Initial commit

2026-03-06 08:31:13 +01:00 · 2026-03-06 08:31:13 +01:00 · 430194beda
commit 430194beda
109 changed files with 9066 additions and 0 deletions
--- a/templates/raspberry-pi/services/comin.nix
+++ b/templates/raspberry-pi/services/comin.nix
@ -0,0 +1,24 @@
+{
+  config,
+  pkgs,
+  outputs,
+  constants,
+  ...
+}:
+
+{
+  imports = [
+    outputs.nixosModules.comin
+  ];
+
+  services.comin = {
+    enable = true;
+    remotes = [
+      {
+        name = "origin";
+        url = "https://${constants.services.forgejo.fqdn}/steffen/cryodev-server.git";
+        branches.main.name = "main";
+      }
+    ];
+  };
+}
--- a/templates/raspberry-pi/services/default.nix
+++ b/templates/raspberry-pi/services/default.nix
@ -0,0 +1,9 @@
+{
+  imports = [
+    ./nginx.nix
+    ./openssh.nix
+    ./tailscale.nix
+    ./netdata.nix
+    ./comin.nix
+  ];
+}
--- a/templates/raspberry-pi/services/netdata.nix
+++ b/templates/raspberry-pi/services/netdata.nix
@ -0,0 +1,31 @@
+{
+  config,
+  pkgs,
+  outputs,
+  constants,
+  ...
+}:
+
+{
+  services.netdata = {
+    enable = true;
+    config = {
+      stream = {
+        enabled = "yes";
+        destination = "${constants.hosts.cryodev-main.ip}:${toString constants.services.netdata.port}";
+        "api key" = config.sops.placeholder."netdata/stream/child-uuid";
+      };
+    };
+  };
+
+  # Make sure sops is enabled/imported for this host to handle the secret
+  imports = [ outputs.nixosModules.sops ];
+
+  sops = {
+    defaultSopsFile = ../secrets.yaml;
+    secrets."netdata/stream/child-uuid" = {
+      owner = "netdata";
+      group = "netdata";
+    };
+  };
+}
--- a/templates/raspberry-pi/services/nginx.nix
+++ b/templates/raspberry-pi/services/nginx.nix
@ -0,0 +1,14 @@
+{
+  outputs,
+  ...
+}:
+
+{
+  imports = [ outputs.nixosModules.nginx ];
+
+  services.nginx = {
+    enable = true;
+    forceSSL = true;
+    openFirewall = true;
+  };
+}
--- a/templates/raspberry-pi/services/openssh.nix
+++ b/templates/raspberry-pi/services/openssh.nix
@ -0,0 +1,12 @@
+{
+  outputs,
+  ...
+}:
+
+{
+  imports = [
+    outputs.nixosModules.openssh
+  ];
+
+  services.openssh.enable = true;
+}
--- a/templates/raspberry-pi/services/tailscale.nix
+++ b/templates/raspberry-pi/services/tailscale.nix
@ -0,0 +1,28 @@
+{
+  config,
+  pkgs,
+  outputs,
+  constants,
+  ...
+}:
+
+{
+  imports = [
+    outputs.nixosModules.tailscale
+  ];
+
+  services.tailscale = {
+    enable = true;
+    # Connect to our own headscale instance
+    loginServer = "https://${constants.services.headscale.fqdn}";
+    # Allow SSH access over Tailscale
+    enableSSH = true;
+    # Use MagicDNS names
+    acceptDNS = true;
+
+    # Auth key for automated enrollment
+    authKeyFile = config.sops.secrets."tailscale/auth-key".path;
+  };
+
+  sops.secrets."tailscale/auth-key" = { };
+}