diff --git a/SwarselSystems.org b/SwarselSystems.org
index b846434..4c9efff 100644
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@@ -974,6 +974,889 @@ No matter what you do, check the initial /etc/nixos/configuration.nix for notabl :PROPERTIES: :CUSTOM_ID: h:58dc6384-0d19-4f71-9043-4014bd033ba2 :END: +**** Sandbox (Lenovo Y510P) +:PROPERTIES: +:CUSTOM_ID: h:60cf171f-2ec9-418f-8f67-85d159efe9d0 +:END: + +My old laptop, replaced by a new one, since most basic functions have stopped to work lately. However, it is still good as a dummy server for testing things out before having them go live. + +***** NixOS +:PROPERTIES: +:CUSTOM_ID: h:23b0f629-343c-42fa-bf9b-70bea341c0d2 +:END: + +#+begin_src nix :noweb yes :tangle profiles/sandbox/nixos.nix + + { config, pkgs, modulesPath, unstable, sops, ... }: let + matrixDomain = "swatrix.swarsel.win"; + in { + + imports = [ + ./hardware-configuration.nix + # we import here a service that is not available yet on normal nixpkgs + # this module is hence not in the modules list, we add it ourselves + (unstable + "/nixos/modules/services/matrix/mautrix-signal.nix") + ]; + + boot.loader.grub = { + enable = true; + device = "/dev/sda"; + useOSProber = true; + }; + + users.users.swarsel = { + isNormalUser = true; + description = "Leon S"; + extraGroups = [ "networkmanager" "wheel" "lp"]; + packages = with pkgs; []; + }; + + # actual config starts here + + fileSystems."/mnt/Eternor" = { + device = "//192.168.1.3/Eternor"; + fsType = "cifs"; + options = let + # this line prevents hanging on network split + automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s"; + in ["${automount_opts},credentials=/etc/nixos/smb-secrets,uid=1000,gid=100"]; + }; + + environment.systemPackages = with pkgs; [ + git + gnupg + ssh-to-age + lego + nginx + calibre + openvpn + jq + iptables + busybox + wireguard-tools + matrix-synapse + lottieconverter + ffmpeg + pciutils + alsa-utils + mpv + zfs + ]; + + services.xserver = { + layout = "us"; + xkbVariant = "altgr-intl"; + }; + + nix.settings.experimental-features = 
["nix-command" "flakes"]; + + services.openssh = { + enable = true; + settings.PermitRootLogin = "yes"; + listenAddresses = [{ + port = 22; + addr = "0.0.0.0"; + }]; + }; + users.users.root.openssh.authorizedKeys.keyFiles = [ + ../../secrets/keys/authorized_keys + ]; + + system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change + + environment.shellAliases = { + nswitch = "cd ~/.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; + }; + + boot.supportedFilesystems = [ "zfs" ]; + boot.zfs.forceImportRoot = false; + networking.hostId = "8a8ad84a"; + + networking.hostName = "sandbox"; # Define your hostname. + networking.enableIPv6 = true; + networking.firewall.enable = false; + + documentation = { + enable = false; + }; + + sops.age.sshKeyPaths = [ "/etc/ssh/sops" ]; + sops.defaultSopsFile = "/root/.dotfiles/secrets/sandbox/secrets.yaml"; + sops.validateSopsFiles = false; + sops.secrets.dnstokenfull = {owner="acme";}; + sops.templates."certs.secret".content = '' + CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull} + ''; + + security.acme = { + acceptTerms = true; + preliminarySelfsigned = false; + defaults.email = "mrswarsel@gmail.com"; + defaults.dnsProvider = "cloudflare"; + defaults.environmentFile = "${config.sops.templates."certs.secret".path}"; + }; + + services.nginx = { + enable = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + virtualHosts = { + + "stash.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "https://192.168.1.5"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + # "/push/" = { + # proxyPass = "http://192.168.2.5:7867"; + # }; + "/.well-known/carddav" = { + return = "301 $scheme://$host/remote.php/dav"; + }; + "/.well-known/caldav" = { + return = "301 $scheme://$host/remote.php/dav"; + }; + }; + }; + + "swatrix.swarsel.win" = { + 
enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "~ ^(/_matrix|/_synapse/client)" = { + proxyPass = "http://127.0.0.1:8008"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + }; + }; + + + "sound.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:4040"; + proxyWebsockets = true; + extraConfig = '' + proxy_redirect http:// https://; + proxy_read_timeout 600s; + proxy_send_timeout 600s; + proxy_buffering off; + proxy_request_buffering off; + client_max_body_size 0; + ''; + }; + }; + }; + + "scan.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:28981"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + }; + }; + + "screen.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:8096"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + }; + }; + + "scroll.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:8080"; + extraConfig = '' + client_max_body_size 0; + ''; + }; + }; + }; + + + }; + }; + + + sops.secrets.kavita = { owner = "kavita";}; + + services.kavita = { + enable = true; + user = "kavita"; + port = 8080; + tokenKeyFile = config.sops.secrets.kavita.path; + }; + + users.users.jellyfin = { + extraGroups = [ "video" "render" ]; + }; + + # nixpkgs.config.packageOverrides = pkgs: { + # vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; + # }; + + hardware.graphics = { + enable = true; + extraPackages = with pkgs; [ + intel-media-driver # LIBVA_DRIVER_NAME=iHD + vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium) + vaapiVdpau + libvdpau-va-gl + ]; + }; + + services.jellyfin = { + enable = true; + user = "jellyfin"; + # openFirewall = true; # this 
works only for the default ports + }; + + users.groups.vpn = {}; + + users.users.vpn = { + isNormalUser = true; + group = "vpn"; + home = "/home/vpn"; + }; + + boot.kernelModules = [ "tun" ]; + + services.radarr = { + enable = true; + }; + + services.readarr = { + enable = true; + }; + services.sonarr = { + enable = true; + }; + services.lidarr = { + enable = true; + }; + services.prowlarr = { + enable = true; + }; + + networking.firewall.extraCommands = '' + sudo iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP + ''; + networking.iproute2 = { + enable = true; + rttablesExtraConfig = '' + 200 vpn + ''; + }; + boot.kernel.sysctl = { + "net.ipv4.conf.all.rp_filter" = 2; + "net.ipv4.conf.default.rp_filter" = 2; + "net.ipv4.conf.enp7s0.rp_filter" = 2; + }; + environment.etc = { + "openvpn/iptables.sh" = + { source = ../../scripts/server1/iptables.sh; + mode = "0755"; + }; + "openvpn/update-resolv-conf" = + { source = ../../scripts/server1/update-resolv-conf; + mode = "0755"; + }; + "openvpn/routing.sh" = + { source = ../../scripts/server1/routing.sh; + mode = "0755"; + }; + "openvpn/ca.rsa.2048.crt" = + { source = ../../secrets/certs/ca.rsa.2048.crt; + mode = "0644"; + }; + "openvpn/crl.rsa.2048.pem" = + { source = ../../secrets/certs/crl.rsa.2048.pem; + mode = "0644"; + }; + }; + + sops.secrets.vpnuser = {}; + sops.secrets.rpcuser = {owner="vpn";}; + sops.secrets.vpnpass = {}; + sops.secrets.rpcpass = {owner="vpn";}; + sops.secrets.vpnprot = {}; + sops.secrets.vpnloc = {}; + # sops.secrets.crlpem = {}; + # sops.secrets.capem = {}; + sops.templates."transmission-rpc".owner = "vpn"; + sops.templates."transmission-rpc".content = builtins.toJSON { + rpc-username = config.sops.placeholder.rpcuser; + rpc-password = config.sops.placeholder.rpcpass; + }; + + sops.templates.pia.content = '' + ${config.sops.placeholder.vpnuser} + ${config.sops.placeholder.vpnpass} + ''; + + sops.templates.vpn.content = '' + client + dev tun + proto ${config.sops.placeholder.vpnprot} 
+ remote ${config.sops.placeholder.vpnloc} + resolv-retry infinite + nobind + persist-key + persist-tun + cipher aes-128-cbc + auth sha1 + tls-client + remote-cert-tls server + + auth-user-pass ${config.sops.templates.pia.path} + compress + verb 1 + reneg-sec 0 + + crl-verify /etc/openvpn/crl.rsa.2048.pem + ca /etc/openvpn/ca.rsa.2048.crt + + disable-occ + ''; + + services.openvpn.servers = { + pia = { + autoStart = true; + updateResolvConf = false; + config = "config ${config.sops.templates.vpn.path}"; + }; + }; + + services.transmission = { + enable = true; + credentialsFile = config.sops.templates."transmission-rpc".path; + user = "vpn"; + settings = { + + alt-speed-down= 8000; + alt-speed-enabled= false; + alt-speed-time-begin= 0; + alt-speed-time-day= 127; + alt-speed-time-enabled= true; + alt-speed-time-end= 360; + alt-speed-up= 2000; + bind-address-ipv4= "0.0.0.0"; + bind-address-ipv6= "::"; + blocklist-enabled= false; + blocklist-url= "http://www.example.com/blocklist"; + cache-size-mb= 256; + dht-enabled= false; + download-dir= "/test"; + download-limit= 100; + download-limit-enabled= 0; + download-queue-enabled= true; + download-queue-size= 5; + encryption= 2; + idle-seeding-limit= 30; + idle-seeding-limit-enabled= false; + incomplete-dir= "/var/lib/transmission-daemon/Downloads"; + incomplete-dir-enabled= false; + lpd-enabled= false; + max-peers-global= 200; + message-level= 1; + peer-congestion-algorithm= ""; + peer-id-ttl-hours= 6; + peer-limit-global= 100; + peer-limit-per-torrent= 40; + peer-port= 22371; + peer-port-random-high= 65535; + peer-port-random-low= 49152; + peer-port-random-on-start= false; + peer-socket-tos= "default"; + pex-enabled= false; + port-forwarding-enabled= false; + preallocation= 1; + prefetch-enabled= true; + queue-stalled-enabled= true; + queue-stalled-minutes= 30; + ratio-limit= 2; + ratio-limit-enabled= false; + rename-partial-files= true; + rpc-authentication-required= true; + rpc-bind-address= "0.0.0.0"; + rpc-enabled= 
true; + rpc-host-whitelist= ""; + rpc-host-whitelist-enabled= true; + rpc-port= 9091; + rpc-url= "/transmission/"; + rpc-whitelist= "127.0.0.1,192.168.3.2"; + rpc-whitelist-enabled= true; + scrape-paused-torrents-enabled= true; + script-torrent-done-enabled= false; + seed-queue-enabled= false; + seed-queue-size= 10; + speed-limit-down= 6000; + speed-limit-down-enabled= true; + speed-limit-up= 500; + speed-limit-up-enabled= true; + start-added-torrents= true; + trash-original-torrent-files= false; + umask= 2; + upload-limit= 100; + upload-limit-enabled= 0; + upload-slots-per-torrent= 14; + utp-enabled= false; + }; + }; + + # services.nginx = { + # enable = true; + # virtualHosts = { + + # "192.168.1.192" = { + # locations = { + # "/transmission" = { + # proxyPass = "http://127.0.0.1:9091"; + # extraConfig = '' + # proxy_set_header Host $host; + # proxy_set_header X-Real-IP $remote_addr; + # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # ''; + # }; + # }; + # }; + # }; + # }; + + + # sops.secrets.matrixsharedsecret = {owner="matrix-synapse";}; + # sops.templates."matrix_user_register.sh".content = '' + # register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008 + # ''; + # sops.templates.matrixshared.owner = "matrix-synapse"; + # sops.templates.matrixshared.content = '' + # registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret} + # ''; + # sops.secrets.mautrixtelegram_as = {owner="matrix-synapse";}; + # sops.secrets.mautrixtelegram_hs = {owner="matrix-synapse";}; + # sops.secrets.mautrixtelegram_api_id = {owner="matrix-synapse";}; + # sops.secrets.mautrixtelegram_api_hash = {owner="matrix-synapse";}; + # sops.templates.mautrixtelegram.owner = "matrix-synapse"; + # sops.templates.mautrixtelegram.content = '' + # MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as} + # MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs} + # 
MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id} + # MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash} + # ''; + + + + + # ---------------- + # sops.secrets.mautrixwhatsapp_shared = {owner="matrix-synapse";}; + # sops.templates.mautrixwhatsapp.owner = "matrix-synapse"; + # sops.templates.mautrixwhatsapp.content = '' + # MAUTRIX_WHATSAPP_BRIDGE_LOGIN_SHARED_SECRET=${config.sops.placeholder.mautrixwhatsapp_shared} + # ''; + + services.postgresql.enable = true; + services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" '' + CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; + CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram'; + CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp'; + CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal'; + CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; + ''; + + services.matrix-synapse = { + settings.app_service_config_files = [ + "/var/lib/matrix-synapse/telegram-registration.yaml" + "/var/lib/matrix-synapse/whatsapp-registration.yaml" + "/var/lib/matrix-synapse/signal-registration.yaml" + "/var/lib/matrix-synapse/doublepuppet.yaml" + ]; + enable = false; + settings.server_name = matrixDomain; + settings.public_baseurl = "https://${matrixDomain}"; + extraConfigFiles = [ + config.sops.templates.matrixshared.path + ]; + settings.listeners = [ + { port = 8008; + bind_addresses = [ "0.0.0.0" ]; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ + { + names = [ "client" 
"federation" ]; + compress = true; + } + ]; + } + ]; + }; + + services.mautrix-telegram = { + enable = false; + environmentFile = config.sops.templates.mautrixtelegram.path; + settings = { + homeserver = { + address = "http://localhost:8008"; + domain = matrixDomain; + }; + appservice = { + address= "http://localhost:29317"; + hostname = "0.0.0.0"; + port = "29317"; + provisioning.enabled = true; + id = "telegram"; + # ephemeral_events = true; # not needed due to double puppeting + public = { + enabled = false; + }; + database = "postgresql:///mautrix-telegram?host=/run/postgresql"; + }; + bridge = { + # login_shared_secret_map = { + # matrixDomain = "as_token:doublepuppet"; + # }; + relaybot.authless_portals = true; + allow_avatar_remove = true; + allow_contact_info = true; + sync_channel_members = true; + startup_sync = true; + sync_create_limit = 0; + sync_direct_chats = true; + telegram_link_preview = true; + permissions = { + "*" = "relaybot"; + "@swarsel:${matrixDomain}" = "admin"; + }; + # Animated stickers conversion requires additional packages in the + # service's path. + # If this isn't a fresh installation, clearing the bridge's uploaded + # file cache might be necessary (make a database backup first!): + # delete from telegram_file where \ + # mime_type in ('application/gzip', 'application/octet-stream') + animated_sticker = { + target = "gif"; + args = { + width = 256; + height = 256; + fps = 30; # only for webm + background = "020202"; # only for gif, transparency not supported + }; + }; + }; + }; + }; + # systemd.services.mautrix-telegram.path = with pkgs; [ + # lottieconverter # for animated stickers conversion, unfree package + # ffmpeg # if converting animated stickers to webm (very slow!) 
+ # ]; + + services.mautrix-whatsapp = { + enable = false; + # environmentFile = config.sops.templates.mautrixwhatsapp.path; + settings = { + homeserver = { + address = "http://localhost:8008"; + domain = matrixDomain; + }; + appservice = { + address= "http://localhost:29318"; + hostname = "0.0.0.0"; + port = 29318; + database = { + type = "postgres"; + uri = "postgresql:///mautrix-whatsapp?host=/run/postgresql"; + }; + }; + bridge = { + displayname_template = "{{or .FullName .PushName .JID}} (WA)"; + history_sync = { + backfill = true; + max_initial_conversations = -1; + message_count = -1; + request_full_sync = true; + full_sync_config = { + days_limit = 900; + size_mb_limit = 5000; + storage_quota_mb = 5000; + }; + }; + login_shared_secret_map = { + matrixDomain = "as_token:doublepuppet"; + }; + sync_manual_marked_unread = true; + send_presence_on_typing = true; + parallel_member_sync = true; + url_previews = true; + caption_in_message = true; + extev_polls = true; + permissions = { + "*" = "relaybot"; + "@swarsel:${matrixDomain}" = "admin"; + }; + }; + }; + }; + + services.mautrix-signal = { + enable = false; + # environmentFile = config.sops.templates.mautrixwhatsapp.path; + settings = { + homeserver = { + address = "http://localhost:8008"; + domain = matrixDomain; + }; + appservice = { + + address= "http://localhost:29328"; + hostname = "0.0.0.0"; + port = 29328; + database = { + type = "postgres"; + uri = "postgresql:///mautrix-signal?host=/run/postgresql"; + }; + }; + bridge = { + displayname_template = "{{or .ContactName .ProfileName .PhoneNumber}} (Signal)"; + login_shared_secret_map = { + matrixDomain = "as_token:doublepuppet"; + }; + caption_in_message = true; + permissions = { + "*" = "relaybot"; + "@swarsel:${matrixDomain}" = "admin"; + }; + }; + }; + }; + + # restart the bridges daily. this is done for the signal bridge mainly which stops carrying + # messages out after a while. 
+ + systemd.timers."restart-bridges" = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = "1d"; + OnUnitActiveSec = "1d"; + Unit = "restart-bridges.service"; + }; + }; + + systemd.services."restart-bridges" = { + script = '' + systemctl restart mautrix-whatsapp.service + systemctl restart mautrix-signal.service + systemctl restart mautrix-telegram.service + ''; + serviceConfig = { + Type = "oneshot"; + User = "root"; + }; + }; + + + users.groups.navidrome = { + gid = 61593; + }; + + users.groups.mpd = {}; + + users.users.navidrome = { + isSystemUser = true; + uid = 61593; + group = "navidrome"; + extraGroups = [ "audio" "utmp" ]; + }; + + users.users.mpd = { + isSystemUser = true; + group = "mpd"; + extraGroups = [ "audio" "utmp" ]; + }; + + sound = { + enable = true; + }; + + hardware.enableAllFirmware = true; + + sops.secrets.mpdpass = { owner = "mpd";}; + + services.navidrome = { + enable = true; + settings = { + Address = "0.0.0.0"; + Port = 4040; + MusicFolder = "/mnt/"; + EnableSharing = true; + EnableTranscodingConfig = true; + Scanner.GroupAlbumReleases = true; + ScanSchedule = "@every 24h"; + # Insert these values locally as sops-nix does not work for them + # LastFM.ApiKey = TEMPLATE; + # LastFM.Secret = TEMPLATE; + # Spotify.ID = TEMPLATE; + # Spotify.Secret = TEMPLATE; + UILoginBackgroundUrl = "https://i.imgur.com/OMLxi7l.png"; + UIWelcomeMessage = "~SwarselSound~"; + }; + }; + services.mpd = { + enable = true; + musicDirectory = "/mnt/Eternor/Musik"; + user = "mpd"; + group = "mpd"; + network = { + port = 3254; + listenAddress = "any"; + }; + credentials = [ + { + passwordFile = config.sops.secrets.mpdpass.path; + permissions = [ + "read" + "add" + "control" + "admin" + ]; + } + ]; + }; + + + users.groups.spotifyd = { + gid = 65136; + }; + + users.users.spotifyd = { + isSystemUser = true; + uid = 65136; + group = "spotifyd"; + extraGroups = [ "audio" "utmp" ]; + }; + + services.spotifyd = { + enable = true; + settings = { + global = { 
+ dbus_type = "session"; + use_mpris = false; + device = "default:CARD=PCH"; + device_name = "SwarselSpot"; + mixer = "alsa"; + zeroconf_port = 1025; + }; + }; + }; + + # Network shares + # add a user with sudo smbpasswd -a + services.samba = { + package = pkgs.samba4Full; + extraConfig = '' + workgroup = WORKGROUP + server role = standalone server + dns proxy = no + + pam password change = yes + map to guest = bad user + create mask = 0664 + force create mode = 0664 + directory mask = 0775 + force directory mode = 0775 + follow symlinks = yes + ''; + + # ^^ `samba4Full` is compiled with avahi, ldap, AD etc support compared to the default package, `samba` + # Required for samba to register mDNS records for auto discovery + # See https://github.com/NixOS/nixpkgs/blob/592047fc9e4f7b74a4dc85d1b9f5243dfe4899e3/pkgs/top-level/all-packages.nix#L27268 + enable = true; + # openFirewall = true; + shares.test = { + browseable = "yes"; + "read only" = "no"; + "guest ok" = "no"; + path = "/test2"; + writable = "true"; + comment = "Eternor"; + "valid users" = "@smbtest2"; + }; + }; + + + services.avahi = { + publish.enable = true; + publish.userServices = true; + # ^^ Needed to allow samba to automatically register mDNS records without the need for an `extraServiceFile` + nssmdns = true; + # ^^ Not one hundred percent sure if this is needed- if it aint broke, don't fix it + enable = true; + }; + + services.samba-wsdd = { + # This enables autodiscovery on windows since SMB1 (and thus netbios) support was discontinued + enable = true; + }; + + + + + + + + + + + } + +#+end_src **** Threed (Surface Pro 3) :PROPERTIES: :CUSTOM_ID: h:7b1a8f91-ef43-433c-ba4c-c5baf50e1de4 
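Review bot: `networking.firewall.enable = false;` in the sandbox profile means the rule placed in `networking.firewall.extraCommands` (`iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP`) is never installed, since NixOS only runs `extraCommands` as part of the firewall service. Unless `/etc/openvpn/iptables.sh` (not visible in this hunk) adds an equivalent rule, the egress restriction intended for the `vpn` user that runs Transmission is not enforced by this module. With the firewall off, the listeners bound to `0.0.0.0` (the Synapse listener on 8008 with `x_forwarded = true`, Transmission RPC on 9091, Navidrome on 4040, MPD on `any`) are also reachable directly instead of only through the nginx virtual hosts, and sshd accepts root logins on all interfaces. I would set `networking.firewall.enable = true;` with an explicit `networking.firewall.allowedTCPPorts = [ 22 80 443 ];` (plus whichever LAN services are meant to be exposed) and bind the proxied backends to `127.0.0.1`. The `sudo` prefix inside `extraCommands` can be dropped, as that script already runs as root and `sudo` may not be on its PATH.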
@@ -3529,889 +4412,6 @@ Lastly, the machine that runs matrix needs to regularly update, as otherwise you #+end_src -**** Sandbox (Lenovo Y510P) -:PROPERTIES: -:CUSTOM_ID: h:60cf171f-2ec9-418f-8f67-85d159efe9d0 -:END: - -My laptop, sadly soon to be replaced by a new one, since most basic functions are stopping to work lately. - -***** NixOS -:PROPERTIES: -:CUSTOM_ID: h:23b0f629-343c-42fa-bf9b-70bea341c0d2 -:END: - -#+begin_src nix :noweb yes :tangle profiles/sandbox/nixos.nix - - { config, pkgs, modulesPath, unstable, sops, ... }: let - matrixDomain = "swatrix.swarsel.win"; - in { - - imports = [ - ./hardware-configuration.nix - # we import here a service that is not available yet on normal nixpkgs - # this module is hence not in the modules list, we add it ourselves - (unstable + "/nixos/modules/services/matrix/mautrix-signal.nix") - ]; - - boot.loader.grub = { - enable = true; - device = "/dev/sda"; - useOSProber = true; - }; - - users.users.swarsel = { - isNormalUser = true; - description = "Leon S"; - extraGroups = [ "networkmanager" "wheel" "lp"]; - packages = with pkgs; []; - }; - - # actual config starts here - - fileSystems."/mnt/Eternor" = { - device = "//192.168.1.3/Eternor"; - fsType = "cifs"; - options = let - # this line prevents hanging on network split - automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s"; - in ["${automount_opts},credentials=/etc/nixos/smb-secrets,uid=1000,gid=100"]; - }; - - environment.systemPackages = with pkgs; [ - git - gnupg - ssh-to-age - lego - nginx - calibre - openvpn - jq - iptables - busybox - wireguard-tools - matrix-synapse - lottieconverter - ffmpeg - pciutils - alsa-utils - mpv - zfs - ]; - - services.xserver = { - layout = "us"; - xkbVariant = "altgr-intl"; - }; - - nix.settings.experimental-features = ["nix-command" "flakes"]; - - services.openssh = { - enable = true; - settings.PermitRootLogin = "yes"; - listenAddresses = [{ - port = 22; - 
addr = "0.0.0.0"; - }]; - }; - users.users.root.openssh.authorizedKeys.keyFiles = [ - ../../secrets/keys/authorized_keys - ]; - - system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change - - environment.shellAliases = { - nswitch = "cd ~/.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;"; - }; - - boot.supportedFilesystems = [ "zfs" ]; - boot.zfs.forceImportRoot = false; - networking.hostId = "8a8ad84a"; - - networking.hostName = "sandbox"; # Define your hostname. - networking.enableIPv6 = true; - networking.firewall.enable = false; - - documentation = { - enable = false; - }; - - sops.age.sshKeyPaths = [ "/etc/ssh/sops" ]; - sops.defaultSopsFile = "/root/.dotfiles/secrets/sandbox/secrets.yaml"; - sops.validateSopsFiles = false; - sops.secrets.dnstokenfull = {owner="acme";}; - sops.templates."certs.secret".content = '' - CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull} - ''; - - security.acme = { - acceptTerms = true; - preliminarySelfsigned = false; - defaults.email = "mrswarsel@gmail.com"; - defaults.dnsProvider = "cloudflare"; - defaults.environmentFile = "${config.sops.templates."certs.secret".path}"; - }; - - services.nginx = { - enable = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - virtualHosts = { - - "stash.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "https://192.168.1.5"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - # "/push/" = { - # proxyPass = "http://192.168.2.5:7867"; - # }; - "/.well-known/carddav" = { - return = "301 $scheme://$host/remote.php/dav"; - }; - "/.well-known/caldav" = { - return = "301 $scheme://$host/remote.php/dav"; - }; - }; - }; - - "swatrix.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "~ ^(/_matrix|/_synapse/client)" = { - proxyPass = 
"http://127.0.0.1:8008"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - }; - }; - - - "sound.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:4040"; - proxyWebsockets = true; - extraConfig = '' - proxy_redirect http:// https://; - proxy_read_timeout 600s; - proxy_send_timeout 600s; - proxy_buffering off; - proxy_request_buffering off; - client_max_body_size 0; - ''; - }; - }; - }; - - "scan.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:28981"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - }; - }; - - "screen.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:8096"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - }; - }; - - "scroll.swarsel.win" = { - enableACME = true; - forceSSL = true; - acmeRoot = null; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:8080"; - extraConfig = '' - client_max_body_size 0; - ''; - }; - }; - }; - - - }; - }; - - - sops.secrets.kavita = { owner = "kavita";}; - - services.kavita = { - enable = true; - user = "kavita"; - port = 8080; - tokenKeyFile = config.sops.secrets.kavita.path; - }; - - users.users.jellyfin = { - extraGroups = [ "video" "render" ]; - }; - - # nixpkgs.config.packageOverrides = pkgs: { - # vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; - # }; - - hardware.graphics = { - enable = true; - extraPackages = with pkgs; [ - intel-media-driver # LIBVA_DRIVER_NAME=iHD - vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium) - vaapiVdpau - libvdpau-va-gl - ]; - }; - - services.jellyfin = { - enable = true; - user = "jellyfin"; - # openFirewall = true; # this works only for the default ports - }; - - users.groups.vpn = {}; - - users.users.vpn = { - isNormalUser = true; - group = "vpn"; - 
home = "/home/vpn"; - }; - - boot.kernelModules = [ "tun" ]; - - services.radarr = { - enable = true; - }; - - services.readarr = { - enable = true; - }; - services.sonarr = { - enable = true; - }; - services.lidarr = { - enable = true; - }; - services.prowlarr = { - enable = true; - }; - - networking.firewall.extraCommands = '' - sudo iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP - ''; - networking.iproute2 = { - enable = true; - rttablesExtraConfig = '' - 200 vpn - ''; - }; - boot.kernel.sysctl = { - "net.ipv4.conf.all.rp_filter" = 2; - "net.ipv4.conf.default.rp_filter" = 2; - "net.ipv4.conf.enp7s0.rp_filter" = 2; - }; - environment.etc = { - "openvpn/iptables.sh" = - { source = ../../scripts/server1/iptables.sh; - mode = "0755"; - }; - "openvpn/update-resolv-conf" = - { source = ../../scripts/server1/update-resolv-conf; - mode = "0755"; - }; - "openvpn/routing.sh" = - { source = ../../scripts/server1/routing.sh; - mode = "0755"; - }; - "openvpn/ca.rsa.2048.crt" = - { source = ../../secrets/certs/ca.rsa.2048.crt; - mode = "0644"; - }; - "openvpn/crl.rsa.2048.pem" = - { source = ../../secrets/certs/crl.rsa.2048.pem; - mode = "0644"; - }; - }; - - sops.secrets.vpnuser = {}; - sops.secrets.rpcuser = {owner="vpn";}; - sops.secrets.vpnpass = {}; - sops.secrets.rpcpass = {owner="vpn";}; - sops.secrets.vpnprot = {}; - sops.secrets.vpnloc = {}; - # sops.secrets.crlpem = {}; - # sops.secrets.capem = {}; - sops.templates."transmission-rpc".owner = "vpn"; - sops.templates."transmission-rpc".content = builtins.toJSON { - rpc-username = config.sops.placeholder.rpcuser; - rpc-password = config.sops.placeholder.rpcpass; - }; - - sops.templates.pia.content = '' - ${config.sops.placeholder.vpnuser} - ${config.sops.placeholder.vpnpass} - ''; - - sops.templates.vpn.content = '' - client - dev tun - proto ${config.sops.placeholder.vpnprot} - remote ${config.sops.placeholder.vpnloc} - resolv-retry infinite - nobind - persist-key - persist-tun - cipher aes-128-cbc - auth 
sha1 - tls-client - remote-cert-tls server - - auth-user-pass ${config.sops.templates.pia.path} - compress - verb 1 - reneg-sec 0 - - crl-verify /etc/openvpn/crl.rsa.2048.pem - ca /etc/openvpn/ca.rsa.2048.crt - - disable-occ - ''; - - services.openvpn.servers = { - pia = { - autoStart = true; - updateResolvConf = false; - config = "config ${config.sops.templates.vpn.path}"; - }; - }; - - services.transmission = { - enable = true; - credentialsFile = config.sops.templates."transmission-rpc".path; - user = "vpn"; - settings = { - - alt-speed-down= 8000; - alt-speed-enabled= false; - alt-speed-time-begin= 0; - alt-speed-time-day= 127; - alt-speed-time-enabled= true; - alt-speed-time-end= 360; - alt-speed-up= 2000; - bind-address-ipv4= "0.0.0.0"; - bind-address-ipv6= "::"; - blocklist-enabled= false; - blocklist-url= "http://www.example.com/blocklist"; - cache-size-mb= 256; - dht-enabled= false; - download-dir= "/test"; - download-limit= 100; - download-limit-enabled= 0; - download-queue-enabled= true; - download-queue-size= 5; - encryption= 2; - idle-seeding-limit= 30; - idle-seeding-limit-enabled= false; - incomplete-dir= "/var/lib/transmission-daemon/Downloads"; - incomplete-dir-enabled= false; - lpd-enabled= false; - max-peers-global= 200; - message-level= 1; - peer-congestion-algorithm= ""; - peer-id-ttl-hours= 6; - peer-limit-global= 100; - peer-limit-per-torrent= 40; - peer-port= 22371; - peer-port-random-high= 65535; - peer-port-random-low= 49152; - peer-port-random-on-start= false; - peer-socket-tos= "default"; - pex-enabled= false; - port-forwarding-enabled= false; - preallocation= 1; - prefetch-enabled= true; - queue-stalled-enabled= true; - queue-stalled-minutes= 30; - ratio-limit= 2; - ratio-limit-enabled= false; - rename-partial-files= true; - rpc-authentication-required= true; - rpc-bind-address= "0.0.0.0"; - rpc-enabled= true; - rpc-host-whitelist= ""; - rpc-host-whitelist-enabled= true; - rpc-port= 9091; - rpc-url= "/transmission/"; - rpc-whitelist= 
"127.0.0.1,192.168.3.2"; - rpc-whitelist-enabled= true; - scrape-paused-torrents-enabled= true; - script-torrent-done-enabled= false; - seed-queue-enabled= false; - seed-queue-size= 10; - speed-limit-down= 6000; - speed-limit-down-enabled= true; - speed-limit-up= 500; - speed-limit-up-enabled= true; - start-added-torrents= true; - trash-original-torrent-files= false; - umask= 2; - upload-limit= 100; - upload-limit-enabled= 0; - upload-slots-per-torrent= 14; - utp-enabled= false; - }; - }; - - # services.nginx = { - # enable = true; - # virtualHosts = { - - # "192.168.1.192" = { - # locations = { - # "/transmission" = { - # proxyPass = "http://127.0.0.1:9091"; - # extraConfig = '' - # proxy_set_header Host $host; - # proxy_set_header X-Real-IP $remote_addr; - # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # ''; - # }; - # }; - # }; - # }; - # }; - - - # sops.secrets.matrixsharedsecret = {owner="matrix-synapse";}; - # sops.templates."matrix_user_register.sh".content = '' - # register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008 - # ''; - # sops.templates.matrixshared.owner = "matrix-synapse"; - # sops.templates.matrixshared.content = '' - # registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret} - # ''; - # sops.secrets.mautrixtelegram_as = {owner="matrix-synapse";}; - # sops.secrets.mautrixtelegram_hs = {owner="matrix-synapse";}; - # sops.secrets.mautrixtelegram_api_id = {owner="matrix-synapse";}; - # sops.secrets.mautrixtelegram_api_hash = {owner="matrix-synapse";}; - # sops.templates.mautrixtelegram.owner = "matrix-synapse"; - # sops.templates.mautrixtelegram.content = '' - # MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as} - # MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs} - # MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id} - # 
MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash} - # ''; - - - - - # ---------------- - # sops.secrets.mautrixwhatsapp_shared = {owner="matrix-synapse";}; - # sops.templates.mautrixwhatsapp.owner = "matrix-synapse"; - # sops.templates.mautrixwhatsapp.content = '' - # MAUTRIX_WHATSAPP_BRIDGE_LOGIN_SHARED_SECRET=${config.sops.placeholder.mautrixwhatsapp_shared} - # ''; - - services.postgresql.enable = true; - services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" '' - CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; - CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram'; - CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp'; - CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal'; - CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; - ''; - - services.matrix-synapse = { - settings.app_service_config_files = [ - "/var/lib/matrix-synapse/telegram-registration.yaml" - "/var/lib/matrix-synapse/whatsapp-registration.yaml" - "/var/lib/matrix-synapse/signal-registration.yaml" - "/var/lib/matrix-synapse/doublepuppet.yaml" - ]; - enable = false; - settings.server_name = matrixDomain; - settings.public_baseurl = "https://${matrixDomain}"; - extraConfigFiles = [ - config.sops.templates.matrixshared.path - ]; - settings.listeners = [ - { port = 8008; - bind_addresses = [ "0.0.0.0" ]; - type = "http"; - tls = false; - x_forwarded = true; - resources = [ - { - names = [ "client" "federation" ]; - compress = true; - } - ]; - } - ]; - }; - - services.mautrix-telegram 
= { - enable = false; - environmentFile = config.sops.templates.mautrixtelegram.path; - settings = { - homeserver = { - address = "http://localhost:8008"; - domain = matrixDomain; - }; - appservice = { - address= "http://localhost:29317"; - hostname = "0.0.0.0"; - port = "29317"; - provisioning.enabled = true; - id = "telegram"; - # ephemeral_events = true; # not needed due to double puppeting - public = { - enabled = false; - }; - database = "postgresql:///mautrix-telegram?host=/run/postgresql"; - }; - bridge = { - # login_shared_secret_map = { - # matrixDomain = "as_token:doublepuppet"; - # }; - relaybot.authless_portals = true; - allow_avatar_remove = true; - allow_contact_info = true; - sync_channel_members = true; - startup_sync = true; - sync_create_limit = 0; - sync_direct_chats = true; - telegram_link_preview = true; - permissions = { - "*" = "relaybot"; - "@swarsel:${matrixDomain}" = "admin"; - }; - # Animated stickers conversion requires additional packages in the - # service's path. - # If this isn't a fresh installation, clearing the bridge's uploaded - # file cache might be necessary (make a database backup first!): - # delete from telegram_file where \ - # mime_type in ('application/gzip', 'application/octet-stream') - animated_sticker = { - target = "gif"; - args = { - width = 256; - height = 256; - fps = 30; # only for webm - background = "020202"; # only for gif, transparency not supported - }; - }; - }; - }; - }; - # systemd.services.mautrix-telegram.path = with pkgs; [ - # lottieconverter # for animated stickers conversion, unfree package - # ffmpeg # if converting animated stickers to webm (very slow!) 
- # ]; - - services.mautrix-whatsapp = { - enable = false; - # environmentFile = config.sops.templates.mautrixwhatsapp.path; - settings = { - homeserver = { - address = "http://localhost:8008"; - domain = matrixDomain; - }; - appservice = { - address= "http://localhost:29318"; - hostname = "0.0.0.0"; - port = 29318; - database = { - type = "postgres"; - uri = "postgresql:///mautrix-whatsapp?host=/run/postgresql"; - }; - }; - bridge = { - displayname_template = "{{or .FullName .PushName .JID}} (WA)"; - history_sync = { - backfill = true; - max_initial_conversations = -1; - message_count = -1; - request_full_sync = true; - full_sync_config = { - days_limit = 900; - size_mb_limit = 5000; - storage_quota_mb = 5000; - }; - }; - login_shared_secret_map = { - matrixDomain = "as_token:doublepuppet"; - }; - sync_manual_marked_unread = true; - send_presence_on_typing = true; - parallel_member_sync = true; - url_previews = true; - caption_in_message = true; - extev_polls = true; - permissions = { - "*" = "relaybot"; - "@swarsel:${matrixDomain}" = "admin"; - }; - }; - }; - }; - - services.mautrix-signal = { - enable = false; - # environmentFile = config.sops.templates.mautrixwhatsapp.path; - settings = { - homeserver = { - address = "http://localhost:8008"; - domain = matrixDomain; - }; - appservice = { - - address= "http://localhost:29328"; - hostname = "0.0.0.0"; - port = 29328; - database = { - type = "postgres"; - uri = "postgresql:///mautrix-signal?host=/run/postgresql"; - }; - }; - bridge = { - displayname_template = "{{or .ContactName .ProfileName .PhoneNumber}} (Signal)"; - login_shared_secret_map = { - matrixDomain = "as_token:doublepuppet"; - }; - caption_in_message = true; - permissions = { - "*" = "relaybot"; - "@swarsel:${matrixDomain}" = "admin"; - }; - }; - }; - }; - - # restart the bridges daily. this is done for the signal bridge mainly which stops carrying - # messages out after a while. 
- - systemd.timers."restart-bridges" = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnBootSec = "1d"; - OnUnitActiveSec = "1d"; - Unit = "restart-bridges.service"; - }; - }; - - systemd.services."restart-bridges" = { - script = '' - systemctl restart mautrix-whatsapp.service - systemctl restart mautrix-signal.service - systemctl restart mautrix-telegram.service - ''; - serviceConfig = { - Type = "oneshot"; - User = "root"; - }; - }; - - - users.groups.navidrome = { - gid = 61593; - }; - - users.groups.mpd = {}; - - users.users.navidrome = { - isSystemUser = true; - uid = 61593; - group = "navidrome"; - extraGroups = [ "audio" "utmp" ]; - }; - - users.users.mpd = { - isSystemUser = true; - group = "mpd"; - extraGroups = [ "audio" "utmp" ]; - }; - - sound = { - enable = true; - }; - - hardware.enableAllFirmware = true; - - sops.secrets.mpdpass = { owner = "mpd";}; - - services.navidrome = { - enable = true; - settings = { - Address = "0.0.0.0"; - Port = 4040; - MusicFolder = "/mnt/"; - EnableSharing = true; - EnableTranscodingConfig = true; - Scanner.GroupAlbumReleases = true; - ScanSchedule = "@every 24h"; - # Insert these values locally as sops-nix does not work for them - # LastFM.ApiKey = TEMPLATE; - # LastFM.Secret = TEMPLATE; - # Spotify.ID = TEMPLATE; - # Spotify.Secret = TEMPLATE; - UILoginBackgroundUrl = "https://i.imgur.com/OMLxi7l.png"; - UIWelcomeMessage = "~SwarselSound~"; - }; - }; - services.mpd = { - enable = true; - musicDirectory = "/mnt/Eternor/Musik"; - user = "mpd"; - group = "mpd"; - network = { - port = 3254; - listenAddress = "any"; - }; - credentials = [ - { - passwordFile = config.sops.secrets.mpdpass.path; - permissions = [ - "read" - "add" - "control" - "admin" - ]; - } - ]; - }; - - - users.groups.spotifyd = { - gid = 65136; - }; - - users.users.spotifyd = { - isSystemUser = true; - uid = 65136; - group = "spotifyd"; - extraGroups = [ "audio" "utmp" ]; - }; - - services.spotifyd = { - enable = true; - settings = { - global = { 
- dbus_type = "session"; - use_mpris = false; - device = "default:CARD=PCH"; - device_name = "SwarselSpot"; - mixer = "alsa"; - zeroconf_port = 1025; - }; - }; - }; - - # Network shares - # add a user with sudo smbpasswd -a - services.samba = { - package = pkgs.samba4Full; - extraConfig = '' - workgroup = WORKGROUP - server role = standalone server - dns proxy = no - - pam password change = yes - map to guest = bad user - create mask = 0664 - force create mode = 0664 - directory mask = 0775 - force directory mode = 0775 - follow symlinks = yes - ''; - - # ^^ `samba4Full` is compiled with avahi, ldap, AD etc support compared to the default package, `samba` - # Required for samba to register mDNS records for auto discovery - # See https://github.com/NixOS/nixpkgs/blob/592047fc9e4f7b74a4dc85d1b9f5243dfe4899e3/pkgs/top-level/all-packages.nix#L27268 - enable = true; - # openFirewall = true; - shares.test = { - browseable = "yes"; - "read only" = "no"; - "guest ok" = "no"; - path = "/test2"; - writable = "true"; - comment = "Eternor"; - "valid users" = "@smbtest2"; - }; - }; - - - services.avahi = { - publish.enable = true; - publish.userServices = true; - # ^^ Needed to allow samba to automatically register mDNS records without the need for an `extraServiceFile` - nssmdns = true; - # ^^ Not one hundred percent sure if this is needed- if it aint broke, don't fix it - enable = true; - }; - - services.samba-wsdd = { - # This enables autodiscovery on windows since SMB1 (and thus netbios) support was discontinued - enable = true; - }; - - - - - - - - - - - } - -#+end_src ** Common NixOS :PROPERTIES: :CUSTOM_ID: h:1c1250cd-e9b4-4715-8d9f-eb09e64bfc7f @@ -4470,6 +4470,9 @@ Next, we need to make sure that flakes stay enabled when we rebuild the configur #+end_src **** Make users non-mutable +:PROPERTIES: +:CUSTOM_ID: h:48959890-fbc7-4d28-b33c-f33e028ab473 +:END: This ensures that all user-configuration happens here in the config file. 
@@ -4544,6 +4547,9 @@ Needed for control over system-wide privileges etc. #+end_src **** Enable automatic garbage collection +:PROPERTIES: +:CUSTOM_ID: h:9a3b7f1f-d0c3-417e-a262-c920fb25f3ee +:END: The nix store fills up over time, until =/boot/efi= is filled. This snippet cleans it automatically on a weekly basis. @@ -4559,6 +4565,9 @@ The nix store fills up over time, until =/boot/efi= is filled. This snippet clea #+end_src **** Enable automatic store optimisation +:PROPERTIES: +:CUSTOM_ID: h:97a2b9f7-c835-4db8-a0e9-e923bab69ee8 +:END: This enables hardlinking identical files in the nix store, to save on disk space. I have read this incurs a significant I/O overhead, I need to keep an eye on this. @@ -9442,7 +9451,10 @@ Also, Emacs needs a little extra love to accept my Yubikey for git commits etc. (magit-display-buffer-function #'magit-display-buffer-same-window-except-diff-v1)) ; stay in the same window #+end_src -* Yubikey support +*** Yubikey support +:PROPERTIES: +:CUSTOM_ID: h:d78709dd-4f79-441c-9166-76f61f90359a +:END: The following settings are needed to make sure emacs works for magit commits and pushes. It is not a beautiful solution since commiting uses pinentry-emacs and pushing uses pinentry-gtk2, but it works for now at least. 
@@ -10432,3 +10444,567 @@ This sets up the =dashboard=, which is really quite useless. But, it looks cool #+end_src +* Wiki +:PROPERTIES: +:CUSTOM_ID: h:c4c37b94-0760-4bff-9917-f1b0f023f6c3 +:END: + +This houses a few configuration snippets that might be useful if you are new to the nix ecosystem. It will be infrequently updated as I come across things that I deem to be interesting to such a reader. Also, interesting configuration tricks will move here if I happen to obsolete them in my main configuration. + +** Importing a NixOS module that is not in nixpkgs +:PROPERTIES: +:CUSTOM_ID: h:b917d84e-5549-4966-8817-f1d947083ab9 +:END: + +This requires changes in multiple locations. As an example we will use an early version of the mautrix-signal module by Niklas Korz. + +1) Add the module source to =flake.nix=: + + #+begin_src nix + { + inputs = { + [...] + # provides expressions for mautrix-signal + nixpkgs-mautrix-signal ={ + url = github:niklaskorz/nixpkgs/nixos-23.11-mautrix-signal; + }; + [...] + }; + + outputs = inputs@{ + self, + [...] + nixpkgs-mautrix-signal, + [...] + }: let + [...] + pkgsmautrix = import nixpkgs-mautrix-signal { inherit system; + config.allowUnfree = true; + }; + [...] + in { + nixosConfigurations = { + matrix = nixpkgs.lib.nixosSystem { + pkgs = pkgsmautrix; + # this is to import a service module that is not on nixpkgs + # this way avoids infinite recursion errors + specialArgs.unstable = nixpkgs-mautrix-signal; + modules = [ + [...] + ]; + }; + }; + } + } + + #+end_src + +2) Import the module in the configuration (=configuration.nix=) + + #+begin_src nix + + [...] + imports = [ + [...] + (unstable + "/nixos/modules/services/matrix/mautrix-signal.nix") + ]; + + [...] 
+ #+end_src +** Build a firefox addon +:PROPERTIES: +:CUSTOM_ID: h:0ea4318a-ef11-4d9a-bef4-e994c5020989 +:END: + +1) app id can be found in the manifest.json file of the .xpi (.xpi is just a normal archive) +2) url can be found by copy url of the "add extension" button on the addon page +3) the rest of the information is also found in the manifest.json, but might not be needed + + In =configuration.nix=: + +#+begin_src nix + programs.firefox = { + [...] + profiles.default = { + [...] + extensions = with pkgs.nur.repos.rycee.firefox-addons; [ + [...] + (buildFirefoxXpiAddon { + pname = ":emoji:"; + version = "0.1.3"; + addonId = "gonelf@gmail.com"; + url = "https://addons.mozilla.org/firefox/downloads/file/3365324/emojidots-0.1.3.xpi"; + sha256 = "4f7cc25c478fe52eb82f37c9ff4978dcaa3f95020398c5b184e517f6efa2c201"; + meta = with lib; + { + description = "emoji autocomplete anywhere on the internet"; + mozPermissions = [ "https://gist.githubusercontent.com/gonelf/d8ae3ccb7902b501c4a5dd625d4089da/raw/5eeda197ba92f8c8139e846a1225d5640077e06f/emoji_pretty.json" "tabs" "storage"]; + platforms = platforms.all; + }; + }) + [...] +#+end_src +** Define shell utility as package +:PROPERTIES: +:CUSTOM_ID: h:ce7a2467-72e0-4a13-89c0-61e3b3dbb6e7 +:END: + +In =configuration.nix= (or =home.nix=): + +#+begin_src nix + + home.packages = with pkgs; [ # or for NixOS environment.systemPackages = with pkgs; [ + [...] 
+ (pkgs.writeShellApplication { + name = "pass-fuzzel"; + runtimeInputs = [ pkgs.pass pkgs.fuzzel ]; + text = '' + shopt -s nullglob globstar + + typeit=0 + if [[ $# -ge 1 && $1 == "--type" ]]; then + typeit=1 + shift + fi + + export PASSWORD_STORE_DIR=~/.local/share/password-store + prefix=''${PASSWORD_STORE_DIR-~/.local/share/password-store} + password_files=( "$prefix"/**/*.gpg ) + password_files=( "''${password_files[@]#"$prefix"/}" ) + password_files=( "''${password_files[@]%.gpg}" ) + + password=$(printf '%s\n' "''${password_files[@]}" | fuzzel --dmenu "$@") + + [[ -n $password ]] || exit + + if [[ $typeit -eq 0 ]]; then + pass show -c "$password" &>/tmp/pass-fuzzel + else + pass show "$password" | { IFS= read -r pass; printf %s "$pass"; } | wtype - + fi + notify-send -u critical -a pass -t 1000 "Copied/Typed Password" + ''; + }) + + [...] + +#+end_src +** Add program with prebuild binaries to nix store +:PROPERTIES: +:CUSTOM_ID: h:f98faf13-1e3b-4ba4-9e76-cc4b98f1c308 +:END: + +In =configuration.nix=: + +#+begin_src nix + + home.packages = with pkgs; [ # or for NixOS environment.systemPackages = with pkgs; [ + [...] + (stdenv.mkDerivation { + name = "oama"; + + src = pkgs.fetchurl { + name = "oama"; + url = "https://github.com/pdobsan/oama/releases/download/0.13.1/oama-0.13.1-Linux-x86_64-static.tgz"; + sha256 = "sha256-OTdCObVfnMPhgZxVtZqehgUXtKT1iyqozdkPIV+i3Gc="; + }; + + phases = [ + "unpackPhase" + ]; + + unpackPhase = '' + mkdir -p $out/bin + tar xvf $src -C $out/ + mv $out/oama-0.13.1-Linux-x86_64-static/oama $out/bin/ + ''; + + }) + + [...] 
+ #+end_src +** Patch a utilty for nix paths: +:PROPERTIES: +:CUSTOM_ID: h:fceba848-f065-40e0-ad3f-d16e48c24db5 +:END: +See https://drakerossman.com/blog/how-to-patch-a-package-source-on-nixos +** let-block for overriding a package in nixpkgs (here: replacing airsonic with airsonic-advanced) +:PROPERTIES: +:CUSTOM_ID: h:f87f511f-f2be-486d-8297-4361eee6a0d8 +:END: + +This can be useful if a module does not let you use your own package yourself. + +In =flake.nix=: + +#+begin_src nix + + pkgs = import nixpkgs { inherit system; + overlays = [ emacs-overlay.overlay + nur.overlay + nixgl.overlay + (self: super: { + airsonic = super.airsonic.overrideAttrs (_: rec { + version = "11.0.2-kagemomiji"; + name = "airsonic-advanced-${version}"; + src = super.fetchurl { + url = "https://github.com/kagemomiji/airsonic-advanced/releases/download/11.0.2/airsonic.war"; + sha256 = "PgErtEizHraZgoWHs5jYJJ5NsliDd9VulQfS64ackFo="; + }; + }); + }) + ]; + config.allowUnfree = true; + }; + +#+end_src +** Reference configurations +:PROPERTIES: +:CUSTOM_ID: h:236b7d18-d97b-4714-805f-2ca4d8b1c3c2 +:END: + +Configurations that I have retired or are there for the general study. + +*** non-nixos +:PROPERTIES: +:CUSTOM_ID: h:60bd347b-81c5-47b2-82f7-2e6a0c888d3e +:END: +My Surface Pro 3, only used for on-the-go university work. Be careful when pushing large changes to this machine, as it easily runs out of memory on large switches. At the moment the only machine running non-NixOS, so special care must be taken not to break this one during updates. + +***** Channel setup +:PROPERTIES: +:CUSTOM_ID: h:63e6e03a-8c1e-45f4-aec2-7ca351eccd35 +:END: + +This installs nixGL, which is needed to run GL apps installed through home-manager, since this machine is not using NixOS. + +This is not super clean (because it is not fully replicative), but I do not really care. 
+ +1) Install nixGL: + +#+begin_src nix + nix-channel --add https://github.com/guibou/nixGL/archive/main.tar.gz nixgl && nix-channel --update + nix-env -iA nixgl.auto.nixGLDefault # or replace `nixGLDefault` with your desired wrapper +#+end_src + +This is needed in order to use EGL. Prefix programs that use it with `nixGL` + +***** Home manager +:PROPERTIES: +:CUSTOM_ID: h:483a26b5-5a40-4417-9ffb-67cc2cf07161 +:END: + +Special things to note here: We are running xcape to allow =CAPS= to act as =CTRL= and =ESC=. Also we are using =nixGL= in most places. + +#+begin_src nix + + { config, pkgs, lib, fetchFromGitHub, ... }: + + { + programs.home-manager.enable = true; + home.username = "leons"; + home.homeDirectory = "/home/leons"; + + home.stateVersion = "23.05"; # Please read the comment before changing. + + stylix.image = ../../wallpaper/surfacewp.png; + <> + + nixpkgs = { + config = { + allowUnfree = true; + allowUnfreePredicate = (_: true); + }; + }; + services.xcape = { + enable = true; + mapExpression = { + Control_L = "Escape"; + }; + }; + #keyboard config + home.keyboard.layout = "us"; + + sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" ]; + + # waybar config + programs.waybar.settings.mainBar.cpu.format = "{icon0} {icon1} {icon2} {icon3}"; + + programs.waybar.settings.mainBar.temperature.hwmon-path = "/sys/devices/platform/coretemp.0/hwmon/hwmon3/temp3_input"; + programs.waybar.settings.mainBar.modules-right = ["custom/outer-left-arrow-dark" "mpris" "custom/left-arrow-light" + "network" + "custom/left-arrow-dark" + "pulseaudio" + "custom/left-arrow-light" + "battery" + "custom/left-arrow-dark" + "temperature" + "custom/left-arrow-light" + "disk" + "custom/left-arrow-dark" + "memory" + "custom/left-arrow-light" + "cpu" + "custom/left-arrow-dark" + "tray" + "custom/left-arrow-light" + "clock#2" + "custom/left-arrow-dark" + "clock#1" ]; + services.blueman-applet.enable = true; + home.packages = with pkgs; [ + # nixgl.auto.nixGLDefault + evince + 
# nodejs_20 + + # messaging + # we use gomuks for RAM preservation, but keep schildi around for files and images + ]; + + programs.zsh.initExtra = " + export GPG_TTY=\"$(tty)\" + export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) + gpgconf --launch gpg-agent + "; + + # sway config + wayland.windowManager.sway= { + config = rec { + input = { + "*" = { + xkb_layout = "us"; + xkb_options = "ctrl:nocaps,grp:win_space_toggle"; + xkb_variant = "altgr-intl"; + }; + "type:touchpad" = { + dwt = "enabled"; + tap = "enabled"; + natural_scroll = "enabled"; + middle_emulation = "enabled"; + }; + }; + + output = { + eDP-1 = { + mode = "2160x1440@59.955Hz"; + scale = "1"; + bg = "~/.dotfiles/wallpaper/surfacewp.png fill"; + }; + }; + + keybindings = let + modifier = config.wayland.windowManager.sway.config.modifier; + in { + "${modifier}+F2" = "exec brightnessctl set +5%"; + "${modifier}+F1"= "exec brightnessctl set 5%-"; + "${modifier}+n" = "exec sway output eDP-1 transform normal, splith"; + "${modifier}+Ctrl+p" = "exec nixGL wl-mirror eDP-1"; + "${modifier}+t" = "exec sway output eDP-1 transform 90, splitv"; + "${modifier}+XF86AudioLowerVolume" = "exec grim -g \"$(slurp)\" -t png - | wl-copy -t image/png"; + "${modifier}+XF86AudioRaiseVolume" = "exec grim -g \"$(slurp)\" -t png - | wl-copy -t image/png"; + "${modifier}+w" = "exec \"bash ~/.dotfiles/scripts/checkgomuks.sh\""; + }; + + startup = [ + { command = "sleep 60 && nixGL nextcloud --background";} + # { command = "sleep 60 && nixGL spotify";} + { command = "sleep 60 && nixGL discord --start-minimized -enable-features=UseOzonePlatform -ozone-platform=wayland";} + # { command = "sleep 60 && nixGL schildichat-desktop --hidden";} + { command = "sleep 60 && nixGL syncthingtray --wait"; } + { command = "sleep 60 && ANKI_WAYLAND=1 nixGL anki";} + { command = "nm-applet --indicator";} + { command = "sleep 60 && OBSIDIAN_USE_WAYLAND=1 nixGL obsidian -enable-features=UseOzonePlatform -ozone-platform=wayland";} + ]; + + 
keycodebindings = { + "124" = "exec systemctl suspend"; + }; + }; + + extraConfig = " + exec swaymsg input 7062:6917:NTRG0001:01_1B96:1B05 map_to_output eDP-1 + exec swaymsg input 7062:6917:NTRG0001:01_1B96:1B05_Stylus map_to_output eDP-1 + "; + }; + } + +#+end_src +*** nixos +:PROPERTIES: +:CUSTOM_ID: h:3f747cb3-bf83-4cb6-8fe4-6a4865472eeb +:END: +***** Onett (Lenovo Y510P) +:PROPERTIES: +:CUSTOM_ID: h:80753b6b-667e-4b04-a260-a3b5c73fb624 +:END: + +My laptop, sadly soon to be replaced by a new one, since most basic functions are stopping to work lately. + +****** NixOS +:PROPERTIES: +:CUSTOM_ID: h:6f3fe0dc-a857-440a-b4bd-c32fd9024b8b +:END: + +#+begin_src nix + + { config, lib, pkgs, inputs, ... }: + + { + + <> + + services = { + greetd.settings.initial_session.user ="swarsel"; + xserver.videoDrivers = ["nvidia"]; + }; + + + hardware = { + nvidia = { + modesetting.enable = true; + powerManagement.enable = true; + prime = { + intelBusId = "PCI:0:2:0"; + nvidiaBusId = "PCI:1:0:0"; + sync.enable = true; + }; + }; + pulseaudio.configFile = pkgs.runCommand "default.pa" {} '' + sed 's/module-udev-detect$/module-udev-detect tsched=0/' \ + ${pkgs.pulseaudio}/etc/pulse/default.pa > $out + ''; + bluetooth.enable = true; + }; + + stylix.image = ../../wallpaper/lenovowp.png; + <> + + boot.loader.grub = { + enable = true; + device = "/dev/sda"; + useOSProber = true; + }; + + networking.hostName = "onett"; # Define your hostname. + networking.enableIPv6 = false; + + users.users.swarsel = { + isNormalUser = true; + description = "Leon S"; + extraGroups = [ "networkmanager" "wheel" "lp"]; + packages = with pkgs; []; + }; + + system.stateVersion = "23.05"; # Did you read the comment? + + environment.systemPackages = with pkgs; [ + ]; + + + } + +#+end_src +****** Home Manager +:PROPERTIES: +:CUSTOM_ID: h:7b76c914-c9b2-47b5-ba89-c501d6391110 +:END: + +#+begin_src nix + + { config, pkgs, lib, fetchFromGitHub, ... 
}: + + { + + <> + + home = { + username = "swarsel"; + homeDirectory = "/home/swarsel"; + stateVersion = "23.05"; # Please read the comment before changing. + keyboard.layout = "de"; + packages = with pkgs; [ + ]; + }; + + sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" ]; + + # # waybar config + programs.waybar.settings.mainBar = { + cpu.format = "{icon0} {icon1} {icon2} {icon3} {icon4} {icon5} {icon6} {icon7}"; + temperature.hwmon-path = "/sys/devices/platform/coretemp.0/hwmon/hwmon3/temp3_input"; + }; + <> + + services.blueman-applet.enable = true; + + wayland.windowManager.sway= { + config = rec { + input = { + "1:1:AT_Translated_Set_2_keyboard" = { + xkb_layout = "us"; + xkb_options = "grp:win_space_toggle"; + # xkb_options = "ctrl:nocaps,grp:win_space_toggle"; + xkb_variant = "altgr-intl"; + }; + "2362:33538:ipad_keyboard_Keyboard" = { + xkb_layout = "us"; + xkb_options = "altwin:swap_lalt_lwin,ctrl:nocaps,grp:win_space_toggle"; + xkb_variant = "colemak_dh"; + }; + "36125:53060:splitkb.com_Kyria_rev3" = { + xkb_layout = "us"; + xkb_variant = "altgr-intl"; + }; + + "type:touchpad" = { + dwt = "enabled"; + tap = "enabled"; + natural_scroll = "enabled"; + middle_emulation = "enabled"; + }; + }; + + output = { + eDP-1 = { + mode = "1920x1080"; + scale = "1"; + bg = "~/.dotfiles/wallpaper/lenovowp.png fill"; + position = "1920,0"; + }; + VGA-1 = { + mode = "1920x1080"; + scale = "1"; + bg = "~/.dotfiles/wallpaper/lenovowp.png fill"; + position = "0,0"; + }; + }; + + keybindings = let + modifier = config.wayland.windowManager.sway.config.modifier; + in { + "${modifier}+F2" = "exec brightnessctl set +5%"; + "${modifier}+F1"= "exec brightnessctl set 5%-"; + "XF86MonBrightnessUp" = "exec brightnessctl set +5%"; + "XF86MonBrightnessDown"= "exec brightnessctl set 5%-"; + "${modifier}+Ctrl+p" = "exec wl-mirror eDP-1"; + "XF86HomePage" = "exec wtype -P Escape -p Escape"; + "${modifier}+w" = "exec \"bash ~/.dotfiles/scripts/checkschildi.sh\""; + }; + 
keycodebindings = { + "94" = "exec wtype c"; + "Shift+94" = "exec wtype C"; + "Ctrl+94" = "exec wtype -M ctrl c -m ctrl"; + "Ctrl+Shift+94" = "exec wtype -M ctrl -M shift c -m ctrl -m shift"; + }; + + startup = [ + <> + ]; + }; + + extraConfig = " + "; + }; + } + +#+end_src diff --git a/Wiki.org b/Wiki.org deleted file mode 100644 index 9986140..0000000 --- a/Wiki.org +++ /dev/null 
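Review bot: In the "Define shell utility as package" snippet, `pass show -c "$password" &>/tmp/pass-fuzzel` redirects pass's output to a fixed filename in the shared /tmp directory. That output normally names the selected entry, the file is created with whatever the umask allows, and the redirect writes through anything that already exists at that path. Nothing in the visible script reads the file back, so `pass show -c "$password" &>/dev/null` should be enough. The same snippet calls `wtype` and `notify-send` but declares only `runtimeInputs = [ pkgs.pass pkgs.fuzzel ]`, so it depends on the caller's PATH; `runtimeInputs = [ pkgs.pass pkgs.fuzzel pkgs.wtype pkgs.libnotify ]` would make it self-contained. This is wiki material meant to be copied, so the safer form is worth showing here.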
@@ -1,536 +0,0 @@ -#+title: Useful Nix bits - -This pages houses a few configuration snippets that might be useful if you are new to the nix ecosystem. It will be infrequently updated as I come across things that I deem to be interesting to such a reader. - -* Importing a NixOS module that is not in nixpkgs - -This requires changes in multiple locations. As an example we will use an early version of the mautrix-signal module by Niklas Korz. - -1) Add the module source to flake.nix: - - #+begin_src nix flake.nix - { - inputs = { - [...] - # provides expressions for mautrix-signal - nixpkgs-mautrix-signal ={ - url = github:niklaskorz/nixpkgs/nixos-23.11-mautrix-signal; - }; - [...] - }; - - outputs = inputs@{ - self, - [...] - nixpkgs-mautrix-signal, - [...] - }: let - [...] - pkgsmautrix = import nixpkgs-mautrix-signal { inherit system; - config.allowUnfree = true; - }; - [...] - in { - nixosConfigurations = { - matrix = nixpkgs.lib.nixosSystem { - pkgs = pkgsmautrix; - # this is to import a service module that is not on nixpkgs - # this way avoids infinite recursion errors - specialArgs.unstable = nixpkgs-mautrix-signal; - modules = [ - [...] - ]; - }; - }; - } - } - - #+end_src - -2) Import the module in the configuration: - - #+begin_src nix configuration.nix - - [...] - imports = [ - [...] - (unstable + "/nixos/modules/services/matrix/mautrix-signal.nix") - ]; - - [...] - #+end_src - -* Build a firefox addon - -1) app id can be found in the manifest.json file of the .xpi (.xpi is just a normal archive) -2) url can be found by copy url of the "add extension" button on the addon page -3) the rest of the information is also found in the manifest.json, but might not be needed - -#+begin_src nix configuration.nix - programs.firefox = { - [...] - profiles.default = { - [...] - extensions = with pkgs.nur.repos.rycee.firefox-addons; [ - [...] 
- (buildFirefoxXpiAddon { - pname = ":emoji:"; - version = "0.1.3"; - addonId = "gonelf@gmail.com"; - url = "https://addons.mozilla.org/firefox/downloads/file/3365324/emojidots-0.1.3.xpi"; - sha256 = "4f7cc25c478fe52eb82f37c9ff4978dcaa3f95020398c5b184e517f6efa2c201"; - meta = with lib; - { - description = "emoji autocomplete anywhere on the internet"; - mozPermissions = [ "https://gist.githubusercontent.com/gonelf/d8ae3ccb7902b501c4a5dd625d4089da/raw/5eeda197ba92f8c8139e846a1225d5640077e06f/emoji_pretty.json" "tabs" "storage"]; - platforms = platforms.all; - }; - }) - [...] -#+end_src - -* Define shell utility as package - -#+begin_src nix configuration.nix - - home.packages = with pkgs; [ # or for NixOS environment.systemPackages = with pkgs; [ - [...] - (pkgs.writeShellApplication { - name = "pass-fuzzel"; - runtimeInputs = [ pkgs.pass pkgs.fuzzel ]; - text = '' - shopt -s nullglob globstar - - typeit=0 - if [[ $# -ge 1 && $1 == "--type" ]]; then - typeit=1 - shift - fi - - export PASSWORD_STORE_DIR=~/.local/share/password-store - prefix=''${PASSWORD_STORE_DIR-~/.local/share/password-store} - password_files=( "$prefix"/**/*.gpg ) - password_files=( "''${password_files[@]#"$prefix"/}" ) - password_files=( "''${password_files[@]%.gpg}" ) - - password=$(printf '%s\n' "''${password_files[@]}" | fuzzel --dmenu "$@") - - [[ -n $password ]] || exit - - if [[ $typeit -eq 0 ]]; then - pass show -c "$password" &>/tmp/pass-fuzzel - else - pass show "$password" | { IFS= read -r pass; printf %s "$pass"; } | wtype - - fi - notify-send -u critical -a pass -t 1000 "Copied/Typed Password" - ''; - }) - - [...] - -#+end_src - -* Add program with prebuild binaries to nix store - -#+begin_src nix configuration.nix - - home.packages = with pkgs; [ # or for NixOS environment.systemPackages = with pkgs; [ - [...] 
- (stdenv.mkDerivation { - name = "oama"; - - src = pkgs.fetchurl { - name = "oama"; - url = "https://github.com/pdobsan/oama/releases/download/0.13.1/oama-0.13.1-Linux-x86_64-static.tgz"; - sha256 = "sha256-OTdCObVfnMPhgZxVtZqehgUXtKT1iyqozdkPIV+i3Gc="; - }; - - phases = [ - "unpackPhase" - ]; - - unpackPhase = '' - mkdir -p $out/bin - tar xvf $src -C $out/ - mv $out/oama-0.13.1-Linux-x86_64-static/oama $out/bin/ - ''; - - }) - - [...] - #+end_src - -* Patch a utilty for nix paths: -See https://drakerossman.com/blog/how-to-patch-a-package-source-on-nixos -* let-block for overriding a package in nixpkgs (here: replacing airsonic with airsonic-advanced) - -This can be useful if a module does not let you use your own package yourself. - -#+begin_src nix :tangle no - - pkgs = import nixpkgs { inherit system; - overlays = [ emacs-overlay.overlay - nur.overlay - nixgl.overlay - (self: super: { - airsonic = super.airsonic.overrideAttrs (_: rec { - version = "11.0.2-kagemomiji"; - name = "airsonic-advanced-${version}"; - src = super.fetchurl { - url = "https://github.com/kagemomiji/airsonic-advanced/releases/download/11.0.2/airsonic.war"; - sha256 = "PgErtEizHraZgoWHs5jYJJ5NsliDd9VulQfS64ackFo="; - }; - }); - }) - ]; - config.allowUnfree = true; - }; - -#+end_src - -* Reference configurations - -Configurations that I have retired or are there for the general study. - -** non-nixos -:PROPERTIES: -:CUSTOM_ID: h:42339b42-c64b-4d0c-a80c-5c44d3423fce -:END: - -My Surface Pro 3, only used for on-the-go university work. Be careful when pushing large changes to this machine, as it easily runs out of memory on large switches. At the moment the only machine running non-NixOS, so special care must be taken not to break this one during updates. - -**** Channel setup -:PROPERTIES: -:CUSTOM_ID: h:42e45181-9d78-4266-a9a0-9621032f38b0 -:END: - -This installs nixGL, which is needed to run GL apps installed through home-manager, since this machine is not using NixOS. 
- -This is not super clean (because it is not fully replicative), but I do not really care. - -1) Install nixGL: - -#+begin_src nix :tangle no - nix-channel --add https://github.com/guibou/nixGL/archive/main.tar.gz nixgl && nix-channel --update - nix-env -iA nixgl.auto.nixGLDefault # or replace `nixGLDefault` with your desired wrapper -#+end_src - -This is needed in order to use EGL. Prefix programs that use it with `nixGL` - -**** Home manager -:PROPERTIES: -:CUSTOM_ID: h:929d56f5-e16f-4341-901c-24e8a8450398 -:END: - -Special things to note here: We are running xcape to allow =CAPS= to act as =CTRL= and =ESC=. Also we are using =nixGL= in most places. - -#+begin_src nix :noweb yes :tangle profiles/surface/home.nix - - { config, pkgs, lib, fetchFromGitHub, ... }: - - { - programs.home-manager.enable = true; - home.username = "leons"; - home.homeDirectory = "/home/leons"; - - home.stateVersion = "23.05"; # Please read the comment before changing. - - stylix.image = ../../wallpaper/surfacewp.png; - <> - - nixpkgs = { - config = { - allowUnfree = true; - allowUnfreePredicate = (_: true); - }; - }; - services.xcape = { - enable = true; - mapExpression = { - Control_L = "Escape"; - }; - }; - #keyboard config - home.keyboard.layout = "us"; - - sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" ]; - - # waybar config - programs.waybar.settings.mainBar.cpu.format = "{icon0} {icon1} {icon2} {icon3}"; - - programs.waybar.settings.mainBar.temperature.hwmon-path = "/sys/devices/platform/coretemp.0/hwmon/hwmon3/temp3_input"; - programs.waybar.settings.mainBar.modules-right = ["custom/outer-left-arrow-dark" "mpris" "custom/left-arrow-light" - "network" - "custom/left-arrow-dark" - "pulseaudio" - "custom/left-arrow-light" - "battery" - "custom/left-arrow-dark" - "temperature" - "custom/left-arrow-light" - "disk" - "custom/left-arrow-dark" - "memory" - "custom/left-arrow-light" - "cpu" - "custom/left-arrow-dark" - "tray" - "custom/left-arrow-light" - "clock#2" - 
"custom/left-arrow-dark" - "clock#1" ]; - services.blueman-applet.enable = true; - home.packages = with pkgs; [ - # nixgl.auto.nixGLDefault - evince - # nodejs_20 - - # messaging - # we use gomuks for RAM preservation, but keep schildi around for files and images - ]; - - programs.zsh.initExtra = " - export GPG_TTY=\"$(tty)\" - export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) - gpgconf --launch gpg-agent - "; - - # sway config - wayland.windowManager.sway= { - config = rec { - input = { - "*" = { - xkb_layout = "us"; - xkb_options = "ctrl:nocaps,grp:win_space_toggle"; - xkb_variant = "altgr-intl"; - }; - "type:touchpad" = { - dwt = "enabled"; - tap = "enabled"; - natural_scroll = "enabled"; - middle_emulation = "enabled"; - }; - }; - - output = { - eDP-1 = { - mode = "2160x1440@59.955Hz"; - scale = "1"; - bg = "~/.dotfiles/wallpaper/surfacewp.png fill"; - }; - }; - - keybindings = let - modifier = config.wayland.windowManager.sway.config.modifier; - in { - "${modifier}+F2" = "exec brightnessctl set +5%"; - "${modifier}+F1"= "exec brightnessctl set 5%-"; - "${modifier}+n" = "exec sway output eDP-1 transform normal, splith"; - "${modifier}+Ctrl+p" = "exec nixGL wl-mirror eDP-1"; - "${modifier}+t" = "exec sway output eDP-1 transform 90, splitv"; - "${modifier}+XF86AudioLowerVolume" = "exec grim -g \"$(slurp)\" -t png - | wl-copy -t image/png"; - "${modifier}+XF86AudioRaiseVolume" = "exec grim -g \"$(slurp)\" -t png - | wl-copy -t image/png"; - "${modifier}+w" = "exec \"bash ~/.dotfiles/scripts/checkgomuks.sh\""; - }; - - startup = [ - { command = "sleep 60 && nixGL nextcloud --background";} - # { command = "sleep 60 && nixGL spotify";} - { command = "sleep 60 && nixGL discord --start-minimized -enable-features=UseOzonePlatform -ozone-platform=wayland";} - # { command = "sleep 60 && nixGL schildichat-desktop --hidden";} - { command = "sleep 60 && nixGL syncthingtray --wait"; } - { command = "sleep 60 && ANKI_WAYLAND=1 nixGL anki";} - { command = "nm-applet 
--indicator";} - { command = "sleep 60 && OBSIDIAN_USE_WAYLAND=1 nixGL obsidian -enable-features=UseOzonePlatform -ozone-platform=wayland";} - ]; - - keycodebindings = { - "124" = "exec systemctl suspend"; - }; - }; - - extraConfig = " - exec swaymsg input 7062:6917:NTRG0001:01_1B96:1B05 map_to_output eDP-1 - exec swaymsg input 7062:6917:NTRG0001:01_1B96:1B05_Stylus map_to_output eDP-1 - "; - }; - } - -#+end_src -** nixos -**** Onett (Lenovo Y510P) -:PROPERTIES: -:CUSTOM_ID: h:6bc7b9c7-ccfd-42d7-982a-97907aa28b80 -:END: - -My laptop, sadly soon to be replaced by a new one, since most basic functions are stopping to work lately. - -***** NixOS -:PROPERTIES: -:CUSTOM_ID: h:20fc100c-045d-468a-9bf2-824037e6785b -:END: - -#+begin_src nix :noweb yes :tangle profiles/onett/nixos.nix - - { config, lib, pkgs, inputs, ... }: - - { - - <> - - services = { - greetd.settings.initial_session.user ="swarsel"; - xserver.videoDrivers = ["nvidia"]; - }; - - - hardware = { - nvidia = { - modesetting.enable = true; - powerManagement.enable = true; - prime = { - intelBusId = "PCI:0:2:0"; - nvidiaBusId = "PCI:1:0:0"; - sync.enable = true; - }; - }; - pulseaudio.configFile = pkgs.runCommand "default.pa" {} '' - sed 's/module-udev-detect$/module-udev-detect tsched=0/' \ - ${pkgs.pulseaudio}/etc/pulse/default.pa > $out - ''; - bluetooth.enable = true; - }; - - stylix.image = ../../wallpaper/lenovowp.png; - <> - - boot.loader.grub = { - enable = true; - device = "/dev/sda"; - useOSProber = true; - }; - - networking.hostName = "onett"; # Define your hostname. - networking.enableIPv6 = false; - - users.users.swarsel = { - isNormalUser = true; - description = "Leon S"; - extraGroups = [ "networkmanager" "wheel" "lp"]; - packages = with pkgs; []; - }; - - system.stateVersion = "23.05"; # Did you read the comment? 
- - environment.systemPackages = with pkgs; [ - ]; - - - } - -#+end_src - -***** Home Manager -:PROPERTIES: -:CUSTOM_ID: h:d35847ae-2207-4417-9858-b0ea7e2b1a0b -:END: - -#+begin_src nix :noweb yes :tangle profiles/onett/home.nix - - { config, pkgs, lib, fetchFromGitHub, ... }: - - { - - <> - - home = { - username = "swarsel"; - homeDirectory = "/home/swarsel"; - stateVersion = "23.05"; # Please read the comment before changing. - keyboard.layout = "de"; - packages = with pkgs; [ - ]; - }; - - sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" ]; - - # # waybar config - programs.waybar.settings.mainBar = { - cpu.format = "{icon0} {icon1} {icon2} {icon3} {icon4} {icon5} {icon6} {icon7}"; - temperature.hwmon-path = "/sys/devices/platform/coretemp.0/hwmon/hwmon3/temp3_input"; - }; - <> - - services.blueman-applet.enable = true; - - wayland.windowManager.sway= { - config = rec { - input = { - "1:1:AT_Translated_Set_2_keyboard" = { - xkb_layout = "us"; - xkb_options = "grp:win_space_toggle"; - # xkb_options = "ctrl:nocaps,grp:win_space_toggle"; - xkb_variant = "altgr-intl"; - }; - "2362:33538:ipad_keyboard_Keyboard" = { - xkb_layout = "us"; - xkb_options = "altwin:swap_lalt_lwin,ctrl:nocaps,grp:win_space_toggle"; - xkb_variant = "colemak_dh"; - }; - "36125:53060:splitkb.com_Kyria_rev3" = { - xkb_layout = "us"; - xkb_variant = "altgr-intl"; - }; - - "type:touchpad" = { - dwt = "enabled"; - tap = "enabled"; - natural_scroll = "enabled"; - middle_emulation = "enabled"; - }; - }; - - output = { - eDP-1 = { - mode = "1920x1080"; - scale = "1"; - bg = "~/.dotfiles/wallpaper/lenovowp.png fill"; - position = "1920,0"; - }; - VGA-1 = { - mode = "1920x1080"; - scale = "1"; - bg = "~/.dotfiles/wallpaper/lenovowp.png fill"; - position = "0,0"; - }; - }; - - keybindings = let - modifier = config.wayland.windowManager.sway.config.modifier; - in { - "${modifier}+F2" = "exec brightnessctl set +5%"; - "${modifier}+F1"= "exec brightnessctl set 5%-"; - "XF86MonBrightnessUp" 
= "exec brightnessctl set +5%"; - "XF86MonBrightnessDown"= "exec brightnessctl set 5%-"; - "${modifier}+Ctrl+p" = "exec wl-mirror eDP-1"; - "XF86HomePage" = "exec wtype -P Escape -p Escape"; - "${modifier}+w" = "exec \"bash ~/.dotfiles/scripts/checkschildi.sh\""; - }; - keycodebindings = { - "94" = "exec wtype c"; - "Shift+94" = "exec wtype C"; - "Ctrl+94" = "exec wtype -M ctrl c -m ctrl"; - "Ctrl+Shift+94" = "exec wtype -M ctrl -M shift c -m ctrl -m shift"; - }; - - startup = [ - <> - ]; - }; - - extraConfig = " - "; - }; - } - -#+end_src diff --git a/index.html b/index.html index 20cddee..3eb998d 100644 --- a/index.html +++ b/index.html @@ -3,7 +3,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + SwarselSystems: NixOS + Emacs Configuration @@ -339,37 +339,46 @@
  • 4.4.11. devdocs
  • 4.4.12. Projectile
  • 4.4.13. Magit
  • +
  • 4.4.14. Yubikey support
  • +
  • 4.4.15. Forge
  • +
  • 4.4.16. git-timemachine
  • +
  • 4.4.17. Delimiters (brackets): rainbow-delimiters, highlight-parentheses
  • +
  • 4.4.18. rainbow-mode
  • +
  • 4.4.19. Corfu
  • +
  • 4.4.20. cape
  • +
  • 4.4.21. rust
  • +
  • 4.4.22. Tramp
  • +
  • 4.4.23. diff-hl
  • +
  • 4.4.24. Commenting
  • +
  • 4.4.25. yasnippet
  • +
  • 4.4.26. eglot
  • +
  • 4.4.27. Breadcrumb
  • +
  • 4.4.28. Prevent breaking of hardlinks
  • +
  • 4.4.29. Dirvish
  • +
  • 4.4.30. pdf-tools: pdf-viewer and support for dirvish
  • +
  • 4.4.31. Jupyter
  • +
  • 4.4.32. undo-tree
  • +
  • 4.4.33. Hydra
  • +
  • 4.4.34. External Applications
  • +
  • 4.4.35. Email
  • +
  • 4.4.36. Calendar
  • +
  • 4.4.37. Dashboard: emacs startup screen
  • -
  • 5. Yubikey support +
  • 5. Wiki
@@ -378,7 +387,7 @@

    -This file has 40289 words spanning 10434 lines and was last revised on 2024-07-17 02:28:18 +0200.
+This file has 42235 words spanning 11010 lines and was last revised on 2024-07-17 04:32:19 +0200.

    @@ -428,7 +437,7 @@ This section defines my Emacs configuration. For a while, I considered to use ry

    -My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2024-07-17 02:28:18 +0200)
+My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2024-07-17 04:32:19 +0200)

  • @@ -1601,6 +1610,891 @@ No matter what you do, check the initial /etc/nixos/configuration.nix for notabl
      +
    1. Sandbox (Lenovo Y510P)
      +
      +

      +My old laptop, replaced by a new one, since most basic functions have stopped to work lately. However, it is still good as a dummy server for testing things out before having them go live. +

      +
      +
        +
      1. NixOS
        +
        +
        +
        +    { config, pkgs, modulesPath, unstable, sops, ... }: let
        +    matrixDomain = "swatrix.swarsel.win";
        +  in {
        +
        +    imports = [
        +      ./hardware-configuration.nix
        +      # we import here a service that is not available yet on normal nixpkgs
        +      # this module is hence not in the modules list, we add it ourselves
        +      (unstable + "/nixos/modules/services/matrix/mautrix-signal.nix")
        +    ];
        +
        +      boot.loader.grub = {
        +        enable = true;
        +        device = "/dev/sda";
        +        useOSProber = true;
        +      };
        +
        +      users.users.swarsel = {
        +        isNormalUser = true;
        +        description = "Leon S";
        +        extraGroups = [ "networkmanager" "wheel" "lp"];
        +        packages = with pkgs; [];
        +      };
        +
        +  # actual config starts here
        +
        +    fileSystems."/mnt/Eternor" = {
        +      device = "//192.168.1.3/Eternor";
        +      fsType = "cifs";
        +      options = let
        +        # this line prevents hanging on network split
        +        automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
        +      in ["${automount_opts},credentials=/etc/nixos/smb-secrets,uid=1000,gid=100"];
        +    };
        +
        +      environment.systemPackages = with pkgs; [
        +      git
        +      gnupg
        +      ssh-to-age
        +      lego
        +      nginx
        +      calibre
        +      openvpn
        +      jq
        +      iptables
        +      busybox
        +      wireguard-tools
        +      matrix-synapse
        +      lottieconverter
        +      ffmpeg
        +      pciutils
        +      alsa-utils
        +      mpv
        +      zfs
        +      ];
        +
        +      services.xserver = {
        +        layout = "us";
        +        xkbVariant = "altgr-intl";
        +      };
        +
        +      nix.settings.experimental-features = ["nix-command" "flakes"];
        +
        +      services.openssh = {
        +        enable = true;
        +        settings.PermitRootLogin = "yes";
        +        listenAddresses = [{
        +          port = 22;
        +          addr = "0.0.0.0";
        +        }];
        +      };
        +      users.users.root.openssh.authorizedKeys.keyFiles = [
        +        ../../secrets/keys/authorized_keys
        +      ];
        +
        +      system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
        +
        +      environment.shellAliases = {
        +        nswitch = "cd ~/.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
        +      };
        +
        +boot.supportedFilesystems = [ "zfs" ];
        +boot.zfs.forceImportRoot = false;
        +networking.hostId = "8a8ad84a";
        +
        +      networking.hostName = "sandbox"; # Define your hostname.
        +      networking.enableIPv6 = true;
        +      networking.firewall.enable = false;
        +
        +      documentation = {
        +        enable = false;
        +      };
        +
        +    sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
        +    sops.defaultSopsFile = "/root/.dotfiles/secrets/sandbox/secrets.yaml";
        +    sops.validateSopsFiles = false;
        +    sops.secrets.dnstokenfull = {owner="acme";};
        +    sops.templates."certs.secret".content = ''
        +    CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
        +    '';
        +
        +    security.acme = {
        +      acceptTerms = true;
        +      preliminarySelfsigned = false;
        +      defaults.email = "mrswarsel@gmail.com";
        +      defaults.dnsProvider = "cloudflare";
        +      defaults.environmentFile = "${config.sops.templates."certs.secret".path}";
        +    };
        +
        +    services.nginx = {
        +      enable = true;
        +      recommendedProxySettings = true;
        +      recommendedTlsSettings = true;
        +      recommendedOptimisation = true;
        +      recommendedGzipSettings = true;
        +      virtualHosts = {
        +
        +        "stash.swarsel.win" = {
        +          enableACME = true;
        +          forceSSL = true;
        +          acmeRoot = null;
        +          locations = {
        +            "/" = {
        +              proxyPass = "https://192.168.1.5";
        +              extraConfig = ''
        +              client_max_body_size 0;
        +              '';
        +            };
        +            # "/push/" = {
        +              # proxyPass = "http://192.168.2.5:7867";
        +            # };
        +            "/.well-known/carddav" = {
        +              return = "301 $scheme://$host/remote.php/dav";
        +            };
        +            "/.well-known/caldav" = {
        +              return = "301 $scheme://$host/remote.php/dav";
        +            };
        +          };
        +        };
        +
        +        "swatrix.swarsel.win" = {
        +          enableACME = true;
        +          forceSSL = true;
        +          acmeRoot = null;
        +          locations = {
        +            "~ ^(/_matrix|/_synapse/client)" = {
        +              proxyPass = "http://127.0.0.1:8008";
        +              extraConfig = ''
        +                  client_max_body_size 0;
        +                '';
        +            };
        +          };
        +        };
        +
        +
        +          "sound.swarsel.win" = {
        +            enableACME = true;
        +            forceSSL = true;
        +            acmeRoot = null;
        +            locations = {
        +              "/" = {
        +                proxyPass = "http://127.0.0.1:4040";
        +                proxyWebsockets = true;
        +                extraConfig = ''
        +                  proxy_redirect          http:// https://;
        +                  proxy_read_timeout      600s;
        +                  proxy_send_timeout      600s;
        +                  proxy_buffering         off;
        +                  proxy_request_buffering off;
        +                  client_max_body_size    0;
        +                '';
        +              };
        +            };
        +          };
        +
        +          "scan.swarsel.win" = {
        +            enableACME = true;
        +            forceSSL = true;
        +            acmeRoot = null;
        +            locations = {
        +              "/" = {
        +                proxyPass = "http://127.0.0.1:28981";
        +                extraConfig = ''
        +                  client_max_body_size 0;
        +                '';
        +              };
        +            };
        +          };
        +
        +          "screen.swarsel.win" = {
        +            enableACME = true;
        +            forceSSL = true;
        +            acmeRoot = null;
        +            locations = {
        +              "/" = {
        +                proxyPass = "http://127.0.0.1:8096";
        +                extraConfig = ''
        +                  client_max_body_size 0;
        +                '';
        +              };
        +            };
        +          };
        +
        +          "scroll.swarsel.win" = {
        +            enableACME = true;
        +            forceSSL = true;
        +            acmeRoot = null;
        +            locations = {
        +              "/" = {
        +                proxyPass = "http://127.0.0.1:8080";
        +                extraConfig = ''
        +                  client_max_body_size 0;
        +                '';
        +              };
        +            };
        +          };
        +
        +
        +        };
        +      };
        +
        +
        +    sops.secrets.kavita = { owner = "kavita";};
        +
        +    services.kavita = {
        +      enable = true;
        +      user = "kavita";
        +      port = 8080;
        +      tokenKeyFile = config.sops.secrets.kavita.path;
        +    };
        +
        +    users.users.jellyfin = {
        +      extraGroups  = [ "video" "render" ];
        +    };
        +
        +     # nixpkgs.config.packageOverrides = pkgs: {
        +     #   vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
        +     # };
        +
        +     hardware.graphics = {
        +       enable = true;
        +       extraPackages = with pkgs; [
        +         intel-media-driver # LIBVA_DRIVER_NAME=iHD
        +         vaapiIntel         # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
        +         vaapiVdpau
        +         libvdpau-va-gl
        +       ];
        +     };
        +
        +    services.jellyfin = {
        +      enable = true;
        +      user = "jellyfin";
        +      # openFirewall = true; # this works only for the default ports
        +    };
        +
        +                users.groups.vpn = {};
        +
        +                users.users.vpn = {
        +                  isNormalUser = true;
        +                  group = "vpn";
        +                  home = "/home/vpn";
        +                };
        +
        +                boot.kernelModules = [ "tun" ];
        +
        +                services.radarr = {
        +                  enable = true;
        +                };
        +
        +                services.readarr = {
        +                  enable = true;
        +                };
        +                services.sonarr = {
        +                  enable = true;
        +                };
        +                services.lidarr = {
        +                  enable = true;
        +                };
        +                services.prowlarr = {
        +                  enable = true;
        +                };
        +
        +                networking.firewall.extraCommands = ''
        +                sudo iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP
        +                '';
        +                networking.iproute2 = {
        +                  enable = true;
        +                  rttablesExtraConfig = ''
        +                  200     vpn
        +                  '';
        +                };
        +                boot.kernel.sysctl = {
        +                  "net.ipv4.conf.all.rp_filter" = 2;
        +                  "net.ipv4.conf.default.rp_filter" = 2;
        +                  "net.ipv4.conf.enp7s0.rp_filter" = 2;
        +                };
        +                environment.etc = {
        +                  "openvpn/iptables.sh" =
        +                    { source = ../../scripts/server1/iptables.sh;
        +                      mode = "0755";
        +                    };
        +                  "openvpn/update-resolv-conf" =
        +                    { source = ../../scripts/server1/update-resolv-conf;
        +                      mode = "0755";
        +                    };
        +                  "openvpn/routing.sh" =
        +                    { source = ../../scripts/server1/routing.sh;
        +                      mode = "0755";
        +                    };
        +                  "openvpn/ca.rsa.2048.crt" =
        +                    { source = ../../secrets/certs/ca.rsa.2048.crt;
        +                      mode = "0644";
        +                    };
        +                  "openvpn/crl.rsa.2048.pem" =
        +                    { source = ../../secrets/certs/crl.rsa.2048.pem;
        +                      mode = "0644";
        +                    };
        +                };
        +
        +                sops.secrets.vpnuser = {};
        +                sops.secrets.rpcuser = {owner="vpn";};
        +                sops.secrets.vpnpass = {};
        +                sops.secrets.rpcpass = {owner="vpn";};
        +                sops.secrets.vpnprot = {};
        +                sops.secrets.vpnloc = {};
        +                # sops.secrets.crlpem = {};
        +                # sops.secrets.capem = {};
        +                sops.templates."transmission-rpc".owner = "vpn";
        +                sops.templates."transmission-rpc".content = builtins.toJSON {
        +                  rpc-username = config.sops.placeholder.rpcuser;
        +                  rpc-password = config.sops.placeholder.rpcpass;
        +                };
        +
        +                sops.templates.pia.content = ''
        +                ${config.sops.placeholder.vpnuser}
        +                ${config.sops.placeholder.vpnpass}
        +                '';
        +
        +                sops.templates.vpn.content = ''
        +                  client
        +                  dev tun
        +                  proto ${config.sops.placeholder.vpnprot}
        +                  remote ${config.sops.placeholder.vpnloc}
        +                  resolv-retry infinite
        +                  nobind
        +                  persist-key
        +                  persist-tun
        +                  cipher aes-128-cbc
        +                  auth sha1
        +                  tls-client
        +                  remote-cert-tls server
        +
        +                  auth-user-pass ${config.sops.templates.pia.path}
        +                  compress
        +                  verb 1
        +                  reneg-sec 0
        +
        +                  crl-verify /etc/openvpn/crl.rsa.2048.pem
        +                  ca /etc/openvpn/ca.rsa.2048.crt
        +
        +                  disable-occ
        +                '';
        +
        +            services.openvpn.servers = {
        +              pia = {
        +                autoStart = true;
        +                updateResolvConf = false;
        +                config = "config ${config.sops.templates.vpn.path}";
        +              };
        +            };
        +
        +          services.transmission = {
        +            enable = true;
        +            credentialsFile = config.sops.templates."transmission-rpc".path;
        +            user = "vpn";
        +            settings = {
        +
        +            alt-speed-down= 8000;
        +            alt-speed-enabled= false;
        +            alt-speed-time-begin= 0;
        +            alt-speed-time-day= 127;
        +            alt-speed-time-enabled= true;
        +            alt-speed-time-end= 360;
        +            alt-speed-up= 2000;
        +            bind-address-ipv4= "0.0.0.0";
        +            bind-address-ipv6= "::";
        +            blocklist-enabled= false;
        +            blocklist-url= "http://www.example.com/blocklist";
        +            cache-size-mb= 256;
        +            dht-enabled= false;
        +            download-dir= "/test";
        +            download-limit= 100;
        +            download-limit-enabled= 0;
        +            download-queue-enabled= true;
        +            download-queue-size= 5;
        +            encryption= 2;
        +            idle-seeding-limit= 30;
        +            idle-seeding-limit-enabled= false;
        +            incomplete-dir= "/var/lib/transmission-daemon/Downloads";
        +            incomplete-dir-enabled= false;
        +            lpd-enabled= false;
        +            max-peers-global= 200;
        +            message-level= 1;
        +            peer-congestion-algorithm= "";
        +            peer-id-ttl-hours= 6;
        +            peer-limit-global= 100;
        +            peer-limit-per-torrent= 40;
        +            peer-port= 22371;
        +            peer-port-random-high= 65535;
        +            peer-port-random-low= 49152;
        +            peer-port-random-on-start= false;
        +            peer-socket-tos= "default";
        +            pex-enabled= false;
        +            port-forwarding-enabled= false;
        +            preallocation= 1;
        +            prefetch-enabled= true;
        +            queue-stalled-enabled= true;
        +            queue-stalled-minutes= 30;
        +            ratio-limit= 2;
        +            ratio-limit-enabled= false;
        +            rename-partial-files= true;
        +            rpc-authentication-required= true;
        +            rpc-bind-address= "0.0.0.0";
        +            rpc-enabled= true;
        +            rpc-host-whitelist= "";
        +            rpc-host-whitelist-enabled= true;
        +            rpc-port= 9091;
        +            rpc-url= "/transmission/";
        +            rpc-whitelist= "127.0.0.1,192.168.3.2";
        +            rpc-whitelist-enabled= true;
        +            scrape-paused-torrents-enabled= true;
        +            script-torrent-done-enabled= false;
        +            seed-queue-enabled= false;
        +            seed-queue-size= 10;
        +            speed-limit-down= 6000;
        +            speed-limit-down-enabled= true;
        +            speed-limit-up= 500;
        +            speed-limit-up-enabled= true;
        +            start-added-torrents= true;
        +            trash-original-torrent-files= false;
        +            umask= 2;
        +            upload-limit= 100;
        +            upload-limit-enabled= 0;
        +            upload-slots-per-torrent= 14;
        +            utp-enabled= false;
        +            };
        +          };
        +
        +        # services.nginx = {
        +        #       enable = true;
        +        #       virtualHosts = {
        +
        +        #         "192.168.1.192" = {
        +        #           locations = {
        +        #             "/transmission" = {
        +        #               proxyPass = "http://127.0.0.1:9091";
        +        #               extraConfig = ''
        +        #               proxy_set_header Host $host;
        +        #               proxy_set_header X-Real-IP $remote_addr;
        +        #               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        +        #               '';
        +        #             };
        +        #           };
        +        #         };
        +        #       };
        +        # };
        +
        +
        +    # sops.secrets.matrixsharedsecret = {owner="matrix-synapse";};
        +    # sops.templates."matrix_user_register.sh".content = ''
        +    # register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008
        +    # '';
        +    # sops.templates.matrixshared.owner = "matrix-synapse";
        +    # sops.templates.matrixshared.content = ''
        +    # registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret}
        +    # '';
        +    # sops.secrets.mautrixtelegram_as = {owner="matrix-synapse";};
        +    # sops.secrets.mautrixtelegram_hs = {owner="matrix-synapse";};
        +    # sops.secrets.mautrixtelegram_api_id = {owner="matrix-synapse";};
        +    # sops.secrets.mautrixtelegram_api_hash = {owner="matrix-synapse";};
        +    # sops.templates.mautrixtelegram.owner = "matrix-synapse";
        +    # sops.templates.mautrixtelegram.content = ''
        +    # MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as}
        +    # MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs}
        +    # MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id}
        +    # MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash}
        +    # '';
        +
        +
        +
        +
        +    # ----------------
        +    # sops.secrets.mautrixwhatsapp_shared = {owner="matrix-synapse";};
        +    # sops.templates.mautrixwhatsapp.owner = "matrix-synapse";
        +    # sops.templates.mautrixwhatsapp.content = ''
        +    # MAUTRIX_WHATSAPP_BRIDGE_LOGIN_SHARED_SECRET=${config.sops.placeholder.mautrixwhatsapp_shared}
        +    # '';
        +
        +    services.postgresql.enable = true;
        +    services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
        +      CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
        +      CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
        +        TEMPLATE template0
        +        LC_COLLATE = "C"
        +        LC_CTYPE = "C";
        +      CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram';
        +      CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram"
        +        TEMPLATE template0
        +        LC_COLLATE = "C"
        +        LC_CTYPE = "C";
        +      CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';
        +      CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"
        +        TEMPLATE template0
        +        LC_COLLATE = "C"
        +        LC_CTYPE = "C";
        +      CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal';
        +      CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal"
        +        TEMPLATE template0
        +        LC_COLLATE = "C"
        +        LC_CTYPE = "C";
        +    '';
        +
        +    services.matrix-synapse = {
        +      settings.app_service_config_files = [
        +        "/var/lib/matrix-synapse/telegram-registration.yaml"
        +        "/var/lib/matrix-synapse/whatsapp-registration.yaml"
        +        "/var/lib/matrix-synapse/signal-registration.yaml"
        +        "/var/lib/matrix-synapse/doublepuppet.yaml"
        +      ];
        +      enable = false;
        +      settings.server_name = matrixDomain;
        +      settings.public_baseurl = "https://${matrixDomain}";
        +      extraConfigFiles = [
        +        config.sops.templates.matrixshared.path
        +      ];
        +      settings.listeners = [
        +        { port = 8008;
        +          bind_addresses = [ "0.0.0.0" ];
        +          type = "http";
        +          tls = false;
        +          x_forwarded = true;
        +          resources = [
        +            {
        +              names = [ "client" "federation" ];
        +              compress = true;
        +            }
        +          ];
        +        }
        +      ];
        +    };
        +
        +    services.mautrix-telegram = {
        +      enable = false;
        +      environmentFile = config.sops.templates.mautrixtelegram.path;
        +      settings = {
        +        homeserver = {
        +          address = "http://localhost:8008";
        +          domain = matrixDomain;
        +        };
        +        appservice = {
        +          address= "http://localhost:29317";
        +          hostname = "0.0.0.0";
        +          port = "29317";
        +          provisioning.enabled = true;
        +          id = "telegram";
        +          # ephemeral_events = true; # not needed due to double puppeting
        +          public = {
        +            enabled = false;
        +          };
        +          database = "postgresql:///mautrix-telegram?host=/run/postgresql";
        +        };
        +        bridge = {
        +          # login_shared_secret_map = {
        +            # matrixDomain = "as_token:doublepuppet";
        +          # };
        +          relaybot.authless_portals = true;
        +          allow_avatar_remove = true;
        +          allow_contact_info = true;
        +          sync_channel_members = true;
        +          startup_sync = true;
        +          sync_create_limit = 0;
        +          sync_direct_chats = true;
        +          telegram_link_preview = true;
        +          permissions = {
        +            "*" = "relaybot";
        +            "@swarsel:${matrixDomain}" = "admin";
        +          };
        +          # Animated stickers conversion requires additional packages in the
        +          # service's path.
        +          # If this isn't a fresh installation, clearing the bridge's uploaded
        +          # file cache might be necessary (make a database backup first!):
        +          # delete from telegram_file where \
        +          #   mime_type in ('application/gzip', 'application/octet-stream')
        +          animated_sticker = {
        +            target = "gif";
        +            args = {
        +              width = 256;
        +              height = 256;
        +              fps = 30;               # only for webm
        +              background = "020202";  # only for gif, transparency not supported
        +            };
        +          };
        +        };
        +      };
        +    };
        +    # systemd.services.mautrix-telegram.path = with pkgs; [
        +      # lottieconverter  # for animated stickers conversion, unfree package
        +      # ffmpeg           # if converting animated stickers to webm (very slow!)
        +    # ];
        +
        +    services.mautrix-whatsapp = {
        +      enable = false;
        +      # environmentFile = config.sops.templates.mautrixwhatsapp.path;
        +      settings = {
        +        homeserver = {
        +          address = "http://localhost:8008";
        +          domain = matrixDomain;
        +        };
        +        appservice = {
        +          address= "http://localhost:29318";
        +          hostname = "0.0.0.0";
        +          port = 29318;
        +          database = {
        +            type = "postgres";
        +            uri = "postgresql:///mautrix-whatsapp?host=/run/postgresql";
        +          };
        +        };
        +        bridge = {
        +          displayname_template = "{{or .FullName .PushName .JID}} (WA)";
        +          history_sync = {
        +            backfill = true;
        +            max_initial_conversations = -1;
        +            message_count = -1;
        +            request_full_sync = true;
        +            full_sync_config = {
        +              days_limit = 900;
        +              size_mb_limit = 5000;
        +              storage_quota_mb = 5000;
        +            };
        +          };
        +          login_shared_secret_map = {
        +            matrixDomain = "as_token:doublepuppet";
        +          };
        +          sync_manual_marked_unread = true;
        +          send_presence_on_typing = true;
        +          parallel_member_sync = true;
        +          url_previews = true;
        +          caption_in_message = true;
        +          extev_polls = true;
        +          permissions = {
        +            "*" = "relaybot";
        +            "@swarsel:${matrixDomain}" = "admin";
        +          };
        +        };
        +      };
        +    };
        +
        +    services.mautrix-signal = {
        +      enable = false;
        +      # environmentFile = config.sops.templates.mautrixwhatsapp.path;
        +      settings = {
        +        homeserver = {
        +          address = "http://localhost:8008";
        +          domain = matrixDomain;
        +        };
        +        appservice = {
        +
        +          address= "http://localhost:29328";
        +          hostname = "0.0.0.0";
        +          port = 29328;
        +          database = {
        +            type = "postgres";
        +            uri = "postgresql:///mautrix-signal?host=/run/postgresql";
        +          };
        +        };
        +        bridge = {
        +          displayname_template = "{{or .ContactName .ProfileName .PhoneNumber}} (Signal)";
        +          login_shared_secret_map = {
        +            matrixDomain = "as_token:doublepuppet";
        +          };
        +          caption_in_message = true;
        +          permissions = {
        +            "*" = "relaybot";
        +            "@swarsel:${matrixDomain}" = "admin";
        +          };
        +        };
        +      };
        +    };
        +
        +    # restart the bridges daily. this is done for the signal bridge mainly which stops carrying
        +    # messages out after a while.
        +
        +    systemd.timers."restart-bridges" = {
        +      wantedBy = [ "timers.target" ];
        +      timerConfig = {
        +        OnBootSec = "1d";
        +        OnUnitActiveSec = "1d";
        +        Unit = "restart-bridges.service";
        +      };
        +    };
        +
        +    systemd.services."restart-bridges" = {
        +      script = ''
        +      systemctl restart mautrix-whatsapp.service
        +      systemctl restart mautrix-signal.service
        +      systemctl restart mautrix-telegram.service
        +      '';
        +      serviceConfig = {
        +        Type = "oneshot";
        +        User = "root";
        +      };
        +    };
        +
        +
        +    users.groups.navidrome = {
        +      gid = 61593;
        +    };
        +
        +    users.groups.mpd = {};
        +
        +    users.users.navidrome = {
        +      isSystemUser = true;
        +      uid = 61593;
        +      group = "navidrome";
        +      extraGroups  = [ "audio" "utmp" ];
        +    };
        +
        +    users.users.mpd = {
        +      isSystemUser = true;
        +      group = "mpd";
        +      extraGroups  = [ "audio" "utmp" ];
        +    };
        +
        +    sound = {
        +      enable = true;
        +    };
        +
        +    hardware.enableAllFirmware = true;
        +
        +    sops.secrets.mpdpass = { owner = "mpd";};
        +
        +    services.navidrome = {
        +      enable = true;
        +      settings = {
        +        Address = "0.0.0.0";
        +        Port = 4040;
        +        MusicFolder = "/mnt/";
        +        EnableSharing = true;
        +        EnableTranscodingConfig = true;
        +        Scanner.GroupAlbumReleases = true;
        +        ScanSchedule = "@every 24h";
        +        # Insert these values locally as sops-nix does not work for them
        +        # LastFM.ApiKey = TEMPLATE;
        +        # LastFM.Secret = TEMPLATE;
        +        # Spotify.ID = TEMPLATE;
        +        # Spotify.Secret = TEMPLATE;
        +        UILoginBackgroundUrl = "https://i.imgur.com/OMLxi7l.png";
        +        UIWelcomeMessage = "~SwarselSound~";
        +      };
        +    };
        +    services.mpd = {
        +      enable = true;
        +      musicDirectory = "/mnt/Eternor/Musik";
        +      user = "mpd";
        +      group = "mpd";
        +      network = {
        +        port = 3254;
        +        listenAddress = "any";
        +      };
        +      credentials = [
        +        {
        +          passwordFile = config.sops.secrets.mpdpass.path;
        +          permissions = [
        +            "read"
        +            "add"
        +            "control"
        +            "admin"
        +          ];
        +        }
        +      ];
        +    };
        +
        +
        +    users.groups.spotifyd = {
        +      gid = 65136;
        +    };
        +
        +    users.users.spotifyd = {
        +      isSystemUser = true;
        +      uid = 65136;
        +      group = "spotifyd";
        +      extraGroups  = [ "audio" "utmp" ];
        +    };
        +
        +    services.spotifyd = {
        +      enable = true;
        +      settings = {
        +        global = {
        +          dbus_type = "session";
        +          use_mpris = false;
        +          device = "default:CARD=PCH";
        +          device_name = "SwarselSpot";
        +          mixer = "alsa";
        +          zeroconf_port = 1025;
        +        };
        +      };
        +    };
        +
        +      # Network shares
        +      # add a user with sudo smbpasswd -a <user>
        +      services.samba = {
        +        package = pkgs.samba4Full;
        +        extraConfig = ''
        +        workgroup = WORKGROUP
        +        server role = standalone server
        +        dns proxy = no
        +
        +        pam password change = yes
        +        map to guest = bad user
        +        create mask = 0664
        +        force create mode = 0664
        +        directory mask = 0775
        +        force directory mode = 0775
        +        follow symlinks = yes
        +        '';
        +
        +        # ^^ `samba4Full` is compiled with avahi, ldap, AD etc support compared to the default package, `samba`
        +        # Required for samba to register mDNS records for auto discovery
        +        # See https://github.com/NixOS/nixpkgs/blob/592047fc9e4f7b74a4dc85d1b9f5243dfe4899e3/pkgs/top-level/all-packages.nix#L27268
        +        enable = true;
        +        # openFirewall = true;
        +        shares.test = {
        +          browseable = "yes";
        +          "read only" = "no";
        +          "guest ok" = "no";
        +          path = "/test2";
        +          writable = "true";
        +          comment = "Eternor";
        +          "valid users" = "@smbtest2";
        +        };
        +      };
        +
        +
        +      services.avahi = {
        +        publish.enable = true;
        +        publish.userServices = true;
        +        # ^^ Needed to allow samba to automatically register mDNS records without the need for an `extraServiceFile`
        +        nssmdns = true;
        +        # ^^ Not one hundred percent sure if this is needed- if it aint broke, don't fix it
        +  enable = true;
        +      };
        +
        +      services.samba-wsdd = {
        +      # This enables autodiscovery on windows since SMB1 (and thus netbios) support was discontinued
        +        enable = true;
        +      };
        +
        +
        +
        +
        +
        +
        +
        +
        +
        +
        +    }
        +
        +
        +
        +
        +
      2. +
      +
    2. Threed (Surface Pro 3)

      @@ -4611,891 +5505,6 @@ in { } - -

      - -
    3. -
    - -
  • Sandbox (Lenovo Y510P)
    -
    -

    -My laptop, sadly soon to be replaced by a new one, since most basic functions are stopping to work lately. -

    -
    -
      -
    1. NixOS
      -
      -
      -
      -    { config, pkgs, modulesPath, unstable, sops, ... }: let
      -    matrixDomain = "swatrix.swarsel.win";
      -  in {
      -
      -    imports = [
      -      ./hardware-configuration.nix
      -      # we import here a service that is not available yet on normal nixpkgs
      -      # this module is hence not in the modules list, we add it ourselves
      -      (unstable + "/nixos/modules/services/matrix/mautrix-signal.nix")
      -    ];
      -
      -      boot.loader.grub = {
      -        enable = true;
      -        device = "/dev/sda";
      -        useOSProber = true;
      -      };
      -
      -      users.users.swarsel = {
      -        isNormalUser = true;
      -        description = "Leon S";
      -        extraGroups = [ "networkmanager" "wheel" "lp"];
      -        packages = with pkgs; [];
      -      };
      -
      -  # actual config starts here
      -
      -    fileSystems."/mnt/Eternor" = {
      -      device = "//192.168.1.3/Eternor";
      -      fsType = "cifs";
      -      options = let
      -        # this line prevents hanging on network split
      -        automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
      -      in ["${automount_opts},credentials=/etc/nixos/smb-secrets,uid=1000,gid=100"];
      -    };
      -
      -      environment.systemPackages = with pkgs; [
      -      git
      -      gnupg
      -      ssh-to-age
      -      lego
      -      nginx
      -      calibre
      -      openvpn
      -      jq
      -      iptables
      -      busybox
      -      wireguard-tools
      -      matrix-synapse
      -      lottieconverter
      -      ffmpeg
      -      pciutils
      -      alsa-utils
      -      mpv
      -      zfs
      -      ];
      -
      -      services.xserver = {
      -        layout = "us";
      -        xkbVariant = "altgr-intl";
      -      };
      -
      -      nix.settings.experimental-features = ["nix-command" "flakes"];
      -
      -      services.openssh = {
      -        enable = true;
      -        settings.PermitRootLogin = "yes";
      -        listenAddresses = [{
      -          port = 22;
      -          addr = "0.0.0.0";
      -        }];
      -      };
      -      users.users.root.openssh.authorizedKeys.keyFiles = [
      -        ../../secrets/keys/authorized_keys
      -      ];
      -
      -      system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
      -
      -      environment.shellAliases = {
      -        nswitch = "cd ~/.dotfiles; git pull; nixos-rebuild --flake .#$(hostname) switch; cd -;";
      -      };
      -
      -boot.supportedFilesystems = [ "zfs" ];
      -boot.zfs.forceImportRoot = false;
      -networking.hostId = "8a8ad84a";
      -
      -      networking.hostName = "sandbox"; # Define your hostname.
      -      networking.enableIPv6 = true;
      -      networking.firewall.enable = false;
      -
      -      documentation = {
      -        enable = false;
      -      };
      -
      -    sops.age.sshKeyPaths = [ "/etc/ssh/sops" ];
      -    sops.defaultSopsFile = "/root/.dotfiles/secrets/sandbox/secrets.yaml";
      -    sops.validateSopsFiles = false;
      -    sops.secrets.dnstokenfull = {owner="acme";};
      -    sops.templates."certs.secret".content = ''
      -    CF_DNS_API_TOKEN=${config.sops.placeholder.dnstokenfull}
      -    '';
      -
      -    security.acme = {
      -      acceptTerms = true;
      -      preliminarySelfsigned = false;
      -      defaults.email = "mrswarsel@gmail.com";
      -      defaults.dnsProvider = "cloudflare";
      -      defaults.environmentFile = "${config.sops.templates."certs.secret".path}";
      -    };
      -
      -    services.nginx = {
      -      enable = true;
      -      recommendedProxySettings = true;
      -      recommendedTlsSettings = true;
      -      recommendedOptimisation = true;
      -      recommendedGzipSettings = true;
      -      virtualHosts = {
      -
      -        "stash.swarsel.win" = {
      -          enableACME = true;
      -          forceSSL = true;
      -          acmeRoot = null;
      -          locations = {
      -            "/" = {
      -              proxyPass = "https://192.168.1.5";
      -              extraConfig = ''
      -              client_max_body_size 0;
      -              '';
      -            };
      -            # "/push/" = {
      -              # proxyPass = "http://192.168.2.5:7867";
      -            # };
      -            "/.well-known/carddav" = {
      -              return = "301 $scheme://$host/remote.php/dav";
      -            };
      -            "/.well-known/caldav" = {
      -              return = "301 $scheme://$host/remote.php/dav";
      -            };
      -          };
      -        };
      -
      -        "swatrix.swarsel.win" = {
      -          enableACME = true;
      -          forceSSL = true;
      -          acmeRoot = null;
      -          locations = {
      -            "~ ^(/_matrix|/_synapse/client)" = {
      -              proxyPass = "http://127.0.0.1:8008";
      -              extraConfig = ''
      -                  client_max_body_size 0;
      -                '';
      -            };
      -          };
      -        };
      -
      -
      -          "sound.swarsel.win" = {
      -            enableACME = true;
      -            forceSSL = true;
      -            acmeRoot = null;
      -            locations = {
      -              "/" = {
      -                proxyPass = "http://127.0.0.1:4040";
      -                proxyWebsockets = true;
      -                extraConfig = ''
      -                  proxy_redirect          http:// https://;
      -                  proxy_read_timeout      600s;
      -                  proxy_send_timeout      600s;
      -                  proxy_buffering         off;
      -                  proxy_request_buffering off;
      -                  client_max_body_size    0;
      -                '';
      -              };
      -            };
      -          };
      -
      -          "scan.swarsel.win" = {
      -            enableACME = true;
      -            forceSSL = true;
      -            acmeRoot = null;
      -            locations = {
      -              "/" = {
      -                proxyPass = "http://127.0.0.1:28981";
      -                extraConfig = ''
      -                  client_max_body_size 0;
      -                '';
      -              };
      -            };
      -          };
      -
      -          "screen.swarsel.win" = {
      -            enableACME = true;
      -            forceSSL = true;
      -            acmeRoot = null;
      -            locations = {
      -              "/" = {
      -                proxyPass = "http://127.0.0.1:8096";
      -                extraConfig = ''
      -                  client_max_body_size 0;
      -                '';
      -              };
      -            };
      -          };
      -
      -          "scroll.swarsel.win" = {
      -            enableACME = true;
      -            forceSSL = true;
      -            acmeRoot = null;
      -            locations = {
      -              "/" = {
      -                proxyPass = "http://127.0.0.1:8080";
      -                extraConfig = ''
      -                  client_max_body_size 0;
      -                '';
      -              };
      -            };
      -          };
      -
      -
      -        };
      -      };
      -
      -
      -    sops.secrets.kavita = { owner = "kavita";};
      -
      -    services.kavita = {
      -      enable = true;
      -      user = "kavita";
      -      port = 8080;
      -      tokenKeyFile = config.sops.secrets.kavita.path;
      -    };
      -
      -    users.users.jellyfin = {
      -      extraGroups  = [ "video" "render" ];
      -    };
      -
      -     # nixpkgs.config.packageOverrides = pkgs: {
      -     #   vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
      -     # };
      -
      -     hardware.graphics = {
      -       enable = true;
      -       extraPackages = with pkgs; [
      -         intel-media-driver # LIBVA_DRIVER_NAME=iHD
      -         vaapiIntel         # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
      -         vaapiVdpau
      -         libvdpau-va-gl
      -       ];
      -     };
      -
      -    services.jellyfin = {
      -      enable = true;
      -      user = "jellyfin";
      -      # openFirewall = true; # this works only for the default ports
      -    };
      -
      -                users.groups.vpn = {};
      -
      -                users.users.vpn = {
      -                  isNormalUser = true;
      -                  group = "vpn";
      -                  home = "/home/vpn";
      -                };
      -
      -                boot.kernelModules = [ "tun" ];
      -
      -                services.radarr = {
      -                  enable = true;
      -                };
      -
      -                services.readarr = {
      -                  enable = true;
      -                };
      -                services.sonarr = {
      -                  enable = true;
      -                };
      -                services.lidarr = {
      -                  enable = true;
      -                };
      -                services.prowlarr = {
      -                  enable = true;
      -                };
      -
      -                networking.firewall.extraCommands = ''
      -                sudo iptables -A OUTPUT ! -o lo -m owner --uid-owner vpn -j DROP
      -                '';
      -                networking.iproute2 = {
      -                  enable = true;
      -                  rttablesExtraConfig = ''
      -                  200     vpn
      -                  '';
      -                };
      -                boot.kernel.sysctl = {
      -                  "net.ipv4.conf.all.rp_filter" = 2;
      -                  "net.ipv4.conf.default.rp_filter" = 2;
      -                  "net.ipv4.conf.enp7s0.rp_filter" = 2;
      -                };
      -                environment.etc = {
      -                  "openvpn/iptables.sh" =
      -                    { source = ../../scripts/server1/iptables.sh;
      -                      mode = "0755";
      -                    };
      -                  "openvpn/update-resolv-conf" =
      -                    { source = ../../scripts/server1/update-resolv-conf;
      -                      mode = "0755";
      -                    };
      -                  "openvpn/routing.sh" =
      -                    { source = ../../scripts/server1/routing.sh;
      -                      mode = "0755";
      -                    };
      -                  "openvpn/ca.rsa.2048.crt" =
      -                    { source = ../../secrets/certs/ca.rsa.2048.crt;
      -                      mode = "0644";
      -                    };
      -                  "openvpn/crl.rsa.2048.pem" =
      -                    { source = ../../secrets/certs/crl.rsa.2048.pem;
      -                      mode = "0644";
      -                    };
      -                };
      -
      -                sops.secrets.vpnuser = {};
      -                sops.secrets.rpcuser = {owner="vpn";};
      -                sops.secrets.vpnpass = {};
      -                sops.secrets.rpcpass = {owner="vpn";};
      -                sops.secrets.vpnprot = {};
      -                sops.secrets.vpnloc = {};
      -                # sops.secrets.crlpem = {};
      -                # sops.secrets.capem = {};
      -                sops.templates."transmission-rpc".owner = "vpn";
      -                sops.templates."transmission-rpc".content = builtins.toJSON {
      -                  rpc-username = config.sops.placeholder.rpcuser;
      -                  rpc-password = config.sops.placeholder.rpcpass;
      -                };
      -
      -                sops.templates.pia.content = ''
      -                ${config.sops.placeholder.vpnuser}
      -                ${config.sops.placeholder.vpnpass}
      -                '';
      -
      -                sops.templates.vpn.content = ''
      -                  client
      -                  dev tun
      -                  proto ${config.sops.placeholder.vpnprot}
      -                  remote ${config.sops.placeholder.vpnloc}
      -                  resolv-retry infinite
      -                  nobind
      -                  persist-key
      -                  persist-tun
      -                  cipher aes-128-cbc
      -                  auth sha1
      -                  tls-client
      -                  remote-cert-tls server
      -
      -                  auth-user-pass ${config.sops.templates.pia.path}
      -                  compress
      -                  verb 1
      -                  reneg-sec 0
      -
      -                  crl-verify /etc/openvpn/crl.rsa.2048.pem
      -                  ca /etc/openvpn/ca.rsa.2048.crt
      -
      -                  disable-occ
      -                '';
      -
      -            services.openvpn.servers = {
      -              pia = {
      -                autoStart = true;
      -                updateResolvConf = false;
      -                config = "config ${config.sops.templates.vpn.path}";
      -              };
      -            };
      -
      -          services.transmission = {
      -            enable = true;
      -            credentialsFile = config.sops.templates."transmission-rpc".path;
      -            user = "vpn";
      -            settings = {
      -
      -            alt-speed-down= 8000;
      -            alt-speed-enabled= false;
      -            alt-speed-time-begin= 0;
      -            alt-speed-time-day= 127;
      -            alt-speed-time-enabled= true;
      -            alt-speed-time-end= 360;
      -            alt-speed-up= 2000;
      -            bind-address-ipv4= "0.0.0.0";
      -            bind-address-ipv6= "::";
      -            blocklist-enabled= false;
      -            blocklist-url= "http://www.example.com/blocklist";
      -            cache-size-mb= 256;
      -            dht-enabled= false;
      -            download-dir= "/test";
      -            download-limit= 100;
      -            download-limit-enabled= 0;
      -            download-queue-enabled= true;
      -            download-queue-size= 5;
      -            encryption= 2;
      -            idle-seeding-limit= 30;
      -            idle-seeding-limit-enabled= false;
      -            incomplete-dir= "/var/lib/transmission-daemon/Downloads";
      -            incomplete-dir-enabled= false;
      -            lpd-enabled= false;
      -            max-peers-global= 200;
      -            message-level= 1;
      -            peer-congestion-algorithm= "";
      -            peer-id-ttl-hours= 6;
      -            peer-limit-global= 100;
      -            peer-limit-per-torrent= 40;
      -            peer-port= 22371;
      -            peer-port-random-high= 65535;
      -            peer-port-random-low= 49152;
      -            peer-port-random-on-start= false;
      -            peer-socket-tos= "default";
      -            pex-enabled= false;
      -            port-forwarding-enabled= false;
      -            preallocation= 1;
      -            prefetch-enabled= true;
      -            queue-stalled-enabled= true;
      -            queue-stalled-minutes= 30;
      -            ratio-limit= 2;
      -            ratio-limit-enabled= false;
      -            rename-partial-files= true;
      -            rpc-authentication-required= true;
      -            rpc-bind-address= "0.0.0.0";
      -            rpc-enabled= true;
      -            rpc-host-whitelist= "";
      -            rpc-host-whitelist-enabled= true;
      -            rpc-port= 9091;
      -            rpc-url= "/transmission/";
      -            rpc-whitelist= "127.0.0.1,192.168.3.2";
      -            rpc-whitelist-enabled= true;
      -            scrape-paused-torrents-enabled= true;
      -            script-torrent-done-enabled= false;
      -            seed-queue-enabled= false;
      -            seed-queue-size= 10;
      -            speed-limit-down= 6000;
      -            speed-limit-down-enabled= true;
      -            speed-limit-up= 500;
      -            speed-limit-up-enabled= true;
      -            start-added-torrents= true;
      -            trash-original-torrent-files= false;
      -            umask= 2;
      -            upload-limit= 100;
      -            upload-limit-enabled= 0;
      -            upload-slots-per-torrent= 14;
      -            utp-enabled= false;
      -            };
      -          };
      -
      -        # services.nginx = {
      -        #       enable = true;
      -        #       virtualHosts = {
      -
      -        #         "192.168.1.192" = {
      -        #           locations = {
      -        #             "/transmission" = {
      -        #               proxyPass = "http://127.0.0.1:9091";
      -        #               extraConfig = ''
      -        #               proxy_set_header Host $host;
      -        #               proxy_set_header X-Real-IP $remote_addr;
      -        #               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      -        #               '';
      -        #             };
      -        #           };
      -        #         };
      -        #       };
      -        # };
      -
      -
      -    # sops.secrets.matrixsharedsecret = {owner="matrix-synapse";};
      -    # sops.templates."matrix_user_register.sh".content = ''
      -    # register_new_matrix_user -k ${config.sops.placeholder.matrixsharedsecret} http://localhost:8008
      -    # '';
      -    # sops.templates.matrixshared.owner = "matrix-synapse";
      -    # sops.templates.matrixshared.content = ''
      -    # registration_shared_secret: ${config.sops.placeholder.matrixsharedsecret}
      -    # '';
      -    # sops.secrets.mautrixtelegram_as = {owner="matrix-synapse";};
      -    # sops.secrets.mautrixtelegram_hs = {owner="matrix-synapse";};
      -    # sops.secrets.mautrixtelegram_api_id = {owner="matrix-synapse";};
      -    # sops.secrets.mautrixtelegram_api_hash = {owner="matrix-synapse";};
      -    # sops.templates.mautrixtelegram.owner = "matrix-synapse";
      -    # sops.templates.mautrixtelegram.content = ''
      -    # MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=${config.sops.placeholder.mautrixtelegram_as}
      -    # MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=${config.sops.placeholder.mautrixtelegram_hs}
      -    # MAUTRIX_TELEGRAM_TELEGRAM_API_ID=${config.sops.placeholder.mautrixtelegram_api_id}
      -    # MAUTRIX_TELEGRAM_TELEGRAM_API_HASH=${config.sops.placeholder.mautrixtelegram_api_hash}
      -    # '';
      -
      -
      -
      -
      -    # ----------------
      -    # sops.secrets.mautrixwhatsapp_shared = {owner="matrix-synapse";};
      -    # sops.templates.mautrixwhatsapp.owner = "matrix-synapse";
      -    # sops.templates.mautrixwhatsapp.content = ''
      -    # MAUTRIX_WHATSAPP_BRIDGE_LOGIN_SHARED_SECRET=${config.sops.placeholder.mautrixwhatsapp_shared}
      -    # '';
      -
      -    services.postgresql.enable = true;
      -    services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
      -      CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
      -      CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
      -        TEMPLATE template0
      -        LC_COLLATE = "C"
      -        LC_CTYPE = "C";
      -      CREATE ROLE "mautrix-telegram" WITH LOGIN PASSWORD 'telegram';
      -      CREATE DATABASE "mautrix-telegram" WITH OWNER "mautrix-telegram"
      -        TEMPLATE template0
      -        LC_COLLATE = "C"
      -        LC_CTYPE = "C";
      -      CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';
      -      CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"
      -        TEMPLATE template0
      -        LC_COLLATE = "C"
      -        LC_CTYPE = "C";
      -      CREATE ROLE "mautrix-signal" WITH LOGIN PASSWORD 'signal';
      -      CREATE DATABASE "mautrix-signal" WITH OWNER "mautrix-signal"
      -        TEMPLATE template0
      -        LC_COLLATE = "C"
      -        LC_CTYPE = "C";
      -    '';
      -
      -    services.matrix-synapse = {
      -      settings.app_service_config_files = [
      -        "/var/lib/matrix-synapse/telegram-registration.yaml"
      -        "/var/lib/matrix-synapse/whatsapp-registration.yaml"
      -        "/var/lib/matrix-synapse/signal-registration.yaml"
      -        "/var/lib/matrix-synapse/doublepuppet.yaml"
      -      ];
      -      enable = false;
      -      settings.server_name = matrixDomain;
      -      settings.public_baseurl = "https://${matrixDomain}";
      -      extraConfigFiles = [
      -        config.sops.templates.matrixshared.path
      -      ];
      -      settings.listeners = [
      -        { port = 8008;
      -          bind_addresses = [ "0.0.0.0" ];
      -          type = "http";
      -          tls = false;
      -          x_forwarded = true;
      -          resources = [
      -            {
      -              names = [ "client" "federation" ];
      -              compress = true;
      -            }
      -          ];
      -        }
      -      ];
      -    };
      -
      -    services.mautrix-telegram = {
      -      enable = false;
      -      environmentFile = config.sops.templates.mautrixtelegram.path;
      -      settings = {
      -        homeserver = {
      -          address = "http://localhost:8008";
      -          domain = matrixDomain;
      -        };
      -        appservice = {
      -          address= "http://localhost:29317";
      -          hostname = "0.0.0.0";
      -          port = "29317";
      -          provisioning.enabled = true;
      -          id = "telegram";
      -          # ephemeral_events = true; # not needed due to double puppeting
      -          public = {
      -            enabled = false;
      -          };
      -          database = "postgresql:///mautrix-telegram?host=/run/postgresql";
      -        };
      -        bridge = {
      -          # login_shared_secret_map = {
      -            # matrixDomain = "as_token:doublepuppet";
      -          # };
      -          relaybot.authless_portals = true;
      -          allow_avatar_remove = true;
      -          allow_contact_info = true;
      -          sync_channel_members = true;
      -          startup_sync = true;
      -          sync_create_limit = 0;
      -          sync_direct_chats = true;
      -          telegram_link_preview = true;
      -          permissions = {
      -            "*" = "relaybot";
      -            "@swarsel:${matrixDomain}" = "admin";
      -          };
      -          # Animated stickers conversion requires additional packages in the
      -          # service's path.
      -          # If this isn't a fresh installation, clearing the bridge's uploaded
      -          # file cache might be necessary (make a database backup first!):
      -          # delete from telegram_file where \
      -          #   mime_type in ('application/gzip', 'application/octet-stream')
      -          animated_sticker = {
      -            target = "gif";
      -            args = {
      -              width = 256;
      -              height = 256;
      -              fps = 30;               # only for webm
      -              background = "020202";  # only for gif, transparency not supported
      -            };
      -          };
      -        };
      -      };
      -    };
      -    # systemd.services.mautrix-telegram.path = with pkgs; [
      -      # lottieconverter  # for animated stickers conversion, unfree package
      -      # ffmpeg           # if converting animated stickers to webm (very slow!)
      -    # ];
      -
      -    services.mautrix-whatsapp = {
      -      enable = false;
      -      # environmentFile = config.sops.templates.mautrixwhatsapp.path;
      -      settings = {
      -        homeserver = {
      -          address = "http://localhost:8008";
      -          domain = matrixDomain;
      -        };
      -        appservice = {
      -          address= "http://localhost:29318";
      -          hostname = "0.0.0.0";
      -          port = 29318;
      -          database = {
      -            type = "postgres";
      -            uri = "postgresql:///mautrix-whatsapp?host=/run/postgresql";
      -          };
      -        };
      -        bridge = {
      -          displayname_template = "{{or .FullName .PushName .JID}} (WA)";
      -          history_sync = {
      -            backfill = true;
      -            max_initial_conversations = -1;
      -            message_count = -1;
      -            request_full_sync = true;
      -            full_sync_config = {
      -              days_limit = 900;
      -              size_mb_limit = 5000;
      -              storage_quota_mb = 5000;
      -            };
      -          };
      -          login_shared_secret_map = {
      -            matrixDomain = "as_token:doublepuppet";
      -          };
      -          sync_manual_marked_unread = true;
      -          send_presence_on_typing = true;
      -          parallel_member_sync = true;
      -          url_previews = true;
      -          caption_in_message = true;
      -          extev_polls = true;
      -          permissions = {
      -            "*" = "relaybot";
      -            "@swarsel:${matrixDomain}" = "admin";
      -          };
      -        };
      -      };
      -    };
      -
      -    services.mautrix-signal = {
      -      enable = false;
      -      # environmentFile = config.sops.templates.mautrixwhatsapp.path;
      -      settings = {
      -        homeserver = {
      -          address = "http://localhost:8008";
      -          domain = matrixDomain;
      -        };
      -        appservice = {
      -
      -          address= "http://localhost:29328";
      -          hostname = "0.0.0.0";
      -          port = 29328;
      -          database = {
      -            type = "postgres";
      -            uri = "postgresql:///mautrix-signal?host=/run/postgresql";
      -          };
      -        };
      -        bridge = {
      -          displayname_template = "{{or .ContactName .ProfileName .PhoneNumber}} (Signal)";
      -          login_shared_secret_map = {
      -            matrixDomain = "as_token:doublepuppet";
      -          };
      -          caption_in_message = true;
      -          permissions = {
      -            "*" = "relaybot";
      -            "@swarsel:${matrixDomain}" = "admin";
      -          };
      -        };
      -      };
      -    };
      -
      -    # restart the bridges daily. this is done for the signal bridge mainly which stops carrying
      -    # messages out after a while.
      -
      -    systemd.timers."restart-bridges" = {
      -      wantedBy = [ "timers.target" ];
      -      timerConfig = {
      -        OnBootSec = "1d";
      -        OnUnitActiveSec = "1d";
      -        Unit = "restart-bridges.service";
      -      };
      -    };
      -
      -    systemd.services."restart-bridges" = {
      -      script = ''
      -      systemctl restart mautrix-whatsapp.service
      -      systemctl restart mautrix-signal.service
      -      systemctl restart mautrix-telegram.service
      -      '';
      -      serviceConfig = {
      -        Type = "oneshot";
      -        User = "root";
      -      };
      -    };
      -
      -
      -    users.groups.navidrome = {
      -      gid = 61593;
      -    };
      -
      -    users.groups.mpd = {};
      -
      -    users.users.navidrome = {
      -      isSystemUser = true;
      -      uid = 61593;
      -      group = "navidrome";
      -      extraGroups  = [ "audio" "utmp" ];
      -    };
      -
      -    users.users.mpd = {
      -      isSystemUser = true;
      -      group = "mpd";
      -      extraGroups  = [ "audio" "utmp" ];
      -    };
      -
      -    sound = {
      -      enable = true;
      -    };
      -
      -    hardware.enableAllFirmware = true;
      -
      -    sops.secrets.mpdpass = { owner = "mpd";};
      -
      -    services.navidrome = {
      -      enable = true;
      -      settings = {
      -        Address = "0.0.0.0";
      -        Port = 4040;
      -        MusicFolder = "/mnt/";
      -        EnableSharing = true;
      -        EnableTranscodingConfig = true;
      -        Scanner.GroupAlbumReleases = true;
      -        ScanSchedule = "@every 24h";
      -        # Insert these values locally as sops-nix does not work for them
      -        # LastFM.ApiKey = TEMPLATE;
      -        # LastFM.Secret = TEMPLATE;
      -        # Spotify.ID = TEMPLATE;
      -        # Spotify.Secret = TEMPLATE;
      -        UILoginBackgroundUrl = "https://i.imgur.com/OMLxi7l.png";
      -        UIWelcomeMessage = "~SwarselSound~";
      -      };
      -    };
      -    services.mpd = {
      -      enable = true;
      -      musicDirectory = "/mnt/Eternor/Musik";
      -      user = "mpd";
      -      group = "mpd";
      -      network = {
      -        port = 3254;
      -        listenAddress = "any";
      -      };
      -      credentials = [
      -        {
      -          passwordFile = config.sops.secrets.mpdpass.path;
      -          permissions = [
      -            "read"
      -            "add"
      -            "control"
      -            "admin"
      -          ];
      -        }
      -      ];
      -    };
      -
      -
      -    users.groups.spotifyd = {
      -      gid = 65136;
      -    };
      -
      -    users.users.spotifyd = {
      -      isSystemUser = true;
      -      uid = 65136;
      -      group = "spotifyd";
      -      extraGroups  = [ "audio" "utmp" ];
      -    };
      -
      -    services.spotifyd = {
      -      enable = true;
      -      settings = {
      -        global = {
      -          dbus_type = "session";
      -          use_mpris = false;
      -          device = "default:CARD=PCH";
      -          device_name = "SwarselSpot";
      -          mixer = "alsa";
      -          zeroconf_port = 1025;
      -        };
      -      };
      -    };
      -
      -      # Network shares
      -      # add a user with sudo smbpasswd -a <user>
      -      services.samba = {
      -        package = pkgs.samba4Full;
      -        extraConfig = ''
      -        workgroup = WORKGROUP
      -        server role = standalone server
      -        dns proxy = no
      -
      -        pam password change = yes
      -        map to guest = bad user
      -        create mask = 0664
      -        force create mode = 0664
      -        directory mask = 0775
      -        force directory mode = 0775
      -        follow symlinks = yes
      -        '';
      -
      -        # ^^ `samba4Full` is compiled with avahi, ldap, AD etc support compared to the default package, `samba`
      -        # Required for samba to register mDNS records for auto discovery
      -        # See https://github.com/NixOS/nixpkgs/blob/592047fc9e4f7b74a4dc85d1b9f5243dfe4899e3/pkgs/top-level/all-packages.nix#L27268
      -        enable = true;
      -        # openFirewall = true;
      -        shares.test = {
      -          browseable = "yes";
      -          "read only" = "no";
      -          "guest ok" = "no";
      -          path = "/test2";
      -          writable = "true";
      -          comment = "Eternor";
      -          "valid users" = "@smbtest2";
      -        };
      -      };
      -
      -
      -      services.avahi = {
      -        publish.enable = true;
      -        publish.userServices = true;
      -        # ^^ Needed to allow samba to automatically register mDNS records without the need for an `extraServiceFile`
      -        nssmdns = true;
      -        # ^^ Not one hundred percent sure if this is needed- if it aint broke, don't fix it
      -  enable = true;
      -      };
      -
      -      services.samba-wsdd = {
      -      # This enables autodiscovery on windows since SMB1 (and thus netbios) support was discontinued
      -        enable = true;
      -      };
      -
      -
      -
      -
      -
      -
      -
      -
      -
      -
      -    }
      -
       
      @@ -5565,8 +5574,8 @@ nix.settings.experimental-features = ["nix-command" "flakes"];
    2. -
    3. Make users non-mutable
      -
      +
    4. Make users non-mutable
      +

      This ensures that all user-configuration happens here in the config file.

      @@ -5647,8 +5656,8 @@ security.polkit.enable = true;
    5. -
    6. Enable automatic garbage collection
      -
      +
    7. Enable automatic garbage collection
      +

      The nix store fills up over time, until /boot/efi is filled. This snippet cleans it automatically on a weekly basis.

      @@ -5666,8 +5675,8 @@ nix.gc = {
    8. -
    9. Enable automatic store optimisation
      -
      +
    10. Enable automatic store optimisation
      +

      This enables hardlinking identical files in the nix store, to save on disk space. I have read this incurs a significant I/O overhead, I need to keep an eye on this.

      @@ -11223,11 +11232,9 @@ Also, Emacs needs a little extra love to accept my Yubikey for git commits etc.
      - - -
      -

      5. Yubikey support

      -
      +
      +

      4.4.14. Yubikey support

      +

      The following settings are needed to make sure emacs works for magit commits and pushes. It is not a beautiful solution since commiting uses pinentry-emacs and pushing uses pinentry-gtk2, but it works for now at least.

      @@ -11244,8 +11251,9 @@ The following settings are needed to make sure emacs works for magit commits and
      +
      -

      5.0.1. Forge

      +

      4.4.15. Forge

      NOTE: Make sure to configure a GitHub token before using this package! @@ -11283,7 +11291,7 @@ NOTE: Make sure to configure a GitHub token before using this package!

      -

      5.0.2. git-timemachine

      +

      4.4.16. git-timemachine

      This is just a nice utility to browse different versions of a file of a git project within Emacs. @@ -11300,7 +11308,7 @@ This is just a nice utility to browse different versions of a file of a git proj

      -

      5.0.3. Delimiters (brackets): rainbow-delimiters, highlight-parentheses

      +

      4.4.17. Delimiters (brackets): rainbow-delimiters, highlight-parentheses

      • rainbow-delimiters colors all delimiters, also ones not in current selection
      • @@ -11343,7 +11351,7 @@ I am not completely sure on electric-pair-mode yet, sometimes it is very helpful
      -

      5.0.4. rainbow-mode

      +

      4.4.18. rainbow-mode

      Complimentary to the delimiters-packages above, this package sets the background color of the delimiters, which makes it easier to see at a glance where we are in a delimiter-tree. @@ -11359,7 +11367,7 @@ Complimentary to the delimiters-packages above, this package sets the background

      -

      5.0.5. Corfu

      +

      4.4.19. Corfu

      -

      5.0.7. rust

      +

      4.4.21. rust

      This sets up rustic-mode with tree-sitter support - there is still one issue to iron out with automatic adding of dependency crates, but everything else works fine now. @@ -11509,7 +11517,7 @@ This sets up rustic-mode with tree-sitter support - there is still one issue to

      -

      5.0.8. Tramp

      +

      4.4.22. Tramp

      Tramp allows for SSH access of files over Emacs. I have no ideas what the options here mean, but this is a recommended configuration that I found (sadly I lost the link). I need to research more what these options really do. @@ -11547,7 +11555,7 @@ Tramp allows for SSH access of files over Emacs. I have no ideas what the option

      -

      5.0.9. diff-hl

      +

      4.4.23. diff-hl

      This is a simple highlighting utility that uses the margin to visually show the differences since the last git commit. @@ -11569,7 +11577,7 @@ This is a simple highlighting utility that uses the margin to visually show the

      -

      5.0.10. Commenting

      +

      4.4.24. Commenting

      This package allows for swift commenting out and in of code snippets. For some reason, it is a bit broken in my config, as it sometimes comments out too much, sometimes too little, and sometimes it splits lines during commenting. Also, in org-mode when inside a src-block, it often times jumps to the top of the block. @@ -11589,7 +11597,7 @@ Still, this is avery convenient package.

      -

      5.0.11. yasnippet

      +

      4.4.25. yasnippet

      yasnippet allows to define snippets that can be quickly expanded by hitting the TAB key after inputting a keyword. @@ -11676,7 +11684,7 @@ The following block is mostly inspired from -

      5.0.12. eglot

      +

      4.4.26. eglot

      After having tried out lsp-mode and lsp-bridge for a while each, I must say that eglot feels the most clean and fast to me. @@ -11718,7 +11726,7 @@ After having tried out lsp-mode and lsp-bridge for a w

      -

      5.0.13. Breadcrumb

      +

      4.4.27. Breadcrumb

      This simple shows the path to the current file on the top of the buffer - I just think it looks kind of neat, even though it is not extremely useful :) @@ -11734,7 +11742,7 @@ This simple shows the path to the current file on the top of the buffer - I just

      -

      5.0.14. Prevent breaking of hardlinks

      +

      4.4.28. Prevent breaking of hardlinks

      This setting ensures that hard links are preserved during the backup process, which is useful for maintaining the integrity of files that are linked in multiple locations. @@ -11749,7 +11757,7 @@ This setting ensures that hard links are preserved during the backup process, wh

      -

      5.0.15. Dirvish

      +

      4.4.29. Dirvish

      Dirvish is an improvement upon the dired-framework and has more features like file preview etc. Sadly it has an incompatibility with openwith which is why I have disabled that package. @@ -11813,7 +11821,7 @@ Dirvish is an improvement upon the dired-framework and has more features like fi

      -

      5.0.16. pdf-tools: pdf-viewer and support for dirvish

      +

      4.4.30. pdf-tools: pdf-viewer and support for dirvish

      This enables pdf-previewing in dirvish and gives a much better pdf-viewer than is shipped normally by emacs. @@ -11832,7 +11840,7 @@ This enables pdf-previewing in dirvish and gives a much better pdf-viewer than i

      -

      5.0.17. Jupyter

      +

      4.4.31. Jupyter

      This is a jupyter client. Using it is a bit cumbersome though, so I have not fully explored all features. @@ -11847,7 +11855,7 @@ This is a jupyter client. Using it is a bit cumbersome though, so I have not ful

      -

      5.0.18. undo-tree

      +

      4.4.32. undo-tree

      Base emacs undo logic is very useful, but not easy to understand for me. I prefer undo-tree, which makes switching between branches easier and also allows quickly switching back to a much older state using the visualizer. @@ -11886,7 +11894,7 @@ While we are at it, we are also setting up a persistent undo-file for every file

      -

      5.0.19. Hydra

      +

      4.4.33. Hydra

      Hydra allows for the writing of macro-style functions. I have not yet looked into this all too much, but it seems to be a potent feature. @@ -11923,7 +11931,7 @@ I only wrote this in order to try out hydra; rarely do I really need this. Howev

    -

    5.0.20. External Applications

    +

    4.4.34. External Applications

      @@ -12072,7 +12080,7 @@ This section is here to make Anki usable from within Emacs - an endeavour that I
    -

    5.0.21. Email

    +

    4.4.35. Email

      @@ -12182,7 +12190,7 @@ This adds the simple utility of sending desktop notifications whenever a new mai
    -

    5.0.22. Calendar

    +

    4.4.36. Calendar

    This provides a beautiful calender to emacs. @@ -12249,7 +12257,7 @@ Yes, I am aware that I am exposing my university-calendar to the public here. I

    -

    5.0.23. Dashboard: emacs startup screen

    +

    4.4.37. Dashboard: emacs startup screen

    This sets up the dashboard, which is really quite useless. But, it looks cool and makes me happy whenever I start an emacsclient without a file name as argument :) @@ -12323,9 +12331,625 @@ This sets up the dashboard, which is really quite useless. But, it

    +
    +

    5. Wiki

    +
    +

    +This houses a few configuration snippets that might be useful if you are new to the nix ecosystem. It will be infrequently updated as I come across things that I deem to be interesting to such a reader. Also, interesting configuration tricks will move here if I happen to obsolete them in my main configuration. +

    +
    +
    +

    5.1. Importing a NixOS module that is not in nixpkgs

    +
    +

    +This requires changes in multiple locations. As an example we will use an early version of the mautrix-signal module by Niklas Korz. +

    + +
      +
    1. +Add the module source to flake.nix: +

      + +
      +
      {
      +  inputs = {
      +    [...]
      +      # provides expressions for mautrix-signal
      +      nixpkgs-mautrix-signal ={
      +      url = github:niklaskorz/nixpkgs/nixos-23.11-mautrix-signal;
      +    };
      +    [...]
      +  };
      +
      +  outputs = inputs@{
      +    self,
      +      [...]
      +        nixpkgs-mautrix-signal,
      +      [...]
      +  }: let
      +    [...]
      +      pkgsmautrix = import nixpkgs-mautrix-signal { inherit system;
      +                                                    config.allowUnfree = true;
      +                                                  };
      +    [...]
      +  in {
      +    nixosConfigurations = {
      +      matrix = nixpkgs.lib.nixosSystem {
      +        pkgs = pkgsmautrix;
      +        # this is to import a service module that is not on nixpkgs
      +        # this way avoids infinite recursion errors
      +        specialArgs.unstable = nixpkgs-mautrix-signal;
      +        modules = [
      +          [...]
      +        ];
      +      };
      +    };
      +  }
      +}
      +
      +
      +
    2. + +
    3. +Import the module in the configuration (configuration.nix) +

      + +
      +
      +[...]
      +  imports = [
      +  [...]
      +  (unstable + "/nixos/modules/services/matrix/mautrix-signal.nix")
      +];
      +
      +[...]
      +
      +
    4. +
    +
    +
    +
    +

    5.2. Build a firefox addon

    +
    +
      +
    1. app id can be found in the manifest.json file of the .xpi (.xpi is just a normal archive)
    2. +
    3. url can be found by copy url of the "add extension" button on the addon page
    4. +
    5. +the rest of the information is also found in the manifest.json, but might not be needed +

      + +

      +In configuration.nix: +

    6. +
    + +
    +
    programs.firefox = {
    +  [...]
    +   profiles.default = {
    +     [...]
    +     extensions = with pkgs.nur.repos.rycee.firefox-addons; [
    +       [...]
    +       (buildFirefoxXpiAddon {
    +         pname = ":emoji:";
    +         version = "0.1.3";
    +         addonId = "gonelf@gmail.com";
    +         url = "https://addons.mozilla.org/firefox/downloads/file/3365324/emojidots-0.1.3.xpi";
    +         sha256 = "4f7cc25c478fe52eb82f37c9ff4978dcaa3f95020398c5b184e517f6efa2c201";
    +         meta = with lib;
    +           {
    +             description = "emoji autocomplete anywhere on the internet";
    +             mozPermissions = [ "https://gist.githubusercontent.com/gonelf/d8ae3ccb7902b501c4a5dd625d4089da/raw/5eeda197ba92f8c8139e846a1225d5640077e06f/emoji_pretty.json" "tabs" "storage"];
    +             platforms = platforms.all;
    +           };
    +       })
    + [...]
    +
    +
    +
    +
    +
    +

    5.3. Define shell utility as package

    +
    +

    +In configuration.nix (or home.nix): +

    + +
    +
    +home.packages = with pkgs; [ # or for NixOS environment.systemPackages = with pkgs; [
    +  [...]
    +  (pkgs.writeShellApplication {
    +      name = "pass-fuzzel";
    +      runtimeInputs = [ pkgs.pass pkgs.fuzzel ];
    +      text = ''
    +       shopt -s nullglob globstar
    +
    +       typeit=0
    +       if [[ $# -ge 1 && $1 == "--type" ]]; then
    +         typeit=1
    +         shift
    +       fi
    +
    +       export PASSWORD_STORE_DIR=~/.local/share/password-store
    +       prefix=''${PASSWORD_STORE_DIR-~/.local/share/password-store}
    +       password_files=( "$prefix"/**/*.gpg )
    +       password_files=( "''${password_files[@]#"$prefix"/}" )
    +       password_files=( "''${password_files[@]%.gpg}" )
    +
    +       password=$(printf '%s\n' "''${password_files[@]}" | fuzzel --dmenu "$@")
    +
    +       [[ -n $password ]] || exit
    +
    +       if [[ $typeit -eq 0 ]]; then
    +         pass show -c "$password" &>/tmp/pass-fuzzel
    +       else
    +         pass show "$password" | { IFS= read -r pass; printf %s "$pass"; } | wtype -
    +       fi
    +       notify-send -u critical -a pass -t 1000 "Copied/Typed Password"
    +     '';
    +    })
    +
    +  [...]
    +
    +
    +
    +
    +
    +
    +

    5.4. Add program with prebuild binaries to nix store

    +
    +

    +In configuration.nix: +

    + +
    +
    +home.packages = with pkgs; [ # or for NixOS environment.systemPackages = with pkgs; [
    +  [...]
    +   (stdenv.mkDerivation {
    +    name = "oama";
    +
    +    src = pkgs.fetchurl {
    +        name = "oama";
    +        url = "https://github.com/pdobsan/oama/releases/download/0.13.1/oama-0.13.1-Linux-x86_64-static.tgz";
    +        sha256 = "sha256-OTdCObVfnMPhgZxVtZqehgUXtKT1iyqozdkPIV+i3Gc=";
    +    };
    +
    +    phases = [
    +      "unpackPhase"
    +    ];
    +
    +    unpackPhase = ''
    +    mkdir -p $out/bin
    +    tar xvf $src -C $out/
    +    mv $out/oama-0.13.1-Linux-x86_64-static/oama $out/bin/
    +    '';
    +
    +})
    +
    +  [...]
    +
    +
    +
    +
    +
    +
    +

    5.6. let-block for overriding a package in nixpkgs (here: replacing airsonic with airsonic-advanced)

    +
    +

    +This can be useful if a module does not let you use your own package yourself. +

    + +

    +In flake.nix: +

    + +
    +
    +pkgs = import nixpkgs { inherit system;
    +                        overlays = [ emacs-overlay.overlay
    +                                     nur.overlay
    +                                     nixgl.overlay
    +                                     (self: super: {
    +                                       airsonic = super.airsonic.overrideAttrs (_: rec {
    +                                         version = "11.0.2-kagemomiji";
    +                                         name = "airsonic-advanced-${version}";
    +                                         src = super.fetchurl {
    +                                           url = "https://github.com/kagemomiji/airsonic-advanced/releases/download/11.0.2/airsonic.war";
    +                                           sha256 = "PgErtEizHraZgoWHs5jYJJ5NsliDd9VulQfS64ackFo=";
    +                                         };
    +                                       });
    +                                     })
    +                                   ];
    +                        config.allowUnfree = true;
    +                      };
    +
    +
    +
    +
    +
    +
    +

    5.7. Reference configurations

    +
    +

    +Configurations that I have retired or are there for the general study. +

    +
    +
    +

    5.7.1. non-nixos

    +
    +

    +My Surface Pro 3, only used for on-the-go university work. Be careful when pushing large changes to this machine, as it easily runs out of memory on large switches. At the moment the only machine running non-NixOS, so special care must be taken not to break this one during updates. +

    +
    +
      +
    1. Channel setup
      +
      +

      +This installs nixGL, which is needed to run GL apps installed through home-manager, since this machine is not using NixOS. +

      + +

      +This is not super clean (because it is not fully replicative), but I do not really care. +

      + +
        +
      1. Install nixGL:
      2. +
      + +
      +
      nix-channel --add https://github.com/guibou/nixGL/archive/main.tar.gz nixgl && nix-channel --update
      +  nix-env -iA nixgl.auto.nixGLDefault   # or replace `nixGLDefault` with your desired wrapper
      +
      +
      + +

      +This is needed in order to use EGL. Prefix programs that use it with `nixGL` +

      +
      +
    2. +
    3. Home manager
      +
      +

      +Special things to note here: We are running xcape to allow CAPS to act as CTRL and ESC. Also we are using nixGL in most places. +

      + +
      +
      +{ config, pkgs, lib, fetchFromGitHub, ... }:
      +
      +{
      +  programs.home-manager.enable = true;
      +  home.username = "leons";
      +  home.homeDirectory = "/home/leons";
      +
      +  home.stateVersion = "23.05"; # Please read the comment before changing.
      +
      +   stylix.image = ../../wallpaper/surfacewp.png;
      +  <<theme>>
      +
      +  nixpkgs = {
      +    config = {
      +      allowUnfree = true;
      +      allowUnfreePredicate = (_: true);
      +    };
      +  };
      +  services.xcape = {
      +    enable = true;
      +    mapExpression = {
      +      Control_L = "Escape";
      +    };
      +  };
      +  #keyboard config
      +  home.keyboard.layout = "us";
      +
      +  sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" ];
      +
      +  # waybar config
      +  programs.waybar.settings.mainBar.cpu.format = "{icon0} {icon1} {icon2} {icon3}";
      +
      +  programs.waybar.settings.mainBar.temperature.hwmon-path = "/sys/devices/platform/coretemp.0/hwmon/hwmon3/temp3_input";
      +  programs.waybar.settings.mainBar.modules-right = ["custom/outer-left-arrow-dark" "mpris" "custom/left-arrow-light"
      +                                                    "network"
      +                                                    "custom/left-arrow-dark"
      +                                                    "pulseaudio"
      +                                                    "custom/left-arrow-light"
      +                                                    "battery"
      +                                                    "custom/left-arrow-dark"
      +                                                    "temperature"
      +                                                    "custom/left-arrow-light"
      +                                                    "disk"
      +                                                    "custom/left-arrow-dark"
      +                                                    "memory"
      +                                                    "custom/left-arrow-light"
      +                                                    "cpu"
      +                                                    "custom/left-arrow-dark"
      +                                                    "tray"
      +                                                    "custom/left-arrow-light"
      +                                                    "clock#2"
      +                                                    "custom/left-arrow-dark"
      +                                                    "clock#1" ];
      +  services.blueman-applet.enable = true;
      +  home.packages = with pkgs; [
      +    # nixgl.auto.nixGLDefault
      +    evince
      +    # nodejs_20
      +
      +    # messaging
      +    # we use gomuks for RAM preservation, but keep schildi around for files and images
      +  ];
      +
      +  programs.zsh.initExtra = "
      +export GPG_TTY=\"$(tty)\"
      +export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
      +gpgconf --launch gpg-agent
      +      ";
      +
      +  # sway config
      +  wayland.windowManager.sway= {
      +    config = rec {
      +      input = {
      +        "*" = {
      +          xkb_layout = "us";
      +          xkb_options = "ctrl:nocaps,grp:win_space_toggle";
      +          xkb_variant = "altgr-intl";
      +        };
      +        "type:touchpad" = {
      +          dwt = "enabled";
      +          tap = "enabled";
      +          natural_scroll = "enabled";
      +          middle_emulation = "enabled";
      +        };
      +      };
      +
      +      output = {
      +        eDP-1 = {
      +          mode = "2160x1440@59.955Hz";
      +          scale = "1";
      +          bg = "~/.dotfiles/wallpaper/surfacewp.png fill";
      +        };
      +      };
      +
      +      keybindings = let
      +        modifier = config.wayland.windowManager.sway.config.modifier;
      +      in {
      +        "${modifier}+F2"  = "exec brightnessctl set +5%";
      +        "${modifier}+F1"= "exec brightnessctl set 5%-";
      +        "${modifier}+n" = "exec sway output eDP-1 transform normal, splith";
      +        "${modifier}+Ctrl+p" = "exec nixGL wl-mirror eDP-1";
      +        "${modifier}+t" = "exec sway output eDP-1 transform 90, splitv";
      +        "${modifier}+XF86AudioLowerVolume" = "exec grim -g \"$(slurp)\" -t png - | wl-copy -t image/png";
      +        "${modifier}+XF86AudioRaiseVolume" = "exec grim -g \"$(slurp)\" -t png - | wl-copy -t image/png";
      +        "${modifier}+w" = "exec \"bash ~/.dotfiles/scripts/checkgomuks.sh\"";
      +      };
      +
      +      startup = [
      +        { command = "sleep 60 && nixGL nextcloud --background";}
      +        # { command = "sleep 60 && nixGL spotify";}
      +        { command = "sleep 60 && nixGL discord --start-minimized -enable-features=UseOzonePlatform -ozone-platform=wayland";}
      +        # { command = "sleep 60 && nixGL schildichat-desktop --hidden";}
      +        { command = "sleep 60 && nixGL syncthingtray --wait"; }
      +        { command = "sleep 60 && ANKI_WAYLAND=1 nixGL anki";}
      +        { command = "nm-applet --indicator";}
      +        { command = "sleep 60 && OBSIDIAN_USE_WAYLAND=1 nixGL obsidian -enable-features=UseOzonePlatform -ozone-platform=wayland";}
      +      ];
      +
      +      keycodebindings = {
      +        "124" = "exec systemctl suspend";
      +      };
      +    };
      +
      +    extraConfig = "
      +    exec swaymsg input 7062:6917:NTRG0001:01_1B96:1B05 map_to_output eDP-1
      +    exec swaymsg input 7062:6917:NTRG0001:01_1B96:1B05_Stylus map_to_output eDP-1
      +    ";
      +  };
      +}
      +
      +
      +
      +
      +
    4. +
    +
    +
    +

    5.7.2. nixos

    +
    +
    +
      +
    1. Onett (Lenovo Y510P)
      +
      +

      +My laptop, sadly soon to be replaced by a new one, since most basic functions are stopping to work lately. +

      +
      +
        +
      1. NixOS
        +
        +
        +
        +{ config, lib, pkgs, inputs, ... }:
        +
        +{
        +
        +  <<wrap>>
        +
        +  services = {
        +    greetd.settings.initial_session.user ="swarsel";
        +    xserver.videoDrivers = ["nvidia"];
        +  };
        +
        +
        +  hardware = {
        +    nvidia = {
        +      modesetting.enable = true;
        +      powerManagement.enable = true;
        +      prime = {
        +        intelBusId = "PCI:0:2:0";
        +        nvidiaBusId = "PCI:1:0:0";
        +        sync.enable = true;
        +      };
        +    };
        +    pulseaudio.configFile = pkgs.runCommand "default.pa" {} ''
        +                 sed 's/module-udev-detect$/module-udev-detect tsched=0/' \
        +                   ${pkgs.pulseaudio}/etc/pulse/default.pa > $out
        +                 '';
        +    bluetooth.enable = true;
        +  };
        +
        +  stylix.image = ../../wallpaper/lenovowp.png;
        +  <<theme>>
        +
        +  boot.loader.grub = {
        +    enable = true;
        +    device = "/dev/sda";
        +    useOSProber = true;
        +  };
        +
        +  networking.hostName = "onett"; # Define your hostname.
        +  networking.enableIPv6 = false;
        +
        +  users.users.swarsel = {
        +    isNormalUser = true;
        +    description = "Leon S";
        +    extraGroups = [ "networkmanager" "wheel" "lp"];
        +    packages = with pkgs; [];
        +  };
        +
        +  system.stateVersion = "23.05"; # Did you read the comment?
        +
        +  environment.systemPackages = with pkgs; [
        +  ];
        +
        +
        +}
        +
        +
        +
        +
        +
      2. +
      3. Home Manager
        +
        +
        +
        +{ config, pkgs, lib, fetchFromGitHub, ... }:
        +
        +{
        +
        +  <<gpgagent>>
        +
        +  home = {
        +    username = "swarsel";
        +    homeDirectory = "/home/swarsel";
        +    stateVersion = "23.05"; # Please read the comment before changing.
        +    keyboard.layout = "de";
        +    packages = with pkgs; [
        +    ];
        +  };
        +
        +  sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" ];
        +
        +  # # waybar config
        +  programs.waybar.settings.mainBar = {
        +    cpu.format = "{icon0} {icon1} {icon2} {icon3} {icon4} {icon5} {icon6} {icon7}";
        +    temperature.hwmon-path = "/sys/devices/platform/coretemp.0/hwmon/hwmon3/temp3_input";
        +  };
        +  <<waybarlaptop>>
        +
        +  services.blueman-applet.enable = true;
        +
        +  wayland.windowManager.sway= {
        +    config = rec {
        +      input = {
        +        "1:1:AT_Translated_Set_2_keyboard" = {
        +          xkb_layout = "us";
        +          xkb_options = "grp:win_space_toggle";
        +          # xkb_options = "ctrl:nocaps,grp:win_space_toggle";
        +          xkb_variant = "altgr-intl";
        +        };
        +        "2362:33538:ipad_keyboard_Keyboard" = {
        +          xkb_layout = "us";
        +          xkb_options = "altwin:swap_lalt_lwin,ctrl:nocaps,grp:win_space_toggle";
        +          xkb_variant = "colemak_dh";
        +        };
        +        "36125:53060:splitkb.com_Kyria_rev3" = {
        +          xkb_layout = "us";
        +          xkb_variant = "altgr-intl";
        +        };
        +
        +        "type:touchpad" = {
        +          dwt = "enabled";
        +          tap = "enabled";
        +          natural_scroll = "enabled";
        +          middle_emulation = "enabled";
        +        };
        +      };
        +
        +      output = {
        +        eDP-1 = {
        +          mode = "1920x1080";
        +          scale = "1";
        +          bg = "~/.dotfiles/wallpaper/lenovowp.png fill";
        +          position = "1920,0";
        +        };
        +        VGA-1 = {
        +          mode = "1920x1080";
        +          scale = "1";
        +          bg = "~/.dotfiles/wallpaper/lenovowp.png fill";
        +          position = "0,0";
        +        };
        +      };
        +
        +      keybindings = let
        +        modifier = config.wayland.windowManager.sway.config.modifier;
        +      in {
        +        "${modifier}+F2"  = "exec brightnessctl set +5%";
        +        "${modifier}+F1"= "exec brightnessctl set 5%-";
        +        "XF86MonBrightnessUp"  = "exec brightnessctl set +5%";
        +        "XF86MonBrightnessDown"= "exec brightnessctl set 5%-";
        +        "${modifier}+Ctrl+p" = "exec wl-mirror eDP-1";
        +        "XF86HomePage" = "exec wtype -P Escape -p Escape";
        +        "${modifier}+w" = "exec \"bash ~/.dotfiles/scripts/checkschildi.sh\"";
        +      };
        +      keycodebindings = {
        +        "94" = "exec wtype c";
        +        "Shift+94" = "exec wtype C";
        +        "Ctrl+94" = "exec wtype -M ctrl c -m ctrl";
        +        "Ctrl+Shift+94" = "exec wtype -M ctrl -M shift c -m ctrl -m shift";
        +      };
        +
        +      startup = [
        +        <<startupnixos>>
        +      ];
        +    };
        +
        +    extraConfig = "
        + ";
        +  };
        +}
        +
        +
        +
        +
        +
      4. +
      +
    2. +
    +
    +
    +
    +

    Author: Leon Schwarzäugl

    -

    Created: 2024-07-17 Mi 02:28

    +

    Created: 2024-07-17 Mi 04:32

    Validate

diff --git a/profiles/onett/hardware-configuration.nix b/profiles/onett/hardware-configuration.nix
deleted file mode 100644
index 037bd7f..0000000
--- a/profiles/onett/hardware-configuration.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
- imports =
- [ (modulesPath + "/installer/scan/not-detected.nix")
- ];
-
- boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ata_piix" "usb_storage" "sd_mod" "sr_mod" ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-intel" ];
- boot.extraModulePackages = [ ];
-
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/147e3682-eb15-4e96-9cac-4f2fb5888a69";
- fsType = "ext4";
- };
-
- swapDevices = [ ];
-
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.enp7s0.useDHCP = lib.mkDefault true;
- # networking.interfaces.wlp8s0.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
- hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}
diff --git a/profiles/onett/home.nix b/profiles/onett/home.nix
deleted file mode 100644
index 27c5aa8..0000000
--- a/profiles/onett/home.nix
+++ /dev/null
@@ -1,132 +0,0 @@ -{ config, pkgs, lib, fetchFromGitHub, ... }: - -{ - - - services.gpg-agent = { - enable = true; - enableSshSupport = true; - enableExtraSocket = true; - pinentryPackage = pkgs.pinentry.gtk2; - defaultCacheTtl = 600; - maxCacheTtl = 7200; - extraConfig = '' - allow-loopback-pinentry - allow-emacs-pinentry - ''; - }; - - - home = { - username = "swarsel"; - homeDirectory = "/home/swarsel"; - stateVersion = "23.05"; # Please read the comment before changing. - keyboard.layout = "de"; - packages = with pkgs; [ - ]; - }; - - sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" ]; - - # # waybar config - programs.waybar.settings.mainBar = { - cpu.format = "{icon0} {icon1} {icon2} {icon3} {icon4} {icon5} {icon6} {icon7}"; - temperature.hwmon-path = "/sys/devices/platform/coretemp.0/hwmon/hwmon3/temp3_input"; - }; - - programs.waybar.settings.mainBar.modules-right = ["custom/outer-left-arrow-dark" - "mpris" - "custom/left-arrow-light" - "network" - "custom/left-arrow-dark" - "pulseaudio" - "custom/left-arrow-light" - "custom/pseudobat" - "battery" - "custom/left-arrow-dark" - "group/hardware" - "custom/left-arrow-light" - "clock#2" - "custom/left-arrow-dark" - "clock#1" - ]; - - - services.blueman-applet.enable = true; - - wayland.windowManager.sway= { - config = rec { - input = { - "1:1:AT_Translated_Set_2_keyboard" = { - xkb_layout = "us"; - xkb_options = "grp:win_space_toggle"; - # xkb_options = "ctrl:nocaps,grp:win_space_toggle"; - xkb_variant = "altgr-intl"; - }; - "2362:33538:ipad_keyboard_Keyboard" = { - xkb_layout = "us"; - xkb_options = "altwin:swap_lalt_lwin,ctrl:nocaps,grp:win_space_toggle"; - xkb_variant = "colemak_dh"; - }; - "36125:53060:splitkb.com_Kyria_rev3" = { - xkb_layout = "us"; - xkb_variant = "altgr-intl"; - }; - - "type:touchpad" = { - dwt = "enabled"; - tap = "enabled"; - natural_scroll = "enabled"; - middle_emulation = "enabled"; - }; - }; - - output = { - eDP-1 = { - mode = "1920x1080"; - scale = "1"; - bg = 
"~/.dotfiles/wallpaper/lenovowp.png fill"; - position = "1920,0"; - }; - VGA-1 = { - mode = "1920x1080"; - scale = "1"; - bg = "~/.dotfiles/wallpaper/lenovowp.png fill"; - position = "0,0"; - }; - }; - - keybindings = let - modifier = config.wayland.windowManager.sway.config.modifier; - in { - "${modifier}+F2" = "exec brightnessctl set +5%"; - "${modifier}+F1"= "exec brightnessctl set 5%-"; - "XF86MonBrightnessUp" = "exec brightnessctl set +5%"; - "XF86MonBrightnessDown"= "exec brightnessctl set 5%-"; - "${modifier}+Ctrl+p" = "exec wl-mirror eDP-1"; - "XF86HomePage" = "exec wtype -P Escape -p Escape"; - "${modifier}+w" = "exec \"bash ~/.dotfiles/scripts/checkschildi.sh\""; - }; - keycodebindings = { - "94" = "exec wtype c"; - "Shift+94" = "exec wtype C"; - "Ctrl+94" = "exec wtype -M ctrl c -m ctrl"; - "Ctrl+Shift+94" = "exec wtype -M ctrl -M shift c -m ctrl -m shift"; - }; - - startup = [ - - { command = "nextcloud --background";} - { command = "discord --start-minimized";} - { command = "element-desktop --hidden -enable-features=UseOzonePlatform -ozone-platform=wayland --disable-gpu-driver-bug-workarounds";} - { command = "ANKI_WAYLAND=1 anki";} - { command = "OBSIDIAN_USE_WAYLAND=1 obsidian";} - { command = "nm-applet";} - - ]; - }; - - extraConfig = " - "; - }; -} diff --git a/profiles/onett/nixos.nix b/profiles/onett/nixos.nix deleted file mode 100644 index 54bd52c..0000000 --- a/profiles/onett/nixos.nix +++ /dev/null 
@@ -1,108 +0,0 @@
-{ config, lib, pkgs, inputs, ... }:
-
-{
-
-
- imports =
- [
- ./hardware-configuration.nix
- ];
-
-
- services = {
- greetd.settings.initial_session.user ="swarsel";
- xserver.videoDrivers = ["nvidia"];
- };
-
-
- hardware = {
- nvidia = {
- modesetting.enable = true;
- powerManagement.enable = true;
- prime = {
- intelBusId = "PCI:0:2:0";
- nvidiaBusId = "PCI:1:0:0";
- sync.enable = true;
- };
- };
- pulseaudio.configFile = pkgs.runCommand "default.pa" {} ''
- sed 's/module-udev-detect$/module-udev-detect tsched=0/' \
- ${pkgs.pulseaudio}/etc/pulse/default.pa > $out
- '';
- bluetooth.enable = true;
- };
-
- stylix.image = ../../wallpaper/lenovowp.png;
-
- stylix = {
- enable = true;
- base16Scheme = ../../wallpaper/swarsel.yaml;
- # base16Scheme = "${pkgs.base16-schemes}/share/themes/shapeshifter.yaml";
- polarity = "dark";
- opacity.popups = 0.5;
- cursor = {
- package = pkgs.capitaine-cursors;
- name = "capitaine-cursors";
- size = 16;
- };
- fonts = {
- sizes = {
- terminal = 10;
- applications = 11;
- };
- serif = {
- # package = (pkgs.nerdfonts.override { fonts = [ "FiraMono" "FiraCode"]; });
- package = pkgs.cantarell-fonts;
- # package = pkgs.montserrat;
- name = "Cantarell";
- # name = "FiraCode Nerd Font Propo";
- # name = "Montserrat";
- };
-
- sansSerif = {
- # package = (pkgs.nerdfonts.override { fonts = [ "FiraMono" "FiraCode"]; });
- package = pkgs.cantarell-fonts;
- # package = pkgs.montserrat;
- name = "Cantarell";
- # name = "FiraCode Nerd Font Propo";
- # name = "Montserrat";
- };
-
- monospace = {
- package = (pkgs.nerdfonts.override { fonts = [ "FiraCode"]; });
- name = "FiraCode Nerd Font Mono";
- };
-
- emoji = {
- package = pkgs.noto-fonts-emoji;
- name = "Noto Color Emoji";
- };
- };
- };
-
-
-
-
- boot.loader.grub = {
- enable = true;
- device = "/dev/sda";
- useOSProber = true;
- };
-
- networking.hostName = "onett"; # Define your hostname.
- networking.enableIPv6 = false;
-
- users.users.swarsel = {
- isNormalUser = true;
- description = "Leon S";
- extraGroups = [ "networkmanager" "wheel" "lp"];
- packages = with pkgs; [];
- };
-
- system.stateVersion = "23.05"; # Did you read the comment?
-
- environment.systemPackages = with pkgs; [
- ];
-
-
-}
diff --git a/profiles/stand/home.nix b/profiles/stand/home.nix
deleted file mode 100644
index 6e665e3..0000000
--- a/profiles/stand/home.nix
+++ /dev/null
@@ -1,94 +0,0 @@ -{ config, pkgs, lib, fetchFromGitHub, ... }: - -{ - - - services.gpg-agent = { - enable = true; - enableSshSupport = true; - enableExtraSocket = true; - pinentryPackage = pkgs.pinentry-gtk2; - extraConfig = '' - allow-emacs-pinentry - allow-loopback-pinentry - ''; - }; - - - home = { - username = "homelen"; - homeDirectory = "/home/homelen"; - stateVersion = "23.05"; # Please read the comment before changing. - keyboard.layout = "us"; - packages = with pkgs; [ - ]; - }; - - sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" ]; - - services.blueman-applet.enable = true; - - # waybar config - programs.waybar.settings.mainBar = { - cpu.format = "{icon0} {icon1} {icon2} {icon3} {icon4} {icon5} {icon6} {icon7}"; - temperature.hwmon-path = "/sys/devices/platform/coretemp.0/hwmon/hwmon1/temp3_input"; - }; - - programs.waybar.settings.mainBar."custom/pseudobat"= { - format= ""; - on-click-right= "wlogout -p layer-shell"; - }; - programs.waybar.settings.mainBar.modules-right = ["custom/outer-left-arrow-dark" - "mpris" - "custom/left-arrow-light" - "network" - "custom/left-arrow-dark" - "pulseaudio" - "custom/left-arrow-light" - "custom/pseudobat" - "battery" - "custom/left-arrow-dark" - "group/hardware" - "custom/left-arrow-light" - "clock#2" - "custom/left-arrow-dark" - "clock#1" - ]; - - - wayland.windowManager.sway= { - config = rec { - input = { - "36125:53060:splitkb.com_Kyria_rev3" = { - xkb_layout = "us"; - xkb_variant = "altgr-intl"; - }; - }; - - output = { - DP-1 = { - mode = "2560x1440"; - scale = "1"; - bg = "~/.dotfiles/wallpaper/standwp.png fill"; - }; - }; - - keybindings = let - modifier = config.wayland.windowManager.sway.config.modifier; - in { - "${modifier}+w" = "exec \"bash ~/.dotfiles/scripts/checkschildi.sh\""; - }; - - startup = [ - - { command = "nextcloud --background";} - { command = "discord --start-minimized";} - { command = "element-desktop --hidden -enable-features=UseOzonePlatform -ozone-platform=wayland 
--disable-gpu-driver-bug-workarounds";} - { command = "ANKI_WAYLAND=1 anki";} - { command = "OBSIDIAN_USE_WAYLAND=1 obsidian";} - { command = "nm-applet";} - - ]; - }; - }; -} diff --git a/profiles/stand/nixos.nix b/profiles/stand/nixos.nix deleted file mode 100644 index 68e1bb3..0000000 --- a/profiles/stand/nixos.nix +++ /dev/null 
@@ -1,98 +0,0 @@
-{ config, lib, pkgs, inputs, ... }:
-
-{
-
-
- imports =
- [
- ./hardware-configuration.nix
- ];
-
-
- services = {
- getty.autologinUser = "homelen";
- greetd.settings.initial_session.user="homelen";
- };
-
- stylix.image = ../../wallpaper/standwp.png;
-
- stylix = {
- base16Scheme = ../../wallpaper/swarsel.yaml;
- # base16Scheme = "${pkgs.base16-schemes}/share/themes/shapeshifter.yaml";
- polarity = "dark";
- opacity.popups = 0.5;
- cursor = {
- package = pkgs.capitaine-cursors;
- name = "capitaine-cursors";
- size = 16;
- };
- fonts = {
- sizes = {
- terminal = 10;
- applications = 11;
- };
- serif = {
- # package = (pkgs.nerdfonts.override { fonts = [ "FiraMono" "FiraCode"]; });
- package = pkgs.cantarell-fonts;
- # package = pkgs.montserrat;
- name = "Cantarell";
- # name = "FiraCode Nerd Font Propo";
- # name = "Montserrat";
- };
-
- sansSerif = {
- # package = (pkgs.nerdfonts.override { fonts = [ "FiraMono" "FiraCode"]; });
- package = pkgs.cantarell-fonts;
- # package = pkgs.montserrat;
- name = "Cantarell";
- # name = "FiraCode Nerd Font Propo";
- # name = "Montserrat";
- };
-
- monospace = {
- package = (pkgs.nerdfonts.override { fonts = [ "FiraCode"]; });
- name = "FiraCode Nerd Font Mono";
- };
-
- emoji = {
- package = pkgs.noto-fonts-emoji;
- name = "Noto Color Emoji";
- };
- };
- };
-
-
-
-
- # Bootloader.
- boot.loader.grub = {
- enable = true;
- devices = ["nodev" ];
- useOSProber = true;
- };
-
- # boot.kernelPackages = pkgs.linuxPackages_latest;
- networking = {
- hostName = "stand"; # Define your hostname.
- enableIPv6 = false;
- firewall.enable = false;
- # networkmanager.enable = true;
- };
-
- hardware = {
- bluetooth.enable = true;
- };
-
- users.users.homelen = {
- isNormalUser = true;
- description = "Leon S";
- extraGroups = [ "networkmanager" "wheel" "lp" "audio" "video" ];
- packages = with pkgs; [];
- };
-
- environment.systemPackages = with pkgs; [
- ];
-
- system.stateVersion = "23.05"; # Did you read the comment? Dont change this basically
-
-}
diff --git a/profiles/surface/home.nix b/profiles/surface/home.nix
deleted file mode 100644
index 809919c..0000000
--- a/profiles/surface/home.nix
+++ /dev/null
@@ -1,177 +0,0 @@ -{ config, pkgs, lib, fetchFromGitHub, ... }: - -{ - programs.home-manager.enable = true; - home.username = "leons"; - home.homeDirectory = "/home/leons"; - - home.stateVersion = "23.05"; # Please read the comment before changing. - - stylix.image = ../../wallpaper/surfacewp.png; - - stylix = { - enable = true; - base16Scheme = ../../wallpaper/swarsel.yaml; - # base16Scheme = "${pkgs.base16-schemes}/share/themes/shapeshifter.yaml"; - polarity = "dark"; - opacity.popups = 0.5; - cursor = { - package = pkgs.capitaine-cursors; - name = "capitaine-cursors"; - size = 16; - }; - fonts = { - sizes = { - terminal = 10; - applications = 11; - }; - serif = { - # package = (pkgs.nerdfonts.override { fonts = [ "FiraMono" "FiraCode"]; }); - package = pkgs.cantarell-fonts; - # package = pkgs.montserrat; - name = "Cantarell"; - # name = "FiraCode Nerd Font Propo"; - # name = "Montserrat"; - }; - - sansSerif = { - # package = (pkgs.nerdfonts.override { fonts = [ "FiraMono" "FiraCode"]; }); - package = pkgs.cantarell-fonts; - # package = pkgs.montserrat; - name = "Cantarell"; - # name = "FiraCode Nerd Font Propo"; - # name = "Montserrat"; - }; - - monospace = { - package = (pkgs.nerdfonts.override { fonts = [ "FiraCode"]; }); - name = "FiraCode Nerd Font Mono"; - }; - - emoji = { - package = pkgs.noto-fonts-emoji; - name = "Noto Color Emoji"; - }; - }; - }; - - - - - nixpkgs = { - config = { - allowUnfree = true; - allowUnfreePredicate = (_: true); - }; - }; - services.xcape = { - enable = true; - mapExpression = { - Control_L = "Escape"; - }; - }; - #keyboard config - home.keyboard.layout = "us"; - - sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" ]; - - # waybar config - programs.waybar.settings.mainBar.cpu.format = "{icon0} {icon1} {icon2} {icon3}"; - - programs.waybar.settings.mainBar.temperature.hwmon-path = "/sys/devices/platform/coretemp.0/hwmon/hwmon3/temp3_input"; - programs.waybar.settings.mainBar.modules-right = 
["custom/outer-left-arrow-dark" "mpris" "custom/left-arrow-light" - "network" - "custom/left-arrow-dark" - "pulseaudio" - "custom/left-arrow-light" - "battery" - "custom/left-arrow-dark" - "temperature" - "custom/left-arrow-light" - "disk" - "custom/left-arrow-dark" - "memory" - "custom/left-arrow-light" - "cpu" - "custom/left-arrow-dark" - "tray" - "custom/left-arrow-light" - "clock#2" - "custom/left-arrow-dark" - "clock#1" ]; - services.blueman-applet.enable = true; - home.packages = with pkgs; [ - # nixgl.auto.nixGLDefault - evince - # nodejs_20 - - # messaging - # we use gomuks for RAM preservation, but keep schildi around for files and images - ]; - - programs.zsh.initExtra = " -export GPG_TTY=\"$(tty)\" -export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) -gpgconf --launch gpg-agent - "; - - # sway config - wayland.windowManager.sway= { - config = rec { - input = { - "*" = { - xkb_layout = "us"; - xkb_options = "ctrl:nocaps,grp:win_space_toggle"; - xkb_variant = "altgr-intl"; - }; - "type:touchpad" = { - dwt = "enabled"; - tap = "enabled"; - natural_scroll = "enabled"; - middle_emulation = "enabled"; - }; - }; - - output = { - eDP-1 = { - mode = "2160x1440@59.955Hz"; - scale = "1"; - bg = "~/.dotfiles/wallpaper/surfacewp.png fill"; - }; - }; - - keybindings = let - modifier = config.wayland.windowManager.sway.config.modifier; - in { - "${modifier}+F2" = "exec brightnessctl set +5%"; - "${modifier}+F1"= "exec brightnessctl set 5%-"; - "${modifier}+n" = "exec sway output eDP-1 transform normal, splith"; - "${modifier}+Ctrl+p" = "exec nixGL wl-mirror eDP-1"; - "${modifier}+t" = "exec sway output eDP-1 transform 90, splitv"; - "${modifier}+XF86AudioLowerVolume" = "exec grim -g \"$(slurp)\" -t png - | wl-copy -t image/png"; - "${modifier}+XF86AudioRaiseVolume" = "exec grim -g \"$(slurp)\" -t png - | wl-copy -t image/png"; - "${modifier}+w" = "exec \"bash ~/.dotfiles/scripts/checkgomuks.sh\""; - }; - - startup = [ - { command = "sleep 60 && nixGL nextcloud 
--background";} - # { command = "sleep 60 && nixGL spotify";} - { command = "sleep 60 && nixGL discord --start-minimized -enable-features=UseOzonePlatform -ozone-platform=wayland";} - # { command = "sleep 60 && nixGL schildichat-desktop --hidden";} - { command = "sleep 60 && nixGL syncthingtray --wait"; } - { command = "sleep 60 && ANKI_WAYLAND=1 nixGL anki";} - { command = "nm-applet --indicator";} - { command = "sleep 60 && OBSIDIAN_USE_WAYLAND=1 nixGL obsidian -enable-features=UseOzonePlatform -ozone-platform=wayland";} - ]; - - keycodebindings = { - "124" = "exec systemctl suspend"; - }; - }; - - extraConfig = " - exec swaymsg input 7062:6917:NTRG0001:01_1B96:1B05 map_to_output eDP-1 - exec swaymsg input 7062:6917:NTRG0001:01_1B96:1B05_Stylus map_to_output eDP-1 - "; - }; -} diff --git a/profiles/twoson/home.nix b/profiles/twoson/home.nix deleted file mode 100644 index a9cb3ef..0000000 --- a/profiles/twoson/home.nix +++ /dev/null 
@@ -1,127 +0,0 @@
-{ config, pkgs, lib, fetchFromGitHub, ... }:
-
-{
-
-
- home = {
- username = "swarsel";
- homeDirectory = "/home/swarsel";
- stateVersion = "23.05"; # TEMPLATE -- Please read the comment before changing.
- keyboard.layout = "us"; # TEMPLATE
- home.packages = with pkgs; [
- # ---------------------------------------------------------------
- # if schildichat works on this machine, use it, otherwise go for element
- # element-desktop
- # ---------------------------------------------------------------
- ];
- };
- # update path if the sops private key is stored somewhere else
- sops.age.sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/sops" ];
-
- # waybar config - TEMPLATE - update for cores and temp
- programs.waybar.settings.mainBar = {
- #cpu.format = "{icon0} {icon1} {icon2} {icon3}";
- cpu.format = "{icon0} {icon1} {icon2} {icon3} {icon4} {icon5} {icon6} {icon7}";
- temperature.hwmon-path = "/sys/devices/platform/coretemp.0/hwmon/hwmon1/temp3_input";
- };
-
- # -----------------------------------------------------------------
- # is this machine always connected to power? If yes, use this block:
- #
- # programs.waybar.settings.mainBar."custom/pseudobat"= {
- # format= "";
- # on-click-right= "wlogout -p layer-shell";
- # };
- # programs.waybar.settings.mainBar.modules-right = ["custom/outer-left-arrow-dark"
- # "mpris"
- # "custom/left-arrow-light"
- # "network"
- # "custom/left-arrow-dark"
- # "pulseaudio"
- # "custom/left-arrow-light"
- # "custom/pseudobat"
- # "battery"
- # "custom/left-arrow-dark"
- # "group/hardware"
- # "custom/left-arrow-light"
- # "clock#2"
- # "custom/left-arrow-dark"
- # "clock#1"
- # ];
- #
- # -----------------------------------------------------------------
-
- # -----------------------------------------------------------------
- # if not always connected to power (laptop), use this (default):
-
- programs.waybar.settings.mainBar.modules-right = ["custom/outer-left-arrow-dark"
- "mpris"
- "custom/left-arrow-light"
- "network"
- "custom/left-arrow-dark"
- "pulseaudio"
- "custom/left-arrow-light"
- "custom/pseudobat"
- "battery"
- "custom/left-arrow-dark"
- "group/hardware"
- "custom/left-arrow-light"
- "clock#2"
- "custom/left-arrow-dark"
- "clock#1"
- ];
-
- # -----------------------------------------------------------------
-
- wayland.windowManager.sway= {
- config = rec {
- # update for actual inputs here,
- input = {
- "36125:53060:splitkb.com_Kyria_rev3" = {
- xkb_layout = "us";
- xkb_variant = "altgr-intl";
- };
- # "1:1:AT_Translated_Set_2_keyboard" = { # TEMPLATE
- # xkb_layout = "us";
- # xkb_options = "grp:win_space_toggle";
- # # xkb_options = "ctrl:nocaps,grp:win_space_toggle";
- # xkb_variant = "altgr-intl";
- # };
- "type:touchpad" = {
- dwt = "enabled";
- tap = "enabled";
- natural_scroll = "enabled";
- middle_emulation = "enabled";
- };
-
- };
-
- output = {
- DP-1 = {
- mode = "1920x1280"; # TEMPLATE
- scale = "1";
- bg = "~/.dotfiles/wallpaper/t14swp.png fill";
- };
- };
-
- keybindings = let
- modifier = config.wayland.windowManager.sway.config.modifier;
- in {
- # TEMPLATE
- "${modifier}+w" = "exec \"bash ~/.dotfiles/scripts/checkschildi.sh\"";
- # "${modifier}+w" = "exec \"bash ~/.dotfiles/scripts/checkelement.sh\"";
- };
-
- startup = [
-
- { command = "nextcloud --background";}
- { command = "discord --start-minimized";}
- { command = "element-desktop --hidden -enable-features=UseOzonePlatform -ozone-platform=wayland --disable-gpu-driver-bug-workarounds";}
- { command = "ANKI_WAYLAND=1 anki";}
- { command = "OBSIDIAN_USE_WAYLAND=1 obsidian";}
- { command = "nm-applet";}
-
- ];
- };
- };
-}
diff --git a/profiles/twoson/nixos.nix b/profiles/twoson/nixos.nix
deleted file mode 100644
index aa72ed6..0000000
--- a/profiles/twoson/nixos.nix
+++ /dev/null
@@ -1,102 +0,0 @@
-{ config, lib, pkgs, inputs, ... }:
-
-{
-
-
- imports =
- [
- ./hardware-configuration.nix
- ];
-
-
- services = {
- getty.autologinUser = "swarsel";
- greetd.settings.initial_session.user="swarsel";
- };
-
- # Bootloader
- # boot.loader.grub.enable = true;
- # boot.loader.grub.device = "/dev/sda"; # TEMPLATE - if only one disk, this will work
- # boot.loader.grub.useOSProber = true;
-
- # --------------------------------------
- # you might need a configuration like this instead:
- # Bootloader
- # boot.loader.grub.enable = true;
- # boot.loader.grub.devices = ["nodev" ];
- # boot.loader.grub.useOSProber = true;
- # boot.kernelPackages = pkgs.linuxPackages_latest;
- # --------------------------------------
-
- networking.hostName = "twoson"; # Define your hostname.
-
- stylix.image = ../../wallpaper/t14swp.png;
-
- stylix = {
- base16Scheme = ../../wallpaper/swarsel.yaml;
- # base16Scheme = "${pkgs.base16-schemes}/share/themes/shapeshifter.yaml";
- polarity = "dark";
- opacity.popups = 0.5;
- cursor = {
- package = pkgs.capitaine-cursors;
- name = "capitaine-cursors";
- size = 16;
- };
- fonts = {
- sizes = {
- terminal = 10;
- applications = 11;
- };
- serif = {
- # package = (pkgs.nerdfonts.override { fonts = [ "FiraMono" "FiraCode"]; });
- package = pkgs.cantarell-fonts;
- # package = pkgs.montserrat;
- name = "Cantarell";
- # name = "FiraCode Nerd Font Propo";
- # name = "Montserrat";
- };
-
- sansSerif = {
- # package = (pkgs.nerdfonts.override { fonts = [ "FiraMono" "FiraCode"]; });
- package = pkgs.cantarell-fonts;
- # package = pkgs.montserrat;
- name = "Cantarell";
- # name = "FiraCode Nerd Font Propo";
- # name = "Montserrat";
- };
-
- monospace = {
- package = (pkgs.nerdfonts.override { fonts = [ "FiraCode"]; });
- name = "FiraCode Nerd Font Mono";
- };
-
- emoji = {
- package = pkgs.noto-fonts-emoji;
- name = "Noto Color Emoji";
- };
- };
- };
-
-
-
-
- # Configure keymap in X11 (only used for login)
- services.xserver = {
- layout = "us";
- xkbVariant = "altgr-intl";
- };
-
- users.users.swarsel = {
- isNormalUser = true;
- description = "TEMPLATE";
- extraGroups = [ "networkmanager" "wheel" "lp" "audio" "video" ];
- packages = with pkgs; [];
- };
-
- environment.systemPackages = with pkgs; [
- ];
-
- system.stateVersion = "23.05"; # TEMPLATE - but probably no need to change
-
-
-}