{"id":25853057,"url":"https://github.com/secshellnet/nixos","last_synced_at":"2025-03-01T14:31:53.812Z","repository":{"id":221542297,"uuid":"746183726","full_name":"secshellnet/nixos","owner":"secshellnet","description":"NixOS flake for servers","archived":false,"fork":false,"pushed_at":"2025-02-26T14:51:08.000Z","size":163,"stargazers_count":4,"open_issues_count":1,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-02-26T15:40:17.752Z","etag":null,"topics":["linux-server","nixos"],"latest_commit_sha":null,"homepage":"https://search.secshell.de","language":"Nix","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/secshellnet.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-01-21T10:18:44.000Z","updated_at":"2025-02-26T14:51:12.000Z","dependencies_parsed_at":"2024-05-22T15:57:25.336Z","dependency_job_id":"98d09ad5-a264-4346-8bd1-c8741bf441df","html_url":"https://github.com/secshellnet/nixos","commit_stats":null,"previous_names":["secshellnet/nixos"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secshellnet%2Fnixos","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secshellnet%2Fnixos/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secshellnet%2Fnixos/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secshellnet%2Fnixos/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/secshellnet","download_url":"https://codeload.github.com/secshellnet/nixos/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241378123,"owners_count":19953228,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["linux-server","nixos"],"created_at":"2025-03-01T14:31:45.824Z","updated_at":"2025-03-01T14:31:53.796Z","avatar_url":"https://github.com/secshellnet.png","language":"Nix","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Secure Shell Networks: Nix flake for servers\n\nThis repository provides nix configurations for servers managed by Secure Shell Networks.\n\n## Example\nWe're using a single flake, which builds nixosSystems dynamically based on the\ncontents of the `hosts` directory. The `configuration.nix` of each host imports\nthe `hardware-configuration.nix`, which has been generated during installation\nand extended by the bootloader configuration. Secret values are managed using\nsops and will be stored in the `secrets.yaml` inside the host directory.\n\nAdding `portal.example.com` to the directory structure looks like this:\n```sh\n.\n├── docker-images.toml\n├── flake.lock\n├── flake.nix\n├── hosts\n│   └── com\n│       └── example\n│           └── portal\n│               ├── configuration.nix\n│               ├── hardware-configuration.nix\n│               └── secrets.yaml\n└── modules\n    └── default.nix\n```\n\nThe `configuration.nix` also contains the configuration properties of the\n`secshell` namespace, in which services like hedgedoc and vaultwarden can\nbe enabled.\n```nix\n# hosts/com/example/portal/configuration.nix\n{ config\n, pkgs\n, lib\n, ...\n}: {\n  imports = [\n    ./hardware-configuration.nix\n    ./networking.nix\n  ];\n\n  secshell = {\n    hedgedoc = {\n      enable = true;\n      internal_port = 8000;\n    };\n    vaultwarden = {\n      enable = true;\n      internal_port = 8001;\n    };\n    users = [ \"alice\" \"bob\" ];\n  };\n\n  system.stateVersion = \"24.05\";\n}\n```\n\n```nix\n# flake.nix\n{\n  inputs = {\n    nixpkgs.url = \"github:NixOS/nixpkgs/nixos-24.05\";\n    nixpkgs-unstable.url = \"github:nixos/nixpkgs/nixos-unstable\";\n    sops-nix.url = \"github:Mic92/sops-nix\";\n    deploy-sh.url = \"github:Defelo/deploy-sh\";\n    secshell.url = \"github:secshellnet/nixos\";\n  };\n  outputs =\n    { self\n    , nixpkgs\n    , nixpkgs-unstable\n    , sops-nix\n    , deploy-sh\n    , secshell\n    , ...\n    } @ inputs:\n    let\n      mkPkgs = { system, repo ? nixpkgs }: import repo {\n        inherit system;\n        config.allowUnfreePredicate = pkg: builtins.elem (repo.lib.getName pkg) [\n          # Note: If your system requires non-free packages, you need to\n          #       allow the usage of them here. Examples for non-free\n          #       packages are mongodb or elasticsearch. If you are using\n          #       unfree packages without allowing them here, the installation\n          #       will fail and provide instructions on what to add in this\n          #       section.\n        ];\n      };\n\n      inherit (nixpkgs) lib;\n      defaultSystems = [\n        \"x86_64-linux\"\n        \"x86_64-darwin\"\n        \"aarch64-linux\"\n        \"aarch64-darwin\"\n      ];\n      eachDefaultSystem = lib.genAttrs defaultSystems;\n    in {\n    nixosConfigurations = let\n      hosts = let\n        listHosts = dir: let\n          dirContent = builtins.readDir dir;\n          isHost = dirContent.\"configuration.nix\" or null == \"regular\";\n        in\n          if isHost\n          then [dir]\n          else\n            lib.pipe dirContent [\n              (lib.filterAttrs (_: type: type == \"directory\"))\n              builtins.attrNames\n              (map (x: listHosts /${dir}/${x}))\n              builtins.concatLists\n            ];\n      in\n        listHosts ./hosts;\n\n      makeFqdn = lib.flip lib.pipe [\n        (lib.path.removePrefix ./hosts)\n        lib.path.subpath.components\n        lib.reverseList\n        (builtins.concatStringsSep \".\")\n      ];\n    in\n      builtins.listToAttrs (\n        map (host: {\n          name = makeFqdn host;\n          value = lib.nixosSystem rec {\n            system = if lib.pathExists /${host}/system.txt\n                     then lib.removeSuffix \"\\n\" (builtins.readFile /${host}/system.txt)\n                     else \"x86_64-linux\";\n            pkgs = mkPkgs { inherit system; };\n            specialArgs =\n              inputs\n              // (lib.mapAttrs' (name: value: {\n                name = lib.removePrefix \"nix\" name;\n                value = mkPkgs { inherit system; repo = value; };\n              }) (lib.filterAttrs (name: _: lib.hasPrefix \"nixpkgs-\" name) inputs))\n              // {\n                docker-images = fromTOML (builtins.readFile ./docker-images.toml);\n              };\n            modules = [\n              deploy-sh.nixosModules.default\n              sops-nix.nixosModules.default\n              secshell.nixosModules.default\n              /${host}/configuration.nix\n              ./modules/default.nix\n              {\n                networking.hostName = builtins.head (lib.splitString \".\" (makeFqdn host));\n                networking.domain = builtins.concatStringsSep \".\" (builtins.tail (lib.splitString \".\" (makeFqdn host)));\n                deploy-sh.targetHost = \"root@${makeFqdn host}\";\n                sops.defaultSopsFile = /${host}/secrets.yaml;\n              }\n            ];\n          };\n        })\n        hosts\n      );\n\n    deploy-sh.hosts = lib.filterAttrs (_: host: host.config ? \"deploy-sh\") self.nixosConfigurations;\n\n    devShells = eachDefaultSystem (system: let\n      pkgs = import nixpkgs {inherit system;};\n    in {\n      default = pkgs.mkShell {\n        packages = with pkgs; [\n          sops\n          ssh-to-age\n        ] ++ [\n          deploy-sh.packages.${system}.default\n        ];\n      };\n    });\n  };\n}\n```\n\n```nix\n# modules/default.nix\n{ pkgs\n, ...\n}: {\n  time.timeZone = \"Europe/Berlin\";\n  i18n.extraLocaleSettings.LC_TIME = \"en_GB.UTF-8\";\n  console.keyMap = \"de\";\n\n  sops.age.sshKeyPaths = [ \"/etc/ssh/ssh_host_ed25519_key\" ];\n\n  services.openssh = {\n    enable = true;\n    openFirewall = true;\n  };\n}\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecshellnet%2Fnixos","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsecshellnet%2Fnixos","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecshellnet%2Fnixos/lists"}