Configuration for my NixOS based systems and Home Manager

Implement agenix, fixup for new ISP

+175 -58
-5
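--- a/coredns/packetlost.dev.hosts
+++ b/coredns/packetlost.dev.hosts
@@ -3,15 +3,10 @@
 192.168.1.3 plex.packetlost.dev
 192.168.1.3 jellyfin.packetlost.dev
 192.168.1.3 nats.packetlost.dev
-fe80::9ab7:85ff:fe1e:dfe8 plex.packetlost.dev
-fe80::9ab7:85ff:fe1e:dfe8 jellyfin.packetlost.dev
-fe80::9ab7:85ff:fe1e:dfe8 nats.packetlost.dev
-# Old edge proxy was 192.168.1.15
 
 # LAN Hosts
 192.168.1.3 misaki.packetlost.dev misaki
 192.168.1.3 cache.packetlost.dev cache
-#fe80::9ab7:85ff:fe1e:dfe8 misaki.packetlost.dev misaki
 192.168.1.5 komoe.packetlost.dev komoe
 192.168.1.6 rainbow.packetlost.dev rainbow
 192.168.1.10 ichika.packetlost.dev ichika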
+109 -13
flake.lock
··· 1 1 { 2 2 "nodes": { 3 + "agenix": { 4 + "inputs": { 5 + "darwin": "darwin", 6 + "home-manager": "home-manager", 7 + "nixpkgs": "nixpkgs", 8 + "systems": "systems" 9 + }, 10 + "locked": { 11 + "lastModified": 1762618334, 12 + "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=", 13 + "owner": "ryantm", 14 + "repo": "agenix", 15 + "rev": "fcdea223397448d35d9b31f798479227e80183f6", 16 + "type": "github" 17 + }, 18 + "original": { 19 + "owner": "ryantm", 20 + "repo": "agenix", 21 + "type": "github" 22 + } 23 + }, 24 + "darwin": { 25 + "inputs": { 26 + "nixpkgs": [ 27 + "agenix", 28 + "nixpkgs" 29 + ] 30 + }, 31 + "locked": { 32 + "lastModified": 1744478979, 33 + "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", 34 + "owner": "lnl7", 35 + "repo": "nix-darwin", 36 + "rev": "43975d782b418ebf4969e9ccba82466728c2851b", 37 + "type": "github" 38 + }, 39 + "original": { 40 + "owner": "lnl7", 41 + "ref": "master", 42 + "repo": "nix-darwin", 43 + "type": "github" 44 + } 45 + }, 3 46 "determinate-nixd-aarch64-darwin": { 4 47 "flake": false, 5 48 "locked": { ··· 162 205 "home-manager": { 163 206 "inputs": { 164 207 "nixpkgs": [ 208 + "agenix", 209 + "nixpkgs" 210 + ] 211 + }, 212 + "locked": { 213 + "lastModified": 1745494811, 214 + "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", 215 + "owner": "nix-community", 216 + "repo": "home-manager", 217 + "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", 218 + "type": "github" 219 + }, 220 + "original": { 221 + "owner": "nix-community", 222 + "repo": "home-manager", 223 + "type": "github" 224 + } 225 + }, 226 + "home-manager_2": { 227 + "inputs": { 228 + "nixpkgs": [ 165 229 "nixpkgs" 166 230 ] 167 231 }, ··· 184 248 "inputs": { 185 249 "flake-parts": "flake-parts", 186 250 "git-hooks-nix": "git-hooks-nix", 187 - "nixpkgs": "nixpkgs", 251 + "nixpkgs": "nixpkgs_2", 188 252 "nixpkgs-23-11": "nixpkgs-23-11", 189 253 "nixpkgs-regression": "nixpkgs-regression" 190 254 }, ··· 203 267 }, 204 268 
"nixpkgs": { 205 269 "locked": { 206 - "lastModified": 1761597516, 207 - "narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=", 208 - "rev": "daf6dc47aa4b44791372d6139ab7b25269184d55", 209 - "revCount": 811874, 210 - "type": "tarball", 211 - "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2505.811874%2Brev-daf6dc47aa4b44791372d6139ab7b25269184d55/019a3494-3498-707e-9086-1fb81badc7fe/source.tar.gz" 270 + "lastModified": 1754028485, 271 + "narHash": "sha256-IiiXB3BDTi6UqzAZcf2S797hWEPCRZOwyNThJIYhUfk=", 272 + "owner": "NixOS", 273 + "repo": "nixpkgs", 274 + "rev": "59e69648d345d6e8fef86158c555730fa12af9de", 275 + "type": "github" 212 276 }, 213 277 "original": { 214 - "type": "tarball", 215 - "url": "https://flakehub.com/f/NixOS/nixpkgs/0.2505" 278 + "owner": "NixOS", 279 + "ref": "nixos-25.05", 280 + "repo": "nixpkgs", 281 + "type": "github" 216 282 } 217 283 }, 218 284 "nixpkgs-23-11": { ··· 265 331 }, 266 332 "nixpkgs_2": { 267 333 "locked": { 334 + "lastModified": 1761597516, 335 + "narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=", 336 + "rev": "daf6dc47aa4b44791372d6139ab7b25269184d55", 337 + "revCount": 811874, 338 + "type": "tarball", 339 + "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2505.811874%2Brev-daf6dc47aa4b44791372d6139ab7b25269184d55/019a3494-3498-707e-9086-1fb81badc7fe/source.tar.gz" 340 + }, 341 + "original": { 342 + "type": "tarball", 343 + "url": "https://flakehub.com/f/NixOS/nixpkgs/0.2505" 344 + } 345 + }, 346 + "nixpkgs_3": { 347 + "locked": { 268 348 "lastModified": 1764494334, 269 349 "narHash": "sha256-x2xCEXUlU4Ap56+t5HaoReOQ/bV/bIQ5rzTn/m+V3HQ=", 270 350 "owner": "nixos", ··· 279 359 "type": "github" 280 360 } 281 361 }, 282 - "nixpkgs_3": { 362 + "nixpkgs_4": { 283 363 "locked": { 284 364 "lastModified": 1759417375, 285 365 "narHash": "sha256-O7eHcgkQXJNygY6AypkF9tFhsoDQjpNEojw3eFs73Ow=", ··· 299 379 "inputs": { 300 380 "flake-compat": "flake-compat_2", 301 381 "gitignore": "gitignore", 302 
- "nixpkgs": "nixpkgs_3" 382 + "nixpkgs": "nixpkgs_4" 303 383 }, 304 384 "locked": { 305 385 "lastModified": 1763988335, ··· 317 397 }, 318 398 "root": { 319 399 "inputs": { 400 + "agenix": "agenix", 320 401 "determinite": "determinite", 321 - "home-manager": "home-manager", 322 - "nixpkgs": "nixpkgs_2", 402 + "home-manager": "home-manager_2", 403 + "nixpkgs": "nixpkgs_3", 323 404 "nixpkgs-unstable": "nixpkgs-unstable", 324 405 "pre-commit-hooks": "pre-commit-hooks" 406 + } 407 + }, 408 + "systems": { 409 + "locked": { 410 + "lastModified": 1681028828, 411 + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", 412 + "owner": "nix-systems", 413 + "repo": "default", 414 + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", 415 + "type": "github" 416 + }, 417 + "original": { 418 + "owner": "nix-systems", 419 + "repo": "default", 420 + "type": "github" 325 421 } 326 422 } 327 423 },
+6 -3
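--- a/flake.nix
+++ b/flake.nix
@@ -14,6 +14,7 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 pre-commit-hooks.url = "github:cachix/git-hooks.nix";
+agenix.url = "github:ryantm/agenix";
 };
 
 outputs =
@@ -23,6 +24,7 @@
 , determinite
 , home-manager
 , pre-commit-hooks
+, agenix
 , ...
 }@inputs:
 let
@@ -44,10 +46,10 @@
 (final: prev: {
 # Override the version of Plex installed to be the latest
 plexRaw = prev.plexRaw.overrideAttrs rec {
-version = "1.43.0.10346-fc911a729";
+version = "1.43.0.10389-8be686aa6";
 src = final.fetchurl {
 url = "https://downloads.plex.tv/plex-media-server-new/${version}/debian/plexmediaserver_${version}_amd64.deb";
-sha256 = "jfQ11luQoafUYb5sGpvE7jPiErGt2HXVLwn70M/Hqyc=";
+sha256 = "0HjB8Ggekwl5dKwM1Kh51Ic25t3V6veKbuzM7czrpeg=";
 };
 };
 ## Override the json object that contains verions and hashes for Immich
@@ -71,10 +73,11 @@
 {
 nixosConfigurations.${name} = inputs.nixpkgs.lib.nixosSystem {
 inherit system;
-specialArgs = { inherit unstable; };
+specialArgs = { inherit unstable inputs; };
 modules = [
 determinite.nixosModules.default
 ./configuration.nix
+agenix.nixosModules.default
 home-manager.nixosModules.home-manager
 {
 home-manager.useGlobalPkgs = true;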
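Review bot: The new `agenix.url` on line 17 is declared without `inputs.nixpkgs.follows`, unlike the `home-manager` input three lines above it, and the lock file in this same commit shows the consequence: a second nixpkgs (`nixos-25.05` at a different revision), a second home-manager and a nix-darwin checkout that agenix pulls in on its own. Each of those is another pinned source to audit and bump, and the agenix module and CLI end up built against a different nixpkgs than the host. Add `agenix.inputs.nixpkgs.follows = "nixpkgs";` and `agenix.inputs.home-manager.follows = "home-manager";` next to the URL (and, if no macOS host is built from this flake and the Nix in use accepts it, `agenix.inputs.darwin.follows = "";`), then regenerate the lock with `nix flake lock`. The `plexRaw` bump is a fixed-output fetch so the new `sha256` pins the .deb, but the hash itself cannot be checked from the diff.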
+2 -1
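--- a/packages.nix
+++ b/packages.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, ... }:
+{ pkgs, lib, inputs, ... }:
 let # bash script to let dbus know about important env variables and
 # propagate them to relevent services run at the end of sway config
 # see
@@ -61,6 +61,7 @@
 vis
 rc
 ncdu
+inputs.agenix.packages."${system}".agenix
 
 # ZFS / filesystem stuff
 zfs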
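Review bot: The new line 64 uses `system` as a free variable, but the module's argument set on line 1 only gains `inputs`; unless `system` is bound in the `let` block that starts on line 2 (its body is outside this hunk) the file will not evaluate. `inputs.agenix.packages.${pkgs.stdenv.hostPlatform.system}.agenix` removes the dependency on that binding, since `pkgs` is already in scope. Note also that the `agenix` CLI pulled in this way appears to be built from agenix's own locked nixpkgs rather than the host's, which follows from the flake input having no `follows`; that is worth knowing when auditing what lands in the system closure.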
+6
secrets/porkbun-api-key.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 e6zq8g CdLTZ6uXiJB+xaD+I5NVHD5OxLSH+yAz99j04GiKukU 3 + kQTUR4yK23wHV9QGMlmTmIlMh63nP49g1NrS+sJKfBY 4 + --- H6/xHryPPKmAWW/bDXUN4YBXMKrsFpUAveKxWsT0SH0 5 + �E����,�ήS��P)A.������9O\�����2n��U�!���X�a��� l�Z�4*(G�[��>�Zl� 6 + :QՅ���������o����$=��& ڍ�w�t^�<<E�0p�8��:���� G�̉����J#�QR�����p�򘐞�kA,�=!��5�KK��0o��nQ��)�\\�ĘN�����wQ�҉
+8
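--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,8 @@
+let
+noah = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQFlX3hhXxsqAUYLvF+IX1YWQ+k22OHlqMOjgyNBe9e noah@misaki";
+misaki = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO+Rcf4Lr+JPWGKQol6eAml6SMgERkGJWgN7y1qYUUvX root@nixos";
+#users = [noah];
+in
+{
+"porkbun-api-key.age".publicKeys = [ noah misaki ];
+}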
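Review bot: The `publicKeys` list on line 7 names two recipients, but the `porkbun-api-key.age` file added in this same commit appears to carry only one `-> ssh-ed25519` recipient stanza, so one of `noah` or `misaki` cannot decrypt it as committed; if that single recipient is the editing key, the host will fail to decrypt the secret at activation, so re-encrypt with `agenix -r` against this rules file before depending on it. The `root@nixos` comment on the `misaki` key suggests it is the host's SSH host key, which is what agenix's default `age.identityPaths` will look for; a one-line comment stating that, e.g. `# misaki: the host's /etc/ssh/ssh_host_ed25519_key.pub (decrypts at activation); noah: editing key`, would make the intent explicit and help the next person who rotates host keys. The commented-out `#users = [noah];` is dead and can be dropped.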
+44 -36
services.nix
··· 2 2 , lib 3 3 , pkgs 4 4 , unstable 5 - , system 6 5 , ... 7 6 }: 8 - let 9 - #unstable = import unstable { 10 - # inherit system; 11 - # config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ 12 - # "plexmediaserver" 13 - # "teamspeak-server" 14 - # ]; 15 - # overlays = [ 16 - # (final: prev: { 17 - # # Override the version of Plex installed to be the latest 18 - # plexRaw = prev.plexRaw.overrideAttrs rec { 19 - # version = "1.43.0.10346-fc911a729"; 20 - # src = final.fetchurl { 21 - # url = "https://downloads.plex.tv/plex-media-server-new/${version}/debian/plexmediaserver_${version}_amd64.deb"; 22 - # sha256 = "jfQ11luQoafUYb5sGpvE7jPiErGt2HXVLwn70M/Hqyc="; 23 - # }; 24 - # }; 25 - # ## Override the json object that contains verions and hashes for Immich 26 - # #immich = prev.immich.override { sourcesJSON = ./overrides/immich-sources.json; }; 27 - # ## Fix errors wit numpy version failing to resolve in the immich ML package 28 - # #immich-machine-learning = prev.immich-machine-learning.overrideAttrs 29 - # # (finalAttrs: prevAttrs: { 30 - # # pythonRelaxDeps = prevAttrs.pythonRelaxDeps ++ [ "numpy" ]; 31 - # # }); 32 - # }) 33 - # ]; 34 - #}; 35 - #age = import <agenix/modules/age.nix> { }; 36 - in 37 7 { 38 8 39 9 services.zfs = { ··· 265 235 settings = builtins.fromJSON (builtins.readFile /home/noah/.step/config/ca.json); 266 236 }; 267 237 238 + age.secrets.acme = { 239 + file = ./secrets/porkbun-api-key.age; 240 + owner = "root"; 241 + group = "acme"; 242 + }; 243 + 244 + # TODO: re-enable this once Agenix is set up 268 245 security.acme = { 269 246 acceptTerms = true; 270 247 defaults.email = "noah@packetlost.dev"; 271 248 certs."plex.packetlost.dev" = { 249 + dnsProvider = "porkbun"; 272 250 group = "httpd"; 251 + environmentFile = config.age.secrets.acme.path; 273 252 }; 274 253 certs."img.ngp.computer" = { 275 254 group = "httpd"; 255 + dnsProvider = "porkbun"; 256 + environmentFile = config.age.secrets.acme.path; 257 + }; 258 + 
certs."photos.ngp.computer" = { 259 + group = "httpd"; 260 + dnsProvider = "porkbun"; 261 + environmentFile = config.age.secrets.acme.path; 262 + }; 263 + certs."jellyfin.packetlost.dev" = { 264 + group = "httpd"; 265 + dnsProvider = "porkbun"; 266 + environmentFile = config.age.secrets.acme.path; 276 267 }; 277 268 }; 278 269 ··· 347 338 # wantedBy = [ "multi-user.target" ]; 348 339 #}; 349 340 "update-downstream-src" = { 350 - path = with pkgs; [ rc coreutils git openssh ]; 341 + path = with pkgs; [ 342 + rc 343 + coreutils 344 + git 345 + openssh 346 + ]; 351 347 script = "exec ${./scripts/update-src}"; 352 348 serviceConfig = { 353 349 Type = "oneshot"; ··· 378 374 accelerationDevices = [ "/dev/dri/renderD128" ]; 379 375 mediaLocation = "/srv/shokuhou/pictures/immich"; 380 376 }; 381 - users.users.immich.extraGroups = [ "video" "render" "nas" ]; 377 + users.users.immich.extraGroups = [ 378 + "video" 379 + "render" 380 + "nas" 381 + ]; 382 382 383 383 # Nginx Reverse SSL Proxy 384 384 services.nginx = { ··· 399 399 "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}"; 400 400 }; 401 401 virtualHosts."photos.ngp.computer" = { 402 - enableACME = true; 402 + enableACME = false; 403 + useACMEHost = "photos.ngp.computer"; 404 + acmeRoot = null; 403 405 forceSSL = true; 404 406 locations."/" = { 405 407 proxyPass = "http://[::1]:${toString config.services.immich.port}"; ··· 415 417 }; 416 418 virtualHosts."img.ngp.computer" = { 417 419 forceSSL = true; 418 - enableACME = true; 420 + enableACME = false; 421 + useACMEHost = "img.ngp.computer"; 422 + acmeRoot = null; 419 423 root = "/srv/shokuhou/pictures/public"; 420 424 extraConfig = '' 421 425 sendfile on; ··· 443 447 }; 444 448 virtualHosts."jellyfin.packetlost.dev" = { 445 449 forceSSL = true; 446 - enableACME = true; 450 + enableACME = false; 451 + useACMEHost = "jellyfin.packetlost.dev"; 452 + acmeRoot = null; 447 453 http2 = true; 448 454 locations."/" = { 449 455 proxyPass 
= "http://localhost:8096/"; ··· 454 460 virtualHosts."plex.packetlost.dev" = { 455 461 # Since we want a secure connection, we force SSL 456 462 forceSSL = true; 457 - enableACME = true; 463 + enableACME = false; 464 + useACMEHost = "plex.packetlost.dev"; 465 + acmeRoot = null; 458 466 459 467 # http2 can more performant for streaming: https://blog.cloudflare.com/introducing-http2/ 460 468 http2 = true;
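Review bot: `age.secrets.acme` on new lines 238-242 sets `group = "acme"` but leaves `mode` at agenix's default of `0400`, so the group has no read access and the `group` line does nothing on its own; if the intent is for the `acme` service user to read the key, add `mode = "0440";`, or drop the group if the file is only ever consumed through systemd's `EnvironmentFile=`, which is read before the unit drops to the `acme` user (I believe the NixOS acme module wires `environmentFile` that way, but confirm rather than rely on it). The `# TODO: re-enable this once Agenix is set up` comment on line 244 now sits above a `security.acme` block that is enabled and wired to agenix, so it reads as stale — remove it or reword it to name what is actually still pending. Lego's porkbun provider expects both `PORKBUN_API_KEY` and `PORKBUN_SECRET_API_KEY`; the secret's name suggests a single key, so check that the decrypted file sets both, since the diff cannot show its contents. The `services.nginx` virtualHosts block continues past the last line shown here.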