genebean/dots
1
0
Fork 0
mirror of https://github.com/genebean/dots.git synced 2026-03-27 09:27:44 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add linting, formatting, and CI

Browse source 
- Add deadnix, nixfmt, and statix to flake inputs
- Add formatter output to flake for nix fmt support
- Add deadnix, nixfmt, statix to Home Manager packages
- Format all nix files with nixfmt
- Add GitHub Actions workflow for CI validation
- Support x86_64-darwin in formatter
This commit is contained in:
Gene Liverman 2026-03-14 01:04:02 -04:00
parent 1312755c4b
commit c1a53997ce
No known key found for this signature in database
75 changed files with 1417 additions and 767 deletions
Download patch file Download diff file Expand all files Collapse all files

6
modules/hosts/nixos/nixnuc/containers/audiobookshelf.nix
View file

@ -1,7 +1,9 @@
{ ... }: let
{ ... }:
let
volume_base = "/var/lib/audiobookshelf";
http_port = "13378";
in {
in
{
# Audiobookshelf
virtualisation.oci-containers.containers = {

10
modules/hosts/nixos/nixnuc/containers/mountain-mesh-bot-discord.nix
View file

@ -1,6 +1,8 @@
{ config, username, ... }: let
{ config, username, ... }:
let
volume_base = "/orico/mountain-mesh-bot-discord";
in {
in
{
# My mountain-mesh-bot-discord container
virtualisation.oci-containers.containers = {
@ -17,6 +19,8 @@ in {
sops.secrets.mtnmesh_bot_dot_env = {
path = "${volume_base}/.env";
restartUnits = [ "${config.virtualisation.oci-containers.containers.mtnmesh_bot_discord.serviceName}" ];
restartUnits = [
"${config.virtualisation.oci-containers.containers.mtnmesh_bot_discord.serviceName}"
];
};
}

7
modules/hosts/nixos/nixnuc/containers/psitransfer.nix
View file

@ -1,8 +1,10 @@
{ config, ... }: let
{ config, ... }:
let
volume_base = "/orico/psitransfer";
http_port = "3000";
psitransfer_dot_env = "${config.sops.secrets.psitransfer_dot_env.path}";
in {
in
{
#############################################################################
# My intent as of now is to only make this available to the outside world #
@ -29,4 +31,3 @@ in {
};
};
}

189
modules/hosts/nixos/nixnuc/default.nix
View file

@ -1,10 +1,18 @@
{ inputs, config, pkgs, username, ... }: let
{
inputs,
config,
pkgs,
username,
...
}:
let
http_port = 80;
https_port = 443;
home_domain = "home.technicalissues.us";
backend_ip = "127.0.0.1";
restic_backup_time = "02:00";
in {
in
{
imports = [
./hardware-configuration.nix
./containers/audiobookshelf.nix
@ -31,7 +39,9 @@ in {
};
environment = {
sessionVariables = { LIBVA_DRIVER_NAME = "iHD"; };
sessionVariables = {
LIBVA_DRIVER_NAME = "iHD";
};
systemPackages = with pkgs; [
inputs.compose2nix.packages.${pkgs.stdenv.hostPlatform.system}.default
docker-compose
@ -57,7 +67,7 @@ in {
intel-ocl # Generic OpenCL support
];
};
mailserver = {
enable = true;
enableImap = false;
@ -81,26 +91,26 @@ in {
# Open ports in the firewall.
firewall = {
allowedTCPPorts = [
22 # ssh
80 # http to local Nginx
443 # https to local Nginx
3000 # PsiTransfer in oci-container
3001 # immich-kiosk in compose
3002 # grafana
3005 # Firefly III
3006 # Firefly III Data Importer
3030 # Forgejo
3087 # Youtarr in docker compose
8001 # Tube Archivist
8384 # Syncthing gui
8888 # Atuin
8090 # Wallabag in docker compose
8945 # Pinchflat
22 # ssh
80 # http to local Nginx
443 # https to local Nginx
3000 # PsiTransfer in oci-container
3001 # immich-kiosk in compose
3002 # grafana
3005 # Firefly III
3006 # Firefly III Data Importer
3030 # Forgejo
3087 # Youtarr in docker compose
8001 # Tube Archivist
8384 # Syncthing gui
8888 # Atuin
8090 # Wallabag in docker compose
8945 # Pinchflat
13378 # Audiobookshelf in oci-container
];
allowedUDPPorts = [
1900 # Jellyfin service auto-discovery
7359 # Jellyfin auto-discovery
1900 # Jellyfin service auto-discovery
7359 # Jellyfin auto-discovery
];
};
# Or disable the firewall altogether.
@ -112,11 +122,19 @@ in {
networkmanager.enable = false;
useNetworkd = true;
vlans = {
vlan23 = { id = 23; interface = "eno1"; };
vlan23 = {
id = 23;
interface = "eno1";
};
};
interfaces = {
eno1.useDHCP = true;
vlan23.ipv4.addresses = [{ address = "192.168.23.21"; prefixLength = 24; }];
vlan23.ipv4.addresses = [
{
address = "192.168.23.21";
prefixLength = 24;
}
];
};
};
@ -311,7 +329,11 @@ in {
"nix-tester.${home_domain}"
];
listen = [
{ port = https_port; addr = "0.0.0.0"; ssl = true; }
{
port = https_port;
addr = "0.0.0.0";
ssl = true;
}
];
enableACME = true;
acmeRoot = null;
@ -331,7 +353,13 @@ in {
};
};
"ab.${home_domain}" = {
listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
listen = [
{
port = https_port;
addr = "0.0.0.0";
ssl = true;
}
];
enableACME = true;
acmeRoot = null;
forceSSL = true;
@ -342,17 +370,41 @@ in {
'';
};
"atuin.${home_domain}" = {
listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
listen = [
{
port = https_port;
addr = "0.0.0.0";
ssl = true;
}
];
enableACME = true;
acmeRoot = null;
forceSSL = true;
locations."/".proxyPass = "http://${backend_ip}:8888";
};
# budget.${home_domain}
"${config.services.firefly-iii.virtualHost}".listen = [{ port = 3005; addr = "0.0.0.0"; ssl = false; }];
"${config.services.firefly-iii-data-importer.virtualHost}".listen = [{ port = 3006; addr = "0.0.0.0"; ssl = false; }];
"${config.services.firefly-iii.virtualHost}".listen = [
{
port = 3005;
addr = "0.0.0.0";
ssl = false;
}
];
"${config.services.firefly-iii-data-importer.virtualHost}".listen = [
{
port = 3006;
addr = "0.0.0.0";
ssl = false;
}
];
"git.${home_domain}" = {
listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
listen = [
{
port = https_port;
addr = "0.0.0.0";
ssl = true;
}
];
enableACME = true;
acmeRoot = null;
forceSSL = true;
@ -362,7 +414,13 @@ in {
'';
};
"id.${home_domain}" = {
listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
listen = [
{
port = https_port;
addr = "0.0.0.0";
ssl = true;
}
];
enableACME = true;
acmeRoot = null;
forceSSL = true;
@ -374,7 +432,13 @@ in {
'';
};
"immich.${home_domain}" = {
listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
listen = [
{
port = https_port;
addr = "0.0.0.0";
ssl = true;
}
];
enableACME = true;
acmeRoot = null;
forceSSL = true;
@ -388,7 +452,13 @@ in {
'';
};
"immich-kiosk.${home_domain}" = {
listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
listen = [
{
port = https_port;
addr = "0.0.0.0";
ssl = true;
}
];
enableACME = true;
acmeRoot = null;
forceSSL = true;
@ -403,7 +473,13 @@ in {
'';
};
"jellyfin.${home_domain}" = {
listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
listen = [
{
port = https_port;
addr = "0.0.0.0";
ssl = true;
}
];
enableACME = true;
acmeRoot = null;
forceSSL = true;
@ -428,7 +504,13 @@ in {
'';
};
"mealie.${home_domain}" = {
listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
listen = [
{
port = https_port;
addr = "0.0.0.0";
ssl = true;
}
];
enableACME = true;
acmeRoot = null;
forceSSL = true;
@ -438,7 +520,13 @@ in {
'';
};
"monitoring.${home_domain}" = {
listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
listen = [
{
port = https_port;
addr = "0.0.0.0";
ssl = true;
}
];
enableACME = true;
acmeRoot = null;
forceSSL = true;
@ -469,7 +557,13 @@ in {
'';
};
"readit.${home_domain}" = {
listen = [{ port = https_port; addr = "0.0.0.0"; ssl = true; }];
listen = [
{
port = https_port;
addr = "0.0.0.0";
ssl = true;
}
];
enableACME = true;
acmeRoot = null;
forceSSL = true;
@ -557,7 +651,7 @@ in {
secrets = {
firefly_app_key = {
owner = config.services.firefly-iii.user;
restartUnits = ["nginx.service"];
restartUnits = [ "nginx.service" ];
};
firefly_pat_data_import = {
owner = config.services.firefly-iii-data-importer.user;
@ -582,7 +676,7 @@ in {
};
immich_kiosk_basic_auth = {
owner = config.users.users.nginx.name;
restartUnits = ["nginx.service"];
restartUnits = [ "nginx.service" ];
};
local_git_config = {
owner = "${username}";
@ -594,12 +688,12 @@ in {
};
mealie = {
mode = "0444";
restartUnits = ["mealie.service"];
restartUnits = [ "mealie.service" ];
};
nextcloud_admin_pass.owner = config.users.users.nextcloud.name;
nginx_basic_auth = {
owner = "nginx";
restartUnits = ["nginx.service"];
restartUnits = [ "nginx.service" ];
};
tailscale_key = {
restartUnits = [ "tailscaled-autoconnect.service" ];
@ -610,19 +704,24 @@ in {
systemd.services = {
jellyfin.environment.LIBVA_DRIVER_NAME = "iHD";
"mealie" = {
requires = ["postgresql.service"];
after = ["postgresql.service"];
requires = [ "postgresql.service" ];
after = [ "postgresql.service" ];
};
"nextcloud-setup" = {
requires = ["postgresql.service"];
after = ["postgresql.service"];
requires = [ "postgresql.service" ];
after = [ "postgresql.service" ];
};
};
users.users.${username} = {
isNormalUser = true;
description = "Gene Liverman";
extraGroups = [ "docker" "podman" "networkmanager" "wheel" ];
extraGroups = [
"docker"
"podman"
"networkmanager"
"wheel"
];
linger = true;
};

62
modules/hosts/nixos/nixnuc/hardware-configuration.nix
View file

@ -1,42 +1,54 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, modulesPath, ... }:
{
config,
lib,
modulesPath,
...
}:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ];
boot.initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"usbhid"
"usb_storage"
"sd_mod"
"sdhci_pci"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/0ee15ee9-37ea-448d-aa3b-23eb25994df0";
fsType = "ext4";
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/0ee15ee9-37ea-448d-aa3b-23eb25994df0";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/4814-3E47";
fsType = "vfat";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/4814-3E47";
fsType = "vfat";
};
fileSystems."/var/lib/audiobookshelf" =
{ device = "orico/audiobookshelf";
fsType = "zfs";
};
fileSystems."/var/lib/audiobookshelf" = {
device = "orico/audiobookshelf";
fsType = "zfs";
};
fileSystems."/var/lib/postgresql" =
{ device = "orico/postgresql-data";
fsType = "zfs";
};
fileSystems."/var/lib/postgresql" = {
device = "orico/postgresql-data";
fsType = "zfs";
};
fileSystems."/var/lib/postgresql/16/pg_wal" =
{ device = "orico/postgresql-wal-16";
fsType = "zfs";
};
fileSystems."/var/lib/postgresql/16/pg_wal" = {
device = "orico/postgresql-wal-16";
fsType = "zfs";
};
# Second disk inside case
#fileSystems."/var/lib/postgresql" =

5
modules/hosts/nixos/nixnuc/home-gene.nix
View file

@ -1,3 +1,4 @@
{ ... }: {
home.stateVersion = "23.11";
{ ... }:
{
home.stateVersion = "23.11";
}

109
modules/hosts/nixos/nixnuc/monitoring-stack.nix
View file

@ -1,6 +1,8 @@
{ config, pkgs, ... }: let
{ config, pkgs, ... }:
let
home_domain = "home.technicalissues.us";
in {
in
{
environment.systemPackages = with pkgs; [
# Keeping empty for manual testing if needed
];
@ -25,7 +27,7 @@ in {
# ----------------------------
victoriametrics = {
enable = true;
stateDir = "victoriametrics"; # Just the directory name, module adds /var/lib/ prefix
stateDir = "victoriametrics"; # Just the directory name, module adds /var/lib/ prefix
package = pkgs.victoriametrics;
};
@ -47,21 +49,24 @@ in {
static_configs = [
{
targets = [
"127.0.0.1:9100" # nixnuc
"192.168.22.22:9100" # home assistant
"127.0.0.1:9100" # nixnuc
"192.168.22.22:9100" # home assistant
"umbrel:9100"
];
}
];
metric_relabel_configs = [
{
source_labels = ["__name__" "nodename"];
source_labels = [
"__name__"
"nodename"
];
regex = "node_uname_info;0d869efa-prometheus-node-exporter";
target_label = "nodename";
replacement = "homeassistant";
}
{
source_labels = ["__name__"];
source_labels = [ "__name__" ];
regex = "go_.*";
action = "drop";
}
@ -84,11 +89,11 @@ in {
{
job_name = "cadvisor";
static_configs = [
{ targets = ["127.0.0.1:8081"]; }
{ targets = [ "127.0.0.1:8081" ]; }
];
metric_relabel_configs = [
{
source_labels = ["__name__"];
source_labels = [ "__name__" ];
regex = "go_.*";
action = "drop";
}
@ -105,11 +110,11 @@ in {
{
job_name = "nginx";
static_configs = [
{ targets = ["127.0.0.1:9113"]; }
{ targets = [ "127.0.0.1:9113" ]; }
];
metric_relabel_configs = [
{
source_labels = ["__name__"];
source_labels = [ "__name__" ];
regex = "go_.*";
action = "drop";
}
@ -128,7 +133,7 @@ in {
scrape_interval = "30s";
metrics_path = "/api/prometheus";
static_configs = [
{ targets = ["192.168.22.22:8123"]; }
{ targets = [ "192.168.22.22:8123" ]; }
];
bearer_token_file = config.sops.secrets.home_assistant_token.path;
relabel_configs = [
@ -145,7 +150,7 @@ in {
scheme = "https";
scrape_interval = "30s";
static_configs = [
{ targets = ["utk.technicalissues.us"]; }
{ targets = [ "utk.technicalissues.us" ]; }
];
basic_auth = {
password_file = config.sops.secrets.uptimekuma_grafana_api_key.path;
@ -153,19 +158,19 @@ in {
};
metric_relabel_configs = [
{
source_labels = ["monitor_hostname"];
source_labels = [ "monitor_hostname" ];
regex = "^null$";
replacement = "";
target_label = "monitor_hostname";
}
{
source_labels = ["monitor_port"];
source_labels = [ "monitor_port" ];
regex = "^null$";
replacement = "";
target_label = "monitor_port";
}
{
source_labels = ["monitor_url"];
source_labels = [ "monitor_url" ];
regex = "https:\/\/";
replacement = "";
target_label = "monitor_url";
@ -211,17 +216,16 @@ in {
datasources.settings.datasources = [
{
name = "VictoriaMetrics";
type = "victoriametrics-metrics-datasource";
name = "VictoriaMetrics";
type = "victoriametrics-metrics-datasource";
access = "proxy";
url = "http://127.0.0.1:8428";
url = "http://127.0.0.1:8428";
isDefault = true;
uid = "VictoriaMetrics"; # Set explicit UID for use in alert rules
uid = "VictoriaMetrics"; # Set explicit UID for use in alert rules
}
];
};
settings = {
auth = {
# Set to true to disable (hide) the login form, useful if you use OAuth
@ -229,36 +233,36 @@ in {
};
"auth.generic_oauth" = {
name = "Pocket ID";
enabled = true;
name = "Pocket ID";
enabled = true;
# Use Grafana's file reference syntax for secrets
client_id = "$__file{${config.sops.secrets.grafana_oauth_client_id.path}}";
client_secret = "$__file{${config.sops.secrets.grafana_oauth_client_secret.path}}";
client_id = "$__file{${config.sops.secrets.grafana_oauth_client_id.path}}";
client_secret = "$__file{${config.sops.secrets.grafana_oauth_client_secret.path}}";
auth_style = "AutoDetect";
scopes = "openid email profile groups";
auth_url = "${config.services.pocket-id.settings.APP_URL}/authorize";
token_url = "${config.services.pocket-id.settings.APP_URL}/api/oidc/token";
allow_sign_up = true;
auto_login = true;
name_attribute_path = "display_name";
login_attribute_path = "preferred_username";
email_attribute_name = "email:primary";
email_attribute_path = "email";
role_attribute_path = "contains(groups[*], 'grafana_super_admin') && 'GrafanaAdmin' || contains(groups[*], 'grafana_admin') && 'Admin' || contains(groups[*], 'grafana_editor') && 'Editor' || 'Viewer'";
role_attribute_strict = false;
auth_style = "AutoDetect";
scopes = "openid email profile groups";
auth_url = "${config.services.pocket-id.settings.APP_URL}/authorize";
token_url = "${config.services.pocket-id.settings.APP_URL}/api/oidc/token";
allow_sign_up = true;
auto_login = true;
name_attribute_path = "display_name";
login_attribute_path = "preferred_username";
email_attribute_name = "email:primary";
email_attribute_path = "email";
role_attribute_path = "contains(groups[*], 'grafana_super_admin') && 'GrafanaAdmin' || contains(groups[*], 'grafana_admin') && 'Admin' || contains(groups[*], 'grafana_editor') && 'Editor' || 'Viewer'";
role_attribute_strict = false;
allow_assign_grafana_admin = true;
skip_org_role_sync = false;
use_pkce = true;
use_refresh_token = false;
tls_skip_verify_insecure = false;
skip_org_role_sync = false;
use_pkce = true;
use_refresh_token = false;
tls_skip_verify_insecure = false;
};
# Database configuration - use PostgreSQL with peer authentication
database = {
type = "postgres";
host = "/run/postgresql"; # Use Unix socket instead of TCP
host = "/run/postgresql"; # Use Unix socket instead of TCP
name = "grafana";
user = "grafana";
# No password needed - using peer authentication via Unix socket
@ -266,10 +270,10 @@ in {
# Server configuration
server = {
domain = "monitoring.${home_domain}";
http_addr = "0.0.0.0";
http_port = 3002;
root_url = "https://monitoring.${home_domain}/grafana/";
domain = "monitoring.${home_domain}";
http_addr = "0.0.0.0";
http_port = 3002;
root_url = "https://monitoring.${home_domain}/grafana/";
serve_from_sub_path = true;
};
@ -286,7 +290,7 @@ in {
# ----------------------------
# Exporters (using built-in NixOS modules)
# ----------------------------
# Node exporter - using the built-in module
prometheus.exporters.node = {
enable = true;
@ -332,7 +336,7 @@ in {
group = "vmagent";
};
users.groups.vmagent = {};
users.groups.vmagent = { };
# ----------------------------
# Systemd service dependencies
@ -350,19 +354,19 @@ in {
secrets = {
grafana_oauth_client_id = {
owner = "grafana";
restartUnits = ["grafana.service"];
restartUnits = [ "grafana.service" ];
};
grafana_oauth_client_secret = {
owner = "grafana";
restartUnits = ["grafana.service"];
restartUnits = [ "grafana.service" ];
};
home_assistant_token = {
owner = "vmagent";
restartUnits = ["vmagent.service"];
restartUnits = [ "vmagent.service" ];
};
uptimekuma_grafana_api_key = {
owner = "vmagent";
restartUnits = ["vmagent.service"];
restartUnits = [ "vmagent.service" ];
sopsFile = ../../../shared/secrets.yaml;
};
};
@ -378,4 +382,3 @@ in {
];
};
}