From 52554d4f92feeaadc3f9413c55d1af6373298dc2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leon=20Schwarz=C3=A4ugl?=
Date: Sun, 1 Feb 2026 22:18:01 +0100
Subject: [PATCH] chore: update flake

---
 .github/README.md | 4 +-
 SwarselSystems.org | 1549 +++++++++--------
 flake.lock | 297 ++--
 flake.nix | 15 +-
 .../summers/guests/transmission/default.nix | 1 +
 .../summers/secrets/transmission/secrets.yaml | 5 +-
 modules/home/common/swayidle.nix | 8 +-
 modules/home/common/vesktop-tray.nix | 2 +-
 modules/home/common/zsh.nix | 13 +-
 modules/nixos/client/nautilus.nix | 10 +
 modules/nixos/optional/microvm-guest.nix | 3 +-
 modules/nixos/server/adguardhome.nix | 2 +-
 modules/nixos/server/bastion.nix | 6 +-
 modules/nixos/server/kanidm.nix | 94 +-
 modules/nixos/server/koillection.nix | 4 +-
 modules/nixos/server/mailserver.nix | 12 +-
 modules/nixos/server/matrix.nix | 10 +-
 modules/nixos/server/microbin.nix | 1 +
 modules/nixos/server/mpd.nix | 10 +-
 modules/nixos/server/shlink.nix | 14 +-
 modules/nixos/server/slink.nix | 14 +-
 modules/nixos/server/ssh-builder.nix | 3 +-
 modules/nixos/server/transmission.nix | 16 +
 modules/shared/config-lib.nix | 2 +
 nix/hosts.nix | 1 +
 nix/topology.nix | 2 +-
 profiles/home/dgxspark/default.nix | 37 -
 profiles/nixos/personal/default.nix | 1 +
 28 files changed, 1111 insertions(+), 1025 deletions(-)
 create mode 100644 modules/nixos/client/nautilus.nix

diff --git a/.github/README.md b/.github/README.md
index 06f1f98..bc87ee8 100644
--- a/.github/README.md
+++ b/.github/README.md
@@ -135,7 +135,7 @@ |πŸ“Ό **Videos** | [Jellyfin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/jellyfin.nix) | |🎡 **Music** | [Navidrome](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/navidrome.nix) + [Spotifyd](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/spotifyd.nix) + [MPD](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/mpd.nix) | |πŸ—¨οΈ **Messaging** | [Matrix](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/matrix.nix) | - |πŸ“ **Filesharing** | [Nectcloud](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/nextcloud.nix) | + |πŸ“ **Filesharing** | [Nextcloud](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/nextcloud.nix) | |🎞️ **Photos** | [Immich](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/immich.nix) | |πŸ“„ **Documents** | [Paperless](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/paperless.nix) | |πŸ”„ **File Sync** | [Syncthing](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/syncthing.nix) | 
@@ -156,7 +156,7 @@ |⛏️ **Minecraft** | [Minecraft](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/minecraft.nix) | |☁️ **S3** | [Garage](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/garage.nix) | |πŸ•ΈοΈ **Nix Binary Cache** | [Attic](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/attic.nix) | - |πŸ™ **Nix Build farm** | [Attic](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/hydra.nix) | + |πŸ™ **Nix Build farm** | [Hydra](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/hydra.nix) | |πŸ”‘ **Cert-based SSH** | [OPKSSH](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/opkssh.nix) | |πŸ”¨ **Home Asset Management**| [Homebox](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/homebox.nix) | |πŸ‘€ **DNS Records** | [NSD](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/nsd.nix) | diff --git a/SwarselSystems.org b/SwarselSystems.org index 7fb59b1..3ddd0e3 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org 
@@ -359,7 +359,7 @@ This is a comprehensive list of the services/components ran by my server machine |πŸ“Ό **Videos** | [Jellyfin](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/jellyfin.nix) | |🎡 **Music** | [Navidrome](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/navidrome.nix) + [Spotifyd](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/spotifyd.nix) + [MPD](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/mpd.nix) | |πŸ—¨οΈ **Messaging** | [Matrix](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/matrix.nix) | - |πŸ“ **Filesharing** | [Nectcloud](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/nextcloud.nix) | + |πŸ“ **Filesharing** | [Nextcloud](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/nextcloud.nix) | |🎞️ **Photos** | [Immich](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/immich.nix) | |πŸ“„ **Documents** | [Paperless](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/paperless.nix) | |πŸ”„ **File Sync** | [Syncthing](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/syncthing.nix) | 
@@ -380,7 +380,7 @@ This is a comprehensive list of the services/components ran by my server machine |⛏️ **Minecraft** | [Minecraft](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/minecraft.nix) | |☁️ **S3** | [Garage](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/garage.nix) | |πŸ•ΈοΈ **Nix Binary Cache** | [Attic](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/attic.nix) | - |πŸ™ **Nix Build farm** | [Attic](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/hydra.nix) | + |πŸ™ **Nix Build farm** | [Hydra](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/hydra.nix) | |πŸ”‘ **Cert-based SSH** | [OPKSSH](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/opkssh.nix) | |πŸ”¨ **Home Asset Management**| [Homebox](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/homebox.nix) | |πŸ‘€ **DNS Records** | [NSD](https://github.com/Swarsel/.dotfiles/tree/main/modules/nixos/server/nsd.nix) | @@ -1737,13 +1737,22 @@ A short overview over each input and what it does: home-manager = { url = "github:nix-community/home-manager"; - # url = "github:Swarsel/home-manager/main"; inputs.nixpkgs.follows = "nixpkgs"; }; nix-index-database = { url = "github:nix-community/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; }; + dns = { + url = "github:kirelagin/dns.nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + nixos-generators = { + url = "github:nix-community/nixos-generators"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + topologyPrivate.url = "./files/topology/public"; # emacs-overlay.url = "github:nix-community/emacs-overlay"; emacs-overlay.url = "github:nix-community/emacs-overlay/aba8daa237dc07a3bb28a61c252a718e8eb38057?narHash=sha256-4OXXccXsY1sBXTXjYIthdjXLAotozSh4F8StGRuLyMQ%3D"; 
@@ -1755,7 +1764,6 @@ A short overview over each input and what it does: sops.url = "github:Mic92/sops-nix"; lanzaboote.url = "github:nix-community/lanzaboote"; nix-on-droid.url = "github:nix-community/nix-on-droid/release-24.05"; - nixos-generators.url = "github:nix-community/nixos-generators"; nixos-images.url = "github:Swarsel/nixos-images/main"; nixos-hardware.url = "github:NixOS/nixos-hardware/master"; nswitch-rcm-nix.url = "github:Swarsel/nswitch-rcm-nix"; @@ -1773,11 +1781,10 @@ A short overview over each input and what it does: nixos-extra-modules.url = "github:oddlama/nixos-extra-modules/main"; microvm.url = "github:astro/microvm.nix"; treefmt-nix.url = "github:numtide/treefmt-nix"; - dns.url = "github:kirelagin/dns.nix"; nix-minecraft.url = "github:Infinidoge/nix-minecraft"; simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master"; nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall"; - topologyPrivate.url = "./files/topology/public"; + pia.url = "github:Swarsel/pia.nix/custom"; }; outputs = 
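Review bot: The new `pia` input added at the end of the second hunk on this line tracks a mutable branch ref (`github:Swarsel/pia.nix/custom`) and, unlike the `dns` and `nixos-generators` entries this commit reworks into blocks with `inputs.nixpkgs.follows = "nixpkgs"`, it gets no follows. Because the hosts.nix hunk below wires `inputs.pia.nixosModules.default` into every NixOS host and the module is handed VPN credentials, a second nixpkgs instance and an unreviewed branch move on the next `nix flake update` are both worth avoiding here; if pia.nix declares a nixpkgs input, write it as `pia = { url = "github:Swarsel/pia.nix/custom"; inputs.nixpkgs.follows = "nixpkgs"; };`. Pinning to a commit the way `emacs-overlay` is pinned above would also make the lock change reviewable rather than implicit. The enclosing `inputs` attribute set starts before this hunk.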
@@ -2244,217 +2251,218 @@ The rest of the functions are used to build full NixOS systems as well as halfCo - =ConfigurationsPerArch= does the same for full NixOS systems (NixOS or darwin). These can further be specialized by passing in the corresponding =minimal= arg that is used during bootstrapping. #+begin_src nix-ts :tangle nix/hosts.nix - { self, inputs, ... }: - { - flake = { config, ... }: - let - inherit (self) outputs; - inherit (outputs) lib homeLib; - # lib = (inputs.nixpkgs.lib // inputs.home-manager.lib).extend (_: _: { swarselsystems = import "${self}/lib" { inherit self lib inputs outputs; inherit (inputs) systems; }; }); + { self, inputs, ... }: + { + flake = { config, ... }: + let + inherit (self) outputs; + inherit (outputs) lib homeLib; + # lib = (inputs.nixpkgs.lib // inputs.home-manager.lib).extend (_: _: { swarselsystems = import "${self}/lib" { inherit self lib inputs outputs; inherit (inputs) systems; }; }); - mkNixosHost = { minimal }: configName: arch: - inputs.nixpkgs.lib.nixosSystem { - specialArgs = { - inherit inputs outputs self minimal homeLib configName arch; - inherit (config.pkgs.${arch}) lib; - inherit (config) nodes topologyPrivate; - globals = config.globals.${arch}; - type = "nixos"; - withHomeManager = true; - extraModules = [ "${self}/modules/nixos/common/globals.nix" ]; - }; - modules = [ - inputs.disko.nixosModules.disko - inputs.home-manager.nixosModules.home-manager - inputs.impermanence.nixosModules.impermanence - inputs.lanzaboote.nixosModules.lanzaboote - inputs.microvm.nixosModules.host - inputs.microvm.nixosModules.microvm - inputs.nix-index-database.nixosModules.nix-index - inputs.nix-minecraft.nixosModules.minecraft-servers - inputs.nix-topology.nixosModules.default - inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm - inputs.simple-nixos-mailserver.nixosModules.default - inputs.sops.nixosModules.sops - inputs.stylix.nixosModules.stylix - inputs.swarsel-nix.nixosModules.default - 
inputs.nixos-nftables-firewall.nixosModules.default - (inputs.nixos-extra-modules + "/modules/guests") - (inputs.nixos-extra-modules + "/modules/interface-naming.nix") - "${self}/hosts/nixos/${arch}/${configName}" - "${self}/profiles/nixos" - "${self}/modules/nixos" - { - _module.args.dns = inputs.dns; + mkNixosHost = { minimal }: configName: arch: + inputs.nixpkgs.lib.nixosSystem { + specialArgs = { + inherit inputs outputs self minimal homeLib configName arch; + inherit (config.pkgs.${arch}) lib; + inherit (config) nodes topologyPrivate; + globals = config.globals.${arch}; + type = "nixos"; + withHomeManager = true; + extraModules = [ "${self}/modules/nixos/common/globals.nix" ]; + }; + modules = [ + inputs.disko.nixosModules.disko + inputs.home-manager.nixosModules.home-manager + inputs.impermanence.nixosModules.impermanence + inputs.lanzaboote.nixosModules.lanzaboote + inputs.microvm.nixosModules.host + inputs.microvm.nixosModules.microvm + inputs.nix-index-database.nixosModules.nix-index + inputs.nix-minecraft.nixosModules.minecraft-servers + inputs.nix-topology.nixosModules.default + inputs.nswitch-rcm-nix.nixosModules.nswitch-rcm + inputs.simple-nixos-mailserver.nixosModules.default + inputs.sops.nixosModules.sops + inputs.stylix.nixosModules.stylix + inputs.swarsel-nix.nixosModules.default + inputs.nixos-nftables-firewall.nixosModules.default + inputs.pia.nixosModules.default + (inputs.nixos-extra-modules + "/modules/guests") + (inputs.nixos-extra-modules + "/modules/interface-naming.nix") + "${self}/hosts/nixos/${arch}/${configName}" + "${self}/profiles/nixos" + "${self}/modules/nixos" + { + _module.args.dns = inputs.dns; - microvm.guest.enable = lib.mkDefault false; + microvm.guest.enable = lib.mkDefault false; - networking.hostName = lib.swarselsystems.mkStrong configName; + networking.hostName = lib.swarselsystems.mkStrong configName; - node = { - name = lib.mkForce configName; - arch = lib.mkForce arch; - type = lib.mkForce "nixos"; - secretsDir = 
../hosts/nixos/${arch}/${configName}/secrets; - configDir = ../hosts/nixos/${arch}/${configName}; - lockFromBootstrapping = lib.mkIf (!minimal) (lib.swarselsystems.mkStrong true); - }; + node = { + name = lib.mkForce configName; + arch = lib.mkForce arch; + type = lib.mkForce "nixos"; + secretsDir = ../hosts/nixos/${arch}/${configName}/secrets; + configDir = ../hosts/nixos/${arch}/${configName}; + lockFromBootstrapping = lib.mkIf (!minimal) (lib.swarselsystems.mkStrong true); + }; - swarselprofiles = { - minimal = lib.mkIf minimal (lib.swarselsystems.mkStrong true); - }; + swarselprofiles = { + minimal = lib.mkIf minimal (lib.swarselsystems.mkStrong true); + }; - swarselmodules.server = { - ssh = lib.mkIf (!minimal) (lib.swarselsystems.mkStrong true); - }; + swarselmodules.server = { + ssh = lib.mkIf (!minimal) (lib.swarselsystems.mkStrong true); + }; - swarselsystems = { - mainUser = lib.swarselsystems.mkStrong "swarsel"; - }; - } - ]; - }; + swarselsystems = { + mainUser = lib.swarselsystems.mkStrong "swarsel"; + }; + } + ]; + }; - mkDarwinHost = { minimal }: configName: arch: - inputs.nix-darwin.lib.darwinSystem { - specialArgs = { - inherit inputs lib outputs self minimal configName; - inherit (config) nodes topologyPrivate; - withHomeManager = true; - globals = config.globals.${arch}; - }; - modules = [ - # inputs.disko.nixosModules.disko - # inputs.sops.nixosModules.sops - # inputs.impermanence.nixosModules.impermanence - # inputs.lanzaboote.nixosModules.lanzaboote - # inputs.fw-fanctrl.nixosModules.default - # inputs.nix-topology.nixosModules.default - inputs.home-manager.darwinModules.home-manager - "${self}/hosts/darwin/${arch}/${configName}" - "${self}/modules/nixos/darwin" - # needed for infrastructure - "${self}/modules/shared/meta.nix" - "${self}/modules/nixos/common/globals.nix" - { - node = { - name = lib.mkForce configName; - arch = lib.mkForce arch; - type = lib.mkForce "darwin"; - secretsDir = ../hosts/darwin/${arch}/${configName}/secrets; - }; - 
} - ]; - }; + mkDarwinHost = { minimal }: configName: arch: + inputs.nix-darwin.lib.darwinSystem { + specialArgs = { + inherit inputs lib outputs self minimal configName; + inherit (config) nodes topologyPrivate; + withHomeManager = true; + globals = config.globals.${arch}; + }; + modules = [ + # inputs.disko.nixosModules.disko + # inputs.sops.nixosModules.sops + # inputs.impermanence.nixosModules.impermanence + # inputs.lanzaboote.nixosModules.lanzaboote + # inputs.fw-fanctrl.nixosModules.default + # inputs.nix-topology.nixosModules.default + inputs.home-manager.darwinModules.home-manager + "${self}/hosts/darwin/${arch}/${configName}" + "${self}/modules/nixos/darwin" + # needed for infrastructure + "${self}/modules/shared/meta.nix" + "${self}/modules/nixos/common/globals.nix" + { + node = { + name = lib.mkForce configName; + arch = lib.mkForce arch; + type = lib.mkForce "darwin"; + secretsDir = ../hosts/darwin/${arch}/${configName}/secrets; + }; + } + ]; + }; - mkHalfHost = configName: type: arch: - let - systemFunc = if (type == "home") then inputs.home-manager.lib.homeManagerConfiguration else inputs.nix-on-droid.lib.nixOnDroidConfiguration; - pkgs = lib.swarselsystems.pkgsFor.${arch}; - in - systemFunc { - inherit pkgs; - extraSpecialArgs = { - inherit inputs lib outputs self configName arch type; - inherit (config) nodes topologyPrivate; - globals = config.globals.${arch}; - minimal = false; - }; - modules = [ - inputs.stylix.homeModules.stylix - inputs.nix-index-database.homeModules.nix-index - inputs.sops.homeManagerModules.sops - inputs.spicetify-nix.homeManagerModules.default - inputs.swarsel-nix.homeModules.default - "${self}/hosts/${type}/${arch}/${configName}" - "${self}/profiles/home" - "${self}/modules/nixos/common/pii.nix" - { - node = { - name = lib.mkForce configName; - arch = lib.mkForce arch; - type = lib.mkForce type; - secretsDir = ../hosts/${type}/${arch}/${configName}/secrets; - }; - } - ]; - }; + mkHalfHost = configName: type: arch: + let + 
systemFunc = if (type == "home") then inputs.home-manager.lib.homeManagerConfiguration else inputs.nix-on-droid.lib.nixOnDroidConfiguration; + pkgs = lib.swarselsystems.pkgsFor.${arch}; + in + systemFunc { + inherit pkgs; + extraSpecialArgs = { + inherit inputs lib outputs self configName arch type; + inherit (config) nodes topologyPrivate; + globals = config.globals.${arch}; + minimal = false; + }; + modules = [ + inputs.stylix.homeModules.stylix + inputs.nix-index-database.homeModules.nix-index + inputs.sops.homeManagerModules.sops + inputs.spicetify-nix.homeManagerModules.default + inputs.swarsel-nix.homeModules.default + "${self}/hosts/${type}/${arch}/${configName}" + "${self}/profiles/home" + "${self}/modules/nixos/common/pii.nix" + { + node = { + name = lib.mkForce configName; + arch = lib.mkForce arch; + type = lib.mkForce type; + secretsDir = ../hosts/${type}/${arch}/${configName}/secrets; + }; + } + ]; + }; - linuxArches = [ "x86_64-linux" "aarch64-linux" ]; - darwinArches = [ "x86_64-darwin" "aarch64-darwin" ]; - mkArches = type: if (type == "nixos") then linuxArches else if (type == "darwin") then darwinArches else linuxArches ++ darwinArches; + linuxArches = [ "x86_64-linux" "aarch64-linux" ]; + darwinArches = [ "x86_64-darwin" "aarch64-darwin" ]; + mkArches = type: if (type == "nixos") then linuxArches else if (type == "darwin") then darwinArches else linuxArches ++ darwinArches; - readHostDirs = hostDir: - if builtins.pathExists hostDir then - builtins.attrNames - ( - lib.filterAttrs (_: type: type == "directory") - (builtins.readDir hostDir) - ) else [ ]; + readHostDirs = hostDir: + if builtins.pathExists hostDir then + builtins.attrNames + ( + lib.filterAttrs (_: type: type == "directory") + (builtins.readDir hostDir) + ) else [ ]; - mkHalfHostsForArch = type: arch: - let - hostDir = "${self}/hosts/${type}/${arch}"; - hosts = readHostDirs hostDir; - in - lib.genAttrs hosts (host: mkHalfHost host type arch); + mkHalfHostsForArch = type: arch: + let + 
hostDir = "${self}/hosts/${type}/${arch}"; + hosts = readHostDirs hostDir; + in + lib.genAttrs hosts (host: mkHalfHost host type arch); - mkHostsForArch = type: arch: minimal: - let - hostDir = "${self}/hosts/${type}/${arch}"; - hosts = readHostDirs hostDir; - in - if (type == "nixos") then - lib.genAttrs hosts (host: mkNixosHost { inherit minimal; } host arch) - else if (type == "darwin") then - lib.genAttrs hosts (host: mkDarwinHost { inherit minimal; } host arch) - else { }; + mkHostsForArch = type: arch: minimal: + let + hostDir = "${self}/hosts/${type}/${arch}"; + hosts = readHostDirs hostDir; + in + if (type == "nixos") then + lib.genAttrs hosts (host: mkNixosHost { inherit minimal; } host arch) + else if (type == "darwin") then + lib.genAttrs hosts (host: mkDarwinHost { inherit minimal; } host arch) + else { }; - mkConfigurationsPerArch = type: minimal: - let - arches = mkArches type; - toMake = if (minimal == null) then (arch: _: mkHalfHostsForArch type arch) else (arch: _: mkHostsForArch type arch minimal); - in - lib.concatMapAttrs toMake - (lib.listToAttrs (map (a: { name = a; value = { }; }) arches)); + mkConfigurationsPerArch = type: minimal: + let + arches = mkArches type; + toMake = if (minimal == null) then (arch: _: mkHalfHostsForArch type arch) else (arch: _: mkHostsForArch type arch minimal); + in + lib.concatMapAttrs toMake + (lib.listToAttrs (map (a: { name = a; value = { }; }) arches)); - halfConfigurationsPerArch = type: mkConfigurationsPerArch type null; - configurationsPerArch = type: minimal: mkConfigurationsPerArch type minimal; + halfConfigurationsPerArch = type: mkConfigurationsPerArch type null; + configurationsPerArch = type: minimal: mkConfigurationsPerArch type minimal; - in - rec { - nixosConfigurations = configurationsPerArch "nixos" false; - nixosConfigurationsMinimal = configurationsPerArch "nixos" true; - darwinConfigurations = configurationsPerArch "darwin" false; - darwinConfigurationsMinimal = configurationsPerArch "darwin" 
true; - homeConfigurations = halfConfigurationsPerArch "home"; - nixOnDroidConfigurations = halfConfigurationsPerArch "android"; + in + rec { + nixosConfigurations = configurationsPerArch "nixos" false; + nixosConfigurationsMinimal = configurationsPerArch "nixos" true; + darwinConfigurations = configurationsPerArch "darwin" false; + darwinConfigurationsMinimal = configurationsPerArch "darwin" true; + homeConfigurations = halfConfigurationsPerArch "home"; + nixOnDroidConfigurations = halfConfigurationsPerArch "android"; - guestConfigurations = lib.flip lib.concatMapAttrs config.nixosConfigurations ( - _: node: - lib.flip lib.mapAttrs' (node.config.guests or { }) ( - guestName: guestDef: - lib.nameValuePair guestDef.nodeName node.config.microvm.vms.${guestName}.config - ) - ); + guestConfigurations = lib.flip lib.concatMapAttrs config.nixosConfigurations ( + _: node: + lib.flip lib.mapAttrs' (node.config.guests or { }) ( + guestName: guestDef: + lib.nameValuePair guestDef.nodeName node.config.microvm.vms.${guestName}.config + ) + ); - diskoConfigurations.default = import "${self}/files/templates/hosts/nixos/disk-config.nix"; + diskoConfigurations.default = import "${self}/files/templates/hosts/nixos/disk-config.nix"; - nodes = config.nixosConfigurations - // config.darwinConfigurations - // config.guestConfigurations; + nodes = config.nixosConfigurations + // config.darwinConfigurations + // config.guestConfigurations; - guestResources = lib.mapAttrs - (name: _: let - f = arg: lib.foldr (base: acc: base + acc) 0 (map (node: nodes."${name}-${node}".config.microvm.${arg}) (builtins.attrNames nodes.${name}.config.guests)); - in { - mem = f "mem"; - vcpu = f "vcpu"; - }) nodes; + guestResources = lib.mapAttrs + (name: _: let + f = arg: lib.foldr (base: acc: base + acc) 0 (map (node: nodes."${name}-${node}".config.microvm.${arg}) (builtins.attrNames nodes.${name}.config.guests)); + in { + mem = f "mem"; + vcpu = f "vcpu"; + }) nodes; - "@" = lib.mapAttrs (_: v: 
v.config.system.build.toplevel) config.nodes; - }; - } + "@" = lib.mapAttrs (_: v: v.config.system.build.toplevel) config.nodes; + }; + } #+end_src ** Topology (nix-topology generated network diagram) @@ -2627,7 +2635,7 @@ Another note concerning [[https://flake.parts/][flake-parts]]: }; }; - switch-bedroom = mkDevice "Switch Bedroom" { + switch-bedroom = mkSwitch "Switch Bedroom" { info = "Cisco SG 200-08"; image = "${self}/files/topology-images/Cisco_SG_200-08.png"; interfaceGroups = [ @@ -4961,6 +4969,7 @@ This is my main server that I run at home. It handles most tasks that require bi { self, lib, minimal, ... }: { imports = [ + "${self}/profiles/nixos/microvm" "${self}/modules/nixos" ]; @@ -10207,6 +10216,20 @@ Here I disable global completion to prevent redundant compinit calls and cache i }; } #+end_src +***** nautilus + +#+begin_src nix-ts :tangle modules/nixos/client/nautilus.nix + { lib, config, ... }: + { + options.swarselmodules.nautilus = lib.mkEnableOption "nautilus config"; + config = lib.mkIf config.swarselmodules.nautilus { + programs.nautilus-open-any-terminal = { + enable = true; + terminal = "kitty"; + }; + }; + } +#+end_src ***** syncthing :PROPERTIES: :CUSTOM_ID: h:1e6d3d56-e415-43a2-8e80-3bad8062ecf8 @@ -11672,17 +11695,19 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t :END: #+begin_src nix-ts :tangle modules/nixos/server/bastion.nix - { self, lib, config, withHomeManager, ... }: + { self, lib, config, withHomeManager, confLib, ... }: { options.swarselmodules.server.bastion = lib.mkEnableOption "enable bastion on server"; config = lib.mkIf config.swarselmodules.server.bastion ({ users = { + persistentIds.jump = confLib.mkIds 1001; groups = { jump = { }; }; users = { - "jump" = { + jump = { + autoSubUidGidRange = false; isNormalUser = true; useDefaultShell = true; group = lib.mkForce "jump"; 
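Review bot: The only functional change in this roughly 200-line hunk on nix/hosts.nix is the single added module line `inputs.pia.nixosModules.default` in the `mkNixosHost` module list; every other line is a re-indentation of the tangled block, which hides the one line a reviewer needs to see. Landing the whitespace-only move and the functional change as separate commits (or at least reviewing with `git diff -w`) would make this tractable. Note also that the pia module is now evaluated for every `mkNixosHost` result, not only the transmission guest that configures it later in this patch; that is harmless if the module gates everything behind `services.pia.enable`, but that is inferred, not visible here, so worth confirming. The tangled source block is fully contained in the hunk.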
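Review bot: In the bastion hunk, `persistentIds.jump = confLib.mkIds 1001;` pins the jump user to an id in the range NixOS allocates to normal users (1000 and up), while the builder account in the ssh-builder hunk on the next line is pinned to 965 in the system range; combined with `isNormalUser = true`, a host that has already handed 1001 to an interactively created user will collide on rebuild. If a fixed id is required for persisted state ownership, a short comment stating that and why 1001 was chosen would prevent someone later "fixing" it, e.g. `# fixed uid/gid so persisted home/state ownership survives rebuilds; 1001 is reserved for jump across hosts`. The added `autoSubUidGidRange = false;` is a good restriction for an account that should never get subordinate uid/gid ranges (no user namespaces / rootless containers) and deserves a one-line comment saying so. The `users` block continues past the end of the hunk.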
@@ -11750,7 +11775,7 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t Restricts access to the system by the nix build user as per https://discourse.nixos.org/t/wrapper-to-restrict-builder-access-through-ssh-worth-upstreaming/25834. #+begin_src nix-ts :tangle modules/nixos/server/ssh-builder.nix - { self, pkgs, lib, config, ... }: + { self, pkgs, lib, config, confLib, ... }: let ssh-restrict = "restrict,pty,command=\"${wrapper-dispatch-ssh-nix}/bin/wrapper-dispatch-ssh-nix\" "; @@ -11772,6 +11797,7 @@ Restricts access to the system by the nix build user as per https://discourse.ni options.swarselmodules.server.ssh-builder = lib.mkEnableOption "enable ssh-builder config on server"; config = lib.mkIf config.swarselmodules.server.ssh-builder { users = { + persistentIds.builder = confLib.mkIds 965; groups.builder = { }; users.builder = { useDefaultShell = true; @@ -13098,7 +13124,7 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin :END: #+begin_src nix-ts :tangle modules/nixos/server/mpd.nix - { self, lib, config, pkgs, confLib, ... }: + { lib, config, pkgs, confLib, ... }: let inherit (config.swarselsystems) sopsFile; inherit (confLib.gen { name = "mpd"; port = 3254; }) servicePort serviceName serviceUser serviceGroup; @@ -13130,10 +13156,10 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin mpv ]; - topology.self.services.${serviceName} = { - info = "http://localhost:${builtins.toString servicePort}"; - icon = lib.mkForce "${self}/files/topology-images/mpd.png"; - }; + # topology.self.services.${serviceName} = { + # info = "http://localhost:${builtins.toString servicePort}"; + # icon = lib.mkForce "${self}/files/topology-images/mpd.png"; + # }; environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM { directories = [{ directory = "/var/lib/${serviceName}"; user = "mpd"; group = "mpd"; }]; 
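Review bot: In the last hunk on this line (mpd.nix), the `topology.self.services.${serviceName}` block is commented out rather than deleted, and because the same commit removes `self` from the module arguments in the hunk just above it, the commented code could not be uncommented as-is — it still references `${self}`. The matrix module in the next file section deletes its topology block outright; doing the same here keeps the two modules consistent and leaves git history as the record of what was there. Remove the four `# topology...` lines.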
@@ -13298,7 +13324,7 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin :END: #+begin_src nix-ts :tangle modules/nixos/server/matrix.nix - { self, lib, config, pkgs, globals, dns, confLib, ... }: + { lib, config, pkgs, globals, dns, confLib, ... }: let inherit (config.swarselsystems) sopsFile; inherit (confLib.gen { name = "matrix"; user = "matrix-synapse"; port = 8008; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6; @@ -13363,14 +13389,6 @@ This is the configuration to make [[#h:58c7563e-6954-42e6-a622-9d06523e8e24][Hin # networking.firewall.allowedTCPPorts = [ servicePort federationPort ]; - topology.self.services = lib.listToAttrs (map - (service: - lib.nameValuePair "mautrix-${service}" { - name = "mautrix-${service}"; - icon = "${self}/files/topology-images/mautrix.png"; - }) - [ "whatsapp" "signal" "telegram" ]); - systemd = { timers."restart-bridges" = { wantedBy = [ "timers.target" ]; @@ -14036,6 +14054,7 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= let inherit (confLib.gen { name = "transmission"; port = 9091; }) serviceName servicePort serviceDomain; inherit (confLib.static) isHome homeServiceAddress homeWebProxy nginxAccessRules; + inherit (config.swarselsystems) sopsFile; lidarrUser = "lidarr"; lidarrGroup = lidarrUser; 
@@ -14053,217 +14072,232 @@ Also I install Tika and Gotenberg, which are needed to create PDFs out of =.eml= prowlarrGroup = prowlarrUser; prowlarrPort = 9696; in - { - options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} and friends on server"; - config = lib.mkIf config.swarselmodules.server.${serviceName} { + { + options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} and friends on server"; + config = lib.mkIf config.swarselmodules.server.${serviceName} { - # this user/group section is probably unneeded - users = { - persistentIds = { - prowlarr = confLib.mkIds 971; - readarr = confLib.mkIds 970; - }; - groups = { - dockeruser = { - gid = 1155; - }; - "${radarrGroup}" = { }; - "${readarrGroup}" = { }; - "${sonarrGroup}" = { }; - "${lidarrGroup}" = { }; - "${prowlarrGroup}" = { }; + sops.secrets = { + pia = { inherit sopsFile; }; }; + + # this user/group section is probably unneeded users = { - dockeruser = { - isSystemUser = true; - uid = 1155; - group = "docker"; - extraGroups = [ "users" ]; + persistentIds = { + prowlarr = confLib.mkIds 971; + readarr = confLib.mkIds 970; }; - "${radarrUser}" = { - isSystemUser = true; - group = radarrGroup; - extraGroups = [ "users" ]; - }; - "${readarrGroup}" = { - isSystemUser = true; - group = readarrGroup; - extraGroups = [ "users" ]; - }; - "${sonarrGroup}" = { - isSystemUser = true; - group = sonarrGroup; - extraGroups = [ "users" ]; - }; - "${lidarrUser}" = { - isSystemUser = true; - group = lidarrGroup; - extraGroups = [ "users" ]; - }; - "${prowlarrGroup}" = { - isSystemUser = true; - group = prowlarrGroup; - extraGroups = [ "users" ]; - }; - }; - }; - - virtualisation.docker.enable = true; - environment.systemPackages = with pkgs; [ - docker - ]; - - topology.self.services = { - radarr.info = "https://${serviceDomain}/radarr"; - readarr = { - name = "Readarr"; - info = "https://${serviceDomain}/readarr"; - icon = 
"${self}/files/topology-images/readarr.png"; - }; - sonarr.info = "https://${serviceDomain}/sonarr"; - lidarr.info = "https://${serviceDomain}/lidarr"; - prowlarr.info = "https://${serviceDomain}/prowlarr"; - }; - - globals.services.transmission = { - domain = serviceDomain; - inherit isHome; - }; - - environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM { - directories = [ - { directory = "/var/lib/radarr"; user = radarrUser; group = radarrGroup; } - { directory = "/var/lib/readarr"; user = readarrUser; group = readarrGroup; } - { directory = "/var/lib/sonarr"; user = sonarrUser; group = sonarrGroup; } - { directory = "/var/lib/lidarr"; user = lidarrUser; group = lidarrGroup; } - { directory = "/var/lib/private/prowlarr"; user = prowlarrUser; group = prowlarrGroup; } - ]; - }; - - services = { - radarr = { - enable = true; - user = radarrUser; - group = radarrGroup; - settings.server.port = radarrPort; - openFirewall = true; - dataDir = "/var/lib/radarr"; - }; - readarr = { - enable = true; - user = readarrUser; - group = readarrGroup; - settings.server.port = readarrPort; - openFirewall = true; - dataDir = "/var/lib/readarr"; - }; - sonarr = { - enable = true; - user = sonarrUser; - group = sonarrGroup; - settings.server.port = sonarrPort; - openFirewall = true; - dataDir = "/var/lib/sonarr"; - }; - lidarr = { - enable = true; - user = lidarrUser; - group = lidarrGroup; - settings.server.port = lidarrPort; - openFirewall = true; - dataDir = "/var/lib/lidarr"; - }; - prowlarr = { - enable = true; - settings.server.port = prowlarrPort; - openFirewall = true; - }; - }; - - nodes = { - ${homeWebProxy}.services.nginx = { - upstreams = { - transmission = { - servers = { - "${homeServiceAddress}:${builtins.toString servicePort}" = { }; - }; + groups = { + dockeruser = { + gid = 1155; }; - radarr = { - servers = { + "${radarrGroup}" = { }; + "${readarrGroup}" = { }; + "${sonarrGroup}" = { }; + "${lidarrGroup}" = { }; + "${prowlarrGroup}" = { }; + }; 
+ users = { + dockeruser = { + isSystemUser = true; + uid = 1155; + group = "docker"; + extraGroups = [ "users" ]; + }; + "${radarrUser}" = { + isSystemUser = true; + group = radarrGroup; + extraGroups = [ "users" ]; + }; + "${readarrGroup}" = { + isSystemUser = true; + group = readarrGroup; + extraGroups = [ "users" ]; + }; + "${sonarrGroup}" = { + isSystemUser = true; + group = sonarrGroup; + extraGroups = [ "users" ]; + }; + "${lidarrUser}" = { + isSystemUser = true; + group = lidarrGroup; + extraGroups = [ "users" ]; + }; + "${prowlarrGroup}" = { + isSystemUser = true; + group = prowlarrGroup; + extraGroups = [ "users" ]; + }; + }; + }; + + virtualisation.docker.enable = true; + environment.systemPackages = with pkgs; [ + docker + ]; + + topology.self.services = { + radarr.info = "https://${serviceDomain}/radarr"; + readarr = { + name = "Readarr"; + info = "https://${serviceDomain}/readarr"; + icon = "${self}/files/topology-images/readarr.png"; + }; + sonarr.info = "https://${serviceDomain}/sonarr"; + lidarr.info = "https://${serviceDomain}/lidarr"; + prowlarr.info = "https://${serviceDomain}/prowlarr"; + }; + + globals.services.transmission = { + domain = serviceDomain; + inherit isHome; + }; + + environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM { + directories = [ + { directory = "/var/lib/radarr"; user = radarrUser; group = radarrGroup; } + { directory = "/var/lib/readarr"; user = readarrUser; group = readarrGroup; } + { directory = "/var/lib/sonarr"; user = sonarrUser; group = sonarrGroup; } + { directory = "/var/lib/lidarr"; user = lidarrUser; group = lidarrGroup; } + { directory = "/var/lib/private/prowlarr"; user = prowlarrUser; group = prowlarrGroup; } + ]; + }; + + services = { + pia = { + enable = true; + credentials.credentialsFile = config.sops.secrets.pia.path; + protocol = "wireguard"; + autoConnect = { + enable = true; + region = "sweden"; + }; + portForwarding.enable = true; + dns.enable = true; + }; + radarr = { + 
enable = true; + user = radarrUser; + group = radarrGroup; + settings.server.port = radarrPort; + openFirewall = true; + dataDir = "/var/lib/radarr"; + }; + readarr = { + enable = true; + user = readarrUser; + group = readarrGroup; + settings.server.port = readarrPort; + openFirewall = true; + dataDir = "/var/lib/readarr"; + }; + sonarr = { + enable = true; + user = sonarrUser; + group = sonarrGroup; + settings.server.port = sonarrPort; + openFirewall = true; + dataDir = "/var/lib/sonarr"; + }; + lidarr = { + enable = true; + user = lidarrUser; + group = lidarrGroup; + settings.server.port = lidarrPort; + openFirewall = true; + dataDir = "/var/lib/lidarr"; + }; + prowlarr = { + enable = true; + settings.server.port = prowlarrPort; + openFirewall = true; + }; + }; + + nodes = { + ${homeWebProxy}.services.nginx = { + upstreams = { + transmission = { + servers = { + "${homeServiceAddress}:${builtins.toString servicePort}" = { }; + }; + }; + radarr = { + servers = { "${homeServiceAddress}:${builtins.toString radarrPort}" = { }; }; - }; - readarr = { + }; + readarr = { servers = { "${homeServiceAddress}:${builtins.toString readarrPort}" = { }; }; - }; - sonarr = { + }; + sonarr = { servers = { "${homeServiceAddress}:${builtins.toString sonarrPort}" = { }; }; - }; - lidarr = { + }; + lidarr = { servers = { "${homeServiceAddress}:${builtins.toString lidarrPort}" = { }; }; - }; - prowlarr = { + }; + prowlarr = { servers = { "${homeServiceAddress}:${builtins.toString prowlarrPort}" = { }; }; + }; }; - }; - virtualHosts = { - "${serviceDomain}" = { - enableACME = false; - forceSSL = false; - acmeRoot = null; - extraConfig = nginxAccessRules; - locations = { - "/" = { - proxyPass = "http://transmission"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - "/radarr" = { - proxyPass = "http://radarr"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - "/readarr" = { - proxyPass = "http://readarr"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - "/sonarr" 
= { - proxyPass = "http://sonarr"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - "/lidarr" = { - proxyPass = "http://lidarr"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - "/prowlarr" = { - proxyPass = "http://prowlarr"; - extraConfig = '' - client_max_body_size 0; - ''; + virtualHosts = { + "${serviceDomain}" = { + enableACME = false; + forceSSL = false; + acmeRoot = null; + extraConfig = nginxAccessRules; + locations = { + "/" = { + proxyPass = "http://transmission"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + "/radarr" = { + proxyPass = "http://radarr"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + "/readarr" = { + proxyPass = "http://readarr"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + "/sonarr" = { + proxyPass = "http://sonarr"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + "/lidarr" = { + proxyPass = "http://lidarr"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + "/prowlarr" = { + proxyPass = "http://prowlarr"; + extraConfig = '' + client_max_body_size 0; + ''; + }; }; }; }; }; }; }; - }; - } + } #+end_src @@ -15406,7 +15440,8 @@ kanidm person credential create-reset-token }; }; - systemd.services."generateSSLCert-${serviceName}" = + systemd.services = { + "generateSSLCert-${serviceName}" = let daysValid = 3650; renewBeforeDays = 365; @@ -15458,6 +15493,12 @@ kanidm person credential create-reset-token fi ''; }; + kanidm = { + environment.KANIDM_TRUST_X_FORWARD_FOR = "true"; + serviceConfig.RestartSec = "30"; + }; + }; + # system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence { @@ -15521,7 +15562,7 @@ kanidm person credential create-reset-token # tls_key = config.sops.secrets.kanidm-self-signed-key.path; tls_key = keyPathBase; bindaddress = "0.0.0.0:${toString servicePort}"; - trust_x_forward_for = true; + # trust_x_forward_for = true; }; enableClient = true; clientSettings = { 
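Review bot: `environment.KANIDM_TRUST_X_FORWARD_FOR = "true"` makes kanidm take the client address from the X-Forwarded-For header while the server still listens on `bindaddress = "0.0.0.0:${toString servicePort}"` (the `@@ -15521` hunk), so any client that can reach the port without passing through the nginx proxy can set that header itself and spoof its source address in kanidm's audit log and IP-based rate limiting. That is only acceptable if the port is firewalled to the proxy hosts (the `firewallRuleForNode` pattern the other service modules in this patch use) or bound to the wgProxy address instead of all interfaces; I cannot see from these hunks which of the two applies here. The `# trust_x_forward_for = true;` left in the settings block appears to be the same setting moved to the environment variable; if the env var is authoritative for the kanidm version this flake update pins, drop the commented line and document the trust decision on the unit, e.g. `# X-Forwarded-For is trusted only because this port is reachable solely via the nginx proxy`.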
@@ -15718,7 +15759,6 @@ kanidm person credential create-reset-token }; }; - systemd.services.${serviceName}.serviceConfig.RestartSec = "30"; nodes = let extraConfig = '' @@ -16126,7 +16166,7 @@ kanidm person credential create-reset-token #+begin_src nix-ts :tangle modules/nixos/server/koillection.nix { self, lib, config, globals, dns, confLib, ... }: let - inherit (confLib.gen { name = "koillection"; port = 2282; dir = "/var/lib/koillection"; }) servicePort serviceName serviceUser serviceDir serviceDomain serviceAddress proxyAddress4 proxyAddress6; + inherit (confLib.gen { name = "koillection"; port = 2282; dir = "/var/lib/koillection"; }) servicePort serviceName serviceUser serviceDir serviceDomain serviceAddress proxyAddress4 proxyAddress6 topologyContainerName; inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules; serviceDB = "koillection"; @@ -16150,11 +16190,11 @@ kanidm person credential create-reset-token koillection-env-file = { inherit sopsFile; }; }; - topology.self.services.${serviceName} = { - name = lib.swarselsystems.toCapitalized serviceName; - info = "https://${serviceDomain}"; - icon = "${self}/files/topology-images/${serviceName}.png"; - }; + topology.nodes.${topologyContainerName}.services.${serviceName} = { + name = lib.swarselsystems.toCapitalized serviceName; + info = "https://${serviceDomain}"; + icon = "${self}/files/topology-images/${serviceName}.png"; + }; globals = { networks = { @@ -16558,6 +16598,7 @@ kanidm person credential create-reset-token config = lib.mkIf config.swarselmodules.server.${serviceName} { users = { + persistentIds.${serviceName} = confLib.mkIds 964; groups.${serviceGroup} = { }; users.${serviceUser} = { 
@@ -16680,7 +16721,7 @@ kanidm person credential create-reset-token #+begin_src nix-ts :tangle modules/nixos/server/shlink.nix { self, lib, config, dns, globals, confLib, ... }: let - inherit (confLib.gen { name = "shlink"; port = 8081; dir = "/var/lib/shlink"; }) servicePort serviceName serviceDomain serviceDir serviceAddress proxyAddress4 proxyAddress6; + inherit (confLib.gen { name = "shlink"; port = 8081; dir = "/var/lib/shlink"; }) servicePort serviceName serviceDomain serviceDir serviceAddress proxyAddress4 proxyAddress6 topologyContainerName; inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules; containerRev = "sha256:1a697baca56ab8821783e0ce53eb4fb22e51bb66749ec50581adc0cb6d031d7a"; @@ -16711,6 +16752,12 @@ kanidm person credential create-reset-token }; }; + topology.nodes.${topologyContainerName}.services.${serviceName} = { + name = lib.swarselsystems.toCapitalized serviceName; + info = "https://${serviceDomain}"; + icon = "${self}/files/topology-images/${serviceName}.png"; + }; + virtualisation.oci-containers.containers.${serviceName} = { image = "shlinkio/shlink@${containerRev}"; environment = { @@ -16757,12 +16804,6 @@ kanidm person credential create-reset-token { directory = "/var/lib/containers"; } ]; - topology.self.services.${serviceName} = { - name = lib.swarselsystems.toCapitalized serviceName; - info = "https://${serviceDomain}"; - icon = "${self}/files/topology-images/${serviceName}.png"; - }; - globals = { networks = { ${webProxyIf}.hosts = lib.mkIf isProxied { 
@@ -16802,129 +16843,129 @@ Deployment notes: - finally, disable new user registration in web ui #+begin_src nix-ts :tangle modules/nixos/server/slink.nix -{ lib, config, dns, globals, confLib, ... }: -let - inherit (confLib.gen { name = "slink"; port = 3000; dir = "/var/lib/slink"; }) servicePort serviceName serviceDomain serviceDir serviceAddress proxyAddress4 proxyAddress6; - inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules; + { lib, config, dns, globals, confLib, ... }: + let + inherit (confLib.gen { name = "slink"; port = 3000; dir = "/var/lib/slink"; }) servicePort serviceName serviceDomain serviceDir serviceAddress proxyAddress4 proxyAddress6 topologyContainerName; + inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules; - containerRev = "sha256:98b9442696f0a8cbc92f0447f54fa4bad227af5dcfd6680545fedab2ed28ddd9"; -in -{ - options = { - swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; - }; - config = lib.mkIf config.swarselmodules.server.${serviceName} { - - swarselmodules.server = { - podman = true; + containerRev = "sha256:98b9442696f0a8cbc92f0447f54fa4bad227af5dcfd6680545fedab2ed28ddd9"; + in + { + options = { + swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server"; }; + config = lib.mkIf config.swarselmodules.server.${serviceName} { - virtualisation.oci-containers.containers.${serviceName} = { - image = "anirdev/slink@${containerRev}"; - environment = { - "ORIGIN" = "https://${serviceDomain}"; - "TZ" = config.repo.secrets.common.location.timezone; - "STORAGE_PROVIDER" = "local"; - "IMAGE_MAX_SIZE" = "50M"; - "USER_APPROVAL_REQUIRED" = "true"; + swarselmodules.server = { + podman = true; }; - ports = [ "${builtins.toString servicePort}:${builtins.toString servicePort}" ]; - volumes = [ - 
"${serviceDir}/var/data:/app/var/data" - "${serviceDir}/images:/app/slink/images" + + topology.nodes.${topologyContainerName}.services.${serviceName} = { + name = lib.swarselsystems.toCapitalized serviceName; + info = "https://${serviceDomain}"; + icon = "services.not-available"; + }; + + virtualisation.oci-containers.containers.${serviceName} = { + image = "anirdev/slink@${containerRev}"; + environment = { + "ORIGIN" = "https://${serviceDomain}"; + "TZ" = config.repo.secrets.common.location.timezone; + "STORAGE_PROVIDER" = "local"; + "IMAGE_MAX_SIZE" = "50M"; + "USER_APPROVAL_REQUIRED" = "true"; + }; + ports = [ "${builtins.toString servicePort}:${builtins.toString servicePort}" ]; + volumes = [ + "${serviceDir}/var/data:/app/var/data" + "${serviceDir}/images:/app/slink/images" + ]; + }; + + systemd.tmpfiles.settings."12-slink" = builtins.listToAttrs ( + map + (path: { + name = "${serviceDir}/${path}"; + value = { + d = { + group = "root"; + user = "root"; + mode = "0750"; + }; + }; + }) [ + "var/data" + "images" + ] + ); + + # networking.firewall.allowedTCPPorts = [ servicePort ]; + + environment.persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [ + { directory = serviceDir; } ]; - }; - systemd.tmpfiles.settings."12-slink" = builtins.listToAttrs ( - map - (path: { - name = "${serviceDir}/${path}"; - value = { - d = { - group = "root"; - user = "root"; - mode = "0750"; - }; + globals = { + networks = { + ${webProxyIf}.hosts = lib.mkIf isProxied { + ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ]; + }; + ${homeProxyIf}.hosts = lib.mkIf isHome { + ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ]; }; - }) [ - "var/data" - "images" - ] - ); - - # networking.firewall.allowedTCPPorts = [ servicePort ]; - - environment.persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [ - { directory = serviceDir; } - ]; - - 
topology.self.services.${serviceName} = { - name = lib.swarselsystems.toCapitalized serviceName; - info = "https://${serviceDomain}"; - icon = "services.not-available"; - }; - - globals = { - networks = { - ${webProxyIf}.hosts = lib.mkIf isProxied { - ${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ]; }; - ${homeProxyIf}.hosts = lib.mkIf isHome { - ${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ]; + services.${serviceName} = { + domain = serviceDomain; + inherit proxyAddress4 proxyAddress6 isHome serviceAddress; + homeServiceAddress = lib.mkIf isHome homeServiceAddress; }; }; - services.${serviceName} = { - domain = serviceDomain; - inherit proxyAddress4 proxyAddress6 isHome serviceAddress; - homeServiceAddress = lib.mkIf isHome homeServiceAddress; - }; - }; - nodes = - let - genNginx = toAddress: extraConfig: { - upstreams = { - ${serviceName} = { - servers = { - "${toAddress}:${builtins.toString servicePort}" = { }; - }; - }; - }; - virtualHosts = { - "${serviceDomain}" = { - useACMEHost = globals.domains.main; - - forceSSL = true; - acmeRoot = null; - oauth2 = { - enable = true; - allowedGroups = [ "slink_access" ]; - }; - inherit extraConfig; - locations = { - "/" = { - proxyPass = "http://${serviceName}"; + nodes = + let + genNginx = toAddress: extraConfig: { + upstreams = { + ${serviceName} = { + servers = { + "${toAddress}:${builtins.toString servicePort}" = { }; }; - "/image" = { - proxyPass = "http://${serviceName}"; - setOauth2Headers = false; - bypassAuth = true; + }; + }; + virtualHosts = { + "${serviceDomain}" = { + useACMEHost = globals.domains.main; + + forceSSL = true; + acmeRoot = null; + oauth2 = { + enable = true; + allowedGroups = [ "slink_access" ]; + }; + inherit extraConfig; + locations = { + "/" = { + proxyPass = "http://${serviceName}"; + }; + "/image" = { + proxyPass = "http://${serviceName}"; + setOauth2Headers = false; + bypassAuth = true; + }; }; }; }; }; + in 
+ { + ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { + "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; + }; + ${webProxy}.services.nginx = genNginx serviceAddress ""; + ${homeWebProxy}.services.nginx = lib.mkIf isHome (genNginx homeServiceAddress nginxAccessRules); }; - in - { - ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = { - "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6; - }; - ${webProxy}.services.nginx = genNginx serviceAddress ""; - ${homeWebProxy}.services.nginx = lib.mkIf isHome (genNginx homeServiceAddress nginxAccessRules); - }; - }; -} + }; + } #+end_src **** Snipe-IT (currently unused) @@ -17901,6 +17942,15 @@ When changing the hashed passwords, =dovecot= needs to be restarted manually, it }; config = lib.mkIf config.swarselmodules.server.${serviceName} { + users = { + persistentIds = { + knot-resolver = confLib.mkIds 963; + postfix-tlspol = confLib.mkIds 962; + roundcube = confLib.mkIds 961; + redis-rspamd = confLib.mkIds 960; + }; + }; + globals.services = { ${serviceName} = { domain = serviceDomain; @@ -17950,11 +18000,12 @@ When changing the hashed passwords, =dovecot= needs to be restarted manually, it domains = [ baseDomain ]; indexDir = "${serviceDir}/indices"; openFirewall = true; - certificateScheme = "acme"; + # certificateScheme = "acme"; dmarcReporting.enable = true; enableSubmission = true; enableSubmissionSsl = true; enableImapSsl = true; + x509.useACMEHost = globals.domains.main; loginAccounts = { "${user1}@${baseDomain}" = { @@ -19057,7 +19108,7 @@ This has some state: homeDomains) ++ [ { domain = "smb.${globals.domains.main}"; - answer = globals.networks.home-lan.vlans.services.hosts.storage.ipv4; + answer = globals.networks.home-lan.vlans.services.hosts.summers-storage.ipv4; enabled = true; } ]; 
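Review bot: `x509.useACMEHost = globals.domains.main;` makes Postfix and Dovecot present the ACME certificate issued for the main domain, so the mail host's FQDN (the name MUAs and peer MTAs connect to for the `enableSubmissionSsl`/`enableImapSsl` listeners) must be among that certificate's SANs; otherwise clients get a name-mismatched certificate and either fail or get trained to click through. Please confirm the ACME certificate's extra domain names cover the mail FQDN and that the mail daemons can read the files under the ACME directory (the mailserver module may handle the group membership; it is not visible here). The old `# certificateScheme = "acme";` is dead configuration now and should be removed rather than commented out, with a short note on the new line such as `# serve the main-domain ACME cert; the mail fqdn must be in its SANs`.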
@@ -19799,7 +19850,7 @@ Some standard options that should be set for every microvm host. Some standard options that should be set for every microvm guest. We set the default #+begin_src nix-ts :tangle modules/nixos/optional/microvm-guest.nix - { self, lib, config, inputs, microVMParent, nodes, globals, confLib, ... }: + { self, config, inputs, ... }: { imports = [ inputs.disko.nixosModules.disko @@ -19816,6 +19867,7 @@ Some standard options that should be set for every microvm guest. We set the def inputs.stylix.nixosModules.stylix inputs.swarsel-nix.nixosModules.default inputs.nixos-nftables-firewall.nixosModules.default + inputs.pia.nixosModules.default (inputs.nixos-extra-modules + "/modules/interface-naming.nix") @@ -21603,9 +21655,9 @@ To specify both content in Early initialization and General configuration, use l Currently I only use it as before with =initExtra= though. #+begin_src nix-ts :tangle modules/home/common/zsh.nix - { self, config, pkgs, lib, minimal, globals, confLib, type, ... }: + { self, config, pkgs, lib, minimal, globals, confLib, type, arch, ... }: let - inherit (config.swarselsystems) flakePath isNixos; + inherit (config.swarselsystems) flakePath isNixos homeDir; crocDomain = globals.services.croc.domain; in { @@ -21625,7 +21677,11 @@ Currently I only use it as before with =initExtra= though. // lib.optionalAttrs (!minimal) { shellAliases = lib.recursiveUpdate { - hg = "history | grep"; + nb = "nix build"; + nbl = "nix build --builders \"\""; + nbo = "nix build --offline --builders \"\""; + nd = "nix develop"; + ns = "nix shell"; hmswitch = lib.mkIf (!isNixos) "${lib.getExe pkgs.home-manager} --flake ${flakePath}#$(hostname) switch |& nom"; nswitch = lib.mkIf isNixos "cd ${flakePath}; swarsel-deploy $(hostname) switch; cd -;"; ntest = lib.mkIf isNixos "cd ${flakePath}; swarsel-deploy $(hostname) test; cd -;"; 
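Review bot: `inputs.pia.nixosModules.default` is now imported into every microvm guest through this shared module, although, judging by the transmission guest earlier in this patch, only that guest sets `services.pia.enable` and hands it a credentials file. Importing a third-party VPN module that handles credentials into guests that never use it widens the evaluated and trusted code base of every guest for no benefit; unless other guests need it, import the module only in the guest that enables it. If it must stay global, add a comment next to the import stating why, e.g. `# pia module is available to all guests; only transmission enables it`. The module is inert unless enabled, so this is a trusted-surface concern rather than a change in active behaviour.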
@@ -21651,7 +21707,8 @@ Currently I only use it as before with =initExtra= though. boot-diff = "nix store diff-closures /run/*-system"; gen-diff = "nix profile diff-closures --profile /nix/var/nix/profiles/system"; cc = "wl-copy"; - build-topology = "nix build --override-input topologyPrivate ${self}/files/topology/private .#topology.x86_64-linux.config.output"; + build-topology = "nix build --override-input topologyPrivate ${self}/files/topology/private ${flakePath}#topology.${arch}.config.output"; + build-topology-dev = "nix build --show-trace --override-input nix-topology ${homeDir}/Documents/Private/nix-topology --override-input topologyPrivate ${self}/files/topology/private ${flakePath}#topology.${arch}.config.output"; build-iso = "nix build --print-out-paths .#live-iso"; nix-review-local = "nix run nixpkgs#nixpkgs-review -- rev HEAD"; nix-review-post = "nix run nixpkgs#nixpkgs-review -- pr --post-result --systems linux"; @@ -24308,7 +24365,7 @@ Sets up a systemd user service for anki that does not stall the shutdown process }; Service = { - ExecStart = "${pkgs.vesktop}/bin/vesktop --start-minimized --enable-speech-dispatcher --ozone-platform-hint=auto --enable-features=WaylandWindowDecorations --enable-wayland-ime"; + ExecStart = "${pkgs.vesktop}/bin/vesktop --start-minimized --ozone-platform-hint=auto --enable-features=WaylandWindowDecorations --enable-wayland-ime"; }; }; }; 
@@ -25714,12 +25771,12 @@ This service changes the screen hue at night. I am not sure if that really does # { timeout = 600; command = ''${pkgs.sway}/bin/swaymsg "output * dpms off"; resumeCommand = "${pkgs.sway}/bin/swaymsg output * dpms on''; } { timeout = 600; command = "${suspend}"; } ]; - events = [ + events = { # { event = "before-sleep"; command = "${lib.getExe pkgs.swaylock-effects} -f --screenshots --clock --effect-blur 7x5 --effect-vignette 0.5:0.5 --fade-in 0.2"; } # { event = "after-resume"; command = "${swaylock} -f "; } - { event = "before-sleep"; command = "${swaylock} -f "; } - { event = "lock"; command = "${swaylock} -f "; } - ]; + before-sleep = "${swaylock} -f "; + lock = "${swaylock} -f "; + }; }; }; 
@@ -27359,220 +27416,222 @@ In short, the options defined here are passed to the modules systems using =_mod :CUSTOM_ID: h:a33322d5-014a-4072-a4a5-91bc71c343b8 :END: #+begin_src nix-ts :noweb yes :tangle modules/shared/config-lib.nix - { self, config, lib, globals, inputs, outputs, minimal, nixosConfig ? null, ... }: - let - domainDefault = service: config.repo.secrets.common.services.domains.${service}; - proxyDefault = config.swarselsystems.proxyHost; + { self, config, lib, globals, inputs, outputs, minimal, nixosConfig ? null, ... }: + let + domainDefault = service: config.repo.secrets.common.services.domains.${service}; + proxyDefault = config.swarselsystems.proxyHost; - addressDefault = + addressDefault = + if + config.swarselsystems.proxyHost != config.node.name + then if - config.swarselsystems.proxyHost != config.node.name + config.swarselsystems.server.wireguard.interfaces.wgProxy.isClient then - if - config.swarselsystems.server.wireguard.interfaces.wgProxy.isClient - then - globals.networks."${config.swarselsystems.server.wireguard.interfaces.wgProxy.serverNetConfigPrefix}-wgProxy".hosts.${config.node.name}.ipv4 - else - globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.ipv4 + globals.networks."${config.swarselsystems.server.wireguard.interfaces.wgProxy.serverNetConfigPrefix}-wgProxy".hosts.${config.node.name}.ipv4 else - "localhost"; - in - { - _module.args = { - confLib = rec { - getConfig = if nixosConfig == null then config else nixosConfig; + globals.networks.${config.swarselsystems.server.netConfigName}.hosts.${config.node.name}.ipv4 + else + "localhost"; + in + { + _module.args = { + confLib = rec { + getConfig = if nixosConfig == null then config else nixosConfig; - gen = { name ? "n/a", user ? name, group ? user, dir ? null, port ? null, domain ? (domainDefault name), address ? addressDefault, proxy ? 
proxyDefault }: rec { - servicePort = port; - serviceName = name; - specificServiceName = "${name}-${config.node.name}"; - serviceUser = user; - serviceGroup = group; - serviceDomain = domain; - baseDomain = lib.swarselsystems.getBaseDomain domain; - subDomain = lib.swarselsystems.getSubDomain domain; - serviceDir = dir; - serviceAddress = address; - serviceProxy = proxy; - proxyAddress4 = globals.hosts.${proxy}.wanAddress4 or null; - proxyAddress6 = globals.hosts.${proxy}.wanAddress6 or null; - }; + gen = { name ? "n/a", user ? name, group ? user, dir ? null, port ? null, domain ? (domainDefault name), address ? addressDefault, proxy ? proxyDefault }: rec { + servicePort = port; + serviceName = name; + specificServiceName = "${name}-${config.node.name}"; + serviceUser = user; + serviceGroup = group; + serviceDomain = domain; + baseDomain = lib.swarselsystems.getBaseDomain domain; + subDomain = lib.swarselsystems.getSubDomain domain; + serviceDir = dir; + serviceAddress = address; + serviceProxy = proxy; + serviceNode = config.node.name; + topologyContainerName = "${serviceNode}-${config.virtualisation.oci-containers.backend}-${name}"; + proxyAddress4 = globals.hosts.${proxy}.wanAddress4 or null; + proxyAddress6 = globals.hosts.${proxy}.wanAddress6 or null; + }; - static = rec { - inherit (globals.hosts.${config.node.name}) isHome; - inherit (globals.general) homeProxy webProxy dnsServer homeDnsServer homeWebProxy idmServer oauthServer; - webProxyIf = "${webProxy}-wgProxy"; - homeProxyIf = "home-wgHome"; - isProxied = config.node.name != webProxy; - nginxAccessRules = '' - allow ${globals.networks.home-lan.vlans.home.cidrv4}; - allow ${globals.networks.home-lan.vlans.home.cidrv6}; - allow ${globals.networks.home-lan.vlans.services.hosts.${homeProxy}.ipv4}; - allow ${globals.networks.home-lan.vlans.services.hosts.${homeProxy}.ipv6}; - deny all; - ''; - homeServiceAddress = lib.optionalString (config.swarselsystems.server.wireguard.interfaces ? 
wgHome) globals.networks."${config.swarselsystems.server.wireguard.interfaces.wgHome.serverNetConfigPrefix}-wgHome".hosts.${config.node.name}.ipv4; - }; + static = rec { + inherit (globals.hosts.${config.node.name}) isHome; + inherit (globals.general) homeProxy webProxy dnsServer homeDnsServer homeWebProxy idmServer oauthServer; + webProxyIf = "${webProxy}-wgProxy"; + homeProxyIf = "home-wgHome"; + isProxied = config.node.name != webProxy; + nginxAccessRules = '' + allow ${globals.networks.home-lan.vlans.home.cidrv4}; + allow ${globals.networks.home-lan.vlans.home.cidrv6}; + allow ${globals.networks.home-lan.vlans.services.hosts.${homeProxy}.ipv4}; + allow ${globals.networks.home-lan.vlans.services.hosts.${homeProxy}.ipv6}; + deny all; + ''; + homeServiceAddress = lib.optionalString (config.swarselsystems.server.wireguard.interfaces ? wgHome) globals.networks."${config.swarselsystems.server.wireguard.interfaces.wgHome.serverNetConfigPrefix}-wgHome".hosts.${config.node.name}.ipv4; + }; - mkIds = id: { - uid = id; - gid = id; - }; + mkIds = id: { + uid = id; + gid = id; + }; - mkDeviceMac = id: - let - mod = n: d: n - (n / d) * d; - toHexByte = n: - let - hex = "0123456789abcdef"; - hi = n / 16; - lo = mod n 16; - in - builtins.substring hi 1 hex - + builtins.substring lo 1 hex; + mkDeviceMac = id: + let + mod = n: d: n - (n / d) * d; + toHexByte = n: + let + hex = "0123456789abcdef"; + hi = n / 16; + lo = mod n 16; + in + builtins.substring hi 1 hex + + builtins.substring lo 1 hex; - max = 16777215; # 256^3 - 1 + max = 16777215; # 256^3 - 1 - b1 = id / (256 * 256); - r1 = mod id (256 * 256); - b2 = r1 / 256; - b3 = mod r1 256; - in - if - (id <= max) - then - (builtins.concatStringsSep ":" - (map toHexByte [ b1 b2 b3 ])) - else - (throw "Device MAC ID too large (max is 16777215)"); - - mkMicrovm = - if config.swarselsystems.withMicroVMs then - (guestName: - { eternorPaths ? [ ] - , withZfs ? false - , ... 
- }: - { - ${guestName} = - { - backend = "microvm"; - autostart = true; - zfs = lib.mkIf withZfs - ({ - # stateful config usually bind-mounted to /var/lib/ that should be backed up remotely - "/state" = { - pool = "Vault"; - dataset = "guests/${guestName}/state"; - }; - # other stuff that should only reside on zfs, not backed up remotely - "/persist" = { - pool = "Vault"; - dataset = "guests/${guestName}/persist"; - }; - } // lib.optionalAttrs (eternorPaths != [ ]) - (lib.listToAttrs (map - # data that is pulled in externally by services, some of which is backed up externally - (eternorPath: - lib.nameValuePair "/storage/${eternorPath}" { - pool = "Vault"; - dataset = "Eternor/${eternorPath}"; - }) eternorPaths))); - modules = [ - (config.node.configDir + /guests/${guestName}/default.nix) - { - node.secretsDir = config.node.configDir + /secrets/${guestName}; - node.configDir = config.node.configDir + /guests/${guestName}; - networking.nftables.firewall = { - zones.untrusted.interfaces = lib.mkIf - ( - lib.length config.guests.${guestName}.networking.links == 1 - ) - config.guests.${guestName}.networking.links; - }; - - fileSystems = { - "/persist".neededForBoot = true; - } // lib.optionalAttrs withZfs { - "/state".neededForBoot = true; - }; - } - "${self}/modules/nixos/optional/microvm-guest.nix" - "${self}/modules/nixos/optional/systemd-networkd-base.nix" - ]; - microvm = { - system = config.node.arch; - baseMac = config.repo.secrets.local.networking.networks.lan.mac; - interfaces.vlan-services = { - mac = lib.mkForce "02:${lib.substring 3 5 config.guests.${guestName}.microvm.baseMac}:${mkDeviceMac globals.networks.home-lan.vlans.services.hosts."${config.node.name}-${guestName}".id}"; + b1 = id / (256 * 256); + r1 = mod id (256 * 256); + b2 = r1 / 256; + b3 = mod r1 256; + in + if + (id <= max) + then + (builtins.concatStringsSep ":" + (map toHexByte [ b1 b2 b3 ])) + else + (throw "Device MAC ID too large (max is 16777215)"); + mkMicrovm = + if 
config.swarselsystems.withMicroVMs then + (guestName: + { eternorPaths ? [ ] + , withZfs ? false + , ... + }: + { + ${guestName} = + { + backend = "microvm"; + autostart = true; + zfs = lib.mkIf withZfs + ({ + # stateful config usually bind-mounted to /var/lib/ that should be backed up remotely + "/state" = { + pool = "Vault"; + dataset = "guests/${guestName}/state"; + }; + # other stuff that should only reside on zfs, not backed up remotely + "/persist" = { + pool = "Vault"; + dataset = "guests/${guestName}/persist"; + }; + } // lib.optionalAttrs (eternorPaths != [ ]) + (lib.listToAttrs (map + # data that is pulled in externally by services, some of which is backed up externally + (eternorPath: + lib.nameValuePair "/storage/${eternorPath}" { + pool = "Vault"; + dataset = "Eternor/${eternorPath}"; + }) eternorPaths))); + modules = [ + (config.node.configDir + /guests/${guestName}/default.nix) + { + node.secretsDir = config.node.configDir + /secrets/${guestName}; + node.configDir = config.node.configDir + /guests/${guestName}; + networking.nftables.firewall = { + zones.untrusted.interfaces = lib.mkIf + ( + lib.length config.guests.${guestName}.networking.links == 1 + ) + config.guests.${guestName}.networking.links; }; - }; - extraSpecialArgs = { - inherit (inputs.self) nodes; - inherit (inputs.self.pkgs.${config.node.arch}) lib; - inherit inputs outputs minimal; - inherit (inputs) self; - withHomeManager = false; - microVMParent = config.node.name; - globals = inputs.self.globals.${config.node.arch}; - }; - }; - }) else - (_: { - _ = { }; - }); - genNginx = - { serviceAddress - , serviceName - , serviceDomain - , servicePort - , protocol ? "http" - , maxBody ? (-1) - , maxBodyUnit ? "" - , noSslVerify ? false - , proxyWebsockets ? false - , oauth2 ? false - , oauth2Groups ? [ ] - , extraConfig ? "" - , extraConfigLoc ? 
"" - }: { - upstreams = { - ${serviceName} = { - servers = { - "${serviceAddress}:${builtins.toString servicePort}" = { }; - }; - }; - }; - virtualHosts = { - "${serviceDomain}" = { - useACMEHost = globals.domains.main; - forceSSL = true; - acmeRoot = null; - oauth2 = { - enable = lib.mkIf oauth2 true; - allowedGroups = lib.mkIf (oauth2Groups != [ ]) oauth2Groups; - }; - locations = { - "/" = { - proxyPass = "${protocol}://${serviceName}"; - proxyWebsockets = lib.mkIf proxyWebsockets true; - extraConfig = lib.optionalString (maxBody != (-1)) '' - client_max_body_size ${builtins.toString maxBody}${maxBodyUnit}; - '' + extraConfigLoc; + fileSystems = { + "/persist".neededForBoot = true; + } // lib.optionalAttrs withZfs { + "/state".neededForBoot = true; + }; + } + "${self}/modules/nixos/optional/microvm-guest.nix" + "${self}/modules/nixos/optional/systemd-networkd-base.nix" + ]; + microvm = { + system = config.node.arch; + baseMac = config.repo.secrets.local.networking.networks.lan.mac; + interfaces.vlan-services = { + mac = lib.mkForce "02:${lib.substring 3 5 config.guests.${guestName}.microvm.baseMac}:${mkDeviceMac globals.networks.home-lan.vlans.services.hosts."${config.node.name}-${guestName}".id}"; + + }; + }; + extraSpecialArgs = { + inherit (inputs.self) nodes; + inherit (inputs.self.pkgs.${config.node.arch}) lib; + inherit inputs outputs minimal; + inherit (inputs) self; + withHomeManager = false; + microVMParent = config.node.name; + globals = inputs.self.globals.${config.node.arch}; }; }; - extraConfig = lib.optionalString noSslVerify '' - proxy_ssl_verify off; - '' + extraConfig; + }) else + (_: { + _ = { }; + }); + + genNginx = + { serviceAddress + , serviceName + , serviceDomain + , servicePort + , protocol ? "http" + , maxBody ? (-1) + , maxBodyUnit ? "" + , noSslVerify ? false + , proxyWebsockets ? false + , oauth2 ? false + , oauth2Groups ? [ ] + , extraConfig ? "" + , extraConfigLoc ? 
"" + }: { + upstreams = { + ${serviceName} = { + servers = { + "${serviceAddress}:${builtins.toString servicePort}" = { }; }; }; }; + virtualHosts = { + "${serviceDomain}" = { + useACMEHost = globals.domains.main; + forceSSL = true; + acmeRoot = null; + oauth2 = { + enable = lib.mkIf oauth2 true; + allowedGroups = lib.mkIf (oauth2Groups != [ ]) oauth2Groups; + }; + locations = { + "/" = { + proxyPass = "${protocol}://${serviceName}"; + proxyWebsockets = lib.mkIf proxyWebsockets true; + extraConfig = lib.optionalString (maxBody != (-1)) '' + client_max_body_size ${builtins.toString maxBody}${maxBodyUnit}; + '' + extraConfigLoc; + }; + }; + extraConfig = lib.optionalString noSslVerify '' + proxy_ssl_verify off; + '' + extraConfig; + }; + }; + }; - }; }; - } + }; + } #+end_src *** Packages @@ -29887,6 +29946,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a lid = lib.mkDefault true; login = lib.mkDefault true; lowBattery = lib.mkDefault false; + nautilus = lib.mkDefault true; network = lib.mkDefault true; networkDevices = lib.mkDefault true; nftables = lib.mkDefault true; 
@@ -30233,62 +30293,25 @@ This holds modules that are to be used on most hosts. These are also the most im
 options.swarselprofiles.dgxspark = lib.mkEnableOption "is this a dgx spark host";
 config = lib.mkIf config.swarselprofiles.dgxspark {
 swarselmodules = {
- anki = lib.mkDefault false;
- anki-tray = lib.mkDefault false;
 atuin = lib.mkDefault true;
- autotiling = lib.mkDefault false;
- batsignal = lib.mkDefault false;
 bash = lib.mkDefault true;
 blueman-applet = lib.mkDefault true;
- desktop = lib.mkDefault false;
 direnv = lib.mkDefault true;
- element-desktop = lib.mkDefault false;
- element-tray = lib.mkDefault false;
- emacs = lib.mkDefault false;
- env = lib.mkDefault false;
 eza = lib.mkDefault true;
 firefox = lib.mkDefault true;
 fuzzel = lib.mkDefault true;
- gammastep = lib.mkDefault false;
 general = lib.mkDefault true;
 git = lib.mkDefault true;
- gnome-keyring = lib.mkDefault false;
 gpgagent = lib.mkDefault true;
- hexchat = lib.mkDefault false;
- kanshi = lib.mkDefault false;
- kdeconnect = lib.mkDefault false;
 kitty = lib.mkDefault true;
- mail = lib.mkDefault false;
- mako = lib.mkDefault false;
 nix-index = lib.mkDefault true;
 nixgl = lib.mkDefault true;
 nix-your-shell = lib.mkDefault true;
 nm-applet = lib.mkDefault true;
- obs-studio = lib.mkDefault false;
- obsidian = lib.mkDefault false;
- obsidian-tray = lib.mkDefault false;
- ownpackages = lib.mkDefault false;
- packages = lib.mkDefault false;
- passwordstore = lib.mkDefault false;
- programs = lib.mkDefault false;
 sops = lib.mkDefault true;
- spicetify = lib.mkDefault false;
- spotify-player = lib.mkDefault false;
- ssh = lib.mkDefault false;
 starship = lib.mkDefault true;
 stylix = lib.mkDefault true;
- sway = lib.mkDefault false;
- swayidle = lib.mkDefault false;
- swaylock = lib.mkDefault false;
- swayosd = lib.mkDefault false;
- symlink = lib.mkDefault false;
 tmux = lib.mkDefault true;
- vesktop = lib.mkDefault false;
- vesktop-tray = lib.mkDefault false;
- syncthing-tray = lib.mkDefault false;
- waybar = lib.mkDefault false; - yubikey = lib.mkDefault false; - yubikeytouch = lib.mkDefault false; zellij = lib.mkDefault true; zsh = lib.mkDefault true; }; diff --git a/flake.lock b/flake.lock index 0e44f31..418bfad 100644 --- a/flake.lock +++ b/flake.lock @@ -298,7 +298,9 @@ "dns": { "inputs": { "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs_3" + "nixpkgs": [ + "nixpkgs" + ] }, "locked": { "lastModified": 1768143854, @@ -316,7 +318,7 @@ }, "emacs-overlay": { "inputs": { - "nixpkgs": "nixpkgs_4", + "nixpkgs": "nixpkgs_3", "nixpkgs-stable": "nixpkgs-stable" }, "locked": { @@ -337,7 +339,7 @@ }, "fenix": { "inputs": { - "nixpkgs": "nixpkgs_16", + "nixpkgs": "nixpkgs_15", "rust-analyzer-src": "rust-analyzer-src" }, "locked": { @@ -696,7 +698,25 @@ }, "flake-utils_6": { "inputs": { - "systems": "systems_8" + "systems": "systems_3" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_7": { + "inputs": { + "systems": "systems_9" }, "locked": { "lastModified": 1731533236, @@ -891,11 +911,11 @@ ] }, "locked": { - "lastModified": 1769102673, - "narHash": "sha256-/qvRFjn1s3bIJdSKG6IpaE6ML3j9anQKUqGhmt4Qe+E=", + "lastModified": 1769622371, + "narHash": "sha256-Cs1/+P3ntxl9mOIL7/QtItBAzQJ2xjvTMHv7qw0nFV0=", "owner": "nix-community", "repo": "home-manager", - "rev": "b0491fe55680bd19be8e74847969dad9d7784658", + "rev": "02d763228d8aff317e6e5a319474b6d4d9d826a5", "type": "github" }, "original": { @@ -952,7 +972,7 @@ "nix-eval-jobs": [ "nix-eval-jobs" ], - "nixpkgs": "nixpkgs_5" + "nixpkgs": "nixpkgs_4" }, "locked": { "lastModified": 1759783173, 
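Review bot: Dropping the explicit `lib.mkDefault false` lines in the `swarselprofiles.dgxspark` block changes merge semantics, not only verbosity: before, a sibling profile on the same host setting e.g. `ssh = lib.mkDefault true` would have been a conflicting-definition error, now its value silently wins. If every removed module is declared with `mkEnableOption` (default false) and no other enabled profile touches them, the result is identical, but that cannot be confirmed from this hunk. A one-line comment on the remaining block, `# modules not listed keep their declared default (false); other profiles may override them`, would record the intent. The enclosing `config` attrset continues past the end of the hunk.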
@@ -972,7 +992,7 @@ "impermanence": { "inputs": { "home-manager": "home-manager_2", - "nixpkgs": "nixpkgs_6" + "nixpkgs": "nixpkgs_5" }, "locked": { "lastModified": 1768941735, @@ -1014,7 +1034,7 @@ "lanzaboote": { "inputs": { "crane": "crane", - "nixpkgs": "nixpkgs_7", + "nixpkgs": "nixpkgs_6", "pre-commit": "pre-commit", "rust-overlay": "rust-overlay" }, @@ -1034,7 +1054,7 @@ }, "microvm": { "inputs": { - "nixpkgs": "nixpkgs_8", + "nixpkgs": "nixpkgs_7", "spectrum": "spectrum" }, "locked": { @@ -1116,7 +1136,7 @@ "inputs": { "niri-stable": "niri-stable", "niri-unstable": "niri-unstable", - "nixpkgs": "nixpkgs_9", + "nixpkgs": "nixpkgs_8", "nixpkgs-stable": "nixpkgs-stable_2", "xwayland-satellite-stable": "xwayland-satellite-stable", "xwayland-satellite-unstable": "xwayland-satellite-unstable" @@ -1187,7 +1207,7 @@ }, "nix-darwin": { "inputs": { - "nixpkgs": "nixpkgs_10" + "nixpkgs": "nixpkgs_9" }, "locked": { "lastModified": 1768764703, @@ -1267,7 +1287,7 @@ "inputs": { "flake-compat": "flake-compat_2", "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs_11" + "nixpkgs": "nixpkgs_10" }, "locked": { "lastModified": 1768962252, @@ -1287,7 +1307,7 @@ "inputs": { "home-manager": "home-manager_3", "nix-formatter-pack": "nix-formatter-pack", - "nixpkgs": "nixpkgs_12", + "nixpkgs": "nixpkgs_11", "nixpkgs-docs": "nixpkgs-docs", "nixpkgs-for-bootstrap": "nixpkgs-for-bootstrap", "nmd": "nmd_2" @@ -1310,7 +1330,7 @@ "nix-topology": { "inputs": { "flake-parts": "flake-parts_2", - "nixpkgs": "nixpkgs_13" + "nixpkgs": "nixpkgs_12" }, "locked": { "lastModified": 1769018862, @@ -1364,7 +1384,7 @@ "nixgl": { "inputs": { "flake-utils": "flake-utils_3", - "nixpkgs": "nixpkgs_14" + "nixpkgs": "nixpkgs_13" }, "locked": { "lastModified": 1762090880, @@ -1399,7 +1419,7 @@ "inputs": { "devshell": "devshell_2", "flake-parts": "flake-parts_3", - "nixpkgs": "nixpkgs_15", + "nixpkgs": "nixpkgs_14", "nixt": "nixt", "pre-commit-hooks": "pre-commit-hooks" }, 
@@ -1421,7 +1441,9 @@ "nixos-generators": { "inputs": { "nixlib": "nixlib", - "nixpkgs": "nixpkgs_17" + "nixpkgs": [ + "nixpkgs" + ] }, "locked": { "lastModified": 1764234087, @@ -1476,7 +1498,7 @@ "nixos-nftables-firewall": { "inputs": { "dependencyDagOfSubmodule": "dependencyDagOfSubmodule", - "nixpkgs": "nixpkgs_18" + "nixpkgs": "nixpkgs_16" }, "locked": { "lastModified": 1715521768, @@ -1805,22 +1827,6 @@ } }, "nixpkgs_10": { - "locked": { - "lastModified": 1765934234, - "narHash": "sha256-pJjWUzNnjbIAMIc5gRFUuKCDQ9S1cuh3b2hKgA7Mc4A=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "af84f9d270d404c17699522fab95bbf928a2d92f", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_11": { "locked": { "lastModified": 1748929857, "narHash": "sha256-lcZQ8RhsmhsK8u7LIFsJhsLh/pzR9yZ8yqpTzyGdj+Q=", @@ -1836,7 +1842,7 @@ "type": "github" } }, - "nixpkgs_12": { + "nixpkgs_11": { "locked": { "lastModified": 1708172716, "narHash": "sha256-3M94oln0b61m3dUmLyECCA9hYAHXZEszM4saE3CmQO4=", @@ -1851,7 +1857,7 @@ "type": "github" } }, - "nixpkgs_13": { + "nixpkgs_12": { "locked": { "lastModified": 1766651565, "narHash": "sha256-QEhk0eXgyIqTpJ/ehZKg9IKS7EtlWxF3N7DXy42zPfU=", @@ -1867,7 +1873,7 @@ "type": "github" } }, - "nixpkgs_14": { + "nixpkgs_13": { "locked": { "lastModified": 1746378225, "narHash": "sha256-OeRSuL8PUjIfL3Q0fTbNJD/fmv1R+K2JAOqWJd3Oceg=", @@ -1882,7 +1888,7 @@ "type": "github" } }, - "nixpkgs_15": { + "nixpkgs_14": { "locked": { "lastModified": 1737885589, "narHash": "sha256-Zf0hSrtzaM1DEz8//+Xs51k/wdSajticVrATqDrfQjg=", @@ -1898,7 +1904,7 @@ "type": "github" } }, - "nixpkgs_16": { + "nixpkgs_15": { "locked": { "lastModified": 1677063315, "narHash": "sha256-qiB4ajTeAOVnVSAwCNEEkoybrAlA+cpeiBxLobHndE8=", 
@@ -1914,23 +1920,7 @@ "type": "github" } }, - "nixpkgs_17": { - "locked": { - "lastModified": 1736657626, - "narHash": "sha256-FWlPMUzp0lkQBdhKlPqtQdqmp+/C+1MBiEytaYfrCTY=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "2f9e2f85cb14a46410a1399aa9ea7ecf433e422e", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_18": { + "nixpkgs_16": { "locked": { "lastModified": 1692638711, "narHash": "sha256-J0LgSFgJVGCC1+j5R2QndadWI1oumusg6hCtYAzLID4=", @@ -1946,6 +1936,38 @@ "type": "github" } }, + "nixpkgs_17": { + "locked": { + "lastModified": 1769018530, + "narHash": "sha256-MJ27Cy2NtBEV5tsK+YraYr2g851f3Fl1LpNHDzDX15c=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "88d3861acdd3d2f0e361767018218e51810df8a1", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_18": { + "locked": { + "lastModified": 1720957393, + "narHash": "sha256-oedh2RwpjEa+TNxhg5Je9Ch6d3W1NKi7DbRO1ziHemA=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "693bc46d169f5af9c992095736e82c3488bf7dbb", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_19": { "locked": { "lastModified": 1769018530, 
@@ -1980,37 +2002,21 @@ }, "nixpkgs_20": { "locked": { - "lastModified": 1720957393, - "narHash": "sha256-oedh2RwpjEa+TNxhg5Je9Ch6d3W1NKi7DbRO1ziHemA=", - "owner": "nixos", + "lastModified": 1767892417, + "narHash": "sha256-dhhvQY67aboBk8b0/u0XB6vwHdgbROZT3fJAjyNh5Ww=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "693bc46d169f5af9c992095736e82c3488bf7dbb", + "rev": "3497aa5c9457a9d88d71fa93a4a8368816fbeeba", "type": "github" }, "original": { - "owner": "nixos", + "owner": "NixOS", "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, "nixpkgs_21": { - "locked": { - "lastModified": 1769018530, - "narHash": "sha256-MJ27Cy2NtBEV5tsK+YraYr2g851f3Fl1LpNHDzDX15c=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "88d3861acdd3d2f0e361767018218e51810df8a1", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_22": { "locked": { "lastModified": 1764947035, "narHash": "sha256-EYHSjVM4Ox4lvCXUMiKKs2vETUSL5mx+J2FfutM7T9w=", @@ -2026,7 +2032,7 @@ "type": "github" } }, - "nixpkgs_23": { + "nixpkgs_22": { "locked": { "lastModified": 1764374374, "narHash": "sha256-naS7hg/D1yLKSZoENx9gvsPLFiNEOTcqamJSu0OEvCA=", @@ -2042,7 +2048,7 @@ "type": "github" } }, - "nixpkgs_24": { + "nixpkgs_23": { "locked": { "lastModified": 1768569498, "narHash": "sha256-bB6Nt99Cj8Nu5nIUq0GLmpiErIT5KFshMQJGMZwgqUo=", @@ -2058,7 +2064,7 @@ "type": "github" } }, - "nixpkgs_25": { + "nixpkgs_24": { "locked": { "lastModified": 1768564909, "narHash": "sha256-Kell/SpJYVkHWMvnhqJz/8DqQg2b6PguxVWOuadbHCc=", @@ -2074,7 +2080,7 @@ "type": "github" } }, - "nixpkgs_26": { + "nixpkgs_25": { "locked": { "lastModified": 1767767207, "narHash": "sha256-Mj3d3PfwltLmukFal5i3fFt27L6NiKXdBezC1EBuZs4=", @@ -2090,7 +2096,7 @@ "type": "github" } }, - "nixpkgs_27": { + "nixpkgs_26": { "locked": { "lastModified": 1759733170, "narHash": "sha256-TXnlsVb5Z8HXZ6mZoeOAIwxmvGHp1g4Dw89eLvIwKVI=", 
@@ -2106,7 +2112,7 @@ "type": "github" } }, - "nixpkgs_28": { + "nixpkgs_27": { "locked": { "lastModified": 1767364772, "narHash": "sha256-fFUnEYMla8b7UKjijLnMe+oVFOz6HjijGGNS1l7dYaQ=", @@ -2122,7 +2128,7 @@ "type": "github" } }, - "nixpkgs_29": { + "nixpkgs_28": { "locked": { "lastModified": 1742268799, "narHash": "sha256-IhnK4LhkBlf14/F8THvUy3xi/TxSQkp9hikfDZRD4Ic=", @@ -2138,22 +2144,7 @@ "type": "github" } }, - "nixpkgs_3": { - "locked": { - "lastModified": 1616989418, - "narHash": "sha256-LcOn5wHR/1JwClfY/Ai/b+pSRY+d23QtIPQHwPAyHHI=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "9d8e05e088ad91b7c62886a2175f38bfa443db2c", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_30": { + "nixpkgs_29": { "locked": { "lastModified": 1765934234, "narHash": "sha256-pJjWUzNnjbIAMIc5gRFUuKCDQ9S1cuh3b2hKgA7Mc4A=", @@ -2169,7 +2160,7 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_3": { "locked": { "lastModified": 1760284886, "narHash": "sha256-TK9Kr0BYBQ/1P5kAsnNQhmWWKgmZXwUQr4ZMjCzWf2c=", @@ -2185,7 +2176,7 @@ "type": "github" } }, - "nixpkgs_5": { + "nixpkgs_4": { "locked": { "lastModified": 1759652726, "narHash": "sha256-2VjnimOYDRb3DZHyQ2WH2KCouFqYm9h0Rr007Al/WSA=", @@ -2201,7 +2192,7 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_5": { "locked": { "lastModified": 1768564909, "narHash": "sha256-Kell/SpJYVkHWMvnhqJz/8DqQg2b6PguxVWOuadbHCc=", @@ -2217,7 +2208,7 @@ "type": "github" } }, - "nixpkgs_7": { + "nixpkgs_6": { "locked": { "lastModified": 1768127708, "narHash": "sha256-1Sm77VfZh3mU0F5OqKABNLWxOuDeHIlcFjsXeeiPazs=", @@ -2233,7 +2224,7 @@ "type": "github" } }, - "nixpkgs_8": { + "nixpkgs_7": { "locked": { "lastModified": 1759381078, "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=", @@ -2249,7 +2240,7 @@ "type": "github" } }, - "nixpkgs_9": { + "nixpkgs_8": { "locked": { "lastModified": 1769018530, "narHash": "sha256-MJ27Cy2NtBEV5tsK+YraYr2g851f3Fl1LpNHDzDX15c=", 
@@ -2265,6 +2256,22 @@ "type": "github" } }, + "nixpkgs_9": { + "locked": { + "lastModified": 1765934234, + "narHash": "sha256-pJjWUzNnjbIAMIc5gRFUuKCDQ9S1cuh3b2hKgA7Mc4A=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "af84f9d270d404c17699522fab95bbf928a2d92f", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixt": { "inputs": { "flake-compat": "flake-compat_3", @@ -2361,7 +2368,7 @@ "nswitch-rcm-nix": { "inputs": { "flake-parts": "flake-parts_4", - "nixpkgs": "nixpkgs_20" + "nixpkgs": "nixpkgs_18" }, "locked": { "lastModified": 1721304043, @@ -2380,7 +2387,7 @@ "nur": { "inputs": { "flake-parts": "flake-parts_5", - "nixpkgs": "nixpkgs_21" + "nixpkgs": "nixpkgs_19" }, "locked": { "lastModified": 1769114635, @@ -2535,6 +2542,26 @@ "type": "github" } }, + "pia": { + "inputs": { + "flake-utils": "flake-utils_6", + "nixpkgs": "nixpkgs_20" + }, + "locked": { + "lastModified": 1769674747, + "narHash": "sha256-fj6i2Xay3Jz8MJHcPiJslsL+YHh2JzaJtWr7rA0ckgY=", + "owner": "Swarsel", + "repo": "pia.nix", + "rev": "7b56baf2300e49bb05d7e24f2fcd5d8ce4a40143", + "type": "github" + }, + "original": { + "owner": "Swarsel", + "ref": "custom", + "repo": "pia.nix", + "type": "github" + } + }, "pre-commit": { "inputs": { "flake-compat": "flake-compat", @@ -2585,7 +2612,7 @@ "inputs": { "flake-compat": "flake-compat_6", "gitignore": "gitignore_3", - "nixpkgs": "nixpkgs_22" + "nixpkgs": "nixpkgs_21" }, "locked": { "lastModified": 1769069492, @@ -2626,7 +2653,7 @@ "nixos-hardware": "nixos-hardware", "nixos-images": "nixos-images", "nixos-nftables-firewall": "nixos-nftables-firewall", - "nixpkgs": "nixpkgs_19", + "nixpkgs": "nixpkgs_17", "nixpkgs-bisect": "nixpkgs-bisect", "nixpkgs-dev": "nixpkgs-dev", "nixpkgs-kernel": "nixpkgs-kernel", 
@@ -2637,6 +2664,7 @@ "nixpkgs-stable25_11": "nixpkgs-stable25_11", "nswitch-rcm-nix": "nswitch-rcm-nix", "nur": "nur", + "pia": "pia", "pre-commit-hooks": "pre-commit-hooks_2", "simple-nixos-mailserver": "simple-nixos-mailserver", "smallpkgs": "smallpkgs", @@ -2644,7 +2672,7 @@ "spicetify-nix": "spicetify-nix", "stylix": "stylix", "swarsel-nix": "swarsel-nix", - "systems": "systems_6", + "systems": "systems_7", "topologyPrivate": "topologyPrivate", "treefmt-nix": "treefmt-nix", "vbc-nix": "vbc-nix", @@ -2764,7 +2792,7 @@ "blobs": "blobs", "flake-compat": "flake-compat_7", "git-hooks": "git-hooks", - "nixpkgs": "nixpkgs_23" + "nixpkgs": "nixpkgs_22" }, "locked": { "lastModified": 1766321686, @@ -2800,7 +2828,7 @@ }, "sops": { "inputs": { - "nixpkgs": "nixpkgs_24" + "nixpkgs": "nixpkgs_23" }, "locked": { "lastModified": 1768863606, @@ -2834,8 +2862,8 @@ }, "spicetify-nix": { "inputs": { - "nixpkgs": "nixpkgs_25", - "systems": "systems_3" + "nixpkgs": "nixpkgs_24", + "systems": "systems_4" }, "locked": { "lastModified": 1768656845, @@ -2938,9 +2966,9 @@ "firefox-gnome-theme": "firefox-gnome-theme", "flake-parts": "flake-parts_6", "gnome-shell": "gnome-shell", - "nixpkgs": "nixpkgs_26", + "nixpkgs": "nixpkgs_25", "nur": "nur_2", - "systems": "systems_4", + "systems": "systems_5", "tinted-foot": "tinted-foot", "tinted-kitty": "tinted-kitty", "tinted-schemes": "tinted-schemes", @@ -2964,8 +2992,8 @@ "swarsel-nix": { "inputs": { "flake-parts": "flake-parts_7", - "nixpkgs": "nixpkgs_27", - "systems": "systems_5" + "nixpkgs": "nixpkgs_26", + "systems": "systems_6" }, "locked": { "lastModified": 1760190732, 
@@ -3073,6 +3101,21 @@ } }, "systems_7": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_8": { "locked": { "lastModified": 1689347949, "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", @@ -3087,7 +3130,7 @@ "type": "github" } }, - "systems_8": { + "systems_9": { "locked": { "lastModified": 1681028828, "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", @@ -3196,7 +3239,7 @@ }, "treefmt-nix": { "inputs": { - "nixpkgs": "nixpkgs_28" + "nixpkgs": "nixpkgs_27" }, "locked": { "lastModified": 1768158989, @@ -3214,8 +3257,8 @@ }, "vbc-nix": { "inputs": { - "nixpkgs": "nixpkgs_29", - "systems": "systems_7" + "nixpkgs": "nixpkgs_28", + "systems": "systems_8" }, "locked": { "lastModified": 1742477270, @@ -3291,8 +3334,8 @@ "zjstatus": { "inputs": { "crane": "crane_3", - "flake-utils": "flake-utils_6", - "nixpkgs": "nixpkgs_30", + "flake-utils": "flake-utils_7", + "nixpkgs": "nixpkgs_29", "rust-overlay": "rust-overlay_3" }, "locked": { diff --git a/flake.nix b/flake.nix index de15f43..995faeb 100644 --- a/flake.nix +++ b/flake.nix 
@@ -37,13 +37,22 @@
 home-manager = {
 url = "github:nix-community/home-manager";
- # url = "github:Swarsel/home-manager/main";
 inputs.nixpkgs.follows = "nixpkgs";
 };
 nix-index-database = {
 url = "github:nix-community/nix-index-database";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ dns = {
+ url = "github:kirelagin/dns.nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ nixos-generators = {
+ url = "github:nix-community/nixos-generators";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ topologyPrivate.url = "./files/topology/public";
 # emacs-overlay.url = "github:nix-community/emacs-overlay";
 emacs-overlay.url = "github:nix-community/emacs-overlay/aba8daa237dc07a3bb28a61c252a718e8eb38057?narHash=sha256-4OXXccXsY1sBXTXjYIthdjXLAotozSh4F8StGRuLyMQ%3D";
@@ -55,7 +64,6 @@
 sops.url = "github:Mic92/sops-nix";
 lanzaboote.url = "github:nix-community/lanzaboote";
 nix-on-droid.url = "github:nix-community/nix-on-droid/release-24.05";
- nixos-generators.url = "github:nix-community/nixos-generators";
 nixos-images.url = "github:Swarsel/nixos-images/main";
 nixos-hardware.url = "github:NixOS/nixos-hardware/master";
 nswitch-rcm-nix.url = "github:Swarsel/nswitch-rcm-nix";
@@ -73,11 +81,10 @@
 nixos-extra-modules.url = "github:oddlama/nixos-extra-modules/main";
 microvm.url = "github:astro/microvm.nix";
 treefmt-nix.url = "github:numtide/treefmt-nix";
- dns.url = "github:kirelagin/dns.nix";
 nix-minecraft.url = "github:Infinidoge/nix-minecraft";
 simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
 nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall";
- topologyPrivate.url = "./files/topology/public";
+ pia.url = "github:Swarsel/pia.nix/custom";
 };
 outputs =
diff --git a/hosts/nixos/x86_64-linux/summers/guests/transmission/default.nix b/hosts/nixos/x86_64-linux/summers/guests/transmission/default.nix
index 6afde67..38b5503 100644
--- a/hosts/nixos/x86_64-linux/summers/guests/transmission/default.nix
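Review bot: The new `pia` input in the third hunk is added without `inputs.nixpkgs.follows = "nixpkgs"`, unlike the `dns` and `nixos-generators` blocks this same commit converts, so the lock file pins a separate nixpkgs tree for it (the `pia` entry in flake.lock points at `nixpkgs_20`, a different revision from the root `nixpkgs_17`). That is one more full nixpkgs checkout to audit and update and it slows evaluation for no benefit. Suggest `pia = { url = "github:Swarsel/pia.nix/custom"; inputs.nixpkgs.follows = "nixpkgs"; };`, matching the `dns` block. Since `custom` is a branch rather than a tag or commit, a short comment such as `# tracks a mutable branch; flake.lock is the actual pin` would make the supply-chain assumption visible.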
+++ b/hosts/nixos/x86_64-linux/summers/guests/transmission/default.nix @@ -1,6 +1,7 @@ { self, lib, minimal, ... }: { imports = [ + "${self}/profiles/nixos/microvm" "${self}/modules/nixos" ]; diff --git a/hosts/nixos/x86_64-linux/summers/secrets/transmission/secrets.yaml b/hosts/nixos/x86_64-linux/summers/secrets/transmission/secrets.yaml index c4f3a52..1cf7cb9 100644 --- a/hosts/nixos/x86_64-linux/summers/secrets/transmission/secrets.yaml +++ b/hosts/nixos/x86_64-linux/summers/secrets/transmission/secrets.yaml @@ -1,4 +1,5 @@ wireguard-private-key: ENC[AES256_GCM,data:o3wV7UI5BSV9YU0uaumgfFWBJlgMewpUqOusvcGWxOW8dSrT/aqpT9iu1K0=,iv:fNf6fOL8KcYBxmfFLi5K/qPmNfon16HE1fgQ86qNDNU=,tag:BoRbtrw7jvENAn5wiP/sWQ==,type:str] +pia: ENC[AES256_GCM,data:9bMMSavvHTC5UM24W+Gsy69VQdc=,iv:pRd18+/Yy8BWp/kybOqM1VPpIkS7vLSWXZ93PZT+mAk=,tag:DYiiv3+zl8N9UR2X4Yv58A==,type:str] sops: age: - recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u @@ -19,8 +20,8 @@ sops: aEg5NzQxeVZPaUY1bTBBa1ZidXJrS2MKUCsDOnsmpOZTQsnvdYguDK8uH4FetcXq nKzlSJ8zvYXzb91PfCcjYbp3ttUGeeJLVPnrD42+3i8H2U8btSrR8w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-01-07T13:36:52Z" - mac: ENC[AES256_GCM,data:Sb9HItfMt5WaTYJw1/OcPVR3SBKzAifgK0NTwSb59ByxAsaOhkXrGL2cx+6p7QpVBw2V9duiFVmZhOp9vW2clCQX2RwiSAxaRLcDtVIoqB7YfmiNTdzrEDFHJNndbT6Vs0qOb42tjMyKXGZIcrA55G3Vh8S5Qy5w3IW4CSwI20U=,iv:pRjPa71yPRy4X29IPjk9Jju4JZkhIK2uucgK/dBX4L8=,tag:2RD746vX1mlQu3GyDELF8w==,type:str] + lastmodified: "2026-01-28T11:27:02Z" + mac: ENC[AES256_GCM,data:7QTzIr3m0Gip66y+RNZrmmbUTn1jm+7PrEPerH/iw1resKHU5g+I3cumNqPt+iJYIbvNJmzfi5g6qLyjvcIjMFK8gy+RAkQ86r3zd9O0sWd9Nyd8OWstl/8srxGQNK8gWNEFIF97Dz2Hs26WYHa5NTWrZkyblFjJ2a1EiL+mNzo=,iv:aTF8ew4Ucu+QqiOz10F+KyuLb1Ukz6Q674SoSdYQxOM=,tag:5UeUHsJlKiwKfC7VwoEltg==,type:str] pgp: - created_at: "2026-01-12T22:05:42Z" enc: |- diff --git a/modules/home/common/swayidle.nix b/modules/home/common/swayidle.nix index 1bbcbcc..a7f7fcd 100644 --- a/modules/home/common/swayidle.nix 
+++ b/modules/home/common/swayidle.nix
@@ -22,12 +22,12 @@ in
 # { timeout = 600; command = ''${pkgs.sway}/bin/swaymsg "output * dpms off"; resumeCommand = "${pkgs.sway}/bin/swaymsg output * dpms on''; }
 { timeout = 600; command = "${suspend}"; }
 ];
- events = [
+ events = {
 # { event = "before-sleep"; command = "${lib.getExe pkgs.swaylock-effects} -f --screenshots --clock --effect-blur 7x5 --effect-vignette 0.5:0.5 --fade-in 0.2"; }
 # { event = "after-resume"; command = "${swaylock} -f "; }
- { event = "before-sleep"; command = "${swaylock} -f "; }
- { event = "lock"; command = "${swaylock} -f "; }
- ];
+ before-sleep = "${swaylock} -f ";
+ lock = "${swaylock} -f ";
+ };
 };
 };
diff --git a/modules/home/common/vesktop-tray.nix b/modules/home/common/vesktop-tray.nix
index 1d258d7..8f6e281 100644
--- a/modules/home/common/vesktop-tray.nix
+++ b/modules/home/common/vesktop-tray.nix
@@ -19,7 +19,7 @@
 };
 Service = {
- ExecStart = "${pkgs.vesktop}/bin/vesktop --start-minimized --enable-speech-dispatcher --ozone-platform-hint=auto --enable-features=WaylandWindowDecorations --enable-wayland-ime";
+ ExecStart = "${pkgs.vesktop}/bin/vesktop --start-minimized --ozone-platform-hint=auto --enable-features=WaylandWindowDecorations --enable-wayland-ime";
 };
 };
 };
diff --git a/modules/home/common/zsh.nix b/modules/home/common/zsh.nix
index 847163f..d06566a 100644
--- a/modules/home/common/zsh.nix
+++ b/modules/home/common/zsh.nix
@@ -1,6 +1,6 @@
-{ self, config, pkgs, lib, minimal, globals, confLib, type, ... }:
+{ self, config, pkgs, lib, minimal, globals, confLib, type, arch, ... }:
 let
- inherit (config.swarselsystems) flakePath isNixos;
+ inherit (config.swarselsystems) flakePath isNixos homeDir;
 crocDomain = globals.services.croc.domain;
 in
 {
@@ -20,7 +20,11 @@ in
 // lib.optionalAttrs (!minimal) {
 shellAliases = lib.recursiveUpdate {
- hg = "history | grep";
+ nb = "nix build";
+ nbl = "nix build --builders \"\"";
+ nbo = "nix build --offline --builders \"\"";
+ nd = "nix develop";
+ ns = "nix shell";
 hmswitch = lib.mkIf (!isNixos) "${lib.getExe pkgs.home-manager} --flake ${flakePath}#$(hostname) switch |& nom";
 nswitch = lib.mkIf isNixos "cd ${flakePath}; swarsel-deploy $(hostname) switch; cd -;";
 ntest = lib.mkIf isNixos "cd ${flakePath}; swarsel-deploy $(hostname) test; cd -;";
@@ -46,7 +50,8 @@ in
 boot-diff = "nix store diff-closures /run/*-system";
 gen-diff = "nix profile diff-closures --profile /nix/var/nix/profiles/system";
 cc = "wl-copy";
- build-topology = "nix build --override-input topologyPrivate ${self}/files/topology/private .#topology.x86_64-linux.config.output";
+ build-topology = "nix build --override-input topologyPrivate ${self}/files/topology/private ${flakePath}#topology.${arch}.config.output";
+ build-topology-dev = "nix build --show-trace --override-input nix-topology ${homeDir}/Documents/Private/nix-topology --override-input topologyPrivate ${self}/files/topology/private ${flakePath}#topology.${arch}.config.output";
 build-iso = "nix build --print-out-paths .#live-iso";
 nix-review-local = "nix run nixpkgs#nixpkgs-review -- rev HEAD";
 nix-review-post = "nix run nixpkgs#nixpkgs-review -- pr --post-result --systems linux";
diff --git a/modules/nixos/client/nautilus.nix b/modules/nixos/client/nautilus.nix
new file mode 100644
index 0000000..7ad593a
--- /dev/null
+++ b/modules/nixos/client/nautilus.nix
@@ -0,0 +1,10 @@
+{ lib, config, ... }:
+{
+ options.swarselmodules.nautilus = lib.mkEnableOption "nautilus config";
+ config = lib.mkIf config.swarselmodules.nautilus {
+ programs.nautilus-open-any-terminal = {
+ enable = true;
+ terminal = "kitty";
+ };
+ };
+}
diff --git a/modules/nixos/optional/microvm-guest.nix b/modules/nixos/optional/microvm-guest.nix
index 73e0794..1d0ce8f 100644
--- a/modules/nixos/optional/microvm-guest.nix
+++ b/modules/nixos/optional/microvm-guest.nix
@@ -1,4 +1,4 @@
-{ self, lib, config, inputs, microVMParent, nodes, globals, confLib, ... }:
+{ self, config, inputs, ... }:
 {
 imports = [
 inputs.disko.nixosModules.disko
@@ -15,6 +15,7 @@
 inputs.stylix.nixosModules.stylix
 inputs.swarsel-nix.nixosModules.default
 inputs.nixos-nftables-firewall.nixosModules.default
+ inputs.pia.nixosModules.default
 (inputs.nixos-extra-modules + "/modules/interface-naming.nix")
diff --git a/modules/nixos/server/adguardhome.nix b/modules/nixos/server/adguardhome.nix
index cca7f31..3f0acc2 100644
--- a/modules/nixos/server/adguardhome.nix
+++ b/modules/nixos/server/adguardhome.nix
@@ -70,7 +70,7 @@ in
 homeDomains) ++ [
 {
 domain = "smb.${globals.domains.main}";
- answer = globals.networks.home-lan.vlans.services.hosts.storage.ipv4;
+ answer = globals.networks.home-lan.vlans.services.hosts.summers-storage.ipv4;
 enabled = true;
 }
 ];
diff --git a/modules/nixos/server/bastion.nix b/modules/nixos/server/bastion.nix
index 7503576..d1b31e9 100644
--- a/modules/nixos/server/bastion.nix
+++ b/modules/nixos/server/bastion.nix
@@ -1,14 +1,16 @@
-{ self, lib, config, withHomeManager, ... }:
+{ self, lib, config, withHomeManager, confLib, ... }:
 {
 options.swarselmodules.server.bastion = lib.mkEnableOption "enable bastion on server";
 config = lib.mkIf config.swarselmodules.server.bastion ({
 users = {
+ persistentIds.jump = confLib.mkIds 1001;
 groups = {
 jump = { };
 };
 users = {
- "jump" = {
+ jump = {
+ autoSubUidGidRange = false;
 isNormalUser = true;
 useDefaultShell = true;
 group = lib.mkForce "jump";
diff --git a/modules/nixos/server/kanidm.nix b/modules/nixos/server/kanidm.nix
index 6de8284..85bb5ff 100644
--- a/modules/nixos/server/kanidm.nix
+++ b/modules/nixos/server/kanidm.nix
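Review bot: `inputs.pia.nixosModules.default` is imported into every microVM guest by the second hunk of microvm-guest.nix, while only the transmission guest receives a `pia` secret in this commit. Importing a module is inert until its options are enabled, but it still places code from a mutable `custom` branch on every guest's evaluation path, so importing it from the transmission guest's own `default.nix` (or behind a guest-level toggle) would keep the per-guest module set minimal. If it stays here, a short comment such as `# VPN helper module; only active on guests that enable it` would explain why a shared base module carries it. The first hunk's removal of unused arguments is safe because the attrset pattern ends in `...`.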
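Review bot: The two new lines in bastion.nix, `persistentIds.jump = confLib.mkIds 1001;` and `autoSubUidGidRange = false;`, carry no explanation, and both encode security-relevant decisions for the jump user. Suggested comments: above the first, `# fixed uid/gid so ownership of persisted state matches across rebuilds` (assuming `mkIds` pins both ids to 1001, which is not visible here), and on the second, `# jump user needs no subuid/subgid range; it never runs rootless containers or user namespaces`. The `jump` user definition continues beyond the hunk.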
@@ -93,58 +93,65 @@ in }; }; - systemd.services."generateSSLCert-${serviceName}" = - let - daysValid = 3650; - renewBeforeDays = 365; - in - { - before = [ "${serviceName}.service" ]; - requiredBy = [ "${serviceName}.service" ]; - after = [ "local-fs.target" ]; - requires = [ "local-fs.target" ]; + systemd.services = { + "generateSSLCert-${serviceName}" = + let + daysValid = 3650; + renewBeforeDays = 365; + in + { + before = [ "${serviceName}.service" ]; + requiredBy = [ "${serviceName}.service" ]; + after = [ "local-fs.target" ]; + requires = [ "local-fs.target" ]; - serviceConfig = { - Type = "oneshot"; - }; + serviceConfig = { + Type = "oneshot"; + }; - script = '' - set -eu + script = '' + set -eu - ${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir} - ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${certsDir}" else ""} - ${pkgs.coreutils}/bin/install -d -m 0750 ${privateDir} - ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0750 /persist${privateDir}" else ""} + ${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir} + ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0755 /persist${certsDir}" else ""} + ${pkgs.coreutils}/bin/install -d -m 0750 ${privateDir} + ${if config.swarselsystems.isImpermanence then "${pkgs.coreutils}/bin/install -d -m 0750 /persist${privateDir}" else ""} - need_gen=0 - if [ ! -f "${certPath}" ] || [ ! -f "${keyPath}" ]; then - need_gen=1 - else - enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPath}" | cut -d= -f2)" - end_epoch="$(${pkgs.coreutils}/bin/date -d "$enddate" +%s)" - now_epoch="$(${pkgs.coreutils}/bin/date +%s)" - seconds_left=$(( end_epoch - now_epoch )) - days_left=$(( seconds_left / 86400 )) - if [ "$days_left" -lt ${toString renewBeforeDays} ]; then + need_gen=0 + if [ ! -f "${certPath}" ] || [ ! 
-f "${keyPath}" ]; then need_gen=1 else - echo 'Certificate exists and is still valid' + enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPath}" | cut -d= -f2)" + end_epoch="$(${pkgs.coreutils}/bin/date -d "$enddate" +%s)" + now_epoch="$(${pkgs.coreutils}/bin/date +%s)" + seconds_left=$(( end_epoch - now_epoch )) + days_left=$(( seconds_left / 86400 )) + if [ "$days_left" -lt ${toString renewBeforeDays} ]; then + need_gen=1 + else + echo 'Certificate exists and is still valid' + fi fi - fi - if [ "$need_gen" -eq 1 ]; then - ${pkgs.openssl}/bin/openssl req -x509 -nodes -days ${toString daysValid} -newkey rsa:4096 -sha256 \ - -keyout "${keyPath}" \ - -out "${certPath}" \ - -subj "/CN=${serviceDomain}" \ - -addext "subjectAltName=DNS:${serviceDomain}" + if [ "$need_gen" -eq 1 ]; then + ${pkgs.openssl}/bin/openssl req -x509 -nodes -days ${toString daysValid} -newkey rsa:4096 -sha256 \ + -keyout "${keyPath}" \ + -out "${certPath}" \ + -subj "/CN=${serviceDomain}" \ + -addext "subjectAltName=DNS:${serviceDomain}" - chmod 0644 "${certPath}" - chmod 0600 "${keyPath}" - chown ${serviceUser}:${serviceGroup} "${certPath}" "${keyPath}" - fi - ''; + chmod 0644 "${certPath}" + chmod 0600 "${keyPath}" + chown ${serviceUser}:${serviceGroup} "${certPath}" "${keyPath}" + fi + ''; + }; + kanidm = { + environment.KANIDM_TRUST_X_FORWARD_FOR = "true"; + serviceConfig.RestartSec = "30"; }; + }; + # system.activationScripts."createPersistentStorageDirs" = lib.mkIf config.swarselsystems.isImpermanence { @@ -208,7 +215,7 @@ in # tls_key = config.sops.secrets.kanidm-self-signed-key.path; tls_key = keyPathBase; bindaddress = "0.0.0.0:${toString servicePort}"; - trust_x_forward_for = true; + # trust_x_forward_for = true; }; enableClient = true; clientSettings = { @@ -405,7 +412,6 @@ in }; }; - systemd.services.${serviceName}.serviceConfig.RestartSec = "30"; nodes = let 
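Review bot: `environment.KANIDM_TRUST_X_FORWARD_FOR = "true"` in the first hunk replaces the server setting commented out in the second, and with the server still bound to `bindaddress = "0.0.0.0:${toString servicePort}"` (second hunk's context), any client that reaches that port directly instead of through nginx can present its own `X-Forwarded-For` and spoof the source address kanidm logs and rate-limits on. Either bind to the proxy-facing address or loopback, or confirm the firewall admits only the proxy to that port; if the packaged kanidm supports listing trusted proxy addresses in the server config (`http_client_address_info`), that is tighter than the blanket env var. A comment beside the env var, `# trusts X-Forwarded-For: only safe while this port is reachable solely via the reverse proxy`, would document the assumption, and the dead `# trust_x_forward_for = true;` line should be deleted rather than kept. Both the certificate script and the server settings block extend beyond the hunks.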
diff --git a/modules/nixos/server/koillection.nix b/modules/nixos/server/koillection.nix
index 0149036..cae571b 100644
--- a/modules/nixos/server/koillection.nix
+++ b/modules/nixos/server/koillection.nix
@@ -1,6 +1,6 @@
 { self, lib, config, globals, dns, confLib, ... }:
 let
- inherit (confLib.gen { name = "koillection"; port = 2282; dir = "/var/lib/koillection"; }) servicePort serviceName serviceUser serviceDir serviceDomain serviceAddress proxyAddress4 proxyAddress6;
+ inherit (confLib.gen { name = "koillection"; port = 2282; dir = "/var/lib/koillection"; }) servicePort serviceName serviceUser serviceDir serviceDomain serviceAddress proxyAddress4 proxyAddress6 topologyContainerName;
 inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
 serviceDB = "koillection";
@@ -24,7 +24,7 @@ in
 koillection-env-file = { inherit sopsFile; };
 };
- topology.self.services.${serviceName} = {
+ topology.nodes.${topologyContainerName}.services.${serviceName} = {
 name = lib.swarselsystems.toCapitalized serviceName;
 info = "https://${serviceDomain}";
 icon = "${self}/files/topology-images/${serviceName}.png";
diff --git a/modules/nixos/server/mailserver.nix b/modules/nixos/server/mailserver.nix
index df187e3..38996ea 100644
--- a/modules/nixos/server/mailserver.nix
+++ b/modules/nixos/server/mailserver.nix
@@ -16,6 +16,15 @@ in
 };
 config = lib.mkIf config.swarselmodules.server.${serviceName} {
+ users = {
+ persistentIds = {
+ knot-resolver = confLib.mkIds 963;
+ postfix-tlspol = confLib.mkIds 962;
+ roundcube = confLib.mkIds 961;
+ redis-rspamd = confLib.mkIds 960;
+ };
+ };
+
 globals.services = {
 ${serviceName} = {
 domain = serviceDomain;
@@ -65,11 +74,12 @@ in domains = [ baseDomain ]; indexDir = "${serviceDir}/indices"; openFirewall = true; - certificateScheme = "acme"; + # certificateScheme = "acme"; dmarcReporting.enable = true; enableSubmission = true; enableSubmissionSsl = true; enableImapSsl = true; + x509.useACMEHost = globals.domains.main; loginAccounts = { "${user1}@${baseDomain}" = { diff --git a/modules/nixos/server/matrix.nix b/modules/nixos/server/matrix.nix index 908cd8e..f65c143 100644 --- a/modules/nixos/server/matrix.nix +++ b/modules/nixos/server/matrix.nix @@ -1,4 +1,4 @@ -{ self, lib, config, pkgs, globals, dns, confLib, ... }: +{ lib, config, pkgs, globals, dns, confLib, ... }: let inherit (config.swarselsystems) sopsFile; inherit (confLib.gen { name = "matrix"; user = "matrix-synapse"; port = 8008; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6; @@ -63,14 +63,6 @@ in # networking.firewall.allowedTCPPorts = [ servicePort federationPort ]; - topology.self.services = lib.listToAttrs (map - (service: - lib.nameValuePair "mautrix-${service}" { - name = "mautrix-${service}"; - icon = "${self}/files/topology-images/mautrix.png"; - }) - [ "whatsapp" "signal" "telegram" ]); - systemd = { timers."restart-bridges" = { wantedBy = [ "timers.target" ]; diff --git a/modules/nixos/server/microbin.nix b/modules/nixos/server/microbin.nix index ecd9550..d962877 100644 --- a/modules/nixos/server/microbin.nix +++ b/modules/nixos/server/microbin.nix @@ -12,6 +12,7 @@ in config = lib.mkIf config.swarselmodules.server.${serviceName} { users = { + persistentIds.${serviceName} = confLib.mkIds 964; groups.${serviceGroup} = { }; users.${serviceUser} = { diff --git a/modules/nixos/server/mpd.nix b/modules/nixos/server/mpd.nix index 8339d46..119a019 100644 --- a/modules/nixos/server/mpd.nix +++ b/modules/nixos/server/mpd.nix 
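Review bot: `x509.useACMEHost = globals.domains.main;` moves the mail stack from its own ACME certificate to the shared main-domain certificate, so IMAP/SMTP clients will only validate if that certificate's SANs cover the hostname the mail server advertises; the hunk cannot show that, so the ACME host's `extraDomainNames` should be checked before deploying, and a comment such as `# reuse the main-domain ACME cert; its SANs must include the mail fqdn` on the new line would record the dependency. The commented-out `certificateScheme = "acme";` above it should be removed rather than kept as dead code. The enclosing `mailserver` attribute set starts before the hunk.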
@@ -1,4 +1,4 @@ -{ self, lib, config, pkgs, confLib, ... }: +{ lib, config, pkgs, confLib, ... }: let inherit (config.swarselsystems) sopsFile; inherit (confLib.gen { name = "mpd"; port = 3254; }) servicePort serviceName serviceUser serviceGroup; @@ -30,10 +30,10 @@ in mpv ]; - topology.self.services.${serviceName} = { - info = "http://localhost:${builtins.toString servicePort}"; - icon = lib.mkForce "${self}/files/topology-images/mpd.png"; - }; + # topology.self.services.${serviceName} = { + # info = "http://localhost:${builtins.toString servicePort}"; + # icon = lib.mkForce "${self}/files/topology-images/mpd.png"; + # }; environment.persistence."/state" = lib.mkIf config.swarselsystems.isMicroVM { directories = [{ directory = "/var/lib/${serviceName}"; user = "mpd"; group = "mpd"; }]; diff --git a/modules/nixos/server/shlink.nix b/modules/nixos/server/shlink.nix index 59d9231..fb552a3 100644 --- a/modules/nixos/server/shlink.nix +++ b/modules/nixos/server/shlink.nix @@ -1,6 +1,6 @@ { self, lib, config, dns, globals, confLib, ... }: let - inherit (confLib.gen { name = "shlink"; port = 8081; dir = "/var/lib/shlink"; }) servicePort serviceName serviceDomain serviceDir serviceAddress proxyAddress4 proxyAddress6; + inherit (confLib.gen { name = "shlink"; port = 8081; dir = "/var/lib/shlink"; }) servicePort serviceName serviceDomain serviceDir serviceAddress proxyAddress4 proxyAddress6 topologyContainerName; inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules; containerRev = "sha256:1a697baca56ab8821783e0ce53eb4fb22e51bb66749ec50581adc0cb6d031d7a"; 
@@ -31,6 +31,12 @@ in }; }; + topology.nodes.${topologyContainerName}.services.${serviceName} = { + name = lib.swarselsystems.toCapitalized serviceName; + info = "https://${serviceDomain}"; + icon = "${self}/files/topology-images/${serviceName}.png"; + }; + virtualisation.oci-containers.containers.${serviceName} = { image = "shlinkio/shlink@${containerRev}"; environment = { @@ -77,12 +83,6 @@ in { directory = "/var/lib/containers"; } ]; - topology.self.services.${serviceName} = { - name = lib.swarselsystems.toCapitalized serviceName; - info = "https://${serviceDomain}"; - icon = "${self}/files/topology-images/${serviceName}.png"; - }; - globals = { networks = { ${webProxyIf}.hosts = lib.mkIf isProxied { diff --git a/modules/nixos/server/slink.nix b/modules/nixos/server/slink.nix index 8f0309f..ae1ce6d 100644 --- a/modules/nixos/server/slink.nix +++ b/modules/nixos/server/slink.nix @@ -1,6 +1,6 @@ { lib, config, dns, globals, confLib, ... }: let - inherit (confLib.gen { name = "slink"; port = 3000; dir = "/var/lib/slink"; }) servicePort serviceName serviceDomain serviceDir serviceAddress proxyAddress4 proxyAddress6; + inherit (confLib.gen { name = "slink"; port = 3000; dir = "/var/lib/slink"; }) servicePort serviceName serviceDomain serviceDir serviceAddress proxyAddress4 proxyAddress6 topologyContainerName; inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules; containerRev = "sha256:98b9442696f0a8cbc92f0447f54fa4bad227af5dcfd6680545fedab2ed28ddd9"; @@ -15,6 +15,12 @@ in podman = true; }; + topology.nodes.${topologyContainerName}.services.${serviceName} = { + name = lib.swarselsystems.toCapitalized serviceName; + info = "https://${serviceDomain}"; + icon = "services.not-available"; + }; + virtualisation.oci-containers.containers.${serviceName} = { image = "anirdev/slink@${containerRev}"; environment = { 
@@ -54,12 +60,6 @@ in { directory = serviceDir; } ]; - topology.self.services.${serviceName} = { - name = lib.swarselsystems.toCapitalized serviceName; - info = "https://${serviceDomain}"; - icon = "services.not-available"; - }; - globals = { networks = { ${webProxyIf}.hosts = lib.mkIf isProxied { diff --git a/modules/nixos/server/ssh-builder.nix b/modules/nixos/server/ssh-builder.nix index f36be9a..1118bd6 100644 --- a/modules/nixos/server/ssh-builder.nix +++ b/modules/nixos/server/ssh-builder.nix @@ -1,4 +1,4 @@ -{ self, pkgs, lib, config, ... }: +{ self, pkgs, lib, config, confLib, ... }: let ssh-restrict = "restrict,pty,command=\"${wrapper-dispatch-ssh-nix}/bin/wrapper-dispatch-ssh-nix\" "; @@ -20,6 +20,7 @@ in options.swarselmodules.server.ssh-builder = lib.mkEnableOption "enable ssh-builder config on server"; config = lib.mkIf config.swarselmodules.server.ssh-builder { users = { + persistentIds.builder = confLib.mkIds 965; groups.builder = { }; users.builder = { useDefaultShell = true; diff --git a/modules/nixos/server/transmission.nix b/modules/nixos/server/transmission.nix index d737e38..34d3a2e 100644 --- a/modules/nixos/server/transmission.nix +++ b/modules/nixos/server/transmission.nix @@ -2,6 +2,7 @@ let inherit (confLib.gen { name = "transmission"; port = 9091; }) serviceName servicePort serviceDomain; inherit (confLib.static) isHome homeServiceAddress homeWebProxy nginxAccessRules; + inherit (config.swarselsystems) sopsFile; lidarrUser = "lidarr"; lidarrGroup = lidarrUser; @@ -23,6 +24,10 @@ in options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} and friends on server"; config = lib.mkIf config.swarselmodules.server.${serviceName} { + sops.secrets = { + pia = { inherit sopsFile; }; + }; + # this user/group section is probably unneeded users = { persistentIds = { 
@@ -107,6 +112,17 @@ in }; services = { + pia = { + enable = true; + credentials.credentialsFile = config.sops.secrets.pia.path; + protocol = "wireguard"; + autoConnect = { + enable = true; + region = "sweden"; + }; + portForwarding.enable = true; + dns.enable = true; + }; radarr = { enable = true; user = radarrUser; diff --git a/modules/shared/config-lib.nix b/modules/shared/config-lib.nix index bf21184..106d3f2 100644 --- a/modules/shared/config-lib.nix +++ b/modules/shared/config-lib.nix @@ -33,6 +33,8 @@ in serviceDir = dir; serviceAddress = address; serviceProxy = proxy; + serviceNode = config.node.name; + topologyContainerName = "${serviceNode}-${config.virtualisation.oci-containers.backend}-${name}"; proxyAddress4 = globals.hosts.${proxy}.wanAddress4 or null; proxyAddress6 = globals.hosts.${proxy}.wanAddress6 or null; }; diff --git a/nix/hosts.nix b/nix/hosts.nix index 31f7406..f1770a7 100644 --- a/nix/hosts.nix +++ b/nix/hosts.nix @@ -33,6 +33,7 @@ inputs.stylix.nixosModules.stylix inputs.swarsel-nix.nixosModules.default inputs.nixos-nftables-firewall.nixosModules.default + inputs.pia.nixosModules.default (inputs.nixos-extra-modules + "/modules/guests") (inputs.nixos-extra-modules + "/modules/interface-naming.nix") "${self}/hosts/nixos/${arch}/${configName}" diff --git a/nix/topology.nix b/nix/topology.nix index 7e80e3d..85dbcd7 100644 --- a/nix/topology.nix +++ b/nix/topology.nix @@ -157,7 +157,7 @@ }; }; - switch-bedroom = mkDevice "Switch Bedroom" { + switch-bedroom = mkSwitch "Switch Bedroom" { info = "Cisco SG 200-08"; image = "${self}/files/topology-images/Cisco_SG_200-08.png"; interfaceGroups = [ diff --git a/profiles/home/dgxspark/default.nix b/profiles/home/dgxspark/default.nix index 81c41e0..c4d63bb 100644 --- a/profiles/home/dgxspark/default.nix +++ b/profiles/home/dgxspark/default.nix 
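Review bot: `credentials.credentialsFile = config.sops.secrets.pia.path;` points at a sops secret declared in the earlier hunk with no `owner` or `mode`, so it is created with sops-nix's root-only defaults; that only works if the pia service runs as root, otherwise the credential read fails at start, so either set `owner` on the secret or pass the file through a systemd credential, depending on how the module runs its unit. Separately, nothing in the hunk ties transmission or the *arr services that follow to the tunnel interface, so if the WireGuard tunnel drops their traffic may fall back to the regular uplink; if the pia module offers a kill-switch or an interface to bind to, it is worth enabling here and noting with a one-line comment. The enclosing `services` attribute set continues outside the hunk.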
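Review bot: `topologyContainerName` interpolates `serviceNode`, which is defined in the same attribute set one line above; unless that set is `rec` (its opening brace is outside the hunk) or `serviceNode` is also bound in an enclosing `let`, this is an undefined-variable error at evaluation time. The robust form references the source directly, `topologyContainerName = "${config.node.name}-${config.virtualisation.oci-containers.backend}-${name}";`, which works regardless of how the set is declared. The name also embeds the oci-containers backend, so it is only meaningful for services that actually run as OCI containers; a short comment, `# <node>-<backend>-<name>; only valid for oci-containers services`, would make that explicit. koillection.nix adopts the value in this commit as well, and the hunk there does not show whether that service is containerised, so it is worth confirming.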
@@ -3,62 +3,25 @@ options.swarselprofiles.dgxspark = lib.mkEnableOption "is this a dgx spark host"; config = lib.mkIf config.swarselprofiles.dgxspark { swarselmodules = { - anki = lib.mkDefault false; - anki-tray = lib.mkDefault false; atuin = lib.mkDefault true; - autotiling = lib.mkDefault false; - batsignal = lib.mkDefault false; bash = lib.mkDefault true; blueman-applet = lib.mkDefault true; - desktop = lib.mkDefault false; direnv = lib.mkDefault true; - element-desktop = lib.mkDefault false; - element-tray = lib.mkDefault false; - emacs = lib.mkDefault false; - env = lib.mkDefault false; eza = lib.mkDefault true; firefox = lib.mkDefault true; fuzzel = lib.mkDefault true; - gammastep = lib.mkDefault false; general = lib.mkDefault true; git = lib.mkDefault true; - gnome-keyring = lib.mkDefault false; gpgagent = lib.mkDefault true; - hexchat = lib.mkDefault false; - kanshi = lib.mkDefault false; - kdeconnect = lib.mkDefault false; kitty = lib.mkDefault true; - mail = lib.mkDefault false; - mako = lib.mkDefault false; nix-index = lib.mkDefault true; nixgl = lib.mkDefault true; nix-your-shell = lib.mkDefault true; nm-applet = lib.mkDefault true; - obs-studio = lib.mkDefault false; - obsidian = lib.mkDefault false; - obsidian-tray = lib.mkDefault false; - ownpackages = lib.mkDefault false; - packages = lib.mkDefault false; - passwordstore = lib.mkDefault false; - programs = lib.mkDefault false; sops = lib.mkDefault true; - spicetify = lib.mkDefault false; - spotify-player = lib.mkDefault false; - ssh = lib.mkDefault false; starship = lib.mkDefault true; stylix = lib.mkDefault true; - sway = lib.mkDefault false; - swayidle = lib.mkDefault false; - swaylock = lib.mkDefault false; - swayosd = lib.mkDefault false; - symlink = lib.mkDefault false; tmux = lib.mkDefault true; - vesktop = lib.mkDefault false; - vesktop-tray = lib.mkDefault false; - syncthing-tray = lib.mkDefault false; - waybar = lib.mkDefault false; - yubikey = lib.mkDefault false; - yubikeytouch = 
lib.mkDefault false; zellij = lib.mkDefault true; zsh = lib.mkDefault true; }; diff --git a/profiles/nixos/personal/default.nix b/profiles/nixos/personal/default.nix index e27e8dc..04858c0 100644 --- a/profiles/nixos/personal/default.nix +++ b/profiles/nixos/personal/default.nix @@ -25,6 +25,7 @@ lid = lib.mkDefault true; login = lib.mkDefault true; lowBattery = lib.mkDefault false; + nautilus = lib.mkDefault true; network = lib.mkDefault true; networkDevices = lib.mkDefault true; nftables = lib.mkDefault true;