Kabbone/nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

format the repo files

Browse Source
This commit is contained in:
Kabbone
2026-04-26 10:27:50 +02:00
parent 92fd97c9a2
commit b319cd93e9
116 changed files with 4726 additions and 4247 deletions
Download Patch File Download Diff File Expand all files Collapse all files

108
CLAUDE.md Normal file
View File

@@ -0,0 +1,108 @@
# CLAUDE.md
This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
## What This Repo Is
A NixOS flake configuration managing multiple hosts (desktops, laptops, servers). All hosts share common settings via `hosts/configuration_common.nix` and are assembled in `hosts/default.nix`.
## Common Commands
```bash
# Format all nix files
nix fmt
# Build a host configuration (no activation)
nixos-rebuild build --flake .#<host>
# Switch the current host
sudo nixos-rebuild switch --flake .#<host>
# Build a custom package
nix build .#<package>
# Edit an age-encrypted secret
agenix -e secrets/<path>.age
# Re-key all secrets after adding a new host key to secrets/secrets.nix
agenix -r
```
## Architecture
### Entry Points
- `flake.nix` — defines inputs (nixpkgs stable=25.11, unstable, home-manager, agenix, lanzaboote, jovian-nixos, microvm, impermanence, noctalia) and calls `hosts/default.nix` for `nixosConfigurations`
- `hosts/default.nix` — instantiates every host via `lib.nixosSystem`; contains the `mkHM` helper that wires home-manager into a host's modules list
### Host Structure
Each host lives in `hosts/<name>/`:
- `default.nix` — imports either `../../modules/desktop` or `../../modules/server`, sets the module options (`myDesktop.*` / `myServer.*`), and adds host-specific settings
- `home.nix` — host-specific home-manager config (merged with `hosts/home.nix` for desktops or `hosts/home_server.nix` for servers)
- `hardware-configuration.nix` — generated hardware config
Shared host-level files:
- `hosts/configuration_common.nix` — applied to every host: SSH (key-only, no root), locale, nix GC/settings, zsh, fonts, auto-upgrade flake URL
- `hosts/home.nix` — desktop home-manager base
- `hosts/home_server.nix` — server home-manager base
### Module System
Two top-level NixOS modules expose all major knobs as typed options:
**`modules/desktop/default.nix`** — `myDesktop.*`
- `windowManager`: `"niri"` (default) | `"sway"` | `"kde"`
- `cpu`: `"amd"` | `"intel"` | `"none"` — selects KVM kernel params
- `virtualisation.enable` — podman (docker-compat) + qemu/libvirt + virt-manager
- `syncthing.{enable,devices,folders}`
- `openrgb.{enable,motherboard}`
- `laptop.{enable,lidSwitch,hibernateDelaySec}`
- `nitrokey.enable`
- `niri.hotkeyVariant`: `"default"` | `"lifebook"`
- `git.signingKey` — SSH key for commit signing
- `extraSystemPackages`
**`modules/server/default.nix`** — `myServer.*`
- `sshPort` (default 2220)
- `virtualisation.{enable,cpu}` — podman only (no libvirt)
- `fail2ban.enable`
- `autoUpgrade.enable` (default true)
- `uid`, `sudoRequiresPassword`, `extraGroups`, `extraSystemPackages`
Service bundles are imported as lists in host `default.nix`:
- `modules/services/server/` — kabtop services (gitea, nextcloud, matrix, coturn, hydra, mealie, etc.)
- `modules/services/nas/` — jupiter services (nfs, vaultwarden, syncthing, paperless)
- `modules/services/dmz/` — dmz services (gitea runner microVM)
- `modules/services/kabtopci/` — kabtopci services (hydra, gitea runner)
- `modules/services/nasbackup/` — nasbak backup jobs
### Secrets (agenix)
`secrets/secrets.nix` declares which age public keys (users + host SSH keys) can decrypt each `.age` file. Add a new host: add its `ssh-ed25519` host key to `secrets/secrets.nix` in the relevant groups, then run `agenix -r` to re-key.
### Custom Packages & Overlays
- `packages/` — custom packages (e.g. `corosync-qdevice`), imported at `flake.nix` level
- `overlays/` — nixpkgs overlays applied globally
- Per-host overlays: set `nixpkgs.overlays` inside the host's `default.nix` so only that host is affected
### Disk Layouts
`disko/` contains reusable disko modules: `btrfs.nix`, `btrfs_luks.nix`, `nas_luks.nix` — referenced during initial install.
## Active Hosts
| Host | Role | WM / Notes |
|---|---|---|
| hades | Desktop | niri, AMD, Secure Boot (lanzaboote) |
| lifebook | Laptop | niri, Intel, Secure Boot |
| steamdeck | Gaming | KDE/Jovian-NixOS, Secure Boot |
| kabtop | Main server | gitea, nextcloud, matrix+bridges, coturn, hydra, mealie |
| kabtopci | CI server | hydra, nix-serve |
| jupiter | NAS | nfs, vaultwarden, syncthing, paperless |
| dmz | DMZ | gitea Actions homerunner microVM |
| nasbak | NAS backup | — |
| kubemaster-1 | K8s master | — |
See `SERVICES.md` for port-level service details per host.

16
disko/btrfs.nix
View File

@@ -13,7 +13,7 @@
content = { content = {
type = "filesystem"; type = "filesystem";
format = "vfat"; format = "vfat";
extraArgs = [ "-n" "NIXBOOT" ]; extraArgs = ["-n" "NIXBOOT"];
mountpoint = "/boot"; mountpoint = "/boot";
mountOptions = [ mountOptions = [
"defaults" "defaults"
@@ -24,31 +24,31 @@
size = "100%"; size = "100%";
content = { content = {
type = "btrfs"; type = "btrfs";
extraArgs = [ "-f" "-L" "NIXROOT" ]; extraArgs = ["-f" "-L" "NIXROOT"];
subvolumes = { subvolumes = {
"@" = { "@" = {
mountpoint = "/"; mountpoint = "/";
mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ]; mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
}; };
"@home" = { "@home" = {
mountpoint = "/home"; mountpoint = "/home";
mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ]; mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
}; };
"@nix" = { "@nix" = {
mountpoint = "/nix"; mountpoint = "/nix";
mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ]; mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
}; };
"@snapshots" = { "@snapshots" = {
mountpoint = "/mnt"; mountpoint = "/mnt";
mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ]; mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
}; };
"@srv" = { "@srv" = {
mountpoint = "/srv"; mountpoint = "/srv";
mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ]; mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
}; };
"@var" = { "@var" = {
mountpoint = "/var"; mountpoint = "/var";
mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ]; mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
}; };
"@swap" = { "@swap" = {
mountpoint = "/swap"; mountpoint = "/swap";

18
disko/btrfs_luks.nix
View File

@@ -13,7 +13,7 @@
content = { content = {
type = "filesystem"; type = "filesystem";
format = "vfat"; format = "vfat";
extraArgs = [ "-n NIXBOOT" ]; extraArgs = ["-n NIXBOOT"];
mountpoint = "/boot"; mountpoint = "/boot";
mountOptions = [ mountOptions = [
"defaults" "defaults"
@@ -33,35 +33,35 @@
}; };
content = { content = {
type = "btrfs"; type = "btrfs";
extraArgs = [ "-f -L NIXROOT" ]; extraArgs = ["-f -L NIXROOT"];
subvolumes = { subvolumes = {
"@" = { "@" = {
mountpoint = "/"; mountpoint = "/";
mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ]; mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
}; };
"@home" = { "@home" = {
mountpoint = "/home"; mountpoint = "/home";
mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ]; mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
}; };
"@nix" = { "@nix" = {
mountpoint = "/nix"; mountpoint = "/nix";
mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ]; mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
}; };
"@opt" = { "@opt" = {
mountpoint = "/opt"; mountpoint = "/opt";
mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ]; mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
}; };
"@snapshots" = { "@snapshots" = {
mountpoint = "/mnt"; mountpoint = "/mnt";
mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ]; mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
}; };
"@srv" = { "@srv" = {
mountpoint = "/srv"; mountpoint = "/srv";
mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ]; mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
}; };
"@var" = { "@var" = {
mountpoint = "/var"; mountpoint = "/var";
mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ]; mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
}; };
"@swap" = { "@swap" = {
mountpoint = "/swap"; mountpoint = "/swap";

85
flake.nix
View File

@@ -2,55 +2,55 @@
# https://github.com/MatthiasBenaets/nixos-config # https://github.com/MatthiasBenaets/nixos-config
# https://www.youtube.com/watch?v=AGVXJ-TIv3Y # https://www.youtube.com/watch?v=AGVXJ-TIv3Y
# #
# flake.nix * # flake.nix *
# ├─ ./hosts # ├─ ./hosts
# │ └─ default.nix # │ └─ default.nix
{ {
description = "Kabbone's personal NixOS Flake config"; description = "Kabbone's personal NixOS Flake config";
inputs = { inputs = {
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; # Nix Packages nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; # Nix Packages
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
nixos-hardware.url = "github:NixOS/nixos-hardware/master"; nixos-hardware.url = "github:NixOS/nixos-hardware/master";
microvm = { microvm = {
url = "github:microvm-nix/microvm.nix"; url = "github:microvm-nix/microvm.nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
impermanence.url = "github:nix-community/impermanence"; impermanence.url = "github:nix-community/impermanence";
home-manager = { # User Package Management home-manager = {
url = "github:nix-community/home-manager/release-25.11"; # User Package Management
inputs.nixpkgs.follows = "nixpkgs"; url = "github:nix-community/home-manager/release-25.11";
}; inputs.nixpkgs.follows = "nixpkgs";
};
home-manager-unstable = { # User Package Management home-manager-unstable = {
url = "github:nix-community/home-manager"; # User Package Management
inputs.nixpkgs.follows = "nixpkgs-unstable"; url = "github:nix-community/home-manager";
}; inputs.nixpkgs.follows = "nixpkgs-unstable";
};
agenix = { agenix = {
url = "github:ryantm/agenix"; url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
jovian-nixos = { jovian-nixos = {
url = "github:Jovian-Experiments/Jovian-NixOS"; url = "github:Jovian-Experiments/Jovian-NixOS";
inputs.nixpkgs.follows = "nixpkgs-unstable"; inputs.nixpkgs.follows = "nixpkgs-unstable";
}; };
lanzaboote = { lanzaboote = {
url = "github:nix-community/lanzaboote/master"; url = "github:nix-community/lanzaboote/master";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
noctalia = {
url = "github:noctalia-dev/noctalia-shell";
inputs.nixpkgs.follows = "nixpkgs";
};
noctalia = {
url = "github:noctalia-dev/noctalia-shell";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = { outputs = {
@@ -67,17 +67,16 @@
lanzaboote, lanzaboote,
noctalia, noctalia,
... ...
} @ inputs: } @ inputs: let
let
systems = [ systems = [
# "aarch64-linux" # "aarch64-linux"
"x86_64-linux" "x86_64-linux"
]; ];
forAllSystems = nixpkgs.lib.genAttrs systems; forAllSystems = nixpkgs.lib.genAttrs systems;
in { in {
# Your custom packages # Your custom packages
# Accessible through 'nix build', 'nix shell', etc # Accessible through 'nix build', 'nix shell', etc
packages = forAllSystems (system: import ./packages { pkgs = nixpkgs.legacyPackages.${system}; }); packages = forAllSystems (system: import ./packages {pkgs = nixpkgs.legacyPackages.${system};});
# Formatter for your nix files, available through 'nix fmt' # Formatter for your nix files, available through 'nix fmt'
# Other options beside 'alejandra' include 'nixpkgs-fmt' # Other options beside 'alejandra' include 'nixpkgs-fmt'
formatter = forAllSystems (system: nixpkgs.legacyPackages.${system}.alejandra); formatter = forAllSystems (system: nixpkgs.legacyPackages.${system}.alejandra);
@@ -91,11 +90,11 @@
# These are usually stuff you would upstream into home-manager # These are usually stuff you would upstream into home-manager
#homeManagerModules = import ./modules/home-manager; #homeManagerModules = import ./modules/home-manager;
nixosConfigurations = ( # NixOS configurations
nixosConfigurations = ( # NixOS configurations import ./hosts {
import ./hosts { # Imports ./hosts/default.nix # Imports ./hosts/default.nix
inherit (nixpkgs) lib; inherit (nixpkgs) lib;
inherit inputs nixpkgs nixpkgs-unstable nixos-hardware home-manager home-manager-unstable agenix jovian-nixos microvm impermanence lanzaboote; # Also inherit home-manager so it does not need to be defined here. inherit inputs nixpkgs nixpkgs-unstable nixos-hardware home-manager home-manager-unstable agenix jovian-nixos microvm impermanence lanzaboote; # Also inherit home-manager so it does not need to be defined here.
} }
); );

14
hosts/configuration_common.nix
View File

@@ -2,10 +2,16 @@
# Common configuration shared by all hosts (desktop and server). # Common configuration shared by all hosts (desktop and server).
# Imported by configuration_desktop.nix and configuration_server.nix. # Imported by configuration_desktop.nix and configuration_server.nix.
# #
{ config, lib, pkgs, inputs, user, location, agenix, ... }:
{ {
config,
lib,
pkgs,
inputs,
user,
location,
agenix,
...
}: {
imports = [ imports = [
../modules/hardware/hydraCache.nix ../modules/hardware/hydraCache.nix
]; ];
@@ -86,7 +92,7 @@
nix = { nix = {
settings = { settings = {
auto-optimise-store = true; auto-optimise-store = true;
allowed-users = [ "@wheel" ]; allowed-users = ["@wheel"];
}; };
gc = { gc = {
automatic = true; automatic = true;

16
hosts/configuration_server.nix
View File

@@ -2,10 +2,16 @@
# Server configuration. Imports configuration_common.nix for shared settings. # Server configuration. Imports configuration_common.nix for shared settings.
# Service modules are imported per-host. # Service modules are imported per-host.
# #
{ config, lib, pkgs, inputs, user, location, agenix, ... }:
{ {
config,
lib,
pkgs,
inputs,
user,
location,
agenix,
...
}: {
imports = [ imports = [
./configuration_common.nix ./configuration_common.nix
]; ];
@@ -13,7 +19,7 @@
users.users.${user} = { users.users.${user} = {
isNormalUser = true; isNormalUser = true;
uid = 3000; uid = 3000;
extraGroups = [ "wheel" "networkmanager" "kvm" "libvirtd" ]; extraGroups = ["wheel" "networkmanager" "kvm" "libvirtd"];
}; };
security.sudo.wheelNeedsPassword = true; security.sudo.wheelNeedsPassword = true;
@@ -25,7 +31,7 @@
]; ];
services.openssh = { services.openssh = {
ports = [ 2220 ]; ports = [2220];
openFirewall = true; openFirewall = true;
}; };

280
hosts/default.nix
View File

@@ -12,10 +12,21 @@
# ├─ ./default.nix # ├─ ./default.nix
# └─ ./home.nix # └─ ./home.nix
# #
{
{ lib, inputs, nixpkgs, nixpkgs-unstable, nixos-hardware, home-manager, home-manager-unstable, agenix, jovian-nixos, microvm, impermanence, lanzaboote, ... }: lib,
inputs,
let nixpkgs,
nixpkgs-unstable,
nixos-hardware,
home-manager,
home-manager-unstable,
agenix,
jovian-nixos,
microvm,
impermanence,
lanzaboote,
...
}: let
# Default user — desktop hosts share this; server hosts may override per-host # Default user — desktop hosts share this; server hosts may override per-host
# by passing a different `user` value in their own specialArgs block. # by passing a different `user` value in their own specialArgs block.
defaultUser = "kabbone"; defaultUser = "kabbone";
@@ -30,7 +41,10 @@ let
pkgs-kabbone = import ../packages { pkgs-kabbone = import ../packages {
inherit system; inherit system;
pkgs = import nixpkgs { inherit system; config.allowUnfree = true; }; pkgs = import nixpkgs {
inherit system;
config.allowUnfree = true;
};
}; };
pkgs = import nixpkgs { pkgs = import nixpkgs {
@@ -51,136 +65,188 @@ let
{ {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
home-manager.extraSpecialArgs = { inherit user; }; home-manager.extraSpecialArgs = {inherit user;};
home-manager.users.${user}.imports = hmImports; home-manager.users.${user}.imports = hmImports;
} }
]; ];
in {
in hades = lib.nixosSystem {
{ # Desktop profile
hades = lib.nixosSystem { # Desktop profile
inherit system; inherit system;
specialArgs = { inherit inputs location nixos-hardware agenix microvm nixpkgs lanzaboote; user = defaultUser; }; specialArgs = {
modules = [ inherit inputs location nixos-hardware agenix microvm nixpkgs lanzaboote;
agenix.nixosModules.default user = defaultUser;
microvm.nixosModules.host };
lanzaboote.nixosModules.lanzaboote modules =
./desktop # myDesktop options set inside [
./configuration_common.nix agenix.nixosModules.default
../modules/hardware/remoteBuilder.nix microvm.nixosModules.host
nixos-hardware.nixosModules.common-cpu-amd lanzaboote.nixosModules.lanzaboote
nixos-hardware.nixosModules.common-gpu-amd ./desktop # myDesktop options set inside
nixos-hardware.nixosModules.common-pc-ssd ./configuration_common.nix
] ++ (mkHM home-manager defaultUser [ ./home.nix ./desktop/home.nix ]); ../modules/hardware/remoteBuilder.nix
nixos-hardware.nixosModules.common-cpu-amd
nixos-hardware.nixosModules.common-gpu-amd
nixos-hardware.nixosModules.common-pc-ssd
]
++ (mkHM home-manager defaultUser [./home.nix ./desktop/home.nix]);
}; };
lifebook = lib.nixosSystem { # Laptop profile lifebook = lib.nixosSystem {
# Laptop profile
inherit system; inherit system;
specialArgs = { inherit inputs location nixos-hardware agenix lanzaboote; user = defaultUser; }; specialArgs = {
modules = [ inherit inputs location nixos-hardware agenix lanzaboote;
agenix.nixosModules.default user = defaultUser;
lanzaboote.nixosModules.lanzaboote };
./lifebook # myDesktop options set inside modules =
./configuration_common.nix [
nixos-hardware.nixosModules.common-cpu-intel agenix.nixosModules.default
nixos-hardware.nixosModules.common-pc-ssd lanzaboote.nixosModules.lanzaboote
] ++ (mkHM home-manager defaultUser [ ./home.nix ./lifebook/home.nix ]); ./lifebook # myDesktop options set inside
./configuration_common.nix
nixos-hardware.nixosModules.common-cpu-intel
nixos-hardware.nixosModules.common-pc-ssd
]
++ (mkHM home-manager defaultUser [./home.nix ./lifebook/home.nix]);
}; };
steamdeck = nixpkgs-unstable.lib.nixosSystem { # steamdeck profile steamdeck = nixpkgs-unstable.lib.nixosSystem {
# steamdeck profile
inherit system; inherit system;
specialArgs = { inherit inputs location nixos-hardware agenix jovian-nixos lanzaboote; user = defaultUser; }; specialArgs = {
modules = [ inherit inputs location nixos-hardware agenix jovian-nixos lanzaboote;
agenix.nixosModules.default user = defaultUser;
jovian-nixos.nixosModules.default };
lanzaboote.nixosModules.lanzaboote modules =
./steamdeck [
./configuration_common.nix agenix.nixosModules.default
] ++ (mkHM home-manager-unstable defaultUser [ ./home.nix ./steamdeck/home.nix ]); jovian-nixos.nixosModules.default
lanzaboote.nixosModules.lanzaboote
./steamdeck
./configuration_common.nix
]
++ (mkHM home-manager-unstable defaultUser [./home.nix ./steamdeck/home.nix]);
}; };
kabtop = lib.nixosSystem { # Server profile kabtop = lib.nixosSystem {
# Server profile
inherit system; inherit system;
specialArgs = { inherit inputs location nixos-hardware agenix impermanence; user = defaultUser; }; specialArgs = {
modules = [ inherit inputs location nixos-hardware agenix impermanence;
agenix.nixosModules.default user = defaultUser;
microvm.nixosModules.host };
./kabtop modules =
./configuration_common.nix [
nixos-hardware.nixosModules.common-cpu-amd agenix.nixosModules.default
nixos-hardware.nixosModules.common-pc-ssd microvm.nixosModules.host
] ++ (mkHM home-manager defaultUser [ ./home_server.nix ./kabtop/home.nix ]); ./kabtop
./configuration_common.nix
nixos-hardware.nixosModules.common-cpu-amd
nixos-hardware.nixosModules.common-pc-ssd
]
++ (mkHM home-manager defaultUser [./home_server.nix ./kabtop/home.nix]);
}; };
nasbak = lib.nixosSystem { # Server profile nasbak = lib.nixosSystem {
# Server profile
inherit system; inherit system;
specialArgs = { inherit inputs location nixos-hardware agenix; user = defaultUser; }; specialArgs = {
modules = [ inherit inputs location nixos-hardware agenix;
agenix.nixosModules.default user = defaultUser;
./nasbackup };
./configuration_common.nix modules =
nixos-hardware.nixosModules.common-cpu-intel [
nixos-hardware.nixosModules.common-pc-ssd agenix.nixosModules.default
] ++ (mkHM home-manager defaultUser [ ./home_server.nix ./nasbackup/home.nix ]); ./nasbackup
./configuration_common.nix
nixos-hardware.nixosModules.common-cpu-intel
nixos-hardware.nixosModules.common-pc-ssd
]
++ (mkHM home-manager defaultUser [./home_server.nix ./nasbackup/home.nix]);
}; };
jupiter = lib.nixosSystem { # Server profile jupiter = lib.nixosSystem {
# Server profile
inherit system; inherit system;
specialArgs = { inherit inputs location nixos-hardware agenix; user = defaultUser; }; specialArgs = {
modules = [ inherit inputs location nixos-hardware agenix;
agenix.nixosModules.default user = defaultUser;
./jupiter };
./configuration_common.nix modules =
nixos-hardware.nixosModules.common-cpu-intel [
nixos-hardware.nixosModules.common-pc-ssd agenix.nixosModules.default
] ++ (mkHM home-manager defaultUser [ ./home_server.nix ./jupiter/home.nix ]); ./jupiter
./configuration_common.nix
nixos-hardware.nixosModules.common-cpu-intel
nixos-hardware.nixosModules.common-pc-ssd
]
++ (mkHM home-manager defaultUser [./home_server.nix ./jupiter/home.nix]);
}; };
kabtopci = lib.nixosSystem { # Server profile kabtopci = lib.nixosSystem {
# Server profile
inherit system; inherit system;
specialArgs = { inherit inputs location nixos-hardware agenix impermanence; user = defaultUser; }; specialArgs = {
modules = [ inherit inputs location nixos-hardware agenix impermanence;
agenix.nixosModules.default user = defaultUser;
microvm.nixosModules.host };
./kabtopci modules =
./configuration_common.nix [
nixos-hardware.nixosModules.common-pc-ssd agenix.nixosModules.default
] ++ (mkHM home-manager defaultUser [ ./home_server.nix ./kabtopci/home.nix ]); microvm.nixosModules.host
./kabtopci
./configuration_common.nix
nixos-hardware.nixosModules.common-pc-ssd
]
++ (mkHM home-manager defaultUser [./home_server.nix ./kabtopci/home.nix]);
}; };
kubemaster-1 = lib.nixosSystem { # Server profile kubemaster-1 = lib.nixosSystem {
# Server profile
inherit system; inherit system;
specialArgs = { inherit inputs location nixos-hardware agenix impermanence; user = defaultUser; }; specialArgs = {
modules = [ inherit inputs location nixos-hardware agenix impermanence;
agenix.nixosModules.default user = defaultUser;
microvm.nixosModules.host };
./kubemaster-1 modules =
./configuration_common.nix [
nixos-hardware.nixosModules.common-cpu-intel agenix.nixosModules.default
nixos-hardware.nixosModules.common-pc-ssd microvm.nixosModules.host
] ++ (mkHM home-manager defaultUser [ ./home_server.nix ./kubemaster-1/home.nix ]); ./kubemaster-1
./configuration_common.nix
nixos-hardware.nixosModules.common-cpu-intel
nixos-hardware.nixosModules.common-pc-ssd
]
++ (mkHM home-manager defaultUser [./home_server.nix ./kubemaster-1/home.nix]);
}; };
dmz = lib.nixosSystem { # Server profile dmz = lib.nixosSystem {
# Server profile
inherit system; inherit system;
specialArgs = { inherit inputs location nixos-hardware agenix impermanence; user = defaultUser; }; specialArgs = {
modules = [ inherit inputs location nixos-hardware agenix impermanence;
agenix.nixosModules.default user = defaultUser;
microvm.nixosModules.host };
./dmz modules =
./configuration_common.nix [
nixos-hardware.nixosModules.common-pc-ssd agenix.nixosModules.default
] ++ (mkHM home-manager defaultUser [ ./home_server.nix ./dmz/home.nix ]); microvm.nixosModules.host
./dmz
./configuration_common.nix
nixos-hardware.nixosModules.common-pc-ssd
]
++ (mkHM home-manager defaultUser [./home_server.nix ./dmz/home.nix]);
}; };
# vm = lib.nixosSystem { # VM profile # vm = lib.nixosSystem { # VM profile
# inherit system; # inherit system;
# specialArgs = { inherit inputs user location; }; # specialArgs = { inherit inputs user location; };
# modules = [ # modules = [
# ./vm # ./vm
# ./configuration.nix # ./configuration.nix
# #
# (mkHM home-manager [ ./home.nix ./vm/home.nix ]) # (mkHM home-manager [ ./home.nix ./vm/home.nix ])
# ]; # ];
# }; # };
} }

32
hosts/desktop/default.nix
View File

@@ -1,10 +1,12 @@
# #
# Hades desktop — system configuration # Hades desktop — system configuration
# #
{ lib, pkgs, inputs, ... }:
{ {
lib,
pkgs,
inputs,
...
}: {
# Example: host-specific overlays — only hades gets these packages in its pkgs. # Example: host-specific overlays — only hades gets these packages in its pkgs.
# nixpkgs.overlays = [ # nixpkgs.overlays = [
# (final: prev: { # (final: prev: {
@@ -21,22 +23,22 @@
]; ];
# ── Desktop module options ────────────────────────────────────────────── # ── Desktop module options ──────────────────────────────────────────────
myDesktop.windowManager = "niri"; myDesktop.windowManager = "niri";
myDesktop.cpu = "amd"; myDesktop.cpu = "amd";
myDesktop.virtualisation.enable = true; myDesktop.virtualisation.enable = true;
myDesktop.openrgb.enable = true; myDesktop.openrgb.enable = true;
myDesktop.openrgb.motherboard = "amd"; myDesktop.openrgb.motherboard = "amd";
myDesktop.syncthing.enable = true; myDesktop.syncthing.enable = true;
myDesktop.syncthing.devices = { myDesktop.syncthing.devices = {
"jupiter.home.opel-online.de" = { id = "T53WU6Z-3NT74ZE-PZVZB2N-7FBTZ5K-HESC2ZM-W4ABDAS-NWXHTGI-ST4CDQR"; }; "jupiter.home.opel-online.de" = {id = "T53WU6Z-3NT74ZE-PZVZB2N-7FBTZ5K-HESC2ZM-W4ABDAS-NWXHTGI-ST4CDQR";};
"lifebook.home.opel-online.de" = { id = "RKPZG3H-BDUZID3-DV26MKR-UOARIQC-JBCAFXP-J5QFM4H-5EGBSM5-VEGXHQ4"; }; "lifebook.home.opel-online.de" = {id = "RKPZG3H-BDUZID3-DV26MKR-UOARIQC-JBCAFXP-J5QFM4H-5EGBSM5-VEGXHQ4";};
}; };
myDesktop.syncthing.folders = { myDesktop.syncthing.folders = {
"Sync" = { "Sync" = {
path = "/home/kabbone/Sync"; path = "/home/kabbone/Sync";
devices = [ "jupiter.home.opel-online.de" "lifebook.home.opel-online.de" ]; devices = ["jupiter.home.opel-online.de" "lifebook.home.opel-online.de"];
ignorePerms = false; ignorePerms = false;
}; };
}; };
@@ -45,16 +47,16 @@
boot = { boot = {
kernelPackages = pkgs.linuxPackages_latest; kernelPackages = pkgs.linuxPackages_latest;
loader = { loader = {
systemd-boot.enable = lib.mkForce false; systemd-boot.enable = lib.mkForce false;
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
efi.efiSysMountPoint = "/boot"; efi.efiSysMountPoint = "/boot";
timeout = 1; timeout = 1;
}; };
lanzaboote = { lanzaboote = {
enable = true; enable = true;
pkiBundle = "/etc/secureboot"; pkiBundle = "/etc/secureboot";
}; };
}; };
environment.systemPackages = [ pkgs.linux-firmware ]; environment.systemPackages = [pkgs.linux-firmware];
} }

247
hosts/desktop/hardware-configuration.nix
View File

@@ -10,17 +10,21 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = imports =
[ (modulesPath + "/installer/scan/not-detected.nix")] ++ [(modulesPath + "/installer/scan/not-detected.nix")]
[( import ../../modules/hardware/backup.nix )]; ++ [(import ../../modules/hardware/backup.nix)];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ]; boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod"];
boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ]; boot.initrd.kernelModules = ["vfio_pci" "vfio" "vfio_iommu_type1"];
boot.kernelModules = [ "kvm-amd" "nct6775" ]; boot.kernelModules = ["kvm-amd" "nct6775"];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [];
boot.tmp.useTmpfs = false; boot.tmp.useTmpfs = false;
boot.tmp.cleanOnBoot = true; boot.tmp.cleanOnBoot = true;
zramSwap.enable = true; zramSwap.enable = true;
@@ -34,149 +38,148 @@
}; };
services.btrbk = { services.btrbk = {
extraPackages = [ pkgs.lz4 pkgs.mbuffer ]; extraPackages = [pkgs.lz4 pkgs.mbuffer];
instances = { instances = {
hf = { hf = {
onCalendar = "hourly"; onCalendar = "hourly";
settings = { settings = {
incremental = "yes"; incremental = "yes";
snapshot_create = "ondemand"; snapshot_create = "ondemand";
snapshot_dir = "@snapshots"; snapshot_dir = "@snapshots";
timestamp_format = "long"; timestamp_format = "long";
snapshot_preserve = "2m 2w 5d 5h"; snapshot_preserve = "2m 2w 5d 5h";
snapshot_preserve_min = "latest"; snapshot_preserve_min = "latest";
volume = { volume = {
"/mnt/snapshots/root" = { "/mnt/snapshots/root" = {
snapshot_create = "always"; snapshot_create = "always";
subvolume = { subvolume = {
"@home" = {}; "@home" = {};
};
};
};
}; };
};
}; };
bak = { };
onCalendar = "daily";
settings = {
stream_buffer = "256m";
stream_compress = "lz4";
incremental = "yes";
snapshot_create = "no";
snapshot_dir = "@snapshots";
timestamp_format = "long";
snapshot_preserve_min = "all";
target_preserve_min = "no";
target_preserve = "4w 3d";
ssh_identity = "/etc/btrbk/ssh/id_ed25519_btrbk_nas";
ssh_user = "btrbk";
volume = {
"/mnt/snapshots/root" = {
subvolume = {
"@home" = {};
};
target = "ssh://jupiter.home.opel-online.de:2220/mnt/snapshots/Mars/@snapshots/@hades";
};
};
};
};
}; };
bak = {
onCalendar = "daily";
settings = {
stream_buffer = "256m";
stream_compress = "lz4";
incremental = "yes";
snapshot_create = "no";
snapshot_dir = "@snapshots";
timestamp_format = "long";
snapshot_preserve_min = "all";
target_preserve_min = "no";
target_preserve = "4w 3d";
ssh_identity = "/etc/btrbk/ssh/id_ed25519_btrbk_nas";
ssh_user = "btrbk";
volume = {
"/mnt/snapshots/root" = {
subvolume = {
"@home" = {};
};
target = "ssh://jupiter.home.opel-online.de:2220/mnt/snapshots/Mars/@snapshots/@hades";
};
};
};
};
};
}; };
systemd.timers = { systemd.timers = {
btrbk-bak = { btrbk-bak = {
after = [ "network-online.target" ]; after = ["network-online.target"];
requires = [ "network-online.target" ]; requires = ["network-online.target"];
}; };
}; };
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2"; device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
}; };
fileSystems."/home" = fileSystems."/home" = {
{ device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2"; device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
}; };
fileSystems."/srv" = fileSystems."/srv" = {
{ device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2"; device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
}; };
fileSystems."/nix" = fileSystems."/nix" = {
{ device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2"; device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
}; };
fileSystems."/swap" = fileSystems."/swap" = {
{ device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2"; device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async"];
}; };
fileSystems."/mnt/snapshots/root" = fileSystems."/mnt/snapshots/root" = {
{ device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2"; device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
}; };
fileSystems."/boot" = fileSystems."/boot" = {
{ device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part1"; device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part1";
fsType = "vfat"; fsType = "vfat";
}; };
fileSystems."/mnt/Pluto" = fileSystems."/mnt/Pluto" = {
{ device = "jupiter:/Pluto"; device = "jupiter:/Pluto";
fsType = "nfs"; fsType = "nfs";
options = [ "noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2" ]; options = ["noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2"];
}; };
fileSystems."/mnt/Mars" = fileSystems."/mnt/Mars" = {
{ device = "jupiter:/Mars"; device = "jupiter:/Mars";
fsType = "nfs"; fsType = "nfs";
options = [ "noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2" ]; options = ["noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2"];
}; };
swapDevices = [{device = "/swap/swapfile";}];
swapDevices = [ { device = "/swap/swapfile"; } ];
networking = { networking = {
useDHCP = false; # Deprecated useDHCP = false; # Deprecated
hostName = "hades"; hostName = "hades";
networkmanager = { networkmanager = {
enable = true; enable = true;
}; };
firewall = { firewall = {
enable = true; enable = true;
allowedUDPPorts = [ 24727 ]; allowedUDPPorts = [24727];
allowedTCPPorts = [ 24727 ]; allowedTCPPorts = [24727];
}; };
}; };
# systemd.network = { # systemd.network = {
# enable = true; # enable = true;
# networks = { # networks = {
# "10-lan" = { # "10-lan" = {
# matchConfig.Name = "eno1"; # matchConfig.Name = "eno1";
# ntp = [ "192.168.2.1" ]; # ntp = [ "192.168.2.1" ];
# domains = [ "home.opel-online.de" ]; # domains = [ "home.opel-online.de" ];
# networkConfig = { # networkConfig = {
# DHCP = "yes"; # DHCP = "yes";
# IPv6AcceptRA = true; # IPv6AcceptRA = true;
# }; # };
# }; # };
# }; # };
# }; # };
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
#powerManagement.powertop.enable = true; #powerManagement.powertop.enable = true;

9
hosts/desktop/home.nix
View File

@@ -2,12 +2,9 @@
# Hades desktop — home-manager host-specific additions # Hades desktop — home-manager host-specific additions
# (WM home config is loaded by modules/desktop based on myDesktop.windowManager) # (WM home config is loaded by modules/desktop based on myDesktop.windowManager)
# #
{pkgs, ...}: {
{ pkgs, ... }:
{
imports = [ imports = [
../../modules/home.nix # cmds / theme options ../../modules/home.nix # cmds / theme options
]; ];
home.packages = with pkgs; [ home.packages = with pkgs; [
@@ -21,7 +18,7 @@
]; ];
services = { services = {
blueman-applet.enable = true; blueman-applet.enable = true;
network-manager-applet.enable = true; network-manager-applet.enable = true;
}; };

36
hosts/dmz/default.nix
View File

@@ -1,38 +1,44 @@
# #
# DMZ — demilitarised zone server configuration # DMZ — demilitarised zone server configuration
# #
{ config, pkgs, user, agenix, impermanence, ... }:
{ {
imports = [ config,
./hardware-configuration.nix pkgs,
../../modules/server user,
] ++ (import ../../modules/services/dmz); agenix,
impermanence,
...
}: {
imports =
[
./hardware-configuration.nix
../../modules/server
]
++ (import ../../modules/services/dmz);
# ── Server module options ─────────────────────────────────────────────── # ── Server module options ───────────────────────────────────────────────
myServer.virtualisation.enable = true; myServer.virtualisation.enable = true;
myServer.virtualisation.cpu = "intel"; myServer.virtualisation.cpu = "intel";
# ── Host-specific settings ────────────────────────────────────────────── # ── Host-specific settings ──────────────────────────────────────────────
boot = { boot = {
kernelPackages = pkgs.linuxPackages_latest; kernelPackages = pkgs.linuxPackages_latest;
loader = { loader = {
systemd-boot.enable = true; systemd-boot.enable = true;
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
efi.efiSysMountPoint = "/boot"; efi.efiSysMountPoint = "/boot";
timeout = 1; timeout = 1;
}; };
}; };
services = { services = {
qemuGuest.enable = true; qemuGuest.enable = true;
avahi = { avahi = {
enable = true; enable = true;
nssmdns4 = true; nssmdns4 = true;
publish = { publish = {
enable = true; enable = true;
addresses = true; addresses = true;
userServices = true; userServices = true;
}; };
}; };

131
hosts/dmz/hardware-configuration.nix
View File

@@ -10,17 +10,21 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = config,
[ (modulesPath + "/profiles/qemu-guest.nix") lib,
]; pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ]; boot.initrd.availableKernelModules = ["uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk"];
boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ]; boot.initrd.kernelModules = ["vfio_pci" "vfio" "vfio_iommu_type1"];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [];
boot.tmp.useTmpfs = false; boot.tmp.useTmpfs = false;
boot.tmp.cleanOnBoot = true; boot.tmp.cleanOnBoot = true;
zramSwap.enable = true; zramSwap.enable = true;
@@ -33,75 +37,74 @@
]; ];
}; };
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
}; };
fileSystems."/home" = fileSystems."/home" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
}; };
fileSystems."/srv" = fileSystems."/srv" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
}; };
fileSystems."/var" = fileSystems."/var" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@var,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@var,discard=async"];
}; };
fileSystems."/nix" = fileSystems."/nix" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
}; };
fileSystems."/swap" = fileSystems."/swap" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async"];
}; };
fileSystems."/mnt/snapshots/root" = fileSystems."/mnt/snapshots/root" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
}; };
swapDevices = [];
swapDevices = [ ];
systemd.network = { systemd.network = {
enable = true; enable = true;
networks = { networks = {
"10-lan" = { "10-lan" = {
matchConfig.Name = "ens18"; matchConfig.Name = "ens18";
ntp = [ "192.168.101.1" ]; ntp = ["192.168.101.1"];
domains = [ "home.opel-online.de" ]; domains = ["home.opel-online.de"];
networkConfig = { networkConfig = {
DHCP = "yes"; DHCP = "yes";
IPv6AcceptRA = true; IPv6AcceptRA = true;
}; };
dns = [ dns = [
"192.168.101.1" "192.168.101.1"
]; ];
};
}; };
};
}; };
networking = { networking = {
useDHCP = false; # Deprecated useDHCP = false; # Deprecated
hostName = "dmz"; hostName = "dmz";
firewall = { firewall = {
enable = true; enable = true;
allowedUDPPorts = [ ]; allowedUDPPorts = [];
allowedTCPPorts = [ 80 443 ]; allowedTCPPorts = [80 443];
}; };
}; };
} }

16
hosts/dmz/home.nix
View File

@@ -10,16 +10,13 @@
# └─ ./hyprland # └─ ./hyprland
# └─ hyprland.nix # └─ hyprland.nix
# #
{pkgs, ...}: {
imports = [
../../modules/home.nix # Window Manager
];
{ pkgs, ... }: home = {
# Specific packages for laptop
{
imports =
[
../../modules/home.nix # Window Manager
];
home = { # Specific packages for laptop
packages = with pkgs; [ packages = with pkgs; [
# Applications # Applications
@@ -32,5 +29,4 @@
programs = { programs = {
alacritty.settings.font.size = 11; alacritty.settings.font.size = 11;
}; };
} }

76
hosts/fuji/default.nix
View File

@@ -5,7 +5,7 @@
# ├─ ./hosts # ├─ ./hosts
# │ └─ ./laptop # │ └─ ./laptop
# │ ├─ default.nix * # │ ├─ default.nix *
# │ └─ hardware-configuration.nix # │ └─ hardware-configuration.nix
# └─ ./modules # └─ ./modules
# ├─ ./desktop # ├─ ./desktop
# │ └─ ./hyprland # │ └─ ./hyprland
@@ -16,63 +16,75 @@
# └─ ./hardware # └─ ./hardware
# └─ default.nix # └─ default.nix
# #
{ config, nixpkgs, pkgs, user, lib, ... }:
{ {
imports = # For now, if applying to other system, swap files config,
[(import ./hardware-configuration.nix)] ++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix nixpkgs,
[(import ../../modules/wm/sway/default.nix)] ++ # Window Manager pkgs,
(import ../../modules/wm/virtualisation) ++ # libvirt + Docker user,
[(import ../../modules/wm/virtualisation/kvm-amd.nix)] ++ # kvm module options lib,
(import ../../modules/hardware); # Hardware devices ...
}: {
imports =
# For now, if applying to other system, swap files
[(import ./hardware-configuration.nix)]
++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix
[(import ../../modules/wm/sway/default.nix)]
++ # Window Manager
(import ../../modules/wm/virtualisation)
++ # libvirt + Docker
[(import ../../modules/wm/virtualisation/kvm-amd.nix)]
++ # kvm module options
(import ../../modules/hardware); # Hardware devices
boot = { # Boot options boot = {
# Boot options
kernelPackages = pkgs.linuxPackages_latest; kernelPackages = pkgs.linuxPackages_latest;
loader = { # EFI Boot loader = {
# EFI Boot
systemd-boot.enable = lib.mkForce false; systemd-boot.enable = lib.mkForce false;
efi = { efi = {
canTouchEfiVariables = true; canTouchEfiVariables = true;
efiSysMountPoint = "/boot"; efiSysMountPoint = "/boot";
}; };
timeout = 1; # Grub auto select time timeout = 1; # Grub auto select time
}; };
lanzaboote = { lanzaboote = {
enable = true; enable = true;
pkiBundle = "/etc/secureboot"; pkiBundle = "/etc/secureboot";
}; };
}; };
# hardware.sane = { # Used for scanning with Xsane # hardware.sane = { # Used for scanning with Xsane
# enable = false; # enable = false;
# extraBackends = [ pkgs.sane-airscan ]; # extraBackends = [ pkgs.sane-airscan ];
# }; # };
# hardware = { # hardware = {
# nitrokey.enable = true; # nitrokey.enable = true;
# }; # };
# environment = { # environment = {
# systemPackages = with pkgs; [ # systemPackages = with pkgs; [
## simple-scan ## simple-scan
## intel-media-driver ## intel-media-driver
## alacritty ## alacritty
# ]; # ];
# }; # };
services = { services = {
#auto-cpufreq.enable = true; #auto-cpufreq.enable = true;
blueman.enable = true; blueman.enable = true;
avahi = { # Needed to find wireless printer avahi = {
# Needed to find wireless printer
enable = true; enable = true;
nssmdns4 = true; nssmdns4 = true;
publish = { # Needed for detecting the scanner publish = {
# Needed for detecting the scanner
enable = true; enable = true;
addresses = true; addresses = true;
userServices = true; userServices = true;
}; };
}; };
}; };
} }

151
hosts/fuji/hardware-configuration.nix
View File

@@ -10,17 +10,21 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = imports =
[ (modulesPath + "/installer/scan/not-detected.nix")] ++ [(modulesPath + "/installer/scan/not-detected.nix")]
[( import ../../modules/hardware/backup.nix )]; ++ [(import ../../modules/hardware/backup.nix)];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ]; boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod"];
boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ]; boot.initrd.kernelModules = ["vfio_pci" "vfio" "vfio_iommu_type1"];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [];
boot.tmp.useTmpfs = false; boot.tmp.useTmpfs = false;
boot.tmp.cleanOnBoot = true; boot.tmp.cleanOnBoot = true;
zramSwap.enable = true; zramSwap.enable = true;
@@ -34,77 +38,76 @@
}; };
services.btrbk = { services.btrbk = {
instances = { instances = {
hf = { hf = {
onCalendar = "hourly"; onCalendar = "hourly";
settings = { settings = {
incremental = "yes"; incremental = "yes";
snapshot_create = "ondemand"; snapshot_create = "ondemand";
snapshot_dir = "@snapshots"; snapshot_dir = "@snapshots";
timestamp_format = "long"; timestamp_format = "long";
snapshot_preserve = "2m 2w 5d 5h"; snapshot_preserve = "2m 2w 5d 5h";
snapshot_preserve_min = "latest"; snapshot_preserve_min = "latest";
volume = { volume = {
"/mnt/snapshots/root" = { "/mnt/snapshots/root" = {
snapshot_create = "always"; snapshot_create = "always";
subvolume = { subvolume = {
"@home" = {}; "@home" = {};
};
};
};
}; };
};
}; };
};
}; };
};
}; };
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2"; device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
}; };
fileSystems."/home" = fileSystems."/home" = {
{ device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2"; device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
}; };
fileSystems."/srv" = fileSystems."/srv" = {
{ device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2"; device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
}; };
fileSystems."/nix" = fileSystems."/nix" = {
{ device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2"; device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
}; };
fileSystems."/swap" = fileSystems."/swap" = {
{ device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2"; device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async"];
}; };
fileSystems."/mnt/snapshots/root" = fileSystems."/mnt/snapshots/root" = {
{ device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2"; device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
}; };
fileSystems."/boot" = fileSystems."/boot" = {
{ device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part1"; device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part1";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = [{device = "/swap/swapfile";}];
swapDevices = [ { device = "/swap/swapfile"; } ];
networking = { networking = {
useDHCP = false; # Deprecated useDHCP = false; # Deprecated
hostName = "fuji"; hostName = "fuji";
networkmanager = { networkmanager = {
enable = false; enable = false;
@@ -117,17 +120,17 @@
}; };
systemd.network = { systemd.network = {
enable = true; enable = true;
networks = { networks = {
"10-lan" = { "10-lan" = {
matchConfig.Name = "eno1"; matchConfig.Name = "eno1";
ntp = [ "192.168.2.1" ]; ntp = ["192.168.2.1"];
networkConfig = { networkConfig = {
DHCP = "yes"; DHCP = "yes";
IPv6AcceptRA = true; IPv6AcceptRA = true;
}; };
};
}; };
};
}; };
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;

27
hosts/fuji/home.nix
View File

@@ -10,18 +10,15 @@
# └─ ./hyprland # └─ ./hyprland
# └─ hyprland.nix # └─ hyprland.nix
# #
{pkgs, ...}: {
imports = [
#../../modules/wm/hyprland/home.nix # Window Manager
#../../modules/wm/kde/home.nix # Window Manager
../../modules/home.nix # Window Manager
];
{ pkgs, ... }: home = {
# Specific packages for laptop
{
imports =
[
#../../modules/wm/hyprland/home.nix # Window Manager
#../../modules/wm/kde/home.nix # Window Manager
../../modules/home.nix # Window Manager
];
home = { # Specific packages for laptop
packages = with pkgs; [ packages = with pkgs; [
# Applications # Applications
#firefox #firefox
@@ -35,11 +32,11 @@
]; ];
}; };
services = { # Applets services = {
#blueman-applet.enable = true; # Bluetooth # Applets
network-manager-applet.enable = true; # Network #blueman-applet.enable = true; # Bluetooth
network-manager-applet.enable = true; # Network
}; };
xsession.preferStatusNotifierItems = true; xsession.preferStatusNotifierItems = true;
} }

112
hosts/home.nix
View File

@@ -14,32 +14,35 @@
# └─ ./shell # └─ ./shell
# └─ default.nix # └─ default.nix
# #
{
{ config, lib, pkgs, user, ... }: config,
lib,
{ pkgs,
user,
...
}: {
imports = imports =
(import ../modules/editors) ++ (import ../modules/editors)
(import ../modules/programs) ++ ++ (import ../modules/programs)
(import ../modules/programs/configs) ++ ++ (import ../modules/programs/configs)
(import ../modules/services) ++ ++ (import ../modules/services)
(import ../modules/shell); ++ (import ../modules/shell);
home = { home = {
username = "${user}"; username = "${user}";
homeDirectory = "/home/${user}"; homeDirectory = "/home/${user}";
packages = with pkgs; [ packages = with pkgs; [
# Terminal # Terminal
pfetch # Minimal fetch pfetch # Minimal fetch
ranger # File Manager ranger # File Manager
gnupg # sign and authorize 2nd Fac gnupg # sign and authorize 2nd Fac
xdg-utils xdg-utils
steam steam
wakelan wakelan
# dev ols # dev ols
gcc gcc
gnumake gnumake
gnupatch gnupatch
@@ -52,10 +55,10 @@
tailscale tailscale
wireguard-tools wireguard-tools
# VideAudio # VideAudio
mpv # Media Player mpv # Media Player
# Apps # Apps
qalculate-qt qalculate-qt
hdparm hdparm
python3 python3
@@ -68,16 +71,16 @@
vesktop vesktop
element-desktop element-desktop
# Fileanagement # Fileanagement
kdePackages.ark kdePackages.ark
pcmanfm # File Manager pcmanfm # File Manager
rsync # Syncer $ rsync -r dir1/ dir2/ rsync # Syncer $ rsync -r dir1/ dir2/
unzip # Zip files unzip # Zip files
unrar # Rar files unrar # Rar files
papirus-icon-theme papirus-icon-theme
arc-theme arc-theme
# General configuration # General configuration
keepassxc keepassxc
libreoffice libreoffice
gimp gimp
@@ -85,15 +88,15 @@
# Flatpak # Flatpak
#vscodium #vscodium
(vscode-with-extensions.override { (vscode-with-extensions.override {
vscode = vscodium; vscode = vscodium;
vscodeExtensions = with vscode-extensions; [ vscodeExtensions = with vscode-extensions; [
vscodevim.vim vscodevim.vim
github.copilot github.copilot
#ms-python.python #ms-python.python
ms-vscode.cpptools ms-vscode.cpptools
catppuccin.catppuccin-vsc-icons catppuccin.catppuccin-vsc-icons
catppuccin.catppuccin-vsc catppuccin.catppuccin-vsc
]; ];
}) })
sdkmanager sdkmanager
@@ -101,12 +104,12 @@
file.".config/wall".source = ../modules/themes/wall.jpg; file.".config/wall".source = ../modules/themes/wall.jpg;
file.".config/lockwall".source = ../modules/themes/lockwall.jpg; file.".config/lockwall".source = ../modules/themes/lockwall.jpg;
# pointerCursor = { # This will set cursor systemwide so applications can not choose their own # pointerCursor = { # This will set cursor systemwide so applications can not choose their own
# name = "Dracula-cursors"; # name = "Dracula-cursors";
# package = pkgs.dracula-theme; # package = pkgs.dracula-theme;
# size = 16; # size = 16;
# gtk.enable = true; # gtk.enable = true;
# }; # };
stateVersion = "23.05"; stateVersion = "23.05";
}; };
@@ -117,25 +120,24 @@
}; };
}; };
# gtk = { # Theming
# gtk = { # Theming # enable = true;
# enable = true; # theme = {
# theme = { # name = "Dracula";
# name = "Dracula"; # package = pkgs.dracula-theme;
# package = pkgs.dracula-theme; # };
# }; # iconTheme = {
# iconTheme = { # name = "Papirus-Dark";
# name = "Papirus-Dark"; # package = pkgs.papirus-icon-theme;
# package = pkgs.papirus-icon-theme; # };
# }; # font = {
# font = { # name = "Cascadia Code"; # or FiraCode Nerd Font Mono Medium
# name = "Cascadia Code"; # or FiraCode Nerd Font Mono Medium # }; # Cursor is declared under home.pointerCursor
# }; # Cursor is declared under home.pointerCursor # };
# };
systemd.user.services.mpris-proxy = { systemd.user.services.mpris-proxy = {
Unit.Description = "Mpris proxy"; Unit.Description = "Mpris proxy";
Unit.After = [ "network.target" "sound.target" ]; Unit.After = ["network.target" "sound.target"];
Service.ExecStart = "${pkgs.bluez}/bin/mpris-proxy"; Service.ExecStart = "${pkgs.bluez}/bin/mpris-proxy";
Install.WantedBy = [ "default.target" ]; Install.WantedBy = ["default.target"];
}; };
} }

30
hosts/home_server.nix
View File

@@ -14,12 +14,17 @@
# └─ ./shell # └─ ./shell
# └─ default.nix # └─ default.nix
# #
{
{ config, lib, pkgs, user, ... }: config,
lib,
{ pkgs,
imports = # Home Manager Modules user,
(import ../modules/editors) ++ ...
}: {
imports =
# Home Manager Modules
(import ../modules/editors)
++
#(import ../modules/programs) ++ #(import ../modules/programs) ++
#(import ../modules/programs/configs) ++ #(import ../modules/programs/configs) ++
#(import ../modules/services) ++ #(import ../modules/services) ++
@@ -31,12 +36,12 @@
packages = with pkgs; [ packages = with pkgs; [
# Terminal # Terminal
pfetch # Minimal fetch pfetch # Minimal fetch
ranger # File Manager ranger # File Manager
gnupg # sign and authorize 2nd Fac gnupg # sign and authorize 2nd Fac
#xdg-utils #xdg-utils
# Video/Audio # Video/Audio
#libva-utils # vainfo #libva-utils # vainfo
@@ -45,10 +50,9 @@
python3 python3
# File Management # File Management
rsync # Syncer $ rsync -r dir1/ dir2/ rsync # Syncer $ rsync -r dir1/ dir2/
#unzip # Zip files #unzip # Zip files
#unrar # Rar files #unrar # Rar files
]; ];
stateVersion = "23.11"; stateVersion = "23.11";
}; };

51
hosts/jupiter/default.nix
View File

@@ -1,55 +1,60 @@
# #
# Jupiter — NAS server configuration # Jupiter — NAS server configuration
# #
{ config, pkgs, inputs, user, ... }:
{ {
imports = [ config,
./hardware-configuration.nix pkgs,
../../modules/server inputs,
] ++ (import ../../modules/services/nas); user,
...
}: {
imports =
[
./hardware-configuration.nix
../../modules/server
]
++ (import ../../modules/services/nas);
# ── Server module options ─────────────────────────────────────────────── # ── Server module options ───────────────────────────────────────────────
# No virtualisation on the NAS # No virtualisation on the NAS
# ── Host-specific settings ────────────────────────────────────────────── # ── Host-specific settings ──────────────────────────────────────────────
# Example: host-specific overlay — only jupiter gets these packages in its pkgs. # Example: host-specific overlay — only jupiter gets these packages in its pkgs.
# nixpkgs.overlays = [ # nixpkgs.overlays = [
# (final: prev: { # (final: prev: {
# corosync-qdevice = (import ../../packages { pkgs = prev; }).corosync-qdevice; # corosync-qdevice = (import ../../packages { pkgs = prev; }).corosync-qdevice;
# firefox = inputs.nixpkgs-unstable.legacyPackages.${prev.system}.firefox; # firefox = inputs.nixpkgs-unstable.legacyPackages.${prev.system}.firefox;
# }) # })
# ]; # ];
boot = { boot = {
kernelPackages = pkgs.linuxPackages_latest; kernelPackages = pkgs.linuxPackages_latest;
loader = { loader = {
systemd-boot.enable = true; systemd-boot.enable = true;
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
efi.efiSysMountPoint = "/boot"; efi.efiSysMountPoint = "/boot";
timeout = 1; timeout = 1;
}; };
}; };
programs = { programs = {
ssh.startAgent = false; ssh.startAgent = false;
gnupg.agent = { gnupg.agent = {
enable = false; enable = false;
enableSSHSupport = true; enableSSHSupport = true;
pinentryPackage = pkgs.pinentry-curses; pinentryPackage = pkgs.pinentry-curses;
}; };
}; };
services = { services = {
qemuGuest.enable = true; qemuGuest.enable = true;
avahi = { avahi = {
enable = true; enable = true;
nssmdns4 = true; nssmdns4 = true;
publish = { publish = {
enable = true; enable = true;
addresses = true; addresses = true;
userServices = true; userServices = true;
}; };
}; };

311
hosts/jupiter/hardware-configuration.nix
View File

@@ -10,18 +10,22 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = imports =
[(modulesPath + "/profiles/qemu-guest.nix")] ++ [(modulesPath + "/profiles/qemu-guest.nix")]
[( import ../../modules/hardware/backup.nix )]; ++ [(import ../../modules/hardware/backup.nix)];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ]; boot.initrd.availableKernelModules = ["uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk"];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [];
boot.initrd.secrets = { boot.initrd.secrets = {
"/root/NASKeyfile" = "/root/NASKeyfile" =
/root/NASKeyfile; /root/NASKeyfile;
}; };
boot.initrd.luks.devices = { boot.initrd.luks.devices = {
NAS-RAID1 = { NAS-RAID1 = {
@@ -33,8 +37,8 @@
keyFile = "/root/NASKeyfile"; keyFile = "/root/NASKeyfile";
}; };
}; };
boot.kernelModules = [ ]; boot.kernelModules = [];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [];
boot.tmp.useTmpfs = false; boot.tmp.useTmpfs = false;
boot.tmp.cleanOnBoot = true; boot.tmp.cleanOnBoot = true;
zramSwap.enable = true; zramSwap.enable = true;
@@ -50,174 +54,174 @@
}; };
services.btrbk = { services.btrbk = {
extraPackages = [ pkgs.lz4 pkgs.mbuffer ]; extraPackages = [pkgs.lz4 pkgs.mbuffer];
instances = { instances = {
hf = { hf = {
onCalendar = "hourly"; onCalendar = "hourly";
settings = { settings = {
incremental = "yes"; incremental = "yes";
snapshot_create = "ondemand"; snapshot_create = "ondemand";
snapshot_dir = "@snapshots"; snapshot_dir = "@snapshots";
timestamp_format = "long"; timestamp_format = "long";
snapshot_preserve = "2w 5d 5h"; snapshot_preserve = "2w 5d 5h";
snapshot_preserve_min = "latest"; snapshot_preserve_min = "latest";
volume = {
"/mnt/snapshots/root" = {
snapshot_create = "always";
subvolume = {
"@" = {};
"@home" = {};
};
};
};
volume = {
"/mnt/snapshots/Mars" = {
snapshot_create = "always";
subvolume = {
"@nas" = {};
};
};
};
};
};
lf = {
onCalendar = "daily";
settings = {
incremental = "yes";
snapshot_create = "ondemand";
snapshot_dir = "@snapshots";
timestamp_format = "long";
snapshot_preserve = "2m 2w 5d"; volume = {
snapshot_preserve_min = "latest"; "/mnt/snapshots/root" = {
snapshot_create = "always";
volume = { subvolume = {
"/mnt/snapshots/Pluto" = { "@" = {};
snapshot_create = "always"; "@home" = {};
subvolume = {
"@" = {};
"@/Backups" = {};
"@/Games" = {};
"@/IT" = {};
"@/Media" = {};
"@/Pictures" = {};
"@/Rest" = {};
};
};
};
}; };
};
}; };
volume = {
"/mnt/snapshots/Mars" = {
snapshot_create = "always";
subvolume = {
"@nas" = {};
};
};
};
};
}; };
lf = {
onCalendar = "daily";
settings = {
incremental = "yes";
snapshot_create = "ondemand";
snapshot_dir = "@snapshots";
timestamp_format = "long";
snapshot_preserve = "2m 2w 5d";
snapshot_preserve_min = "latest";
volume = {
"/mnt/snapshots/Pluto" = {
snapshot_create = "always";
subvolume = {
"@" = {};
"@/Backups" = {};
"@/Games" = {};
"@/IT" = {};
"@/Media" = {};
"@/Pictures" = {};
"@/Rest" = {};
};
};
};
};
};
};
}; };
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
}; };
fileSystems."/home" = fileSystems."/home" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
}; };
fileSystems."/srv" = fileSystems."/srv" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
}; };
fileSystems."/nix" = fileSystems."/nix" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
}; };
fileSystems."/swap" = fileSystems."/swap" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async"];
}; };
fileSystems."/mnt/snapshots/root" = fileSystems."/mnt/snapshots/root" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
}; };
fileSystems."/mnt/snapshots/Mars" = fileSystems."/mnt/snapshots/Mars" = {
{ device = "/dev/disk/by-label/MARS"; device = "/dev/disk/by-label/MARS";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
}; };
fileSystems."/mnt/snapshots/Pluto" = fileSystems."/mnt/snapshots/Pluto" = {
{ device = "/dev/disk/by-label/NAS-RAID"; device = "/dev/disk/by-label/NAS-RAID";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd:8,noatime,subvolid=5" ]; options = ["compress=zstd:8,noatime,subvolid=5"];
}; };
fileSystems."/mnt/Pluto" = fileSystems."/mnt/Pluto" = {
{ device = "/dev/disk/by-label/NAS-RAID"; device = "/dev/disk/by-label/NAS-RAID";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd:8,noatime,subvol=@" ]; options = ["compress=zstd:8,noatime,subvol=@"];
}; };
fileSystems."/mnt/Mars" = fileSystems."/mnt/Mars" = {
{ device = "/dev/disk/by-label/MARS"; device = "/dev/disk/by-label/MARS";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nas,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nas,discard=async"];
}; };
fileSystems."/boot" = fileSystems."/boot" = {
{ device = "/dev/disk/by-label/NIXBOOT"; device = "/dev/disk/by-label/NIXBOOT";
fsType = "vfat"; fsType = "vfat";
}; };
fileSystems."/export/Pluto" = {
device = "/mnt/Pluto";
options = ["bind"];
};
fileSystems."/export/Mars" = {
device = "/mnt/Mars";
options = ["bind"];
};
swapDevices = [{device = "/swap/swapfile";}];
fileSystems."/export/Pluto" =
{ device = "/mnt/Pluto";
options = [ "bind" ];
};
fileSystems."/export/Mars" =
{ device = "/mnt/Mars";
options = [ "bind" ];
};
swapDevices = [ { device = "/swap/swapfile"; } ];
systemd.network = { systemd.network = {
enable = true; enable = true;
networks = { networks = {
"10-lan" = { "10-lan" = {
matchConfig.Name = "ens18"; matchConfig.Name = "ens18";
ntp = [ "192.168.2.1" ]; ntp = ["192.168.2.1"];
domains = [ "home.opel-online.de" ]; domains = ["home.opel-online.de"];
networkConfig = { networkConfig = {
DHCP = "yes"; DHCP = "yes";
IPv6AcceptRA = true; IPv6AcceptRA = true;
IPv6PrivacyExtensions=false; IPv6PrivacyExtensions = false;
}; };
ipv6AcceptRAConfig = { ipv6AcceptRAConfig = {
DHCPv6Client = "always"; DHCPv6Client = "always";
UseDNS = true; UseDNS = true;
}; };
dhcpV4Config = { dhcpV4Config = {
UseDNS = true; UseDNS = true;
}; };
dhcpV6Config = { dhcpV6Config = {
UseDNS = true; UseDNS = true;
}; };
};
}; };
};
}; };
networking = { networking = {
hostName = "jupiter"; hostName = "jupiter";
domain = "home.opel-online.de"; domain = "home.opel-online.de";
useDHCP = false; # For versatility sake, manually edit IP on nm-applet. useDHCP = false; # For versatility sake, manually edit IP on nm-applet.
#firewall = { #firewall = {
# enable = false; # enable = false;
# #allowedUDPPorts = [ 53 67 ]; # #allowedUDPPorts = [ 53 67 ];
@@ -234,5 +238,4 @@
${pkgs.hdparm}/sbin/hdparm -S 150 /dev/disk/by-uuid/57e6446d-faca-4b67-9063-e8d9afb80088 ${pkgs.hdparm}/sbin/hdparm -S 150 /dev/disk/by-uuid/57e6446d-faca-4b67-9063-e8d9afb80088
''; '';
}; };
} }

16
hosts/jupiter/home.nix
View File

@@ -10,16 +10,13 @@
# └─ ./hyprland # └─ ./hyprland
# └─ hyprland.nix # └─ hyprland.nix
# #
{pkgs, ...}: {
imports = [
../../modules/home.nix # Window Manager
];
{ pkgs, ... }: home = {
# Specific packages for laptop
{
imports =
[
../../modules/home.nix # Window Manager
];
home = { # Specific packages for laptop
packages = with pkgs; [ packages = with pkgs; [
# Applications # Applications
@@ -32,5 +29,4 @@
programs = { programs = {
alacritty.settings.font.size = 11; alacritty.settings.font.size = 11;
}; };
} }

36
hosts/kabtop/default.nix
View File

@@ -1,19 +1,25 @@
# #
# Kabtop — server configuration # Kabtop — server configuration
# #
{ config, pkgs, user, agenix, impermanence, ... }:
{ {
imports = [ config,
./hardware-configuration.nix pkgs,
../../modules/server user,
] ++ (import ../../modules/services/server); agenix,
impermanence,
...
}: {
imports =
[
./hardware-configuration.nix
../../modules/server
]
++ (import ../../modules/services/server);
# ── Server module options ─────────────────────────────────────────────── # ── Server module options ───────────────────────────────────────────────
myServer.virtualisation.enable = true; myServer.virtualisation.enable = true;
myServer.virtualisation.cpu = "amd"; myServer.virtualisation.cpu = "amd";
myServer.fail2ban.enable = true; myServer.fail2ban.enable = true;
# ── Host-specific settings ────────────────────────────────────────────── # ── Host-specific settings ──────────────────────────────────────────────
boot = { boot = {
@@ -30,24 +36,24 @@
environment.etc = { environment.etc = {
"fail2ban/filter.d/open-webui.conf" = { "fail2ban/filter.d/open-webui.conf" = {
source = ../../modules/services/server/fail2ban/filter/open-webui.conf; source = ../../modules/services/server/fail2ban/filter/open-webui.conf;
mode = "0444"; mode = "0444";
}; };
"fail2ban/filter.d/gitea.conf" = { "fail2ban/filter.d/gitea.conf" = {
source = ../../modules/services/server/fail2ban/filter/gitea.conf; source = ../../modules/services/server/fail2ban/filter/gitea.conf;
mode = "0444"; mode = "0444";
}; };
"fail2ban/filter.d/nextcloud.conf" = { "fail2ban/filter.d/nextcloud.conf" = {
source = ../../modules/services/server/fail2ban/filter/nextcloud.conf; source = ../../modules/services/server/fail2ban/filter/nextcloud.conf;
mode = "0444"; mode = "0444";
}; };
}; };
programs = { programs = {
ssh.startAgent = false; ssh.startAgent = false;
gnupg.agent = { gnupg.agent = {
enable = true; enable = true;
enableSSHSupport = true; enableSSHSupport = true;
pinentryPackage = pkgs.pinentry-curses; pinentryPackage = pkgs.pinentry-curses;
}; };
}; };

180
hosts/kabtop/hardware-configuration.nix
View File

@@ -10,17 +10,21 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = config,
[ (modulesPath + "/profiles/qemu-guest.nix") lib,
]; pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "ahci" "sd_mod" "sr_mod" ]; boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "ahci" "sd_mod" "sr_mod"];
boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ]; boot.initrd.kernelModules = ["vfio_pci" "vfio" "vfio_iommu_type1"];
boot.kernelModules = [ "kvm-amd" ]; boot.kernelModules = ["kvm-amd"];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [];
boot.tmp.useTmpfs = false; boot.tmp.useTmpfs = false;
boot.tmp.cleanOnBoot = true; boot.tmp.cleanOnBoot = true;
zramSwap.enable = true; zramSwap.enable = true;
@@ -34,81 +38,80 @@
}; };
services.btrbk = { services.btrbk = {
instances = { instances = {
hf = { hf = {
onCalendar = "hourly"; onCalendar = "hourly";
settings = { settings = {
incremental = "yes"; incremental = "yes";
snapshot_create = "ondemand"; snapshot_create = "ondemand";
snapshot_dir = "@snapshots"; snapshot_dir = "@snapshots";
timestamp_format = "long"; timestamp_format = "long";
snapshot_preserve = "2m 2w 5d 5h"; snapshot_preserve = "2m 2w 5d 5h";
snapshot_preserve_min = "latest"; snapshot_preserve_min = "latest";
volume = { volume = {
"/mnt/snapshots/root" = { "/mnt/snapshots/root" = {
snapshot_create = "always"; snapshot_create = "always";
subvolume = { subvolume = {
"@" = {}; "@" = {};
"@home" = {}; "@home" = {};
"@var" = {}; "@var" = {};
};
};
};
}; };
};
}; };
};
}; };
};
}; };
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
}; };
fileSystems."/home" = fileSystems."/home" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
}; };
fileSystems."/srv" = fileSystems."/srv" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
}; };
fileSystems."/var" = fileSystems."/var" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "space_cache=v2,ssd,noatime,subvol=@var,discard=async" ]; options = ["space_cache=v2,ssd,noatime,subvol=@var,discard=async"];
}; };
fileSystems."/nix" = fileSystems."/nix" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
}; };
fileSystems."/swap" = fileSystems."/swap" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async"];
}; };
fileSystems."/mnt/snapshots/root" =
{ device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ];
};
fileSystems."/mnt/snapshots/root" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
};
#swapDevices = [ { device = "/swap/swapfile"; } ]; #swapDevices = [ { device = "/swap/swapfile"; } ];
swapDevices = [ ]; swapDevices = [];
networking = { networking = {
useDHCP = false; # Deprecated useDHCP = false; # Deprecated
hostName = "kabtop"; hostName = "kabtop";
domain = "kabtop.de"; domain = "kabtop.de";
networkmanager = { networkmanager = {
@@ -116,34 +119,33 @@
}; };
firewall = { firewall = {
enable = true; enable = true;
allowedUDPPorts = [ ]; allowedUDPPorts = [];
allowedTCPPorts = [ 80 443 ]; allowedTCPPorts = [80 443];
}; };
}; };
systemd.network = { systemd.network = {
enable = true; enable = true;
networks = { networks = {
"10-lan" = { "10-lan" = {
matchConfig.Name = "ens18"; matchConfig.Name = "ens18";
address = [ address = [
"37.44.215.182/24" "37.44.215.182/24"
"2a13:7e80:0:ef::2/64" "2a13:7e80:0:ef::2/64"
]; ];
routes = [ routes = [
{ Gateway = "37.44.215.1"; } {Gateway = "37.44.215.1";}
{ Gateway = "fe80::1"; } {Gateway = "fe80::1";}
]; ];
dns = [ dns = [
"9.9.9.9" "9.9.9.9"
"2620:fe::fe" "2620:fe::fe"
]; ];
};
}; };
};
}; };
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
} }

16
hosts/kabtop/home.nix
View File

@@ -10,16 +10,13 @@
# └─ ./hyprland # └─ ./hyprland
# └─ hyprland.nix # └─ hyprland.nix
# #
{pkgs, ...}: {
imports = [
../../modules/home.nix # Window Manager
];
{ pkgs, ... }: home = {
# Specific packages for laptop
{
imports =
[
../../modules/home.nix # Window Manager
];
home = { # Specific packages for laptop
packages = with pkgs; [ packages = with pkgs; [
# Applications # Applications
@@ -32,5 +29,4 @@
programs = { programs = {
alacritty.settings.font.size = 11; alacritty.settings.font.size = 11;
}; };
} }

22
hosts/kabtopci/default.nix
View File

@@ -1,18 +1,24 @@
# #
# Kabtopci — CI server configuration # Kabtopci — CI server configuration
# #
{ config, pkgs, user, agenix, impermanence, ... }:
{ {
imports = [ config,
./hardware-configuration.nix pkgs,
../../modules/server user,
] ++ (import ../../modules/services/kabtopci); agenix,
impermanence,
...
}: {
imports =
[
./hardware-configuration.nix
../../modules/server
]
++ (import ../../modules/services/kabtopci);
# ── Server module options ─────────────────────────────────────────────── # ── Server module options ───────────────────────────────────────────────
myServer.virtualisation.enable = true; myServer.virtualisation.enable = true;
myServer.virtualisation.cpu = "amd"; myServer.virtualisation.cpu = "amd";
# ── Host-specific settings ────────────────────────────────────────────── # ── Host-specific settings ──────────────────────────────────────────────
boot = { boot = {

105
hosts/kabtopci/hardware-configuration.nix
View File

@@ -10,16 +10,19 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = config,
[ (modulesPath + "/installer/scan/not-detected.nix")]; lib,
pkgs,
modulesPath,
...
}: {
imports = [(modulesPath + "/installer/scan/not-detected.nix")];
boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sr_mod" "virtio_blk" ]; boot.initrd.availableKernelModules = ["ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sr_mod" "virtio_blk"];
boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ]; boot.initrd.kernelModules = ["vfio_pci" "vfio" "vfio_iommu_type1"];
boot.kernelModules = [ ]; boot.kernelModules = [];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [];
boot.tmp.useTmpfs = false; boot.tmp.useTmpfs = false;
boot.tmp.cleanOnBoot = true; boot.tmp.cleanOnBoot = true;
zramSwap.enable = true; zramSwap.enable = true;
@@ -32,46 +35,46 @@
]; ];
}; };
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
}; };
fileSystems."/home" = fileSystems."/home" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
}; };
fileSystems."/srv" = fileSystems."/srv" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
}; };
fileSystems."/var" = fileSystems."/var" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "space_cache=v2,ssd,noatime,subvol=@var,discard=async" ]; options = ["space_cache=v2,ssd,noatime,subvol=@var,discard=async"];
}; };
fileSystems."/nix" = fileSystems."/nix" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd:9,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ]; options = ["compress=zstd:9,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
}; };
fileSystems."/swap" = fileSystems."/swap" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async"];
}; };
swapDevices = [];
swapDevices = [ ];
networking = { networking = {
useDHCP = false; # Deprecated useDHCP = false; # Deprecated
hostName = "kabtopci"; hostName = "kabtopci";
domain = "ci.kabtop.de"; domain = "ci.kabtop.de";
networkmanager = { networkmanager = {
@@ -79,15 +82,19 @@
}; };
interfaces = { interfaces = {
ens3 = { ens3 = {
useDHCP = false; # For versatility sake, manually edit IP on nm-applet. useDHCP = false; # For versatility sake, manually edit IP on nm-applet.
ipv4.addresses = [ { ipv4.addresses = [
{
address = "195.90.221.87"; address = "195.90.221.87";
prefixLength = 22; prefixLength = 22;
} ]; }
ipv6.addresses = [ { ];
ipv6.addresses = [
{
address = "2a00:6800:3:d5b::2"; address = "2a00:6800:3:d5b::2";
prefixLength = 64; prefixLength = 64;
} ]; }
];
}; };
}; };
defaultGateway = "195.90.220.1"; defaultGateway = "195.90.220.1";
@@ -96,11 +103,11 @@
interface = "ens3"; interface = "ens3";
}; };
nameservers = [ "9.9.9.9" "2620:fe::fe" ]; nameservers = ["9.9.9.9" "2620:fe::fe"];
firewall = { firewall = {
enable = true; enable = true;
allowedUDPPorts = [ ]; allowedUDPPorts = [];
allowedTCPPorts = [ 80 443 ]; allowedTCPPorts = [80 443];
}; };
}; };

16
hosts/kabtopci/home.nix
View File

@@ -10,16 +10,13 @@
# └─ ./hyprland # └─ ./hyprland
# └─ hyprland.nix # └─ hyprland.nix
# #
{pkgs, ...}: {
imports = [
../../modules/home.nix # Window Manager
];
{ pkgs, ... }: home = {
# Specific packages for laptop
{
imports =
[
../../modules/home.nix # Window Manager
];
home = { # Specific packages for laptop
packages = with pkgs; [ packages = with pkgs; [
# Applications # Applications
@@ -32,5 +29,4 @@
programs = { programs = {
alacritty.settings.font.size = 11; alacritty.settings.font.size = 11;
}; };
} }

36
hosts/kubemaster-1/default.nix
View File

@@ -1,36 +1,42 @@
# #
# Kubemaster-1 — Kubernetes master server configuration # Kubemaster-1 — Kubernetes master server configuration
# #
{ config, pkgs, user, agenix, impermanence, ... }:
{ {
imports = [ config,
./hardware-configuration.nix pkgs,
../../modules/server user,
] ++ (import ../../modules/services/kubemaster); agenix,
impermanence,
...
}: {
imports =
[
./hardware-configuration.nix
../../modules/server
]
++ (import ../../modules/services/kubemaster);
# ── Server module options ─────────────────────────────────────────────── # ── Server module options ───────────────────────────────────────────────
myServer.virtualisation.enable = true; myServer.virtualisation.enable = true;
myServer.virtualisation.cpu = "intel"; myServer.virtualisation.cpu = "intel";
# ── Host-specific settings ────────────────────────────────────────────── # ── Host-specific settings ──────────────────────────────────────────────
boot = { boot = {
kernelPackages = pkgs.linuxPackages_latest; kernelPackages = pkgs.linuxPackages_latest;
loader = { loader = {
systemd-boot.enable = true; systemd-boot.enable = true;
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
efi.efiSysMountPoint = "/boot"; efi.efiSysMountPoint = "/boot";
timeout = 1; timeout = 1;
}; };
}; };
services.avahi = { services.avahi = {
enable = true; enable = true;
nssmdns4 = true; nssmdns4 = true;
publish = { publish = {
enable = true; enable = true;
addresses = true; addresses = true;
userServices = true; userServices = true;
}; };
}; };

131
hosts/kubemaster-1/hardware-configuration.nix
View File

@@ -10,17 +10,21 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = config,
[ (modulesPath + "/installer/scan/not-detected.nix") lib,
]; pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" "sr_mod" ]; boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" "sr_mod"];
boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ]; boot.initrd.kernelModules = ["vfio_pci" "vfio" "vfio_iommu_type1"];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [];
boot.tmp.useTmpfs = false; boot.tmp.useTmpfs = false;
boot.tmp.cleanOnBoot = true; boot.tmp.cleanOnBoot = true;
zramSwap.enable = true; zramSwap.enable = true;
@@ -33,74 +37,74 @@
]; ];
}; };
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
}; };
fileSystems."/home" = fileSystems."/home" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
}; };
fileSystems."/srv" = fileSystems."/srv" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
}; };
fileSystems."/var" = fileSystems."/var" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@var,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@var,discard=async"];
}; };
fileSystems."/nix" = fileSystems."/nix" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
}; };
fileSystems."/swap" = fileSystems."/swap" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async"];
}; };
fileSystems."/mnt/snapshots/root" = fileSystems."/mnt/snapshots/root" = {
{ device = "/dev/disk/by-label/NIXROOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
}; };
swapDevices = [];
swapDevices = [ ];
systemd.network = { systemd.network = {
enable = true; enable = true;
networks = { networks = {
"10-lan" = { "10-lan" = {
matchConfig.Name = "enp0s31f6"; matchConfig.Name = "enp0s31f6";
ntp = [ "192.168.2.1" ]; ntp = ["192.168.2.1"];
domains = [ "home.opel-online.de" ]; domains = ["home.opel-online.de"];
networkConfig = { networkConfig = {
DHCP = "yes"; DHCP = "yes";
IPv6AcceptRA = true; IPv6AcceptRA = true;
}; };
dns = [ dns = [
"192.168.2.1" "192.168.2.1"
]; ];
};
}; };
};
}; };
networking = { networking = {
useDHCP = false; # Deprecated useDHCP = false; # Deprecated
hostName = "kubemaster-1"; hostName = "kubemaster-1";
firewall = { firewall = {
enable = true; enable = true;
allowedUDPPorts = [ ]; allowedUDPPorts = [];
allowedTCPPorts = [ 80 443 ]; allowedTCPPorts = [80 443];
}; };
}; };
@@ -113,5 +117,4 @@
''; '';
}; };
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
} }

16
hosts/kubemaster-1/home.nix
View File

@@ -10,16 +10,13 @@
# └─ ./hyprland # └─ ./hyprland
# └─ hyprland.nix # └─ hyprland.nix
# #
{pkgs, ...}: {
imports = [
../../modules/home.nix # Window Manager
];
{ pkgs, ... }: home = {
# Specific packages for laptop
{
imports =
[
../../modules/home.nix # Window Manager
];
home = { # Specific packages for laptop
packages = with pkgs; [ packages = with pkgs; [
# Applications # Applications
@@ -32,5 +29,4 @@
programs = { programs = {
alacritty.settings.font.size = 11; alacritty.settings.font.size = 11;
}; };
} }

38
hosts/lifebook/default.nix
View File

@@ -1,36 +1,38 @@
# #
# Lifebook laptop — system configuration # Lifebook laptop — system configuration
# #
{ lib, pkgs, user, ... }:
{ {
lib,
pkgs,
user,
...
}: {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../modules/desktop ../../modules/desktop
]; ];
# ── Desktop module options ────────────────────────────────────────────── # ── Desktop module options ──────────────────────────────────────────────
myDesktop.windowManager = "niri"; myDesktop.windowManager = "niri";
myDesktop.niri.hotkeyVariant = "lifebook"; myDesktop.niri.hotkeyVariant = "lifebook";
myDesktop.cpu = "intel"; myDesktop.cpu = "intel";
myDesktop.virtualisation.enable = true; myDesktop.virtualisation.enable = true;
myDesktop.laptop.enable = true; myDesktop.laptop.enable = true;
myDesktop.laptop.lidSwitch = "suspend-then-hibernate"; myDesktop.laptop.lidSwitch = "suspend-then-hibernate";
myDesktop.laptop.hibernateDelaySec = "1h"; myDesktop.laptop.hibernateDelaySec = "1h";
myDesktop.git.signingKey = "/home/${user}/.ssh/id_ed25519_sk_rk_blackred"; myDesktop.git.signingKey = "/home/${user}/.ssh/id_ed25519_sk_rk_blackred";
myDesktop.syncthing.enable = true; myDesktop.syncthing.enable = true;
myDesktop.syncthing.devices = { myDesktop.syncthing.devices = {
"jupiter.home.opel-online.de" = { id = "T53WU6Z-3NT74ZE-PZVZB2N-7FBTZ5K-HESC2ZM-W4ABDAS-NWXHTGI-ST4CDQR"; }; "jupiter.home.opel-online.de" = {id = "T53WU6Z-3NT74ZE-PZVZB2N-7FBTZ5K-HESC2ZM-W4ABDAS-NWXHTGI-ST4CDQR";};
"hades.home.opel-online.de" = { id = "3VPCBVW-RH7XKFM-TWJGQHC-ZRAQ575-CQKGGKP-NAB4VXE-KCKJFUT-AMCUQQA"; }; "hades.home.opel-online.de" = {id = "3VPCBVW-RH7XKFM-TWJGQHC-ZRAQ575-CQKGGKP-NAB4VXE-KCKJFUT-AMCUQQA";};
}; };
myDesktop.syncthing.folders = { myDesktop.syncthing.folders = {
"Sync" = { "Sync" = {
path = "/home/kabbone/Sync"; path = "/home/kabbone/Sync";
devices = [ "jupiter.home.opel-online.de" "hades.home.opel-online.de" ]; devices = ["jupiter.home.opel-online.de" "hades.home.opel-online.de"];
ignorePerms = false; ignorePerms = false;
}; };
}; };
@@ -42,16 +44,16 @@
# ── Host-specific settings ────────────────────────────────────────────── # ── Host-specific settings ──────────────────────────────────────────────
boot = { boot = {
kernelPackages = pkgs.linuxPackages_latest; kernelPackages = pkgs.linuxPackages_latest;
initrd.prepend = [ "${./patched-SSDT4}" ]; initrd.prepend = ["${./patched-SSDT4}"];
loader = { loader = {
systemd-boot.enable = lib.mkForce false; systemd-boot.enable = lib.mkForce false;
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
efi.efiSysMountPoint = "/boot"; efi.efiSysMountPoint = "/boot";
timeout = 1; timeout = 1;
}; };
lanzaboote = { lanzaboote = {
enable = true; enable = true;
pkiBundle = "/etc/secureboot"; pkiBundle = "/etc/secureboot";
}; };
}; };

386
hosts/lifebook/hardware-configuration.nix
View File

@@ -10,222 +10,222 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = imports =
[ (modulesPath + "/installer/scan/not-detected.nix")] ++ [(modulesPath + "/installer/scan/not-detected.nix")]
[( import ../../modules/hardware/backup.nix )]; ++ [(import ../../modules/hardware/backup.nix)];
boot = { boot = {
initrd = { initrd = {
availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" "sdhci_pci" ]; availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" "sdhci_pci"];
kernelModules = [ "i915" "kvm_intel" "vfio_pci" "vfio" "vfio_iommu_type1" ]; kernelModules = ["i915" "kvm_intel" "vfio_pci" "vfio" "vfio_iommu_type1"];
systemd.enable = true; systemd.enable = true;
luks = { luks = {
devices."crypted" = { devices."crypted" = {
device = "/dev/disk/by-partlabel/disk-nvme0n1-luks"; device = "/dev/disk/by-partlabel/disk-nvme0n1-luks";
allowDiscards = true; allowDiscards = true;
bypassWorkqueues = true; bypassWorkqueues = true;
}; };
}; };
}; };
kernelModules = [ "kvm-intel" ]; kernelModules = ["kvm-intel"];
kernelParams = [ "luks.options=fido2-device=auto" "sysrq_always_enabled=1" "pcie_aspm=force" ]; kernelParams = ["luks.options=fido2-device=auto" "sysrq_always_enabled=1" "pcie_aspm=force"];
extraModprobeConfig = '' extraModprobeConfig = ''
options i915 force_probe=!9a49 options i915 force_probe=!9a49
options xe force_probe=9a49 options xe force_probe=9a49
''; '';
tmp.useTmpfs = false; tmp.useTmpfs = false;
tmp.cleanOnBoot = true; tmp.cleanOnBoot = true;
}; };
zramSwap.enable = true; zramSwap.enable = true;
services = { services = {
btrfs.autoScrub = { btrfs.autoScrub = {
enable = true; enable = true;
interval = "monthly"; interval = "monthly";
fileSystems = [ fileSystems = [
"/" "/"
]; ];
}; };
udev.extraRules = '' udev.extraRules = ''
ACTION=="add", SUBSYSTEM=="block", KERNEL=="mmcblk[0-9]p[0-9]", ENV{ID_FS_USAGE}=="filesystem", RUN{program}+="${pkgs.systemd}/bin/systemd-mount -o noatime,compress-force=zstd:15,ssd_spread,commit=120 --no-block --automount=yes --collect $devnode /run/media/mmcblk0p1" ACTION=="add", SUBSYSTEM=="block", KERNEL=="mmcblk[0-9]p[0-9]", ENV{ID_FS_USAGE}=="filesystem", RUN{program}+="${pkgs.systemd}/bin/systemd-mount -o noatime,compress-force=zstd:15,ssd_spread,commit=120 --no-block --automount=yes --collect $devnode /run/media/mmcblk0p1"
''; '';
btrbk = { btrbk = {
extraPackages = [ pkgs.lz4 pkgs.mbuffer ]; extraPackages = [pkgs.lz4 pkgs.mbuffer];
instances = { instances = {
hf = { hf = {
onCalendar = "hourly"; onCalendar = "hourly";
settings = { settings = {
incremental = "yes"; incremental = "yes";
snapshot_create = "ondemand"; snapshot_create = "ondemand";
snapshot_dir = "@snapshots"; snapshot_dir = "@snapshots";
timestamp_format = "long"; timestamp_format = "long";
snapshot_preserve = "2m 2w 5d 5h"; snapshot_preserve = "2m 2w 5d 5h";
snapshot_preserve_min = "latest"; snapshot_preserve_min = "latest";
volume = { volume = {
"/mnt/snapshots/root" = { "/mnt/snapshots/root" = {
snapshot_create = "always"; snapshot_create = "always";
subvolume = { subvolume = {
"@home" = {}; "@home" = {};
}; };
};
};
};
}; };
bak = {
onCalendar = "daily";
settings = {
stream_buffer = "256m";
stream_compress = "lz4";
incremental = "yes";
snapshot_create = "no";
snapshot_dir = "@snapshots";
timestamp_format = "long";
snapshot_preserve_min = "all";
target_preserve_min = "no";
target_preserve = "4w 3d";
ssh_identity = "/etc/btrbk/ssh/id_ed25519_btrbk_nas";
ssh_user = "btrbk";
volume = {
"/mnt/snapshots/root" = {
subvolume = {
"@home" = {};
};
target = "ssh://jupiter.home.opel-online.de:2220/mnt/snapshots/Mars/@snapshots/@lifebook";
};
};
};
};
};
};
tuned = {
enable = true;
profiles = {
balanced_powertop = {
main = {
include = "balanced";
};
sysfs = {
"/sys/class/net/wlan0/device/power/wakeup" = "enabled";
"/sys/bus/usb/devices/usb3/power/wakeup" = "enabled";
"/sys/bus/usb/devices/usb1/power/wakeup" = "enabled";
"/sys/bus/usb/devices/3-9/power/wakeup" = "enabled";
"/sys/bus/usb/devices/usb4/power/wakeup" = "enabled";
"/sys/bus/usb/devices/3-10/power/wakeup" = "enabled";
"/sys/bus/usb/devices/usb2/power/wakeup" = "enabled";
"/sys/bus/usb/devices/3-5/power/wakeup" = "enabled";
}; };
}; };
balanced-battery_powertop = { };
main = { bak = {
include = "balanced-battery"; onCalendar = "daily";
}; settings = {
sysfs = { stream_buffer = "256m";
"/sys/class/net/wlan0/device/power/wakeup" = "disabled"; stream_compress = "lz4";
"/sys/bus/usb/devices/usb3/power/wakeup" = "disabled"; incremental = "yes";
"/sys/bus/usb/devices/usb1/power/wakeup" = "disabled"; snapshot_create = "no";
"/sys/bus/usb/devices/3-9/power/wakeup" = "disabled"; snapshot_dir = "@snapshots";
"/sys/bus/usb/devices/usb4/power/wakeup" = "disabled"; timestamp_format = "long";
"/sys/bus/usb/devices/3-10/power/wakeup" = "disabled";
"/sys/bus/usb/devices/usb2/power/wakeup" = "disabled"; snapshot_preserve_min = "all";
"/sys/bus/usb/devices/3-5/power/wakeup" = "disabled"; target_preserve_min = "no";
target_preserve = "4w 3d";
ssh_identity = "/etc/btrbk/ssh/id_ed25519_btrbk_nas";
ssh_user = "btrbk";
volume = {
"/mnt/snapshots/root" = {
subvolume = {
"@home" = {};
};
target = "ssh://jupiter.home.opel-online.de:2220/mnt/snapshots/Mars/@snapshots/@lifebook";
};
}; };
}; };
}; };
}; };
}; };
systemd.timers = { tuned = {
btrbk-bak = { enable = true;
after = [ "network-online.target" ]; profiles = {
requires = [ "network-online.target" ]; balanced_powertop = {
main = {
include = "balanced";
};
sysfs = {
"/sys/class/net/wlan0/device/power/wakeup" = "enabled";
"/sys/bus/usb/devices/usb3/power/wakeup" = "enabled";
"/sys/bus/usb/devices/usb1/power/wakeup" = "enabled";
"/sys/bus/usb/devices/3-9/power/wakeup" = "enabled";
"/sys/bus/usb/devices/usb4/power/wakeup" = "enabled";
"/sys/bus/usb/devices/3-10/power/wakeup" = "enabled";
"/sys/bus/usb/devices/usb2/power/wakeup" = "enabled";
"/sys/bus/usb/devices/3-5/power/wakeup" = "enabled";
};
};
balanced-battery_powertop = {
main = {
include = "balanced-battery";
};
sysfs = {
"/sys/class/net/wlan0/device/power/wakeup" = "disabled";
"/sys/bus/usb/devices/usb3/power/wakeup" = "disabled";
"/sys/bus/usb/devices/usb1/power/wakeup" = "disabled";
"/sys/bus/usb/devices/3-9/power/wakeup" = "disabled";
"/sys/bus/usb/devices/usb4/power/wakeup" = "disabled";
"/sys/bus/usb/devices/3-10/power/wakeup" = "disabled";
"/sys/bus/usb/devices/usb2/power/wakeup" = "disabled";
"/sys/bus/usb/devices/3-5/power/wakeup" = "disabled";
};
};
}; };
};
}; };
fileSystems."/" = systemd.timers = {
{ device = "/dev/mapper/crypted"; btrbk-bak = {
fsType = "btrfs"; after = ["network-online.target"];
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ]; requires = ["network-online.target"];
}; };
};
fileSystems."/boot" = fileSystems."/" = {
{ device = "/dev/disk/by-label/NIXBOOT"; device = "/dev/mapper/crypted";
fsType = "vfat"; fsType = "btrfs";
}; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
};
fileSystems."/home" = fileSystems."/boot" = {
{ device = "/dev/mapper/crypted"; device = "/dev/disk/by-label/NIXBOOT";
fsType = "btrfs"; fsType = "vfat";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ]; };
};
fileSystems."/nix" = fileSystems."/home" = {
{ device = "/dev/mapper/crypted"; device = "/dev/mapper/crypted";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
}; };
fileSystems."/srv" = fileSystems."/nix" = {
{ device = "/dev/mapper/crypted"; device = "/dev/mapper/crypted";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
}; };
fileSystems."/swap" = fileSystems."/srv" = {
{ device = "/dev/mapper/crypted"; device = "/dev/mapper/crypted";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
}; };
fileSystems."/opt" = fileSystems."/swap" = {
{ device = "/dev/mapper/crypted"; device = "/dev/mapper/crypted";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@opt,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async"];
}; };
fileSystems."/var" = fileSystems."/opt" = {
{ device = "/dev/mapper/crypted"; device = "/dev/mapper/crypted";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@var,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@opt,discard=async"];
}; };
fileSystems."/mnt/snapshots/root" = fileSystems."/var" = {
{ device = "/dev/mapper/crypted"; device = "/dev/mapper/crypted";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@var,discard=async"];
}; };
fileSystems."/mnt/snapshots/root" = {
device = "/dev/mapper/crypted";
fsType = "btrfs";
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
};
fileSystems."/mnt/Pluto" = fileSystems."/mnt/Pluto" = {
{ device = "jupiter.home.opel-online.de:/Pluto"; device = "jupiter.home.opel-online.de:/Pluto";
fsType = "nfs"; fsType = "nfs";
options = [ "nofail,noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2" ]; options = ["nofail,noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2"];
}; };
fileSystems."/mnt/Mars" = fileSystems."/mnt/Mars" = {
{ device = "jupiter.home.opel-online.de:/Mars"; device = "jupiter.home.opel-online.de:/Mars";
fsType = "nfs"; fsType = "nfs";
options = [ "nofail,noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2" ]; options = ["nofail,noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2"];
}; };
swapDevices = [{device = "/swap/swapfile";}];
swapDevices = [ { device = "/swap/swapfile"; } ];
networking = { networking = {
useDHCP = false; # Deprecated useDHCP = false; # Deprecated
hostName = "lifebook"; hostName = "lifebook";
wireless.iwd.enable = true; wireless.iwd.enable = true;
networkmanager = { networkmanager = {
@@ -235,27 +235,27 @@
powersave = true; powersave = true;
}; };
}; };
# interfaces = { # interfaces = {
# wlan0 = { # wlan0 = {
# useDHCP = true; # For versatility sake, manually edit IP on nm-applet. # useDHCP = true; # For versatility sake, manually edit IP on nm-applet.
# #ipv4.addresses = [ { # #ipv4.addresses = [ {
# # address = "192.168.0.51"; # # address = "192.168.0.51";
# # prefixLength = 24; # # prefixLength = 24;
# #} ]; # #} ];
# }; # };
# }; # };
#defaultGateway = "192.168.0.1"; #defaultGateway = "192.168.0.1";
#nameservers = [ "192.168.0.4" ]; #nameservers = [ "192.168.0.4" ];
firewall = { firewall = {
checkReversePath = false; checkReversePath = false;
enable = true; enable = true;
allowedUDPPorts = [ 24727 51820 ]; allowedUDPPorts = [24727 51820];
allowedTCPPorts = [ 24727 ]; allowedTCPPorts = [24727];
}; };
}; };
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# powerManagement = { # powerManagement = {
# powertop.enable = true; # powertop.enable = true;
# }; # };
} }

9
hosts/lifebook/home.nix
View File

@@ -2,12 +2,9 @@
# Lifebook laptop — home-manager host-specific additions # Lifebook laptop — home-manager host-specific additions
# (WM home config is loaded by modules/desktop based on myDesktop.windowManager) # (WM home config is loaded by modules/desktop based on myDesktop.windowManager)
# #
{pkgs, ...}: {
{ pkgs, ... }:
{
imports = [ imports = [
../../modules/home.nix # cmds / theme options ../../modules/home.nix # cmds / theme options
]; ];
home.packages = with pkgs; [ home.packages = with pkgs; [
@@ -21,7 +18,7 @@
]; ];
services = { services = {
blueman-applet.enable = true; blueman-applet.enable = true;
network-manager-applet.enable = true; network-manager-applet.enable = true;
}; };

36
hosts/nasbackup/default.nix
View File

@@ -1,14 +1,18 @@
# #
# Nasbak — NAS backup server configuration # Nasbak — NAS backup server configuration
# #
{ config, pkgs, user, ... }:
{ {
imports = [ config,
./hardware-configuration.nix pkgs,
../../modules/server user,
] ++ (import ../../modules/services/nasbackup); ...
}: {
imports =
[
./hardware-configuration.nix
../../modules/server
]
++ (import ../../modules/services/nasbackup);
# ── Server module options ─────────────────────────────────────────────── # ── Server module options ───────────────────────────────────────────────
# No virtualisation on the backup NAS # No virtualisation on the backup NAS
@@ -17,30 +21,30 @@
boot = { boot = {
kernelPackages = pkgs.linuxPackages_latest; kernelPackages = pkgs.linuxPackages_latest;
loader = { loader = {
systemd-boot.enable = true; systemd-boot.enable = true;
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
efi.efiSysMountPoint = "/boot"; efi.efiSysMountPoint = "/boot";
timeout = 1; timeout = 1;
}; };
}; };
programs = { programs = {
ssh.startAgent = false; ssh.startAgent = false;
gnupg.agent = { gnupg.agent = {
enable = false; enable = false;
enableSSHSupport = true; enableSSHSupport = true;
pinentryPackage = pkgs.pinentry-curses; pinentryPackage = pkgs.pinentry-curses;
}; };
}; };
services = { services = {
qemuGuest.enable = true; qemuGuest.enable = true;
avahi = { avahi = {
enable = true; enable = true;
nssmdns4 = true; nssmdns4 = true;
publish = { publish = {
enable = true; enable = true;
addresses = true; addresses = true;
userServices = true; userServices = true;
}; };
}; };

319
hosts/nasbackup/hardware-configuration.nix
View File

@@ -1,4 +1,3 @@
# Hardware settings for Teclast F5 10" Laptop # Hardware settings for Teclast F5 10" Laptop
# NixOS @ sda2 # NixOS @ sda2
# #
@@ -10,18 +9,22 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = config,
[ (modulesPath + "/profiles/qemu-guest.nix") lib,
]; pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ]; boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod"];
boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ]; boot.initrd.kernelModules = ["vfio_pci" "vfio" "vfio_iommu_type1"];
boot.initrd.secrets = { boot.initrd.secrets = {
"/root/NASKeyfile" = "/root/NASKeyfile" =
/root/NASKeyfile; /root/NASKeyfile;
}; };
boot.initrd.luks.devices = { boot.initrd.luks.devices = {
NAS-RAID1 = { NAS-RAID1 = {
@@ -35,8 +38,8 @@
bypassWorkqueues = true; bypassWorkqueues = true;
}; };
}; };
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [];
boot.tmp.useTmpfs = false; boot.tmp.useTmpfs = false;
boot.tmp.cleanOnBoot = true; boot.tmp.cleanOnBoot = true;
zramSwap.enable = true; zramSwap.enable = true;
@@ -51,168 +54,167 @@
}; };
services.btrbk = { services.btrbk = {
extraPackages = [ pkgs.lz4 pkgs.mbuffer ]; extraPackages = [pkgs.lz4 pkgs.mbuffer];
instances = { instances = {
hf = { hf = {
onCalendar = "hourly"; onCalendar = "hourly";
settings = { settings = {
incremental = "yes"; incremental = "yes";
snapshot_create = "ondemand"; snapshot_create = "ondemand";
snapshot_dir = "@snapshots"; snapshot_dir = "@snapshots";
timestamp_format = "long"; timestamp_format = "long";
snapshot_preserve = "2m 2w 5d 5h"; snapshot_preserve = "2m 2w 5d 5h";
snapshot_preserve_min = "latest"; snapshot_preserve_min = "latest";
volume = { volume = {
"/mnt/snapshots/root" = { "/mnt/snapshots/root" = {
snapshot_create = "always"; snapshot_create = "always";
subvolume = { subvolume = {
"@" = {}; "@" = {};
"@home" = {}; "@home" = {};
};
};
};
};
};
bak = {
onCalendar = "weekly";
settings = {
stream_buffer = "265m";
stream_compress = "lz4";
incremental = "yes";
snapshot_create = "no";
snapshot_dir = "@snapshots";
timestamp_format = "long";
snapshot_preserve_min = "all";
target_preserve_min = "no";
target_preserve = "4w 2m";
archive_preserve_min = "no";
archive_preserve = "4w 2m";
ssh_identity = "/etc/btrbk/ssh/id_ed25519_btrbk";
ssh_user = "btrbk";
volume = {
"ssh://jupiter.home.opel-online.de:2220/mnt/snapshots/Mars" = {
subvolume = {
"@nas" = {
target = "/mnt/nas/Backups/Mars";
};
"@hades/@home" = {
target = "/mnt/nas/Backups/Hades";
snapshot_dir = "@snapshots/@hades";
};
"@lifebook/@home" = {
target = "/mnt/nas/Backups/Lifebook";
snapshot_dir = "@snapshots/@lifebook";
};
# "@steamdeck/@home" = {
# target = "/mnt/nas/Backups/Steamdeck";
# snapshot_dir = "@snapshots/@steamdeck";
# };
};
};
};
volume = {
"ssh://jupiter.home.opel-online.de:2220/mnt/snapshots/Pluto" = {
target = "/mnt/nas/Backups/Pluto";
subvolume = {
"@/Games" = {};
"@/IT" = {};
"@/Media" = {};
"@/Pictures" = {};
"@/Rest" = {};
};
};
};
}; };
};
}; };
};
}; };
bak = {
onCalendar = "weekly";
settings = {
stream_buffer = "265m";
stream_compress = "lz4";
incremental = "yes";
snapshot_create = "no";
snapshot_dir = "@snapshots";
timestamp_format = "long";
snapshot_preserve_min = "all";
target_preserve_min = "no";
target_preserve = "4w 2m";
archive_preserve_min = "no";
archive_preserve = "4w 2m";
ssh_identity = "/etc/btrbk/ssh/id_ed25519_btrbk";
ssh_user = "btrbk";
volume = {
"ssh://jupiter.home.opel-online.de:2220/mnt/snapshots/Mars" = {
subvolume = {
"@nas" = {
target = "/mnt/nas/Backups/Mars";
};
"@hades/@home" = {
target = "/mnt/nas/Backups/Hades";
snapshot_dir = "@snapshots/@hades";
};
"@lifebook/@home" = {
target = "/mnt/nas/Backups/Lifebook";
snapshot_dir = "@snapshots/@lifebook";
};
# "@steamdeck/@home" = {
# target = "/mnt/nas/Backups/Steamdeck";
# snapshot_dir = "@snapshots/@steamdeck";
# };
};
};
};
volume = {
"ssh://jupiter.home.opel-online.de:2220/mnt/snapshots/Pluto" = {
target = "/mnt/nas/Backups/Pluto";
subvolume = {
"@/Games" = {};
"@/IT" = {};
"@/Media" = {};
"@/Pictures" = {};
"@/Rest" = {};
};
};
};
};
};
};
}; };
systemd.services = { systemd.services = {
btrbk-bak = { btrbk-bak = {
after = [ "network-online.target" ]; after = ["network-online.target"];
requires = [ "network-online.target" ]; requires = ["network-online.target"];
}; };
}; };
fileSystems."/" = {
fileSystems."/" = device = "/dev/disk/by-label/NIXROOT";
{ device = "/dev/disk/by-label/NIXROOT"; fsType = "btrfs";
fsType = "btrfs"; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ];
};
fileSystems."/srv" =
{ device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ];
};
fileSystems."/swap" =
{ device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async" ];
};
fileSystems."/mnt/snapshots/root" =
{ device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ];
}; };
# fileSystems."/mnt/snapshots/Pluto" = fileSystems."/home" = {
# { device = "/dev/disk/by-label/NAS-RAID"; device = "/dev/disk/by-label/NIXROOT";
# fsType = "btrfs"; fsType = "btrfs";
# options = [ "compress=zstd,space_cache=v2,noatime,subvolid=5" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
# }; };
#
fileSystems."/mnt/nas" =
{ device = "/dev/disk/by-uuid/70523c79-ef5c-40f2-8782-60fc86bb445b";
fsType = "btrfs";
options = [ "compress=zstd:9,space_cache=v2,noatime,subvol=@nasbak" ];
};
fileSystems."/boot" = fileSystems."/srv" = {
{ device = "/dev/disk/by-label/NIXBOOT"; device = "/dev/disk/by-label/NIXROOT";
fsType = "vfat"; fsType = "btrfs";
}; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
};
fileSystems."/nix" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
};
fileSystems."/swap" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async"];
};
fileSystems."/mnt/snapshots/root" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
};
# fileSystems."/mnt/snapshots/Pluto" =
# { device = "/dev/disk/by-label/NAS-RAID";
# fsType = "btrfs";
# options = [ "compress=zstd,space_cache=v2,noatime,subvolid=5" ];
# };
#
fileSystems."/mnt/nas" = {
device = "/dev/disk/by-uuid/70523c79-ef5c-40f2-8782-60fc86bb445b";
fsType = "btrfs";
options = ["compress=zstd:9,space_cache=v2,noatime,subvol=@nasbak"];
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/NIXBOOT";
fsType = "vfat";
};
swapDevices = [{device = "/swap/swapfile";}];
swapDevices = [ { device = "/swap/swapfile"; } ];
systemd.network = { systemd.network = {
enable = true; enable = true;
networks = { networks = {
"10-lan" = { "10-lan" = {
matchConfig.Name = "ens18"; matchConfig.Name = "ens18";
ntp = [ "192.168.2.1" ]; ntp = ["192.168.2.1"];
domains = [ "home.opel-online.de" ]; domains = ["home.opel-online.de"];
networkConfig = { networkConfig = {
DHCP = "yes"; DHCP = "yes";
IPv6AcceptRA = true; IPv6AcceptRA = true;
}; };
};
}; };
};
}; };
networking = { networking = {
hostName = "nasbak"; hostName = "nasbak";
domain = "home.opel-online.de"; domain = "home.opel-online.de";
useDHCP = false; # For versatility sake, manually edit IP on nm-applet. useDHCP = false; # For versatility sake, manually edit IP on nm-applet.
#firewall = { #firewall = {
# enable = false; # enable = false;
# #allowedUDPPorts = [ 53 67 ]; # #allowedUDPPorts = [ 53 67 ];
@@ -224,10 +226,9 @@
powerManagement = { powerManagement = {
cpuFreqGovernor = lib.mkDefault "powersave"; cpuFreqGovernor = lib.mkDefault "powersave";
powertop.enable = true; powertop.enable = true;
# powerUpCommands = '' # powerUpCommands = ''
# ${pkgs.hdparm}/sbin/hdparm -S 150 /dev/disk/by-uuid/57e6446d-faca-4b67-9063-e8d9afb80088 # ${pkgs.hdparm}/sbin/hdparm -S 150 /dev/disk/by-uuid/57e6446d-faca-4b67-9063-e8d9afb80088
# ${pkgs.hdparm}/sbin/hdparm -S 150 /dev/disk/by-uuid/b9edc489-ac37-4b28-981d-442722df7ae2 # ${pkgs.hdparm}/sbin/hdparm -S 150 /dev/disk/by-uuid/b9edc489-ac37-4b28-981d-442722df7ae2
# ''; # '';
}; };
} }

16
hosts/nasbackup/home.nix
View File

@@ -10,16 +10,13 @@
# └─ ./hyprland # └─ ./hyprland
# └─ hyprland.nix # └─ hyprland.nix
# #
{pkgs, ...}: {
imports = [
../../modules/home.nix # Window Manager
];
{ pkgs, ... }: home = {
# Specific packages for laptop
{
imports =
[
../../modules/home.nix # Window Manager
];
home = { # Specific packages for laptop
packages = with pkgs; [ packages = with pkgs; [
# Applications # Applications
@@ -32,5 +29,4 @@
programs = { programs = {
alacritty.settings.font.size = 11; alacritty.settings.font.size = 11;
}; };
} }

62
hosts/nbf5/default.nix
View File

@@ -5,7 +5,7 @@
# ├─ ./hosts # ├─ ./hosts
# │ └─ ./laptop # │ └─ ./laptop
# │ ├─ default.nix * # │ ├─ default.nix *
# │ └─ hardware-configuration.nix # │ └─ hardware-configuration.nix
# └─ ./modules # └─ ./modules
# ├─ ./desktop # ├─ ./desktop
# │ └─ ./hyprland # │ └─ ./hyprland
@@ -16,57 +16,69 @@
# └─ ./hardware # └─ ./hardware
# └─ default.nix # └─ default.nix
# #
{ config, pkgs, user, ... }:
{ {
imports = # For now, if applying to other system, swap files config,
[(import ./hardware-configuration.nix)] ++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix pkgs,
user,
...
}: {
imports =
# For now, if applying to other system, swap files
[(import ./hardware-configuration.nix)]
++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix
#[(import ../../modules/wm/hyprland/default.nix)] ++ # Window Manager #[(import ../../modules/wm/hyprland/default.nix)] ++ # Window Manager
# [(import ../../modules/wm/sway/default.nix)] ++ # Window Manager # [(import ../../modules/wm/sway/default.nix)] ++ # Window Manager
[(import ../../modules/wm/virtualisation/docker.nix)] ++ # Docker [(import ../../modules/wm/virtualisation/docker.nix)]
[(import ../../modules/wm/virtualisation/kvm-intel.nix)] ++ # kvm module options ++ # Docker
(import ../../modules/hardware) ++ [(import ../../modules/wm/virtualisation/kvm-intel.nix)]
(import ../../modules/services/printer); # Hardware devices ++ # kvm module options
(import ../../modules/hardware)
++ (import ../../modules/services/printer); # Hardware devices
boot = { # Boot options boot = {
# Boot options
kernelPackages = pkgs.linuxPackages_latest; kernelPackages = pkgs.linuxPackages_latest;
loader = { # EFI Boot loader = {
# EFI Boot
systemd-boot.enable = true; systemd-boot.enable = true;
efi = { efi = {
canTouchEfiVariables = true; canTouchEfiVariables = true;
efiSysMountPoint = "/boot"; efiSysMountPoint = "/boot";
}; };
timeout = 1; # Grub auto select time timeout = 1; # Grub auto select time
}; };
}; };
environment = { environment = {
systemPackages = with pkgs; [ systemPackages = with pkgs; [
intel-media-driver intel-media-driver
]; ];
}; };
programs = { # No xbacklight, this is the alterantive programs = {
# No xbacklight, this is the alterantive
light.enable = true; light.enable = true;
}; };
services = { services = {
tlp = { tlp = {
enable = true; # TLP and auto-cpufreq for power management enable = true; # TLP and auto-cpufreq for power management
settings = { settings = {
USB_DENYLIST="fc32:1287 1e7d:2e4a 1d5c:5500 1d5c:5510"; USB_DENYLIST = "fc32:1287 1e7d:2e4a 1d5c:5500 1d5c:5510";
}; };
}; };
logind.lidSwitch = "suspend-then-hibernate"; # Laptop does not go to sleep when lid is closed logind.lidSwitch = "suspend-then-hibernate"; # Laptop does not go to sleep when lid is closed
#auto-cpufreq.enable = true; #auto-cpufreq.enable = true;
blueman.enable = true; blueman.enable = true;
avahi = { # Needed to find wireless printer avahi = {
# Needed to find wireless printer
enable = true; enable = true;
nssmdns4 = true; nssmdns4 = true;
publish = { # Needed for detecting the scanner publish = {
# Needed for detecting the scanner
enable = true; enable = true;
addresses = true; addresses = true;
userServices = true; userServices = true;
@@ -75,8 +87,8 @@
}; };
#temporary bluetooth fix #temporary bluetooth fix
# systemd.tmpfiles.rules = [ # systemd.tmpfiles.rules = [
# "d /var/lib/bluetooth 700 root root - -" # "d /var/lib/bluetooth 700 root root - -"
# ]; # ];
# systemd.targets."bluetooth".after = ["systemd-tmpfiles-setup.service"]; # systemd.targets."bluetooth".after = ["systemd-tmpfiles-setup.service"];
} }

188
hosts/nbf5/hardware-configuration.nix
View File

@@ -10,32 +10,36 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = config,
[ (modulesPath + "/installer/scan/not-detected.nix") lib,
]; pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot = { boot = {
initrd = { initrd = {
availableKernelModules = [ "ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci" "rtsx_usb_sdmmc" ]; availableKernelModules = ["ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci" "rtsx_usb_sdmmc"];
kernelModules = [ "i915" "kvm_intel" ]; kernelModules = ["i915" "kvm_intel"];
systemd.enable = true; systemd.enable = true;
luks = { luks = {
devices."root" = { devices."root" = {
device = "/dev/disk/by-uuid/75eccc7f-30b0-4fe8-8f82-90edaf284cd5"; device = "/dev/disk/by-uuid/75eccc7f-30b0-4fe8-8f82-90edaf284cd5";
allowDiscards = true; allowDiscards = true;
}; };
}; };
}; };
kernelModules = [ "kvm-intel" ]; kernelModules = ["kvm-intel"];
extraModprobeConfig = '' extraModprobeConfig = ''
options i915 enable_guc=3 enable_fbc=1 fastboot=1 options i915 enable_guc=3 enable_fbc=1 fastboot=1
''; '';
kernelParams = [ "mitigations=off" "luks.options=fido2-device=auto" ]; kernelParams = ["mitigations=off" "luks.options=fido2-device=auto"];
tmp.useTmpfs = true; tmp.useTmpfs = true;
}; };
zramSwap.enable = true; zramSwap.enable = true;
@@ -49,110 +53,108 @@
}; };
services.btrbk = { services.btrbk = {
instances = { instances = {
hf = { hf = {
onCalendar = "hourly"; onCalendar = "hourly";
settings = { settings = {
incremental = "yes"; incremental = "yes";
snapshot_create = "ondemand"; snapshot_create = "ondemand";
snapshot_dir = "@snapshots"; snapshot_dir = "@snapshots";
timestamp_format = "long"; timestamp_format = "long";
snapshot_preserve = "2m 2w 5d 5h"; snapshot_preserve = "2m 2w 5d 5h";
snapshot_preserve_min = "latest"; snapshot_preserve_min = "latest";
volume = { volume = {
"/mnt/snapshots/root" = { "/mnt/snapshots/root" = {
snapshot_create = "always"; snapshot_create = "always";
subvolume = { subvolume = {
"@home" = {}; "@home" = {};
};
};
};
}; };
};
}; };
};
}; };
};
}; };
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/mapper/root"; device = "/dev/mapper/root";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
}; };
fileSystems."/home" = fileSystems."/home" = {
{ device = "/dev/mapper/root"; device = "/dev/mapper/root";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
}; };
fileSystems."/srv" = fileSystems."/srv" = {
{ device = "/dev/mapper/root"; device = "/dev/mapper/root";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
}; };
fileSystems."/opt" = fileSystems."/opt" = {
{ device = "/dev/mapper/root"; device = "/dev/mapper/root";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@opt,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@opt,discard=async"];
}; };
fileSystems."/nix" = fileSystems."/nix" = {
{ device = "/dev/mapper/root"; device = "/dev/mapper/root";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
}; };
fileSystems."/mnt/snapshots/root" = fileSystems."/mnt/snapshots/root" = {
{ device = "/dev/mapper/root"; device = "/dev/mapper/root";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
}; };
fileSystems."/boot" = fileSystems."/boot" = {
{ device = "/dev/disk/by-label/BOOT"; device = "/dev/disk/by-label/BOOT";
fsType = "vfat"; fsType = "vfat";
}; };
fileSystems."/mnt/Pluto" = fileSystems."/mnt/Pluto" = {
{ device = "jupiter:/Pluto"; device = "jupiter:/Pluto";
fsType = "nfs"; fsType = "nfs";
options = [ "noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2" ]; options = ["noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2"];
}; };
fileSystems."/mnt/Mars" = fileSystems."/mnt/Mars" = {
{ device = "jupiter:/Mars"; device = "jupiter:/Mars";
fsType = "nfs"; fsType = "nfs";
options = [ "noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2" ]; options = ["noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2"];
}; };
swapDevices = [];
swapDevices = [ ];
networking = { networking = {
useDHCP = false; # Deprecated useDHCP = false; # Deprecated
hostName = "nbf5"; hostName = "nbf5";
wireless = { wireless = {
iwd.enable = true; iwd.enable = true;
interfaces = [ "wlan0" ]; interfaces = ["wlan0"];
}; };
interfaces = { interfaces = {
wlan0 = { wlan0 = {
useDHCP = true; # For versatility sake, manually edit IP on nm-applet. useDHCP = true; # For versatility sake, manually edit IP on nm-applet.
}; };
}; };
firewall = { firewall = {
enable = true; enable = true;
#allowedUDPPorts = [ 53 67 ]; #allowedUDPPorts = [ 53 67 ];
allowedTCPPorts = [ 80 443 ]; allowedTCPPorts = [80 443];
}; };
}; };
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
powerManagement = { powerManagement = {
cpuFreqGovernor = lib.mkDefault "schedutil"; cpuFreqGovernor = lib.mkDefault "schedutil";
powertop.enable = true; powertop.enable = true;
}; };
} }

31
hosts/nbf5/home.nix
View File

@@ -10,26 +10,23 @@
# └─ ./hyprland # └─ ./hyprland
# └─ hyprland.nix # └─ hyprland.nix
# #
{pkgs, ...}: {
imports = [
#../../modules/wm/hyprland/home.nix # Window Manager
#../../modules/wm/sway/home.nix # Window Manager
../../modules/home.nix # Window Manager
];
{ pkgs, ... }: home = {
# Specific packages for laptop
{
imports =
[
#../../modules/wm/hyprland/home.nix # Window Manager
#../../modules/wm/sway/home.nix # Window Manager
../../modules/home.nix # Window Manager
];
home = { # Specific packages for laptop
packages = with pkgs; [ packages = with pkgs; [
# Applications # Applications
firefox firefox
intel-gpu-tools intel-gpu-tools
pulsemixer pulsemixer
# Display # Display
light # xorg.xbacklight not supported. Other option is just use xrandr. light # xorg.xbacklight not supported. Other option is just use xrandr.
# Power Management # Power Management
#auto-cpufreq # Power management #auto-cpufreq # Power management
@@ -41,11 +38,11 @@
alacritty.settings.font.size = 11; alacritty.settings.font.size = 11;
}; };
services = { # Applets services = {
blueman-applet.enable = true; # Bluetooth # Applets
network-manager-applet.enable = true; # Network blueman-applet.enable = true; # Bluetooth
network-manager-applet.enable = true; # Network
}; };
xsession.preferStatusNotifierItems = true; xsession.preferStatusNotifierItems = true;
} }

31
hosts/steamdeck/default.nix
View File

@@ -1,10 +1,13 @@
# #
# Steamdeck — system configuration # Steamdeck — system configuration
# #
{ lib, pkgs, user, jovian-nixos, ... }:
{ {
lib,
pkgs,
user,
jovian-nixos,
...
}: {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
../../modules/desktop ../../modules/desktop
@@ -12,15 +15,15 @@
]; ];
# ── Desktop module options ────────────────────────────────────────────── # ── Desktop module options ──────────────────────────────────────────────
myDesktop.windowManager = "kde"; myDesktop.windowManager = "kde";
myDesktop.cpu = "amd"; myDesktop.cpu = "amd";
myDesktop.virtualisation.enable = true; myDesktop.virtualisation.enable = true;
myDesktop.nitrokey.enable = true; myDesktop.nitrokey.enable = true;
specialisation = { specialisation = {
sway.configuration = { sway.configuration = {
imports = [ (import ../../modules/wm/sway) ]; imports = [(import ../../modules/wm/sway)];
jovian.steam.enable = lib.mkForce false; jovian.steam.enable = lib.mkForce false;
services.desktopManager.plasma6.enable = lib.mkForce false; services.desktopManager.plasma6.enable = lib.mkForce false;
}; };
}; };
@@ -28,20 +31,20 @@
# ── Host-specific settings ────────────────────────────────────────────── # ── Host-specific settings ──────────────────────────────────────────────
boot = { boot = {
loader = { loader = {
systemd-boot.enable = lib.mkForce false; systemd-boot.enable = lib.mkForce false;
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
efi.efiSysMountPoint = "/boot"; efi.efiSysMountPoint = "/boot";
timeout = 1; timeout = 1;
}; };
lanzaboote = { lanzaboote = {
enable = true; enable = true;
pkiBundle = "/etc/secureboot"; pkiBundle = "/etc/secureboot";
}; };
}; };
services.printing = { services.printing = {
enable = true; enable = true;
drivers = [ pkgs.gutenprint ]; drivers = [pkgs.gutenprint];
}; };
services.tailscale.enable = true; services.tailscale.enable = true;

310
hosts/steamdeck/hardware-configuration.nix
View File

@@ -10,178 +10,180 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = config,
[ (modulesPath + "/installer/scan/not-detected.nix") lib,
]; pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot = { boot = {
initrd = { initrd = {
availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci" ]; availableKernelModules = ["nvme" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci"];
kernelModules = [ ]; kernelModules = [];
systemd.enable = true; systemd.enable = true;
luks = { luks = {
devices."crypted" = { devices."crypted" = {
device = "/dev/disk/by-partlabel/disk-nvme0n1-luks"; device = "/dev/disk/by-partlabel/disk-nvme0n1-luks";
allowDiscards = true; allowDiscards = true;
bypassWorkqueues = true; bypassWorkqueues = true;
}; };
}; };
}; };
kernelModules = [ "kvm-amd" "amdgpu" ]; kernelModules = ["kvm-amd" "amdgpu"];
kernelParams = [ "luks.options=fido2-device=auto" ]; kernelParams = ["luks.options=fido2-device=auto"];
tmp.useTmpfs = false; tmp.useTmpfs = false;
tmp.cleanOnBoot = true; tmp.cleanOnBoot = true;
}; };
zramSwap.enable = true; zramSwap.enable = true;
services = { services = {
btrfs.autoScrub = { btrfs.autoScrub = {
enable = true; enable = true;
interval = "monthly"; interval = "monthly";
fileSystems = [ fileSystems = [
"/" "/"
]; ];
}; };
udev.extraRules = '' udev.extraRules = ''
ACTION=="add", SUBSYSTEM=="block", KERNEL=="mmcblk[0-9]p[0-9]", ENV{ID_FS_USAGE}=="filesystem", RUN{program}+="${pkgs.systemd}/bin/systemd-mount -o noatime,compress-force=zstd:15,ssd_spread,commit=120 --no-block --automount=yes --collect $devnode /run/media/mmcblk0p1" ACTION=="add", SUBSYSTEM=="block", KERNEL=="mmcblk[0-9]p[0-9]", ENV{ID_FS_USAGE}=="filesystem", RUN{program}+="${pkgs.systemd}/bin/systemd-mount -o noatime,compress-force=zstd:15,ssd_spread,commit=120 --no-block --automount=yes --collect $devnode /run/media/mmcblk0p1"
''; '';
btrbk = { btrbk = {
instances = { instances = {
hf = { hf = {
onCalendar = "hourly"; onCalendar = "hourly";
settings = { settings = {
incremental = "yes"; incremental = "yes";
snapshot_create = "ondemand"; snapshot_create = "ondemand";
snapshot_dir = "@snapshots"; snapshot_dir = "@snapshots";
timestamp_format = "long"; timestamp_format = "long";
snapshot_preserve = "2m 2w 5d 5h"; snapshot_preserve = "2m 2w 5d 5h";
snapshot_preserve_min = "latest"; snapshot_preserve_min = "latest";
volume = { volume = {
"/mnt/snapshots/root" = { "/mnt/snapshots/root" = {
snapshot_create = "always"; snapshot_create = "always";
subvolume = { subvolume = {
"@home" = {}; "@home" = {};
}; };
};
};
};
}; };
# bak = { };
# onCalendar = "daily";
# settings = {
# stream_buffer = "256m";
# stream_compress = "lz4";
# incremental = "yes";
# snapshot_create = "no";
# snapshot_dir = "@snapshots";
# timestamp_format = "long";
#
# snapshot_preserve_min = "all";
# target_preserve_min = "no";
# target_preserve = "2m 4w 3d";
#
# ssh_identity = "/etc/btrbk/ssh/id_ed25519_btrbk_nas";
# ssh_user = "btrbk";
#
# volume = {
# "/mnt/snapshots/root" = {
# subvolume = {
# "@home" = {};
# };
# target = "ssh://jupiter.home.opel-online.de:2220/mnt/snapshots/Mars/@snapshots/@steamdeck";
# };
# };
# };
# };
}; };
};
# bak = {
# onCalendar = "daily";
# settings = {
# stream_buffer = "256m";
# stream_compress = "lz4";
# incremental = "yes";
# snapshot_create = "no";
# snapshot_dir = "@snapshots";
# timestamp_format = "long";
#
# snapshot_preserve_min = "all";
# target_preserve_min = "no";
# target_preserve = "2m 4w 3d";
#
# ssh_identity = "/etc/btrbk/ssh/id_ed25519_btrbk_nas";
# ssh_user = "btrbk";
#
# volume = {
# "/mnt/snapshots/root" = {
# subvolume = {
# "@home" = {};
# };
# target = "ssh://jupiter.home.opel-online.de:2220/mnt/snapshots/Mars/@snapshots/@steamdeck";
# };
# };
# };
# };
}; };
};
}; };
# #
# systemd.timers = { # systemd.timers = {
# btrbk-bak = { # btrbk-bak = {
# requires = [ "network-online.target" ]; # requires = [ "network-online.target" ];
# }; # };
# }; # };
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/mapper/crypted"; device = "/dev/mapper/crypted";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
}; };
fileSystems."/boot" = fileSystems."/boot" = {
{ device = "/dev/disk/by-label/NIXBOOT"; device = "/dev/disk/by-label/NIXBOOT";
fsType = "vfat"; fsType = "vfat";
}; };
fileSystems."/home" = fileSystems."/home" = {
{ device = "/dev/mapper/crypted"; device = "/dev/mapper/crypted";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
}; };
fileSystems."/nix" = fileSystems."/nix" = {
{ device = "/dev/mapper/crypted"; device = "/dev/mapper/crypted";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
}; };
fileSystems."/srv" = fileSystems."/srv" = {
{ device = "/dev/mapper/crypted"; device = "/dev/mapper/crypted";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
}; };
fileSystems."/swap" = fileSystems."/swap" = {
{ device = "/dev/mapper/crypted"; device = "/dev/mapper/crypted";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async"];
}; };
fileSystems."/opt" = fileSystems."/opt" = {
{ device = "/dev/mapper/crypted"; device = "/dev/mapper/crypted";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@opt,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@opt,discard=async"];
}; };
fileSystems."/mnt/snapshots/root" = fileSystems."/mnt/snapshots/root" = {
{ device = "/dev/mapper/crypted"; device = "/dev/mapper/crypted";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
}; };
# fileSystems."/sdcard" = # fileSystems."/sdcard" =
# { device = "/dev/disk/by-label/sdcard"; # { device = "/dev/disk/by-label/sdcard";
# fsType = "ext4"; # fsType = "ext4";
# options = [ "nofail,noauto,users,x-systemd.automount" ]; # options = [ "nofail,noauto,users,x-systemd.automount" ];
# }; # };
fileSystems."/mnt/Pluto" = fileSystems."/mnt/Pluto" = {
{ device = "jupiter:/Pluto"; device = "jupiter:/Pluto";
fsType = "nfs"; fsType = "nfs";
options = [ "nofail,noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2" ]; options = ["nofail,noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2"];
}; };
fileSystems."/mnt/Mars" = fileSystems."/mnt/Mars" = {
{ device = "jupiter:/Mars"; device = "jupiter:/Mars";
fsType = "nfs"; fsType = "nfs";
options = [ "nofail,noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2" ]; options = ["nofail,noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2"];
}; };
swapDevices = [{device = "/swap/swapfile";}];
swapDevices = [ { device = "/swap/swapfile"; } ];
networking = { networking = {
useDHCP = false; # Deprecated useDHCP = false; # Deprecated
hostName = "steamdeck"; hostName = "steamdeck";
wireless.iwd.enable = true; wireless.iwd.enable = true;
networkmanager = { networkmanager = {
@@ -191,22 +193,22 @@
powersave = false; powersave = false;
}; };
}; };
# interfaces = { # interfaces = {
# wlan0 = { # wlan0 = {
# useDHCP = true; # For versatility sake, manually edit IP on nm-applet. # useDHCP = true; # For versatility sake, manually edit IP on nm-applet.
# #ipv4.addresses = [ { # #ipv4.addresses = [ {
# # address = "192.168.0.51"; # # address = "192.168.0.51";
# # prefixLength = 24; # # prefixLength = 24;
# #} ]; # #} ];
# }; # };
# }; # };
#defaultGateway = "192.168.0.1"; #defaultGateway = "192.168.0.1";
#nameservers = [ "192.168.0.4" ]; #nameservers = [ "192.168.0.4" ];
firewall = { firewall = {
checkReversePath = "loose"; checkReversePath = "loose";
enable = true; enable = true;
allowedUDPPorts = [ 24727 ]; allowedUDPPorts = [24727];
allowedTCPPorts = [ 24727 ]; allowedTCPPorts = [24727];
}; };
}; };

11
hosts/steamdeck/home.nix
View File

@@ -1,19 +1,16 @@
# #
# Home-manager configuration for steamdeck # Home-manager configuration for steamdeck
# #
{pkgs, ...}: {
{ pkgs, ... }:
{
specialisation = { specialisation = {
sway.configuration = { sway.configuration = {
imports = [ (import ../../modules/wm/sway/home.nix) ]; imports = [(import ../../modules/wm/sway/home.nix)];
}; };
}; };
imports = imports =
[ (import ../../modules/home.nix) ] ++ [(import ../../modules/home.nix)]
[ (import ../../modules/wm/steam/home.nix) ]; ++ [(import ../../modules/wm/steam/home.nix)];
home = { home = {
packages = with pkgs; [ packages = with pkgs; [

52
hosts/vm/hardware-configuration.nix
View File

@@ -1,36 +1,40 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = config,
[ (modulesPath + "/profiles/qemu-guest.nix") lib,
]; pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ]; boot.initrd.availableKernelModules = ["uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk"];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [];
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-label/nixos"; device = "/dev/disk/by-label/nixos";
fsType = "btrfs"; fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime" ]; options = ["compress=zstd,space_cache=v2,ssd,noatime"];
}; };
# fileSystems."/home" = # fileSystems."/home" =
# { device = "/dev/disk/by-label/root"; # { device = "/dev/disk/by-label/root";
# fsType = "btrfs"; # fsType = "btrfs";
# options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home" ]; # options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home" ];
# }; # };
fileSystems."/boot" = fileSystems."/boot" = {
{ device = "/dev/disk/by-label/BOOT"; device = "/dev/disk/by-label/BOOT";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = [ ]; swapDevices = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's

302
modules/desktop/default.nix
View File

@@ -28,29 +28,31 @@
# #
# myDesktop.extraSystemPackages = with pkgs; [ some-tool ]; # myDesktop.extraSystemPackages = with pkgs; [ some-tool ];
# #
{ config, lib, pkgs, inputs, user, ... }:
let
cfg = config.myDesktop;
in
{ {
config,
lib,
pkgs,
inputs,
user,
...
}: let
cfg = config.myDesktop;
in {
# Hardware modules that are always useful on desktops (bluetooth, …) # Hardware modules that are always useful on desktops (bluetooth, …)
imports = (import ../hardware); imports = import ../hardware;
# ── Options ────────────────────────────────────────────────────────────── # ── Options ──────────────────────────────────────────────────────────────
options.myDesktop = with lib; { options.myDesktop = with lib; {
windowManager = mkOption { windowManager = mkOption {
type = types.enum [ "niri" "sway" "kde" ]; type = types.enum ["niri" "sway" "kde"];
default = "niri"; default = "niri";
description = "Window manager / desktop environment for this host."; description = "Window manager / desktop environment for this host.";
}; };
cpu = mkOption { cpu = mkOption {
type = types.enum [ "amd" "intel" "none" ]; type = types.enum ["amd" "intel" "none"];
default = "none"; default = "none";
description = "CPU type selects the matching KVM kernel parameters."; description = "CPU type selects the matching KVM kernel parameters.";
}; };
@@ -58,42 +60,44 @@ in
mkEnableOption "virtualisation stack (podman/docker-compat, qemu/libvirt, virt-manager)"; mkEnableOption "virtualisation stack (podman/docker-compat, qemu/libvirt, virt-manager)";
syncthing = { syncthing = {
enable = mkEnableOption "syncthing continuous file synchronisation"; enable = mkEnableOption "syncthing continuous file synchronisation";
devices = mkOption { devices = mkOption {
type = types.attrs; type = types.attrs;
default = {}; default = {};
example = literalExpression example =
literalExpression
''{ "jupiter.home.example.de" = { id = "XXXXX-XXXXX-XXXXX-..."; }; }''; ''{ "jupiter.home.example.de" = { id = "XXXXX-XXXXX-XXXXX-..."; }; }'';
description = "Syncthing peer devices."; description = "Syncthing peer devices.";
}; };
folders = mkOption { folders = mkOption {
type = types.attrs; type = types.attrs;
default = {}; default = {};
example = literalExpression example =
literalExpression
''{ "Sync" = { path = "/home/user/Sync"; devices = [ "jupiter" ]; ignorePerms = false; }; }''; ''{ "Sync" = { path = "/home/user/Sync"; devices = [ "jupiter" ]; ignorePerms = false; }; }'';
description = "Syncthing shared folders."; description = "Syncthing shared folders.";
}; };
}; };
openrgb = { openrgb = {
enable = mkEnableOption "OpenRGB RGB motherboard control"; enable = mkEnableOption "OpenRGB RGB motherboard control";
motherboard = mkOption { motherboard = mkOption {
type = types.str; type = types.str;
default = "amd"; default = "amd";
description = "Motherboard vendor string passed to OpenRGB (amd or intel)."; description = "Motherboard vendor string passed to OpenRGB (amd or intel).";
}; };
}; };
laptop = { laptop = {
enable = mkEnableOption "laptop-specific settings (lid-switch, hibernate delay)"; enable = mkEnableOption "laptop-specific settings (lid-switch, hibernate delay)";
lidSwitch = mkOption { lidSwitch = mkOption {
type = types.str; type = types.str;
default = "suspend-then-hibernate"; default = "suspend-then-hibernate";
description = "systemd-logind action on lid close."; description = "systemd-logind action on lid close.";
}; };
hibernateDelaySec = mkOption { hibernateDelaySec = mkOption {
type = types.str; type = types.str;
default = "1h"; default = "1h";
description = "Delay before transitioning from suspend to hibernate."; description = "Delay before transitioning from suspend to hibernate.";
}; };
}; };
@@ -101,20 +105,20 @@ in
nitrokey.enable = mkEnableOption "Nitrokey hardware security key support"; nitrokey.enable = mkEnableOption "Nitrokey hardware security key support";
niri.hotkeyVariant = mkOption { niri.hotkeyVariant = mkOption {
type = types.enum [ "default" "lifebook" ]; type = types.enum ["default" "lifebook"];
default = "default"; default = "default";
description = "Niri hotkey variant to deploy selects binds/<variant>.kdl."; description = "Niri hotkey variant to deploy selects binds/<variant>.kdl.";
}; };
git.signingKey = mkOption { git.signingKey = mkOption {
type = types.str; type = types.str;
default = "/home/${user}/.ssh/id_ed25519_sk_rk_red"; default = "/home/${user}/.ssh/id_ed25519_sk_rk_red";
description = "SSH key used for git commit signing on this host."; description = "SSH key used for git commit signing on this host.";
}; };
extraSystemPackages = mkOption { extraSystemPackages = mkOption {
type = types.listOf types.package; type = types.listOf types.package;
default = []; default = [];
description = "Additional system packages specific to this host."; description = "Additional system packages specific to this host.";
}; };
}; };
@@ -122,15 +126,23 @@ in
# ── Configuration ──────────────────────────────────────────────────────── # ── Configuration ────────────────────────────────────────────────────────
config = lib.mkMerge [ config = lib.mkMerge [
# ── Base desktop config (replaces configuration_desktop.nix) ─────────── # ── Base desktop config (replaces configuration_desktop.nix) ───────────
{ {
users.users.${user} = { users.users.${user} = {
isNormalUser = true; isNormalUser = true;
uid = 2000; uid = 2000;
extraGroups = [ extraGroups = [
"wheel" "video" "audio" "camera" "networkmanager" "wheel"
"lp" "kvm" "libvirtd" "adb" "dialout" "tss" "video"
"audio"
"camera"
"networkmanager"
"lp"
"kvm"
"libvirtd"
"adb"
"dialout"
"tss"
]; ];
}; };
@@ -138,7 +150,7 @@ in
pam.services.login.enableGnomeKeyring = true; pam.services.login.enableGnomeKeyring = true;
# swaylock PAM is harmless on non-sway WMs # swaylock PAM is harmless on non-sway WMs
pam.services.swaylock = {}; pam.services.swaylock = {};
rtkit.enable = true; rtkit.enable = true;
}; };
environment.systemPackages = with pkgs; environment.systemPackages = with pkgs;
@@ -157,37 +169,37 @@ in
ausweisapp ausweisapp
e2fsprogs e2fsprogs
orca-slicer orca-slicer
] ]
++ cfg.extraSystemPackages; ++ cfg.extraSystemPackages;
nixpkgs.config.permittedInsecurePackages = [ "mbedtls-2.28.10" ]; nixpkgs.config.permittedInsecurePackages = ["mbedtls-2.28.10"];
services = { services = {
pipewire = { pipewire = {
enable = true; enable = true;
alsa.enable = true; alsa.enable = true;
pulse.enable = true; pulse.enable = true;
wireplumber.enable = true; wireplumber.enable = true;
}; };
pcscd.enable = true; pcscd.enable = true;
yubikey-agent.enable = true; yubikey-agent.enable = true;
udev.packages = with pkgs; [ yubikey-personalization nitrokey-udev-rules ]; udev.packages = with pkgs; [yubikey-personalization nitrokey-udev-rules];
flatpak.enable = true; flatpak.enable = true;
gvfs.enable = true; gvfs.enable = true;
fwupd.enable = true; fwupd.enable = true;
blueman.enable = true; blueman.enable = true;
avahi = { avahi = {
enable = true; enable = true;
nssmdns4 = true; nssmdns4 = true;
publish = { publish = {
enable = true; enable = true;
addresses = true; addresses = true;
userServices = true; userServices = true;
}; };
}; };
}; };
programs.dconf.enable = true; programs.dconf.enable = true;
system.autoUpgrade.enable = false; system.autoUpgrade.enable = false;
home-manager.users.${user}.programs.git.signing.key = home-manager.users.${user}.programs.git.signing.key =
@@ -226,20 +238,18 @@ in
services = { services = {
iio-niri.enable = false; iio-niri.enable = false;
greetd = { greetd = {
enable = true; enable = true;
useTextGreeter = true; useTextGreeter = true;
settings.default_session.command = settings.default_session.command = "${pkgs.tuigreet}/bin/tuigreet --time --cmd niri-session";
"${pkgs.tuigreet}/bin/tuigreet --time --cmd niri-session";
}; };
tuned.enable = true; tuned.enable = true;
upower.enable = true; upower.enable = true;
}; };
programs = { programs = {
niri.enable = true; niri.enable = true;
ssh.enableAskPassword = true; ssh.enableAskPassword = true;
ssh.askPassword = ssh.askPassword = "${pkgs.lxqt.lxqt-openssh-askpass}/bin/lxqt-openssh-askpass";
"${pkgs.lxqt.lxqt-openssh-askpass}/bin/lxqt-openssh-askpass";
}; };
# Noctalia shell + niri home config via home-manager # Noctalia shell + niri home config via home-manager
@@ -253,7 +263,7 @@ in
../wm/niri/binds/${cfg.niri.hotkeyVariant}.kdl; ../wm/niri/binds/${cfg.niri.hotkeyVariant}.kdl;
services = { services = {
mako.enable = true; mako.enable = true;
polkit-gnome.enable = true; polkit-gnome.enable = true;
}; };
@@ -261,37 +271,60 @@ in
fuzzel.enable = true; fuzzel.enable = true;
noctalia-shell = { noctalia-shell = {
enable = true; enable = true;
settings = { settings = {
appLauncher.terminalCommand = "alacritty -e"; appLauncher.terminalCommand = "alacritty -e";
bar = { bar = {
density = "compact"; density = "compact";
position = "top"; position = "top";
showCapsule = false; showCapsule = false;
widgets = { widgets = {
left = [ left = [
{ id = "ControlCenter"; useDistroLogo = true; } {
{ hideUnoccupied = false; id = "Workspace"; id = "ControlCenter";
labelMode = "index"; showApplications = true; } useDistroLogo = true;
{ id = "ActiveWindow"; } }
{
hideUnoccupied = false;
id = "Workspace";
labelMode = "index";
showApplications = true;
}
{id = "ActiveWindow";}
]; ];
center = [ center = [
{ formatHorizontal = "HH:mm\\ndd-MM-yy"; {
formatVertical = "HH mm"; formatHorizontal = "HH:mm\\ndd-MM-yy";
id = "Clock"; formatVertical = "HH mm";
useMonospacedFont = true; id = "Clock";
usePrimaryColor = true; } useMonospacedFont = true;
usePrimaryColor = true;
}
]; ];
right = [ right = [
{ id = "MediaMini"; } {id = "MediaMini";}
{ id = "SystemMonitor"; showNetworkStats = true; compactMode = false; } {
{ id = "WiFi"; } id = "SystemMonitor";
{ id = "Bluetooth"; } showNetworkStats = true;
{ id = "Battery"; displayMode = "icon-always"; hideIfNotDetected = true; } compactMode = false;
{ id = "Volume"; displayMode = "alwaysShow"; } }
{ id = "NotificationHistory"; hideWhenZero = true; } {id = "WiFi";}
{ id = "Tray"; } {id = "Bluetooth";}
{
id = "Battery";
displayMode = "icon-always";
hideIfNotDetected = true;
}
{
id = "Volume";
displayMode = "alwaysShow";
}
{
id = "NotificationHistory";
hideWhenZero = true;
}
{id = "Tray";}
]; ];
}; };
}; };
@@ -299,22 +332,22 @@ in
colorSchemes.predefinedScheme = "Catppuccin"; colorSchemes.predefinedScheme = "Catppuccin";
general = { general = {
avatarImage = "/home/${user}/.face"; avatarImage = "/home/${user}/.face";
radiusRatio = 0.2; radiusRatio = 0.2;
lockOnSusepnd = true; lockOnSusepnd = true;
}; };
location = { location = {
monthBeforeDay = true; monthBeforeDay = true;
name = "Munich, Germany"; name = "Munich, Germany";
showWeekNumberInCalendar = true; showWeekNumberInCalendar = true;
firstDayOfWeek = 0; firstDayOfWeek = 0;
}; };
wallpaper = { wallpaper = {
enabled = true; enabled = true;
overviewEnabled = false; overviewEnabled = false;
directory = "/home/${user}/.setup/modules/themes/"; directory = "/home/${user}/.setup/modules/themes/";
}; };
brightness = { brightness = {
@@ -323,26 +356,26 @@ in
}; };
controlCenter.shortcuts.left = [ controlCenter.shortcuts.left = [
{ id = "WiFi"; } {id = "WiFi";}
{ id = "Bluetooth"; } {id = "Bluetooth";}
{ id = "ScreenRecorder"; } {id = "ScreenRecorder";}
{ id = "PowerProfile"; } {id = "PowerProfile";}
{ id = "KeepAwake"; } {id = "KeepAwake";}
]; ];
dock.enabled = false; dock.enabled = false;
sessionMenu.enableCountdown = false; sessionMenu.enableCountdown = false;
templates = { templates = {
fuzzel = true; fuzzel = true;
alacritty = true; alacritty = true;
qt = true; qt = true;
gtk = true; gtk = true;
discord = true; discord = true;
code = true; code = true;
telegram = true; telegram = true;
niri = true; niri = true;
firefox = true; firefox = true;
}; };
}; };
}; };
@@ -379,7 +412,7 @@ in
programs = { programs = {
sway = { sway = {
enable = true; enable = true;
extraSessionCommands = '' extraSessionCommands = ''
export MOZ_ENABLE_WAYLAND="1" export MOZ_ENABLE_WAYLAND="1"
export MOZ_WEBRENDER="1" export MOZ_WEBRENDER="1"
@@ -390,19 +423,18 @@ in
''; '';
}; };
ssh.enableAskPassword = true; ssh.enableAskPassword = true;
ssh.askPassword = ssh.askPassword = "${pkgs.lxqt.lxqt-openssh-askpass}/bin/lxqt-openssh-askpass";
"${pkgs.lxqt.lxqt-openssh-askpass}/bin/lxqt-openssh-askpass";
}; };
xdg.portal = { xdg.portal = {
enable = true; enable = true;
wlr.enable = true; wlr.enable = true;
extraPortals = [ pkgs.xdg-desktop-portal-gtk ]; extraPortals = [pkgs.xdg-desktop-portal-gtk];
}; };
home-manager.users.${user}.imports = [ home-manager.users.${user}.imports = [
../wm/sway/home.nix ../wm/sway/home.nix
../wm/waybar.nix # sway uses waybar for the bar ../wm/waybar.nix # sway uses waybar for the bar
]; ];
}) })
@@ -417,36 +449,36 @@ in
programs.ssh = { programs.ssh = {
enableAskPassword = true; enableAskPassword = true;
askPassword = lib.mkDefault "${pkgs.kdePackages.ksshaskpass}/bin/ksshaskpass"; askPassword = lib.mkDefault "${pkgs.kdePackages.ksshaskpass}/bin/ksshaskpass";
}; };
services = { services = {
packagekit.enable = true; packagekit.enable = true;
desktopManager.plasma6.enable = true; desktopManager.plasma6.enable = true;
udev.packages = with pkgs; [ gnome-settings-daemon ]; udev.packages = with pkgs; [gnome-settings-daemon];
}; };
qt.platformTheme = "kde"; qt.platformTheme = "kde";
home-manager.users.${user}.imports = [ ../wm/kde/home.nix ]; home-manager.users.${user}.imports = [../wm/kde/home.nix];
}) })
# ── Virtualisation (podman/docker-compat + qemu/libvirt) ─────────────── # ── Virtualisation (podman/docker-compat + qemu/libvirt) ───────────────
(lib.mkIf cfg.virtualisation.enable { (lib.mkIf cfg.virtualisation.enable {
users.groups = { users.groups = {
docker.members = [ user ]; docker.members = [user];
libvirtd.members = [ "root" user ]; libvirtd.members = ["root" user];
}; };
virtualisation = { virtualisation = {
podman = { podman = {
enable = true; enable = true;
autoPrune.enable = true; autoPrune.enable = true;
dockerCompat = true; dockerCompat = true;
}; };
libvirtd = { libvirtd = {
enable = true; enable = true;
onShutdown = "shutdown"; onShutdown = "shutdown";
qemu.runAsRoot = false; qemu.runAsRoot = false;
}; };
spiceUSBRedirection.enable = true; spiceUSBRedirection.enable = true;
@@ -482,13 +514,13 @@ in
# ── Syncthing ────────────────────────────────────────────────────────── # ── Syncthing ──────────────────────────────────────────────────────────
(lib.mkIf cfg.syncthing.enable { (lib.mkIf cfg.syncthing.enable {
services.syncthing = { services.syncthing = {
enable = true; enable = true;
group = "users"; group = "users";
user = user; user = user;
dataDir = "/home/${user}/Sync"; dataDir = "/home/${user}/Sync";
configDir = "/home/${user}/.config/syncthing"; configDir = "/home/${user}/.config/syncthing";
overrideDevices = true; overrideDevices = true;
overrideFolders = true; overrideFolders = true;
openDefaultPorts = true; openDefaultPorts = true;
settings = { settings = {
devices = cfg.syncthing.devices; devices = cfg.syncthing.devices;
@@ -500,15 +532,14 @@ in
# ── OpenRGB ──────────────────────────────────────────────────────────── # ── OpenRGB ────────────────────────────────────────────────────────────
(lib.mkIf cfg.openrgb.enable { (lib.mkIf cfg.openrgb.enable {
services.hardware.openrgb = { services.hardware.openrgb = {
enable = true; enable = true;
motherboard = cfg.openrgb.motherboard; motherboard = cfg.openrgb.motherboard;
}; };
}) })
# ── Laptop ───────────────────────────────────────────────────────────── # ── Laptop ─────────────────────────────────────────────────────────────
(lib.mkIf cfg.laptop.enable { (lib.mkIf cfg.laptop.enable {
systemd.sleep.extraConfig = systemd.sleep.extraConfig = "HibernateDelaySec=${cfg.laptop.hibernateDelaySec}";
"HibernateDelaySec=${cfg.laptop.hibernateDelaySec}";
services.logind.settings.Login.HandleLidSwitch = services.logind.settings.Login.HandleLidSwitch =
cfg.laptop.lidSwitch; cfg.laptop.lidSwitch;
}) })
@@ -517,6 +548,5 @@ in
(lib.mkIf cfg.nitrokey.enable { (lib.mkIf cfg.nitrokey.enable {
hardware.nitrokey.enable = true; hardware.nitrokey.enable = true;
}) })
]; ];
} }

1
modules/editors/default.nix
View File

@@ -9,7 +9,6 @@
# └─ default.nix * # └─ default.nix *
# └─ ... # └─ ...
# #
[ [
./nvim ./nvim
] ]

21
modules/editors/nvim/config/default.nix
View File

@@ -1,16 +1,15 @@
{ nvim, ... }: {nvim, ...}: {
{
# Import all your configuration modules here # Import all your configuration modules here
programs.nixvim = { programs.nixvim = {
enable = true; enable = true;
colorschemes.gruvbox.enable = true; colorschemes.gruvbox.enable = true;
imports = [ imports = [
./bufferline.nix ./bufferline.nix
./plugins.nix ./plugins.nix
./options.nix ./options.nix
./keymaps.nix ./keymaps.nix
./highlight.nix ./highlight.nix
]; ];
}; };
} }

18
modules/editors/nvim/config/options.nix
View File

@@ -1,14 +1,14 @@
{ {
config = { config = {
globals.mapleader = " "; globals.mapleader = " ";
viAlias = true; viAlias = true;
vimAlias = true; vimAlias = true;
opts = { opts = {
number = true; # Show line numbers number = true; # Show line numbers
relativenumber = true; # Show relative line numbers relativenumber = true; # Show relative line numbers
shiftwidth = 2; # Tab width should be 2 shiftwidth = 2; # Tab width should be 2
};
}; };
};
} }

90
modules/editors/nvim/config/plugins.nix
View File

@@ -1,51 +1,51 @@
{ {
plugins = { plugins = {
lualine.enable = true; lualine.enable = true;
cmp = { cmp = {
enable = true; enable = true;
autoEnableSources = true; autoEnableSources = true;
settings = { settings = {
sources = [ sources = [
{name = "nvim_lsp";} {name = "nvim_lsp";}
{name = "path";} {name = "path";}
{name = "buffer";} {name = "buffer";}
{name = "luasnip";} {name = "luasnip";}
]; ];
mapping = { mapping = {
"<C-d>" = "cmp.mapping.scroll_docs(-4)"; "<C-d>" = "cmp.mapping.scroll_docs(-4)";
"<C-f>" = "cmp.mapping.scroll_docs(4)"; "<C-f>" = "cmp.mapping.scroll_docs(4)";
"<C-Space>" = "cmp.mapping.complete()"; "<C-Space>" = "cmp.mapping.complete()";
"<C-e>" = "cmp.mapping.close()"; "<C-e>" = "cmp.mapping.close()";
"<CR>" = "cmp.mapping.confirm({ select = true })"; "<CR>" = "cmp.mapping.confirm({ select = true })";
"<Tab>" = "cmp.mapping(cmp.mapping.select_next_item(), {'i', 's'})"; "<Tab>" = "cmp.mapping(cmp.mapping.select_next_item(), {'i', 's'})";
"<S-Tab>" = "cmp.mapping(cmp.mapping.select_prev_item(), {'i', 's'})"; "<S-Tab>" = "cmp.mapping(cmp.mapping.select_prev_item(), {'i', 's'})";
};
};
}; };
};
lsp = {
enable = true;
servers = {
tsserver.enable = true;
lua-ls = {
enable = true;
settings.telemetry.enable = false;
};
# rust-analyzer = {
# enable = true;
# installCargo = true;
# };
};
};
telescope.enable = true;
treesitter.enable = true;
luasnip.enable = true;
}; };
lsp = {
enable = true;
servers = {
tsserver.enable = true;
lua-ls = {
enable = true;
settings.telemetry.enable = false;
};
# rust-analyzer = {
# enable = true;
# installCargo = true;
# };
};
};
telescope.enable = true;
treesitter.enable = true;
luasnip.enable = true;
};
} }

279
modules/editors/nvim/default.nix
View File

@@ -1,13 +1,9 @@
# #
# Neovim # Neovim
# #
{pkgs, ...}: {
{ pkgs, ... }:
{
home = { home = {
packages = [ pkgs.gnvim ]; packages = [pkgs.gnvim];
}; };
programs = { programs = {
@@ -20,145 +16,144 @@
withRuby = true; withRuby = true;
withPython3 = true; withPython3 = true;
# plugins = with pkgs.vimPlugins; [ # plugins = with pkgs.vimPlugins; [
# #
# # Syntax # # Syntax
# #vim-nix # #vim-nix
# #vim-markdown # #vim-markdown
# #
# # Quality of life # # Quality of life
# vim-lastplace # Opens document where you left it # vim-lastplace # Opens document where you left it
# auto-pairs # Print double quotes/brackets/etc. # auto-pairs # Print double quotes/brackets/etc.
# vim-gitgutter # See uncommitted changes of file :GitGutterEnable # vim-gitgutter # See uncommitted changes of file :GitGutterEnable
# #
# # File Tree # # File Tree
# nerdtree # File Manager - set in extraConfig to F6 # nerdtree # File Manager - set in extraConfig to F6
# #
# # Customization # # Customization
# wombat256-vim # Color scheme for lightline # wombat256-vim # Color scheme for lightline
# srcery-vim # Color scheme for text # srcery-vim # Color scheme for text
# #
# lightline-vim # Info bar at bottom # lightline-vim # Info bar at bottom
# indent-blankline-nvim # Indentation lines # indent-blankline-nvim # Indentation lines
# #
# # Syntax # # Syntax
# nvim-treesitter.withAllGrammars # nvim-treesitter.withAllGrammars
# # finder # # finder
# telescope-nvim # telescope-nvim
# # completion # # completion
# nvim-cmp # nvim-cmp
# # status line # # status line
# lualine-nvim # lualine-nvim
# # indent # # indent
# indent-blankline-nvim # indent-blankline-nvim
# ]; # ];
# extraPackages = with pkgs; [ # extraPackages = with pkgs; [
# ripgrep # ripgrep
# fd # fd
# nodejs # nodejs
# nodePackages.npm # nodePackages.npm
# ]; # ];
# extraConfig = '' # extraConfig = ''
# set expandtab # set expandtab
# set shiftwidth=4 # set shiftwidth=4
# set tabstop=4 # set tabstop=4
# ''; # '';
# extraLuaConfig = '' # extraLuaConfig = ''
# vim.g.mapleader = ' ' # vim.g.mapleader = ' '
# vim.g.maplocalleader = ' ' # vim.g.maplocalleader = ' '
# #
# -- Set highlight on search # -- Set highlight on search
# vim.o.hlsearch = false # vim.o.hlsearch = false
# #
# -- Make line numbers default # -- Make line numbers default
# vim.wo.number = true # vim.wo.number = true
# #
# -- Enable mouse mode # -- Enable mouse mode
# vim.o.mouse = 'a' # vim.o.mouse = 'a'
# #
# -- Sync clipboard between OS and Neovim. # -- Sync clipboard between OS and Neovim.
# -- Remove this option if you want your OS clipboard to remain independent. # -- Remove this option if you want your OS clipboard to remain independent.
# -- See `:help 'clipboard'` # -- See `:help 'clipboard'`
# vim.o.clipboard = 'unnamedplus' # vim.o.clipboard = 'unnamedplus'
# #
# -- Enable break indent # -- Enable break indent
# vim.o.breakindent = true # vim.o.breakindent = true
# #
# -- Save undo history # -- Save undo history
# vim.o.undofile = true # vim.o.undofile = true
# #
# -- Case insensitive searching UNLESS /C or capital in search # -- Case insensitive searching UNLESS /C or capital in search
# vim.o.ignorecase = true # vim.o.ignorecase = true
# vim.o.smartcase = true # vim.o.smartcase = true
# #
# -- Keep signcolumn on by default # -- Keep signcolumn on by default
# vim.wo.signcolumn = 'yes' # vim.wo.signcolumn = 'yes'
# #
# -- Decrease update time # -- Decrease update time
# vim.o.updatetime = 250 # vim.o.updatetime = 250
# vim.o.timeout = true # vim.o.timeout = true
# vim.o.timeoutlen = 300 # vim.o.timeoutlen = 300
# #
# -- Set completeopt to have a better completion experience # -- Set completeopt to have a better completion experience
# vim.o.completeopt = 'menuone,noselect' # vim.o.completeopt = 'menuone,noselect'
# #
# -- NOTE: You should make sure your terminal supports this # -- NOTE: You should make sure your terminal supports this
# vim.o.termguicolors = true # vim.o.termguicolors = true
# #
# -- [[ Highlight on yank ]] # -- [[ Highlight on yank ]]
# -- See `:help vim.highlight.on_yank()` # -- See `:help vim.highlight.on_yank()`
# local highlight_group = vim.api.nvim_create_augroup('YankHighlight', { clear = true }) # local highlight_group = vim.api.nvim_create_augroup('YankHighlight', { clear = true })
# vim.api.nvim_create_autocmd('TextYankPost', { # vim.api.nvim_create_autocmd('TextYankPost', {
# callback = function() # callback = function()
# vim.highlight.on_yank() # vim.highlight.on_yank()
# end, # end,
# group = highlight_group, # group = highlight_group,
# pattern = '*', # pattern = '*',
# }) # })
# #
# -- [[ Configure Telescope ]] # -- [[ Configure Telescope ]]
# -- See `:help telescope` and `:help telescope.setup()` # -- See `:help telescope` and `:help telescope.setup()`
# require('telescope').setup { # require('telescope').setup {
# defaults = { # defaults = {
# mappings = { # mappings = {
# i = { # i = {
# ['<C-u>'] = false, # ['<C-u>'] = false,
# ['<C-d>'] = false, # ['<C-d>'] = false,
# }, # },
# }, # },
# }, # },
# } # }
# #
# -- Enable telescope fzf native, if installed # -- Enable telescope fzf native, if installed
# pcall(require('telescope').load_extension, 'fzf') # pcall(require('telescope').load_extension, 'fzf')
# #
# -- See `:help telescope.builtin` # -- See `:help telescope.builtin`
# vim.keymap.set('n', '<leader>?', require('telescope.builtin').oldfiles, { desc = '[?] Find recently opened files' }) # vim.keymap.set('n', '<leader>?', require('telescope.builtin').oldfiles, { desc = '[?] Find recently opened files' })
# vim.keymap.set('n', '<leader><space>', require('telescope.builtin').buffers, { desc = '[ ] Find existing buffers' }) # vim.keymap.set('n', '<leader><space>', require('telescope.builtin').buffers, { desc = '[ ] Find existing buffers' })
# vim.keymap.set('n', '<leader>/', function() # vim.keymap.set('n', '<leader>/', function()
# -- You can pass additional configuration to telescope to change theme, layout, etc. # -- You can pass additional configuration to telescope to change theme, layout, etc.
# require('telescope.builtin').current_buffer_fuzzy_find(require('telescope.themes').get_dropdown { # require('telescope.builtin').current_buffer_fuzzy_find(require('telescope.themes').get_dropdown {
# winblend = 10, # winblend = 10,
# previewer = false, # previewer = false,
# }) # })
# end, { desc = '[/] Fuzzily search in current buffer' }) # end, { desc = '[/] Fuzzily search in current buffer' })
# #
# vim.keymap.set('n', '<leader>gf', require('telescope.builtin').git_files, { desc = 'Search [G]it [F]iles' }) # vim.keymap.set('n', '<leader>gf', require('telescope.builtin').git_files, { desc = 'Search [G]it [F]iles' })
# vim.keymap.set('n', '<leader>sf', require('telescope.builtin').find_files, { desc = '[S]earch [F]iles' }) # vim.keymap.set('n', '<leader>sf', require('telescope.builtin').find_files, { desc = '[S]earch [F]iles' })
# vim.keymap.set('n', '<leader>sh', require('telescope.builtin').help_tags, { desc = '[S]earch [H]elp' }) # vim.keymap.set('n', '<leader>sh', require('telescope.builtin').help_tags, { desc = '[S]earch [H]elp' })
# vim.keymap.set('n', '<leader>sw', require('telescope.builtin').grep_string, { desc = '[S]earch current [W]ord' }) # vim.keymap.set('n', '<leader>sw', require('telescope.builtin').grep_string, { desc = '[S]earch current [W]ord' })
# vim.keymap.set('n', '<leader>sg', require('telescope.builtin').live_grep, { desc = '[S]earch by [G]rep' }) # vim.keymap.set('n', '<leader>sg', require('telescope.builtin').live_grep, { desc = '[S]earch by [G]rep' })
# vim.keymap.set('n', '<leader>sd', require('telescope.builtin').diagnostics, { desc = '[S]earch [D]iagnostics' }) # vim.keymap.set('n', '<leader>sd', require('telescope.builtin').diagnostics, { desc = '[S]earch [D]iagnostics' })
# require("indent_blankline").setup { # require("indent_blankline").setup {
# -- for example, context is off by default, use this to turn it on # -- for example, context is off by default, use this to turn it on
# show_current_context = true, # show_current_context = true,
# show_current_context_start = true, # show_current_context_start = true,
# } # }
# ''; # '';
}; };
}; };
} }

13
modules/hardware/backup.nix
View File

@@ -1,17 +1,18 @@
{ config, lib, pkgs, ... }:
{ {
config,
lib,
pkgs,
...
}: {
services.btrbk = { services.btrbk = {
sshAccess = [ sshAccess = [
{ {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDU2NJ9xwYnp6/frIOv96ih8psiFcC2eOQeT+ZEMW5rq"; key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDU2NJ9xwYnp6/frIOv96ih8psiFcC2eOQeT+ZEMW5rq";
roles = [ "source" "info" "send" ]; roles = ["source" "info" "send"];
} }
{ {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIma7jNVQZM+lFMOKUex0+cyDpeUA3Wo4SEJ7P9YnHPG"; key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIma7jNVQZM+lFMOKUex0+cyDpeUA3Wo4SEJ7P9YnHPG";
roles = [ "target" "info" "receive" "delete" ]; roles = ["target" "info" "receive" "delete"];
} }
]; ];
}; };

7
modules/hardware/bluetooth.nix
View File

@@ -1,13 +1,10 @@
# #
# Bluetooth # Bluetooth
# #
{pkgs, ...}: {
{ pkgs, ... }:
{
hardware.bluetooth = { hardware.bluetooth = {
enable = true; enable = true;
hsphfpd.enable = false; # HSP & HFP daemon hsphfpd.enable = false; # HSP & HFP daemon
settings = { settings = {
General = { General = {
Enable = "Source,Sink,Media,Socket"; Enable = "Source,Sink,Media,Socket";

11
modules/hardware/hydraCache.nix
View File

@@ -1,12 +1,14 @@
{ config, lib, pkgs, ... }:
{ {
config,
lib,
pkgs,
...
}: {
nix = { nix = {
settings = { settings = {
extra-trusted-public-keys = [ extra-trusted-public-keys = [
"hades-builder:AFdPgi6Qq/yKqc2V2imgzMikEkVEFCrDaHyAmOJ3MII=" "hades-builder:AFdPgi6Qq/yKqc2V2imgzMikEkVEFCrDaHyAmOJ3MII="
"steamdeck.cachix.org-1:BVoP4TEu3ECgotaO+3J3r9SSn62GkUDBwizOFU/q4Bc=" "steamdeck.cachix.org-1:BVoP4TEu3ECgotaO+3J3r9SSn62GkUDBwizOFU/q4Bc="
]; ];
extra-substituters = [ extra-substituters = [
"https://cache.home.opel-online.de" "https://cache.home.opel-online.de"
@@ -15,5 +17,4 @@
]; ];
}; };
}; };
} }

11
modules/hardware/remoteBuilder.nix
View File

@@ -1,10 +1,13 @@
{ pkgs, config, ... }:
{ {
users.users.nixremote = { # System User pkgs,
config,
...
}: {
users.users.nixremote = {
# System User
isSystemUser = true; isSystemUser = true;
group = "nixremote"; group = "nixremote";
extraGroups = [ "kvm" ]; extraGroups = ["kvm"];
uid = 1001; uid = 1001;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILczsj4W1kFQaalFwaY+RJ4LEzNeFKD+itXB40Q2O59M nixremote@hades" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILczsj4W1kFQaalFwaY+RJ4LEzNeFKD+itXB40Q2O59M nixremote@hades"

34
modules/hardware/remoteClient.nix
View File

@@ -1,20 +1,24 @@
{ config, lib, pkgs, ... }:
{ {
config,
lib,
pkgs,
...
}: {
nix = { nix = {
distributedBuilds = false; distributedBuilds = false;
buildMachines = [ { buildMachines = [
hostName = "hades"; {
system = "x86_64-linux"; hostName = "hades";
supportedFeatures = [ "kvm" "big-parallel" ]; system = "x86_64-linux";
sshUser = "nixremote"; supportedFeatures = ["kvm" "big-parallel"];
sshKey = config.age.secrets."keys/nixremote".path; sshUser = "nixremote";
maxJobs = 1; sshKey = config.age.secrets."keys/nixremote".path;
speedFactor = 4; maxJobs = 1;
publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUVnbld5UVVVYSt2Y0hBS3g2ZWRiVGdxVzhwaCtNQ2lTNmZVd1lqWWNTK28gcm9vdEBoYWRlcwo=%"; speedFactor = 4;
protocol = "ssh-ng"; publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUVnbld5UVVVYSt2Y0hBS3g2ZWRiVGdxVzhwaCtNQ2lTNmZVd1lqWWNTK28gcm9vdEBoYWRlcwo=%";
} ]; protocol = "ssh-ng";
}
];
settings = { settings = {
extra-trusted-public-keys = [ extra-trusted-public-keys = [
"hades-builder:AFdPgi6Qq/yKqc2V2imgzMikEkVEFCrDaHyAmOJ3MII=" "hades-builder:AFdPgi6Qq/yKqc2V2imgzMikEkVEFCrDaHyAmOJ3MII="
@@ -24,7 +28,7 @@
]; ];
}; };
}; };
age.secrets."keys/nixremote" = { age.secrets."keys/nixremote" = {
file = ../../secrets/keys/nixremote.age; file = ../../secrets/keys/nixremote.age;
owner = "root"; owner = "root";

78
modules/home.nix
View File

@@ -1,31 +1,75 @@
{ lib, options, ... }:
{ {
lib,
options,
...
}: {
options = with lib; { options = with lib; {
cmds = { cmds = {
shell = mkOption { type = types.str; default = "zsh"; }; shell = mkOption {
fetch = mkOption { type = types.str; default = "hyfetch"; }; type = types.str;
editor = mkOption { type = types.str; default = "nvim"; }; default = "zsh";
};
fetch = mkOption {
type = types.str;
default = "hyfetch";
};
editor = mkOption {
type = types.str;
default = "nvim";
};
wm = mkOption { type = types.str; default = "sway"; }; wm = mkOption {
type = types.str;
default = "sway";
};
terminal = mkOption { type = types.str; default = "alacritty"; }; terminal = mkOption {
menu = mkOption { type = types.str; default = "rofi -show drun -show-icons"; }; type = types.str;
default = "alacritty";
};
menu = mkOption {
type = types.str;
default = "rofi -show drun -show-icons";
};
lock = mkOption { type = types.str; default = "locksway"; }; lock = mkOption {
type = types.str;
default = "locksway";
};
notifications = { notifications = {
volume = mkOption { type = types.str; default = "volume-notify"; }; volume = mkOption {
brightness = mkOption { type = types.str; default = "brightness-notify"; }; type = types.str;
default = "volume-notify";
};
brightness = mkOption {
type = types.str;
default = "brightness-notify";
};
}; };
}; };
is-wayland = mkOption { type = types.bool; default = true; }; is-wayland = mkOption {
type = types.bool;
default = true;
};
theme = { theme = {
theme = mkOption { type = types.str; default = "catppuccin-mocha"; }; theme = mkOption {
icon-theme = mkOption { type = types.str; default = "Papirus-Dark"; }; type = types.str;
font = mkOption { type = types.str; default = "Cascadia Code 11"; }; default = "catppuccin-mocha";
wallpaper = mkOption { type = types.str; default = ""; }; };
icon-theme = mkOption {
type = types.str;
default = "Papirus-Dark";
};
font = mkOption {
type = types.str;
default = "Cascadia Code 11";
};
wallpaper = mkOption {
type = types.str;
default = "";
};
}; };
}; };
} }

41
modules/kabbone/corosync-qdevice.nix
View File

@@ -4,20 +4,18 @@
pkgs, pkgs,
pkgs-kabbone, pkgs-kabbone,
... ...
}: }: let
let
cfg = config.services.corosync-qnetd; cfg = config.services.corosync-qnetd;
dataDir = "/var/run/corosync-qnetd"; dataDir = "/var/run/corosync-qnetd";
in in {
{
# interface # interface
options.services.corosync-qnetd = { options.services.corosync-qnetd = {
enable = lib.mkEnableOption "corosync-qnetd"; enable = lib.mkEnableOption "corosync-qnetd";
package = lib.mkPackageOption pkgs-kabbone "corosync-qdevice" { }; package = lib.mkPackageOption pkgs-kabbone "corosync-qdevice" {};
extraOptions = lib.mkOption { extraOptions = lib.mkOption {
type = with lib.types; listOf str; type = with lib.types; listOf str;
default = [ ]; default = [];
description = "Additional options with which to start corosync-qnetd."; description = "Additional options with which to start corosync-qnetd.";
}; };
}; };
@@ -26,7 +24,7 @@ in
# implementation # implementation
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
environment.systemPackages = [ cfg.package ]; environment.systemPackages = [cfg.package];
users.users.coroqnetd = { users.users.coroqnetd = {
isSystemUser = true; isSystemUser = true;
@@ -35,23 +33,22 @@ in
description = "Corosync-qnetd Service User"; description = "Corosync-qnetd Service User";
}; };
users.groups.coroqnetd = { }; users.groups.coroqnetd = {};
# environment.etc."corosync/corosync-qnetd.conf".text = '' # environment.etc."corosync/corosync-qnetd.conf".text = ''
# totem { # totem {
# version: 2 # version: 2
# secauth: on # secauth: on
# cluster_name: ${cfg.clusterName} # cluster_name: ${cfg.clusterName}
# transport: knet # transport: knet
# } # }
# logging {
# to_syslog: yes
# }
# '';
# logging { systemd.packages = [cfg.package];
# to_syslog: yes
# }
# '';
systemd.packages = [ cfg.package ];
systemd.services.corosync-qnetd = { systemd.services.corosync-qnetd = {
serviceConfig = { serviceConfig = {
User = "coroqnetd"; User = "coroqnetd";
@@ -60,7 +57,7 @@ in
}; };
}; };
environment.etc."sysconfig/corosync-qnetd".text = lib.optionalString (cfg.extraOptions != [ ]) '' environment.etc."sysconfig/corosync-qnetd".text = lib.optionalString (cfg.extraOptions != []) ''
COROSYNC-QNETD_OPTIONS="${lib.escapeShellArgs cfg.extraOptions}" COROSYNC-QNETD_OPTIONS="${lib.escapeShellArgs cfg.extraOptions}"
''; '';
}; };

37
modules/kabbone/mautrix-whatsapp.nix
View File

@@ -3,14 +3,13 @@
config, config,
pkgs, pkgs,
... ...
}: }: let
let
cfg = config.services.kabbone_mautrix-whatsapp; cfg = config.services.kabbone_mautrix-whatsapp;
dataDir = "/var/lib/mautrix-whatsapp"; dataDir = "/var/lib/mautrix-whatsapp";
registrationFile = "${dataDir}/whatsapp-registration.yaml"; registrationFile = "${dataDir}/whatsapp-registration.yaml";
settingsFile = "${dataDir}/config.yaml"; settingsFile = "${dataDir}/config.yaml";
settingsFileUnsubstituted = settingsFormat.generate "mautrix-whatsapp-config-unsubstituted.json" cfg.settings; settingsFileUnsubstituted = settingsFormat.generate "mautrix-whatsapp-config-unsubstituted.json" cfg.settings;
settingsFormat = pkgs.formats.json { }; settingsFormat = pkgs.formats.json {};
appservicePort = 29318; appservicePort = 29318;
# to be used with a list of lib.mkIf values # to be used with a list of lib.mkIf values
@@ -47,8 +46,8 @@ let
username_template = "whatsapp_{{.}}"; username_template = "whatsapp_{{.}}";
}; };
double_puppet = { double_puppet = {
servers = { }; servers = {};
secrets = { }; secrets = {};
}; };
# By default, the following keys/secrets are set to `generate`. This would break when the service # By default, the following keys/secrets are set to `generate`. This would break when the service
# is restarted, since the previously generated configuration will be overwritten everytime. # is restarted, since the previously generated configuration will be overwritten everytime.
@@ -66,13 +65,11 @@ let
}; };
}; };
}; };
in {
in
{
options.services.kabbone_mautrix-whatsapp = { options.services.kabbone_mautrix-whatsapp = {
enable = lib.mkEnableOption "mautrix-whatsapp, a Matrix-Whatsapp puppeting bridge"; enable = lib.mkEnableOption "mautrix-whatsapp, a Matrix-Whatsapp puppeting bridge";
package = lib.mkPackageOption pkgs "mautrix-whatsapp" { }; package = lib.mkPackageOption pkgs "mautrix-whatsapp" {};
settings = lib.mkOption { settings = lib.mkOption {
apply = lib.recursiveUpdate defaultConfig; apply = lib.recursiveUpdate defaultConfig;
@@ -159,7 +156,6 @@ in
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
users.users.mautrix-whatsapp = { users.users.mautrix-whatsapp = {
isSystemUser = true; isSystemUser = true;
group = "mautrix-whatsapp"; group = "mautrix-whatsapp";
@@ -167,19 +163,18 @@ in
description = "Mautrix-Whatsapp bridge user"; description = "Mautrix-Whatsapp bridge user";
}; };
users.groups.mautrix-whatsapp = { }; users.groups.mautrix-whatsapp = {};
services.matrix-synapse = lib.mkIf cfg.registerToSynapse { services.matrix-synapse = lib.mkIf cfg.registerToSynapse {
settings.app_service_config_files = [ registrationFile ]; settings.app_service_config_files = [registrationFile];
}; };
systemd.services.matrix-synapse = lib.mkIf cfg.registerToSynapse { systemd.services.matrix-synapse = lib.mkIf cfg.registerToSynapse {
serviceConfig.SupplementaryGroups = [ "mautrix-whatsapp" ]; serviceConfig.SupplementaryGroups = ["mautrix-whatsapp"];
}; };
# Note: this is defined here to avoid the docs depending on `config` # Note: this is defined here to avoid the docs depending on `config`
services.kabbone_mautrix-whatsapp.settings.homeserver = optOneOf ( services.kabbone_mautrix-whatsapp.settings.homeserver = optOneOf (
with config.services; with config.services; [
[
(lib.mkIf matrix-synapse.enable (mkDefaults { (lib.mkIf matrix-synapse.enable (mkDefaults {
domain = matrix-synapse.settings.server_name; domain = matrix-synapse.settings.server_name;
})) }))
@@ -193,11 +188,11 @@ in
systemd.services.kabbone_mautrix-whatsapp = { systemd.services.kabbone_mautrix-whatsapp = {
description = "mautrix-whatsapp, a Matrix-Whatsapp puppeting bridge."; description = "mautrix-whatsapp, a Matrix-Whatsapp puppeting bridge.";
wantedBy = [ "multi-user.target" ]; wantedBy = ["multi-user.target"];
wants = [ "network-online.target" ] ++ cfg.serviceDependencies; wants = ["network-online.target"] ++ cfg.serviceDependencies;
after = [ "network-online.target" ] ++ cfg.serviceDependencies; after = ["network-online.target"] ++ cfg.serviceDependencies;
# ffmpeg is required for conversion of voice messages # ffmpeg is required for conversion of voice messages
path = [ pkgs.ffmpeg-headless ]; path = [pkgs.ffmpeg-headless];
preStart = '' preStart = ''
# substitute the settings file by environment variables # substitute the settings file by environment variables
@@ -263,11 +258,11 @@ in
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallErrorNumber = "EPERM"; SystemCallErrorNumber = "EPERM";
SystemCallFilter = [ "@system-service" ]; SystemCallFilter = ["@system-service"];
Type = "simple"; Type = "simple";
UMask = 27; UMask = 27;
}; };
restartTriggers = [ settingsFileUnsubstituted ]; restartTriggers = [settingsFileUnsubstituted];
}; };
}; };
meta = { meta = {

3
modules/programs/configs/default.nix
View File

@@ -9,7 +9,6 @@
# └─ default.nix * # └─ default.nix *
# └─ ... # └─ ...
# #
[ [
./mpv.nix ./mpv.nix
] ]

17
modules/programs/configs/mpv.nix
View File

@@ -9,17 +9,14 @@
# └─ ./configs # └─ ./configs
# └─ mpv.nix * # └─ mpv.nix *
# #
{pkgs, ...}: {
{ pkgs, ... }:
{
home.file = { home.file = {
".config/mpv/mpv.conf".text = '' ".config/mpv/mpv.conf".text = ''
hwdec=vaapi hwdec=vaapi
vo=gpu vo=gpu
hwdec-codecs=all hwdec-codecs=all
gpu-context=wayland gpu-context=wayland
#profile=gpu-hq #profile=gpu-hq
''; '';
}; };
} }

299
modules/programs/firefox.nix
View File

@@ -1,12 +1,11 @@
# #
# Firefox Brower Emulator # Firefox Brower Emulator
# #
{ pkgs, config, ... }:
{ {
pkgs,
config,
...
}: {
#home.packages = [ pkgs.firefox-wayland ]; #home.packages = [ pkgs.firefox-wayland ];
programs = { programs = {
@@ -14,155 +13,155 @@
enable = true; enable = true;
configPath = "${config.xdg.configHome}/mozilla/firefox"; configPath = "${config.xdg.configHome}/mozilla/firefox";
#package = pkgs.wrapFirefox pkgs.firefox-unwrapped { #package = pkgs.wrapFirefox pkgs.firefox-unwrapped {
#forceWayland = true; #forceWayland = true;
# extraPolicies = { # extraPolicies = {
# ExtensionSettings = {}; # ExtensionSettings = {};
# }; # };
#}; #};
# package = pkgs.firefox-wayland; # package = pkgs.firefox-wayland;
# profiles.kabbone = { # profiles.kabbone = {
# #id = 271987; # #id = 271987;
# name = "kabbone"; # name = "kabbone";
# isDefault = true; # isDefault = true;
# settings = { # settings = {
# "media.ffmpeg.vaapi.enabled" = true; # "media.ffmpeg.vaapi.enabled" = true;
# "gfx.webrender.all" = true; # "gfx.webrender.all" = true;
# "browser.contentblocking.category" = "strict"; # "browser.contentblocking.category" = "strict";
# "browser.search.region" = "DE"; # "browser.search.region" = "DE";
# "extensions.active.ThemeID" = "dreamer-bold-colorway@mozilla.org"; # "extensions.active.ThemeID" = "dreamer-bold-colorway@mozilla.org";
# "media.autoplay.default" = 0; # "media.autoplay.default" = 0;
# "security.enterprise_roots.enabled" = true; # "security.enterprise_roots.enabled" = true;
# "widget.gtk.overlay-scrollbars.enabled" = true; # "widget.gtk.overlay-scrollbars.enabled" = true;
# "signon.rememberSignons" = false; # "signon.rememberSignons" = false;
# "extensions.formautofill.creditCards.enabled" = false; # "extensions.formautofill.creditCards.enabled" = false;
# "datareporting.healthreport.uploadEnabled" = false; # "datareporting.healthreport.uploadEnabled" = false;
# "browser.urlbar.placeholderName" = "DuckDuckGo"; # "browser.urlbar.placeholderName" = "DuckDuckGo";
# "browser.urlbar.placeholderName.private" = "DuckDuckGo"; # "browser.urlbar.placeholderName.private" = "DuckDuckGo";
# "browser.theme.toolbar-theme" = 0; # "browser.theme.toolbar-theme" = 0;
# }; # };
# #
# userChrome = '' # userChrome = ''
# /* Hide tab bar in FF Quantum */ # /* Hide tab bar in FF Quantum */
# @-moz-document url("chrome://browser/content/browser.xul") { # @-moz-document url("chrome://browser/content/browser.xul") {
# #TabsToolbar { # #TabsToolbar {
# visibility: collapse !important; # visibility: collapse !important;
# margin-bottom: 21px !important; # margin-bottom: 21px !important;
# } # }
# #
# #sidebar-box[sidebarcommand="treestyletab_piro_sakura_ne_jp-sidebar-action"] #sidebar-header { # #sidebar-box[sidebarcommand="treestyletab_piro_sakura_ne_jp-sidebar-action"] #sidebar-header {
# visibility: collapse !important; # visibility: collapse !important;
# } # }
# } # }
# ''; # '';
# #
# search = { # search = {
# engines = { # engines = {
# "Nix Packages" = { # "Nix Packages" = {
# urls = [{ # urls = [{
# template = "https://search.nixos.org/packages"; # template = "https://search.nixos.org/packages";
# params = [ # params = [
# { name = "type"; value = "packages"; } # { name = "type"; value = "packages"; }
# { name = "query"; value = "{searchTerms}"; } # { name = "query"; value = "{searchTerms}"; }
# ]; # ];
# }]; # }];
# #
# icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg"; # icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
# definedAliases = [ "@np" ]; # definedAliases = [ "@np" ];
# }; # };
# #
# "NixOS Wiki" = { # "NixOS Wiki" = {
# urls = [{ template = "https://nixos.wiki/index.php?search={searchTerms}"; }]; # urls = [{ template = "https://nixos.wiki/index.php?search={searchTerms}"; }];
# iconUpdateURL = "https://nixos.wiki/favicon.png"; # iconUpdateURL = "https://nixos.wiki/favicon.png";
# updateInterval = 24 * 60 * 60 * 1000; # every day # updateInterval = 24 * 60 * 60 * 1000; # every day
# definedAliases = [ "@nw" ]; # definedAliases = [ "@nw" ];
# }; # };
# }; # };
# #
# order = [ "DuckDuckGo" ]; # order = [ "DuckDuckGo" ];
# default = "DuckDuckGo"; # default = "DuckDuckGo";
# }; # };
# #
# bookmarks = [ # bookmarks = [
# { # {
# name = "Kabtop Nextcloud"; # name = "Kabtop Nextcloud";
# url = "https://cloud.kabtop.de/"; # url = "https://cloud.kabtop.de/";
# } # }
# { # {
# name = "Home Assistant"; # name = "Home Assistant";
# url = "https://hass.home.opel-online.de/"; # url = "https://hass.home.opel-online.de/";
# } # }
# { # {
# name = "Netflix"; # name = "Netflix";
# url = "https://netflix.com/browse"; # url = "https://netflix.com/browse";
# } # }
# { # {
# name = "YouTube"; # name = "YouTube";
# url = "https://youtube.com/"; # url = "https://youtube.com/";
# } # }
# { # {
# name = "Kicker"; # name = "Kicker";
# url = "https://kicker.de/"; # url = "https://kicker.de/";
# } # }
# { # {
# name = "Chilloutzone"; # name = "Chilloutzone";
# url = "https://chilloutzone.net/"; # url = "https://chilloutzone.net/";
# } # }
# { # {
# name = "myDealZ"; # name = "myDealZ";
# url = "https://mydealz.de/"; # url = "https://mydealz.de/";
# } # }
# { # {
# name = "Kabtop Git"; # name = "Kabtop Git";
# url = "https://git.kabtop.de/"; # url = "https://git.kabtop.de/";
# } # }
# { # {
# name = "Spotify"; # name = "Spotify";
# url = "https://open.spotify.com/"; # url = "https://open.spotify.com/";
# } # }
# { # {
# name = "Tech"; # name = "Tech";
# bookmarks = [ # bookmarks = [
# { # {
# name = "Golem"; # name = "Golem";
# url = "https://golem.de/"; # url = "https://golem.de/";
# } # }
# { # {
# name = "Heise"; # name = "Heise";
# url = "https://heise.de/"; # url = "https://heise.de/";
# } # }
# { # {
# name = "Phoronix"; # name = "Phoronix";
# url = "https://phoronix.com/"; # url = "https://phoronix.com/";
# } # }
# ]; # ];
# } # }
# { # {
# name = "Foren"; # name = "Foren";
# bookmarks = [ # bookmarks = [
# { # {
# name = "Archlinux-en"; # name = "Archlinux-en";
# url = "https://archlinux.org/"; # url = "https://archlinux.org/";
# } # }
# { # {
# name = "Archlinux-ARM"; # name = "Archlinux-ARM";
# url = "https://archlinuxarm.org/"; # url = "https://archlinuxarm.org/";
# } # }
# { # {
# name = "Archlinux-de"; # name = "Archlinux-de";
# url = "https://archlinux.de/"; # url = "https://archlinux.de/";
# } # }
# ]; # ];
# } # }
# ]; # ];
# }; # };
# #
# extensions = with pkgs.nur.repos.rycee.firefox-addons; [ # extensions = with pkgs.nur.repos.rycee.firefox-addons; [
# honey # honey
# keepassxc-browser # keepassxc-browser
# multi-account-containers # multi-account-containers
# netflix-1080p # netflix-1080p
# ublock-origin # ublock-origin
# ]; # ];
}; };
}; };
} }

76
modules/server/default.nix
View File

@@ -16,90 +16,91 @@
# #
# myServer.extraSystemPackages = with pkgs; [ some-tool ]; # myServer.extraSystemPackages = with pkgs; [ some-tool ];
# #
{ config, lib, pkgs, user, ... }:
let
cfg = config.myServer;
in
{ {
config,
lib,
pkgs,
user,
...
}: let
cfg = config.myServer;
in {
# ── Options ────────────────────────────────────────────────────────────── # ── Options ──────────────────────────────────────────────────────────────
options.myServer = with lib; { options.myServer = with lib; {
uid = mkOption { uid = mkOption {
type = types.int; type = types.int;
default = 3000; default = 3000;
description = "UID for the server user."; description = "UID for the server user.";
}; };
sshPort = mkOption { sshPort = mkOption {
type = types.port; type = types.port;
default = 2220; default = 2220;
description = "Port openssh listens on."; description = "Port openssh listens on.";
}; };
sudoRequiresPassword = mkOption { sudoRequiresPassword = mkOption {
type = types.bool; type = types.bool;
default = true; default = true;
description = "Whether wheel users must enter a password for sudo."; description = "Whether wheel users must enter a password for sudo.";
}; };
autoUpgrade.enable = mkOption { autoUpgrade.enable = mkOption {
type = types.bool; type = types.bool;
default = true; default = true;
description = "Enable automatic NixOS upgrades (inherits flake URL from configuration_common.nix)."; description = "Enable automatic NixOS upgrades (inherits flake URL from configuration_common.nix).";
}; };
virtualisation = { virtualisation = {
enable = mkEnableOption "container/VM stack (podman with docker-compat, KVM tuning)"; enable = mkEnableOption "container/VM stack (podman with docker-compat, KVM tuning)";
cpu = mkOption { cpu = mkOption {
type = types.enum [ "amd" "intel" "none" ]; type = types.enum ["amd" "intel" "none"];
default = "none"; default = "none";
description = "CPU type selects KVM kernel parameters when virtualisation is enabled."; description = "CPU type selects KVM kernel parameters when virtualisation is enabled.";
}; };
}; };
extraGroups = mkOption { extraGroups = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = []; default = [];
description = "Additional groups for the server user beyond the defaults."; description = "Additional groups for the server user beyond the defaults.";
}; };
extraSystemPackages = mkOption { extraSystemPackages = mkOption {
type = types.listOf types.package; type = types.listOf types.package;
default = []; default = [];
description = "Additional system packages specific to this host."; description = "Additional system packages specific to this host.";
}; };
fail2ban = { fail2ban = {
enable = mkEnableOption "fail2ban intrusion prevention"; enable = mkEnableOption "fail2ban intrusion prevention";
}; };
}; };
# ── Configuration ──────────────────────────────────────────────────────── # ── Configuration ────────────────────────────────────────────────────────
config = lib.mkMerge [ config = lib.mkMerge [
# ── Base server config ──────────────────────────────────────────────── # ── Base server config ────────────────────────────────────────────────
{ {
users.users.${user} = { users.users.${user} = {
isNormalUser = true; isNormalUser = true;
uid = cfg.uid; uid = cfg.uid;
extraGroups = [ "wheel" "networkmanager" "kvm" "libvirtd" ] ++ cfg.extraGroups; extraGroups = ["wheel" "networkmanager" "kvm" "libvirtd"] ++ cfg.extraGroups;
}; };
security.sudo.wheelNeedsPassword = cfg.sudoRequiresPassword; security.sudo.wheelNeedsPassword = cfg.sudoRequiresPassword;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs;
ffmpeg [
smartmontools ffmpeg
htop smartmontools
] ++ cfg.extraSystemPackages; htop
]
++ cfg.extraSystemPackages;
services.openssh = { services.openssh = {
ports = [ cfg.sshPort ]; ports = [cfg.sshPort];
openFirewall = true; openFirewall = true;
}; };
@@ -114,12 +115,12 @@ in
# ── Virtualisation (podman/docker-compat) ───────────────────────────── # ── Virtualisation (podman/docker-compat) ─────────────────────────────
(lib.mkIf cfg.virtualisation.enable { (lib.mkIf cfg.virtualisation.enable {
virtualisation.podman = { virtualisation.podman = {
enable = true; enable = true;
autoPrune.enable = true; autoPrune.enable = true;
dockerCompat = true; dockerCompat = true;
}; };
users.groups.docker.members = [ user ]; users.groups.docker.members = [user];
}) })
# ── KVM AMD ───────────────────────────────────────────────────────── # ── KVM AMD ─────────────────────────────────────────────────────────
@@ -141,11 +142,10 @@ in
# ── Fail2ban ────────────────────────────────────────────────────────── # ── Fail2ban ──────────────────────────────────────────────────────────
(lib.mkIf cfg.fail2ban.enable { (lib.mkIf cfg.fail2ban.enable {
services.fail2ban = { services.fail2ban = {
enable = true; enable = true;
maxretry = 5; maxretry = 5;
jails.DEFAULT.settings.findtime = "15m"; jails.DEFAULT.settings.findtime = "15m";
}; };
}) })
]; ];
} }

5
modules/services/dmz/default.nix
View File

@@ -9,11 +9,10 @@
# └─ default.nix * # └─ default.nix *
# └─ ... # └─ ...
# #
[ [
./microvm.nix ./microvm.nix
# ./hydra.nix # ./hydra.nix
] ]
# picom, polybar and sxhkd are pulled from desktop module # picom, polybar and sxhkd are pulled from desktop module
# redshift temporarely disables # redshift temporarely disables

113
modules/services/dmz/gitea_runner.nix
View File

@@ -1,60 +1,63 @@
{ lib, config, pkgs, ... }:
{ {
virtualisation = { lib,
podman ={ config,
enable = true; pkgs,
autoPrune.enable = true; ...
dockerCompat = true; }: {
}; virtualisation = {
containers.containersConf.settings = { podman = {
# podman seems to not work with systemd-resolved enable = true;
containers.dns_servers = [ "192.168.101.1" ]; autoPrune.enable = true;
#containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ]; dockerCompat = true;
};
containers.containersConf.settings = {
# podman seems to not work with systemd-resolved
containers.dns_servers = ["192.168.101.1"];
#containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ];
};
};
services.gitea-actions-runner.instances = {
homerunner = {
enable = true;
url = "https://git.kabtop.de";
name = "Homerunner";
tokenFile = config.age.secrets."services/gitea/homerunner-token".path;
labels = [
"home"
"debian-latest:docker://node:18-bullseye"
"ubuntu-latest:docker://node:16-bullseye"
"ubuntu-22.04:docker://node:16-bullseye"
"ubuntu-20.04:docker://node:16-bullseye"
"ubuntu-18.04:docker://node:16-buster"
"native:host"
];
hostPackages = with pkgs; [
bash
coreutils
curl
gawk
gitMinimal
gnused
nodejs
wget
];
settings = {
# container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
# the default network that also respects our dns server settings
container.network = "host";
container.privileged = false;
# container.valid_volumes = [
# "/nix"
# "${storeDeps}/bin"
# "${storeDeps}/etc/ssl"
# ];
}; };
}; };
};
services.gitea-actions-runner.instances = { age.secrets."services/gitea/homerunner-token" = {
homerunner = { file = ../../../secrets/services/gitea/homerunner-token.age;
enable = true; owner = "gitea-runner";
url = "https://git.kabtop.de"; };
name = "Homerunner";
tokenFile = config.age.secrets."services/gitea/homerunner-token".path;
labels = [
"home"
"debian-latest:docker://node:18-bullseye"
"ubuntu-latest:docker://node:16-bullseye"
"ubuntu-22.04:docker://node:16-bullseye"
"ubuntu-20.04:docker://node:16-bullseye"
"ubuntu-18.04:docker://node:16-buster"
"native:host"
];
hostPackages = with pkgs; [
bash
coreutils
curl
gawk
gitMinimal
gnused
nodejs
wget
];
settings = {
# container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
# the default network that also respects our dns server settings
container.network = "host";
container.privileged = false;
# container.valid_volumes = [
# "/nix"
# "${storeDeps}/bin"
# "${storeDeps}/etc/ssl"
# ];
};
};
};
age.secrets."services/gitea/homerunner-token" = {
file = ../../../secrets/services/gitea/homerunner-token.age;
owner = "gitea-runner";
};
} }

159
modules/services/dmz/hydra.nix
View File

@@ -1,91 +1,92 @@
{ lib, config, pkgs, ... }:
{ {
services = { lib,
hydra = { config,
enable = true; pkgs,
hydraURL = "https://hydra.home.opel-online.de"; ...
listenHost = "127.0.0.1"; }: {
notificationSender = "hydra@localhost"; services = {
useSubstitutes = true; hydra = {
minimumDiskFree = 30; enable = true;
}; hydraURL = "https://hydra.home.opel-online.de";
nix-serve = { listenHost = "127.0.0.1";
enable = true; notificationSender = "hydra@localhost";
port = 5001; useSubstitutes = true;
bindAddress = "127.0.0.1"; minimumDiskFree = 30;
secretKeyFile = config.age.secrets."keys/nixsign".path;
};
nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
virtualHosts = {
"home.opel-online.de" = {
enableACME = true;
forceSSL = true;
default = true;
locations."/".return = "503";
};
"hydra.home.opel-online.de" = {
useACMEHost = "home.opel-online.de";
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:3000";
extraConfig = ''
proxy_set_header X-Forwarded-Port 443;
'';
};
};
"cache.home.opel-online.de" = {
useACMEHost = "home.opel-online.de";
forceSSL = true;
locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
};
};
};
}; };
nix-serve = {
security.acme = { enable = true;
acceptTerms = true; port = 5001;
defaults = { bindAddress = "127.0.0.1";
email = "webmaster@opel-online.de"; secretKeyFile = config.age.secrets."keys/nixsign".path;
#server = "https://acme-staging-v02.api.letsencrypt.org/directory"; };
dnsResolver = "9.9.9.9:53"; nginx = {
}; enable = true;
certs = { recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
virtualHosts = {
"home.opel-online.de" = { "home.opel-online.de" = {
domain = "*.home.opel-online.de"; enableACME = true;
dnsProvider = "netcup"; forceSSL = true;
environmentFile = config.age.secrets."services/acme/opel-online".path; default = true;
webroot = null; locations."/".return = "503";
};
"hydra.home.opel-online.de" = {
useACMEHost = "home.opel-online.de";
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:3000";
extraConfig = ''
proxy_set_header X-Forwarded-Port 443;
'';
};
};
"cache.home.opel-online.de" = {
useACMEHost = "home.opel-online.de";
forceSSL = true;
locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
}; };
}; };
}; };
};
nix = {
settings = { security.acme = {
trusted-users = [ acceptTerms = true;
"hydra" defaults = {
]; email = "webmaster@opel-online.de";
allowed-uris = "http:// https://"; #server = "https://acme-staging-v02.api.letsencrypt.org/directory";
dnsResolver = "9.9.9.9:53";
};
certs = {
"home.opel-online.de" = {
domain = "*.home.opel-online.de";
dnsProvider = "netcup";
environmentFile = config.age.secrets."services/acme/opel-online".path;
webroot = null;
}; };
};
};
extraOptions = '' nix = {
secret-key-files = ${config.age.secrets."keys/nixsign".path} settings = {
''; trusted-users = [
}; "hydra"
];
age.secrets."keys/nixsign" = { allowed-uris = "http:// https://";
file = ../../../secrets/keys/nixservepriv.age;
owner = "hydra";
};
age.secrets."services/acme/opel-online" = {
file = ../../../secrets/services/acme/opel-online.age;
owner = "acme";
}; };
extraOptions = ''
secret-key-files = ${config.age.secrets."keys/nixsign".path}
'';
};
age.secrets."keys/nixsign" = {
file = ../../../secrets/keys/nixservepriv.age;
owner = "hydra";
};
age.secrets."services/acme/opel-online" = {
file = ../../../secrets/services/acme/opel-online.age;
owner = "acme";
};
} }

120
modules/services/dmz/microvm.nix
View File

@@ -1,48 +1,55 @@
{ config, microvm, lib, pkgs, user, agenix, impermanence, ... }:
let
name = "gitea-runner";
in
{ {
config,
microvm,
lib,
pkgs,
user,
agenix,
impermanence,
...
}: let
name = "gitea-runner";
in {
microvm = { microvm = {
autostart = [ autostart = [
name name
]; ];
vms = { vms = {
${name} = { ${name} = {
inherit pkgs; inherit pkgs;
config = { config = {
imports = imports =
[ agenix.nixosModules.default ] ++ [agenix.nixosModules.default]
[ impermanence.nixosModules.impermanence ] ++ ++ [impermanence.nixosModules.impermanence]
[( ./gitea_runner.nix )]; ++ [(./gitea_runner.nix)];
networking = { networking = {
hostName = "${name}"; hostName = "${name}";
firewall = { firewall = {
enable = true; enable = true;
allowedUDPPorts = [ ]; allowedUDPPorts = [];
allowedTCPPorts = [ ]; allowedTCPPorts = [];
}; };
}; };
systemd.network = { systemd.network = {
enable = true; enable = true;
networks = { networks = {
"10-lan" = { "10-lan" = {
matchConfig.Name = "*"; matchConfig.Name = "*";
networkConfig = { networkConfig = {
DHCP = "yes"; DHCP = "yes";
IPv6AcceptRA = true; IPv6AcceptRA = true;
}; };
};
}; };
};
}; };
users.users.${user} = { # System User users.users.${user} = {
# System User
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" ]; extraGroups = ["wheel"];
uid = 2000; uid = 2000;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIANmaraVJ/o20c4dqVnGLp/wGck9QNHFPvO9jcEbKS29AAAABHNzaDo= kabbone@kabc" "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIANmaraVJ/o20c4dqVnGLp/wGck9QNHFPvO9jcEbKS29AAAABHNzaDo= kabbone@kabc"
@@ -56,30 +63,32 @@ in
enable = true; enable = true;
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;
hostKeys = [ hostKeys = [
{ {
path = "/persist/etc/ssh/ssh_host_ed25519_key"; path = "/persist/etc/ssh/ssh_host_ed25519_key";
type = "ed25519"; type = "ed25519";
} }
{ {
path = "/persist/etc/ssh/ssh_host_rsa_key"; path = "/persist/etc/ssh/ssh_host_rsa_key";
type = "rsa"; type = "rsa";
bits = 4096; bits = 4096;
}]; }
];
}; };
}; };
fileSystems."/persist".neededForBoot = lib.mkForce true; fileSystems."/persist".neededForBoot = lib.mkForce true;
environment = { environment = {
systemPackages = with pkgs; [ # Default packages install system-wide systemPackages = with pkgs; [
bash # Default packages install system-wide
coreutils bash
curl coreutils
gawk curl
gitMinimal gawk
gnused gitMinimal
nodejs gnused
wget nodejs
wget
]; ];
persistence."/persist" = { persistence."/persist" = {
directories = [ directories = [
@@ -100,27 +109,30 @@ in
vcpu = 4; vcpu = 4;
mem = 4096; mem = 4096;
interfaces = [ interfaces = [
{ {
type = "macvtap"; type = "macvtap";
id = "vm-${name}"; id = "vm-${name}";
mac = "04:00:00:00:00:01"; mac = "04:00:00:00:00:01";
macvtap = { macvtap = {
link = "ens18"; link = "ens18";
mode = "bridge"; mode = "bridge";
}; };
} ]; }
shares = [{ ];
source = "/nix/store"; shares = [
mountPoint = "/nix/.ro-store"; {
tag = "ro-store"; source = "/nix/store";
proto = "virtiofs"; mountPoint = "/nix/.ro-store";
} tag = "ro-store";
{ proto = "virtiofs";
source = "/etc/vm-persist/${name}"; }
mountPoint = "/persist"; {
tag = "persist"; source = "/etc/vm-persist/${name}";
proto = "virtiofs"; mountPoint = "/persist";
}]; tag = "persist";
proto = "virtiofs";
}
];
#writableStoreOverlay = "/nix/.rw-store"; #writableStoreOverlay = "/nix/.rw-store";
#storeOnDisk = true; #storeOnDisk = true;
}; };

5
modules/services/kabtopci/default.nix
View File

@@ -9,11 +9,10 @@
# └─ default.nix * # └─ default.nix *
# └─ ... # └─ ...
# #
[ [
# ./microvm.nix # ./microvm.nix
./hydra.nix ./hydra.nix
] ]
# picom, polybar and sxhkd are pulled from desktop module # picom, polybar and sxhkd are pulled from desktop module
# redshift temporarely disables # redshift temporarely disables

111
modules/services/kabtopci/gitea_runner.nix
View File

@@ -1,59 +1,62 @@
{ lib, config, pkgs, ... }:
{ {
virtualisation = { lib,
podman ={ config,
enable = true; pkgs,
autoPrune.enable = true; ...
dockerCompat = true; }: {
}; virtualisation = {
containers.containersConf.settings = { podman = {
# podman seems to not work with systemd-resolved enable = true;
containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ]; autoPrune.enable = true;
dockerCompat = true;
};
containers.containersConf.settings = {
# podman seems to not work with systemd-resolved
containers.dns_servers = ["8.8.8.8" "8.8.4.4"];
};
};
services.gitea-actions-runner.instances = {
cirunner = {
enable = true;
url = "https://git.kabtop.de";
name = "CI Kabtop runner";
tokenFile = config.age.secrets."services/gitea/cirunner-token".path;
labels = [
"ci"
"debian-latest:docker://node:18-bullseye"
"ubuntu-latest:docker://node:16-bullseye"
"ubuntu-22.04:docker://node:16-bullseye"
"ubuntu-20.04:docker://node:16-bullseye"
"ubuntu-18.04:docker://node:16-buster"
"native:host"
];
hostPackages = with pkgs; [
bash
coreutils
curl
gawk
gitMinimal
gnused
nodejs
wget
];
settings = {
# container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
# the default network that also respects our dns server settings
container.network = "host";
container.privileged = false;
# container.valid_volumes = [
# "/nix"
# "${storeDeps}/bin"
# "${storeDeps}/etc/ssl"
# ];
}; };
}; };
};
services.gitea-actions-runner.instances = { age.secrets."services/gitea/cirunner-token" = {
cirunner = { file = ../../../secrets/services/gitea/cirunner-token.age;
enable = true; owner = "gitea-runner";
url = "https://git.kabtop.de"; };
name = "CI Kabtop runner";
tokenFile = config.age.secrets."services/gitea/cirunner-token".path;
labels = [
"ci"
"debian-latest:docker://node:18-bullseye"
"ubuntu-latest:docker://node:16-bullseye"
"ubuntu-22.04:docker://node:16-bullseye"
"ubuntu-20.04:docker://node:16-bullseye"
"ubuntu-18.04:docker://node:16-buster"
"native:host"
];
hostPackages = with pkgs; [
bash
coreutils
curl
gawk
gitMinimal
gnused
nodejs
wget
];
settings = {
# container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
# the default network that also respects our dns server settings
container.network = "host";
container.privileged = false;
# container.valid_volumes = [
# "/nix"
# "${storeDeps}/bin"
# "${storeDeps}/etc/ssl"
# ];
};
};
};
age.secrets."services/gitea/cirunner-token" = {
file = ../../../secrets/services/gitea/cirunner-token.age;
owner = "gitea-runner";
};
} }

144
modules/services/kabtopci/hydra.nix
View File

@@ -1,82 +1,84 @@
{ lib, config, pkgs, ... }:
{ {
services = { lib,
hydra = { config,
enable = true; pkgs,
hydraURL = "https://hydra.ci.kabtop.de"; ...
listenHost = "127.0.0.1"; }: {
notificationSender = "hydra@kabtop.de"; services = {
useSubstitutes = true; hydra = {
minimumDiskFree = 8; enable = true;
}; hydraURL = "https://hydra.ci.kabtop.de";
nix-serve = { listenHost = "127.0.0.1";
enable = true; notificationSender = "hydra@kabtop.de";
port = 5001; useSubstitutes = true;
bindAddress = "127.0.0.1"; minimumDiskFree = 8;
secretKeyFile = config.age.secrets."keys/nixsign".path; };
}; nix-serve = {
nginx = { enable = true;
enable = true; port = 5001;
recommendedProxySettings = true; bindAddress = "127.0.0.1";
recommendedTlsSettings = true; secretKeyFile = config.age.secrets."keys/nixsign".path;
recommendedGzipSettings = true; };
recommendedOptimisation = true; nginx = {
virtualHosts = { enable = true;
"ci.kabtop.de" = { recommendedProxySettings = true;
enableACME = true; recommendedTlsSettings = true;
forceSSL = true; recommendedGzipSettings = true;
default = true; recommendedOptimisation = true;
locations."/".return = "503"; virtualHosts = {
}; "ci.kabtop.de" = {
"hydra.ci.kabtop.de" = { enableACME = true;
enableACME = true; forceSSL = true;
forceSSL = true; default = true;
locations."/" = { locations."/".return = "503";
proxyPass = "http://localhost:3000"; };
extraConfig = '' "hydra.ci.kabtop.de" = {
proxy_set_header X-Forwarded-Port 443; enableACME = true;
''; forceSSL = true;
}; locations."/" = {
}; proxyPass = "http://localhost:3000";
"cache.ci.kabtop.de" = { extraConfig = ''
enableACME = true; proxy_set_header X-Forwarded-Port 443;
forceSSL = true; '';
locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
}; };
}; };
"cache.ci.kabtop.de" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
};
}; };
}; };
};
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults = { defaults = {
email = "webmaster@kabtop.de"; email = "webmaster@kabtop.de";
webroot = "/var/lib/acme/acme-challenge"; webroot = "/var/lib/acme/acme-challenge";
#server = "https://acme-staging-v02.api.letsencrypt.org/directory"; #server = "https://acme-staging-v02.api.letsencrypt.org/directory";
};
}; };
};
nix = {
settings = {
trusted-users = [
"hydra"
];
allowed-uris = [
"github:"
"https://github.com/"
"git+ssh://github.com/"
];
};
extraOptions = '' nix = {
secret-key-files = ${config.age.secrets."keys/nixsign".path} settings = {
''; trusted-users = [
}; "hydra"
];
age.secrets."keys/nixsign" = { allowed-uris = [
file = ../../../secrets/keys/nixservepriv.age; "github:"
owner = "hydra"; "https://github.com/"
"git+ssh://github.com/"
];
}; };
extraOptions = ''
secret-key-files = ${config.age.secrets."keys/nixsign".path}
'';
};
age.secrets."keys/nixsign" = {
file = ../../../secrets/keys/nixservepriv.age;
owner = "hydra";
};
} }

116
modules/services/kabtopci/microvm.nix
View File

@@ -1,48 +1,55 @@
{ config, microvm, lib, pkgs, user, agenix, impermanence, ... }:
let
name = "gitea-runner";
in
{ {
config,
microvm,
lib,
pkgs,
user,
agenix,
impermanence,
...
}: let
name = "gitea-runner";
in {
microvm = { microvm = {
autostart = [ autostart = [
name name
]; ];
vms = { vms = {
${name} = { ${name} = {
inherit pkgs; inherit pkgs;
config = { config = {
imports = imports =
[ agenix.nixosModules.default ] ++ [agenix.nixosModules.default]
[ impermanence.nixosModules.impermanence ] ++ ++ [impermanence.nixosModules.impermanence]
[( ./gitea_runner.nix )]; ++ [(./gitea_runner.nix)];
networking = { networking = {
hostName = "${name}"; hostName = "${name}";
firewall = { firewall = {
enable = true; enable = true;
allowedUDPPorts = [ ]; allowedUDPPorts = [];
allowedTCPPorts = [ ]; allowedTCPPorts = [];
}; };
}; };
systemd.network = { systemd.network = {
enable = true; enable = true;
networks = { networks = {
"10-lan" = { "10-lan" = {
matchConfig.Name = "*"; matchConfig.Name = "*";
networkConfig = { networkConfig = {
DHCP = "yes"; DHCP = "yes";
IPv6AcceptRA = true; IPv6AcceptRA = true;
}; };
};
}; };
};
}; };
users.users.${user} = { # System User users.users.${user} = {
# System User
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" ]; extraGroups = ["wheel"];
uid = 2000; uid = 2000;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIANmaraVJ/o20c4dqVnGLp/wGck9QNHFPvO9jcEbKS29AAAABHNzaDo= kabbone@kabc" "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIANmaraVJ/o20c4dqVnGLp/wGck9QNHFPvO9jcEbKS29AAAABHNzaDo= kabbone@kabc"
@@ -56,30 +63,32 @@ in
enable = true; enable = true;
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;
hostKeys = [ hostKeys = [
{ {
path = "/persist/etc/ssh/ssh_host_ed25519_key"; path = "/persist/etc/ssh/ssh_host_ed25519_key";
type = "ed25519"; type = "ed25519";
} }
{ {
path = "/persist/etc/ssh/ssh_host_rsa_key"; path = "/persist/etc/ssh/ssh_host_rsa_key";
type = "rsa"; type = "rsa";
bits = 4096; bits = 4096;
}]; }
];
}; };
}; };
fileSystems."/persist".neededForBoot = lib.mkForce true; fileSystems."/persist".neededForBoot = lib.mkForce true;
environment = { environment = {
systemPackages = with pkgs; [ # Default packages install system-wide systemPackages = with pkgs; [
bash # Default packages install system-wide
coreutils bash
curl coreutils
gawk curl
gitMinimal gawk
gnused gitMinimal
nodejs gnused
wget nodejs
wget
]; ];
persistence."/persist" = { persistence."/persist" = {
directories = [ directories = [
@@ -100,23 +109,26 @@ in
mem = 3096; mem = 3096;
#kernel = pkgs.linuxKernel.packages.linux_latest; #kernel = pkgs.linuxKernel.packages.linux_latest;
interfaces = [ interfaces = [
{ {
type = "user"; type = "user";
id = "vm-${name}"; id = "vm-${name}";
mac = "04:00:00:00:00:02"; mac = "04:00:00:00:00:02";
} ]; }
shares = [{ ];
source = "/nix/store"; shares = [
mountPoint = "/nix/.ro-store"; {
tag = "ro-store"; source = "/nix/store";
proto = "virtiofs"; mountPoint = "/nix/.ro-store";
} tag = "ro-store";
{ proto = "virtiofs";
source = "/etc/vm-persist/${name}"; }
mountPoint = "/persist"; {
tag = "persist"; source = "/etc/vm-persist/${name}";
proto = "virtiofs"; mountPoint = "/persist";
}]; tag = "persist";
proto = "virtiofs";
}
];
#writableStoreOverlay = "/nix/.rw-store"; #writableStoreOverlay = "/nix/.rw-store";
#storeOnDisk = true; #storeOnDisk = true;
}; };

12
modules/services/keyring.nix
View File

@@ -1,14 +1,16 @@
# #
# Screenshots # Screenshots
# #
{ pkgs, user, ... }:
{ {
services = { # sxhkd shortcut = Printscreen button (Print) pkgs,
user,
...
}: {
services = {
# sxhkd shortcut = Printscreen button (Print)
gnome-keyring = { gnome-keyring = {
enable = true; enable = true;
}; };
}; };
home.packages = with pkgs; [ gcr seahorse ]; home.packages = with pkgs; [gcr seahorse];
} }

7
modules/services/kubemaster/default.nix
View File

@@ -9,11 +9,10 @@
# └─ default.nix * # └─ default.nix *
# └─ ... # └─ ...
# #
[ [
# ./microvm.nix # ./microvm.nix
# ./hydra.nix # ./hydra.nix
] ]
# picom, polybar and sxhkd are pulled from desktop module # picom, polybar and sxhkd are pulled from desktop module
# redshift temporarely disables # redshift temporarely disables

3
modules/services/nas/default.nix
View File

@@ -9,7 +9,6 @@
# └─ default.nix * # └─ default.nix *
# └─ ... # └─ ...
# #
[ [
./nfs.nix ./nfs.nix
./nginx.nix ./nginx.nix
@@ -17,6 +16,6 @@
./syncthing.nix ./syncthing.nix
./paperless.nix ./paperless.nix
] ]
# picom, polybar and sxhkd are pulled from desktop module # picom, polybar and sxhkd are pulled from desktop module
# redshift temporarely disables # redshift temporarely disables

23
modules/services/nas/nfs.nix
View File

@@ -1,18 +1,23 @@
{config, pkgs, lib, ...}: { {
config,
pkgs,
lib,
...
}: {
# enable nfs # enable nfs
services.nfs.server = rec { services.nfs.server = rec {
enable = true; enable = true;
exports = '' exports = ''
/export 192.168.2.0/24(rw,fsid=0,no_subtree_check) /export 192.168.2.0/24(rw,fsid=0,no_subtree_check)
/export/Pluto 192.168.2.0/24(rw,no_subtree_check) /export/Pluto 192.168.2.0/24(rw,no_subtree_check)
/export/Mars 192.168.2.0/24(rw,no_subtree_check) /export/Mars 192.168.2.0/24(rw,no_subtree_check)
''; '';
createMountPoints = true; createMountPoints = true;
}; };
# open the firewall # open the firewall
networking.firewall = { networking.firewall = {
interfaces.ens18 = { interfaces.ens18 = {
allowedTCPPorts = [ 2049 ]; allowedTCPPorts = [2049];
}; };
}; };
} }

18
modules/services/nas/nginx.nix
View File

@@ -1,10 +1,12 @@
# #
# System notifications # System notifications
# #
{ config, lib, pkgs, ... }:
{ {
config,
lib,
pkgs,
...
}: {
services.nginx = { services.nginx = {
enable = true; enable = true;
recommendedProxySettings = true; recommendedProxySettings = true;
@@ -56,13 +58,12 @@
}; };
}; };
}; };
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults = { defaults = {
email = "webmaster@opel-online.de"; email = "webmaster@opel-online.de";
# server = "https://acme-staging-v02.api.letsencrypt.org/directory"; # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
dnsResolver = "9.9.9.9:53"; dnsResolver = "9.9.9.9:53";
}; };
certs = { certs = {
@@ -75,17 +76,16 @@
}; };
}; };
systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/mnt/Pluto/nix-cache" ]; systemd.services.nginx.serviceConfig.ReadWritePaths = ["/mnt/Pluto/nix-cache"];
networking.firewall = { networking.firewall = {
enable = true; enable = true;
allowedUDPPorts = [ ]; allowedUDPPorts = [];
allowedTCPPorts = [ 80 443 ]; allowedTCPPorts = [80 443];
}; };
age.secrets."services/acme/opel-online" = { age.secrets."services/acme/opel-online" = {
file = ../../../secrets/services/acme/opel-online.age; file = ../../../secrets/services/acme/opel-online.age;
owner = "acme"; owner = "acme";
}; };
} }

15
modules/services/nas/paperless.nix
View File

@@ -1,15 +1,17 @@
# #
# System notifications # System notifications
# #
{ config, lib, pkgs, ... }:
{ {
config,
lib,
pkgs,
...
}: {
services.paperless = { services.paperless = {
enable = true; enable = true;
domain = "paperless.home.opel-online.de"; domain = "paperless.home.opel-online.de";
passwordFile = config.age.secrets."services/paperless/pwFile".path; passwordFile = config.age.secrets."services/paperless/pwFile".path;
# environmentFile = config.age.secrets."services/paperless/environment".path; # environmentFile = config.age.secrets."services/paperless/environment".path;
configureTika = true; configureTika = true;
settings = { settings = {
PAPERLESS_OCR_LANGUAGE = "deu+eng"; PAPERLESS_OCR_LANGUAGE = "deu+eng";
@@ -31,8 +33,7 @@
}; };
age.secrets."services/paperless/pwFile" = { age.secrets."services/paperless/pwFile" = {
file = ../../../secrets/services/paperless/pwFile.age; file = ../../../secrets/services/paperless/pwFile.age;
owner = "paperless"; owner = "paperless";
}; };
} }

42
modules/services/nas/syncthing.nix
View File

@@ -1,29 +1,32 @@
# #
# System notifications # System notifications
# #
{ config, lib, pkgs, ... }:
{ {
config,
lib,
pkgs,
...
}: {
services.syncthing = { services.syncthing = {
enable = true; enable = true;
group = "users"; group = "users";
user = "kabbone"; user = "kabbone";
dataDir = "/home/${config.services.syncthing.user}/Sync"; dataDir = "/home/${config.services.syncthing.user}/Sync";
configDir = "/home/${config.services.syncthing.user}/.config/syncthing"; configDir = "/home/${config.services.syncthing.user}/.config/syncthing";
overrideDevices = true; # overrides any devices added or deleted through the WebUI overrideDevices = true; # overrides any devices added or deleted through the WebUI
overrideFolders = true; # overrides any folders added or deleted through the WebUI overrideFolders = true; # overrides any folders added or deleted through the WebUI
openDefaultPorts = true; openDefaultPorts = true;
settings = { settings = {
devices = { devices = {
"hades.home.opel-online.de" = { id = "3VPCBVW-RH7XKFM-TWJGQHC-ZRAQ575-CQKGGKP-NAB4VXE-KCKJFUT-AMCUQQA"; }; "hades.home.opel-online.de" = {id = "3VPCBVW-RH7XKFM-TWJGQHC-ZRAQ575-CQKGGKP-NAB4VXE-KCKJFUT-AMCUQQA";};
"lifebook.home.opel-online.de" = { id = "RKPZG3H-BDUZID3-DV26MKR-UOARIQC-JBCAFXP-J5QFM4H-5EGBSM5-VEGXHQ4"; }; "lifebook.home.opel-online.de" = {id = "RKPZG3H-BDUZID3-DV26MKR-UOARIQC-JBCAFXP-J5QFM4H-5EGBSM5-VEGXHQ4";};
}; };
folders = { folders = {
"Sync" = { # Name of folder in Syncthing, also the folder ID "Sync" = {
path = "/mnt/Mars/${config.services.syncthing.user}/Sync"; # Which folder to add to Syncthing # Name of folder in Syncthing, also the folder ID
devices = [ "hades.home.opel-online.de" "lifebook.home.opel-online.de" ]; # Which devices to share the folder with path = "/mnt/Mars/${config.services.syncthing.user}/Sync"; # Which folder to add to Syncthing
ignorePerms = false; # By default, Syncthing doesn't sync file permissions. This line enables it for this folder. devices = ["hades.home.opel-online.de" "lifebook.home.opel-online.de"]; # Which devices to share the folder with
ignorePerms = false; # By default, Syncthing doesn't sync file permissions. This line enables it for this folder.
}; };
}; };
}; };
@@ -35,19 +38,18 @@
useACMEHost = "home.opel-online.de"; useACMEHost = "home.opel-online.de";
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
recommendedProxySettings = false; recommendedProxySettings = false;
proxyPass = "http://${toString config.services.syncthing.guiAddress}"; proxyPass = "http://${toString config.services.syncthing.guiAddress}";
extraConfig = '' extraConfig = ''
proxy_set_header Host localhost; proxy_set_header Host localhost;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-Server $host;
''; '';
}; };
}; };
}; };
}; };
} }

13
modules/services/nas/vaultwarden.nix
View File

@@ -1,10 +1,12 @@
# #
# System notifications # System notifications
# #
{ config, lib, pkgs, ... }:
{ {
config,
lib,
pkgs,
...
}: {
services.vaultwarden = { services.vaultwarden = {
enable = true; enable = true;
dbBackend = "sqlite"; dbBackend = "sqlite";
@@ -31,8 +33,7 @@
}; };
age.secrets."services/vaultwarden/environment" = { age.secrets."services/vaultwarden/environment" = {
file = ../../../secrets/services/vaultwarden/environment.age; file = ../../../secrets/services/vaultwarden/environment.age;
owner = "vaultwarden"; owner = "vaultwarden";
}; };
} }

5
modules/services/nasbackup/default.nix
View File

@@ -9,10 +9,9 @@
# └─ default.nix * # └─ default.nix *
# └─ ... # └─ ...
# #
[ [
# ./nfs.nix # ./nfs.nix
] ]
# picom, polybar and sxhkd are pulled from desktop module # picom, polybar and sxhkd are pulled from desktop module
# redshift temporarely disables # redshift temporarely disables

3
modules/services/printer/default.nix
View File

@@ -9,10 +9,9 @@
# └─ default.nix * # └─ default.nix *
# └─ ... # └─ ...
# #
[ [
./klipper.nix ./klipper.nix
] ]
# picom, polybar and sxhkd are pulled from desktop module # picom, polybar and sxhkd are pulled from desktop module
# redshift temporarely disables # redshift temporarely disables

192
modules/services/printer/klipper.nix
View File

@@ -1,101 +1,103 @@
{ lib, config, pkgs, ... }:
{ {
environment = { lib,
systemPackages = with pkgs; [ config,
klipperscreen pkgs,
]; ...
}: {
environment = {
systemPackages = with pkgs; [
klipperscreen
];
};
services = {
klipper = {
enable = true;
user = "moonraker";
group = "moonraker";
configFile = ./printer.cfg;
mutableConfig = true;
configDir = "/var/lib/moonraker/config";
firmwares."sovol06" = {
serial = "/dev/serial/by-id/usb-1a86_USB_Serial-if00-port0";
enableKlipperFlash = true;
enable = true;
configFile = ./firmware.conf;
};
}; };
services = { mainsail = {
klipper = { enable = true;
enable = true; nginx = {
user = "moonraker"; enableACME = false;
group = "moonraker"; #useACMEHost = "home.opel-online.de";
configFile = ./printer.cfg; serverName = "nbf5.home.opel-online.de";
mutableConfig = true; #onlySSL = true;
configDir = "/var/lib/moonraker/config"; #listenAddresses = [ "0.0.0.0" "::" ];
firmwares."sovol06" = { #forceSSL = true;
serial = "/dev/serial/by-id/usb-1a86_USB_Serial-if00-port0";
enableKlipperFlash = true;
enable = true;
configFile = ./firmware.conf;
};
}; };
mainsail = {
enable = true;
nginx = {
enableACME = false;
#useACMEHost = "home.opel-online.de";
serverName = "nbf5.home.opel-online.de";
#onlySSL = true;
#listenAddresses = [ "0.0.0.0" "::" ];
#forceSSL = true;
};
};
moonraker = {
enable = true;
allowSystemControl = true;
address = "0.0.0.0";
settings = {
authorization = {
force_logins = true;
cors_domains = [
"*://nbf5.home.opel-online.de"
"*.local"
];
trusted_clients = [
"127.0.0.0/8"
"192.168.2.0/24"
];
};
file_manager = {
enable_object_processing = true;
};
};
};
# nginx = {
# enable = true;
# recommendedProxySettings = true;
# recommendedTlsSettings = true;
# recommendedGzipSettings = true;
# recommendedOptimisation = true;
# virtualHosts = {
# "ci.kabtop.de" = {
# enableACME = true;
# forceSSL = true;
# default = true;
# locations."/".return = "503";
# };
# "hydra.ci.kabtop.de" = {
# enableACME = true;
# forceSSL = true;
# locations."/" = {
# proxyPass = "http://localhost:3000";
# extraConfig = ''
# proxy_set_header X-Forwarded-Port 443;
# '';
# };
# };
# "cache.ci.kabtop.de" = {
# enableACME = true;
# forceSSL = true;
# locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
# };
# };
# };
# };
#
# security.acme = {
# acceptTerms = true;
# defaults = {
# email = "webmaster@kabtop.de";
# webroot = "/var/lib/acme/acme-challenge";
# #server = "https://acme-staging-v02.api.letsencrypt.org/directory";
# };
}; };
moonraker = {
enable = true;
allowSystemControl = true;
address = "0.0.0.0";
settings = {
authorization = {
force_logins = true;
cors_domains = [
"*://nbf5.home.opel-online.de"
"*.local"
];
trusted_clients = [
"127.0.0.0/8"
"192.168.2.0/24"
];
};
file_manager = {
enable_object_processing = true;
};
};
};
# nginx = {
# enable = true;
# recommendedProxySettings = true;
# recommendedTlsSettings = true;
# recommendedGzipSettings = true;
# recommendedOptimisation = true;
# virtualHosts = {
# "ci.kabtop.de" = {
# enableACME = true;
# forceSSL = true;
# default = true;
# locations."/".return = "503";
# };
# "hydra.ci.kabtop.de" = {
# enableACME = true;
# forceSSL = true;
# locations."/" = {
# proxyPass = "http://localhost:3000";
# extraConfig = ''
# proxy_set_header X-Forwarded-Port 443;
# '';
# };
# };
# "cache.ci.kabtop.de" = {
# enableACME = true;
# forceSSL = true;
# locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
# };
# };
# };
# };
#
# security.acme = {
# acceptTerms = true;
# defaults = {
# email = "webmaster@kabtop.de";
# webroot = "/var/lib/acme/acme-challenge";
# #server = "https://acme-staging-v02.api.letsencrypt.org/directory";
# };
};
} }

16
modules/services/printer/nginx.nix
View File

@@ -1,10 +1,12 @@
# #
# System notifications # System notifications
# #
{ config, lib, pkgs, ... }:
{ {
config,
lib,
pkgs,
...
}: {
services.nginx = { services.nginx = {
enable = true; enable = true;
recommendedProxySettings = true; recommendedProxySettings = true;
@@ -20,13 +22,12 @@
}; };
}; };
}; };
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults = { defaults = {
email = "webmaster@opel-online.de"; email = "webmaster@opel-online.de";
# server = "https://acme-staging-v02.api.letsencrypt.org/directory"; # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
dnsResolver = "9.9.9.9:53"; dnsResolver = "9.9.9.9:53";
}; };
certs = { certs = {
@@ -41,13 +42,12 @@
networking.firewall = { networking.firewall = {
enable = true; enable = true;
allowedUDPPorts = [ ]; allowedUDPPorts = [];
allowedTCPPorts = [ 80 443 ]; allowedTCPPorts = [80 443];
}; };
age.secrets."services/acme/opel-online" = { age.secrets."services/acme/opel-online" = {
file = ../../../secrets/services/acme/opel-online.age; file = ../../../secrets/services/acme/opel-online.age;
owner = "acme"; owner = "acme";
}; };
} }

32
modules/services/server/coturn.nix
View File

@@ -1,4 +1,9 @@
{config, pkgs, lib, ...}: { {
config,
pkgs,
lib,
...
}: {
# enable coturn # enable coturn
services.coturn = rec { services.coturn = rec {
enable = true; enable = true;
@@ -43,21 +48,24 @@
# open the firewall # open the firewall
networking.firewall = { networking.firewall = {
interfaces.ens18 = let interfaces.ens18 = let
range = with config.services.coturn; [ { range = with config.services.coturn; [
from = min-port; {
to = max-port; from = min-port;
} ]; to = max-port;
in }
{ ];
in {
allowedUDPPortRanges = range; allowedUDPPortRanges = range;
allowedUDPPorts = [ 3478 ]; allowedUDPPorts = [3478];
allowedTCPPortRanges = range; allowedTCPPortRanges = range;
allowedTCPPorts = [ 3478 5349 ]; allowedTCPPorts = [3478 5349];
}; };
}; };
# get a certificate # get a certificate
security.acme.certs.${config.services.coturn.realm} = { security.acme.certs.${config.services.coturn.realm} = {
/* insert here the right configuration to obtain a certificate */ /*
insert here the right configuration to obtain a certificate
*/
postRun = "systemctl restart coturn.service"; postRun = "systemctl restart coturn.service";
group = "turnserver"; group = "turnserver";
}; };
@@ -67,7 +75,7 @@
#}; #};
age.secrets."services/coturn/static-auth" = { age.secrets."services/coturn/static-auth" = {
file = ../../../secrets/services/coturn/static-auth.age; file = ../../../secrets/services/coturn/static-auth.age;
owner = "turnserver"; owner = "turnserver";
}; };
} }

5
modules/services/server/default.nix
View File

@@ -9,7 +9,6 @@
# └─ default.nix * # └─ default.nix *
# └─ ... # └─ ...
# #
[ [
./postgresql.nix ./postgresql.nix
./gitea.nix ./gitea.nix
@@ -19,8 +18,8 @@
./coturn.nix ./coturn.nix
./hydra.nix ./hydra.nix
./mealie.nix ./mealie.nix
# ./ollama.nix # ./ollama.nix
] ]
# picom, polybar and sxhkd are pulled from desktop module # picom, polybar and sxhkd are pulled from desktop module
# redshift temporarely disables # redshift temporarely disables

114
modules/services/server/gitea.nix
View File

@@ -1,10 +1,12 @@
# #
# System notifications # System notifications
# #
{ config, lib, pkgs, ... }:
{ {
config,
lib,
pkgs,
...
}: {
services.gitea = { services.gitea = {
enable = true; enable = true;
dump.enable = false; dump.enable = false;
@@ -19,56 +21,56 @@
appName = "Kabtop Git"; appName = "Kabtop Git";
mailerPasswordFile = config.age.secrets."services/gitea/mailerPassword".path; mailerPasswordFile = config.age.secrets."services/gitea/mailerPassword".path;
settings = { settings = {
server = { server = {
ROOT_URL = "https://git.kabtop.de"; ROOT_URL = "https://git.kabtop.de";
HTTP_ADDR = "localhost"; HTTP_ADDR = "localhost";
DOMAIN = "git.kabtop.de"; DOMAIN = "git.kabtop.de";
SSH_PORT = 2220; SSH_PORT = 2220;
ENABLE_GZIP = true; ENABLE_GZIP = true;
LFS_START_SERVER = true; LFS_START_SERVER = true;
LFS_ALLOW_PURE_SSH = true; LFS_ALLOW_PURE_SSH = true;
}; };
security = { security = {
MIN_PASSWORD_LENGTH = 12; MIN_PASSWORD_LENGTH = 12;
PASSWORD_CHECK_PWN = true; PASSWORD_CHECK_PWN = true;
PASSWORD_HASH_ALGO = "argon2"; PASSWORD_HASH_ALGO = "argon2";
}; };
# oauth2 = { # oauth2 = {
# ENABLE = true; # ENABLE = true;
# #JWT_SECRET = "secret123"; # #JWT_SECRET = "secret123";
# }; # };
repository = { repository = {
MAX_CREATION_LIMIT = 100; MAX_CREATION_LIMIT = 100;
}; };
ui = { ui = {
SHOW_USER_EMAIL = false; SHOW_USER_EMAIL = false;
DEFAULT_THEME = "gitea-dark"; DEFAULT_THEME = "gitea-dark";
}; };
# openid = { # openid = {
# ENABLE_OPENID_SIGNIN = true; # ENABLE_OPENID_SIGNIN = true;
# WHITELISTED_URIS = "https://auth.kabtop.de"; # WHITELISTED_URIS = "https://auth.kabtop.de";
# }; # };
# oauth2_client = { # oauth2_client = {
# ENABLE_AUTO_REGISTRATION = true; # ENABLE_AUTO_REGISTRATION = true;
# }; # };
time = { time = {
DEFAULT_UI_LOCATION = "Europe/Berlin"; DEFAULT_UI_LOCATION = "Europe/Berlin";
}; };
other = { other = {
SHOW_FOOTER_VERSION = false; SHOW_FOOTER_VERSION = false;
}; };
session.COOKIE_SECURE = true; session.COOKIE_SECURE = true;
service = { service = {
REGISTER_EMAIL_CONFIRM = true; REGISTER_EMAIL_CONFIRM = true;
DISABLE_REGISTRATION = true; DISABLE_REGISTRATION = true;
}; };
actions = { actions = {
ENABLED = true; ENABLED = true;
}; };
indexer = { indexer = {
REPO_INDEXER_ENABLED = false; REPO_INDEXER_ENABLED = false;
}; };
}; };
}; };
@@ -87,11 +89,11 @@
}; };
}; };
age.secrets."services/gitea/mailerPassword" = { age.secrets."services/gitea/mailerPassword" = {
file = ../../../secrets/services/gitea/mailerPassword.age; file = ../../../secrets/services/gitea/mailerPassword.age;
owner = "gitea"; owner = "gitea";
}; };
age.secrets."services/gitea/databasePassword" = { age.secrets."services/gitea/databasePassword" = {
file = ../../../secrets/services/gitea/databasePassword.age; file = ../../../secrets/services/gitea/databasePassword.age;
owner = "gitea"; owner = "gitea";
}; };
} }

111
modules/services/server/gitea_runner.nix
View File

@@ -1,59 +1,62 @@
{ lib, config, pkgs, ... }:
{ {
virtualisation = { lib,
podman ={ config,
enable = true; pkgs,
autoPrune.enable = true; ...
dockerCompat = true; }: {
}; virtualisation = {
containers.containersConf.settings = { podman = {
# podman seems to not work with systemd-resolved enable = true;
containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ]; autoPrune.enable = true;
dockerCompat = true;
};
containers.containersConf.settings = {
# podman seems to not work with systemd-resolved
containers.dns_servers = ["8.8.8.8" "8.8.4.4"];
};
};
services.gitea-actions-runner.instances = {
serverrunner = {
enable = true;
url = "https://git.kabtop.de";
name = "Server runner";
tokenFile = config.age.secrets."services/gitea/serverrunner-token".path;
labels = [
"server"
"debian-latest:docker://node:18-bullseye"
"ubuntu-latest:docker://node:16-bullseye"
"ubuntu-22.04:docker://node:16-bullseye"
"ubuntu-20.04:docker://node:16-bullseye"
"ubuntu-18.04:docker://node:16-buster"
"native:host"
];
hostPackages = with pkgs; [
bash
coreutils
curl
gawk
gitMinimal
gnused
nodejs
wget
];
settings = {
# container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
# the default network that also respects our dns server settings
container.network = "host";
container.privileged = false;
# container.valid_volumes = [
# "/nix"
# "${storeDeps}/bin"
# "${storeDeps}/etc/ssl"
# ];
}; };
}; };
};
services.gitea-actions-runner.instances = { age.secrets."services/gitea/serverrunner-token" = {
serverrunner = { file = ../../../secrets/services/gitea/serverrunner-token.age;
enable = true; owner = "gitea-runner";
url = "https://git.kabtop.de"; };
name = "Server runner";
tokenFile = config.age.secrets."services/gitea/serverrunner-token".path;
labels = [
"server"
"debian-latest:docker://node:18-bullseye"
"ubuntu-latest:docker://node:16-bullseye"
"ubuntu-22.04:docker://node:16-bullseye"
"ubuntu-20.04:docker://node:16-bullseye"
"ubuntu-18.04:docker://node:16-buster"
"native:host"
];
hostPackages = with pkgs; [
bash
coreutils
curl
gawk
gitMinimal
gnused
nodejs
wget
];
settings = {
# container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
# the default network that also respects our dns server settings
container.network = "host";
container.privileged = false;
# container.valid_volumes = [
# "/nix"
# "${storeDeps}/bin"
# "${storeDeps}/etc/ssl"
# ];
};
};
};
age.secrets."services/gitea/serverrunner-token" = {
file = ../../../secrets/services/gitea/serverrunner-token.age;
owner = "gitea-runner";
};
} }

138
modules/services/server/hydra.nix
View File

@@ -1,77 +1,79 @@
{ lib, config, pkgs, ... }:
{ {
services = { lib,
hydra = { config,
enable = true; pkgs,
hydraURL = "https://hydra.ci.kabtop.de"; ...
listenHost = "127.0.0.1"; }: {
port = 3001; services = {
notificationSender = "hydra@kabtop.de"; hydra = {
useSubstitutes = true; enable = true;
minimumDiskFree = 50; hydraURL = "https://hydra.ci.kabtop.de";
maxServers = 10; listenHost = "127.0.0.1";
}; port = 3001;
nix-serve = { notificationSender = "hydra@kabtop.de";
enable = true; useSubstitutes = true;
port = 5001; minimumDiskFree = 50;
bindAddress = "127.0.0.1"; maxServers = 10;
secretKeyFile = config.age.secrets."keys/nixsign".path; };
}; nix-serve = {
nginx = { enable = true;
enable = true; port = 5001;
recommendedProxySettings = true; bindAddress = "127.0.0.1";
recommendedTlsSettings = true; secretKeyFile = config.age.secrets."keys/nixsign".path;
recommendedGzipSettings = true; };
recommendedOptimisation = true; nginx = {
virtualHosts = { enable = true;
"ci.kabtop.de" = { recommendedProxySettings = true;
enableACME = true; recommendedTlsSettings = true;
forceSSL = true; recommendedGzipSettings = true;
default = true; recommendedOptimisation = true;
locations."/".return = "503"; virtualHosts = {
}; "ci.kabtop.de" = {
"hydra.ci.kabtop.de" = { enableACME = true;
enableACME = true; forceSSL = true;
forceSSL = true; default = true;
locations."/" = { locations."/".return = "503";
proxyPass = "http://localhost:3001"; };
extraConfig = '' "hydra.ci.kabtop.de" = {
proxy_set_header X-Forwarded-Port 443; enableACME = true;
''; forceSSL = true;
}; locations."/" = {
}; proxyPass = "http://localhost:3001";
"cache.ci.kabtop.de" = { extraConfig = ''
enableACME = true; proxy_set_header X-Forwarded-Port 443;
forceSSL = true; '';
locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
}; };
}; };
"cache.ci.kabtop.de" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
};
}; };
}; };
};
nix = { nix = {
settings = { settings = {
cores = 5; cores = 5;
max-jobs = 1; max-jobs = 1;
trusted-users = [ trusted-users = [
"hydra" "hydra"
]; ];
allowed-uris = [ allowed-uris = [
"github:" "github:"
"https://github.com/" "https://github.com/"
"git+ssh://github.com/" "git+ssh://github.com/"
]; ];
};
extraOptions = ''
secret-key-files = ${config.age.secrets."keys/nixsign".path}
'';
};
age.secrets."keys/nixsign" = {
file = ../../../secrets/keys/nixservepriv.age;
owner = "hydra";
}; };
extraOptions = ''
secret-key-files = ${config.age.secrets."keys/nixsign".path}
'';
};
age.secrets."keys/nixsign" = {
file = ../../../secrets/keys/nixservepriv.age;
owner = "hydra";
};
} }

82
modules/services/server/jitsi.nix
View File

@@ -1,46 +1,48 @@
{ config, pkgs, ... }:
{ {
services.jitsi-meet = { config,
enable = true; pkgs,
hostName = "meet.kabtop.de"; ...
config = { }: {
enableWelcomePage = false; services.jitsi-meet = {
prejoinPageEnabled = true; enable = true;
defaultLang = "en"; hostName = "meet.kabtop.de";
}; config = {
interfaceConfig = { enableWelcomePage = false;
SHOW_JITSI_WATERMARK = false; prejoinPageEnabled = true;
SHOW_WATERMARK_FOR_GUESTS = false; defaultLang = "en";
};
}; };
#services.jibri = { interfaceConfig = {
# enable = true; SHOW_JITSI_WATERMARK = false;
# config = { SHOW_WATERMARK_FOR_GUESTS = false;
# recording = {
# recordings-directory = "/var/lib/jitsi-meet-recordings";
# };
# ffmpeg = {
# #framerate = 30;
# #video-encode-preset = "veryfast"; # https://trac.ffmpeg.org/wiki/Encode/H.264#a2.Chooseapresetandtune
# h264-constant-rate-factor = 21; # https://trac.ffmpeg.org/wiki/Encode/H.264#a1.ChooseaCRFvalue
# };
# };
#};
services.jitsi-videobridge = {
enable = true;
openFirewall = true;
}; };
};
#services.jibri = {
# enable = true;
# config = {
# recording = {
# recordings-directory = "/var/lib/jitsi-meet-recordings";
# };
# ffmpeg = {
# #framerate = 30;
# #video-encode-preset = "veryfast"; # https://trac.ffmpeg.org/wiki/Encode/H.264#a2.Chooseapresetandtune
# h264-constant-rate-factor = 21; # https://trac.ffmpeg.org/wiki/Encode/H.264#a1.ChooseaCRFvalue
# };
# };
#};
services.jitsi-videobridge = {
enable = true;
openFirewall = true;
};
services.prosody.extraConfig = '' services.prosody.extraConfig = ''
log = "/var/log/prosody/prosody.log" log = "/var/log/prosody/prosody.log"
''; '';
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d /var/log/prosody - prosody prosody" "d /var/log/prosody - prosody prosody"
#"d ${config.services.jibri.config.recording.recordings-directory} 0750 jibri jibri -" #"d ${config.services.jibri.config.recording.recordings-directory} 0750 jibri jibri -"
]; ];
security.acme.defaults.email = "webmaster@kabtop.de"; security.acme.defaults.email = "webmaster@kabtop.de";
security.acme.defaults.webroot = "/var/lib/acme/acme-challenge"; security.acme.defaults.webroot = "/var/lib/acme/acme-challenge";
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
} }

391
modules/services/server/matrix.nix
View File

@@ -1,10 +1,12 @@
# #
# System notifications # System notifications
# #
{
{ config, lib, pkgs, ... }: config,
lib,
let pkgs,
...
}: let
fqdn = "matrix.${config.networking.domain}"; fqdn = "matrix.${config.networking.domain}";
clientConfig = { clientConfig = {
"m.homeserver".base_url = "https://${fqdn}"; "m.homeserver".base_url = "https://${fqdn}";
@@ -24,230 +26,237 @@ in {
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedProxySettings = true; recommendedProxySettings = true;
virtualHosts = { virtualHosts = {
"${config.networking.domain}" = { "${config.networking.domain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig; locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig; locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
locations."/_matrix".proxyPass = "http://localhost:8008"; locations."/_matrix".proxyPass = "http://localhost:8008";
}; };
"${fqdn}" = { "${fqdn}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/health".proxyPass = "http://localhost:8008"; locations."/health".proxyPass = "http://localhost:8008";
locations."/_matrix".proxyPass = "http://localhost:8008"; locations."/_matrix".proxyPass = "http://localhost:8008";
locations."/_synapse/client".proxyPass = "http://localhost:8008"; locations."/_synapse/client".proxyPass = "http://localhost:8008";
locations."/".extraConfig = '' locations."/".extraConfig = ''
return 404; return 404;
''; '';
}; };
# "element.${config.networking.domain}" = { # "element.${config.networking.domain}" = {
# enableACME = true; # enableACME = true;
# forceSSL = true; # forceSSL = true;
# #
# root = pkgs.element-web.override { # root = pkgs.element-web.override {
# conf = { # conf = {
# default_server_config = clientConfig; # default_server_config = clientConfig;
# }; # };
# }; # };
# }; # };
}; };
}; };
imports = [ ../../kabbone/mautrix-whatsapp.nix ]; imports = [../../kabbone/mautrix-whatsapp.nix];
services.matrix-synapse = { services.matrix-synapse = {
enable = true; enable = true;
settings = { settings = {
server_name = config.networking.domain; server_name = config.networking.domain;
public_baseurl = "https://matrix.${config.networking.domain}"; public_baseurl = "https://matrix.${config.networking.domain}";
listeners = [ listeners = [
{ port = 8008; {
bind_addresses = [ "::1" ]; port = 8008;
type = "http"; bind_addresses = ["::1"];
tls = false; type = "http";
x_forwarded = true; tls = false;
resources = [ x_forwarded = true;
{ names = [ "client" ]; compress = true; } resources = [
{ names = [ "federation" ]; compress = false; } {
]; names = ["client"];
} compress = true;
]; }
{
names = ["federation"];
compress = false;
}
];
}
];
}; };
extraConfigFiles = [ extraConfigFiles = [
config.age.secrets."services/matrix/synapse.yml".path config.age.secrets."services/matrix/synapse.yml".path
]; ];
}; };
systemd.services = { systemd.services = {
matrix-synapse = { matrix-synapse = {
requires = [ "postgresql.service" ]; requires = ["postgresql.service"];
}; };
}; };
services = { services = {
mautrix-telegram = { mautrix-telegram = {
enable = true; enable = true;
registerToSynapse = true; registerToSynapse = true;
environmentFile = config.age.secrets."services/matrix/mautrix-telegram.env".path; environmentFile = config.age.secrets."services/matrix/mautrix-telegram.env".path;
settings = { settings = {
homeserver = { homeserver = {
address = "http://localhost:8008"; address = "http://localhost:8008";
domain = "kabtop.de"; domain = "kabtop.de";
}; };
appservice = { appservice = {
hostname = "127.0.0.1"; hostname = "127.0.0.1";
provisioning.enabled = false; provisioning.enabled = false;
id = "telegram"; id = "telegram";
public = { public = {
enabled = false; enabled = false;
};
};
bridge = {
sync_channel_members = true;
startup_sync = true;
public_portals = true;
double_puppet_server_map = {
"kabtop.de" = "https://kabtop.de";
};
encryption = {
allow = true;
default = true;
verification_levels = {
receive = "cross-signed-untrusted";
send = "cross-signed-untrusted";
};
};
private_chat_portal_meta = "default";
backfill = {
disable_notifications = true;
};
permissions = {
"@kabbone:kabtop.de" = "admin";
};
};
logging = {
loggers = {
mau = {
level = "WARN";
};
telethon = {
level = "WARN";
};
};
root = {
handlers = [
"console"
];
level = "WARN";
};
};
}; };
}; };
mautrix-signal = { bridge = {
enable = true; sync_channel_members = true;
registerToSynapse = true; startup_sync = true;
environmentFile = config.age.secrets."services/matrix/mautrix-signal.env".path; public_portals = true;
settings = { double_puppet_server_map = {
homeserver = { "kabtop.de" = "https://kabtop.de";
address = "http://localhost:8008";
domain = "kabtop.de";
};
appservice = {
hostname = "127.0.0.1";
id = "signal";
as_token = "$MAUTRIX_SIGNAL_AS_TOKEN";
hs_token = "$MAUTRIX_SIGNAL_HS_TOKEN";
};
database = {
type = "postgres";
uri = "$MAUTRIX_SIGNAL_APPSERVICE_DATABASE";
};
encryption = {
allow = true;
default = true;
verification_levels = {
receive = "cross-signed-untrusted";
send = "cross-signed-untrusted";
};
pickle_key = "$MAUTRIX_SIGNAL_ENCRYPTION_PICKLE_KEY";
};
backfill = {
enabled = true;
};
bridge = {
permissions = {
"@kabbone:kabtop.de" = "admin";
};
};
logging = {
min_level = "warn";
writers = [
{
format = "pretty-colored";
type = "stdout";
}
];
};
}; };
}; encryption = {
kabbone_mautrix-whatsapp = { allow = true;
enable = true; default = true;
registerToSynapse = true; verification_levels = {
environmentFile = config.age.secrets."services/matrix/mautrix-whatsapp.env".path; receive = "cross-signed-untrusted";
settings = { send = "cross-signed-untrusted";
homeserver = { };
address = "http://localhost:8008";
domain = "kabtop.de";
};
appservice = {
hostname = "127.0.0.1";
id = "whatsapp";
as_token = "$MAUTRIX_WHATSAPP_AS_TOKEN";
hs_token = "$MAUTRIX_WHATSAPP_HS_TOKEN";
};
database = {
type = "postgres";
uri = "$MAUTRIX_WHATSAPP_APPSERVICE_DATABASE";
};
encryption = {
allow = true;
default = true;
verification_levels = {
receive = "cross-signed-untrusted";
send = "cross-signed-untrusted";
};
pickle_key = "$MAUTRIX_WHATSAPP_ENCRYPTION_PICKLE_KEY";
};
network = {
history_sync.request_full_sync = true;
};
bridge = {
permissions = {
"@kabbone:kabtop.de" = "admin";
};
};
logging = {
min_level = "warn";
};
}; };
private_chat_portal_meta = "default";
backfill = {
disable_notifications = true;
};
permissions = {
"@kabbone:kabtop.de" = "admin";
};
};
logging = {
loggers = {
mau = {
level = "WARN";
};
telethon = {
level = "WARN";
};
};
root = {
handlers = [
"console"
];
level = "WARN";
};
};
}; };
};
mautrix-signal = {
enable = true;
registerToSynapse = true;
environmentFile = config.age.secrets."services/matrix/mautrix-signal.env".path;
settings = {
homeserver = {
address = "http://localhost:8008";
domain = "kabtop.de";
};
appservice = {
hostname = "127.0.0.1";
id = "signal";
as_token = "$MAUTRIX_SIGNAL_AS_TOKEN";
hs_token = "$MAUTRIX_SIGNAL_HS_TOKEN";
};
database = {
type = "postgres";
uri = "$MAUTRIX_SIGNAL_APPSERVICE_DATABASE";
};
encryption = {
allow = true;
default = true;
verification_levels = {
receive = "cross-signed-untrusted";
send = "cross-signed-untrusted";
};
pickle_key = "$MAUTRIX_SIGNAL_ENCRYPTION_PICKLE_KEY";
};
backfill = {
enabled = true;
};
bridge = {
permissions = {
"@kabbone:kabtop.de" = "admin";
};
};
logging = {
min_level = "warn";
writers = [
{
format = "pretty-colored";
type = "stdout";
}
];
};
};
};
kabbone_mautrix-whatsapp = {
enable = true;
registerToSynapse = true;
environmentFile = config.age.secrets."services/matrix/mautrix-whatsapp.env".path;
settings = {
homeserver = {
address = "http://localhost:8008";
domain = "kabtop.de";
};
appservice = {
hostname = "127.0.0.1";
id = "whatsapp";
as_token = "$MAUTRIX_WHATSAPP_AS_TOKEN";
hs_token = "$MAUTRIX_WHATSAPP_HS_TOKEN";
};
database = {
type = "postgres";
uri = "$MAUTRIX_WHATSAPP_APPSERVICE_DATABASE";
};
encryption = {
allow = true;
default = true;
verification_levels = {
receive = "cross-signed-untrusted";
send = "cross-signed-untrusted";
};
pickle_key = "$MAUTRIX_WHATSAPP_ENCRYPTION_PICKLE_KEY";
};
network = {
history_sync.request_full_sync = true;
};
bridge = {
permissions = {
"@kabbone:kabtop.de" = "admin";
};
};
logging = {
min_level = "warn";
};
};
};
}; };
age.secrets."services/matrix/synapse.yml" = { age.secrets."services/matrix/synapse.yml" = {
file = ../../../secrets/services/matrix/synapse.age; file = ../../../secrets/services/matrix/synapse.age;
owner = "matrix-synapse"; owner = "matrix-synapse";
}; };
age.secrets."services/matrix/mautrix-telegram.env" = { age.secrets."services/matrix/mautrix-telegram.env" = {
file = ../../../secrets/services/matrix/mautrix-telegram.age; file = ../../../secrets/services/matrix/mautrix-telegram.age;
owner = "mautrix-telegram"; owner = "mautrix-telegram";
}; };
age.secrets."services/matrix/mautrix-whatsapp.env" = { age.secrets."services/matrix/mautrix-whatsapp.env" = {
file = ../../../secrets/services/matrix/mautrix-whatsapp.age; file = ../../../secrets/services/matrix/mautrix-whatsapp.age;
owner = "mautrix-whatsapp"; owner = "mautrix-whatsapp";
}; };
age.secrets."services/matrix/mautrix-signal.env" = { age.secrets."services/matrix/mautrix-signal.env" = {
file = ../../../secrets/services/matrix/mautrix-signal.age; file = ../../../secrets/services/matrix/mautrix-signal.age;
owner = "mautrix-signal"; owner = "mautrix-signal";
}; };
} }

56
modules/services/server/mealie.nix
View File

@@ -1,36 +1,36 @@
{ config, pkgs, ... }:
{ {
config,
services.mealie = { pkgs,
enable = true; ...
listenAddress = "127.0.0.1"; }: {
credentialsFile = config.age.secrets."services/mealie/credentialsFile".path; services.mealie = {
settings = { enable = true;
ALLOW_SIGNUP = "false"; listenAddress = "127.0.0.1";
DB_ENGINE = "postgres"; credentialsFile = config.age.secrets."services/mealie/credentialsFile".path;
TZ = "Europe/Berlin"; settings = {
}; ALLOW_SIGNUP = "false";
DB_ENGINE = "postgres";
TZ = "Europe/Berlin";
}; };
};
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts = { virtualHosts = {
"mealie.kabtop.de" = { "mealie.kabtop.de" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/".proxyPass = "http://localhost:9000"; locations."/".proxyPass = "http://localhost:9000";
};
}; };
}; };
};
age.secrets."services/mealie/credentialsFile" = { age.secrets."services/mealie/credentialsFile" = {
file = ../../../secrets/services/mealie/credentialsFile.age; file = ../../../secrets/services/mealie/credentialsFile.age;
owner = "mealie"; owner = "mealie";
}; };
security.acme.defaults.email = "webmaster@kabtop.de";
security.acme.defaults.webroot = "/var/lib/acme/acme-challenge";
security.acme.acceptTerms = true;
security.acme.defaults.email = "webmaster@kabtop.de";
security.acme.defaults.webroot = "/var/lib/acme/acme-challenge";
security.acme.acceptTerms = true;
} }

116
modules/services/server/microvm.nix
View File

@@ -1,48 +1,55 @@
{ config, microvm, lib, pkgs, user, agenix, impermanence, ... }:
let
name = "gitea-runner";
in
{ {
config,
microvm,
lib,
pkgs,
user,
agenix,
impermanence,
...
}: let
name = "gitea-runner";
in {
microvm = { microvm = {
autostart = [ autostart = [
name name
]; ];
vms = { vms = {
${name} = { ${name} = {
inherit pkgs; inherit pkgs;
config = { config = {
imports = imports =
[ agenix.nixosModules.default ] ++ [agenix.nixosModules.default]
[ impermanence.nixosModules.impermanence ] ++ ++ [impermanence.nixosModules.impermanence]
[( ./gitea_runner.nix )]; ++ [(./gitea_runner.nix)];
networking = { networking = {
hostName = "${name}"; hostName = "${name}";
firewall = { firewall = {
enable = true; enable = true;
allowedUDPPorts = [ ]; allowedUDPPorts = [];
allowedTCPPorts = [ ]; allowedTCPPorts = [];
}; };
}; };
systemd.network = { systemd.network = {
enable = true; enable = true;
networks = { networks = {
"10-lan" = { "10-lan" = {
matchConfig.Name = "*"; matchConfig.Name = "*";
networkConfig = { networkConfig = {
DHCP = "yes"; DHCP = "yes";
IPv6AcceptRA = true; IPv6AcceptRA = true;
}; };
};
}; };
};
}; };
users.users.${user} = { # System User users.users.${user} = {
# System User
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" ]; extraGroups = ["wheel"];
uid = 2000; uid = 2000;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIANmaraVJ/o20c4dqVnGLp/wGck9QNHFPvO9jcEbKS29AAAABHNzaDo= kabbone@kabc" "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIANmaraVJ/o20c4dqVnGLp/wGck9QNHFPvO9jcEbKS29AAAABHNzaDo= kabbone@kabc"
@@ -56,30 +63,32 @@ in
enable = true; enable = true;
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;
hostKeys = [ hostKeys = [
{ {
path = "/persist/etc/ssh/ssh_host_ed25519_key"; path = "/persist/etc/ssh/ssh_host_ed25519_key";
type = "ed25519"; type = "ed25519";
} }
{ {
path = "/persist/etc/ssh/ssh_host_rsa_key"; path = "/persist/etc/ssh/ssh_host_rsa_key";
type = "rsa"; type = "rsa";
bits = 4096; bits = 4096;
}]; }
];
}; };
}; };
fileSystems."/persist".neededForBoot = lib.mkForce true; fileSystems."/persist".neededForBoot = lib.mkForce true;
environment = { environment = {
systemPackages = with pkgs; [ # Default packages install system-wide systemPackages = with pkgs; [
bash # Default packages install system-wide
coreutils bash
curl coreutils
gawk curl
gitMinimal gawk
gnused gitMinimal
nodejs gnused
wget nodejs
wget
]; ];
persistence."/persist" = { persistence."/persist" = {
directories = [ directories = [
@@ -100,23 +109,26 @@ in
mem = 4096; mem = 4096;
#kernel = pkgs.linuxKernel.packages.linux_latest; #kernel = pkgs.linuxKernel.packages.linux_latest;
interfaces = [ interfaces = [
{ {
type = "user"; type = "user";
id = "vm-${name}"; id = "vm-${name}";
mac = "04:00:00:00:00:01"; mac = "04:00:00:00:00:01";
} ]; }
shares = [{ ];
source = "/nix/store"; shares = [
mountPoint = "/nix/.ro-store"; {
tag = "ro-store"; source = "/nix/store";
proto = "virtiofs"; mountPoint = "/nix/.ro-store";
} tag = "ro-store";
{ proto = "virtiofs";
source = "/etc/vm-persist/${name}"; }
mountPoint = "/persist"; {
tag = "persist"; source = "/etc/vm-persist/${name}";
proto = "virtiofs"; mountPoint = "/persist";
}]; tag = "persist";
proto = "virtiofs";
}
];
#writableStoreOverlay = "/nix/.rw-store"; #writableStoreOverlay = "/nix/.rw-store";
#storeOnDisk = true; #storeOnDisk = true;
}; };

149
modules/services/server/nextcloud.nix
View File

@@ -1,35 +1,37 @@
{ config, pkgs, ... }:
{ {
services.nextcloud = { config,
enable = true; pkgs,
hostName = "cloud.kabtop.de"; ...
https = true; }: {
package = pkgs.nextcloud32; services.nextcloud = {
database.createLocally = false; enable = true;
notify_push.enable = false; hostName = "cloud.kabtop.de";
enableImagemagick = true; https = true;
maxUploadSize = "512M"; package = pkgs.nextcloud32;
caching = { database.createLocally = false;
redis = true; notify_push.enable = false;
apcu = true; enableImagemagick = true;
}; maxUploadSize = "512M";
imaginary.enable = true; caching = {
settings = { redis = true;
log_type = "file"; apcu = true;
logfile = "nextcloud.log"; };
overwriteprotocol = "https"; imaginary.enable = true;
default_phone_region = "DE"; settings = {
log_type = "file";
logfile = "nextcloud.log";
overwriteprotocol = "https";
default_phone_region = "DE";
redis = { redis = {
host = "/run/redis-nextcloud/redis.sock"; host = "/run/redis-nextcloud/redis.sock";
port = 0; port = 0;
}; };
"memcache.local" = "\\OC\\Memcache\\APCu"; "memcache.local" = "\\OC\\Memcache\\APCu";
"memcache.distributed" = "\\OC\\Memcache\\Redis"; "memcache.distributed" = "\\OC\\Memcache\\Redis";
"memcache.locking" = "\\OC\\Memcache\\Redis"; "memcache.locking" = "\\OC\\Memcache\\Redis";
"enable_previews" = true; "enable_previews" = true;
"enabledPreviewproviders" = " "enabledPreviewproviders" = "
array ( array (
'OC\Preview\PNG', 'OC\Preview\PNG',
'OC\Preview\JPEG', 'OC\Preview\JPEG',
@@ -43,57 +45,56 @@
'OC\Preview\Krita', 'OC\Preview\Krita',
'OC\Preview\HEIC', 'OC\Preview\HEIC',
)"; )";
"maintenance_window_start" = "1"; "maintenance_window_start" = "1";
};
config = {
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "localhost";
dbname = "nextclouddb";
adminuser = "kabbone";
adminpassFile = config.age.secrets."services/nextcloud/adminpassFile".path;
dbpassFile = config.age.secrets."services/nextcloud/dbpassFile".path;
};
phpOptions = {
"opcache.interned_strings_buffer" = "16";
};
}; };
config = {
services.redis = { dbtype = "pgsql";
vmOverCommit = true; dbuser = "nextcloud";
servers.nextcloud = { dbhost = "localhost";
enable = true; dbname = "nextclouddb";
user = "nextcloud"; adminuser = "kabbone";
port = 0; adminpassFile = config.age.secrets."services/nextcloud/adminpassFile".path;
}; dbpassFile = config.age.secrets."services/nextcloud/dbpassFile".path;
}; };
phpOptions = {
"opcache.interned_strings_buffer" = "16";
};
};
services.nginx = { services.redis = {
vmOverCommit = true;
servers.nextcloud = {
enable = true; enable = true;
virtualHosts = { user = "nextcloud";
"${config.services.nextcloud.hostName}" = { port = 0;
enableACME = true; };
forceSSL = true; };
};
services.nginx = {
enable = true;
virtualHosts = {
"${config.services.nextcloud.hostName}" = {
enableACME = true;
forceSSL = true;
}; };
}; };
};
age.secrets."services/nextcloud/dbpassFile" = { age.secrets."services/nextcloud/dbpassFile" = {
file = ../../../secrets/services/nextcloud/dbpassFile.age; file = ../../../secrets/services/nextcloud/dbpassFile.age;
owner = "nextcloud"; owner = "nextcloud";
}; };
age.secrets."services/nextcloud/adminpassFile" = { age.secrets."services/nextcloud/adminpassFile" = {
file = ../../../secrets/services/nextcloud/adminpassFile.age; file = ../../../secrets/services/nextcloud/adminpassFile.age;
owner = "nextcloud"; owner = "nextcloud";
}; };
systemd.services."nextcloud-setup" = { systemd.services."nextcloud-setup" = {
requires = ["postgresql.service"]; requires = ["postgresql.service"];
after = ["postgresql.service"]; after = ["postgresql.service"];
}; };
security.acme.defaults.email = "webmaster@kabtop.de";
security.acme.defaults.webroot = "/var/lib/acme/acme-challenge";
security.acme.acceptTerms = true;
security.acme.defaults.email = "webmaster@kabtop.de";
security.acme.defaults.webroot = "/var/lib/acme/acme-challenge";
security.acme.acceptTerms = true;
} }

23
modules/services/server/ollama.nix
View File

@@ -1,9 +1,10 @@
{ config, pkgs, ... }:
let
ollamahostname = "llm.kabtop.de";
in
{ {
config,
pkgs,
...
}: let
ollamahostname = "llm.kabtop.de";
in {
virtualisation.oci-containers.containers."open-webui" = { virtualisation.oci-containers.containers."open-webui" = {
autoStart = true; autoStart = true;
image = "ghcr.io/open-webui/open-webui:ollama"; image = "ghcr.io/open-webui/open-webui:ollama";
@@ -11,17 +12,17 @@ in
"/var/lib/open-webui:/app/backend/data" "/var/lib/open-webui:/app/backend/data"
]; ];
hostname = "open-webui"; hostname = "open-webui";
ports = [ "8081:8080" ]; ports = ["8081:8080"];
}; };
services = { services = {
nginx = { nginx = {
virtualHosts = { virtualHosts = {
${ollamahostname} = { ${ollamahostname} = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/".proxyPass = "http://localhost:8081"; locations."/".proxyPass = "http://localhost:8081";
}; };
}; };
}; };
}; };

55
modules/services/server/postgresql.nix
View File

@@ -1,37 +1,39 @@
# #
# System notifications # System notifications
# #
{ config, lib, pkgs, ... }:
{ {
# imports = [ ./postgresql_upgrade.nix ]; config,
lib,
pkgs,
...
}: {
# imports = [ ./postgresql_upgrade.nix ];
services.postgresql = { services.postgresql = {
enable = true; enable = true;
package = pkgs.postgresql_16; package = pkgs.postgresql_16;
settings = { settings = {
max_connections = 200; max_connections = 200;
listen_addresses = "localhost"; listen_addresses = "localhost";
password_encryption = "scram-sha-256"; password_encryption = "scram-sha-256";
shared_buffers = "4GB"; shared_buffers = "4GB";
work_mem = "2GB"; work_mem = "2GB";
maintenance_work_mem = "500MB"; maintenance_work_mem = "500MB";
autovacuum_work_mem = -1; autovacuum_work_mem = -1;
log_timezone = "Europe/Berlin"; log_timezone = "Europe/Berlin";
timezone = "Europe/Berlin"; timezone = "Europe/Berlin";
}; };
authentication = pkgs.lib.mkOverride 14 '' authentication = pkgs.lib.mkOverride 14 ''
local all postgres peer local all postgres peer
host giteadb gitea localhost scram-sha-256 host giteadb gitea localhost scram-sha-256
host nextclouddb nextcloud localhost scram-sha-256 host nextclouddb nextcloud localhost scram-sha-256
host synapsedb synapse localhost scram-sha-256 host synapsedb synapse localhost scram-sha-256
host whatsappdb mautrixwa localhost scram-sha-256 host whatsappdb mautrixwa localhost scram-sha-256
host telegramdb mautrixtele localhost scram-sha-256 host telegramdb mautrixtele localhost scram-sha-256
host signaldb mautrixsignal localhost scram-sha-256 host signaldb mautrixsignal localhost scram-sha-256
host mealie mealie localhost scram-sha-256 host mealie mealie localhost scram-sha-256
host onlyoffice onlyoffice localhost scram-sha-256 host onlyoffice onlyoffice localhost scram-sha-256
local onlyoffice onlyoffice peer local onlyoffice onlyoffice peer
local hydra all ident map=hydra-users local hydra all ident map=hydra-users
''; '';
identMap = '' identMap = ''
hydra-users hydra hydra hydra-users hydra hydra
@@ -47,8 +49,7 @@
services.postgresqlBackup.enable = true; services.postgresqlBackup.enable = true;
age.secrets."services/postgresql/initScript.sql" = { age.secrets."services/postgresql/initScript.sql" = {
file = ../../../secrets/services/postgresql/initScript.age; file = ../../../secrets/services/postgresql/initScript.age;
owner = "postgres"; owner = "postgres";
}; };
} }

39
modules/services/server/postgresql_upgrade.nix
View File

@@ -1,5 +1,9 @@
{ config, lib, pkgs, ... }:
{ {
config,
lib,
pkgs,
...
}: {
environment.systemPackages = [ environment.systemPackages = [
(let (let
# XXX specify the postgresql package you'd like to upgrade to. # XXX specify the postgresql package you'd like to upgrade to.
@@ -8,26 +12,27 @@
# pp.plv8 # pp.plv8
]); ]);
cfg = config.services.postgresql; cfg = config.services.postgresql;
in pkgs.writeScriptBin "upgrade-pg-cluster" '' in
set -eux pkgs.writeScriptBin "upgrade-pg-cluster" ''
# XXX it's perhaps advisable to stop all services that depend on postgresql set -eux
systemctl stop postgresql # XXX it's perhaps advisable to stop all services that depend on postgresql
systemctl stop postgresql
export NEWDATA="/var/lib/postgresql/${newPostgres.psqlSchema}" export NEWDATA="/var/lib/postgresql/${newPostgres.psqlSchema}"
export NEWBIN="${newPostgres}/bin" export NEWBIN="${newPostgres}/bin"
export OLDDATA="${cfg.dataDir}" export OLDDATA="${cfg.dataDir}"
export OLDBIN="${cfg.package}/bin" export OLDBIN="${cfg.package}/bin"
install -d -m 0700 -o postgres -g postgres "$NEWDATA" install -d -m 0700 -o postgres -g postgres "$NEWDATA"
cd "$NEWDATA" cd "$NEWDATA"
sudo -u postgres $NEWBIN/initdb -D "$NEWDATA" ${lib.escapeShellArgs cfg.initdbArgs} sudo -u postgres $NEWBIN/initdb -D "$NEWDATA" ${lib.escapeShellArgs cfg.initdbArgs}
sudo -u postgres $NEWBIN/pg_upgrade \ sudo -u postgres $NEWBIN/pg_upgrade \
--old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \ --old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \
--old-bindir $OLDBIN --new-bindir $NEWBIN \ --old-bindir $OLDBIN --new-bindir $NEWBIN \
"$@" "$@"
'') '')
]; ];
} }

71
modules/services/server/woodpecker.nix
View File

@@ -1,11 +1,14 @@
# #
# CI/CD Woodpecker # CI/CD Woodpecker
# #
{ config, lib, pkgs, ... }:
{ {
environment.systemPackages = with pkgs; [ # Default packages install system-wide config,
lib,
pkgs,
...
}: {
environment.systemPackages = with pkgs; [
# Default packages install system-wide
woodpecker-server woodpecker-server
woodpecker-cli woodpecker-cli
]; ];
@@ -28,35 +31,35 @@
systemd.services = { systemd.services = {
woodpecker-server = { woodpecker-server = {
description = "CI/CD Pipeline Server"; description = "CI/CD Pipeline Server";
wantedBy = [ "multi-user.target" ]; wantedBy = ["multi-user.target"];
after = [ "network.target" "postgresql.service" ]; after = ["network.target" "postgresql.service"];
requires = [ "postgresql.service" ]; requires = ["postgresql.service"];
script = "${pkgs.woodpecker-server}/bin/woodpecker-server"; script = "${pkgs.woodpecker-server}/bin/woodpecker-server";
serviceConfig = { serviceConfig = {
User="woodpecker"; User = "woodpecker";
Group="woodpecker"; Group = "woodpecker";
Environment="HOME=/var/lib/woodpecker"; Environment = "HOME=/var/lib/woodpecker";
EnvironmentFile=config.age.secrets."services/woodpecker/environment".path; EnvironmentFile = config.age.secrets."services/woodpecker/environment".path;
ReadWritePaths="/var/lib/woodpecker /var/log/woodpecker"; ReadWritePaths = "/var/lib/woodpecker /var/log/woodpecker";
NoNewPrivileges=true; NoNewPrivileges = true;
MemoryDenyWriteExecute=true; MemoryDenyWriteExecute = true;
PrivateDevices=true; PrivateDevices = true;
PrivateTmp=true; PrivateTmp = true;
ProtectHome=true; ProtectHome = true;
ProtectSystem="strict"; ProtectSystem = "strict";
ProtectControlGroups=true; ProtectControlGroups = true;
RestrictSUIDSGID=true; RestrictSUIDSGID = true;
RestrictRealtime=true; RestrictRealtime = true;
LockPersonality=true; LockPersonality = true;
ProtectKernelLogs=true; ProtectKernelLogs = true;
ProtectKernelTunables=true; ProtectKernelTunables = true;
ProtectHostname=true; ProtectHostname = true;
ProtectKernelModules=true; ProtectKernelModules = true;
PrivateUsers=true; PrivateUsers = true;
ProtectClock=true; ProtectClock = true;
SystemCallArchitectures="native"; SystemCallArchitectures = "native";
SystemCallErrorNumber="EPERM"; SystemCallErrorNumber = "EPERM";
SystemCallFilter="@system-service"; SystemCallFilter = "@system-service";
}; };
}; };
}; };
@@ -81,9 +84,7 @@
}; };
age.secrets."services/woodpecker/environment" = { age.secrets."services/woodpecker/environment" = {
file = ../../../secrets/services/woodpecker/environment.age; file = ../../../secrets/services/woodpecker/environment.age;
owner = "woodpecker"; owner = "woodpecker";
}; };
} }

1
modules/shell/default.nix
View File

@@ -9,7 +9,6 @@
# └─ default.nix * # └─ default.nix *
# └─ ... # └─ ...
# #
[ [
./git.nix ./git.nix
./tmux.nix ./tmux.nix

49
modules/shell/tmux.nix
View File

@@ -1,10 +1,7 @@
# #
# Tmux # Tmux
# #
{pkgs, ...}: {
{ pkgs, ... }:
{
programs = { programs = {
tmux = { tmux = {
enable = true; enable = true;
@@ -17,24 +14,24 @@
shortcut = "Space"; shortcut = "Space";
baseIndex = 1; baseIndex = 1;
plugins = with pkgs.tmuxPlugins; [ plugins = with pkgs.tmuxPlugins; [
yank yank
sidebar sidebar
# { # {
# plugin = dracula; # plugin = dracula;
# extraConfig = " # extraConfig = "
# set -g @dracula-show-powerline true # set -g @dracula-show-powerline true
# set -g @dracula-plugins 'git cpu-usage ram-usage battery time' # set -g @dracula-plugins 'git cpu-usage ram-usage battery time'
# set -g @dracula-border-contrast true # set -g @dracula-border-contrast true
# "; # ";
# plugin = catppuccin; # plugin = catppuccin;
# extraConfig = " # extraConfig = "
# set -g @catppuccin_flavour 'macchiato' # set -g @catppuccin_flavour 'macchiato'
# set -g @catppuccin_window_tabs_enabled 'on' # set -g @catppuccin_window_tabs_enabled 'on'
# set -g @catppuccin_host 'on' # set -g @catppuccin_host 'on'
# set -g @catppuccin_user 'on' # set -g @catppuccin_user 'on'
# set -g @catppuccin_date_time '%Y-%m-%d %H:%M' # set -g @catppuccin_date_time '%Y-%m-%d %H:%M'
# "; # ";
# } # }
]; ];
extraConfig = '' extraConfig = ''
set -g mouse on set -g mouse on
@@ -45,7 +42,7 @@
bind-key v split-window -v -c "#{pane_current_path}" bind-key v split-window -v -c "#{pane_current_path}"
unbind '"' unbind '"'
unbind '%' unbind '%'
# moving between windows with vim movement keys # moving between windows with vim movement keys
bind m select-pane -L bind m select-pane -L
bind n select-pane -D bind n select-pane -D
@@ -55,19 +52,19 @@
# moving between windows with vim movement keys # moving between windows with vim movement keys
bind -r C-m select-window -t :- bind -r C-m select-window -t :-
bind -r C-i select-window -t :+ bind -r C-i select-window -t :+
# Vim style X clipboard integration # Vim style X clipboard integration
bind-key -T copy-mode-vi 'v' send-keys -X begin-selection bind-key -T copy-mode-vi 'v' send-keys -X begin-selection
bind-key -T copy-mode-vi C-v send-keys -X rectangle-toggle bind-key -T copy-mode-vi C-v send-keys -X rectangle-toggle
bind-key -T copy-mode-vi 'y' send-keys -X copy-selection-and-cancel bind-key -T copy-mode-vi 'y' send-keys -X copy-selection-and-cancel
bind-key P run "xsel -o | tmux load-buffer - ; tmux paste-buffer" bind-key P run "xsel -o | tmux load-buffer - ; tmux paste-buffer"
# resize panes with vim movement keys # resize panes with vim movement keys
bind -r M resize-pane -L 5 bind -r M resize-pane -L 5
bind -r N resize-pane -D 5 bind -r N resize-pane -D 5
bind -r E resize-pane -U 5 bind -r E resize-pane -U 5
bind -r I resize-pane -R 5 bind -r I resize-pane -R 5
# bindings for pane joining and breaking # bindings for pane joining and breaking
bind < split-window -h \; choose-window 'kill-pane ; join-pane -hs %%' bind < split-window -h \; choose-window 'kill-pane ; join-pane -hs %%'
bind > break-pane -d bind > break-pane -d

40
modules/shell/zsh.nix
View File

@@ -1,39 +1,37 @@
# #
# Shell # Shell
# #
{pkgs, ...}: {
{ pkgs, ... }:
{
programs = { programs = {
zsh = { zsh = {
enable = true; enable = true;
autosuggestion.enable = true; # Auto suggest options and highlights syntact, searches in history for options autosuggestion.enable = true; # Auto suggest options and highlights syntact, searches in history for options
syntaxHighlighting.enable = true; syntaxHighlighting.enable = true;
history.size = 10000; history.size = 10000;
oh-my-zsh = { # Extra plugins for zsh oh-my-zsh = {
# Extra plugins for zsh
enable = true; enable = true;
plugins = [ "git" ]; plugins = ["git"];
#custom = "$HOME/.config/zsh_nix/custom"; #custom = "$HOME/.config/zsh_nix/custom";
}; };
initContent = '' initContent = ''
if [[ $WAYLAND_DISPLAY ]]; then if [[ $WAYLAND_DISPLAY ]]; then
[[ $- != *i* ]] && return [[ $- != *i* ]] && return
[[ -z "$TMUX" ]] && (tmux attach || tmux new-session) [[ -z "$TMUX" ]] && (tmux attach || tmux new-session)
fi fi
# Spaceship # Spaceship
source ${pkgs.spaceship-prompt}/share/zsh/site-functions/prompt_spaceship_setup source ${pkgs.spaceship-prompt}/share/zsh/site-functions/prompt_spaceship_setup
autoload -U promptinit; promptinit autoload -U promptinit; promptinit
# source $HOME/.config/shell/shell_init # source $HOME/.config/shell/shell_init
# Hook direnv # Hook direnv
# emulate zsh -c "$(direnv hook zsh)" # emulate zsh -c "$(direnv hook zsh)"
# Swag # Swag
pfetch # Show fetch logo on terminal start pfetch # Show fetch logo on terminal start
eval "$(direnv hook zsh)" eval "$(direnv hook zsh)"
eval "$(ssh-agent)" eval "$(ssh-agent)"
''; '';
}; };
}; };

37
modules/wm/default.nix
View File

@@ -1,16 +1,29 @@
{ pkgs, lib, config, ... }:
with lib;
{ {
# NOTE: Dynamic imports based on option values are not supported in NixOS modules. pkgs,
# To conditionally load a WM, either import all WM modules and use mkIf in each, lib,
# or select the WM module directly in the host configuration. config,
imports = []; ...
}:
with lib; {
# NOTE: Dynamic imports based on option values are not supported in NixOS modules.
# To conditionally load a WM, either import all WM modules and use mkIf in each,
# or select the WM module directly in the host configuration.
imports = [];
options = { options = {
desktop = { desktop = {
wm = mkOption { type = types.str; default = "sway"; }; wm = mkOption {
taskbar = mkOption { type = types.str; default = "waybar"; }; type = types.str;
launcher = mkOption { type = types.str; default = "bemenu"; }; default = "sway";
}; };
taskbar = mkOption {
type = types.str;
default = "waybar";
};
launcher = mkOption {
type = types.str;
default = "bemenu";
};
}; };
};
} }

8
modules/wm/kde/home.nix
View File

@@ -10,8 +10,10 @@
# └─ ./gnome # └─ ./gnome
# └─ home.nix * # └─ home.nix *
# #
{ config, lib, pkgs, ... }:
{ {
config,
lib,
pkgs,
...
}: {
} }

Some files were not shown because too many files have changed in this diff Show More