```
hwmon2/pwm1 => harddrives bay top
hwmon2/pwm2 => CPU fan
hwmon2/pwm4 => harddrives bay bottom
hwmon2/pwm7 => mainboard bay top
```

| Name | Location | Start | Stop |
|---|---|---|---|
| PWM1 | HDD Top | 20 | 0 |
| PWM4 | HDD Bottom | 80 | 60 |
| PWM2 | CPU Fan | 150? | 0? |
| PWM7 | Main Top | 65 | 60 |

```sh
nix run github:nix-community/nixos-anywhere -- \
  --disko-mode mount \
  --flake .#odin \
  --target-host [email protected]
```

odin runs several services inside NixOS containers. Each container is a standalone nixosConfiguration in the flake.
Self-hosted Git service accessible at https://git.t5.st via Cloudflare tunnel.
Container config: hosts/odin/containers/gogs.nix
Module: modules/nixos/gogs.nix
Features:
services.gogs.theme)[email protected])@services Btrfs subvolume)

Deploy:

```sh
# Rebuild and restart the host
nixos-rebuild switch --flake .#odin
# Enter the container
nixos-container root-login gogs
# Check service status
systemctl status gogs
```

Config example:

```nix
services.gogs = {
  enable = true;
  theme = "dark-blue";
  adminUser = {
    name = "control";
    email = "[email protected]";
    passwordFile = "/run/secrets/gogs-admin";
  };
  settings = {
    auth.DISABLE_REGISTRATION = true;
    server = {
      DOMAIN = "git.t5.st";
      EXTERNAL_URL = "https://git.t5.st/";
      HTTP_PORT = 3000;
      SSH_PORT = 2222;
      START_SSH_SERVER = true;
    };
  };
};
```

To mirror a repository on Gogs to an upstream (e.g., Codeberg), set up a post-receive hook per-repo via the Gogs web UI:
https://git.t5.st/{owner}/{repo}/settings/hooks/git/post-receive
Hook script using a Codeberg PAT:
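
```sh
#!/bin/sh
# post-receive: stdin carries one "<old> <new> <ref>" line per updated ref
while read -r oldrev newrev refname; do
    branch=$(git rev-parse --symbolic --abbrev-ref "$refname")
    if [ "master" = "$branch" ]; then
        # Token is read from the bind-mounted age secret
        PAT=$(cat /run/secrets/codeberg-pat)
        # --mirror pushes every ref; the PAT is part of the URL and therefore
        # visible in git's process arguments while the push runs
        git push --quiet --force --mirror \
            "https://x-access-token:${PAT}@codeberg.org/{owner}/{repo}.git"
    fi
done
```
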
Prerequisites:
repo scope at codeberg.org → Settings → Applications

Add the PAT as an age secret in hosts/odin/system/age.nix:

```nix
"odin/services/codeberg-pat" = {
  file = secrets."odin/services/codeberg-pat.age";
  # 0444 is world-readable: the decrypted PAT is not restricted to one service user
  mode = "0444";
};
```

Bind-mount the secret into the container in hosts/odin/default.nix:

```nix
containers.gogs.bindMounts."/run/secrets/codeberg-pat" = {
  hostPath = config.age.secrets."odin/services/codeberg-pat".path;
  isReadOnly = true;
};
```

Create the age-encrypted file with the PAT as content:

```sh
echo -n "YOUR_CODEBERG_PAT" | agenix -e secrets/odin/services/codeberg-pat.age
```

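
The post-receive hook above puts the PAT into the push URL, where it appears in git's process arguments. The variant below is an added example, not part of the original README: it supplies the same token through an inline git credential helper. `CRED_HELPER`, `should_mirror`, `mirror_push`, `main` and the `post-receive` file-name guard are names introduced here; `{owner}/{repo}` remain placeholders as in the README.

```sh
#!/bin/sh
# Added example, not the repository's own hook. Mirrors to Codeberg without
# putting the PAT in the remote URL or in any process argument.
PAT_FILE=/run/secrets/codeberg-pat        # path from the README
export PAT_FILE                           # only the path is exported, not the token
MIRROR_URL='https://codeberg.org/{owner}/{repo}.git'   # placeholders as in the README

# Snippet git runs as `sh -c "<snippet> get|store|erase"` (credential-helper
# protocol). It answers only "get" and reads the token at the moment of use.
CRED_HELPER='f() { test "$1" = get || return 0; p=$(cat "$PAT_FILE") || return 1; printf "username=x-access-token\npassword=%s\n" "$p"; }; f'

# Same trigger as the README hook: only updates to master start a mirror push.
should_mirror() {
    [ "$1" = "refs/heads/master" ]
}

mirror_push() {
    # The first -c clears any inherited helpers; GIT_TERMINAL_PROMPT=0 makes a
    # missing or rejected token fail fast instead of waiting for input.
    GIT_TERMINAL_PROMPT=0 git \
        -c credential.helper= \
        -c "credential.helper=!$CRED_HELPER" \
        push --quiet --force --mirror "$MIRROR_URL" </dev/null
}

main() {
    while read -r oldrev newrev refname; do
        if should_mirror "$refname"; then
            mirror_push
        fi
    done
}

# Run the loop only when installed as the hook (assumed file name: post-receive),
# so the functions can be sourced and checked without reading stdin.
case "$0" in
    *post-receive) main ;;
esac
```
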
Spreadsheet server accessible at https://grist.odin.t5.st via Caddy reverse proxy.
Container config: hosts/odin/containers/grist.nix
Deploy:

```sh
nixos-container create grist --flake .#grist --host-address 192.168.1.1 --local-address 192.168.1.2
nixos-container start grist
```

```bash
#!/usr/bin/env bash

# Create a temporary directory
temp=$(mktemp -d)

# Function to cleanup temporary directory on exit
cleanup() {
  rm -rf "$temp"
}
trap cleanup EXIT

# Create the directory where sshd expects to find the host keys
install -d -m755 "$temp/persist/etc/ssh"
install -d -m755 "$temp/etc/ssh"

# Decrypt your private key from the password store and copy it to the temporary directory
cat ./ssh_host_ed25519_key.txt > "$temp/persist/etc/ssh/ssh_host_ed25519_key"
cat ./ssh_host_rsa_key.txt > "$temp/persist/etc/ssh/ssh_host_rsa_key"
cat ./ssh_host_ed25519_key.txt > "$temp/etc/ssh/ssh_host_ed25519_key"
cat ./ssh_host_rsa_key.txt > "$temp/etc/ssh/ssh_host_rsa_key"

# Set the correct permissions so sshd will accept the key
chmod 600 "$temp/persist/etc/ssh/ssh_host_ed25519_key"
chmod 600 "$temp/persist/etc/ssh/ssh_host_rsa_key"
chmod 600 "$temp/etc/ssh/ssh_host_ed25519_key"
chmod 600 "$temp/etc/ssh/ssh_host_rsa_key"

# Install NixOS to the host system with our secrets
nix run github:nix-community/nixos-anywhere -- \
  --disko-mode mount \
  --extra-files "$temp" \
  --build-on-remote \
  --flake .#odin \
  root@[NIXOS-IP]
```