Working NixOS port: all core services operational
- Fix Caddy cfProxy helper for cloudflared http:// vhosts (X-Forwarded-Proto) - Fix Authelia LDAP bind (readonly user ACL + password sync) - Add gitea-admin-setup oneshot service to survive rebuilds - Update Authelia forward_auth with header_up X-Forwarded-Proto https - Update TODO.org with completed tasks and LDAP config details - Remove old Helm/k8s artifacts (Chart.yaml, templates/, values/, scripts) - Add result to .gitignore Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Aner Zakobar
@@ -0,0 +1,70 @@
|
||||
{ pkgs, lib, homeyConfig, ... }:
|
||||
|
||||
# Bootstrap image for the primary Raspberry Pi 4.
|
||||
#
|
||||
# Flash this image first. Its only purpose is to boot the Pi so you can:
|
||||
# 1. Generate the age key: sudo age-keygen -o /var/lib/sops-nix/key.txt
|
||||
# 2. Print the pubkey: sudo age-keygen -y /var/lib/sops-nix/key.txt
|
||||
# 3. Add the pubkey to .sops.yaml, re-encrypt secrets, then deploy pi-main.
|
||||
#
|
||||
# No sops, no services, no external HD — just SSH + WiFi.
|
||||
#
|
||||
# WiFi PSK: uncomment and fill in before building. Do not commit the password.
|
||||
# networks."YourSSID".psk = "your-wifi-password";
|
||||
|
||||
{
|
||||
networking.hostName = "pi-main";
|
||||
time.timeZone = homeyConfig.timezone;
|
||||
i18n.defaultLocale = "en_US.UTF-8";
|
||||
system.stateVersion = "25.05";
|
||||
|
||||
nix.settings = {
|
||||
experimental-features = [ "nix-command" "flakes" ];
|
||||
substituters = [
|
||||
"https://cache.nixos.org"
|
||||
"https://nix-community.cachix.org"
|
||||
];
|
||||
trusted-public-keys = [
|
||||
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
|
||||
"nix-community.cachix.org-1:mB9FkXj6Q3Q4ohOcbM4FJ9Z1X2kCrVK4vZOqsDqqNqk="
|
||||
];
|
||||
};
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
|
||||
# linux_rpi4 is pre-built in cache.nixos.org — fetched, not compiled.
|
||||
boot.kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
|
||||
|
||||
networking.wireless = {
|
||||
enable = true;
|
||||
# networks."Zakobar".psk = "your-wifi-password";
|
||||
};
|
||||
networking.interfaces.wlan0.ipv4.addresses = [{
|
||||
address = "192.168.1.100";
|
||||
prefixLength = 24;
|
||||
}];
|
||||
networking.useDHCP = false;
|
||||
networking.interfaces.wlan0.useDHCP = false;
|
||||
networking.defaultGateway = "192.168.1.1";
|
||||
networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
|
||||
networking.firewall.allowedTCPPorts = [ 22 ];
|
||||
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
settings = {
|
||||
PasswordAuthentication = false;
|
||||
PermitRootLogin = "no";
|
||||
};
|
||||
};
|
||||
|
||||
users.mutableUsers = false;
|
||||
users.users.admin = {
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" ];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDfzDDO5juINctECmWlsYtGghEiX/RnTJ1cazLvOWSrPfsTyEd+B1+Ig8kFefNryjkpApfRXqj5KtLPNlpLfdVBrOIfhIveEp2MGqhgOGZFNVxQyXnZgii8Zdh4cqZ2O3pZpMsaAQBaJ9nH6dK0dJjicWT5f6TqwrVcInywRc5SuyizoSxoFmg7ch2rnlVi0j5XMVqdh8XLzHXZ7yWCzXy7+hWl/d7pwpyuzoK8dBw2EU9TauhgRDruom5Q9vWJTLStALC9pAIb0v9UFj9y+1zwx7pXsXp5F1g73EYrE4QR+QQ6z2LebuK280W0t+VA/fSCEB13DnkmofgqZQxX5MSCmrxZ5lTFp1FjW6yJo7As9FheF/GECowYkMRIx4IiQsjjHjZqlLRpLas11yAp6tGoZnw59hFo6Lu0Kva39jGVVmioYHtAeE5rD5w+v5kseJR4jlQ8aKB5yOjYUQOIz2AHQyoidgaeR2jPWqZUeRQbACI+/p3CHO45r3hrjATtGloBg0xF95Qws7Be3mjHVhbBLOoob8MdZ8nYAGnhlWrZphlkvXsHC6OUkuDJW00tmMjWXRlFwhFJ+nqUQCgLVjxVHQJ5rq9GeXBUuNXAeCm5BKBsdq+9qqVlt7D9iGyfr0lcZ7peKz/96KwPCWpG2En1Ur0/cVcbWnXEfG/xWO10tQ== cardno:24_758_470"
|
||||
];
|
||||
};
|
||||
security.sudo.wheelNeedsPassword = false;
|
||||
|
||||
environment.systemPackages = [ pkgs.age pkgs.vim ];
|
||||
}
|
||||
@@ -9,6 +9,10 @@
|
||||
./hardware.nix
|
||||
];
|
||||
|
||||
# linux_rpi4 is the Raspberry Pi Foundation's kernel, sourced from nixpkgs
|
||||
# and pre-built in cache.nixos.org. Avoids a multi-hour native compilation.
|
||||
boot.kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
|
||||
|
||||
# -------------------------------------------------------------------------
|
||||
# Identity
|
||||
# -------------------------------------------------------------------------
|
||||
@@ -50,7 +54,7 @@
|
||||
extraGroups = [ "wheel" "podman" ];
|
||||
# Paste your SSH public key here
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDBFZRqiTsOCAJPMqUyMeLd2MbyjdGoyqDVq5/Inhb6EOaM1NUGG4b6FPmYgFLyJIm5LC9BOo6M7npiaiOs/zMqp+hoGLNQUNwm5/G0uy1bjkEfKdUTdGnJ2+M9rkxrR1c+KXrjkiqECqTbnPE4mJbGyVxBW2MwMeP5w8c0DB5KO528PetvHMPPQuEdXyZzDI4kKtVpMlJoPIrIGlNFX0G/wrgXcM4zU1snOTuYGqZnWW++4kBsgIlRKpf/bLJyUMTp30eLVr0fQ6OMBtj1tzUUBaaowU6VGYQQDU/rIh/NpkA2cEVPXZegM4OohkAqrJBFPIAg90WD9Z/SyQlz0Jn8PpAloP0Cuq2vVRr+QLEwxqGiFq91YQ2VtwksMHwJGVrXRCNegpxTZQijWMEd+o0FD2cEd7Ftw6v2L6g12GJ3QGX/q0d/u0GongLLa9fPXl4VoAu7AL+cUcbX/SS7RCG8kYAR3DwOazVbK0NWEdwvWdoSU4lZ3j2at1xqMGjHjyLiTeUqZBjm+Sl5MJWIYNg+8hnONljvggg4SzDFDAkgVLZtOCaZibsMA1ucGR7VRCM09uoaEI4/ZS5pCBtYcp8X67Bv67Og8s2NFf5sUfYBPPKpdBSs+dEPycNVff6JlmzfNiyzLawacGKIDWYSgkOl43N/5ehtpsL3HMZ+5SVNIw=="
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDfzDDO5juINctECmWlsYtGghEiX/RnTJ1cazLvOWSrPfsTyEd+B1+Ig8kFefNryjkpApfRXqj5KtLPNlpLfdVBrOIfhIveEp2MGqhgOGZFNVxQyXnZgii8Zdh4cqZ2O3pZpMsaAQBaJ9nH6dK0dJjicWT5f6TqwrVcInywRc5SuyizoSxoFmg7ch2rnlVi0j5XMVqdh8XLzHXZ7yWCzXy7+hWl/d7pwpyuzoK8dBw2EU9TauhgRDruom5Q9vWJTLStALC9pAIb0v9UFj9y+1zwx7pXsXp5F1g73EYrE4QR+QQ6z2LebuK280W0t+VA/fSCEB13DnkmofgqZQxX5MSCmrxZ5lTFp1FjW6yJo7As9FheF/GECowYkMRIx4IiQsjjHjZqlLRpLas11yAp6tGoZnw59hFo6Lu0Kva39jGVVmioYHtAeE5rD5w+v5kseJR4jlQ8aKB5yOjYUQOIz2AHQyoidgaeR2jPWqZUeRQbACI+/p3CHO45r3hrjATtGloBg0xF95Qws7Be3mjHVhbBLOoob8MdZ8nYAGnhlWrZphlkvXsHC6OUkuDJW00tmMjWXRlFwhFJ+nqUQCgLVjxVHQJ5rq9GeXBUuNXAeCm5BKBsdq+9qqVlt7D9iGyfr0lcZ7peKz/96KwPCWpG2En1Ur0/cVcbWnXEfG/xWO10tQ== cardno:24_758_470"
|
||||
];
|
||||
};
|
||||
|
||||
@@ -62,7 +66,7 @@
|
||||
homey.storage = {
|
||||
# Replace with the actual by-id path of your USB drive.
|
||||
# Find it: ls -la /dev/disk/by-id/ | grep -v part
|
||||
device = "/dev/disk/by-id/usb-WD_Ext_HDD_1021_5743415A4146313531393031-0:0-part1";
|
||||
device = "/dev/disk/by-label/homey-data";
|
||||
mountPoint = "/mnt/data";
|
||||
fsType = "ext4";
|
||||
};
|
||||
@@ -98,14 +102,14 @@
|
||||
|
||||
# -------------------------------------------------------------------------
|
||||
# Local DNS overrides (optional — makes LAN clients hit the Pi directly
|
||||
# instead of going through Cloudflare for *.home.zakobar.com)
|
||||
# instead of going through Cloudflare for *.zakobar.com)
|
||||
# -------------------------------------------------------------------------
|
||||
# If you run Pi-hole or Adguard, add these records there instead.
|
||||
# networking.extraHosts = ''
|
||||
# 192.168.1.100 home.zakobar.com
|
||||
# 192.168.1.100 auth.home.zakobar.com
|
||||
# 192.168.1.100 git.home.zakobar.com
|
||||
# 192.168.1.100 nextcloud.home.zakobar.com
|
||||
# 192.168.1.100 ldapadmin.home.zakobar.com
|
||||
# 192.168.1.100 zakobar.com
|
||||
# 192.168.1.100 auth.zakobar.com
|
||||
# 192.168.1.100 git.zakobar.com
|
||||
# 192.168.1.100 nextcloud.zakobar.com
|
||||
# 192.168.1.100 ldapadmin.zakobar.com
|
||||
# '';
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user