feat: Add automatic formatting for .nix files

Swarsel 2024-07-19 00:45:48 +02:00
parent 9dc9a1fe1b
commit 72d321f478
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
46 changed files with 3204 additions and 3164 deletions


@ -14,7 +14,9 @@ jobs:
- name: Install Nix - name: Install Nix
uses: DeterminateSystems/nix-installer-action@v3 uses: DeterminateSystems/nix-installer-action@v3
- uses: DeterminateSystems/magic-nix-cache-action@main - uses: DeterminateSystems/magic-nix-cache-action@main
- name: Check for dead code - name: Check for dead code in .nix files
run: git ls-files '*.nix' | nix run nixpkgs#deadnix run: git ls-files '*.nix' | nix run nixpkgs#deadnix
- name: Check for lints - name: Check for lints in .nix files
run: nix run nixpkgs#statix -- check run: nix run nixpkgs#statix -- check
- name: Check formatting in .nix files
run: git ls-files '*.nix' | xargs nix run nixpkgs#alejandra -- --check
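Review bot: The new formatting step runs `nix run nixpkgs#alejandra`, which resolves `nixpkgs` through the runner's flake registry rather than through this repository's own inputs, so CI executes whichever alejandra revision is current that day and can disagree with the formatter installed locally. Resolving the tool through the repository's inputs (assuming a flake.lock is committed) pins it: `run: nix run --inputs-from . nixpkgs#alejandra -- --check .`. That form also drops the `git ls-files | xargs` pipe, which would split any path containing whitespace. The deadnix and statix steps use the same registry lookup, and `magic-nix-cache-action@main` in the context lines tracks a moving branch; this commit changes neither, but both are worth pinning in a follow-up.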


@ -5131,6 +5131,11 @@ Programming languages and default lsp's are defined here: [[#h:0e7e8bea-ec58-499
nmap nmap
lsof lsof
# nix
alejandra
deadnix
statix
# local file sharing # local file sharing
wormhole-rs wormhole-rs
@ -7524,41 +7529,37 @@ Used in: [[#h:bbcfa895-4d46-4b1d-b84e-f634e982c46e][Centered org-mode Buffers]]
#+end_src #+end_src
**** org-mode: Auto-tangle and export Configuration Files **** org-mode: Upon-save actions (Auto-tangle, export to html, formatting)
:PROPERTIES: :PROPERTIES:
:CUSTOM_ID: h:59d4306e-9b73-4b2c-b039-6a6518c357fc :CUSTOM_ID: h:59d4306e-9b73-4b2c-b039-6a6518c357fc
:END: :END:
This section automatically tangles all configuration blocks in this file to the defined Emacs org-file. It also exports the configuration file as html. This section handles everything that shoudld happen when I save =SwarselSystems.org=. It:
1) automatically tangles all configuration blocks in this file
2) exports the configuration file as html for an easier reading experience with working links and index
3) formats the generated =.nix= files in accordance to the =Alejandra=-style.
We set a hook that runs everytime we save the file. It would be a bit more efficient to only export and format when we enter a magit window for instance (since especially the html export takes times), however, since I cannot be sure to only ever commit from magit (I do indeed sometimes use git from the command line), I prefer this approach.
#+begin_src emacs-lisp #+begin_src emacs-lisp
(defun run-alejandra ()
(interactive)
(let ((default-directory (expand-file-name "~/.dotfiles")))
(shell-command "alejandra . -q")))
(defun swarsel/org-babel-tangle-config () (defun swarsel/org-babel-tangle-config ()
(when (string-equal (buffer-file-name) (when (string-equal (buffer-file-name)
swarsel-swarsel-org-filepath) swarsel-swarsel-org-filepath)
;; Dynamic scoping to the rescue ;; Dynamic scoping to the rescue
(let ((org-confirm-babel-evaluate nil)) (let ((org-confirm-babel-evaluate nil))
(org-html-export-to-html) (org-html-export-to-html)
(org-babel-tangle))) (org-babel-tangle)
(when (string-equal (buffer-file-name) (run-alejandra))))
swarsel-emacs-org-filepath)
;; Dynamic scoping to the rescue
(let ((org-confirm-babel-evaluate nil))
(org-html-export-to-html)
(org-babel-tangle)))
(when (string-equal (buffer-file-name)
swarsel-nix-org-filepath)
;; Dynamic scoping to the rescue
(let ((org-confirm-babel-evaluate nil))
(org-babel-tangle))))
(setq org-html-htmlize-output-type nil)
(add-hook 'org-mode-hook (lambda () (add-hook 'after-save-hook #'swarsel/org-babel-tangle-config)))
(setq org-html-htmlize-output-type nil)
(add-hook 'org-mode-hook (lambda () (add-hook 'after-save-hook #'swarsel/org-babel-tangle-config)))
#+end_src #+end_src
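Review bot: `run-alejandra` hard-codes `~/.dotfiles` as its working directory while the save hook is gated on `swarsel-swarsel-org-filepath`, so if that variable ever points outside `~/.dotfiles`, each save formats a different tree than the one just tangled. Deriving the directory from the guarded path keeps the two in step: `(let ((default-directory (file-name-directory swarsel-swarsel-org-filepath)))`. `alejandra . -q` rewrites every `.nix` file under that directory in place, not only the tangled ones, and the exit status returned by `shell-command` is discarded, so a failed or partial format goes unnoticed; checking the return value and reporting a non-zero result with `message` would surface it. The function also has no docstring; `"Format all .nix files in the dotfiles checkout in place with alejandra."` would state the side effect for anyone calling it interactively.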

336
flake.nix

@ -2,76 +2,73 @@
description = "SwarseFlake - Nix Flake for all SwarselSystems"; description = "SwarseFlake - Nix Flake for all SwarselSystems";
inputs = { inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-24.05"; nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-24.05";
# user-level configuration # user-level configuration
home-manager = { home-manager = {
url = "github:nix-community/home-manager"; url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
# overlay to access bleeding edge emacs # overlay to access bleeding edge emacs
emacs-overlay = { emacs-overlay = {
url = "github:nix-community/emacs-overlay"; url = "github:nix-community/emacs-overlay";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
# nix user repository # nix user repository
# i use this mainly to not have to build all firefox extensions # i use this mainly to not have to build all firefox extensions
# myself as well as for the emacs-init package (tbd) # myself as well as for the emacs-init package (tbd)
nur.url = "github:nix-community/NUR"; nur.url = "github:nix-community/NUR";
# provides GL to non-NixOS hosts # provides GL to non-NixOS hosts
nixgl.url = "github:guibou/nixGL"; nixgl.url = "github:guibou/nixGL";
# manages all theming using Home-Manager # manages all theming using Home-Manager
stylix.url = "github:danth/stylix"; stylix.url = "github:danth/stylix";
# nix secrets management # nix secrets management
sops-nix.url = "github:Mic92/sops-nix"; sops-nix.url = "github:Mic92/sops-nix";
# enable secure boot on NixOS # enable secure boot on NixOS
lanzaboote.url = "github:nix-community/lanzaboote"; lanzaboote.url = "github:nix-community/lanzaboote";
# nix for android # nix for android
nix-on-droid = { nix-on-droid = {
url = "github:t184256/nix-on-droid/release-23.05"; url = "github:t184256/nix-on-droid/release-23.05";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
# generate NixOS images # generate NixOS images
nixos-generators = { nixos-generators = {
url = "github:nix-community/nixos-generators"; url = "github:nix-community/nixos-generators";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
# patches for gaming on nix # patches for gaming on nix
nix-gaming = { nix-gaming = {
url = "github:fufexan/nix-gaming"; url = "github:fufexan/nix-gaming";
}; };
# hardware quirks on nix # hardware quirks on nix
nixos-hardware = { nixos-hardware = {
url = "github:NixOS/nixos-hardware/master"; url = "github:NixOS/nixos-hardware/master";
}; };
# dynamic library loading # dynamic library loading
nix-alien = { nix-alien = {
url = "github:thiagokokada/nix-alien"; url = "github:thiagokokada/nix-alien";
}; };
# automatic nintendo switch payload injection # automatic nintendo switch payload injection
nswitch-rcm-nix = { nswitch-rcm-nix = {
url = "github:Swarsel/nswitch-rcm-nix"; url = "github:Swarsel/nswitch-rcm-nix";
}; };
}; };
outputs = inputs@{ outputs = inputs @ {
nixpkgs, nixpkgs,
nixpkgs-stable, nixpkgs-stable,
home-manager, home-manager,
@ -85,49 +82,54 @@
nixos-hardware, nixos-hardware,
nix-alien, nix-alien,
nswitch-rcm-nix, nswitch-rcm-nix,
... ...
}: let }: let
system = "x86_64-linux"; # not very portable, but I do not use other architectures at the moment system = "x86_64-linux"; # not very portable, but I do not use other architectures at the moment
pkgs = import nixpkgs { inherit system; pkgs = import nixpkgs {
overlays = [ emacs-overlay.overlay inherit system;
nur.overlay overlays = [
nixgl.overlay emacs-overlay.overlay
(final: _prev: { nur.overlay
stable = import nixpkgs-stable { nixgl.overlay
inherit (final) system config; (final: _prev: {
}; stable = import nixpkgs-stable {
}) inherit (final) system config;
]; };
config.allowUnfree = true; })
}; ];
config.allowUnfree = true;
# NixOS modules that can only be used on NixOS systems };
nixModules = [ stylix.nixosModules.stylix
sops-nix.nixosModules.sops
nswitch-rcm-nix.nixosModules.nswitch-rcm
./profiles/common/nixos.nix
# dynamic library loading
({ self, system, ... }: {
environment.systemPackages = with self.inputs.nix-alien.packages.${system}; [
nix-alien
];
# needed for `nix-alien-ld`
programs.nix-ld.enable = true;
})
];
# Home-Manager modules wanted on non-NixOS systems
homeModules = [ stylix.homeManagerModules.stylix
];
# Home-Manager modules wanted on both NixOS and non-NixOS systems
mixedModules = [ sops-nix.homeManagerModules.sops
./profiles/common/home.nix
];
in {
# NixOS modules that can only be used on NixOS systems
nixModules = [
stylix.nixosModules.stylix
sops-nix.nixosModules.sops
nswitch-rcm-nix.nixosModules.nswitch-rcm
./profiles/common/nixos.nix
# dynamic library loading
({
self,
system,
...
}: {
environment.systemPackages = with self.inputs.nix-alien.packages.${system}; [
nix-alien
];
# needed for `nix-alien-ld`
programs.nix-ld.enable = true;
})
];
# Home-Manager modules wanted on non-NixOS systems
homeModules = [
stylix.homeManagerModules.stylix
];
# Home-Manager modules wanted on both NixOS and non-NixOS systems
mixedModules = [
sops-nix.homeManagerModules.sops
./profiles/common/home.nix
];
in {
# NixOS setups - run home-manager as a NixOS module for better compatibility # NixOS setups - run home-manager as a NixOS module for better compatibility
# another benefit - full rebuild on nixos-rebuild switch # another benefit - full rebuild on nixos-rebuild switch
# run rebuild using `nswitch` # run rebuild using `nswitch`
@ -136,130 +138,153 @@
# Make sure to move hardware-configuration to the appropriate location, by default it is found in /etc/nixos/. # Make sure to move hardware-configuration to the appropriate location, by default it is found in /etc/nixos/.
nixosConfigurations = { nixosConfigurations = {
onett = nixpkgs.lib.nixosSystem { onett = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs pkgs; }; specialArgs = {inherit inputs pkgs;};
modules = nixModules ++ [ modules =
./profiles/onett/nixos.nix nixModules
home-manager.nixosModules.home-manager ++ [
{ ./profiles/onett/nixos.nix
home-manager.users.swarsel.imports = mixedModules ++ [ home-manager.nixosModules.home-manager
./profiles/onett/home.nix {
]; home-manager.users.swarsel.imports =
} mixedModules
]; ++ [
./profiles/onett/home.nix
];
}
];
}; };
sandbox = nixpkgs.lib.nixosSystem { sandbox = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs pkgs; }; specialArgs = {inherit inputs pkgs;};
modules = [ modules = [
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
./profiles/sandbox/nixos.nix ./profiles/sandbox/nixos.nix
]; ];
}; };
twoson = nixpkgs.lib.nixosSystem { twoson = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs pkgs; }; specialArgs = {inherit inputs pkgs;};
modules = nixModules ++ [ modules =
./profiles/twoson/nixos.nix nixModules
home-manager.nixosModules.home-manager ++ [
{ ./profiles/twoson/nixos.nix
home-manager.users.swarsel.imports = mixedModules ++ [ home-manager.nixosModules.home-manager
./profiles/twoson/home.nix {
]; home-manager.users.swarsel.imports =
} mixedModules
]; ++ [
./profiles/twoson/home.nix
];
}
];
}; };
threed = nixpkgs.lib.nixosSystem { threed = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs pkgs; }; specialArgs = {inherit inputs pkgs;};
modules = nixModules ++ [ modules =
lanzaboote.nixosModules.lanzaboote nixModules
./profiles/threed/nixos.nix ++ [
home-manager.nixosModules.home-manager lanzaboote.nixosModules.lanzaboote
{ ./profiles/threed/nixos.nix
home-manager.users.swarsel.imports = mixedModules ++ [ home-manager.nixosModules.home-manager
./profiles/threed/home.nix {
]; home-manager.users.swarsel.imports =
} mixedModules
]; ++ [
./profiles/threed/home.nix
];
}
];
}; };
fourside = nixpkgs.lib.nixosSystem { fourside = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs pkgs; }; specialArgs = {inherit inputs pkgs;};
modules = nixModules ++ [ modules =
nixos-hardware.nixosModules.lenovo-thinkpad-p14s-amd-gen2 nixModules
./profiles/fourside/nixos.nix ++ [
home-manager.nixosModules.home-manager nixos-hardware.nixosModules.lenovo-thinkpad-p14s-amd-gen2
{ ./profiles/fourside/nixos.nix
home-manager.users.swarsel.imports = mixedModules ++ [ home-manager.nixosModules.home-manager
./profiles/fourside/home.nix {
]; home-manager.users.swarsel.imports =
} mixedModules
]; ++ [
./profiles/fourside/home.nix
];
}
];
}; };
winters = nixpkgs.lib.nixosSystem { winters = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs pkgs; }; specialArgs = {inherit inputs pkgs;};
modules = nixModules ++ [ modules =
nixos-hardware.nixosModules.framework-16-inch-7040-amd nixModules
./profiles/winters/nixos.nix ++ [
home-manager.nixosModules.home-manager nixos-hardware.nixosModules.framework-16-inch-7040-amd
{ ./profiles/winters/nixos.nix
home-manager.users.swarsel.imports = mixedModules ++ [ home-manager.nixosModules.home-manager
./profiles/winters/home.nix {
]; home-manager.users.swarsel.imports =
} mixedModules
]; ++ [
./profiles/winters/home.nix
];
}
];
}; };
stand = nixpkgs.lib.nixosSystem { stand = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs pkgs; }; specialArgs = {inherit inputs pkgs;};
modules = nixModules ++ [ modules =
./profiles/stand/nixos.nix nixModules
home-manager.nixosModules.home-manager ++ [
{ ./profiles/stand/nixos.nix
home-manager.users.homelen.imports = mixedModules ++ [ home-manager.nixosModules.home-manager
./profiles/stand/home.nix {
]; home-manager.users.homelen.imports =
} mixedModules
]; ++ [
./profiles/stand/home.nix
];
}
];
}; };
nginx = nixpkgs.lib.nixosSystem { nginx = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs pkgs; }; specialArgs = {inherit inputs pkgs;};
modules = [ modules = [
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
./profiles/server1/nginx/nixos.nix ./profiles/server1/nginx/nixos.nix
]; ];
}; };
calibre = nixpkgs.lib.nixosSystem { calibre = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs pkgs; }; specialArgs = {inherit inputs pkgs;};
modules = [ modules = [
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
./profiles/server1/calibre/nixos.nix ./profiles/server1/calibre/nixos.nix
]; ];
}; };
jellyfin = nixpkgs.lib.nixosSystem { jellyfin = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs pkgs; }; specialArgs = {inherit inputs pkgs;};
modules = [ modules = [
# sops-nix.nixosModules.sops # sops-nix.nixosModules.sops
./profiles/server1/jellyfin/nixos.nix ./profiles/server1/jellyfin/nixos.nix
]; ];
}; };
transmission = nixpkgs.lib.nixosSystem { transmission = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs pkgs; }; specialArgs = {inherit inputs pkgs;};
modules = [ modules = [
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
./profiles/server1/transmission/nixos.nix ./profiles/server1/transmission/nixos.nix
]; ];
}; };
matrix = nixpkgs.lib.nixosSystem { matrix = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs pkgs; }; specialArgs = {inherit inputs pkgs;};
# this is to import a service module that is not on nixpkgs # this is to import a service module that is not on nixpkgs
# this way avoids infinite recursion errors # this way avoids infinite recursion errors
modules = [ modules = [
@ -267,43 +292,43 @@
./profiles/server1/matrix/nixos.nix ./profiles/server1/matrix/nixos.nix
]; ];
}; };
sound = nixpkgs.lib.nixosSystem { sound = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs pkgs; }; specialArgs = {inherit inputs pkgs;};
modules = [ modules = [
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
./profiles/server1/sound/nixos.nix ./profiles/server1/sound/nixos.nix
]; ];
}; };
spotifyd = nixpkgs.lib.nixosSystem { spotifyd = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs pkgs; }; specialArgs = {inherit inputs pkgs;};
modules = [ modules = [
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
./profiles/server1/spotifyd/nixos.nix ./profiles/server1/spotifyd/nixos.nix
]; ];
}; };
paperless = nixpkgs.lib.nixosSystem { paperless = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs pkgs; }; specialArgs = {inherit inputs pkgs;};
modules = [ modules = [
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
./profiles/server1/paperless/nixos.nix ./profiles/server1/paperless/nixos.nix
]; ];
}; };
#ovm swarsel #ovm swarsel
sync = nixpkgs.lib.nixosSystem { sync = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs pkgs; }; specialArgs = {inherit inputs pkgs;};
modules = [ modules = [
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
./profiles/remote/oracle/sync/nixos.nix ./profiles/remote/oracle/sync/nixos.nix
]; ];
}; };
#ovm swarsel #ovm swarsel
swatrix = nixpkgs.lib.nixosSystem { swatrix = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs pkgs; }; specialArgs = {inherit inputs pkgs;};
modules = [ modules = [
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
./profiles/remote/oracle/matrix/nixos.nix ./profiles/remote/oracle/matrix/nixos.nix
@ -315,29 +340,26 @@
# run rebuild using `hmswitch` # run rebuild using `hmswitch`
homeConfigurations = { homeConfigurations = {
"leons@PCisLee" = home-manager.lib.homeManagerConfiguration { "leons@PCisLee" = home-manager.lib.homeManagerConfiguration {
inherit pkgs; inherit pkgs;
modules = homeModules ++ mixedModules ++ [ modules =
./profiles/surface/home.nix homeModules
]; ++ mixedModules
++ [
./profiles/surface/home.nix
];
}; };
}; };
nixOnDroidConfigurations = { nixOnDroidConfigurations = {
default = nix-on-droid.lib.nixOnDroidConfiguration { default = nix-on-droid.lib.nixOnDroidConfiguration {
modules = [ modules = [
./profiles/mysticant/configuration.nix ./profiles/mysticant/configuration.nix
]; ];
}; };
}; };
packages.x86_64-linux = { packages.x86_64-linux = {
}; };
}; };
} }


@ -3,7 +3,7 @@
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head> <head>
<!-- 2024-07-19 Fr 00:29 --> <!-- 2024-07-19 Fr 00:52 -->
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" /> <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" /> <meta name="viewport" content="width=device-width, initial-scale=1" />
<title>SwarselSystems: NixOS + Emacs Configuration</title> <title>SwarselSystems: NixOS + Emacs Configuration</title>
@ -387,7 +387,7 @@
</div> </div>
</div> </div>
<p> <p>
<b>This file has 40971 words spanning 10908 lines and was last revised on 2024-07-19 00:29:02 +0200.</b> <b>This file has 41033 words spanning 10909 lines and was last revised on 2024-07-19 00:52:31 +0200.</b>
</p> </p>
<p> <p>
@ -437,7 +437,7 @@ This section defines my Emacs configuration. For a while, I considered to use ry
</p> </p>
<p> <p>
My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2024-07-19 00:29:02 +0200) My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2024-07-19 00:52:31 +0200)
</p></li> </p></li>
</ul> </ul>
@ -6335,6 +6335,11 @@ Programming languages and default lsp's are defined here: <a href="#h:0e7e8bea-e
nmap nmap
lsof lsof
# nix
alejandra
deadnix
statix
# local file sharing # local file sharing
wormhole-rs wormhole-rs
@ -9194,40 +9199,40 @@ Used in: <a href="#h:bbcfa895-4d46-4b1d-b84e-f634e982c46e">Centered org-mode Buf
</div> </div>
</div> </div>
</li> </li>
<li><a id="h:59d4306e-9b73-4b2c-b039-6a6518c357fc"></a>org-mode: Auto-tangle and export Configuration Files<br /> <li><a id="h:59d4306e-9b73-4b2c-b039-6a6518c357fc"></a>org-mode: Upon-save actions (Auto-tangle, export to html, formatting)<br />
<div class="outline-text-5" id="text-h:59d4306e-9b73-4b2c-b039-6a6518c357fc"> <div class="outline-text-5" id="text-h:59d4306e-9b73-4b2c-b039-6a6518c357fc">
<p> <p>
This section automatically tangles all configuration blocks in this file to the defined Emacs org-file. It also exports the configuration file as html. This section handles everything that shoudld happen when I save <code>SwarselSystems.org</code>. It:
</p> </p>
<ol class="org-ol">
<li>automatically tangles all configuration blocks in this file</li>
<li>exports the configuration file as html for an easier reading experience with working links and index</li>
<li>formats the generated <code>.nix</code> files in accordance to the <code>Alejandra</code>-style.</li>
</ol>
<p>
We set a hook that runs everytime we save the file. It would be a bit more efficient to only export and format when we enter a magit window for instance (since especially the html export takes times), however, since I cannot be sure to only ever commit from magit (I do indeed sometimes use git from the command line), I prefer this approach.
</p>
<div class="org-src-container"> <div class="org-src-container">
<pre class="src src-emacs-lisp"> <pre class="src src-emacs-lisp">(defun run-alejandra ()
(defun swarsel/org-babel-tangle-config () (interactive)
(when (string-equal (buffer-file-name) (let ((default-directory (expand-file-name "~/.dotfiles")))
swarsel-swarsel-org-filepath) (shell-command "alejandra . -q")))
;; Dynamic scoping to the rescue
(let ((org-confirm-babel-evaluate nil))
(org-html-export-to-html)
(org-babel-tangle)))
(when (string-equal (buffer-file-name)
swarsel-emacs-org-filepath)
;; Dynamic scoping to the rescue
(let ((org-confirm-babel-evaluate nil))
(org-html-export-to-html)
(org-babel-tangle)))
(when (string-equal (buffer-file-name)
swarsel-nix-org-filepath)
;; Dynamic scoping to the rescue
(let ((org-confirm-babel-evaluate nil))
(org-babel-tangle))))
(setq org-html-htmlize-output-type nil) (defun swarsel/org-babel-tangle-config ()
(when (string-equal (buffer-file-name)
(add-hook 'org-mode-hook (lambda () (add-hook 'after-save-hook #'swarsel/org-babel-tangle-config))) swarsel-swarsel-org-filepath)
;; Dynamic scoping to the rescue
(let ((org-confirm-babel-evaluate nil))
(org-html-export-to-html)
(org-babel-tangle)
(run-alejandra))))
(setq org-html-htmlize-output-type nil)
(add-hook 'org-mode-hook (lambda () (add-hook 'after-save-hook #'swarsel/org-babel-tangle-config)))
</pre> </pre>
</div> </div>
@ -9336,7 +9341,7 @@ The standard Emacs behaviour for the Python process shell is a bit annoying. Thi
</div> </div>
</div> </div>
</li> </li>
<li><a id="org03da7a6"></a>Nix common prefix bracketer<br /> <li><a id="orgbb564b1"></a>Nix common prefix bracketer<br />
<div class="outline-text-5" id="text-4-2-1-15"> <div class="outline-text-5" id="text-4-2-1-15">
<p> <p>
This function searches for common delimiters in region and removes them, summarizing all captured lines by it. This function searches for common delimiters in region and removes them, summarizing all captured lines by it.
@ -12907,7 +12912,7 @@ My laptop, sadly soon to be replaced by a new one, since most basic functions ar
</div> </div>
<div id="postamble" class="status"> <div id="postamble" class="status">
<p class="author">Author: Leon Schwarzäugl</p> <p class="author">Author: Leon Schwarzäugl</p>
<p class="date">Created: 2024-07-19 Fr 00:29</p> <p class="date">Created: 2024-07-19 Fr 00:52</p>
<p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p> <p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
</div> </div>
</body> </body>


@ -1,8 +1,8 @@
{ config, pkgs, ... }:
{ {
config,
pkgs,
...
}: {
services.gpg-agent = { services.gpg-agent = {
enable = true; enable = true;
enableSshSupport = true; enableSshSupport = true;
@ -11,11 +11,11 @@
defaultCacheTtl = 600; defaultCacheTtl = 600;
maxCacheTtl = 7200; maxCacheTtl = 7200;
extraConfig = '' extraConfig = ''
allow-loopback-pinentry allow-loopback-pinentry
allow-emacs-pinentry allow-emacs-pinentry
''; '';
}; };
home = { home = {
username = "TEMPLATE"; username = "TEMPLATE";
homeDirectory = "/home/TEMPLATE"; homeDirectory = "/home/TEMPLATE";
@ -29,7 +29,7 @@
]; ];
}; };
# update path if the sops private key is stored somewhere else # update path if the sops private key is stored somewhere else
sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" ]; sops.age.sshKeyPaths = ["${config.home.homeDirectory}/.ssh/sops"];
# waybar config - TEMPLATE - update for cores and temp # waybar config - TEMPLATE - update for cores and temp
programs.waybar.settings.mainBar = { programs.waybar.settings.mainBar = {
@ -40,7 +40,7 @@
# ----------------------------------------------------------------- # -----------------------------------------------------------------
# is this machine always connected to power? If yes, use this block: # is this machine always connected to power? If yes, use this block:
# #
# programs.waybar.settings.mainBar."custom/pseudobat"= { # programs.waybar.settings.mainBar."custom/pseudobat"= {
# format= ""; # format= "";
# on-click-right= "wlogout -p layer-shell"; # on-click-right= "wlogout -p layer-shell";
@ -61,32 +61,33 @@
# "custom/left-arrow-dark" # "custom/left-arrow-dark"
# "clock#1" # "clock#1"
# ]; # ];
# #
# ----------------------------------------------------------------- # -----------------------------------------------------------------
# ----------------------------------------------------------------- # -----------------------------------------------------------------
# if not always connected to power (laptop), use this (default): # if not always connected to power (laptop), use this (default):
programs.waybar.settings.mainBar.modules-right = ["custom/outer-left-arrow-dark" programs.waybar.settings.mainBar.modules-right = [
"mpris" "custom/outer-left-arrow-dark"
"custom/left-arrow-light" "mpris"
"network" "custom/left-arrow-light"
"custom/left-arrow-dark" "network"
"pulseaudio" "custom/left-arrow-dark"
"custom/left-arrow-light" "pulseaudio"
"custom/pseudobat" "custom/left-arrow-light"
"battery" "custom/pseudobat"
"custom/left-arrow-dark" "battery"
"group/hardware" "custom/left-arrow-dark"
"custom/left-arrow-light" "group/hardware"
"clock#2" "custom/left-arrow-light"
"custom/left-arrow-dark" "clock#2"
"clock#1" "custom/left-arrow-dark"
]; "clock#1"
];
# ----------------------------------------------------------------- # -----------------------------------------------------------------
wayland.windowManager.sway= { wayland.windowManager.sway = {
config = rec { config = rec {
# update for actual inputs here, # update for actual inputs here,
input = { input = {
@ -94,7 +95,8 @@
xkb_layout = "us"; xkb_layout = "us";
xkb_variant = "altgr-intl"; xkb_variant = "altgr-intl";
}; };
"1:1:AT_Translated_Set_2_keyboard" = { # TEMPLATE "1:1:AT_Translated_Set_2_keyboard" = {
# TEMPLATE
xkb_layout = "us"; xkb_layout = "us";
xkb_options = "grp:win_space_toggle"; xkb_options = "grp:win_space_toggle";
# xkb_options = "ctrl:nocaps,grp:win_space_toggle"; # xkb_options = "ctrl:nocaps,grp:win_space_toggle";
@ -106,7 +108,6 @@
natural_scroll = "enabled"; natural_scroll = "enabled";
middle_emulation = "enabled"; middle_emulation = "enabled";
}; };
}; };
output = { output = {
@ -126,14 +127,12 @@
}; };
startup = [ startup = [
{command = "nextcloud --background";}
{ command = "nextcloud --background";} {command = "discord --start-minimized";}
{ command = "discord --start-minimized";} {command = "element-desktop --hidden -enable-features=UseOzonePlatform -ozone-platform=wayland --disable-gpu-driver-bug-workarounds";}
{ command = "element-desktop --hidden -enable-features=UseOzonePlatform -ozone-platform=wayland --disable-gpu-driver-bug-workarounds";} {command = "ANKI_WAYLAND=1 anki";}
{ command = "ANKI_WAYLAND=1 anki";} {command = "OBSIDIAN_USE_WAYLAND=1 obsidian";}
{ command = "OBSIDIAN_USE_WAYLAND=1 obsidian";} {command = "nm-applet";}
{ command = "nm-applet";}
]; ];
}; };
}; };


@ -1,17 +1,11 @@
{ pkgs, ... }: {pkgs, ...}: {
imports = [
{ ./hardware-configuration.nix
];
imports =
[
./hardware-configuration.nix
];
services = { services = {
getty.autologinUser = "TEMPLATE"; getty.autologinUser = "TEMPLATE";
greetd.settings.initial_session.user="TEMPLATE"; greetd.settings.initial_session.user = "TEMPLATE";
}; };
# Bootloader # Bootloader
@ -37,7 +31,7 @@
networking.hostName = "TEMPLATE"; # Define your hostname. networking.hostName = "TEMPLATE"; # Define your hostname.
stylix.image = ../../wallpaper/TEMPLATEwp.png; stylix.image = ../../wallpaper/TEMPLATEwp.png;
stylix = { stylix = {
enable = true; enable = true;
base16Scheme = ../../wallpaper/swarsel.yaml; base16Scheme = ../../wallpaper/swarsel.yaml;
@ -62,7 +56,7 @@
# name = "FiraCode Nerd Font Propo"; # name = "FiraCode Nerd Font Propo";
# name = "Montserrat"; # name = "Montserrat";
}; };
sansSerif = { sansSerif = {
# package = (pkgs.nerdfonts.override { fonts = [ "FiraMono" "FiraCode"]; }); # package = (pkgs.nerdfonts.override { fonts = [ "FiraMono" "FiraCode"]; });
package = pkgs.cantarell-fonts; package = pkgs.cantarell-fonts;
@ -71,21 +65,18 @@
# name = "FiraCode Nerd Font Propo"; # name = "FiraCode Nerd Font Propo";
# name = "Montserrat"; # name = "Montserrat";
}; };
monospace = { monospace = {
package = pkgs.nerdfonts.override { fonts = [ "FiraCode"]; }; package = pkgs.nerdfonts.override {fonts = ["FiraCode"];};
name = "FiraCode Nerd Font Mono"; name = "FiraCode Nerd Font Mono";
}; };
emoji = { emoji = {
package = pkgs.noto-fonts-emoji; package = pkgs.noto-fonts-emoji;
name = "Noto Color Emoji"; name = "Noto Color Emoji";
}; };
}; };
}; };
# Configure keymap in X11 (only used for login) # Configure keymap in X11 (only used for login)
services.xserver = { services.xserver = {
@ -96,7 +87,7 @@
users.users.TEMPLATE = { users.users.TEMPLATE = {
isNormalUser = true; isNormalUser = true;
description = "TEMPLATE"; description = "TEMPLATE";
extraGroups = [ "networkmanager" "wheel" "lp" "audio" "video" ]; extraGroups = ["networkmanager" "wheel" "lp" "audio" "video"];
packages = with pkgs; []; packages = with pkgs; [];
}; };
@ -104,5 +95,4 @@
]; ];
system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
} }



@ -1,511 +1,508 @@
{ config, lib, pkgs, ... }:
{ {
config,
lib,
pkgs,
...
}: {
home-manager = { home-manager = {
useGlobalPkgs = true; useGlobalPkgs = true;
useUserPackages = true; useUserPackages = true;
}; };
services.xserver = { services.xserver = {
xkb = { xkb = {
layout = "us"; layout = "us";
variant = "altgr-intl"; variant = "altgr-intl";
};
};
nix.settings.experimental-features = ["nix-command" "flakes"];
users.mutableUsers = false;
environment = {
wordlist.enable = true;
sessionVariables = {
NIXOS_OZONE_WL = "1";
GST_PLUGIN_SYSTEM_PATH_1_0 = lib.makeSearchPathOutput "lib" "lib/gstreamer-1.0" (with pkgs.gst_all_1; [
gst-plugins-good
gst-plugins-bad
gst-plugins-ugly
gst-libav
]);
};
};
# gstreamer plugins for nautilus (used for file metadata)
time.hardwareClockInLocalTime = true;
# dont style GRUB with stylix
stylix.targets.grub.enable = false; # the styling makes grub more ugly
security.polkit.enable = true;
nix.gc = {
automatic = true;
randomizedDelaySec = "14m";
dates = "weekly";
options = "--delete-older-than 10d";
};
nix.optimise = {
automatic = true;
dates = [ "weekly" ];
};
# systemd
systemd.extraConfig = ''
DefaultTimeoutStartSec=60s
DefaultTimeoutStopSec=15s
'';
hardware = {
graphics = {
enable = true;
enable32Bit = true;
};
pulseaudio= {
enable = true;
package = pkgs.pulseaudioFull;
};
enableAllFirmware = true;
bluetooth = {
powerOnBoot = true;
settings = {
General = {
Enable = "Source,Sink,Media,Socket";
};
}; };
}; };
};
networking.networkmanager = { nix.settings.experimental-features = ["nix-command" "flakes"];
enable = true;
ensureProfiles = {
environmentFiles = [
"${config.sops.templates."network-manager.env".path}"
];
profiles = {
"Ernest Routerford" = {
connection = {
id = "Ernest Routerford";
permissions = "";
type = "wifi";
};
ipv4 = {
dns-search = "";
method = "auto";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
dns-search = "";
method = "auto";
};
wifi = {
mac-address-blacklist = "";
mode = "infrastructure";
ssid = "Ernest Routerford";
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-psk";
psk = "$ERNEST";
};
};
LAN-Party = { users.mutableUsers = false;
connection = {
autoconnect = "false";
id = "LAN-Party";
type = "ethernet";
};
ethernet = {
auto-negotiate = "true";
cloned-mac-address = "preserve";
mac-address = "90:2E:16:D0:A1:87";
};
ipv4 = { method = "shared"; };
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
};
eduroam = {
"802-1x" = {
eap = "ttls;";
identity = "$EDUID";
password = "$EDUPASS";
phase2-auth = "mschapv2";
};
connection = {
id = "eduroam";
type = "wifi";
};
ipv4 = { method = "auto"; };
ipv6 = {
addr-gen-mode = "default";
method = "auto";
};
proxy = { };
wifi = {
mode = "infrastructure";
ssid = "eduroam";
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-eap";
};
};
local = {
connection = {
autoconnect = "false";
id = "local";
type = "ethernet";
};
ethernet = { };
ipv4 = {
address1 = "10.42.1.1/24";
method = "shared";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
};
HH40V_39F5 = {
connection = {
id = "HH40V_39F5";
type = "wifi";
};
ipv4 = { method = "auto"; };
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
wifi = {
band = "bg";
mode = "infrastructure";
ssid = "HH40V_39F5";
};
wifi-security = {
key-mgmt = "wpa-psk";
psk = "$FRAUNS";
};
};
magicant = {
connection = {
id = "magicant";
type = "wifi";
};
ipv4 = { method = "auto"; };
ipv6 = {
addr-gen-mode = "default";
method = "auto";
};
proxy = { };
wifi = {
mode = "infrastructure";
ssid = "magicant";
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-psk";
psk = "$HANDYHOTSPOT";
};
};
"sweden-aes-128-cbc-udp-dns" = {
connection = {
autoconnect = "false";
id = "PIA Sweden";
type = "vpn";
};
ipv4 = { method = "auto"; };
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = { };
vpn = {
auth = "sha1";
ca =
"${config.users.users.swarsel.home}/.dotfiles/secrets/certs/sweden-aes-128-cbc-udp-dns-ca.pem";
challenge-response-flags = "2";
cipher = "aes-128-cbc";
compress = "yes";
connection-type = "password";
crl-verify-file = "${config.users.users.swarsel.home}/.dotfiles/secrets/certs/sweden-aes-128-cbc-udp-dns-crl-verify.pem";
dev = "tun";
password-flags = "0";
remote = "sweden.privacy.network:1198";
remote-cert-tls = "server";
reneg-seconds = "0";
service-type = "org.freedesktop.NetworkManager.openvpn";
username = "$VPNUSER";
};
vpn-secrets = { password = "$VPNPASS"; };
};
Hotspot = {
connection = {
autoconnect = "false";
id = "Hotspot";
type = "wifi";
};
ipv4 = { method = "shared"; };
ipv6 = {
addr-gen-mode = "default";
method = "ignore";
};
proxy = { };
wifi = {
mode = "ap";
ssid = "Hotspot-fourside";
};
wifi-security = {
group = "ccmp;";
key-mgmt = "wpa-psk";
pairwise = "ccmp;";
proto = "rsn;";
psk = "$HOTSPOT";
};
};
environment = {
wordlist.enable = true;
sessionVariables = {
NIXOS_OZONE_WL = "1";
GST_PLUGIN_SYSTEM_PATH_1_0 = lib.makeSearchPathOutput "lib" "lib/gstreamer-1.0" (with pkgs.gst_all_1; [
gst-plugins-good
gst-plugins-bad
gst-plugins-ugly
gst-libav
]);
}; };
}; };
}; # gstreamer plugins for nautilus (used for file metadata)
systemd.services.NetworkManager-ensure-profiles.after = [ "NetworkManager.service" ]; time.hardwareClockInLocalTime = true;
time.timeZone = "Europe/Vienna"; # dont style GRUB with stylix
stylix.targets.grub.enable = false; # the styling makes grub more ugly
i18n = { security.polkit.enable = true;
defaultLocale = "en_US.UTF-8";
extraLocaleSettings = { nix.gc = {
LC_ADDRESS = "de_AT.UTF-8"; automatic = true;
LC_IDENTIFICATION = "de_AT.UTF-8"; randomizedDelaySec = "14m";
LC_MEASUREMENT = "de_AT.UTF-8"; dates = "weekly";
LC_MONETARY = "de_AT.UTF-8"; options = "--delete-older-than 10d";
LC_NAME = "de_AT.UTF-8";
LC_NUMERIC = "de_AT.UTF-8";
LC_PAPER = "de_AT.UTF-8";
LC_TELEPHONE = "de_AT.UTF-8";
LC_TIME = "de_AT.UTF-8";
}; };
};
sops = { nix.optimise = {
automatic = true;
defaultSopsFile = "${config.users.users.swarsel.home}/.dotfiles/secrets/general/secrets.yaml"; dates = ["weekly"];
validateSopsFiles = false;
secrets = {
swarseluser = {neededForUsers = true;};
ernest = {};
frauns = {};
hotspot = {};
eduid = {};
edupass = {};
handyhotspot = {};
vpnuser = {};
vpnpass = {};
}; };
templates = {
"network-manager.env".content = '' # systemd
ERNEST=${config.sops.placeholder.ernest} systemd.extraConfig = ''
FRAUNS=${config.sops.placeholder.frauns} DefaultTimeoutStartSec=60s
HOTSPOT=${config.sops.placeholder.hotspot} DefaultTimeoutStopSec=15s
EDUID=${config.sops.placeholder.eduid}
EDUPASS=${config.sops.placeholder.edupass}
HANDYHOTSPOT=${config.sops.placeholder.handyhotspot}
VPNUSER=${config.sops.placeholder.vpnuser}
VPNPASS=${config.sops.placeholder.vpnpass}
''; '';
hardware = {
graphics = {
enable = true;
enable32Bit = true;
};
pulseaudio = {
enable = true;
package = pkgs.pulseaudioFull;
};
enableAllFirmware = true;
bluetooth = {
powerOnBoot = true;
settings = {
General = {
Enable = "Source,Sink,Media,Socket";
};
};
};
}; };
};
environment.systemPackages = with pkgs; [ networking.networkmanager = {
# yubikey packages enable = true;
gnupg ensureProfiles = {
yubikey-personalization environmentFiles = [
yubikey-personalization-gui "${config.sops.templates."network-manager.env".path}"
yubico-pam ];
yubioath-flutter profiles = {
yubikey-manager "Ernest Routerford" = {
yubikey-manager-qt connection = {
yubico-piv-tool id = "Ernest Routerford";
cfssl permissions = "";
pcsctools type = "wifi";
pcscliteWithPolkit.out };
ipv4 = {
dns-search = "";
method = "auto";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
dns-search = "";
method = "auto";
};
wifi = {
mac-address-blacklist = "";
mode = "infrastructure";
ssid = "Ernest Routerford";
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-psk";
psk = "$ERNEST";
};
};
# ledger packages LAN-Party = {
ledger-live-desktop connection = {
autoconnect = "false";
id = "LAN-Party";
type = "ethernet";
};
ethernet = {
auto-negotiate = "true";
cloned-mac-address = "preserve";
mac-address = "90:2E:16:D0:A1:87";
};
ipv4 = {method = "shared";};
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = {};
};
# pinentry eduroam = {
"802-1x" = {
eap = "ttls;";
identity = "$EDUID";
password = "$EDUPASS";
phase2-auth = "mschapv2";
};
connection = {
id = "eduroam";
type = "wifi";
};
ipv4 = {method = "auto";};
ipv6 = {
addr-gen-mode = "default";
method = "auto";
};
proxy = {};
wifi = {
mode = "infrastructure";
ssid = "eduroam";
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-eap";
};
};
# theme related local = {
adwaita-icon-theme connection = {
autoconnect = "false";
id = "local";
type = "ethernet";
};
ethernet = {};
ipv4 = {
address1 = "10.42.1.1/24";
method = "shared";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = {};
};
# kde-connect HH40V_39F5 = {
xdg-desktop-portal connection = {
id = "HH40V_39F5";
type = "wifi";
};
ipv4 = {method = "auto";};
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
proxy = {};
wifi = {
band = "bg";
mode = "infrastructure";
ssid = "HH40V_39F5";
};
wifi-security = {
key-mgmt = "wpa-psk";
psk = "$FRAUNS";
};
};
# bluetooth magicant = {
bluez connection = {
id = "magicant";
type = "wifi";
};
ipv4 = {method = "auto";};
ipv6 = {
addr-gen-mode = "default";
method = "auto";
};
proxy = {};
wifi = {
mode = "infrastructure";
ssid = "magicant";
};
wifi-security = {
auth-alg = "open";
key-mgmt = "wpa-psk";
psk = "$HANDYHOTSPOT";
};
};
# lsp-related ------------------------------- "sweden-aes-128-cbc-udp-dns" = {
# nix connection = {
# latex autoconnect = "false";
texlab id = "PIA Sweden";
ghostscript_headless type = "vpn";
# wireguard };
wireguard-tools ipv4 = {method = "auto";};
# rust ipv6 = {
rust-analyzer addr-gen-mode = "stable-privacy";
clippy method = "auto";
rustfmt };
# go proxy = {};
go vpn = {
gopls auth = "sha1";
# zig ca = "${config.users.users.swarsel.home}/.dotfiles/secrets/certs/sweden-aes-128-cbc-udp-dns-ca.pem";
zig challenge-response-flags = "2";
zls cipher = "aes-128-cbc";
# cpp compress = "yes";
clang-tools connection-type = "password";
# + cuda crl-verify-file = "${config.users.users.swarsel.home}/.dotfiles/secrets/certs/sweden-aes-128-cbc-udp-dns-crl-verify.pem";
cudatoolkit dev = "tun";
#lsp-bridge / python password-flags = "0";
gcc remote = "sweden.privacy.network:1198";
gdb remote-cert-tls = "server";
(python3.withPackages(ps: with ps; [ jupyter ipython pyqt5 epc orjson sexpdata six setuptools paramiko numpy pandas scipy matplotlib requests debugpy flake8 gnureadline python-lsp-server])) reneg-seconds = "0";
# (python3.withPackages(ps: with ps; [ jupyter ipython pyqt5 numpy pandas scipy matplotlib requests debugpy flake8 gnureadline python-lsp-server])) service-type = "org.freedesktop.NetworkManager.openvpn";
# -------------------------------------------- username = "$VPNUSER";
};
vpn-secrets = {password = "$VPNPASS";};
};
(stdenv.mkDerivation { Hotspot = {
name = "oama"; connection = {
autoconnect = "false";
id = "Hotspot";
type = "wifi";
};
ipv4 = {method = "shared";};
ipv6 = {
addr-gen-mode = "default";
method = "ignore";
};
proxy = {};
wifi = {
mode = "ap";
ssid = "Hotspot-fourside";
};
wifi-security = {
group = "ccmp;";
key-mgmt = "wpa-psk";
pairwise = "ccmp;";
proto = "rsn;";
psk = "$HOTSPOT";
};
};
};
};
};
src = pkgs.fetchurl { systemd.services.NetworkManager-ensure-profiles.after = ["NetworkManager.service"];
time.timeZone = "Europe/Vienna";
i18n = {
defaultLocale = "en_US.UTF-8";
extraLocaleSettings = {
LC_ADDRESS = "de_AT.UTF-8";
LC_IDENTIFICATION = "de_AT.UTF-8";
LC_MEASUREMENT = "de_AT.UTF-8";
LC_MONETARY = "de_AT.UTF-8";
LC_NAME = "de_AT.UTF-8";
LC_NUMERIC = "de_AT.UTF-8";
LC_PAPER = "de_AT.UTF-8";
LC_TELEPHONE = "de_AT.UTF-8";
LC_TIME = "de_AT.UTF-8";
};
};
sops = {
defaultSopsFile = "${config.users.users.swarsel.home}/.dotfiles/secrets/general/secrets.yaml";
validateSopsFiles = false;
secrets = {
swarseluser = {neededForUsers = true;};
ernest = {};
frauns = {};
hotspot = {};
eduid = {};
edupass = {};
handyhotspot = {};
vpnuser = {};
vpnpass = {};
};
templates = {
"network-manager.env".content = ''
ERNEST=${config.sops.placeholder.ernest}
FRAUNS=${config.sops.placeholder.frauns}
HOTSPOT=${config.sops.placeholder.hotspot}
EDUID=${config.sops.placeholder.eduid}
EDUPASS=${config.sops.placeholder.edupass}
HANDYHOTSPOT=${config.sops.placeholder.handyhotspot}
VPNUSER=${config.sops.placeholder.vpnuser}
VPNPASS=${config.sops.placeholder.vpnpass}
'';
};
};
environment.systemPackages = with pkgs; [
# yubikey packages
gnupg
yubikey-personalization
yubikey-personalization-gui
yubico-pam
yubioath-flutter
yubikey-manager
yubikey-manager-qt
yubico-piv-tool
cfssl
pcsctools
pcscliteWithPolkit.out
# ledger packages
ledger-live-desktop
# pinentry
# theme related
adwaita-icon-theme
# kde-connect
xdg-desktop-portal
# bluetooth
bluez
# lsp-related -------------------------------
# nix
# latex
texlab
ghostscript_headless
# wireguard
wireguard-tools
# rust
rust-analyzer
clippy
rustfmt
# go
go
gopls
# zig
zig
zls
# cpp
clang-tools
# + cuda
cudatoolkit
#lsp-bridge / python
gcc
gdb
(python3.withPackages (ps: with ps; [jupyter ipython pyqt5 epc orjson sexpdata six setuptools paramiko numpy pandas scipy matplotlib requests debugpy flake8 gnureadline python-lsp-server]))
# (python3.withPackages(ps: with ps; [ jupyter ipython pyqt5 numpy pandas scipy matplotlib requests debugpy flake8 gnureadline python-lsp-server]))
# --------------------------------------------
(stdenv.mkDerivation {
name = "oama"; name = "oama";
url = "https://github.com/pdobsan/oama/releases/download/0.13.1/oama-0.13.1-Linux-x86_64-static.tgz";
sha256 = "sha256-OTdCObVfnMPhgZxVtZqehgUXtKT1iyqozdkPIV+i3Gc=";
};
phases = [ src = pkgs.fetchurl {
"unpackPhase" name = "oama";
]; url = "https://github.com/pdobsan/oama/releases/download/0.13.1/oama-0.13.1-Linux-x86_64-static.tgz";
sha256 = "sha256-OTdCObVfnMPhgZxVtZqehgUXtKT1iyqozdkPIV+i3Gc=";
};
unpackPhase = '' phases = [
mkdir -p $out/bin "unpackPhase"
tar xvf $src -C $out/ ];
mv $out/oama-0.13.1-Linux-x86_64-static/oama $out/bin/
'';
}) unpackPhase = ''
mkdir -p $out/bin
]; tar xvf $src -C $out/
mv $out/oama-0.13.1-Linux-x86_64-static/oama $out/bin/
programs = { '';
dconf.enable = true; })
evince.enable = true;
kdeconnect.enable = true;
};
programs.zsh.enable = true;
users.defaultUserShell = pkgs.zsh;
environment.shells = with pkgs; [ zsh ];
environment.pathsToLink = [ "/share/zsh" ];
services.blueman.enable = true;
# enable scanners over network
hardware.sane = {
enable = true;
extraBackends = [ pkgs.sane-airscan ];
};
# enable discovery and usage of network devices (esp. printers)
services.printing = {
enable = true;
drivers = [
pkgs.gutenprint
pkgs.gutenprintBin
]; ];
browsedConf = ''
BrowseDNSSDSubTypes _cups,_print
BrowseLocalProtocols all
BrowseRemoteProtocols all
CreateIPPPrinterQueues All
BrowseProtocols all
'';
};
services.avahi = { programs = {
enable = true; dconf.enable = true;
nssmdns4 = true; evince.enable = true;
openFirewall = true; kdeconnect.enable = true;
};
services.gvfs.enable = true;
# Make CAPS work as a dual function ESC/CTRL key
services.interception-tools = {
enable = true;
udevmonConfig = let
dualFunctionKeysConfig = builtins.toFile "dual-function-keys.yaml" ''
TIMING:
TAP_MILLISEC: 200
DOUBLE_TAP_MILLISEC: 0
MAPPINGS:
- KEY: KEY_CAPSLOCK
TAP: KEY_ESC
HOLD: KEY_LEFTCTRL
'';
in ''
- JOB: |
${pkgs.interception-tools}/bin/intercept -g $DEVNODE \
| ${pkgs.interception-tools-plugins.dual-function-keys}/bin/dual-function-keys -c ${dualFunctionKeysConfig} \
| ${pkgs.interception-tools}/bin/uinput -d $DEVNODE
DEVICE:
EVENTS:
EV_KEY: [KEY_CAPSLOCK]
'';
};
programs.ssh.startAgent = false;
services.pcscd.enable = true;
hardware.ledger.enable = true;
services.udev.packages = with pkgs; [
yubikey-personalization
ledger-udev-rules
];
services.greetd = {
enable = true;
settings = {
initial_session.command = "sway";
# initial_session.user ="swarsel";
default_session.command = ''
${pkgs.greetd.tuigreet}/bin/tuigreet \
--time \
--asterisks \
--user-menu \
--cmd sway
'';
}; };
};
environment.etc."greetd/environments".text = '' programs.zsh.enable = true;
sway users.defaultUserShell = pkgs.zsh;
''; environment.shells = with pkgs; [zsh];
environment.pathsToLink = ["/share/zsh"];
services.blueman.enable = true;
# enable scanners over network
hardware.sane = {
enable = true;
extraBackends = [pkgs.sane-airscan];
};
# enable discovery and usage of network devices (esp. printers)
services.printing = {
enable = true;
drivers = [
pkgs.gutenprint
pkgs.gutenprintBin
];
browsedConf = ''
BrowseDNSSDSubTypes _cups,_print
BrowseLocalProtocols all
BrowseRemoteProtocols all
CreateIPPPrinterQueues All
BrowseProtocols all
'';
};
services.avahi = {
enable = true;
nssmdns4 = true;
openFirewall = true;
};
services.gvfs.enable = true;
# Make CAPS work as a dual function ESC/CTRL key
services.interception-tools = {
enable = true;
udevmonConfig = let
dualFunctionKeysConfig = builtins.toFile "dual-function-keys.yaml" ''
TIMING:
TAP_MILLISEC: 200
DOUBLE_TAP_MILLISEC: 0
MAPPINGS:
- KEY: KEY_CAPSLOCK
TAP: KEY_ESC
HOLD: KEY_LEFTCTRL
'';
in ''
- JOB: |
${pkgs.interception-tools}/bin/intercept -g $DEVNODE \
| ${pkgs.interception-tools-plugins.dual-function-keys}/bin/dual-function-keys -c ${dualFunctionKeysConfig} \
| ${pkgs.interception-tools}/bin/uinput -d $DEVNODE
DEVICE:
EVENTS:
EV_KEY: [KEY_CAPSLOCK]
'';
};
programs.ssh.startAgent = false;
services.pcscd.enable = true;
hardware.ledger.enable = true;
services.udev.packages = with pkgs; [
yubikey-personalization
ledger-udev-rules
];
services.greetd = {
enable = true;
settings = {
initial_session.command = "sway";
# initial_session.user ="swarsel";
default_session.command = ''
${pkgs.greetd.tuigreet}/bin/tuigreet \
--time \
--asterisks \
--user-menu \
--cmd sway
'';
};
};
environment.etc."greetd/environments".text = ''
sway
'';
} }
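Review bot: The `eduroam` profile's `"802-1x"` block sets `eap = "ttls;"` and `phase2-auth = "mschapv2"` but carries no `ca-cert` and no `domain-suffix-match`, so NetworkManager is given nothing to validate the RADIUS server against before the inner exchange with `$EDUID`/`$EDUPASS` runs. Without that pinning, any access point announcing the `eduroam` SSID can terminate the TLS tunnel and collect the MSCHAPv2 exchange. Adding `ca-cert = "<path to the institution's CA certificate>";` and `domain-suffix-match = "<institution RADIUS server domain>";` to that block closes this; both values are placeholders to be taken from the institution's eduroam setup instructions. The commit only re-indents the profile, so the gap predates it, but the reformatted file carries it over unchanged.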


@ -1,31 +1,34 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, modulesPath, ... }:
{ {
imports = config,
[ (modulesPath + "/installer/scan/not-detected.nix") lib,
]; modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc"];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [];
boot.kernelModules = [ "kvm-amd" ]; boot.kernelModules = ["kvm-amd"];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [];
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-uuid/55eee3d2-4125-4aba-a326-10cde2abdf26"; device = "/dev/disk/by-uuid/55eee3d2-4125-4aba-a326-10cde2abdf26";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = fileSystems."/boot" = {
{ device = "/dev/disk/by-uuid/BC7A-F7D9"; device = "/dev/disk/by-uuid/BC7A-F7D9";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = swapDevices = [
[ { device = "/dev/disk/by-uuid/0a74b04a-99e0-48cd-afcf-6ca849f6f85a"; } {device = "/dev/disk/by-uuid/0a74b04a-99e0-48cd-afcf-6ca849f6f85a";}
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,8 +1,8 @@
{ config, pkgs, ... }:
{ {
config,
pkgs,
...
}: {
services.gpg-agent = { services.gpg-agent = {
enable = true; enable = true;
enableSshSupport = true; enableSshSupport = true;
@ -11,11 +11,11 @@
defaultCacheTtl = 600; defaultCacheTtl = 600;
maxCacheTtl = 7200; maxCacheTtl = 7200;
extraConfig = '' extraConfig = ''
allow-loopback-pinentry allow-loopback-pinentry
allow-emacs-pinentry allow-emacs-pinentry
''; '';
}; };
home = { home = {
username = "swarsel"; username = "swarsel";
homeDirectory = "/home/swarsel"; homeDirectory = "/home/swarsel";
@ -24,7 +24,7 @@
packages = with pkgs; [ packages = with pkgs; [
]; ];
}; };
sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" ]; sops.age.sshKeyPaths = ["${config.home.homeDirectory}/.ssh/sops"];
# waybar config - TEMPLATE - update for cores and temp # waybar config - TEMPLATE - update for cores and temp
programs.waybar.settings.mainBar = { programs.waybar.settings.mainBar = {
@ -34,26 +34,25 @@
temperature.input-filename = "temp1_input"; temperature.input-filename = "temp1_input";
}; };
programs.waybar.settings.mainBar.modules-right = [
programs.waybar.settings.mainBar.modules-right = ["custom/outer-left-arrow-dark" "custom/outer-left-arrow-dark"
"mpris" "mpris"
"custom/left-arrow-light" "custom/left-arrow-light"
"network" "network"
"custom/left-arrow-dark" "custom/left-arrow-dark"
"pulseaudio" "pulseaudio"
"custom/left-arrow-light" "custom/left-arrow-light"
"custom/pseudobat" "custom/pseudobat"
"battery" "battery"
"custom/left-arrow-dark" "custom/left-arrow-dark"
"group/hardware" "group/hardware"
"custom/left-arrow-light" "custom/left-arrow-light"
"clock#2" "clock#2"
"custom/left-arrow-dark" "custom/left-arrow-dark"
"clock#1" "clock#1"
]; ];
wayland.windowManager.sway= { wayland.windowManager.sway = {
config = rec { config = rec {
# update for actual inputs here, # update for actual inputs here,
input = { input = {
@ -61,7 +60,8 @@
xkb_layout = "us"; xkb_layout = "us";
xkb_variant = "altgr-intl"; xkb_variant = "altgr-intl";
}; };
"1:1:AT_Translated_Set_2_keyboard" = { # TEMPLATE "1:1:AT_Translated_Set_2_keyboard" = {
# TEMPLATE
xkb_layout = "us"; xkb_layout = "us";
xkb_options = "grp:win_space_toggle"; xkb_options = "grp:win_space_toggle";
xkb_variant = "altgr-intl"; xkb_variant = "altgr-intl";
@ -72,7 +72,6 @@
natural_scroll = "enabled"; natural_scroll = "enabled";
middle_emulation = "enabled"; middle_emulation = "enabled";
}; };
}; };
output = { output = {
@ -91,17 +90,22 @@
}; };
workspaceOutputAssign = [ workspaceOutputAssign = [
{ output = "eDP-1"; workspace = "1:";} {
{ output = "DP-4"; workspace = "2:";} output = "eDP-1";
workspace = "1:";
}
{
output = "DP-4";
workspace = "2:";
}
]; ];
keybindings = let keybindings = let
inherit (config.wayland.windowManager.sway.config) modifier; inherit (config.wayland.windowManager.sway.config) modifier;
in { in {
"${modifier}+w" = "exec \"bash ~/.dotfiles/scripts/checkelement.sh\""; "${modifier}+w" = "exec \"bash ~/.dotfiles/scripts/checkelement.sh\"";
"XF86MonBrightnessUp" = "exec brightnessctl set +5%"; "XF86MonBrightnessUp" = "exec brightnessctl set +5%";
"XF86MonBrightnessDown"= "exec brightnessctl set 5%-"; "XF86MonBrightnessDown" = "exec brightnessctl set 5%-";
"XF86Display" = "exec wl-mirror eDP-1"; "XF86Display" = "exec wl-mirror eDP-1";
# these are left open to use # these are left open to use
# "XF86WLAN" = "exec wl-mirror eDP-1"; # "XF86WLAN" = "exec wl-mirror eDP-1";
@ -115,14 +119,12 @@
}; };
startup = [ startup = [
{command = "nextcloud --background";}
{ command = "nextcloud --background";} {command = "discord --start-minimized";}
{ command = "discord --start-minimized";} {command = "element-desktop --hidden -enable-features=UseOzonePlatform -ozone-platform=wayland --disable-gpu-driver-bug-workarounds";}
{ command = "element-desktop --hidden -enable-features=UseOzonePlatform -ozone-platform=wayland --disable-gpu-driver-bug-workarounds";} {command = "ANKI_WAYLAND=1 anki";}
{ command = "ANKI_WAYLAND=1 anki";} {command = "OBSIDIAN_USE_WAYLAND=1 obsidian";}
{ command = "OBSIDIAN_USE_WAYLAND=1 obsidian";} {command = "nm-applet";}
{ command = "nm-applet";}
]; ];
}; };
}; };


@ -1,21 +1,21 @@
{ config, pkgs, ... }:
{ {
config,
# pkgs,
...
}: {
#
# imports = # imports =
# [ # [
# ./hardware-configuration.nix # ./hardware-configuration.nix
# ]; # ];
# #
imports = imports = [
[ ./hardware-configuration.nix
./hardware-configuration.nix ];
];
services = { services = {
getty.autologinUser = "swarsel"; getty.autologinUser = "swarsel";
greetd.settings.initial_session.user="swarsel"; greetd.settings.initial_session.user = "swarsel";
}; };
boot = { boot = {
@ -24,7 +24,7 @@
# kernelPackages = pkgs.linuxPackages_latest; # kernelPackages = pkgs.linuxPackages_latest;
}; };
sops.age.sshKeyPaths = [ "${config.users.users.swarsel.home}/.ssh/sops" ]; sops.age.sshKeyPaths = ["${config.users.users.swarsel.home}/.ssh/sops"];
networking = { networking = {
hostName = "fourside"; # Define your hostname. hostName = "fourside"; # Define your hostname.
@ -33,32 +33,44 @@
firewall.checkReversePath = false; firewall.checkReversePath = false;
firewall = { firewall = {
enable = true; enable = true;
allowedUDPPorts = [ 4380 27036 14242 34197 51820 ]; # 34197: factorio; 4380 27036 14242: barotrauma; 51820: wireguard allowedUDPPorts = [4380 27036 14242 34197 51820]; # 34197: factorio; 4380 27036 14242: barotrauma; 51820: wireguard
allowedTCPPorts = [ ]; # 34197: factorio; 4380 27036 14242: barotrauma; 51820: wireguard allowedTCPPorts = []; # 34197: factorio; 4380 27036 14242: barotrauma; 51820: wireguard
allowedTCPPortRanges = [ allowedTCPPortRanges = [
{from = 27015; to = 27030;} # barotrauma {
{from = 27036; to = 27037;} # barotrauma from = 27015;
to = 27030;
} # barotrauma
{
from = 27036;
to = 27037;
} # barotrauma
]; ];
allowedUDPPortRanges = [ allowedUDPPortRanges = [
{from = 27000; to = 27031;} # barotrauma {
{from = 58962; to = 58964;} # barotrauma from = 27000;
to = 27031;
} # barotrauma
{
from = 58962;
to = 58964;
} # barotrauma
]; ];
}; };
}; };
virtualisation.virtualbox = { virtualisation.virtualbox = {
host = { host = {
enable = true; enable = true;
enableExtensionPack = true; enableExtensionPack = true;
}; };
# leaving this here for future notice. setting guest.enable = true will make 'restarting sysinit-reactivation.target' take till timeout on nixos-rebuild switch # leaving this here for future notice. setting guest.enable = true will make 'restarting sysinit-reactivation.target' take till timeout on nixos-rebuild switch
guest = { guest = {
enable = false; enable = false;
};
}; };
};
stylix.image = ../../wallpaper/lenovowp.png; stylix.image = ../../wallpaper/lenovowp.png;
stylix = { stylix = {
enable = true; enable = true;
base16Scheme = ../../wallpaper/swarsel.yaml; base16Scheme = ../../wallpaper/swarsel.yaml;
@ -83,7 +95,7 @@
# name = "FiraCode Nerd Font Propo"; # name = "FiraCode Nerd Font Propo";
# name = "Montserrat"; # name = "Montserrat";
}; };
sansSerif = { sansSerif = {
# package = (pkgs.nerdfonts.override { fonts = [ "FiraMono" "FiraCode"]; }); # package = (pkgs.nerdfonts.override { fonts = [ "FiraMono" "FiraCode"]; });
package = pkgs.cantarell-fonts; package = pkgs.cantarell-fonts;
@ -92,38 +104,35 @@
# name = "FiraCode Nerd Font Propo"; # name = "FiraCode Nerd Font Propo";
# name = "Montserrat"; # name = "Montserrat";
}; };
monospace = { monospace = {
package = pkgs.nerdfonts.override { fonts = [ "FiraCode"]; }; package = pkgs.nerdfonts.override {fonts = ["FiraCode"];};
name = "FiraCode Nerd Font Mono"; name = "FiraCode Nerd Font Mono";
}; };
emoji = { emoji = {
package = pkgs.noto-fonts-emoji; package = pkgs.noto-fonts-emoji;
name = "Noto Color Emoji"; name = "Noto Color Emoji";
}; };
}; };
}; };
hardware = { hardware = {
graphics = { graphics = {
enable = true; enable = true;
enable32Bit = true; enable32Bit = true;
extraPackages = with pkgs; [ extraPackages = with pkgs; [
vulkan-loader vulkan-loader
vulkan-validation-layers vulkan-validation-layers
vulkan-extension-layer vulkan-extension-layer
]; ];
};
bluetooth.enable = true;
trackpoint = {
enable = true;
device = "TPPS/2 Elan TrackPoint";
};
}; };
bluetooth.enable = true;
trackpoint = {
enable = true;
device = "TPPS/2 Elan TrackPoint";
};
};
programs.steam = { programs.steam = {
enable = true; enable = true;
@ -132,7 +141,7 @@
]; ];
}; };
# Configure keymap in X11 (only used for login) # Configure keymap in X11 (only used for login)
services.thinkfan = { services.thinkfan = {
enable = false; enable = false;
@ -143,7 +152,7 @@
services.nswitch-rcm = { services.nswitch-rcm = {
enable = true; enable = true;
package = pkgs.fetchurl { package = pkgs.fetchurl {
url = "https://github.com/Atmosphere-NX/Atmosphere/releases/download/1.3.2/fusee.bin"; url = "https://github.com/Atmosphere-NX/Atmosphere/releases/download/1.3.2/fusee.bin";
hash = "sha256-5AXzNsny45SPLIrvWJA9/JlOCal5l6Y++Cm+RtlJppI="; hash = "sha256-5AXzNsny45SPLIrvWJA9/JlOCal5l6Y++Cm+RtlJppI=";
}; };
@ -153,21 +162,19 @@
isNormalUser = true; isNormalUser = true;
description = "Leon S"; description = "Leon S";
hashedPasswordFile = config.sops.secrets.swarseluser.path; hashedPasswordFile = config.sops.secrets.swarseluser.path;
extraGroups = [ "networkmanager" "wheel" "lp" "audio" "video" "vboxusers" "scanner" ]; extraGroups = ["networkmanager" "wheel" "lp" "audio" "video" "vboxusers" "scanner"];
packages = with pkgs; []; packages = with pkgs; [];
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
# gog games installing # gog games installing
heroic heroic
# minecraft # minecraft
temurin-bin-17 temurin-bin-17
(prismlauncher.override { (prismlauncher.override {
glfw = pkgs.glfw-wayland-minecraft; glfw = pkgs.glfw-wayland-minecraft;
}) })
]; ];
system.stateVersion = "23.05"; system.stateVersion = "23.05";
} }
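Review bot: `firewall.checkReversePath = false;` at the top of the `networking` hunk switches the firewall's reverse-path filter off for every interface, so packets with spoofed or unroutable source addresses are no longer dropped before the port rules apply. If the setting is there for the WireGuard tunnel on port 51820 (the reason is not visible in this hunk), `firewall.checkReversePath = "loose";` normally keeps the tunnel working while retaining the check. The trailing comment on `allowedTCPPorts = [];` repeats the UDP port list although no TCP port is opened there, so it should be removed or replaced with `# no single TCP ports; see allowedTCPPortRanges`.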


@ -1,6 +1,4 @@
{ pkgs, ... }: {pkgs, ...}: {
{
environment.packages = with pkgs; [ environment.packages = with pkgs; [
vim vim
git git
@ -18,5 +16,4 @@
nix.extraOptions = '' nix.extraOptions = ''
experimental-features = nix-command flakes experimental-features = nix-command flakes
''; '';
} }


@ -1,14 +1,18 @@
{ modulesPath, ... }: {modulesPath, ...}: {
{ imports = [(modulesPath + "/profiles/qemu-guest.nix")];
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub = { boot.loader.grub = {
efiSupport = true; efiSupport = true;
efiInstallAsRemovable = true; efiInstallAsRemovable = true;
device = "nodev"; device = "nodev";
}; };
fileSystems."/boot" = { device = "/dev/disk/by-uuid/A1B2-7E6F"; fsType = "vfat"; }; fileSystems."/boot" = {
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ]; device = "/dev/disk/by-uuid/A1B2-7E6F";
boot.initrd.kernelModules = [ "nvme" ]; fsType = "vfat";
fileSystems."/" = { device = "/dev/mapper/ocivolume-root"; fsType = "xfs"; }; };
boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"];
boot.initrd.kernelModules = ["nvme"];
fileSystems."/" = {
device = "/dev/mapper/ocivolume-root";
fsType = "xfs";
};
} }


@ -1,7 +1,11 @@
{ config, pkgs, sops, ... }: let {
config,
pkgs,
sops,
...
}: let
matrixDomain = "swatrix.swarsel.win"; matrixDomain = "swatrix.swarsel.win";
in { in {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
@ -23,24 +27,24 @@ in {
nix.settings.experimental-features = ["nix-command" "flakes"]; nix.settings.experimental-features = ["nix-command" "flakes"];
sops = { sops = {
age.sshKeyPaths = [ "/etc/ssh/sops" ]; age.sshKeyPaths = ["/etc/ssh/sops"];
defaultSopsFile = "/root/.dotfiles/secrets/omatrix/secrets.yaml"; defaultSopsFile = "/root/.dotfiles/secrets/omatrix/secrets.yaml";
validateSopsFiles = false; validateSopsFiles = false;
secrets = { secrets = {
dnstokenfull = {owner="acme";}; dnstokenfull = {owner = "acme";};
matrixsharedsecret = {owner="matrix-synapse";}; matrixsharedsecret = {owner = "matrix-synapse";};
mautrixtelegram_as = {owner="matrix-synapse";}; mautrixtelegram_as = {owner = "matrix-synapse";};
mautrixtelegram_hs = {owner="matrix-synapse";}; mautrixtelegram_hs = {owner = "matrix-synapse";};
mautrixtelegram_api_id = {owner="matrix-synapse";}; mautrixtelegram_api_id = {owner = "matrix-synapse";};
mautrixtelegram_api_hash = {owner="matrix-synapse";}; mautrixtelegram_api_hash = {owner = "matrix-synapse";};
}; };
templates = { templates = {
"certs.secret".content = '' "certs.secret".content = ''
CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull} CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
''; '';
"matrix_user_register.sh".content = '' "matrix_user_register.sh".content = ''
register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008 register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008
''; '';
mautrixtelegram = { mautrixtelegram = {
owner = "matrix-synapse"; owner = "matrix-synapse";
content = '' content = ''
@ -48,13 +52,13 @@ in {
MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs} MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs}
MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id} MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id}
MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash} MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash}
''; '';
}; };
matrixshared = { matrixshared = {
owner = "matrix-synapse"; owner = "matrix-synapse";
content = '' content = ''
registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret} registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret}
''; '';
}; };
}; };
}; };
@ -78,7 +82,6 @@ in {
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedGzipSettings = true; recommendedGzipSettings = true;
virtualHosts = { virtualHosts = {
"swatrix.swarsel.win" = { "swatrix.swarsel.win" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@ -87,8 +90,8 @@ in {
"~ ^(/_matrix|/_synapse/client)" = { "~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://localhost:8008"; proxyPass = "http://localhost:8008";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';
}; };
}; };
}; };
@ -102,13 +105,13 @@ in {
enableIPv6 = false; enableIPv6 = false;
domain = "swarsel.win"; domain = "swarsel.win";
firewall.extraCommands = '' firewall.extraCommands = ''
iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 8008 -j ACCEPT iptables -I INPUT -m state --state NEW -p tcp --dport 8008 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 29317 -j ACCEPT iptables -I INPUT -m state --state NEW -p tcp --dport 29317 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 29318 -j ACCEPT iptables -I INPUT -m state --state NEW -p tcp --dport 29318 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 29328 -j ACCEPT iptables -I INPUT -m state --state NEW -p tcp --dport 29328 -j ACCEPT
''; '';
}; };
services.openssh = { services.openssh = {
enable = true; enable = true;
@ -129,27 +132,27 @@ in {
services.postgresql = { services.postgresql = {
enable = true; enable = true;
initialScript = pkgs.writeText "synapse-init.sql" '' initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0 TEMPLATE template0
LC_COLLATE = "C" LC_COLLATE = "C"
LC_CTYPE = "C"; LC_CTYPE = "C";
CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram'; CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram';
CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram" CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram"
TEMPLATE template0 TEMPLATE template0
LC_COLLATE = "C" LC_COLLATE = "C"
LC_CTYPE = "C"; LC_CTYPE = "C";
CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp'; CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';
CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp" CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"
TEMPLATE template0 TEMPLATE template0
LC_COLLATE = "C" LC_COLLATE = "C"
LC_CTYPE = "C"; LC_CTYPE = "C";
CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal'; CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal';
CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal" CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal"
TEMPLATE template0 TEMPLATE template0
LC_COLLATE = "C" LC_COLLATE = "C"
LC_CTYPE = "C"; LC_CTYPE = "C";
''; '';
}; };
services.matrix-synapse = { services.matrix-synapse = {
settings.app_service_config_files = [ settings.app_service_config_files = [
@ -164,14 +167,15 @@ in {
public_baseurl = "https://${matrixDomain}"; public_baseurl = "https://${matrixDomain}";
}; };
listeners = [ listeners = [
{ port = 8008; {
bind_addresses = [ "0.0.0.0" ]; port = 8008;
bind_addresses = ["0.0.0.0"];
type = "http"; type = "http";
tls = false; tls = false;
x_forwarded = true; x_forwarded = true;
resources = [ resources = [
{ {
names = [ "client" "federation" ]; names = ["client" "federation"];
compress = true; compress = true;
} }
]; ];
@ -191,7 +195,7 @@ in {
domain = matrixDomain; domain = matrixDomain;
}; };
appservice = { appservice = {
address= "http://localhost:29317"; address = "http://localhost:29317";
hostname = "0.0.0.0"; hostname = "0.0.0.0";
port = "29317"; port = "29317";
provisioning.enabled = true; provisioning.enabled = true;
@ -220,16 +224,16 @@ in {
args = { args = {
width = 256; width = 256;
height = 256; height = 256;
fps = 30; # only for webm fps = 30; # only for webm
background = "020202"; # only for gif, transparency not supported background = "020202"; # only for gif, transparency not supported
}; };
}; };
}; };
}; };
}; };
systemd.services.mautrix-telegram.path = with pkgs; [ systemd.services.mautrix-telegram.path = with pkgs; [
lottieconverter # for animated stickers conversion, unfree package lottieconverter # for animated stickers conversion, unfree package
ffmpeg # if converting animated stickers to webm (very slow!) ffmpeg # if converting animated stickers to webm (very slow!)
]; ];
services.mautrix-whatsapp = { services.mautrix-whatsapp = {
@ -240,7 +244,7 @@ in {
domain = matrixDomain; domain = matrixDomain;
}; };
appservice = { appservice = {
address= "http://localhost:29318"; address = "http://localhost:29318";
hostname = "0.0.0.0"; hostname = "0.0.0.0";
port = 29318; port = 29318;
database = { database = {
@ -287,8 +291,7 @@ in {
domain = matrixDomain; domain = matrixDomain;
}; };
appservice = { appservice = {
address = "http://localhost:29328";
address= "http://localhost:29328";
hostname = "0.0.0.0"; hostname = "0.0.0.0";
port = 29328; port = 29328;
database = { database = {
@ -314,7 +317,7 @@ in {
# messages out after a while. # messages out after a while.
systemd.timers."restart-bridges" = { systemd.timers."restart-bridges" = {
wantedBy = [ "timers.target" ]; wantedBy = ["timers.target"];
timerConfig = { timerConfig = {
OnBootSec = "1d"; OnBootSec = "1d";
OnUnitActiveSec = "1d"; OnUnitActiveSec = "1d";
@ -324,14 +327,13 @@ in {
systemd.services."restart-bridges" = { systemd.services."restart-bridges" = {
script = '' script = ''
systemctl restart mautrix-whatsapp.service systemctl restart mautrix-whatsapp.service
systemctl restart mautrix-signal.service systemctl restart mautrix-signal.service
systemctl restart mautrix-telegram.service systemctl restart mautrix-telegram.service
''; '';
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
User = "root"; User = "root";
}; };
}; };
} }


@ -1,28 +1,31 @@
{ config, lib, modulesPath, ... }:
{ {
imports = config,
[ (modulesPath + "/profiles/qemu-guest.nix") lib,
]; modulesPath,
...
}: {
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ]; boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod"];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [];
boot.kernelModules = [ "kvm-amd" ]; boot.kernelModules = ["kvm-amd"];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [];
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-uuid/4b47378a-02eb-4548-bab8-59cbf379252a"; device = "/dev/disk/by-uuid/4b47378a-02eb-4548-bab8-59cbf379252a";
fsType = "xfs"; fsType = "xfs";
}; };
fileSystems."/boot" = fileSystems."/boot" = {
{ device = "/dev/disk/by-uuid/2B75-2AD5"; device = "/dev/disk/by-uuid/2B75-2AD5";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = swapDevices = [
[ { device = "/dev/disk/by-uuid/f0126a93-753e-4769-ada8-7499a1efb3a9"; } {device = "/dev/disk/by-uuid/f0126a93-753e-4769-ada8-7499a1efb3a9";}
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,6 +1,8 @@
{ config, pkgs, ... }:
{ {
config,
pkgs,
...
}: {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
@ -19,13 +21,13 @@
nix.settings.experimental-features = ["nix-command" "flakes"]; nix.settings.experimental-features = ["nix-command" "flakes"];
sops = { sops = {
age.sshKeyPaths = [ "/etc/ssh/sops" ]; age.sshKeyPaths = ["/etc/ssh/sops"];
defaultSopsFile = "/root/.dotfiles/secrets/sync/secrets.yaml"; defaultSopsFile = "/root/.dotfiles/secrets/sync/secrets.yaml";
validateSopsFiles = false; validateSopsFiles = false;
secrets.swarsel = { owner = "root";}; secrets.swarsel = {owner = "root";};
secrets.dnstokenfull = {owner="acme";}; secrets.dnstokenfull = {owner = "acme";};
templates."certs.secret".content = '' templates."certs.secret".content = ''
CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull} CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
''; '';
}; };
@ -44,7 +46,6 @@
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedGzipSettings = true; recommendedGzipSettings = true;
virtualHosts = { virtualHosts = {
"synki.swarsel.win" = { "synki.swarsel.win" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@ -53,8 +54,8 @@
"/" = { "/" = {
proxyPass = "http://localhost:27701"; proxyPass = "http://localhost:27701";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';
}; };
}; };
}; };
@ -67,8 +68,8 @@
"/" = { "/" = {
proxyPass = "http://localhost:8384/"; proxyPass = "http://localhost:8384/";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';
}; };
}; };
}; };
@ -81,8 +82,8 @@
"/" = { "/" = {
proxyPass = "http://localhost:3000"; proxyPass = "http://localhost:3000";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';
}; };
}; };
}; };
@ -96,14 +97,14 @@
enableIPv6 = false; enableIPv6 = false;
domain = "subnet03112148.vcn03112148.oraclevcn.com"; domain = "subnet03112148.vcn03112148.oraclevcn.com";
firewall.extraCommands = '' firewall.extraCommands = ''
iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 27701 -j ACCEPT iptables -I INPUT -m state --state NEW -p tcp --dport 27701 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 8384 -j ACCEPT iptables -I INPUT -m state --state NEW -p tcp --dport 8384 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 3000 -j ACCEPT iptables -I INPUT -m state --state NEW -p tcp --dport 3000 -j ACCEPT
iptables -I INPUT -m state --state NEW -p tcp --dport 22000 -j ACCEPT iptables -I INPUT -m state --state NEW -p tcp --dport 22000 -j ACCEPT
iptables -I INPUT -m state --state NEW -p udp --dport 22000 -j ACCEPT iptables -I INPUT -m state --state NEW -p udp --dport 22000 -j ACCEPT
iptables -I INPUT -m state --state NEW -p udp --dport 21027 -j ACCEPT iptables -I INPUT -m state --state NEW -p udp --dport 21027 -j ACCEPT
''; '';
}; };
services.openssh = { services.openssh = {
@ -160,5 +161,4 @@
}; };
}; };
}; };
} }
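Review bot: The `firewall.extraCommands` block opens TCP 27701, 8384 and 3000 to every source, although the nginx locations in this same file already proxy those backends from `localhost` (at least `synki.swarsel.win` with `forceSSL = true`). Anyone who can reach the host can therefore talk to the backends over plain HTTP and skip the TLS front end; 8384 is the Syncthing GUI default port, which would make it the most sensitive of the three. I would drop those three rules and state the rest declaratively, `firewall.allowedTCPPorts = [80 443 22000];` and `firewall.allowedUDPPorts = [22000 21027];`, keeping the backends bound to loopback. The networking block starts outside the hunk, and whether the backends listen on all interfaces is not visible here.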


@ -1,24 +1,27 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, modulesPath, ... }:
{ {
imports = config,
[ (modulesPath + "/installer/scan/not-detected.nix") lib,
]; modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ata_piix" "usb_storage" "sd_mod" "sr_mod" ]; boot.initrd.availableKernelModules = ["xhci_pci" "ehci_pci" "ata_piix" "usb_storage" "sd_mod" "sr_mod"];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [];
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-uuid/147e3682-eb15-4e96-9cac-4f2fb5888a69"; device = "/dev/disk/by-uuid/147e3682-eb15-4e96-9cac-4f2fb5888a69";
fsType = "ext4"; fsType = "ext4";
}; };
swapDevices = [ ]; swapDevices = [];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,7 +1,11 @@
{ config, pkgs, sops, ... }: let {
config,
pkgs,
sops,
...
}: let
matrixDomain = "swatrix.swarsel.win"; matrixDomain = "swatrix.swarsel.win";
in { in {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
@ -10,9 +14,9 @@ in {
enable = true; enable = true;
device = "/dev/sda"; device = "/dev/sda";
useOSProber = true; useOSProber = true;
supportedFilesystems = [ "zfs" ]; supportedFilesystems = ["zfs"];
zfs.forceImportRoot = false; zfs.forceImportRoot = false;
kernelModules = [ "tun" ]; kernelModules = ["tun"];
kernel.sysctl = { kernel.sysctl = {
"net.ipv4.conf.all.rp_filter" = 2; "net.ipv4.conf.all.rp_filter" = 2;
"net.ipv4.conf.default.rp_filter" = 2; "net.ipv4.conf.default.rp_filter" = 2;
@ -26,13 +30,13 @@ in {
enableIPv6 = true; enableIPv6 = true;
firewall.enable = false; firewall.enable = false;
firewall.extraCommands = '' firewall.extraCommands = ''
sudo iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP sudo iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP
''; '';
iproute2 = { iproute2 = {
enable = true; enable = true;
rttablesExtraConfig = '' rttablesExtraConfig = ''
200 vpn 200 vpn
''; '';
}; };
}; };
@ -41,7 +45,7 @@ in {
hardware.enableAllFirmware = true; hardware.enableAllFirmware = true;
extraPackages = with pkgs; [ extraPackages = with pkgs; [
intel-media-driver # LIBVA_DRIVER_NAME=iHD intel-media-driver # LIBVA_DRIVER_NAME=iHD
vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium) vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
vaapiVdpau vaapiVdpau
libvdpau-va-gl libvdpau-va-gl
]; ];
@ -64,7 +68,7 @@ in {
}; };
users = { users = {
jellyfin = { jellyfin = {
extraGroups = [ "video" "render" ]; extraGroups = ["video" "render"];
}; };
vpn = { vpn = {
isNormalUser = true; isNormalUser = true;
@ -75,23 +79,23 @@ in {
isSystemUser = true; isSystemUser = true;
uid = 61593; uid = 61593;
group = "navidrome"; group = "navidrome";
extraGroups = [ "audio" "utmp" ]; extraGroups = ["audio" "utmp"];
}; };
spotifyd = { spotifyd = {
isSystemUser = true; isSystemUser = true;
uid = 65136; uid = 65136;
group = "spotifyd"; group = "spotifyd";
extraGroups = [ "audio" "utmp" ]; extraGroups = ["audio" "utmp"];
}; };
mpd = { mpd = {
isSystemUser = true; isSystemUser = true;
group = "mpd"; group = "mpd";
extraGroups = [ "audio" "utmp" ]; extraGroups = ["audio" "utmp"];
}; };
swarsel = { swarsel = {
isNormalUser = true; isNormalUser = true;
description = "Leon S"; description = "Leon S";
extraGroups = [ "networkmanager" "wheel" "lp"]; extraGroups = ["networkmanager" "wheel" "lp"];
packages = with pkgs; []; packages = with pkgs; [];
}; };
root = { root = {
@ -133,26 +137,26 @@ in {
zfs zfs
]; ];
etc = { etc = {
"openvpn/iptables.sh" = "openvpn/iptables.sh" = {
{ source = ../../scripts/server1/iptables.sh; source = ../../scripts/server1/iptables.sh;
mode = "0755"; mode = "0755";
}; };
"openvpn/update-resolv-conf" = "openvpn/update-resolv-conf" = {
{ source = ../../scripts/server1/update-resolv-conf; source = ../../scripts/server1/update-resolv-conf;
mode = "0755"; mode = "0755";
}; };
"openvpn/routing.sh" = "openvpn/routing.sh" = {
{ source = ../../scripts/server1/routing.sh; source = ../../scripts/server1/routing.sh;
mode = "0755"; mode = "0755";
}; };
"openvpn/ca.rsa.2048.crt" = "openvpn/ca.rsa.2048.crt" = {
{ source = ../../secrets/certs/ca.rsa.2048.crt; source = ../../secrets/certs/ca.rsa.2048.crt;
mode = "0644"; mode = "0644";
}; };
"openvpn/crl.rsa.2048.pem" = "openvpn/crl.rsa.2048.pem" = {
{ source = ../../secrets/certs/crl.rsa.2048.pem; source = ../../secrets/certs/crl.rsa.2048.pem;
mode = "0644"; mode = "0644";
}; };
}; };
shellAliases = { shellAliases = {
nswitch = "cd ~/.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; nswitch = "cd ~/.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
@ -161,7 +165,7 @@ in {
systemd = { systemd = {
timers."restart-bridges" = { timers."restart-bridges" = {
wantedBy = [ "timers.target" ]; wantedBy = ["timers.target"];
timerConfig = { timerConfig = {
OnBootSec = "1d"; OnBootSec = "1d";
OnUnitActiveSec = "1d"; OnUnitActiveSec = "1d";
@ -171,10 +175,10 @@ in {
services."restart-bridges" = { services."restart-bridges" = {
script = '' script = ''
systemctl restart mautrix-whatsapp.service systemctl restart mautrix-whatsapp.service
systemctl restart mautrix-signal.service systemctl restart mautrix-signal.service
systemctl restart mautrix-telegram.service systemctl restart mautrix-telegram.service
''; '';
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
User = "root"; User = "root";
@ -190,19 +194,19 @@ in {
}; };
sops = { sops = {
age.sshKeyPaths = [ "/etc/ssh/sops" ]; age.sshKeyPaths = ["/etc/ssh/sops"];
defaultSopsFile = "/root/.dotfiles/secrets/sandbox/secrets.yaml"; defaultSopsFile = "/root/.dotfiles/secrets/sandbox/secrets.yaml";
validateSopsFiles = false; validateSopsFiles = false;
secrets = { secrets = {
dnstokenfull = {owner="acme";}; dnstokenfull = {owner = "acme";};
kavita = { owner = "kavita";}; kavita = {owner = "kavita";};
vpnuser = {}; vpnuser = {};
rpcuser = {owner="vpn";}; rpcuser = {owner = "vpn";};
vpnpass = {}; vpnpass = {};
rpcpass = {owner="vpn";}; rpcpass = {owner = "vpn";};
vpnprot = {}; vpnprot = {};
vpnloc = {}; vpnloc = {};
mpdpass = { owner = "mpd";}; mpdpass = {owner = "mpd";};
}; };
templates = { templates = {
"transmission-rpc" = { "transmission-rpc" = {
@ -214,37 +218,37 @@ in {
}; };
pia.content = '' pia.content = ''
${config.sops.placeholder.vpnuser} ${config.sops.placeholder.vpnuser}
${config.sops.placeholder.vpnpass} ${config.sops.placeholder.vpnpass}
''; '';
vpn.content = '' vpn.content = ''
client client
dev tun dev tun
proto ${config.sops.placeholder.vpnprot} proto ${config.sops.placeholder.vpnprot}
remote ${config.sops.placeholder.vpnloc} remote ${config.sops.placeholder.vpnloc}
resolv-retry infinite resolv-retry infinite
nobind nobind
persist-key persist-key
persist-tun persist-tun
cipher aes-128-cbc cipher aes-128-cbc
auth sha1 auth sha1
tls-client tls-client
remote-cert-tls server remote-cert-tls server
auth-user-pass ${config.sops.templates.pia.path} auth-user-pass ${config.sops.templates.pia.path}
compress compress
verb 1 verb 1
reneg-sec 0 reneg-sec 0
crl-verify /etc/openvpn/crl.rsa.2048.pem crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt ca /etc/openvpn/ca.rsa.2048.crt
disable-occ disable-occ
''; '';
"certs.secret".content = '' "certs.secret".content = ''
CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull} CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
''; '';
}; };
}; };
@ -265,10 +269,12 @@ in {
openssh = { openssh = {
enable = true; enable = true;
settings.PermitRootLogin = "yes"; settings.PermitRootLogin = "yes";
listenAddresses = [{ listenAddresses = [
port = 22; {
addr = "0.0.0.0"; port = 22;
}]; addr = "0.0.0.0";
}
];
}; };
nginx = { nginx = {
@ -278,7 +284,6 @@ in {
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedGzipSettings = true; recommendedGzipSettings = true;
virtualHosts = { virtualHosts = {
"stash.swarsel.win" = { "stash.swarsel.win" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@ -287,8 +292,8 @@ in {
"/" = { "/" = {
proxyPass = "https://192.168.1.5"; proxyPass = "https://192.168.1.5";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';
}; };
"/.well-known/carddav" = { "/.well-known/carddav" = {
return = "301 $scheme://$host/remote.php/dav"; return = "301 $scheme://$host/remote.php/dav";
@ -307,13 +312,12 @@ in {
"~ ^(/_matrix|/_synapse/client)" = { "~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://127.0.0.1:8008"; proxyPass = "http://127.0.0.1:8008";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';
}; };
}; };
}; };
"sound.swarsel.win" = { "sound.swarsel.win" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@ -323,13 +327,13 @@ in {
proxyPass = "http://127.0.0.1:4040"; proxyPass = "http://127.0.0.1:4040";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = '' extraConfig = ''
proxy_redirect http:// https://; proxy_redirect http:// https://;
proxy_read_timeout 600s; proxy_read_timeout 600s;
proxy_send_timeout 600s; proxy_send_timeout 600s;
proxy_buffering off; proxy_buffering off;
proxy_request_buffering off; proxy_request_buffering off;
client_max_body_size 0; client_max_body_size 0;
''; '';
}; };
}; };
}; };
@ -342,8 +346,8 @@ in {
"/" = { "/" = {
proxyPass = "http://127.0.0.1:28981"; proxyPass = "http://127.0.0.1:28981";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';
}; };
}; };
}; };
@ -356,8 +360,8 @@ in {
"/" = { "/" = {
proxyPass = "http://127.0.0.1:8096"; proxyPass = "http://127.0.0.1:8096";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';
}; };
}; };
}; };
@ -370,8 +374,8 @@ in {
"/" = { "/" = {
proxyPass = "http://127.0.0.1:8080"; proxyPass = "http://127.0.0.1:8080";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';
}; };
}; };
}; };
@ -417,74 +421,74 @@ in {
credentialsFile = config.sops.templates."transmission-rpc".path; credentialsFile = config.sops.templates."transmission-rpc".path;
user = "vpn"; user = "vpn";
settings = { settings = {
alt-speed-down= 8000; alt-speed-down = 8000;
alt-speed-enabled= false; alt-speed-enabled = false;
alt-speed-time-begin= 0; alt-speed-time-begin = 0;
alt-speed-time-day= 127; alt-speed-time-day = 127;
alt-speed-time-enabled= true; alt-speed-time-enabled = true;
alt-speed-time-end= 360; alt-speed-time-end = 360;
alt-speed-up= 2000; alt-speed-up = 2000;
bind-address-ipv4= "0.0.0.0"; bind-address-ipv4 = "0.0.0.0";
bind-address-ipv6= "::"; bind-address-ipv6 = "::";
blocklist-enabled= false; blocklist-enabled = false;
blocklist-url= "http://www.example.com/blocklist"; blocklist-url = "http://www.example.com/blocklist";
cache-size-mb= 256; cache-size-mb = 256;
dht-enabled= false; dht-enabled = false;
download-dir= "/test"; download-dir = "/test";
download-limit= 100; download-limit = 100;
download-limit-enabled= 0; download-limit-enabled = 0;
download-queue-enabled= true; download-queue-enabled = true;
download-queue-size= 5; download-queue-size = 5;
encryption= 2; encryption = 2;
idle-seeding-limit= 30; idle-seeding-limit = 30;
idle-seeding-limit-enabled= false; idle-seeding-limit-enabled = false;
incomplete-dir= "/var/lib/transmission-daemon/Downloads"; incomplete-dir = "/var/lib/transmission-daemon/Downloads";
incomplete-dir-enabled= false; incomplete-dir-enabled = false;
lpd-enabled= false; lpd-enabled = false;
max-peers-global= 200; max-peers-global = 200;
message-level= 1; message-level = 1;
peer-congestion-algorithm= ""; peer-congestion-algorithm = "";
peer-id-ttl-hours= 6; peer-id-ttl-hours = 6;
peer-limit-global= 100; peer-limit-global = 100;
peer-limit-per-torrent= 40; peer-limit-per-torrent = 40;
peer-port= 22371; peer-port = 22371;
peer-port-random-high= 65535; peer-port-random-high = 65535;
peer-port-random-low= 49152; peer-port-random-low = 49152;
peer-port-random-on-start= false; peer-port-random-on-start = false;
peer-socket-tos= "default"; peer-socket-tos = "default";
pex-enabled= false; pex-enabled = false;
port-forwarding-enabled= false; port-forwarding-enabled = false;
preallocation= 1; preallocation = 1;
prefetch-enabled= true; prefetch-enabled = true;
queue-stalled-enabled= true; queue-stalled-enabled = true;
queue-stalled-minutes= 30; queue-stalled-minutes = 30;
ratio-limit= 2; ratio-limit = 2;
ratio-limit-enabled= false; ratio-limit-enabled = false;
rename-partial-files= true; rename-partial-files = true;
rpc-authentication-required= true; rpc-authentication-required = true;
rpc-bind-address= "0.0.0.0"; rpc-bind-address = "0.0.0.0";
rpc-enabled= true; rpc-enabled = true;
rpc-host-whitelist= ""; rpc-host-whitelist = "";
rpc-host-whitelist-enabled= true; rpc-host-whitelist-enabled = true;
rpc-port= 9091; rpc-port = 9091;
rpc-url= "/transmission/"; rpc-url = "/transmission/";
rpc-whitelist= "127.0.0.1,192.168.3.2"; rpc-whitelist = "127.0.0.1,192.168.3.2";
rpc-whitelist-enabled= true; rpc-whitelist-enabled = true;
scrape-paused-torrents-enabled= true; scrape-paused-torrents-enabled = true;
script-torrent-done-enabled= false; script-torrent-done-enabled = false;
seed-queue-enabled= false; seed-queue-enabled = false;
seed-queue-size= 10; seed-queue-size = 10;
speed-limit-down= 6000; speed-limit-down = 6000;
speed-limit-down-enabled= true; speed-limit-down-enabled = true;
speed-limit-up= 500; speed-limit-up = 500;
speed-limit-up-enabled= true; speed-limit-up-enabled = true;
start-added-torrents= true; start-added-torrents = true;
trash-original-torrent-files= false; trash-original-torrent-files = false;
umask= 2; umask = 2;
upload-limit= 100; upload-limit = 100;
upload-limit-enabled= 0; upload-limit-enabled = 0;
upload-slots-per-torrent= 14; upload-slots-per-torrent = 14;
utp-enabled= false; utp-enabled = false;
}; };
}; };
@ -508,9 +512,6 @@ in {
# MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash} # MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash}
# ''; # '';
# ---------------- # ----------------
# sops.secrets.mautrixwhatsapp_shared = {owner="matrix-synapse";}; # sops.secrets.mautrixwhatsapp_shared = {owner="matrix-synapse";};
# sops.templates.mautrixwhatsapp.owner = "matrix-synapse"; # sops.templates.mautrixwhatsapp.owner = "matrix-synapse";
@ -521,27 +522,27 @@ in {
postgresql = { postgresql = {
enable = true; enable = true;
initialScript = pkgs.writeText "synapse-init.sql" '' initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0 TEMPLATE template0
LC_COLLATE = "C" LC_COLLATE = "C"
LC_CTYPE = "C"; LC_CTYPE = "C";
CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram'; CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram';
CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram" CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram"
TEMPLATE template0 TEMPLATE template0
LC_COLLATE = "C" LC_COLLATE = "C"
LC_CTYPE = "C"; LC_CTYPE = "C";
CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp'; CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';
CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp" CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"
TEMPLATE template0 TEMPLATE template0
LC_COLLATE = "C" LC_COLLATE = "C"
LC_CTYPE = "C"; LC_CTYPE = "C";
CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal'; CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal';
CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal" CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal"
TEMPLATE template0 TEMPLATE template0
LC_COLLATE = "C" LC_COLLATE = "C"
LC_CTYPE = "C"; LC_CTYPE = "C";
''; '';
}; };
matrix-synapse = { matrix-synapse = {
settings.app_service_config_files = [ settings.app_service_config_files = [
@ -557,14 +558,15 @@ in {
config.sops.templates.matrixshared.path config.sops.templates.matrixshared.path
]; ];
settings.listeners = [ settings.listeners = [
{ port = 8008; {
bind_addresses = [ "0.0.0.0" ]; port = 8008;
bind_addresses = ["0.0.0.0"];
type = "http"; type = "http";
tls = false; tls = false;
x_forwarded = true; x_forwarded = true;
resources = [ resources = [
{ {
names = [ "client" "federation" ]; names = ["client" "federation"];
compress = true; compress = true;
} }
]; ];
@ -581,7 +583,7 @@ in {
domain = matrixDomain; domain = matrixDomain;
}; };
appservice = { appservice = {
address= "http://localhost:29317"; address = "http://localhost:29317";
hostname = "0.0.0.0"; hostname = "0.0.0.0";
port = "29317"; port = "29317";
provisioning.enabled = true; provisioning.enabled = true;
@ -613,8 +615,8 @@ in {
args = { args = {
width = 256; width = 256;
height = 256; height = 256;
fps = 30; # only for webm fps = 30; # only for webm
background = "020202"; # only for gif, transparency not supported background = "020202"; # only for gif, transparency not supported
}; };
}; };
}; };
@ -630,7 +632,7 @@ in {
domain = matrixDomain; domain = matrixDomain;
}; };
appservice = { appservice = {
address= "http://localhost:29318"; address = "http://localhost:29318";
hostname = "0.0.0.0"; hostname = "0.0.0.0";
port = 29318; port = 29318;
database = { database = {
@ -676,8 +678,7 @@ in {
domain = matrixDomain; domain = matrixDomain;
}; };
appservice = { appservice = {
address = "http://localhost:29328";
address= "http://localhost:29328";
hostname = "0.0.0.0"; hostname = "0.0.0.0";
port = 29328; port = 29328;
database = { database = {
@ -740,7 +741,6 @@ in {
]; ];
}; };
spotifyd = { spotifyd = {
enable = true; enable = true;
settings = { settings = {
@ -760,18 +760,18 @@ in {
samba = { samba = {
package = pkgs.samba4Full; package = pkgs.samba4Full;
extraConfig = '' extraConfig = ''
workgroup = WORKGROUP workgroup = WORKGROUP
server role = standalone server server role = standalone server
dns proxy = no dns proxy = no
pam password change = yes pam password change = yes
map to guest = bad user map to guest = bad user
create mask = 0664 create mask = 0664
force create mode = 0664 force create mode = 0664
directory mask = 0775 directory mask = 0775
force directory mode = 0775 force directory mode = 0775
follow symlinks = yes follow symlinks = yes
''; '';
# ^^ `samba4Full` is compiled with avahi, ldap, AD etc support compared to the default package, `samba` # ^^ `samba4Full` is compiled with avahi, ldap, AD etc support compared to the default package, `samba`
# Required for samba to register mDNS records for auto discovery # Required for samba to register mDNS records for auto discovery
@ -789,7 +789,6 @@ in {
}; };
}; };
avahi = { avahi = {
publish.enable = true; publish.enable = true;
publish.userServices = true; publish.userServices = true;
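Review bot: `firewall.enable = false;` in the networking hunk switches the NixOS firewall off, so the `firewall.extraCommands` rule directly below it is never installed and every `0.0.0.0` listener in this file is reachable from whatever network the host sits on: sshd with `PermitRootLogin = "yes"`, the Synapse listener on 8008 with `tls = false` and `x_forwarded = true`, the bridge appservices and the Transmission RPC port. The rule looks like a kill switch for the `vpn` user, so unless `/etc/openvpn/iptables.sh` installs it separately, that user's traffic is not confined to the tunnel. I would set `firewall.enable = true;`, allow only the published ports with `firewall.allowedTCPPorts = [22 80 443];` (plus any LAN services that are meant to be exposed), and drop the `sudo` prefix because the firewall script already runs as root. Since nginx proxies to `127.0.0.1:8008`, the Synapse listener can also be narrowed to `bind_addresses = ["127.0.0.1"];`. The networking block starts above the hunk, so other settings in it are not visible.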


@ -1,41 +1,43 @@
{ pkgs, modulesPath, ... }: {
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
];
{ environment.systemPackages = with pkgs; [
imports = [ git
(modulesPath + "/virtualisation/proxmox-lxc.nix") gnupg
]; ssh-to-age
];
environment.systemPackages = with pkgs; [ services.xserver = {
git layout = "us";
gnupg xkbVariant = "altgr-intl";
ssh-to-age };
];
services.xserver = { nix.settings.experimental-features = ["nix-command" "flakes"];
layout = "us";
xkbVariant = "altgr-intl";
};
nix.settings.experimental-features = ["nix-command" "flakes"]; proxmoxLXC = {
manageNetwork = true; # manage network myself
manageHostName = false; # manage hostname myself
};
networking = {
hostName = "TEMPLATE"; # Define your hostname.
useDHCP = true;
enableIPv6 = false;
firewall.enable = false;
};
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
};
users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys
];
# users.users.root.password = "TEMPLATE";
proxmoxLXC = { system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
manageNetwork = true; # manage network myself }
manageHostName = false; # manage hostname myself
};
networking = {
hostName = "TEMPLATE"; # Define your hostname.
useDHCP = true;
enableIPv6 = false;
firewall.enable = false;
};
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
};
users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys
];
# users.users.root.password = "TEMPLATE";
system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
}
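Review bot: `settings.PermitRootLogin = "yes";` in `services.openssh` allows password logins for root even though root already receives keys through `users.users.root.openssh.authorizedKeys.keyFiles`, and `firewall.enable = false` leaves sshd unfiltered. Because this is the TEMPLATE host, every container derived from it inherits both settings. I would restrict root to key authentication with `settings.PermitRootLogin = "prohibit-password";` and `settings.PasswordAuthentication = false;`, and add a comment next to `firewall.enable = false;` stating which upstream device is expected to filter traffic. The commented-out `users.users.root.password` line suggests a password was once intended, so confirm that no derived host depends on it.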


@ -1,22 +1,20 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ lib, ... }: {lib, ...}: {
imports = [];
{ boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "vfio_pci" "usbhid"];
imports = [ ]; boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ]; fileSystems."/" = {
boot.initrd.kernelModules = [ ]; device = "/dev/mapper/pve-vm--120--disk--0";
boot.kernelModules = [ "kvm-intel" ]; fsType = "ext4";
boot.extraModulePackages = [ ]; };
fileSystems."/" = swapDevices = [];
{ device = "/dev/mapper/pve-vm--120--disk--0";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,70 +1,71 @@
{ config, pkgs, modulesPath, ... }: {
config,
pkgs,
modulesPath,
...
}: {
imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix")
./hardware-configuration.nix
];
{ environment.systemPackages = with pkgs; [
imports = [ git
(modulesPath + "/virtualisation/proxmox-lxc.nix") gnupg
./hardware-configuration.nix ssh-to-age
calibre
];
users.groups.lxc_shares = {
gid = 10000;
members = [
"kavita"
"calibre-web"
"root"
]; ];
};
environment.systemPackages = with pkgs; [ services.xserver = {
git layout = "us";
gnupg xkbVariant = "altgr-intl";
ssh-to-age };
calibre
];
users.groups.lxc_shares = { nix.settings.experimental-features = ["nix-command" "flakes"];
gid = 10000;
members = [
"kavita"
"calibre-web"
"root"
];
};
services.xserver = { sops = {
layout = "us"; age.sshKeyPaths = ["/etc/ssh/sops"];
xkbVariant = "altgr-intl"; defaultSopsFile = "/.dotfiles/secrets/calibre/secrets.yaml";
}; validateSopsFiles = false;
secrets.kavita = {owner = "kavita";};
};
proxmoxLXC = {
manageNetwork = true; # manage network myself
manageHostName = false; # manage hostname myself
};
networking = {
hostName = "calibre"; # Define your hostname.
useDHCP = true;
enableIPv6 = false;
firewall.enable = false;
};
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
};
users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys
];
nix.settings.experimental-features = ["nix-command" "flakes"]; system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
sops = { environment.shellAliases = {
age.sshKeyPaths = [ "/etc/ssh/sops" ]; nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
defaultSopsFile = "/.dotfiles/secrets/calibre/secrets.yaml"; };
validateSopsFiles = false;
secrets.kavita = { owner = "kavita";};
};
proxmoxLXC = {
manageNetwork = true; # manage network myself
manageHostName = false; # manage hostname myself
};
networking = {
hostName = "calibre"; # Define your hostname.
useDHCP = true;
enableIPv6 = false;
firewall.enable = false;
};
services.openssh = {
enable = true;
settings.PermitRootLogin = "yes";
};
users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys
];
system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change services.kavita = {
enable = true;
environment.shellAliases = { user = "kavita";
nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; port = 8080;
}; tokenKeyFile = config.sops.secrets.kavita.path;
};
services.kavita = { }
enable = true;
user = "kavita";
port = 8080;
tokenKeyFile = config.sops.secrets.kavita.path;
};
}
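Review bot: The `nswitch` alias in `environment.shellAliases` chains its steps with `;`, so `nixos-rebuild ... switch` still runs when `cd /.dotfiles` or `git pull` fails, and it activates whatever the pull brought in without verifying it. Chaining with `&&` and asking git to check commit signatures addresses both: `nswitch = "cd /.dotfiles && git pull --verify-signatures && nixos-rebuild --flake .#$(hostname) switch; cd -;";`. Signature checking only helps if the host's keyring holds the committer's public key, which this page does not show. The alias is repeated unchanged in the matrix, paperless, sound and spotifyd sections.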


@ -1,27 +1,25 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ lib, ... }: {lib, ...}: {
imports = [];
{ boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "vfio_pci" "usbhid"];
imports = [ ]; boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ]; fileSystems."/" = {
boot.initrd.kernelModules = [ ]; device = "/dev/mapper/pve-vm--121--disk--0";
boot.kernelModules = [ "kvm-intel" ]; fsType = "ext4";
boot.extraModulePackages = [ ]; };
fileSystems."/" = fileSystems."/media/Videos" = {
{ device = "/dev/mapper/pve-vm--121--disk--0"; device = "//192.168.1.3/Eternor";
fsType = "ext4"; fsType = "cifs";
}; };
fileSystems."/media/Videos" = swapDevices = [];
{ device = "//192.168.1.3/Eternor";
fsType = "cifs";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,6 +1,9 @@
{ config, pkgs, modulesPath, ... }:
{ {
config,
pkgs,
modulesPath,
...
}: {
imports = [ imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix") (modulesPath + "/virtualisation/proxmox-lxc.nix")
./hardware-configuration.nix ./hardware-configuration.nix
@ -21,7 +24,7 @@
}; };
users.users.jellyfin = { users.users.jellyfin = {
extraGroups = [ "video" "render" ]; extraGroups = ["video" "render"];
}; };
services.xserver = { services.xserver = {
@ -56,13 +59,13 @@
}; };
nixpkgs.config.packageOverrides = pkgs: { nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; vaapiIntel = pkgs.vaapiIntel.override {enableHybridCodec = true;};
}; };
hardware.graphics = { hardware.graphics = {
enable = true; enable = true;
extraPackages = with pkgs; [ extraPackages = with pkgs; [
intel-media-driver # LIBVA_DRIVER_NAME=iHD intel-media-driver # LIBVA_DRIVER_NAME=iHD
vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium) vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
vaapiVdpau vaapiVdpau
libvdpau-va-gl libvdpau-va-gl
]; ];
@ -73,5 +76,4 @@
user = "jellyfin"; user = "jellyfin";
# openFirewall = true; # this works only for the default ports # openFirewall = true; # this works only for the default ports
}; };
} }


@ -1,22 +1,20 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ lib, ... }: {lib, ...}: {
imports = [];
{ boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "vfio_pci" "usbhid"];
imports = [ ]; boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ]; fileSystems."/" = {
boot.initrd.kernelModules = [ ]; device = "/dev/mapper/pve-vm--102--disk--0";
boot.kernelModules = [ "kvm-intel" ]; fsType = "ext4";
boot.extraModulePackages = [ ]; };
fileSystems."/" = swapDevices = [];
{ device = "/dev/mapper/pve-vm--102--disk--0";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,8 +1,12 @@
{ config, pkgs, modulesPath, sops, ... }: let {
config,
pkgs,
modulesPath,
sops,
...
}: let
matrixDomain = "matrix2.swarsel.win"; matrixDomain = "matrix2.swarsel.win";
in { in {
services = { services = {
xserver = { xserver = {
layout = "us"; layout = "us";
@ -11,35 +15,36 @@ in {
openssh = { openssh = {
enable = true; enable = true;
settings.PermitRootLogin = "yes"; settings.PermitRootLogin = "yes";
listenAddresses = [{ listenAddresses = [
port = 22; {
addr = "0.0.0.0"; port = 22;
}]; addr = "0.0.0.0";
}
];
}; };
}; };
nix.settings.experimental-features = ["nix-command" "flakes"]; nix.settings.experimental-features = ["nix-command" "flakes"];
proxmoxLXC = { proxmoxLXC = {
manageNetwork = true; # manage network myself manageNetwork = true; # manage network myself
manageHostName = false; # manage hostname myself manageHostName = false; # manage hostname myself
}; };
networking = { networking = {
useDHCP = true; useDHCP = true;
enableIPv6 = false; enableIPv6 = false;
}; };
users.users.root.openssh.authorizedKeys.keyFiles = [ users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys ../../../secrets/keys/authorized_keys
]; ];
system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
environment.shellAliases = { environment.shellAliases = {
nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
}; };
imports = [ imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix") (modulesPath + "/virtualisation/proxmox-lxc.nix")
@ -62,25 +67,25 @@ in {
]; ];
sops = { sops = {
age.sshKeyPaths = [ "/etc/ssh/sops" ]; age.sshKeyPaths = ["/etc/ssh/sops"];
defaultSopsFile = "/.dotfiles/secrets/matrix/secrets.yaml"; defaultSopsFile = "/.dotfiles/secrets/matrix/secrets.yaml";
validateSopsFiles = false; validateSopsFiles = false;
secrets = { secrets = {
matrixsharedsecret = {owner="matrix-synapse";}; matrixsharedsecret = {owner = "matrix-synapse";};
mautrixtelegram_as = {owner="matrix-synapse";}; mautrixtelegram_as = {owner = "matrix-synapse";};
mautrixtelegram_hs = {owner="matrix-synapse";}; mautrixtelegram_hs = {owner = "matrix-synapse";};
mautrixtelegram_api_id = {owner="matrix-synapse";}; mautrixtelegram_api_id = {owner = "matrix-synapse";};
mautrixtelegram_api_hash = {owner="matrix-synapse";}; mautrixtelegram_api_hash = {owner = "matrix-synapse";};
}; };
templates = { templates = {
"matrix_user_register.sh".content = '' "matrix_user_register.sh".content = ''
register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008 register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008
''; '';
matrixshared = { matrixshared = {
owner = "matrix-synapse"; owner = "matrix-synapse";
content = '' content = ''
registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret} registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret}
''; '';
}; };
mautrixtelegram = { mautrixtelegram = {
owner = "matrix-synapse"; owner = "matrix-synapse";
@ -89,7 +94,7 @@ in {
MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs} MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs}
MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id} MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id}
MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash} MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash}
''; '';
}; };
}; };
}; };
@ -97,27 +102,27 @@ in {
services.postgresql = { services.postgresql = {
enable = true; enable = true;
initialScript = pkgs.writeText "synapse-init.sql" '' initialScript = pkgs.writeText "synapse-init.sql" ''
CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
TEMPLATE template0 TEMPLATE template0
LC_COLLATE = "C" LC_COLLATE = "C"
LC_CTYPE = "C"; LC_CTYPE = "C";
CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram'; CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram';
CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram" CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram"
TEMPLATE template0 TEMPLATE template0
LC_COLLATE = "C" LC_COLLATE = "C"
LC_CTYPE = "C"; LC_CTYPE = "C";
CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp'; CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';
CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp" CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"
TEMPLATE template0 TEMPLATE template0
LC_COLLATE = "C" LC_COLLATE = "C"
LC_CTYPE = "C"; LC_CTYPE = "C";
CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal'; CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal';
CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal" CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal"
TEMPLATE template0 TEMPLATE template0
LC_COLLATE = "C" LC_COLLATE = "C"
LC_CTYPE = "C"; LC_CTYPE = "C";
''; '';
}; };
services.matrix-synapse = { services.matrix-synapse = {
@ -132,14 +137,15 @@ in {
server_name = matrixDomain; server_name = matrixDomain;
public_baseurl = "https://${matrixDomain}"; public_baseurl = "https://${matrixDomain}";
listeners = [ listeners = [
{ port = 8008; {
bind_addresses = [ "0.0.0.0" ]; port = 8008;
bind_addresses = ["0.0.0.0"];
type = "http"; type = "http";
tls = false; tls = false;
x_forwarded = true; x_forwarded = true;
resources = [ resources = [
{ {
names = [ "client" "federation" ]; names = ["client" "federation"];
compress = true; compress = true;
} }
]; ];
@ -160,7 +166,7 @@ in {
domain = matrixDomain; domain = matrixDomain;
}; };
appservice = { appservice = {
address= "http://localhost:29317"; address = "http://localhost:29317";
hostname = "0.0.0.0"; hostname = "0.0.0.0";
port = "29317"; port = "29317";
provisioning.enabled = true; provisioning.enabled = true;
@ -189,16 +195,16 @@ in {
args = { args = {
width = 256; width = 256;
height = 256; height = 256;
fps = 30; # only for webm fps = 30; # only for webm
background = "020202"; # only for gif, transparency not supported background = "020202"; # only for gif, transparency not supported
}; };
}; };
}; };
}; };
}; };
systemd.services.mautrix-telegram.path = with pkgs; [ systemd.services.mautrix-telegram.path = with pkgs; [
lottieconverter # for animated stickers conversion, unfree package lottieconverter # for animated stickers conversion, unfree package
ffmpeg # if converting animated stickers to webm (very slow!) ffmpeg # if converting animated stickers to webm (very slow!)
]; ];
services.mautrix-whatsapp = { services.mautrix-whatsapp = {
@ -209,7 +215,7 @@ in {
domain = matrixDomain; domain = matrixDomain;
}; };
appservice = { appservice = {
address= "http://localhost:29318"; address = "http://localhost:29318";
hostname = "0.0.0.0"; hostname = "0.0.0.0";
port = 29318; port = 29318;
database = { database = {
@ -255,8 +261,7 @@ in {
domain = matrixDomain; domain = matrixDomain;
}; };
appservice = { appservice = {
address = "http://localhost:29328";
address= "http://localhost:29328";
hostname = "0.0.0.0"; hostname = "0.0.0.0";
port = 29328; port = 29328;
database = { database = {
@ -282,7 +287,7 @@ in {
# messages out after a while. # messages out after a while.
systemd.timers."restart-bridges" = { systemd.timers."restart-bridges" = {
wantedBy = [ "timers.target" ]; wantedBy = ["timers.target"];
timerConfig = { timerConfig = {
OnBootSec = "1d"; OnBootSec = "1d";
OnUnitActiveSec = "1d"; OnUnitActiveSec = "1d";
@ -292,14 +297,13 @@ in {
systemd.services."restart-bridges" = { systemd.services."restart-bridges" = {
script = '' script = ''
systemctl restart mautrix-whatsapp.service systemctl restart mautrix-whatsapp.service
systemctl restart mautrix-signal.service systemctl restart mautrix-signal.service
systemctl restart mautrix-telegram.service systemctl restart mautrix-telegram.service
''; '';
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
User = "root"; User = "root";
}; };
}; };
} }
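Review bot: The `initialScript` built with `pkgs.writeText "synapse-init.sql"` embeds the role passwords (`'synapse'`, `'telegram'`, `'whatsapp'`, `'signal'`) as literals, so they end up in the world-readable Nix store and in the repository, and each one is simply the service name. This file already keeps the other Matrix credentials in `sops.secrets` and renders them through `sops.templates`; the database passwords should take the same route, or the roles should be created without a password and authenticated over the local socket. Whether PostgreSQL is reachable from other hosts is not visible in these hunks, so the exposure may be limited to local users. Separately, the Synapse listener on port 8008 uses `bind_addresses = ["0.0.0.0"]` with `tls = false`; if nothing outside the visible hunks restricts that port, client and federation traffic is served in clear text on every interface.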


@ -1,22 +1,20 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ lib, ... }: {lib, ...}: {
imports = [];
{ boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "vfio_pci" "usbhid"];
imports = [ ]; boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ]; fileSystems."/" = {
boot.initrd.kernelModules = [ ]; device = "/dev/mapper/pve-vm--119--disk--0";
boot.kernelModules = [ "kvm-intel" ]; fsType = "ext4";
boot.extraModulePackages = [ ]; };
fileSystems."/" = swapDevices = [];
{ device = "/dev/mapper/pve-vm--119--disk--0";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,5 +1,9 @@
{ config, pkgs, modulesPath, ... }:
{ {
config,
pkgs,
modulesPath,
...
}: {
imports = [ imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix") (modulesPath + "/virtualisation/proxmox-lxc.nix")
./hardware-configuration.nix ./hardware-configuration.nix
@ -21,12 +25,12 @@
nix.settings.experimental-features = ["nix-command" "flakes"]; nix.settings.experimental-features = ["nix-command" "flakes"];
sops = { sops = {
age.sshKeyPaths = [ "/etc/ssh/sops" ]; age.sshKeyPaths = ["/etc/ssh/sops"];
defaultSopsFile = "/.dotfiles/secrets/nginx/secrets.yaml"; defaultSopsFile = "/.dotfiles/secrets/nginx/secrets.yaml";
validateSopsFiles = false; validateSopsFiles = false;
secrets.dnstokenfull = {owner="acme";}; secrets.dnstokenfull = {owner = "acme";};
templates."certs.secret".content = '' templates."certs.secret".content = ''
CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull} CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
''; '';
}; };
proxmoxLXC = { proxmoxLXC = {
@ -69,7 +73,6 @@
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedGzipSettings = true; recommendedGzipSettings = true;
virtualHosts = { virtualHosts = {
"stash.swarsel.win" = { "stash.swarsel.win" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@ -79,7 +82,7 @@
proxyPass = "https://192.168.1.5"; proxyPass = "https://192.168.1.5";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';
}; };
# "/push/" = { # "/push/" = {
# proxyPass = "http://192.168.2.5:7867"; # proxyPass = "http://192.168.2.5:7867";
@ -101,13 +104,12 @@
"~ ^(/_matrix|/_synapse/client)" = { "~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://192.168.1.23:8008"; proxyPass = "http://192.168.1.23:8008";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';
}; };
}; };
}; };
"sound.swarsel.win" = { "sound.swarsel.win" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@ -117,13 +119,13 @@
proxyPass = "http://192.168.1.13:4040"; proxyPass = "http://192.168.1.13:4040";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = '' extraConfig = ''
proxy_redirect http:// https://; proxy_redirect http:// https://;
proxy_read_timeout 600s; proxy_read_timeout 600s;
proxy_send_timeout 600s; proxy_send_timeout 600s;
proxy_buffering off; proxy_buffering off;
proxy_request_buffering off; proxy_request_buffering off;
client_max_body_size 0; client_max_body_size 0;
''; '';
}; };
}; };
}; };
@ -136,8 +138,8 @@
"/" = { "/" = {
proxyPass = "http://192.168.1.24:28981"; proxyPass = "http://192.168.1.24:28981";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';
}; };
}; };
}; };
@ -150,8 +152,8 @@
"/" = { "/" = {
proxyPass = "http://192.168.1.16:8096"; proxyPass = "http://192.168.1.16:8096";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';
}; };
}; };
}; };
@ -164,8 +166,8 @@
"~ ^(/_matrix|/_synapse/client)" = { "~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://192.168.1.20:8008"; proxyPass = "http://192.168.1.20:8008";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';
}; };
}; };
}; };
@ -178,8 +180,8 @@
"/" = { "/" = {
proxyPass = "http://192.168.1.22:8080"; proxyPass = "http://192.168.1.22:8080";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';
}; };
}; };
}; };
@ -192,13 +194,11 @@
"/" = { "/" = {
proxyPass = "https://192.168.1.7"; proxyPass = "https://192.168.1.7";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';
}; };
}; };
}; };
}; };
}; };
} }
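Review bot: Every proxied location shown under `virtualHosts` sets `client_max_body_size 0;`, which switches off nginx's request-body limit, including on the `~ ^(/_matrix|/_synapse/client)` locations that are presumably reachable from the internet. A finite value per location keeps a client from streaming arbitrarily large bodies through to the backends, for example `client_max_body_size 100M;` (constructed value; choose one that matches each backend's own upload limit). The vhost blocks start and end outside the visible hunks, so a limit set elsewhere in the file would not show up here.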


@ -1,22 +1,20 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ lib, ... }: {lib, ...}: {
imports = [];
{ boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "vfio_pci" "usbhid"];
imports = [ ]; boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ]; fileSystems."/" = {
boot.initrd.kernelModules = [ ]; device = "/dev/mapper/pve-vm--117--disk--0";
boot.kernelModules = [ "kvm-intel" ]; fsType = "ext4";
boot.extraModulePackages = [ ]; };
fileSystems."/" = swapDevices = [];
{ device = "/dev/mapper/pve-vm--117--disk--0";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,14 +1,14 @@
{ config, pkgs, modulesPath, ... }:
{ {
config,
pkgs,
modulesPath,
...
}: {
imports = [ imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix") (modulesPath + "/virtualisation/proxmox-lxc.nix")
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
services = { services = {
xserver = { xserver = {
layout = "us"; layout = "us";
@ -17,36 +17,36 @@
openssh = { openssh = {
enable = true; enable = true;
settings.PermitRootLogin = "yes"; settings.PermitRootLogin = "yes";
listenAddresses = [{ listenAddresses = [
port = 22; {
addr = "0.0.0.0"; port = 22;
}]; addr = "0.0.0.0";
}
];
}; };
}; };
nix.settings.experimental-features = ["nix-command" "flakes"]; nix.settings.experimental-features = ["nix-command" "flakes"];
proxmoxLXC = { proxmoxLXC = {
manageNetwork = true; # manage network myself manageNetwork = true; # manage network myself
manageHostName = false; # manage hostname myself manageHostName = false; # manage hostname myself
}; };
networking = { networking = {
useDHCP = true; useDHCP = true;
enableIPv6 = false; enableIPv6 = false;
}; };
users.users.root.openssh.authorizedKeys.keyFiles = [ users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys ../../../secrets/keys/authorized_keys
]; ];
system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
environment.shellAliases = { environment.shellAliases = {
nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
}; };
users.groups.lxc_shares = { users.groups.lxc_shares = {
gid = 10000; gid = 10000;
@ -68,10 +68,10 @@
}; };
sops = { sops = {
age.sshKeyPaths = [ "/etc/ssh/sops" ]; age.sshKeyPaths = ["/etc/ssh/sops"];
defaultSopsFile = "/root/.dotfiles/secrets/paperless/secrets.yaml"; defaultSopsFile = "/root/.dotfiles/secrets/paperless/secrets.yaml";
validateSopsFiles = false; validateSopsFiles = false;
secrets.admin = { owner = "paperless";}; secrets.admin = {owner = "paperless";};
}; };
services.paperless = { services.paperless = {
@ -90,5 +90,4 @@
}; };
}; };
}; };
} }
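Review bot: `defaultSopsFile` in the `sops` block points to `/root/.dotfiles/secrets/paperless/secrets.yaml`, while the `nswitch` alias in the same file pulls into `/.dotfiles` and the other hosts in this commit read their secrets from `/.dotfiles/secrets/...`. Because `validateSopsFiles = false` skips the evaluation-time check of that file, a wrong path would only surface as a failed secret decryption at activation. If the repository lives under `/.dotfiles` on this host, the line should read `defaultSopsFile = "/.dotfiles/secrets/paperless/secrets.yaml";`. If the `/root` location is intentional, a short comment saying so would stop the next reader from "correcting" it.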


@ -1,28 +1,26 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ lib, ... }: {lib, ...}: {
imports = [];
{ boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "vfio_pci" "usbhid"];
imports = [ ]; boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ]; fileSystems."/" = {
boot.initrd.kernelModules = [ ]; device = "/mnt/data/images/118/vm-118-disk-0.raw";
boot.kernelModules = [ "kvm-intel" ]; fsType = "ext4";
boot.extraModulePackages = [ ]; options = ["loop"];
};
fileSystems."/" = fileSystems."/media" = {
{ device = "/mnt/data/images/118/vm-118-disk-0.raw"; device = "//192.168.1.3/Eternor";
fsType = "ext4"; fsType = "cifs";
options = [ "loop" ]; };
};
fileSystems."/media" = swapDevices = [];
{ device = "//192.168.1.3/Eternor";
fsType = "cifs";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,14 +1,14 @@
{ config, pkgs, modulesPath, ... }:
{ {
config,
pkgs,
modulesPath,
...
}: {
imports = [ imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix") (modulesPath + "/virtualisation/proxmox-lxc.nix")
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
services = { services = {
xserver = { xserver = {
layout = "us"; layout = "us";
@ -17,36 +17,36 @@
openssh = { openssh = {
enable = true; enable = true;
settings.PermitRootLogin = "yes"; settings.PermitRootLogin = "yes";
listenAddresses = [{ listenAddresses = [
port = 22; {
addr = "0.0.0.0"; port = 22;
}]; addr = "0.0.0.0";
}
];
}; };
}; };
nix.settings.experimental-features = ["nix-command" "flakes"]; nix.settings.experimental-features = ["nix-command" "flakes"];
proxmoxLXC = { proxmoxLXC = {
manageNetwork = true; # manage network myself manageNetwork = true; # manage network myself
manageHostName = false; # manage hostname myself manageHostName = false; # manage hostname myself
}; };
networking = { networking = {
useDHCP = true; useDHCP = true;
enableIPv6 = false; enableIPv6 = false;
}; };
users.users.root.openssh.authorizedKeys.keyFiles = [ users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys ../../../secrets/keys/authorized_keys
]; ];
system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
environment.shellAliases = { environment.shellAliases = {
nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
}; };
proxmoxLXC.privileged = true; # manage hostname myself proxmoxLXC.privileged = true; # manage hostname myself
@ -73,13 +73,13 @@
isSystemUser = true; isSystemUser = true;
uid = 61593; uid = 61593;
group = "navidrome"; group = "navidrome";
extraGroups = [ "audio" "utmp" ]; extraGroups = ["audio" "utmp"];
}; };
mpd = { mpd = {
isSystemUser = true; isSystemUser = true;
group = "mpd"; group = "mpd";
extraGroups = [ "audio" "utmp" ]; extraGroups = ["audio" "utmp"];
}; };
}; };
}; };
@ -103,10 +103,10 @@
]; ];
sops = { sops = {
age.sshKeyPaths = [ "/etc/ssh/sops" ]; age.sshKeyPaths = ["/etc/ssh/sops"];
defaultSopsFile = "/.dotfiles/secrets/sound/secrets.yaml"; defaultSopsFile = "/.dotfiles/secrets/sound/secrets.yaml";
validateSopsFiles = false; validateSopsFiles = false;
secrets.mpdpass = { owner = "mpd";}; secrets.mpdpass = {owner = "mpd";};
}; };
services.navidrome = { services.navidrome = {


@ -1,22 +1,20 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ lib, ... }: {lib, ...}: {
imports = [];
{ boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "vfio_pci" "usbhid"];
imports = [ ]; boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ]; fileSystems."/" = {
boot.initrd.kernelModules = [ ]; device = "/dev/mapper/pve-vm--123--disk--0";
boot.kernelModules = [ "kvm-intel" ]; fsType = "ext4";
boot.extraModulePackages = [ ]; };
fileSystems."/" = swapDevices = [];
{ device = "/dev/mapper/pve-vm--123--disk--0";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,14 +1,13 @@
{ pkgs, modulesPath, ... }:
{ {
pkgs,
modulesPath,
...
}: {
imports = [ imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix") (modulesPath + "/virtualisation/proxmox-lxc.nix")
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
services = { services = {
xserver = { xserver = {
layout = "us"; layout = "us";
@ -17,36 +16,36 @@
openssh = { openssh = {
enable = true; enable = true;
settings.PermitRootLogin = "yes"; settings.PermitRootLogin = "yes";
listenAddresses = [{ listenAddresses = [
port = 22; {
addr = "0.0.0.0"; port = 22;
}]; addr = "0.0.0.0";
}
];
}; };
}; };
nix.settings.experimental-features = ["nix-command" "flakes"]; nix.settings.experimental-features = ["nix-command" "flakes"];
proxmoxLXC = { proxmoxLXC = {
manageNetwork = true; # manage network myself manageNetwork = true; # manage network myself
manageHostName = false; # manage hostname myself manageHostName = false; # manage hostname myself
}; };
networking = { networking = {
useDHCP = true; useDHCP = true;
enableIPv6 = false; enableIPv6 = false;
}; };
users.users.root.openssh.authorizedKeys.keyFiles = [ users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys ../../../secrets/keys/authorized_keys
]; ];
system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
environment.shellAliases = { environment.shellAliases = {
nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; nswitch = "cd /.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
}; };
proxmoxLXC.privileged = true; # manage hostname myself proxmoxLXC.privileged = true; # manage hostname myself
@ -58,7 +57,7 @@
isSystemUser = true; isSystemUser = true;
uid = 65136; uid = 65136;
group = "spotifyd"; group = "spotifyd";
extraGroups = [ "audio" "utmp" ]; extraGroups = ["audio" "utmp"];
}; };
sound = { sound = {
@ -89,5 +88,4 @@
}; };
}; };
}; };
} }


@ -1,22 +1,20 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ lib, ... }: {lib, ...}: {
imports = [];
{ boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "vfio_pci" "usbhid"];
imports = [ ]; boot.initrd.kernelModules = [];
boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [];
boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "vfio_pci" "usbhid" ]; fileSystems."/" = {
boot.initrd.kernelModules = [ ]; device = "/dev/mapper/pve-vm--122--disk--0";
boot.kernelModules = [ "kvm-intel" ]; fsType = "ext4";
boot.extraModulePackages = [ ]; };
fileSystems."/" = swapDevices = [];
{ device = "/dev/mapper/pve-vm--122--disk--0";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,6 +1,9 @@
{ config, pkgs, modulesPath, ... }:
{ {
config,
pkgs,
modulesPath,
...
}: {
imports = [ imports = [
(modulesPath + "/virtualisation/proxmox-lxc.nix") (modulesPath + "/virtualisation/proxmox-lxc.nix")
./hardware-configuration.nix ./hardware-configuration.nix
@ -45,12 +48,12 @@
nix.settings.experimental-features = ["nix-command" "flakes"]; nix.settings.experimental-features = ["nix-command" "flakes"];
sops = { sops = {
age.sshKeyPaths = [ "/etc/ssh/sops" ]; age.sshKeyPaths = ["/etc/ssh/sops"];
defaultSopsFile = "/.dotfiles/secrets/transmission/secrets.yaml"; defaultSopsFile = "/.dotfiles/secrets/transmission/secrets.yaml";
validateSopsFiles = false; validateSopsFiles = false;
}; };
boot.kernelModules = [ "tun" ]; boot.kernelModules = ["tun"];
proxmoxLXC = { proxmoxLXC = {
manageNetwork = true; # manage network myself manageNetwork = true; # manage network myself
manageHostName = false; # manage hostname myself manageHostName = false; # manage hostname myself
@ -83,38 +86,40 @@
networking.iproute2 = { networking.iproute2 = {
enable = true; enable = true;
rttablesExtraConfig = '' rttablesExtraConfig = ''
200 vpn 200 vpn
''; '';
}; };
environment.etc = { environment.etc = {
"openvpn/iptables.sh" = "openvpn/iptables.sh" = {
{ source = ../../../scripts/server1/iptables.sh; source = ../../../scripts/server1/iptables.sh;
mode = "0755"; mode = "0755";
}; };
"openvpn/update-resolv-conf" = "openvpn/update-resolv-conf" = {
{ source = ../../../scripts/server1/update-resolv-conf; source = ../../../scripts/server1/update-resolv-conf;
mode = "0755"; mode = "0755";
}; };
"openvpn/routing.sh" = "openvpn/routing.sh" = {
{ source = ../../../scripts/server1/routing.sh; source = ../../../scripts/server1/routing.sh;
mode = "0755"; mode = "0755";
}; };
"openvpn/ca.rsa.2048.crt" = "openvpn/ca.rsa.2048.crt" = {
{ source = ../../../secrets/certs/ca.rsa.2048.crt; source = ../../../secrets/certs/ca.rsa.2048.crt;
mode = "0644"; mode = "0644";
}; };
"openvpn/crl.rsa.2048.pem" = "openvpn/crl.rsa.2048.pem" = {
{ source = ../../../secrets/certs/crl.rsa.2048.pem; source = ../../../secrets/certs/crl.rsa.2048.pem;
mode = "0644"; mode = "0644";
}; };
}; };
services.openssh = { services.openssh = {
enable = true; enable = true;
settings.PermitRootLogin = "yes"; settings.PermitRootLogin = "yes";
listenAddresses = [{ listenAddresses = [
port = 22; {
addr = "0.0.0.0"; port = 22;
}]; addr = "0.0.0.0";
}
];
}; };
users.users.root.openssh.authorizedKeys.keyFiles = [ users.users.root.openssh.authorizedKeys.keyFiles = [
../../../secrets/keys/authorized_keys ../../../secrets/keys/authorized_keys
@ -138,44 +143,44 @@
}; };
pia.content = '' pia.content = ''
${config.sops.placeholder.vpnuser} ${config.sops.placeholder.vpnuser}
${config.sops.placeholder.vpnpass} ${config.sops.placeholder.vpnpass}
''; '';
vpn.content = '' vpn.content = ''
client client
dev tun dev tun
proto ${config.sops.placeholder.vpnprot} proto ${config.sops.placeholder.vpnprot}
remote ${config.sops.placeholder.vpnloc} remote ${config.sops.placeholder.vpnloc}
resolv-retry infinite resolv-retry infinite
nobind nobind
persist-key persist-key
persist-tun persist-tun
cipher aes-128-cbc cipher aes-128-cbc
auth sha1 auth sha1
tls-client tls-client
remote-cert-tls server remote-cert-tls server
auth-user-pass ${config.sops.templates.pia.path} auth-user-pass ${config.sops.templates.pia.path}
compress compress
verb 1 verb 1
reneg-sec 0 reneg-sec 0
crl-verify /etc/openvpn/crl.rsa.2048.pem crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt ca /etc/openvpn/ca.rsa.2048.crt
disable-occ disable-occ
dhcp-option DNS 209.222.18.222 dhcp-option DNS 209.222.18.222
dhcp-option DNS 209.222.18.218 dhcp-option DNS 209.222.18.218
dhcp-option DNS 8.8.8.8 dhcp-option DNS 8.8.8.8
route-noexec route-noexec
''; '';
}; };
secrets = { secrets = {
vpnuser = {}; vpnuser = {};
rpcuser = {owner="vpn";}; rpcuser = {owner = "vpn";};
vpnpass = {}; vpnpass = {};
rpcpass = {owner="vpn";}; rpcpass = {owner = "vpn";};
vpnprot = {}; vpnprot = {};
vpnloc = {}; vpnloc = {};
}; };
@ -194,77 +199,74 @@
user = "vpn"; user = "vpn";
group = "lxc_shares"; group = "lxc_shares";
settings = { settings = {
alt-speed-down = 8000;
alt-speed-down= 8000; alt-speed-enabled = false;
alt-speed-enabled= false; alt-speed-time-begin = 0;
alt-speed-time-begin= 0; alt-speed-time-day = 127;
alt-speed-time-day= 127; alt-speed-time-enabled = true;
alt-speed-time-enabled= true; alt-speed-time-end = 360;
alt-speed-time-end= 360; alt-speed-up = 2000;
alt-speed-up= 2000; bind-address-ipv4 = "0.0.0.0";
bind-address-ipv4= "0.0.0.0"; bind-address-ipv6 = "::";
bind-address-ipv6= "::"; blocklist-enabled = false;
blocklist-enabled= false; blocklist-url = "http://www.example.com/blocklist";
blocklist-url= "http://www.example.com/blocklist"; cache-size-mb = 4;
cache-size-mb= 4; dht-enabled = false;
dht-enabled= false; download-dir = "/media/Eternor/New";
download-dir= "/media/Eternor/New"; download-limit = 100;
download-limit= 100; download-limit-enabled = 0;
download-limit-enabled= 0; download-queue-enabled = true;
download-queue-enabled= true; download-queue-size = 5;
download-queue-size= 5; encryption = 2;
encryption= 2; idle-seeding-limit = 30;
idle-seeding-limit= 30; idle-seeding-limit-enabled = false;
idle-seeding-limit-enabled= false; incomplete-dir = "/var/lib/transmission-daemon/Downloads";
incomplete-dir= "/var/lib/transmission-daemon/Downloads"; incomplete-dir-enabled = false;
incomplete-dir-enabled= false; lpd-enabled = false;
lpd-enabled= false; max-peers-global = 200;
max-peers-global= 200; message-level = 1;
message-level= 1; peer-congestion-algorithm = "";
peer-congestion-algorithm= ""; peer-id-ttl-hours = 6;
peer-id-ttl-hours= 6; peer-limit-global = 100;
peer-limit-global= 100; peer-limit-per-torrent = 40;
peer-limit-per-torrent= 40; peer-port = 22371;
peer-port= 22371; peer-port-random-high = 65535;
peer-port-random-high= 65535; peer-port-random-low = 49152;
peer-port-random-low= 49152; peer-port-random-on-start = false;
peer-port-random-on-start= false; peer-socket-tos = "default";
peer-socket-tos= "default"; pex-enabled = false;
pex-enabled= false; port-forwarding-enabled = false;
port-forwarding-enabled= false; preallocation = 1;
preallocation= 1; prefetch-enabled = true;
prefetch-enabled= true; queue-stalled-enabled = true;
queue-stalled-enabled= true; queue-stalled-minutes = 30;
queue-stalled-minutes= 30; ratio-limit = 2;
ratio-limit= 2; ratio-limit-enabled = false;
ratio-limit-enabled= false; rename-partial-files = true;
rename-partial-files= true; rpc-authentication-required = true;
rpc-authentication-required= true; rpc-bind-address = "0.0.0.0";
rpc-bind-address= "0.0.0.0"; rpc-enabled = true;
rpc-enabled= true; rpc-host-whitelist = "";
rpc-host-whitelist= ""; rpc-host-whitelist-enabled = true;
rpc-host-whitelist-enabled= true; rpc-port = 9091;
rpc-port= 9091; rpc-url = "/transmission/";
rpc-url= "/transmission/"; rpc-whitelist = "127.0.0.1,192.168.3.2";
rpc-whitelist= "127.0.0.1,192.168.3.2"; rpc-whitelist-enabled = true;
rpc-whitelist-enabled= true; scrape-paused-torrents-enabled = true;
scrape-paused-torrents-enabled= true; script-torrent-done-enabled = false;
script-torrent-done-enabled= false; seed-queue-enabled = false;
seed-queue-enabled= false; seed-queue-size = 10;
seed-queue-size= 10; speed-limit-down = 6000;
speed-limit-down= 6000; speed-limit-down-enabled = true;
speed-limit-down-enabled= true; speed-limit-up = 500;
speed-limit-up= 500; speed-limit-up-enabled = true;
speed-limit-up-enabled= true; start-added-torrents = true;
start-added-torrents= true; trash-original-torrent-files = false;
trash-original-torrent-files= false; umask = 2;
umask= 2; upload-limit = 100;
upload-limit= 100; upload-limit-enabled = 0;
upload-limit-enabled= 0; upload-slots-per-torrent = 14;
upload-slots-per-torrent= 14; utp-enabled = false;
utp-enabled= false;
}; };
}; };
} }


@ -1,31 +1,34 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, modulesPath, ... }:
{ {
imports = config,
[ (modulesPath + "/installer/scan/not-detected.nix") lib,
]; modulesPath,
...
}: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" ]; boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "sd_mod"];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = ["kvm-intel"];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [];
fileSystems."/" = fileSystems."/" = {
{ device = "/dev/disk/by-uuid/4a590cad-28d9-4153-bdb8-e424ec3bd5c8"; device = "/dev/disk/by-uuid/4a590cad-28d9-4153-bdb8-e424ec3bd5c8";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = fileSystems."/boot" = {
{ device = "/dev/disk/by-uuid/C67D-61AD"; device = "/dev/disk/by-uuid/C67D-61AD";
fsType = "vfat"; fsType = "vfat";
}; };
swapDevices = swapDevices = [
[ { device = "/dev/disk/by-uuid/b07aac27-a443-489c-9fdb-01c1ef633699"; } {device = "/dev/disk/by-uuid/b07aac27-a443-489c-9fdb-01c1ef633699";}
]; ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's


@ -1,8 +1,8 @@
{ config, pkgs, ... }:
{ {
config,
pkgs,
...
}: {
services.gpg-agent = { services.gpg-agent = {
enable = true; enable = true;
enableSshSupport = true; enableSshSupport = true;
@ -11,11 +11,10 @@
defaultCacheTtl = 600; defaultCacheTtl = 600;
maxCacheTtl = 7200; maxCacheTtl = 7200;
extraConfig = '' extraConfig = ''
allow-loopback-pinentry allow-loopback-pinentry
allow-emacs-pinentry allow-emacs-pinentry
''; '';
}; };
home = { home = {
username = "swarsel"; username = "swarsel";
@ -26,32 +25,32 @@
]; ];
}; };
sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" ]; sops.age.sshKeyPaths = ["${config.home.homeDirectory}/.ssh/sops"];
programs.waybar.settings.mainBar = { programs.waybar.settings.mainBar = {
cpu.format = "{icon0} {icon1} {icon2} {icon3}"; cpu.format = "{icon0} {icon1} {icon2} {icon3}";
temperature.hwmon-path = "/sys/devices/platform/coretemp.0/hwmon/hwmon1/temp3_input"; temperature.hwmon-path = "/sys/devices/platform/coretemp.0/hwmon/hwmon1/temp3_input";
}; };
programs.waybar.settings.mainBar.modules-right = ["custom/outer-left-arrow-dark"
"mpris"
"custom/left-arrow-light"
"network"
"custom/left-arrow-dark"
"pulseaudio"
"custom/left-arrow-light"
"custom/pseudobat"
"battery"
"custom/left-arrow-dark"
"group/hardware"
"custom/left-arrow-light"
"clock#2"
"custom/left-arrow-dark"
"clock#1"
];
wayland.windowManager.sway= { programs.waybar.settings.mainBar.modules-right = [
"custom/outer-left-arrow-dark"
"mpris"
"custom/left-arrow-light"
"network"
"custom/left-arrow-dark"
"pulseaudio"
"custom/left-arrow-light"
"custom/pseudobat"
"battery"
"custom/left-arrow-dark"
"group/hardware"
"custom/left-arrow-light"
"clock#2"
"custom/left-arrow-dark"
"clock#1"
];
wayland.windowManager.sway = {
config = rec { config = rec {
input = { input = {
"*" = { "*" = {
@ -78,8 +77,8 @@
keybindings = let keybindings = let
inherit (config.wayland.windowManager.sway.config) modifier; inherit (config.wayland.windowManager.sway.config) modifier;
in { in {
"${modifier}+F2" = "exec brightnessctl set +5%"; "${modifier}+F2" = "exec brightnessctl set +5%";
"${modifier}+F1"= "exec brightnessctl set 5%-"; "${modifier}+F1" = "exec brightnessctl set 5%-";
"${modifier}+n" = "exec sway output eDP-1 transform normal, splith"; "${modifier}+n" = "exec sway output eDP-1 transform normal, splith";
"${modifier}+Ctrl+p" = "exec wl-mirror eDP-1"; "${modifier}+Ctrl+p" = "exec wl-mirror eDP-1";
"${modifier}+t" = "exec sway output eDP-1 transform 90, splitv"; "${modifier}+t" = "exec sway output eDP-1 transform 90, splitv";
@ -89,14 +88,12 @@
}; };
startup = [ startup = [
{command = "nextcloud --background";}
{ command = "nextcloud --background";} {command = "discord --start-minimized";}
{ command = "discord --start-minimized";} {command = "element-desktop --hidden -enable-features=UseOzonePlatform -ozone-platform=wayland --disable-gpu-driver-bug-workarounds";}
{ command = "element-desktop --hidden -enable-features=UseOzonePlatform -ozone-platform=wayland --disable-gpu-driver-bug-workarounds";} {command = "ANKI_WAYLAND=1 anki";}
{ command = "ANKI_WAYLAND=1 anki";} {command = "OBSIDIAN_USE_WAYLAND=1 obsidian";}
{ command = "OBSIDIAN_USE_WAYLAND=1 obsidian";} {command = "nm-applet";}
{ command = "nm-applet";}
]; ];
keycodebindings = { keycodebindings = {


@ -1,16 +1,15 @@
{ lib, pkgs, ... }:
{ {
lib,
imports = pkgs,
[ ...
./hardware-configuration.nix }: {
]; imports = [
./hardware-configuration.nix
];
services = { services = {
getty.autologinUser = "swarsel"; getty.autologinUser = "swarsel";
greetd.settings.initial_session.user="swarsel"; greetd.settings.initial_session.user = "swarsel";
}; };
hardware.bluetooth.enable = true; hardware.bluetooth.enable = true;
@ -35,7 +34,7 @@
}; };
stylix.image = ../../wallpaper/surfacewp.png; stylix.image = ../../wallpaper/surfacewp.png;
stylix = { stylix = {
enable = true; enable = true;
base16Scheme = ../../wallpaper/swarsel.yaml; base16Scheme = ../../wallpaper/swarsel.yaml;
@ -60,7 +59,7 @@
# name = "FiraCode Nerd Font Propo"; # name = "FiraCode Nerd Font Propo";
# name = "Montserrat"; # name = "Montserrat";
}; };
sansSerif = { sansSerif = {
# package = (pkgs.nerdfonts.override { fonts = [ "FiraMono" "FiraCode"]; }); # package = (pkgs.nerdfonts.override { fonts = [ "FiraMono" "FiraCode"]; });
package = pkgs.cantarell-fonts; package = pkgs.cantarell-fonts;
@ -69,26 +68,23 @@
# name = "FiraCode Nerd Font Propo"; # name = "FiraCode Nerd Font Propo";
# name = "Montserrat"; # name = "Montserrat";
}; };
monospace = { monospace = {
package = pkgs.nerdfonts.override { fonts = [ "FiraCode"]; }; package = pkgs.nerdfonts.override {fonts = ["FiraCode"];};
name = "FiraCode Nerd Font Mono"; name = "FiraCode Nerd Font Mono";
}; };
emoji = { emoji = {
package = pkgs.noto-fonts-emoji; package = pkgs.noto-fonts-emoji;
name = "Noto Color Emoji"; name = "Noto Color Emoji";
}; };
}; };
}; };
users.users.swarsel = { users.users.swarsel = {
isNormalUser = true; isNormalUser = true;
description = "Leon S"; description = "Leon S";
extraGroups = [ "networkmanager" "wheel" "lp" "audio" "video" ]; extraGroups = ["networkmanager" "wheel" "lp" "audio" "video"];
packages = with pkgs; []; packages = with pkgs; [];
}; };
@ -96,5 +92,4 @@
]; ];
system.stateVersion = "23.05"; system.stateVersion = "23.05";
} }


@ -1,8 +1,8 @@
{ config, pkgs, ... }:
{ {
config,
pkgs,
...
}: {
services.gpg-agent = { services.gpg-agent = {
enable = true; enable = true;
enableSshSupport = true; enableSshSupport = true;
@ -11,11 +11,11 @@
defaultCacheTtl = 600; defaultCacheTtl = 600;
maxCacheTtl = 7200; maxCacheTtl = 7200;
extraConfig = '' extraConfig = ''
allow-loopback-pinentry allow-loopback-pinentry
allow-emacs-pinentry allow-emacs-pinentry
''; '';
}; };
home = { home = {
username = "swarsel"; username = "swarsel";
homeDirectory = "/home/swarsel"; homeDirectory = "/home/swarsel";
@ -24,7 +24,7 @@
packages = with pkgs; [ packages = with pkgs; [
]; ];
}; };
sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" ]; sops.age.sshKeyPaths = ["${config.home.homeDirectory}/.ssh/sops"];
# waybar config - TEMPLATE - update for cores and temp # waybar config - TEMPLATE - update for cores and temp
programs.waybar.settings.mainBar = { programs.waybar.settings.mainBar = {
@ -34,26 +34,25 @@
temperature.input-filename = "temp1_input"; temperature.input-filename = "temp1_input";
}; };
programs.waybar.settings.mainBar.modules-right = [
programs.waybar.settings.mainBar.modules-right = ["custom/outer-left-arrow-dark" "custom/outer-left-arrow-dark"
"mpris" "mpris"
"custom/left-arrow-light" "custom/left-arrow-light"
"network" "network"
"custom/left-arrow-dark" "custom/left-arrow-dark"
"pulseaudio" "pulseaudio"
"custom/left-arrow-light" "custom/left-arrow-light"
"custom/pseudobat" "custom/pseudobat"
"battery" "battery"
"custom/left-arrow-dark" "custom/left-arrow-dark"
"group/hardware" "group/hardware"
"custom/left-arrow-light" "custom/left-arrow-light"
"clock#2" "clock#2"
"custom/left-arrow-dark" "custom/left-arrow-dark"
"clock#1" "clock#1"
]; ];
wayland.windowManager.sway= { wayland.windowManager.sway = {
config = rec { config = rec {
# update for actual inputs here, # update for actual inputs here,
input = { input = {
@ -61,7 +60,8 @@
xkb_layout = "us"; xkb_layout = "us";
xkb_variant = "altgr-intl"; xkb_variant = "altgr-intl";
}; };
"1:1:AT_Translated_Set_2_keyboard" = { # TEMPLATE "1:1:AT_Translated_Set_2_keyboard" = {
# TEMPLATE
xkb_layout = "us"; xkb_layout = "us";
xkb_options = "grp:win_space_toggle"; xkb_options = "grp:win_space_toggle";
xkb_variant = "altgr-intl"; xkb_variant = "altgr-intl";
@ -72,7 +72,6 @@
natural_scroll = "enabled"; natural_scroll = "enabled";
middle_emulation = "enabled"; middle_emulation = "enabled";
}; };
}; };
output = { output = {
@ -92,11 +91,16 @@
}; };
workspaceOutputAssign = [ workspaceOutputAssign = [
{ output = "eDP-1"; workspace = "1:";} {
{ output = "HDMI-A-1"; workspace = "2:";} output = "eDP-1";
workspace = "1:";
}
{
output = "HDMI-A-1";
workspace = "2:";
}
]; ];
# keybindings = let # keybindings = let
# inherit (config.wayland.windowManager.sway.config) modifier; # inherit (config.wayland.windowManager.sway.config) modifier;
# in { # in {
@ -104,14 +108,12 @@
# }; # };
startup = [ startup = [
{command = "nextcloud --background";}
{ command = "nextcloud --background";} {command = "discord --start-minimized";}
{ command = "discord --start-minimized";} {command = "element-desktop --hidden -enable-features=UseOzonePlatform -ozone-platform=wayland --disable-gpu-driver-bug-workarounds";}
{ command = "element-desktop --hidden -enable-features=UseOzonePlatform -ozone-platform=wayland --disable-gpu-driver-bug-workarounds";} {command = "ANKI_WAYLAND=1 anki";}
{ command = "ANKI_WAYLAND=1 anki";} {command = "OBSIDIAN_USE_WAYLAND=1 obsidian";}
{ command = "OBSIDIAN_USE_WAYLAND=1 obsidian";} {command = "nm-applet";}
{ command = "nm-applet";}
]; ];
}; };
}; };


@ -1,21 +1,17 @@
{ pkgs, ... }: {pkgs, ...}: {
#
{
#
# imports = # imports =
# [ # [
# ./hardware-configuration.nix # ./hardware-configuration.nix
# ]; # ];
# #
imports = imports = [
[ ./hardware-configuration.nix
./hardware-configuration.nix ];
];
services = { services = {
getty.autologinUser = "swarsel"; getty.autologinUser = "swarsel";
greetd.settings.initial_session.user="swarsel"; greetd.settings.initial_session.user = "swarsel";
}; };
boot = { boot = {
@ -31,8 +27,8 @@
firewall.checkReversePath = "strict"; firewall.checkReversePath = "strict";
firewall = { firewall = {
enable = true; enable = true;
allowedUDPPorts = [ ]; allowedUDPPorts = [];
allowedTCPPorts = [ ]; allowedTCPPorts = [];
allowedTCPPortRanges = [ allowedTCPPortRanges = [
]; ];
allowedUDPPortRanges = [ allowedUDPPortRanges = [
@ -42,17 +38,17 @@
virtualisation.virtualbox = { virtualisation.virtualbox = {
host = { host = {
enable = true; enable = true;
enableExtensionPack = true; enableExtensionPack = true;
}; };
# leaving this here for future notice. setting guest.enable = true will make 'restarting sysinit-reactivation.target' take till timeout on nixos-rebuild switch # leaving this here for future notice. setting guest.enable = true will make 'restarting sysinit-reactivation.target' take till timeout on nixos-rebuild switch
guest = { guest = {
enable = false; enable = false;
};
}; };
};
stylix.image = ../../wallpaper/lenovowp.png; stylix.image = ../../wallpaper/lenovowp.png;
stylix = { stylix = {
enable = true; enable = true;
base16Scheme = ../../wallpaper/swarsel.yaml; base16Scheme = ../../wallpaper/swarsel.yaml;
@ -77,7 +73,7 @@
# name = "FiraCode Nerd Font Propo"; # name = "FiraCode Nerd Font Propo";
# name = "Montserrat"; # name = "Montserrat";
}; };
sansSerif = { sansSerif = {
# package = (pkgs.nerdfonts.override { fonts = [ "FiraMono" "FiraCode"]; }); # package = (pkgs.nerdfonts.override { fonts = [ "FiraMono" "FiraCode"]; });
package = pkgs.cantarell-fonts; package = pkgs.cantarell-fonts;
@ -86,31 +82,28 @@
# name = "FiraCode Nerd Font Propo"; # name = "FiraCode Nerd Font Propo";
# name = "Montserrat"; # name = "Montserrat";
}; };
monospace = { monospace = {
package = pkgs.nerdfonts.override { fonts = [ "FiraCode"]; }; package = pkgs.nerdfonts.override {fonts = ["FiraCode"];};
name = "FiraCode Nerd Font Mono"; name = "FiraCode Nerd Font Mono";
}; };
emoji = { emoji = {
package = pkgs.noto-fonts-emoji; package = pkgs.noto-fonts-emoji;
name = "Noto Color Emoji"; name = "Noto Color Emoji";
}; };
}; };
}; };
hardware = { hardware = {
graphics = { graphics = {
enable = true; enable = true;
enable32Bit = true; enable32Bit = true;
extraPackages = with pkgs; [ extraPackages = with pkgs; [
]; ];
};
bluetooth.enable = true;
}; };
bluetooth.enable = true;
};
programs.steam = { programs.steam = {
enable = true; enable = true;
@ -124,7 +117,7 @@
users.users.swarsel = { users.users.swarsel = {
isNormalUser = true; isNormalUser = true;
description = "Leon S"; description = "Leon S";
extraGroups = [ "networkmanager" "wheel" "lp" "audio" "video" "vboxusers" "scanner" ]; extraGroups = ["networkmanager" "wheel" "lp" "audio" "video" "vboxusers" "scanner"];
packages = with pkgs; []; packages = with pkgs; [];
}; };
@ -140,6 +133,4 @@
]; ];
system.stateVersion = "23.05"; system.stateVersion = "23.05";
} }


@ -171,28 +171,23 @@ create a new one."
visual-fill-column-center-text t) visual-fill-column-center-text t)
(visual-fill-column-mode 1)) (visual-fill-column-mode 1))
(defun swarsel/org-babel-tangle-config () (defun run-alejandra ()
(when (string-equal (buffer-file-name) (interactive)
swarsel-swarsel-org-filepath) (let ((default-directory (expand-file-name "~/.dotfiles")))
;; Dynamic scoping to the rescue (shell-command "alejandra . -q")))
(let ((org-confirm-babel-evaluate nil))
(org-html-export-to-html)
(org-babel-tangle)))
(when (string-equal (buffer-file-name)
swarsel-emacs-org-filepath)
;; Dynamic scoping to the rescue
(let ((org-confirm-babel-evaluate nil))
(org-html-export-to-html)
(org-babel-tangle)))
(when (string-equal (buffer-file-name)
swarsel-nix-org-filepath)
;; Dynamic scoping to the rescue
(let ((org-confirm-babel-evaluate nil))
(org-babel-tangle))))
(setq org-html-htmlize-output-type nil) (defun swarsel/org-babel-tangle-config ()
(when (string-equal (buffer-file-name)
swarsel-swarsel-org-filepath)
;; Dynamic scoping to the rescue
(let ((org-confirm-babel-evaluate nil))
(org-html-export-to-html)
(org-babel-tangle)
(run-alejandra))))
(add-hook 'org-mode-hook (lambda () (add-hook 'after-save-hook #'swarsel/org-babel-tangle-config))) (setq org-html-htmlize-output-type nil)
(add-hook 'org-mode-hook (lambda () (add-hook 'after-save-hook #'swarsel/org-babel-tangle-config)))
(defun org-fold-outer () (defun org-fold-outer ()
(interactive) (interactive)
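Review bot: `run-alejandra` discards the return value of `shell-command`, so when `alejandra` is missing from Emacs's PATH or exits non-zero the save hook gives no signal, and the unformatted files are presumably only caught later by the workflow's `--check` step. Checking the status would surface the failure at save time: `(unless (eq 0 (shell-command "alejandra . -q")) (message "alejandra failed in %s" default-directory))`. The call is also synchronous and reformats every `.nix` file under `~/.dotfiles` on each save of the org file, not only the freshly tangled outputs, which deserves a one-line comment above the `defun`. The rewritten `swarsel/org-babel-tangle-config` no longer tangles `swarsel-emacs-org-filepath` or `swarsel-nix-org-filepath`; if those files are still in use this looks like an unintended regression, so confirm they were retired.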


@ -11,7 +11,6 @@
llvm = pkgs.llvmPackages_latest; llvm = pkgs.llvmPackages_latest;
in { in {
devShells.${system}.default = pkgs.mkShell { devShells.${system}.default = pkgs.mkShell {
packages = with pkgs; [ packages = with pkgs; [
gcc gcc
#builder #builder
@ -29,10 +28,9 @@
hardeningDisable = ["all"]; hardeningDisable = ["all"];
# direnv does not allow aliases, use scripts as a workaround # direnv does not allow aliases, use scripts as a workaround
shellHook = '' shellHook = ''
PATH_add ~/.dotfiles/scripts/devShell PATH_add ~/.dotfiles/scripts/devShell
''; '';
# ... # ...
}; };
}; };
} }


@ -7,10 +7,12 @@
outputs = {nixpkgs, ...}: let outputs = {nixpkgs, ...}: let
system = "x86_64-linux"; system = "x86_64-linux";
pkgs = import nixpkgs { system = "x86_64-linux"; config.allowUnfree = true; }; pkgs = import nixpkgs {
system = "x86_64-linux";
config.allowUnfree = true;
};
in { in {
devShells.${system}.default = pkgs.mkShell { devShells.${system}.default = pkgs.mkShell {
packages = with pkgs; [ packages = with pkgs; [
# gcc # gcc
#builder #builder
@ -39,7 +41,6 @@
]; ];
hardeningDisable = ["all"]; hardeningDisable = ["all"];
# ... # ...
}; };
}; };
} }


@ -9,7 +9,6 @@
pkgs = nixpkgs.legacyPackages.${system}; pkgs = nixpkgs.legacyPackages.${system};
in { in {
devShells.${system}.default = pkgs.mkShell { devShells.${system}.default = pkgs.mkShell {
packages = with pkgs; [ packages = with pkgs; [
# fill here # fill here
]; ];


@ -9,7 +9,6 @@
pkgs = nixpkgs.legacyPackages.${system}; pkgs = nixpkgs.legacyPackages.${system};
in { in {
devShells.${system}.default = pkgs.mkShell { devShells.${system}.default = pkgs.mkShell {
packages = [ packages = [
(pkgs.python3.withPackages (python-pkgs: [ (pkgs.python3.withPackages (python-pkgs: [
python-pkgs.numpy python-pkgs.numpy


@ -5,7 +5,11 @@
rust-overlay.url = "github:oxalica/rust-overlay"; rust-overlay.url = "github:oxalica/rust-overlay";
}; };
outputs = { nixpkgs, rust-overlay, ...}: let outputs = {
nixpkgs,
rust-overlay,
...
}: let
system = "x86_64-linux"; system = "x86_64-linux";
pkgs = import nixpkgs { pkgs = import nixpkgs {
inherit system; inherit system;
@ -14,7 +18,6 @@
toolchain = pkgs.rust-bin.fromRustupToolchainFile ./toolchain.toml; toolchain = pkgs.rust-bin.fromRustupToolchainFile ./toolchain.toml;
in { in {
devShells.${system}.default = pkgs.mkShell { devShells.${system}.default = pkgs.mkShell {
packages = with pkgs; [ packages = with pkgs; [
cargo cargo
clippy clippy
@ -27,10 +30,9 @@
env = { env = {
RUST_BACKTRACE = "full"; RUST_BACKTRACE = "full";
}; };
RUST_SRC_PATH = "${toolchain}/lib/rustlib/src/rust/library"; RUST_SRC_PATH = "${toolchain}/lib/rustlib/src/rust/library";
# ... # ...
}; };
}; };
} }