README.md

@@ -48,12 +48,14 @@ nix multi user, multi system, configuration with `sops` secret management, `home
 
 ## Tech Debt
 - monitor configuration in `~/.config/monitors.xml` should be sym linked to `/run/gdm/.config/monitors.xml` (https://www.reddit.com/r/NixOS/comments/u09cz9/home_manager_create_my_own_symlinks_automatically/)
+- syncthing folders should just be enabled per devices and then combined with "extraDevices" to give final folder configurations
 - syncthing folder passwords
 - nfs export should be backed by the same values for server and client
 - move fail2ban configs out of fail2ban.nix and into configs for their respective services
 - nginx config should be reworked to give a list of subdomains and then the config information to apply to each proxy
 ## New Features
 - offline access for nfs mounts (overlay with rsync might be a good option here? https://www.spinics.net/lists/linux-unionfs/msg07105.html note about nfs4 and overlay fs)
+- Flake templates - we need to add these to some kind of local registry??? `nix flake show templates` - https://nix.dev/manual/nix/2.18/command-ref/new-cli/nix3-flake-init
 - samba mounts
 - figure out steam vr things?
 - Open GL?
@@ -68,5 +70,3 @@ nix multi user, multi system, configuration with `sops` secret management, `home
 - SMART test with email results
 - Create Tor guard/relay server
 - remote distributed builds - https://nix.dev/tutorials/nixos/distributed-builds-setup.html
-- migrate away from flakes and move to npins
-- forgejo dedicated sshd that can only do forgejo things and that the main deamon proxies to when trying to log in with the git user, with the goal of being able to host that deamon on port 22222 and set up a port forward rule on gateway for 22 -> deamon:22222

configurations/home-manager/default.nix

@@ -1,12 +1,10 @@
 {
   lib,
   config,
-  osConfig,
   ...
 }: let
   users = config.host.users;
 in {
   leyla = lib.mkIf users.leyla.isNormalUser (import ./leyla);
   eve = lib.mkIf users.eve.isNormalUser (import ./eve);
-  git = lib.mkIf (osConfig.services.forgejo.enable or false) (import ./git);
 }

configurations/home-manager/git/default.nix

@@ -1,20 +0,0 @@
-{osConfig, ...}: {
-  home = {
-    username = osConfig.users.users.git.name;
-    homeDirectory = osConfig.users.users.git.home;
-
-    # This value determines the Home Manager release that your configuration is
-    # compatible with. This helps avoid breakage when a new Home Manager release
-    # introduces backwards incompatible changes.
-    #
-    # You should not change this value, even if you update Home Manager. If you do
-    # want to update the value, then make sure to first check the Home Manager
-    # release notes.
-    stateVersion = "23.11"; # Please read the comment before changing.
-  };
-
-  programs.ssh.extraConfig = ''
-    AuthorizedKeysFile
-    /var/lib/forgejo/.ssh/authorized_keys
-  '';
-}

flake.nix

@@ -114,12 +114,7 @@
       nixpkgs.lib.attrsets.mapAttrsToList (hostname: system: (
         nixpkgs.lib.attrsets.mapAttrs' (user: _: {
           name = "${user}@${hostname}";
-          value = mkHome {
+          value = mkHome user hostname system.pkgs.hostPlatform.system system.config;
-            user = user;
-            host = hostname;
-            system = system.pkgs.hostPlatform.system;
-            osConfig = system.config;
-          };
         })
         system.config.home-manager.users
       ))

modules/nixos-modules/server/fail2ban.nix

@@ -92,7 +92,7 @@ in {
             enabled = true;
             filter = "forgejo";
             action = ''iptables-multiport[name=HTTP, port="http,https"]'';
-            logpath = "${config.services.forgejo.settings.log.ROOT_PATH}/*.log";
+            logpath = "${config.services.forgejo.stateDir}/log/*.log";
             backend = "auto";
             findtime = 600;
             bantime = 600;

modules/nixos-modules/server/forgejo.nix

@@ -6,7 +6,7 @@
   forgejoPort = 8081;
   stateDir = "/var/lib/forgejo";
   db_user = "forgejo";
-  sshPort = 22222;
+  sshPort = 2222;
 in {
   options.host.forgejo = {
     enable = lib.mkEnableOption "should forgejo be enabled on this computer";
@@ -33,8 +33,7 @@ in {
         };
       };
 
-      services = {
+      services.forgejo = {
-        forgejo = {
         enable = true;
         database = {
           type = "postgres";
@@ -48,8 +47,9 @@ in {
             START_SSH_SERVER = true;
             SSH_LISTEN_PORT = sshPort;
             SSH_PORT = 22;
-              BUILTIN_SSH_SERVER_USER = config.users.users.git.name;
+            # TODO: we need to create this user, and then store their authorized keys somewhere and have both ssh server allow login in as that user based on those authorized keys
-              ROOT_URL = "https://git.jan-leila.com";
+            BUILTIN_SSH_SERVER_USER = "git";
+            ROOT_URL = "https://git.jan-leila.com:";
           };
           service = {
             DISABLE_REGISTRATION = true;
@@ -61,7 +61,6 @@ in {
           };
         };
       };
-      };
 
       networking.firewall.allowedTCPPorts = [
         config.services.forgejo.settings.server.SSH_LISTEN_PORT

modules/nixos-modules/server/network_storage/nfs.nix

@@ -37,15 +37,20 @@
       lib.mkIf (config.host.network_storage.nfs.enable && config.host.network_storage.enable) {
         services.nfs.server = {
           enable = true;
-          exports = lib.strings.concatLines (lib.lists.imap0 (
+          exports = lib.strings.concatLines (
-              i: directory: "${directory._directory} 100.64.0.0/10(fsid=${toString i},rw,nohide,sync,no_subtree_check,crossmnt)"
+            [
+              "/export 100.64.0.0/10(rw,fsid=0,no_subtree_check)"
+            ]
+            ++ (builtins.map (
+                directory: "${directory._directory} 100.64.0.0/10(rw,nohide,sync,no_subtree_check,crossmnt)"
               )
               (
                 builtins.filter (
                   directory: lib.lists.any (target: target == directory.folder) config.host.network_storage.nfs.directories
                 )
                 config.host.network_storage.directories
-            ));
+              ))
+          );
         };
         networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = [
           config.host.network_storage.nfs.port

modules/nixos-modules/sync.nix

@@ -77,7 +77,7 @@ in {
             assertion = lib.strings.hasPrefix mountDir folder.path;
             message = "syncthing folder ${folder.label} is stored at ${folder.path} which not under the persisted path of ${mountDir}";
           })
-          config.services.syncthing.settings.folders;
+          config.services.syncthing.folders;
         environment.persistence = {
           "/persist/system/root" = {
             enable = true;

modules/nixos-modules/users.nix

@@ -20,9 +20,9 @@
     adguardhome = 2003;
     hass = 2004;
     headscale = 2005;
+    nextcloud = 2006;
     syncthing = 2007;
     ollama = 2008;
-    git = 2009;
   };
 
   gids = {
@@ -35,9 +35,9 @@
     adguardhome = 2003;
     hass = 2004;
     headscale = 2005;
+    nextcloud = 2006;
     syncthing = 2007;
     ollama = 2008;
-    git = 2009;
   };
 
   users = config.users.users;
@@ -141,6 +141,12 @@ in {
             group = config.users.users.headscale.name;
           };
 
+          nextcloud = {
+            uid = lib.mkForce uids.nextcloud;
+            isSystemUser = true;
+            group = config.users.users.nextcloud.name;
+          };
+
           syncthing = {
             uid = lib.mkForce uids.syncthing;
             isSystemUser = true;
@@ -152,13 +158,6 @@ in {
             isSystemUser = true;
             group = config.users.users.ollama.name;
           };
-
-          git = {
-            uid = lib.mkForce uids.git;
-            isSystemUser = !config.services.forgejo.enable;
-            isNormalUser = config.services.forgejo.enable;
-            group = config.users.users.git.name;
-          };
         };
 
         groups = {
@@ -233,6 +232,14 @@ in {
             ];
           };
 
+          nextcloud = {
+            gid = lib.mkForce gids.nextcloud;
+            members = [
+              users.nextcloud.name
+              # leyla
+            ];
+          };
+
           syncthing = {
             gid = lib.mkForce gids.syncthing;
             members = [
@@ -248,13 +255,6 @@ in {
               users.ollama.name
             ];
           };
-
-          git = {
-            gid = lib.mkForce gids.git;
-            members = [
-              users.git.name
-            ];
-          };
         };
       };
     }

util/default.nix

@@ -36,13 +36,8 @@
   home-manager-config = nixpkgs: {
     home-manager.useUserPackages = true;
     home-manager.backupFileExtension = "backup";
-    home-manager.extraSpecialArgs = {
+    home-manager.extraSpecialArgs = {inherit inputs outputs util;};
-      inherit inputs outputs util;
+    home-manager.users = import ../configurations/home-manager nixpkgs;
-    };
-    home-manager.users = import ../configurations/home-manager (nixpkgs
-      // {
-        osConfig = nixpkgs.config;
-      });
     home-manager.sharedModules = home-manager-modules;
   };
 
@@ -66,7 +61,7 @@ in {
     nixpkgs.lib.nixosSystem {
       modules = [
         {
-          # TODO: authorized keys for all users and hosts
+          # TODO: authorized keys for all users
         }
         ../configurations/nixos/${host}
       ];
@@ -102,12 +97,7 @@ in {
         ];
     };
 
-  mkHome = {
+  mkHome = user: host: system: osConfig:
-    user,
-    host,
-    system,
-    osConfig,
-  }:
     home-manager.lib.homeManagerConfiguration {
       pkgs = pkgsFor system;
       extraSpecialArgs = {