desktop-2024-11-03-09-13-27

This commit is contained in:
Alexander Szczepanski
2024-11-03 09:13:27 +01:00
parent 4160c3408f
commit ed7833b3e9
38 changed files with 525 additions and 1245 deletions


@ -1,8 +1,12 @@
{ config, pkgs, inputs, outputs, ... }:
let
be = import ../../configs/borg-exclude.nix;
in
{
config,
pkgs,
inputs,
outputs,
...
}: let
be = import ../../configs/borg-exclude.nix;
in {
nixpkgs = {
overlays = [
(self: super: {
@ -24,7 +28,6 @@ in
hash = "sha256-zQK1tuxu2ZmKxPO0amkfcT/RFBSkU2pWD0qhGyCCHXI=";
})
];
});
});
})
@ -52,7 +55,7 @@ in
defaultSopsFile = ../../secrets.yaml;
validateSopsFiles = true;
age = {
sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ];
sshKeyPaths = ["/persist/etc/ssh/ssh_host_ed25519_key"];
keyFile = "/persist/var/lib/sops-nix/key.txt";
generateKey = true;
};
@ -78,8 +81,8 @@ in
"kvm"
"gccarch-znver3"
];
trusted-substituters = [ "https://ai.cachix.org" ];
trusted-public-keys = [ "ai.cachix.org-1:N9dzRK+alWwoKXQlnn0H6aUx0lU/mspIoz8hMvGvbbc=" ];
trusted-substituters = ["https://ai.cachix.org"];
trusted-public-keys = ["ai.cachix.org-1:N9dzRK+alWwoKXQlnn0H6aUx0lU/mspIoz8hMvGvbbc="];
};
chaotic.nyx.cache.enable = false;
@ -99,14 +102,14 @@ in
configurationLimit = 5;
useOSProber = true;
};
efi = { canTouchEfiVariables = true; };
efi = {canTouchEfiVariables = true;};
};
tmp.useTmpfs = false;
supportedFilesystems = [ "btrfs" ];
supportedFilesystems = ["btrfs"];
kernelPackages = pkgs.pkgs.linuxPackages_cachyos;
kernelModules = [ "nct6775" ];
extraModulePackages = with pkgs.pkgs.linuxPackages_cachyos; [ ryzen-smu ];
kernelModules = ["nct6775"];
extraModulePackages = with pkgs.pkgs.linuxPackages_cachyos; [ryzen-smu];
# kernelParams = [ "clearcpuid=514" ];
# kernelParams = [ "amdgpu.ppfeaturemask=0xffffffff" ];
# kernelPatches = [{
@ -168,9 +171,9 @@ in
systemd.services = {
monitor = {
description = "AMDGPU Control Daemon";
wantedBy = [ "multi-user.target" ];
after = [ "multi-user.target" ];
serviceConfig = { ExecStart = "${pkgs.lact}/bin/lact daemon"; };
wantedBy = ["multi-user.target"];
after = ["multi-user.target"];
serviceConfig = {ExecStart = "${pkgs.lact}/bin/lact daemon";};
};
};
@ -301,7 +304,6 @@ in
"read only" = "no";
"create mask" = "0644";
"directory mask" = "0755";
};
};
};


@ -1,60 +1,63 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "uas" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "uas" "usb_storage" "usbhid" "sd_mod"];
boot.initrd.kernelModules = ["dm-snapshot"];
boot.kernelModules = ["kvm-amd"];
boot.extraModulePackages = [];
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/87c6b0fb-b921-47d5-a3a1-4b4c0a4f02ad";
fsType = "btrfs";
options = [ "subvol=root" "discard=async" "compress=zstd" "noatime" ];
options = ["subvol=root" "discard=async" "compress=zstd" "noatime"];
};
"/home" = {
device = "/dev/disk/by-uuid/87c6b0fb-b921-47d5-a3a1-4b4c0a4f02ad";
fsType = "btrfs";
options = [ "subvol=home" "discard=async" "compress=zstd" "noatime" ];
options = ["subvol=home" "discard=async" "compress=zstd" "noatime"];
};
"/nix" = {
device = "/dev/disk/by-uuid/87c6b0fb-b921-47d5-a3a1-4b4c0a4f02ad";
fsType = "btrfs";
options = [ "subvol=nix" "discard=async" "compress=zstd" "noatime" ];
options = ["subvol=nix" "discard=async" "compress=zstd" "noatime"];
};
"/persist" = {
device = "/dev/disk/by-uuid/87c6b0fb-b921-47d5-a3a1-4b4c0a4f02ad";
fsType = "btrfs";
options = [ "subvol=persist" "discard=async" "compress=zstd" "noatime" ];
options = ["subvol=persist" "discard=async" "compress=zstd" "noatime"];
neededForBoot = true;
};
"/var/log" = {
device = "/dev/disk/by-uuid/87c6b0fb-b921-47d5-a3a1-4b4c0a4f02ad";
fsType = "btrfs";
options = [ "subvol=log" "discard=async" "compress=zstd" "noatime" ];
options = ["subvol=log" "discard=async" "compress=zstd" "noatime"];
neededForBoot = true;
};
"/boot" = {
device = "/dev/disk/by-uuid/4339-5A4C";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
options = ["fmask=0022" "dmask=0022"];
};
};
swapDevices = [{ device = "/dev/disk/by-uuid/831be7b8-5b1b-4bda-a27d-5a1c4efb2c4d"; }];
swapDevices = [{device = "/dev/disk/by-uuid/831be7b8-5b1b-4bda-a27d-5a1c4efb2c4d";}];
networking.useDHCP = lib.mkDefault true;
# nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";


@ -1,8 +1,13 @@
{ config, pkgs, lib, outputs, inputs, ... }:
let
be = import ../../configs/borg-exclude.nix;
in
{
config,
pkgs,
lib,
outputs,
inputs,
...
}: let
be = import ../../configs/borg-exclude.nix;
in {
nixpkgs = {
overlays = [
outputs.overlays.additions
@ -34,7 +39,7 @@ in
defaultSopsFile = ../../secrets.yaml;
validateSopsFiles = true;
age = {
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
};
@ -57,19 +62,19 @@ in
initrd.systemd.enable = true;
loader = {
grub = {
enable = true;
efiSupport = true;
device = "nodev";
configurationLimit = 5;
enableCryptodisk = true;
};
efi = { canTouchEfiVariables = true; };
enable = true;
efiSupport = true;
device = "nodev";
configurationLimit = 5;
enableCryptodisk = true;
};
efi = {canTouchEfiVariables = true;};
};
supportedFilesystems = [ "btrfs" ];
# kernelPatches = [{
# name = "fix problems with netfilter in 6.11.4";
# patch = ../../kernelpatches/fix-netfilter-6.11.4.patch;
# }];
supportedFilesystems = ["btrfs"];
# kernelPatches = [{
# name = "fix problems with netfilter in 6.11.4";
# patch = ../../kernelpatches/fix-netfilter-6.11.4.patch;
# }];
tmp.useTmpfs = false;
};
@ -103,12 +108,30 @@ in
fanSpeedUpdateFrequency = 5;
movingAverageInterval = 30;
speedCurve = [
{ temp = 0; speed = 15; }
{ temp = 50; speed = 15; }
{ temp = 65; speed = 25; }
{ temp = 70; speed = 35; }
{ temp = 75; speed = 50; }
{ temp = 85; speed = 100; }
{
temp = 0;
speed = 15;
}
{
temp = 50;
speed = 15;
}
{
temp = 65;
speed = 25;
}
{
temp = 70;
speed = 35;
}
{
temp = 75;
speed = 50;
}
{
temp = 85;
speed = 100;
}
];
};
};
@ -120,7 +143,7 @@ in
enableAllFirmware = true;
openrazer = {
enable = true;
users = [ "alex" ];
users = ["alex"];
};
graphics = {
@ -148,7 +171,7 @@ in
btrfs.autoScrub = {
enable = true;
interval = "monthly";
fileSystems = [ "/home/alex/shared/storage" ];
fileSystems = ["/home/alex/shared/storage"];
};
pipewire = {
@ -164,10 +187,9 @@ in
mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets.borg-key.path}";
};
extraCreateArgs =
"--stats --verbose --checkpoint-interval 600 --exclude-caches";
extraCreateArgs = "--stats --verbose --checkpoint-interval 600 --exclude-caches";
environment.BORG_RSH = "ssh -i /home/alex/.ssh/id_borg_ed25519";
paths = [ "/home/alex" "/var/lib" ];
paths = ["/home/alex" "/var/lib"];
repo = "ssh://u278697-sub9@u278697.your-storagebox.de:23/./borg";
startAt = "daily";
prune.keep = {
@ -194,7 +216,7 @@ in
# systemd.services.nix-daemon.serviceConfig.LimitNOFILE = 40960;
environment = {
sessionVariables = { LIBVA_DRIVER_NAME = "iHD"; }; # Force intel-media-driver
sessionVariables = {LIBVA_DRIVER_NAME = "iHD";}; # Force intel-media-driver
systemPackages = with pkgs; [
# psensor
mission-center
@ -232,7 +254,7 @@ in
# Resume Offset is offset of swapfile
# https://wiki.archlinux.org/title/Power_management/Suspend_and_hibernate#Hibernation_into_swap_file
# boot.kernelParams = [ "mem_sleep_default=deep" "resume_offset=190937088" ];
boot.kernelParams = [ "mem_sleep_default=deep" ];
boot.kernelParams = ["mem_sleep_default=deep"];
# Suspend-then-hibernate everywhere
services.logind = {


@ -1,13 +1,16 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [
"xhci_pci"
@ -16,9 +19,9 @@
"usb_storage"
"sd_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
fileSystems = {
"/" = {
@ -68,7 +71,7 @@
"/boot" = {
device = "/dev/disk/by-uuid/427A-97BA";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
options = ["fmask=0022" "dmask=0022"];
};
"/home/alex/shared/storage" = {
device = "/dev/disk/by-uuid/58259976-4f63-4f60-a755-7870b08286e7";
@ -94,9 +97,11 @@
'';
# boot.initrd.luks.devices."luks-e36ec189-2211-4bcc-bb9d-46650443d76b".device = "/dev/disk/by-uuid/e36ec189-2211-4bcc-bb9d-46650443d76b";
swapDevices = [{
device = "/dev/disk/by-uuid/9f90bae0-287b-480c-9aa1-de108b4b4626";
}];
swapDevices = [
{
device = "/dev/disk/by-uuid/9f90bae0-287b-480c-9aa1-de108b4b4626";
}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,7 +1,12 @@
{ config, pkgs, inputs, outputs, ... }:
let secrets = import ../../configs/secrets.nix;
{
config,
pkgs,
inputs,
outputs,
...
}: let
secrets = import ../../configs/secrets.nix;
in {
nixpkgs = {
overlays = [
outputs.overlays.additions
@ -33,18 +38,23 @@ in {
efi.canTouchEfiVariables = true;
};
extraModulePackages = with pkgs.linuxPackages; [ rtl88x2bu ];
extraModulePackages = with pkgs.linuxPackages; [rtl88x2bu];
};
time.timeZone = "Europe/Berlin";
networking = {
hostName = "mini";
useDHCP = false;
firewall = { enable = false; };
firewall = {enable = false;};
interfaces = {
enp3s0.useDHCP = true;
# wlp0s20u1u1.useDHCP = true;
wlp0s20u1u2.ipv4.addresses = [{ address = "192.168.12.1"; prefixLength = 24; }];
wlp0s20u1u2.ipv4.addresses = [
{
address = "192.168.12.1";
prefixLength = 24;
}
];
};
nftables.enable = true;
@ -84,7 +94,6 @@ in {
# networks.Skynet.psk = secrets.wifipassword;
# interfaces = [ "wlp0s20u1u1" ];
# };
};
environment.systemPackages = with pkgs; [
@ -111,10 +120,9 @@ in {
networks.wlp0s20u1u2 = {
ssid = "Skynet-Tor";
authentication.saePasswords = [
{ password = "REMOVED_OLD_PASSWORD_FROM_HISTORY"; }
{password = "REMOVED_OLD_PASSWORD_FROM_HISTORY";}
];
};
};
};
};
@ -196,11 +204,9 @@ in {
mode = "repokey-blake2";
passphrase = secrets.borg-key;
};
extraCreateArgs =
"--list --stats --verbose --checkpoint-interval 600 --exclude-caches";
environment.BORG_RSH =
"ssh -o StrictHostKeyChecking=no -i /home/alex/.ssh/id_ed25519";
paths = [ "/home/alex" "/var/lib" ];
extraCreateArgs = "--list --stats --verbose --checkpoint-interval 600 --exclude-caches";
environment.BORG_RSH = "ssh -o StrictHostKeyChecking=no -i /home/alex/.ssh/id_ed25519";
paths = ["/home/alex" "/var/lib"];
repo = secrets.borg-repo;
startAt = "daily";
prune.keep = {
@ -209,7 +215,7 @@ in {
monthly = 6;
};
extraPruneArgs = "--save-space --list --stats";
exclude = [ "/home/alex/.cache" ];
exclude = ["/home/alex/.cache"];
};
};


@ -1,34 +1,33 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
fileSystems."/" =
{
device = "/dev/disk/by-uuid/8be3b4e5-7219-4427-bba4-340f1dc4b868";
fsType = "ext4";
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/8be3b4e5-7219-4427-bba4-340f1dc4b868";
fsType = "ext4";
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/7C10-C8BD";
fsType = "vfat";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/7C10-C8BD";
fsType = "vfat";
};
swapDevices =
[{ device = "/dev/disk/by-uuid/edb5324f-3cd2-4b8c-bb05-cca045adeaf6"; }];
swapDevices = [{device = "/dev/disk/by-uuid/edb5324f-3cd2-4b8c-bb05-cca045adeaf6";}];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -1,62 +0,0 @@
{ config, pkgs, lib, outputs, ... }:
{
nixpkgs = {
overlays = [
outputs.overlays.additions
outputs.overlays.modifications
outputs.overlays.unstable-packages
];
config = {
allowUnfree = true;
};
};
imports = [
./hardware-configuration.nix
../../configs/common.nix
../../configs/user.nix
../../configs/docker.nix
../../configs/pantheon.nix
../../configs/user-gui.nix
];
networking.hostName = "nixos-libvirt"; # Define your hostname.
time.timeZone = "Europe/Berlin";
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
boot.loader.grub.useOSProber = true;
# boot.loader.systemd-boot.enable = true;
# boot.loader.efi.canTouchEfiVariables = true;
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.enp0s1.useDHCP = true;
programs.nix-ld.enable = true;
services = {
k3s = {
enable = true;
role = "server";
};
};
environment.pantheon.excludePackages = (with pkgs.pantheon; [
elementary-calculator
# elementary-calendar
elementary-camera
elementary-code
elementary-music
# elementary-photos
# elementary-screenshot
# elementary-tasks
elementary-videos
epiphany
]);
system.stateVersion = "24.05";
}


@ -1,31 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/bc7b8b67-966c-44f5-824b-bea72de13d92";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -1,5 +1,10 @@
{ config, pkgs, lib, outputs, ... }:
{
config,
pkgs,
lib,
outputs,
...
}: {
nixpkgs = {
config = {
allowUnfree = true;
@ -17,7 +22,7 @@
defaultSopsFile = ../../secrets.yaml;
validateSopsFiles = true;
age = {
sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ];
sshKeyPaths = ["/persist/etc/ssh/ssh_host_ed25519_key"];
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
};
@ -40,18 +45,18 @@
device = "nodev";
};
};
supportedFilesystems = [ "btrfs" ];
supportedFilesystems = ["btrfs"];
initrd = {
enable = true;
supportedFilesystems = [ "btrfs" ];
supportedFilesystems = ["btrfs"];
postResumeCommands = lib.mkAfter ''
mkdir -p /mnt
# We first mount the btrfs root to /mnt
# so we can manipulate btrfs subvolumes.
mount -o subvol=/ /dev/vda3 /mnt
# While we're tempted to just delete /root and create
# a new snapshot from /root-blank, /root is already
# populated at this point with a number of subvolumes,
@ -78,7 +83,7 @@
echo "restoring blank /root subvolume..."
btrfs subvolume snapshot /mnt/root-blank /mnt/root
# Once we're done rolling back to a blank snapshot,
# we can unmount /mnt and continue on the boot process.
umount /mnt


@ -1,61 +1,59 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ ];
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [];
boot.initrd.availableKernelModules = [ "ata_piix" "ohci_pci" "ehci_pci" "ahci" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.initrd.availableKernelModules = ["ata_piix" "ohci_pci" "ehci_pci" "ahci" "sd_mod" "sr_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
fileSystems."/" =
{
device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964";
fsType = "btrfs";
options = [ "subvol=root" "compress=zstd" "noatime" ];
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964";
fsType = "btrfs";
options = ["subvol=root" "compress=zstd" "noatime"];
};
fileSystems."/home" =
{
device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964";
fsType = "btrfs";
options = [ "subvol=home" "compress=zstd" "noatime" ];
};
fileSystems."/home" = {
device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964";
fsType = "btrfs";
options = ["subvol=home" "compress=zstd" "noatime"];
};
fileSystems."/nix" =
{
device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964";
fsType = "btrfs";
options = [ "subvol=nix" "compress=zstd" "noatime" ];
};
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964";
fsType = "btrfs";
options = ["subvol=nix" "compress=zstd" "noatime"];
};
fileSystems."/persist" =
{
device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964";
fsType = "btrfs";
options = [ "subvol=persist" "compress=zstd" "noatime" ];
neededForBoot = true;
};
fileSystems."/persist" = {
device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964";
fsType = "btrfs";
options = ["subvol=persist" "compress=zstd" "noatime"];
neededForBoot = true;
};
fileSystems."/var/log" =
{
device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964";
fsType = "btrfs";
options = [ "subvol=log" "compress=zstd" "noatime" ];
neededForBoot = true;
};
fileSystems."/var/log" = {
device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964";
fsType = "btrfs";
options = ["subvol=log" "compress=zstd" "noatime"];
neededForBoot = true;
};
fileSystems."/boot" =
{
device = "/dev/disk/by-uuid/6F47-35E9";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/6F47-35E9";
fsType = "vfat";
options = ["fmask=0022" "dmask=0022"];
};
swapDevices = [ ];
swapDevices = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,51 +0,0 @@
{ config, pkgs, lib, ... }:
let unstable = import <nixos-unstable> { config.allowUnfree = true; };
in {
imports = [
/etc/nixos/hardware-configuration.nix
../configs/common.nix
../configs/user.nix
../configs/docker.nix
../configs/pantheon.nix
../configs/user-gui.nix
];
networking.hostName = "nixos-vm"; # Define your hostname.
time.timeZone = "Europe/Berlin";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.enp0s1.useDHCP = true;
hardware.parallels.enable = true;
programs.nix-ld.enable = true;
services = {
k3s = {
enable = true;
role = "server";
};
};
environment.pantheon.excludePackages = (with pkgs.pantheon; [
elementary-calculator
# elementary-calendar
elementary-camera
elementary-code
elementary-music
# elementary-photos
# elementary-screenshot
# elementary-tasks
elementary-videos
epiphany
]);
system.stateVersion = "23.05";
}


@ -1,9 +1,14 @@
{ config, lib, pkgs, outputs, inputs, ... }:
let
{
config,
lib,
pkgs,
outputs,
inputs,
...
}: let
secrets = import ../../configs/secrets.nix;
be = import ../../configs/borg-exclude.nix;
in
{
in {
nixpkgs = {
overlays = [
outputs.overlays.additions
@ -36,7 +41,7 @@ in
defaultSopsFile = ../../secrets-vps-arm.yaml;
validateSopsFiles = true;
age = {
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
};
@ -91,10 +96,12 @@ in
};
interfaces.enp7s0 = {
useDHCP = true;
ipv6.addresses = [{
address = "2a0a:4cc0:1:124c::1";
prefixLength = 64;
}];
ipv6.addresses = [
{
address = "2a0a:4cc0:1:124c::1";
prefixLength = 64;
}
];
};
firewall = {
allowPing = true;
@ -178,7 +185,6 @@ in
};
};
};
};
};
@ -210,10 +216,9 @@ in
mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets.borg-key.path}";
};
extraCreateArgs =
"--stats --verbose --checkpoint-interval 600 --exclude-caches";
extraCreateArgs = "--stats --verbose --checkpoint-interval 600 --exclude-caches";
environment.BORG_RSH = "ssh -i /home/alex/.ssh/id_borg_rsa";
paths = [ "/home/alex" "/var/lib" ];
paths = ["/home/alex" "/var/lib"];
repo = "ssh://u278697-sub3@u278697.your-storagebox.de:23/./borg-arm";
startAt = "daily";
prune.keep = {


@ -1,30 +1,34 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_scsi" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.initrd.availableKernelModules = ["xhci_pci" "virtio_scsi" "sr_mod"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/332b05c2-56cc-4b0b-b906-54b6b87542cd";
fsType = "ext4";
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/332b05c2-56cc-4b0b-b906-54b6b87542cd";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/3D20-21CC";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/3D20-21CC";
fsType = "vfat";
options = ["fmask=0022" "dmask=0022"];
};
swapDevices = [ ];
swapDevices = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,621 +0,0 @@
{ config, lib, pkgs, ... }:
let
secrets = import ../configs/secrets.nix;
be = import ../configs/borg-exclude.nix;
unstable = import <nixos-unstable> { config.allowUnfree = true; };
in
{
imports =
[
/etc/nixos/hardware-configuration.nix
../configs/common-server.nix
];
boot.loader.grub = {
enable = true;
device = "/dev/sda"; # or "nodev" for efi only
};
time.timeZone = "Europe/Berlin";
networking = {
hostName = "vps"; # Define your hostname.
useDHCP = false;
# defaultGateway = {
# "address" = "gw.contabo.net";
# "interface" = "ens18";
# };
defaultGateway6 = {
address = "fe80::1";
interface = "ens18";
};
interfaces.ens18 = {
useDHCP = true;
# ipv4.addresses = [ {
# address = "207.180.220.97";
# prefixLength = 24;
# } ];
ipv6.addresses = [{
address = "2a02:c207:3008:1547::1";
prefixLength = 64;
}];
};
wireguard.interfaces = {
wg0 = {
ips = [ "10.100.0.1/24" ];
listenPort = 51820;
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
'';
privateKey = secrets.wireguard-vps-private;
peers = [
{
publicKey = secrets.wireguard-desktop-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.2/32" ];
}
{
publicKey = secrets.wireguard-mini-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.3/32" "192.168.178.0/24" ];
}
{
publicKey = secrets.wireguard-mbp-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.4/32" ];
}
{
publicKey = secrets.wireguard-phone1-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.5/32" ];
}
{
publicKey = secrets.wireguard-raspberrypi-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.6/32" ];
}
{
publicKey = secrets.wireguard-framework-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.7/32" ];
}
{
publicKey = secrets.wireguard-thinkpad-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.8/32" ];
}
{
publicKey = secrets.wireguard-a53-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.9/32" ];
}
{
publicKey = secrets.wireguard-vps2-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.50/32" ];
}
{
publicKey = secrets.wireguard-vps3-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.100/32" ];
}
];
};
};
nat = {
enable = true;
externalInterface = "ens18";
internalInterfaces = [ "wg0" ];
};
firewall = {
allowPing = true;
allowedTCPPorts = [
80 # web
222 # SSH for gitea
443 # web
9898 # i2p
9899
18080
21114 #Rustdesk
21115 #Rustdesk
21116 #Rustdesk
21117 #Rustdesk
21118 #Rustdesk
21119 #Rustdesk
22000 # syncthing
];
allowedUDPPorts = [
80 # web
443 # web
3478 # headscale
9898 # i2p
21116 # Rustdesk
51820 # wireguard
];
interfaces.wg0 = {
allowedTCPPorts = [
19999 # netdata
2049
4444 # i2p http proxy
61208 # foo
7070 # i2p control
7654 # i2p torrent
];
};
# extraCommands = ''
# iptables -A nixos-fw -p tcp --source 10.100.0.0/24 --dport 19999:19999 -j nixos-fw-accept
# '';
};
};
environment.systemPackages = with pkgs; [
goaccess
xd
nyx
mkp224o
progress
headscale
];
programs = {
mtr.enable = true;
fuse.userAllowOther = true;
nix-ld.enable = true;
};
security.acme = {
defaults.email = "webmaster@szczepan.ski";
acceptTerms = true;
};
services = {
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
clientMaxBodySize = "0";
commonHttpConfig = ''
log_format main '$host $remote_addr - $remote_user [$time_local] $upstream_cache_status "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio" '
'$request_time $upstream_response_time $pipe';
access_log /var/log/nginx/access.log main;
'';
virtualHosts = {
"szczepan.ski" = {
forceSSL = true;
enableACME = true;
globalRedirect = "alexander.szczepan.ski";
};
"ipv6.szczepan.ski" = {
forceSSL = true;
enableACME = true;
globalRedirect = "alexander.szczepan.ski";
};
"alexander.szczepan.ski" = {
forceSSL = true;
enableACME = true;
root = "/var/www/alexander.szczepan.ski";
};
"nextcloud.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8080/";
extraConfig = ''
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
'';
};
"/.well-known/carddav" = {
return = "301 $scheme://$host/remote.php/dav";
};
"/.well-known/caldav" = {
return = "301 $scheme://$host/remote.php/dav";
};
};
};
# "nextcloud.ipv6.szczepan.ski" = {
# forceSSL = true;
# enableACME = true;
# globalRedirect = "nextcloud.szczepan.ski";
# };
"firefly.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = { "/" = { proxyPass = "http://127.0.0.1:8081/"; }; };
};
"etesync.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = { "/" = { proxyPass = "http://127.0.0.1:8082/"; }; };
};
"etesync-web.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = { "/" = { proxyPass = "http://127.0.0.1:8086/"; }; };
};
"etesync-notes.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = { "/" = { proxyPass = "http://127.0.0.1:8087/"; }; };
};
"portainer.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = { "/" = { proxyPass = "http://127.0.0.1:8083/"; }; };
};
"jellyfin.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = { "/" = { proxyPass = "http://127.0.0.1:8085/"; }; };
};
"webdav.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = { "/" = { proxyPass = "http://127.0.0.1:8090/"; }; };
};
"pihole.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = { "/" = { proxyPass = "http://127.0.0.1:8091/"; }; };
};
"git.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = { "/" = { proxyPass = "http://127.0.0.1:8084/"; }; };
};
"torrents.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = { "/" = { proxyPass = "http://127.0.0.1:9091/"; }; };
};
"headscale.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8088/";
proxyWebsockets = true;
};
};
};
"syncthing.szczepan.ski" = {
forceSSL = true;
enableACME = true;
basicAuth = { alex = secrets.nginx-syncthing-password; };
locations = {
"/" = {
extraConfig = ''
proxy_set_header Host localhost;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8384/;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
'';
};
};
};
"homeassistant.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://10.100.0.3:8123/";
proxyWebsockets = true;
};
};
};
"goaccess.szczepan.ski" = {
forceSSL = true;
enableACME = true;
basicAuth = { alex = secrets.nginx-syncthing-password; };
locations = {
"/" = { root = "/var/www/goaccess"; };
"/ws" = {
proxyPass = "http://127.0.0.1:7890/";
proxyWebsockets = true;
};
};
};
"vaultwarden.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8092/";
proxyWebsockets = true;
};
"/notifications/hub" = {
proxyPass = "http://127.0.0.1:3012";
proxyWebsockets = true;
};
"/notifications/hub/negotiate" = {
proxyPass = "http://127.0.0.1:8092/";
proxyWebsockets = true;
};
};
};
};
};
headscale = {
enable = true;
address = "127.0.0.1";
port = 8088;
# dns = { baseDomain = "example.com"; };
settings = {
logtail.enabled = false;
server_url = "https://headscale.szczepan.ski";
ip_prefixes = [
"100.64.0.0/10"
];
dns_config = {
base_domain = "szczepan.ski";
magic_dns = true;
domains = [ "headscale.szczepan.ski" ];
nameservers = [
"1.1.1.1"
"9.9.9.9"
];
};
};
};
tailscale.enable = true;
webdav = {
enable = true;
user = "alex";
group = "users";
settings = {
address = "127.0.0.1";
port = 8090;
scope = "/home/alex/docker/";
modify = true;
auth = true;
users = [{
username = "alex";
password = secrets.webdav-password;
}];
};
};
nfs.server = {
enable = false;
exports = ''
/export 10.100.0.0/24(rw,fsid=0,no_subtree_check)
/export/docker 10.100.0.0/24(rw,nohide,insecure,no_subtree_check)
'';
};
vaultwarden = {
enable = true;
config = {
domain = "https://vaultwarden.szczepan.ski";
signupsAllowed = false;
rocketPort = 8092;
rocketAddress = "127.0.0.1";
# adminToken =
# "jCehRECvxqWmXKMZx3dgtVEdJuqUxXoODEagItTPptBizG9SGQLCpTqjZoBM4ZDa";
websocketEnabled = true;
websocketAddress = "127.0.0.1";
websocketPort = 3012;
};
};
i2pd = {
enable = false;
ifname = "ens18";
address = "207.180.220.97";
# TCP & UDP
port = 9898;
ntcp2.port = 9899;
# websocket = {
# enable = true;
# address = "10.100.0.1";
# };
proto = {
http = {
enable = true;
address = "10.100.0.1";
};
httpProxy = {
enable = true;
address = "10.100.0.1";
};
socksProxy = {
enable = true;
address = "10.100.0.1";
};
i2cp = {
enable = true;
address = "10.100.0.1";
};
sam = { enable = true; };
};
inTunnels = {
foo = {
enable = true;
# keys = "foo-keys.dat";
inPort = 80;
address = "127.0.0.1";
destination = "127.0.0.1";
port = 8008;
};
foo2 = {
enable = true;
# keys = "foo-keys.dat";
inPort = 80;
address = "127.0.0.1";
destination = "127.0.0.1";
port = 8009;
};
};
logLevel = "error";
enableIPv4 = true;
enableIPv6 = true;
};
icecast = {
enable = false;
hostname = "254ryojirydttsaealusydhwyjfe2rpschdaduok4czhg45of6ua.b32.i2p";
listen = {
port = 13337;
address = "127.0.0.1";
};
admin = {
user = "alex";
password = "AaOnwDoZnspv8MszCpZZ1KuR9xXJWIE5";
};
};
davfs2 = {
enable = true;
};
tor = {
enable = true;
# relay = {
# enable = true;
# role = "private-bridge";
# };
# settings = {
# ORPort = 9001;
# ControlPort = 9051;
# };
openFirewall = true;
enableGeoIP = false;
relay.onionServices = {
foo = {
version = 3;
map = [{
port = 80;
target = {
addr = "127.0.0.1";
port = 8008;
};
}];
};
foo2 = {
version = 3;
map = [{
port = 80;
target = {
addr = "127.0.0.1";
port = 8009;
};
}];
};
};
settings = {
ClientUseIPv4 = true;
ClientUseIPv6 = false;
ClientPreferIPv6ORPort = false;
};
};
fail2ban = {
enable = true;
bantime = "7d";
jails = {
sshd = {
settings = {
filter = "sshd";
maxretry = 4;
action = ''iptables[name=ssh, port=ssh, protocol=tcp]'';
enabled = true;
};
};
};
};
netdata.enable = true;
syncthing = {
user = "alex";
group = "users";
enable = true;
dataDir = "/home/alex/syncthing";
configDir = "/home/alex/.config/syncthing";
};
borgbackup.jobs.home = rec {
compression = "auto,zstd";
encryption = {
mode = "repokey-blake2";
passphrase = secrets.borg-key;
};
extraCreateArgs =
"--stats --verbose --checkpoint-interval 600 --exclude-caches";
environment.BORG_RSH = "ssh -i /home/alex/.ssh/id_borg_rsa";
paths = [ "/home/alex" "/var/lib" ];
repo = secrets.borg-repo;
startAt = "daily";
prune.keep = {
daily = 4;
weekly = 2;
monthly = 2;
};
extraPruneArgs = "--save-space --stats";
exclude = [
"/home/alex/storage"
"/home/alex/storagebox"
"/home/alex/docker/jellyfin/data"
"/home/alex/.cache"
"/var/lib/monero"
];
};
autofs = {
enable = true;
autoMaster =
let
mapConf = pkgs.writeText "auto" ''
nextcloud -fstype=davfs,conf=/path/to/davfs/conf,uid=myuid :https\:nextcloud.domain/remote.php/webdav/
'';
in
''
/home/directory/mounts file:${mapConf}
'';
};
};
systemd.services = {
# Limit stack size to reduce memory usage
fail2ban.serviceConfig.LimitSTACK = 256 * 1024;
goaccess = {
description = "GoAccess real-time web log analysis";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
script = "${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.* | ${pkgs.goaccess}/bin/goaccess - -o /var/www/goaccess/index.html --log-format='%v %h %^[%d:%t %^]%^\"%r\" %s %b \"%R\" \"%u\"' --real-time-html --ws-url=wss://goaccess.szczepan.ski:443/ws --port 7890 --time-format \"%H:%M:%S\" --date-format \"%d/%b/%Y\"";
# serviceConfig = {
# ExecStart = "${pkgs.bash}/bin/bash -c "${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.* | ${pkgs.goaccess}/bin/goaccess -o /var/www/goaccess/index.html --log-format='%v %h %^[%d:%t %^]%^\"%r\" %s %b \"%R\" \"%u\"' --real-time-html --ws-url=wss://goaccess.szczepan.ski:443/ws --port 7890 --time-format \"%H:%M:%S\" --date-format \"%d/%b/%Y\"'";
# # ExecStop = "/bin/kill -9 ${MAINPID}";
# };
};
};
system.stateVersion = "24.05";
}