ]; 13 15 14 16 age.secrets."passwd".file = ../../secrets/common/passwd.age; ··· 23 25 hostName = "polecat"; 24 26 networkmanager.enable = true; 25 27 domain = "otter.place"; 26 26 - useDHCP = false; 27 27 - interfaces.enp1s0 = { 28 28 - useDHCP = false; 29 29 - ipv4.addresses = [ 30 30 - { 31 31 - address = "192.168.1.50"; 32 32 - prefixLength = 24; 33 33 - } 34 34 - ]; 35 35 - }; 36 36 - defaultGateway = "192.168.1.1"; 37 37 - nameservers = [ "192.168.1.1" "1.1.1.1" ]; 28 28 + useDHCP = lib.mkForce true; 38 29 }; 39 30 40 31 time.timeZone = "Europe/Paris";

+27

modules/nixos/server/home-assistant.nix

reviewed

··· 1 1 + { pkgs, config, ... }: 2 2 + 3 3 + { 4 4 + virtualisation.oci-containers = { 5 5 + backend = "podman"; 6 6 + containers.homeassistant = { 7 7 + volumes = [ "home-assistant:/config" ]; 8 8 + environment.TZ = "Europe/Paris"; 9 9 + # Note: The image will not be updated on rebuilds, unless the version label changes 10 10 + image = "ghcr.io/home-assistant/home-assistant:2025.5.2"; 11 11 + autoStart = true; 12 12 + extraOptions = [ 13 13 + "--network=host" 14 14 + "--device=/dev/ttyUSB0:/dev/ttyUSB0" 15 15 + ]; 16 16 + }; 17 17 + }; 18 18 + 19 19 + services.traefik.dynamicConfigOptions.http = { 20 20 + routers.hass = { 21 21 + entryPoints = ["websecure"]; 22 22 + service = "hass"; 23 23 + rule = "Host(`home.otter.place`)"; 24 24 + }; 25 25 + services.hass.loadBalancer.servers = [{url = "http://localhost:8123";}]; 26 26 + }; 27 27 + }

+49

modules/nixos/server/traefik.nix

reviewed

··· 1 1 + { pkgs, config, ... }: 2 2 + 3 3 + { 4 4 + age.secrets."cloudflare-traefik.env".file = ../../secrets/common/cloudflare-traefik.env.age; 5 5 + 6 6 + services.traefik = { 7 7 + enable = true; 8 8 + 9 9 + staticConfigOptions = { 10 10 + entryPoints = { 11 11 + web = { 12 12 + address = ":80"; 13 13 + asDefault = true; 14 14 + http.redirections.entrypoint = { 15 15 + to = "websecure"; 16 16 + scheme = "https"; 17 17 + }; 18 18 + }; 19 19 + 20 20 + websecure = { 21 21 + address = ":443"; 22 22 + asDefault = true; 23 23 + http.tls.certResolver = "letsencrypt"; 24 24 + }; 25 25 + }; 26 26 + 27 27 + log = { 28 28 + level = "INFO"; 29 29 + filePath = "${config.services.traefik.dataDir}/traefik.log"; 30 30 + format = "json"; 31 31 + }; 32 32 + 33 33 + certificatesResolvers.letsencrypt.acme = { 34 34 + email = "alex@otter.foo"; 35 35 + storage = "${config.services.traefik.dataDir}/acme.json"; 36 36 + dnschallenge.provider = "cloudflare"; 37 37 + }; 38 38 + 39 39 + api.dashboard = false; 40 40 + }; 41 41 + 42 42 + dynamicConfigOptions = { 43 43 + http.routers = {}; 44 44 + http.services = {}; 45 45 + }; 46 46 + }; 47 47 + 48 48 + systemd.services.traefik.serviceConfig.EnvironmentFile = [config.age.secrets."cloudflare-traefik.env".path]; 49 49 + }

+9

secrets/common/cloudflare-traefik.env.age

reviewed

··· 1 1 + age-encryption.org/v1 2 2 + -> ssh-ed25519 eJaLeQ LLUTYC+ekESSJ4C2vriCF5C+7mkKPbwV3XswScf+Unc 3 3 + 5b3elAC4IXlzAZro4n4ccDN//DWaeh7x5Z/n3H3Dg84 4 4 + -> ssh-ed25519 PCx17Q tjbDRbNb4mmTDIdlAfGAFZLo2eyAt/w/7PaVkcvuW24 5 5 + AP/q1OXywWx4cHivo4I5qajgAyhlIfbpkYvX28EW5go 6 6 + -> ssh-ed25519 Z6U4Gw hEihGotHJWqqyqZT6an98xX6Nmu8K5REwPuPIBEgszc 7 7 + Ifu634nS0z0F4u5nnbbfQmXSMFy6JYb5ykiYKA68vrs 8 8 + --- suW2avpCtzYIi82hrWBWdcmNj1wonwvgE6bTO0UfLyQ 9 9 + ����گ;f���(���Ds'��"���C8mz�ܰ�L�4v�"���#):���Q�7\B�D� �,�x(���3�O~OD�Y���C_�

+1

secrets/secrets.nix

reviewed

··· 11 11 "paperless-password.age".publicKeys = [ alex ferret ]; 12 12 "miniflux-creds.age".publicKeys = [ alex ferret ]; 13 13 14 14 + "common/cloudflare-traefik.env.age".publicKeys = [ alex ferret polecat ]; 14 15 "common/passwd.age".publicKeys = [ alex polecat ferret ]; 15 16 }