lightly-toasted/nix-config
1
0
Fork 0
mirror of https://github.com/lightly-toasted/nix-config.git synced 2026-01-31 16:50:23 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Compare commits

base: lightly-toasted:210143a6c454e632c59c2232a666677868ceb0d1
Branches Tags
lightly-toasted:main
..
compare: lightly-toasted:3c314ad5bd22b9d9e0e006d38a83db529282578c
Branches Tags
lightly-toasted:main

No commits in common. "210143a6c454e632c59c2232a666677868ceb0d1" and "3c314ad5bd22b9d9e0e006d38a83db529282578c" have entirely different histories.
210143a6c4 ... 3c314ad5bd

17 changed files with 294 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

1
flake.nix
View file

@ -88,6 +88,7 @@
pkgs.home-manager pkgs.home-manager
pkgs.sops pkgs.sops
pkgs.git pkgs.git
pkgs.git-crypt
pkgs.just pkgs.just
pkgs.nh pkgs.nh
]; ];

1
home/hosts/y2q.nix
View file

@ -4,6 +4,7 @@
imports = [ imports = [
inputs.nixvim.homeModules.nixvim inputs.nixvim.homeModules.nixvim
../modules/runit
../modules/cli/git.nix ../modules/cli/git.nix
../modules/cli/ripgrep.nix ../modules/cli/ripgrep.nix
../modules/cli/btop.nix ../modules/cli/btop.nix

87
home/modules/runit/default.nix Normal file
View file

@ -0,0 +1,87 @@
{ config, lib, ... }:
{
imports = (
let
servicesPath = ./services;
serviceModules = builtins.attrNames (builtins.readDir (servicesPath));
in
map (module: servicesPath + "/${module}") serviceModules
);
options.runit = {
services = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
options = {
script = lib.mkOption {
type = lib.types.str;
description = "Shell commands executed as the service's main process";
};
log.enable = lib.mkEnableOption "Enable logging";
environment = lib.mkOption {
type = lib.types.attrsOf lib.types.str;
default = {};
description = "Environment variables passed to the service's processes";
};
environmentFile = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
description = "Environment file passed to the service";
};
};
}));
};
default = {};
description = "User-level runit services under ~/runit/services/";
};
config = {
home.file = lib.mkMerge (
lib.mapAttrsToList (serviceName: sCfg:
let
envExports = lib.concatStringsSep "\n" (
lib.mapAttrsToList (k: v: "export ${k}='${v}'") sCfg.environment
);
envFile = lib.mkIf (sCfg.environmentFile != null) {
"runit/services/${serviceName}/.env" = {
source = sCfg.environmentFile;
};
};
envFileSetup = if sCfg.environmentFile != null then ''
set -a
source .env
set +a
'' else "";
stderrToStdout = if sCfg.log.enable then "exec 2>&1" else "";
in
lib.mkMerge [
{
# run script
"runit/services/${serviceName}/run" = {
text = ''
#!/usr/bin/env bash
${stderrToStdout}
${envExports}
${envFileSetup}
${sCfg.script}
'';
executable = true;
};
# logging
"runit/services/${serviceName}/log/run" = lib.mkIf sCfg.log.enable {
text = ''
#!/bin/sh
mkdir -p main
exec svlogd -tt ./main
'';
executable = true;
};
}
envFile
]
) config.runit.services
);
};
}

37
home/modules/runit/services/caddy.nix Normal file
View file

@ -0,0 +1,37 @@
{ pkgs, config, ... }:
{
home.file.".config/caddy/Caddyfile".text = ''
{
http_port 8080
https_port 8443
auto_https off
}
# Cloudflare Tunnel
http://gist.toast.name {
# Opengist
reverse_proxy http://localhost:${config.runit.services.opengist.environment.OG_HTTP_PORT}
}
# Tailscale
http://y2q.ts.toast.name {
# Glances
reverse_proxy http://localhost:61208
}
http://grafana.ts.toast.name {
# Grafana
reverse_proxy http://localhost:${config.runit.services.grafana.environment.GF_SERVER_HTTP_PORT}
}
'';
runit.services.caddy = {
script = ''
exec ${pkgs.caddy}/bin/caddy run \
--config "$HOME/.config/caddy/Caddyfile" \
--adapter caddyfile
'';
log.enable = true;
};
}

30
home/modules/runit/services/cloudflared.nix Normal file
View file

@ -0,0 +1,30 @@
{ pkgs, config, rootPath, lib, ... }:
let
tunnel = "cb0d9c2c-48f9-4bca-9e81-ef92423c5afa";
subdomains = [
"gist.toast.name"
];
in
{
home.file.".cloudflared/${tunnel}.json".source = rootPath + /secrets/gitcrypt/cloudflared/${tunnel}.json;
home.file.".cloudflared/cert.pem".source = rootPath + /secrets/gitcrypt/cloudflared/cert.pem;
home.file.".cloudflared/config.yml".text = ''
tunnel: ${tunnel}
credentials-file: ${config.home.homeDirectory}/.cloudflared/${tunnel}.json
ingress:
${lib.concatMapStringsSep "\n" (host: ''
${" "}- hostname: ${host}
${" "} service: http://localhost:80
'') subdomains}
${" "}- service: http_status:404
'';
runit.services.cloudflared = {
script = ''
exec ${pkgs.cloudflared}/bin/cloudflared tunnel run
'';
log.enable = true;
};
}

9
home/modules/runit/services/glances.nix Normal file
View file

@ -0,0 +1,9 @@
{ pkgs, ... }:
{
runit.services.glances = {
script = ''
exec ${pkgs.glances}/bin/glances -w
'';
};
}

21
home/modules/runit/services/grafana.nix Normal file
View file

@ -0,0 +1,21 @@
{ pkgs, config, ... }:
{
runit.services.grafana = {
script = ''
HOME_PATH=$HOME/services/grafana
mkdir -p "$HOME_PATH"
exec ${pkgs.grafana}/bin/grafana server \
--homepath ${pkgs.grafana}/share/grafana
'';
environment = {
GF_SERVER_HTTP_ADDR = "127.0.0.1";
GF_SERVER_HTTP_PORT = "3000";
GF_PATHS_DATA = "${config.home.homeDirectory}/services/grafana";
};
log.enable = true;
};
}

20
home/modules/runit/services/opengist.nix Normal file
View file

@ -0,0 +1,20 @@
{ pkgs, rootPath, ... }:
{
runit.services.opengist = {
script = ''
exec ${pkgs.opengist}/bin/opengist start
'';
environment = {
OG_HTTP_HOST = "127.0.0.1";
OG_HTTP_PORT = "6157";
OG_SSH_HOST = "127.0.0.1";
OG_SSH_PORT = "6522";
};
environmentFile = rootPath + /secrets/gitcrypt/opengist.env;
log.enable = true;
};
}

25
home/modules/runit/services/prometheus.nix Normal file
View file

@ -0,0 +1,25 @@
{ pkgs, config, ... }:
{
home.file.".config/prometheus/prometheus.yml".text = ''
global:
scrape_interval: 1m
scrape_configs:
- job_name: 'restic_rest_server'
static_configs:
- targets: ['${config.runit.services.restic-rest-server.environment.LISTEN_ADDR}']
'';
runit.services.prometheus = {
script = ''
TSDB_PATH=$HOME/services/prometheus
mkdir -p TSDB_PATH
exec ${pkgs.prometheus}/bin/prometheus \
--config.file=$HOME/.config/prometheus/prometheus.yml \
--storage.tsdb.path=$TSDB_PATH \
--web.listen-address="127.0.0.1:9090"
'';
};
}

21
home/modules/runit/services/restic-rest-server.nix Normal file
View file

@ -0,0 +1,21 @@
{ pkgs, ... }:
{
runit.services.restic-rest-server = {
script = ''
DATA_DIR=$HOME/services/restic-rest-server
mkdir -p "$DATA_DIR"
exec ${pkgs.restic-rest-server}/bin/rest-server \
--listen "$LISTEN_ADDR" \
--log - \
--no-auth \
--path $DATA_DIR \
--prometheus --prometheus-no-auth
'';
environment = {
LISTEN_ADDR = "127.0.0.1:9000";
};
};
}

6
hosts/nixos/modules/services/restic.nix
View file

@ -3,7 +3,7 @@
{ {
sops.secrets = { sops.secrets = {
"restic/password" = {}; "restic/password" = {};
"restic/env/nixos" = {}; "restic/env" = {};
}; };
services.restic.backups.y2q = { services.restic.backups.y2q = {
@ -15,8 +15,8 @@
"/home/toast/workspace" "/home/toast/workspace"
]; ];
exclude = [ "node_modules" ]; exclude = [ "node_modules" ];
repository = "rest:http://restic.ts.700457.xyz/nixos/"; repository = "rest:http://y2q:9000/nixos/";
environmentFile = config.sops.secrets."restic/env/nixos".path; environmentFile = config.sops.secrets."restic/env".path;
pruneOpts = [ pruneOpts = [
"--keep-hourly 6" "--keep-hourly 6"
"--keep-daily 7" "--keep-daily 7"

47
hosts/vps/modules/services/restic.nix
View file

@ -1,15 +1,6 @@
{ config, ... }: { config, ... }:
{ let
sops.secrets = {
"restic/password" = {};
"restic/env/vps" = {};
};
services.restic.backups.y2q = {
initialize = true;
inhibitsSleep = true;
passwordFile = config.sops.secrets."restic/password".path;
paths = [ paths = [
"/var/lib/zipline" "/var/lib/zipline"
"/var/lib/postgresql" "/var/lib/postgresql"
@ -17,16 +8,44 @@
"/var/lib/trilium" "/var/lib/trilium"
"/var/lib/bitwarden_rs" "/var/lib/bitwarden_rs"
]; ];
repository = "rest:http://restic.ts.700457.xyz/vps/"; in {
environmentFile = config.sops.secrets."restic/env/vps".path; sops.secrets = {
"restic/password" = {};
"restic/env" = {};
"restic/rclone-config" = {};
};
services.restic.backups.b2 = {
initialize = true;
inhibitsSleep = true;
passwordFile = config.sops.secrets."restic/password".path;
paths = paths;
repository = "s3:https://s3.us-east-005.backblazeb2.com/restic-backups-vps";
environmentFile = config.sops.secrets."restic/env".path;
pruneOpts = [ pruneOpts = [
"--keep-hourly 3"
"--keep-daily 7" "--keep-daily 7"
"--keep-weekly 3" "--keep-weekly 3"
"--keep-monthly 3" "--keep-monthly 3"
]; ];
timerConfig = { timerConfig = {
OnCalendar = "hourly"; OnCalendar = "daily";
Persistent = true;
};
};
services.restic.backups.nextcloud = {
initialize = true;
inhibitsSleep = true;
passwordFile = config.sops.secrets."restic/password".path;
paths = paths;
repository = "rclone:nextcloud:restic/vps";
rcloneConfigFile = config.sops.secrets."restic/rclone-config".path;
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 6"
];
timerConfig = {
OnCalendar = "daily";
Persistent = true; Persistent = true;
}; };
}; };

BIN
secrets/gitcrypt/cloudflared/cb0d9c2c-48f9-4bca-9e81-ef92423c5afa.json Normal file
View file

Binary file not shown.

BIN
secrets/gitcrypt/cloudflared/cert.pem Normal file
View file

Binary file not shown.

BIN
secrets/gitcrypt/opengist.env Normal file
View file

Binary file not shown.

11
secrets/secrets.yaml
View file

@ -5,9 +5,8 @@ openrouter_api_key: ENC[AES256_GCM,data:c0GHwhX5S4cfOXs6iR8TWVwhW90bvehWdy8lJBmb
context7_api_key: ENC[AES256_GCM,data:3fvSGzii2MqlfMCFYIUcC8Fa18KBh2K91rYPtXe04+UzNb/ElBEVMoH4Gw==,iv:4cZlsYZVum/Ui3MNAzSMb8JxOCNchUzuwlh890Lc4vo=,tag:RDjeujPxDQC5eRqDcKfbvA==,type:str] context7_api_key: ENC[AES256_GCM,data:3fvSGzii2MqlfMCFYIUcC8Fa18KBh2K91rYPtXe04+UzNb/ElBEVMoH4Gw==,iv:4cZlsYZVum/Ui3MNAzSMb8JxOCNchUzuwlh890Lc4vo=,tag:RDjeujPxDQC5eRqDcKfbvA==,type:str]
restic: restic:
password: ENC[AES256_GCM,data:LhO9evxJ1jO+/jVefT1ImRB7mdQB6VWxMdXPzAX4v9ICy5V+QlPDHdug3fKgZfzZ2EJtxy0LeQqHhyACKvPACA==,iv:Ag5BXn7gViL2J7qALn6WoQ1zwS69/NkjU9iP7pw2g0U=,tag:nUSCMkojdSA3+aJ4OKM8rw==,type:str] password: ENC[AES256_GCM,data:LhO9evxJ1jO+/jVefT1ImRB7mdQB6VWxMdXPzAX4v9ICy5V+QlPDHdug3fKgZfzZ2EJtxy0LeQqHhyACKvPACA==,iv:Ag5BXn7gViL2J7qALn6WoQ1zwS69/NkjU9iP7pw2g0U=,tag:nUSCMkojdSA3+aJ4OKM8rw==,type:str]
env: env: ENC[AES256_GCM,data:ZqQ+0b/Wd8NRodjksdMNvl1bRIPfLPiw4NRDtG8tc8pVp9w/Je5WXePIB/8QQ33K2Uagqzfb0Y/pTbo4vQRLBXVWO4uofQ7YKxdiK4efTPr8Ic/uX3NuGyT+Q9hvawkICg==,iv:S9XcbSZewjEty35N0fSksTMT3q8Nnmy0HmgIF7oQ1cU=,tag:12ThSBX5qEIoW9Sp0IrKzA==,type:str]
nixos: ENC[AES256_GCM,data:l2XnT2zDWriWlicZaKMrU9+QC3nSbGyo10IUrszjIxKH7A2EI9KnTb2wtjZS/aA23tH31QTQ+VUh7Dcn+9jCufEkqH1PGbXRnTBBQ6HByCc=,iv:e1jbtsQ4vftPRf4NqkW529krViBRDkfyQVIR3+pKR0s=,tag:jLIq3FV2IS1OxKcSsizxpA==,type:str] rclone-config: ENC[AES256_GCM,data:r37TJRvVbjf2EfmF4lYz9WtPpx1VCgryKWSTRWIn1mXIgT5sNFLhcy4pFrAn4duk3D/JHngKS1v9THS6i5o3N7+jOeszbKEF2+XB+UG+ogRSlveN+2ohs0dWWLE1Yhr/sKkO7FKQu338mxssNwF2M7rqA7DiGrBuUXIOkwczBphuJbP8A/LRSvrD0DYj5XakM2R+NVeHGaSNHsmv2tVsMS0i7aHPsTbIp4Wyz+be0YXWMNezM8u5KW8=,iv:OA1IloW5FJ1lFcUh2WUvw5iMxiM55yTy0CnrVOQyr5w=,tag:d0gKGuYLOcIvZmf2ZQFD4g==,type:str]
vps: ENC[AES256_GCM,data:Cn9xC1gQ2p+b50zBkkM5dLgJo3XUUhwfZwxhzb1Wu4kidM3LU1J2Xq56uqPSeJkMn94+5FV/lHfoc70eZgxn8WdJDBJtgtldfRFdgSuM,iv:X29GHc8aBHSW5PihCVAQWMGWXNx/SY1lTK6W4mDx5ms=,tag:tDJxOMWDDql4gVtyIFky7Q==,type:str]
zipline: zipline:
env: ENC[AES256_GCM,data:HOcqrzXnu+BcpZYgv1yzPOTV4ydJiVa0oIXQWMUNt/X6q2TUGPOTwWg/dOgzoi6jGzFxm+wJzugO4lLQurUV0DiWIWLDSm/PK+zW34yLYwMrwK1bRaF9yl7usAN6BEmpLw==,iv:9IZDQRT2JoXNTuyPZrwRSr2m3SnXaLmJcafpkraCFWA=,tag:+7EoCTiY9f0/C5jgvPQknA==,type:str] env: ENC[AES256_GCM,data:HOcqrzXnu+BcpZYgv1yzPOTV4ydJiVa0oIXQWMUNt/X6q2TUGPOTwWg/dOgzoi6jGzFxm+wJzugO4lLQurUV0DiWIWLDSm/PK+zW34yLYwMrwK1bRaF9yl7usAN6BEmpLw==,iv:9IZDQRT2JoXNTuyPZrwRSr2m3SnXaLmJcafpkraCFWA=,tag:+7EoCTiY9f0/C5jgvPQknA==,type:str]
token: ENC[AES256_GCM,data:Ke+cJQ6Up5RUGqe/3tG7Nk40PoOQ1Vq1jN5QN4N5LXOFgclXpzN7sjx0bumFVEcgg4B7UkHmjHzjRAPtWheFu+1PaN02aQVLMGzYXgujqmccC+6roxYt4vdN0CLzf0Ii7k5KUwX3QdOV+lrVwyoBjgQyTD839YnODI7zavf+aDMlrE4+BlFjjV8MUQHsJ5G017xN0XLKOBIQsGpMl40YsvVXFrNwkZ+DkN7bXCZBiHI41W44snB1C3wkYOO+a0g4JzVjIhcHXalYgOW4Unuyyah8yDoXRxuSq7aZpQ+/AHRiuIuaHSrE5BUJu/9bJdjojNuk6VTsaLFtngViSjtyztcqMAIHFFq/KXAog8tg16dJH/V6PomrWXY=,iv:H/EcD/oNSw1mIwxsqyMeSRPsY7lnzEzTNJs6OPNfPw4=,tag:FgH9Nwxnq62uhCd/Av2kAA==,type:str] token: ENC[AES256_GCM,data:Ke+cJQ6Up5RUGqe/3tG7Nk40PoOQ1Vq1jN5QN4N5LXOFgclXpzN7sjx0bumFVEcgg4B7UkHmjHzjRAPtWheFu+1PaN02aQVLMGzYXgujqmccC+6roxYt4vdN0CLzf0Ii7k5KUwX3QdOV+lrVwyoBjgQyTD839YnODI7zavf+aDMlrE4+BlFjjV8MUQHsJ5G017xN0XLKOBIQsGpMl40YsvVXFrNwkZ+DkN7bXCZBiHI41W44snB1C3wkYOO+a0g4JzVjIhcHXalYgOW4Unuyyah8yDoXRxuSq7aZpQ+/AHRiuIuaHSrE5BUJu/9bJdjojNuk6VTsaLFtngViSjtyztcqMAIHFFq/KXAog8tg16dJH/V6PomrWXY=,iv:H/EcD/oNSw1mIwxsqyMeSRPsY7lnzEzTNJs6OPNfPw4=,tag:FgH9Nwxnq62uhCd/Av2kAA==,type:str]
@ -23,7 +22,7 @@ sops:
Z0crWElZcVFMVUd0VytoTHFqbkRDck0KY8nsRThk1hCA/yDNy5JJ0T6pTUwRZhYW Z0crWElZcVFMVUd0VytoTHFqbkRDck0KY8nsRThk1hCA/yDNy5JJ0T6pTUwRZhYW
j8grD6JYvauuYa+3tSIwqy2RPiKltx696n9nXy9iPnFUO0QY/rQGVg== j8grD6JYvauuYa+3tSIwqy2RPiKltx696n9nXy9iPnFUO0QY/rQGVg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-17T09:52:45Z" lastmodified: "2025-11-02T05:02:06Z"
mac: ENC[AES256_GCM,data:ul33Yr8a5VER09m2DrM+BiZDglSW5w/UrgWCamYEbsO2EtSGX3zg6r1j+++W2dNj3BXDiVD5DIEQ/LGMUtvhFmP5b/EWO6xucCgAekekYPKiafhh3h45db1s7E/PGwpBLzUk4ePoAb9hAvzx4pQvlpHHHIbFMxsTjNjoj7WxbGM=,iv:WrZokFbfu9bkQFq/FwHNAINzTRGBJlBJs54Epmb1Ya8=,tag:GyAiBG5OrS12/GqG/2zTlA==,type:str] mac: ENC[AES256_GCM,data:cj6FoyYzGwOP2hgIf3jhRSdFWR3SLd7eX2L/hrYyMtDKJNr70yyf3V2bzWfspZMGykgkJB3eQskMBxvn9P7s7XDPbjBeQ3ndqH5HBHuOsgManpYZgv5OusxBJfOh4DVGkIYgU/oZ+MjQ/RSBmHb45py15GxytTLs264Kp4o4KyQ=,iv:dQEo2IEkbiA2dt8NFznxxqDX4hCPED59WqMVqatH2/c=,tag:SaecqbewnXcsWNh9+OlWyA==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.11.0 version: 3.10.2

1
shell.nix
View file

@ -6,6 +6,7 @@ pkgs.mkShell {
home-manager home-manager
git git
sops sops
git-crypt
just just
nh nh
]; ];