

No commits in common. "master" and "bitcoin" have entirely different histories.

124 changed files with 891 additions and 5130 deletions

.gitignore vendored


@ -1,20 +0,0 @@
# improve colors
set -g default-terminal 'screen-256color
# remap leader key to ctrl-s
set -g prefix2 C-s
# vim keymaps for switching panes
setw -g mode-keys vi
bind-key h select-pane -L
bind-key j select-pane -D
bind-key k select-pane -U
bind-key l select-pane -R
bind-key r C-h select-window -t :-
bind-key r C-h select-window -t :+
# plugins
set -g @plugin 'tmux-plugins/tpm'
set -g @plugin 'Nybkox/tmux-kanagawa'
run '~/.tmux/plugins/tpm/tpm'


@ -1,128 +0,0 @@
#!/usr/bin/env bash
# Wrapper script for nixos-rebuild
# Configuration parameters
operation="switch" # The nixos-rebuild operation to use
hostname=$(/run/current-system/sw/bin/hostname) # The name of the host to build
flakeDir="${FLAKE_DIR}" # Path to the flake file (and optionally the hostname). Defaults to the FLAKE_DIR environment variable.
update=false # Whether to update flake.lock (false by default)
user=$(/run/current-system/sw/bin/whoami) # Which user account to use for git commands (defaults to whoever called the script)
reboot=false
remote=false
remainingArgs="" # All remaining arguments that haven't yet been processed (will be passed to nixos-rebuild)
function usage() {
echo "nixos-rebuild Operations Script (NOS) updates your system and your flake.lock file by pulling the latest versions."
echo ""
echo "Running the script with no parameters performs the following operations:"
echo " 1. Pull the latest version of the config"
echo " 2. Update your flake.lock file"
echo " 3. Commit any changes back to the repository"
echo " 4. Run 'nixos-rebuild switch'."
echo ""
echo "Advanced usage: nixos-upgrade-script.sh [-o|--operation operation] [-f|--flake path-to-flake] [extra nixos-rebuild parameters]"
echo "Options:"
echo " -h, --help Show this help screen."
echo " -o, --operation The nixos-rebuild operation to perform."
echo " -f, --flake <path> The path to your flake.nix file (and optionally, the hostname to build)."
echo " -U, --update Update and commit flake.lock."
echo " -R, --build-host <user@host> Attempt build on remote host."
echo " -r, --reboot Reboots system is there is a kernel or init update"
echo " -u, --user Which user account to run git commands under."
echo ""
exit 2
}
POSITIONAL_ARGS=()
while [[ $# -gt 0 ]]; do
case "$1" in
--flake | -f)
flakeDir="$2"
shift
shift
;;
--operation | -o)
operation="$2"
shift
shift
;;
--user | -u)
user="$2"
shift
shift
;;
--build-host | -R)
remote=true
host="$2"
shift
shift
;;
--update | --upgrade | -U)
update=true
shift
;;
--reboot | -r)
reboot=true
shift
;;
--help | -h)
usage
exit 0
;;
*)
POSITIONAL_ARGS+=("$1") # save positional arg
shift
;;
esac
done
remainingArgs=${POSITIONAL_ARGS[@]}
set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
if [ -z "${flakeDir}" ]; then
echo "Flake directory not specified. Use '--flake <path>' or set \$FLAKE_DIR."
exit 1
fi
# wait for wifi networks to come online.
sleep 10
cd $flakeDir
current_branch=$(git branch --show-current)
[ "$current_branch" != "master" ] && echo "Not on master branch. Aborting auto-update" && exit 0
echo "Pulling the latest version of the repository..."
/run/wrappers/bin/sudo -u $user git stash
/run/wrappers/bin/sudo -u $user git pull
if [ $update = true ]; then
echo "Updating flake.lock..."
/run/wrappers/bin/sudo -u $user nix flake update --commit-lock-file && /run/wrappers/bin/sudo -u $user git push
else
echo "Skipping 'nix flake update'..."
fi
options="--flake $flakeDir $remainingArgs --use-remote-sudo"
echo "Running this operation: nixos-rebuild $operation $options"
if [ $remote = true ]; then
echo "Attempting remote build..."
/run/wrappers/bin/sudo -u root /run/current-system/sw/bin/nixos-rebuild $operation $options --build-host "$host"
else
/run/wrappers/bin/sudo -u root /run/current-system/sw/bin/nixos-rebuild $operation $options
fi
echo "Checking if reboot is necessary"
reboot_diff=$(diff <(readlink /run/booted-system/{initrd,kernel,kernel-modules}) <(readlink /nix/var/nix/profiles/system/{initrd,kernel,kernel-modules}))
if [ -n "$reboot_diff" ] && [ $reboot == true ]; then
echo "System requires a reboot. Rebooting now..."
reboot
else
echo "No reboot necessary."
echo "Update complete."
exit 0
fi
echo "Update complete."
exit 0


@ -46,11 +46,11 @@
]
},
"locked": {
"lastModified": 1735644329,
"narHash": "sha256-tO3HrHriyLvipc4xr+Ewtdlo7wM1OjXNjlWRgmM7peY=",
"lastModified": 1722113426,
"narHash": "sha256-Yo/3loq572A8Su6aY5GP56knpuKYRvM2a1meP9oJZCw=",
"owner": "numtide",
"repo": "devshell",
"rev": "f7795ede5b02664b57035b3b757876703e2c3eac",
"rev": "67cce7359e4cd3c45296fb4aaf6a19e2a9c757ae",
"type": "github"
},
"original": {
@ -92,34 +92,49 @@
]
},
"locked": {
"lastModified": 1734005403,
"narHash": "sha256-vgh3TqfkFdnPxREBedw4MQehIDc3N8YyxBOB45n+AvU=",
"lastModified": 1722175938,
"narHash": "sha256-HKyB4HD+NdX3T233bY31hm76v3/tdQBNeLLvopKbZeY=",
"owner": "erikarvstedt",
"repo": "extra-container",
"rev": "f4de6c329b306a9d3a9798a30e060c166f781baa",
"rev": "37e7207ac9f857eedb58b208b9dc91cd6b24e651",
"type": "github"
},
"original": {
"owner": "erikarvstedt",
"ref": "0.13",
"repo": "extra-container",
"type": "github"
}
},
"flake-compat": {
"locked": {
"lastModified": 1733328505,
"narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
"rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
"revCount": 69,
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"revCount": 57,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.1.0/01948eb7-9cba-704f-bbf3-3fa956735b52/source.tar.gz"
"url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
@ -170,32 +185,11 @@
]
},
"locked": {
"lastModified": 1738453229,
"narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=",
"lastModified": 1727826117,
"narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_4": {
"inputs": {
"nixpkgs-lib": [
"nur",
"nixpkgs"
]
},
"locked": {
"lastModified": 1733312601,
"narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
"rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
"type": "github"
},
"original": {
@ -209,47 +203,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_4"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github"
},
"original": {
@ -260,22 +218,23 @@
},
"git-hooks": {
"inputs": {
"flake-compat": [
"nixvim",
"flake-compat"
],
"flake-compat": "flake-compat_2",
"gitignore": "gitignore",
"nixpkgs": [
"nixvim",
"nixpkgs"
],
"nixpkgs-stable": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1737465171,
"narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=",
"lastModified": 1727854478,
"narHash": "sha256-/odH2nUMAwkMgOS2nG2z0exLQNJS4S2LfMW0teqU7co=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17",
"rev": "5f58871c9657b5fc0a7f65670fe2ba99c26c1d79",
"type": "github"
},
"original": {
@ -351,16 +310,16 @@
]
},
"locked": {
"lastModified": 1739757849,
"narHash": "sha256-Gs076ot1YuAAsYVcyidLKUMIc4ooOaRGO0PqTY7sBzA=",
"lastModified": 1726989464,
"narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "9d3d080aec2a35e05a15cedd281c2384767c2cfe",
"rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-24.11",
"ref": "release-24.05",
"repo": "home-manager",
"type": "github"
}
@ -373,27 +332,27 @@
]
},
"locked": {
"lastModified": 1739570999,
"narHash": "sha256-eCc0/Q4bPpe4/AS+uzIrHLJcR6BxPQ69q2kD0/Qe6rU=",
"lastModified": 1726989464,
"narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "254d47082e23dbf72fdeca1da6fe1da420f478d8",
"rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-24.11",
"ref": "release-24.05",
"repo": "home-manager",
"type": "github"
}
},
"impermanence": {
"locked": {
"lastModified": 1737831083,
"narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=",
"lastModified": 1727649413,
"narHash": "sha256-FA53of86DjFdeQzRDVtvgWF9o52rWK70VHGx0Y8fElQ=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
"rev": "d0b38e550039a72aff896ee65b0918e975e6d48e",
"type": "github"
},
"original": {
@ -402,94 +361,26 @@
"type": "github"
}
},
"ixx": {
"inputs": {
"flake-utils": [
"nixvim",
"nuschtosSearch",
"flake-utils"
],
"nixpkgs": [
"nixvim",
"nuschtosSearch",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729958008,
"narHash": "sha256-EiOq8jF4Z/zQe0QYVc3+qSKxRK//CFHMB84aYrYGwEs=",
"owner": "NuschtOS",
"repo": "ixx",
"rev": "9fd01aad037f345350eab2cd45e1946cc66da4eb",
"type": "github"
},
"original": {
"owner": "NuschtOS",
"ref": "v0.0.6",
"repo": "ixx",
"type": "github"
}
},
"lnbits": {
"inputs": {
"nixpkgs": "nixpkgs_2",
"poetry2nix": "poetry2nix"
},
"locked": {
"lastModified": 1729199171,
"narHash": "sha256-NX/fzZfGppFkP7yoRJyg/0pKo9y4+agBnO4XCgbzp3U=",
"owner": "lnbits",
"repo": "lnbits",
"rev": "51c9d294cdb40c777b1048bbee267b49cdaf7a34",
"type": "github"
},
"original": {
"owner": "lnbits",
"ref": "v0.12.12",
"repo": "lnbits",
"type": "github"
}
},
"minimal-tmux": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1730695632,
"narHash": "sha256-JtbuSxWFR94HiUdQL9uIm2V/kwGz0gbVbqvYWmEncbc=",
"owner": "niksingh710",
"repo": "minimal-tmux-status",
"rev": "d7188c1aeb1c7dd03230982445b7360f5e230131",
"type": "github"
},
"original": {
"owner": "niksingh710",
"repo": "minimal-tmux-status",
"type": "github"
}
},
"nix-bitcoin": {
"inputs": {
"extra-container": "extra-container",
"flake-utils": "flake-utils_2",
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-unstable": "nixpkgs-unstable"
},
"locked": {
"lastModified": 1739709805,
"narHash": "sha256-8/OuhPELneYOtncScsPrAwmlzBNSAFotoTKd6JxU6OA=",
"lastModified": 1727247704,
"narHash": "sha256-Jl1CYXNIdJ4Ac0MK15e8+vflFOgPxZZNw24CKfLC6QY=",
"owner": "fort-nix",
"repo": "nix-bitcoin",
"rev": "bff10a66e50f6a3387b3e5acbbdf2519c624e8bc",
"rev": "a0d36d59248ac54f1b42a668326346a77640c7f5",
"type": "github"
},
"original": {
"owner": "fort-nix",
"ref": "nixos-24.11",
"ref": "nixos-24.05",
"repo": "nix-bitcoin",
"type": "github"
}
@ -521,49 +412,27 @@
]
},
"locked": {
"lastModified": 1739553546,
"narHash": "sha256-L4ou3xfOr17EAe836djRoQ7auVkYOREMtiQa82wVGqU=",
"lastModified": 1727707210,
"narHash": "sha256-8XZp5XO2FC6INZEZ2WlwErtvFVpl45ACn8CJ2hfTA0Y=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "353846417f985e74fdc060555f17939e4472ea2c",
"rev": "f61d5f2051a387a15817007220e9fb3bbead57b3",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "nix-darwin-24.11",
"repo": "nix-darwin",
"type": "github"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"lnbits",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703863825,
"narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "5163432afc817cf8bd1f031418d1869e4c9d5547",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nix-secrets": {
"flake": false,
"locked": {
"lastModified": 1739387047,
"narHash": "sha256-KpogJP00vwuMIKkGJff3zp0YfV9GfOG//UzMK4nWWUw=",
"lastModified": 1728169228,
"narHash": "sha256-WT6kWWqMQE4KBdziZ/uuJ9sPcVg+6QJoOdBPdKAD0gI=",
"ref": "refs/heads/master",
"rev": "be51e237b5b3d441a194f3e516175f6a543aee35",
"revCount": 280,
"rev": "e9709bbb9adc91fb6b4dab5b16e15546cc596695",
"revCount": 165,
"type": "git",
"url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
},
@ -603,13 +472,29 @@
"type": "github"
}
},
"nixpkgs-unstable": {
"nixpkgs-stable": {
"locked": {
"lastModified": 1739451785,
"narHash": "sha256-3ebRdThRic9bHMuNi2IAA/ek9b32bsy8F5R4SvGTIog=",
"lastModified": 1725762081,
"narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "1128e89fd5e11bb25aedbfc287733c6502202ea9",
"rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1726871744,
"narHash": "sha256-V5LpfdHyQkUF7RfOaDPrZDP+oqz88lTJrMT1+stXNwo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a1d92660c6b3b7c26fb883500a80ea9d33321be2",
"type": "github"
},
"original": {
@ -621,11 +506,11 @@
},
"nixpkgs-unstable_2": {
"locked": {
"lastModified": 1739736696,
"narHash": "sha256-zON2GNBkzsIyALlOCFiEBcIjI4w38GYOb+P+R4S8Jsw=",
"lastModified": 1728018373,
"narHash": "sha256-NOiTvBbRLIOe5F6RbHaAh6++BNjsb149fGZd1T4+KBg=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "d74a2335ac9c133d6bbec9fc98d91a77f1604c1f",
"rev": "bc947f541ae55e999ffdb4013441347d83b00feb",
"type": "github"
},
"original": {
@ -637,11 +522,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1723938990,
"narHash": "sha256-9tUadhnZQbWIiYVXH8ncfGXGvkNq3Hag4RCBEMUk7MI=",
"lastModified": 1728067476,
"narHash": "sha256-/uJcVXuBt+VFCPQIX+4YnYrHaubJSx4HoNsJVNRgANM=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "c42fcfbdfeae23e68fc520f9182dde9f38ad1890",
"rev": "6e6b3dd395c3b1eb9be9f2d096383a8d05add030",
"type": "github"
},
"original": {
@ -651,38 +536,6 @@
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1739923778,
"narHash": "sha256-BqUY8tz0AQ4to2Z4+uaKczh81zsGZSYxjgvtw+fvIfM=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "36864ed72f234b9540da4cf7a0c49e351d30d3f1",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "release-24.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_4": {
"locked": {
"lastModified": 1739736696,
"narHash": "sha256-zON2GNBkzsIyALlOCFiEBcIjI4w38GYOb+P+R4S8Jsw=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "d74a2335ac9c133d6bbec9fc98d91a77f1604c1f",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixvim": {
"inputs": {
"devshell": "devshell",
@ -694,36 +547,30 @@
"nixpkgs": [
"nixpkgs"
],
"nuschtosSearch": "nuschtosSearch",
"treefmt-nix": "treefmt-nix_2"
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1739623149,
"narHash": "sha256-9hyreNdQtQaFzWAx38CHiKHFQ8vAc/J2/kXeT7Nwy6s=",
"lastModified": 1728083208,
"narHash": "sha256-jaoWQm2+oAUDU1ft+RWrxcgc/4lHGE0AkZlIBiVjQiQ=",
"owner": "nix-community",
"repo": "nixvim",
"rev": "6b2c62b91a10a773e705f55e8b34a19c8b1f3728",
"rev": "e246bd57da2a09b18b0667f7de40dc1c55a94667",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "nixos-24.11",
"ref": "nixos-24.05",
"repo": "nixvim",
"type": "github"
}
},
"nur": {
"inputs": {
"flake-parts": "flake-parts_4",
"nixpkgs": "nixpkgs_4",
"treefmt-nix": "treefmt-nix_3"
},
"locked": {
"lastModified": 1739903703,
"narHash": "sha256-w2tTcjx39lJoPDaFbIxi+INIjAKE0jbIx9TNjj9ghmg=",
"lastModified": 1728121595,
"narHash": "sha256-e9kRLdv2D4Lk6obeLEzm/m2TYcnZuMnVtqtQUKBCMVs=",
"owner": "nix-community",
"repo": "NUR",
"rev": "2215ad5c4347f522523715e809f5f2022509f504",
"rev": "b638dbc3cd5ecae15140d2de7897dc9395cd128e",
"type": "github"
},
"original": {
@ -732,66 +579,16 @@
"type": "github"
}
},
"nuschtosSearch": {
"inputs": {
"flake-utils": "flake-utils_3",
"ixx": "ixx",
"nixpkgs": [
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1738508923,
"narHash": "sha256-4DaDrQDAIxlWhTjH6h/+xfG05jt3qDZrZE/7zDLQaS4=",
"owner": "NuschtOS",
"repo": "search",
"rev": "86e2038290859006e05ca7201425ea5b5de4aecb",
"type": "github"
},
"original": {
"owner": "NuschtOS",
"repo": "search",
"type": "github"
}
},
"poetry2nix": {
"inputs": {
"flake-utils": "flake-utils",
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"lnbits",
"nixpkgs"
],
"systems": "systems_2",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1724134185,
"narHash": "sha256-nDqpGjz7cq3ThdC98BPe1ANCNlsJds/LLZ3/MdIXjA0=",
"owner": "nix-community",
"repo": "poetry2nix",
"rev": "5ee730a8752264e463c0eaf06cc060fd07f6dae9",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "poetry2nix",
"type": "github"
}
},
"root": {
"inputs": {
"arion": "arion",
"disko": "disko",
"home-manager": "home-manager",
"impermanence": "impermanence",
"lnbits": "lnbits",
"minimal-tmux": "minimal-tmux",
"nix-bitcoin": "nix-bitcoin",
"nix-colors": "nix-colors",
"nix-secrets": "nix-secrets",
"nixpkgs": "nixpkgs_3",
"nixpkgs": "nixpkgs_2",
"nixpkgs-unstable": "nixpkgs-unstable_2",
"nixvim": "nixvim",
"nur": "nur",
@ -802,14 +599,15 @@
"inputs": {
"nixpkgs": [
"nixpkgs"
]
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1739262228,
"narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
"lastModified": 1727734513,
"narHash": "sha256-i47LQwoGCVQq4upV2YHV0OudkauHNuFsv306ualB/Sw=",
"owner": "mic92",
"repo": "sops-nix",
"rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
"rev": "3198a242e547939c5e659353551b0668ec150268",
"type": "github"
},
"original": {
@ -833,73 +631,7 @@
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"id": "systems",
"type": "indirect"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"lnbits",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1719749022,
"narHash": "sha256-ddPKHcqaKCIFSFc/cvxS14goUhCOAwsM1PbMr0ZtHMg=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "8df5ff62195d4e67e2264df0b7f5e8c9995fd0bd",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"treefmt-nix_2": {
"inputs": {
"nixpkgs": [
"nixvim",
@ -907,32 +639,11 @@
]
},
"locked": {
"lastModified": 1738953846,
"narHash": "sha256-yrK3Hjcr8F7qS/j2F+r7C7o010eVWWlm4T1PrbKBOxQ=",
"lastModified": 1727984844,
"narHash": "sha256-xpRqITAoD8rHlXQafYZOLvUXCF6cnZkPfoq67ThN0Hc=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "4f09b473c936d41582dd744e19f34ec27592c5fd",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"treefmt-nix_3": {
"inputs": {
"nixpkgs": [
"nur",
"nixpkgs"
]
},
"locked": {
"lastModified": 1733222881,
"narHash": "sha256-JIPcz1PrpXUCbaccEnrcUS8jjEb/1vJbZz5KkobyFdM=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "49717b5af6f80172275d47a418c9719a31a78b53",
"rev": "4446c7a6fc0775df028c5a3f6727945ba8400e64",
"type": "github"
},
"original": {

205
flake.nix

@ -1,9 +1,9 @@
{
description = "Nixos Config";
description = "Nix Config";
inputs = {
# Nixpkgs
nixpkgs.url = "github:nixos/nixpkgs/release-24.11";
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
# NUR
@ -11,13 +11,13 @@
# Home manager
home-manager = {
url = "github:nix-community/home-manager/release-24.11";
url = "github:nix-community/home-manager/release-24.05";
inputs.nixpkgs.follows = "nixpkgs";
};
# Nixvim
nixvim = {
url = "github:nix-community/nixvim/nixos-24.11";
url = "github:nix-community/nixvim/nixos-24.05";
inputs.nixpkgs.follows = "nixpkgs";
};
@ -28,14 +28,10 @@
# nix-bitcoin
nix-bitcoin = {
url = "github:fort-nix/nix-bitcoin/nixos-24.11";
url = "github:fort-nix/nix-bitcoin/nixos-24.05";
inputs.nixpkgs.follows = "nixpkgs";
};
lnbits = {
url = "github:lnbits/lnbits/v0.12.12";
};
# Nix colors
nix-colors.url = "github:misterio77/nix-colors";
@ -57,112 +53,99 @@
nix-secrets = {
url = "git+ssh://git@git.bitlab21.com/sam/nix-secrets.git";
inputs = {};
};
minimal-tmux = {
url = "github:niksingh710/minimal-tmux-status";
inputs.nixpkgs.follows = "nixpkgs";
flake = false;
};
};
outputs = {
self,
nixpkgs,
home-manager,
...
} @ inputs: let
inherit (self) outputs;
systems = [
"x86_64-linux"
];
forAllSystems = nixpkgs.lib.genAttrs systems;
inherit (nixpkgs) lib;
configVars = import ./vars {inherit inputs lib;};
specialArgs = {
inherit
inputs
outputs
configVars
;
};
in {
packages = forAllSystems (system: import ./pkgs nixpkgs.legacyPackages.${system});
overlays = import ./overlays {inherit inputs;};
nixosModules = import ./modules/nixos;
homeManagerModules = import ./modules/home-manager;
outputs =
{ self
, nixpkgs
, home-manager
, ...
} @ inputs:
let
inherit (self) outputs;
systems = [
"x86_64-linux"
];
forAllSystems = nixpkgs.lib.genAttrs systems;
specialArgs = { inherit inputs outputs; };
in
{
packages = forAllSystems (system: import ./pkgs nixpkgs.legacyPackages.${system});
formatter = forAllSystems (system: nixpkgs.legacyPackages.${system}.alejandra);
overlays = import ./overlays { inherit inputs; };
nixosModules = import ./modules/nixos;
homeManagerModules = import ./modules/home-manager;
# System level configs
nixosConfigurations = {
bootstrap = nixpkgs.lib.nixosSystem {
inherit specialArgs;
modules = [
./hosts/bootstrap
];
};
sparky = nixpkgs.lib.nixosSystem {
inherit specialArgs;
modules = [
./hosts/sparky
home-manager.nixosModules.home-manager
{
home-manager.extraSpecialArgs = specialArgs;
}
];
};
semita = nixpkgs.lib.nixosSystem {
inherit specialArgs;
modules = [
./hosts/semita
home-manager.nixosModules.home-manager
{
home-manager.extraSpecialArgs = specialArgs;
}
];
};
merlin = nixpkgs.lib.nixosSystem {
inherit specialArgs;
modules = [
./hosts/merlin
home-manager.nixosModules.home-manager
{
home-manager.extraSpecialArgs = specialArgs;
}
];
};
citadel = nixpkgs.lib.nixosSystem {
inherit specialArgs;
modules = [
./hosts/citadel
home-manager.nixosModules.home-manager
{
home-manager.extraSpecialArgs = specialArgs;
}
];
};
cloudnix = nixpkgs.lib.nixosSystem {
inherit specialArgs;
modules = [
./hosts/cloudnix
home-manager.nixosModules.home-manager
{
home-manager.extraSpecialArgs = specialArgs;
}
];
};
iso = nixpkgs.lib.nixosSystem {
inherit specialArgs;
modules = [
./hosts/iso
home-manager.nixosModules.home-manager
{
home-manager.extraSpecialArgs = specialArgs;
}
];
# System level configs
nixosConfigurations = {
nixdev = nixpkgs.lib.nixosSystem {
inherit specialArgs;
modules = [
./hosts/nixdev
home-manager.nixosModules.home-manager
{
home-manager.extraSpecialArgs = specialArgs;
}
];
};
fileserver = nixpkgs.lib.nixosSystem {
inherit specialArgs;
modules = [
./hosts/fileserver
home-manager.nixosModules.home-manager
{
home-manager.extraSpecialArgs = specialArgs;
}
];
};
bootstrap = nixpkgs.lib.nixosSystem {
inherit specialArgs;
modules = [
./hosts/bootstrap
];
};
sparky = nixpkgs.lib.nixosSystem {
inherit specialArgs;
modules = [
./hosts/sparky
home-manager.nixosModules.home-manager
{
home-manager.extraSpecialArgs = specialArgs;
}
];
};
semita = nixpkgs.lib.nixosSystem {
inherit specialArgs;
modules = [
./hosts/semita
home-manager.nixosModules.home-manager
{
home-manager.extraSpecialArgs = specialArgs;
}
];
};
nebula = nixpkgs.lib.nixosSystem {
inherit specialArgs;
modules = [
./hosts/nebula
home-manager.nixosModules.home-manager
{
home-manager.extraSpecialArgs = specialArgs;
}
];
};
citadel = nixpkgs.lib.nixosSystem {
inherit specialArgs;
modules = [
./hosts/citadel
home-manager.nixosModules.home-manager
{
home-manager.extraSpecialArgs = specialArgs;
}
];
};
};
};
};
}
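Review bot: Every host entry in `nixosConfigurations` except `bootstrap` repeats the same three-module list (the host directory, `home-manager.nixosModules.home-manager`, and the `{ home-manager.extraSpecialArgs = specialArgs; }` attrset) on both sides of the hunk at `@ -57,112 +53,99 @@`, so adding or re-wiring a host means editing a copy-pasted block and one host can silently drift from the others. A small `mkHost` helper in the `let` block cuts each entry to one line and keeps the wiring in exactly one place; the interpolated path `./hosts/${name}` evaluates to the same per-host directory the explicit entries use. Whether `inputs = {};` or `flake = false;` is the surviving line on the `nix-secrets` input at the top of that hunk is not recoverable from the rendered page, so that part is left unreviewed.
```nix
      # Build one NixOS system wired with home-manager; the per-host directory
      # is the only thing that varies between the entries below.
      mkHost = name: nixpkgs.lib.nixosSystem {
        inherit specialArgs;
        modules = [
          ./hosts/${name}
          home-manager.nixosModules.home-manager
          { home-manager.extraSpecialArgs = specialArgs; }
        ];
      };
      # … unchanged: rest of the let block, `in {`, packages/overlays/modules …
      nixosConfigurations = {
        # … unchanged: bootstrap (no home-manager) …
        sparky = mkHost "sparky";
        semita = mkHost "semita";
        # … one mkHost line per remaining host …
      };
```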


@ -1,4 +1,4 @@
{config, pkgs, ...}: {
{config, ...}: {
imports = [
# Import users
./users/sam
@ -13,12 +13,6 @@
./common/optional/desktop/common/themes/standard-dark.nix
./common/optional/notes.nix
./common/optional/yazi.nix
./common/optional/desktop/common/kodi.nix
./common/optional/desktop/common/xdg
];
home.packages = [
pkgs.qgis
];
colorScheme = {
@ -56,28 +50,28 @@
! dwm
dwm.borderpx: 6
dwm.font: monospace:size=14
dwm.col_base00: #${config.colorScheme.palette.base00}
dwm.col_base03: #${config.colorScheme.palette.base03}
dwm.col_base04: #${config.colorScheme.palette.base04}
dwm.col_base05: #${config.colorScheme.palette.base05}
dwm.col_base08: #${config.colorScheme.palette.base08}
dwm.col_base0B: #${config.colorScheme.palette.base0B}
dwm.col_base00: #${config.colorScheme.colors.base00}
dwm.col_base03: #${config.colorScheme.colors.base03}
dwm.col_base04: #${config.colorScheme.colors.base04}
dwm.col_base05: #${config.colorScheme.colors.base05}
dwm.col_base08: #${config.colorScheme.colors.base08}
dwm.col_base0B: #${config.colorScheme.colors.base0B}
! dmenu
dmenu.font: monospace:size=14
dmenu.font2: NotoColorEmoji:pixelsize=44:antialias=true:autohint=true
dmenu.topbar: 1
dmenu.normfgcolor: #${config.colorScheme.palette.base05}
dmenu.normbgcolor: #${config.colorScheme.palette.base03}
dmenu.selfgcolor: #${config.colorScheme.palette.base00}
dmenu.selbgcolor: #${config.colorScheme.palette.base0B}
dmenu.normfgcolor: #${config.colorScheme.colors.base05}
dmenu.normbgcolor: #${config.colorScheme.colors.base03}
dmenu.selfgcolor: #${config.colorScheme.colors.base00}
dmenu.selbgcolor: #${config.colorScheme.colors.base0B}
Nsxiv.window.background: #${config.colorScheme.palette.base03}
Nsxiv.window.foreground: #${config.colorScheme.palette.base05}
Nsxiv.mark.foreground: #${config.colorScheme.palette.base08}
Nsxiv.window.background: #${config.colorScheme.colors.base03}
Nsxiv.window.foreground: #${config.colorScheme.colors.base05}
Nsxiv.mark.foreground: #${config.colorScheme.colors.base08}
Nsxiv.bar.background: #${config.colorScheme.palette.base00}
Nsxiv.bar.foreground: #${config.colorScheme.palette.base05}
Nsxiv.bar.background: #${config.colorScheme.colors.base00}
Nsxiv.bar.foreground: #${config.colorScheme.colors.base05}
Nsxiv.bar.font: monospace:size=12
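Review bot: The xresources block in the hunk at `@ -56,28 +50,28 @@` switches every colour reference between `config.colorScheme.palette.*` and `config.colorScheme.colors.*`, and which of the two attributes exists is decided by the nix-colors revision recorded in flake.lock, not by anything in this file. The `nix-colors` input in flake.nix (`github:misterio77/nix-colors`, no ref) is not pinned to a release, so an unattended `nix flake update` can move the lock to a revision where the attribute is named differently and the breakage only shows up at evaluation time, after the lock change has been committed. Worth a short comment next to the first use, e.g. `# palette attribute name follows the nix-colors revision in flake.lock`, and pinning that input to a tag or rev if the name is expected to stay stable. Which spelling is the new side is not recoverable from the rendered page; the comment reads the same either way.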


@ -4,11 +4,10 @@
inputs.nix-colors.homeManagerModules.default
./zsh.nix
./nixvim
./tmux.nix
];
nixpkgs.overlays = [
inputs.nur.overlays.default
inputs.nur.overlay
outputs.overlays.additions
outputs.overlays.unstable-packages
];
@ -19,18 +18,15 @@
ripgrep
fzf
eza
bat
killall
pciutils
tree
jq
coreutils
btop
htop
postgresql_16
postgresql
libqalculate
tmux
tealdeer
;
};
home.stateVersion = "24.05";
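Review bot: The package list in the hunk at `@ -19,18 +18,15 @@` carries both `postgresql_16` and the unversioned `postgresql`; the unversioned attribute resolves to whatever default major version the pinned nixpkgs channel ships, so the channel change elsewhere in this compare (`release-24.11` ↔ `nixos-24.05` in flake.nix) also changes which psql/libpq major ends up in the profile without any visible diff in this file. If this client is used against a server of a fixed major version, keep the explicit form and say why: `postgresql_16 # match the server major; the unversioned attribute floats with the channel`. The same caveat applies to `inputs.nur.overlays.default` vs `inputs.nur.overlay` in the first hunk, where the surviving attribute has to match the NUR revision in flake.lock. Which line of each pair is the new side is not recoverable from the rendered page.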


@ -25,11 +25,9 @@
pkgs.shellharden
pkgs.shfmt
pkgs.stylua
pkgs.glow
];
programs.nixvim = {
enable = true;
package = pkgs.neovim-unwrapped;
enableMan = true; # install man pages for nixvim options
clipboard.register = "unnamedplus"; # use system clipboard instead of internal registers
globals.mapleader = " ";
@ -60,12 +58,6 @@
let g:db_ui_hide_schemas = ['pg_catalog', 'pg_toast_temp.*', 'pg_toast']
let g:db_ui_use_nerd_fonts = 1
let g:db_ui_execute_on_save = 0
" == custom surround
augroup initvim
au!
autocmd FileType markdown,vimwiki let b:surround_{char2nr('b')} = "**\r**"
augroup END
'';
};
}


@ -1,11 +1,13 @@
{
programs.nixvim.keymaps = [
programs.nixvim.keymaps = [
# Switching buffers
{
mode = ["n"];
action = "<C-w>h";
key = "<S-h>";
options = {silent = true;};
options = {
silent = true;
};
}
{
mode = ["n"];
@ -50,6 +52,35 @@ programs.nixvim.keymaps = [
options = {noremap = true;};
}
# Telescope Plugin
{
# find files
mode = ["n"];
key = "<Leader>ff";
action = "<cmd>Telescope find_files<CR>";
options = {noremap = true;};
}
{
# live grep
mode = ["n"];
key = "<Leader>fg";
action = "<cmd>Telescope live_grep<CR>";
options = {noremap = true;};
}
{
# buffers
mode = ["n"];
key = "<Leader>fb";
action = "<cmd>Telescope buffers<CR>";
options = {noremap = true;};
}
{
# help tags
mode = ["n"];
key = "<Leader>fh";
action = "<cmd>Telescope help_tags<CR>";
options = {noremap = true;};
}
# paste over selected text without yanking it
{
mode = ["v"];
@ -82,33 +113,5 @@ programs.nixvim.keymaps = [
action = ": resize +1<CR>";
options = {noremap = true;};
}
# indent line in or out
{
mode = ["v"];
key = "<";
action = "<gv";
options = {noremap = true;};
}
{
mode = ["v"];
key = ">";
action = ">gv";
options = {noremap = true;};
}
# move selected line up or down
{
mode = ["v"];
key = "<C-d>";
action = ":m '>+1<CR>gv=gv";
options = {noremap = true;};
}
{
mode = ["v"];
key = "<C-u>";
action = ":m '<-2<CR>gv=gv";
options = {noremap = true;};
}
];
}


@ -3,7 +3,6 @@
cmp-emoji = { enable = true; };
cmp = {
enable = true;
cmdline = {};
settings = {
autoEnableSources = true;
experimental = { ghost_text = true; };
@ -12,7 +11,7 @@
fetchingTimeout = 200;
maxViewEntries = 30;
};
snippet = { expand = "function(args) require('luasnip').lsp_expand(args.body) end"; };
snippet = { expand = "luasnip"; };
formatting = {
fields = [ "kind" "abbr" "menu" ];
format = ''
@ -44,10 +43,14 @@
};
mapping = {
"<Tab>" = "cmp.mapping(cmp.mapping.select_next_item(), {'i', 's'})";
"<S-Tab>" = "cmp.mapping.select_prev_item()";
"<C-j>" = "cmp.mapping.select_next_item()";
"<C-k>" = "cmp.mapping.select_prev_item()";
"<C-e>" = "cmp.mapping.abort()";
"<C-b>" = "cmp.mapping.scroll_docs(-4)";
"<C-f>" = "cmp.mapping.scroll_docs(4)";
"<C-Space>" = "cmp.mapping.complete()";
"<CR>" = "cmp.mapping.confirm({ select = true })";
"<S-CR>" = "cmp.mapping.confirm({ behavior = cmp.ConfirmBehavior.Replace, select = true })";
};
};
};
@ -55,7 +58,7 @@
cmp-buffer = { enable = true; };
cmp-path = { enable = true; }; # file system paths
cmp_luasnip = { enable = true; }; # snippets
cmp-cmdline = { enable = true; }; # autocomplete for cmdline
cmp-cmdline = { enable = false; }; # autocomplete for cmdline
};
programs.nixvim.extraConfigLua = ''
luasnip = require("luasnip")
@ -91,15 +94,22 @@
-- Use buffer source for `/` (if you enabled `native_menu`, this won't work anymore).
cmp.setup.cmdline({'/', "?" }, {
mapping = cmp.mapping.preset.cmdline(),
sources = {
{ name = 'buffer' }
}
})
-- Set configuration for specific filetype.
cmp.setup.filetype('gitcommit', {
sources = cmp.config.sources({
{ name = 'cmp_git' }, -- You can specify the `cmp_git` source if you were installed it.
}, {
{ name = 'buffer' },
})
})
-- Use cmdline & path source for ':' (if you enabled `native_menu`, this won't work anymore).
cmp.setup.cmdline(':', {
mapping = cmp.mapping.preset.cmdline(),
sources = cmp.config.sources({
{ name = 'path' }
}, {
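Review bot: The `cmp.setup.filetype('gitcommit', …)` block registers a `cmp_git` source, but no cmp-git plugin is enabled in the visible `programs.nixvim.plugins` list (cmp-buffer, cmp-path, cmp_luasnip and cmp-cmdline, the last now `enable = false`), so that source is either dead configuration or depends on a plugin enabled in a file outside this compare. The comment beside it is copied from the nvim-cmp README and does not say which; replace it with a factual note such as `-- cmp_git is not enabled in this config; this source is inert until it is`, or remove the block. The `cmp.setup.cmdline(':', …)` call is cut off at the end of the hunk, so whether its source list still names `cmdline` after cmp-cmdline was disabled cannot be checked from here.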


@ -38,16 +38,4 @@
}
'';
programs.nixvim.keymaps = [
# format document with Conform
{
mode = ["n"];
key = "<leader>cf";
action = "<CMD>Format<CR>";
options = {
silent = true;
desc = "Conform auto-format document";
};
}
];
}


@ -5,7 +5,6 @@
}: let
user = config.home.username;
in {
imports = [
./cmp.nix
./colorizer.nix
@ -23,11 +22,8 @@ in {
./todo-comments.nix
./oil.nix
./comment.nix
./git-workree.nix
];
programs.nixvim.plugins.web-devicons.enable = true;
# Load Plugins that aren't provided as modules by nixvim
programs.nixvim.extraPlugins = [
pkgs.vimPlugins.vim-numbertoggle
@ -36,18 +32,6 @@ in {
pkgs.vimPlugins.vim-dadbod-ui
pkgs.vimPlugins.vim-dadbod-completion
pkgs.vimPlugins.fugitive
(pkgs.vimUtils.buildVimPlugin
{
name = "glow.nvim";
src = pkgs.fetchFromGitHub {
owner = "ellisonleao";
repo = "glow.nvim";
rev = "238070a";
sha256 = "sha256-GsNcASzVvY0066kak2nvUY5luzanoBclqcUOsODww8g=";
};
})
(pkgs.vimUtils.buildVimPlugin
{
name = "buffer_manager.nvim";
@ -74,18 +58,6 @@ in {
pkgs.vimPlugins.vim-devicons
];
programs.nixvim.extraConfigLua = ''
-- function to read api key from secrets file
local function read_api_key(file_path)
local file = io.open(file_path, "r")
if file then
local api_key = file:read("*all")
file:close()
return api_key
else
error("Failed to open file: " .. file_path)
end
end
-- buffer_manager.nvim
local opts = {noremap = true}
@ -112,16 +84,6 @@ in {
}
)
require('glow').setup({
border = "shadow",
style = "dark",
pager = false,
width = 80,
height = 100,
width_ratio = 0.7,
height_ratio = 0.7,
})
-- Custom color for modified buffers
vim.api.nvim_set_hl(0, "BufferManagerModified", { fg = "#988100" })


@ -1,26 +0,0 @@
{
programs.nixvim.keymaps = [
# Switching worktrees
{
mode = ["n"];
key = "<leader>fws";
action = "<cmd>lua require('telescope').extensions.git_worktree.git_worktrees()<CR>";
options = {noremap = true;};
}
{
mode = ["n"];
key = "<leader>fwc";
action = "<cmd>lua require('telescope').extensions.git_worktree.create_git_worktree()<CR>";
options = {noremap = true;};
}
];
programs.nixvim.plugins.git-worktree = {
enable = true;
enableTelescope = true;
autopush = true;
changeDirectoryCommand = "cd";
clearJumpsOnChange = true;
updateOnChange = true;
updateOnChangeCommand = "e .";
};
}


@ -2,24 +2,34 @@
programs.nixvim.plugins.gitsigns = {
enable = true;
settings.signs.add = {
set_hl = "GitSignsAdd";
hl = "GitSignsAdd";
text = " ";
numhl = "GitSignsAddNr";
linehl = "GitSignsAddLn";
};
settings.signs.change = {
set_hl = "GitSignsChange";
hl = "GitSignsChange";
text = " ";
numhl = "GitSignsChangeNr";
linehl = "GitSignsChangeLn";
};
settings.signs.delete = {
set_hl = "GitSignsDelete";
hl = "GitSignsDelete";
text = " ";
numhl = "GitSignsDeleteNr";
linehl = "GitSignsDeleteLn";
};
settings.signs.topdelete = {
set_hl = "GitSignsDelete";
hl = "GitSignsDelete";
text = " ";
numhl = "GitSignsDeleteNr";
linehl = "GitSignsDeleteLn";
};
settings.signs.changedelete = {
set_hl = "GitSignsChange";
hl = "GitSignsChange";
text = " ";
numhl = "GitSignsChangeNr";
linehl = "GitSignsChangeLn";
};
};
}


@ -3,7 +3,6 @@
enable = true;
keymaps = {
toggleQuickMenu = "<leader>h";
addFile = "<leader>a";
};
};
}


@ -1,32 +1,18 @@
{ osConfig , ... }:
let
hostname = osConfig.networking.hostName;
in
{
programs.nixvim.plugins = {
lsp = {
enable = true;
servers = {
lua_ls = {enable = true;};
nixd = {
enable = true;
cmd = ["nixd"];
settings = {
nixpkgs.expr = "import <nixpkgs> { }";
options = {
nixos.expr = "(builtins.getFlake \"/etc/nixos\").nixosConfigurations.${hostname}.options";
# TODO get home-manager options working when hm imported as submodule
# home_manager.expr = "(builtins.getFlake \"github:nix-community/home-manager\").homeConfigurations.${hostname}.options";
};
};
};
lua-ls = {enable = true;};
nixd = {enable = true;};
bashls = {enable = true;};
pyright = {enable = true;};
html = {enable = true;};
marksman = {enable = true;};
ccls = {enable = true;};
cssls = {enable = true;};
ts_ls = {enable = true;};
r-language-server = {enable = true;};
tsserver = {enable = true;};
};
keymaps = {
lspBuf = {


@ -1,26 +1,22 @@
{
programs.nixvim.plugins.lualine = {
enable = true;
settings = {
options = {
theme = "auto";
sectionSeparators = {
left = "";
right = "";
};
componentSeparators = {
left = "";
right = "";
};
};
sections = {
lualine_a = ["mode"];
lualine_b = ["branch" "diff" "diagnostics"];
lualine_c = ["filename"];
lualine_x = ["encoding" "fileformat" "filetype"];
lualine_y = ["progress"];
lualine_z = ["locations"];
};
theme = "auto";
componentSeparators = {
left = "";
right = "";
};
sectionSeparators = {
left = "";
right = "";
};
sections = {
lualine_a = [ "mode" ];
lualine_b = [ "branch" "diff" "diagnostics" ];
lualine_c = [ "filename" ];
lualine_x = [ "encoding" "fileformat" "filetype" ];
lualine_y = [ "progress" ];
lualine_z = [ "locations" ];
};
};
}


@ -1,7 +1,7 @@
{ pkgs, ... }: {
programs.nixvim.plugins.luasnip = {
enable = true;
settings = {
extraConfig = {
enable_autosnippets = true;
store_selection_keys = "<Tab>";
};


@ -1,9 +1,5 @@
{
programs.nixvim.plugins.oil = {
enable = true;
settings = {
columns = ["icon"];
view_options.show_hidden = true;
};
};
}


@ -1,3 +1,3 @@
{
programs.nixvim.plugins.vim-surround.enable = true; # vim-surround
programs.nixvim.plugins.surround.enable = true; # vim-surround
}


@ -3,55 +3,4 @@
enable = true;
extensions.fzy-native.enable = true;
};
programs.nixvim.keymaps = [
{
# find files
mode = ["n"];
key = "<Leader>ff";
action = "<cmd>Telescope find_files<CR>";
options = {noremap = true;};
}
{
# live grep
mode = ["n"];
key = "<Leader>fg";
action = "<cmd>Telescope live_grep<CR>";
options = {noremap = true;};
}
{
# grep string under cursor
mode = ["n"];
key = "<Leader>fs";
action = "<cmd>Telescope grep_string<CR>";
options = {noremap = true;};
}
{
# buffers
mode = ["n"];
key = "<Leader>fb";
action = "<cmd>Telescope buffers<CR>";
options = {noremap = true;};
}
{
# help tags
mode = ["n"];
key = "<Leader>fh";
action = "<cmd>Telescope help_tags<CR>";
options = {noremap = true;};
}
{
# show recently opened files
mode = ["n"];
key = "<Leader>fo";
action = "<cmd>Telescope oldfiles<CR>";
options = {noremap = true;};
}
{
# show recently opened files
mode = ["n"];
key = "<Leader>fk";
action = "<cmd>Telescope keymaps<CR>";
options = {noremap = true;};
}
];
}


@ -1,25 +0,0 @@
{
pkgs,
inputs,
...
}: {
programs.tmux = {
enable = true;
clock24 = true;
extraConfig = ''
# vim keymaps for switching panes
setw -g mode-keys vi
bind-key h select-pane -L
bind-key j select-pane -D
bind-key k select-pane -U
bind-key l select-pane -R
bind-key -r C-h select-window -t :-
bind-key -r C-h select-window -t :+
'';
plugins = [
{ plugin = inputs.minimal-tmux.packages.${pkgs.system}.default; }
pkgs.tmuxPlugins.yank
];
};
}


@ -9,9 +9,6 @@
shellAliases = {
ll = "ls -l";
src = "cd ~/.local/share/src";
no = "cd /etc/nixos";
cat = "bat --decorations=never";
ls = "eza";
};
history.size = 10000;
history.path = "${config.xdg.dataHome}/zsh/history";
@ -103,8 +100,6 @@
echo -ne '\e[5 q' # Use beam shape cursor on startup.
preexec() { echo -ne '\e[5 q' ;} # Use beam shape cursor for each new prompt.
export MANPAGER="nvim +Man\!"
'';
};
}


@ -14,21 +14,9 @@
pkgs.xfce.thunar
pkgs.kcolorchooser
pkgs.zotero
pkgs.transmission_3
pkgs.transmission
pkgs.qgis
pkgs.mpv
pkgs.simple-scan
pkgs.pandoc
pkgs.texlive.combined.scheme-small
pkgs.libreoffice-fresh
pkgs.hunspell
pkgs.hunspellDicts.en-gb-large
pkgs.hunspellDicts.en-gb-large
pkgs.hunspellDicts.en_US
pkgs.set_wm_class
pkgs.xorg.xkill
pkgs.R
pkgs.gimp
pkgs.gajim
pkgs.vlc
pkgs.gnome.simple-scan
];
}


@ -1,45 +1,38 @@
{
pkgs,
config,
configVars,
...
}: let
{ pkgs, config, ... }:
let
user = config.home.username;
dockerContainerIp = configVars.networking.addresses.docker.ip;
in {
in
{
programs.firefox = {
package = pkgs.firefox-bin;
enable = true;
profiles.${user} = {
search = {
force = true;
default = "Searx";
order = ["Searx" "DuckDuckGo"];
order = [ "Searx" "DuckDuckGo" ];
engines = {
"Nix Packages" = {
urls = [
{
template = "https://search.nixos.org/packages";
params = [
{ name = "type"; value = "packages"; }
{ name = "query"; value = "{searchTerms}"; }
];
}
];
urls = [{
template = "https://search.nixos.org/packages";
params = [
{ name = "type"; value = "packages"; }
{ name = "query"; value = "{searchTerms}"; }
];
}];
icon = "''${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
definedAliases = ["@np"];
definedAliases = [ "@np" ];
};
"NixOS Wiki" = {
urls = [{template = "https://nixos.wiki/index.php?search={searchTerms}";}];
urls = [{ template = "https://nixos.wiki/index.php?search={searchTerms}"; }];
iconUpdateURL = "https://nixos.wiki/favicon.png";
updateInterval = 24 * 60 * 60 * 1000; # every day
definedAliases = ["@nw"];
definedAliases = [ "@nw" ];
};
"Searx" = {
urls = [{template = "http://searx.lan/?q={searchTerms}";}];
urls = [{ template = "http://10.0.10.35:8855/?q={searchTerms}"; }];
iconUpdateURL = "https://docs.searxng.org/_static/searxng-wordmark.svg";
updateInterval = 24 * 60 * 60 * 1000; # every day
definedAliases = ["@searx"];
definedAliases = [ "@searx" ];
};
"Bing".metaData.hidden = true;
"Google".metaData.alias = "@g"; # builtin engines only support specifying one additional alias
@ -48,38 +41,16 @@ in {
bookmarks = [
{
name = "toolbar";
toolbar = true;
bookmarks = [
{
name = "Jellyfin";
url = "http://jellyfin.lan";
}
{
name = "Pihole";
url = "http://dns.lan/admin";
}
{
name = "Searx";
url = "http://searx.lan";
}
{
name = "Mempool";
url = "http://mempool.lan";
}
{
name = "Grafana";
url = "http://grafana.lan";
}
{
name = "Prometheus";
url = "http://metrics.lan";
}
{
name = "Nixos Package Search";
url = "https://search.nixos.org/packages";
}
];
name = "wikipedia";
tags = [ "wiki" ];
keyword = "wiki";
url = "https://en.wikipedia.org/wiki/Special:Search?search=%s&go=Go";
}
{
name = "bitlab21";
tags = [ "bitcoin" ];
keyword = "bitcoin";
url = "https://bitlab21.com";
}
];
@ -89,7 +60,7 @@ in {
"identity.fxaccounts.enabled" = false;
"signon.rememberSignons" = false;
"browser.compactmode.show" = true;
"browser.startup.homepage" = "http://searx.lan";
"browser.startup.homepage" = "http://10.0.10.35:8855";
"browser.search.defaultenginename" = "Searx";
"browser.search.order.1" = "Searx";
};
@ -100,9 +71,11 @@ in {
bitwarden
sponsorblock
darkreader
vimium
privacy-badger
zotero-connector
];
};
};
}
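Review bot: The Searx address `http://10.0.10.35:8855` is written out twice on this side, once in the search-engine `template` and once in `"browser.startup.homepage"`, and the two will silently diverge the next time the host moves; bind it once, e.g. `let searxUrl = "http://10.0.10.35:8855"; in` above the module body and use `"${searxUrl}/?q={searchTerms}"` and `"browser.startup.homepage" = searxUrl;`. Both uses are plain HTTP, so every search query leaves the browser unencrypted; that may be acceptable on a trusted LAN, but it deserves a one-line comment saying so, since every other engine in the same block is HTTPS.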


@ -3,7 +3,7 @@
home.packages = with pkgs; [
nerdfonts
noto-fonts
noto-fonts-cjk-sans
noto-fonts-cjk
noto-fonts-emoji
hack-font
liberation_ttf


@ -1,13 +0,0 @@
{
pkgs,
...
}: {
programs.kodi = {
enable = true;
package = pkgs.kodi.withPackages (kodiPkgs:
with kodiPkgs; [
netflix
jellycon
]);
};
}


@ -15,7 +15,7 @@
package = pkgs.kanagawa-gtk-theme;
};
iconTheme = {
package = pkgs.adwaita-icon-theme;
package = pkgs.gnome.adwaita-icon-theme;
name = "Adwaita";
};


@ -2,11 +2,11 @@
{
services.mako = {
enable = true;
backgroundColor = "#${config.colorScheme.palette.base00}";
borderColor = "#${config.colorScheme.palette.base0D}";
backgroundColor = "#${config.colorScheme.colors.base00}";
borderColor = "#${config.colorScheme.colors.base0D}";
borderRadius = 5;
borderSize = 2;
textColor = "#${config.colorScheme.palette.base05}";
textColor = "#${config.colorScheme.colors.base05}";
layer = "overlay";
};
}


@ -11,9 +11,4 @@
pkgs.feh
];
programs.chromium = {
enable = true;
package = pkgs.brave;
};
}


@ -1,67 +0,0 @@
{pkgs, config, lib, ...}: {
xdg.desktopEntries = {
firefox = {
name = "Firefox";
exec = "${pkgs.firefox}/bin/firefox";
};
zathura-wrapper = {
name = "Zathura-wrapper";
exec = "st -T st-float -g 150x50 -e zathura %F";
terminal = false;
mimeType = ["application/pdf"];
};
nsxiv-wrapper = {
name = "Nsxiv-wrapper";
# exec = "nsxiv-wrapper %f";
exec = "st -T st-float -g 150x50 -e nsxiv %F";
terminal = false;
mimeType = ["image/*"];
};
nvim-wrapper = {
name = "Nvim-wrapper";
exec = "st -T st-float -g 150x50 -e nvim %F";
terminal = false;
mimeType = ["text/*"];
};
mpv-wrapper = {
name = "Mpv-wrapper";
exec = "st -T st-float -g 150x50 -e mpv %F";
terminal = false;
mimeType = ["video/*"];
};
};
# Forces creation of mimeapps.list if hm link has been overwritten by another application
# https://discourse.nixos.org/t/home-manager-and-the-mimeapps-list-file-on-plasma-kde-desktops/37694
xdg.configFile."mimeapps.list" = lib.mkIf config.xdg.mimeApps.enable { force = true; };
xdg.mimeApps = {
enable = lib.mkDefault true;
defaultApplications = {
"application/pdf" = "zathura-wrapper.desktop";
# text
"text/html" = "firefox.desktop";
"text/plain" = "nvim-wrapper.desktop";
# images
"image/jpeg" = "nsxiv-wrapper.desktop";
"image/jpg" = "nsxiv-wrapper.desktop";
"image/png" = "nsxiv-wrapper.desktop";
"image/tiff" = "nsxiv-wrapper.desktop";
"image/gif" = "nsxiv-wrapper.desktop";
"image/heic" = "nsxiv-wrapper.desktop";
"image/bmp" = "nsxiv-wrapper.desktop";
"image/webp" = "nsxiv-wrapper.desktop";
# video
"video/mp4" = "mpv-wrapper.desktop";
"video/mpeg" = "mpv-wrapper.desktop";
"x-scheme-handler/http" = "firefox.desktop";
"x-scheme-handler/https" = "firefox.desktop";
"x-scheme-handler/about" = "firefox.desktop";
"x-scheme-handler/unknown" = "firefox.desktop";
};
};
}


@ -31,8 +31,6 @@
./scripts/aichat-wrapper.nix
./scripts/dmenu-wifi.nix
./scripts/battery-status.nix
./scripts/dmenu-set-wm-class.nix
./scripts/key-remaps.nix
];
home.packages = [


@ -8,7 +8,7 @@
enable = true;
iconTheme = {
name = "Adwaita";
package = pkgs.adwaita-icon-theme;
package = pkgs.gnome.adwaita-icon-theme;
size = "16x16";
};
settings = {
@ -131,7 +131,7 @@
offset = "15x60";
origin = "top-right";
frame_color = "#${config.colorScheme.palette.base0B}";
frame_color = "#${config.colorScheme.colors.base0B}";
frame_width = 2;
# Browser for opening urls in context menu.
@ -157,21 +157,21 @@
};
urgency_low = {
background = "#${config.colorScheme.palette.base03}";
foreground = "#${config.colorScheme.palette.base05}";
background = "#${config.colorScheme.colors.base03}";
foreground = "#${config.colorScheme.colors.base05}";
timeout = 15;
};
urgency_normal = {
background = "#${config.colorScheme.palette.base03}";
foreground = "#${config.colorScheme.palette.base05}";
background = "#${config.colorScheme.colors.base03}";
foreground = "#${config.colorScheme.colors.base05}";
timeout = 15;
};
urgency_critical = {
background = "#${config.colorScheme.palette.base08}";
foreground = "#${config.colorScheme.palette.base05}";
frame_color = "#${config.colorScheme.palette.base05}";
background = "#${config.colorScheme.colors.base08}";
foreground = "#${config.colorScheme.colors.base05}";
frame_color = "#${config.colorScheme.colors.base05}";
timeout = 0;
};
};


@ -53,7 +53,7 @@
(writeShellScriptBin "clipboard-image-recall" ''
# Script to view and select and output images in image clipboard dir to clipboard.
monitor_name=$(get-focused-monitor)
monitor_info=$(${xorg.xrandr}/bin/xrandr | grep "$monitor_name")
monitor_info=$(xrandr | grep "$monitor_name")
width=$(echo $monitor_info | grep -oP '\d+x\d+' | cut -dx -f1)
height=$(echo $monitor_info | grep -oP '\d+x\d+' | cut -dx -f2)
@ -68,7 +68,7 @@
filesdir="$(find $1 -type f -printf '%T@ %p\n' | sort -rn | cut -d ' ' -f 2-)"
[ "$filesdir" == "" ] && notify-send -t 1000 "Clipboard Recall" "No images in directory" && exit 1
output="$(echo "$filesdir" | ${nsxiv}/bin/nsxiv -tioq -g "$scale_width"x"$scale_height" -N float )"
output="$(echo "$filesdir" | ${nsxiv}/bin/nsxiv -tioq -g "$scale_width"x"$scale_height" -N nsxiv-float )"
num_lines=$( echo "$output" | wc -l)
if [ "$num_lines" -gt 1 ]; then
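Review bot: `monitor_info=$(xrandr | grep "$monitor_name")` now resolves `xrandr` through the caller's PATH, while `${nsxiv}/bin/nsxiv` in the next hunk of the same script is still pinned to its store path, so the script is only half hermetic; inside a `writeShellScriptBin` the command needs its store path back (`${xorg.xrandr}/bin/xrandr`), and the same applies to `eval $(xdotool getmouselocation --shell)` in get-focused-monitor, where an unpinned command is also the input to `eval`. While here, `grep "$monitor_name"` treats the monitor name as a regex and `find $1 -type f` word-splits its argument; `grep -F -- "$monitor_name"` and `find -- "$1" -type f` are the safe forms. The script body continues past the hunk and was not reviewed further.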


@ -1,13 +0,0 @@
{ pkgs, ... }:
{
home.packages = with pkgs; [
(writeShellScriptBin "dmenu-set-wm-class" ''
${libnotify}/bin/notify-send "Set Window Class" "Select window..."
winid=$(${xorg.xwininfo}/bin/xwininfo | grep "Window id:" | grep -o "0x[0-9a-fA-F]*")
class=$(${xorg.xprop}/bin/xprop -id "$winid" WM_CLASS | grep -o "\".*\"$")
new_class=$( echo "" | ${dmenu}/bin/dmenu -p "Selected: $class. Set class name of window:")
[ -z "$new_class" ] && ${libnotify}/bin/notify-send "Set Window Class" "Nothing set, exiting" && exit
${set_wm_class}/bin/set_wm_class "$winid" "$new_class"
'')
];
}


@ -3,7 +3,7 @@
home.packages = with pkgs; [
(writeShellScriptBin "get-focused-monitor" ''
# get the current cursor location into X and Y variables
eval $(${xdotool}/bin/xdotool getmouselocation --shell)
eval $(xdotool getmouselocation --shell)
# compare mouse location to monitor coordinates
while IFS= read -r line; do


@ -1,11 +0,0 @@
{pkgs, ...}: {
home.packages = with pkgs; [
(writeShellScriptBin "key-remaps" ''
${xorg.xmodmap}/bin/xmodmap -e "keycode 64 = Mode_switch"
${xorg.xmodmap}/bin/xmodmap -e "keycode 43 = h H Left H"
${xorg.xmodmap}/bin/xmodmap -e "keycode 44 = j J Down J"
${xorg.xmodmap}/bin/xmodmap -e "keycode 45 = k K Up K"
${xorg.xmodmap}/bin/xmodmap -e "keycode 46 = l L Right L"
'')
];
}


@ -15,7 +15,7 @@
XF86AudioMicMute
pamixer --default-source --toggle-mute && dunstify-volume-notification && pkill -RTMIN+10 dwmblocks && exit 1
control + F9
XF86Messenger
dunstify-battery-notification
control + F8
@ -26,9 +26,6 @@
control + F7
emoji-picker
control + F4
dmenu-set-wm-class
'';
};
}


@ -1,4 +1,4 @@
{...}: {
{pkgs, ...}: {
# TODO: configure x11 to look in .config/x11
home.file.".xinitrc" = {
recursive = true;
@ -7,7 +7,7 @@
picom -b --config ~/.config/picom/picom.conf
xrdb -merge ~/.Xresources
autostart="clipboard-save dwmblocks feh-wallpaper-changer sxhkd key-remaps"
autostart="clipboard-save dwmblocks feh-wallpaper-changer sxhkd"
for program in $autostart; do
pidof -sx "$program" || "$program" &


@ -22,8 +22,8 @@
extraConfig =
let
monitor = "${toString (builtins.map (m: "monitor=${ m.name },${ toString( m.width ) }x${ toString( m.height ) }@${ toString( m.refreshRate ) },${ toString( m.x ) }x${ toString( m.y ) },${ toString( m.scale ) }\n") config.monitors)}";
active = "rgba(${config.colorScheme.palette.base08}ee)";
inactive = "rgba(${config.colorScheme.palette.base0C}ee)";
active = "rgba(${config.colorScheme.colors.base08}ee)";
inactive = "rgba(${config.colorScheme.colors.base0C}ee)";
in
''


@ -1,13 +1,10 @@
{ pkgs, configVars, ... }:
let
email = configVars.email.user;
in
{ pkgs, ... }:
{
programs.git = {
enable = true;
package = pkgs.gitAndTools.gitFull;
userName = "Sam";
userEmail = "${email}";
userEmail = "samual.shop@proton.me";
aliases = { };
extraConfig = {
pull.rebase = false;


@ -3,8 +3,7 @@ let
user = config.home.username;
in
{
home.activation.getNotes = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
touch /tmp/notes
home.activation.get-notes = lib.hm.dag.entryAfter [ "installPackages" ] ''
notes_dir=/home/${user}/.local/share/notes
remote=git@git.bitlab21.com:sam/notes
if [ -d "$notes_dir" ];
@ -14,9 +13,6 @@ in
else
mkdir -p "$notes_dir" && PATH="${pkgs.git}/bin:${pkgs.openssh}/bin:$PATH" git clone "$remote" "$notes_dir"
fi
'';
home.activation.foo = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
touch /tmp/foo
exit 0
'';
}
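Review bot: The `git clone` in the new `home.activation.get-notes` hook runs on every activation with no error handling, so an unreachable `git.bitlab21.com`, a missing SSH key, or an unknown host key (the hook has no tty, so a host-key prompt cannot be answered) fails the `mkdir -p … && git clone …` chain and, presumably under the `set -e` of the generated activation script, aborts the whole activation. Since the notes checkout is a convenience rather than something the rest of the profile depends on, make the failure non-fatal but visible: `PATH="${pkgs.git}/bin:${pkgs.openssh}/bin:$PATH" git clone "$remote" "$notes_dir" || echo "get-notes: clone of $remote failed, continuing" >&2`. The `if [ -d "$notes_dir" ]` branch is cut by the hunk, so its update command could not be checked for the same issue.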


@ -1,11 +1,14 @@
{
...
{ ...
}: {
imports = [
# Import users
./users/admin
./common/core
./common/optional/git.nix
./common/optional/sops.nix
];
./common/core
./common/optional/sops.nix
# Import optional
./common/optional/git.nix
];
}


@ -1,11 +1,13 @@
{
...
{ ...
}: {
imports = [
# Import users
./users/admin
./common/core
./common/optional/git.nix
./common/optional/sops.nix
];
./common/core
# Import optional
./common/optional/git.nix
];
}

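--- /dev/null
+++ b/home/nixdev.nix
@@ -0,0 +1,29 @@
+{ ...
+}: {
+imports = [
+# Import users
+./users/sam
+./common/core
+./common/optional/desktop/hyprland
+./common/optional/desktop/waybar.nix
+./common/optional/sops.nix
+# Import optional
+./common/optional/git.nix
+];
+# ------
+# | DP-1
+# ------
+monitors = [
+{
+name = "Virtual-1";
+width = 2048;
+height = 1152;
+x = 0;
+workspace = "1";
+primary = true;
+}
+];
+}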
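Review bot: The diagram comment above `monitors` labels the output `DP-1`, but the only entry is `name = "Virtual-1"`, so the comment is stale on the day the file is added; change it to `# | Virtual-1` or drop the diagram. The entry also sets no `y`, `refreshRate` or `scale`, while the hyprland module in this compare builds its `monitor=` line from `m.y`, `m.refreshRate` and `m.scale` for every entry, so either the monitors option declares defaults for those or evaluating this host will fail; worth confirming before merging.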


@ -18,11 +18,6 @@
./common/optional/notes.nix
./common/optional/yazi.nix
./common/optional/transmission.nix
./common/optional/desktop/common/xdg
];
home.packages = [
pkgs.qgis
];
colorScheme = {
@ -58,28 +53,28 @@
! dwm
dwm.borderpx: 3
dwm.font: monospace:size=12
dwm.col_base00: #${config.colorScheme.palette.base00}
dwm.col_base03: #${config.colorScheme.palette.base03}
dwm.col_base04: #${config.colorScheme.palette.base04}
dwm.col_base05: #${config.colorScheme.palette.base05}
dwm.col_base08: #${config.colorScheme.palette.base08}
dwm.col_base0B: #${config.colorScheme.palette.base0B}
dwm.col_base00: #${config.colorScheme.colors.base00}
dwm.col_base03: #${config.colorScheme.colors.base03}
dwm.col_base04: #${config.colorScheme.colors.base04}
dwm.col_base05: #${config.colorScheme.colors.base05}
dwm.col_base08: #${config.colorScheme.colors.base08}
dwm.col_base0B: #${config.colorScheme.colors.base0B}
! dmenu
dmenu.font: monospace:size=12
dmenu.font2: NotoColorEmoji:pixelsize=22:antialias=true:autohint=true
dmenu.topbar: 1
dmenu.normfgcolor: #${config.colorScheme.palette.base05}
dmenu.normbgcolor: #${config.colorScheme.palette.base03}
dmenu.selfgcolor: #${config.colorScheme.palette.base00}
dmenu.selbgcolor: #${config.colorScheme.palette.base0B}
dmenu.normfgcolor: #${config.colorScheme.colors.base05}
dmenu.normbgcolor: #${config.colorScheme.colors.base03}
dmenu.selfgcolor: #${config.colorScheme.colors.base00}
dmenu.selbgcolor: #${config.colorScheme.colors.base0B}
Nsxiv.window.background: #${config.colorScheme.palette.base03}
Nsxiv.window.foreground: #${config.colorScheme.palette.base05}
Nsxiv.mark.foreground: #${config.colorScheme.palette.base08}
Nsxiv.window.background: #${config.colorScheme.colors.base03}
Nsxiv.window.foreground: #${config.colorScheme.colors.base05}
Nsxiv.mark.foreground: #${config.colorScheme.colors.base08}
Nsxiv.bar.background: #${config.colorScheme.palette.base00}
Nsxiv.bar.foreground: #${config.colorScheme.palette.base05}
Nsxiv.bar.background: #${config.colorScheme.colors.base00}
Nsxiv.bar.foreground: #${config.colorScheme.colors.base05}
Nsxiv.bar.font: monospace:size=12
'';
}


@ -11,7 +11,6 @@
./common/optional/git.nix
./common/optional/syncthing.nix
./common/optional/desktop/cinnamon
./common/optional/desktop/common/kodi.nix
];


@ -1,4 +1,4 @@
{ outputs, ... }:
{ config, pkgs, lib, outputs, ... }:
{
home.username = "admin";
@ -7,16 +7,6 @@
imports = [
] ++ (builtins.attrValues outputs.homeManagerModules); # import all homeManagerModules?
programs.ssh = {
enable = true;
matchBlocks = {
"git.bitlab21.com" = {
identitiesOnly = true;
identityFile = ["~/.ssh/deploy_key-ssh-ed25519"];
};
};
};
home.packages = [
];
@ -27,7 +17,6 @@
];
home.sessionVariables = {
EDITOR = "nvim";
};
programs.home-manager.enable = true;
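Review bot: The new module header `{ config, pkgs, lib, outputs, ... }:` binds `config`, `pkgs` and `lib`, none of which appears in the visible hunks; if the rest of the file does not use them either, `{ outputs, ... }:` is sufficient and keeps deadnix quiet. On the same side the `programs.ssh.matchBlocks."git.bitlab21.com"` block with `identitiesOnly = true` and the deploy-key `identityFile` is gone, so ssh will offer every agent key and default identity file to that host instead of only the deploy key; the notes activation hook in this compare clones from the same host, so if the pinning was intentional it belongs back here or in a shared module. The `home.sessionVariables` block is cut off by the last hunk and could not be checked.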


@ -1,9 +1,4 @@
{
outputs,
...
}:
{
{outputs, ...}: {
home.username = "sam";
home.homeDirectory = "/home/sam";


@ -3,20 +3,18 @@
lib,
pkgs,
config,
configVars,
outputs,
...
}: let
# Disko setup
fsType = "btrfs"; # one of ext4 or btrfs. Use btrfs if using impermanence
dev = "/dev/nvme0n1"; # depends on target hardware
encrypted = true; # currrently only applies to btrfs
btrfsMountDevice = "/dev/mapper/crypted";
btrfsMountDevice =
if encrypted
then "/dev/mapper/crypted"
else "/dev/root_vg/root";
user = "sam";
impermanence = true;
piholeIp = configVars.networking.addresses.pihole.ip;
merlinIp = configVars.networking.addresses.merlin.ip;
gatewayIp = configVars.networking.addresses.gateway.ip;
in {
imports = [
# Create users for this host
@ -46,33 +44,19 @@ in {
../common/optional/pipewire.nix
../common/optional/openssh.nix
../common/optional/dwm.nix
../common/optional/fileserver/nfs-client/media.nix
../common/optional/fileserver/nfs-client/photos.nix
../common/optional/fileserver/nfs-client/personal.nix
../common/optional/nfs-mounts/media.nix
../common/optional/nfs-mounts/homeshare.nix
../common/optional/nfs-mounts/photos.nix
../common/optional/printing.nix
../common/optional/backlight.nix
../common/optional/xmodmap-arrow-remaps.nix
../common/optional/nix-ld.nix
../common/optional/gaming.nix
../common/optional/powersave.nix
../common/optional/restic-backup.nix
../common/optional/distributed-builds/local-machine.nix
# ../../modules/nixos
outputs.nixosModules.nixosAutoUpgrade
];
boot = {
supportedFilesystems = ["nfs"];
blacklistedKernelModules = ["snd_hda_intel" "snd_soc_skl"];
kernelModules = ["iwlwifi"];
initrd.kernelModules = ["thinkpad-acpi" "acpi-call" "nfs"];
# BUG: Using older linux kernel because of build errors
# see https://github.com/NixOS/nixpkgs/issues/375605
# kernelPackages = pkgs.linuxPackagesFor pkgs.linux_latest;
kernelPackages = pkgs.linuxKernel.packages.linux_6_12;
initrd.kernelModules = ["thinkpad-acpi" "acpi-call"];
kernelPackages = pkgs.linuxPackagesFor pkgs.linux_latest;
extraModulePackages = [
config.boot.kernelPackages.acpi_call
];
@ -83,24 +67,6 @@ in {
};
};
swapDevices = [
{
device = "/.swapvol/swapfile";
size = 4 * 1024;
}
];
system.services.nixosAutoUpgrade = {
enable = true;
persistent = true;
reboot = false;
remote = "remotebuild@${merlinIp}";
pushUpdates = false;
configDir = "/etc/nixos";
onCalendar = "*-*-* 08:00:00";
user = "sam";
};
services = {
libinput.touchpad.accelSpeed = "0.5";
xserver = {
@ -108,18 +74,8 @@ in {
dpi = 196;
upscaleDefaultCursor = true;
};
# enable oom killer when system ram drops below 5% free
earlyoom = {
enable = true;
freeMemThreshold = 5; # <%5 free
};
};
# fix cpu throttling on Lenovo Thinkpad
# see: https://github.com/erpalma/throttled
services.throttled.enable = true;
environment.variables = {
GDK_SCALE = "2.2";
GDK_DPI_SCALE = "0.8";
@ -128,6 +84,17 @@ in {
XCURSOR_SIZE = "64";
};
services.tlp = {
enable = true;
settings = {
CPU_SCALING_GOVERNOR_ON_AC = "ondemand";
CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
START_CHARGE_THRESH_BAT0 = 50;
STOP_CHARGE_THRESH_BAT0 = 95;
};
};
hardware = {
bluetooth = {
enable = true;
@ -139,61 +106,11 @@ in {
];
};
# nvidia
hardware.opengl = {
enable = true;
};
services.xserver.videoDrivers = ["nvidia"];
hardware.nvidia = {
prime = {
offload = {
enable = true;
enableOffloadCmd = true;
};
intelBusId = "PCI:0:2:0";
nvidiaBusId = "PCI:1:0:0";
};
nvidiaPersistenced = true;
modesetting.enable = true;
powerManagement.enable = true;
powerManagement.finegrained = true;
open = false;
nvidiaSettings = true;
};
# https://bbs.archlinux.org/viewtopic.php?id=297276 for NVreg_EnableGpuFirmware fix
# https://discourse.nixos.org/t/how-to-use-nvidia-prime-offload-to-run-the-x-server-on-the-integrated-board/9091/15
# for udev rules to disable dGPU when not in use
boot.extraModprobeConfig = ''
options nvidia NVreg_EnableGpuFirmware=0
'';
services.udev.extraRules = ''
# Remove NVIDIA USB xHCI Host Controller devices, if present
ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c0330", ATTR{remove}="1"
# Remove NVIDIA USB Type-C UCSI devices, if present
ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x0c8000", ATTR{remove}="1"
# Remove NVIDIA Audio devices, if present
ACTION=="add", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x040300", ATTR{remove}="1"
# Enable runtime PM for NVIDIA VGA/3D controller devices on driver bind
ACTION=="bind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030000", TEST=="power/control", ATTR{power/control}="auto"
ACTION=="bind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030200", TEST=="power/control", ATTR{power/control}="auto"
# Disable runtime PM for NVIDIA VGA/3D controller devices on driver unbind
ACTION=="unbind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030000", TEST=="power/control", ATTR{power/control}="on"
ACTION=="unbind", SUBSYSTEM=="pci", ATTR{vendor}=="0x10de", ATTR{class}=="0x030200", TEST=="power/control", ATTR{power/control}="on"
'';
programs.fuse.userAllowOther = true;
networking = {
hostName = "citadel";
networkmanager.enable = true;
enableIPv6 = false;
nameservers = ["${piholeIp}" "${gatewayIp}" "8.8.8.8"];
nameservers = ["10.0.10.60" "8.8.8.8"];
};
services.libinput.enable = true;
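Review bot: `nameservers = ["10.0.10.60" "8.8.8.8"]` puts a public resolver behind the LAN one, so whenever 10.0.10.60 times out or is down, lookups from this host go to 8.8.8.8 in the clear and bypass whatever filtering and logging the local resolver provides, and nothing in the config records that this is intended. If the fallback is deliberate, say so next to it (`# 8.8.8.8 is a last-resort fallback; queries leave the LAN unfiltered while 10.0.10.60 is down`); if not, drop it and let NetworkManager, enabled just above, use the DHCP-provided servers. The `networking` block is complete within the hunk; the rest of the module is not.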


@ -1,112 +0,0 @@
{
configVars,
outputs,
lib,
...
}: let
user = "admin";
merlinIp = configVars.networking.addresses.merlin.ip;
cloudnixIp = configVars.networking.addresses.cloudnix.ip;
btrfsMountDevice = "/dev/disk/by-uuid/2aec8052-68fc-4bac-9b8d-c10b9b659ad8";
in {
imports = [
# Create users for this host
../common/users/${user}
# Import core options
./hardware-configuration.nix
../common/core
# Impermanence
../common/optional/persistence.nix
(import ../common/disks/btrfs/impermanence.nix {
btrfsMountDevice = btrfsMountDevice;
lib = lib;
})
# Import optional options
../common/optional/persistence.nix
../common/optional/openssh.nix
../common/optional/distributed-builds/local-machine.nix
../common/optional/nixos-containers/semitamaps.nix
../common/optional/nixos-containers/vaultwarden.nix
../common/optional/nixos-containers/xmpp.nix
../common/optional/fail2ban.nix
../common/optional/restic-backup.nix
../common/optional/nginx/vaultwarden.nix
../common/optional/nginx/xmpp.nix
outputs.nixosModules.nixosAutoUpgrade
];
services.restic.backups = {
daily = {
paths = [
"/persist/"
];
exclude = [
];
};
};
boot = {
loader = {
efi.canTouchEfiVariables = false;
grub = {
enable = true;
devices = ["/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_57492184"];
};
};
};
services = {
earlyoom = {
enable = true;
freeMemThreshold = 5; # <%5 free
};
};
system.services.nixosAutoUpgrade = {
enable = true;
persistent = true;
remote = "remotebuild@${merlinIp}";
reboot = false;
pushUpdates = false;
configDir = "/etc/nixos";
onCalendar = "*-*-* 06:00:00";
user = "admin";
};
environment.persistence."/persist" = {
directories = [
"/var/lib/tailscale"
];
};
# enable tailscale
services.tailscale.enable = true;
networking = {
hostName = "cloudnix";
nameservers = ["8.8.8.8"];
firewall.enable = true;
};
systemd.network.networks."10-wan" = {
networkConfig.DHCP = "no";
address = [
"${cloudnixIp}/32"
];
routes = [
{ routeConfig = { Destination = "172.31.1.1"; }; }
{ routeConfig = { Gateway = "172.31.1.1"; GatewayOnLink = true; }; }
];
};
services.libinput.enable = true;
}


@ -1,61 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/2aec8052-68fc-4bac-9b8d-c10b9b659ad8";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/.swapvol" =
{ device = "/dev/disk/by-uuid/2aec8052-68fc-4bac-9b8d-c10b9b659ad8";
fsType = "btrfs";
options = [ "subvol=swap" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/1DE3-CACA";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/2aec8052-68fc-4bac-9b8d-c10b9b659ad8";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
fileSystems."/persist" =
{ device = "/dev/disk/by-uuid/2aec8052-68fc-4bac-9b8d-c10b9b659ad8";
fsType = "btrfs";
options = [ "subvol=persist" ];
};
swapDevices = [
{
device = "/.swapvol/swapfile";
size = 2 * 1024;
}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -14,7 +14,7 @@ in
outputs.overlays.additions
outputs.overlays.modifications
outputs.overlays.unstable-packages
inputs.nur.overlays.default
inputs.nur.overlay
];
config = {
allowUnfree = true;
@ -37,27 +37,13 @@ in
};
};
nix.gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 30d";
};
environment.systemPackages = [
pkgs.rsync
pkgs.curl
pkgs.just
pkgs.git
pkgs.vim
];
programs.git = {
enable = true;
package = pkgs.git;
config = {
# need to set /etc/nixos as safe directory to enable root to interact with non-root nix config repo
safe = {directory = ["/etc/nixos"]; };
};
};
system.stateVersion = "24.05";
}
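Review bot: The NUR overlay line that survives this hunk pulls the whole Nix User Repository into the package set next to `allowUnfree = true`, and NUR packages are community-submitted rather than reviewed by nixpkgs maintainers, so anything later referenced as `pkgs.nur.repos.*` is a supply-chain trust decision that the file does not record. Which of `inputs.nur.overlays.default` and `inputs.nur.overlay` is the kept side is not certain from the rendered page; `overlays.default` appears to be the newer flake-output form and `overlay` the older name, so confirm the chosen attribute exists in the pinned input or evaluation will fail on this line. I would add above it: `# NUR is unvetted community packages: keep the input pinned and only reference repos that have been reviewed`. The `config = { allowUnfree = true; ... }` block continues past the first hunk, and the second hunk's removed lines are history.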


@ -1,13 +1,13 @@
{
lib,
inputs,
config,
...
}: let
{ pkgs, lib, inputs, config, ... }:
let
secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml";
hasOptinPersistence = config.environment.persistence ? "/persist";
in {
hostname = config.networking.hostName;
in
{
imports = [
inputs.sops-nix.nixosModules.sops
];
@ -17,7 +17,7 @@ in {
validateSopsFiles = false;
age = {
sshKeyPaths = ["${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh/ssh_host_ed25519_key"];
sshKeyPaths = [ "${lib.optionalString hasOptinPersistence "/persist"}/etc/ssh/ssh_host_ed25519_key" ];
};
secrets = {
"passwords/root".neededForUsers = true;
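Review bot: `validateSopsFiles = false` is kept in this hunk without a comment saying why, and it turns off the eval-time check that the file behind `defaultSopsFile` exists and parses, so a wrong path in the `nix-secrets` input only surfaces when activation fails on the target host. It looks necessary here because `secretsFile` is a string built from a flake input rather than a Nix path, but that should be written down: `# secretsFile is a string into the nix-secrets input, so the eval-time file check cannot run`. The age identity is the host's ed25519 SSH key, read from `/persist` when opt-in persistence is on, which means rotating or losing that host key invalidates every secret encrypted to it; a one-line comment on `sshKeyPaths` would save the next maintainer that discovery. The `sops = { ... }` attribute set and the `secrets` list continue past the hunk.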


@ -1,36 +0,0 @@
{
device ? throw "Must define a device, e.g. /dev/sda",
fsModule ? "Must specify submodule"
}:
{
disko.devices = {
disk = {
main = {
type = "disk";
inherit device;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
start = "1M";
end = "128M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = ["umask=0077"];
};
};
root = {
size = "100%";
content = import "${fsModule}";
};
};
};
};
};
};
}


@ -1,57 +0,0 @@
{
disko.devices = {
disk = {
main = {
type = "disk";
device = "/dev/sda";
content = {
type = "gpt";
partitions = {
BOOT = {
size = "1M";
type = "EF02";
priority = 1;
};
ESP = {
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = ["umask=0077"];
};
};
root = {
size = "100%";
content = {
type = "btrfs";
extraArgs = ["-f"];
subvolumes = {
"/root" = {
mountpoint = "/";
};
"/persist" = {
mountOptions = ["subvol=persist"];
mountpoint = "/persist";
};
"/nix" = {
mountOptions = ["subvol=nix" "noatime"];
mountpoint = "/nix";
};
"/swap" = {
mountOptions = ["noatime"];
mountpoint = "/.swapvol";
};
};
};
};
};
};
};
};
};
}


@ -19,6 +19,7 @@
"/swap" = {
mountOptions = [ "noatime" ];
mountpoint = "/.swapvol";
swap.swapfile.size = "8192M";
};
};
}
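Review bot: `swap.swapfile.size = "8192M"` places a swapfile on a plain btrfs subvolume, and nothing in this hunk says whether that subvolume sits inside a LUKS container; if this subvolume layout is also reached through the unencrypted `basic` path selected in `default.nix`, pages of sops-decrypted secrets and other key material can be written to disk in the clear. Record the intent on the line, e.g. `# swapfile on the root disk: only safe for secret material when the disk is LUKS-backed (see the encrypted flag in default.nix)`. The enclosing `subvolumes` attribute set starts before the hunk.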


@ -1,8 +1,11 @@
{ device, fsType, encrypted, impermanence, ... }:
let
fsModule = if impermanence then ./${fsType}/persist.nix else ./${fsType}/standard.nix;
basic = import ./basic.nix { inherit device; fsModule = fsModule; };
basic = import ./${fsType}/basic.nix { inherit device; };
lvm = import ./lvm.nix { inherit device; fsModule = fsModule; };
luks = import ./luks.nix { inherit device; fsModule = fsModule; };
in
if fsType == "btrfs" && encrypted then luks
else basic
if fsType == "ext4" then basic
else if fsType == "btrfs" && encrypted then luks
else if fsType == "btrfs" then lvm
else null
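Review bot: `encrypted` is silently ignored for ext4 in the new selector, because `if fsType == "ext4" then basic` is tested before the `encrypted` branch, so a host declared with `fsType = "ext4"; encrypted = true;` is partitioned without LUKS and nothing fails. The final `else null` has the same quiet failure mode for any other `fsType`: disko receives `null` instead of a module and the error appears far from its cause. Make both cases loud: `if fsType == "ext4" then (if encrypted then throw "encrypted ext4 is not supported here" else basic)` and `else throw "unsupported fsType: ${fsType}"`. The `impermanence` switch between `persist.nix` and `standard.nix` applies to both filesystems and is unaffected.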


@ -1,42 +0,0 @@
{ pkgs, configVars, ... }:
let
remoteMachineIp = configVars.networking.addresses.remote-builder.ip;
in
{
# nix.distributedBuilds = true;
# nix.settings.builders-use-substitutes = true;
# nix.settings.max-jobs = 0;
# nix.settings.trusted-substituters = ["ssh://${remoteMachineIp}"];
# nix.settings.substituters = ["ssh://${remoteMachineIp}"];
#
# nix.buildMachines = [
# {
# hostName = "remotebuild@${remoteMachineIp}";
# speedFactor = 1;
# maxJobs = 10;
# sshKey = "/root/.ssh/remotebuild";
# system = pkgs.stdenv.hostPlatform.system;
# supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
# }
# ];
programs.ssh.knownHosts = {
"merlin" = {
publicKey = "${remoteMachineIp} ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFSGyrQvwa7gj0tG/EX3siWzGT9badUkD0yw0YGkcNeQ";
};
};
programs.ssh.extraConfig = ''
Host ${remoteMachineIp}
Port 22
User remotebuild
IdentitiesOnly yes
IdentityFile /root/.ssh/remotebuild
'';
sops.secrets = {
"ssh_keys/root/remotebuild" = {
path = "/root/.ssh/remotebuild";
};
};
}


@ -1,15 +0,0 @@
{
users.users.remotebuild = {
isNormalUser = true;
createHome = false;
group = "remotebuild";
openssh.authorizedKeys.keyFiles = [
./remotebuild.pub
];
};
users.groups.remotebuild = {};
nix.settings.trusted-users = ["remotebuild"];
}


@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUPnjP4eql1QT4b9ewbyy7Dyk26PrlQlilO7/RBKCHz remote


@ -1,70 +0,0 @@
{config, ...}: let
openVpnPwd = config.sops.secrets."software/proton/openvpn_password".path;
openVpnUser = config.sops.secrets."software/proton/openvpn_user".path;
in {
sops.secrets = {
"software/proton/openvpn_password" = {};
"software/proton/openvpn_user" = {};
};
networking = {
firewall = {
enable = true;
allowedTCPPorts = [
6887
];
allowedUDPPorts = [
6887
];
};
};
virtualisation.arion = {
backend = "podman-socket";
projects.arrstack = {
settings = {
services.gluetun.service = {
ports = [
"8076:8076" # qbittorrent webui port
"6887:6887" # qbittorrent torrenting port
"6887:6887/udp" # qbittorrent torrenting port
];
image = "qmcgaw/gluetun";
capabilities = {NET_ADMIN = true;};
container_name = "glutun";
restart = "always";
volumes = [
"/srv/docker/media-server/arrstack/gluetun:/gluetun"
"${openVpnPwd}:/run/secrets/openvpn_password"
"${openVpnUser}:/run/secrets/openvpn_user"
];
environment = {
VPN_SERVICE_PROVIDER = "protonvpn";
VPN_TYPE = "openvpn";
SERVER_COUNTRIES = "Switzerland";
VPN_PORT_FORWARDING = "on";
};
devices = ["/dev/net/tun:/dev/net/tun"];
};
services.qbittorrent.service = {
image = "lscr.io/linuxserver/qbittorrent:latest";
container_name = "qbittorrent";
restart = "always";
volumes = [
"/srv/docker/media-server/arrstack/qbittorrent:/config"
"/media/media/downloads:/downloads"
];
environment = {
TZ = "Europe/London";
WEBUI_PORT = 8076;
TORRENTING_PORT = 6887;
PUID = 1000;
PGID = 1000;
};
network_mode = "service:gluetun";
};
};
};
};
}


@ -1,17 +0,0 @@
{
config.virtualisation.oci-containers = {
backend = "podman";
containers = {
baikal = {
image = "ckulka/baikal:nginx";
ports = [
"6734:80"
];
volumes = [
"/srv/docker/baikal/config:/var/www/baikal/config"
"/srv/docker/baikal/data:/var/www/baikal/Specific"
];
};
};
};
}


@ -1,31 +0,0 @@
{
config.virtualisation.oci-containers = {
backend = "podman";
containers = {
jellyfin = {
image = "lscr.io/linuxserver/jellyfin:latest";
ports = [
"8096:8096"
];
volumes = [
"/srv/docker/media-server/jellyfin/config:/config"
"/media/media/tv:/data/tvshows:ro"
"/media/media/movies:/data/movies:ro"
"/media/media/music/music_data:/data/music:ro"
"/media/media/youtube:/data/youtube:ro"
"/media/media/podcasts:/data/podcasts:ro"
"/srv/docker/media-server/jellyfin/config/custom-cont-init.d:/custom-cont-init.d:ro"
];
environment = {
PUID = "1000";
PGID = "1000";
DOCKER_MODS = "linuxserver/mods:jellyfin-opencl-intel";
NVIDIA_VISIBLE_DEVICES = "all";
};
extraOptions = [
"--device=nvidia.com/gpu=all"
];
};
};
};
}


@ -1,78 +0,0 @@
{config, ...}: {
sops.secrets = {
"software/photoprism" = {
path = "/etc/photoprism/options.yml";
};
};
virtualisation.arion = {
backend = "podman-socket";
projects.photoprism = {
settings = {
services.photoprism.service = {
ports = [
"2342:2342"
];
container_name = "photoprism";
image = "photoprism/photoprism:latest";
restart = "always";
depends_on = ["mariadb"];
volumes = [
"/media/photos/sam/originals:/photoprism/originals"
"/media/photos/sam/imports:/photoprism/import"
"/srv/docker/photoprism/storage:/photoprism/storage"
"${config.sops.secrets."software/photoprism".path}:/etc/photoprism/options.yml"
];
environment = {
PHOTOPRISM_CONFIG_PATH = "/etc/photoprism";
PHOTOPRISM_INIT = "intel";
PHOTOPRISM_ORIGINALS_LIMIT = 5000;
PHOTOPRISM_HTTP_COMPRESSION = "gzip";
PHOTOPRISM_DEBUG = "false";
PHOTOPRISM_LOG = "trace";
PHOTOPRISM_PUBLIC = "false";
PHOTOPRISM_READONLY = "false";
PHOTOPRISM_EXPERIMENTAL = "false";
PHOTOPRISM_DISABLE_CHOWN = "false";
PHOTOPRISM_DISABLE_WEBDAV = "false";
PHOTOPRISM_DISABLE_SETTINGS = "false";
PHOTOPRISM_DISABLE_TENSORFLOW = "false";
PHOTOPRISM_DISABLE_FACES = "false";
PHOTOPRISM_DISABLE_CLASSIFICATION = "false";
PHOTOPRISM_DARKTABLE_PRESETS = "false";
PHOTOPRISM_DETECT_NSFW = "false";
PHOTOPRISM_UPLOAD_NSFW = "true";
PHOTOPRISM_DATABASE_DRIVER = "mysql";
PHOTOPRISM_DATABASE_SERVER = "mariadb:3306";
PHOTOPRISM_DATABASE_NAME = "photoprism";
PHOTOPRISM_DATABASE_USER = "photoprism";
PHOTOPRISM_SITE_TITLE = "PhotoPrism";
PHOTOPRISM_SITE_CAPTION = "AI-Powered Photos App";
PHOTOPRISM_UID = 0;
PHOTOPRISM_GID = 0;
PHOTOPRISM_FFMPEG_ENCODER = "intel";
PHOTOPRISM_FFMPEG_SIZE = "1920";
PHOTOPRISM_FFMPEG_BITRATE = "50";
HOME = "/photoprism";
};
devices = ["/dev/dri:/dev/dri"];
};
services.mariadb.service = {
container_name = "photoprism-mariadb";
image = "mariadb:10.11";
restart = "always";
command = "mysqld --innodb-buffer-pool-size=4G --innodb_log_file_size=1G --transaction-isolation=READ-COMMITTED --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci --max-connections=512 --innodb-rollback-on-timeout=OFF --innodb-lock-wait-timeout=120";
volumes = [
"/srv/docker/photoprism/database:/var/lib/mysql"
];
environment = {
MARIADB_AUTO_UPGRADE = "1";
MARIADB_INITDB_SKIP_TZINFO = "1";
MYSQL_DATABASE = "photoprism";
MYSQL_USER = "photoprism";
};
};
};
};
};
}


@ -1,26 +0,0 @@
{
virtualisation.arion = {
backend = "podman-socket";
projects.pihole = {
settings = {
services.pihole.service = {
ports = [
"53:53/tcp"
"53:53/udp"
"80:80/tcp"
];
container_name = "pihole";
image = "pihole/pihole:latest";
restart = "always";
volumes = [
"/srv/docker/pihole/etc-pihole:/etc/pihole"
"/srv/docker/pihole/etc-dnsmasq.d:/etc/dnsmasq.d"
];
environment = {
TZ = "Europe/London";
};
};
};
};
};
}


@ -1,32 +0,0 @@
{configVars, ...}:
let
# configVars = import ../../../../vars {inherit inputs};
piholeIp = configVars.networking.addresses.pihole.ip;
in
{
virtualisation.arion = {
backend = "podman-socket";
projects.searxng = {
settings = {
services.redis.service = {
container_name = "redis";
image = "redis:alpine";
restart = "always";
command = [ "redis-server" "--save" "" "--appendonly" "no" ];
tmpfs = [ "/var/lib/redis" ];
capabilities = { ALL = false; SETGID = true; SETUID = true; DAC_OVERRIDE = true; };
};
services.searxng.service = {
container_name = "searxng";
image = "searxng/searxng:latest";
restart = "always";
ports = [ "8855:8080" ];
dns = [ piholeIp ];
volumes = [ "/srv/docker/searxng-docker/searxng:/etc/searxng:rw" ];
capabilities = { ALL = false; CHOWN = true; SETGID = true; SETUID = true; DAC_OVERRIDE = true; };
};
};
};
};
}


@ -1,25 +0,0 @@
{
config.virtualisation.oci-containers = {
backend = "podman";
containers = {
tileserver-gl = {
image = "maptiler/tileserver-gl";
ports = [
"8080:8080"
];
volumes = [
"/data/semitamaps-data/tileserver-gl/data:/data"
];
};
mbgl-renderer = {
image = "mbgl-renderer";
ports = [
"8081:80"
];
volumes = [
"/data/semitamaps-data/tileserver-gl/data:/data"
];
};
};
};
}


@ -1,29 +0,0 @@
{
virtualisation.arion = {
backend = "podman-socket";
projects.syncthing = {
settings = {
services.syncthing.service = {
ports = [
"8384:8384"
"22000:22000/tcp"
"22000:22000/udp"
"21027:21027/udp"
];
container_name = "syncthing";
image = "lscr.io/linuxserver/syncthing:latest";
restart = "always";
environment = {
PUID = "1000";
GUID = "1000";
};
volumes = [
"/srv/docker/syncthing/appdata/config:/config"
"/srv/docker/syncthing/data:/data"
];
};
};
};
};
}


@ -17,9 +17,6 @@
};
};
# need to open firewall for dns resolving. see https://github.com/NixOS/nixpkgs/issues/226365#issuecomment-1814296639
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
environment.persistence."/persist" = {
hideMounts = true;
directories = [


@ -12,12 +12,12 @@
windowManager.dwm = {
enable = true;
package = pkgs.dwm.overrideAttrs {
# src = /home/sam/.local/share/src/dwm;
src = pkgs.fetchgit {
url = "https://git.bitlab21.com/sam/dwm";
rev = "26c82bae50ed580f651fd8316d9b162620872035";
sha256 = "sha256-Qx71t1d7RMVaWKIJ71SPIF49+jjhwN7xI2ZubAoHO8E=";
};
#src = /home/sam/.local/share/src/dwm;
src = pkgs.fetchgit {
url = "https://git.bitlab21.com/sam/dwm";
rev = "49dd30c0d9970ce480ada51dfcaac1a071804c64";
sha256 = "0ywca25a1pdjvb4cgv5gx36x3yd6922pqvn9a5f60lcn5fv2a96n";
};
};
};
};


@ -1,34 +0,0 @@
{pkgs, ...}: {
environment.systemPackages = [pkgs.fail2ban];
environment.etc = {
"fail2ban/filter.d/nginx-bruteforce.conf".text = ''
[Definition]
failregex = ^<HOST>.*(GET|POST).* (404|444|403|400) .*$
'';
};
services.fail2ban = {
enable = true;
maxretry = 5;
ignoreIP = [
];
bantime-increment = {
enable = true;
multipliers = "1 2 4 8 16 32 64";
maxtime = "168h";
};
jails = {
nginx-spam.settings = {
filter = "nginx-bruteforce";
action = "iptables-allports";
logpath = "/var/log/nginx/access.log";
backend = "auto";
findtime = 600;
bantime = 600;
maxretry = 10;
};
};
};
}


@ -0,0 +1,27 @@
{...}:
{
fileSystems."/exports" = {
device = "/dev/vdb1";
fsType = "ext4";
};
services.nfs.server = {
enable = true;
# fixed rpc.statd port; for firewall
lockdPort = 4001;
mountdPort = 4002;
statdPort = 4000;
extraNfsdConfig = '''';
exports = ''
/exports *(rw,insecure,all_squash)
'';
};
# open nfs ports
networking.firewall = {
enable = true;
# for NFSv3; view with `rpcinfo -p`
allowedTCPPorts = [ 111 2049 4000 4001 4002 20048 ];
allowedUDPPorts = [ 111 2049 4000 4001 4002 20048 ];
};
}
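Review bot: `/exports *(rw,insecure,all_squash)` exports the share read-write to every client that can reach port 2049, `insecure` additionally accepts requests from unprivileged source ports, and the firewall block opens 111/2049/20048 plus the fixed rpc ports on all interfaces; NFSv3 as configured here has no authentication beyond the client address, so this is anonymous world-writable storage on every network the host is attached to. Scope the export and the firewall to the client network, e.g. `/exports 10.0.10.0/24(rw,sync,no_subtree_check,all_squash)` (the mount modules in this compare point at 10.0.10.30, so the LAN is presumably 10.0.10.0/24 — confirm) and `networking.firewall.interfaces.<lan>.allowedTCPPorts = [ ... ];` instead of the global lists, keeping `insecure` only if a client genuinely cannot bind a privileged port. `device = "/dev/vdb1"` is a bare device name rather than a `/dev/disk/by-uuid/...` path, so a change in enumeration order would silently export a different disk.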


@ -1,10 +0,0 @@
{configVars, pkgs, ...}: let
fileserverIp = configVars.networking.addresses.fileserver.ip;
in {
environment.systemPackages = [pkgs.nfs-utils];
fileSystems."/media/media" = {
device = "${fileserverIp}:/srv/export/media";
fsType = "nfs";
options = ["noatime" "_netdev"];
};
}


@ -1,10 +0,0 @@
{configVars, pkgs, ...}: let
fileserverIp = configVars.networking.addresses.fileserver.ip;
in {
environment.systemPackages = [pkgs.nfs-utils];
fileSystems."/media/personal" = {
device = "${fileserverIp}:/srv/export/personal";
fsType = "nfs";
options = ["noatime" "_netdev"];
};
}


@ -1,10 +0,0 @@
{configVars, pkgs, ...}: let
fileserverIp = configVars.networking.addresses.fileserver.ip;
in {
environment.systemPackages = [pkgs.nfs-utils];
fileSystems."/media/photos" = {
device = "${fileserverIp}:/srv/export/photos";
fsType = "nfs";
options = ["noatime" "_netdev"];
};
}


@ -1,42 +0,0 @@
{configVars, ...}:
let
homeshareDataLocation = configVars.locations.homeshareDataLocation;
subnetIp = configVars.networking.addresses.subnet.ip;
in {
fileSystems."/srv/export/photos" = {
device = "${homeshareDataLocation}/photos";
options = [ "bind" ];
};
fileSystems."/srv/export/personal" = {
device = "${homeshareDataLocation}/personal";
options = [ "bind" ];
};
fileSystems."/srv/export/media" = {
device = "${homeshareDataLocation}/media";
options = [ "bind" ];
};
services.nfs.server = {
enable = true;
# fixed rpc.statd port; for firewall
lockdPort = 4001;
mountdPort = 4002;
statdPort = 4000;
extraNfsdConfig = '''';
exports = ''
/srv/export/photos ${subnetIp}/24(rw,sync,no_subtree_check)
/srv/export/media ${subnetIp}/24(rw,sync,no_subtree_check)
/srv/export/personal ${subnetIp}/24(rw,sync,no_subtree_check)
'';
};
# open nfs ports
networking.firewall = {
enable = true;
# for NFSv3; view with `rpcinfo -p`
allowedTCPPorts = [ 111 2049 4000 4001 4002 20048 ];
allowedUDPPorts = [ 111 2049 4000 4001 4002 20048 ];
};
}


@ -1,15 +1,15 @@
{ pkgs, lib, ... }:
{
# Gaming
# xone failing to build - https://github.com/NixOS/nixpkgs/pull/347471
# hardware.xone.enable = true;
hardware.xone.enable = true;
environment.systemPackages = with pkgs; [
#Xbox controller
# linuxKernel.packages.linux_zen.xone
linuxKernel.packages.linux_zen.xone
# Steam
mangohud
gamemode
gamescope
# WINE
wine
@ -23,7 +23,7 @@
# Extra dependencies
gnutls
openldap
libgpg-error
libgpgerror
freetype
sqlite
libxml2
@ -41,9 +41,11 @@
programs.steam = {
enable = true;
gamescopeSession.enable = true;
};
programs.gamemode.enable = true;
programs.gamescope.enable = true;
nixpkgs.config.packageOverrides = pkgs: {
steam = pkgs.steam.override {
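Review bot: `linuxKernel.packages.linux_zen.xone` in `environment.systemPackages` is a kernel-module package and is not loaded from there; `hardware.xone.enable = true;` already adds the module for the configured kernel, so the systemPackages entry is redundant and will fail to build if `boot.kernelPackages` is not `linux_zen` (not visible in this hunk). Which of the commented and uncommented xone lines is the kept side is not certain from the rendered page; whichever it is, the `# xone failing to build` note should stay with the commented form or be dropped together with it rather than sit next to an enabled option. `libgpgerror` and `libgpg-error` are the same attribute before and after the nixpkgs rename, so the kept name must match the pinned nixpkgs or evaluation fails. The `nixpkgs.config.packageOverrides` block is cut off at the end of the hunk.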


@ -0,0 +1,9 @@
{
fileSystems."/media/homeshare" = {
device = "10.0.10.30:/mnt/homeshare";
fsType = "nfs";
options = [ "noatime" "_netdev" ];
};
}
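Review bot: `10.0.10.30` is hard-coded in this mount and in the sibling `media` and `photos` modules, while the removed modules in this compare resolved the fileserver through `configVars.networking.addresses`; if that vars module exists on this branch, `device = "${fileserverIp}:/mnt/homeshare"` keeps the address in one place. Without `nofail` (or `x-systemd.automount`) in `options`, a fileserver that is down at boot leaves `remote-fs.target` waiting and can stall this host's boot; `_netdev` only orders the mount after the network, it does not make it optional. Consider `options = [ "noatime" "_netdev" "nofail" ];`, and `ro` where the share is not written, as the `photos` module already does.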


@ -0,0 +1,7 @@
{
fileSystems."/media/media" = {
device = "10.0.10.30:/mnt/media";
fsType = "nfs";
options = ["noatime" "_netdev"];
};
}


@ -0,0 +1,9 @@
{
fileSystems."/media/photos" = {
device = "10.0.10.30:/mnt/photos";
fsType = "nfs";
options = [ "noatime" "_netdev" "ro" ];
};
}


@ -1,20 +0,0 @@
{configVars, ...}: let
email = configVars.email.user;
domain = configVars.domains.xmpp;
in {
security.acme = {
acceptTerms = true;
defaults.email = email;
};
networking.firewall.allowedTCPPorts = [80 443];
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts."${domain}" = {
enableACME = true;
forceSSL = true;
root = "/srv/hello/";
};
};
}


@ -1,24 +0,0 @@
{configVars, ...}: let
email = configVars.email.user;
domain = configVars.domains.vaultwarden;
vaultwardenIp = configVars.networking.addresses.vaultwarden.localAddress;
vaultwardenPort = configVars.networking.addresses.vaultwarden.port;
in {
networking.firewall.allowedTCPPorts = [80 443];
security.acme = {
acceptTerms = true;
defaults.email = email;
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts."${domain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://${vaultwardenIp}:${toString vaultwardenPort}";
};
};
};
}


@ -1,92 +0,0 @@
{configVars, ...}: let
email = configVars.email.user;
xmppDomain = configVars.domains.xmpp;
xmppIp = configVars.networking.addresses.xmpp.localAddress;
xmppPort = configVars.networking.addresses.xmpp.ports.xmpp-http;
in {
networking.firewall.allowedTCPPorts = [80 443];
users.groups.www-data = {
gid = 33;
};
users.users.nginx = {
isSystemUser = true;
uid = 60;
extraGroups = ["www-data"];
};
systemd.tmpfiles.rules = [
"d /var/www/${xmppDomain} 0777 root root"
];
services.httpd.virtualHosts."root" = {
hostName = "${xmppDomain}";
documentRoot = "/var/www/${xmppDomain}";
};
security.acme = {
acceptTerms = true;
defaults.email = email;
certs = {
"${xmppDomain}" = {
webroot = "/var/www/${xmppDomain}";
email = email;
extraDomainNames = [
"chat.${xmppDomain}"
];
group = "www-data";
};
};
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts."chat.${xmppDomain}" = {
# enableACME = true;
forceSSL = true;
extraConfig = ''
client_max_body_size 10G;
'';
sslCertificate = "/var/lib/acme/${xmppDomain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${xmppDomain}/key.pem";
locations = {
"/" = {
proxyPass = "http://${xmppIp}:${toString xmppPort}";
extraConfig = ''
proxy_set_header Host "${xmppDomain}";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
tcp_nodelay on;
'';
};
"/xmpp-websocket" = {
proxyPass = "http://${xmppIp}:${toString xmppPort}/xmpp-websocket";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Connection "Upgrade";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host "${xmppDomain}";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900s;
'';
};
"/upload/" = {
extraConfig = ''
proxy_buffering off;
proxy_set_header Host $host;
# pass PUT requests to mod_http_upload for processing
if ($request_method = PUT) {
proxy_pass http://${xmppIp}:${toString xmppPort};
}
alias /var/lib/prosody/http_upload; # storage path of mod_http_upload. NGINX will serve these files to the clients.
'';
};
};
};
};
}


@ -1,21 +0,0 @@
{ lib, pkgs, ... }:
{
# Using non-Nix Python Packages with Binaries on NixOS https://github.com/mcdonc/.nixconfig/blob/e7885ad18b7980f221e59a21c91b8eb02795b541/videos/pydev/script.rst
programs.nix-ld.enable = true;
programs.nix-ld.libraries = with pkgs; [
zlib # numpy
libgcc # sqlalchemy
expat # pyosmium
# that's where the shared libs go, you can find which one you need using
# nix-locate --top-level libstdc++.so.6 (replace this with your lib)
# ^ this requires `nix-index` pkg
];
environment.variables = {
NIX_LD_LIBRARY_PATH="/run/current-system/sw/share/nix-ld/lib";
NIX_LD="/run/current-system/sw/share/nix-ld/lib/ld.so";
LD_LIBRARY_PATH=lib.mkForce "$NIX_LD_LIBRARY_PATH";
};
}


@ -1,98 +0,0 @@
{
pkgs,
configVars,
lib,
...
}: let
containerName = "backup-server";
containerIp = configVars.networking.addresses.backup-server.ip;
gatewayIp = configVars.networking.addresses.gateway.ip;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
backupContainerData = configVars.locations.backupContainerData;
in {
networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "br0";
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/var/lib/nixos-containers/${containerName}"
];
};
containers."${containerName}" = {
autoStart = true;
privateNetwork = true;
hostBridge = "br0";
nixpkgs = pkgs.path;
bindMounts = {
"/srv/backup" = {
hostPath = backupContainerData;
isReadOnly = false;
};
};
config = {
pkgs,
lib,
...
}: {
networking = {
defaultGateway = "${gatewayIp}";
interfaces.eth0.ipv4.addresses = [
{
"address" = "${containerIp}";
"prefixLength" = 24;
}
];
firewall = {
enable = true;
allowedTCPPorts = [
8000
];
};
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
environment.systemPackages = [
pkgs.vim
pkgs.git
pkgs.python311
pkgs.restic
pkgs.apacheHttpd
];
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
users.users = {
root = {
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
};
};
services.restic.server = {
enable = true;
listenAddress = "0.0.0.0:8000";
dataDir = "/srv/backup/restic";
};
system.stateVersion = "24.05";
};
};
}


@ -1,320 +0,0 @@
{
lib,
pkgs,
inputs,
configVars,
...
}: let
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
containerName = "bd-worker";
sops-nix = inputs.sops-nix;
baseddataData = configVars.locations.baseddataData;
in {
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/var/lib/nixos-containers/${containerName}"
];
};
services.restic.backups = {
daily = {
paths = [
baseddataData
];
};
};
networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "br0";
containers.${containerName} = {
autoStart = true;
privateNetwork = true;
hostBridge = "br0";
nixpkgs = pkgs.path;
allowedDevices = [
{
node = "/dev/net/tun";
modifier = "rw";
}
];
bindMounts = {
"/etc/ssh/ssh_host_ed25519_key" = {
hostPath = "/etc/ssh/ssh_host_ed25519_key";
isReadOnly = true;
};
"/data/baseddata-data" = {
hostPath = baseddataData;
isReadOnly = false;
};
};
config = {
pkgs,
lib,
config,
...
}: let
configVars = import ../../../../vars {inherit inputs lib;};
secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml";
# define ip addresses
containerIp = configVars.networking.addresses.bd-worker.ip;
gatewayIp = configVars.networking.addresses.gateway.ip;
postgresIp = configVars.networking.addresses.postgres.ip;
postgresRemoteIp = configVars.networking.addresses.postgres-remote.ip;
postgresPort = toString configVars.networking.addresses.postgres.port;
bitcoindIp = configVars.networking.addresses.bitcoin-node.ip;
bitcoindPort = toString configVars.networking.addresses.bitcoin-node.services.bitcoind.port;
# define secret paths
notifybotUsername = config.sops.secrets."comms/xmpp/notifybot/username".path;
notifybotPassword = config.sops.secrets."comms/xmpp/notifybot/password".path;
recipientUsername = config.sops.secrets."comms/xmpp/mrsu/username".path;
postgresUser = config.sops.secrets."software/postgres/baseddata/user_username".path;
postgresPassword = config.sops.secrets."software/postgres/baseddata/user_password".path;
bitcoindRPCUsername = config.sops.secrets."software/bitcoind/username".path;
bitcoindRPCPassword = config.sops.secrets."software/bitcoind/bitcoin-rpcpassword-public".path;
dbtProfiles = config.sops.templates."profiles.yml".path;
pgsyncConfig = config.sops.templates."pgsync.yml".path;
baseddataEnv = "dev";
in {
networking = {
defaultGateway = "${gatewayIp}";
interfaces.eth0.ipv4.addresses = [
{
"address" = "${containerIp}";
"prefixLength" = 24;
}
];
firewall = {
enable = true;
allowedTCPPorts = [
4200
];
};
useHostResolvConf = lib.mkForce false;
};
sops = {
defaultSopsFile = "${secretsFile}";
validateSopsFiles = false;
age = {
sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
};
};
sops.secrets = {
"ssh_keys/baseddata-models-access/id_ed25519" = {
mode = "0400";
path = "/root/.ssh/id_ed25519";
};
"comms/xmpp/notifybot/username" = {};
"comms/xmpp/notifybot/password" = {};
"comms/xmpp/mrsu/username" = {};
"software/postgres/baseddata/user_password" = {};
"software/postgres/baseddata/user_username" = {};
"software/bitcoind/username" = {};
"software/bitcoind/bitcoin-rpcpassword-public" = {};
};
sops.templates."profiles.yml" = {
mode = "0600";
path = "/root/.dbt/profiles.yml";
content = ''
baseddata:
target: prod
outputs:
prod:
dbname: baseddata
host: ${postgresIp}
pass: '${config.sops.placeholder."software/postgres/baseddata/user_password"}'
port: 5432
schema: models
threads: 6
type: postgres
user: ${config.sops.placeholder."software/postgres/baseddata/user_username"}
'';
};
sops.templates."pgsync.yml" = {
mode = "0600";
path = "/root/.pgsync.yml";
content = ''
from: postgresql://${config.sops.placeholder."software/postgres/baseddata/user_username"}:${config.sops.placeholder."software/postgres/baseddata/user_password"}@${postgresIp}/baseddata
to: postgresql://${config.sops.placeholder."software/postgres/baseddata/user_username"}:${config.sops.placeholder."software/postgres/baseddata/user_password"}@${postgresRemoteIp}/baseddata
schemas:
- models_final
to_safe: true
'';
};
imports = [
sops-nix.nixosModules.sops
];
services.resolved.enable = true;
services.tailscale.enable = true;
environment.systemPackages = [
pkgs.vim
pkgs.git
pkgs.python311
pkgs.poetry
pkgs.aria2
pkgs.osmctools
pkgs.osmium-tool
pkgs.osm2pgsql
pkgs.pgsync
pkgs.postgresql_16
pkgs.htop
];
environment.variables = {
BASEDDATA_ENVIRONMENT = "dev";
NIX_LD_LIBRARY_PATH = "/run/current-system/sw/share/nix-ld/lib";
NIX_LD = "/run/current-system/sw/share/nix-ld/lib/ld.so";
LD_LIBRARY_PATH = "/run/current-system/sw/share/nix-ld/lib";
};
systemd.services.baseddata-deploy-service = {
wantedBy = ["multi-user.target"];
after = ["network.target"];
description = "Initiates deployment of application and builds python environment using Poetry";
environment = {
BASEDDATA_ENVIRONMENT = "${baseddataEnv}";
};
serviceConfig = {
ExecStart = pkgs.writeShellScript "baseddata-deploy-service" ''
GITCMD="${pkgs.openssh}/bin/ssh -i /root/.ssh/id_ed25519"
if [ ! -d "/srv/baseddata-models" ]; then
GIT_SSH_COMMAND=$GITCMD ${pkgs.git}/bin/git clone --branch $BASEDDATA_ENVIRONMENT git@git.bitlab21.com:sam/baseddata-models.git /srv/baseddata-models
else
cd /srv/baseddata-models
GIT_SSH_COMMAND=$GITCMD ${pkgs.git}/bin/git stash --include-untracked
GIT_SSH_COMMAND=$GITCMD ${pkgs.git}/bin/git pull
fi
cd /srv/baseddata-models
mkdir .venv
${pkgs.poetry}/bin/poetry lock --no-update
${pkgs.poetry}/bin/poetry install
'';
Restart = "on-failure";
};
};
systemd.services.baseddata-prefect-server = {
wantedBy = ["multi-user.target"];
after = ["baseddata-deploy-service.target"];
description = "Initates the Prefect server";
environment = {
NIX_LD_LIBRARY_PATH = "/run/current-system/sw/share/nix-ld/lib";
NIX_LD = "/run/current-system/sw/share/nix-ld/lib/ld.so";
LD_LIBRARY_PATH = "/run/current-system/sw/share/nix-ld/lib";
PREFECT_API_URL = "http://${containerIp}:4200/api";
BASEDDATA_ENVIRONMENT = "${baseddataEnv}";
};
serviceConfig = {
WorkingDirectory = "/srv/baseddata-models";
ExecStart = pkgs.writeShellScript "baseddata-prefect-server" ''
# run prefect server
.venv/bin/prefect server start --host ${containerIp}
'';
Restart = "on-failure";
};
};
systemd.services.baseddata-serve-flows = {
wantedBy = ["multi-user.target"];
after = ["baseddata-prefect-server.target"];
description = "Serves the Prefect flows";
path = ["/run/current-system/sw" "/srv/baseddata-models/.venv"];
environment = {
PREFECT_API_URL = "http://${containerIp}:4200/api";
BASEDDATA_ENVIRONMENT = "${baseddataEnv}";
NIX_LD_LIBRARY_PATH = "/run/current-system/sw/share/nix-ld/lib";
NIX_LD = "/run/current-system/sw/share/nix-ld/lib/ld.so";
LD_LIBRARY_PATH = "/run/current-system/sw/share/nix-ld/lib";
};
serviceConfig = {
WorkingDirectory = "/srv/baseddata-models";
ExecStartPre = "${pkgs.coreutils}/bin/timeout 120 ${pkgs.bash}/bin/bash -c 'until ${pkgs.netcat-openbsd}/bin/nc -z ${containerIp} 4200; do sleep 3; done'";
ExecStart = pkgs.writeShellScript "baseddata-serve-flows" ''
# set prefect environment variables
.venv/bin/prefect variable set "xmpp_jid" $(cat ${notifybotUsername}) --overwrite
.venv/bin/prefect variable set "xmpp_password" $(cat ${notifybotPassword}) --overwrite
.venv/bin/prefect variable set "xmpp_recipient" $(cat ${recipientUsername}) --overwrite
.venv/bin/prefect variable set "postgres_host" ${postgresIp} --overwrite
.venv/bin/prefect variable set "postgres_port" ${postgresPort} --overwrite
.venv/bin/prefect variable set "postgres_user" $(cat ${postgresUser}) --overwrite
.venv/bin/prefect variable set "postgres_pwd" $(cat ${postgresPassword}) --overwrite
.venv/bin/prefect variable set "postgres_dbname" "baseddata" --overwrite
.venv/bin/prefect variable set "postgres_schema" "models_final" --overwrite
.venv/bin/prefect variable set "bitcoin_rpc_password" $(cat ${bitcoindRPCPassword}) --overwrite
.venv/bin/prefect variable set "bitcoin_rpc_username" $(cat ${bitcoindRPCUsername}) --overwrite
.venv/bin/prefect variable set "bitcoind_ip" ${bitcoindIp} --overwrite
.venv/bin/prefect variable set "bitcoind_port" ${bitcoindPort} --overwrite
.venv/bin/prefect variable set "osm_dir" "/data/baseddata-data/osm" --overwrite
.venv/bin/prefect variable set "wdpa_dir" "/data/baseddata-data/wdpa" --overwrite
.venv/bin/prefect variable set "dbt_profiles_dir" $(dirname ${dbtProfiles}) --overwrite
.venv/bin/prefect variable set "pgsync_config" ${pgsyncConfig} --overwrite
# serve flows
.venv/bin/python automation/flows/serve-flows.py
'';
Restart = "on-failure";
};
};
programs.nix-ld.enable = true;
programs.nix-ld.libraries = with pkgs; [
zlib
libgcc
];
programs.ssh.knownHosts = {
"git.bitlab21.com" = {
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALNd2BGf64heYjWT9yt0fVmngepiHRIMsL7au/MRteg";
};
};
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
users.users.root = {
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
};
system.stateVersion = "24.05";
};
};
}


@ -1,236 +0,0 @@
{
pkgs,
lib,
inputs,
config,
outputs,
configVars,
...
}: let
containerName = "docker";
containerIp = configVars.networking.addresses.docker.ip;
gatewayIp = configVars.networking.addresses.gateway.ip;
dockerContainerData = configVars.locations.dockerContainerData;
homeshareDataLocation = configVars.locations.homeshareDataLocation;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
arion = inputs.arion;
sops-nix = inputs.sops-nix;
in {
networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "br0";
services.restic.backups = {
daily = {
paths = [
dockerContainerData
];
};
};
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/var/lib/nixos-containers/${containerName}"
];
};
containers."${containerName}" = {
enableTun = true;
# configuration to run docker/podman in systemd-nspawn container
# https://discourse.nixos.org/t/podman-docker-in-nixos-container-ideally-in-unprivileged-one/22909/12
additionalCapabilities = [
''all" --system-call-filter="add_key keyctl bpf" --capability="all''
];
extraFlags = ["--private-users-ownership=chown"];
allowedDevices = [
{
node = "/dev/nvidia0";
modifier = "rwm";
}
{
node = "/dev/nvidiactl";
modifier = "rwm";
}
{
node = "/dev/nvidia-uvm";
modifier = "rwm";
}
{
node = "/dev/fuse";
modifier = "rwm";
}
{
node = "/dev/mapper/control";
modifier = "rw";
}
{
node = "/dev/console";
modifier = "rwm";
}
{
node = "/dev/dri/card1";
modifier = "rwm";
}
{
node = "/dev/dri/renderD128";
modifier = "rwm";
}
{
node = "/dev/net/tun";
modifier = "rw";
}
];
######
autoStart = true;
privateNetwork = true;
hostBridge = "br0";
nixpkgs = pkgs.path;
bindMounts = {
"/media/photos" = {
hostPath = "${homeshareDataLocation}/photos";
isReadOnly = false;
};
"/run/opengl-driver/lib" = {
hostPath = "/run/opengl-driver/lib";
isReadOnly = false;
};
"/dev/dri" = {
hostPath = "/dev/dri";
isReadOnly = false;
};
"/media/media" = {
hostPath = "${homeshareDataLocation}/media";
isReadOnly = false;
};
"/srv/docker" = {
hostPath = dockerContainerData;
isReadOnly = false;
};
"/etc/ssh/ssh_host_ed25519_key" = {
hostPath = "/etc/ssh/ssh_host_ed25519_key";
isReadOnly = true;
};
};
config = {
pkgs,
lib,
...
}: let
secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml";
in {
nixpkgs.overlays = [
outputs.overlays.unstable-packages
];
networking = {
enableIPv6 = false;
defaultGateway = "${gatewayIp}";
interfaces.eth0.ipv4.addresses = [
{
"address" = "${containerIp}";
"prefixLength" = 24;
}
];
firewall = {
enable = true;
allowedTCPPorts = [
];
};
useHostResolvConf = lib.mkForce false;
};
hardware.graphics = {
enable = true;
};
nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) [
"nvidia-x11"
"nvidia-settings"
"nvidia-persistenced"
];
services.xserver.videoDrivers = ["nvidia"];
hardware.nvidia = {
modesetting.enable = true;
powerManagement.enable = false;
open = false;
nvidiaSettings = false;
package = config.boot.kernelPackages.nvidiaPackages.stable;
};
services.resolved.enable = true;
sops = {
defaultSopsFile = "${secretsFile}";
validateSopsFiles = false;
age = {
sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
};
};
imports = [
arion.nixosModules.arion
sops-nix.nixosModules.sops
../docker-containers/arrstack.nix
../docker-containers/jellyfin.nix
../docker-containers/photoprism.nix
../docker-containers/syncthing.nix
../docker-containers/baikal.nix
(import ../docker-containers/searxng.nix {configVars = configVars;})
];
environment.systemPackages = [
pkgs.vim
pkgs.git
pkgs.arion
pkgs.dive
pkgs.podman-tui
pkgs.podman-compose
pkgs.unstable.nvidia-container-toolkit
];
virtualisation = {
containers.cdi.dynamic.nvidia.enable = true;
podman = {
enableNvidia = true;
enable = true;
dockerSocket.enable = true;
defaultNetwork.settings.dns_enabled = true;
dockerCompat = true;
};
};
networking.firewall.interfaces."podman+".allowedUDPPorts = [53];
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
users.users = {
root = {
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
};
};
system.stateVersion = "24.05";
};
};
}


@ -1,60 +1,37 @@
{
pkgs,
lib,
configVars,
pkgs,
...
}: let
containerName = "jellyfin";
containerIp = "10.0.10.44"; #configVars.networking.addresses.jellyfin.ip;
gatewayIp = configVars.networking.addresses.gateway.ip;
homeshareDataLocation = configVars.locations.homeshareDataLocation;
jellyfinContainerData = configVars.locations.jellyfinContainerData;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
container_name = "jellyfin";
container_ip = "10.0.10.6";
in {
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/var/lib/nixos-containers/${container_name}"
];
};
networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "br0";
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/var/lib/nixos-containers/${containerName}"
];
};
containers."${containerName}" = {
containers.${container_name} = {
autoStart = true;
privateNetwork = true;
hostBridge = "br0";
nixpkgs = pkgs.path;
allowedDevices = [
{
node = "/dev/nvidia0";
modifier = "rwm";
}
{
node = "/dev/nvidiactl";
modifier = "rwm";
}
{
node = "/dev/dri/card1";
modifier = "rwm";
}
{
node = "/dev/dri/renderD128";
modifier = "rwm";
}
];
bindMounts = {
"/media/media" = {
hostPath = "${homeshareDataLocation}/media";
isReadOnly = true;
};
"/var/lib/jellyfin" = {
hostPath = "${jellyfinContainerData}";
hostPath = "/media/main-ssd/jellyfin";
isReadOnly = false;
};
"/var/lib/jellyfin/data/media" = {
hostPath = "/media/media";
isReadOnly = true;
};
};
config = {
@ -63,16 +40,17 @@ in {
...
}: {
networking = {
defaultGateway = "${gatewayIp}";
defaultGateway = "10.0.10.1";
interfaces.eth0.ipv4.addresses = [
{
"address" = "${containerIp}";
"address" = "${container_ip}";
"prefixLength" = 24;
}
];
firewall = {
enable = true;
allowedTCPPorts = [
5432
];
};
useHostResolvConf = lib.mkForce false;
@ -80,29 +58,25 @@ in {
services.resolved.enable = true;
imports = [
];
environment.systemPackages = [
pkgs.vim
pkgs.git
];
services.jellyfin = {
enable = true;
openFirewall = true;
user = "jellyfin";
user="jellyfin";
};
environment.systemPackages = [
pkgs.jellyfin
pkgs.jellyfin-web
pkgs.jellyfin-ffmpeg
];
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
users.users = {
root = {
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
};
users.users.root = {
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
};
system.stateVersion = "24.05";
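Review bot: The firewall inside the container `config` block opens TCP 5432 (the PostgreSQL port) in a Jellyfin container where nothing in this file listens on it; from the hunk counts (`@ -63,16 +40,17 @@`) that entry is on the new side. Jellyfin already gets its own ports through `openFirewall = true;` in `services.jellyfin`, so the explicit entry looks carried over from the postgres container and only widens the container's exposure. Suggest dropping it, i.e. `allowedTCPPorts = [ ];` or removing the `firewall.allowedTCPPorts` list entirely. The enclosing `config = { ... }: {` function closes outside this section.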


@ -1,306 +0,0 @@
{
pkgs,
lib,
configVars,
inputs,
...
}: let
containerName = "metrics-server";
containerIp = configVars.networking.addresses.metrics-server.ip;
notifybotJid = configVars.xmpp.notifybotJid;
receiverJid = configVars.xmpp.personalAccount;
dockerContainerIp = configVars.networking.addresses.docker.ip;
smWorkerIp = configVars.networking.addresses.sm-worker.ip;
merlinIp = configVars.networking.addresses.merlin.ip;
bdWorker = configVars.networking.addresses.bd-worker.ip;
pihole = configVars.networking.addresses.pihole.ip;
bitcoinNode = configVars.networking.addresses.bitcoin-node.ip;
postres = configVars.networking.addresses.postgres.ip;
backupServer = configVars.networking.addresses.backup-server.ip;
sops-nix = inputs.sops-nix;
http_endpoints = configVars.metrics-server.blackbox.http_endpoints;
gatewayIp = configVars.networking.addresses.gateway.ip;
metricsServerContainerData = configVars.locations.metricsServerContainerData;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
in {
networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "br0";
services.restic.backups = {
daily = {
paths = [
metricsServerContainerData
];
};
};
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/var/lib/nixos-containers/${containerName}"
];
};
containers."${containerName}" = {
enableTun = true;
autoStart = true;
privateNetwork = true;
hostBridge = "br0";
nixpkgs = pkgs.path;
bindMounts = {
"/var/lib/" = {
hostPath = metricsServerContainerData;
isReadOnly = false;
};
"/etc/ssh/ssh_host_ed25519_key" = {
hostPath = "/etc/ssh/ssh_host_ed25519_key";
isReadOnly = true;
};
};
config = {
pkgs,
lib,
config,
...
}: let
secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml";
in {
networking = {
defaultGateway = "${gatewayIp}";
interfaces.eth0.ipv4.addresses = [
{
"address" = "${containerIp}";
"prefixLength" = 24;
}
];
firewall = {
enable = true;
allowedTCPPorts = [
config.services.prometheus.port
config.services.grafana.port
config.services.prometheus.exporters.blackbox.port
9199 #xmpp listen port
];
};
useHostResolvConf = lib.mkForce false;
};
sops = {
defaultSopsFile = "${secretsFile}";
validateSopsFiles = false;
age = {
sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
};
secrets = {
"software/restic-passphrase" = {};
"software/restic-exporter-credentials" = {};
"comms/xmpp/notifybot/password" = {
mode = "0644";
};
};
};
services.resolved.enable = true;
imports = [
sops-nix.nixosModules.sops
];
environment.systemPackages = [
pkgs.vim
pkgs.git
];
services.grafana = {
enable = true;
settings.server = {
http_port = 2342;
http_addr = "0.0.0.0";
};
};
# main prometheus service
services.prometheus = {
enable = true;
webExternalUrl = "http://${containerIp}:9001";
port = 9001;
alertmanagers = [
{
scheme = "http";
path_prefix = "/";
static_configs = [
{
targets = [
"0.0.0.0:9093"
];
}
];
}
];
ruleFiles = [
"${pkgs.writeText
"alert_rule.yml"
''
groups:
- name: blackbox_alert
rules:
- alert: EndpointDown
expr: probe_success{job="blackbox"} == 0
for: 1m
labels:
severity: critical
annotations:
summary: "Endpoint {{ $labels.instance }} down"
description: "An endpoint has been down for more than 1 minute."
''}"
];
scrapeConfigs = [
{
job_name = "node_exporter";
static_configs = [
{
targets = [
"${dockerContainerIp}:9100"
"${smWorkerIp}:9100"
"${merlinIp}:9100"
"${bdWorker}:9100"
"${pihole}:9100"
"${bitcoinNode}:9100"
"${postres}:9100"
"${backupServer}:9100"
];
}
];
}
{
job_name = "restic-exporter";
static_configs = [
{
targets = [
"0.0.0.0:8001"
];
}
];
}
{
job_name = "blackbox";
scrape_interval = "30s";
scrape_timeout = "15s";
metrics_path = "/probe";
params.module = ["http_basic"];
relabel_configs = [
{
source_labels = ["__address__"];
target_label = "__param_target";
}
{
source_labels = ["__param_target"];
target_label = "instance";
}
{
target_label = "__address__";
replacement = "${config.services.prometheus.exporters.blackbox.listenAddress}:${toString config.services.prometheus.exporters.blackbox.port}";
}
];
static_configs = [
{targets = http_endpoints;}
];
}
];
};
# setup alertmanager
services.prometheus.xmpp-alerts = {
enable = true;
settings = {
jid = notifybotJid;
password_command = "cat ${config.sops.secrets."comms/xmpp/notifybot/password".path}";
to_jid = receiverJid;
listen_address = "0.0.0.0";
listen_port = 9199;
};
};
services.prometheus.alertmanager = {
webExternalUrl = "http://${containerIp}:9093";
enable = true;
openFirewall = true;
port = 9093;
configText = ''
global:
resolve_timeout: 1m
route:
group_by: ['...']
repeat_interval: 1h
receiver: 'xmpp-alerts'
receivers:
- name: 'xmpp-alerts'
webhook_configs:
- url: 'http://0.0.0.0:9199/alert'
'';
};
# prometheus exporters
services.prometheus.exporters = {
blackbox = {
enable = true;
configFile = pkgs.writeText "blackbox-conf.yaml" ''
modules:
http_basic:
prober: http
timeout: 5s
http:
preferred_ip_protocol: ip4
valid_http_versions: ["HTTP/1.1", "HTTP/2"]
method: GET
# fail_if_ssl: false
# fail_if_not_ssl: true
# tls_config:
# insecure_skip_verify: true
tcp_connect:
prober: tcp
tcp:
preferred_ip_protocol: ip4
'';
};
node = {
enable = true;
enabledCollectors = ["systemd"];
port = 9002;
};
restic = {
enable = true;
repository = "";
environmentFile = config.sops.secrets."software/restic-exporter-credentials".path;
passwordFile = config.sops.secrets."software/restic-passphrase".path;
refreshInterval = 10800; # refresh every 3 hours
port = 8001;
};
};
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
users.users = {
root = {
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
};
};
system.stateVersion = "24.05";
};
};
}


@ -2,36 +2,28 @@
inputs,
lib,
config,
configVars,
pkgs,
...
}: let
containerName = "bitcoin-node";
containerIp = configVars.networking.addresses.bitcoin-node.ip;
mempoolPort = configVars.networking.addresses.bitcoin-node.services.mempool.port;
bitcoinNodeContainerData = configVars.locations.bitcoinNodeContainerData;
bitcoindData = configVars.locations.bitcoindData;
gatewayIp = configVars.networking.addresses.gateway.ip;
allowip = configVars.networking.addresses.bitcoin-node.services.bitcoind.allowip;
bitcoin-rpcpassword-privileged = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-rpcpassword-privileged".path;
bitcoin-rpcpassword-public = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-rpcpassword-public".path;
bitcoin-HMAC-privileged = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-HMAC-privileged".path;
bitcoin-HMAC-public = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/bitcoind/bitcoin-HMAC-public".path;
container_name = "bitcoin-node";
container_ip = "10.0.10.4";
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
in {
services.restic.backups = {
daily = {
paths = [
bitcoinNodeContainerData
];
exclude = [
"${bitcoindData}"
"${bitcoinNodeContainerData}/electrs"
];
};
sops.secrets = {
"software/bitcoind/bitcoin-rpcpassword-privileged" = {};
"software/bitcoind/bitcoin-rpcpassword-public" = {};
"software/bitcoind/bitcoin-HMAC-privileged" = {};
"software/bitcoind/bitcoin-HMAC-public" = {};
};
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/var/lib/nixos-containers/${containerName}"
"/var/lib/nixos-containers/${container_name}"
];
};
@ -39,18 +31,42 @@ in {
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "br0";
containers.${containerName} = {
containers.${container_name} = {
autoStart = true;
privateNetwork = true;
hostBridge = "br0";
nixpkgs = pkgs.path;
bindMounts = {
"/var/lib/" = {
hostPath = bitcoinNodeContainerData;
"/etc/nix-bitcoin-secrets/bitcoin-rpcpassword-privileged" = {
hostPath = "${bitcoin-rpcpassword-privileged}";
isReadOnly = false;
};
"/etc/nix-bitcoin-secrets/bitcoin-rpcpassword-public" = {
hostPath = "${bitcoin-rpcpassword-public}";
isReadOnly = false;
};
"/etc/nix-bitcoin-secrets/bitcoin-HMAC-privileged" = {
hostPath = "${bitcoin-HMAC-privileged}";
isReadOnly = false;
};
"/etc/nix-bitcoin-secrets/bitcoin-HMAC-public" = {
hostPath = "${bitcoin-HMAC-public}";
isReadOnly = false;
};
"/var/lib/bitcoind" = {
hostPath = bitcoindData;
hostPath = "/media/main-ssd/nix-bitcoin/bitcoind";
isReadOnly = false;
};
"/var/lib/electrs" = {
hostPath = "/media/main-ssd/nix-bitcoin/electrs";
isReadOnly = false;
};
"/var/lib/mysql" = {
hostPath = "/media/main-ssd/nix-bitcoin/mysql";
isReadOnly = false;
};
"/var/lib/tor" = {
hostPath = "/media/main-ssd/nix-bitcoin/tor";
isReadOnly = false;
};
};
@ -62,7 +78,6 @@ in {
}: {
imports = [
inputs.nix-bitcoin.nixosModules.default
# inputs.lnbits.nixosModules.default
];
environment.systemPackages = with pkgs; [
vim
@ -70,23 +85,17 @@ in {
jq
];
networking = {
defaultGateway = "${gatewayIp}";
interfaces.eth0.ipv4.addresses = [
{
"address" = "${containerIp}";
"prefixLength" = 24;
}
];
defaultGateway = "10.0.10.1";
interfaces.eth0.ipv4.addresses = [ { "address" = "${container_ip}"; "prefixLength" = 24; } ];
firewall = {
enable = true;
allowedTCPPorts = [
# 80
# 443
80
443
22
config.containers.bitcoin-node.config.services.bitcoind.rpc.port
config.containers.bitcoin-node.config.services.mempool.frontend.port
config.containers.bitcoin-node.config.services.electrs.port
# config.containers.bitcoin-node.config.services.rtl.port
# config.containers.bitcoin-node.config.services.lnd.port
];
};
useHostResolvConf = lib.mkForce false;
@ -96,12 +105,7 @@ in {
# node services here
nix-bitcoin.generateSecrets = true;
nix-bitcoin.nodeinfo.enable = true;
services = {
backups = {
enable = true;
frequency = "daily";
};
tor = {
enable = true;
client.enable = true;
@ -115,7 +119,8 @@ in {
txindex = true;
rpc = {
address = "0.0.0.0";
allowip = allowip;
threads = 6;
allowip = ["10.0.0.0/8"];
users = let
name = "bitcoin";
in {
@ -138,61 +143,15 @@ in {
enable = true;
electrumServer = "electrs";
frontend = {
port = mempoolPort;
port = 4080;
address = "0.0.0.0";
};
};
lnd = {
enable = false;
lndconnect = {
enable = true;
onion = true;
};
extraConfig = ''
alias=bitlab21
tor.active=true
tor.skip-proxy-for-clearnet-targets=1
'';
};
rtl = {
enable = false;
nodes.lnd.enable = true;
address = "0.0.0.0";
};
# lnbits = {
# enable = false;
# openFirewall = true;
# host = "0.0.0.0";
# port = 8231;
# env = {
# LNBITS_ADMIN_UI = "true";
# LNBITS_BACKEND_WALLET_CLASS = "LndRestWallet";
# LND_REST_ENDPOINT = "https://127.0.0.1:8080";
# LND_REST_CERT = "/etc/nix-bitcoin-secrets/lnd-cert";
# LND_REST_MACAROON = "/var/lib/lnbits/admin.macaroon";
# AUTH_ALLOWED_METHODS = "user-id-only, username-password";
# };
# };
};
# Add custom systemd overrides for above services
# systemd.services.lnbits.after = ["lnd.service"];
nix-bitcoin.onionServices = {
bitcoind.enable = true;
electrs.enable = true;
mempool-frontend.enable = true;
# lnd.public = true;
};
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
services.openssh = {
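Review bot: The four `/etc/nix-bitcoin-secrets/...` bind mounts added in the `containers.${container_name}` block expose the host's sops secret files (RPC passwords and HMACs) to the container with `isReadOnly = false`, so a compromised service inside the container can overwrite the host's copies; nothing here needs write access, so each should be `isReadOnly = true;`. Each `hostPath` is also derived from a `lib.optionalString (lib.hasAttr "sops-nix" inputs) ...` binding, which yields the empty string when the `sops-nix` input is missing, so the mount would get an empty host path instead of failing evaluation; dropping the `optionalString` wrapper makes a missing input an evaluation error. Separately, in the `rpc` block `address = "0.0.0.0";` with `allowip = ["10.0.0.0/8"];` plus the firewall entry for `services.bitcoind.rpc.port` admits the whole 10/8 range where the old side scoped `allowip` through `configVars`; narrowing it to the hosts that actually call the RPC is worth considering. The `config` function and the `services` attribute set continue past the end of this section.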


@ -1,121 +0,0 @@
{
pkgs,
lib,
inputs,
configVars,
...
}: let
containerName = "pihole";
containerIp = configVars.networking.addresses.pihole.ip;
gatewayIp = configVars.networking.addresses.gateway.ip;
piholeContainerData = configVars.locations.piholeContainerData;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
arion = inputs.arion;
in {
networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "br0";
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/var/lib/nixos-containers/${containerName}"
];
};
containers."${containerName}" = {
enableTun = true;
# configuration to run docker/podman in systemd-nspawn container
# https://discourse.nixos.org/t/podman-docker-in-nixos-container-ideally-in-unprivileged-one/22909/12
additionalCapabilities = [
''all" --system-call-filter="add_key keyctl bpf" --capability="all''
];
extraFlags = ["--private-users-ownership=chown"];
allowedDevices = [
];
######
autoStart = true;
privateNetwork = true;
hostBridge = "br0";
nixpkgs = pkgs.path;
bindMounts = {
"/srv/docker/pihole" = {
hostPath = piholeContainerData;
isReadOnly = false;
};
};
config = {
pkgs,
lib,
...
}: {
networking = {
defaultGateway = "${gatewayIp}";
interfaces.eth0.ipv4.addresses = [
{
"address" = "${containerIp}";
"prefixLength" = 24;
}
];
firewall = {
enable = true;
allowedTCPPorts = [
];
};
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = false;
imports = [
arion.nixosModules.arion
../docker-containers/pihole.nix
];
environment.systemPackages = [
pkgs.vim
pkgs.git
pkgs.arion
pkgs.lsof
pkgs.podman-compose
];
virtualisation = {
podman = {
enable = true;
dockerSocket.enable = true;
defaultNetwork.settings.dns_enabled = true;
dockerCompat = true;
};
};
networking.firewall.interfaces."podman+".allowedUDPPorts = [53];
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
users.users = {
root = {
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
};
};
system.stateVersion = "24.05";
};
};
}


@ -2,17 +2,13 @@
inputs,
lib,
config,
configVars,
pkgs,
...
}: let
postgresPasswordPath = lib.optionalString (lib.hasAttr "sops-nix" inputs) config.sops.secrets."software/postgres/postgres/password".path;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
containerName = "postgres";
containerIp = configVars.networking.addresses.postgres.ip;
subnetIp = configVars.networking.addresses.subnet.ip;
gatewayIp = configVars.networking.addresses.gateway.ip;
postgresContainerData = configVars.locations.postgresContainerData;
container_name = "postgres";
container_ip = "10.0.10.5";
in {
sops.secrets = {
"software/postgres/postgres/password" = {
@ -22,7 +18,7 @@ in {
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/var/lib/nixos-containers/${containerName}"
"/var/lib/nixos-containers/${container_name}"
];
};
@ -30,14 +26,14 @@ in {
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "br0";
containers.${containerName} = {
containers.${container_name} = {
autoStart = true;
privateNetwork = true;
hostBridge = "br0";
nixpkgs = pkgs.path;
bindMounts = {
"/var/lib/postgresql" = {
hostPath = postgresContainerData;
hostPath = "/media/main-ssd/postgresql";
isReadOnly = false;
};
};
@ -48,10 +44,10 @@ in {
...
}: {
networking = {
defaultGateway = "${gatewayIp}";
defaultGateway = "10.0.10.1";
interfaces.eth0.ipv4.addresses = [
{
"address" = "${containerIp}";
"address" = "${container_ip}";
"prefixLength" = 24;
}
];
@ -74,64 +70,33 @@ in {
enable = true;
enableJIT = true;
package = pkgs.postgresql_16;
extensions = with pkgs.postgresql_16.pkgs; [postgis];
enableTCPIP = true;
extraPlugins = with pkgs.postgresql_16.pkgs; [ postgis ];
settings = {
# max_worker_processes = "12";
# max_parallel_workers = "8";
# max_parallel_workers_per_gather = "4";
# max_connections = "100";
# autovacuum_work_mem = "2GB";
# shared_buffers = "32GB";
# work_mem = "0.32GB";
# maintenance_work_mem = "64MB";
max_worker_processes = "12";
max_parallel_workers = "8";
max_parallel_workers_per_gather = "4";
max_connections = "100";
shared_buffers = "2GB";
effective_cache_size = "6GB";
maintenance_work_mem = "1GB";
checkpoint_completion_target = "0.9";
wal_buffers = "16MB";
default_statistics_target = "500";
random_page_cost = "1.1";
effective_io_concurrency = "200";
work_mem = "17476kB";
huge_pages = "off";
min_wal_size = "4GB";
max_wal_size = "16GB";
max_worker_processes = "6";
max_parallel_workers_per_gather = "3";
max_parallel_workers = "6";
max_parallel_maintenance_workers = "3";
autovacuum_work_mem = "2GB";
shared_buffers = "32GB";
work_mem = "0.32GB";
maintenance_work_mem = "64MB";
};
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser origin-address auth-method
local all postgres peer
host all all ${subnetIp}/24 scram-sha-256
local replication all peer
host replication all 127.0.0.1/32 scram-sha-256
#type database DBuser auth-method
local all all trust
'';
};
# systemd.services.postgresql.postStart = ''
# $PSQL -tA <<'EOF'
# DO $$
# DECLARE password TEXT;
# BEGIN
# password := trim(both from replace(pg_read_file('${postgresPasswordPath}'), E'\n', '''));
# EXECUTE format('ALTER ROLE postgres WITH PASSWORD '''%s''';', password);
# END $$;
# EOF
# '';
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
systemd.services.postgresql.postStart = ''
$PSQL -tA <<'EOF'
DO $$
DECLARE password TEXT;
BEGIN
password := trim(both from replace(pg_read_file('${postgresPasswordPath}'), E'\n', '''));
EXECUTE format('ALTER ROLE postgres WITH PASSWORD '''%s''';', password);
END $$;
EOF
'';
services.openssh = {
enable = true;
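Review bot: The `authentication` override in the `services.postgresql` block reduces pg_hba to `local all all trust`, so any local OS account in the container can connect over the socket as any role, including `postgres`, with no password, and the password that the `postStart` hook sets from `${postgresPasswordPath}` is never checked for those connections. Because `mkOverride 10` replaces the module default rather than appending, TCP clients get no `host` rule at all from this file (whether `enableTCPIP = true;` sits on the new side is not certain from the rendered lines). Suggest `local all postgres peer` and `host all all 10.0.10.0/24 scram-sha-256` (the container's /24 from the address above) so the password set in `postStart` is what actually gates access. The `services.openssh` block and the rest of the `config` function continue outside this section.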


@ -1,170 +0,0 @@
{
pkgs,
lib,
configVars,
inputs,
...
}: let
containerName = "reverse-proxy";
containerIp = configVars.networking.addresses.reverse-proxy.ip;
gatewayIp = configVars.networking.addresses.gateway.ip;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
sops-nix = inputs.sops-nix;
dockerContainerIp = configVars.networking.addresses.docker.ip;
bdWorker = configVars.networking.addresses.bd-worker.ip;
pihole = configVars.networking.addresses.pihole.ip;
bitcoinNode = configVars.networking.addresses.bitcoin-node.ip;
metricsServer = configVars.networking.addresses.metrics-server.ip;
in {
networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "br0";
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/var/lib/nixos-containers/${containerName}"
];
};
containers."${containerName}" = {
enableTun = true;
autoStart = true;
privateNetwork = true;
hostBridge = "br0";
nixpkgs = pkgs.path;
bindMounts = {
"/etc/ssh/ssh_host_ed25519_key" = {
hostPath = "/etc/ssh/ssh_host_ed25519_key";
isReadOnly = true;
};
};
config = {
pkgs,
lib,
config,
...
}: let
secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml";
in {
sops = {
defaultSopsFile = "${secretsFile}";
validateSopsFiles = false;
age = {
sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
};
};
sops.secrets = {
"ssl_keys/lan-selfsigned.crt" = {
mode = "0644";
};
"ssl_keys/lan-selfsigned.key" = {
mode = "0644";
};
};
networking = {
defaultGateway = "${gatewayIp}";
interfaces.eth0.ipv4.addresses = [
{
"address" = "${containerIp}";
"prefixLength" = 24;
}
];
firewall = {
enable = true;
allowedTCPPorts = [
80
443
];
};
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
imports = [
sops-nix.nixosModules.sops
];
environment.systemPackages = [
pkgs.vim
pkgs.git
pkgs.nginx
];
services.nginx = {
enable = true;
virtualHosts = {
"jellyfin.lan" = {
forceSSL = true;
sslCertificate = "${config.sops.secrets."ssl_keys/lan-selfsigned.crt".path}";
sslCertificateKey = "${config.sops.secrets."ssl_keys/lan-selfsigned.key".path}";
locations."/".proxyPass = "http://${dockerContainerIp}:8096";
};
"mempool.lan" = {
forceSSL = true;
sslCertificate = "${config.sops.secrets."ssl_keys/lan-selfsigned.crt".path}";
sslCertificateKey = "${config.sops.secrets."ssl_keys/lan-selfsigned.key".path}";
locations."/".proxyPass = "http://${bitcoinNode}:4080";
extraConfig = ''
proxy_set_header Host mempool.lan;
'';
};
"grafana.lan" = {
forceSSL = true;
sslCertificate = "${config.sops.secrets."ssl_keys/lan-selfsigned.crt".path}";
sslCertificateKey = "${config.sops.secrets."ssl_keys/lan-selfsigned.key".path}";
locations."/".proxyPass = "http://${metricsServer}:2342";
extraConfig = ''
proxy_set_header Host grafana.lan;
'';
};
"metrics.lan" = {
forceSSL = true;
sslCertificate = "${config.sops.secrets."ssl_keys/lan-selfsigned.crt".path}";
sslCertificateKey = "${config.sops.secrets."ssl_keys/lan-selfsigned.key".path}";
locations."/".proxyPass = "http://${metricsServer}:9001";
};
"searx.lan" = {
forceSSL = true;
sslCertificate = "${config.sops.secrets."ssl_keys/lan-selfsigned.crt".path}";
sslCertificateKey = "${config.sops.secrets."ssl_keys/lan-selfsigned.key".path}";
locations."/".proxyPass = "http://${dockerContainerIp}:8855";
};
"dns.lan" = {
forceSSL = true;
sslCertificate = "${config.sops.secrets."ssl_keys/lan-selfsigned.crt".path}";
sslCertificateKey = "${config.sops.secrets."ssl_keys/lan-selfsigned.key".path}";
locations."/".proxyPass = "http://${pihole}:80";
};
"prefect.lan" = {
forceSSL = true;
sslCertificate = "${config.sops.secrets."ssl_keys/lan-selfsigned.crt".path}";
sslCertificateKey = "${config.sops.secrets."ssl_keys/lan-selfsigned.key".path}";
locations."/".proxyPass = "http://${bdWorker}:4200";
};
};
};
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
users.users = {
root = {
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
};
};
system.stateVersion = "24.05";
};
};
}


@ -1,164 +0,0 @@
{
pkgs,
lib,
inputs,
configVars,
...
}: let
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
containerName = "sm-worker";
sops-nix = inputs.sops-nix;
semitamapsData = configVars.locations.semitamapsData;
containerIp = configVars.networking.addresses.sm-worker.ip;
gatewayIp = configVars.networking.addresses.gateway.ip;
arion = inputs.arion;
in {
networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "br0";
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/var/lib/nixos-containers/${containerName}"
];
};
services.restic.backups = {
daily = {
paths = [
semitamapsData
];
};
};
containers."${containerName}" = {
enableTun = true;
# configuration to run docker/podman in systemd-nspawn container
# https://discourse.nixos.org/t/podman-docker-in-nixos-container-ideally-in-unprivileged-one/22909/12
additionalCapabilities = [
''all" --system-call-filter="add_key keyctl bpf" --capability="all''
];
extraFlags = ["--private-users-ownership=chown"];
allowedDevices = [
];
######
autoStart = true;
privateNetwork = true;
hostBridge = "br0";
nixpkgs = pkgs.path;
bindMounts = {
"/etc/ssh/ssh_host_ed25519_key" = {
hostPath = "/etc/ssh/ssh_host_ed25519_key";
isReadOnly = true;
};
"/data/semitamaps-data" = {
hostPath = semitamapsData;
isReadOnly = false;
};
};
config = {
pkgs,
lib,
...
}: let
secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml";
in {
networking = {
defaultGateway = "${gatewayIp}";
interfaces.eth0.ipv4.addresses = [
{
"address" = "${containerIp}";
"prefixLength" = 24;
}
];
firewall = {
enable = true;
allowedTCPPorts = [
2322
8080
8081
];
};
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
sops = {
defaultSopsFile = "${secretsFile}";
validateSopsFiles = false;
age = {
sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
};
};
imports = [
sops-nix.nixosModules.sops
arion.nixosModules.arion
../docker-containers/semitamaps-tileserver.nix
];
environment.systemPackages = [
pkgs.vim
pkgs.git
pkgs.arion
pkgs.podman-compose
pkgs.jdk
];
virtualisation = {
podman = {
enable = true;
dockerSocket.enable = true;
defaultNetwork.settings.dns_enabled = true;
dockerCompat = true;
};
};
networking.firewall.interfaces."podman+".allowedUDPPorts = [53];
systemd.services.photon = {
wantedBy = ["multi-user.target"];
after = ["network.target"];
description = "Photon Service";
path = ["/run/current-system/sw"];
serviceConfig = {
WorkingDirectory = "/data/semitamaps-data/photon";
ExecStart = pkgs.writeShellScript "photon" ''
java -jar photon-*.jar -cors-any
'';
Restart = "on-failure";
};
};
services.prometheus = {
exporters = {
node = {
enable = true;
enabledCollectors = ["systemd"];
openFirewall = true;
};
};
};
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
users.users = {
root = {
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
};
};
system.stateVersion = "24.05";
};
};
}


@ -1,125 +0,0 @@
{
pkgs,
lib,
configVars,
...
}: let
containerName = "semitamaps";
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
hostAddress = configVars.networking.addresses.semitamaps.hostAddress;
localAddress = configVars.networking.addresses.semitamaps.localAddress;
workingDirectory = "/var/www/semitamaps";
in {
systemd.tmpfiles.rules = [
"d /var/run/sockets 0660 www-data www-data -"
];
networking = {
nat = {
enable = true;
internalInterfaces = ["ve-+"];
externalInterface = "enp1s0";
};
};
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/var/lib/nixos-containers/${containerName}"
];
};
containers."${containerName}" = {
autoStart = true;
privateNetwork = true;
hostAddress = hostAddress;
localAddress = localAddress;
nixpkgs = pkgs.path;
bindMounts = {
"/etc/ssh/ssh_host_ed25519_key" = {
hostPath = "/etc/ssh/ssh_host_ed25519_key";
isReadOnly = true;
};
"/var/run/sockets" = {
hostPath = "/var/run/sockets";
isReadOnly = false;
};
};
config = {
pkgs,
lib,
...
}: {
networking = {
firewall = {
enable = true;
rejectPackets = true;
allowedTCPPorts = [
80
443
];
};
useHostResolvConf = lib.mkForce false;
};
systemd.tmpfiles.rules = [
"d ${workingDirectory} 0750 www-data www-data"
"d ${workingDirectory}/.venv 0750 www-data www-data"
"d ${workingDirectory}/public/uploads 0775 www-data www-data"
];
services.resolved.enable = true;
imports = [
];
environment.systemPackages = [
pkgs.vim
pkgs.git
];
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
systemd.services.semitamaps = {
wantedBy = ["multi-user.target"];
after = ["network.target"];
description = "Deploys and serves semitamaps";
environment = {
};
serviceConfig = {
WorkingDirectory = "${workingDirectory}";
ExecStartPre = pkgs.writeShellScript "semitamaps-prestart" ''
set -e
GITCMD="${pkgs.openssh}/bin/ssh -i /etc/ssh/ssh_host_ed25519_key"
if [ ! -d ${workingDirectory}/.git ]; then
export GIT_SSH_COMMAND=$GITCMD
${pkgs.git}/bin/git clone git@git.bitlab21.com:sam/semitamaps.com.git ${workingDirectory}
fi
${pkgs.poetry}/bin/poetry install
'';
ExecStart = pkgs.writeShellScript "semitamaps-start" ''
.venv/bin/python .venv/bin/uvicorn --workers 4 --uds /var/run/sockets/semitamaps.sock app:app
'';
Restart = "on-failure";
};
};
programs.ssh.knownHosts = {
"git.bitlab21.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALNd2BGf64heYjWT9yt0fVmngepiHRIMsL7au/MRteg";
};
users.users = {
root = {
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
};
};
system.stateVersion = "24.05";
};
};
}


@ -1,110 +0,0 @@
{
pkgs,
lib,
configVars,
inputs,
...
}: let
containerName = "vaultwarden";
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
hostAddress = configVars.networking.addresses.vaultwarden.hostAddress;
localAddress = configVars.networking.addresses.vaultwarden.localAddress;
vaultwardenPort = configVars.networking.addresses.vaultwarden.port;
cloudnixIp = configVars.networking.addresses.cloudnix.ip;
sops-nix = inputs.sops-nix;
in {
networking = {
nat = {
enable = true;
internalInterfaces = ["ve-+"];
externalInterface = "enp1s0";
};
};
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/var/lib/nixos-containers/${containerName}"
];
};
containers."${containerName}" = {
autoStart = true;
privateNetwork = true;
hostAddress = hostAddress;
localAddress = localAddress;
nixpkgs = pkgs.path;
bindMounts = {
"/etc/ssh/ssh_host_ed25519_key" = {
hostPath = "/etc/ssh/ssh_host_ed25519_key";
isReadOnly = true;
};
};
config = {
pkgs,
lib,
...
}: let
secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml";
in {
networking = {
defaultGateway = cloudnixIp;
firewall = {
enable = true;
allowedTCPPorts = [
vaultwardenPort
];
};
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
sops = {
defaultSopsFile = "${secretsFile}";
validateSopsFiles = false;
age = {
sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
};
};
imports = [
sops-nix.nixosModules.sops
];
environment.systemPackages = [
pkgs.vim
pkgs.git
pkgs.lsof
];
services.vaultwarden = {
enable = true;
dbBackend = "sqlite";
config = {
ROCKET_ADDRESS = "0.0.0.0";
ROCKET_PORT = vaultwardenPort;
ROCKET_LOG = "critical";
};
};
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
};
users.users = {
root = {
openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
};
};
system.stateVersion = "24.05";
};
};
}


@ -1,277 +0,0 @@
{
pkgs,
lib,
configVars,
inputs,
...
}: let
containerName = "xmpp";
xmppDomain = configVars.domains.xmpp;
pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
hostAddress = configVars.networking.addresses.xmpp.hostAddress;
externalIp = configVars.networking.addresses.cloudnix.ip;
localAddress = configVars.networking.addresses.xmpp.localAddress;
sops-nix = inputs.sops-nix;
xmppPorts = configVars.networking.addresses.xmpp.ports;
xmppUDPPorts =
[
xmppPorts.coturn
xmppPorts.coturn-tls
]
++ lib.range xmppPorts.coturn-min-udp xmppPorts.coturn-max-udp;
xmppTCPPorts = [
xmppPorts.coturn
xmppPorts.coturn-tls
xmppPorts.xmpp-https
xmppPorts.xmpp-http
xmppPorts.xmpp-s2s
xmppPorts.xmpp-c2s
xmppPorts.xmpp-c2s-legacy-tls
xmppPorts.xmpp-s2s-tls
];
in {
networking = {
nat = {
enable = true;
internalInterfaces = ["ve-+"];
externalInterface = "enp1s0";
};
firewall = {
enable = true;
allowedTCPPorts = xmppTCPPorts;
allowedUDPPorts = xmppUDPPorts;
};
};
environment.persistence."/persist" = {
hideMounts = true;
directories = [
"/var/lib/nixos-containers/${containerName}"
];
};
systemd.tmpfiles.rules = [
"d /var/lib/prosody 0750"
];
containers."${containerName}" = {
autoStart = true;
privateNetwork = true;
hostAddress = hostAddress;
localAddress = localAddress;
nixpkgs = pkgs.path;
bindMounts = {
"/etc/ssh/ssh_host_ed25519_key" = {
hostPath = "/etc/ssh/ssh_host_ed25519_key";
isReadOnly = true;
};
"/var/lib/prosody" = {
hostPath = "/var/lib/prosody";
isReadOnly = false;
};
"/var/lib/acme/${xmppDomain}/" = {
hostPath = "/var/lib/acme/${xmppDomain}/";
isReadOnly = false;
};
};
forwardPorts =
lib.map (port: {
protocol = "tcp";
containerPort = port;
hostPort = port;
})
xmppTCPPorts
++ lib.map (port: {
protocol = "udp";
containerPort = port;
hostPort = port;
})
xmppUDPPorts;
config = {
pkgs,
lib,
config,
...
}: let
secretsDirectory = builtins.toString inputs.nix-secrets;
secretsFile = "${secretsDirectory}/secrets.yaml";
in {
users.groups.www-data = {
gid = 33;
};
users.users.prosody = {
isSystemUser = true;
uid = 149;
extraGroups = ["www-data"];
};
users.users.turnserver = {
isSystemUser = true;
uid = 249;
extraGroups = ["www-data"];
};
networking = {
firewall = {
enable = true;
rejectPackets = true;
allowedTCPPorts = xmppTCPPorts ++ [80 443];
allowedUDPPorts = xmppUDPPorts;
};
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
sops = {
defaultSopsFile = "${secretsFile}";
validateSopsFiles = false;
age = {
sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
};
secrets = {
"software/coturn/static-auth-secret" = {
mode = "0644";
};
};
};
imports = [
sops-nix.nixosModules.sops
];
environment.systemPackages = [
pkgs.vim
pkgs.git
pkgs.prosody
pkgs.coturn
];
sops.templates."prosody_secrets.lua" = {
mode = "444";
content = ''
turn_external_secret = "${config.sops.placeholder."software/coturn/static-auth-secret"}";
'';
};
services.prosody = {
enable = true;
package = pkgs.prosody.override {
withCommunityModules = [
"turn_external"
"conversejs"
"admin_web"
"external_services"
"http_altconnect"
];
};
extraModules = [
"server_contact_info"
"http_file_share"
"external_services"
"turn_external"
"conversejs"
"admin_web"
"http"
"websocket"
"http_altconnect"
];
allowRegistration = true;
extraConfig = ''
Include "${config.sops.templates."prosody_secrets.lua".path}"
registration_invite_only = true;
allow_user_invites = true;
cross_domain_bosh = true;
cross_domain_websocket = true;
turn_external_host = "turn.${xmppDomain}";
turn_external_port = ${toString xmppPorts.coturn};
http_default_host = "${xmppDomain}";
certificates = "certs"
consider_websocket_secure = true
external_services = {
{
port="${toString xmppPorts.coturn}";
transport="tcp";
type="stun";
host="turn.${xmppDomain}"
};
{
port="${toString xmppPorts.coturn}";
transport="udp";
type="turn";
host="turn.${xmppDomain}"
};
}
s2s_direct_tls_ports = { ${toString xmppPorts.xmpp-s2s-tls} }
legacy_ssl_ports = { ${toString xmppPorts.xmpp-c2s-legacy-tls} }
legacy_ssl_ssl = {
certificate = "/var/lib/acme/${xmppDomain}/cert.pem";
key = "/var/lib/acme/${xmppDomain}/key.pem";
}
contact_info = {
admin = { "mailto:admin@${xmppDomain}", "xmpp:admin@${xmppDomain}" };
}
'';
modules.bosh = true;
s2sRequireEncryption = true;
c2sRequireEncryption = true;
s2sSecureAuth = false;
admins = ["root@${xmppDomain}"];
ssl.cert = "/var/lib/acme/${xmppDomain}/fullchain.pem";
ssl.key = "/var/lib/acme/${xmppDomain}/key.pem";
httpFileShare.domain = "upload.${xmppDomain}";
virtualHosts."${xmppDomain}" = {
enabled = true;
ssl.cert = "/var/lib/acme/${xmppDomain}/fullchain.pem";
ssl.key = "/var/lib/acme/${xmppDomain}/key.pem";
extraConfig = ''
http_external_url = "https://chat.${xmppDomain}/"
invites_page = "https://chat.${xmppDomain}/register?t={invite.token}"
http_paths = {
invites_page = "/invite";
invites_register_web = "/register";
}
disco_items = {
{ "upload.${xmppDomain}.com" },
{ "rooms.${xmppDomain}.com" },
{ "turn.${xmppDomain}.com" },
}
'';
domain = "${xmppDomain}";
};
muc = [
{
domain = "conference.${xmppDomain}";
}
];
uploadHttp = {
domain = "https://upload.${xmppDomain}";
uploadFileSizeLimit = "1000000000"; # 1 gb file-size limit
uploadExpireAfter = "31557600"; # files deleted after 1 year
};
};
services.coturn = {
enable = true;
realm = "turn.${xmppDomain}";
use-auth-secret = true;
static-auth-secret-file = config.sops.secrets."software/coturn/static-auth-secret".path;
tls-listening-port = xmppPorts.coturn-tls;
cert = "/var/lib/acme/${xmppDomain}/cert.pem";
pkey = "/var/lib/acme/${xmppDomain}/key.pem";
min-port = xmppPorts.coturn-min-udp;
max-port = xmppPorts.coturn-max-udp;
extraConfig = ''
external-ip = ${externalIp}/${localAddress}
log = /var/log/turnserver.log
verbose
'';
};
system.stateVersion = "24.05";
};
};
}


@ -4,15 +4,17 @@
hideMounts = true;
directories = [
"/etc/nixos"
"/srv"
"/var/log"
"/var/lib/nixos"
"/var/lib/systemd/coredump"
"/etc/NetworkManager/system-connections"
"/var/lib/flatpak"
"/run/secrets-for-users"
];
files = [
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/machine-id"
];
};
}
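Review bot: Persisting `/run/secrets-for-users` into `/persist` (the `directories` list in this hunk) keeps decrypted sops-nix material on disk across reboots instead of confining it to the tmpfs it is normally written to, so anyone with offline access to the `/persist` volume can read those secrets unless that volume is itself encrypted. The hunk header (15 → 17 lines) shows only a small addition and the rendering does not mark which entries are new, so this entry may be pre-existing; either way it deserves a why-comment next to it, e.g. `# TODO(review): document why decrypted sops-nix user secrets must survive reboot; /persist must be encrypted for this to be safe`. The enclosing `environment.persistence."/persist"` attribute set opens before this hunk.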
