Aner Zakobar
2f0d0b5e4c
Replaces the Helm/k3s setup with a declarative NixOS configuration targeting
a Raspberry Pi 4. Services run as podman containers under systemd, with data
on an external HD at /mnt/data. Key components:
- flake.nix: multi-host flake with pi-main (aarch64) and a placeholder for a
second machine
- modules/common.nix: shared system config (nix, podman, sops, SSH)
- modules/storage.nix: external HD mount with per-service subdirs
- modules/caddy.nix: Caddy with cloudflare DNS-01 ACME + authelia forward_auth
- modules/cloudflared.nix: Cloudflare tunnel for remote access
- modules/backup.nix: restic daily backups with NC maintenance mode pre-hook
- modules/services/{openldap,authelia,gitea,nextcloud,phpldapadmin}.nix: core services
- modules/services/{jellyfin,transmission}.nix: media services (disabled by default)
- secrets/: sops-nix scaffold with .sops.yaml age key config
- hosts/pi-main/: hardware config + service selection for the Pi
- PORTING.md: step-by-step migration guide (SD card → data restore → verify)
84 lines
2.9 KiB
Nix
84 lines
2.9 KiB
Nix
{ config, lib, pkgs, homeyConfig, ... }:
|
|
|
|
# Pi-main host configuration.
|
|
# This file declares which services run on this machine and any
|
|
# host-specific overrides. Hardware config lives in hardware.nix.
|
|
|
|
{
|
|
imports = [
|
|
./hardware.nix
|
|
];
|
|
|
|
# -------------------------------------------------------------------------
|
|
# Identity
|
|
# -------------------------------------------------------------------------
|
|
networking.hostName = "pi-main";
|
|
|
|
# -------------------------------------------------------------------------
|
|
# Admin user
|
|
# -------------------------------------------------------------------------
|
|
users.users.admin = {
|
|
isNormalUser = true;
|
|
extraGroups = [ "wheel" "podman" ];
|
|
# Paste your SSH public key here
|
|
openssh.authorizedKeys.keys = [
|
|
"ssh-ed25519 AAAA... your-key-here"
|
|
];
|
|
};
|
|
|
|
security.sudo.wheelNeedsPassword = false; # convenience on a home server
|
|
|
|
# -------------------------------------------------------------------------
|
|
# External HD
|
|
# -------------------------------------------------------------------------
|
|
homey.storage = {
|
|
# Replace with the actual by-id path of your USB drive.
|
|
# Find it: ls -la /dev/disk/by-id/ | grep -v part
|
|
device = "/dev/disk/by-id/REPLACE-WITH-YOUR-DRIVE-ID";
|
|
mountPoint = "/mnt/data";
|
|
fsType = "ext4";
|
|
};
|
|
|
|
# -------------------------------------------------------------------------
|
|
# Services enabled on this host
|
|
# -------------------------------------------------------------------------
|
|
|
|
# Auth stack (run these together — authelia depends on openldap)
|
|
homey.openldap.enable = true;
|
|
homey.authelia.enable = true;
|
|
|
|
# Productivity
|
|
homey.gitea.enable = true;
|
|
homey.nextcloud.enable = true;
|
|
homey.phpldapadmin.enable = true;
|
|
|
|
# Media (enable when ready)
|
|
homey.jellyfin.enable = false;
|
|
homey.transmission.enable = false;
|
|
|
|
# Reverse proxy + Cloudflare
|
|
homey.caddy.enable = true;
|
|
homey.cloudflared.enable = true;
|
|
|
|
# Backups
|
|
homey.backup.enable = true;
|
|
# Where to send restic backups — set to your backup destination:
|
|
# "sftp:user@nas.local:/backups/homey"
|
|
# "b2:your-bucket-name:homey"
|
|
# "rclone:remote:homey"
|
|
homey.backup.repository = "sftp:REPLACE-WITH-BACKUP-DESTINATION";
|
|
|
|
# -------------------------------------------------------------------------
|
|
# Local DNS overrides (optional — makes LAN clients hit the Pi directly
|
|
# instead of going through Cloudflare for *.home.zakobar.com)
|
|
# -------------------------------------------------------------------------
|
|
# If you run Pi-hole or Adguard, add these records there instead.
|
|
# networking.extraHosts = ''
|
|
# 192.168.1.100 home.zakobar.com
|
|
# 192.168.1.100 auth.home.zakobar.com
|
|
# 192.168.1.100 git.home.zakobar.com
|
|
# 192.168.1.100 nextcloud.home.zakobar.com
|
|
# 192.168.1.100 ldapadmin.home.zakobar.com
|
|
# '';
|
|
}
|