+m3-atlas

flake.nix

@@ -69,6 +69,15 @@
           agenix.nixosModules.default
         ];
       };
+      m3-atlas = nixpkgs.lib.nixosSystem {
+        specialArgs = {inherit inputs outputs;};
+        system = "x86_64-linux";
+        modules = [
+          ./hosts/m3-atlas
+          inputs.disko.nixosModules.disko
+          agenix.nixosModules.default
+        ];
+      };
       m3-kratos = nixpkgs.lib.nixosSystem {
         specialArgs = {
           inherit inputs outputs;

home/m3tam3re/m3-atlas.nix

@@ -0,0 +1,17 @@
+{
+  imports = [
+    ../common
+    ../features/cli
+    ./home-server.nix
+  ];
+
+  features = {
+    cli = {
+      fish.enable = true;
+      fzf.enable = true;
+      neofetch.enable = true;
+      secrets.enable = false;
+      starship.enable = true;
+    };
+  };
+}

hosts/m3-atlas/configuration.nix

@@ -0,0 +1,110 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+{pkgs, ...}: {
+  imports = [
+    # Include the results of the hardware scan.
+    ./disko-config.nix
+    ./hardware-configuration.nix
+  ];
+
+  # Bootloader.
+  boot.loader.grub = {
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+  };
+
+  networking.hostName = "m3-atlas"; # CHANGE ME.
+  networking.hostId = "15b60253"; # CHANGE ME
+  # Pick only one of the below networking options.
+  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
+  networking.networkmanager.enable =
+    true; # Easiest to use and most distros use this by default.
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+
+  # Configure network proxy if necessary
+  # networking.proxy.default = "http://user:password@proxy:port/";
+  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_US.UTF-8";
+  # console = {
+  #   font = "Lat2-Terminus16";
+  #   keyMap = "us";
+  #   useXkbConfig = true; # use xkb.options in tty.
+  # };
+
+  # Enable the X11 windowing system.
+  # services.xserver.enable = true;
+
+  # Enable the GNOME Desktop Environment.
+  # services.xserver.displayManager.gdm.enable = true;
+  # services.xserver.desktopManager.gnome.enable = true;
+
+  # Configure keymap in X11
+  # services.xserver.xkb.layout = "us";
+  # services.xserver.xkb.options = "eurosign:e,caps:escape";
+
+  # Enable CUPS to print documents.
+  # services.printing.enable = true;
+
+  # Enable sound.
+  # hardware.pulseaudio.enable = true;
+  # OR
+
+  # Enable touchpad support (enabled default in most desktopManager).
+  # services.libinput.enable = true;
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [neovim git];
+
+  # Some programs need SUID wrappers, can be configured further or are
+  # started in user sessions.
+  # programs.mtr.enable = true;
+  # programs.gnupg.agent = {
+  #   enable = true;
+  #   enableSSHSupport = true;
+  # };
+
+  # List services that you want to enable:
+
+  # Enable the OpenSSH daemon.
+  services.openssh = {
+    enable = true;
+    settings.PermitRootLogin = "no";
+  };
+
+  # [[Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # Copy the NixOS configuration file and link it from the resulting system
+  # (/run/current-system/configuration.nix). This is useful in case you
+  # accidentally delete configuration.nix.
+  # system.copySystemConfiguration = true;
+
+  # This option defines the first version of NixOS you have installed on this particular machine,
+  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+  #
+  # Most users should NEVER change this value after the initial install, for any reason,
+  # even if you've upgraded your system to a new NixOS release.
+  #
+  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+  # to actually do that.
+  #
+  # This value being lower than the current NixOS release does NOT mean your system is
+  # out of date, out of support, or vulnerable.
+  #
+  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+  # and migrated your data accordingly.
+  #
+  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+  system.stateVersion = "24.11"; # Did you read the comment?
+}

hosts/m3-atlas/default.nix

@@ -0,0 +1,50 @@
+# A staring point is the basic NIXOS configuration generated by the ISO installer.
+# On an existing NIXOS install you can use the following command in your flakes basedir:
+# sudo nixos-generate-config --dir ./hosts/m3tam3re
+#
+# Please make sure to change the first couple of lines in your configuration.nix:
+# { config, inputs, ouputs, lib, pkgs, ... }:
+#
+# {
+#   imports = [ # Include the results of the hardware scan.
+#     ./hardware-configuration.nix
+#     inputs.home-manager.nixosModules.home-manager
+#   ];
+#   ...
+#
+# Moreover please update the packages option in your user configuration and add the home-manager options:
+# users.users = {
+#   m3tam3re = {
+#     isNormalUser = true;
+#     initialPassword = "12345";
+#     extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+#     packages = [ inputs.home-manager.packages.${pkgs.system}.default ];
+#   };
+# };
+#
+# home-manager = {
+#   useUserPackages = true;
+#   extraSpecialArgs = { inherit inputs outputs; };
+#   users.m3tam3re =
+#     import ../../home/m3tam3re/${config.networking.hostName}.nix;
+# };
+#
+# Please also change your hostname accordingly:
+#:w
+# networking.hostName = "nixos"; # Define your hostname.
+{
+  imports = [
+    ../common
+    ./configuration.nix
+    ./programs.nix
+    ./secrets.nix
+    ./services
+  ];
+
+  extraServices = {
+    flatpak.enable = false;
+    ollama.enable = false;
+    podman.enable = true;
+    virtualisation.enable = false;
+  };
+}

hosts/m3-atlas/disko-config.nix

@@ -0,0 +1,39 @@
+{
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/vda"; # CHANGE ME
+        content = {
+          type = "gpt";
+          partitions = {
+            boot = {
+              size = "1M";
+              type = "EF02"; # for GRUB MBR
+              priority = 1;
+            };
+            esp = {
+              size = "512M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = ["defaults" "umask=0077"];
+              };
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+                mountOptions = ["noatime" "nodiratime" "discard"];
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/m3-atlas/hardware-configuration.nix

@@ -0,0 +1,26 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  lib,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = [];
+  boot.extraModulePackages = [];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/m3-atlas/programs.nix

@@ -0,0 +1,14 @@
+{pkgs, ...}: {
+  programs.nix-ld.enable = true;
+  programs.nix-ld.libraries = with pkgs; [
+    # Add any missing dynamic libraries for unpackaged programs
+    # here, NOT in environment.systemPackages
+  ];
+  programs.fish.enable = true;
+  programs.nh = {
+    enable = true;
+    clean.enable = true;
+    clean.extraArgs = "--keep-since 4d --keep 3";
+    flake = "/home/m3tam3re/p/nixos/nixos-config";
+  };
+}

hosts/m3-atlas/secrets.nix

@@ -0,0 +1,26 @@
+{
+  age = {
+    secrets = {
+      baserow-env = {
+        file = ../../secrets/baserow-env.age;
+      };
+      ghost-env = {
+        file = ../../secrets/ghost-env.age;
+      };
+      littlelink-m3tam3re = {
+        file = ../../secrets/littlelink-m3tam3re.age;
+      };
+      searx = {
+        file = ../../secrets/searx.age;
+      };
+      traefik = {
+        file = ../../secrets/traefik.age;
+        owner = "traefik";
+      };
+      m3tam3re-secrets = {
+        file = ../../secrets/m3tam3re-secrets.age;
+        owner = "m3tam3re";
+      };
+    };
+  };
+}

hosts/m3-atlas/services/containers/baserow.nix

@@ -0,0 +1,26 @@
+{config, ...}: {
+  virtualisation.oci-containers.containers."baserow" = {
+    image = "docker.io/baserow/baserow:1.30.1";
+    environmentFiles = [config.age.secrets.baserow-env.path];
+    ports = ["3001:80"];
+    volumes = ["baserow_data:/baserow/data"];
+    extraOptions = ["--add-host=postgres:10.89.0.1" "--ip=10.89.0.10" "--network=web"];
+  };
+  # Traefik configuration specific to baserow
+  services.traefik.dynamicConfigOptions.http = {
+    services.baserow.loadBalancer.servers = [
+      {
+        url = "http://localhost:3001/";
+      }
+    ];
+
+    routers.baserow = {
+      rule = "Host(`br.m3tam3re.com`)";
+      tls = {
+        certResolver = "godaddy";
+      };
+      service = "baserow";
+      entrypoints = "websecure";
+    };
+  };
+}

hosts/m3-atlas/services/containers/default.nix

@@ -0,0 +1,12 @@
+{lib, ...}: {
+  imports = [
+    ./baserow.nix
+    ./ghost.nix
+    ./littlelink.nix
+  ];
+  system.activationScripts.createPodmanNetworkWeb = lib.mkAfter ''
+    if ! /run/current-system/sw/bin/podman network exists web; then
+      /run/current-system/sw/bin/podman network create web --subnet=10.89.0.0/24 --internal
+    fi
+  '';
+}

hosts/m3-atlas/services/containers/ghost.nix

@@ -0,0 +1,26 @@
+{config, ...}: {
+  virtualisation.oci-containers.containers."ghost" = {
+    image = "docker.io/ghost:5.89";
+    environmentFiles = [config.age.secrets.ghost-env.path];
+    ports = ["3002:2368"];
+    volumes = ["ghost_data:/var/lib/ghost/content"];
+    extraOptions = ["--add-host=mysql:10.89.0.1" "--ip=10.89.0.11" "--network=web"];
+  };
+  # Traefik configuration specific to ghost
+  services.traefik.dynamicConfigOptions.http = {
+    services.ghost.loadBalancer.servers = [
+      {
+        url = "http://localhost:3002/";
+      }
+    ];
+
+    routers.ghost = {
+      rule = "Host(`www.m3tam3re.com`)";
+      tls = {
+        certResolver = "godaddy";
+      };
+      service = "ghost";
+      entrypoints = "websecure";
+    };
+  };
+}

hosts/m3-atlas/services/containers/littlelink.nix

@@ -0,0 +1,25 @@
+{config, ...}: {
+  virtualisation.oci-containers.containers."littlelink_m3tam3re" = {
+    image = "ghcr.io/techno-tim/littlelink-server";
+    environmentFiles = [config.age.secrets.littlelink-m3tam3re.path];
+    ports = ["3004:3000"];
+    extraOptions = ["--ip=10.89.0.12" "--network=web"];
+  };
+  # Traefik configuration specific to littlelink
+  services.traefik.dynamicConfigOptions.http = {
+    services.littlelink-m3tam3re.loadBalancer.servers = [
+      {
+        url = "http://localhost:3004/";
+      }
+    ];
+
+    routers.littlelink-m3tam3re = {
+      rule = "Host(`links.m3tam3re.com`)";
+      tls = {
+        certResolver = "godaddy";
+      };
+      service = "littlelink-m3tam3re";
+      entrypoints = "websecure";
+    };
+  };
+}

hosts/m3-atlas/services/default.nix

@@ -0,0 +1,11 @@
+{
+  imports = [
+    ./containers
+    ./gitea.nix
+    ./mysql.nix
+    ./postgres.nix
+    ./searx.nix
+    ./traefik.nix
+    ./wastebin.nix
+  ];
+}

hosts/m3-atlas/services/gitea.nix

@@ -0,0 +1,33 @@
+{
+  services.gitea = {
+    enable = true;
+    settings = {
+      server.ROOT_URL = "https://code.m3tam3re.com";
+      service.DISABLE_REGISTRATION = true;
+    };
+    lfs.enable = true;
+    dump = {
+      enable = true;
+      type = "tar.gz";
+      interval = "03:30:00";
+      backupDir = "/var/backup/gitea";
+    };
+  };
+  # Traefik configuration specific to gitea
+  services.traefik.dynamicConfigOptions.http = {
+    services.gitea.loadBalancer.servers = [
+      {
+        url = "http://localhost:3000/";
+      }
+    ];
+
+    routers.gitea = {
+      rule = "Host(`code.m3tam3re.com`)";
+      tls = {
+        certResolver = "godaddy";
+      };
+      service = "gitea";
+      entrypoints = "websecure";
+    };
+  };
+}

hosts/m3-atlas/services/mysql.nix

@@ -0,0 +1,23 @@
+{pkgs, ...}: {
+  services.mysql = {
+    enable = true;
+    package = pkgs.mysql84;
+    ensureDatabases = [
+      "ghost"
+      "matomo"
+    ];
+    initialScript = pkgs.writeText "initial-script.sql" ''
+      CREATE USER 'ghost'@'10.89.%' IDENTIFIED BY 'ghost';
+      GRANT ALL PRIVILEGES ON ghost.* TO 'ghost'@'10.89.%';
+
+      CREATE USER 'matomo'@'10.89.%' IDENTIFIED BY 'password';
+      GRANT ALL PRIVILEGES ON matomo.* TO 'matomo'@'10.89.%';
+    '';
+  };
+  services.mysqlBackup = {
+    enable = true;
+    calendar = "03:00:00";
+    databases = ["ghost" "matomo"];
+  };
+  networking.firewall.allowedTCPPorts = [3306];
+}

hosts/m3-atlas/services/postgres.nix

@@ -0,0 +1,25 @@
+{pkgs, ...}: {
+  services.postgresql = {
+    enable = true;
+    enableTCPIP = true;
+    package = pkgs.postgresql_15;
+    authentication = pkgs.lib.mkOverride 10 ''
+      local all all trust
+      host all all 127.0.0.1/32 trust
+      host all all ::1/128 trust
+      host all all 10.89.0.0/16 trust
+    '';
+    initialScript = pkgs.writeText "backend-initScript" ''
+      CREATE USER baserow WITH ENCRYPTED PASSWORD 'baserow';
+      CREATE DATABASE baserow;
+      GRANT ALL PRIVILEGES ON DATABASE baserow TO baserow;
+      ALTER DATABASE baserow OWNER to baserow;
+    '';
+  };
+  services.postgresqlBackup = {
+    enable = true;
+    startAt = "03:10:00";
+    databases = ["baserow"];
+  };
+  networking.firewall.allowedTCPPorts = [5432];
+}

hosts/m3-atlas/services/searx.nix

@@ -0,0 +1,28 @@
+{pkgs, ...}: {
+  services.searx = {
+    enable = true;
+    package = pkgs.searxng;
+    settings = {
+      server.port = 3005;
+      server.secret_key = "@SEARX_SECRET_KEY@";
+      search.formats = ["html" "json"];
+    };
+  };
+  # Traefik configuration specific to searx
+  services.traefik.dynamicConfigOptions.http = {
+    services.searx.loadBalancer.servers = [
+      {
+        url = "http://localhost:3005/";
+      }
+    ];
+
+    routers.searx = {
+      rule = "Host(`search.m3tam3re.com`)";
+      tls = {
+        certResolver = "godaddy";
+      };
+      service = "searx";
+      entrypoints = "websecure";
+    };
+  };
+}

hosts/m3-atlas/services/traefik.nix

@@ -0,0 +1,60 @@
+{config, ...}: {
+  services.traefik = {
+    enable = true;
+    staticConfigOptions = {
+      log = {level = "WARN";};
+      certificatesResolvers = {
+        godaddy = {
+          acme = {
+            email = "letsencrypt.org.btlc2@passmail.net";
+            storage = "/var/lib/traefik/acme.json";
+            caserver = "https://acme-v02.api.letsencrypt.org/directory";
+            dnsChallenge = {
+              provider = "godaddy";
+            };
+          };
+        };
+      };
+      api = {};
+      entryPoints = {
+        web = {
+          address = ":80";
+          http.redirections.entryPoint = {
+            to = "websecure";
+            scheme = "https";
+          };
+        };
+        websecure = {address = ":443";};
+      };
+    };
+    dynamicConfigOptions = {
+      http = {
+        middlewares = {
+          auth = {
+            basicAuth = {
+              users = ["m3tam3re:$apr1$1xqdta2b$DIVNvvp5iTUGNccJjguKh."];
+            };
+          };
+        };
+
+        routers = {
+          api = {
+            rule = "Host(`r.m3tam3re.com`)";
+            service = "api@internal";
+            middlewares = ["auth"];
+            entrypoints = ["websecure"];
+            tls = {
+              certResolver = "godaddy";
+            };
+          };
+        };
+      };
+    };
+  };
+
+  systemd.services.traefik.serviceConfig = {
+    EnvironmentFile = ["${config.age.secrets.traefik.path}"];
+  };
+
+  networking.firewall.allowedTCPPorts = [80 443];
+}

hosts/m3-atlas/services/wastebin.nix

@@ -0,0 +1,27 @@
+{
+  services.wastebin = {
+    enable = true;
+    settings = {
+      WASTEBIN_TITLE = "m3tam3re's wastebin";
+      WASTEBIN_BASE_URL = "https://bin.m3tam3re.com";
+      WASTEBIN_ADDRESS_PORT = "0.0.0.0:3003";
+    };
+  };
+  # Traefik configuration specific to wastebin
+  services.traefik.dynamicConfigOptions.http = {
+    services.wastebin.loadBalancer.servers = [
+      {
+        url = "http://localhost:3003/";
+      }
+    ];
+
+    routers.wastebin = {
+      rule = "Host(`bin.m3tam3re.com`)";
+      tls = {
+        certResolver = "godaddy";
+      };
+      service = "wastebin";
+      entrypoints = "websecure";
+    };
+  };
+}

secrets.nix

@@ -3,6 +3,7 @@ let
   m3-ares = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG+M4CygEQ29eTmLqgyIAFCxy0rgfO23klNiARBEA+3s";
   m3-kratos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDl+LtFGsk/A7BvxwiUCyq5wjRzGtQSrBJzzLGxINF4O";
   m3-helios = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIyHuLITpI+M45ZZem33wDusY2X988mBoWpD1HDeZNRJ";
+  m3-atlas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBYK1wsFkUPIb/lX1BH7+VyXmmGSbdEFHnvhAOcaC7H";
 
   # USERS
   m3tam3re = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC3YEmpYbM+cpmyD10tzNRHEn526Z3LJOzYpWEKdJg8DaYyPbDn9iyVX30Nja2SrW4Wadws0Y8DW+Urs25/wVB6mKl7jgPJVkMi5hfobu3XAz8gwSdjDzRSWJrhjynuaXiTtRYED2INbvjLuxx3X8coNwMw58OuUuw5kNJp5aS2qFmHEYQErQsGT4MNqESe3jvTP27Z5pSneBj45LmGK+RcaSnJe7hG+KRtjuhjI7RdzMeDCX73SfUsal+rHeuEw/mmjYmiIItXhFTDn8ZvVwpBKv7xsJG90DkaX2vaTk0wgJdMnpVIuIRBa4EkmMWOQ3bMLGkLQeK/4FUkNcvQ/4+zcZsg4cY9Q7Fj55DD41hAUdF6SYODtn5qMPsTCnJz44glHt/oseKXMSd556NIw2HOvihbJW7Rwl4OEjGaO/dF4nUw4c9tHWmMn9dLslAVpUuZOb7ykgP0jk79ldT3Dv+2Hj0CdAWT2cJAdFX58KQ9jUPT3tBnObSF1lGMI7t77VU=";
@@ -12,12 +13,17 @@ let
   ];
 
   systems = [
+    m3-atlas
     m3-ares
     m3-helios
     m3-kratos
   ];
 in {
+  "secrets/baserow-env.age".publicKeys = systems ++ users;
+  "secrets/ghost-env.age".publicKeys = systems ++ users;
+  "secrets/littlelink-m3tam3re.age".publicKeys = systems ++ users;
   "secrets/m3tam3re-secrets.age".publicKeys = systems ++ users;
+  "secrets/searx.age".publicKeys = systems ++ users;
   "secrets/tailscale-key.age".publicKeys = systems ++ users;
   "secrets/traefik.age".publicKeys = systems ++ users;
   "secrets/wg-DE.age".publicKeys = systems ++ users;