From 99d19af39a488a1ee66fe10bb58a652e580e98de Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Rapha=C3=ABl=20Numbus?= Date: Fri, 13 Mar 2026 11:37:53 +0100 Subject: [PATCH] Huge update to organization. Added future numbus projects. --- README.md | 113 +++++++++++++----- deploy.sh | 107 ++++++++++++++--- numbus-backup-server.conf | 0 numbus-computer.conf | 0 deploy.conf => numbus-server.conf | 0 numbus-tv.conf | 0 .../configuration.nix | 6 +- .../flake.nix | 2 +- .../sops-nix/.sops.yaml | 0 .../sops-nix/secrets.yaml | 0 templates/numbus-computer/configuration.nix | 18 +++ templates/numbus-computer/flake.nix | 48 ++++++++ templates/numbus-computer/sops-nix/.sops.yaml | 9 ++ .../numbus-computer/sops-nix/secrets.yaml | 2 + templates/numbus-server/configuration.nix | 20 ++++ templates/numbus-server/flake.nix | 48 ++++++++ templates/numbus-server/sops-nix/.sops.yaml | 9 ++ templates/numbus-server/sops-nix/secrets.yaml | 4 + templates/numbus-tv/configuration.nix | 18 +++ templates/numbus-tv/flake.nix | 48 ++++++++ templates/numbus-tv/sops-nix/.sops.yaml | 9 ++ templates/numbus-tv/sops-nix/secrets.yaml | 2 + 22 files changed, 414 insertions(+), 49 deletions(-) create mode 100644 numbus-backup-server.conf create mode 100644 numbus-computer.conf rename deploy.conf => numbus-server.conf (100%) create mode 100644 numbus-tv.conf rename templates/{nix-config => numbus-backup-server}/configuration.nix (86%) rename templates/{nix-config => numbus-backup-server}/flake.nix (95%) rename templates/{nix-config => numbus-backup-server}/sops-nix/.sops.yaml (100%) rename templates/{nix-config => numbus-backup-server}/sops-nix/secrets.yaml (100%) create mode 100644 templates/numbus-computer/configuration.nix create mode 100644 templates/numbus-computer/flake.nix create mode 100644 templates/numbus-computer/sops-nix/.sops.yaml create mode 100644 templates/numbus-computer/sops-nix/secrets.yaml create mode 100644 templates/numbus-server/configuration.nix create mode 100644 templates/numbus-server/flake.nix create mode 100644 templates/numbus-server/sops-nix/.sops.yaml 
create mode 100644 templates/numbus-server/sops-nix/secrets.yaml create mode 100644 templates/numbus-tv/configuration.nix create mode 100644 templates/numbus-tv/flake.nix create mode 100644 templates/numbus-tv/sops-nix/.sops.yaml create mode 100644 templates/numbus-tv/sops-nix/secrets.yaml diff --git a/README.md b/README.md index bbdf194..3cf6680 100644 --- a/README.md +++ b/README.md 
@@ -1,54 +1,109 @@ -# ā˜ļø Numbus Server: Your Personal Cloud, Simplified šŸš€ +# ā˜ļø Welcome to Numbus šŸš€ -Welcome to the **Numbus Server** project! This repository provides a complete NixOS configuration to deploy a personal home server with a rich set of services in minutes. Our goal is to make self-hosting accessible to everyone, allowing you to take back control of your data with a solution that is easy to manage and highly reliable. - -## ✨ Features - -- 🌐 **Free & Open-Source:** Built with transparency and community collaboration in mind. -- šŸš€ **Easy Deployment:** Get your server up and running in minutes with a single command. -- šŸ› ļø **Set & Forget:** A highly reliable, low-maintenance solution. -- šŸ”’ **Secure by Design:** Strong security practices are at the core of our configuration. -- šŸ“¦ **Popular Services:** Access a wide range of popular, pre-configured services. -- āš™ļø **Declarative & Reproducible:** Thanks to NixOS, your system configuration is entirely declarative, ensuring reproducibility and easy maintenance. - -## šŸ› ļø Key Technologies - -- **NixOS:** A declarative Linux distribution that makes system management a breeze. -- **Nix Flakes:** For reproducible builds and dependency management. -- **Docker & Docker Compose:** To run containerized services with ease. -- **Traefik:** A modern reverse proxy for securely exposing services. -- **Sops-nix:** For secure and convenient management of secrets. -- **NixOS-anywhere:** For seamless initial deployment to any machine. -- **Disko:** For declarative and predictable disk partitioning. +Welcome to the **Numbus Server** project! This repository provides a complete selection of highly customizable NixOS configurations to deploy **home servers**, **backup servers**, **computers**, **TVs** in an automated manner. Deploy devices in hours instead of days ! ## šŸš€ Getting Started -The entire deployment process is automated with the `deploy.sh` script. 
This script dynamically adapts the configuration to your hardware, network environment, and secrets. +The entire deployment process is automated around a bash script. It helps to dynamically adapt the configuration to your hardware, network environment, and secrets. -**1. Clone the Repository:** +### Requirements : +#### For numbus-server : +- A NixOS-based machine to deploy from +- A NixOS-based live machine to deploy to +- An email address with automated mail sending support +- A valid, public domain name + + +#### For numbus-backup-server : +- A NixOS-based machine to deploy from +- A NixOS-based live machine to deploy to +- An email address with automated mail sending support +- A valid domain name + +#### For numbus-computer : +- A NixOS-based machine to deploy from +- A NixOS-based live machine to deploy to + +#### For numbus-tv : +- A NixOS-based machine to deploy from +- A NixOS-based live machine to deploy to + +### On your Nix-based machine : + +**1. Clone the Repository :** ```bash -git clone https://git.numbus.eu/raphael/numbus-server.git -cd numbus-server +git clone https://git.numbus.eu/raphael/numbus.git +cd numbus ``` -**2. Run the Deployment Script:** +**2. (Optional) Fill in the configuration file :** + +This step is globally recommended as it reduces the risks of typos in the credentials. It also is better suited for repeated deployments to multiple machines. + +```bash +nano $your_choosed_device.conf +``` + +Example: if you want to deploy a server + +```bash +nano numbus-server.conf +``` + +**3. Run the Deployment Script :** ```bash ./deploy.sh ``` -**3. Follow the Prompts:** +**4. Follow the script's Prompts :** + +> If you followed **step 2**, then choose non-interactive mode. + +> If you skipped **step 2**, then choose interactive mode. The script will guide you through the setup process, including choosing a deployment mode and providing the necessary information. Once completed, the script will: - Adapt the configuration to your machine. 
- Generate SSH and `sops` keys. - Encrypt secrets for secure storage. -- Generate configuration files for Docker services. -- Deploy the NixOS configuration using `nixos-anywhere`. +- Generate configuration files for Podman services. +- Deploy the NixOS configuration to the remote using `nixos-anywhere`. - Verify the deployment and guide you through the final setup of the web UIs. +## ✨ Features + +- 🌐 **Free & Open-Source :** Built with transparency and community collaboration in mind. +- šŸš€ **Easy Deployment :** Get your server up and running in minutes with a single command. +- šŸ› ļø **Set & Forget :** A highly reliable, low-maintenance solution. +- šŸ”’ **Secure by Design :** Strong security practices are at the core of our configuration. +- šŸ“¦ **Popular Services :** Access a wide range of popular, pre-configured services. +- āš™ļø **Declarative & Reproducible :** Thanks to NixOS, your system configuration is entirely declarative, ensuring reproducibility and easy maintenance. + +## šŸ› ļø Key Technologies + +#### Global project : +- **[NixOS](https://nixos.org):** A declarative Linux distribution that makes system management a breeze. +- **[Nix Flakes](https://wiki.nixos.org/wiki/Flakes):** For reproducible builds and dependency management. +- **[Sops-nix](https://github.com/Mic92/sops-nix):** For secure and convenient management of secrets. +- **[NixOS-anywhere](https://github.com/nix-community/nixos-anywhere):** For seamless initial deployment to any machine. +- **[Disko](https://github.com/nix-community/disko):** For declarative and predictable disk partitioning. + +#### Server-centric features : +- **[SnapRAID](https://www.snapraid.it):** Keep your data safe. +- **[Qemu/KVM](https://www.qemu.org):** Run virtual with near-native performance. +- **[Podman](https://podman.io):** Run rootless, containerized services with ease. +- **[Traefik](https://traefik.io/traefik):** A modern reverse proxy for securely exposing services. 
+ +#### Desktop-centric features : +- **[GNOME](https://www.gnome.org):** A modern, elegant desktop environment. +- **[KDE Plasma](https://kde.org):** A full-featured and highly customizable desktop environment. + +#### TV-centric features : +- **[KDE Plasma Bigscreen](https://plasma-bigscreen.org):** An open-source TV interface for Linux. + + ## šŸ”§ Deployment Modes The `deploy.sh` script offers three modes to suit your needs: diff --git a/deploy.sh b/deploy.sh index 90240dd..db9a546 100644 --- a/deploy.sh +++ b/deploy.sh @@ -7,21 +7,20 @@ export GUM_SPIN_SPINNER_BOLD=true export GUM_SPIN_SHOW_ERROR=true export GUM_SPIN_TITLE_BOLD=true -NECESSARY_VARIABLES_LIST=( +NECESSARY_BACKUP_SERVER_VARIABLES_LIST=( #LIVE TARGET SETTINGS LIVE_TARGET_IP LIVE_TARGET_PASSWD #SERVER SETTINGS - LANGUAGE - LOCALE - TIMEZONE + SERVER_LANGUAGE + SERVER_LOCALE + SERVER_TIMEZONE SERVER_OWNER_NAME SERVER_USER_EMAIL SERVER_ADMIN_EMAIL - AUTHORIZED_SSH_PUBLIC_KEY + SERVER_AUTHORIZED_SSH_PUBKEYS # TRAEFIK SETTINGS - DOMAIN_NAME - CLOUDFLARE_DNS_API_TOKEN + TRAEFIK_CLOUDFLARE_TOKEN # SMTP SETTINGS SMTP_SERVER_USERNAME SMTP_SERVER_PASSWORD 
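Review bot: The required-variable list now names the Cloudflare secret `TRAEFIK_CLOUDFLARE_TOKEN` (replacing `CLOUDFLARE_DNS_API_TOKEN` in the `NECESSARY_BACKUP_SERVER_VARIABLES_LIST` hunk), but the new `templates/numbus-server/sops-nix/secrets.yaml` still substitutes `$CLOUDFLARE_DNS_API_TOKEN`, and the backup-server secrets template is a 100% rename of the old file, so presumably carries the same placeholder. Unless the substitution step elsewhere in deploy.sh maps the new name onto the old placeholder, a config file that sets `TRAEFIK_CLOUDFLARE_TOKEN` passes the import check while the rendered secret ends up empty or as the literal placeholder text, which sops then encrypts without complaint. Either keep the variable name the templates consume, or change the template line to `cloudflareDnsApiToken: "$TRAEFIK_CLOUDFLARE_TOKEN"`. The same applies to `NECESSARY_SERVER_VARIABLES_LIST` in the following hunk.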
@@ -30,11 +29,83 @@ NECESSARY_VARIABLES_LIST=( #NETWORK SETTINGS NETWORK_SUBNET NETWORK_ROUTER_IP - HOME_SERVER_IP + NETWORK_HOME_SERVER_IP # SERVICES SETTINGS - SELECTED_DNS_SERVICE - SELECTED_WEB_APPLICATIONS - SELECTED_SYSTEM_SERVICES + SERVICES_DOMAIN_NAME + SERVICES_SELECTED_SYSTEM + SERVICES_SELECTED_WEB_APPLICATIONS +) + +NECESSARY_COMPUTER_VARIABLES_LIST=( + #LIVE TARGET SETTINGS + LIVE_TARGET_IP + LIVE_TARGET_PASSWD + #COMPUTER SETTINGS + COMPUTER_LANGUAGE + COMPUTER_LOCALE + COMPUTER_TIMEZONE + COMPUTER_OWNER_NAME + COMPUTER_USER_EMAIL + COMPUTER_ADMIN_EMAIL + COMPUTER_AUTHORIZED_SSH_PUBKEYS + #NETWORK SETTINGS + NETWORK_SUBNET + NETWORK_ROUTER_IP + NETWORK_HOME_COMPUTER_IP + # SERVICES SETTINGS + SERVICES_SELECTED_SYSTEM + SERVICES_SELECTED_APPLICATIONS +) + +NECESSARY_SERVER_VARIABLES_LIST=( + #LIVE TARGET SETTINGS + LIVE_TARGET_IP + LIVE_TARGET_PASSWD + #SERVER SETTINGS + SERVER_LANGUAGE + SERVER_LOCALE + SERVER_TIMEZONE + SERVER_OWNER_NAME + SERVER_USER_EMAIL + SERVER_ADMIN_EMAIL + SERVER_AUTHORIZED_SSH_PUBKEYS + # TRAEFIK SETTINGS + TRAEFIK_CLOUDFLARE_TOKEN + # SMTP SETTINGS + SMTP_SERVER_USERNAME + SMTP_SERVER_PASSWORD + SMTP_SERVER_HOST + SMTP_SERVER_PORT + #NETWORK SETTINGS + NETWORK_SUBNET + NETWORK_ROUTER_IP + NETWORK_HOME_SERVER_IP + # SERVICES SETTINGS + SERVICES_DOMAIN_NAME + SERVICES_SELECTED_DNS + SERVICES_SELECTED_SYSTEM + SERVICES_SELECTED_WEB_APPLICATIONS +) + +NECESSARY_TV_VARIABLES_LIST=( + #LIVE TARGET SETTINGS + LIVE_TARGET_IP + LIVE_TARGET_PASSWD + #TV SETTINGS + TV_LANGUAGE + TV_LOCALE + TV_TIMEZONE + TV_OWNER_NAME + TV_USER_EMAIL + TV_ADMIN_EMAIL + TV_AUTHORIZED_SSH_PUBKEYS + #NETWORK SETTINGS + NETWORK_SUBNET + NETWORK_ROUTER_IP + NETWORK_HOME_TV_IP + # SERVICES SETTINGS + SERVICES_SELECTED_SYSTEM + SERVICES_SELECTED_WEB_APPLICATIONS ) # Available services @@ -42,6 +113,7 @@ DNS_SERVICES_LIST=( "pi-hole" "adguard" ) + WEB_APPLICATIONS_LIST=( "crafty" "frigate" 
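Review bot: The new lists require `NETWORK_HOME_SERVER_IP`, but the interactive path shown as context in the `necessary_information()` hunk still prompts for `HOME_SERVER_IP`, so interactive and config-file deployments populate differently named variables and whichever one the templates read is empty in the other mode, unless the rest of the script outside these hunks renames it. The computer list also calls the application selection `SERVICES_SELECTED_APPLICATIONS` while the server, backup-server and TV lists use `SERVICES_SELECTED_WEB_APPLICATIONS`. Align the prompt, `user_input "NETWORK_HOME_SERVER_IP" ...`, and use one name for the selection across all four lists. The server and backup-server lists differ only by `SERVICES_SELECTED_DNS`; a shared base list plus a per-device extension would stop them drifting apart.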
@@ -56,15 +128,18 @@ WEB_APPLICATIONS_LIST=( "uptime-kuma" "vscodium" ) + SYSTEM_SERVICES_LIST=( "clamav" "virtualization" ) + # Services descriptions DNS_SERVICES_DESCRIPTION=( "Pi-Hole : Simple open-source DNS black hole" "AdGuard : Feature rich DNS service" ) + WEB_APPLICATIONS_DESCRIPTION=( "Crafty : A web-based control panel for Minecraft servers" "Frigate [Home Assistant required] : AI-powered NVR for smart security cameras" @@ -79,6 +154,7 @@ WEB_APPLICATIONS_DESCRIPTION=( "Uptime-Kuma : A fancy self-hosted monitoring tool" "VSCodium : An open-source version of VScode in your web browser" ) + SYSTEM_SERVICES_DESCRIPTION=( "ClamAV : An open-source anti-virus" "Virtualization : Run Virtual Machines (KVM/QEMU) with Libvirt" @@ -162,13 +238,16 @@ necessary_information() { user_input "HOME_SERVER_IP" " Please choose the ip address that your server will use (i.e. any address in the 192.168.1.1/24 range that is not in use.) :" "For example 192.168.1.5" "${IP_REGEX}" "Invalid IP address format." } -necessary_information_config() { +import_variables() { + VARIABLES_LIST="${1}" + NECESSARY="${2:-false}" + echo -e "\n\nāž”ļø Please choose your configuration file :" local CONFIG_PATH="$(gum file)" source "${CONFIG_PATH}" local MISSING=0 - for VAR in "${NECESSARY_VARIABLES_LIST[@]}"; do + for VAR in "${VARIABLES_LIST[@]}"; do if [[ -v "${VAR}" && -n "${!VAR}" ]]; then gum style "āœ… "${VAR}" imported successfully from the config file" else @@ -985,7 +1064,7 @@ elif [[ "$ACTION_ANSWER" == "[2] šŸ’½ Deploy NixOS on a remote machine with a fi gum style --border normal --margin "1" --padding "1 2" --border-foreground 212 "āž”ļø On the target host : start the computer and boot into the NixOS iso. Launch a console and set up a new user password" gum confirm "Do you understand and wish to proceed?" || { echo "āŒ Aborting as requested"; exit 1; } - necessary_information_config + import_variables hierarchy_preparation setup_ssh hardware_detection 
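Review bot: `import_variables` never checks the names it was given: `VARIABLES_LIST="${1}"` stores a scalar, so `"${VARIABLES_LIST[@]}"` expands to that one string, and the call site in the `@@ -985,7 +1064,7 @@` hunk passes no argument at all, leaving a single empty word to iterate. The effect is that a config file missing any required value (including `SMTP_SERVER_PASSWORD` or the Cloudflare token) is accepted and the empty values flow into the sops templates. Use a nameref (bash 4.3+) and pass the array name: `local -n VARIABLES_LIST="${1}"`, `local NECESSARY="${2:-false}"`, and at the call site `import_variables NECESSARY_SERVER_VARIABLES_LIST` (or the list matching the chosen device). `NECESSARY` is assigned but not read anywhere in the hunk, and the rest of the function, where `MISSING` is consumed, lies outside it.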
diff --git a/numbus-backup-server.conf b/numbus-backup-server.conf new file mode 100644 index 0000000..e69de29 diff --git a/numbus-computer.conf b/numbus-computer.conf new file mode 100644 index 0000000..e69de29 diff --git a/deploy.conf b/numbus-server.conf similarity index 100% rename from deploy.conf rename to numbus-server.conf diff --git a/numbus-tv.conf b/numbus-tv.conf new file mode 100644 index 0000000..e69de29 diff --git a/templates/nix-config/configuration.nix b/templates/numbus-backup-server/configuration.nix similarity index 86% rename from templates/nix-config/configuration.nix rename to templates/numbus-backup-server/configuration.nix index 3f496df..a519138 100644 --- a/templates/nix-config/configuration.nix +++ b/templates/numbus-backup-server/configuration.nix @@ -17,8 +17,4 @@ # Secrets sops.secrets."authorizedSshPublicKeys" = { owner = "numbus-admin"; path = "/home/numbus-admin/.ssh/authorized_keys"; mode = "0600"; }; sops.secrets."smtpPassword" = { owner = "numbus-admin"; mode = "0600"; }; - sops.secrets."cloudflareDnsApiToken" = { owner = "numbus-admin"; mode = "0600"; }; - -# # TPM2 PCR check -# systemIdentity.enable = true; -# systemIdentity.pcr15 = "PCR_HASH"; \ No newline at end of file + sops.secrets."cloudflareDnsApiToken" = { owner = "numbus-admin"; mode = "0600"; }; \ No newline at end of file diff --git a/templates/nix-config/flake.nix b/templates/numbus-backup-server/flake.nix similarity index 95% rename from templates/nix-config/flake.nix rename to templates/numbus-backup-server/flake.nix index 9763186..0db377a 100644 --- a/templates/nix-config/flake.nix +++ b/templates/numbus-backup-server/flake.nix 
@@ -3,7 +3,7 @@ # Core Nixpkgs nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; # Numbus server configuration - numbus.url = "git+https://gittea.dev/numbus/numbus-server-module"; + numbus.url = "git+https://gittea.dev/numbus/numbus-backup-server"; numbus.inputs.nixpkgs.follows = "nixpkgs"; # Disk-partitioning helper disko.url = "github:nix-community/disko"; diff --git a/templates/nix-config/sops-nix/.sops.yaml b/templates/numbus-backup-server/sops-nix/.sops.yaml similarity index 100% rename from templates/nix-config/sops-nix/.sops.yaml rename to templates/numbus-backup-server/sops-nix/.sops.yaml diff --git a/templates/nix-config/sops-nix/secrets.yaml b/templates/numbus-backup-server/sops-nix/secrets.yaml similarity index 100% rename from templates/nix-config/sops-nix/secrets.yaml rename to templates/numbus-backup-server/sops-nix/secrets.yaml diff --git a/templates/numbus-computer/configuration.nix b/templates/numbus-computer/configuration.nix new file mode 100644 index 0000000..f42b219 --- /dev/null +++ b/templates/numbus-computer/configuration.nix @@ -0,0 +1,18 @@ +{ modulesPath, config, pkgs, inputs, ... }: + +{ + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + (modulesPath + "/profiles/qemu-guest.nix") + inputs.sops-nix.nixosModules.sops + ]; + + # System + system.stateVersion = "25.11"; + + # Secrets management + sops.defaultSopsFile = ./secrets/secrets.yaml; + sops.age.sshKeyPaths = [ "/home/numbus-admin/.ssh/id_ed25519" ]; + sops.age.keyFile = "/var/lib/sops-nix/key.txt"; + # Secrets + sops.secrets."authorizedSshPublicKeys" = { owner = "numbus-admin"; path = "/home/numbus-admin/.ssh/authorized_keys"; mode = "0600"; }; \ No newline at end of file diff --git a/templates/numbus-computer/flake.nix b/templates/numbus-computer/flake.nix new file mode 100644 index 0000000..9b319b0 --- /dev/null +++ b/templates/numbus-computer/flake.nix 
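Review bot: `sops.defaultSopsFile = ./secrets/secrets.yaml;` in the new `templates/numbus-computer/configuration.nix` points at a `secrets/` directory, while this commit ships the file as `sops-nix/secrets.yaml` and the new `.sops.yaml` rule matches `secrets/secrets.yaml$`. If `hierarchy_preparation` relocates the directory before evaluation that is fine, but nothing in the diff shows it, and the mismatch is easy to miss because the same blob (`f42b219`) is reused verbatim for `templates/numbus-tv/configuration.nix`. The template also imports `profiles/qemu-guest.nix`, which is unusual for a physical computer or TV target and looks inherited from the server template; a comment such as `# NOTE: qemu-guest profile inherited from the server template — confirm it is wanted on physical hardware` would record whether that is intended. `config` and `pkgs` in the module arguments are unused.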
@@ -0,0 +1,48 @@ +{ + inputs = { + # Core Nixpkgs + nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; + # Numbus server configuration + numbus.url = "git+https://gittea.dev/numbus/numbus-computer"; + numbus.inputs.nixpkgs.follows = "nixpkgs"; + # Disk-partitioning helper + disko.url = "github:nix-community/disko"; + disko.inputs.nixpkgs.follows = "nixpkgs"; + # Secrets handling + sops-nix.url = "github:Mic92/sops-nix"; + sops-nix.inputs.nixpkgs.follows = "nixpkgs"; + # Power savings + autoaspm.url = "git+https://git.notthebe.ee/notthebee/AutoASPM"; + autoaspm.inputs.nixpkgs.follows = "nixpkgs"; + }; + + outputs = { self, nixpkgs, numbus, disko, sops-nix, autoaspm, ... }@inputs: let + # System definition + system = "x86_64-linux"; + pkgs = import nixpkgs { + inherit system; + config.allowUnfree = true; + }; + in + { + nixosConfigurations = { + numbus-server = nixpkgs.lib.nixosSystem { + inherit system; + specialArgs = { inherit inputs; }; + modules = [ + # Numbus server configuration + numbus.nixosModules.numbus + # Disk-partitioning helper + disko.nixosModules.disko + # Secrets handling + sops-nix.nixosModules.sops + # Power savings + autoaspm.nixosModules.autoaspm + # Core host configuration + ./configuration.nix + ./hardware-configuration.nix + ]; + }; + }; + }; +} diff --git a/templates/numbus-computer/sops-nix/.sops.yaml b/templates/numbus-computer/sops-nix/.sops.yaml new file mode 100644 index 0000000..de69314 --- /dev/null +++ b/templates/numbus-computer/sops-nix/.sops.yaml @@ -0,0 +1,9 @@ +# .sops.yaml + +keys: + - &primary $SOPS_PUBLIC_KEY +creation_rules: + - path_regex: secrets/secrets.yaml$ + key_groups: + - age: + - *primary \ No newline at end of file diff --git a/templates/numbus-computer/sops-nix/secrets.yaml b/templates/numbus-computer/sops-nix/secrets.yaml new file mode 100644 index 0000000..68bd283 --- /dev/null +++ b/templates/numbus-computer/sops-nix/secrets.yaml 
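Review bot: The computer flake declares `nixosConfigurations.numbus-server` under the comment `# Numbus server configuration`, so `nixos-anywhere --flake .#numbus-server` would install a computer profile under a server name; the TV flake in the `templates/numbus-tv/flake.nix` hunk does the same. Rename the attribute per device (`numbus-computer`, `numbus-tv`) and have deploy.sh select it, or keep one name on purpose and say so in the comment. All four inputs (`numbus`, `disko`, `sops-nix`, `autoaspm`) are unpinned URLs with no `?rev=`/`?ref=` and no flake.lock in the template, so each fresh deployment evaluates whatever the remote currently serves; pinning at least `numbus.url` (e.g. `?rev=<commit placeholder>`) or committing a lock makes the build reproducible and bounds what a compromised or hijacked upstream can change on the target. `pkgs` is built with `allowUnfree` but never used in `outputs`.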
@@ -0,0 +1,2 @@ +authorizedSshPublicKeys: | +$SSH_KEYS_FORMATTED \ No newline at end of file diff --git a/templates/numbus-server/configuration.nix b/templates/numbus-server/configuration.nix new file mode 100644 index 0000000..a519138 --- /dev/null +++ b/templates/numbus-server/configuration.nix @@ -0,0 +1,20 @@ +{ modulesPath, config, pkgs, inputs, ... }: + +{ + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + (modulesPath + "/profiles/qemu-guest.nix") + inputs.sops-nix.nixosModules.sops + ]; + + # System + system.stateVersion = "25.11"; + + # Secrets management + sops.defaultSopsFile = ./secrets/secrets.yaml; + sops.age.sshKeyPaths = [ "/home/numbus-admin/.ssh/id_ed25519" ]; + sops.age.keyFile = "/var/lib/sops-nix/key.txt"; + # Secrets + sops.secrets."authorizedSshPublicKeys" = { owner = "numbus-admin"; path = "/home/numbus-admin/.ssh/authorized_keys"; mode = "0600"; }; + sops.secrets."smtpPassword" = { owner = "numbus-admin"; mode = "0600"; }; + sops.secrets."cloudflareDnsApiToken" = { owner = "numbus-admin"; mode = "0600"; }; \ No newline at end of file diff --git a/templates/numbus-server/flake.nix b/templates/numbus-server/flake.nix new file mode 100644 index 0000000..0296512 --- /dev/null +++ b/templates/numbus-server/flake.nix 
@@ -0,0 +1,48 @@ +{ + inputs = { + # Core Nixpkgs + nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; + # Numbus server configuration + numbus.url = "git+https://gittea.dev/numbus/numbus-server"; + numbus.inputs.nixpkgs.follows = "nixpkgs"; + # Disk-partitioning helper + disko.url = "github:nix-community/disko"; + disko.inputs.nixpkgs.follows = "nixpkgs"; + # Secrets handling + sops-nix.url = "github:Mic92/sops-nix"; + sops-nix.inputs.nixpkgs.follows = "nixpkgs"; + # Power savings + autoaspm.url = "git+https://git.notthebe.ee/notthebee/AutoASPM"; + autoaspm.inputs.nixpkgs.follows = "nixpkgs"; + }; + + outputs = { self, nixpkgs, numbus, disko, sops-nix, autoaspm, ... }@inputs: let + # System definition + system = "x86_64-linux"; + pkgs = import nixpkgs { + inherit system; + config.allowUnfree = true; + }; + in + { + nixosConfigurations = { + numbus-server = nixpkgs.lib.nixosSystem { + inherit system; + specialArgs = { inherit inputs; }; + modules = [ + # Numbus server configuration + numbus.nixosModules.numbus + # Disk-partitioning helper + disko.nixosModules.disko + # Secrets handling + sops-nix.nixosModules.sops + # Power savings + autoaspm.nixosModules.autoaspm + # Core host configuration + ./configuration.nix + ./hardware-configuration.nix + ]; + }; + }; + }; +} diff --git a/templates/numbus-server/sops-nix/.sops.yaml b/templates/numbus-server/sops-nix/.sops.yaml new file mode 100644 index 0000000..de69314 --- /dev/null +++ b/templates/numbus-server/sops-nix/.sops.yaml @@ -0,0 +1,9 @@ +# .sops.yaml + +keys: + - &primary $SOPS_PUBLIC_KEY +creation_rules: + - path_regex: secrets/secrets.yaml$ + key_groups: + - age: + - *primary \ No newline at end of file diff --git a/templates/numbus-server/sops-nix/secrets.yaml b/templates/numbus-server/sops-nix/secrets.yaml new file mode 100644 index 0000000..38c83a2 --- /dev/null +++ b/templates/numbus-server/sops-nix/secrets.yaml 
@@ -0,0 +1,4 @@ +authorizedSshPublicKeys: | +$SSH_KEYS_FORMATTED +smtpPassword: "$SMTP_SERVER_PASSWORD" +cloudflareDnsApiToken: "$CLOUDFLARE_DNS_API_TOKEN" \ No newline at end of file diff --git a/templates/numbus-tv/configuration.nix b/templates/numbus-tv/configuration.nix new file mode 100644 index 0000000..f42b219 --- /dev/null +++ b/templates/numbus-tv/configuration.nix @@ -0,0 +1,18 @@ +{ modulesPath, config, pkgs, inputs, ... }: + +{ + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + (modulesPath + "/profiles/qemu-guest.nix") + inputs.sops-nix.nixosModules.sops + ]; + + # System + system.stateVersion = "25.11"; + + # Secrets management + sops.defaultSopsFile = ./secrets/secrets.yaml; + sops.age.sshKeyPaths = [ "/home/numbus-admin/.ssh/id_ed25519" ]; + sops.age.keyFile = "/var/lib/sops-nix/key.txt"; + # Secrets + sops.secrets."authorizedSshPublicKeys" = { owner = "numbus-admin"; path = "/home/numbus-admin/.ssh/authorized_keys"; mode = "0600"; }; \ No newline at end of file diff --git a/templates/numbus-tv/flake.nix b/templates/numbus-tv/flake.nix new file mode 100644 index 0000000..00c8472 --- /dev/null +++ b/templates/numbus-tv/flake.nix 
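Review bot: `smtpPassword: "$SMTP_SERVER_PASSWORD"` and `cloudflareDnsApiToken: "$CLOUDFLARE_DNS_API_TOKEN"` are substituted inside YAML double-quoted scalars, so a value containing `"` or `\` either breaks the document or is silently rewritten by YAML escape processing before sops encrypts it. The line `$SSH_KEYS_FORMATTED` sits at column 0 under the block scalar `authorizedSshPublicKeys: |`, which is only valid YAML if the expanded text already carries its own indentation; the computer and TV `secrets.yaml` hunks share this. Since the values are under the script's control, writing them with `sops --set` or a YAML-aware tool, or at least escaping `\` and `"` before substitution, removes the dependence on the secret's character set. The rendered file holds the values in plaintext until encryption, so it is worth confirming that deploy.sh removes it when a later step fails.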
@@ -0,0 +1,48 @@ +{ + inputs = { + # Core Nixpkgs + nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; + # Numbus server configuration + numbus.url = "git+https://gittea.dev/numbus/numbus-tv"; + numbus.inputs.nixpkgs.follows = "nixpkgs"; + # Disk-partitioning helper + disko.url = "github:nix-community/disko"; + disko.inputs.nixpkgs.follows = "nixpkgs"; + # Secrets handling + sops-nix.url = "github:Mic92/sops-nix"; + sops-nix.inputs.nixpkgs.follows = "nixpkgs"; + # Power savings + autoaspm.url = "git+https://git.notthebe.ee/notthebee/AutoASPM"; + autoaspm.inputs.nixpkgs.follows = "nixpkgs"; + }; + + outputs = { self, nixpkgs, numbus, disko, sops-nix, autoaspm, ... }@inputs: let + # System definition + system = "x86_64-linux"; + pkgs = import nixpkgs { + inherit system; + config.allowUnfree = true; + }; + in + { + nixosConfigurations = { + numbus-server = nixpkgs.lib.nixosSystem { + inherit system; + specialArgs = { inherit inputs; }; + modules = [ + # Numbus server configuration + numbus.nixosModules.numbus + # Disk-partitioning helper + disko.nixosModules.disko + # Secrets handling + sops-nix.nixosModules.sops + # Power savings + autoaspm.nixosModules.autoaspm + # Core host configuration + ./configuration.nix + ./hardware-configuration.nix + ]; + }; + }; + }; +} diff --git a/templates/numbus-tv/sops-nix/.sops.yaml b/templates/numbus-tv/sops-nix/.sops.yaml new file mode 100644 index 0000000..de69314 --- /dev/null +++ b/templates/numbus-tv/sops-nix/.sops.yaml @@ -0,0 +1,9 @@ +# .sops.yaml + +keys: + - &primary $SOPS_PUBLIC_KEY +creation_rules: + - path_regex: secrets/secrets.yaml$ + key_groups: + - age: + - *primary \ No newline at end of file diff --git a/templates/numbus-tv/sops-nix/secrets.yaml b/templates/numbus-tv/sops-nix/secrets.yaml new file mode 100644 index 0000000..68bd283 --- /dev/null +++ b/templates/numbus-tv/sops-nix/secrets.yaml @@ -0,0 +1,2 @@ +authorizedSshPublicKeys: | +$SSH_KEYS_FORMATTED \ No newline at end of file