AZ-Intec-GmbH/AZ-PI
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: separate pi-configs

Browse Source
This commit is contained in:
m3tm3re
2026-05-01 09:20:49 +02:00
parent f8fcc88405
commit bbe6b7670f
136 changed files with 1 additions and 7439 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
.envrc
View File

@@ -1,5 +0,0 @@
#!/usr/bin/env bash
# Activate the devshell from the Nix flake
# This loads all tools and environment variables defined in flake.nix
use flake

45
AGENTS.md
View File

@@ -1,45 +0,0 @@
# Agent Instructions
## MANDATORY: Use td for Task Management
You must run td usage --new-session at conversation start (or after /clear) to see current work.
Use td usage -q for subsequent reads.
This project uses **bd** (beads) for issue tracking. Run `bd onboard` to get started.
## Quick Reference
```bash
bd ready # Find available work
bd show <id> # View issue details
bd update <id> --status in_progress # Claim work
bd close <id> # Complete work
bd sync # Sync with git
```
## Landing the Plane (Session Completion)
**When ending a work session**, you MUST complete ALL steps below. Work is NOT complete until `git push` succeeds.
**MANDATORY WORKFLOW:**
1. **File issues for remaining work** - Create issues for anything that needs follow-up
2. **Run quality gates** (if code changed) - Tests, linters, builds
3. **Update issue status** - Close finished work, update in-progress items
4. **PUSH TO REMOTE** - This is MANDATORY:
```bash
git pull --rebase
bd sync
git push
git status # MUST show "up to date with origin"
```
5. **Clean up** - Clear stashes, prune remote branches
6. **Verify** - All changes committed AND pushed
7. **Hand off** - Provide context for next session
**CRITICAL RULES:**
- Work is NOT complete until `git push` succeeds
- NEVER stop before pushing - that leaves work stranded locally
- NEVER say "ready to push when you are" - YOU must push
- If push fails, resolve and retry until it succeeds

0
README.md
View File

161
flake.nix
View File

@@ -15,77 +15,17 @@
url = "github:nix-community/home-manager/release-25.11";
inputs.nixpkgs.follows = "nixpkgs";
};
home-manager-unstable = {
url = "github:nix-community/home-manager/master";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
m3ta-nixpkgs.url = "git+https://code.m3ta.dev/m3tam3re/nixpkgs";
# m3ta-nixpkgs.url = "path:/home/sascha.koenig/p/NIX/nixpkgs";
#
llm-agents.url = "github:numtide/llm-agents.nix";
nur = {
url = "github:nix-community/NUR";
inputs.nixpkgs.follows = "nixpkgs";
};
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
agenix.url = "github:ryantm/agenix";
deploy-rs.url = "github:serokell/deploy-rs";
nixos-anywhere = {
url = "github:nix-community/nixos-anywhere";
inputs.nixpkgs.follows = "nixpkgs";
};
nix-colors.url = "github:misterio77/nix-colors";
nix-ai-tools.url = "github:numtide/nix-ai-tools";
# agents = {
# # url = "path:/home/sascha.koenig/p/AI/AGENTS";
# url = "git+https://code.m3ta.dev/m3tam3re/AGENTS";
# flake = false;
# };
agents = {
# url = "path:/home/sascha.koenig/p/AI/AGENTS";
url = "git+https://code.m3ta.dev/m3tam3re/AGENTS";
inputs.nixpkgs.follows = "nixpkgs";
};
skills-anthropic = {
url = "github:anthropics/skills";
flake = false;
};
skills-vercel = {
url = "github:vercel-labs/skills";
flake = false;
};
zugferd-service = {
url = "git+https://git.az-gruppe.com/AZ-Intec-GmbH/zugferd-service";
};
};
outputs = {
self,
agenix,
agents,
deploy-rs,
home-manager,
llm-agents,
nixpkgs,
m3ta-nixpkgs,
nur,
...
} @ inputs: let
inherit (self) outputs;
@@ -104,96 +44,7 @@
all = import ./overlays {inherit inputs;};
in
builtins.removeAttrs all ["mkLlmAgentsOverlay"];
lib.mkLlmAgentsOverlay = (import ./overlays {inherit inputs;}).mkLlmAgentsOverlay;
# Development shell
devShells = forAllSystems (system: let
pkgs = import nixpkgs {
inherit system;
config.allowUnfree = true; # Allow unfree packages in devShell
};
m3taLib = m3ta-nixpkgs.lib.${system};
rules = m3taLib.opencode-rules.mkOpencodeRules {
inherit agents;
languages = ["nix"];
};
in {
default = pkgs.mkShell {
inherit (rules) instructions;
buildInputs = with pkgs; [
alejandra
nixd
opencode
agenix.packages.${system}.default
];
shellHook = ''
${rules.shellHook}
echo "🚀 NixOS Infrastructure Development Shell with Opencode Rules"
echo ""
echo "Active rules:"
echo " - Nix language conventions"
echo " - Coding-style best practices"
echo " - Naming conventions"
echo " - Documentation standards"
echo " - Testing guidelines"
echo " - Git workflow patterns"
echo " - Project structure guidelines"
echo ""
echo "Generated files:"
echo " - .opencode-rules/ (symlink to AGENTS repo)"
echo " - opencode.json (configuration file)"
echo ""
echo "Useful commands:"
echo " - cat opencode.json View rules configuration"
echo " - ls .opencode-rules/ Browse available rules"
echo " - nix develop Re-enter this shell"
echo ""
echo "Remember to add to .gitignore:"
echo " .opencode-rules"
echo " opencode.json"
echo "======================================"
'';
};
});
nixosConfigurations = {
AZ-CLD-1 = nixpkgs.lib.nixosSystem {
specialArgs = {
inherit inputs outputs;
system = "x86_64-linux";
};
modules = [
./hosts/AZ-CLD-1
agenix.nixosModules.default
inputs.disko.nixosModules.disko
inputs.zugferd-service.nixosModules.default
];
};
AZ-PRM-1 = nixpkgs.lib.nixosSystem {
specialArgs = {
inherit inputs outputs;
system = "x86_64-linux";
};
modules = [
./hosts/AZ-PRM-1
agenix.nixosModules.default
inputs.disko.nixosModules.disko
];
};
AZLT124-L = inputs.nixpkgs-unstable.lib.nixosSystem {
specialArgs = {
inherit inputs outputs;
system = "x86_64-linux";
};
modules = [
./hosts/AZLT124-L
agenix.nixosModules.default
inputs.home-manager-unstable.nixosModules.home-manager
m3ta-nixpkgs.nixosModules.default
];
};
};
homeConfigurations = {
"logistik@AZPILOGISTIK01" = let
system = "aarch64-linux";
@@ -328,17 +179,5 @@
modules = [./home/users/vertrieb/AZPIVERTRIEB01.nix];
};
};
deploy.nodes = {
AZ-CLD-1 = {
hostname = "AZ-CLD-1";
profiles.system = {
sshUser = "sascha.koenig";
interactiveSudo = false;
sshOpts = ["-tt"];
remoteBuild = true;
path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.AZ-CLD-1;
};
};
};
};
}

3
home/common/default.nix
View File

@@ -15,9 +15,7 @@
# Add overlays your own flake exports (from overlays and pkgs dir):
outputs.overlays.additions
outputs.overlays.modifications
outputs.overlays.unstable-packages
inputs.nur.overlays.default
inputs.m3ta-nixpkgs.overlays.default
inputs.m3ta-nixpkgs.overlays.modifications
# Add stable as an overlay for home-manager
@@ -27,7 +25,6 @@
config.allowUnfree = true;
};
})
(outputs.lib.mkLlmAgentsOverlay system)
# You can also add overlays exported from other flakes:
# neovim-nightly-overlay.overlays.default

1
home/users/jannik.mueller/AZ-CLD-1.nix
View File

@@ -1 +0,0 @@
{...}: {imports = [./home.nix ../../common];}

1
home/users/jannik.mueller/AZ-PRM-1.nix
View File

@@ -1 +0,0 @@
{...}: {imports = [./home.nix ../../common];}

122
home/users/jannik.mueller/home-stable.nix
View File

@@ -1,122 +0,0 @@
# This is a default home.nix generated by the follwing hone-manager command
#
# home-manager init ./
{
config,
lib,
pkgs,
...
}: {
# Home Manager needs a bit of information about you and the paths it should
# manage.
home.username = lib.mkDefault "your-name";
home.homeDirectory = lib.mkDefault "/home/${config.home.username}";
# This value determines the Home Manager release that your configuration is
# compatible with. This helps avoid breakage when a new Home Manager release
# introduces backwards incompatible changes.
#
# You should not change this value, even if you update Home Manager. If you do
# want to update the value, then make sure to first check the Home Manager
# release notes.
home.stateVersion = "25.05"; # Please read the comment before changing.
# The home.packages option allows you to install Nix packages into your
# environment.
home.packages = with pkgs; [
# # Adds the 'hello' command to your environment. It prints a friendly
# # "Hello, world!" when run.
# pkgs.hello
# # It is sometimes useful to fine-tune packages, for example, by applying
# # overrides. You can do that directly here, just don't forget the
# # parentheses. Maybe you want to install Nerd Fonts with a limited number of
# # fonts?
# (pkgs.nerdfonts.override { fonts = [ "FantasqueSansMono" ]; })
# # You can also create simple shell scripts directly inside your
# # configuration. For example, this adds a command 'my-hello' to your
# # environment:
# (pkgs.writeShellScriptBin "my-hello" ''
# echo "Hello, ${config.home.username}!"
# '')
];
programs.git = {
enable = true;
difftastic.enable = true;
userName = "jannik.mueller";
userEmail = "jannik.mueller@azintec.com";
aliases = {
st = "status";
logd = "log --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit";
};
extraConfig = {
core.excludesfile = "~/.gitignore_global";
init.defaultBranch = "master";
pull.rebase = false;
};
};
programs.jujutsu = {
enable = true;
settings = {
user = {
email = "jannik.mueller@azintec.com";
name = "Jannik Mueller";
};
};
};
# Home Manager is pretty good at managing dotfiles. The primary way to manage
# plain files is through 'home.file'.
home.file = {
# # Building this configuration will create a copy of 'dotfiles/screenrc' in
# # the Nix store. Activating the configuration will then make '~/.screenrc' a
# # symlink to the Nix store copy.
# ".screenrc".source = dotfiles/screenrc;
# # You can also set the file content immediately.
# ".gradle/gradle.properties".text = ''
# org.gradle.console=verbose
# org.gradle.daemon.idletimeout=3600000
# '';
};
# Home Manager can also manage your environment variables through
# 'home.sessionVariables'. If you don't want to manage your shell through Home
# Manager then you have to manually source 'hm-session-vars.sh' located at
# either
#
# ~/.nix-profile/etc/profile.d/hm-session-vars.sh
#
# or
#
# ~/.local/state/nix/profiles/profile/etc/profile.d/hm-session-vars.sh
#
# or
#
# /etc/profiles/per-user/m3tam3re/etc/profile.d/hm-session-vars.sh
#
home.sessionVariables = {
# EDITOR = "emacs";
};
programs.ssh = {
enable = true;
matchBlocks = {
"git.az-gruppe.com" = {
hostname = "152.53.186.119";
user = "jannik.mueller";
port = 2022;
identityFile = "~/.ssh/jannik.mueller";
};
"AZ-CLD-1" = {
hostname = "152.53.186.119";
user = "jannik.mueller";
port = 2022;
identityFile = "~/.ssh/jannik.mueller";
};
};
};
# Let Home Manager install and manage itself.
programs.home-manager.enable = true;
}

124
home/users/jannik.mueller/home.nix
View File

@@ -1,124 +0,0 @@
# This is a default home.nix generated by the follwing hone-manager command
#
# home-manager init ./
{
config,
lib,
pkgs,
...
}: {
# Home Manager needs a bit of information about you and the paths it should
# manage.
home.username = lib.mkDefault "your-name";
home.homeDirectory = lib.mkDefault "/home/${config.home.username}";
# This value determines the Home Manager release that your configuration is
# compatible with. This helps avoid breakage when a new Home Manager release
# introduces backwards incompatible changes.
#
# You should not change this value, even if you update Home Manager. If you do
# want to update the value, then make sure to first check the Home Manager
# release notes.
home.stateVersion = "25.05"; # Please read the comment before changing.
# The home.packages option allows you to install Nix packages into your
# environment.
home.packages = with pkgs; [
# # Adds the 'hello' command to your environment. It prints a friendly
# # "Hello, world!" when run.
# pkgs.hello
# # It is sometimes useful to fine-tune packages, for example, by applying
# # overrides. You can do that directly here, just don't forget the
# # parentheses. Maybe you want to install Nerd Fonts with a limited number of
# # fonts?
# (pkgs.nerdfonts.override { fonts = [ "FantasqueSansMono" ]; })
# # You can also create simple shell scripts directly inside your
# # configuration. For example, this adds a command 'my-hello' to your
# # environment:
# (pkgs.writeShellScriptBin "my-hello" ''
# echo "Hello, ${config.home.username}!"
# '')
];
programs.git = {
enable = true;
settings = {
user = {
name = "jannik.mueller";
email = "jannik.mueller@azintec.com";
};
core.excludesfile = "~/.gitignore_global";
init.defaultBranch = "master";
pull.rebase = false;
alias = {
st = "status";
logd = "log --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit";
};
};
};
programs.jujutsu = {
enable = true;
settings = {
user = {
email = "jannik.mueller@azintec.com";
name = "Jannik Mueller";
};
};
};
# Home Manager is pretty good at managing dotfiles. The primary way to manage
# plain files is through 'home.file'.
home.file = {
# # Building this configuration will create a copy of 'dotfiles/screenrc' in
# # the Nix store. Activating the configuration will then make '~/.screenrc' a
# # symlink to the Nix store copy.
# ".screenrc".source = dotfiles/screenrc;
# # You can also set the file content immediately.
# ".gradle/gradle.properties".text = ''
# org.gradle.console=verbose
# org.gradle.daemon.idletimeout=3600000
# '';
};
# Home Manager can also manage your environment variables through
# 'home.sessionVariables'. If you don't want to manage your shell through Home
# Manager then you have to manually source 'hm-session-vars.sh' located at
# either
#
# ~/.nix-profile/etc/profile.d/hm-session-vars.sh
#
# or
#
# ~/.local/state/nix/profiles/profile/etc/profile.d/hm-session-vars.sh
#
# or
#
# /etc/profiles/per-user/m3tam3re/etc/profile.d/hm-session-vars.sh
#
home.sessionVariables = {
# EDITOR = "emacs";
};
programs.ssh = {
enable = true;
enableDefaultConfig = false;
matchBlocks = {
"git.az-gruppe.com" = {
hostname = "152.53.186.119";
user = "jannik.mueller";
port = 2022;
identityFile = "~/.ssh/jannik.mueller";
};
"AZ-CLD-1" = {
hostname = "152.53.186.119";
user = "jannik.mueller";
port = 2022;
identityFile = "~/.ssh/jannik.mueller";
};
};
};
# Let Home Manager install and manage itself.
programs.home-manager.enable = true;
}

60
home/users/sascha.koenig/AZ-CLD-1.nix
View File

@@ -1,60 +0,0 @@
{config, ...}: {
imports = [
./home.nix
../../common
../../features/cli/fish.nix
../../features/cli/fzf.nix
../../features/cli/nushell.nix
../../features/cli/starship.nix
];
programs.carapace = {
enable = true;
enableFishIntegration = true;
enableNushellIntegration = true;
enableBashIntegration = true;
};
programs.zoxide = {
enable = true;
enableFishIntegration = true;
enableNushellIntegration = true;
};
programs.bat = {enable = true;};
programs.direnv = {
enable = true;
enableNushellIntegration = true;
nix-direnv.enable =
true;
};
programs.eza = {
enable = true;
enableFishIntegration = true;
enableBashIntegration = true;
extraOptions = ["-l" "--icons" "--git" "-a"];
};
programs.lf = {
enable = true;
settings = {
preview = true;
drawbox = true;
hidden = true;
icons = true;
theme = "Dracula";
previewer = "bat";
};
};
features = {
cli = {
fish.enable = true;
nushell.enable = true;
fzf.enable = true;
starship.enable = true;
};
};
coding.editors.neovim.enable = true;
}

61
home/users/sascha.koenig/AZ-PRM-1.nix
View File

@@ -1,61 +0,0 @@
{config, ...}: {
imports = [
./home.nix
../../common
../../features/cli
../../features/cli/fish.nix
../../features/cli/fzf.nix
../../features/cli/nushell.nix
../../features/cli/starship.nix
];
programs.carapace = {
enable = true;
enableFishIntegration = true;
enableNushellIntegration = true;
enableBashIntegration = true;
};
programs.zoxide = {
enable = true;
enableFishIntegration = true;
enableNushellIntegration = true;
};
programs.bat = {enable = true;};
programs.direnv = {
enable = true;
enableNushellIntegration = true;
nix-direnv.enable =
true;
};
programs.eza = {
enable = true;
enableFishIntegration = true;
enableBashIntegration = true;
extraOptions = ["-l" "--icons" "--git" "-a"];
};
programs.lf = {
enable = true;
settings = {
preview = true;
drawbox = true;
hidden = true;
icons = true;
theme = "Dracula";
previewer = "bat";
};
};
features = {
cli = {
fish.enable = true;
nushell.enable = true;
fzf.enable = true;
starship.enable = true;
};
};
coding.editors.neovim.enable = true;
}

106
home/users/sascha.koenig/AZLT124-L.nix
View File

@@ -1,106 +0,0 @@
{
config,
lib,
inputs,
...
}:
with lib; let
cfg = config.features.desktop.hyprland;
in {
imports = [
../../common
./home.nix
../../features/cli
../../features/coding
../../features/desktop
inputs.nix-colors.homeManagerModules.default
];
config = mkMerge [
{
xdg = {
enable = true;
userDirs.setSessionVariables = true;
configFile."mimeapps.list".force = true;
mimeApps = {
enable = true;
associations.added = {
"application/zip" = ["org.gnome.FileRoller.desktop"];
"application/csv" = ["calc.desktop"];
"application/pdf" = ["vivaldi-stable.desktop"];
"x-scheme-handler/http" = ["vivaldi-stable.desktop"];
"x-scheme-handler/https" = ["vivaldi-stable.desktop"];
};
defaultApplications = {
"application/zip" = ["org.gnome.FileRoller.desktop"];
"application/csv" = ["calc.desktop"];
"application/pdf" = ["vivaldi-stable.desktop"];
"application/md" = ["dev.zed.Zed.desktop"];
"application/text" = ["dev.zed.Zed.desktop"];
"x-scheme-handler/http" = ["vivaldi-stable.desktop"];
"x-scheme-handler/https" = ["vivaldi-stable.desktop"];
};
};
};
services.hyprpaper.settings = {
ipc = "on";
preload = ["/home/sascha.koenig/.config/hypr/wallpapers/wallhaven-lmmo8r_2560x1600.png"];
wallpaper = [
"eDP-1,/home/sascha.koenig/.config/hypr/wallpapers/wallhaven-lmmo8r_2560x1600.png"
"DP-8,/home/sascha.koenig/.config/hypr/wallpapers/wallhaven-lmmo8r_2560x1600.png"
"DP-10,/home/sascha.koenig/.config/hypr/wallpapers/wallhaven-lmmo8r_2560x1600.png"
];
};
features = {
cli = {
fish.enable = true;
nushell.enable = true;
fzf.enable = true;
nitch.enable = true;
secrets.enable = true;
starship.enable = true;
television.enable = true;
};
desktop = {
coding.enable = true;
hyprland.enable = true;
media.enable = true;
office.enable = true;
rofi.enable = true;
fonts.enable = true;
wayland.enable = true;
};
};
}
(mkIf cfg.enable {
wayland.windowManager.hyprland = {
enable = true;
settings = {
source = "~/.config/hypr/monitors.conf";
workspace = [
"1, monitor:eDP-1, default:true"
"2, monitor:eDP-1"
"3, monitor:DP-8"
"4, monitor:DP-8"
"5, monitor:DP-10"
"6, monitor:DP-10"
];
windowrule = [
"match:class com.obsproject.Studio, workspace 1"
"match:class dev.zed.Zed, workspace 3"
"match:class vivaldi-stable, workspace 4, opacity 1.0"
"match:initial_title 3.basecamp.com_/5996442/, workspace 5, opacity 1.0"
"match:initial_title 3.basecamp.com_/5996442/, tile on"
"match:initial_title teams.microsoft.com_/, workspace 6, opacity 1.0"
"match:initial_title teams.microsoft.com_/, tile on"
"match:initial_title outlook.office.com_/mail/, workspace 6, opacity 1.0"
"match:initial_title outlook.office.com_/mail/, tile on"
];
};
};
})
];
}

123
home/users/sascha.koenig/home-stable.nix
View File

@@ -1,123 +0,0 @@
# This is a default home.nix generated by the follwing hone-manager command
#
# home-manager init ./
{
config,
lib,
pkgs,
...
}: {
# Home Manager needs a bit of information about you and the paths it should
# manage.
home.username = lib.mkDefault "your-name";
home.homeDirectory = lib.mkDefault "/home/${config.home.username}";
# This value determines the Home Manager release that your configuration is
# compatible with. This helps avoid breakage when a new Home Manager release
# introduces backwards incompatible changes.
#
# You should not change this value, even if you update Home Manager. If you do
# want to update the value, then make sure to first check the Home Manager
# release notes.
home.stateVersion = "25.05"; # Please read the comment before changing.
# The home.packages option allows you to install Nix packages into your
# environment.
home.packages = with pkgs; [
gcc
# # Adds the 'hello' command to your environment. It prints a friendly
# # "Hello, world!" when run.
# pkgs.hello
# # It is sometimes useful to fine-tune packages, for example, by applying
# # overrides. You can do that directly here, just don't forget the
# # parentheses. Maybe you want to install Nerd Fonts with a limited number of
# # fonts?
# (pkgs.nerdfonts.override { fonts = [ "FantasqueSansMono" ]; })
# # You can also create simple shell scripts directly inside your
# # configuration. For example, this adds a command 'my-hello' to your
# # environment:
# (pkgs.writeShellScriptBin "my-hello" ''
# echo "Hello, ${config.home.username}!"
# '')
];
programs.git = {
enable = true;
difftastic.enable = true;
userName = "sascha.koenig";
userEmail = "sascha.koenig@azintec.com";
aliases = {
st = "status";
logd = "log --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit";
};
extraConfig = {
core.excludesfile = "~/.gitignore_global";
init.defaultBranch = "master";
pull.rebase = false;
};
};
programs.jujutsu = {
enable = true;
settings = {
user = {
email = "sascha.koenig@azintec.com";
name = "Sascha Koenig";
};
};
};
# Home Manager is pretty good at managing dotfiles. The primary way to manage
# plain files is through 'home.file'.
home.file = {
# # Building this configuration will create a copy of 'dotfiles/screenrc' in
# # the Nix store. Activating the configuration will then make '~/.screenrc' a
# # symlink to the Nix store copy.
# ".screenrc".source = dotfiles/screenrc;
# # You can also set the file content immediately.
# ".gradle/gradle.properties".text = ''
# org.gradle.console=verbose
# org.gradle.daemon.idletimeout=3600000
# '';
};
# Home Manager can also manage your environment variables through
# 'home.sessionVariables'. If you don't want to manage your shell through Home
# Manager then you have to manually source 'hm-session-vars.sh' located at
# either
#
# ~/.nix-profile/etc/profile.d/hm-session-vars.sh
#
# or
#
# ~/.local/state/nix/profiles/profile/etc/profile.d/hm-session-vars.sh
#
# or
#
# /etc/profiles/per-user/m3tam3re/etc/profile.d/hm-session-vars.sh
#
home.sessionVariables = {
# EDITOR = "emacs";
};
programs.ssh = {
enable = true;
matchBlocks = {
"git.az-gruppe.com" = {
hostname = "152.53.186.119";
user = "sascha.koenig";
port = 2022;
identityFile = "~/.ssh/sascha.koenig";
};
"AZ-CLD-1" = {
hostname = "152.53.186.119";
user = "sascha.koenig";
port = 2022;
identityFile = "~/.ssh/sascha.koenig";
};
};
};
# Let Home Manager install and manage itself.
programs.home-manager.enable = true;
}

140
home/users/sascha.koenig/home.nix
View File

@@ -1,140 +0,0 @@
# This is a default home.nix generated by the follwing hone-manager command
#
# home-manager init ./
{
config,
lib,
pkgs,
...
}: {
# Home Manager needs a bit of information about you and the paths it should
# manage.
home.username = lib.mkDefault "your-name";
home.homeDirectory = lib.mkDefault "/home/${config.home.username}";
# This value determines the Home Manager release that your configuration is
# compatible with. This helps avoid breakage when a new Home Manager release
# introduces backwards incompatible changes.
#
# You should not change this value, even if you update Home Manager. If you do
# want to update the value, then make sure to first check the Home Manager
# release notes.
home.stateVersion = "25.05"; # Please read the comment before changing.
# The home.packages option allows you to install Nix packages into your
# environment.
home.packages = with pkgs; [
gcc
# # Adds the 'hello' command to your environment. It prints a friendly
# # "Hello, world!" when run.
# pkgs.hello
# # It is sometimes useful to fine-tune packages, for example, by applying
# # overrides. You can do that directly here, just don't forget the
# # parentheses. Maybe you want to install Nerd Fonts with a limited number of
# # fonts?
# (pkgs.nerdfonts.override { fonts = [ "FantasqueSansMono" ]; })
# # You can also create simple shell scripts directly inside your
# # configuration. For example, this adds a command 'my-hello' to your
# # environment:
# (pkgs.writeShellScriptBin "my-hello" ''
# echo "Hello, ${config.home.username}!"
# '')
];
programs.git = {
enable = true;
signing.format = null;
settings = {
user = {
name = "sascha.koenig";
email = "sascha.koenig@azintec.com";
};
core.excludesfile = "~/.gitignore_global";
init.defaultBranch = "master";
pull.rebase = false;
alias = {
st = "status";
logd = "log --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit";
};
};
};
programs.difftastic.enable = true;
programs.jujutsu = {
enable = true;
settings = {
user = {
email = "sascha.koenig@azintec.com";
name = "Sascha Koenig";
};
};
};
# Home Manager is pretty good at managing dotfiles. The primary way to manage
# plain files is through 'home.file'.
home.file = {
# # Building this configuration will create a copy of 'dotfiles/screenrc' in
# # the Nix store. Activating the configuration will then make '~/.screenrc' a
# # symlink to the Nix store copy.
# ".screenrc".source = dotfiles/screenrc;
# # You can also set the file content immediately.
# ".gradle/gradle.properties".text = ''
# org.gradle.console=verbose
# org.gradle.daemon.idletimeout=3600000
# '';
};
# Home Manager can also manage your environment variables through
# 'home.sessionVariables'. If you don't want to manage your shell through Home
# Manager then you have to manually source 'hm-session-vars.sh' located at
# either
#
# ~/.nix-profile/etc/profile.d/hm-session-vars.sh
#
# or
#
# ~/.local/state/nix/profiles/profile/etc/profile.d/hm-session-vars.sh
#
# or
#
# /etc/profiles/per-user/m3tam3re/etc/profile.d/hm-session-vars.sh
#
home.sessionVariables = {
# EDITOR = "emacs";
};
programs.ssh = {
enable = true;
enableDefaultConfig = false;
matchBlocks = {
"git.az-gruppe.com" = {
hostname = "152.53.186.119";
user = "sascha.koenig";
port = 2022;
identityFile = "~/.ssh/sascha.koenig";
};
"code.m3ta.dev" = {
hostname = "code.m3ta.dev";
user = "m3tam3re";
identityFile = "~/.ssh/sascha.koenig";
};
"AZ-CLD-1" = {
hostname = "152.53.186.119";
user = "sascha.koenig";
port = 2022;
identityFile = "~/.ssh/sascha.koenig";
};
"AZ-PRM-1" = {
hostname = "192.168.152.76";
user = "sascha.koenig";
port = 2022;
identityFile = "~/.ssh/sascha.koenig";
};
};
};
# Let Home Manager install and manage itself.
programs.home-manager.enable = true;
}

136
hosts/AZ-CLD-1/configuration.nix
View File

@@ -1,136 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{
config,
lib,
pkgs,
...
}: {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
./disko-config.nix
];
boot.loader.grub = {
efiSupport = true;
efiInstallAsRemovable = true;
};
swapDevices = [
{
device = "/var/lib/swapfile";
size = 16 * 1024;
}
];
networking.hostName = "AZ-CLD-1"; # Define your hostname.
# Pick only one of the below networking options.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
# Set your time zone.
time.timeZone = "Europe/Berlin";
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Select internationalisation properties.
i18n.defaultLocale = "de_DE.UTF-8";
# console = {
# font = "Lat2-Terminus16";
# keyMap = "us";
# useXkbConfig = true; # use xkb.options in tty.
# };
# Enable the X11 windowing system.
# services.xserver.enable = true;
# Configure keymap in X11
# services.xserver.xkb.layout = "us";
# services.xserver.xkb.options = "eurosign:e,caps:escape";
# Enable CUPS to print documents.
# services.printing.enable = true;
# Enable sound.
# services.pulseaudio.enable = true;
# OR
# services.pipewire = {
# enable = true;
# pulse.enable = true;
# };
# Enable touchpad support (enabled default in most desktopManager).
# services.libinput.enable = true;
# Define a user account. Don't forget to set a password with passwd.
# users.users.alice = {
# isNormalUser = true;
# extraGroups = [ "wheel" ]; # Enable sudo for the user.
# packages = with pkgs; [
# tree
# ];
# };
# programs.firefox.enable = true;
# List packages installed in system profile.
# You can use https://search.nixos.org/ to find more packages (and options).
environment.systemPackages = with pkgs; [
neovim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
git
];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
# List services that you want to enable:
# Enable the OpenSSH daemon.
services.openssh = {
enable = true;
ports = [2022];
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
};
};
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [587];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# system.copySystemConfiguration = true;
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#
# Most users should NEVER change this value after the initial install, for any reason,
# even if you've upgraded your system to a new NixOS release.
#
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
# to actually do that.
#
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.
#
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
# and migrated your data accordingly.
#
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "25.05"; # Did you read the comment?
}

12
hosts/AZ-CLD-1/default.nix
View File

@@ -1,12 +0,0 @@
{
imports = [
../common
./configuration.nix
./secrets.nix
./services
];
extraServices = {
podman.enable = true;
};
}

39
hosts/AZ-CLD-1/disko-config.nix
View File

@@ -1,39 +0,0 @@
{
disko.devices = {
disk = {
main = {
type = "disk";
device = "/dev/vda"; # CHANGE ME
content = {
type = "gpt";
partitions = {
boot = {
size = "1M";
type = "EF02"; # for GRUB MBR
priority = 1;
};
esp = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = ["defaults" "umask=0077"];
};
};
root = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
mountOptions = ["noatime" "nodiratime" "discard"];
};
};
};
};
};
};
};
}

28
hosts/AZ-CLD-1/hardware-configuration.nix
View File

@@ -1,28 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

81
hosts/AZ-CLD-1/secrets.nix
View File

@@ -1,81 +0,0 @@
{
age = {
secrets = {
traefik-env = {
file = ../../secrets/traefik-env.age;
};
baserow-env = {
file = ../../secrets/baserow-env.age;
};
librechat = {
file = ../../secrets/librechat.age;
};
librechat-env = {
file = ../../secrets/librechat-env.age;
};
librechat-env-dev = {
file = ../../secrets/librechat-env-dev.age;
};
librechat-env-prod = {
file = ../../secrets/librechat-env-prod.age;
};
litellm-env = {
file = ../../secrets/litellm-env.age;
};
metabase-env = {
file = ../../secrets/metabase-env.age;
};
n8n-env = {
file = ../../secrets/n8n-env.age;
};
netbird-auth-secret = {
file = ../../secrets/netbird-auth-secret.age;
};
netbird-db-password = {
file = ../../secrets/netbird-db-password.age;
};
netbird-encryption-key = {
file = ../../secrets/netbird-encryption-key.age;
};
netbird-dashboard-env = {
file = ../../secrets/netbird-dashboard-env.age;
};
netbird-server-env = {
file = ../../secrets/netbird-server-env.age;
};
netbird-proxy-env = {
file = ../../secrets/netbird-proxy-env.age;
};
outline-env = {
file = ../../secrets/outline-env.age;
owner = "outline";
};
pgadmin-pw = {
file = ../../secrets/pgadmin-pw.age;
owner = "pgadmin";
};
vaultwarden-env = {
file = ../../secrets/vaultwarden-env.age;
};
hetzner-s3-az-intern-secret-key = {
file = ../../secrets/hetzner-s3-az-intern-secret-key.age;
owner = "outline";
};
hetzner-s3-az-intern-access-key = {
file = ../../secrets/hetzner-s3-az-intern-access-key.age;
};
zammad-pw = {
file = ../../secrets/zammad-pw.age;
};
zammad-secret = {
file = ../../secrets/zammad-secret.age;
};
zammad-hr-env-prod = {
file = ../../secrets/zammad-hr-env-prod.age;
};
zammad-hr-env = {
file = ../../secrets/zammad-hr-env.age;
};
};
};
}

75
hosts/AZ-CLD-1/services/containers/baserow.nix
View File

@@ -1,75 +0,0 @@
{
config,
lib,
...
}: let
serviceName = "baserow";
portUtils = import ../../../../lib/port-utils.nix {inherit lib;};
servicePort = portUtils.getPort serviceName "AZ-CLD-1";
in {
virtualisation.oci-containers.containers.${serviceName} = {
image = "docker.io/baserow/baserow:2.1.6";
environment = {
BASEROW_AMOUNT_OF_GUNICORN_WORKERS = "4";
BASEROW_AMOUNT_OF_WORKERS = "2";
DATABASE_CONN_MAX_AGE = "60";
# Proxy: tell Django the connection is HTTPS so cookies get Secure flag
BASEROW_ENABLE_SECURE_PROXY_SSL_HEADER = "yes";
# Published apps run on different origins — allow cross-origin cookie delivery
BASEROW_FRONTEND_SAME_SITE_COOKIE = "none";
# Valid base domain for published app subdomains
BASEROW_BUILDER_DOMAINS = "az-gruppe.com";
# Disable Caddy's on_demand TLS — Traefik handles TLS termination
BASEROW_CADDY_GLOBAL_CONF = "auto_https off";
};
environmentFiles = [config.age.secrets.baserow-env.path];
ports = ["127.0.0.1:${toString servicePort}:80"];
volumes = ["baserow_data:/baserow/data"];
extraOptions = ["--add-host=postgres:10.89.0.1" "--ip=10.89.0.10" "--network=web"];
};
# Traefik configuration
services.traefik.dynamicConfigOptions.http = {
services.${serviceName}.loadBalancer.servers = [
{
url = "http://localhost:${toString servicePort}/";
}
];
middlewares."${serviceName}-headers".headers = {
customRequestHeaders = {
X-Forwarded-Proto = "https";
X-Forwarded-Port = "443";
};
};
routers.${serviceName} = {
rule = "Host(`br.az-gruppe.com`)";
tls = {
certResolver = "ionos";
};
service = serviceName;
entrypoints = "websecure";
middlewares = ["${serviceName}-headers"];
};
routers.azubi = {
rule = "Host(`azubi.az-gruppe.com`)";
tls = {
certResolver = "ionos";
};
service = serviceName;
entrypoints = "websecure";
middlewares = ["${serviceName}-headers"];
};
routers.ausbilder = {
rule = "Host(`ausbilder.az-gruppe.com`)";
tls = {
certResolver = "ionos";
};
service = serviceName;
entrypoints = "websecure";
middlewares = ["${serviceName}-headers"];
};
};
}

20
hosts/AZ-CLD-1/services/containers/default.nix
View File

@@ -1,20 +0,0 @@
{lib, ...}: {
imports = [
./baserow.nix
./it-tools.nix
./librechat.nix
./litellm.nix
./librechat-dev.nix
./netbird.nix
./portainer.nix
./zammad-hr.nix
];
system.activationScripts.createPodmanNetworkWeb = lib.mkAfter ''
if ! /run/current-system/sw/bin/podman network exists web; then
/run/current-system/sw/bin/podman network create web --subnet=10.89.0.0/24 --internal
fi
if ! /run/current-system/sw/bin/podman network exists web-dev; then
/run/current-system/sw/bin/podman network create web-dev --subnet=10.89.1.0/24 --internal
fi
'';
}

28
hosts/AZ-CLD-1/services/containers/it-tools.nix
View File

@@ -1,28 +0,0 @@
{lib, ...}: let
serviceName = "it-tools";
portUtils = import ../../../../lib/port-utils.nix {inherit lib;};
servicePort = portUtils.getPort serviceName "AZ-CLD-1";
in {
virtualisation.oci-containers.containers.${serviceName} = {
image = "docker.io/sharevb/it-tools:latest";
ports = ["127.0.0.1:${toString servicePort}:8080"];
};
# Traefik configuration
services.traefik.dynamicConfigOptions.http = {
services.${serviceName}.loadBalancer.servers = [
{
url = "http://localhost:${toString servicePort}/";
}
];
routers.${serviceName} = {
rule = "Host(`tools.az-gruppe.com`)";
tls = {
certResolver = "ionos";
};
service = serviceName;
entrypoints = "websecure";
};
};
}

134
hosts/AZ-CLD-1/services/containers/librechat-dev.nix
View File

@@ -1,134 +0,0 @@
{
config,
lib,
pkgs,
...
}: let
serviceName = "librechat-dev";
portUtils = import ../../../../lib/port-utils.nix {inherit lib;};
servicePort = portUtils.getPort serviceName "AZ-CLD-1";
ragApiDevPort = portUtils.getPort "rag-api-dev" "AZ-CLD-1";
envFileDev = config.age.secrets.librechat-env-dev.path;
envFileCommon = config.age.secrets.librechat.path;
in {
virtualisation.oci-containers = {
containers.meilisearch-dev = {
image = "getmeili/meilisearch:v1.12.3";
autoStart = false;
volumes = ["librechat_dev_meili:/meili_data"];
environment = {
MEILI_HTTP_ADDR = "0.0.0.0:7700";
MEILI_NO_ANALYTICS = "true";
};
environmentFiles = [envFileDev envFileCommon];
extraOptions = ["--ip=10.89.1.20" "--network=web-dev"];
};
containers.rag_api-dev = {
image = "ghcr.io/danny-avila/librechat-rag-api-dev-lite:latest";
autoStart = false;
environment = {
RAG_PORT = "8000";
DB_HOST = "10.89.1.1";
DB_PORT = "5432";
};
environmentFiles = [envFileDev envFileCommon];
dependsOn = ["meilisearch-dev"];
extraOptions = ["--add-host=postgres:10.89.1.1" "--ip=10.89.1.21" "--network=web-dev"];
ports = ["127.0.0.1:${toString ragApiDevPort}:8000"];
};
containers.mongodb-dev = {
image = "mongo:7";
autoStart = false;
volumes = [
"librechat_dev_mongo:/data/db"
"/var/backup/mongodb-dev:/data/backups"
];
extraOptions = ["--ip=10.89.1.22" "--network=web-dev"];
};
containers.${serviceName} = {
image = "ghcr.io/danny-avila/librechat-dev-api:latest";
autoStart = false;
ports = ["127.0.0.1:${toString servicePort}:3080"];
dependsOn = ["mongodb-dev" "rag_api-dev" "meilisearch-dev"];
environment = {
HOST = "0.0.0.0";
NODE_ENV = "development";
MONGO_URI = "mongodb://mongodb-dev:27017/LibreChatDev";
MEILI_HOST = "http://meilisearch-dev:7700";
RAG_PORT = "8000";
RAG_API_URL = "http://rag_api-dev:8000";
};
environmentFiles = [envFileDev envFileCommon];
volumes = [
"/var/lib/librechat-dev/librechat.yaml:/app/librechat.yaml:ro"
"librechat_dev_images:/app/client/public/images"
"librechat_dev_uploads:/app/uploads"
"librechat_dev_logs:/app/api/logs"
];
extraOptions = ["--ip=10.89.1.23" "--network=web-dev"];
};
};
# Traefik configuration
services.traefik.dynamicConfigOptions.http = {
services.${serviceName}.loadBalancer.servers = [
{
url = "http://localhost:${toString servicePort}/";
}
];
routers.${serviceName} = {
rule = "Host(`chat-dev.az-gruppe.com`)";
tls = {
certResolver = "ionos";
};
service = serviceName;
entrypoints = "websecure";
};
};
environment.systemPackages = [
(pkgs.writeShellScriptBin "librechat-dev" ''
#!/usr/bin/env bash
set -e
SERVICES=(
podman-meilisearch-dev
podman-mongodb-dev
podman-rag_api-dev
podman-librechat-dev
)
case "$1" in
up)
echo "🚀 Starte LibreChat-Dev-Umgebung..."
for svc in "''${SERVICES[@]}"; do
sudo systemctl start "$svc"
done
;;
down)
echo "🛑 Stoppe LibreChat-Dev-Umgebung..."
for svc in "''${SERVICES[@]}"; do
sudo systemctl stop "$svc"
done
;;
restart)
echo "🔄 Neustart der LibreChat-Dev-Umgebung..."
for svc in "''${SERVICES[@]}"; do
sudo systemctl restart "$svc"
done
;;
status)
systemctl status "''${SERVICES[@]}"
;;
*)
echo "Usage: librechat-dev {up|down|restart|status}"
exit 1
;;
esac
'')
];
}

170
hosts/AZ-CLD-1/services/containers/librechat.nix
View File

@@ -1,170 +0,0 @@
{
config,
lib,
pkgs,
...
}: let
serviceName = "librechat";
portUtils = import ../../../../lib/port-utils.nix {inherit lib;};
servicePort = portUtils.getPort serviceName "AZ-CLD-1";
ragApiPort = portUtils.getPort "rag-api" "AZ-CLD-1";
envFileProd = config.age.secrets.librechat-env-prod.path;
envFileCommon = config.age.secrets.librechat.path;
in {
virtualisation.oci-containers = {
containers.meilisearch = {
image = "getmeili/meilisearch:v1.35.1";
autoStart = true;
volumes = ["librechat_meili:/meili_data"];
environment = {
MEILI_HTTP_ADDR = "0.0.0.0:7700";
MEILI_NO_ANALYTICS = "true";
};
environmentFiles = [envFileCommon envFileProd];
extraOptions = ["--ip=10.89.0.20" "--network=web"];
};
containers.rag_api = {
image = "registry.librechat.ai/danny-avila/librechat-rag-api-dev-lite:latest";
autoStart = true;
environment = {
RAG_PORT = "8000";
DB_HOST = "10.89.0.1";
DB_PORT = "5432";
};
environmentFiles = [envFileCommon envFileProd];
dependsOn = ["meilisearch"];
extraOptions = ["--add-host=postgres:10.89.0.1" "--ip=10.89.0.21" "--network=web"];
ports = ["127.0.0.1:${toString ragApiPort}:8000"];
};
containers.mongodb = {
image = "mongo:8.0.17";
autoStart = true;
volumes = [
"librechat_mongo:/data/db"
"/var/backup/mongodb:/data/backups"
];
# Enable auth once users exist; see Mongo auth doc.
# command = [ "mongod", "--auth" ];
extraOptions = ["--ip=10.89.0.22" "--network=web"];
};
containers.${serviceName} = {
image = "registry.librechat.ai/danny-avila/librechat-dev:latest";
autoStart = true;
user = "1000:1000";
ports = ["127.0.0.1:${toString servicePort}:3080"];
dependsOn = ["mongodb" "rag_api" "meilisearch"];
environment = {
HOST = "0.0.0.0";
NODE_ENV = "production";
# Mongo URI (start without auth; switch to mongodb://user:pass@mongodb:27017/LibreChat after Step 4)
MONGO_URI = "mongodb://mongodb:27017/LibreChat";
MEILI_HOST = "http://meilisearch:7700";
RAG_PORT = "8000";
RAG_API_URL = "http://rag_api:8000";
};
environmentFiles = [envFileCommon envFileProd];
volumes = [
# Config file still needs to be a bind mount for host management
"/var/lib/librechat/librechat.yaml:/app/librechat.yaml:ro"
# Use named volumes for application data
"librechat_images:/app/client/public/images"
"librechat_uploads:/app/uploads"
"librechat_logs:/app/api/logs"
];
extraOptions = ["--ip=10.89.0.23" "--network=web" "--dns=8.8.8.8" "--dns=8.8.4.4"];
};
};
systemd.services."mongo-backup" = {
serviceConfig = {
Type = "oneshot";
User = "root";
Group = "root";
};
script = ''
set -euo pipefail
BACKUP_DIR="/var/backup/mongodb"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
TEMP_BACKUP="mongodb_backup_$TIMESTAMP"
ARCHIVE_NAME="mongodb_backup_$TIMESTAMP.tar.gz"
# Ensure backup directory exists with proper permissions
mkdir -p "$BACKUP_DIR"
chown root:root "$BACKUP_DIR"
chmod 750 "$BACKUP_DIR"
echo "Starting MongoDB backup at $(date)"
# Create the backup dump in container
if ${pkgs.podman}/bin/podman exec mongodb mongodump --out "/data/backups/$TEMP_BACKUP"; then
echo "MongoDB dump completed successfully"
# Create compressed archive from the backup
cd "$BACKUP_DIR"
if [ -d "$TEMP_BACKUP" ]; then
echo "Creating compressed archive: $ARCHIVE_NAME"
${pkgs.gnutar}/bin/tar --use-compress-program=${pkgs.gzip}/bin/gzip -cf "$ARCHIVE_NAME" -C . "$TEMP_BACKUP"
# Remove the uncompressed backup directory
rm -rf "$TEMP_BACKUP"
# Verify archive was created
if [ -f "$ARCHIVE_NAME" ]; then
ARCHIVE_SIZE=$(${pkgs.coreutils}/bin/du -sh "$ARCHIVE_NAME" | cut -f1)
echo "Compressed backup created: $ARCHIVE_NAME (Size: $ARCHIVE_SIZE)"
# Keep only the 2 most recent backup archives
ls -1t mongodb_backup_*.tar.gz | tail -n +3 | xargs -r rm -f
echo "Old backup archives cleaned up, keeping 2 most recent"
# List current backups
echo "Current backups:"
ls -lah mongodb_backup_*.tar.gz 2>/dev/null || echo "No previous backups found"
else
echo "ERROR: Failed to create compressed archive" >&2
exit 1
fi
else
echo "ERROR: Backup directory not found at $BACKUP_DIR/$TEMP_BACKUP" >&2
exit 1
fi
else
echo "ERROR: MongoDB backup failed" >&2
exit 1
fi
echo "MongoDB backup completed successfully at $(date)"
'';
};
systemd.timers."mongo-backup" = {
wantedBy = ["timers.target"];
timerConfig = {
OnCalendar = "*-*-* 02:00:00";
RandomizedDelaySec = "30m";
Persistent = true;
};
};
# Traefik configuration
services.traefik.dynamicConfigOptions.http = {
services.${serviceName}.loadBalancer.servers = [
{
url = "http://localhost:${toString servicePort}/";
}
];
routers.${serviceName} = {
rule = "Host(`chat.az-gruppe.com`)";
tls = {
certResolver = "ionos";
};
service = serviceName;
entrypoints = "websecure";
};
};
}

42
hosts/AZ-CLD-1/services/containers/litellm.nix
View File

@@ -1,42 +0,0 @@
{
config,
lib,
...
}: let
serviceName = "litellm";
portUtils = import ../../../../lib/port-utils.nix {inherit lib;};
servicePort = portUtils.getPort serviceName "AZ-CLD-1";
in {
virtualisation.oci-containers.containers.${serviceName} = {
#image = "ghcr.io/berriai/litellm:v1.78.5-stable";
image = "docker.litellm.ai/berriai/litellm:v1.82.3-stable";
ports = ["127.0.0.1:${toString servicePort}:4000"];
environmentFiles = [config.age.secrets.litellm-env.path];
environment = {
ANONYMIZED_TELEMETRY = "False";
DO_NOT_TRACK = "True";
SCARF_NO_ANALYTICS = "True";
STORE_MODEL_IN_DB = "True";
};
volumes = ["/var/lib/litellm/config.yaml:/app/config.yaml"];
extraOptions = ["--add-host=postgres:10.89.0.1" "--ip=10.89.0.30" "--network=web"];
};
# Traefik configuration
services.traefik.dynamicConfigOptions.http = {
services.${serviceName}.loadBalancer.servers = [
{
url = "http://localhost:${toString servicePort}/";
}
];
routers.${serviceName} = {
rule = "Host(`llm.az-gruppe.com`)";
tls = {
certResolver = "ionos";
};
service = serviceName;
entrypoints = "websecure";
};
};
}

245
hosts/AZ-CLD-1/services/containers/netbird.nix
View File

@@ -1,245 +0,0 @@
{
config,
lib,
pkgs,
...
}: let
serviceName = "netbird";
portUtils = import ../../../../lib/port-utils.nix {inherit lib;};
servicePort = portUtils.getPort serviceName "AZ-CLD-1";
domain = "v.az-gruppe.com";
proxyDomain = "p.az-gruppe.com";
ipBase = "10.89.0";
ipOffset = 50;
# Derived IPs
gatewayIp = "${ipBase}.1";
dashboardIp = "${ipBase}.${toString ipOffset}";
serverIp = "${ipBase}.${toString (ipOffset + 1)}";
proxyIp = "${ipBase}.${toString (ipOffset + 2)}";
# Database configuration
dbName = "netbird";
dbUser = "netbird";
dbHost = gatewayIp;
# NetBird config as Nix attribute set
netbirdConfig = {
server = {
listenAddress = ":80";
exposedAddress = "https://${domain}:443";
stunPorts = [3478];
metricsPort = 9090;
healthcheckAddress = ":9000";
logLevel = "info";
logFile = "console";
dataDir = "/var/lib/netbird";
auth = {
issuer = "https://${domain}/oauth2";
localAuthDisabled = true;
signKeyRefreshEnabled = true;
dashboardRedirectURIs = [
"https://${domain}/nb-auth"
"https://${domain}/nb-silent-auth"
];
cliRedirectURIs = ["http://localhost:53000/"];
};
reverseProxy = {
trustedHTTPProxies = ["${gatewayIp}/32"];
};
# Proxy Feature
proxy = {
enabled = true;
domain = proxyDomain;
};
store = {
engine = "postgres";
postgres = {
host = dbHost;
port = 5432;
database = dbName;
username = dbUser;
};
};
};
};
# Generate YAML config
yamlFormat = pkgs.formats.yaml {};
configYamlBase = yamlFormat.generate "netbird-config-base.yaml" netbirdConfig;
# Script to inject secrets at runtime
configGenScript = pkgs.writeShellScript "netbird-gen-config" ''
set -euo pipefail
AUTH_SECRET=$(cat "$1")
DB_PASSWORD=$(cat "$2")
ENCRYPTION_KEY=$(cat "$3")
${pkgs.yq-go}/bin/yq eval "
.server.authSecret = \"$AUTH_SECRET\" |
.server.store.encryptionKey = \"$ENCRYPTION_KEY\" |
.server.store.postgres.password = \"$DB_PASSWORD\"
" ${configYamlBase}
'';
in {
age.secrets."${serviceName}-auth-secret".file = ../../../../secrets/${serviceName}-auth-secret.age;
age.secrets."${serviceName}-db-password".file = ../../../../secrets/${serviceName}-db-password.age;
age.secrets."${serviceName}-encryption-key".file = ../../../../secrets/${serviceName}-encryption-key.age;
age.secrets."${serviceName}-dashboard-env".file = ../../../../secrets/${serviceName}-dashboard-env.age;
age.secrets."${serviceName}-server-env".file = ../../../../secrets/${serviceName}-server-env.age;
age.secrets."${serviceName}-proxy-env".file = ../../../../secrets/${serviceName}-proxy-env.age;
# Systemd oneshot service to generate config with secrets
systemd.services."${serviceName}-config" = {
description = "Generate NetBird config with secrets";
wantedBy = ["multi-user.target"];
before = ["podman-${serviceName}-server.service"];
requiredBy = ["podman-${serviceName}-server.service"];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = pkgs.writeShellScript "netbird-write-config" ''
mkdir -p /var/lib/${serviceName}
${configGenScript} \
${config.age.secrets."${serviceName}-auth-secret".path} \
${config.age.secrets."${serviceName}-db-password".path} \
${config.age.secrets."${serviceName}-encryption-key".path} \
> /var/lib/${serviceName}/config.yaml
chmod 600 /var/lib/${serviceName}/config.yaml
'';
};
};
virtualisation.oci-containers.containers = {
"${serviceName}-dashboard" = {
image = "netbirdio/dashboard:latest";
autoStart = true;
ports = ["127.0.0.1:${toString servicePort}:80"];
environmentFiles = [config.age.secrets."${serviceName}-dashboard-env".path];
extraOptions = [
"--ip=${dashboardIp}"
"--network=web"
];
};
"${serviceName}-server" = {
image = "netbirdio/netbird-server:latest";
autoStart = true;
ports = ["3478:3478/udp"];
environmentFiles = [config.age.secrets."${serviceName}-server-env".path];
volumes = [
"${serviceName}_data:/var/lib/netbird"
"/var/lib/${serviceName}/config.yaml:/etc/netbird/config.yaml:ro"
];
cmd = ["--config" "/etc/netbird/config.yaml"];
extraOptions = [
"--ip=${serverIp}"
"--network=web"
];
};
"${serviceName}-proxy" = {
image = "netbirdio/reverse-proxy:latest";
autoStart = true;
ports = ["51820:51820/udp"];
volumes = [
"${serviceName}_proxy_certs:/certs"
];
environmentFiles = [config.age.secrets."${serviceName}-proxy-env".path];
cmd = [
"--domain=${proxyDomain}"
"--mgmt=https://${domain}:443"
"--addr=:8443"
"--cert-dir=/certs"
"--acme-certs"
"--trusted-proxies=${gatewayIp}/32"
];
dependsOn = ["${serviceName}-server"];
extraOptions = [
"--ip=${proxyIp}"
"--network=web"
];
};
};
services.traefik.dynamicConfigOptions = {
# HTTP services and routers
http = {
services = {
"${serviceName}-dashboard".loadBalancer.servers = [
{url = "http://localhost:${toString servicePort}/";}
];
"${serviceName}-server".loadBalancer.servers = [
{url = "http://${serverIp}:80/";}
];
"${serviceName}-server-h2c".loadBalancer.servers = [
{url = "h2c://${serverIp}:80";}
];
};
routers = {
# gRPC (Signal + Management)
"${serviceName}-grpc" = {
rule = "Host(`${domain}`) && (PathPrefix(`/signalexchange.SignalExchange/`) || PathPrefix(`/management.ManagementService/`) || PathPrefix(`/management.ProxyService/`))";
entrypoints = "websecure";
tls.certResolver = "ionos";
service = "${serviceName}-server-h2c";
priority = 100;
};
# Backend (relay, WebSocket, API, OAuth2)
"${serviceName}-backend" = {
rule = "Host(`${domain}`) && (PathPrefix(`/relay`) || PathPrefix(`/ws-proxy/`) || PathPrefix(`/api`) || PathPrefix(`/oauth2`))";
entrypoints = "websecure";
tls.certResolver = "ionos";
service = "${serviceName}-server";
priority = 100;
};
# Dashboard (catch-all, lowest priority)
"${serviceName}-dashboard" = {
rule = "Host(`${domain}`)";
entrypoints = "websecure";
tls.certResolver = "ionos";
service = "${serviceName}-dashboard";
priority = 1;
};
};
};
# TCP for proxy TLS passthrough
tcp = {
services."${serviceName}-proxy-tls".loadBalancer.servers = [
{address = "${proxyIp}:8443";}
];
routers."${serviceName}-proxy-passthrough" = {
entryPoints = ["websecure"];
rule = "HostSNI(`*`)";
service = "${serviceName}-proxy-tls";
priority = 1;
tls.passthrough = true;
};
};
# ServersTransport for proxy protocol v2 (optional)
serversTransports."pp-v2" = {
proxyProtocol.version = 2;
};
};
networking.firewall.allowedUDPPorts = [
3478 # STUN
51820 # WireGuard for proxy
];
}

33
hosts/AZ-CLD-1/services/containers/portainer.nix
View File

@@ -1,33 +0,0 @@
{lib, ...}: let
serviceName = "portainer";
portUtils = import ../../../../lib/port-utils.nix {inherit lib;};
servicePort = portUtils.getPort serviceName "AZ-CLD-1";
in {
virtualisation.oci-containers.containers.${serviceName} = {
image = "docker.io/portainer/portainer-ce:latest";
ports = ["127.0.0.1:${toString servicePort}:9000"];
volumes = [
"/etc/localtime:/etc/localtime:ro"
"/run/podman/podman.sock:/var/run/docker.sock:ro"
"portainer_data:/data"
];
};
# Traefik configuration
services.traefik.dynamicConfigOptions.http = {
services.${serviceName}.loadBalancer.servers = [
{
url = "http://localhost:${toString servicePort}/";
}
];
routers.${serviceName} = {
rule = "Host(`pt.az-gruppe.com`)";
tls = {
certResolver = "ionos";
};
service = serviceName;
entrypoints = "websecure";
};
};
}

297
hosts/AZ-CLD-1/services/containers/zammad-hr.nix
View File

@@ -1,297 +0,0 @@
{
config,
lib,
pkgs,
...
}: let
instanceName = "hr";
serviceName = "zammad-${instanceName}";
portUtils = import ../../../../lib/port-utils.nix {inherit lib;};
servicePort = portUtils.getPort serviceName "AZ-CLD-1";
elasticsearchPort = portUtils.getPort "${serviceName}-elasticsearch" "AZ-CLD-1";
envFileProd = config.age.secrets."${serviceName}-env-prod".path;
envFileCommon = config.age.secrets."${serviceName}-env".path;
zammadVersion = "6.5.2-22";
zammadImage = "ghcr.io/zammad/zammad:${zammadVersion}";
ipBase = "10.89.0";
ipOffset = 40;
# Domain-Konfiguration
zammadDomain = "hr-ticket.az-gruppe.com";
sharedEnvironment = {
MEMCACHE_SERVERS = "zammad-memcached:11211";
POSTGRESQL_DB = "zammad_${instanceName}";
POSTGRESQL_HOST = "10.89.0.1";
POSTGRESQL_USER = "zammad_${instanceName}";
POSTGRESQL_PORT = "5432";
POSTGRESQL_OPTIONS = "?pool=50";
REDIS_URL = "redis://zammad-redis:6379";
TZ = "Europe/Berlin";
BACKUP_DIR = "/var/tmp/zammad";
BACKUP_TIME = "03:00";
HOLD_DAYS = "10";
ELASTICSEARCH_ENABLED = "true";
ELASTICSEARCH_HOST = "zammad-elasticsearch";
ELASTICSEARCH_PORT = "9200";
ELASTICSEARCH_NAMESPACE = "zammad_${instanceName}";
NGINX_PORT = "8080";
# CSRF & Reverse Proxy Settings
NGINX_SERVER_SCHEME = "https";
NGINX_SERVER_NAME = zammadDomain;
ZAMMAD_HTTP_TYPE = "https";
ZAMMAD_FQDN = zammadDomain;
RAILS_TRUSTED_PROXIES = "['127.0.0.1', '::1', '10.89.0.0/24']";
};
in {
virtualisation.oci-containers = {
containers."${serviceName}-elasticsearch" = {
image = "elasticsearch:8.19.6";
autoStart = true;
volumes = ["${serviceName}_elasticsearch:/usr/share/elasticsearch/data"];
environment = {
"discovery.type" = "single-node";
"xpack.security.enabled" = "false";
ES_JAVA_OPTS = "-Xms1g -Xmx1g";
};
extraOptions = [
"--ip=${ipBase}.${toString ipOffset}"
"--network=web"
"--network-alias=zammad-elasticsearch"
];
ports = ["127.0.0.1:${toString elasticsearchPort}:9200"];
};
containers."${serviceName}-memcached" = {
image = "memcached:1.6.39-alpine";
autoStart = true;
cmd = ["memcached" "-m" "256M"];
extraOptions = [
"--ip=${ipBase}.${toString (ipOffset + 1)}"
"--network=web"
"--network-alias=zammad-memcached"
];
};
containers."${serviceName}-redis" = {
image = "redis:7.4.6-alpine";
autoStart = true;
volumes = ["${serviceName}_redis:/data"];
extraOptions = [
"--ip=${ipBase}.${toString (ipOffset + 2)}"
"--network=web"
"--network-alias=zammad-redis"
];
};
containers."${serviceName}-railsserver" = {
image = zammadImage;
autoStart = true;
cmd = ["zammad-railsserver"];
environment = sharedEnvironment;
environmentFiles = [envFileCommon envFileProd];
volumes = ["${serviceName}_storage:/opt/zammad/storage"];
dependsOn = ["${serviceName}-memcached" "${serviceName}-redis" "${serviceName}-elasticsearch"];
extraOptions = [
"--ip=${ipBase}.${toString (ipOffset + 4)}"
"--network=web"
"--add-host=postgres:10.89.0.1"
"--network-alias=zammad-railsserver"
];
};
containers."${serviceName}-scheduler" = {
image = zammadImage;
autoStart = true;
cmd = ["zammad-scheduler"];
environment = sharedEnvironment;
environmentFiles = [envFileCommon envFileProd];
volumes = ["${serviceName}_storage:/opt/zammad/storage"];
dependsOn = ["${serviceName}-memcached" "${serviceName}-redis"];
extraOptions = [
"--ip=${ipBase}.${toString (ipOffset + 5)}"
"--network=web"
"--add-host=postgres:10.89.0.1"
];
};
containers."${serviceName}-websocket" = {
image = zammadImage;
autoStart = true;
cmd = ["zammad-websocket"];
environment = sharedEnvironment;
environmentFiles = [envFileCommon envFileProd];
volumes = ["${serviceName}_storage:/opt/zammad/storage"];
dependsOn = ["${serviceName}-memcached" "${serviceName}-redis"];
extraOptions = [
"--ip=${ipBase}.${toString (ipOffset + 6)}"
"--network=web"
"--add-host=postgres:10.89.0.1"
"--network-alias=zammad-websocket"
];
};
containers."${serviceName}-nginx" = {
image = zammadImage;
autoStart = true;
cmd = ["zammad-nginx"];
environment = sharedEnvironment;
environmentFiles = [envFileCommon envFileProd];
volumes = ["${serviceName}_storage:/opt/zammad/storage"];
dependsOn = ["${serviceName}-railsserver"];
ports = ["127.0.0.1:${toString servicePort}:8080"];
extraOptions = [
"--ip=${ipBase}.${toString (ipOffset + 7)}"
"--network=web"
"--add-host=postgres:10.89.0.1"
];
};
containers."${serviceName}-backup" = {
image = zammadImage;
autoStart = true;
cmd = ["zammad-backup"];
environment = sharedEnvironment;
environmentFiles = [envFileCommon envFileProd];
volumes = [
"${serviceName}_storage:/opt/zammad/storage:ro"
"/var/backup/${serviceName}:/var/tmp/zammad:rw"
];
dependsOn = ["${serviceName}-memcached" "${serviceName}-redis"];
extraOptions = [
"--ip=${ipBase}.${toString (ipOffset + 8)}"
"--network=web"
"--add-host=postgres:10.89.0.1"
"--user=0:0"
];
};
};
# Init als oneshot systemd-Service
systemd.services."${serviceName}-init" = {
description = "Zammad ${instanceName} Database Initialization";
after = [
"podman-${serviceName}-memcached.service"
"podman-${serviceName}-redis.service"
"podman-${serviceName}-elasticsearch.service"
];
requires = [
"podman-${serviceName}-memcached.service"
"podman-${serviceName}-redis.service"
];
wantedBy = [];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
User = "root";
Group = "root";
};
script = ''
set -euo pipefail
echo "Starting Zammad ${instanceName} database initialization..."
${pkgs.podman}/bin/podman run --rm \
--name ${serviceName}-init-oneshot \
--network web \
--ip ${ipBase}.${toString (ipOffset + 3)} \
--add-host=postgres:10.89.0.1 \
--user 0:0 \
--env-file ${envFileCommon} \
--env-file ${envFileProd} \
--env MEMCACHE_SERVERS=zammad-memcached:11211 \
--env POSTGRESQL_DB=zammad_${instanceName} \
--env POSTGRESQL_HOST=10.89.0.1 \
--env POSTGRESQL_USER=zammad_${instanceName} \
--env POSTGRESQL_PORT=5432 \
--env POSTGRESQL_OPTIONS='?pool=50' \
--env REDIS_URL=redis://zammad-redis:6379 \
--env TZ=Europe/Berlin \
--env ELASTICSEARCH_ENABLED=true \
--env ELASTICSEARCH_HOST=zammad-elasticsearch \
--env ELASTICSEARCH_PORT=9200 \
--env ELASTICSEARCH_NAMESPACE=zammad_${instanceName} \
--env NGINX_SERVER_SCHEME=https \
--env NGINX_SERVER_NAME=${zammadDomain} \
--env ZAMMAD_HTTP_TYPE=https \
--env ZAMMAD_FQDN=${zammadDomain} \
-v ${serviceName}_storage:/opt/zammad/storage \
${zammadImage} \
zammad-init
echo "Zammad ${instanceName} initialization completed successfully"
'';
};
# Backup retention service
systemd.services."${serviceName}-backup-cleanup" = {
serviceConfig = {
Type = "oneshot";
User = "root";
Group = "root";
};
script = ''
set -euo pipefail
BACKUP_DIR="/var/backup/${serviceName}"
HOLD_DAYS=10
echo "Starting ${serviceName} backup cleanup at $(date)"
mkdir -p "$BACKUP_DIR"
chown root:root "$BACKUP_DIR"
chmod 750 "$BACKUP_DIR"
${pkgs.findutils}/bin/find "$BACKUP_DIR" -type f -name "*.gz" -mtime +$HOLD_DAYS -delete
echo "Current backups:"
ls -lah "$BACKUP_DIR" || echo "No backups found"
echo "${serviceName} backup cleanup completed at $(date)"
'';
};
systemd.timers."${serviceName}-backup-cleanup" = {
wantedBy = ["timers.target"];
timerConfig = {
OnCalendar = "*-*-* 04:00:00";
RandomizedDelaySec = "30m";
Persistent = true;
};
};
# Traefik configuration with proper headers
services.traefik.dynamicConfigOptions.http = {
services.${serviceName}.loadBalancer.servers = [
{
url = "http://localhost:${toString servicePort}/";
}
];
middlewares."${serviceName}-headers".headers = {
customRequestHeaders = {
X-Forwarded-Proto = "https";
X-Forwarded-Port = "443";
X-Forwarded-Host = zammadDomain;
X-Real-IP = "";
};
};
routers.${serviceName} = {
rule = "Host(`${zammadDomain}`)";
tls = {
certResolver = "ionos";
};
service = serviceName;
entrypoints = "websecure";
middlewares = ["${serviceName}-headers"];
};
};
}

18
hosts/AZ-CLD-1/services/default.nix
View File

@@ -1,18 +0,0 @@
{
imports = [
./containers
./gitea.nix
./gotenberg.nix
./metabase.nix
./n8n.nix
./netbird.nix
./ntfy.nix
./outline.nix
./postgres.nix
./traefik.nix
./vaultwarden.nix
./zugferd.nix
# ./zammad.nix
];
}

42
hosts/AZ-CLD-1/services/gitea.nix
View File

@@ -1,42 +0,0 @@
{lib, ...}: let
serviceName = "gitea";
portUtils = import ../../../lib/port-utils.nix {inherit lib;};
servicePort = portUtils.getPort serviceName "AZ-CLD-1";
in {
services.${serviceName} = {
enable = true;
settings = {
server = {
ROOT_URL = "https://git.az-gruppe.com";
HTTP_PORT = servicePort;
};
mailer.SENDMAIL_PATH = "/run/wrappers/bin/sendmail";
service.DISABLE_REGISTRATION = true;
};
lfs.enable = true;
dump = {
enable = true;
type = "tar.gz";
interval = "03:30:00";
backupDir = "/var/backup/gitea";
};
};
# Traefik configuration
services.traefik.dynamicConfigOptions.http = {
services.${serviceName}.loadBalancer.servers = [
{
url = "http://localhost:${toString servicePort}/";
}
];
routers.${serviceName} = {
rule = "Host(`git.az-gruppe.com`)";
tls = {
certResolver = "ionos";
};
service = serviceName;
entrypoints = "websecure";
};
};
}

11
hosts/AZ-CLD-1/services/gotenberg.nix
View File

@@ -1,11 +0,0 @@
{lib, ...}: let
serviceName = "gotenberg";
portUtils = import ../../../lib/port-utils.nix {inherit lib;};
servicePort = portUtils.getPort serviceName "AZ-CLD-1";
in {
services.gotenberg = {
enable = true;
port = servicePort;
bindIP = "127.0.0.1";
};
}

36
hosts/AZ-CLD-1/services/metabase.nix
View File

@@ -1,36 +0,0 @@
{
config,
lib,
...
}: let
serviceName = "metabase";
portUtils = import ../../../lib/port-utils.nix {inherit lib;};
servicePort = portUtils.getPort serviceName "AZ-CLD-1";
in {
services.${serviceName} = {
enable = true;
listen.port = servicePort;
};
systemd.services.${serviceName}.serviceConfig = {
EnvironmentFile = config.age.secrets.metabase-env.path;
};
# Traefik configuration
services.traefik.dynamicConfigOptions.http = {
services.${serviceName}.loadBalancer.servers = [
{
url = "http://localhost:${toString servicePort}/";
}
];
routers.${serviceName} = {
rule = "Host(`kpi.az-gruppe.com`)";
tls = {
certResolver = "ionos";
};
service = serviceName;
entrypoints = "websecure";
};
};
}

36
hosts/AZ-CLD-1/services/n8n.nix
View File

@@ -1,36 +0,0 @@
{
config,
lib,
...
}: let
serviceName = "n8n";
portUtils = import ../../../lib/port-utils.nix {inherit lib;};
servicePort = portUtils.getPort serviceName "AZ-CLD-1";
in {
services.${serviceName} = {
enable = true;
environment.WEBHOOK_URL = "https://wf.az-gruppe.com";
};
systemd.services.${serviceName}.serviceConfig = {
EnvironmentFile = config.age.secrets.n8n-env.path;
};
# Traefik configuration
services.traefik.dynamicConfigOptions.http = {
services.${serviceName}.loadBalancer.servers = [
{
url = "http://localhost:${toString servicePort}/";
}
];
routers.${serviceName} = {
rule = "Host(`wf.az-gruppe.com`)";
tls = {
certResolver = "ionos";
};
service = serviceName;
entrypoints = "websecure";
};
};
}

31
hosts/AZ-CLD-1/services/netbird.nix
View File

@@ -1,31 +0,0 @@
{pkgs, ...}: {
services.netbird = {
enable = true;
package = pkgs.unstable.netbird;
};
systemd.services.netbird = {
environment = {
NB_DISABLE_SSH_CONFIG = "true";
};
path = [
pkgs.shadow
pkgs.util-linux
];
};
programs.ssh.extraConfig = ''
Match exec "${pkgs.netbird}/bin/netbird ssh detect %h %p"
PreferredAuthentications password,publickey,keyboard-interactive
PasswordAuthentication yes
PubkeyAuthentication yes
BatchMode no
ProxyCommand ${pkgs.netbird}/bin/netbird ssh proxy %h %p
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
CheckHostIP no
LogLevel ERROR
'';
networking.firewall.checkReversePath = "loose";
}

37
hosts/AZ-CLD-1/services/ntfy.nix
View File

@@ -1,37 +0,0 @@
{
config,
lib,
...
}: let
serviceName = "ntfy-sh";
portUtils = import ../../../lib/port-utils.nix {inherit lib;};
servicePort = portUtils.getPort "ntfy-sh" "AZ-CLD-1";
in {
services.${serviceName} = {
enable = true;
settings = {
base-url = "https://ping.az-gruppe.com";
listen-http = ":${toString servicePort}";
auth-file = "/var/lib/ntfy-sh/user.db";
auth-default-access = "deny-all";
};
};
# Traefik configuration
services.traefik.dynamicConfigOptions.http = {
services.${serviceName}.loadBalancer.servers = [
{
url = "http://localhost:${toString servicePort}/";
}
];
routers.${serviceName} = {
rule = "Host(`ping.az-gruppe.com`)";
tls = {
certResolver = "ionos";
};
service = serviceName;
entrypoints = "websecure";
};
};
}

46
hosts/AZ-CLD-1/services/outline.nix
View File

@@ -1,46 +0,0 @@
{
config,
lib,
...
}: let
serviceName = "outline";
portUtils = import ../../../lib/port-utils.nix {inherit lib;};
servicePort = portUtils.getPort serviceName "AZ-CLD-1";
in {
services.${serviceName} = {
enable = true;
port = servicePort;
publicUrl = "https://wiki.az-gruppe.com";
databaseUrl = "postgresql://outline:outline@127.0.0.1:5432/outline";
storage = {
storageType = "s3";
region = "eu-central";
uploadBucketUrl = "https://nbg1.your-objectstorage.com";
uploadBucketName = "az-wiki";
secretKeyFile = config.age.secrets.hetzner-s3-az-intern-secret-key.path;
accessKey = "CRT7V4HR5CG9NHICD2WW";
};
};
systemd.services.${serviceName}.serviceConfig = {
EnvironmentFile = config.age.secrets.outline-env.path;
};
# Traefik configuration
services.traefik.dynamicConfigOptions.http = {
services.${serviceName}.loadBalancer.servers = [
{
url = "http://localhost:${toString servicePort}/";
}
];
routers.${serviceName} = {
rule = "Host(`wiki.az-gruppe.com`)";
tls = {
certResolver = "ionos";
};
service = serviceName;
entrypoints = "websecure";
};
};
}

179
hosts/AZ-CLD-1/services/postgres.nix
View File

@@ -1,179 +0,0 @@
{
config,
pkgs,
...
}: {
services.postgresql = {
enable = true;
enableTCPIP = true;
package = pkgs.postgresql_17;
settings = {
ssl = true;
max_connections = 200;
shared_buffers = "4GB";
superuser_reserved_connections = 5;
idle_in_transaction_session_timeout = "10min";
idle_session_timeout = "2h";
tcp_keepalives_idle = 60;
tcp_keepalives_interval = 10;
tcp_keepalives_count = 6;
deadlock_timeout = "1s";
authentication_timeout = "30s";
log_connections = true;
log_disconnections = true;
log_lock_waits = true;
};
extensions = with pkgs.postgresql17Packages; [
pgvector
];
initialScript = pkgs.writeText "backend-initScript" ''
CREATE USER baserow WITH ENCRYPTED PASSWORD 'baserow';
CREATE DATABASE baserow;
ALTER DATABASE baserow OWNER to baserow;
ALTER DATABASE baserow CONNECTION LIMIT 60;
CREATE USER kestra WITH ENCRYPTED PASSWORD 'kestra';
CREATE DATABASE kestra;
ALTER DATABASE kestra OWNER to kestra;
ALTER DATABASE kestra CONNECTION LIMIT 10;
CREATE USER librechat_rag WITH ENCRYPTED PASSWORD 'librechat_rag';
CREATE DATABASE librechat_rag;
ALTER DATABASE librechat_rag OWNER to librechat_rag;
ALTER DATABASE librechat_rag CONNECTION LIMIT 20;
CREATE USER librechat_rag_dev WITH ENCRYPTED PASSWORD 'librechat_rag_dev';
CREATE DATABASE librechat_rag_dev;
ALTER DATABASE librechat_rag_dev OWNER to librechat_rag_dev;
ALTER DATABASE librechat_rag_dev CONNECTION LIMIT 10;
CREATE USER metabase WITH ENCRYPTED PASSWORD 'metabase';
CREATE DATABASE metabase;
ALTER DATABASE metabase OWNER to metabase;
ALTER DATABASE metabase CONNECTION LIMIT 15;
CREATE USER n8n WITH ENCRYPTED PASSWORD 'n8n';
CREATE DATABASE n8n;
ALTER DATABASE n8n OWNER to n8n;
ALTER DATABASE n8n CONNECTION LIMIT 5;
CREATE USER outline WITH ENCRYPTED PASSWORD 'outline';
CREATE DATABASE outline;
ALTER DATABASE outline OWNER to outline;
ALTER DATABASE outline CONNECTION LIMIT 5;
CREATE USER vaultwarden WITH ENCRYPTED PASSWORD 'vaultwarden';
CREATE DATABASE vaultwarden;
ALTER DATABASE vaultwarden OWNER to vaultwarden;
ALTER DATABASE vaultwarden CONNECTION LIMIT 20;
CREATE USER zammad-hr WITH ENCRYPTED PASSWORD 'zammad-hr';
CREATE DATABASE zammad-hr;
ALTER DATABASE zammad-hr OWNER to zammad-hr;
ALTER DATABASE zammad-hr CONNECTION LIMIT 50;
-- Group roles (NOLOGIN, for permission management)
CREATE ROLE admin NOLOGIN;
CREATE ROLE dba NOLOGIN;
-- Personal login roles
CREATE USER sascha_koenig WITH ENCRYPTED PASSWORD 'sascha_koenig';
GRANT admin TO sascha_koenig;
CREATE USER jannik_mueller WITH ENCRYPTED PASSWORD 'jannik_mueller';
GRANT admin TO jannik_mueller;
'';
authentication = pkgs.lib.mkOverride 10 ''
# Local connections (Unix socket)
local all postgres peer
local all sascha_koenig scram-sha-256
local all jannik_mueller scram-sha-256
local az_test az_test scram-sha-256
local metabase,az_kpi_raw metabase scram-sha-256
local n8n n8n scram-sha-256
local outline outline scram-sha-256
local vaultwarden vaultwarden scram-sha-256
local zammad zammad scram-sha-256
# Localhost connections (IPv4 and IPv6)
host all postgres 127.0.0.1/32 scram-sha-256
host all postgres ::1/128 scram-sha-256
host all sascha_koenig 127.0.0.1/32 scram-sha-256
host all sascha_koenig ::1/128 scram-sha-256
host all jannik_mueller 127.0.0.1/32 scram-sha-256
host all jannik_mueller ::1/128 scram-sha-256
host az_test az_test 127.0.0.1/32 scram-sha-256
host az_test az_test ::1/128 scram-sha-256
host outline outline 127.0.0.1/32 scram-sha-256
host outline outline ::1/128 scram-sha-256
host metabase,az_kpi_raw metabase 127.0.0.1/32 scram-sha-256
host metabase,az_kpi_raw metabase ::1/128 scram-sha-256
host n8n n8n 127.0.0.1/32 scram-sha-256
host n8n n8n ::1/128 scram-sha-256
host vaultwarden vaultwarden 127.0.0.1/32 scram-sha-256
host vaultwarden vaultwarden ::1/128 scram-sha-256
host zammad zammad 127.0.0.1/32 scram-sha-256
host zammad zammad ::1/128 scram-sha-256
# Podman network connections for Baserow
host baserow baserow 10.89.0.0/24 scram-sha-256
host kestra kestra 10.89.0.0/24 scram-sha-256
host librechat_rag librechat_rag 10.89.0.0/24 scram-sha-256
host librechat_rag_dev librechat_rag_dev 10.89.1.0/24 scram-sha-256
host zammad_hr zammad_hr 10.89.0.0/24 scram-sha-256
host postgres zammad_hr 10.89.0.0/24 scram-sha-256
host litellm litellm 10.89.0.0/24 scram-sha-256
host netbird netbird 10.89.0.0/24 scram-sha-256
# Netbird network connections
host az_kpi_raw kestra_prm 100.91.49.26/32 scram-sha-256
# Deny all other connections
local all all reject
host all all 0.0.0.0/0 reject
host all all ::/0 reject
'';
};
services.postgresqlBackup = {
enable = true;
startAt = "03:10:00";
databases = ["az_kpi_raw" "baserow" "kestra" "librechat_rag" "litellm" "metabase" "n8n" "outline" "vaultwarden" "zammad" "zammad_hr"];
};
services.pgadmin = {
enable = true;
initialPasswordFile = "${config.age.secrets.pgadmin-pw.path}";
initialEmail = "sascha.koenig@azintec.com";
};
# Traefik configuration specific to baserow
services.traefik.dynamicConfigOptions.http = {
services.pgadmin.loadBalancer.servers = [{url = "http://localhost:5050/";}];
routers.pgadmin = {
rule = "Host(`pg.az-gruppe.com`)";
tls.certResolver = "ionos";
service = "pgadmin";
entrypoints = "websecure";
};
};
networking.firewall = {
extraCommands = ''
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 5432 -j ACCEPT
iptables -A INPUT -p tcp -s 10.89.0.0/24 --dport 5432 -j ACCEPT
iptables -A INPUT -p tcp -s 10.89.1.0/24 --dport 5432 -j ACCEPT
iptables -A INPUT -p tcp -s 100.91.49.26/32 --dport 5432 -j ACCEPT
'';
};
}

74
hosts/AZ-CLD-1/services/traefik.nix
View File

@@ -1,74 +0,0 @@
{config, ...}: {
services.traefik = {
enable = true;
staticConfigOptions = {
log = {level = "WARN";};
certificatesResolvers = {
ionos = {
acme = {
email = "sascha.koenig@azintec.com";
storage = "/var/lib/traefik/acme.json";
caserver = "https://acme-v02.api.letsencrypt.org/directory";
dnsChallenge = {
provider = "ionos";
resolvers = ["1.1.1.1:53" "8.8.8.8:53"];
propagation = {
delayBeforeChecks = 60;
disableChecks = true;
};
};
};
};
};
api = {};
entryPoints = {
web = {
address = ":80";
http.redirections.entryPoint = {
to = "websecure";
scheme = "https";
};
};
websecure = {
address = ":443";
};
};
};
dynamicConfigOptions = {
http = {
services = {
dummy = {
loadBalancer.servers = [
{url = "http://192.168.0.1";} # Diese URL wird nie verwendet
];
};
};
middlewares = {
auth = {
basicAuth = {
users = ["sascha.koenig:$apr1$1xqdta2b$DIVNvvp5iTUGNccJjguKh."];
};
};
};
routers = {
api = {
rule = "Host(`r.az-gruppe.com`)";
service = "api@internal";
middlewares = ["auth"];
entrypoints = ["websecure"];
tls = {
certResolver = "ionos";
};
};
};
};
};
};
systemd.services.traefik.serviceConfig = {
EnvironmentFile = ["${config.age.secrets.traefik-env.path}"];
};
networking.firewall.allowedTCPPorts = [80 443];
}

37
hosts/AZ-CLD-1/services/vaultwarden.nix
View File

@@ -1,37 +0,0 @@
{
config,
lib,
...
}: let
serviceName = "vaultwarden";
portUtils = import ../../../lib/port-utils.nix {inherit lib;};
servicePort = portUtils.getPort serviceName "AZ-CLD-1";
in {
services.${serviceName} = {
enable = true;
dbBackend = "postgresql";
config = {
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = servicePort;
};
environmentFile = config.age.secrets.vaultwarden-env.path;
};
# Traefik configuration
services.traefik.dynamicConfigOptions.http = {
services.${serviceName}.loadBalancer.servers = [
{
url = "http://localhost:${toString servicePort}/";
}
];
routers.${serviceName} = {
rule = "Host(`pw.az-gruppe.com`)";
tls = {
certResolver = "ionos";
};
service = serviceName;
entrypoints = "websecure";
};
};
}

40
hosts/AZ-CLD-1/services/zammad.nix
View File

@@ -1,40 +0,0 @@
{
config,
lib,
...
}: let
serviceName = "zammad";
portUtils = import ../../../lib/port-utils.nix {inherit lib;};
servicePort = portUtils.getPort serviceName "AZ-CLD-1";
in {
services.${serviceName} = {
enable = true;
openPorts = false;
port = servicePort;
secretKeyBaseFile = config.age.secrets.zammad-secret.path;
database = {
createLocally = false;
port = 5432;
host = "127.0.0.1";
passwordFile = config.age.secrets.zammad-pw.path;
};
};
# Traefik configuration
services.traefik.dynamicConfigOptions.http = {
services.${serviceName}.loadBalancer.servers = [
{
url = "http://localhost:${toString servicePort}/";
}
];
routers.${serviceName} = {
rule = "Host(`help.az-gruppe.com`)";
tls = {
certResolver = "ionos";
};
service = serviceName;
entrypoints = "websecure";
};
};
}

10
hosts/AZ-CLD-1/services/zugferd.nix
View File

@@ -1,10 +0,0 @@
{lib, ...}: let
serviceName = "zugferd-service";
portUtils = import ../../../lib/port-utils.nix {inherit lib;};
in {
services.${serviceName} = {
enable = true;
port = portUtils.getPort serviceName "AZ-CLD-1";
host = "127.0.0.1";
};
}

41
hosts/AZ-PRM-1/configuration.nix
View File

@@ -1,41 +0,0 @@
{pkgs, ...}: {
imports = [
./hardware-configuration.nix
./disko-config.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "AZ-PRM-1";
networking.networkmanager.enable = true;
time.timeZone = "Europe/Berlin";
i18n.defaultLocale = "de_DE.UTF-8";
environment.systemPackages = with pkgs; [
neovim
git
python3
python3Packages.pysmb
];
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
services.openssh = {
enable = true;
ports = [2022];
settings = {
PermitRootLogin = "no";
PasswordAuthentication = false;
};
};
networking.firewall.allowedTCPPorts = [587];
system.stateVersion = "25.05";
}

11
hosts/AZ-PRM-1/default.nix
View File

@@ -1,11 +0,0 @@
{
imports = [
../common
./configuration.nix
./secrets.nix
./services
];
extraServices = {
podman.enable = true;
};
}

34
hosts/AZ-PRM-1/disko-config.nix
View File

@@ -1,34 +0,0 @@
{
disko.devices = {
disk = {
main = {
type = "disk";
device = "/dev/sda";
content = {
type = "gpt";
partitions = {
esp = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = ["defaults" "umask=0077"];
};
};
root = {
size = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
mountOptions = ["noatime" "nodiratime" "discard"];
};
};
};
};
};
};
};
}

17
hosts/AZ-PRM-1/hardware-configuration.nix
View File

@@ -1,17 +0,0 @@
{
config,
lib,
pkgs,
...
}: {
virtualisation.hypervGuest.enable = true;
boot.initrd.availableKernelModules = ["sd_mod" "sr_mod" "hv_storvsc"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

34
hosts/AZ-PRM-1/secrets.nix
View File

@@ -1,34 +0,0 @@
{
age = {
secrets = {
traefik-env = {
file = ../../secrets/traefik-env.age;
};
kestra-config = {
file = ../../secrets/kestra-config.age;
mode = "644";
};
kestra-env = {file = ../../secrets/kestra-env.age;};
kestra-secrets = {file = ../../secrets/kestra-secrets.age;};
n8n-env = {
file = ../../secrets/n8n-env-prm.age;
};
pgadmin-pw = {
file = ../../secrets/pgadmin-pw.age;
owner = "pgadmin";
};
pg-cert = {
file = ../../secrets/server.crt.age;
owner = "postgres";
group = "postgres";
mode = "0644";
};
pg-key = {
file = ../../secrets/server.key.age;
owner = "postgres";
group = "postgres";
mode = "0600";
};
};
};
}

15
hosts/AZ-PRM-1/services/containers/default.nix
View File

@@ -1,15 +0,0 @@
{lib, ...}: {
imports = [
#./baserow.nix
./kestra.nix
./stirling-pdf.nix
];
system.activationScripts.createPodmanNetworkWeb = lib.mkAfter ''
if ! /run/current-system/sw/bin/podman network exists web; then
/run/current-system/sw/bin/podman network create web --subnet=10.89.0.0/24 --internal
fi
if ! /run/current-system/sw/bin/podman network exists web-dev; then
/run/current-system/sw/bin/podman network create web-dev --subnet=10.89.1.0/24 --internal
fi
'';
}

43
hosts/AZ-PRM-1/services/containers/kestra.nix
View File

@@ -1,43 +0,0 @@
{
config,
lib,
...
}: let
serviceName = "kestra";
portUtils = import ../../../../lib/port-utils.nix {inherit lib;};
servicePort = portUtils.getPort serviceName "AZ-CLD-1";
in {
virtualisation.oci-containers.containers."${serviceName}" = {
image = "docker.io/kestra/kestra:latest";
environmentFiles = [
config.age.secrets.kestra-env.path
config.age.secrets.kestra-secrets.path
];
cmd = ["server" "standalone" "--config" "/etc/config/application.yaml"];
ports = ["127.0.0.1:${toString servicePort}:8080"];
user = "root";
volumes = [
"/var/run/podman/podman.sock:/var/run/docker.sock"
"${config.age.secrets.kestra-config.path}:/etc/config/application.yaml"
"kestra_data:/app/storage"
"/tmp/kestra-wd:/tmp/kestra-wd"
];
extraOptions = ["--add-host=postgres:10.89.0.1" "--ip=10.89.0.12" "--network=web"];
};
systemd.tmpfiles.rules = [
"d /tmp/kestra-wd 0750 1000 1000 - -"
];
# Traefik configuration specific to littlelink
services.traefik.dynamicConfigOptions.http = {
services.kestra.loadBalancer.servers = [{url = "http://localhost:${toString servicePort}/";}];
routers.kestra = {
rule = "Host(`k.l.az-gruppe.com`)";
tls = {certResolver = "ionos";};
service = "kestra";
entrypoints = "websecure";
};
};
}

27
hosts/AZ-PRM-1/services/containers/stirling-pdf.nix
View File

@@ -1,27 +0,0 @@
{...}: {
virtualisation.oci-containers.containers."stirling-pdf" = {
image = "docker.stirlingpdf.com/stirlingtools/stirling-pdf:latest-fat";
ports = ["127.0.0.1:3032:8080"];
environment = {
SECURITY_ENABLELOGIN = "False";
DISABLE_ADDITIONAL_FEATURES = "False";
};
volumes = [
"stirling_pdf_data:/usr/share/tessdata"
"stirling_pdf_configs:/configs"
];
extraOptions = ["--ip=10.89.0.13" "--network=web"];
};
services.traefik.dynamicConfigOptions.http = {
services.stirling-pdf.loadBalancer.servers = [{url = "http://localhost:3032/";}];
routers.stirling-pdf = {
rule = "Host(`pdf.l.az-gruppe.com`)";
tls = {certResolver = "ionos";};
service = "stirling-pdf";
entrypoints = "websecure";
};
};
}

12
hosts/AZ-PRM-1/services/default.nix
View File

@@ -1,12 +0,0 @@
{
imports = [
./containers
./n8n.nix
./netbird.nix
./pgadmin.nix
./postgres.nix
./traefik.nix
./traefik-routing.nix
];
}

29
hosts/AZ-PRM-1/services/n8n.nix
View File

@@ -1,29 +0,0 @@
{config, ...}: {
services.n8n = {
enable = true;
environment = {
WEBHOOK_URL = "https://wf.l.az-gruppe.com";
NODES_EXCLUDE = "[]";
};
};
systemd.services.n8n.serviceConfig = {
EnvironmentFile = ["${config.age.secrets.n8n-env.path}"];
};
# Traefik configuration specific to n8n
services.traefik.dynamicConfigOptions.http = {
services.n8n.loadBalancer.servers = [
{
url = "http://localhost:5678/";
}
];
routers.n8n = {
rule = "Host(`wf.l.az-gruppe.com`)";
tls = {
certResolver = "ionos";
};
service = "n8n";
entrypoints = "websecure";
};
};
}

31
hosts/AZ-PRM-1/services/netbird.nix
View File

@@ -1,31 +0,0 @@
{pkgs, ...}: {
services.netbird = {
enable = true;
package = pkgs.unstable.netbird;
};
systemd.services.netbird = {
environment = {
NB_DISABLE_SSH_CONFIG = "true";
};
path = [
pkgs.shadow
pkgs.util-linux
];
};
programs.ssh.extraConfig = ''
Match exec "${pkgs.netbird}/bin/netbird ssh detect %h %p"
PreferredAuthentications password,publickey,keyboard-interactive
PasswordAuthentication yes
PubkeyAuthentication yes
BatchMode no
ProxyCommand ${pkgs.netbird}/bin/netbird ssh proxy %h %p
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
CheckHostIP no
LogLevel ERROR
'';
networking.firewall.checkReversePath = "loose";
}

18
hosts/AZ-PRM-1/services/pgadmin.nix
View File

@@ -1,18 +0,0 @@
{config, ...}: {
services.pgadmin = {
enable = true;
initialPasswordFile = "${config.age.secrets.pgadmin-pw.path}";
initialEmail = "sascha.koenig@azintec.com";
};
# Traefik configuration specific to baserow
services.traefik.dynamicConfigOptions.http = {
services.pgadmin.loadBalancer.servers = [{url = "http://localhost:5050/";}];
routers.pgadmin = {
rule = "Host(`pg.l.az-gruppe.com`)";
tls.certResolver = "ionos";
service = "pgadmin";
entrypoints = "websecure";
};
};
}

67
hosts/AZ-PRM-1/services/postgres.nix
View File

@@ -1,67 +0,0 @@
{
config,
pkgs,
...
}: {
services.postgresql = {
enable = true;
enableTCPIP = true;
package = pkgs.postgresql_17;
settings = {
ssl = true;
ssl_cert_file = config.age.secrets.pg-cert.path;
ssl_key_file = config.age.secrets.pg-key.path;
};
extensions = with pkgs.postgresql17Packages; [
pgvector
];
initialScript = pkgs.writeText "backend-initScript" ''
CREATE USER baserow WITH ENCRYPTED PASSWORD 'baserow';
CREATE DATABASE baserow;
ALTER DATABASE baserow OWNER to baserow;
CREATE USER kestra WITH ENCRYPTED PASSWORD 'kestra';
CREATE DATABASE kestra;
ALTER DATABASE kestra OWNER to kestra;
CREATE USER n8n WITH ENCRYPTED PASSWORD 'n8n';
CREATE DATABASE n8n;
ALTER DATABASE n8n OWNER to n8n;
CREATE USER vaultwarden WITH ENCRYPTED PASSWORD 'n8n';
CREATE DATABASE vaultwarden;
ALTER DATABASE vaultwarden OWNER to vaultwarden;
'';
authentication = pkgs.lib.mkOverride 10 ''
# Local connections (Unix socket)
local all postgres peer
local n8n n8n scram-sha-256
# Localhost connections (IPv4 and IPv6)
host all postgres 127.0.0.1/32 scram-sha-256
host all postgres ::1/128 scram-sha-256
host n8n n8n 127.0.0.1/32 scram-sha-256
host n8n n8n ::1/128 scram-sha-256
# Podman network connections
host baserow baserow 10.89.0.0/24 scram-sha-256
host kestra kestra 10.89.0.0/24 scram-sha-256
# Deny all other connections
host all all 0.0.0.0/0 reject
host all all ::/0 reject
'';
};
services.postgresqlBackup = {
enable = true;
startAt = "03:10:00";
databases = ["baserow" "kestra" "n8n"];
};
networking.firewall = {
extraCommands = ''
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 5432 -j ACCEPT
iptables -A INPUT -p tcp -s 10.89.0.0/24 --dport 5432 -j ACCEPT
'';
};
}

7
hosts/AZ-PRM-1/services/samba.nix
View File

@@ -1,7 +0,0 @@
{pkgs, ...}: {
services.samba = {
enable = true;
package = pkgs.samba4Full;
openFirewall = true;
};
}

31
hosts/AZ-PRM-1/services/traefik-routing.nix
View File

@@ -1,31 +0,0 @@
{
services.traefik.dynamicConfigOptions.http = {
services.ptrg.loadBalancer.servers = [{url = "http://192.168.152.102:7784/";}];
routers.prtg = {
rule = "Host(`m.l.az-gruppe.com`)";
tls = {certResolver = "ionos";};
service = "ptrg";
entrypoints = "websecure";
};
services.AZHA.loadBalancer.servers = [{url = "http://192.168.152.47:8123/";}];
routers.AZHA = {
rule = "Host(`ha.l.az-gruppe.com`)";
tls = {certResolver = "ionos";};
service = "AZHA";
entrypoints = "websecure";
};
services.AZDESK.loadBalancer.servers = [
{
url = "https://azdesk.az-group.local:443/";
}
];
routers.AZDESK = {
rule = "Host(`it-ticket.l.az-gruppe.com`)";
tls = {certResolver = "ionos";};
service = "AZDESK";
entrypoints = "websecure";
};
};
}

89
hosts/AZ-PRM-1/services/traefik.nix
View File

@@ -1,89 +0,0 @@
{config, ...}: {
services.traefik = {
enable = true;
staticConfigOptions = {
log = {level = "WARN";};
serversTransport.insecureSkipVerify = true;
certificatesResolvers = {
ionos = {
acme = {
email = "sascha.koenig@azintec.com";
storage = "/var/lib/traefik/acme.json";
caserver = "https://acme-v02.api.letsencrypt.org/directory";
dnsChallenge = {
provider = "ionos";
resolvers = ["1.1.1.1:53" "8.8.8.8:53"];
propagation = {
delayBeforeChecks = 60;
disableChecks = true;
};
};
};
};
};
api = {};
entryPoints = {
web = {
address = ":80";
http.redirections.entryPoint = {
to = "websecure";
scheme = "https";
};
};
websecure = {
address = ":443";
http.tls = {
certResolver = "ionos";
domains = [
{
main = "l.az-gruppe.com";
sans = ["*.l.az-gruppe.com"];
}
];
};
};
};
};
dynamicConfigOptions = {
http = {
services = {
dummy = {
loadBalancer.servers = [
{url = "http://192.168.0.1";}
];
};
};
middlewares = {
auth = {
basicAuth = {
users = ["sascha.koenig:$apr1$1xqdta2b$DIVNvvp5iTUGNccJjguKh."];
};
};
};
routers = {
api = {
rule = "Host(`r.l.az-gruppe.com`)";
service = "api@internal";
middlewares = ["auth"];
entrypoints = ["websecure"];
tls = {
certResolver = "ionos";
domains = [
{
main = "l.az-gruppe.com";
sans = ["*.l.az-gruppe.com"];
}
];
};
};
};
};
};
};
systemd.services.traefik.serviceConfig = {
EnvironmentFile = ["${config.age.secrets.traefik-env.path}"];
};
networking.firewall.allowedTCPPorts = [80 443];
}

165
hosts/AZLT124-L/configuration.nix
View File

@@ -1,165 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{
config,
pkgs,
...
}: {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
];
# Bootloader.
boot.loader.systemd-boot.enable = true;
boot.initrd.kernelModules = ["amdgpu" "hid_asus"];
boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelParams = ["pcie_aspm=off" "pcie_port_pm=off"];
boot.extraModprobeConfig = ''
options hid_asus enable_touchpad=1
options mt7925e disable_aspm=1
options mt7925_common disable_clc=1
'';
services.xserver.videoDrivers = ["amdgpu"];
security.polkit.enable = true;
security.pam.services.gdm.enableGnomeKeyring = true;
networking = {
wireless.iwd = {
enable = true;
settings = {
Settings = {
Timers = "DefaultRoamThreshold=30";
};
General = {
AddressRandomization = "network";
};
};
};
networkmanager = {
enable = true;
wifi = {
backend = "iwd";
powersave = false;
};
};
hostName = "AZLT124-L";
};
systemd.services.disable-wifi-powersave = {
description = "Disable WiFi power save";
after = ["network-online.target" "iwd.service"];
wants = ["network-online.target"];
wantedBy = ["multi-user.target"];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = ''
${pkgs.bash}/bin/bash -c 'for i in {1..30}; do \
${pkgs.iw}/bin/iw dev wlan0 set power_save off 2>/dev/null && exit 0; \
sleep 1; \
done; exit 1'
'';
Restart = "on-failure";
RestartSec = "10s";
};
};
# Define your hostname.
# warp-terminal update fix
# networking.extraHosts = ''
# 127.0.0.1 releases.warp.dev
# 127.0.0.1 app.warp.dev
# '';
# Pick only one of the below networking options.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# Set your time zone.
time.timeZone = "Europe/Berlin";
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Select internationalisation properties.
i18n.defaultLocale = "de_DE.UTF-8";
# console = {
# font = "Lat2-Terminus16";
# keyMap = "us";
# useXkbConfig = true; # use xkb.options in tty.
# };
# Enable the X11 windowing system.
# services.xserver.enable = true;
# Enable the GNOME Desktop Environment.
# services.xserver.displayManager.gdm.enable = true;
# services.xserver.desktopManager.gnome.enable = true;
# Configure keymap in X11
# services.xserver.xkb.layout = "us";
# services.xserver.xkb.options = "eurosign:e,caps:escape";
# Enable CUPS to print documents.
# services.printing.enable = true;
# Enable sound.
# hardware.pulseaudio.enable = true;
# OR
# Enable touchpad support (enabled default in most desktopManager).
# services.libinput.enable = true;
# Define a user account. Don't forget to set a password with passwd.
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [asusctl git];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# List services that you want to enable:
# Enable the OpenSSH daemon.
services.openssh = {
enable = true;
settings.PermitRootLogin = "no";
settings = {
PasswordAuthentication = true;
};
};
services.fstrim.enable = true;
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [8080];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# system.copySystemConfiguration = true;
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#
# Most users should NEVER change this value after the initial install, for any reason,
# even if you've upgraded your system to a new NixOS release.
#
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
# to actually do that.
#
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.
#
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
# and migrated your data accordingly.
#
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "25.05"; # Did you read the comment?
}

102
hosts/AZLT124-L/default.nix
View File

@@ -1,102 +0,0 @@
{
inputs,
outputs,
pkgs,
lib,
...
}: {
imports = [
# Import only the parts we need from common, avoiding Home Manager conflicts
../common/extraServices
./configuration.nix
./hardware.nix
./programs.nix
./secrets.nix
./services
# Import unstable Home Manager directly
inputs.home-manager-unstable.nixosModules.home-manager
];
# Create the user directly here
users.users."sascha.koenig" = {
hashedPassword = "$y$j9T$ORX4btVZgs9Xjq2oIvzJm0$lXiPwaa0D6t.eMDIx1UBesEAMOkWXBoGwpeI7X0aS8D";
isNormalUser = true;
shell = pkgs.nushell;
group = "sascha.koenig";
extraGroups = [
"wheel"
"networkmanager"
"libvirtd"
"flatpak"
"plugdev"
"input"
"kvm"
"qemu-libvirtd"
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZbg/Z9mnflXuLahGY8WOSBMqbgeqVIkIwRkquys1Ml sascha.koenig@azintec.com"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC3YEmpYbM+cpmyD10tzNRHEn526Z3LJOzYpWEKdJg8DaYyPbDn9iyVX30Nja2SrW4Wadws0Y8DW+Urs25/wVB6mKl7jgPJVkMi5hfobu3XAz8gwSdjDzRSWJrhjynuaXiTtRYED2INbvjLuxx3X8coNwMw58OuUuw5kNJp5aS2qFmHEYQErQsGT4MNqESe3jvTP27Z5pSneBj45LmGK+RcaSnJe7hG+KRtjuhjI7RdzMeDCX73SfUsal+rHeuEw/mmjYmiIItXhFTDn8ZvVwpBKv7ykgP0jk79ldT3Dv+2Hj0CdAWT2cJAdFX58KQ9jUPT3tBnObSF1lGMI7t77VU= m3tam3re@MBP-Sascha.fritz.box"
];
packages = [inputs.home-manager-unstable.packages.${pkgs.stdenv.hostPlatform.system}.default];
};
users.groups."sascha.koenig" = {};
# Configure Home Manager with unstable
home-manager = {
useUserPackages = true;
extraSpecialArgs = {
inherit inputs outputs;
system = "x86_64-linux";
};
users."sascha.koenig" = import ../../home/users/sascha.koenig/AZLT124-L.nix;
};
# Configure nixpkgs to use unstable
nixpkgs = {
overlays = [
outputs.overlays.additions
outputs.overlays.modifications
# Add stable as an overlay since base is unstable
(final: _prev: {
stable = import inputs.nixpkgs {
system = final.stdenv.hostPlatform.system;
config.allowUnfree = true;
};
})
];
config = {
allowUnfree = true;
};
};
# Copy nix settings from common
nix = {
settings = {
experimental-features = "nix-command flakes";
trusted-users = [
"root"
"sascha.koenig"
];
};
gc = {
automatic = true;
options = "--delete-older-than 30d";
};
optimise.automatic = true;
registry =
(lib.mapAttrs (_: flake: {inherit flake;}))
((lib.filterAttrs (_: lib.isType "flake")) (inputs
// {
# Use unstable nixpkgs in registry
nixpkgs = inputs.nixpkgs-unstable;
}));
nixPath = ["/etc/nix/path"];
};
extraServices = {
flatpak.enable = true;
ollama.enable = true;
podman.enable = true;
virtualisation.enable = true;
};
}

68
hosts/AZLT124-L/hardware-configuration.nix
View File

@@ -1,68 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "thunderbolt" "usbhid" "usb_storage" "sd_mod" "sdhci_pci"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-amd"];
boot.extraModulePackages = [];
fileSystems."/" = {
device = "/dev/disk/by-uuid/9fcbe547-12dc-467d-a0e2-cefeedaf28d9";
fsType = "btrfs";
options = ["subvol=root" "compress=zstd" "noatime" "ssd" "discard=async"];
};
fileSystems."/home" = {
device = "/dev/disk/by-uuid/9fcbe547-12dc-467d-a0e2-cefeedaf28d9";
fsType = "btrfs";
options = ["subvol=home" "compress=zstd" "noatime" "ssd" "discard=async"];
};
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/9fcbe547-12dc-467d-a0e2-cefeedaf28d9";
fsType = "btrfs";
options = ["subvol=nix" "compress=zstd" "noatime" "ssd" "discard=async"];
};
fileSystems."/persist" = {
device = "/dev/disk/by-uuid/9fcbe547-12dc-467d-a0e2-cefeedaf28d9";
fsType = "btrfs";
options = ["subvol=persist" "compress=zstd" "noatime" "ssd" "discard=async"];
};
fileSystems."/var/log" = {
device = "/dev/disk/by-uuid/9fcbe547-12dc-467d-a0e2-cefeedaf28d9";
fsType = "btrfs";
options = ["subvol=log" "compress=zstd" "noatime" "ssd" "discard=async"];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/89EE-C4CE";
fsType = "vfat";
options = ["fmask=0022" "dmask=0022"];
};
swapDevices = [
{device = "/dev/disk/by-uuid/7e78ee33-a051-439a-80aa-635d0ab698e4";}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp194s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

8
hosts/AZLT124-L/hardware.nix
View File

@@ -1,8 +0,0 @@
{
hardware = {
amdgpu.opencl.enable = true;
bluetooth.enable = true;
keyboard.zsa.enable = true;
graphics.enable = true;
};
}

42
hosts/AZLT124-L/programs.nix
View File

@@ -1,42 +0,0 @@
{pkgs, ...}: {
programs.nix-ld.enable = true;
programs.nix-ld.libraries = with pkgs; [
# Add any missing dynamic libraries for unpackaged programs
# here, NOT in environment.systemPackages
];
programs.hyprland = {
enable = true;
xwayland.enable = true;
withUWSM = true;
};
programs.fish.enable = true;
programs.thunar = {
enable = true;
plugins = with pkgs; [thunar-archive-plugin thunar-volman];
};
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
pinentryPackage = pkgs.pinentry-gnome3;
settings = {default-cache-ttl = 10800;};
};
programs.obs-studio = {
enable = true;
enableVirtualCamera = true;
plugins = with pkgs.obs-studio-plugins; [
obs-composite-blur
obs-vaapi
# obs-vertical-canvas
obs-vkcapture
wlrobs
];
};
programs.nh = {
enable = true;
clean.enable = true;
clean.extraArgs = "--keep-since 4d --keep 3";
flake = "/home/m3tam3re/p/nixos/nixos-config";
};
services.netbird.enable = true;
environment.systemPackages = [pkgs.netbird-ui];
}

22
hosts/AZLT124-L/secrets.nix
View File

@@ -1,22 +0,0 @@
{
age = {
secrets = {
outline-key = {
file = ../../secrets/outline-key.age;
owner = "sascha.koenig";
};
ref-key = {
file = ../../secrets/ref-key.age;
owner = "sascha.koenig";
};
exa-key = {
file = ../../secrets/exa-key.age;
owner = "sascha.koenig";
};
kestractl-env = {
file = ../../secrets/kestractl-env.age;
owner = "sascha.koenig";
};
};
};
}

114
hosts/AZLT124-L/services/ad.nix
View File

@@ -1,114 +0,0 @@
{
config,
pkgs,
...
}: {
environment.systemPackages = with pkgs; [
adcli # Helper library and tools for Active Directory client operations
oddjob # Odd Job Daemon
samba4Full # Standard Windows interoperability suite of programs for Linux and Unix
sssd # System Security Services Daemon
krb5 # MIT Kerberos 5
realmd # DBus service for configuring Kerberos and other
];
#
# Security
#
security = {
krb5 = {
enable = true;
settings = {
libdefaults = {
udp_preference_limit = 0;
default_realm = "AZ-GROUP";
};
};
};
pam = {
makeHomeDir.umask = "077";
services.login.makeHomeDir = true;
services.sshd.makeHomeDir = true;
};
sudo = {
extraConfig = ''
%domain\ admins ALL=(ALL:ALL) NOPASSWD: ALL
Defaults:%domain\ admins env_keep+=TERMINFO_DIRS
Defaults:%domain\ admins env_keep+=TERMINFO
'';
# Use extraConfig because of blank space in 'domain admins'.
# Alternatively, you can use the GID.
# extraRules = [
# { groups = [ "domain admins" ];
# commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
# ];
};
};
#
# Services
#
services = {
nscd = {
enable = true;
config = ''
server-user nscd
enable-cache hosts yes
positive-time-to-live hosts 0
negative-time-to-live hosts 0
shared hosts yes
enable-cache passwd no
enable-cache group no
enable-cache netgroup no
enable-cache services no
'';
};
sssd = {
enable = true;
config = ''
[sssd]
domains = az-group
config_file_version = 2
services = nss, pam
[domain/az-group]
override_shell = /run/current-system/sw/bin/zsh
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = AZ-GROUP
realmd_tags = manages-system joined-with-samba
id_provider = ad
fallback_homedir = /home/%u
ad_domain = your_domain_lowercase
use_fully_qualified_names = false
ldap_id_mapping = false
auth_provider = ad
access_provider = ad
chpass_provider = ad
ad_gpo_access_control = permissive
enumerate = true
'';
};
};
#
# Systemd
#
systemd = {
services.realmd = {
description = "Realm Discovery Service";
wantedBy = ["multi-user.target"];
after = ["network.target"];
serviceConfig = {
Type = "dbus";
BusName = "org.freedesktop.realmd";
ExecStart = "${pkgs.realmd}/libexec/realmd";
User = "root";
};
};
};
}

43
hosts/AZLT124-L/services/default.nix
View File

@@ -1,43 +0,0 @@
{pkgs, ...}: {
imports = [
# ./ad.nix
./mem0.nix
./n8n.nix
./netbird.nix
./sound.nix
./udev.nix
];
services = {
espanso = {
enable = true;
package = pkgs.espanso-wayland;
};
hypridle.enable = true;
printing.enable = true;
gvfs.enable = true;
gnome.gnome-keyring.enable = true;
qdrant = {
enable = true;
settings = {
service = {
host = "0.0.0.0";
};
};
};
upower.enable = true;
avahi = {
enable = true;
nssmdns4 = true;
publish = {
addresses = true;
workstation = true;
userServices = true;
};
};
asusd = {
enable = true;
};
desktopManager.gnome.enable = true;
displayManager.gdm.enable = true;
};
}

23
hosts/AZLT124-L/services/mem0.nix
View File

@@ -1,23 +0,0 @@
{
m3ta.mem0 = {
enable = false;
port = 8000;
host = "127.0.0.1";
# LLM Configuration
llm = {
provider = "openai";
apiKeyFile = "/var/lib/mem0/openai-api-key-1"; # Use agenix or sops-nix
};
# Vector Storage Configuration
vectorStore = {
provider = "qdrant"; # or "chroma", "pinecone", etc.
config = {
host = "localhost";
port = 6333;
collection_name = "mem0_alice";
};
};
};
}

20
hosts/AZLT124-L/services/n8n.nix
View File

@@ -1,20 +0,0 @@
{
config,
lib,
...
}: let
serviceName = "n8n";
portUtils = import ../../../lib/port-utils.nix {inherit lib;};
servicePort = portUtils.getPort serviceName "AZLT124-L";
in {
services.${serviceName} = {
enable = true;
openFirewall = true;
};
systemd.services.n8n = {
environment = {
N8N_SECURE_COOKIE = "false";
N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = "false";
};
};
}

28
hosts/AZLT124-L/services/netbird.nix
View File

@@ -1,28 +0,0 @@
{pkgs, ...}: {
services.netbird.enable = true;
systemd.services.netbird = {
environment = {
NB_DISABLE_SSH_CONFIG = "true";
};
path = [
pkgs.shadow
pkgs.util-linux
];
};
programs.ssh.extraConfig = ''
Match exec "${pkgs.netbird}/bin/netbird ssh detect %h %p"
PreferredAuthentications password,publickey,keyboard-interactive
PasswordAuthentication yes
PubkeyAuthentication yes
BatchMode no
ProxyCommand ${pkgs.netbird}/bin/netbird ssh proxy %h %p
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
CheckHostIP no
LogLevel ERROR
'';
networking.firewall.checkReversePath = "loose";
}

11
hosts/AZLT124-L/services/sound.nix
View File

@@ -1,11 +0,0 @@
{
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = false;
wireplumber.enable = true;
};
}

8
hosts/AZLT124-L/services/udev.nix
View File

@@ -1,8 +0,0 @@
{pkgs, ...}: {
services.udev.extraRules = ''
SUBSYSTEM=="usb", MODE="0666"
'';
environment.systemPackages = with pkgs; [
zsa-udev-rules
];
}

71
hosts/common/default.nix
View File

@@ -1,71 +0,0 @@
# Common configuration for all hosts
{
config,
pkgs,
lib,
inputs,
outputs,
system,
...
}: {
imports = [
./extraServices
./users
inputs.home-manager.nixosModules.home-manager
];
home-manager = {
useUserPackages = true;
extraSpecialArgs = {
inherit inputs outputs system;
};
};
nixpkgs = {
# You can add overlays here
overlays = [
# Add overlays your own flake exports (from overlays and pkgs dir):
outputs.overlays.additions
outputs.overlays.modifications
outputs.overlays.unstable-packages
inputs.nur.overlays.default
inputs.m3ta-nixpkgs.overlays.default
(outputs.lib.mkLlmAgentsOverlay system)
# You can also add overlays exported from other flakes:
# neovim-nightly-overlay.overlays.default
# Or define it inline, for example:
# (final: prev: {
# hi = final.hello.overrideAttrs (oldAttrs: {
# patches = [ ./change-hello-to-hi.patch ];
# });
# })
];
# Configure your nixpkgs instance
config = {
# Disable if you don't want unfree packages
allowUnfree = true;
};
};
nix = {
settings = {
experimental-features = "nix-command flakes";
trusted-users = [
"root"
"sascha.koenig"
"jannik.mueller"
]; # Set users that are allowed to use the flake command
};
gc = {
automatic = true;
options = "--delete-older-than 30d";
};
optimise.automatic = true;
registry =
(lib.mapAttrs (_: flake: {inherit flake;}))
((lib.filterAttrs (_: lib.isType "flake")) inputs);
nixPath = ["/etc/nix/path"];
};
}

8
hosts/common/extraServices/default.nix
View File

@@ -1,8 +0,0 @@
{
imports = [
./flatpak.nix
./ollama.nix
./podman.nix
./virtualisation.nix
];
}

23
hosts/common/extraServices/flatpak.nix
View File

@@ -1,23 +0,0 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.extraServices.flatpak;
in {
options.extraServices.flatpak.enable = mkEnableOption "enable flatpak";
config = mkIf cfg.enable {
services.flatpak.enable = true;
xdg.portal = {
# xdg desktop intergration (required for flatpak)
enable = true;
extraPortals = with pkgs; [
xdg-desktop-portal-hyprland
];
config.common.default = "*";
};
};
}

27
hosts/common/extraServices/ollama.nix
View File

@@ -1,27 +0,0 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.extraServices.ollama;
in {
options.extraServices.ollama.enable = mkEnableOption "enable ollama";
config = mkIf cfg.enable {
services.ollama = {
enable = true;
package = pkgs.ollama-vulkan;
host = "[::]";
openFirewall = true;
environmentVariables = {
OLLAMA_HOST = "0.0.0.0";
};
};
nixpkgs.config = {
rocmSupport = config.services.xserver.videoDrivers == ["amdgpu"];
cudaSupport = config.services.xserver.videoDrivers == ["nvidia"];
};
};
}

33
hosts/common/extraServices/podman.nix
View File

@@ -1,33 +0,0 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.extraServices.podman;
in {
options.extraServices.podman.enable = mkEnableOption "enable podman";
config = mkIf cfg.enable {
virtualisation = {
podman = {
enable = true;
dockerCompat = true;
dockerSocket.enable = true;
autoPrune = {
enable = true;
dates = "weekly";
flags = [
"--filter=until=24h"
"--filter=label!=important"
];
};
defaultNetwork.settings.dns_enabled = true;
};
};
environment.systemPackages = with pkgs; [
podman-compose
];
};
}

42
hosts/common/extraServices/virtualisation.nix
View File

@@ -1,42 +0,0 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.extraServices.virtualisation;
in {
options.extraServices.virtualisation.enable = mkEnableOption "enable virtualisation";
config = mkIf cfg.enable {
virtualisation = {
libvirtd = {
enable = true;
qemu = {
package = pkgs.qemu_kvm;
runAsRoot = true;
swtpm.enable = true;
};
};
};
programs.virt-manager.enable = true;
environment = {
systemPackages = [pkgs.qemu];
etc = {
"ovmf/OVMF_CODE.fd" = {
source = "${(pkgs.OVMF.override {
secureBoot = true;
tpmSupport = true;
}).fd}/FV/OVMF_CODE.fd";
};
"ovmf/OVMF_VARS.fd" = {
source = "${(pkgs.OVMF.override {
secureBoot = true;
tpmSupport = true;
}).fd}/FV/OVMF_VARS.fd";
};
};
};
};
}

6
hosts/common/users/default.nix
View File

@@ -1,6 +0,0 @@
{
imports = [
./jannik.mueller.nix
./sascha.koenig.nix
];
}

27
hosts/common/users/jannik.mueller.nix
View File

@@ -1,27 +0,0 @@
{
config,
pkgs,
inputs,
...
}: {
users.users."jannik.mueller" = {
hashedPassword = "$y$j9T$09RgD3AU3PK9Oi6JGLe0V1$i8J2ZOD1h1b6Zpw28ub.kExujoDKHzokeXzkM23Tfd/";
isNormalUser = true;
extraGroups = [
"wheel"
"networkmanager"
"libvirtd"
"flatpak"
"plugdev"
"input"
"kvm"
"qemu-libvirtd"
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPvZazSuIoWoRWhkAqQDMLeurxVUyy1MTllp1wfw1tzq"
];
packages = [inputs.home-manager.packages.${pkgs.stdenv.hostPlatform.system}.default];
};
home-manager.users."jannik.mueller" =
import ../../../home/users/jannik.mueller/${config.networking.hostName}.nix;
}

29
hosts/common/users/sascha.koenig.nix
View File

@@ -1,29 +0,0 @@
{
config,
pkgs,
inputs,
...
}: {
users.users."sascha.koenig" = {
hashedPassword = "$y$j9T$ORX4btVZgs9Xjq2oIvzJm0$lXiPwaa0D6t.eMDIx1UBesEAMOkWXBoGwpeI7X0aS8D";
isNormalUser = true;
shell = pkgs.nushell;
extraGroups = [
"wheel"
"networkmanager"
"libvirtd"
"flatpak"
"plugdev"
"input"
"kvm"
"qemu-libvirtd"
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZbg/Z9mnflXuLahGY8WOSBMqbgeqVIkIwRkquys1Ml sascha.koenig@azintec.com"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC3YEmpYbM+cpmyD10tzNRHEn526Z3LJOzYpWEKdJg8DaYyPbDn9iyVX30Nja2SrW4Wadws0Y8DW+Urs25/wVB6mKl7jgPJVkMi5hfobu3XAz8gwSdjDzRSWJrhjynuaXiTtRYED2INbvjLuxx3X8coNwMw58OuUuw5kNJp5aS2qFmHEYQErQsGT4MNqESe3jvTP27Z5pSneBj45LmGK+RcaSnJe7hG+KRtjuhjI7RdzMeDCX73SfUsal+rHeuEw/mmjYmiIItXhFTDn8ZvVwpBKv7xsJG90DkaX2vaTk0wgJdMnpVIuIRBa4EkmMWOQ3bMLGkLQeK/4FUkNcvQ/4+zcZsg4cY9Q7Fj55DD41hAUdF6SYODtn5qMPsTCnJz44glHt/oseKXMSd556NIw2HOvihbJW7Rwl4OEjGaO/dF4nUw4c9tHWmMn9dLslAVpUuZOb7ykgP0jk79ldT3Dv+2Hj0CdAWT2cJAdFX58KQ9jUPT3tBnObSF1lGMI7t77VU= m3tam3re@MBP-Sascha.fritz.box"
];
packages = [inputs.home-manager.packages.${pkgs.stdenv.hostPlatform.system}.default];
};
home-manager.users."sascha.koenig" =
import ../../../home/users/sascha.koenig/${config.networking.hostName}.nix;
}

11
lib/port-utils.nix
View File

@@ -1,11 +0,0 @@
{lib}: let
ports = import ./ports.nix;
in {
# Get port for a service, with optional host-specific override
getPort = service: host:
ports.hostPorts.${host}.${service} or ports.ports.${service};
# Get all ports for a specific host
getHostPorts = host:
lib.mapAttrs (_: port: port) (ports.ports // (ports.hostPorts.${host} or {}));
}

54
lib/ports.nix
View File

@@ -1,54 +0,0 @@
{
ports = {
# Infrastructure
traefik = {
http = 80;
https = 443;
};
# Core services (3000-3099 range)
gitea = 3030;
outline = 3031;
vaultwarden = 3032;
baserow = 3050;
zammad = 3034;
metabase = 3013;
ntfy-sh = 3033;
it-tools = 3035;
zammad-hr = 3036;
netbird = 3038;
zammad-hr-elasticsearch = 3037;
# Docker services (3100-3199 range)
librechat = 3040;
librechat-dev = 3141;
rag-api = 8000;
rag-api-dev = 8100;
litellm = 4000;
# Workflow/automation (5000-5999 range)
n8n = 5678;
kestra = 5080;
zugferd-service = 5060;
gotenberg = 5070;
# Management tools (9000-9999 range)
portainer = 9000;
};
# Host-specific port allocations
hostPorts = {
AZ-CLD-1 = {
# Development environment gets higher port ranges
baserow = 3050;
librechat-dev = 3141;
rag-api-dev = 8100;
};
AZ-PRM-1 = {
# Production gets clean base ports
baserow = 3051; # Changed to avoid conflict
kestra = 5080; # Changed to avoid conflict
};
};
}

26
overlays/default.nix
View File

@@ -1,37 +1,13 @@
{inputs, ...}: {
# This one brings our custom packages from the 'pkgs' directory
additions = final: prev:
(import ../pkgs {pkgs = final;})
// {
zugferd-service = inputs.zugferd-service.packages.${prev.stdenv.hostPlatform.system}.default;
};
additions = final: prev: (import ../pkgs {pkgs = final;});
# This one contains whatever you want to overlay
# You can change versions, add patches, set compilation flags, anything really.
# https://nixos.wiki/wiki/Overlays
modifications = final: prev: {
# n8n = import ./mods/n8n.nix {inherit prev;};
vivaldi = prev.vivaldi.override {
commandLineArgs = "--enable-features=UseOzonePlatform --ozone-platform=wayland";
};
# example = prev.example.overrideAttrs (oldAttrs: rec {
# ...
# });
};
stable-packages = final: _prev: {
stable = import inputs.nixpkgs {
system = final.stdenv.hostPlatform.system;
config.allowUnfree = true;
};
};
unstable-packages = final: _prev: {
unstable = import inputs.nixpkgs-unstable {
system = final.stdenv.hostPlatform.system;
config.allowUnfree = true;
};
};
# Flatten llm-agents packages into top-level pkgs namespace.
mkLlmAgentsOverlay = system: _final: _prev:
inputs.llm-agents.packages.${system} or {};
}

56
pkgs/aider-chat-env/default.nix
View File

@@ -1,56 +0,0 @@
{
lib,
stdenv,
python3,
zlib,
libffi,
makeWrapper,
}: let
pythonEnv = python3.withPackages (ps:
with ps; [
pip
virtualenv
]);
in
stdenv.mkDerivation rec {
pname = "aider-chat-env";
version = "0.1.0";
src = ./.;
nativeBuildInputs = [makeWrapper];
buildInputs = [pythonEnv zlib libffi];
installPhase = ''
mkdir -p $out/bin
cat > $out/bin/aider-chat-env <<EOF
#!/bin/sh
VENV_DIR="\$HOME/.aider-chat-venv"
if [ ! -d "\$VENV_DIR" ]; then
echo "Creating new virtual environment in \$VENV_DIR..."
${pythonEnv}/bin/python -m venv "\$VENV_DIR"
source "\$VENV_DIR/bin/activate"
# Upgrade pip first
python -m pip install --no-cache-dir --upgrade pip
# Install aider-chat
python -m pip install --no-cache-dir aider-chat
else
source "\$VENV_DIR/bin/activate"
fi
exec "\$SHELL"
EOF
chmod +x $out/bin/aider-chat-env
'';
postFixup = ''
wrapProgram $out/bin/aider-chat-env \
--prefix PATH : ${lib.makeBinPath buildInputs} \
--prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [stdenv.cc.cc.lib zlib libffi]}
'';
meta = with lib; {
description = "Python environment with aider-chat";
license = licenses.mit;
platforms = platforms.all;
};
}

36
pkgs/code2prompt/default.nix
View File

@@ -1,36 +0,0 @@
{
lib,
fetchFromGitHub,
rustPlatform,
pkg-config,
perl,
openssl,
}:
rustPlatform.buildRustPackage rec {
pname = "code2prompt";
version = "3.0.2";
src = fetchFromGitHub {
owner = "mufeedvh";
repo = "code2prompt";
rev = "v${version}";
hash = "sha256-9YbsrbExRFbsEz2GifklmUGp3YlsEUOi25+P5vPK8fs=";
};
cargoLock = {
lockFile = src + "/Cargo.lock";
};
buildAndTestSubdir = "crates/code2prompt";
nativeBuildInputs = [pkg-config perl];
buildInputs = [openssl];
meta = {
description = "A CLI tool that converts your codebase into a single LLM prompt with a source tree, prompt templating, and token counting";
homepage = "https://github.com/mufeedvh/code2prompt";
license = lib.licenses.mit;
mainProgram = "code2prompt";
};
}

8
pkgs/default.nix
View File

@@ -1,11 +1,3 @@
{pkgs, ...}: {
# Define your custom packages here
hyprpaper-random = pkgs.callPackage ./hyprpaper-random {};
launch-webapp = pkgs.callPackage ./launch-webapp {};
msty = pkgs.callPackage ./msty {};
msty-sidecar = pkgs.callPackage ./msty-sidecar {};
zellij-ps = pkgs.callPackage ./zellij-ps {};
aider-chat-env = pkgs.callPackage ./aider-chat-env {};
code2prompt = pkgs.callPackage ./code2prompt {};
# pomodoro-timer = pkgs.callPackage ./pomodoro-timer {};
}

72
pkgs/hyprpaper-random/default.nix
View File

@@ -1,72 +0,0 @@
{
lib,
stdenv,
writeShellScriptBin,
fd,
hyprland,
coreutils,
gawk,
}: let
script = writeShellScriptBin "hyprpaper-random" ''
#!/usr/bin/env bash
set -euo pipefail
# Directory (override with WALLPAPER_DIR)
DIR="''${WALLPAPER_DIR:-''${XDG_CONFIG_HOME:-$HOME/.config}/hypr/wallpapers}"
HYPRCTL="${hyprland}/bin/hyprctl"
FD="${fd}/bin/fd"
SHUF="${coreutils}/bin/shuf"
TR="${coreutils}/bin/tr"
AWK="${gawk}/bin/awk"
# Pick one random image (null-safe)
WALLPAPER="$(
"$FD" . "$DIR" -t f -e jpg -e jpeg -e png -e webp -e avif -0 --follow --hidden \
| "$SHUF" -z -n1 \
| "$TR" -d '\0'
)"
if [[ -z "''${WALLPAPER:-}" ]]; then
echo "No wallpapers found in: $DIR" >&2
exit 1
fi
# Preload so hyprpaper can use it
"$HYPRCTL" hyprpaper preload "$WALLPAPER" >/dev/null 2>&1 || true
# Apply to all monitors
"$HYPRCTL" monitors \
| "$AWK" '/^Monitor /{print $2}' \
| while IFS= read -r mon; do
[ -n "$mon" ] && "$HYPRCTL" hyprpaper wallpaper "$mon,$WALLPAPER"
done
exit 0
'';
in
stdenv.mkDerivation {
pname = "hyprpaper-random";
version = "0.1.1";
dontUnpack = true;
buildInputs = [
fd
hyprland
coreutils
gawk
];
installPhase = ''
mkdir -p "$out/bin"
ln -s ${script}/bin/hyprpaper-random "$out/bin/hyprpaper-random"
'';
meta = with lib; {
description = "Minimal random wallpaper setter for Hyprpaper";
license = licenses.mit;
platforms = platforms.linux;
mainProgram = "hyprpaper-random";
};
}

41
pkgs/launch-webapp/default.nix
View File

@@ -1,41 +0,0 @@
{
lib,
stdenv,
writeShellScriptBin,
}: let
launcher = writeShellScriptBin "launch-webapp" ''
#!/usr/bin/env bash
browser=$(xdg-settings get default-web-browser)
case "$browser" in
google-chrome*) browser_bin="google-chrome" ;;
brave-browser*) browser_bin="brave-browser" ;;
microsoft-edge*) browser_bin="microsoft-edge" ;;
opera*) browser_bin="opera" ;;
vivaldi*) browser_bin="vivaldi" ;;
*) browser_bin="chromium" ;;
esac
exec_cmd="/etc/profiles/per-user/$USER/bin/$browser_bin"
exec setsid uwsm app -- "$exec_cmd" --app="$1" ''${@:2}
'';
in
stdenv.mkDerivation {
pname = "launch-webapp";
version = "0.1.0";
dontUnpack = true;
installPhase = ''
mkdir -p $out/bin
ln -s ${launcher}/bin/launch-webapp $out/bin/launch-webapp
'';
meta = with lib; {
description = "Launches a web app using your default browser in app mode.";
license = licenses.mit;
platforms = platforms.linux;
maintainers = [];
};
}

38
pkgs/msty-sidecar/default.nix
View File

@@ -1,38 +0,0 @@
{
appimageTools,
fetchurl,
nodejs,
nodePackages,
uv,
python3,
makeWrapper,
}: let
pname = "msty-sidecar";
version = "0.4.0";
src = fetchurl {
url = "https://sidecar-assets.msty.studio/prod/latest/linux/amd64/MstySidecar_x86_64_amd64.AppImage";
sha256 = "sha256-UhsokCG0NPqn5nhn//AaIuY6sWlZkejNlqMEyN4Opqg=";
};
appimageContents = appimageTools.extractType2 {inherit pname version src;};
in
appimageTools.wrapType2 {
inherit pname version src;
nativeBuildInputs = [makeWrapper];
extraPkgs = pkgs: [
nodejs
nodePackages.npm
uv
python3
];
extraInstallCommands = ''
install -m 444 -D ${appimageContents}/mstysidecar.desktop -t $out/share/applications
substituteInPlace $out/share/applications/mstysidecar.desktop \
--replace 'Exec=AppRun' 'Exec=${pname}'
install -m 444 -D ${appimageContents}/mstysidecar.png \
$out/share/icons/hicolor/256x256/apps/mstysidecar.png
wrapProgram $out/bin/${pname} \
--prefix PATH : ${nodejs}/bin:${nodePackages.npm}/bin:${uv}/bin:${python3}/bin
'';
}

28
pkgs/msty/default.nix
View File

@@ -1,28 +0,0 @@
{
appimageTools,
fetchurl,
makeWrapper,
}: let
pname = "msty";
version = "1.9.2";
src = fetchurl {
url = "https://assets.msty.app/prod/latest/linux/amd64/Msty_x86_64_amd64.AppImage";
sha256 = "sha256-Z4t0EcV9X4g5X0lBwipiMdP8lgPuBkhykAIKjHSUpnI=";
};
appimageContents = appimageTools.extractType2 {inherit pname version src;};
in
appimageTools.wrapType2 {
inherit pname version src;
nativeBuildInputs = [makeWrapper];
extraInstallCommands = ''
install -m 444 -D ${appimageContents}/msty.desktop -t $out/share/applications
substituteInPlace $out/share/applications/msty.desktop \
--replace 'Exec=AppRun' 'Exec=${pname}'
install -m 444 -D ${appimageContents}/msty.png \
$out/share/icons/hicolor/256x256/apps/msty.png
wrapProgram $out/bin/${pname} \
--set XDG_CURRENT_DESKTOP GNOME
'';
}

92
pkgs/pomodoro-timer/default.nix
View File

@@ -1,92 +0,0 @@
{
lib,
stdenv,
writeShellScriptBin,
timer,
kitty,
rofi,
libnotify,
speechd,
}: let
launcher = writeShellScriptBin "launch-timer" ''
#!/bin/bash
validate_time() {
local input=$1
if [[ $input =~ ^[0-9]+[mhs]$ ]]; then
return 0
else
return 1
fi
}
notify_end() {
local session_name=$1
${libnotify}/bin/notify-send "Pomodoro" "$session_name session ended!"
${speechd}/bin/spd-say "$session_name session ended"
}
start_timer() {
local duration=$1
local session_name=$2
kitty \
--class="floating-pomodoro" \
--title="floating-pomodoro" \
${timer}/bin/timer $duration
notify_end "$session_name"
}
# Show rofi menu with options
selected=$(printf "work\nbreak\ncustom" | rofi -dmenu -p "Work Timer:" -l 3)
# Exit if no selection was made
[ -z "$selected" ] && exit
case $selected in
"work")
start_timer "45m" "work"
;;
"break")
start_timer "10m" "break"
;;
"custom")
# Show input dialog for custom time
custom_time=$(rofi -dmenu -p "Enter time (e.g., 25m, 1h, 30s):" -l 0)
# Validate input and start timer
if [ ! -z "$custom_time" ] && validate_time "$custom_time"; then
start_timer "$custom_time" "custom"
else
${libnotify}/bin/notify-send "Invalid time format" "Please use format: 30s, 25m, or 1h"
exit 1
fi
;;
esac
'';
in
stdenv.mkDerivation {
pname = "work-timer";
version = "0.1.0";
dontUnpack = true;
buildInputs = [
timer
kitty
rofi
libnotify
speechd
];
installPhase = ''
mkdir -p $out/bin
ln -s ${launcher}/bin/launch-timer $out/bin/launch-timer
'';
meta = with lib; {
description = "A Work timer.";
license = licenses.mit;
platforms = platforms.linux;
maintainers = [];
};
}

41
pkgs/zellij-ps/default.nix
View File

@@ -1,41 +0,0 @@
{
lib,
stdenv,
fetchFromGitea,
fish,
fd,
fzf,
makeWrapper,
zellij,
}:
with lib;
stdenv.mkDerivation {
pname = "zellij-ps";
version = "0.1.0";
src = fetchFromGitea {
domain = "code.m3tam3re.com";
owner = "m3tam3re";
repo = "helper-scripts";
rev = "08a3217b83391c1110545c1ee3161eecd5dbe5e9";
sha256 = "1sc4i58mwcg3qsq0wwl5rvk08ykbxc497bq7mrxiirndsarskby7";
};
buildInputs = [];
nativeBuildInputs = [makeWrapper];
installPhase = ''
mkdir -p $out/bin
cp zellij-ps.fish $out/bin/zellij-ps
wrapProgram $out/bin/zellij-ps \
--prefix PATH : ${lib.makeBinPath [fish fd fzf zellij]}
'';
meta = with lib; {
description = "A small project script for zellij";
homepage = "https://code.m3tam3re.com/m3tam3re/helper-scripts";
license = licenses.mit;
maintainers = with maintainers; [m3tam3re];
platforms = platforms.unix;
};
}

49
secrets.nix
View File

@@ -1,49 +0,0 @@
let
#SYSTEMS
AZ-CLD-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIItSijmU5YwcJcoshtmYxpxBaVA4TPaCMk23ws7KDkAH";
AZLT124-L = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIg/nFOPx763xIbepPsdYRE49R7HwvikXhLF/iPgH1Jh";
AZ-PRM-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID6gl9maUQ99I4t8mCAdfUw6lrA9NYx2EbwqGOmKts+l";
#USERS
sascha.koenig = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZbg/Z9mnflXuLahGY8WOSBMqbgeqVIkIwRkquys1Ml";
jannik.mueller = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPvZazSuIoWoRWhkAqQDMLeurxVUyy1MTllp1wfw1tzq";
users = [sascha.koenig];
systems = [AZ-CLD-1 AZLT124-L AZ-PRM-1];
in {
"secrets/server.crt.age".publicKeys = systems ++ users;
"secrets/server.key.age".publicKeys = systems ++ users;
"secrets/traefik-env.age".publicKeys = systems ++ users;
"secrets/baserow-db.age".publicKeys = systems ++ users;
"secrets/baserow-env.age".publicKeys = systems ++ users;
"secrets/kestra-env.age".publicKeys = systems ++ users;
"secrets/kestra-config.age".publicKeys = systems ++ users;
"secrets/kestra-secrets.age".publicKeys = systems ++ users;
"secrets/kestractl-env.age".publicKeys = systems ++ users;
"secrets/librechat-env.age".publicKeys = systems ++ users;
"secrets/librechat.age".publicKeys = systems ++ users;
"secrets/librechat-env-prod.age".publicKeys = systems ++ users;
"secrets/librechat-env-dev.age".publicKeys = systems ++ users;
"secrets/litellm-env.age".publicKeys = systems ++ users;
"secrets/metabase-env.age".publicKeys = systems ++ users;
"secrets/n8n-env.age".publicKeys = systems ++ users;
"secrets/n8n-env-prm.age".publicKeys = systems ++ users;
"secrets/n8n-db.age".publicKeys = systems ++ users;
"secrets/netbird-auth-secret.age".publicKeys = systems ++ users;
"secrets/netbird-db-password.age".publicKeys = systems ++ users;
"secrets/netbird-encryption-key.age".publicKeys = systems ++ users;
"secrets/netbird-dashboard-env.age".publicKeys = systems ++ users;
"secrets/netbird-server-env.age".publicKeys = systems ++ users;
"secrets/netbird-proxy-env.age".publicKeys = systems ++ users;
"secrets/outline-env.age".publicKeys = systems ++ users;
"secrets/pgadmin-pw.age".publicKeys = systems ++ users;
"secrets/vaultwarden-env.age".publicKeys = systems ++ users;
"secrets/vaultwarden-db.age".publicKeys = systems ++ users;
"secrets/zammad-pw.age".publicKeys = systems ++ users;
"secrets/zammad-secret.age".publicKeys = systems ++ users;
"secrets/zammad-hr-env.age".publicKeys = systems ++ users;
"secrets/zammad-hr-env-prod.age".publicKeys = systems ++ users;
"secrets/outline-key.age".publicKeys = systems ++ users;
"secrets/ref-key.age".publicKeys = systems ++ users;
"secrets/exa-key.age".publicKeys = systems ++ users;
}

15
secrets/baserow-db.age
View File

@@ -1,15 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpoVnNlZyBkeUZi
YmZZdk5zeHBBTkxDdkRyZ1QyZmlRdGdhOUFoRW8rRk5YSHVYYzEwCjgxTmZQNm14
TUZuSkxGNUhYUGhIWG1jV0FsdG52bENpS3hwb09yMDhvdGMKLT4gc3NoLWVkMjU1
MTkgU3JIYXFBIFFmZlE0QnR4YXFBMlcvVGxnQmJnU0xkQWdidXlEMUJpQ0Q3OFl2
Qkc4WGsKWGhNY1dORTdvUWJvUzZJSG96eTVvWk4vR0VsbitHR3YycE5hcDhYanFq
MAotPiBzc2gtZWQyNTUxOSBsR3FWWmcgS25HRFRaRTZZLzVoV1IxNEdrakE5UWM1
TTRMTS9VLzJiQXVXakJVZnh5QQp4dFZZekVZSlBwVEJ6MDBBNzFSTklPMTU5em1J
QlhDMDkvTURhcXpDbXhzCi0+IHNzaC1lZDI1NTE5IENTTXloZyBQYkU3ajVUNkdt
YVdleU5Ya1VJUkJwclFiTlBUdXlrMHpNMEh5OWRCNzJNCjJzMlV5ckpTbWFvR1Ro
MTBBcmtobzlzbG1HWmxlRkpLMkhoTHhwRE1uVG8KLT4gPH5zLWdyZWFzZSBYV3Fx
M0sKenM4Ci0tLSArOERIa00rcWhPeUdsbHFqSFRvOWVEN0dlTjhRbDZCVlFrVzZG
QnZMNWxvCiVRTPOhecBLeAXqlUijvGmRXFJhmnDdPxE4/PGCOKJZwBAsn/TNS1K9
M4bdsdSB
-----END AGE ENCRYPTED FILE-----

23
secrets/baserow-env.age
View File

@@ -1,23 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpoVnNlZyBYQ1k5
L2hTMDQwaFNaMmpoUGV6cDlkMzRrOVBjZG5DNitLcWdRTHdlbTBjCm5HVGxKREN6
VVRqbk9LR3RVNmpoNmc1Y2l6Nk4yT285cUEvaXBacmZMNG8KLT4gc3NoLWVkMjU1
MTkgU3JIYXFBIFg1eU9PVGpuTlhQbUN2THRHcERCOUF2ZHRibXlBUWtGUUhKcUZs
OTlORmsKS3p5Slo1ZWtqdTlWbUVlZEZvcG1XZTF6VTBqazNUZDlRL3F3cFpKcUxJ
NAotPiBzc2gtZWQyNTUxOSBsR3FWWmcgZTZhUlNFVXZxT29zdmNRWEdBbFNud004
aTJnZEM4NWtVREg2YWxyZDdWbwpmOVVMcnVRamFMREd1K25PczdqWlc4N2hjUVlw
MXJTVzVzcXRyZENoVndJCi0+IHNzaC1lZDI1NTE5IENTTXloZyA5QW1UbllFZ2NM
LzVUVExVK0psZDZuSG4rdXNDRkYxblVVNnpzMjNlNVFFClY4ck96ZHJ4MndRMVhn
ODlwd05Bc1AxdWpTSEpjTURqUHdkbWpXRWozUWMKLT4gOz1aLHAtZ3JlYXNlIEsK
YlFjMjVvdkt4WElTdk5IZHNqb1dBcEMvYVNZUTRJb3V5WnhHcGdPWTY1QUVNMnpu
R09JMC9CWTVEQndSaHFjTgpFdVRVRTZIMStyOFF1dE8xeXRTTUVadllLRlBveTd5
YXhMTXdEZGNWamI2cgotLS0gY1U2T0s2NEZtbmVTcmIxeDZrNEZJTzVuY2RlQWU2
Z1ZFbHBKTzlESEZvUQob76pZzXMo/EvmWmKwXQBlBjbwdImpHYOu85+JuC74SjAB
NR2m6BkYK/IUPQ6ZNegTcax97YsHLqt2UHMx5vxQqSPcG+u8ThR6XUxJ0963Lzbb
Xt4ygA4nH0LIT5lsuH2kG0cLAnPGtINh4k6haqVx00jeKAhONqQayQ3pEW1gXw1R
YAkBQ9RdgYWyj1Fd5+4APHwmOp+84NZrgHLbgVtr5ocPdeqtxZ1bfxpUPFVRPT9J
sJKubUtbg0eB1f0Y0Z2JaBH23AuJ1DP2Q7iruA/foRS4hFBpS2FlMO3NbKP3RlCr
TFT57KvUbXjpE4yB11/lJw9Yxvtq+EtDPaYud6uif6DjN1cLNPDad1KYa0pR3qRS
L+3b28UiF9PrjJQGz6RiSfCQj896uRRQLVwIGYmEnezcJ4DEdw0uu8o62/swzCNx
JGI8zwftm6pHo5Fb9qPbkFLRAaKV94JjFdFmPRltpQ==
-----END AGE ENCRYPTED FILE-----

15
secrets/exa-key.age
View File

@@ -1,15 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpoVnNlZyBWMVBr
TDVmNmlTSkFrem9JREI5Z2djS0NWS3RQVUFMeVFZeExjUjlKSW1BCnZxQ3FCTHVG
SytRUWs0UFVRdzI0UGJuQW5STENicHVmQWdRQlh4THZUYmMKLT4gc3NoLWVkMjU1
MTkgU3JIYXFBIHM5a3VheSt4ZXlsNi9UYWx2amR1NWlTYWE2eXVRVU5FSzNYaXkw
cnp3MUUKYnBZZ2dQbDJMb0NVdG5oM2lKeGNGUWdrdThEMEEvbTRzTTFEajZJWmRz
awotPiBzc2gtZWQyNTUxOSBsR3FWWmcgSkdiSmloMlRraTdidWl5U0YyNjVTeFFP
K3l5a1VuUzRpaG5NTzBDRG1Scwo2eDNsM1MrYXhzMDhNT2NEVWFseGR0ankyRVdj
VitBWDBPQnk0eVEyTzFvCi0+IHNzaC1lZDI1NTE5IENTTXloZyBCaHBOUkMxS3M5
MTFZSUhPZi9ja1hNNnZyM2orbkdtblVrdFBlWThRWVdRCmQxNEYyTW5SdDZiQkx2
dHFLK1NicmZXOUU0UWNTRmZsYXRYRUVFQkxEeGsKLT4gcS1ncmVhc2UgeSkgQzZZ
WDg1IW4KSGcKLS0tIDRhU2NNNzlaU05rS0NJTTV2bEpnK1ZOQkZFc2IxWkNZeko4
NEtmajlVRXcKLf10VyJLLFwaRLCulJN/YGiMqIqwV+9Hfyjns9Exx3mASfBW4yJR
qwjpGpVhKIaTNiKo8PdJofw5y6tOCz5NTDmgpVI1
-----END AGE ENCRYPTED FILE-----

11
secrets/hetzner-s3-az-intern-access-key.age
View File

@@ -1,11 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpoVnNlZyBDcUZI
aCsvQzBoaytUZ0NpRVY1NW1WV0dyMXVjVnowZ0FlQkNKeDU4ZzBnCnVzcElPTXVm
QjQ2MjA4YlNYRjF3dmtpUFliMWJIMVJYWkx3Z2tsTzhXeVUKLT4gc3NoLWVkMjU1
MTkgQ1NNeWhnIFZZQ0ZTemdKTno5UUpuRjF6UENydjRtNGZnWWtRRVlLWUhPOXZL
YlpzRmMKem9yUDY2eFhBNGpVbnlibmw5K0FkSElGdzR3Rnl4VEpxUUtxTGs1ZFBw
ZwotPiB+LltMYj0ldC1ncmVhc2UKSE9TOFo1T3E4WFo0Z2hHS0hBTmJkRDQ2a0J0
NW9qWXpCcncKLS0tIEdzKzR3WW9rZnpvTDdKQndqN1VBTWxMY1hidkhXWUZoTWhh
bE9RM1dnY2cKeguIFY/T8kg7t6pDHyCVSdx88fbkCbefaHkLT3ZeLFlEeyIxvvrv
HTgpP0kje+G9jKjku7Q=
-----END AGE ENCRYPTED FILE-----

12
secrets/hetzner-s3-az-intern-secret-key.age
View File

@@ -1,12 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpoVnNlZyByQU9Y
UUdPWmxxSTZ6Rnd3K2V4Q0NQMnRkUXhvQkg5NUMrNVI0YmJ1NDE4CnJpQkZZNFVj
SWw2ZVdKV08rd3poZE5vaVBNN2R3bENBOGp3a2JIdzFNdE0KLT4gc3NoLWVkMjU1
MTkgQ1NNeWhnIEkzWGkwVDBkNkw5S0VWbVFlYzN2OWM4dWJZQm5NakdsWUlTaGNa
Myt0ZzQKZ0dWQy9JaW1YOVdoZVU1T0ExUm4vaEcvRXFGS3ZDVXE2N21ySjI1S0dY
WQotPiB3dzxrLWdyZWFzZQp5R0tXWjBJelF0NFk2MlF1c1ZrdHlxWWprWkN2Mlc2
SVVmSTRMSENOVnNVUWFJVmhtL05VeWNJZE54TWFTdm1tCkVTUVQKLS0tIGZ6M1JS
aWlmeFQydERNS2ROdnBGa0U4anFOVzdITStyblZQeDV3VVFSWUkKXRiSMZZLMcrq
gCXaaUBC4GtG21xSqqsD3MoBNJ+V2XzWC8UFFo8sQiJQB1Pak/CiicRnFkyEbj7m
qAfbhKEAroS3kErgbL9w5w==
-----END AGE ENCRYPTED FILE-----

7
secrets/hetzner-s3-az-intern-secretekey.age
View File

@@ -1,7 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 JqYQjw U5No3H94fSASBcRRZLgTBHxByB95Ziyf4PF2zyrjWhc
IbrSOSlaCOphRfXDGkrXONxqZMKd7wQTbeR/C1MWvOg
-> ssh-ed25519 CSMyhg MW59VNnTF2MEGytjYT1opGF/W3gwmmtnt6njTKbu0gQ
KSnptKwX5I3b5fNMzYE1dMcklmqM+Mehm8zdcjIOKTM
--- F50ScuHxKrtaxMrBPi8yNGPbLThR0nYZoneOCN6vhhY
É]êp§k¹²¬ªÕõxþuQ<75>uŠ”6êÆÌðÕÕ*E)‡äüü-á)áߧA²¿àœ<C593>(¾›°ü„‚©ýýmì^O

29
secrets/kestra-config.age
View File

@@ -1,29 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpoVnNlZyBRYXF4
cisrS0NGeHZIckRrV2FzNjA1Ym91Tk83czRUZVhXNkJseFJMYmc4CjJlUlRMcmFD
TGxyZjRhd0RxRXQyRFZBZk5CT2VpczR4QTliQkh2R1pnZlkKLT4gc3NoLWVkMjU1
MTkgU3JIYXFBIEI4YitPTXB3VFp3SzByUStDTms5TitnQUx3aFdQY09rZmNzTjAz
SWJsV0UKc0t1YnRzVXFiZWZDRkJZd1Zld0ZMZE4zN2pJYXp2OGQzOW5BQ2htcG5r
UQotPiBzc2gtZWQyNTUxOSBsR3FWWmcgS0hINXZOVWlGNzZRWUlBYVE3S0FMVXBs
NXZGZTRDRXBuNGp3ejM4WnhEMApHZWZyT0ozZXU2WHNJMUcxUDBRZlFhU3g1RWI1
UVcrMlBUSjArSURWa0pjCi0+IHNzaC1lZDI1NTE5IENTTXloZyBhTE1oMmh2Smc0
RDM3T1B5UGhLeUVVZG9CclNoSGhQWGRXbVgrSnU2UURFCkhidDBoNTUrRXpzeGgr
T2VkRjZ5TGJaeWE1K2U4RjJKa3AzMVJSQ1ZjQ1EKLT4gcHxQJFotZ3JlYXNlClVP
d09WTS9NR1htNzA2WFNnbUh2TGJWdVhVSUppMVZkcFNSQjJwazZtelpFNXhXZDBV
MzVoQzJWWW5JVjhlYlYKb0NCNkl0YXA4WWZwZCszSVdWUXlKYzZQaXVTS3VDT2lC
Tk5DS05idAotLS0gMmMzYU9uaGJJaUtzNlRNNExYUWFOQmZKcEwxZFpQZC8vTVJ1
MDZ3TXNPYwrXl7PIzv7lRFfBOlmJ6i74CchhE9HAet4uB5NFOfDt3Q5BjCMd/lVD
ZVENpsyjyxhI48gqLOEUAFn8UhOaxYcnu6F0f436Az5AiQfzvcmU4WKi6XRJ12qx
7jg0wi04xIqujcQNTSWG9mOJ9P/8VrlRJ5HRVo0gE8MaulBuxzmMFJr0ZSAtQXXO
DNLltwJ0r6Sy9yLeakDyAxSPOUZSH0B9VzWFmTUcboaWbbDSoy8+kSNpiue81O+i
Wy6Dlpr2e0A2HJEmQHHE71Ur6Edpwl+xn3YJjYN4bqMO/KjbrXerT3/Z+gHItMWy
Z6QHxMDCw7o/iGhTTp9ALUfFG861x64z9YXoacX1jGLq/bs/3SXaCy/keXMd/y16
XPRm0P07Ux+wPKKKIyQ64hEemTj7c5KAlPnlrqvbaPCbx0/QONMZz4kXKFEgzXqi
B6wr4PnsGsDOKe32IysYraZ6MTyYrHX7/5udOy/YMwb6SiX7Fm5J+XgE2rH4XevA
q2kn1UcXTglW5y2ot24HHasCh+bZLv8OiG19qQq3nC3PsYpWYT1lMcm64uBWbvZ7
ejkWrwOZF5FnKEnaj/OKRg3EPSoOkovY12/2X6boehHUTGfga4jZDVvPLgOLwlfk
27VNDynyZot98qYquTcdVyVTNNWvOre53Zw9AM0+XwxcPAUWrFXE99cimoT3XQlp
c1V4G8xUgANT/Er32o3yhmItmnRrdtT4oIpqlVJEZ3ploYJKmbxVBnAvTzby88HG
I4vmrAaE0omIE/GQ1+cNONfk55Paezw+DM6LEGy/SW4OZamqpd5aIdYJDLSUe0wQ
+5xH8m1iszJm8s3f8ocw/dVGgK9M74k=
-----END AGE ENCRYPTED FILE-----

17
secrets/kestra-db.age
View File

@@ -1,17 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFpoVnNlZyA3bFpG
UjJ3UDRDd3pFdFdoaVp5MjlrbldmUU44d0xqNkQvOGFoSjNKT25jCmNVQjczbU9q
ZWh1Rk9oNC9DTXJPQlBrWEQ1YjBKU2Z5RVpvNU1GdVNzczQKLT4gc3NoLWVkMjU1
MTkgU3JIYXFBIHZqOWZPRFdKOVVNZWhlT1hmWHJ4N3h2Zko2R3owU1hDRjNsYjhX
eFB2Mk0KQWJnT3Urb21abkhiUHpQM1FBcUhtcWFFQ0hTMzJ2UkJYMHo2aG5lVU9F
VQotPiBzc2gtZWQyNTUxOSBsR3FWWmcgbTlEd25LQ2hURkl5U2trM3U2UnVyaXkr
QnZGbnRxVkdhbWhYNU9USG1Cbwo1R21MWFhPT2lMcTU3aEVwcnJCbVdiRzV1YlE1
VVFlN3packl4dGhOanBvCi0+IHNzaC1lZDI1NTE5IENTTXloZyBwSnRIR1BIUmRl
N2h0SitFYW9GQmY1ZTUrZnRDRlJMeUEvR0kxZTlLalVNCkU1ZE9abHdIOUluaUNz
bkpvNDdUM21Vd1k5OURhRVBvVis1MlpEcER2cXMKLT4gSndpSGluLWdyZWFzZQp1
ZVB6cVUwN0tSRXY2YVl5STVPL3RkYUNIbDFWTmFWZVBvbFRMT2F5SWR1UWZzODZF
VmpFaURuNklaT2llZ2dVCmQxYVZnT2FBWlBWVUZGOUswOHdHb1c0R0ZrYlRodVJx
YlZtcmhtVWY0aGJPam9UODV3Ci0tLSBKcWVEUzFVWHFaUHFlMkJtMXd5TlRvME8y
cWUwemhzZ1VYeDF3ZkUxMk13CgitI44UftlBnDaKhbYE3XBHopWw5UdrhFzB2KLM
7MnMleigJjEoKmi2b6wjld6x
-----END AGE ENCRYPTED FILE-----

Some files were not shown because too many files have changed in this diff Show More