Kabbone/nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

format the repo files

Browse Source
This commit is contained in:
Kabbone
2026-04-26 10:27:50 +02:00
parent 92fd97c9a2
commit b319cd93e9
116 changed files with 4726 additions and 4247 deletions
Download Patch File Download Diff File Expand all files Collapse all files

108
CLAUDE.md Normal file
View File

@@ -0,0 +1,108 @@
# CLAUDE.md
This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
## What This Repo Is
A NixOS flake configuration managing multiple hosts (desktops, laptops, servers). All hosts share common settings via `hosts/configuration_common.nix` and are assembled in `hosts/default.nix`.
## Common Commands
```bash
# Format all nix files
nix fmt
# Build a host configuration (no activation)
nixos-rebuild build --flake .#<host>
# Switch the current host
sudo nixos-rebuild switch --flake .#<host>
# Build a custom package
nix build .#<package>
# Edit an age-encrypted secret
agenix -e secrets/<path>.age
# Re-key all secrets after adding a new host key to secrets/secrets.nix
agenix -r
```
## Architecture
### Entry Points
- `flake.nix` — defines inputs (nixpkgs stable=25.11, unstable, home-manager, agenix, lanzaboote, jovian-nixos, microvm, impermanence, noctalia) and calls `hosts/default.nix` for `nixosConfigurations`
- `hosts/default.nix` — instantiates every host via `lib.nixosSystem`; contains the `mkHM` helper that wires home-manager into a host's modules list
### Host Structure
Each host lives in `hosts/<name>/`:
- `default.nix` — imports either `../../modules/desktop` or `../../modules/server`, sets the module options (`myDesktop.*` / `myServer.*`), and adds host-specific settings
- `home.nix` — host-specific home-manager config (merged with `hosts/home.nix` for desktops or `hosts/home_server.nix` for servers)
- `hardware-configuration.nix` — generated hardware config
Shared host-level files:
- `hosts/configuration_common.nix` — applied to every host: SSH (key-only, no root), locale, nix GC/settings, zsh, fonts, auto-upgrade flake URL
- `hosts/home.nix` — desktop home-manager base
- `hosts/home_server.nix` — server home-manager base
### Module System
Two top-level NixOS modules expose all major knobs as typed options:
**`modules/desktop/default.nix`** — `myDesktop.*`
- `windowManager`: `"niri"` (default) | `"sway"` | `"kde"`
- `cpu`: `"amd"` | `"intel"` | `"none"` — selects KVM kernel params
- `virtualisation.enable` — podman (docker-compat) + qemu/libvirt + virt-manager
- `syncthing.{enable,devices,folders}`
- `openrgb.{enable,motherboard}`
- `laptop.{enable,lidSwitch,hibernateDelaySec}`
- `nitrokey.enable`
- `niri.hotkeyVariant`: `"default"` | `"lifebook"`
- `git.signingKey` — SSH key for commit signing
- `extraSystemPackages`
**`modules/server/default.nix`** — `myServer.*`
- `sshPort` (default 2220)
- `virtualisation.{enable,cpu}` — podman only (no libvirt)
- `fail2ban.enable`
- `autoUpgrade.enable` (default true)
- `uid`, `sudoRequiresPassword`, `extraGroups`, `extraSystemPackages`
Service bundles are imported as lists in host `default.nix`:
- `modules/services/server/` — kabtop services (gitea, nextcloud, matrix, coturn, hydra, mealie, etc.)
- `modules/services/nas/` — jupiter services (nfs, vaultwarden, syncthing, paperless)
- `modules/services/dmz/` — dmz services (gitea runner microVM)
- `modules/services/kabtopci/` — kabtopci services (hydra, gitea runner)
- `modules/services/nasbackup/` — nasbak backup jobs
### Secrets (agenix)
`secrets/secrets.nix` declares which age public keys (users + host SSH keys) can decrypt each `.age` file. Add a new host: add its `ssh-ed25519` host key to `secrets/secrets.nix` in the relevant groups, then run `agenix -r` to re-key.
### Custom Packages & Overlays
- `packages/` — custom packages (e.g. `corosync-qdevice`), imported at `flake.nix` level
- `overlays/` — nixpkgs overlays applied globally
- Per-host overlays: set `nixpkgs.overlays` inside the host's `default.nix` so only that host is affected
### Disk Layouts
`disko/` contains reusable disko modules: `btrfs.nix`, `btrfs_luks.nix`, `nas_luks.nix` — referenced during initial install.
## Active Hosts
| Host | Role | WM / Notes |
|---|---|---|
| hades | Desktop | niri, AMD, Secure Boot (lanzaboote) |
| lifebook | Laptop | niri, Intel, Secure Boot |
| steamdeck | Gaming | KDE/Jovian-NixOS, Secure Boot |
| kabtop | Main server | gitea, nextcloud, matrix+bridges, coturn, hydra, mealie |
| kabtopci | CI server | hydra, nix-serve |
| jupiter | NAS | nfs, vaultwarden, syncthing, paperless |
| dmz | DMZ | gitea Actions homerunner microVM |
| nasbak | NAS backup | — |
| kubemaster-1 | K8s master | — |
See `SERVICES.md` for port-level service details per host.

16
disko/btrfs.nix
View File

@@ -13,7 +13,7 @@
content = {
type = "filesystem";
format = "vfat";
extraArgs = [ "-n" "NIXBOOT" ];
extraArgs = ["-n" "NIXBOOT"];
mountpoint = "/boot";
mountOptions = [
"defaults"
@@ -24,31 +24,31 @@
size = "100%";
content = {
type = "btrfs";
extraArgs = [ "-f" "-L" "NIXROOT" ];
extraArgs = ["-f" "-L" "NIXROOT"];
subvolumes = {
"@" = {
mountpoint = "/";
mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ];
mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
};
"@home" = {
mountpoint = "/home";
mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ];
mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
};
"@nix" = {
mountpoint = "/nix";
mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ];
mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
};
"@snapshots" = {
mountpoint = "/mnt";
mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ];
mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
};
"@srv" = {
mountpoint = "/srv";
mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ];
mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
};
"@var" = {
mountpoint = "/var";
mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ];
mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
};
"@swap" = {
mountpoint = "/swap";

18
disko/btrfs_luks.nix
View File

@@ -13,7 +13,7 @@
content = {
type = "filesystem";
format = "vfat";
extraArgs = [ "-n NIXBOOT" ];
extraArgs = ["-n NIXBOOT"];
mountpoint = "/boot";
mountOptions = [
"defaults"
@@ -33,35 +33,35 @@
};
content = {
type = "btrfs";
extraArgs = [ "-f -L NIXROOT" ];
extraArgs = ["-f -L NIXROOT"];
subvolumes = {
"@" = {
mountpoint = "/";
mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ];
mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
};
"@home" = {
mountpoint = "/home";
mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ];
mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
};
"@nix" = {
mountpoint = "/nix";
mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ];
mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
};
"@opt" = {
mountpoint = "/opt";
mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ];
mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
};
"@snapshots" = {
mountpoint = "/mnt";
mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ];
mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
};
"@srv" = {
mountpoint = "/srv";
mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ];
mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
};
"@var" = {
mountpoint = "/var";
mountOptions = [ "compress=zstd" "noatime" "ssd" "discard=async" ];
mountOptions = ["compress=zstd" "noatime" "ssd" "discard=async"];
};
"@swap" = {
mountpoint = "/swap";

19
flake.nix
View File

@@ -5,7 +5,6 @@
# flake.nix *
# ├─ ./hosts
# │ └─ default.nix
{
description = "Kabbone's personal NixOS Flake config";
@@ -21,12 +20,14 @@
impermanence.url = "github:nix-community/impermanence";
home-manager = { # User Package Management
home-manager = {
# User Package Management
url = "github:nix-community/home-manager/release-25.11";
inputs.nixpkgs.follows = "nixpkgs";
};
home-manager-unstable = { # User Package Management
home-manager-unstable = {
# User Package Management
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs-unstable";
};
@@ -50,7 +51,6 @@
url = "github:noctalia-dev/noctalia-shell";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = {
@@ -67,17 +67,16 @@
lanzaboote,
noctalia,
...
} @ inputs:
let
} @ inputs: let
systems = [
# "aarch64-linux"
# "aarch64-linux"
"x86_64-linux"
];
forAllSystems = nixpkgs.lib.genAttrs systems;
in {
# Your custom packages
# Accessible through 'nix build', 'nix shell', etc
packages = forAllSystems (system: import ./packages { pkgs = nixpkgs.legacyPackages.${system}; });
packages = forAllSystems (system: import ./packages {pkgs = nixpkgs.legacyPackages.${system};});
# Formatter for your nix files, available through 'nix fmt'
# Other options beside 'alejandra' include 'nixpkgs-fmt'
formatter = forAllSystems (system: nixpkgs.legacyPackages.${system}.alejandra);
@@ -91,9 +90,9 @@
# These are usually stuff you would upstream into home-manager
#homeManagerModules = import ./modules/home-manager;
nixosConfigurations = ( # NixOS configurations
import ./hosts { # Imports ./hosts/default.nix
import ./hosts {
# Imports ./hosts/default.nix
inherit (nixpkgs) lib;
inherit inputs nixpkgs nixpkgs-unstable nixos-hardware home-manager home-manager-unstable agenix jovian-nixos microvm impermanence lanzaboote; # Also inherit home-manager so it does not need to be defined here.
}

14
hosts/configuration_common.nix
View File

@@ -2,10 +2,16 @@
# Common configuration shared by all hosts (desktop and server).
# Imported by configuration_desktop.nix and configuration_server.nix.
#
{ config, lib, pkgs, inputs, user, location, agenix, ... }:
{
config,
lib,
pkgs,
inputs,
user,
location,
agenix,
...
}: {
imports = [
../modules/hardware/hydraCache.nix
];
@@ -86,7 +92,7 @@
nix = {
settings = {
auto-optimise-store = true;
allowed-users = [ "@wheel" ];
allowed-users = ["@wheel"];
};
gc = {
automatic = true;

16
hosts/configuration_server.nix
View File

@@ -2,10 +2,16 @@
# Server configuration. Imports configuration_common.nix for shared settings.
# Service modules are imported per-host.
#
{ config, lib, pkgs, inputs, user, location, agenix, ... }:
{
config,
lib,
pkgs,
inputs,
user,
location,
agenix,
...
}: {
imports = [
./configuration_common.nix
];
@@ -13,7 +19,7 @@
users.users.${user} = {
isNormalUser = true;
uid = 3000;
extraGroups = [ "wheel" "networkmanager" "kvm" "libvirtd" ];
extraGroups = ["wheel" "networkmanager" "kvm" "libvirtd"];
};
security.sudo.wheelNeedsPassword = true;
@@ -25,7 +31,7 @@
];
services.openssh = {
ports = [ 2220 ];
ports = [2220];
openFirewall = true;
};

176
hosts/default.nix
View File

@@ -12,10 +12,21 @@
# ├─ ./default.nix
# └─ ./home.nix
#
{ lib, inputs, nixpkgs, nixpkgs-unstable, nixos-hardware, home-manager, home-manager-unstable, agenix, jovian-nixos, microvm, impermanence, lanzaboote, ... }:
let
{
lib,
inputs,
nixpkgs,
nixpkgs-unstable,
nixos-hardware,
home-manager,
home-manager-unstable,
agenix,
jovian-nixos,
microvm,
impermanence,
lanzaboote,
...
}: let
# Default user — desktop hosts share this; server hosts may override per-host
# by passing a different `user` value in their own specialArgs block.
defaultUser = "kabbone";
@@ -30,7 +41,10 @@ let
pkgs-kabbone = import ../packages {
inherit system;
pkgs = import nixpkgs { inherit system; config.allowUnfree = true; };
pkgs = import nixpkgs {
inherit system;
config.allowUnfree = true;
};
};
pkgs = import nixpkgs {
@@ -51,17 +65,20 @@ let
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.extraSpecialArgs = { inherit user; };
home-manager.extraSpecialArgs = {inherit user;};
home-manager.users.${user}.imports = hmImports;
}
];
in
{
hades = lib.nixosSystem { # Desktop profile
in {
hades = lib.nixosSystem {
# Desktop profile
inherit system;
specialArgs = { inherit inputs location nixos-hardware agenix microvm nixpkgs lanzaboote; user = defaultUser; };
modules = [
specialArgs = {
inherit inputs location nixos-hardware agenix microvm nixpkgs lanzaboote;
user = defaultUser;
};
modules =
[
agenix.nixosModules.default
microvm.nixosModules.host
lanzaboote.nixosModules.lanzaboote
@@ -71,116 +88,165 @@ in
nixos-hardware.nixosModules.common-cpu-amd
nixos-hardware.nixosModules.common-gpu-amd
nixos-hardware.nixosModules.common-pc-ssd
] ++ (mkHM home-manager defaultUser [ ./home.nix ./desktop/home.nix ]);
]
++ (mkHM home-manager defaultUser [./home.nix ./desktop/home.nix]);
};
lifebook = lib.nixosSystem { # Laptop profile
lifebook = lib.nixosSystem {
# Laptop profile
inherit system;
specialArgs = { inherit inputs location nixos-hardware agenix lanzaboote; user = defaultUser; };
modules = [
specialArgs = {
inherit inputs location nixos-hardware agenix lanzaboote;
user = defaultUser;
};
modules =
[
agenix.nixosModules.default
lanzaboote.nixosModules.lanzaboote
./lifebook # myDesktop options set inside
./configuration_common.nix
nixos-hardware.nixosModules.common-cpu-intel
nixos-hardware.nixosModules.common-pc-ssd
] ++ (mkHM home-manager defaultUser [ ./home.nix ./lifebook/home.nix ]);
]
++ (mkHM home-manager defaultUser [./home.nix ./lifebook/home.nix]);
};
steamdeck = nixpkgs-unstable.lib.nixosSystem { # steamdeck profile
steamdeck = nixpkgs-unstable.lib.nixosSystem {
# steamdeck profile
inherit system;
specialArgs = { inherit inputs location nixos-hardware agenix jovian-nixos lanzaboote; user = defaultUser; };
modules = [
specialArgs = {
inherit inputs location nixos-hardware agenix jovian-nixos lanzaboote;
user = defaultUser;
};
modules =
[
agenix.nixosModules.default
jovian-nixos.nixosModules.default
lanzaboote.nixosModules.lanzaboote
./steamdeck
./configuration_common.nix
] ++ (mkHM home-manager-unstable defaultUser [ ./home.nix ./steamdeck/home.nix ]);
]
++ (mkHM home-manager-unstable defaultUser [./home.nix ./steamdeck/home.nix]);
};
kabtop = lib.nixosSystem { # Server profile
kabtop = lib.nixosSystem {
# Server profile
inherit system;
specialArgs = { inherit inputs location nixos-hardware agenix impermanence; user = defaultUser; };
modules = [
specialArgs = {
inherit inputs location nixos-hardware agenix impermanence;
user = defaultUser;
};
modules =
[
agenix.nixosModules.default
microvm.nixosModules.host
./kabtop
./configuration_common.nix
nixos-hardware.nixosModules.common-cpu-amd
nixos-hardware.nixosModules.common-pc-ssd
] ++ (mkHM home-manager defaultUser [ ./home_server.nix ./kabtop/home.nix ]);
]
++ (mkHM home-manager defaultUser [./home_server.nix ./kabtop/home.nix]);
};
nasbak = lib.nixosSystem { # Server profile
nasbak = lib.nixosSystem {
# Server profile
inherit system;
specialArgs = { inherit inputs location nixos-hardware agenix; user = defaultUser; };
modules = [
specialArgs = {
inherit inputs location nixos-hardware agenix;
user = defaultUser;
};
modules =
[
agenix.nixosModules.default
./nasbackup
./configuration_common.nix
nixos-hardware.nixosModules.common-cpu-intel
nixos-hardware.nixosModules.common-pc-ssd
] ++ (mkHM home-manager defaultUser [ ./home_server.nix ./nasbackup/home.nix ]);
]
++ (mkHM home-manager defaultUser [./home_server.nix ./nasbackup/home.nix]);
};
jupiter = lib.nixosSystem { # Server profile
jupiter = lib.nixosSystem {
# Server profile
inherit system;
specialArgs = { inherit inputs location nixos-hardware agenix; user = defaultUser; };
modules = [
specialArgs = {
inherit inputs location nixos-hardware agenix;
user = defaultUser;
};
modules =
[
agenix.nixosModules.default
./jupiter
./configuration_common.nix
nixos-hardware.nixosModules.common-cpu-intel
nixos-hardware.nixosModules.common-pc-ssd
] ++ (mkHM home-manager defaultUser [ ./home_server.nix ./jupiter/home.nix ]);
]
++ (mkHM home-manager defaultUser [./home_server.nix ./jupiter/home.nix]);
};
kabtopci = lib.nixosSystem { # Server profile
kabtopci = lib.nixosSystem {
# Server profile
inherit system;
specialArgs = { inherit inputs location nixos-hardware agenix impermanence; user = defaultUser; };
modules = [
specialArgs = {
inherit inputs location nixos-hardware agenix impermanence;
user = defaultUser;
};
modules =
[
agenix.nixosModules.default
microvm.nixosModules.host
./kabtopci
./configuration_common.nix
nixos-hardware.nixosModules.common-pc-ssd
] ++ (mkHM home-manager defaultUser [ ./home_server.nix ./kabtopci/home.nix ]);
]
++ (mkHM home-manager defaultUser [./home_server.nix ./kabtopci/home.nix]);
};
kubemaster-1 = lib.nixosSystem { # Server profile
kubemaster-1 = lib.nixosSystem {
# Server profile
inherit system;
specialArgs = { inherit inputs location nixos-hardware agenix impermanence; user = defaultUser; };
modules = [
specialArgs = {
inherit inputs location nixos-hardware agenix impermanence;
user = defaultUser;
};
modules =
[
agenix.nixosModules.default
microvm.nixosModules.host
./kubemaster-1
./configuration_common.nix
nixos-hardware.nixosModules.common-cpu-intel
nixos-hardware.nixosModules.common-pc-ssd
] ++ (mkHM home-manager defaultUser [ ./home_server.nix ./kubemaster-1/home.nix ]);
]
++ (mkHM home-manager defaultUser [./home_server.nix ./kubemaster-1/home.nix]);
};
dmz = lib.nixosSystem { # Server profile
dmz = lib.nixosSystem {
# Server profile
inherit system;
specialArgs = { inherit inputs location nixos-hardware agenix impermanence; user = defaultUser; };
modules = [
specialArgs = {
inherit inputs location nixos-hardware agenix impermanence;
user = defaultUser;
};
modules =
[
agenix.nixosModules.default
microvm.nixosModules.host
./dmz
./configuration_common.nix
nixos-hardware.nixosModules.common-pc-ssd
] ++ (mkHM home-manager defaultUser [ ./home_server.nix ./dmz/home.nix ]);
]
++ (mkHM home-manager defaultUser [./home_server.nix ./dmz/home.nix]);
};
# vm = lib.nixosSystem { # VM profile
# inherit system;
# specialArgs = { inherit inputs user location; };
# modules = [
# ./vm
# ./configuration.nix
#
# (mkHM home-manager [ ./home.nix ./vm/home.nix ])
# ];
# };
# vm = lib.nixosSystem { # VM profile
# inherit system;
# specialArgs = { inherit inputs user location; };
# modules = [
# ./vm
# ./configuration.nix
#
# (mkHM home-manager [ ./home.nix ./vm/home.nix ])
# ];
# };
}

16
hosts/desktop/default.nix
View File

@@ -1,10 +1,12 @@
#
# Hades desktop — system configuration
#
{ lib, pkgs, inputs, ... }:
{
lib,
pkgs,
inputs,
...
}: {
# Example: host-specific overlays — only hades gets these packages in its pkgs.
# nixpkgs.overlays = [
# (final: prev: {
@@ -30,13 +32,13 @@
myDesktop.syncthing.enable = true;
myDesktop.syncthing.devices = {
"jupiter.home.opel-online.de" = { id = "T53WU6Z-3NT74ZE-PZVZB2N-7FBTZ5K-HESC2ZM-W4ABDAS-NWXHTGI-ST4CDQR"; };
"lifebook.home.opel-online.de" = { id = "RKPZG3H-BDUZID3-DV26MKR-UOARIQC-JBCAFXP-J5QFM4H-5EGBSM5-VEGXHQ4"; };
"jupiter.home.opel-online.de" = {id = "T53WU6Z-3NT74ZE-PZVZB2N-7FBTZ5K-HESC2ZM-W4ABDAS-NWXHTGI-ST4CDQR";};
"lifebook.home.opel-online.de" = {id = "RKPZG3H-BDUZID3-DV26MKR-UOARIQC-JBCAFXP-J5QFM4H-5EGBSM5-VEGXHQ4";};
};
myDesktop.syncthing.folders = {
"Sync" = {
path = "/home/kabbone/Sync";
devices = [ "jupiter.home.opel-online.de" "lifebook.home.opel-online.de" ];
devices = ["jupiter.home.opel-online.de" "lifebook.home.opel-online.de"];
ignorePerms = false;
};
};
@@ -56,5 +58,5 @@
};
};
environment.systemPackages = [ pkgs.linux-firmware ];
environment.systemPackages = [pkgs.linux-firmware];
}

113
hosts/desktop/hardware-configuration.nix
View File

@@ -10,17 +10,21 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")] ++
[( import ../../modules/hardware/backup.nix )];
[(modulesPath + "/installer/scan/not-detected.nix")]
++ [(import ../../modules/hardware/backup.nix)];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ];
boot.kernelModules = [ "kvm-amd" "nct6775" ];
boot.extraModulePackages = [ ];
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod"];
boot.initrd.kernelModules = ["vfio_pci" "vfio" "vfio_iommu_type1"];
boot.kernelModules = ["kvm-amd" "nct6775"];
boot.extraModulePackages = [];
boot.tmp.useTmpfs = false;
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
@@ -34,7 +38,7 @@
};
services.btrbk = {
extraPackages = [ pkgs.lz4 pkgs.mbuffer ];
extraPackages = [pkgs.lz4 pkgs.mbuffer];
instances = {
hf = {
onCalendar = "hourly";
@@ -89,66 +93,65 @@
systemd.timers = {
btrbk-bak = {
after = [ "network-online.target" ];
requires = [ "network-online.target" ];
after = ["network-online.target"];
requires = ["network-online.target"];
};
};
fileSystems."/" =
{ device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fileSystems."/" = {
device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
};
fileSystems."/home" =
{ device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fileSystems."/home" = {
device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
};
fileSystems."/srv" =
{ device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fileSystems."/srv" = {
device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fileSystems."/nix" = {
device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
};
fileSystems."/swap" =
{ device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fileSystems."/swap" = {
device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async"];
};
fileSystems."/mnt/snapshots/root" =
{ device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fileSystems."/mnt/snapshots/root" = {
device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part1";
fileSystems."/boot" = {
device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part1";
fsType = "vfat";
};
fileSystems."/mnt/Pluto" =
{ device = "jupiter:/Pluto";
fileSystems."/mnt/Pluto" = {
device = "jupiter:/Pluto";
fsType = "nfs";
options = [ "noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2" ];
options = ["noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2"];
};
fileSystems."/mnt/Mars" =
{ device = "jupiter:/Mars";
fileSystems."/mnt/Mars" = {
device = "jupiter:/Mars";
fsType = "nfs";
options = [ "noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2" ];
options = ["noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2"];
};
swapDevices = [ { device = "/swap/swapfile"; } ];
swapDevices = [{device = "/swap/swapfile";}];
networking = {
useDHCP = false; # Deprecated
@@ -158,25 +161,25 @@
};
firewall = {
enable = true;
allowedUDPPorts = [ 24727 ];
allowedTCPPorts = [ 24727 ];
allowedUDPPorts = [24727];
allowedTCPPorts = [24727];
};
};
# systemd.network = {
# enable = true;
# networks = {
# "10-lan" = {
# matchConfig.Name = "eno1";
# ntp = [ "192.168.2.1" ];
# domains = [ "home.opel-online.de" ];
# networkConfig = {
# DHCP = "yes";
# IPv6AcceptRA = true;
# };
# };
# };
# };
# systemd.network = {
# enable = true;
# networks = {
# "10-lan" = {
# matchConfig.Name = "eno1";
# ntp = [ "192.168.2.1" ];
# domains = [ "home.opel-online.de" ];
# networkConfig = {
# DHCP = "yes";
# IPv6AcceptRA = true;
# };
# };
# };
# };
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
#powerManagement.powertop.enable = true;

5
hosts/desktop/home.nix
View File

@@ -2,10 +2,7 @@
# Hades desktop — home-manager host-specific additions
# (WM home config is loaded by modules/desktop based on myDesktop.windowManager)
#
{ pkgs, ... }:
{
{pkgs, ...}: {
imports = [
../../modules/home.nix # cmds / theme options
];

16
hosts/dmz/default.nix
View File

@@ -1,14 +1,20 @@
#
# DMZ — demilitarised zone server configuration
#
{ config, pkgs, user, agenix, impermanence, ... }:
{
imports = [
config,
pkgs,
user,
agenix,
impermanence,
...
}: {
imports =
[
./hardware-configuration.nix
../../modules/server
] ++ (import ../../modules/services/dmz);
]
++ (import ../../modules/services/dmz);
# ── Server module options ───────────────────────────────────────────────
myServer.virtualisation.enable = true;

73
hosts/dmz/hardware-configuration.nix
View File

@@ -10,17 +10,21 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.availableKernelModules = ["uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk"];
boot.initrd.kernelModules = ["vfio_pci" "vfio" "vfio_iommu_type1"];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
boot.tmp.useTmpfs = false;
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
@@ -33,57 +37,57 @@
];
};
fileSystems."/" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
};
fileSystems."/home" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/home" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
};
fileSystems."/srv" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/srv" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
};
fileSystems."/var" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/var" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@var,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@var,discard=async"];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/nix" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
};
fileSystems."/swap" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/swap" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async"];
};
fileSystems."/mnt/snapshots/root" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/mnt/snapshots/root" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
};
swapDevices = [ ];
swapDevices = [];
systemd.network = {
enable = true;
networks = {
"10-lan" = {
matchConfig.Name = "ens18";
ntp = [ "192.168.101.1" ];
domains = [ "home.opel-online.de" ];
ntp = ["192.168.101.1"];
domains = ["home.opel-online.de"];
networkConfig = {
DHCP = "yes";
IPv6AcceptRA = true;
@@ -99,9 +103,8 @@
hostName = "dmz";
firewall = {
enable = true;
allowedUDPPorts = [ ];
allowedTCPPorts = [ 80 443 ];
allowedUDPPorts = [];
allowedTCPPorts = [80 443];
};
};
}

12
hosts/dmz/home.nix
View File

@@ -10,16 +10,13 @@
# └─ ./hyprland
# └─ hyprland.nix
#
{ pkgs, ... }:
{
imports =
[
{pkgs, ...}: {
imports = [
../../modules/home.nix # Window Manager
];
home = { # Specific packages for laptop
home = {
# Specific packages for laptop
packages = with pkgs; [
# Applications
@@ -32,5 +29,4 @@
programs = {
alacritty.settings.font.size = 11;
};
}

66
hosts/fuji/default.nix
View File

@@ -16,21 +16,32 @@
# └─ ./hardware
# └─ default.nix
#
{ config, nixpkgs, pkgs, user, lib, ... }:
{
imports = # For now, if applying to other system, swap files
[(import ./hardware-configuration.nix)] ++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix
[(import ../../modules/wm/sway/default.nix)] ++ # Window Manager
(import ../../modules/wm/virtualisation) ++ # libvirt + Docker
[(import ../../modules/wm/virtualisation/kvm-amd.nix)] ++ # kvm module options
config,
nixpkgs,
pkgs,
user,
lib,
...
}: {
imports =
# For now, if applying to other system, swap files
[(import ./hardware-configuration.nix)]
++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix
[(import ../../modules/wm/sway/default.nix)]
++ # Window Manager
(import ../../modules/wm/virtualisation)
++ # libvirt + Docker
[(import ../../modules/wm/virtualisation/kvm-amd.nix)]
++ # kvm module options
(import ../../modules/hardware); # Hardware devices
boot = { # Boot options
boot = {
# Boot options
kernelPackages = pkgs.linuxPackages_latest;
loader = { # EFI Boot
loader = {
# EFI Boot
systemd-boot.enable = lib.mkForce false;
efi = {
canTouchEfiVariables = true;
@@ -45,34 +56,35 @@
};
};
# hardware.sane = { # Used for scanning with Xsane
# enable = false;
# extraBackends = [ pkgs.sane-airscan ];
# };
# hardware = {
# nitrokey.enable = true;
# };
# hardware.sane = { # Used for scanning with Xsane
# enable = false;
# extraBackends = [ pkgs.sane-airscan ];
# };
# hardware = {
# nitrokey.enable = true;
# };
# environment = {
# systemPackages = with pkgs; [
## simple-scan
## intel-media-driver
## alacritty
# ];
# };
# environment = {
# systemPackages = with pkgs; [
## simple-scan
## intel-media-driver
## alacritty
# ];
# };
services = {
#auto-cpufreq.enable = true;
blueman.enable = true;
avahi = { # Needed to find wireless printer
avahi = {
# Needed to find wireless printer
enable = true;
nssmdns4 = true;
publish = { # Needed for detecting the scanner
publish = {
# Needed for detecting the scanner
enable = true;
addresses = true;
userServices = true;
};
};
};
}

65
hosts/fuji/hardware-configuration.nix
View File

@@ -10,17 +10,21 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")] ++
[( import ../../modules/hardware/backup.nix )];
[(modulesPath + "/installer/scan/not-detected.nix")]
++ [(import ../../modules/hardware/backup.nix)];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod"];
boot.initrd.kernelModules = ["vfio_pci" "vfio" "vfio_iommu_type1"];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
boot.tmp.useTmpfs = false;
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
@@ -59,49 +63,48 @@
};
};
fileSystems."/" =
{ device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fileSystems."/" = {
device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
};
fileSystems."/home" =
{ device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fileSystems."/home" = {
device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
};
fileSystems."/srv" =
{ device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fileSystems."/srv" = {
device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fileSystems."/nix" = {
device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
};
fileSystems."/swap" =
{ device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fileSystems."/swap" = {
device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async"];
};
fileSystems."/mnt/snapshots/root" =
{ device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fileSystems."/mnt/snapshots/root" = {
device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part2";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part1";
fileSystems."/boot" = {
device = "/dev/disk/by-id/nvme-ADATA_SX8200PNP_2J3320119186-part1";
fsType = "vfat";
};
swapDevices = [ { device = "/swap/swapfile"; } ];
swapDevices = [{device = "/swap/swapfile";}];
networking = {
useDHCP = false; # Deprecated
@@ -121,7 +124,7 @@
networks = {
"10-lan" = {
matchConfig.Name = "eno1";
ntp = [ "192.168.2.1" ];
ntp = ["192.168.2.1"];
networkConfig = {
DHCP = "yes";
IPv6AcceptRA = true;

15
hosts/fuji/home.nix
View File

@@ -10,18 +10,15 @@
# └─ ./hyprland
# └─ hyprland.nix
#
{ pkgs, ... }:
{
imports =
[
{pkgs, ...}: {
imports = [
#../../modules/wm/hyprland/home.nix # Window Manager
#../../modules/wm/kde/home.nix # Window Manager
../../modules/home.nix # Window Manager
];
home = { # Specific packages for laptop
home = {
# Specific packages for laptop
packages = with pkgs; [
# Applications
#firefox
@@ -35,11 +32,11 @@
];
};
services = { # Applets
services = {
# Applets
#blueman-applet.enable = true; # Bluetooth
network-manager-applet.enable = true; # Network
};
xsession.preferStatusNotifierItems = true;
}

76
hosts/home.nix
View File

@@ -14,23 +14,26 @@
# └─ ./shell
# └─ default.nix
#
{ config, lib, pkgs, user, ... }:
{
config,
lib,
pkgs,
user,
...
}: {
imports =
(import ../modules/editors) ++
(import ../modules/programs) ++
(import ../modules/programs/configs) ++
(import ../modules/services) ++
(import ../modules/shell);
(import ../modules/editors)
++ (import ../modules/programs)
++ (import ../modules/programs/configs)
++ (import ../modules/services)
++ (import ../modules/shell);
home = {
username = "${user}";
homeDirectory = "/home/${user}";
packages = with pkgs; [
# Terminal
# Terminal
pfetch # Minimal fetch
ranger # File Manager
gnupg # sign and authorize 2nd Fac
@@ -39,7 +42,7 @@
steam
wakelan
# dev ols
# dev ols
gcc
gnumake
gnupatch
@@ -52,10 +55,10 @@
tailscale
wireguard-tools
# VideAudio
# VideAudio
mpv # Media Player
# Apps
# Apps
qalculate-qt
hdparm
python3
@@ -68,7 +71,7 @@
vesktop
element-desktop
# Fileanagement
# Fileanagement
kdePackages.ark
pcmanfm # File Manager
rsync # Syncer $ rsync -r dir1/ dir2/
@@ -77,7 +80,7 @@
papirus-icon-theme
arc-theme
# General configuration
# General configuration
keepassxc
libreoffice
gimp
@@ -101,12 +104,12 @@
file.".config/wall".source = ../modules/themes/wall.jpg;
file.".config/lockwall".source = ../modules/themes/lockwall.jpg;
# pointerCursor = { # This will set cursor systemwide so applications can not choose their own
# name = "Dracula-cursors";
# package = pkgs.dracula-theme;
# size = 16;
# gtk.enable = true;
# };
# pointerCursor = { # This will set cursor systemwide so applications can not choose their own
# name = "Dracula-cursors";
# package = pkgs.dracula-theme;
# size = 16;
# gtk.enable = true;
# };
stateVersion = "23.05";
};
@@ -117,25 +120,24 @@
};
};
# gtk = { # Theming
# enable = true;
# theme = {
# name = "Dracula";
# package = pkgs.dracula-theme;
# };
# iconTheme = {
# name = "Papirus-Dark";
# package = pkgs.papirus-icon-theme;
# };
# font = {
# name = "Cascadia Code"; # or FiraCode Nerd Font Mono Medium
# }; # Cursor is declared under home.pointerCursor
# };
# gtk = { # Theming
# enable = true;
# theme = {
# name = "Dracula";
# package = pkgs.dracula-theme;
# };
# iconTheme = {
# name = "Papirus-Dark";
# package = pkgs.papirus-icon-theme;
# };
# font = {
# name = "Cascadia Code"; # or FiraCode Nerd Font Mono Medium
# }; # Cursor is declared under home.pointerCursor
# };
systemd.user.services.mpris-proxy = {
Unit.Description = "Mpris proxy";
Unit.After = [ "network.target" "sound.target" ];
Unit.After = ["network.target" "sound.target"];
Service.ExecStart = "${pkgs.bluez}/bin/mpris-proxy";
Install.WantedBy = [ "default.target" ];
Install.WantedBy = ["default.target"];
};
}

16
hosts/home_server.nix
View File

@@ -14,12 +14,17 @@
# └─ ./shell
# └─ default.nix
#
{ config, lib, pkgs, user, ... }:
{
imports = # Home Manager Modules
(import ../modules/editors) ++
config,
lib,
pkgs,
user,
...
}: {
imports =
# Home Manager Modules
(import ../modules/editors)
++
#(import ../modules/programs) ++
#(import ../modules/programs/configs) ++
#(import ../modules/services) ++
@@ -48,7 +53,6 @@
rsync # Syncer $ rsync -r dir1/ dir2/
#unzip # Zip files
#unrar # Rar files
];
stateVersion = "23.11";
};

29
hosts/jupiter/default.nix
View File

@@ -1,27 +1,32 @@
#
# Jupiter — NAS server configuration
#
{ config, pkgs, inputs, user, ... }:
{
imports = [
config,
pkgs,
inputs,
user,
...
}: {
imports =
[
./hardware-configuration.nix
../../modules/server
] ++ (import ../../modules/services/nas);
]
++ (import ../../modules/services/nas);
# ── Server module options ───────────────────────────────────────────────
# No virtualisation on the NAS
# ── Host-specific settings ──────────────────────────────────────────────
# Example: host-specific overlay — only jupiter gets these packages in its pkgs.
# nixpkgs.overlays = [
# (final: prev: {
# corosync-qdevice = (import ../../packages { pkgs = prev; }).corosync-qdevice;
# firefox = inputs.nixpkgs-unstable.legacyPackages.${prev.system}.firefox;
# })
# ];
# Example: host-specific overlay — only jupiter gets these packages in its pkgs.
# nixpkgs.overlays = [
# (final: prev: {
# corosync-qdevice = (import ../../packages { pkgs = prev; }).corosync-qdevice;
# firefox = inputs.nixpkgs-unstable.legacyPackages.${prev.system}.firefox;
# })
# ];
boot = {
kernelPackages = pkgs.linuxPackages_latest;

107
hosts/jupiter/hardware-configuration.nix
View File

@@ -10,15 +10,19 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports =
[(modulesPath + "/profiles/qemu-guest.nix")] ++
[( import ../../modules/hardware/backup.nix )];
[(modulesPath + "/profiles/qemu-guest.nix")]
++ [(import ../../modules/hardware/backup.nix)];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.initrd.availableKernelModules = ["uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk"];
boot.initrd.kernelModules = [];
boot.initrd.secrets = {
"/root/NASKeyfile" =
/root/NASKeyfile;
@@ -33,8 +37,8 @@
keyFile = "/root/NASKeyfile";
};
};
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.kernelModules = [];
boot.extraModulePackages = [];
boot.tmp.useTmpfs = false;
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
@@ -50,7 +54,7 @@
};
services.btrbk = {
extraPackages = [ pkgs.lz4 pkgs.mbuffer ];
extraPackages = [pkgs.lz4 pkgs.mbuffer];
instances = {
hf = {
onCalendar = "hourly";
@@ -112,94 +116,94 @@
};
};
fileSystems."/" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
};
fileSystems."/home" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/home" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
};
fileSystems."/srv" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/srv" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/nix" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
};
fileSystems."/swap" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/swap" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async"];
};
fileSystems."/mnt/snapshots/root" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/mnt/snapshots/root" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
};
fileSystems."/mnt/snapshots/Mars" =
{ device = "/dev/disk/by-label/MARS";
fileSystems."/mnt/snapshots/Mars" = {
device = "/dev/disk/by-label/MARS";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
};
fileSystems."/mnt/snapshots/Pluto" =
{ device = "/dev/disk/by-label/NAS-RAID";
fileSystems."/mnt/snapshots/Pluto" = {
device = "/dev/disk/by-label/NAS-RAID";
fsType = "btrfs";
options = [ "compress=zstd:8,noatime,subvolid=5" ];
options = ["compress=zstd:8,noatime,subvolid=5"];
};
fileSystems."/mnt/Pluto" =
{ device = "/dev/disk/by-label/NAS-RAID";
fileSystems."/mnt/Pluto" = {
device = "/dev/disk/by-label/NAS-RAID";
fsType = "btrfs";
options = [ "compress=zstd:8,noatime,subvol=@" ];
options = ["compress=zstd:8,noatime,subvol=@"];
};
fileSystems."/mnt/Mars" =
{ device = "/dev/disk/by-label/MARS";
fileSystems."/mnt/Mars" = {
device = "/dev/disk/by-label/MARS";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nas,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nas,discard=async"];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-label/NIXBOOT";
fileSystems."/boot" = {
device = "/dev/disk/by-label/NIXBOOT";
fsType = "vfat";
};
fileSystems."/export/Pluto" =
{ device = "/mnt/Pluto";
options = [ "bind" ];
fileSystems."/export/Pluto" = {
device = "/mnt/Pluto";
options = ["bind"];
};
fileSystems."/export/Mars" =
{ device = "/mnt/Mars";
options = [ "bind" ];
fileSystems."/export/Mars" = {
device = "/mnt/Mars";
options = ["bind"];
};
swapDevices = [ { device = "/swap/swapfile"; } ];
swapDevices = [{device = "/swap/swapfile";}];
systemd.network = {
enable = true;
networks = {
"10-lan" = {
matchConfig.Name = "ens18";
ntp = [ "192.168.2.1" ];
domains = [ "home.opel-online.de" ];
ntp = ["192.168.2.1"];
domains = ["home.opel-online.de"];
networkConfig = {
DHCP = "yes";
IPv6AcceptRA = true;
IPv6PrivacyExtensions=false;
IPv6PrivacyExtensions = false;
};
ipv6AcceptRAConfig = {
DHCPv6Client = "always";
@@ -234,5 +238,4 @@
${pkgs.hdparm}/sbin/hdparm -S 150 /dev/disk/by-uuid/57e6446d-faca-4b67-9063-e8d9afb80088
'';
};
}

12
hosts/jupiter/home.nix
View File

@@ -10,16 +10,13 @@
# └─ ./hyprland
# └─ hyprland.nix
#
{ pkgs, ... }:
{
imports =
[
{pkgs, ...}: {
imports = [
../../modules/home.nix # Window Manager
];
home = { # Specific packages for laptop
home = {
# Specific packages for laptop
packages = with pkgs; [
# Applications
@@ -32,5 +29,4 @@
programs = {
alacritty.settings.font.size = 11;
};
}

16
hosts/kabtop/default.nix
View File

@@ -1,14 +1,20 @@
#
# Kabtop — server configuration
#
{ config, pkgs, user, agenix, impermanence, ... }:
{
imports = [
config,
pkgs,
user,
agenix,
impermanence,
...
}: {
imports =
[
./hardware-configuration.nix
../../modules/server
] ++ (import ../../modules/services/server);
]
++ (import ../../modules/services/server);
# ── Server module options ───────────────────────────────────────────────
myServer.virtualisation.enable = true;

74
hosts/kabtop/hardware-configuration.nix
View File

@@ -10,17 +10,21 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "ahci" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "ahci" "sd_mod" "sr_mod"];
boot.initrd.kernelModules = ["vfio_pci" "vfio" "vfio_iommu_type1"];
boot.kernelModules = ["kvm-amd"];
boot.extraModulePackages = [];
boot.tmp.useTmpfs = false;
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
@@ -61,51 +65,50 @@
};
};
fileSystems."/" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
};
fileSystems."/home" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/home" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
};
fileSystems."/srv" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/srv" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
};
fileSystems."/var" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/var" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "space_cache=v2,ssd,noatime,subvol=@var,discard=async" ];
options = ["space_cache=v2,ssd,noatime,subvol=@var,discard=async"];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/nix" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
};
fileSystems."/swap" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/swap" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async"];
};
fileSystems."/mnt/snapshots/root" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/mnt/snapshots/root" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
};
#swapDevices = [ { device = "/swap/swapfile"; } ];
swapDevices = [ ];
swapDevices = [];
networking = {
useDHCP = false; # Deprecated
@@ -116,8 +119,8 @@
};
firewall = {
enable = true;
allowedUDPPorts = [ ];
allowedTCPPorts = [ 80 443 ];
allowedUDPPorts = [];
allowedTCPPorts = [80 443];
};
};
systemd.network = {
@@ -132,8 +135,8 @@
];
routes = [
{ Gateway = "37.44.215.1"; }
{ Gateway = "fe80::1"; }
{Gateway = "37.44.215.1";}
{Gateway = "fe80::1";}
];
dns = [
@@ -144,6 +147,5 @@
};
};
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

12
hosts/kabtop/home.nix
View File

@@ -10,16 +10,13 @@
# └─ ./hyprland
# └─ hyprland.nix
#
{ pkgs, ... }:
{
imports =
[
{pkgs, ...}: {
imports = [
../../modules/home.nix # Window Manager
];
home = { # Specific packages for laptop
home = {
# Specific packages for laptop
packages = with pkgs; [
# Applications
@@ -32,5 +29,4 @@
programs = {
alacritty.settings.font.size = 11;
};
}

16
hosts/kabtopci/default.nix
View File

@@ -1,14 +1,20 @@
#
# Kabtopci — CI server configuration
#
{ config, pkgs, user, agenix, impermanence, ... }:
{
imports = [
config,
pkgs,
user,
agenix,
impermanence,
...
}: {
imports =
[
./hardware-configuration.nix
../../modules/server
] ++ (import ../../modules/services/kabtopci);
]
++ (import ../../modules/services/kabtopci);
# ── Server module options ───────────────────────────────────────────────
myServer.virtualisation.enable = true;

75
hosts/kabtopci/hardware-configuration.nix
View File

@@ -10,16 +10,19 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")];
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [(modulesPath + "/installer/scan/not-detected.nix")];
boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.initrd.availableKernelModules = ["ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sr_mod" "virtio_blk"];
boot.initrd.kernelModules = ["vfio_pci" "vfio" "vfio_iommu_type1"];
boot.kernelModules = [];
boot.extraModulePackages = [];
boot.tmp.useTmpfs = false;
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
@@ -32,43 +35,43 @@
];
};
fileSystems."/" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
};
fileSystems."/home" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/home" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
};
fileSystems."/srv" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/srv" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
};
fileSystems."/var" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/var" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "space_cache=v2,ssd,noatime,subvol=@var,discard=async" ];
options = ["space_cache=v2,ssd,noatime,subvol=@var,discard=async"];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/nix" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd:9,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ];
options = ["compress=zstd:9,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
};
fileSystems."/swap" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/swap" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async"];
};
swapDevices = [ ];
swapDevices = [];
networking = {
useDHCP = false; # Deprecated
@@ -80,14 +83,18 @@
interfaces = {
ens3 = {
useDHCP = false; # For versatility sake, manually edit IP on nm-applet.
ipv4.addresses = [ {
ipv4.addresses = [
{
address = "195.90.221.87";
prefixLength = 22;
} ];
ipv6.addresses = [ {
}
];
ipv6.addresses = [
{
address = "2a00:6800:3:d5b::2";
prefixLength = 64;
} ];
}
];
};
};
defaultGateway = "195.90.220.1";
@@ -96,11 +103,11 @@
interface = "ens3";
};
nameservers = [ "9.9.9.9" "2620:fe::fe" ];
nameservers = ["9.9.9.9" "2620:fe::fe"];
firewall = {
enable = true;
allowedUDPPorts = [ ];
allowedTCPPorts = [ 80 443 ];
allowedUDPPorts = [];
allowedTCPPorts = [80 443];
};
};

12
hosts/kabtopci/home.nix
View File

@@ -10,16 +10,13 @@
# └─ ./hyprland
# └─ hyprland.nix
#
{ pkgs, ... }:
{
imports =
[
{pkgs, ...}: {
imports = [
../../modules/home.nix # Window Manager
];
home = { # Specific packages for laptop
home = {
# Specific packages for laptop
packages = with pkgs; [
# Applications
@@ -32,5 +29,4 @@
programs = {
alacritty.settings.font.size = 11;
};
}

16
hosts/kubemaster-1/default.nix
View File

@@ -1,14 +1,20 @@
#
# Kubemaster-1 — Kubernetes master server configuration
#
{ config, pkgs, user, agenix, impermanence, ... }:
{
imports = [
config,
pkgs,
user,
agenix,
impermanence,
...
}: {
imports =
[
./hardware-configuration.nix
../../modules/server
] ++ (import ../../modules/services/kubemaster);
]
++ (import ../../modules/services/kubemaster);
# ── Server module options ───────────────────────────────────────────────
myServer.virtualisation.enable = true;

73
hosts/kubemaster-1/hardware-configuration.nix
View File

@@ -10,17 +10,21 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" "sr_mod"];
boot.initrd.kernelModules = ["vfio_pci" "vfio" "vfio_iommu_type1"];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
boot.tmp.useTmpfs = false;
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
@@ -33,57 +37,57 @@
];
};
fileSystems."/" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
};
fileSystems."/home" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/home" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
};
fileSystems."/srv" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/srv" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
};
fileSystems."/var" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/var" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@var,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@var,discard=async"];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/nix" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
};
fileSystems."/swap" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/swap" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async"];
};
fileSystems."/mnt/snapshots/root" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/mnt/snapshots/root" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
};
swapDevices = [ ];
swapDevices = [];
systemd.network = {
enable = true;
networks = {
"10-lan" = {
matchConfig.Name = "enp0s31f6";
ntp = [ "192.168.2.1" ];
domains = [ "home.opel-online.de" ];
ntp = ["192.168.2.1"];
domains = ["home.opel-online.de"];
networkConfig = {
DHCP = "yes";
IPv6AcceptRA = true;
@@ -99,8 +103,8 @@
hostName = "kubemaster-1";
firewall = {
enable = true;
allowedUDPPorts = [ ];
allowedTCPPorts = [ 80 443 ];
allowedUDPPorts = [];
allowedTCPPorts = [80 443];
};
};
@@ -113,5 +117,4 @@
'';
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

12
hosts/kubemaster-1/home.nix
View File

@@ -10,16 +10,13 @@
# └─ ./hyprland
# └─ hyprland.nix
#
{ pkgs, ... }:
{
imports =
[
{pkgs, ...}: {
imports = [
../../modules/home.nix # Window Manager
];
home = { # Specific packages for laptop
home = {
# Specific packages for laptop
packages = with pkgs; [
# Applications
@@ -32,5 +29,4 @@
programs = {
alacritty.settings.font.size = 11;
};
}

16
hosts/lifebook/default.nix
View File

@@ -1,10 +1,12 @@
#
# Lifebook laptop — system configuration
#
{ lib, pkgs, user, ... }:
{
lib,
pkgs,
user,
...
}: {
imports = [
./hardware-configuration.nix
../../modules/desktop
@@ -24,13 +26,13 @@
myDesktop.syncthing.enable = true;
myDesktop.syncthing.devices = {
"jupiter.home.opel-online.de" = { id = "T53WU6Z-3NT74ZE-PZVZB2N-7FBTZ5K-HESC2ZM-W4ABDAS-NWXHTGI-ST4CDQR"; };
"hades.home.opel-online.de" = { id = "3VPCBVW-RH7XKFM-TWJGQHC-ZRAQ575-CQKGGKP-NAB4VXE-KCKJFUT-AMCUQQA"; };
"jupiter.home.opel-online.de" = {id = "T53WU6Z-3NT74ZE-PZVZB2N-7FBTZ5K-HESC2ZM-W4ABDAS-NWXHTGI-ST4CDQR";};
"hades.home.opel-online.de" = {id = "3VPCBVW-RH7XKFM-TWJGQHC-ZRAQ575-CQKGGKP-NAB4VXE-KCKJFUT-AMCUQQA";};
};
myDesktop.syncthing.folders = {
"Sync" = {
path = "/home/kabbone/Sync";
devices = [ "jupiter.home.opel-online.de" "hades.home.opel-online.de" ];
devices = ["jupiter.home.opel-online.de" "hades.home.opel-online.de"];
ignorePerms = false;
};
};
@@ -43,7 +45,7 @@
# ── Host-specific settings ──────────────────────────────────────────────
boot = {
kernelPackages = pkgs.linuxPackages_latest;
initrd.prepend = [ "${./patched-SSDT4}" ];
initrd.prepend = ["${./patched-SSDT4}"];
loader = {
systemd-boot.enable = lib.mkForce false;
efi.canTouchEfiVariables = true;

124
hosts/lifebook/hardware-configuration.nix
View File

@@ -10,17 +10,21 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")] ++
[( import ../../modules/hardware/backup.nix )];
[(modulesPath + "/installer/scan/not-detected.nix")]
++ [(import ../../modules/hardware/backup.nix)];
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" "sdhci_pci" ];
kernelModules = [ "i915" "kvm_intel" "vfio_pci" "vfio" "vfio_iommu_type1" ];
availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" "sdhci_pci"];
kernelModules = ["i915" "kvm_intel" "vfio_pci" "vfio" "vfio_iommu_type1"];
systemd.enable = true;
luks = {
devices."crypted" = {
@@ -31,8 +35,8 @@
};
};
kernelModules = [ "kvm-intel" ];
kernelParams = [ "luks.options=fido2-device=auto" "sysrq_always_enabled=1" "pcie_aspm=force" ];
kernelModules = ["kvm-intel"];
kernelParams = ["luks.options=fido2-device=auto" "sysrq_always_enabled=1" "pcie_aspm=force"];
extraModprobeConfig = ''
options i915 force_probe=!9a49
options xe force_probe=9a49
@@ -43,7 +47,6 @@
zramSwap.enable = true;
services = {
btrfs.autoScrub = {
enable = true;
@@ -57,7 +60,7 @@
'';
btrbk = {
extraPackages = [ pkgs.lz4 pkgs.mbuffer ];
extraPackages = [pkgs.lz4 pkgs.mbuffer];
instances = {
hf = {
onCalendar = "hourly";
@@ -149,80 +152,77 @@
systemd.timers = {
btrbk-bak = {
after = [ "network-online.target" ];
requires = [ "network-online.target" ];
after = ["network-online.target"];
requires = ["network-online.target"];
};
};
fileSystems."/" =
{ device = "/dev/mapper/crypted";
fileSystems."/" = {
device = "/dev/mapper/crypted";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-label/NIXBOOT";
fileSystems."/boot" = {
device = "/dev/disk/by-label/NIXBOOT";
fsType = "vfat";
};
fileSystems."/home" =
{ device = "/dev/mapper/crypted";
fileSystems."/home" = {
device = "/dev/mapper/crypted";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
};
fileSystems."/nix" =
{ device = "/dev/mapper/crypted";
fileSystems."/nix" = {
device = "/dev/mapper/crypted";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
};
fileSystems."/srv" =
{ device = "/dev/mapper/crypted";
fileSystems."/srv" = {
device = "/dev/mapper/crypted";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
};
fileSystems."/swap" =
{ device = "/dev/mapper/crypted";
fileSystems."/swap" = {
device = "/dev/mapper/crypted";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async"];
};
fileSystems."/opt" =
{ device = "/dev/mapper/crypted";
fileSystems."/opt" = {
device = "/dev/mapper/crypted";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@opt,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@opt,discard=async"];
};
fileSystems."/var" =
{ device = "/dev/mapper/crypted";
fileSystems."/var" = {
device = "/dev/mapper/crypted";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@var,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@var,discard=async"];
};
fileSystems."/mnt/snapshots/root" =
{ device = "/dev/mapper/crypted";
fileSystems."/mnt/snapshots/root" = {
device = "/dev/mapper/crypted";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
};
fileSystems."/mnt/Pluto" =
{ device = "jupiter.home.opel-online.de:/Pluto";
fileSystems."/mnt/Pluto" = {
device = "jupiter.home.opel-online.de:/Pluto";
fsType = "nfs";
options = [ "nofail,noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2" ];
options = ["nofail,noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2"];
};
fileSystems."/mnt/Mars" =
{ device = "jupiter.home.opel-online.de:/Mars";
fileSystems."/mnt/Mars" = {
device = "jupiter.home.opel-online.de:/Mars";
fsType = "nfs";
options = [ "nofail,noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2" ];
options = ["nofail,noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2"];
};
swapDevices = [ { device = "/swap/swapfile"; } ];
swapDevices = [{device = "/swap/swapfile";}];
networking = {
useDHCP = false; # Deprecated
@@ -235,27 +235,27 @@
powersave = true;
};
};
# interfaces = {
# wlan0 = {
# useDHCP = true; # For versatility sake, manually edit IP on nm-applet.
# #ipv4.addresses = [ {
# # address = "192.168.0.51";
# # prefixLength = 24;
# #} ];
# };
# };
# interfaces = {
# wlan0 = {
# useDHCP = true; # For versatility sake, manually edit IP on nm-applet.
# #ipv4.addresses = [ {
# # address = "192.168.0.51";
# # prefixLength = 24;
# #} ];
# };
# };
#defaultGateway = "192.168.0.1";
#nameservers = [ "192.168.0.4" ];
firewall = {
checkReversePath = false;
enable = true;
allowedUDPPorts = [ 24727 51820 ];
allowedTCPPorts = [ 24727 ];
allowedUDPPorts = [24727 51820];
allowedTCPPorts = [24727];
};
};
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# powerManagement = {
# powertop.enable = true;
# };
# powerManagement = {
# powertop.enable = true;
# };
}

5
hosts/lifebook/home.nix
View File

@@ -2,10 +2,7 @@
# Lifebook laptop — home-manager host-specific additions
# (WM home config is loaded by modules/desktop based on myDesktop.windowManager)
#
{ pkgs, ... }:
{
{pkgs, ...}: {
imports = [
../../modules/home.nix # cmds / theme options
];

14
hosts/nasbackup/default.nix
View File

@@ -1,14 +1,18 @@
#
# Nasbak — NAS backup server configuration
#
{ config, pkgs, user, ... }:
{
imports = [
config,
pkgs,
user,
...
}: {
imports =
[
./hardware-configuration.nix
../../modules/server
] ++ (import ../../modules/services/nasbackup);
]
++ (import ../../modules/services/nasbackup);
# ── Server module options ───────────────────────────────────────────────
# No virtualisation on the backup NAS

109
hosts/nasbackup/hardware-configuration.nix
View File

@@ -1,4 +1,3 @@
# Hardware settings for Teclast F5 10" Laptop
# NixOS @ sda2
#
@@ -10,15 +9,19 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ "vfio_pci" "vfio" "vfio_iommu_type1" ];
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod"];
boot.initrd.kernelModules = ["vfio_pci" "vfio" "vfio_iommu_type1"];
boot.initrd.secrets = {
"/root/NASKeyfile" =
/root/NASKeyfile;
@@ -35,8 +38,8 @@
bypassWorkqueues = true;
};
};
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
boot.tmp.useTmpfs = false;
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
@@ -51,7 +54,7 @@
};
services.btrbk = {
extraPackages = [ pkgs.lz4 pkgs.mbuffer ];
extraPackages = [pkgs.lz4 pkgs.mbuffer];
instances = {
hf = {
onCalendar = "hourly";
@@ -108,10 +111,10 @@
target = "/mnt/nas/Backups/Lifebook";
snapshot_dir = "@snapshots/@lifebook";
};
# "@steamdeck/@home" = {
# target = "/mnt/nas/Backups/Steamdeck";
# snapshot_dir = "@snapshots/@steamdeck";
# };
# "@steamdeck/@home" = {
# target = "/mnt/nas/Backups/Steamdeck";
# snapshot_dir = "@snapshots/@steamdeck";
# };
};
};
};
@@ -134,74 +137,73 @@
systemd.services = {
btrbk-bak = {
after = [ "network-online.target" ];
requires = [ "network-online.target" ];
after = ["network-online.target"];
requires = ["network-online.target"];
};
};
fileSystems."/" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
};
fileSystems."/home" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/home" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
};
fileSystems."/srv" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/srv" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/nix" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
};
fileSystems."/swap" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/swap" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async"];
};
fileSystems."/mnt/snapshots/root" =
{ device = "/dev/disk/by-label/NIXROOT";
fileSystems."/mnt/snapshots/root" = {
device = "/dev/disk/by-label/NIXROOT";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
};
# fileSystems."/mnt/snapshots/Pluto" =
# { device = "/dev/disk/by-label/NAS-RAID";
# fsType = "btrfs";
# options = [ "compress=zstd,space_cache=v2,noatime,subvolid=5" ];
# };
#
fileSystems."/mnt/nas" =
{ device = "/dev/disk/by-uuid/70523c79-ef5c-40f2-8782-60fc86bb445b";
# fileSystems."/mnt/snapshots/Pluto" =
# { device = "/dev/disk/by-label/NAS-RAID";
# fsType = "btrfs";
# options = [ "compress=zstd,space_cache=v2,noatime,subvolid=5" ];
# };
#
fileSystems."/mnt/nas" = {
device = "/dev/disk/by-uuid/70523c79-ef5c-40f2-8782-60fc86bb445b";
fsType = "btrfs";
options = [ "compress=zstd:9,space_cache=v2,noatime,subvol=@nasbak" ];
options = ["compress=zstd:9,space_cache=v2,noatime,subvol=@nasbak"];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-label/NIXBOOT";
fileSystems."/boot" = {
device = "/dev/disk/by-label/NIXBOOT";
fsType = "vfat";
};
swapDevices = [ { device = "/swap/swapfile"; } ];
swapDevices = [{device = "/swap/swapfile";}];
systemd.network = {
enable = true;
networks = {
"10-lan" = {
matchConfig.Name = "ens18";
ntp = [ "192.168.2.1" ];
domains = [ "home.opel-online.de" ];
ntp = ["192.168.2.1"];
domains = ["home.opel-online.de"];
networkConfig = {
DHCP = "yes";
IPv6AcceptRA = true;
@@ -224,10 +226,9 @@
powerManagement = {
cpuFreqGovernor = lib.mkDefault "powersave";
powertop.enable = true;
# powerUpCommands = ''
# ${pkgs.hdparm}/sbin/hdparm -S 150 /dev/disk/by-uuid/57e6446d-faca-4b67-9063-e8d9afb80088
# ${pkgs.hdparm}/sbin/hdparm -S 150 /dev/disk/by-uuid/b9edc489-ac37-4b28-981d-442722df7ae2
# '';
# powerUpCommands = ''
# ${pkgs.hdparm}/sbin/hdparm -S 150 /dev/disk/by-uuid/57e6446d-faca-4b67-9063-e8d9afb80088
# ${pkgs.hdparm}/sbin/hdparm -S 150 /dev/disk/by-uuid/b9edc489-ac37-4b28-981d-442722df7ae2
# '';
};
}

12
hosts/nasbackup/home.nix
View File

@@ -10,16 +10,13 @@
# └─ ./hyprland
# └─ hyprland.nix
#
{ pkgs, ... }:
{
imports =
[
{pkgs, ...}: {
imports = [
../../modules/home.nix # Window Manager
];
home = { # Specific packages for laptop
home = {
# Specific packages for laptop
packages = with pkgs; [
# Applications
@@ -32,5 +29,4 @@
programs = {
alacritty.settings.font.size = 11;
};
}

50
hosts/nbf5/default.nix
View File

@@ -16,23 +16,32 @@
# └─ ./hardware
# └─ default.nix
#
{ config, pkgs, user, ... }:
{
imports = # For now, if applying to other system, swap files
[(import ./hardware-configuration.nix)] ++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix
config,
pkgs,
user,
...
}: {
imports =
# For now, if applying to other system, swap files
[(import ./hardware-configuration.nix)]
++ # Current system hardware config @ /etc/nixos/hardware-configuration.nix
#[(import ../../modules/wm/hyprland/default.nix)] ++ # Window Manager
# [(import ../../modules/wm/sway/default.nix)] ++ # Window Manager
[(import ../../modules/wm/virtualisation/docker.nix)] ++ # Docker
[(import ../../modules/wm/virtualisation/kvm-intel.nix)] ++ # kvm module options
(import ../../modules/hardware) ++
(import ../../modules/services/printer); # Hardware devices
[(import ../../modules/wm/virtualisation/docker.nix)]
++ # Docker
[(import ../../modules/wm/virtualisation/kvm-intel.nix)]
++ # kvm module options
(import ../../modules/hardware)
++ (import ../../modules/services/printer); # Hardware devices
boot = { # Boot options
boot = {
# Boot options
kernelPackages = pkgs.linuxPackages_latest;
loader = { # EFI Boot
loader = {
# EFI Boot
systemd-boot.enable = true;
efi = {
canTouchEfiVariables = true;
@@ -48,7 +57,8 @@
];
};
programs = { # No xbacklight, this is the alterantive
programs = {
# No xbacklight, this is the alterantive
light.enable = true;
};
@@ -56,17 +66,19 @@
tlp = {
enable = true; # TLP and auto-cpufreq for power management
settings = {
USB_DENYLIST="fc32:1287 1e7d:2e4a 1d5c:5500 1d5c:5510";
USB_DENYLIST = "fc32:1287 1e7d:2e4a 1d5c:5500 1d5c:5510";
};
};
logind.lidSwitch = "suspend-then-hibernate"; # Laptop does not go to sleep when lid is closed
#auto-cpufreq.enable = true;
blueman.enable = true;
avahi = { # Needed to find wireless printer
avahi = {
# Needed to find wireless printer
enable = true;
nssmdns4 = true;
publish = { # Needed for detecting the scanner
publish = {
# Needed for detecting the scanner
enable = true;
addresses = true;
userServices = true;
@@ -75,8 +87,8 @@
};
#temporary bluetooth fix
# systemd.tmpfiles.rules = [
# "d /var/lib/bluetooth 700 root root - -"
# ];
# systemd.targets."bluetooth".after = ["systemd-tmpfiles-setup.service"];
# systemd.tmpfiles.rules = [
# "d /var/lib/bluetooth 700 root root - -"
# ];
# systemd.targets."bluetooth".after = ["systemd-tmpfiles-setup.service"];
}

80
hosts/nbf5/hardware-configuration.nix
View File

@@ -10,17 +10,21 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot = {
initrd = {
availableKernelModules = [ "ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci" "rtsx_usb_sdmmc" ];
kernelModules = [ "i915" "kvm_intel" ];
availableKernelModules = ["ahci" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci" "rtsx_usb_sdmmc"];
kernelModules = ["i915" "kvm_intel"];
systemd.enable = true;
luks = {
devices."root" = {
@@ -30,11 +34,11 @@
};
};
kernelModules = [ "kvm-intel" ];
kernelModules = ["kvm-intel"];
extraModprobeConfig = ''
options i915 enable_guc=3 enable_fbc=1 fastboot=1
'';
kernelParams = [ "mitigations=off" "luks.options=fido2-device=auto" ];
kernelParams = ["mitigations=off" "luks.options=fido2-device=auto"];
tmp.useTmpfs = true;
};
@@ -74,69 +78,67 @@
};
};
fileSystems."/" =
{ device = "/dev/mapper/root";
fileSystems."/" = {
device = "/dev/mapper/root";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
};
fileSystems."/home" =
{ device = "/dev/mapper/root";
fileSystems."/home" = {
device = "/dev/mapper/root";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
};
fileSystems."/srv" =
{ device = "/dev/mapper/root";
fileSystems."/srv" = {
device = "/dev/mapper/root";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
};
fileSystems."/opt" =
{ device = "/dev/mapper/root";
fileSystems."/opt" = {
device = "/dev/mapper/root";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@opt,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@opt,discard=async"];
};
fileSystems."/nix" =
{ device = "/dev/mapper/root";
fileSystems."/nix" = {
device = "/dev/mapper/root";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
};
fileSystems."/mnt/snapshots/root" =
{ device = "/dev/mapper/root";
fileSystems."/mnt/snapshots/root" = {
device = "/dev/mapper/root";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-label/BOOT";
fileSystems."/boot" = {
device = "/dev/disk/by-label/BOOT";
fsType = "vfat";
};
fileSystems."/mnt/Pluto" =
{ device = "jupiter:/Pluto";
fileSystems."/mnt/Pluto" = {
device = "jupiter:/Pluto";
fsType = "nfs";
options = [ "noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2" ];
options = ["noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2"];
};
fileSystems."/mnt/Mars" =
{ device = "jupiter:/Mars";
fileSystems."/mnt/Mars" = {
device = "jupiter:/Mars";
fsType = "nfs";
options = [ "noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2" ];
options = ["noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2"];
};
swapDevices = [ ];
swapDevices = [];
networking = {
useDHCP = false; # Deprecated
hostName = "nbf5";
wireless = {
iwd.enable = true;
interfaces = [ "wlan0" ];
interfaces = ["wlan0"];
};
interfaces = {
wlan0 = {
@@ -146,7 +148,7 @@
firewall = {
enable = true;
#allowedUDPPorts = [ 53 67 ];
allowedTCPPorts = [ 80 443 ];
allowedTCPPorts = [80 443];
};
};

15
hosts/nbf5/home.nix
View File

@@ -10,18 +10,15 @@
# └─ ./hyprland
# └─ hyprland.nix
#
{ pkgs, ... }:
{
imports =
[
{pkgs, ...}: {
imports = [
#../../modules/wm/hyprland/home.nix # Window Manager
#../../modules/wm/sway/home.nix # Window Manager
../../modules/home.nix # Window Manager
];
home = { # Specific packages for laptop
home = {
# Specific packages for laptop
packages = with pkgs; [
# Applications
firefox
@@ -41,11 +38,11 @@
alacritty.settings.font.size = 11;
};
services = { # Applets
services = {
# Applets
blueman-applet.enable = true; # Bluetooth
network-manager-applet.enable = true; # Network
};
xsession.preferStatusNotifierItems = true;
}

13
hosts/steamdeck/default.nix
View File

@@ -1,10 +1,13 @@
#
# Steamdeck — system configuration
#
{ lib, pkgs, user, jovian-nixos, ... }:
{
lib,
pkgs,
user,
jovian-nixos,
...
}: {
imports = [
./hardware-configuration.nix
../../modules/desktop
@@ -19,7 +22,7 @@
specialisation = {
sway.configuration = {
imports = [ (import ../../modules/wm/sway) ];
imports = [(import ../../modules/wm/sway)];
jovian.steam.enable = lib.mkForce false;
services.desktopManager.plasma6.enable = lib.mkForce false;
};
@@ -41,7 +44,7 @@
services.printing = {
enable = true;
drivers = [ pkgs.gutenprint ];
drivers = [pkgs.gutenprint];
};
services.tailscale.enable = true;

180
hosts/steamdeck/hardware-configuration.nix
View File

@@ -10,17 +10,21 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot = {
initrd = {
availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci" ];
kernelModules = [ ];
availableKernelModules = ["nvme" "xhci_pci" "usb_storage" "usbhid" "sd_mod" "sdhci_pci"];
kernelModules = [];
systemd.enable = true;
luks = {
devices."crypted" = {
@@ -31,8 +35,8 @@
};
};
kernelModules = [ "kvm-amd" "amdgpu" ];
kernelParams = [ "luks.options=fido2-device=auto" ];
kernelModules = ["kvm-amd" "amdgpu"];
kernelParams = ["luks.options=fido2-device=auto"];
tmp.useTmpfs = false;
tmp.cleanOnBoot = true;
};
@@ -74,111 +78,109 @@
};
};
};
# bak = {
# onCalendar = "daily";
# settings = {
# stream_buffer = "256m";
# stream_compress = "lz4";
# incremental = "yes";
# snapshot_create = "no";
# snapshot_dir = "@snapshots";
# timestamp_format = "long";
#
# snapshot_preserve_min = "all";
# target_preserve_min = "no";
# target_preserve = "2m 4w 3d";
#
# ssh_identity = "/etc/btrbk/ssh/id_ed25519_btrbk_nas";
# ssh_user = "btrbk";
#
# volume = {
# "/mnt/snapshots/root" = {
# subvolume = {
# "@home" = {};
# };
# target = "ssh://jupiter.home.opel-online.de:2220/mnt/snapshots/Mars/@snapshots/@steamdeck";
# };
# };
# };
# };
# bak = {
# onCalendar = "daily";
# settings = {
# stream_buffer = "256m";
# stream_compress = "lz4";
# incremental = "yes";
# snapshot_create = "no";
# snapshot_dir = "@snapshots";
# timestamp_format = "long";
#
# snapshot_preserve_min = "all";
# target_preserve_min = "no";
# target_preserve = "2m 4w 3d";
#
# ssh_identity = "/etc/btrbk/ssh/id_ed25519_btrbk_nas";
# ssh_user = "btrbk";
#
# volume = {
# "/mnt/snapshots/root" = {
# subvolume = {
# "@home" = {};
# };
# target = "ssh://jupiter.home.opel-online.de:2220/mnt/snapshots/Mars/@snapshots/@steamdeck";
# };
# };
# };
# };
};
};
};
#
# systemd.timers = {
# btrbk-bak = {
# requires = [ "network-online.target" ];
# };
# };
#
# systemd.timers = {
# btrbk-bak = {
# requires = [ "network-online.target" ];
# };
# };
fileSystems."/" =
{ device = "/dev/mapper/crypted";
fileSystems."/" = {
device = "/dev/mapper/crypted";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@,discard=async"];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-label/NIXBOOT";
fileSystems."/boot" = {
device = "/dev/disk/by-label/NIXBOOT";
fsType = "vfat";
};
fileSystems."/home" =
{ device = "/dev/mapper/crypted";
fileSystems."/home" = {
device = "/dev/mapper/crypted";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@home,discard=async"];
};
fileSystems."/nix" =
{ device = "/dev/mapper/crypted";
fileSystems."/nix" = {
device = "/dev/mapper/crypted";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@nix,discard=async"];
};
fileSystems."/srv" =
{ device = "/dev/mapper/crypted";
fileSystems."/srv" = {
device = "/dev/mapper/crypted";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@srv,discard=async"];
};
fileSystems."/swap" =
{ device = "/dev/mapper/crypted";
fileSystems."/swap" = {
device = "/dev/mapper/crypted";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@swap,discard=async"];
};
fileSystems."/opt" =
{ device = "/dev/mapper/crypted";
fileSystems."/opt" = {
device = "/dev/mapper/crypted";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@opt,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvol=@opt,discard=async"];
};
fileSystems."/mnt/snapshots/root" =
{ device = "/dev/mapper/crypted";
fileSystems."/mnt/snapshots/root" = {
device = "/dev/mapper/crypted";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime,subvolid=5,discard=async"];
};
# fileSystems."/sdcard" =
# { device = "/dev/disk/by-label/sdcard";
# fsType = "ext4";
# options = [ "nofail,noauto,users,x-systemd.automount" ];
# };
# fileSystems."/sdcard" =
# { device = "/dev/disk/by-label/sdcard";
# fsType = "ext4";
# options = [ "nofail,noauto,users,x-systemd.automount" ];
# };
fileSystems."/mnt/Pluto" =
{ device = "jupiter:/Pluto";
fileSystems."/mnt/Pluto" = {
device = "jupiter:/Pluto";
fsType = "nfs";
options = [ "nofail,noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2" ];
options = ["nofail,noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2"];
};
fileSystems."/mnt/Mars" =
{ device = "jupiter:/Mars";
fileSystems."/mnt/Mars" = {
device = "jupiter:/Mars";
fsType = "nfs";
options = [ "nofail,noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2" ];
options = ["nofail,noauto,users,x-systemd.automount,x-systemd.device-timeout=10,soft,timeo=14,x-systemd.idle-timeout=1min,sec=sys,exec,nfsvers=4.2"];
};
swapDevices = [ { device = "/swap/swapfile"; } ];
swapDevices = [{device = "/swap/swapfile";}];
networking = {
useDHCP = false; # Deprecated
@@ -191,22 +193,22 @@
powersave = false;
};
};
# interfaces = {
# wlan0 = {
# useDHCP = true; # For versatility sake, manually edit IP on nm-applet.
# #ipv4.addresses = [ {
# # address = "192.168.0.51";
# # prefixLength = 24;
# #} ];
# };
# };
# interfaces = {
# wlan0 = {
# useDHCP = true; # For versatility sake, manually edit IP on nm-applet.
# #ipv4.addresses = [ {
# # address = "192.168.0.51";
# # prefixLength = 24;
# #} ];
# };
# };
#defaultGateway = "192.168.0.1";
#nameservers = [ "192.168.0.4" ];
firewall = {
checkReversePath = "loose";
enable = true;
allowedUDPPorts = [ 24727 ];
allowedTCPPorts = [ 24727 ];
allowedUDPPorts = [24727];
allowedTCPPorts = [24727];
};
};

11
hosts/steamdeck/home.nix
View File

@@ -1,19 +1,16 @@
#
# Home-manager configuration for steamdeck
#
{ pkgs, ... }:
{
{pkgs, ...}: {
specialisation = {
sway.configuration = {
imports = [ (import ../../modules/wm/sway/home.nix) ];
imports = [(import ../../modules/wm/sway/home.nix)];
};
};
imports =
[ (import ../../modules/home.nix) ] ++
[ (import ../../modules/wm/steam/home.nix) ];
[(import ../../modules/home.nix)]
++ [(import ../../modules/wm/steam/home.nix)];
home = {
packages = with pkgs; [

42
hosts/vm/hardware-configuration.nix
View File

@@ -1,36 +1,40 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.availableKernelModules = ["uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk"];
boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
fileSystems."/" =
{ device = "/dev/disk/by-label/nixos";
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
fsType = "btrfs";
options = [ "compress=zstd,space_cache=v2,ssd,noatime" ];
options = ["compress=zstd,space_cache=v2,ssd,noatime"];
};
# fileSystems."/home" =
# { device = "/dev/disk/by-label/root";
# fsType = "btrfs";
# options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home" ];
# };
# fileSystems."/home" =
# { device = "/dev/disk/by-label/root";
# fsType = "btrfs";
# options = [ "compress=zstd,space_cache=v2,ssd,noatime,subvol=@home" ];
# };
fileSystems."/boot" =
{ device = "/dev/disk/by-label/BOOT";
fileSystems."/boot" = {
device = "/dev/disk/by-label/BOOT";
fsType = "vfat";
};
swapDevices = [ ];
swapDevices = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's

132
modules/desktop/default.nix
View File

@@ -28,28 +28,30 @@
#
# myDesktop.extraSystemPackages = with pkgs; [ some-tool ];
#
{ config, lib, pkgs, inputs, user, ... }:
let
cfg = config.myDesktop;
in
{
config,
lib,
pkgs,
inputs,
user,
...
}: let
cfg = config.myDesktop;
in {
# Hardware modules that are always useful on desktops (bluetooth, …)
imports = (import ../hardware);
imports = import ../hardware;
# ── Options ──────────────────────────────────────────────────────────────
options.myDesktop = with lib; {
windowManager = mkOption {
type = types.enum [ "niri" "sway" "kde" ];
type = types.enum ["niri" "sway" "kde"];
default = "niri";
description = "Window manager / desktop environment for this host.";
};
cpu = mkOption {
type = types.enum [ "amd" "intel" "none" ];
type = types.enum ["amd" "intel" "none"];
default = "none";
description = "CPU type selects the matching KVM kernel parameters.";
};
@@ -62,14 +64,16 @@ in
devices = mkOption {
type = types.attrs;
default = {};
example = literalExpression
example =
literalExpression
''{ "jupiter.home.example.de" = { id = "XXXXX-XXXXX-XXXXX-..."; }; }'';
description = "Syncthing peer devices.";
};
folders = mkOption {
type = types.attrs;
default = {};
example = literalExpression
example =
literalExpression
''{ "Sync" = { path = "/home/user/Sync"; devices = [ "jupiter" ]; ignorePerms = false; }; }'';
description = "Syncthing shared folders.";
};
@@ -101,7 +105,7 @@ in
nitrokey.enable = mkEnableOption "Nitrokey hardware security key support";
niri.hotkeyVariant = mkOption {
type = types.enum [ "default" "lifebook" ];
type = types.enum ["default" "lifebook"];
default = "default";
description = "Niri hotkey variant to deploy selects binds/<variant>.kdl.";
};
@@ -122,15 +126,23 @@ in
# ── Configuration ────────────────────────────────────────────────────────
config = lib.mkMerge [
# ── Base desktop config (replaces configuration_desktop.nix) ───────────
{
users.users.${user} = {
isNormalUser = true;
uid = 2000;
extraGroups = [
"wheel" "video" "audio" "camera" "networkmanager"
"lp" "kvm" "libvirtd" "adb" "dialout" "tss"
"wheel"
"video"
"audio"
"camera"
"networkmanager"
"lp"
"kvm"
"libvirtd"
"adb"
"dialout"
"tss"
];
};
@@ -160,7 +172,7 @@ in
]
++ cfg.extraSystemPackages;
nixpkgs.config.permittedInsecurePackages = [ "mbedtls-2.28.10" ];
nixpkgs.config.permittedInsecurePackages = ["mbedtls-2.28.10"];
services = {
pipewire = {
@@ -171,7 +183,7 @@ in
};
pcscd.enable = true;
yubikey-agent.enable = true;
udev.packages = with pkgs; [ yubikey-personalization nitrokey-udev-rules ];
udev.packages = with pkgs; [yubikey-personalization nitrokey-udev-rules];
flatpak.enable = true;
gvfs.enable = true;
fwupd.enable = true;
@@ -228,8 +240,7 @@ in
greetd = {
enable = true;
useTextGreeter = true;
settings.default_session.command =
"${pkgs.tuigreet}/bin/tuigreet --time --cmd niri-session";
settings.default_session.command = "${pkgs.tuigreet}/bin/tuigreet --time --cmd niri-session";
};
tuned.enable = true;
upower.enable = true;
@@ -238,8 +249,7 @@ in
programs = {
niri.enable = true;
ssh.enableAskPassword = true;
ssh.askPassword =
"${pkgs.lxqt.lxqt-openssh-askpass}/bin/lxqt-openssh-askpass";
ssh.askPassword = "${pkgs.lxqt.lxqt-openssh-askpass}/bin/lxqt-openssh-askpass";
};
# Noctalia shell + niri home config via home-manager
@@ -271,27 +281,50 @@ in
showCapsule = false;
widgets = {
left = [
{ id = "ControlCenter"; useDistroLogo = true; }
{ hideUnoccupied = false; id = "Workspace";
labelMode = "index"; showApplications = true; }
{ id = "ActiveWindow"; }
{
id = "ControlCenter";
useDistroLogo = true;
}
{
hideUnoccupied = false;
id = "Workspace";
labelMode = "index";
showApplications = true;
}
{id = "ActiveWindow";}
];
center = [
{ formatHorizontal = "HH:mm\\ndd-MM-yy";
{
formatHorizontal = "HH:mm\\ndd-MM-yy";
formatVertical = "HH mm";
id = "Clock";
useMonospacedFont = true;
usePrimaryColor = true; }
usePrimaryColor = true;
}
];
right = [
{ id = "MediaMini"; }
{ id = "SystemMonitor"; showNetworkStats = true; compactMode = false; }
{ id = "WiFi"; }
{ id = "Bluetooth"; }
{ id = "Battery"; displayMode = "icon-always"; hideIfNotDetected = true; }
{ id = "Volume"; displayMode = "alwaysShow"; }
{ id = "NotificationHistory"; hideWhenZero = true; }
{ id = "Tray"; }
{id = "MediaMini";}
{
id = "SystemMonitor";
showNetworkStats = true;
compactMode = false;
}
{id = "WiFi";}
{id = "Bluetooth";}
{
id = "Battery";
displayMode = "icon-always";
hideIfNotDetected = true;
}
{
id = "Volume";
displayMode = "alwaysShow";
}
{
id = "NotificationHistory";
hideWhenZero = true;
}
{id = "Tray";}
];
};
};
@@ -323,11 +356,11 @@ in
};
controlCenter.shortcuts.left = [
{ id = "WiFi"; }
{ id = "Bluetooth"; }
{ id = "ScreenRecorder"; }
{ id = "PowerProfile"; }
{ id = "KeepAwake"; }
{id = "WiFi";}
{id = "Bluetooth";}
{id = "ScreenRecorder";}
{id = "PowerProfile";}
{id = "KeepAwake";}
];
dock.enabled = false;
@@ -390,14 +423,13 @@ in
'';
};
ssh.enableAskPassword = true;
ssh.askPassword =
"${pkgs.lxqt.lxqt-openssh-askpass}/bin/lxqt-openssh-askpass";
ssh.askPassword = "${pkgs.lxqt.lxqt-openssh-askpass}/bin/lxqt-openssh-askpass";
};
xdg.portal = {
enable = true;
wlr.enable = true;
extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
extraPortals = [pkgs.xdg-desktop-portal-gtk];
};
home-manager.users.${user}.imports = [
@@ -423,19 +455,19 @@ in
services = {
packagekit.enable = true;
desktopManager.plasma6.enable = true;
udev.packages = with pkgs; [ gnome-settings-daemon ];
udev.packages = with pkgs; [gnome-settings-daemon];
};
qt.platformTheme = "kde";
home-manager.users.${user}.imports = [ ../wm/kde/home.nix ];
home-manager.users.${user}.imports = [../wm/kde/home.nix];
})
# ── Virtualisation (podman/docker-compat + qemu/libvirt) ───────────────
(lib.mkIf cfg.virtualisation.enable {
users.groups = {
docker.members = [ user ];
libvirtd.members = [ "root" user ];
docker.members = [user];
libvirtd.members = ["root" user];
};
virtualisation = {
@@ -507,8 +539,7 @@ in
# ── Laptop ─────────────────────────────────────────────────────────────
(lib.mkIf cfg.laptop.enable {
systemd.sleep.extraConfig =
"HibernateDelaySec=${cfg.laptop.hibernateDelaySec}";
systemd.sleep.extraConfig = "HibernateDelaySec=${cfg.laptop.hibernateDelaySec}";
services.logind.settings.Login.HandleLidSwitch =
cfg.laptop.lidSwitch;
})
@@ -517,6 +548,5 @@ in
(lib.mkIf cfg.nitrokey.enable {
hardware.nitrokey.enable = true;
})
];
}

1
modules/editors/default.nix
View File

@@ -9,7 +9,6 @@
# └─ default.nix *
# └─ ...
#
[
./nvim
]

3
modules/editors/nvim/config/default.nix
View File

@@ -1,5 +1,4 @@
{ nvim, ... }:
{
{nvim, ...}: {
# Import all your configuration modules here
programs.nixvim = {
enable = true;

8
modules/editors/nvim/config/plugins.nix
View File

@@ -35,10 +35,10 @@
enable = true;
settings.telemetry.enable = false;
};
# rust-analyzer = {
# enable = true;
# installCargo = true;
# };
# rust-analyzer = {
# enable = true;
# installCargo = true;
# };
};
};

279
modules/editors/nvim/default.nix
View File

@@ -1,13 +1,9 @@
#
# Neovim
#
{ pkgs, ... }:
{
{pkgs, ...}: {
home = {
packages = [ pkgs.gnvim ];
packages = [pkgs.gnvim];
};
programs = {
@@ -20,145 +16,144 @@
withRuby = true;
withPython3 = true;
# plugins = with pkgs.vimPlugins; [
#
# # Syntax
# #vim-nix
# #vim-markdown
#
# # Quality of life
# vim-lastplace # Opens document where you left it
# auto-pairs # Print double quotes/brackets/etc.
# vim-gitgutter # See uncommitted changes of file :GitGutterEnable
#
# # File Tree
# nerdtree # File Manager - set in extraConfig to F6
#
# # Customization
# wombat256-vim # Color scheme for lightline
# srcery-vim # Color scheme for text
#
# lightline-vim # Info bar at bottom
# indent-blankline-nvim # Indentation lines
#
# # Syntax
# nvim-treesitter.withAllGrammars
# # finder
# telescope-nvim
# # completion
# nvim-cmp
# # status line
# lualine-nvim
# # indent
# indent-blankline-nvim
# ];
# plugins = with pkgs.vimPlugins; [
#
# # Syntax
# #vim-nix
# #vim-markdown
#
# # Quality of life
# vim-lastplace # Opens document where you left it
# auto-pairs # Print double quotes/brackets/etc.
# vim-gitgutter # See uncommitted changes of file :GitGutterEnable
#
# # File Tree
# nerdtree # File Manager - set in extraConfig to F6
#
# # Customization
# wombat256-vim # Color scheme for lightline
# srcery-vim # Color scheme for text
#
# lightline-vim # Info bar at bottom
# indent-blankline-nvim # Indentation lines
#
# # Syntax
# nvim-treesitter.withAllGrammars
# # finder
# telescope-nvim
# # completion
# nvim-cmp
# # status line
# lualine-nvim
# # indent
# indent-blankline-nvim
# ];
# extraPackages = with pkgs; [
# ripgrep
# fd
# nodejs
# nodePackages.npm
# ];
# extraPackages = with pkgs; [
# ripgrep
# fd
# nodejs
# nodePackages.npm
# ];
# extraConfig = ''
# set expandtab
# set shiftwidth=4
# set tabstop=4
# '';
# extraConfig = ''
# set expandtab
# set shiftwidth=4
# set tabstop=4
# '';
# extraLuaConfig = ''
# vim.g.mapleader = ' '
# vim.g.maplocalleader = ' '
#
# -- Set highlight on search
# vim.o.hlsearch = false
#
# -- Make line numbers default
# vim.wo.number = true
#
# -- Enable mouse mode
# vim.o.mouse = 'a'
#
# -- Sync clipboard between OS and Neovim.
# -- Remove this option if you want your OS clipboard to remain independent.
# -- See `:help 'clipboard'`
# vim.o.clipboard = 'unnamedplus'
#
# -- Enable break indent
# vim.o.breakindent = true
#
# -- Save undo history
# vim.o.undofile = true
#
# -- Case insensitive searching UNLESS /C or capital in search
# vim.o.ignorecase = true
# vim.o.smartcase = true
#
# -- Keep signcolumn on by default
# vim.wo.signcolumn = 'yes'
#
# -- Decrease update time
# vim.o.updatetime = 250
# vim.o.timeout = true
# vim.o.timeoutlen = 300
#
# -- Set completeopt to have a better completion experience
# vim.o.completeopt = 'menuone,noselect'
#
# -- NOTE: You should make sure your terminal supports this
# vim.o.termguicolors = true
#
# -- [[ Highlight on yank ]]
# -- See `:help vim.highlight.on_yank()`
# local highlight_group = vim.api.nvim_create_augroup('YankHighlight', { clear = true })
# vim.api.nvim_create_autocmd('TextYankPost', {
# callback = function()
# vim.highlight.on_yank()
# end,
# group = highlight_group,
# pattern = '*',
# })
#
# -- [[ Configure Telescope ]]
# -- See `:help telescope` and `:help telescope.setup()`
# require('telescope').setup {
# defaults = {
# mappings = {
# i = {
# ['<C-u>'] = false,
# ['<C-d>'] = false,
# },
# },
# },
# }
#
# -- Enable telescope fzf native, if installed
# pcall(require('telescope').load_extension, 'fzf')
#
# -- See `:help telescope.builtin`
# vim.keymap.set('n', '<leader>?', require('telescope.builtin').oldfiles, { desc = '[?] Find recently opened files' })
# vim.keymap.set('n', '<leader><space>', require('telescope.builtin').buffers, { desc = '[ ] Find existing buffers' })
# vim.keymap.set('n', '<leader>/', function()
# -- You can pass additional configuration to telescope to change theme, layout, etc.
# require('telescope.builtin').current_buffer_fuzzy_find(require('telescope.themes').get_dropdown {
# winblend = 10,
# previewer = false,
# })
# end, { desc = '[/] Fuzzily search in current buffer' })
#
# vim.keymap.set('n', '<leader>gf', require('telescope.builtin').git_files, { desc = 'Search [G]it [F]iles' })
# vim.keymap.set('n', '<leader>sf', require('telescope.builtin').find_files, { desc = '[S]earch [F]iles' })
# vim.keymap.set('n', '<leader>sh', require('telescope.builtin').help_tags, { desc = '[S]earch [H]elp' })
# vim.keymap.set('n', '<leader>sw', require('telescope.builtin').grep_string, { desc = '[S]earch current [W]ord' })
# vim.keymap.set('n', '<leader>sg', require('telescope.builtin').live_grep, { desc = '[S]earch by [G]rep' })
# vim.keymap.set('n', '<leader>sd', require('telescope.builtin').diagnostics, { desc = '[S]earch [D]iagnostics' })
# require("indent_blankline").setup {
# -- for example, context is off by default, use this to turn it on
# show_current_context = true,
# show_current_context_start = true,
# }
# '';
# extraLuaConfig = ''
# vim.g.mapleader = ' '
# vim.g.maplocalleader = ' '
#
# -- Set highlight on search
# vim.o.hlsearch = false
#
# -- Make line numbers default
# vim.wo.number = true
#
# -- Enable mouse mode
# vim.o.mouse = 'a'
#
# -- Sync clipboard between OS and Neovim.
# -- Remove this option if you want your OS clipboard to remain independent.
# -- See `:help 'clipboard'`
# vim.o.clipboard = 'unnamedplus'
#
# -- Enable break indent
# vim.o.breakindent = true
#
# -- Save undo history
# vim.o.undofile = true
#
# -- Case insensitive searching UNLESS /C or capital in search
# vim.o.ignorecase = true
# vim.o.smartcase = true
#
# -- Keep signcolumn on by default
# vim.wo.signcolumn = 'yes'
#
# -- Decrease update time
# vim.o.updatetime = 250
# vim.o.timeout = true
# vim.o.timeoutlen = 300
#
# -- Set completeopt to have a better completion experience
# vim.o.completeopt = 'menuone,noselect'
#
# -- NOTE: You should make sure your terminal supports this
# vim.o.termguicolors = true
#
# -- [[ Highlight on yank ]]
# -- See `:help vim.highlight.on_yank()`
# local highlight_group = vim.api.nvim_create_augroup('YankHighlight', { clear = true })
# vim.api.nvim_create_autocmd('TextYankPost', {
# callback = function()
# vim.highlight.on_yank()
# end,
# group = highlight_group,
# pattern = '*',
# })
#
# -- [[ Configure Telescope ]]
# -- See `:help telescope` and `:help telescope.setup()`
# require('telescope').setup {
# defaults = {
# mappings = {
# i = {
# ['<C-u>'] = false,
# ['<C-d>'] = false,
# },
# },
# },
# }
#
# -- Enable telescope fzf native, if installed
# pcall(require('telescope').load_extension, 'fzf')
#
# -- See `:help telescope.builtin`
# vim.keymap.set('n', '<leader>?', require('telescope.builtin').oldfiles, { desc = '[?] Find recently opened files' })
# vim.keymap.set('n', '<leader><space>', require('telescope.builtin').buffers, { desc = '[ ] Find existing buffers' })
# vim.keymap.set('n', '<leader>/', function()
# -- You can pass additional configuration to telescope to change theme, layout, etc.
# require('telescope.builtin').current_buffer_fuzzy_find(require('telescope.themes').get_dropdown {
# winblend = 10,
# previewer = false,
# })
# end, { desc = '[/] Fuzzily search in current buffer' })
#
# vim.keymap.set('n', '<leader>gf', require('telescope.builtin').git_files, { desc = 'Search [G]it [F]iles' })
# vim.keymap.set('n', '<leader>sf', require('telescope.builtin').find_files, { desc = '[S]earch [F]iles' })
# vim.keymap.set('n', '<leader>sh', require('telescope.builtin').help_tags, { desc = '[S]earch [H]elp' })
# vim.keymap.set('n', '<leader>sw', require('telescope.builtin').grep_string, { desc = '[S]earch current [W]ord' })
# vim.keymap.set('n', '<leader>sg', require('telescope.builtin').live_grep, { desc = '[S]earch by [G]rep' })
# vim.keymap.set('n', '<leader>sd', require('telescope.builtin').diagnostics, { desc = '[S]earch [D]iagnostics' })
# require("indent_blankline").setup {
# -- for example, context is off by default, use this to turn it on
# show_current_context = true,
# show_current_context_start = true,
# }
# '';
};
};
}

13
modules/hardware/backup.nix
View File

@@ -1,17 +1,18 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}: {
services.btrbk = {
sshAccess = [
{
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDU2NJ9xwYnp6/frIOv96ih8psiFcC2eOQeT+ZEMW5rq";
roles = [ "source" "info" "send" ];
roles = ["source" "info" "send"];
}
{
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIma7jNVQZM+lFMOKUex0+cyDpeUA3Wo4SEJ7P9YnHPG";
roles = [ "target" "info" "receive" "delete" ];
roles = ["target" "info" "receive" "delete"];
}
];
};

5
modules/hardware/bluetooth.nix
View File

@@ -1,10 +1,7 @@
#
# Bluetooth
#
{ pkgs, ... }:
{
{pkgs, ...}: {
hardware.bluetooth = {
enable = true;
hsphfpd.enable = false; # HSP & HFP daemon

9
modules/hardware/hydraCache.nix
View File

@@ -1,7 +1,9 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}: {
nix = {
settings = {
extra-trusted-public-keys = [
@@ -15,5 +17,4 @@
];
};
};
}

11
modules/hardware/remoteBuilder.nix
View File

@@ -1,10 +1,13 @@
{ pkgs, config, ... }:
{
users.users.nixremote = { # System User
pkgs,
config,
...
}: {
users.users.nixremote = {
# System User
isSystemUser = true;
group = "nixremote";
extraGroups = [ "kvm" ];
extraGroups = ["kvm"];
uid = 1001;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILczsj4W1kFQaalFwaY+RJ4LEzNeFKD+itXB40Q2O59M nixremote@hades"

16
modules/hardware/remoteClient.nix
View File

@@ -1,20 +1,24 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}: {
nix = {
distributedBuilds = false;
buildMachines = [ {
buildMachines = [
{
hostName = "hades";
system = "x86_64-linux";
supportedFeatures = [ "kvm" "big-parallel" ];
supportedFeatures = ["kvm" "big-parallel"];
sshUser = "nixremote";
sshKey = config.age.secrets."keys/nixremote".path;
maxJobs = 1;
speedFactor = 4;
publicHostKey = "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUVnbld5UVVVYSt2Y0hBS3g2ZWRiVGdxVzhwaCtNQ2lTNmZVd1lqWWNTK28gcm9vdEBoYWRlcwo=%";
protocol = "ssh-ng";
} ];
}
];
settings = {
extra-trusted-public-keys = [
"hades-builder:AFdPgi6Qq/yKqc2V2imgzMikEkVEFCrDaHyAmOJ3MII="

76
modules/home.nix
View File

@@ -1,31 +1,75 @@
{ lib, options, ... }:
{
lib,
options,
...
}: {
options = with lib; {
cmds = {
shell = mkOption { type = types.str; default = "zsh"; };
fetch = mkOption { type = types.str; default = "hyfetch"; };
editor = mkOption { type = types.str; default = "nvim"; };
shell = mkOption {
type = types.str;
default = "zsh";
};
fetch = mkOption {
type = types.str;
default = "hyfetch";
};
editor = mkOption {
type = types.str;
default = "nvim";
};
wm = mkOption { type = types.str; default = "sway"; };
wm = mkOption {
type = types.str;
default = "sway";
};
terminal = mkOption { type = types.str; default = "alacritty"; };
menu = mkOption { type = types.str; default = "rofi -show drun -show-icons"; };
terminal = mkOption {
type = types.str;
default = "alacritty";
};
menu = mkOption {
type = types.str;
default = "rofi -show drun -show-icons";
};
lock = mkOption { type = types.str; default = "locksway"; };
lock = mkOption {
type = types.str;
default = "locksway";
};
notifications = {
volume = mkOption { type = types.str; default = "volume-notify"; };
brightness = mkOption { type = types.str; default = "brightness-notify"; };
volume = mkOption {
type = types.str;
default = "volume-notify";
};
brightness = mkOption {
type = types.str;
default = "brightness-notify";
};
};
};
is-wayland = mkOption { type = types.bool; default = true; };
is-wayland = mkOption {
type = types.bool;
default = true;
};
theme = {
theme = mkOption { type = types.str; default = "catppuccin-mocha"; };
icon-theme = mkOption { type = types.str; default = "Papirus-Dark"; };
font = mkOption { type = types.str; default = "Cascadia Code 11"; };
wallpaper = mkOption { type = types.str; default = ""; };
theme = mkOption {
type = types.str;
default = "catppuccin-mocha";
};
icon-theme = mkOption {
type = types.str;
default = "Papirus-Dark";
};
font = mkOption {
type = types.str;
default = "Cascadia Code 11";
};
wallpaper = mkOption {
type = types.str;
default = "";
};
};
};
}

19
modules/kabbone/corosync-qdevice.nix
View File

@@ -4,20 +4,18 @@
pkgs,
pkgs-kabbone,
...
}:
let
}: let
cfg = config.services.corosync-qnetd;
dataDir = "/var/run/corosync-qnetd";
in
{
in {
# interface
options.services.corosync-qnetd = {
enable = lib.mkEnableOption "corosync-qnetd";
package = lib.mkPackageOption pkgs-kabbone "corosync-qdevice" { };
package = lib.mkPackageOption pkgs-kabbone "corosync-qdevice" {};
extraOptions = lib.mkOption {
type = with lib.types; listOf str;
default = [ ];
default = [];
description = "Additional options with which to start corosync-qnetd.";
};
};
@@ -26,7 +24,7 @@ in
# implementation
config = lib.mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
environment.systemPackages = [cfg.package];
users.users.coroqnetd = {
isSystemUser = true;
@@ -35,7 +33,7 @@ in
description = "Corosync-qnetd Service User";
};
users.groups.coroqnetd = { };
users.groups.coroqnetd = {};
# environment.etc."corosync/corosync-qnetd.conf".text = ''
# totem {
@@ -45,13 +43,12 @@ in
# transport: knet
# }
# logging {
# to_syslog: yes
# }
# '';
systemd.packages = [ cfg.package ];
systemd.packages = [cfg.package];
systemd.services.corosync-qnetd = {
serviceConfig = {
User = "coroqnetd";
@@ -60,7 +57,7 @@ in
};
};
environment.etc."sysconfig/corosync-qnetd".text = lib.optionalString (cfg.extraOptions != [ ]) ''
environment.etc."sysconfig/corosync-qnetd".text = lib.optionalString (cfg.extraOptions != []) ''
COROSYNC-QNETD_OPTIONS="${lib.escapeShellArgs cfg.extraOptions}"
'';
};

37
modules/kabbone/mautrix-whatsapp.nix
View File

@@ -3,14 +3,13 @@
config,
pkgs,
...
}:
let
}: let
cfg = config.services.kabbone_mautrix-whatsapp;
dataDir = "/var/lib/mautrix-whatsapp";
registrationFile = "${dataDir}/whatsapp-registration.yaml";
settingsFile = "${dataDir}/config.yaml";
settingsFileUnsubstituted = settingsFormat.generate "mautrix-whatsapp-config-unsubstituted.json" cfg.settings;
settingsFormat = pkgs.formats.json { };
settingsFormat = pkgs.formats.json {};
appservicePort = 29318;
# to be used with a list of lib.mkIf values
@@ -47,8 +46,8 @@ let
username_template = "whatsapp_{{.}}";
};
double_puppet = {
servers = { };
secrets = { };
servers = {};
secrets = {};
};
# By default, the following keys/secrets are set to `generate`. This would break when the service
# is restarted, since the previously generated configuration will be overwritten everytime.
@@ -66,13 +65,11 @@ let
};
};
};
in
{
in {
options.services.kabbone_mautrix-whatsapp = {
enable = lib.mkEnableOption "mautrix-whatsapp, a Matrix-Whatsapp puppeting bridge";
package = lib.mkPackageOption pkgs "mautrix-whatsapp" { };
package = lib.mkPackageOption pkgs "mautrix-whatsapp" {};
settings = lib.mkOption {
apply = lib.recursiveUpdate defaultConfig;
@@ -159,7 +156,6 @@ in
};
config = lib.mkIf cfg.enable {
users.users.mautrix-whatsapp = {
isSystemUser = true;
group = "mautrix-whatsapp";
@@ -167,19 +163,18 @@ in
description = "Mautrix-Whatsapp bridge user";
};
users.groups.mautrix-whatsapp = { };
users.groups.mautrix-whatsapp = {};
services.matrix-synapse = lib.mkIf cfg.registerToSynapse {
settings.app_service_config_files = [ registrationFile ];
settings.app_service_config_files = [registrationFile];
};
systemd.services.matrix-synapse = lib.mkIf cfg.registerToSynapse {
serviceConfig.SupplementaryGroups = [ "mautrix-whatsapp" ];
serviceConfig.SupplementaryGroups = ["mautrix-whatsapp"];
};
# Note: this is defined here to avoid the docs depending on `config`
services.kabbone_mautrix-whatsapp.settings.homeserver = optOneOf (
with config.services;
[
with config.services; [
(lib.mkIf matrix-synapse.enable (mkDefaults {
domain = matrix-synapse.settings.server_name;
}))
@@ -193,11 +188,11 @@ in
systemd.services.kabbone_mautrix-whatsapp = {
description = "mautrix-whatsapp, a Matrix-Whatsapp puppeting bridge.";
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ] ++ cfg.serviceDependencies;
after = [ "network-online.target" ] ++ cfg.serviceDependencies;
wantedBy = ["multi-user.target"];
wants = ["network-online.target"] ++ cfg.serviceDependencies;
after = ["network-online.target"] ++ cfg.serviceDependencies;
# ffmpeg is required for conversion of voice messages
path = [ pkgs.ffmpeg-headless ];
path = [pkgs.ffmpeg-headless];
preStart = ''
# substitute the settings file by environment variables
@@ -263,11 +258,11 @@ in
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallErrorNumber = "EPERM";
SystemCallFilter = [ "@system-service" ];
SystemCallFilter = ["@system-service"];
Type = "simple";
UMask = 27;
};
restartTriggers = [ settingsFileUnsubstituted ];
restartTriggers = [settingsFileUnsubstituted];
};
};
meta = {

1
modules/programs/configs/default.nix
View File

@@ -9,7 +9,6 @@
# └─ default.nix *
# └─ ...
#
[
./mpv.nix
]

5
modules/programs/configs/mpv.nix
View File

@@ -9,10 +9,7 @@
# └─ ./configs
# └─ mpv.nix *
#
{ pkgs, ... }:
{
{pkgs, ...}: {
home.file = {
".config/mpv/mpv.conf".text = ''
hwdec=vaapi

297
modules/programs/firefox.nix
View File

@@ -1,12 +1,11 @@
#
# Firefox Brower Emulator
#
{ pkgs, config, ... }:
{
pkgs,
config,
...
}: {
#home.packages = [ pkgs.firefox-wayland ];
programs = {
@@ -19,150 +18,150 @@
# ExtensionSettings = {};
# };
#};
# package = pkgs.firefox-wayland;
# profiles.kabbone = {
# #id = 271987;
# name = "kabbone";
# isDefault = true;
# settings = {
# "media.ffmpeg.vaapi.enabled" = true;
# "gfx.webrender.all" = true;
# "browser.contentblocking.category" = "strict";
# "browser.search.region" = "DE";
# "extensions.active.ThemeID" = "dreamer-bold-colorway@mozilla.org";
# "media.autoplay.default" = 0;
# "security.enterprise_roots.enabled" = true;
# "widget.gtk.overlay-scrollbars.enabled" = true;
# "signon.rememberSignons" = false;
# "extensions.formautofill.creditCards.enabled" = false;
# "datareporting.healthreport.uploadEnabled" = false;
# "browser.urlbar.placeholderName" = "DuckDuckGo";
# "browser.urlbar.placeholderName.private" = "DuckDuckGo";
# "browser.theme.toolbar-theme" = 0;
# };
#
# userChrome = ''
# /* Hide tab bar in FF Quantum */
# @-moz-document url("chrome://browser/content/browser.xul") {
# #TabsToolbar {
# visibility: collapse !important;
# margin-bottom: 21px !important;
# }
#
# #sidebar-box[sidebarcommand="treestyletab_piro_sakura_ne_jp-sidebar-action"] #sidebar-header {
# visibility: collapse !important;
# }
# }
# '';
#
# search = {
# engines = {
# "Nix Packages" = {
# urls = [{
# template = "https://search.nixos.org/packages";
# params = [
# { name = "type"; value = "packages"; }
# { name = "query"; value = "{searchTerms}"; }
# ];
# }];
#
# icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
# definedAliases = [ "@np" ];
# };
#
# "NixOS Wiki" = {
# urls = [{ template = "https://nixos.wiki/index.php?search={searchTerms}"; }];
# iconUpdateURL = "https://nixos.wiki/favicon.png";
# updateInterval = 24 * 60 * 60 * 1000; # every day
# definedAliases = [ "@nw" ];
# };
# };
#
# order = [ "DuckDuckGo" ];
# default = "DuckDuckGo";
# };
#
# bookmarks = [
# {
# name = "Kabtop Nextcloud";
# url = "https://cloud.kabtop.de/";
# }
# {
# name = "Home Assistant";
# url = "https://hass.home.opel-online.de/";
# }
# {
# name = "Netflix";
# url = "https://netflix.com/browse";
# }
# {
# name = "YouTube";
# url = "https://youtube.com/";
# }
# {
# name = "Kicker";
# url = "https://kicker.de/";
# }
# {
# name = "Chilloutzone";
# url = "https://chilloutzone.net/";
# }
# {
# name = "myDealZ";
# url = "https://mydealz.de/";
# }
# {
# name = "Kabtop Git";
# url = "https://git.kabtop.de/";
# }
# {
# name = "Spotify";
# url = "https://open.spotify.com/";
# }
# {
# name = "Tech";
# bookmarks = [
# {
# name = "Golem";
# url = "https://golem.de/";
# }
# {
# name = "Heise";
# url = "https://heise.de/";
# }
# {
# name = "Phoronix";
# url = "https://phoronix.com/";
# }
# ];
# }
# {
# name = "Foren";
# bookmarks = [
# {
# name = "Archlinux-en";
# url = "https://archlinux.org/";
# }
# {
# name = "Archlinux-ARM";
# url = "https://archlinuxarm.org/";
# }
# {
# name = "Archlinux-de";
# url = "https://archlinux.de/";
# }
# ];
# }
# ];
# };
#
# extensions = with pkgs.nur.repos.rycee.firefox-addons; [
# honey
# keepassxc-browser
# multi-account-containers
# netflix-1080p
# ublock-origin
# ];
# package = pkgs.firefox-wayland;
# profiles.kabbone = {
# #id = 271987;
# name = "kabbone";
# isDefault = true;
# settings = {
# "media.ffmpeg.vaapi.enabled" = true;
# "gfx.webrender.all" = true;
# "browser.contentblocking.category" = "strict";
# "browser.search.region" = "DE";
# "extensions.active.ThemeID" = "dreamer-bold-colorway@mozilla.org";
# "media.autoplay.default" = 0;
# "security.enterprise_roots.enabled" = true;
# "widget.gtk.overlay-scrollbars.enabled" = true;
# "signon.rememberSignons" = false;
# "extensions.formautofill.creditCards.enabled" = false;
# "datareporting.healthreport.uploadEnabled" = false;
# "browser.urlbar.placeholderName" = "DuckDuckGo";
# "browser.urlbar.placeholderName.private" = "DuckDuckGo";
# "browser.theme.toolbar-theme" = 0;
# };
#
# userChrome = ''
# /* Hide tab bar in FF Quantum */
# @-moz-document url("chrome://browser/content/browser.xul") {
# #TabsToolbar {
# visibility: collapse !important;
# margin-bottom: 21px !important;
# }
#
# #sidebar-box[sidebarcommand="treestyletab_piro_sakura_ne_jp-sidebar-action"] #sidebar-header {
# visibility: collapse !important;
# }
# }
# '';
#
# search = {
# engines = {
# "Nix Packages" = {
# urls = [{
# template = "https://search.nixos.org/packages";
# params = [
# { name = "type"; value = "packages"; }
# { name = "query"; value = "{searchTerms}"; }
# ];
# }];
#
# icon = "${pkgs.nixos-icons}/share/icons/hicolor/scalable/apps/nix-snowflake.svg";
# definedAliases = [ "@np" ];
# };
#
# "NixOS Wiki" = {
# urls = [{ template = "https://nixos.wiki/index.php?search={searchTerms}"; }];
# iconUpdateURL = "https://nixos.wiki/favicon.png";
# updateInterval = 24 * 60 * 60 * 1000; # every day
# definedAliases = [ "@nw" ];
# };
# };
#
# order = [ "DuckDuckGo" ];
# default = "DuckDuckGo";
# };
#
# bookmarks = [
# {
# name = "Kabtop Nextcloud";
# url = "https://cloud.kabtop.de/";
# }
# {
# name = "Home Assistant";
# url = "https://hass.home.opel-online.de/";
# }
# {
# name = "Netflix";
# url = "https://netflix.com/browse";
# }
# {
# name = "YouTube";
# url = "https://youtube.com/";
# }
# {
# name = "Kicker";
# url = "https://kicker.de/";
# }
# {
# name = "Chilloutzone";
# url = "https://chilloutzone.net/";
# }
# {
# name = "myDealZ";
# url = "https://mydealz.de/";
# }
# {
# name = "Kabtop Git";
# url = "https://git.kabtop.de/";
# }
# {
# name = "Spotify";
# url = "https://open.spotify.com/";
# }
# {
# name = "Tech";
# bookmarks = [
# {
# name = "Golem";
# url = "https://golem.de/";
# }
# {
# name = "Heise";
# url = "https://heise.de/";
# }
# {
# name = "Phoronix";
# url = "https://phoronix.com/";
# }
# ];
# }
# {
# name = "Foren";
# bookmarks = [
# {
# name = "Archlinux-en";
# url = "https://archlinux.org/";
# }
# {
# name = "Archlinux-ARM";
# url = "https://archlinuxarm.org/";
# }
# {
# name = "Archlinux-de";
# url = "https://archlinux.de/";
# }
# ];
# }
# ];
# };
#
# extensions = with pkgs.nur.repos.rycee.firefox-addons; [
# honey
# keepassxc-browser
# multi-account-containers
# netflix-1080p
# ublock-origin
# ];
};
};
}

32
modules/server/default.nix
View File

@@ -16,17 +16,18 @@
#
# myServer.extraSystemPackages = with pkgs; [ some-tool ];
#
{ config, lib, pkgs, user, ... }:
let
cfg = config.myServer;
in
{
config,
lib,
pkgs,
user,
...
}: let
cfg = config.myServer;
in {
# ── Options ──────────────────────────────────────────────────────────────
options.myServer = with lib; {
uid = mkOption {
type = types.int;
default = 3000;
@@ -54,7 +55,7 @@ in
virtualisation = {
enable = mkEnableOption "container/VM stack (podman with docker-compat, KVM tuning)";
cpu = mkOption {
type = types.enum [ "amd" "intel" "none" ];
type = types.enum ["amd" "intel" "none"];
default = "none";
description = "CPU type selects KVM kernel parameters when virtualisation is enabled.";
};
@@ -75,31 +76,31 @@ in
fail2ban = {
enable = mkEnableOption "fail2ban intrusion prevention";
};
};
# ── Configuration ────────────────────────────────────────────────────────
config = lib.mkMerge [
# ── Base server config ────────────────────────────────────────────────
{
users.users.${user} = {
isNormalUser = true;
uid = cfg.uid;
extraGroups = [ "wheel" "networkmanager" "kvm" "libvirtd" ] ++ cfg.extraGroups;
extraGroups = ["wheel" "networkmanager" "kvm" "libvirtd"] ++ cfg.extraGroups;
};
security.sudo.wheelNeedsPassword = cfg.sudoRequiresPassword;
environment.systemPackages = with pkgs; [
environment.systemPackages = with pkgs;
[
ffmpeg
smartmontools
htop
] ++ cfg.extraSystemPackages;
]
++ cfg.extraSystemPackages;
services.openssh = {
ports = [ cfg.sshPort ];
ports = [cfg.sshPort];
openFirewall = true;
};
@@ -119,7 +120,7 @@ in
dockerCompat = true;
};
users.groups.docker.members = [ user ];
users.groups.docker.members = [user];
})
# ── KVM AMD ─────────────────────────────────────────────────────────
@@ -146,6 +147,5 @@ in
jails.DEFAULT.settings.findtime = "15m";
};
})
];
}

5
modules/services/dmz/default.nix
View File

@@ -9,11 +9,10 @@
# └─ default.nix *
# └─ ...
#
[
./microvm.nix
# ./hydra.nix
# ./hydra.nix
]
# picom, polybar and sxhkd are pulled from desktop module
# redshift temporarely disables

11
modules/services/dmz/gitea_runner.nix
View File

@@ -1,15 +1,18 @@
{ lib, config, pkgs, ... }:
{
lib,
config,
pkgs,
...
}: {
virtualisation = {
podman ={
podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
};
containers.containersConf.settings = {
# podman seems to not work with systemd-resolved
containers.dns_servers = [ "192.168.101.1" ];
containers.dns_servers = ["192.168.101.1"];
#containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ];
};
};

9
modules/services/dmz/hydra.nix
View File

@@ -1,6 +1,9 @@
{ lib, config, pkgs, ... }:
{
lib,
config,
pkgs,
...
}: {
services = {
hydra = {
enable = true;
@@ -86,6 +89,4 @@
file = ../../../secrets/services/acme/opel-online.age;
owner = "acme";
};
}

46
modules/services/dmz/microvm.nix
View File

@@ -1,30 +1,36 @@
{ config, microvm, lib, pkgs, user, agenix, impermanence, ... }:
let
name = "gitea-runner";
in
{
config,
microvm,
lib,
pkgs,
user,
agenix,
impermanence,
...
}: let
name = "gitea-runner";
in {
microvm = {
autostart = [
name
];
vms = {
${name} = {
inherit pkgs;
config = {
imports =
[ agenix.nixosModules.default ] ++
[ impermanence.nixosModules.impermanence ] ++
[( ./gitea_runner.nix )];
[agenix.nixosModules.default]
++ [impermanence.nixosModules.impermanence]
++ [(./gitea_runner.nix)];
networking = {
hostName = "${name}";
firewall = {
enable = true;
allowedUDPPorts = [ ];
allowedTCPPorts = [ ];
allowedUDPPorts = [];
allowedTCPPorts = [];
};
};
systemd.network = {
@@ -40,9 +46,10 @@ in
};
};
users.users.${user} = { # System User
users.users.${user} = {
# System User
isNormalUser = true;
extraGroups = [ "wheel" ];
extraGroups = ["wheel"];
uid = 2000;
openssh.authorizedKeys.keys = [
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIANmaraVJ/o20c4dqVnGLp/wGck9QNHFPvO9jcEbKS29AAAABHNzaDo= kabbone@kabc"
@@ -64,14 +71,16 @@ in
path = "/persist/etc/ssh/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}];
}
];
};
};
fileSystems."/persist".neededForBoot = lib.mkForce true;
environment = {
systemPackages = with pkgs; [ # Default packages install system-wide
systemPackages = with pkgs; [
# Default packages install system-wide
bash
coreutils
curl
@@ -108,8 +117,10 @@ in
link = "ens18";
mode = "bridge";
};
} ];
shares = [{
}
];
shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
@@ -120,7 +131,8 @@ in
mountPoint = "/persist";
tag = "persist";
proto = "virtiofs";
}];
}
];
#writableStoreOverlay = "/nix/.rw-store";
#storeOnDisk = true;
};

5
modules/services/kabtopci/default.nix
View File

@@ -9,11 +9,10 @@
# └─ default.nix *
# └─ ...
#
[
# ./microvm.nix
# ./microvm.nix
./hydra.nix
]
# picom, polybar and sxhkd are pulled from desktop module
# redshift temporarely disables

11
modules/services/kabtopci/gitea_runner.nix
View File

@@ -1,15 +1,18 @@
{ lib, config, pkgs, ... }:
{
lib,
config,
pkgs,
...
}: {
virtualisation = {
podman ={
podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
};
containers.containersConf.settings = {
# podman seems to not work with systemd-resolved
containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ];
containers.dns_servers = ["8.8.8.8" "8.8.4.4"];
};
};

8
modules/services/kabtopci/hydra.nix
View File

@@ -1,6 +1,9 @@
{ lib, config, pkgs, ... }:
{
lib,
config,
pkgs,
...
}: {
services = {
hydra = {
enable = true;
@@ -78,5 +81,4 @@
file = ../../../secrets/keys/nixservepriv.age;
owner = "hydra";
};
}

46
modules/services/kabtopci/microvm.nix
View File

@@ -1,30 +1,36 @@
{ config, microvm, lib, pkgs, user, agenix, impermanence, ... }:
let
name = "gitea-runner";
in
{
config,
microvm,
lib,
pkgs,
user,
agenix,
impermanence,
...
}: let
name = "gitea-runner";
in {
microvm = {
autostart = [
name
];
vms = {
${name} = {
inherit pkgs;
config = {
imports =
[ agenix.nixosModules.default ] ++
[ impermanence.nixosModules.impermanence ] ++
[( ./gitea_runner.nix )];
[agenix.nixosModules.default]
++ [impermanence.nixosModules.impermanence]
++ [(./gitea_runner.nix)];
networking = {
hostName = "${name}";
firewall = {
enable = true;
allowedUDPPorts = [ ];
allowedTCPPorts = [ ];
allowedUDPPorts = [];
allowedTCPPorts = [];
};
};
systemd.network = {
@@ -40,9 +46,10 @@ in
};
};
users.users.${user} = { # System User
users.users.${user} = {
# System User
isNormalUser = true;
extraGroups = [ "wheel" ];
extraGroups = ["wheel"];
uid = 2000;
openssh.authorizedKeys.keys = [
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIANmaraVJ/o20c4dqVnGLp/wGck9QNHFPvO9jcEbKS29AAAABHNzaDo= kabbone@kabc"
@@ -64,14 +71,16 @@ in
path = "/persist/etc/ssh/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}];
}
];
};
};
fileSystems."/persist".neededForBoot = lib.mkForce true;
environment = {
systemPackages = with pkgs; [ # Default packages install system-wide
systemPackages = with pkgs; [
# Default packages install system-wide
bash
coreutils
curl
@@ -104,8 +113,10 @@ in
type = "user";
id = "vm-${name}";
mac = "04:00:00:00:00:02";
} ];
shares = [{
}
];
shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
@@ -116,7 +127,8 @@ in
mountPoint = "/persist";
tag = "persist";
proto = "virtiofs";
}];
}
];
#writableStoreOverlay = "/nix/.rw-store";
#storeOnDisk = true;
};

12
modules/services/keyring.nix
View File

@@ -1,14 +1,16 @@
#
# Screenshots
#
{ pkgs, user, ... }:
{
services = { # sxhkd shortcut = Printscreen button (Print)
pkgs,
user,
...
}: {
services = {
# sxhkd shortcut = Printscreen button (Print)
gnome-keyring = {
enable = true;
};
};
home.packages = with pkgs; [ gcr seahorse ];
home.packages = with pkgs; [gcr seahorse];
}

7
modules/services/kubemaster/default.nix
View File

@@ -9,11 +9,10 @@
# └─ default.nix *
# └─ ...
#
[
# ./microvm.nix
# ./hydra.nix
# ./microvm.nix
# ./hydra.nix
]
# picom, polybar and sxhkd are pulled from desktop module
# redshift temporarely disables

3
modules/services/nas/default.nix
View File

@@ -9,7 +9,6 @@
# └─ default.nix *
# └─ ...
#
[
./nfs.nix
./nginx.nix
@@ -17,6 +16,6 @@
./syncthing.nix
./paperless.nix
]
# picom, polybar and sxhkd are pulled from desktop module
# redshift temporarely disables

9
modules/services/nas/nfs.nix
View File

@@ -1,4 +1,9 @@
{config, pkgs, lib, ...}: {
{
config,
pkgs,
lib,
...
}: {
# enable nfs
services.nfs.server = rec {
enable = true;
@@ -12,7 +17,7 @@
# open the firewall
networking.firewall = {
interfaces.ens18 = {
allowedTCPPorts = [ 2049 ];
allowedTCPPorts = [2049];
};
};
}

18
modules/services/nas/nginx.nix
View File

@@ -1,10 +1,12 @@
#
# System notifications
#
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}: {
services.nginx = {
enable = true;
recommendedProxySettings = true;
@@ -57,12 +59,11 @@
};
};
security.acme = {
acceptTerms = true;
defaults = {
email = "webmaster@opel-online.de";
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
dnsResolver = "9.9.9.9:53";
};
certs = {
@@ -75,17 +76,16 @@
};
};
systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/mnt/Pluto/nix-cache" ];
systemd.services.nginx.serviceConfig.ReadWritePaths = ["/mnt/Pluto/nix-cache"];
networking.firewall = {
enable = true;
allowedUDPPorts = [ ];
allowedTCPPorts = [ 80 443 ];
allowedUDPPorts = [];
allowedTCPPorts = [80 443];
};
age.secrets."services/acme/opel-online" = {
file = ../../../secrets/services/acme/opel-online.age;
owner = "acme";
};
}

11
modules/services/nas/paperless.nix
View File

@@ -1,15 +1,17 @@
#
# System notifications
#
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}: {
services.paperless = {
enable = true;
domain = "paperless.home.opel-online.de";
passwordFile = config.age.secrets."services/paperless/pwFile".path;
# environmentFile = config.age.secrets."services/paperless/environment".path;
# environmentFile = config.age.secrets."services/paperless/environment".path;
configureTika = true;
settings = {
PAPERLESS_OCR_LANGUAGE = "deu+eng";
@@ -34,5 +36,4 @@
file = ../../../secrets/services/paperless/pwFile.age;
owner = "paperless";
};
}

18
modules/services/nas/syncthing.nix
View File

@@ -1,10 +1,12 @@
#
# System notifications
#
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}: {
services.syncthing = {
enable = true;
group = "users";
@@ -16,13 +18,14 @@
openDefaultPorts = true;
settings = {
devices = {
"hades.home.opel-online.de" = { id = "3VPCBVW-RH7XKFM-TWJGQHC-ZRAQ575-CQKGGKP-NAB4VXE-KCKJFUT-AMCUQQA"; };
"lifebook.home.opel-online.de" = { id = "RKPZG3H-BDUZID3-DV26MKR-UOARIQC-JBCAFXP-J5QFM4H-5EGBSM5-VEGXHQ4"; };
"hades.home.opel-online.de" = {id = "3VPCBVW-RH7XKFM-TWJGQHC-ZRAQ575-CQKGGKP-NAB4VXE-KCKJFUT-AMCUQQA";};
"lifebook.home.opel-online.de" = {id = "RKPZG3H-BDUZID3-DV26MKR-UOARIQC-JBCAFXP-J5QFM4H-5EGBSM5-VEGXHQ4";};
};
folders = {
"Sync" = { # Name of folder in Syncthing, also the folder ID
"Sync" = {
# Name of folder in Syncthing, also the folder ID
path = "/mnt/Mars/${config.services.syncthing.user}/Sync"; # Which folder to add to Syncthing
devices = [ "hades.home.opel-online.de" "lifebook.home.opel-online.de" ]; # Which devices to share the folder with
devices = ["hades.home.opel-online.de" "lifebook.home.opel-online.de"]; # Which devices to share the folder with
ignorePerms = false; # By default, Syncthing doesn't sync file permissions. This line enables it for this folder.
};
};
@@ -49,5 +52,4 @@
};
};
};
}

9
modules/services/nas/vaultwarden.nix
View File

@@ -1,10 +1,12 @@
#
# System notifications
#
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}: {
services.vaultwarden = {
enable = true;
dbBackend = "sqlite";
@@ -34,5 +36,4 @@
file = ../../../secrets/services/vaultwarden/environment.age;
owner = "vaultwarden";
};
}

5
modules/services/nasbackup/default.nix
View File

@@ -9,10 +9,9 @@
# └─ default.nix *
# └─ ...
#
[
# ./nfs.nix
# ./nfs.nix
]
# picom, polybar and sxhkd are pulled from desktop module
# redshift temporarely disables

3
modules/services/printer/default.nix
View File

@@ -9,10 +9,9 @@
# └─ default.nix *
# └─ ...
#
[
./klipper.nix
]
# picom, polybar and sxhkd are pulled from desktop module
# redshift temporarely disables

86
modules/services/printer/klipper.nix
View File

@@ -1,6 +1,9 @@
{ lib, config, pkgs, ... }:
{
lib,
config,
pkgs,
...
}: {
environment = {
systemPackages = with pkgs; [
klipperscreen
@@ -57,45 +60,44 @@
};
};
# nginx = {
# enable = true;
# recommendedProxySettings = true;
# recommendedTlsSettings = true;
# recommendedGzipSettings = true;
# recommendedOptimisation = true;
# virtualHosts = {
# "ci.kabtop.de" = {
# enableACME = true;
# forceSSL = true;
# default = true;
# locations."/".return = "503";
# };
# "hydra.ci.kabtop.de" = {
# enableACME = true;
# forceSSL = true;
# locations."/" = {
# proxyPass = "http://localhost:3000";
# extraConfig = ''
# proxy_set_header X-Forwarded-Port 443;
# '';
# };
# };
# "cache.ci.kabtop.de" = {
# enableACME = true;
# forceSSL = true;
# locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
# };
# };
# };
# };
#
# security.acme = {
# acceptTerms = true;
# defaults = {
# email = "webmaster@kabtop.de";
# webroot = "/var/lib/acme/acme-challenge";
# #server = "https://acme-staging-v02.api.letsencrypt.org/directory";
# };
# nginx = {
# enable = true;
# recommendedProxySettings = true;
# recommendedTlsSettings = true;
# recommendedGzipSettings = true;
# recommendedOptimisation = true;
# virtualHosts = {
# "ci.kabtop.de" = {
# enableACME = true;
# forceSSL = true;
# default = true;
# locations."/".return = "503";
# };
# "hydra.ci.kabtop.de" = {
# enableACME = true;
# forceSSL = true;
# locations."/" = {
# proxyPass = "http://localhost:3000";
# extraConfig = ''
# proxy_set_header X-Forwarded-Port 443;
# '';
# };
# };
# "cache.ci.kabtop.de" = {
# enableACME = true;
# forceSSL = true;
# locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
# };
# };
# };
# };
#
# security.acme = {
# acceptTerms = true;
# defaults = {
# email = "webmaster@kabtop.de";
# webroot = "/var/lib/acme/acme-challenge";
# #server = "https://acme-staging-v02.api.letsencrypt.org/directory";
# };
};
}

16
modules/services/printer/nginx.nix
View File

@@ -1,10 +1,12 @@
#
# System notifications
#
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}: {
services.nginx = {
enable = true;
recommendedProxySettings = true;
@@ -21,12 +23,11 @@
};
};
security.acme = {
acceptTerms = true;
defaults = {
email = "webmaster@opel-online.de";
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
dnsResolver = "9.9.9.9:53";
};
certs = {
@@ -41,13 +42,12 @@
networking.firewall = {
enable = true;
allowedUDPPorts = [ ];
allowedTCPPorts = [ 80 443 ];
allowedUDPPorts = [];
allowedTCPPorts = [80 443];
};
age.secrets."services/acme/opel-online" = {
file = ../../../secrets/services/acme/opel-online.age;
owner = "acme";
};
}

24
modules/services/server/coturn.nix
View File

@@ -1,4 +1,9 @@
{config, pkgs, lib, ...}: {
{
config,
pkgs,
lib,
...
}: {
# enable coturn
services.coturn = rec {
enable = true;
@@ -43,21 +48,24 @@
# open the firewall
networking.firewall = {
interfaces.ens18 = let
range = with config.services.coturn; [ {
range = with config.services.coturn; [
{
from = min-port;
to = max-port;
} ];
in
{
}
];
in {
allowedUDPPortRanges = range;
allowedUDPPorts = [ 3478 ];
allowedUDPPorts = [3478];
allowedTCPPortRanges = range;
allowedTCPPorts = [ 3478 5349 ];
allowedTCPPorts = [3478 5349];
};
};
# get a certificate
security.acme.certs.${config.services.coturn.realm} = {
/* insert here the right configuration to obtain a certificate */
/*
insert here the right configuration to obtain a certificate
*/
postRun = "systemctl restart coturn.service";
group = "turnserver";
};

5
modules/services/server/default.nix
View File

@@ -9,7 +9,6 @@
# └─ default.nix *
# └─ ...
#
[
./postgresql.nix
./gitea.nix
@@ -19,8 +18,8 @@
./coturn.nix
./hydra.nix
./mealie.nix
# ./ollama.nix
# ./ollama.nix
]
# picom, polybar and sxhkd are pulled from desktop module
# redshift temporarely disables

30
modules/services/server/gitea.nix
View File

@@ -1,10 +1,12 @@
#
# System notifications
#
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}: {
services.gitea = {
enable = true;
dump.enable = false;
@@ -33,10 +35,10 @@
PASSWORD_CHECK_PWN = true;
PASSWORD_HASH_ALGO = "argon2";
};
# oauth2 = {
# ENABLE = true;
# #JWT_SECRET = "secret123";
# };
# oauth2 = {
# ENABLE = true;
# #JWT_SECRET = "secret123";
# };
repository = {
MAX_CREATION_LIMIT = 100;
};
@@ -44,13 +46,13 @@
SHOW_USER_EMAIL = false;
DEFAULT_THEME = "gitea-dark";
};
# openid = {
# ENABLE_OPENID_SIGNIN = true;
# WHITELISTED_URIS = "https://auth.kabtop.de";
# };
# oauth2_client = {
# ENABLE_AUTO_REGISTRATION = true;
# };
# openid = {
# ENABLE_OPENID_SIGNIN = true;
# WHITELISTED_URIS = "https://auth.kabtop.de";
# };
# oauth2_client = {
# ENABLE_AUTO_REGISTRATION = true;
# };
time = {
DEFAULT_UI_LOCATION = "Europe/Berlin";
};

11
modules/services/server/gitea_runner.nix
View File

@@ -1,15 +1,18 @@
{ lib, config, pkgs, ... }:
{
lib,
config,
pkgs,
...
}: {
virtualisation = {
podman ={
podman = {
enable = true;
autoPrune.enable = true;
dockerCompat = true;
};
containers.containersConf.settings = {
# podman seems to not work with systemd-resolved
containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ];
containers.dns_servers = ["8.8.8.8" "8.8.4.4"];
};
};

8
modules/services/server/hydra.nix
View File

@@ -1,6 +1,9 @@
{ lib, config, pkgs, ... }:
{
lib,
config,
pkgs,
...
}: {
services = {
hydra = {
enable = true;
@@ -73,5 +76,4 @@
file = ../../../secrets/keys/nixservepriv.age;
owner = "hydra";
};
}

6
modules/services/server/jitsi.nix
View File

@@ -1,6 +1,8 @@
{ config, pkgs, ... }:
{
config,
pkgs,
...
}: {
services.jitsi-meet = {
enable = true;
hostName = "meet.kabtop.de";

49
modules/services/server/matrix.nix
View File

@@ -1,10 +1,12 @@
#
# System notifications
#
{ config, lib, pkgs, ... }:
let
{
config,
lib,
pkgs,
...
}: let
fqdn = "matrix.${config.networking.domain}";
clientConfig = {
"m.homeserver".base_url = "https://${fqdn}";
@@ -41,20 +43,20 @@ in {
return 404;
'';
};
# "element.${config.networking.domain}" = {
# enableACME = true;
# forceSSL = true;
#
# root = pkgs.element-web.override {
# conf = {
# default_server_config = clientConfig;
# };
# };
# };
# "element.${config.networking.domain}" = {
# enableACME = true;
# forceSSL = true;
#
# root = pkgs.element-web.override {
# conf = {
# default_server_config = clientConfig;
# };
# };
# };
};
};
imports = [ ../../kabbone/mautrix-whatsapp.nix ];
imports = [../../kabbone/mautrix-whatsapp.nix];
services.matrix-synapse = {
enable = true;
@@ -62,14 +64,21 @@ in {
server_name = config.networking.domain;
public_baseurl = "https://matrix.${config.networking.domain}";
listeners = [
{ port = 8008;
bind_addresses = [ "::1" ];
{
port = 8008;
bind_addresses = ["::1"];
type = "http";
tls = false;
x_forwarded = true;
resources = [
{ names = [ "client" ]; compress = true; }
{ names = [ "federation" ]; compress = false; }
{
names = ["client"];
compress = true;
}
{
names = ["federation"];
compress = false;
}
];
}
];
@@ -81,7 +90,7 @@ in {
systemd.services = {
matrix-synapse = {
requires = [ "postgresql.service" ];
requires = ["postgresql.service"];
};
};

8
modules/services/server/mealie.nix
View File

@@ -1,7 +1,8 @@
{ config, pkgs, ... }:
{
config,
pkgs,
...
}: {
services.mealie = {
enable = true;
listenAddress = "127.0.0.1";
@@ -32,5 +33,4 @@
security.acme.defaults.email = "webmaster@kabtop.de";
security.acme.defaults.webroot = "/var/lib/acme/acme-challenge";
security.acme.acceptTerms = true;
}

46
modules/services/server/microvm.nix
View File

@@ -1,30 +1,36 @@
{ config, microvm, lib, pkgs, user, agenix, impermanence, ... }:
let
name = "gitea-runner";
in
{
config,
microvm,
lib,
pkgs,
user,
agenix,
impermanence,
...
}: let
name = "gitea-runner";
in {
microvm = {
autostart = [
name
];
vms = {
${name} = {
inherit pkgs;
config = {
imports =
[ agenix.nixosModules.default ] ++
[ impermanence.nixosModules.impermanence ] ++
[( ./gitea_runner.nix )];
[agenix.nixosModules.default]
++ [impermanence.nixosModules.impermanence]
++ [(./gitea_runner.nix)];
networking = {
hostName = "${name}";
firewall = {
enable = true;
allowedUDPPorts = [ ];
allowedTCPPorts = [ ];
allowedUDPPorts = [];
allowedTCPPorts = [];
};
};
systemd.network = {
@@ -40,9 +46,10 @@ in
};
};
users.users.${user} = { # System User
users.users.${user} = {
# System User
isNormalUser = true;
extraGroups = [ "wheel" ];
extraGroups = ["wheel"];
uid = 2000;
openssh.authorizedKeys.keys = [
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIANmaraVJ/o20c4dqVnGLp/wGck9QNHFPvO9jcEbKS29AAAABHNzaDo= kabbone@kabc"
@@ -64,14 +71,16 @@ in
path = "/persist/etc/ssh/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}];
}
];
};
};
fileSystems."/persist".neededForBoot = lib.mkForce true;
environment = {
systemPackages = with pkgs; [ # Default packages install system-wide
systemPackages = with pkgs; [
# Default packages install system-wide
bash
coreutils
curl
@@ -104,8 +113,10 @@ in
type = "user";
id = "vm-${name}";
mac = "04:00:00:00:00:01";
} ];
shares = [{
}
];
shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
@@ -116,7 +127,8 @@ in
mountPoint = "/persist";
tag = "persist";
proto = "virtiofs";
}];
}
];
#writableStoreOverlay = "/nix/.rw-store";
#storeOnDisk = true;
};

7
modules/services/server/nextcloud.nix
View File

@@ -1,6 +1,8 @@
{ config, pkgs, ... }:
{
config,
pkgs,
...
}: {
services.nextcloud = {
enable = true;
hostName = "cloud.kabtop.de";
@@ -95,5 +97,4 @@
security.acme.defaults.email = "webmaster@kabtop.de";
security.acme.defaults.webroot = "/var/lib/acme/acme-challenge";
security.acme.acceptTerms = true;
}

13
modules/services/server/ollama.nix
View File

@@ -1,9 +1,10 @@
{ config, pkgs, ... }:
let
ollamahostname = "llm.kabtop.de";
in
{
config,
pkgs,
...
}: let
ollamahostname = "llm.kabtop.de";
in {
virtualisation.oci-containers.containers."open-webui" = {
autoStart = true;
image = "ghcr.io/open-webui/open-webui:ollama";
@@ -11,7 +12,7 @@ in
"/var/lib/open-webui:/app/backend/data"
];
hostname = "open-webui";
ports = [ "8081:8080" ];
ports = ["8081:8080"];
};
services = {

11
modules/services/server/postgresql.nix
View File

@@ -1,11 +1,13 @@
#
# System notifications
#
{ config, lib, pkgs, ... }:
{
# imports = [ ./postgresql_upgrade.nix ];
config,
lib,
pkgs,
...
}: {
# imports = [ ./postgresql_upgrade.nix ];
services.postgresql = {
enable = true;
package = pkgs.postgresql_16;
@@ -50,5 +52,4 @@
file = ../../../secrets/services/postgresql/initScript.age;
owner = "postgres";
};
}

9
modules/services/server/postgresql_upgrade.nix
View File

@@ -1,5 +1,9 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}: {
environment.systemPackages = [
(let
# XXX specify the postgresql package you'd like to upgrade to.
@@ -8,7 +12,8 @@
# pp.plv8
]);
cfg = config.services.postgresql;
in pkgs.writeScriptBin "upgrade-pg-cluster" ''
in
pkgs.writeScriptBin "upgrade-pg-cluster" ''
set -eux
# XXX it's perhaps advisable to stop all services that depend on postgresql
systemctl stop postgresql

67
modules/services/server/woodpecker.nix
View File

@@ -1,11 +1,14 @@
#
# CI/CD Woodpecker
#
{ config, lib, pkgs, ... }:
{
environment.systemPackages = with pkgs; [ # Default packages install system-wide
config,
lib,
pkgs,
...
}: {
environment.systemPackages = with pkgs; [
# Default packages install system-wide
woodpecker-server
woodpecker-cli
];
@@ -28,35 +31,35 @@
systemd.services = {
woodpecker-server = {
description = "CI/CD Pipeline Server";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "postgresql.service" ];
requires = [ "postgresql.service" ];
wantedBy = ["multi-user.target"];
after = ["network.target" "postgresql.service"];
requires = ["postgresql.service"];
script = "${pkgs.woodpecker-server}/bin/woodpecker-server";
serviceConfig = {
User="woodpecker";
Group="woodpecker";
Environment="HOME=/var/lib/woodpecker";
EnvironmentFile=config.age.secrets."services/woodpecker/environment".path;
ReadWritePaths="/var/lib/woodpecker /var/log/woodpecker";
NoNewPrivileges=true;
MemoryDenyWriteExecute=true;
PrivateDevices=true;
PrivateTmp=true;
ProtectHome=true;
ProtectSystem="strict";
ProtectControlGroups=true;
RestrictSUIDSGID=true;
RestrictRealtime=true;
LockPersonality=true;
ProtectKernelLogs=true;
ProtectKernelTunables=true;
ProtectHostname=true;
ProtectKernelModules=true;
PrivateUsers=true;
ProtectClock=true;
SystemCallArchitectures="native";
SystemCallErrorNumber="EPERM";
SystemCallFilter="@system-service";
User = "woodpecker";
Group = "woodpecker";
Environment = "HOME=/var/lib/woodpecker";
EnvironmentFile = config.age.secrets."services/woodpecker/environment".path;
ReadWritePaths = "/var/lib/woodpecker /var/log/woodpecker";
NoNewPrivileges = true;
MemoryDenyWriteExecute = true;
PrivateDevices = true;
PrivateTmp = true;
ProtectHome = true;
ProtectSystem = "strict";
ProtectControlGroups = true;
RestrictSUIDSGID = true;
RestrictRealtime = true;
LockPersonality = true;
ProtectKernelLogs = true;
ProtectKernelTunables = true;
ProtectHostname = true;
ProtectKernelModules = true;
PrivateUsers = true;
ProtectClock = true;
SystemCallArchitectures = "native";
SystemCallErrorNumber = "EPERM";
SystemCallFilter = "@system-service";
};
};
};
@@ -84,6 +87,4 @@
file = ../../../secrets/services/woodpecker/environment.age;
owner = "woodpecker";
};
}

1
modules/shell/default.nix
View File

@@ -9,7 +9,6 @@
# └─ default.nix *
# └─ ...
#
[
./git.nix
./tmux.nix

25
modules/shell/tmux.nix
View File

@@ -1,10 +1,7 @@
#
# Tmux
#
{ pkgs, ... }:
{
{pkgs, ...}: {
programs = {
tmux = {
enable = true;
@@ -19,22 +16,22 @@
plugins = with pkgs.tmuxPlugins; [
yank
sidebar
# {
# {
# plugin = dracula;
# extraConfig = "
# set -g @dracula-show-powerline true
# set -g @dracula-plugins 'git cpu-usage ram-usage battery time'
# set -g @dracula-border-contrast true
# ";
# plugin = catppuccin;
# extraConfig = "
# set -g @catppuccin_flavour 'macchiato'
# set -g @catppuccin_window_tabs_enabled 'on'
# set -g @catppuccin_host 'on'
# set -g @catppuccin_user 'on'
# set -g @catppuccin_date_time '%Y-%m-%d %H:%M'
# ";
# }
# plugin = catppuccin;
# extraConfig = "
# set -g @catppuccin_flavour 'macchiato'
# set -g @catppuccin_window_tabs_enabled 'on'
# set -g @catppuccin_host 'on'
# set -g @catppuccin_user 'on'
# set -g @catppuccin_date_time '%Y-%m-%d %H:%M'
# ";
# }
];
extraConfig = ''
set -g mouse on

14
modules/shell/zsh.nix
View File

@@ -1,10 +1,7 @@
#
# Shell
#
{ pkgs, ... }:
{
{pkgs, ...}: {
programs = {
zsh = {
enable = true;
@@ -12,9 +9,10 @@
syntaxHighlighting.enable = true;
history.size = 10000;
oh-my-zsh = { # Extra plugins for zsh
oh-my-zsh = {
# Extra plugins for zsh
enable = true;
plugins = [ "git" ];
plugins = ["git"];
#custom = "$HOME/.config/zsh_nix/custom";
};
@@ -27,9 +25,9 @@
# Spaceship
source ${pkgs.spaceship-prompt}/share/zsh/site-functions/prompt_spaceship_setup
autoload -U promptinit; promptinit
# source $HOME/.config/shell/shell_init
# source $HOME/.config/shell/shell_init
# Hook direnv
# emulate zsh -c "$(direnv hook zsh)"
# emulate zsh -c "$(direnv hook zsh)"
# Swag
pfetch # Show fetch logo on terminal start
eval "$(direnv hook zsh)"

23
modules/wm/default.nix
View File

@@ -1,6 +1,10 @@
{ pkgs, lib, config, ... }:
with lib;
{
pkgs,
lib,
config,
...
}:
with lib; {
# NOTE: Dynamic imports based on option values are not supported in NixOS modules.
# To conditionally load a WM, either import all WM modules and use mkIf in each,
# or select the WM module directly in the host configuration.
@@ -8,9 +12,18 @@ with lib;
options = {
desktop = {
wm = mkOption { type = types.str; default = "sway"; };
taskbar = mkOption { type = types.str; default = "waybar"; };
launcher = mkOption { type = types.str; default = "bemenu"; };
wm = mkOption {
type = types.str;
default = "sway";
};
taskbar = mkOption {
type = types.str;
default = "waybar";
};
launcher = mkOption {
type = types.str;
default = "bemenu";
};
};
};
}

8
modules/wm/kde/home.nix
View File

@@ -10,8 +10,10 @@
# └─ ./gnome
# └─ home.nix *
#
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}: {
}

29
modules/wm/niri/home.nix
View File

@@ -10,10 +10,12 @@
# └─ ./sway
# └─ home.nix *
#
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}: {
programs = {
swaylock = {
enable = true;
@@ -30,12 +32,24 @@
swayidle = {
enable = true;
events = [
{ event = "before-sleep"; command = "${pkgs.swaylock}/bin/swaylock"; }
{ event = "lock"; command = "${pkgs.swaylock}/bin/swaylock -fF"; }
{
event = "before-sleep";
command = "${pkgs.swaylock}/bin/swaylock";
}
{
event = "lock";
command = "${pkgs.swaylock}/bin/swaylock -fF";
}
];
timeouts = [
{ timeout = 300; command = "${pkgs.swaylock}/bin/swaylock -fF"; }
{ timeout = 600; command = "${pkgs.niri}/bin/niri msg action power-off-monitors"; }
{
timeout = 300;
command = "${pkgs.swaylock}/bin/swaylock -fF";
}
{
timeout = 600;
command = "${pkgs.niri}/bin/niri msg action power-off-monitors";
}
];
};
};
@@ -43,5 +57,4 @@
xdg.configFile = {
"niri/config.kdl".source = ./config.kdl;
};
}

Some files were not shown because too many files have changed in this diff Show More