desktop-2024-11-03-09-13-27

Alexander Szczepanski
2024-11-03 09:13:27 +01:00
parent 4160c3408f
commit ed7833b3e9
38 changed files with 525 additions and 1245 deletions


@ -1,12 +1,14 @@
{ config, pkgs, lib, ... }:
{ {
config,
pkgs,
lib,
...
}: {
programs.firefox = { programs.firefox = {
enable = true; enable = true;
# nativeMessagingHosts.packages = with pkgs; [ uget-integrator ];
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
# uget
brave brave
librewolf librewolf
tor-browser-bundle-bin tor-browser-bundle-bin


@ -1,9 +1,13 @@
{ config, lib, pkgs, ... }:
{ {
imports = [ ../configs/common.nix ../configs/docker.nix ../configs/user.nix ]; config,
lib,
pkgs,
...
}: {
imports = [../configs/common.nix ../configs/docker.nix ../configs/user.nix];
fileSystems."/export/docker" = { fileSystems."/export/docker" = {
device = "/home/alex/docker"; device = "/home/alex/docker";
options = [ "bind" ]; options = ["bind"];
}; };
} }


@ -1,5 +1,10 @@
{ config, pkgs, lib, ... }:
{ {
config,
pkgs,
lib,
inputs,
...
}: {
boot = { boot = {
tmp = { tmp = {
useTmpfs = lib.mkDefault true; useTmpfs = lib.mkDefault true;
@ -7,7 +12,7 @@
}; };
# kernelParams = [ "quiet" ]; # kernelParams = [ "quiet" ];
consoleLogLevel = 0; consoleLogLevel = 0;
kernel.sysctl = { "vm.max_map_count" = 262144; }; kernel.sysctl = {"vm.max_map_count" = 262144;};
# initrd.systemd.enable = (!config.boot.swraid.enable && !config.boot.isContainer); # initrd.systemd.enable = (!config.boot.swraid.enable && !config.boot.isContainer);
}; };
@ -18,7 +23,7 @@
# Don't install the /lib/ld-linux.so.2 stub. This saves one instance of nixpkgs. # Don't install the /lib/ld-linux.so.2 stub. This saves one instance of nixpkgs.
ldso32 = null; ldso32 = null;
shells = with pkgs; [ bashInteractive zsh ]; shells = with pkgs; [bashInteractive zsh];
systemPackages = with pkgs; [ systemPackages = with pkgs; [
ack ack
@ -64,8 +69,10 @@
nil nil
nix-du nix-du
nix-tree nix-tree
nixpkgs-fmt nixd
alejandra
parallel parallel
pciutils pciutils
@ -74,8 +81,6 @@
unzip unzip
usbutils usbutils
wget wget
comma
]; ];
}; };
@ -88,7 +93,7 @@
}; };
networking = { networking = {
nameservers = [ "127.0.0.1" ]; nameservers = ["127.0.0.1"];
# If using dhcpcd: # If using dhcpcd:
dhcpcd.extraConfig = "nohook resolv.conf"; dhcpcd.extraConfig = "nohook resolv.conf";
# If using NetworkManager: # If using NetworkManager:
@ -107,14 +112,15 @@
}; };
nix = { nix = {
nixPath = ["nixpkgs=${inputs.nixpkgs-unstable}"];
channel.enable = false; channel.enable = false;
settings = { settings = {
auto-optimise-store = true; auto-optimise-store = true;
experimental-features = [ "nix-command" "flakes" ]; experimental-features = ["nix-command" "flakes"];
connect-timeout = 5; connect-timeout = 5;
log-lines = 25; log-lines = 25;
max-free = (3000 * 1024 * 1024); max-free = 3000 * 1024 * 1024;
min-free = (512 * 1024 * 1024); min-free = 512 * 1024 * 1024;
builders-use-substitutes = true; builders-use-substitutes = true;
}; };
@ -134,17 +140,16 @@
}; };
ssh.knownHosts = { ssh.knownHosts = {
"github.com".hostNames = [ "github.com" ]; "github.com".hostNames = ["github.com"];
"github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl"; "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
"u278697.your-storagebox.de".hostNames = [ "u278697.your-storagebox.de" ]; "u278697.your-storagebox.de".hostNames = ["u278697.your-storagebox.de"];
"u278697.your-storagebox.de".publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw=="; "u278697.your-storagebox.de".publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw==";
# [u278697.your-storagebox.de]:23 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs # [u278697.your-storagebox.de]:23 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs
# [u278697.your-storagebox.de]:23 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw== # [u278697.your-storagebox.de]:23 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw==
# [u278697.your-storagebox.de]:23 ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGK0po6usux4Qv2d8zKZN1dDvbWjxKkGsx7XwFdSUCnF19Q8psHEUWR7C/LtSQ5crU/g+tQVRBtSgoUcE8T+FWp5wBxKvWG2X9gD+s9/4zRmDeSJR77W6gSA/+hpOZoSE+4KgNdnbYSNtbZH/dN74EG7GLb/gcIpbUUzPNXpfKl7mQitw== # [u278697.your-storagebox.de]:23 ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGK0po6usux4Qv2d8zKZN1dDvbWjxKkGsx7XwFdSUCnF19Q8psHEUWR7C/LtSQ5crU/g+tQVRBtSgoUcE8T+FWp5wBxKvWG2X9gD+s9/4zRmDeSJR77W6gSA/+hpOZoSE+4KgNdnbYSNtbZH/dN74EG7GLb/gcIpbUUzPNXpfKl7mQitw==
}; };
}; };
services = { services = {
@ -195,7 +200,7 @@
}; };
}; };
journald = { extraConfig = "SystemMaxUse=500M"; }; journald = {extraConfig = "SystemMaxUse=500M";};
}; };
# The notion of "online" is a broken concept # The notion of "online" is a broken concept
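Review bot: The active `ssh.knownHosts` pin for `u278697.your-storagebox.de` names only the bare hostname with an `ssh-rsa` key, while the `[u278697.your-storagebox.de]:23` lines, including the ed25519 one, remain commented out. If backups reach this host on port 23, the pin presumably depends on OpenSSH falling back to the port-less entry and on an RSA host key being negotiated. Listing the port form explicitly, e.g. `hostNames = ["u278697.your-storagebox.de" "[u278697.your-storagebox.de]:23"];`, and adding a second entry for the ed25519 key would remove that dependency. The enclosing block begins outside the hunk, so this assumes these lines sit under `programs.ssh`.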


@ -1,5 +1,8 @@
{ config, pkgs, ... }:
{ {
config,
pkgs,
...
}: {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
insomnia insomnia
meld meld


@ -1,6 +1,9 @@
{ config, pkgs, lib, ... }:
{ {
config,
pkgs,
lib,
...
}: {
virtualisation = { virtualisation = {
docker = { docker = {
enable = true; enable = true;


@ -1,6 +1,11 @@
{ config, pkgs, lib, outputs, ... }:
{ {
users.extraGroups.gamemode.members = [ "alex" ]; config,
pkgs,
lib,
outputs,
...
}: {
users.extraGroups.gamemode.members = ["alex"];
programs = { programs = {
gamescope = { gamescope = {


@ -1,5 +1,9 @@
{ config, pkgs, lib, ... }:
{ {
config,
pkgs,
lib,
...
}: {
services = { services = {
fwupd.enable = true; fwupd.enable = true;
}; };


@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }: { {
config,
pkgs,
lib,
...
}: {
programs = { programs = {
dconf.enable = true; dconf.enable = true;
kdeconnect.enable = true; kdeconnect.enable = true;


@ -1,60 +0,0 @@
{ config, pkgs, lib, ... }: {
programs = {
dconf.enable = true;
kdeconnect.enable = true;
};
environment = {
plasma6.excludePackages = with pkgs.kdePackages; [
plasma-browser-integration
konsole
oxygen
kate
];
systemPackages = with pkgs; [
kdePackages.ksshaskpass
kdePackages.kde-gtk-config
kdePackages.breeze-gtk
kdePackages.partitionmanager
kdePackages.filelight
kdePackages.plasma-disks
kdePackages.kalk
krusader
ktimetracker
kdiff3
kdiskmark
];
};
services = {
desktopManager.plasma6.enable = true;
displayManager = {
defaultSession = "plasmax11";
sddm = {
enable = true;
# wayland.enable = true;
};
};
xserver = {
enable = true;
excludePackages = [ pkgs.xterm ];
xkb.layout = "us";
# Enable touchpad support.
updateDbusEnvironment = true;
};
libinput.enable = true;
};
programs = {
ssh = {
startAgent = true;
askPassword = pkgs.lib.mkForce "${pkgs.kdePackages.ksshaskpass}/bin/ksshaskpass";
};
};
}


@ -1,9 +1,13 @@
{ config, pkgs, lib, ... }:
{ {
config,
pkgs,
lib,
...
}: {
services = { services = {
printing = { printing = {
enable = true; enable = true;
drivers = [ pkgs.brlaser ]; drivers = [pkgs.brlaser];
}; };
}; };
} }


@ -1,9 +1,14 @@
{ config, pkgs, inputs, home-manager, ... }:
{ {
imports = [ inputs.home-manager.nixosModules.home-manager ]; config,
pkgs,
inputs,
home-manager,
...
}: {
imports = [inputs.home-manager.nixosModules.home-manager];
networking = { networking = {
firewall.enable = false; firewall.enable = false;
networkmanager = { enable = true; }; networkmanager = {enable = true;};
}; };
fonts = { fonts = {
@ -11,7 +16,7 @@
fontDir.enable = true; fontDir.enable = true;
packages = with pkgs; [ packages = with pkgs; [
(nerdfonts.override { fonts = [ "Meslo" "RobotoMono"]; }) (nerdfonts.override {fonts = ["Meslo" "RobotoMono"];})
corefonts corefonts
google-fonts google-fonts
liberation_ttf liberation_ttf
@ -40,7 +45,7 @@
programs = { programs = {
adb.enable = true; adb.enable = true;
ssh = { startAgent = true; }; ssh = {startAgent = true;};
# dconf.enable = true; # dconf.enable = true;
# gnupg.agent = { # gnupg.agent = {
# enable = true; # enable = true;
@ -65,7 +70,7 @@
shotcut shotcut
]; ];
home-manager.users.alex = { pkgs, ... }: { home-manager.users.alex = {pkgs, ...}: {
programs = { programs = {
vscode = { vscode = {
enable = true; enable = true;
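Review bot: `firewall.enable = false;` in the `networking` block of the first hunk turns the NixOS packet filter off wherever this profile is imported, while the same file enables NetworkManager and `adb`, so any listening service is reachable from whatever network the host joins. If this is deliberate, a one-line comment saying why would keep a later reader from guessing. Otherwise set `firewall.enable = true;` and open only the ports that are needed with `networking.firewall.allowedTCPPorts`.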


@ -1,5 +1,10 @@
{ config, pkgs, lib, inputs, ... }: {
let config,
pkgs,
lib,
inputs,
...
}: let
serviceConfig = { serviceConfig = {
MountAPIVFS = true; MountAPIVFS = true;
PrivateTmp = true; PrivateTmp = true;
@ -12,8 +17,7 @@ let
ProtectSystem = "full"; ProtectSystem = "full";
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
}; };
in in {
{
imports = [ imports = [
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
{ {
@ -60,9 +64,9 @@ in
nix-ld.enable = true; nix-ld.enable = true;
}; };
environment.pathsToLink = [ "/share/zsh" ]; environment.pathsToLink = ["/share/zsh"];
home-manager.users.alex = { pkgs, ... }: { home-manager.users.alex = {pkgs, ...}: {
home = { home = {
stateVersion = "24.11"; stateVersion = "24.11";
packages = with pkgs; [ packages = with pkgs; [
@ -71,7 +75,6 @@ in
git-secret git-secret
kubectl kubectl
neofetch neofetch
nixfmt-classic
pstree pstree
qrencode qrencode
ranger ranger
@ -83,9 +86,9 @@ in
nix-output-monitor nix-output-monitor
]; ];
sessionPath = [ "$HOME/.npm-packages" "$HOME/.bin" ]; sessionPath = ["$HOME/.npm-packages" "$HOME/.bin"];
file = { file = {
".npmrc" = { source = ../home/npmrc; }; ".npmrc" = {source = ../home/npmrc;};
".bin/git-redate" = { ".bin/git-redate" = {
executable = true; executable = true;
source = ../home/bin/git-redate; source = ../home/bin/git-redate;
@ -104,14 +107,14 @@ in
serverAliveInterval = 60; serverAliveInterval = 60;
forwardAgent = true; forwardAgent = true;
matchBlocks."szczepan.ski" = { hostname = "szczepan.ski"; }; matchBlocks."szczepan.ski" = {hostname = "szczepan.ski";};
matchBlocks."mini" = { hostname = "mini"; }; matchBlocks."mini" = {hostname = "mini";};
matchBlocks."nixos-vm" = { matchBlocks."nixos-vm" = {
hostname = "127.0.0.1"; hostname = "127.0.0.1";
port = 1337; port = 1337;
}; };
matchBlocks."thinkpad" = { hostname = "thinkpad"; }; matchBlocks."thinkpad" = {hostname = "thinkpad";};
}; };
git = { git = {
@ -119,10 +122,10 @@ in
userName = "Alexander Szczepanski"; userName = "Alexander Szczepanski";
userEmail = "alexander@szczepan.ski"; userEmail = "alexander@szczepan.ski";
extraConfig = { extraConfig = {
core = { autocrlf = false; }; core = {autocrlf = false;};
color = { ui = "auto"; }; color = {ui = "auto";};
push = { default = "current"; }; push = {default = "current";};
pull = { rebase = true; }; pull = {rebase = true;};
}; };
}; };
@ -133,8 +136,7 @@ in
syntaxHighlighting.enable = true; syntaxHighlighting.enable = true;
oh-my-zsh = { oh-my-zsh = {
enable = true; enable = true;
plugins = plugins = ["cp" "common-aliases" "docker" "systemd" "wd" "kubectl" "git"];
[ "cp" "common-aliases" "docker" "systemd" "wd" "kubectl" "git" ];
}; };
plugins = [ plugins = [
{ {
@ -149,8 +151,7 @@ in
} }
]; ];
shellAliases = { shellAliases = {
active-services = active-services = "systemctl --no-page --no-legend --plain -t service --state=running";
"systemctl --no-page --no-legend --plain -t service --state=running";
db = "sudo updatedb"; db = "sudo updatedb";
"-g C" = "| wc -l"; "-g C" = "| wc -l";
"-g G" = "| grep --ignore-case"; "-g G" = "| grep --ignore-case";
@ -165,7 +166,7 @@ in
}; };
}; };
tmux = { enable = true; }; tmux = {enable = true;};
}; };
}; };
} }
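Review bot: `forwardAgent = true;` in the ssh hunk sits beside `serverAliveInterval`, outside any `matchBlocks` entry, so it appears to apply to every host this user connects to, and root on any of those hosts can use the forwarded agent for as long as the session lasts. Scope it to the hosts that need it, e.g. `matchBlocks."mini" = {hostname = "mini"; forwardAgent = true;};`, and leave the global default off. The enclosing `programs.ssh` block begins outside the hunk, so confirm there is no narrower scope above these lines.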


@ -1,6 +1,5 @@
{ pkgs, ... }: {pkgs, ...}: {
{ users.extraGroups.vboxusers.members = ["alex"];
users.extraGroups.vboxusers.members = [ "alex" ];
virtualisation = { virtualisation = {
virtualbox.host = { virtualbox.host = {


@ -17,7 +17,6 @@
inputs.nixpkgs.follows = "nixpkgs-unstable"; inputs.nixpkgs.follows = "nixpkgs-unstable";
}; };
# Home manager
home-manager = { home-manager = {
url = "github:nix-community/home-manager/master"; url = "github:nix-community/home-manager/master";
inputs.nixpkgs.follows = "nixpkgs-unstable"; inputs.nixpkgs.follows = "nixpkgs-unstable";
@ -29,27 +28,20 @@
}; };
impermanence.url = "github:nix-community/impermanence"; impermanence.url = "github:nix-community/impermanence";
# nixos-cosmic = {
# url = "github:lilyinstarlight/nixos-cosmic";
# inputs.nixpkgs.follows = "nixpkgs-unstable";
# };
}; };
outputs = outputs = {
{ self self,
, chaotic chaotic,
, fw-fanctrl fw-fanctrl,
, home-manager home-manager,
, nixos-hardware nixos-hardware,
, nixpkgs-stable nixpkgs-stable,
, nixpkgs-unstable nixpkgs-unstable,
, sops-nix sops-nix,
# , nixos-cosmic impermanence,
, impermanence ...
, ... } @ inputs: let
} @ inputs:
let
inherit (self) outputs; inherit (self) outputs;
nixpkgs = nixpkgs-unstable; nixpkgs = nixpkgs-unstable;
@ -65,24 +57,13 @@
# This is a function that generates an attribute by calling a function you # This is a function that generates an attribute by calling a function you
# pass to it, with each system as an argument # pass to it, with each system as an argument
forAllSystems = nixpkgs.lib.genAttrs systems; forAllSystems = nixpkgs.lib.genAttrs systems;
in {
# cosmic-modules = [ overlays = import ./overlays {inherit inputs;};
# {
# nix.settings = {
# substituters = [ "https://cosmic.cachix.org/" ];
# trusted-public-keys = [ "cosmic.cachix.org-1:Dya9IyXD4xdBehWjrkPv6rtxpmMdRel02smYzA85dPE=" ];
# };
# }
# nixos-cosmic.nixosModules.default
# ];
in
{
overlays = import ./overlays { inherit inputs; };
nixosConfigurations = { nixosConfigurations = {
desktop = nixpkgs.lib.nixosSystem { desktop = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = { inherit inputs outputs; }; specialArgs = {inherit inputs outputs;};
modules = [ modules = [
impermanence.nixosModules.impermanence impermanence.nixosModules.impermanence
chaotic.nixosModules.default # OUR DEFAULT MODULE chaotic.nixosModules.default # OUR DEFAULT MODULE
@ -97,7 +78,7 @@
framework = nixpkgs.lib.nixosSystem { framework = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = { inherit inputs outputs; }; specialArgs = {inherit inputs outputs;};
modules = [ modules = [
fw-fanctrl.nixosModules.default fw-fanctrl.nixosModules.default
./machine/framework/configuration.nix ./machine/framework/configuration.nix
@ -107,7 +88,7 @@
vps-arm = nixpkgs.lib.nixosSystem { vps-arm = nixpkgs.lib.nixosSystem {
system = "aarch64-linux"; system = "aarch64-linux";
specialArgs = { inherit inputs outputs; }; specialArgs = {inherit inputs outputs;};
modules = [ modules = [
./machine/vps-arm/configuration.nix ./machine/vps-arm/configuration.nix
]; ];
@ -115,7 +96,7 @@
mini = nixpkgs.lib.nixosSystem { mini = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = { inherit inputs outputs; }; specialArgs = {inherit inputs outputs;};
modules = [ modules = [
./machine/mini/configuration.nix ./machine/mini/configuration.nix
]; ];
@ -123,7 +104,7 @@
nixos-virtualbox = nixpkgs.lib.nixosSystem { nixos-virtualbox = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = { inherit inputs outputs; }; specialArgs = {inherit inputs outputs;};
modules = [ modules = [
impermanence.nixosModules.impermanence impermanence.nixosModules.impermanence
sops-nix.nixosModules.sops sops-nix.nixosModules.sops


@ -1,8 +1,12 @@
{ config, pkgs, inputs, outputs, ... }:
let
be = import ../../configs/borg-exclude.nix;
in
{ {
config,
pkgs,
inputs,
outputs,
...
}: let
be = import ../../configs/borg-exclude.nix;
in {
nixpkgs = { nixpkgs = {
overlays = [ overlays = [
(self: super: { (self: super: {
@ -24,7 +28,6 @@ in
hash = "sha256-zQK1tuxu2ZmKxPO0amkfcT/RFBSkU2pWD0qhGyCCHXI="; hash = "sha256-zQK1tuxu2ZmKxPO0amkfcT/RFBSkU2pWD0qhGyCCHXI=";
}) })
]; ];
}); });
}); });
}) })
@ -52,7 +55,7 @@ in
defaultSopsFile = ../../secrets.yaml; defaultSopsFile = ../../secrets.yaml;
validateSopsFiles = true; validateSopsFiles = true;
age = { age = {
sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ]; sshKeyPaths = ["/persist/etc/ssh/ssh_host_ed25519_key"];
keyFile = "/persist/var/lib/sops-nix/key.txt"; keyFile = "/persist/var/lib/sops-nix/key.txt";
generateKey = true; generateKey = true;
}; };
@ -78,8 +81,8 @@ in
"kvm" "kvm"
"gccarch-znver3" "gccarch-znver3"
]; ];
trusted-substituters = [ "https://ai.cachix.org" ]; trusted-substituters = ["https://ai.cachix.org"];
trusted-public-keys = [ "ai.cachix.org-1:N9dzRK+alWwoKXQlnn0H6aUx0lU/mspIoz8hMvGvbbc=" ]; trusted-public-keys = ["ai.cachix.org-1:N9dzRK+alWwoKXQlnn0H6aUx0lU/mspIoz8hMvGvbbc="];
}; };
chaotic.nyx.cache.enable = false; chaotic.nyx.cache.enable = false;
@ -99,14 +102,14 @@ in
configurationLimit = 5; configurationLimit = 5;
useOSProber = true; useOSProber = true;
}; };
efi = { canTouchEfiVariables = true; }; efi = {canTouchEfiVariables = true;};
}; };
tmp.useTmpfs = false; tmp.useTmpfs = false;
supportedFilesystems = [ "btrfs" ]; supportedFilesystems = ["btrfs"];
kernelPackages = pkgs.pkgs.linuxPackages_cachyos; kernelPackages = pkgs.pkgs.linuxPackages_cachyos;
kernelModules = [ "nct6775" ]; kernelModules = ["nct6775"];
extraModulePackages = with pkgs.pkgs.linuxPackages_cachyos; [ ryzen-smu ]; extraModulePackages = with pkgs.pkgs.linuxPackages_cachyos; [ryzen-smu];
# kernelParams = [ "clearcpuid=514" ]; # kernelParams = [ "clearcpuid=514" ];
# kernelParams = [ "amdgpu.ppfeaturemask=0xffffffff" ]; # kernelParams = [ "amdgpu.ppfeaturemask=0xffffffff" ];
# kernelPatches = [{ # kernelPatches = [{
@ -168,9 +171,9 @@ in
systemd.services = { systemd.services = {
monitor = { monitor = {
description = "AMDGPU Control Daemon"; description = "AMDGPU Control Daemon";
wantedBy = [ "multi-user.target" ]; wantedBy = ["multi-user.target"];
after = [ "multi-user.target" ]; after = ["multi-user.target"];
serviceConfig = { ExecStart = "${pkgs.lact}/bin/lact daemon"; }; serviceConfig = {ExecStart = "${pkgs.lact}/bin/lact daemon";};
}; };
}; };
@ -301,7 +304,6 @@ in
"read only" = "no"; "read only" = "no";
"create mask" = "0644"; "create mask" = "0644";
"directory mask" = "0755"; "directory mask" = "0755";
}; };
}; };
}; };
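Review bot: `trusted-public-keys` in the Nix settings hunk adds the `ai.cachix.org-1` key with no comment on what needs it; a key in this list is accepted for any store path it signs, so the cache's operator becomes part of this machine's trust base. A short comment naming what relies on the cache and where the key came from would let a later reader decide whether it can be dropped, for example `# ai.cachix.org: prebuilt <package> only; key copied from <source>`. The settings block begins outside the hunk.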


@ -1,60 +1,63 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = config,
[ lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "uas" "usb_storage" "usbhid" "sd_mod" ]; boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "uas" "usb_storage" "usbhid" "sd_mod"];
boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.initrd.kernelModules = ["dm-snapshot"];
boot.kernelModules = [ "kvm-amd" ]; boot.kernelModules = ["kvm-amd"];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [];
fileSystems = { fileSystems = {
"/" = { "/" = {
device = "/dev/disk/by-uuid/87c6b0fb-b921-47d5-a3a1-4b4c0a4f02ad"; device = "/dev/disk/by-uuid/87c6b0fb-b921-47d5-a3a1-4b4c0a4f02ad";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=root" "discard=async" "compress=zstd" "noatime" ]; options = ["subvol=root" "discard=async" "compress=zstd" "noatime"];
}; };
"/home" = { "/home" = {
device = "/dev/disk/by-uuid/87c6b0fb-b921-47d5-a3a1-4b4c0a4f02ad"; device = "/dev/disk/by-uuid/87c6b0fb-b921-47d5-a3a1-4b4c0a4f02ad";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=home" "discard=async" "compress=zstd" "noatime" ]; options = ["subvol=home" "discard=async" "compress=zstd" "noatime"];
}; };
"/nix" = { "/nix" = {
device = "/dev/disk/by-uuid/87c6b0fb-b921-47d5-a3a1-4b4c0a4f02ad"; device = "/dev/disk/by-uuid/87c6b0fb-b921-47d5-a3a1-4b4c0a4f02ad";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=nix" "discard=async" "compress=zstd" "noatime" ]; options = ["subvol=nix" "discard=async" "compress=zstd" "noatime"];
}; };
"/persist" = { "/persist" = {
device = "/dev/disk/by-uuid/87c6b0fb-b921-47d5-a3a1-4b4c0a4f02ad"; device = "/dev/disk/by-uuid/87c6b0fb-b921-47d5-a3a1-4b4c0a4f02ad";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=persist" "discard=async" "compress=zstd" "noatime" ]; options = ["subvol=persist" "discard=async" "compress=zstd" "noatime"];
neededForBoot = true; neededForBoot = true;
}; };
"/var/log" = { "/var/log" = {
device = "/dev/disk/by-uuid/87c6b0fb-b921-47d5-a3a1-4b4c0a4f02ad"; device = "/dev/disk/by-uuid/87c6b0fb-b921-47d5-a3a1-4b4c0a4f02ad";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=log" "discard=async" "compress=zstd" "noatime" ]; options = ["subvol=log" "discard=async" "compress=zstd" "noatime"];
neededForBoot = true; neededForBoot = true;
}; };
"/boot" = { "/boot" = {
device = "/dev/disk/by-uuid/4339-5A4C"; device = "/dev/disk/by-uuid/4339-5A4C";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ]; options = ["fmask=0022" "dmask=0022"];
}; };
}; };
swapDevices = [{ device = "/dev/disk/by-uuid/831be7b8-5b1b-4bda-a27d-5a1c4efb2c4d"; }]; swapDevices = [{device = "/dev/disk/by-uuid/831be7b8-5b1b-4bda-a27d-5a1c4efb2c4d";}];
networking.useDHCP = lib.mkDefault true; networking.useDHCP = lib.mkDefault true;
# nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; # nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";


@ -1,8 +1,13 @@
{ config, pkgs, lib, outputs, inputs, ... }:
let
be = import ../../configs/borg-exclude.nix;
in
{ {
config,
pkgs,
lib,
outputs,
inputs,
...
}: let
be = import ../../configs/borg-exclude.nix;
in {
nixpkgs = { nixpkgs = {
overlays = [ overlays = [
outputs.overlays.additions outputs.overlays.additions
@ -34,7 +39,7 @@ in
defaultSopsFile = ../../secrets.yaml; defaultSopsFile = ../../secrets.yaml;
validateSopsFiles = true; validateSopsFiles = true;
age = { age = {
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
keyFile = "/var/lib/sops-nix/key.txt"; keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true; generateKey = true;
}; };
@ -63,13 +68,13 @@ in
configurationLimit = 5; configurationLimit = 5;
enableCryptodisk = true; enableCryptodisk = true;
}; };
efi = { canTouchEfiVariables = true; }; efi = {canTouchEfiVariables = true;};
}; };
supportedFilesystems = [ "btrfs" ]; supportedFilesystems = ["btrfs"];
# kernelPatches = [{ # kernelPatches = [{
# name = "fix problems with netfilter in 6.11.4"; # name = "fix problems with netfilter in 6.11.4";
# patch = ../../kernelpatches/fix-netfilter-6.11.4.patch; # patch = ../../kernelpatches/fix-netfilter-6.11.4.patch;
# }]; # }];
tmp.useTmpfs = false; tmp.useTmpfs = false;
}; };
@ -103,12 +108,30 @@ in
fanSpeedUpdateFrequency = 5; fanSpeedUpdateFrequency = 5;
movingAverageInterval = 30; movingAverageInterval = 30;
speedCurve = [ speedCurve = [
{ temp = 0; speed = 15; } {
{ temp = 50; speed = 15; } temp = 0;
{ temp = 65; speed = 25; } speed = 15;
{ temp = 70; speed = 35; } }
{ temp = 75; speed = 50; } {
{ temp = 85; speed = 100; } temp = 50;
speed = 15;
}
{
temp = 65;
speed = 25;
}
{
temp = 70;
speed = 35;
}
{
temp = 75;
speed = 50;
}
{
temp = 85;
speed = 100;
}
]; ];
}; };
}; };
@ -120,7 +143,7 @@ in
enableAllFirmware = true; enableAllFirmware = true;
openrazer = { openrazer = {
enable = true; enable = true;
users = [ "alex" ]; users = ["alex"];
}; };
graphics = { graphics = {
@ -148,7 +171,7 @@ in
btrfs.autoScrub = { btrfs.autoScrub = {
enable = true; enable = true;
interval = "monthly"; interval = "monthly";
fileSystems = [ "/home/alex/shared/storage" ]; fileSystems = ["/home/alex/shared/storage"];
}; };
pipewire = { pipewire = {
@ -164,10 +187,9 @@ in
mode = "repokey-blake2"; mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets.borg-key.path}"; passCommand = "cat ${config.sops.secrets.borg-key.path}";
}; };
extraCreateArgs = extraCreateArgs = "--stats --verbose --checkpoint-interval 600 --exclude-caches";
"--stats --verbose --checkpoint-interval 600 --exclude-caches";
environment.BORG_RSH = "ssh -i /home/alex/.ssh/id_borg_ed25519"; environment.BORG_RSH = "ssh -i /home/alex/.ssh/id_borg_ed25519";
paths = [ "/home/alex" "/var/lib" ]; paths = ["/home/alex" "/var/lib"];
repo = "ssh://u278697-sub9@u278697.your-storagebox.de:23/./borg"; repo = "ssh://u278697-sub9@u278697.your-storagebox.de:23/./borg";
startAt = "daily"; startAt = "daily";
prune.keep = { prune.keep = {
@ -194,7 +216,7 @@ in
# systemd.services.nix-daemon.serviceConfig.LimitNOFILE = 40960; # systemd.services.nix-daemon.serviceConfig.LimitNOFILE = 40960;
environment = { environment = {
sessionVariables = { LIBVA_DRIVER_NAME = "iHD"; }; # Force intel-media-driver sessionVariables = {LIBVA_DRIVER_NAME = "iHD";}; # Force intel-media-driver
systemPackages = with pkgs; [ systemPackages = with pkgs; [
# psensor # psensor
mission-center mission-center
@ -232,7 +254,7 @@ in
# Resume Offset is offset of swapfile # Resume Offset is offset of swapfile
# https://wiki.archlinux.org/title/Power_management/Suspend_and_hibernate#Hibernation_into_swap_file # https://wiki.archlinux.org/title/Power_management/Suspend_and_hibernate#Hibernation_into_swap_file
# boot.kernelParams = [ "mem_sleep_default=deep" "resume_offset=190937088" ]; # boot.kernelParams = [ "mem_sleep_default=deep" "resume_offset=190937088" ];
boot.kernelParams = [ "mem_sleep_default=deep" ]; boot.kernelParams = ["mem_sleep_default=deep"];
# Suspend-then-hibernate everywhere # Suspend-then-hibernate everywhere
services.logind = { services.logind = {


@ -1,11 +1,14 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = config,
[ lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
]; ];
@ -16,9 +19,9 @@
"usb_storage" "usb_storage"
"sd_mod" "sd_mod"
]; ];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [];
fileSystems = { fileSystems = {
"/" = { "/" = {
@ -68,7 +71,7 @@
"/boot" = { "/boot" = {
device = "/dev/disk/by-uuid/427A-97BA"; device = "/dev/disk/by-uuid/427A-97BA";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ]; options = ["fmask=0022" "dmask=0022"];
}; };
"/home/alex/shared/storage" = { "/home/alex/shared/storage" = {
device = "/dev/disk/by-uuid/58259976-4f63-4f60-a755-7870b08286e7"; device = "/dev/disk/by-uuid/58259976-4f63-4f60-a755-7870b08286e7";
@ -94,9 +97,11 @@
''; '';
# boot.initrd.luks.devices."luks-e36ec189-2211-4bcc-bb9d-46650443d76b".device = "/dev/disk/by-uuid/e36ec189-2211-4bcc-bb9d-46650443d76b"; # boot.initrd.luks.devices."luks-e36ec189-2211-4bcc-bb9d-46650443d76b".device = "/dev/disk/by-uuid/e36ec189-2211-4bcc-bb9d-46650443d76b";
swapDevices = [{ swapDevices = [
{
device = "/dev/disk/by-uuid/9f90bae0-287b-480c-9aa1-de108b4b4626"; device = "/dev/disk/by-uuid/9f90bae0-287b-480c-9aa1-de108b4b4626";
}]; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,7 +1,12 @@
{ config, pkgs, inputs, outputs, ... }: {
let secrets = import ../../configs/secrets.nix; config,
pkgs,
inputs,
outputs,
...
}: let
secrets = import ../../configs/secrets.nix;
in { in {
nixpkgs = { nixpkgs = {
overlays = [ overlays = [
outputs.overlays.additions outputs.overlays.additions
@ -33,18 +38,23 @@ in {
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
}; };
extraModulePackages = with pkgs.linuxPackages; [ rtl88x2bu ]; extraModulePackages = with pkgs.linuxPackages; [rtl88x2bu];
}; };
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
networking = { networking = {
hostName = "mini"; hostName = "mini";
useDHCP = false; useDHCP = false;
firewall = { enable = false; }; firewall = {enable = false;};
interfaces = { interfaces = {
enp3s0.useDHCP = true; enp3s0.useDHCP = true;
# wlp0s20u1u1.useDHCP = true; # wlp0s20u1u1.useDHCP = true;
wlp0s20u1u2.ipv4.addresses = [{ address = "192.168.12.1"; prefixLength = 24; }]; wlp0s20u1u2.ipv4.addresses = [
{
address = "192.168.12.1";
prefixLength = 24;
}
];
}; };
nftables.enable = true; nftables.enable = true;
@ -84,7 +94,6 @@ in {
# networks.Skynet.psk = secrets.wifipassword; # networks.Skynet.psk = secrets.wifipassword;
# interfaces = [ "wlp0s20u1u1" ]; # interfaces = [ "wlp0s20u1u1" ];
# }; # };
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
@ -111,10 +120,9 @@ in {
networks.wlp0s20u1u2 = { networks.wlp0s20u1u2 = {
ssid = "Skynet-Tor"; ssid = "Skynet-Tor";
authentication.saePasswords = [ authentication.saePasswords = [
{ password = "REMOVED_OLD_PASSWORD_FROM_HISTORY"; } {password = "REMOVED_OLD_PASSWORD_FROM_HISTORY";}
]; ];
}; };
}; };
}; };
}; };
@ -196,11 +204,9 @@ in {
mode = "repokey-blake2"; mode = "repokey-blake2";
passphrase = secrets.borg-key; passphrase = secrets.borg-key;
}; };
extraCreateArgs = extraCreateArgs = "--list --stats --verbose --checkpoint-interval 600 --exclude-caches";
"--list --stats --verbose --checkpoint-interval 600 --exclude-caches"; environment.BORG_RSH = "ssh -o StrictHostKeyChecking=no -i /home/alex/.ssh/id_ed25519";
environment.BORG_RSH = paths = ["/home/alex" "/var/lib"];
"ssh -o StrictHostKeyChecking=no -i /home/alex/.ssh/id_ed25519";
paths = [ "/home/alex" "/var/lib" ];
repo = secrets.borg-repo; repo = secrets.borg-repo;
startAt = "daily"; startAt = "daily";
prune.keep = { prune.keep = {
@ -209,7 +215,7 @@ in {
monthly = 6; monthly = 6;
}; };
extraPruneArgs = "--save-space --list --stats"; extraPruneArgs = "--save-space --list --stats";
exclude = [ "/home/alex/.cache" ]; exclude = ["/home/alex/.cache"];
}; };
}; };


@ -1,34 +1,33 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = config,
[ lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
]; ];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ]; boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod"];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [];
fileSystems."/" = fileSystems."/" = {
{
device = "/dev/disk/by-uuid/8be3b4e5-7219-4427-bba4-340f1dc4b868"; device = "/dev/disk/by-uuid/8be3b4e5-7219-4427-bba4-340f1dc4b868";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = fileSystems."/boot" = {
{
device = "/dev/disk/by-uuid/7C10-C8BD"; device = "/dev/disk/by-uuid/7C10-C8BD";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = swapDevices = [{device = "/dev/disk/by-uuid/edb5324f-3cd2-4b8c-bb05-cca045adeaf6";}];
[{ device = "/dev/disk/by-uuid/edb5324f-3cd2-4b8c-bb05-cca045adeaf6"; }];
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
} }


@ -1,62 +0,0 @@
{ config, pkgs, lib, outputs, ... }:
{
nixpkgs = {
overlays = [
outputs.overlays.additions
outputs.overlays.modifications
outputs.overlays.unstable-packages
];
config = {
allowUnfree = true;
};
};
imports = [
./hardware-configuration.nix
../../configs/common.nix
../../configs/user.nix
../../configs/docker.nix
../../configs/pantheon.nix
../../configs/user-gui.nix
];
networking.hostName = "nixos-libvirt"; # Define your hostname.
time.timeZone = "Europe/Berlin";
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
boot.loader.grub.useOSProber = true;
# boot.loader.systemd-boot.enable = true;
# boot.loader.efi.canTouchEfiVariables = true;
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.enp0s1.useDHCP = true;
programs.nix-ld.enable = true;
services = {
k3s = {
enable = true;
role = "server";
};
};
environment.pantheon.excludePackages = (with pkgs.pantheon; [
elementary-calculator
# elementary-calendar
elementary-camera
elementary-code
elementary-music
# elementary-photos
# elementary-screenshot
# elementary-tasks
elementary-videos
epiphany
]);
system.stateVersion = "24.05";
}


@ -1,31 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/bc7b8b67-966c-44f5-824b-bea72de13d92";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -1,5 +1,10 @@
{ config, pkgs, lib, outputs, ... }:
{ {
config,
pkgs,
lib,
outputs,
...
}: {
nixpkgs = { nixpkgs = {
config = { config = {
allowUnfree = true; allowUnfree = true;
@ -17,7 +22,7 @@
defaultSopsFile = ../../secrets.yaml; defaultSopsFile = ../../secrets.yaml;
validateSopsFiles = true; validateSopsFiles = true;
age = { age = {
sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ]; sshKeyPaths = ["/persist/etc/ssh/ssh_host_ed25519_key"];
keyFile = "/var/lib/sops-nix/key.txt"; keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true; generateKey = true;
}; };
@ -40,11 +45,11 @@
device = "nodev"; device = "nodev";
}; };
}; };
supportedFilesystems = [ "btrfs" ]; supportedFilesystems = ["btrfs"];
initrd = { initrd = {
enable = true; enable = true;
supportedFilesystems = [ "btrfs" ]; supportedFilesystems = ["btrfs"];
postResumeCommands = lib.mkAfter '' postResumeCommands = lib.mkAfter ''
mkdir -p /mnt mkdir -p /mnt


@ -1,61 +1,59 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = [ ]; config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [];
boot.initrd.availableKernelModules = [ "ata_piix" "ohci_pci" "ehci_pci" "ahci" "sd_mod" "sr_mod" ]; boot.initrd.availableKernelModules = ["ata_piix" "ohci_pci" "ehci_pci" "ahci" "sd_mod" "sr_mod"];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [];
boot.kernelModules = [ ]; boot.kernelModules = [];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [];
fileSystems."/" = fileSystems."/" = {
{
device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964"; device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=root" "compress=zstd" "noatime" ]; options = ["subvol=root" "compress=zstd" "noatime"];
}; };
fileSystems."/home" = fileSystems."/home" = {
{
device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964"; device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=home" "compress=zstd" "noatime" ]; options = ["subvol=home" "compress=zstd" "noatime"];
}; };
fileSystems."/nix" = fileSystems."/nix" = {
{
device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964"; device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=nix" "compress=zstd" "noatime" ]; options = ["subvol=nix" "compress=zstd" "noatime"];
}; };
fileSystems."/persist" = fileSystems."/persist" = {
{
device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964"; device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=persist" "compress=zstd" "noatime" ]; options = ["subvol=persist" "compress=zstd" "noatime"];
neededForBoot = true; neededForBoot = true;
}; };
fileSystems."/var/log" = fileSystems."/var/log" = {
{
device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964"; device = "/dev/disk/by-uuid/3719ec05-eb90-455f-98c0-0313c0bcb964";
fsType = "btrfs"; fsType = "btrfs";
options = [ "subvol=log" "compress=zstd" "noatime" ]; options = ["subvol=log" "compress=zstd" "noatime"];
neededForBoot = true; neededForBoot = true;
}; };
fileSystems."/boot" = fileSystems."/boot" = {
{
device = "/dev/disk/by-uuid/6F47-35E9"; device = "/dev/disk/by-uuid/6F47-35E9";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ]; options = ["fmask=0022" "dmask=0022"];
}; };
swapDevices = [ ]; swapDevices = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,51 +0,0 @@
{ config, pkgs, lib, ... }:
let unstable = import <nixos-unstable> { config.allowUnfree = true; };
in {
imports = [
/etc/nixos/hardware-configuration.nix
../configs/common.nix
../configs/user.nix
../configs/docker.nix
../configs/pantheon.nix
../configs/user-gui.nix
];
networking.hostName = "nixos-vm"; # Define your hostname.
time.timeZone = "Europe/Berlin";
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.enp0s1.useDHCP = true;
hardware.parallels.enable = true;
programs.nix-ld.enable = true;
services = {
k3s = {
enable = true;
role = "server";
};
};
environment.pantheon.excludePackages = (with pkgs.pantheon; [
elementary-calculator
# elementary-calendar
elementary-camera
elementary-code
elementary-music
# elementary-photos
# elementary-screenshot
# elementary-tasks
elementary-videos
epiphany
]);
system.stateVersion = "23.05";
}


@ -1,9 +1,14 @@
{ config, lib, pkgs, outputs, inputs, ... }: {
let config,
lib,
pkgs,
outputs,
inputs,
...
}: let
secrets = import ../../configs/secrets.nix; secrets = import ../../configs/secrets.nix;
be = import ../../configs/borg-exclude.nix; be = import ../../configs/borg-exclude.nix;
in in {
{
nixpkgs = { nixpkgs = {
overlays = [ overlays = [
outputs.overlays.additions outputs.overlays.additions
@ -36,7 +41,7 @@ in
defaultSopsFile = ../../secrets-vps-arm.yaml; defaultSopsFile = ../../secrets-vps-arm.yaml;
validateSopsFiles = true; validateSopsFiles = true;
age = { age = {
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
keyFile = "/var/lib/sops-nix/key.txt"; keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true; generateKey = true;
}; };
@ -91,10 +96,12 @@ in
}; };
interfaces.enp7s0 = { interfaces.enp7s0 = {
useDHCP = true; useDHCP = true;
ipv6.addresses = [{ ipv6.addresses = [
{
address = "2a0a:4cc0:1:124c::1"; address = "2a0a:4cc0:1:124c::1";
prefixLength = 64; prefixLength = 64;
}]; }
];
}; };
firewall = { firewall = {
allowPing = true; allowPing = true;
@ -178,7 +185,6 @@ in
}; };
}; };
}; };
}; };
}; };
@ -210,10 +216,9 @@ in
mode = "repokey-blake2"; mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets.borg-key.path}"; passCommand = "cat ${config.sops.secrets.borg-key.path}";
}; };
extraCreateArgs = extraCreateArgs = "--stats --verbose --checkpoint-interval 600 --exclude-caches";
"--stats --verbose --checkpoint-interval 600 --exclude-caches";
environment.BORG_RSH = "ssh -i /home/alex/.ssh/id_borg_rsa"; environment.BORG_RSH = "ssh -i /home/alex/.ssh/id_borg_rsa";
paths = [ "/home/alex" "/var/lib" ]; paths = ["/home/alex" "/var/lib"];
repo = "ssh://u278697-sub3@u278697.your-storagebox.de:23/./borg-arm"; repo = "ssh://u278697-sub3@u278697.your-storagebox.de:23/./borg-arm";
startAt = "daily"; startAt = "daily";
prune.keep = { prune.keep = {


@ -1,30 +1,34 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = config,
[ (modulesPath + "/profiles/qemu-guest.nix") lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
]; ];
boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_scsi" "sr_mod" ]; boot.initrd.availableKernelModules = ["xhci_pci" "virtio_scsi" "sr_mod"];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [];
boot.kernelModules = [ ]; boot.kernelModules = [];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [];
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-uuid/332b05c2-56cc-4b0b-b906-54b6b87542cd"; device = "/dev/disk/by-uuid/332b05c2-56cc-4b0b-b906-54b6b87542cd";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = fileSystems."/boot" = {
{ device = "/dev/disk/by-uuid/3D20-21CC"; device = "/dev/disk/by-uuid/3D20-21CC";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ]; options = ["fmask=0022" "dmask=0022"];
}; };
swapDevices = [ ]; swapDevices = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,621 +0,0 @@
{ config, lib, pkgs, ... }:
let
secrets = import ../configs/secrets.nix;
be = import ../configs/borg-exclude.nix;
unstable = import <nixos-unstable> { config.allowUnfree = true; };
in
{
imports =
[
/etc/nixos/hardware-configuration.nix
../configs/common-server.nix
];
boot.loader.grub = {
enable = true;
device = "/dev/sda"; # or "nodev" for efi only
};
time.timeZone = "Europe/Berlin";
networking = {
hostName = "vps"; # Define your hostname.
useDHCP = false;
# defaultGateway = {
# "address" = "gw.contabo.net";
# "interface" = "ens18";
# };
defaultGateway6 = {
address = "fe80::1";
interface = "ens18";
};
interfaces.ens18 = {
useDHCP = true;
# ipv4.addresses = [ {
# address = "207.180.220.97";
# prefixLength = 24;
# } ];
ipv6.addresses = [{
address = "2a02:c207:3008:1547::1";
prefixLength = 64;
}];
};
wireguard.interfaces = {
wg0 = {
ips = [ "10.100.0.1/24" ];
listenPort = 51820;
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
'';
privateKey = secrets.wireguard-vps-private;
peers = [
{
publicKey = secrets.wireguard-desktop-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.2/32" ];
}
{
publicKey = secrets.wireguard-mini-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.3/32" "192.168.178.0/24" ];
}
{
publicKey = secrets.wireguard-mbp-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.4/32" ];
}
{
publicKey = secrets.wireguard-phone1-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.5/32" ];
}
{
publicKey = secrets.wireguard-raspberrypi-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.6/32" ];
}
{
publicKey = secrets.wireguard-framework-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.7/32" ];
}
{
publicKey = secrets.wireguard-thinkpad-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.8/32" ];
}
{
publicKey = secrets.wireguard-a53-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.9/32" ];
}
{
publicKey = secrets.wireguard-vps2-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.50/32" ];
}
{
publicKey = secrets.wireguard-vps3-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.100/32" ];
}
];
};
};
nat = {
enable = true;
externalInterface = "ens18";
internalInterfaces = [ "wg0" ];
};
firewall = {
allowPing = true;
allowedTCPPorts = [
80 # web
222 # SSH for gitea
443 # web
9898 # i2p
9899
18080
21114 #Rustdesk
21115 #Rustdesk
21116 #Rustdesk
21117 #Rustdesk
21118 #Rustdesk
21119 #Rustdesk
22000 # syncthing
];
allowedUDPPorts = [
80 # web
443 # web
3478 # headscale
9898 # i2p
21116 # Rustdesk
51820 # wireguard
];
interfaces.wg0 = {
allowedTCPPorts = [
19999 # netdata
2049
4444 # i2p http proxy
61208 # foo
7070 # i2p control
7654 # i2p torrent
];
};
# extraCommands = ''
# iptables -A nixos-fw -p tcp --source 10.100.0.0/24 --dport 19999:19999 -j nixos-fw-accept
# '';
};
};
environment.systemPackages = with pkgs; [
goaccess
xd
nyx
mkp224o
progress
headscale
];
programs = {
mtr.enable = true;
fuse.userAllowOther = true;
nix-ld.enable = true;
};
security.acme = {
defaults.email = "webmaster@szczepan.ski";
acceptTerms = true;
};
services = {
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
clientMaxBodySize = "0";
commonHttpConfig = ''
log_format main '$host $remote_addr - $remote_user [$time_local] $upstream_cache_status "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio" '
'$request_time $upstream_response_time $pipe';
access_log /var/log/nginx/access.log main;
'';
virtualHosts = {
"szczepan.ski" = {
forceSSL = true;
enableACME = true;
globalRedirect = "alexander.szczepan.ski";
};
"ipv6.szczepan.ski" = {
forceSSL = true;
enableACME = true;
globalRedirect = "alexander.szczepan.ski";
};
"alexander.szczepan.ski" = {
forceSSL = true;
enableACME = true;
root = "/var/www/alexander.szczepan.ski";
};
"nextcloud.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8080/";
extraConfig = ''
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
'';
};
"/.well-known/carddav" = {
return = "301 $scheme://$host/remote.php/dav";
};
"/.well-known/caldav" = {
return = "301 $scheme://$host/remote.php/dav";
};
};
};
# "nextcloud.ipv6.szczepan.ski" = {
# forceSSL = true;
# enableACME = true;
# globalRedirect = "nextcloud.szczepan.ski";
# };
"firefly.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = { "/" = { proxyPass = "http://127.0.0.1:8081/"; }; };
};
"etesync.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = { "/" = { proxyPass = "http://127.0.0.1:8082/"; }; };
};
"etesync-web.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = { "/" = { proxyPass = "http://127.0.0.1:8086/"; }; };
};
"etesync-notes.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = { "/" = { proxyPass = "http://127.0.0.1:8087/"; }; };
};
"portainer.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = { "/" = { proxyPass = "http://127.0.0.1:8083/"; }; };
};
"jellyfin.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = { "/" = { proxyPass = "http://127.0.0.1:8085/"; }; };
};
"webdav.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = { "/" = { proxyPass = "http://127.0.0.1:8090/"; }; };
};
"pihole.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = { "/" = { proxyPass = "http://127.0.0.1:8091/"; }; };
};
"git.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = { "/" = { proxyPass = "http://127.0.0.1:8084/"; }; };
};
"torrents.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = { "/" = { proxyPass = "http://127.0.0.1:9091/"; }; };
};
"headscale.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8088/";
proxyWebsockets = true;
};
};
};
"syncthing.szczepan.ski" = {
forceSSL = true;
enableACME = true;
basicAuth = { alex = secrets.nginx-syncthing-password; };
locations = {
"/" = {
extraConfig = ''
proxy_set_header Host localhost;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:8384/;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
'';
};
};
};
"homeassistant.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://10.100.0.3:8123/";
proxyWebsockets = true;
};
};
};
"goaccess.szczepan.ski" = {
forceSSL = true;
enableACME = true;
basicAuth = { alex = secrets.nginx-syncthing-password; };
locations = {
"/" = { root = "/var/www/goaccess"; };
"/ws" = {
proxyPass = "http://127.0.0.1:7890/";
proxyWebsockets = true;
};
};
};
"vaultwarden.szczepan.ski" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8092/";
proxyWebsockets = true;
};
"/notifications/hub" = {
proxyPass = "http://127.0.0.1:3012";
proxyWebsockets = true;
};
"/notifications/hub/negotiate" = {
proxyPass = "http://127.0.0.1:8092/";
proxyWebsockets = true;
};
};
};
};
};
headscale = {
enable = true;
address = "127.0.0.1";
port = 8088;
# dns = { baseDomain = "example.com"; };
settings = {
logtail.enabled = false;
server_url = "https://headscale.szczepan.ski";
ip_prefixes = [
"100.64.0.0/10"
];
dns_config = {
base_domain = "szczepan.ski";
magic_dns = true;
domains = [ "headscale.szczepan.ski" ];
nameservers = [
"1.1.1.1"
"9.9.9.9"
];
};
};
};
tailscale.enable = true;
webdav = {
enable = true;
user = "alex";
group = "users";
settings = {
address = "127.0.0.1";
port = 8090;
scope = "/home/alex/docker/";
modify = true;
auth = true;
users = [{
username = "alex";
password = secrets.webdav-password;
}];
};
};
nfs.server = {
enable = false;
exports = ''
/export 10.100.0.0/24(rw,fsid=0,no_subtree_check)
/export/docker 10.100.0.0/24(rw,nohide,insecure,no_subtree_check)
'';
};
vaultwarden = {
enable = true;
config = {
domain = "https://vaultwarden.szczepan.ski";
signupsAllowed = false;
rocketPort = 8092;
rocketAddress = "127.0.0.1";
# adminToken =
# "jCehRECvxqWmXKMZx3dgtVEdJuqUxXoODEagItTPptBizG9SGQLCpTqjZoBM4ZDa";
websocketEnabled = true;
websocketAddress = "127.0.0.1";
websocketPort = 3012;
};
};
i2pd = {
enable = false;
ifname = "ens18";
address = "207.180.220.97";
# TCP & UDP
port = 9898;
ntcp2.port = 9899;
# websocket = {
# enable = true;
# address = "10.100.0.1";
# };
proto = {
http = {
enable = true;
address = "10.100.0.1";
};
httpProxy = {
enable = true;
address = "10.100.0.1";
};
socksProxy = {
enable = true;
address = "10.100.0.1";
};
i2cp = {
enable = true;
address = "10.100.0.1";
};
sam = { enable = true; };
};
inTunnels = {
foo = {
enable = true;
# keys = "foo-keys.dat";
inPort = 80;
address = "127.0.0.1";
destination = "127.0.0.1";
port = 8008;
};
foo2 = {
enable = true;
# keys = "foo-keys.dat";
inPort = 80;
address = "127.0.0.1";
destination = "127.0.0.1";
port = 8009;
};
};
logLevel = "error";
enableIPv4 = true;
enableIPv6 = true;
};
icecast = {
enable = false;
hostname = "254ryojirydttsaealusydhwyjfe2rpschdaduok4czhg45of6ua.b32.i2p";
listen = {
port = 13337;
address = "127.0.0.1";
};
admin = {
user = "alex";
password = "AaOnwDoZnspv8MszCpZZ1KuR9xXJWIE5";
};
};
davfs2 = {
enable = true;
};
tor = {
enable = true;
# relay = {
# enable = true;
# role = "private-bridge";
# };
# settings = {
# ORPort = 9001;
# ControlPort = 9051;
# };
openFirewall = true;
enableGeoIP = false;
relay.onionServices = {
foo = {
version = 3;
map = [{
port = 80;
target = {
addr = "127.0.0.1";
port = 8008;
};
}];
};
foo2 = {
version = 3;
map = [{
port = 80;
target = {
addr = "127.0.0.1";
port = 8009;
};
}];
};
};
settings = {
ClientUseIPv4 = true;
ClientUseIPv6 = false;
ClientPreferIPv6ORPort = false;
};
};
fail2ban = {
enable = true;
bantime = "7d";
jails = {
sshd = {
settings = {
filter = "sshd";
maxretry = 4;
action = ''iptables[name=ssh, port=ssh, protocol=tcp]'';
enabled = true;
};
};
};
};
netdata.enable = true;
syncthing = {
user = "alex";
group = "users";
enable = true;
dataDir = "/home/alex/syncthing";
configDir = "/home/alex/.config/syncthing";
};
borgbackup.jobs.home = rec {
compression = "auto,zstd";
encryption = {
mode = "repokey-blake2";
passphrase = secrets.borg-key;
};
extraCreateArgs =
"--stats --verbose --checkpoint-interval 600 --exclude-caches";
environment.BORG_RSH = "ssh -i /home/alex/.ssh/id_borg_rsa";
paths = [ "/home/alex" "/var/lib" ];
repo = secrets.borg-repo;
startAt = "daily";
prune.keep = {
daily = 4;
weekly = 2;
monthly = 2;
};
extraPruneArgs = "--save-space --stats";
exclude = [
"/home/alex/storage"
"/home/alex/storagebox"
"/home/alex/docker/jellyfin/data"
"/home/alex/.cache"
"/var/lib/monero"
];
};
autofs = {
enable = true;
autoMaster =
let
mapConf = pkgs.writeText "auto" ''
nextcloud -fstype=davfs,conf=/path/to/davfs/conf,uid=myuid :https\:nextcloud.domain/remote.php/webdav/
'';
in
''
/home/directory/mounts file:${mapConf}
'';
};
};
systemd.services = {
# Limit stack size to reduce memory usage
fail2ban.serviceConfig.LimitSTACK = 256 * 1024;
goaccess = {
description = "GoAccess real-time web log analysis";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
script = "${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.* | ${pkgs.goaccess}/bin/goaccess - -o /var/www/goaccess/index.html --log-format='%v %h %^[%d:%t %^]%^\"%r\" %s %b \"%R\" \"%u\"' --real-time-html --ws-url=wss://goaccess.szczepan.ski:443/ws --port 7890 --time-format \"%H:%M:%S\" --date-format \"%d/%b/%Y\"";
# serviceConfig = {
# ExecStart = "${pkgs.bash}/bin/bash -c "${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.* | ${pkgs.goaccess}/bin/goaccess -o /var/www/goaccess/index.html --log-format='%v %h %^[%d:%t %^]%^\"%r\" %s %b \"%R\" \"%u\"' --real-time-html --ws-url=wss://goaccess.szczepan.ski:443/ws --port 7890 --time-format \"%H:%M:%S\" --date-format \"%d/%b/%Y\"'";
# # ExecStop = "/bin/kill -9 ${MAINPID}";
# };
};
};
system.stateVersion = "24.05";
}


@ -1,5 +1,5 @@
# This file defines overlays # This file defines overlays
{ inputs, ... }: { {inputs, ...}: {
# This one brings our custom packages from the 'pkgs' directory # This one brings our custom packages from the 'pkgs' directory
additions = final: _prev: import ../pkgs final.pkgs; additions = final: _prev: import ../pkgs final.pkgs;


@ -1,18 +1,18 @@
{ stdenv {
, lib stdenv,
, fetchurl lib,
, pkg-config fetchurl,
, lm_sensors pkg-config,
, libgtop lm_sensors,
, libatasmart libgtop,
, gtk3 libatasmart,
, libnotify gtk3,
, udisks2 libnotify,
# , libXNVCtrl udisks2,
, wrapGAppsHook3 # , libXNVCtrl
, libappindicator wrapGAppsHook3,
libappindicator,
}: }:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "psensor"; pname = "psensor";
@ -23,7 +23,7 @@ stdenv.mkDerivation rec {
sha256 = "1ark901va79gfq5p8h8dqypjgm3f8crmj37520q3slwz2rfphkq8"; sha256 = "1ark901va79gfq5p8h8dqypjgm3f8crmj37520q3slwz2rfphkq8";
}; };
nativeBuildInputs = [ pkg-config wrapGAppsHook3 ]; nativeBuildInputs = [pkg-config wrapGAppsHook3];
buildInputs = [ buildInputs = [
lm_sensors lm_sensors
@ -45,7 +45,7 @@ stdenv.mkDerivation rec {
homepage = "https://wpitchoune.net/psensor/"; homepage = "https://wpitchoune.net/psensor/";
license = licenses.mit; license = licenses.mit;
platforms = platforms.linux; platforms = platforms.linux;
maintainers = with maintainers; [ ]; maintainers = with maintainers; [];
mainProgram = "psensor"; mainProgram = "psensor";
}; };
} }


@ -1,10 +1,12 @@
{ config, pkgs, lib, ... }:
let
dns-domain = "dns.szczepan.ski";
in
{ {
security.acme.certs.${dns-domain}.postRun = config,
'' pkgs,
lib,
...
}: let
dns-domain = "dns.szczepan.ski";
in {
security.acme.certs.${dns-domain}.postRun = ''
cp fullchain.pem /var/lib/AdGuardHome/chain.pem \ cp fullchain.pem /var/lib/AdGuardHome/chain.pem \
&& cp key.pem /var/lib/AdGuardHome/key.pem \ && cp key.pem /var/lib/AdGuardHome/key.pem \
&& chown adguardhome:adguardhome /var/lib/AdGuardHome/chain.pem \ && chown adguardhome:adguardhome /var/lib/AdGuardHome/chain.pem \
@ -18,7 +20,7 @@ in
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations = { locations = {
"/" = { proxyPass = "https://127.0.0.1:3003/"; }; "/" = {proxyPass = "https://127.0.0.1:3003/";};
}; };
}; };
}; };
@ -30,10 +32,12 @@ in
host = "127.0.0.1"; host = "127.0.0.1";
port = 3002; port = 3002;
settings = { settings = {
users = [{ users = [
{
name = "alex"; name = "alex";
password = "$2y$10$UhKvi4oztTfULWlIKnQhveORKXpIKCqpawJ/skSBAH96Njn4YDhTC"; password = "$2y$10$UhKvi4oztTfULWlIKnQhveORKXpIKCqpawJ/skSBAH96Njn4YDhTC";
}]; }
];
dns = { dns = {
bind_hots = [ bind_hots = [
"0.0.0.0" "0.0.0.0"
@ -76,7 +80,11 @@ in
# The following notation uses map # The following notation uses map
# to not have to manually create {enabled = true; url = "";} for every filter # to not have to manually create {enabled = true; url = "";} for every filter
# This is,qq however, fully optional # This is,qq however, fully optional
filters = map (url: { enabled = true; url = url; }) [ filters =
map (url: {
enabled = true;
url = url;
}) [
"https://adguardteam.github.io/HostlistsRegistry/assets/filter_9.txt" # The Big List of Hacked Malware Web Sites "https://adguardteam.github.io/HostlistsRegistry/assets/filter_9.txt" # The Big List of Hacked Malware Web Sites
"https://adguardteam.github.io/HostlistsRegistry/assets/filter_11.txt" # malicious url blocklist "https://adguardteam.github.io/HostlistsRegistry/assets/filter_11.txt" # malicious url blocklist
]; ];
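Review bot: `bind_hots` in the `dns` settings looks like a misspelling of `bind_hosts`, and the reformat carries it over unchanged; if these settings are written straight into the AdGuard Home configuration, the listen addresses given here are probably not applied under that name, so the line should read `bind_hosts = [`. Separately, the `users` entry keeps a bcrypt hash as a literal in the module, which puts it in the repository and in the world-readable Nix store where it can be guessed offline. Other modules in this commit read credentials from `config.sops.secrets.<name>.path`, and this one would be better sourced the same way. Both settings blocks continue outside the visible hunks.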


@ -1,8 +1,11 @@
{ config, lib, pkgs, ... }:
let
secrets = import ../configs/secrets.nix;
in
{ {
config,
lib,
pkgs,
...
}: let
secrets = import ../configs/secrets.nix;
in {
services = { services = {
nginx = { nginx = {
virtualHosts = { virtualHosts = {
@ -58,12 +61,14 @@ in
# }; # };
garage = { garage = {
ffmpeg.inputs = [{ ffmpeg.inputs = [
{
path = "rtsp://admin:REMOVED@192.168.178.42:554/H.264"; path = "rtsp://admin:REMOVED@192.168.178.42:554/H.264";
# input_args = "preset-rtsp-restream"; # input_args = "preset-rtsp-restream";
# roles = [ "record" "detect" ]; # roles = [ "record" "detect" ];
roles = [ "record" ]; roles = ["record"];
}]; }
];
record = { record = {
enabled = true; enabled = true;
@ -78,7 +83,6 @@ in
}; };
}; };
}; };
}; };
}; };
}; };
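Review bot: The `path` of the `garage` camera input embeds the camera login in the RTSP URL as a string literal, so the real value ends up in the repository, in the world-readable Nix store and presumably in the generated service configuration. The module already imports `secrets`, and other modules in this commit use sops-managed files, so the credential is better supplied at runtime, for example through an environment file the service reads, with the URL here carrying only a placeholder; whether this service supports such substitution needs checking against its documentation. A comment such as `# camera credentials come from a sops-managed file, never inline` above `path` would record the intent. The enclosing camera block starts and ends outside the hunk.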


@ -1,12 +1,16 @@
{ config, lib, pkgs, ... }:
{ {
config,
lib,
pkgs,
...
}: {
services = { services = {
nginx = { nginx = {
virtualHosts = { virtualHosts = {
${config.services.gitea.settings.server.DOMAIN} = { ${config.services.gitea.settings.server.DOMAIN} = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations = { "/" = { proxyPass = "http://127.0.0.1:3001/"; }; }; locations = {"/" = {proxyPass = "http://127.0.0.1:3001/";};};
}; };
}; };
}; };


@ -1,8 +1,11 @@
{ config, lib, pkgs, ... }:
let
secrets = import ../configs/secrets.nix;
in
{ {
config,
lib,
pkgs,
...
}: let
secrets = import ../configs/secrets.nix;
in {
services = { services = {
nginx = { nginx = {
virtualHosts = { virtualHosts = {
@ -11,7 +14,7 @@ in
enableACME = true; enableACME = true;
basicAuthFile = config.sops.secrets.goaccess-htpasswd.path; basicAuthFile = config.sops.secrets.goaccess-htpasswd.path;
locations = { locations = {
"/" = { root = "/var/www/goaccess"; }; "/" = {root = "/var/www/goaccess";};
"/ws" = { "/ws" = {
proxyPass = "http://127.0.0.1:7890/"; proxyPass = "http://127.0.0.1:7890/";
proxyWebsockets = true; proxyWebsockets = true;
@ -25,7 +28,7 @@ in
systemd = { systemd = {
tmpfiles.settings = { tmpfiles.settings = {
"goaccess" = { "goaccess" = {
"/var/www/goaccess" = { d.mode = "0755"; }; "/var/www/goaccess" = {d.mode = "0755";};
}; };
}; };
@ -35,8 +38,8 @@ in
goaccess = { goaccess = {
description = "GoAccess real-time web log analysis"; description = "GoAccess real-time web log analysis";
after = [ "network.target" ]; after = ["network.target"];
wantedBy = [ "multi-user.target" ]; wantedBy = ["multi-user.target"];
script = "${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.* | ${pkgs.goaccess}/bin/goaccess - -o /var/www/goaccess/index.html --log-format='%v %h %^[%d:%t %^]%^\"%r\" %s %b \"%R\" \"%u\"' --real-time-html --ws-url=wss://goaccess.szczepan.ski:443/ws --port 7890 --time-format \"%H:%M:%S\" --date-format \"%d/%b/%Y\""; script = "${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.* | ${pkgs.goaccess}/bin/goaccess - -o /var/www/goaccess/index.html --log-format='%v %h %^[%d:%t %^]%^\"%r\" %s %b \"%R\" \"%u\"' --real-time-html --ws-url=wss://goaccess.szczepan.ski:443/ws --port 7890 --time-format \"%H:%M:%S\" --date-format \"%d/%b/%Y\"";
# serviceConfig = { # serviceConfig = {
# StateDirectory = "/var/www/goaccess"; # StateDirectory = "/var/www/goaccess";


@ -1,6 +1,10 @@
{ config, lib, pkgs, ... }:
{ {
environment.systemPackages = with pkgs; [ headscale ]; config,
lib,
pkgs,
...
}: {
environment.systemPackages = with pkgs; [headscale];
services = { services = {
nginx = { nginx = {
@ -39,7 +43,7 @@
override_local_dns = true; override_local_dns = true;
base_domain = "szczepan.ski"; base_domain = "szczepan.ski";
magic_dns = true; magic_dns = true;
domains = [ "main.szczepan.ski" ]; domains = ["main.szczepan.ski"];
nameservers = [ nameservers = [
"100.64.0.2" "100.64.0.2"
"127.0.0.1" "127.0.0.1"
@ -47,6 +51,5 @@
}; };
}; };
}; };
}; };
} }


@ -1,5 +1,9 @@
{ config, lib, pkgs, ... }:
{ {
config,
lib,
pkgs,
...
}: {
services = { services = {
nginx = { nginx = {
virtualHosts = { virtualHosts = {
@ -66,7 +70,8 @@
phonetrack phonetrack
previewgenerator previewgenerator
tasks tasks
unroundedcorners; unroundedcorners
;
# user_migration = pkgs.fetchNextcloudApp { # user_migration = pkgs.fetchNextcloudApp {
# sha256 = "sha256-OwALAM/WPJ4gXHQado0njfJL+ciDsvfbPjqGWk23Pm8="; # sha256 = "sha256-OwALAM/WPJ4gXHQado0njfJL+ciDsvfbPjqGWk23Pm8=";
# url = "https://github.com/nextcloud-releases/user_migration/releases/download/v6.0.0/user_migration-v6.0.0.tar.gz"; # url = "https://github.com/nextcloud-releases/user_migration/releases/download/v6.0.0/user_migration-v6.0.0.tar.gz";
@ -98,6 +103,6 @@
}; };
systemd.services.nextcloud-cron = { systemd.services.nextcloud-cron = {
path = [ pkgs.perl ]; path = [pkgs.perl];
}; };
} }


@ -1,5 +1,9 @@
{ config, lib, pkgs, ... }:
{ {
config,
lib,
pkgs,
...
}: {
services = { services = {
rustdesk-server = { rustdesk-server = {
enable = true; enable = true;


@ -1,5 +1,9 @@
{ config, lib, pkgs, ... }:
{ {
config,
lib,
pkgs,
...
}: {
services = { services = {
uptime-kuma = { uptime-kuma = {
enable = true; enable = true;
@ -14,7 +18,7 @@
"uptime.szczepan.ski" = { "uptime.szczepan.ski" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations = { "/" = { proxyPass = "http://127.0.0.1:4000/"; }; }; locations = {"/" = {proxyPass = "http://127.0.0.1:4000/";};};
}; };
}; };
}; };